Marcus Updateinfo to OVAL Converter5.52024-06-04T05:50:46DirectFB-1.7.1-6.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the DirectFB-1.7.1-6.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-2977 at SUSECVE-2014-2977 at NVDCVE-2014-2978 at SUSECVE-2014-2978 at NVDcpe:/o:suse:sles:12:sp3MozillaFirefox-52.2.0esr-108.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the MozillaFirefox-52.2.0esr-108.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2008-5913 at SUSECVE-2008-5913 at NVDCVE-2009-0040 at SUSECVE-2009-0040 at NVDCVE-2009-0652 at SUSECVE-2009-0652 at NVDCVE-2009-0771 at SUSECVE-2009-0771 at NVDCVE-2009-0772 at SUSECVE-2009-0772 at NVDCVE-2009-0773 at SUSECVE-2009-0773 at NVDCVE-2009-0774 at SUSECVE-2009-0774 at NVDCVE-2009-0775 at SUSECVE-2009-0775 at NVDCVE-2009-0776 at SUSECVE-2009-0776 at NVDCVE-2009-0777 at SUSECVE-2009-0777 at NVDCVE-2009-1044 at SUSECVE-2009-1044 at NVDCVE-2009-1169 at SUSECVE-2009-1169 at NVDCVE-2009-1302 at SUSECVE-2009-1302 at NVDCVE-2009-1303 at SUSECVE-2009-1303 at NVDCVE-2009-1304 at SUSECVE-2009-1304 at NVDCVE-2009-1305 at SUSECVE-2009-1305 at NVDCVE-2009-1306 at SUSECVE-2009-1306 at NVDCVE-2009-1307 at SUSECVE-2009-1307 at NVDCVE-2009-1308 at SUSECVE-2009-1308 at NVDCVE-2009-1309 at SUSECVE-2009-1309 at NVDCVE-2009-1310 at SUSECVE-2009-1310 at NVDCVE-2009-1311 at SUSECVE-2009-1311 at NVDCVE-2009-1312 at SUSECVE-2009-1312 at NVDCVE-2009-1313 at SUSECVE-2009-1313 at NVDCVE-2009-1563 at SUSECVE-2009-1563 at NVDCVE-2009-2470 at SUSECVE-2009-2470 at NVDCVE-2009-2654 at SUSECVE-2009-2654 at NVDCVE-2009-3069 at SUSECVE-2009-3069 at NVDCVE-2009-3070 at SUSECVE-2009-3070 at NVDCVE-2009-3071 at SUSECVE-2009-3071 at NVDCVE-2009-3072 at SUSECVE-2009-3072 at NVDCVE-2009-3073 at SUSECVE-2009-3073 at NVDCVE-2009-3074 at SUSECVE-2009-3074 at NVDCVE-2009-3075 at SUSECVE-2009-3075 at NVDCVE-2009-3077 at SUSECVE-2009-3077 at NVDCVE-2009-3078 at SUSECVE-2009-3078 at NVDCVE-2009-3079 at SUSECVE-2009-3079 at NVDCVE-2009-3274 at SUSECVE-2009-3274 at NVDCVE-2009-3370 at SUSECVE-2009-3370 at NVDCVE-2009-3371 at SUSECVE-2009-3371 at NVDCVE-2009-3372 at SUSECVE-2009-3372 at NVDCVE-2009-3373 at SUSECVE-2009-3373 at NVDCVE-2009-3374 at SUSECVE-2009-3374 at NVDCVE-2009-3375 at SUSECVE-2009-3375 at NVDCVE-2009-3376 at SUSECVE-2009-3376 at NVDCVE-2009-3377 at SUSECVE-2009-3377 at NVDCVE-2009-3378 at SUSECVE-2009-3378 at NVDCVE-2009-3379 at SUSECVE-2009-3379 at NVDCVE-2009-3380 at SUSECVE-2009-3380 at NVDCVE-2009-3381 at SUSECVE-2009-3381 at NVDCVE-2009-3383 at SUSECVE-2009-3383 at NVDCVE-2009-3388 at SUSECVE-2009-3388 at NVDCVE-2009-3389 at SUSECVE-2009-3389 at NVDCVE-2009-3555 at SUSECVE-2009-3555 at NVDCVE-2009-3979 at SUSECVE-2009-3979 at NVDCVE-2009-3980 at SUSECVE-2009-3980 at NVDCVE-2009-3982 at SUSECVE-2009-3982 at NVDCVE-2009-3983 at SUSECVE-2009-3983 at NVDCVE-2009-3984 at SUSECVE-2009-3984 at NVDCVE-2009-3985 at SUSECVE-2009-3985 at NVDCVE-2010-0164 at SUSECVE-2010-0164 at NVDCVE-2010-0165 at SUSECVE-2010-0165 at NVDCVE-2010-0166 at SUSECVE-2010-0166 at NVDCVE-2010-0167 at SUSECVE-2010-0167 at NVDCVE-2010-0168 at SUSECVE-2010-0168 at NVDCVE-2010-0169 at SUSECVE-2010-0169 at NVDCVE-2010-0170 at SUSECVE-2010-0170 at NVDCVE-2010-0171 at SUSECVE-2010-0171 at NVDCVE-2010-0172 at SUSECVE-2010-0172 at NVDCVE-2010-0173 at SUSECVE-2010-0173 at NVDCVE-2010-0174 at SUSECVE-2010-0174 at NVDCVE-2010-0176 at SUSECVE-2010-0176 at NVDCVE-2010-0177 at SUSECVE-2010-0177 at NVDCVE-2010-0178 at SUSECVE-2010-0178 at NVDCVE-2010-0181 at SUSECVE-2010-0181 at NVDCVE-2010-0182 at SUSECVE-2010-0182 at NVDCVE-2010-0654 at SUSECVE-2010-0654 at NVDCVE-2010-1028 at SUSECVE-2010-1028 at NVDCVE-2010-1121 at SUSECVE-2010-1121 at NVDCVE-2010-1125 at SUSECVE-2010-1125 at NVDCVE-2010-1196 at SUSECVE-2010-1196 at NVDCVE-2010-1197 at SUSECVE-2010-1197 at NVDCVE-2010-1198 at SUSECVE-2010-1198 at NVDCVE-2010-1199 at SUSECVE-2010-1199 at NVDCVE-2010-1200 at SUSECVE-2010-1200 at NVDCVE-2010-1201 at SUSECVE-2010-1201 at NVDCVE-2010-1202 at SUSECVE-2010-1202 at NVDCVE-2010-1203 at SUSECVE-2010-1203 at NVDCVE-2010-1205 at SUSECVE-2010-1205 at NVDCVE-2010-1206 at SUSECVE-2010-1206 at NVDCVE-2010-1207 at SUSECVE-2010-1207 at NVDCVE-2010-1208 at SUSECVE-2010-1208 at NVDCVE-2010-1209 at SUSECVE-2010-1209 at NVDCVE-2010-1210 at SUSECVE-2010-1210 at NVDCVE-2010-1211 at SUSECVE-2010-1211 at NVDCVE-2010-1212 at SUSECVE-2010-1212 at NVDCVE-2010-1213 at SUSECVE-2010-1213 at NVDCVE-2010-1214 at SUSECVE-2010-1214 at NVDCVE-2010-1215 at SUSECVE-2010-1215 at NVDCVE-2010-2751 at SUSECVE-2010-2751 at NVDCVE-2010-2752 at SUSECVE-2010-2752 at NVDCVE-2010-2753 at SUSECVE-2010-2753 at NVDCVE-2010-2754 at SUSECVE-2010-2754 at NVDCVE-2010-2755 at SUSECVE-2010-2755 at NVDCVE-2010-2760 at SUSECVE-2010-2760 at NVDCVE-2010-2762 at SUSECVE-2010-2762 at NVDCVE-2010-2764 at SUSECVE-2010-2764 at NVDCVE-2010-2765 at SUSECVE-2010-2765 at NVDCVE-2010-2766 at SUSECVE-2010-2766 at NVDCVE-2010-2767 at SUSECVE-2010-2767 at NVDCVE-2010-2768 at SUSECVE-2010-2768 at NVDCVE-2010-2769 at SUSECVE-2010-2769 at NVDCVE-2010-3166 at SUSECVE-2010-3166 at NVDCVE-2010-3167 at SUSECVE-2010-3167 at NVDCVE-2010-3168 at SUSECVE-2010-3168 at NVDCVE-2010-3169 at SUSECVE-2010-3169 at NVDCVE-2010-3170 at SUSECVE-2010-3170 at NVDCVE-2010-3173 at SUSECVE-2010-3173 at NVDCVE-2010-3174 at SUSECVE-2010-3174 at NVDCVE-2010-3175 at SUSECVE-2010-3175 at NVDCVE-2010-3176 at SUSECVE-2010-3176 at NVDCVE-2010-3177 at SUSECVE-2010-3177 at NVDCVE-2010-3178 at SUSECVE-2010-3178 at NVDCVE-2010-3179 at SUSECVE-2010-3179 at NVDCVE-2010-3180 at SUSECVE-2010-3180 at NVDCVE-2010-3182 at SUSECVE-2010-3182 at NVDCVE-2010-3183 at SUSECVE-2010-3183 at NVDCVE-2010-3765 at SUSECVE-2010-3765 at NVDCVE-2011-0068 at SUSECVE-2011-0068 at NVDCVE-2011-0069 at SUSECVE-2011-0069 at NVDCVE-2011-0070 at SUSECVE-2011-0070 at NVDCVE-2011-0079 at SUSECVE-2011-0079 at NVDCVE-2011-0080 at SUSECVE-2011-0080 at NVDCVE-2011-0081 at SUSECVE-2011-0081 at NVDCVE-2011-0084 at SUSECVE-2011-0084 at NVDCVE-2011-1187 at SUSECVE-2011-1187 at NVDCVE-2011-1202 at SUSECVE-2011-1202 at NVDCVE-2011-2366 at SUSECVE-2011-2366 at NVDCVE-2011-2367 at SUSECVE-2011-2367 at NVDCVE-2011-2368 at SUSECVE-2011-2368 at NVDCVE-2011-2369 at SUSECVE-2011-2369 at NVDCVE-2011-2370 at SUSECVE-2011-2370 at NVDCVE-2011-2371 at SUSECVE-2011-2371 at NVDCVE-2011-2372 at SUSECVE-2011-2372 at NVDCVE-2011-2373 at SUSECVE-2011-2373 at NVDCVE-2011-2374 at SUSECVE-2011-2374 at NVDCVE-2011-2375 at SUSECVE-2011-2375 at NVDCVE-2011-2377 at SUSECVE-2011-2377 at NVDCVE-2011-2985 at SUSECVE-2011-2985 at NVDCVE-2011-2986 at SUSECVE-2011-2986 at NVDCVE-2011-2988 at SUSECVE-2011-2988 at NVDCVE-2011-2989 at SUSECVE-2011-2989 at NVDCVE-2011-2990 at SUSECVE-2011-2990 at NVDCVE-2011-2991 at SUSECVE-2011-2991 at NVDCVE-2011-2992 at SUSECVE-2011-2992 at NVDCVE-2011-2993 at SUSECVE-2011-2993 at NVDCVE-2011-2995 at SUSECVE-2011-2995 at NVDCVE-2011-2996 at SUSECVE-2011-2996 at NVDCVE-2011-2997 at SUSECVE-2011-2997 at NVDCVE-2011-3000 at SUSECVE-2011-3000 at NVDCVE-2011-3001 at SUSECVE-2011-3001 at NVDCVE-2011-3002 at SUSECVE-2011-3002 at NVDCVE-2011-3003 at SUSECVE-2011-3003 at NVDCVE-2011-3004 at SUSECVE-2011-3004 at NVDCVE-2011-3005 at SUSECVE-2011-3005 at NVDCVE-2011-3026 at SUSECVE-2011-3026 at NVDCVE-2011-3062 at SUSECVE-2011-3062 at NVDCVE-2011-3101 at SUSECVE-2011-3101 at NVDCVE-2011-3232 at SUSECVE-2011-3232 at NVDCVE-2011-3648 at SUSECVE-2011-3648 at NVDCVE-2011-3650 at SUSECVE-2011-3650 at NVDCVE-2011-3651 at SUSECVE-2011-3651 at NVDCVE-2011-3652 at SUSECVE-2011-3652 at NVDCVE-2011-3654 at SUSECVE-2011-3654 at NVDCVE-2011-3655 at SUSECVE-2011-3655 at NVDCVE-2011-3658 at SUSECVE-2011-3658 at NVDCVE-2011-3659 at SUSECVE-2011-3659 at NVDCVE-2011-3660 at SUSECVE-2011-3660 at NVDCVE-2011-3661 at SUSECVE-2011-3661 at NVDCVE-2011-3663 at SUSECVE-2011-3663 at NVDCVE-2012-0441 at SUSECVE-2012-0441 at NVDCVE-2012-0442 at SUSECVE-2012-0442 at NVDCVE-2012-0443 at SUSECVE-2012-0443 at NVDCVE-2012-0444 at SUSECVE-2012-0444 at NVDCVE-2012-0445 at SUSECVE-2012-0445 at NVDCVE-2012-0446 at SUSECVE-2012-0446 at NVDCVE-2012-0447 at SUSECVE-2012-0447 at NVDCVE-2012-0449 at SUSECVE-2012-0449 at NVDCVE-2012-0451 at SUSECVE-2012-0451 at NVDCVE-2012-0452 at SUSECVE-2012-0452 at NVDCVE-2012-0455 at SUSECVE-2012-0455 at NVDCVE-2012-0456 at SUSECVE-2012-0456 at NVDCVE-2012-0457 at SUSECVE-2012-0457 at NVDCVE-2012-0458 at SUSECVE-2012-0458 at NVDCVE-2012-0459 at SUSECVE-2012-0459 at NVDCVE-2012-0460 at SUSECVE-2012-0460 at NVDCVE-2012-0461 at SUSECVE-2012-0461 at NVDCVE-2012-0462 at SUSECVE-2012-0462 at NVDCVE-2012-0463 at SUSECVE-2012-0463 at NVDCVE-2012-0464 at SUSECVE-2012-0464 at NVDCVE-2012-0467 at SUSECVE-2012-0467 at NVDCVE-2012-0468 at SUSECVE-2012-0468 at NVDCVE-2012-0469 at SUSECVE-2012-0469 at NVDCVE-2012-0470 at SUSECVE-2012-0470 at NVDCVE-2012-0471 at SUSECVE-2012-0471 at NVDCVE-2012-0472 at SUSECVE-2012-0472 at NVDCVE-2012-0473 at SUSECVE-2012-0473 at NVDCVE-2012-0474 at SUSECVE-2012-0474 at NVDCVE-2012-0475 at SUSECVE-2012-0475 at NVDCVE-2012-0477 at SUSECVE-2012-0477 at NVDCVE-2012-0478 at SUSECVE-2012-0478 at NVDCVE-2012-0479 at SUSECVE-2012-0479 at NVDCVE-2012-0759 at SUSECVE-2012-0759 at NVDCVE-2012-1937 at SUSECVE-2012-1937 at NVDCVE-2012-1938 at SUSECVE-2012-1938 at NVDCVE-2012-1940 at SUSECVE-2012-1940 at NVDCVE-2012-1941 at SUSECVE-2012-1941 at NVDCVE-2012-1944 at SUSECVE-2012-1944 at NVDCVE-2012-1945 at SUSECVE-2012-1945 at NVDCVE-2012-1946 at SUSECVE-2012-1946 at NVDCVE-2012-1947 at SUSECVE-2012-1947 at NVDCVE-2012-1948 at SUSECVE-2012-1948 at NVDCVE-2012-1949 at SUSECVE-2012-1949 at NVDCVE-2012-1950 at SUSECVE-2012-1950 at NVDCVE-2012-1951 at SUSECVE-2012-1951 at NVDCVE-2012-1952 at SUSECVE-2012-1952 at NVDCVE-2012-1953 at SUSECVE-2012-1953 at NVDCVE-2012-1954 at SUSECVE-2012-1954 at NVDCVE-2012-1955 at SUSECVE-2012-1955 at NVDCVE-2012-1956 at SUSECVE-2012-1956 at NVDCVE-2012-1957 at SUSECVE-2012-1957 at NVDCVE-2012-1958 at SUSECVE-2012-1958 at NVDCVE-2012-1959 at SUSECVE-2012-1959 at NVDCVE-2012-1960 at SUSECVE-2012-1960 at NVDCVE-2012-1961 at SUSECVE-2012-1961 at NVDCVE-2012-1962 at SUSECVE-2012-1962 at NVDCVE-2012-1963 at SUSECVE-2012-1963 at NVDCVE-2012-1965 at SUSECVE-2012-1965 at NVDCVE-2012-1966 at SUSECVE-2012-1966 at NVDCVE-2012-1967 at SUSECVE-2012-1967 at NVDCVE-2012-1970 at SUSECVE-2012-1970 at NVDCVE-2012-1972 at SUSECVE-2012-1972 at NVDCVE-2012-1973 at SUSECVE-2012-1973 at NVDCVE-2012-1974 at SUSECVE-2012-1974 at NVDCVE-2012-1975 at SUSECVE-2012-1975 at NVDCVE-2012-1976 at SUSECVE-2012-1976 at NVDCVE-2012-3956 at SUSECVE-2012-3956 at NVDCVE-2012-3957 at SUSECVE-2012-3957 at NVDCVE-2012-3958 at SUSECVE-2012-3958 at NVDCVE-2012-3959 at SUSECVE-2012-3959 at NVDCVE-2012-3960 at SUSECVE-2012-3960 at NVDCVE-2012-3961 at SUSECVE-2012-3961 at NVDCVE-2012-3962 at SUSECVE-2012-3962 at NVDCVE-2012-3963 at SUSECVE-2012-3963 at NVDCVE-2012-3964 at SUSECVE-2012-3964 at NVDCVE-2012-3965 at SUSECVE-2012-3965 at NVDCVE-2012-3966 at SUSECVE-2012-3966 at NVDCVE-2012-3967 at SUSECVE-2012-3967 at NVDCVE-2012-3968 at SUSECVE-2012-3968 at NVDCVE-2012-3969 at SUSECVE-2012-3969 at NVDCVE-2012-3970 at SUSECVE-2012-3970 at NVDCVE-2012-3971 at SUSECVE-2012-3971 at NVDCVE-2012-3972 at SUSECVE-2012-3972 at NVDCVE-2012-3973 at SUSECVE-2012-3973 at NVDCVE-2012-3975 at SUSECVE-2012-3975 at NVDCVE-2012-3976 at SUSECVE-2012-3976 at NVDCVE-2012-3978 at SUSECVE-2012-3978 at NVDCVE-2012-3980 at SUSECVE-2012-3980 at NVDCVE-2012-3982 at SUSECVE-2012-3982 at NVDCVE-2012-3983 at SUSECVE-2012-3983 at NVDCVE-2012-3984 at SUSECVE-2012-3984 at NVDCVE-2012-3985 at SUSECVE-2012-3985 at NVDCVE-2012-3986 at SUSECVE-2012-3986 at NVDCVE-2012-3988 at SUSECVE-2012-3988 at NVDCVE-2012-3989 at SUSECVE-2012-3989 at NVDCVE-2012-3990 at SUSECVE-2012-3990 at NVDCVE-2012-3991 at SUSECVE-2012-3991 at NVDCVE-2012-3992 at SUSECVE-2012-3992 at NVDCVE-2012-3993 at SUSECVE-2012-3993 at NVDCVE-2012-3994 at SUSECVE-2012-3994 at NVDCVE-2012-3995 at SUSECVE-2012-3995 at NVDCVE-2012-4179 at SUSECVE-2012-4179 at NVDCVE-2012-4180 at SUSECVE-2012-4180 at NVDCVE-2012-4181 at SUSECVE-2012-4181 at NVDCVE-2012-4182 at SUSECVE-2012-4182 at NVDCVE-2012-4183 at SUSECVE-2012-4183 at NVDCVE-2012-4184 at SUSECVE-2012-4184 at NVDCVE-2012-4185 at SUSECVE-2012-4185 at NVDCVE-2012-4186 at SUSECVE-2012-4186 at NVDCVE-2012-4187 at SUSECVE-2012-4187 at NVDCVE-2012-4188 at SUSECVE-2012-4188 at NVDCVE-2012-4191 at SUSECVE-2012-4191 at NVDCVE-2012-4192 at SUSECVE-2012-4192 at NVDCVE-2012-4193 at SUSECVE-2012-4193 at NVDCVE-2012-4194 at SUSECVE-2012-4194 at NVDCVE-2012-4195 at SUSECVE-2012-4195 at NVDCVE-2012-4196 at SUSECVE-2012-4196 at NVDCVE-2012-4201 at SUSECVE-2012-4201 at NVDCVE-2012-4202 at SUSECVE-2012-4202 at NVDCVE-2012-4203 at SUSECVE-2012-4203 at NVDCVE-2012-4204 at SUSECVE-2012-4204 at NVDCVE-2012-4205 at SUSECVE-2012-4205 at NVDCVE-2012-4207 at SUSECVE-2012-4207 at NVDCVE-2012-4208 at SUSECVE-2012-4208 at NVDCVE-2012-4209 at SUSECVE-2012-4209 at NVDCVE-2012-4210 at SUSECVE-2012-4210 at NVDCVE-2012-4212 at SUSECVE-2012-4212 at NVDCVE-2012-4213 at SUSECVE-2012-4213 at NVDCVE-2012-4214 at SUSECVE-2012-4214 at NVDCVE-2012-4215 at SUSECVE-2012-4215 at NVDCVE-2012-4216 at SUSECVE-2012-4216 at NVDCVE-2012-4217 at SUSECVE-2012-4217 at NVDCVE-2012-4218 at SUSECVE-2012-4218 at NVDCVE-2012-5829 at SUSECVE-2012-5829 at NVDCVE-2012-5830 at SUSECVE-2012-5830 at NVDCVE-2012-5833 at SUSECVE-2012-5833 at NVDCVE-2012-5835 at SUSECVE-2012-5835 at NVDCVE-2012-5836 at SUSECVE-2012-5836 at NVDCVE-2012-5837 at SUSECVE-2012-5837 at NVDCVE-2012-5838 at SUSECVE-2012-5838 at NVDCVE-2012-5839 at SUSECVE-2012-5839 at NVDCVE-2012-5840 at SUSECVE-2012-5840 at NVDCVE-2012-5841 at SUSECVE-2012-5841 at NVDCVE-2012-5842 at SUSECVE-2012-5842 at NVDCVE-2012-5843 at SUSECVE-2012-5843 at NVDCVE-2013-0743 at SUSECVE-2013-0743 at NVDCVE-2013-0744 at SUSECVE-2013-0744 at NVDCVE-2013-0745 at SUSECVE-2013-0745 at NVDCVE-2013-0746 at SUSECVE-2013-0746 at NVDCVE-2013-0747 at SUSECVE-2013-0747 at NVDCVE-2013-0748 at SUSECVE-2013-0748 at NVDCVE-2013-0749 at SUSECVE-2013-0749 at NVDCVE-2013-0750 at SUSECVE-2013-0750 at NVDCVE-2013-0751 at SUSECVE-2013-0751 at NVDCVE-2013-0752 at SUSECVE-2013-0752 at NVDCVE-2013-0753 at SUSECVE-2013-0753 at NVDCVE-2013-0754 at SUSECVE-2013-0754 at NVDCVE-2013-0755 at SUSECVE-2013-0755 at NVDCVE-2013-0756 at SUSECVE-2013-0756 at NVDCVE-2013-0757 at SUSECVE-2013-0757 at NVDCVE-2013-0758 at SUSECVE-2013-0758 at NVDCVE-2013-0760 at SUSECVE-2013-0760 at NVDCVE-2013-0761 at SUSECVE-2013-0761 at NVDCVE-2013-0762 at SUSECVE-2013-0762 at NVDCVE-2013-0763 at SUSECVE-2013-0763 at NVDCVE-2013-0764 at SUSECVE-2013-0764 at NVDCVE-2013-0765 at SUSECVE-2013-0765 at NVDCVE-2013-0766 at SUSECVE-2013-0766 at NVDCVE-2013-0767 at SUSECVE-2013-0767 at NVDCVE-2013-0768 at SUSECVE-2013-0768 at NVDCVE-2013-0769 at SUSECVE-2013-0769 at NVDCVE-2013-0770 at SUSECVE-2013-0770 at NVDCVE-2013-0771 at SUSECVE-2013-0771 at NVDCVE-2013-0772 at SUSECVE-2013-0772 at NVDCVE-2013-0773 at SUSECVE-2013-0773 at NVDCVE-2013-0774 at SUSECVE-2013-0774 at NVDCVE-2013-0775 at SUSECVE-2013-0775 at NVDCVE-2013-0776 at SUSECVE-2013-0776 at NVDCVE-2013-0777 at SUSECVE-2013-0777 at NVDCVE-2013-0778 at SUSECVE-2013-0778 at NVDCVE-2013-0779 at SUSECVE-2013-0779 at NVDCVE-2013-0780 at SUSECVE-2013-0780 at NVDCVE-2013-0781 at SUSECVE-2013-0781 at NVDCVE-2013-0782 at SUSECVE-2013-0782 at NVDCVE-2013-0783 at SUSECVE-2013-0783 at NVDCVE-2013-0787 at SUSECVE-2013-0787 at NVDCVE-2013-0788 at SUSECVE-2013-0788 at NVDCVE-2013-0789 at SUSECVE-2013-0789 at NVDCVE-2013-0792 at SUSECVE-2013-0792 at NVDCVE-2013-0793 at SUSECVE-2013-0793 at NVDCVE-2013-0794 at SUSECVE-2013-0794 at NVDCVE-2013-0795 at SUSECVE-2013-0795 at NVDCVE-2013-0796 at SUSECVE-2013-0796 at NVDCVE-2013-0800 at SUSECVE-2013-0800 at NVDCVE-2013-0801 at SUSECVE-2013-0801 at NVDCVE-2013-1669 at SUSECVE-2013-1669 at NVDCVE-2013-1670 at SUSECVE-2013-1670 at NVDCVE-2013-1671 at SUSECVE-2013-1671 at NVDCVE-2013-1674 at SUSECVE-2013-1674 at NVDCVE-2013-1675 at SUSECVE-2013-1675 at NVDCVE-2013-1676 at SUSECVE-2013-1676 at NVDCVE-2013-1677 at SUSECVE-2013-1677 at NVDCVE-2013-1678 at SUSECVE-2013-1678 at NVDCVE-2013-1679 at SUSECVE-2013-1679 at NVDCVE-2013-1680 at SUSECVE-2013-1680 at NVDCVE-2013-1681 at SUSECVE-2013-1681 at NVDCVE-2013-1682 at SUSECVE-2013-1682 at NVDCVE-2013-1683 at SUSECVE-2013-1683 at NVDCVE-2013-1684 at SUSECVE-2013-1684 at NVDCVE-2013-1685 at SUSECVE-2013-1685 at NVDCVE-2013-1686 at SUSECVE-2013-1686 at NVDCVE-2013-1687 at SUSECVE-2013-1687 at NVDCVE-2013-1688 at SUSECVE-2013-1688 at NVDCVE-2013-1690 at SUSECVE-2013-1690 at NVDCVE-2013-1692 at SUSECVE-2013-1692 at NVDCVE-2013-1693 at SUSECVE-2013-1693 at NVDCVE-2013-1694 at SUSECVE-2013-1694 at NVDCVE-2013-1695 at SUSECVE-2013-1695 at NVDCVE-2013-1696 at SUSECVE-2013-1696 at NVDCVE-2013-1697 at SUSECVE-2013-1697 at NVDCVE-2013-1698 at SUSECVE-2013-1698 at NVDCVE-2013-1699 at SUSECVE-2013-1699 at NVDCVE-2013-1701 at SUSECVE-2013-1701 at NVDCVE-2013-1702 at SUSECVE-2013-1702 at NVDCVE-2013-1704 at SUSECVE-2013-1704 at NVDCVE-2013-1705 at SUSECVE-2013-1705 at NVDCVE-2013-1708 at SUSECVE-2013-1708 at NVDCVE-2013-1709 at SUSECVE-2013-1709 at NVDCVE-2013-1710 at SUSECVE-2013-1710 at NVDCVE-2013-1711 at SUSECVE-2013-1711 at NVDCVE-2013-1713 at SUSECVE-2013-1713 at NVDCVE-2013-1714 at SUSECVE-2013-1714 at NVDCVE-2013-1717 at SUSECVE-2013-1717 at NVDCVE-2013-1718 at SUSECVE-2013-1718 at NVDCVE-2013-1719 at SUSECVE-2013-1719 at NVDCVE-2013-1720 at SUSECVE-2013-1720 at NVDCVE-2013-1721 at SUSECVE-2013-1721 at NVDCVE-2013-1722 at SUSECVE-2013-1722 at NVDCVE-2013-1723 at SUSECVE-2013-1723 at NVDCVE-2013-1724 at SUSECVE-2013-1724 at NVDCVE-2013-1725 at SUSECVE-2013-1725 at NVDCVE-2013-1728 at SUSECVE-2013-1728 at NVDCVE-2013-1730 at SUSECVE-2013-1730 at NVDCVE-2013-1732 at SUSECVE-2013-1732 at NVDCVE-2013-1735 at SUSECVE-2013-1735 at NVDCVE-2013-1736 at SUSECVE-2013-1736 at NVDCVE-2013-1737 at SUSECVE-2013-1737 at NVDCVE-2013-1738 at SUSECVE-2013-1738 at NVDCVE-2013-5590 at SUSECVE-2013-5590 at NVDCVE-2013-5591 at SUSECVE-2013-5591 at NVDCVE-2013-5592 at SUSECVE-2013-5592 at NVDCVE-2013-5593 at SUSECVE-2013-5593 at NVDCVE-2013-5595 at SUSECVE-2013-5595 at NVDCVE-2013-5596 at SUSECVE-2013-5596 at NVDCVE-2013-5597 at SUSECVE-2013-5597 at NVDCVE-2013-5598 at SUSECVE-2013-5598 at NVDCVE-2013-5599 at SUSECVE-2013-5599 at NVDCVE-2013-5600 at SUSECVE-2013-5600 at NVDCVE-2013-5601 at SUSECVE-2013-5601 at NVDCVE-2013-5602 at SUSECVE-2013-5602 at NVDCVE-2013-5603 at SUSECVE-2013-5603 at NVDCVE-2013-5604 at SUSECVE-2013-5604 at NVDCVE-2013-5609 at SUSECVE-2013-5609 at NVDCVE-2013-5610 at SUSECVE-2013-5610 at NVDCVE-2013-5611 at SUSECVE-2013-5611 at NVDCVE-2013-5612 at SUSECVE-2013-5612 at NVDCVE-2013-5613 at SUSECVE-2013-5613 at NVDCVE-2013-5614 at SUSECVE-2013-5614 at NVDCVE-2013-5615 at SUSECVE-2013-5615 at NVDCVE-2013-5616 at SUSECVE-2013-5616 at NVDCVE-2013-5618 at SUSECVE-2013-5618 at NVDCVE-2013-5619 at SUSECVE-2013-5619 at NVDCVE-2013-6629 at SUSECVE-2013-6629 at NVDCVE-2013-6630 at SUSECVE-2013-6630 at NVDCVE-2013-6671 at SUSECVE-2013-6671 at NVDCVE-2013-6672 at SUSECVE-2013-6672 at NVDCVE-2013-6673 at SUSECVE-2013-6673 at NVDCVE-2014-1477 at SUSECVE-2014-1477 at NVDCVE-2014-1478 at SUSECVE-2014-1478 at NVDCVE-2014-1479 at SUSECVE-2014-1479 at NVDCVE-2014-1480 at SUSECVE-2014-1480 at NVDCVE-2014-1481 at SUSECVE-2014-1481 at NVDCVE-2014-1482 at SUSECVE-2014-1482 at NVDCVE-2014-1483 at SUSECVE-2014-1483 at NVDCVE-2014-1484 at SUSECVE-2014-1484 at NVDCVE-2014-1485 at SUSECVE-2014-1485 at NVDCVE-2014-1486 at SUSECVE-2014-1486 at NVDCVE-2014-1487 at SUSECVE-2014-1487 at NVDCVE-2014-1488 at SUSECVE-2014-1488 at NVDCVE-2014-1489 at SUSECVE-2014-1489 at NVDCVE-2014-1490 at SUSECVE-2014-1490 at NVDCVE-2014-1491 at SUSECVE-2014-1491 at NVDCVE-2014-1544 at SUSECVE-2014-1544 at NVDCVE-2014-1547 at SUSECVE-2014-1547 at NVDCVE-2014-1548 at SUSECVE-2014-1548 at NVDCVE-2014-1553 at SUSECVE-2014-1553 at NVDCVE-2014-1554 at SUSECVE-2014-1554 at NVDCVE-2014-1555 at SUSECVE-2014-1555 at NVDCVE-2014-1556 at SUSECVE-2014-1556 at NVDCVE-2014-1557 at SUSECVE-2014-1557 at NVDCVE-2014-1562 at SUSECVE-2014-1562 at NVDCVE-2014-1563 at SUSECVE-2014-1563 at NVDCVE-2014-1564 at SUSECVE-2014-1564 at NVDCVE-2014-1565 at SUSECVE-2014-1565 at NVDCVE-2014-1567 at SUSECVE-2014-1567 at NVDCVE-2014-1574 at SUSECVE-2014-1574 at NVDCVE-2014-1575 at SUSECVE-2014-1575 at NVDCVE-2014-1576 at SUSECVE-2014-1576 at NVDCVE-2014-1577 at SUSECVE-2014-1577 at NVDCVE-2014-1578 at SUSECVE-2014-1578 at NVDCVE-2014-1581 at SUSECVE-2014-1581 at NVDCVE-2014-1583 at SUSECVE-2014-1583 at NVDCVE-2014-1585 at SUSECVE-2014-1585 at NVDCVE-2014-1586 at SUSECVE-2014-1586 at NVDCVE-2014-1587 at SUSECVE-2014-1587 at NVDCVE-2014-1588 at SUSECVE-2014-1588 at NVDCVE-2014-1590 at SUSECVE-2014-1590 at NVDCVE-2014-1592 at SUSECVE-2014-1592 at NVDCVE-2014-1593 at SUSECVE-2014-1593 at NVDCVE-2014-1594 at SUSECVE-2014-1594 at NVDCVE-2014-8634 at SUSECVE-2014-8634 at NVDCVE-2014-8635 at SUSECVE-2014-8635 at NVDCVE-2014-8638 at SUSECVE-2014-8638 at NVDCVE-2014-8639 at SUSECVE-2014-8639 at NVDCVE-2014-8641 at SUSECVE-2014-8641 at NVDCVE-2015-0797 at SUSECVE-2015-0797 at NVDCVE-2015-0801 at SUSECVE-2015-0801 at NVDCVE-2015-0807 at SUSECVE-2015-0807 at NVDCVE-2015-0813 at SUSECVE-2015-0813 at NVDCVE-2015-0814 at SUSECVE-2015-0814 at NVDCVE-2015-0815 at SUSECVE-2015-0815 at NVDCVE-2015-0816 at SUSECVE-2015-0816 at NVDCVE-2015-0817 at SUSECVE-2015-0817 at NVDCVE-2015-0818 at SUSECVE-2015-0818 at NVDCVE-2015-0822 at SUSECVE-2015-0822 at NVDCVE-2015-0827 at SUSECVE-2015-0827 at NVDCVE-2015-0831 at SUSECVE-2015-0831 at NVDCVE-2015-0835 at SUSECVE-2015-0835 at NVDCVE-2015-0836 at SUSECVE-2015-0836 at NVDCVE-2015-2708 at SUSECVE-2015-2708 at NVDCVE-2015-2709 at SUSECVE-2015-2709 at NVDCVE-2015-2710 at SUSECVE-2015-2710 at NVDCVE-2015-2713 at SUSECVE-2015-2713 at NVDCVE-2015-2716 at SUSECVE-2015-2716 at NVDCVE-2015-2721 at SUSECVE-2015-2721 at NVDCVE-2015-2722 at SUSECVE-2015-2722 at NVDCVE-2015-2724 at SUSECVE-2015-2724 at NVDCVE-2015-2725 at SUSECVE-2015-2725 at NVDCVE-2015-2726 at SUSECVE-2015-2726 at NVDCVE-2015-2728 at SUSECVE-2015-2728 at NVDCVE-2015-2730 at SUSECVE-2015-2730 at NVDCVE-2015-2733 at SUSECVE-2015-2733 at NVDCVE-2015-2734 at SUSECVE-2015-2734 at NVDCVE-2015-2735 at SUSECVE-2015-2735 at NVDCVE-2015-2736 at SUSECVE-2015-2736 at NVDCVE-2015-2737 at SUSECVE-2015-2737 at NVDCVE-2015-2738 at SUSECVE-2015-2738 at NVDCVE-2015-2739 at SUSECVE-2015-2739 at NVDCVE-2015-2740 at SUSECVE-2015-2740 at NVDCVE-2015-2743 at SUSECVE-2015-2743 at NVDCVE-2015-4000 at SUSECVE-2015-4000 at NVDCVE-2015-4473 at SUSECVE-2015-4473 at NVDCVE-2015-4474 at SUSECVE-2015-4474 at NVDCVE-2015-4475 at SUSECVE-2015-4475 at NVDCVE-2015-4478 at SUSECVE-2015-4478 at NVDCVE-2015-4479 at SUSECVE-2015-4479 at NVDCVE-2015-4484 at SUSECVE-2015-4484 at NVDCVE-2015-4485 at SUSECVE-2015-4485 at NVDCVE-2015-4486 at SUSECVE-2015-4486 at NVDCVE-2015-4487 at SUSECVE-2015-4487 at NVDCVE-2015-4488 at SUSECVE-2015-4488 at NVDCVE-2015-4489 at SUSECVE-2015-4489 at NVDCVE-2015-4491 at SUSECVE-2015-4491 at NVDCVE-2015-4492 at SUSECVE-2015-4492 at NVDCVE-2015-4495 at SUSECVE-2015-4495 at NVDCVE-2015-4497 at SUSECVE-2015-4497 at NVDCVE-2015-4498 at SUSECVE-2015-4498 at NVDCVE-2015-4500 at SUSECVE-2015-4500 at NVDCVE-2015-4501 at SUSECVE-2015-4501 at NVDCVE-2015-4506 at SUSECVE-2015-4506 at NVDCVE-2015-4509 at SUSECVE-2015-4509 at NVDCVE-2015-4511 at SUSECVE-2015-4511 at NVDCVE-2015-4513 at SUSECVE-2015-4513 at NVDCVE-2015-4517 at SUSECVE-2015-4517 at NVDCVE-2015-4519 at SUSECVE-2015-4519 at NVDCVE-2015-4520 at SUSECVE-2015-4520 at NVDCVE-2015-4521 at SUSECVE-2015-4521 at NVDCVE-2015-4522 at SUSECVE-2015-4522 at NVDCVE-2015-7174 at SUSECVE-2015-7174 at NVDCVE-2015-7175 at SUSECVE-2015-7175 at NVDCVE-2015-7176 at SUSECVE-2015-7176 at NVDCVE-2015-7177 at SUSECVE-2015-7177 at NVDCVE-2015-7180 at SUSECVE-2015-7180 at NVDCVE-2015-7181 at SUSECVE-2015-7181 at NVDCVE-2015-7182 at SUSECVE-2015-7182 at NVDCVE-2015-7183 at SUSECVE-2015-7183 at NVDCVE-2015-7188 at SUSECVE-2015-7188 at NVDCVE-2015-7189 at SUSECVE-2015-7189 at NVDCVE-2015-7193 at SUSECVE-2015-7193 at NVDCVE-2015-7194 at SUSECVE-2015-7194 at NVDCVE-2015-7196 at SUSECVE-2015-7196 at NVDCVE-2015-7197 at SUSECVE-2015-7197 at NVDCVE-2015-7198 at SUSECVE-2015-7198 at NVDCVE-2015-7199 at SUSECVE-2015-7199 at NVDCVE-2015-7200 at SUSECVE-2015-7200 at NVDCVE-2015-7201 at SUSECVE-2015-7201 at NVDCVE-2015-7202 at SUSECVE-2015-7202 at NVDCVE-2015-7205 at SUSECVE-2015-7205 at NVDCVE-2015-7210 at SUSECVE-2015-7210 at NVDCVE-2015-7212 at SUSECVE-2015-7212 at NVDCVE-2015-7213 at SUSECVE-2015-7213 at NVDCVE-2015-7214 at SUSECVE-2015-7214 at NVDCVE-2015-7222 at SUSECVE-2015-7222 at NVDCVE-2016-10196 at SUSECVE-2016-10196 at NVDCVE-2016-1523 at SUSECVE-2016-1523 at NVDCVE-2016-1930 at SUSECVE-2016-1930 at NVDCVE-2016-1931 at SUSECVE-2016-1931 at NVDCVE-2016-1935 at SUSECVE-2016-1935 at NVDCVE-2016-1950 at SUSECVE-2016-1950 at NVDCVE-2016-1952 at SUSECVE-2016-1952 at NVDCVE-2016-1953 at SUSECVE-2016-1953 at NVDCVE-2016-1954 at SUSECVE-2016-1954 at NVDCVE-2016-1957 at SUSECVE-2016-1957 at NVDCVE-2016-1958 at SUSECVE-2016-1958 at NVDCVE-2016-1960 at SUSECVE-2016-1960 at NVDCVE-2016-1961 at SUSECVE-2016-1961 at NVDCVE-2016-1962 at SUSECVE-2016-1962 at NVDCVE-2016-1964 at SUSECVE-2016-1964 at NVDCVE-2016-1965 at SUSECVE-2016-1965 at NVDCVE-2016-1966 at SUSECVE-2016-1966 at NVDCVE-2016-1974 at SUSECVE-2016-1974 at NVDCVE-2016-1977 at SUSECVE-2016-1977 at NVDCVE-2016-2790 at SUSECVE-2016-2790 at NVDCVE-2016-2791 at SUSECVE-2016-2791 at NVDCVE-2016-2792 at SUSECVE-2016-2792 at NVDCVE-2016-2793 at SUSECVE-2016-2793 at NVDCVE-2016-2794 at SUSECVE-2016-2794 at NVDCVE-2016-2795 at SUSECVE-2016-2795 at NVDCVE-2016-2796 at SUSECVE-2016-2796 at NVDCVE-2016-2797 at SUSECVE-2016-2797 at NVDCVE-2016-2798 at SUSECVE-2016-2798 at NVDCVE-2016-2799 at SUSECVE-2016-2799 at NVDCVE-2016-2800 at SUSECVE-2016-2800 at NVDCVE-2016-2801 at SUSECVE-2016-2801 at NVDCVE-2016-2802 at SUSECVE-2016-2802 at NVDCVE-2016-2805 at SUSECVE-2016-2805 at NVDCVE-2016-2807 at SUSECVE-2016-2807 at NVDCVE-2016-2808 at SUSECVE-2016-2808 at NVDCVE-2016-2814 at SUSECVE-2016-2814 at NVDCVE-2016-2815 at SUSECVE-2016-2815 at NVDCVE-2016-2818 at SUSECVE-2016-2818 at NVDCVE-2016-2819 at SUSECVE-2016-2819 at NVDCVE-2016-2821 at SUSECVE-2016-2821 at NVDCVE-2016-2822 at SUSECVE-2016-2822 at NVDCVE-2016-2824 at SUSECVE-2016-2824 at NVDCVE-2016-2828 at SUSECVE-2016-2828 at NVDCVE-2016-2830 at SUSECVE-2016-2830 at NVDCVE-2016-2831 at SUSECVE-2016-2831 at NVDCVE-2016-2835 at SUSECVE-2016-2835 at NVDCVE-2016-2836 at SUSECVE-2016-2836 at NVDCVE-2016-2837 at SUSECVE-2016-2837 at NVDCVE-2016-2838 at SUSECVE-2016-2838 at NVDCVE-2016-2839 at SUSECVE-2016-2839 at NVDCVE-2016-5250 at SUSECVE-2016-5250 at NVDCVE-2016-5252 at SUSECVE-2016-5252 at NVDCVE-2016-5254 at SUSECVE-2016-5254 at NVDCVE-2016-5257 at SUSECVE-2016-5257 at NVDCVE-2016-5258 at SUSECVE-2016-5258 at NVDCVE-2016-5259 at SUSECVE-2016-5259 at NVDCVE-2016-5261 at SUSECVE-2016-5261 at NVDCVE-2016-5262 at SUSECVE-2016-5262 at NVDCVE-2016-5263 at SUSECVE-2016-5263 at NVDCVE-2016-5264 at SUSECVE-2016-5264 at NVDCVE-2016-5265 at SUSECVE-2016-5265 at NVDCVE-2016-5270 at SUSECVE-2016-5270 at NVDCVE-2016-5272 at SUSECVE-2016-5272 at NVDCVE-2016-5274 at SUSECVE-2016-5274 at NVDCVE-2016-5276 at SUSECVE-2016-5276 at NVDCVE-2016-5277 at SUSECVE-2016-5277 at NVDCVE-2016-5278 at SUSECVE-2016-5278 at NVDCVE-2016-5280 at SUSECVE-2016-5280 at NVDCVE-2016-5281 at SUSECVE-2016-5281 at NVDCVE-2016-5284 at SUSECVE-2016-5284 at NVDCVE-2016-5290 at SUSECVE-2016-5290 at NVDCVE-2016-5291 at SUSECVE-2016-5291 at NVDCVE-2016-5296 at SUSECVE-2016-5296 at NVDCVE-2016-5297 at SUSECVE-2016-5297 at NVDCVE-2016-6354 at SUSECVE-2016-6354 at NVDCVE-2016-9064 at SUSECVE-2016-9064 at NVDCVE-2016-9066 at SUSECVE-2016-9066 at NVDCVE-2016-9079 at SUSECVE-2016-9079 at NVDCVE-2016-9893 at SUSECVE-2016-9893 at NVDCVE-2016-9895 at SUSECVE-2016-9895 at NVDCVE-2016-9897 at SUSECVE-2016-9897 at NVDCVE-2016-9898 at SUSECVE-2016-9898 at NVDCVE-2016-9899 at SUSECVE-2016-9899 at NVDCVE-2016-9900 at SUSECVE-2016-9900 at NVDCVE-2016-9901 at SUSECVE-2016-9901 at NVDCVE-2016-9902 at SUSECVE-2016-9902 at NVDCVE-2016-9904 at SUSECVE-2016-9904 at NVDCVE-2016-9905 at SUSECVE-2016-9905 at NVDCVE-2017-5373 at SUSECVE-2017-5373 at NVDCVE-2017-5375 at SUSECVE-2017-5375 at NVDCVE-2017-5376 at SUSECVE-2017-5376 at NVDCVE-2017-5378 at SUSECVE-2017-5378 at NVDCVE-2017-5380 at SUSECVE-2017-5380 at NVDCVE-2017-5383 at SUSECVE-2017-5383 at NVDCVE-2017-5386 at SUSECVE-2017-5386 at NVDCVE-2017-5390 at SUSECVE-2017-5390 at NVDCVE-2017-5396 at SUSECVE-2017-5396 at NVDCVE-2017-5398 at SUSECVE-2017-5398 at NVDCVE-2017-5400 at SUSECVE-2017-5400 at NVDCVE-2017-5401 at SUSECVE-2017-5401 at NVDCVE-2017-5402 at SUSECVE-2017-5402 at NVDCVE-2017-5404 at SUSECVE-2017-5404 at NVDCVE-2017-5405 at SUSECVE-2017-5405 at NVDCVE-2017-5407 at SUSECVE-2017-5407 at NVDCVE-2017-5408 at SUSECVE-2017-5408 at NVDCVE-2017-5409 at SUSECVE-2017-5409 at NVDCVE-2017-5410 at SUSECVE-2017-5410 at NVDCVE-2017-5429 at SUSECVE-2017-5429 at NVDCVE-2017-5430 at SUSECVE-2017-5430 at NVDCVE-2017-5432 at SUSECVE-2017-5432 at NVDCVE-2017-5433 at SUSECVE-2017-5433 at NVDCVE-2017-5434 at SUSECVE-2017-5434 at NVDCVE-2017-5435 at SUSECVE-2017-5435 at NVDCVE-2017-5436 at SUSECVE-2017-5436 at NVDCVE-2017-5437 at SUSECVE-2017-5437 at NVDCVE-2017-5438 at SUSECVE-2017-5438 at NVDCVE-2017-5439 at SUSECVE-2017-5439 at NVDCVE-2017-5440 at SUSECVE-2017-5440 at NVDCVE-2017-5441 at SUSECVE-2017-5441 at NVDCVE-2017-5442 at SUSECVE-2017-5442 at NVDCVE-2017-5443 at SUSECVE-2017-5443 at NVDCVE-2017-5444 at SUSECVE-2017-5444 at NVDCVE-2017-5445 at SUSECVE-2017-5445 at NVDCVE-2017-5446 at SUSECVE-2017-5446 at NVDCVE-2017-5447 at SUSECVE-2017-5447 at NVDCVE-2017-5448 at SUSECVE-2017-5448 at NVDCVE-2017-5449 at SUSECVE-2017-5449 at NVDCVE-2017-5451 at SUSECVE-2017-5451 at NVDCVE-2017-5454 at SUSECVE-2017-5454 at NVDCVE-2017-5455 at SUSECVE-2017-5455 at NVDCVE-2017-5456 at SUSECVE-2017-5456 at NVDCVE-2017-5459 at SUSECVE-2017-5459 at NVDCVE-2017-5460 at SUSECVE-2017-5460 at NVDCVE-2017-5461 at SUSECVE-2017-5461 at NVDCVE-2017-5462 at SUSECVE-2017-5462 at NVDCVE-2017-5464 at SUSECVE-2017-5464 at NVDCVE-2017-5465 at SUSECVE-2017-5465 at NVDCVE-2017-5466 at SUSECVE-2017-5466 at NVDCVE-2017-5467 at SUSECVE-2017-5467 at NVDCVE-2017-5469 at SUSECVE-2017-5469 at NVDCVE-2017-5470 at SUSECVE-2017-5470 at NVDCVE-2017-5472 at SUSECVE-2017-5472 at NVDCVE-2017-7749 at SUSECVE-2017-7749 at NVDCVE-2017-7750 at SUSECVE-2017-7750 at NVDCVE-2017-7751 at SUSECVE-2017-7751 at NVDCVE-2017-7752 at SUSECVE-2017-7752 at NVDCVE-2017-7754 at SUSECVE-2017-7754 at NVDCVE-2017-7755 at SUSECVE-2017-7755 at NVDCVE-2017-7756 at SUSECVE-2017-7756 at NVDCVE-2017-7757 at SUSECVE-2017-7757 at NVDCVE-2017-7758 at SUSECVE-2017-7758 at NVDCVE-2017-7761 at SUSECVE-2017-7761 at NVDCVE-2017-7763 at SUSECVE-2017-7763 at NVDCVE-2017-7764 at SUSECVE-2017-7764 at NVDCVE-2017-7765 at SUSECVE-2017-7765 at NVDCVE-2017-7768 at SUSECVE-2017-7768 at NVDCVE-2017-7778 at SUSECVE-2017-7778 at NVDcpe:/o:suse:sles:12:sp3aaa_base-13.2+git20140911.61c1681-36.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the aaa_base-13.2+git20140911.61c1681-36.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-0461 at SUSECVE-2011-0461 at NVDcpe:/o:suse:sles:12:sp3accountsservice-0.6.42-14.2 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the accountsservice-0.6.42-14.2 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-2737 at SUSECVE-2012-2737 at NVDcpe:/o:suse:sles:12:sp3alsa-1.0.27.2-15.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the alsa-1.0.27.2-15.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-0035 at SUSECVE-2009-0035 at NVDcpe:/o:suse:sles:12:sp3ant-1.9.4-1.31 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the ant-1.9.4-1.31 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-1571 at SUSECVE-2013-1571 at NVDcpe:/o:suse:sles:12:sp3apache-commons-beanutils-1.9.2-1.149 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the apache-commons-beanutils-1.9.2-1.149 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-3540 at SUSECVE-2014-3540 at NVDcpe:/o:suse:sles:12:sp3apache-commons-daemon-1.0.15-6.10 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the apache-commons-daemon-1.0.15-6.10 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-2729 at SUSECVE-2011-2729 at NVDcpe:/o:suse:sles:12:sp3apache-commons-httpclient-3.1-4.364 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the apache-commons-httpclient-3.1-4.364 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-5783 at SUSECVE-2012-5783 at NVDcpe:/o:suse:sles:12:sp3apache2-2.4.23-28.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the apache2-2.4.23-28.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-0023 at SUSECVE-2009-0023 at NVDCVE-2009-1191 at SUSECVE-2009-1191 at NVDCVE-2009-1195 at SUSECVE-2009-1195 at NVDCVE-2009-1890 at SUSECVE-2009-1890 at NVDCVE-2009-1891 at SUSECVE-2009-1891 at NVDCVE-2009-1955 at SUSECVE-2009-1955 at NVDCVE-2009-1956 at SUSECVE-2009-1956 at NVDCVE-2009-2412 at SUSECVE-2009-2412 at NVDCVE-2009-2699 at SUSECVE-2009-2699 at NVDCVE-2009-3094 at SUSECVE-2009-3094 at NVDCVE-2009-3095 at SUSECVE-2009-3095 at NVDCVE-2009-3555 at SUSECVE-2009-3555 at NVDCVE-2009-3560 at SUSECVE-2009-3560 at NVDCVE-2009-3720 at SUSECVE-2009-3720 at NVDCVE-2010-0408 at SUSECVE-2010-0408 at NVDCVE-2010-0425 at SUSECVE-2010-0425 at NVDCVE-2010-0434 at SUSECVE-2010-0434 at NVDCVE-2010-1452 at SUSECVE-2010-1452 at NVDCVE-2010-1623 at SUSECVE-2010-1623 at NVDCVE-2010-2068 at SUSECVE-2010-2068 at NVDCVE-2011-1176 at SUSECVE-2011-1176 at NVDCVE-2011-3192 at SUSECVE-2011-3192 at NVDCVE-2011-3368 at SUSECVE-2011-3368 at NVDCVE-2011-3607 at SUSECVE-2011-3607 at NVDCVE-2011-4317 at SUSECVE-2011-4317 at NVDCVE-2012-0021 at SUSECVE-2012-0021 at NVDCVE-2012-0031 at SUSECVE-2012-0031 at NVDCVE-2012-0053 at SUSECVE-2012-0053 at NVDCVE-2012-2687 at SUSECVE-2012-2687 at NVDCVE-2012-3499 at SUSECVE-2012-3499 at NVDCVE-2012-3502 at SUSECVE-2012-3502 at NVDCVE-2013-1896 at SUSECVE-2013-1896 at NVDCVE-2013-2249 at SUSECVE-2013-2249 at NVDCVE-2013-5704 at SUSECVE-2013-5704 at NVDCVE-2013-6438 at SUSECVE-2013-6438 at NVDCVE-2014-0098 at SUSECVE-2014-0098 at NVDCVE-2014-0117 at SUSECVE-2014-0117 at NVDCVE-2014-0118 at SUSECVE-2014-0118 at NVDCVE-2014-0226 at SUSECVE-2014-0226 at NVDCVE-2014-0231 at SUSECVE-2014-0231 at NVDCVE-2014-3523 at SUSECVE-2014-3523 at NVDCVE-2014-3581 at SUSECVE-2014-3581 at NVDCVE-2014-3583 at SUSECVE-2014-3583 at NVDCVE-2014-8109 at SUSECVE-2014-8109 at NVDCVE-2015-0228 at SUSECVE-2015-0228 at NVDCVE-2015-0253 at SUSECVE-2015-0253 at NVDCVE-2015-4000 at SUSECVE-2015-4000 at NVDCVE-2016-0736 at SUSECVE-2016-0736 at NVDCVE-2016-1546 at SUSECVE-2016-1546 at NVDCVE-2016-2161 at SUSECVE-2016-2161 at NVDCVE-2016-4979 at SUSECVE-2016-4979 at NVDCVE-2016-5387 at SUSECVE-2016-5387 at NVDCVE-2016-8740 at SUSECVE-2016-8740 at NVDCVE-2016-8743 at SUSECVE-2016-8743 at NVDCVE-2017-3167 at SUSECVE-2017-3167 at NVDCVE-2017-3169 at SUSECVE-2017-3169 at NVDCVE-2017-7679 at SUSECVE-2017-7679 at NVDcpe:/o:suse:sles:12:sp3apache2-mod_apparmor-2.8.2-49.21 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the apache2-mod_apparmor-2.8.2-49.21 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2017-6507 at SUSECVE-2017-6507 at NVDcpe:/o:suse:sles:12:sp3apache2-mod_jk-1.2.40-5.2 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the apache2-mod_jk-1.2.40-5.2 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2008-5519 at SUSECVE-2008-5519 at NVDCVE-2014-8111 at SUSECVE-2014-8111 at NVDcpe:/o:suse:sles:12:sp3apache2-mod_nss-1.0.14-18.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the apache2-mod_nss-1.0.14-18.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-4566 at SUSECVE-2013-4566 at NVDCVE-2014-3566 at SUSECVE-2014-3566 at NVDCVE-2015-5244 at SUSECVE-2015-5244 at NVDCVE-2016-3099 at SUSECVE-2016-3099 at NVDcpe:/o:suse:sles:12:sp3apache2-mod_perl-2.0.8-11.43 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the apache2-mod_perl-2.0.8-11.43 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-1667 at SUSECVE-2013-1667 at NVDcpe:/o:suse:sles:12:sp3at-3.1.14-7.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the at-3.1.14-7.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-6354 at SUSECVE-2016-6354 at NVDcpe:/o:suse:sles:12:sp3audiofile-0.3.6-10.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the audiofile-0.3.6-10.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-7747 at SUSECVE-2015-7747 at NVDCVE-2017-6827 at SUSECVE-2017-6827 at NVDCVE-2017-6828 at SUSECVE-2017-6828 at NVDCVE-2017-6829 at SUSECVE-2017-6829 at NVDCVE-2017-6830 at SUSECVE-2017-6830 at NVDCVE-2017-6831 at SUSECVE-2017-6831 at NVDCVE-2017-6832 at SUSECVE-2017-6832 at NVDCVE-2017-6833 at SUSECVE-2017-6833 at NVDCVE-2017-6834 at SUSECVE-2017-6834 at NVDCVE-2017-6835 at SUSECVE-2017-6835 at NVDCVE-2017-6836 at SUSECVE-2017-6836 at NVDCVE-2017-6837 at SUSECVE-2017-6837 at NVDCVE-2017-6838 at SUSECVE-2017-6838 at NVDCVE-2017-6839 at SUSECVE-2017-6839 at NVDcpe:/o:suse:sles:12:sp3augeas-1.2.0-15.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the augeas-1.2.0-15.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-0786 at SUSECVE-2012-0786 at NVDCVE-2014-8119 at SUSECVE-2014-8119 at NVDcpe:/o:suse:sles:12:sp3autofs-5.0.9-27.2 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the autofs-5.0.9-27.2 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-8169 at SUSECVE-2014-8169 at NVDcpe:/o:suse:sles:12:sp3automake-1.13.4-6.2 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the automake-1.13.4-6.2 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-4029 at SUSECVE-2009-4029 at NVDcpe:/o:suse:sles:12:sp3avahi-0.6.32-30.36 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the avahi-0.6.32-30.36 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-0758 at SUSECVE-2009-0758 at NVDCVE-2010-2244 at SUSECVE-2010-2244 at NVDCVE-2011-1002 at SUSECVE-2011-1002 at NVDcpe:/o:suse:sles:12:sp3bash-4.3-82.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the bash-4.3-82.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-2524 at SUSECVE-2014-2524 at NVDCVE-2014-6271 at SUSECVE-2014-6271 at NVDCVE-2014-6277 at SUSECVE-2014-6277 at NVDCVE-2014-6278 at SUSECVE-2014-6278 at NVDCVE-2014-7169 at SUSECVE-2014-7169 at NVDCVE-2014-7186 at SUSECVE-2014-7186 at NVDCVE-2014-7187 at SUSECVE-2014-7187 at NVDcpe:/o:suse:sles:12:sp3bind-9.9.9P1-62.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the bind-9.9.9P1-62.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-0696 at SUSECVE-2009-0696 at NVDCVE-2009-4022 at SUSECVE-2009-4022 at NVDCVE-2010-3613 at SUSECVE-2010-3613 at NVDCVE-2010-3614 at SUSECVE-2010-3614 at NVDCVE-2010-3615 at SUSECVE-2010-3615 at NVDCVE-2011-0414 at SUSECVE-2011-0414 at NVDCVE-2011-1907 at SUSECVE-2011-1907 at NVDCVE-2011-1910 at SUSECVE-2011-1910 at NVDCVE-2011-2464 at SUSECVE-2011-2464 at NVDCVE-2011-4313 at SUSECVE-2011-4313 at NVDCVE-2012-1667 at SUSECVE-2012-1667 at NVDCVE-2012-3817 at SUSECVE-2012-3817 at NVDCVE-2012-3868 at SUSECVE-2012-3868 at NVDCVE-2012-4244 at SUSECVE-2012-4244 at NVDCVE-2012-5166 at SUSECVE-2012-5166 at NVDCVE-2012-5688 at SUSECVE-2012-5688 at NVDCVE-2012-5689 at SUSECVE-2012-5689 at NVDCVE-2013-2266 at SUSECVE-2013-2266 at NVDCVE-2013-4854 at SUSECVE-2013-4854 at NVDCVE-2014-0591 at SUSECVE-2014-0591 at NVDCVE-2014-8500 at SUSECVE-2014-8500 at NVDCVE-2015-1349 at SUSECVE-2015-1349 at NVDCVE-2015-4620 at SUSECVE-2015-4620 at NVDCVE-2015-5477 at SUSECVE-2015-5477 at NVDCVE-2015-5722 at SUSECVE-2015-5722 at NVDCVE-2015-8000 at SUSECVE-2015-8000 at NVDCVE-2015-8704 at SUSECVE-2015-8704 at NVDCVE-2016-1285 at SUSECVE-2016-1285 at NVDCVE-2016-1286 at SUSECVE-2016-1286 at NVDCVE-2016-2775 at SUSECVE-2016-2775 at NVDCVE-2016-2776 at SUSECVE-2016-2776 at NVDCVE-2016-6170 at SUSECVE-2016-6170 at NVDCVE-2016-8864 at SUSECVE-2016-8864 at NVDCVE-2016-9131 at SUSECVE-2016-9131 at NVDCVE-2016-9147 at SUSECVE-2016-9147 at NVDCVE-2016-9444 at SUSECVE-2016-9444 at NVDCVE-2017-3135 at SUSECVE-2017-3135 at NVDCVE-2017-3136 at SUSECVE-2017-3136 at NVDCVE-2017-3137 at SUSECVE-2017-3137 at NVDCVE-2017-3138 at SUSECVE-2017-3138 at NVDCVE-2017-3142 at SUSECVE-2017-3142 at NVDCVE-2017-3143 at SUSECVE-2017-3143 at NVDcpe:/o:suse:sles:12:sp3binutils-2.26.1-9.12.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the binutils-2.26.1-9.12.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-8484 at SUSECVE-2014-8484 at NVDCVE-2014-8485 at SUSECVE-2014-8485 at NVDCVE-2014-8501 at SUSECVE-2014-8501 at NVDCVE-2014-8502 at SUSECVE-2014-8502 at NVDCVE-2014-8503 at SUSECVE-2014-8503 at NVDCVE-2014-8504 at SUSECVE-2014-8504 at NVDCVE-2014-8737 at SUSECVE-2014-8737 at NVDCVE-2014-8738 at SUSECVE-2014-8738 at NVDcpe:/o:suse:sles:12:sp3busybox-1.21.1-3.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the busybox-1.21.1-3.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-9645 at SUSECVE-2014-9645 at NVDcpe:/o:suse:sles:12:sp3bzip2-1.0.6-29.2 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the bzip2-1.0.6-29.2 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-0405 at SUSECVE-2010-0405 at NVDcpe:/o:suse:sles:12:sp3chrony-2.3-3.110 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the chrony-2.3-3.110 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-4502 at SUSECVE-2012-4502 at NVDCVE-2012-4503 at SUSECVE-2012-4503 at NVDCVE-2014-0021 at SUSECVE-2014-0021 at NVDCVE-2016-1567 at SUSECVE-2016-1567 at NVDcpe:/o:suse:sles:12:sp3cifs-utils-6.5-8.9 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the cifs-utils-6.5-8.9 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-1886 at SUSECVE-2009-1886 at NVDCVE-2009-1888 at SUSECVE-2009-1888 at NVDCVE-2009-2813 at SUSECVE-2009-2813 at NVDCVE-2009-2906 at SUSECVE-2009-2906 at NVDCVE-2009-2948 at SUSECVE-2009-2948 at NVDCVE-2010-0547 at SUSECVE-2010-0547 at NVDCVE-2010-0728 at SUSECVE-2010-0728 at NVDCVE-2010-0787 at SUSECVE-2010-0787 at NVDCVE-2012-1586 at SUSECVE-2012-1586 at NVDcpe:/o:suse:sles:12:sp3clamav-0.99.2-32.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the clamav-0.99.2-32.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-0405 at SUSECVE-2010-0405 at NVDCVE-2011-2721 at SUSECVE-2011-2721 at NVDCVE-2011-3627 at SUSECVE-2011-3627 at NVDCVE-2012-1457 at SUSECVE-2012-1457 at NVDCVE-2012-1458 at SUSECVE-2012-1458 at NVDCVE-2012-1459 at SUSECVE-2012-1459 at NVDCVE-2012-6706 at SUSECVE-2012-6706 at NVDCVE-2013-6497 at SUSECVE-2013-6497 at NVDCVE-2014-9050 at SUSECVE-2014-9050 at NVDCVE-2014-9328 at SUSECVE-2014-9328 at NVDCVE-2015-1461 at SUSECVE-2015-1461 at NVDCVE-2015-1462 at SUSECVE-2015-1462 at NVDCVE-2015-1463 at SUSECVE-2015-1463 at NVDCVE-2015-2170 at SUSECVE-2015-2170 at NVDCVE-2015-2221 at SUSECVE-2015-2221 at NVDCVE-2015-2222 at SUSECVE-2015-2222 at NVDCVE-2015-2305 at SUSECVE-2015-2305 at NVDCVE-2015-2668 at SUSECVE-2015-2668 at NVDcpe:/o:suse:sles:12:sp3colord-gtk-lang-0.1.26-6.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the colord-gtk-lang-0.1.26-6.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-4349 at SUSECVE-2011-4349 at NVDcpe:/o:suse:sles:12:sp3coolkey-1.1.0-147.67 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the coolkey-1.1.0-147.67 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2007-4129 at SUSECVE-2007-4129 at NVDcpe:/o:suse:sles:12:sp3coreutils-8.25-12.8 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the coreutils-8.25-12.8 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-0221 at SUSECVE-2013-0221 at NVDCVE-2013-0222 at SUSECVE-2013-0222 at NVDCVE-2013-0223 at SUSECVE-2013-0223 at NVDCVE-2015-4041 at SUSECVE-2015-4041 at NVDCVE-2015-4042 at SUSECVE-2015-4042 at NVDcpe:/o:suse:sles:12:sp3cpio-2.11-35.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the cpio-2.11-35.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-0624 at SUSECVE-2010-0624 at NVDCVE-2014-9112 at SUSECVE-2014-9112 at NVDCVE-2016-2037 at SUSECVE-2016-2037 at NVDcpe:/o:suse:sles:12:sp3cpp48-4.8.5-30.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the cpp48-4.8.5-30.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-5044 at SUSECVE-2014-5044 at NVDCVE-2015-5276 at SUSECVE-2015-5276 at NVDcpe:/o:suse:sles:12:sp3cracklib-2.9.0-7.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the cracklib-2.9.0-7.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-6318 at SUSECVE-2016-6318 at NVDcpe:/o:suse:sles:12:sp3crash-7.1.8-3.9 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the crash-7.1.8-3.9 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-2524 at SUSECVE-2014-2524 at NVDcpe:/o:suse:sles:12:sp3cron-4.2-58.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the cron-4.2-58.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2006-2607 at SUSECVE-2006-2607 at NVDCVE-2010-0424 at SUSECVE-2010-0424 at NVDcpe:/o:suse:sles:12:sp3ctags-5.8-7.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the ctags-5.8-7.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-7204 at SUSECVE-2014-7204 at NVDcpe:/o:suse:sles:12:sp3cups-1.7.5-19.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the cups-1.7.5-19.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-0163 at SUSECVE-2009-0163 at NVDCVE-2009-2820 at SUSECVE-2009-2820 at NVDCVE-2009-3553 at SUSECVE-2009-3553 at NVDCVE-2010-0393 at SUSECVE-2010-0393 at NVDCVE-2010-0540 at SUSECVE-2010-0540 at NVDCVE-2010-0542 at SUSECVE-2010-0542 at NVDCVE-2010-1748 at SUSECVE-2010-1748 at NVDCVE-2010-2941 at SUSECVE-2010-2941 at NVDCVE-2012-5519 at SUSECVE-2012-5519 at NVDCVE-2012-6094 at SUSECVE-2012-6094 at NVDCVE-2014-2856 at SUSECVE-2014-2856 at NVDCVE-2014-3537 at SUSECVE-2014-3537 at NVDCVE-2014-5029 at SUSECVE-2014-5029 at NVDCVE-2014-5030 at SUSECVE-2014-5030 at NVDCVE-2014-5031 at SUSECVE-2014-5031 at NVDCVE-2014-9679 at SUSECVE-2014-9679 at NVDCVE-2015-1158 at SUSECVE-2015-1158 at NVDCVE-2015-1159 at SUSECVE-2015-1159 at NVDcpe:/o:suse:sles:12:sp3cups-filters-1.0.58-17.11 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the cups-filters-1.0.58-17.11 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-6473 at SUSECVE-2013-6473 at NVDCVE-2013-6474 at SUSECVE-2013-6474 at NVDCVE-2013-6475 at SUSECVE-2013-6475 at NVDCVE-2013-6476 at SUSECVE-2013-6476 at NVDCVE-2014-2707 at SUSECVE-2014-2707 at NVDCVE-2014-4336 at SUSECVE-2014-4336 at NVDCVE-2014-4337 at SUSECVE-2014-4337 at NVDCVE-2014-4338 at SUSECVE-2014-4338 at NVDCVE-2015-2265 at SUSECVE-2015-2265 at NVDCVE-2015-3258 at SUSECVE-2015-3258 at NVDCVE-2015-3279 at SUSECVE-2015-3279 at NVDCVE-2015-8327 at SUSECVE-2015-8327 at NVDCVE-2015-8560 at SUSECVE-2015-8560 at NVDcpe:/o:suse:sles:12:sp3cups-pk-helper-0.2.5-5.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the cups-pk-helper-0.2.5-5.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-4510 at SUSECVE-2012-4510 at NVDcpe:/o:suse:sles:12:sp3curl-7.37.0-36.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the curl-7.37.0-36.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-0037 at SUSECVE-2009-0037 at NVDCVE-2009-2417 at SUSECVE-2009-2417 at NVDCVE-2013-0249 at SUSECVE-2013-0249 at NVDCVE-2013-1944 at SUSECVE-2013-1944 at NVDCVE-2013-2174 at SUSECVE-2013-2174 at NVDCVE-2013-4545 at SUSECVE-2013-4545 at NVDCVE-2014-0015 at SUSECVE-2014-0015 at NVDCVE-2014-0138 at SUSECVE-2014-0138 at NVDCVE-2014-0139 at SUSECVE-2014-0139 at NVDCVE-2014-3613 at SUSECVE-2014-3613 at NVDCVE-2014-3620 at SUSECVE-2014-3620 at NVDCVE-2014-3707 at SUSECVE-2014-3707 at NVDCVE-2014-8150 at SUSECVE-2014-8150 at NVDCVE-2015-3143 at SUSECVE-2015-3143 at NVDCVE-2015-3144 at SUSECVE-2015-3144 at NVDCVE-2015-3145 at SUSECVE-2015-3145 at NVDCVE-2015-3148 at SUSECVE-2015-3148 at NVDCVE-2015-3153 at SUSECVE-2015-3153 at NVDCVE-2016-0755 at SUSECVE-2016-0755 at NVDCVE-2016-5419 at SUSECVE-2016-5419 at NVDCVE-2016-5420 at SUSECVE-2016-5420 at NVDCVE-2016-5421 at SUSECVE-2016-5421 at NVDCVE-2016-7141 at SUSECVE-2016-7141 at NVDCVE-2016-7167 at SUSECVE-2016-7167 at NVDCVE-2016-8615 at SUSECVE-2016-8615 at NVDCVE-2016-8616 at SUSECVE-2016-8616 at NVDCVE-2016-8617 at SUSECVE-2016-8617 at NVDCVE-2016-8618 at SUSECVE-2016-8618 at NVDCVE-2016-8619 at SUSECVE-2016-8619 at NVDCVE-2016-8620 at SUSECVE-2016-8620 at NVDCVE-2016-8621 at SUSECVE-2016-8621 at NVDCVE-2016-8622 at SUSECVE-2016-8622 at NVDCVE-2016-8623 at SUSECVE-2016-8623 at NVDCVE-2016-8624 at SUSECVE-2016-8624 at NVDCVE-2016-9586 at SUSECVE-2016-9586 at NVDCVE-2017-7407 at SUSECVE-2017-7407 at NVDcpe:/o:suse:sles:12:sp3cvs-1.12.12-181.54 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the cvs-1.12.12-181.54 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-0804 at SUSECVE-2012-0804 at NVDcpe:/o:suse:sles:12:sp3cyrus-sasl-2.1.26-7.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the cyrus-sasl-2.1.26-7.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-0688 at SUSECVE-2009-0688 at NVDcpe:/o:suse:sles:12:sp3davfs2-1.5.2-2.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the davfs2-1.5.2-2.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-4362 at SUSECVE-2014-4362 at NVDcpe:/o:suse:sles:12:sp3dbus-1-1.8.22-28.19 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the dbus-1-1.8.22-28.19 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-4352 at SUSECVE-2010-4352 at NVDCVE-2012-3524 at SUSECVE-2012-3524 at NVDCVE-2013-2168 at SUSECVE-2013-2168 at NVDCVE-2014-3477 at SUSECVE-2014-3477 at NVDCVE-2014-3532 at SUSECVE-2014-3532 at NVDCVE-2014-3533 at SUSECVE-2014-3533 at NVDCVE-2014-3635 at SUSECVE-2014-3635 at NVDCVE-2014-3636 at SUSECVE-2014-3636 at NVDCVE-2014-3637 at SUSECVE-2014-3637 at NVDCVE-2014-3638 at SUSECVE-2014-3638 at NVDCVE-2014-3639 at SUSECVE-2014-3639 at NVDCVE-2014-7824 at SUSECVE-2014-7824 at NVDCVE-2014-8148 at SUSECVE-2014-8148 at NVDCVE-2015-0245 at SUSECVE-2015-0245 at NVDcpe:/o:suse:sles:12:sp3dbus-1-glib-0.100.2-3.58 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the dbus-1-glib-0.100.2-3.58 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-1172 at SUSECVE-2010-1172 at NVDCVE-2013-0292 at SUSECVE-2013-0292 at NVDcpe:/o:suse:sles:12:sp3dhcp-4.3.3-9.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the dhcp-4.3.3-9.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-1892 at SUSECVE-2009-1892 at NVDCVE-2010-2156 at SUSECVE-2010-2156 at NVDCVE-2010-3611 at SUSECVE-2010-3611 at NVDCVE-2010-3616 at SUSECVE-2010-3616 at NVDCVE-2011-0413 at SUSECVE-2011-0413 at NVDCVE-2011-0997 at SUSECVE-2011-0997 at NVDCVE-2011-2748 at SUSECVE-2011-2748 at NVDCVE-2011-2749 at SUSECVE-2011-2749 at NVDCVE-2011-4539 at SUSECVE-2011-4539 at NVDCVE-2011-4868 at SUSECVE-2011-4868 at NVDCVE-2012-3570 at SUSECVE-2012-3570 at NVDCVE-2012-3571 at SUSECVE-2012-3571 at NVDCVE-2012-3954 at SUSECVE-2012-3954 at NVDCVE-2012-3955 at SUSECVE-2012-3955 at NVDCVE-2013-2266 at SUSECVE-2013-2266 at NVDCVE-2015-8605 at SUSECVE-2015-8605 at NVDCVE-2016-2774 at SUSECVE-2016-2774 at NVDcpe:/o:suse:sles:12:sp3dnsmasq-2.76-17.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the dnsmasq-2.76-17.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-3294 at SUSECVE-2015-3294 at NVDCVE-2015-8899 at SUSECVE-2015-8899 at NVDcpe:/o:suse:sles:12:sp3dosfstools-3.0.26-6.5 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the dosfstools-3.0.26-6.5 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-8872 at SUSECVE-2015-8872 at NVDCVE-2016-4804 at SUSECVE-2016-4804 at NVDcpe:/o:suse:sles:12:sp3dovecot22-2.2.30.2-14.2 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the dovecot22-2.2.30.2-14.2 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-3430 at SUSECVE-2014-3430 at NVDCVE-2016-4983 at SUSECVE-2016-4983 at NVDCVE-2017-2669 at SUSECVE-2017-2669 at NVDcpe:/o:suse:sles:12:sp3dracut-044-113.10 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the dracut-044-113.10 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-4453 at SUSECVE-2012-4453 at NVDCVE-2016-8637 at SUSECVE-2016-8637 at NVDcpe:/o:suse:sles:12:sp3dstat-0.7.2-1.2 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the dstat-0.7.2-1.2 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-3894 at SUSECVE-2009-3894 at NVDcpe:/o:suse:sles:12:sp3e2fsprogs-1.42.11-15.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the e2fsprogs-1.42.11-15.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-0247 at SUSECVE-2015-0247 at NVDCVE-2015-1572 at SUSECVE-2015-1572 at NVDcpe:/o:suse:sles:12:sp3ecryptfs-utils-103-7.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the ecryptfs-utils-103-7.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-1831 at SUSECVE-2011-1831 at NVDCVE-2011-1832 at SUSECVE-2011-1832 at NVDCVE-2011-1833 at SUSECVE-2011-1833 at NVDCVE-2011-1834 at SUSECVE-2011-1834 at NVDCVE-2011-1835 at SUSECVE-2011-1835 at NVDCVE-2011-1836 at SUSECVE-2011-1836 at NVDCVE-2011-1837 at SUSECVE-2011-1837 at NVDCVE-2014-9687 at SUSECVE-2014-9687 at NVDCVE-2016-1572 at SUSECVE-2016-1572 at NVDcpe:/o:suse:sles:12:sp3elfutils-0.158-6.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the elfutils-0.158-6.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-0172 at SUSECVE-2014-0172 at NVDCVE-2014-9447 at SUSECVE-2014-9447 at NVDcpe:/o:suse:sles:12:sp3emacs-24.3-19.2 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the emacs-24.3-19.2 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-0035 at SUSECVE-2012-0035 at NVDCVE-2014-3421 at SUSECVE-2014-3421 at NVDCVE-2014-3422 at SUSECVE-2014-3422 at NVDCVE-2014-3423 at SUSECVE-2014-3423 at NVDCVE-2014-3424 at SUSECVE-2014-3424 at NVDcpe:/o:suse:sles:12:sp3eog-3.20.4-7.7 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the eog-3.20.4-7.7 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-7447 at SUSECVE-2013-7447 at NVDCVE-2016-6855 at SUSECVE-2016-6855 at NVDcpe:/o:suse:sles:12:sp3evince-3.20.1-5.66 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the evince-3.20.1-5.66 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-2640 at SUSECVE-2010-2640 at NVDCVE-2010-2641 at SUSECVE-2010-2641 at NVDCVE-2010-2642 at SUSECVE-2010-2642 at NVDCVE-2010-2643 at SUSECVE-2010-2643 at NVDcpe:/o:suse:sles:12:sp3expat-2.1.0-20.2 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the expat-2.1.0-20.2 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-2625 at SUSECVE-2009-2625 at NVDCVE-2009-3560 at SUSECVE-2009-3560 at NVDCVE-2009-3720 at SUSECVE-2009-3720 at NVDCVE-2012-0876 at SUSECVE-2012-0876 at NVDCVE-2012-1147 at SUSECVE-2012-1147 at NVDCVE-2012-1148 at SUSECVE-2012-1148 at NVDCVE-2012-6702 at SUSECVE-2012-6702 at NVDCVE-2015-1283 at SUSECVE-2015-1283 at NVDCVE-2016-0718 at SUSECVE-2016-0718 at NVDCVE-2016-5300 at SUSECVE-2016-5300 at NVDcpe:/o:suse:sles:12:sp3fetchmail-6.3.26-12.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the fetchmail-6.3.26-12.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-2666 at SUSECVE-2009-2666 at NVDCVE-2010-1167 at SUSECVE-2010-1167 at NVDCVE-2011-1947 at SUSECVE-2011-1947 at NVDCVE-2011-3389 at SUSECVE-2011-3389 at NVDCVE-2012-3482 at SUSECVE-2012-3482 at NVDcpe:/o:suse:sles:12:sp3file-5.19-9.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the file-5.19-9.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-1571 at SUSECVE-2012-1571 at NVDCVE-2014-3710 at SUSECVE-2014-3710 at NVDCVE-2014-8116 at SUSECVE-2014-8116 at NVDCVE-2014-8117 at SUSECVE-2014-8117 at NVDcpe:/o:suse:sles:12:sp3fontconfig-2.11.1-7.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the fontconfig-2.11.1-7.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-5384 at SUSECVE-2016-5384 at NVDcpe:/o:suse:sles:12:sp3freeradius-server-3.0.14-1.8 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the freeradius-server-3.0.14-1.8 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-3547 at SUSECVE-2012-3547 at NVDCVE-2014-2015 at SUSECVE-2014-2015 at NVDCVE-2015-4680 at SUSECVE-2015-4680 at NVDCVE-2015-8763 at SUSECVE-2015-8763 at NVDCVE-2017-9148 at SUSECVE-2017-9148 at NVDcpe:/o:suse:sles:12:sp3ft2demos-2.6.3-7.10.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the ft2demos-2.6.3-7.10.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-0946 at SUSECVE-2009-0946 at NVDCVE-2010-2497 at SUSECVE-2010-2497 at NVDCVE-2010-2805 at SUSECVE-2010-2805 at NVDCVE-2010-3053 at SUSECVE-2010-3053 at NVDCVE-2010-3054 at SUSECVE-2010-3054 at NVDCVE-2010-3311 at SUSECVE-2010-3311 at NVDCVE-2010-3814 at SUSECVE-2010-3814 at NVDCVE-2011-0226 at SUSECVE-2011-0226 at NVDCVE-2012-5668 at SUSECVE-2012-5668 at NVDCVE-2012-5669 at SUSECVE-2012-5669 at NVDCVE-2012-5670 at SUSECVE-2012-5670 at NVDCVE-2014-2240 at SUSECVE-2014-2240 at NVDCVE-2014-9656 at SUSECVE-2014-9656 at NVDCVE-2014-9657 at SUSECVE-2014-9657 at NVDCVE-2014-9658 at SUSECVE-2014-9658 at NVDCVE-2014-9659 at SUSECVE-2014-9659 at NVDCVE-2014-9660 at SUSECVE-2014-9660 at NVDCVE-2014-9661 at SUSECVE-2014-9661 at NVDCVE-2014-9662 at SUSECVE-2014-9662 at NVDCVE-2014-9663 at SUSECVE-2014-9663 at NVDCVE-2014-9664 at SUSECVE-2014-9664 at NVDCVE-2014-9665 at SUSECVE-2014-9665 at NVDCVE-2014-9666 at SUSECVE-2014-9666 at NVDCVE-2014-9667 at SUSECVE-2014-9667 at NVDCVE-2014-9668 at SUSECVE-2014-9668 at NVDCVE-2014-9669 at SUSECVE-2014-9669 at NVDCVE-2014-9670 at SUSECVE-2014-9670 at NVDCVE-2014-9671 at SUSECVE-2014-9671 at NVDCVE-2014-9672 at SUSECVE-2014-9672 at NVDCVE-2014-9673 at SUSECVE-2014-9673 at NVDCVE-2014-9674 at SUSECVE-2014-9674 at NVDCVE-2014-9675 at SUSECVE-2014-9675 at NVDcpe:/o:suse:sles:12:sp3fuse-2.9.3-5.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the fuse-2.9.3-5.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-3297 at SUSECVE-2009-3297 at NVDCVE-2011-0541 at SUSECVE-2011-0541 at NVDCVE-2015-3202 at SUSECVE-2015-3202 at NVDcpe:/o:suse:sles:12:sp3gd-2.1.0-23.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the gd-2.1.0-23.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-2497 at SUSECVE-2014-2497 at NVDCVE-2014-9709 at SUSECVE-2014-9709 at NVDCVE-2016-10166 at SUSECVE-2016-10166 at NVDCVE-2016-10167 at SUSECVE-2016-10167 at NVDCVE-2016-10168 at SUSECVE-2016-10168 at NVDCVE-2016-5116 at SUSECVE-2016-5116 at NVDCVE-2016-6128 at SUSECVE-2016-6128 at NVDCVE-2016-6132 at SUSECVE-2016-6132 at NVDCVE-2016-6161 at SUSECVE-2016-6161 at NVDCVE-2016-6207 at SUSECVE-2016-6207 at NVDCVE-2016-6214 at SUSECVE-2016-6214 at NVDCVE-2016-6905 at SUSECVE-2016-6905 at NVDCVE-2016-6906 at SUSECVE-2016-6906 at NVDCVE-2016-6911 at SUSECVE-2016-6911 at NVDCVE-2016-6912 at SUSECVE-2016-6912 at NVDCVE-2016-7568 at SUSECVE-2016-7568 at NVDCVE-2016-8670 at SUSECVE-2016-8670 at NVDCVE-2016-9317 at SUSECVE-2016-9317 at NVDCVE-2016-9933 at SUSECVE-2016-9933 at NVDcpe:/o:suse:sles:12:sp3gdk-pixbuf-lang-2.34.0-18.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the gdk-pixbuf-lang-2.34.0-18.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-2485 at SUSECVE-2011-2485 at NVDCVE-2015-4491 at SUSECVE-2015-4491 at NVDCVE-2015-7552 at SUSECVE-2015-7552 at NVDCVE-2015-7673 at SUSECVE-2015-7673 at NVDCVE-2015-7674 at SUSECVE-2015-7674 at NVDCVE-2016-6352 at SUSECVE-2016-6352 at NVDcpe:/o:suse:sles:12:sp3gdk-pixbuf-loader-rsvg-2.40.15-4.5 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the gdk-pixbuf-loader-rsvg-2.40.15-4.5 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-3146 at SUSECVE-2011-3146 at NVDCVE-2013-1881 at SUSECVE-2013-1881 at NVDcpe:/o:suse:sles:12:sp3gdm-3.10.0.1-52.5 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the gdm-3.10.0.1-52.5 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-1709 at SUSECVE-2011-1709 at NVDcpe:/o:suse:sles:12:sp3ghostscript-9.15-22.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the ghostscript-9.15-22.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-5653 at SUSECVE-2013-5653 at NVDCVE-2015-3228 at SUSECVE-2015-3228 at NVDCVE-2016-10220 at SUSECVE-2016-10220 at NVDCVE-2016-7978 at SUSECVE-2016-7978 at NVDCVE-2016-7979 at SUSECVE-2016-7979 at NVDCVE-2016-8602 at SUSECVE-2016-8602 at NVDCVE-2016-9601 at SUSECVE-2016-9601 at NVDCVE-2017-5951 at SUSECVE-2017-5951 at NVDCVE-2017-7207 at SUSECVE-2017-7207 at NVDCVE-2017-8291 at SUSECVE-2017-8291 at NVDcpe:/o:suse:sles:12:sp3giflib-progs-5.0.5-12.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the giflib-progs-5.0.5-12.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-7555 at SUSECVE-2015-7555 at NVDCVE-2016-3977 at SUSECVE-2016-3977 at NVDcpe:/o:suse:sles:12:sp3git-core-2.12.3-26.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the git-core-2.12.3-26.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-2186 at SUSECVE-2011-2186 at NVDCVE-2014-9390 at SUSECVE-2014-9390 at NVDCVE-2016-2315 at SUSECVE-2016-2315 at NVDCVE-2016-2324 at SUSECVE-2016-2324 at NVDCVE-2017-8386 at SUSECVE-2017-8386 at NVDcpe:/o:suse:sles:12:sp3glib2-lang-2.48.2-10.2 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the glib2-lang-2.48.2-10.2 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2008-4316 at SUSECVE-2008-4316 at NVDCVE-2012-3524 at SUSECVE-2012-3524 at NVDcpe:/o:suse:sles:12:sp3glibc-2.22-61.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the glibc-2.22-61.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-5029 at SUSECVE-2009-5029 at NVDCVE-2012-3406 at SUSECVE-2012-3406 at NVDCVE-2012-4412 at SUSECVE-2012-4412 at NVDCVE-2013-0242 at SUSECVE-2013-0242 at NVDCVE-2013-1914 at SUSECVE-2013-1914 at NVDCVE-2013-2207 at SUSECVE-2013-2207 at NVDCVE-2013-4237 at SUSECVE-2013-4237 at NVDCVE-2013-4332 at SUSECVE-2013-4332 at NVDCVE-2013-4458 at SUSECVE-2013-4458 at NVDCVE-2013-7423 at SUSECVE-2013-7423 at NVDCVE-2014-0475 at SUSECVE-2014-0475 at NVDCVE-2014-4043 at SUSECVE-2014-4043 at NVDCVE-2014-5119 at SUSECVE-2014-5119 at NVDCVE-2014-6040 at SUSECVE-2014-6040 at NVDCVE-2014-7817 at SUSECVE-2014-7817 at NVDCVE-2014-8121 at SUSECVE-2014-8121 at NVDCVE-2014-9402 at SUSECVE-2014-9402 at NVDCVE-2014-9761 at SUSECVE-2014-9761 at NVDCVE-2015-1472 at SUSECVE-2015-1472 at NVDCVE-2015-1473 at SUSECVE-2015-1473 at NVDCVE-2015-1781 at SUSECVE-2015-1781 at NVDCVE-2015-7547 at SUSECVE-2015-7547 at NVDCVE-2015-8776 at SUSECVE-2015-8776 at NVDCVE-2015-8777 at SUSECVE-2015-8777 at NVDCVE-2015-8778 at SUSECVE-2015-8778 at NVDCVE-2015-8779 at SUSECVE-2015-8779 at NVDCVE-2016-1234 at SUSECVE-2016-1234 at NVDCVE-2016-3075 at SUSECVE-2016-3075 at NVDCVE-2016-3706 at SUSECVE-2016-3706 at NVDCVE-2016-4429 at SUSECVE-2016-4429 at NVDCVE-2017-1000366 at SUSECVE-2017-1000366 at NVDcpe:/o:suse:sles:12:sp3gnome-keyring-3.20.0-27.2 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the gnome-keyring-3.20.0-27.2 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-3466 at SUSECVE-2012-3466 at NVDcpe:/o:suse:sles:12:sp3gnome-settings-daemon-3.20.1-49.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the gnome-settings-daemon-3.20.1-49.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-7300 at SUSECVE-2014-7300 at NVDcpe:/o:suse:sles:12:sp3gnome-shell-3.20.4-76.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the gnome-shell-3.20.4-76.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-4000 at SUSECVE-2010-4000 at NVDcpe:/o:suse:sles:12:sp3gnutls-3.3.27-1.10 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the gnutls-3.3.27-1.10 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2008-4989 at SUSECVE-2008-4989 at NVDCVE-2011-4128 at SUSECVE-2011-4128 at NVDCVE-2012-0390 at SUSECVE-2012-0390 at NVDCVE-2012-1569 at SUSECVE-2012-1569 at NVDCVE-2012-1573 at SUSECVE-2012-1573 at NVDCVE-2014-0092 at SUSECVE-2014-0092 at NVDCVE-2014-1959 at SUSECVE-2014-1959 at NVDCVE-2014-3466 at SUSECVE-2014-3466 at NVDCVE-2014-8564 at SUSECVE-2014-8564 at NVDCVE-2015-0294 at SUSECVE-2015-0294 at NVDCVE-2015-3622 at SUSECVE-2015-3622 at NVDCVE-2015-6251 at SUSECVE-2015-6251 at NVDCVE-2016-7444 at SUSECVE-2016-7444 at NVDCVE-2016-8610 at SUSECVE-2016-8610 at NVDCVE-2017-5335 at SUSECVE-2017-5335 at NVDCVE-2017-5336 at SUSECVE-2017-5336 at NVDCVE-2017-5337 at SUSECVE-2017-5337 at NVDcpe:/o:suse:sles:12:sp3gpg2-2.0.24-8.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the gpg2-2.0.24-8.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-2547 at SUSECVE-2010-2547 at NVDCVE-2013-4351 at SUSECVE-2013-4351 at NVDCVE-2013-4402 at SUSECVE-2013-4402 at NVDCVE-2014-4617 at SUSECVE-2014-4617 at NVDCVE-2015-1606 at SUSECVE-2015-1606 at NVDCVE-2015-1607 at SUSECVE-2015-1607 at NVDcpe:/o:suse:sles:12:sp3gpgme-1.5.1-1.11 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the gpgme-1.5.1-1.11 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-3564 at SUSECVE-2014-3564 at NVDcpe:/o:suse:sles:12:sp3groff-1.22.2-5.287 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the groff-1.22.2-5.287 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-5044 at SUSECVE-2009-5044 at NVDCVE-2009-5080 at SUSECVE-2009-5080 at NVDCVE-2009-5081 at SUSECVE-2009-5081 at NVDcpe:/o:suse:sles:12:sp3grub2-2.02-2.12 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the grub2-2.02-2.12 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-8370 at SUSECVE-2015-8370 at NVDcpe:/o:suse:sles:12:sp3gstreamer-1.8.3-9.5 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the gstreamer-1.8.3-9.5 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2017-5838 at SUSECVE-2017-5838 at NVDcpe:/o:suse:sles:12:sp3gstreamer-plugins-bad-1.8.3-17.2 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the gstreamer-plugins-bad-1.8.3-17.2 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-9445 at SUSECVE-2016-9445 at NVDCVE-2016-9446 at SUSECVE-2016-9446 at NVDCVE-2016-9809 at SUSECVE-2016-9809 at NVDCVE-2016-9812 at SUSECVE-2016-9812 at NVDCVE-2016-9813 at SUSECVE-2016-9813 at NVDCVE-2017-5843 at SUSECVE-2017-5843 at NVDCVE-2017-5848 at SUSECVE-2017-5848 at NVDcpe:/o:suse:sles:12:sp3gstreamer-plugins-base-1.8.3-12.11 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the gstreamer-plugins-base-1.8.3-12.11 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-9811 at SUSECVE-2016-9811 at NVDCVE-2017-5837 at SUSECVE-2017-5837 at NVDCVE-2017-5839 at SUSECVE-2017-5839 at NVDCVE-2017-5842 at SUSECVE-2017-5842 at NVDCVE-2017-5844 at SUSECVE-2017-5844 at NVDcpe:/o:suse:sles:12:sp3gstreamer-plugins-good-1.8.3-15.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the gstreamer-plugins-good-1.8.3-15.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-10198 at SUSECVE-2016-10198 at NVDCVE-2016-10199 at SUSECVE-2016-10199 at NVDCVE-2016-9634 at SUSECVE-2016-9634 at NVDCVE-2016-9635 at SUSECVE-2016-9635 at NVDCVE-2016-9636 at SUSECVE-2016-9636 at NVDCVE-2016-9807 at SUSECVE-2016-9807 at NVDCVE-2016-9808 at SUSECVE-2016-9808 at NVDCVE-2016-9810 at SUSECVE-2016-9810 at NVDCVE-2017-5840 at SUSECVE-2017-5840 at NVDCVE-2017-5841 at SUSECVE-2017-5841 at NVDCVE-2017-5845 at SUSECVE-2017-5845 at NVDcpe:/o:suse:sles:12:sp3gtk2-data-2.24.31-7.11 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the gtk2-data-2.24.31-7.11 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-7447 at SUSECVE-2013-7447 at NVDcpe:/o:suse:sles:12:sp3guestfs-data-1.32.4-19.24 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the guestfs-data-1.32.4-19.24 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-2124 at SUSECVE-2013-2124 at NVDCVE-2013-4419 at SUSECVE-2013-4419 at NVDcpe:/o:suse:sles:12:sp3guile-2.0.9-8.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the guile-2.0.9-8.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-8605 at SUSECVE-2016-8605 at NVDcpe:/o:suse:sles:12:sp3gv-3.7.4-1.36 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the gv-3.7.4-1.36 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-3386 at SUSECVE-2012-3386 at NVDcpe:/o:suse:sles:12:sp3gvim-7.4.326-16.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the gvim-7.4.326-16.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-0316 at SUSECVE-2009-0316 at NVDCVE-2016-1248 at SUSECVE-2016-1248 at NVDCVE-2017-5953 at SUSECVE-2017-5953 at NVDCVE-2017-6349 at SUSECVE-2017-6349 at NVDCVE-2017-6350 at SUSECVE-2017-6350 at NVDcpe:/o:suse:sles:12:sp3gzip-1.6-7.209 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the gzip-1.6-7.209 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-2624 at SUSECVE-2009-2624 at NVDCVE-2010-0001 at SUSECVE-2010-0001 at NVDcpe:/o:suse:sles:12:sp3hardlink-1.0-6.38 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the hardlink-1.0-6.38 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-3630 at SUSECVE-2011-3630 at NVDCVE-2011-3631 at SUSECVE-2011-3631 at NVDCVE-2011-3632 at SUSECVE-2011-3632 at NVDcpe:/o:suse:sles:12:sp3hplip-3.16.11-1.33 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the hplip-3.16.11-1.33 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2004-0801 at SUSECVE-2004-0801 at NVDCVE-2010-4267 at SUSECVE-2010-4267 at NVDCVE-2011-2697 at SUSECVE-2011-2697 at NVDCVE-2011-2722 at SUSECVE-2011-2722 at NVDCVE-2013-4325 at SUSECVE-2013-4325 at NVDCVE-2013-6402 at SUSECVE-2013-6402 at NVDCVE-2013-6427 at SUSECVE-2013-6427 at NVDCVE-2015-0839 at SUSECVE-2015-0839 at NVDcpe:/o:suse:sles:12:sp3hyper-v-7-13.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the hyper-v-7-13.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-2669 at SUSECVE-2012-2669 at NVDCVE-2012-5532 at SUSECVE-2012-5532 at NVDcpe:/o:suse:sles:12:sp3ibus-chewing-1.4.14-4.11 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the ibus-chewing-1.4.14-4.11 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-4509 at SUSECVE-2013-4509 at NVDcpe:/o:suse:sles:12:sp3ipsec-tools-0.8.0-18.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the ipsec-tools-0.8.0-18.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-4047 at SUSECVE-2015-4047 at NVDcpe:/o:suse:sles:12:sp3iputils-s20121221-2.17 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the iputils-s20121221-2.17 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-2529 at SUSECVE-2010-2529 at NVDcpe:/o:suse:sles:12:sp3jakarta-commons-fileupload-1.1.1-120.113 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the jakarta-commons-fileupload-1.1.1-120.113 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-2186 at SUSECVE-2013-2186 at NVDCVE-2014-0050 at SUSECVE-2014-0050 at NVDcpe:/o:suse:sles:12:sp3jakarta-taglibs-standard-1.1.1-255.2 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the jakarta-taglibs-standard-1.1.1-255.2 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-0254 at SUSECVE-2015-0254 at NVDcpe:/o:suse:sles:12:sp3java-1_7_0-openjdk-1.7.0.141-42.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the java-1_7_0-openjdk-1.7.0.141-42.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-3563 at SUSECVE-2011-3563 at NVDCVE-2011-3571 at SUSECVE-2011-3571 at NVDCVE-2011-5035 at SUSECVE-2011-5035 at NVDCVE-2012-0497 at SUSECVE-2012-0497 at NVDCVE-2012-0501 at SUSECVE-2012-0501 at NVDCVE-2012-0502 at SUSECVE-2012-0502 at NVDCVE-2012-0503 at SUSECVE-2012-0503 at NVDCVE-2012-0505 at SUSECVE-2012-0505 at NVDCVE-2012-0506 at SUSECVE-2012-0506 at NVDCVE-2012-0547 at SUSECVE-2012-0547 at NVDCVE-2012-1682 at SUSECVE-2012-1682 at NVDCVE-2012-1711 at SUSECVE-2012-1711 at NVDCVE-2012-1713 at SUSECVE-2012-1713 at NVDCVE-2012-1716 at SUSECVE-2012-1716 at NVDCVE-2012-1717 at SUSECVE-2012-1717 at NVDCVE-2012-1718 at SUSECVE-2012-1718 at NVDCVE-2012-1719 at SUSECVE-2012-1719 at NVDCVE-2012-1723 at SUSECVE-2012-1723 at NVDCVE-2012-1724 at SUSECVE-2012-1724 at NVDCVE-2012-1725 at SUSECVE-2012-1725 at NVDCVE-2012-1726 at SUSECVE-2012-1726 at NVDCVE-2012-3136 at SUSECVE-2012-3136 at NVDCVE-2012-3174 at SUSECVE-2012-3174 at NVDCVE-2012-3216 at SUSECVE-2012-3216 at NVDCVE-2012-4416 at SUSECVE-2012-4416 at NVDCVE-2012-4681 at SUSECVE-2012-4681 at NVDCVE-2012-5068 at SUSECVE-2012-5068 at NVDCVE-2012-5069 at SUSECVE-2012-5069 at NVDCVE-2012-5070 at SUSECVE-2012-5070 at NVDCVE-2012-5071 at SUSECVE-2012-5071 at NVDCVE-2012-5072 at SUSECVE-2012-5072 at NVDCVE-2012-5073 at SUSECVE-2012-5073 at NVDCVE-2012-5074 at SUSECVE-2012-5074 at NVDCVE-2012-5075 at SUSECVE-2012-5075 at NVDCVE-2012-5076 at SUSECVE-2012-5076 at NVDCVE-2012-5077 at SUSECVE-2012-5077 at NVDCVE-2012-5079 at SUSECVE-2012-5079 at NVDCVE-2012-5081 at SUSECVE-2012-5081 at NVDCVE-2012-5084 at SUSECVE-2012-5084 at NVDCVE-2012-5085 at SUSECVE-2012-5085 at NVDCVE-2012-5086 at SUSECVE-2012-5086 at NVDCVE-2012-5087 at SUSECVE-2012-5087 at NVDCVE-2012-5088 at SUSECVE-2012-5088 at NVDCVE-2012-5089 at SUSECVE-2012-5089 at NVDCVE-2013-0169 at SUSECVE-2013-0169 at NVDCVE-2013-0401 at SUSECVE-2013-0401 at NVDCVE-2013-0422 at SUSECVE-2013-0422 at NVDCVE-2013-0424 at SUSECVE-2013-0424 at NVDCVE-2013-0425 at SUSECVE-2013-0425 at NVDCVE-2013-0426 at SUSECVE-2013-0426 at NVDCVE-2013-0427 at SUSECVE-2013-0427 at NVDCVE-2013-0428 at SUSECVE-2013-0428 at NVDCVE-2013-0429 at SUSECVE-2013-0429 at NVDCVE-2013-0431 at SUSECVE-2013-0431 at NVDCVE-2013-0432 at SUSECVE-2013-0432 at NVDCVE-2013-0433 at SUSECVE-2013-0433 at NVDCVE-2013-0434 at SUSECVE-2013-0434 at NVDCVE-2013-0435 at SUSECVE-2013-0435 at NVDCVE-2013-0440 at SUSECVE-2013-0440 at NVDCVE-2013-0441 at SUSECVE-2013-0441 at NVDCVE-2013-0442 at SUSECVE-2013-0442 at NVDCVE-2013-0443 at SUSECVE-2013-0443 at NVDCVE-2013-0444 at SUSECVE-2013-0444 at NVDCVE-2013-0450 at SUSECVE-2013-0450 at NVDCVE-2013-0809 at SUSECVE-2013-0809 at NVDCVE-2013-1475 at SUSECVE-2013-1475 at NVDCVE-2013-1476 at SUSECVE-2013-1476 at NVDCVE-2013-1478 at SUSECVE-2013-1478 at NVDCVE-2013-1480 at SUSECVE-2013-1480 at NVDCVE-2013-1484 at SUSECVE-2013-1484 at NVDCVE-2013-1485 at SUSECVE-2013-1485 at NVDCVE-2013-1486 at SUSECVE-2013-1486 at NVDCVE-2013-1488 at SUSECVE-2013-1488 at NVDCVE-2013-1493 at SUSECVE-2013-1493 at NVDCVE-2013-1500 at SUSECVE-2013-1500 at NVDCVE-2013-1518 at SUSECVE-2013-1518 at NVDCVE-2013-1537 at SUSECVE-2013-1537 at NVDCVE-2013-1557 at SUSECVE-2013-1557 at NVDCVE-2013-1569 at SUSECVE-2013-1569 at NVDCVE-2013-1571 at SUSECVE-2013-1571 at NVDCVE-2013-2383 at SUSECVE-2013-2383 at NVDCVE-2013-2384 at SUSECVE-2013-2384 at NVDCVE-2013-2407 at SUSECVE-2013-2407 at NVDCVE-2013-2412 at SUSECVE-2013-2412 at NVDCVE-2013-2415 at SUSECVE-2013-2415 at NVDCVE-2013-2417 at SUSECVE-2013-2417 at NVDCVE-2013-2419 at SUSECVE-2013-2419 at NVDCVE-2013-2420 at SUSECVE-2013-2420 at NVDCVE-2013-2421 at SUSECVE-2013-2421 at NVDCVE-2013-2422 at SUSECVE-2013-2422 at NVDCVE-2013-2423 at SUSECVE-2013-2423 at NVDCVE-2013-2424 at SUSECVE-2013-2424 at NVDCVE-2013-2426 at SUSECVE-2013-2426 at NVDCVE-2013-2429 at SUSECVE-2013-2429 at NVDCVE-2013-2430 at SUSECVE-2013-2430 at NVDCVE-2013-2431 at SUSECVE-2013-2431 at NVDCVE-2013-2436 at SUSECVE-2013-2436 at NVDCVE-2013-2443 at SUSECVE-2013-2443 at NVDCVE-2013-2444 at SUSECVE-2013-2444 at NVDCVE-2013-2445 at SUSECVE-2013-2445 at NVDCVE-2013-2446 at SUSECVE-2013-2446 at NVDCVE-2013-2447 at SUSECVE-2013-2447 at NVDCVE-2013-2448 at SUSECVE-2013-2448 at NVDCVE-2013-2449 at SUSECVE-2013-2449 at NVDCVE-2013-2450 at SUSECVE-2013-2450 at NVDCVE-2013-2451 at SUSECVE-2013-2451 at NVDCVE-2013-2452 at SUSECVE-2013-2452 at NVDCVE-2013-2453 at SUSECVE-2013-2453 at NVDCVE-2013-2454 at SUSECVE-2013-2454 at NVDCVE-2013-2455 at SUSECVE-2013-2455 at NVDCVE-2013-2456 at SUSECVE-2013-2456 at NVDCVE-2013-2457 at SUSECVE-2013-2457 at NVDCVE-2013-2458 at SUSECVE-2013-2458 at NVDCVE-2013-2459 at SUSECVE-2013-2459 at NVDCVE-2013-2460 at SUSECVE-2013-2460 at NVDCVE-2013-2461 at SUSECVE-2013-2461 at NVDCVE-2013-2463 at SUSECVE-2013-2463 at NVDCVE-2013-2465 at SUSECVE-2013-2465 at NVDCVE-2013-2469 at SUSECVE-2013-2469 at NVDCVE-2013-2470 at SUSECVE-2013-2470 at NVDCVE-2013-2471 at SUSECVE-2013-2471 at NVDCVE-2013-2472 at SUSECVE-2013-2472 at NVDCVE-2013-2473 at SUSECVE-2013-2473 at NVDCVE-2013-3829 at SUSECVE-2013-3829 at NVDCVE-2013-4002 at SUSECVE-2013-4002 at NVDCVE-2013-5772 at SUSECVE-2013-5772 at NVDCVE-2013-5774 at SUSECVE-2013-5774 at NVDCVE-2013-5778 at SUSECVE-2013-5778 at NVDCVE-2013-5780 at SUSECVE-2013-5780 at NVDCVE-2013-5782 at SUSECVE-2013-5782 at NVDCVE-2013-5783 at SUSECVE-2013-5783 at NVDCVE-2013-5784 at SUSECVE-2013-5784 at NVDCVE-2013-5790 at SUSECVE-2013-5790 at NVDCVE-2013-5797 at SUSECVE-2013-5797 at NVDCVE-2013-5800 at SUSECVE-2013-5800 at NVDCVE-2013-5802 at SUSECVE-2013-5802 at NVDCVE-2013-5803 at SUSECVE-2013-5803 at NVDCVE-2013-5804 at SUSECVE-2013-5804 at NVDCVE-2013-5805 at SUSECVE-2013-5805 at NVDCVE-2013-5806 at SUSECVE-2013-5806 at NVDCVE-2013-5809 at SUSECVE-2013-5809 at NVDCVE-2013-5814 at SUSECVE-2013-5814 at NVDCVE-2013-5817 at SUSECVE-2013-5817 at NVDCVE-2013-5820 at SUSECVE-2013-5820 at NVDCVE-2013-5823 at SUSECVE-2013-5823 at NVDCVE-2013-5825 at SUSECVE-2013-5825 at NVDCVE-2013-5829 at SUSECVE-2013-5829 at NVDCVE-2013-5830 at SUSECVE-2013-5830 at NVDCVE-2013-5840 at SUSECVE-2013-5840 at NVDCVE-2013-5842 at SUSECVE-2013-5842 at NVDCVE-2013-5849 at SUSECVE-2013-5849 at NVDCVE-2013-5850 at SUSECVE-2013-5850 at NVDCVE-2013-5851 at SUSECVE-2013-5851 at NVDCVE-2013-5878 at SUSECVE-2013-5878 at NVDCVE-2013-5884 at SUSECVE-2013-5884 at NVDCVE-2013-5893 at SUSECVE-2013-5893 at NVDCVE-2013-5896 at SUSECVE-2013-5896 at NVDCVE-2013-5907 at SUSECVE-2013-5907 at NVDCVE-2013-5910 at SUSECVE-2013-5910 at NVDCVE-2013-6629 at SUSECVE-2013-6629 at NVDCVE-2013-6954 at SUSECVE-2013-6954 at NVDCVE-2014-0368 at SUSECVE-2014-0368 at NVDCVE-2014-0373 at SUSECVE-2014-0373 at NVDCVE-2014-0376 at SUSECVE-2014-0376 at NVDCVE-2014-0408 at SUSECVE-2014-0408 at NVDCVE-2014-0411 at SUSECVE-2014-0411 at NVDCVE-2014-0416 at SUSECVE-2014-0416 at NVDCVE-2014-0422 at SUSECVE-2014-0422 at NVDCVE-2014-0423 at SUSECVE-2014-0423 at NVDCVE-2014-0428 at SUSECVE-2014-0428 at NVDCVE-2014-0429 at SUSECVE-2014-0429 at NVDCVE-2014-0446 at SUSECVE-2014-0446 at NVDCVE-2014-0451 at SUSECVE-2014-0451 at NVDCVE-2014-0452 at SUSECVE-2014-0452 at NVDCVE-2014-0453 at SUSECVE-2014-0453 at NVDCVE-2014-0454 at SUSECVE-2014-0454 at NVDCVE-2014-0455 at SUSECVE-2014-0455 at NVDCVE-2014-0456 at SUSECVE-2014-0456 at NVDCVE-2014-0457 at SUSECVE-2014-0457 at NVDCVE-2014-0458 at SUSECVE-2014-0458 at NVDCVE-2014-0459 at SUSECVE-2014-0459 at NVDCVE-2014-0460 at SUSECVE-2014-0460 at NVDCVE-2014-0461 at SUSECVE-2014-0461 at NVDCVE-2014-1876 at SUSECVE-2014-1876 at NVDCVE-2014-2397 at SUSECVE-2014-2397 at NVDCVE-2014-2398 at SUSECVE-2014-2398 at NVDCVE-2014-2402 at SUSECVE-2014-2402 at NVDCVE-2014-2403 at SUSECVE-2014-2403 at NVDCVE-2014-2412 at SUSECVE-2014-2412 at NVDCVE-2014-2413 at SUSECVE-2014-2413 at NVDCVE-2014-2414 at SUSECVE-2014-2414 at NVDCVE-2014-2421 at SUSECVE-2014-2421 at NVDCVE-2014-2423 at SUSECVE-2014-2423 at NVDCVE-2014-2427 at SUSECVE-2014-2427 at NVDCVE-2014-2483 at SUSECVE-2014-2483 at NVDCVE-2014-2490 at SUSECVE-2014-2490 at NVDCVE-2014-3566 at SUSECVE-2014-3566 at NVDCVE-2014-4209 at SUSECVE-2014-4209 at NVDCVE-2014-4216 at SUSECVE-2014-4216 at NVDCVE-2014-4218 at SUSECVE-2014-4218 at NVDCVE-2014-4219 at SUSECVE-2014-4219 at NVDCVE-2014-4221 at SUSECVE-2014-4221 at NVDCVE-2014-4223 at SUSECVE-2014-4223 at NVDCVE-2014-4244 at SUSECVE-2014-4244 at NVDCVE-2014-4252 at SUSECVE-2014-4252 at NVDCVE-2014-4262 at SUSECVE-2014-4262 at NVDCVE-2014-4263 at SUSECVE-2014-4263 at NVDCVE-2014-4264 at SUSECVE-2014-4264 at NVDCVE-2014-4266 at SUSECVE-2014-4266 at NVDCVE-2014-4268 at SUSECVE-2014-4268 at NVDCVE-2014-6457 at SUSECVE-2014-6457 at NVDCVE-2014-6502 at SUSECVE-2014-6502 at NVDCVE-2014-6504 at SUSECVE-2014-6504 at NVDCVE-2014-6506 at SUSECVE-2014-6506 at NVDCVE-2014-6511 at SUSECVE-2014-6511 at NVDCVE-2014-6512 at SUSECVE-2014-6512 at NVDCVE-2014-6513 at SUSECVE-2014-6513 at NVDCVE-2014-6517 at SUSECVE-2014-6517 at NVDCVE-2014-6519 at SUSECVE-2014-6519 at NVDCVE-2014-6531 at SUSECVE-2014-6531 at NVDCVE-2014-6558 at SUSECVE-2014-6558 at NVDCVE-2014-6585 at SUSECVE-2014-6585 at NVDCVE-2014-6587 at SUSECVE-2014-6587 at NVDCVE-2014-6591 at SUSECVE-2014-6591 at NVDCVE-2014-6593 at SUSECVE-2014-6593 at NVDCVE-2014-6601 at SUSECVE-2014-6601 at NVDCVE-2015-0383 at SUSECVE-2015-0383 at NVDCVE-2015-0395 at SUSECVE-2015-0395 at NVDCVE-2015-0400 at SUSECVE-2015-0400 at NVDCVE-2015-0407 at SUSECVE-2015-0407 at NVDCVE-2015-0408 at SUSECVE-2015-0408 at NVDCVE-2015-0410 at SUSECVE-2015-0410 at NVDCVE-2015-0412 at SUSECVE-2015-0412 at NVDCVE-2015-0460 at SUSECVE-2015-0460 at NVDCVE-2015-0469 at SUSECVE-2015-0469 at NVDCVE-2015-0477 at SUSECVE-2015-0477 at NVDCVE-2015-0478 at SUSECVE-2015-0478 at NVDCVE-2015-0480 at SUSECVE-2015-0480 at NVDCVE-2015-0488 at SUSECVE-2015-0488 at NVDCVE-2015-2590 at SUSECVE-2015-2590 at NVDCVE-2015-2601 at SUSECVE-2015-2601 at NVDCVE-2015-2613 at SUSECVE-2015-2613 at NVDCVE-2015-2621 at SUSECVE-2015-2621 at NVDCVE-2015-2625 at SUSECVE-2015-2625 at NVDCVE-2015-2628 at SUSECVE-2015-2628 at NVDCVE-2015-2632 at SUSECVE-2015-2632 at NVDCVE-2015-2808 at SUSECVE-2015-2808 at NVDCVE-2015-4000 at SUSECVE-2015-4000 at NVDCVE-2015-4731 at SUSECVE-2015-4731 at NVDCVE-2015-4732 at SUSECVE-2015-4732 at NVDCVE-2015-4733 at SUSECVE-2015-4733 at NVDCVE-2015-4734 at SUSECVE-2015-4734 at NVDCVE-2015-4748 at SUSECVE-2015-4748 at NVDCVE-2015-4749 at SUSECVE-2015-4749 at NVDCVE-2015-4760 at SUSECVE-2015-4760 at NVDCVE-2015-4803 at SUSECVE-2015-4803 at NVDCVE-2015-4805 at SUSECVE-2015-4805 at NVDCVE-2015-4806 at SUSECVE-2015-4806 at NVDCVE-2015-4835 at SUSECVE-2015-4835 at NVDCVE-2015-4840 at SUSECVE-2015-4840 at NVDCVE-2015-4842 at SUSECVE-2015-4842 at NVDCVE-2015-4843 at SUSECVE-2015-4843 at NVDCVE-2015-4844 at SUSECVE-2015-4844 at NVDCVE-2015-4860 at SUSECVE-2015-4860 at NVDCVE-2015-4871 at SUSECVE-2015-4871 at NVDCVE-2015-4872 at SUSECVE-2015-4872 at NVDCVE-2015-4881 at SUSECVE-2015-4881 at NVDCVE-2015-4882 at SUSECVE-2015-4882 at NVDCVE-2015-4883 at SUSECVE-2015-4883 at NVDCVE-2015-4893 at SUSECVE-2015-4893 at NVDCVE-2015-4903 at SUSECVE-2015-4903 at NVDCVE-2015-4911 at SUSECVE-2015-4911 at NVDCVE-2015-7575 at SUSECVE-2015-7575 at NVDCVE-2015-8126 at SUSECVE-2015-8126 at NVDCVE-2015-8472 at SUSECVE-2015-8472 at NVDCVE-2016-0402 at SUSECVE-2016-0402 at NVDCVE-2016-0448 at SUSECVE-2016-0448 at NVDCVE-2016-0466 at SUSECVE-2016-0466 at NVDCVE-2016-0483 at SUSECVE-2016-0483 at NVDCVE-2016-0494 at SUSECVE-2016-0494 at NVDCVE-2016-0636 at SUSECVE-2016-0636 at NVDCVE-2016-0686 at SUSECVE-2016-0686 at NVDCVE-2016-0687 at SUSECVE-2016-0687 at NVDCVE-2016-0695 at SUSECVE-2016-0695 at NVDCVE-2016-2183 at SUSECVE-2016-2183 at NVDCVE-2016-3425 at SUSECVE-2016-3425 at NVDCVE-2016-3427 at SUSECVE-2016-3427 at NVDCVE-2016-3458 at SUSECVE-2016-3458 at NVDCVE-2016-3485 at SUSECVE-2016-3485 at NVDCVE-2016-3498 at SUSECVE-2016-3498 at NVDCVE-2016-3500 at SUSECVE-2016-3500 at NVDCVE-2016-3503 at SUSECVE-2016-3503 at NVDCVE-2016-3508 at SUSECVE-2016-3508 at NVDCVE-2016-3511 at SUSECVE-2016-3511 at NVDCVE-2016-3550 at SUSECVE-2016-3550 at NVDCVE-2016-3598 at SUSECVE-2016-3598 at NVDCVE-2016-3606 at SUSECVE-2016-3606 at NVDCVE-2016-3610 at SUSECVE-2016-3610 at NVDCVE-2016-5542 at SUSECVE-2016-5542 at NVDCVE-2016-5546 at SUSECVE-2016-5546 at NVDCVE-2016-5547 at SUSECVE-2016-5547 at NVDCVE-2016-5548 at SUSECVE-2016-5548 at NVDCVE-2016-5549 at SUSECVE-2016-5549 at NVDCVE-2016-5552 at SUSECVE-2016-5552 at NVDCVE-2016-5554 at SUSECVE-2016-5554 at NVDCVE-2016-5556 at SUSECVE-2016-5556 at NVDCVE-2016-5568 at SUSECVE-2016-5568 at NVDCVE-2016-5573 at SUSECVE-2016-5573 at NVDCVE-2016-5582 at SUSECVE-2016-5582 at NVDCVE-2016-5597 at SUSECVE-2016-5597 at NVDCVE-2017-3231 at SUSECVE-2017-3231 at NVDCVE-2017-3241 at SUSECVE-2017-3241 at NVDCVE-2017-3252 at SUSECVE-2017-3252 at NVDCVE-2017-3253 at SUSECVE-2017-3253 at NVDCVE-2017-3260 at SUSECVE-2017-3260 at NVDCVE-2017-3261 at SUSECVE-2017-3261 at NVDCVE-2017-3272 at SUSECVE-2017-3272 at NVDCVE-2017-3289 at SUSECVE-2017-3289 at NVDCVE-2017-3509 at SUSECVE-2017-3509 at NVDCVE-2017-3511 at SUSECVE-2017-3511 at NVDCVE-2017-3512 at SUSECVE-2017-3512 at NVDCVE-2017-3514 at SUSECVE-2017-3514 at NVDCVE-2017-3526 at SUSECVE-2017-3526 at NVDCVE-2017-3533 at SUSECVE-2017-3533 at NVDCVE-2017-3539 at SUSECVE-2017-3539 at NVDCVE-2017-3544 at SUSECVE-2017-3544 at NVDcpe:/o:suse:sles:12:sp3java-1_7_1-ibm-1.7.1_sr4.5-37.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the java-1_7_1-ibm-1.7.1_sr4.5-37.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-3065 at SUSECVE-2014-3065 at NVDCVE-2014-3566 at SUSECVE-2014-3566 at NVDCVE-2014-4288 at SUSECVE-2014-4288 at NVDCVE-2014-6456 at SUSECVE-2014-6456 at NVDCVE-2014-6457 at SUSECVE-2014-6457 at NVDCVE-2014-6458 at SUSECVE-2014-6458 at NVDCVE-2014-6466 at SUSECVE-2014-6466 at NVDCVE-2014-6476 at SUSECVE-2014-6476 at NVDCVE-2014-6492 at SUSECVE-2014-6492 at NVDCVE-2014-6493 at SUSECVE-2014-6493 at NVDCVE-2014-6502 at SUSECVE-2014-6502 at NVDCVE-2014-6503 at SUSECVE-2014-6503 at NVDCVE-2014-6506 at SUSECVE-2014-6506 at NVDCVE-2014-6511 at SUSECVE-2014-6511 at NVDCVE-2014-6512 at SUSECVE-2014-6512 at NVDCVE-2014-6513 at SUSECVE-2014-6513 at NVDCVE-2014-6515 at SUSECVE-2014-6515 at NVDCVE-2014-6527 at SUSECVE-2014-6527 at NVDCVE-2014-6531 at SUSECVE-2014-6531 at NVDCVE-2014-6532 at SUSECVE-2014-6532 at NVDCVE-2014-6558 at SUSECVE-2014-6558 at NVDCVE-2014-8891 at SUSECVE-2014-8891 at NVDCVE-2014-8892 at SUSECVE-2014-8892 at NVDCVE-2015-0138 at SUSECVE-2015-0138 at NVDCVE-2015-0192 at SUSECVE-2015-0192 at NVDCVE-2015-0204 at SUSECVE-2015-0204 at NVDCVE-2015-0458 at SUSECVE-2015-0458 at NVDCVE-2015-0459 at SUSECVE-2015-0459 at NVDCVE-2015-0469 at SUSECVE-2015-0469 at NVDCVE-2015-0477 at SUSECVE-2015-0477 at NVDCVE-2015-0478 at SUSECVE-2015-0478 at NVDCVE-2015-0480 at SUSECVE-2015-0480 at NVDCVE-2015-0488 at SUSECVE-2015-0488 at NVDCVE-2015-0491 at SUSECVE-2015-0491 at NVDCVE-2015-1914 at SUSECVE-2015-1914 at NVDCVE-2015-1931 at SUSECVE-2015-1931 at NVDCVE-2015-2590 at SUSECVE-2015-2590 at NVDCVE-2015-2601 at SUSECVE-2015-2601 at NVDCVE-2015-2613 at SUSECVE-2015-2613 at NVDCVE-2015-2619 at SUSECVE-2015-2619 at NVDCVE-2015-2621 at SUSECVE-2015-2621 at NVDCVE-2015-2625 at SUSECVE-2015-2625 at NVDCVE-2015-2632 at SUSECVE-2015-2632 at NVDCVE-2015-2637 at SUSECVE-2015-2637 at NVDCVE-2015-2638 at SUSECVE-2015-2638 at NVDCVE-2015-2664 at SUSECVE-2015-2664 at NVDCVE-2015-2808 at SUSECVE-2015-2808 at NVDCVE-2015-4000 at SUSECVE-2015-4000 at NVDCVE-2015-4729 at SUSECVE-2015-4729 at NVDCVE-2015-4731 at SUSECVE-2015-4731 at NVDCVE-2015-4732 at SUSECVE-2015-4732 at NVDCVE-2015-4733 at SUSECVE-2015-4733 at NVDCVE-2015-4734 at SUSECVE-2015-4734 at NVDCVE-2015-4748 at SUSECVE-2015-4748 at NVDCVE-2015-4749 at SUSECVE-2015-4749 at NVDCVE-2015-4760 at SUSECVE-2015-4760 at NVDCVE-2015-4803 at SUSECVE-2015-4803 at NVDCVE-2015-4805 at SUSECVE-2015-4805 at NVDCVE-2015-4806 at SUSECVE-2015-4806 at NVDCVE-2015-4810 at SUSECVE-2015-4810 at NVDCVE-2015-4835 at SUSECVE-2015-4835 at NVDCVE-2015-4840 at SUSECVE-2015-4840 at NVDCVE-2015-4842 at SUSECVE-2015-4842 at NVDCVE-2015-4843 at SUSECVE-2015-4843 at NVDCVE-2015-4844 at SUSECVE-2015-4844 at NVDCVE-2015-4860 at SUSECVE-2015-4860 at NVDCVE-2015-4871 at SUSECVE-2015-4871 at NVDCVE-2015-4872 at SUSECVE-2015-4872 at NVDCVE-2015-4882 at SUSECVE-2015-4882 at NVDCVE-2015-4883 at SUSECVE-2015-4883 at NVDCVE-2015-4893 at SUSECVE-2015-4893 at NVDCVE-2015-4902 at SUSECVE-2015-4902 at NVDCVE-2015-4903 at SUSECVE-2015-4903 at NVDCVE-2015-4911 at SUSECVE-2015-4911 at NVDCVE-2015-5006 at SUSECVE-2015-5006 at NVDCVE-2015-5041 at SUSECVE-2015-5041 at NVDCVE-2015-7575 at SUSECVE-2015-7575 at NVDCVE-2015-7981 at SUSECVE-2015-7981 at NVDCVE-2015-8126 at SUSECVE-2015-8126 at NVDCVE-2015-8472 at SUSECVE-2015-8472 at NVDCVE-2015-8540 at SUSECVE-2015-8540 at NVDCVE-2016-0264 at SUSECVE-2016-0264 at NVDCVE-2016-0363 at SUSECVE-2016-0363 at NVDCVE-2016-0376 at SUSECVE-2016-0376 at NVDCVE-2016-0402 at SUSECVE-2016-0402 at NVDCVE-2016-0448 at SUSECVE-2016-0448 at NVDCVE-2016-0466 at SUSECVE-2016-0466 at NVDCVE-2016-0483 at SUSECVE-2016-0483 at NVDCVE-2016-0494 at SUSECVE-2016-0494 at NVDCVE-2016-0686 at SUSECVE-2016-0686 at NVDCVE-2016-0687 at SUSECVE-2016-0687 at NVDCVE-2016-2183 at SUSECVE-2016-2183 at NVDCVE-2016-3422 at SUSECVE-2016-3422 at NVDCVE-2016-3426 at SUSECVE-2016-3426 at NVDCVE-2016-3427 at SUSECVE-2016-3427 at NVDCVE-2016-3443 at SUSECVE-2016-3443 at NVDCVE-2016-3449 at SUSECVE-2016-3449 at NVDCVE-2016-3485 at SUSECVE-2016-3485 at NVDCVE-2016-3511 at SUSECVE-2016-3511 at NVDCVE-2016-3598 at SUSECVE-2016-3598 at NVDCVE-2016-5542 at SUSECVE-2016-5542 at NVDCVE-2016-5554 at SUSECVE-2016-5554 at NVDCVE-2016-5556 at SUSECVE-2016-5556 at NVDCVE-2016-5568 at SUSECVE-2016-5568 at NVDCVE-2016-5573 at SUSECVE-2016-5573 at NVDCVE-2016-5597 at SUSECVE-2016-5597 at NVDCVE-2016-9840 at SUSECVE-2016-9840 at NVDCVE-2016-9841 at SUSECVE-2016-9841 at NVDCVE-2016-9842 at SUSECVE-2016-9842 at NVDCVE-2016-9843 at SUSECVE-2016-9843 at NVDCVE-2017-1289 at SUSECVE-2017-1289 at NVDCVE-2017-3509 at SUSECVE-2017-3509 at NVDCVE-2017-3511 at SUSECVE-2017-3511 at NVDCVE-2017-3512 at SUSECVE-2017-3512 at NVDCVE-2017-3514 at SUSECVE-2017-3514 at NVDCVE-2017-3533 at SUSECVE-2017-3533 at NVDCVE-2017-3539 at SUSECVE-2017-3539 at NVDCVE-2017-3544 at SUSECVE-2017-3544 at NVDcpe:/o:suse:sles:12:sp3java-1_8_0-ibm-1.8.0_sr4.5-29.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the java-1_8_0-ibm-1.8.0_sr4.5-29.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-3065 at SUSECVE-2014-3065 at NVDCVE-2014-3566 at SUSECVE-2014-3566 at NVDCVE-2014-4288 at SUSECVE-2014-4288 at NVDCVE-2014-6456 at SUSECVE-2014-6456 at NVDCVE-2014-6457 at SUSECVE-2014-6457 at NVDCVE-2014-6458 at SUSECVE-2014-6458 at NVDCVE-2014-6466 at SUSECVE-2014-6466 at NVDCVE-2014-6476 at SUSECVE-2014-6476 at NVDCVE-2014-6492 at SUSECVE-2014-6492 at NVDCVE-2014-6493 at SUSECVE-2014-6493 at NVDCVE-2014-6502 at SUSECVE-2014-6502 at NVDCVE-2014-6503 at SUSECVE-2014-6503 at NVDCVE-2014-6506 at SUSECVE-2014-6506 at NVDCVE-2014-6511 at SUSECVE-2014-6511 at NVDCVE-2014-6512 at SUSECVE-2014-6512 at NVDCVE-2014-6513 at SUSECVE-2014-6513 at NVDCVE-2014-6515 at SUSECVE-2014-6515 at NVDCVE-2014-6527 at SUSECVE-2014-6527 at NVDCVE-2014-6531 at SUSECVE-2014-6531 at NVDCVE-2014-6532 at SUSECVE-2014-6532 at NVDCVE-2014-6558 at SUSECVE-2014-6558 at NVDCVE-2014-8891 at SUSECVE-2014-8891 at NVDCVE-2014-8892 at SUSECVE-2014-8892 at NVDCVE-2015-0204 at SUSECVE-2015-0204 at NVDCVE-2015-0458 at SUSECVE-2015-0458 at NVDCVE-2015-0459 at SUSECVE-2015-0459 at NVDCVE-2015-0469 at SUSECVE-2015-0469 at NVDCVE-2015-0477 at SUSECVE-2015-0477 at NVDCVE-2015-0478 at SUSECVE-2015-0478 at NVDCVE-2015-0480 at SUSECVE-2015-0480 at NVDCVE-2015-0486 at SUSECVE-2015-0486 at NVDCVE-2015-0488 at SUSECVE-2015-0488 at NVDCVE-2015-0491 at SUSECVE-2015-0491 at NVDCVE-2015-1931 at SUSECVE-2015-1931 at NVDCVE-2015-2590 at SUSECVE-2015-2590 at NVDCVE-2015-2601 at SUSECVE-2015-2601 at NVDCVE-2015-2613 at SUSECVE-2015-2613 at NVDCVE-2015-2619 at SUSECVE-2015-2619 at NVDCVE-2015-2621 at SUSECVE-2015-2621 at NVDCVE-2015-2625 at SUSECVE-2015-2625 at NVDCVE-2015-2632 at SUSECVE-2015-2632 at NVDCVE-2015-2637 at SUSECVE-2015-2637 at NVDCVE-2015-2638 at SUSECVE-2015-2638 at NVDCVE-2015-2664 at SUSECVE-2015-2664 at NVDCVE-2015-2808 at SUSECVE-2015-2808 at NVDCVE-2015-4000 at SUSECVE-2015-4000 at NVDCVE-2015-4729 at SUSECVE-2015-4729 at NVDCVE-2015-4731 at SUSECVE-2015-4731 at NVDCVE-2015-4732 at SUSECVE-2015-4732 at NVDCVE-2015-4733 at SUSECVE-2015-4733 at NVDCVE-2015-4734 at SUSECVE-2015-4734 at NVDCVE-2015-4748 at SUSECVE-2015-4748 at NVDCVE-2015-4749 at SUSECVE-2015-4749 at NVDCVE-2015-4760 at SUSECVE-2015-4760 at NVDCVE-2015-4803 at SUSECVE-2015-4803 at NVDCVE-2015-4805 at SUSECVE-2015-4805 at NVDCVE-2015-4806 at SUSECVE-2015-4806 at NVDCVE-2015-4810 at SUSECVE-2015-4810 at NVDCVE-2015-4835 at SUSECVE-2015-4835 at NVDCVE-2015-4840 at SUSECVE-2015-4840 at NVDCVE-2015-4842 at SUSECVE-2015-4842 at NVDCVE-2015-4843 at SUSECVE-2015-4843 at NVDCVE-2015-4844 at SUSECVE-2015-4844 at NVDCVE-2015-4860 at SUSECVE-2015-4860 at NVDCVE-2015-4871 at SUSECVE-2015-4871 at NVDCVE-2015-4872 at SUSECVE-2015-4872 at NVDCVE-2015-4882 at SUSECVE-2015-4882 at NVDCVE-2015-4883 at SUSECVE-2015-4883 at NVDCVE-2015-4893 at SUSECVE-2015-4893 at NVDCVE-2015-4902 at SUSECVE-2015-4902 at NVDCVE-2015-4903 at SUSECVE-2015-4903 at NVDCVE-2015-4911 at SUSECVE-2015-4911 at NVDCVE-2015-5006 at SUSECVE-2015-5006 at NVDCVE-2015-5041 at SUSECVE-2015-5041 at NVDCVE-2015-7575 at SUSECVE-2015-7575 at NVDCVE-2015-8126 at SUSECVE-2015-8126 at NVDCVE-2015-8472 at SUSECVE-2015-8472 at NVDCVE-2016-0264 at SUSECVE-2016-0264 at NVDCVE-2016-0363 at SUSECVE-2016-0363 at NVDCVE-2016-0376 at SUSECVE-2016-0376 at NVDCVE-2016-0402 at SUSECVE-2016-0402 at NVDCVE-2016-0448 at SUSECVE-2016-0448 at NVDCVE-2016-0466 at SUSECVE-2016-0466 at NVDCVE-2016-0475 at SUSECVE-2016-0475 at NVDCVE-2016-0483 at SUSECVE-2016-0483 at NVDCVE-2016-0494 at SUSECVE-2016-0494 at NVDCVE-2016-0686 at SUSECVE-2016-0686 at NVDCVE-2016-0687 at SUSECVE-2016-0687 at NVDCVE-2016-2183 at SUSECVE-2016-2183 at NVDCVE-2016-3422 at SUSECVE-2016-3422 at NVDCVE-2016-3426 at SUSECVE-2016-3426 at NVDCVE-2016-3427 at SUSECVE-2016-3427 at NVDCVE-2016-3443 at SUSECVE-2016-3443 at NVDCVE-2016-3449 at SUSECVE-2016-3449 at NVDCVE-2016-3485 at SUSECVE-2016-3485 at NVDCVE-2016-3511 at SUSECVE-2016-3511 at NVDCVE-2016-3598 at SUSECVE-2016-3598 at NVDCVE-2016-5542 at SUSECVE-2016-5542 at NVDCVE-2016-5547 at SUSECVE-2016-5547 at NVDCVE-2016-5548 at SUSECVE-2016-5548 at NVDCVE-2016-5549 at SUSECVE-2016-5549 at NVDCVE-2016-5552 at SUSECVE-2016-5552 at NVDCVE-2016-5554 at SUSECVE-2016-5554 at NVDCVE-2016-5556 at SUSECVE-2016-5556 at NVDCVE-2016-5568 at SUSECVE-2016-5568 at NVDCVE-2016-5573 at SUSECVE-2016-5573 at NVDCVE-2016-5597 at SUSECVE-2016-5597 at NVDCVE-2016-9840 at SUSECVE-2016-9840 at NVDCVE-2016-9841 at SUSECVE-2016-9841 at NVDCVE-2016-9842 at SUSECVE-2016-9842 at NVDCVE-2016-9843 at SUSECVE-2016-9843 at NVDCVE-2017-1289 at SUSECVE-2017-1289 at NVDCVE-2017-3231 at SUSECVE-2017-3231 at NVDCVE-2017-3241 at SUSECVE-2017-3241 at NVDCVE-2017-3252 at SUSECVE-2017-3252 at NVDCVE-2017-3253 at SUSECVE-2017-3253 at NVDCVE-2017-3259 at SUSECVE-2017-3259 at NVDCVE-2017-3261 at SUSECVE-2017-3261 at NVDCVE-2017-3272 at SUSECVE-2017-3272 at NVDCVE-2017-3289 at SUSECVE-2017-3289 at NVDCVE-2017-3509 at SUSECVE-2017-3509 at NVDCVE-2017-3511 at SUSECVE-2017-3511 at NVDCVE-2017-3512 at SUSECVE-2017-3512 at NVDCVE-2017-3514 at SUSECVE-2017-3514 at NVDCVE-2017-3533 at SUSECVE-2017-3533 at NVDCVE-2017-3539 at SUSECVE-2017-3539 at NVDCVE-2017-3544 at SUSECVE-2017-3544 at NVDcpe:/o:suse:sles:12:sp3java-1_8_0-openjdk-1.8.0.131-26.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the java-1_8_0-openjdk-1.8.0.131-26.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-2590 at SUSECVE-2015-2590 at NVDCVE-2015-2597 at SUSECVE-2015-2597 at NVDCVE-2015-2601 at SUSECVE-2015-2601 at NVDCVE-2015-2613 at SUSECVE-2015-2613 at NVDCVE-2015-2619 at SUSECVE-2015-2619 at NVDCVE-2015-2621 at SUSECVE-2015-2621 at NVDCVE-2015-2625 at SUSECVE-2015-2625 at NVDCVE-2015-2627 at SUSECVE-2015-2627 at NVDCVE-2015-2628 at SUSECVE-2015-2628 at NVDCVE-2015-2632 at SUSECVE-2015-2632 at NVDCVE-2015-2637 at SUSECVE-2015-2637 at NVDCVE-2015-2638 at SUSECVE-2015-2638 at NVDCVE-2015-2659 at SUSECVE-2015-2659 at NVDCVE-2015-2664 at SUSECVE-2015-2664 at NVDCVE-2015-2808 at SUSECVE-2015-2808 at NVDCVE-2015-4000 at SUSECVE-2015-4000 at NVDCVE-2015-4729 at SUSECVE-2015-4729 at NVDCVE-2015-4731 at SUSECVE-2015-4731 at NVDCVE-2015-4732 at SUSECVE-2015-4732 at NVDCVE-2015-4733 at SUSECVE-2015-4733 at NVDCVE-2015-4734 at SUSECVE-2015-4734 at NVDCVE-2015-4736 at SUSECVE-2015-4736 at NVDCVE-2015-4748 at SUSECVE-2015-4748 at NVDCVE-2015-4749 at SUSECVE-2015-4749 at NVDCVE-2015-4760 at SUSECVE-2015-4760 at NVDCVE-2015-4803 at SUSECVE-2015-4803 at NVDCVE-2015-4805 at SUSECVE-2015-4805 at NVDCVE-2015-4806 at SUSECVE-2015-4806 at NVDCVE-2015-4810 at SUSECVE-2015-4810 at NVDCVE-2015-4835 at SUSECVE-2015-4835 at NVDCVE-2015-4840 at SUSECVE-2015-4840 at NVDCVE-2015-4842 at SUSECVE-2015-4842 at NVDCVE-2015-4843 at SUSECVE-2015-4843 at NVDCVE-2015-4844 at SUSECVE-2015-4844 at NVDCVE-2015-4860 at SUSECVE-2015-4860 at NVDCVE-2015-4868 at SUSECVE-2015-4868 at NVDCVE-2015-4872 at SUSECVE-2015-4872 at NVDCVE-2015-4881 at SUSECVE-2015-4881 at NVDCVE-2015-4882 at SUSECVE-2015-4882 at NVDCVE-2015-4883 at SUSECVE-2015-4883 at NVDCVE-2015-4893 at SUSECVE-2015-4893 at NVDCVE-2015-4901 at SUSECVE-2015-4901 at NVDCVE-2015-4902 at SUSECVE-2015-4902 at NVDCVE-2015-4903 at SUSECVE-2015-4903 at NVDCVE-2015-4906 at SUSECVE-2015-4906 at NVDCVE-2015-4908 at SUSECVE-2015-4908 at NVDCVE-2015-4911 at SUSECVE-2015-4911 at NVDCVE-2015-4916 at SUSECVE-2015-4916 at NVDCVE-2015-7575 at SUSECVE-2015-7575 at NVDCVE-2015-8126 at SUSECVE-2015-8126 at NVDCVE-2016-0402 at SUSECVE-2016-0402 at NVDCVE-2016-0448 at SUSECVE-2016-0448 at NVDCVE-2016-0466 at SUSECVE-2016-0466 at NVDCVE-2016-0475 at SUSECVE-2016-0475 at NVDCVE-2016-0483 at SUSECVE-2016-0483 at NVDCVE-2016-0494 at SUSECVE-2016-0494 at NVDCVE-2016-0636 at SUSECVE-2016-0636 at NVDCVE-2016-0686 at SUSECVE-2016-0686 at NVDCVE-2016-0687 at SUSECVE-2016-0687 at NVDCVE-2016-0695 at SUSECVE-2016-0695 at NVDCVE-2016-2183 at SUSECVE-2016-2183 at NVDCVE-2016-3425 at SUSECVE-2016-3425 at NVDCVE-2016-3426 at SUSECVE-2016-3426 at NVDCVE-2016-3427 at SUSECVE-2016-3427 at NVDCVE-2016-3458 at SUSECVE-2016-3458 at NVDCVE-2016-3485 at SUSECVE-2016-3485 at NVDCVE-2016-3498 at SUSECVE-2016-3498 at NVDCVE-2016-3500 at SUSECVE-2016-3500 at NVDCVE-2016-3503 at SUSECVE-2016-3503 at NVDCVE-2016-3508 at SUSECVE-2016-3508 at NVDCVE-2016-3511 at SUSECVE-2016-3511 at NVDCVE-2016-3550 at SUSECVE-2016-3550 at NVDCVE-2016-3552 at SUSECVE-2016-3552 at NVDCVE-2016-3587 at SUSECVE-2016-3587 at NVDCVE-2016-3598 at SUSECVE-2016-3598 at NVDCVE-2016-3606 at SUSECVE-2016-3606 at NVDCVE-2016-3610 at SUSECVE-2016-3610 at NVDCVE-2016-5542 at SUSECVE-2016-5542 at NVDCVE-2016-5546 at SUSECVE-2016-5546 at NVDCVE-2016-5547 at SUSECVE-2016-5547 at NVDCVE-2016-5548 at SUSECVE-2016-5548 at NVDCVE-2016-5549 at SUSECVE-2016-5549 at NVDCVE-2016-5552 at SUSECVE-2016-5552 at NVDCVE-2016-5554 at SUSECVE-2016-5554 at NVDCVE-2016-5556 at SUSECVE-2016-5556 at NVDCVE-2016-5568 at SUSECVE-2016-5568 at NVDCVE-2016-5573 at SUSECVE-2016-5573 at NVDCVE-2016-5582 at SUSECVE-2016-5582 at NVDCVE-2016-5597 at SUSECVE-2016-5597 at NVDCVE-2017-3231 at SUSECVE-2017-3231 at NVDCVE-2017-3241 at SUSECVE-2017-3241 at NVDCVE-2017-3252 at SUSECVE-2017-3252 at NVDCVE-2017-3253 at SUSECVE-2017-3253 at NVDCVE-2017-3260 at SUSECVE-2017-3260 at NVDCVE-2017-3261 at SUSECVE-2017-3261 at NVDCVE-2017-3272 at SUSECVE-2017-3272 at NVDCVE-2017-3289 at SUSECVE-2017-3289 at NVDCVE-2017-3509 at SUSECVE-2017-3509 at NVDCVE-2017-3511 at SUSECVE-2017-3511 at NVDCVE-2017-3512 at SUSECVE-2017-3512 at NVDCVE-2017-3514 at SUSECVE-2017-3514 at NVDCVE-2017-3526 at SUSECVE-2017-3526 at NVDCVE-2017-3533 at SUSECVE-2017-3533 at NVDCVE-2017-3539 at SUSECVE-2017-3539 at NVDCVE-2017-3544 at SUSECVE-2017-3544 at NVDcpe:/o:suse:sles:12:sp3kbd-1.15.5-8.7.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the kbd-1.15.5-8.7.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-0460 at SUSECVE-2011-0460 at NVDcpe:/o:suse:sles:12:sp3kdump-0.8.16-5.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the kdump-0.8.16-5.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-5759 at SUSECVE-2016-5759 at NVDcpe:/o:suse:sles:12:sp3kernel-default-4.4.73-5.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the kernel-default-4.4.73-5.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-3939 at SUSECVE-2009-3939 at NVDCVE-2009-4026 at SUSECVE-2009-4026 at NVDCVE-2009-4027 at SUSECVE-2009-4027 at NVDCVE-2009-4131 at SUSECVE-2009-4131 at NVDCVE-2009-4138 at SUSECVE-2009-4138 at NVDCVE-2009-4536 at SUSECVE-2009-4536 at NVDCVE-2009-4538 at SUSECVE-2009-4538 at NVDCVE-2010-1146 at SUSECVE-2010-1146 at NVDCVE-2010-1436 at SUSECVE-2010-1436 at NVDCVE-2010-1641 at SUSECVE-2010-1641 at NVDCVE-2010-2066 at SUSECVE-2010-2066 at NVDCVE-2010-2942 at SUSECVE-2010-2942 at NVDCVE-2010-2954 at SUSECVE-2010-2954 at NVDCVE-2010-2955 at SUSECVE-2010-2955 at NVDCVE-2010-3081 at SUSECVE-2010-3081 at NVDCVE-2010-3296 at SUSECVE-2010-3296 at NVDCVE-2010-3297 at SUSECVE-2010-3297 at NVDCVE-2010-3298 at SUSECVE-2010-3298 at NVDCVE-2010-3301 at SUSECVE-2010-3301 at NVDCVE-2010-3310 at SUSECVE-2010-3310 at NVDCVE-2011-0712 at SUSECVE-2011-0712 at NVDCVE-2011-1020 at SUSECVE-2011-1020 at NVDCVE-2011-1577 at SUSECVE-2011-1577 at NVDCVE-2011-2203 at SUSECVE-2011-2203 at NVDCVE-2012-0056 at SUSECVE-2012-0056 at NVDCVE-2013-0160 at SUSECVE-2013-0160 at NVDCVE-2013-0231 at SUSECVE-2013-0231 at NVDCVE-2013-0913 at SUSECVE-2013-0913 at NVDCVE-2013-2850 at SUSECVE-2013-2850 at NVDCVE-2013-4312 at SUSECVE-2013-4312 at NVDCVE-2014-0038 at SUSECVE-2014-0038 at NVDCVE-2014-0196 at SUSECVE-2014-0196 at NVDCVE-2014-0691 at SUSECVE-2014-0691 at NVDCVE-2015-1350 at SUSECVE-2015-1350 at NVDCVE-2015-7833 at SUSECVE-2015-7833 at NVDCVE-2015-7884 at SUSECVE-2015-7884 at NVDCVE-2015-7885 at SUSECVE-2015-7885 at NVDCVE-2015-8709 at SUSECVE-2015-8709 at NVDCVE-2015-8812 at SUSECVE-2015-8812 at NVDCVE-2015-8964 at SUSECVE-2015-8964 at NVDCVE-2016-0617 at SUSECVE-2016-0617 at NVDCVE-2016-0723 at SUSECVE-2016-0723 at NVDCVE-2016-0728 at SUSECVE-2016-0728 at NVDCVE-2016-0758 at SUSECVE-2016-0758 at NVDCVE-2016-10200 at SUSECVE-2016-10200 at NVDCVE-2016-1237 at SUSECVE-2016-1237 at NVDCVE-2016-1583 at SUSECVE-2016-1583 at NVDCVE-2016-2117 at SUSECVE-2016-2117 at NVDCVE-2016-2143 at SUSECVE-2016-2143 at NVDCVE-2016-2184 at SUSECVE-2016-2184 at NVDCVE-2016-2185 at SUSECVE-2016-2185 at NVDCVE-2016-2186 at SUSECVE-2016-2186 at NVDCVE-2016-2188 at SUSECVE-2016-2188 at NVDCVE-2016-2383 at SUSECVE-2016-2383 at NVDCVE-2016-2384 at SUSECVE-2016-2384 at NVDCVE-2016-2847 at SUSECVE-2016-2847 at NVDCVE-2016-3134 at SUSECVE-2016-3134 at NVDCVE-2016-3135 at SUSECVE-2016-3135 at NVDCVE-2016-3136 at SUSECVE-2016-3136 at NVDCVE-2016-3137 at SUSECVE-2016-3137 at NVDCVE-2016-3138 at SUSECVE-2016-3138 at NVDCVE-2016-3140 at SUSECVE-2016-3140 at NVDCVE-2016-3156 at SUSECVE-2016-3156 at NVDCVE-2016-3672 at SUSECVE-2016-3672 at NVDCVE-2016-3689 at SUSECVE-2016-3689 at NVDCVE-2016-3713 at SUSECVE-2016-3713 at NVDCVE-2016-3951 at SUSECVE-2016-3951 at NVDCVE-2016-4470 at SUSECVE-2016-4470 at NVDCVE-2016-4482 at SUSECVE-2016-4482 at NVDCVE-2016-4486 at SUSECVE-2016-4486 at NVDCVE-2016-4557 at SUSECVE-2016-4557 at NVDCVE-2016-4558 at SUSECVE-2016-4558 at NVDCVE-2016-4569 at SUSECVE-2016-4569 at NVDCVE-2016-4578 at SUSECVE-2016-4578 at NVDCVE-2016-4794 at SUSECVE-2016-4794 at NVDCVE-2016-4805 at SUSECVE-2016-4805 at NVDCVE-2016-4951 at SUSECVE-2016-4951 at NVDCVE-2016-4997 at SUSECVE-2016-4997 at NVDCVE-2016-4998 at SUSECVE-2016-4998 at NVDCVE-2016-5195 at SUSECVE-2016-5195 at NVDCVE-2016-5244 at SUSECVE-2016-5244 at NVDCVE-2016-5412 at SUSECVE-2016-5412 at NVDCVE-2016-5696 at SUSECVE-2016-5696 at NVDCVE-2016-5828 at SUSECVE-2016-5828 at NVDCVE-2016-5829 at SUSECVE-2016-5829 at NVDCVE-2016-6197 at SUSECVE-2016-6197 at NVDCVE-2016-6480 at SUSECVE-2016-6480 at NVDCVE-2016-6828 at SUSECVE-2016-6828 at NVDCVE-2016-7039 at SUSECVE-2016-7039 at NVDCVE-2016-7042 at SUSECVE-2016-7042 at NVDCVE-2016-7097 at SUSECVE-2016-7097 at NVDCVE-2016-7117 at SUSECVE-2016-7117 at NVDCVE-2016-7425 at SUSECVE-2016-7425 at NVDCVE-2016-7913 at SUSECVE-2016-7913 at NVDCVE-2016-7917 at SUSECVE-2016-7917 at NVDCVE-2016-8632 at SUSECVE-2016-8632 at NVDCVE-2016-8636 at SUSECVE-2016-8636 at NVDCVE-2016-8645 at SUSECVE-2016-8645 at NVDCVE-2016-8655 at SUSECVE-2016-8655 at NVDCVE-2016-8658 at SUSECVE-2016-8658 at NVDCVE-2016-8666 at SUSECVE-2016-8666 at NVDCVE-2016-9083 at SUSECVE-2016-9083 at NVDCVE-2016-9084 at SUSECVE-2016-9084 at NVDCVE-2016-9191 at SUSECVE-2016-9191 at NVDCVE-2016-9555 at SUSECVE-2016-9555 at NVDCVE-2016-9576 at SUSECVE-2016-9576 at NVDCVE-2016-9793 at SUSECVE-2016-9793 at NVDCVE-2016-9794 at SUSECVE-2016-9794 at NVDCVE-2016-9806 at SUSECVE-2016-9806 at NVDCVE-2016-9919 at SUSECVE-2016-9919 at NVDCVE-2017-1000364 at SUSECVE-2017-1000364 at NVDCVE-2017-1000365 at SUSECVE-2017-1000365 at NVDCVE-2017-1000380 at SUSECVE-2017-1000380 at NVDCVE-2017-2583 at SUSECVE-2017-2583 at NVDCVE-2017-2584 at SUSECVE-2017-2584 at NVDCVE-2017-2596 at SUSECVE-2017-2596 at NVDCVE-2017-2636 at SUSECVE-2017-2636 at NVDCVE-2017-2671 at SUSECVE-2017-2671 at NVDCVE-2017-5551 at SUSECVE-2017-5551 at NVDCVE-2017-5576 at SUSECVE-2017-5576 at NVDCVE-2017-5577 at SUSECVE-2017-5577 at NVDCVE-2017-5897 at SUSECVE-2017-5897 at NVDCVE-2017-5970 at SUSECVE-2017-5970 at NVDCVE-2017-5986 at SUSECVE-2017-5986 at NVDCVE-2017-6074 at SUSECVE-2017-6074 at NVDCVE-2017-6214 at SUSECVE-2017-6214 at NVDCVE-2017-6345 at SUSECVE-2017-6345 at NVDCVE-2017-6346 at SUSECVE-2017-6346 at NVDCVE-2017-6347 at SUSECVE-2017-6347 at NVDCVE-2017-6353 at SUSECVE-2017-6353 at NVDCVE-2017-7184 at SUSECVE-2017-7184 at NVDCVE-2017-7187 at SUSECVE-2017-7187 at NVDCVE-2017-7261 at SUSECVE-2017-7261 at NVDCVE-2017-7294 at SUSECVE-2017-7294 at NVDCVE-2017-7308 at SUSECVE-2017-7308 at NVDCVE-2017-7346 at SUSECVE-2017-7346 at NVDCVE-2017-7374 at SUSECVE-2017-7374 at NVDCVE-2017-7487 at SUSECVE-2017-7487 at NVDCVE-2017-7518 at SUSECVE-2017-7518 at NVDCVE-2017-7616 at SUSECVE-2017-7616 at NVDCVE-2017-7618 at SUSECVE-2017-7618 at NVDCVE-2017-8890 at SUSECVE-2017-8890 at NVDCVE-2017-9074 at SUSECVE-2017-9074 at NVDCVE-2017-9075 at SUSECVE-2017-9075 at NVDCVE-2017-9076 at SUSECVE-2017-9076 at NVDCVE-2017-9077 at SUSECVE-2017-9077 at NVDCVE-2017-9150 at SUSECVE-2017-9150 at NVDCVE-2017-9242 at SUSECVE-2017-9242 at NVDcpe:/o:suse:sles:12:sp3krb5-1.12.5-39.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the krb5-1.12.5-39.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2002-2443 at SUSECVE-2002-2443 at NVDCVE-2009-0844 at SUSECVE-2009-0844 at NVDCVE-2009-0845 at SUSECVE-2009-0845 at NVDCVE-2009-0846 at SUSECVE-2009-0846 at NVDCVE-2009-0847 at SUSECVE-2009-0847 at NVDCVE-2009-3295 at SUSECVE-2009-3295 at NVDCVE-2009-4212 at SUSECVE-2009-4212 at NVDCVE-2010-0283 at SUSECVE-2010-0283 at NVDCVE-2010-0628 at SUSECVE-2010-0628 at NVDCVE-2010-1320 at SUSECVE-2010-1320 at NVDCVE-2010-1321 at SUSECVE-2010-1321 at NVDCVE-2010-1322 at SUSECVE-2010-1322 at NVDCVE-2010-1323 at SUSECVE-2010-1323 at NVDCVE-2010-1324 at SUSECVE-2010-1324 at NVDCVE-2010-4020 at SUSECVE-2010-4020 at NVDCVE-2010-4021 at SUSECVE-2010-4021 at NVDCVE-2010-4022 at SUSECVE-2010-4022 at NVDCVE-2011-0281 at SUSECVE-2011-0281 at NVDCVE-2011-0282 at SUSECVE-2011-0282 at NVDCVE-2011-0284 at SUSECVE-2011-0284 at NVDCVE-2011-0285 at SUSECVE-2011-0285 at NVDCVE-2011-1527 at SUSECVE-2011-1527 at NVDCVE-2011-1528 at SUSECVE-2011-1528 at NVDCVE-2011-1529 at SUSECVE-2011-1529 at NVDCVE-2011-1530 at SUSECVE-2011-1530 at NVDCVE-2012-1012 at SUSECVE-2012-1012 at NVDCVE-2012-1013 at SUSECVE-2012-1013 at NVDCVE-2012-1016 at SUSECVE-2012-1016 at NVDCVE-2013-1415 at SUSECVE-2013-1415 at NVDCVE-2013-1417 at SUSECVE-2013-1417 at NVDCVE-2013-1418 at SUSECVE-2013-1418 at NVDCVE-2014-4341 at SUSECVE-2014-4341 at NVDCVE-2014-4342 at SUSECVE-2014-4342 at NVDCVE-2014-4343 at SUSECVE-2014-4343 at NVDCVE-2014-4344 at SUSECVE-2014-4344 at NVDCVE-2014-4345 at SUSECVE-2014-4345 at NVDCVE-2014-5351 at SUSECVE-2014-5351 at NVDCVE-2014-5352 at SUSECVE-2014-5352 at NVDCVE-2014-5353 at SUSECVE-2014-5353 at NVDCVE-2014-5354 at SUSECVE-2014-5354 at NVDCVE-2014-5355 at SUSECVE-2014-5355 at NVDCVE-2014-9421 at SUSECVE-2014-9421 at NVDCVE-2014-9422 at SUSECVE-2014-9422 at NVDCVE-2014-9423 at SUSECVE-2014-9423 at NVDCVE-2015-2694 at SUSECVE-2015-2694 at NVDCVE-2015-2695 at SUSECVE-2015-2695 at NVDCVE-2015-2696 at SUSECVE-2015-2696 at NVDCVE-2015-2697 at SUSECVE-2015-2697 at NVDCVE-2015-2698 at SUSECVE-2015-2698 at NVDCVE-2015-8629 at SUSECVE-2015-8629 at NVDCVE-2015-8630 at SUSECVE-2015-8630 at NVDCVE-2015-8631 at SUSECVE-2015-8631 at NVDCVE-2016-3119 at SUSECVE-2016-3119 at NVDCVE-2016-3120 at SUSECVE-2016-3120 at NVDcpe:/o:suse:sles:12:sp3krb5-appl-clients-1.0.3-1.2 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the krb5-appl-clients-1.0.3-1.2 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-1526 at SUSECVE-2011-1526 at NVDCVE-2011-4862 at SUSECVE-2011-4862 at NVDcpe:/o:suse:sles:12:sp3lftp-4.7.4-1.13 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the lftp-4.7.4-1.13 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-0139 at SUSECVE-2014-0139 at NVDcpe:/o:suse:sles:12:sp3libFLAC++6-1.3.0-11.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libFLAC++6-1.3.0-11.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-8962 at SUSECVE-2014-8962 at NVDCVE-2014-9028 at SUSECVE-2014-9028 at NVDcpe:/o:suse:sles:12:sp3libHX28-3.18-1.18 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libHX28-3.18-1.18 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-2947 at SUSECVE-2010-2947 at NVDcpe:/o:suse:sles:12:sp3libIlmImf-Imf_2_1-21-2.1.0-4.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libIlmImf-Imf_2_1-21-2.1.0-4.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-1720 at SUSECVE-2009-1720 at NVDCVE-2009-1721 at SUSECVE-2009-1721 at NVDcpe:/o:suse:sles:12:sp3libMagickCore-6_Q16-1-6.8.8.1-70.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libMagickCore-6_Q16-1-6.8.8.1-70.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-0247 at SUSECVE-2012-0247 at NVDCVE-2012-0248 at SUSECVE-2012-0248 at NVDCVE-2012-1185 at SUSECVE-2012-1185 at NVDCVE-2012-1186 at SUSECVE-2012-1186 at NVDCVE-2014-8354 at SUSECVE-2014-8354 at NVDCVE-2014-8355 at SUSECVE-2014-8355 at NVDCVE-2014-8562 at SUSECVE-2014-8562 at NVDCVE-2014-8716 at SUSECVE-2014-8716 at NVDCVE-2014-9805 at SUSECVE-2014-9805 at NVDCVE-2014-9806 at SUSECVE-2014-9806 at NVDCVE-2014-9807 at SUSECVE-2014-9807 at NVDCVE-2014-9808 at SUSECVE-2014-9808 at NVDCVE-2014-9809 at SUSECVE-2014-9809 at NVDCVE-2014-9810 at SUSECVE-2014-9810 at NVDCVE-2014-9811 at SUSECVE-2014-9811 at NVDCVE-2014-9812 at SUSECVE-2014-9812 at NVDCVE-2014-9813 at SUSECVE-2014-9813 at NVDCVE-2014-9814 at SUSECVE-2014-9814 at NVDCVE-2014-9815 at SUSECVE-2014-9815 at NVDCVE-2014-9816 at SUSECVE-2014-9816 at NVDCVE-2014-9817 at SUSECVE-2014-9817 at NVDCVE-2014-9818 at SUSECVE-2014-9818 at NVDCVE-2014-9819 at SUSECVE-2014-9819 at NVDCVE-2014-9820 at SUSECVE-2014-9820 at NVDCVE-2014-9821 at SUSECVE-2014-9821 at NVDCVE-2014-9822 at SUSECVE-2014-9822 at NVDCVE-2014-9823 at SUSECVE-2014-9823 at NVDCVE-2014-9824 at SUSECVE-2014-9824 at NVDCVE-2014-9825 at SUSECVE-2014-9825 at NVDCVE-2014-9826 at SUSECVE-2014-9826 at NVDCVE-2014-9828 at SUSECVE-2014-9828 at NVDCVE-2014-9829 at SUSECVE-2014-9829 at NVDCVE-2014-9830 at SUSECVE-2014-9830 at NVDCVE-2014-9831 at SUSECVE-2014-9831 at NVDCVE-2014-9832 at SUSECVE-2014-9832 at NVDCVE-2014-9833 at SUSECVE-2014-9833 at NVDCVE-2014-9834 at SUSECVE-2014-9834 at NVDCVE-2014-9835 at SUSECVE-2014-9835 at NVDCVE-2014-9836 at SUSECVE-2014-9836 at NVDCVE-2014-9837 at SUSECVE-2014-9837 at NVDCVE-2014-9838 at SUSECVE-2014-9838 at NVDCVE-2014-9839 at SUSECVE-2014-9839 at NVDCVE-2014-9840 at SUSECVE-2014-9840 at NVDCVE-2014-9841 at SUSECVE-2014-9841 at NVDCVE-2014-9842 at SUSECVE-2014-9842 at NVDCVE-2014-9843 at SUSECVE-2014-9843 at NVDCVE-2014-9844 at SUSECVE-2014-9844 at NVDCVE-2014-9845 at SUSECVE-2014-9845 at NVDCVE-2014-9846 at SUSECVE-2014-9846 at NVDCVE-2014-9847 at SUSECVE-2014-9847 at NVDCVE-2014-9848 at SUSECVE-2014-9848 at NVDCVE-2014-9849 at SUSECVE-2014-9849 at NVDCVE-2014-9850 at SUSECVE-2014-9850 at NVDCVE-2014-9851 at SUSECVE-2014-9851 at NVDCVE-2014-9852 at SUSECVE-2014-9852 at NVDCVE-2014-9853 at SUSECVE-2014-9853 at NVDCVE-2014-9854 at SUSECVE-2014-9854 at NVDCVE-2014-9907 at SUSECVE-2014-9907 at NVDCVE-2015-8894 at SUSECVE-2015-8894 at NVDCVE-2015-8895 at SUSECVE-2015-8895 at NVDCVE-2015-8896 at SUSECVE-2015-8896 at NVDCVE-2015-8897 at SUSECVE-2015-8897 at NVDCVE-2015-8898 at SUSECVE-2015-8898 at NVDCVE-2015-8900 at SUSECVE-2015-8900 at NVDCVE-2015-8901 at SUSECVE-2015-8901 at NVDCVE-2015-8902 at SUSECVE-2015-8902 at NVDCVE-2015-8903 at SUSECVE-2015-8903 at NVDCVE-2015-8957 at SUSECVE-2015-8957 at NVDCVE-2015-8958 at SUSECVE-2015-8958 at NVDCVE-2015-8959 at SUSECVE-2015-8959 at NVDCVE-2016-10046 at SUSECVE-2016-10046 at NVDCVE-2016-10048 at SUSECVE-2016-10048 at NVDCVE-2016-10049 at SUSECVE-2016-10049 at NVDCVE-2016-10050 at SUSECVE-2016-10050 at NVDCVE-2016-10051 at SUSECVE-2016-10051 at NVDCVE-2016-10052 at SUSECVE-2016-10052 at NVDCVE-2016-10059 at SUSECVE-2016-10059 at NVDCVE-2016-10060 at SUSECVE-2016-10060 at NVDCVE-2016-10061 at SUSECVE-2016-10061 at NVDCVE-2016-10062 at SUSECVE-2016-10062 at NVDCVE-2016-10063 at SUSECVE-2016-10063 at NVDCVE-2016-10064 at SUSECVE-2016-10064 at NVDCVE-2016-10065 at SUSECVE-2016-10065 at NVDCVE-2016-10068 at SUSECVE-2016-10068 at NVDCVE-2016-10069 at SUSECVE-2016-10069 at NVDCVE-2016-10070 at SUSECVE-2016-10070 at NVDCVE-2016-10071 at SUSECVE-2016-10071 at NVDCVE-2016-10144 at SUSECVE-2016-10144 at NVDCVE-2016-10145 at SUSECVE-2016-10145 at NVDCVE-2016-10146 at SUSECVE-2016-10146 at NVDCVE-2016-3714 at SUSECVE-2016-3714 at NVDCVE-2016-3715 at SUSECVE-2016-3715 at NVDCVE-2016-3716 at SUSECVE-2016-3716 at NVDCVE-2016-3717 at SUSECVE-2016-3717 at NVDCVE-2016-3718 at SUSECVE-2016-3718 at NVDCVE-2016-4562 at SUSECVE-2016-4562 at NVDCVE-2016-4563 at SUSECVE-2016-4563 at NVDCVE-2016-4564 at SUSECVE-2016-4564 at NVDCVE-2016-5010 at SUSECVE-2016-5010 at NVDCVE-2016-5118 at SUSECVE-2016-5118 at NVDCVE-2016-5687 at SUSECVE-2016-5687 at NVDCVE-2016-5688 at SUSECVE-2016-5688 at NVDCVE-2016-5689 at SUSECVE-2016-5689 at NVDCVE-2016-5690 at SUSECVE-2016-5690 at NVDCVE-2016-5691 at SUSECVE-2016-5691 at NVDCVE-2016-5841 at SUSECVE-2016-5841 at NVDCVE-2016-5842 at SUSECVE-2016-5842 at NVDCVE-2016-6491 at SUSECVE-2016-6491 at NVDCVE-2016-6520 at SUSECVE-2016-6520 at NVDCVE-2016-6823 at SUSECVE-2016-6823 at NVDCVE-2016-7101 at SUSECVE-2016-7101 at NVDCVE-2016-7513 at SUSECVE-2016-7513 at NVDCVE-2016-7514 at SUSECVE-2016-7514 at NVDCVE-2016-7515 at SUSECVE-2016-7515 at NVDCVE-2016-7516 at SUSECVE-2016-7516 at NVDCVE-2016-7517 at SUSECVE-2016-7517 at NVDCVE-2016-7518 at SUSECVE-2016-7518 at NVDCVE-2016-7519 at SUSECVE-2016-7519 at NVDCVE-2016-7520 at SUSECVE-2016-7520 at NVDCVE-2016-7521 at SUSECVE-2016-7521 at NVDCVE-2016-7522 at SUSECVE-2016-7522 at NVDCVE-2016-7523 at SUSECVE-2016-7523 at NVDCVE-2016-7524 at SUSECVE-2016-7524 at NVDCVE-2016-7525 at SUSECVE-2016-7525 at NVDCVE-2016-7526 at SUSECVE-2016-7526 at NVDCVE-2016-7527 at SUSECVE-2016-7527 at NVDCVE-2016-7528 at SUSECVE-2016-7528 at NVDCVE-2016-7529 at SUSECVE-2016-7529 at NVDCVE-2016-7530 at SUSECVE-2016-7530 at NVDCVE-2016-7531 at SUSECVE-2016-7531 at NVDCVE-2016-7532 at SUSECVE-2016-7532 at NVDCVE-2016-7533 at SUSECVE-2016-7533 at NVDCVE-2016-7534 at SUSECVE-2016-7534 at NVDCVE-2016-7535 at SUSECVE-2016-7535 at NVDCVE-2016-7537 at SUSECVE-2016-7537 at NVDCVE-2016-7538 at SUSECVE-2016-7538 at NVDCVE-2016-7539 at SUSECVE-2016-7539 at NVDCVE-2016-7540 at SUSECVE-2016-7540 at NVDCVE-2016-7799 at SUSECVE-2016-7799 at NVDCVE-2016-7800 at SUSECVE-2016-7800 at NVDCVE-2016-7996 at SUSECVE-2016-7996 at NVDCVE-2016-7997 at SUSECVE-2016-7997 at NVDCVE-2016-8677 at SUSECVE-2016-8677 at NVDCVE-2016-8682 at SUSECVE-2016-8682 at NVDCVE-2016-8683 at SUSECVE-2016-8683 at NVDCVE-2016-8684 at SUSECVE-2016-8684 at NVDCVE-2016-8707 at SUSECVE-2016-8707 at NVDCVE-2016-8862 at SUSECVE-2016-8862 at NVDCVE-2016-8866 at SUSECVE-2016-8866 at NVDCVE-2016-9556 at SUSECVE-2016-9556 at NVDCVE-2016-9559 at SUSECVE-2016-9559 at NVDCVE-2016-9773 at SUSECVE-2016-9773 at NVDCVE-2017-5506 at SUSECVE-2017-5506 at NVDCVE-2017-5507 at SUSECVE-2017-5507 at NVDCVE-2017-5508 at SUSECVE-2017-5508 at NVDCVE-2017-5510 at SUSECVE-2017-5510 at NVDCVE-2017-5511 at SUSECVE-2017-5511 at NVDCVE-2017-6502 at SUSECVE-2017-6502 at NVDCVE-2017-7606 at SUSECVE-2017-7606 at NVDCVE-2017-7941 at SUSECVE-2017-7941 at NVDCVE-2017-7942 at SUSECVE-2017-7942 at NVDCVE-2017-7943 at SUSECVE-2017-7943 at NVDCVE-2017-8343 at SUSECVE-2017-8343 at NVDCVE-2017-8344 at SUSECVE-2017-8344 at NVDCVE-2017-8345 at SUSECVE-2017-8345 at NVDCVE-2017-8346 at SUSECVE-2017-8346 at NVDCVE-2017-8347 at SUSECVE-2017-8347 at NVDCVE-2017-8348 at SUSECVE-2017-8348 at NVDCVE-2017-8349 at SUSECVE-2017-8349 at NVDCVE-2017-8350 at SUSECVE-2017-8350 at NVDCVE-2017-8351 at SUSECVE-2017-8351 at NVDCVE-2017-8352 at SUSECVE-2017-8352 at NVDCVE-2017-8353 at SUSECVE-2017-8353 at NVDCVE-2017-8354 at SUSECVE-2017-8354 at NVDCVE-2017-8355 at SUSECVE-2017-8355 at NVDCVE-2017-8356 at SUSECVE-2017-8356 at NVDCVE-2017-8357 at SUSECVE-2017-8357 at NVDCVE-2017-8765 at SUSECVE-2017-8765 at NVDCVE-2017-8830 at SUSECVE-2017-8830 at NVDCVE-2017-9098 at SUSECVE-2017-9098 at NVDCVE-2017-9141 at SUSECVE-2017-9141 at NVDCVE-2017-9142 at SUSECVE-2017-9142 at NVDCVE-2017-9143 at SUSECVE-2017-9143 at NVDCVE-2017-9144 at SUSECVE-2017-9144 at NVDcpe:/o:suse:sles:12:sp3libQt5Concurrent5-5.6.2-5.9 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libQt5Concurrent5-5.6.2-5.9 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-0295 at SUSECVE-2015-0295 at NVDCVE-2015-1858 at SUSECVE-2015-1858 at NVDCVE-2015-1859 at SUSECVE-2015-1859 at NVDCVE-2015-1860 at SUSECVE-2015-1860 at NVDcpe:/o:suse:sles:12:sp3libQt5WebKit5-5.6.2-1.31 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libQt5WebKit5-5.6.2-1.31 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-8079 at SUSECVE-2015-8079 at NVDcpe:/o:suse:sles:12:sp3libX11-6-1.6.2-11.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libX11-6-1.6.2-11.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-1981 at SUSECVE-2013-1981 at NVDCVE-2013-1997 at SUSECVE-2013-1997 at NVDCVE-2013-2004 at SUSECVE-2013-2004 at NVDCVE-2016-7942 at SUSECVE-2016-7942 at NVDcpe:/o:suse:sles:12:sp3libXRes1-1.0.7-3.53 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libXRes1-1.0.7-3.53 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-1988 at SUSECVE-2013-1988 at NVDcpe:/o:suse:sles:12:sp3libXcursor1-1.1.14-3.59 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libXcursor1-1.1.14-3.59 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-2003 at SUSECVE-2013-2003 at NVDcpe:/o:suse:sles:12:sp3libXext6-1.3.2-3.60 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libXext6-1.3.2-3.60 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-1982 at SUSECVE-2013-1982 at NVDcpe:/o:suse:sles:12:sp3libXfixes3-32bit-5.0.1-7.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libXfixes3-32bit-5.0.1-7.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-1983 at SUSECVE-2013-1983 at NVDCVE-2016-7944 at SUSECVE-2016-7944 at NVDcpe:/o:suse:sles:12:sp3libXfont1-1.5.1-10.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libXfont1-1.5.1-10.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-2895 at SUSECVE-2011-2895 at NVDCVE-2013-6462 at SUSECVE-2013-6462 at NVDCVE-2014-0209 at SUSECVE-2014-0209 at NVDCVE-2014-0210 at SUSECVE-2014-0210 at NVDCVE-2014-0211 at SUSECVE-2014-0211 at NVDCVE-2015-1802 at SUSECVE-2015-1802 at NVDCVE-2015-1803 at SUSECVE-2015-1803 at NVDCVE-2015-1804 at SUSECVE-2015-1804 at NVDcpe:/o:suse:sles:12:sp3libXi6-1.7.4-17.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libXi6-1.7.4-17.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-1984 at SUSECVE-2013-1984 at NVDCVE-2013-1995 at SUSECVE-2013-1995 at NVDCVE-2013-1998 at SUSECVE-2013-1998 at NVDCVE-2016-7945 at SUSECVE-2016-7945 at NVDCVE-2016-7946 at SUSECVE-2016-7946 at NVDcpe:/o:suse:sles:12:sp3libXinerama1-1.1.3-3.54 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libXinerama1-1.1.3-3.54 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-1985 at SUSECVE-2013-1985 at NVDcpe:/o:suse:sles:12:sp3libXp6-1.0.2-3.57 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libXp6-1.0.2-3.57 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-2062 at SUSECVE-2013-2062 at NVDcpe:/o:suse:sles:12:sp3libXpm4-3.5.11-5.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libXpm4-3.5.11-5.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-10164 at SUSECVE-2016-10164 at NVDcpe:/o:suse:sles:12:sp3libXrandr2-1.5.0-6.2 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libXrandr2-1.5.0-6.2 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-1986 at SUSECVE-2013-1986 at NVDCVE-2016-7947 at SUSECVE-2016-7947 at NVDCVE-2016-7948 at SUSECVE-2016-7948 at NVDcpe:/o:suse:sles:12:sp3libXrender1-0.9.8-7.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libXrender1-0.9.8-7.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-1987 at SUSECVE-2013-1987 at NVDCVE-2016-7949 at SUSECVE-2016-7949 at NVDCVE-2016-7950 at SUSECVE-2016-7950 at NVDcpe:/o:suse:sles:12:sp3libXt6-1.1.4-3.57 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libXt6-1.1.4-3.57 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-2002 at SUSECVE-2013-2002 at NVDCVE-2013-2005 at SUSECVE-2013-2005 at NVDcpe:/o:suse:sles:12:sp3libXtst6-1.2.2-7.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libXtst6-1.2.2-7.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-2063 at SUSECVE-2013-2063 at NVDCVE-2016-7951 at SUSECVE-2016-7951 at NVDCVE-2016-7952 at SUSECVE-2016-7952 at NVDcpe:/o:suse:sles:12:sp3libXv1-1.0.10-7.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libXv1-1.0.10-7.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-1989 at SUSECVE-2013-1989 at NVDCVE-2013-2066 at SUSECVE-2013-2066 at NVDCVE-2016-5407 at SUSECVE-2016-5407 at NVDcpe:/o:suse:sles:12:sp3libXvMC1-1.0.8-7.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libXvMC1-1.0.8-7.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-1990 at SUSECVE-2013-1990 at NVDCVE-2013-1999 at SUSECVE-2013-1999 at NVDCVE-2016-7953 at SUSECVE-2016-7953 at NVDcpe:/o:suse:sles:12:sp3libXvnc1-1.6.0-18.11.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libXvnc1-1.6.0-18.11.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-0011 at SUSECVE-2014-0011 at NVDCVE-2014-8240 at SUSECVE-2014-8240 at NVDCVE-2015-0255 at SUSECVE-2015-0255 at NVDcpe:/o:suse:sles:12:sp3libXxf86dga1-1.1.4-3.58 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libXxf86dga1-1.1.4-3.58 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-1991 at SUSECVE-2013-1991 at NVDCVE-2013-2000 at SUSECVE-2013-2000 at NVDcpe:/o:suse:sles:12:sp3libXxf86vm1-1.1.3-3.53 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libXxf86vm1-1.1.3-3.53 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-2001 at SUSECVE-2013-2001 at NVDcpe:/o:suse:sles:12:sp3libapr-util1-1.5.3-1.46 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libapr-util1-1.5.3-1.46 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-0023 at SUSECVE-2009-0023 at NVDCVE-2009-2412 at SUSECVE-2009-2412 at NVDCVE-2009-3560 at SUSECVE-2009-3560 at NVDCVE-2009-3720 at SUSECVE-2009-3720 at NVDCVE-2010-1623 at SUSECVE-2010-1623 at NVDcpe:/o:suse:sles:12:sp3libapr1-1.5.1-2.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libapr1-1.5.1-2.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-2412 at SUSECVE-2009-2412 at NVDCVE-2011-0419 at SUSECVE-2011-0419 at NVDCVE-2011-1928 at SUSECVE-2011-1928 at NVDcpe:/o:suse:sles:12:sp3libarchive13-3.1.2-25.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libarchive13-3.1.2-25.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-0211 at SUSECVE-2013-0211 at NVDCVE-2015-2304 at SUSECVE-2015-2304 at NVDCVE-2015-8915 at SUSECVE-2015-8915 at NVDCVE-2015-8916 at SUSECVE-2015-8916 at NVDCVE-2015-8918 at SUSECVE-2015-8918 at NVDCVE-2015-8919 at SUSECVE-2015-8919 at NVDCVE-2015-8920 at SUSECVE-2015-8920 at NVDCVE-2015-8921 at SUSECVE-2015-8921 at NVDCVE-2015-8922 at SUSECVE-2015-8922 at NVDCVE-2015-8923 at SUSECVE-2015-8923 at NVDCVE-2015-8924 at SUSECVE-2015-8924 at NVDCVE-2015-8925 at SUSECVE-2015-8925 at NVDCVE-2015-8926 at SUSECVE-2015-8926 at NVDCVE-2015-8928 at SUSECVE-2015-8928 at NVDCVE-2015-8929 at SUSECVE-2015-8929 at NVDCVE-2015-8930 at SUSECVE-2015-8930 at NVDCVE-2015-8931 at SUSECVE-2015-8931 at NVDCVE-2015-8932 at SUSECVE-2015-8932 at NVDCVE-2015-8933 at SUSECVE-2015-8933 at NVDCVE-2015-8934 at SUSECVE-2015-8934 at NVDCVE-2016-1541 at SUSECVE-2016-1541 at NVDCVE-2016-4300 at SUSECVE-2016-4300 at NVDCVE-2016-4301 at SUSECVE-2016-4301 at NVDCVE-2016-4302 at SUSECVE-2016-4302 at NVDCVE-2016-4809 at SUSECVE-2016-4809 at NVDCVE-2016-5418 at SUSECVE-2016-5418 at NVDCVE-2016-5844 at SUSECVE-2016-5844 at NVDCVE-2016-6250 at SUSECVE-2016-6250 at NVDCVE-2016-8687 at SUSECVE-2016-8687 at NVDCVE-2016-8688 at SUSECVE-2016-8688 at NVDCVE-2016-8689 at SUSECVE-2016-8689 at NVDcpe:/o:suse:sles:12:sp3libasan2-32bit-5.3.1+r233831-12.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libasan2-32bit-5.3.1+r233831-12.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-5276 at SUSECVE-2015-5276 at NVDcpe:/o:suse:sles:12:sp3libass5-0.10.2-3.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libass5-0.10.2-3.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-7969 at SUSECVE-2016-7969 at NVDCVE-2016-7972 at SUSECVE-2016-7972 at NVDcpe:/o:suse:sles:12:sp3libblkid1-2.29.2-2.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libblkid1-2.29.2-2.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-0157 at SUSECVE-2013-0157 at NVDCVE-2014-9114 at SUSECVE-2014-9114 at NVDCVE-2015-5218 at SUSECVE-2015-5218 at NVDCVE-2016-5011 at SUSECVE-2016-5011 at NVDCVE-2017-2616 at SUSECVE-2017-2616 at NVDcpe:/o:suse:sles:12:sp3libcairo-gobject2-1.15.2-24.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libcairo-gobject2-1.15.2-24.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-9082 at SUSECVE-2016-9082 at NVDCVE-2017-7475 at SUSECVE-2017-7475 at NVDcpe:/o:suse:sles:12:sp3libcares2-1.9.1-5.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libcares2-1.9.1-5.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-5180 at SUSECVE-2016-5180 at NVDcpe:/o:suse:sles:12:sp3libcgroup-tools-0.41.rc1-9.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libcgroup-tools-0.41.rc1-9.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-1006 at SUSECVE-2011-1006 at NVDCVE-2011-1022 at SUSECVE-2011-1022 at NVDcpe:/o:suse:sles:12:sp3libdcerpc-binding0-32bit-4.6.5+git.27.6afd48b1083-2.11 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libdcerpc-binding0-32bit-4.6.5+git.27.6afd48b1083-2.11 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-1886 at SUSECVE-2009-1886 at NVDCVE-2009-1888 at SUSECVE-2009-1888 at NVDCVE-2009-2813 at SUSECVE-2009-2813 at NVDCVE-2009-2906 at SUSECVE-2009-2906 at NVDCVE-2009-2948 at SUSECVE-2009-2948 at NVDCVE-2010-0547 at SUSECVE-2010-0547 at NVDCVE-2010-0728 at SUSECVE-2010-0728 at NVDCVE-2010-0787 at SUSECVE-2010-0787 at NVDCVE-2010-0926 at SUSECVE-2010-0926 at NVDCVE-2010-1635 at SUSECVE-2010-1635 at NVDCVE-2010-1642 at SUSECVE-2010-1642 at NVDCVE-2010-2063 at SUSECVE-2010-2063 at NVDCVE-2010-3069 at SUSECVE-2010-3069 at NVDCVE-2011-0719 at SUSECVE-2011-0719 at NVDCVE-2011-2522 at SUSECVE-2011-2522 at NVDCVE-2011-2694 at SUSECVE-2011-2694 at NVDCVE-2012-0817 at SUSECVE-2012-0817 at NVDCVE-2012-0870 at SUSECVE-2012-0870 at NVDCVE-2012-1182 at SUSECVE-2012-1182 at NVDCVE-2012-2111 at SUSECVE-2012-2111 at NVDCVE-2012-6150 at SUSECVE-2012-6150 at NVDCVE-2013-0172 at SUSECVE-2013-0172 at NVDCVE-2013-0213 at SUSECVE-2013-0213 at NVDCVE-2013-0214 at SUSECVE-2013-0214 at NVDCVE-2013-0454 at SUSECVE-2013-0454 at NVDCVE-2013-1863 at SUSECVE-2013-1863 at NVDCVE-2013-4124 at SUSECVE-2013-4124 at NVDCVE-2013-4408 at SUSECVE-2013-4408 at NVDCVE-2013-4475 at SUSECVE-2013-4475 at NVDCVE-2013-4476 at SUSECVE-2013-4476 at NVDCVE-2013-4496 at SUSECVE-2013-4496 at NVDCVE-2013-6442 at SUSECVE-2013-6442 at NVDCVE-2014-0178 at SUSECVE-2014-0178 at NVDCVE-2014-0239 at SUSECVE-2014-0239 at NVDCVE-2014-0244 at SUSECVE-2014-0244 at NVDCVE-2014-3493 at SUSECVE-2014-3493 at NVDCVE-2014-3560 at SUSECVE-2014-3560 at NVDCVE-2014-8143 at SUSECVE-2014-8143 at NVDCVE-2015-0240 at SUSECVE-2015-0240 at NVDCVE-2015-3223 at SUSECVE-2015-3223 at NVDCVE-2015-5252 at SUSECVE-2015-5252 at NVDCVE-2015-5296 at SUSECVE-2015-5296 at NVDCVE-2015-5299 at SUSECVE-2015-5299 at NVDCVE-2015-5330 at SUSECVE-2015-5330 at NVDCVE-2015-5370 at SUSECVE-2015-5370 at NVDCVE-2015-7560 at SUSECVE-2015-7560 at NVDCVE-2015-8467 at SUSECVE-2015-8467 at NVDCVE-2015-8543 at SUSECVE-2015-8543 at NVDCVE-2016-0771 at SUSECVE-2016-0771 at NVDCVE-2016-2110 at SUSECVE-2016-2110 at NVDCVE-2016-2111 at SUSECVE-2016-2111 at NVDCVE-2016-2112 at SUSECVE-2016-2112 at NVDCVE-2016-2113 at SUSECVE-2016-2113 at NVDCVE-2016-2115 at SUSECVE-2016-2115 at NVDCVE-2016-2118 at SUSECVE-2016-2118 at NVDCVE-2016-2119 at SUSECVE-2016-2119 at NVDCVE-2016-2123 at SUSECVE-2016-2123 at NVDCVE-2016-2125 at SUSECVE-2016-2125 at NVDCVE-2016-2126 at SUSECVE-2016-2126 at NVDCVE-2017-2619 at SUSECVE-2017-2619 at NVDCVE-2017-7494 at SUSECVE-2017-7494 at NVDcpe:/o:suse:sles:12:sp3libdmx1-1.1.3-3.51 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libdmx1-1.1.3-3.51 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-1992 at SUSECVE-2013-1992 at NVDcpe:/o:suse:sles:12:sp3libecpg6-9.6.3-2.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libecpg6-9.6.3-2.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2007-4772 at SUSECVE-2007-4772 at NVDCVE-2007-6600 at SUSECVE-2007-6600 at NVDCVE-2009-4034 at SUSECVE-2009-4034 at NVDCVE-2009-4136 at SUSECVE-2009-4136 at NVDCVE-2010-1169 at SUSECVE-2010-1169 at NVDCVE-2010-1170 at SUSECVE-2010-1170 at NVDCVE-2010-3433 at SUSECVE-2010-3433 at NVDCVE-2012-0866 at SUSECVE-2012-0866 at NVDCVE-2012-0867 at SUSECVE-2012-0867 at NVDCVE-2012-0868 at SUSECVE-2012-0868 at NVDCVE-2012-2143 at SUSECVE-2012-2143 at NVDCVE-2012-2655 at SUSECVE-2012-2655 at NVDCVE-2012-3488 at SUSECVE-2012-3488 at NVDCVE-2012-3489 at SUSECVE-2012-3489 at NVDCVE-2013-0255 at SUSECVE-2013-0255 at NVDCVE-2013-1899 at SUSECVE-2013-1899 at NVDCVE-2013-1900 at SUSECVE-2013-1900 at NVDCVE-2013-1901 at SUSECVE-2013-1901 at NVDCVE-2014-0060 at SUSECVE-2014-0060 at NVDCVE-2014-0061 at SUSECVE-2014-0061 at NVDCVE-2014-0062 at SUSECVE-2014-0062 at NVDCVE-2014-0063 at SUSECVE-2014-0063 at NVDCVE-2014-0064 at SUSECVE-2014-0064 at NVDCVE-2014-0065 at SUSECVE-2014-0065 at NVDCVE-2014-0066 at SUSECVE-2014-0066 at NVDCVE-2014-0067 at SUSECVE-2014-0067 at NVDCVE-2015-3165 at SUSECVE-2015-3165 at NVDCVE-2015-3166 at SUSECVE-2015-3166 at NVDCVE-2015-3167 at SUSECVE-2015-3167 at NVDCVE-2015-5288 at SUSECVE-2015-5288 at NVDCVE-2015-5289 at SUSECVE-2015-5289 at NVDCVE-2016-0766 at SUSECVE-2016-0766 at NVDCVE-2016-0773 at SUSECVE-2016-0773 at NVDCVE-2016-2193 at SUSECVE-2016-2193 at NVDCVE-2016-3065 at SUSECVE-2016-3065 at NVDCVE-2017-7484 at SUSECVE-2017-7484 at NVDCVE-2017-7485 at SUSECVE-2017-7485 at NVDCVE-2017-7486 at SUSECVE-2017-7486 at NVDcpe:/o:suse:sles:12:sp3libevent-2_0-5-2.0.21-4.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libevent-2_0-5-2.0.21-4.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-6272 at SUSECVE-2014-6272 at NVDcpe:/o:suse:sles:12:sp3libexif12-0.6.21-6.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libexif12-0.6.21-6.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-2812 at SUSECVE-2012-2812 at NVDCVE-2012-2813 at SUSECVE-2012-2813 at NVDCVE-2012-2814 at SUSECVE-2012-2814 at NVDCVE-2012-2836 at SUSECVE-2012-2836 at NVDCVE-2012-2837 at SUSECVE-2012-2837 at NVDCVE-2012-2840 at SUSECVE-2012-2840 at NVDCVE-2012-2841 at SUSECVE-2012-2841 at NVDcpe:/o:suse:sles:12:sp3libfreebl3-3.29.5-57.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libfreebl3-3.29.5-57.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-3170 at SUSECVE-2010-3170 at NVDCVE-2011-3389 at SUSECVE-2011-3389 at NVDCVE-2011-3640 at SUSECVE-2011-3640 at NVDCVE-2013-0743 at SUSECVE-2013-0743 at NVDCVE-2013-0791 at SUSECVE-2013-0791 at NVDCVE-2013-1620 at SUSECVE-2013-1620 at NVDCVE-2013-1739 at SUSECVE-2013-1739 at NVDCVE-2013-1740 at SUSECVE-2013-1740 at NVDCVE-2013-5605 at SUSECVE-2013-5605 at NVDCVE-2014-1492 at SUSECVE-2014-1492 at NVDCVE-2014-1568 at SUSECVE-2014-1568 at NVDCVE-2014-1569 at SUSECVE-2014-1569 at NVDCVE-2015-4000 at SUSECVE-2015-4000 at NVDCVE-2015-7181 at SUSECVE-2015-7181 at NVDCVE-2015-7182 at SUSECVE-2015-7182 at NVDCVE-2015-7575 at SUSECVE-2015-7575 at NVDCVE-2016-1938 at SUSECVE-2016-1938 at NVDCVE-2016-1950 at SUSECVE-2016-1950 at NVDCVE-2016-1978 at SUSECVE-2016-1978 at NVDCVE-2016-1979 at SUSECVE-2016-1979 at NVDCVE-2016-2834 at SUSECVE-2016-2834 at NVDCVE-2016-5285 at SUSECVE-2016-5285 at NVDCVE-2016-8635 at SUSECVE-2016-8635 at NVDCVE-2016-9074 at SUSECVE-2016-9074 at NVDCVE-2016-9574 at SUSECVE-2016-9574 at NVDcpe:/o:suse:sles:12:sp3libfreetype6-2.6.3-7.10.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libfreetype6-2.6.3-7.10.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-0946 at SUSECVE-2009-0946 at NVDCVE-2010-2497 at SUSECVE-2010-2497 at NVDCVE-2010-2805 at SUSECVE-2010-2805 at NVDCVE-2010-3053 at SUSECVE-2010-3053 at NVDCVE-2010-3054 at SUSECVE-2010-3054 at NVDCVE-2010-3311 at SUSECVE-2010-3311 at NVDCVE-2010-3814 at SUSECVE-2010-3814 at NVDCVE-2010-3855 at SUSECVE-2010-3855 at NVDCVE-2011-0226 at SUSECVE-2011-0226 at NVDCVE-2011-3256 at SUSECVE-2011-3256 at NVDCVE-2011-3439 at SUSECVE-2011-3439 at NVDCVE-2012-1126 at SUSECVE-2012-1126 at NVDCVE-2012-1127 at SUSECVE-2012-1127 at NVDCVE-2012-1128 at SUSECVE-2012-1128 at NVDCVE-2012-1129 at SUSECVE-2012-1129 at NVDCVE-2012-1130 at SUSECVE-2012-1130 at NVDCVE-2012-1131 at SUSECVE-2012-1131 at NVDCVE-2012-1132 at SUSECVE-2012-1132 at NVDCVE-2012-1133 at SUSECVE-2012-1133 at NVDCVE-2012-1134 at SUSECVE-2012-1134 at NVDCVE-2012-1135 at SUSECVE-2012-1135 at NVDCVE-2012-1136 at SUSECVE-2012-1136 at NVDCVE-2012-1137 at SUSECVE-2012-1137 at NVDCVE-2012-1138 at SUSECVE-2012-1138 at NVDCVE-2012-1139 at SUSECVE-2012-1139 at NVDCVE-2012-1140 at SUSECVE-2012-1140 at NVDCVE-2012-1141 at SUSECVE-2012-1141 at NVDCVE-2012-1142 at SUSECVE-2012-1142 at NVDCVE-2012-1143 at SUSECVE-2012-1143 at NVDCVE-2012-1144 at SUSECVE-2012-1144 at NVDCVE-2012-5668 at SUSECVE-2012-5668 at NVDCVE-2012-5669 at SUSECVE-2012-5669 at NVDCVE-2012-5670 at SUSECVE-2012-5670 at NVDCVE-2014-2240 at SUSECVE-2014-2240 at NVDCVE-2014-2241 at SUSECVE-2014-2241 at NVDCVE-2014-9656 at SUSECVE-2014-9656 at NVDCVE-2014-9657 at SUSECVE-2014-9657 at NVDCVE-2014-9658 at SUSECVE-2014-9658 at NVDCVE-2014-9659 at SUSECVE-2014-9659 at NVDCVE-2014-9660 at SUSECVE-2014-9660 at NVDCVE-2014-9661 at SUSECVE-2014-9661 at NVDCVE-2014-9662 at SUSECVE-2014-9662 at NVDCVE-2014-9663 at SUSECVE-2014-9663 at NVDCVE-2014-9664 at SUSECVE-2014-9664 at NVDCVE-2014-9665 at SUSECVE-2014-9665 at NVDCVE-2014-9666 at SUSECVE-2014-9666 at NVDCVE-2014-9667 at SUSECVE-2014-9667 at NVDCVE-2014-9668 at SUSECVE-2014-9668 at NVDCVE-2014-9669 at SUSECVE-2014-9669 at NVDCVE-2014-9670 at SUSECVE-2014-9670 at NVDCVE-2014-9671 at SUSECVE-2014-9671 at NVDCVE-2014-9672 at SUSECVE-2014-9672 at NVDCVE-2014-9673 at SUSECVE-2014-9673 at NVDCVE-2014-9674 at SUSECVE-2014-9674 at NVDCVE-2014-9675 at SUSECVE-2014-9675 at NVDcpe:/o:suse:sles:12:sp3libgc1-7.2d-5.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libgc1-7.2d-5.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-2673 at SUSECVE-2012-2673 at NVDCVE-2016-9427 at SUSECVE-2016-9427 at NVDcpe:/o:suse:sles:12:sp3libgcrypt20-1.6.1-16.39.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libgcrypt20-1.6.1-16.39.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-4242 at SUSECVE-2013-4242 at NVDCVE-2014-3591 at SUSECVE-2014-3591 at NVDCVE-2015-0837 at SUSECVE-2015-0837 at NVDCVE-2015-7511 at SUSECVE-2015-7511 at NVDCVE-2016-6313 at SUSECVE-2016-6313 at NVDcpe:/o:suse:sles:12:sp3libgme0-0.6.0-5.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libgme0-0.6.0-5.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-9957 at SUSECVE-2016-9957 at NVDCVE-2016-9958 at SUSECVE-2016-9958 at NVDCVE-2016-9959 at SUSECVE-2016-9959 at NVDCVE-2016-9960 at SUSECVE-2016-9960 at NVDCVE-2016-9961 at SUSECVE-2016-9961 at NVDcpe:/o:suse:sles:12:sp3libgnomesu-2.0.0-353.6.2 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libgnomesu-2.0.0-353.6.2 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-1946 at SUSECVE-2011-1946 at NVDcpe:/o:suse:sles:12:sp3libgoa-1_0-0-3.20.5-9.6 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libgoa-1_0-0-3.20.5-9.6 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-0240 at SUSECVE-2013-0240 at NVDCVE-2013-1799 at SUSECVE-2013-1799 at NVDcpe:/o:suse:sles:12:sp3libgraphite2-3-1.3.1-9.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libgraphite2-3-1.3.1-9.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-1521 at SUSECVE-2016-1521 at NVDCVE-2016-1523 at SUSECVE-2016-1523 at NVDCVE-2016-1526 at SUSECVE-2016-1526 at NVDCVE-2017-5436 at SUSECVE-2017-5436 at NVDcpe:/o:suse:sles:12:sp3libgssglue1-0.4-3.76 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libgssglue1-0.4-3.76 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-2709 at SUSECVE-2011-2709 at NVDcpe:/o:suse:sles:12:sp3libgypsy0-0.9-6.22 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libgypsy0-0.9-6.22 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-0523 at SUSECVE-2011-0523 at NVDCVE-2011-0524 at SUSECVE-2011-0524 at NVDcpe:/o:suse:sles:12:sp3libhivex0-1.3.10-4.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libhivex0-1.3.10-4.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-9273 at SUSECVE-2014-9273 at NVDcpe:/o:suse:sles:12:sp3libhogweed2-2.7.1-12.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libhogweed2-2.7.1-12.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-8803 at SUSECVE-2015-8803 at NVDCVE-2015-8804 at SUSECVE-2015-8804 at NVDCVE-2015-8805 at SUSECVE-2015-8805 at NVDCVE-2016-6489 at SUSECVE-2016-6489 at NVDcpe:/o:suse:sles:12:sp3libicu-doc-52.1-7.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libicu-doc-52.1-7.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-9654 at SUSECVE-2014-9654 at NVDcpe:/o:suse:sles:12:sp3libidn-tools-1.28-4.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libidn-tools-1.28-4.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-2059 at SUSECVE-2015-2059 at NVDCVE-2015-8948 at SUSECVE-2015-8948 at NVDCVE-2016-6261 at SUSECVE-2016-6261 at NVDCVE-2016-6262 at SUSECVE-2016-6262 at NVDCVE-2016-6263 at SUSECVE-2016-6263 at NVDcpe:/o:suse:sles:12:sp3libimobiledevice6-1.2.0-7.31 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libimobiledevice6-1.2.0-7.31 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-2142 at SUSECVE-2013-2142 at NVDCVE-2016-5104 at SUSECVE-2016-5104 at NVDcpe:/o:suse:sles:12:sp3libipa_hbac0-1.13.4-33.2 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libipa_hbac0-1.13.4-33.2 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-4341 at SUSECVE-2010-4341 at NVDCVE-2011-1758 at SUSECVE-2011-1758 at NVDCVE-2013-0219 at SUSECVE-2013-0219 at NVDCVE-2013-0220 at SUSECVE-2013-0220 at NVDCVE-2013-0287 at SUSECVE-2013-0287 at NVDcpe:/o:suse:sles:12:sp3libjansson4-2.7-1.2 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libjansson4-2.7-1.2 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-6401 at SUSECVE-2013-6401 at NVDcpe:/o:suse:sles:12:sp3libjasper1-1.900.14-194.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libjasper1-1.900.14-194.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2008-3522 at SUSECVE-2008-3522 at NVDCVE-2011-4516 at SUSECVE-2011-4516 at NVDCVE-2011-4517 at SUSECVE-2011-4517 at NVDCVE-2014-8137 at SUSECVE-2014-8137 at NVDCVE-2014-8138 at SUSECVE-2014-8138 at NVDCVE-2014-8157 at SUSECVE-2014-8157 at NVDCVE-2014-8158 at SUSECVE-2014-8158 at NVDCVE-2014-9029 at SUSECVE-2014-9029 at NVDCVE-2015-5203 at SUSECVE-2015-5203 at NVDCVE-2015-5221 at SUSECVE-2015-5221 at NVDCVE-2016-10251 at SUSECVE-2016-10251 at NVDCVE-2016-1577 at SUSECVE-2016-1577 at NVDCVE-2016-1867 at SUSECVE-2016-1867 at NVDCVE-2016-2089 at SUSECVE-2016-2089 at NVDCVE-2016-2116 at SUSECVE-2016-2116 at NVDCVE-2016-8654 at SUSECVE-2016-8654 at NVDCVE-2016-8690 at SUSECVE-2016-8690 at NVDCVE-2016-8691 at SUSECVE-2016-8691 at NVDCVE-2016-8692 at SUSECVE-2016-8692 at NVDCVE-2016-8693 at SUSECVE-2016-8693 at NVDCVE-2016-8880 at SUSECVE-2016-8880 at NVDCVE-2016-8881 at SUSECVE-2016-8881 at NVDCVE-2016-8882 at SUSECVE-2016-8882 at NVDCVE-2016-8883 at SUSECVE-2016-8883 at NVDCVE-2016-8884 at SUSECVE-2016-8884 at NVDCVE-2016-8885 at SUSECVE-2016-8885 at NVDCVE-2016-8886 at SUSECVE-2016-8886 at NVDCVE-2016-8887 at SUSECVE-2016-8887 at NVDCVE-2016-9395 at SUSECVE-2016-9395 at NVDCVE-2016-9398 at SUSECVE-2016-9398 at NVDCVE-2016-9560 at SUSECVE-2016-9560 at NVDCVE-2016-9583 at SUSECVE-2016-9583 at NVDCVE-2016-9591 at SUSECVE-2016-9591 at NVDCVE-2016-9600 at SUSECVE-2016-9600 at NVDCVE-2017-5498 at SUSECVE-2017-5498 at NVDCVE-2017-6850 at SUSECVE-2017-6850 at NVDcpe:/o:suse:sles:12:sp3libjavascriptcoregtk-3_0-0-2.4.11-23.20 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libjavascriptcoregtk-3_0-0-2.4.11-23.20 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-5112 at SUSECVE-2012-5112 at NVDCVE-2012-5133 at SUSECVE-2012-5133 at NVDCVE-2014-1344 at SUSECVE-2014-1344 at NVDCVE-2014-1384 at SUSECVE-2014-1384 at NVDCVE-2014-1385 at SUSECVE-2014-1385 at NVDCVE-2014-1386 at SUSECVE-2014-1386 at NVDCVE-2014-1387 at SUSECVE-2014-1387 at NVDCVE-2014-1388 at SUSECVE-2014-1388 at NVDCVE-2014-1389 at SUSECVE-2014-1389 at NVDCVE-2014-1390 at SUSECVE-2014-1390 at NVDCVE-2014-1748 at SUSECVE-2014-1748 at NVDCVE-2015-1071 at SUSECVE-2015-1071 at NVDCVE-2015-1076 at SUSECVE-2015-1076 at NVDCVE-2015-1081 at SUSECVE-2015-1081 at NVDCVE-2015-1083 at SUSECVE-2015-1083 at NVDCVE-2015-1120 at SUSECVE-2015-1120 at NVDCVE-2015-1122 at SUSECVE-2015-1122 at NVDCVE-2015-1127 at SUSECVE-2015-1127 at NVDCVE-2015-1153 at SUSECVE-2015-1153 at NVDCVE-2015-1155 at SUSECVE-2015-1155 at NVDCVE-2015-2330 at SUSECVE-2015-2330 at NVDCVE-2015-3658 at SUSECVE-2015-3658 at NVDCVE-2015-3659 at SUSECVE-2015-3659 at NVDCVE-2015-3727 at SUSECVE-2015-3727 at NVDCVE-2015-3731 at SUSECVE-2015-3731 at NVDCVE-2015-3741 at SUSECVE-2015-3741 at NVDCVE-2015-3743 at SUSECVE-2015-3743 at NVDCVE-2015-3745 at SUSECVE-2015-3745 at NVDCVE-2015-3747 at SUSECVE-2015-3747 at NVDCVE-2015-3748 at SUSECVE-2015-3748 at NVDCVE-2015-3749 at SUSECVE-2015-3749 at NVDCVE-2015-3752 at SUSECVE-2015-3752 at NVDCVE-2015-5788 at SUSECVE-2015-5788 at NVDCVE-2015-5794 at SUSECVE-2015-5794 at NVDCVE-2015-5801 at SUSECVE-2015-5801 at NVDCVE-2015-5809 at SUSECVE-2015-5809 at NVDCVE-2015-5822 at SUSECVE-2015-5822 at NVDCVE-2015-5928 at SUSECVE-2015-5928 at NVDcpe:/o:suse:sles:12:sp3libjavascriptcoregtk-4_0-18-2.12.5-1.12 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libjavascriptcoregtk-4_0-18-2.12.5-1.12 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-1856 at SUSECVE-2016-1856 at NVDCVE-2016-1857 at SUSECVE-2016-1857 at NVDCVE-2016-4590 at SUSECVE-2016-4590 at NVDCVE-2016-4591 at SUSECVE-2016-4591 at NVDCVE-2016-4622 at SUSECVE-2016-4622 at NVDCVE-2016-4624 at SUSECVE-2016-4624 at NVDcpe:/o:suse:sles:12:sp3libjbig2-2.0-12.13 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libjbig2-2.0-12.13 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-6369 at SUSECVE-2013-6369 at NVDcpe:/o:suse:sles:12:sp3libjpeg-turbo-1.3.1-30.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libjpeg-turbo-1.3.1-30.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-9092 at SUSECVE-2014-9092 at NVDcpe:/o:suse:sles:12:sp3libjson-c2-0.11-2.15 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libjson-c2-0.11-2.15 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-6370 at SUSECVE-2013-6370 at NVDCVE-2013-6371 at SUSECVE-2013-6371 at NVDcpe:/o:suse:sles:12:sp3libkde4-32bit-4.12.0-10.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libkde4-32bit-4.12.0-10.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-6354 at SUSECVE-2016-6354 at NVDCVE-2017-8422 at SUSECVE-2017-8422 at NVDcpe:/o:suse:sles:12:sp3libksba8-1.3.0-23.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libksba8-1.3.0-23.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-9087 at SUSECVE-2014-9087 at NVDCVE-2016-4574 at SUSECVE-2016-4574 at NVDCVE-2016-4579 at SUSECVE-2016-4579 at NVDcpe:/o:suse:sles:12:sp3liblcms1-1.19-17.28 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the liblcms1-1.19-17.28 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-0793 at SUSECVE-2009-0793 at NVDCVE-2013-4276 at SUSECVE-2013-4276 at NVDcpe:/o:suse:sles:12:sp3libldap-2_4-2-2.4.41-18.29.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libldap-2_4-2-2.4.41-18.29.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-1545 at SUSECVE-2015-1545 at NVDCVE-2015-1546 at SUSECVE-2015-1546 at NVDCVE-2015-6908 at SUSECVE-2015-6908 at NVDCVE-2017-9287 at SUSECVE-2017-9287 at NVDcpe:/o:suse:sles:12:sp3libldb1-1.1.29-1.13 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libldb1-1.1.29-1.13 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-3223 at SUSECVE-2015-3223 at NVDCVE-2015-5330 at SUSECVE-2015-5330 at NVDcpe:/o:suse:sles:12:sp3libltdl7-2.4.2-16.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libltdl7-2.4.2-16.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-3736 at SUSECVE-2009-3736 at NVDcpe:/o:suse:sles:12:sp3liblua5_2-32bit-5.2.4-6.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the liblua5_2-32bit-5.2.4-6.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-5461 at SUSECVE-2014-5461 at NVDcpe:/o:suse:sles:12:sp3liblzo2-2-2.08-1.13 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the liblzo2-2-2.08-1.13 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-4607 at SUSECVE-2014-4607 at NVDcpe:/o:suse:sles:12:sp3libmicrohttpd10-0.9.30-5.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libmicrohttpd10-0.9.30-5.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-7038 at SUSECVE-2013-7038 at NVDCVE-2013-7039 at SUSECVE-2013-7039 at NVDcpe:/o:suse:sles:12:sp3libmms0-0.6.2-15.8 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libmms0-0.6.2-15.8 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-2892 at SUSECVE-2014-2892 at NVDcpe:/o:suse:sles:12:sp3libmodplug1-0.8.8.4-13.63 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libmodplug1-0.8.8.4-13.63 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-1761 at SUSECVE-2011-1761 at NVDCVE-2013-4233 at SUSECVE-2013-4233 at NVDCVE-2013-4234 at SUSECVE-2013-4234 at NVDcpe:/o:suse:sles:12:sp3libmpfr4-3.1.2-7.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libmpfr4-3.1.2-7.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-9474 at SUSECVE-2014-9474 at NVDcpe:/o:suse:sles:12:sp3libmspack0-0.4-14.4 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libmspack0-0.4-14.4 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-2800 at SUSECVE-2010-2800 at NVDCVE-2010-2801 at SUSECVE-2010-2801 at NVDCVE-2014-9556 at SUSECVE-2014-9556 at NVDCVE-2014-9732 at SUSECVE-2014-9732 at NVDCVE-2015-4467 at SUSECVE-2015-4467 at NVDCVE-2015-4468 at SUSECVE-2015-4468 at NVDCVE-2015-4469 at SUSECVE-2015-4469 at NVDCVE-2015-4470 at SUSECVE-2015-4470 at NVDCVE-2015-4471 at SUSECVE-2015-4471 at NVDCVE-2015-4472 at SUSECVE-2015-4472 at NVDcpe:/o:suse:sles:12:sp3libmusicbrainz4-2.1.5-27.79 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libmusicbrainz4-2.1.5-27.79 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2006-4197 at SUSECVE-2006-4197 at NVDcpe:/o:suse:sles:12:sp3libmysqlclient18-10.0.30-28.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libmysqlclient18-10.0.30-28.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2007-5970 at SUSECVE-2007-5970 at NVDCVE-2008-7247 at SUSECVE-2008-7247 at NVDCVE-2009-4019 at SUSECVE-2009-4019 at NVDCVE-2009-4028 at SUSECVE-2009-4028 at NVDCVE-2009-4030 at SUSECVE-2009-4030 at NVDCVE-2010-5298 at SUSECVE-2010-5298 at NVDCVE-2012-5615 at SUSECVE-2012-5615 at NVDCVE-2013-1976 at SUSECVE-2013-1976 at NVDCVE-2014-0195 at SUSECVE-2014-0195 at NVDCVE-2014-0198 at SUSECVE-2014-0198 at NVDCVE-2014-0221 at SUSECVE-2014-0221 at NVDCVE-2014-0224 at SUSECVE-2014-0224 at NVDCVE-2014-2494 at SUSECVE-2014-2494 at NVDCVE-2014-3470 at SUSECVE-2014-3470 at NVDCVE-2014-4207 at SUSECVE-2014-4207 at NVDCVE-2014-4258 at SUSECVE-2014-4258 at NVDCVE-2014-4260 at SUSECVE-2014-4260 at NVDCVE-2014-4274 at SUSECVE-2014-4274 at NVDCVE-2014-4287 at SUSECVE-2014-4287 at NVDCVE-2014-6463 at SUSECVE-2014-6463 at NVDCVE-2014-6464 at SUSECVE-2014-6464 at NVDCVE-2014-6469 at SUSECVE-2014-6469 at NVDCVE-2014-6474 at SUSECVE-2014-6474 at NVDCVE-2014-6478 at SUSECVE-2014-6478 at NVDCVE-2014-6484 at SUSECVE-2014-6484 at NVDCVE-2014-6489 at SUSECVE-2014-6489 at NVDCVE-2014-6491 at SUSECVE-2014-6491 at NVDCVE-2014-6494 at SUSECVE-2014-6494 at NVDCVE-2014-6495 at SUSECVE-2014-6495 at NVDCVE-2014-6496 at SUSECVE-2014-6496 at NVDCVE-2014-6500 at SUSECVE-2014-6500 at NVDCVE-2014-6505 at SUSECVE-2014-6505 at NVDCVE-2014-6507 at SUSECVE-2014-6507 at NVDCVE-2014-6520 at SUSECVE-2014-6520 at NVDCVE-2014-6530 at SUSECVE-2014-6530 at NVDCVE-2014-6551 at SUSECVE-2014-6551 at NVDCVE-2014-6555 at SUSECVE-2014-6555 at NVDCVE-2014-6559 at SUSECVE-2014-6559 at NVDCVE-2014-6564 at SUSECVE-2014-6564 at NVDCVE-2014-6568 at SUSECVE-2014-6568 at NVDCVE-2014-8964 at SUSECVE-2014-8964 at NVDCVE-2015-0374 at SUSECVE-2015-0374 at NVDCVE-2015-0381 at SUSECVE-2015-0381 at NVDCVE-2015-0382 at SUSECVE-2015-0382 at NVDCVE-2015-0391 at SUSECVE-2015-0391 at NVDCVE-2015-0411 at SUSECVE-2015-0411 at NVDCVE-2015-0432 at SUSECVE-2015-0432 at NVDCVE-2015-0433 at SUSECVE-2015-0433 at NVDCVE-2015-0441 at SUSECVE-2015-0441 at NVDCVE-2015-0499 at SUSECVE-2015-0499 at NVDCVE-2015-0501 at SUSECVE-2015-0501 at NVDCVE-2015-0505 at SUSECVE-2015-0505 at NVDCVE-2015-2325 at SUSECVE-2015-2325 at NVDCVE-2015-2326 at SUSECVE-2015-2326 at NVDCVE-2015-2568 at SUSECVE-2015-2568 at NVDCVE-2015-2571 at SUSECVE-2015-2571 at NVDCVE-2015-2573 at SUSECVE-2015-2573 at NVDCVE-2015-3152 at SUSECVE-2015-3152 at NVDCVE-2015-4792 at SUSECVE-2015-4792 at NVDCVE-2015-4802 at SUSECVE-2015-4802 at NVDCVE-2015-4807 at SUSECVE-2015-4807 at NVDCVE-2015-4815 at SUSECVE-2015-4815 at NVDCVE-2015-4826 at SUSECVE-2015-4826 at NVDCVE-2015-4830 at SUSECVE-2015-4830 at NVDCVE-2015-4836 at SUSECVE-2015-4836 at NVDCVE-2015-4858 at SUSECVE-2015-4858 at NVDCVE-2015-4861 at SUSECVE-2015-4861 at NVDCVE-2015-4870 at SUSECVE-2015-4870 at NVDCVE-2015-4913 at SUSECVE-2015-4913 at NVDCVE-2015-5969 at SUSECVE-2015-5969 at NVDCVE-2016-0505 at SUSECVE-2016-0505 at NVDCVE-2016-0546 at SUSECVE-2016-0546 at NVDCVE-2016-0596 at SUSECVE-2016-0596 at NVDCVE-2016-0597 at SUSECVE-2016-0597 at NVDCVE-2016-0598 at SUSECVE-2016-0598 at NVDCVE-2016-0600 at SUSECVE-2016-0600 at NVDCVE-2016-0606 at SUSECVE-2016-0606 at NVDCVE-2016-0608 at SUSECVE-2016-0608 at NVDCVE-2016-0609 at SUSECVE-2016-0609 at NVDCVE-2016-0616 at SUSECVE-2016-0616 at NVDCVE-2016-0640 at SUSECVE-2016-0640 at NVDCVE-2016-0641 at SUSECVE-2016-0641 at NVDCVE-2016-0642 at SUSECVE-2016-0642 at NVDCVE-2016-0643 at SUSECVE-2016-0643 at NVDCVE-2016-0644 at SUSECVE-2016-0644 at NVDCVE-2016-0646 at SUSECVE-2016-0646 at NVDCVE-2016-0647 at SUSECVE-2016-0647 at NVDCVE-2016-0648 at SUSECVE-2016-0648 at NVDCVE-2016-0649 at SUSECVE-2016-0649 at NVDCVE-2016-0650 at SUSECVE-2016-0650 at NVDCVE-2016-0651 at SUSECVE-2016-0651 at NVDCVE-2016-0655 at SUSECVE-2016-0655 at NVDCVE-2016-0666 at SUSECVE-2016-0666 at NVDCVE-2016-0668 at SUSECVE-2016-0668 at NVDCVE-2016-2047 at SUSECVE-2016-2047 at NVDCVE-2016-3477 at SUSECVE-2016-3477 at NVDCVE-2016-3492 at SUSECVE-2016-3492 at NVDCVE-2016-3521 at SUSECVE-2016-3521 at NVDCVE-2016-3615 at SUSECVE-2016-3615 at NVDCVE-2016-5440 at SUSECVE-2016-5440 at NVDCVE-2016-5584 at SUSECVE-2016-5584 at NVDCVE-2016-5624 at SUSECVE-2016-5624 at NVDCVE-2016-5626 at SUSECVE-2016-5626 at NVDCVE-2016-5629 at SUSECVE-2016-5629 at NVDCVE-2016-6662 at SUSECVE-2016-6662 at NVDCVE-2016-6663 at SUSECVE-2016-6663 at NVDCVE-2016-6664 at SUSECVE-2016-6664 at NVDCVE-2016-7440 at SUSECVE-2016-7440 at NVDCVE-2016-8283 at SUSECVE-2016-8283 at NVDCVE-2017-3238 at SUSECVE-2017-3238 at NVDCVE-2017-3243 at SUSECVE-2017-3243 at NVDCVE-2017-3244 at SUSECVE-2017-3244 at NVDCVE-2017-3257 at SUSECVE-2017-3257 at NVDCVE-2017-3258 at SUSECVE-2017-3258 at NVDCVE-2017-3265 at SUSECVE-2017-3265 at NVDCVE-2017-3291 at SUSECVE-2017-3291 at NVDCVE-2017-3302 at SUSECVE-2017-3302 at NVDCVE-2017-3312 at SUSECVE-2017-3312 at NVDCVE-2017-3313 at SUSECVE-2017-3313 at NVDCVE-2017-3317 at SUSECVE-2017-3317 at NVDCVE-2017-3318 at SUSECVE-2017-3318 at NVDcpe:/o:suse:sles:12:sp3libneon27-0.30.0-3.64 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libneon27-0.30.0-3.64 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-2473 at SUSECVE-2009-2473 at NVDCVE-2009-2474 at SUSECVE-2009-2474 at NVDcpe:/o:suse:sles:12:sp3libnetpbm11-10.66.3-7.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libnetpbm11-10.66.3-7.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-6354 at SUSECVE-2016-6354 at NVDCVE-2017-2581 at SUSECVE-2017-2581 at NVDCVE-2017-2586 at SUSECVE-2017-2586 at NVDCVE-2017-2587 at SUSECVE-2017-2587 at NVDcpe:/o:suse:sles:12:sp3libnghttp2-14-1.7.1-1.84 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libnghttp2-14-1.7.1-1.84 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-1544 at SUSECVE-2016-1544 at NVDcpe:/o:suse:sles:12:sp3libnm-glib-vpn1-1.0.12-12.4 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libnm-glib-vpn1-1.0.12-12.4 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-2924 at SUSECVE-2015-2924 at NVDCVE-2016-0764 at SUSECVE-2016-0764 at NVDcpe:/o:suse:sles:12:sp3libopenjp2-7-2.1.0-3.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libopenjp2-7-2.1.0-3.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-7445 at SUSECVE-2016-7445 at NVDCVE-2016-8332 at SUSECVE-2016-8332 at NVDCVE-2016-9112 at SUSECVE-2016-9112 at NVDCVE-2016-9113 at SUSECVE-2016-9113 at NVDCVE-2016-9114 at SUSECVE-2016-9114 at NVDCVE-2016-9115 at SUSECVE-2016-9115 at NVDCVE-2016-9116 at SUSECVE-2016-9116 at NVDCVE-2016-9117 at SUSECVE-2016-9117 at NVDCVE-2016-9118 at SUSECVE-2016-9118 at NVDCVE-2016-9572 at SUSECVE-2016-9572 at NVDCVE-2016-9573 at SUSECVE-2016-9573 at NVDCVE-2016-9580 at SUSECVE-2016-9580 at NVDCVE-2016-9581 at SUSECVE-2016-9581 at NVDcpe:/o:suse:sles:12:sp3libopenssl-devel-1.0.2j-59.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libopenssl-devel-1.0.2j-59.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2006-7250 at SUSECVE-2006-7250 at NVDCVE-2008-5077 at SUSECVE-2008-5077 at NVDCVE-2009-0590 at SUSECVE-2009-0590 at NVDCVE-2009-0591 at SUSECVE-2009-0591 at NVDCVE-2009-0789 at SUSECVE-2009-0789 at NVDCVE-2009-1377 at SUSECVE-2009-1377 at NVDCVE-2009-1378 at SUSECVE-2009-1378 at NVDCVE-2009-1379 at SUSECVE-2009-1379 at NVDCVE-2009-1386 at SUSECVE-2009-1386 at NVDCVE-2009-1387 at SUSECVE-2009-1387 at NVDCVE-2010-0740 at SUSECVE-2010-0740 at NVDCVE-2010-0742 at SUSECVE-2010-0742 at NVDCVE-2010-1633 at SUSECVE-2010-1633 at NVDCVE-2010-2939 at SUSECVE-2010-2939 at NVDCVE-2010-3864 at SUSECVE-2010-3864 at NVDCVE-2010-5298 at SUSECVE-2010-5298 at NVDCVE-2011-0014 at SUSECVE-2011-0014 at NVDCVE-2011-3207 at SUSECVE-2011-3207 at NVDCVE-2011-3210 at SUSECVE-2011-3210 at NVDCVE-2011-4108 at SUSECVE-2011-4108 at NVDCVE-2011-4576 at SUSECVE-2011-4576 at NVDCVE-2011-4577 at SUSECVE-2011-4577 at NVDCVE-2011-4619 at SUSECVE-2011-4619 at NVDCVE-2012-0027 at SUSECVE-2012-0027 at NVDCVE-2012-0050 at SUSECVE-2012-0050 at NVDCVE-2012-0884 at SUSECVE-2012-0884 at NVDCVE-2012-1165 at SUSECVE-2012-1165 at NVDCVE-2012-2110 at SUSECVE-2012-2110 at NVDCVE-2012-2686 at SUSECVE-2012-2686 at NVDCVE-2012-4929 at SUSECVE-2012-4929 at NVDCVE-2013-0166 at SUSECVE-2013-0166 at NVDCVE-2013-0169 at SUSECVE-2013-0169 at NVDCVE-2013-4353 at SUSECVE-2013-4353 at NVDCVE-2013-6449 at SUSECVE-2013-6449 at NVDCVE-2013-6450 at SUSECVE-2013-6450 at NVDCVE-2014-0076 at SUSECVE-2014-0076 at NVDCVE-2014-0160 at SUSECVE-2014-0160 at NVDCVE-2014-0195 at SUSECVE-2014-0195 at NVDCVE-2014-0198 at SUSECVE-2014-0198 at NVDCVE-2014-0221 at SUSECVE-2014-0221 at NVDCVE-2014-0224 at SUSECVE-2014-0224 at NVDCVE-2014-3470 at SUSECVE-2014-3470 at NVDCVE-2014-3505 at SUSECVE-2014-3505 at NVDCVE-2014-3506 at SUSECVE-2014-3506 at NVDCVE-2014-3507 at SUSECVE-2014-3507 at NVDCVE-2014-3508 at SUSECVE-2014-3508 at NVDCVE-2014-3509 at SUSECVE-2014-3509 at NVDCVE-2014-3510 at SUSECVE-2014-3510 at NVDCVE-2014-3511 at SUSECVE-2014-3511 at NVDCVE-2014-3512 at SUSECVE-2014-3512 at NVDCVE-2014-3513 at SUSECVE-2014-3513 at NVDCVE-2014-3566 at SUSECVE-2014-3566 at NVDCVE-2014-3567 at SUSECVE-2014-3567 at NVDCVE-2014-3568 at SUSECVE-2014-3568 at NVDCVE-2014-3570 at SUSECVE-2014-3570 at NVDCVE-2014-3571 at SUSECVE-2014-3571 at NVDCVE-2014-3572 at SUSECVE-2014-3572 at NVDCVE-2014-5139 at SUSECVE-2014-5139 at NVDCVE-2014-8275 at SUSECVE-2014-8275 at NVDCVE-2015-0204 at SUSECVE-2015-0204 at NVDCVE-2015-0205 at SUSECVE-2015-0205 at NVDCVE-2015-0206 at SUSECVE-2015-0206 at NVDCVE-2015-0209 at SUSECVE-2015-0209 at NVDCVE-2015-0286 at SUSECVE-2015-0286 at NVDCVE-2015-0287 at SUSECVE-2015-0287 at NVDCVE-2015-0288 at SUSECVE-2015-0288 at NVDCVE-2015-0289 at SUSECVE-2015-0289 at NVDCVE-2015-0293 at SUSECVE-2015-0293 at NVDCVE-2015-1788 at SUSECVE-2015-1788 at NVDCVE-2015-1789 at SUSECVE-2015-1789 at NVDCVE-2015-1790 at SUSECVE-2015-1790 at NVDCVE-2015-1791 at SUSECVE-2015-1791 at NVDCVE-2015-1792 at SUSECVE-2015-1792 at NVDCVE-2015-3194 at SUSECVE-2015-3194 at NVDCVE-2015-3195 at SUSECVE-2015-3195 at NVDCVE-2015-3196 at SUSECVE-2015-3196 at NVDCVE-2015-3197 at SUSECVE-2015-3197 at NVDCVE-2015-3216 at SUSECVE-2015-3216 at NVDCVE-2015-4000 at SUSECVE-2015-4000 at NVDCVE-2016-0702 at SUSECVE-2016-0702 at NVDCVE-2016-0705 at SUSECVE-2016-0705 at NVDCVE-2016-0797 at SUSECVE-2016-0797 at NVDCVE-2016-0798 at SUSECVE-2016-0798 at NVDCVE-2016-0799 at SUSECVE-2016-0799 at NVDCVE-2016-0800 at SUSECVE-2016-0800 at NVDCVE-2016-2105 at SUSECVE-2016-2105 at NVDCVE-2016-2106 at SUSECVE-2016-2106 at NVDCVE-2016-2107 at SUSECVE-2016-2107 at NVDCVE-2016-2109 at SUSECVE-2016-2109 at NVDCVE-2016-2176 at SUSECVE-2016-2176 at NVDCVE-2016-2177 at SUSECVE-2016-2177 at NVDCVE-2016-2178 at SUSECVE-2016-2178 at NVDCVE-2016-2179 at SUSECVE-2016-2179 at NVDCVE-2016-2180 at SUSECVE-2016-2180 at NVDCVE-2016-2181 at SUSECVE-2016-2181 at NVDCVE-2016-2182 at SUSECVE-2016-2182 at NVDCVE-2016-2183 at SUSECVE-2016-2183 at NVDCVE-2016-6302 at SUSECVE-2016-6302 at NVDCVE-2016-6303 at SUSECVE-2016-6303 at NVDCVE-2016-6304 at SUSECVE-2016-6304 at NVDCVE-2016-6306 at SUSECVE-2016-6306 at NVDCVE-2016-7052 at SUSECVE-2016-7052 at NVDCVE-2016-7055 at SUSECVE-2016-7055 at NVDCVE-2017-3731 at SUSECVE-2017-3731 at NVDCVE-2017-3732 at SUSECVE-2017-3732 at NVDcpe:/o:suse:sles:12:sp3libopus0-1.1-3.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libopus0-1.1-3.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2017-0381 at SUSECVE-2017-0381 at NVDcpe:/o:suse:sles:12:sp3libotr5-4.0.0-9.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libotr5-4.0.0-9.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-2851 at SUSECVE-2016-2851 at NVDcpe:/o:suse:sles:12:sp3libpango-1_0-0-1.40.1-9.5 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libpango-1_0-0-1.40.1-9.5 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-0020 at SUSECVE-2011-0020 at NVDCVE-2011-0064 at SUSECVE-2011-0064 at NVDcpe:/o:suse:sles:12:sp3libpcre1-32bit-8.39-7.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libpcre1-32bit-8.39-7.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-8964 at SUSECVE-2014-8964 at NVDCVE-2015-2325 at SUSECVE-2015-2325 at NVDCVE-2015-2327 at SUSECVE-2015-2327 at NVDCVE-2015-2328 at SUSECVE-2015-2328 at NVDCVE-2015-3210 at SUSECVE-2015-3210 at NVDCVE-2015-3217 at SUSECVE-2015-3217 at NVDCVE-2015-5073 at SUSECVE-2015-5073 at NVDCVE-2015-8380 at SUSECVE-2015-8380 at NVDCVE-2016-1283 at SUSECVE-2016-1283 at NVDCVE-2016-3191 at SUSECVE-2016-3191 at NVDcpe:/o:suse:sles:12:sp3libpcsclite1-1.8.10-6.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libpcsclite1-1.8.10-6.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-0407 at SUSECVE-2010-0407 at NVDCVE-2010-4531 at SUSECVE-2010-4531 at NVDCVE-2016-10109 at SUSECVE-2016-10109 at NVDcpe:/o:suse:sles:12:sp3libplist3-1.12-19.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libplist3-1.12-19.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2017-5209 at SUSECVE-2017-5209 at NVDCVE-2017-5545 at SUSECVE-2017-5545 at NVDCVE-2017-5834 at SUSECVE-2017-5834 at NVDCVE-2017-5835 at SUSECVE-2017-5835 at NVDCVE-2017-5836 at SUSECVE-2017-5836 at NVDCVE-2017-6440 at SUSECVE-2017-6440 at NVDCVE-2017-7982 at SUSECVE-2017-7982 at NVDcpe:/o:suse:sles:12:sp3libpng12-0-1.2.50-19.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libpng12-0-1.2.50-19.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-1205 at SUSECVE-2010-1205 at NVDCVE-2011-2501 at SUSECVE-2011-2501 at NVDCVE-2011-3026 at SUSECVE-2011-3026 at NVDCVE-2011-3045 at SUSECVE-2011-3045 at NVDCVE-2011-3048 at SUSECVE-2011-3048 at NVDCVE-2012-3386 at SUSECVE-2012-3386 at NVDCVE-2013-7353 at SUSECVE-2013-7353 at NVDCVE-2013-7354 at SUSECVE-2013-7354 at NVDCVE-2015-7981 at SUSECVE-2015-7981 at NVDCVE-2015-8126 at SUSECVE-2015-8126 at NVDCVE-2015-8540 at SUSECVE-2015-8540 at NVDCVE-2016-10087 at SUSECVE-2016-10087 at NVDcpe:/o:suse:sles:12:sp3libpng15-15-1.5.22-9.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libpng15-15-1.5.22-9.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-1205 at SUSECVE-2010-1205 at NVDCVE-2011-2501 at SUSECVE-2011-2501 at NVDCVE-2011-2690 at SUSECVE-2011-2690 at NVDCVE-2011-2691 at SUSECVE-2011-2691 at NVDCVE-2011-2692 at SUSECVE-2011-2692 at NVDCVE-2011-3026 at SUSECVE-2011-3026 at NVDCVE-2011-3048 at SUSECVE-2011-3048 at NVDCVE-2011-3328 at SUSECVE-2011-3328 at NVDCVE-2011-3464 at SUSECVE-2011-3464 at NVDCVE-2012-3386 at SUSECVE-2012-3386 at NVDCVE-2015-8126 at SUSECVE-2015-8126 at NVDCVE-2015-8540 at SUSECVE-2015-8540 at NVDCVE-2016-10087 at SUSECVE-2016-10087 at NVDcpe:/o:suse:sles:12:sp3libpng16-16-1.6.8-14.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libpng16-16-1.6.8-14.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-1205 at SUSECVE-2010-1205 at NVDCVE-2011-2501 at SUSECVE-2011-2501 at NVDCVE-2011-2690 at SUSECVE-2011-2690 at NVDCVE-2011-2691 at SUSECVE-2011-2691 at NVDCVE-2011-2692 at SUSECVE-2011-2692 at NVDCVE-2011-3328 at SUSECVE-2011-3328 at NVDCVE-2013-6954 at SUSECVE-2013-6954 at NVDCVE-2014-0333 at SUSECVE-2014-0333 at NVDCVE-2014-9495 at SUSECVE-2014-9495 at NVDCVE-2015-0973 at SUSECVE-2015-0973 at NVDCVE-2015-8126 at SUSECVE-2015-8126 at NVDCVE-2016-10087 at SUSECVE-2016-10087 at NVDcpe:/o:suse:sles:12:sp3libpolkit0-0.113-5.6.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libpolkit0-0.113-5.6.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-0750 at SUSECVE-2010-0750 at NVDCVE-2011-1485 at SUSECVE-2011-1485 at NVDCVE-2013-4288 at SUSECVE-2013-4288 at NVDCVE-2015-3218 at SUSECVE-2015-3218 at NVDCVE-2015-3255 at SUSECVE-2015-3255 at NVDCVE-2015-3256 at SUSECVE-2015-3256 at NVDCVE-2015-4625 at SUSECVE-2015-4625 at NVDcpe:/o:suse:sles:12:sp3libpoppler-glib8-0.43.0-15.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libpoppler-glib8-0.43.0-15.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-0799 at SUSECVE-2009-0799 at NVDCVE-2009-0800 at SUSECVE-2009-0800 at NVDCVE-2009-1179 at SUSECVE-2009-1179 at NVDCVE-2009-1180 at SUSECVE-2009-1180 at NVDCVE-2009-1181 at SUSECVE-2009-1181 at NVDCVE-2009-1182 at SUSECVE-2009-1182 at NVDCVE-2009-1183 at SUSECVE-2009-1183 at NVDCVE-2009-1187 at SUSECVE-2009-1187 at NVDCVE-2009-1188 at SUSECVE-2009-1188 at NVDCVE-2009-3607 at SUSECVE-2009-3607 at NVDCVE-2009-3608 at SUSECVE-2009-3608 at NVDCVE-2013-1788 at SUSECVE-2013-1788 at NVDCVE-2013-1789 at SUSECVE-2013-1789 at NVDCVE-2013-1790 at SUSECVE-2013-1790 at NVDCVE-2013-4473 at SUSECVE-2013-4473 at NVDCVE-2013-4474 at SUSECVE-2013-4474 at NVDcpe:/o:suse:sles:12:sp3libproxy1-0.4.13-16.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libproxy1-0.4.13-16.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-4504 at SUSECVE-2012-4504 at NVDcpe:/o:suse:sles:12:sp3libpulse-mainloop-glib0-32bit-5.0-4.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libpulse-mainloop-glib0-32bit-5.0-4.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-3970 at SUSECVE-2014-3970 at NVDcpe:/o:suse:sles:12:sp3libpython2_7-1_0-2.7.13-27.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libpython2_7-1_0-2.7.13-27.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-1521 at SUSECVE-2011-1521 at NVDCVE-2011-3389 at SUSECVE-2011-3389 at NVDCVE-2011-4944 at SUSECVE-2011-4944 at NVDCVE-2012-0845 at SUSECVE-2012-0845 at NVDCVE-2012-1150 at SUSECVE-2012-1150 at NVDCVE-2013-1752 at SUSECVE-2013-1752 at NVDCVE-2013-1753 at SUSECVE-2013-1753 at NVDCVE-2013-4238 at SUSECVE-2013-4238 at NVDCVE-2014-1912 at SUSECVE-2014-1912 at NVDCVE-2014-4650 at SUSECVE-2014-4650 at NVDCVE-2014-7185 at SUSECVE-2014-7185 at NVDCVE-2016-0772 at SUSECVE-2016-0772 at NVDCVE-2016-1000110 at SUSECVE-2016-1000110 at NVDCVE-2016-5636 at SUSECVE-2016-5636 at NVDCVE-2016-5699 at SUSECVE-2016-5699 at NVDcpe:/o:suse:sles:12:sp3libpython3_4m1_0-3.4.6-24.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libpython3_4m1_0-3.4.6-24.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-3389 at SUSECVE-2011-3389 at NVDCVE-2011-4944 at SUSECVE-2011-4944 at NVDCVE-2012-0845 at SUSECVE-2012-0845 at NVDCVE-2012-1150 at SUSECVE-2012-1150 at NVDCVE-2013-1752 at SUSECVE-2013-1752 at NVDCVE-2013-4238 at SUSECVE-2013-4238 at NVDCVE-2014-2667 at SUSECVE-2014-2667 at NVDCVE-2014-4650 at SUSECVE-2014-4650 at NVDCVE-2016-0772 at SUSECVE-2016-0772 at NVDCVE-2016-1000110 at SUSECVE-2016-1000110 at NVDCVE-2016-5636 at SUSECVE-2016-5636 at NVDCVE-2016-5699 at SUSECVE-2016-5699 at NVDcpe:/o:suse:sles:12:sp3libqt4-32bit-4.8.6-7.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libqt4-32bit-4.8.6-7.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-0945 at SUSECVE-2009-0945 at NVDCVE-2011-3193 at SUSECVE-2011-3193 at NVDCVE-2011-3922 at SUSECVE-2011-3922 at NVDCVE-2012-4929 at SUSECVE-2012-4929 at NVDCVE-2012-6093 at SUSECVE-2012-6093 at NVDCVE-2013-0254 at SUSECVE-2013-0254 at NVDCVE-2013-4549 at SUSECVE-2013-4549 at NVDCVE-2014-0190 at SUSECVE-2014-0190 at NVDCVE-2015-0295 at SUSECVE-2015-0295 at NVDCVE-2015-1858 at SUSECVE-2015-1858 at NVDCVE-2015-1859 at SUSECVE-2015-1859 at NVDCVE-2015-1860 at SUSECVE-2015-1860 at NVDcpe:/o:suse:sles:12:sp3libquicktime0-1.2.4-10.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libquicktime0-1.2.4-10.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-2399 at SUSECVE-2016-2399 at NVDcpe:/o:suse:sles:12:sp3libraptor2-0-2.0.10-3.63 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libraptor2-0-2.0.10-3.63 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-0037 at SUSECVE-2012-0037 at NVDcpe:/o:suse:sles:12:sp3libruby2_1-2_1-2.1.9-18.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libruby2_1-2_1-2.1.9-18.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-3566 at SUSECVE-2014-3566 at NVDCVE-2014-4975 at SUSECVE-2014-4975 at NVDCVE-2014-8080 at SUSECVE-2014-8080 at NVDCVE-2014-8090 at SUSECVE-2014-8090 at NVDCVE-2015-1855 at SUSECVE-2015-1855 at NVDCVE-2015-3900 at SUSECVE-2015-3900 at NVDCVE-2015-7551 at SUSECVE-2015-7551 at NVDCVE-2016-2339 at SUSECVE-2016-2339 at NVDcpe:/o:suse:sles:12:sp3libsmi-0.4.8-18.55 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libsmi-0.4.8-18.55 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-2891 at SUSECVE-2010-2891 at NVDcpe:/o:suse:sles:12:sp3libsndfile1-1.0.25-35.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libsndfile1-1.0.25-35.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-0186 at SUSECVE-2009-0186 at NVDCVE-2011-2696 at SUSECVE-2011-2696 at NVDCVE-2014-9496 at SUSECVE-2014-9496 at NVDCVE-2014-9756 at SUSECVE-2014-9756 at NVDCVE-2015-7805 at SUSECVE-2015-7805 at NVDCVE-2015-8075 at SUSECVE-2015-8075 at NVDCVE-2017-7585 at SUSECVE-2017-7585 at NVDCVE-2017-7586 at SUSECVE-2017-7586 at NVDCVE-2017-7741 at SUSECVE-2017-7741 at NVDCVE-2017-7742 at SUSECVE-2017-7742 at NVDCVE-2017-8361 at SUSECVE-2017-8361 at NVDCVE-2017-8362 at SUSECVE-2017-8362 at NVDCVE-2017-8363 at SUSECVE-2017-8363 at NVDCVE-2017-8365 at SUSECVE-2017-8365 at NVDcpe:/o:suse:sles:12:sp3libsnmp30-32bit-5.7.3-4.2 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libsnmp30-32bit-5.7.3-4.2 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-2141 at SUSECVE-2012-2141 at NVDCVE-2014-2284 at SUSECVE-2014-2284 at NVDCVE-2014-2285 at SUSECVE-2014-2285 at NVDCVE-2014-3565 at SUSECVE-2014-3565 at NVDCVE-2015-5621 at SUSECVE-2015-5621 at NVDcpe:/o:suse:sles:12:sp3libsoup-2_4-1-2.54.1-4.5 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libsoup-2_4-1-2.54.1-4.5 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-2054 at SUSECVE-2011-2054 at NVDcpe:/o:suse:sles:12:sp3libspice-client-glib-2_0-8-0.33-1.33 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libspice-client-glib-2_0-8-0.33-1.33 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-4425 at SUSECVE-2012-4425 at NVDcpe:/o:suse:sles:12:sp3libspice-server1-0.12.8-1.17 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libspice-server1-0.12.8-1.17 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-4282 at SUSECVE-2013-4282 at NVDCVE-2015-3247 at SUSECVE-2015-3247 at NVDCVE-2015-5260 at SUSECVE-2015-5260 at NVDCVE-2015-5261 at SUSECVE-2015-5261 at NVDCVE-2016-0749 at SUSECVE-2016-0749 at NVDCVE-2016-2150 at SUSECVE-2016-2150 at NVDCVE-2016-9577 at SUSECVE-2016-9577 at NVDCVE-2016-9578 at SUSECVE-2016-9578 at NVDcpe:/o:suse:sles:12:sp3libsqlite3-0-3.8.10.2-8.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libsqlite3-0-3.8.10.2-8.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-6153 at SUSECVE-2016-6153 at NVDcpe:/o:suse:sles:12:sp3libsrtp1-1.5.2-2.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libsrtp1-1.5.2-2.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-2139 at SUSECVE-2013-2139 at NVDcpe:/o:suse:sles:12:sp3libssh2-1-1.4.3-19.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libssh2-1-1.4.3-19.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-1782 at SUSECVE-2015-1782 at NVDCVE-2016-0787 at SUSECVE-2016-0787 at NVDcpe:/o:suse:sles:12:sp3libsystemd0-228-142.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libsystemd0-228-142.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-1174 at SUSECVE-2012-1174 at NVDCVE-2013-4288 at SUSECVE-2013-4288 at NVDCVE-2016-10156 at SUSECVE-2016-10156 at NVDCVE-2016-7795 at SUSECVE-2016-7795 at NVDcpe:/o:suse:sles:12:sp3libtag1-1.9.1-1.218 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libtag1-1.9.1-1.218 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-2396 at SUSECVE-2012-2396 at NVDcpe:/o:suse:sles:12:sp3libtasn1-4.9-1.7 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libtasn1-4.9-1.7 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-3467 at SUSECVE-2014-3467 at NVDCVE-2014-3468 at SUSECVE-2014-3468 at NVDCVE-2014-3469 at SUSECVE-2014-3469 at NVDCVE-2015-2806 at SUSECVE-2015-2806 at NVDCVE-2015-3622 at SUSECVE-2015-3622 at NVDCVE-2016-4008 at SUSECVE-2016-4008 at NVDcpe:/o:suse:sles:12:sp3libtcnative-1-0-1.1.34-12.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libtcnative-1-0-1.1.34-12.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-4000 at SUSECVE-2015-4000 at NVDcpe:/o:suse:sles:12:sp3libthai-data-0.1.25-4.2 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libthai-data-0.1.25-4.2 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-4012 at SUSECVE-2009-4012 at NVDcpe:/o:suse:sles:12:sp3libtiff5-32bit-4.0.7-43.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libtiff5-32bit-4.0.7-43.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-2285 at SUSECVE-2009-2285 at NVDCVE-2009-2347 at SUSECVE-2009-2347 at NVDCVE-2010-2065 at SUSECVE-2010-2065 at NVDCVE-2010-2067 at SUSECVE-2010-2067 at NVDCVE-2010-2233 at SUSECVE-2010-2233 at NVDCVE-2010-4665 at SUSECVE-2010-4665 at NVDCVE-2011-0192 at SUSECVE-2011-0192 at NVDCVE-2011-1167 at SUSECVE-2011-1167 at NVDCVE-2012-1173 at SUSECVE-2012-1173 at NVDCVE-2012-2113 at SUSECVE-2012-2113 at NVDCVE-2012-3401 at SUSECVE-2012-3401 at NVDCVE-2012-4564 at SUSECVE-2012-4564 at NVDCVE-2013-1960 at SUSECVE-2013-1960 at NVDCVE-2013-1961 at SUSECVE-2013-1961 at NVDCVE-2013-4231 at SUSECVE-2013-4231 at NVDCVE-2013-4232 at SUSECVE-2013-4232 at NVDCVE-2013-4243 at SUSECVE-2013-4243 at NVDCVE-2013-4244 at SUSECVE-2013-4244 at NVDCVE-2014-8127 at SUSECVE-2014-8127 at NVDCVE-2014-8128 at SUSECVE-2014-8128 at NVDCVE-2014-8129 at SUSECVE-2014-8129 at NVDCVE-2014-8130 at SUSECVE-2014-8130 at NVDCVE-2014-9655 at SUSECVE-2014-9655 at NVDCVE-2015-1547 at SUSECVE-2015-1547 at NVDCVE-2015-7554 at SUSECVE-2015-7554 at NVDCVE-2015-8665 at SUSECVE-2015-8665 at NVDCVE-2015-8683 at SUSECVE-2015-8683 at NVDCVE-2015-8781 at SUSECVE-2015-8781 at NVDCVE-2015-8782 at SUSECVE-2015-8782 at NVDCVE-2015-8783 at SUSECVE-2015-8783 at NVDCVE-2016-10266 at SUSECVE-2016-10266 at NVDCVE-2016-10267 at SUSECVE-2016-10267 at NVDCVE-2016-10268 at SUSECVE-2016-10268 at NVDCVE-2016-10269 at SUSECVE-2016-10269 at NVDCVE-2016-10270 at SUSECVE-2016-10270 at NVDCVE-2016-10271 at SUSECVE-2016-10271 at NVDCVE-2016-10272 at SUSECVE-2016-10272 at NVDCVE-2016-3186 at SUSECVE-2016-3186 at NVDCVE-2016-3622 at SUSECVE-2016-3622 at NVDCVE-2016-3623 at SUSECVE-2016-3623 at NVDCVE-2016-3658 at SUSECVE-2016-3658 at NVDCVE-2016-3945 at SUSECVE-2016-3945 at NVDCVE-2016-3990 at SUSECVE-2016-3990 at NVDCVE-2016-3991 at SUSECVE-2016-3991 at NVDCVE-2016-5314 at SUSECVE-2016-5314 at NVDCVE-2016-5316 at SUSECVE-2016-5316 at NVDCVE-2016-5317 at SUSECVE-2016-5317 at NVDCVE-2016-5320 at SUSECVE-2016-5320 at NVDCVE-2016-5321 at SUSECVE-2016-5321 at NVDCVE-2016-5323 at SUSECVE-2016-5323 at NVDCVE-2016-5652 at SUSECVE-2016-5652 at NVDCVE-2016-5875 at SUSECVE-2016-5875 at NVDCVE-2016-9273 at SUSECVE-2016-9273 at NVDCVE-2016-9297 at SUSECVE-2016-9297 at NVDCVE-2016-9448 at SUSECVE-2016-9448 at NVDCVE-2016-9453 at SUSECVE-2016-9453 at NVDCVE-2017-5225 at SUSECVE-2017-5225 at NVDcpe:/o:suse:sles:12:sp3libtirpc-netconfig-1.0.1-16.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libtirpc-netconfig-1.0.1-16.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2017-8779 at SUSECVE-2017-8779 at NVDcpe:/o:suse:sles:12:sp3libudisks2-0-2.1.3-1.13 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libudisks2-0-2.1.3-1.13 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-0004 at SUSECVE-2014-0004 at NVDcpe:/o:suse:sles:12:sp3libupsclient1-2.7.1-4.55 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libupsclient1-2.7.1-4.55 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-2944 at SUSECVE-2012-2944 at NVDcpe:/o:suse:sles:12:sp3libusbmuxd4-1.0.10-2.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libusbmuxd4-1.0.10-2.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-5104 at SUSECVE-2016-5104 at NVDcpe:/o:suse:sles:12:sp3libvdpau1-1.1.1-6.73 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libvdpau1-1.1.1-6.73 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-5198 at SUSECVE-2015-5198 at NVDCVE-2015-5199 at SUSECVE-2015-5199 at NVDCVE-2015-5200 at SUSECVE-2015-5200 at NVDcpe:/o:suse:sles:12:sp3libvirglrenderer0-0.5.0-11.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libvirglrenderer0-0.5.0-11.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-10163 at SUSECVE-2016-10163 at NVDCVE-2016-10214 at SUSECVE-2016-10214 at NVDCVE-2017-5580 at SUSECVE-2017-5580 at NVDCVE-2017-5937 at SUSECVE-2017-5937 at NVDCVE-2017-5956 at SUSECVE-2017-5956 at NVDCVE-2017-5957 at SUSECVE-2017-5957 at NVDCVE-2017-5993 at SUSECVE-2017-5993 at NVDCVE-2017-5994 at SUSECVE-2017-5994 at NVDCVE-2017-6209 at SUSECVE-2017-6209 at NVDCVE-2017-6210 at SUSECVE-2017-6210 at NVDCVE-2017-6317 at SUSECVE-2017-6317 at NVDCVE-2017-6355 at SUSECVE-2017-6355 at NVDCVE-2017-6386 at SUSECVE-2017-6386 at NVDcpe:/o:suse:sles:12:sp3libvirt-3.3.0-4.28 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libvirt-3.3.0-4.28 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-2242 at SUSECVE-2010-2242 at NVDCVE-2011-1146 at SUSECVE-2011-1146 at NVDCVE-2011-2511 at SUSECVE-2011-2511 at NVDCVE-2011-4600 at SUSECVE-2011-4600 at NVDCVE-2012-3445 at SUSECVE-2012-3445 at NVDCVE-2013-0170 at SUSECVE-2013-0170 at NVDCVE-2013-1962 at SUSECVE-2013-1962 at NVDCVE-2013-2218 at SUSECVE-2013-2218 at NVDCVE-2013-2230 at SUSECVE-2013-2230 at NVDCVE-2013-4153 at SUSECVE-2013-4153 at NVDCVE-2013-4154 at SUSECVE-2013-4154 at NVDCVE-2013-4239 at SUSECVE-2013-4239 at NVDCVE-2013-4296 at SUSECVE-2013-4296 at NVDCVE-2013-4297 at SUSECVE-2013-4297 at NVDCVE-2013-4311 at SUSECVE-2013-4311 at NVDCVE-2013-4399 at SUSECVE-2013-4399 at NVDCVE-2013-4400 at SUSECVE-2013-4400 at NVDCVE-2013-4401 at SUSECVE-2013-4401 at NVDCVE-2013-6436 at SUSECVE-2013-6436 at NVDCVE-2013-6456 at SUSECVE-2013-6456 at NVDCVE-2013-6457 at SUSECVE-2013-6457 at NVDCVE-2013-6458 at SUSECVE-2013-6458 at NVDCVE-2014-0028 at SUSECVE-2014-0028 at NVDCVE-2014-0179 at SUSECVE-2014-0179 at NVDCVE-2014-1447 at SUSECVE-2014-1447 at NVDCVE-2014-3633 at SUSECVE-2014-3633 at NVDCVE-2014-3657 at SUSECVE-2014-3657 at NVDCVE-2014-7823 at SUSECVE-2014-7823 at NVDCVE-2014-8131 at SUSECVE-2014-8131 at NVDCVE-2015-0236 at SUSECVE-2015-0236 at NVDCVE-2015-5247 at SUSECVE-2015-5247 at NVDCVE-2015-5313 at SUSECVE-2015-5313 at NVDCVE-2017-2635 at SUSECVE-2017-2635 at NVDcpe:/o:suse:sles:12:sp3libvmtools0-10.1.5-2.17 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libvmtools0-10.1.5-2.17 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-5191 at SUSECVE-2015-5191 at NVDcpe:/o:suse:sles:12:sp3libvncclient0-0.9.9-16.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libvncclient0-0.9.9-16.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-6051 at SUSECVE-2014-6051 at NVDCVE-2014-6052 at SUSECVE-2014-6052 at NVDCVE-2014-6053 at SUSECVE-2014-6053 at NVDCVE-2014-6054 at SUSECVE-2014-6054 at NVDCVE-2014-6055 at SUSECVE-2014-6055 at NVDcpe:/o:suse:sles:12:sp3libvorbis-doc-1.3.3-8.23 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libvorbis-doc-1.3.3-8.23 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2008-1420 at SUSECVE-2008-1420 at NVDCVE-2009-3379 at SUSECVE-2009-3379 at NVDCVE-2012-0444 at SUSECVE-2012-0444 at NVDcpe:/o:suse:sles:12:sp3libvte9-0.28.2-19.7 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libvte9-0.28.2-19.7 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-2738 at SUSECVE-2012-2738 at NVDcpe:/o:suse:sles:12:sp3libwireshark8-2.2.7-47.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libwireshark8-2.2.7-47.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-1210 at SUSECVE-2009-1210 at NVDCVE-2009-1267 at SUSECVE-2009-1267 at NVDCVE-2009-1268 at SUSECVE-2009-1268 at NVDCVE-2009-1269 at SUSECVE-2009-1269 at NVDCVE-2009-3241 at SUSECVE-2009-3241 at NVDCVE-2009-3242 at SUSECVE-2009-3242 at NVDCVE-2009-3243 at SUSECVE-2009-3243 at NVDCVE-2010-1455 at SUSECVE-2010-1455 at NVDCVE-2010-2993 at SUSECVE-2010-2993 at NVDCVE-2010-3445 at SUSECVE-2010-3445 at NVDCVE-2010-4300 at SUSECVE-2010-4300 at NVDCVE-2010-4301 at SUSECVE-2010-4301 at NVDCVE-2010-4538 at SUSECVE-2010-4538 at NVDCVE-2011-0024 at SUSECVE-2011-0024 at NVDCVE-2011-0538 at SUSECVE-2011-0538 at NVDCVE-2011-0713 at SUSECVE-2011-0713 at NVDCVE-2011-1138 at SUSECVE-2011-1138 at NVDCVE-2011-1139 at SUSECVE-2011-1139 at NVDCVE-2011-1140 at SUSECVE-2011-1140 at NVDCVE-2011-1143 at SUSECVE-2011-1143 at NVDCVE-2011-1590 at SUSECVE-2011-1590 at NVDCVE-2011-1591 at SUSECVE-2011-1591 at NVDCVE-2011-1592 at SUSECVE-2011-1592 at NVDCVE-2011-1957 at SUSECVE-2011-1957 at NVDCVE-2011-1958 at SUSECVE-2011-1958 at NVDCVE-2011-1959 at SUSECVE-2011-1959 at NVDCVE-2011-2174 at SUSECVE-2011-2174 at NVDCVE-2011-2175 at SUSECVE-2011-2175 at NVDCVE-2011-2597 at SUSECVE-2011-2597 at NVDCVE-2011-2698 at SUSECVE-2011-2698 at NVDCVE-2011-3266 at SUSECVE-2011-3266 at NVDCVE-2011-3360 at SUSECVE-2011-3360 at NVDCVE-2011-3483 at SUSECVE-2011-3483 at NVDCVE-2012-2392 at SUSECVE-2012-2392 at NVDCVE-2012-2393 at SUSECVE-2012-2393 at NVDCVE-2012-2394 at SUSECVE-2012-2394 at NVDCVE-2012-3548 at SUSECVE-2012-3548 at NVDCVE-2012-4048 at SUSECVE-2012-4048 at NVDCVE-2012-4049 at SUSECVE-2012-4049 at NVDCVE-2012-4285 at SUSECVE-2012-4285 at NVDCVE-2012-4286 at SUSECVE-2012-4286 at NVDCVE-2012-4287 at SUSECVE-2012-4287 at NVDCVE-2012-4288 at SUSECVE-2012-4288 at NVDCVE-2012-4289 at SUSECVE-2012-4289 at NVDCVE-2012-4290 at SUSECVE-2012-4290 at NVDCVE-2012-4291 at SUSECVE-2012-4291 at NVDCVE-2012-4292 at SUSECVE-2012-4292 at NVDCVE-2012-4293 at SUSECVE-2012-4293 at NVDCVE-2012-4294 at SUSECVE-2012-4294 at NVDCVE-2012-4295 at SUSECVE-2012-4295 at NVDCVE-2012-4296 at SUSECVE-2012-4296 at NVDCVE-2012-4297 at SUSECVE-2012-4297 at NVDCVE-2012-4298 at SUSECVE-2012-4298 at NVDCVE-2012-5237 at SUSECVE-2012-5237 at NVDCVE-2012-5238 at SUSECVE-2012-5238 at NVDCVE-2012-5239 at SUSECVE-2012-5239 at NVDCVE-2012-5240 at SUSECVE-2012-5240 at NVDCVE-2012-5592 at SUSECVE-2012-5592 at NVDCVE-2012-5593 at SUSECVE-2012-5593 at NVDCVE-2012-5594 at SUSECVE-2012-5594 at NVDCVE-2012-5595 at SUSECVE-2012-5595 at NVDCVE-2012-5596 at SUSECVE-2012-5596 at NVDCVE-2012-5597 at SUSECVE-2012-5597 at NVDCVE-2012-5598 at SUSECVE-2012-5598 at NVDCVE-2012-5599 at SUSECVE-2012-5599 at NVDCVE-2012-5600 at SUSECVE-2012-5600 at NVDCVE-2012-5601 at SUSECVE-2012-5601 at NVDCVE-2012-5602 at SUSECVE-2012-5602 at NVDCVE-2013-1572 at SUSECVE-2013-1572 at NVDCVE-2013-1573 at SUSECVE-2013-1573 at NVDCVE-2013-1574 at SUSECVE-2013-1574 at NVDCVE-2013-1575 at SUSECVE-2013-1575 at NVDCVE-2013-1576 at SUSECVE-2013-1576 at NVDCVE-2013-1577 at SUSECVE-2013-1577 at NVDCVE-2013-1578 at SUSECVE-2013-1578 at NVDCVE-2013-1579 at SUSECVE-2013-1579 at NVDCVE-2013-1580 at SUSECVE-2013-1580 at NVDCVE-2013-1581 at SUSECVE-2013-1581 at NVDCVE-2013-1582 at SUSECVE-2013-1582 at NVDCVE-2013-1583 at SUSECVE-2013-1583 at NVDCVE-2013-1584 at SUSECVE-2013-1584 at NVDCVE-2013-1585 at SUSECVE-2013-1585 at NVDCVE-2013-1586 at SUSECVE-2013-1586 at NVDCVE-2013-1587 at SUSECVE-2013-1587 at NVDCVE-2013-1588 at SUSECVE-2013-1588 at NVDCVE-2013-1589 at SUSECVE-2013-1589 at NVDCVE-2013-1590 at SUSECVE-2013-1590 at NVDCVE-2013-2475 at SUSECVE-2013-2475 at NVDCVE-2013-2476 at SUSECVE-2013-2476 at NVDCVE-2013-2477 at SUSECVE-2013-2477 at NVDCVE-2013-2478 at SUSECVE-2013-2478 at NVDCVE-2013-2479 at SUSECVE-2013-2479 at NVDCVE-2013-2480 at SUSECVE-2013-2480 at NVDCVE-2013-2481 at SUSECVE-2013-2481 at NVDCVE-2013-2482 at SUSECVE-2013-2482 at NVDCVE-2013-2483 at SUSECVE-2013-2483 at NVDCVE-2013-2484 at SUSECVE-2013-2484 at NVDCVE-2013-2485 at SUSECVE-2013-2485 at NVDCVE-2013-2486 at SUSECVE-2013-2486 at NVDCVE-2013-2487 at SUSECVE-2013-2487 at NVDCVE-2013-2488 at SUSECVE-2013-2488 at NVDCVE-2013-3555 at SUSECVE-2013-3555 at NVDCVE-2013-3556 at SUSECVE-2013-3556 at NVDCVE-2013-3557 at SUSECVE-2013-3557 at NVDCVE-2013-3558 at SUSECVE-2013-3558 at NVDCVE-2013-3559 at SUSECVE-2013-3559 at NVDCVE-2013-3560 at SUSECVE-2013-3560 at NVDCVE-2013-3561 at SUSECVE-2013-3561 at NVDCVE-2013-3562 at SUSECVE-2013-3562 at NVDCVE-2013-4083 at SUSECVE-2013-4083 at NVDCVE-2013-4920 at SUSECVE-2013-4920 at NVDCVE-2013-4921 at SUSECVE-2013-4921 at NVDCVE-2013-4922 at SUSECVE-2013-4922 at NVDCVE-2013-4923 at SUSECVE-2013-4923 at NVDCVE-2013-4924 at SUSECVE-2013-4924 at NVDCVE-2013-4925 at SUSECVE-2013-4925 at NVDCVE-2013-4926 at SUSECVE-2013-4926 at NVDCVE-2013-4927 at SUSECVE-2013-4927 at NVDCVE-2013-4928 at SUSECVE-2013-4928 at NVDCVE-2013-4929 at SUSECVE-2013-4929 at NVDCVE-2013-4930 at SUSECVE-2013-4930 at NVDCVE-2013-4931 at SUSECVE-2013-4931 at NVDCVE-2013-4932 at SUSECVE-2013-4932 at NVDCVE-2013-4933 at SUSECVE-2013-4933 at NVDCVE-2013-4934 at SUSECVE-2013-4934 at NVDCVE-2013-4935 at SUSECVE-2013-4935 at NVDCVE-2013-4936 at SUSECVE-2013-4936 at NVDCVE-2013-5717 at SUSECVE-2013-5717 at NVDCVE-2013-5718 at SUSECVE-2013-5718 at NVDCVE-2013-5719 at SUSECVE-2013-5719 at NVDCVE-2013-5720 at SUSECVE-2013-5720 at NVDCVE-2013-5721 at SUSECVE-2013-5721 at NVDCVE-2013-5722 at SUSECVE-2013-5722 at NVDCVE-2013-6336 at SUSECVE-2013-6336 at NVDCVE-2013-6337 at SUSECVE-2013-6337 at NVDCVE-2013-6338 at SUSECVE-2013-6338 at NVDCVE-2013-6339 at SUSECVE-2013-6339 at NVDCVE-2013-6340 at SUSECVE-2013-6340 at NVDCVE-2013-7112 at SUSECVE-2013-7112 at NVDCVE-2013-7113 at SUSECVE-2013-7113 at NVDCVE-2013-7114 at SUSECVE-2013-7114 at NVDCVE-2014-2281 at SUSECVE-2014-2281 at NVDCVE-2014-2282 at SUSECVE-2014-2282 at NVDCVE-2014-2283 at SUSECVE-2014-2283 at NVDCVE-2014-2299 at SUSECVE-2014-2299 at NVDCVE-2014-2907 at SUSECVE-2014-2907 at NVDCVE-2014-4020 at SUSECVE-2014-4020 at NVDCVE-2014-5161 at SUSECVE-2014-5161 at NVDCVE-2014-5162 at SUSECVE-2014-5162 at NVDCVE-2014-5163 at SUSECVE-2014-5163 at NVDCVE-2014-5164 at SUSECVE-2014-5164 at NVDCVE-2014-5165 at SUSECVE-2014-5165 at NVDCVE-2015-0559 at SUSECVE-2015-0559 at NVDCVE-2015-0560 at SUSECVE-2015-0560 at NVDCVE-2015-0561 at SUSECVE-2015-0561 at NVDCVE-2015-0562 at SUSECVE-2015-0562 at NVDCVE-2015-0563 at SUSECVE-2015-0563 at NVDCVE-2015-0564 at SUSECVE-2015-0564 at NVDCVE-2015-2188 at SUSECVE-2015-2188 at NVDCVE-2015-2189 at SUSECVE-2015-2189 at NVDCVE-2015-2191 at SUSECVE-2015-2191 at NVDCVE-2015-3811 at SUSECVE-2015-3811 at NVDCVE-2015-3812 at SUSECVE-2015-3812 at NVDCVE-2015-3813 at SUSECVE-2015-3813 at NVDCVE-2015-3814 at SUSECVE-2015-3814 at NVDCVE-2015-7830 at SUSECVE-2015-7830 at NVDCVE-2015-8711 at SUSECVE-2015-8711 at NVDCVE-2015-8712 at SUSECVE-2015-8712 at NVDCVE-2015-8713 at SUSECVE-2015-8713 at NVDCVE-2015-8714 at SUSECVE-2015-8714 at NVDCVE-2015-8715 at SUSECVE-2015-8715 at NVDCVE-2015-8716 at SUSECVE-2015-8716 at NVDCVE-2015-8717 at SUSECVE-2015-8717 at NVDCVE-2015-8718 at SUSECVE-2015-8718 at NVDCVE-2015-8719 at SUSECVE-2015-8719 at NVDCVE-2015-8720 at SUSECVE-2015-8720 at NVDCVE-2015-8721 at SUSECVE-2015-8721 at NVDCVE-2015-8722 at SUSECVE-2015-8722 at NVDCVE-2015-8723 at SUSECVE-2015-8723 at NVDCVE-2015-8724 at SUSECVE-2015-8724 at NVDCVE-2015-8725 at SUSECVE-2015-8725 at NVDCVE-2015-8726 at SUSECVE-2015-8726 at NVDCVE-2015-8727 at SUSECVE-2015-8727 at NVDCVE-2015-8728 at SUSECVE-2015-8728 at NVDCVE-2015-8729 at SUSECVE-2015-8729 at NVDCVE-2015-8730 at SUSECVE-2015-8730 at NVDCVE-2015-8731 at SUSECVE-2015-8731 at NVDCVE-2015-8732 at SUSECVE-2015-8732 at NVDCVE-2015-8733 at SUSECVE-2015-8733 at NVDCVE-2016-2523 at SUSECVE-2016-2523 at NVDCVE-2016-2530 at SUSECVE-2016-2530 at NVDCVE-2016-2531 at SUSECVE-2016-2531 at NVDCVE-2016-2532 at SUSECVE-2016-2532 at NVDCVE-2016-5350 at SUSECVE-2016-5350 at NVDCVE-2016-5351 at SUSECVE-2016-5351 at NVDCVE-2016-5352 at SUSECVE-2016-5352 at NVDCVE-2016-5353 at SUSECVE-2016-5353 at NVDCVE-2016-5354 at SUSECVE-2016-5354 at NVDCVE-2016-5355 at SUSECVE-2016-5355 at NVDCVE-2016-5356 at SUSECVE-2016-5356 at NVDCVE-2016-5357 at SUSECVE-2016-5357 at NVDCVE-2016-5358 at SUSECVE-2016-5358 at NVDCVE-2016-5359 at SUSECVE-2016-5359 at NVDCVE-2016-6354 at SUSECVE-2016-6354 at NVDCVE-2016-6504 at SUSECVE-2016-6504 at NVDCVE-2016-6505 at SUSECVE-2016-6505 at NVDCVE-2016-6506 at SUSECVE-2016-6506 at NVDCVE-2016-6507 at SUSECVE-2016-6507 at NVDCVE-2016-6508 at SUSECVE-2016-6508 at NVDCVE-2016-6509 at SUSECVE-2016-6509 at NVDCVE-2016-6510 at SUSECVE-2016-6510 at NVDCVE-2016-6511 at SUSECVE-2016-6511 at NVDCVE-2016-7175 at SUSECVE-2016-7175 at NVDCVE-2016-7176 at SUSECVE-2016-7176 at NVDCVE-2016-7177 at SUSECVE-2016-7177 at NVDCVE-2016-7178 at SUSECVE-2016-7178 at NVDCVE-2016-7179 at SUSECVE-2016-7179 at NVDCVE-2016-7180 at SUSECVE-2016-7180 at NVDCVE-2016-9373 at SUSECVE-2016-9373 at NVDCVE-2016-9374 at SUSECVE-2016-9374 at NVDCVE-2016-9375 at SUSECVE-2016-9375 at NVDCVE-2016-9376 at SUSECVE-2016-9376 at NVDCVE-2017-5596 at SUSECVE-2017-5596 at NVDCVE-2017-5597 at SUSECVE-2017-5597 at NVDCVE-2017-6014 at SUSECVE-2017-6014 at NVDCVE-2017-7700 at SUSECVE-2017-7700 at NVDCVE-2017-7701 at SUSECVE-2017-7701 at NVDCVE-2017-7702 at SUSECVE-2017-7702 at NVDCVE-2017-7703 at SUSECVE-2017-7703 at NVDCVE-2017-7704 at SUSECVE-2017-7704 at NVDCVE-2017-7705 at SUSECVE-2017-7705 at NVDCVE-2017-7745 at SUSECVE-2017-7745 at NVDCVE-2017-7746 at SUSECVE-2017-7746 at NVDCVE-2017-7747 at SUSECVE-2017-7747 at NVDCVE-2017-7748 at SUSECVE-2017-7748 at NVDCVE-2017-9343 at SUSECVE-2017-9343 at NVDCVE-2017-9344 at SUSECVE-2017-9344 at NVDCVE-2017-9345 at SUSECVE-2017-9345 at NVDCVE-2017-9346 at SUSECVE-2017-9346 at NVDCVE-2017-9347 at SUSECVE-2017-9347 at NVDCVE-2017-9348 at SUSECVE-2017-9348 at NVDCVE-2017-9349 at SUSECVE-2017-9349 at NVDCVE-2017-9350 at SUSECVE-2017-9350 at NVDCVE-2017-9351 at SUSECVE-2017-9351 at NVDCVE-2017-9352 at SUSECVE-2017-9352 at NVDCVE-2017-9353 at SUSECVE-2017-9353 at NVDCVE-2017-9354 at SUSECVE-2017-9354 at NVDcpe:/o:suse:sles:12:sp3libxcb-dri2-0-1.10-3.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libxcb-dri2-0-1.10-3.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-2064 at SUSECVE-2013-2064 at NVDcpe:/o:suse:sles:12:sp3libxerces-c-3_1-3.1.1-12.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libxerces-c-3_1-3.1.1-12.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-1885 at SUSECVE-2009-1885 at NVDCVE-2015-0252 at SUSECVE-2015-0252 at NVDCVE-2016-0729 at SUSECVE-2016-0729 at NVDCVE-2016-2099 at SUSECVE-2016-2099 at NVDCVE-2016-4463 at SUSECVE-2016-4463 at NVDcpe:/o:suse:sles:12:sp3libxml2-2-2.9.4-45.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libxml2-2-2.9.4-45.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2008-4225 at SUSECVE-2008-4225 at NVDCVE-2008-4226 at SUSECVE-2008-4226 at NVDCVE-2008-4409 at SUSECVE-2008-4409 at NVDCVE-2010-4494 at SUSECVE-2010-4494 at NVDCVE-2011-1944 at SUSECVE-2011-1944 at NVDCVE-2012-5134 at SUSECVE-2012-5134 at NVDCVE-2013-0338 at SUSECVE-2013-0338 at NVDCVE-2013-1969 at SUSECVE-2013-1969 at NVDCVE-2014-0191 at SUSECVE-2014-0191 at NVDCVE-2014-3660 at SUSECVE-2014-3660 at NVDCVE-2015-1819 at SUSECVE-2015-1819 at NVDCVE-2015-5312 at SUSECVE-2015-5312 at NVDCVE-2015-7497 at SUSECVE-2015-7497 at NVDCVE-2015-7498 at SUSECVE-2015-7498 at NVDCVE-2015-7499 at SUSECVE-2015-7499 at NVDCVE-2015-7500 at SUSECVE-2015-7500 at NVDCVE-2015-7941 at SUSECVE-2015-7941 at NVDCVE-2015-7942 at SUSECVE-2015-7942 at NVDCVE-2015-8035 at SUSECVE-2015-8035 at NVDCVE-2015-8241 at SUSECVE-2015-8241 at NVDCVE-2015-8242 at SUSECVE-2015-8242 at NVDCVE-2015-8317 at SUSECVE-2015-8317 at NVDCVE-2015-8710 at SUSECVE-2015-8710 at NVDCVE-2016-1762 at SUSECVE-2016-1762 at NVDCVE-2016-1833 at SUSECVE-2016-1833 at NVDCVE-2016-1834 at SUSECVE-2016-1834 at NVDCVE-2016-1835 at SUSECVE-2016-1835 at NVDCVE-2016-1836 at SUSECVE-2016-1836 at NVDCVE-2016-1837 at SUSECVE-2016-1837 at NVDCVE-2016-1838 at SUSECVE-2016-1838 at NVDCVE-2016-1839 at SUSECVE-2016-1839 at NVDCVE-2016-1840 at SUSECVE-2016-1840 at NVDCVE-2016-3627 at SUSECVE-2016-3627 at NVDCVE-2016-3705 at SUSECVE-2016-3705 at NVDCVE-2016-4483 at SUSECVE-2016-4483 at NVDCVE-2016-4658 at SUSECVE-2016-4658 at NVDCVE-2016-9318 at SUSECVE-2016-9318 at NVDCVE-2016-9597 at SUSECVE-2016-9597 at NVDCVE-2017-0663 at SUSECVE-2017-0663 at NVDCVE-2017-5969 at SUSECVE-2017-5969 at NVDCVE-2017-7375 at SUSECVE-2017-7375 at NVDCVE-2017-7376 at SUSECVE-2017-7376 at NVDCVE-2017-9047 at SUSECVE-2017-9047 at NVDCVE-2017-9048 at SUSECVE-2017-9048 at NVDCVE-2017-9049 at SUSECVE-2017-9049 at NVDCVE-2017-9050 at SUSECVE-2017-9050 at NVDcpe:/o:suse:sles:12:sp3libxslt-tools-1.1.28-16.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libxslt-tools-1.1.28-16.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-7995 at SUSECVE-2015-7995 at NVDCVE-2015-9019 at SUSECVE-2015-9019 at NVDCVE-2016-4738 at SUSECVE-2016-4738 at NVDCVE-2017-5029 at SUSECVE-2017-5029 at NVDcpe:/o:suse:sles:12:sp3libyaml-0-2-0.1.6-7.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libyaml-0-2-0.1.6-7.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-6393 at SUSECVE-2013-6393 at NVDCVE-2014-2525 at SUSECVE-2014-2525 at NVDCVE-2014-9130 at SUSECVE-2014-9130 at NVDcpe:/o:suse:sles:12:sp3libz1-1.2.8-11.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libz1-1.2.8-11.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-9840 at SUSECVE-2016-9840 at NVDCVE-2016-9841 at SUSECVE-2016-9841 at NVDCVE-2016-9842 at SUSECVE-2016-9842 at NVDCVE-2016-9843 at SUSECVE-2016-9843 at NVDcpe:/o:suse:sles:12:sp3libzip2-0.11.1-12.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the libzip2-0.11.1-12.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-0421 at SUSECVE-2011-0421 at NVDCVE-2012-1162 at SUSECVE-2012-1162 at NVDCVE-2012-1163 at SUSECVE-2012-1163 at NVDCVE-2015-2331 at SUSECVE-2015-2331 at NVDcpe:/o:suse:sles:12:sp3logrotate-3.11.0-1.15 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the logrotate-3.11.0-1.15 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-1098 at SUSECVE-2011-1098 at NVDCVE-2011-1154 at SUSECVE-2011-1154 at NVDCVE-2011-1155 at SUSECVE-2011-1155 at NVDcpe:/o:suse:sles:12:sp3logwatch-7.4.3-15.65 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the logwatch-7.4.3-15.65 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-1018 at SUSECVE-2011-1018 at NVDcpe:/o:suse:sles:12:sp3mailman-2.1.17-1.18 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the mailman-2.1.17-1.18 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-0707 at SUSECVE-2011-0707 at NVDcpe:/o:suse:sles:12:sp3mailx-12.5-28.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the mailx-12.5-28.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2004-2771 at SUSECVE-2004-2771 at NVDCVE-2014-7844 at SUSECVE-2014-7844 at NVDcpe:/o:suse:sles:12:sp3memcached-1.4.33-3.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the memcached-1.4.33-3.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-1494 at SUSECVE-2009-1494 at NVDCVE-2011-4971 at SUSECVE-2011-4971 at NVDCVE-2013-0179 at SUSECVE-2013-0179 at NVDCVE-2013-7239 at SUSECVE-2013-7239 at NVDCVE-2013-7290 at SUSECVE-2013-7290 at NVDCVE-2013-7291 at SUSECVE-2013-7291 at NVDCVE-2016-8704 at SUSECVE-2016-8704 at NVDCVE-2016-8705 at SUSECVE-2016-8705 at NVDCVE-2016-8706 at SUSECVE-2016-8706 at NVDcpe:/o:suse:sles:12:sp3minicom-2.7-3.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the minicom-2.7-3.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2017-7467 at SUSECVE-2017-7467 at NVDcpe:/o:suse:sles:12:sp3mipv6d-2.0.2.umip.0.4-19.63 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the mipv6d-2.0.2.umip.0.4-19.63 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-2522 at SUSECVE-2010-2522 at NVDCVE-2010-2523 at SUSECVE-2010-2523 at NVDcpe:/o:suse:sles:12:sp3mozilla-nspr-32bit-4.13.1-18.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the mozilla-nspr-32bit-4.13.1-18.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-1545 at SUSECVE-2014-1545 at NVDCVE-2015-7183 at SUSECVE-2015-7183 at NVDcpe:/o:suse:sles:12:sp3mutt-1.6.0-54.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the mutt-1.6.0-54.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-0467 at SUSECVE-2014-0467 at NVDCVE-2014-9116 at SUSECVE-2014-9116 at NVDcpe:/o:suse:sles:12:sp3ntp-4.2.8p10-63.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the ntp-4.2.8p10-63.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-0159 at SUSECVE-2009-0159 at NVDCVE-2009-1252 at SUSECVE-2009-1252 at NVDCVE-2013-5211 at SUSECVE-2013-5211 at NVDCVE-2014-9293 at SUSECVE-2014-9293 at NVDCVE-2014-9294 at SUSECVE-2014-9294 at NVDCVE-2014-9295 at SUSECVE-2014-9295 at NVDCVE-2014-9296 at SUSECVE-2014-9296 at NVDCVE-2014-9297 at SUSECVE-2014-9297 at NVDCVE-2014-9298 at SUSECVE-2014-9298 at NVDCVE-2015-1798 at SUSECVE-2015-1798 at NVDCVE-2015-1799 at SUSECVE-2015-1799 at NVDCVE-2015-3405 at SUSECVE-2015-3405 at NVDCVE-2015-5219 at SUSECVE-2015-5219 at NVDCVE-2015-5300 at SUSECVE-2015-5300 at NVDCVE-2015-7691 at SUSECVE-2015-7691 at NVDCVE-2015-7692 at SUSECVE-2015-7692 at NVDCVE-2015-7701 at SUSECVE-2015-7701 at NVDCVE-2015-7702 at SUSECVE-2015-7702 at NVDCVE-2015-7703 at SUSECVE-2015-7703 at NVDCVE-2015-7704 at SUSECVE-2015-7704 at NVDCVE-2015-7705 at SUSECVE-2015-7705 at NVDCVE-2015-7848 at SUSECVE-2015-7848 at NVDCVE-2015-7849 at SUSECVE-2015-7849 at NVDCVE-2015-7850 at SUSECVE-2015-7850 at NVDCVE-2015-7851 at SUSECVE-2015-7851 at NVDCVE-2015-7852 at SUSECVE-2015-7852 at NVDCVE-2015-7853 at SUSECVE-2015-7853 at NVDCVE-2015-7854 at SUSECVE-2015-7854 at NVDCVE-2015-7855 at SUSECVE-2015-7855 at NVDCVE-2015-7871 at SUSECVE-2015-7871 at NVDCVE-2015-7973 at SUSECVE-2015-7973 at NVDCVE-2015-7974 at SUSECVE-2015-7974 at NVDCVE-2015-7975 at SUSECVE-2015-7975 at NVDCVE-2015-7976 at SUSECVE-2015-7976 at NVDCVE-2015-7977 at SUSECVE-2015-7977 at NVDCVE-2015-7978 at SUSECVE-2015-7978 at NVDCVE-2015-7979 at SUSECVE-2015-7979 at NVDCVE-2015-8138 at SUSECVE-2015-8138 at NVDCVE-2015-8139 at SUSECVE-2015-8139 at NVDCVE-2015-8140 at SUSECVE-2015-8140 at NVDCVE-2015-8158 at SUSECVE-2015-8158 at NVDCVE-2016-1547 at SUSECVE-2016-1547 at NVDCVE-2016-1548 at SUSECVE-2016-1548 at NVDCVE-2016-1549 at SUSECVE-2016-1549 at NVDCVE-2016-1550 at SUSECVE-2016-1550 at NVDCVE-2016-1551 at SUSECVE-2016-1551 at NVDCVE-2016-2516 at SUSECVE-2016-2516 at NVDCVE-2016-2517 at SUSECVE-2016-2517 at NVDCVE-2016-2518 at SUSECVE-2016-2518 at NVDCVE-2016-2519 at SUSECVE-2016-2519 at NVDCVE-2016-4953 at SUSECVE-2016-4953 at NVDCVE-2016-4954 at SUSECVE-2016-4954 at NVDCVE-2016-4955 at SUSECVE-2016-4955 at NVDCVE-2016-4956 at SUSECVE-2016-4956 at NVDCVE-2016-4957 at SUSECVE-2016-4957 at NVDCVE-2016-7426 at SUSECVE-2016-7426 at NVDCVE-2016-7427 at SUSECVE-2016-7427 at NVDCVE-2016-7428 at SUSECVE-2016-7428 at NVDCVE-2016-7429 at SUSECVE-2016-7429 at NVDCVE-2016-7431 at SUSECVE-2016-7431 at NVDCVE-2016-7433 at SUSECVE-2016-7433 at NVDCVE-2016-7434 at SUSECVE-2016-7434 at NVDCVE-2016-9042 at SUSECVE-2016-9042 at NVDCVE-2016-9310 at SUSECVE-2016-9310 at NVDCVE-2016-9311 at SUSECVE-2016-9311 at NVDCVE-2017-6451 at SUSECVE-2017-6451 at NVDCVE-2017-6458 at SUSECVE-2017-6458 at NVDCVE-2017-6460 at SUSECVE-2017-6460 at NVDCVE-2017-6462 at SUSECVE-2017-6462 at NVDCVE-2017-6463 at SUSECVE-2017-6463 at NVDCVE-2017-6464 at SUSECVE-2017-6464 at NVDcpe:/o:suse:sles:12:sp3opensc-0.13.0-1.107 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the opensc-0.13.0-1.107 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-0368 at SUSECVE-2009-0368 at NVDCVE-2010-4523 at SUSECVE-2010-4523 at NVDcpe:/o:suse:sles:12:sp3openslp-2.0.0-17.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the openslp-2.0.0-17.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-3609 at SUSECVE-2010-3609 at NVDCVE-2016-4912 at SUSECVE-2016-4912 at NVDCVE-2016-6354 at SUSECVE-2016-6354 at NVDCVE-2016-7567 at SUSECVE-2016-7567 at NVDcpe:/o:suse:sles:12:sp3openssh-7.2p2-69.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the openssh-7.2p2-69.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-2653 at SUSECVE-2014-2653 at NVDCVE-2015-5352 at SUSECVE-2015-5352 at NVDCVE-2015-5600 at SUSECVE-2015-5600 at NVDCVE-2015-6563 at SUSECVE-2015-6563 at NVDCVE-2015-6564 at SUSECVE-2015-6564 at NVDCVE-2015-8325 at SUSECVE-2015-8325 at NVDCVE-2016-0777 at SUSECVE-2016-0777 at NVDCVE-2016-0778 at SUSECVE-2016-0778 at NVDCVE-2016-10009 at SUSECVE-2016-10009 at NVDCVE-2016-10010 at SUSECVE-2016-10010 at NVDCVE-2016-10011 at SUSECVE-2016-10011 at NVDCVE-2016-10012 at SUSECVE-2016-10012 at NVDCVE-2016-1908 at SUSECVE-2016-1908 at NVDCVE-2016-3115 at SUSECVE-2016-3115 at NVDCVE-2016-6210 at SUSECVE-2016-6210 at NVDCVE-2016-6515 at SUSECVE-2016-6515 at NVDCVE-2016-8858 at SUSECVE-2016-8858 at NVDcpe:/o:suse:sles:12:sp3openvpn-2.3.8-16.17.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the openvpn-2.3.8-16.17.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-8104 at SUSECVE-2014-8104 at NVDCVE-2016-6329 at SUSECVE-2016-6329 at NVDCVE-2017-7478 at SUSECVE-2017-7478 at NVDCVE-2017-7479 at SUSECVE-2017-7479 at NVDCVE-2017-7508 at SUSECVE-2017-7508 at NVDCVE-2017-7520 at SUSECVE-2017-7520 at NVDCVE-2017-7521 at SUSECVE-2017-7521 at NVDcpe:/o:suse:sles:12:sp3openvswitch-2.7.0-2.29 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the openvswitch-2.7.0-2.29 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-3449 at SUSECVE-2012-3449 at NVDcpe:/o:suse:sles:12:sp3opie-2.4-724.56 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the opie-2.4-724.56 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-2489 at SUSECVE-2011-2489 at NVDCVE-2011-2490 at SUSECVE-2011-2490 at NVDcpe:/o:suse:sles:12:sp3p7zip-9.20.1-6.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the p7zip-9.20.1-6.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-1038 at SUSECVE-2015-1038 at NVDCVE-2016-2335 at SUSECVE-2016-2335 at NVDcpe:/o:suse:sles:12:sp3pam-1.1.8-23.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the pam-1.1.8-23.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-3430 at SUSECVE-2010-3430 at NVDCVE-2010-3431 at SUSECVE-2010-3431 at NVDCVE-2010-3853 at SUSECVE-2010-3853 at NVDCVE-2011-3148 at SUSECVE-2011-3148 at NVDCVE-2011-3149 at SUSECVE-2011-3149 at NVDCVE-2014-2583 at SUSECVE-2014-2583 at NVDCVE-2015-3238 at SUSECVE-2015-3238 at NVDcpe:/o:suse:sles:12:sp3pam-modules-12.1-23.12 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the pam-modules-12.1-23.12 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-3172 at SUSECVE-2011-3172 at NVDcpe:/o:suse:sles:12:sp3pam_krb5-2.4.4-4.4 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the pam_krb5-2.4.4-4.4 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2008-3825 at SUSECVE-2008-3825 at NVDCVE-2009-1384 at SUSECVE-2009-1384 at NVDcpe:/o:suse:sles:12:sp3pam_ssh-2.0-1.39 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the pam_ssh-2.0-1.39 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-1273 at SUSECVE-2009-1273 at NVDcpe:/o:suse:sles:12:sp3patch-2.7.5-7.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the patch-2.7.5-7.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-4651 at SUSECVE-2010-4651 at NVDCVE-2015-1196 at SUSECVE-2015-1196 at NVDCVE-2015-1395 at SUSECVE-2015-1395 at NVDCVE-2015-1396 at SUSECVE-2015-1396 at NVDcpe:/o:suse:sles:12:sp3pcsc-ccid-1.4.25-4.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the pcsc-ccid-1.4.25-4.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-4530 at SUSECVE-2010-4530 at NVDcpe:/o:suse:sles:12:sp3perl-32bit-5.18.2-11.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the perl-32bit-5.18.2-11.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-2761 at SUSECVE-2010-2761 at NVDCVE-2010-4410 at SUSECVE-2010-4410 at NVDCVE-2010-4411 at SUSECVE-2010-4411 at NVDCVE-2010-4777 at SUSECVE-2010-4777 at NVDCVE-2015-8853 at SUSECVE-2015-8853 at NVDCVE-2016-1238 at SUSECVE-2016-1238 at NVDCVE-2016-2381 at SUSECVE-2016-2381 at NVDCVE-2016-6185 at SUSECVE-2016-6185 at NVDcpe:/o:suse:sles:12:sp3perl-Config-IniFiles-2.82-3.12 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the perl-Config-IniFiles-2.82-3.12 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-2451 at SUSECVE-2012-2451 at NVDcpe:/o:suse:sles:12:sp3perl-DBD-mysql-4.021-11.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the perl-DBD-mysql-4.021-11.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-1246 at SUSECVE-2016-1246 at NVDCVE-2016-1249 at SUSECVE-2016-1249 at NVDCVE-2016-1251 at SUSECVE-2016-1251 at NVDcpe:/o:suse:sles:12:sp3perl-HTML-Parser-3.71-1.145 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the perl-HTML-Parser-3.71-1.145 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-3627 at SUSECVE-2009-3627 at NVDcpe:/o:suse:sles:12:sp3perl-LWP-Protocol-https-6.04-5.4 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the perl-LWP-Protocol-https-6.04-5.4 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-3230 at SUSECVE-2014-3230 at NVDcpe:/o:suse:sles:12:sp3perl-Tk-804.031-3.76 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the perl-Tk-804.031-3.76 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2006-4484 at SUSECVE-2006-4484 at NVDcpe:/o:suse:sles:12:sp3perl-XML-LibXML-2.0019-5.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the perl-XML-LibXML-2.0019-5.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-3451 at SUSECVE-2015-3451 at NVDcpe:/o:suse:sles:12:sp3perl-YAML-LibYAML-0.38-10.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the perl-YAML-LibYAML-0.38-10.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-1152 at SUSECVE-2012-1152 at NVDCVE-2013-6393 at SUSECVE-2013-6393 at NVDCVE-2014-2525 at SUSECVE-2014-2525 at NVDCVE-2014-9130 at SUSECVE-2014-9130 at NVDcpe:/o:suse:sles:12:sp3pigz-2.3-5.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the pigz-2.3-5.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-1191 at SUSECVE-2015-1191 at NVDcpe:/o:suse:sles:12:sp3policycoreutils-2.5-9.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the policycoreutils-2.5-9.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-7545 at SUSECVE-2016-7545 at NVDcpe:/o:suse:sles:12:sp3powerpc-utils-1.3.3-5.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the powerpc-utils-1.3.3-5.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-4040 at SUSECVE-2014-4040 at NVDcpe:/o:suse:sles:12:sp3ppc64-diag-2.7.3-1.17 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the ppc64-diag-2.7.3-1.17 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-4038 at SUSECVE-2014-4038 at NVDCVE-2014-4039 at SUSECVE-2014-4039 at NVDcpe:/o:suse:sles:12:sp3ppp-2.4.7-3.4 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the ppp-2.4.7-3.4 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-3158 at SUSECVE-2014-3158 at NVDCVE-2015-3310 at SUSECVE-2015-3310 at NVDcpe:/o:suse:sles:12:sp3procmail-3.22-267.12 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the procmail-3.22-267.12 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-3618 at SUSECVE-2014-3618 at NVDcpe:/o:suse:sles:12:sp3python-2.7.13-27.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the python-2.7.13-27.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-4238 at SUSECVE-2013-4238 at NVDCVE-2016-0772 at SUSECVE-2016-0772 at NVDCVE-2016-1000110 at SUSECVE-2016-1000110 at NVDCVE-2016-5636 at SUSECVE-2016-5636 at NVDCVE-2016-5699 at SUSECVE-2016-5699 at NVDcpe:/o:suse:sles:12:sp3python-PyYAML-3.12-25.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the python-PyYAML-3.12-25.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-9130 at SUSECVE-2014-9130 at NVDcpe:/o:suse:sles:12:sp3python-cupshelpers-1.5.7-7.5 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the python-cupshelpers-1.5.7-7.5 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-4405 at SUSECVE-2011-4405 at NVDcpe:/o:suse:sles:12:sp3python-doc-2.7.13-27.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the python-doc-2.7.13-27.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-0772 at SUSECVE-2016-0772 at NVDCVE-2016-5636 at SUSECVE-2016-5636 at NVDCVE-2016-5699 at SUSECVE-2016-5699 at NVDcpe:/o:suse:sles:12:sp3python-imaging-1.1.7-21.15 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the python-imaging-1.1.7-21.15 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-1932 at SUSECVE-2014-1932 at NVDcpe:/o:suse:sles:12:sp3python-libxml2-2.9.4-45.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the python-libxml2-2.9.4-45.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2008-4225 at SUSECVE-2008-4225 at NVDCVE-2008-4226 at SUSECVE-2008-4226 at NVDCVE-2008-4409 at SUSECVE-2008-4409 at NVDCVE-2012-5134 at SUSECVE-2012-5134 at NVDCVE-2016-1762 at SUSECVE-2016-1762 at NVDCVE-2016-1833 at SUSECVE-2016-1833 at NVDCVE-2016-1834 at SUSECVE-2016-1834 at NVDCVE-2016-1835 at SUSECVE-2016-1835 at NVDCVE-2016-1836 at SUSECVE-2016-1836 at NVDCVE-2016-1837 at SUSECVE-2016-1837 at NVDCVE-2016-1838 at SUSECVE-2016-1838 at NVDCVE-2016-1839 at SUSECVE-2016-1839 at NVDCVE-2016-1840 at SUSECVE-2016-1840 at NVDCVE-2016-3627 at SUSECVE-2016-3627 at NVDCVE-2016-3705 at SUSECVE-2016-3705 at NVDCVE-2016-4483 at SUSECVE-2016-4483 at NVDcpe:/o:suse:sles:12:sp3python-pyOpenSSL-16.0.0-2.3.2 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the python-pyOpenSSL-16.0.0-2.3.2 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-4314 at SUSECVE-2013-4314 at NVDcpe:/o:suse:sles:12:sp3python-pywbem-0.7.0-4.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the python-pywbem-0.7.0-4.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-6418 at SUSECVE-2013-6418 at NVDcpe:/o:suse:sles:12:sp3python-requests-2.8.1-6.16.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the python-requests-2.8.1-6.16.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-1829 at SUSECVE-2014-1829 at NVDCVE-2014-1830 at SUSECVE-2014-1830 at NVDCVE-2015-2296 at SUSECVE-2015-2296 at NVDcpe:/o:suse:sles:12:sp3python3-3.4.6-24.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the python3-3.4.6-24.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-4238 at SUSECVE-2013-4238 at NVDCVE-2014-4650 at SUSECVE-2014-4650 at NVDCVE-2016-0772 at SUSECVE-2016-0772 at NVDCVE-2016-1000110 at SUSECVE-2016-1000110 at NVDCVE-2016-5636 at SUSECVE-2016-5636 at NVDCVE-2016-5699 at SUSECVE-2016-5699 at NVDcpe:/o:suse:sles:12:sp3qemu-2.9.0-5.10 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the qemu-2.9.0-5.10 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2008-0928 at SUSECVE-2008-0928 at NVDCVE-2008-1945 at SUSECVE-2008-1945 at NVDCVE-2008-2382 at SUSECVE-2008-2382 at NVDCVE-2008-4539 at SUSECVE-2008-4539 at NVDCVE-2012-3515 at SUSECVE-2012-3515 at NVDCVE-2013-4148 at SUSECVE-2013-4148 at NVDCVE-2013-4149 at SUSECVE-2013-4149 at NVDCVE-2013-4150 at SUSECVE-2013-4150 at NVDCVE-2013-4151 at SUSECVE-2013-4151 at NVDCVE-2013-4526 at SUSECVE-2013-4526 at NVDCVE-2013-4527 at SUSECVE-2013-4527 at NVDCVE-2013-4529 at SUSECVE-2013-4529 at NVDCVE-2013-4530 at SUSECVE-2013-4530 at NVDCVE-2013-4531 at SUSECVE-2013-4531 at NVDCVE-2013-4533 at SUSECVE-2013-4533 at NVDCVE-2013-4534 at SUSECVE-2013-4534 at NVDCVE-2013-4535 at SUSECVE-2013-4535 at NVDCVE-2013-4536 at SUSECVE-2013-4536 at NVDCVE-2013-4537 at SUSECVE-2013-4537 at NVDCVE-2013-4538 at SUSECVE-2013-4538 at NVDCVE-2013-4539 at SUSECVE-2013-4539 at NVDCVE-2013-4540 at SUSECVE-2013-4540 at NVDCVE-2013-4541 at SUSECVE-2013-4541 at NVDCVE-2013-4542 at SUSECVE-2013-4542 at NVDCVE-2013-4544 at SUSECVE-2013-4544 at NVDCVE-2013-6399 at SUSECVE-2013-6399 at NVDCVE-2014-0142 at SUSECVE-2014-0142 at NVDCVE-2014-0143 at SUSECVE-2014-0143 at NVDCVE-2014-0144 at SUSECVE-2014-0144 at NVDCVE-2014-0145 at SUSECVE-2014-0145 at NVDCVE-2014-0146 at SUSECVE-2014-0146 at NVDCVE-2014-0147 at SUSECVE-2014-0147 at NVDCVE-2014-0150 at SUSECVE-2014-0150 at NVDCVE-2014-0182 at SUSECVE-2014-0182 at NVDCVE-2014-0222 at SUSECVE-2014-0222 at NVDCVE-2014-0223 at SUSECVE-2014-0223 at NVDCVE-2014-3461 at SUSECVE-2014-3461 at NVDCVE-2014-3640 at SUSECVE-2014-3640 at NVDCVE-2014-7840 at SUSECVE-2014-7840 at NVDCVE-2014-8106 at SUSECVE-2014-8106 at NVDCVE-2015-1779 at SUSECVE-2015-1779 at NVDCVE-2015-3209 at SUSECVE-2015-3209 at NVDCVE-2015-3456 at SUSECVE-2015-3456 at NVDCVE-2015-4037 at SUSECVE-2015-4037 at NVDCVE-2015-5154 at SUSECVE-2015-5154 at NVDCVE-2015-5225 at SUSECVE-2015-5225 at NVDCVE-2015-5278 at SUSECVE-2015-5278 at NVDCVE-2015-5279 at SUSECVE-2015-5279 at NVDCVE-2015-5745 at SUSECVE-2015-5745 at NVDCVE-2015-6815 at SUSECVE-2015-6815 at NVDCVE-2015-6855 at SUSECVE-2015-6855 at NVDCVE-2015-7295 at SUSECVE-2015-7295 at NVDCVE-2015-7512 at SUSECVE-2015-7512 at NVDCVE-2015-7549 at SUSECVE-2015-7549 at NVDCVE-2015-8345 at SUSECVE-2015-8345 at NVDCVE-2015-8504 at SUSECVE-2015-8504 at NVDCVE-2015-8558 at SUSECVE-2015-8558 at NVDCVE-2015-8567 at SUSECVE-2015-8567 at NVDCVE-2015-8568 at SUSECVE-2015-8568 at NVDCVE-2015-8613 at SUSECVE-2015-8613 at NVDCVE-2015-8619 at SUSECVE-2015-8619 at NVDCVE-2015-8743 at SUSECVE-2015-8743 at NVDCVE-2015-8744 at SUSECVE-2015-8744 at NVDCVE-2015-8745 at SUSECVE-2015-8745 at NVDCVE-2016-10028 at SUSECVE-2016-10028 at NVDCVE-2016-10155 at SUSECVE-2016-10155 at NVDCVE-2016-1568 at SUSECVE-2016-1568 at NVDCVE-2016-1714 at SUSECVE-2016-1714 at NVDCVE-2016-1922 at SUSECVE-2016-1922 at NVDCVE-2016-1981 at SUSECVE-2016-1981 at NVDCVE-2016-2198 at SUSECVE-2016-2198 at NVDCVE-2016-3710 at SUSECVE-2016-3710 at NVDCVE-2016-3712 at SUSECVE-2016-3712 at NVDCVE-2016-4002 at SUSECVE-2016-4002 at NVDCVE-2016-4020 at SUSECVE-2016-4020 at NVDCVE-2016-4439 at SUSECVE-2016-4439 at NVDCVE-2016-4441 at SUSECVE-2016-4441 at NVDCVE-2016-4453 at SUSECVE-2016-4453 at NVDCVE-2016-4454 at SUSECVE-2016-4454 at NVDCVE-2016-4952 at SUSECVE-2016-4952 at NVDCVE-2016-4964 at SUSECVE-2016-4964 at NVDCVE-2016-5105 at SUSECVE-2016-5105 at NVDCVE-2016-5106 at SUSECVE-2016-5106 at NVDCVE-2016-5107 at SUSECVE-2016-5107 at NVDCVE-2016-5126 at SUSECVE-2016-5126 at NVDCVE-2016-5238 at SUSECVE-2016-5238 at NVDCVE-2016-5337 at SUSECVE-2016-5337 at NVDCVE-2016-5338 at SUSECVE-2016-5338 at NVDCVE-2016-5403 at SUSECVE-2016-5403 at NVDCVE-2016-6351 at SUSECVE-2016-6351 at NVDCVE-2016-6490 at SUSECVE-2016-6490 at NVDCVE-2016-6833 at SUSECVE-2016-6833 at NVDCVE-2016-6836 at SUSECVE-2016-6836 at NVDCVE-2016-6888 at SUSECVE-2016-6888 at NVDCVE-2016-7116 at SUSECVE-2016-7116 at NVDCVE-2016-7155 at SUSECVE-2016-7155 at NVDCVE-2016-7156 at SUSECVE-2016-7156 at NVDCVE-2016-7157 at SUSECVE-2016-7157 at NVDCVE-2016-7161 at SUSECVE-2016-7161 at NVDCVE-2016-7170 at SUSECVE-2016-7170 at NVDCVE-2016-7421 at SUSECVE-2016-7421 at NVDCVE-2016-7422 at SUSECVE-2016-7422 at NVDCVE-2016-7423 at SUSECVE-2016-7423 at NVDCVE-2016-7466 at SUSECVE-2016-7466 at NVDCVE-2016-7907 at SUSECVE-2016-7907 at NVDCVE-2016-7908 at SUSECVE-2016-7908 at NVDCVE-2016-7909 at SUSECVE-2016-7909 at NVDCVE-2016-7994 at SUSECVE-2016-7994 at NVDCVE-2016-7995 at SUSECVE-2016-7995 at NVDCVE-2016-8576 at SUSECVE-2016-8576 at NVDCVE-2016-8577 at SUSECVE-2016-8577 at NVDCVE-2016-8578 at SUSECVE-2016-8578 at NVDCVE-2016-8667 at SUSECVE-2016-8667 at NVDCVE-2016-8668 at SUSECVE-2016-8668 at NVDCVE-2016-8669 at SUSECVE-2016-8669 at NVDCVE-2016-8909 at SUSECVE-2016-8909 at NVDCVE-2016-8910 at SUSECVE-2016-8910 at NVDCVE-2016-9101 at SUSECVE-2016-9101 at NVDCVE-2016-9102 at SUSECVE-2016-9102 at NVDCVE-2016-9103 at SUSECVE-2016-9103 at NVDCVE-2016-9104 at SUSECVE-2016-9104 at NVDCVE-2016-9105 at SUSECVE-2016-9105 at NVDCVE-2016-9106 at SUSECVE-2016-9106 at NVDCVE-2016-9381 at SUSECVE-2016-9381 at NVDCVE-2016-9602 at SUSECVE-2016-9602 at NVDCVE-2016-9776 at SUSECVE-2016-9776 at NVDCVE-2016-9845 at SUSECVE-2016-9845 at NVDCVE-2016-9846 at SUSECVE-2016-9846 at NVDCVE-2016-9907 at SUSECVE-2016-9907 at NVDCVE-2016-9908 at SUSECVE-2016-9908 at NVDCVE-2016-9911 at SUSECVE-2016-9911 at NVDCVE-2016-9912 at SUSECVE-2016-9912 at NVDCVE-2016-9913 at SUSECVE-2016-9913 at NVDCVE-2016-9921 at SUSECVE-2016-9921 at NVDCVE-2016-9922 at SUSECVE-2016-9922 at NVDCVE-2016-9923 at SUSECVE-2016-9923 at NVDCVE-2017-2615 at SUSECVE-2017-2615 at NVDCVE-2017-2620 at SUSECVE-2017-2620 at NVDCVE-2017-2630 at SUSECVE-2017-2630 at NVDCVE-2017-2633 at SUSECVE-2017-2633 at NVDCVE-2017-5525 at SUSECVE-2017-5525 at NVDCVE-2017-5526 at SUSECVE-2017-5526 at NVDCVE-2017-5552 at SUSECVE-2017-5552 at NVDCVE-2017-5578 at SUSECVE-2017-5578 at NVDCVE-2017-5579 at SUSECVE-2017-5579 at NVDCVE-2017-5667 at SUSECVE-2017-5667 at NVDCVE-2017-5856 at SUSECVE-2017-5856 at NVDCVE-2017-5857 at SUSECVE-2017-5857 at NVDCVE-2017-5898 at SUSECVE-2017-5898 at NVDCVE-2017-5931 at SUSECVE-2017-5931 at NVDCVE-2017-5973 at SUSECVE-2017-5973 at NVDCVE-2017-5987 at SUSECVE-2017-5987 at NVDCVE-2017-6058 at SUSECVE-2017-6058 at NVDCVE-2017-6505 at SUSECVE-2017-6505 at NVDCVE-2017-7471 at SUSECVE-2017-7471 at NVDCVE-2017-7493 at SUSECVE-2017-7493 at NVDCVE-2017-8112 at SUSECVE-2017-8112 at NVDCVE-2017-8309 at SUSECVE-2017-8309 at NVDCVE-2017-8379 at SUSECVE-2017-8379 at NVDCVE-2017-8380 at SUSECVE-2017-8380 at NVDCVE-2017-9503 at SUSECVE-2017-9503 at NVDCVE-2017-9524 at SUSECVE-2017-9524 at NVDcpe:/o:suse:sles:12:sp3quagga-0.99.22.1-15.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the quagga-0.99.22.1-15.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-1674 at SUSECVE-2010-1674 at NVDCVE-2010-1675 at SUSECVE-2010-1675 at NVDCVE-2016-1245 at SUSECVE-2016-1245 at NVDCVE-2016-2342 at SUSECVE-2016-2342 at NVDCVE-2016-4049 at SUSECVE-2016-4049 at NVDcpe:/o:suse:sles:12:sp3radvd-1.9.7-2.12 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the radvd-1.9.7-2.12 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-3602 at SUSECVE-2011-3602 at NVDcpe:/o:suse:sles:12:sp3res-signingkeys-3.0.25-48.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the res-signingkeys-3.0.25-48.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-3566 at SUSECVE-2014-3566 at NVDcpe:/o:suse:sles:12:sp3rpcbind-0.2.3-23.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the rpcbind-0.2.3-23.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-7236 at SUSECVE-2015-7236 at NVDCVE-2017-8779 at SUSECVE-2017-8779 at NVDcpe:/o:suse:sles:12:sp3rpm-32bit-4.11.2-15.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the rpm-32bit-4.11.2-15.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-6435 at SUSECVE-2013-6435 at NVDCVE-2014-8118 at SUSECVE-2014-8118 at NVDcpe:/o:suse:sles:12:sp3rrdtool-1.4.7-20.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the rrdtool-1.4.7-20.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-2131 at SUSECVE-2013-2131 at NVDcpe:/o:suse:sles:12:sp3rsync-3.1.0-12.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the rsync-3.1.0-12.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-1097 at SUSECVE-2011-1097 at NVDCVE-2014-2855 at SUSECVE-2014-2855 at NVDCVE-2014-8242 at SUSECVE-2014-8242 at NVDCVE-2014-9512 at SUSECVE-2014-9512 at NVDcpe:/o:suse:sles:12:sp3rsyslog-8.24.0-1.20 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the rsyslog-8.24.0-1.20 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-3200 at SUSECVE-2011-3200 at NVDCVE-2013-4758 at SUSECVE-2013-4758 at NVDCVE-2013-6370 at SUSECVE-2013-6370 at NVDCVE-2013-6371 at SUSECVE-2013-6371 at NVDCVE-2014-3634 at SUSECVE-2014-3634 at NVDCVE-2014-3683 at SUSECVE-2014-3683 at NVDcpe:/o:suse:sles:12:sp3rtkit-0.11_git201205151338-8.14 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the rtkit-0.11_git201205151338-8.14 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-4326 at SUSECVE-2013-4326 at NVDcpe:/o:suse:sles:12:sp3ruby-2.1-1.4 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the ruby-2.1-1.4 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-4492 at SUSECVE-2009-4492 at NVDCVE-2010-0541 at SUSECVE-2010-0541 at NVDCVE-2011-1004 at SUSECVE-2011-1004 at NVDCVE-2011-1005 at SUSECVE-2011-1005 at NVDCVE-2011-4815 at SUSECVE-2011-4815 at NVDcpe:/o:suse:sles:12:sp3sane-backends-1.0.24-3.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the sane-backends-1.0.24-3.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2017-6318 at SUSECVE-2017-6318 at NVDcpe:/o:suse:sles:12:sp3sblim-sfcb-1.4.8-16.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the sblim-sfcb-1.4.8-16.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-5185 at SUSECVE-2015-5185 at NVDcpe:/o:suse:sles:12:sp3shim-0.9-23.14 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the shim-0.9-23.14 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-3675 at SUSECVE-2014-3675 at NVDCVE-2014-3676 at SUSECVE-2014-3676 at NVDCVE-2014-3677 at SUSECVE-2014-3677 at NVDcpe:/o:suse:sles:12:sp3socat-1.7.2.4-3.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the socat-1.7.2.4-3.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-3571 at SUSECVE-2013-3571 at NVDCVE-2014-0019 at SUSECVE-2014-0019 at NVDCVE-2015-4000 at SUSECVE-2015-4000 at NVDcpe:/o:suse:sles:12:sp3squashfs-4.3-6.2 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the squashfs-4.3-6.2 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-4024 at SUSECVE-2012-4024 at NVDCVE-2012-4025 at SUSECVE-2012-4025 at NVDcpe:/o:suse:sles:12:sp3squid-3.5.21-25.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the squid-3.5.21-25.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-5643 at SUSECVE-2012-5643 at NVDCVE-2014-7141 at SUSECVE-2014-7141 at NVDCVE-2014-7142 at SUSECVE-2014-7142 at NVDCVE-2014-9749 at SUSECVE-2014-9749 at NVDCVE-2015-5400 at SUSECVE-2015-5400 at NVDCVE-2016-10002 at SUSECVE-2016-10002 at NVDCVE-2016-10003 at SUSECVE-2016-10003 at NVDCVE-2016-2390 at SUSECVE-2016-2390 at NVDCVE-2016-2569 at SUSECVE-2016-2569 at NVDCVE-2016-2570 at SUSECVE-2016-2570 at NVDCVE-2016-2571 at SUSECVE-2016-2571 at NVDCVE-2016-2572 at SUSECVE-2016-2572 at NVDCVE-2016-3947 at SUSECVE-2016-3947 at NVDCVE-2016-3948 at SUSECVE-2016-3948 at NVDCVE-2016-4051 at SUSECVE-2016-4051 at NVDCVE-2016-4052 at SUSECVE-2016-4052 at NVDCVE-2016-4053 at SUSECVE-2016-4053 at NVDCVE-2016-4054 at SUSECVE-2016-4054 at NVDCVE-2016-4553 at SUSECVE-2016-4553 at NVDCVE-2016-4554 at SUSECVE-2016-4554 at NVDCVE-2016-4555 at SUSECVE-2016-4555 at NVDCVE-2016-4556 at SUSECVE-2016-4556 at NVDcpe:/o:suse:sles:12:sp3squidGuard-1.4-29.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the squidGuard-1.4-29.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-3700 at SUSECVE-2009-3700 at NVDCVE-2009-3826 at SUSECVE-2009-3826 at NVDCVE-2015-8936 at SUSECVE-2015-8936 at NVDcpe:/o:suse:sles:12:sp3strongswan-5.1.3-25.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the strongswan-5.1.3-25.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-0790 at SUSECVE-2009-0790 at NVDCVE-2012-2388 at SUSECVE-2012-2388 at NVDCVE-2013-2944 at SUSECVE-2013-2944 at NVDCVE-2013-5018 at SUSECVE-2013-5018 at NVDCVE-2013-6075 at SUSECVE-2013-6075 at NVDCVE-2013-6076 at SUSECVE-2013-6076 at NVDCVE-2014-2338 at SUSECVE-2014-2338 at NVDCVE-2014-9221 at SUSECVE-2014-9221 at NVDCVE-2015-4171 at SUSECVE-2015-4171 at NVDCVE-2015-8023 at SUSECVE-2015-8023 at NVDCVE-2017-9022 at SUSECVE-2017-9022 at NVDCVE-2017-9023 at SUSECVE-2017-9023 at NVDcpe:/o:suse:sles:12:sp3stunnel-5.00-3.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the stunnel-5.00-3.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-1762 at SUSECVE-2013-1762 at NVDCVE-2014-0016 at SUSECVE-2014-0016 at NVDCVE-2015-3644 at SUSECVE-2015-3644 at NVDcpe:/o:suse:sles:12:sp3sudo-1.8.20p2-1.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the sudo-1.8.20p2-1.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-1163 at SUSECVE-2010-1163 at NVDCVE-2010-1646 at SUSECVE-2010-1646 at NVDCVE-2011-0010 at SUSECVE-2011-0010 at NVDCVE-2012-2337 at SUSECVE-2012-2337 at NVDCVE-2013-1775 at SUSECVE-2013-1775 at NVDCVE-2013-1776 at SUSECVE-2013-1776 at NVDCVE-2014-9680 at SUSECVE-2014-9680 at NVDCVE-2016-7032 at SUSECVE-2016-7032 at NVDCVE-2016-7076 at SUSECVE-2016-7076 at NVDCVE-2017-1000367 at SUSECVE-2017-1000367 at NVDCVE-2017-1000368 at SUSECVE-2017-1000368 at NVDcpe:/o:suse:sles:12:sp3supportutils-3.0-94.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the supportutils-3.0-94.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-1602 at SUSECVE-2016-1602 at NVDcpe:/o:suse:sles:12:sp3sysconfig-0.84.0-13.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the sysconfig-0.84.0-13.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-4182 at SUSECVE-2011-4182 at NVDcpe:/o:suse:sles:12:sp3syslog-service-2.0-778.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the syslog-service-2.0-778.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-3634 at SUSECVE-2014-3634 at NVDcpe:/o:suse:sles:12:sp3systemtap-3.0-10.15 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the systemtap-3.0-10.15 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2009-2911 at SUSECVE-2009-2911 at NVDCVE-2009-4273 at SUSECVE-2009-4273 at NVDCVE-2010-0411 at SUSECVE-2010-0411 at NVDCVE-2010-0412 at SUSECVE-2010-0412 at NVDcpe:/o:suse:sles:12:sp3sysvinit-tools-2.88+-99.15 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the sysvinit-tools-2.88+-99.15 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-2483 at SUSECVE-2011-2483 at NVDcpe:/o:suse:sles:12:sp3tar-1.27.1-14.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the tar-1.27.1-14.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-0624 at SUSECVE-2010-0624 at NVDCVE-2016-6321 at SUSECVE-2016-6321 at NVDcpe:/o:suse:sles:12:sp3tcpdump-4.9.0-13.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the tcpdump-4.9.0-13.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-8767 at SUSECVE-2014-8767 at NVDCVE-2014-8768 at SUSECVE-2014-8768 at NVDCVE-2014-8769 at SUSECVE-2014-8769 at NVDCVE-2014-9140 at SUSECVE-2014-9140 at NVDCVE-2015-0261 at SUSECVE-2015-0261 at NVDCVE-2015-2153 at SUSECVE-2015-2153 at NVDCVE-2015-2154 at SUSECVE-2015-2154 at NVDCVE-2015-2155 at SUSECVE-2015-2155 at NVDCVE-2015-3138 at SUSECVE-2015-3138 at NVDCVE-2016-7922 at SUSECVE-2016-7922 at NVDCVE-2016-7923 at SUSECVE-2016-7923 at NVDCVE-2016-7924 at SUSECVE-2016-7924 at NVDCVE-2016-7925 at SUSECVE-2016-7925 at NVDCVE-2016-7926 at SUSECVE-2016-7926 at NVDCVE-2016-7927 at SUSECVE-2016-7927 at NVDCVE-2016-7928 at SUSECVE-2016-7928 at NVDCVE-2016-7929 at SUSECVE-2016-7929 at NVDCVE-2016-7930 at SUSECVE-2016-7930 at NVDCVE-2016-7931 at SUSECVE-2016-7931 at NVDCVE-2016-7932 at SUSECVE-2016-7932 at NVDCVE-2016-7933 at SUSECVE-2016-7933 at NVDCVE-2016-7934 at SUSECVE-2016-7934 at NVDCVE-2016-7935 at SUSECVE-2016-7935 at NVDCVE-2016-7936 at SUSECVE-2016-7936 at NVDCVE-2016-7937 at SUSECVE-2016-7937 at NVDCVE-2016-7938 at SUSECVE-2016-7938 at NVDCVE-2016-7939 at SUSECVE-2016-7939 at NVDCVE-2016-7940 at SUSECVE-2016-7940 at NVDCVE-2016-7973 at SUSECVE-2016-7973 at NVDCVE-2016-7974 at SUSECVE-2016-7974 at NVDCVE-2016-7975 at SUSECVE-2016-7975 at NVDCVE-2016-7983 at SUSECVE-2016-7983 at NVDCVE-2016-7984 at SUSECVE-2016-7984 at NVDCVE-2016-7985 at SUSECVE-2016-7985 at NVDCVE-2016-7986 at SUSECVE-2016-7986 at NVDCVE-2016-7992 at SUSECVE-2016-7992 at NVDCVE-2016-7993 at SUSECVE-2016-7993 at NVDCVE-2016-8574 at SUSECVE-2016-8574 at NVDCVE-2016-8575 at SUSECVE-2016-8575 at NVDCVE-2017-5202 at SUSECVE-2017-5202 at NVDCVE-2017-5203 at SUSECVE-2017-5203 at NVDCVE-2017-5204 at SUSECVE-2017-5204 at NVDCVE-2017-5205 at SUSECVE-2017-5205 at NVDCVE-2017-5341 at SUSECVE-2017-5341 at NVDCVE-2017-5342 at SUSECVE-2017-5342 at NVDCVE-2017-5482 at SUSECVE-2017-5482 at NVDCVE-2017-5483 at SUSECVE-2017-5483 at NVDCVE-2017-5484 at SUSECVE-2017-5484 at NVDCVE-2017-5485 at SUSECVE-2017-5485 at NVDCVE-2017-5486 at SUSECVE-2017-5486 at NVDcpe:/o:suse:sles:12:sp3tftp-5.2-10.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the tftp-5.2-10.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-2199 at SUSECVE-2011-2199 at NVDcpe:/o:suse:sles:12:sp3tomcat-8.0.43-23.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the tomcat-8.0.43-23.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-1976 at SUSECVE-2013-1976 at NVDCVE-2014-0050 at SUSECVE-2014-0050 at NVDCVE-2015-5174 at SUSECVE-2015-5174 at NVDCVE-2015-5345 at SUSECVE-2015-5345 at NVDCVE-2015-5346 at SUSECVE-2015-5346 at NVDCVE-2015-5351 at SUSECVE-2015-5351 at NVDCVE-2016-0706 at SUSECVE-2016-0706 at NVDCVE-2016-0714 at SUSECVE-2016-0714 at NVDCVE-2016-0762 at SUSECVE-2016-0762 at NVDCVE-2016-0763 at SUSECVE-2016-0763 at NVDCVE-2016-3092 at SUSECVE-2016-3092 at NVDCVE-2016-5018 at SUSECVE-2016-5018 at NVDCVE-2016-6794 at SUSECVE-2016-6794 at NVDCVE-2016-6796 at SUSECVE-2016-6796 at NVDCVE-2016-6797 at SUSECVE-2016-6797 at NVDCVE-2016-6816 at SUSECVE-2016-6816 at NVDCVE-2016-8735 at SUSECVE-2016-8735 at NVDCVE-2016-8745 at SUSECVE-2016-8745 at NVDCVE-2017-5647 at SUSECVE-2017-5647 at NVDCVE-2017-5648 at SUSECVE-2017-5648 at NVDcpe:/o:suse:sles:12:sp3tpm2.0-tools-2.0.0-2.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the tpm2.0-tools-2.0.0-2.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2017-7524 at SUSECVE-2017-7524 at NVDcpe:/o:suse:sles:12:sp3unixODBC-2.3.4-6.5 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the unixODBC-2.3.4-6.5 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-1145 at SUSECVE-2011-1145 at NVDcpe:/o:suse:sles:12:sp3unrar-5.0.14-3.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the unrar-5.0.14-3.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-6706 at SUSECVE-2012-6706 at NVDcpe:/o:suse:sles:12:sp3unzip-6.00-32.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the unzip-6.00-32.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-8139 at SUSECVE-2014-8139 at NVDCVE-2014-8140 at SUSECVE-2014-8140 at NVDCVE-2014-8141 at SUSECVE-2014-8141 at NVDCVE-2014-9636 at SUSECVE-2014-9636 at NVDcpe:/o:suse:sles:12:sp3update-alternatives-1.18.4-14.216 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the update-alternatives-1.18.4-14.216 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-0840 at SUSECVE-2015-0840 at NVDcpe:/o:suse:sles:12:sp3vino-3.20.2-5.8 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the vino-3.20.2-5.8 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-0904 at SUSECVE-2011-0904 at NVDCVE-2011-0905 at SUSECVE-2011-0905 at NVDCVE-2011-1164 at SUSECVE-2011-1164 at NVDcpe:/o:suse:sles:12:sp3vorbis-tools-1.4.0-26.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the vorbis-tools-1.4.0-26.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2008-1686 at SUSECVE-2008-1686 at NVDCVE-2014-9638 at SUSECVE-2014-9638 at NVDCVE-2014-9639 at SUSECVE-2014-9639 at NVDCVE-2014-9640 at SUSECVE-2014-9640 at NVDCVE-2015-6749 at SUSECVE-2015-6749 at NVDcpe:/o:suse:sles:12:sp3vsftpd-3.0.2-39.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the vsftpd-3.0.2-39.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-1419 at SUSECVE-2015-1419 at NVDcpe:/o:suse:sles:12:sp3w3m-0.5.3.git20161120-160.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the w3m-0.5.3.git20161120-160.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-2074 at SUSECVE-2010-2074 at NVDCVE-2012-4929 at SUSECVE-2012-4929 at NVDCVE-2016-9434 at SUSECVE-2016-9434 at NVDCVE-2016-9435 at SUSECVE-2016-9435 at NVDCVE-2016-9436 at SUSECVE-2016-9436 at NVDCVE-2016-9437 at SUSECVE-2016-9437 at NVDCVE-2016-9438 at SUSECVE-2016-9438 at NVDCVE-2016-9439 at SUSECVE-2016-9439 at NVDCVE-2016-9440 at SUSECVE-2016-9440 at NVDCVE-2016-9441 at SUSECVE-2016-9441 at NVDCVE-2016-9442 at SUSECVE-2016-9442 at NVDCVE-2016-9443 at SUSECVE-2016-9443 at NVDCVE-2016-9621 at SUSECVE-2016-9621 at NVDCVE-2016-9622 at SUSECVE-2016-9622 at NVDCVE-2016-9623 at SUSECVE-2016-9623 at NVDCVE-2016-9624 at SUSECVE-2016-9624 at NVDCVE-2016-9625 at SUSECVE-2016-9625 at NVDCVE-2016-9626 at SUSECVE-2016-9626 at NVDCVE-2016-9627 at SUSECVE-2016-9627 at NVDCVE-2016-9628 at SUSECVE-2016-9628 at NVDCVE-2016-9629 at SUSECVE-2016-9629 at NVDCVE-2016-9630 at SUSECVE-2016-9630 at NVDCVE-2016-9631 at SUSECVE-2016-9631 at NVDCVE-2016-9632 at SUSECVE-2016-9632 at NVDCVE-2016-9633 at SUSECVE-2016-9633 at NVDcpe:/o:suse:sles:12:sp3wget-1.14-20.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the wget-1.14-20.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-2252 at SUSECVE-2010-2252 at NVDCVE-2012-4929 at SUSECVE-2012-4929 at NVDCVE-2014-4877 at SUSECVE-2014-4877 at NVDCVE-2015-2059 at SUSECVE-2015-2059 at NVDCVE-2016-4971 at SUSECVE-2016-4971 at NVDCVE-2016-7098 at SUSECVE-2016-7098 at NVDCVE-2017-6508 at SUSECVE-2017-6508 at NVDcpe:/o:suse:sles:12:sp3wpa_supplicant-2.2-14.2 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the wpa_supplicant-2.2-14.2 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-3686 at SUSECVE-2014-3686 at NVDCVE-2015-0210 at SUSECVE-2015-0210 at NVDCVE-2015-1863 at SUSECVE-2015-1863 at NVDCVE-2015-4141 at SUSECVE-2015-4141 at NVDCVE-2015-4142 at SUSECVE-2015-4142 at NVDCVE-2015-4143 at SUSECVE-2015-4143 at NVDCVE-2015-5130 at SUSECVE-2015-5130 at NVDCVE-2015-5310 at SUSECVE-2015-5310 at NVDCVE-2015-8041 at SUSECVE-2015-8041 at NVDcpe:/o:suse:sles:12:sp3xalan-j2-2.7.0-264.133 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the xalan-j2-2.7.0-264.133 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-0107 at SUSECVE-2014-0107 at NVDcpe:/o:suse:sles:12:sp3xdg-utils-20140630-5.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the xdg-utils-20140630-5.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-9622 at SUSECVE-2014-9622 at NVDcpe:/o:suse:sles:12:sp3xen-4.9.0_08-2.2 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the xen-4.9.0_08-2.2 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-1898 at SUSECVE-2011-1898 at NVDCVE-2012-0029 at SUSECVE-2012-0029 at NVDCVE-2012-0217 at SUSECVE-2012-0217 at NVDCVE-2012-2625 at SUSECVE-2012-2625 at NVDCVE-2012-3432 at SUSECVE-2012-3432 at NVDCVE-2012-3433 at SUSECVE-2012-3433 at NVDCVE-2012-4411 at SUSECVE-2012-4411 at NVDCVE-2012-4535 at SUSECVE-2012-4535 at NVDCVE-2012-4536 at SUSECVE-2012-4536 at NVDCVE-2012-4537 at SUSECVE-2012-4537 at NVDCVE-2012-4538 at SUSECVE-2012-4538 at NVDCVE-2012-4539 at SUSECVE-2012-4539 at NVDCVE-2012-4544 at SUSECVE-2012-4544 at NVDCVE-2012-5510 at SUSECVE-2012-5510 at NVDCVE-2012-5511 at SUSECVE-2012-5511 at NVDCVE-2012-5513 at SUSECVE-2012-5513 at NVDCVE-2012-5514 at SUSECVE-2012-5514 at NVDCVE-2012-5515 at SUSECVE-2012-5515 at NVDCVE-2012-5525 at SUSECVE-2012-5525 at NVDCVE-2012-5634 at SUSECVE-2012-5634 at NVDCVE-2012-6075 at SUSECVE-2012-6075 at NVDCVE-2013-0151 at SUSECVE-2013-0151 at NVDCVE-2013-0152 at SUSECVE-2013-0152 at NVDCVE-2013-0153 at SUSECVE-2013-0153 at NVDCVE-2013-1442 at SUSECVE-2013-1442 at NVDCVE-2013-1917 at SUSECVE-2013-1917 at NVDCVE-2013-1918 at SUSECVE-2013-1918 at NVDCVE-2013-1919 at SUSECVE-2013-1919 at NVDCVE-2013-1922 at SUSECVE-2013-1922 at NVDCVE-2013-1952 at SUSECVE-2013-1952 at NVDCVE-2013-2007 at SUSECVE-2013-2007 at NVDCVE-2013-3495 at SUSECVE-2013-3495 at NVDCVE-2013-4355 at SUSECVE-2013-4355 at NVDCVE-2013-4356 at SUSECVE-2013-4356 at NVDCVE-2013-4361 at SUSECVE-2013-4361 at NVDCVE-2013-4375 at SUSECVE-2013-4375 at NVDCVE-2013-4416 at SUSECVE-2013-4416 at NVDCVE-2013-4494 at SUSECVE-2013-4494 at NVDCVE-2013-4533 at SUSECVE-2013-4533 at NVDCVE-2013-4534 at SUSECVE-2013-4534 at NVDCVE-2013-4537 at SUSECVE-2013-4537 at NVDCVE-2013-4538 at SUSECVE-2013-4538 at NVDCVE-2013-4539 at SUSECVE-2013-4539 at NVDCVE-2013-4540 at SUSECVE-2013-4540 at NVDCVE-2013-4551 at SUSECVE-2013-4551 at NVDCVE-2013-4553 at SUSECVE-2013-4553 at NVDCVE-2013-4554 at SUSECVE-2013-4554 at NVDCVE-2014-0222 at SUSECVE-2014-0222 at NVDCVE-2014-3124 at SUSECVE-2014-3124 at NVDCVE-2014-3640 at SUSECVE-2014-3640 at NVDCVE-2014-3672 at SUSECVE-2014-3672 at NVDCVE-2014-5146 at SUSECVE-2014-5146 at NVDCVE-2014-5149 at SUSECVE-2014-5149 at NVDCVE-2014-6268 at SUSECVE-2014-6268 at NVDCVE-2014-7154 at SUSECVE-2014-7154 at NVDCVE-2014-7155 at SUSECVE-2014-7155 at NVDCVE-2014-7156 at SUSECVE-2014-7156 at NVDCVE-2014-7188 at SUSECVE-2014-7188 at NVDCVE-2014-7815 at SUSECVE-2014-7815 at NVDCVE-2015-1779 at SUSECVE-2015-1779 at NVDCVE-2015-3259 at SUSECVE-2015-3259 at NVDCVE-2015-3340 at SUSECVE-2015-3340 at NVDCVE-2015-3456 at SUSECVE-2015-3456 at NVDCVE-2015-4037 at SUSECVE-2015-4037 at NVDCVE-2015-4103 at SUSECVE-2015-4103 at NVDCVE-2015-4104 at SUSECVE-2015-4104 at NVDCVE-2015-4105 at SUSECVE-2015-4105 at NVDCVE-2015-4106 at SUSECVE-2015-4106 at NVDCVE-2015-5154 at SUSECVE-2015-5154 at NVDCVE-2015-5239 at SUSECVE-2015-5239 at NVDCVE-2015-5278 at SUSECVE-2015-5278 at NVDCVE-2015-5307 at SUSECVE-2015-5307 at NVDCVE-2015-6815 at SUSECVE-2015-6815 at NVDCVE-2015-6855 at SUSECVE-2015-6855 at NVDCVE-2015-7311 at SUSECVE-2015-7311 at NVDCVE-2015-7504 at SUSECVE-2015-7504 at NVDCVE-2015-7512 at SUSECVE-2015-7512 at NVDCVE-2015-7549 at SUSECVE-2015-7549 at NVDCVE-2015-7835 at SUSECVE-2015-7835 at NVDCVE-2015-7969 at SUSECVE-2015-7969 at NVDCVE-2015-7970 at SUSECVE-2015-7970 at NVDCVE-2015-7971 at SUSECVE-2015-7971 at NVDCVE-2015-7972 at SUSECVE-2015-7972 at NVDCVE-2015-8104 at SUSECVE-2015-8104 at NVDCVE-2015-8339 at SUSECVE-2015-8339 at NVDCVE-2015-8340 at SUSECVE-2015-8340 at NVDCVE-2015-8341 at SUSECVE-2015-8341 at NVDCVE-2015-8345 at SUSECVE-2015-8345 at NVDCVE-2015-8504 at SUSECVE-2015-8504 at NVDCVE-2015-8550 at SUSECVE-2015-8550 at NVDCVE-2015-8554 at SUSECVE-2015-8554 at NVDCVE-2015-8555 at SUSECVE-2015-8555 at NVDCVE-2015-8558 at SUSECVE-2015-8558 at NVDCVE-2015-8567 at SUSECVE-2015-8567 at NVDCVE-2015-8568 at SUSECVE-2015-8568 at NVDCVE-2015-8613 at SUSECVE-2015-8613 at NVDCVE-2015-8615 at SUSECVE-2015-8615 at NVDCVE-2015-8619 at SUSECVE-2015-8619 at NVDCVE-2015-8743 at SUSECVE-2015-8743 at NVDCVE-2015-8744 at SUSECVE-2015-8744 at NVDCVE-2015-8745 at SUSECVE-2015-8745 at NVDCVE-2016-10013 at SUSECVE-2016-10013 at NVDCVE-2016-10024 at SUSECVE-2016-10024 at NVDCVE-2016-10025 at SUSECVE-2016-10025 at NVDCVE-2016-1568 at SUSECVE-2016-1568 at NVDCVE-2016-1570 at SUSECVE-2016-1570 at NVDCVE-2016-1571 at SUSECVE-2016-1571 at NVDCVE-2016-1714 at SUSECVE-2016-1714 at NVDCVE-2016-1922 at SUSECVE-2016-1922 at NVDCVE-2016-1981 at SUSECVE-2016-1981 at NVDCVE-2016-2198 at SUSECVE-2016-2198 at NVDCVE-2016-2270 at SUSECVE-2016-2270 at NVDCVE-2016-2271 at SUSECVE-2016-2271 at NVDCVE-2016-2391 at SUSECVE-2016-2391 at NVDCVE-2016-2392 at SUSECVE-2016-2392 at NVDCVE-2016-2538 at SUSECVE-2016-2538 at NVDCVE-2016-2841 at SUSECVE-2016-2841 at NVDCVE-2016-4439 at SUSECVE-2016-4439 at NVDCVE-2016-4441 at SUSECVE-2016-4441 at NVDCVE-2016-5238 at SUSECVE-2016-5238 at NVDCVE-2016-5338 at SUSECVE-2016-5338 at NVDCVE-2016-6258 at SUSECVE-2016-6258 at NVDCVE-2016-6259 at SUSECVE-2016-6259 at NVDCVE-2016-6351 at SUSECVE-2016-6351 at NVDCVE-2016-7092 at SUSECVE-2016-7092 at NVDCVE-2016-7093 at SUSECVE-2016-7093 at NVDCVE-2016-7094 at SUSECVE-2016-7094 at NVDCVE-2016-7777 at SUSECVE-2016-7777 at NVDCVE-2016-7908 at SUSECVE-2016-7908 at NVDCVE-2016-7909 at SUSECVE-2016-7909 at NVDCVE-2016-8667 at SUSECVE-2016-8667 at NVDCVE-2016-8669 at SUSECVE-2016-8669 at NVDCVE-2016-8910 at SUSECVE-2016-8910 at NVDCVE-2016-9377 at SUSECVE-2016-9377 at NVDCVE-2016-9378 at SUSECVE-2016-9378 at NVDCVE-2016-9379 at SUSECVE-2016-9379 at NVDCVE-2016-9380 at SUSECVE-2016-9380 at NVDCVE-2016-9381 at SUSECVE-2016-9381 at NVDCVE-2016-9382 at SUSECVE-2016-9382 at NVDCVE-2016-9383 at SUSECVE-2016-9383 at NVDCVE-2016-9384 at SUSECVE-2016-9384 at NVDCVE-2016-9385 at SUSECVE-2016-9385 at NVDCVE-2016-9386 at SUSECVE-2016-9386 at NVDCVE-2016-9637 at SUSECVE-2016-9637 at NVDCVE-2016-9921 at SUSECVE-2016-9921 at NVDCVE-2016-9922 at SUSECVE-2016-9922 at NVDCVE-2016-9932 at SUSECVE-2016-9932 at NVDCVE-2017-2615 at SUSECVE-2017-2615 at NVDCVE-2017-2620 at SUSECVE-2017-2620 at NVDCVE-2017-6505 at SUSECVE-2017-6505 at NVDCVE-2017-8309 at SUSECVE-2017-8309 at NVDCVE-2017-9330 at SUSECVE-2017-9330 at NVDcpe:/o:suse:sles:12:sp3xf86-video-intel-2.99.917.770_gcb6ba2da-1.23 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the xf86-video-intel-2.99.917.770_gcb6ba2da-1.23 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2014-4910 at SUSECVE-2014-4910 at NVDcpe:/o:suse:sles:12:sp3xfsprogs-4.3.0-12.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the xfsprogs-4.3.0-12.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-2150 at SUSECVE-2012-2150 at NVDcpe:/o:suse:sles:12:sp3xinetd-2.3.15-7.3 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the xinetd-2.3.15-7.3 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2012-0862 at SUSECVE-2012-0862 at NVDCVE-2013-4342 at SUSECVE-2013-4342 at NVDcpe:/o:suse:sles:12:sp3xlockmore-5.43-5.30 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the xlockmore-5.43-5.30 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2013-4143 at SUSECVE-2013-4143 at NVDcpe:/o:suse:sles:12:sp3xorg-x11-7.6_1-14.17 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the xorg-x11-7.6_1-14.17 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-0465 at SUSECVE-2011-0465 at NVDcpe:/o:suse:sles:12:sp3xorg-x11-libs-7.6-45.14 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the xorg-x11-libs-7.6-45.14 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-2895 at SUSECVE-2011-2895 at NVDcpe:/o:suse:sles:12:sp3xorg-x11-server-7.6_1.18.3-71.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the xorg-x11-server-7.6_1.18.3-71.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2010-2240 at SUSECVE-2010-2240 at NVDCVE-2013-1940 at SUSECVE-2013-1940 at NVDCVE-2013-4396 at SUSECVE-2013-4396 at NVDCVE-2013-6424 at SUSECVE-2013-6424 at NVDCVE-2014-8091 at SUSECVE-2014-8091 at NVDCVE-2014-8092 at SUSECVE-2014-8092 at NVDCVE-2014-8093 at SUSECVE-2014-8093 at NVDCVE-2014-8094 at SUSECVE-2014-8094 at NVDCVE-2014-8095 at SUSECVE-2014-8095 at NVDCVE-2014-8096 at SUSECVE-2014-8096 at NVDCVE-2014-8097 at SUSECVE-2014-8097 at NVDCVE-2014-8098 at SUSECVE-2014-8098 at NVDCVE-2014-8099 at SUSECVE-2014-8099 at NVDCVE-2014-8100 at SUSECVE-2014-8100 at NVDCVE-2014-8101 at SUSECVE-2014-8101 at NVDCVE-2014-8102 at SUSECVE-2014-8102 at NVDCVE-2014-8103 at SUSECVE-2014-8103 at NVDCVE-2015-0255 at SUSECVE-2015-0255 at NVDCVE-2015-3164 at SUSECVE-2015-3164 at NVDCVE-2015-3418 at SUSECVE-2015-3418 at NVDCVE-2017-2624 at SUSECVE-2017-2624 at NVDcpe:/o:suse:sles:12:sp3xscreensaver-5.22-7.1 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the xscreensaver-5.22-7.1 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2015-8025 at SUSECVE-2015-8025 at NVDcpe:/o:suse:sles:12:sp3yast2-3.2.36-1.11 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the yast2-3.2.36-1.11 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-3177 at SUSECVE-2011-3177 at NVDcpe:/o:suse:sles:12:sp3yast2-core-3.2.2-1.29 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the yast2-core-3.2.2-1.29 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2011-2483 at SUSECVE-2011-2483 at NVDCVE-2011-3177 at SUSECVE-2011-3177 at NVDcpe:/o:suse:sles:12:sp3yast2-users-3.2.11-1.47 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the yast2-users-3.2.11-1.47 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2016-1601 at SUSECVE-2016-1601 at NVDcpe:/o:suse:sles:12:sp3zoo-2.10-1020.56 on GA media (Moderate)SUSE Linux Enterprise Server 12 SP3
These are all security issues fixed in the zoo-2.10-1020.56 package on the GA media of SUSE Linux Enterprise Server 12 SP3. ModerateCVE-2006-0855 at SUSECVE-2006-0855 at NVDCVE-2007-1669 at SUSECVE-2007-1669 at NVDcpe:/o:suse:sles:12:sp3Security update for git (Important)SUSE OpenStack Cloud 8
This update for git fixes several issues.
These security issues were fixed:
- CVE-2018-11233: Path sanity-checks on NTFS allowed attackers to read arbitrary memory (bsc#1095218)
- CVE-2018-11235: Arbitrary code execution when recursively cloning a malicious repository (bsc#1095219)
ImportantSUSE bug 1095218SUSE bug 1095219CVE-2018-11233 at SUSECVE-2018-11233 at NVDCVE-2018-11235 at SUSECVE-2018-11235 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for pdns (Moderate)SUSE OpenStack Cloud 8
This update for pdns fixes the following issues:
Security issues fixed:
- CVE-2018-1046: Fix an issue with replaying a specially crafted PCAP file that can trigger a stack-based buffer overflow, leading to a crash and potentially arbitrary code execution (bsc#1092540).
ModerateSUSE bug 1092540CVE-2018-1046 at SUSECVE-2018-1046 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for slf4j (Important)SUSE OpenStack Cloud 8
This update for slf4j fixes the following issues:
- CVE-2018-8088: Disallow EventData deserialization by default to avoid arbitrary code execution using serialized data (bsc#1085970)
ImportantSUSE bug 1085970CVE-2018-8088 at SUSECVE-2018-8088 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for cobbler (Moderate)SUSE OpenStack Cloud 8
This update for cobbler fixes the following issues:
The following security issue has been fixed:
- CVE-2017-1000469: Escape shell parameters provided by the user for the reposync action. (bsc#1074594)
Additionally, the following non-security issues have been fixed:
- Fix signature for SLES15. (bsc#1075014)
- Detect if there is already another instance of 'cobbler sync' running and exit with failure if so. (bsc#1081714)
- Add SLES 15 distro profile. (bsc#1090205)
- Require tftp(server) instead of atftp.
ModerateSUSE bug 1074594SUSE bug 1075014SUSE bug 1081714SUSE bug 1090205CVE-2017-1000469 at SUSECVE-2017-1000469 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for mariadb, mariadb-connector-c, xtrabackup (Important)SUSE OpenStack Cloud 8
This MariaDB update to version 10.2.15 brings the following fixes and improvements.
Security issues:
- CVE-2018-2767: The embedded server library now supports SSL when connecting to remote servers (bsc#1088681).
- Collected CVEs fixes:
* 10.2.15: CVE-2018-2786, CVE-2018-2759, CVE-2018-2777, CVE-2018-2810,
CVE-2018-2782, CVE-2018-2784, CVE-2018-2787, CVE-2018-2766,
CVE-2018-2755, CVE-2018-2819, CVE-2018-2817, CVE-2018-2761,
CVE-2018-2781, CVE-2018-2771, CVE-2018-2813
Bugfixes:
- bsc#1092544: Update suse_skipped_tests.list and add tests that are failing with GCC 8.
- bsc#1080891: Compile option DWITH_SYSTEMD=ON is no longer needed - systemd is detected automatically.
ImportantSUSE bug 1080891SUSE bug 1082318SUSE bug 1088681SUSE bug 1092544CVE-2018-2755 at SUSECVE-2018-2755 at NVDCVE-2018-2759 at SUSECVE-2018-2759 at NVDCVE-2018-2761 at SUSECVE-2018-2761 at NVDCVE-2018-2766 at SUSECVE-2018-2766 at NVDCVE-2018-2767 at SUSECVE-2018-2767 at NVDCVE-2018-2771 at SUSECVE-2018-2771 at NVDCVE-2018-2777 at SUSECVE-2018-2777 at NVDCVE-2018-2781 at SUSECVE-2018-2781 at NVDCVE-2018-2782 at SUSECVE-2018-2782 at NVDCVE-2018-2784 at SUSECVE-2018-2784 at NVDCVE-2018-2786 at SUSECVE-2018-2786 at NVDCVE-2018-2787 at SUSECVE-2018-2787 at NVDCVE-2018-2810 at SUSECVE-2018-2810 at NVDCVE-2018-2813 at SUSECVE-2018-2813 at NVDCVE-2018-2817 at SUSECVE-2018-2817 at NVDCVE-2018-2819 at SUSECVE-2018-2819 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for grafana, kafka, logstash, openstack-monasca-installer (Moderate)SUSE OpenStack Cloud 8
This update for grafana, kafka, logstash, openstack-monasca-installer fixes the following issues:
Security issues fixed:
- CVE-2018-12099: grafana: Fix XSS vulnerabilities in dashboard links (bsc#1096985).
- CVE-2018-3817: logstash: Fix inadvertently logging of sensitive information (bsc#1090849).
Bug fixes:
- bsc#1095603: Disable jmxremote debugging.
- bsc#1097847: Make time series database schema setup conditional.
- bsc#1094448: Set log rotation options.
- bsc#1090336: Add complete set of elasticsearch performance tunables.
- bsc#1101366: Fix build issues with s390x, ppc64le and aarch64.
- Fix various spec errors affecting Leap 15 and Tumbleweed
ModerateSUSE bug 1090336SUSE bug 1090849SUSE bug 1094448SUSE bug 1095603SUSE bug 1096985SUSE bug 1097847SUSE bug 1101366CVE-2018-12099 at SUSECVE-2018-12099 at NVDCVE-2018-3817 at SUSECVE-2018-3817 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for cobbler (Important)SUSE OpenStack Cloud 8
This update for cobbler fixes the following issues:
Security issues fixed:
- Forbid exposure of private methods in the API (CVE-2018-10931,
CVE-2018-1000225, bsc#1104287, bsc#1104189, bsc#1105442)
- Check access token when calling 'modify_setting' API endpoint (bsc#1104190,
bsc#1105440, CVE-2018-1000226)
Other bugs fixed:
- Do not try to hardlink to a symlink. The result will be a dangling symlink
in the general case. (bsc#1097733)
- fix kernel options when generating bootiso (bsc#1101670)
ImportantSUSE bug 1097733SUSE bug 1101670SUSE bug 1104189SUSE bug 1104190SUSE bug 1104287SUSE bug 1105440SUSE bug 1105442CVE-2018-1000225 at SUSECVE-2018-1000225 at NVDCVE-2018-1000226 at SUSECVE-2018-1000226 at NVDCVE-2018-10931 at SUSECVE-2018-10931 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for OpenStack (Moderate)SUSE OpenStack Cloud 8
This update for OpenStack fixes the following issues:
The following security issue with openstack-keystone has been fixed:
- CVE-2018-14432: Reduce duplication in federated authentication APIs. (bsc#1102151)
Additionally, the following non-security issues have been fixed:
aodh:
- Support same projects in different domain.
barbican:
- Add zuulv3 to Pike.
cinder:
- Empty option value maybe cause Unity driver failed to initialize.
- GoodnessWeigher schedules non-type volumes.
- Fix quota error when deleting temporary volume.
- Fix cinder quota-usage error.
- Unity: Return logged-out initiators.
- Correct S-Series to DS-Series systems.
- Update storage backends supported for Lenovo.
- Unity: Add support of removing empty host.
- NetApp: Fix to support SVM scoped permissions.
- NetApp ONTAP iSCSI: Force exception on online extend.
- NetApp ONTAP: Set new sub-lun clone limit for ONTAP driver.
dashboard:
- Make @memoize thread-aware.
designate:
- Add provides to handle installation of mdns and producer seamlessly.
- Fix service files.
- Install a default pools.yaml.
glance:
- doc: Modify the description for the command.
- Make ImageTarget behave like a dictionary.
- Add barbican-tempest experimental job.
heat:
- Fixing unicode issue when to\_dict is called on py2.7 env.
- Ignore NotFound error in prepare\_for\_replace.
- Reset resource replaced\_by field for rollback.
- Ignore RESOLVE translation errors when translating before\_props.
- Ignore errors in purging events.
heat-templates:
- Deprecate hooks in heat-templates.
horizon-plugin-designate-ui:
- Install all designate panels that are available.
horizon-plugin-freezer-ui:
- Avoid using deprecated opt in Web-UI.
horizon-plugin-gbp-ui:
- Fix patching of create instance dialog.
neutron-lbaas-dashboard:
- Remove custom zuul jobs.
horizon-plugin-trove-ui:
- Update UPPER\_CONSTRAINTS\_FILE for stable/pike.
ironic:
- Fix error when deleting a non-existent port.
- Tear down console during unprovisioning.
manila:
- Fix ZFSOnLinux doc about manage ops.
- DB Migration: Fix downgrade.
- Fix share-service VM restart problem.
- Added Handling Newer Quobyte API Error Codes.
- NetApp ONTAP: Fix delete-share for vsadmin users.
- Remove confusing DB deprecation messages.
- Add missing Requires: for python-tooz
neutron:
- Skip MTU check during deletion of Networks.
- HA L3 agent restart only standby agents.
- Retry dhcp\_release on failures.
- Reduce IP address collision during port creating.
- Refactor DVR HA migarations DB operations.
- Disallow router interface out of subnet IP range.
- Fix fwaas v1 configuration doc.
- Add list of all working DSCP marks.
- Set trusted port only once in iptables firewall driver.
- Fix UT BridgeLibTest when IPv6 is disabled.
neutron-fwaas:
- DVR-FWaaS: Fix DVR FWaaS rules for fipnamespace.
neutron-lbaas:
- Get providers directly from ORM to make startup take half as long.
- Cap haproxy log level severity.
- Fix sphinx-docs job for stable branch.
neutron-vpnaas:
- Fix sphinx-docs job for stable branch and pep8 issues.
neutron-zvm-agent:
- Backport zCC backend networking-zvm.
nova:
- libvirt: Add method to configure migration speed.
- Make host\_aggregate\_map dictionary case-insensitive.
- Fix unbound local when saving an unchanged RequestSpec.
- Cleanup mapping/reqspec after archive instance.
- Default embedded instance.flavor.disabled attribute.
- Backport tox.ini to switch to stestr.
- Cleanup RP and HM records while deleting a compute service.
- Delete allocations from API if nova-compute is down.
- Block deleting compute services which are hosting instances.
- api-ref: Add a note in DELETE /os-services about deleting computes.
- Add functional test for deleting a compute service.
- Factor out compute service start in ServerMovingTest.
- Moving more utils to ProviderUsageBaseTestCase.
- Make nova service-list use scatter-gather routine.
- libvirt: Slow live-migration to ensure network is ready.
- Use instance project/user when creating RequestSpec during resize reschedule.
- Mock utils.execute() in qemu-img unit test.
- Add policy rule to block image-backed servers with 0 root disk flavor.
- Change consecutive build failure limit to a weigher.
- Ensure resource class cache when listing usages.
- Metadata-API fails to retrieve avz for instances created before Pike.
- placement: Fix HTTP error generation.
- Add amd-ssbd and amd-no-ssb CPU flags.
- Fixed auto-convergence option name in doc.
- libvirt: Skip fetching the virtual size of block devices.
- libvirt: Handle DiskNotFound during update\_available\_resource.
- Avoid showing password in log.
- Fix shelving a paused instance.
- Document how to disable notifications.
- Add ssbd and virt-ssbd flags to cpu\_model\_extra\_flags whitelist.
- Stringify instance UUID.
nova-virt-zvm:
- Backport zvm driver.
octavia:
- Update introduction documention page.
- Use HMAC.hexdigest to avoid non-ascii characters for package data.
trove:
- Add .stestr.conf to fix tox-py27 stable job.
- Fix mysql instance create failed when enable skip-name-resolve.
- Failed to build mongo image.
- Open the volume\_support of redis.
- Remove Mitaka reference in install/dashboard.rst.
- Enable longer Keystone token life.
- Fix gate issues.
python-barbicanclient:
- Update time for functional tests. (bsc#1084362)
python-keystone-json-assignment:
- Speedup project lookup.
python-manilaclient:
- Fix for use endpoint_type in _discover_client method.
- Add search_opts in func list of ManagerWithFind type classes.
- Fix share can not be found by name in admin context.
python-vmware-nsx:
- NSX|V3: Handle port-not-found during get_ports.
- NSXAdminV3: Add message on client cert generation.
- NSX-V: Add server-ip-address to the supported dhcp options.
- NSX|V3: Fix global SG creation duplication.
- Fix security groups ext_properties loading.
- NSXv3: Add pool-level lock for LB pool member operations.
- NSX|v3: Do not retry on DB duplications on section init.
- NSXv: Handle listener failures on backend.
- Add mock to the requirements.
- AdminUtils V3: Do not set nat_pass for NO-NAT rules.
- NSX|V3: Wait for another neutron to create default section.
- NSX|V3: Cleanup duplicate sections on startup.
- V and D: Make security group logging more robust.
- NSX|v3: Ensure that 0.0.0.0/# is treated correctly in SG rules.
- NSX|V: Fix create/delete subnet race condition.
python-vmware-nsxlib:
- Fix service ports for egress firewall rule.
- Add server-ip-address to the suppoprted dhcp options.
- Retry on 503 Service Unavailable.
- Remove sha224 from supported client cert hash algs.
- Add logging when initializing a default FW section.
- Fixed tenacity usage.
- Retry is IOError is received.
- Handle cluster connection closed by server. ModerateSUSE bug 1084362SUSE bug 1102151CVE-2018-14432 at SUSECVE-2018-14432 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-cryptography (Moderate)SUSE OpenStack Cloud 8
This update for python-cryptography fixes the following issues:
- CVE-2018-10903: The finalize_with_tag API did not enforce a minimum tag
length. If a user did not validate the input length prior to passing it to
finalize_with_tag an attacker could craft an invalid payload with a shortened
tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the
MAC check. GCM tag forgeries could have caused key leakage (bsc#1101820)
ModerateSUSE bug 1101820CVE-2018-10903 at SUSECVE-2018-10903 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-Django (Moderate)SUSE OpenStack Cloud 8
This update for python-Django fixes the following issues:
- CVE-2018-14574: Prevent open redirect in
django.middleware.common.CommonMiddleware (bsc#1102680)
ModerateSUSE bug 1102680CVE-2018-14574 at SUSECVE-2018-14574 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ardana-monasca, ardana-spark, kafka, kafka-kit, openstack-monasca-api (Important)SUSE OpenStack Cloud 8
This update for ardana-monasca, ardana-spark, kafka, kafka-kit, openstack-monasca-api fixes the following issues:
This update for ardana-monasca to version 8.0+git.1535031421.9262a47 fixes these issues:
- Requests Apache to reload on change (bsc#1102662)
- Avoids managing non-Monasca users (bsc#1102662)
- Line up perms on storm.conf to match rpm (bsc#1094971)
This update for ardana-spark to version 8.0+git.1532114050.04654a8 fixes this issue:
- Only set log dir perms on legacy install (bsc#1094851)
This update for kafka to version 0.10.2.2 fixes this security issue:
- CVE-2018-1288: Authenticated Kafka users may have performed action reserved
for the Broker via a manually created fetch request interfering with data
replication, resulting in data loss (bsc#1102920).
This update for kafka to version 0.10.2.2 fixes these non-security issues:
- set internal.leave.group.on.close to false in KafkaStreams
- Improve message for Kafka failed startup with non-Kafka data in data.dirs
- add max_number _of_retries to exponential backoff strategy
- Mute logger for reflections.org at the warn level in system tests
- Kafka connect: error with special characters in connector name
- streams task gets stuck after re-balance due to LockException
- CachingSessionStore doesn't use the default keySerde.
- RocksDBSessionStore doesn't use default aggSerde.
- Recommended values for Connect transformations contain the wrong class name
- Kafka broker fails to start if a topic containing dot in its name is marked for delete but hasn't been deleted during previous uptime
- GlobalKTable does not checkpoint offsets after restoring state
- Log cleaning can increase message size and cause cleaner to crash with buffer overflow
- Some socket connections not closed after restart of Kafka Streams
- Distributed Herder Deadlocks on Shutdown
- Log cleaner fails due to large offset in segment file
- StreamsKafkaClient should not use StreamsConfig.POLL_MS_CONFIG
- Refactor kafkatest docker support
- ducktape kafka service: do not assume Service contains num_nodes
- Using _DUCKTAPE_OPTIONS has no effect on executing tests
- Connect WorkerSinkTask out of order offset commit can lead to inconsistent state
- RocksDB segments not removed when store is closed causes re-initialization to fail
- FetchMetadata creates unneeded Strings on instantiation
- SourceTask#stop() not called after exception raised in poll()
- Sink connectors that explicitly 'resume' topic partitions can resume a paused task
- GlobalStateManagerImpl should not write offsets of in-memory stores in checkpoint file
- Source KTable checkpoint is not correct
- ConnectSchema#equals() broken for array-typed default values
This update for openstack-monasca-api to version 2.2.1~dev24 fixes these issues:
- devstack: download storm from archive.apache.org
- Backport tempest test robustness improvements
- 1724543-fixed kafka partition creation error in devstack installation
- Fix:No alarms created if metric name in alarm def. expr. is mix case
- Zuul: Remove project name
- Run against Pike requirements
ImportantSUSE bug 1094851SUSE bug 1094971SUSE bug 1102662SUSE bug 1102920CVE-2018-1288 at SUSECVE-2018-1288 at NVDcpe:/o:suse:suse-openstack-cloud:8Recommended update for ardana-ansible (Moderate)SUSE OpenStack Cloud 8
This update for ardana-ansible fixes the following issues:
ardana-ansible:
- Initial checkin of info capture tool
- Rename dayzero-site.yml (bsc#1111886)
- Switch to non-legacy media layout by default.
- Add Keystone Fernet master node monitoring. (bsc#1097241)
- Add restart verb for maintenance updates.
- Remove tasks to in-place modify systemd files.
- Don't install systemd service file when SUSEified. (bsc#1082708)
- Use sosreport for RHEL and supportutils for SLES nodes (bsc#1100688)
- Obtain notification URL from environment
- Add support for callback plugin post initial install
- Added start and stop tracking events
- New Service Manila Integration in Ardana
- Make changes to return both openstack and cloud pkgs
- Added a new playbook to generate hosts file
- Make get_ts_pkgs more robust
- Add Ansible play and library tool to gather package data
- Adding sosreport upgrade to be included in update path (bsc#1105141)
- Remove obsolete config.json file (bsc#1104047)
ardana-barbican:
- Switch to stable/pike branch
ardana-cinder:
- Updating swift backup url to check non-empty value (bsc#1099412)
ardana-cluster:
- Fix haproxy not being able to log using journald (bsc#1005886)
ardana-cobbler:
- Updating failure behavior on power down step in reimage (bsc#1089243)
ardana-freezer:
- Freezer: Restoring control node fails (bsc#1099741)
ardana-glance:
- Fix security audit. (bsc#1109445)
- Filter out API health checks from logs (bsc#1049737, bsc#1096798)
ardana-input-model:
- Relicense manila to Apache-2.0.
- Remove manila-share dependency to keystone-client (bsc#1109264)
- New Service Manila Integration in Ardana
- CVE-2016-8611: Add glance-api rate limit to address (bsc#1005886)
ardana-keystone:
- Updates keystone user if it exists (bsc#1102662)
- Reruns of keystone credentials change (bsc#1102662)
ardana-mq:
- Add rabbitmq-server-plugins (bsc#1103903)
ardana-neutron:
- Make ovsvapp_agent.log logging consistent with other agents (bsc#1105420)
- Allow 3rd-party drivers to pass in dhcp_driver option value
- Allow SDNs to replace neutron's policy.json file
ardana-nova:
- Fixes cell0 map updates (bsc#1091490)
ardana-octavia:
- Set the correct systemd_service_dir for octavia (bsc#1094847)
ardana-osconfig:
- Restart dpdk network after restarting openvswitch (bsc#1104407)
- Allow passwordless root logins
- Added start and stop tracking events
ardana-service:
- Pass notify_url in extra-vars to playbook
- add monasca support
- filter out the item where ardana_ansible_host empty
- Pass encrypt and rekey parms when running config-processor (bsc#1102789)
- Support legacy playbook names for dev env for day2
- Replace dayzero playbook reference with installui
- Added mocks for running ardana-start.yml
- merge changes up to Sept 17 2018 to stable/pike
- Support legacy playbook names for dev env for day2
- Updated REST packages call to handle all packages
- handle run playbooks for adding compute nodes
- Add DELETE service file method
- Added deployed_servers endpoint in ardana-service
- Add mock for keystone endpoints
- add mocking, robustness, pep8 fix
- Gracefully handle missing service description
- Add fake playbook, log for running keystone-status
- Support insecure mode for keystone
- Add caching for internal cp files
- Allow insecure mode for keystone sessions
- Make packages changes Python 3 compatible
- Add ability to get remote host package data
- Add endpoint for getting internal cp files
- add python-monascaclient dependency
- Make packages changes Python 3 compatible
- Add ability to get remote host package data
ardana-service-ansible:
- Include service URL in config file
- Create cache directory
ardana-ses:
- Support phase 2 SES config.
- Add SES config yaml conversion utility.
- Fix the cinder-backup settings (bsc#1096988, bsc#1096798)
ardana-swift:
- Switch to stable/pike branch
ModerateSUSE bug 1005886SUSE bug 1049737SUSE bug 1082708SUSE bug 1089243SUSE bug 1091490SUSE bug 1094847SUSE bug 1095166SUSE bug 1096798SUSE bug 1096988SUSE bug 1097241SUSE bug 1099412SUSE bug 1099741SUSE bug 1100688SUSE bug 1102662SUSE bug 1102789SUSE bug 1103903SUSE bug 1104047SUSE bug 1104407SUSE bug 1105141SUSE bug 1105420SUSE bug 1109264SUSE bug 1109445SUSE bug 1111886CVE-2016-8611 at SUSECVE-2016-8611 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for git (Important)SUSE OpenStack Cloud 8
This update for git fixes the following issue:
- CVE-2018-17456: Git allowed remote code execution during processing of a recursive 'git clone' of a superproject if a .gitmodules file has a URL field beginning with a '-' character. (boo#1110949).
ImportantSUSE bug 1110949CVE-2018-17456 at SUSECVE-2018-17456 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ansible (Moderate)SUSE OpenStack Cloud 8
This update for ansible fixes the following issues:
Ansible was updated to ansible 2.4.6.0.
The full release notes can be found on:
https://github.com/ansible/ansible/blob/stable-2.4/CHANGELOG.md
Security issues fixed:
- CVE-2018-10875: ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code. (bsc#1099808)
- CVE-2018-10874: It was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control, allowing to run arbitrary code as a result. (bsc#1099805)
- CVE-2018-10855: Ansible did not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible. (bsc#1097775)
ModerateSUSE bug 1097775SUSE bug 1099805SUSE bug 1099808CVE-2018-10855 at SUSECVE-2018-10855 at NVDCVE-2018-10874 at SUSECVE-2018-10874 at NVDCVE-2018-10875 at SUSECVE-2018-10875 at NVDcpe:/o:suse:suse-openstack-cloud:8Recommended update for ardana-ansible, ardana-cobbler, ardana-db, ardana-heat, ardana-manila, ardana-neutron, ardana-nova, ardana-octavia, ardana-osconfig, ardana-service, ardana-ses, ardana-swift, ardana-tempest, crowbar, crowbar-core, crowbar-ha, crowbar-openstack, documentation-suse-openstack-cloud, galera-python-clustercheck, openstack-dashboard, openstack-ec2-api, openstack-heat, openstack-heat-templates, openstack-horizon-plugin-ironic-ui, openstack-horizon-plugin-magnum-ui, openstack-horizon-plugin-sahara-ui, openstack-ironic, openstack-keystone, openstack-magnum, openstack-manila, openstack-monasca-api, openstack-monasca-notification, openstack-monasca-persister, openstack-murano, openstack-neutron, openstack-neutron-fwaas, openstack-nova, openstack-octavia, openstack-sahara, openstack-swift, openstack-tempest, python-cinderclient, python-cryptography, python-monasca-common, python-networking-hyperv, python-os-brick, python-venvjail, venv-openstack-aodh, venv-openstack-barbican, venv-openstack-ceilometer, venv-openstack-cinder, venv-openstack-designate, venv-openstack-freezer, venv-openstack-glance, venv-openstack-heat, venv-openstack-horizon, venv-openstack-ironic, venv-openstack-keystone, venv-openstack-magnum, venv-openstack-manila, venv-openstack-monasca, venv-openstack-monasca-ceilometer, venv-openstack-murano, venv-openstack-nova, venv-openstack-octavia, venv-openstack-sahara, venv-openstack-swift, venv-openstack-trove (Moderate)SUSE OpenStack Cloud 8
This update for ardana-ansible, ardana-cobbler, ardana-db, ardana-heat, ardana-manila, ardana-neutron, ardana-nova, ardana-octavia, ardana-osconfig, ardana-service, ardana-ses, ardana-swift, ardana-tempest, crowbar, crowbar-core, crowbar-ha, crowbar-openstack, documentation-suse-openstack-cloud, galera-python-clustercheck, openstack-dashboard, openstack-ec2-api, openstack-heat, openstack-heat-templates, openstack-horizon-plugin-ironic-ui, openstack-horizon-plugin-magnum-ui, openstack-horizon-plugin-sahara-ui, openstack-ironic, openstack-keystone, openstack-magnum, openstack-manila, openstack-monasca-api, openstack-monasca-notification, openstack-monasca-persister, openstack-murano, openstack-neutron, openstack-neutron-fwaas, openstack-nova, openstack-octavia, openstack-sahara, openstack-swift, openstack-tempest, python-cinderclient, python-cryptography, python-monasca-common, python-networking-hyperv, python-os-brick, python-venvjail, venv-openstack-aodh, venv-openstack-barbican, venv-openstack-ceilometer, venv-openstack-cinder, venv-openstack-designate, venv-openstack-freezer, venv-openstack-glance, venv-openstack-heat, venv-openstack-horizon, venv-openstack-ironic, venv-openstack-keystone, venv-openstack-magnum, venv-openstack-manila, venv-openstack-monasca, venv-openstack-monasca-ceilometer, venv-openstack-murano, venv-openstack-nova, venv-openstack-octavia, venv-openstack-sahara, venv-openstack-swift, venv-openstack-trove fixes the following issues:
This update fixes the following issues:
ardana-ansible:
* Move manila to the correct location in verb action list files (SCRD-6812)
* Enable manila service in verb action list files (SCRD-6812)
* Improve user experience (bsc#1114632)
ardana-cobbler:
* gate cobbler import on distro existence (SCRD-6821)
ardana-db:
* xtrabackup no longer needed (SCRD-7640, bsc#1116686)
ardana-heat:
* Fix typo so that heat gets correct name for hostname certs (bsc#127227)
ardana-manila:
* Put all config into one template (SCRD-7770)
* Fail when Manila service is not running (SCRD-7413)
* Split Manila API and Share deployment (SCRD-7773)
* Comment out example backends (bsc#1116501)
ardana-neutron:
* Fix misspelled variable names (SCRD-7836)
* Neutron services require network service to be started (SCRD-7764)
ardana-nova:
* Add dosfstools as requirement for nova-comptue (SCRD-8175)
ardana-octavia:
* Remove octavia dependency from monasca (SCRD-7690)
ardana-osconfig:
* Clean up ifcfg- files left behind by udevadm (bsc#1105822)
ardana-service:
* Add support for deprecated encryption-key parameter (SCRD-7837)
ardana-ses:
* Run SWF-PRX tasks in dedicated play (SCRD-8602)
* Make SES globals available to SWF (SCRD-8109)
* Add symlink ceph.conf.j2 to ~/openstack/my_cloud/config/ses (bsc#1128479)
* Add support for reusing clients (bsc#1122237)
* Ensure keyring files are readable (bsc#1122237)
ardana-swift:
* Prefer Kronos logrotate conf to Swift RPM logrotate conf (SCRD-7410)
ardana-tempest:
* Enable additional keystone tests (SCRD-7496)
* Enable domain specific drivers on tempest (SCRD-7496)
* Fix tempest heat plugin configuration (SCRD-7508)
* Add freezer to tempest available/testable list (SCRD-7496)
* Fix tempest configuration for magnum (SCRD-7496)
* Add missing test packages (SCRD-7496)
* Set cinder/glance admin on tempest roles (SCRD-7496)
* Update tempest test filters (SCRD-7496)
* Configure tempest accordingly when SES enabled (SCRD-7496)
* Merge test results from parallel and serial filters (SCRD-7784)
crowbar:
* install-chef-suse: filter comments from authorized_keys file
crowbar-core:
* crowbar: Do not rely on Chef::Util::FileEdit to write the file (bsc#1127752)
* Revert 'Disable upgrade API in Cloud8'
* upgrade: Make sure all compute nodes get compute related scripts
* network: run wicked ifdown for interface cleanup (bsc#1063535)
crowbar-ha:
* improve galera HA setup (bsc#1122875)
crowbar-openstack:
* ceilometer: Install package which contains cron file (bsc#1130414)
* monasca: Set hostname for monasca-agent as FQDN (SCRD-8705)
* memcache: Use first array element as fallback (SCRD-8255)
* db: Raise default connection limit to 2048
* rabbit: fix mirroring regex
* neutron: Add osprofiler support
* nova: Add osprofiler support
* cinder: Add osprofiler support
* glance: Add osprofiler support
* keystone: Make osprofiler connection_string configurable
* keystone: Add basic osprofiler support
documentation-suse-openstack-cloud:
* Additional corrections from Carl
* Fix reference to wrong neutron-reconfigure.yml playbook (SCRD-7709)
* increasing url_timeout parameter (SCRD-8512)
* Fix <screen> prompts in migration guide (SCRD-3763)
* Revert 'Fix <screen> prompts in migration guide (SCRD-3763)'
* Fix <screen> prompts in migration guide (SCRD-3763)
* Include additional notes for 3PAR multipath instructions (SCRD-8584)
* remove L2 Gateway Agent (SCRD-7645)
* Added more detail about how to test load balancer during migration
* Fix RHEL SMT repo setup command (SCPM-93)
* added <step> tags
* Update to octavia migration process
* Support Octavia LB's during HOS 5 -> C8 migration (bsc#1094690)
* change parameters ardana-update-status.yml (SCRD-8530)
* Fix haproxy user deletion
* Update description of kernel patch needed for RHEL 7.5 (SCPM-93)
* Adding missing nova guide
* Remove screenshots
* Fix IDs and x-refs
* Fix Magnim user guide. WIP
* Add missing guide. Need fixing
* change 3par multipath statements (bsc#1128928,SCRD-8396)
* remove vlan transparency section (bsc#1125216,SCRD-7648)
* remove ESXi create DVS from the Command Line (bsc#1125180)
* make QE recommended edits (bsc#1124017, bsc#1124022)
* Use &clm; instead of &lcm; for C*loud Lifec*ycle Manager
* add supportconfig, sosreport cross-references (SCRD-2680)
* Fixing xref tag for package builds
* Fix missing ID
* make hidden-tag consistent (SCRD-7870)
* Nesting availability zone aware section
* Removing the API content from the admin guide
* Remove empty sections
* Remove weird [OBJ] characters in odd places
* Replace <function> -> <literal>
* Fixing broken ref
* Add references to DIB back to guide
* rabbitmq cluster replace node (SCRD-7468,SCRD-7469)
* minor typo and prompt changes (no bsc or SCRD)
galera-python-clustercheck:
* Add socket read timeout (bsc#1122053)
openstack-dashboard:
* network topology: handle port AZ correctly
openstack-ec2-api:
* Replace openstack.org git:// URLs with https://
openstack-heat:
* Retry on DB deadlock when updating resource
openstack-heat-templates:
* Replace openstack.org git:// URLs with https://
openstack-horizon-plugin-ironic-ui:
* Normalize operation messages into capital case
* Replace openstack.org git:// URLs with https://
penstack-horizon-plugin-magnum-ui:
* Replace openstack.org git:// URLs with https://
* Set ubuntu-xenial for nodejs jobs
openstack-horizon-plugin-sahara-ui:
* Replace openstack.org git:// URLs with https://
* Remove the legacy integration tests job
penstack-ironic:
* Fix CPU count returned by introspection in Ironic iDRAC driver
openstack-keystone:
* create proper tmpdir for locking
* Remove publish-loci post job
openstack-magnum:
* Replace openstack.org git:// URLs with https://
openstack-manila:
* Replace openstack.org git:// URLs with https://
* Manila VMAX docs - differences between quotas
* Manila VMAX docs - improve pre-configurations on VMAX section
* Manila VMAX docs - clarify snapshot support
* Manila VMAX docs - clarify driver\_handles\_share\_servers
* VMAX manila doc - SSL Support
* VMAX manila doc - use of correct VMAX tags
* VMAX manila - deprecate old tags correctly
* Destroy type quotas when a share type is deleted
* Fix driver filter to not check share\_backend\_name
* Only run the needed services for CephFS jobs
* Return request-id to APIs that don't respond with a body
* Fix service image boot issues
* Port dummy driver manage/unmanage changes to stable
openstack-monasca-api:
* Replace openstack.org git:// URLs with https://
openstack-monasca-notification:
* Replace openstack.org git:// URLs with https://
openstack-monasca-persister:
* Replace openstack.org git:// URLs with https://
openstack-murano:
* Replace openstack.org git:// URLs with https://
openstack-neutron:
* Specify tenant\_id in TestRevisionPlugin objects
* Fix QoS rule update
* Add rootwrap filters to kill state change monitor
* Fix port update deferred IP allocation with host\_id + new MAC
* Try to enable dnsmasq process several times
* Remove conntrack rule when FIP is deleted
* More accurate agent restart state transfer
* [OVS] Exception message when retrieving bridge-id and is not present
* [Functional tests] Change way how conntrack entries are checked
* Change duplicate OVS bridge datapath-ids
* Fix KeyError in OVS firewall
* ovs: raise RuntimeError in \_get\_dp if id is None
* Replace openstack.org git:// URLs with https://
* [Functional] Don't assert that HA router don't have IPs configured
* Improve invalid port ranges error message
* Do not release DHCP lease when no client ID is set on port
* ovsfw: Update SG rules even if OVSFW Port is not found
* Enable ipv6\_forwarding in HA router's namespace
* Spawn metadata proxy on dvr ha standby routers
* Set initial ha router state in neutron-keepalived-state-change
* When converting sg rules to iptables, do not emit dport if not supported
* DVR edge router: avoid accidental centralized floating IP remove
* ovsfw: Don't create rules if updated port doesn't exist
* Add new test decorator skip\_if\_timeout
* Fix notification about arp entries for dvr routers
* Add lock\_path in installation guide
* Fix update of ports cache in router\_info class
* Ensure dnsmasq is down before enabling it in restart method
* Block port update from unbound DHCP agent
* Fix performance regression adding rules to security groups
* Always fill UDP checksums in DHCPv6 replies
* Secure dnsmasq process against external abuse
* Check port VNIC type when associating a floating IP
* Enable 'all' IPv6 forwarding knob correctly
* protect DHCP agent cache out of sync
* Add kill\_timeout to AsyncProcess
* Fullstack: init trunk agent's driver only when necessary
* Don't modify global variables in unit tests
* Do state report after setting start\_flag on OVS restart
* Do not delete trunk bridges if service port attached
* Fix the bug about DHCP port whose network has multiple subnets
* Force all fdb entries update after ovs-vswitchd restart
* Get centralized FIP only on router's snat host
* Include all rootwrap filters when building wheels
openstack-neutron-fwaas:
* don't package tempest plugin twice
openstack-nova:
* Document unset/reset wrinkle for \*\_allocation\_ratio options
* Replace openstack.org git:// URLs with https://
* Refix disk size during live migration with disk over-commit
* Fix WeighedHost logging regression
* Correct examples in 'Manage Compute services' documentation
* Fix disk size during live migration with disk over-commit
* Exclude build request marker from server listing
* Update port device\_owner when unshelving
* Handle tags in \_bury\_in\_cell0
* Null out instance.availability\_zone on shelve offload
* Fix server\_group\_members quota check
* Add functional regressions tests for server\_group\_members OverQuota
* Fix bug case by none token context
* Migrate nova v2.0 legacy job to zuulv3
* Handle missing marker during online data migration
* tox: Don't write byte code (maybe)
* [pike-only] Fix resize\_instance rpcapi call
* Lock detach\_volume
* PCI: do not force remove allocated devices
* Note the aggregate allocation ratio restriction in scheduler docs
* Add regression test for bug #1764883
* Create BDMs/tags in cell with instance when over-quota
* Add functional regression test for bug 1806064
* Not set instance to ERROR if set\_admin\_password failed
* De-dupe subnet IDs when calling neutron /subnets API
* Fix destination\_type attribute in the bdm\_v2 documentation
openstack-octavia:
* Replace openstack.org git:// URLs with https://
openstack-sahara:
* Replace openstack.org git:// URLs with https://
* Use venv-py2 to run sahara-scenario, remove the py3 job
* archive-primary.cloudera.com -> archive.cloudera.com
* Changing hdfs fs to hdfs dfs
* Add DEBIAN\_FRONTEND=noninteractive in front of apt-get install commands
openstack-swift:
* Fixed a cache invalidation issue related to GET and PUT requests to
containers that would occasionally cause object PUTs to a container to
404 after the container had been successfully created.
* Removed a race condition where a POST to an SLO could modify the X-Static-Large-Object metadata.
* Fixed rare socket leak on range requests to erasure-coded objects.
* Fix SLO delete for accounts with non-ASCII names.
* Fixed an issue in COPY where concurrent requests may have copied the wrong data.
* Fixed time skew when using X-Delete-After.
* Send ETag header in 206 Partial Content responses to SLO reads.
openstack-tempest:
* create lockdir on install
python-cinderclient:
* Update .gitreview for stable/pike
* Fix get_highest_client_server_version with Cinder API + uWSGI
* Updated from global requirements
* import zuul job settings from project-config
* Update UPPER_CONSTRAINTS_FILE for stable/pike
python-cryptography:
* Add X509_up_ref() function to help pyOpenSSL deal with CVE-2018-1000807 (bsc#1111635) and CVE-2018-1000808 (bsc#1111634).
python-monasca-common:
* update to version 2.3.1~dev4
python-networking-hyperv:
* import zuul job settings from project-config
python-os-brick:
* iscsiadm -m session' failure handling
* Handle multiple errors in multipath -l parsing
* Fixing FC scanning
* RemoteFS: don't fail in do_mount if already mounted
* Fix multipath disconnect with path failure
* import zuul job settings from project-config
python-venvjail:
* Set [] as default value for --no-relocate-shebang-list
* Exclude some files from relocation (SCRD-8594)
ModerateSUSE bug 1063535SUSE bug 1094690SUSE bug 1105822SUSE bug 1111634SUSE bug 1111635SUSE bug 1114632SUSE bug 1116501SUSE bug 1116686SUSE bug 1122053SUSE bug 1122237SUSE bug 1122875SUSE bug 1124017SUSE bug 1124022SUSE bug 1125180SUSE bug 1125216SUSE bug 1127752SUSE bug 1128479SUSE bug 1128928SUSE bug 1130414SUSE bug 127227CVE-2018-1000807 at SUSECVE-2018-1000807 at NVDCVE-2018-1000808 at SUSECVE-2018-1000808 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for mariadb (Low)SUSE OpenStack Cloud 8
This update for mariadb to version 10.2.22 fixes the following issues:
Security issues fixed (bsc#1122198):
- CVE-2019-2510: Fixed a vulnerability which can lead to MySQL compromise and lead to Denial of Service.
- CVE-2019-2537: Fixed a vulnerability which can lead to MySQL compromise and lead to Denial of Service.
Other issues fixed:
- Fixed an issue where mysl_install_db fails due to incorrect basedir (bsc#1127027).
- Fixed an issue where the lograte was not working (bsc#1112767).
- Backport Information Schema CHECK_CONSTRAINTS Table.
- Maximum value of table_definition_cache is now 2097152.
- InnoDB ALTER TABLE fixes.
- Galera crash recovery fixes.
- Encryption fixes.
- Remove xtrabackup dependency as MariaDB ships a build in mariabackup so xtrabackup is not needed (bsc#1122475).
The complete changelog can be found at: https://mariadb.com/kb/en/library/mariadb-10222-changelog/
LowSUSE bug 1112767SUSE bug 1122198SUSE bug 1122475SUSE bug 1127027CVE-2019-2510 at SUSECVE-2019-2510 at NVDCVE-2019-2537 at SUSECVE-2019-2537 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libssh2_org (Moderate)SUSE OpenStack Cloud 8
This update for libssh2_org fixes the following issues:
- Fix the previous fix for CVE-2019-3860 (bsc#1136570, bsc#1128481)
(Out-of-bounds reads with specially crafted SFTP packets)
ModerateSUSE bug 1128481SUSE bug 1136570CVE-2019-3860 at SUSECVE-2019-3860 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
- Mozilla Firefox Firefox 60.7.2
MFSA 2019-19 (bsc#1138872)
- CVE-2019-11708: Fix sandbox escape using Prompt:Open.
* Insufficient vetting of parameters passed with the Prompt:Open IPC
message between child and parent processes could result in the non-sandboxed
parent process opening web content chosen by a compromised child process.
When combined with additional vulnerabilities this could result in executing
arbitrary code on the user's computer.
ImportantSUSE bug 1138872CVE-2019-11708 at SUSECVE-2019-11708 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for dnsmasq (Moderate)SUSE OpenStack Cloud 8
This update for dnsmasq fixes the following issues:
Security issue fixed:
- CVE-2017-15107: Fixed a vulnerability in DNSSEC implementation. Processing of
wildcard synthesized NSEC records may result improper validation for non-existance. (bsc#1076958)
Non-security issue fixed:
- Reload system dbus to pick up policy change on install (bsc#1054429).
ModerateSUSE bug 1054429SUSE bug 1076958CVE-2017-15107 at SUSECVE-2017-15107 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for postgresql10 (Important)SUSE OpenStack Cloud 8
This update for postgresql10 to version 10.9 fixes the following issue:
Security issue fixed:
- CVE-2019-10164: Fixed buffer-overflow vulnerabilities in SCRAM verifier parsing (bsc#1138034).
More information at https://www.postgresql.org/docs/10/release-10-9.html
ImportantSUSE bug 1138034CVE-2019-10164 at SUSECVE-2019-10164 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for glib2 (Important)SUSE OpenStack Cloud 8
This update for glib2 fixes the following issues:
Security issue fixed:
- CVE-2019-13012: Fixed improper restriction of file permissions when creating directories (bsc#1139959).
Non-security issue fixed:
- Added explicit requires between libglib2 and libgio2 (bsc#1140122).
ImportantSUSE bug 1139959SUSE bug 1140122CVE-2019-13012 at SUSECVE-2019-13012 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud 8
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2019-10638: In the Linux kernel, a device could be tracked by an attacker using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic was sent to multiple destination IP addresses, it was possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). An attack may have been conducted by hosting a crafted web page that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses (bnc#1140575 1140577).
- CVE-2019-10639: The Linux kernel allowed Information Exposure (partial kernel address disclosure), that lead to a KASLR bypass. Specifically, it was possible to extract the KASLR kernel image offset using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it was possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). This key contains enough bits from a kernel address (of a static variable) so when the key is extracted (via enumeration), the offset of the kernel image is exposed. This attack could be carried out remotely, by the attacker forcing the target device to send UDP or ICMP (or certain other) traffic to attacker-controlled IP addresses. Forcing a server to send UDP traffic is trivial if the server is a DNS server. ICMP traffic is trivial if the server answers ICMP Echo requests (ping). For client targets, if the target visited the attacker's web page, then WebRTC or gQUIC could be used to force UDP traffic to attacker-controlled IP addresses. NOTE: this attack against KASLR became viable because IP ID generation was changed to have a dependency on an address associated with a network namespace (bnc#1140577).
- CVE-2019-10126: A flaw was found in the Linux kernel. A heap based buffer overflow in mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c might have lead to memory corruption and possibly other consequences (bnc#1136935).
- CVE-2018-20836: An issue was discovered in the Linux kernel There was a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free (bnc#1134395).
- CVE-2019-11599: The coredump implementation in the Linux kernel did not use locking or other mechanisms to prevent vma layout or vma flags changes while it ran, which allowed local users to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a race condition with mmget_not_zero or get_task_mm call. This is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c (bnc#1131645 1133738).
- CVE-2019-12614: An issue was discovered in dlpar_parse_cc_property in arch/powerpc/platforms/pseries/dlpar.c in the Linux kernel There was an unchecked kstrdup of prop-name, which might have allowed an attacker to cause a denial of service (NULL pointer dereference and system crash) (bnc#1137194).
- CVE-2019-12819: An issue was discovered in the Linux kernel The function __mdiobus_register() in drivers/net/phy/mdio_bus.c calls put_device(), which would trigger a fixed_mdio_bus_init use-after-free. This would cause a denial of service (bnc#1138291).
- CVE-2019-12818: An issue was discovered in the Linux kernel The nfc_llcp_build_tlv function in net/nfc/llcp_commands.c may return NULL. If the caller did not check for this, it would trigger a NULL pointer dereference. This would cause a denial of service. This affected nfc_llcp_build_gb in net/nfc/llcp_core.c (bnc#1138293).
- CVE-2019-12456: A double-fetch bug in _ctl_ioctl_main() could lead to a local denial of service attack (bsc#1136922 CVE-2019-12456).
- CVE-2019-12380: An issue was discovered in the efi subsystem in the Linux kernel phys_efi_set_virtual_address_map in arch/x86/platform/efi/efi.c and efi_call_phys_prolog in arch/x86/platform/efi/efi_64.c mishandle memory allocation failures. NOTE: This id is disputed as not being an issue because ;All the code touched by the referenced commit runs only at boot, before any user processes are started. Therefore, there is no possibility for an unprivileged user to control it (bnc#1136598).
- CVE-2019-11487: The Linux kernel before allowed page-_refcount reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It could occur with FUSE requests (bnc#1133190 1133191).
The following non-security bugs were fixed:
- Drop multiversion(kernel) from the KMP template (bsc#1127155).
- Fix ixgbe backport (bsc#1133140)
- Revert 'KMPs: obsolete older KMPs of the same flavour (bsc#1127155, bsc#1109137).' This reverts commit 4cc83da426b53d47f1fde9328112364eab1e9a19.
- Update 'TCP SACK Panic' series
- ACPI / CPPC: Check for valid PCC subspace only if PCC is used (bsc#1126961).
- ACPI / CPPC: Fix KASAN global out of bounds warning (bsc#1126961).
- ACPI / CPPC: Make CPPC ACPI driver aware of PCC subspace IDs (bsc#1126961).
- ACPI / CPPC: Update all pr_(debug/err) messages to log the susbspace id (bsc#1126961).
- ACPI / CPPC: Use 64-bit arithmetic instead of 32-bit (bsc#1126961).
- ACPI / CPPC: fix build issue with ktime_t used in logical operation (bsc#1126961).
- ACPI: CPPC: remove initial assignment of pcc_ss_data (bsc#1126961).
- at76c50x-usb: Do not register led_trigger if usb_register_driver failed (bsc#1135642).
- ath6kl: Only use match sets when firmware supports it (bsc#1120902).
- btrfs: check for refs on snapshot delete resume (bsc#1131335, bsc#1137004).
- btrfs: run delayed items before dropping the snapshot (bsc#1121263, bsc#1111188, bsc#1137004).
- btrfs: save drop_progress if we drop refs at all (bsc#1131336, bsc#1137004).
- ceph: fix potential use-after-free in ceph_mdsc_build_path (bsc#1138681).
- ceph: flush dirty inodes before proceeding with remount (bsc#1138681).
- ceph: print inode number in __caps_issued_mask debugging messages (bsc#1138681).
- cpu/hotplug: Provide cpus_read|write_[un]lock() (bsc#1138374, LTC#178199).
- cpu/hotplug: Provide lockdep_assert_cpus_held() (bsc#1138374, LTC#178199).
- cpufreq / CPPC: Add cpuinfo_cur_freq support for CPPC (bsc#1126961).
- cpufreq: CPPC: fix build in absence of v3 support (bsc#1126961).
- cpufreq: Replace 'max_transition_latency' with 'dynamic_switching' (bsc#1126961).
- cpufreq: cn99xx: set platform specific sampling rate (bsc#1126961).
- ibmvnic: Add device identification to requested IRQs (bsc#1137739).
- ibmvnic: Do not close unopened driver during reset (bsc#1137752).
- ibmvnic: Fix unchecked return codes of memory allocations (bsc#1137752).
- ibmvnic: Refresh device multicast list after reset (bsc#1137752).
- ibmvnic: remove set but not used variable 'netdev' (bsc#1137739).
- iwiwifi: fix bad monitor buffer register addresses (bsc#1129770).
- kabi: cpufreq: rename dynamic_switching to max_transition_latency (bsc#1126961).
- kernel/sys.c: prctl: fix false positive in validate_prctl_map() (bsc#1137749).
- libertas_tf: prevent underflow in process_cmdrequest() (bsc#1119086).
- mailbox: PCC: Move the MAX_PCC_SUBSPACES definition to header file (bsc#1126961).
- mailbox: pcc: Drop uninformative output during boot (bsc#1126961).
- mailbox: pcc: Fix crash when request PCC channel 0 (bsc#1126961).
- mwl8k: Fix rate_idx underflow (bsc#1135642).
- net/ibmvnic: Remove tests of member address (bsc#1137739).
- net: Remove NO_IRQ from powerpc-only network drivers (bsc#1137739).
- nvmet-fc: bring Disconnect into compliance with FC-NVME spec (bsc#1136889).
- nvmet-fc: fix issues with targetport assoc_list list walking (bsc#1136889).
- nvmet: fix fatal_err_work deadlock (bsc#1136889).
- nvmet_fc: support target port removal with nvmet layer (bsc#1136889).
- powerpc/cacheinfo: add cacheinfo_teardown, cacheinfo_rebuild (bsc#1138374, LTC#178199).
- powerpc/eeh: Fix race with driver un/bind (bsc#1066223).
- powerpc/perf: Add blacklisted events for Power9 DD2.1 (bsc#1053043).
- powerpc/perf: Add blacklisted events for Power9 DD2.2 (bsc#1053043).
- powerpc/perf: Fix MMCRA corruption by bhrb_filter (bsc#1053043).
- powerpc/perf: Infrastructure to support addition of blacklisted events (bsc#1053043).
- powerpc/process: Fix sparse address space warnings (bsc#1066223).
- powerpc/pseries/mobility: prevent cpu hotplug during DT update (bsc#1138374, LTC#178199).
- powerpc/pseries/mobility: rebuild cacheinfo hierarchy post-migration (bsc#1138374, LTC#178199).
- rtlwifi: fix false rates in _rtl8821ae_mrate_idx_to_arfr_id() (bsc#1120902).
- scsi: core: add new RDAC LENOVO/DE_Series device (bsc#1132390).
- scsi: qla2xxx: Fix FC-AL connection target discovery (bsc#1094555).
- scsi: qla2xxx: Fix N2N target discovery with Local loop (bsc#1094555).
- signals: avoid random wakeups in sigsuspend() (bsc#1137915)
- treewide: Use DEVICE_ATTR_WO (bsc#1137739).
- x86/entry/64/compat: Fix stack switching for XEN PV (bsc#1108382).
ImportantSUSE bug 1053043SUSE bug 1066223SUSE bug 1094555SUSE bug 1108382SUSE bug 1109137SUSE bug 1111188SUSE bug 1119086SUSE bug 1120902SUSE bug 1121263SUSE bug 1125580SUSE bug 1126961SUSE bug 1127155SUSE bug 1129770SUSE bug 1131335SUSE bug 1131336SUSE bug 1131645SUSE bug 1132390SUSE bug 1133140SUSE bug 1133190SUSE bug 1133191SUSE bug 1133738SUSE bug 1134395SUSE bug 1135642SUSE bug 1136598SUSE bug 1136889SUSE bug 1136922SUSE bug 1136935SUSE bug 1137004SUSE bug 1137194SUSE bug 1137739SUSE bug 1137749SUSE bug 1137752SUSE bug 1137915SUSE bug 1138291SUSE bug 1138293SUSE bug 1138374SUSE bug 1138681SUSE bug 1139751SUSE bug 1140575SUSE bug 1140577CVE-2018-20836 at SUSECVE-2018-20836 at NVDCVE-2019-10126 at SUSECVE-2019-10126 at NVDCVE-2019-10638 at SUSECVE-2019-10638 at NVDCVE-2019-10639 at SUSECVE-2019-10639 at NVDCVE-2019-11487 at SUSECVE-2019-11487 at NVDCVE-2019-11599 at SUSECVE-2019-11599 at NVDCVE-2019-12380 at SUSECVE-2019-12380 at NVDCVE-2019-12456 at SUSECVE-2019-12456 at NVDCVE-2019-12614 at SUSECVE-2019-12614 at NVDCVE-2019-12818 at SUSECVE-2019-12818 at NVDCVE-2019-12819 at SUSECVE-2019-12819 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox, mozilla-nss fixes the following issues:
MozillaFirefox to version ESR 60.8:
- CVE-2019-9811: Sandbox escape via installation of malicious language pack (bsc#1140868).
- CVE-2019-11711: Script injection within domain through inner window reuse (bsc#1140868).
- CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects (bsc#1140868).
- CVE-2019-11713: Use-after-free with HTTP/2 cached stream (bsc#1140868).
- CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (bsc#1140868).
- CVE-2019-11715: HTML parsing error can contribute to content XSS (bsc#1140868).
- CVE-2019-11717: Caret character improperly escaped in origins (bsc#1140868).
- CVE-2019-11719: Out-of-bounds read when importing curve25519 private key (bsc#1140868).
- CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin (bsc#1140868).
- CVE-2019-11709: Multiple Memory safety bugs fixed (bsc#1140868).
mozilla-nss to version 3.44.1:
* Added IPSEC IKE support to softoken
* Many new FIPS test cases
ImportantSUSE bug 1140868CVE-2019-11709 at SUSECVE-2019-11709 at NVDCVE-2019-11711 at SUSECVE-2019-11711 at NVDCVE-2019-11712 at SUSECVE-2019-11712 at NVDCVE-2019-11713 at SUSECVE-2019-11713 at NVDCVE-2019-11715 at SUSECVE-2019-11715 at NVDCVE-2019-11717 at SUSECVE-2019-11717 at NVDCVE-2019-11719 at SUSECVE-2019-11719 at NVDCVE-2019-11729 at SUSECVE-2019-11729 at NVDCVE-2019-11730 at SUSECVE-2019-11730 at NVDCVE-2019-9811 at SUSECVE-2019-9811 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ardana and crowbar (Important)SUSE OpenStack Cloud 8
This update for ardana and crowbar fixes the following issues:
- Restrict rootwrap directories for cinder (bsc#1132542)
- Change Cinder default log level from DEBUG to INFO (SCRD-7132)
- Remove configuration from migration (bsc#1126391)
- Configurable innodb flush options (SCRD-7496)
- Secure designate's rootwrap files (bsc#1132542)
- specify rootwrap config file in designate sudoer (bsc#1132542)
- Update Designate log threshold from DEBUG to INFO (SCRD-8459)
- Change Glance default log level from DEBUG to INFO (SCRD-8592)
- Change Heat default log level from DEBUG to INFO (SCRD-7132)
- Fix Horizon missing create snapshot action for users (bsc#1130593)
- Don't set external-name in ardana-ci models (SCRD-7471)
- Fix fail-over/-back behavior of haproxy for galera (bsc#1122875)
- Update swift endpoints from keystone-reconfigure.yml if needed (SCRD-8703)
- Change Magnum default log level from DEFAULT to INFO (SCRD-7132)
- Rip out vertica related code (SCRD-9031)
- Tighten neutron sudoers to only execute rootwrap (bsc#1132542)
- Change Neutron default log level from DEBUG to INFO (SCRD-7132)
- SCRD-9031 Change permitted nova-rootwrap config file pattern (bsc#1132542)
- specify rootwrap config file in nova sudoer (bsc#1132542)
- Change Nova default log level from DEBUG to INFO (SCRD-7132)
- Stop installing a sudoers root escalator (SCRD-9031)
- Change Octavia default log level from DEBUG to INFO (SCRD-7132)
- Increase number of connect retries (SCRD-7496)
- UDEV rules for multi-port nics (SCRD-8329)
- Ensure that the ceph group exists (SCRD-8347)
- Disable test_create_health_monitor_with_scenarios tempest (SOC-9176)
- Make --os-test-timeout configurable and increase default (SCRD-7496)
- Disable TestVolumeBootPattern.test_volume_boot_pattern (SCRD-9015)
- Increase and make timeout values configurable (SCRD-7496)
- Configure heat boot config template path (SCRD-7496)
- Fix typo on ceilometer filter (SCRD-7496)
- barclamp: Fix setting MTU on networks using a bridge
- Fix order of values in nodes piechart
- Ignore CVE-2019-11068 during Travis (SOC-9262)
- Fix cloud-mkcloud9-job-backup-restore (SCRD-7126)
- Update suse-branding.patch with correct links for documentation
(SCRD-8294)
- pacemaker: add failure nodes to sync fail message (bsc#1083721)
- update suse-branding.patch (SOC-9297)
- pacemaker: wait more for founder if SBD is configured (SCRD-8462)
- pacemaker: don't check cluster members on founder (SCRD-8462)
- database: Make wsrep_provider_options configurable (fate#327745)
- database: Raise and align promote/demote timeouts (bsc#1131791)
- mysql: improve galera HA setup (bsc#1122875)
- Update suse-branding.patch with correct links for documentation
(SCRD-8294)
- neutron: Fix the rest of the keystone related settings for LBaaS
- neutron: properly define neutron lbaas region (bsc#1128753)
- CLM - update MariaDB manually (bsc#1132852, SOC-9022)
- update MariaDB manually (bsc#1132852, SOC-9022)
- SOC8 alarm table restructure ((SCRD-7710, bsc#1124170)
- Fix bsc#1118003
- add deprecation decision tree (shrub) (SCRD-8530)
- add cert section (SCRD-5542)
- grammar; make migration pairing more explicit (SCRD-7595)
- Remove whitespace on top of login page (SCRD-7142)
- Revert alert and form colors to default SCRD-6919
- Change active sidebar section text white SCRD-6919
- Updated the openstack-monasca-agent-sudoers file (bsc#1132542)
- Don't restart neutron-ovs-cleanup on RPM update (bsc#1132860)
- Fix KeyError in OVS firewall (bsc#1131712, CVE-2019-10876)
- update to 1.11.20 (bsc#124991, CVE-2019-6975):
- Memory exhaustion in ``django.utils.numberformat.format()``
- Include ops-console logs if exist (bsc-1126912)
- Add a sed pattern to censor passwords from servers.yml (bsc#1105559)
- Show the status file of crowbar upgrade (if it exists)
ImportantSUSE bug 1083721SUSE bug 1105559SUSE bug 1118003SUSE bug 1120932SUSE bug 1122875SUSE bug 1124170SUSE bug 1126391SUSE bug 1128753SUSE bug 1130593SUSE bug 1131712SUSE bug 1131791SUSE bug 1132542SUSE bug 1132852SUSE bug 1132860SUSE bug 124991CVE-2018-14574 at SUSECVE-2018-14574 at NVDCVE-2019-10876 at SUSECVE-2019-10876 at NVDCVE-2019-11068 at SUSECVE-2019-11068 at NVDCVE-2019-3498 at SUSECVE-2019-3498 at NVDCVE-2019-6975 at SUSECVE-2019-6975 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ucode-intel (Important)SUSE OpenStack Cloud 8
This update for ucode-intel fixes the following issues:
This update contains the Intel QSR 2019.1 Microcode release (bsc#1111331)
Four new speculative execution information leak issues have been identified in Intel CPUs. (bsc#1111331)
- CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
- CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)
- CVE-2018-12130: Microarchitectural Load Port Data Samling (MLPDS)
- CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
These updates contain the CPU Microcode adjustments for the software mitigations.
For more information on this set of vulnerabilities, check out https://www.suse.com/support/kb/doc/?id=7023736
Release notes:
---- updated platforms ------------------------------------
SNB-E/EN/EP C1/M0 6-2d-6/6d 0000061d->0000061f Xeon E3/E5, Core X
SNB-E/EN/EP C2/M1 6-2d-7/6d 00000714->00000718 Xeon E3/E5, Core X
ImportantSUSE bug 1111331CVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for bzip2 (Important)SUSE OpenStack Cloud 8
This update for bzip2 fixes the following issues:
Security issue fixed:
- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083).
- CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).
ImportantSUSE bug 1139083SUSE bug 985657CVE-2016-3189 at SUSECVE-2016-3189 at NVDCVE-2019-12900 at SUSECVE-2019-12900 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for glibc (Moderate)SUSE OpenStack Cloud 8
This update for glibc fixes the following issues:
Security issues fixed:
- CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308).
- CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223).
Non-security issues fixed:
- Added cfi information for start routines in order to stop unwinding on S390 (bsc#1128574).
ModerateSUSE bug 1127223SUSE bug 1127308SUSE bug 1128574CVE-2009-5155 at SUSECVE-2009-5155 at NVDCVE-2019-9169 at SUSECVE-2019-9169 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libsolv, libzypp, zypper (Moderate)SUSE OpenStack Cloud 8
This update for libsolv, libzypp and zypper fixes the following issues:
libsolv was updated to version 0.6.36 fixes the following issues:
Security issues fixed:
- CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
- CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
- CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).
Non-security issues fixed:
- Made cleandeps jobs on patterns work (bsc#1137977).
- Fixed an issue multiversion packages that obsolete their own name (bsc#1127155).
- Keep consistent package name if there are multiple alternatives (bsc#1131823).
libzypp received following fixes:
- Fixes a bug where locking the kernel was not possible (bsc#1113296)
zypper received following fixes:
- Fixes a bug where the wrong exit code was set when refreshing
repos if --root was used (bsc#1134226)
- Improved the displaying of locks (bsc#1112911)
- Fixes an issue where `https` repository urls caused an error prompt to
appear twice (bsc#1110542)
- zypper will now always warn when no repositories are defined (bsc#1109893)
ModerateSUSE bug 1109893SUSE bug 1110542SUSE bug 1111319SUSE bug 1112911SUSE bug 1113296SUSE bug 1120629SUSE bug 1120630SUSE bug 1120631SUSE bug 1127155SUSE bug 1131823SUSE bug 1134226SUSE bug 1137977CVE-2018-20532 at SUSECVE-2018-20532 at NVDCVE-2018-20533 at SUSECVE-2018-20533 at NVDCVE-2018-20534 at SUSECVE-2018-20534 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for bzip2 (Important)SUSE OpenStack Cloud 8
This update for bzip2 fixes the following issues:
- Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities
with files that used many selectors (bsc#1139083).
ImportantSUSE bug 1139083CVE-2019-12900 at SUSECVE-2019-12900 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for polkit (Important)SUSE OpenStack Cloud 8
This update for polkit fixes the following issues:
Security issue fixed:
- CVE-2019-6133: Fixed improper caching of auth decisions, which could bypass
uid checking in the interactive backend (bsc#1121826).
ImportantSUSE bug 1121826CVE-2019-6133 at SUSECVE-2019-6133 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_8_0-openjdk (Important)SUSE OpenStack Cloud 8
This update for java-1_8_0-openjdk to version 8u222 fixes the following issues:
Security issues fixed:
- CVE-2019-2745: Improved ECC Implementation (bsc#1141784).
- CVE-2019-2762: Exceptional throw cases (bsc#1141782).
- CVE-2019-2766: Improve file protocol handling (bsc#1141789).
- CVE-2019-2769: Better copies of CopiesList (bsc#1141783).
- CVE-2019-2786: More limited privilege usage (bsc#1141787).
- CVE-2019-2816: Normalize normalization (bsc#1141785).
- CVE-2019-2842: Extended AES support (bsc#1141786).
- CVE-2019-7317: Improve PNG support (bsc#1141780).
- Certificate validation improvements
Non-security issue fixed:
- Fixed an issue where the installation failed when the manpages are not present (bsc#1115375)
ImportantSUSE bug 1115375SUSE bug 1141780SUSE bug 1141782SUSE bug 1141783SUSE bug 1141784SUSE bug 1141785SUSE bug 1141786SUSE bug 1141787SUSE bug 1141789CVE-2019-2745 at SUSECVE-2019-2745 at NVDCVE-2019-2762 at SUSECVE-2019-2762 at NVDCVE-2019-2766 at SUSECVE-2019-2766 at NVDCVE-2019-2769 at SUSECVE-2019-2769 at NVDCVE-2019-2786 at SUSECVE-2019-2786 at NVDCVE-2019-2816 at SUSECVE-2019-2816 at NVDCVE-2019-2842 at SUSECVE-2019-2842 at NVDCVE-2019-7317 at SUSECVE-2019-7317 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for mariadb (Important)SUSE OpenStack Cloud 8
This update for mariadb fixes the following issues:
Update to MariaDB 10.0.38 GA (bsc#1136037).
Security issues fixed:
- CVE-2019-2537: Denial of service via multiple protocols (bsc#1136037)
- CVE-2019-2529: Denial of service via multiple protocols (bsc#1136037)
- CVE-2018-3282: Server Storage Engines unspecified vulnerability (CPU Oct 2018) (bsc#1112432)
- CVE-2018-3251: InnoDB unspecified vulnerability (CPU Oct 2018) (bsc#1112397)
- CVE-2018-3174: Client programs unspecified vulnerability (CPU Oct 2018) (bsc#1112368)
- CVE-2018-3156: InnoDB unspecified vulnerability (CPU Oct 2018) (bsc#1112417)
- CVE-2018-3143: InnoDB unspecified vulnerability (CPU Oct 2018) (bsc#1112421)
- CVE-2018-3066: Unspecified vulnerability in the MySQL Server component of Oracle MySQL (subcomponent Server Options). (bsc#1101678)
- CVE-2018-3064: InnoDB unspecified vulnerability (CPU Jul 2018) (bsc#1103342)
- CVE-2018-3063: Unspecified vulnerability in the MySQL Server component of Oracle MySQL (subcomponent Server Security Privileges). (bsc#1101677)
- CVE-2018-3058: Unspecified vulnerability in the MySQL Server component of Oracle MySQL (subcomponent MyISAM). (bsc#1101676)
- CVE-2016-9843: Big-endian out-of-bounds pointer (bsc#1013882)
Non-security changes:
- Removed PerconaFT from the package as it has AGPL licence (bsc#1118754).
- Do not just remove tokudb plugin but don't build it at all (missing jemalloc dependency).
- Fixed reading options for multiple instances if my${INSTANCE}.cnf is used (bsc#1132666).
- Removed 'umask 077' from mysql-systemd-helper that caused new datadirs created
with wrong permissions (bsc#1132666).
Release notes and changelog:
- https://kb.askmonty.org/en/mariadb-10038-release-notes
- https://kb.askmonty.org/en/mariadb-10038-changelog
- https://kb.askmonty.org/en/mariadb-10037-release-notes
- https://kb.askmonty.org/en/mariadb-10037-changelog
- https://kb.askmonty.org/en/mariadb-10036-release-notes
- https://kb.askmonty.org/en/mariadb-10036-changelog
ImportantSUSE bug 1013882SUSE bug 1101676SUSE bug 1101677SUSE bug 1101678SUSE bug 1103342SUSE bug 1112368SUSE bug 1112397SUSE bug 1112417SUSE bug 1112421SUSE bug 1112432SUSE bug 1116686SUSE bug 1118754SUSE bug 1132666SUSE bug 1136037CVE-2016-9843 at SUSECVE-2016-9843 at NVDCVE-2018-3058 at SUSECVE-2018-3058 at NVDCVE-2018-3063 at SUSECVE-2018-3063 at NVDCVE-2018-3064 at SUSECVE-2018-3064 at NVDCVE-2018-3066 at SUSECVE-2018-3066 at NVDCVE-2018-3143 at SUSECVE-2018-3143 at NVDCVE-2018-3156 at SUSECVE-2018-3156 at NVDCVE-2018-3174 at SUSECVE-2018-3174 at NVDCVE-2018-3251 at SUSECVE-2018-3251 at NVDCVE-2018-3282 at SUSECVE-2018-3282 at NVDCVE-2019-2529 at SUSECVE-2019-2529 at NVDCVE-2019-2537 at SUSECVE-2019-2537 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python3 (Important)SUSE OpenStack Cloud 8
This update for python3 fixes the following issues:
- CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).
- CVE-2018-14647: Fixed a denial of service vulnerability caused by a crafted XML document (bsc#1109847).
- CVE-2018-1000802: Fixed a command injection in the shutil module (bsc#1109663).
ImportantSUSE bug 1109663SUSE bug 1109847SUSE bug 1138459CVE-2018-1000802 at SUSECVE-2018-1000802 at NVDCVE-2018-14647 at SUSECVE-2018-14647 at NVDCVE-2019-10160 at SUSECVE-2019-10160 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-Twisted (Moderate)SUSE OpenStack Cloud 8
This update for python-Twisted fixes the following issue:
Security issue fixed:
- CVE-2019-12387: Fixed an improper sanitization of URIs or HTTP which could have allowed
attackers to perfrom CRLF attacks (bsc#1137825).
ModerateSUSE bug 1137825CVE-2019-12387 at SUSECVE-2019-12387 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for evince (Important)SUSE OpenStack Cloud 8
This update for evince fixes the following issues:
Security issues fixed:
- CVE-2019-11459: Fixed an improper error handling in which could have led to use of uninitialized use of memory (bsc#1133037).
- CVE-2019-1010006: Fixed a buffer overflow in backend/tiff/tiff-document.c (bsc#1141619).
ImportantSUSE bug 1133037SUSE bug 1141619CVE-2019-1010006 at SUSECVE-2019-1010006 at NVDCVE-2019-11459 at SUSECVE-2019-11459 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for squid (Moderate)SUSE OpenStack Cloud 8
This update for squid fixes the following issues:
Security issue fixed:
- CVE-2019-12529: Fixed a potential denial of service associated with HTTP Basic Authentication credentials (bsc#1141329).
- CVE-2019-12525: Fixed a denial of service during processing of HTTP Digest Authentication credentials (bsc#1141332).
- CVE-2019-13345: Fixed a cross site scripting vulnerability via user_name or auth parameter in cachemgr.cgi (bsc#1140738).
ModerateSUSE bug 1140738SUSE bug 1141329SUSE bug 1141332CVE-2019-12525 at SUSECVE-2019-12525 at NVDCVE-2019-12529 at SUSECVE-2019-12529 at NVDCVE-2019-13345 at SUSECVE-2019-13345 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python (Important)SUSE OpenStack Cloud 8
This update for python fixes the following issues:
- CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).
- CVE-2018-20852: Fixed an information leak where cookies could be send to the wrong server because of incorrect domain validation (bsc#1141853).
ImportantSUSE bug 1138459SUSE bug 1141853CVE-2018-20852 at SUSECVE-2018-20852 at NVDCVE-2019-10160 at SUSECVE-2019-10160 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for postgresql96 (Important)SUSE OpenStack Cloud 8
This update for postgresql96 fixes the following issues:
Security issue fixed:
- CVE-2019-10208: Fixed arbitrary SQL execution via suitable SECURITY DEFINER function under the identity of the function owner (bsc#1145092).
ImportantSUSE bug 1145092CVE-2019-10208 at SUSECVE-2019-10208 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ardana-ansible, ardana-db, ardana-freezer, ardana-glance, ardana-input-model, ardana-nova, ardana-osconfig, ardana-tempest, caasp-openstack-heat-templates, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, documentation-suse-openstack-cloud, galera-python-clustercheck, openstack-cinder, openstack-glance, openstack-heat, openstack-horizon-plugin-monasca-ui, openstack-horizon-plugin-neutron-fwaas-ui, openstack-ironic, openstack-keystone, openstack-manila, openstack-monasca-agent, openstack-monasca-api, openstack-monasca-persister, openstack-monasca-persister-java, openstack-murano, openstack-neutron, openstack-neutron-gbp, openstack-neutron-lbaas, openstack-nova, openstack-octavia, python-Beaver, python-oslo.db, python-osprofiler, python-swiftlm, venv-openstack-magnum, venv-openstack-monasca, venv-openstack-monasca-ceilometer, venv-openstack-murano, venv-openstack-neutron (Moderate)SUSE OpenStack Cloud 8
This update for ardana-ansible, ardana-db, ardana-freezer, ardana-glance, ardana-input-model, ardana-nova, ardana-osconfig, ardana-tempest, caasp-openstack-heat-templates, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, documentation-suse-openstack-cloud, galera-python-clustercheck, openstack-cinder, openstack-glance, openstack-heat, openstack-horizon-plugin-monasca-ui, openstack-horizon-plugin-neutron-fwaas-ui, openstack-ironic, openstack-keystone, openstack-manila, openstack-monasca-agent, openstack-monasca-api, openstack-monasca-persister, openstack-monasca-persister-java, openstack-murano, openstack-neutron, openstack-neutron-gbp, openstack-neutron-lbaas, openstack-nova, openstack-octavia, python-Beaver, python-oslo.db, python-osprofiler, python-swiftlm, venv-openstack-magnum, venv-openstack-monasca, venv-openstack-monasca-ceilometer, venv-openstack-murano, venv-openstack-neutron fixes the following issues:
- Update to version 8.0+git.1560208949.67048e3:
* Adds repository list parameter (bsc#1122825)
- Update to version 8.0+git.1564410318.f0cca2c:
* Don't use 'latest' with 'zypper' (SOC-9997)
- Update to version 8.0+git.1564164977.ef9baeb:
* Freezer Config file is mixed case (SOC-9700)
- Update to version 8.0+git.1564491709.349d78e:
* Default glance_default_store to rbd if SES enabled (SOC-8749)
- Update to version 8.0+git.1562848601.c3daff0:
* Include memcached in the minimal ardana-ci model (SOC-9800)
- Update to version 8.0+git.1565388406.c6abb8d:
* Make default/rpc_response_timeout configurable (SOC-9285)
- Update to version 8.0+git.1562943864.e04a92f:
* Resolves nova-novncproxy random status failures (SOC-9574)
- Update to version 8.0+git.1560180700.bd26898:
* Adding support for qemu-ovmf to ardana (SOC-8985)
- Update to version 8.0+git.1563383198.c7fd9b4:
* Add an global_filter entry to lvm.conf (bsc#1140512)
- Update to version 8.0+git.1559761021.5605746:
* Enable FCOE for SUSE platform family (SCRD-8562)
- Update to version 8.0+git.1562849010.73bc517:
* Fix Keystone only deployment tempest testing (SOC-9800)
- Update to version 8.0+git.1560764545.6c8d2dc:
* Install manila tempest tests package (SOC-7496)
- Update to version 8.0+git.1560330843.b7d807c:
* Add configuration for manila-tempest-plugin (SOC-7496)
- Update to version 1.0+git.1560518045.ad7dc6d:
* Patching node before bootstraping
- Update to version 5.0+git.1565280360.01fed6905:
* batch: Fix get_proposal_json (SOC-9954)
* batch: Format crowbar batch error output (SOC-9954)
* batch: Format crowbar batch error output (SOC-9954)
- Update to version 5.0+git.1564657662.75174c965:
* travis: Whitelist CVE-2015-3448 (SOC-9911)
* travis: Use env variable for commit range (SOC-9911)
* Use proper names for the Travis Tests (SOC-9565)
* Replace Danger with Gitlint (SOC-9565)
* Switch from Travis dist from Trusty to Xenial (SOC-9565)
- Update to version 5.0+git.1563983933.03880f1c8:
* dns: fix migration for designate
- Update to version 5.0+git.1562080799.f2dd7d0dd:
* network: Don't set datapath-ids on ovs-bridges anymore
* crowbar: Save sync_mark attributes in databag
- Update to version 5.0+git.1561648142.b6be652e9:
* dns: forwards dns queries to dns-master when using desingate
* dns: write admin network in ip/mask notation for bind9
* dns: skip installing designate-rndc-key on non-master nodes
* dns: fix designate migration
* dns: allow using dns-server as designate target
* bind: Allow new zones configured via rndc
* bind: Disable listening on IPv6 addresses for now
- Update to version 5.0+git.1561465092.4dc67a7fa:
* travis: pin sexp_processor to 4.12.0
- Update to version 5.0+git.1561380950.b4e37c0e2:
* deployer: Use dhcp on crowbar_register only when enable_pxe is set (bsc#1132654)
* network: Allow locking down the network config for nodes (bsc#1120657)
- Update to version 5.0+git.1562069707.e2de18c:
* Add timeout multiplier
* Make default sync_mark timeout configurable
- Update to version 5.0+git.1565270683.ea6e63d87:
* designate: Use server node for VIP look ups (SOC-9631)
- Update to version 5.0+git.1565081678.e15f2c9a9:
* nova: add max_threads_per_process tuneable (SOC-10001, bsc#1133719)
- Update to version 5.0+git.1562911219.f22efd5c2:
* designate: allow worker on cluster (SOC-9632)
* swift: Sync HA nodes (SOC-9683)
- Update to version 5.0+git.1562731577.aefaf8a6d:
* Improve Mnesia IO performances
- Update to version 5.0+git.1562650331.0e86ce8ba:
* cinder: Set cinder pool to exclusive by default when using embedded ceph
- Update to version 5.0+git.1561984197.a675e8c50:
* designate: do not install the keystone_authtoken on worker nodes
* neutron: enable designate integration
* designate: rely on dns-master entirely
* designate: Fix variables initialization in mdns
* designate: start and run the mdns service
* designate: Finish rename of role to designate-worker
* designate: address most hound comments.
* designate: update monasca monitoring.
* neutron: add floating_dns_domain setting
* designate: Add initial designate barclamp
- Update to version 5.0+git.1559857295.d68afb38f:
* rabbitmq: Fix ACL of SSL key after uid/gid change
- Update to version 5.0+git.1559536094.a9cc7f312:
* nova: Don't retry creating existing flavors
- Update to version 1.2.0+git.1563181545.65360af5:
* upgrade: Update repocheck keys
* Update texts for 8-9 upgrade (SOC-9689)
- Update to version 1.2.0+git.1562579063.5690a1bc:
* Pin gulp-angular-templatecache version
- Update to version 8.20190805:
* DC files: Align profiling, throw out unnecessary attributes
* Rename DCs: 'hos-imported' to 'clm-all' & '-all' to 'crowbar-all'
* Fix styleroot of Helion set
* add ardana prompt, add ardana-init step (bsc#1143310)
* New ID format (noref)
- Update packaging to deal with new IDs
- Update to version 8.20190729:
* add image-volume cache instructions for SES (bsc#1140663)
- Update to version 8.20190725:
* warning about .j2 file comments (bsc#1142521)
* MANAGEMENT network group name cannot be changed (bsc#1142686)
- Update to version 8.20190724:
* replace SUSE ca-certificate instructions for Crowbar (bsc#1136569)
* replace SUSE ca-certificate instructions (bsc#1136569)
- Update to version 8.20190723:
* update MariaDB manually with CLI (bsc#1132852, SOC-9022)
* clarify No Maintenance Mode (bsc#1108818)
* replace empty ESX compatibility guide (noref)
* delete cache volume before trying to use source volume (bsc#1142032)
* delete cache volume when source volume is changed (bsc#1142032)
* replace empty ESX compatibility guide (noref)
- Update to version 8.20190719:
* add hostnamectl to ardana-update-pkgs process (bsc#1138967)
- Update to version 8.20190718:
* correct repo URL (bsc#1134589)
* remove duplicate content (bsc#1138489)
- Update to version 8.20190717:
* corrections from Scott Wulf (bsc#1128453)
* replace SLES 12 SP2 with SLES 12 SP3 (bsc#1128382)
* add information about image-volume-cache (bsc#1140663)
* remove deprecated parameters (bsc#1138124)
* correct file reference (bsc#1137377)
* change SES URL (bsc#1137817)
* manually set br-int(bsc#1139750)
* update MariaDB manually with CLI (bsc#1132852, SOC-9022)
- Update to version 8.20190717:
* Fix DC file
- Update to version 8.20190621:
* minor grammar fixups
* add external reference to Deploy Keystone
* add LDAP integration troubleshooting (bsc#1134495)
* clarify LDAP manual vs GUI (bsc#1134495)
* address requested changes
* SOC8 alarm table restructure ((SCRD-7710, bsc#1124170)
- Update to version 8.20190620:
* Update installation-installation-ses_integration.xml
* Adding copy-on-write cloning backport - BSC#1138187
* move fernet token to supported Keystone feature
* Remove obsolete DC/DEF file
* Fix title
* CLM - update MariaDB manually (bsc#1132852, SOC-9022)
* update MariaDB manually (bsc#1132852, SOC-9022)
* Fix command to create external network
* Remove sudo from commands in 'Setting Up Multiple External Networks'
* address requested changes
* SOC8 alarm table restructure ((SCRD-7710, bsc#1124170)
* add scottwulf content
* address recommended changes
* change PTF deploy instructions (bsc#1128453)
- Update to version 8.20190613:
* Update installation-installation-ses_integration.xml
* Adding copy-on-write cloning backport - BSC#1138187
- Update to version 8.20190605:
* move fernet token to supported Keystone feature
- Add 0001-Use-strings-when-setting-X-Cache-header.patch
Fixes a problem with Twisted versions where headers values
must be strings, not bools.
- Update to version 0.0+git.1562242499.36b8b64 (bsc#1122053):
* Add optional systemd ready and watchdog support
* Drop unneeded check for 'conn'
* Reset last_query_response when the cache needs to be updated
* Drop unneeded 'conn' var initialization
* Move respone header generation to own function
* Use None as default result
* Drop opts.being_updated variable
* Use contextmanager for DB connection
* Refactor DB method to get WSREP local state
* Refactor method to get readonly DB status
* pep8: Fix E712 comparison to False should be 'if cond is False:'
* pep8: Fix E305 expected 2 blank lines after class or function def
* pep8: Fix E124 closing bracket does not match visual indentation
* pep8: Fix E251 unexpected spaces around keyword / parameter equals
* pep8: Fix E262 inline comment should start with '# '
* pep8: Fix E261 at least two spaces before inline comment
* pep8: Fix F841 local variable is assigned to but never used
* pep8: Fix E302 expected 2 blank lines, found 1
* pep8: Fix E265 block comment should start with '# '
* pep8: Fix E231 missing whitespace after ','
* pep8: Fix E999 SyntaxError: invalid syntax
* pep8: Fix F821 undefined name
* pep8: Fix E225 missing whitespace around operator
* pep8: Fix E221 multiple spaces before operator
* pep8: Fix F401 module imported but unused
* Add clustercheck to console_scripts
* Add basic test infrastructure and a first pep8 job
* Fix exception handling for pymysql exception
* Readd argparse usage
* Fix installation requirements
* Add read timeout to prevent connection hanging forever
* Exclude benchmark/ directory when creating sdist tarball
* Use argparse instead of optparse
* Add basic logging infrastructure
* Add a standard setup.py file
* Catch all query exceptions
* Switch to PyMySQL
- Drop pymysql.patch and readtimeout.patch. Both merged upstream.
- Use systemd service type=notify which is now supported upstream
- Use systemd watchdog which is now supported upstream
- Update to version cinder-11.2.3.dev7:
* [VNX] Fix test case issue
- Update to version cinder-11.2.3.dev6:
* VMAX Pike docs - clarifying supported software in Pike
- Update to version cinder-11.2.3.dev7:
* [VNX] Fix test case issue
- Update to version cinder-11.2.3.dev6:
* VMAX Pike docs - clarifying supported software in Pike
- Update to version glance-15.0.3.dev2:
* Add a local bindep.txt override
* OpenDev Migration Patch
15.0.2
- Update to version glance-15.0.3.dev2:
* Add a local bindep.txt override
* OpenDev Migration Patch
15.0.2
- Update to version heat-9.0.8.dev11:
* Retry on DB deadlock in event\_create()
- Update to version heat-9.0.8.dev10:
* Add local bindep.txt and limit bandit version
- Update to version heat-9.0.8.dev9:
* Fix regression with SW deployments when region not configured
* Return None for attributes of sd with no actions
* Fix multi region issue for software deployment
- Update to version heat-9.0.8.dev4:
* Blacklist bandit 1.6.0 and cap Sphinx on Python2
- Update to version heat-9.0.8.dev11:
* Retry on DB deadlock in event\_create()
- Update to version heat-9.0.8.dev10:
* Add local bindep.txt and limit bandit version
- Update to version heat-9.0.8.dev9:
* Fix regression with SW deployments when region not configured
* Return None for attributes of sd with no actions
* Fix multi region issue for software deployment
- Update to version heat-9.0.8.dev4:
* Blacklist bandit 1.6.0 and cap Sphinx on Python2
- update to version 1.8.1~dev39
- Convert README.md to ReStructuredText format
- OpenDev Migration Patch
- don't exclude *pyc files to fix update/upgrade (SOC-9339)
- Update to version ironic-9.1.8.dev7:
* Add bindep.txt
- Update to version ironic-9.1.8.dev6:
* Update sphinx requirements
- Update to version ironic-9.1.8.dev7:
* Add bindep.txt
- Update to version ironic-9.1.8.dev6:
* Update sphinx requirements
- 0001-Allow-domain-admin-to-list-projest-assignments.patch
* bsc#1118159
* forward-port from SOC 7
- Update to version manila-5.1.1.dev2:
* [CI] Add bindep.txt
* OpenDev Migration Patch
5.1.0
- Update to version manila-5.1.1.dev2:
* [CI] Add bindep.txt
* OpenDev Migration Patch
5.1.0
- update to version 2.2.5~dev5
- Convert README to reStructuredText
- OpenDev Migration Patch
- update to version 2.2.2~dev1
- OpenDev Migration Patch
- Fix test_metrics tempest-test encoding
- Convert README.md to ReStructuredText format
- update to version 1.7.1~dev10
- OpenDev Migration Patch
- Convert README.md to ReStructuredTest format
- Add 0001-Update-all-columns-in-metrics-on-an-update-to-refres.patch (bsc#1128783)
- Add java-persister-defaults.patch
- Update to version murano-4.0.2.dev2:
* Add local bindep.txt
* OpenDev Migration Patch
4.0.1
- Update to version murano-4.0.2.dev2:
* Add local bindep.txt
* OpenDev Migration Patch
4.0.1
- Update to version neutron-11.0.9.dev42:
* Yield control to other greenthreads while processing trusted ports
- Update to version neutron-11.0.9.dev41:
* DVR: on new port only send router update on port's host
- Update to version neutron-11.0.9.dev40:
* Reset MAC on unbinding direct-physical port
- Update to version neutron-11.0.9.dev38:
* SRIOV agent: wait VFs initialization on embedded switch create
- Update to version neutron-11.0.9.dev36:
* Make OVS controller inactivity\_probe configurable
- Update to version neutron-11.0.9.dev34:
* Packets getting lost during SNAT with too many connections
* [DVR] Block ARP to dvr router's port instead of subnet's gateway
- Update to version neutron-11.0.9.dev30:
* improve dvr port update under large scale deployment
- Update to version neutron-11.0.9.dev29:
* cap bandit in test-requirements.txt
- Update to version neutron-11.0.9.dev42:
* Yield control to other greenthreads while processing trusted ports
- Update to version neutron-11.0.9.dev41:
* DVR: on new port only send router update on port's host
- Update to version neutron-11.0.9.dev40:
* Reset MAC on unbinding direct-physical port
- Update to version neutron-11.0.9.dev38:
* SRIOV agent: wait VFs initialization on embedded switch create
- Update to version neutron-11.0.9.dev36:
* Make OVS controller inactivity\_probe configurable
- Update to version neutron-11.0.9.dev34:
* Packets getting lost during SNAT with too many connections
* [DVR] Block ARP to dvr router's port instead of subnet's gateway
- Update to version neutron-11.0.9.dev30:
* improve dvr port update under large scale deployment
- Update to version neutron-11.0.9.dev29:
* cap bandit in test-requirements.txt
* When converting sg rules to iptables, do not emit dport if not supported (CVE-2019-9735, bsc#1129729)
- Update to version group-based-policy-7.3.1.dev45:
* Adding icmp\_code and icmp\_type for SG rule
- Update to version group-based-policy-7.3.1.dev43:
* A VM could be associated with multiple ports
* Optimize the extend\_router\_dict() call
- Update to version group-based-policy-7.3.1.dev40:
* [AIM] Enhance gbp-validate to detect routed subnet overlap
* [AIM] Prevent overlapping CIDRs in routed VRF
- Update to version group-based-policy-7.3.1.dev37:
* Disallow external subnets as router interfaces
* Make DHCP provisioning blocks conditional
- Update to version group-based-policy-7.3.1.dev34:
* Fix issues on sync\_state display on neutron based on AIM status
* Send the port updates for the SNAT case if needed
- Update to version group-based-policy-7.3.1.dev32:
* Pull the upper constraint file also from the opendev.org site
- Update to version group-based-policy-7.3.1.dev31:
* Fix the thread concurrency issue while calling gbp purge
- Update to version group-based-policy-7.3.1.dev30:
* [AIM] Fix handling of missing PortSecurityBinding
- Update to version group-based-policy-7.3.1.dev29:
* [AIM] Don't override loading of SG rules when validating
- add 0001-neutron-lbaas-haproxy-agent-prevent-vif-unplug-when-.patch
and 0001-Fix-memory-leak-in-the-haproxy-provider-driver.patch
- Update to version nova-16.1.9.dev4:
* Implement power\_off/power\_on for the FakeDriver
- Update to version nova-16.1.9.dev4:
* Implement power\_off/power\_on for the FakeDriver
* Fix doubling allocations on rebuild (CVE-2017-17051, bsc#1070500)
- Update to version octavia-1.0.6.dev2:
* Add bindep.txt and ignore sha1 warning
* OpenDev Migration Patch
1.0.5
- Switch to new Gerrit Server
- added 0001-exc_filters-fix-deadlock-detection-for-MariaDB-Galer.patch
- added 0001-Add-sqlalchemy-collector.patch
- added 0001-Don-t-fail-if-sqlalchemy-driver-fails-to-initialize.patch
- update to version 1.11.1
- Update .gitreview for stable/pike
- import zuul job settings from project-config
- Switch to new Gerrit Server
- Fix lower version numver after inheriting the version from main
component (SCRD-8523)
- Do not relocate shebang in make-cert.py (SCRD-8594)
- Inherit version number of venv from main component (SCRD-8523)
- Inherit version number of venv from main component (SCRD-8523)
- Fix lower version numver after inheriting the version from main
component (SCRD-8523)
- Inherit version number of venv from main component (SCRD-8523)
- Inherit version number of venv from main component (SCRD-8523)
- Remove openstack-neutron-opflex-agent, python-aci-integration-module,
python-acitoolkit, python-apicapi and python-networking-cisco as
they pull in new requirements into the product
- Inherit version number of venv from main component (SCRD-8523)
- Added to the neutron virtual environment:
* python-aci-integration-module
* python-acitoolkit
* python-apicapi
* python-networking-cisco
* openstack-neutron-gbp
* openstack-neutron-opflex-agent
- Inherit version number of venv from main component (SCRD-8523)
ModerateSUSE bug 1070500SUSE bug 1108818SUSE bug 1118159SUSE bug 1120657SUSE bug 1122053SUSE bug 1122825SUSE bug 1124170SUSE bug 1128382SUSE bug 1128453SUSE bug 1128783SUSE bug 1129729SUSE bug 1132654SUSE bug 1132852SUSE bug 1133719SUSE bug 1134495SUSE bug 1134589SUSE bug 1136569SUSE bug 1137377SUSE bug 1137817SUSE bug 1138124SUSE bug 1138187SUSE bug 1138489SUSE bug 1138967SUSE bug 1139750SUSE bug 1140512SUSE bug 1140663SUSE bug 1142032SUSE bug 1142521SUSE bug 1142686SUSE bug 1143310CVE-2015-3448 at SUSECVE-2015-3448 at NVDCVE-2017-17051 at SUSECVE-2017-17051 at NVDCVE-2019-9735 at SUSECVE-2019-9735 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libvirt (Important)SUSE OpenStack Cloud 8
This update for libvirt fixes the following issues:
Security issues fixed:
- CVE-2019-10161: Fixed virDomainSaveImageGetXMLDesc API which could accept a path
parameter pointing anywhere on the system and potentially leading to execution
of a malicious file with root privileges by libvirtd (bsc#1138301).
- CVE-2019-10167: Fixed an issue with virConnectGetDomainCapabilities API which
could have been used to execute arbitrary emulators (bsc#1138303).
Non-security issues fixed:
- Fixed an issue with short bitmaps when setting vcpu affinity using the vcpupin (bsc#1138734).
- Added support for overriding max threads per process limit (bsc#1133719)
ImportantSUSE bug 1133719SUSE bug 1138301SUSE bug 1138303SUSE bug 1138734CVE-2019-10161 at SUSECVE-2019-10161 at NVDCVE-2019-10167 at SUSECVE-2019-10167 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-Django (Important)SUSE OpenStack Cloud 8
This update for python-Django to version 1.11.23 fixes the following issues:
- CVE-2019-14232: Fixed a denial of service in 'django.utils.text.Truncator' (bsc#1142880).
- CVE-2019-14233: Fixed a denial of service in strip_tags() (bsc#1142882).
- CVE-2019-14234: Fixed an SQL injection in key and index lookups for 'JSONField'/'HStoreField' (bsc#1142883).
- CVE-2019-14235: Fixed a potential memory exhaustion in 'django.utils.encoding.uri_to_iri()' (bsc#1142885).
- CVE-2019-12781: Fixed incorrect HTTP detection with reverse-proxy connecting via HTTPS (bsc#1139945).
- CVE-2019-12308: Fixed a cross site scripting vulnerability in the AdminURLFieldWidget (bsc#1136468).
ImportantSUSE bug 1136468SUSE bug 1139945SUSE bug 1142880SUSE bug 1142882SUSE bug 1142883SUSE bug 1142885CVE-2019-12308 at SUSECVE-2019-12308 at NVDCVE-2019-12781 at SUSECVE-2019-12781 at NVDCVE-2019-14232 at SUSECVE-2019-14232 at NVDCVE-2019-14233 at SUSECVE-2019-14233 at NVDCVE-2019-14234 at SUSECVE-2019-14234 at NVDCVE-2019-14235 at SUSECVE-2019-14235 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-SQLAlchemy (Important)SUSE OpenStack Cloud 8
This update for python-SQLAlchemy fixes the following issues:
Security issues fixed:
- CVE-2019-7164: Fixed SQL Injection via the order_by parameter (bsc#1124593).
- CVE-2019-7548: Fixed SQL Injection via the group_by parameter (bsc#1124593).
ImportantSUSE bug 1124593CVE-2019-7164 at SUSECVE-2019-7164 at NVDCVE-2019-7548 at SUSECVE-2019-7548 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud 8
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2019-1125: Enable Spectre v1 swapgs mitigations (bsc#1139358).
- CVE-2018-20855: An issue was discovered in create_qp_common in drivers/infiniband/hw/mlx5/qp.c, mlx5_ib_create_qp_resp was never initialized, resulting in a leak of stack memory to userspace (bsc#1143045).
- CVE-2019-14284: The drivers/block/floppy.c allowed a denial of service by setup_format_params division-by-zero. Two consecutive ioctls can trigger the bug: the first one should set the drive geometry with .sect and .rate values that make F_SECT_PER_TRACK be zero. Next, the floppy format operation should be called. It can be triggered by an unprivileged local user even when a floppy disk has not been inserted. NOTE: QEMU creates the floppy device by default (bsc#1143189).
- CVE-2019-14283: The function set_geometry in drivers/block/floppy.c did not validate the sect and head fields, as demonstrated by an integer overflow and out-of-bounds read. It can be triggered by an unprivileged local user when a floppy disk has been inserted. NOTE: QEMU creates the floppy device by default (bsc#1143191).
- CVE-2019-11810: A NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c. This causes a Denial of Service, related to a use-after-free (bsc#1134399).
- CVE-2019-13648: In the Linux kernel on the powerpc platform, when hardware transactional memory is disabled, a local user can cause a denial of service (TM Bad Thing exception and system crash) via a sigreturn() system call that sends a crafted signal frame. This affects arch/powerpc/kernel/signal_32.c and arch/powerpc/kernel/signal_64.c (bnc#1142254).
- CVE-2019-13631: In parse_hid_report_descriptor in drivers/input/tablet/gtco.c, a malicious USB device can send an HID report that triggers an out-of-bounds write during generation of debugging messages (bsc#1142023).
- CVE-2019-15118: Fixed kernel stack exhaustion in check_input_term in sound/usb/mixer.c via mishandled recursion (bnc#1145922).
- CVE-2019-15117: Fixed out-of-bounds memory access in parse_audio_mixer_unit in sound/usb/mixer.c via mishandled short descriptor (bnc#1145920).
- CVE-2019-3819: A flaw was fixed in the function hid_debug_events_read() in drivers/hid/hid-debug.c file which may have enter an infinite loop with certain parameters passed from a userspace. A local privileged user ('root') could have caused a system lock up and a denial of service (bnc#1123161).
- CVE-2019-10207: Check for missing tty operations in bluetooth/hci_uart (bsc#1142857).
- CVE-2018-20856: Fixed a use-after-free issue in block/blk-core.c, where certain error case are mishandled (bnc#1143048).
The following non-security bugs were fixed:
- cifs: do not log STATUS_NOT_FOUND errors for DFS (bsc#1125674).
- dlm: Fix saving of NULL callbacks (bsc#1135365).
- bcache: Revert 'bcache: fix high CPU occupancy during journal' (bsc#1140652, bsc#1144288).
- bcache: Revert 'bcache: free heap cache_set->flush_btree in bch_journal_free' (bsc#1140652, bsc#1144288).
- bcache: add reclaimed_journal_buckets to struct cache_set (bsc#1140652, bsc#1144288).
- bcache: fix race in btree_flush_write() (bsc#1140652, bsc#1144288).
- bcache: fix stack corruption by PRECEDING_KEY() (bsc#1130972, bsc#1144257).
- bcache: only set BCACHE_DEV_WB_RUNNING when cached device attached (bsc#1130972, bsc#1144273).
- bcache: performance improvement for btree_flush_write() (bsc#1140652, bsc#1144288).
- bcache: remove retry_flush_write from struct cache_set (bsc#1140652, bsc#1144288).
- bonding: Force slave speed check after link state recovery for 802.3ad (bsc#1137584).
- clocksource: Defer override invalidation unless clock is unstable (bsc#1139826).
- kvm: mmu: Fix overflow on kvm mmu page limit calculation (bsc#1135335).
- kvmclock: fix TSC calibration for nested guests (bsc#1133860, jsc#PM-1211).
- mm, page_alloc: fix has_unmovable_pages for HugePages (bsc#1127034).
- powerpc/watchpoint: Restore NV GPRs while returning from exception (bsc#1140945, bsc#1141401, bsc#1141402, bsc#1141452, bsc#1141453, bsc#1141454).
- qla2xxx: performance degradation when enabling blk-mq (bsc#1128977).
- qlge: Deduplicate lbq_buf_size (bsc#1106061).
- qlge: Deduplicate rx buffer queue management (bsc#1106061).
- qlge: Factor out duplicated expression (bsc#1106061).
- qlge: Fix dma_sync_single calls (bsc#1106061).
- qlge: Fix irq masking in INTx mode (bsc#1106061).
- qlge: Refill empty buffer queues from wq (bsc#1106061).
- qlge: Refill rx buffers up to multiple of 16 (bsc#1106061).
- qlge: Remove bq_desc.maplen (bsc#1106061).
- qlge: Remove irq_cnt (bsc#1106061).
- qlge: Remove page_chunk.last_flag (bsc#1106061).
- qlge: Remove qlge_bq.len size (bsc#1106061).
- qlge: Remove rx_ring.sbq_buf_size (bsc#1106061).
- qlge: Remove rx_ring.type (bsc#1106061).
- qlge: Remove useless dma synchronization calls (bsc#1106061).
- qlge: Remove useless memset (bsc#1106061).
- qlge: Replace memset with assignment (bsc#1106061).
- qlge: Update buffer queue prod index despite oom (bsc#1106061).
- rbd: flush rbd_dev->watch_dwork after watch is unregistered (bsc#1143333).
- rbd: retry watch re-registration periodically (bsc#1143333).
- sched/fair: Do not free p->numa_faults with concurrent readers (bsc#1144920).
- sched/fair: Use RCU accessors consistently for ->numa_group (bsc#1144920).
- scsi: virtio_scsi: let host do exception handling (bsc#1141181).
- x86: mm: fix fast GUP with hyper-based TLB flushing (VM Functionality, bsc#1140903).
- x86: tsc: Add X86_FEATURE_TSC_KNOWN_FREQ flag (bsc#1133860, jsc#PM-1211).
- xen: let alloc_xenballooned_pages() fail if not enough memory free (XSA-300).
ImportantSUSE bug 1106061SUSE bug 1123161SUSE bug 1125674SUSE bug 1127034SUSE bug 1128977SUSE bug 1130972SUSE bug 1133860SUSE bug 1134399SUSE bug 1135335SUSE bug 1135365SUSE bug 1137584SUSE bug 1139358SUSE bug 1139826SUSE bug 1140652SUSE bug 1140903SUSE bug 1140945SUSE bug 1141181SUSE bug 1141401SUSE bug 1141402SUSE bug 1141452SUSE bug 1141453SUSE bug 1141454SUSE bug 1142023SUSE bug 1142254SUSE bug 1142857SUSE bug 1143045SUSE bug 1143048SUSE bug 1143189SUSE bug 1143191SUSE bug 1143333SUSE bug 1144257SUSE bug 1144273SUSE bug 1144288SUSE bug 1144920SUSE bug 1145920SUSE bug 1145922CVE-2018-20855 at SUSECVE-2018-20855 at NVDCVE-2018-20856 at SUSECVE-2018-20856 at NVDCVE-2019-10207 at SUSECVE-2019-10207 at NVDCVE-2019-1125 at SUSECVE-2019-1125 at NVDCVE-2019-11810 at SUSECVE-2019-11810 at NVDCVE-2019-13631 at SUSECVE-2019-13631 at NVDCVE-2019-13648 at SUSECVE-2019-13648 at NVDCVE-2019-14283 at SUSECVE-2019-14283 at NVDCVE-2019-14284 at SUSECVE-2019-14284 at NVDCVE-2019-15117 at SUSECVE-2019-15117 at NVDCVE-2019-15118 at SUSECVE-2019-15118 at NVDCVE-2019-3819 at SUSECVE-2019-3819 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for perl (Important)SUSE OpenStack Cloud 8
This update for perl fixes the following issues:
Security issue fixed:
- CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674).
ImportantSUSE bug 1114674CVE-2018-18311 at SUSECVE-2018-18311 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libsolv, libzypp, zypper (Moderate)SUSE OpenStack Cloud 8
This update for libsolv, libzypp and zypper fixes the following issues:
libsolv was updated to version 0.6.36 and fixes the following issues:
Security issues fixed:
- CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
- CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
- CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).
Non-security issues fixed:
- Made cleandeps jobs on patterns work (bsc#1137977).
- Fixed an issue multiversion packages that obsolete their own name (bsc#1127155).
- Keep consistent package name if there are multiple alternatives (bsc#1131823).
Fixes for libzypp:
- Fixes a bug where locking the kernel was not possible (bsc#1113296)
- Fixes a file descriptor leak (bsc#1116995)
- Will now run file conflict check on dry-run (best with download-only) (bsc#1140039)
Fixes for zypper:
- Fixes a bug where the wrong exit code was set when refreshing repos if --root was used (bsc#1134226)
- Improved the displaying of locks (bsc#1112911)
- Fixes an issue where `https` repository urls caused an error prompt to appear twice (bsc#1110542)
- zypper will now always warn when no repositories are defined (bsc#1109893)
- Fixes bash completion option detection (bsc#1049825)
ModerateSUSE bug 1049825SUSE bug 1109893SUSE bug 1110542SUSE bug 1111319SUSE bug 1112911SUSE bug 1113296SUSE bug 1116995SUSE bug 1120629SUSE bug 1120630SUSE bug 1120631SUSE bug 1127155SUSE bug 1131823SUSE bug 1134226SUSE bug 1137977SUSE bug 1140039SUSE bug 1145521CVE-2018-20532 at SUSECVE-2018-20532 at NVDCVE-2018-20533 at SUSECVE-2018-20533 at NVDCVE-2018-20534 at SUSECVE-2018-20534 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ansible (Moderate)SUSE OpenStack Cloud 8
This update for ansible fixes the following issues:
Security issue fixed:
- CVE-2019-10206: Fixed ansible cli tools that prompt passwords by expanding them from templates as they could contain special characters (bsc#1142690).
ModerateSUSE bug 1142690CVE-2019-10206 at SUSECVE-2019-10206 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-urllib3 (Moderate)SUSE OpenStack Cloud 8
This update for python-urllib3 fixes the following issues:
Security issues fixed:
- CVE-2019-9740: Fixed CRLF injection issue (bsc#1129071).
- CVE-2019-11324: Fixed invalid CA certificat verification (bsc#1132900).
- CVE-2019-11236: Fixed CRLF injection via request parameter (bsc#1132663).
- CVE-2018-20060: Remove Authorization header when redirecting cross-host (bsc#1119376).
ModerateSUSE bug 1119376SUSE bug 1129071SUSE bug 1132663SUSE bug 1132900CVE-2018-20060 at SUSECVE-2018-20060 at NVDCVE-2019-11236 at SUSECVE-2019-11236 at NVDCVE-2019-11324 at SUSECVE-2019-11324 at NVDCVE-2019-9740 at SUSECVE-2019-9740 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_7_1-ibm (Important)SUSE OpenStack Cloud 8
This update for java-1_7_1-ibm fixes the following issues:
Update to Java 7.1 Service Refresh 4 Fix Pack 50.
Security issues fixed:
- CVE-2019-11771: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-11775: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-4473: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-7317: Fixed issue inside Component AWT (libpng)(bsc#1141780).
- CVE-2019-2769: Fixed issue inside Component Utilities (bsc#1141783).
- CVE-2019-2762: Fixed issue inside Component Utilities (bsc#1141782).
- CVE-2019-2816: Fixed issue inside Component Networking (bsc#1141785).
- CVE-2019-2766: Fixed issue inside Component Networking (bsc#1141789).
ImportantSUSE bug 1141780SUSE bug 1141782SUSE bug 1141783SUSE bug 1141785SUSE bug 1141789SUSE bug 1147021CVE-2019-11771 at SUSECVE-2019-11771 at NVDCVE-2019-11775 at SUSECVE-2019-11775 at NVDCVE-2019-2762 at SUSECVE-2019-2762 at NVDCVE-2019-2766 at SUSECVE-2019-2766 at NVDCVE-2019-2769 at SUSECVE-2019-2769 at NVDCVE-2019-2816 at SUSECVE-2019-2816 at NVDCVE-2019-4473 at SUSECVE-2019-4473 at NVDCVE-2019-7317 at SUSECVE-2019-7317 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for curl (Important)SUSE OpenStack Cloud 8
This update for curl fixes the following issues:
Security issue fixed:
- CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496).
ImportantSUSE bug 1149496CVE-2019-5482 at SUSECVE-2019-5482 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud 8
This update for webkit2gtk3 fixes the following issues:
Updated to version 2.24.4 (bsc#1148931).
Security issues fixed:
- CVE-2019-8644, CVE-2019-8649, CVE-2019-8658, CVE-2019-8669, CVE-2019-8678,
CVE-2019-8680, CVE-2019-8683, CVE-2019-8684, CVE-2019-8688, CVE-2019-8595,
CVE-2019-8607, CVE-2019-8615, CVE-2019-8644, CVE-2019-8649, CVE-2019-8658,
CVE-2019-8666, CVE-2019-8669, CVE-2019-8671, CVE-2019-8672, CVE-2019-8673,
CVE-2019-8676, CVE-2019-8677, CVE-2019-8678, CVE-2019-8679, CVE-2019-8680,
CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8686, CVE-2019-8687,
CVE-2019-8688, CVE-2019-8689, CVE-2019-8690
Non-security issues fixed:
- Improved loading of multimedia streams to avoid memory exhaustion due to excessive caching.
- Updated the user agent string to make happy certain websites which would claim that the browser being used was unsupported.
ImportantSUSE bug 1135715SUSE bug 1148931CVE-2019-8595 at SUSECVE-2019-8595 at NVDCVE-2019-8607 at SUSECVE-2019-8607 at NVDCVE-2019-8615 at SUSECVE-2019-8615 at NVDCVE-2019-8644 at SUSECVE-2019-8644 at NVDCVE-2019-8649 at SUSECVE-2019-8649 at NVDCVE-2019-8658 at SUSECVE-2019-8658 at NVDCVE-2019-8666 at SUSECVE-2019-8666 at NVDCVE-2019-8669 at SUSECVE-2019-8669 at NVDCVE-2019-8671 at SUSECVE-2019-8671 at NVDCVE-2019-8672 at SUSECVE-2019-8672 at NVDCVE-2019-8673 at SUSECVE-2019-8673 at NVDCVE-2019-8676 at SUSECVE-2019-8676 at NVDCVE-2019-8677 at SUSECVE-2019-8677 at NVDCVE-2019-8678 at SUSECVE-2019-8678 at NVDCVE-2019-8679 at SUSECVE-2019-8679 at NVDCVE-2019-8680 at SUSECVE-2019-8680 at NVDCVE-2019-8681 at SUSECVE-2019-8681 at NVDCVE-2019-8683 at SUSECVE-2019-8683 at NVDCVE-2019-8684 at SUSECVE-2019-8684 at NVDCVE-2019-8686 at SUSECVE-2019-8686 at NVDCVE-2019-8687 at SUSECVE-2019-8687 at NVDCVE-2019-8688 at SUSECVE-2019-8688 at NVDCVE-2019-8689 at SUSECVE-2019-8689 at NVDCVE-2019-8690 at SUSECVE-2019-8690 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-Werkzeug (Moderate)SUSE OpenStack Cloud 8
This update for python-Werkzeug fixes the following issues:
Security issue fixed:
- CVE-2019-14806: Fixed the development server in Docker, the debugger security pin is now unique per container (bsc#1145383).
ModerateSUSE bug 1145383CVE-2019-14806 at SUSECVE-2019-14806 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_8_0-ibm (Important)SUSE OpenStack Cloud 8
This update for java-1_8_0-ibm fixes the following issues:
Update to Java 8.0 Service Refresh 5 Fix Pack 40.
Security issues fixed:
- CVE-2019-11771: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-11772: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-11775: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-4473: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-7317: Fixed issue inside Component AWT (libpng)(bsc#1141780).
- CVE-2019-2769: Fixed issue inside Component Utilities (bsc#1141783).
- CVE-2019-2762: Fixed issue inside Component Utilities (bsc#1141782).
- CVE-2019-2816: Fixed issue inside Component Networking (bsc#1141785).
- CVE-2019-2766: Fixed issue inside Component Networking (bsc#1141789).
- CVE-2019-2786: Fixed issue inside Component Security (bsc#1141787).
ImportantSUSE bug 1122292SUSE bug 1122299SUSE bug 1141780SUSE bug 1141782SUSE bug 1141783SUSE bug 1141785SUSE bug 1141787SUSE bug 1141789SUSE bug 1147021CVE-2018-11212 at SUSECVE-2018-11212 at NVDCVE-2019-11771 at SUSECVE-2019-11771 at NVDCVE-2019-11772 at SUSECVE-2019-11772 at NVDCVE-2019-11775 at SUSECVE-2019-11775 at NVDCVE-2019-2449 at SUSECVE-2019-2449 at NVDCVE-2019-2762 at SUSECVE-2019-2762 at NVDCVE-2019-2766 at SUSECVE-2019-2766 at NVDCVE-2019-2769 at SUSECVE-2019-2769 at NVDCVE-2019-2786 at SUSECVE-2019-2786 at NVDCVE-2019-2816 at SUSECVE-2019-2816 at NVDCVE-2019-4473 at SUSECVE-2019-4473 at NVDCVE-2019-7317 at SUSECVE-2019-7317 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ibus (Important)SUSE OpenStack Cloud 8
This update for ibus fixes the following issues:
Security issue fixed:
- CVE-2019-14822: Fixed a misconfiguration of the DBus server that allowed an unprivileged user to monitor and send method calls to the ibus bus of another user. (bsc#1150011)
ImportantSUSE bug 1150011CVE-2019-14822 at SUSECVE-2019-14822 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openssl (Moderate)SUSE OpenStack Cloud 8
This update for openssl fixes the following issues:
OpenSSL Security Advisory [10 September 2019]
- CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance (bsc#1150003).
- CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250).
ModerateSUSE bug 1150003SUSE bug 1150250CVE-2019-1547 at SUSECVE-2019-1547 at NVDCVE-2019-1563 at SUSECVE-2019-1563 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox to ESR 60.9 fixes the following issues:
Security issues fixed:
- CVE-2019-11742: Fixed a same-origin policy violation involving SVG filters and canvas to steal cross-origin images. (bsc#1149303)
- CVE-2019-11746: Fixed a use-after-free while manipulating video. (bsc#1149297)
- CVE-2019-11744: Fixed an XSS caused by breaking out of title and textarea elements using innerHTML. (bsc#1149304)
- CVE-2019-11753: Fixed a privilege escalation with Mozilla Maintenance Service in custom Firefox installation location. (bsc#1149295)
- CVE-2019-11752: Fixed a use-after-free while extracting a key value in IndexedDB. (bsc#1149296)
- CVE-2019-11743: Fixed a timing side-channel attack on cross-origin information, utilizing unload event attributes. (bsc#1149298)
- CVE-2019-11740: Fixed several memory safety bugs. (bsc#1149299)
ImportantSUSE bug 1149294SUSE bug 1149295SUSE bug 1149296SUSE bug 1149297SUSE bug 1149298SUSE bug 1149299SUSE bug 1149303SUSE bug 1149304SUSE bug 1149324CVE-2019-11740 at SUSECVE-2019-11740 at NVDCVE-2019-11742 at SUSECVE-2019-11742 at NVDCVE-2019-11743 at SUSECVE-2019-11743 at NVDCVE-2019-11744 at SUSECVE-2019-11744 at NVDCVE-2019-11746 at SUSECVE-2019-11746 at NVDCVE-2019-11752 at SUSECVE-2019-11752 at NVDCVE-2019-11753 at SUSECVE-2019-11753 at NVDCVE-2019-9812 at SUSECVE-2019-9812 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-Twisted (Moderate)SUSE OpenStack Cloud 8
This update for python-Twisted fixes the following issues:
Security issue fixed:
- CVE-2019-12855: Fixed TLS certificate verification to protecting against MITM attacks (bsc#1138461).
ModerateSUSE bug 1138461CVE-2019-12855 at SUSECVE-2019-12855 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for dovecot22 (Important)SUSE OpenStack Cloud 8
This update for dovecot22 fixes the following issues:
- CVE-2019-11500: Fixed a potential remote code execution in the IMAP and ManageSieve protocol parsers (bsc#1145559).
ImportantSUSE bug 1145559CVE-2019-11500 at SUSECVE-2019-11500 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for mariadb (Moderate)SUSE OpenStack Cloud 8
This update for mariadb fixes the following issues:
Updated to MariaDB 10.0.40-1.
Security issues fixed:
- CVE-2019-2805, CVE-2019-2740, CVE-2019-2739, CVE-2019-2737,
CVE-2019-2614, CVE-2019-2627. (bsc#1132826) (bsc#1141798).
Non-security issues fixed:
- Adjusted mysql-systemd-helper ('shutdown protected MySQL' section)
so it checks both ping response and the pid in a process list
as it can take some time till the process is terminated.
Otherwise it can lead to 'found left-over process' situation
when regular mariadb is started. (bsc#1143215)
- Fixed IP resolving in mysql_install_db script. (bsc#1142058, bsc#1127027, MDEV-18526)
ModerateSUSE bug 1127027SUSE bug 1132826SUSE bug 1141798SUSE bug 1142058SUSE bug 1143215CVE-2019-2614 at SUSECVE-2019-2614 at NVDCVE-2019-2627 at SUSECVE-2019-2627 at NVDCVE-2019-2737 at SUSECVE-2019-2737 at NVDCVE-2019-2739 at SUSECVE-2019-2739 at NVDCVE-2019-2740 at SUSECVE-2019-2740 at NVDCVE-2019-2805 at SUSECVE-2019-2805 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ghostscript (Important)SUSE OpenStack Cloud 8
This update for ghostscript to 9.27 fixes the following issues:
Security issues fixed:
- CVE-2019-3835: Fixed an unauthorized file system access caused by an available superexec operator. (bsc#1129180)
- CVE-2019-3839: Fixed an unauthorized file system access caused by available privileged operators. (bsc#1134156)
- CVE-2019-12973: Fixed a denial-of-service vulnerability in the OpenJPEG function opj_t1_encode_cblks. (bsc#1140359)
- CVE-2019-14811: Fixed a safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator. (bsc#1146882)
- CVE-2019-14812: Fixed a safer mode bypass by .forceput exposure in setuserparams. (bsc#1146882)
- CVE-2019-14813: Fixed a safer mode bypass by .forceput exposure in setsystemparams. (bsc#1146882)
- CVE-2019-14817: Fixed a safer mode bypass by .forceput exposure in .pdfexectoken and other procedures. (bsc#1146884)
ImportantSUSE bug 1129180SUSE bug 1131863SUSE bug 1134156SUSE bug 1140359SUSE bug 1146882SUSE bug 1146884CVE-2019-12973 at SUSECVE-2019-12973 at NVDCVE-2019-14811 at SUSECVE-2019-14811 at NVDCVE-2019-14812 at SUSECVE-2019-14812 at NVDCVE-2019-14813 at SUSECVE-2019-14813 at NVDCVE-2019-14817 at SUSECVE-2019-14817 at NVDCVE-2019-3835 at SUSECVE-2019-3835 at NVDCVE-2019-3839 at SUSECVE-2019-3839 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libgcrypt (Moderate)SUSE OpenStack Cloud 8
This update for libgcrypt fixes the following issues:
Security issues fixed:
- CVE-2019-13627: Mitigated ECDSA timing attack. (bsc#1148987)
ModerateSUSE bug 1148987CVE-2019-13627 at SUSECVE-2019-13627 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
Updated to new ESR version 68.1 (bsc#1149323).
In addition to the already fixed vulnerabilities released in previous ESR updates,
the following were also fixed:
CVE-2019-11751, CVE-2019-11736, CVE-2019-9812, CVE-2019-11748, CVE-2019-11749,
CVE-2019-11750, CVE-2019-11738, CVE-2019-11747, CVE-2019-11735.
Several run-time issues were also resolved (bsc#1117473, bsc#1124525, bsc#1133810).
The version displayed in Help > About is now correct (bsc#1087200).
ImportantSUSE bug 1087200SUSE bug 1109465SUSE bug 1117473SUSE bug 1123482SUSE bug 1124525SUSE bug 1133810SUSE bug 1140868SUSE bug 1145665SUSE bug 1149323CVE-2019-11709 at SUSECVE-2019-11709 at NVDCVE-2019-11710 at SUSECVE-2019-11710 at NVDCVE-2019-11711 at SUSECVE-2019-11711 at NVDCVE-2019-11712 at SUSECVE-2019-11712 at NVDCVE-2019-11713 at SUSECVE-2019-11713 at NVDCVE-2019-11714 at SUSECVE-2019-11714 at NVDCVE-2019-11715 at SUSECVE-2019-11715 at NVDCVE-2019-11716 at SUSECVE-2019-11716 at NVDCVE-2019-11717 at SUSECVE-2019-11717 at NVDCVE-2019-11718 at SUSECVE-2019-11718 at NVDCVE-2019-11719 at SUSECVE-2019-11719 at NVDCVE-2019-11720 at SUSECVE-2019-11720 at NVDCVE-2019-11721 at SUSECVE-2019-11721 at NVDCVE-2019-11723 at SUSECVE-2019-11723 at NVDCVE-2019-11724 at SUSECVE-2019-11724 at NVDCVE-2019-11725 at SUSECVE-2019-11725 at NVDCVE-2019-11727 at SUSECVE-2019-11727 at NVDCVE-2019-11728 at SUSECVE-2019-11728 at NVDCVE-2019-11729 at SUSECVE-2019-11729 at NVDCVE-2019-11730 at SUSECVE-2019-11730 at NVDCVE-2019-11733 at SUSECVE-2019-11733 at NVDCVE-2019-11735 at SUSECVE-2019-11735 at NVDCVE-2019-11736 at SUSECVE-2019-11736 at NVDCVE-2019-11738 at SUSECVE-2019-11738 at NVDCVE-2019-11740 at SUSECVE-2019-11740 at NVDCVE-2019-11742 at SUSECVE-2019-11742 at NVDCVE-2019-11743 at SUSECVE-2019-11743 at NVDCVE-2019-11744 at SUSECVE-2019-11744 at NVDCVE-2019-11746 at SUSECVE-2019-11746 at NVDCVE-2019-11747 at SUSECVE-2019-11747 at NVDCVE-2019-11748 at SUSECVE-2019-11748 at NVDCVE-2019-11749 at SUSECVE-2019-11749 at NVDCVE-2019-11750 at SUSECVE-2019-11750 at NVDCVE-2019-11751 at SUSECVE-2019-11751 at NVDCVE-2019-11752 at SUSECVE-2019-11752 at NVDCVE-2019-11753 at SUSECVE-2019-11753 at NVDCVE-2019-9811 at SUSECVE-2019-9811 at NVDCVE-2019-9812 at SUSECVE-2019-9812 at NVDcpe:/o:suse:suse-openstack-cloud:8Recommended update for python-setuptools and dependend packages (Moderate)SUSE OpenStack Cloud 8
All changes necessary for upgrade of python-setuptools to 40.6.2 (bsc#1075812)
New packages:
- python-cachetools
- python-google-auth
- python-packaging
Rebuilt without source changes:
- python-cffi
- python-cliff
- python-mock
- python-oauthlib
- python-pbr
- python-PyJWT
- python-pytest
Added python3 packages:
- python-hgtools
- python-pyasn1-modules
- python-rsa
Updated:
- python-kubernetes
Updated to version 6.0
- python-pyparsing
Was updated to version 2.2.0.
- python-setuptools
Was upgraded to version 40.6.2.
ModerateSUSE bug 1024540SUSE bug 1054413SUSE bug 1074247SUSE bug 1075812SUSE bug 1088358SUSE bug 1091826SUSE bug 1110422CVE-2016-9015 at SUSECVE-2016-9015 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for binutils (Moderate)SUSE OpenStack Cloud 8
This update for binutils fixes the following issues:
binutils was updated to current 2.32 branch @7b468db3 [jsc#ECO-368]:
Includes the following security fixes:
- CVE-2018-17358: Fixed invalid memory access in _bfd_stab_section_find_nearest_line in syms.c (bsc#1109412)
- CVE-2018-17359: Fixed invalid memory access exists in bfd_zalloc in opncls.c (bsc#1109413)
- CVE-2018-17360: Fixed heap-based buffer over-read in bfd_getl32 in libbfd.c (bsc#1109414)
- CVE-2018-17985: Fixed a stack consumption problem caused by the cplus_demangle_type (bsc#1116827)
- CVE-2018-18309: Fixed an invalid memory address dereference was discovered in read_reloc in reloc.c (bsc#1111996)
- CVE-2018-18483: Fixed get_count function provided by libiberty that allowed attackers to cause a denial of service or other unspecified impact (bsc#1112535)
- CVE-2018-18484: Fixed stack exhaustion in the C++ demangling functions provided by libiberty, caused by recursive stack frames (bsc#1112534)
- CVE-2018-18605: Fixed a heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup causing a denial of service (bsc#1113255)
- CVE-2018-18606: Fixed a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments, causing denial of service (bsc#1113252)
- CVE-2018-18607: Fixed a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section, causing denial of service (bsc#1113247)
- CVE-2018-19931: Fixed a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h (bsc#1118831)
- CVE-2018-19932: Fixed an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA (bsc#1118830)
- CVE-2018-20623: Fixed a use-after-free in the error function in elfcomm.c (bsc#1121035)
- CVE-2018-20651: Fixed a denial of service via a NULL pointer dereference in elf_link_add_object_symbols in elflink.c (bsc#1121034)
- CVE-2018-20671: Fixed an integer overflow that can trigger a heap-based buffer overflow in load_specific_debug_section in objdump.c (bsc#1121056)
- CVE-2018-1000876: Fixed integer overflow in bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc in objdump (bsc#1120640)
- CVE-2019-1010180: Fixed an out of bound memory access that could lead to crashes (bsc#1142772)
- Enable xtensa architecture (Tensilica lc6 and related)
- Use -ffat-lto-objects in order to provide assembly for static libs
(bsc#1141913).
- Fixed some LTO problems (bsc#1133131 bsc#1133232).
- riscv: Don't check ABI flags if no code section
Update to binutils 2.32:
* The binutils now support for the C-SKY processor series.
* The x86 assembler now supports a -mvexwig=[0|1] option to control
encoding of VEX.W-ignored (WIG) VEX instructions.
It also has a new -mx86-used-note=[yes|no] option to generate (or
not) x86 GNU property notes.
* The MIPS assembler now supports the Loongson EXTensions R2 (EXT2),
the Loongson EXTensions (EXT) instructions, the Loongson Content
Address Memory (CAM) ASE and the Loongson MultiMedia extensions
Instructions (MMI) ASE.
* The addr2line, c++filt, nm and objdump tools now have a default
limit on the maximum amount of recursion that is allowed whilst
demangling strings. This limit can be disabled if necessary.
* Objdump's --disassemble option can now take a parameter,
specifying the starting symbol for disassembly. Disassembly will
continue from this symbol up to the next symbol or the end of the
function.
* The BFD linker will now report property change in linker map file
when merging GNU properties.
* The BFD linker's -t option now doesn't report members within
archives, unless -t is given twice. This makes it more useful
when generating a list of files that should be packaged for a
linker bug report.
* The GOLD linker has improved warning messages for relocations that
refer to discarded sections.
- Improve relro support on s390 [fate#326356]
- Handle ELF compressed header alignment correctly.
ModerateSUSE bug 1109412SUSE bug 1109413SUSE bug 1109414SUSE bug 1111996SUSE bug 1112534SUSE bug 1112535SUSE bug 1113247SUSE bug 1113252SUSE bug 1113255SUSE bug 1116827SUSE bug 1118830SUSE bug 1118831SUSE bug 1120640SUSE bug 1121034SUSE bug 1121035SUSE bug 1121056SUSE bug 1133131SUSE bug 1133232SUSE bug 1141913SUSE bug 1142772CVE-2018-1000876 at SUSECVE-2018-1000876 at NVDCVE-2018-17358 at SUSECVE-2018-17358 at NVDCVE-2018-17359 at SUSECVE-2018-17359 at NVDCVE-2018-17360 at SUSECVE-2018-17360 at NVDCVE-2018-17985 at SUSECVE-2018-17985 at NVDCVE-2018-18309 at SUSECVE-2018-18309 at NVDCVE-2018-18483 at SUSECVE-2018-18483 at NVDCVE-2018-18484 at SUSECVE-2018-18484 at NVDCVE-2018-18605 at SUSECVE-2018-18605 at NVDCVE-2018-18606 at SUSECVE-2018-18606 at NVDCVE-2018-18607 at SUSECVE-2018-18607 at NVDCVE-2018-19931 at SUSECVE-2018-19931 at NVDCVE-2018-19932 at SUSECVE-2018-19932 at NVDCVE-2018-20623 at SUSECVE-2018-20623 at NVDCVE-2018-20651 at SUSECVE-2018-20651 at NVDCVE-2018-20671 at SUSECVE-2018-20671 at NVDCVE-2019-1010180 at SUSECVE-2019-1010180 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for sudo (Important)SUSE OpenStack Cloud 8
This update for sudo fixes the following issues:
Security issue fixed:
- CVE-2019-14287: Fixed an issue where a user with sudo privileges
that allowed them to run commands with an arbitrary uid, could
run commands as root, despite being forbidden to do so in sudoers
(bsc#1153674).
ImportantSUSE bug 1153674CVE-2019-14287 at SUSECVE-2019-14287 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libpcap (Important)SUSE OpenStack Cloud 8
This update for libpcap fixes the following issues:
- CVE-2019-15165: Added sanity checks for PHB header length before allocating memory (bsc#1153332).
- CVE-2018-16301: Fixed a buffer overflow (bsc#1153332).
ImportantSUSE bug 1153332CVE-2018-16301 at SUSECVE-2018-16301 at NVDCVE-2019-15165 at SUSECVE-2019-15165 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for xen (Important)SUSE OpenStack Cloud 8
This update for xen fixes the following issues:
Security issues fixed:
- CVE-2019-15890: Fixed a use-after-free in SLiRP networking implementation of QEMU emulator
which could have led to Denial of Service (bsc#1149813).
- CVE-2019-12068: Fixed an issue in lsi which could lead to an infinite loop and denial of
service (bsc#1146874).
- CVE-2019-14378: Fixed a heap buffer overflow in SLiRp networking implementation of QEMU
emulator which could have led to execution of arbitrary code with privileges of the
QEMU process (bsc#1143797).
Other issue fixed:
- Fixed an issue where libxenlight could not restore domain vsa6535522 on live migration (bsc#1133818).
ImportantSUSE bug 1126140SUSE bug 1126141SUSE bug 1126192SUSE bug 1126195SUSE bug 1126196SUSE bug 1126197SUSE bug 1126198SUSE bug 1126201SUSE bug 1127400SUSE bug 1133818SUSE bug 1143797SUSE bug 1146874SUSE bug 1149813CVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDCVE-2019-12068 at SUSECVE-2019-12068 at NVDCVE-2019-14378 at SUSECVE-2019-14378 at NVDCVE-2019-15890 at SUSECVE-2019-15890 at NVDCVE-2019-17340 at SUSECVE-2019-17340 at NVDCVE-2019-17341 at SUSECVE-2019-17341 at NVDCVE-2019-17342 at SUSECVE-2019-17342 at NVDCVE-2019-17343 at SUSECVE-2019-17343 at NVDCVE-2019-17344 at SUSECVE-2019-17344 at NVDCVE-2019-17345 at SUSECVE-2019-17345 at NVDCVE-2019-17346 at SUSECVE-2019-17346 at NVDCVE-2019-17347 at SUSECVE-2019-17347 at NVDCVE-2019-17348 at SUSECVE-2019-17348 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for nfs-utils (Moderate)SUSE OpenStack Cloud 8
This update for nfs-utils fixes the following issues:
- CVE-2019-3689: Fixed root-owned files stored in insecure /var/lib/nfs. (bsc#1150733)
ModerateSUSE bug 1150733CVE-2019-3689 at SUSECVE-2019-3689 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ardana-ansible, ardana-glance, ardana-horizon, ardana-input-model, ardana-manila, ardana-neutron, ardana-nova, ardana-octavia, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, galera-3, grafana, mariadb, mariadb-connector-c, novnc, openstack-cinder, openstack-glance, openstack-heat, openstack-horizon-plugin-neutron-vpnaas-ui, openstack-keystone, openstack-monasca-installer, openstack-neutron, openstack-neutron-gbp, openstack-neutron-lbaas, openstack-nova, python-amqp, python-ovs, python-pysaml2, python-python-engineio, python-urllib3, release-notes-suse-openstack-cloud, rubygem-easy_diff, rubygem-rest-client-1_6, venv-openstack-keystone (Moderate)SUSE OpenStack Cloud 8
This update for ardana-ansible, ardana-glance, ardana-horizon, ardana-input-model, ardana-manila, ardana-neutron, ardana-nova, ardana-octavia, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, galera-3, grafana, mariadb, mariadb-connector-c, novnc, openstack-cinder, openstack-glance, openstack-heat, openstack-horizon-plugin-neutron-vpnaas-ui, openstack-keystone, openstack-monasca-installer, openstack-neutron, openstack-neutron-gbp, openstack-neutron-lbaas, openstack-nova, python-amqp, python-ovs, python-pysaml2, python-python-engineio, python-urllib3, release-notes-suse-openstack-cloud, rubygem-easy_diff, rubygem-rest-client-1_6, venv-openstack-keystone contains the following fixes:
- Update to version 8.0+git.1566374355.c509923:
* Use raw image format when using SES backend on Nova (SOC-9285)
- Update to version 8.0+git.1566376789.be0fe01:
* Configure glance image_direct_url/multiple_locations (SOC-9285)
- Update to version 8.0+git.1565816064.5d4f73f:
* Removed None condition from rule (SOC-10003)
- Update to version 8.0+git.1566517401.98450e6:
* Add neutron-fwaas.json when neutron-l3-agent is deployed (SOC-10280)
- Update to version 8.0+git.1568835837.2452e7a:
* Ensure Manila services don't auto start on reboot (SOC-10641)
- Update to version 8.0+git.1568220097.74ee4b4:
* API extension paths separated by colon (SOC-10447)
- Update to version 8.0+git.1567555448.5ecd5b0:
* Add dependent services to neutron services (SOC-8746)
- Update to version 8.0+git.1566517377.f2a8c54:
* Add policy.d/neutron-fwaas.json.j2 (SOC-10280)
- Update to version 8.0+git.1566902754.c58ff69:
* Install libosinfo package (SOC-10295)
- Update to version 8.0+git.1565946419.a76c00e:
* Set diskcachemode and disk discard when using RBD (SOC-10182)
- Update to version 8.0+git.1568373448.bcaee7e:
* Make octavia heartbeat frequency options configurable (SOC-9285)
- Update to version 8.0+git.1566374572.a3c91d9:
* Include SES variables when configuring image (SOC-9285)
- Update to version 8.0+git.1566208257.5213d93:
* Use default values for amphora connection retries/timeout (SOC-9285)
- Update to version 8.0+git.1566471887.fd2fec7:
* Delete existing run filter before deploying it (SOC-10287)
- Update to version 5.0+git.1569597589.1f025c557:
* barclamp_lib: Sync timeout with other barclamps (SOC-10513, SOC-10011)
- Update to version 5.0+git.1569231378.ac645b753:
* Revert 'batch: Use easy_merge for merging (SOC-10505)'
- Update to version 5.0+git.1569103607.ee4a6cbc9:
* upgrade: Fix pie chart colors on dashboard (SOC-10619)
- Update to version 5.0+git.1568983947.70c39b8c7:
* batch: Use easy_merge for merging (SOC-10505)
- Update to version 5.0+git.1568317972.dfb856def:
* upgrade: Fix pre-checks tests (SOC-9868)
* Allow designate rndc for all nodes (SOC-10339)
- Update to version 5.0+git.1568210854.4f87b86f8:
* gems: Update easy_diff to 1.0.0 (SOC-10505)
- Update to version 5.0+git.1567531836.e06d68030:
* Public ips for dns nodes when designate integration is in use (SOC-9635)
- Update to version 5.0+git.1567513044.e9ef28b03:
* crowbar: Do not read /etc/crowbar.install.key in non-SUSE init script
* transition.sh: Do not read /etc/crowbar.install.key
* gather_logs: Make it a bit useful again
* gather_logs: Do not read /etc/crowbar.install.key
* network: Check existing upper layers before bond setup (bsc#1120657)
* network: never plug two interface into the same ovs bridge (bsc#1120657)
* network: Avoid plugging the same interface to two ovs bridges (bsc#1120657)
* nic library: some helper for identifying base interface (bsc#1120657)
* network: Rework the vlan port replugging code (bsc#1120657)
* network: DRY out 'kill_nic_files' (noref)
- Update to version 5.0+git.1567161136.fa34ac9f2:
* Add CVE-2019-5477 the to travis ignore list (SOC-9635)
- Update to version 5.0+git.1567094388.48f2be817:
* upgrade: Add more prechecks for 8->9 (SOC-9868)
- Update to version 5.0+git.1567673535.607aada:
* Fix typo in error message
- add cirros-0.4.0-x86_64-disk.img (SOC-9298, SOC-10844)
* the disk img is required to run the barbican tempest test
- Update to version 5.0+git.1570141351.058c8bd44:
* tempest:install designate tempest plugin for SOC8 (SOC-10288)
- Update to version 5.0+git.1569972328.9d475ceb9:
* [5.0] Designate: Add dns_domain_ports config (SOC-10740)
- Update to version 5.0+git.1569933916.d38d07e2d:
* Install barbican tempest plugin for SOC8 (SOC-10191)
* Designate: Filter out the admin node (SOC-10658)
- Update to version 5.0+git.1569885207.573f090bd:
* 5.0: designate: Fix the keys syntax error on migrations (SOC-10660)
- Update to version 5.0+git.1569620621.21c6c5459:
* helper:move config_for_role_exists from horizon to crowbar-openstack(SOC-10191)
- Update to version 5.0+git.1569431597.02675553d:
* tempest: don't rely on service catalogue (SOC-10633)
* glance: don't reuse sync mark names (SOC-10348)
* enable LDAP chase_referrals configuration (SOC-7364)
* nova: set default attribute for max_threads_per_process
- Update to version 5.0+git.1569053854.bb65c0fd1:
* Make ovs of_inactivity_probe configurable from neutron barclamp
- Update to version 5.0+git.1568904694.4d6e71fd1:
* Revert 'designate: Mark as user managed (SOC-10233)'
- Update to version 5.0+git.1568762121.5889ee9c4:
* Octavia: Hide UI until complete (SOC-10550)
- Update to version 5.0+git.1568721569.5927d34b8:
* designate: Mark as user managed (SOC-10233)
- Update to version 5.0+git.1568593066.8a7e963dd:
* designate: cleanup producer HA deployment (SOC-9766)
- Update to version 5.0+git.1568373930.d508e93f7:
* designate: Correct missing variable (SOC-10549)
- Update to version 5.0+git.1568323106.c080edcc1:
* neutron: Add 'insecure' to old cli calls (SOC-10453)
- Update to version 5.0+git.1568303804.bd258bef6:
* designate: No longer care about master/slave (SOC-10456)
- Update to version 5.0+git.1568173760.4a32699b1:
* nova: raise neutron client timeout to 5 minutes
* neutron: Small cleanup to neutron_lbaas.conf template
- Update to version 5.0+git.1568117991.15d77c6ea:
* Designate default Bind9 pool config (SOC-10339)
- Update to version 5.0+git.1568034797.254b8fb85:
* tempest: Skip manila and ceilometer tests (SOC-9799)
- Update to version 5.0+git.1567660321.885064382:
* nova: Don't put nova-compute roles on monasca node (SOC-10373)
- Update to version 5.0+git.1567513535.f2939eeed:
* designate: Update ns_records with all nameservers (SOC-9636)
* designate: Deploy producer on a server node (SOC-9766)
- Update to version 5.0+git.1567165725.8d5b4fa26:
* horizon: fix Grafana in HA clouds (bsc#1116846)
- Update to version 5.0+git.1567094879.c918a5e23:
* Fix barbican SSL support (SOC-9298)
* Add/fix run_filters
* Add tempest filters based on services (SOC-9298)
- Update to version 5.0+git.1566858336.891ddbf31:
* Fix magnum tempest tests (SOC-9298)
* tempest: only assign creator role if needed
* database: Hardcode ruby version for package installation (SOC-10010)
- Update to version 5.0+git.1566838653.efe3b147d:
* memcache: lookup memcached servers port only on local node (SOC-10173)
* designate: initialize email in default designate proposal
* horizon: Install designate plugin when configured (SOC-9695)
- Update to version 5.0+git.1566629404.88dae370a:
* Designate: Update DB pools configuration (SOC-9767)
- Update to version 5.0+git.1566256160.59ebd76c0:
* designate: Configure resource settings (SOC-9633)
- Update to version 1.2.0+git.1568396400.0344a727:
* upgrade: Add missing precheck titles
- Update to 25.3.25:
* A new Galera configuration parameter cert.optimistic_pa was added. If the
parameter value is set to true, full parallellization in applying write
sets is allowed as determined by certification algorithm. If set to false,
no more parallellism is allowed in applying than seen on the master.
* Support for ECDH OpenSSL engines on CentOS 6 (galera#520)
* Fixed compilation on Debian testing and unstable (galera#516, galera#528)
- Add unescape_IPv6_bind_ip.patch
* https://github.com/dciabrin/galera-1/commit/0f6f8aeeb09809280c956514cfd5844b8acad4f9
- Add CVE-2019-15043.patch (SOC-10357)
* Adds authentication to a few rest endpoints
see: https://github.com/grafana/grafana/compare/v5.4.4...v5.4.5
- Update to version 4.6.5:
* release 4.6.5
CVE-2018-19039 (jsc#SOC-9976)
File Exfiltration vulnerability Security fix
* Updated version to 4.6.4.
CVE-2018-558213/CVE-2018-558213 (jsc#SOC-9980)
Important fix for LDAP & OAuth login vulnerability
* Updated version to 4.6.4.
* sql: added code migration type
* release 4.6.3
* fix default alias
* fixes broken alert eval when first condition is using OR
* fix: alert list panel now works correctly after adding manual annotation on dashboard, fixes #9951
* fix: fix for avatar images when gzip is turned on, fixes #5952
* sets version to 4.6.2
* prom: add support for default step param (#9866)
* build: fixed jshint error
* fix: Html escaping caused issue in InfluxDB query editor, could not pick greater than or less then operators, fixes #9871
* heatmap: fix tooltip in 'Time series bucket' mode, #9332 (#9867)
* fix cloudwatch ec2_instance_attribute (#9718)
* colorpicker: fix color string change #9769 (#9780)
* changes version to 4.6.1
* fix: panel view now wraps, no scrolling required, fixes #9746
* plugins: fix for loading external plugins behind auth proxy, fixes #9509
* fix: color picker bug at series overrides page, #9715 (#9738)
* tech: switch to golang 1.9.2
* tech: add missing include
* save as should only delete threshold for panels with alerts
* fix: graphite annotation tooltip included undefined, fixes #9707
* build: updated version to v4.6.0
* plugins: added backward compatible path for rxjs
* ux: updated singlestat default colors
* prometheus: fixed unsaved changes warning when changing time range due to step option on query model was changed in datasource.query code, fixes #9675
* fix: firefox can now create region annotations, fixes #9638
* alerting: only editors can pause rules
* fix: another fix for playlist view state, #9639
* fix: fixed playlist controls and view state, fixes #9639
* prom: adds pre built grafana dashboard
* bump version for publish_testing.sh
* update version to 4.6.0-beta3
* plugins: expose dashboard impression store
* modify $__timeGroup macro so it can be used in select clause (#9527)
* plugins: fixes path issue on Windows
* prometheus: enable gzip for /metrics endpoint
* fix: fixed save to file button in export modal, fixes #9586
* mysql: add usage stats for mysql
* pluginloader: esModule true for systemjs config
* Fix heatmap Y axis rendering (#9580)
* fix vector range
* prometheus: add builtin template variable as range vectors
* fix: fixed prometheus step issue that caused browser crash, fixes #9575
* fix: getting started panel and mark adding data source as done, fixes #9568
* Fixes for annotations API (#9577)
* bump packagecloud script
* build: added imports of rxjs utility functions
* prepare for v4.6.0-beta2 release
* fix template variable expanding
* annotations: quote reserved fields (#9550)
* ux: align alert and btn colors
* fix: fixed color pickers that were broken in minified builds, fixes #9549
* textpanel: fixes #9491
* csv: fix import for saveAs shim
* plugins: expose more util and flot dependencies
* alert_tab: clear test result when testing rules
* (cloudwatch) fix cloudwatch query error over 24h (#9536)
* show error message when cloudwatch datasource can't add
* update packagecloud script for 4.6.0-beta1
* changelog: adds note about closing #9516
* alerting: add count_non_null reducer
* Update rpm.md
* fix: can now remove annotation tags without popover closing
* tech: add backward compatibility for <spectrum-picker> directive (#9510)
* fix: fixed links on new 404 page, fixes #9493
* logging: dont use cli logger in http_server
* oauth: raise error if session state is missing
* oauth: provide more logging for failed oauth requests
* prepare for 4.6.0-beta1 release
* docs: updated whats new article
* docs: initial draft release v46
* graph: fix y-axis decimalTick check. Fixes #9405
* minor docs update
* docs: annotation docs update
* changelog: adds note about closing #7104
* changelog: adds note about closing #9373
* metrics: disable gzip for /metrics endpoint (#9468)
* Annotation docs (#9506)
* Update CHANGELOG.md
* Update PLUGIN_DEV.md
* Update PLUGIN_DEV.md
* Update README.md
* Fixed link issue in CHANGELOG
* Create PLUGIN_DEV.md
* changelog: adds note about closing #9371,#5334,#8812
* ds_edit: placeholder should only be cert header
* fixed minor styling issus (#9497)
* fix: alert api limit param did not work and caused SQL syntax error, fixes #9492
* annotations: add endpoint for writing graphite-like events (#9495)
* Update unsaved_changes_modal.ts
* fix: set lastSeenAt date when creating users to then years in past insteasd of empty date, fixes #9260
* ux: minor ux fix
* Retain old name for TLS client auth
* Return error if datasource TLS CA not parsed
* Datasource settings: Make HTTP all caps
* Datasource HTTP settings: Add TLS skip verify
* Make URL capitalisation consistent in UI
* Alias macron package in app_routes.go
* Verify datasource TLS and split client auth and CA
* Tidy spacing in datasource TLS settings
* Tests: Clarify what InsecureSkipVerify does
* postgres: add missing ngInject decorator
* docs: initial docs for new annotation features, #9483
* Adds note for #9209 to changelog
* Postgres Data Source (#9475)
* tech: expose more to plugins, closes #9456
* Fix NaN handling (#9469)
* snapshots: improve snapshot listing performance, #9314 (#9477)
* mysql: fix interpolation for numbers in temp vars
* Added docs for Kafka alerting
* Fixed failing go tests
* gofmt fixes
* Added tests
* Kafka REST Proxy works with Grafana
* added insrtuctions for oauth2 okta bitbucket (#9471)
* Unified Color picker fixes (#9466)
* Show min interval query option for mixed datasource (#9467)
* gzip: plugin readme content set explicitly
* ignore pattern for vendored libs
* fix: escape metric segment auto complete, fixes #9423
* Corrected a PostgreSQL SELECT statement. (#9460)
* tests: found the unhandled promise issue in the dash import tests
* testing: fixing tests
* annotations: minor change to default/edit annotation color
* Create annotations (#8197)
* OAuth: Rename sslcli
* OAuth: Separate TLS client auth and CA config
* OAuth: Check both TLS client cert and key
* Always verify TLS unless explicitly told otherwise
* fix: threshold's colors in table panels (#9445) (#9453)
* singlestat: fix sizing bug #9337 (#9448)
* Revert 'Fix coloring in singlestat if null value (#9438)' (#9443)
* Fix coloring in singlestat if null value (#9438)
* fix: missing semicolon
* changed jsontree to use jsonexplorer (#9416)
* docs page for authproxy (#9420)
* Update codebox (#9430)
* Series color picker fix (#9442)
* fix type in readme
* removed commented line
* changelog: adds note about closing #9110
* Fixed typo
* Change empty string checks and improve logging
* changelog: adds note about closing #9208
* Fix spelling on 404 page.
* Lint fix
* Update kbn.js
* Add Norwegian Krone denominator for currency
* fixed layout for column options, changed dropdown for date format kept old code
* build: add noUnusedLocals to tsc parameters
* build: install go based on env variable
* changes go version to 1.9.1
* changelog: adds note about closing #9226
* changelog: add note about closing #9429
* changelog: adds note about closing #9399
* Fix formatting issue
* Add milliseconds format in table panel's config
* support for s3 path (#9151)
* Remove apparently unnecessary .flush() calls.
* Fix empty message and toolong attribute names Use default state message if no message is provided by the user Slice attribute name to maximum of 50 chars
* Address review comments.
* changelog: add note about closing #7175
* plugin_loader: expose app_events to plugins
* Add the missing comma
* colorpicker: refactoring the new unififed colorpicker, #9347
* Unified colorpicker (#9347)
* fix missing column headers in excel export (#9413)
* build: remove clean plugin from dev build
* build: fixed broken elastic unit test
* shore: cleanup unused stuff in common.d.ts
* Build URL for close alert request differently
* some restyling (#9409)
* Docs text fixes (#9408)
* Checkbox fixes (#9400)
* fix: ensure panel.datasource is null as default
* plugibs: expose more to plugins
* properly parse & pass upload image bool from config
* break out slack upload into separate function
* tech: minor npm scripts update
* build: fixed build
* refactoring: minor refactoring of PR #8916
* Update script to make it use OpsGenie's REST API
* docs: minor docs fix
* Merge branch 'master' of github.com:grafana/grafana
* build: minor webpack fix
* docs: updated building from source docs
* playlist: play and edit should use same width
* shore: fixed html indentation, #9368
* tech: updated yarn.lock
* shore: minor cleanup
* Webpack (#9391)
* fixing json for CI
* adding support for token-based slack file.upload API call for posting images to slack
* changelog: adds note about closing #8479
* changelog: adds note about closing #8050
* changelog: adds note about closing #9386
* change pdiff to percent_diff for conditions
* panel: rename label on csv export modal
* add diff and pdiff for conditions
* fix, add targetContainsTemplate()
* fix cloudwatch alert bug
* add debug log
* move extend statistics handling code to backend
* fix assume role
* improve cloudwatch tsdb
* refactor cloudwatch code
* remove obsolete code
* move cloudwatch crendential related code
* remove old handler
* fix annotation query
* fix time
* fix dimension convertion
* re-implement annotation query
* fix parameter format
* fix alert feature
* fix parameter format
* refactor cloudwatch to support new tsdb interface
* refactor cloudwatch frontend code
* refactor cloudwatch frontend code
* fix test
* re-implement dimension_values()
* fix error message
* remove performEC2DescribeInstances()
* re-implement ec2_instance_attribute()
* re-implement ebs_volume_ids()
* import the change, https://github.com/grafana/grafana/pull/9268
* fix conflict
* fix test
* remove obsolete GetMetricStatistics()
* fix test
* move test code
* fix conflict
* porting other suggestion
* re-implement get regions
* move the metric find query code
* (cloudwatch) move query parameter to 'parameters'
* parse duration
* remove offset for startTime
* cache creds for keys/credentials auth type
* fix test
* fix invalid query filter
* count up metrics
* (cloudwatch) alerting
* add brazil currency
* tech: upgrade of systemjs to 0.20.x working
* tech: reverted to systemjs
* tech: migrating elasticsearch to typescript
* changelog: add note about using golang 1.9
* change go version to 1.9
* changelog: adds note about closing #9367
* tech: systemjs upgrade
* made a text-panel page, maybe we don't need it
* cleaned up html/sass and added final touches
* Enable dualstack in every net.Dialer, fixes #9364
* jaeger: capitalize tracer name
* jaeger: logging improvement
* tech: systemjs upgrade
* Have include intervalFactor in its calculation, so always equal to the step query parameter.
* alertlist: toggle play/pause button
* updated css and html for recent state changes for alert lists
* Fix export_modal message (#9353)
* s3: minor fix for PR #9223
* internal metrics: add grafana version
* changelog: adds note about closing 5765
* Update latest.json
* typescript: stricter typescript option
* prom_docker: give targets correct job name
* testdata: add bucket scenarios for heatmap
* dev-docker: add grafana as target
* changelog: add note ablout closing #9319
* introduce smtp config option for EHLO identity
* changelog: note about closing #9250
* go fmt
* new page for text, needs more work
* replaced img in graph, created alert list page
* docs: update docs
* Update CHANGELOG.md
* changelog: adds note about closing #5873
* replaced image
* Docs new updates (#9324)
* Update CHANGELOG.md
* Update latest.json
* cleanup: removed unused file
* tech: remove bower and moved remaining bower dependencies to npm
* tech: cleanup and fixed build issue
* tech: upgraded angularjs and moved dependency from bower to npm, closes #9327
* follow go idiom and return error as second param
* tech: updated tsconfig
* docker: adds alertmanager to prometheus fig
* tech: more tslint rules
* another img update
* tech: removing unused variables from typescript files, and making tslint rules more strict
* deleted old shortcuts instruction
* text uppdates for dashlist and singlestat(+img). updated the keyboard shortcuts
* context is reserved for go's context
* make ds a param for Query
* remove batch abstraction
* rename executor into tsdbqueryendpoint
* remove unused structs
* refactor response flow
* tech: removed test component
* ux: minor singlestat update
* singlestat: minor change
* Update CHANGELOG.md
* Singlestat time (#9298)
* tech: progress on react poc
* adds note about closing #9213
* Update _navbar.scss
* replaced images, updating text(not finished)
* fix: close for 'Unsaved Changes' modal, #9284 (#9313)
* Initial graphite tags support (#9239)
* tech: initial react poc
* Make details more clean in PD description
* bug: enable HEAD requests again
* Add `DbClusterIdentifier` to CloudWatch dimensions (#9297)
* templating: fix dependent variable updating (#9306)
* Fix adhoc filters restoration (#9303)
* Explicitly refer to Github 'OAuth' applications
* config bucket and region for s3 uploader
* fixes bug introduced with prom namespaces
* fixing spelling of millesecond -> millisecond
* fixing spelling of millesecond -> millisecond
* Remove duplicate bus.AddHandler() (#9289)
* Update CHANGELOG.md
* use same key as mt
* tag alert queries that return no_data
* updated error page html+css, added ds_store to ignore (#9285)
* public/app/plugins/panel/graph/specs/graph_specs.ts: relax tests to be 'within' instead of 'equal', so they won't fail on i686 (#9286)
* Fix path to icon (#9276)
* adds note about fix in v4.5.2
* skip NaN values when writing to graphite
* addded mass units, #9265 (#9273)
* Fully fill out nulls in cloudfront data source (#9268)
* make it possible to configure sampler type
* mark >=400 responses as error
* change port for jaeger dev container
* logwrapper for jaeger
* make samplerconfig.param configurable
* adds custom tags from settings
* use route as span name
* add trace headers for outgoing requests
* docker file for running jaeger
* better formating for error trace
* attach context with span to *http.Request
* add traces for datasource reverse proxy requests
* trace failed executions
* use tags instead of logs
* use opentracing ext package when possible
* set example port to zipkin default
* adds codahale to vendor
* makes jaeger tracing configurable
* add trace parameters for outgoing requests
* adds basic traces using open traces
* require dashboard panels to have id
* fix: jsonData should not be allowed to be null, fixes #9258
* packaging: reduce package size
* Update upgrading.md (#9263)
* Added --pluginUrl option to grafana-cli for local network plugin installation
* adds note about closing #1395
* add locale format
* update changelog
* fixes broken tests :boom:
* minor code adjusetments
* pass context to image uploaders
* remove unused deps
* Reduced OAuth scope to read_write
* GCS support via JSON API
* gofmt fixes
* Added GCS support #8370
* move more known datasources from others
* Remove alert thresholds on panel duplicate, issue #9178 (#9257)
* 4.5.1 docs + update version to 5.0.0-pre1
* publish_both.sh update for 4.5.1
* Update CHANGELOG.md
* docs: updated changelog
* packaging: reducing package size be only including public vendor stuff we need
* docs: update download links
* allow ssl renegotiation for datasources
* check args for query
* add test for completer
* fix
* follow token name change
* (prometheus) support label value completion
* (prometheus) support label name completion
* get s3 url via aws-sdk-go, fix #9189
* Prometheus: Rework the interaction between auto interval (computed based on graph resolution), min interval (where specified, per query) and intervalFactor (AKA resolution, where specified, per query). As a bonus, have and reflect the actual interval (not the auto interval), taking into account min interval and Prometheus' 11k data points limit.
* minor fix
* (prometheus) support instant query for table format, use checkbox to switch query type
* (prometheus) instant query support
* Add thumbnail to card
* Add values to the hipchat card
* Reorder editorconfig
* Enable datasources to be able to round off to a UTC day properly
* Include triggering metrics to pagerduty alerts
- Add 0001-fix-XSS-vulnerabilities-in-dashboard-links.patch (bsc#1096985)
- adjust mysql-systemd-helper ('shutdown protected MySQL' section)
so it checks both ping response and the pid in a process list
as it can take some time till the process is terminated.
Otherwise it can lead to 'found left-over process' situation
when regular mariadb is started [bsc#1143215]
- update suse_skipped_tests.list
- remove client_ed25519.so plugin because it's shipped in
mariadb-connector-c package (libmariadb_plugins)
- update suse_skipped_tests.list
- update to 10.2.25 GA
* Fixes for the following security vulnerabilities:
* 10.2.23: none
* 10.2.24: CVE-2019-2628, CVE-2019-2627, CVE-2019-2614
* 10.2.25: none
* release notes and changelog:
https://mariadb.com/kb/en/library/mariadb-10223-release-notes
https://mariadb.com/kb/en/library/mariadb-10223-changelog
https://mariadb.com/kb/en/library/mariadb-10224-release-notes
https://mariadb.com/kb/en/library/mariadb-10224-changelog
https://mariadb.com/kb/en/library/mariadb-10225-release-notes
https://mariadb.com/kb/en/library/mariadb-10225-changelog
- remove mariadb-10.2.22-fix_path.patch that was applied upstream
in mariadb 10.2.23
- remove caching_sha2_password.so because it's shipped in
mariadb-connector-c package (libmariadb_plugins)
- remove xtrabackup scripts as it was replaced by mariabackup (we
already removed xtrabackup requires in the first phase)
- fix reading options for multiple instances if my${INSTANCE}.cnf
is used. Also remove 'umask 077' from mysql-systemd-helper that
causes that new datadirs are created with wrong permissions. Set
correct permissions for files created by us (mysql_upgrade_info,
.run-mysql_upgrade) [bsc#1132666]
- fix build comment to not refer to openSUSE
- tracker bug [bsc#1136035]
- New upstream version 3.1.2 [bsc#1136035]
* CONC-383: client plugins can't be loaded due to missing prefix
* Fixed version setting in GnuTLS by moving 'NORMAL' at the end
of priority string
* CONC-386: Added support for pem files which contain certificate
and private key.
* Replication/Binlog API: The main mechanism used in replication
is the binary log.
* CONC-395: Dashes and underscores are not interchangeable in
options in my.cnf
* CONC-384: Incorrect packet when a connection attribute name or
value is equal to or greater than 251
* CONC-388: field->def_length is always set to 0
* Getter should get and the setter should set
CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS
* Disable LOAD DATA LOCAL INFILE suport by default and auto-enable
it for the duration of one query, if the query string starts with
the word 'load'. In all other cases the application should enable
LOAD DATA LOCAL INFILE support explicitly.
* Changed return code for mysql_optionv/mysql_get_optionv to 1 (was -1)
and added CR_NOT_IMPLEMENTED error message if a option is unknown
or not supported.
* mingw fix: use lowercase names for include files
* CONC-375: Fixed handshake errors when mixing TLSv1.3 cipher
suites with cipher suites from other TLS protocols
* CONC-312: Added new caching_sha2_password authentication plugin
for authentication with MySQL 8.0
- refresh mariadb-connector-c-2.3.1_unresolved_symbols.patch and
private_library.patch
- pack caching_sha2_password.so and client_ed25519.so
- move libmariadb.pc from /usr/lib/pkgconfig to
/usr/lib64/pkgconfig for x86_64 [bsc#1126088]
- Fixes bugs bsc#1145796: Add tightPNG encoding
* Apply novnc-1.0.0-add-encoding-support-for-TightPNG.patch
This patch cherry-picks commit 2c813a33f to novnc 1.0.0 to enable tightPNG encoding.
This encoding is needed to allow noVNC to work with instances that
run on ESX hypervisors. It is not possible to update the Pike package
to noVNC 1.1.0 as that version is not supported with openstack-nova until Rocky.
- Update to version cinder-11.2.3.dev16:
* RBD: remove redundant exception log to reduce noise
- Update to version cinder-11.2.3.dev14:
* Fix NFS volume retype with migrate
- Update to version cinder-11.2.3.dev12:
* Remove Sheepdog tests from zuul config
* NetApp: Return all iSCSI targets-portals
- Update to version cinder-11.2.3.dev8:
* Remove experimental openSUSE 42.3 job
- Update to version cinder-11.2.3.dev16:
* RBD: remove redundant exception log to reduce noise
- Update to version cinder-11.2.3.dev14:
* Fix NFS volume retype with migrate
- Update to version cinder-11.2.3.dev12:
* Remove Sheepdog tests from zuul config
* NetApp: Return all iSCSI targets-portals
- Update to version cinder-11.2.3.dev8:
* Remove experimental openSUSE 42.3 job
- Update to version glance-15.0.3.dev3:
* Remove experimental openSUSE 42.3 job
- Update to version glance-15.0.3.dev3:
* Remove experimental openSUSE 42.3 job
- Update to version heat-9.0.8.dev13:
* Unlimited cinder quotas throws exception
- Update to version heat-9.0.8.dev12:
* Do not perform the tenant stack limit check for admin user
- Update to version heat-9.0.8.dev13:
* Unlimited cinder quotas throws exception
- Update to version heat-9.0.8.dev12:
* Do not perform the tenant stack limit check for admin user
- don't exclude pyc files to fix update/upgrade (SOC-9339)
- Update to version keystone-12.0.4.dev4:
* Remove experimental openSUSE 42.3 job
* Cap bandit
- Update to version keystone-12.0.4.dev4:
* Remove experimental openSUSE 42.3 job
* Cap bandit
- Update to version keystone-12.0.4.dev4:
* Remove experimental openSUSE 42.3 job
* Cap bandit
- Update to version keystone-12.0.4.dev4:
* Remove experimental openSUSE 42.3 job
* Cap bandit
- Update to version Build_20190923_16.32 (bsc#1148158)
* Create path.repo directory for Elasticseach
- Update to version neutron-11.0.9.dev51:
* Check for agent restarted after checking for DVR port
- Update to version neutron-11.0.9.dev49:
* Allow first address in an IPv6 subnet as valid unicast
- Update to version neutron-11.0.9.dev47:
* Remove experimental openSUSE 42.3 job
- Update to version neutron-11.0.9.dev45:
* Clear skb mark on encapsulating packets
* fix update port bug
- Update to version neutron-11.0.9.dev51:
* Check for agent restarted after checking for DVR port
- Update to version neutron-11.0.9.dev49:
* Allow first address in an IPv6 subnet as valid unicast
- Update to version neutron-11.0.9.dev47:
* Remove experimental openSUSE 42.3 job
- Update to version neutron-11.0.9.dev45:
* Clear skb mark on encapsulating packets
* fix update port bug
- Update to version group-based-policy-7.3.1.dev56:
* [AIM] Fix HAIP RPC query
- Update to version group-based-policy-7.3.1.dev55:
* Fix implicit ICMPv6 Security Group Rules
- Update to version group-based-policy-7.3.1.dev54:
* Fixed snat port status to be ACTIVE and UP
- Update to version group-based-policy-7.3.1.dev53:
* Verify aim\_epg exists before proceeding
* Revert 'Make DHCP provisioning blocks conditional'
* Some refactoring regarding merge aim statuses
- Update to version group-based-policy-7.3.1.dev47:
* Bulk extension support for routers
- Update to version group-based-policy-7.3.1.dev46:
* [AIM] Eliminate redundant router extension content
- add 0001-Remove-DDT-tests-from-tempest-plugin.patch
- add 0001-Fix-unable-to-delete-subnet-in-API-tests.patch
- Update to version nova-16.1.9.dev7:
* Remove experimental job on openSUSE 42.3
- Update to version nova-16.1.9.dev6:
* Fix misuse of nova.objects.base.obj\_equal\_prims
- Update to version nova-16.1.9.dev5:
* Replace non-nova server fault message
- Allow to attach more than 26 volumes (bsc#1118900)
* This is a forward port from SOC7
* Add 0001-Add-method-to-generate-device-names-universally.patch
* Add 0002-Raise-403-instead-of-500-error-from-attach-volume-AP.patch
* Add 0003-Add-configuration-of-maximum-disk-devices-to-attach.patch
- Update to version nova-16.1.9.dev7:
* Remove experimental job on openSUSE 42.3
- Update to version nova-16.1.9.dev6:
* Fix misuse of nova.objects.base.obj\_equal\_prims
- Update to version nova-16.1.9.dev5:
* Replace non-nova server fault message
- add 0002-Do_not_send_AAAA_DNS_request_when_domain_resolved_to_IPv4_address.patch (SOC-9144)
- update to 2.7.2:
* includes fix for controller connection over SSL
* enable build against openvswitch-devel to get C extensions enabled (bsc#1141121)
- Added fix-xxe-in-xml-parsing.patch (CVE-2016-10127, bsc#1019074)
- Add patch CVE-2019-13611.patch (SOC-9989, bsc#1141676)
* python-python-engineio: An issue was discovered in
python-engineio through 3.8.2. There is a Cross-Site WebSocket
Hijacking (CSWSH) vulnerability that allows attackers to make
WebSocket connections to a server
- Add missing dependency on python-six (bsc#1150895)
- Update to version 8.20190911:
* Fixing broken markup (noref)
- Update to version 8.20190909:
* Adding networking loop known issue (SOC-10150)
* add Keystone default is still UUID (noref)
* remove Known Issue-WebSSO not working (bsc#1132593)
* Remove de-de from the URL again.
* transfer C8 revision history from MF wiki (SCRD-7737)
* Typo/grammar fixes + URL fix
* remove Crowbar deprecation date (bsc#1125893)
* remove comment that ovsvapp is not functional
- Update to version 8.20190909:
* Adding networking loop known issue (SOC-10150)
* add Keystone default is still UUID (noref)
* remove Known Issue-WebSSO not working (bsc#1132593)
- Add python-defusedxml (bsc#1019074)
rubygem-easy_diff, rubygem-rest-client-1_6:
- CVE-2015-3448: Fixed a plain text local password disclosure. (bsc#917802)
Non-security issue fixed:
- rubygem-easy_diff was updated to version 1.0.0.
ModerateSUSE bug 1019074SUSE bug 1096985SUSE bug 1106515SUSE bug 1115960SUSE bug 1116846SUSE bug 1118900SUSE bug 1120657SUSE bug 1125893SUSE bug 1126088SUSE bug 1132593SUSE bug 1132666SUSE bug 1136035SUSE bug 1141121SUSE bug 1141676SUSE bug 1143215SUSE bug 1145796SUSE bug 1146578SUSE bug 1148158SUSE bug 1148383SUSE bug 1150895SUSE bug 917802CVE-2015-3448 at SUSECVE-2015-3448 at NVDCVE-2016-10127 at SUSECVE-2016-10127 at NVDCVE-2018-15727 at SUSECVE-2018-15727 at NVDCVE-2018-19039 at SUSECVE-2018-19039 at NVDCVE-2018-558213 at SUSECVE-2018-558213 at NVDCVE-2019-13611 at SUSECVE-2019-13611 at NVDCVE-2019-15043 at SUSECVE-2019-15043 at NVDCVE-2019-2614 at SUSECVE-2019-2614 at NVDCVE-2019-2627 at SUSECVE-2019-2627 at NVDCVE-2019-2628 at SUSECVE-2019-2628 at NVDCVE-2019-5477 at SUSECVE-2019-5477 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox to 68.2.0 ESR fixes the following issues:
Mozilla Firefox was updated to version 68.2.0 ESR (bsc#1154738).
Security issues fixed:
- CVE-2019-15903: Fixed a heap overflow in the expat library (bsc#1149429).
- CVE-2019-11757: Fixed a use-after-free when creating index updates in IndexedDB (bsc#1154738).
- CVE-2019-11758: Fixed a potentially exploitable crash due to 360 Total Security (bsc#1154738).
- CVE-2019-11759: Fixed a stack buffer overflow in HKDF output (bsc#1154738).
- CVE-2019-11760: Fixed a stack buffer overflow in WebRTC networking (bsc#1154738).
- CVE-2019-11761: Fixed an unintended access to a privileged JSONView object (bsc#1154738).
- CVE-2019-11762: Fixed a same-origin-property violation (bsc#1154738).
- CVE-2019-11763: Fixed an XSS bypass (bsc#1154738).
- CVE-2019-11764: Fixed several memory safety bugs (bsc#1154738).
Non-security issues fixed:
- Firefox 60.7 ESR changed the user interface language (bsc#1137990).
- Wrong Firefox GUI Language (bsc#1120374).
- Fixed an inadvertent crash report transmission without user opt-in (bsc#1074235).
- Firefox hangs randomly when browsing and scrolling (bsc#1043008).
- Firefox stops loading page until mouse is moved (bsc#1025108).
ImportantSUSE bug 1010399SUSE bug 1010405SUSE bug 1010406SUSE bug 1010408SUSE bug 1010409SUSE bug 1010421SUSE bug 1010423SUSE bug 1010424SUSE bug 1010425SUSE bug 1010426SUSE bug 1025108SUSE bug 1043008SUSE bug 1047281SUSE bug 1074235SUSE bug 1092611SUSE bug 1120374SUSE bug 1137990SUSE bug 1149429SUSE bug 1154738SUSE bug 959933SUSE bug 983922CVE-2016-2830 at SUSECVE-2016-2830 at NVDCVE-2016-5289 at SUSECVE-2016-5289 at NVDCVE-2016-5292 at SUSECVE-2016-5292 at NVDCVE-2016-9063 at SUSECVE-2016-9063 at NVDCVE-2016-9067 at SUSECVE-2016-9067 at NVDCVE-2016-9068 at SUSECVE-2016-9068 at NVDCVE-2016-9069 at SUSECVE-2016-9069 at NVDCVE-2016-9071 at SUSECVE-2016-9071 at NVDCVE-2016-9073 at SUSECVE-2016-9073 at NVDCVE-2016-9075 at SUSECVE-2016-9075 at NVDCVE-2016-9076 at SUSECVE-2016-9076 at NVDCVE-2016-9077 at SUSECVE-2016-9077 at NVDCVE-2017-7789 at SUSECVE-2017-7789 at NVDCVE-2018-5150 at SUSECVE-2018-5150 at NVDCVE-2018-5151 at SUSECVE-2018-5151 at NVDCVE-2018-5152 at SUSECVE-2018-5152 at NVDCVE-2018-5153 at SUSECVE-2018-5153 at NVDCVE-2018-5154 at SUSECVE-2018-5154 at NVDCVE-2018-5155 at SUSECVE-2018-5155 at NVDCVE-2018-5157 at SUSECVE-2018-5157 at NVDCVE-2018-5158 at SUSECVE-2018-5158 at NVDCVE-2018-5159 at SUSECVE-2018-5159 at NVDCVE-2018-5160 at SUSECVE-2018-5160 at NVDCVE-2018-5163 at SUSECVE-2018-5163 at NVDCVE-2018-5164 at SUSECVE-2018-5164 at NVDCVE-2018-5165 at SUSECVE-2018-5165 at NVDCVE-2018-5166 at SUSECVE-2018-5166 at NVDCVE-2018-5167 at SUSECVE-2018-5167 at NVDCVE-2018-5168 at SUSECVE-2018-5168 at NVDCVE-2018-5169 at SUSECVE-2018-5169 at NVDCVE-2018-5172 at SUSECVE-2018-5172 at NVDCVE-2018-5173 at SUSECVE-2018-5173 at NVDCVE-2018-5174 at SUSECVE-2018-5174 at NVDCVE-2018-5175 at SUSECVE-2018-5175 at NVDCVE-2018-5176 at SUSECVE-2018-5176 at NVDCVE-2018-5177 at SUSECVE-2018-5177 at NVDCVE-2018-5178 at SUSECVE-2018-5178 at NVDCVE-2018-5179 at SUSECVE-2018-5179 at NVDCVE-2018-5180 at SUSECVE-2018-5180 at NVDCVE-2018-5181 at SUSECVE-2018-5181 at NVDCVE-2018-5182 at SUSECVE-2018-5182 at NVDCVE-2018-5183 at SUSECVE-2018-5183 at NVDCVE-2019-11757 at SUSECVE-2019-11757 at NVDCVE-2019-11758 at SUSECVE-2019-11758 at NVDCVE-2019-11759 at SUSECVE-2019-11759 at NVDCVE-2019-11760 at SUSECVE-2019-11760 at NVDCVE-2019-11761 at SUSECVE-2019-11761 at NVDCVE-2019-11762 at SUSECVE-2019-11762 at NVDCVE-2019-11763 at SUSECVE-2019-11763 at NVDCVE-2019-11764 at SUSECVE-2019-11764 at NVDCVE-2019-15903 at SUSECVE-2019-15903 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for samba (Important)SUSE OpenStack Cloud 8
This update for samba fixes the following issues:
- CVE-2019-10218: Client code can return filenames containing path separators (bsc#1144902).
ImportantSUSE bug 1144902CVE-2019-10218 at SUSECVE-2019-10218 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for gdb (Moderate)SUSE OpenStack Cloud 8
This update for gdb fixes the following issues:
Update to gdb 8.3.1: (jsc#ECO-368)
Security issues fixed:
- CVE-2019-1010180: Fixed a potential buffer overflow when loading ELF sections larger than the file. (bsc#1142772)
Upgrade libipt from v2.0 to v2.0.1.
- Enable librpm for version > librpm.so.3 [bsc#1145692]:
* Allow any librpm.so.x
* Add %build test to check for 'zypper install <rpm-packagename>'
message
- Copy gdbinit from fedora master @ 25caf28. Add
gdbinit.without-python, and use it for --without=python.
Rebase to 8.3 release (as in fedora 30 @ 1e222a3).
* DWARF index cache: GDB can now automatically save indices of DWARF
symbols on disk to speed up further loading of the same binaries.
* Ada task switching is now supported on aarch64-elf targets when
debugging a program using the Ravenscar Profile.
* Terminal styling is now available for the CLI and the TUI.
* Removed support for old demangling styles arm, edg, gnu, hp and
lucid.
* Support for new native configuration RISC-V GNU/Linux (riscv*-*-linux*).
- Implemented access to more POWER8 registers. [fate#326120, fate#325178]
- Also handle most new s390 arch13 instructions. [fate#327369, jsc#ECO-368]
ModerateSUSE bug 1115034SUSE bug 1142772SUSE bug 1145692CVE-2019-1010180 at SUSECVE-2019-1010180 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libssh2_org (Moderate)SUSE OpenStack Cloud 8
This update for libssh2_org fixes the following issue:
- CVE-2019-17498: Fixed an integer overflow in a bounds check that might have led to the disclosure of sensitive information or a denial of service (bsc#1154862).
ModerateSUSE bug 1154862CVE-2019-17498 at SUSECVE-2019-17498 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libseccomp (Moderate)SUSE OpenStack Cloud 8
This update for libseccomp fixes the following issues:
Update to new upstream release 2.4.1:
* Fix a BPF generation bug where the optimizer mistakenly
identified duplicate BPF code blocks.
Updated to 2.4.0 (bsc#1128828 CVE-2019-9893):
* Update the syscall table for Linux v5.0-rc5
* Added support for the SCMP_ACT_KILL_PROCESS action
* Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute
* Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension
* Added support for the parisc and parisc64 architectures
* Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3)
* Return -EDOM on an endian mismatch when adding an architecture to a filter
* Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run()
* Fix PFC generation when a syscall is prioritized, but no rule exists
* Numerous fixes to the seccomp-bpf filter generation code
* Switch our internal hashing function to jhash/Lookup3 to MurmurHash3
* Numerous tests added to the included test suite, coverage now at ~92%
* Update our Travis CI configuration to use Ubuntu 16.04
* Numerous documentation fixes and updates
Update to release 2.3.3:
* Updated the syscall table for Linux v4.15-rc7
Update to release 2.3.2:
* Achieved full compliance with the CII Best Practices program
* Added Travis CI builds to the GitHub repository
* Added code coverage reporting with the '--enable-code-coverage' configure
flag and added Coveralls to the GitHub repository
* Updated the syscall tables to match Linux v4.10-rc6+
* Support for building with Python v3.x
* Allow rules with the -1 syscall if the SCMP\_FLTATR\_API\_TSKIP attribute is
set to true
* Several small documentation fixes
- ignore make check error for ppc64/ppc64le, bypass bsc#1142614
ModerateSUSE bug 1082318SUSE bug 1128828SUSE bug 1142614CVE-2019-9893 at SUSECVE-2019-9893 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud 8
The SUSE Linux Enterprise 12-SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race
condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine
Exception during Page Size Change, causing the CPU core to be non-functional.
The Linux Kernel kvm hypervisor was adjusted to avoid page size changes in
executable pages by splitting / merging huge pages into small pages as
needed. More information can be found on https://www.suse.com/support/kb/doc/?id=7023735
- CVE-2019-16995: Fix a memory leak in hsr_dev_finalize() if hsr_add_port
failed to add a port, which may have caused denial of service (bsc#1152685).
- CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with
Transactional Memory support could be used to facilitate sidechannel
information leaks out of microarchitectural buffers, similar to the
previously described 'Microarchitectural Data Sampling' attack.
The Linux kernel was supplemented with the option to disable TSX operation
altogether (requiring CPU Microcode updates on older systems) and better
flushing of microarchitectural buffers (VERW).
The set of options available is described in our TID at https://www.suse.com/support/kb/doc/?id=7024251
- CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c did not check the
alloc_workqueue return value, leading to a NULL pointer dereference.
(bsc#1150457).
- CVE-2019-10220: Added sanity checks on the pathnames passed to the user
space. (bsc#1144903).
- CVE-2019-17666: rtlwifi: Fix potential overflow in P2P code (bsc#1154372).
- CVE-2019-17133: cfg80211 wireless extension did not reject a long SSID IE,
leading to a Buffer Overflow (bsc#1153158).
- CVE-2019-16232: Fix a potential NULL pointer dereference in the Marwell
libertas driver (bsc#1150465).
- CVE-2019-16234: iwlwifi pcie driver did not check the alloc_workqueue return
value, leading to a NULL pointer dereference. (bsc#1150452).
- CVE-2019-17055: The AF_ISDN network module in the Linux kernel did not
enforce CAP_NET_RAW, which meant that unprivileged users could create a raw
socket (bnc#1152782).
- CVE-2019-17056: The AF_NFC network module did not enforce CAP_NET_RAW, which
meant that unprivileged users could create a raw socket (bsc#1152788).
- CVE-2019-16413: The 9p filesystem did not protect i_size_write() properly,
which caused an i_size_read() infinite loop and denial of service on SMP
systems (bnc#1151347).
- CVE-2019-15902: A backporting issue was discovered that re-introduced the
Spectre vulnerability it had aimed to eliminate. This occurred because the
backport process depends on cherry picking specific commits, and because two
(correctly ordered) code lines were swapped (bnc#1149376).
- CVE-2019-15291: Fixed a NULL pointer dereference issue that could be caused
by a malicious USB device (bnc#1146519).
- CVE-2019-15807: Fixed a memory leak in the SCSI module that could be abused
to cause denial of service (bnc#1148938).
- CVE-2019-13272: Fixed a mishandled the recording of the credentials of a
process that wants to create a ptrace relationship, which allowed local users
to obtain root access by leveraging certain scenarios with a parent-child
process relationship, where a parent drops privileges and calls execve
(potentially allowing control by an attacker). (bnc#1140671).
- CVE-2019-14821: An out-of-bounds access issue was fixed in the kernel's KVM
hypervisor. An unprivileged host user or process with access to '/dev/kvm'
device could use this flaw to crash the host kernel, resulting in a denial of
service or potentially escalating privileges on the system (bnc#1151350).
- CVE-2019-15505: An out-of-bounds issue had been fixed that could be caused by
crafted USB device traffic (bnc#1147122).
- CVE-2017-18595: A double free in allocate_trace_buffer was fixed
(bnc#1149555).
- CVE-2019-14835: A buffer overflow flaw was found in the kernel's vhost
functionality that translates virtqueue buffers to IOVs. A privileged guest
user able to pass descriptors with invalid length to the host could use this
flaw to increase their privileges on the host (bnc#1150112).
- CVE-2019-15216: A NULL pointer dereference was fixed that could be malicious
USB device (bnc#1146361).
- CVE-2019-15924: A a NULL pointer dereference has been fixed in the
drivers/net/ethernet/intel/fm10k module (bnc#1149612).
- CVE-2019-9456: An out-of-bounds write in the USB monitor driver has been
fixed. This issue could lead to local escalation of privilege with System
execution privileges needed. (bnc#1150025).
- CVE-2019-15926: An out-of-bounds access was fixed in the
drivers/net/wireless/ath/ath6kl module. (bnc#1149527).
- CVE-2019-15927: An out-of-bounds access was fixed in the sound/usb/mixer
module (bnc#1149522).
- CVE-2019-15666: There was an out-of-bounds array access in the net/xfrm
module that could cause denial of service (bnc#1148394).
- CVE-2017-18379: An out-of-boundary access was fixed in the
drivers/nvme/target module (bnc#1143187).
- CVE-2019-15219: A NULL pointer dereference was fixed that could be abused by
a malicious USB device (bnc#1146519 1146524).
- CVE-2019-15220: A use-after-free issue was fixed that could be caused by a
malicious USB device (bnc#1146519 1146526).
- CVE-2019-15221: A NULL pointer dereference was fixed that could be caused by
a malicious USB device (bnc#1146519 1146529).
- CVE-2019-14814: A heap-based buffer overflow was fixed in the marvell wifi
chip driver. That issue allowed local users to cause a denial of service
(system crash) or possibly execute arbitrary code (bnc#1146512).
- CVE-2019-14815: A missing length check while parsing WMM IEs was fixed
(bsc#1146512, bsc#1146514, bsc#1146516).
- CVE-2019-14816: A heap-based buffer overflow in the marvell wifi chip driver
was fixed. Local users would have abused this issue to cause a denial of
service (system crash) or possibly execute arbitrary code (bnc#1146516).
- CVE-2017-18509: An issue in net/ipv6 as fixed. By setting a specific socket
option, an attacker could control a pointer in kernel land and cause an
inet_csk_listen_stop general protection fault, or potentially execute
arbitrary code under certain circumstances. The issue can be triggered as
root (e.g., inside a default LXC container or with the CAP_NET_ADMIN
capability) or after namespace unsharing. (bnc#1145477)
- CVE-2019-9506: The Bluetooth BR/EDR specification used to permit sufficiently
low encryption key length and did not prevent an attacker from influencing
the key length negotiation. This allowed practical brute-force attacks (aka
'KNOB') that could decrypt traffic and inject arbitrary ciphertext without
the victim noticing (bnc#1137865).
- CVE-2019-15098: A NULL pointer dereference in drivers/net/wireless/ath was
fixed (bnc#1146378).
- CVE-2019-15290: A NULL pointer dereference in ath6kl_usb_alloc_urb_from_pipe
was fixed (bsc#1146378).
- CVE-2019-15239: A incorrect patch to net/ipv4 was fixed. By adding to a write
queue between disconnection and re-connection, a local attacker could trigger
multiple use-after-free conditions. This could result in kernel crashes or
potentially in privilege escalation. (bnc#1146589)
- CVE-2019-15212: A double-free issue was fixed in drivers/usb driver
(bnc#1146391).
- CVE-2016-10906: A use-after-free issue was fixed in drivers/net/ethernet/arc
(bnc#1146584).
- CVE-2019-15211: A use-after-free issue caused by a malicious USB device was
fixed in the drivers/media/v4l2-core driver (bnc#1146519).
- CVE-2019-15217: A a NULL pointer dereference issue caused by a malicious USB
device was fixed in the drivers/media/usb/zr364xx driver (bnc#1146519).
- CVE-2019-15214: An a use-after-free issue in the sound subsystem was fixed
(bnc#1146519).
- CVE-2019-15218: A NULL pointer dereference caused by a malicious USB device
was fixed in the drivers/media/usb/siano driver (bnc#1146413).
- CVE-2019-15215: A use-after-free issue caused by a malicious USB device was
fixed in the drivers/media/usb/cpia2 driver (bnc#1146425).
- CVE-2018-20976: A use-after-free issue was fixed in the fs/xfs driver
(bnc#1146285).
- CVE-2017-18551: An out-of-bounds write was fixed in the drivers/i2c driver
(bnc#1146163).
- CVE-2019-0154: An unprotected read access to i915 registers has been fixed
that could have been abused to facilitate a local denial-of-service attack.
(bsc#1135966)
- CVE-2019-0155: A privilege escalation vulnerability has been fixed in the
i915 module that allowed batch buffers from user mode to gain super user
privileges. (bsc#1135967)
The following non-security bugs were fixed:
- array_index_nospec: Sanitize speculative array (bsc#1155671)
- bonding/802.3ad: fix link_failure_count tracking (bsc#1141013).
- bonding/802.3ad: fix slave link initialization transition states (bsc#1141013).
- bonding: correctly update link status during mii-commit phase (bsc#1141013).
- bonding: fix active-backup transition (bsc#1141013).
- bonding: make speed, duplex setting consistent with link state (bsc#1141013).
- bonding: ratelimit failed speed/duplex update warning (bsc#1141013).
- bonding: require speed/duplex only for 802.3ad, alb and tlb (bsc#1141013).
- bonding: set default miimon value for non-arp modes if not set (bsc#1141013).
- bonding: speed/duplex update at NETDEV_UP event (bsc#1141013).
- cifs: fix panic in smb2_reconnect (bsc#1142458).
- cifs: handle netapp error codes (bsc#1136261).
- cpu/speculation: Uninline and export CPU mitigations helpers (bnc#1117665).
- ib/core, ipoib: Do not overreact to SM LID change event (bsc#1154103)
- ib/core: Add mitigation for Spectre V1 (bsc#1155671)
- ixgbe: sync the first fragment unconditionally (bsc#1133140).
- kvm: Convert kvm_lock to a mutex (bsc#1117665).
- kvm: lapic: cap __delay at lapic_timer_advance_ns (bsc#1149083).
- kvm: mmu: drop vcpu param in gpte_access (bsc#1117665).
- kvm: mmu: introduce kvm_mmu_gfn_{allow,disallow}_lpage (bsc#1117665).
- kvm: mmu: rename has_wrprotected_page to mmu_gfn_lpage_is_disallowed (bsc#1117665).
- kvm: vmx, svm: always run with EFER.NXE=1 when shadow paging is active (bsc#1117665).
- kvm: x86, powerpc: do not allow clearing largepages debugfs entry (bsc#1117665).
- kvm: x86: Do not release the page inside mmu_set_spte() (bsc#1117665).
- kvm: x86: MMU: Consolidate quickly_check_mmio_pf() and is_mmio_page_fault() (bsc#1117665).
- kvm: x86: MMU: Encapsulate the type of rmap-chain head in a new struct (bsc#1117665).
- kvm: x86: MMU: Move handle_mmio_page_fault() call to kvm_mmu_page_fault() (bsc#1117665).
- kvm: x86: MMU: Move initialization of parent_ptes out from kvm_mmu_alloc_page() (bsc#1117665).
- kvm: x86: MMU: Move parent_pte handling from kvm_mmu_get_page() to link_shadow_page() (bsc#1117665).
- kvm: x86: MMU: Remove unused parameter parent_pte from kvm_mmu_get_page() (bsc#1117665).
- kvm: x86: MMU: always set accessed bit in shadow PTEs (bsc#1117665).
- kvm: x86: Reduce the overhead when lapic_timer_advance is disabled (bsc#1149083).
- kvm: x86: add tracepoints around __direct_map and FNAME(fetch) (bsc#1117665).
- kvm: x86: adjust kvm_mmu_page member to save 8 bytes (bsc#1117665).
- kvm: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON (bsc#1117665).
- kvm: x86: extend usage of RET_MMIO_PF_* constants (bsc#1117665).
- kvm: x86: make FNAME(fetch) and __direct_map more similar (bsc#1117665).
- kvm: x86: mmu: Apply global mitigations knob to ITLB_MULTIHIT (bnc#1117665).
- kvm: x86: move nsec_to_cycles from x86.c to x86.h (bsc#1149083).
- kvm: x86: remove now unneeded hugepage gfn adjustment (bsc#1117665).
- kvm: x86: simplify ept_misconfig (bsc#1117665).
- media: smsusb: better handle optional alignment (bsc#1146413).
- pci: hv: Use bytes 4 and 5 from instance ID as the PCI domain numbers (bsc#1153263).
- powerpc/64s: support nospectre_v2 cmdline option (bsc#1131107).
- powerpc/pseries: correctly track irq state in default idle (bsc#1150727 bsc#1150942 ltc#178925 ltc#181484).
- powerpc/rtas: use device model APIs and serialization during LPM (bsc#1144123 ltc#178840).
- powerpc/security: Show powerpc_security_features in debugfs (bsc#1131107).
- scsi: scsi_transport_fc: Drop double list_del() (bsc#1084878) During the backport of 260f4aeddb48 ('scsi: scsi_transport_fc: return -EBUSY for deleted vport') an additional list_del() was introduced. The list entry will be freed in fc_vport_terminate(). Do not free it premature in fc_remove_host().
- swiotlb: Add support for DMA_ATTR_SKIP_CPU_SYNC in Xen-swiotlb unmap path (bsc#1133140).
- vmci: Release resource if the work is already queued (bsc#1051510).
- x86/cpu: Add Atom Tremont (Jacobsville) (bsc#1117665).
ImportantSUSE bug 1051510SUSE bug 1084878SUSE bug 1117665SUSE bug 1131107SUSE bug 1133140SUSE bug 1135966SUSE bug 1135967SUSE bug 1136261SUSE bug 1137865SUSE bug 1139073SUSE bug 1140671SUSE bug 1141013SUSE bug 1141054SUSE bug 1142458SUSE bug 1143187SUSE bug 1144123SUSE bug 1144903SUSE bug 1145477SUSE bug 1146042SUSE bug 1146163SUSE bug 1146285SUSE bug 1146361SUSE bug 1146378SUSE bug 1146391SUSE bug 1146413SUSE bug 1146425SUSE bug 1146512SUSE bug 1146514SUSE bug 1146516SUSE bug 1146519SUSE bug 1146524SUSE bug 1146526SUSE bug 1146529SUSE bug 1146540SUSE bug 1146543SUSE bug 1146547SUSE bug 1146550SUSE bug 1146584SUSE bug 1146589SUSE bug 1147022SUSE bug 1147122SUSE bug 1148394SUSE bug 1148938SUSE bug 1149083SUSE bug 1149376SUSE bug 1149522SUSE bug 1149527SUSE bug 1149555SUSE bug 1149612SUSE bug 1150025SUSE bug 1150112SUSE bug 1150452SUSE bug 1150457SUSE bug 1150465SUSE bug 1150727SUSE bug 1150942SUSE bug 1151347SUSE bug 1151350SUSE bug 1152685SUSE bug 1152782SUSE bug 1152788SUSE bug 1153158SUSE bug 1153263SUSE bug 1154103SUSE bug 1154372SUSE bug 1155131SUSE bug 1155671CVE-2016-10906 at SUSECVE-2016-10906 at NVDCVE-2017-18379 at SUSECVE-2017-18379 at NVDCVE-2017-18509 at SUSECVE-2017-18509 at NVDCVE-2017-18551 at SUSECVE-2017-18551 at NVDCVE-2017-18595 at SUSECVE-2017-18595 at NVDCVE-2018-12207 at SUSECVE-2018-12207 at NVDCVE-2018-20976 at SUSECVE-2018-20976 at NVDCVE-2019-0154 at SUSECVE-2019-0154 at NVDCVE-2019-0155 at SUSECVE-2019-0155 at NVDCVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-11135 at SUSECVE-2019-11135 at NVDCVE-2019-13272 at SUSECVE-2019-13272 at NVDCVE-2019-14814 at SUSECVE-2019-14814 at NVDCVE-2019-14815 at SUSECVE-2019-14815 at NVDCVE-2019-14816 at SUSECVE-2019-14816 at NVDCVE-2019-14821 at SUSECVE-2019-14821 at NVDCVE-2019-14835 at SUSECVE-2019-14835 at NVDCVE-2019-15098 at SUSECVE-2019-15098 at NVDCVE-2019-15211 at SUSECVE-2019-15211 at NVDCVE-2019-15212 at SUSECVE-2019-15212 at NVDCVE-2019-15214 at SUSECVE-2019-15214 at NVDCVE-2019-15215 at SUSECVE-2019-15215 at NVDCVE-2019-15216 at SUSECVE-2019-15216 at NVDCVE-2019-15217 at SUSECVE-2019-15217 at NVDCVE-2019-15218 at SUSECVE-2019-15218 at NVDCVE-2019-15219 at SUSECVE-2019-15219 at NVDCVE-2019-15220 at SUSECVE-2019-15220 at NVDCVE-2019-15221 at SUSECVE-2019-15221 at NVDCVE-2019-15239 at SUSECVE-2019-15239 at NVDCVE-2019-15290 at SUSECVE-2019-15290 at NVDCVE-2019-15291 at SUSECVE-2019-15291 at NVDCVE-2019-15505 at SUSECVE-2019-15505 at NVDCVE-2019-15666 at SUSECVE-2019-15666 at NVDCVE-2019-15807 at SUSECVE-2019-15807 at NVDCVE-2019-15902 at SUSECVE-2019-15902 at NVDCVE-2019-15924 at SUSECVE-2019-15924 at NVDCVE-2019-15926 at SUSECVE-2019-15926 at NVDCVE-2019-15927 at SUSECVE-2019-15927 at NVDCVE-2019-16232 at SUSECVE-2019-16232 at NVDCVE-2019-16233 at SUSECVE-2019-16233 at NVDCVE-2019-16234 at SUSECVE-2019-16234 at NVDCVE-2019-16413 at SUSECVE-2019-16413 at NVDCVE-2019-16995 at SUSECVE-2019-16995 at NVDCVE-2019-17055 at SUSECVE-2019-17055 at NVDCVE-2019-17056 at SUSECVE-2019-17056 at NVDCVE-2019-17133 at SUSECVE-2019-17133 at NVDCVE-2019-17666 at SUSECVE-2019-17666 at NVDCVE-2019-9456 at SUSECVE-2019-9456 at NVDCVE-2019-9506 at SUSECVE-2019-9506 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ucode-intel (Important)SUSE OpenStack Cloud 8
This update for ucode-intel fixes the following issues:
- Updated to 20191112 security release (bsc#1155988)
- Processor Identifier Version Products
- Model Stepping F-MO-S/PI Old->New
- ---- new platforms ----------------------------------------
- CML-U62 A0 6-a6-0/80 000000c6 Core Gen10 Mobile
- CNL-U D0 6-66-3/80 0000002a Core Gen8 Mobile
- SKX-SP B1 6-55-3/97 01000150 Xeon Scalable
- ICL U/Y D1 6-7e-5/80 00000046 Core Gen10 Mobile
- ---- updated platforms ------------------------------------
- SKL U/Y D0 6-4e-3/c0 000000cc->000000d4 Core Gen6 Mobile
- SKL H/S/E3 R0/N0 6-5e-3/36 000000cc->000000d4 Core Gen6
- AML-Y22 H0 6-8e-9/10 000000b4->000000c6 Core Gen8 Mobile
- KBL-U/Y H0 6-8e-9/c0 000000b4->000000c6 Core Gen7 Mobile
- CFL-U43e D0 6-8e-a/c0 000000b4->000000c6 Core Gen8 Mobile
- WHL-U W0 6-8e-b/d0 000000b8->000000c6 Core Gen8 Mobile
- AML-Y V0 6-8e-c/94 000000b8->000000c6 Core Gen10 Mobile
- CML-U42 V0 6-8e-c/94 000000b8->000000c6 Core Gen10 Mobile
- WHL-U V0 6-8e-c/94 000000b8->000000c6 Core Gen8 Mobile
- KBL-G/X H0 6-9e-9/2a 000000b4->000000c6 Core Gen7/Gen8
- KBL-H/S/E3 B0 6-9e-9/2a 000000b4->000000c6 Core Gen7; Xeon E3 v6
- CFL-H/S/E3 U0 6-9e-a/22 000000b4->000000c6 Core Gen8 Desktop, Mobile, Xeon E
- CFL-S B0 6-9e-b/02 000000b4->000000c6 Core Gen8
- CFL-H R0 6-9e-d/22 000000b8->000000c6 Core Gen9 Mobile
- Includes security fixes for:
- CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073)
- CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035)
- requires coreutils for the %post script (bsc#1154043)
ImportantSUSE bug 1139073SUSE bug 1141035SUSE bug 1154043SUSE bug 1155988CVE-2019-11135 at SUSECVE-2019-11135 at NVDCVE-2019-11139 at SUSECVE-2019-11139 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libjpeg-turbo (Important)SUSE OpenStack Cloud 8
This update for libjpeg-turbo fixes the following issues:
- CVE-2019-2201: Several integer overflow issues and subsequent segfaults occurred in libjpeg-turbo,
when attempting to compress or decompress gigapixel images. [bsc#1156402]
ImportantSUSE bug 1156402CVE-2019-2201 at SUSECVE-2019-2201 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ghostscript (Important)SUSE OpenStack Cloud 8
This update for ghostscript fixes the following issue:
- CVE-2019-14869: Fixed a possible dSAFER escape which could have allowed
an attacker to gain high privileges by a specially crafted Postscript
code (bsc#1156275).
ImportantSUSE bug 1156275CVE-2019-14869 at SUSECVE-2019-14869 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ucode-intel (Important)SUSE OpenStack Cloud 8
This update for ucode-intel fixes the following issues:
- Updated to 20191112 official security release (bsc#1155988)
- Includes security fixes for:
- CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073)
- CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035)
ImportantSUSE bug 1139073SUSE bug 1141035SUSE bug 1155988CVE-2019-11135 at SUSECVE-2019-11135 at NVDCVE-2019-11139 at SUSECVE-2019-11139 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-ecdsa (Moderate)SUSE OpenStack Cloud 8
This update for python-ecdsa to version 0.13.3 fixes the following issues:
Security issues fixed:
- CVE-2019-14853: Fixed unexpected exceptions during signature decoding (bsc#1153165).
- CVE-2019-14859: Fixed a signature malleability caused by insufficient checks of DER encoding (bsc#1154217).
ModerateSUSE bug 1153165SUSE bug 1154217CVE-2019-14853 at SUSECVE-2019-14853 at NVDCVE-2019-14859 at SUSECVE-2019-14859 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for sqlite3 (Important)SUSE OpenStack Cloud 8
This update for sqlite3 fixes the following issues:
- CVE-2017-2518: Fixed a use-after-free vulnerability which could have
led to buffer overflow via a crafted SQL statement (bsc#1155787).
ImportantSUSE bug 1155787CVE-2017-2518 at SUSECVE-2017-2518 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for cups (Important)SUSE OpenStack Cloud 8
This update for cups fixes the following issues:
- CVE-2019-8675: Fixed a stack buffer overflow in libcups's asn1_get_type function(bsc#1146358).
- CVE-2019-8696: Fixed a stack buffer overflow in libcups's asn1_get_packed function (bsc#1146359).
ImportantSUSE bug 1146358SUSE bug 1146359CVE-2019-8675 at SUSECVE-2019-8675 at NVDCVE-2019-8696 at SUSECVE-2019-8696 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for clamav (Moderate)SUSE OpenStack Cloud 8
This update for clamav fixes the following issues:
Security issue fixed:
- CVE-2019-12625: Fixed a ZIP bomb issue by adding detection and heuristics for zips with overlapping files (bsc#1144504).
- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1149458).
Non-security issues fixed:
- Added the --max-scantime clamscan option and MaxScanTime clamd configuration option (bsc#1144504).
- Increased the startup timeout of clamd to 5 minutes to cater for the grown virus database as a workaround until clamd has learned to talk to systemd to extend the timeout as long as needed (bsc#1151839).
ModerateSUSE bug 1144504SUSE bug 1149458SUSE bug 1151839CVE-2019-12625 at SUSECVE-2019-12625 at NVDCVE-2019-12900 at SUSECVE-2019-12900 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for mailman (Important)SUSE OpenStack Cloud 8
This update for mailman fixes the following issues:
- CVE-2019-3693: Fixed a local privilege escalation from wwwrun to root (bsc#1154328).
ImportantSUSE bug 1154328CVE-2019-3693 at SUSECVE-2019-3693 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_7_0-openjdk (Important)SUSE OpenStack Cloud 8
This update for java-1_7_0-openjdk fixes the following issues:
Security issues fixed (October 2019 CPU bsc#1154212):
- CVE-2019-2933: Windows file handling redux
- CVE-2019-2945: Better socket support
- CVE-2019-2949: Better Kerberos ccache handling
- CVE-2019-2958: Build Better Processes
- CVE-2019-2964: Better support for patterns
- CVE-2019-2962: Better Glyph Images
- CVE-2019-2973: Better pattern compilation
- CVE-2019-2978: Improved handling of jar files
- CVE-2019-2981: Better Path supports
- CVE-2019-2983: Better serial attributes
- CVE-2019-2987: Better rendering of native glyphs
- CVE-2019-2988: Better Graphics2D drawing
- CVE-2019-2989: Improve TLS connection support
- CVE-2019-2992: Enhance font glyph mapping
- CVE-2019-2999: Commentary on Javadoc comments
- CVE-2019-2894: Enhance ECDSA operations (bsc#1152856).
ImportantSUSE bug 1152856SUSE bug 1154212CVE-2019-2894 at SUSECVE-2019-2894 at NVDCVE-2019-2933 at SUSECVE-2019-2933 at NVDCVE-2019-2945 at SUSECVE-2019-2945 at NVDCVE-2019-2949 at SUSECVE-2019-2949 at NVDCVE-2019-2958 at SUSECVE-2019-2958 at NVDCVE-2019-2962 at SUSECVE-2019-2962 at NVDCVE-2019-2964 at SUSECVE-2019-2964 at NVDCVE-2019-2973 at SUSECVE-2019-2973 at NVDCVE-2019-2978 at SUSECVE-2019-2978 at NVDCVE-2019-2981 at SUSECVE-2019-2981 at NVDCVE-2019-2983 at SUSECVE-2019-2983 at NVDCVE-2019-2987 at SUSECVE-2019-2987 at NVDCVE-2019-2988 at SUSECVE-2019-2988 at NVDCVE-2019-2989 at SUSECVE-2019-2989 at NVDCVE-2019-2992 at SUSECVE-2019-2992 at NVDCVE-2019-2999 at SUSECVE-2019-2999 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for clamav (Important)SUSE OpenStack Cloud 8
This update for clamav fixes the following issues:
- CVE-2019-15961: Fixed a denial of service which might occur when
scanning a specially crafted email file as (bsc#1157763).
ImportantSUSE bug 1157763CVE-2019-15961 at SUSECVE-2019-15961 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for permissions (Moderate)SUSE OpenStack Cloud 8
This update for permissions fixes the following issues:
- CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid
which could have allowed a squid user to gain persistence by changing the
binary (bsc#1093414).
- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic
links (bsc#1150734).
- Fixed a regression which caused segmentation fault (bsc#1157198).
ModerateSUSE bug 1093414SUSE bug 1150734SUSE bug 1157198CVE-2019-3688 at SUSECVE-2019-3688 at NVDCVE-2019-3690 at SUSECVE-2019-3690 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for strongswan (Important)SUSE OpenStack Cloud 8
This update for strongswan provides the following fixes:
Security issues fixed:
- CVE-2018-5388: Fixed a buffer underflow which may allow to a remote attacker
with local user credentials to resource exhaustion and denial of service while
reading from the socket (bsc#1094462).
- CVE-2018-10811: Fixed a denial of service during the IKEv2 key derivation if
the openssl plugin is used in FIPS mode and HMAC-MD5 is negotiated as PRF
(bsc#1093536).
- CVE-2018-16151,CVE-2018-16152: Fixed multiple flaws in the gmp plugin which
might lead to authorization bypass (bsc#1107874).
- CVE-2018-17540: Fixed an improper input validation in gmp plugin (bsc#1109845).
Other issues addressed:
- Fixed some client fails when the scep server URL is used with HTTPS protocol (bsc#1071853).
- Reject Diffie-Hellman key exchanges using primes smaller than 1024 bit.
- Handle unexpected informational message from SonicWall. (bsc#1009254)
ImportantSUSE bug 1009254SUSE bug 1071853SUSE bug 1093536SUSE bug 1094462SUSE bug 1107874SUSE bug 1109845CVE-2018-10811 at SUSECVE-2018-10811 at NVDCVE-2018-16151 at SUSECVE-2018-16151 at NVDCVE-2018-16152 at SUSECVE-2018-16152 at NVDCVE-2018-17540 at SUSECVE-2018-17540 at NVDCVE-2018-5388 at SUSECVE-2018-5388 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for haproxy (Important)SUSE OpenStack Cloud 8
This update for haproxy fixes the following issues:
- CVE-2019-18277: Fixed HTTP smuggling in messages with transfer-encoding header missing the 'chunked' value (bsc#1154980).
ImportantSUSE bug 1154980CVE-2019-18277 at SUSECVE-2019-18277 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for xen (Important)SUSE OpenStack Cloud 8
This update for xen fixes the following issues:
- CVE-2019-19581: Fixed a potential out of bounds on 32-bit Arm (bsc#1158003 XSA-307).
- CVE-2019-19582: Fixed a potential infinite loop when x86 accesses to bitmaps with
a compile time known size of 64 (bsc#1158003 XSA-307).
- CVE-2019-19583: Fixed improper checks which could have allowed HVM/PVH guest userspace
code to crash the guest,leading to a guest denial of service (bsc#1158004 XSA-308).
- CVE-2019-19578: Fixed an issue where a malicious or buggy PV guest could have caused
hypervisor crash resulting in denial of service affecting the entire host (bsc#1158005 XSA-309).
- CVE-2019-19580: Fixed a privilege escalation where a malicious PV guest administrator
could have been able to escalate their privilege to that of the host (bsc#1158006 XSA-310).
- CVE-2019-19577: Fixed an issue where a malicious guest administrator could have caused Xen
to access data structures while they are being modified leading to a crash (bsc#1158007 XSA-311).
- CVE-2019-19579: Fixed a privilege escaltion where an untrusted domain with access
to a physical device can DMA into host memory (bsc#1157888 XSA-306).
- CVE-2019-18420: Malicious x86 PV guests may have caused a hypervisor crash,
resulting in a denial of service (bsc#1154448 XSA-296)
- CVE-2019-18425: 32-bit PV guest user mode could elevate its privileges to that
of the guest kernel. (bsc#1154456 XSA-298).
- CVE-2019-18421: A malicious PV guest administrator may have been able to
escalate their privilege to that of the host. (bsc#1154458 XSA-299).
- CVE-2019-18423: A malicious guest administrator may cause a hypervisor crash,
resulting in a denial of service (bsc#1154460 XSA-301).
- CVE-2019-18422: A malicious ARM guest might contrive to arrange for critical
Xen code to run with interrupts erroneously enabled. This could lead to data
corruption, denial of service, or possibly even privilege escalation. However
a precise attack technique has not been identified. (bsc#1154464 XSA-303)
- CVE-2019-18424: An untrusted domain with access to a physical device can DMA
into host memory, leading to privilege escalation. (bsc#1154461 XSA-302).
- CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race
condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine
Exception during Page Size Change, causing the CPU core to be non-functional.
(bsc#1155945 XSA-304)
- CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with
Transactional Memory support could be used to facilitate sidechannel
information leaks out of microarchitectural buffers, similar to the
previously described 'Microarchitectural Data Sampling' attack. (bsc#1152497 XSA-305).
ImportantSUSE bug 1152497SUSE bug 1154448SUSE bug 1154456SUSE bug 1154458SUSE bug 1154460SUSE bug 1154461SUSE bug 1154464SUSE bug 1155945SUSE bug 1157888SUSE bug 1158003SUSE bug 1158004SUSE bug 1158005SUSE bug 1158006SUSE bug 1158007CVE-2018-12207 at SUSECVE-2018-12207 at NVDCVE-2019-11135 at SUSECVE-2019-11135 at NVDCVE-2019-18420 at SUSECVE-2019-18420 at NVDCVE-2019-18421 at SUSECVE-2019-18421 at NVDCVE-2019-18422 at SUSECVE-2019-18422 at NVDCVE-2019-18423 at SUSECVE-2019-18423 at NVDCVE-2019-18424 at SUSECVE-2019-18424 at NVDCVE-2019-18425 at SUSECVE-2019-18425 at NVDCVE-2019-19577 at SUSECVE-2019-19577 at NVDCVE-2019-19578 at SUSECVE-2019-19578 at NVDCVE-2019-19579 at SUSECVE-2019-19579 at NVDCVE-2019-19580 at SUSECVE-2019-19580 at NVDCVE-2019-19581 at SUSECVE-2019-19581 at NVDCVE-2019-19582 at SUSECVE-2019-19582 at NVDCVE-2019-19583 at SUSECVE-2019-19583 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for git (Important)SUSE OpenStack Cloud 8
This update for git fixes the following issues:
Security issues fixed:
- CVE-2019-1349: Fixed issue on Windows, when submodules are cloned recursively, under certain circumstances Git could be fooled into using the same Git directory twice (bsc#1158787).
- CVE-2019-19604: Fixed a recursive clone followed by a submodule update could execute code contained within the repository without the user explicitly having asked for that (bsc#1158795).
- CVE-2019-1387: Fixed recursive clones that are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones (bsc#1158793).
- CVE-2019-1354: Fixed issue on Windows that refuses to write tracked files with filenames that contain backslashes (bsc#1158792).
- CVE-2019-1353: Fixed issue when run in the Windows Subsystem for Linux while accessing a working directory on a regular Windows drive, none of the NTFS protections were active (bsc#1158791).
- CVE-2019-1352: Fixed issue on Windows was unaware of NTFS Alternate Data Streams (bsc#1158790).
- CVE-2019-1351: Fixed issue on Windows mistakes drive letters outside of the US-English alphabet as relative paths (bsc#1158789).
- CVE-2019-1350: Fixed incorrect quoting of command-line arguments allowed remote code execution during a recursive clone in conjunction with SSH URLs (bsc#1158788).
- CVE-2019-1348: Fixed the --export-marks option of fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths (bsc#1158785).
- Fixed an issue where git send-email fails to authenticate with SMTP server (bsc#1082023)
ImportantSUSE bug 1082023SUSE bug 1158785SUSE bug 1158787SUSE bug 1158788SUSE bug 1158789SUSE bug 1158790SUSE bug 1158791SUSE bug 1158792SUSE bug 1158793SUSE bug 1158795CVE-2019-1348 at SUSECVE-2019-1348 at NVDCVE-2019-1349 at SUSECVE-2019-1349 at NVDCVE-2019-1350 at SUSECVE-2019-1350 at NVDCVE-2019-1351 at SUSECVE-2019-1351 at NVDCVE-2019-1352 at SUSECVE-2019-1352 at NVDCVE-2019-1353 at SUSECVE-2019-1353 at NVDCVE-2019-1354 at SUSECVE-2019-1354 at NVDCVE-2019-1387 at SUSECVE-2019-1387 at NVDCVE-2019-19604 at SUSECVE-2019-19604 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
Mozilla Firefox was updated to 68.3esr (MFSA 2019-37 bsc#1158328)
Security issues fixed:
- CVE-2019-17008: Fixed a use-after-free in worker destruction (bmo#1546331)
- CVE-2019-13722: Fixed a stack corruption due to incorrect number of arguments
in WebRTC code (bmo#1580156)
- CVE-2019-11745: Fixed an out of bounds write in NSS when encrypting with a
block cipher (bmo#1586176)
- CVE-2019-17009: Fixed an issue where updater temporary files accessible to
unprivileged processes (bmo#1510494)
- CVE-2019-17010: Fixed a use-after-free when performing device orientation
checks (bmo#1581084)
- CVE-2019-17005: Fixed a buffer overflow in plain text serializer (bmo#1584170)
- CVE-2019-17011: Fixed a use-after-free when retrieving a document
in antitracking (bmo#1591334)
- CVE-2019-17012: Fixed multiple memmory issues
(bmo#1449736, bmo#1533957, bmo#1560667,bmo#1567209, bmo#1580288, bmo#1585760,
bmo#1592502)
ImportantSUSE bug 1158328CVE-2019-11745 at SUSECVE-2019-11745 at NVDCVE-2019-13722 at SUSECVE-2019-13722 at NVDCVE-2019-17005 at SUSECVE-2019-17005 at NVDCVE-2019-17008 at SUSECVE-2019-17008 at NVDCVE-2019-17009 at SUSECVE-2019-17009 at NVDCVE-2019-17010 at SUSECVE-2019-17010 at NVDCVE-2019-17011 at SUSECVE-2019-17011 at NVDCVE-2019-17012 at SUSECVE-2019-17012 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud 8
The SUSE Linux Enterprise 12 SP 3 LTSS kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2019-14895: A heap-based buffer overflow was discovered in the Linux kernel in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could have allowed the remote device to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1157158).
- CVE-2019-18660: The Linux kernel on powerpc allowed Information Exposure because the Spectre-RSB mitigation is not in place for all applicable CPUs. This is related to arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c (bnc#1157038).
- CVE-2019-18683: An issue was discovered in drivers/media/platform/vivid in the Linux kernel. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free (bnc#1155897).
- CVE-2019-19062: A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures (bnc#1157333).
- CVE-2019-19065: A memory leak in the sdma_init() function in drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering rhashtable_init() failures (bnc#1157191).
- CVE-2019-19052: A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_usb.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures (bnc#1157324).
- CVE-2019-19074: A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157143).
- CVE-2019-19073: Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the htc_connect_service() function (bnc#1157070).
- CVE-2019-16231: drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 did not check the alloc_workqueue return value, leading to a NULL pointer dereference (bnc#1150466).
- CVE-2019-18805: An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Linux kernel There was a net/ipv4/tcp_input.c signed integer overflow in tcp_ack_update_rtt() when userspace writes a very large integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading to a denial of service or possibly unspecified other impact (bnc#1156187).
- CVE-2019-18680: An issue was discovered in the Linux kernel. There was a NULL pointer dereference in rds_tcp_kill_sock() in net/rds/tcp.c that will cause denial of service (bnc#1155898).
- CVE-2019-15213: An use-after-free was fixed caused by malicious USB device in drivers/media/usb/dvb-usb/dvb-usb-init.c (bsc#1146544).
- CVE-2019-19536: An uninitialized Kernel memory can leak to USB devices in drivers/net/can/usb/peak_usb/pcan_usb_pro.c (bsc#1158394).
- CVE-2019-19534: An uninitialized Kernel memory can leak to USB devices in drivers/net/can/usb/peak_usb/pcan_usb_core.c (bsc#1158398).
- CVE-2019-19530: An use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver (bsc#1158410).
- CVE-2019-19524: An use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver (bsc#1158413).
- CVE-2019-19525: An use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver (bsc#1158417).
- CVE-2019-19531: An use-after-free in yurex_delete may lead to denial of service (bsc#1158445).
- CVE-2019-19523: An use-after-free on disconnect in USB adutux (bsc#1158823).
- CVE-2019-19532: An out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers (bsc#1158824).
- CVE-2019-19332: An out-of-bounds memory write via kvm_dev_ioctl_get_cpuid (bsc#1158827).
- CVE-2019-19533: An info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver (bsc#1158834).
- CVE-2019-19527: An use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver (bsc#1158900).
- CVE-2019-19535: An info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver (bsc#1158903).
- CVE-2019-19537: Two races in the USB character device registration and deregistration routines (bsc#1158904).
- CVE-2019-19338: An incomplete fix for Transaction Asynchronous Abort (TAA) (bsc#1158954).
The following non-security bugs were fixed:
- hyperv: set nvme msi interrupts to unmanaged (jsc#SLE-8953, jsc#SLE-9221, jsc#SLE-4941, bsc#1119461, bsc#1119465, bsc#1138190, bsc#1154905).
- ibmvnic: Bound waits for device queries (bsc#1155689 ltc#182047).
- ibmvnic: Fix completion structure initialization (bsc#1155689 ltc#182047).
- ibmvnic: Serialize device queries (bsc#1155689 ltc#182047).
- ibmvnic: Terminate waiting device threads after loss of service (bsc#1155689 ltc#182047).
- netfilter: nf_nat: do not bug when mapping already exists (bsc#1146612).
- powerpc/security/book3s64: Report L1TF status in sysfs (bsc#1091041).
- powerpc/security: Fix wrong message when RFI Flush is disable (bsc#1131107).
- sched/fair: WARN() and refuse to set buddy when !se->on_rq (bsc#1158132).
- x86/alternatives: Add int3_emulate_call() selftest (bsc#1153811).
- x86/alternatives: Fix int3_emulate_call() selftest stack corruption (bsc#1153811).
- xen/pv: Fix a boot up hang revealed by int3 self test (bsc#1153811).
- arp: Fix cache issue during Life Partition Migration (bsc#1152631).
- futexes: Fix speed on 4.12 kernel (bsc#1157464).
ImportantSUSE bug 1091041SUSE bug 1119461SUSE bug 1119465SUSE bug 1131107SUSE bug 1138190SUSE bug 1146544SUSE bug 1146612SUSE bug 1150466SUSE bug 1150483SUSE bug 1152631SUSE bug 1153811SUSE bug 1154905SUSE bug 1155689SUSE bug 1155897SUSE bug 1155898SUSE bug 1156187SUSE bug 1157038SUSE bug 1157042SUSE bug 1157070SUSE bug 1157143SUSE bug 1157158SUSE bug 1157191SUSE bug 1157324SUSE bug 1157333SUSE bug 1157464SUSE bug 1158132SUSE bug 1158394SUSE bug 1158398SUSE bug 1158410SUSE bug 1158413SUSE bug 1158417SUSE bug 1158445SUSE bug 1158823SUSE bug 1158824SUSE bug 1158827SUSE bug 1158834SUSE bug 1158900SUSE bug 1158903SUSE bug 1158904SUSE bug 1158954CVE-2019-14895 at SUSECVE-2019-14895 at NVDCVE-2019-15213 at SUSECVE-2019-15213 at NVDCVE-2019-16231 at SUSECVE-2019-16231 at NVDCVE-2019-18660 at SUSECVE-2019-18660 at NVDCVE-2019-18680 at SUSECVE-2019-18680 at NVDCVE-2019-18683 at SUSECVE-2019-18683 at NVDCVE-2019-18805 at SUSECVE-2019-18805 at NVDCVE-2019-19052 at SUSECVE-2019-19052 at NVDCVE-2019-19062 at SUSECVE-2019-19062 at NVDCVE-2019-19065 at SUSECVE-2019-19065 at NVDCVE-2019-19073 at SUSECVE-2019-19073 at NVDCVE-2019-19074 at SUSECVE-2019-19074 at NVDCVE-2019-19332 at SUSECVE-2019-19332 at NVDCVE-2019-19338 at SUSECVE-2019-19338 at NVDCVE-2019-19523 at SUSECVE-2019-19523 at NVDCVE-2019-19524 at SUSECVE-2019-19524 at NVDCVE-2019-19525 at SUSECVE-2019-19525 at NVDCVE-2019-19527 at SUSECVE-2019-19527 at NVDCVE-2019-19530 at SUSECVE-2019-19530 at NVDCVE-2019-19531 at SUSECVE-2019-19531 at NVDCVE-2019-19532 at SUSECVE-2019-19532 at NVDCVE-2019-19533 at SUSECVE-2019-19533 at NVDCVE-2019-19534 at SUSECVE-2019-19534 at NVDCVE-2019-19535 at SUSECVE-2019-19535 at NVDCVE-2019-19536 at SUSECVE-2019-19536 at NVDCVE-2019-19537 at SUSECVE-2019-19537 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-PyKMIP (Moderate)SUSE OpenStack Cloud 8
This update for python-PyKMIP fixes the following issues:
Security issue fixed:
- CVE-2018-1000872: Fixed a denial-of-service vulnerability which was caused by exhausting
the available sockets. To mitigate the issue server socket timeout was decreased (bsc#1120767).
ModerateSUSE bug 1120767CVE-2018-1000872 at SUSECVE-2018-1000872 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-paramiko (Important)SUSE OpenStack Cloud 8
This update for python-paramiko to version 2.2.4 fixes the following issues:
Security issue fixed:
- CVE-2018-1000805: Fixed an authentication bypass in auth_handler.py (bsc#1111151)
ImportantSUSE bug 1111151SUSE bug 1120531CVE-2018-1000805 at SUSECVE-2018-1000805 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for galera-3, mariadb, mariadb-connector-c (Important)SUSE OpenStack Cloud 8
This update for mariadb, galera-3, mariadb-connector fixes the following issues:
Security vulnerabilities addressed for mariadb:
- CVE-2016-9843 [bsc#1013882]
- CVE-2018-3058 [bsc#1101676]
- CVE-2018-3060
- CVE-2018-3063 [bsc#1101677]
- CVE-2018-3064 [bsc#1103342]
- CVE-2018-3066 [bsc#1101678]
- CVE-2018-3143 [bsc#1112421]
- CVE-2018-3156 [bsc#1112417]
- CVE-2018-3162 [bsc#1112415]
- CVE-2018-3173 [bsc#1112386]
- CVE-2018-3174 [bsc#1112368]
- CVE-2018-3185 [bsc#1112384]
- CVE-2018-3200 [bsc#1112404]
- CVE-2018-3251 [bsc#1112397]
- CVE-2018-3277 [bsc#1112391]
- CVE-2018-3282 [bsc#1112432]
- CVE-2018-3284 [bsc#1112377]
Other bug fixes and changes for mariadb:
- update to 10.2.21 GA
* MDEV-17589 - Stack-buffer-overflow with indexed varchar
(utf8) field
* MDEV-16987 - ALTER DATABASE possible in read-only mode
(forbid ALTER DATABASE in read_only)
* MDEV-17720 - slave_ddl_exec_mode=IDEMPOTENT does not handle
DROP DATABASE
* MDEV-6453 - Assertion `inited==NONE || (inited==RND && scan)'
failed in handler::ha_rnd_init(bool) with InnoDB, joins,
AND/OR conditions
* MDEV-18105 - Mariabackup fails to copy encrypted InnoDB
system tablespace if LSN>4G
* MDEV-18041 - Database corruption after renaming a
prefix-indexed column [bsc#1120041]
* MDEV-17470 - Orphan temporary files after interrupted ALTER
cause InnoDB: Operating system error number 17 and eventual
fatal error 71
* MDEV-17833: ALTER TABLE is not enforcing prefix index size
limit
* MDEV-17989: InnoDB: Failing assertion:
dict_tf2_is_valid(flags, flags2)
* MDEV-17765: Locking bug fix for SPATIAL INDEX
* MDEV-17923, MDEV-17904, MDEV-17938: Fixes for FULLTEXT INDEX
* Fixes for regressions introduced in MariaDB Server 10.2.19 by
the backup-safe TRUNCATE TABLE (MDEV-13564,
innodb_safe_truncate=ON) and innodb_undo_log_truncate:
* MDEV-17780, MDEV-17816, MDEV-17849, MDEV-17851, MDEV-17885
* Several improvements to MariaDB Server and backup for dealing
with encrypted or page_compressed pages:
* MDEV-12112: corruption in encrypted table may be overlooked
* MDEV-17958: On little-endian systems, remove bug-compatible
variant of innodb_checksum_algorithm=crc32
* MDEV-17957: Make innodb_checksum_algorithm stricter for
strict_* values
* MDEV-18025: Mariabackup fails to detect corrupted
page_compressed=1 tables
* release notes and changelog:
- https://mariadb.com/kb/en/library/mariadb-10221-release-notes
- https://mariadb.com/kb/en/library/mariadb-10221-changelog
- https://mariadb.com/kb/en/library/mariadb-10220-release-notes
- https://mariadb.com/kb/en/library/mariadb-10220-changelog
- remove PerconaFT from the package as it has AGPL licence (bsc#1118754)
- Add patch to link against libatomic where necessary and
use C++11 atomics instead of gcc built-in atomics
- update to 10.2.19 GA [bsc#1116686]
* innodb_safe_truncate system variable for a backup-safe
TRUNCATE TABLE implementation that is based on RENAME,
CREATE, DROP (MDEV-14717, MDEV-14585, MDEV-13564). Default
value for this variable is ON. If you absolutely must use
XtraBackup instead of Mariabackup, you can set it to OFF and
restart the server
* MDEV-17289: Multi-pass recovery fails to apply some redo
log records
* MDEV-17073: INSERT…ON DUPLICATE KEY UPDATE became more
deadlock-prone
* MDEV-17491: micro optimize page_id_t
* MDEV-13671: InnoDB should use case-insensitive column name
comparisons like the rest of the server
* Fixes for indexed virtual columns: MDEV-17215, MDEV-16980
* MDEV-17433: Allow InnoDB start up with empty ib_logfile0
from mariabackup --prepare
* MDEV-12547: InnoDB FULLTEXT index has too strict
innodb_ft_result_cache_limit max limit
* MDEV-17541: KILL QUERY during lock wait in FOREIGN KEY
check causes hang
* MDEV-17531: Crash in RENAME TABLE with FOREIGN KEY and
FULLTEXT INDEX
* MDEV-17532: Performance_schema reports wrong directory for
the temporary files of ALTER TABLE…ALGORITHM=INPLACE
* MDEV-17545: Predicate lock for SPATIAL INDEX should lock
non-matching record
* MDEV-17546: SPATIAL INDEX should not be allowed for
FOREIGN KEY
* MDEV-17548: Incorrect access to off-page column for
indexed virtual column
* MDEV-12023: Assertion failure sym_node->table != NULL
on startup
* MDEV-17230: encryption_key_id from alter is ignored by
encryption threads
* release notes and changelog:
- https://mariadb.com/kb/en/library/mariadb-10219-release-notes
- https://mariadb.com/kb/en/library/mariadb-10219-changelog
- do not pack libmariadb.pc (packed in mariadb-connector-c)
- add 'Requires: libmariadb_plugins' to the mariadb-test subpackage
in order to be able to test client plugins successfuly
(bsc#1111859)
- don't remove debug_key_management.so anymore (bsc#1111858)
- update to 10.2.18 GA
* MDEV-15511 - if available, stunnel can be used during Galera
rsync SST
* MDEV-16791 - mariabackup: Support DDL commands during backup
* MDEV-13564 - Refuse MLOG_TRUNCATE in mariabackup
* MDEV-16934 - add new system variable eq_range_index_dive_limit
to speed up queries that new long nested IN lists. The default
value, for backward compatibility, is 0 meaning 'unlimited'.
* MDEV-13333 - errors on InnoDB lock conflict
* Report all InnoDB redo log corruption
* MDEV-17043 - Purge of indexed virtual columns may cause hang
on table-rebuilding DDL
* MDEV-16868 - corruption of InnoDB temporary tables
* MDEV-16465 - Invalid (old?) table or database name or hang
in ha_innobase::delete_table and log semaphore wait upon
concurrent DDL with foreign keys
* release notes and changelog:
- https://mariadb.com/kb/en/library/mariadb-10218-release-notes
- https://mariadb.com/kb/en/library/mariadb-10218-changelog
- update to 10.2.17 GA
* New variable innodb_log_optimize_ddl for avoiding delay due
to page flushing and allowing concurrent backup
* InnoDB updated to 5.7.23
* MDEV-14637 - Fix hang due to DDL with FOREIGN KEY or
persistent statistics
* MDEV-15953 - Alter InnoDB Partitioned Table Moves Files
(which were originally not in the datadir) to the datadir
* MDEV-16515 - InnoDB: Failing assertion: ++retries < 10000 in
file dict0dict.cc line 2737
* MDEV-16809 - Allow full redo logging for ALTER TABLE
* Temporary tables: MDEV-16713 - InnoDB hang with repeating
log entry
* indexed virtual columns: MDEV-15855 - Deadlock between purge
thread and DDL statement
* MDEV-16664 - Change the default to
innodb_lock_schedule_algorithm=fcfs
* Galera: MDEV-15822 - WSREP: BF lock wait long for trx
* release notes and changelog:
- https://mariadb.com/kb/en/library/mariadb-10217-release-notes
- https://mariadb.com/kb/en/library/mariadb-10217-changelog
- switch to libedit as control sequences were already fixed there
so we don't have to avoid it (bsc#1098683)
- update to 10.2.16 GA
* MDEV-13122: mariabackup now supports MyRocks
* MDEV-13779 - InnoDB fails to shut down purge workers, causing
hang
* MDEV-16267 - Wrong INFORMATION_SCHEMA.INNODB_BUFFER_PAGE.\
TABLE_NAME
* MDEV-13834 - Upgrade failure from 10.1 innodb_encrypt_log
* MDEV-16283 - ALTER TABLE...DISCARD TABLESPACE still takes long
on a large buffer pool
* MDEV-16376 - ASAN: heap-use-after-free in
gcol.innodb_virtual_debug
* MDEV-15824 - innodb_defragment=ON trumps
innodb_optimize_fulltext_only=ON in OPTIMIZE TABLE
* MDEV-16124 - fil_rename_tablespace() times out and crashes
server during table-rebuilding ALTER TABLE
* MDEV-16416 - Crash on IMPORT TABLESPACE of a
ROW_FORMAT=COMPRESSED table
* MDEV-16456 - InnoDB error 'returned OS error 71' complains
about wrong path
* MDEV-13103 - Deal with page_compressed page corruption
* MDEV-16496 - Mariabackup: Implement --verbose option to
instrument InnoDB log apply
* MDEV-16087 - Inconsistent SELECT results when query cache
is enabled
* MDEV-15114 - ASAN heap-use-after-free in mem_heap_dup or
dfield_data_is_binary_equal (fix for indexed virtual columns)
* release notes and changelog:
- https://mariadb.com/kb/en/library/mariadb-10216-release-notes
- https://mariadb.com/kb/en/library/mariadb-10216-changelog
- pack wsrep_sst_rsync_wan file to galera subpackage
Bug fixes and changes for galera-3:
- update to 25.3.24:
* A support for new certification key type was added to allow
more relaxed certification rules for foreign key references (galera#491).
* New status variables were added to display the number of open transactions
and referenced client connections inside Galera provider (galera#492).
* GCache was sometimes cleared unnecessarily on startup if the recovered
state had smaller sequence number than the highest found from GCache.
Now only entries with sequence number higher than recovery point will be
cleared (galera#498).
* Non-primary configuration is saved into grastate.dat only when if the
node is in closing state (galera#499).
* Exception from GComm was not always handled properly resulting in
Galera to remain in half closed state. This was fixed by propagating the
error condition appropriately to upper layers (galera#500).
* A new status variable displaying the total weight of the cluster nodes
was added (galera#501).
* The value of pc.weight did not reflect the actual effective value after
setting it via wsrep_provider_options. This was fixed by making sure that
the new value is taken into use before returning the control back to
caller (galera#505, MDEV-11959)
* Use of ECHD algorithms with old OpenSSL versions was enabled (galera#511).
* Default port value is now used by garbd if the port is not explicitly
given in cluster address (MDEV-15531).
* Correct error handling for posix_fallocate().
* Failed causal reads are retried during configuration changes.
Bug fixes and changes for mariadb-connector-c:
- New upstream version 3.0.6
* MDEV-15263: FIx IS_NUM() macro
* CONC-297: local infile parameter must be unsigned int instead
of my_bool
* CONC-329: change return value of internal socket functions
from my_bool to int
* CONC-332: my_auth doesn't read/update server ok packet
* CONC-344: reset internal row counter
* CONC-345: invalid heap use after free
* CONC-346: Remove old cmake policies
* fixed crash in mysql_select_db if NULL parameter was provided
- New upstream version 3.0.5
* CONC-336: Allow multiple initialization of client library
* Fixed string to MYSQL_TIME conversion (prepared statements)
* CONC-334: Copy all members of MYSQL_FIELD to internal
statement structure
* Fixed double free in dynamic column library
* Added checks for corrupted packets in protocol
* MDEV-15450: Added default connection attribute _server_host
* CONC-326: fixed wrong openssl thread id callback
- New upstream version 3.0.4
* Added option MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS for
mysql_options()/mysql_optionsv():
* New plugin configuration interface: The default configuration
for a specific plugin can be specified via cmake parameter
-DCLIENT_PLUGIN_${PLUGIN}=[DYNAMIC|STATIC|OFF].
* Added support for linux abstract socket (MDEV-15655).
* CONC-320: Added asynchronous/non-blocking support for
OpenSSL and GnuTLS
* CONC-294: Access violation in mysql_close when using
a connection plugin.
* MDEV-14977: If built dynamically the old_password plugin
could not be located due to wrong filename (must be
mysql_old_password.so instead of old_password.so).
* CONC-315: If no default client character set was specified,
the utf8 character set will be used by default (instead of
setting the client character set to server character set)
* CONC-317: Parsing of configuration file fails if key/value
pairs contain white spaces.
* CONC-322: Correct handling of EAGAIN and EINPROGRESS in
internal_connect (socket) for non windows platforms.
* CONC-323: mariadb_stmt_execute_direct hangs forever if
compression used.
* CONC-324: Wrong codepage numbers for some collations.
* CONC-326: ssl_thread_init() uses wrong openssl threadid
callback
- Drop libmysqlclient_r Provides from the -devel package.
(bsc#1097938)
ImportantSUSE bug 1013882SUSE bug 1097938SUSE bug 1098683SUSE bug 1101676SUSE bug 1101677SUSE bug 1101678SUSE bug 1103342SUSE bug 1111858SUSE bug 1111859SUSE bug 1112368SUSE bug 1112377SUSE bug 1112384SUSE bug 1112386SUSE bug 1112391SUSE bug 1112397SUSE bug 1112404SUSE bug 1112415SUSE bug 1112417SUSE bug 1112421SUSE bug 1112432SUSE bug 1116686SUSE bug 1118754SUSE bug 1120041CVE-2016-9843 at SUSECVE-2016-9843 at NVDCVE-2018-3058 at SUSECVE-2018-3058 at NVDCVE-2018-3060 at SUSECVE-2018-3060 at NVDCVE-2018-3063 at SUSECVE-2018-3063 at NVDCVE-2018-3064 at SUSECVE-2018-3064 at NVDCVE-2018-3066 at SUSECVE-2018-3066 at NVDCVE-2018-3143 at SUSECVE-2018-3143 at NVDCVE-2018-3156 at SUSECVE-2018-3156 at NVDCVE-2018-3162 at SUSECVE-2018-3162 at NVDCVE-2018-3173 at SUSECVE-2018-3173 at NVDCVE-2018-3174 at SUSECVE-2018-3174 at NVDCVE-2018-3185 at SUSECVE-2018-3185 at NVDCVE-2018-3200 at SUSECVE-2018-3200 at NVDCVE-2018-3251 at SUSECVE-2018-3251 at NVDCVE-2018-3277 at SUSECVE-2018-3277 at NVDCVE-2018-3282 at SUSECVE-2018-3282 at NVDCVE-2018-3284 at SUSECVE-2018-3284 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for freeradius-server (Moderate)SUSE OpenStack Cloud 8
This update for freeradius-server fixes the following issues:
- CVE-2019-13456: Fixed a side-channel password leak in EAP-pwd
(bsc#1144524).
- CVE-2019-17185: Fixed a debial of service due to multithreaded
BN_CTX access (bsc#1166847).
- Fixed an issue in TLS-EAP where the OCSP verification, when an
intermediate client certificate was not explicitly trusted
(bsc#1146848).
ModerateSUSE bug 1144524SUSE bug 1146848SUSE bug 1166847CVE-2019-13456 at SUSECVE-2019-13456 at NVDCVE-2019-17185 at SUSECVE-2019-17185 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for cups (Important)SUSE OpenStack Cloud 8
This update for cups fixes the following issues:
- CVE-2020-3898: Fixed a heap buffer overflow in ppdFindOption() (bsc#1168422).
ImportantSUSE bug 1168422CVE-2020-3898 at SUSECVE-2020-3898 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ardana-ansible, ardana-barbican, ardana-db, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, documentation-suse-openstack-cloud, memcached, openstack-manila, openstack-neutron, openstack-nova, pdns, python-amqp, rubygem-puma, zookeeper (Moderate)SUSE OpenStack Cloud 8
This update for ardana-ansible, ardana-barbican, ardana-db, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, documentation-suse-openstack-cloud, memcached, openstack-manila, openstack-neutron, openstack-nova, pdns, python-amqp, rubygem-puma, zookeeper contains the following fixes:
Security fix for rubygem-puma:
- CVE-2020-5247: Fixed an issue where the newlines in headers according to Rack spec were not split (bsc#1165402)
Security fix for openstack-manila:
- CVE-2020-9543: Fixed an issue where an attacker could view, update, delete, or share resources that do not
Security fixes for memcached:
- CVE-2019-15026: Fixed a stack-based buffer over-read in conn_to_str() in memcached.c (bsc#1149110).
- CVE-2019-11596: Fixed NULL pointer dereference in process_lru_command() in memcached.c (bsc#1133817).
Security fixes for pdns:
- CVE-2019-3871: Fixed a denial of service with the HTTP remote backend when the attacker can send crafted DNS queries (bsc#1129734).
- CVE-2018-10851: Fixed a denial of service via crafted zone record (bnc#1114157).
- CVE-2018-14626: Fixed a denial of service by hiding DNSSEC records using a crafted DNS query (bsc#1114169).
Security fixes for zookeeper:
- CVE-2019-0201: Fixed an information disclosure in the ACL handling (bsc#1135773).
- CVE-2017-5637: Fixed incorrect input validation with wchp/wchc four letter words (bsc#1040519).
Changes in ardana-ansible:
- Update to version 8.0+git.1583432621.24fa60e:
* Upgrade pre-checks in Cloud 8 and Cloud 9 (SOC-10300)
Changes in ardana-barbican:
- Update to version 8.0+git.1585152761.8ef3d61:
* monitor ardana-node-cert (SOC-10873)
Changes in ardana-db:
- Update to version 8.0+git.1583944923.03cca6c:
* monitor MySQL TLS certificate (SOC-10873)
Changes in ardana-monasca:
- Update to version 8.0+git.1583944894.38f023a:
* Add certificate file check alarm (SOC-10873)
Changes in ardana-mq:
- Update to version 8.0+git.1583944811.dc14403:
* monitor RabbitMQ TLS certificate (SOC-10873)
Changes in ardana-neutron:
- Update to version 8.0+git.1584715262.e4ea620:
* Add symlink for neutron-fwaas.json.j2 (bsc#1166290)
Changes in ardana-octavia:
- Update to version 8.0+git.1585171918.418f5cf:
* Reconfigure monitor if needed (SOC-10873)
- Update to version 8.0+git.1585168661.135c735:
* fix Octavia client cert redeploy (SOC-10873)
- Update to version 8.0+git.1585152502.f15907a:
* monitor Octavia client certificate (SOC-10873)
Changes in ardana-tempest:
- Update to version 8.0+git.1585311051.6ab5488:
* Enable port-security feature in tempest(SOC-11027)
Changes in crowbar-core:
- Update to version 5.0+git.1585575551.16781d00d:
* upgrade: Point to config dir instead of config file (SOC-11171)
* upgrade: Do not call neutron-evacuate-lbaasv2-agent with use_crm (SOC-11171)
- Update to version 5.0+git.1585316726.670746c8c:
* upgrade: Fix systemd unit listing (trivial)
- Update to version 5.0+git.1585213241.46f12f9be:
* upgrade: Remove the assignement of crowbar-upgrade role (SOC-11166)
- Update to version 5.0+git.1585118470.eed9020de:
* Update the default value of OS version (trivial)
* Ignore CVE-2020-5267 in CI (bsc#1167240)
* Ignore CVE-2020-10663 in CI (bsc#1167244)
- Update to version 5.0+git.1583911121.d6b4b4b1a:
* ses: Make SES UI safe for unknown options (trivial)
* ses: Use cinder user for nova (SOC-11119)
* ses: Added helper for populating cinder volumes (SOC-11117)
* ses: Add ses cookbook (SOC-11114)
* ses: Configuration upload (SOC-11115)
- Update to version 5.0+git.1583309007.e3a8b81e9:
* Ignore CVE-2020-8130 in CI (bsc#1164804)
* Ignore CVE-2020-5247 (bsc#1165402)
Changes in crowbar-ha:
- Update to version 5.0+git.1585316176.344190f:
* add ssl termination on haproxy (bsc#1149535)
Changes in crowbar-openstack:
- Update to version 5.0+git.1585304226.2164b7895:
* nova: Fix migration numbers (trivial)
- Update to version 5.0+git.1584692779.369c58aca:
* nova: Drop redundant disk_cachemodes (trivial)
* nova: Add option to disable ephemeral on ceph (SOC-11119)
* keystone: Register SES RadosGW endpoints (SOC-5270)
* heat: Increase heat_register syncmark timeout (SOC-11103)
* heat: Simplify domain registration code (SOC-11103)
* nova: Setup CEPH secrets later (SOC-11141)
* nova: Enable ephemeral volumes on SES (SOC-11119)
* glance: Set SES as default for new deployments (SOC-11118)
* cinder: Correctly show old internal backends (SOC-11117)
* nova: SES integration (SOC-11117)
* nova: Hound fixes (trivial)
* nova: Better error handling when Cephx auth is failing (noref)
* nova: delete libvirt secret snippet immediately (noref)
* nova: reduce nesting of ceph management code (noref)
* nova: Remove obsolete rbd/ceph attributes (trivial)
* cinder: SES integration (SOC-11117)
* cinder: Disable use_crowbar default (SOC-11117)
* glance: SES integration (SOC-11118)
Changes in documentation-suse-openstack-cloud:
- Update to version 8.20200319:
* Adding ses-integration docs to cloud 8 (noref)
* Fix bsc-1130532. Add feedback
* fix bsc-1130532
- Update to version 8.20200116:
* Fixing links from suse.com/doc to new URL (noref)
- Update to version 8.20200224:
* Designate: add instructions on using PowerDNS backend (SOC-11051)
* Designate: recommend deploying DNS in a cluster in HA deployment (SOC-10636)
* message to add non-admin node for public network (SOC-10658)
* update designate deployment (SOC-8739)
* add designate barclamp (SCRD-8739)
* remove Designate name server instruction (bsc#1125357,SCRD-7649)
- Update to version 8.20200130:
* Add instructions for lbaas v2 loadbalancers (SOC-10980) (#1253)
- Update to version 8.20191211:
* Specify that manila-share should be installed on the control node (SOC-10938) (#1230)
* Remove (commented) mention of phrases-decl.ent (trivial)
- Update to version 8.20191206:
* Clarify keyring chown instructions for Ceph (bsc#1111180)
* Clarify VSA/Ceph support in HOS 8 , SOC-10981 (bsc#144694)
- Update to version 8.20191205:
* Update incorrect Manila install/setup instructions (SOC-10975)
- Update to version 8.20191029:
* Supplement/UAdmin: Group guides on documentation.suse.com (trivial)
- Update to version 8.20191023:
* fix instructions for TLS certitificate renewal (SOC-10846)
- Update to version 8.20191002:
* Added missing edit (SOC-8480)
* Adding Carl's second round of edits (SOC-8480)
* Removing accidentally re-added guilabels (SOC-8480)
* Applying Carl's edits (SOC-8480)
* Optimizing PNGs (SOC-8480)
* Removing guilabel complaint (SOC-8480)
* Adding xi:include to commit (SOC-8480)
* Add SSLCA-SelfSigned cert info to SOC Crowbar documentation (SOC-8480)
* Add SSLCA-SelfSigned cert info to SOC Crowbar documentation (SOC-8480)
- Update to version 8.20190923:
* remove zvm references, only in SOC6 (noref)
- Update to version 8.20190920:
* remove workaround, leave description (bsc#1151206)
* add qos to neutron not supported (bsc#1151206)
- Update to version 8.20190829:
* add available clients, dedicated CLM (bsc#1148426)
* add tempest to service components, dedicated CLM (bsc#1148426)
- Update to version 8.20190823:
* Create CC-BY license file (noref)
* for MariaDB update, db cluster must be running, healthy (bsc#1132852)
- Update to version 8.20190820:
* Fix broken URLs (SOC-10109)
- Update to version 8.20190820:
* add requirement for dummy entries in servers.yml (bsc#1146206)
- Update to version 8.20190816:
* add workaround for partition image resize (bsc#1145498)
- Update to version 8.20190813:
* MANAGEMENT network group cannot be changed, is required (SOC-10106)
* remove NSX references from Crowbar deployment (SOC-10081)
Changes in memcached:
- version update to 1.5.17
* bugfixes
fix strncpy call in stats conns to avoid ASAN violation (bsc#1149110, CVE-2019-15026)
extstore: fix indentation
add error handling when calling dup function
add unlock when item_cachedump malloc failed
extstore: emulate pread(v) for macOS
fix off-by-one in logger to allow CAS commands to be logged.
use strdup for explicitly configured slab sizes
move mem_requested from slabs.c to items.c (internal cleanup)
* new features
add server address to the 'stats conns' output
log client connection id with fetchers and mutations
Add a handler for seccomp crashes
- version update to 1.5.16
* bugfixes
When nsuffix is 0 space for flags hasn't been allocated so don't memcpy them.
- version update to 1.5.15
* bugfixes
Speed up incr/decr by replacing snprintf.
Use correct buffer size for internal URI encoding.
change some links from http to https
Fix small memory leak in testapp.c.
free window_global in slab_automove_extstore.c
remove inline_ascii_response option
-Y [filename] for ascii authentication mode
fix: idle-timeout wasn't compatible with binprot
* features
-Y [authfile] enables an authentication mode for ASCII protocol.
- modified patches
% memcached-autofoo.patch (refreshed)
- version update to 1.5.14
* update -h output for -I (max item size)
* fix segfault in 'lru' command (bsc#1133817, CVE-2019-11596)
* fix compile error on centos7
* extstore: error adjusting page_size after ext_path
* extstore: fix segfault if page_count is too high.
* close delete + incr item survival race bug
* memcached-tool dump fix loss of exp value
* Fix 'qw' in 'MemcachedTest.pm' so wait_ext_flush is exported properly
* Experimental TLS support.
* Basic implementation of TLS for memcached.
* Improve Get And Touch documentation
* fix INCR/DECR refcount leak for invalid items
- modified patches
% memcached-autofoo.patch (refreshed)
- Version bump to 1.5.11:
* extstore: balance IO thread queues
- Drop memcached-fix_test.patch that is present now upstream
- Add patch to fix aarch64, ppc64* and s390x tests:
* memcached-fix_test.patch
- Fix linter errors regarding COPYING
- update to 1.5.10:
* disruptive change in extstore: -o ext_page_count= is deprecated
and no longer works. To specify size: -o ext_path=/d/m/e:500G
extstore figures out the page count based on your desired page
size. M|G|T|P supported.
* extstore: Add basic JBOD support: ext_path can be specified
multiple times for striping onto simimar devices
* fix alignment issues on some ARM platforms for chunked items
- Update to 1.5.9:
* Bugfix release.
* Important note: if using --enable-seccomp, privilege dropping
is no longer on by default. The feature is experimental and many
users are reporting hard to diagnose problems on varied platforms.
* Seccomp is now marked EXPERIMENTAL, and must be explicitly
enabled by adding -o drop_privileges. Once we're more confident
with the usability of the feature, it will be enabled in -o modern,
like any other new change. You should only use it if you are
willing to carefully test it, especially if you're a vendor or
distribution.
* Also important is a crash fix in extstore when using the ASCII
protocol, large items, and running low on memory.
- update to 1.5.8:
* Bugfixes for seccomp and extstore
* Extstore platform portability has been greatly improved for ARM
and 32bit systems
- includes changes from 1.5.7:
* Fix alignment issues for 64bit ARM processors
* Fix seccomp portability
* Fix refcount leak with extstore while using binary touch commands
- turn on the testsuite again, it seems to pass server side,
too
- Home directory shouldn't be world readable bsc#1077718
- Mention that this stream isn't affected by bsc#1085209,
CVE-2018-1000127 to make the checker bots happy.
Changes in openstack-manila:
- Update to version manila-5.1.1.dev5:
* Fix manila-tempest-minimal-dsvm-lvm-centos-7 job
* share\_networks: enable project\_only API only
Changes in openstack-manila:
- Rebased patches:
+ cve-2020-9543-stable-pike.patch dropped (merged upstream)
- Update to version manila-5.1.1.dev5:
* Fix manila-tempest-minimal-dsvm-lvm-centos-7 job
* share\_networks: enable project\_only API only
Changes in openstack-neutron:
- Update to version neutron-11.0.9.dev63:
* ovs agent: signal to plugin if tunnel refresh needed
* Do not initialize snat-ns twice
Changes in openstack-neutron:
- Update to version neutron-11.0.9.dev63:
* ovs agent: signal to plugin if tunnel refresh needed
* Do not initialize snat-ns twice
Changes in openstack-nova:
- Update to version nova-16.1.9.dev61:
* Avoid circular reference during serialization
* Mask the token used to allow access to consoles
* Improve metadata server performance with large security groups
* Remove exp legacy-tempest-dsvm-full-devstack-plugin-nfs
- Update to version nova-16.1.9.dev54:
* pike-only: remove broken non-voting ceph jobs
* nova-live-migration: Wait for n-cpu services to come up after configuring Ceph
* rt: only map compute node if we created it
Changes in openstack-nova:
- Update to version nova-16.1.9.dev61:
* Avoid circular reference during serialization
* Mask the token used to allow access to consoles
* Improve metadata server performance with large security groups
* Remove exp legacy-tempest-dsvm-full-devstack-plugin-nfs
- Update to version nova-16.1.9.dev54:
* pike-only: remove broken non-voting ceph jobs
* nova-live-migration: Wait for n-cpu services to come up after configuring Ceph
* rt: only map compute node if we created it
Changes in pdns:
- Add missing 'BuildRequires: libmysqlclient-devel' to allow
the package to build correctly.
- CVE-2019-3871-auth-4.1.6.patch: fixes insufficient validation in
HTTP remote backend (bsc#1129734, CVE-2019-3871)
- CVE-2018-10851-auth-4.1.4.patch: fixes DoS via crafted zone record
(bnc#1114157, CVE-2018-10851)
- CVE-2018-14626-auth-4.1.4.patch: fixes an issue allowing a
remote user to craft a DNS query that will cause an answer without
DNSSEC records to be inserted into the packet cache and be
returned to clients asking for DNSSEC records, thus hiding
the presence of DNSSEC signatures leading to a potential DoS
(bsc#1114169, CVE-2018-14626)
Changes in python-amqp:
- Make it build for SLE12SP3:
- remove pytest-sugar build dependency
- used %doc macro instead of %license
- Removed patches that are already included in 2.4.2
- 0002-Do_not_send_AAAA_DNS_request_when_domain_resolved_to_IPv4_address.patch (SOC-9144)
- 0001-Always-treat-SSLError-timeouts-as-socket-timeouts-24.patch (bsc#1115904)
- Update to 2.4.2:
- Added support for the Cygwin platform
- Correct offset incrementation when parsing bitmaps.
- Consequent bitmaps are now parsed correctly.
- Better call of py.test
- Add versions to dependencies
- Remove python-sasl from build dependencies
- Update to version 2.4.1
* To avoid breaking the API basic_consume() now returns the consumer tag
instead of a tuple when nowait is True.
* Fix crash in basic_publish when broker does not support connection.blocked
capability.
* read_frame() is now Python 3 compatible for large payloads.
* Support float read_timeout/write_timeout.
* Always treat SSLError timeouts as socket timeouts.
* Treat EWOULDBLOCK as timeout.
- from 2.4.0
* Fix inconsistent frame_handler return value.
The function returned by frame_handler is meant to return True
once the complete message is received and the callback is called,
False otherwise.
This fixes the return value for messages with a body split across
multiple frames, and heartbeat frames.
* Don't default content_encoding to utf-8 for bytes.
This is not an acceptable default as the content may not be
valid utf-8, and even if it is, the producer likely does not
expect the message to be decoded by the consumer.
* Fix encoding of messages with multibyte characters.
Body length was previously calculated using string length,
which may be less than the length of the encoded body when
it contains multibyte sequences. This caused the body of
the frame to be truncated.
* Respect content_encoding when encoding messages.
Previously the content_encoding was ignored and messages
were always encoded as utf-8. This caused messages to be
incorrectly decoded if content_encoding is properly respected
when decoding.
* Fix AMQP protocol header for AMQP 0-9-1.
Previously it was set to a different value for unknown reasons.
* Add support for Python 3.7.
Change direct SSLSocket instantiation with wrap_socket.
* Add support for field type 'x' (byte array).
* If there is an exception raised on Connection.connect or
Connection.close, ensure that the underlying transport socket
is closed. Adjust exception message on connection errors as well.
* TCP_USER_TIMEOUT has to be excluded from KNOWN_TCP_OPTS in BSD platforms.
* Handle negative acknowledgments.
* Added integration tests.
* Fix basic_consume() with no consumer_tag provided.
* Improved empty AMQPError string representation.
* Drain events before publish.
This is needed to capture out of memory messages for clients that only
publish. Otherwise on_blocked is never called.
* Don't revive channel when connection is closing.
When connection is closing don't raise error when Channel.Close
method is received.
Changes in zookeeper:
- Apply 0002-Apply-patch-to-resolve-CVE-2019-0201.patch
This applies the patch for ZOOKEEPER-1392 to resolve CVE-2019-0201
Should not allow to read ACL when not authorized to read node
(bsc#1135773)
- Various cleanups in spec file
- Fixed off-by-one in zkCleanTRX.sh and made output more useful (bsc#1048688, FATE#323204)
- Fixed ExecStartPre statment in service file
- added zkCleanTRX.sh to clean up 0 length transaction logs
- Update to to zookeeper-3.4.10 (bsc#1040519)
* Fixes CVE-2017-5637
- Remove Changes.txt (missing as of 3.4.10)
ModerateSUSE bug 1040519SUSE bug 1048688SUSE bug 1077718SUSE bug 1111180SUSE bug 1114157SUSE bug 1114169SUSE bug 1115904SUSE bug 1125357SUSE bug 1129734SUSE bug 1132852SUSE bug 1133817SUSE bug 1135773SUSE bug 1145498SUSE bug 1146206SUSE bug 1148426SUSE bug 1149110SUSE bug 1149535SUSE bug 1151206SUSE bug 1165402SUSE bug 1165643SUSE bug 1166290SUSE bug 1167240SUSE bug 144694CVE-2017-5637 at SUSECVE-2017-5637 at NVDCVE-2018-10851 at SUSECVE-2018-10851 at NVDCVE-2018-14626 at SUSECVE-2018-14626 at NVDCVE-2019-0201 at SUSECVE-2019-0201 at NVDCVE-2019-11596 at SUSECVE-2019-11596 at NVDCVE-2019-15026 at SUSECVE-2019-15026 at NVDCVE-2019-3871 at SUSECVE-2019-3871 at NVDCVE-2020-5247 at SUSECVE-2020-5247 at NVDCVE-2020-9543 at SUSECVE-2020-9543 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for pam_radius (Important)SUSE OpenStack Cloud 8
This update for pam_radius fixes the following issues:
- CVE-2015-9542: Fixed a buffer overflow in password field (bsc#1163933).
- On s390x didn't decrypt passwords correctly (bsc#1141670).
ImportantSUSE bug 1141670SUSE bug 1163933CVE-2015-9542 at SUSECVE-2015-9542 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud 8
This update for webkit2gtk3 to version 2.28.1 fixes the following issues:
Security issues fixed:
- CVE-2020-10018: Fixed a denial of service because the m_deferredFocusedNodeChange data structure was mishandled (bsc#1165528).
- CVE-2020-11793: Fixed a potential arbitrary code execution caused by a use-after-free vulnerability (bsc#1169658).
- CVE-2019-8835: Fixed multiple memory corruption issues (bsc#1161719).
- CVE-2019-8844: Fixed multiple memory corruption issues (bsc#1161719).
- CVE-2019-8846: Fixed a use-after-free issue (bsc#1161719).
- CVE-2020-3862: Fixed a memory handling issue (bsc#1163809).
- CVE-2020-3867: Fixed an XSS issue (bsc#1163809).
- CVE-2020-3868: Fixed multiple memory corruption issues that could have lead to arbitrary code execution (bsc#1163809).
- CVE-2020-3864,CVE-2020-3865: Fixed logic issues in the DOM object context handling (bsc#1163809).
Non-security issues fixed:
- Add API to enable Process Swap on (Cross-site) Navigation.
- Add user messages API for the communication with the web extension.
- Add support for same-site cookies.
- Service workers are enabled by default.
- Add support for Pointer Lock API.
- Add flatpak sandbox support.
- Make ondemand hardware acceleration policy never leave accelerated compositing mode.
- Always use a light theme for rendering form controls.
- Add about:gpu to show information about the graphics stack.
- Fixed issues while trying to play a video on NextCloud.
- Fixed vertical alignment of text containing arabic diacritics.
- Fixed build with icu 65.1.
- Fixed page loading errors with websites using HSTS.
- Fixed web process crash when displaying a KaTeX formula.
- Fixed several crashes and rendering issues.
- Switched to a single web process for Evolution and geary (bsc#1159329).
ImportantSUSE bug 1155321SUSE bug 1156318SUSE bug 1159329SUSE bug 1161719SUSE bug 1163809SUSE bug 1165528SUSE bug 1169658CVE-2019-8625 at SUSECVE-2019-8625 at NVDCVE-2019-8710 at SUSECVE-2019-8710 at NVDCVE-2019-8720 at SUSECVE-2019-8720 at NVDCVE-2019-8743 at SUSECVE-2019-8743 at NVDCVE-2019-8764 at SUSECVE-2019-8764 at NVDCVE-2019-8766 at SUSECVE-2019-8766 at NVDCVE-2019-8769 at SUSECVE-2019-8769 at NVDCVE-2019-8771 at SUSECVE-2019-8771 at NVDCVE-2019-8782 at SUSECVE-2019-8782 at NVDCVE-2019-8783 at SUSECVE-2019-8783 at NVDCVE-2019-8808 at SUSECVE-2019-8808 at NVDCVE-2019-8811 at SUSECVE-2019-8811 at NVDCVE-2019-8812 at SUSECVE-2019-8812 at NVDCVE-2019-8813 at SUSECVE-2019-8813 at NVDCVE-2019-8814 at SUSECVE-2019-8814 at NVDCVE-2019-8815 at SUSECVE-2019-8815 at NVDCVE-2019-8816 at SUSECVE-2019-8816 at NVDCVE-2019-8819 at SUSECVE-2019-8819 at NVDCVE-2019-8820 at SUSECVE-2019-8820 at NVDCVE-2019-8823 at SUSECVE-2019-8823 at NVDCVE-2019-8835 at SUSECVE-2019-8835 at NVDCVE-2019-8844 at SUSECVE-2019-8844 at NVDCVE-2019-8846 at SUSECVE-2019-8846 at NVDCVE-2020-10018 at SUSECVE-2020-10018 at NVDCVE-2020-11793 at SUSECVE-2020-11793 at NVDCVE-2020-3862 at SUSECVE-2020-3862 at NVDCVE-2020-3864 at SUSECVE-2020-3864 at NVDCVE-2020-3865 at SUSECVE-2020-3865 at NVDCVE-2020-3867 at SUSECVE-2020-3867 at NVDCVE-2020-3868 at SUSECVE-2020-3868 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for shibboleth-sp (Moderate)SUSE OpenStack Cloud 8
This update for shibboleth-sp fixes the following issues:
Security issue fixed:
- CVE-2019-19191: Fixed escalation to root by fixing ownership of log files (bsc#1157471).
ModerateSUSE bug 1157471CVE-2019-19191 at SUSECVE-2019-19191 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ceph (Important)SUSE OpenStack Cloud 8
This update for ceph fixes the following issues:
- CVE-2020-12059: Fixed a denial of service caused by a specially crafted XML payload on POST requests (bsc#1170170).
ImportantSUSE bug 1170170CVE-2020-12059 at SUSECVE-2020-12059 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for LibVNCServer (Important)SUSE OpenStack Cloud 8
This update for LibVNCServer fixes the following issues:
- CVE-2019-15690: Fixed a heap buffer overflow (bsc#1160471).
- CVE-2019-15681: Fixed a memory leak which could have allowed to a remote attacker to read stack memory (bsc#1155419).
- CVE-2019-20788: Fixed a integer overflow and heap-based buffer overflow via a large height or width value (bsc#1170441).
ImportantSUSE bug 1155419SUSE bug 1160471SUSE bug 1170441CVE-2019-15681 at SUSECVE-2019-15681 at NVDCVE-2019-15690 at SUSECVE-2019-15690 at NVDCVE-2019-20788 at SUSECVE-2019-20788 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for icu (Moderate)SUSE OpenStack Cloud 8
This update for icu fixes the following issues:
- CVE-2020-10531: Fixed integer overflow in UnicodeString:doAppend() (bsc#1166844).
ModerateSUSE bug 1166844CVE-2020-10531 at SUSECVE-2020-10531 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openldap2 (Important)SUSE OpenStack Cloud 8
This update for openldap2 fixes the following issues:
- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).
ImportantSUSE bug 1170771CVE-2020-12243 at SUSECVE-2020-12243 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud 8
This update for webkit2gtk3 fixes the following issues:
Security issue fixed:
- CVE-2020-3899: Fixed a memory consumption issue that could have led to remote code execution (bsc#1170643).
Non-security issues fixed:
- Update to version 2.28.2 (bsc#1170643):
+ Fix excessive CPU usage due to GdkFrameClock not being stopped.
+ Fix UI process crash when EGL_WL_bind_wayland_display extension
is not available.
+ Fix position of select popup menus in X11.
+ Fix playing of Youtube 'live stream'/H264 URLs.
+ Fix a crash under X11 when cairo uses xcb.
+ Fix the build in MIPS64.
+ Fix several crashes and rendering issues.
ImportantSUSE bug 1170643CVE-2020-3899 at SUSECVE-2020-3899 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ghostscript (Important)SUSE OpenStack Cloud 8
This update for ghostscript to version 9.52 fixes the following issues:
- CVE-2020-12268: Fixed a heap-based buffer overflow in jbig2_image_compose (bsc#1170603).
ImportantSUSE bug 1170603CVE-2020-12268 at SUSECVE-2020-12268 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
Update to version 68.8.0 ESR (bsc#1171186):
- CVE-2020-12387: Use-after-free during worker shutdown
- CVE-2020-12388: Sandbox escape with improperly guarded Access Tokens
- CVE-2020-12389: Sandbox escape with improperly separated process types
- CVE-2020-6831: Buffer overflow in SCTP chunk input validation
- CVE-2020-12392: Arbitrary local file access with 'Copy as cURL'
- CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection
- CVE-2020-12395: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
ImportantSUSE bug 1171186CVE-2020-12387 at SUSECVE-2020-12387 at NVDCVE-2020-12388 at SUSECVE-2020-12388 at NVDCVE-2020-12389 at SUSECVE-2020-12389 at NVDCVE-2020-12392 at SUSECVE-2020-12392 at NVDCVE-2020-12393 at SUSECVE-2020-12393 at NVDCVE-2020-12395 at SUSECVE-2020-12395 at NVDCVE-2020-6831 at SUSECVE-2020-6831 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for squid (Important)SUSE OpenStack Cloud 8
This update for squid fixes the following issues:
- CVE-2019-12519, CVE-2019-12521: fixes incorrect buffer handling that can
result in cache poisoning, remote execution, and denial of service attacks
when processing ESI responses (bsc#1169659).
- CVE-2020-11945: fixes a potential remote execution vulnerability
when using HTTP Digest Authentication (bsc#1170313).
- CVE-2019-12520, CVE-2019-12524: fixes a potential ACL bypass, cache-bypass
and cross-site scripting attack when processing invalid HTTP
Request messages (bsc#1170423).
ImportantSUSE bug 1169659SUSE bug 1170313SUSE bug 1170423CVE-2019-12519 at SUSECVE-2019-12519 at NVDCVE-2019-12520 at SUSECVE-2019-12520 at NVDCVE-2019-12521 at SUSECVE-2019-12521 at NVDCVE-2019-12524 at SUSECVE-2019-12524 at NVDCVE-2020-11945 at SUSECVE-2020-11945 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for apache2 (Important)SUSE OpenStack Cloud 8
This update for apache2 fixes the following issues:
- CVE-2020-1934: mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server (bsc#1168404).
- CVE-2020-1927: mod_rewrite configurations vulnerable to open redirect (bsc#1168407).
- CVE-2020-1938: mod_proxy_ajp: Add 'secret' parameter to proxy workers to implement legacy AJP13 authentication (bsc#1169066).
ImportantSUSE bug 1168404SUSE bug 1168407SUSE bug 1169066CVE-2020-1927 at SUSECVE-2020-1927 at NVDCVE-2020-1934 at SUSECVE-2020-1934 at NVDCVE-2020-1938 at SUSECVE-2020-1938 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud 8
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-11494: An issue was discovered in slc_bump in drivers/net/can/slcan.c, which allowed attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL (bnc#1168424).
- CVE-2020-10942: In get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls (bnc#1167629).
- CVE-2020-8647: Fixed a use-after-free vulnerability in the vc_do_resize function in drivers/tty/vt/vt.c (bnc#1162929).
- CVE-2020-8649: Fixed a use-after-free vulnerability in the vgacon_invert_region function in drivers/video/console/vgacon.c (bnc#1162931).
- CVE-2020-9383: Fixed an issue in set_fdc in drivers/block/floppy.c, which leads to a wait_til_ready out-of-bounds read (bnc#1165111).
- CVE-2019-9458: In the video driver there was a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed (bnc#1168295).
- CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bnc#1120386).
- CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bnc#1159285).
- CVE-2020-11609: Fixed a NULL pointer dereference in the stv06xx subsystem caused by mishandling invalid descriptors (bnc#1168854).
- CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).
- CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).
- CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bnc#1170345).
- CVE-2020-11608: Fixed an issue in drivers/media/usb/gspca/ov519.c caused by a NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs when there are zero endpoints (bnc#1168829).
- CVE-2017-18255: The perf_cpu_time_max_percent_handler function in kernel/events/core.c allowed local users to cause a denial of service (integer overflow) or possibly have unspecified other impact via a large value, as demonstrated by an incorrect sample-rate calculation (bnc#1087813).
- CVE-2020-8648: There was a use-after-free vulnerability in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bnc#1162928).
- CVE-2020-2732: A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest (bnc#1163971).
- CVE-2019-5108: Fixed a denial-of-service vulnerability caused by triggering AP to send IAPP location updates for stations before the required authentication process has completed (bnc#1159912).
- CVE-2020-8992: ext4_protect_reserved_inode in fs/ext4/block_validity.c allowed attackers to cause a denial of service (soft lockup) via a crafted journal size (bnc#1164069).
- CVE-2018-21008: Fixed a use-after-free which could be caused by the function rsi_mac80211_detach in the file drivers/net/wireless/rsi/rsi_91x_mac80211.c (bnc#1149591).
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bnc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in Marvell WiFi chip driver. An attacker is able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bnc#1157155).
- CVE-2019-18675: Fixed an integer overflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c because cpia2 has its own mmap implementation. This allowed local users (with /dev/video0 access) to obtain read and write permissions on kernel physical pages, which can possibly result in a privilege escalation (bnc#1157804).
- CVE-2019-14615: Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R) Processor Graphics may have allowed an unauthenticated user to potentially enable information disclosure via local access (bnc#1160195, bsc#1165881).
- CVE-2019-19965: Fixed a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition (bnc#1159911).
- CVE-2019-20054: Fixed a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links (bnc#1159910).
- CVE-2019-20096: Fixed a memory leak in __feat_register_sp() in net/dccp/feat.c, which may cause denial of service (bnc#1159908).
- CVE-2019-19966: Fixed a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that will cause denial of service (bnc#1159841).
- CVE-2019-19447: Fixed an issue with mounting a crafted ext4 filesystem image, performing some operations, and unmounting could lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c (bnc#1158819).
- CVE-2019-19319: Fixed an issue with a setxattr operation, after a mount of a crafted ext4 image, can cause a slab-out-of-bounds write access because of an ext4_xattr_set_entry use-after-free in fs/ext4/xattr.c when a large old_size value is used in a memset call (bnc#1158021).
- CVE-2019-19767: Fixed mishandling of ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c (bnc#1159297).
- CVE-2019-11091,CVE-2018-12126,CVE-2018-12130,CVE-2018-12127: Earlier mitigations for the 'MDS' Microarchitectural Data Sampling attacks were not complete.
An additional fix was added to the x86_64 fast systemcall path to further mitigate these attacks. (bsc#1164846 bsc#1170847)
The following non-security bugs were fixed:
- blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285).
- blktrace: fix dereference after null check (bsc#1159285).
- blktrace: fix trace mutex deadlock (bsc#1159285).
- btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered extents (bsc#1163508).
- btrfs: fix panic during relocation after ENOSPC before writeback happens (bsc#1163508).
- btrfs: qgroup: Fix root item corruption when multiple same source snapshots are created with quota enabled (bsc#1158642)
- btrfs: relocation: fix reloc_root lifespan and access (bsc#1164009).
- enic: prevent waking up stopped tx queues over watchdog reset (bsc#1133147).
- fix PageHeadHuge() race with THP split (VM Functionality, bsc#1165311).
- fs/xfs: fix f_ffree value for statfs when project quota is set (bsc#1165985).
- ibmvnic: Bound waits for device queries (bsc#1155689 ltc#182047).
- ibmvnic: Fix completion structure initialization (bsc#1155689 ltc#182047).
- ibmvnic: Serialize device queries (bsc#1155689 ltc#182047).
- ibmvnic: Terminate waiting device threads after loss of service (bsc#1155689 ltc#182047).
- input: add safety guards to input_set_keycode() (bsc#1168075).
- ipv4: correct gso_size for UFO (bsc#1154844).
- ipv6: fix memory accounting during ipv6 queue expire (bsc#1162227) (bsc#1162227).
- ipvlan: do not add hardware address of master to its unicast filter list (bsc#1137325).
- md: add mddev->pers to avoid potential NULL pointer dereference (bsc#1056134).
- md/bitmap: do not read page from device with Bitmap_sync (bsc#1056134).
- md: change the initialization value for a spare device spot to MD_DISK_ROLE_SPARE (bsc#1056134).
- md: Delete gendisk before cleaning up the request queue (bsc#1056134).
- md: do not call bitmap_create() while array is quiesced (bsc#1056134).
- md: do not set In_sync if array is frozen (bsc#1056134).
- md: fix a potential deadlock of raid5/raid10 reshape (bsc#1056134).
- md: md.c: Return -ENODEV when mddev is NULL in rdev_attr_show (bsc#1056134).
- md: notify about new spare disk in the container (bsc#1056134).
- md/raid0: Fix buffer overflow at debug print (bsc#1164051).
- md/raid10: end bio when the device faulty (bsc#1056134).
- md/raid10: Fix raid10 replace hang when new added disk faulty (bsc#1056134).
- md/raid1,raid10: silence warning about wait-within-wait (bsc#1056134).
- md: return -ENODEV if rdev has no mddev assigned (bsc#1056134).
- media: ov519: add missing endpoint sanity checks (bsc#1168829).
- media: stv06xx: add missing descriptor sanity checks (bsc#1168854).
- net: ena: Add PCI shutdown handler to allow safe kexec (bsc#1167421, bsc#1167423).
- netfilter: conntrack: sctp: use distinct states for new SCTP connections (bsc#1159199).
- net/ibmvnic: Fix typo in retry check (bsc#1155689 ltc#182047).
- rpm/kernel-binary.spec.in: Replace Novell with SUSE
- sched/fair: Scale bandwidth quota and period without losing quota/period ratio precision (bsc#1161586).
- scsi: core: avoid repetitive logging of device offline messages (bsc#1145929).
- scsi: core: kABI fix already_offline (bsc#1145929).
- tcp: clear tp->packets_out when purging write queue (bsc#1154118).
- x86/mitigations: Clear CPU buffers on the SYSCALL fast path (bsc#1164846 bsc#1170847).
- xfs: also remove cached ACLs when removing the underlying attr (bsc#1165873).
- xfs: bulkstat should copy lastip whenever userspace supplies one (bsc#1165984).
ImportantSUSE bug 1056134SUSE bug 1087813SUSE bug 1120386SUSE bug 1133147SUSE bug 1137325SUSE bug 1145929SUSE bug 1149591SUSE bug 1154118SUSE bug 1154844SUSE bug 1155689SUSE bug 1157155SUSE bug 1157157SUSE bug 1157303SUSE bug 1157804SUSE bug 1158021SUSE bug 1158642SUSE bug 1158819SUSE bug 1159199SUSE bug 1159285SUSE bug 1159297SUSE bug 1159841SUSE bug 1159908SUSE bug 1159910SUSE bug 1159911SUSE bug 1159912SUSE bug 1160195SUSE bug 1161586SUSE bug 1162227SUSE bug 1162928SUSE bug 1162929SUSE bug 1162931SUSE bug 1163508SUSE bug 1163971SUSE bug 1164009SUSE bug 1164051SUSE bug 1164069SUSE bug 1164078SUSE bug 1164846SUSE bug 1165111SUSE bug 1165311SUSE bug 1165873SUSE bug 1165881SUSE bug 1165984SUSE bug 1165985SUSE bug 1167421SUSE bug 1167423SUSE bug 1167629SUSE bug 1168075SUSE bug 1168295SUSE bug 1168424SUSE bug 1168829SUSE bug 1168854SUSE bug 1170056SUSE bug 1170345SUSE bug 1170778SUSE bug 1170847CVE-2017-18255 at SUSECVE-2017-18255 at NVDCVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2018-21008 at SUSECVE-2018-21008 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDCVE-2019-14615 at SUSECVE-2019-14615 at NVDCVE-2019-14896 at SUSECVE-2019-14896 at NVDCVE-2019-14897 at SUSECVE-2019-14897 at NVDCVE-2019-18675 at SUSECVE-2019-18675 at NVDCVE-2019-19066 at SUSECVE-2019-19066 at NVDCVE-2019-19319 at SUSECVE-2019-19319 at NVDCVE-2019-19447 at SUSECVE-2019-19447 at NVDCVE-2019-19767 at SUSECVE-2019-19767 at NVDCVE-2019-19768 at SUSECVE-2019-19768 at NVDCVE-2019-19965 at SUSECVE-2019-19965 at NVDCVE-2019-19966 at SUSECVE-2019-19966 at NVDCVE-2019-20054 at SUSECVE-2019-20054 at NVDCVE-2019-20096 at SUSECVE-2019-20096 at NVDCVE-2019-3701 at SUSECVE-2019-3701 at NVDCVE-2019-5108 at SUSECVE-2019-5108 at NVDCVE-2019-9455 at SUSECVE-2019-9455 at NVDCVE-2019-9458 at SUSECVE-2019-9458 at NVDCVE-2020-10690 at SUSECVE-2020-10690 at NVDCVE-2020-10720 at SUSECVE-2020-10720 at NVDCVE-2020-10942 at SUSECVE-2020-10942 at NVDCVE-2020-11494 at SUSECVE-2020-11494 at NVDCVE-2020-11608 at SUSECVE-2020-11608 at NVDCVE-2020-11609 at SUSECVE-2020-11609 at NVDCVE-2020-2732 at SUSECVE-2020-2732 at NVDCVE-2020-8647 at SUSECVE-2020-8647 at NVDCVE-2020-8648 at SUSECVE-2020-8648 at NVDCVE-2020-8649 at SUSECVE-2020-8649 at NVDCVE-2020-8992 at SUSECVE-2020-8992 at NVDCVE-2020-9383 at SUSECVE-2020-9383 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-PyYAML (Important)SUSE OpenStack Cloud 8
This update for python-PyYAML fixes the following issues:
- CVE-2020-1747: Fixed an arbitrary code execution when YAML files are parsed by FullLoader (bsc#1165439).
ImportantSUSE bug 1165439CVE-2020-1747 at SUSECVE-2020-1747 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for git (Moderate)SUSE OpenStack Cloud 8
This update for git to 2.26.2 fixes the following issues:
Security issue fixed:
- CVE-2020-11008: Specially crafted URLs may have tricked the credentials helper
to providing credential information that is not appropriate for the protocol
in use and host being contacted (bsc#1169936).
Non-security issue fixed:
- Fixed git-daemon not starting after conversion from sysvinit to systemd service (bsc#1169605).
- Enabled access for git-daemon in firewall configuration (bsc#1170302).
- Fixed problems with recent switch to protocol v2, which caused fetches transferring unreasonable amount of data (bsc#1170741).
ModerateSUSE bug 1149792SUSE bug 1168930SUSE bug 1169605SUSE bug 1169786SUSE bug 1169936SUSE bug 1170302SUSE bug 1170741SUSE bug 1170939CVE-2020-11008 at SUSECVE-2020-11008 at NVDCVE-2020-5260 at SUSECVE-2020-5260 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for mailman (Important)SUSE OpenStack Cloud 8
This update for mailman fixes the following issues:
Security issue fixed:
- CVE-2020-12108: Fixed a content injection bug (bsc#1171363).
- CVE-2020-12137: Fixed a XSS vulnerability caused by MIME type confusion (bsc#1170558).
Non-security issue fixed:
- Fixed rights and ownership on /var/lib/mailman/archives (bsc#1167068).
- Don't default to invalid hosts for DEFAULT_EMAIL_HOST (bsc#682920).
ImportantSUSE bug 1167068SUSE bug 1170558SUSE bug 1171363SUSE bug 682920CVE-2020-12108 at SUSECVE-2020-12108 at NVDCVE-2020-12137 at SUSECVE-2020-12137 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for tomcat (Important)SUSE OpenStack Cloud 8
This update for tomcat fixes the following issues:
CVE-2020-9484 (bsc#1171928)
Apache Tomcat Remote Code Execution via session persistence
If an attacker was able to control the contents and name of a file on a
server configured to use the PersistenceManager, then the attacker could
have triggered a remote code execution via deserialization of the file under
their control.
CVE-2019-12418 (bsc#1159723)
Local privilege escalation by manipulating the RMI registry and performing a man-in-the-middle attack
When Tomcat is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files was able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface.
The attacker could then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.
CVE-2019-0221 (bsc#1136085)
The SSI printenv command echoed user provided data without escaping, which
made it vulnerable to XSS.
CVE-2019-17563 (bsc#1159729)
When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack.
CVE-2019-17569 (bsc#1164825)
Invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling
if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header.
ImportantSUSE bug 1136085SUSE bug 1159723SUSE bug 1159729SUSE bug 1164825SUSE bug 1171928CVE-2019-0221 at SUSECVE-2019-0221 at NVDCVE-2019-12418 at SUSECVE-2019-12418 at NVDCVE-2019-17563 at SUSECVE-2019-17563 at NVDCVE-2019-17569 at SUSECVE-2019-17569 at NVDCVE-2020-9484 at SUSECVE-2020-9484 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python (Moderate)SUSE OpenStack Cloud 8
This update for python to version 2.7.17 fixes the following issues:
Syncing with lots of upstream bug fixes and security fixes.
Bug fixes:
- CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825).
- CVE-2019-18348: Fixed a CRLF injection via the host part of the url passed to urlopen(). Now an InvalidURL exception is raised (bsc#1155094).
- CVE-2020-8492: Fixed a regular expression in urllib that was prone to denial of service via HTTP (bsc#1162367).
- Fixed mismatches between libpython and python-base versions (bsc#1162224).
- Fixed segfault in libpython2.7.so.1 (bsc#1073748).
- Unified packages among openSUSE:Factory and SLE versions (bsc#1159035).
- Added idle.desktop and idle.appdata.xml to provide IDLE in menus (bsc#1153830).
- Excluded tsl_check files from python-base to prevent file conflict with python-strict-tls-checks package (bsc#945401).
- Changed the name of idle3 icons to idle3.png to avoid collision with Python 2 version (bsc#1165894).
Additionally a new 'shared-python-startup' package is provided containing startup files.
python-rpm-macros was updated to fix:
- Do not write .pyc files for tests (bsc#1171561)
ModerateSUSE bug 1027282SUSE bug 1041090SUSE bug 1042670SUSE bug 1073269SUSE bug 1073748SUSE bug 1078326SUSE bug 1078485SUSE bug 1081750SUSE bug 1084650SUSE bug 1086001SUSE bug 1149792SUSE bug 1153830SUSE bug 1155094SUSE bug 1159035SUSE bug 1162224SUSE bug 1162367SUSE bug 1162825SUSE bug 1165894SUSE bug 1170411SUSE bug 1171561SUSE bug 945401CVE-2019-18348 at SUSECVE-2019-18348 at NVDCVE-2019-9674 at SUSECVE-2019-9674 at NVDCVE-2020-8492 at SUSECVE-2020-8492 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for krb5-appl (Important)SUSE OpenStack Cloud 8
This update for krb5-appl fixes the following issues:
- CVE-2020-10188: Fixed a remote root execution (bsc#1165787).
ImportantSUSE bug 1165787CVE-2020-10188 at SUSECVE-2020-10188 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libexif (Moderate)SUSE OpenStack Cloud 8
This update for libexif fixes the following issues:
Security issues fixed:
- CVE-2016-6328: Fixed an integer overflow in parsing MNOTE entry data of the input file (bsc#1055857).
- CVE-2017-7544: Fixed an out-of-bounds heap read vulnerability in exif_data_save_data_entry function in libexif/exif-data.c (bsc#1059893).
- CVE-2018-20030: Fixed a denial of service by endless recursion (bsc#1120943).
- CVE-2019-9278: Fixed an integer overflow (bsc#1160770).
- CVE-2020-0093: Fixed an out-of-bounds read in exif_data_save_data_entry (bsc#1171847).
- CVE-2020-12767: Fixed a divide-by-zero error in exif_entry_get_value (bsc#1171475).
- CVE-2020-13112: Fixed a time consumption DoS when parsing canon array markers (bsc#1172121).
- CVE-2020-13113: Fixed a potential use of uninitialized memory (bsc#1172105).
- CVE-2020-13114: Fixed various buffer overread fixes due to integer overflows in maker notes (bsc#1172116).
Non-security issues fixed:
- libexif was updated to version 0.6.22:
* New translations: ms
* Updated translations for most languages
* Some useful EXIF 2.3 tag added:
* EXIF_TAG_GAMMA
* EXIF_TAG_COMPOSITE_IMAGE
* EXIF_TAG_SOURCE_IMAGE_NUMBER_OF_COMPOSITE_IMAGE
* EXIF_TAG_SOURCE_EXPOSURE_TIMES_OF_COMPOSITE_IMAGE
* EXIF_TAG_GPS_H_POSITIONING_ERROR
* EXIF_TAG_CAMERA_OWNER_NAME
* EXIF_TAG_BODY_SERIAL_NUMBER
* EXIF_TAG_LENS_SPECIFICATION
* EXIF_TAG_LENS_MAKE
* EXIF_TAG_LENS_MODEL
* EXIF_TAG_LENS_SERIAL_NUMBER
ModerateSUSE bug 1055857SUSE bug 1059893SUSE bug 1120943SUSE bug 1160770SUSE bug 1171475SUSE bug 1171847SUSE bug 1172105SUSE bug 1172116SUSE bug 1172121CVE-2016-6328 at SUSECVE-2016-6328 at NVDCVE-2017-7544 at SUSECVE-2017-7544 at NVDCVE-2018-20030 at SUSECVE-2018-20030 at NVDCVE-2019-9278 at SUSECVE-2019-9278 at NVDCVE-2020-0093 at SUSECVE-2020-0093 at NVDCVE-2020-12767 at SUSECVE-2020-12767 at NVDCVE-2020-13112 at SUSECVE-2020-13112 at NVDCVE-2020-13113 at SUSECVE-2020-13113 at NVDCVE-2020-13114 at SUSECVE-2020-13114 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for qemu (Moderate)SUSE OpenStack Cloud 8
This update for qemu fixes the following issues:
Security issues fixed:
- CVE-2020-1711: Fixed a potential OOB access in the iSCSI client code (bsc#1166240).
- CVE-2019-12068: Fixed a potential DoS in the LSI SCSI controller emulation (bsc#1146873).
- CVE-2020-1983: Fixed a use-after-free in the ip_reass function of slirp (bsc#1170940).
- CVE-2020-8608: Fixed a potential OOB access in slirp (bsc#1163018).
- CVE-2020-7039: Fixed a potential OOB access in slirp (bsc#1161066).
- CVE-2019-15890: Fixed a use-after-free during packet reassembly in slirp (bsc#1149811).
- Fixed multiple potential DoS issues in SLIRP, similar to CVE-2019-6778 (bsc#1123156).
Non-security issue fixed:
- Make sure that required memory is mapped properly during an incoming migration of a Xen HVM domU (bsc#1160024).
ModerateSUSE bug 1123156SUSE bug 1146873SUSE bug 1149811SUSE bug 1160024SUSE bug 1161066SUSE bug 1163018SUSE bug 1166240SUSE bug 1170940CVE-2019-12068 at SUSECVE-2019-12068 at NVDCVE-2019-15890 at SUSECVE-2019-15890 at NVDCVE-2019-6778 at SUSECVE-2019-6778 at NVDCVE-2020-1711 at SUSECVE-2020-1711 at NVDCVE-2020-1983 at SUSECVE-2020-1983 at NVDCVE-2020-7039 at SUSECVE-2020-7039 at NVDCVE-2020-8608 at SUSECVE-2020-8608 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for vim (Moderate)SUSE OpenStack Cloud 8
This update for vim fixes the following issues:
- CVE-2019-20807: Fixed an issue where escaping from the restrictive mode of vim
was possible using interfaces (bsc#1172225 and bsc#1172031).
ModerateSUSE bug 1172031SUSE bug 1172225CVE-2019-20807 at SUSECVE-2019-20807 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
- MozillaFirefox was updated to version 68.9.0 Extended Support Release (bsc#1172402).
- CVE-2020-12405: Fixed a use-after-free in SharedWorkerService.
- CVE-2020-12406: Fixed a JavaScript Type confusion with NativeTypes.
- CVE-2020-12410: Fixed multiple memory safety bugs.
ImportantSUSE bug 1172402CVE-2020-12405 at SUSECVE-2020-12405 at NVDCVE-2020-12406 at SUSECVE-2020-12406 at NVDCVE-2020-12410 at SUSECVE-2020-12410 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ruby2.1 (Important)SUSE OpenStack Cloud 8
This update for ruby2.1 fixes the following issues:
Security issues fixed:
- CVE-2015-9096: Fixed an SMTP command injection via CRLFsequences in a RCPT TO or MAIL FROM command (bsc#1043983).
- CVE-2016-7798: Fixed an IV Reuse in GCM Mode (bsc#1055265).
- CVE-2017-0898: Fixed a buffer underrun vulnerability in Kernel.sprintf (bsc#1058755).
- CVE-2017-0899: Fixed an issue with malicious gem specifications, insufficient sanitation when printing gem specifications could have included terminal characters (bsc#1056286).
- CVE-2017-0900: Fixed an issue with malicious gem specifications, the query command could have led to a denial of service attack against clients (bsc#1056286).
- CVE-2017-0901: Fixed an issue with malicious gem specifications, potentially overwriting arbitrary files on the client system (bsc#1056286).
- CVE-2017-0902: Fixed an issue with malicious gem specifications, that could have enabled MITM attacks against clients (bsc#1056286).
- CVE-2017-0903: Fixed an unsafe object deserialization vulnerability (bsc#1062452).
- CVE-2017-9228: Fixed a heap out-of-bounds write in bitset_set_range() during regex compilation (bsc#1069607).
- CVE-2017-9229: Fixed an invalid pointer dereference in left_adjust_char_head() in oniguruma (bsc#1069632).
- CVE-2017-10784: Fixed an escape sequence injection vulnerability in the Basic authentication of WEBrick (bsc#1058754).
- CVE-2017-14033: Fixed a buffer underrun vulnerability in OpenSSL ASN1 decode (bsc#1058757).
- CVE-2017-14064: Fixed an arbitrary memory exposure during a JSON.generate call (bsc#1056782).
- CVE-2017-17405: Fixed a command injection vulnerability in Net::FTP (bsc#1073002).
- CVE-2017-17742: Fixed an HTTP response splitting issue in WEBrick (bsc#1087434).
- CVE-2017-17790: Fixed a command injection in lib/resolv.rb:lazy_initialize() (bsc#1078782).
- CVE-2018-6914: Fixed an unintentional file and directory creation with directory traversal in tempfile and tmpdir (bsc#1087441).
- CVE-2018-8777: Fixed a potential DoS caused by large requests in WEBrick (bsc#1087436).
- CVE-2018-8778: Fixed a buffer under-read in String#unpack (bsc#1087433).
- CVE-2018-8779: Fixed an unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket (bsc#1087440).
- CVE-2018-8780: Fixed an unintentional directory traversal by poisoned NUL byte in Dir (bsc#1087437).
- CVE-2018-16395: Fixed an issue with OpenSSL::X509::Name equality checking (bsc#1112530).
- CVE-2018-16396: Fixed an issue with tainted string handling, where the flag was not propagated in Array#pack and String#unpack with some directives (bsc#1112532).
- CVE-2018-1000073: Fixed a path traversal issue (bsc#1082007).
- CVE-2018-1000074: Fixed an unsafe object deserialization vulnerability in gem owner, allowing arbitrary code execution with specially crafted YAML (bsc#1082008).
- CVE-2018-1000075: Fixed an infinite loop vulnerability due to negative size in tar header causes Denial of Service (bsc#1082014).
- CVE-2018-1000076: Fixed an improper verification of signatures in tarballs (bsc#1082009).
- CVE-2018-1000077: Fixed an improper URL validation in the homepage attribute of ruby gems (bsc#1082010).
- CVE-2018-1000078: Fixed a XSS vulnerability in the homepage attribute when displayed via gem server (bsc#1082011).
- CVE-2018-1000079: Fixed a path traversal issue during gem installation allows to write to arbitrary filesystem locations (bsc#1082058).
- CVE-2019-8320: Fixed a directory traversal issue when decompressing tar files (bsc#1130627).
- CVE-2019-8321: Fixed an escape sequence injection vulnerability in verbose (bsc#1130623).
- CVE-2019-8322: Fixed an escape sequence injection vulnerability in gem owner (bsc#1130622).
- CVE-2019-8323: Fixed an escape sequence injection vulnerability in API response handling (bsc#1130620).
- CVE-2019-8324: Fixed an issue with malicious gems that may have led to arbitrary code execution (bsc#1130617).
- CVE-2019-8325: Fixed an escape sequence injection vulnerability in errors (bsc#1130611).
- CVE-2019-15845: Fixed a NUL injection vulnerability in File.fnmatch and File.fnmatch? (bsc#1152994).
- CVE-2019-16201: Fixed a regular expression denial of service vulnerability in WEBrick's digest access authentication (bsc#1152995).
- CVE-2019-16254: Fixed an HTTP response splitting vulnerability in WEBrick (bsc#1152992).
- CVE-2019-16255: Fixed a code injection vulnerability in Shell#[] and Shell#test (bsc#1152990).
- CVE-2020-10663: Fixed an unsafe object creation vulnerability in JSON (bsc#1171517).
Non-security issue fixed:
- Add conflicts to libruby to make sure ruby and ruby-stdlib are also updated when libruby is updated (bsc#1048072).
Also yast2-ruby-bindings on SLES 12 SP2 LTSS was updated to handle the updated ruby interpreter. (bsc#1172275)
ImportantSUSE bug 1043983SUSE bug 1048072SUSE bug 1055265SUSE bug 1056286SUSE bug 1056782SUSE bug 1058754SUSE bug 1058755SUSE bug 1058757SUSE bug 1062452SUSE bug 1069607SUSE bug 1069632SUSE bug 1073002SUSE bug 1078782SUSE bug 1082007SUSE bug 1082008SUSE bug 1082009SUSE bug 1082010SUSE bug 1082011SUSE bug 1082014SUSE bug 1082058SUSE bug 1087433SUSE bug 1087434SUSE bug 1087436SUSE bug 1087437SUSE bug 1087440SUSE bug 1087441SUSE bug 1112530SUSE bug 1112532SUSE bug 1130611SUSE bug 1130617SUSE bug 1130620SUSE bug 1130622SUSE bug 1130623SUSE bug 1130627SUSE bug 1152990SUSE bug 1152992SUSE bug 1152994SUSE bug 1152995SUSE bug 1171517SUSE bug 1172275CVE-2015-9096 at SUSECVE-2015-9096 at NVDCVE-2016-2339 at SUSECVE-2016-2339 at NVDCVE-2016-7798 at SUSECVE-2016-7798 at NVDCVE-2017-0898 at SUSECVE-2017-0898 at NVDCVE-2017-0899 at SUSECVE-2017-0899 at NVDCVE-2017-0900 at SUSECVE-2017-0900 at NVDCVE-2017-0901 at SUSECVE-2017-0901 at NVDCVE-2017-0902 at SUSECVE-2017-0902 at NVDCVE-2017-0903 at SUSECVE-2017-0903 at NVDCVE-2017-10784 at SUSECVE-2017-10784 at NVDCVE-2017-14033 at SUSECVE-2017-14033 at NVDCVE-2017-14064 at SUSECVE-2017-14064 at NVDCVE-2017-17405 at SUSECVE-2017-17405 at NVDCVE-2017-17742 at SUSECVE-2017-17742 at NVDCVE-2017-17790 at SUSECVE-2017-17790 at NVDCVE-2017-9228 at SUSECVE-2017-9228 at NVDCVE-2017-9229 at SUSECVE-2017-9229 at NVDCVE-2018-1000073 at SUSECVE-2018-1000073 at NVDCVE-2018-1000074 at SUSECVE-2018-1000074 at NVDCVE-2018-1000075 at SUSECVE-2018-1000075 at NVDCVE-2018-1000076 at SUSECVE-2018-1000076 at NVDCVE-2018-1000077 at SUSECVE-2018-1000077 at NVDCVE-2018-1000078 at SUSECVE-2018-1000078 at NVDCVE-2018-1000079 at SUSECVE-2018-1000079 at NVDCVE-2018-16395 at SUSECVE-2018-16395 at NVDCVE-2018-16396 at SUSECVE-2018-16396 at NVDCVE-2018-6914 at SUSECVE-2018-6914 at NVDCVE-2018-8777 at SUSECVE-2018-8777 at NVDCVE-2018-8778 at SUSECVE-2018-8778 at NVDCVE-2018-8779 at SUSECVE-2018-8779 at NVDCVE-2018-8780 at SUSECVE-2018-8780 at NVDCVE-2019-15845 at SUSECVE-2019-15845 at NVDCVE-2019-16201 at SUSECVE-2019-16201 at NVDCVE-2019-16254 at SUSECVE-2019-16254 at NVDCVE-2019-16255 at SUSECVE-2019-16255 at NVDCVE-2019-8320 at SUSECVE-2019-8320 at NVDCVE-2019-8321 at SUSECVE-2019-8321 at NVDCVE-2019-8322 at SUSECVE-2019-8322 at NVDCVE-2019-8323 at SUSECVE-2019-8323 at NVDCVE-2019-8324 at SUSECVE-2019-8324 at NVDCVE-2019-8325 at SUSECVE-2019-8325 at NVDCVE-2020-10663 at SUSECVE-2020-10663 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_7_0-openjdk (Important)SUSE OpenStack Cloud 8
This update for java-1_7_0-openjdk to version 7u261 fixes the following issues:
- CVE-2020-2756: Better mapping of serial ENUMs (bsc#1169511)
- CVE-2020-2757: Less Blocking Array Queues (bsc#1169511)
- CVE-2020-2773: Better signatures in XML (bsc#1169511)
- CVE-2020-2781: Improve TLS session handling (bsc#1169511)
- CVE-2020-2800: Better Headings for HTTP Servers (bsc#1169511)
- CVE-2020-2803: Enhance buffering of byte buffers (bsc#1169511)
- CVE-2020-2805: Enhance typing of methods (bsc#1169511)
- CVE-2020-2830: Better Scanner conversions (bsc#1169511)
ImportantSUSE bug 1169511CVE-2020-2756 at SUSECVE-2020-2756 at NVDCVE-2020-2757 at SUSECVE-2020-2757 at NVDCVE-2020-2773 at SUSECVE-2020-2773 at NVDCVE-2020-2781 at SUSECVE-2020-2781 at NVDCVE-2020-2800 at SUSECVE-2020-2800 at NVDCVE-2020-2803 at SUSECVE-2020-2803 at NVDCVE-2020-2805 at SUSECVE-2020-2805 at NVDCVE-2020-2830 at SUSECVE-2020-2830 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for tigervnc (Important)SUSE OpenStack Cloud 8
This update for tigervnc fixes the following issues:
- CVE-2019-15691: Fixed a use-after-return due to incorrect usage of stack memory in ZRLEDecoder (bsc#1159856).
- CVE-2019-15692: Fixed a heap-based buffer overflow in CopyRectDecode (bsc#1160250).
- CVE-2019-15693: Fixed a heap-based buffer overflow in TightDecoder::FilterGradient (bsc#1159858).
- CVE-2019-15694: Fixed a heap-based buffer overflow, caused by improper error handling in processing MemOutStream (bsc#1160251).
- CVE-2019-15695: Fixed a stack-based buffer overflow, which could be triggered from CMsgReader::readSetCursor (bsc#1159860).
ImportantSUSE bug 1159856SUSE bug 1159858SUSE bug 1159860SUSE bug 1160250SUSE bug 1160251SUSE bug 1160937CVE-2019-15691 at SUSECVE-2019-15691 at NVDCVE-2019-15692 at SUSECVE-2019-15692 at NVDCVE-2019-15693 at SUSECVE-2019-15693 at NVDCVE-2019-15694 at SUSECVE-2019-15694 at NVDCVE-2019-15695 at SUSECVE-2019-15695 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ucode-intel (Moderate)SUSE OpenStack Cloud 8
This update for ucode-intel fixes the following issues:
Updated Intel CPU Microcode to 20200602 (prerelease) (bsc#1172466)
This update contains security mitigations for:
- CVE-2020-0543: Fixed a side channel attack against special registers
which could have resulted in leaking of read values to cores other
than the one which called it. This attack is known as Special Register
Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).
- CVE-2020-0548,CVE-2020-0549: Additional ucode updates were supplied to
mitigate the Vector Register and L1D Eviction Sampling aka 'CacheOutAttack'
attacks. (bsc#1156353)
Microcode Table:
Processor Identifier Version Products
Model Stepping F-MO-S/PI Old->New
---- new platforms ----------------------------------------
---- updated platforms ------------------------------------
HSW C0 6-3c-3/32 00000027->00000028 Core Gen4
BDW-U/Y E0/F0 6-3d-4/c0 0000002e->0000002f Core Gen5
HSW-U C0/D0 6-45-1/72 00000025->00000026 Core Gen4
HSW-H C0 6-46-1/32 0000001b->0000001c Core Gen4
BDW-H/E3 E0/G0 6-47-1/22 00000021->00000022 Core Gen5
SKL-U/Y D0 6-4e-3/c0 000000d6->000000dc Core Gen6 Mobile
SKL-U23e K1 6-4e-3/c0 000000d6->000000dc Core Gen6 Mobile
SKX-SP B1 6-55-3/97 01000151->01000157 Xeon Scalable
SKX-SP H0/M0/U0 6-55-4/b7 02000065->02006906 Xeon Scalable
SKX-D M1 6-55-4/b7 02000065->02006906 Xeon D-21xx
CLX-SP B0 6-55-6/bf 0400002c->04002f01 Xeon Scalable Gen2
CLX-SP B1 6-55-7/bf 0500002c->04002f01 Xeon Scalable Gen2
SKL-H/S R0/N0 6-5e-3/36 000000d6->000000dc Core Gen6; Xeon E3 v5
AML-Y22 H0 6-8e-9/10 000000ca->000000d6 Core Gen8 Mobile
KBL-U/Y H0 6-8e-9/c0 000000ca->000000d6 Core Gen7 Mobile
CFL-U43e D0 6-8e-a/c0 000000ca->000000d6 Core Gen8 Mobile
WHL-U W0 6-8e-b/d0 000000ca->000000d6 Core Gen8 Mobile
AML-Y42 V0 6-8e-c/94 000000ca->000000d6 Core Gen10 Mobile
CML-Y42 V0 6-8e-c/94 000000ca->000000d6 Core Gen10 Mobile
WHL-U V0 6-8e-c/94 000000ca->000000d6 Core Gen8 Mobile
KBL-G/H/S/E3 B0 6-9e-9/2a 000000ca->000000d6 Core Gen7; Xeon E3 v6
CFL-H/S/E3 U0 6-9e-a/22 000000ca->000000d6 Core Gen8 Desktop, Mobile, Xeon E
CFL-S B0 6-9e-b/02 000000ca->000000d6 Core Gen8
CFL-H/S P0 6-9e-c/22 000000ca->000000d6 Core Gen9
CFL-H R0 6-9e-d/22 000000ca->000000d6 Core Gen9 Mobile
Also contains the Intel CPU Microcode update to 20200520:
Processor Identifier Version Products
Model Stepping F-MO-S/PI Old->New
---- new platforms ----------------------------------------
---- updated platforms ------------------------------------
SNB-E/EN/EP C1/M0 6-2d-6/6d 0000061f->00000621 Xeon E3/E5, Core X
SNB-E/EN/EP C2/M1 6-2d-7/6d 00000718->0000071a Xeon E3/E5, Core X
ModerateSUSE bug 1154824SUSE bug 1156353SUSE bug 1172466CVE-2020-0543 at SUSECVE-2020-0543 at NVDCVE-2020-0548 at SUSECVE-2020-0548 at NVDCVE-2020-0549 at SUSECVE-2020-0549 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud 8
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it.
This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).
- CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).
- CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).
- CVE-2020-12654: Fixed an issue in he wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).
- CVE-2020-12656: Fixed an improper handling of certain domain_release calls leadingch could have led to a memory leak (bsc#1171219).
- CVE-2020-12114: Fixed A pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).
- CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).
The following non-security bugs were fixed:
- can, slip: Protect tty->disc_data in write_wakeup and close with RCU (bsc#1171698).
- clocksource/drivers/hyper-v: Set TSC clocksource as default w/ InvariantTSC (bsc#1170620).
- Drivers: HV: Send one page worth of kmsg dump over Hyper-V during panic (bsc#1170618).
- Drivers: hv: vmbus: Fix the issue with freeing up hv_ctl_table_hdr (bsc#1170618).
- Drivers: hv: vmbus: Get rid of MSR access from vmbus_drv.c (bsc#1170618).
- Drivers: hv: vmbus: Make panic reporting to be more useful (bsc#1170618).
- Drivers: hv: vmus: Fix the check for return value from kmsg get dump buffer (bsc#1170618).
- EDAC: Convert to new X86 CPU match macros
- ibmvfc: do not send implicit logouts prior to NPIV login (bsc#1169625 ltc#184611).
- ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).
- KEYS: reaching the keys quotas correctly (bsc#1171689).
- NFS: Cleanup if nfs_match_client is interrupted (bsc#1169025).
- NFS: Fix a double unlock from nfs_match,get_client (bsc#1169025).
- NFS: make nfs_match_client killable (bsc#1169025).
- NFS: Unlock requests must never fail (bsc#1172032).
- random: always use batched entropy for get_random_u{32,64} (bsc#1164871).
- Revert 'ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()' (bsc#1172221).
- scsi: ibmvfc: Avoid loss of all paths during SVC node reboot (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).
- x86/dumpstack/64: Handle faults when printing the 'Stack: ' part of an OOPS (bsc#1170383).
- x86/hyperv: Allow guests to enable InvariantTSC (bsc#1170620).
- x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump (bsc#1170618).
- x86/Hyper-V: Report crash data in die() when panic_on_oops is set (bsc#1170618).
- x86/Hyper-V: Report crash register data or kmsg before running crash kernel (bsc#1170618).
- x86/Hyper-V: Report crash register data when sysctl_record_panic_msg is not set (bsc#1170618).
- x86: hyperv: report value of misc_features (git fixes).
- x86/Hyper-V: Trigger crash enlightenment only once during system crash (bsc#1170618).
- x86/Hyper-V: Unload vmbus channel in hv panic callback (bsc#1170618).
ImportantSUSE bug 1154824SUSE bug 1161951SUSE bug 1164871SUSE bug 1169025SUSE bug 1169625SUSE bug 1170383SUSE bug 1170618SUSE bug 1170620SUSE bug 1171098SUSE bug 1171195SUSE bug 1171202SUSE bug 1171218SUSE bug 1171219SUSE bug 1171689SUSE bug 1171698SUSE bug 1172032SUSE bug 1172221SUSE bug 1172317CVE-2020-0543 at SUSECVE-2020-0543 at NVDCVE-2020-10757 at SUSECVE-2020-10757 at NVDCVE-2020-12114 at SUSECVE-2020-12114 at NVDCVE-2020-12652 at SUSECVE-2020-12652 at NVDCVE-2020-12653 at SUSECVE-2020-12653 at NVDCVE-2020-12654 at SUSECVE-2020-12654 at NVDCVE-2020-12656 at SUSECVE-2020-12656 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for virglrenderer (Important)SUSE OpenStack Cloud 8
This update for virglrenderer fixes the following issues:
- CVE-2019-18388: Fixed a null pointer dereference which could have led
to denial of service (bsc#1159479).
- CVE-2019-18390: Fixed an out of bound read which could have led to
denial of service (bsc#1159478).
- CVE-2019-18389: Fixed a heap buffer overflow which could have led to
guest escape or denial of service (bsc#1159482).
- CVE-2019-18391: Fixed a heap based buffer overflow which could have led to
guest escape or denial of service (bsc#1159486).
ImportantSUSE bug 1159478SUSE bug 1159479SUSE bug 1159482SUSE bug 1159486CVE-2019-18388 at SUSECVE-2019-18388 at NVDCVE-2019-18389 at SUSECVE-2019-18389 at NVDCVE-2019-18390 at SUSECVE-2019-18390 at NVDCVE-2019-18391 at SUSECVE-2019-18391 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for adns (Important)SUSE OpenStack Cloud 8
This update for adns fixes the following issues:
- CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9109: Fixed an issue in local recursive resolver
which could have led to remote code execution (bsc#1172265).
- CVE-2017-9106: Fixed an issue with upstream DNS data sources which could have led to denial of
service (bsc#1172265).
- CVE-2017-9107: Fixed an issue when quering domain names which could have led to denial of service (bsc#1172265).
- CVE-2017-9108: Fixed an issue which could have led to denial of service (bsc#1172265).
ImportantSUSE bug 1172265CVE-2017-9103 at SUSECVE-2017-9103 at NVDCVE-2017-9104 at SUSECVE-2017-9104 at NVDCVE-2017-9105 at SUSECVE-2017-9105 at NVDCVE-2017-9106 at SUSECVE-2017-9106 at NVDCVE-2017-9107 at SUSECVE-2017-9107 at NVDCVE-2017-9108 at SUSECVE-2017-9108 at NVDCVE-2017-9109 at SUSECVE-2017-9109 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for mariadb (Moderate)SUSE OpenStack Cloud 8
This update for mariadb fixes the following issues:
mariadb was updated to version 10.0.44 (bsc#1171550)
- CVE-2020-2752: Fixed an issue which could have resulted in unauthorized ability to cause denial of service.
- CVE-2020-2812: Fixed an issue which could have resulted in unauthorized ability to cause denial of service.
ModerateSUSE bug 1171550CVE-2020-2752 at SUSECVE-2020-2752 at NVDCVE-2020-2812 at SUSECVE-2020-2812 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for xen (Important)SUSE OpenStack Cloud 8
This update for xen fixes the following issues:
- CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it.
This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1172205).
- CVE-2020-11742: Bad continuation handling in GNTTABOP_copy (bsc#1169392).
- CVE-2020-11740, CVE-2020-11741: xen: XSA-313 multiple xenoprof issues (bsc#1168140).
- CVE-2020-11739: Missing memory barriers in read-write unlock paths (bsc#1168142).
- CVE-2019-19583: Fixed improper checks which could have allowed HVM/PVH guest userspace code to crash the guest, leading to a guest denial of service (bsc#1158004 XSA-308).
- CVE-2019-19581: Fixed a potential out of bounds on 32-bit Arm (bsc#1158003 XSA-307).
- CVE-2019-19580: Fixed a privilege escalation where a malicious PV guest administrator could have been able to escalate their privilege to that of the host (bsc#1158006 XSA-310).
- CVE-2019-19579: Fixed a privilege escalation where an untrusted domain with access to a physical device can DMA into host memory (bsc#1157888 XSA-306).
- CVE-2019-19578: Fixed an issue where a malicious or buggy PV guest could have caused hypervisor crash resulting in denial of service affecting the entire host (bsc#1158005 XSA-309).
- CVE-2019-19577: Fixed an issue where a malicious guest administrator could have caused Xen to access data structures while they are being modified leading to a crash (bsc#1158007 XSA-311).
- Xenstored Crashed during VM install (bsc#1167152)
ImportantSUSE bug 1157888SUSE bug 1158003SUSE bug 1158004SUSE bug 1158005SUSE bug 1158006SUSE bug 1158007SUSE bug 1161181SUSE bug 1167152SUSE bug 1168140SUSE bug 1168142SUSE bug 1169392SUSE bug 1172205CVE-2019-19577 at SUSECVE-2019-19577 at NVDCVE-2019-19578 at SUSECVE-2019-19578 at NVDCVE-2019-19579 at SUSECVE-2019-19579 at NVDCVE-2019-19580 at SUSECVE-2019-19580 at NVDCVE-2019-19581 at SUSECVE-2019-19581 at NVDCVE-2019-19583 at SUSECVE-2019-19583 at NVDCVE-2020-0543 at SUSECVE-2020-0543 at NVDCVE-2020-11739 at SUSECVE-2020-11739 at NVDCVE-2020-11740 at SUSECVE-2020-11740 at NVDCVE-2020-11741 at SUSECVE-2020-11741 at NVDCVE-2020-11742 at SUSECVE-2020-11742 at NVDCVE-2020-7211 at SUSECVE-2020-7211 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for perl (Important)SUSE OpenStack Cloud 8
This update for perl fixes the following issues:
- CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have
allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of
instructions into the compiled form of Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a
compiled regular expression (bsc#1171866).
- Fixed utf8 handling in perldoc by useing 'term' instead of 'man' (bsc#1170601).
- Some packages make assumptions about the date and time they are built.
This update will solve the issues caused by calling the perl function timelocal
expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039)
ImportantSUSE bug 1102840SUSE bug 1160039SUSE bug 1170601SUSE bug 1171863SUSE bug 1171864SUSE bug 1171866CVE-2020-10543 at SUSECVE-2020-10543 at NVDCVE-2020-10878 at SUSECVE-2020-10878 at NVDCVE-2020-12723 at SUSECVE-2020-12723 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_7_1-ibm (Important)SUSE OpenStack Cloud 8
This update for java-1_7_1-ibm fixes the following issues:
java-1_7_1-ibm was updated to Java 7.1 Service Refresh 4 Fix Pack 65 (bsc#1172277 and bsc#1169511)
- CVE-2020-2654: Fixed an issue which could have resulted in unauthorized ability to cause a partial denial of service
- CVE-2020-2756: Improved mapping of serial ENUMs
- CVE-2020-2757: Less Blocking Array Queues
- CVE-2020-2781: Improved TLS session handling
- CVE-2020-2800: Improved Headings for HTTP Servers
- CVE-2020-2803: Enhanced buffering of byte buffers
- CVE-2020-2805: Enhanced typing of methods
- CVE-2020-2830: Improved Scanner conversions
ImportantSUSE bug 1169511SUSE bug 1172277CVE-2020-2654 at SUSECVE-2020-2654 at NVDCVE-2020-2756 at SUSECVE-2020-2756 at NVDCVE-2020-2757 at SUSECVE-2020-2757 at NVDCVE-2020-2781 at SUSECVE-2020-2781 at NVDCVE-2020-2800 at SUSECVE-2020-2800 at NVDCVE-2020-2803 at SUSECVE-2020-2803 at NVDCVE-2020-2805 at SUSECVE-2020-2805 at NVDCVE-2020-2830 at SUSECVE-2020-2830 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_8_0-ibm (Important)SUSE OpenStack Cloud 8
This update for java-1_8_0-ibm fixes the following issues:
java-1_8_0-ibm was updated to Java 8.0 Service Refresh 6 Fix Pack 10 (bsc#1172277,bsc#1169511,bsc#1160968)
- CVE-2020-2654: Fixed an issue which could have resulted in unauthorized ability to cause a partial denial of service
- CVE-2020-2754: Forwarded references to Nashorn
- CVE-2020-2755: Improved Nashorn matching
- CVE-2020-2756: Improved mapping of serial ENUMs
- CVE-2020-2757: Less Blocking Array Queues
- CVE-2020-2781: Improved TLS session handling
- CVE-2020-2800: Improved Headings for HTTP Servers
- CVE-2020-2803: Enhanced buffering of byte buffers
- CVE-2020-2805: Enhanced typing of methods
- CVE-2020-2830: Improved Scanner conversions
- CVE-2019-2949: Fixed an issue which could have resulted in unauthorized access to critical data
- Added RSA PSS SUPPORT TO IBMPKCS11IMPL
- The pack200 and unpack200 alternatives should be slaves of java (bsc#1171352).
ImportantSUSE bug 1160968SUSE bug 1169511SUSE bug 1171352SUSE bug 1172277CVE-2019-2949 at SUSECVE-2019-2949 at NVDCVE-2020-2654 at SUSECVE-2020-2654 at NVDCVE-2020-2754 at SUSECVE-2020-2754 at NVDCVE-2020-2755 at SUSECVE-2020-2755 at NVDCVE-2020-2756 at SUSECVE-2020-2756 at NVDCVE-2020-2757 at SUSECVE-2020-2757 at NVDCVE-2020-2781 at SUSECVE-2020-2781 at NVDCVE-2020-2800 at SUSECVE-2020-2800 at NVDCVE-2020-2803 at SUSECVE-2020-2803 at NVDCVE-2020-2805 at SUSECVE-2020-2805 at NVDCVE-2020-2830 at SUSECVE-2020-2830 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_8_0-openjdk (Important)SUSE OpenStack Cloud 8
This update for java-1_8_0-openjdk to version jdk8u252 fixes the following issues:
- CVE-2020-2754: Forward references to Nashorn (bsc#1169511)
- CVE-2020-2755: Improve Nashorn matching (bsc#1169511)
- CVE-2020-2756: Better mapping of serial ENUMs (bsc#1169511)
- CVE-2020-2757: Less Blocking Array Queues (bsc#1169511)
- CVE-2020-2773: Better signatures in XML (bsc#1169511)
- CVE-2020-2781: Improve TLS session handling (bsc#1169511)
- CVE-2020-2800: Better Headings for HTTP Servers (bsc#1169511)
- CVE-2020-2803: Enhance buffering of byte buffers (bsc#1169511)
- CVE-2020-2805: Enhance typing of methods (bsc#1169511)
- CVE-2020-2830: Better Scanner conversions (bsc#1169511)
ImportantSUSE bug 1160398SUSE bug 1169511CVE-2020-2754 at SUSECVE-2020-2754 at NVDCVE-2020-2755 at SUSECVE-2020-2755 at NVDCVE-2020-2756 at SUSECVE-2020-2756 at NVDCVE-2020-2757 at SUSECVE-2020-2757 at NVDCVE-2020-2773 at SUSECVE-2020-2773 at NVDCVE-2020-2781 at SUSECVE-2020-2781 at NVDCVE-2020-2800 at SUSECVE-2020-2800 at NVDCVE-2020-2803 at SUSECVE-2020-2803 at NVDCVE-2020-2805 at SUSECVE-2020-2805 at NVDCVE-2020-2830 at SUSECVE-2020-2830 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud 8
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-10768: Fixed an issue with the prctl() function which could have allowed indirect branch speculation even after it has been disabled (bsc#1172783).
- CVE-2020-10767: Fixed an issue where the Indirect Branch Prediction Barrier (IBPB) would have been disabled when STIBP is unavailable or enhanced IBRS is available making the system vulnerable to spectre v2 (bsc#1172782).
- CVE-2020-10766: Fixed an issue with Linux scheduler which could have allowed an attacker to turn off the SSBD protection (bsc#1172781).
- xfs: Fix tail rounding in xfs_alloc_file_space() (bsc#1172049).
ImportantSUSE bug 1172049SUSE bug 1172781SUSE bug 1172782SUSE bug 1172783CVE-2020-10766 at SUSECVE-2020-10766 at NVDCVE-2020-10767 at SUSECVE-2020-10767 at NVDCVE-2020-10768 at SUSECVE-2020-10768 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for curl (Important)SUSE OpenStack Cloud 8
This update for curl fixes the following issues:
- CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027).
ImportantSUSE bug 1173027CVE-2020-8177 at SUSECVE-2020-8177 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ceph (Important)SUSE OpenStack Cloud 8
This is a version update for ceph to version 12.2.13:
Security issue fixed:
- CVE-2020-10753: Fixed an HTTP header injection via CORS ExposeHeader tag (bsc#1171921).
- Notable changes in this update for ceph:
* mgr: telemetry: backported and now available on SES5.5. Please
consider enabling via 'ceph telemetry on' (bsc#1171670)
* OSD heartbeat ping time: new health warning, options and admin
commands (bsc#1171960)
* 'osd_calc_pg_upmaps_max_stddev' ceph.conf parameter has been
removed; use 'upmap_max_deviation' instead (bsc#1171961)
* Default maximum concurrent bluestore rocksdb compaction threads
raised from 1 to 2 for improved ability to keep up with rgw
bucket index workloads (bsc#1171963)
- Bug fixes in this ceph update:
* mon: Error message displayed when mon_osd_max_split_count would be
exceeded is not as user-friendly as it could be (bsc#1126230)
* ceph_volume_client: remove ceph mds calls in favor of ceph fs
calls (bsc#1136082)
* rgw: crypt: permit RGW-AUTO/default with SSE-S3 headers
(bsc#1157607)
* mon/AuthMonitor: don't validate fs caps on authorize (bsc#1161096)
- Additional bug fixes:
* ceph-volume: strip _dmcrypt suffix in simple scan json output (bsc#1162553) ImportantSUSE bug 1126230SUSE bug 1136082SUSE bug 1157607SUSE bug 1161096SUSE bug 1162553SUSE bug 1171670SUSE bug 1171921SUSE bug 1171960SUSE bug 1171961SUSE bug 1171963CVE-2020-10753 at SUSECVE-2020-10753 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for tomcat (Important)SUSE OpenStack Cloud 8
This update for tomcat fixes the following issues:
- CVE-2020-8022: Fixed a local root exploit due to improper permissions (bsc#1172405)
ImportantSUSE bug 1172405CVE-2020-8022 at SUSECVE-2020-8022 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python3-requests (Moderate)SUSE OpenStack Cloud 8
This update for python3-requests provides the following fix:
python-requests was updated to 2.20.1.
Update to version 2.20.1:
* Fixed bug with unintended Authorization header stripping for
redirects using default ports (http/80, https/443).
Update to version 2.20.0:
* Bugfixes
+ Content-Type header parsing is now case-insensitive
(e.g. charset=utf8 v Charset=utf8).
+ Fixed exception leak where certain redirect urls would raise
uncaught urllib3 exceptions.
+ Requests removes Authorization header from requests redirected
from https to http on the same hostname. (CVE-2018-18074)
+ should_bypass_proxies now handles URIs without hostnames
(e.g. files).
Update to version 2.19.1:
* Fixed issue where status_codes.py’s init function failed trying
to append to a __doc__ value of None.
Update to version 2.19.0:
* Improvements
+ Warn about possible slowdown with cryptography version < 1.3.4
+ Check host in proxy URL, before forwarding request to adapter.
+ Maintain fragments properly across redirects. (RFC7231 7.1.2)
+ Removed use of cgi module to expedite library load time.
+ Added support for SHA-256 and SHA-512 digest auth algorithms.
+ Minor performance improvement to Request.content.
* Bugfixes
+ Parsing empty Link headers with parse_header_links() no longer
return one bogus entry.
+ Fixed issue where loading the default certificate bundle from
a zip archive would raise an IOError.
+ Fixed issue with unexpected ImportError on windows system
which do not support winreg module.
+ DNS resolution in proxy bypass no longer includes the username
and password in the request. This also fixes the issue of DNS
queries failing on macOS.
+ Properly normalize adapter prefixes for url comparison.
+ Passing None as a file pointer to the files param no longer
raises an exception.
+ Calling copy on a RequestsCookieJar will now preserve the
cookie policy correctly.
Update to version 2.18.4:
* Improvements
+ Error messages for invalid headers now include the header name
for easier debugging
Update to version 2.18.3:
* Improvements
+ Running $ python -m requests.help now includes the installed
version of idna.
* Bugfixes
+ Fixed issue where Requests would raise ConnectionError instead
of SSLError when encountering SSL problems when using urllib3
v1.22.
- Add ca-certificates (and ca-certificates-mozilla) to dependencies, otherwise https
connections will fail.
ModerateSUSE bug 1054413SUSE bug 1073879SUSE bug 1111622SUSE bug 1122668SUSE bug 761500SUSE bug 922448SUSE bug 929736SUSE bug 935252SUSE bug 945455SUSE bug 947357SUSE bug 961596SUSE bug 967128CVE-2015-2296 at SUSECVE-2015-2296 at NVDCVE-2018-18074 at SUSECVE-2018-18074 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for mutt (Important)SUSE OpenStack Cloud 8
This update for mutt fixes the following issues:
- CVE-2020-14954: Fixed a response injection due to a STARTTLS buffering issue which was
affecting IMAP, SMTP, and POP3 (bsc#1173197).
- CVE-2020-14093: Fixed a potential IMAP Man-in-the-Middle attack via a PREAUTH response (bsc#1172906, bsc#1172935).
- CVE-2020-14154: Fixed an issue where Mutt was ignoring an expired certificate and was
proceeding with a connection (bsc#1172906, bsc#1172935).
ImportantSUSE bug 1172906SUSE bug 1172935SUSE bug 1173197CVE-2020-14093 at SUSECVE-2020-14093 at NVDCVE-2020-14154 at SUSECVE-2020-14154 at NVDCVE-2020-14954 at SUSECVE-2020-14954 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for squid (Important)SUSE OpenStack Cloud 8
This update for squid fixes the following issues:
- CVE-2020-14059: Fixed an issue where a client could potentially deny the service of a server
during TLS Handshake (bsc#1173304).
- CVE-2019-18860: Fixed handling of invalid domain names in cachemgr.cgi (bsc#1167373).
ImportantSUSE bug 1167373SUSE bug 1173304CVE-2019-18860 at SUSECVE-2019-18860 at NVDCVE-2020-14059 at SUSECVE-2020-14059 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ntp (Moderate)SUSE OpenStack Cloud 8
This update for ntp fixes the following issues:
ntp was updated to 4.2.8p15
- CVE-2020-11868: Fixed an issue which a server mode packet with spoofed source address
frequently send to the client ntpd could have caused denial of service (bsc#1169740).
- CVE-2018-8956: Fixed an issue which could have allowed remote attackers to prevent
a broadcast client from synchronizing its clock with a broadcast NTP server via spoofed
mode 3 and mode 5 packets (bsc#1171355).
- CVE-2020-13817: Fixed an issue which an off-path attacker with the ability to query time
from victim's ntpd instance could have modified the victim's clock by a limited amount (bsc#1172651).
- CVE-2020-15025: Fixed an issue which remote attacker could have caused denial of service by consuming
the memory when a CMAC key was used andassociated with a CMAC algorithm in the ntp.keys (bsc#1173334).
ModerateSUSE bug 1169740SUSE bug 1171355SUSE bug 1172651SUSE bug 1173334CVE-2018-8956 at SUSECVE-2018-8956 at NVDCVE-2020-11868 at SUSECVE-2020-11868 at NVDCVE-2020-13817 at SUSECVE-2020-13817 at NVDCVE-2020-15025 at SUSECVE-2020-15025 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for mozilla-nspr, mozilla-nss (Important)SUSE OpenStack Cloud 8
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to version 3.53.1
- CVE-2020-12402: Fixed a potential side channel attack during RSA key generation (bsc#1173032).
- CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978).
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- Fixed various FIPS issues in libfreebl3 which were causing segfaults in the test suite of chrony (bsc#1168669).
- Fixed an issue where Firefox tab was crashing (bsc#1170908).
Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes
mozilla-nspr to version 4.25
ImportantSUSE bug 1159819SUSE bug 1168669SUSE bug 1169746SUSE bug 1170908SUSE bug 1171978SUSE bug 1173022CVE-2019-17006 at SUSECVE-2019-17006 at NVDCVE-2020-12399 at SUSECVE-2020-12399 at NVDCVE-2020-12402 at SUSECVE-2020-12402 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openldap2 (Important)SUSE OpenStack Cloud 8
This update for openldap2 fixes the following issues:
- CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).
- Changed DB_CONFIG to root:ldap permissions (bsc#1172704).
- Fixed an issue where slapd becomes unresponsive after many failed login/bind attempts(bsc#1170715).
ImportantSUSE bug 1170715SUSE bug 1172698SUSE bug 1172704CVE-2020-8023 at SUSECVE-2020-8023 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for xen (Important)SUSE OpenStack Cloud 8
This update for xen fixes the following issues:
- CVE-2020-15563: Fixed inverted code paths in x86 dirty VRAM tracking (bsc#1173377).
- CVE-2020-15565: Fixed insufficient cache write-back under VT-d (bsc#1173378).
- CVE-2020-15567: Fixed non-atomic modification of live EPT PTE (bsc#1173380).
ImportantSUSE bug 1173377SUSE bug 1173378SUSE bug 1173380CVE-2020-15563 at SUSECVE-2020-15563 at NVDCVE-2020-15565 at SUSECVE-2020-15565 at NVDCVE-2020-15567 at SUSECVE-2020-15567 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox to version 78.0.1 ESR fixes the following issues:
Security issues fixed:
- CVE-2020-12415: AppCache manifest poisoning due to url encoded character processing (bsc#1173576).
- CVE-2020-12416: Use-after-free in WebRTC VideoBroadcaster (bsc#1173576).
- CVE-2020-12417: Memory corruption due to missing sign-extension for ValueTags on ARM64 (bsc#1173576).
- CVE-2020-12418: Information disclosure due to manipulated URL object (bsc#1173576).
- CVE-2020-12419: Use-after-free in nsGlobalWindowInner (bsc#1173576).
- CVE-2020-12420: Use-After-Free when trying to connect to a STUN server (bsc#1173576).
- CVE-2020-12402: RSA Key Generation vulnerable to side-channel attack (bsc#1173576).
- CVE-2020-12421: Add-On updates did not respect the same certificate trust rules as software updates (bsc#1173576).
- CVE-2020-12422: Integer overflow in nsJPEGEncoder::emptyOutputBuffer (bsc#1173576).
- CVE-2020-12423: DLL Hijacking due to searching %PATH% for a library (bsc#1173576).
- CVE-2020-12424: WebRTC permission prompt could have been bypassed by a compromised content process (bsc#1173576).
- CVE-2020-12425: Out of bound read in Date.parse() (bsc#1173576).
- CVE-2020-12426: Memory safety bugs fixed in Firefox 78 (bsc#1173576).
- FIPS: MozillaFirefox: allow /proc/sys/crypto/fips_enabled (bsc#1167231).
Non-security issues fixed:
- Fixed interaction with freetype6 (bsc#1173613).
ImportantSUSE bug 1167231SUSE bug 1173576SUSE bug 1173613CVE-2020-12402 at SUSECVE-2020-12402 at NVDCVE-2020-12415 at SUSECVE-2020-12415 at NVDCVE-2020-12416 at SUSECVE-2020-12416 at NVDCVE-2020-12417 at SUSECVE-2020-12417 at NVDCVE-2020-12418 at SUSECVE-2020-12418 at NVDCVE-2020-12419 at SUSECVE-2020-12419 at NVDCVE-2020-12420 at SUSECVE-2020-12420 at NVDCVE-2020-12421 at SUSECVE-2020-12421 at NVDCVE-2020-12422 at SUSECVE-2020-12422 at NVDCVE-2020-12423 at SUSECVE-2020-12423 at NVDCVE-2020-12424 at SUSECVE-2020-12424 at NVDCVE-2020-12425 at SUSECVE-2020-12425 at NVDCVE-2020-12426 at SUSECVE-2020-12426 at NVDCVE-2020-6813 at SUSECVE-2020-6813 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ansible, ansible1, ardana-ansible, ardana-cluster, ardana-freezer, ardana-input-model, ardana-logging, ardana-mq, ardana-neutron, ardana-octavia, ardana-osconfig, caasp-openstack-heat-templates, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, kibana, openstack-dashboard, openstack-dashboard-theme-HPE, openstack-heat-templates, openstack-keystone, openstack-monasca-agent, openstack-monasca-installer, openstack-neutron, openstack-octavia-amphora-image, python-Django, python-Flask, python-GitPython, python-Pillow, python-amqp, python-apicapi, python-keystoneauth1, python-oslo.messaging, python-psutil, python-pyroute2, python-pysaml2, python-tooz, python-waitress, storm (Important)SUSE OpenStack Cloud 8
This update for ansible, ansible1, ardana-ansible, ardana-cluster, ardana-freezer, ardana-input-model, ardana-logging, ardana-mq, ardana-neutron, ardana-octavia, ardana-osconfig, caasp-openstack-heat-templates, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, kibana, openstack-dashboard, openstack-dashboard-theme-HPE, openstack-heat-templates, openstack-keystone, openstack-monasca-agent, openstack-monasca-installer, openstack-neutron, openstack-octavia-amphora-image, python-Django, python-Flask, python-GitPython, python-Pillow, python-amqp, python-apicapi, python-keystoneauth1, python-oslo.messaging, python-psutil, python-pyroute2, python-pysaml2, python-tooz, python-waitress, storm contains the following fixes:
The update fixes several security issues:
ansible
- CVE-2019-3828: Fixed a path traversal in the fetch module (bsc#1126503).
grafana
- CVE-2020-13379: Fixed an incorrect access control issue which could lead to information
leaks or denial of service (bsc#1172409).
- CVE-2020-12052: Fixed an cross site scripting vulnerability related to the annotation
popup (bsc#1170657).
kibana
- CVE-2020-10743: Fixed a clickjacking vulnerability (bsc#1171909).
python-Django
- CVE-2020-13254: Fixed a data leakage via malformed memcached keys. (bsc#1172167)
- CVE-2020-13596: Fixed a cross site scripting vulnerability related to the admin
parameters of the ForeignKeyRawIdWidget. (bsc#1172166)
python-Flask
- CVE-2019-1010083: Fixed a denial of service via crafted encoded JSON. (bsc#1141968)
python-Pillow
- CVE-2019-16865: Fixed a denial of service with specially crafted
image files. (bsc#1153191)
- CVE-2020-5312: Fixed a buffer overflow in the PCX P mode. (bsc#1160152)
- CVE-2020-5313: Fixed a buffer overflow related to FLI. (bsc#1160153)
- CVE-2019-19911: Fixed a denial of service in FpxImagePlugin.py. (bsc#1160192)
python-psutil
- CVE-2019-18874: Fixed a double free caused by refcount mishandling. (bsc#1156525)
python-pysaml2
- CVE-2020-5390: Fixed an issue with the verification of signatures in SAML documents.
(bsc#1160851)
- CVE-2017-1000246: Fixed an issue with weak encryption data, caused by initialization
vector reuse. (bsc#1068612)
python-waitress (to version 1.4.3)
- CVE-2019-16785: Fixed HTTP request smuggling through LF vs CRLF handling. (bsc#1161088)
- CVE-2019-16786: Fixed HTTP request smuggling through invalid Transfer-Encoding.
(bsc#1161089)
- CVE-2019-16789: Fixed HTTP Request Smuggling through Invalid whitespace characters.
(bsc#1160790)
- CVE-2019-16792: Fixed HTTP Request Smuggling through Content-Length header handling.
(bsc#1161670)
rubygem-activeresource
- CVE-2020-8151: Fixed information disclosure issue via specially crafted requests.
(bsc#1171560)
rubygem-json-1_7
- CVE-2020-10663: Fixed an unsafe object creation vulnerability. (bsc#1167244)
rubygem-puma
- CVE-2020-11077: Fixed a HTTP smuggling issue related to proxy usage. (bsc#1172175)
- CVE-2020-11076: Fixed a HTTP smuggling issue when using an invalid transfer-encoding
header. (bsc#1172176)
Other non-security fixes in in the update below:
Changes in ansible:
- Add 0001-Disallow-use-of-remote-home-directories-containing-..patch
(bsc#1126503, CVE-2019-3828)
Changes in ansible1:
- Add 0001-Disallow-use-of-remote-home-directories-containing-..patch
(bsc#1126503, CVE-2019-3828)
Changes in ardana-ansible:
- Update to version 8.0+git.1589740980.6c3bcdc:
* Reconfigure rabbitmq user permissions on update (SOC-11082)
- Update to version 8.0+git.1588953487.9bfd5cb:
* Fix incorrect prefix used to collect supportconfig files (bsc#1171273)
- Update to version 8.0+git.1585690828.81d8f45:
* Cleanup keystone-ansible (bsc#1108719)
Changes in ardana-cluster:
- Update to version 8.0+git.1585685203.3e71e49:
* Use bool filter to ensure valid boolean evaluation (SOC-11192)
Changes in ardana-freezer:
- Update to version 8.0+git.1586539529.b7d295f:
* Recovering Cloud8 using Freezer or SSH backups if upgrade fails (SOC-10137)
Changes in ardana-input-model:
- Update to version 8.0+git.1589740934.0e0ad61:
* Add default rabbitmq exchange write permissions (SOC-11082)
- Update to version 8.0+git.1586174594.2b92ec3:
* add port neutron security extension to CI models (SOC-11027)
Changes in ardana-logging:
- Update to version 8.0+git.1591194866.b7375d0:
* kibana: set x-frame-options header (bsc#1171909)
- Update to version 8.0+git.1586179244.ae61f62:
* Fix YAMLLoadWarning: calling yaml.load() without Loader (bsc#1168593)
Changes in ardana-mq:
- Update to version 8.0+git.1589715269.62ad6df:
* Don't mirror reply queues (SOC-10317)
- Update to version 8.0+git.1586784724.586343d:
* Actually fail if sync HA queues retries exceeded (SOC-11083)
Changes in ardana-neutron:
- Update to version 8.0+git.1590756744.ba84abc:
* Update L3 rootwrap filters (SOC-11306)
- Update to version 8.0+git.1587737509.4e09de3:
* Add network.target 'After' option (bsc#1169770)
- Update to version 8.0+git.1586546152.e7bc07f:
* Add neutron-common role dependencies (SOC-10875)
- Update to version 8.0+git.1586543712.62bb5a3:
* Fix neutron-ovsvapp-agent status (SOC-10637)
- Update to version 8.0+git.1586535447.55769df:
* Improve neutron service restart limit handling (SOC-8746)
- Update to version 8.0+git.1586519528.a28db53:
* Correctly setup ardana_notify_... fact (SOC-10902)
Changes in ardana-octavia:
- Update to version 8.0+git.1590100427.cf4cc8f:
* fix octavia to glance communication over internal endpoint (SOC-11294)
Changes in ardana-osconfig:
- Update to version 8.0+git.1587034587.eac37b8:
* Include SLE 12 SP3 LTSS repos in list of managed repos (SOC-11223)
Changes in caasp-openstack-heat-templates:
- Switch github URL from git@ to git:// to bypass authentication
Changes in crowbar-core:
- Update to version 5.0+git.1593156248.55bbdb26d:
* Ignore CVE-8184 (SOC-11299)
* Ignore latest ruby-related CVEs in the CI (SOC-11299)
- Update to version 5.0+git.1589804984.44a89be24:
* provisioner: Fix ssh key validation (SOC-11126)
* assign host to hostless keys (noref)
Changes in crowbar-openstack:
- Update to version 5.0+git.1593085772.64c4ab43c:
* monasca: Prevent deploying monasca-server to the node in pacemaker cluster (SOC-6354)
- Update to version 5.0+git.1591171674.1f299cd1c:
* Restore undeprecated nova dhcp_domain option (bsc#1171594)
- Update to version 5.0+git.1591104265.683d76534:
* [5.0] Fix availability zone script (bsc#1171661)
- Update to version 5.0+git.1590398068.f5cfacc12:
* nova: only create nonexistent cell1
- Update to version 5.0+git.1590150829.e86326d03:
* [5.0] Tempest: enable test_volume_boot_pattern test (SOC-10874)
- Update to version 5.0+git.1589814633.23fde86ab:
* rabbitmq: sync startup definitions.json with recipe (SOC-11077,SOC-11274)
- Update to version 5.0+git.1589647291.73c7f1cb6:
* [5.0] trove: fix rabbitmq connection URL (SOC-11286)
- Update to version 5.0+git.1589214669.8332efff3:
* Fix monasca libvirt ping checks (bsc#1107190)
- Update to version 5.0+git.1588271874.90adebc7a:
* run keystone_register on cluster founder only when HA (SOC-11248)
* nova: run keystone_register on cluster founder only (SOC-11243)
- Update to version 5.0+git.1588059034.3823515b7:
* tempest: retry openstack commands (SOC-11238)
- Update to version 5.0+git.1587403360.c43cd9905:
* tempest: disable block migration when using RBD (SOC-11176)
- Update to version 5.0+git.1586293860.901cb0f55:
* monasca: disable postgres backend monitoring by default (SOC-11190)
- Update to version 5.0+git.1585659861.c29fac257:
* magnum: Populate SSL configuration (SOC-9849)
* magnum: Add SSL support (SOC-9849)
* nova: Populate cinder SES settings early (SOC-11179)
Changes in documentation-suse-openstack-cloud:
- Update to version 8.20200527:
* Update Travis config: new container name (noref)
- Update to version 8.20200417:
* Recovering Cloud8 using Freezer or SSH backups if upgrade fails (SOC-10137)
- Update to version 8.20200326:
* Clarify wipe_disks does not affect non-OS partitions (bsc#1092420)
Changes in grafana:
- Add CVE-2020-13379.patch
* Security: fix unauthorized avatar proxying (bsc#1172409, CVE-2020-13379)
- Refresh systemd-notification.patch
- Fix declaration for LICENSE
- Add 0002-CVE-2020-12052-bsc1170657-XSS-annotation-popup-vulnerability.patch
* Security: Fix annotation popup XSS vulnerability
(bsc#1170657)
- Add CVE-2019-15043.patch (SOC-10357, CVE-2019-15043, bsc#11483483)
Changes in kibana:
- Add 0001-Configurable-custom-response-headers-for-server.patch
(bsc#1171909, CVE-2020-10743)
Changes in openstack-dashboard:
- Update to version horizon-12.0.5.dev3:
* Fix typo in publicize\_image policy name
Changes in openstack-dashboard-theme-HPE:
- Switch github URL from git@ to https:// to bypass authentication
Changes in openstack-heat-templates:
- Update to version 0.0.0+git.1582270132.8a20477:
* Drop use of git.openstack.org
* Add sample templates for Blazar
Changes in openstack-keystone:
- Update to version keystone-12.0.4.dev11:
* Fix security issues with EC2 credentials
- Update to version keystone-12.0.4.dev10:
* Check timestamp of signed EC2 token request
* Ensure OAuth1 authorized roles are respected
- Update to version keystone-12.0.4.dev6:
* Remove neutron-grenade job
Changes in openstack-keystone:
- Update to version keystone-12.0.4.dev11:
* Fix security issues with EC2 credentials
- Update to version keystone-12.0.4.dev10:
* Check timestamp of signed EC2 token request
* Ensure OAuth1 authorized roles are respected
- Update to version keystone-12.0.4.dev6:
* Remove neutron-grenade job
Changes in openstack-monasca-agent:
- update to version 2.2.6~dev4
- Add debug output for libvirt ping checks
- Lockdown /bin/ip permissions for the monasca-agent (bsc#1107190)
- add addtional arguments to /bin/ip in sudoers
- Fix missing sudo privleges (bsc#1107190)
- add /bin/ip and /usr/bin/ovs-vsctl to monasca-agent sudoers
- removed 0001-Avoid-overwriting-sys.path-ip-command.patch
- update to version 2.2.6~dev3
- Do not copy /sbin/ip to /usr/bin/monasa-agent-ip
- update to version 2.2.6~dev2
- Remove incorrect assignment of ping_cmd to 'True'
- update to version 2.2.6~dev1
- Update hacking version to 1.1.x
Changes in openstack-monasca-installer:
- Add 0001-kibana:-set-x-frame-options-header.patch (bsc#1171909,
CVE-2020-10743)
Changes in openstack-neutron:
- Update to version neutron-11.0.9.dev65:
* Revert iptables TCP checksum-fill code
- Update to version neutron-11.0.9.dev64:
* [Pike-only]: make grenade jobs non-voting
Changes in openstack-neutron:
- Update to version neutron-11.0.9.dev65:
* Revert iptables TCP checksum-fill code
- Update to version neutron-11.0.9.dev64:
* [Pike-only]: make grenade jobs non-voting
Changes in openstack-octavia-amphora-image:
- Update image to 0.1.4 to include latest changes
Changes in python-Django:
- Security fixes (bsc#1172167, bsc#1172166, CVE-2020-13254, CVE-2020-13596)
* Added patch CVE-2020-13254-1.8.19.patch
* Added patch CVE-2020-13596-1.8.19.patch
Changes in python-Flask:
- Apply patch to resolve CVE-2019-1010083 (bsc#1141968)
- 0001-detect-UTF-encodings-when-loading-json.patch
Changes in python-GitPython:
- Require git-core instead of git
Changes in python-Pillow:
- Remove decompression_bomb.gif and relevant test case to avoid
ClamAV scan alerts during build
- Add 001-Corrected-negative-seeks.patch
* From upstream, backported
* Fixes part of CVE-2019-16865, bsc#1153191
- Add 002-Added-DecompressionBombError.patch
* From upstream, backported
* Adds DecompressionBombError class
* Used by 003-Added-decompression-bomb-checks.patch
- Add 003-Added-decompression-bomb-checks.patch
* From upstream, backported
* Fixes part of CVE-2019-16865, bsc#1153191
- Add 004-Raise-error-if-dimension-is-a-string.patch
* From upstream, backported
* Fixes part of CVE-2019-16865, bsc#1153191
- Add 005-Catch-buffer-overruns.patch
* From upstream, backported
* Fixes part of CVE-2019-16865, bsc#1153191
- Add 006-Catch-PCX-P-mode-buffer-overrun.patch
* From upstream, backported
* Fixes CVE-2020-5312, bsc#1160152
- Add 007-Test-animated-FLI-file.patch
* From upstream, backported
* Adds test animated FLI file
* Used by 008-Ensure-previous-FLI-frame-is-loaded.patch
- Add 008-Ensure-previous-FLI-frame-is-loaded.patch
* From upstream, backported
* Fixes https://github.com/python-pillow/Pillow/issues/2649
* Uncovers CVE-2020-5313, bsc#1160153
- Add 009-Catch-FLI-buffer-overrun.patch
* From upstream, backported
* Fixes CVE-2020-5313, bsc#1160153
- Add 010-Invalid-number-of-bands-in-FPX-image.patch
* From upstream, backported
* Fixes CVE-2019-19911, bsc#1160192
Changes in python-amqp:
- Add python-devel as build dependecy
* Required when building against python 2.7.17
Changes in python-apicapi:
- Add python-devel as build dependecy
* Required when building against python 2.7.17
Changes in python-keystoneauth1:
- switch to tracking stable/pike tarball
- disable renderspec
- update to version 3.1.2.dev2
- Make tests pass in 2020
- OpenDev Migration Patch
- import zuul job settings from project-config into stable/pike
- Remove tox_install.sh
- import zuul job settings from project-config
- Update UPPER_CONSTRAINTS_FILE for stable/pike into stable/pike
- Update .gitreview for stable/pike into stable/pike
- Updated from global requirements
- Update UPPER_CONSTRAINTS_FILE for stable/pike
- Update .gitreview for stable/pike
Changes in python-oslo.messaging:
- added 0001-Use-default-exchange-for-direct-messaging.patch
(SOC-11082, SOC-11274, bsc#1159046)
- Add 0001-Retry-to-declare-a-queue-after-internal-error.patch (bsc#1123872)
After receiving 'AMQP internal error 541', retry to create the queue after a delay.
Changes in python-psutil:
- Add bsc1156525-CVE-2019-18874.patch (bsc#1156525, CVE-2019-18874))
Changes in python-pyroute2:
- netns: fix NetNS resource leakage (#504) (bsc#1164322)
Changes in python-pysaml2:
- Add 0001-Always-generate-a-random-IV-for-AES-operations.patch
(CVE-2017-1000246, bsc#1068612)
- Add 0001-Fix-XML-Signature-Wrapping-XSW-vulnerabilities.patch
(CVE-2020-5390, bsc#1160851)
Changes in python-tooz:
- update to version 1.58.1
- Update .gitreview for stable/pike
- import zuul job settings from project-config
- Add doc/requirements.txt
- Fix sphinx-docs job for stable branch
Changes in python-waitress:
- update to 1.4.3 to include fixes for:
* CVE-2019-16785 / bsc#1161088
* CVE-2019-16786 / bsc#1161089
* CVE-2019-16789 / bsc#1160790
* CVE-2019-16792 / bsc#1161670
- make sure UTF8 locale is used when runnning tests
* Sometimes functional tests executed in python3 failed if stdout was not
set to UTF-8. The error message was:
ValueError: underlying buffer has been detached
- %python3_only -> %python_alternative
- update to 1.4.3
* Waitress did not properly validate that the HTTP headers it received
were properly formed, thereby potentially allowing a front-end server
to treat a request different from Waitress. This could lead to HTTP
request smuggling/splitting.
- drop patch local-intersphinx-inventories.patch
* it was commented out, anyway
- update to 1.4.0:
- Waitress used to slam the door shut on HTTP pipelined requests without
setting the ``Connection: close`` header as appropriate in the response. This
is of course not very friendly. Waitress now explicitly sets the header when
responding with an internally generated error such as 400 Bad Request or 500
Internal Server Error to notify the remote client that it will be closing the
connection after the response is sent.
- Waitress no longer allows any spaces to exist between the header field-name
and the colon. While waitress did not strip the space and thereby was not
vulnerable to any potential header field-name confusion, it should have sent
back a 400 Bad Request. See https://github.com/Pylons/waitress/issues/273
- CRLR handling Security fixes
- update to 1.3.1
* Waitress won’t accidentally throw away part of the path if it
starts with a double slash
- version update to 1.3.0
Deprecations
~~~~~~~~~~~~
- The ``send_bytes`` adjustment now defaults to ``1`` and is deprecated
pending removal in a future release.
and https://github.com/Pylons/waitress/pull/246
Features
~~~~~~~~
- Add a new ``outbuf_high_watermark`` adjustment which is used to apply
backpressure on the ``app_iter`` to avoid letting it spin faster than data
can be written to the socket. This stabilizes responses that iterate quickly
with a lot of data.
See https://github.com/Pylons/waitress/pull/242
- Stop early and close the ``app_iter`` when attempting to write to a closed
socket due to a client disconnect. This should notify a long-lived streaming
response when a client hangs up.
See https://github.com/Pylons/waitress/pull/238
and https://github.com/Pylons/waitress/pull/240
and https://github.com/Pylons/waitress/pull/241
- Adjust the flush to output ``SO_SNDBUF`` bytes instead of whatever was
set in the ``send_bytes`` adjustment. ``send_bytes`` now only controls how
much waitress will buffer internally before flushing to the kernel, whereas
previously it used to also throttle how much data was sent to the kernel.
This change enables a streaming ``app_iter`` containing small chunks to
still be flushed efficiently.
See https://github.com/Pylons/waitress/pull/246
Bugfixes
~~~~~~~~
- Upon receiving a request that does not include HTTP/1.0 or HTTP/1.1 we will
no longer set the version to the string value 'None'. See
https://github.com/Pylons/waitress/pull/252 and
https://github.com/Pylons/waitress/issues/110
- When a client closes a socket unexpectedly there was potential for memory
leaks in which data was written to the buffers after they were closed,
causing them to reopen.
See https://github.com/Pylons/waitress/pull/239
- Fix the queue depth warnings to only show when all threads are busy.
See https://github.com/Pylons/waitress/pull/243
and https://github.com/Pylons/waitress/pull/247
- Trigger the ``app_iter`` to close as part of shutdown. This will only be
noticeable for users of the internal server api. In more typical operations
the server will die before benefiting from these changes.
See https://github.com/Pylons/waitress/pull/245
- Fix a bug in which a streaming ``app_iter`` may never cleanup data that has
already been sent. This would cause buffers in waitress to grow without
bounds. These buffers now properly rotate and release their data.
See https://github.com/Pylons/waitress/pull/242
- Fix a bug in which non-seekable subclasses of ``io.IOBase`` would trigger
an exception when passed to the ``wsgi.file_wrapper`` callback.
See https://github.com/Pylons/waitress/pull/249
- Trim marketing wording and other platform mentions.
- Add fetch-intersphinx-inventories.sh to sources
- Add local-intersphinx-inventories.patch for generating the docs
correctly
- update to version 1.2.1:
too many changes to list here, see:
https://github.com/Pylons/waitress/blob/master/CHANGES.txt
or even:
https://github.com/Pylons/waitress/commits/master
- Remove superfluous devel dependency for noarch package
- update to version 1.1.0:
* Features
+ Waitress now has a __main__ and thus may be called with 'python
-mwaitress'
* Bugfixes
+ Waitress no longer allows lowercase HTTP verbs. This change was
made to fall in line with most HTTP servers. See
https://github.com/Pylons/waitress/pull/170
+ When receiving non-ascii bytes in the request URL, waitress will
no longer abruptly close the connection, instead returning a 400
Bad Request. See https://github.com/Pylons/waitress/pull/162 and
https://github.com/Pylons/waitress/issues/64
- Update to 1.0.2
* Python 3.6 is now officially supported in Waitress
* Add a work-around for libc issue on Linux not following the
documented standards. If getnameinfo() fails because of DNS not
being available it should return the IP address instead of the
reverse DNS entry, however instead getnameinfo() raises. We
catch this, and ask getnameinfo() for the same information
again, explicitly asking for IP address instead of reverse
DNS hostname.
- Implement single-spec version.
- Fix source URL.
- update to 1.0.1:
- IPv6 support on Windows was broken due to missing constants in the socket
module. This has been resolved by setting the constants on Windows if they
are missing. See https://github.com/Pylons/waitress/issues/138
- A ValueError was raised on Windows when passing a string for the port, on
Windows in Python 2 using service names instead of port numbers doesn't work
with `getaddrinfo`. This has been resolved by attempting to convert the port
number to an integer, if that fails a ValueError will be raised. See
https://github.com/Pylons/waitress/issues/139
- Removed `AI_ADDRCONFIG` from the call to `getaddrinfo`, this resolves an
issue whereby `getaddrinfo` wouldn't return any addresses to `bind` to on
hosts where there is no internet connection but localhost is requested to be
bound to. See https://github.com/Pylons/waitress/issues/131 for more
information.
- disable tests. need network access.
Changes in storm:
- update to 1.1.3:
* 1.1.3:
* [STORM-3026] - Upgrade ZK instance for security
* [STORM-3027] - Make Impersonation Optional
* [STORM-3011] - Use default bin path in flight.bash if $JAVA_HOME is undefined
* [STORM-3039] - Ports of killed topologies remain in TIME_WAIT state preventing to start new topology
* [STORM-2911] - SpoutConfig is serializable but does not declare a serialVersionUID field
* [STORM-2978] - The fix for STORM-2706 is broken, and adds a transitive dependency on Zookeeper 3.5.3-beta for projects that depend on e.g. storm-kafka
* [STORM-2979] - WorkerHooks EOFException during run_worker_shutdown_hooks
* [STORM-2981] - Upgrade Curator to lastest patch version
* [STORM-2985] - Add jackson-annotations to dependency management
* [STORM-2989] - LogCleaner should preserve current worker.log.metrics
* [STORM-2994] - KafkaSpout consumes messages but doesn't commit offsets
* [STORM-3043] - NullPointerException thrown in SimpleRecordTranslator.apply()
* [STORM-3052] - Let blobs un archive
* [STORM-3059] - KafkaSpout throws NPE when hitting a null tuple if the processing guarantee is not AT_LEAST_ONCE
* [STORM-2960] - Better to stress importance of setting up proper OS account for Storm processes
* [STORM-3060] - Configuration mapping between storm-kafka & storm-kafka-client
* [STORM-2952] - Deprecate storm-kafka in 1.x
* [STORM-3005] - [DRPC] LinearDRPCTopologyBuilder shouldn't be deprecated
* [STORM-2841] - testNoAcksIfFlushFails UT fails with NullPointerException
* 1.1.2:
* [STORM-2512] - Change KafkaSpoutConfig in storm-kafka-client to make it work with flux
* [STORM-2616] - Document the built in metrics (just in time to replace them???)
* [STORM-2657] - Update SECURITY.MD
* [STORM-2663] - Backport STORM-2558 and deprecate storm.cmd on 1.x-branch
* [STORM-2712] - accept arbitrary number of rows per tuple in storm-cassandra
* [STORM-2775] - Improve KafkaPartition Metric Names
* [STORM-2807] - Integration test should shut down topologies immediately after the test
* [STORM-2862] - More flexible logging in multilang (Python, Ruby, JS)
* [STORM-2877] - Introduce an option to configure pagination in Storm UI
* [STORM-2917] - Check the config(nimbus.host) before using it to connect
* [STORM-2231] - NULL in DisruptorQueue while multi-threaded ack
* [STORM-2426] - First tuples fail after worker is respawn
* [STORM-2500] - waitUntilReady in PacemakerClient cannot be invoked
* [STORM-2525] - Fix flaky integration tests
* [STORM-2535] - test-reset-timeout is flaky. Replace with a more reliable test.
* [STORM-2541] - Manual partition assignment doesn't work
* [STORM-2607] - [kafka-client] Consumer group every time with lag 1
* [STORM-2642] - Storm-kafka-client spout cannot be serialized when using manual partition assignment
* [STORM-2660] - The Nimbus storm-local directory is relative to the working directory of the shell executing 'storm nimbus'
* [STORM-2666] - Storm-kafka-client spout can sometimes emit messages that were already committed.
* [STORM-2674] - NoNodeException when ZooKeeper tries to delete nodes
* [STORM-2677] - consider all sampled tuples which took greater than 0 ms processing time
* [STORM-2682] - Supervisor crashes with NullPointerException
* [STORM-2690] - resurrect invocation of ISupervisor.assigned() & make Supervisor.launchDaemon() accessible
* [STORM-2695] - BlobStore uncompress argument should be Boolean
* [STORM-2705] - DRPCSpout sleeps twice when idle
* [STORM-2706] - Nimbus stuck in exception and does not fail fast
* [STORM-2724] - ExecutorService in WaterMarkEventGenerator never shutdown
* [STORM-2736] - o.a.s.b.BlobStoreUtils [ERROR] Could not update the blob with key
* [STORM-2750] - fix double_checked locking
* [STORM-2751] - Remove AsyncLoggingContext from Supervisor
* [STORM-2764] - HDFSBlobStore leaks file system objects
* [STORM-2769] - Fast-fail if output stream Id is null
* [STORM-2771] - Some tests are being run twice
* [STORM-2779] - NPE on shutting down WindowedBoltExecutor
* [STORM-2786] - Ackers leak tracking info on failure and lots of other cases.
* [STORM-2810] - Storm-hdfs tests are leaking resources
* [STORM-2811] - Nimbus may throw NPE if the same topology is killed multiple times, and the integration test kills the same topology multiple times
* [STORM-2814] - Logviewer HTTP server should return 403 instead of 200 if the user is unauthorized
* [STORM-2815] - UI HTTP server should return 403 if the user is unauthorized
* [STORM-2833] - Cached Netty Connections can have different keys for the same thing.
* [STORM-2853] - Deactivated topologies cause high cpu utilization
* [STORM-2855] - Travis build doesn't work after update of Ubuntu image
* [STORM-2856] - Make Storm build work on post 2017Q4 Travis Trusty image
* [STORM-2868] - Address handling activate/deactivate in multilang module files
* [STORM-2870] - FileBasedEventLogger leaks non-daemon ExecutorService which prevents process to be finished
* [STORM-2876] - Some storm-hdfs tests fail with out of memory periodically
* [STORM-2879] - Supervisor collapse continuously when there is a expired assignment for overdue storm
* [STORM-2892] - Flux test fails to parse valid PATH environment variable
* [STORM-2894] - fix some random typos in tests
* [STORM-2912] - Tick tuple is being shared without resetting start time and incur side-effect to break metrics
* [STORM-2918] - Upgrade Netty version
* [STORM-2942] - Remove javadoc and source jars from toollib directory in binary distribution
* [STORM-2874] - Minor style improvements to backpressure code
* [STORM-2858] - Fix worker-launcher build
* 1.1.1:
* STORM-2659: Add daemon.name variable to storm.cmd to fix log4j logging
* STORM-2652: fix error in open method of JmsSpout
* STORM-2645: Update storm.py to be python3 compatible
* STORM-2621: add tuple_population metric
* STORM-2639: Kafka Spout incorrectly computes numCommittedOffsets due to voids in the topic (topic compaction)
* STORM-2544: Fixing issue in acking of tuples that hit retry limit under manual commit mode
* STORM-2618: Add TridentKafkaStateUpdater for storm-kafka-client
* STORM-2608: Remove any pending offsets that are no longer valid
* STORM-2503: Fix lgtm.com alerts on equality and comparison operations
* STORM-2478: Fix BlobStoreTest.testDeleteAfterFailedCreate on Windows
* STORM-2602: storm.zookeeper.topology.auth.payload doesn't work even you set it
* STORM-2597: Don't parse passed in class paths
* STORM-2564: We should provide a template for storm-cluster-auth.yaml
* STORM-2568: Fix getTopicsString
* STORM-2563: Remove the workaround to handle missing UGI.loginUserFromSubject
* STORM-2552: KafkaSpoutMessageId should be serializable
* STORM-2562: Use stronger key size than default for blow fish key generator and get rid of stack trace
* STORM-2557: A bug in DisruptorQueue causing severe underestimation of queue arrival rates
* STORM-2449: Ensure same key appears only once in State iterator
* STORM-2516: Fix timing issues with testPrepareLateTupleStreamWithoutBuilder
* STORM-2489: Overlap and data loss on WindowedBolt based on Duration
* STORM-2528: Bump log4j version to 2.8.2
* STORM-2527: Initialize java.sql.DriverManager earlier to avoid deadlock
* STORM-2413: Make new Kafka spout respect tuple retry limits
* STORM-2518: Handles empty name for 'USER type' ACL when normalizing ACLs
* STORM-2511: Submitting a topology with name containing unicode getting failed
* STORM-2496: Dependency artifacts should be uploaded to blobstore with READ permission for all
* STORM-2505: Spout to support topic compaction
* STORM-2498: Fix Download Full File link
* STORM-2343: New Kafka spout can stop emitting tuples if more than maxUncommittedOffsets tuples fail at once.
* STORM-2486: Prevent cd from printing target directory to avoid breaking classpath
* STORM-2488: The UI user Must be HTTP.
* STORM-2481: Upgrade Aether version to resolve Aether bug BUG-451566
* STORM-2435: Logging in storm.js inconsistent to console.log and does not support log levels
* STORM-2315: New kafka spout can't commit offset when ack is disabled
* STORM-2467: Use explicit charset when decoding from array backed buffer
* STORM-1114: Race condition in trident zookeeper zk-node create/delete
* STORM-2448: Add in Storm and JDK versions when submitting a topology
* STORM-2343: Fix new Kafka spout stopping processing if more than maxUncommittedOffsets tuples fail at once
* STORM-2431: the default blobstore.dir is storm.local.dir/blobs which is different from distcache-blobstore.md
* STORM-2429: Properly validate supervisor.scheduler.meta
* STORM-2451: windows storm.cmd does not set log4j2 config file correctly by default
* STORM-2450: Write resources into correct local director
* STORM-2440: Kill process if executor catches java.net.SocketTimeoutException
* STORM-2432: Storm-Kafka-Client Trident Spout Seeks Incorrect Offset With UNCOMMITTED_LATEST Strategy
* 1.1.0:
* STORM-2425: Storm Hive Bolt not closing open transactions
* STORM-2409: Storm-Kafka-Client KafkaSpout Support for Failed and NullTuples
* STORM-2423: Join Bolt should use explicit instead of default window anchoring for emitted tuples
* STORM-2416: Improve Release Packaging to Reduce File Size
* STORM-2414: Skip checking meta's ACL when subject has write privileges for any blobs
* STORM-2038: Disable symlinks with a config option
* STORM-2240: STORM PMML Bolt - Add Support to Load Models from Blob Store
* STORM-2412: Nimbus isLeader check while waiting for max replication
* STORM-2408: build failed if storm.kafka.client.version = 0.10.2.0
* STORM-2403: Fix KafkaBolt test failure: tick tuple should not be acked
* STORM-2361: Kafka spout - after leader change, it stops committing offsets to ZK
* STORM-2353: Replace kafka-unit by kafka_2.11 and kafka-clients to test kafka-clients:0.10.1.1
* STORM-2387: Handle tick tuples properly for Bolts in external modules
* STORM-2345: Type mismatch in ReadClusterState's ProfileAction processing Map
* STORM-2400: Upgraded Curator to 2.12.0 and made respective API changes
* STORM-2396: setting interrupted status back before throwing a RuntimeException
* STORM-1772: Adding Perf module with topologies for measuring performance
* STORM-2395: storm.cmd supervisor calls the wrong class name
* STORM-2391: Move HdfsSpoutTopology from storm-starter to storm-hdfs-examples
* STORM-2389: Avoid instantiating Event Logger when topology.eventlogger.executors=0
* STORM-2386: Fail-back Blob deletion also fails in BlobSynchronizer.syncBlobs.
* STORM-2388: JoinBolt breaks compilation against JDK 7
* STORM-2374: Storm Kafka Client Test Topologies Must be Serializable
* STORM-2372: Pacemaker client doesn't clean up heartbeats properly
* STORM-2326: Upgrade log4j and slf4j
* STORM-2334: Join Bolt implementation
* STORM-1363: TridentKafkaState should handle null values from TridentTupleToKafkaMapper.getMessageFromTuple()
* STORM-2365: Support for specifying output stream in event hubs spout
* STORM-2250: Kafka spout refactoring to increase modularity and testability
* STORM-2340: fix AutoCommitMode issue in KafkaSpout
* STORM-2344: Flux YAML File Viewer for Nimbus UI
* STORM-2350: Storm-HDFS's listFilesByModificationTime is broken
* STORM-2270 Kafka spout should consume from latest when ZK partition commit offset bigger than the latest offset
* STORM-1464: storm-hdfs support for multiple output files and partitioning
* STORM-2320: DRPC client printer class reusable for local and remote DRPC
* STORM-2281: Running Multiple Kafka Spouts (Trident) Throws Illegal State Exception
* STORM-2296: Kafka spout no dup on leader changes
* STORM-2244: Some shaded jars doesn't exclude dependency signature files
* STORM-2014: New Kafka spout duplicates checking if failed messages have reached max retries
* STORM-1443: [Storm SQL] Support customizing parallelism in StormSQL
* STORM-2148: [Storm SQL] Trident mode: back to code generate and compile Trident topology
* STORM-2331: Emitting from JavaScript should work when not anchoring.
* STORM-2225: change spout config to be simpler.
* STORM-2323: Precondition for Leader Nimbus should check all topology blobs and also corresponding dependencies
* STORM-2330: Fix storm sql code generation for UDAF with non standard sql types
* STORM-2298: Don't kill Nimbus when ClusterMetricsConsumer is failed to initialize
* STORM-2301: [storm-cassandra] upgrade cassandra driver to 3.1.2
* STORM-1446: Compile the Calcite logical plan to Storm Trident logical plan
* STORM-2303: [storm-opentsdb] Fix list invariant issue for JDK 7
* STORM-2236: storm kafka client should support manual partition management
* STORM-2295: KafkaSpoutStreamsNamedTopics should return output fields with predictable ordering
* STORM-2300: [Flux] support list of references
* STORM-2297: [storm-opentsdb] Support Flux for OpenTSDBBolt
* STORM-2294: Send activate and deactivate command to ShellSpout
* STORM-2280: Upgrade Calcite version to 1.11.0
* STORM-2278: Allow max number of disruptor queue flusher threads to be configurable
* STORM-2277: Add shaded jar for Druid connector
* STORM-2274: Support named output streams in Hdfs Spout
* STORM-2204: Adding caching capabilities in HBaseLookupBolt
* STORM-2267: Use user's local maven repo. directory to local repo.
* STORM-2254: Provide Socket time out for nimbus thrift client
* STORM-2200: [Storm SQL] Drop Aggregate & Join support on Trident mode
* STORM-2266: Close NimbusClient instances appropriately
* STORM-2203: Add a getAll method to KeyValueState interface
* STORM-1886: Extend KeyValueState iface with delete
* STORM-2022: update Fields test to match new behavior
* STORM-2020: Stop using sun internal classes
* STORM-1228: port fields_test to java
* STORM-2104: New Kafka spout crashes if partitions are reassigned while tuples are in-flight
* STORM-2257: Add built in support for sum function with different types.
* STORM-2082: add sql external module storm-sql-hdfs
* STORM-2256: storm-pmml breaks on java 1.7
* STORM-2223: PMML Bolt.
* STORM-2222: Repeated NPEs thrown in nimbus if rebalance fails
* STORM-2190: reduce contention between submission and scheduling
* STORM-2239: Handle InterruptException in new Kafka spout
* STORM-2087: Storm-kafka-client: Failed tuples are not always replayed
* STORM-2238: Add Timestamp extractor for windowed bolt
* STORM-2235: Introduce new option: 'add remote repositories' for dependency resolver
* STORM-2215: validate blobs are present before submitting
* STORM-2170: [Storm SQL] Add built-in socket datasource to runtime
* STORM-2226: Fix kafka spout offset lag ui for kerberized kafka
* STORM-2224: Exposed a method to override in computing the field from given tuple in FieldSelector
* STORM-2220: Added config support for each bolt in Cassandra bolts, fixed the bolts to be used also as sinks.
* STORM-2205: Racecondition in getting nimbus summaries while ZK connectionions are reconnected
* STORM-2182: Refactor Storm Kafka Examples Into Own Modules.
* STORM-1694: Kafka Spout Trident Implementation Using New Kafka Consumer API
* STORM-2173: [SQL] Support CSV as input / output format
* STORM-2177: [SQL] Support TSV as input / output format
* STORM-2172: [SQL] Support Avro as input / output format
* STORM-2185: Storm Supervisor doesn't delete directories properly sometimes
* STORM-2103: [SQL] Introduce new sql external module: storm-sql-mongodb
* STORM-2175: fix double close of workers
* STORM-2109: Under supervisor V2 SUPERVISOR_MEMORY_CAPACITY_MB and SUPERVISOR_CPU_CAPACITY must be Doubles
* STORM-2110: in supervisor v2 filter out empty command line args
* STORM-2117: Supervisor V2 with local mode extracts resources directory to topology root directory instead of temporary directory
* STORM-2131: Add blob command to worker-launcher, make stormdist directory not writeable by topo owner
* STORM-2018: Supervisor V2
* STORM-2139: Let ShellBolts and ShellSpouts run with scripts from blobs
* STORM-2072: Add map, flatMap with different outputs (T->V) in Trident
* STORM-2134: improving the current scheduling strategy for RAS
* STORM-2125: Use Calcite's implementation of Rex Compiler
* STORM-1546: Adding Read and Write Aggregations for Pacemaker to make it HA compatible
* STORM-1444: Support EXPLAIN statement in StormSQL
* STORM-2099: Introduce new sql external module: storm-sql-redis
* STORM-2097: Improve logging in trident core and examples
* STORM-2144: Fix Storm-sql group-by behavior in standalone mode
* STORM-2066: make error message in IsolatedPool.java more descriptive
* STORM-1870: Allow FluxShellBolt/Spout set custom 'componentConfig' via yaml
* STORM-2126: fix NPE due to race condition in compute-new-sched-assign…
* STORM-2124: show requested cpu mem for each component
* STORM-2089: Replace Consumer of ISqlTridentDataSource with SqlTridentConsumer
* STORM-2118: A few fixes for storm-sql standalone mode
* STORM-2105: Cluster/Supervisor total and available resources displayed in the UI
* STORM-2078: enable paging in worker datatable
* STORM-1664: Allow Java users to start a local cluster with a Nimbus Thrift server.
* STORM-1872: Release Jedis connection when topology shutdown
* STORM-2100: Fix Trident SQL join tests to not rely on ordering
* STORM-1837: Fix complete-topology and prevent message loss
* STORM-2098: DruidBeamBolt: Pass DruidConfig.Builder as constructor argument
* STORM-2092: optimize TridentKafkaState batch sending
* STORM-1979: Storm Druid Connector implementation.
* STORM-2057: Support JOIN statement in Storm SQL
* STORM-1970: external project examples refator
* STORM-2074: fix storm-kafka-monitor NPE bug
* STORM-1459: Allow not specifying producer properties in read-only Kafka table in StormSQL
* STORM-2052: Kafka Spout New Client API - Log Improvements and Parameter Tuning for Better Performance.
* STORM-2050: [storm-sql] Support User Defined Aggregate Function for Trident mode
* STORM-1434: Support the GROUP BY clause in StormSQL
* STORM-2016: Topology submission improvement: support adding local jars and maven artifacts on submission
* STORM-1994: Add table with per-topology & worker resource usage and components in (new) supervisor and topology pages
* STORM-2042: Nimbus client connections not closed properly causing connection leaks
* STORM-1766: A better algorithm server rack selection for RAS
* STORM-1913: Additions and Improvements for Trident RAS API
* STORM-2037: debug operation should be whitelisted in SimpleAclAuthorizer.
* STORM-2023: Add calcite-core to dependency of storm-sql-runtime
* STORM-2036: Fix minor bug in RAS Tests
* STORM-1979: Storm Druid Connector implementation.
* STORM-1839: Storm spout implementation for Amazon Kinesis Streams.
* STORM-1876: Option to build storm-kafka and storm-kafka-client with different kafka client version
* STORM-2000: Package storm-opentsdb as part of external dir in installation
* STORM-1989: X-Frame-Options support for Storm UI
* STORM-1962: support python 3 and 2 in multilang
* STORM-1964: Unexpected behavior when using count window together with timestamp extraction
* STORM-1890: ensure we refetch static resources after package build
* STORM-1988: Kafka Offset not showing due to bad classpath.
* STORM-1966: Expand metric having Map type as value into multiple metrics based on entries
* STORM-1737: storm-kafka-client has compilation errors with Apache Kafka 0.10
* STORM-1968: Storm logviewer does not work for nimbus.log in secure cluster
* STORM-1910: One topology cannot use hdfs spout to read from two locations
* STORM-1960: Add CORS support to STORM UI Rest api
* STORM-1959: Add missing license header to KafkaPartitionOffsetLag
* STORM-1950: Change response json of 'Topology Lag' REST API to keyed by spoutId, topic, partition.
* STORM-1833: Simple equi-join in storm-sql standalone mode
* STORM-1866: Update Resource Aware Scheduler Documentation
* STORM-1930: Kafka New Client API - Support for Topic Wildcards
* STORM-1924: Adding conf options for Persistent Word Count Topology
* STORM-1956: Disabling Backpressure by default
* STORM-1934: Fix race condition between sync-supervisor and sync-processes
* STORM-1919: Introduce FilterBolt on storm-redis
* STORM-1945: Fix NPE bugs on topology spout lag for storm-kafka-monitor
* STORM-1888: add description for shell command
* STORM-1902: add a simple & flexible FileNameFormat for storm-hdfs
* STORM-1914: Storm Kafka Field Topic Selector
* STORM-1907: PartitionedTridentSpoutExecutor has incompatible types that cause ClassCastException
* STORM-1925: Remove Nimbus thrift call from Nimbus itself
* STORM-1909: Update HDFS spout documentation
* STORM-1136: Command line module to return kafka spout offsets lag and display in storm ui
* STORM-1911: IClusterMetricsConsumer should use seconds to timestamp unit
* STORM-1893: Support OpenTSDB for storing timeseries data.
* STORM-1723: Introduce ClusterMetricsConsumer
* STORM-1700: Introduce 'whitelist' / 'blacklist' option to MetricsConsumer
* STORM-1698: Asynchronous MetricsConsumerBolt
* STORM-1705: Cap number of retries for a failed message
* STORM-1884: Prioritize pendingPrepare over pendingCommit
* STORM-1575: fix TwitterSampleSpout NPE on close
* STORM-1874: Update logger private permissions
* STORM-1865: update command line client document
* STORM-1771: HiveState should flushAndClose before closing old or idle Hive connections
* STORM-1882: Expose TextFileReader public
* STORM-1873: Implement alternative behaviour for late tuples
* STORM-1719: Introduce REST API: Topology metric stats for stream
* STORM-1887: Fixed help message for set_log_level command
* STORM-1878: Flux can now handle IStatefulBolts
* STORM-1864: StormSubmitter should throw respective exceptions and log respective errors forregistered submitter hook invocation
* STORM-1868: Modify TridentKafkaWordCount to run in distributed mode
* STORM-1859: Ack late tuples in windowed mode
* STORM-1851: Fix default nimbus impersonation authorizer config
* STORM-1848: Make KafkaMessageId and Partition serializable to support
* STORM-1862: Flux ShellSpout and ShellBolt can't emit to named streams
* Storm-1728: TransactionalTridentKafkaSpout error
* STORM-1850: State Checkpointing Documentation update
* STORM-1674: Idle KafkaSpout consumes more bandwidth than needed
* STORM-1842: Forward references in storm.thrift cause tooling issues
* STORM-1730: LocalCluster#shutdown() does not terminate all storm threads/thread pools.
* STORM-1709: Added group by support in storm sql standalone mode
* STORM-1720: Support GEO in storm-redis
* 1.0.6:
* [STORM-2877] - Introduce an option to configure pagination in Storm UI
* [STORM-2917] - Check the config(nimbus.host) before using it to connect
* [STORM-2451] - windows storm.cmd does not set log4j2 config file correctly by default
* [STORM-2690] - resurrect invocation of ISupervisor.assigned() & make Supervisor.launchDaemon() accessible
* [STORM-2751] - Remove AsyncLoggingContext from Supervisor
* [STORM-2764] - HDFSBlobStore leaks file system objects
* [STORM-2771] - Some tests are being run twice
* [STORM-2786] - Ackers leak tracking info on failure and lots of other cases.
* [STORM-2853] - Deactivated topologies cause high cpu utilization
* [STORM-2856] - Make Storm build work on post 2017Q4 Travis Trusty image
* [STORM-2870] - FileBasedEventLogger leaks non-daemon ExecutorService which prevents process to be finished
* [STORM-2879] - Supervisor collapse continuously when there is a expired assignment for overdue storm
* [STORM-2892] - Flux test fails to parse valid PATH environment variable
* [STORM-2894] - fix some random typos in tests
* [STORM-2912] - Tick tuple is being shared without resetting start time and incur side-effect to break metrics
* [STORM-2918] - Upgrade Netty version
* [STORM-2874] - Minor style improvements to backpressure code
* [STORM-2937] - Overwrite storm-kafka-client 1.x-branch into 1.0.x-branch
* [STORM-2858] - Fix worker-launcher build
- Use %license macro
* 1.0.5:
* [STORM-2657] - Update SECURITY.MD
* [STORM-2231] - NULL in DisruptorQueue while multi-threaded ack
* [STORM-2660] - The Nimbus storm-local directory is relative to the working directory of the shell executing 'storm nimbus'
* [STORM-2674] - NoNodeException when ZooKeeper tries to delete nodes
* [STORM-2677] - consider all sampled tuples which took greater than 0 ms processing time
* [STORM-2682] - Supervisor crashes with NullPointerException
* [STORM-2695] - BlobStore uncompress argument should be Boolean
* [STORM-2705] - DRPCSpout sleeps twice when idle
* 1.0.4:
* STORM-2627: Update docs for storm.zookeeper.topology.auth.scheme
* STORM-2597: Don't parse passed in class paths
* STORM-2524: Set Kafka client.id with storm-kafka
* STORM-2448: Add in Storm and JDK versions when submitting a topology
* STORM-2511: Submitting a topology with name containing unicode getting failed
* STORM-2498: Fix Download Full File link
* STORM-2486: Prevent cd from printing target directory to avoid breaking classpath
* STORM-1114: Race condition in trident zookeeper zk-node create/delete
* STORM-2429: Properly validate supervisor.scheduler.meta
* STORM-2194: Stop ignoring socket timeout error from executor
* STORM-2450: Write resources into correct local director
* STORM-2414: Skip checking meta's ACL when subject has write privileges for any blobs
* STORM-2038: Disable symlinks with a config option
* STORM-2038: No symlinks for local cluster
* STORM-2403: Fix KafkaBolt test failure: tick tuple should not be acked
* STORM-2361: Kafka spout - after leader change, it stops committing offsets to ZK
* STORM-2296: Kafka spout - no duplicates on leader changes
* STORM-2387: Handle tick tuples properly for Bolts in external modules
* STORM-2345: Type mismatch in ReadClusterState's ProfileAction processing Map
* STORM-2104: New Kafka spout crashes if partitions are reassigned while tuples are in-flight
* STORM-2396: setting interrupted status back before throwing a RuntimeException
* STORM-2395: storm.cmd supervisor calls the wrong class name
* STORM-2385: pacemaker_state_factory.clj does not compile on branch-1.0.x
* STORM-2389: Avoid instantiating Event Logger when topology.eventlogger.executors=0
* STORM-2386: Fail-back Blob deletion also fails in BlobSynchronizer.syncBlobs
* STORM-2360: Storm-Hive: Thrift version mismatch with storm-core
* STORM-2372: Pacemaker client doesn't clean up heartbeats properly
* STORM-2326: Upgrade log4j and slf4j
* STORM-2350: Storm-HDFS's listFilesByModificationTime is broken
* 1.0.3:
* STORM-2197: NimbusClient connectins leak due to leakage in ThriftClient
* STORM-2321: Handle blobstore zk key deletion in KeySequenceNumber.
* STORM-2324: Fix deployment failure if resources directory is missing in topology jar
* STORM-2335: Fix broken Topology visualization with empty ':transferred' in executor stats
* STORM-2336: Close Localizer and AsyncLocalizer when supervisor is shutting down
* STORM-2338: Subprocess exception handling is broken in storm.py on Windows environment
* STORM-2337: Broken documentation generation for storm-metrics-profiling-internal-actions.md and windows-users-guide.md
* STORM-2325: Logviewer doesn't consider 'storm.local.hostname'
* STORM-1742: More accurate 'complete latency'
* STORM-2176: Workers do not shutdown cleanly and worker hooks don't run when a topology is killed
* STORM-2293: hostname should only refer node's 'storm.local.hostname'
* STORM-2246: Logviewer download link has urlencoding on part of the URL
* STORM-1906: Window count/length of zero should be disallowed
* STORM-1841: Address a few minor issues in windowing and doc
* STORM-2268: Fix integration test for Travis CI build
* STORM-2283: Fix DefaultStateHandler kryo multithreading issues
* STORM-2264: OpaqueTridentKafkaSpout failing after STORM-2216
* STORM-2276: Remove twitter4j usages due to license issue (JSON.org is catalog X)
* STORM-2095: remove any remaining files when deleting blobstore directory
* STORM-2222: Repeated NPEs thrown in nimbus if rebalance fails
* STORM-2251: Integration test refers specific version of Storm which should be project version
* STORM-2234: heartBeatExecutorService in shellSpout don't work well with deactivate
* STORM-2216: Favor JSONValue.parseWithException
* STORM-2208: HDFS State Throws FileNotFoundException in Azure Data Lake Store file system (adl://)
* STORM-2213: ShellSpout has race condition when ShellSpout is being inactive longer than heartbeat timeout
* STORM-2210: remove array shuffle from ShuffleGrouping
* STORM-2052: Kafka Spout - New Client API - Performance Improvements
* storm-2205: Racecondition in getting nimbus summaries while ZK connections are reconnected
* STORM-2198: perform RotationAction when stopping HdfsBolt
* STORM-2196: A typo in RAS_Node::consumeCPU
* STORM-2189: RAS_Node::freeCPU outputs incorrect info
* STORM-2184: Don't wakeup KafkaConsumer on shutdown
* STORM-2185: Storm Supervisor doesn't delete directories properly sometimes
* STORM-2175: fix double close of workers
* STORM-2018: Supervisor V2
* STORM-2145: Leave leader nimbus's hostname to log when trying to connect leader nimbus
* STORM-2127: Storm-eventhubs should use latest amqp and eventhubs-client versions
* STORM-2040: Fix bug on assert-can-serialize
* STORM-2017: ShellBolt stops reporting task ids
* STORM-2119: bug in log message printing to stdout
* STORM-2120: Emit to _spoutConfig.outputStreamId
* STORM-2101: fixes npe in compute-executors in nimbus
* STORM-2090: Add integration test for storm windowing
* STORM-2003: Make sure config contains TOPIC before get it
* STORM-1567: in defaults.yaml 'topology.disable.loadaware' should be 'topology.disable.loadaware.messaging'
* STORM-1987: Fix TridentKafkaWordCount arg handling in distributed mode.
* STORM-1969: Modify HiveTopology to show usage of non-partition table.
* STORM-1849: HDFSFileTopology should use the 3rd argument as topologyName
* STORM-2086: use DefaultTopicSelector instead of creating a new one
* STORM-2079: Unneccessary readStormConfig operation
* STORM-2081: create external directory for storm-sql various data sources and move storm-sql-kafka to it
* STORM-2070: Fix sigar native binary download link
* STORM-2056: Bugs in logviewer
* STORM-1646: Fix ExponentialBackoffMsgRetryManager test
* STORM-2039: Backpressure refactoring in worker and executor
* STORM-2064: Add storm name and function, access result and function to log-thrift-access
* STORM-2063: Add thread name in worker logs
* STORM-2042: Nimbus client connections not closed properly causing connection leaks
* STORM-2032: removes warning in case more than one metrics tuple is received
* STORM-1594: org.apache.storm.tuple.Fields can throw NPE if given invalid field in selector
* STORM-1995: downloadChunk in nimbus.clj should close the input stream
Changes in rubygem-activeresource:
- Add bsc#1171560-CVE-2020-8151-encode-id-param.patch
Prevent possible information disclosure issue that could allow
an attacker to create specially crafted requests to access data
in an unexpected way (bsc#1171560 CVE-2020-8151))_
Changes in rubygem-crowbar-client:
- Update to 3.9.2
- Enable SES commands in Cloud8 (SOC-11122)
Changes in rubygem-json-1_7:
- Add CVE-2020-10663.patch (CVE-2020-10663, bsc#1167244)
Changes in rubygem-puma:
- Fix indentation in gem2rpm.yml_
- Add CVE-2020-11077.patch (bsc#1172175, CVE-2020-11077)
- Add chunked-request-handling.patch (needed for CVE-2020-11076.patch)
- Add CVE-2020-11076.patch (bsc#1172176, CVE-2020-11076)
- Add all patches to gem2rpm.yml
ImportantSUSE bug 1068612SUSE bug 1092420SUSE bug 1107190SUSE bug 1108719SUSE bug 1123872SUSE bug 1126503SUSE bug 1141968SUSE bug 11483483SUSE bug 1148383SUSE bug 1153191SUSE bug 1156525SUSE bug 1159046SUSE bug 1160152SUSE bug 1160153SUSE bug 1160192SUSE bug 1160790SUSE bug 1160851SUSE bug 1161088SUSE bug 1161089SUSE bug 1161670SUSE bug 1164322SUSE bug 1167244SUSE bug 1168593SUSE bug 1169770SUSE bug 1170657SUSE bug 1171273SUSE bug 1171560SUSE bug 1171594SUSE bug 1171661SUSE bug 1171909SUSE bug 1172166SUSE bug 1172167SUSE bug 1172175SUSE bug 1172176SUSE bug 1172409CVE-2017-1000246 at SUSECVE-2017-1000246 at NVDCVE-2019-1010083 at SUSECVE-2019-1010083 at NVDCVE-2019-15043 at SUSECVE-2019-15043 at NVDCVE-2019-16785 at SUSECVE-2019-16785 at NVDCVE-2019-16786 at SUSECVE-2019-16786 at NVDCVE-2019-16789 at SUSECVE-2019-16789 at NVDCVE-2019-16792 at SUSECVE-2019-16792 at NVDCVE-2019-16865 at SUSECVE-2019-16865 at NVDCVE-2019-18874 at SUSECVE-2019-18874 at NVDCVE-2019-19911 at SUSECVE-2019-19911 at NVDCVE-2019-3828 at SUSECVE-2019-3828 at NVDCVE-2020-10663 at SUSECVE-2020-10663 at NVDCVE-2020-10743 at SUSECVE-2020-10743 at NVDCVE-2020-11076 at SUSECVE-2020-11076 at NVDCVE-2020-11077 at SUSECVE-2020-11077 at NVDCVE-2020-12052 at SUSECVE-2020-12052 at NVDCVE-2020-13254 at SUSECVE-2020-13254 at NVDCVE-2020-13379 at SUSECVE-2020-13379 at NVDCVE-2020-13596 at SUSECVE-2020-13596 at NVDCVE-2020-5312 at SUSECVE-2020-5312 at NVDCVE-2020-5313 at SUSECVE-2020-5313 at NVDCVE-2020-5390 at SUSECVE-2020-5390 at NVDCVE-2020-8151 at SUSECVE-2020-8151 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for bind (Important)SUSE OpenStack Cloud 8
This update for bind fixes the following issues:
- Amended documentation referring to rule types 'krb5-subdomain'
and 'ms-subdomain'. This incorrect documentation could mislead
operators into believing that policies they had configured were
more restrictive than they actually were. [CVE-2018-5741]
- Further limit the number of queries that can be triggered from a
request. Root and TLD servers are no longer exempt from
max-recursion-queries. Fetches for missing name server address
records are limited to 4 for any domain. [CVE-2020-8616]
- Replaying a TSIG BADTIME response as a request could trigger an
assertion failure. [CVE-2020-8617]
[bsc#1109160, bsc#1171740,
CVE-2018-5741, bind-CVE-2018-5741.patch,
CVE-2020-8616, bind-CVE-2020-8616.patch,
CVE-2020-8617, bind-CVE-2020-8617.patch]
- Don't rely on /etc/insserv.conf anymore for proper dependencies
against nss-lookup.target in named.service and lwresd.service
(bsc#1118367 bsc#1118368)
- Using a drop-in file
ImportantSUSE bug 1109160SUSE bug 1118367SUSE bug 1118368SUSE bug 1171740CVE-2018-5741 at SUSECVE-2018-5741 at NVDCVE-2020-8616 at SUSECVE-2020-8616 at NVDCVE-2020-8617 at SUSECVE-2020-8617 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-ipaddress (Important)SUSE OpenStack Cloud 8
This update for python-ipaddress fixes the following issues:
- Add CVE-2020-14422-ipaddress-hash-collision.patch fixing
CVE-2020-14422 (bsc#1173274, bpo#41004), where hash collisions
in IPv4Interface and IPv6Interface could lead to DOS.
ImportantSUSE bug 1173274CVE-2020-14422 at SUSECVE-2020-14422 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for squid (Important)SUSE OpenStack Cloud 8
This update for squid fixes the following issues:
- CVE-2020-15049.patch: fixes a Cache Poisoning and Request Smuggling
attack (CVE-2020-15049, bsc#1173455)
ImportantSUSE bug 1173455CVE-2020-15049 at SUSECVE-2020-15049 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for SUSE Manager Client Tools (Moderate)SUSE OpenStack Cloud 8
This update fixes the following issues:
cobbler:
- Calculate relative path for kernel and inited when generating
grub entry (bsc#1170231)
Added: fix-grub2-entry-paths.diff
- Fix os-release version detection for SUSE
Modified: sles15.patch
- Jinja2 template library fix (bsc#1141661)
- Removes string replace for textmode fix (bsc#1134195)
golang-github-prometheus-node_exporter:
- Update to 0.18.1
* [BUGFIX] Fix incorrect sysctl call in BSD meminfo collector, resulting in broken swap metrics on FreeBSD #1345
* [BUGFIX] Fix rollover bug in mountstats collector #1364
* Renamed interface label to device in netclass collector for consistency with
* other network metrics #1224
* The cpufreq metrics now separate the cpufreq and scaling data based on what the driver provides. #1248
* The labels for the network_up metric have changed, see issue #1236
* Bonding collector now uses mii_status instead of operstatus #1124
* Several systemd metrics have been turned off by default to improve performance #1254
* These include unit_tasks_current, unit_tasks_max, service_restart_total, and unit_start_time_seconds
* The systemd collector blacklist now includes automount, device, mount, and slice units by default. #1255
* [CHANGE] Bonding state uses mii_status #1124
* [CHANGE] Add a limit to the number of in-flight requests #1166
* [CHANGE] Renamed interface label to device in netclass collector #1224
* [CHANGE] Add separate cpufreq and scaling metrics #1248
* [CHANGE] Several systemd metrics have been turned off by default to improve performance #1254
* [CHANGE] Expand systemd collector blacklist #1255
* [CHANGE] Split cpufreq metrics into a separate collector #1253
* [FEATURE] Add a flag to disable exporter metrics #1148
* [FEATURE] Add kstat-based Solaris metrics for boottime, cpu and zfs collectors #1197
* [FEATURE] Add uname collector for FreeBSD #1239
* [FEATURE] Add diskstats collector for OpenBSD #1250
* [FEATURE] Add pressure collector exposing pressure stall information for Linux #1174
* [FEATURE] Add perf exporter for Linux #1274
* [ENHANCEMENT] Add Infiniband counters #1120
* [ENHANCEMENT] Add TCPSynRetrans to netstat default filter #1143
* [ENHANCEMENT] Move network_up labels into new metric network_info #1236
* [ENHANCEMENT] Use 64-bit counters for Darwin netstat
* [BUGFIX] Add fallback for missing /proc/1/mounts #1172
* [BUGFIX] Fix node_textfile_mtime_seconds to work properly on symlinks #1326
- Add network-online (Wants and After) dependency to systemd unit bsc#1143913
golang-github-prometheus-prometheus:
- Update change log and spec file
+ Modified spec file: default to golang 1.14 to avoid 'have choice' build issues in OBS.
+ Rebase and update patches for version 2.18.0
+ Changed:
* 0002-Default-settings.patch Changed
- Update to 2.18.0
+ Features
* Tracing: Added experimental Jaeger support #7148
+ Changes
* Federation: Only use local TSDB for federation (ignore remote read). #7096
* Rules: `rule_evaluations_total` and `rule_evaluation_failures_total` have a `rule_group` label now. #7094
+ Enhancements
* TSDB: Significantly reduce WAL size kept around after a block cut. #7098
* Discovery: Add `architecture` meta label for EC2. #7000
+ Bug fixes
* UI: Fixed wrong MinTime reported by /status. #7182
* React UI: Fixed multiselect legend on OSX. #6880
* Remote Write: Fixed blocked resharding edge case. #7122
* Remote Write: Fixed remote write not updating on relabel configs change. #7073
- Changes from 2.17.2
+ Bug fixes
* Federation: Register federation metrics #7081
* PromQL: Fix panic in parser error handling #7132
* Rules: Fix reloads hanging when deleting a rule group that is being evaluated #7138
* TSDB: Fix a memory leak when prometheus starts with an empty TSDB WAL #7135
* TSDB: Make isolation more robust to panics in web handlers #7129 #7136
- Changes from 2.17.1
+ Bug fixes
* TSDB: Fix query performance regression that increased memory and CPU usage #7051
- Changes from 2.17.0
+ Features
* TSDB: Support isolation #6841
* This release implements isolation in TSDB. API queries and recording rules are
guaranteed to only see full scrapes and full recording rules. This comes with a
certain overhead in resource usage. Depending on the situation, there might be
some increase in memory usage, CPU usage, or query latency.
+ Enhancements
* PromQL: Allow more keywords as metric names #6933
* React UI: Add normalization of localhost URLs in targets page #6794
* Remote read: Read from remote storage concurrently #6770
* Rules: Mark deleted rule series as stale after a reload #6745
* Scrape: Log scrape append failures as debug rather than warn #6852
* TSDB: Improve query performance for queries that partially hit the head #6676
* Consul SD: Expose service health as meta label #5313
* EC2 SD: Expose EC2 instance lifecycle as meta label #6914
* Kubernetes SD: Expose service type as meta label for K8s service role #6684
* Kubernetes SD: Expose label_selector and field_selector #6807
* Openstack SD: Expose hypervisor id as meta label #6962
+ Bug fixes
* PromQL: Do not escape HTML-like chars in query log #6834 #6795
* React UI: Fix data table matrix values #6896
* React UI: Fix new targets page not loading when using non-ASCII characters #6892
* Remote read: Fix duplication of metrics read from remote storage with external labels #6967 #7018
* Remote write: Register WAL watcher and live reader metrics for all remotes, not just the first one #6998
* Scrape: Prevent removal of metric names upon relabeling #6891
* Scrape: Fix 'superfluous response.WriteHeader call' errors when scrape fails under some circonstances #6986
* Scrape: Fix crash when reloads are separated by two scrape intervals #7011
- Changes from 2.16.0
+ Features
* React UI: Support local timezone on /graph #6692
* PromQL: add absent_over_time query function #6490
* Adding optional logging of queries to their own file #6520
+ Enhancements
* React UI: Add support for rules page and 'Xs ago' duration displays #6503
* React UI: alerts page, replace filtering togglers tabs with checkboxes #6543
* TSDB: Export metric for WAL write errors #6647
* TSDB: Improve query performance for queries that only touch the most recent 2h of data. #6651
* PromQL: Refactoring in parser errors to improve error messages #6634
* PromQL: Support trailing commas in grouping opts #6480
* Scrape: Reduce memory usage on reloads by reusing scrape cache #6670
* Scrape: Add metrics to track bytes and entries in the metadata cache #6675
* promtool: Add support for line-column numbers for invalid rules output #6533
* Avoid restarting rule groups when it is unnecessary #6450
+ Bug fixes
* React UI: Send cookies on fetch() on older browsers #6553
* React UI: adopt grafana flot fix for stacked graphs #6603
* React UI: broken graph page browser history so that back button works as expected #6659
* TSDB: ensure compactionsSkipped metric is registered, and log proper error if one is returned from head.Init #6616
* TSDB: return an error on ingesting series with duplicate labels #6664
* PromQL: Fix unary operator precedence #6579
* PromQL: Respect query.timeout even when we reach query.max-concurrency #6712
* PromQL: Fix string and parentheses handling in engine, which affected React UI #6612
* PromQL: Remove output labels returned by absent() if they are produced by multiple identical label matchers #6493
* Scrape: Validate that OpenMetrics input ends with `# EOF` #6505
* Remote read: return the correct error if configs can't be marshal'd to JSON #6622
* Remote write: Make remote client `Store` use passed context, which can affect shutdown timing #6673
* Remote write: Improve sharding calculation in cases where we would always be consistently behind by tracking pendingSamples #6511
* Ensure prometheus_rule_group metrics are deleted when a rule group is removed #6693
- Changes from 2.15.2
+ Bug fixes
* TSDB: Fixed support for TSDB blocks built with Prometheus before 2.1.0. #6564
* TSDB: Fixed block compaction issues on Windows. #6547
- Changes from 2.15.1
+ Bug fixes
* TSDB: Fixed race on concurrent queries against same data. #6512
- Changes from 2.15.0
+ Features
* API: Added new endpoint for exposing per metric metadata `/metadata`. #6420 #6442
+ Changes
* Discovery: Removed `prometheus_sd_kubernetes_cache_*` metrics. Additionally `prometheus_sd_kubernetes_workqueue_latency_seconds` and `prometheus_sd_kubernetes_workqueue_work_duration_seconds` metrics now show correct values in seconds. #6393
* Remote write: Changed `query` label on `prometheus_remote_storage_*` metrics to `remote_name` and `url`. #6043
+ Enhancements
* TSDB: Significantly reduced memory footprint of loaded TSDB blocks. #6418 #6461
* TSDB: Significantly optimized what we buffer during compaction which should result in lower memory footprint during compaction. #6422 #6452 #6468 #6475
* TSDB: Improve replay latency. #6230
* TSDB: WAL size is now used for size based retention calculation. #5886
* Remote read: Added query grouping and range hints to the remote read request #6401
* Remote write: Added `prometheus_remote_storage_sent_bytes_total` counter per queue. #6344
* promql: Improved PromQL parser performance. #6356
* React UI: Implemented missing pages like `/targets` #6276, TSDB status page #6281 #6267 and many other fixes and performance improvements.
* promql: Prometheus now accepts spaces between time range and square bracket. e.g `[ 5m]` #6065
+ Bug fixes
* Config: Fixed alertmanager configuration to not miss targets when configurations are similar. #6455
* Remote write: Value of `prometheus_remote_storage_shards_desired` gauge shows raw value of desired shards and it's updated correctly. #6378
* Rules: Prometheus now fails the evaluation of rules and alerts where metric results collide with labels specified in `labels` field. #6469
* API: Targets Metadata API `/targets/metadata` now accepts empty `match_targets` parameter as in the spec. #6303
- Changes from 2.14.0
+ Features
* API: `/api/v1/status/runtimeinfo` and `/api/v1/status/buildinfo` endpoints added for use by the React UI. #6243
* React UI: implement the new experimental React based UI. #5694 and many more
* Can be found by under `/new`.
* Not all pages are implemented yet.
* Status: Cardinality statistics added to the Runtime & Build Information page. #6125
+ Enhancements
* Remote write: fix delays in remote write after a compaction. #6021
* UI: Alerts can be filtered by state. #5758
+ Bug fixes
* Ensure warnings from the API are escaped. #6279
* API: lifecycle endpoints return 403 when not enabled. #6057
* Build: Fix Solaris build. #6149
* Promtool: Remove false duplicate rule warnings when checking rule files with alerts. #6270
* Remote write: restore use of deduplicating logger in remote write. #6113
* Remote write: do not reshard when unable to send samples. #6111
* Service discovery: errors are no longer logged on context cancellation. #6116, #6133
* UI: handle null response from API properly. #6071
- Changes from 2.13.1
+ Bug fixes
* Fix panic in ARM builds of Prometheus. #6110
* promql: fix potential panic in the query logger. #6094
* Multiple errors of http: superfluous response.WriteHeader call in the logs. #6145
- Changes from 2.13.0
+ Enhancements
* Metrics: renamed prometheus_sd_configs_failed_total to prometheus_sd_failed_configs and changed to Gauge #5254
* Include the tsdb tool in builds. #6089
* Service discovery: add new node address types for kubernetes. #5902
* UI: show warnings if query have returned some warnings. #5964
* Remote write: reduce memory usage of the series cache. #5849
* Remote read: use remote read streaming to reduce memory usage. #5703
* Metrics: added metrics for remote write max/min/desired shards to queue manager. #5787
* Promtool: show the warnings during label query. #5924
* Promtool: improve error messages when parsing bad rules. #5965
* Promtool: more promlint rules. #5515
+ Bug fixes
* UI: Fix a Stored DOM XSS vulnerability with query history [CVE-2019-10215](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10215). #6098
* Promtool: fix recording inconsistency due to duplicate labels. #6026
* UI: fixes service-discovery view when accessed from unhealthy targets. #5915
* Metrics format: OpenMetrics parser crashes on short input. #5939
* UI: avoid truncated Y-axis values. #6014
- Changes from 2.12.0
+ Features
* Track currently active PromQL queries in a log file. #5794
* Enable and provide binaries for `mips64` / `mips64le` architectures. #5792
+ Enhancements
* Improve responsiveness of targets web UI and API endpoint. #5740
* Improve remote write desired shards calculation. #5763
* Flush TSDB pages more precisely. tsdb#660
* Add `prometheus_tsdb_retention_limit_bytes` metric. tsdb#667
* Add logging during TSDB WAL replay on startup. tsdb#662
* Improve TSDB memory usage. tsdb#653, tsdb#643, tsdb#654, tsdb#642, tsdb#627
+ Bug fixes
* Check for duplicate label names in remote read. #5829
* Mark deleted rules' series as stale on next evaluation. #5759
* Fix JavaScript error when showing warning about out-of-sync server time. #5833
* Fix `promtool test rules` panic when providing empty `exp_labels`. #5774
* Only check last directory when discovering checkpoint number. #5756
* Fix error propagation in WAL watcher helper functions. #5741
* Correctly handle empty labels from alert templates. #5845
- Update Uyuni/SUSE Manager service discovery patch
+ Modified 0003-Add-Uyuni-service-discovery.patch:
+ Adapt service discovery to the new Uyuni API endpoints
+ Modified spec file: force golang 1.12 to fix build issues in SLE15SP2
- Update to Prometheus 2.11.2
grafana:
- Update to version 7.0.3
* Features / Enhancements
- Stats: include all fields. #24829, @ryantxu
- Variables: change VariableEditorList row action Icon to IconButton. #25217, @hshoff
* Bug fixes
- Cloudwatch: Fix dimensions of DDoSProtection. #25317, @papagian
- Configuration: Fix env var override of sections containing hyphen. #25178, @marefr
- Dashboard: Get panels in collapsed rows. #25079, @peterholmberg
- Do not show alerts tab when alerting is disabled. #25285, @dprokop
- Jaeger: fixes cascader option label duration value. #25129, @Estrax
- Transformations: Fixed Transform tab crash & no update after adding first transform. #25152, @torkelo
- Update to version 7.0.2
* Bug fixes
- Security: Urgent security patch release to fix CVE-2020-13379
- Update to version 7.0.1
* Features / Enhancements
- Datasource/CloudWatch: Makes CloudWatch Logs query history more readable. #24795, @kaydelaney
- Download CSV: Add date and time formatting. #24992, @ryantxu
- Table: Make last cell value visible when right aligned. #24921, @peterholmberg
- TablePanel: Adding sort order persistance. #24705, @torkelo
- Transformations: Display correct field name when using reduce transformation. #25068, @peterholmberg
- Transformations: Allow custom number input for binary operations. #24752, @ryantxu
* Bug fixes
- Dashboard/Links: Fixes dashboard links by tags not working. #24773, @KamalGalrani
- Dashboard/Links: Fixes open in new window for dashboard link. #24772, @KamalGalrani
- Dashboard/Links: Variables are resolved and limits to 100. #25076, @hugohaggmark
- DataLinks: Bring back variables interpolation in title. #24970, @dprokop
- Datasource/CloudWatch: Field suggestions no longer limited to prefix-only. #24855, @kaydelaney
- Explore/Table: Keep existing field types if possible. #24944, @kaydelaney
- Explore: Fix wrap lines toggle for results of queries with filter expression. #24915, @ivanahuckova
- Explore: fix undo in query editor. #24797, @zoltanbedi
- Explore: fix word break in type head info. #25014, @zoltanbedi
- Graph: Legend decimals now work as expected. #24931, @torkelo
- LoginPage: Fix hover color for service buttons. #25009, @tskarhed
- LogsPanel: Fix scrollbar. #24850, @ivanahuckova
- MoveDashboard: Fix for moving dashboard caused all variables to be lost. #25005, @torkelo
- Organize transformer: Use display name in field order comparer. #24984, @dprokop
- Panel: shows correct panel menu items in view mode. #24912, @hugohaggmark
- PanelEditor Fix missing labels and description if there is only single option in category. #24905, @dprokop
- PanelEditor: Overrides name matcher still show all original field names even after Field default display name is specified. #24933, @torkelo
- PanelInspector: Makes sure Data display options are visible. #24902, @hugohaggmark
- PanelInspector: Hides unsupported data display options for Panel type. #24918, @hugohaggmark
- PanelMenu: Make menu disappear on button press. #25015, @tskarhed
- Postgres: Fix add button. #25087, @phemmer
- Prometheus: Fix recording rules expansion. #24977, @ivanahuckova
- Stackdriver: Fix creating Service Level Objectives (SLO) datasource query variable. #25023, @papagian
- Update to version 7.0.0
* Breaking changes
- Removed PhantomJS: PhantomJS was deprecated in Grafana v6.4 and starting from Grafana v7.0.0, all PhantomJS support has been removed. This means that Grafana no longer ships with a built-in image renderer, and we advise you to install the Grafana Image Renderer plugin.
- Dashboard: A global minimum dashboard refresh interval is now enforced and defaults to 5 seconds.
- Interval calculation: There is now a new option Max data points that controls the auto interval $__interval calculation. Interval was previously calculated by dividing the panel width by the time range. With the new max data points option it is now easy to set $__interval to a dynamic value that is time range agnostic. For example if you set Max data points to 10 Grafana will dynamically set $__interval by dividing the current time range by 10.
- Datasource/Loki: Support for deprecated Loki endpoints has been removed.
- Backend plugins: Grafana now requires backend plugins to be signed, otherwise Grafana will not load/start them. This is an additional security measure to make sure backend plugin binaries and files haven't been tampered with. Refer to Upgrade Grafana for more information.
- @grafana/ui: Forms migration notice, see @grafana/ui changelog
- @grafana/ui: Select API change for creating custom values, see @grafana/ui changelog
+ Deprecation warnings
- Scripted dashboards is now deprecated. The feature is not removed but will be in a future release. We hope to address the underlying requirement of dynamic dashboards in a different way. #24059
- The unofficial first version of backend plugins together with usage of grafana/grafana-plugin-model is now deprecated and support for that will be removed in a future release. Please refer to backend plugins documentation for information about the new officially supported backend plugins.
* Features / Enhancements
- Backend plugins: Log deprecation warning when using the unofficial first version of backend plugins. #24675, @marefr
- Editor: New line on Enter, run query on Shift+Enter. #24654, @davkal
- Loki: Allow multiple derived fields with the same name. #24437, @aocenas
- Orgs: Add future deprecation notice. #24502, @torkelo
* Bug Fixes
- @grafana/toolkit: Use process.cwd() instead of PWD to get directory. #24677, @zoltanbedi
- Admin: Makes long settings values line break in settings page. #24559, @hugohaggmark
- Dashboard: Allow editing provisioned dashboard JSON and add confirmation when JSON is copied to dashboard. #24680, @dprokop
- Dashboard: Fix for strange 'dashboard not found' errors when opening links in dashboard settings. #24416, @torkelo
- Dashboard: Fix so default data source is selected when data source can't be found in panel editor. #24526, @mckn
- Dashboard: Fixed issue changing a panel from transparent back to normal in panel editor. #24483, @torkelo
- Dashboard: Make header names reflect the field name when exporting to CSV file from the the panel inspector. #24624, @peterholmberg
- Dashboard: Make sure side pane is displayed with tabs by default in panel editor. #24636, @dprokop
- Data source: Fix query/annotation help content formatting. #24687, @AgnesToulet
- Data source: Fixes async mount errors. #24579, @Estrax
- Data source: Fixes saving a data source without failure when URL doesn't specify a protocol. #24497, @aknuds1
- Explore/Prometheus: Show results of instant queries only in table. #24508, @ivanahuckova
- Explore: Fix rendering of react query editors. #24593, @ivanahuckova
- Explore: Fixes loading more logs in logs context view. #24135, @Estrax
- Graphite: Fix schema and dedupe strategy in rollup indicators for Metrictank queries. #24685, @torkelo
- Graphite: Makes query annotations work again. #24556, @hugohaggmark
- Logs: Clicking 'Load more' from context overlay doesn't expand log row. #24299, @kaydelaney
- Logs: Fix total bytes process calculation. #24691, @davkal
- Org/user/team preferences: Fixes so UI Theme can be set back to Default. #24628, @AgnesToulet
- Plugins: Fix manifest validation. #24573, @aknuds1
- Provisioning: Use proxy as default access mode in provisioning. #24669, @bergquist
- Search: Fix select item when pressing enter and Grafana is served using a sub path. #24634, @tskarhed
- Search: Save folder expanded state. #24496, @Clarity-89
- Security: Tag value sanitization fix in OpenTSDB data source. #24539, @rotemreiss
- Table: Do not include angular options in options when switching from angular panel. #24684, @torkelo
- Table: Fixed persisting column resize for time series fields. #24505, @torkelo
- Table: Fixes Cannot read property subRows of null. #24578, @hugohaggmark
- Time picker: Fixed so you can enter a relative range in the time picker without being converted to absolute range. #24534, @mckn
- Transformations: Make transform dropdowns not cropped. #24615, @dprokop
- Transformations: Sort order should be preserved as entered by user when using the reduce transformation. #24494, @hugohaggmark
- Units: Adds scale symbol for currencies with suffixed symbol. #24678, @hugohaggmark
- Variables: Fixes filtering options with more than 1000 entries. #24614, @hugohaggmark
- Variables: Fixes so Textbox variables read value from url. #24623, @hugohaggmark
- Zipkin: Fix error when span contains remoteEndpoint. #24524, @aocenas
- SAML: Switch from email to login for user login attribute mapping (Enterprise)
- Update Makefile and spec file
* Remove phantomJS patch from Makefile
* Fix multiline strings in Makefile
* Exclude s390 from SLE12 builds, golang 1.14 is not built for s390
- Add instructions for patching the Grafana javascript frontend.
- BuildRequires golang(API) instead of go metapackage version range
* BuildRequires: golang(API) >= 1.14 from
BuildRequires: ( go >= 1.14 with go < 1.15 )
- Update to version 6.7.3
- This version fixes bsc#1170557 and its corresponding CVE-2020-12245
- Admin: Fix Synced via LDAP message for non-LDAP external users. #23477, @alexanderzobnin
- Alerting: Fixes notifications for alerts with empty message in Google Hangouts notifier. #23559, @hugohaggmark
- AuthProxy: Fixes bug where long username could not be cached.. #22926, @jcmcken
- Dashboard: Fix saving dashboard when editing raw dashboard JSON model. #23314, @peterholmberg
- Dashboard: Try to parse 8 and 15 digit numbers as timestamps if parsing of time range as date fails. #21694, @jessetan
- DashboardListPanel: Fixed problem with empty panel after going into edit mode (General folder filter being automatically added) . #23426, @torkelo
- Data source: Handle datasource withCredentials option properly. #23380, @hvtuananh
- Security: Fix annotation popup XSS vulnerability. #23813, @torkelo
- Server: Exit Grafana with status code 0 if no error. #23312, @aknuds1
- TablePanel: Fix XSS issue in header column rename (backport). #23814, @torkelo
- Variables: Fixes error when setting adhoc variable values. #23580, @hugohaggmark
- Update to version 6.7.2:
(see installed changelog for the full list of changes)
- BackendSrv: Adds config to response to fix issue for external plugins that used this property . #23032, @torkelo
- Dashboard: Fixed issue with saving new dashboard after changing title . #23104, @dprokop
- DataLinks: make sure we use the correct datapoint when dataset contains null value.. #22981, @mckn
- Plugins: Fixed issue for plugins that imported dateMath util . #23069, @mckn
- Security: Fix for dashboard snapshot original dashboard link could contain XSS vulnerability in url. #23254, @torkelo
- Variables: Fixes issue with too many queries being issued for nested template variables after value change. #23220, @torkelo
- Plugins: Expose promiseToDigest. #23249, @torkelo
- Reporting (Enterprise): Fixes issue updating a report created by someone else
- Update to 6.7.1:
(see installed changelog for the full list of changes)
Bug Fixes
- Azure: Fixed dropdowns not showing current value. #22914, @torkelo
- BackendSrv: only add content-type on POST, PUT requests. #22910, @hugohaggmark
- Panels: Fixed size issue with panel internal size when exiting panel edit mode. #22912, @torkelo
- Reporting: fixes migrations compatibility with mysql (Enterprise)
- Reporting: Reduce default concurrency limit to 4 (Enterprise)
- Update to 6.7.0:
(see installed changelog for the full list of changes)
Bug Fixes
- AngularPanels: Fixed inner height calculation for angular panels . #22796, @torkelo
- BackendSrv: makes sure provided headers are correctly recognized and set. #22778, @hugohaggmark
- Forms: Fix input suffix position (caret-down in Select) . #22780, @torkelo
- Graphite: Fixed issue with query editor and next select metric now showing after selecting metric node . #22856, @torkelo
- Rich History: UX adjustments and fixes. #22729, @ivanahuckova
- Update to 6.7.0-beta1:
Breaking changes
- Slack: Removed Mention setting and instead introduce Mention Users, Mention Groups, and Mention Channel. The first two settings require user and group IDs, respectively. This change was necessary because the way of mentioning via the Slack API changed and mentions in Slack notifications no longer worked.
- Alerting: Reverts the behavior of diff and percent_diff to not always be absolute. Something we introduced by mistake in 6.1.0. Alerting now support diff(), diff_abs(), percent_diff() and percent_diff_abs(). #21338
- Notice about changes in backendSrv for plugin authors
In our mission to migrate away from AngularJS to React we have removed all AngularJS dependencies in the core data retrieval service backendSrv.
Removing the AngularJS dependencies in backendSrv has the unfortunate side effect of AngularJS digest no longer being triggered for any request made with backendSrv. Because of this, external plugins using backendSrv directly may suffer from strange behaviour in the UI.
To remedy this issue, as a plugin author you need to trigger the digest after a direct call to backendSrv.
Bug Fixes
API: Fix redirect issues. #22285, @papagian
Alerting: Don't include image_url field with Slack message if empty. #22372, @aknuds1
Alerting: Fixed bad background color for default notifications in alert tab . #22660, @krvajal
Annotations: In table panel when setting transform to annotation, they will now show up right away without a manual refresh. #22323, @krvajal
Azure Monitor: Fix app insights source to allow for new __timeFrom and __timeTo. #21879, @ChadNedzlek
BackendSrv: Fixes POST body for form data. gmark
CloudWatch: Credentials cache invalidation fix. #22473, @sunker
CloudWatch: Expand alias variables when query yields no result. #22695, @sunker
Dashboard: Fix bug with NaN in alerting. #22053, @a-melnyk
Explore: Fix display of multiline logs in log panel and explore. #22057, @thomasdraebing
Heatmap: Legend color range is incorrect when using custom min/max. #21748, @sv5d
Security: Fixed XSS issue in dashboard history diff . #22680, @torkelo
StatPanel: Fixes base color is being used for null values .
#22646, @torkelo
- Update to version 6.6.2:
(see installed changelog for the full list of changes)
- Update to version 6.6.1:
(see installed changelog for the full list of changes)
- Update to version 6.6.0:
(see installed changelog for the full list of changes)
- Update to version 6.5.3:
(see installed changelog for the full list of changes)
- Update to version 6.5.2:
(see installed changelog for the full list of changes)
- Update to version 6.5.1:
(see installed changelog for the full list of changes)
- Update to version 6.5.0
(see installed changelog for the full list of changes)
- Update to version 6.4.5:
* Create version 6.4.5
* CloudWatch: Fix high CPU load (#20579)
- Add obs-service-go_modules to download required modules into vendor.tar.gz
- Adjusted spec file to use vendor.tar.gz
- Adjusted Makefile to work with new filenames
- BuildRequire go1.14
- Update to version 6.4.4:
* DataLinks: Fix blur issues. #19883, @aocenas
* Docker: Makes it possible to parse timezones in the docker image. #20081, @xlson
* LDAP: All LDAP servers should be tried even if one of them returns a connection error. #20077, @jongyllen
* LDAP: No longer shows incorrectly matching groups based on role in debug page. #20018, @xlson
* Singlestat: Fix no data / null value mapping . #19951, @ryantxu
- Revert the spec file and make script
- Remove PhantomJS dependency
- Update to 6.4.3
* Bug Fixes
- Alerting: All notification channels should send even if one fails to send. #19807, @jan25
- AzureMonitor: Fix slate interference with dropdowns. #19799, @aocenas
- ContextMenu: make ContextMenu positioning aware of the viewport width. #19699, @krvajal
- DataLinks: Fix context menu not showing in singlestat-ish visualisations. #19809, @dprokop
- DataLinks: Fix url field not releasing focus. #19804, @aocenas
- Datasource: Fixes clicking outside of some query editors required 2 clicks. #19822, @aocenas
- Panels: Fixes default tab for visualizations without Queries Tab. #19803, @hugohaggmark
- Singlestat: Fixed issue with mapping null to text. #19689, @torkelo
- @grafana/toolkit: Don't fail plugin creation when git user.name config is not set. #19821, @dprokop
- @grafana/toolkit: TSLint line number off by 1. #19782, @fredwangwang
- Update to 6.4.2
* Bug Fixes
- CloudWatch: Changes incorrect dimension wmlid to wlmid . #19679, @ATTron
- Grafana Image Renderer: Fixes plugin page. #19664, @hugohaggmark
- Graph: Fixes auto decimals logic for y axis ticks that results in too many decimals for high values. #19618, @torkelo
- Graph: Switching to series mode should re-render graph. #19623, @torkelo
- Loki: Fix autocomplete on label values. #19579, @aocenas
- Loki: Removes live option for logs panel. #19533, @davkal
- Profile: Fix issue with user profile not showing more than sessions sessions in some cases. #19578, @huynhsamha
- Prometheus: Fixes so results in Panel always are sorted by query order. #19597, @hugohaggmark
- sted keys in YAML provisioning caused a server crash, #19547
- ImageRendering: Fixed issue with image rendering in enterprise build (Enterprise)
- Reporting: Fixed issue with reporting service when STMP was disabled (Enterprise).
- Changes from 6.4.0
* Features / Enhancements
- Build: Upgrade go to 1.12.10. #19499, @marefr
- DataLinks: Suggestions menu improvements. #19396, @dprokop
- Explore: Take root_url setting into account when redirecting from dashboard to explore. #19447, @ivanahuckova
- Explore: Update broken link to logql docs. #19510, @ivanahuckova
- Logs: Adds Logs Panel as a visualization. #19504, @davkal
* Bug Fixes
- CLI: Fix version selection for plugin install. #19498, @aocenas
- Graph: Fixes minor issue with series override color picker and custom color . #19516, @torkelo
- Changes from 6.4.0 Beta 2
* Features / Enhancements
- Azure Monitor: Remove support for cross resource queries (#19115)'. #19346, @sunker
- Docker: Upgrade packages to resolve reported vulnerabilities. #19188, @marefr
- Graphite: Time range expansion reduced from 1 minute to 1 second. #19246, @torkelo
- grafana/toolkit: Add plugin creation task. #19207, @dprokop
* Bug Fixes
- Alerting: Prevents creating alerts from unsupported queries. #19250, @hugohaggmark
- Alerting: Truncate PagerDuty summary when greater than 1024 characters. #18730, @nvllsvm
- Cloudwatch: Fix autocomplete for Gamelift dimensions. #19146, @kevinpz
- Dashboard: Fix export for sharing when panels use default data source. #19315, @torkelo
- Database: Rewrite system statistics query to perform better. #19178, @papagian
- Gauge/BarGauge: Fix issue with [object Object] in titles . #19217, @ryantxu
- MSSQL: Revert usage of new connectionstring format introduced by #18384. #19203, @marefr
- Multi-LDAP: Do not fail-fast on invalid credentials. #19261, @gotjosh
- MySQL, Postgres, MSSQL: Fix validating query with template variables in alert . #19237, @marefr
- MySQL, Postgres: Update raw sql when query builder updates. #19209, @marefr
- MySQL: Limit datasource error details returned from the backend. #19373, @marefr
- Changes from 6.4.0 Beta 1
* Features / Enhancements
- API: Readonly datasources should not be created via the API. #19006, @papagian
- Alerting: Include configured AlertRuleTags in Webhooks notifier. #18233, @dominic-miglar
- Annotations: Add annotations support to Loki. #18949, @aocenas
- Annotations: Use a single row to represent a region. #17673, @ryantxu
- Auth: Allow inviting existing users when login form is disabled. #19048, @548017
- Azure Monitor: Add support for cross resource queries. #19115, @sunker
- CLI: Allow installing custom binary plugins. #17551, @aocenas
- Dashboard: Adds Logs Panel (alpha) as visualization option for Dashboards. #18641, @hugohaggmark
- Dashboard: Reuse query results between panels . #16660, @ryantxu
- Dashboard: Set time to to 23:59:59 when setting To time using calendar. #18595, @simPod
- DataLinks: Add DataLinks support to Gauge, BarGauge and SingleStat2 panel. #18605, @ryantxu
- DataLinks: Enable access to labels & field names. #18918, @torkelo
- DataLinks: Enable multiple data links per panel. #18434, @dprokop
- Docker: switch docker image to alpine base with phantomjs support. #18468, @DanCech
- Elasticsearch: allow templating queries to order by doc_count. #18870, @hackery
- Explore: Add throttling when doing live queries. #19085, @aocenas
- Explore: Adds ability to go back to dashboard, optionally with query changes. #17982, @kaydelaney
- Explore: Reduce default time range to last hour. #18212, @davkal
- Gauge/BarGauge: Support decimals for min/max. #18368, @ryantxu
- Graph: New series override transform constant that renders a single point as a line across the whole graph. #19102, @davkal
- Image rendering: Add deprecation warning when PhantomJS is used for rendering images. #18933, @papagian
- InfluxDB: Enable interpolation within ad-hoc filter values. #18077, @kvc-code
- LDAP: Allow an user to be synchronized against LDAP. #18976, @gotjosh
- Ldap: Add ldap debug page. #18759, @peterholmberg
- Loki: Remove prefetching of default label values. #18213, @davkal
- Metrics: Add failed alert notifications metric. #18089, @koorgoo
- OAuth: Support JMES path lookup when retrieving user email. #14683, @bobmshannon
- OAuth: return GitLab groups as a part of user info (enable team sync). #18388, @alexanderzobnin
- Panels: Add unit for electrical charge - ampere-hour. #18950, @anirudh-ramesh
- Plugin: AzureMonitor - Reapply MetricNamespace support. #17282, @raphaelquati
- Plugins: better warning when plugins fail to load. #18671, @ryantxu
- Postgres: Add support for scram sha 256 authentication. #18397, @nonamef
- RemoteCache: Support SSL with Redis. #18511, @kylebrandt
- SingleStat: The gauge option in now disabled/hidden (unless it's an old panel with it already enabled) . #18610, @ryantxu
- Stackdriver: Add extra alignment period options. #18909, @sunker
- Units: Add South African Rand (ZAR) to currencies. #18893, @jeteon
- Units: Adding T,P,E,Z,and Y bytes. #18706, @chiqomar
* Bug Fixes
- Alerting: Notification is sent when state changes from no_data to ok. #18920, @papagian
- Alerting: fix duplicate alert states when the alert fails to save to the database. #18216, @kylebrandt
- Alerting: fix response popover prompt when add notification channels. #18967, @lzdw
- CloudWatch: Fix alerting for queries with Id (using GetMetricData). #17899, @alex-berger
- Explore: Fix auto completion on label values for Loki. #18988, @aocenas
- Explore: Fixes crash using back button with a zoomed in graph. #19122, @hugohaggmark
- Explore: Fixes so queries in Explore are only run if Graph/Table is shown. #19000, @hugohaggmark
- MSSQL: Change connectionstring to URL format to fix using passwords with semicolon. #18384, @Russiancold
- MSSQL: Fix memory leak when debug enabled. #19049, @briangann
- Provisioning: Allow escaping literal '$' with '$$' in configs to avoid interpolation. #18045, @kylebrandt
- TimePicker: Fixes hiding time picker dropdown in FireFox. #19154, @hugohaggmark
* Breaking changes
+ Annotations
There are some breaking changes in the annotations HTTP API for region annotations. Region annotations are now represented
using a single event instead of two seperate events. Check breaking changes in HTTP API below and HTTP API documentation for more details.
+ Docker
Grafana is now using Alpine 3.10 as docker base image.
+ HTTP API
- GET /api/alert-notifications now requires at least editor access.
New /api/alert-notifications/lookup returns less information than /api/alert-notifications and can be access by any authenticated user.
- GET /api/alert-notifiers now requires at least editor access
- GET /api/org/users now requires org admin role.
New /api/org/users/lookup returns less information than /api/org/users and can be access by users that are org admins,
admin in any folder or admin of any team.
- GET /api/annotations no longer returns regionId property.
- POST /api/annotations no longer supports isRegion property.
- PUT /api/annotations/:id no longer supports isRegion property.
- PATCH /api/annotations/:id no longer supports isRegion property.
- DELETE /api/annotations/region/:id has been removed.
* Deprecation notes
+ PhantomJS
- PhantomJS, which is used for rendering images of dashboards and panels,
is deprecated and will be removed in a future Grafana release.
A deprecation warning will from now on be logged when Grafana starts up if PhantomJS is in use.
Please consider migrating from PhantomJS to the Grafana Image Renderer plugin.
- Changes from 6.3.6
* Features / Enhancements
- Metrics: Adds setting for turning off total stats metrics. #19142, @marefr
* Bug Fixes
- Database: Rewrite system statistics query to perform better. #19178, @papagian
- Explore: Fixes error when switching from prometheus to loki data sources. #18599, @kaydelaney
- Rebase package spec. Use mostly from fedora, fix suse specified things and fix some errors.
- Add missing directories provisioning/datasources and provisioning/notifiers
and sample.yaml as described in packaging/rpm/control from upstream.
Missing directories are shown in logfiles.
- Version 6.3.5
* Upgrades
+ Build: Upgrade to go 1.12.9.
* Bug Fixes
+ Dashboard: Fixes dashboards init failed loading error for dashboards with panel links that had missing properties.
+ Editor: Fixes issue where only entire lines were being copied.
+ Explore: Fixes query field layout in splitted view for Safari browsers.
+ LDAP: multildap + ldap integration.
+ Profile/UserAdmin: Fix for user agent parser crashes grafana-server on 32-bit builds.
+ Prometheus: Prevents panel editor crash when switching to Prometheus datasource.
+ Prometheus: Changes brace-insertion behavior to be less annoying.
- Version 6.3.4
* Security: CVE-2019-15043 - Parts of the HTTP API allow unauthenticated use.
- Version 6.3.3
* Bug Fixes
+ Annotations: Fix failing annotation query when time series query is cancelled. #18532 1, @dprokop 1
+ Auth: Do not set SameSite cookie attribute if cookie_samesite is none. #18462 1, @papagian 3
+ DataLinks: Apply scoped variables to data links correctly. #18454 1, @dprokop 1
+ DataLinks: Respect timezone when displaying datapoint’s timestamp in graph context menu. #18461 2, @dprokop 1
+ DataLinks: Use datapoint timestamp correctly when interpolating variables. #18459 1, @dprokop 1
+ Explore: Fix loading error for empty queries. #18488 1, @davkal
+ Graph: Fixes legend issue clicking on series line icon and issue with horizontal scrollbar being visible on windows. #18563 1, @torkelo 2
+ Graphite: Avoid glob of single-value array variables . #18420, @gotjosh
+ Prometheus: Fix queries with label_replace remove the $1 match when loading query editor. #18480 5, @hugohaggmark 3
+ Prometheus: More consistently allows for multi-line queries in editor. #18362 2, @kaydelaney 2
+ TimeSeries: Assume values are all numbers. #18540 4, @ryantxu
- Version 6.3.2
* Bug Fixes
+ Gauge/BarGauge: Fixes issue with losts thresholds and issue loading Gauge with avg stat. #18375 12
- Version 6.3.1
* Bug Fixes
+ PanelLinks: Fix crash issue Gauge & Bar Gauge for panels with panel links (drill down links). #18430 2
- Version 6.3.0
* Features / Enhancements
+ OAuth: Do not set SameSite OAuth cookie if cookie_samesite is None. #18392 4, @papagian 3
+ Auth Proxy: Include additional headers as part of the cache key. #18298 6, @gotjosh
+ Build grafana images consistently. #18224 12, @hassanfarid
+ Docs: SAML. #18069 11, @gotjosh
+ Permissions: Show plugins in nav for non admin users but hide plugin configuration. #18234 1, @aocenas
+ TimePicker: Increase max height of quick range dropdown. #18247 2, @torkelo 2
+ Alerting: Add tags to alert rules. #10989 13, @Thib17 1
+ Alerting: Attempt to send email notifications to all given email addresses. #16881 1, @zhulongcheng
+ Alerting: Improve alert rule testing. #16286 2, @marefr
+ Alerting: Support for configuring content field for Discord alert notifier. #17017 2, @jan25
+ Alertmanager: Replace illegal chars with underscore in label names. #17002 5, @bergquist 1
+ Auth: Allow expiration of API keys. #17678, @papagian 3
+ Auth: Return device, os and browser when listing user auth tokens in HTTP API. #17504, @shavonn 1
+ Auth: Support list and revoke of user auth tokens in UI. #17434 2, @shavonn 1
+ AzureMonitor: change clashing built-in Grafana variables/macro names for Azure Logs. #17140, @shavonn 1
+ CloudWatch: Made region visible for AWS Cloudwatch Expressions. #17243 2, @utkarshcmu
+ Cloudwatch: Add AWS DocDB metrics. #17241, @utkarshcmu
+ Dashboard: Use timezone dashboard setting when exporting to CSV. #18002 1, @dehrax
+ Data links. #17267 11, @torkelo 2
+ Docker: Switch base image to ubuntu:latest from debian:stretch to avoid security issues… #17066 5, @bergquist 1
+ Elasticsearch: Support for visualizing logs in Explore . #17605 7, @marefr
+ Explore: Adds Live option for supported datasources. #17062 1, @hugohaggmark 3
+ Explore: Adds orgId to URL for sharing purposes. #17895 1, @kaydelaney 2
+ Explore: Adds support for new loki ‘start’ and ‘end’ params for labels endpoint. #17512, @kaydelaney 2
+ Explore: Adds support for toggling raw query mode in explore. #17870, @kaydelaney 2
+ Explore: Allow switching between metrics and logs . #16959 2, @marefr
+ Explore: Combines the timestamp and local time columns into one. #17775, @hugohaggmark 3
+ Explore: Display log lines context . #17097, @dprokop 1
+ Explore: Don’t parse log levels if provided by field or label. #17180 1, @marefr
+ Explore: Improves performance of Logs element by limiting re-rendering. #17685, @kaydelaney 2
+ Explore: Support for new LogQL filtering syntax. #16674 4, @davkal
+ Explore: Use new TimePicker from Grafana/UI. #17793, @hugohaggmark 3
+ Explore: handle newlines in LogRow Highlighter. #17425, @rrfeng 1
+ Graph: Added new fill gradient option. #17528 3, @torkelo 2
+ GraphPanel: Don’t sort series when legend table & sort column is not visible . #17095, @shavonn 1
+ InfluxDB: Support for visualizing logs in Explore. #17450 9, @hugohaggmark 3
+ Logging: Login and Logout actions (#17760). #17883 1, @ATTron
+ Logging: Move log package to pkg/infra. #17023, @zhulongcheng
+ Metrics: Expose stats about roles as metrics. #17469 2, @bergquist 1
+ MySQL/Postgres/MSSQL: Add parsing for day, weeks and year intervals in macros. #13086 6, @bernardd
+ MySQL: Add support for periodically reloading client certs. #14892, @tpetr
+ Plugins: replace dataFormats list with skipDataQuery flag in plugin.json. #16984, @ryantxu
+ Prometheus: Take timezone into account for step alignment. #17477, @fxmiii
+ Prometheus: Use overridden panel range for $__range instead of dashboard range. #17352, @patrick246
+ Prometheus: added time range filter to series labels query. #16851 3, @FUSAKLA
+ Provisioning: Support folder that doesn’t exist yet in dashboard provisioning. #17407 1, @Nexucis
+ Refresh picker: Handle empty intervals. #17585 1, @dehrax
+ Singlestat: Add y min/max config to singlestat sparklines. #17527 4, @pitr
+ Snapshot: use given key and deleteKey. #16876, @zhulongcheng
+ Templating: Correctly display __text in multi-value variable after page reload. #17840 1, @EduardSergeev
+ Templating: Support selecting all filtered values of a multi-value variable. #16873 2, @r66ad
+ Tracing: allow propagation with Zipkin headers. #17009 4, @jrockway
+ Users: Disable users removed from LDAP. #16820 2, @alexanderzobnin
* Bug Fixes
+ PanelLinks: Fix render issue when there is no panel description. #18408 3, @dehrax
+ OAuth: Fix “missing saved state” OAuth login failure due to SameSite cookie policy. #18332 1, @papagian 3
+ cli: fix for recognizing when in dev mode… #18334, @xlson
+ DataLinks: Fixes incorrect interpolation of ${__series_name} . #18251 1, @torkelo 2
+ Loki: Display live tailed logs in correct order in Explore. #18031 3, @kaydelaney 2
+ PhantomJS: Fixes rendering on Debian Buster. #18162 2, @xlson
+ TimePicker: Fixed style issue for custom range popover. #18244, @torkelo 2
+ Timerange: Fixes a bug where custom time ranges didn’t respect UTC. #18248 1, @kaydelaney 2
+ remote_cache: Fix redis connstr parsing. #18204 1, @mblaschke
+ AddPanel: Fix issue when removing moved add panel widget . #17659 2, @dehrax
+ CLI: Fix encrypt-datasource-passwords fails with sql error. #18014, @marefr
+ Elasticsearch: Fix default max concurrent shard requests. #17770 4, @marefr
+ Explore: Fix browsing back to dashboard panel. #17061, @jschill
+ Explore: Fix filter by series level in logs graph. #17798, @marefr
+ Explore: Fix issues when loading and both graph/table are collapsed. #17113, @marefr
+ Explore: Fix selection/copy of log lines. #17121, @marefr
+ Fix: Wrap value of multi variable in array when coming from URL. #16992 1, @aocenas
+ Frontend: Fix for Json tree component not working. #17608, @srid12
+ Graphite: Fix for issue with alias function being moved last. #17791, @torkelo 2
+ Graphite: Fixes issue with seriesByTag & function with variable param. #17795, @torkelo 2
+ Graphite: use POST for /metrics/find requests. #17814 2, @papagian 3
+ HTTP Server: Serve Grafana with a custom URL path prefix. #17048 6, @jan25
+ InfluxDB: Fixes single quotes are not escaped in label value filters. #17398 1, @Panzki
+ Prometheus: Correctly escape ‘|’ literals in interpolated PromQL variables. #16932, @Limess
+ Prometheus: Fix when adding label for metrics which contains colons in Explore. #16760, @tolwi
+ SinglestatPanel: Remove background color when value turns null. #17552 1, @druggieri
- Make phantomjs dependency configurable
- Create plugin directory and clean up (create in %install,
add to %files) handling of /var/lib/grafana/* and
mgr-cfg:
- Remove commented code in test files
- Replace spacewalk-usix with uyuni-common-libs
- Bump version to 4.1.0 (bsc#1154940)
- Add mgr manpage links
mgr-custom-info:
- Bump version to 4.1.0 (bsc#1154940)
mgr-daemon:
- Bump version to 4.1.0 (bsc#1154940)
- Fix systemd timer configuration on SLE12 (bsc#1142038)
mgr-osad:
- Separate osa-dispatcher and jabberd so it can be disabled independently
- Replace spacewalk-usix with uyuni-common-libs
- Bump version to 4.1.0 (bsc#1154940)
- Move /usr/share/rhn/config-defaults to uyuni-base-common
- Require uyuni-base-common for /etc/rhn (for osa-dispatcher)
- Ensure bytes type when using hashlib to avoid traceback (bsc#1138822)
mgr-push:
- Replace spacewalk-usix and spacewalk-backend-libs with uyuni-common-libs
- Bump version to 4.1.0 (bsc#1154940)
mgr-virtualization:
- Replace spacewalk-usix with uyuni-common-libs
- Bump version to 4.1.0 (bsc#1154940)
- Fix mgr-virtualization timer
rhnlib:
- Fix building
- Fix malformed XML response when data contains non-ASCII chars (bsc#1154968)
- Bump version to 4.1.0 (bsc#1154940)
- Fix bootstrapping SLE11SP4 trad client with SSL enabled (bsc#1148177)
spacecmd:
- Only report real error, not result (bsc#1171687)
- Use defined return values for spacecmd methods so scripts can
check for failure (bsc#1171687)
- Disable globbing for api subcommand to allow wildcards in filter
settings (bsc#1163871)
- Bugfix: attempt to purge SSM when it is empty (bsc#1155372)
- Bump version to 4.1.0 (bsc#1154940)
- Prevent error when piping stdout in Python 2 (bsc#1153090)
- Java api expects content as encoded string instead of encoded bytes like before (bsc#1153277)
- Enable building and installing for Ubuntu 16.04 and Ubuntu 18.04
- Add unit test for schedule, errata, user, utils, misc, configchannel
and kickstart modules
- Multiple minor bugfixes alongside the unit tests
- Bugfix: referenced variable before assignment.
- Add unit test for report, package, org, repo and group
spacewalk-client-tools:
- Add workaround for uptime overflow to spacewalk-update-status as well (bsc#1165921)
- Spell correctly 'successful' and 'successfully'
- Skip dmidecode data on aarch64 to prevent coredump (bsc#1113160)
- Replace spacewalk-usix with uyuni-common-libs
- Return a non-zero exit status on errors in rhn_check
- Bump version to 4.1.0 (bsc#1154940)
- Make a explicit requirement to systemd for spacewalk-client-tools
when rhnsd timer is installed
spacewalk-koan:
- Bump version to 4.1.0 (bsc#1154940)
- Require commands we use in merge-rd.sh
spacewalk-oscap:
- Bump version to 4.1.0 (bsc#1154940)
spacewalk-remote-utils:
- Update spacewalk-create-channel with RHEL 7.7 channel definitions
- Bump version to 4.1.0 (bsc#1154940)
supportutils-plugin-susemanager-client:
- Bump version to 4.1.0 (bsc#1154940)
suseRegisterInfo:
- SuseRegisterInfo only needs perl-base, not full perl (bsc#1168310)
- Bump version to 4.1.0 (bsc#1154940)
zypp-plugin-spacewalk:
- Prevent issue with non-ASCII characters in Python 2 systems (bsc#1172462)
ModerateSUSE bug 1113160SUSE bug 1134195SUSE bug 1138822SUSE bug 1141661SUSE bug 1142038SUSE bug 1143913SUSE bug 1148177SUSE bug 1153090SUSE bug 1153277SUSE bug 1154940SUSE bug 1154968SUSE bug 1155372SUSE bug 1163871SUSE bug 1165921SUSE bug 1168310SUSE bug 1170231SUSE bug 1170557SUSE bug 1171687SUSE bug 1172462CVE-2019-10215 at SUSECVE-2019-10215 at NVDCVE-2019-15043 at SUSECVE-2019-15043 at NVDCVE-2020-12245 at SUSECVE-2020-12245 at NVDCVE-2020-13379 at SUSECVE-2020-13379 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for xrdp (Important)SUSE OpenStack Cloud 8
This update for xrdp fixes the following issues:
- Security fixes (bsc#1173580, CVE-2020-4044):
+ Add patches:
* xrdp-cve-2020-4044-fix-0.patch
* xrdp-cve-2020-4044-fix-1.patch
+ Rebase SLE patch:
* xrdp-fate318398-change-expired-password.patch
- Update patch:
+ xrdp-Allow-sessions-with-32-bpp.patch.patch
ImportantSUSE bug 1173580CVE-2020-4044 at SUSECVE-2020-4044 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for mailman (Important)SUSE OpenStack Cloud 8
This update for mailman fixes the following issues:
- CVE-2020-15011: Fixed a possible Arbitrary Content Injection via the private archive login page (bsc#1173369).
ImportantSUSE bug 1173369CVE-2020-15011 at SUSECVE-2020-15011 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for samba (Moderate)SUSE OpenStack Cloud 8
This update for samba fixes the following issues:
- CVE-2020-10745: Fixed an issue which parsing and packing of NBT and DNS packets containing dots could potentially have consumed excessive CPU (bsc#1173160).
ModerateSUSE bug 1173160CVE-2020-10745 at SUSECVE-2020-10745 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud 8
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.28.3 (bsc#1173998):
+ Enable kinetic scrolling with async scrolling.
+ Fix web process hangs on large GitHub pages.
+ Bubblewrap sandbox should not attempt to bind empty paths.
+ Fix threading issues in the media player.
+ Fix several crashes and rendering issues.
+ Security fixes: CVE-2020-9802, CVE-2020-9803, CVE-2020-9805,
CVE-2020-9806, CVE-2020-9807, CVE-2020-9843, CVE-2020-9850,
CVE-2020-13753.
ImportantSUSE bug 1173998CVE-2020-13753 at SUSECVE-2020-13753 at NVDCVE-2020-9802 at SUSECVE-2020-9802 at NVDCVE-2020-9803 at SUSECVE-2020-9803 at NVDCVE-2020-9805 at SUSECVE-2020-9805 at NVDCVE-2020-9806 at SUSECVE-2020-9806 at NVDCVE-2020-9807 at SUSECVE-2020-9807 at NVDCVE-2020-9843 at SUSECVE-2020-9843 at NVDCVE-2020-9850 at SUSECVE-2020-9850 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for grub2 (Important)SUSE OpenStack Cloud 8
This update for grub2 fixes the following issues:
- Fix for CVE-2020-10713 (bsc#1168994)
- Fix for CVE-2020-14308 CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
(bsc#1173812)
- Fix for CVE-2020-15706 (bsc#1174463)
- Fix for CVE-2020-15707 (bsc#1174570)
- Use overflow checking primitives where the arithmetic expression for buffer
allocations may include unvalidated data
- Use grub_calloc for overflow check and return NULL when it would occur
- Use gcc-9 compiler for overflow check builtins
- Backport gcc-9 build fixes
- Fix packed-not-aligned error on GCC 8 (bsc#1084632)
ImportantSUSE bug 1084632SUSE bug 1168994SUSE bug 1173812SUSE bug 1174463SUSE bug 1174570CVE-2020-10713 at SUSECVE-2020-10713 at NVDCVE-2020-14308 at SUSECVE-2020-14308 at NVDCVE-2020-14309 at SUSECVE-2020-14309 at NVDCVE-2020-14310 at SUSECVE-2020-14310 at NVDCVE-2020-14311 at SUSECVE-2020-14311 at NVDCVE-2020-15706 at SUSECVE-2020-15706 at NVDCVE-2020-15707 at SUSECVE-2020-15707 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ghostscript (Important)SUSE OpenStack Cloud 8
This update for ghostscript fixes the following issues:
- fixed CVE-2020-15900 Memory Corruption (SAFER Sandbox Breakout)
cf. https://bugs.ghostscript.com/show_bug.cgi?id=702582
(bsc#1174415)
ImportantSUSE bug 1174415CVE-2020-15900 at SUSECVE-2020-15900 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Moderate)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.1.0 ESR
* Fixed: Various stability, functionality, and security fixes (bsc#1174538)
* CVE-2020-15652: Potential leak of redirect targets when loading scripts in a worker
* CVE-2020-6514: WebRTC data channel leaks internal address to peer
* CVE-2020-15655: Extension APIs could be used to bypass Same-Origin Policy
* CVE-2020-15653: Bypassing iframe sandbox when allowing popups
* CVE-2020-6463: Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
* CVE-2020-15656: Type confusion for special arguments in IonMonkey
* CVE-2020-15658: Overriding file type when saving to disk
* CVE-2020-15657: DLL hijacking due to incorrect loading path
* CVE-2020-15654: Custom cursor can overlay user interface
* CVE-2020-15659: Memory safety bugs fixed in Firefox 79 and Firefox ESR 78.1
ModerateSUSE bug 1173948SUSE bug 1174538CVE-2020-15652 at SUSECVE-2020-15652 at NVDCVE-2020-15653 at SUSECVE-2020-15653 at NVDCVE-2020-15654 at SUSECVE-2020-15654 at NVDCVE-2020-15655 at SUSECVE-2020-15655 at NVDCVE-2020-15656 at SUSECVE-2020-15656 at NVDCVE-2020-15657 at SUSECVE-2020-15657 at NVDCVE-2020-15658 at SUSECVE-2020-15658 at NVDCVE-2020-15659 at SUSECVE-2020-15659 at NVDCVE-2020-6463 at SUSECVE-2020-6463 at NVDCVE-2020-6514 at SUSECVE-2020-6514 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libX11 (Important)SUSE OpenStack Cloud 8
This update for libX11 fixes the following issues:
- Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628)
ImportantSUSE bug 1174628CVE-2020-14344 at SUSECVE-2020-14344 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud 8
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-10135: Legacy pairing and secure-connections pairing authentication in Bluetooth may have allowed an unauthenticated user to complete authentication without pairing credentials via adjacent access. An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or slave to pair with a previously paired remote device to successfully complete the authentication procedure without knowing the link key (bnc#1171988).
- CVE-2020-10711: A NULL pointer dereference flaw was found in the SELinux subsystem. This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into the SELinux extensible bitmap via the' ebitmap_netlbl_import' routine. This flaw allowed a remote network user to crash the system kernel, resulting in a denial of service (bnc#1171191).
- CVE-2020-10751: A flaw was found in the SELinux LSM hook implementation, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing (bnc#1171189).
- CVE-2019-20812: An issue was discovered in the prb_calc_retire_blk_tmo() function in net/packet/af_packet.c can result in a denial of service (CPU consumption and soft lockup) in a certain failure case involving TPACKET_V3, aka CID-b43d1f9f7067 (bnc#1172453).
- CVE-2020-10732: A flaw was found in the implementation of userspace core dumps. This flaw allowed an attacker with a local account to crash a trivial program and exfiltrate private kernel data (bnc#1171220).
- CVE-2020-0305: In cdev_get of char_dev.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1174462).
- CVE-2020-12771: btree_gc_coalesce in drivers/md/bcache/btree.c had a deadlock if a coalescing operation fails (bnc#1171732).
- CVE-2020-10773: A kernel stack information leak on s390/s390x was fixed (bnc#1172999).
- CVE-2020-14416: A race condition in tty->disc_data handling in the slip and slcan line discipline could lead to a use-after-free, aka CID-0ace17d56824. This affects drivers/net/slip/slip.c and drivers/net/can/slcan.c (bnc#1162002).
- CVE-2020-13974: drivers/tty/vt/keyboard.c had an integer overflow if k_ascii is called several times in a row, aka CID-b86dab054059. (bnc#1172775).
- CVE-2019-20810: go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux kernel did not call snd_card_free for a failure path, which causes a memory leak, aka CID-9453264ef586 (bnc#1172458).
The following non-security bugs were fixed:
- Drivers: hv: Change flag to write log level in panic msg to false (bsc#1170618).
- ibmvnic: Do not process device remove during device reset (bsc#1065729).
- ibmvnic: Do not process reset during or after device removal (bsc#1149652 ltc#179635).
- ibmvnic: Flush existing work items before device removal (bsc#1065729).
- ibmvnic: Harden device login requests (bsc#1170011 ltc#183538).
- ibmvnic: Skip fatal error reset after passive init (bsc#1171078 ltc#184239).
- ibmvnic: Unmap DMA address of TX descriptor buffers after use (bsc#1146351 ltc#180726).
- ibmvnic: continue to init in CRQ reset returns H_CLOSED (bsc#1173280 ltc#185369).
- intel_idle: Graceful probe failure when MWAIT is disabled (bsc#1174115).
- mm, vmstat: reduce zone->lock holding time by /proc/pagetypeinfo (bsc#1164910).
- net/ibmvnic: Fix missing { in __ibmvnic_reset (bsc#1149652 ltc#179635).
- net/ibmvnic: free reset work of removed device from queue (bsc#1149652 ltc#179635).
- net/ibmvnic: prevent more than one thread from running in reset (bsc#1152457 ltc#174432).
- net/ibmvnic: unlock rtnl_lock in reset so linkwatch_event can run (bsc#1152457 ltc#174432).
- udp: drop corrupt packets earlier to avoid data corruption (bsc#1173658).
ImportantSUSE bug 1065729SUSE bug 1146351SUSE bug 1149652SUSE bug 1152457SUSE bug 1162002SUSE bug 1164910SUSE bug 1170011SUSE bug 1170618SUSE bug 1171078SUSE bug 1171189SUSE bug 1171191SUSE bug 1171220SUSE bug 1171732SUSE bug 1171988SUSE bug 1172453SUSE bug 1172458SUSE bug 1172775SUSE bug 1172999SUSE bug 1173280SUSE bug 1173658SUSE bug 1174115SUSE bug 1174462SUSE bug 1174543CVE-2019-20810 at SUSECVE-2019-20810 at NVDCVE-2019-20812 at SUSECVE-2019-20812 at NVDCVE-2020-0305 at SUSECVE-2020-0305 at NVDCVE-2020-10135 at SUSECVE-2020-10135 at NVDCVE-2020-10711 at SUSECVE-2020-10711 at NVDCVE-2020-10732 at SUSECVE-2020-10732 at NVDCVE-2020-10751 at SUSECVE-2020-10751 at NVDCVE-2020-10773 at SUSECVE-2020-10773 at NVDCVE-2020-12771 at SUSECVE-2020-12771 at NVDCVE-2020-13974 at SUSECVE-2020-13974 at NVDCVE-2020-14416 at SUSECVE-2020-14416 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-ipaddress (Important)SUSE OpenStack Cloud 8
This update for python-ipaddress fixes the following issues:
- Add CVE-2020-14422-ipaddress-hash-collision.patch fixing
CVE-2020-14422 (bsc#1173274, bpo#41004), where hash collisions
in IPv4Interface and IPv6Interface could lead to DOS.
ImportantSUSE bug 1173274CVE-2020-14422 at SUSECVE-2020-14422 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for LibVNCServer (Important)SUSE OpenStack Cloud 8
This update for LibVNCServer fixes the following issues:
- security update
fix CVE-2018-21247 [bsc#1173874], uninitialized memory contents are vulnerable to Information leak
fix CVE-2019-20839 [bsc#1173875], buffer overflow in ConnectClientToUnixSock()
fix CVE-2019-20840 [bsc#1173876], unaligned accesses in hybiReadAndDecode can lead to denial of service
fix CVE-2020-14398 [bsc#1173880], improperly closed TCP connection causes an infinite loop in libvncclient/sockets.c
fix CVE-2020-14397 [bsc#1173700], NULL pointer dereference in libvncserver/rfbregion.c
fix CVE-2020-14399 [bsc#1173743], Byte-aligned data is accessed through uint32_t pointers in libvncclient/rfbproto.c.
fix CVE-2020-14400 [bsc#1173691], Byte-aligned data is accessed through uint16_t pointers in libvncserver/translate.c.
fix CVE-2020-14401 [bsc#1173694], potential integer overflows in libvncserver/scale.c
fix CVE-2020-14402 [bsc#1173701], out-of-bounds access via encodings.
fix CVE-2020-14403 [bsc#1173701], out-of-bounds access via encodings.
fix CVE-2020-14404 [bsc#1173701], out-of-bounds access via encodings.
fix CVE-2017-18922 [bsc#1173477], preauth buffer overwrite
ImportantSUSE bug 1173477SUSE bug 1173691SUSE bug 1173694SUSE bug 1173700SUSE bug 1173701SUSE bug 1173743SUSE bug 1173874SUSE bug 1173875SUSE bug 1173876SUSE bug 1173880CVE-2017-18922 at SUSECVE-2017-18922 at NVDCVE-2018-21247 at SUSECVE-2018-21247 at NVDCVE-2019-20839 at SUSECVE-2019-20839 at NVDCVE-2019-20840 at SUSECVE-2019-20840 at NVDCVE-2020-14397 at SUSECVE-2020-14397 at NVDCVE-2020-14398 at SUSECVE-2020-14398 at NVDCVE-2020-14399 at SUSECVE-2020-14399 at NVDCVE-2020-14400 at SUSECVE-2020-14400 at NVDCVE-2020-14401 at SUSECVE-2020-14401 at NVDCVE-2020-14402 at SUSECVE-2020-14402 at NVDCVE-2020-14403 at SUSECVE-2020-14403 at NVDCVE-2020-14404 at SUSECVE-2020-14404 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for xen (Important)SUSE OpenStack Cloud 8
This update for xen fixes the following issues:
- bsc#1174543 - secure boot related fixes
- bsc#1163019 - CVE-2020-8608: Potential OOB access due to unsafe snprintf() usages
ImportantSUSE bug 1163019SUSE bug 1174543CVE-2020-8608 at SUSECVE-2020-8608 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for dpdk (Moderate)SUSE OpenStack Cloud 8
This update for dpdk to version 16.11.9 following issue:
- CVE-2019-14818: Fixed a memory leak vulnerability caused by a malicious container may lead to to denial of service (bsc#1156146).
- CVE-2020-12693: Fixed an authentication bypass via an alternate path or channel (boo#1172004).
- rebuilt with new signing key. (bsc#1174543)
ModerateSUSE bug 1156146SUSE bug 1171477SUSE bug 1171930SUSE bug 1174543CVE-2019-14818 at SUSECVE-2019-14818 at NVDCVE-2020-10722 at SUSECVE-2020-10722 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libX11 (Important)SUSE OpenStack Cloud 8
This update for libX11 fixes the following issues:
- Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628).
ImportantSUSE bug 1174628CVE-2020-14344 at SUSECVE-2020-14344 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for xerces-c (Moderate)SUSE OpenStack Cloud 8
This update for xerces-c fixes the following issues:
- CVE-2017-12627: Processing of external DTD paths could have resulted in a
null pointer dereference under certain conditions (bsc#1083630)
ModerateSUSE bug 1083630CVE-2017-12627 at SUSECVE-2017-12627 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud 8
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.28.4 (bsc#1174662):
+ Fix several crashes and rendering issues.
+ Security fixes: CVE-2020-9862, CVE-2020-9893, CVE-2020-9894,
CVE-2020-9895, CVE-2020-9915, CVE-2020-9925.
ImportantSUSE bug 1174662CVE-2020-9862 at SUSECVE-2020-9862 at NVDCVE-2020-9893 at SUSECVE-2020-9893 at NVDCVE-2020-9894 at SUSECVE-2020-9894 at NVDCVE-2020-9895 at SUSECVE-2020-9895 at NVDCVE-2020-9915 at SUSECVE-2020-9915 at NVDCVE-2020-9925 at SUSECVE-2020-9925 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for dovecot22 (Important)SUSE OpenStack Cloud 8
This update for dovecot22 fixes the following issues:
- CVE-2020-12673: improper implementation of NTLM does not check message buffer size (bsc#1174922).
- CVE-2020-12674: improper implementation of RPA mechanism (bsc#1174923).
ImportantSUSE bug 1174922SUSE bug 1174923CVE-2020-12673 at SUSECVE-2020-12673 at NVDCVE-2020-12674 at SUSECVE-2020-12674 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for grub2 (Important)SUSE OpenStack Cloud 8
This update for grub2 fixes the following issues:
- CVE-2020-15705: Fail kernel validation without shim protocol (bsc#1174421).
- Add fibre channel device's ofpath support to grub-ofpathname and search hint to speed up root device discovery (bsc#1172745).
ImportantSUSE bug 1172745SUSE bug 1174421CVE-2020-15705 at SUSECVE-2020-15705 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for samba (Moderate)SUSE OpenStack Cloud 8
This update for samba fixes the following issues:
- CVE-2019-14907: Fixed a Server-side crash after charset conversion failure during NTLMSSP processing (bsc#1160888).
ModerateSUSE bug 1160888CVE-2019-14907 at SUSECVE-2019-14907 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for xorg-x11-server (Moderate)SUSE OpenStack Cloud 8
This update for xorg-x11-server fixes the following issues:
- CVE-2020-14347: Leak of uninitialized heap memory from the X server to clients on pixmap allocation (bsc#1174633, ZDI-CAN-11426).
- CVE-2020-14346: XIChangeHierarchy Integer Underflow Privilege Escalation Vulnerability (bsc#1174638, ZDI-CAN-11429).
- CVE-2020-14345: XKB out-of-bounds access privilege escalation vulnerability (bsc#1174635, ZDI-CAN-11428).
ModerateSUSE bug 1174633SUSE bug 1174635SUSE bug 1174638CVE-2020-14345 at SUSECVE-2020-14345 at NVDCVE-2020-14346 at SUSECVE-2020-14346 at NVDCVE-2020-14347 at SUSECVE-2020-14347 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_8_0-ibm (Moderate)SUSE OpenStack Cloud 8
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 6 [bsc#1158442, bsc#1154212]
* Security fixes:
CVE-2019-2933 CVE-2019-2945 CVE-2019-2958
CVE-2019-2962 CVE-2019-2964 CVE-2019-2975
CVE-2019-2978 CVE-2019-2983 CVE-2019-2988
CVE-2019-2989 CVE-2019-2992 CVE-2019-2996
CVE-2019-2999 CVE-2019-2973 CVE-2019-2981
CVE-2019-17631
ModerateSUSE bug 1154212SUSE bug 1158442CVE-2019-17631 at SUSECVE-2019-17631 at NVDCVE-2019-2933 at SUSECVE-2019-2933 at NVDCVE-2019-2945 at SUSECVE-2019-2945 at NVDCVE-2019-2958 at SUSECVE-2019-2958 at NVDCVE-2019-2962 at SUSECVE-2019-2962 at NVDCVE-2019-2964 at SUSECVE-2019-2964 at NVDCVE-2019-2973 at SUSECVE-2019-2973 at NVDCVE-2019-2975 at SUSECVE-2019-2975 at NVDCVE-2019-2978 at SUSECVE-2019-2978 at NVDCVE-2019-2981 at SUSECVE-2019-2981 at NVDCVE-2019-2983 at SUSECVE-2019-2983 at NVDCVE-2019-2988 at SUSECVE-2019-2988 at NVDCVE-2019-2989 at SUSECVE-2019-2989 at NVDCVE-2019-2992 at SUSECVE-2019-2992 at NVDCVE-2019-2996 at SUSECVE-2019-2996 at NVDCVE-2019-2999 at SUSECVE-2019-2999 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for xorg-x11-server (Important)SUSE OpenStack Cloud 8
This update for xorg-x11-server fixes the following issues:
- CVE-2020-14361: Fix XkbSelectEvents() integer underflow (bsc#1174910 ZDI-CAN-11573).
- CVE-2020-14362: Fix XRecordRegisterClients() Integer underflow (bsc#1174913 ZDI-CAN-11574).
ImportantSUSE bug 1174910SUSE bug 1174913CVE-2020-14361 at SUSECVE-2020-14361 at NVDCVE-2020-14362 at SUSECVE-2020-14362 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for apache2 (Moderate)SUSE OpenStack Cloud 8
This update for apache2 fixes the following issues:
- CVE-2020-9490: Fixed a crash caused by a specially crafted value for the 'Cache-Digest' header in a HTTP/2 request (bsc#1175071).
- CVE-2020-11985: IP address spoofing when proxying using mod_remoteip and mod_rewrite (bsc#1175072).
- CVE-2020-11993: When trace/debug was enabled for the HTTP/2 module logging statements were made on the wrong connection (bsc#1175070).
ModerateSUSE bug 1175070SUSE bug 1175071SUSE bug 1175072CVE-2020-11985 at SUSECVE-2020-11985 at NVDCVE-2020-11993 at SUSECVE-2020-11993 at NVDCVE-2020-9490 at SUSECVE-2020-9490 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_8_0-ibm (Moderate)SUSE OpenStack Cloud 8
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 6 Fix Pack 15 [bsc#1175259, bsc#1174157]
CVE-2020-14577 CVE-2020-14578 CVE-2020-14579 CVE-2020-14581
CVE-2020-14556 CVE-2020-14621 CVE-2020-14593 CVE-2020-14583
CVE-2019-17639
* Class Libraries:
- JAVA.UTIL.ZIP.DEFLATER OPERATIONS THROW JAVA.LANG.INTERNALERROR
- JAVA 8 DECODER OBJECTS CONSUME A LARGE AMOUNT OF JAVA HEAP
- TRANSLATION MESSAGES UPDATE FOR JCL
- UPDATE TIMEZONE INFORMATION TO TZDATA2020A
* Java Virtual Machine:
- IBM JAVA REGISTERS A HANDLER BY DEFAULT FOR SIGABRT
- LARGE MEMORY FOOTPRINT HELD BY TRACECONTEXT OBJECT
* JIT Compiler:
- CRASH IN THE INTERPRETER AFTER OSR FROM INLINED SYNCHRONIZED METHOD
IN DEBUGGING MODE
- INTERMITTENT ASSERTION FAILURE REPORTED
- CRASH IN RESOLVECLASSREF() DURING AOT LOAD
- JIT CRASH DURING CLASS UNLOADING IN J9METHOD_HT::ONCLASSUNLOADING()
- SEGMENTATION FAULT WHILE COMPILING A METHOD
- UNEXPECTED CLASSCASTEXCEPTION THROWN IN HIGH LEVEL PARALLEL
APPLICATION ON IBM Z PLATFORM
* Security:
- CERTIFICATEEXCEPTION OCCURS WHEN FILE.ENCODING PROPERTY SET TO
NON DEFAULT VALUE
- CHANGES TO IBMJCE AND IBMJCEPLUS PROVIDERS
- IBMJCEPLUS FAILS, WHEN THE SECURITY MANAGER IS ENABLED, WITH
DEFAULT PERMISSIONS, SPECIFIED IN JAVA.POLICY FILE
- IN CERTAIN INSTANCES, IBMJCEPLUS PROVIDER THROWS EXCEPTION FROM
KEYFACTORY CLASS
ModerateSUSE bug 1174157SUSE bug 1175259CVE-2019-17639 at SUSECVE-2019-17639 at NVDCVE-2020-14556 at SUSECVE-2020-14556 at NVDCVE-2020-14577 at SUSECVE-2020-14577 at NVDCVE-2020-14578 at SUSECVE-2020-14578 at NVDCVE-2020-14579 at SUSECVE-2020-14579 at NVDCVE-2020-14581 at SUSECVE-2020-14581 at NVDCVE-2020-14583 at SUSECVE-2020-14583 at NVDCVE-2020-14593 at SUSECVE-2020-14593 at NVDCVE-2020-14621 at SUSECVE-2020-14621 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for squid (Critical)SUSE OpenStack Cloud 8
This update for squid fixes the following issues:
- CVE-2020-24606: Fix livelocking in peerDigestHandleReply (bsc#1175671).
- CVE-2020-15811: Improve Transfer-Encoding handling (bsc#1175665).
- CVE-2020-15810: Enforce token characters for field-name (bsc#1175664).
CriticalSUSE bug 1175664SUSE bug 1175665SUSE bug 1175671CVE-2020-15810 at SUSECVE-2020-15810 at NVDCVE-2020-15811 at SUSECVE-2020-15811 at NVDCVE-2020-24606 at SUSECVE-2020-24606 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libX11 (Moderate)SUSE OpenStack Cloud 8
This update for libX11 fixes the following issues:
- CVE-2020-14363: Fix an integer overflow in init_om() (bsc#1175239).
ModerateSUSE bug 1175239CVE-2020-14363 at SUSECVE-2020-14363 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_7_1-ibm (Moderate)SUSE OpenStack Cloud 8
This update for java-1_7_1-ibm fixes the following issues:
- Update to Java 7.1 Service Refresh 4 Fix Pack 70 [bsc#1175259, bsc#1174157]
CVE-2020-14577 CVE-2020-14578 CVE-2020-14579 CVE-2020-14621
CVE-2020-14593 CVE-2020-14583 CVE-2019-17639
* Class Libraries:
- UPDATE TIMEZONE INFORMATION TO TZDATA2020A
* Security:
- CERTIFICATEEXCEPTION OCCURS WHEN FILE.ENCODING PROPERTY SET TO
NON DEFAULT VALUE
ModerateSUSE bug 1174157SUSE bug 1175259CVE-2019-17639 at SUSECVE-2019-17639 at NVDCVE-2020-14577 at SUSECVE-2020-14577 at NVDCVE-2020-14578 at SUSECVE-2020-14578 at NVDCVE-2020-14579 at SUSECVE-2020-14579 at NVDCVE-2020-14583 at SUSECVE-2020-14583 at NVDCVE-2020-14593 at SUSECVE-2020-14593 at NVDCVE-2020-14621 at SUSECVE-2020-14621 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for aws-cli (Moderate)SUSE OpenStack Cloud 8
This update for aws-cli to version 1.16.297 fixes the following issues:
Security issue fixed:
- CVE-2018-15869: Fixed an permission handling issue where an unexpected AMI could potentially be used (bsc#1105988).
Non-security issues fixed:
- Fixed an issue with the CLI client, where a ModuleNotFoundError was triggered (bsc#1092493).
ModerateSUSE bug 1092493SUSE bug 1105988SUSE bug 1118021SUSE bug 1118024SUSE bug 1118099CVE-2018-15869 at SUSECVE-2018-15869 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Moderate)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.2.0 ESR
* Fixed: Various stability, functionality, and security fixes
- Mozilla Firefox ESR 78.2
MFSA 2020-38 (bsc#1175686)
* CVE-2020-15663 (bmo#1643199)
Downgrade attack on the Mozilla Maintenance Service could
have resulted in escalation of privilege
* CVE-2020-15664 (bmo#1658214)
Attacker-induced prompt for extension installation
* CVE-2020-15670 (bmo#1651001, bmo#1651449, bmo#1653626,
bmo#1656957)
Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2
- Fixed Firefox tab crash in FIPS mode (bsc#1174284).
- Fix broken translation-loading. (bsc#1173991)
* allow addon sideloading
* mark signatures for langpacks non-mandatory
* do not autodisable user profile scopes
- Google API key is not usable for geolocation service any more
ModerateSUSE bug 1173991SUSE bug 1174284SUSE bug 1175686CVE-2020-15663 at SUSECVE-2020-15663 at NVDCVE-2020-15664 at SUSECVE-2020-15664 at NVDCVE-2020-15670 at SUSECVE-2020-15670 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud 8
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-14314: Fixed a potential negative array index in do_split() (bsc#1173798).
- CVE-2020-14331: Fixed a missing check in vgacon scrollback handling (bsc#1174205).
- CVE-2020-16166: Fixed a potential issue which could have allowed remote attackers to make observations that help to obtain sensitive information about the internal state of the network RNG (bsc#1174757).
- CVE-2019-16746: Fixed an improper check of the length of variable elements in a beacon head, leading to a buffer overflow (bsc#1152107).
- CVE-2020-14386: Fixed a potential local privilege escalation via memory corruption (bsc#1176069).
The following non-security bugs were fixed:
- bonding: fix active-backup failover for current ARP slave (bsc#1174771).
- Drivers: hv: vmbus: Only notify Hyper-V for die events that are oops (bsc#1175127).
- ibmvnic: Fix IRQ mapping disposal in error path (bsc#1175112 ltc#187459).
- mm, vmstat: reduce zone->lock holding time by /proc/pagetypeinfo (bsc#1175691).
- ocfs2: add trimfs dlm lock resource (bsc#1175228).
- ocfs2: add trimfs lock to avoid duplicated trims in cluster (bsc#1175228).
- ocfs2: fix the application IO timeout when fstrim is running (bsc#1175228).
ImportantSUSE bug 1152107SUSE bug 1173798SUSE bug 1174205SUSE bug 1174757SUSE bug 1174771SUSE bug 1175112SUSE bug 1175127SUSE bug 1175228SUSE bug 1175691SUSE bug 1176069CVE-2019-16746 at SUSECVE-2019-16746 at NVDCVE-2020-14314 at SUSECVE-2020-14314 at NVDCVE-2020-14331 at SUSECVE-2020-14331 at NVDCVE-2020-14386 at SUSECVE-2020-14386 at NVDCVE-2020-16166 at SUSECVE-2020-16166 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_8_0-openjdk (Important)SUSE OpenStack Cloud 8
This update for java-1_8_0-openjdk fixes the following issues:
Update java-1_8_0-openjdk to version jdk8u242 (icedtea 3.15.0) (January 2020 CPU, bsc#1160968):
- CVE-2020-2583: Unlink Set of LinkedHashSets
- CVE-2020-2590: Improve Kerberos interop capabilities
- CVE-2020-2593: Normalize normalization for all
- CVE-2020-2601: Better Ticket Granting Services
- CVE-2020-2604: Better serial filter handling
- CVE-2020-2659: Enhance datagram socket support
- CVE-2020-2654: Improve Object Identifier Processing
ImportantSUSE bug 1160968CVE-2020-2583 at SUSECVE-2020-2583 at NVDCVE-2020-2590 at SUSECVE-2020-2590 at NVDCVE-2020-2593 at SUSECVE-2020-2593 at NVDCVE-2020-2601 at SUSECVE-2020-2601 at NVDCVE-2020-2604 at SUSECVE-2020-2604 at NVDCVE-2020-2654 at SUSECVE-2020-2654 at NVDCVE-2020-2659 at SUSECVE-2020-2659 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for tomcat (Moderate)SUSE OpenStack Cloud 8
This update for tomcat fixes the following issues:
- CVE-2020-1935: Fixed an HTTP request smuggling vulnerability (bsc#1164860).
- CVE-2020-13935: Fixed a WebSocket DoS (bsc#1174117).
ModerateSUSE bug 1164860SUSE bug 1174117CVE-2020-13935 at SUSECVE-2020-13935 at NVDCVE-2020-1935 at SUSECVE-2020-1935 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for shim (Moderate)SUSE OpenStack Cloud 8
This update for shim fixes the following issues:
- Update to the unified shim binary from SUSE Linux Enterprise 15-SP1 (bsc#1168994)
This update addresses the 'BootHole' security issue (master CVE CVE-2020-10713), by
disallowing binaries signed by the previous SUSE UEFI signing key from booting.
This update should only be installed after updates of grub2, the Linux kernel and (if used)
Xen from July / August 2020 are applied.
Additional fixes:
+ shim-install: install MokManager to \EFI\boot to process the pending MOK request (bsc#1175626, bsc#1175656)
ModerateSUSE bug 1168994SUSE bug 1175626SUSE bug 1175656CVE-2020-10713 at SUSECVE-2020-10713 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libsolv (Moderate)SUSE OpenStack Cloud 8
This update for libsolv fixes the following issues:
This is a reissue of an existing libsolv update that also included libsolv-devel for LTSS products.
libsolv was updated to version 0.6.36 fixes the following issues:
Security issues fixed:
- CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
- CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
- CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).
Non-security issues fixed:
- Made cleandeps jobs on patterns work (bsc#1137977).
- Fixed an issue multiversion packages that obsolete their own name (bsc#1127155).
- Keep consistent package name if there are multiple alternatives (bsc#1131823).
ModerateSUSE bug 1120629SUSE bug 1120630SUSE bug 1120631SUSE bug 1127155SUSE bug 1131823SUSE bug 1137977CVE-2018-20532 at SUSECVE-2018-20532 at NVDCVE-2018-20533 at SUSECVE-2018-20533 at NVDCVE-2018-20534 at SUSECVE-2018-20534 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for perl-DBI (Important)SUSE OpenStack Cloud 8
This update for perl-DBI fixes the following issues:
Security issues fixed:
- CVE-2020-14392: Memory corruption in XS functions when Perl stack is reallocated (bsc#1176412).
- CVE-2020-14393: Fixed a buffer overflow on an overlong DBD class name (bsc#1176409).
ImportantSUSE bug 1176409SUSE bug 1176412CVE-2020-14392 at SUSECVE-2020-14392 at NVDCVE-2020-14393 at SUSECVE-2020-14393 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python3 (Important)SUSE OpenStack Cloud 8
This update for python3 fixes the following issues:
- CVE-2019-20907: Fixed denial of service by avoiding possible infinite loop in specifically crafted tarball (bsc#1174091).
- CVE-2020-14422: Fixed an improper computation of hash values in the IPv4Interface and IPv6Interface
could have led to denial of service (bsc#1173274).
- CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238).
- CVE-2019-9947: Fixed an issue in urllib2 which allowed CRLF injection if the attacker controls a url parameter (bsc#1130840).
- If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423).
ImportantSUSE bug 1088004SUSE bug 1088009SUSE bug 1130840SUSE bug 1141853SUSE bug 1149955SUSE bug 1153238SUSE bug 1162423SUSE bug 1173274SUSE bug 1174091SUSE bug 1174701CVE-2018-14647 at SUSECVE-2018-14647 at NVDCVE-2018-20852 at SUSECVE-2018-20852 at NVDCVE-2019-16056 at SUSECVE-2019-16056 at NVDCVE-2019-16935 at SUSECVE-2019-16935 at NVDCVE-2019-20907 at SUSECVE-2019-20907 at NVDCVE-2019-9947 at SUSECVE-2019-9947 at NVDCVE-2020-14422 at SUSECVE-2020-14422 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for pdns (Moderate)SUSE OpenStack Cloud 8
This update for pdns fixes the following issues:
- CVE-2020-17482: Fixed an issue where an authorized user with the ability to insert crafted
records into a zone might be able to leak the content of uninitialized memory (bsc#1176535)
ModerateSUSE bug 1176535CVE-2020-17482 at SUSECVE-2020-17482 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for samba (Important)SUSE OpenStack Cloud 8
This update for samba fixes the following issues:
- ZeroLogon: An elevation of privilege was possible with some configurations when an attacker established
a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC)
(CVE-2020-1472, bsc#1176579).
- Fixed an issue where multiple home folders were created(bsc#1174316, bso#13369).
- Fixed an issue where the net command was unable to negotiate SMB2 (bsc#1174120);
ImportantSUSE bug 1174120SUSE bug 1174316SUSE bug 1176579CVE-2020-1472 at SUSECVE-2020-1472 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-pip (Moderate)SUSE OpenStack Cloud 8
This update for python-pip fixes the following issues:
- CVE-2019-20916: Fixed a directory traversal in _download_http_url (bsc#1176262)
ModerateSUSE bug 1176262CVE-2019-20916 at SUSECVE-2019-20916 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libqt5-qtbase (Important)SUSE OpenStack Cloud 8
This update for libqt5-qtbase fixes the following issues:
- CVE-2020-17507: Fixed a buffer overflow in XBM parser (bsc#1176315)
- Made handling of XDG_RUNTIME_DIR more secure (bsc#1172515)
ImportantSUSE bug 1172515SUSE bug 1176315CVE-2020-17507 at SUSECVE-2020-17507 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
-Firefox was updated to 78.3.0 ESR (bsc#1176756, MFSA 2020-43)
- CVE-2020-15677: Download origin spoofing via redirect
- CVE-2020-15676: Fixed an XSS when pasting attacker-controlled data into a
contenteditable element
- CVE-2020-15678: When recursing through layers while scrolling, an iterator
may have become invalid, resulting in a potential use-after-free scenario
- CVE-2020-15673: Fixed memory safety bugs
- Enhance fix for wayland-detection (bsc#1174420)
- Attempt to fix langpack-parallelization by introducing separate
obj-dirs for each lang (bsc#1173986, bsc#1167976)
ImportantSUSE bug 1167976SUSE bug 1173986SUSE bug 1174420SUSE bug 1176756CVE-2020-15673 at SUSECVE-2020-15673 at NVDCVE-2020-15676 at SUSECVE-2020-15676 at NVDCVE-2020-15677 at SUSECVE-2020-15677 at NVDCVE-2020-15678 at SUSECVE-2020-15678 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for xen (Important)SUSE OpenStack Cloud 8
This update for xen fixes the following issues:
- CVE-2020-25604: Fixed a race condition when migrating timers between x86
HVM vCPU-s (bsc#1176343,XSA-336)
- CVE-2020-25595: Fixed an issue where PCI passthrough code was reading back hardware registers (bsc#1176344,XSA-337)
- CVE-2020-25597: Fixed an issue where a valid event channels may not turn invalid (bsc#1176346,XSA-338)
- CVE-2020-25596: Fixed a potential denial of service in x86 pv guest kernel via SYSENTER (bsc#1176345,XSA-339)
- CVE-2020-25603: Fixed an issue due to missing barriers when accessing/allocating an event channel (bsc#1176347,XSA-340)
- CVE-2020-25600: Fixed out of bounds event channels available to 32-bit x86 domains (bsc#1176348,XSA-342)
- CVE-2020-25599: Fixed race conditions with evtchn_reset() (bsc#1176349,XSA-343)
- CVE-2020-25601: Fixed an issue due to lack of preemption in evtchn_reset() / evtchn_destroy() (bsc#1176350,XSA-344)
- CVE-2020-14364: Fixed an out-of-bounds read/write access while processing usb packets (bsc#1175534).
- Various bug fixes (bsc#1027519)
ImportantSUSE bug 1175534SUSE bug 1176343SUSE bug 1176344SUSE bug 1176345SUSE bug 1176346SUSE bug 1176347SUSE bug 1176348SUSE bug 1176349SUSE bug 1176350CVE-2020-14364 at SUSECVE-2020-14364 at NVDCVE-2020-25595 at SUSECVE-2020-25595 at NVDCVE-2020-25596 at SUSECVE-2020-25596 at NVDCVE-2020-25597 at SUSECVE-2020-25597 at NVDCVE-2020-25599 at SUSECVE-2020-25599 at NVDCVE-2020-25600 at SUSECVE-2020-25600 at NVDCVE-2020-25601 at SUSECVE-2020-25601 at NVDCVE-2020-25603 at SUSECVE-2020-25603 at NVDCVE-2020-25604 at SUSECVE-2020-25604 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for perl-DBI (Important)SUSE OpenStack Cloud 8
This update for perl-DBI fixes the following issues:
- CVE-2019-20919: Fixed a NULL profile dereference in dbi_profile (bsc#1176764).
- CVE-2013-7490: Fixed memory corruption when using many arguments
to methods for CallbacksUsing (bsc#1176496).
ImportantSUSE bug 1176496SUSE bug 1176764CVE-2013-7490 at SUSECVE-2013-7490 at NVDCVE-2019-20919 at SUSECVE-2019-20919 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_7_0-openjdk (Important)SUSE OpenStack Cloud 8
This update for java-1_7_0-openjdk fixes the following issues:
- java-1_7_0-openjdk was updated to 2.6.23 (July 2020 CPU, bsc#1174157)
- JDK-8028431, CVE-2020-14579: NullPointerException in
- DerValue.equals(DerValue)
- JDK-8028591, CVE-2020-14578: NegativeArraySizeException in
- sun.security.util.DerInputStream.getUnalignedBitString()
- JDK-8230613: Better ASCII conversions
- JDK-8231800: Better listing of arrays
- JDK-8232014: Expand DTD support
- JDK-8233255: Better Swing Buttons
- JDK-8234032: Improve basic calendar services
- JDK-8234042: Better factory production of certificates
- JDK-8234418: Better parsing with CertificateFactory
- JDK-8234836: Improve serialization handling
- JDK-8236191: Enhance OID processing
- JDK-8237592, CVE-2020-14577: Enhance certificate verification
- JDK-8238002, CVE-2020-14581: Better matrix operations
- JDK-8238804: Enhance key handling process
- JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable
- JDK-8238843: Enhanced font handing
- JDK-8238920, CVE-2020-14583: Better Buffer support
- JDK-8238925: Enhance WAV file playback
- JDK-8240119, CVE-2020-14593: Less Affine Transformations
- JDK-8240482: Improved WAV file playback
- JDK-8241379: Update JCEKS support
- JDK-8241522: Manifest improved jar headers redux
- JDK-8242136, CVE-2020-14621: Better XML namespace handling
- JDK-8040113: File not initialized in src/share/native/sun/awt/giflib/dgif_lib.c
- JDK-8054446: Repeated offer and remove on ConcurrentLinkedQueue lead to an OutOfMemoryError
- JDK-8077982: GIFLIB upgrade
- JDK-8081315: 8077982 giflib upgrade breaks system giflib builds with earlier versions
- JDK-8147087: Race when reusing PerRegionTable bitmaps may result in dropped remembered set entries
- JDK-8151582: (ch) test java/nio/channels/AsyncCloseAndInterrupt.java failing due to 'Connection succeeded'
- JDK-8155691: Update GIFlib library to the latest up-to-date
- JDK-8181841: A TSA server returns timestamp with precision higher than milliseconds
- JDK-8203190: SessionId.hashCode generates too many collisions
- JDK-8217676: Upgrade libpng to 1.6.37
- JDK-8220495: Update GIFlib library to the 5.1.8
- JDK-8226892: ActionListeners on JRadioButtons don't get notified when selection is changed with arrow keys
- JDK-8229899: Make java.io.File.isInvalid() less racy
- JDK-8230597: Update GIFlib library to the 5.2.1
- JDK-8230769: BufImg_SetupICM add ReleasePrimitiveArrayCritical call in early return
- JDK-8243541: (tz) Upgrade time-zone data to tzdata2020a
- JDK-8244548: JDK 8u: sun.misc.Version.jdkUpdateVersion() returns wrong result
ImportantSUSE bug 1174157CVE-2020-14577 at SUSECVE-2020-14577 at NVDCVE-2020-14578 at SUSECVE-2020-14578 at NVDCVE-2020-14579 at SUSECVE-2020-14579 at NVDCVE-2020-14581 at SUSECVE-2020-14581 at NVDCVE-2020-14583 at SUSECVE-2020-14583 at NVDCVE-2020-14593 at SUSECVE-2020-14593 at NVDCVE-2020-14621 at SUSECVE-2020-14621 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for tigervnc (Critical)SUSE OpenStack Cloud 8
This update for tigervnc fixes the following issues:
- CVE-2020-26117: Server certificates were stored as certiticate
authorities, allowing malicious owners of these certificates
to impersonate any server after a client had added an exception
(bsc#1176733).
CriticalSUSE bug 1176733CVE-2020-26117 at SUSECVE-2020-26117 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libproxy (Important)SUSE OpenStack Cloud 8
This update for libproxy fixes the following issues:
- CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
- CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).
ImportantSUSE bug 1176410SUSE bug 1177143CVE-2020-25219 at SUSECVE-2020-25219 at NVDCVE-2020-26154 at SUSECVE-2020-26154 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for freetype2 (Important)SUSE OpenStack Cloud 8
This update for freetype2 fixes the following issues:
- CVE-2020-15999: fixed a heap buffer overflow found in the handling of embedded PNG bitmaps (bsc#1177914).
ImportantSUSE bug 1177914CVE-2020-15999 at SUSECVE-2020-15999 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for glibc (Moderate)SUSE OpenStack Cloud 8
This update for glibc fixes the following issues:
- CVE-2020-10029: Fixed a stack corruption from range reduction of pseudo-zero (bsc#1165784)
- Use posix_spawn on popen (bsc#1149332, bsc#1176013)
- Correct locking and cancellation cleanup in syslog functions (bsc#1172085)
- Fixed concurrent changes on nscd aware files (bsc#1171878)
ModerateSUSE bug 1149332SUSE bug 1165784SUSE bug 1171878SUSE bug 1172085SUSE bug 1176013CVE-2020-10029 at SUSECVE-2020-10029 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.4.0 ESR
* Fixed: Various stability, functionality, and security fixes MFSA 2020-46 (bsc#1177872, bsc#1176756)
* CVE-2020-15969 Use-after-free in usersctp
* CVE-2020-15683 Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4
* Fixed: Fixed legacy preferences not being properly applied when set via GPO
ImportantSUSE bug 1176756SUSE bug 1177872CVE-2020-15683 at SUSECVE-2020-15683 at NVDCVE-2020-15969 at SUSECVE-2020-15969 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for spice (Moderate)SUSE OpenStack Cloud 8
This update for spice fixes the following issues:
- CVE-2020-14355: Fixed multiple buffer overflow vulnerabilities in QUIC image decoding (bsc#1177158).
ModerateSUSE bug 1177158CVE-2020-14355 at SUSECVE-2020-14355 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for spice-gtk (Moderate)SUSE OpenStack Cloud 8
This update for spice-gtk fixes the following issues:
- CVE-2020-14355: Fixed multiple buffer overflow vulnerabilities in QUIC image decoding (bsc#1177158).
ModerateSUSE bug 1177158CVE-2020-14355 at SUSECVE-2020-14355 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for samba (Important)SUSE OpenStack Cloud 8
This update for samba fixes the following issues:
- CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records (bsc#1177613).
- CVE-2020-14323: Unprivileged user can crash winbind (bsc#1173994).
- CVE-2020-14318: Missing permissions check in SMB1/2/3 ChangeNotify (bsc#1173902).
ImportantSUSE bug 1173902SUSE bug 1173994SUSE bug 1177613CVE-2020-14318 at SUSECVE-2020-14318 at NVDCVE-2020-14323 at SUSECVE-2020-14323 at NVDCVE-2020-14383 at SUSECVE-2020-14383 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libvirt (Important)SUSE OpenStack Cloud 8
This update for libvirt fixes the following issues:
CVE-2020-15708: Added a note to libvirtd.conf about polkit auth in SUSE distros (bsc#1174955).
CVE-2020-25637: Fixed a double free in qemuAgentGetInterfaces() (bsc#1177155).
ImportantSUSE bug 1174955SUSE bug 1177155CVE-2020-15708 at SUSECVE-2020-15708 at NVDCVE-2020-25637 at SUSECVE-2020-25637 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for sane-backends (Important)SUSE OpenStack Cloud 8
This update for sane-backends fixes the following issues:
- sane-backends version upgrade to 1.0.31:
* sane-backends version upgrade to 1.0.30
fixes memory corruption bugs CVE-2020-12861, CVE-2020-12862,
CVE-2020-12863, CVE-2020-12864, CVE-2020-12865,
CVE-2020-12866, CVE-2020-12867 (bsc#1172524)
* sane-backends version upgrade to 1.0.31
to further improve hardware enablement for scanner devices
(jsc#SLE-15561 and jsc#SLE-15560 with jsc#ECO-2418)
* The new escl backend cannot be provided for SLE12 because
it requires more additional software (avahi-client, libcurl,
and libpoppler-glib-devel) where in particular for libcurl
the one that is in SLE12 (via libcurl-devel-7.37.0) is likely
too old because with that building the escl backend fails with
'escl/escl.c:1267:34: error: 'CURLOPT_UNIX_SOCKET_PATH'
undeclared curl_easy_setopt(handle, CURLOPT_UNIX_SOCKET_PATH'
ImportantSUSE bug 1172524CVE-2017-6318 at SUSECVE-2017-6318 at NVDCVE-2020-12861 at SUSECVE-2020-12861 at NVDCVE-2020-12862 at SUSECVE-2020-12862 at NVDCVE-2020-12863 at SUSECVE-2020-12863 at NVDCVE-2020-12864 at SUSECVE-2020-12864 at NVDCVE-2020-12865 at SUSECVE-2020-12865 at NVDCVE-2020-12866 at SUSECVE-2020-12866 at NVDCVE-2020-12867 at SUSECVE-2020-12867 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for apache-commons-httpclient (Important)SUSE OpenStack Cloud 8
This update for apache-commons-httpclient fixes the following issues:
- http/conn/ssl/SSLConnectionSocketFactory.java ignores the
http.socket.timeout configuration setting during an SSL handshake,
which allows remote attackers to cause a denial of service (HTTPS
call hang) via unspecified vectors. [bsc#945190, CVE-2015-5262]
- org.apache.http.conn.ssl.AbstractVerifier does not properly
verify that the server hostname matches a domain name in the
subject's Common Name (CN) or subjectAltName field of the X.509
certificate, which allows MITM attackers to spoof SSL servers
via a 'CN=' string in a field in the distinguished name (DN)
of a certificate. [bsc#1178171, CVE-2014-3577]
ImportantSUSE bug 1178171SUSE bug 945190CVE-2014-3577 at SUSECVE-2014-3577 at NVDCVE-2015-5262 at SUSECVE-2015-5262 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libqt5-qtbase (Important)SUSE OpenStack Cloud 8
This update for libqt5-qtbase fixes the following issues:
Security issues fixed:
- CVE-2020-0569: Fixed a potential local code execution by loading plugins from CWD (bsc#1161167).
- CVE-2018-19870: Fixed an improper check in QImage allocation which could allow Denial of Service
when opening crafted gif files (bsc#1118597).
- CVE-2018-19872: Fixed an issue which could allow a division by zero leading to crash (bsc#1130246).
ImportantSUSE bug 1118597SUSE bug 1130246SUSE bug 1161167CVE-2018-19870 at SUSECVE-2018-19870 at NVDCVE-2018-19872 at SUSECVE-2018-19872 at NVDCVE-2020-0569 at SUSECVE-2020-0569 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_8_0-openjdk (Important)SUSE OpenStack Cloud 8
This update for java-1_8_0-openjdk fixes the following issues:
- Fix regression '8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)',
introduced in October 2020 CPU.
- Update to version jdk8u272 (icedtea 3.17.0) (July 2020 CPU,
bsc#1174157, and October 2020 CPU, bsc#1177943)
* New features
+ JDK-8245468: Add TLSv1.3 implementation classes from 11.0.7
+ PR3796: Allow the number of curves supported to be specified
* Security fixes
+ JDK-8028431, CVE-2020-14579: NullPointerException in
DerValue.equals(DerValue)
+ JDK-8028591, CVE-2020-14578: NegativeArraySizeException in
sun.security.util.DerInputStream.getUnalignedBitString()
+ JDK-8230613: Better ASCII conversions
+ JDK-8231800: Better listing of arrays
+ JDK-8232014: Expand DTD support
+ JDK-8233255: Better Swing Buttons
+ JDK-8233624: Enhance JNI linkage
+ JDK-8234032: Improve basic calendar services
+ JDK-8234042: Better factory production of certificates
+ JDK-8234418: Better parsing with CertificateFactory
+ JDK-8234836: Improve serialization handling
+ JDK-8236191: Enhance OID processing
+ JDK-8236196: Improve string pooling
+ JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
+ JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior
+ JDK-8237592, CVE-2020-14577: Enhance certificate verification
+ JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
+ JDK-8237995, CVE-2020-14782: Enhance certificate processing
+ JDK-8238002, CVE-2020-14581: Better matrix operations
+ JDK-8238804: Enhance key handling process
+ JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable
+ JDK-8238843: Enhanced font handing
+ JDK-8238920, CVE-2020-14583: Better Buffer support
+ JDK-8238925: Enhance WAV file playback
+ JDK-8240119, CVE-2020-14593: Less Affine Transformations
+ JDK-8240124: Better VM Interning
+ JDK-8240482: Improved WAV file playback
+ JDK-8241114, CVE-2020-14792: Better range handling
+ JDK-8241379: Update JCEKS support
+ JDK-8241522: Manifest improved jar headers redux
+ JDK-8242136, CVE-2020-14621: Better XML namespace handling
+ JDK-8242680, CVE-2020-14796: Improved URI Support
+ JDK-8242685, CVE-2020-14797: Better Path Validation
+ JDK-8242695, CVE-2020-14798: Enhanced buffer support
+ JDK-8243302: Advanced class supports
+ JDK-8244136, CVE-2020-14803: Improved Buffer supports
+ JDK-8244479: Further constrain certificates
+ JDK-8244955: Additional Fix for JDK-8240124
+ JDK-8245407: Enhance zoning of times
+ JDK-8245412: Better class definitions
+ JDK-8245417: Improve certificate chain handling
+ JDK-8248574: Improve jpeg processing
+ JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
+ JDK-8253019: Enhanced JPEG decoding
* Import of OpenJDK 8 u262 build 01
+ JDK-4949105: Access Bridge lacks html tags parsing
+ JDK-8003209: JFR events for network utilization
+ JDK-8030680: 292 cleanup from default method code assessment
+ JDK-8035633: TEST_BUG: java/net/NetworkInterface/Equals.java
and some tests failed on windows intermittently
+ JDK-8041626: Shutdown tracing event
+ JDK-8141056: Erroneous assignment in HeapRegionSet.cpp
+ JDK-8149338: JVM Crash caused by Marlin renderer not handling
NaN coordinates
+ JDK-8151582: (ch) test java/nio/channels/
/AsyncCloseAndInterrupt.java failing due to 'Connection
succeeded'
+ JDK-8165675: Trace event for thread park has incorrect unit
for timeout
+ JDK-8176182: 4 security tests are not run
+ JDK-8178910: Problemlist sample tests
+ JDK-8183925: Decouple crash protection from watcher thread
+ JDK-8191393: Random crashes during cfree+0x1c
+ JDK-8195817: JFR.stop should require name of recording
+ JDK-8195818: JFR.start should increase autogenerated name by
one
+ JDK-8195819: Remove recording=x from jcmd JFR.check output
+ JDK-8199712: Flight Recorder
+ JDK-8202578: Revisit location for class unload events
+ JDK-8202835: jfr/event/os/TestSystemProcess.java fails on
missing events
+ JDK-8203287: Zero fails to build after JDK-8199712 (Flight
Recorder)
+ JDK-8203346: JFR: Inconsistent signature of
jfr_add_string_constant
+ JDK-8203664: JFR start failure after AppCDS archive created
with JFR StartFlightRecording
+ JDK-8203921: JFR thread sampling is missing fixes from
JDK-8194552
+ JDK-8203929: Limit amount of data for JFR.dump
+ JDK-8205516: JFR tool
+ JDK-8207392: [PPC64] Implement JFR profiling
+ JDK-8207829: FlightRecorderMXBeanImpl is leaking the first
classloader which calls it
+ JDK-8209960: -Xlog:jfr* doesn't work with the JFR
+ JDK-8210024: JFR calls virtual is_Java_thread from ~Thread()
+ JDK-8210776: Upgrade X Window System 6.8.2 to the latest XWD
1.0.7
+ JDK-8211239: Build fails without JFR: empty JFR events
signatures mismatch
+ JDK-8212232: Wrong metadata for the configuration of the
cutoff for old object sample events
+ JDK-8213015: Inconsistent settings between JFR.configure and
-XX:FlightRecorderOptions
+ JDK-8213421: Line number information for execution samples
always 0
+ JDK-8213617: JFR should record the PID of the recorded process
+ JDK-8213734: SAXParser.parse(File, ..) does not close
resources when Exception occurs.
+ JDK-8213914: [TESTBUG] Several JFR VM events are not covered
by tests
+ JDK-8213917: [TESTBUG] Shutdown JFR event is not covered by
test
+ JDK-8213966: The ZGC JFR events should be marked as
experimental
+ JDK-8214542: JFR: Old Object Sample event slow on a deep heap
in debug builds
+ JDK-8214750: Unnecessary <p> tags in jfr classes
+ JDK-8214896: JFR Tool left files behind
+ JDK-8214906: [TESTBUG] jfr/event/sampling/TestNative.java
fails with UnsatisfiedLinkError
+ JDK-8214925: JFR tool fails to execute
+ JDK-8215175: Inconsistencies in JFR event metadata
+ JDK-8215237: jdk.jfr.Recording javadoc does not compile
+ JDK-8215284: Reduce noise induced by periodic task
getFileSize()
+ JDK-8215355: Object monitor deadlock with no threads holding
the monitor (using jemalloc 5.1)
+ JDK-8215362: JFR GTest JfrTestNetworkUtilization fails
+ JDK-8215771: The jfr tool should pretty print reference chains
+ JDK-8216064: -XX:StartFlightRecording:settings= doesn't work
properly
+ JDK-8216486: Possibility of integer overflow in
JfrThreadSampler::run()
+ JDK-8216528: test/jdk/java/rmi/transport/
/runtimeThreadInheritanceLeak/
/RuntimeThreadInheritanceLeak.java failing with Xcomp
+ JDK-8216559: [JFR] Native libraries not correctly parsed from
/proc/self/maps
+ JDK-8216578: Remove unused/obsolete method in JFR code
+ JDK-8216995: Clean up JFR command line processing
+ JDK-8217744: [TESTBUG] JFR TestShutdownEvent fails on some
systems due to process surviving SIGINT
+ JDK-8217748: [TESTBUG] Exclude TestSig test case from JFR
TestShutdownEvent
+ JDK-8218935: Make jfr strncpy uses GCC 8.x friendly
+ JDK-8223147: JFR Backport
+ JDK-8223689: Add JFR Thread Sampling Support
+ JDK-8223690: Add JFR BiasedLock Event Support
+ JDK-8223691: Add JFR G1 Region Type Change Event Support
+ JDK-8223692: Add JFR G1 Heap Summary Event Support
+ JDK-8224172: assert(jfr_is_event_enabled(id)) failed:
invariant
+ JDK-8224475: JTextPane does not show images in HTML rendering
+ JDK-8226253: JAWS reports wrong number of radio buttons when
buttons are hidden.
+ JDK-8226779: [TESTBUG] Test JFR API from Java agent
+ JDK-8226892: ActionListeners on JRadioButtons don't get
notified when selection is changed with arrow keys
+ JDK-8227011: Starting a JFR recording in response to JVMTI
VMInit and / or Java agent premain corrupts memory
+ JDK-8227605: Kitchensink fails 'assert((((klass)->trace_id()
& (JfrTraceIdEpoch::leakp_in_use_this_epoch_bit())) != 0))
failed: invariant'
+ JDK-8229366: JFR backport allows unchecked writing to memory
+ JDK-8229401: Fix JFR code cache test failures
+ JDK-8229708: JFR backport code does not initialize
+ JDK-8229873: 8229401 broke jdk8u-jfr-incubator
+ JDK-8230448: [test] JFRSecurityTestSuite.java is failing on
Windows
+ JDK-8230707: JFR related tests are failing
+ JDK-8230782: Robot.createScreenCapture() fails if
'awt.robot.gtk' is set to false
+ JDK-8230856: Java_java_net_NetworkInterface_getByName0 on
unix misses ReleaseStringUTFChars in early return
+ JDK-8230947: TestLookForUntestedEvents.java is failing after
JDK-8230707
+ JDK-8231995: two jtreg tests failed after 8229366 is fixed
+ JDK-8233623: Add classpath exception to copyright in
EventHandlerProxyCreator.java file
+ JDK-8236002: CSR for JFR backport suggests not leaving out
the package-info
+ JDK-8236008: Some backup files were accidentally left in the
hotspot tree
+ JDK-8236074: Missed package-info
+ JDK-8236174: Should update javadoc since tags
+ JDK-8238076: Fix OpenJDK 7 Bootstrap Broken by JFR Backport
+ JDK-8238452: Keytool generates wrong expiration date if
validity is set to 2050/01/01
+ JDK-8238555: Allow Initialization of SunPKCS11 with NSS when
there are external FIPS modules in the NSSDB
+ JDK-8238589: Necessary code cleanup in JFR for JDK8u
+ JDK-8238590: Enable JFR by default during compilation in 8u
+ JDK-8239055: Wrong implementation of VMState.hasListener
+ JDK-8239476: JDK-8238589 broke windows build by moving
OrderedPair
+ JDK-8239479: minimal1 and zero builds are failing
+ JDK-8239867: correct over use of INCLUDE_JFR macro
+ JDK-8240375: Disable JFR by default for July 2020 release
+ JDK-8241444: Metaspace::_class_vsm not initialized if
compressed class pointers are disabled
+ JDK-8241902: AIX Build broken after integration of
JDK-8223147 (JFR Backport)
+ JDK-8242788: Non-PCH build is broken after JDK-8191393
* Import of OpenJDK 8 u262 build 02
+ JDK-8130737: AffineTransformOp can't handle child raster with
non-zero x-offset
+ JDK-8172559: [PIT][TEST_BUG] Move @test to be 1st annotation
in java/awt/image/Raster/TestChildRasterOp.java
+ JDK-8230926: [macosx] Two apostrophes are entered instead of
one with 'U.S. International - PC' layout
+ JDK-8240576: JVM crashes after transformation in C2
IdealLoopTree::merge_many_backedges
+ JDK-8242883: Incomplete backport of JDK-8078268: backport
test part
* Import of OpenJDK 8 u262 build 03
+ JDK-8037866: Replace the Fun class in tests with lambdas
+ JDK-8146612: C2: Precedence edges specification violated
+ JDK-8150986: serviceability/sa/jmap-hprof/
/JMapHProfLargeHeapTest.java failing because expects HPROF
JAVA PROFILE 1.0.1 file format
+ JDK-8229888: (zipfs) Updating an existing zip file does not
preserve original permissions
+ JDK-8230597: Update GIFlib library to the 5.2.1
+ JDK-8230769: BufImg_SetupICM add
ReleasePrimitiveArrayCritical call in early return
+ JDK-8233880, PR3798: Support compilers with multi-digit major
version numbers
+ JDK-8239852: java/util/concurrent tests fail with
-XX:+VerifyGraphEdges: assert(!VerifyGraphEdges) failed:
verification should have failed
+ JDK-8241638: launcher time metrics always report 1 on Linux
when _JAVA_LAUNCHER_DEBUG set
+ JDK-8243059: Build fails when --with-vendor-name contains a
comma
+ JDK-8243474: [TESTBUG] removed three tests of 0 bytes
+ JDK-8244461: [JDK 8u] Build fails with glibc 2.32
+ JDK-8244548: JDK 8u: sun.misc.Version.jdkUpdateVersion()
returns wrong result
* Import of OpenJDK 8 u262 build 04
+ JDK-8067796: (process) Process.waitFor(timeout, unit) doesn't
throw NPE if timeout is less than, or equal to zero when unit
== null
+ JDK-8148886: SEGV in sun.java2d.marlin.Renderer._endRendering
+ JDK-8171934:
ObjectSizeCalculator.getEffectiveMemoryLayoutSpecification()
does not recognize OpenJDK's HotSpot VM
+ JDK-8196969: JTreg Failure:
serviceability/sa/ClhsdbJstack.java causes NPE
+ JDK-8243539: Copyright info (Year) should be updated for fix
of 8241638
+ JDK-8244777: ClassLoaderStats VM Op uses constant hash value
* Import of OpenJDK 8 u262 build 05
+ JDK-7147060: com/sun/org/apache/xml/internal/security/
/transforms/ClassLoaderTest.java doesn't run in agentvm mode
+ JDK-8178374: Problematic ByteBuffer handling in
CipherSpi.bufferCrypt method
+ JDK-8181841: A TSA server returns timestamp with precision
higher than milliseconds
+ JDK-8227269: Slow class loading when running with JDWP
+ JDK-8229899: Make java.io.File.isInvalid() less racy
+ JDK-8236996: Incorrect Roboto font rendering on Windows with
subpixel antialiasing
+ JDK-8241750: x86_32 build failure after JDK-8227269
+ JDK-8244407: JVM crashes after transformation in C2
IdealLoopTree::split_fall_in
+ JDK-8244843: JapanEraNameCompatTest fails
* Import of OpenJDK 8 u262 build 06
+ JDK-8246223: Windows build fails after JDK-8227269
* Import of OpenJDK 8 u262 build 07
+ JDK-8233197: Invert JvmtiExport::post_vm_initialized() and
Jfr:on_vm_start() start-up order for correct option parsing
+ JDK-8243541: (tz) Upgrade time-zone data to tzdata2020a
+ JDK-8245167: Top package in method profiling shows null in JMC
+ JDK-8246703: [TESTBUG] Add test for JDK-8233197
* Import of OpenJDK 8 u262 build 08
+ JDK-8220293: Deadlock in JFR string pool
+ JDK-8225068: Remove DocuSign root certificate that is
expiring in May 2020
+ JDK-8225069: Remove Comodo root certificate that is expiring
in May 2020
* Import of OpenJDK 8 u262 build 09
+ JDK-8248399: Build installs jfr binary when JFR is disabled
* Import of OpenJDK 8 u262 build 10
+ JDK-8248715: New JavaTimeSupplementary localisation for 'in'
installed in wrong package
* Import of OpenJDK 8 u265 build 01
+ JDK-8249677: Regression in 8u after JDK-8237117: Better
ForkJoinPool behavior
+ JDK-8250546: Expect changed behaviour reported in JDK-8249846
* Import of OpenJDK 8 u272 build 01
+ JDK-8006205: [TESTBUG] NEED_TEST: please JTREGIFY
test/compiler/7177917/Test7177917.java
+ JDK-8035493: JVMTI PopFrame capability must instruct
compilers not to prune locals
+ JDK-8036088: Replace strtok() with its safe equivalent
strtok_s() in DefaultProxySelector.c
+ JDK-8039082: [TEST_BUG] Test java/awt/dnd/
/BadSerializationTest/BadSerializationTest.java fails
+ JDK-8075774: Small readability and performance improvements
for zipfs
+ JDK-8132206: move ScanTest.java into OpenJDK
+ JDK-8132376: Add @requires os.family to the client tests with
access to internal OS-specific API
+ JDK-8132745: minor cleanup of java/util/Scanner/ScanTest.java
+ JDK-8137087: [TEST_BUG] Cygwin failure of java/awt/
/appletviewer/IOExceptionIfEncodedURLTest/
/IOExceptionIfEncodedURLTest.sh
+ JDK-8145808: java/awt/Graphics2D/MTGraphicsAccessTest/
/MTGraphicsAccessTest.java hangs on Win. 8
+ JDK-8151788: NullPointerException from ntlm.Client.type3
+ JDK-8151834: Test SmallPrimeExponentP.java times out
intermittently
+ JDK-8153430: jdk regression test MletParserLocaleTest,
ParserInfiniteLoopTest reduce default timeout
+ JDK-8153583: Make OutputAnalyzer.reportDiagnosticSummary
public
+ JDK-8156169: Some sound tests rarely hangs because of
incorrect synchronization
+ JDK-8165936: Potential Heap buffer overflow when seaching
timezone info files
+ JDK-8166148: Fix for JDK-8165936 broke solaris builds
+ JDK-8167300: Scheduling failures during gcm should be fatal
+ JDK-8167615: Opensource unit/regression tests for JavaSound
+ JDK-8172012: [TEST_BUG] delays needed in
javax/swing/JTree/4633594/bug4633594.java
+ JDK-8177628: Opensource unit/regression tests for ImageIO
+ JDK-8183341: Better cleanup for javax/imageio/AllowSearch.java
+ JDK-8183351: Better cleanup for jdk/test/javax/imageio/spi/
/AppletContextTest/BadPluginConfigurationTest.sh
+ JDK-8193137: Nashorn crashes when given an empty script file
+ JDK-8194298: Add support for per Socket configuration of TCP
keepalive
+ JDK-8198004: javax/swing/JFileChooser/6868611/bug6868611.java
throws error
+ JDK-8200313: java/awt/Gtk/GtkVersionTest/GtkVersionTest.java
fails
+ JDK-8210147: adjust some WSAGetLastError usages in windows
network coding
+ JDK-8211714: Need to update vm_version.cpp to recognise
VS2017 minor versions
+ JDK-8214862: assert(proj != __null) at compile.cpp:3251
+ JDK-8217606: LdapContext#reconnect always opens a new
connection
+ JDK-8217647: JFR: recordings on 32-bit systems unreadable
+ JDK-8226697: Several tests which need the @key headful
keyword are missing it.
+ JDK-8229378: jdwp library loader in linker_md.c quietly
truncates on buffer overflow
+ JDK-8230303: JDB hangs when running monitor command
+ JDK-8230711: ConnectionGraph::unique_java_object(Node* N)
return NULL if n is not in the CG
+ JDK-8234617: C1: Incorrect result of field load due to
missing narrowing conversion
+ JDK-8235243: handle VS2017 15.9 and VS2019 in
abstract_vm_version
+ JDK-8235325: build failure on Linux after 8235243
+ JDK-8235687: Contents/MacOS/libjli.dylib cannot be a symlink
+ JDK-8237951: CTW: C2 compilation fails with 'malformed
control flow'
+ JDK-8238225: Issues reported after replacing symlink at
Contents/MacOS/libjli.dylib with binary
+ JDK-8239385: KerberosTicket client name refers wrongly to
sAMAccountName in AD
+ JDK-8239819: XToolkit: Misread of screen information memory
+ JDK-8240295: hs_err elapsed time in seconds is not accurate
enough
+ JDK-8241888: Mirror jdk.security.allowNonCaAnchor system
property with a security one
+ JDK-8242498: Invalid 'sun.awt.TimedWindowEvent' object leads
to JVM crash
+ JDK-8243489: Thread CPU Load event may contain wrong data for
CPU time under certain conditions
+ JDK-8244818: Java2D Queue Flusher crash while moving
application window to external monitor
+ JDK-8246310: Clean commented-out code about ModuleEntry
and PackageEntry in JFR
+ JDK-8246384: Enable JFR by default on supported architectures
for October 2020 release
+ JDK-8248643: Remove extra leading space in JDK-8240295 8u
backport
+ JDK-8249610: Make
sun.security.krb5.Config.getBooleanObject(String... keys)
method public
* Import of OpenJDK 8 u272 build 02
+ JDK-8023697: failed class resolution reports different class
name in detail message for the first and subsequent times
+ JDK-8025886: replace [[ and == bash extensions in regtest
+ JDK-8046274: Removing dependency on jakarta-regexp
+ JDK-8048933: -XX:+TraceExceptions output should include the
message
+ JDK-8076151: [TESTBUG] Test java/awt/FontClass/CreateFont/
/fileaccess/FontFile.java fails
+ JDK-8148854: Class names 'SomeClass' and 'LSomeClass;'
treated by JVM as an equivalent
+ JDK-8154313: Generated javadoc scattered all over the place
+ JDK-8163251: Hard coded loop limit prevents reading of smart
card data greater than 8k
+ JDK-8173300: [TESTBUG]compiler/tiered/NonTieredLevelsTest.java
fails with compiler.whitebox.SimpleTestCaseHelper(int) must be
compiled
+ JDK-8183349: Better cleanup for jdk/test/javax/imageio/
/plugins/shared/CanWriteSequence.java and WriteAfterAbort.java
+ JDK-8191678: [TESTBUG] Add keyword headful in java/awt
FocusTransitionTest test.
+ JDK-8201633: Problems with AES-GCM native acceleration
+ JDK-8211049: Second parameter of 'initialize' method is not
used
+ JDK-8219566: JFR did not collect call stacks when
MaxJavaStackTraceDepth is set to zero
+ JDK-8220165: Encryption using GCM results in
RuntimeException- input length out of bound
+ JDK-8220555: JFR tool shows potentially misleading message
when it cannot access a file
+ JDK-8224217: RecordingInfo should use textual representation
of path
+ JDK-8231779: crash
HeapWord*ParallelScavengeHeap::failed_mem_allocate
+ JDK-8238380, PR3798: java.base/unix/native/libjava/childproc.c
'multiple definition' link errors with GCC10
+ JDK-8238386, PR3798: (sctp) jdk.sctp/unix/native/libsctp/
/SctpNet.c 'multiple definition' link errors with GCC10
+ JDK-8238388, PR3798: libj2gss/NativeFunc.o 'multiple
definition' link errors with GCC10
+ JDK-8242556: Cannot load RSASSA-PSS public key with non-null
params from byte array
+ JDK-8250755: Better cleanup for jdk/test/javax/imageio/
/plugins/shared/CanWriteSequence.java
* Import of OpenJDK 8 u272 build 03
+ JDK-6574989: TEST_BUG:
javax/sound/sampled/Clip/bug5070081.java fails sometimes
+ JDK-8148754: C2 loop unrolling fails due to unexpected graph
shape
+ JDK-8192953: sun/management/jmxremote/bootstrap/*.sh tests
fail with error : revokeall.exe: Permission denied
+ JDK-8203357: Container Metrics
+ JDK-8209113: Use WeakReference for lastFontStrike for created
Fonts
+ JDK-8216283: Allow shorter method sampling interval than 10 ms
+ JDK-8221569: JFR tool produces incorrect output when both
--categories and --events are specified
+ JDK-8233097: Fontmetrics for large Fonts has zero width
+ JDK-8248851: CMS: Missing memory fences between free chunk
check and klass read
+ JDK-8250875: Incorrect parameter type for update_number in
JDK_Version::jdk_update
* Import of OpenJDK 8 u272 build 04
+ JDK-8061616: HotspotDiagnosticMXBean.getVMOption() throws
IllegalArgumentException for flags of type double
+ JDK-8177334: Update xmldsig implementation to Apache
Santuario 2.1.1
+ JDK-8217878: ENVELOPING XML signature no longer works in JDK
11
+ JDK-8218629: XML Digital Signature throws NAMESPACE_ERR
exception on OpenJDK 11, works 8/9/10
+ JDK-8243138: Enhance BaseLdapServer to support starttls
extended request
* Import of OpenJDK 8 u272 build 05
+ JDK-8026236: Add PrimeTest for BigInteger
+ JDK-8057003: Large reference arrays cause extremely long
synchronization times
+ JDK-8060721: Test runtime/SharedArchiveFile/
/LimitSharedSizes.java fails in jdk 9 fcs new
platforms/compiler
+ JDK-8152077: (cal) Calendar.roll does not always roll the
hours during daylight savings
+ JDK-8168517: java/lang/ProcessBuilder/Basic.java failed
+ JDK-8211163: UNIX version of Java_java_io_Console_echo does
not return a clean boolean
+ JDK-8220674: [TESTBUG] MetricsMemoryTester failcount test in
docker container only works with debug JVMs
+ JDK-8231213: Migrate SimpleDateFormatConstTest to JDK Repo
+ JDK-8236645: JDK 8u231 introduces a regression with
incompatible handling of XML messages
+ JDK-8240676: Meet not symmetric failure when running lucene
on jdk8
+ JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA
program
+ JDK-8249158: THREAD_START and THREAD_END event posted in
primordial phase
+ JDK-8250627: Use -XX:+/-UseContainerSupport for
enabling/disabling Java container metrics
+ JDK-8251546: 8u backport of JDK-8194298 breaks AIX and
Solaris builds
+ JDK-8252084: Minimal VM fails to bootcycle: undefined symbol:
AgeTableTracer::is_tenuring_distribution_event_enabled
* Import of OpenJDK 8 u272 build 06
+ JDK-8064319: Need to enable -XX:+TraceExceptions in release
builds
+ JDK-8080462, PR3801: Update SunPKCS11 provider with PKCS11
v2.40 support
+ JDK-8160768: Add capability to custom resolve host/domain
names within the default JNDI LDAP provider
+ JDK-8161973: PKIXRevocationChecker.getSoftFailExceptions()
not working
+ JDK-8169925, PR3801: PKCS #11 Cryptographic Token Interface
license
+ JDK-8184762: ZapStackSegments should use optimized memset
+ JDK-8193234: When using -Xcheck:jni an internally allocated
buffer can leak
+ JDK-8219919: RuntimeStub name lost with
PrintFrameConverterAssembly
+ JDK-8220313: [TESTBUG] Update base image for Docker testing
to OL 7.6
+ JDK-8222079: Don't use memset to initialize fields decode_env
constructor in disassembler.cpp
+ JDK-8225695: 32-bit build failures after JDK-8080462 (Update
SunPKCS11 provider with PKCS11 v2.40 support)
+ JDK-8226575: OperatingSystemMXBean should be made container
aware
+ JDK-8226809: Circular reference in printed stack trace is not
correctly indented & ambiguous
+ JDK-8228835: Memory leak in PKCS11 provider when using AES GCM
+ JDK-8233621: Mismatch in jsse.enableMFLNExtension property
name
+ JDK-8238898, PR3801: Missing hash characters for header on
license file
+ JDK-8243320: Add SSL root certificates to Oracle Root CA
program
+ JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest
release 1.8.26
+ JDK-8245467: Remove 8u TLSv1.2 implementation files
+ JDK-8245469: Remove DTLS protocol implementation
+ JDK-8245470: Fix JDK8 compatibility issues
+ JDK-8245471: Revert JDK-8148188
+ JDK-8245472: Backport JDK-8038893 to JDK8
+ JDK-8245473: OCSP stapling support
+ JDK-8245474: Add TLS_KRB5 cipher suites support according to
RFC-2712
+ JDK-8245476: Disable TLSv1.3 protocol in the ClientHello
message by default
+ JDK-8245477: Adjust TLS tests location
+ JDK-8245653: Remove 8u TLS tests
+ JDK-8245681: Add TLSv1.3 regression test from 11.0.7
+ JDK-8251117: Cannot check P11Key size in P11Cipher and
P11AEADCipher
+ JDK-8251120, PR3793: [8u] HotSpot build assumes ENABLE_JFR is
set to either true or false
+ JDK-8251341: Minimal Java specification change
+ JDK-8251478: Backport TLSv1.3 regression tests to JDK8u
* Import of OpenJDK 8 u272 build 07
+ JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ
* Import of OpenJDK 8 u272 build 08
+ JDK-8062947: Fix exception message to correctly represent
LDAP connection failure
+ JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed
due to timeout on DeadServerNoTimeoutTest is incorrect
+ JDK-8252573: 8u: Windows build failed after 8222079 backport
* Import of OpenJDK 8 u272 build 09
+ JDK-8252886: [TESTBUG] sun/security/ec/TestEC.java :
Compilation failed
* Import of OpenJDK 8 u272 build 10
+ JDK-8254673: Call to JvmtiExport::post_vm_start() was removed
by the fix for JDK-8249158
+ JDK-8254937: Revert JDK-8148854 for 8u272
* Backports
+ JDK-8038723, PR3806: Openup some PrinterJob tests
+ JDK-8041480, PR3806: ArrayIndexOutOfBoundsException when
JTable contains certain string
+ JDK-8058779, PR3805: Faster implementation of
String.replace(CharSequence, CharSequence)
+ JDK-8130125, PR3806: [TEST_BUG] add @modules to the several
client tests unaffected by the automated bulk update
+ JDK-8144015, PR3806: [PIT] failures of text layout font tests
+ JDK-8144023, PR3806: [PIT] failure of text measurements in
javax/swing/text/html/parser/Parser/6836089/bug6836089.java
+ JDK-8144240, PR3806: [macosx][PIT] AIOOB in
closed/javax/swing/text/GlyphPainter2/6427244/bug6427244.java
+ JDK-8145542, PR3806: The case failed automatically and thrown
java.lang.ArrayIndexOutOfBoundsException exception
+ JDK-8151725, PR3806: [macosx] ArrayIndexOOB exception when
displaying Devanagari text in JEditorPane
+ JDK-8152358, PR3800: code and comment cleanups found during
the hunt for 8077392
+ JDK-8152545, PR3804: Use preprocessor instead of compiling a
program to generate native nio constants
+ JDK-8152680, PR3806: Regression in
GlyphVector.getGlyphCharIndex behaviour
+ JDK-8158924, PR3806: Incorrect i18n text document layout
+ JDK-8166003, PR3806: [PIT][TEST_BUG] missing helper for
javax/swing/text/GlyphPainter2/6427244/bug6427244.java
+ JDK-8166068, PR3806: test/java/awt/font/GlyphVector/
/GetGlyphCharIndexTest.java does not compile
+ JDK-8169879, PR3806: [TEST_BUG] javax/swing/text/
/GlyphPainter2/6427244/bug6427244.java - compilation failed
+ JDK-8191512, PR3806: T2K font rasterizer code removal
+ JDK-8191522, PR3806: Remove Bigelow&Holmes Lucida fonts from
JDK sources
+ JDK-8236512, PR3801: PKCS11 Connection closed after
Cipher.doFinal and NoPadding
+ JDK-8254177, PR3809: (tz) Upgrade time-zone data to
tzdata2020b
* Bug fixes
+ PR3798: Fix format-overflow error on GCC 10, caused by
passing NULL to a '%s' directive
+ PR3795: ECDSAUtils for XML digital signatures should support
the same curve set as the rest of the JDK
+ PR3799: Adapt elliptic curve patches to JDK-8245468: Add
TLSv1.3 implementation classes from 11.0.7
+ PR3808: IcedTea does not install the JFR *.jfc files
+ PR3810: Enable JFR on x86 (32-bit) now that JDK-8252096 has
fixed its use with Shenandoah
+ PR3811: Don't attempt to install JFR files when JFR is
disabled
* Shenandoah
+ [backport] 8221435: Shenandoah should not mark through weak
roots
+ [backport] 8221629: Shenandoah: Cleanup class unloading logic
+ [backport] 8222992: Shenandoah: Pre-evacuate all roots
+ [backport] 8223215: Shenandoah: Support verifying subset of
roots
+ [backport] 8223774: Shenandoah: Refactor
ShenandoahRootProcessor and family
+ [backport] 8224210: Shenandoah: Refactor
ShenandoahRootScanner to support scanning CSet codecache roots
+ [backport] 8224508: Shenandoah: Need to update thread roots
in final mark for piggyback ref update cycle
+ [backport] 8224579: ResourceMark not declared in
shenandoahRootProcessor.inline.hpp with
--disable-precompiled-headers
+ [backport] 8224679: Shenandoah: Make
ShenandoahParallelCodeCacheIterator noncopyable
+ [backport] 8224751: Shenandoah: Shenandoah Verifier should
select proper roots according to current GC cycle
+ [backport] 8225014: Separate ShenandoahRootScanner method for
object_iterate
+ [backport] 8225216: gc/logging/TestMetaSpaceLog.java doesn't
work for Shenandoah
+ [backport] 8225573: Shenandoah: Enhance ShenandoahVerifier to
ensure roots to-space invariant
+ [backport] 8225590: Shenandoah: Refactor
ShenandoahClassLoaderDataRoots API
+ [backport] 8226413: Shenandoah: Separate root scanner for
SH::object_iterate()
+ [backport] 8230853: Shenandoah: replace leftover
assert(is_in(...)) with rich asserts
+ [backport] 8231198: Shenandoah: heap walking should visit all
roots most of the time
+ [backport] 8231244: Shenandoah: all-roots heap walking misses
some weak roots
+ [backport] 8237632: Shenandoah: accept NULL fwdptr to
cooperate with JVMTI and JFR
+ [backport] 8239786: Shenandoah: print per-cycle statistics
+ [backport] 8239926: Shenandoah: Shenandoah needs to mark
nmethod's metadata
+ [backport] 8240671: Shenandoah: refactor
ShenandoahPhaseTimings
+ [backport] 8240749: Shenandoah: refactor ShenandoahUtils
+ [backport] 8240750: Shenandoah: remove leftover files and
mentions of ShenandoahAllocTracker
+ [backport] 8240868: Shenandoah: remove CM-with-UR
piggybacking cycles
+ [backport] 8240872: Shenandoah: Avoid updating new regions
from start of evacuation
+ [backport] 8240873: Shenandoah: Short-cut arraycopy barriers
+ [backport] 8240915: Shenandoah: Remove unused fields in init
mark tasks
+ [backport] 8240948: Shenandoah: cleanup not-forwarded-objects
paths after JDK-8240868
+ [backport] 8241007: Shenandoah: remove
ShenandoahCriticalControlThreadPriority support
+ [backport] 8241062: Shenandoah: rich asserts trigger 'empty
statement' inspection
+ [backport] 8241081: Shenandoah: Do not modify
update-watermark concurrently
+ [backport] 8241093: Shenandoah: editorial changes in flag
descriptions
+ [backport] 8241139: Shenandoah: distribute mark-compact work
exactly to minimize fragmentation
+ [backport] 8241142: Shenandoah: should not use parallel
reference processing with single GC thread
+ [backport] 8241351: Shenandoah: fragmentation metrics overhaul
+ [backport] 8241435: Shenandoah: avoid disabling pacing with
'aggressive'
+ [backport] 8241520: Shenandoah: simplify region sequence
numbers handling
+ [backport] 8241534: Shenandoah: region status should include
update watermark
+ [backport] 8241574: Shenandoah: remove
ShenandoahAssertToSpaceClosure
+ [backport] 8241583: Shenandoah: turn heap lock asserts into
macros
+ [backport] 8241668: Shenandoah: make ShenandoahHeapRegion not
derive from ContiguousSpace
+ [backport] 8241673: Shenandoah: refactor anti-false-sharing
padding
+ [backport] 8241675: Shenandoah: assert(n->outcnt() > 0) at
shenandoahSupport.cpp:2858 with
java/util/Collections/FindSubList.java
+ [backport] 8241692: Shenandoah: remove
ShenandoahHeapRegion::_reserved
+ [backport] 8241700: Shenandoah: Fold
ShenandoahKeepAliveBarrier flag into ShenandoahSATBBarrier
+ [backport] 8241740: Shenandoah: remove
ShenandoahHeapRegion::_heap
+ [backport] 8241743: Shenandoah: refactor and inline
ShenandoahHeap::heap()
+ [backport] 8241748: Shenandoah: inline MarkingContext TAMS
methods
+ [backport] 8241838: Shenandoah: no need to trash cset during
final mark
+ [backport] 8241841: Shenandoah: ditch one of allocation type
counters in ShenandoahHeapRegion
+ [backport] 8241842: Shenandoah: inline
ShenandoahHeapRegion::region_number
+ [backport] 8241844: Shenandoah: rename
ShenandoahHeapRegion::region_number
+ [backport] 8241845: Shenandoah: align ShenandoahHeapRegions
to cache lines
+ [backport] 8241926: Shenandoah: only print heap changes for
operations that directly affect it
+ [backport] 8241983: Shenandoah: simplify FreeSet logging
+ [backport] 8241985: Shenandoah: simplify collectable garbage
logging
+ [backport] 8242040: Shenandoah: print allocation failure type
+ [backport] 8242041: Shenandoah: adaptive heuristics should
account evac reserve in free target
+ [backport] 8242042: Shenandoah: tune down
ShenandoahGarbageThreshold
+ [backport] 8242054: Shenandoah: New incremental-update mode
+ [backport] 8242075: Shenandoah: rename
ShenandoahHeapRegionSize flag
+ [backport] 8242082: Shenandoah: Purge Traversal mode
+ [backport] 8242083: Shenandoah: split 'Prepare Evacuation'
tracking into cset/freeset counters
+ [backport] 8242089: Shenandoah: per-worker stats should be
summed up, not averaged
+ [backport] 8242101: Shenandoah: coalesce and parallelise heap
region walks during the pauses
+ [backport] 8242114: Shenandoah: remove
ShenandoahHeapRegion::reset_alloc_metadata_to_shared
+ [backport] 8242130: Shenandoah: Simplify arraycopy-barrier
dispatching
+ [backport] 8242211: Shenandoah: remove
ShenandoahHeuristics::RegionData::_seqnum_last_alloc
+ [backport] 8242212: Shenandoah: initialize
ShenandoahHeuristics::_region_data eagerly
+ [backport] 8242213: Shenandoah: remove
ShenandoahHeuristics::_bytes_in_cset
+ [backport] 8242217: Shenandoah: Enable GC mode to be
diagnostic/experimental and have a name
+ [backport] 8242227: Shenandoah: transit regions to cset state
when adding to collection set
+ [backport] 8242228: Shenandoah: remove unused
ShenandoahCollectionSet methods
+ [backport] 8242229: Shenandoah: inline ShenandoahHeapRegion
liveness-related methods
+ [backport] 8242267: Shenandoah: regions space needs to be
aligned by os::vm_allocation_granularity()
+ [backport] 8242271: Shenandoah: add test to verify GC mode
unlock
+ [backport] 8242273: Shenandoah: accept either SATB or IU
barriers, but not both
+ [backport] 8242301: Shenandoah: Inline LRB runtime call
+ [backport] 8242316: Shenandoah: Turn NULL-check into assert
in SATB slow-path entry
+ [backport] 8242353: Shenandoah: micro-optimize region
liveness handling
+ [backport] 8242365: Shenandoah: use uint16_t instead of
jushort for liveness cache
+ [backport] 8242375: Shenandoah: Remove
ShenandoahHeuristic::record_gc_start/end methods
+ [backport] 8242641: Shenandoah: clear live data and update
TAMS optimistically
+ [backport] 8243238: Shenandoah: explicit GC request should
wait for a complete GC cycle
+ [backport] 8243301: Shenandoah: ditch
ShenandoahAllowMixedAllocs
+ [backport] 8243307: Shenandoah: remove
ShCollectionSet::live_data
+ [backport] 8243395: Shenandoah: demote guarantee in
ShenandoahPhaseTimings::record_workers_end
+ [backport] 8243463: Shenandoah: ditch total_pause counters
+ [backport] 8243464: Shenandoah: print statistic counters in
time order
+ [backport] 8243465: Shenandoah: ditch unused pause_other,
conc_other counters
+ [backport] 8243487: Shenandoah: make _num_phases illegal
phase type
+ [backport] 8243494: Shenandoah: set counters once per cycle
+ [backport] 8243573: Shenandoah: rename GCParPhases and
related code
+ [backport] 8243848: Shenandoah: Windows build fails after
JDK-8239786
+ [backport] 8244180: Shenandoah: carry Phase to
ShWorkerTimingsTracker explicitly
+ [backport] 8244200: Shenandoah: build breakages after
JDK-8241743
+ [backport] 8244226: Shenandoah: per-cycle statistics contain
worker data from previous cycles
+ [backport] 8244326: Shenandoah: global statistics should not
accept bogus samples
+ [backport] 8244509: Shenandoah: refactor
ShenandoahBarrierC2Support::test_* methods
+ [backport] 8244551: Shenandoah: Fix racy update of
update_watermark
+ [backport] 8244667: Shenandoah: SBC2Support::test_gc_state
takes loop for wrong control
+ [backport] 8244730: Shenandoah: gc/shenandoah/options/
/TestHeuristicsUnlock.java should only verify the heuristics
+ [backport] 8244732: Shenandoah: move heuristics code to
gc/shenandoah/heuristics
+ [backport] 8244737: Shenandoah: move mode code to
gc/shenandoah/mode
+ [backport] 8244739: Shenandoah: break superclass dependency
on ShenandoahNormalMode
+ [backport] 8244740: Shenandoah: rename ShenandoahNormalMode
to ShenandoahSATBMode
+ [backport] 8245461: Shenandoah: refine mode name()-s
+ [backport] 8245463: Shenandoah: refine ShenandoahPhaseTimings
constructor arguments
+ [backport] 8245464: Shenandoah: allocate collection set
bitmap at lower addresses
+ [backport] 8245465: Shenandoah: test_in_cset can use more
efficient encoding
+ [backport] 8245726: Shenandoah: lift/cleanup
ShenandoahHeuristics names and properties
+ [backport] 8245754: Shenandoah: ditch ShenandoahAlwaysPreTouch
+ [backport] 8245757: Shenandoah: AlwaysPreTouch should not
disable heap resizing or uncommits
+ [backport] 8245773: Shenandoah: Windows assertion failure
after JDK-8245464
+ [backport] 8245812: Shenandoah: compute root phase parallelism
+ [backport] 8245814: Shenandoah: reconsider format specifiers
for stats
+ [backport] 8245825: Shenandoah: Remove diagnostic flag
ShenandoahConcurrentScanCodeRoots
+ [backport] 8246162: Shenandoah: full GC does not mark code
roots when class unloading is off
+ [backport] 8247310: Shenandoah: pacer should not affect
interrupt status
+ [backport] 8247358: Shenandoah: reconsider free budget slice
for marking
+ [backport] 8247367: Shenandoah: pacer should wait on lock
instead of exponential backoff
+ [backport] 8247474: Shenandoah: Windows build warning after
JDK-8247310
+ [backport] 8247560: Shenandoah: heap iteration holds root
locks all the time
+ [backport] 8247593: Shenandoah: should not block pacing
reporters
+ [backport] 8247751: Shenandoah: options tests should run with
smaller heaps
+ [backport] 8247754: Shenandoah: mxbeans tests can be shorter
+ [backport] 8247757: Shenandoah: split heavy tests by
heuristics to improve parallelism
+ [backport] 8247860: Shenandoah: add update watermark line in
rich assert failure message
+ [backport] 8248041: Shenandoah: pre-Full GC root updates may
miss some roots
+ [backport] 8248652: Shenandoah: SATB buffer handling may
assume no forwarded objects
+ [backport] 8249560: Shenandoah: Fix racy GC request handling
+ [backport] 8249649: Shenandoah: provide per-cycle pacing stats
+ [backport] 8249801: Shenandoah: Clear soft-refs on requested
GC cycle
+ [backport] 8249953: Shenandoah: gc/shenandoah/mxbeans tests
should account for corner cases
+ Fix slowdebug build after JDK-8230853 backport
+ JDK-8252096: Shenandoah: adjust SerialPageShiftCount for
x86_32 and JFR
+ JDK-8252366: Shenandoah: revert/cleanup changes in
graphKit.cpp
+ Shenandoah: add JFR roots to root processor after JFR
integration
+ Shenandoah: add root statistics for string dedup table/queues
+ Shenandoah: enable low-frequency STW class unloading
+ Shenandoah: fix build failures after JDK-8244737 backport
+ Shenandoah: Fix build failure with +JFR -PCH
+ Shenandoah: fix forceful pacer claim
+ Shenandoah: fix formats in
ShenandoahStringSymbolTableUnlinkTask
+ Shenandoah: fix runtime linking failure due to non-compiled
shenandoahBarrierSetC1
+ Shenandoah: hook statistics printing to PrintGCDetails, not
PrintGC
+ Shenandoah: JNI weak roots are always cleared before Full GC
mark
+ Shenandoah: missing SystemDictionary roots in
ShenandoahHeapIterationRootScanner
+ Shenandoah: move barrier sets to their proper locations
+ Shenandoah: move parallelCleaning.* to shenandoah/
+ Shenandoah: pacer should use proper Atomics for intptr_t
+ Shenandoah: properly deallocates class loader metadata
+ Shenandoah: specialize String Table scans for better pause
performance
+ Shenandoah: Zero build fails after recent Atomic cleanup in
Pacer
* AArch64 port
+ JDK-8161072, PR3797: AArch64: jtreg
compiler/uncommontrap/TestDeoptOOM failure
+ JDK-8171537, PR3797: aarch64: compiler/c1/Test6849574.java
generates guarantee failure in C1
+ JDK-8183925, PR3797: [AArch64] Decouple crash protection from
watcher thread
+ JDK-8199712, PR3797: [AArch64] Flight Recorder
+ JDK-8203481, PR3797: Incorrect constraint for unextended_sp
in frame:safe_for_sender
+ JDK-8203699, PR3797: java/lang/invoke/SpecialInterfaceCall
fails with SIGILL on aarch64
+ JDK-8209413, PR3797: AArch64: NPE in clhsdb jstack command
+ JDK-8215961, PR3797: jdk/jfr/event/os/TestCPUInformation.java
fails on AArch64
+ JDK-8216989, PR3797:
CardTableBarrierSetAssembler::gen_write_ref_array_post_barrier()
does not check for zero length on AARCH64
+ JDK-8217368, PR3797: AArch64: C2 recursive stack locking
optimisation not triggered
+ JDK-8221658, PR3797: aarch64: add necessary predicate for
ubfx patterns
+ JDK-8237512, PR3797: AArch64: aarch64TestHook leaks a
BufferBlob
+ JDK-8246482, PR3797: Build failures with +JFR -PCH
+ JDK-8247979, PR3797: aarch64: missing side effect of killing
flags for clearArray_reg_reg
+ JDK-8248219, PR3797: aarch64: missing memory barrier in
fast_storefield and fast_accessfield
- Ignore whitespaces after the header or footer in PEM X.509 cert
(bsc#1171352)
ImportantSUSE bug 1171352SUSE bug 1174157SUSE bug 1177943CVE-2020-14556 at SUSECVE-2020-14556 at NVDCVE-2020-14577 at SUSECVE-2020-14577 at NVDCVE-2020-14578 at SUSECVE-2020-14578 at NVDCVE-2020-14579 at SUSECVE-2020-14579 at NVDCVE-2020-14581 at SUSECVE-2020-14581 at NVDCVE-2020-14583 at SUSECVE-2020-14583 at NVDCVE-2020-14593 at SUSECVE-2020-14593 at NVDCVE-2020-14621 at SUSECVE-2020-14621 at NVDCVE-2020-14779 at SUSECVE-2020-14779 at NVDCVE-2020-14781 at SUSECVE-2020-14781 at NVDCVE-2020-14782 at SUSECVE-2020-14782 at NVDCVE-2020-14792 at SUSECVE-2020-14792 at NVDCVE-2020-14796 at SUSECVE-2020-14796 at NVDCVE-2020-14797 at SUSECVE-2020-14797 at NVDCVE-2020-14798 at SUSECVE-2020-14798 at NVDCVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for gcc10 (Moderate)SUSE OpenStack Cloud 8
This update for gcc10 fixes the following issues:
This update provides the GCC10 compiler suite and runtime libraries.
The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by
the gcc10 variants.
The new compiler variants are available with '-10' suffix, you can specify them
via:
CC=gcc-10
CXX=g++-10
or similar commands.
For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html
ModerateSUSE bug 1172798SUSE bug 1172846SUSE bug 1173972SUSE bug 1174753SUSE bug 1174817SUSE bug 1175168CVE-2020-13844 at SUSECVE-2020-13844 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ucode-intel (Moderate)SUSE OpenStack Cloud 8
This update for ucode-intel fixes the following issues:
- Intel CPU Microcode updated to 20201027 prerelease
- CVE-2020-8695: Fixed Intel RAPL sidechannel attack (SGX) (bsc#1170446)
- CVE-2020-8698: Fixed Fast Store Forward Predictor INTEL-SA-00381 (bsc#1173594)
# New Platforms:
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| TGL | B1 | 06-8c-01/80 | | 00000068 | Core Gen11 Mobile
| CPX-SP | A1 | 06-55-0b/bf | | 0700001e | Xeon Scalable Gen3
| CML-H | R1 | 06-a5-02/20 | | 000000e0 | Core Gen10 Mobile
| CML-S62 | G1 | 06-a5-03/22 | | 000000e0 | Core Gen10
| CML-S102 | Q0 | 06-a5-05/22 | | 000000e0 | Core Gen10
| CML-U62 V2 | K0 | 06-a6-01/80 | | 000000e0 | Core Gen10 Mobile
# Updated Platforms:
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| GKL-R | R0 | 06-7a-08/01 | 00000016 | 00000018 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| SKL-U23e | K1 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| APL | D0 | 06-5c-09/03 | 00000038 | 00000040 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
| APL | E0 | 06-5c-0a/03 | 00000016 | 0000001e | Atom x5-E39xx
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000d6 | 000000e2 | Core Gen6; Xeon E3 v5
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3
| SKX-SP | B1 | 06-55-03/97 | 01000157 | 01000159 | Xeon Scalable
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable
| SKX-D | M1 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon D-21xx
| CLX-SP | B0 | 06-55-06/bf | 04002f01 | 04003003 | Xeon Scalable Gen2
| CLX-SP | B1 | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2
| ICL-U/Y | D1 | 06-7e-05/80 | 00000078 | 000000a0 | Core Gen10 Mobile
| AML-Y22 | H0 | 06-8e-09/10 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000d6 | 000000e0 | Core Gen8 Mobile
| WHL-U | W0 | 06-8e-0b/d0 | 000000d6 | 000000de | Core Gen8 Mobile
| AML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| CML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| WHL-U | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000d6 | 000000de | Core Gen7; Xeon E3 v6
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000d6 | 000000de | Core Gen8 Desktop, Mobile, Xeon E
| CFL-S | B0 | 06-9e-0b/02 | 000000d6 | 000000de | Core Gen8
| CFL-H/S | P0 | 06-9e-0c/22 | 000000d6 | 000000de | Core Gen9
| CFL-H | R0 | 06-9e-0d/22 | 000000d6 | 000000de | Core Gen9 Mobile
| CML-U62 | A0 | 06-a6-00/80 | 000000ca | 000000e0 | Core Gen10 Mobile
ModerateSUSE bug 1170446SUSE bug 1173594CVE-2020-8695 at SUSECVE-2020-8695 at NVDCVE-2020-8698 at SUSECVE-2020-8698 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ansible, ardana-ansible, ardana-cinder, ardana-glance, ardana-mq, ardana-nova, ardana-osconfig, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, grafana-natel-discrete-panel, openstack-cinder, openstack-monasca-installer, openstack-neutron, openstack-nova, python-Django, python-Flask-Cors, python-Pillow, python-ardana-packager, python-keystoneclient, python-keystonemiddleware, python-kombu, python-straight-plugin, python-urllib3, release-notes-suse-openstack-cloud, storm, storm-kit, venv-openstack-cinder, venv-openstack-swift (Important)SUSE OpenStack Cloud 8
This update for ansible, ardana-ansible, ardana-cinder, ardana-glance, ardana-mq, ardana-nova, ardana-osconfig, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, grafana-natel-discrete-panel, openstack-cinder, openstack-monasca-installer, openstack-neutron, openstack-nova, python-Django, python-Flask-Cors, python-Pillow, python-ardana-packager, python-keystoneclient, python-keystonemiddleware, python-kombu, python-straight-plugin, python-urllib3, release-notes-suse-openstack-cloud, storm, storm-kit, venv-openstack-cinder, venv-openstack-swift contains the following fixes:
Security fixes included in this update:
ansible to 2.9.14:
- CVE-2020-1733: Fixed insecure temporary directory when running
become_user (bsc#1164140).
- CVE-2020-1753: Kubectl connection plugin - connection plugin now
redact kubectl_token and kubectl_password in console log. (bsc#1166389)
- CVE-2020-14365: Previously, regardless of the disable_gpg_check
option, packages were not GPG validated. They are now. (bsc#1175993)
- CVE-2020-14332: copy - Redact the value of the no_log 'content'
parameter in the result's invocation.module_args in check mode.
Previously when used with check mode and with '-vvv', the module would
not censor the content if a change would be made to the destination
path. (bsc#1174302)
- CVE-2020-1736: atomic_move - Change default permissions when creating
temporary files so they are not world readable (bsc#1164134).
- CVE-2020-14330: Sanitize no_log values from any response keys that
might be returned from the uri module (bsc#1174145).
- CVE-2019-14846: Reset logging level to INFO. (bsc#1153452).
- CVE-2020-10744: incomplete fix for CVE-2020-1733 (bsc#1171823).
grafana:
- CVE-2018-18623, CVE-2018-18624,CVE-2018-18625: Fixed multiple XSS
vulnerabilities in dashboard due to a incomplete fix for CVE-2018-12099
(bsc#1172450).
- CVE-2020-11110: Fixed a stored XSS (bsc#1174583).
openstack-nova:
- CVE-2020-17376: Fixed an information leak during live migration (bsc#1175484).
python-Django to 1.11.29
- CVE-2020-7471: Fixed a SQL injection via StringAgg delimiter (bsc#1161919).
- CVE-2020-9402: Fixed a SQL injection via tolerance parameter in GIS functions
and aggregates (bsc#1165022).
- CVE-2019-19844: Fixed a potential account hijack via password reset form (bsc#1159447).
python-Flask-Cors
- CVE-2020-25032: Fixed a potential information leak through path traversal (bsc#1175986).
python-Pillow
- CVE-2020-10177: Fixed multiple out-of-bounds reads in libImaging/FliDecode.c (bsc#1173413).
- CVE-2020-10994: Fixed multiple out-of-bounds reads via a crafted JP2 files (bsc#1173418).
- CVE-2020-10378: Fixed an out-of-bounds read when reading PCX files (bsc#1173416).
python-urllib3
- CVE-2020-26137: Fixed CRLF injection via HTTP request method (bsc#1177120)
storm:
- CVE-2018-11779: Fixed java deserialization vulnerability related to the usage of
storm-kafka-client or storm-kafka modules (bsc#1143163).
- CVE-2019-0202: Fixed an information leak related to the log viewer (bsc#1142617).
rubygem-crowbar-client update to 3.9.3:
- CVE-2018-17954: Fixed information leak of the admin password to all
nodes in cleartext during provisioning (bsc#1117080)
Non-security fixes included on this update:
Changes in ansible:
- Update to ansible 2.9.14:
- minor bugs and fixes, including security bugs:
- CVE-2020-1753, bsc#1166389: Kubectl connection plugin - connection
plugin now redact kubectl_token and kubectl_password in console
log.
- revert CVE-2020-1736. Users are encouraged to specify a mode
parameter in their file-based tasks when the files being
manipulated contain sensitive data.
- CVE-2020-14365, bsc#1175993: Previously, regardless of the
disable_gpg_check option, packages were not GPG validated. They
are now.
- CVE-2020-14332, bsc#1174302: copy - Redact the value of the no_log
'content' parameter in the result's invocation.module_args in
check mode. Previously when used with check mode and with '-vvv',
the module would not censor the content if a change would be made
to the destination path.
- CVE-2020-1736, bsc#1164134: atomic_move - Change default
permissions when creating temporary files so they are not world
readable
- CVE-2020-14330, bsc#1174145: Sanitize no_log values from any
response keys that might be returned from the uri module.
- CVE-2019-14846, bsc#1153452: Reset logging level to INFO.
- CVE-2020-10744, bsc#1171823, gh#ansible/ansible#69782: incomplete
fix for CVE-2020-1733
- Remove patches included upstream:
- CVE-2020-14330_exposed_keys_uri_mod.patch
- CVE-2020-10744_avoid_mkdir_p.patch
- Don't Require python-coverage, it is needed only for testing
(bsc#1177948).
- Add CVE-2020-14330_exposed_keys_uri_mod.patch which fixes
CVE-2020-14330 (bsc#1174145). Sanitize no_log values from any
response keys that might be returned from the uri module.
Sensitive values marked with ``no_log=True`` will automatically
have that value stripped from module return values. If
your module could return these sensitive values as
part of a dictionary key name, you should call the
``ansible.module_utils.basic.sanitize_keys()`` function to
strip the values from the keys. See the ``uri`` module for an
example.
- importlib and argparse are required only on SLE-11 and less.
- Add CVE-2020-10744_avoid_mkdir_p.patch (bsc#1171823) to fix
insecure temporary directory creation.
- Add metadata information to this file to mark which SUSE
bugzilla have been already fixed.
- Remove CVE-2017-7550-jenkins-disallow-password-in-params.patch
as it has been already included in 2.4.1.0
- update to version 2.9.9
* fix for a regression introduced in 2.9.8
- update to version 2.9.8
maintenance release containing numerous bugfixes
- update to version 2.9.7 with many bug fixes,
especially for these security issues:
- bsc#1164140 CVE-2020-1733 - insecure temporary directory when
running become_user from become directive
- bsc#1164139 CVE-2020-1734 shell enabled by default in a pipe
lookup plugin subprocess
- bsc#1164137 CVE-2020-1735 - path injection on dest parameter
in fetch module
- bsc#1164134 CVE-2020-1736 atomic_move primitive sets
permissive permissions
- bsc#1164138 CVE-2020-1737 - Extract-Zip function in win_unzip
module does not check extracted path
- bsc#1164136 CVE-2020-1738 module package can be selected by
the ansible facts
- bsc#1164133 CVE-2020-1739 - svn module leaks password when
specified as a parameter
- bsc#1164135 CVE-2020-1740 - secrets readable after
ansible-vault edit
- bsc#1165393 CVE-2020-1746 - information disclosure issue in
ldap_attr and ldap_entry modules
- bsc#1166389 CVE-2020-1753 - kubectl connection plugin leaks
sensitive information
- bsc#1167532 CVE-2020-10684 - code injection when using
ansible_facts as a subkey
- bsc#1167440 CVE-2020-10685 - modules which use files
encrypted with vault are not properly cleaned up
- CVE-2020-10691 - archive traversal vulnerability in ansible-galaxy collection install [2]
- create missing (empty) template and files directories for
'ansible-galaxy init' during package build (fixes boo#1137479)
- require python-xml on python 2 systems (boo#1142542)
- update to version 2.9.6 (maintenance release) including
these security issues:
- bsc#1171162 CVE-2020-10729 two random password lookups in
same task return same value
- update to version 2.9.5 (maintenance release)
- update to version 2.9.4 (maintenance release)
- fix in yum module
- security fixes:
- bsc#1157968 CVE-2019-14904 vulnerability in solaris_zone
module via crafted solaris zone
- bsc#1157969 CVE-2019-14905 malicious code could craft
filename in nxos_file_copy module
- update to version 2.9.3 (maintenance release)
* security fixes
- CVE-2019-14904 (solaris_zone module) (boo#1157968)
- CVE-2019-14905 (nxos_file_copy module) (boo#1157969)
* various bugfixes
- sync with upstream spec file (especially for RHEL & Fedora builds)
- ran spec-cleaner
- remove old SUSE targets (SLE-11, Leap 42.3 and below)
This simplifies the spec file and makes building easier
- Additional required packages for building:
+ python-boto3 and python-botocore for Amazon EC2
+ python-jmespath for json queries
+ python-memcached for cloud modules and local caching of JSON
formatted, per host records
+ python-redis for cloud modules and local caching of JSON
formatted, per host records
+ python-requests for many web-based modules (cloud, network,
netapp)
=> as the need for those packages depends on the usage of the
tool, they are just recommended on openSUSE/SUSE machines
- made dependencies for gitlab, vmware and winrm modules configurable,
as most of their dependencies are not (yet) available on current
openSUSE/SUSE distributions
- exclude /usr/bin/pwsh from the automatic dependency generation,
as the Windows Power Shell is not available (yet) on openSUSE/SUSE
- build additional docs and split up ansible-doc package;
moving changelogs, contrib and example directories there
- prepare for building HTML documentation, but disable this per
default for the moment, as not all package dependencies are available
in openSUSE/SUSE (yet)
- package some test scripts with executable permissions
- update to version 2.9.2
maintenance release containing numerous bugfixes
- Create system directories that Ansible defines as default locations
in ansible/config/base.yml
- rephrase the summary line
- Disable shebang munging for specific paths. These files are data files.
ansible-test munges the shebangs itself.
- split out ansible-test package for module developers
- update to version 2.9.1
Full changelog is packaged at /usr/share/doc/packages/ansible/changelogs/
and also available online at
https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst
+ CVE-2019-14864: fixed Splunk and Sumologic callback plugins leak
sensitive data in logs (boo#1154830)
- replace all #!/usr/bin/env lines to use #!/usr/bin/$1 directly
- added file '/usr/bin/ansible-test' to spec file
- Update to version 2.9.0:
Full changelog is packaged at /usr/share/doc/packages/ansible/changelogs/
and also available online at
https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst
- Fixed among other this security bug:
- bsc#1112959 CVE-2018-16837 Information leak in 'user' module patch added
- include the sha checksum file in the source, which allows to verify
the original sources
- Update to version 2.8.6:
Full changelog is packaged at /usr/share/doc/packages/ansible/changelogs/
and also available online at
https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst
Included security fixes:
* CVE-2019-14846: Fixed secrets disclosure on logs due to display is hardcoded
to DEBUG level (bsc#1153452)
* CVE-2019-14856: Fixed insufficient fix for CVE-2019-10206 (bsc#1154232)
* CVE-2019-14858: Fixed data in the sub parameter fields that will not be masked
and will be displayed when run with increased verbosity (bsc#1154231)
- Update to version 2.8.5:
Full changelog is packaged at /usr/share/doc/packages/ansible/changelogs/
and also available online at
https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst
- removed patches fixed upstream:
+ CVE-2019-10206-data-disclosure.patch
+ CVE-2019-10217-gcp-modules-sensitive-fields.patch
- Update to version 2.8.3:
Full changelog is packaged, but also at
https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst
- (bsc#1137528) CVE-2019-10156: ansible: templating causing an
unexpected key file to be set on remote node
- (bsc#1144453) Adds CVE-2019-10217-gcp-modules-sensitive-fields.patch
CVE-2019-10217: Fields managing sensitive data should be set as
such by no_log feature. Some of these fields in GCP modules are
not set properly. service_account_contents() which is common
class for all gcp modules is not setting no_log to True. Any
sensitive data managed by that function would be leak as an
output when running ansible playbooks.
- Update to version 2.8.1
Full changelog is at /usr/share/doc/packages/ansible/changelogs/
Bugfixes
--------
- ACI - DO not encode query_string
- ACI modules - Fix non-signature authentication
- Add missing directory provided via ``--playbook-dir`` to adjacent collection loading
- Fix 'Interface not found' errors when using eos_l2_interface with nonexistant
interfaces configured
- Fix cannot get credential when `source_auth` set to `credential_file`.
- Fix netconf_config backup string issue
- Fix privilege escalation support for the docker connection plugin when
credentials need to be supplied (e.g. sudo with password).
- Fix vyos cli prompt inspection
- Fixed loading namespaced documentation fragments from collections.
- Fixing bug came up after running cnos_vrf module against coverity.
- Properly handle data importer failures on PVC creation, instead of timing out.
- To fix the ios static route TC failure in CI
- To fix the nios member module params
- To fix the nios_zone module idempotency failure
- add terminal initial prompt for initial connection
- allow include_role to work with ansible command
- allow python_requirements_facts to report on dependencies containing dashes
- asa_config fix
- azure_rm_roledefinition - fix a small error in build scope.
- azure_rm_virtualnetworkpeering - fix cross subscriptions virtual network
peering.
- cgroup_perf_recap - When not using file_per_task, make sure we don't
prematurely close the perf files
- display underlying error when reporting an invalid ``tasks:`` block.
- dnf - fix wildcard matching for state: absent
- docker connection plugin - accept version ``dev`` as 'newest version' and
print warning.
- docker_container - ``oom_killer`` and ``oom_score_adj`` options are available
since docker-py 1.8.0, not 2.0.0 as assumed by the version check.
- docker_container - fix network creation when ``networks_cli_compatible`` is
enabled.
- docker_container - use docker API's ``restart`` instead of ``stop``/``start``
to restart a container.
- docker_image - if ``build`` was not specified, the wrong default for
``build.rm`` is used.
- docker_image - if ``nocache`` set to ``yes`` but not ``build.nocache``, the
module failed.
- docker_image - module failed when ``source: build`` was set but
``build.path`` options not specified.
- docker_network module - fix idempotency when using ``aux_addresses`` in
``ipam_config``.
- ec2_instance - make Name tag idempotent
- eos: don't fail modules without become set, instead show message and continue
- eos_config: check for session support when asked to 'diff_against: session'
- eos_eapi: fix idempotency issues when vrf was unspecified.
- fix bugs for ce - more info see
- fix incorrect uses of to_native that should be to_text instead.
- hcloud_volume - Fix idempotency when attaching a server to a volume.
- ibm_storage - Added a check for null fields in ibm_storage utils module.
- include_tasks - whitelist ``listen`` as a valid keyword
- k8s - resource updates applied with force work correctly now
- keep results subset also when not no_log.
- meraki_switchport - improve reliability with native VLAN functionality.
- netapp_e_iscsi_target - fix netapp_e_iscsi_target chap secret size and
clearing functionality
- netapp_e_volumes - fix workload profileId indexing when no previous workload
tags exist on the storage array.
- nxos_acl some platforms/versions raise when no ACLs are present
- nxos_facts fix <https://github.com/ansible/ansible/pull/57009>
- nxos_file_copy fix passwordless workflow
- nxos_interface Fix admin_state check for n6k
- nxos_snmp_traps fix group all for N35 platforms
- nxos_snmp_user fix platform fixes for get_snmp_user
- nxos_vlan mode idempotence bug
- nxos_vlan vlan names containing regex ctl chars should be escaped
- nxos_vtp_* modules fix n6k issues
- openssl_certificate - fix private key passphrase handling for
``cryptography`` backend.
- openssl_pkcs12 - fixes crash when private key has a passphrase and the module
is run a second time.
- os_stack - Apply tags conditionally so that the module does not throw up an
error when using an older distro of openstacksdk
- pass correct loading context to persistent connections other than local
- pkg_mgr - Ansible 2.8.0 failing to install yum packages on Amazon Linux
- postgresql - added initial SSL related tests
- postgresql - added missing_required_libs, removed excess param mapping
- postgresql - move connect_to_db and get_pg_version into
module_utils/postgres.py (https://github.com/ansible/ansible/pull/55514)
- postgresql_db - add note to the documentation about state dump and the
incorrect rc (https://github.com/ansible/ansible/pull/57297)
- postgresql_db - fix for postgresql_db fails if stderr contains output
- postgresql_ping - fixed a typo in the module documentation
- preserve actual ssh error when we cannot connect.
- route53_facts - the module did not advertise check mode support, causing it
not to be run in check mode.
- sysctl: the module now also checks the output of STDERR to report if values
are correctly set (https://github.com/ansible/ansible/pull/55695)
- ufw - correctly check status when logging is off
- uri - always return a value for status even during failure
- urls - Handle redirects properly for IPv6 address by not splitting on ``:``
and rely on already parsed hostname and port values
- vmware_vm_facts - fix the support with regular ESXi
- vyos_interface fix <https://github.com/ansible/ansible/pull/57169>
- we don't really need to template vars on definition as we do this on demand
in templating.
- win_acl - Fix qualifier parser when using UNC paths -
- win_hostname - Fix non netbios compliant name handling
- winrm - Fix issue when attempting to parse CLIXML on send input failure
- xenserver_guest - fixed an issue where VM whould be powered off even though
check mode is used if reconfiguration requires VM to be powered off.
- xenserver_guest - proper error message is shown when maximum number of
network interfaces is reached and multiple network interfaces are added at
once.
- yum - Fix false error message about autoremove not being supported
- yum - fix failure when using ``update_cache`` standalone
- yum - handle special '_none_' value for proxy in yum.conf and .repo files
- Update to version 2.8.0
Major changes:
* Experimental support for Ansible Collections and content namespacing -
Ansible content can now be packaged in a collection and addressed via
namespaces. This allows for easier sharing, distribution, and installation
of bundled modules/roles/plugins, and consistent rules for accessing
specific content via namespaces.
* Python interpreter discovery - The first time a Python module runs on a
target, Ansible will attempt to discover the proper default Python
interpreter to use for the target platform/version (instead of immediately
defaulting to /usr/bin/python). You can override this behavior by
setting ansible_python_interpreter or via config.
(see https://github.com/ansible/ansible/pull/50163)
* become - The deprecated CLI arguments for --sudo, --sudo-user,
--ask-sudo-pass, -su, --su-user, and --ask-su-pass have been removed, in
favor of the more generic --become, --become-user, --become-method, and
--ask-become-pass.
* become - become functionality has been migrated to a plugin architecture,
to allow customization of become functionality and 3rd party become methods
(https://github.com/ansible/ansible/pull/50991)
- addresses CVE-2018-16859, CVE-2018-16876, CVE-2019-3828, CVE-2018-16837
For the full changelog see /usr/share/doc/packages/ansible/changelogs or online:
https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst
- Update to version 2.7.10
Minor Changes
- Catch all connection timeout related exceptions and raise AnsibleConnectionError instead
- openssl_pkcs12, openssl_privatekey, openssl_publickey - These modules no longer delete the output file before starting to regenerate the output, or when generating the output failed.
Bugfixes
- Backport of https://github.com/ansible/ansible/pull/54105, pamd - fix idempotence issue when removing rules
- Use custom JSON encoder in conneciton.py so that ansible objects (AnsibleVaultEncryptedUnicode, for example) can be sent to the persistent connection process
- allow 'dict()' jinja2 global to function the same even though it has changed in jinja2 versions
- azure_rm inventory plugin - fix missing hostvars properties (https://github.com/ansible/ansible/pull/53046)
- azure_rm inventory plugin - fix no nic type in vmss nic. (https://github.com/ansible/ansible/pull/53496)
- deprecate {Get/Set}ManagerAttributes commands (https://github.com/ansible/ansible/issues/47590)
- flatpak_remote - Handle empty output in remote_exists, fixes https://github.com/ansible/ansible/issues/51481
- foreman - fix Foreman returning host parameters
- get_url - Fix issue with checksum validation when using a file to ensure we skip lines in the file that do not contain exactly 2 parts. Also restrict exception handling to the minimum number of necessary lines (https://github.com/ansible/ansible/issues/48790)
- grafana_datasource - Fixed an issue when running Python3 and using basic auth (https://github.com/ansible/ansible/issues/49147)
- include_tasks - Fixed an unexpected exception if no file was given to include.
- openssl_certificate - fix ``state=absent``.
- openssl_certificate, openssl_csr, openssl_pkcs12, openssl_privatekey, openssl_publickey - The modules are now able to overwrite write-protected files (https://github.com/ansible/ansible/issues/48656).
- openssl_dhparam - fix ``state=absent`` idempotency and ``changed`` flag.
- openssl_pkcs12, openssl_privatekey - These modules now accept the output file mode in symbolic form or as a octal string (https://github.com/ansible/ansible/issues/53476).
- openssl_publickey - fixed crash on Python 3 when OpenSSH private keys were used with passphrases.
- openstack inventory plugin: allow 'constructed' functionality (``compose``, ``groups``, and ``keyed_groups``) to work as documented.
- random_mac - generate a proper MAC address when the provided vendor prefix is two or four characters (https://github.com/ansible/ansible/issues/50838)
- replace - fix behavior when ``before`` and ``after`` are used together (https://github.com/ansible/ansible/issues/31354)
- report correct CPU information on ARM systems (https://github.com/ansible/ansible/pull/52884)
- slurp - Fix issues when using paths on Windows with glob like characters, e.g. ``[``, ``]``
- ssh - Check the return code of the ssh process before raising AnsibleConnectionFailure, as the error message for the ssh process will likely contain more useful information. This will improve the missing interpreter messaging when using modules such as setup which have a larger payload to transfer when combined with pipelining. (https://github.com/ansible/ansible/issues/53487)
- tower_settings - 'name' and 'value' parameters are always required, module can not be used in order to get a setting
- win_acl - Fix issues when using paths with glob like characters, e.g. ``[``, ``]``
- win_acl_inheritance - Fix issues when using paths with glob like characters, e.g. ``[``, ``]``
- win_certificate_store - Fix issues when using paths with glob like characters, e.g. ``[``, ``]``
- win_chocolatey - Fix incompatibilities with the latest release of Chocolatey ``v0.10.12+``
- win_copy - Fix issues when using paths with glob like characters, e.g. ``[``, ``]``
- win_file - Fix issues when using paths with glob like characters, e.g. ``[``, ``]``
- win_find - Ensure found files are sorted alphabetically by the path instead of it being random
- win_find - Fix issues when using paths with glob like characters, e.g. ``[``, ``]``
- win_owner - Fix issues when using paths with glob like characters, e.g. ``[``, ``]``
- win_psexec - Support executables with a space in the path
- win_reboot - Fix reboot command validation failure when running under the psrp connection plugin
- win_tempfile - Always return the full NTFS absolute path and not a DOS 8.3 path.
- win_user_right - Fix output containing non json data - https://github.com/ansible/ansible/issues/54413
- windows - Fixed various module utils that did not work with path that had glob like chars
- yum - fix disable_excludes on systems with yum rhn plugin enabled (https://github.com/ansible/ansible/issues/53134)
- Update to version 2.7.9
Minor Changes
* Add missing import for ConnectionError in edge and routeros module_utils.
* ``to_yaml`` filter updated to maintain formatting consistency when used
with ``pyyaml`` versions 5.1 and later
(https://github.com/ansible/ansible/pull/53772)
* docker_image * set ``changed`` to ``false`` when using ``force: yes`` to
tag or push an image that ends up being identical to one already present on
the Docker host or Docker registry.
* jenkins_plugin * Set new default value for the update_url parameter
(https://github.com/ansible/ansible/issues/52086)
Bugfixes
* Fix bug where some inventory parsing tracebacks were missing or reported under the wrong plugin.
* Fix rabbitmq_plugin idempotence due to information message in new version of rabbitmq (https://github.com/ansible/ansible/pull/52166)
* Fixed KeyError issue in vmware_host_config_manager when a supported option isn't already set (https://github.com/ansible/ansible/issues/44561).
* Fixed issue related to --yaml flag in vmware_vm_inventory. Also fixed caching issue in vmware_vm_inventory (https://github.com/ansible/ansible/issues/52381).
* If large integers are passed as options to modules under Python 2, module argument parsing will reject them as they are of type ``long`` and not of type ``int``.
* allow nice error to work when auto plugin reads file w/o `plugin` field
* ansible-doc * Fix traceback on providing arguemnt --all to ansible-doc command
* azure_rm_virtualmachine_facts * fixed crash related to attached managed disks (https://github.com/ansible/ansible/issues/52181)
* basic * modify the correct variable when determining available hashing algorithms to avoid errors when md5 is not available (https://github.com/ansible/ansible/issues/51355)
* cloudscale * Fix compatibilty with Python3 in version 3.5 and lower.
* convert input into text to ensure valid comparisons in nmap inventory plugin
* dict2items * Allow dict2items to work with hostvars
* dnsimple * fixed a KeyError exception related to record types handling.
* docker_container * now returns warnings from docker daemon on container creation and updating.
* docker_swarm * Fixed node_id parameter not working for node removal (https://github.com/ansible/ansible/issues/53501)
* docker_swarm * do not crash with older docker daemons (https://github.com/ansible/ansible/issues/51175).
* docker_swarm * fixes idempotency for the ``ca_force_rotate`` option.
* docker_swarm * improve Swarm detection.
* docker_swarm * improve idempotency checking; ``rotate_worker_token`` and ``rotate_manager_token`` are now also used when all other parameters have not changed.
* docker_swarm * now supports docker-py 1.10.0 and newer for most operations, instead only docker 2.6.0 and newer.
* docker_swarm * properly implement check mode (it did apply changes).
* docker_swarm * the ``force`` option was ignored when ``state: present``.
* docker_swarm_service * do basic validation of ``publish`` option if specified (must be list of dicts).
* docker_swarm_service * don't crash when ``publish`` is not specified.
* docker_swarm_service * fix problem with docker daemons which do not return ``UpdateConfig`` in the swarm service spec.
* docker_swarm_service * the return value was documented as ``ansible_swarm_service``, but the module actually returned ``ansible_docker_service``. Documentation and code have been updated so that the variable is now called ``swarm_service``. In Ansible 2.7.x, the old name ``ansible_docker_service`` can still be used to access the result.
* ec2 * if the private_ip has been provided for the new network interface it shouldn't also be added to top level parameters for run_instances()
* fix DNSimple to ensure check works even when the number of records is larger than 100
* get_url * return no change in check mode when checksum matches
* inventory plugins * Fix creating groups from composed variables by getting the latest host variables
* inventory_aws_ec2 * fix no_log indentation so AWS temporary credentials aren't displayed in tests
* jenkins_plugin * Prevent plugin to be reinstalled when state=present (https://github.com/ansible/ansible/issues/43728)
* lvol * fixed ValueError when using float size (https://github.com/ansible/ansible/issues/32886, https://github.com/ansible/ansible/issues/29429)
* mysql * MySQLdb doesn't import the cursors module for its own purposes so it has to be imported in MySQL module utilities before it can be used in dependent modules like the proxysql module family.
* mysql * fixing unexpected keyword argument 'cursorclass' issue after migration from MySQLdb to PyMySQL.
* mysql_user: match backticks, single and double quotes when checking user privileges.
* onepassword_facts * Fixes issues which prevented this module working with 1Password CLI version 0.5.5 (or greater). Older versions of the CLI were deprecated by 1Password and will no longer function.
* openssl_certificate * ``has_expired`` correctly checks if the certificate is expired or not
* openssl_certificate * fix Python 3 string/bytes problems for `notBefore`/`notAfter` for self-signed and ownCA providers.
* openssl_certificate * make sure that extensions are actually present when their values should be checked.
* openssl_csr * improve ``subject`` validation.
* openssl_csr * improve error messages for invalid SANs.
* play order is now applied under all circumstances, fixes
* remote_management foreman * Fixed issue where it was impossible to createdelete a product because product was missing in dict choices ( https://github.com/ansible/ansible/issues/48594 )
* rhsm_repository * handle systems without any repos
* skip invalid plugin after warning in loader
* urpmi module * fixed issue
* win_certificate_store * Fix exception handling typo
* win_chocolatey * Fix issue when parsing a beta Chocolatey install * https://github.com/ansible/ansible/issues/52331
* win_chocolatey_source * fix bug where a Chocolatey source could not be disabled unless ``source`` was also set * https://github.com/ansible/ansible/issues/50133
* win_domain * Do not fail if DC is already promoted but a reboot is required, return ``reboot_required: True``
* win_domain * Fix when running without credential delegated authentication * https://github.com/ansible/ansible/issues/53182
* win_file * Fix issue when managing hidden files and directories * https://github.com/ansible/ansible/issues/42466
* winrm * attempt to recover from a WinRM send input failure if possible
* zabbix_hostmacro: fixes truncation of macro contexts that contain colons (see https://github.com/ansible/ansible/pull/51853)
New Plugins
* vmware_vm_inventory * VMware Guest inventory source
- update URL (use SSL version of the URL)
- prepare update for multiple releases (bsc#1102126, bsc#1109957)
- Update to version 2.7.8
Minor Changes:
* Raise AnsibleConnectionError on winrm connnection errors
Bugfixes:
* Backport of https://github.com/ansible/ansible/pull/46478 , fixes name collision in haproxy module
* Fix aws_ec2 inventory plugin code to automatically populate regions when missing as documentation states, also leverage config system vs self default/type validation
* Fix unexpected error when using Jinja2 native types with non-strict constructed keyed_groups (https://github.com/ansible/ansible/issues/52158).
* If an ios module uses a section filter on a device which does not support it, retry the command without the filter.
* acme_challenge_cert_helper * the module no longer crashes when the required ``cryptography`` library cannot be found.
* azure_rm_managed_disk_facts * added missing implementation of listing managed disks by resource group
* azure_rm_mysqlserver * fixed issues with passing parameters while updating existing server instance
* azure_rm_postgresqldatabase * fix force_update bug (https://github.com/ansible/ansible/issues/50978).
* azure_rm_postgresqldatabase * fix force_update bug.
* azure_rm_postgresqlserver * fixed issues with passing parameters while updating existing server instance
* azure_rm_sqlserver * fix for tags support
* azure_rm_virtualmachine * fixed several crashes in module
* azure_rm_virtualmachine_facts * fix crash when vm created from custom image
* azure_rm_virtualmachine_facts * fixed crash related to VM with managed disk attached
* ec2 * Correctly sets the end date of the Spot Instance request. Sets `ValidUntil` value in proper way so it will be auto-canceled through `spot_wait_timeout` interval.
* openssl_csr * fixes idempotence problem with PyOpenSSL backend when no Subject Alternative Names were specified.
* openstack inventory plugin * send logs from sdk to stderr so they do not combine with output
* psrp * do not display bootstrap wrapper for each module exec run
* redfish_utils * get standard properties for firmware entries (https://github.com/ansible/ansible/issues/49832)
* remote home directory * Disallow use of remote home directories that include relative pathing by means of `..` (CVE-2019-3828, bsc#1126503) (https://github.com/ansible/ansible/pull/52133)
* ufw * when using ``state: reset`` in check mode, ``ufw --dry-run reset`` was executed, which causes a loss of firewall rules. The ``ufw`` module was adjusted to no longer run ``ufw --dry-run reset`` to prevent this from happening.
* ufw: make sure that only valid values for ``direction`` are passed on.
* update GetBiosBootOrder to use standard Redfish resources (https://github.com/ansible/ansible/issues/47571)
* win become * Fix some scenarios where become failed to create an elevated process
* win_psmodule * the NuGet package provider will be updated, if needed, to avoid issue under adding a repository
* yum * Remove incorrect disable_includes error message when using disable_excludes (https://github.com/ansible/ansible/issues/51697)
* yum * properly handle a proxy config in yum.conf for an unauthenticated proxy
- Update to version 2.7.7
Minor Changes:
* Allow check_mode with supports_generate_diff capability in cli_config. (https://github.com/ansible/ansible/pull/51417)
* Fixed typo in vmware documentation fragment. Changed 'supported added' to 'support added'.
Bugfixes:
* All K8S_AUTH_* environment variables are now properly loaded by the k8s lookup plugin
* Change backup file globbing for network _config modules so backing up one host's config will not delete the backed up config of any host whose hostname is a subset of the first host's hostname (e.g., switch1 and switch11)
* Fixes bug where nios_a_record wasn't getting deleted if an uppercase named a_record was being passed. (https://github.com/ansible/ansible/pull/51539)
* aci_aaa_user - Fix setting user description (https://github.com/ansible/ansible/issues/51406)
* apt_repository - fixed failure under Python 3.7 (https://github.com/ansible/ansible/pull/47219)
* archive - Fix check if archive is created in path to be removed
* azure_rm inventory plugin - fix azure batch request (https://github.com/ansible/ansible/pull/50006)
* cnos_backup - fixed syntax error (https://github.com/ansible/ansible/pull/47219)
* cnos_image - fixed syntax error (https://github.com/ansible/ansible/pull/47219)
* consul_kv - minor error-handling bugfix under Python 3.7 (https://github.com/ansible/ansible/pull/47219)
* copy - align invocation in return value between check and normal mode
* delegate_facts - fix to work properly under block and include_role (https://github.com/ansible/ansible/pull/51553)
* docker_swarm_service - fix endpoint_mode and publish idempotency.
* ec2_instance - Correctly adds description when adding a single ENI to the instance
* ensure we have a XDG_RUNTIME_DIR, as it is not handled correctly by some privilege escalation configurations
* file - Allow state=touch on file the user does not own https://github.com/ansible/ansible/issues/50943
* fix ansible-pull hanlding of extra args, complex quoting is needed for inline JSON
* fix ansible_connect_timeout variable in network_cli,netconf,httpapi and nxos_install_os timeout check
* netapp_e_storagepool - fixed failure under Python 3.7 (https://github.com/ansible/ansible/pull/47219)
* onepassword_facts - Fix an issue looking up some 1Password items which have a 'password' attribute alongside the 'fields' attribute, not inside it.
* prevent import_role from inserting dupe into roles: execution when duplicate signature role already exists in the section.
* reboot - Fix bug where the connection timeout was not reset in the same task after rebooting
* ssh connection - do not retry with invalid credentials to prevent account lockout (https://github.com/ansible/ansible/issues/48422)
* systemd - warn when exeuting in a chroot environment rather than failing (https://github.com/ansible/ansible/pull/43904)
* win_chocolatey - Fix hang when used with proxy for the first time - https://github.com/ansible/ansible/issues/47669
* win_power_plan - Fix issue where win_power_plan failed on newer Windows 10 builds - https://github.com/ansible/ansible/issues/43827
- update to version 2.7.6
Minor Changes:
* Added documentation about using VMware dynamic inventory plugin.
* Fixed bug around populating host_ip in hostvars in vmware_vm_inventory.
* Image reference change in Azure VMSS is detected and applied correctly.
* docker_volume - reverted changed behavior of force, which was released in Ansible 2.7.1 to 2.7.5, and Ansible 2.6.8 to 2.6.11. Volumes are now only recreated if the parameters changed and force is set to true (instead of or). This is the behavior which has been described in the documentation all the time.
* set ansible_os_family from name variable in os-release
* yum and dnf can now handle installing packages from URIs that are proxy redirects and don't end in the .rpm file extension
Bugfixes:
* Added log message at -vvvv when using netconf connection listing connection details.
* Changes how ansible-connection names socket lock files. They now use the same name as the socket itself, and as such do not lock other attempts on connections to the same host, or cause issues with overly-long hostnames.
* Fix mandatory statement error for junos modules (https://github.com/ansible/ansible/pull/50138)
* Moved error in netconf connection plugin from at import to on connection.
* This reverts some changes from commit 723daf3. If a line is found in the file, exactly or via regexp matching, it must not be added again. insertafter/insertbefore options are used only when a line is to be inserted, to specify where it must be added.
* allow using openstack inventory plugin w/o a cache
* callbacks - Do not filter out exception, warnings, deprecations on failure when using debug (https://github.com/ansible/ansible/issues/47576)
* certificate_complete_chain - fix behavior when invalid file is parsed while reading intermediate or root certificates.
* copy - Ensure that the src file contents is converted to unicode in diff information so that it is properly wrapped by AnsibleUnsafeText to prevent unexpected templating of diff data in Python3 (https://github.com/ansible/ansible/issues/45717)
* correct behaviour of verify_file for vmware inventory plugin, it was always returning True
* dnf - fix issue where conf_file was not being loaded properly
* dnf - fix update_cache combined with install operation to not cause dnf transaction failure
* docker_container - fix network_mode idempotency if the container:<container-name> form is used (as opposed to container:<container-id>) (https://github.com/ansible/ansible/issues/49794)
* docker_container - warning when non-string env values are found, avoiding YAML parsing issues. Will be made an error in Ansible 2.8. (https://github.com/ansible/ansible/issues/49802)
* docker_swarm_service - Document labels and container_labels with correct type.
* docker_swarm_service - Document limit_memory and reserve_memory correctly on how to specify sizes.
* docker_swarm_service - Document minimal API version for configs and secrets.
* docker_swarm_service - fix use of Docker API so that services are not detected as present if there is an existing service whose name is a substring of the desired service
* docker_swarm_service - fixing falsely reporting update_order as changed when option is not used.
* document old option that was initally missed
* ec2_instance now respects check mode https://github.com/ansible/ansible/pull/46774
* fix for network_cli - ansible_command_timeout not working as expected (#49466)
* fix handling of firewalld port if protocol is missing
* fix lastpass lookup failure on python 3 (https://github.com/ansible/ansible/issues/42062)
* flatpak - Fixed Python 2/3 compatibility
* flatpak - Fixed issue where newer versions of flatpak failed on flatpak removal
* flatpak_remote - Fixed Python 2/3 compatibility
* gcp_compute_instance - fix crash when the instance metadata is not set
* grafana_dashboard - Fix a pair of unicode string handling issues with version checking (https://github.com/ansible/ansible/pull/49194)
* host execution order - Fix reverse_inventory not to change the order of the items before reversing on python2 and to not backtrace on python3
* icinga2_host - fixed the issue with not working use_proxy option of the module.
* influxdb_user - An unspecified password now sets the password to blank, except on existing users. This previously caused an unhandled exception.
* influxdb_user - Fixed unhandled exception when using invalid login credentials (https://github.com/ansible/ansible/issues/50131)
* openssl_* - fix error when path contains a file name without path.
* openssl_csr - fix problem with idempotency of keyUsage option.
* openssl_pkcs12 - now does proper path expansion for ca_certificates.
* os_security_group_rule - os_security_group_rule doesn't exit properly when secgroup doesn't exist and state=absent (https://github.com/ansible/ansible/issues/50057)
* paramiko_ssh - add auth_timeout parameter to ssh.connect when supported by installed paramiko version. This will prevent 'Authentication timeout' errors when a slow authentication step (>30s) happens with a host (https://github.com/ansible/ansible/issues/42596)
* purefa_facts and purefb_facts now correctly adds facts into main ansible_fact dictionary (https://github.com/ansible/ansible/pull/50349)
* reboot - add appropriate commands to make the plugin work with VMware ESXi (https://github.com/ansible/ansible/issues/48425)
* reboot - add support for rebooting AIX (https://github.com/ansible/ansible/issues/49712)
* reboot - gather distribution information in order to support Alpine and other distributions (https://github.com/ansible/ansible/issues/46723)
* reboot - search common paths for the shutdown command and use the full path to the binary rather than depending on the PATH of the remote system (https://github.com/ansible/ansible/issues/47131)
* reboot - use a common set of commands for older and newer Solaris and SunOS variants (https://github.com/ansible/ansible/pull/48986)
* redfish_utils - fix reference to local variable 'systems_service'
* setup - fix the rounding of the ansible_memtotal_mb value on VMWare vm's (https://github.com/ansible/ansible/issues/49608)
* vultr_server - fixed multiple ssh keys were not handled.
* win_copy - Fix copy of a dir that contains an empty directory - https://github.com/ansible/ansible/issues/50077
* win_firewall_rule - Remove invalid 'bypass' action
* win_lineinfile - Fix issue where a malformed json block was returned causing an error
* win_updates - Correctly report changes on success
- update to version 2.7.5
Minor Changes:
* Add warning about falling back to jinja2_native=false when Jinja2 version is lower than 2.10.
* Change the position to search os-release since clearlinux new versions are providing /etc/os-release too
* Fixed typo in ansible-galaxy info command.
* Improve the deprecation message for squashing, to not give misleading advice
* Update docs and return section of vmware_host_service_facts module.
* ansible-galaxy: properly warn when git isn't found in an installed bin path instead of traceback
* dnf module properly load and initialize dnf package manager plugins
* docker_swarm_service: use docker defaults for the user parameter if it is set to null
Bugfixes:
* bsc#1118896 CVE-2018-16876 Information disclosure in vvv+ mode with no_log on (https://github.com/ansible/ansible/pull/49569)
* ACME modules: improve error messages in some cases (include error returned by server).
* Added unit test for VMware module_utils.
* Also check stdout for interpreter errors for more intelligent messages to user
* Backported support for Devuan-based distribution
* Convert hostvars data in OpenShift inventory plugin to be serializable by ansible-inventory
* Fix AttributeError (Python 3 only) when an exception occurs while rendering a template
* Fix N3K power supply facts (https://github.com/ansible/ansible/pull/49150).
* Fix NameError nxos_facts (https://github.com/ansible/ansible/pull/48981).
* Fix VMware module utils for self usage.
* Fix error in OpenShift inventory plugin when a pod has errored and is empty
* Fix if the route table changed to none (https://github.com/ansible/ansible/pull/49533)
* Fix iosxr netconf plugin response namespace (https://github.com/ansible/ansible/pull/49300)
* Fix issues with nxos_install_os module for nxapi (https://github.com/ansible/ansible/pull/48811).
* Fix lldp and cdp neighbors information (https://github.com/ansible/ansible/pull/48318)(https://github.com/ansible/ansible/pull/48087)(https://github.com/ansible/ansible/pull/49024).
* Fix nxos_interface and nxos_linkagg Idempotence issue (https://github.com/ansible/ansible/pull/46437).
* Fix traceback when updating facts and the fact cache plugin was nonfunctional
* Fix using vault encrypted data with jinja2_native (https://github.com/ansible/ansible/issues/48950)
* Fixed: Make sure that the files excluded when extracting the archive are not checked. https://github.com/ansible/ansible/pull/45122
* Fixes issue where a password parameter was not set to no_log
* Respect no_log on retry and high verbosity (CVE-2018-16876)
* aci_rest - Fix issue ignoring custom port
* acme_account, acme_account_facts - in some cases, it could happen that the modules return information on disabled accounts accidentally returned by the ACME server.
* docker_swarm - decreased minimal required API version from 1.35 to 1.25; some features require API version 1.30 though.
* docker_swarm_service: fails because of default 'user: root' (https://github.com/ansible/ansible/issues/49199)
* ec2_metadata_facts - Parse IAM role name from the security credential field since the instance profile name is different
* fix azure_rm_image module use positional parameter (https://github.com/ansible/ansible/pull/49394)
* fixes an issue with dict_merge in network utils (https://github.com/ansible/ansible/pull/49474)
* gcp_utils - fix google auth scoping issue with application default credentials or google cloud engine credentials. Only scope credentials that can be scoped.
* mail - fix python 2.7 regression
* openstack - fix parameter handling when cloud provided as dict https://github.com/ansible/ansible/issues/42858
* os_user - Include domain parameter in user deletion https://github.com/ansible/ansible/issues/42901
* os_user - Include domain parameter in user lookup https://github.com/ansible/ansible/issues/42901
* ovirt_storage_connection - comparing passwords breaks idempotency in update_check (https://github.com/ansible/ansible/issues/48933)
* paramiko_ssh - improve log message to state the connection type
* reboot - use IndexError instead of TypeError in exception
* redis cache - Support version 3 of the redis python library (https://github.com/ansible/ansible/issues/49341)
* sensu_silence - Cast int for expire field to avoid call failure to sensu API.
* vmware_host_service_facts - handle exception when service package does not have package name.
* win_nssm - Switched to Argv-ToString for escaping NSSM credentials (https://github.com/ansible/ansible/issues/48728)
* zabbix_hostmacro - Added missing validate_certs logic for running module against Zabbix servers with untrused SSL certificates (https://github.com/ansible/ansible/issues/47611)
* zabbix_hostmacro - Fixed support for user macros with context (https://github.com/ansible/ansible/issues/46953)
- update to version 2.7.4
Bugfixes:
* powershell - add lib/ansible/executor/powershell to the packaging data
- update to version 2.7.3
Minor Changes:
* Document Path and Port are mutually exclusive parameters in wait_for module
* Puppet module remove --ignorecache to allow Puppet 6 support
* dnf properly support modularity appstream installation via overloaded group
modifier syntax
* proxmox_kvm - fix exception
* win_security_policy - warn users to use win_user_right instead when editing
Privilege Rights
Bugfixes:
* Fix the issue that FTD HTTP API retries authentication-related HTTP requests
* Fix the issue that module fails when the Swagger model does not have required fields
* Fix the issue with comparing string-like objects
* Fix using omit on play keywords
* Windows - prevent sensitive content from appearing in scriptblock logging (CVE-2018-16859)
* apt_key - Disable TTY requirement in GnuPG for the module to work correctly
when SSH pipelining is enabled
* better error message when bad type in config, deal with EVNAR= more gracefully
* configuration retrieval would fail on non primed plugins
* cs_template - Fixed a KeyError on state=extracted
* docker_container - fix idempotency problems with docker-py caused by previous
init idempotency fix
* docker_container - fix interplay of docker-py version check with argument_spec
validation improvements
* docker_network - driver_options containing Python booleans would cause Docker
to throw exceptions
* ec2_group - Fix comparison of determining which rules to purge by ignoring descriptions
* pip module - fix setuptools/distutils replacement
* sysvinit - enabling a service should use 'defaults' if no runlevels are specified
- update to version 2.7.2
Minor changes:
* Fix documentation for cloning template
* Parsing plugin filter may raise TypeError, gracefully handle this
exception and let user know about the syntax error in plugin filter file
* Scenario guide for VMware HTTP API usage
* Update plugin filter documentation
* fix yum and dnf autoremove input sanitization to properly warn user if
invalid options passed and update documentation to match
* improve readability and fix privileges names on vmware scenario_clone_template
* k8s - updated module documentation to mention how to avoid SSL validation errors
* yum - when checking for updates, now properly include Obsoletes
(both old and new) package data in the module JSON output
- update to 2.7.1
Minor changes:
* Fix yum module to properly check for empty conf_file value
* added capability to set the scheme for the consul_kv lookup
* added optional certificate and certificate validation for consul_kv lookups
* dnf - properly handle modifying the enable/disable excludes data field
* dnf appropriately handles disable_excludes repoid argument
* dnf proerly honors disable_gpg_check for local package installation
* fix yum module to handle list argument optional empty strings properly
* netconf_config - Make default_operation optional in netconf_config module
* yum - properly handle proxy password and username embedded in url
* yum/dnf - fail when space separated string of names
- update to 2.7.0
Major changes:
* Allow config to enable native jinja types
* Remove support for simplejson
* yum and dnf modules now at feature parity
Minor changes:
* Changed the prefix of all Vultr modules from vr to vultr
* Enable installroot tests for yum4(dnf) integration testing, dnf backend now supports that
* Fixed timer in exponential backoff algorithm in vmware.py
Bugfixes:
* Security Fix - avoid loading host/group vars from cwd when not specifying a playbook or playbook base dir
* Security Fix - avoid using ansible.cfg in a world writable dir
* Some connection exception would cause no_log specified on a task to be ignored (stdout info disclosure)
* Fix glob path of rc.d (SUSE-specific)
* Fix lambda_policy updates
* Fix alt linux detection/matching
- update to 2.6.4
Minor Changes:
* add azure_rm_storageaccount support to StorageV2 kind.
* import_tasks - Do not allow import_tasks to transition to dynamic
if the file is missing
Bugfixes:
* Add md5sum check in nxos_file_copy module
* Allow arbitrary log_driver for docker_container
* Fix Python2.6 regex bug terminal plugin nxos, iosxr
* Fix check_mode in nxos_static_route module
* Fix glob path of rc.d Some distribtuions like SUSE has the rc%.d
directories under /etc/init.d
* Fix network config diff issue for lines
* Fixed an issue where ansible_facts.pkg_mgr would incorrectly set
to zypper on Debian/Ubuntu systems that happened to have the
command installed
* The docker_* modules respect the DOCKER_* environment variables again
* The fix for CVE-2018-10875 prints out a warning message about
skipping a config file from a world writable current working directory.
However, if the user is in a world writable current working directory
which does not contain a config file, it should not print a warning
message. This release fixes that extaneous warning.
* To resolve nios_network issue where vendor-encapsulated-options
can not have a use_option flag.
* To resolve the issue of handling exception for Nios lookup gracefully.
* always correctly template no log for tasks
* ansible-galaxy - properly list all roles in roles_path
* basic.py - catch ValueError in case a FIPS enabled platform
raises this exception
* docker_container: fixing working_dir idempotency problem
* docker_container: makes unit parsing for memory sizes more consistent,
and fixes idempotency problem when kernel_memory is set
* fix example code for AWS lightsail documentation
* fix the enable_snat parameter that is only supposed to be used by
an user with the right policies.
* fixes docker_container check and debug mode
* improves docker_container idempotency
* ios_l2_interface - fix bug when list of vlans ends with comma
* ios_l2_interface - fix issue with certain interface types
* ios_user - fix unable to delete user admin issue
* ios_vlan - fix unable to work on certain interface types issue
* nxos_facts test lldp feature and fix nxapi check_rc
* nxos_interface port-channel idempotence fix for mode
* nxos_linkagg mode fix
* nxos_system idempotence fix
* nxos_vlan refactor to support non structured output
* one_host - fixes settings via environment variables
* use retry_json nxos_banner
* user - Strip trailing comments in /etc/default/passwd
* user - when creating a new user without an expiration date,
properly set no expiration rather that expirining the account
* win_domain_computer - fixed deletion of computer active directory
object that have dependent objects
* win_domain_computer - fixed error in diff_support
* win_domain_computer - fixed error when description parameter is empty
* win_psexec - changed code to not escape the command option when building the args
* win_uri -- Fix support for JSON output when charset is set
* win_wait_for - fix issue where timeout doesn't wait unless state=drained
- update to 2.6.3
Bugfixes:
* Fix lxd module to be idempotent when the given configuration for
the lxd container has not changed
* Fix setting value type to str to avoid conversion during template
read. Fix Idempotency in case of 'no key'.
* Fix the mount module's handling of swap entries in fstab
* The fix for (CVE-2018-10875) prints out a warning message about
skipping a config file from a world writable current working
directory. However, if the user explicitly specifies that the
config file should be used via the ANSIBLE_CONFIG environment
variable then Ansible would honor that but still print out the
warning message. This has been fixed so that Ansible honors the
user's explicit wishes and does not print a warning message in
that circumstance.
* To fix the bug where existing host_record was deleted when existing
record name is used with different IP.
* VMware handle pnic in proxyswitch
* fix azure security group cannot add rules when purge_rule set to false.
* fix azure_rm_deployment collect tags from existing Resource Group.
* fix azure_rm_loadbalancer_facts list takes at least 2 arguments.
* fix for the bundled selectors module (used in the ssh and local
connection plugins) when a syscall is restarted after being
interrupted by a signal
* get_url - fix the bug that get_url does not change mode when checksum matches
* nicer error when multiprocessing breaks
* openssl_certificate - Convert valid_date to bytes for conversion
* openstack_inventory.py dynamic inventory file fixed the plugin to the
script so that it will work with current ansible-inventory. Also
redirect stdout before dumping the ouptput, because not doing so will
cause JSON parse errors in some cases.
* slack callback - Fix invocation by looking up data from cli.options
* sysvinit module: handle values of optional parameters. Don't disable
service when enabled parameter isn't set. Fix command when arguments
parameter isn't set.
* vars_prompt - properly template play level variables in vars_prompt
* win_domain - ensure the Netlogon service is up and running after
promoting host to controller
* win_domain_controller - ensure the Netlogon service is up and running
after promoting host to controller
- update to 2.6.2
Minor Changes
+ Sceanrio guide for removing an existing virtual machine is added.
+ lineinfile - add warning when using an empty regexp
+ Restore module_utils.basic.BOOLEANS variable for backwards compatibility
with the module API in older ansible releases.
Bugfixes:
+ Includes fix for bsc#1099808 (CVE-2018-10875) ansible.cfg is being read
from current working directory allowing possible code execution
+ Add text output along with structured output in nxos_facts
+ Allow more than one page of results by using the right pagination
indicator ('NextMarker' instead of 'NextToken').
+ Fix an atomic_move error that is 'true', but misleading.
Now we show all 3 files involved and clarify what happened.
+ Fix eos_l2_interface eapi.
+ Fix fetching old style facts in junos_facts module
+ Fix get_device_info nxos zero or more whitespace regex
+ Fix nxos CI failures
+ Fix nxos_nxapi default http behavior
+ Fix nxos_vxlan_vtep_vni
+ Fix regex network_os_platform nxos
+ Refactor nxos cliconf get_device_info for non structured
output supported devices
+ To fix the NoneType error raised in ios_l2_interface when
Access Mode VLAN is unassigned
+ emtpy host/group name is an error
+ fix default SSL version for docker modules
+ fix mail module when using starttls
+ fix nmap config example
+ fix ps detection of service
+ fix the remote tmp folder permissions issue when becoming a non
admin user
+ fix typoe in sysvinit that breaks update.rc-d detection
+ fixes docker_container compatibilty with docker-py < 2.2
+ get_capabilities in nxapi module_utils should not return empty dictionary
+ inventory - When using an inventory directory, ensure extension
comparison uses text types
+ ios_vlan - fix unable to identify correct vlans issue
+ nxos_facts warning message improved
+ openvswitch_db - make 'key' argument optional
+ pause - do not set stdout to raw mode when redirecting to a file
+ pause - nest try except when importing curses to gracefully fail
if curses is not present
+ plugins/inventory/openstack.py - Do not create group with empty
name if region is not set
+ preseve delegation info on nolog
+ remove ambiguity when it comes to 'the source'
+ remove dupes from var precedence
+ restores filtering out conflicting facts
+ user - fix bug that resulted in module always reporting a change when
specifiying the home directory on FreeBSD
+ user - use correct attribute name in FreeBSD for creat_home
+ vultr - Do not fail trying to load configuration from ini files if
required variables have been set as environment variables.
+ vyos_command correcting conditionals looping
+ win_chocolatey - enable TLSv1.2 support when downloading the
Chocolatey installer
+ win_reboot - fix for handling an already scheduled reboot and other
minor log formatting issues
+ win_reboot - fix issue when overridding connection timeout hung
the post reboot uptime check
+ win_reboot - handle post reboots when running test_command
+ win_security_policy - allows an empty string to reset a policy value
+ win_share - discard any cmdlet output we don't use to ensure only the
return json is received by Ansible
+ win_unzip - discard any cmdlet output we don't use to ensure only the
return json is received by Ansible
+ win_updates - fixed module return value is lost in error in some cases
+ win_user - Use LogonUser to validate the password as it does not
rely on SMB/RPC to be available
+ Security Fix - avoid loading host/group vars from cwd when not
specifying a playbook or playbook base dir
+ Security Fix - avoid using ansible.cfg in a world writable dir.
+ Fix junos_config confirm commit timeout issue
(https://github.com/ansible/ansible/pull/41527)
+ file module - The touch subcommand had its diff output broken during
the 2.6.x development cycle. This is now fixed.
+ inventory manager - This fixes required options being populated before
the inventory config file is read, so the required options may be
set in the config file.
+ nsupdate - allow hmac-sha384 https://github.com/ansible/ansible/pull/42209
+ win_domain - fixes typo in one of the AD cmdlets
https://github.com/ansible/ansible/issues/41536
+ win_group_membership - uses the internal Ansible SID conversion logic
and uses that when comparing group membership instead of the name
- use fdupes to save some space in python_sitelib
- define BuildRoot on older distributions like SLE-11
- be a bit more flexible with the ending of manpage files to allow
Fedora builds to succeed
- includes fix for bsc#1099805 (CVE-2018-10874) Inventory
variables are loaded from current working directory when
running ad-hoc command that can lead to code execution
(included upstream in 2.6.1).
- revert some unneeded changes from spec-cleaner
- updated to latest release 2.6.0
- New Plugins:
+ Callback:
- cgroup_memory_recap
- grafana_annotations
- sumologic
+ Connection:
- httpapi
+ Inventory:
- foreman
- gcp_compute
- generator
- nmap
+ Lookup:
- onepassword
- onepassword_raw
- Modules updates too many to mention here
please look at package documentation directory (/usr/share/doc/packages/.../changelogs)
- bug fixes:
- **Security Fix** - Some connection exceptions would cause no_log
specified on a task to be ignored. If this happened, the task information,
including any private information coul d have been displayed to stdout and
(if enabled, not the default) logged to a log file specified in
ansible.cfg's log_path. Additionally, sites which redirected stdout from
ansible runs to a log file may have stored that private information onto
disk that way as well. (https://github.com/ansible/ansible/pull/41414)
- Changed the admin_users config option to not include 'admin' by default
as admin is frequently used for a non-privileged account
(https://github.com/ansible/ansible/pull/41164)
- Changed the output to 'text' for 'show vrf' command as default 'json'
output format with respect to 'eapi' transport was failing
(https://github.com/ansible/ansible/pull/41470)
- Document mode=preserve for both the copy and template module
- Fix added for Digital Ocean Volumes API change causing Ansible to
recieve an unexpected value in the response.
(https://github.com/ansible/ansible/pull/41431)
- Fix an encoding issue when parsing the examples from a plugins'
documentation
- Fix iosxr_config module to handle route-policy, community-set,
prefix-set, as-path-set and rd-set blocks. All these blocks are part of
route-policy language of iosxr.
- Fix mode=preserve with remote_src=True for the copy module
- Implement mode=preserve for the template module
- The yaml callback plugin now allows non-ascii characters to be
displayed.
- Various grafana_* modules - Port away from the deprecated
b64encodestring function to the b64encode function instead.
https://github.com/ansible/ansible/pull/38388
- added missing 'raise' to exception definition
https://github.com/ansible/ansible/pull/41690
- allow custom endpoints to be used in the aws_s3 module
(https://github.com/ansible/ansible/pull/36832)
- allow set_options to be called multiple times
https://github.com/ansible/ansible/pull/41913
- ansible-doc - fixed traceback on missing plugins
(https://github.com/ansible/ansible/pull/41167)
- cast the device_mapping volume size to an int in the ec2_ami module
(https://github.com/ansible/ansible/pull/40938)
- copy - fixed copy to only follow symlinks for files in the non-recursive case
- copy module - The copy module was attempting to change the mode of files
for remote_src=True even if mode was not set as a parameter. This
failed on filesystems which do not have permission bits
(https://github.com/ansible/ansible/pull/40099)
- copy module - fixed recursive copy with relative paths
(https://github.com/ansible/ansible/pull/40166)
- correct debug display for all cases
https://github.com/ansible/ansible/pull/41331
- correctly check hostvars for vars term
https://github.com/ansible/ansible/pull/41819
- correctly handle yaml inventory files when entries are null dicts
https://github.com/ansible/ansible/issues/41692
- dynamic includes - Allow inheriting attributes from static parents
(https://github.com/ansible/ansible/pull/38827)
- dynamic includes - Don't treat undefined vars for conditional includes
as truthy (https://github.com/ansible/ansible/pull/39377)
- dynamic includes - Fix IncludedFile comparison for free strategy
(https://github.com/ansible/ansible/pull/37083)
- dynamic includes - Improved performance by fixing re-parenting on copy
(https://github.com/ansible/ansible/pull/38747)
- dynamic includes - Use the copied and merged task for calculating task
vars (https://github.com/ansible/ansible/pull/39762)
- file - fixed the default follow behaviour of file to be true
- file module - Eliminate an error if we're asked to remove a file but
something removes it while we are processing the request
(https://github.com/ansible/ansible/pull/39466)
- file module - Fix error when recursively assigning permissions and a
symlink to a nonexistent file is present in the directory tree
(https://github.com/ansible/ansible/issues/39456)
- file module - Fix error when running a task which assures a symlink to a
nonexistent file exists for the second and subsequent times
(https://github.com/ansible/ansible/issues/39558)
- file module - The file module allowed the user to specify src as a
parameter when state was not link or hard. This is documented as only
applying to state=link or state=hard but in previous Ansible, this could
have an effect in rare cornercases. For instance, 'ansible -m file -a
'state=directory path=/tmp src=/var/lib'' would create /tmp/lib. This
has been disabled and a warning emitted (will change to an error in
Ansible-2.10).
- file module - The touch subcommand had its diff output broken during the
2.6.x development cycle. This is now fixed
(https://github.com/ansible/ansible/issues/41755)
- fix BotoCoreError exception handling
- fix apt-mark on debian6 (https://github.com/ansible/ansible/pull/41530)
- fix async for the aws_s3 module by adding async support to the action
plugin (https://github.com/ansible/ansible/pull/40826)
- fix decrypting vault files for the aws_s3 module
(https://github.com/ansible/ansible/pull/39634)
- fix errors with S3-compatible APIs if they cannot use ACLs for buckets
or objects
- fix permission handling to try to download a file even if the user does
not have permission to list all objects in the bucket
- fixed config required handling, specifically for _terms in lookups
https://github.com/ansible/ansible/pull/41740
- gce_net - Fix sorting of allowed ports
(https://github.com/ansible/ansible/pull/41567)
- group_by - support implicit localhost
(https://github.com/ansible/ansible/pull/41860)
- import/include - Ensure role handlers have the proper parent, allowing
for correct attribute inheritance
(https://github.com/ansible/ansible/pull/39426)
- import_playbook - Pass vars applied to import_playbook into parsing of
the playbook as they may be needed to parse the imported plays
(https://github.com/ansible/ansible/pull/39521)
- include_role/import_role - Don't overwrite included role handlers with
play handlers on parse (https://github.com/ansible/ansible/pull/39563)
- include_role/import_role - Fix parameter templating
(https://github.com/ansible/ansible/pull/36372)
- include_role/import_role - Use the computed role name for
include_role/import_role so to diffentiate between names computed from
host vars (https://github.com/ansible/ansible/pull/39516)-
include_role/import_role - improved performance and recursion depth
(https://github.com/ansible/ansible/pull/36470)
- lineinfile - fix insertbefore when used with BOF to not insert duplicate
lines (https://github.com/ansible/ansible/issues/38219)
- password lookup - Do not load password lookup in network filters,
allowing the password lookup to be overriden
(https://github.com/ansible/ansible/pull/41907)
- pause - ensure ctrl+c interrupt works in all cases
(https://github.com/ansible/ansible/issues/35372)
- powershell - use the tmpdir set by `remote_tmp` for become/async tasks
instead of the generic $env:TEMP -
https://github.com/ansible/ansible/pull/40210
- selinux - correct check mode behavior to report same changes as normal
mode (https://github.com/ansible/ansible/pull/40721)
- spwd - With python 3.6 spwd.getspnam returns PermissionError instead of
KeyError if user does not have privileges
(https://github.com/ansible/ansible/issues/39472)
- synchronize - Ensure the local connection created by synchronize uses
_remote_is_local=True, which causes ActionBase to build a local tmpdir
(https://github.com/ansible/ansible/pull/40833)
- template - Fix for encoding issues when a template path contains
non-ascii characters and using the template path in ansible_managed
(https://github.com/ansible/ansible/issues/27262)
- template action plugin - fix the encoding of filenames to avoid
tracebacks on Python2 when characters that are not present in the user's
locale are present. (https://github.com/ansible/ansible/pull/39424)
- user - only change the expiration time when necessary
(https://github.com/ansible/ansible/issues/13235)
- uses correct conn info for reset_connection
https://github.com/ansible/ansible/issues/27520
- win_environment - Fix for issue where the environment value was deleted
when a null value or empty string was set -
https://github.com/ansible/ansible/issues/40450
- win_file - fix issue where special chars like [ and ] were not being
handled correctly https://github.com/ansible/ansible/pull/37901
- win_get_url - fixed a few bugs around authentication and force no when
using an FTP URL
- win_iis_webapppool - redirect some module output to null so Ansible can
read the output JSON https://github.com/ansible/ansible/issues/40874
- win_template - fix when specifying the dest option as a directory with
and without the trailing slash
https://github.com/ansible/ansible/issues/39886
- win_updates - Added the ability to run on a scheduled task for older
hosts so async starts working again -
https://github.com/ansible/ansible/issues/38364
- win_updates - Fix logic when using a whitelist for multiple updates
- win_updates - Fix typo that hid the download error when a download
failed
- win_updates - Fixed issue where running win_updates on async fails
without any error
- windows become - Show better error messages when the become process fails
- winrm - Add better error handling when the kinit process fails
- winrm - allow `ansible_user` or `ansible_winrm_user` to override
`ansible_ssh_user` when both are defined in an inventory -
https://github.com/ansible/ansible/issues/39844
- winrm - ensure pexpect is set to not echo the input on a failure and have
a manual sanity check afterwards
https://github.com/ansible/ansible/issues/41865
- winrm connection plugin - Fix exception messages sometimes raising a
traceback when the winrm connection plugin encounters an unrecoverable
error. https://github.com/ansible/ansible/pull/39333
- xenserver_facts - ensure module works with newer versions of XenServer
(https://github.com/ansible/ansible/pull/35821)
- use python3 on (open)SUSE 15 or newer
- Update to 2.5.5
- Fixed the honouration of the no_log option with failed task iterations
(CVE-2018-10855 boo#1097775)
- Bufixes:
- Changed the admin_users config option to not include 'admin' by default
as admin is frequently used for a non-privileged account
- aws_s3 - add async support to the action plugin
- aws_s3 - fix decrypting vault files
- ec2_ami - cast the device_mapping volume size to an int
- eos_logging - fix idempotency issues
- cache plugins - A cache timeout of 0 means the cache will not expire.
- ios_logging - fix idempotency issues
- ios/nxos/eos_config - don't retrieve config in running_config when config is provided for diff
- nxos_banner - fix multiline banner issue
- nxos terminal plugin - fix output truncation
- nxos_l3_interface - fix no switchport issue with loopback and svi interfaces
- nxos_snapshot - fix compare_option
- Applied spec-cleaner
- Update to 2.5.1
Minor Changes
+ Updated example in vcenter_license module.
+ Updated virtual machine facts with instanceUUID which is unique
for each VM irrespective of name and BIOS UUID.
+ A lot of Bugfixes, please refer to the Changelog installed in
/usr/share/doc/packages/ansible/changelogs/CHANGELOG-v2.5.rst
- Update to 2.5.0:
Major Changes
* Ansible Network improvements
+ Created new connection plugins network_cli and netconf to replace
connection=local. connection=local will continue to work for a
number of Ansible releases.
+ No more unable to open shell. A clear and descriptive message will
be displayed in normal ansible-playbook output without needing to enable debug mode
+ Loads of documentation, see Ansible for Network Automation Documentation.
+ Refactor common network shared code into package under module_utils/network/
+ Filters: Add a filter to convert XML response from a network device to JSON object.
+ Loads of bug fixes.
+ Plus lots more.
* New simpler and more intuitive 'loop' keyword for task loops. The
with_<lookup> loops will likely be deprecated in the near future
and eventually removed.
* Added fact namespacing; from now on facts will be available under
ansible_facts namespace (for example: ansible_facts.os_distribution)
without the ansible_ prefix. They will continue to be added into the
main namespace directly, but now with a configuration toggle to enable
this. This is currently on by default, but in the future it will default to off.
* Added a configuration file that a site administrator can use to
specify modules to exclude from being used.
Minor Changes
* please refer to /share/doc/packages/ansible/changelogs/CHANGELOG-v2.5.rst
Deprecated Features
* Previously deprecated 'hostfile' config settings have been 're-deprecated'
because previously code did not warn about deprecated configuration settings.
* Using Ansible-provided Jinja tests as filters is deprecated and will
be removed in Ansible 2.9.
* The stat and win_stat modules have deprecated get_md5 and the md5 return
values. These options will become undocumented in Ansible 2.9 and
removed in a later version.
* The redis_kv lookup has been deprecated in favor of new redis lookup
* Passing arbitrary parameters that begin with HEADER_ to the uri module,
used for passing http headers, is deprecated. Use the headers parameter
with a dictionary of header names to value instead.
This will be removed in Ansible 2.9
* Passing arbitrary parameters to the zfs module to set zfs properties is
deprecated. Use the extra_zfs_properties parameter with a dictionary of
property names to values instead. This will be removed in Ansible 2.9.
* Use of the AnsibleModule parameter check\_invalid\_arguments in custom
modules is deprecated. In the future, all parameters will be checked to
see whether they are listed in the arg spec and an error raised if they
are not listed. This behaviour is the current and future default so most
custom modules can simply remove check\_invalid\_arguments if they set it
to the default value of True. The check\_invalid\_arguments parameter
will be removed in Ansible 2.9.
* The nxos_ip_interface module is deprecated in Ansible 2.5.
Use nxos_l3_interface module instead.
* The nxos_portchannel module is deprecated in Ansible 2.5.
Use nxos_linkagg module instead.
* The nxos_switchport module is deprecated in Ansible 2.5.
Use nxos_l2_interface module instead.
* The ec2_ami_find has been deprecated; use ec2_ami_facts instead.
* panos_security_policy: Use panos_security_rule - the old module uses
deprecated API calls
* vsphere_guest is deprecated in Ansible 2.5 and will be removed in
Ansible-2.9. Use vmware_guest module instead.
Removed Features (previously deprecated)
* accelerate.
* boundary_meter: There was no deprecation period for this but the hosted
service it relied on has gone away so the module has been removed. #29387
* cl_ : cl_interface, cl_interface_policy, cl_bridge, cl_img_install,
cl_ports, cl_license, cl_bond. Use nclu instead
* docker. Use docker_container and docker_image instead.
* ec2_vpc.
* ec2_ami_search, use ec2_ami_facts instead.
* nxos_mtu. Use nxos_system's system_mtu option instead.
To specify an interface's MTU use nxos_interface.
* panos_nat_policy: Use panos_nat_rule the old module uses
deprecated API calls
- also package the changelogs directory below
/usr/share/doc/packages/ansible/ for better reference
- License changed to GPL-3.0-or-later, as mentioned in the source
(former license focues on GPL-3.0 only)
- Add python-passlib as Requires (bsc#1080682)
passlib is needed for the 'vars_prompt' feature of ansible
- Update to version 2.4.3.0:
* Fix `pamd` rule args regexp to match file paths.
* Check if SELinux policy exists before setting.
* Set locale to `C` in `letsencrypt` module to fix date parsing
errors.
* Fix include in loop when stategy=free.
* Fix save parameter in asa_config.
* Fix --vault-id support in ansible-pull.
* In nxos_interface_ospf, fail nicely if loopback is used with
passive_interface.
* Fix quote filter when given an integer to quote.
* nxos_vrf_interface fix when validating the interface.
* Fix for win_copy when sourcing files from an SMBv1 share.
* correctly report callback plugin file.
* restrict revaulting to vault cli.
* Fix python3 tracebacks in letsencrypt module.
* Fix ansible_*_interpreter variables to be templated prior to
being used.
* Fix setting of environment in a task that uses a loop
* Fix fetch on Windows failing to fetch files or particular
block size.
* preserve certain fields during no log.
* fix issue with order of declaration of sections in ini
inventory.
* Fix win_iis_webapppool to correctly stop a apppool.
* Fix CloudEngine host failed.
* Fix ios_config save issue.
* Handle vault filenames with nonascii chars when displaying
messages.
* Fix win_iis_webapppool to not return passwords.
* Fix extended file attributes detection and changing.
* correctly ensure 'ungrouped' membership rules.
* made warnings less noisy when empty/no inventory is supplied.
* Fixes a failure which prevents to create servers in module
cloudscale_server.
* Fix win_firewall_rule 'Specified cast is invalid' error when
modifying a rule with all of Domain/Public/Private profiles set.
* Fix case for multilib when installing from a file in the yum
module.
* Fix WinRM parsing/escaping of IPv6 addresses.
* Fix win_package to detect MSI regardless of the extension case.
* Updated win_mapped_drive docs to clarify what it is used for.
* Fix file related modules run in check_mode when the file being
operated on does not exist.
* Make eos_vlan idempotent.
* Fix win_iis_website to properly check attributes before setting.
* Fixed the removal date for ios_config save and force parameters.
* cloudstack: fix timeout from ini config file being ignored.
* fixes memory usage issues with many blocks/includes.
* Fixes maximum recursion depth exceeded with include_role.
* Fix to win_dns_client module to take ordering of DNS servers to
resolve into account.
* Fix for the nxos_banner module where some nxos images nest the
output inside of an additional dict.
* Fix failure message 'got multiple values for keyword argument
id' in the azure_rm_securitygroup module (caused by changes to
the azure python API).
* Bump Azure storage client minimum to 1.5.0 to fix
deserialization issues.
This will break Azure Stack until it receives storage API
version 2017-10-01 or changes are made to support multiple
versions.
* Flush stdin when passing the become password. Fixes some cases
of timeout on Python 3 with the ssh connection plugin.
update to version v2.4.2.0:
* lock azure containerservice to below 2.0.0
* ovirt_host_networks: Fix label assignment
* Fix vault --ask-vault-pass with no tty (#31493)
* cherry-pick changes of azure_rm_common from devel to 2.4 (#32607)
* Fixes #31090. In network parse_cli filter plugin, this change moves the creation of a (#31092) (#32458)
* Use an abspath for network inventory ssh key path.
* Remove toLower on source (#31983)
* Add k8s_common.py logging fixes to the changelog
* inserts enable cmd hash with auth_pass used (#32107)
* Fix exception upon display.warn() (#31876)
* ios_system: Fix typo in unit test (#32284)
* yum: use the C locale when screen scraping (#32203)
* Use region derived from get_aws_connection_info() in dynamodb_table to fix tagging bug (#32557)
* fix item var in delegation (#32986)
* Add changelog entry for elb_application_lb fix
* Add a validate example to blockinfile. (#32088)
* Correct formatting --arguments (#31808)
* Add changelog for URI/get_url fix
* [cloud] Bugfix for aws_s3 empty directory creation (#32198)
* Fix junos integration test fixes as per connection refactor (#33050) (#33055)
* Update win_copy for #32677 (#32682)
* ios_interface testfix (#32381)
* Add proper check mode support to the script module (#31852)
* Add galaxy --force fix to changelog
* Fix non-ascii errors in config manager
* Add python3 urllib fixes to changelog
* Add changelog entry for the stdin py3 fix
* Update version info for the 2.4.2 release
* Add max_fail_percentage fix to changelog
* Changelog entry for script inventory plugin fix.
* Make RPM spec compatible with RHEL 6 (#31653)
* Add changelog entry for the yum locale fix
* Use vyos/1.1.8 in CI.
* Fix patching to epel package
* Pass proper error value to to_text (#33030)
* Fix and re-enable zypper* integration tests in CI.
* avoid chroot paths (#32778)
* Add changelog entry for inventory nonascii paths fix
* Fix ios_config integration test failures (#32959) (#32970)
* Fix ios_config file prompt issue (#32744) (#32780)
* Mdd module unit test docs (#31373)
* dont add all group vars to implicit on create
* Fix nxos_banner removal idempotence issue in N1 images (#31259)
* Clarify the release and maintenance cycle (#32402)
* Add ansible_distribution_major_version to macOS (#31708)
* Docs (#32718)
* Keep newlines when reading LXC container config file (#32219)
* Updated changelog for vmware logon error handling
* New release v2.4.2.0-0.2.beta2
* added doc notes about vars plugins in precedence
* revert module_utils/nxos change from #32846 (#32956)
* [cloud] add boto3 requirement to `cloudformation` module docs (#31135)
* Fixes #31056 (#31057)
* - Fix logging module issue where facility is being deleted along with host (#32234)
* Get the moid in a more failsafe manner (#32671)
* Integration Tests only: add static route, snmp_user, snapshot and hsrp it cases (#28933)
* Add the change to when we escape backslashes (for the template lookup plugin) to changelog
* correctly deal with changed (#31812)
* Add the template lookup escaping to the 2.4 porting guide (#32760)
* tests for InventoryModule error conditions (#31381)
* Disable pylint rules for stable-2.4.
* fix typo
* Enable TLS1.1 and TLS1.2 for win_package (#32184)
* Add remove host fix to changelog
* ios_interface provider issue testfix (#32335)
* win_service: quoted path fix (#32469)
* Add changes to succeeded/failed tests to the 2.4 porting guide (#33201)
* Run OS X tests in 3 groups in CI.
* ini inventory: document value parsing workaround
* Change netconf port in testcase as per test enviornment (#32883) (#32889)
* fix inventory loading for ansible-doc
* jsonify inventory (#32990)
* firewalld: don't reference undefined variable in error case (#31949)
* change ports to non well known ports and drop time_range for N1 (#31261)
* make vars only group declarations an error
* Add changelog for os_floating_ip fix
* Fix example on comparing master config (#32406)
* py2/py3 safer shas on hostvars (#31788)
* ensure we always have a basedir
* Add missing ansible-test --remote-terminate support. (#32918)
* Use show command to support wider platform set for nxos_interface module (#33037)
* ios_logging: change IOS command pipe to section to include (#33100) (#33116)
* win_find: allow module to skip on files it fails to check (#32105)
* New release v2.4.2.0-0.4.beta4
* multiple nxos fixes (#32905)
* Add changelog entry for git archive fix
* Add changelog entries for a myriad of 2.4.2 bugfixes
* iosxr integration testfix (#32344)
* Fix #31694: running with closed stdin on python 3 (#31695)
* Add eos_user fix to changelog
* updated changelog with win_find fix
* Added urls python3 fix to changelog
* [cloud] Support changeset_name parameter on CloudFormation stack create (#31436)
* use configured ansible_shell_executable
* New release v2.4.2.0-0.3.beta3
* Fix ec2_lc failing to create multi-volume configurations (#32191)
* Changelog win_package TLS fix
* Fix wrong prompt issue for network modules (#32426) (#32442)
* New release v2.4.2.0-0.1.beta1
* Exclude stack policy when running in check mode.
* change inventory_hostname to ansible_host to fix test (#32890) (#32891)
* Add azure_rm_acs check mode fix
* Updated changelog for win_copy fix
* corrected package docs
* make sure patterns are strings
* Add more bugfixes to changelog
* Fix junos netconf port issue in integration test (#32610) (#32668)
* fixed .loads error for non decoded json in Python 3 (#32065)
* nxos_config and nxos_facts - fixes for N35 platform. (#32762) (#32875)
* Add changelog entry for #32219
* Remove provider from ios integration test (#31037) (#32230)
* added note about serial behaviour (#32461)
* Fixes ios_logging unit test (#32240)
* Avoid AttributeError: internal_network on os_floating_ip (#32887)
* use to_str instead of json.dumps when serializing k8s object for logging
* Prefer the stdlib SSLContext over urllib3 context
* git: fix archive when update is set to no (#31829)
* Add elb_target_group port fix to the changelog
* Changelog entry for aws_s3 issue #32144
* Add error handling for user login (#32613)
* Move asa provider to suboptions (#32356)
* fix dci failure nxos (#32877) (#32878)
* Add inventory jsonification to the changelog
* eos_eapi: adding the desired state config to the new vrf fixes #32111 (#32112) (#32452)
* Handle ip name-server lines containing multiple nameservers (#32235) (#32373)
* Remove provider from prepare_ios_tests integration test (#31038)
* Add last minute bugfixes and doc updates for rc1
* Fix snmp bugs on Nexus 3500 platform (#32773) (#32847)
* validate that existing dest is valid directory
* Update the release data for 2.4.1 in the changelog
* add check mode for acs delete (#32063)
* More fixes added to changelog
* Add wait_for fix to the changelog
* removed psobject to hashtables that were missed (#32710)
* wait_for: treat broken connections as 'unready' (#28839)
* Return all elements in a more robust way
* fix ios_interface test (#32372)
* Add missing packages to default docker image.
* fix nxos_igmp_snooping (#31688)
* - Fix to return error message back to the module. (#31035)
* Ensure that readonly result members are serialized (#33170)
* Keywords docs (#32807)
* remove hosts from removed when rescuing
* Add panos_security_rule docs typo fix to changelog
* Update vyos completion in network.txt.
* move to use ansible logging
* ovirt_clusters: Fix fencing and kuma comparision
* Documentation typo fixes (#32473)
* [fix] issue #30516 : take care about autoremove in upgrade function
* Enable ECHO in prompt module (#32083)
* calculate max fail against all hosts in batch
* Fix urlparse import for Python3 (#31240)
* Bunch of changelog updates for cherry-picks
* restore hostpattern regex/glob behaviour
* Better handling of malformed vault data envelope (#32515)
* Updated changelog regarding win_service quoted path fix
* nxos_interface error handling (#32846)
* An availability zone will be selected if none is provided. Set az to an empty string if it's None to avoid traceback. (#32216)
* Use to_native when validating proxy result (#32596)
* vmware_guest: refactor spec serialization (#32681)
* Add new default Docker container for ansible-test. (#31944)
* warn on bad keys in group
* NXOS: Integration tests to Ansible (part 3) (#29030)
* Add spec file fix to changelog
* eos_user testfix (#32264)
* iam.py: return iam.role dict when creating roles (#28964)
* Add networking bug fixes to changelog (#32201)
* [cloud] sns_topic: Fix unreferenced variable
* Fix service_mgr fact collection (#32086)
* Fix include_role unit tests (#31920)
* Updated changelog for win_iis_* modules things
* handle ignore_errors in loop
* adjust nohome param when using luser
* better cleanup on task results display (#27175)
* Improve python 2/3 ABC fallback for pylint. (#31848)
* fix html formatting
* Add ansible_shell_executable fix to changelog
* Move resource pool login to a separate function and fix undefined var reference (#32674)
* Update ansible-test sanity command. (#31958)
* ios_ping test fix (#32342)
* fix CI failure yaml syntax (#32374)
* Scan group_vars/host_vars in sorted order
* luseradd defaults to creating w/o need for -m (#32411)
* Integration Tests only: nxos_udld, nxos_udld_interface, nxos_vxlan_vtep_vni (#29143) (#32962)
* Fix: modifying existing application lb using certificates now properly sets certificates (#28217)
* ios_logging: Fix some smaller issues, add unit test (#32321)
* Fix nxos_snmp_host bug (#32916) (#32958)
* ovirt_hosts: Don't fail upgrade when NON_RESPONSIVE state
* ini plugin should recursively instantiate pending
* eos_user: sends user secret first on user creation fixes #31680 (#32162)
* Cast target port to an int in elb_target_group. Fixes #32098 (#32202)
* New release v2.4.2.0-0.5.rc1
* remove misleading group vars as they are flat (#32276)
* Fix typo
* Avoid default inventory proccessing for pull (#32135)
* Fix ansible-test default image. (#31966)
* removed superfluous `type` field from RecordSet constructor (#33167)
* Update k8s_common.py
* Add ios_logging fixes to changelog 2.4.2beta2 (#32447)
* Revert 'Removed a force conditional (#28851)' (#32282)
* Add new documentation on writing unittests to the changelog
* Fix ansible-test race calling get_coverage_path.
* New release v2.4.2.0-1
- update to 2.3.2.0 (final) - bsc#1059235
- update to 2.3.1 RC1 (package version 2.3.0.1) (bsc#1056094):
as 'unsafe'. bsc#1038785
* SECURITY (MODERATE): fix for CVE-2017-7466, which finally fixes
an arbitrary command execution vulnerability
- security update to rc4 of 2.2.1.0 version CVE-2016-9587,
CVE-2016-8628, CVE-2016-8614, CVE-2016-8647, CVE-2016-9587
(bsc#1008037, bsc#1008038, bsc#1010940, bsc#1019021)
Changes in ardana-ansible:
- Update to version 8.0+git.1596735237.54109b1:
* Update the Swift XFS inode size check (SOC-10300)
- Update to version 8.0+git.1596204601.75b0e4e:
* Fix upgrade validations Keystone V3 check target (SOC-10300)
Changes in ardana-cinder:
- Update to version 8.0+git.1596129856.263f430:
* Install python-swiftclient as cinder-backup dependency (SOC-11364)
Changes in ardana-glance:
- Update to version 8.0+git.1593631779.76fa9b7:
* Idempotent cirros image upload to glance (SOC-11342)
Changes in ardana-mq:
- Update to version 8.0+git.1593618123.678c32b:
* Ensure epmd.service started/stopped independent of rabbitmq (SOC-6780)
Changes in ardana-nova:
- Update to version 8.0+git.1601298847.dd01585:
* restore ram_weight_multiplier to default (bsc#1123561)
* enable all weigher classes by default (bsc#1123561)
- Update to version 8.0+git.1595857666.cf6b4a9:
* Correction for (bsc#1174242)
- Update to version 8.0+git.1595356665.56726ed:
* Disable nova-consoleauth monasca process check (bsc#1174242)
Changes in ardana-osconfig:
- Update to version 8.0+git.1595885113.93abcbc:
* Enable SLE12 SP3 LTSS for SMT deployments (SOC-11223)
Changes in crowbar-core:
- Update to version 5.0+git.1600432272.b3ad722f0:
* provisioner: check for client_user (SOC-11389)
* upgrade: Allow transition from crowbar_upgrade to reboot (trivial)
- Update to version 5.0+git.1600352887.1e23b8015:
* Ignore CVE-2020-15169 (SOC-11391)
- Update to version 5.0+git.1594898401.caf0b325c:
* crowbar: Also add access to /restricted/ in SSL vhost (SOC-11352)
- Update to version 5.0+git.1593779118.8362c57e5:
* crowbar: Allow hardware-installing -> discovering transition (noref)
* crowbar: Add Restricted controller with API for restricted clients (bsc#1117080)
* crowbar: Add complete list of states to Crowbar::State (noref)
* provisioner: Remove the need for /updates/parse_node_data (noref)
* crowbar: Create helper module to validate states (noref)
* provisioner: Use new restricted API (bsc#1117080)
* provisioner: Do not read /etc/crowbar.install.key from crowbar_joi (bsc#1117080)
* provisioner: Remove use of privileged user for Windows machine (bsc#1117080)
* provisioner: Use restricted client during provisioning (bsc#1117080)
* provisioner: Use restricted client for crowbar_register (bsc#1117080)
* provisioner: Drop /etc/crowbar.install.key bits from autoyast prof (bsc#1117080)
* Avoid hardcoding machine-install user (bsc#1117080)
* crowbar: Restrict admin access (bsc#1117080)
Changes in crowbar-openstack:
- Update to version 5.0+git.1599037158.5c4d07480:
* horizon: Update configuration for Grafana 5.x
Changes in documentation-suse-openstack-cloud:
- Update to version 8.20201007:
* reveresed step8 and 9 in PTF installation (SOC-10616)
* Modified the PTF install instructions as per the (SOC-10616)
- Update to version 8.20200904:
* Clarify reboot instructions during update workflow (SOC-11386)
- Update to version 8.20200921:
* replacd postgreSQL to MariaDB as per comments4 and 5 in ticket (SOC-11000)
- Update to version 8.20200424:
* Update ESX documentation for DVS creation (bsc#1142121)
* Fix table issues
Changes in grafana:
- BuildRequire go1.14 explicitly
- Add recompress source service
- Add go_modules source service to create vendor.tar.gz
containing 3rd party go modules.
- Adjust spec to work for Grafana-6.7.4
- Adjust Makefile to work for Grafana-6.7.4
- Remove CVE-2019-15043.patch (merged upstream)
- Remove CVE-2020-13379.patch (merged upstream)
- Remove 0001-fix-XSS-vulnerabilities-in-dashboard-links.patch (merged upstream)
- Remove 0002-CVE-2020-12052-bsc1170657-XSS-annotation-popup-vulnerability.patch
(merged upstream)
- Remove systemd-notification.patch (merged upstream)
- Update to version 6.7.4 (bsc#1172450, CVE-2018-18623,
CVE-2018-18624, CVE-2018-18625, bsc#1174583, CVE-2020-11110)
* Security: Urgent security fix for stored XSS
- Update to version 6.7.3
* Admin: Fix Synced via LDAP message for non-LDAP external users. [#23477]
* Alerting: Fix notifications for alerts with empty message in Google
Hangouts notifier. [#23559]
* AuthProxy: Fix bug where long username could not be cached. [#22926]
* Dashboard: Fix saving dashboard when editing raw dashboard JSON model.
[#23314]
* Dashboard: Try to parse 8 and 15 digit numbers as timestamps if parsing of
time range as date fails. [#21694]
* DashboardListPanel: Fix problem with empty panel after going into edit
mode (General folder filter being automatically added) . [#23426]
* Data source: Handle datasource withCredentials option properly. [#23380]
* Security: Fix annotation popup XSS vulnerability [#23813]
* Security: Fix XSS vulnerability in table panel [#23816]
* Server: Exit Grafana with status code 0 if no error. [#23312]
* TablePanel: Fix XSS issue in header column rename (backport). [#23814]
* Variables: Fix error when setting adhoc variable values. [#23580]
- Update to version 6.7.2
* BackendSrv: Adds config to response to fix issue for external plugins that
used this property . [#23032]
* Dashboard: Fix issue with saving new dashboard after changing title .
[#23104]
* DataLinks: make sure we use the correct datapoint when dataset contains
null value.. [#22981]
* Plugins: Fix issue for plugins that imported dateMath util . [#23069]
* Security: Fix for dashboard snapshot original dashboard link could contain
XSS vulnerability in url. [#23254]
* Variables: Fix issue with too many queries being issued for nested
template variables after value change. [#23220]
* Plugins: Expose promiseToDigest. [#23249]
* Reporting: Fix issue updating a report created by someone else
(Enterprise)
- Update to version 6.7.1
* Azure: Fix dropdowns not showing current value. [#22914]
* BackendSrv: only add content-type on POST, PUT requests. [#22910]
* Panels: Fix size issue with panel internal size when exiting panel edit
mode. [#22912]
* Reporting: fixes migrations compatibility with mysql (Enterprise)
* Reporting: Reduce default concurrency limit to 4 (Enterprise)
- Update to version 6.7.0
* AzureMonitor: support workspaces function for template variables. [#22882]
* SQLStore: Add migration for adding index on annotation.alert_id. [#22876]
* TablePanel: Enable new units picker . [#22833]
* AngularPanels: Fix inner height calculation for angular panels. [#22796]
* BackendSrv: makes sure provided headers are correctly recognized and set. [#22778]
* Forms: Fix input suffix position (caret-down in Select) . [#22780]
* Graphite: Fix issue with query editor and next select metric now showing
after selecting metric node [#22856]
* Rich History: UX adjustments and fixes. [#22729]
* Slack: Removed _Mention_ setting and instead introduce _Mention Users_,
_Mention Groups_, and _Mention Channel_.
* Alerting: Reverts the behavior of `diff` and `percent_diff` to not always
be absolute.
* API: Include IP address when logging request error. [#21596]
* Alerting: Support passing tags to Pagerduty and allow notification on
specific event categories [#21335]
* Chore: Remove angular dependency from backendSrv. [#20999]
* CloudWatch: Surround dimension names with double quotes. [#22222]
* CloudWatch: updated metrics and dimensions for Athena, DocDB, and
Route53Resolver. [#22604]
* Cloudwatch: add Usage Metrics. [#22179]
* Dashboard: Adds support for a global minimum dashboard refresh interval.
[#19416]
* DatasourceEditor: Add UI to edit custom HTTP headers. [#17846]
Elastic: To get fields, start with today's index and go backwards. [#22318]
* Explore: Rich history. [#22570]
* Graph: canvas's Stroke is executed after loop. [#22610]
* Graphite: Don't issue empty 'select metric' queries. [#22699]
* Image Rendering: Store render key in remote cache to enable renderer to
callback to public/load balancer URL when running in HA mode. [#22031]
* LDAP: Add fallback to search_base_dns if group_search_base_dns is
undefined [#21263]
* OAuth: Implement Azure AD provide. [#20030]
* Prometheus: Implement region annotation. [#22225]
* Prometheus: make \$\_\_range more precise. [#21722]
* Prometheus: Do not show rate hint when increase function is used in query.
[#21955]
* Stackdriver: Project selector. [#22447]
* TablePanel: display multi-line text. [#20210]
* Templating: Add new global built-in variables. [#21790]
* Reporting: add concurrent render limit to settings (Enterprise)
* Reporting: Add rendering timeout in settings (Enterprise)
* API: Fix redirect issues. [#22285]
* Alerting: Don't include image_url field with Slack message if empty.
[#22372]
* Alerting: Fix bad background color for default notifications in alert tab
. [#22660]
* Annotations: In table panel when setting transform to annotation, they will
now show up right away without a manual refresh. [#22323]
* Azure Monitor: Fix app insights source to allow for new timeFrom and
timeTo. [#21879]
* BackendSrv: Fix POST body for form data. [#21714]
* CloudWatch: Credentials cache invalidation fix. [#22473]
CloudWatch: Expand alias variables when query yields no result [#22695]
* Dashboard: Fix bug with NaN in alerting. [#22053]
* Explore: Fix display of multiline logs in log panel and explore. [#22057]
* Heatmap: Legend color range is incorrect when using custom min/max
[#21748]
* Security: Fix XSS issue in dashboard history diff. [#22680]
* StatPanel: Fix base color being used for null values. [#22646]
- Update to version 6.6.2
* Data proxy: Log proxy errors using Grafana logger. [#22174]
* Metrics: Add gauge for requests currently in flight. [#22168]
* @grafana/ui: Fix displaying of bars in React Graph. [#21968]
* API: Fix redirect issue when configured to use a subpath. [#21652]
* API: Improve recovery middleware when response already been written [#22256]
* Auth: Don't rotate auth token when requests are cancelled by client [#22106]
* Elasticsearch: Fix auto interval for date histogram in explore logs mode. [#21937]
* Image Rendering: Fix PhantomJS compatibility with es2016 node dependencies. [#21677]
* Links: Assure base url when single stat, panel and data links are built. [#21956]
* Loki, Prometheus: Fix PromQL and LogQL syntax highlighting. [#21944]
* OAuth: Enforce auto_assign_org_id setting when role mapping enabled using
Generic OAuth. [#22268]
* Prometheus: Updates explore query editor to prevent it from throwing error
on edit. [#21605]
* Server: Reorder cipher suites for better security. [#22101]
* TimePicker: fixing weird behavior with calendar when switching between
months/years. [#22253]
- Update to version 6.6.1
* Annotations: Change indices and rewrites annotation find query to improve
database query performance. [#21915]
* Azure Monitor: Fix Application Insights API key field to allow input. [#21738]
* BarGauge: Fix so we properly display the 'no result' value when query
returns empty result. [#21791]
* Datasource: Show access (Browser/Server) select on the Prometheus
datasource. [#21833]
* DatasourceSettings: Fix issue navigating away from data source settings
page. [#21841]
* Graph Panel: Fix typo in thresholds form. [#21903]
* Graphite: Fix issue with functions with multiple required params and no
defaults [#21814]
* Image Rendering: Fix render of graph panel legend aligned to the right
using Grafana image renderer plugin/service. [#21854]
* Metrics: Adds back missing summary quantiles. [#21858]
* OpenTSDB: Adds back missing ngInject to make it work again. [#21796]
* Plugins: Fix routing in app plugin pages. [#21847]
* Prometheus: Fix default step value for annotation query. [#21934]
* Quota: Makes LDAP + Quota work for the first login of a new user. [#21949]
* StatPanels: Fix change from singlestat to Gauge / BarGauge / Stat where
default min & max (0, 100) was copied . [#21820]
* TimePicker: Should display in kiosk mode. [#21816]
* grafana/toolkit: Fix failing linter when there were lint issues. [#21849]
- Update to version 6.6.0
* CloudWatch: Add DynamoDB Accelerator (DAX) metrics & dimensions. [#21644]
* CloudWatch: Auto period snap to next higher period. [#21659]
* Template variables: Add error for failed query variable on time range
update. [#21731]
* XSS: Sanitize column link. [#21735]
* Elasticsearch: Fix adhoc variable filtering for logs query. [#21346]
* Explore: Fix colors for log level when level value is capitalised. [#21646]
* Explore: Fix context view in logs, where some rows may have been filtered
out. [#21729]
Loki: Fix Loki with repeated panels and interpolation for Explore. [#21685]
* SQLStore: Fix PostgreSQL failure to create organisation for first time. [#21648]
* PagerDuty: Change `payload.custom_details` field in PagerDuty notification
to be a JSON object instead of a string.
* Security: The `[security]` setting `cookie_samesite` configured to `none`
now renders cookies with `SameSite=None` attribute.
* Graphite: Add Metrictank dashboard to Graphite datasource
* Admin: Show name of user in users table view. [#18108]
* Alerting: Add configurable severity support for PagerDuty notifier. [#19425]
* Alerting: Add more information to webhook notifications. [#20420]
* Alerting: Add support for sending tags in OpsGenie notifier. [#20810]
* Alerting: Added fallbackText to Google Chat notifier. [#21464]
* Alerting: Adds support for sending a single email to all recipients in
email notifier. [#21091]
* Alerting: Enable setting of OpsGenie priority via a tag. [#21298]
* Alerting: Use fully qualified status emoji in Threema notifier. [#21305]
* Alerting: new min_interval_seconds option to enforce a minimum evaluation
frequency. [#21188]
* CloudWatch: Calculate period based on time range. [#21471]
* CloudWatch: Display partial result in graph when max DP/call limit is
reached. [#21533]
* CloudWatch: ECS/ContainerInsights metrics support. [#21125]
* CloudWatch: Upgrade aws-sdk-go. [#20510]
* DataLinks: allow using values from other fields in the same row (cells). [#21478]
* Editor: Ignore closing brace when it was added by editor. [#21172]
* Explore: Context tooltip to copy labels and values from graph. [#21405]
* Explore: Log message line wrapping options for logs. [#20360]
* Forms: introduce RadioButtonGroup. [#20828]
* Frontend: Changes in Redux location should not strip subpath from location
url. [#20161]
* Graph: Add fill gradient option to series override line fill. [#20941]
* Graphite: Add metrictank dashboard to Graphite datasource. [#20776]
* Graphite: Do not change query when opening the query editor and there is no
data. [#21588]
* Gravatar: Use HTTPS by default. [#20964]
* Loki: Support for template variable queries. [#20697]
* NewsPanel: Add news as a builtin panel. [#21128]
* OAuth: Removes send_client_credentials_via_post setting. [#20044]
* OpenTSDB: Adding lookup limit to OpenTSDB datasource settings. [#20647]
* Postgres/MySQL/MSSQL: Adds support for region annotations. [#20752]
* Prometheus: Field to specify step in Explore. [#20195]
* Prometheus: User metrics metadata to inform query hints. [#21304]
* Renderer: Add user-agent to remote rendering service requests. [#20956]
* Security: Add disabled option for cookie samesite attribute. [#21472]
* Stackdriver: Support meta labels. [#21373]
* TablePanel, GraphPanel: Exclude hidden columns from CSV. [#19925]
* Templating: Update variables on location changed. [#21480]
* Tracing: Support configuring Jaeger client from environment. [#21103]
* Units: Add currency and energy units. [#20428]
* Units: Support dynamic count and currency units. [#21279]
* grafana/toolkit: Add option to override webpack config. [#20872]
* grafana/ui: ConfirmModal component. [#20965]
* grafana/ui: Create Tabs component. [#21328]
* grafana/ui: New table component. [#20991]
* grafana/ui: New updated time picker. [#20931]
* White-labeling: Makes it possible to customize the footer and login
background (Enterprise)
* API: Optionally list expired API keys. [#20468]
* Alerting: Fix custom_details to be a JSON object instead of a string in
PagerDuty notifier. [#21150]
* Alerting: Fix image rendering and uploading timeout preventing to send
alert notifications. [#21536]
* Alerting: Fix panic in dingding notifier. [#20378]
* Alerting: Fix template query validation logic. [#20721]
* Alerting: If no permission to clear history, keep the historical data. [#19007]
* Alerting: Unpausing a non-paused alert rule should not change status to
Unknown. [#21375]
* Api: Fix returned message when enabling, disabling and deleting a
non-existing user. [#21391]
* Auth: Rotate auth tokens at the end of requests. [#21347]
* Azure Monitor: Fix error when using azure monitor credentials with log
analytics and non-default cloud. [#21032]
* CLI: Return error and aborts when plugin file extraction fails. [#20849]
* CloudWatch: Multi-valued template variable dimension alias fix. [#21541]
* Dashboard: Disable draggable panels on small devices. [#20629]
* DataLinks: Links with \${\_\_value.time} do not work when clicking on first
result. [#20019]
* Explore: Fix showing of results in selected timezone (UTC/local). [#20812]
* Explore: Fix timepicker when browsing back after switching datasource. [#21454]
* Explore: Sync timepicker and logs after live-tailing stops. [#20979]
* Graph: Fix when clicking a plot on a touch device we won't display the
annotation menu. [#21479]
* OAuth: Fix role mapping from id token. [#20300]
* Plugins: Add appSubUrl string to config pages. [#21414]
* Provisioning: Start provision dashboards after Grafana server have started. [#21564]
* Render: Use https as protocol when rendering if HTTP2 enabled. [#21600]
* Security: Use same cookie settings for all cookies. [#19787]
* Singlestat: Support empty value map texts. [#20952]
* Units: Custom suffix and prefix units can now be specified, for example
custom currency & SI & time formats. [#20763]
* grafana/ui: Do not build grafana/ui in strict mode as it depends on
non-strict libs. [#21319]
- Update to version 6.5.3
* API: Validate redirect_to cookie has valid (Grafana) url. [#21057]
* AdHocFilter: Shows SubMenu when filtering directly from table. [#21017]
* Cloudwatch: Fix crash when switching from cloudwatch data source. [#21376]
* DataLinks: Sanitize data/panel link URLs. [#21140]
* Elastic: Fix multiselect variable interpolation for logs. [#20894]
* Prometheus: allow user to change HTTP Method in config settings. [#21055]
* Prometheus: Prevents validation of inputs when clicking in them without
changing the value. [#21059]
* Rendering: Fix panel PNG rendering when using sub url and
serve_from_sub_path = true. [#21306]
* Table: Matches column names with unescaped regex characters. [#21164]
- Update to version 6.5.2
* Alerting: Improve alert threshold handle dragging behavior. [#20922]
* AngularPanels: Fix loading spinner being stuck in some rare cases. [#20878]
* CloudWatch: Fix query editor does not render in Explore. [#20909]
* CloudWatch: Remove illegal character escaping in inferred expressions. [#20915]
* CloudWatch: Remove template variable error message. [#20864]
* CloudWatch: Use datasource template variable in curated dashboards. [#20917]
* Elasticsearch: Set default port to 9200 in ConfigEditor. [#20948]
* Gauge/BarGauge: Added support for value mapping of 'no data'-state to
text/value. [#20842]
* Graph: Prevent tooltip from being displayed outside of window. [#20874]
* Graphite: Fix error with annotation metric queries. [#20857]
* Login: Fix fatal error when navigating from reset password page. [#20747]
* MixedDatasources: Do not filter out all mixed data sources in add mixed
query dropdown. [#20990]
* Prometheus: Fix caching for default labels request. [#20718]
* Prometheus: Run default labels query only once. [#20898]
* Security: Fix invite link still accessible after completion or revocation. [#20863]
* Server: Fail when unable to create log directory. [#20804]
* TeamPicker: Increase size limit from 10 to 100. [#20882]
* Units: Remove SI prefix symbol from new milli/microSievert(/h) units. [#20650]
- Update to version 6.5.1
* CloudWatch: Region template query fix. [#20661]
* CloudWatch: Fix annotations query editor loading. [#20687]
* Panel: Fix undefined services/dependencies in plugins without
`/@ngInject*/`. [#20696]
* Server: Fix failure to start with 'bind: address already in use' when using
socket as protocol. [#20679]
* Stats: Fix active admins/editors/viewers stats are counted more than once
if the user is part of more than one org. [#20711]
- Update to version 6.5.0
* CloudWatch: Add curated dashboards for most popular amazon services. [#20486]
* CloudWatch: Enable Min time interval. [#20260]
* Explore: UI improvements for log details. [#20485]
* Server: Improve grafana-server diagnostics configuration for profiling and
tracing. [#20593]
* BarGauge/Gauge: Add back missing title option field display options. [#20616]
* CloudWatch: Fix high CPU load. [#20579]
* CloudWatch: Fix high resolution mode without expression. [#20459]
* CloudWatch: Make sure period variable is being interpreted correctly. [#20447]
* CloudWatch: Remove HighResolution toggle since it's not being used. [#20440]
* Cloudwatch: Fix LaunchTime attribute tag bug. [#20237]
* Data links: Fix URL field turns read-only for graph panels. [#20381]
* Explore: Keep logQL filters when selecting labels in log row details. [#20570]
* MySQL: Fix TLS auth settings in config page. [#20501]
* Provisioning: Fix unmarshaling nested jsonData values. [#20399]
* Server: Should fail when server is unable to bind port. [#20409]
* Templating: Prevents crash when \$\_\_searchFilter is not a string. [#20526]
* TextPanel: Fix issue with template variable value not properly html
escaped [#20588]
* TimePicker: Should update after location change. [#20466]
* CloudWatch: use GetMetricsData API for all queries
* CloudWatch: The GetMetricData API does not return metric unit, so unit auto
detection in panels is no longer supported.
* CloudWatch: The `HighRes` switch has been removed from the query editor.
* API: Add `createdAt` and `updatedAt` to api/users/lookup. [#19496]
* API: Add createdAt field to /api/users/:id. [#19475]
* Admin: Adds setting to disable creating initial admin user. [#19505]
* Alerting: Include alert_state in Kafka notifier payload. [#20099]
* AuthProxy: Can now login with auth proxy and get a login token. [#20175]
* AuthProxy: replaces setting ldap_sync_ttl with sync_ttl. [#20191]
* AzureMonitor: Alerting for Azure Application Insights. [#19381]
* Build: Upgrade to Go 1.13. [#19502]
* CLI: Reduce memory usage for plugin installation. [#19639]
* CloudWatch: Add ap-east-1 to hard-coded region lists. [#19523]
* CloudWatch: ContainerInsights metrics support. [#18971]
* CloudWatch: Support dynamic queries using dimension wildcards [#20058]
* CloudWatch: Stop using GetMetricStatistics and use GetMetricData for all
time series requests [#20057]
* CloudWatch: Convert query editor from Angular to React [#19880]
* CloudWatch: Convert config editor from Angular to React [#19881]
* CloudWatch: Improved error handling when throttling occurs [#20348]
* CloudWatch: Deep linking from Grafana panel to CloudWatch console [#20279]
* CloudWatch: Add Grafana user agent to GMD calls [#20277]
* Dashboard: Allows the d-solo route to be used without slug. [#19640]
* Elasticsearch: Adds support for region annotations. [#17602]
* Explore: Add custom DataLinks on datasource level (like tracing links). [#20060]
* Explore: Add functionality to show/hide query row results. [#19794]
* Explore: Synchronise time ranges in split mode. [#19274]
* Explore: UI change for log row details . [#20034]
* Frontend: Migrate DataSource HTTP Settings to React. [#19452]
* Frontend: Show browser not supported notification. [#19904]
* Graph: Added series override option to have hidden series be persisted on
save. [#20124]
* Graphite: Add Metrictank option to settings to view Metrictank request
processing info in new inspect feature. [#20138]
* LDAP: Enable single user sync. [#19446]
* LDAP: Last org admin can login but wont be removed. [#20326]
* LDAP: Support env variable expressions in ldap.toml file. [#20173]
* OAuth: Generic OAuth role mapping support. [#17149]
* Prometheus: Custom query parameters string for Thanos downsampling. [#19121]
* Provisioning: Allow saving of provisioned dashboards. [#19820]
* Security: Minor XSS issue resolved by angularjs upgrade from 1.6.6 ->
1.6.9. [#19849]
* TablePanel: Prevents crash when data contains mixed data formats. [#20202]
* Templating: Introduces \$\_\_searchFilter to Query Variables. [#19858]
* Templating: Made default template variable query editor field a textarea
with automatic height. [#20288]
* Units: Add milli/microSievert, milli/microSievert/h and pixels. [#20144]
* Units: Added mega ampere and watt-hour per kg. [#19922]
* Enterprise: Enterprise without a license behaves like OSS (Enterprise)
* API: Added dashboardId and slug in response to dashboard import api. [#19692]
* API: Fix logging of dynamic listening port. [#19644]
* BarGauge: Fix so that default thresholds not keeps resetting. [#20190]
* CloudWatch: Fix incorrect casing of Redshift dimension entry for service
class and stage. [#19897]
* CloudWatch: Fixing AWS Kafka dimension names. [#19986]
* CloudWatch: Metric math broken when using multi template variables [#18337]
* CloudWatch: Graphs with multiple multi-value dimension variables don't work [#17949]
* CloudWatch: Variables' values surrounded with braces in request sent to AWS [#14451]
* CloudWatch: Cloudwatch Query for a list of instances for which data is
available in the selected time interval [#12784]
* CloudWatch: Dimension's positioning/order should be stored in the json
dashboard [#11062]
* CloudWatch: Batch CloudWatch API call support in backend [#7991]
* ColorPicker: Fix issue with ColorPicker disappearing too quickly. [#20289]
* Datasource: Add custom headers on alerting queries. [#19508]
plugins in alpine. [#20214]
* Elasticsearch: Fix template variables interpolation when redirecting to
Explore. [#20314]
* Elasticsearch: Support rendering in logs panel. [#20229]
* Explore: Expand template variables when redirecting from dashboard panel. [#19582]
* OAuth: Make the login button display name of custom OAuth provider. [#20209]
* ReactPanels: Adds Explore menu item. [#20236]
* Team Sync: Fix URL encode Group IDs for external team sync. [#20280]
- Update to version 6.4.5
* CloudWatch: Fix high CPU load [#20579]
- Update to version 6.4.4
* MySQL: Fix encoding in connection string [#20192]
* DataLinks: Fix blur issues. [#19883]
* LDAP: try all LDAP servers even if one returns a connection error. [#20077]
* LDAP: No longer shows incorrectly matching groups based on role in debug
page. [#20018]
* Singlestat: Fix no data / null value mapping . [#19951]
- Update to version 6.4.3
* Alerting: All notification channels should send even if one fails to send. [#19807]
* AzureMonitor: Fix slate interference with dropdowns. [#19799]
* ContextMenu: make ContextMenu positioning aware of the viewport width. [#19699]
* DataLinks: Fix context menu not showing in singlestat-ish visualisations. [#19809]
* DataLinks: Fix url field not releasing focus. [#19804]
* Datasource: Fix issue where clicking outside of some query editors required
2 clicks. [#19822]
* Panels: Fix default tab for visualizations without Queries Tab. [#19803]
* Singlestat: Fix issue with mapping null to text. [#19689]
* @grafana/toolkit: Don't fail plugin creation when git user.name config is
not set. [#19821]
* @grafana/toolkit: TSLint line number off by 1. [#19782]
- Update to version 6.4.2
* CloudWatch: Changes incorrect dimension wmlid to wlmid . [#19679]
* Grafana Image Renderer: Fix plugin page. [#19664]
* Graph: Fix auto decimals logic for y axis ticks that results in too many
decimals for high values. [#19618]
* Graph: Switching to series mode should re-render graph. [#19623]
* Loki: Fix autocomplete on label values. [#19579]
* Loki: Removes live option for logs panel. [#19533]
* Profile: Fix issue with user profile not showing more than sessions
sessions in some cases. [#19578]
* Prometheus: Always sort results in Panel by query order. [#19597]
* Show SAML login button if SAML is enabled. [#19591]
* SingleStat: Fix $__name postfix/prefix usage. [#19687]
* Table: Proper handling of json data with dataframes. [#19596]
* Units: Fix wrong id for Terabits/sec. [#19611]
- Update to version 6.4.1
* Provisioning: Fix issue where empty nested keys in YAML provisioning
caused server crash, [#19547]
- Update to version 6.4.0
* Build: Upgrade go to 1.12.10. [#19499]
* DataLinks: Suggestions menu improvements. [#19396]
* Explore: Take root_url setting into account when redirecting from dashboard
to explore. [#19447]
* Explore: Update broken link to logql docs. [#19510]
* Logs: Adds Logs Panel as a visualization. [#19504]
* Reporting: Generate and email PDF reports based on Dashboards (Enterprise)
* CLI: Fix version selection for plugin install. [#19498]
* Graph: Fix minor issue with series override color picker and custom color. [#19516]
* Splunk plugin needs to be updated when upgrading from 6.3 to 6.4
* Azure Monitor: Remove support for cross resource queries (#19115)'. [#19346]
* Graphite: Time range expansion reduced from 1 minute to 1 second. [#19246]
* grafana/toolkit: Add plugin creation task. [#19207]
* Alerting: Prevents creating alerts from unsupported queries. [#19250]
* Alerting: Truncate PagerDuty summary when greater than 1024 characters. [#18730]
* Cloudwatch: Fix autocomplete for Gamelift dimensions. [#19146]
* Dashboard: Fix export for sharing when panels use default data source. [#19315]
* Database: Rewrite system statistics query to perform better. [#19178]
* Gauge/BarGauge: Fix issue with [object Object] in titles . [#19217]
* MSSQL: Revert usage of new connectionstring format introduced by #18384. [#19203]
* Multi-LDAP: Do not fail-fast on invalid credentials. [#19261]
* MySQL, Postgres, MSSQL: Fix validating query with template variables in
alert. [#19237]
* MySQL, Postgres: Update raw sql when query builder updates. [#19209]
* MySQL: Limit datasource error details returned from the backend. [#19373]
* Reporting: Created scheduled PDF reports for any dashboard (Enterprise).
* API: Readonly datasources should not be created via the API. [#19006]
* Alerting: Include configured AlertRuleTags in Webhooks notifier. [#18233]
* Annotations: Add annotations support to Loki. [#18949]
* Annotations: Use a single row to represent a region. [#17673]
* Auth: Allow inviting existing users when login form is disabled. [#19048]
* Azure Monitor: Add support for cross resource queries. [#19115]
* CLI: Allow installing custom binary plugins. [#17551]
* Dashboard: Adds Logs Panel (alpha) as visualization option for Dashboards. [#18641]
* Dashboard: Reuse query results between panels . [#16660]
* Dashboard: Set time to to 23:59:59 when setting To time using calendar. [#18595]
* DataLinks: Add DataLinks support to Gauge, BarGauge and stat panel. [#18605]
* DataLinks: Enable access to labels & field names. [#18918]
* DataLinks: Enable multiple data links per panel. [#18434]
* Elasticsearch: allow templating queries to order by doc_count. [#18870]
* Explore: Add throttling when doing live queries. [#19085]
* Explore: Adds ability to go back to dashboard, optionally with query
changes. [#17982]
* Explore: Reduce default time range to last hour. [#18212]
* Gauge/BarGauge: Support decimals for min/max. [#18368]
* Graph: New series override transform constant that renders a single point
as a line across the whole graph. [#19102]
* Image rendering: Add deprecation warning when PhantomJS is used for
rendering images. [#18933]
* InfluxDB: Enable interpolation within ad-hoc filter values. [#18077]
* LDAP: Allow an user to be synchronized against LDAP. [#18976]
* Ldap: Add ldap debug page. [#18759]
* Loki: Remove prefetching of default label values. [#18213]
* Metrics: Add failed alert notifications metric. [#18089]
* OAuth: Support JMES path lookup when retrieving user email. [#14683]
* OAuth: return GitLab groups as a part of user info (enable team sync). [#18388]
* Panels: Add unit for electrical charge - ampere-hour. [#18950]
* Plugin: AzureMonitor - Reapply MetricNamespace support. [#17282]
* Plugins: better warning when plugins fail to load. [#18671]
* Postgres: Add support for scram sha 256 authentication. [#18397]
* RemoteCache: Support SSL with Redis. [#18511]
* SingleStat: The gauge option in now disabled/hidden (unless it's an old
panel with it already enabled) . [#18610]
* Stackdriver: Add extra alignment period options. [#18909]
* Units: Add South African Rand (ZAR) to currencies. [#18893]
* Units: Adding T,P,E,Z,and Y bytes. [#18706]
* Alerting: Notification is sent when state changes from no_data to ok. [#18920]
* Alerting: fix duplicate alert states when the alert fails to save to the
database. [#18216]
* Alerting: fix response popover prompt when add notification channels. [#18967]
* CloudWatch: Fix alerting for queries with Id (using GetMetricData). [#17899]
* Explore: Fix auto completion on label values for Loki. [#18988]
* Explore: Fix crash using back button with a zoomed in graph. [#19122]
* Explore: only run queries in Explore if Graph/Table is shown. [#19000]
* MSSQL: Change connectionstring to URL format to fix using passwords with
semicolon. [#18384]
* MSSQL: Fix memory leak when debug enabled. [#19049]
* Provisioning: Allow escaping literal '$' with '$\$' in configs to avoid
interpolation. [#18045]
* TimePicker: Fix hiding time picker dropdown in FireFox. [#19154]
* Various breaking changes in the annotations HTTP API for region annotations.
- Update to version 6.3.7
* CloudWatch: Fix high CPU load [#20579]
- Update to version 6.3.6
* Metrics: Adds setting for turning off total stats metrics. [#19142]
* Database: Rewrite system statistics query to perform better. [#19178]
* Explore: Fix error when switching from prometheus to loki data sources. [#18599]
- Update to version 6.3.5
* Dashboard: Fix dashboards init failed loading error for dashboards with
panel links that had missing properties. [#18786]
* Editor: Fix issue where only entire lines were being copied. [#18806]
* Explore: Fix query field layout in splitted view for Safari browsers. [#18654]
* LDAP: multildap + ldap integration. [#18588]
* Profile/UserAdmin: Fix for user agent parser crashes grafana-server on
32-bit builds. [#18788]
* Prometheus: Prevents panel editor crash when switching to Prometheus data
source. [#18616]
* Prometheus: Changes brace-insertion behavior to be less annoying. [#18698]
- Update to version 6.3.4
* Annotations: Fix failing annotation query when time series query is
cancelled. [#18532]
* Auth: Do not set SameSite cookie attribute if cookie_samesite is none. [#18462]
* DataLinks: Apply scoped variables to data links correctly. [#18454]
* DataLinks: Respect timezone when displaying datapoint's timestamp in graph
context menu. [#18461]
* DataLinks: Use datapoint timestamp correctly when interpolating variables. [#18459]
* Explore: Fix loading error for empty queries. [#18488]
* Graph: Fix legend issue clicking on series line icon and issue with
horizontal scrollbar being visible on windows. [#18563]
* Graphite: Avoid glob of single-value array variables . [#18420]
* Prometheus: Fix queries with label_replace remove the \$1 match when
loading query editor. [#18480]
* Prometheus: More consistently allows for multi-line queries in editor. [#18362]
* TimeSeries: Assume values are all numbers. [#18540]
- Update to version 6.3.2
* Gauge/BarGauge: Fix issue with lost thresholds and an issue loading Gauge
with avg stat. [#18375]
- Update to version 6.3.1
* PanelLinks: Fix crash issue with Gauge & Bar Gauge panels with panel links
(drill down links). [#18430]
- Update to version 6.3.0
* OAuth: Do not set SameSite OAuth cookie if cookie_samesite is None. [#18392]
* PanelLinks: Fix render issue when there is no panel description. [#18408]
* Auth Proxy: Include additional headers as part of the cache key. [#18298]
* OAuth: Fix 'missing saved state' OAuth login failure due to SameSite cookie
policy. [#18332]
* cli: fix for recognizing when in dev mode.. [#18334]
* Build grafana images consistently. [#18224]
* Docs: SAML. [#18069]
* Permissions: Show plugins in nav for non admin users but hide plugin
configuration. [#18234]
* TimePicker: Increase max height of quick range dropdown. [#18247]
* DataLinks: Fix incorrect interpolation of \${\_\_series_name} . [#18251]
* Loki: Display live tailed logs in correct order in Explore. [#18031]
* PhantomJS: Fix rendering on Debian Buster. [#18162]
* TimePicker: Fix style issue for custom range popover. [#18244]
* Timerange: Fix a bug where custom time ranges didn't respect UTC. [#18248]
* remote_cache: Fix redis connstr parsing. [#18204]
* Alerting: Add tags to alert rules. [#10989]
* Alerting: Attempt to send email notifications to all given email addresses. [#16881]
* Alerting: Improve alert rule testing. [#16286]
* Alerting: Support for configuring content field for Discord alert notifier. [#17017]
* Alertmanager: Replace illegal chars with underscore in label names. [#17002]
* Auth: Allow expiration of API keys. [#17678]
* Auth: Return device, os and browser when listing user auth tokens in HTTP
API. [#17504]
* Auth: Support list and revoke of user auth tokens in UI. [#17434]
* AzureMonitor: change clashing built-in Grafana variables/macro names for
Azure Logs. [#17140]
* CloudWatch: Made region visible for AWS Cloudwatch Expressions. [#17243]
* Cloudwatch: Add AWS DocDB metrics. [#17241]
* Dashboard: Use timezone dashboard setting when exporting to CSV. [#18002]
* Data links. [#17267]
* Elasticsearch: Support for visualizing logs in Explore . [#17605]
* Explore: Adds Live option for supported data sources. [#17062]
* Explore: Adds orgId to URL for sharing purposes. [#17895]
* Explore: Adds support for new loki 'start' and 'end' params for labels
endpoint. [#17512]
* Explore: Adds support for toggling raw query mode in explore. [#17870]
* Explore: Allow switching between metrics and logs . [#16959]
* Explore: Combines the timestamp and local time columns into one. [#17775]
* Explore: Display log lines context . [#17097]
* Explore: Don't parse log levels if provided by field or label. [#17180]
* Explore: Improves performance of Logs element by limiting re-rendering. [#17685]
* Explore: Support for new LogQL filtering syntax. [#16674]
* Explore: Use new TimePicker from Grafana/UI. [#17793]
* Explore: handle newlines in LogRow Highlighter. [#17425]
* Graph: Added new fill gradient option. [#17528]
* GraphPanel: Don't sort series when legend table & sort column is not
visible. [#17095]
* InfluxDB: Support for visualizing logs in Explore. [#17450]
* Logging: Login and Logout actions (#17760). [#17883]
* Logging: Move log package to pkg/infra. [#17023]
* Metrics: Expose stats about roles as metrics. [#17469]
* MySQL/Postgres/MSSQL: Add parsing for day, weeks and year intervals in
macros. [#13086]
* MySQL: Add support for periodically reloading client certs. [#14892]
* Plugins: replace dataFormats list with skipDataQuery flag in plugin.json. [#16984]
* Prometheus: Take timezone into account for step alignment. [#17477]
* Prometheus: Use overridden panel range for \$\_\_range instead of dashboard
range. [#17352]
* Prometheus: added time range filter to series labels query. [#16851]
* Provisioning: Support folder that doesn't exist yet in dashboard
provisioning. [#17407]
* Refresh picker: Handle empty intervals. [#17585]
* Singlestat: Add y min/max config to singlestat sparklines. [#17527]
* Snapshot: use given key and deleteKey. [#16876]
* Templating: Correctly display __text in multi-value variable after page
reload. [#17840]
* Templating: Support selecting all filtered values of a multi-value
variable. [#16873]
* Tracing: allow propagation with Zipkin headers. [#17009]
* Users: Disable users removed from LDAP. [#16820]
* SAML: Add SAML as an authentication option (Enterprise)
* AddPanel: Fix issue when removing moved add panel widget . [#17659]
* CLI: Fix encrypt-datasource-passwords fails with sql error. [#18014]
* Elasticsearch: Fix default max concurrent shard requests. [#17770]
* Explore: Fix browsing back to dashboard panel. [#17061]
* Explore: Fix filter by series level in logs graph. [#17798]
* Explore: Fix issues when loading and both graph/table are collapsed. [#17113]
* Explore: Fix selection/copy of log lines. [#17121]
* Fix: Wrap value of multi variable in array when coming from URL. [#16992]
* Frontend: Fix for Json tree component not working. [#17608]
* Graphite: Fix for issue with alias function being moved last. [#17791]
* Graphite: Fix issue with seriesByTag & function with variable param. [#17795]
* Graphite: use POST for /metrics/find requests. [#17814]
* HTTP Server: Serve Grafana with a custom URL path prefix. [#17048]
* InfluxDB: Fix single quotes are not escaped in label value filters. [#17398]
* Prometheus: Correctly escape '|' literals in interpolated PromQL variables. [#16932]
* Prometheus: Fix when adding label for metrics which contains colons in
Explore. [#16760]
* SinglestatPanel: Remove background color when value turns null. [#17552]
- Update to version 6.2.5
* Grafana-CLI: Wrapper for `grafana-cli` within RPM/DEB packages and
config/homepath are now global flags. [#17695]
* Panel: Fully escape html in drilldown links (was only sanitized before). [#17731]
* Config: Fix connectionstring for remote_cache in defaults.ini. [#17675]
* Elasticsearch: Fix empty query (via template variable) should be sent as
wildcard. [#17488]
* HTTP-Server: Fix Strict-Transport-Security header. [#17644]
* TablePanel: fix annotations display. [#17646]
- Update to version 6.2.4
* Grafana-CLI: Fix receiving flags via command line . [#17617]
* HTTPServer: Fix X-XSS-Protection header formatting. [#17620]
- Update to version 6.2.3
* AuthProxy: Optimistic lock pattern for remote cache Set. [#17485]
* HTTPServer: Options for returning new headers X-Content-Type-Options,
X-XSS-Protection and Strict-Transport-Security. [#17522]
* Auth Proxy: Fix non-negative cache TTL. [#17495]
* Grafana-CLI: Fix receiving configuration flags from the command line. [#17606]
* OAuth: Fix for wrong user token updated on OAuth refresh in DS proxy. [#17541]
* remote_cache: Fix redis. [#17483]
- Update to version 6.2.2
* Security: Prevent CSV formula injection attack when exporting data. [#17363]
* CloudWatch: Fix error when hiding/disabling queries. [#17283]
* Database: Fix slow permission query in folder/dashboard search. [#17427]
* Explore: Fix updating time range before running queries. [#17349]
* Plugins: Fix plugin config page navigation when using subpath. [#17364]
- Update to version 6.2.1
* CLI: Add command to migrate all data sources to use encrypted password fields . [#17118]
* Gauge/BarGauge: Improvements to auto value font size . [#17292]
* Auth Proxy: Resolve database is locked errors. [#17274]
* Database: Retry transaction if sqlite returns database is locked error. [#17276]
* Explore: Fix filtering query by clicked value when a Prometheus Table is
clicked. [#17083]
* Singlestat: Fix issue with value placement and line wraps. [#17249]
* Tech: Update jQuery to 3.4.1 to fix issue on iOS 10 based browsers as well
as Chrome 53.x. [#17290]
- Update to version 6.2.0
* BarGauge: Fix for negative min values. [#17192]
* Gauge/BarGauge: Fix for issues editing min & max options. [#17174]
* Search: Make only folder name only open search with current folder filter. [#17226]
* AzureMonitor: Revert to clearing chained dropdowns. [#17212]
* Data source plugins that process hidden queries need to add a
'hiddenQueries: true' attribute in plugin.json. [#17124]
* Plugins: Support templated urls in plugin routes. [#16599]
* Packaging: New MSI windows installer package\*\*. [#17073]
* Dashboard: Fix blank dashboard after window resize with panel without
title. [#16942]
* Dashboard: Fix lazy loading & expanding collapsed rows on mobile. [#17055]
* Dashboard: Fix scrolling issues for Edge browser. [#17033]
* Dashboard: Show refresh button in first kiosk(tv) mode. [#17032]
* Explore: Fix empty result from data source should render logs container. [#16999]
* Explore: Filter query by clicked value when clicking in a Prometheus Table [#17083]
* Explore: Makes it possible to zoom in Explore/Loki/Graph without exception. [#16991]
* Gauge: Fix orientation issue after switching from BarGauge to Gauge. [#17064]
* GettingStarted: Fix layout issues in getting started panel. [#16941]
* InfluxDB: Fix HTTP method should default to GET. [#16949]
* Panels: Fix alert icon position in panel header. [#17070]
* Panels: Fix panel error tooltip not showing. [#16993]
* Plugins: Fix how datemath utils are exposed to plugins. [#16976]
* Singlestat: fixed centering issue for very small panels. [#16944]
* Search: Scroll issue in dashboard search in latest Chrome. [#17054]
* Gauge: Adds background shade to gauge track and improves height usage. [#17019]
* RemoteCache: Avoid race condition in Set causing error on insert. . [#17082]
* Admin: Add more stats about roles. [#16667]
* Alert list panel: Support variables in filters. [#16892]
* Alerting: Adjust label for send on all alerts to default . [#16554]
* Alerting: Makes timeouts and retries configurable. [#16259]
* Alerting: No notification when going from no data to pending. [#16905]
* Alerting: Pushover alert, support for different sound for OK. [#16525]
* Auth: Enable retries and transaction for some db calls for auth tokens. [#16785]
* AzureMonitor: Adds support for multiple subscriptions per data source. [#16922]
* Bar Gauge: New multi series enabled gauge like panel with horizontal and
vertical layouts and 3 display modes. [#16918]
* Build: Upgrades to golang 1.12.4. [#16545]
* CloudWatch: Update AWS/IoT metric and dimensions. [#16337]
* Config: Show user-friendly error message instead of stack trace. [#16564]
* Dashboard: Enable filtering dashboards in search by current folder. [#16790]
* Dashboard: Lazy load out of view panels . [#15554]
* DataProxy: Restore Set-Cookie header after proxy request. [#16838]
* Data Sources: Add pattern validation for time input on data source config
pages. [#16837]
* Elasticsearch: Add 7.x version support. [#16646]
* Explore: Adds reconnect for failing data source. [#16226]
* Explore: Support user timezone. [#16469]
* InfluxDB: Add support for POST HTTP verb. [#16690]
* Loki: Search is now case insensitive. [#15948]
* OAuth: Update jwt regexp to include `=`. [#16521]
* Panels: No title will no longer make panel header take up space. [#16884]
* Prometheus: Adds tracing headers for Prometheus datasource. [#16724]
* Provisioning: Add API endpoint to reload provisioning configs. [#16579]
* Provisioning: Do not allow deletion of provisioned dashboards. [#16211]
* Provisioning: Interpolate env vars in provisioning files. [#16499]
* Provisioning: Support FolderUid in Dashboard Provisioning Config. [#16559]
* Security: Add new setting allow_embedding. [#16853]
* Security: Store data source passwords encrypted in secureJsonData. [#16175]
* UX: Improve Grafana usage for smaller screens. [#16783]
* Units: Add angle units, Arc Minutes and Seconds. [#16271]
* CloudWatch: Fix query order not affecting series ordering & color. [#16408]
* CloudWatch: Use default alias if there is no alias for metrics. [#16732]
* Config: Fix bug where timeouts for alerting was not parsed correctly. [#16784]
* Elasticsearch: Fix view percentiles metric in table without date histogram. [#15686]
* Explore: Prevents histogram loading from killing Prometheus instance. [#16768]
* Graph: Allow override decimals to fully override. [#16414]
* Mixed Data Source: Fix error when one query is disabled. [#16409]
* Search: Fix search limits and add a page parameter. [#16458]
* Security: Responses from backend should not be cached. [#16848]
* Gauge Panel: The suffix / prefix options have been removed from the new
Gauge Panel (introduced in v6.0). [#16870]
- Update to version 6.1.6
* Security: Bump jQuery to 3.4.0 . [#16761]
* Playlist: Fix loading dashboards by tag. [#16727]
- Update to version 6.1.4
* DataPanel: Added missing built-in interval variables to scopedVars. [#16556]
* Explore: Adds maxDataPoints to data source query options . [#16513]
* Explore: Recalculate intervals on run query. [#16510]
* Heatmap: Fix for empty graph when panel is too narrow (#16378). [#16460]
* Heatmap: Fix auto decimals when bucket name is not number. [#16609]
* QueryInspector: Now shows error responses again. [#16514]
- Update to version 6.1.3
* Graph: Fix auto decimals in legend values for some units like `ms` and
`s`. [#16455]
* Graph: Fix png rendering with legend to the right. [#16463]
* Singlestat: Use decimals when manually specified. [#16451]
* Fix broken UI switches: Default Data Source switch, Explore Logs switches,
Gauge option switches. [#16303]
- Update to version 6.1.2
* Graph: Fix series legend color for hidden series. [#16438]
* Graph: Fix tooltip highlight on white theme. [#16429]
* Styles: Fix menu hover highlight border. [#16431]
* Singlestat Panel: Correctly use the override decimals. [#16413]
- Update to version 6.1.1
* Graphite: Editing graphite query function now works again. [#16390]
* Playlist: Kiosk & auto fit panels modes are working normally again . [#16403]
* QueryEditors: Toggle edit mode now always work on slower computers. [#16394]
- Update to version 6.1.0
* CloudWatch: Fix for dimension value list when changing dimension key. [#16356]
* Graphite: Editing function arguments now works again. [#16297]
* InfluxDB: Fix tag names with periods in alert evaluation. [#16255]
* PngRendering: Fix for panel height & title centering . [#16351]
* Templating: Fix for editing query variables. [#16299]
* Prometheus: adhoc filter support [#8253]
* Permissions: Editors can become admin for dashboards, folders and teams
they create. [#15977]
* Alerting: Don't include non-existing image in MS Teams notifications. [#16116]
* Api: Invalid org invite code [#10506]
* Annotations: Fix for native annotations filtered by template variable with
pipe. [#15515]
* Dashboard: Fix for time regions spanning across midnight. [#16201]
* Data Source: Handles nil jsondata field gracefully [#14239]
* Data Source: Empty user/password was not updated when updating data sources [#15608]
* Elasticsearch: Fix using template variables in the alias field. [#16229]
* Elasticsearch: Fix incorrect index pattern padding in alerting queries. [#15892]
* Explore: Fix for Prometheus autocomplete not working in Firefox. [#16192]
* Explore: Fix for url does not keep query after browser refresh. [#16189]
* Gauge: Interpolate scoped variables in repeated gauges [#15739]
* Graphite: Fix issue with using series ref and series by tag. [#16111]
* Graphite: Fix variable quoting when variable value is numeric. [#16149]
* Heatmap: Fix Y-axis tick labels being in wrong order for some Prometheus
queries. [#15932]
* Heatmap: Negative values are now displayed correctly in graph & legend. [#15953]
* Heatmap: legend shows wrong colors for small values [#14019]
* InfluxDB: Always close request body even for error status codes. [#16207]
* ManageDashboards: Fix for checkboxes not appearing properly Firefox . [#15981]
* Playlist: Leaving playlist now always stops playlist . [#15791]
* Prometheus: fixes regex ad-hoc filters variables with wildcards. [#16234]
* TablePanel: Column color style now works even after removing columns. [#16227]
* TablePanel: Fix for white text on white background when value is null. [#16199]
- Update to version 6.0.2
* Alerting: Fix issue with AlertList panel links resulting in panel not
found errors. [#15975]
* Dashboard: Improved error handling when rendering dashboard panels. [#15970]
* LDAP: Fix allow anonymous server bind for ldap search. [#15872]
* Discord: Fix discord notifier so it doesn't crash when there are no image
generated. [#15833]
* Panel Edit: Prevent search in VizPicker from stealing focus. [#15802]
* Data Source admin: Fix url of back button in data source edit page, when
root_url configured. [#15759]
- Update to version 6.0.1
* Metrics: Fix broken usagestats metrics for /metrics [#15651]
* Dashboard: append &kiosk to the url in Kiosk mode [#15765]
* Dashboard: respect header in kiosk=tv mode with autofitpanels [#15650]
* Image rendering: Fix image rendering issue for dashboards with auto
refresh. [#15818]
* Dashboard: Fix only users that can edit a dashboard should be able to
update panel json. [#15805]
* LDAP: fix allow anonymous initial bind for ldap search. [#15803]
* UX: ixed scrollbar not visible initially (only after manual scroll). [#15798]
* Data Source admin TestData [#15793]
* Dashboard: Fix scrolling issue that caused scroll to be locked to bottom. [#15792]
* Explore: Viewers with viewers_can_edit should be able to access /explore. [#15787]
* Security fix: limit access to org admin and alerting pages. [#15761]
* Panel Edit minInterval changes did not persist [#15757]
* Teams: Fix bug when getting teams for user. [#15595]
* Stackdriver: fix for float64 bounds for distribution metrics [#14509]
* Stackdriver: no reducers available for distribution type [#15179]
- Update to version 6.0.0
* Dashboard: fixes click after scroll in series override menu [#15621]
* MySQL: fix mysql query using \_interval_ms variable throws error [#14507]
* Influxdb: Add support for alerting on InfluxDB queries that use the
non_negative_difference function [#15415]
* Alerting: Fix percent_diff calculation when points are nulls [#15443]
* Alerting: Fix handling of alert urls with true flags [#15454]
* AzureMonitor: Enable alerting by converting Azure Monitor API to Go [#14623]
* Security: Fix CSRF Token validation for POSTs [#1441]
* Internal Metrics Edition has been added to the build_info metric. This will
break any Graphite queries using this metric. Edition will be a new label
for the Prometheus metric. [#15363]
* Gauge: Fix issue with gauge requests being cancelled [#15366]
* Gauge: Accept decimal inputs for thresholds [#15372]
* UI: Fix error caused by named colors that are not part of named colors
palette [#15373]
* Search: Bug pressing special regexp chars in input fields [#12972]
* Permissions: No need to have edit permissions to be able to 'Save as' [#13066]
* Alerting: Adds support for Google Hangouts Chat notifications [#11221]
* Elasticsearch: Support bucket script pipeline aggregations [#5968]
* Influxdb: Add support for time zone (`tz`) clause [#10322]
* Snapshots: Enable deletion of public snapshot [#14109]
* Provisioning: Provisioning support for alert notifiers [#10487]
* Explore: A whole new way to do ad-hoc metric queries and exploration. Split
view in half and compare metrics & logs.
* Auth: Replace remember me cookie solution for Grafana's builtin, LDAP and
OAuth authentication with a solution based on short-lived tokens [#15303]
* Search: Fix for issue with scrolling the 'tags filter' dropdown, fixes [#14486]
* Prometheus: fix annotation always using 60s step regardless of
dashboard range [#14795]
* Annotations: Fix creating annotation when graph panel has no data points
position the popup outside viewport [#13765]
* Piechart/Flot: Fix multiple piechart instances with donut bug [#15062]
* Postgres: Fix default port not added when port not configured [#15189]
* Alerting: Fix crash bug when alert notifier folders are missing [#15295]
* Dashboard: Fix save provisioned dashboard modal [#15219]
* Dashboard: Fix having a long query in prometheus dashboard query editor
* blocks 30% of the query field when on OSX and having native scrollbars
[#15122]
* Explore: Fix issue with wrapping on long queries [#15222]
* Explore: Fix cut & paste adds newline before and after selection [#15223]
* Dataproxy: Fix global data source proxy timeout not added to correct http
client [#15258]
* Text Panel: The text panel does no longer by default allow unsanitized
HTML. [#4117]
* Dashboard: Panel property `minSpan` replaced by `maxPerRow`. Dashboard
* migration will automatically migrate all dashboard panels using the
`minSpan` property to the new `maxPerRow` property [#12991]
- Update to version 5.4.3
* MySQL only update session in mysql database when required [#14540]
* Alerting Invalid frequency causes division by zero in alert scheduler [#14810]
* Dashboard Dashboard links do not update when time range changes [#14493]
* Limits Support more than 1000 data sources per org [#13883]
* Backend fix signed in user for orgId=0 result should return active org id [#14574]
* Provisioning Adds orgId to user dto for provisioned dashboards [#14678]
- Update to version 5.4.2
* Data Source admin: Fix for issue creating new data source when same name
exists [#14467]
* OAuth: Fix for oauth auto login setting, can now be set using env variable [#14435]
- Update to version 5.4.1
* Stackdriver: Fix issue with data proxy and Authorization header [#14262]
* Units: fixedUnit for Flow:l/min and mL/min [#14294]
* Logging: Fix for issue where data proxy logged a secret when debug logging
was enabled, now redacted. [#14319]
* TSDB: Fix always take dashboard timezone into consideration when handle
custom time ranges: Add support for alerting on InfluxDB queries that use
the cumulative_sum function. [#14314]
* Embedded Graphs: Iframe graph panels should now work as usual. [#14284]
* Postgres: Improve PostgreSQL Query Editor if using different Schemas, [#14313]
* Quotas: Fix updating org & user quotas. [#14347]
* Cloudwatch: Add the AWS/SES Cloudwatch metrics of BounceRate and
ComplaintRate to auto complete list. [#14401]
* Dashboard Search: Fix filtering by tag issues.
* Graph: Fix time region issues, [#14425]
- Update to version 5.4.0
* Cloudwatch: Fix invalid time range causes segmentation fault [#14150]
* Cloudwatch: AWS/CodeBuild metrics and dimensions [#14167]
* MySQL: Fix `$__timeFrom()` and `$__timeTo()` should respect local time zone [#14228]
* Graph: Fix legend always visible even if configured to be hidden [#14144]
* Elasticsearch: Fix regression when using data source version 6.0+ and
alerting [#14175]
* Alerting: Introduce alert debouncing with the `FOR` setting. [#7886]
* Alerting: Option to disable OK alert notifications [#12330]
* Postgres/MySQL/MSSQL: Adds support for configuration of max open/idle
connections and connection max lifetime. Also, panels with multiple SQL
queries will now be executed concurrently [#11711]
* MySQL: Graphical query builder [#13762]
* MySQL: Support connecting thru Unix socket for MySQL data source [#12342]
* MSSQL: Add encrypt setting to allow configuration of how data sent between
client and server are encrypted [#13629]
* Stackdriver: Not possible to authenticate using GCE metadata server [#13669]
* Teams: Team preferences (theme, home dashboard, timezone) support [#12550]
* Graph: Time regions support enabling highlight of weekdays and/or certain
timespans [#5930]
* OAuth: Automatic redirect to sign-in with OAuth [#11893]
* Stackdriver: Template query editor [#13561]
* Security: Upgrade macaron session package to fix security issue. [#14043]
* Postgres/MySQL/MSSQL data sources now per default uses `max open
connections` = `unlimited` (earlier 10), `max idle connections` = `2`
(earlier 10) and `connection max lifetime` = `4` hours (earlier unlimited).
- Update to version 5.3.4
* Alerting: Delete alerts when parent folder was deleted [#13322]
* MySQL: Fix `$__timeFilter()` should respect local time zone [#13769]
* Dashboard: Fix data source selection in panel by enter key [#13932]
* Graph: Fix table legend height when positioned below graph and using
Internet Explorer 11 [#13903]
* Dataproxy: Drop origin and referer http headers [#13328]
- Update to version 5.3.3
* Fix file exfiltration vulnerability
- Update to version 5.3.2
* InfluxDB/Graphite/Postgres: Prevent XSS in query editor [#13667]
* Postgres: Fix template variables error [#13692]
* Cloudwatch: Fix service panic because of race conditions [#13674]
* Cloudwatch: Fix check for invalid percentile statistics [#13633]
* Stackdriver/Cloudwatch: Allow user to change unit in graph panel if
cloudwatch/stackdriver data source response doesn't include unit [#13718]
* Stackdriver: stackdriver user-metrics duplicated response when multiple
resource types [#13691]
* Variables: Fix text box template variable doesn't work properly without a
default value [#13666]
* Variables: Fix variable dependency check when using `${var}` format [#13600]
* Dashboard: Fix kiosk=1 url parameter should put dashboard in kiosk mode [#13764]
* LDAP: Fix super admins can also be admins of orgs [#13710]
* Provisioning: Fix deleting provisioned dashboard folder should cleanup
provisioning meta data [#13280]
- Update to version 5.3.1
* Render: Fix PhantomJS render of graph panel when legend displayed as table
to the right [#13616]
* Stackdriver: Filter option disappears after removing initial filter [#13607]
* Elasticsearch: Fix no limit size in terms aggregation for alerting queries [#13172]
* InfluxDB: Fix for annotation issue that caused text to be shown twice [#13553]
* Variables: Fix nesting variables leads to exception and missing refresh [#13628]
* Variables: Prometheus: Single letter labels are not supported [#13641]
* Graph: Fix graph time formatting for Last 24h ranges [#13650]
* Playlist: Fix cannot add dashboards with long names to playlist [#13464]
* HTTP API: Fix /api/org/users so that query and limit querystrings works
- Update to version 5.3.0
* Stackdriver: Filter wildcards and regex matching are not yet supported [#13495]
* Stackdriver: Support the distribution metric type for heatmaps [#13559]
* Cloudwatch: Automatically set graph yaxis unit [#13575]
* Stackdriver: Fix for missing ngInject [#13511]
* Permissions: Fix for broken permissions selector [#13507]
* Alerting: Alert reminders deduping not working as expected when running
multiple Grafana instances [#13492]
* Annotations: Enable template variables in tagged annotations queries [#9735]
* Stackdriver: Support for Google Stackdriver data source [#13289]
* Alerting: Notification reminders [#7330]
* Dashboard: TV & Kiosk mode changes, new cycle view mode button in dashboard
toolbar [#13025]
* OAuth: Gitlab OAuth with support for filter by groups [#5623]
* Postgres: Graphical query builder [#10095]
* LDAP: Define Grafana Admin permission in ldap group mappings [#2469]
* LDAP: Client certificates support [#12805]
* Profile: List teams that the user is member of in current/active
organization [#12476]
* Configuration: Allow auto-assigning users to specific organization (other
than Main. Org) [#1823]
* Dataproxy: Pass configured/auth headers to a data source [#10971]
* CloudWatch: GetMetricData support [#11487]
* Postgres: TimescaleDB support, e.g. use `time_bucket` for grouping by time
when option enabled [#12680]
* Cleanup: Make temp file time to live configurable [#11607]
* Postgres data source no longer automatically adds time column alias when
using the $__timeGroup alias.
* Kiosk mode now also hides submenu (variables)
* ?inactive url parameter no longer supported, replaced with kiosk=tv url parameter
* Dashboard: Auto fit dashboard panels to optimize space used for current TV
or Monitor [#12768]
* Frontend: Convert all Frontend Karma tests to Jest tests [#12224]
* Backend: Upgrade to golang 1.11 [#13030]
- Update to version 5.2.4
* GrafanaCli: Fix issue with grafana-cli install plugin resulting in
corrupt http response from source error. [#13079]
- Update to version 5.2.3
* Important fix for LDAP & OAuth login vulnerability
- Update to version 5.2.2
* Prometheus: Fix graph panel bar width issue in aligned prometheus queries [#12379]
* Dashboard: Dashboard links not updated when changing variables [#12506]
* Postgres/MySQL/MSSQL: Fix connection leak [#12636]
* Plugins: Fix loading of external plugins [#12551]
* Dashboard: Remove unwanted scrollbars in embedded panels [#12589]
* Prometheus: Prevent error using \$\_\_interval_ms in query [#12533]
- Update to version 5.2.1
* Auth Proxy: Important security fix for whitelist of IP address feature [#12444]
* UI: Fix - Grafana footer overlapping page [#12430]
* Logging: Errors should be reported before crashing [#12438]
- Update to version 5.2.0
* Plugins: Handle errors correctly when loading data source plugin [#12383]
* Render: Enhance error message if phantomjs executable is not found [#11868]
* Dashboard: Set correct text in drop down when variable is present in url [#11968]
* LDAP: Handle 'dn' ldap attribute more gracefully [#12385]
* Dashboard: Import dashboard to folder [#10796]
* Permissions: Important security fix for API keys with viewer role [#12343]
* Dashboard: Fix so panel titles doesn't wrap [#11074]
* Dashboard: Prevent double-click when saving dashboard [#11963]
* Dashboard: AutoFocus the add-panel search filter [#12189]
* Units: W/m2 (energy), l/h (flow) and kPa (pressure) [#11233]
* Units: Liter/min (flow) and milliLiter/min (flow) [#12282]
* Alerting: Fix mobile notifications for Microsoft Teams alert notifier [#11484]
* Influxdb: Add support for mode function [#12286]
* Cloudwatch: Fix panic caused by bad timerange settings [#12199]
* Auth Proxy: Whitelist proxy IP address instead of client IP address [#10707]
* User Management: Make sure that a user always has a current org assigned [#11076]
* Snapshots: Fix: annotations not properly extracted leading to incorrect
rendering of annotations [#12278]
* LDAP: Allow use of DN in group_search_filter_user_attribute and member_of [#3132]
* Graph: Fix legend decimals precision calculation [#11792]
* Dashboard: Make sure to process panels in collapsed rows when exporting
dashboard [#12256]
* Dashboard: Dashboard link doesn't work when 'As dropdown' option is checked [#12315]
* Dashboard: Fix regressions after save modal changes, including adhoc
template issues [#12240]
* Elasticsearch: Alerting support [#5893]
* Build: Crosscompile and packages Grafana on arm, windows, linux and darwin [#11920]
* Login: Change admin password after first login [#11882]
* Alert list panel: Updated to support filtering alerts by name, dashboard
title, folder, tags [#11500]
* Dashboard: Modified time range and variables are now not saved by default [#10748]
* Graph: Show invisible highest value bucket in histogram [#11498]
* Dashboard: Enable 'Save As...' if user has edit permission [#11625]
* Prometheus: Query dates are now step-aligned [#10434]
* Prometheus: Table columns order now changes when rearrange queries [#11690]
* Variables: Fix variable interpolation when using multiple formatting types [#11800]
* Dashboard: Fix date selector styling for dark/light theme in time picker
control [#11616]
* Discord: Alert notification channel type for Discord, [#7964]
* InfluxDB: Support SELECT queries in templating query, [#5013]
* InfluxDB: Support count distinct aggregation [#11645]
* Dashboard: JSON Model under dashboard settings can now be updated & changes
saved. [#1429]
* Security: Fix XSS vulnerabilities in dashboard links [#11813]
* Singlestat: Fix 'time of last point' shows local time when dashboard
timezone set to UTC [#10338]
* Prometheus: Add support for passing timeout parameter to Prometheus [#11788]
* Login: Add optional option sign out url for generic oauth [#9847]
* Login: Use proxy server from environment variable if available [#9703]
* Invite users: Friendlier error message when smtp is not configured [#12087]
* Graphite: Don't send distributed tracing headers when using direct/browser
access mode [#11494]
* Sidenav: Show create dashboard link for viewers if at least editor in one
folder [#11858]
* SQL: Second epochs are now correctly converted to ms. [#12085]
* Singlestat: Fix singlestat threshold tooltip [#11971]
* Dashboard: Hide grid controls in fullscreen/low-activity views [#11771]
* Dashboard: Validate uid when importing dashboards [#11515]
* Alert list panel: Show alerts for user with viewer role [#11167]
* Provisioning: Verify checksum of dashboards before updating to reduce load
on database [#11670]
* Provisioning: Support symlinked files in dashboard provisioning config
files [#11958]
* Dashboard list panel: Search dashboards by folder [#11525]
* Sidenav: Always show server admin link in sidenav if grafana admin [#11657]
- Update to version 5.1.4
* Permissions: Important security fix for API keys with viewer role [#12343]
- Update to version 5.1.3
* Scroll: Graph panel / legend texts shifts on the left each time we move
scrollbar on firefox [#11830]
- Update to version 5.1.2
* Database: Fix MySql migration issue [#11862]
* Google Analytics: Enable Google Analytics anonymizeIP setting for GDPR [#11656]
- Update to version 5.1.1
* LDAP: LDAP login with MariaDB/MySQL database and dn>100 chars not possible [#11754]
* Build: AppVeyor Windows build missing version and commit info [#11758]
* Scroll: Scroll can't start in graphs on Chrome mobile [#11710]
* Units: Revert renaming of unit key ppm [#11743]
- Update to version 5.1.0
* Folders: Default permissions on folder are not shown as inherited in its
dashboards [#11668]
* Templating: Allow more than 20 previews when creating a variable [#11508]
* Dashboard: Row edit icon not shown [#11466]
* SQL: Unsupported data types for value column using time series query [#11703]
* Prometheus: Prometheus query inspector expands to be very large on
autocomplete queries [#11673]
* MSSQL: New Microsoft SQL Server data source [#10093]
* Prometheus: The heatmap panel now support Prometheus histograms [#10009]
* Postgres/MySQL: Ability to insert 0s or nulls for missing intervals [#9487]
* Postgres/MySQL/MSSQL: Fix precision for the time column in table mode [#11306]
* Graph: Align left and right Y-axes to one level [#1271]
* Graph: Thresholds for Right Y axis [#7107]
* Graph: Support multiple series stacking in histogram mode [#8151]
* Alerting: Pausing/un alerts now updates new_state_date [#10942]
* Alerting: Support Pagerduty notification channel using Pagerduty V2 API [#10531]
* Templating: Add comma templating format [#10632]
* Prometheus: Show template variable candidate in query editor [#9210]
* Prometheus: Support POST for query and query_range [#9859]
* Alerting: Add support for retries on alert queries [#5855]
* Table: Table plugin value mappings [#7119]
* IE11: IE 11 compatibility [#11165]
* Scrolling: Better scrolling experience [#11053]
* Folders: A folder admin cannot add user/team permissions for folder/its
dashboards [#11173]
* Provisioning: Improved workflow for provisioned dashboards [#10883]
* OpsGenie: Add triggered alerts as description [#11046]
* Cloudwatch: Support high resolution metrics [#10925]
* Cloudwatch: Add dimension filtering to CloudWatch `dimension_values()` [#10029]
* Units: Second to HH:mm:ss formatter [#11107]
* Singlestat: Add color to prefix and postfix in singlestat panel [#11143]
* Dashboards: Version cleanup fails on old databases with many entries [#11278]
* Server: Adjust permissions of unix socket [#11343]
* Shortcuts: Add shortcut for duplicate panel [#11102]
* AuthProxy: Support IPv6 in Auth proxy white list [#11330]
* SMTP: Don't connect to STMP server using TLS unless configured. [#7189]
* Prometheus: Escape backslash in labels correctly. [#10555]
* Variables: Case-insensitive sorting for template values [#11128]
* Annotations (native): Change default limit from 10 to 100 when querying api [#11569]
* MySQL/Postgres/MSSQL: PostgreSQL data source generates invalid query with
dates before 1970 [#11530]
* Kiosk: Adds url parameter for starting a dashboard in inactive mode [#11228]
* Dashboard: Enable closing timepicker using escape key [#11332]
* Data Sources: Rename direct access mode in the data source settings [#11391]
* Search: Display dashboards in folder indented [#11073]
* Units: Use B/s instead Bps for Bytes per second [#9342]
* Units: Radiation units [#11001]
* Units: Timeticks unit [#11183]
* Units: Concentration units and 'Normal cubic meter' [#11211]
* Units: New currency - Czech koruna [#11384]
* Avatar: Fix DISABLE_GRAVATAR option [#11095]
* Heatmap: Disable log scale when using time time series buckets [#10792]
* Provisioning: Remove `id` from json when provisioning dashboards, [#11138]
* Prometheus: tooltip for legend format not showing properly [#11516]
* Playlist: Empty playlists cannot be deleted [#11133]
* Switch Orgs: Alphabetic order in Switch Organization modal [#11556]
* Postgres: improve `$__timeFilter` macro [#11578]
* Permission list: Improved ux [#10747]
* Dashboard: Sizing and positioning of settings menu icons [#11572]
* Dashboard: Add search filter/tabs to new panel control [#10427]
* Folders: User with org viewer role should not be able to save/move
dashboards in/to general folder [#11553]
* Influxdb: Don't assume the first column in table response is time. [#11476]
- Update to version 5.0.4
* Dashboard Fix inability to link collapsed panels directly to [#11114]
* Dashboard Provisioning dashboard with alert rules should create alerts [#11247]
* Snapshots For snapshots, the Graph panel renders the legend incorrectly on
right hand side [#11318]
* Alerting Link back to Grafana returns wrong URL if root_path contains
sub-path components [#11403]
* Alerting Incorrect default value for upload images setting for alert
notifiers [#11413]
- Update to version 5.0.3
* Mysql: Mysql panic occurring occasionally upon Grafana dashboard access (a
bigger patch than the one in 5.0.2) [#11155]
- Update to version 5.0.2
* Mysql: Mysql panic occurring occasionally upon Grafana dashboard access [#11155]
* Dashboards: Should be possible to browse dashboard using only uid [#11231]
* Alerting: Fix bug where alerts from hidden panels where deleted [#11222]
* Import: Fix bug where dashboards with alerts couldn't be imported [#11227]
* Teams: Remove quota restrictions from teams [#11220]
* Render: Fix bug with legacy url redirection for panel rendering [#11180]
- Update to version 5.0.1
* Postgres: PostgreSQL error when using ipv6 address as hostname in
connection string [#11055]
* Dashboards: Changing templated value from dropdown is causing unsaved
changes [#11063]
* Prometheus: Fix bundled Prometheus 2.0 dashboard [#11016]
* Sidemenu: Profile menu 'invisible' when gravatar is disabled [#11097]
* Dashboard: Fix a bug with resizable handles for panels [#11103]
* Alerting: Telegram inline image mode fails when caption too long [#10975]
* Alerting: Fix silent failing validation [#11145]
* OAuth: Only use jwt token if it contains an email address [#11127]
- Update to version 5.0.0
* oauth Fix GitHub OAuth not working with private Organizations [#11028]
* kiosk white area over bottom panels in kiosk mode [#11010]
* alerting Fix OK state doesn't show up in Microsoft Teams [#11032]
* Permissions Fix search permissions issues [#10822]
* Permissions Fix problem issues displaying permissions lists [#10864]
* PNG-Rendering Fix problem rendering legend to the right [#10526]
* Reset password Fix problem with reset password form [#10870]
* Light theme Fix problem with light theme in safari, [#10869]
* Provisioning Now handles deletes when dashboard json files removed from
disk [#10865]
* MySQL: Fix issue with schema migration on old mysql (index too long) [#10779]
* GitHub OAuth: Fix fetching github orgs from private github org [#10823]
* Embedding:Fix issues with embedding panel [#10787]
* Dashboards: Dashboard folders, [#1611]
* Teams User groups (teams) implemented. Can be used in folder & dashboard
permission list.
* Dashboard grid: Panels are now laid out in a two dimensional grid (with x,
y, w, h). [#9093]
* Templating: Vertical repeat direction for panel repeats.
* UX: Major update to page header and navigation
* Dashboard settings: Combine dashboard settings views into one with side menu, [#9750]
* Persistent dashboard url's: New url's for dashboards that allows renaming
dashboards without breaking links. [#7883]
* dashboard.json files have been replaced with dashboard provisioning API.
* Config files for provisioning data sources as configuration have changed
from /etc/grafana/conf/datasources to /etc/grafana/provisioning/datasources.
* Pagerduty notifier now defaults to not auto resolve incidents. More details at [#10222]
* `GET /api/alerts` property dashboardUri renamed to url
* New grid engine for positioning dashboard panels
* Alerting: Add support for internal image store [#6922]
* Data Source Proxy: Add support for whitelisting specified cookies to be
be passed through to the data source when proxying [#5457]
* Postgres/MySQL: add \_\_timeGroup macro for mysql [#9596]
* Text: Text panel are now edited in the ace editor. [#9698]
* Teams: Add Microsoft Teams notifier as [#8523]
* Data Sources: Its now possible to configure data sources with config files [#1789]
* Graphite: Query editor updated to support new query by tag features [#9230]
* Dashboard history: New config file option versions_to_keep sets how many
versions per dashboard to store, [#9671]
* Dashboard as cfg: Load dashboards from file into Grafana on startup/change [#9654]
* Prometheus: Grafana can now send alerts to Prometheus Alertmanager while
firing [#7481]
* Table: Support multiple table formatted queries in table panel [#9170]
* Security: Protect against brute force (frequent) login attempts [#7616]
* Graph: Don't hide graph display options (Lines/Points) when draw mode is
unchecked [#9770]
* Alert panel: Adds placeholder text when no alerts are within the time range [#9624]
* Mysql: MySQL enable MaxOpenCon and MaxIdleCon regards how constring is
configured. [#9784]
* Cloudwatch: Fix broken query inspector for cloudwatch [#9661]
* Dashboard: Make it possible to start dashboards from search and dashboard
list panel [#1871]
* Annotations: Posting annotations now return the id of the annotation [#9798]
* Systemd: Use systemd notification ready flag [#10024]
* GitHub: Use organizations_url provided from github to verify user belongs
in org. [#10111]
* Backend: Fix bug where Grafana exited before all sub routines where finished [#10131]
* Azure: Adds support for Azure blob storage as external image stor [#8955]
* Telegram: Add support for inline image uploads to telegram notifier plugin [#9967]
* Sensu: Send alert message to sensu output [#9551]
* Singlestat: suppress error when result contains no datapoints [#9636]
* Postgres/MySQL: Control quoting in SQL-queries when using template variables [#9030]
* Pagerduty: Pagerduty don't auto resolve incidents by default anymore. [#10222]
* Cloudwatch: Fix for multi-valued templated queries. [#9903]
* RabbitMq: Remove support for publishing events to RabbitMQ [#9645]
* API: GET /api/dashboards/db/:slug deprecated, use GET /api/dashboards/uid/:uid
* API: DELETE /api/dashboards/db/:slug deprecated, use DELETE /api/dashboards/uid/:uid
* API: `uri` property in GET /api/search deprecated, use `url` or `uid` property
* API: `meta.slug` property in GET /api/dashboards/uid/:uid and GET
/api/dashboards/db/:slug deprecated, use `meta.url` or `dashboard.uid` property
Changes in grafana-natel-discrete-panel:
- Add recompress source service
- Add set_version source service
- Enable changesgenerate for tar_scm source service
- Update to version 0.0.9:
* split commands
* put back the history
Changes in openstack-cinder:
- Update to version cinder-11.2.3.dev29:
* Remove VxFlex OS credentials from connection\_properties
* Fix stable/pike gate
* tintri: Enable SSL with requests
* [Unity] Fix TypeError for test case test\_delete\_host\_wo\_lock
Changes in openstack-cinder:
- Update to version cinder-11.2.3.dev29:
* Remove VxFlex OS credentials from connection\_properties
* Fix stable/pike gate
* tintri: Enable SSL with requests
* [Unity] Fix TypeError for test case test\_delete\_host\_wo\_lock
Changes in openstack-monasca-installer:
- Add 0001-Add-support-for-ansible-2.9.patch
Changes in openstack-neutron:
- Update to version neutron-11.0.9.dev69:
* Do not block connection between br-int and br-phys on startup
* [EM releases] Move non-voting jobs to the experimental queue
- Update to version neutron-11.0.9.dev66:
* Fix pike gates, multiple fixes
Changes in openstack-neutron:
- Add 0001-Ensure-drop-flows-on-br-int-at-agent-startup-for-DVR-too.patch (LP#1887148)
- Update to version neutron-11.0.9.dev69:
* Do not block connection between br-int and br-phys on startup
* [EM releases] Move non-voting jobs to the experimental queue
- Update to version neutron-11.0.9.dev66:
* Fix pike gates, multiple fixes
Changes in openstack-nova:
- Update to version nova-16.1.9.dev76:
* Removed the host FQDN from the exception message
- Update to version nova-16.1.9.dev74:
* libvirt: Provide VIR\_MIGRATE\_PARAM\_PERSIST\_XML during live migration
- Update to version nova-16.1.9.dev73:
* Fix os-simple-tenant-usage result order
- Update to version nova-16.1.9.dev71:
* Fix false ERROR message at compute restart
- Update to version nova-16.1.9.dev69:
* Check cherry-pick hashes in pep8 tox target
- Update to version nova-16.1.9.dev67:
* libvirt: Do not reraise DiskNotFound exceptions during resize
- Update to version nova-16.1.9.dev66:
* Clean up allocation if unshelve fails due to neutron
* Reproduce bug 1862633
- Update to version nova-16.1.9.dev64:
* Init HostState.failed\_builds
- Update to version nova-16.1.9.dev62:
* Fix os\_CODENAME detection and repo refresh during ceph tests
Changes in openstack-nova:
- Update to version nova-16.1.9.dev76:
* Removed the host FQDN from the exception message
- Rebased patches:
+ 0004-Provide-VIR_MIGRATE_PARAM_PERSIST_XML-during-live-migration.patch dropped (merged upstream)
- Update to version nova-16.1.9.dev74:
* libvirt: Provide VIR\_MIGRATE\_PARAM\_PERSIST\_XML during live migration
- Add 0004-Provide-VIR_MIGRATE_PARAM_PERSIST_XML-during-live-migration.patch
* (bsc#1175484, CVE-2020-17376)
- Update to version nova-16.1.9.dev73:
* Fix os-simple-tenant-usage result order
- Update to version nova-16.1.9.dev71:
* Fix false ERROR message at compute restart
- Update to version nova-16.1.9.dev69:
* Check cherry-pick hashes in pep8 tox target
- Update to version nova-16.1.9.dev67:
* libvirt: Do not reraise DiskNotFound exceptions during resize
- Update to version nova-16.1.9.dev66:
* Clean up allocation if unshelve fails due to neutron
* Reproduce bug 1862633
- Update to version nova-16.1.9.dev64:
* Init HostState.failed\_builds
- Update to version nova-16.1.9.dev62:
* Fix os\_CODENAME detection and repo refresh during ceph tests
Changes in python-Django:
- Update to version 1.11.29 (bsc#1161919, CVE-2020-7471, bsc#1165022, CVE-2020-9402, bsc#1159447, CVE-2019-19844)
* Fixed CVE-2020-9402 -- Properly escaped tolerance parameter in GIS functions and aggregates on Oracle.
* Pinned PyYAML < 5.3 in test requirements.
* Fixed CVE-2020-7471 -- Properly escaped StringAgg(delimiter) parameter.
* Fixed timezones tests for PyYAML 5.3+.
* Fixed CVE-2019-19844 -- Used verified user email for password reset requests.
* Fixed #31073 -- Prevented CheckboxInput.get_context() from mutating attrs.
* Fixed #30826 -- Fixed crash of many JSONField lookups when one hand side is key transform.
* Fixed #30769 -- Fixed a crash when filtering against a subquery JSON/HStoreField annotation.
* Fixed #30672 -- Fixed crash of JSONField/HStoreField key transforms on expressions with params.
* Added patch CVE-2020-13254.patch
* Added patch CVE-2020-13596.patch
Changes in python-Flask-Cors:
- Add patches to fix a relative directory traversal issue
(boo#1175986, CVE-2020-25032):
* 0001-Handle-request_headers-None.patch
* 0002-Fix-request-path-normalization.patch
Changes in python-Pillow:
- Add 011-Fix-OOB-reads-in-FLI-decoding.patch
* From upstream, backported
* Fixes CVE-2020-10177, bsc#1173413
- Add 012-Fix-bounds-overflow-in-JPEG-2000-decoding.patch
* From upstream, backported
* Fixes CVE-2020-10994, bsc#1173418
- Add 013-Fix-bounds-overflow-in-PCX-decoding.patch
* From upstream, backported
* Fixes CVE-2020-10378, bsc#1173416
Changes in python-ardana-packager:
- fetch updated nova_host_aggregate from git
- Add missing novaclient required domain entries (bsc#1174006)
Changes in python-keystoneclient:
- add 2020-tests-pass.patch:
- Make tests pass in 2020
- update to version 3.13.1
- Updated from global requirements
- Update .gitreview for stable/pike
- Update UPPER_CONSTRAINTS_FILE for stable/pike
- import zuul job settings from project-config
- Avoid tox_install.sh for constraints support
Changes in python-keystonemiddleware:
- added 0001-Make-tests-pass-in-2022.patch
- removed 0001-Add-use_oslo_messaging-option.patch
- update to version 4.17.1
- Update .gitreview for stable/pike
- Update UPPER_CONSTRAINTS_FILE for stable/pike
- Add option to disable using oslo_message notifier
- Fix docs builds
- Updated from global requirements
- import zuul job settings from project-config
Changes in python-kombu:
- Add 0001-Fix-failing-unittests-of-pyamqp-transport.patch
Changes in python-straight-plugin:
- Add pip_no_plugins.patch to avoid error: 'UnboundLocalError:
local variable 'r' referenced before assignment', when there
is no plugin available.
- Initial packaging
Changes in python-urllib3:
- Update urllib3-fix-test-urls.patch. Adjust to match upstream solution.
- Add urllib3-fix-test-urls.patch. Fix tests failing on python checks for
CVE-2019-9740.
- Add urllib3-cve-2020-26137.patch. Don't allow control chars in request
method. (bsc#1177120, CVE-2020-26137)
Changes in release-notes-suse-openstack-cloud:
- Update to version 8.20200922:
* postgreSQL db replace changes are updated for suse openstack cloud section (SOC-11000)
Changes in storm:
- Fix duplicate BuildRequire on storm-kit
- update to 1.2.3 (SOC-9974, CVE-2019-0202, SOC-9998, CVE-2018-11779):
* 1.2.3
* [STORM-3233] - Upgrade zookeeper client to newest version (3.4.13)
* [STORM-3077] - Upgrade Disruptor version to 3.3.11
* [STORM-3083] - Upgrade HikariCP version to 2.4.7
* [STORM-3094] - Topology name needs to be validated at storm-client
* [STORM-3222] - Fix KafkaSpout internals to use LinkedList instead of ArrayList
* [STORM-3292] - Trident HiveState must flush writers when the batch commits
* [STORM-3013] - Deactivated topology restarts if data flows into Kafka
* [STORM-3028] - HdfsSpout does not handle empty files in case of ack enabled
* [STORM-3046] - Getting a NPE leading worker to die when starting a topology.
* [STORM-3047] - Ensure Trident emitter refreshPartitions is only called with partitions assigned to the emitter
* [STORM-3055] - never refresh connection
* [STORM-3068] - STORM_JAR_JVM_OPTS are not passed to storm-kafka-monitor properly
* [STORM-3082] - NamedTopicFilter can't handle topics that don't exist yet
* [STORM-3087] - FluxBuilder.canInvokeWithArgs is too permissive when the method parameter type is a primitive
* [STORM-3090] - The same offset value is used by the same partition number of different topics.
* [STORM-3097] - Remove storm-druid in 2.x and deprecate support for it in 1.x
* [STORM-3102] - Storm Kafka Client performance issues with Kafka Client v1.0.0
* [STORM-3109] - Wrong canonical path set to STORM_LOCAL_DIR in storm kill_workers
* [STORM-3110] - Supervisor does not kill all worker processes in secure mode in case of user mismatch
* [STORM-3121] - Fix flaky metrics tests in storm-core
* [STORM-3122] - FNFE due to race condition between 'async localizer' and 'update blob' timer thread
* [STORM-3123] - Storm Kafka Monitor does not work with Kafka over two-way SSL
* [STORM-3161] - Local mode should force setting min replication count to 1
* [STORM-3164] - Multilang storm.py uses traceback.format_exc incorrectly
* [STORM-3184] - Storm supervisor log showing keystore and truststore password in plaintext
* [STORM-3201] - kafka spout lag on UI needs some cleanup
* [STORM-3301] - The KafkaSpout can in some cases still replay tuples that were already committed
* [STORM-3381] - Upgrading to Zookeeper 3.4.14 added an LGPL dependency
* [STORM-3384] - storm set-log-level command throws wrong exception when the topology is not running
* [STORM-3086] - Update Flux documentation to demonstrate static factory methods (STORM-2796)
* [STORM-3089] - Document worker hooks on the hooks page
* [STORM-3199] - Metrics-ganglia depends on an LGPL library, so we shouldn't depend on it
* [STORM-3289] - Add note about KAFKA-7044 to storm-kafka-client compatibility docs
* [STORM-3330] - Migrate parts of storm-webapp, and reduce use of mocks for files
* 1.2.2
* [STORM-3026] - Upgrade ZK instance for security
* [STORM-3027] - Make Impersonation Optional
* [STORM-2896] - Support automatic migration of offsets from storm-kafka to storm-kafka-client KafkaSpout
* [STORM-2997] - Add logviewer ssl module in SECURITY.md
* [STORM-3006] - Distributed RPC documentation needs an update
* [STORM-3011] - Use default bin path in flight.bash if $JAVA_HOME is undefined
* [STORM-3022] - Decouple storm-hive UTs with Hive
* [STORM-3039] - Ports of killed topologies remain in TIME_WAIT state preventing to start new topology
* [STORM-3069] - Allow users to specify maven local repository directory for storm submit tool
* [STORM-2911] - SpoutConfig is serializable but does not declare a serialVersionUID field
* [STORM-2967] - Upgrade jackson to latest version 2.9.4
* [STORM-2968] - Exclude a few unwanted jars from storm-autocreds
* [STORM-2978] - The fix for STORM-2706 is broken, and adds a transitive dependency on Zookeeper 3.5.3-beta for projects that depend on e.g. storm-kafka
* [STORM-2979] - WorkerHooks EOFException during run_worker_shutdown_hooks
* [STORM-2981] - Upgrade Curator to lastest patch version
* [STORM-2985] - Add jackson-annotations to dependency management
* [STORM-2988] - 'Error on initialization of server mk-worker' when using org.apache.storm.metrics2.reporters.JmxStormReporter on worker
* [STORM-2989] - LogCleaner should preserve current worker.log.metrics
* [STORM-2993] - Storm HDFS bolt throws ClosedChannelException when Time rotation policy is used
* [STORM-2994] - KafkaSpout consumes messages but doesn't commit offsets
* [STORM-3043] - NullPointerException thrown in SimpleRecordTranslator.apply()
* [STORM-3052] - Let blobs un archive
* [STORM-3059] - KafkaSpout throws NPE when hitting a null tuple if the processing guarantee is not AT_LEAST_ONCE
* [STORM-2960] - Better to stress importance of setting up proper OS account for Storm processes
* [STORM-3060] - Configuration mapping between storm-kafka & storm-kafka-client
* [STORM-2952] - Deprecate storm-kafka in 1.x
* [STORM-3005] - [DRPC] LinearDRPCTopologyBuilder shouldn't be deprecated
Changes in storm-kit:
- Add _constraints to prevent build from running out of disk space
- Updated kit for storm-1.2.3
Changes in venv-openstack-cinder:
- Ensure that python-swiftclient is pulled into the built venv
via an explicit BuildRequires directive. (SOC-10522)
Changes in venv-openstack-swift:
- Ensure that python-oslo.log is pulled into the built venv by
explicitly requiring the package using a BuildRequires entry.
ImportantSUSE bug 1008037SUSE bug 1008038SUSE bug 1010940SUSE bug 1019021SUSE bug 1038785SUSE bug 1056094SUSE bug 1059235SUSE bug 1080682SUSE bug 1097775SUSE bug 1102126SUSE bug 1109957SUSE bug 1112959SUSE bug 1117080SUSE bug 1118896SUSE bug 1123561SUSE bug 1126503SUSE bug 1137479SUSE bug 1137528SUSE bug 1142121SUSE bug 1142542SUSE bug 1144453SUSE bug 1153452SUSE bug 1154231SUSE bug 1154232SUSE bug 1154830SUSE bug 1157968SUSE bug 1157969SUSE bug 1159447SUSE bug 1161919SUSE bug 1164133SUSE bug 1164134SUSE bug 1164135SUSE bug 1164136SUSE bug 1164137SUSE bug 1164138SUSE bug 1164139SUSE bug 1164140SUSE bug 1165022SUSE bug 1165393SUSE bug 1166389SUSE bug 1167440SUSE bug 1167532SUSE bug 1171162SUSE bug 1171823SUSE bug 1172450SUSE bug 1173413SUSE bug 1173416SUSE bug 1173418SUSE bug 1174006SUSE bug 1174145SUSE bug 1174242SUSE bug 1174302SUSE bug 1174583SUSE bug 1175484SUSE bug 1175986SUSE bug 1175993SUSE bug 1177120SUSE bug 1177948CVE-2016-8614 at SUSECVE-2016-8614 at NVDCVE-2016-8628 at SUSECVE-2016-8628 at NVDCVE-2016-8647 at SUSECVE-2016-8647 at NVDCVE-2016-9587 at SUSECVE-2016-9587 at NVDCVE-2017-7466 at SUSECVE-2017-7466 at NVDCVE-2017-7550 at SUSECVE-2017-7550 at NVDCVE-2018-10875 at SUSECVE-2018-10875 at NVDCVE-2018-11779 at SUSECVE-2018-11779 at NVDCVE-2018-16837 at SUSECVE-2018-16837 at NVDCVE-2018-16859 at SUSECVE-2018-16859 at NVDCVE-2018-16876 at SUSECVE-2018-16876 at NVDCVE-2018-18623 at SUSECVE-2018-18623 at NVDCVE-2018-18624 at SUSECVE-2018-18624 at NVDCVE-2018-18625 at SUSECVE-2018-18625 at NVDCVE-2019-0202 at SUSECVE-2019-0202 at NVDCVE-2019-10156 at SUSECVE-2019-10156 at NVDCVE-2019-10206 at SUSECVE-2019-10206 at NVDCVE-2019-10217 at SUSECVE-2019-10217 at NVDCVE-2019-14846 at SUSECVE-2019-14846 at NVDCVE-2019-14856 at SUSECVE-2019-14856 at NVDCVE-2019-14858 at SUSECVE-2019-14858 at NVDCVE-2019-14864 at SUSECVE-2019-14864 at NVDCVE-2019-14904 at SUSECVE-2019-14904 at NVDCVE-2019-14905 at SUSECVE-2019-14905 at NVDCVE-2019-19844 at SUSECVE-2019-19844 at NVDCVE-2019-3828 at SUSECVE-2019-3828 at NVDCVE-2020-10177 at SUSECVE-2020-10177 at NVDCVE-2020-10378 at SUSECVE-2020-10378 at NVDCVE-2020-10684 at SUSECVE-2020-10684 at NVDCVE-2020-10685 at SUSECVE-2020-10685 at NVDCVE-2020-10691 at SUSECVE-2020-10691 at NVDCVE-2020-10729 at SUSECVE-2020-10729 at NVDCVE-2020-10744 at SUSECVE-2020-10744 at NVDCVE-2020-10994 at SUSECVE-2020-10994 at NVDCVE-2020-11110 at SUSECVE-2020-11110 at NVDCVE-2020-14330 at SUSECVE-2020-14330 at NVDCVE-2020-14332 at SUSECVE-2020-14332 at NVDCVE-2020-14365 at SUSECVE-2020-14365 at NVDCVE-2020-1733 at SUSECVE-2020-1733 at NVDCVE-2020-1734 at SUSECVE-2020-1734 at NVDCVE-2020-1735 at SUSECVE-2020-1735 at NVDCVE-2020-1736 at SUSECVE-2020-1736 at NVDCVE-2020-1737 at SUSECVE-2020-1737 at NVDCVE-2020-17376 at SUSECVE-2020-17376 at NVDCVE-2020-1738 at SUSECVE-2020-1738 at NVDCVE-2020-1739 at SUSECVE-2020-1739 at NVDCVE-2020-1740 at SUSECVE-2020-1740 at NVDCVE-2020-1746 at SUSECVE-2020-1746 at NVDCVE-2020-1753 at SUSECVE-2020-1753 at NVDCVE-2020-25032 at SUSECVE-2020-25032 at NVDCVE-2020-26137 at SUSECVE-2020-26137 at NVDCVE-2020-7471 at SUSECVE-2020-7471 at NVDCVE-2020-9402 at SUSECVE-2020-9402 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for systemd (Important)SUSE OpenStack Cloud 8
This update for systemd fixes the following issues:
- CVE-2020-1712 (bsc#bsc#1162108)
Fix a heap use-after-free vulnerability, when asynchronous
Polkit queries were performed while handling Dbus messages. A local
unprivileged attacker could have abused this flaw to crash systemd services or
potentially execute code and elevate their privileges, by sending specially
crafted Dbus messages.
- Unconfirmed fix for prevent hanging of systemctl during restart. (bsc#1139459)
- Fix warnings thrown during package installation. (bsc#1154043)
- Fix for system-udevd prevent crash within OES2018. (bsc#1151506)
- Fragments of masked units ought not be considered for 'NeedDaemonReload'. (bsc#1156482)
- Wait for workers to finish when exiting. (bsc#1106383)
- Improve log message when inotify limit is reached. (bsc#1155574)
- Mention in the man pages that alias names are only effective after command 'systemctl enable'. (bsc#1151377)
- Introduce function for reading virtual files in 'sysfs' and 'procfs'. (bsc#1133495, bsc#1159814)
ImportantSUSE bug 1106383SUSE bug 1133495SUSE bug 1139459SUSE bug 1151377SUSE bug 1151506SUSE bug 1154043SUSE bug 1155574SUSE bug 1156482SUSE bug 1159814SUSE bug 1162108CVE-2020-1712 at SUSECVE-2020-1712 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_7_0-openjdk (Important)SUSE OpenStack Cloud 8
This update for java-1_7_0-openjdk fixes the following issues:
- Update to 2.6.24 - OpenJDK 7u281 (October 2020 CPU, bsc#1177943)
* Security fixes
+ JDK-8233624: Enhance JNI linkage
+ JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
+ JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
+ JDK-8237995, CVE-2020-14782: Enhance certificate processing
+ JDK-8240124: Better VM Interning
+ JDK-8241114, CVE-2020-14792: Better range handling
+ JDK-8242680, CVE-2020-14796: Improved URI Support
+ JDK-8242685, CVE-2020-14797: Better Path Validation
+ JDK-8242695, CVE-2020-14798: Enhanced buffer support
+ JDK-8243302: Advanced class supports
+ JDK-8244136, CVE-2020-14803: Improved Buffer supports
+ JDK-8244479: Further constrain certificates
+ JDK-8244955: Additional Fix for JDK-8240124
+ JDK-8245407: Enhance zoning of times
+ JDK-8245412: Better class definitions
+ JDK-8245417: Improve certificate chain handling
+ JDK-8248574: Improve jpeg processing
+ JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
+ JDK-8253019: Enhanced JPEG decoding
* Import of OpenJDK 7 u281 build 1
+ JDK-8145096: Undefined behaviour in HotSpot
+ JDK-8215265: C2: range check elimination may allow illegal
out of bound access
* Backports
+ JDK-8250861, PR3812: Crash in MinINode::Ideal(PhaseGVN*, bool)
ImportantSUSE bug 1177943CVE-2020-14779 at SUSECVE-2020-14779 at NVDCVE-2020-14781 at SUSECVE-2020-14781 at NVDCVE-2020-14782 at SUSECVE-2020-14782 at NVDCVE-2020-14792 at SUSECVE-2020-14792 at NVDCVE-2020-14796 at SUSECVE-2020-14796 at NVDCVE-2020-14797 at SUSECVE-2020-14797 at NVDCVE-2020-14798 at SUSECVE-2020-14798 at NVDCVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openldap2 (Important)SUSE OpenStack Cloud 8
This update for openldap2 fixes the following issues:
- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).
ImportantSUSE bug 1178387CVE-2020-25692 at SUSECVE-2020-25692 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.4.1 ESR
* Fixed: Security fix
MFSA 2020-49 (bsc#1178588)
* CVE-2020-26950 (bmo#1675905)
Write side effects in MCallGetProperty opcode not accounted
for
ImportantSUSE bug 1178588CVE-2020-26950 at SUSECVE-2020-26950 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for postgresql, postgresql96, postgresql10 and postgresql12 (Moderate)SUSE OpenStack Cloud 8
This update changes the internal packaging for postgresql, and so contains
all currently maintained postgresql versions across our SUSE Linux Enterprise 12
products.
* postgresql12 is shipped new in version 12.3 (bsc#1171924).
The server and client packages only on SUSE Linux Enterprise Server 12 SP5,
the libraries on SUSE Linux Enterprise Server 12 SP2 LTSS up to 12 SP5.
+ https://www.postgresql.org/about/news/2038/
+ https://www.postgresql.org/docs/12/release-12-3.html
* postgresql10 is updated to 10.13 (bsc#1171924).
On SUSE Linux Enterprise Server 12 SP2 LTSS up to 12 SP5.
+ https://www.postgresql.org/about/news/2038/
+ https://www.postgresql.org/docs/10/release-10-13.html
* postgresql96 is updated to 9.6.18 (bsc#1171924):
+ https://www.postgresql.org/about/news/2038/
+ https://www.postgresql.org/docs/9.6/release-9-6-18.html
On SUSE Linux Enterprise Server 12-SP2 and 12-SP3 LTSS only.
* postgresql 9.4 is updated to 9.4.26:
+ https://www.postgresql.org/about/news/2011/
+ https://www.postgresql.org/docs/9.4/release-9-4-26.html
+ https://www.postgresql.org/about/news/1994/
+ https://www.postgresql.org/docs/9.4/release-9-4-25.html
ModerateSUSE bug 1171924cpe:/o:suse:suse-openstack-cloud:8Security update for raptor (Important)SUSE OpenStack Cloud 8
This update for raptor fixes the following issues:
- Fixed a heap overflow vulnerability (bsc#1178593, CVE-2017-18926).
- Update raptor to version 2.0.15
* Made several fixes to Turtle / N-Triples family of parsers and serializers
* Added utility functions for re-entrant sorting of objects and sequences.
* Made other fixes and improvements including fixing reported issues:
0000574, 0000575, 0000576, 0000577, 0000579, 0000581 and 0000584.
ImportantSUSE bug 1178593CVE-2017-18926 at SUSECVE-2017-18926 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for kernel-firmware (Important)SUSE OpenStack Cloud 8
This update for kernel-firmware fixes the following issue:
- CVE-2020-12321: Updated the Intel Bluetooth firmware for buffer overflow security bugs (bsc#1178671).
ImportantSUSE bug 1178671CVE-2020-12321 at SUSECVE-2020-12321 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for krb5 (Moderate)SUSE OpenStack Cloud 8
This update for krb5 fixes the following security issue:
- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).
ModerateSUSE bug 1178512CVE-2020-28196 at SUSECVE-2020-28196 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for postgresql10 (Important)SUSE OpenStack Cloud 8
This update for postgresql10 fixes the following issues:
Upgrade to version 10.15:
* CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and
materialized view queries.
* CVE-2020-25694, bsc#1178667:
a) Fix usage of complex connection-string parameters in pg_dump,
pg_restore, clusterdb, reindexdb, and vacuumdb.
b) When psql's \connect command re-uses connection parameters,
ensure that all non-overridden parameters from a previous
connection string are re-used.
* CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from
modifying specially-treated variables.
* https://www.postgresql.org/about/news/2111/
* https://www.postgresql.org/docs/10/release-10-15.html
Update to 10.14:
* CVE-2020-14349, bsc#1175193: Set a secure search_path in
logical replication walsenders and apply workers
* CVE-2020-14350, bsc#1175194: Make contrib modules' installation
scripts more secure.
* https://www.postgresql.org/docs/10/release-10-14.html
ImportantSUSE bug 1175193SUSE bug 1175194SUSE bug 1178666SUSE bug 1178667SUSE bug 1178668CVE-2020-14349 at SUSECVE-2020-14349 at NVDCVE-2020-14350 at SUSECVE-2020-14350 at NVDCVE-2020-25694 at SUSECVE-2020-25694 at NVDCVE-2020-25695 at SUSECVE-2020-25695 at NVDCVE-2020-25696 at SUSECVE-2020-25696 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for postgresql96 (Important)SUSE OpenStack Cloud 8
This update for postgresql96 fixes the following issues:
Upgrade to version 9.6.20:
* CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and
materialized view queries.
* CVE-2020-25694, bsc#1178667:
a) Fix usage of complex connection-string parameters in pg_dump,
pg_restore, clusterdb, reindexdb, and vacuumdb.
b) When psql's \connect command re-uses connection parameters,
ensure that all non-overridden parameters from a previous
connection string are re-used.
* CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from
modifying specially-treated variables.
* https://www.postgresql.org/about/news/2111/
* https://www.postgresql.org/docs/9.6/release-9-6-20.html
Changes from 9.6.19:
* CVE-2020-14350, bsc#1175194: Make contrib modules installation
ImportantSUSE bug 1175194SUSE bug 1178666SUSE bug 1178667SUSE bug 1178668CVE-2020-14350 at SUSECVE-2020-14350 at NVDCVE-2020-25694 at SUSECVE-2020-25694 at NVDCVE-2020-25695 at SUSECVE-2020-25695 at NVDCVE-2020-25696 at SUSECVE-2020-25696 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud 8
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bug fixes.
The following security bugs were fixed:
- CVE-2020-25705: A flaw in the way reply ICMP packets are limited in was found that allowed to quickly scan open UDP ports. This flaw allowed an off-path remote user to effectively bypassing source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software and services that rely on UDP source port randomization (like DNS) are indirectly affected as well. Kernel versions may be vulnerable to this issue (bsc#1175721, bsc#1178782).
- CVE-2020-25668: Fixed a use-after-free in con_font_op() (bsc#1178123).
- CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).
- CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086).
- CVE-2020-8694: Restricted energy meter to root access (bsc#1170415).
- CVE-2020-12352: Fixed an information leak when processing certain AMP packets aka 'BleedingTooth' (bsc#1177725).
- CVE-2020-25645: Fixed an issue which traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted (bsc#1177511).
- CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011).
- CVE-2020-25212: Fixed A TOCTOU mismatch in the NFS client code which could have been used by local attackers to corrupt memory (bsc#1176381).
- CVE-2020-14390: Fixed an out-of-bounds memory write leading to memory corruption or a denial of service when changing screen size (bnc#1176235).
- CVE-2020-25643: Fixed a memory corruption and a read overflow which could have caused by improper input validation in the ppp_cp_parse_cr function (bsc#1177206).
- CVE-2020-25641: Fixed a zero-length biovec request issued by the block subsystem could have caused the kernel to enter an infinite loop, causing a denial of service (bsc#1177121).
- CVE-2020-26088: Fixed an improper CAP_NET_RAW check in NFC socket creation could have been used by local attackers to create raw sockets, bypassing security mechanisms (bsc#1176990).
- CVE-2020-0432: Fixed an out of bounds write due to an integer overflow (bsc#1176721).
- CVE-2020-0431: Fixed an out of bounds write due to a missing bounds check (bsc#1176722).
- CVE-2020-0427: Fixed an out of bounds read due to a use after free (bsc#1176725).
- CVE-2020-0404: Fixed a linked list corruption due to an unusual root cause (bsc#1176423).
- CVE-2020-25284: Fixed an incomplete permission checking for access to rbd devices, which could have been leveraged by local attackers to map or unmap rbd block devices (bsc#1176482).
- CVE-2019-19063: Fixed two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c, which could have allowed an attacker to cause a denial of service (memory consumption) (bsc#1157298).
- CVE-2019-6133: In PolicyKit (aka polkit), the 'start time' protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions are improperly cached. This is related to lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c (bsc#1121872).
- CVE-2017-18204: Fixed a denial of service in the ocfs2_setattr function of fs/ocfs2/file.c (bnc#1083244).
The following non-security bugs were fixed:
- hv: vmbus: Add timeout to vmbus_wait_for_unload (bsc#1177816).
- hyperv_fb: disable superfluous VERSION_WIN10_V5 case (bsc#1175306).
- hyperv_fb: Update screen_info after removing old framebuffer (bsc#1175306).
- mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa (bsc#1176816).
- net/packet: fix overflow in tpacket_rcv (bsc#1176069).
- ocfs2: give applications more IO opportunities during fstrim (bsc#1175228).
- video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host (bsc#1175306).
- video: hyperv: hyperv_fb: Support deferred IO for Hyper-V frame buffer driver (bsc#1175306).
- video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs (bsc#1175306).
- x86/kexec: Use up-to-dated screen_info copy to fill boot params (bsc#1175306).
- xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen-blkfront: switch kcalloc to kvcalloc for large array allocation (bsc#1160917).
- xen: do not reschedule in preemption off sections (bsc#1175749).
- xen/events: add a new 'late EOI' evtchn framework (XSA-332 bsc#1177411).
- xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411).
- xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410).
- xen/events: block rogue events for some time (XSA-332 bsc#1177411).
- xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411).
- xen/events: do not use chip_data for legacy IRQs (XSA-332 bsc#1065600).
- xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).
- xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411).
- xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411).
- xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information (XSA-332 bsc#1065600).
ImportantSUSE bug 1065600SUSE bug 1083244SUSE bug 1121826SUSE bug 1121872SUSE bug 1157298SUSE bug 1160917SUSE bug 1170415SUSE bug 1175228SUSE bug 1175306SUSE bug 1175721SUSE bug 1175749SUSE bug 1176011SUSE bug 1176069SUSE bug 1176235SUSE bug 1176253SUSE bug 1176278SUSE bug 1176381SUSE bug 1176382SUSE bug 1176423SUSE bug 1176482SUSE bug 1176721SUSE bug 1176722SUSE bug 1176725SUSE bug 1176816SUSE bug 1176896SUSE bug 1176990SUSE bug 1177027SUSE bug 1177086SUSE bug 1177121SUSE bug 1177165SUSE bug 1177206SUSE bug 1177226SUSE bug 1177410SUSE bug 1177411SUSE bug 1177511SUSE bug 1177513SUSE bug 1177725SUSE bug 1177766SUSE bug 1177816SUSE bug 1178123SUSE bug 1178622SUSE bug 1178782CVE-2017-18204 at SUSECVE-2017-18204 at NVDCVE-2019-19063 at SUSECVE-2019-19063 at NVDCVE-2019-6133 at SUSECVE-2019-6133 at NVDCVE-2020-0404 at SUSECVE-2020-0404 at NVDCVE-2020-0427 at SUSECVE-2020-0427 at NVDCVE-2020-0431 at SUSECVE-2020-0431 at NVDCVE-2020-0432 at SUSECVE-2020-0432 at NVDCVE-2020-12352 at SUSECVE-2020-12352 at NVDCVE-2020-14351 at SUSECVE-2020-14351 at NVDCVE-2020-14381 at SUSECVE-2020-14381 at NVDCVE-2020-14390 at SUSECVE-2020-14390 at NVDCVE-2020-25212 at SUSECVE-2020-25212 at NVDCVE-2020-25284 at SUSECVE-2020-25284 at NVDCVE-2020-25641 at SUSECVE-2020-25641 at NVDCVE-2020-25643 at SUSECVE-2020-25643 at NVDCVE-2020-25645 at SUSECVE-2020-25645 at NVDCVE-2020-25656 at SUSECVE-2020-25656 at NVDCVE-2020-25668 at SUSECVE-2020-25668 at NVDCVE-2020-25705 at SUSECVE-2020-25705 at NVDCVE-2020-26088 at SUSECVE-2020-26088 at NVDCVE-2020-8694 at SUSECVE-2020-8694 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ucode-intel (Moderate)SUSE OpenStack Cloud 8
This update for ucode-intel fixes the following issues:
- Updated Intel CPU Microcode to 20201118 official release. (bsc#1178971)
- Removed TGL/06-8c-01/80 due to functional issues with some OEM platforms.
- CVE-2020-8695: Fixed Intel RAPL sidechannel attack (SGX) INTEL-SA-00389 (bsc#1170446)
- CVE-2020-8698: Fixed Fast Store Forward Predictor INTEL-SA-00381 (bsc#1173594)
- CVE-2020-8696: Vector Register Sampling Active INTEL-SA-00381 (bsc#1173592)
- Release notes:
- Security updates for [INTEL-SA-00381](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00381.html).
- Security updates for [INTEL-SA-00389](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html).
- Update for functional issues. Refer to [Second Generation Intel? Xeon? Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/338848) for details.
- Update for functional issues. Refer to [Intel? Xeon? Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/613537) for details.
- Update for functional issues. Refer to [Intel? Xeon? Processor E5 v3 Product Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html?wapkw=processor+spec+update+e5) for details.
- Update for functional issues. Refer to [10th Gen Intel? Core™ Processor Families Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/10th-gen-core-families-specification-update.html) for details.
- Update for functional issues. Refer to [8th and 9th Gen Intel? Core™ Processor Family Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/8th-gen-core-spec-update.html) for details.
- Update for functional issues. Refer to [7th Gen and 8th Gen (U Quad-Core) Intel? Processor Families Specification Update](https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-spec-update.html) for details.
- Update for functional issues. Refer to [6th Gen Intel? Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/332689) for details.
- Update for functional issues. Refer to [Intel? Xeon? E3-1200 v6 Processor Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v6-spec-update.html) for details.
- Update for functional issues. Refer to [Intel? Xeon? E-2100 and E-2200 Processor Family Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-e-2100-specification-update.html) for details.
### New Platforms
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| CPX-SP | A1 | 06-55-0b/bf | | 0700001e | Xeon Scalable Gen3
| LKF | B2/B3 | 06-8a-01/10 | | 00000028 | Core w/Hybrid Technology
| TGL | B1 | 06-8c-01/80 | | 00000068 | Core Gen11 Mobile
| CML-H | R1 | 06-a5-02/20 | | 000000e0 | Core Gen10 Mobile
| CML-S62 | G1 | 06-a5-03/22 | | 000000e0 | Core Gen10
| CML-S102 | Q0 | 06-a5-05/22 | | 000000e0 | Core Gen10
| CML-U62 V2 | K0 | 06-a6-01/80 | | 000000e0 | Core Gen10 Mobile
### Updated Platforms
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| SKL-U23e | K1 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| SKX-SP | B1 | 06-55-03/97 | 01000157 | 01000159 | Xeon Scalable
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable
| SKX-D | M1 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon D-21xx
| CLX-SP | B0 | 06-55-06/bf | 04002f01 | 04003003 | Xeon Scalable Gen2
| CLX-SP | B1 | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2
| APL | D0 | 06-5c-09/03 | 00000038 | 00000040 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
| APL | E0 | 06-5c-0a/03 | 00000016 | 0000001e | Atom x5-E39xx
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000d6 | 000000e2 | Core Gen6; Xeon E3 v5
| GKL-R | R0 | 06-7a-08/01 | 00000016 | 00000018 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| ICL-U/Y | D1 | 06-7e-05/80 | 00000078 | 000000a0 | Core Gen10 Mobile
| AML-Y22 | H0 | 06-8e-09/10 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000d6 | 000000e0 | Core Gen8 Mobile
| WHL-U | W0 | 06-8e-0b/d0 | 000000d6 | 000000de | Core Gen8 Mobile
| AML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| CML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| WHL-U | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000d6 | 000000de | Core Gen7; Xeon E3 v6
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000d6 | 000000de | Core Gen8 Desktop, Mobile, Xeon E
| CFL-S | B0 | 06-9e-0b/02 | 000000d6 | 000000de | Core Gen8
| CFL-H/S | P0 | 06-9e-0c/22 | 000000d6 | 000000de | Core Gen9
| CFL-H | R0 | 06-9e-0d/22 | 000000d6 | 000000de | Core Gen9 Mobile
| CML-U62 | A0 | 06-a6-00/80 | 000000ca | 000000e0 | Core Gen10 Mobile
ModerateSUSE bug 1170446SUSE bug 1173592SUSE bug 1173594SUSE bug 1178971CVE-2020-8695 at SUSECVE-2020-8695 at NVDCVE-2020-8696 at SUSECVE-2020-8696 at NVDCVE-2020-8698 at SUSECVE-2020-8698 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for bluez (Important)SUSE OpenStack Cloud 8
This update for bluez fixes the following issues:
- CVE-2020-0556: Fixed improper access control which may lead to escalation of privilege and denial of service by an unauthenticated user (bsc#1166751).
ImportantSUSE bug 1166751CVE-2020-0556 at SUSECVE-2020-0556 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.5.0 ESR (bsc#1178824)
* CVE-2020-26951: Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code
* CVE-2020-16012: Variable time processing of cross-origin images during drawImage calls
* CVE-2020-26953: Fullscreen could be enabled without displaying the security UI
* CVE-2020-26956: XSS through paste (manual and clipboard API)
* CVE-2020-26958: Requests intercepted through ServiceWorkers lacked MIME type restrictions
* CVE-2020-26959: Use-after-free in WebRequestService
* CVE-2020-26960: Potential use-after-free in uses of nsTArray
* CVE-2020-15999: Heap buffer overflow in freetype
* CVE-2020-26961: DoH did not filter IPv4 mapped IP Addresses
* CVE-2020-26965: Software keyboards may have remembered typed passwords
* CVE-2020-26966: Single-word search queries were also broadcast to local network
* CVE-2020-26968: Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5
ImportantSUSE bug 1178824CVE-2020-15999 at SUSECVE-2020-15999 at NVDCVE-2020-16012 at SUSECVE-2020-16012 at NVDCVE-2020-26951 at SUSECVE-2020-26951 at NVDCVE-2020-26953 at SUSECVE-2020-26953 at NVDCVE-2020-26956 at SUSECVE-2020-26956 at NVDCVE-2020-26958 at SUSECVE-2020-26958 at NVDCVE-2020-26959 at SUSECVE-2020-26959 at NVDCVE-2020-26960 at SUSECVE-2020-26960 at NVDCVE-2020-26961 at SUSECVE-2020-26961 at NVDCVE-2020-26965 at SUSECVE-2020-26965 at NVDCVE-2020-26966 at SUSECVE-2020-26966 at NVDCVE-2020-26968 at SUSECVE-2020-26968 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for LibVNCServer (Important)SUSE OpenStack Cloud 8
This update for LibVNCServer fixes the following issues:
- CVE-2020-25708 [bsc#1178682], libvncserver/rfbserver.c has a divide by zero which could result in DoS
ImportantSUSE bug 1178682CVE-2020-25708 at SUSECVE-2020-25708 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for xorg-x11-server (Important)SUSE OpenStack Cloud 8
This update for xorg-x11-server fixes the following issues:
- CVE-2020-25712: Fixed a heap-based buffer overflow which could have led to privilege escalation (bsc#1177596).
- CVE-2020-14360: Fixed an out of bounds memory accesses on too short request which could lead to denial of service (bsc#1174908).
ImportantSUSE bug 1174908SUSE bug 1177596CVE-2020-14360 at SUSECVE-2020-14360 at NVDCVE-2020-25712 at SUSECVE-2020-25712 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-setuptools (Important)SUSE OpenStack Cloud 8
This update for python-setuptools fixes the following issues:
- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)
ImportantSUSE bug 1176262CVE-2019-20916 at SUSECVE-2019-20916 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python3 (Important)SUSE OpenStack Cloud 8
This update for python3 fixes the following issues:
- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)
ImportantSUSE bug 1176262CVE-2019-20916 at SUSECVE-2019-20916 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for gdm (Important)SUSE OpenStack Cloud 8
This update for gdm fixes the following issues:
- CVE-2020-16125: Fixed a privilege escalation (bsc#1178150).
ImportantSUSE bug 1178150CVE-2020-16125 at SUSECVE-2020-16125 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-cryptography (Moderate)SUSE OpenStack Cloud 8
This update for python-cryptography fixes the following issues:
- CVE-2020-25659: Attempted to mitigate Bleichenbacher attacks on RSA decryption (bsc#1178168).
ModerateSUSE bug 1178168CVE-2020-25659 at SUSECVE-2020-25659 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for postgresql12 (Important)SUSE OpenStack Cloud 8
This update for postgresql12 fixes the following issues:
Upgrade to version 12.5:
* CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and
materialized view queries.
* CVE-2020-25694, bsc#1178667:
a) Fix usage of complex connection-string parameters in pg_dump,
pg_restore, clusterdb, reindexdb, and vacuumdb.
b) When psql's \connect command re-uses connection parameters,
ensure that all non-overridden parameters from a previous
connection string are re-used.
* CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from
modifying specially-treated variables.
* Fix recently-added timetz test case so it works when the USA
is not observing daylight savings time.
(obsoletes postgresql-timetz.patch)
* https://www.postgresql.org/about/news/2111/
* https://www.postgresql.org/docs/12/release-12-5.html
The previous postgresql12 update already addressed:
Update to 12.4:
* CVE-2020-14349, bsc#1175193: Set a secure search_path in logical replication walsenders and apply workers
* CVE-2020-14350, bsc#1175194: Make contrib modules' installation scripts more secure.
* https://www.postgresql.org/docs/12/release-12-4.html
ImportantSUSE bug 1175193SUSE bug 1175194SUSE bug 1178666SUSE bug 1178667SUSE bug 1178668CVE-2020-14349 at SUSECVE-2020-14349 at NVDCVE-2020-14350 at SUSECVE-2020-14350 at NVDCVE-2020-25694 at SUSECVE-2020-25694 at NVDCVE-2020-25695 at SUSECVE-2020-25695 at NVDCVE-2020-25696 at SUSECVE-2020-25696 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for xen (Important)SUSE OpenStack Cloud 8
This update for xen fixes the following issues:
- bsc#1178963 - stack corruption from XSA-346 change (XSA-355)
- bsc#1177409 - CVE-2020-27674: x86 PV guest INVLPG-like flushes may leave stale TLB entries (XSA-286)
- bsc#1177412 - CVE-2020-27672: Race condition in Xen mapping code (XSA-345)
- bsc#1177413 - CVE-2020-27671: undue deferral of IOMMU TLB flushes (XSA-346)
- bsc#1177414 - CVE-2020-27670: unsafe AMD IOMMU page table updates (XSA-347)
- bsc#1178591 - CVE-2020-28368: Intel RAPL sidechannel attack aka PLATYPUS attack aka XSA-351
ImportantSUSE bug 1177409SUSE bug 1177412SUSE bug 1177413SUSE bug 1177414SUSE bug 1178591SUSE bug 1178963CVE-2020-27670 at SUSECVE-2020-27670 at NVDCVE-2020-27671 at SUSECVE-2020-27671 at NVDCVE-2020-27672 at SUSECVE-2020-27672 at NVDCVE-2020-27674 at SUSECVE-2020-27674 at NVDCVE-2020-28368 at SUSECVE-2020-28368 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for mutt (Important)SUSE OpenStack Cloud 8
This update for mutt fixes the following issues:
- Find and display the content of messages properly. (bsc#1179461)
- CVE-2020-28896: incomplete connection termination could send credentials over unencrypted connections. (bsc#1179035)
- Avoid that message with a million tiny parts can freeze MUA for several minutes. (bsc#1179113)
ImportantSUSE bug 1179035SUSE bug 1179113SUSE bug 1179461CVE-2020-28896 at SUSECVE-2020-28896 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for dbus-1 (Important)SUSE OpenStack Cloud 8
This update for dbus-1 fixes the following issues:
Security issue fixed:
- CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which
could have allowed local attackers to bypass authentication (bsc#1137832).
ImportantSUSE bug 1137832CVE-2019-12749 at SUSECVE-2019-12749 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openssl (Important)SUSE OpenStack Cloud 8
This update for openssl fixes the following issues:
- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).
ImportantSUSE bug 1179491CVE-2020-1971 at SUSECVE-2020-1971 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python (Important)SUSE OpenStack Cloud 8
This update for python fixes the following issues:
- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)
ImportantSUSE bug 1176262CVE-2019-20916 at SUSECVE-2019-20916 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 68.5.0 ESR
* CVE-2020-6796 (bmo#1610426)
Missing bounds check on shared memory read in the parent
process
* CVE-2020-6797 (bmo#1596668)
Extensions granted downloads.open permission could open
arbitrary applications on Mac OSX
* CVE-2020-6798 (bmo#1602944)
Incorrect parsing of template tag could result in JavaScript
injection
* CVE-2020-6799 (bmo#1606596)
Arbitrary code execution when opening pdf links from other
applications, when Firefox is configured as default pdf
reader
* CVE-2020-6800 (bmo#1595786, bmo#1596706, bmo#1598543,
bmo#1604851, bmo#1605777, bmo#1608580, bmo#1608785)
Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5
* Fixed: Fixed various issues opening files with spaces in
their path (bmo#1601905, bmo#1602726)
ImportantSUSE bug 1161799CVE-2020-6796 at SUSECVE-2020-6796 at NVDCVE-2020-6797 at SUSECVE-2020-6797 at NVDCVE-2020-6798 at SUSECVE-2020-6798 at NVDCVE-2020-6799 at SUSECVE-2020-6799 at NVDCVE-2020-6800 at SUSECVE-2020-6800 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Critical)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.6.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2020-55 (bsc#1180039)
* CVE-2020-16042 (bmo#1679003)
Operations on a BigInt could have caused uninitialized memory
to be exposed
* CVE-2020-26971 (bmo#1663466)
Heap buffer overflow in WebGL
* CVE-2020-26973 (bmo#1680084)
CSS Sanitizer performed incorrect sanitization
* CVE-2020-26974 (bmo#1681022)
Incorrect cast of StyleGenericFlexBasis resulted in a heap
use-after-free
* CVE-2020-26978 (bmo#1677047)
Internal network hosts could have been probed by a malicious
webpage
* CVE-2020-35111 (bmo#1657916)
The proxy.onRequest API did not catch view-source URLs
* CVE-2020-35112 (bmo#1661365)
Opening an extension-less download may have inadvertently
launched an executable instead
* CVE-2020-35113 (bmo#1664831, bmo#1673589)
Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6
CriticalSUSE bug 1180039CVE-2020-16042 at SUSECVE-2020-16042 at NVDCVE-2020-26971 at SUSECVE-2020-26971 at NVDCVE-2020-26973 at SUSECVE-2020-26973 at NVDCVE-2020-26974 at SUSECVE-2020-26974 at NVDCVE-2020-26978 at SUSECVE-2020-26978 at NVDCVE-2020-35111 at SUSECVE-2020-35111 at NVDCVE-2020-35112 at SUSECVE-2020-35112 at NVDCVE-2020-35113 at SUSECVE-2020-35113 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for clamav (Important)SUSE OpenStack Cloud 8
This update for clamav fixes the following issues:
clamav was updated to 0.103.0 to implement jsc#ECO-3010 and bsc#1118459.
* clamd can now reload the signature database without blocking
scanning. This multi-threaded database reload improvement was made
possible thanks to a community effort.
- Non-blocking database reloads are now the default behavior. Some
systems that are more constrained on RAM may need to disable
non-blocking reloads as it will temporarily consume two times as
much memory. We added a new clamd config option
ConcurrentDatabaseReload, which may be set to no.
* Fix clamav-milter.service (requires clamd.service to run)
* bsc#1119353, clamav-fips.patch: Fix freshclam crash in FIPS mode.
* Partial sync with SLE15.
Update to version 0.102.4
Accumulated security fixes:
* CVE-2020-3350: Fix a vulnerability wherein a malicious user could
replace a scan target's directory with a symlink to another path
to trick clamscan, clamdscan, or clamonacc into removing or moving
a different file (eg. a critical system file). The issue would
affect users that use the --move or --remove options for clamscan,
clamdscan, and clamonacc. (bsc#1174255)
* CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing
module in ClamAV 0.102.3 that could cause a Denial-of-Service
(DoS) condition. Improper bounds checking results in an
out-of-bounds read which could cause a crash. The previous fix for
this CVE in 0.102.3 was incomplete. This fix correctly resolves
the issue.
* CVE-2020-3481: Fix a vulnerability in the EGG archive module in
ClamAV 0.102.0 - 0.102.3 could cause a Denial-of-Service (DoS)
condition. Improper error handling may result in a crash due to a
NULL pointer dereference. This vulnerability is mitigated for
those using the official ClamAV signature databases because the
file type signatures in daily.cvd will not enable the EGG archive
parser in versions affected by the vulnerability. (bsc#1174250)
* CVE-2020-3341: Fix a vulnerability in the PDF parsing module in
ClamAV 0.101 - 0.102.2 that could cause a Denial-of-Service (DoS)
condition. Improper size checking of a buffer used to initialize AES
decryption routines results in an out-of-bounds read which may cause
a crash. (bsc#1171981)
* CVE-2020-3123: A denial-of-service (DoS) condition may occur when
using the optional credit card data-loss-prevention (DLP) feature.
Improper bounds checking of an unsigned variable resulted in an
out-of-bounds read, which causes a crash.
* CVE-2019-15961: A Denial-of-Service (DoS) vulnerability may
occur when scanning a specially crafted email file as a result
of excessively long scan times. The issue is resolved by
implementing several maximums in parsing MIME messages and by
optimizing use of memory allocation. (bsc#1157763).
* CVE-2019-12900: An out of bounds write in the NSIS bzip2
(bsc#1149458)
* CVE-2019-12625: Introduce a configurable time limit to mitigate
zip bomb vulnerability completely. Default is 2 minutes,
configurable useing the clamscan --max-scantime and for clamd
using the MaxScanTime config option (bsc#1144504)
Update to version 0.101.3:
* ZIP bomb causes extreme CPU spikes (bsc#1144504)
Update to version 0.101.2 (bsc#1118459):
* Support for RAR v5 archive extraction.
* Incompatible changes to the arguments of cl_scandesc,
cl_scandesc_callback, and cl_scanmap_callback.
* Scanning options have been converted from a single flag
bit-field into a structure of multiple categorized flag
bit-fields.
* The CL_SCAN_HEURISTIC_ENCRYPTED scan option was replaced by
2 new scan options: CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE, and
CL_SCAN_HEURISTIC_ENCRYPTED_DOC
* Incompatible clamd.conf and command line interface changes.
* Heuristic Alerts' (aka 'Algorithmic Detection') options have
been changed to make the names more consistent. The original
options are deprecated in 0.101, and will be removed in a
future feature release.
* For details, see https://blog.clamav.net/2018/12/clamav-01010-has-been-released.html ImportantSUSE bug 1118459SUSE bug 1119353SUSE bug 1144504SUSE bug 1149458SUSE bug 1157763SUSE bug 1171981SUSE bug 1174250SUSE bug 1174255CVE-2019-12900 at SUSECVE-2019-12900 at NVDCVE-2019-15961 at SUSECVE-2019-15961 at NVDCVE-2020-3123 at SUSECVE-2020-3123 at NVDCVE-2020-3327 at SUSECVE-2020-3327 at NVDCVE-2020-3341 at SUSECVE-2020-3341 at NVDCVE-2020-3350 at SUSECVE-2020-3350 at NVDCVE-2020-3481 at SUSECVE-2020-3481 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for cyrus-sasl (Important)SUSE OpenStack Cloud 8
This update for cyrus-sasl fixes the following issues:
- CVE-2019-19906: Fixed an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet (bsc#1159635).
ImportantSUSE bug 1159635CVE-2019-19906 at SUSECVE-2019-19906 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for gcc9 (Moderate)SUSE OpenStack Cloud 8
This update for gcc9 fixes the following issues:
The GNU Compiler Collection is shipped in version 9.
A detailed changelog on what changed in GCC 9 is available at https://gcc.gnu.org/gcc-9/changes.html
The compilers have been added to the SUSE Linux Enterprise Toolchain Module.
To use these compilers, install e.g. gcc9, gcc9-c++ and build with CC=gcc-9
CXX=g++-9 set.
For SUSE Linux Enterprise base products, the libstdc++6, libgcc_s1 and
other compiler libraries have been switched from their gcc8 variants to
their gcc9 variants.
Security issues fixed:
- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)
Non-security issues fixed:
- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)
ModerateSUSE bug 1114592SUSE bug 1135254SUSE bug 1141897SUSE bug 1142649SUSE bug 1142654SUSE bug 1148517SUSE bug 1149145CVE-2019-14250 at SUSECVE-2019-14250 at NVDCVE-2019-15847 at SUSECVE-2019-15847 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for xen (Moderate)SUSE OpenStack Cloud 8
This update for xen fixes the following issues:
- CVE-2020-29480: Fixed an issue which could have allowed leak of non-sensitive data to administrator guests (bsc#117949 XSA-115).
- CVE-2020-29481: Fixed an issue which could have allowd to new domains to inherit existing node permissions (bsc#1179498 XSA-322).
- CVE-2020-29483: Fixed an issue where guests could disturb domain cleanup (bsc#1179502 XSA-325).
- CVE-2020-29484: Fixed an issue where guests could crash xenstored via watchs (bsc#1179501 XSA-324).
- CVE-2020-29566: Fixed an undue recursion in x86 HVM context switch code (bsc#1179506 XSA-348).
- CVE-2020-29570: Fixed an issue where FIFO event channels control block related ordering (bsc#1179514 XSA-358).
- CVE-2020-29571: Fixed an issue where FIFO event channels control structure ordering (bsc#1179516 XSA-359).
- CVE-2020-29130: Fixed an out-of-bounds access while processing ARP packets (bsc#1179477).
- Fixed an issue where dump-core shows missing nr_pages during core (bsc#1176782).
- Multiple other bugs (bsc#1027519)
ModerateSUSE bug 1027519SUSE bug 1176782SUSE bug 1179477SUSE bug 1179496SUSE bug 1179498SUSE bug 1179501SUSE bug 1179502SUSE bug 1179506SUSE bug 1179514SUSE bug 1179516CVE-2020-29130 at SUSECVE-2020-29130 at NVDCVE-2020-29480 at SUSECVE-2020-29480 at NVDCVE-2020-29481 at SUSECVE-2020-29481 at NVDCVE-2020-29483 at SUSECVE-2020-29483 at NVDCVE-2020-29484 at SUSECVE-2020-29484 at NVDCVE-2020-29566 at SUSECVE-2020-29566 at NVDCVE-2020-29570 at SUSECVE-2020-29570 at NVDCVE-2020-29571 at SUSECVE-2020-29571 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for sudo (Important)SUSE OpenStack Cloud 8
This update for sudo fixes the following issues:
Security issue fixed:
- CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202).
Non-security issue fixed:
- Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675).
ImportantSUSE bug 1162202SUSE bug 1162675CVE-2019-18634 at SUSECVE-2019-18634 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for dnsmasq (Moderate)SUSE OpenStack Cloud 8
This update for dnsmasq fixes the following issues:
Security issue fixed:
- CVE-2019-14834: Fixed a memory leak which could have allowed to remote attackers
to cause denial of service via DHCP response creation (bsc#1154849)
Other issue addressed:
- Removed cache size limit (bsc#1138743).
ModerateSUSE bug 1138743SUSE bug 1154849CVE-2019-14834 at SUSECVE-2019-14834 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_7_1-ibm (Important)SUSE OpenStack Cloud 8
This update for java-1_7_1-ibm fixes the following issues:
Java was updated to 7.1 Service Refresh 4 Fix Pack 60 [bsc#1162972, bsc#1160968].
Security issues fixed:
- CVE-2020-2583: Fixed a serialization vulnerability in BeanContextSupport (bsc#1162972).
- CVE-2020-2593: Fixed an incorrect check in isBuiltinStreamHandler, causing URL normalization issues (bsc#1162972).
- CVE-2020-2604: Fixed a serialization issue in jdk.serialFilter (bsc#1162972).
- CVE-2020-2659: Fixed the incomplete enforcement of the maxDatagramSockets limit in DatagramChannelImpl (bsc#1162972).
Non-security issues fixed:
* Class Libraries:
IJ22333 HANG IN JAVA_JAVA_NET_SOCKETINPUTSTREAM_SOCKETREAD0 EVEN
WHEN TIMEOUT IS SET
IJ22350 JAVA 7 AND JAVA 8 NOT WORKING WELL WITH TRADITIONAL/SIMPLIFIED
CHINESE EDITION OF WINDOWS CLIENT SYSTEM
IJ22337 THE NAME OF THE REPUBLIC OF BELARUS IN THE RUSSIAN LOCALE
INCONSISTENT WITH CLDR
IJ22349 UPDATE TIMEZONE INFORMATION TO TZDATA2019C
* JIT Compiler:
IJ11368 JAVA JIT PPC: CRASH IN JIT COMPILED CODE ON PPC MACHINES
ImportantSUSE bug 1160968SUSE bug 1162972CVE-2020-2583 at SUSECVE-2020-2583 at NVDCVE-2020-2593 at SUSECVE-2020-2593 at NVDCVE-2020-2604 at SUSECVE-2020-2604 at NVDCVE-2020-2659 at SUSECVE-2020-2659 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libexif (Moderate)SUSE OpenStack Cloud 8
This update for libexif fixes the following issues:
- CVE-2019-9278: Fixed an integer overflow (bsc#1160770).
- CVE-2018-20030: Fixed a denial of service by endless recursion (bsc#1120943).
ModerateSUSE bug 1120943SUSE bug 1160770CVE-2018-20030 at SUSECVE-2018-20030 at NVDCVE-2019-9278 at SUSECVE-2019-9278 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openssl (Moderate)SUSE OpenStack Cloud 8
This update for openssl fixes the following issues:
Security issue fixed:
- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).
Non-security issue fixed:
- Fixed a crash in BN_copy (bsc#1160163).
ModerateSUSE bug 1117951SUSE bug 1158809SUSE bug 1160163CVE-2019-1551 at SUSECVE-2019-1551 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ppp (Important)SUSE OpenStack Cloud 8
This update for ppp fixes the following security issue:
- CVE-2020-8597: Fixed a buffer overflow in the eap_request and eap_response functions (bsc#1162610).
ImportantSUSE bug 1162610CVE-2020-8597 at SUSECVE-2020-8597 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python3 (Moderate)SUSE OpenStack Cloud 8
This update for python3 fixes the following issues:
Update to 3.4.10 (jsc#SLE-9427, bsc#1159208) from 3.4.6:
Security issues fixed:
- Update expat copy from 2.1.1 to 2.2.0 to fix the following issues:
CVE-2012-0876, CVE-2016-0718, CVE-2016-4472, CVE-2017-9233, CVE-2016-9063
- CVE-2017-1000158: Fix an integer overflow in thePyString_DecodeEscape function in stringobject.c, resulting in heap-based bufferoverflow (bsc#1068664).
ModerateSUSE bug 1068664SUSE bug 1159208SUSE bug 1159623CVE-2012-0876 at SUSECVE-2012-0876 at NVDCVE-2016-0718 at SUSECVE-2016-0718 at NVDCVE-2016-4472 at SUSECVE-2016-4472 at NVDCVE-2016-9063 at SUSECVE-2016-9063 at NVDCVE-2017-1000158 at SUSECVE-2017-1000158 at NVDCVE-2017-9233 at SUSECVE-2017-9233 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for mariadb (Moderate)SUSE OpenStack Cloud 8
This update for mariadb fixes the following issues:
Security issue fixed:
- CVE-2019-2974: Fixed Server Optimizer (bsc#1154162).
ModerateSUSE bug 1154162CVE-2019-2974 at SUSECVE-2019-2974 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_7_1-ibm (Moderate)SUSE OpenStack Cloud 8
This update for java-1_7_1-ibm fixes the following issues:
- Update to 7.1 Service Refresh 4 Fix Pack 55 [bsc#1158442, bsc#1154212]
* Security fixes:
CVE-2019-2933 CVE-2019-2945 CVE-2019-2962 CVE-2019-2964
CVE-2019-2978 CVE-2019-2983 CVE-2019-2989 CVE-2019-2992
CVE-2019-2999 CVE-2019-2973 CVE-2019-2981
ModerateSUSE bug 1154212SUSE bug 1158442CVE-2019-2933 at SUSECVE-2019-2933 at NVDCVE-2019-2945 at SUSECVE-2019-2945 at NVDCVE-2019-2962 at SUSECVE-2019-2962 at NVDCVE-2019-2964 at SUSECVE-2019-2964 at NVDCVE-2019-2973 at SUSECVE-2019-2973 at NVDCVE-2019-2978 at SUSECVE-2019-2978 at NVDCVE-2019-2981 at SUSECVE-2019-2981 at NVDCVE-2019-2983 at SUSECVE-2019-2983 at NVDCVE-2019-2989 at SUSECVE-2019-2989 at NVDCVE-2019-2992 at SUSECVE-2019-2992 at NVDCVE-2019-2999 at SUSECVE-2019-2999 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for mariadb (Moderate)SUSE OpenStack Cloud 8
This update for mariadb fixes the following issues:
MariaDB was updated to version 10.0.40-3 (bsc#1162388).
Security issues fixed:
- CVE-2020-2574: Fixed a difficult to exploit vulnerability that allowed an attacker to crash the client (bsc#1162388).
- CVE-2019-18901: Fixed an unsafe path handling behavior in mysql-systemd-helper (bsc#1160895).
ModerateSUSE bug 1077717SUSE bug 1160895SUSE bug 1160912SUSE bug 1162388CVE-2019-18901 at SUSECVE-2019-18901 at NVDCVE-2020-2574 at SUSECVE-2020-2574 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_8_0-ibm (Important)SUSE OpenStack Cloud 8
This update for java-1_8_0-ibm fixes the following issues:
Java 8.0 was updated to Service Refresh 6 Fix Pack 5 (bsc#1162972, bsc#1160968)
- CVE-2020-2583: Unlink Set of LinkedHashSets
- CVE-2019-4732: Untrusted DLL search path vulnerability
- CVE-2020-2593: Normalize normalization for all
- CVE-2020-2604: Better serial filter handling
- CVE-2020-2659: Enhance datagram socket support
ImportantSUSE bug 1160968SUSE bug 1162972CVE-2019-4732 at SUSECVE-2019-4732 at NVDCVE-2020-2583 at SUSECVE-2020-2583 at NVDCVE-2020-2593 at SUSECVE-2020-2593 at NVDCVE-2020-2604 at SUSECVE-2020-2604 at NVDCVE-2020-2659 at SUSECVE-2020-2659 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for log4j (Important)SUSE OpenStack Cloud 8
This update for log4j fixes the following issues:
- CVE-2019-17571: Fixed a remote code execution by deserialization of untrusted data in SocketServer (bsc#1159646).
ImportantSUSE bug 1159646CVE-2019-17571 at SUSECVE-2019-17571 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for permissions (Moderate)SUSE OpenStack Cloud 8
This update for permissions fixes the following issues:
Security issues fixed:
- CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922).
Non-security issues fixed:
- Fixed a regression where chkstat broke when /proc was not available (bsc#1160764, bsc#1160594).
- Fixed capability handling when doing multiple permission changes at once (bsc#1161779).
ModerateSUSE bug 1123886SUSE bug 1160594SUSE bug 1160764SUSE bug 1161779SUSE bug 1163922CVE-2020-8013 at SUSECVE-2020-8013 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer (Moderate)SUSE OpenStack Cloud 8
This update for python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer, python-jsonpatch, python-jsonpointer, python-scandir, python-PyYAML fixes the following issues:
python-cfn-lint was included as a new package in 0.21.4.
python-aws-sam-translator was updated to 1.11.0:
* Add ReservedConcurrentExecutions to globals
* Fix ElasticsearchHttpPostPolicy resource reference
* Support using AWS::Region in Ref and Sub
* Documentation and examples updates
* Add VersionDescription property to Serverless::Function
* Update ServerlessRepoReadWriteAccessPolicy
* Add additional template validation
Upgrade to 1.10.0:
* Add GSIs to DynamoDBReadPolicy and DynamoDBCrudPolicy
* Add DynamoDBReconfigurePolicy
* Add CostExplorerReadOnlyPolicy and OrganizationsListAccountsPolicy
* Add EKSDescribePolicy
* Add SESBulkTemplatedCrudPolicy
* Add FilterLogEventsPolicy
* Add SSMParameterReadPolicy
* Add SESEmailTemplateCrudPolicy
* Add s3:PutObjectAcl to S3CrudPolicy
* Add allow_credentials CORS option
* Add support for AccessLogSetting and CanarySetting Serverless::Api properties
* Add support for X-Ray in Serverless::Api
* Add support for MinimumCompressionSize in Serverless::Api
* Add Auth to Serverless::Api globals
* Remove trailing slashes from APIGW permissions
* Add SNS FilterPolicy and an example application
* Add Enabled property to Serverless::Function event sources
* Add support for PermissionsBoundary in Serverless::Function
* Fix boto3 client initialization
* Add PublicAccessBlockConfiguration property to S3 bucket resource
* Make PAY_PER_REQUEST default mode for Serverless::SimpleTable
* Add limited support for resolving intrinsics in Serverless::LayerVersion
* SAM now uses Flake8
* Add example application for S3 Events written in Go
* Updated several example applications
- Initial build
+ Version 1.9.0
- Add patch to drop compatible releases operator from setup.py,
required for SLES12 as the setuptools version is too old
+ ast_drop-compatible-releases-operator.patch
python-jsonschema was updated to 2.6.0:
* Improved performance on CPython by adding caching around ref resolution
Update to version 2.5.0:
* Improved performance on CPython by adding caching around ref
resolution (#203)
Update to version 2.4.0:
* Added a CLI (#134)
* Added absolute path and absolute schema path to errors (#120)
* Added ``relevance``
* Meta-schemas are now loaded via ``pkgutil``
* Added ``by_relevance`` and ``best_match`` (#91)
* Fixed ``format`` to allow adding formats for non-strings (#125)
* Fixed the ``uri`` format to reject URI references (#131)
- Install /usr/bin/jsonschema with update-alternatives support
python-nose2 was updated to 0.9.1:
* the prof plugin now uses cProfile instead of hotshot for profiling
* skipped tests now include the user's reason in junit XML's message field
* the prettyassert plugin mishandled multi-line function definitions
* Using a plugin's CLI flag when the plugin is already enabled via config
no longer errors
* nose2.plugins.prettyassert, enabled with --pretty-assert
* Cleanup code for EOLed python versions
* Dropped support for distutils.
* Result reporter respects failure status set by other plugins
* JUnit XML plugin now includes the skip reason in its output
Upgrade to 0.8.0:
List of changes is too long to show here, see
https://github.com/nose-devs/nose2/blob/master/docs/changelog.rst
changes between 0.6.5 and 0.8.0
Update to 0.7.0:
* Added parameterized_class feature, for parameterizing entire test
classes (many thanks to @TobyLL for their suggestions and help testing!)
* Fix DeprecationWarning on `inspect.getargs` (thanks @brettdh;
https://github.com/wolever/parameterized/issues/67)
* Make sure that `setUp` and `tearDown` methods work correctly (#40)
* Raise a ValueError when input is empty (thanks @danielbradburn;
https://github.com/wolever/parameterized/pull/48)
* Fix the order when number of cases exceeds 10 (thanks @ntflc;
https://github.com/wolever/parameterized/pull/49)
python-scandir was included in version 2.3.2.
python-requests was updated to version 2.20.1 (bsc#1111622)
* Fixed bug with unintended Authorization header stripping for
redirects using default ports (http/80, https/443).
* remove restriction for urllib3 < 1.24
Update to version 2.20.0:
* Bugfixes
+ Content-Type header parsing is now case-insensitive
(e.g. charset=utf8 v Charset=utf8).
+ Fixed exception leak where certain redirect urls would raise
uncaught urllib3 exceptions.
+ Requests removes Authorization header from requests redirected
from https to http on the same hostname. (CVE-2018-18074)
+ should_bypass_proxies now handles URIs without hostnames
(e.g. files).
* Dependencies
+ Requests now supports urllib3 v1.24.
* Deprecations
+ Requests has officially stopped support for Python 2.6.
Update to version 2.19.1:
* Fixed issue where status_codes.py’s init function failed trying
to append to a __doc__ value of None.
Update to version 2.19.0:
* Improvements
+ Warn about possible slowdown with cryptography version < 1.3.4
+ Check host in proxy URL, before forwarding request to adapter.
+ Maintain fragments properly across redirects. (RFC7231 7.1.2)
+ Removed use of cgi module to expedite library load time.
+ Added support for SHA-256 and SHA-512 digest auth algorithms.
+ Minor performance improvement to Request.content.
+ Migrate to using collections.abc for 3.7 compatibility.
* Bugfixes
+ Parsing empty Link headers with parse_header_links() no longer
return one bogus entry.
+ Fixed issue where loading the default certificate bundle from
a zip archive would raise an IOError.
+ Fixed issue with unexpected ImportError on windows system
which do not support winreg module.
+ DNS resolution in proxy bypass no longer includes the username
and password in the request. This also fixes the issue of DNS
queries failing on macOS.
+ Properly normalize adapter prefixes for url comparison.
+ Passing None as a file pointer to the files param no longer
raises an exception.
+ Calling copy on a RequestsCookieJar will now preserve the
cookie policy correctly.
* We now support idna v2.7 and urllib3 v1.23.
update to version 2.18.4:
* Improvements
+ Error messages for invalid headers now include the header name
for easier debugging
* Dependencies
+ We now support idna v2.6.
update to version 2.18.3:
* Improvements
+ Running $ python -m requests.help now includes the installed
version of idna.
* Bugfixes
+ Fixed issue where Requests would raise ConnectionError instead
of SSLError when encountering SSL problems when using urllib3
v1.22.
ModerateSUSE bug 1111622SUSE bug 1122668CVE-2018-18074 at SUSECVE-2018-18074 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libpng16 (Moderate)SUSE OpenStack Cloud 8
This update for libpng16 fixes the following issues:
Security issues fixed:
- CVE-2019-7317: Fixed a use-after-free vulnerability, triggered when
png_image_free() was called under png_safe_execute (bsc#1124211).
- CVE-2017-12652: Fixed an Input Validation Error related to the length of chunks (bsc#1141493).
ModerateSUSE bug 1124211SUSE bug 1141493CVE-2017-12652 at SUSECVE-2017-12652 at NVDCVE-2019-7317 at SUSECVE-2019-7317 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for postgresql96 (Low)SUSE OpenStack Cloud 8
This update for postgresql96 fixes the following issues:
PostgreSQL was updated to version 9.6.17.
Security issue fixed:
- CVE-2020-1720: Fixed a missing authorization check in the ALTER ... DEPENDS ON extension (bsc#1163985).
LowSUSE bug 1163985CVE-2020-1720 at SUSECVE-2020-1720 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_7_0-openjdk (Important)SUSE OpenStack Cloud 8
This update for java-1_7_0-openjdk fixes the following issues:
Update java-1_7_0-openjdk to version jdk7u251 (January 2020 CPU, bsc#1160968):
- CVE-2020-2583: Unlink Set of LinkedHashSets
- CVE-2020-2590: Improve Kerberos interop capabilities
- CVE-2020-2593: Normalize normalization for all
- CVE-2020-2601: Better Ticket Granting Services
- CVE-2020-2604: Better serial filter handling
- CVE-2020-2659: Enhance datagram socket support
- CVE-2020-2654: Improve Object Identifier Processing
ImportantSUSE bug 1160968CVE-2020-2583 at SUSECVE-2020-2583 at NVDCVE-2020-2590 at SUSECVE-2020-2590 at NVDCVE-2020-2593 at SUSECVE-2020-2593 at NVDCVE-2020-2601 at SUSECVE-2020-2601 at NVDCVE-2020-2604 at SUSECVE-2020-2604 at NVDCVE-2020-2654 at SUSECVE-2020-2654 at NVDCVE-2020-2659 at SUSECVE-2020-2659 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ipmitool (Important)SUSE OpenStack Cloud 8
This update for ipmitool fixes the following issues:
- CVE-2020-5208: Fixed multiple remote code executtion vulnerabilities (bsc#1163026).
- picmg discover messages are now DEBUG and not INFO messages (bsc#1085469).
ImportantSUSE bug 1085469SUSE bug 1163026CVE-2020-5208 at SUSECVE-2020-5208 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ardana-cinder, ardana-cobbler, ardana-designate, ardana-extensions-example, ardana-extensions-nsx, ardana-glance, ardana-heat, ardana-input-model, ardana-ironic, ardana-keystone, ardana-logging, ardana-monasca, ardana-monasca-transform, ardana-mq, ardana-neutron, ardana-nova, ardana-octavia, ardana-osconfig, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, keepalived, mariadb, openstack-cinder, openstack-dashboard, openstack-dashboard-theme-SUSE, openstack-heat, openstack-heat-templates, openstack-horizon-plugin-designate-ui, openstack-horizon-plugin-neutron-lbaas-ui, openstack-ironic, openstack-keystone, openstack-monasca-agent, openstack-neutron, openstack-neutron-gbp, openstack-neutron-vsphere, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, openstack-resource-agents, openstack-sahara, openstack-trove, python-cinderlm, python-congressclient, python-designateclient, python-ironic-lib, python-networking-cisco, python-osc-lib, python-oslo.context, python-oslo.rootwrap, python-oslo.serialization, python-oslo.service, python-stevedore, python-taskflow, rubygem-crowbar-client, rubygem-pumavenv-openstack-swift (Important)SUSE OpenStack Cloud 8
This update for ardana-cinder, ardana-cobbler, ardana-designate, ardana-extensions-example, ardana-extensions-nsx, ardana-glance, ardana-heat, ardana-input-model, ardana-ironic, ardana-keystone, ardana-logging, ardana-monasca, ardana-monasca-transform, ardana-mq, ardana-neutron, ardana-nova, ardana-octavia, ardana-osconfig, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, keepalived, mariadb, openstack-cinder, openstack-dashboard, openstack-dashboard-theme-SUSE, openstack-heat, openstack-heat-templates, openstack-horizon-plugin-designate-ui, openstack-horizon-plugin-neutron-lbaas-ui, openstack-ironic, openstack-keystone, openstack-monasca-agent, openstack-neutron, openstack-neutron-gbp, openstack-neutron-vsphere, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, openstack-resource-agents, openstack-sahara, openstack-trove, python-cinderlm, python-congressclient, python-designateclient, python-ironic-lib, python-networking-cisco, python-osc-lib, python-oslo.context, python-oslo.rootwrap, python-oslo.serialization, python-oslo.service, python-stevedore, python-taskflow, rubygem-crowbar-client, rubygem-puma, venv-openstack-swift fixes the following issues:
Security issues fixed:
The update of rubygem-crowbar-client, rubygem-puma fixes the following security issues:
- CVE-2018-17954: Fixed an issue where crowbar was leaking the secret admin passwords to all nodes (bsc#1117080).
- CVE-2019-16770: Fixed a denial-of-service vulnerability that was exploitable by clients sending extraneous keepalive requests (bsc#1158675).
The update of mariadb to 10.2.29 fixes several security issues:
- CVE-2020-2574: Fixed a difficult to exploit vulnerability that allowed an attacker to crash the client (bsc#1162388).
- CVE-2019-18901: Fixed a difficult to exploit vulnerability that allowed an attacker to crash the client (bsc#1162388).
- CVE-2017-1002201: Fixed an issue where special characters did not escpae properly (bsc#1155089)
- CVE-2019-2737, CVE-2019-2739, CVE-2019-2740, CVE-2019-2758, CVE-2019-2805, CVE-2019-2938, CVE-2019-2974: Fixed an issue where could lead a remote attacker to cause denial of service (bsc#1156669)
Non-security issues fixed:
Changes in ardana-cinder:
- Update to version 8.0+git.1579279939.ee7da88:
* Add option to flatten snapshots when using SES (SOC-11054)
- Update to version 8.0+git.1571846011.1a2f62b:
* SCRD-4764 move v2.0 endpoints to v3 (SOC-9753)
Changes in ardana-cobbler:
- Update to version 8.0+git.1575037115.0326803:
* Set root device on SLES autoyast templates (SOC-7365)
Changes in ardana-designate:
- Update to version 8.0+git.1573597788.15b7984:
* Update gerrit location (SOC-9140)
Changes in ardana-extensions-example:
- Switch to new Gerrit Server
- Update to version 8.0+git.1534266307.db1ec28:
* SCPL-409 Fix .gitreview for stable/pike
Changes in ardana-extensions-nsx:
- Update to version 8.0+git.1567529036.a41a037:
* Update policy json templates for vmware-nsx (SOC-10254)
- Switch to new Gerrit Server
Changes in ardana-glance:
- Update to version 8.0+git.1571846045.ab9e3ea:
* SCRD-4764 move v2.0 endpoints to v3 (SOC-9753)
Changes in ardana-heat:
- Update to version 8.0+git.1571777596.14dce6a:
* SCRD-4764 remove V2.0 auth end points (SOC-9753)
Changes in ardana-input-model:
- Update to version 8.0+git.1582147997.b9ed134:
* Enable port security extension neutron (SOC-11027)
- Update to version 8.0+git.1573658751.38e822a:
* Move manila share to controller (SOC-10938)
Changes in ardana-ironic:
- Update to version 8.0+git.1571845225.006843d:
* SCRD-4764 remove V2.0 auth end points (SOC-9753)
Changes in ardana-keystone:
- Update to version 8.0+git.1573147067.09e3ea0:
* enable debug and insecure_debug on demand (SOC-10934)
Changes in ardana-logging:
- Update to version 8.0+git.1572452293.e65d714:
* use correct Keystone v3 params bsc#1117840 (SOC-9753)
Changes in ardana-monasca:
- Update to version 8.0+git.1572527728.9b34bdf:
* use correct Keystone v3 params bsc#1117840 (SOC-9753)
* SCRD-4764 remove V2.0 auth end points (SOC-9753)
Changes in ardana-monasca-transform:
- Update to version 8.0+git.1571845965.97714fb:
* SCRD-4764 remove V2.0 auth end points (SOC-9753)
Changes in ardana-mq:
- Update to version 8.0+git.1581024906.fbf0be3:
* Ensure HA queue sync wait fails (SOC-11083)
* Fix HA policy setting comments (SOC-10317, SOC-11082)
- Update to version 8.0+git.1580853688.4e72fc1:
* Set HA policy accordingly (SOC-10317, SOC-11082)
- Update to version 8.0+git.1579014733.a855e3a:
* Change the HA policy mirror (SOC-10317)
Changes in ardana-neutron:
- Update to version 8.0+git.1573050365.ff6fa06:
* Kill dhclient before restarting neutron-openvswitch-agent (SOC-9230)
- Update to version 8.0+git.1571846086.19cb7eb:
* SCRD-4764 move v2.0 endpoints to v3 (SOC-9753)
Changes in ardana-nova:
- Update to version 8.0+git.1571846125.584d988:
* SCRD-4764 remove V2.0 auth end points (SOC-9753)
Changes in ardana-octavia:
- Update to version 8.0+git.1575642049.1f321d0:
* Change event_streamer_driver to noop (bsc#1154235)
Changes in ardana-osconfig:
- Update to version 8.0+git.1581015942.2d21e63:
* Adjust 'fs.inotify.max_user_instances' to align with crowbar (bsc#1161351)
- Update to version 8.0+git.1580469528.0ac2a8b:
* Start OVS services before wicked service at boot (SOC-11067)
Changes in ardana-tempest:
- Update to version 8.0+git.1579261264.7dd213a:
* Create network resources needed by some heat tests (SOC-7028)
- Update to version 8.0+git.1573571182.8fa9823:
* Restrore designate test (SOC-9753)
- Update to version 8.0+git.1571846164.6279bc0:
* SCRD-4764 remove V2.0 auth end points (SOC-9753)
Changes in crowbar-core:
- Update to version 5.0+git.1582968668.1a55c77c5:
* Ignore CVE-2020-7595 in CI (bsc#1161517)
- Update to version 5.0+git.1582543433.f71d39544:
* Fix deployment queue display (SOC-10741)
- Update to version 5.0+git.1580209640.80f2ba3d9:
* network: start OVS before wickedd (SOC-11067)
- Update to version 5.0+git.1579705862.220974047:
* dns: add checks to designate migration (SOC-11047)
- Update to version 5.0+git.1579271614.eac1c490c:
* upgrade: Add the upgrade menu entry (SOC-11053)
* upgrade: Fix upgrade link (SOC-11053)
- Update to version 5.0+git.1578989446.a2d23b7e1:
* Do not log an error for a case that is correct (trivial)
- Update to version 5.0+git.1578472131.b88a31055:
* apache2: Restart after enabling SSL flag (SOC-11029)
- Update to version 5.0+git.1578295229.96952deab:
* Avoid nil crash when provisioner attributes are not set (bsc#1160048)
- Update to version 5.0+git.1578063264.d0223905b:
* Ignore CVE-2019-16770 (SOC-10999)
- Update to version 5.0+git.1576053049.a2f4c9820:
* upgrade: Remove DRBD specific code from the preparation parts (SOC-10985)
- Update to version 5.0+git.1575020613.fc167f4dc:
* List XEN nodes when failing precheck (trivial)
- Update to version 5.0+git.1574763025.0a6957f37:
* Disable installation repository (bsc#1152007)
* Disable automatic repo services (bsc#1152007)
* Designate: Don't add the admin node to the public network (SOC-10658)
- Update to version 5.0+git.1574715523.ee8e58f4b:
* upgrade: Check the result after commiting proposal (noref)
* upgrade: Do not try to disable services that might not exist (noref)
- Update to version 5.0+git.1574667034.76644f658:
* [upgrade] Remove existing upgrade directories from nodes (SOC-10956)
- Update to version 5.0+git.1574348992.88de970a6:
* [upgrade] Wait for keystone to be ready after start (bsc#1157206)
- Update to version 5.0+git.1574270784.294f0e830:
* upgrade: Ignore Cloud repository during repocheck (bsc#1152007)
- Update to version 5.0+git.1574165163.52870c62e:
* [upgrade] Call finalize_nodes_upgrade at the very end (bsc#1155942)
- Update to version 5.0+git.1574103089.1fbb5a51d:
* Ignore CVE-2019-13117 in CI builds (bsc#1157028)
* upgrade: Make the time before next upgrade configurable (SOC-10955)
* upgrade: Make sure cinder-volume is really stopped (bsc#1156305)
- Update to version 5.0+git.1573110008.449237f0d:
* Allow pacemaker remotes for upgrade (SOC-10133)
* upgrade: Precheck for unsaved proposals (SOC-10912)
- Update to version 5.0+git.1572880575.4a6efa3a1:
* upgrade: Add a precheck for XEN compute nodes presence (SOC-10495)
* upgrade: Reload repo config in repochecks (SOC-10718)
- Update to version 5.0+git.1572097431.519baa552:
* Ignore CVE-2017-1002201 in CI builds (bsc#1155089)
- Update to version 5.0+git.1571210032.8648ab99c:
* Revert 'Use block-migration when needed' (SOC-10133)
Changes in crowbar-ha:
- Update to version 5.0+git.1574286229.e0364c3:
* Drop g-haproxy location before group deletion (bsc#1156914)
Changes in crowbar-openstack:
- Update to version 5.0+git.1582911795.5081ef1da:
* designate: Mark as user managed (SOC-10233)
* Designate: make sure dns-server is active on a non-admin node (SOC-10636)
- Update to version 5.0+git.1580549331.ba1e1a0a3:
* [5.0] ec2-api: run keystone_register on cluster founder only (SOC-11079)
- Update to version 5.0+git.1579182968.f54cfa8f5:
* tempest: tempest run filters as templates (SOC-11052)
- Update to version 5.0+git.1578515319.fdab3a0b2:
* Install openstack client for neutron recipes (SOC-11039)
- Update to version 5.0+git.1576764142.8efe58655:
* Do not read data from barclamp that has not been saved (SOC-11028)
- Update to version 5.0+git.1576666547.b7a0b8814:
* Revert 'Octavia: Hide UI until complete (SOC-10550)'
- Update to version 5.0+git.1576250115.67b80cbca:
* [5.0] tempest: Update default image on schema (SOC-11023)
- Update to version 5.0+git.1576078873.ecc798ffe:
* neutron: Revert remove .openrc creation from neutron cookbooks (SOC-10378)
* keystone: Add OS_INTERFACE env var to .openrc (SOC-11006)
- Update to version 5.0+git.1574927541.694ac3863:
* designate: move keystone resource lookup to convergence (SOC-10887)
- Update to version 5.0+git.1574769056.07a7c373e:
* designate: declare all mdns servers as master on pool config (SOC-10952)
* designate: add support for SSL (SOC-10877)
* designate: change default configuration (SOC-10899)
- Update to version 5.0+git.1574421761.ace345683:
* Add tempest filter for designate (SOC-10288)
- Update to version 5.0+git.1574359417.113b616b2:
* horizon: install lbaas horizon dashboard (SOC-10883)
- Update to version 5.0+git.1572937880.ffb86e88b:
* Make sure the input file with ssh key exists (SOC-10133)
- Update to version 5.0+git.1571764038.ad48726d6:
* mysql: fix WSREP sync race (SOC-10717)
* mysql: stop service for mysql_install_db (SOC-10717)
* Do not use obsoleted --endpoint-type option with CLI
- Update to version 5.0+git.1571323259.7402ef5eb:
* [5.0] Tempest: blacklist test_volume_boot_pattern (SOC-10874)
- Update to version 5.0+git.1571241534.f4af21325:
* rabbitmq: fix migration 200 (SOC-10623)
* Fix Cloud 8 no-op migrations (SOC-10623)
* neutron-lbaas: remove loadbalancer/pool limit
* [5.0] Configurable timeout for Galera pre-sync
- Update to version 5.0+git.1571138324.edb9e8b56:
* horizon: tighten check for existence of monasca while deploying grafana
* monasca: improve detection if monasca-server is available
* monasca: install agent before run setup monitors in server
* Monasca: Handle node reinstall (jsc#SOC-10440, bsc#1148158 )
- Update to version 5.0+git.1570618886.06022a6ef:
* glance: Set barbican auth endpoint (bsc#1123191, SOC-10844)
* tempest: Add barbican run_filters from ardana (SOC-10844)
* Fix nova tempest tests (SOC-9298, SOC-10844)
- Update to version 5.0+git.1570505588.4bdc5aa6f:
* No rndc key if no public DNS server (SOC-10835)
Changes in crowbar-ui:
- Update to version 1.2.0+git.1575896697.a01a3a08:
* upgrade: Added missing error title
* travis: Stop testing against nodejs4
- Update to version 1.2.0+git.1572871359.50fc6087:
* Add title for XEN compute nodes precheck (SOC-10495)
Changes in keepalived:
- update to 2.0.19
- new BR pkgconfig(libnftnl) to fix nftables support
- add nftables to the BR
- added patch
* linux-4.15.patch
- add buildrequires for file-devel
- used in the checker to verify scripts
- enable json stats and config dump support
new BR: pkgconfig(json-c)
- enable http regexp support: new BR pcre2-devel
- disable dbus instance creation support as it is marked as
dangerous
- Add BFD build option to keepalived.spec rpm file
Issue #1114 identified that the keepalived.spec file was not being
generated to build BFD support even if keepalived had been
configured to support it.
- full changelog
https://keepalived.org/changelog.html
Changes in mariadb:
- update to 10.2.31 GA [bsc#1162388]
* Fixes for the following security vulnerabilities:
* 10.2.31: CVE-2020-2574
* 10.2.30: none
* release notes and changelog:
https://mariadb.com/kb/en/library/mariadb-10231-release-notes
https://mariadb.com/kb/en/library/mariadb-10231-changelog
https://mariadb.com/kb/en/library/mariadb-10230-release-notes
https://mariadb.com/kb/en/library/mariadb-10230-changelog
- refresh mariadb-10.1.12-deharcode-libdir.patch
- remove mariadb-10.2.29-bufferoverflowstrncat.patch (upstreamed)
- pack pam_user_map.so module in the /%{_lib}/security directory
and user_map.conf configuration file in the /etc/security directory
- fix race condition with mysql_upgrade_info status file by moving
it to the location owned by root (/var/lib/misc) CVE-2019-18901
[bsc#1160895]
- move .run-mysql_upgrade file from $datadir/.run-mysql_upgrade
to /var/lib/misc/.mariadb_run_upgrade so the mysql user can't
use it for a symlink attack [bsc#1160912]
- on BTRFS systems /var/lib/mysql is created as a subvolume with
755 permissions during the system installaion. Fix it to 700 as
mysql_install_db doesn't do it [bsc#1077717]
- add important options to mariadb.service and mariadb@.service
(ProtectSystem, ProtectHome and UMask) [bsc#1160878]
- mysql-systemd-helper: use systemd-tmpfiles instead of shell
script operations for a cleaner and safer creating of /run/mysql
[bsc#1160883]
- update to 10.2.29 GA
* Fixes for the following security vulnerabilities:
* 10.2.29: none
* 10.2.28: CVE-2019-2974, CVE-2019-2938
* 10.2.27: none
* 10.2.26: CVE-2019-2805, CVE-2019-2740, CVE-2019-2739,
CVE-2019-2737, CVE-2019-2758
* release notes and changelog:
https://mariadb.com/kb/en/library/mariadb-10229-release-notes
https://mariadb.com/kb/en/library/mariadb-10229-changelog
https://mariadb.com/kb/en/library/mariadb-10228-release-notes
https://mariadb.com/kb/en/library/mariadb-10228-changelog
https://mariadb.com/kb/en/library/mariadb-10227-release-notes
https://mariadb.com/kb/en/library/mariadb-10227-changelog
https://mariadb.com/kb/en/library/mariadb-10226-release-notes
https://mariadb.com/kb/en/library/mariadb-10226-changelog
- refresh
mariadb-10.0.15-logrotate-su.patch
mariadb-10.2.4-logrotate.patch
- add mariadb-10.2.29-bufferoverflowstrncat.patch to fix 'Statement
might be overflowing a buffer in strncat' error
- tracker bug [bsc#1156669]
- add main.gis_notembedded to the skipped tests (fails when latin1
is not set)
Changes in openstack-cinder:
- Update to version cinder-11.2.3.dev23:
* Fix handling of 'cinder\_encryption\_key\_id' image metadata
- Update to version cinder-11.2.3.dev21:
* Add retry to LVM deactivation
- Update to version cinder-11.2.3.dev19:
* Fix ceph: only close rbd image after snapshot iteration is finished
- Update to version cinder-11.2.3.dev17:
* Exclude disabled API versions from listing
Changes in openstack-cinder:
- Update to version cinder-11.2.3.dev23:
* Fix handling of 'cinder\_encryption\_key\_id' image metadata
- Update to version cinder-11.2.3.dev21:
* Add retry to LVM deactivation
- Update to version cinder-11.2.3.dev19:
* Fix ceph: only close rbd image after snapshot iteration is finished
- Update to version cinder-11.2.3.dev17:
* Exclude disabled API versions from listing
Changes in openstack-dashboard:
- Update to version horizon-12.0.5.dev2:
* Use python 2.7 as the default interpreter in tox
* OpenDev Migration Patch
12.0.4
Changes in openstack-dashboard-theme-SUSE:
- Update to version 2017.2+git.1573629528.6b21fa5:
* SCRD-7984 fixed help links
Changes in openstack-heat:
- Update to version heat-9.0.8.dev22:
* Do deepcopy when copying templates
- Update to version heat-9.0.8.dev21:
* Set stack.thread\_group\_mgr for cancel\_update
* Eliminate client race condition in convergence delete
* Delete snapshots using contemporary resources
- Update to version heat-9.0.8.dev15:
* Unskip StackSnapshotRestoreTest
- Update to version heat-9.0.8.dev14:
* Fix translate tenants in flavor
Changes in openstack-heat:
- Update to version heat-9.0.8.dev22:
* Do deepcopy when copying templates
- Update to version heat-9.0.8.dev21:
* Set stack.thread\_group\_mgr for cancel\_update
* Eliminate client race condition in convergence delete
* Delete snapshots using contemporary resources
- Update to version heat-9.0.8.dev15:
* Unskip StackSnapshotRestoreTest
- Update to version heat-9.0.8.dev14:
* Fix translate tenants in flavor
Changes in openstack-heat-templates:
- Update to version 0.0.0+git.1560033670.e3b5a52:
* Add example for running Zun container
* OpenDev Migration Patch
* Replace openstack.org git:// URLs with https://
* Remove docs, deprecated hooks, tests
* Update the bugs link to storyboard
* Use octavia resources for autoscaling example
* Fix the incorrect cirros default password
Changes in openstack-horizon-plugin-designate-ui:
- Update to version designate-dashboard-5.0.3.dev2:
* Fix list zones updated at same time
* OpenDev Migration Patch
5.0.2
Changes in openstack-horizon-plugin-neutron-lbaas-ui:
- Add _1481_project_ng_loadbalancersv2_panel.pyc file to package (SOC-10883)
The .pyc file needs to be removed when the package is uninstalled,
otherwise the panel will remain enabled in the dashboard and cause
errors.
Changes in openstack-ironic:
- Update to version ironic-9.1.8.dev8:
* Place upper bound on python-dracclient version
Changes in openstack-ironic:
- Update to version ironic-9.1.8.dev8:
* Place upper bound on python-dracclient version
Changes in openstack-keystone:
- Update to version keystone-12.0.4.dev5:
* Import LDAP job into project
Changes in openstack-keystone:
- Update to version keystone-12.0.4.dev5:
* Import LDAP job into project
Changes in openstack-monasca-agent:
- Added dependency:
* fdupes
* pwdutils and shadow-utils for useradd/groupadd
- added 0001-add-X.509-certificate-check-plugin.patch
Changes in openstack-neutron:
- Update to version neutron-11.0.9.dev60:
* Set DB retry for quota\_enforcement pecan\_wsgi hook
- Update to version neutron-11.0.9.dev58:
* don't clear skb mark when ovs is hw-offload enabled
- Update to version neutron-11.0.9.dev57:
* doc: add known limitation about attaching SR-IOV ports
- Update to version neutron-11.0.9.dev56:
* raise priority of dead vlan drop
- Update to version neutron-11.0.9.dev54:
* [Unit tests] Skip TestWSGIServer with IPv6 if no IPv6 enabled
- Update to version neutron-11.0.9.dev52:
* Initialize phys bridges before setup\_rpc
Changes in openstack-neutron:
- Update neutron-ha-tool to latest version:
* Add DHCP agent evacuation (SOC-11046)
- Update to version neutron-11.0.9.dev60:
* Set DB retry for quota\_enforcement pecan\_wsgi hook
- Update to version neutron-11.0.9.dev58:
* don't clear skb mark when ovs is hw-offload enabled
- neutron: Remove stop action from ovs-cleanup (bsc#1157482)
backport of https://review.opendev.org/#/c/695867/
- Update to version neutron-11.0.9.dev57:
* doc: add known limitation about attaching SR-IOV ports
- Update to version neutron-11.0.9.dev56:
* raise priority of dead vlan drop
- Update to version neutron-11.0.9.dev54:
* [Unit tests] Skip TestWSGIServer with IPv6 if no IPv6 enabled
- Update to version neutron-11.0.9.dev52:
* Initialize phys bridges before setup\_rpc
Changes in openstack-neutron-gbp:
- Update to version group-based-policy-7.3.1.dev72:
* Refactor static path code
- Update to version group-based-policy-7.3.1.dev71:
* Support named ip protocols for SecurityGroupRules
- Update to version group-based-policy-7.3.1.dev70:
* Allow both FIP and SNAT on a single port
- Update to version group-based-policy-7.3.1.dev69:
* Fix active-active AAP RPC query
- Update to version group-based-policy-7.3.1.dev67:
* [AIM] Add extra provided/consumed contracts to network extension
- Update to version group-based-policy-7.3.1.dev66:
* Active active AAP feature
- Update to version group-based-policy-7.3.1.dev64:
* Support cache option for legacy GBP driver
- Update to version group-based-policy-7.3.1.dev63:
* Fix host ID length in VM names table
- Update to version group-based-policy-7.3.1.dev62:
* Update\_proj\_descr in apic when project description is updated in os
- Update to version group-based-policy-7.3.1.dev61:
* Send port notifications when host\_route is getting updated
* Provide a control knob to use the internal EP interface
- Update to version group-based-policy-7.3.1.dev57:
* Fix pep8 failures seen on submitted patches
Changes in openstack-neutron-vsphere:
- Update to version networking-vsphere-2.0.1.dev133:
* Update to use Agent model from neutron.db.models
* Fix neutron-dvs-agent startup errors
* OpenDev Migration Patch
- Remove 0001-fix-dvs-agent-config.patch as changes
had been backported to stable/pike
- See https://review.opendev.org/#/c/682482
Changes in openstack-nova:
- Update to version nova-16.1.9.dev49:
* Use stable constraint for Tempest pinned stable branches
- Update to version nova-16.1.9.dev48:
* Avoid redundant initialize\_connection on source post live migration
* Error out interrupted builds
* Skip checking of target\_dev for vhostuser
* Functional reproduce for bug 1833581
* Prevent init\_host test to interfere with other tests
* Add functional test for resize crash compute restart revert
* Move restart\_compute\_service to a common place
* lxc: make use of filter python3 compatible
* cleanup evacuated instances not on hypervisor
* Delete resource providers for all nodes when deleting compute service
- Update to version nova-16.1.9.dev30:
* Explicitly fail if trying to attach SR-IOV port
* Stabilize unshelve notification sample tests
- Update to version nova-16.1.9.dev26:
* Fix listing deleted servers with a marker
* Add functional regression test for bug 1849409
- Update to version nova-16.1.9.dev22:
* Hook resource\_tracker to remove stale node information
- Update to version nova-16.1.9.dev20:
* Workaround missing RequestSpec.instance\_group.uuid
* Add regression recreate test for bug 1830747
- Update to version nova-16.1.9.dev16:
* Changing scheduler sync event from INFO to DEBUG
- Update to version nova-16.1.9.dev14:
* Only nil az during shelve offload
* Delete instance\_id\_mappings record in instance\_destroy
- Update to version nova-16.1.9.dev11:
* Revert 'openstack server create' to 'nova boot' in nova docs
* doc: fix and clarify --block-device usage in user docs
- Update to version nova-16.1.9.dev8:
* Functional reproduce for bug 1852207
Changes in openstack-nova:
- Update to version nova-16.1.9.dev49:
* Use stable constraint for Tempest pinned stable branches
- Update to version nova-16.1.9.dev48:
* Avoid redundant initialize\_connection on source post live migration
* Error out interrupted builds
* Skip checking of target\_dev for vhostuser
* Functional reproduce for bug 1833581
* Prevent init\_host test to interfere with other tests
* Add functional test for resize crash compute restart revert
* Move restart\_compute\_service to a common place
* lxc: make use of filter python3 compatible
* cleanup evacuated instances not on hypervisor
* Delete resource providers for all nodes when deleting compute service
- Update to version nova-16.1.9.dev30:
* Explicitly fail if trying to attach SR-IOV port
* Stabilize unshelve notification sample tests
- Update to version nova-16.1.9.dev26:
* Fix listing deleted servers with a marker
* Add functional regression test for bug 1849409
- Update to version nova-16.1.9.dev22:
* Hook resource\_tracker to remove stale node information
- Update to version nova-16.1.9.dev20:
* Workaround missing RequestSpec.instance\_group.uuid
* Add regression recreate test for bug 1830747
- Update to version nova-16.1.9.dev16:
* Changing scheduler sync event from INFO to DEBUG
- Update to version nova-16.1.9.dev14:
* Only nil az during shelve offload
* Delete instance\_id\_mappings record in instance\_destroy
- Update to version nova-16.1.9.dev11:
* Revert 'openstack server create' to 'nova boot' in nova docs
* doc: fix and clarify --block-device usage in user docs
- Update to version nova-16.1.9.dev8:
* Functional reproduce for bug 1852207
Changes in openstack-octavia:
- Update to version octavia-1.0.6.dev3:
* Fix urgent amphora two-way auth security bug
Changes in openstack-octavia-amphora-image:
- Update image to 0.1.2 to include udated keepalived 2.0.19
- Update image to 0.1.1 to include latest changes
- Add keepalived service
Changes in openstack-resource-agents:
- Update to version 1.0+git.1569436425.8b9c49f:
* Add a configurable delay to Nova Evacuate calls
* OpenDev Migration Patch
* NovaEvacuate: fix a syntax error
* NovaEvacuate: Support the new split-out IHA fence agents with backwards compatibility
* NovaEvacuate: Correctly handle stopped hypervisors
* neutron-ha-tool: do not replicate dhcp
* NovaCompute: Support parsing host option from /etc/nova/nova.conf.d
* NovaCompute: Use variable to avoid calling crudini a second time
* NovaEvacuate: Allow debug logging to be turned on easily
Changes in openstack-sahara:
- Update to version sahara-7.0.5.dev4:
* Run sahara-scenario using Python 3
* Enforce python 2 for documentation build
* Fix requirements(bandit)
* OpenDev Migration Patch
7.0.4
Changes in openstack-sahara:
- Update to version sahara-7.0.5.dev4:
* Run sahara-scenario using Python 3
* Enforce python 2 for documentation build
* Fix requirements (bandit)
* OpenDev Migration Patch
7.0.4
Changes in openstack-trove:
- Update to version trove-8.0.2.dev2:
* Add local bindep.txt
* OpenDev Migration Patch
8.0.1
Changes in openstack-trove:
- Update to version trove-8.0.2.dev2:
* Add local bindep.txt
* OpenDev Migration Patch
8.0.1
Changes in python-cinderlm:
- Update to version 0.0.2+git.1571845893.27f0b7b:
* SCRD-4764 remove V2.0 auth end points (SOC-9753)
Changes in python-congressclient:
- update to version 1.8.1
- Update .gitreview for stable/pike
- Update UPPER_CONSTRAINTS_FILE for stable/pike
- import zuul job settings from project-config
- Updated from global requirements
Changes in python-designateclient:
- update to version 2.7.1
- Update .gitreview for stable/pike
- Updated from global requirements
- import zuul job settings from project-config
- Update UPPER_CONSTRAINTS_FILE for stable/pike
- server-get/update show wrong values about 'id' and 'update_at'
Changes in python-ironic-lib:
- update to version 2.10.2
- Replace openstack.org git:// URLs with https://
- Make search for config drive partition case insensitive
- Revert 'Use dd conv=sparse when writing images to nodes'
- Check GPT table with sgdisk insread of partprobe
- Avoid tox_install.sh for constraints support
- Fix GPT bug with whole disk images
- import zuul job settings from project-config
Changes in python-networking-cisco:
- Update to version networking-cisco-6.1.1.dev65:
* Nexus: Add CA Bundle path to https doc
* Improve Nexus Ironic related doc and logs
* Upgrade release notes to include Tripleo/puppet
* Fix socket not closed errors in unit test logs
* Add release note about adding support for Rocky OpenStack
* Update publish-openstack-python-branch-tarball job
* Remove MultiConfigParser from SAF application
* More fixes for networking\_cisco rocky support
* Remove MultiConfigParser from the device manger config loader
* Ensure CFG agent is started after neutron config is written
* Removed older version of python added 3.5
* Begin process of supporting neutron Rocky
* Typo in tar command in doc install guide
* Add cisco providernet extension to Nexus doc
* Add missing policy to fix stable/queens unit tests
* Pin stestr version (1.1.0) for Mitaka
* Fix places in ucsm network driver using .ucsm instead of .ucsms
* Fix doc build under python3
* Fix mitaka bug with NeutronWorker missing parameter
* Eliminate 30 sec delay for Nexus replay thread
* Fix foreign key constraint violation while creating primary key with subnet\_id
* Put upper constraint on ncclient version to prevent breakages
* Improvements to the networking-cisco zuul jobs
* Remove deprecated host/interface map config
* Include device manager configuration file when starting config agent
* Fix pep8 and other tox environments locally
* Add rocky to CI
* Add bandit to tox and resolve Nexus SA errors
* Deprecate old ML2 Nexus/UCSM documentation file
* Secure Nexus https certificates by default
- Add tempest_plugin subpackage
Changes in python-osc-lib:
- update to version 1.7.1
- import zuul job settings from project-config
- Update UPPER_CONSTRAINTS_FILE for stable/pike
- Updated from global requirements
- Update .gitreview for stable/pike
- Avoid tox_install.sh for constraints support
Changes iython-oslo.context:
- update to version 2.17.2
- Fix sphinx-docs job for stable branch
- import zuul job settings from project-config
Changes in python-oslo.rootwrap:
- update to version 5.9.3
- Avoid tox_install.sh for constraints support
- Follow the new PTI for document build
- import zuul job settings from project-config
Changes in python-oslo.serialization:
- update to version 2.20.3
- import zuul job settings from project-config
- Fix sphinx-docs job for stable branch
Changes in python-oslo.service:
- update to version 1.25.2
- import zuul job settings from project-config
- Fix sphinx-docs job for stable branch
Changes in python-stevedore:
- update to version 1.25.2
- move doc requirements to doc/requirements.txt
- Use stable branch for upper-constraints
- remove duplicate sphinx dependency
- Avoid tox_install.sh for constraints support
- import zuul job settings from project-config
Changes in python-taskflow:
- update to version 2.14.2
- don't let tox_install.sh error if there is nothing to do
- import zuul job settings from project-config
- Updated from global requirements
- Use doc/requirements.txt
Changes in rubygem-crowbar-client:
- Update to 3.9.1
- Fix repocheck table output (SOC-10718)
- Enable restricted commands for Cloud8 (bsc#1117080, CVE-2018-17954)
Changes in rubygem-puma:
- Add CVE-2019-16770.patch (bsc#1158675, SOC-10999, CVE-2019-16770)
This patch fixes a DoS vulnerability a malicious client could use to
block a large amount of threads.
Changes in venv-openstack-swift:
- Fix lower version numver after inheriting the version from main
component (SCRD-8523)
- Revert: 'Inherit version number of venv from main component
(SCRD-8523)' as zypper reports the new version number as older
than what is released
- Inherit version number of venv from main component (SCRD-8523)
ImportantSUSE bug 1077717SUSE bug 1117080SUSE bug 1117840SUSE bug 1123191SUSE bug 1148158SUSE bug 1152007SUSE bug 1154235SUSE bug 1155089SUSE bug 1155942SUSE bug 1156305SUSE bug 1156669SUSE bug 1156914SUSE bug 1157028SUSE bug 1157206SUSE bug 1157482SUSE bug 1158675SUSE bug 1160048SUSE bug 1160878SUSE bug 1160883SUSE bug 1160895SUSE bug 1160912SUSE bug 1161351SUSE bug 1161517SUSE bug 1162388CVE-2017-1002201 at SUSECVE-2017-1002201 at NVDCVE-2018-17954 at SUSECVE-2018-17954 at NVDCVE-2019-13117 at SUSECVE-2019-13117 at NVDCVE-2019-16770 at SUSECVE-2019-16770 at NVDCVE-2019-18901 at SUSECVE-2019-18901 at NVDCVE-2019-2737 at SUSECVE-2019-2737 at NVDCVE-2019-2739 at SUSECVE-2019-2739 at NVDCVE-2019-2740 at SUSECVE-2019-2740 at NVDCVE-2019-2758 at SUSECVE-2019-2758 at NVDCVE-2019-2805 at SUSECVE-2019-2805 at NVDCVE-2019-2938 at SUSECVE-2019-2938 at NVDCVE-2019-2974 at SUSECVE-2019-2974 at NVDCVE-2020-2574 at SUSECVE-2020-2574 at NVDCVE-2020-7595 at SUSECVE-2020-7595 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openstack-manila (Important)SUSE OpenStack Cloud 8
This update for openstack-manila fixes the following issues:
- CVE-2020-9543: Fixed an issue where other project users to view, update,
delete, or share resources that do not belong to them, due to a
context-free lookup of a UUID (bsc#1165643)
ImportantSUSE bug 1165643CVE-2020-9543 at SUSECVE-2020-9543 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for squid (Important)SUSE OpenStack Cloud 8
This update for squid fixes the following issues:
- CVE-2019-12528: Fixed an information disclosure flaw in the FTP gateway (bsc#1162689).
- CVE-2019-12526: Fixed potential remote code execution during URN processing (bsc#1156326).
- CVE-2019-12523,CVE-2019-18676: Fixed multiple improper validations in URI processing (bsc#1156329).
- CVE-2019-18677: Fixed Cross-Site Request Forgery in HTTP Request processing (bsc#1156328).
- CVE-2019-18678: Fixed incorrect message parsing which could have led to HTTP request splitting issue (bsc#1156323).
- CVE-2019-18679: Fixed information disclosure when processing HTTP Digest Authentication (bsc#1156324).
- CVE-2020-8449: Fixed a buffer overflow when squid is acting as reverse-proxy (bsc#1162687).
- CVE-2020-8450: Fixed a buffer overflow when squid is acting as reverse-proxy (bsc#1162687).
- CVE-2020-8517: Fixed a buffer overflow in ext_lm_group_acl when processing NTLM Authentication credentials (bsc#1162691).
ImportantSUSE bug 1156323SUSE bug 1156324SUSE bug 1156326SUSE bug 1156328SUSE bug 1156329SUSE bug 1162687SUSE bug 1162689SUSE bug 1162691CVE-2019-12523 at SUSECVE-2019-12523 at NVDCVE-2019-12526 at SUSECVE-2019-12526 at NVDCVE-2019-12528 at SUSECVE-2019-12528 at NVDCVE-2019-18676 at SUSECVE-2019-18676 at NVDCVE-2019-18677 at SUSECVE-2019-18677 at NVDCVE-2019-18678 at SUSECVE-2019-18678 at NVDCVE-2019-18679 at SUSECVE-2019-18679 at NVDCVE-2020-8449 at SUSECVE-2020-8449 at NVDCVE-2020-8450 at SUSECVE-2020-8450 at NVDCVE-2020-8517 at SUSECVE-2020-8517 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 68.4.1 ESR
* Fixed: Security fix
MFSA 2020-03 (bsc#1160498)
* CVE-2019-17026 (bmo#1607443)
IonMonkey type confusion with StoreElementHole and
FallibleStoreElement
- Firefox Extended Support Release 68.4.0 ESR
* Fixed: Various security fixes
MFSA 2020-02 (bsc#1160305)
* CVE-2019-17015 (bmo#1599005)
Memory corruption in parent process during new content
process initialization on Windows
* CVE-2019-17016 (bmo#1599181)
Bypass of @namespace CSS sanitization during pasting
* CVE-2019-17017 (bmo#1603055)
Type Confusion in XPCVariant.cpp
* CVE-2019-17021 (bmo#1599008)
Heap address disclosure in parent process during content
process initialization on Windows
* CVE-2019-17022 (bmo#1602843)
CSS sanitization does not escape HTML tags
* CVE-2019-17024 (bmo#1507180, bmo#1595470, bmo#1598605,
bmo#1601826)
Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4
ImportantSUSE bug 1160305SUSE bug 1160498CVE-2019-17015 at SUSECVE-2019-17015 at NVDCVE-2019-17016 at SUSECVE-2019-17016 at NVDCVE-2019-17017 at SUSECVE-2019-17017 at NVDCVE-2019-17021 at SUSECVE-2019-17021 at NVDCVE-2019-17022 at SUSECVE-2019-17022 at NVDCVE-2019-17024 at SUSECVE-2019-17024 at NVDCVE-2019-17026 at SUSECVE-2019-17026 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for postgresql10 (Low)SUSE OpenStack Cloud 8
This update for postgresql10 fixes the following issues:
PostgreSQL was updated to version 10.12.
Security issue fixed:
- CVE-2020-1720: Fixed a missing authorization check in the ALTER ... DEPENDS ON extension (bsc#1163985).
LowSUSE bug 1163985CVE-2020-1720 at SUSECVE-2020-1720 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
MozillaFirefox was updated to 68.6.0 ESR (MFSA 2020-09 bsc#1132665 bsc#1166238)
- CVE-2020-6805: Fixed a use-after-free when removing data about origins
- CVE-2020-6806: Fixed improper protections against state confusion
- CVE-2020-6807: Fixed a use-after-free in cubeb during stream destruction
- CVE-2020-6811: Fixed an issue where copy as cURL' feature did not fully
escape website-controlled data potentially leading to command injection
- CVE-2019-20503: Fixed out of bounds reads in sctp_load_addresses_from_init
- CVE-2020-6812: Fixed an issue where the names of AirPods with personally
identifiable information were exposed to websites with camera or microphone
permission
- CVE-2020-6814: Fixed multiple memory safety bugs
- Fixed an issue with minimizing a window (bsc#1132665).
ImportantSUSE bug 1132665SUSE bug 1166238CVE-2019-20503 at SUSECVE-2019-20503 at NVDCVE-2020-6805 at SUSECVE-2020-6805 at NVDCVE-2020-6806 at SUSECVE-2020-6806 at NVDCVE-2020-6807 at SUSECVE-2020-6807 at NVDCVE-2020-6811 at SUSECVE-2020-6811 at NVDCVE-2020-6812 at SUSECVE-2020-6812 at NVDCVE-2020-6814 at SUSECVE-2020-6814 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for tomcat (Important)SUSE OpenStack Cloud 8
This update for tomcat fixes the following issues:
- CVE-2020-1938: Fixed a file contents disclosure vulnerability (bsc#1164692).
ImportantSUSE bug 1164692CVE-2020-1938 at SUSECVE-2020-1938 at NVDcpe:/o:suse:suse-openstack-cloud:8Recommended update for python-botocore (Important)SUSE OpenStack Cloud 8
This update for python-boto3, python-botocore and python-futures fixes the following issues:
python-botocore was updated to 1.13.33:
- Fix for python3-botocore versioning issues between SLES12 SP3 Teradata and Public Cloud Module. (bsc#1129696)
- Remove the broken attempt to avoid using the bundled requests module provided by the source. (boo#1088310)
- Update to the latest SDK components. (bsc#1146853, bsc#1146854)
- Add support for urllib 1.25 for CVE-2019-9947. (boo#1136184)
- Fix implementing MD5 header injection into new operations if they are necessary and create default session configuration. (bsc#1118021, bsc#1118024, bsc#1118027)
- Add attribute 'ssl_context' to 'AWSHTTPSConnection'. (bsc#1095041)
python-boto3 was updated to 1.10.33.
python-futures also provides python2-futures in the python2 build.
ImportantSUSE bug 1069697SUSE bug 1075263SUSE bug 1088310SUSE bug 1095041SUSE bug 1118021SUSE bug 1118024SUSE bug 1118027SUSE bug 1129696SUSE bug 1136184SUSE bug 1146853SUSE bug 1146854CVE-2019-9947 at SUSECVE-2019-9947 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libzypp (Moderate)SUSE OpenStack Cloud 8
This update for libzypp fixes the following issues:
Security issue fixed:
- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).
ModerateSUSE bug 1158763CVE-2019-18900 at SUSECVE-2019-18900 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-cffi, python-cryptography (Moderate)SUSE OpenStack Cloud 8
This update for python-cffi, python-cryptography fixes the following issues:
Security issue fixed:
- CVE-2018-10903: Fixed GCM tag forgery via truncated tag in finalize_with_tag API (bsc#1101820).
Non-security issues fixed:
python-cffi was updated to 1.11.2 (bsc#1138748, jsc#ECO-1256, jsc#PM-1598):
- fixed a build failure on i586 (bsc#1111657)
- Salt was unable to highstate in snapshot 20171129 (bsc#1070737)
- Update pytest in spec to add c directory tests in addition to
testing directory.
- update to version 1.11.2:
* Fix Windows issue with managing the thread-state on CPython 3.0 to
3.5
- Update pytest in spec to add c directory tests in addition to
testing directory.
- Omit test_init_once_multithread tests as they rely on multiple
threads finishing in a given time. Returns sporadic pass/fail
within build.
- Update to 1.11.1:
* Fix tests, remove deprecated C API usage
* Fix (hack) for 3.6.0/3.6.1/3.6.2 giving incompatible binary
extensions (cpython issue #29943)
* Fix for 3.7.0a1+
- Update to 1.11.0:
* Support the modern standard types char16_t and char32_t. These
work like wchar_t: they represent one unicode character, or when
used as charN_t * or charN_t[] they represent a unicode string.
The difference with wchar_t is that they have a known, fixed
size. They should work at all places that used to work with
wchar_t (please report an issue if I missed something). Note
that with set_source(), you need to make sure that these types
are actually defined by the C source you provide (if used in
cdef()).
* Support the C99 types float _Complex and double _Complex. Note
that libffi doesn't support them, which means that in the ABI
mode you still cannot call C functions that take complex
numbers directly as arguments or return type.
* Fixed a rare race condition when creating multiple FFI instances
from multiple threads. (Note that you aren't meant to create
many FFI instances: in inline mode, you should write
ffi = cffi.FFI() at module level just after import cffi; and in
out-of-line mode you don't instantiate FFI explicitly at all.)
* Windows: using callbacks can be messy because the CFFI internal
error messages show up to stderr-but stderr goes nowhere in many
applications. This makes it particularly hard to get started
with the embedding mode. (Once you get started, you can at least
use @ffi.def_extern(onerror=...) and send the error logs where
it makes sense for your application, or record them in log
files, and so on.) So what is new in CFFI is that now, on
Windows CFFI will try to open a non-modal MessageBox (in addition
to sending raw messages to stderr). The MessageBox is only
visible if the process stays alive: typically, console
applications that crash close immediately, but that is also the
situation where stderr should be visible anyway.
* Progress on support for callbacks in NetBSD.
* Functions returning booleans would in some case still return 0
or 1 instead of False or True. Fixed.
* ffi.gc() now takes an optional third parameter, which gives an
estimate of the size (in bytes) of the object. So far, this is
only used by PyPy, to make the next GC occur more quickly
(issue #320). In the future, this might have an effect on
CPython too (provided the CPython issue 31105 is addressed).
* Add a note to the documentation: the ABI mode gives function
objects that are slower to call than the API mode does. For
some reason it is often thought to be faster. It is not!
- Update to 1.10.1:
* Fixed the line numbers reported in case of cdef() errors. Also,
I just noticed, but pycparser always supported the preprocessor
directive # 42 'foo.h' to mean 'from the next line, we're in
file foo.h starting from line 42';, which it puts in the error
messages.
- update to 1.10.0:
* Issue #295: use calloc() directly instead of PyObject_Malloc()+memset()
to handle ffi.new() with a default allocator. Speeds up ffi.new(large-array)
where most of the time you never touch most of the array.
* Some OS/X build fixes ('only with Xcode but without CLT';).
* Improve a couple of error messages: when getting mismatched versions of
cffi and its backend; and when calling functions which cannot be called with
libffi because an argument is a struct that is 'too complicated'; (and not
a struct pointer, which always works).
* Add support for some unusual compilers (non-msvc, non-gcc, non-icc, non-clang)
* Implemented the remaining cases for ffi.from_buffer. Now all
buffer/memoryview objects can be passed. The one remaining check is against
passing unicode strings in Python 2. (They support the buffer interface, but
that gives the raw bytes behind the UTF16/UCS4 storage, which is most of the
times not what you expect. In Python 3 this has been fixed and the unicode
strings don't support the memoryview interface any more.)
* The C type _Bool or bool now converts to a Python boolean when reading,
instead of the content of the byte as an integer. The potential
incompatibility here is what occurs if the byte contains a value different
from 0 and 1. Previously, it would just return it; with this change, CFFI
raises an exception in this case. But this case means 'undefined behavior';
in C; if you really have to interface with a library relying on this,
don't use bool in the CFFI side. Also, it is still valid to use a byte
string as initializer for a bool[], but now it must only contain \x00 or
\x01. As an aside, ffi.string() no longer works on bool[] (but it never made
much sense, as this function stops at the first zero).
* ffi.buffer is now the name of cffi's buffer type, and ffi.buffer() works
like before but is the constructor of that type.
* ffi.addressof(lib, 'name') now works also in in-line mode, not only in
out-of-line mode. This is useful for taking the address of global variables.
* Issue #255: cdata objects of a primitive type (integers, floats, char) are
now compared and ordered by value. For example, <cdata 'int' 42> compares
equal to 42 and <cdata 'char' b'A'> compares equal to b'A'. Unlike C,
<cdata 'int' -1> does not compare equal to ffi.cast('unsigned int', -1): it
compares smaller, because -1 < 4294967295.
* PyPy: ffi.new() and ffi.new_allocator()() did not record 'memory pressure';,
causing the GC to run too infrequently if you call ffi.new() very often
and/or with large arrays. Fixed in PyPy 5.7.
* Support in ffi.cdef() for numeric expressions with + or -. Assumes that
there is no overflow; it should be fixed first before we add more general
support for arbitrary arithmetic on constants.
- do not generate HTML documentation for packages that are indirect
dependencies of Sphinx
(see docs at https://cffi.readthedocs.org/ )
- update to 1.9.1
- Structs with variable-sized arrays as their last field: now we track the
length of the array after ffi.new() is called, just like we always tracked
the length of ffi.new('int[]', 42). This lets us detect out-of-range
accesses to array items. This also lets us display a better repr(), and
have the total size returned by ffi.sizeof() and ffi.buffer(). Previously
both functions would return a result based on the size of the declared
structure type, with an assumed empty array. (Thanks andrew for starting
this refactoring.)
- Add support in cdef()/set_source() for unspecified-length arrays in
typedefs: typedef int foo_t[...];. It was already supported for global
variables or structure fields.
- I turned in v1.8 a warning from cffi/model.py into an error: 'enum xxx' has
no values explicitly defined: refusing to guess which integer type it is
meant to be (unsigned/signed, int/long). Now I'm turning it back to a
warning again; it seems that guessing that the enum has size int is a
99%-safe bet. (But not 100%, so it stays as a warning.)
- Fix leaks in the code handling FILE * arguments. In CPython 3 there is a
remaining issue that is hard to fix: if you pass a Python file object to a
FILE * argument, then os.dup() is used and the new file descriptor is only
closed when the GC reclaims the Python file object-and not at the earlier
time when you call close(), which only closes the original file descriptor.
If this is an issue, you should avoid this automatic convertion of Python
file objects: instead, explicitly manipulate file descriptors and call
fdopen() from C (...via cffi).
- When passing a void * argument to a function with a different pointer type,
or vice-versa, the cast occurs automatically, like in C. The same occurs
for initialization with ffi.new() and a few other places. However, I
thought that char * had the same property-but I was mistaken. In C you get
the usual warning if you try to give a char * to a char ** argument, for
example. Sorry about the confusion. This has been fixed in CFFI by giving
for now a warning, too. It will turn into an error in a future version.
- Issue #283: fixed ffi.new() on structures/unions with nested anonymous
structures/unions, when there is at least one union in the mix. When
initialized with a list or a dict, it should now behave more closely like
the { } syntax does in GCC.
- CPython 3.x: experimental: the generated C extension modules now use the
'limited API';, which means that, as a compiled .so/.dll, it should work
directly on any version of CPython >= 3.2. The name produced by distutils
is still version-specific. To get the version-independent name, you can
rename it manually to NAME.abi3.so, or use the very recent setuptools 26.
- Added ffi.compile(debug=...), similar to python setup.py build --debug but
defaulting to True if we are running a debugging version of Python itself.
- Removed the restriction that ffi.from_buffer() cannot be used on byte
strings. Now you can get a char * out of a byte string, which is valid as
long as the string object is kept alive. (But don't use it to modify the
string object! If you need this, use bytearray or other official
techniques.)
- PyPy 5.4 can now pass a byte string directly to a char * argument (in older
versions, a copy would be made). This used to be a CPython-only
optimization.
- ffi.gc(p, None) removes the destructor on an object previously created by
another call to ffi.gc()
- bool(ffi.cast('primitive type', x)) now returns False if the value is zero
(including -0.0), and True otherwise. Previously this would only return
False for cdata objects of a pointer type when the pointer is NULL.
- bytearrays: ffi.from_buffer(bytearray-object) is now supported. (The reason
it was not supported was that it was hard to do in PyPy, but it works since
PyPy 5.3.) To call a C function with a char * argument from a buffer
object-now including bytearrays-you write lib.foo(ffi.from_buffer(x)).
Additionally, this is now supported: p[0:length] = bytearray-object. The
problem with this was that a iterating over bytearrays gives numbers
instead of characters. (Now it is implemented with just a memcpy, of
course, not actually iterating over the characters.)
- C++: compiling the generated C code with C++ was supposed to work, but
failed if you make use the bool type (because that is rendered as the C
_Bool type, which doesn't exist in C++).
- help(lib) and help(lib.myfunc) now give useful information, as well as
dir(p) where p is a struct or pointer-to-struct.
- update for multipython build
- disable 'negative left shift' warning in test suite to prevent
failures with gcc6, until upstream fixes the undefined code
in question (bsc#981848)
- Update to version 1.6.0:
* ffi.list_types()
* ffi.unpack()
* extern 'Python+C';
* in API mode, lib.foo.__doc__ contains the C signature now.
* Yet another attempt at robustness of ffi.def_extern() against
CPython's interpreter shutdown logic.
- Update in SLE-12 (bsc#1138748, jsc#ECO-1256, jsc#PM-1598)
- Make this version of the package compatible with OpenSSL 1.1.1d, thus fixing bsc#1149792.
- bsc#1101820 CVE-2018-10903 GCM tag forgery via truncated tag in
finalize_with_tag API
- Add proper conditional for the python2, the ifpython works only
for the requires/etc
- add missing dependency on python ssl
- update to version 2.1.4:
* Added X509_up_ref for an upcoming pyOpenSSL release.
- update to version 2.1.3:
* Updated Windows, macOS, and manylinux1 wheels to be compiled with
OpenSSL 1.1.0g.
- update to version 2.1.2:
* Corrected a bug with the manylinux1 wheels where OpenSSL's stack
was marked executable.
- fix BuildRequires conditions for python3
- update to 2.1.1
- Fix cffi version requirement.
- Disable memleak tests to fix build with OpenSSL 1.1 (bsc#1055478)
- update to 2.0.3
- update to 2.0.2
- update to 2.0
- update to 1.9
- add python-packaging to requirements explicitly instead of relying
on setuptools to pull it in
- Switch to singlespec approach
- update to 1.8.1
- Adust Requires and BuildRequires ModerateSUSE bug 1055478SUSE bug 1070737SUSE bug 1101820SUSE bug 1111657SUSE bug 1138748SUSE bug 1149792SUSE bug 981848CVE-2018-10903 at SUSECVE-2018-10903 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for spamassassin (Important)SUSE OpenStack Cloud 8
This update for spamassassin fixes the following issues:
- CVE-2018-11805: Fixed an issue with delimiter handling in rule files
related to is_regexp_valid() (bsc#1118987).
- CVE-2020-1930: Fixed an issue with rule configuration (.cf) files which
can be configured to run system commands (bsc#1162197).
- CVE-2020-1931: Fixed an issue with rule configuration (.cf) files which
can be configured to run system commands with warnings (bsc#1162200).
ImportantSUSE bug 1118987SUSE bug 1162197SUSE bug 1162200CVE-2018-11805 at SUSECVE-2018-11805 at NVDCVE-2020-1930 at SUSECVE-2020-1930 at NVDCVE-2020-1931 at SUSECVE-2020-1931 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python3 (Moderate)SUSE OpenStack Cloud 8
This update for python3 fixes the following issue:
- CVE-2019-18348: Fixed a CRLF injection via the host part
of the url passed to urlopen(). Now an InvalidURL exception
is raised (bsc#1155094).
- CVE-2019-9674: Improved the documentation to reflect the
dangers of zip-bombs (bsc#1162825).
- CVE-2020-8492: Fixed a regular expression in urllib that
was prone to denial of service via HTTP (bsc#1162367).
- Fixed an issue with version missmatch (bsc#1162224).
- Rename idle icons to idle3 in order to not conflict with python2
variant of the package. (bsc#1165894)
ModerateSUSE bug 1155094SUSE bug 1162224SUSE bug 1162367SUSE bug 1162825SUSE bug 1165894CVE-2019-18348 at SUSECVE-2019-18348 at NVDCVE-2019-9674 at SUSECVE-2019-9674 at NVDCVE-2020-8492 at SUSECVE-2020-8492 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for mozilla-nspr, mozilla-nss (Moderate)SUSE OpenStack Cloud 8
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.47.1:
Security issues fixed:
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527).
- CVE-2019-11727: Fixed vulnerability sign CertificateVerify with PKCS#1 v1.5 signatures issue (bsc#1141322).
mozilla-nspr was updated to version 4.23:
- Whitespace in C files was cleaned up and no longer uses tab characters for indenting.
ModerateSUSE bug 1141322SUSE bug 1158527SUSE bug 1159819CVE-2019-11745 at SUSECVE-2019-11745 at NVDCVE-2019-17006 at SUSECVE-2019-17006 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libxslt (Moderate)SUSE OpenStack Cloud 8
This update for libxslt fixes the following issue:
- CVE-2019-18197: Fixed a dangling pointer in xsltCopyText which may have led to information disclosure (bsc#1154609).
ModerateSUSE bug 1154609CVE-2019-18197 at SUSECVE-2019-18197 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
- Mozilla Firefox 68.6.1esr
MFSA 2020-11 (bsc#1168630)
* CVE-2020-6819 (bmo#1620818)
Use-after-free while running the nsDocShell destructor
* CVE-2020-6820 (bmo#1626728)
Use-after-free when handling a ReadableStream
ImportantSUSE bug 1168630CVE-2020-6819 at SUSECVE-2020-6819 at NVDCVE-2020-6820 at SUSECVE-2020-6820 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox to version 68.7.0 ESR fixes the following issues:
- CVE-2020-6821: Uninitialized memory could be read when using the WebGL copyTexSubImage method (bsc#1168874).
- CVE-2020-6822: Fixed out of bounds write in GMPDecodeData when processing large images (bsc#1168874).
- CVE-2020-6825: Fixed Memory safety bugs (bsc#1168874).
- CVE-2020-6827: Custom Tabs could have the URI spoofed (bsc#1168874).
- CVE-2020-6828: Preference overwrite via crafted Intent (bsc#1168874).
ImportantSUSE bug 1168874CVE-2020-6821 at SUSECVE-2020-6821 at NVDCVE-2020-6822 at SUSECVE-2020-6822 at NVDCVE-2020-6825 at SUSECVE-2020-6825 at NVDCVE-2020-6827 at SUSECVE-2020-6827 at NVDCVE-2020-6828 at SUSECVE-2020-6828 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for git (Important)SUSE OpenStack Cloud 8
This update for git fixes the following issues:
Security issue fixed:
- CVE-2020-5260: With a crafted URL that contains a newline in it, the credential
helper machinery can be fooled to give credential information for a wrong host (bsc#1168930).
Non-security issue fixed:
git was updated to 2.26.0 for SHA256 support (bsc#1167890, jsc#SLE-11608):
- the xinetd snippet was removed
- the System V init script for the git-daemon was replaced by a systemd
service file of the same name.
git 2.26.0:
* 'git rebase' now uses a different backend that is based on the
'merge' machinery by default. The 'rebase.backend' configuration
variable reverts to old behaviour when set to 'apply'
* Improved handling of sparse checkouts
* Improvements to many commands and internal features
git 2.25.1:
* 'git commit' now honors advise.statusHints
* various updates, bug fixes and documentation updates
git 2.25.0:
* The branch description ('git branch --edit-description') has been
used to fill the body of the cover letters by the format-patch
command; this has been enhanced so that the subject can also be
filled.
* A few commands learned to take the pathspec from the standard input
or a named file, instead of taking it as the command line
arguments, with the '--pathspec-from-file' option.
* Test updates to prepare for SHA-2 transition continues.
* Redo 'git name-rev' to avoid recursive calls.
* When all files from some subdirectory were renamed to the root
directory, the directory rename heuristics would fail to detect that
as a rename/merge of the subdirectory to the root directory, which has
been corrected.
* HTTP transport had possible allocator/deallocator mismatch, which
has been corrected.
git 2.24.1:
* CVE-2019-1348: The --export-marks option of fast-import is
exposed also via the in-stream command feature export-marks=...
and it allows overwriting arbitrary paths (bsc#1158785)
* CVE-2019-1349: on Windows, when submodules are cloned
recursively, under certain circumstances Git could be fooled
into using the same Git directory twice (bsc#1158787)
* CVE-2019-1350: Incorrect quoting of command-line arguments
allowed remote code execution during a recursive clone in
conjunction with SSH URLs (bsc#1158788)
* CVE-2019-1351: on Windows mistakes drive letters outside of
the US-English alphabet as relative paths (bsc#1158789)
* CVE-2019-1352: on Windows was unaware of NTFS Alternate Data
Streams (bsc#1158790)
* CVE-2019-1353: when run in the Windows Subsystem for Linux
while accessing a working directory on a regular Windows
drive, none of the NTFS protections were active (bsc#1158791)
* CVE-2019-1354: on Windows refuses to write tracked files with
filenames that contain backslashes (bsc#1158792)
* CVE-2019-1387: Recursive clones vulnerability that is caused
by too-lax validation of submodule names, allowing very
targeted attacks via remote code execution in recursive
clones (bsc#1158793)
* CVE-2019-19604: a recursive clone followed by a submodule
update could execute code contained within the repository
without the user explicitly having asked for that (bsc#1158795)
- Fix building with asciidoctor and without DocBook4 stylesheets.
git 2.24.0
* The command line parser learned '--end-of-options' notation.
* A mechanism to affect the default setting for a (related) group of
configuration variables is introduced.
* 'git fetch' learned '--set-upstream' option to help those who first
clone from their private fork they intend to push to, add the true
upstream via 'git remote add' and then 'git fetch' from it.
* fixes and improvements to UI, workflow and features, bash completion fixes
* part of it merged upstream
* the Makefile attempted to download some documentation, banned
git 2.23.0:
* The '--base' option of 'format-patch' computed the patch-ids for
prerequisite patches in an unstable way, which has been updated
to compute in a way that is compatible with 'git patch-id
--stable'.
* The 'git log' command by default behaves as if the --mailmap
option was given.
* fixes and improvements to UI, workflow and features
git 2.22.1:
* A relative pathname given to 'git init --template=<path> <repo>'
ought to be relative to the directory 'git init' gets invoked in,
but it instead was made relative to the repository, which has been
corrected.
* 'git worktree add' used to fail when another worktree connected to
the same repository was corrupt, which has been corrected.
* 'git am -i --resolved' segfaulted after trying to see a commit as
if it were a tree, which has been corrected.
* 'git merge --squash' is designed to update the working tree and the
index without creating the commit, and this cannot be countermanded
by adding the '--commit' option; the command now refuses to work
when both options are given.
* Update to Unicode 12.1 width table.
* 'git request-pull' learned to warn when the ref we ask them to pull
from in the local repository and in the published repository are
different.
* 'git fetch' into a lazy clone forgot to fetch base objects that are
necessary to complete delta in a thin packfile, which has been
corrected.
* The URL decoding code has been updated to avoid going past the end
of the string while parsing %-<hex>-<hex> sequence.
* 'git clean' silently skipped a path when it cannot lstat() it; now
it gives a warning.
* 'git rm' to resolve a conflicted path leaked an internal message
'needs merge' before actually removing the path, which was
confusing. This has been corrected.
* Many more bugfixes and code cleanups.
- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
firewalld, see [1].
[1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html
git 2.22.0:
* The filter specification '--filter=sparse:path=<path>' used to
create a lazy/partial clone has been removed. Using a blob that is
part of the project as sparse specification is still supported with
the '--filter=sparse:oid=<blob>' option
* 'git checkout --no-overlay' can be used to trigger a new mode of
checking out paths out of the tree-ish, that allows paths that
match the pathspec that are in the current index and working tree
and are not in the tree-ish.
* Four new configuration variables {author,committer}.{name,email}
have been introduced to override user.{name,email} in more specific
cases.
* 'git branch' learned a new subcommand '--show-current'.
* The command line completion (in contrib/) has been taught to
complete more subcommand parameters.
* The completion helper code now pays attention to repository-local
configuration (when available), which allows --list-cmds to honour
a repository specific setting of completion.commands, for example.
* The list of conflicted paths shown in the editor while concluding a
conflicted merge was shown above the scissors line when the
clean-up mode is set to 'scissors', even though it was commented
out just like the list of updated paths and other information to
help the user explain the merge better.
* 'git rebase' that was reimplemented in C did not set ORIG_HEAD
correctly, which has been corrected.
* 'git worktree add' used to do a 'find an available name with stat
and then mkdir', which is race-prone. This has been fixed by using
mkdir and reacting to EEXIST in a loop.
- update git-web AppArmor profile for bash and tar usrMerge (bsc#1132350)
git 2.21.0:
* Historically, the '-m' (mainline) option can only be used for 'git
cherry-pick' and 'git revert' when working with a merge commit.
This version of Git no longer warns or errors out when working with
a single-parent commit, as long as the argument to the '-m' option
is 1 (i.e. it has only one parent, and the request is to pick or
revert relative to that first parent). Scripts that relied on the
behaviour may get broken with this change.
* Small fixes and features for fast-export and fast-import.
* The 'http.version' configuration variable can be used with recent
enough versions of cURL library to force the version of HTTP used
to talk when fetching and pushing.
* 'git push $there $src:$dst' rejects when $dst is not a fully
qualified refname and it is not clear what the end user meant.
* Update 'git multimail' from the upstream.
* A new date format '--date=human' that morphs its output depending
on how far the time is from the current time has been introduced.
'--date=auto:human' can be used to use this new format (or any
existing format) when the output is going to the pager or to the
terminal, and otherwise the default format.
- Fix worktree creation race (bsc#1114225).
git 2.20.1:
* portability fixes
* 'git help -a' did not work well when an overly long alias was
defined
* no longer squelched an error message when the run_command API
failed to run a missing command
git 2.20.0:
* 'git help -a' now gives verbose output (same as 'git help -av').
Those who want the old output may say 'git help --no-verbose -a'..
* 'git send-email' learned to grab address-looking string on any
trailer whose name ends with '-by'.
* 'git format-patch' learned new '--interdiff' and '--range-diff'
options to explain the difference between this version and the
previous attempt in the cover letter (or after the three-dashes as
a comment).
* Developer builds now use -Wunused-function compilation option.
* Fix a bug in which the same path could be registered under multiple
worktree entries if the path was missing (for instance, was removed
manually). Also, as a convenience, expand the number of cases in
which --force is applicable.
* The overly large Documentation/config.txt file have been split into
million little pieces. This potentially allows each individual piece
to be included into the manual page of the command it affects more easily.
* Malformed or crafted data in packstream can make our code attempt
to read or write past the allocated buffer and abort, instead of
reporting an error, which has been fixed.
* Fix for a long-standing bug that leaves the index file corrupt when
it shrinks during a partial commit.
* 'git merge' and 'git pull' that merges into an unborn branch used
to completely ignore '--verify-signatures', which has been
corrected.
* ...and much more features and fixes
- fix CVE-2018-19486 (bsc#1117257)
git 2.19.2:
* various bug fixes for multiple subcommands and operations
git 2.19.1:
* CVE-2018-17456: Specially crafted .gitmodules files may have
allowed arbitrary code execution when the repository is cloned
with --recurse-submodules (bsc#1110949)
git 2.19.0:
* 'git diff' compares the index and the working tree. For paths
added with intent-to-add bit, the command shows the full contents
of them as added, but the paths themselves were not marked as new
files. They are now shown as new by default.
* 'git apply' learned the '--intent-to-add' option so that an
otherwise working-tree-only application of a patch will add new
paths to the index marked with the 'intent-to-add' bit.
* 'git grep' learned the '--column' option that gives not just the
line number but the column number of the hit.
* The '-l' option in 'git branch -l' is an unfortunate short-hand for
'--create-reflog', but many users, both old and new, somehow expect
it to be something else, perhaps '--list'. This step warns when '-l'
is used as a short-hand for '--create-reflog' and warns about the
future repurposing of the it when it is used.
* The userdiff pattern for .php has been updated.
* The content-transfer-encoding of the message 'git send-email' sends
out by default was 8bit, which can cause trouble when there is an
overlong line to bust RFC 5322/2822 limit. A new option 'auto' to
automatically switch to quoted-printable when there is such a line
in the payload has been introduced and is made the default.
* 'git checkout' and 'git worktree add' learned to honor
checkout.defaultRemote when auto-vivifying a local branch out of a
remote tracking branch in a repository with multiple remotes that
have tracking branches that share the same names.
(merge 8d7b558bae ab/checkout-default-remote later to maint).
* 'git grep' learned the '--only-matching' option.
* 'git rebase --rebase-merges' mode now handles octopus merges as
well.
* Add a server-side knob to skip commits in exponential/fibbonacci
stride in an attempt to cover wider swath of history with a smaller
number of iterations, potentially accepting a larger packfile
transfer, instead of going back one commit a time during common
ancestor discovery during the 'git fetch' transaction.
(merge 42cc7485a2 jt/fetch-negotiator-skipping later to maint).
* A new configuration variable core.usereplacerefs has been added,
primarily to help server installations that want to ignore the
replace mechanism altogether.
* Teach 'git tag -s' etc. a few configuration variables (gpg.format
that can be set to 'openpgp' or 'x509', and gpg.<format>.program
that is used to specify what program to use to deal with the format)
to allow x.509 certs with CMS via 'gpgsm' to be used instead of
openpgp via 'gnupg'.
* Many more strings are prepared for l10n.
* 'git p4 submit' learns to ask its own pre-submit hook if it should
continue with submitting.
* The test performed at the receiving end of 'git push' to prevent
bad objects from entering repository can be customized via
receive.fsck.* configuration variables; we now have gained a
counterpart to do the same on the 'git fetch' side, with
fetch.fsck.* configuration variables.
* 'git pull --rebase=interactive' learned 'i' as a short-hand for
'interactive'.
* 'git instaweb' has been adjusted to run better with newer Apache on
RedHat based distros.
* 'git range-diff' is a reimplementation of 'git tbdiff' that lets us
compare individual patches in two iterations of a topic.
* The sideband code learned to optionally paint selected keywords at
the beginning of incoming lines on the receiving end.
* 'git branch --list' learned to take the default sort order from the
'branch.sort' configuration variable, just like 'git tag --list'
pays attention to 'tag.sort'.
* 'git worktree' command learned '--quiet' option to make it less
verbose.
git 2.18.0:
* improvements to rename detection logic
* When built with more recent cURL, GIT_SSL_VERSION can now
specify 'tlsv1.3' as its value.
* 'git mergetools' learned talking to guiffy.
* various other workflow improvements and fixes
* performance improvements and other developer visible fixes
Update to git 2.16.4: security fix release
git 2.17.1:
* Submodule 'names' come from the untrusted .gitmodules file, but
we blindly append them to $GIT_DIR/modules to create our on-disk
repo paths. This means you can do bad things by putting '../'
into the name. We now enforce some rules for submodule names
which will cause Git to ignore these malicious names
(CVE-2018-11235, bsc#1095219)
* It was possible to trick the code that sanity-checks paths on
NTFS into reading random piece of memory
(CVE-2018-11233, bsc#1095218)
* Support on the server side to reject pushes to repositories
that attempt to create such problematic .gitmodules file etc.
as tracked contents, to help hosting sites protect their
customers by preventing malicious contents from spreading.
git 2.17.0:
* 'diff' family of commands learned '--find-object=<object-id>' option
to limit the findings to changes that involve the named object.
* 'git format-patch' learned to give 72-cols to diffstat, which is
consistent with other line length limits the subcommand uses for
its output meant for e-mails.
* The log from 'git daemon' can be redirected with a new option; one
relevant use case is to send the log to standard error (instead of
syslog) when running it from inetd.
* 'git rebase' learned to take '--allow-empty-message' option.
* 'git am' has learned the '--quit' option, in addition to the
existing '--abort' option; having the pair mirrors a few other
commands like 'rebase' and 'cherry-pick'.
* 'git worktree add' learned to run the post-checkout hook, just like
'git clone' runs it upon the initial checkout.
* 'git tag' learned an explicit '--edit' option that allows the
message given via '-m' and '-F' to be further edited.
* 'git fetch --prune-tags' may be used as a handy short-hand for
getting rid of stale tags that are locally held.
* The new '--show-current-patch' option gives an end-user facing way
to get the diff being applied when 'git rebase' (and 'git am')
stops with a conflict.
* 'git add -p' used to offer '/' (look for a matching hunk) as a
choice, even there was only one hunk, which has been corrected.
Also the single-key help is now given only for keys that are
enabled (e.g. help for '/' won't be shown when there is only one
hunk).
* Since Git 1.7.9, 'git merge' defaulted to --no-ff (i.e. even when
the side branch being merged is a descendant of the current commit,
create a merge commit instead of fast-forwarding) when merging a
tag object. This was appropriate default for integrators who pull
signed tags from their downstream contributors, but caused an
unnecessary merges when used by downstream contributors who
habitually 'catch up' their topic branches with tagged releases
from the upstream. Update 'git merge' to default to --no-ff only
when merging a tag object that does *not* sit at its usual place in
refs/tags/ hierarchy, and allow fast-forwarding otherwise, to
mitigate the problem.
* 'git status' can spend a lot of cycles to compute the relation
between the current branch and its upstream, which can now be
disabled with '--no-ahead-behind' option.
* 'git diff' and friends learned funcname patterns for Go language
source files.
* 'git send-email' learned '--reply-to=<address>' option.
* Funcname pattern used for C# now recognizes 'async' keyword.
* In a way similar to how 'git tag' learned to honor the pager
setting only in the list mode, 'git config' learned to ignore the
pager setting when it is used for setting values (i.e. when the
purpose of the operation is not to 'show').
- Use %license instead of %doc [bsc#1082318]
git 2.16.3:
* 'git status' after moving a path in the working tree (hence
making it appear 'removed') and then adding with the -N option
(hence making that appear 'added') detected it as a rename, but
did not report the old and new pathnames correctly.
* 'git commit --fixup' did not allow '-m<message>' option to be
used at the same time; allow it to annotate resulting commit
with more text.
* When resetting the working tree files recursively, the working
tree of submodules are now also reset to match.
* Fix for a commented-out code to adjust it to a rather old API
change around object ID.
* When there are too many changed paths, 'git diff' showed a
warning message but in the middle of a line.
* The http tracing code, often used to debug connection issues,
learned to redact potentially sensitive information from its
output so that it can be more safely sharable.
* Crash fix for a corner case where an error codepath tried to
unlock what it did not acquire lock on.
* The split-index mode had a few corner case bugs fixed.
* Assorted fixes to 'git daemon'.
* Completion of 'git merge -s<strategy>' (in contrib/) did not
work well in non-C locale.
* Workaround for segfault with more recent versions of SVN.
* Recently introduced leaks in fsck have been plugged.
* Travis CI integration now builds the executable in 'script'
phase to follow the established practice, rather than during
'before_script' phase. This allows the CI categorize the
failures better ('failed' is project's fault, 'errored' is
build environment's).
- Drop superfluous xinetd snippet, no longer used (bsc#1084460)
- Build with asciidoctor for the recent distros (bsc#1075764)
- Move %{?systemd_requires} to daemon subpackage
- Create subpackage for libsecret credential helper.
git 2.16.2:
* An old regression in 'git describe --all $annotated_tag^0' has
been fixed.
* 'git svn dcommit' did not take into account the fact that a
svn+ssh:// URL with a username@ (typically used for pushing)
refers to the same SVN repository without the username@ and
failed when svn.pushmergeinfo option is set.
* 'git merge -Xours/-Xtheirs' learned to use our/their version
when resolving a conflicting updates to a symbolic link.
* 'git clone $there $here' is allowed even when here directory
exists as long as it is an empty directory, but the command
incorrectly removed it upon a failure of the operation.
* 'git stash -- <pathspec>' incorrectly blew away untracked files
in the directory that matched the pathspec, which has been
corrected.
* 'git add -p' was taught to ignore local changes to submodules
as they do not interfere with the partial addition of regular
changes anyway.
git 2.16.1:
* 'git clone' segfaulted when cloning a project that happens to
track two paths that differ only in case on a case insensitive
filesystem
git 2.16.0 (CVE-2017-15298, bsc#1063412):
* See https://raw.github.com/git/git/master/Documentation/RelNotes/2.16.0.txt
git 2.15.1:
* fix 'auto' column output
* fixes to moved lines diffing
* documentation updates
* fix use of repositories immediately under the root directory
* improve usage of libsecret
* fixes to various error conditions in git commands
- Rewrite from sysv init to systemd unit file for git-daemon
(bsc#1069803)
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (bsc#1069468)
- split off p4 to a subpackage (bsc#1067502)
- Build with the external libsha1detectcoll (bsc#1042644)
git 2.15.0:
* Use of an empty string as a pathspec element that is used for
'everything matches' is still warned and Git asks users to use a
more explicit '.' for that instead. Removal scheduled for 2.16
* Git now avoids blindly falling back to '.git' when the setup
sequence said we are _not_ in Git repository (another corner
case removed)
* 'branch --set-upstream' was retired, deprecated since 1.8
* many other improvements and updates
git 2.14.3:
* git send-email understands more cc: formats
* fixes so gitk --bisect
* git commit-tree fixed to handle -F file alike
* Prevent segfault in 'git cat-file --textconv'
* Fix function header parsing for HTML
* Various small fixes to user commands and and internal functions
git 2.14.2:
* fixes to color output
* http.{sslkey,sslCert} now interpret '~[username]/' prefix
* fixes to walking of reflogs via 'log -g' and friends
* various fixes to output correctness
* 'git push --recurse-submodules $there HEAD:$target' is now
propagated down to the submodules
* 'git clone --recurse-submodules --quiet' c$how propagates quiet
option down to submodules.
* 'git svn --localtime' correctness fixes
* 'git grep -L' and 'git grep --quiet -L' now report same exit code
* fixes to 'git apply' when converting line endings
* Various Perl scripts did not use safe_pipe_capture() instead
of backticks, leaving them susceptible to end-user input.
CVE-2017-14867 bsc#1061041
* 'git cvsserver' no longer is invoked by 'git daemon' by
default
git 2.14.1 (bsc#1052481):
* Security fix for CVE-2017-1000117: A malicious third-party can
give a crafted 'ssh://...' URL to an unsuspecting victim, and
an attempt to visit the URL can result in any program that
exists on the victim's machine being executed. Such a URL could
be placed in the .gitmodules file of a malicious project, and
an unsuspecting victim could be tricked into running
'git clone --recurse-submodules' to trigger the vulnerability.
* A 'ssh://...' URL can result in a 'ssh' command line with a
hostname that begins with a dash '-', which would cause the
'ssh' command to instead (mis)treat it as an option. This is
now prevented by forbidding such a hostname (which should not
impact any real-world usage).
* Similarly, when GIT_PROXY_COMMAND is configured, the command
is run with host and port that are parsed out from 'ssh://...'
URL; a poorly written GIT_PROXY_COMMAND could be tricked into
treating a string that begins with a dash '-' as an option.
This is now prevented by forbidding such a hostname and port
number (again, which should not impact any real-world usage).
* In the same spirit, a repository name that begins with a dash
'-' is also forbidden now.
git 2.14.0:
* Use of an empty string as a pathspec element that is used for
'everything matches' is deprecated, use '.'
* Avoid blindly falling back to '.git' when the setup sequence
indicates operation not on a Git repository
* 'indent heuristics' are now the default.
* Builds with pcre2
* Many bug fixes, improvements and updates
git 2.13.4:
* Update the character width tables.
* Fix an alias that contained an uppercase letter
* Progress meter fixes
* git gc concurrency fixes
git 2.13.3:
* various internal bug fixes
* Fix a regression to 'git rebase -i'
* Correct unaligned 32-bit access in pack-bitmap code
* Tighten error checks for invalid 'git apply' input
* The split index code did not honor core.sharedrepository setting
correctly
* Fix 'git branch --list' handling of color.branch.local
git 2.13.2:
* 'collision detecting' SHA-1 update for platform fixes
* 'git checkout --recurse-submodules' did not quite work with a
submodule that itself has submodules.
* The 'run-command' API implementation has been made more robust
against dead-locking in a threaded environment.
* 'git clean -d' now only cleans ignored files with '-x'
* 'git status --ignored' did not list ignored and untracked files
without '-uall'
* 'git pull --rebase --autostash' didn't auto-stash when the local
history fast-forwards to the upstream.
* 'git describe --contains' gives as much weight to lightweight
tags as annotated tags
* Fix 'git stash push <pathspec>' from a subdirectory
git 2.13.1:
* Setting 'log.decorate=false' in the configuration file did not
take effect in v2.13, which has been corrected.
* corrections to documentation and command help output
* garbage collection fixes
* memory leaks fixed
* receive-pack now makes sure that the push certificate records
the same set of push options used for pushing
* shell completion corrections for git stash
* fix 'git clone --config var=val' with empty strings
* internal efficiency improvements
* Update sha1 collision detection code for big-endian platforms
and platforms not supporting unaligned fetches
- Fix packaging of documentation
git 2.13.0:
* empty string as a pathspec element for 'everything matches'
is still warned, for future removal.
* deprecated argument order 'git merge <msg> HEAD <commit>...'
was removed
* default location '~/.git-credential-cache/socket' for the
socket used to communicate with the credential-cache daemon
moved to '~/.cache/git/credential/socket'.
* now avoid blindly falling back to '.git' when the setup
sequence indicated otherwise
* many workflow features, improvements and bug fixes
* add a hardened implementation of SHA1 in response to practical
collision attacks (CVE-2005-4900, bsc#1042640)
* CVE-2017-8386: On a server running git-shell as login shell to
restrict user to git commands, remote users may have been able
to have git service programs spawn an interactive pager
and thus escape the shell restrictions. (bsc#1038395)
Changes in pcre2:
- Include the libraries, development and tools packages.
git uses only libpcre2-8 so far, but this allows further
application usage of pcre2.
ImportantSUSE bug 1167890SUSE bug 1168930CVE-2020-5260 at SUSECVE-2020-5260 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for fwupdate (Important)SUSE OpenStack Cloud 8
This update for fwupdate fixes the following issues:
- Add SBAT section to EFI images (bsc#1182057)
ImportantSUSE bug 1182057cpe:/o:suse:suse-openstack-cloud:8Security update for spamassassin (Important)SUSE OpenStack Cloud 8
This update for spamassassin fixes the following issues:
- spamassassin was updated to version 3.4.5
- CVE-2019-12420: memory leak via crafted messages (bsc#1159133)
- CVE-2020-1946: security update (bsc#1184221)
ImportantSUSE bug 1159133SUSE bug 1184221CVE-2019-12420 at SUSECVE-2019-12420 at NVDCVE-2020-1946 at SUSECVE-2020-1946 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for xorg-x11-server (Important)SUSE OpenStack Cloud 8
This update for xorg-x11-server fixes the following issues:
- CVE-2021-3472: XChangeFeedbackControl Integer Underflow Privilege Escalation (bsc#1180128)
ImportantSUSE bug 1180128CVE-2021-3472 at SUSECVE-2021-3472 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for clamav (Important)SUSE OpenStack Cloud 8
This update for clamav fixes the following issues:
- CVE-2021-1252: Fix for Excel XLM parser infinite loop. (bsc#1184532)
- CVE-2021-1404: Fix for PDF parser buffer over-read; possible crash. (bsc#1184533)
- CVE-2021-1405: Fix for mail parser NULL-dereference crash. (bsc#1184534)
- Fix errors when scanning files > 4G (bsc#1181256)
- Update clamav.keyring
- Update to 0.103.2
ImportantSUSE bug 1181256SUSE bug 1184532SUSE bug 1184533SUSE bug 1184534CVE-2021-1252 at SUSECVE-2021-1252 at NVDCVE-2021-1404 at SUSECVE-2021-1404 at NVDCVE-2021-1405 at SUSECVE-2021-1405 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for qemu (Important)SUSE OpenStack Cloud 8
This update for qemu fixes the following issues:
- Fix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)
- Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383)
- Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)
- Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)
- Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)
- Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)
- Fix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174)
- Fix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916, bsc#1179468)
- Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)
- Fix null pointer deref. (DoS) in mmio ops (CVE-2020-15469, bsc#1173612)
- Fix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577)
- Fix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968)
- Fix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416)
- Fix OOB access in SLIRP ARP packet processing (CVE-2020-29130, bsc#1179467)
- Fix null pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386
- Fix OOB access in iscsi (CVE-2020-11947 bsc#1180523)
- Fix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)
- Fix buffer overflow in the XGMAC device (CVE-2020-15863, bsc#1174386)
- Fix DoS in packet processing of various emulated NICs (CVE-2020-16092 bsc#1174641)
- Fix OOB access while processing USB packets (CVE-2020-14364 bsc#1175441)
- Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425)
- Fix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137)
- Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384)
- Fix OOB access in ROM loading (CVE-2020-13765 bsc#1172478)
ImportantSUSE bug 1172383SUSE bug 1172384SUSE bug 1172385SUSE bug 1172386SUSE bug 1172478SUSE bug 1173612SUSE bug 1174386SUSE bug 1174641SUSE bug 1175441SUSE bug 1176673SUSE bug 1176682SUSE bug 1176684SUSE bug 1178174SUSE bug 1178934SUSE bug 1179467SUSE bug 1179468SUSE bug 1180523SUSE bug 1181108SUSE bug 1181639SUSE bug 1182137SUSE bug 1182425SUSE bug 1182577SUSE bug 1182968CVE-2020-11947 at SUSECVE-2020-11947 at NVDCVE-2020-12829 at SUSECVE-2020-12829 at NVDCVE-2020-13361 at SUSECVE-2020-13361 at NVDCVE-2020-13362 at SUSECVE-2020-13362 at NVDCVE-2020-13659 at SUSECVE-2020-13659 at NVDCVE-2020-13765 at SUSECVE-2020-13765 at NVDCVE-2020-14364 at SUSECVE-2020-14364 at NVDCVE-2020-15469 at SUSECVE-2020-15469 at NVDCVE-2020-15863 at SUSECVE-2020-15863 at NVDCVE-2020-16092 at SUSECVE-2020-16092 at NVDCVE-2020-25084 at SUSECVE-2020-25084 at NVDCVE-2020-25624 at SUSECVE-2020-25624 at NVDCVE-2020-25625 at SUSECVE-2020-25625 at NVDCVE-2020-25723 at SUSECVE-2020-25723 at NVDCVE-2020-27617 at SUSECVE-2020-27617 at NVDCVE-2020-28916 at SUSECVE-2020-28916 at NVDCVE-2020-29130 at SUSECVE-2020-29130 at NVDCVE-2020-29443 at SUSECVE-2020-29443 at NVDCVE-2021-20181 at SUSECVE-2021-20181 at NVDCVE-2021-20203 at SUSECVE-2021-20203 at NVDCVE-2021-20257 at SUSECVE-2021-20257 at NVDCVE-2021-3416 at SUSECVE-2021-3416 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for xen (Important)SUSE OpenStack Cloud 8
This update for xen fixes the following issues:
- CVE-2021-20257: xen: infinite loop issue in the e1000 NIC emulator (bsc#1182846).
- CVE-2021-27379: Fixed an issue where entries in the IOMMU were not being updated
under certain circumstances due to improper backport of XSA-321 (XSA-366, bsc#1182431).
ImportantSUSE bug 1182431SUSE bug 1182846CVE-2021-20257 at SUSECVE-2021-20257 at NVDCVE-2021-27379 at SUSECVE-2021-27379 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for sudo (Important)SUSE OpenStack Cloud 8
This update for sudo fixes the following issues:
- L3: Tenable Scan reports sudo is vulnerable to CVE-2021-3156 (bsc#1183936)
ImportantSUSE bug 1183936CVE-2021-3156 at SUSECVE-2021-3156 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
- Firefox was updated to 78.10.0 ESR (bsc#1184960)
* CVE-2021-23994: Out of bound write due to lazy initialization
* CVE-2021-23995: Use-after-free in Responsive Design Mode
* CVE-2021-23998: Secure Lock icon could have been spoofed
* CVE-2021-23961: More internal network hosts could have been probed by a malicious webpage
* CVE-2021-23999: Blob URLs may have been granted additional privileges
* CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an encoded URL
* CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead to null-reads
* CVE-2021-29946: Port blocking could be bypassed
ImportantSUSE bug 1184960CVE-2021-23961 at SUSECVE-2021-23961 at NVDCVE-2021-23994 at SUSECVE-2021-23994 at NVDCVE-2021-23995 at SUSECVE-2021-23995 at NVDCVE-2021-23998 at SUSECVE-2021-23998 at NVDCVE-2021-23999 at SUSECVE-2021-23999 at NVDCVE-2021-24002 at SUSECVE-2021-24002 at NVDCVE-2021-29945 at SUSECVE-2021-29945 at NVDCVE-2021-29946 at SUSECVE-2021-29946 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libnettle (Important)SUSE OpenStack Cloud 8
This update for libnettle fixes the following issues:
- CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401, bsc#1183835).
ImportantSUSE bug 1183835SUSE bug 1184401CVE-2021-20305 at SUSECVE-2021-20305 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for gdm (Important)SUSE OpenStack Cloud 8
This update for gdm fixes the following issues:
- Avoid the signal SIGTRAP when gdm exits (bsc#1184456).
ImportantSUSE bug 1184456cpe:/o:suse:suse-openstack-cloud:8Security update for tomcat (Important)SUSE OpenStack Cloud 8
This update for tomcat fixes the following issues:
- CVE-2021-25329: Complete fix for CVE-2020-9484 (bsc#1182909)
ImportantSUSE bug 1182909CVE-2021-25329 at SUSECVE-2021-25329 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_7_0-openjdk (Moderate)SUSE OpenStack Cloud 8
This update for java-1_7_0-openjdk fixes the following issues:
- Update to 2.6.25 - OpenJDK 7u291 (January 2021 CPU, bsc#1181239)
* Security fixes
+ JDK-8247619: Improve Direct Buffering of Characters
* Import of OpenJDK 7 u291 build 1
+ JDK-8254177: (tz) Upgrade time-zone data to tzdata2020b
+ JDK-8254982: (tz) Upgrade time-zone data to tzdata2020c
+ JDK-8255226: (tz) Upgrade time-zone data to tzdata2020d
ModerateSUSE bug 1181239cpe:/o:suse:suse-openstack-cloud:8Security update for cups (Important)SUSE OpenStack Cloud 8
This update for cups fixes the following issues:
- CVE-2021-25317: ownership of /var/log/cups could allow privilege escalation from lp user to root via symlink attacks (bsc#1184161)
ImportantSUSE bug 1184161CVE-2021-25317 at SUSECVE-2021-25317 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for bind (Important)SUSE OpenStack Cloud 8
This update for bind fixes the following issues:
- CVE-2021-25214: Fixed a broken inbound incremental zone update (IXFR) which could have caused named to terminate unexpectedly (bsc#1185345).
- CVE-2021-25215: Fixed an assertion check which could have failed while answering queries for DNAME records that required the DNAME to be processed to resolve itself (bsc#1185345).
- CVE-2021-25216: Fixed an issue where policy negotiation can be targeted by a buffer overflow attack (bsc#1185345).
- MD5 warning message using host, dig, nslookup (bind-utils) with FIPS enabled (bsc#1181495).
ImportantSUSE bug 1181495SUSE bug 1185345CVE-2021-25214 at SUSECVE-2021-25214 at NVDCVE-2021-25215 at SUSECVE-2021-25215 at NVDCVE-2021-25216 at SUSECVE-2021-25216 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for samba (Important)SUSE OpenStack Cloud 8
This update for samba fixes the following issues:
- CVE-2021-20254: Fixed a buffer overrun in sids_to_unixids() (bsc#1184677).
- Avoid free'ing our own pointer in memcache when memcache_trim attempts to reduce cache size (bsc#1179156).
- Adjust smbcacls '--propagate-inheritance' feature to align with upstream (bsc#1178469).
ImportantSUSE bug 1178469SUSE bug 1179156SUSE bug 1184677CVE-2021-20254 at SUSECVE-2021-20254 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for avahi (Important)SUSE OpenStack Cloud 8
This update for avahi fixes the following issues:
- CVE-2021-3468: avoid infinite loop by handling HUP event in client_work (bsc#1184521).
ImportantSUSE bug 1184521CVE-2021-3468 at SUSECVE-2021-3468 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python3 (Important)SUSE OpenStack Cloud 8
This update for python3 fixes the following issues:
Security issues fixed:
- CVE-2020-27619: where Lib/test/multibytecodec_support calls eval() on content retrieved via HTTP. (bsc#1178009)
Other fixes:
- Make sure to close the 'import_failed.map' file after the exception
has been raised in order to avoid ResourceWarnings when the
failing import is part of a try...except block
ImportantCVE-2020-27619 at SUSECVE-2020-27619 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud 8
The SUSE Linux Enterprise 12 SP2 LTSS kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-36312: Fixed an issue in virt/kvm/kvm_main.c that had a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure (bnc#1184509).
- CVE-2021-29650: Fixed an issue inside the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).
- CVE-2020-27673: Fixed an issue in Xen where a guest OS users could have caused a denial of service (host OS hang) via a high rate of events to dom0 (bnc#1177411, bnc#1184583).
- CVE-2021-29154: Fixed BPF JIT compilers that allowed to execute arbitrary code within the kernel context (bnc#1184391).
- CVE-2020-25673: Fixed NFC endless loops caused by repeated llcp_sock_connect() (bsc#1178181).
- CVE-2020-25672: Fixed NFC memory leak in llcp_sock_connect() (bsc#1178181).
- CVE-2020-25671: Fixed NFC refcount leak in llcp_sock_connect() (bsc#1178181).
- CVE-2020-25670: Fixed NFC refcount leak in llcp_sock_bind() (bsc#1178181).
- CVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h where a 'stall on CPU' could have occured because a retry loop continually finds the same bad inode (bnc#1184194, bnc#1184211).
- CVE-2020-36322: Fixed an issue inside the FUSE filesystem implementation where fuse_do_getattr() calls make_bad_inode() in inappropriate situations, could have caused a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bnc#1184211).
- CVE-2021-30002: Fixed a memory leak issue when a webcam device exists (bnc#1184120).
- CVE-2021-3483: Fixed a use-after-free bug in nosy_ioctl() (bsc#1184393).
- CVE-2021-20219: Fixed a denial of service vulnerability in drivers/tty/n_tty.c of the Linux kernel. In this flaw a local attacker with a normal user privilege could have delayed the loop and cause a threat to the system availability (bnc#1184397).
- CVE-2021-29265: Fixed an issue in usbip_sockfd_store in drivers/usb/usbip/stub_dev.c that allowed attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status (bnc#1184167).
- CVE-2021-29264: Fixed an issue in drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver that allowed attackers to cause a system crash because a negative fragment size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is enabled (bnc#1184168).
- CVE-2021-28972: Fixed an issue in drivers/pci/hotplug/rpadlpar_sysfs.c where the RPA PCI Hotplug driver had a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and remove_slot_store mishandle drc_name '\0' termination (bnc#1184198).
- CVE-2021-28660: Fixed rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c that allowed writing beyond the end of the ssid array (bnc#1183593).
- CVE-2020-0433: Fixed blk_mq_queue_tag_busy_iter of blk-mq-tag.c, where a possible use after free due to improper locking could have happened. This could have led to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bnc#1176720).
- CVE-2021-28038: Fixed an issue with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931 (bnc#1183022, bnc#1183069).
- CVE-2021-27365: Fixed an issue inside the iSCSI data structures that does not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bnc#1182715).
- CVE-2021-27363: Fixed an issue with a kernel pointer leak that could have been used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables (bnc#1182716).
- CVE-2021-27364: Fixed an issue in drivers/scsi/scsi_transport_iscsi.c where an unprivileged user can craft Netlink messages (bnc#1182717).
- CVE-2020-1749: Fixed a flaw inside of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality (bnc#1165629).
The following non-security bugs were fixed:
- bluetooth: eliminate the potential race condition when removing the HCI controller (bsc#1184611).
- Btrfs: add missing extents release on file extent cluster relocation error (bsc#1159483).
- btrfs: change timing for qgroup reserved space for ordered extents to fix reserved space leak (bsc#1172247).
- btrfs: Cleanup try_flush_qgroup (bsc#1182047).
- btrfs: Do not flush from btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: drop unused parameter qgroup_reserved (bsc#1182261).
- btrfs: fix qgroup data rsv leak caused by falloc failure (bsc#1182261).
- btrfs: fix qgroup_free wrong num_bytes in btrfs_subvolume_reserve_metadata (bsc#1182261).
- btrfs: Free correct amount of space in btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: inode: move qgroup reserved space release to the callers of insert_reserved_file_extent() (bsc#1172247).
- btrfs: inode: refactor the parameters of insert_reserved_file_extent() (bsc#1172247).
- btrfs: make btrfs_ordered_extent naming consistent with btrfs_file_extent_item (bsc#1172247).
- btrfs: qgroup: allow to unreserve range without releasing other ranges (bsc#1120163).
- btrfs: qgroup: Always free PREALLOC META reserve in btrfs_delalloc_release_extents() (bsc#1155179).
- btrfs: qgroup: do not commit transaction when we already hold the handle (bsc#1178634).
- btrfs: qgroup: Do not hold qgroup_ioctl_lock in btrfs_qgroup_inherit() (bsc#1165823).
- btrfs: qgroup: do not try to wait flushing if we're already holding a transaction (bsc#1179575).
- btrfs: qgroup: Fix a bug that prevents qgroup to be re-enabled after disable (bsc#1172247).
- btrfs: qgroup: fix data leak caused by race between writeback and truncate (bsc#1172247).
- btrfs: qgroup: fix qgroup meta rsv leak for subvolume operations (bsc#1177856).
- btrfs: qgroup: Fix reserved data space leak if we have multiple reserve calls (bsc#1152975).
- btrfs: qgroup: Fix the wrong target io_tree when freeing reserved data space (bsc#1152974).
- btrfs: qgroup: fix wrong qgroup metadata reserve for delayed inode (bsc#1177855).
- btrfs: qgroup: mark qgroup inconsistent if we're inherting snapshot to a new qgroup (bsc#1165823).
- btrfs: qgroup: remove ASYNC_COMMIT mechanism in favor of reserve retry-after-EDQUOT (bsc#1120163).
- btrfs: qgroup: try to flush qgroup space when we get -EDQUOT (bsc#1120163).
- btrfs: remove unused parameter from btrfs_subvolume_release_metadata (bsc#1182261).
- btrfs: tracepoints: Fix bad entry members of qgroup events (bsc#1155186).
- btrfs: tracepoints: Fix wrong parameter order for qgroup events (bsc#1155184).
- ext4: check journal inode extents more carefully (bsc#1173485).
- ext4: do not allow overlapping system zones (bsc#1173485).
- ext4: handle error of ext4_setup_system_zone() on remount (bsc#1173485).
- hv_netvsc: remove ndo_poll_controller (bsc#1185248).
- KVM: Add proper lockdep assertion in I/O bus unregister (bsc#1185555).
- KVM: Destroy I/O bus devices on unregister failure _after_ sync'ing SRCU (bsc#1185556).
- KVM: Stop looking for coalesced MMIO zones if the bus is destroyed (bsc#1185557).
- xen-netback: respect gnttab_map_refs()'s return value (bsc#1183022 XSA-367).
- Xen/gnttab: handle p2m update errors on a per-slot basis (bsc#1183022 XSA-367).
ImportantSUSE bug 1120163SUSE bug 1152974SUSE bug 1152975SUSE bug 1155179SUSE bug 1155184SUSE bug 1155186SUSE bug 1159483SUSE bug 1165629SUSE bug 1165823SUSE bug 1172247SUSE bug 1173485SUSE bug 1176720SUSE bug 1177411SUSE bug 1177855SUSE bug 1177856SUSE bug 1178181SUSE bug 1178634SUSE bug 1179575SUSE bug 1182047SUSE bug 1182261SUSE bug 1182715SUSE bug 1182716SUSE bug 1182717SUSE bug 1183022SUSE bug 1183069SUSE bug 1183593SUSE bug 1184120SUSE bug 1184167SUSE bug 1184168SUSE bug 1184194SUSE bug 1184198SUSE bug 1184208SUSE bug 1184211SUSE bug 1184391SUSE bug 1184393SUSE bug 1184397SUSE bug 1184509SUSE bug 1184583SUSE bug 1184611SUSE bug 1185248SUSE bug 1185555SUSE bug 1185556SUSE bug 1185557CVE-2020-0433 at SUSECVE-2020-0433 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDCVE-2020-25670 at SUSECVE-2020-25670 at NVDCVE-2020-25671 at SUSECVE-2020-25671 at NVDCVE-2020-25672 at SUSECVE-2020-25672 at NVDCVE-2020-25673 at SUSECVE-2020-25673 at NVDCVE-2020-27673 at SUSECVE-2020-27673 at NVDCVE-2020-36312 at SUSECVE-2020-36312 at NVDCVE-2020-36322 at SUSECVE-2020-36322 at NVDCVE-2021-20219 at SUSECVE-2021-20219 at NVDCVE-2021-27363 at SUSECVE-2021-27363 at NVDCVE-2021-27364 at SUSECVE-2021-27364 at NVDCVE-2021-27365 at SUSECVE-2021-27365 at NVDCVE-2021-28038 at SUSECVE-2021-28038 at NVDCVE-2021-28660 at SUSECVE-2021-28660 at NVDCVE-2021-28950 at SUSECVE-2021-28950 at NVDCVE-2021-28972 at SUSECVE-2021-28972 at NVDCVE-2021-29154 at SUSECVE-2021-29154 at NVDCVE-2021-29264 at SUSECVE-2021-29264 at NVDCVE-2021-29265 at SUSECVE-2021-29265 at NVDCVE-2021-29650 at SUSECVE-2021-29650 at NVDCVE-2021-30002 at SUSECVE-2021-30002 at NVDCVE-2021-3483 at SUSECVE-2021-3483 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for djvulibre (Important)SUSE OpenStack Cloud 8
This update for djvulibre fixes the following issues:
Security issues fixed:
- CVE-2021-32491 [bsc#1185900]: Integer overflow in function render() in tools/ddjvu via crafted djvu file
- CVE-2021-32492 [bsc#1185904]: Out of bounds read in function DJVU:DataPool:has_data() via crafted djvu file
- CVE-2021-32493 [bsc#1185905]: Heap buffer overflow in function DJVU:GBitmap:decode() via crafted djvu file
ImportantSUSE bug 1185900SUSE bug 1185904SUSE bug 1185905CVE-2019-18804 at SUSECVE-2019-18804 at NVDCVE-2021-32491 at SUSECVE-2021-32491 at NVDCVE-2021-32492 at SUSECVE-2021-32492 at NVDCVE-2021-32493 at SUSECVE-2021-32493 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for graphviz (Critical)SUSE OpenStack Cloud 8
This update for graphviz fixes the following issues:
- CVE-2020-18032: Fixed possible remote code execution via buffer overflow (bsc#1185833).
CriticalSUSE bug 1185833CVE-2020-18032 at SUSECVE-2020-18032 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libxml2 (Important)SUSE OpenStack Cloud 8
This update for libxml2 fixes the following issues:
Security issues fixed:
CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698)
- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).
ImportantSUSE bug 1185408SUSE bug 1185409SUSE bug 1185410SUSE bug 1185698CVE-2021-3516 at SUSECVE-2021-3516 at NVDCVE-2021-3517 at SUSECVE-2021-3517 at NVDCVE-2021-3518 at SUSECVE-2021-3518 at NVDCVE-2021-3537 at SUSECVE-2021-3537 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for dnsmasq (Important)SUSE OpenStack Cloud 8
This update for dnsmasq fixes the following issues:
- bsc#1177077: Fixed DNSpooq vulnerabilities
- CVE-2020-25684, CVE-2020-25685, CVE-2020-25686:
Fixed multiple Cache Poisoning attacks.
- CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687:
Fixed multiple potential Heap-based overflows when DNSSEC is
enabled.
- Retry query to other servers on receipt of SERVFAIL rcode
(bsc#1176076)
ImportantSUSE bug 1176076SUSE bug 1177077CVE-2020-25681 at SUSECVE-2020-25681 at NVDCVE-2020-25682 at SUSECVE-2020-25682 at NVDCVE-2020-25683 at SUSECVE-2020-25683 at NVDCVE-2020-25684 at SUSECVE-2020-25684 at NVDCVE-2020-25685 at SUSECVE-2020-25685 at NVDCVE-2020-25686 at SUSECVE-2020-25686 at NVDCVE-2020-25687 at SUSECVE-2020-25687 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for flac (Moderate)SUSE OpenStack Cloud 8
This update for flac fixes the following issues:
- CVE-2020-0499: Fixed an out-of-bounds access (bsc#1180099).
ModerateSUSE bug 1180099CVE-2020-0499 at SUSECVE-2020-0499 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for dovecot22 (Important)SUSE OpenStack Cloud 8
This update for dovecot22 fixes the following issues:
- CVE-2020-24386: Fixed an issue with IMAP hibernation that allowed users to access other users' emails (bsc#1180405).
ImportantSUSE bug 1180405CVE-2020-24386 at SUSECVE-2020-24386 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-httplib2 (Moderate)SUSE OpenStack Cloud 8
This update for python-httplib2 contains the following fixes:
Security fixes included in this update:
- CVE-2021-21240: Fixed a regular expression denial of service via malicious header (bsc#1182053).
- CVE-2020-11078: Fixed an issue where an attacker could change request headers and body (bsc#1171998).
Non security fixes included in this update:
- Update in SLE to 0.19.0 (bsc#1182053, CVE-2021-21240)
- update to 0.19.0:
* auth: parse headers using pyparsing instead of regexp
* auth: WSSE token needs to be string not bytes
- update to 0.18.1: (bsc#1171998, CVE-2020-11078)
* explicit build-backend workaround for pip build isolation bug
* IMPORTANT security vulnerability CWE-93 CRLF injection
Force %xx quote of space, CR, LF characters in uri.
* Ship test suite in source dist
- update to 0.17.3:
* bugfixes
- Update to 0.17.1
* python3: no_proxy was not checked with https
* feature: Http().redirect_codes set, works after follow(_all)_redirects check
This allows one line workaround for old gcloud library that uses 308
response without redirect semantics.
* IMPORTANT cache invalidation change, fix 307 keep method, add 308 Redirects
* proxy: username/password as str compatible with pysocks
* python2: regression in connect() error handling
* add support for password protected certificate files
* feature: Http.close() to clean persistent connections and sensitive data
- Update to 0.14.0:
* Python3: PROXY_TYPE_SOCKS5 with str user/pass raised TypeError
- version update to 0.13.1
0.13.1
* Python3: Use no_proxy
https://github.com/httplib2/httplib2/pull/140
0.13.0
* Allow setting TLS max/min versions
https://github.com/httplib2/httplib2/pull/138
0.12.3
* No changes to library. Distribute py3 wheels.
0.12.1
* Catch socket timeouts and clear dead connection
https://github.com/httplib2/httplib2/issues/18
https://github.com/httplib2/httplib2/pull/111
* Officially support Python 3.7 (package metadata)
https://github.com/httplib2/httplib2/issues/123
0.12.0
* Drop support for Python 3.3
* ca_certs from environment HTTPLIB2_CA_CERTS or certifi
https://github.com/httplib2/httplib2/pull/117
* PROXY_TYPE_HTTP with non-empty user/pass raised TypeError: bytes required
https://github.com/httplib2/httplib2/pull/115
* Revert http:443->https workaround
https://github.com/httplib2/httplib2/issues/112
* eliminate connection pool read race
https://github.com/httplib2/httplib2/pull/110
* cache: stronger safename
https://github.com/httplib2/httplib2/pull/101
0.11.3
* No changes, just reupload of 0.11.2 after fixing automatic release conditions in Travis.
0.11.2
* proxy: py3 NameError basestring
https://github.com/httplib2/httplib2/pull/100
0.11.1
* Fix HTTP(S)ConnectionWithTimeout AttributeError proxy_info
https://github.com/httplib2/httplib2/pull/97
0.11.0
* Add DigiCert Global Root G2 serial 033af1e6a711a9a0bb2864b11d09fae5
https://github.com/httplib2/httplib2/pull/91
* python3 proxy support
https://github.com/httplib2/httplib2/pull/90
* If no_proxy environment value ends with comma then proxy is not used
https://github.com/httplib2/httplib2/issues/11
* fix UnicodeDecodeError using socks5 proxy
https://github.com/httplib2/httplib2/pull/64
* Respect NO_PROXY env var in proxy_info_from_url
https://github.com/httplib2/httplib2/pull/58
* NO_PROXY=bar was matching foobar (suffix without dot delimiter)
New behavior matches curl/wget:
- no_proxy=foo.bar will only skip proxy for exact hostname match
- no_proxy=.wild.card will skip proxy for any.subdomains.wild.card
https://github.com/httplib2/httplib2/issues/94
* Bugfix for Content-Encoding: deflate
https://stackoverflow.com/a/22311297
- deleted patches
- httplib2 started to use certifi and this is already bent to
use system certificate bundle
ModerateSUSE bug 1171998SUSE bug 1182053CVE-2020-11078 at SUSECVE-2020-11078 at NVDCVE-2021-21240 at SUSECVE-2021-21240 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for djvulibre (Important)SUSE OpenStack Cloud 8
This update for djvulibre fixes the following issues:
- CVE-2021-3500: Stack overflow in function DJVU:DjVuDocument:get_djvu_file() via crafted djvu file (bsc#1186253)
ImportantSUSE bug 1186253CVE-2021-3500 at SUSECVE-2021-3500 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for dhcp (Important)SUSE OpenStack Cloud 8
This update for dhcp fixes the following issues:
- CVE-2021-25217: A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient (bsc#1186382)
ImportantSUSE bug 1186382CVE-2021-25217 at SUSECVE-2021-25217 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libwebp (Critical)SUSE OpenStack Cloud 8
This update for libwebp fixes the following issues:
- CVE-2018-25010: Fixed heap-based buffer overflow in ApplyFilter() (bsc#1185685).
- CVE-2020-36330: Fixed heap-based buffer overflow in ChunkVerifyAndAssign() (bsc#1185691).
- CVE-2020-36332: Fixed extreme memory allocation when reading a file (bsc#1185674).
- CVE-2020-36329: Fixed use-after-free in EmitFancyRGB() (bsc#1185652).
- CVE-2018-25012: Fixed heap-based buffer overflow in GetLE24() (bsc#1185690).
- CVE-2018-25013: Fixed heap-based buffer overflow in ShiftBytes() (bsc#1185654).
- CVE-2020-36331: Fixed heap-based buffer overflow in ChunkAssignData() (bsc#1185686).
- CVE-2018-25009: Fixed heap-based buffer overflow in GetLE16() (bsc#1185673).
- CVE-2018-25011: Fixed fail on multiple image chunks (bsc#1186247).
CriticalSUSE bug 1185652SUSE bug 1185654SUSE bug 1185673SUSE bug 1185674SUSE bug 1185685SUSE bug 1185686SUSE bug 1185690SUSE bug 1185691SUSE bug 1186247CVE-2018-25009 at SUSECVE-2018-25009 at NVDCVE-2018-25010 at SUSECVE-2018-25010 at NVDCVE-2018-25011 at SUSECVE-2018-25011 at NVDCVE-2018-25012 at SUSECVE-2018-25012 at NVDCVE-2018-25013 at SUSECVE-2018-25013 at NVDCVE-2020-36329 at SUSECVE-2020-36329 at NVDCVE-2020-36330 at SUSECVE-2020-36330 at NVDCVE-2020-36331 at SUSECVE-2020-36331 at NVDCVE-2020-36332 at SUSECVE-2020-36332 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for polkit (Important)SUSE OpenStack Cloud 8
This update for polkit fixes the following issues:
- CVE-2021-3560: Fixed a local privilege escalation using polkit_system_bus_name_get_creds_sync() (bsc#1186497).
ImportantSUSE bug 1186497CVE-2021-3560 at SUSECVE-2021-3560 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for gstreamer-plugins-bad (Important)SUSE OpenStack Cloud 8
This update for gstreamer-plugins-bad fixes the following issues:
- CVE-2021-3185: Fixed buffer overflow in gst_h264_slice_parse_dec_ref_pic_marking (bsc#1181255).
ImportantSUSE bug 1181255CVE-2021-3185 at SUSECVE-2021-3185 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 78.11.0 ESR (bsc#1186696)
* CVE-2021-29964: Out of bounds-read when parsing a `WM_COPYDATA` message
* CVE-2021-29967: Memory safety bugs fixed in Firefox
ImportantSUSE bug 1185633SUSE bug 1186696CVE-2021-29951 at SUSECVE-2021-29951 at NVDCVE-2021-29964 at SUSECVE-2021-29964 at NVDCVE-2021-29967 at SUSECVE-2021-29967 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libX11 (Important)SUSE OpenStack Cloud 8
This update for libX11 fixes the following issues:
- Regression in the fix for CVE-2021-31535, causing segfaults for xforms applications like fdesign (bsc#1186643)
ImportantSUSE bug 1186643CVE-2021-31535 at SUSECVE-2021-31535 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for qemu (Important)SUSE OpenStack Cloud 8
This update for qemu fixes the following issues:
- Fix OOB access during mmio operations (CVE-2020-13754, bsc#1172382)
- Fix out-of-bounds read information disclosure in icmp6_send_echoreply (CVE-2020-10756, bsc#1172380)
- Fix out-of-bound heap buffer access via an interrupt ID field (CVE-2021-20221, bsc#1181933)
- For the record, these issues are fixed in this package already.
Most are alternate references to previously mentioned issues:
(CVE-2019-15890, bsc#1149813, CVE-2020-8608, bsc#1163019,
CVE-2020-14364, bsc#1175534, CVE-2020-25707, bsc#1178683,
CVE-2020-25723, bsc#1178935, CVE-2020-29130, bsc#1179477,
CVE-2021-20257, bsc#1182846, CVE-2021-3419, bsc#1182975,
bsc#1094725)
ImportantSUSE bug 1094725SUSE bug 1149813SUSE bug 1163019SUSE bug 1172380SUSE bug 1172382SUSE bug 1175534SUSE bug 1178683SUSE bug 1178935SUSE bug 1179477SUSE bug 1181933SUSE bug 1182846SUSE bug 1182975CVE-2019-15890 at SUSECVE-2019-15890 at NVDCVE-2020-10756 at SUSECVE-2020-10756 at NVDCVE-2020-13754 at SUSECVE-2020-13754 at NVDCVE-2020-14364 at SUSECVE-2020-14364 at NVDCVE-2020-25707 at SUSECVE-2020-25707 at NVDCVE-2020-25723 at SUSECVE-2020-25723 at NVDCVE-2020-29130 at SUSECVE-2020-29130 at NVDCVE-2020-8608 at SUSECVE-2020-8608 at NVDCVE-2021-20221 at SUSECVE-2021-20221 at NVDCVE-2021-20257 at SUSECVE-2021-20257 at NVDCVE-2021-3419 at SUSECVE-2021-3419 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_7_1-ibm (Moderate)SUSE OpenStack Cloud 8
This update for java-1_7_1-ibm fixes the following issues:
- Update to Java 7.1 Service Refresh 4 Fix Pack 75 [bsc#1180063, bsc#1177943]
CVE-2020-14792 CVE-2020-14797 CVE-2020-14782 CVE-2020-14781
CVE-2020-14779 CVE-2020-14798 CVE-2020-14796 CVE-2020-14803
* Class Libraries:
- Z/OS specific C function send_file is changing the file pointer position
* Security:
- Add the new oracle signer certificate
- Certificate parsing error
- JVM memory growth can be caused by the IBMPKCS11IMPL crypto provider
- Remove check for websphere signed jars
- sessionid.hashcode generates too many collisions
- The Java 8 IBM certpath provider does not honor the user
specified system property for CLR connect timeout
ModerateSUSE bug 1177943SUSE bug 1180063CVE-2020-14779 at SUSECVE-2020-14779 at NVDCVE-2020-14781 at SUSECVE-2020-14781 at NVDCVE-2020-14782 at SUSECVE-2020-14782 at NVDCVE-2020-14792 at SUSECVE-2020-14792 at NVDCVE-2020-14796 at SUSECVE-2020-14796 at NVDCVE-2020-14797 at SUSECVE-2020-14797 at NVDCVE-2020-14798 at SUSECVE-2020-14798 at NVDCVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for spice (Important)SUSE OpenStack Cloud 8
This update for spice fixes the following issues:
- CVE-2021-20201: client initiated renegotiation causing denial of service (bsc#1181686)
ImportantSUSE bug 1181686CVE-2021-20201 at SUSECVE-2021-20201 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ucode-intel (Important)SUSE OpenStack Cloud 8
This update for ucode-intel fixes the following issues:
Updated to Intel CPU Microcode 20210608 release.
- CVE-2020-24513: A domain bypass transient execution vulnerability was discovered on some Intel Atom processors that use a micro-architectural incident channel. (INTEL-SA-00465 bsc#1179833)
See also: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00465.html
- CVE-2020-24511: The IBRS feature to mitigate Spectre variant 2 transient execution side channel vulnerabilities may not fully prevent non-root (guest) branches from controlling the branch predictions of the root (host) (INTEL-SA-00464 bsc#1179836)
See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html)
- CVE-2020-24512: Fixed trivial data value cache-lines such as all-zero value cache-lines may lead to changes in cache-allocation or write-back behavior for such cache-lines (bsc#1179837 INTEL-SA-00464)
See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html)
- CVE-2020-24489: Fixed Intel VT-d device pass through potential local privilege escalation (INTEL-SA-00442 bsc#1179839)
See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00442.html
Other fixes:
- Update for functional issues. Refer to [Third Generation Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/637780)for details.
- Update for functional issues. Refer to [Second Generation Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/338848) for details.
- Update for functional issues. Refer to [Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/613537) for details.
- Update for functional issues. Refer to [Intel Xeon Processor D-1500, D-1500 NS and D-1600 NS Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-d-1500-specification-update.html) for details.
- Update for functional issues. Refer to [Intel Xeon E7-8800 and E7-4800 v3 Processor Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e7-v3-spec-update.html) for details.
- Update for functional issues. Refer to [Intel Xeon Processor E5 v3 Product Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html?wapkw=processor+spec+update+e5) for details.
- Update for functional issues. Refer to [10th Gen Intel Core Processor Families Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/10th-gen-core-families-specification-update.html) for details.
- Update for functional issues. Refer to [8th and 9th Gen Intel Core Processor Family Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/8th-gen-core-spec-update.html) for details.
- Update for functional issues. Refer to [7th Gen and 8th Gen (U Quad-Core) Intel Processor Families Specification Update](https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-spec-update.html) for details.
- Update for functional issues. Refer to [6th Gen Intel Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/332689) for details.
- Update for functional issues. Refer to [Intel Xeon E3-1200 v6 Processor Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v6-spec-update.html) for details.
- Update for functional issues. Refer to [Intel Xeon E-2100 and E-2200 Processor Family Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-e-2100-specification-update.html) for details.
- New platforms:
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| CLX-SP | A0 | 06-55-05/b7 | | 03000010 | Xeon Scalable Gen2
| ICX-SP | C0 | 06-6a-05/87 | | 0c0002f0 | Xeon Scalable Gen3
| ICX-SP | D0 | 06-6a-06/87 | | 0d0002a0 | Xeon Scalable Gen3
| SNR | B0 | 06-86-04/01 | | 0b00000f | Atom P59xxB
| SNR | B1 | 06-86-05/01 | | 0b00000f | Atom P59xxB
| TGL | B1 | 06-8c-01/80 | | 00000088 | Core Gen11 Mobile
| TGL-R | C0 | 06-8c-02/c2 | | 00000016 | Core Gen11 Mobile
| TGL-H | R0 | 06-8d-01/c2 | | 0000002c | Core Gen11 Mobile
| EHL | B1 | 06-96-01/01 | | 00000011 | Pentium J6426/N6415, Celeron J6412/J6413/N6210/N6211, Atom x6000E
| JSL | A0/A1 | 06-9c-00/01 | | 0000001d | Pentium N6000/N6005, Celeron N4500/N4505/N5100/N5105
| RKL-S | B0 | 06-a7-01/02 | | 00000040 | Core Gen11
- Updated platforms:
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000044 | 00000046 | Core Gen4 X series; Xeon E5 v3
| HSX-EX | E0 | 06-3f-04/80 | 00000016 | 00000019 | Xeon E7 v3
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000e2 | 000000ea | Core Gen6 Mobile
| SKL-U23e | K1 | 06-4e-03/c0 | 000000e2 | 000000ea | Core Gen6 Mobile
| BDX-ML | B0/M0/R0 | 06-4f-01/ef | 0b000038 | 0b00003e | Xeon E5/E7 v4; Core i7-69xx/68xx
| SKX-SP | B1 | 06-55-03/97 | 01000159 | 0100015b | Xeon Scalable
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006a0a | 02006b06 | Xeon Scalable
| SKX-D | M1 | 06-55-04/b7 | 02006a0a | 02006b06 | Xeon D-21xx
| CLX-SP | B0 | 06-55-06/bf | 04003006 | 04003102 | Xeon Scalable Gen2
| CLX-SP | B1 | 06-55-07/bf | 05003006 | 05003102 | Xeon Scalable Gen2
| CPX-SP | A1 | 06-55-0b/bf | 0700001e | 07002302 | Xeon Scalable Gen3
| BDX-DE | V2/V3 | 06-56-03/10 | 07000019 | 0700001b | Xeon D-1518/19/21/27/28/31/33/37/41/48, Pentium D1507/08/09/17/19
| BDX-DE | Y0 | 06-56-04/10 | 0f000017 | 0f000019 | Xeon D-1557/59/67/71/77/81/87
| BDX-NS | A0 | 06-56-05/10 | 0e00000f | 0e000012 | Xeon D-1513N/23/33/43/53
| APL | D0 | 06-5c-09/03 | 00000040 | 00000044 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
| APL | E0 | 06-5c-0a/03 | 0000001e | 00000020 | Atom x5-E39xx
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000e2 | 000000ea | Core Gen6; Xeon E3 v5
| DNV | B0 | 06-5f-01/01 | 0000002e | 00000034 | Atom C Series
| GLK | B0 | 06-7a-01/01 | 00000034 | 00000036 | Pentium Silver N/J5xxx, Celeron N/J4xxx
| GKL-R | R0 | 06-7a-08/01 | 00000018 | 0000001a | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| ICL-U/Y | D1 | 06-7e-05/80 | 000000a0 | 000000a6 | Core Gen10 Mobile
| LKF | B2/B3 | 06-8a-01/10 | 00000028 | 0000002a | Core w/Hybrid Technology
| AML-Y22 | H0 | 06-8e-09/10 | 000000de | 000000ea | Core Gen8 Mobile
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000de | 000000ea | Core Gen7 Mobile
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000e0 | 000000ea | Core Gen8 Mobile
| WHL-U | W0 | 06-8e-0b/d0 | 000000de | 000000ea | Core Gen8 Mobile
| AML-Y42 | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen10 Mobile
| CML-Y42 | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen10 Mobile
| WHL-U | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen8 Mobile
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000de | 000000ea | Core Gen7; Xeon E3 v6
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000de | 000000ea | Core Gen8 Desktop, Mobile, Xeon E
| CFL-S | B0 | 06-9e-0b/02 | 000000de | 000000ea | Core Gen8
| CFL-H/S | P0 | 06-9e-0c/22 | 000000de | 000000ea | Core Gen9
| CFL-H | R0 | 06-9e-0d/22 | 000000de | 000000ea | Core Gen9 Mobile
| CML-H | R1 | 06-a5-02/20 | 000000e0 | 000000ea | Core Gen10 Mobile
| CML-S62 | G1 | 06-a5-03/22 | 000000e0 | 000000ea | Core Gen10
| CML-S102 | Q0 | 06-a5-05/22 | 000000e0 | 000000ec | Core Gen10
| CML-U62 | A0 | 06-a6-00/80 | 000000e0 | 000000e8 | Core Gen10 Mobile
| CML-U62 V2 | K0 | 06-a6-01/80 | 000000e0 | 000000ea | Core Gen10 Mobile
ImportantSUSE bug 1179833SUSE bug 1179836SUSE bug 1179837SUSE bug 1179839CVE-2020-24489 at SUSECVE-2020-24489 at NVDCVE-2020-24511 at SUSECVE-2020-24511 at NVDCVE-2020-24512 at SUSECVE-2020-24512 at NVDCVE-2020-24513 at SUSECVE-2020-24513 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-Pillow (Important)SUSE OpenStack Cloud 8
This update for python-Pillow fixes the following issues:
- CVE-2021-25292: Fixed a backtracking regex in PDF parser could be used as a DOS attack (bsc#1183101).
- CVE-2021-25290: Fixed a negative-offset memcpy with an invalid size in TiffDecode.c (bsc#1183105).
- CVE-2021-27922,CVE-2021-27923: Fixed improper reported size of a contained image (bsc#1183108,bsc#1183107)
- CVE-2020-35653: Fixed buffer over-read in PcxDecode when decoding a crafted PCX file (bsc#1180834).
- CVE-2021-25287: Fixed out-of-bounds read in J2kDecode in j2ku_graya_la (bsc#1185805).
- CVE-2021-25288: Fixed out-of-bounds read in J2kDecode in j2ku_gray_i (bsc#1185803).
- CVE-2021-28675: Fixed DoS in PsdImagePlugin (bsc#1185804).
- CVE-2021-28677: Fixed DoS in the open phase via a malicious EPS file (bsc#1185785).
- CVE-2021-28676: Fixed infinite loop in FliDecode.c (bsc#1185786).
ImportantSUSE bug 1180834SUSE bug 1183101SUSE bug 1183105SUSE bug 1183107SUSE bug 1183108SUSE bug 1185785SUSE bug 1185786SUSE bug 1185803SUSE bug 1185804SUSE bug 1185805CVE-2020-35653 at SUSECVE-2020-35653 at NVDCVE-2021-25287 at SUSECVE-2021-25287 at NVDCVE-2021-25288 at SUSECVE-2021-25288 at NVDCVE-2021-25290 at SUSECVE-2021-25290 at NVDCVE-2021-25292 at SUSECVE-2021-25292 at NVDCVE-2021-27922 at SUSECVE-2021-27922 at NVDCVE-2021-27923 at SUSECVE-2021-27923 at NVDCVE-2021-28675 at SUSECVE-2021-28675 at NVDCVE-2021-28676 at SUSECVE-2021-28676 at NVDCVE-2021-28677 at SUSECVE-2021-28677 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for caribou (Important)SUSE OpenStack Cloud 8
This update for caribou fixes the following issues:
Security issue fixed:
- CVE-2021-3567: Fixed a segfault when attempting to use shifted characters (bsc#1186617).
ImportantSUSE bug 1186617CVE-2021-3567 at SUSECVE-2021-3567 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for freeradius-server (Moderate)SUSE OpenStack Cloud 8
This update for freeradius-server fixes the following issues:
- Do not log passwords in logfiles (bsc#1184016)
ModerateSUSE bug 1184016cpe:/o:suse:suse-openstack-cloud:8Security update for java-1_8_0-openjdk (Moderate)SUSE OpenStack Cloud 8
This update for java-1_8_0-openjdk fixes the following issues:
- Update to version jdk8u292 (icedtea 3.19.0).
- CVE-2021-2161: Fixed incomplete enforcement of JAR signing disabled algorithms (bsc#1185055).
ModerateSUSE bug 1185055CVE-2021-2163 at SUSECVE-2021-2163 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ImageMagick (Important)SUSE OpenStack Cloud 8
This update for ImageMagick fixes the following issues:
- CVE-2020-19667: Fixed a stack buffer overflow in XPM coder could result in a crash (bsc#1179103).
- CVE-2020-25664: Fixed a heap-based buffer overflow in PopShortPixel (bsc#1179202).
- CVE-2020-25665: Fixed a heap-based buffer overflow in WritePALMImage (bsc#1179208).
- CVE-2020-25666: Fixed an outside the range of representable values of type 'int' and signed integer overflow (bsc#1179212).
- CVE-2020-25674: Fixed a heap-based buffer overflow in WriteOnePNGImage (bsc#1179223).
- CVE-2020-25675: Fixed an outside the range of representable values of type 'long' and integer overflow (bsc#1179240).
- CVE-2020-25676: Fixed an outside the range of representable values of type 'long' and integer overflow at MagickCore/pixel.c (bsc#1179244).
- CVE-2020-27750: Fixed an division by zero in MagickCore/colorspace-private.h (bsc#1179260).
- CVE-2020-27751: Fixed an integer overflow in MagickCore/quantum-export.c (bsc#1179269).
- CVE-2020-27752: Fixed a heap-based buffer overflow in PopShortPixel in MagickCore/quantum-private.h (bsc#1179346).
- CVE-2020-27753: Fixed memory leaks in AcquireMagickMemory function (bsc#1179397).
- CVE-2020-27754: Fixed an outside the range of representable values of type 'long' and signed integer overflow at MagickCore/quantize.c (bsc#1179336).
- CVE-2020-27755: Fixed memory leaks in ResizeMagickMemory function in ImageMagick/MagickCore/memory.c (bsc#1179345).
- CVE-2020-27757: Fixed an outside the range of representable values of type 'unsigned long long' at MagickCore/quantum-private.h (bsc#1179268).
- CVE-2020-27759: Fixed an outside the range of representable values of type 'int' at MagickCore/quantize.c (bsc#1179313).
- CVE-2020-27760: Fixed a division by zero at MagickCore/enhance.c (bsc#1179281).
- CVE-2020-27761: Fixed an outside the range of representable values of type 'unsigned long' at coders/palm.c (bsc#1179315).
- CVE-2020-27762: Fixed an outside the range of representable values of type 'unsigned char' (bsc#1179278).
- CVE-2020-27763: Fixed a division by zero at MagickCore/resize.c (bsc#1179312).
- CVE-2020-27764: Fixed an outside the range of representable values of type 'unsigned long' at MagickCore/statistic.c (bsc#1179317).
- CVE-2020-27765: Fixed a division by zero at MagickCore/segment.c (bsc#1179311).
- CVE-2020-27766: Fixed an outside the range of representable values of type 'unsigned long' at MagickCore/statistic.c (bsc#1179361).
- CVE-2020-27767: Fixed an outside the range of representable values of type 'float' at MagickCore/quantum.h (bsc#1179322).
- CVE-2020-27768: Fixed an outside the range of representable values of type 'unsigned int' at MagickCore/quantum-private.h (bsc#1179339).
- CVE-2020-27769: Fixed an outside the range of representable values of type 'float' at MagickCore/quantize.c (bsc#1179321).
- CVE-2020-27770: Fixed an unsigned offset overflowed at MagickCore/string.c (bsc#1179343).
- CVE-2020-27771: Fixed an outside the range of representable values of type 'unsigned char' at coders/pdf.c (bsc#1179327).
- CVE-2020-27772: Fixed an outside the range of representable values of type 'unsigned int' at coders/bmp.c (bsc#1179347).
- CVE-2020-27773: Fixed a division by zero at MagickCore/gem-private.h (bsc#1179285).
- CVE-2020-27774: Fixed an integer overflow at MagickCore/statistic.c (bsc#1179333).
- CVE-2020-27775: Fixed an outside the range of representable values of type 'unsigned char' at MagickCore/quantum.h (bsc#1179338).
- CVE-2020-27776: Fixed an outside the range of representable values of type 'unsigned long' at MagickCore/statistic.c (bsc#1179362).
ImportantSUSE bug 1179103SUSE bug 1179202SUSE bug 1179208SUSE bug 1179212SUSE bug 1179223SUSE bug 1179240SUSE bug 1179244SUSE bug 1179260SUSE bug 1179268SUSE bug 1179269SUSE bug 1179278SUSE bug 1179281SUSE bug 1179285SUSE bug 1179311SUSE bug 1179312SUSE bug 1179313SUSE bug 1179315SUSE bug 1179317SUSE bug 1179321SUSE bug 1179322SUSE bug 1179327SUSE bug 1179333SUSE bug 1179336SUSE bug 1179338SUSE bug 1179339SUSE bug 1179343SUSE bug 1179345SUSE bug 1179346SUSE bug 1179347SUSE bug 1179361SUSE bug 1179362SUSE bug 1179397CVE-2020-19667 at SUSECVE-2020-19667 at NVDCVE-2020-25664 at SUSECVE-2020-25664 at NVDCVE-2020-25665 at SUSECVE-2020-25665 at NVDCVE-2020-25666 at SUSECVE-2020-25666 at NVDCVE-2020-25674 at SUSECVE-2020-25674 at NVDCVE-2020-25675 at SUSECVE-2020-25675 at NVDCVE-2020-25676 at SUSECVE-2020-25676 at NVDCVE-2020-27750 at SUSECVE-2020-27750 at NVDCVE-2020-27751 at SUSECVE-2020-27751 at NVDCVE-2020-27752 at SUSECVE-2020-27752 at NVDCVE-2020-27753 at SUSECVE-2020-27753 at NVDCVE-2020-27754 at SUSECVE-2020-27754 at NVDCVE-2020-27755 at SUSECVE-2020-27755 at NVDCVE-2020-27757 at SUSECVE-2020-27757 at NVDCVE-2020-27759 at SUSECVE-2020-27759 at NVDCVE-2020-27760 at SUSECVE-2020-27760 at NVDCVE-2020-27761 at SUSECVE-2020-27761 at NVDCVE-2020-27762 at SUSECVE-2020-27762 at NVDCVE-2020-27763 at SUSECVE-2020-27763 at NVDCVE-2020-27764 at SUSECVE-2020-27764 at NVDCVE-2020-27765 at SUSECVE-2020-27765 at NVDCVE-2020-27766 at SUSECVE-2020-27766 at NVDCVE-2020-27767 at SUSECVE-2020-27767 at NVDCVE-2020-27768 at SUSECVE-2020-27768 at NVDCVE-2020-27769 at SUSECVE-2020-27769 at NVDCVE-2020-27770 at SUSECVE-2020-27770 at NVDCVE-2020-27771 at SUSECVE-2020-27771 at NVDCVE-2020-27772 at SUSECVE-2020-27772 at NVDCVE-2020-27773 at SUSECVE-2020-27773 at NVDCVE-2020-27774 at SUSECVE-2020-27774 at NVDCVE-2020-27775 at SUSECVE-2020-27775 at NVDCVE-2020-27776 at SUSECVE-2020-27776 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud 8
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.32.1:
+ Improve handling of Media Capture devices.
+ Improve WebAudio playback.
+ Improve video orientation handling.
+ Improve seeking support for MSE playback.
+ Improve flush support in EME decryptors.
+ Fix HTTP status codes for requests done through a custom URI handler.
+ Fix the Bubblewrap sandbox in certain 32-bit systems.
+ Fix inconsistencies between the WebKitWebView.is-muted property
state and values returned by
webkit_web_view_is_playing_audio().
+ Fix the build with ENABLE_VIDEO=OFF.
+ Fix wrong timestamps for long-lived cookies.
+ Fix UI process crash when failing to load favicons.
+ Fix several crashes and rendering issues.
- Including Security fixes for: CVE-2021-1788, CVE-2021-1844, CVE-2021-1871,
CVE-2020-27918, CVE-2020-29623, CVE-2021-1765, CVE-2021-1789, CVE-2021-1799,
CVE-2021-1801, CVE-2021-1870, CVE-2020-13558, CVE-2020-13584, CVE-2020-9983,
CVE-2020-13543, CVE-2020-9947, CVE-2020-9948, CVE-2020-9951.
ImportantSUSE bug 1177087SUSE bug 1179122SUSE bug 1179451SUSE bug 1182286SUSE bug 1184155SUSE bug 1184262CVE-2020-13543 at SUSECVE-2020-13543 at NVDCVE-2020-13558 at SUSECVE-2020-13558 at NVDCVE-2020-13584 at SUSECVE-2020-13584 at NVDCVE-2020-27918 at SUSECVE-2020-27918 at NVDCVE-2020-29623 at SUSECVE-2020-29623 at NVDCVE-2020-9947 at SUSECVE-2020-9947 at NVDCVE-2020-9948 at SUSECVE-2020-9948 at NVDCVE-2020-9951 at SUSECVE-2020-9951 at NVDCVE-2020-9983 at SUSECVE-2020-9983 at NVDCVE-2021-1765 at SUSECVE-2021-1765 at NVDCVE-2021-1788 at SUSECVE-2021-1788 at NVDCVE-2021-1789 at SUSECVE-2021-1789 at NVDCVE-2021-1799 at SUSECVE-2021-1799 at NVDCVE-2021-1801 at SUSECVE-2021-1801 at NVDCVE-2021-1844 at SUSECVE-2021-1844 at NVDCVE-2021-1870 at SUSECVE-2021-1870 at NVDCVE-2021-1871 at SUSECVE-2021-1871 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for apache2 (Important)SUSE OpenStack Cloud 8
This update for apache2 fixes the following issues:
- fixed CVE-2021-30641 [bsc#1187174]: MergeSlashes regression
- fixed CVE-2021-31618 [bsc#1186924]: NULL pointer dereference on specially crafted HTTP/2 request
- fixed CVE-2020-35452 [bsc#1186922]: Single zero byte stack overflow in mod_auth_digest
- fixed CVE-2021-26690 [bsc#1186923]: mod_session NULL pointer dereference in parser
- fixed CVE-2021-26691 [bsc#1187017]: Heap overflow in mod_session
ImportantSUSE bug 1186922SUSE bug 1186923SUSE bug 1186924SUSE bug 1187017SUSE bug 1187174CVE-2020-35452 at SUSECVE-2020-35452 at NVDCVE-2021-26690 at SUSECVE-2021-26690 at NVDCVE-2021-26691 at SUSECVE-2021-26691 at NVDCVE-2021-30641 at SUSECVE-2021-30641 at NVDCVE-2021-31618 at SUSECVE-2021-31618 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for xterm (Important)SUSE OpenStack Cloud 8
This update for xterm fixes the following issues:
- CVE-2021-27135: Fixed buffer-overflow when clicking on selected utf8 text. (bsc#1182091)
ImportantSUSE bug 1182091CVE-2021-27135 at SUSECVE-2021-27135 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ovmf (Important)SUSE OpenStack Cloud 8
This update for ovmf fixes the following issues:
- Fixed a possible buffer overflow in IScsiDxe (bsc#1186151)
ImportantSUSE bug 1186151cpe:/o:suse:suse-openstack-cloud:8Security update for ansible (Moderate)SUSE OpenStack Cloud 8
This update for ansible fixes the following issues:
- Update to 2.9.22:
- CVE-2021-3447: multiple modules expose secured values (bsc#1183684)
- CVE-2021-20228: basic.py no_log with fallback option (bsc#1181935)
- CVE-2021-20191: multiple collections exposes secured values (bsc#1181119)
- CVE-2021-20180: bitbucket_pipeline_variable exposes sensitive values (bsc#1180942)
- CVE-2021-20178: user data leak in snmp_facts module (bsc#1180816)
ModerateSUSE bug 1180816SUSE bug 1180942SUSE bug 1181119SUSE bug 1181935SUSE bug 1183684CVE-2021-20178 at SUSECVE-2021-20178 at NVDCVE-2021-20180 at SUSECVE-2021-20180 at NVDCVE-2021-20191 at SUSECVE-2021-20191 at NVDCVE-2021-20228 at SUSECVE-2021-20228 at NVDCVE-2021-3447 at SUSECVE-2021-3447 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libnettle (Important)SUSE OpenStack Cloud 8
This update for libnettle fixes the following issues:
- CVE-2021-3580: Fixed a remote denial of service in the RSA decryption via manipulated ciphertext (bsc#1187060).
ImportantSUSE bug 1187060CVE-2021-3580 at SUSECVE-2021-3580 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libgcrypt (Important)SUSE OpenStack Cloud 8
This update for libgcrypt fixes the following issues:
- CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212).
ImportantSUSE bug 1187212CVE-2021-33560 at SUSECVE-2021-33560 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openexr (Important)SUSE OpenStack Cloud 8
This update for openexr fixes the following issues:
- Fixed CVE-2021-3479 [bsc#1184354]: Out-of-memory caused by allocation of a very large buffer
- Fixed CVE-2021-3605 [bsc#1187395]: Heap buffer overflow in the rleUncompress function
- Fixed CVE-2021-3598 [bsc#1187310]: Heap buffer overflow in Imf_3_1:CharPtrIO:readChars
ImportantSUSE bug 1184354SUSE bug 1187310SUSE bug 1187395CVE-2021-3479 at SUSECVE-2021-3479 at NVDCVE-2021-3598 at SUSECVE-2021-3598 at NVDCVE-2021-3605 at SUSECVE-2021-3605 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for postgresql, postgresql12, postgresql13 (Important)SUSE OpenStack Cloud 8
This update for postgresql, postgresql12, postgresql13 fixes the following issues:
Initial packaging of PostgreSQL 13:
* https://www.postgresql.org/about/news/2077/
* https://www.postgresql.org/docs/13/release-13.html
Changes in postgresql:
- Bump postgresql major version to 13.
Changes in postgresql12:
- %ghost the symlinks to pg_config and ecpg. (bsc#1178961)
- BuildRequire libpq5 and libecpg6 when not building them to avoid dangling symlinks in the devel package. (bsc#1179765)
- Fix a DST problem in the test suite.
Changes in postgresql13:
- Add postgresql-icu68.patch: fix build with ICU 68
- %ghost the symlinks to pg_config and ecpg. (bsc#1178961)
- BuildRequire libpq5 and libecpg6 when not building them to avoid dangling symlinks in the devel package. (bsc#1179765)
Upgrade to version 13.1:
* CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and
materialized view queries.
* CVE-2020-25694, bsc#1178667:
a) Fix usage of complex connection-string parameters in pg_dump,
pg_restore, clusterdb, reindexdb, and vacuumdb.
b) When psql's \connect command re-uses connection parameters,
ensure that all non-overridden parameters from a previous
connection string are re-used.
* CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from
modifying specially-treated variables.
* Fix recently-added timetz test case so it works when the USA
is not observing daylight savings time.
(obsoletes postgresql-timetz.patch)
* https://www.postgresql.org/about/news/2111/
* https://www.postgresql.org/docs/13/release-13-1.html
- Fix a DST problem in the test suite.
ImportantSUSE bug 1178666SUSE bug 1178667SUSE bug 1178668SUSE bug 1178961SUSE bug 1179765CVE-2020-25694 at SUSECVE-2020-25694 at NVDCVE-2020-25695 at SUSECVE-2020-25695 at NVDCVE-2020-25696 at SUSECVE-2020-25696 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for arpwatch (Important)SUSE OpenStack Cloud 8
This update for arpwatch fixes the following issues:
- CVE-2021-25321: Fixed local privilege escalation from runtime user to root (bsc#1186240).
ImportantSUSE bug 1186240CVE-2021-25321 at SUSECVE-2021-25321 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libsolv (Important)SUSE OpenStack Cloud 8
This update for libsolv fixes the following issues:
Security issues fixed:
- CVE-2019-20387: Fixed heap-buffer-overflow in repodata_schema2id (bsc#1161510)
- CVE-2021-3200: testcase_read: error out if repos are added or the system is changed too late (bsc#1186229)
Other issues fixed:
- backport support for blacklisted packages to support ptf packages and retracted patches
- fix ruleinfo of complex dependencies returning the wrong origin
- fix SOLVER_FLAG_FOCUS_BEST updateing packages without reason
- fix add_complex_recommends() selecting conflicted packages in rare cases
- fix potential segfault in resolve_jobrules
- fix solv_zchunk decoding error if large chunks are used
ImportantSUSE bug 1161510SUSE bug 1186229CVE-2019-20387 at SUSECVE-2019-20387 at NVDCVE-2021-3200 at SUSECVE-2021-3200 at NVDcpe:/o:suse:suse-openstack-cloud:8Recommended update for the Azure and AWS SDKs (Important)SUSE OpenStack Cloud 8
This update for the SLE Public Cloud module provides the following fixes:
Azure SDK update:
This update for the Azure SDK and CLI adds support for the AHB (Azure Hybrid Benefit).
(bsc#1176784, jsc#ECO-3105)
AWS SDK update:
This update for the AWS SDK updates python-boto3 to version 1.17.9 and aws-cli to 1.19.9.
(bsc#1182421, jsc#ECO-3352)
Security fix for python-urllib3:
- Improve performance of sub-authority splitting in URL. (bsc#1187045, CVE-2021-33503)
ImportantSUSE bug 1125671SUSE bug 1154393SUSE bug 1175289SUSE bug 1176784SUSE bug 1176785SUSE bug 1182421SUSE bug 1187045CVE-2021-33503 at SUSECVE-2021-33503 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-urllib3, python-requests (Moderate)SUSE OpenStack Cloud 8
This update for python-urllib3 and python-requests fixes the following issues:
Security fix:
- Improve performance of sub-authority splitting in URL. (bsc#1187045, CVE-2021-33503)
Non-security changes:
- Update python-urllib3 to version 1.25.10 to stay compatible with changes needed in the
Server and Public Cloud products. (bsc#1182421, jsc#ECO-3352)
- Update python-requests to version 2.24.0 to stay compatible with changes needed in the
Server and Public Cloud products. (bsc#1176784, jsc#ECO-3105))
ModerateSUSE bug 1176784SUSE bug 1182421SUSE bug 1187045CVE-2021-33503 at SUSECVE-2021-33503 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openssh (Moderate)SUSE OpenStack Cloud 8
This update for openssh fixes the following issues:
- CVE-2020-14145: Fixed a potential information leak during host key exchange (bsc#1173513).
ModerateSUSE bug 1173513CVE-2020-14145 at SUSECVE-2020-14145 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for sudo (Important)SUSE OpenStack Cloud 8
This update for sudo fixes the following issues:
- A Heap-based buffer overflow in sudo could be exploited to allow a user to gain root privileges
[bsc#1181090,CVE-2021-3156]
- It was possible for a user to test for the existence of a directory due to a Race Condition in `sudoedit`
[bsc#1180684,CVE-2021-23239]
- A Possible Symlink Attack vector existed in `sudoedit` if SELinux was running in permissive mode [bsc#1180685,
CVE-2021-23240]
- It was possible for a User to enable Debug Settings not Intended for them [bsc#1180687]
ImportantSUSE bug 1180684SUSE bug 1180685SUSE bug 1180687SUSE bug 1181090CVE-2021-23239 at SUSECVE-2021-23239 at NVDCVE-2021-23240 at SUSECVE-2021-23240 at NVDCVE-2021-3156 at SUSECVE-2021-3156 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 78.12.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-29 (bsc#1188275)
* CVE-2021-29970: Use-after-free in accessibility features of a document
* CVE-2021-30547: Out of bounds write in ANGLE
* CVE-2021-29976: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12
ImportantSUSE bug 1188275CVE-2021-29970 at SUSECVE-2021-29970 at NVDCVE-2021-29976 at SUSECVE-2021-29976 at NVDCVE-2021-30547 at SUSECVE-2021-30547 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.7.0 ESR (MFSA 2021-04, bsc#1181414)
* CVE-2021-23953: Fixed a Cross-origin information leakage via redirected PDF requests
* CVE-2021-23954: Fixed a type confusion when using logical assignment operators in JavaScript switch statements
* CVE-2020-26976: Fixed an issue where HTTPS pages could have been intercepted by a registered service worker when they should not have been
* CVE-2021-23960: Fixed a use-after-poison for incorrectly redeclared JavaScript variables during GC
* CVE-2021-23964: Fixed Memory safety bugs
ImportantSUSE bug 1181414CVE-2020-26976 at SUSECVE-2020-26976 at NVDCVE-2021-23953 at SUSECVE-2021-23953 at NVDCVE-2021-23954 at SUSECVE-2021-23954 at NVDCVE-2021-23960 at SUSECVE-2021-23960 at NVDCVE-2021-23964 at SUSECVE-2021-23964 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for systemd (Important)SUSE OpenStack Cloud 8
This update for systemd fixes the following issues:
Security issues fixed:
- CVE-2021-33910: Fixed a denial of service (stack exhaustion) in systemd (PID 1) (bsc#1188063)
Other fixes:
- mount-util: shorten the loop a bit (#7545)
- mount-util: do not use the official MAX_HANDLE_SZ (#7523)
- mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761)
- mount-util: fix bad indenting
- mount-util: EOVERFLOW might have other causes than buffer size issues
- mount-util: fix error propagation in fd_fdinfo_mnt_id()
- mount-util: drop exponential buffer growing in name_to_handle_at_loop()
- udev: port udev_has_devtmpfs() to use path_get_mnt_id()
- mount-util: add new path_get_mnt_id() call that queries the mnt ID of a path
- mount-util: add name_to_handle_at_loop() wrapper around name_to_handle_at()
- mount-util: accept that name_to_handle_at() might fail with EPERM (#5499)
- basic: fallback to the fstat if we don't have access to the /proc/self/fdinfo
- sysusers: use the usual comment style
- test/TEST-21-SYSUSERS: add tests for new functionality
- sysusers: allow admin/runtime overrides to command-line config
- basic/strv: add function to insert items at position
- sysusers: allow the shell to be specified
- sysusers: move various user credential validity checks to src/basic/
- man: reformat table in sysusers.d(5)
- sysusers: take configuration as positional arguments
- sysusers: emit a bit more info at debug level when locking fails
- sysusers: allow force reusing existing user/group IDs (#8037)
- sysusers: ensure GID in uid:gid syntax exists
- sysusers: make ADD_GROUP always create a group
- test: add TEST-21-SYSUSERS test
- sysuser: use OrderedHashmap
- sysusers: allow uid:gid in sysusers.conf files
- sysusers: fix memleak (#4430)
- These commits implement the option '--replace' for systemd-sysusers
so %sysusers_create_package can be introduced in SLE and packages
can rely on this rpm macro without wondering whether the macro is
available on the different target the package is submitted to.
- Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807)
- systemctl: add --value option
- execute: make sure to call into PAM after initializing resource limits (bsc#1184967)
- rlimit-util: introduce setrlimit_closest_all()
- system-conf: drop reference to ShutdownWatchdogUsec=
- core: rename ShutdownWatchdogSec to RebootWatchdogSec (bsc#1185331)
- Return -EAGAIN instead of -EALREADY from unit_reload (bsc#1185046)
- rules: don't ignore Xen virtual interfaces anymore (bsc#1178561)
- write_net_rules: set execute bits (bsc#1178561)
- udev: rework network device renaming
- Revert 'Revert 'udev: network device renaming - immediately give up if the target name isn't available''
ImportantSUSE bug 1178561SUSE bug 1184761SUSE bug 1184967SUSE bug 1185046SUSE bug 1185331SUSE bug 1185807SUSE bug 1188063CVE-2021-33910 at SUSECVE-2021-33910 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-pip (Moderate)SUSE OpenStack Cloud 8
This update for python-pip fixes the following issues:
- CVE-2021-3572: Fixed incorrect handling of unicode separators in git references (bsc#1186819).
ModerateSUSE bug 1186819CVE-2021-3572 at SUSECVE-2021-3572 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for linuxptp (Important)SUSE OpenStack Cloud 8
This update for linuxptp fixes the following issues:
- CVE-2021-3570: Validate the messageLength field of incoming messages. (bsc#1187646)
ImportantSUSE bug 1187646CVE-2021-3570 at SUSECVE-2021-3570 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud 8
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2021-22555: Fixed an heap out-of-bounds write in net/netfilter/x_tables.c that could allow local provilege escalation. (bsc#1188116)
- CVE-2021-33909: Fixed an out-of-bounds write in the filesystem layer that allows to obtain full root privileges. (bsc#1188062)
- CVE-2021-3609: Fixed a race condition in the CAN BCM networking protocol which allows for local privilege escalation. (bsc#1187215)
- CVE-2021-0605: Fixed an out-of-bounds read which could lead to local information disclosure in the kernel with System execution privileges needed. (bsc#1187601)
- CVE-2021-0512: Fixed a possible out-of-bounds write which could lead to local escalation of privilege with no additional execution privileges needed. (bsc#1187595)
- CVE-2021-34693: Fixed a bug in net/can/bcm.c which could allow local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized. (bsc#1187452)
- CVE-2020-36385: Fixed a use-after-free flaw in ucma.c which allows for local privilege escalation. (bsc#1187050)
- CVE-2021-0129: Fixed an improper access control in BlueZ that may have allowed an authenticated user to potentially enable information disclosure via adjacent access. (bsc#1186463)
- CVE-2020-26558: Fixed a flaw in the Bluetooth LE and BR/EDR secure pairing that could permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing. (bsc#1179610)
- CVE-2020-36386: Fixed an out-of-bounds read in hci_extended_inquiry_result_evt. (bsc#1187038)
- CVE-2020-24588: Fixed a bug that could allow an adversary to abuse devices that support receiving non-SSP A-MSDU frames to inject arbitrary network packets. (bsc#1185861)
- CVE-2021-32399: Fixed a race condition in net/bluetooth/hci_request.c for removal of the HCI controller. (bsc#1184611)
- CVE-2021-33034: Fixed an issue in net/bluetooth/hci_event.c where a use-after-free leads to writing an arbitrary value. (bsc#1186111)
- CVE-2020-26139: Fixed a bug that allows an Access Point (AP) to forward EAPOL frames to other clients even though the sender has not yet successfully authenticated. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and made it easier to exploit other vulnerabilities in connected clients. (bsc#1186062)
- CVE-2021-23134: Fixed a use After Free vulnerability in nfc sockets which allows local attackers to elevate their privileges. (bsc#1186060)
- CVE-2020-24586: Fixed a bug that, under the right circumstances, allows to inject arbitrary network packets and/or exfiltrate user data when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP. (bsc#1185859)
- CVE-2020-26141: Fixed a flaw that could allows an adversary to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (bsc#1185987)
- CVE-2020-26145: Fixed a bug in the WEP, WPA, WPA2, and WPA3 implementations that could allows an adversary to inject arbitrary network packets. (bsc#1185860)
- CVE-2020-24587: Fixed a bug that allows an adversary to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (bsc#1185862)
- CVE-2020-26147: Fixed a bug in the WEP, WPA, WPA2, and WPA3 implementations that could allows an adversary to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames. (bsc#1185987)
The following non-security bugs were fixed:
- Bluetooth: SMP: Fail if remote and local public keys are identical (git-fixes).
- Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185724).
- Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185724).
- hv_netvsc: Add handlers for ethtool get/set msg level (bsc#1175462).
- hv_netvsc: avoid retry on send during shutdown (bsc#1175462).
- hv_netvsc: avoid unnecessary wakeups on subchannel creation (bsc#1175462).
- hv_netvsc: cancel subchannel setup before halting device (bsc#1175462).
- hv_netvsc: change GPAD teardown order on older versions (bsc#1175462).
- hv_netvsc: common detach logic (bsc#1175462).
- hv_netvsc: delay setup of VF device (bsc#1175462).
- hv_netvsc: disable NAPI before channel close (bsc#1175462).
- hv_netvsc: Ensure correct teardown message sequence order (bsc#1175462).
- hv_netvsc: Fix a deadlock by getting rtnl lock earlier in netvsc_probe() (bsc#1175462).
- hv_netvsc: Fix a network regression after ifdown/ifup (bsc#1175462).
- hv_netvsc: fix deadlock on hotplug (bsc#1175462).
- hv_netvsc: Fix error handling in netvsc_attach() (bsc#1175462).
- hv_netvsc: fix error unwind handling if vmbus_open fails (bsc#1175462).
- hv_netvsc: Fix extra rcu_read_unlock in netvsc_recv_callback() (bsc#1175462).
- hv_netvsc: fix handling of fallback to single queue mode (bsc#1175462).
- hv_netvsc: Fix hash key value reset after other ops (bsc#1175462).
- hv_netvsc: Fix IP header checksum for coalesced packets (bsc#1175462).
- hv_netvsc: Fix net device attach on older Windows hosts (bsc#1175462).
- hv_netvsc: fix network namespace issues with VF support (bsc#1175462).
- hv_netvsc: Fix NULL dereference at single queue mode fallback (bsc#1175462).
- hv_netvsc: fix race during initialization (bsc#1175462).
- hv_netvsc: fix race on sub channel creation (bsc#1175462).
- hv_netvsc: fix race that may miss tx queue wakeup (bsc#1175462).
- hv_netvsc: fix schedule in RCU context (bsc#1175462).
- hv_netvsc: Fix the variable sizes in ipsecv2 and rsc offload (bsc#1175462).
- hv_netvsc: Fix tx_table init in rndis_set_subchannel() (bsc#1175462).
- hv_netvsc: Fix unwanted wakeup after tx_disable (bsc#1175462).
- hv_netvsc: Fix unwanted wakeup in netvsc_attach() (bsc#1175462).
- hv_netvsc: flag software created hash value (bsc#1175462).
- hv_netvsc: netvsc_teardown_gpadl() split (bsc#1175462).
- hv_netvsc: only wake transmit queue if link is up (bsc#1175462).
- hv_netvsc: pass netvsc_device to rndis halt (bsc#1175462).
- hv_netvsc: preserve hw_features on mtu/channels/ringparam changes (bsc#1175462).
- hv_netvsc: Refactor assignments of struct netvsc_device_info (bsc#1175462).
- hv_netvsc: set master device (bsc#1175462).
- hv_netvsc: Set tx_table to equal weight after subchannels open (bsc#1175462).
- hv_netvsc: Simplify num_chn checking in rndis_filter_device_add() (bsc#1175462).
- hv_netvsc: Split netvsc_revoke_buf() and netvsc_teardown_gpadl() (bsc#1175462).
- hv_netvsc: split sub-channel setup into async and sync (bsc#1175462).
- hv_netvsc: typo in NDIS RSS parameters structure (bsc#1175462).
- hv_netvsc: use RCU to fix concurrent rx and queue changes (bsc#1175462).
- hv_netvsc: use reciprocal divide to speed up percent calculation (bsc#1175462).
- hv_netvsc: Use Windows version instead of NVSP version on GPAD teardown (bsc#1175462).
- kgraft: truncate the output from state_show() sysfs attr (bsc#1186235).
- mm, memory_hotplug: do not clear numa_node association after hot_remove (bsc#1115026).
- mm: consider __HW_POISON pages when allocating from pcp lists (bsc#1187388).
- scsi: storvsc: Enable scatterlist entry lengths > 4Kbytes (bsc#1187193).
- video: hyperv_fb: Add ratelimit on error message (bsc#1185724).
ImportantSUSE bug 1115026SUSE bug 1175462SUSE bug 1179610SUSE bug 1184611SUSE bug 1185724SUSE bug 1185859SUSE bug 1185860SUSE bug 1185861SUSE bug 1185862SUSE bug 1185863SUSE bug 1185898SUSE bug 1185987SUSE bug 1186060SUSE bug 1186062SUSE bug 1186111SUSE bug 1186235SUSE bug 1186390SUSE bug 1186463SUSE bug 1187038SUSE bug 1187050SUSE bug 1187193SUSE bug 1187215SUSE bug 1187388SUSE bug 1187452SUSE bug 1187595SUSE bug 1187601SUSE bug 1187934SUSE bug 1188062SUSE bug 1188063SUSE bug 1188116CVE-2020-24586 at SUSECVE-2020-24586 at NVDCVE-2020-24587 at SUSECVE-2020-24587 at NVDCVE-2020-24588 at SUSECVE-2020-24588 at NVDCVE-2020-26139 at SUSECVE-2020-26139 at NVDCVE-2020-26141 at SUSECVE-2020-26141 at NVDCVE-2020-26145 at SUSECVE-2020-26145 at NVDCVE-2020-26147 at SUSECVE-2020-26147 at NVDCVE-2020-26558 at SUSECVE-2020-26558 at NVDCVE-2020-36385 at SUSECVE-2020-36385 at NVDCVE-2020-36386 at SUSECVE-2020-36386 at NVDCVE-2021-0129 at SUSECVE-2021-0129 at NVDCVE-2021-0512 at SUSECVE-2021-0512 at NVDCVE-2021-0605 at SUSECVE-2021-0605 at NVDCVE-2021-22555 at SUSECVE-2021-22555 at NVDCVE-2021-23134 at SUSECVE-2021-23134 at NVDCVE-2021-32399 at SUSECVE-2021-32399 at NVDCVE-2021-33034 at SUSECVE-2021-33034 at NVDCVE-2021-33909 at SUSECVE-2021-33909 at NVDCVE-2021-34693 at SUSECVE-2021-34693 at NVDCVE-2021-3609 at SUSECVE-2021-3609 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ardana-cobbler, cassandra, cassandra-kit, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, kibana, openstack-heat-templates, openstack-monasca-installer, openstack-nova, python-Django, python-elementpath, python-eventlet, python-py, python-pysaml2, python-six, python-xmlschema (Moderate)SUSE OpenStack Cloud 8
This update for ardana-cobbler, cassandra, cassandra-kit, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, kibana, openstack-heat-templates, openstack-monasca-installer, openstack-nova, python-Django, python-elementpath, python-eventlet, python-py, python-pysaml2, python-six, python-xmlschema fixes the following issues:
Security fixes included on this update:
cassandra-kit:
- CVE-2020-17516: Internode encryption enforcement vulnerability
cassandra:
- CVE-2020-17516: Internode encryption enforcement vulnerability
- CVE-2017-5929 logback: Fixed a serialization vulnerability in SocketServer and ServerSocketReceiver
crowbar-core:
CVE-2020-26247: Potentially XXE or SSRF attacks by parsed Nokogiri::XML::Schema
grafana:
- CVE-2021-27358: Unauthenticated remote attackers to trigger a Denial of Service via a remote API call
kibana:
- CVE-2017-11481: Fixed an XSS via URL fields
- CVE-2017-11499: Fixed a constant hashtable seeds vulnerability
python-Django:
- CVE-2021-28658: Potential directory-traversal via uploaded files
- CVE-2021-31542: Potential directory-traversal via uploaded files
- CVE-2021-33203: Potential directory traversal via admindocs
- CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses
- CVE-2021-23336: Fixed web cache poisoning via django.utils.http.limited_parse_qsl
python-eventlet:
- CVE-2021-21419: Improper handling of highly compressed data and memory allocation with excessive size value
python-pysaml2:
- CVE-2021-21238: Fixed an improper verification of cryptographic signatures for signed SAML documents
- CVE-2021-21239: Fixed an improper verification of cryptographic signatures when using CryptoBackendXmlSec1()_
python-py:
- CVE-2020-29651: Regular expression denial of service in svnwc.py
rubygem-activerecord-session_store:
- CVE-2019-25025: Fixed a hijack sessions by using timing attacks targeting the session id
CVE-2019-16782
Non-security fixes included on this update:
Changes in ardana-cobbler:
- Update to version 8.0+git.1614096566.e8c2b27:
* Change install_recommended to true (bsc#1181828)
Changes in cassandra:
- update to 3.11.10 (bsc#1181689, CVE-2020-17516)
* Fix digest computation for queries with fetched but non queried columns (CASSANDRA-15962)
* Reduce amount of allocations during batch statement execution (CASSANDRA-16201)
* Update jflex-1.6.0.jar to match upstream (CASSANDRA-16393)
* Fix DecimalDeserializer#toString OOM (CASSANDRA-14925)
* Rate limit validation compactions using compaction_throughput_mb_per_sec (CASSANDRA-16161)
* SASI's `max_compaction_flush_memory_in_mb` settings over 100GB revert to default of 1GB (CASSANDRA-16071)
* Prevent unbounded number of pending flushing tasks (CASSANDRA-16261)
* Improve empty hint file handling during startup (CASSANDRA-16162)
* Allow empty string in collections with COPY FROM in cqlsh (CASSANDRA-16372)
* Fix skipping on pre-3.0 created compact storage sstables due to missing primary key liveness (CASSANDRA-16226)
* Extend the exclusion of replica filtering protection to other indices instead of just SASI (CASSANDRA-16311)
* Synchronize transaction logs for JBOD (CASSANDRA-16225)
* Fix the counting of cells per partition (CASSANDRA-16259)
* Fix serial read/non-applying CAS linearizability (CASSANDRA-12126)
* Avoid potential NPE in JVMStabilityInspector (CASSANDRA-16294)
* Improved check of num_tokens against the length of initial_token (CASSANDRA-14477)
* Fix a race condition on ColumnFamilyStore and TableMetrics (CASSANDRA-16228)
* Remove the SEPExecutor blocking behavior (CASSANDRA-16186)
* Fix invalid cell value skipping when reading from disk (CASSANDRA-16223)
* Prevent invoking enable/disable gossip when not in NORMAL (CASSANDRA-16146)
* Wait for schema agreement when bootstrapping (CASSANDRA-15158)
* Fix the histogram merge of the table metrics (CASSANDRA-16259)
* Synchronize Keyspace instance store/clear (CASSANDRA-16210)
* Fix ColumnFilter to avoid querying cells of unselected complex columns (CASSANDRA-15977)
* Fix memory leak in CompressedChunkReader (CASSANDRA-15880)
* Don't attempt value skipping with mixed version cluster (CASSANDRA-15833)
* Avoid failing compactions with very large partitions (CASSANDRA-15164)
* Make sure LCS handles duplicate sstable added/removed notifications correctly (CASSANDRA-14103)
* Fix OOM when terminating repair session (CASSANDRA-15902)
* Avoid marking shutting down nodes as up after receiving gossip shutdown message (CASSANDRA-16094)
* Check SSTables for latest version before dropping compact storage (CASSANDRA-16063)
* Handle unexpected columns due to schema races (CASSANDRA-15899)
* Add flag to ignore unreplicated keyspaces during repair (CASSANDRA-15160)
* Package tools/bin scripts as executable (CASSANDRA-16151)
* Fixed a NullPointerException when calling nodetool enablethrift (CASSANDRA-16127)
* Correctly interpret SASI's `max_compaction_flush_memory_in_mb` setting in megabytes not bytes (CASSANDRA-16071)
* Fix short read protection for GROUP BY queries (CASSANDRA-15459)
* Frozen RawTuple is not annotated with frozen in the toString method (CASSANDRA-15857)
Merged from 3.0:
* Use IF NOT EXISTS for index and UDT create statements in snapshot schema files (CASSANDRA-13935)
* Fix gossip shutdown order (CASSANDRA-15816)
* Remove broken 'defrag-on-read' optimization (CASSANDRA-15432)
* Check for endpoint collision with hibernating nodes (CASSANDRA-14599)
* Operational improvements and hardening for replica filtering protection (CASSANDRA-15907)
* stop_paranoid disk failure policy is ignored on CorruptSSTableException after node is up (CASSANDRA-15191)
* Forbid altering UDTs used in partition keys (CASSANDRA-15933)
* Fix empty/null json string representation (CASSANDRA-15896)
* 3.x fails to start if commit log has range tombstones from a column which is also deleted (CASSANDRA-15970)
* Handle difference in timestamp precision between java8 and java11 in LogFIle.java (CASSANDRA-16050)
Merged from 2.2:
* Fix CQL parsing of collections when the column type is reversed (CASSANDRA-15814)
* Only allow strings to be passed to JMX authentication (CASSANDRA-16077)
* Fix cqlsh output when fetching all rows in batch mode (CASSANDRA-15905)
* Upgrade Jackson to 2.9.10 (CASSANDRA-15867)
* Fix CQL formatting of read command restrictions for slow query log (CASSANDRA-15503)
* Allow sstableloader to use SSL on the native port (CASSANDRA-14904)
* Backport CASSANDRA-12189: escape string literals (CASSANDRA-15948)
* Avoid hinted handoff per-host throttle being arounded to 0 in large cluster (CASSANDRA-15859)
* Avoid emitting empty range tombstones from RangeTombstoneList (CASSANDRA-15924)
* Avoid thread starvation, and improve compare-and-swap performance, in the slab allocators (CASSANDRA-15922)
* Add token to tombstone warning and error messages (CASSANDRA-15890)
* Fixed range read concurrency factor computation and capped as 10 times tpc cores (CASSANDRA-15752)
* Catch exception on bootstrap resume and init native transport (CASSANDRA-15863)
* Fix replica-side filtering returning stale data with CL > ONE (CASSANDRA-8272, CASSANDRA-8273)
* Fix duplicated row on 2.x upgrades when multi-rows range tombstones interact with collection ones (CASSANDRA-15805)
* Rely on snapshotted session infos on StreamResultFuture.maybeComplete to avoid race conditions (CASSANDRA-15667)
* EmptyType doesn't override writeValue so could attempt to write bytes when expected not to (CASSANDRA-15790)
* Fix index queries on partition key columns when some partitions contains only static data (CASSANDRA-13666)
* Avoid creating duplicate rows during major upgrades (CASSANDRA-15789)
* liveDiskSpaceUsed and totalDiskSpaceUsed get corrupted if IndexSummaryRedistribution gets interrupted (CASSANDRA-15674)
* Fix Debian init start/stop (CASSANDRA-15770)
* Fix infinite loop on index query paging in tables with clustering (CASSANDRA-14242)
* Fix chunk index overflow due to large sstable with small chunk length (CASSANDRA-15595)
* Allow selecting static column only when querying static index (CASSANDRA-14242)
* cqlsh return non-zero status when STDIN CQL fails (CASSANDRA-15623)
* Don't skip sstables in slice queries based only on local min/max/deletion timestamp (CASSANDRA-15690)
* Memtable memory allocations may deadlock (CASSANDRA-15367)
* Run evictFromMembership in GossipStage (CASSANDRA-15592)
* Fix nomenclature of allow and deny lists (CASSANDRA-15862)
* Remove generated files from source artifact (CASSANDRA-15849)
* Remove duplicated tools binaries from tarballs (CASSANDRA-15768)
* Duplicate results with DISTINCT queries in mixed mode (CASSANDRA-15501)
* Disable JMX rebinding (CASSANDRA-15653)
* Fix writing of snapshot manifest when the table has table-backed secondary indexes (CASSANDRA-10968)
* Fix parse error in cqlsh COPY FROM and formatting for map of blobs (CASSANDRA-15679)
* Fix Commit log replays when static column clustering keys are collections (CASSANDRA-14365)
* Fix Red Hat init script on newer systemd versions (CASSANDRA-15273)
* Allow EXTRA_CLASSPATH to work on tar/source installations (CASSANDRA-15567)
* Fix bad UDT sstable metadata serialization headers written by C* 3.0 on upgrade and in sstablescrub (CASSANDRA-15035)
* Fix nodetool compactionstats showing extra pending task for TWCS - patch implemented (CASSANDRA-15409)
* Fix SELECT JSON formatting for the 'duration' type (CASSANDRA-15075)
* Fix LegacyLayout to have same behavior as 2.x when handling unknown column names (CASSANDRA-15081)
* Update nodetool help stop output (CASSANDRA-15401)
* Run in-jvm upgrade dtests in circleci (CASSANDRA-15506)
* Include updates to static column in mutation size calculations (CASSANDRA-15293)
* Fix point-in-time recoevery ignoring timestamp of updates to static columns (CASSANDRA-15292)
* GC logs are also put under $CASSANDRA_LOG_DIR (CASSANDRA-14306)
* Fix sstabledump's position key value when partitions have multiple rows (CASSANDRA-14721)
* Avoid over-scanning data directories in LogFile.verify() (CASSANDRA-15364)
* Bump generations and document changes to system_distributed and system_traces in 3.0, 3.11
(CASSANDRA-15441)
* Fix system_traces creation timestamp; optimise system keyspace upgrades (CASSANDRA-15398)
* Fix various data directory prefix matching issues (CASSANDRA-13974)
* Minimize clustering values in metadata collector (CASSANDRA-15400)
* Avoid over-trimming of results in mixed mode clusters (CASSANDRA-15405)
* validate value sizes in LegacyLayout (CASSANDRA-15373)
* Ensure that tracing doesn't break connections in 3.x/4.0 mixed mode by default (CASSANDRA-15385)
* Make sure index summary redistribution does not start when compactions are paused (CASSANDRA-15265)
* Ensure legacy rows have primary key livenessinfo when they contain illegal cells (CASSANDRA-15365)
* Fix race condition when setting bootstrap flags (CASSANDRA-14878)
* Fix NativeLibrary.tryOpenDirectory callers for Windows (CASSANDRA-15426)
* Fix SELECT JSON output for empty blobs (CASSANDRA-15435)
* In-JVM DTest: Set correct internode message version for upgrade test (CASSANDRA-15371)
* In-JVM DTest: Support NodeTool in dtest (CASSANDRA-15429)
* Fix NativeLibrary.tryOpenDirectory callers for Windows (CASSANDRA-15426)
* Fix SASI non-literal string comparisons (range operators) (CASSANDRA-15169)
* Make sure user defined compaction transactions are always closed (CASSANDRA-15123)
* Fix cassandra-env.sh to use $CASSANDRA_CONF to find cassandra-jaas.config (CASSANDRA-14305)
* Fixed nodetool cfstats printing index name twice (CASSANDRA-14903)
* Add flag to disable SASI indexes, and warnings on creation (CASSANDRA-14866)
* Add ability to cap max negotiable protocol version (CASSANDRA-15193)
* Gossip tokens on startup if available (CASSANDRA-15335)
* Fix resource leak in CompressedSequentialWriter (CASSANDRA-15340)
* Fix bad merge that reverted CASSANDRA-14993 (CASSANDRA-15289)
* Fix LegacyLayout RangeTombstoneList IndexOutOfBoundsException when upgrading and RangeTombstone bounds are asymmetric (CASSANDRA-15172)
* Fix NPE when using allocate_tokens_for_keyspace on new DC/rack (CASSANDRA-14952)
* Filter sstables earlier when running cleanup (CASSANDRA-15100)
* Use mean row count instead of mean column count for index selectivity calculation (CASSANDRA-15259)
* Avoid updating unchanged gossip states (CASSANDRA-15097)
* Prevent recreation of previously dropped columns with a different kind (CASSANDRA-14948)
* Prevent client requests from blocking on executor task queue (CASSANDRA-15013)
* Toughen up column drop/recreate type validations (CASSANDRA-15204)
* LegacyLayout should handle paging states that cross a collection column (CASSANDRA-15201)
* Prevent RuntimeException when username or password is empty/null (CASSANDRA-15198)
* Multiget thrift query returns null records after digest mismatch (CASSANDRA-14812)
* Skipping illegal legacy cells can break reverse iteration of indexed partitions (CASSANDRA-15178)
* Handle paging states serialized with a different version than the session's (CASSANDRA-15176)
* Throw IOE instead of asserting on unsupporter peer versions (CASSANDRA-15066)
* Update token metadata when handling MOVING/REMOVING_TOKEN events (CASSANDRA-15120)
* Add ability to customize cassandra log directory using $CASSANDRA_LOG_DIR (CASSANDRA-15090)
* Skip cells with illegal column names when reading legacy sstables (CASSANDRA-15086)
* Fix assorted gossip races and add related runtime checks (CASSANDRA-15059)
* Fix mixed mode partition range scans with limit (CASSANDRA-15072)
* cassandra-stress works with frozen collections: list and set (CASSANDRA-14907)
* Fix handling FS errors on writing and reading flat files - LogTransaction and hints (CASSANDRA-15053)
* Avoid double closing the iterator to avoid overcounting the number of requests (CASSANDRA-15058)
* Improve `nodetool status -r` speed (CASSANDRA-14847)
* Improve merkle tree size and time on heap (CASSANDRA-14096)
* Add missing commands to nodetool_completion (CASSANDRA-14916)
* Anti-compaction temporarily corrupts sstable state for readers (CASSANDRA-15004)
* Catch non-IOException in FileUtils.close to make sure that all resources are closed (CASSANDRA-15225)
* Handle exceptions during authentication/authorization (CASSANDRA-15041)
* Support cross version messaging in in-jvm upgrade dtests (CASSANDRA-15078)
* Fix index summary redistribution cancellation (CASSANDRA-15045)
* Fixing invalid CQL in security documentation (CASSANDRA-15020)
* Allow instance class loaders to be garbage collected for inJVM dtest (CASSANDRA-15170)
* Add support for network topology and query tracing for inJVM dtest (CASSANDRA-15319)
* Correct sstable sorting for garbagecollect and levelled compaction (CASSANDRA-14870)
* Severe concurrency issues in STCS,DTCS,TWCS,TMD.Topology,TypeParser
* Add a script to make running the cqlsh tests in cassandra repo easier (CASSANDRA-14951)
* If SizeEstimatesRecorder misses a 'onDropTable' notification, the size_estimates table will never be cleared for that table. (CASSANDRA-14905)
* Counters fail to increment in 2.1/2.2 to 3.X mixed version clusters (CASSANDRA-14958)
* Streaming needs to synchronise access to LifecycleTransaction (CASSANDRA-14554)
* Fix cassandra-stress write hang with default options (CASSANDRA-14616)
* Differentiate between slices and RTs when decoding legacy bounds (CASSANDRA-14919)
* Netty epoll IOExceptions caused by unclean client disconnects being logged at INFO (CASSANDRA-14909)
* Unfiltered.isEmpty conflicts with Row extends AbstractCollection.isEmpty (CASSANDRA-14588)
* RangeTombstoneList doesn't properly clean up mergeable or superseded rts in some cases (CASSANDRA-14894)
* Fix handling of collection tombstones for dropped columns from legacy sstables (CASSANDRA-14912)
* Throw exception if Columns serialized subset encode more columns than possible (CASSANDRA-14591)
* Drop/add column name with different Kind can result in corruption (CASSANDRA-14843)
* Fix missing rows when reading 2.1 SSTables with static columns in 3.0 (CASSANDRA-14873)
* Move TWCS message 'No compaction necessary for bucket size' to Trace level (CASSANDRA-14884)
* Sstable min/max metadata can cause data loss (CASSANDRA-14861)
* Dropped columns can cause reverse sstable iteration to return prematurely (CASSANDRA-14838)
* Legacy sstables with multi block range tombstones create invalid bound sequences (CASSANDRA-14823)
* Expand range tombstone validation checks to multiple interim request stages (CASSANDRA-14824)
* Reverse order reads can return incomplete results (CASSANDRA-14803)
* Avoid calling iter.next() in a loop when notifying indexers about range tombstones (CASSANDRA-14794)
* Fix purging semi-expired RT boundaries in reversed iterators (CASSANDRA-14672)
* DESC order reads can fail to return the last Unfiltered in the partition (CASSANDRA-14766)
* Fix corrupted collection deletions for dropped columns in 3.0 2.{1,2} messages (CASSANDRA-14568)
* Fix corrupted static collection deletions in 3.0 2.{1,2} messages (CASSANDRA-14568)
* Handle failures in parallelAllSSTableOperation (cleanup/upgradesstables/etc) (CASSANDRA-14657)
* Improve TokenMetaData cache populating performance avoid long locking (CASSANDRA-14660)
* Backport: Flush netty client messages immediately (not by default) (CASSANDRA-13651)
* Fix static column order for SELECT * wildcard queries (CASSANDRA-14638)
* sstableloader should use discovered broadcast address to connect intra-cluster (CASSANDRA-14522)
* Fix reading columns with non-UTF names from schema (CASSANDRA-14468)
* Don't enable client transports when bootstrap is pending (CASSANDRA-14525)
* MigrationManager attempts to pull schema from different major version nodes (CASSANDRA-14928)
* Fix incorrect cqlsh results when selecting same columns multiple times (CASSANDRA-13262)
* Returns null instead of NaN or Infinity in JSON strings (CASSANDRA-14377)
* Paged Range Slice queries with DISTINCT can drop rows from results (CASSANDRA-14956)
* Validate supported column type with SASI analyzer (CASSANDRA-13669)
* Remove BTree.Builder Recycler to reduce memory usage (CASSANDRA-13929)
* Reduce nodetool GC thread count (CASSANDRA-14475)
* Fix New SASI view creation during Index Redistribution (CASSANDRA-14055)
* Remove string formatting lines from BufferPool hot path (CASSANDRA-14416)
* Update metrics to 3.1.5 (CASSANDRA-12924)
* Detect OpenJDK jvm type and architecture (CASSANDRA-12793)
* Don't use guava collections in the non-system keyspace jmx attributes (CASSANDRA-12271)
* Allow existing nodes to use all peers in shadow round (CASSANDRA-13851)
* Fix cqlsh to read connection.ssl cqlshrc option again (CASSANDRA-14299)
* Downgrade log level to trace for CommitLogSegmentManager (CASSANDRA-14370)
* CQL fromJson(null) throws NullPointerException (CASSANDRA-13891)
* Serialize empty buffer as empty string for json output format (CASSANDRA-14245)
* Allow logging implementation to be interchanged for embedded testing (CASSANDRA-13396)
* SASI tokenizer for simple delimiter based entries (CASSANDRA-14247)
* Fix Loss of digits when doing CAST from varint/bigint to decimal (CASSANDRA-14170)
* RateBasedBackPressure unnecessarily invokes a lock on the Guava RateLimiter (CASSANDRA-14163)
* Fix wildcard GROUP BY queries (CASSANDRA-14209)
* Fix corrupted static collection deletions in 3.0 -> 2.{1,2} messages (CASSANDRA-14568)
* Fix potential IndexOutOfBoundsException with counters (CASSANDRA-14167)
* Always close RT markers returned by ReadCommand#executeLocally() (CASSANDRA-14515)
* Reverse order queries with range tombstones can cause data loss (CASSANDRA-14513)
* Fix regression of lagging commitlog flush log message (CASSANDRA-14451)
* Add Missing dependencies in pom-all (CASSANDRA-14422)
* Cleanup StartupClusterConnectivityChecker and PING Verb (CASSANDRA-14447)
* Fix deprecated repair error notifications from 3.x clusters to legacy JMX clients (CASSANDRA-13121)
* Cassandra not starting when using enhanced startup scripts in windows (CASSANDRA-14418)
* Fix progress stats and units in compactionstats (CASSANDRA-12244)
* Better handle missing partition columns in system_schema.columns (CASSANDRA-14379)
* Delay hints store excise by write timeout to avoid race with decommission (CASSANDRA-13740)
* Deprecate background repair and probablistic read_repair_chance table options
(CASSANDRA-13910)
* Add missed CQL keywords to documentation (CASSANDRA-14359)
* Fix unbounded validation compactions on repair / revert CASSANDRA-13797 (CASSANDRA-14332)
* Avoid deadlock when running nodetool refresh before node is fully up (CASSANDRA-14310)
* Handle all exceptions when opening sstables (CASSANDRA-14202)
* Handle incompletely written hint descriptors during startup (CASSANDRA-14080)
* Handle repeat open bound from SRP in read repair (CASSANDRA-14330)
* Respect max hint window when hinting for LWT (CASSANDRA-14215)
* Adding missing WriteType enum values to v3, v4, and v5 spec (CASSANDRA-13697)
* Don't regenerate bloomfilter and summaries on startup (CASSANDRA-11163)
* Fix NPE when performing comparison against a null frozen in LWT (CASSANDRA-14087)
* Log when SSTables are deleted (CASSANDRA-14302)
* Fix batch commitlog sync regression (CASSANDRA-14292)
* Write to pending endpoint when view replica is also base replica (CASSANDRA-14251)
* Chain commit log marker potential performance regression in batch commit mode (CASSANDRA-14194)
* Fully utilise specified compaction threads (CASSANDRA-14210)
* Pre-create deletion log records to finish compactions quicker (CASSANDRA-12763)
* Fix bug that prevented compaction of SSTables after full repairs (CASSANDRA-14423)
* Incorrect counting of pending messages in OutboundTcpConnection (CASSANDRA-11551)
* Fix compaction failure caused by reading un-flushed data (CASSANDRA-12743)
* Use Bounds instead of Range for sstables in anticompaction (CASSANDRA-14411)
* Fix JSON queries with IN restrictions and ORDER BY clause (CASSANDRA-14286)
* Backport circleci yaml (CASSANDRA-14240)
* Check checksum before decompressing data (CASSANDRA-14284)
* CVE-2017-5929 Security vulnerability in Logback warning in NEWS.txt (CASSANDRA-14183)
- Use %license macro
Changes in cassandra-kit:
- Update to Cassandra 3.11.10 (bsc#1181689, CVE-2020-17516)
Changes in crowbar-core:
- Update to version 5.0+git.1622489449.a8e60e238:
* avoid v4.1.5 of delayed_job_active_record (noref)
* add CVE-2020-26247 to travis ignore list (bsc#1180507)
Changes in crowbar-openstack:
- Update to version 5.0+git.1616001417.67fd9c2a1:
* monasca: restart Kibana on update (bsc#1044849)
- Update to version 5.0+git.1615542070.7841c34b7:
* monasca: fix monasca-server reinstall state check (SOC-11471)
Changes in documentation-suse-openstack-cloud:
- Update to version 8.20210512:
* Moved Monasca deployment to immediately after keystone (SOC-11525) (#1312)
- Update to version 8.20210511:
* Update the correct SLES version to suse-12.3 (SOC-11521) (#1321)
* Renamed the repo name from SLE12-SP3-HA to SLE-HA12-SP3 (SOC-11523) (#1320)
- Update to version 8.20210511:
* Add bm-power-status playbook to add sles compute section (#1317)
- Update to version 8.20210507:
* Add instructions for checking MySQL cert expiry (SOC-11422) (#1311)
- Update to version 8.20210304:
* Add nova and heat db purge cron jobs to maintenance section (SOC-9876) (#1307)
Changes in grafana:
- Add CVE-2021-27358.patch (bsc#1183803, CVE-2021-27358)
* Prevent unauthenticated remote attackers from causing a DoS through the
snapshots API.
Changes in kibana:
- Ensure /etc/sysconfig/kibana is present
- Update to Kibana 4.6.6 (bsc#1044849, CVE-2017-11499, ESA-2017-14,
ESA-2017-16)
* [4.6] ignore forked code for babel transpile build phase (#13483)
* Allow more than match queries in custom filters (#8614) (#10857)
* [state] don't make extra $location.replace() calls (#9954)
* [optimizer] move to querystring-browser package for up-to-date api
* [state/unhashUrl] use encode-uri-query to generate cleanly encoded urls
* server: refactor log_interceptor to be more DRY (#9617)
* server: downgrade ECANCELED logs to debug (#9616)
* server: do not treat logged warnings as errors (#8746) (#9610)
* [server/logger] downgrade EPIPE errors to debug level (#9023)
* Add basepath when redirecting from a trailling slash (#9035)
* [es/kibanaIndex] use unmapped_type rather than ignore_unmapped (#8968)
* [server/shortUrl] validate urls before shortening them
- Add CVE-2017-11481.patch (bsc#1044849, CVE-2017-11481)
* This fixes an XSS vulnerability in URL fields
- Remove %dir declaration from /opt/kibana/optimize to ensure
no files owned by root end up in there
- Exclude /opt/kibana/optimize from %fdupes
- Restart service on upgrade
- Do not copy LICENSE.txt and README.txt to /opt/kibana
- Fix rpmlint warnings/errors
- Switch to explicit patch application
- Fix source URL
- Fix logic for systemd/systemv detection
Changes in openstack-heat-templates:
- Update to version 0.0.0+git.1623056900.7917e18:
* Fix zuul config for heat-templates-check
- Update to version 0.0.0+git.1621405516.71a0f7a:
* Remove testr
Changes in openstack-monasca-installer:
- Add 0001-fix-influxdb-stop-task.patch (SOC-11470)
- Add 0001-fix-cassandra-deployment.patch (SOC-11470)
Changes in openstack-nova:
- Update to version nova-16.1.9.dev92:
* Lowercase ironic driver hash ring and ignore case in cache
* Include only required fields in ironic node cache
* Add resource\_class to fields in ironic node cache
- Update to version nova-16.1.9.dev86:
* [stable-only] Move grenade jobs to experimental
* Update resources once in update\_available\_resource
* rt: Make resource tracker always invoking get\_inventory()
- Update to version nova-16.1.9.dev81:
* [stable-only] gate: Pin CEPH\_RELEASE to nautilus in LM hook
- Update to version nova-16.1.9.dev80:
* [placement] Add status and links fields to version document at /
Changes in openstack-nova:
- Update to version nova-16.1.9.dev92:
* Lowercase ironic driver hash ring and ignore case in cache
* Include only required fields in ironic node cache
* Add resource\_class to fields in ironic node cache
- Update to version nova-16.1.9.dev86:
* [stable-only] Move grenade jobs to experimental
* Update resources once in update\_available\_resource
* rt: Make resource tracker always invoking get\_inventory()
- Update to version nova-16.1.9.dev81:
* [stable-only] gate: Pin CEPH\_RELEASE to nautilus in LM hook
- Update to version nova-16.1.9.dev80:
* [placement] Add status and links fields to version document at /
Changes in python-Django:
- Add CVE-2021-33203.patch (bsc#1186608, CVE-2021-33203)
* Fixed potential path-traversal via admindocs' TemplateDetailView.
- Add CVE-2021-33571.patch (bsc#1186611, CVE-2021-33571)
* Prevented leading zeros in IPv4 addresses.
- Add CVE-2021-31542.patch (bsc#1185623, CVE-2021-31542)
* Fixed CVE-2021-31542 -- Tightened path and file name sanitation in file
uploads.
- Add CVE-2021-28658.patch (bsc#1184148, CVE-2021-28658)
* Fixed potential directory-traversal via uploaded files
- Add CVE-2021-23336.patch (bsc#1182433, CVE-2021-23336)
* Fixed web cache poisoning via django.utils.http.limited_parse_qsl()
Changes in python-eventlet:
- Add 0001-websocket-fd-leak-when-client-did-not-close-connecti.patch
- Add 0002-websocket-Limit-maximum-uncompressed-frame-length-to.patch (bsc#1185836 CVE-2021-21419)
* websocket: Limit maximum uncompressed frame length to 8MiB
Changes in python-py:
- Add CVE-2020-29651.patch ((bsc#1179805, CVE-2020-29651)
* svnwc: fix regular expression vulnerable to DoS in blame
functionality
Changes in python-pysaml2:
- Add %dir declaration for %{_licensedir}
- Fix CVE-2021-21238, bsc#1181277 with
0004-Strengthen-XSW-tests.patch ,
0005-Fix-the-parser-to-not-break-on-ePTID-AttributeValues.patch ,
0006-Add-xsd-schemas.patch ,
0007-Fix-CVE-2021-21238-SAML-XML-Signature-wrapping.patch .
This adds a dependency on python-xmlschema, which depends on
python-elementpath and build depends python-pathlib2, which depends on
python-scandir, thus all these need to be added for this to work.
The used python-xmlschema needs to support the sandbox argument
which was added in 1.2.0 and refined in 1.2.1, but that version
doesn't support python2, so a patched version that does both is
needed.
0009-Make-previous-commits-python2-compatible.patch to
not add a dependency on reportlib_resources and make other
changes python2 compatible.
- Fix CVE-2021-21239, bsc#1181278 with
0008-Fix-CVE-2021-21239-Restrict-the-key-data-that-xmlsec.patch
Changes in venv-openstack-keystone:
- Add python-xmlschema and python-elementpath for new python-pysaml2 version.
Changes in python-xmlschema:
- Add missed BuildRequires on pathlib2
- Add 3 patches to backport sandbox argument, which is needed by a security fix
in python-pysaml2 and one patch to make backport python2 compatible.
- Upstream url changed
- Add rpmlintrc to make it work on Leap 42.3
- Update to 1.0.18:
* Fix for *ModelVisitor.iter_unordered_content()*
* Fixed default converter, AbderaConverter and JsonMLConverter for xs:anyType decode
* Fixed validation tests with all converters
* Added UnorderedConverter to validation tests
- Update to 1.0.17:
* Enhancement of validation-only speed (~15%)
* Added *is_valid()* and *iter_errors()* to module API
- Update to 1.0.16:
* Improved XMLResource class for working with compressed files
* Fix for validation with XSD wildcards and 'lax' process content
* Fix ambiguous items validation for xs:choice and xs:sequence models
- Handle UnicodeDecodeErrors during build process
- Update to 1.0.15:
* Improved XPath 2.0 bindings
* Added logging for schema initialization and building (handled with argument loglevel)
* Update encoding of collapsed contents with a new model based reordering method
* Removed XLink namespace from meta-schema (loaded from a fallback location like XHTML)
* Fixed half of failed W3C instance tests (remain 255 over 15344 tests)
- Initial commit, needed by pytest 5.1.2
Changes in python-elementpath:
- Update to 1.3.1:
* Improved schema proxy
* Improved XSD type matching using paths
* Cached parent path for XPathContext (only Python 3)
* Improve typed selection with TypedAttribute and TypedElement named-tuples
* Add iter_results to XPathContext
* Remove XMLSchemaProxy from package
* Fix descendant shortcut operator '//'
* Fix text() function
* Fix typed select of '(name)' token
* Fix 24-hour time for DateTime
- Skip test_hashing to fix 32bit builds
- Initial commit needed by python-xmlschema
Changes in python-six:
- Update in SLE-12 (bsc#1176784, jsc#ECO-3105, jsc#PM-2352)
- Fix testsuite on SLE-12
+ Add python to BuildRequires for suse_version less 1500
- Fix dbm deps as the MU for provides: python-dbm was not released
on sle12 yet
- Add requirement on pytest > 4.0 to see the pytest module works
with this MU
- Do not cause buildcycle with previous change but rather
install the egg-info prepared metadata from the tarball
- use setuptools for building to support pip 10.x (bsc#1166139)
- update to 1.14.0
* Add `six.assertNotRegex`
* `six.moves._dummy_thread` now points to the `_thread` module on
Python 3.9+. Python 3.7 and later requires threading and deprecated the
`_dummy_thread` module
* Remove support for Python 2.6 and Python 3.2
* `six.wraps` now ignores missing attributes
- Pull in dbm/gdbm module from python for testing
- update to 0.13.0:
- Issue #298, pull request #299: Add `six.moves.dbm_ndbm`.
- Issue #155: Add `six.moves.collections_abc`, which aliases the `collections`
module on Python 2-3.2 and the `collections.abc` on Python 3.3 and greater.
- Pull request #304: Re-add distutils fallback in `setup.py`.
- Pull request #305: On Python 3.7, `with_metaclass` supports classes using PEP
- Simplify the pytest call
- Fix pytest call
- Fixdocumentation package generating
- Change %pretrans back to %pre to fix bootstrap issue
boo#1123064 bsc#1143893
- Require just base python module, even full python is too much
and it is not required here
- Update to 0.12.0:
* `six.add_metaclass` now preserves `__qualname__` from the
original class.
* Add `six.ensure_binary`, `six.ensure_text`, and
`six.ensure_str`.
- Because of cyclical dependencies between six and Sphinx, we
need to to do multibuild.
- Include in SLE-12 (FATE#326838, bsc#1113302)
- remove egg-info directory in %pretrans
- fix egg-info directory pattern
- match any version of egg-info for a certain python version
- Break the cycilical dependency on python-setuptools.
- Remove argparse dependency
- build python3 subpackage (FATE#324435, bsc#1073879)
- remove egg-info directory before installation if it exists,
because setuptools produce directory and six switched to distutils
that produce a file
(and because rpm can't handle that by itself)
fixes bsc#1057496
- Fix Source url
- README->README.rst, add CHANGES
- update to version 1.11.0:
* Pull request #178: `with_metaclass` now properly proxies
`__prepare__` to the underlying metaclass.
* Pull request #191: Allow `with_metaclass` to work with metaclasses
implemented in C.
* Pull request #203: Add parse_http_list and parse_keqv_list to
moved urllib.request.
* Pull request #172 and issue #171: Add unquote_to_bytes to moved
urllib.parse.
* Pull request #167: Add `six.moves.getoutput`.
* Pull request #80: Add `six.moves.urllib_parse.splitvalue`.
* Pull request #75: Add `six.moves.email_mime_image`.
* Pull request #72: Avoid creating reference cycles through
tracebacks in `reraise`.
- Submit 1.9.0 to SLE-12 (fate#319030, fate#318838, bsc#940812)
- sanitize release line in specfile
Changes in rubygem-activerecord-session_store.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- added CVE-2019-25025.patch (CVE-2019-25025, bsc#1183174)
* This requires CVE-2019-16782.patch to be included in rubygem-actionpack-4_2
to work correctly.
Changes in venv-openstack-keystone:
- Add python-xmlschema and python-elementpath for new python-pysaml2 version.
- Add python-defusedxml (bsc#1019074)
- Inherit version number of venv from main component (SCRD-8523)
ModerateSUSE bug 1019074SUSE bug 1044849SUSE bug 1057496SUSE bug 1073879SUSE bug 1113302SUSE bug 1123064SUSE bug 1143893SUSE bug 1166139SUSE bug 1176784SUSE bug 1179805SUSE bug 1180507SUSE bug 1181277SUSE bug 1181278SUSE bug 1181689SUSE bug 1181828SUSE bug 1182433SUSE bug 1183174SUSE bug 1183803SUSE bug 1184148SUSE bug 1185623SUSE bug 1185836SUSE bug 1186608SUSE bug 1186611SUSE bug 940812CVE-2017-11481 at SUSECVE-2017-11481 at NVDCVE-2017-11499 at SUSECVE-2017-11499 at NVDCVE-2017-5929 at SUSECVE-2017-5929 at NVDCVE-2019-25025 at SUSECVE-2019-25025 at NVDCVE-2020-17516 at SUSECVE-2020-17516 at NVDCVE-2020-26247 at SUSECVE-2020-26247 at NVDCVE-2020-29651 at SUSECVE-2020-29651 at NVDCVE-2021-21238 at SUSECVE-2021-21238 at NVDCVE-2021-21239 at SUSECVE-2021-21239 at NVDCVE-2021-21419 at SUSECVE-2021-21419 at NVDCVE-2021-23336 at SUSECVE-2021-23336 at NVDCVE-2021-27358 at SUSECVE-2021-27358 at NVDCVE-2021-28658 at SUSECVE-2021-28658 at NVDCVE-2021-31542 at SUSECVE-2021-31542 at NVDCVE-2021-33203 at SUSECVE-2021-33203 at NVDCVE-2021-33571 at SUSECVE-2021-33571 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for qemu (Important)SUSE OpenStack Cloud 8
This update for qemu fixes the following issues:
Security issues fixed:
- CVE-2021-3595: Fixed slirp: invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366)
- CVE-2021-3592: Fix for slirp: invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364)
- CVE-2021-3594: Fix for slirp: invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367)
- CVE-2021-3593: Fix for slirp: invalid pointer initialization may lead to information disclosure (udp6) (bsc#1187365)
- CVE-2021-3611: Fix intel-hda segmentation fault due to stack overflow (bsc#1187529)
ImportantSUSE bug 1187364SUSE bug 1187365SUSE bug 1187366SUSE bug 1187367SUSE bug 1187529CVE-2021-3592 at SUSECVE-2021-3592 at NVDCVE-2021-3593 at SUSECVE-2021-3593 at NVDCVE-2021-3594 at SUSECVE-2021-3594 at NVDCVE-2021-3595 at SUSECVE-2021-3595 at NVDCVE-2021-3611 at SUSECVE-2021-3611 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for dbus-1 (Important)SUSE OpenStack Cloud 8
This update for dbus-1 fixes the following issues:
- CVE-2020-35512: Fixed a bug where users with the same numeric UID could lead to use-after-free and undefined behaviour. (bsc#1187105)
- CVE-2020-12049: Fixed a bug where a truncated messages lead to resource exhaustion. (bsc#1172505)
ImportantSUSE bug 1172505SUSE bug 1187105CVE-2020-12049 at SUSECVE-2020-12049 at NVDCVE-2020-35512 at SUSECVE-2020-35512 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud 8
This update for webkit2gtk3 fixes the following issues:
Update to version 2.32.3:
- CVE-2021-21775: Fixed a use-after-free vulnerability in the way certain events are processed for ImageLoader objects. A specially crafted web page can lead to a potential information leak and further memory corruption. A victim must be tricked into visiting a malicious web page to trigger this vulnerability. (bsc#1188697)
- CVE-2021-21779: Fixed a use-after-free vulnerability in the way that WebKit GraphicsContext handles certain events. A specially crafted web page can lead to a potential information leak and further memory corruption. A victim must be tricked into visiting a malicious web page to trigger this vulnerability. (bsc#1188697)
- CVE-2021-30663: An integer overflow was addressed with improved input validation. (bsc#1188697)
- CVE-2021-30665: A memory corruption issue was addressed with improved state management. (bsc#1188697)
- CVE-2021-30689: A logic issue was addressed with improved state management. (bsc#1188697)
- CVE-2021-30720: A logic issue was addressed with improved restrictions. (bsc#1188697)
- CVE-2021-30734: Multiple memory corruption issues were addressed with improved memory handling. (bsc#1188697)
- CVE-2021-30744: A cross-origin issue with iframe elements was addressed with improved tracking of security origins. (bsc#1188697)
- CVE-2021-30749: Multiple memory corruption issues were addressed with improved memory handling. (bsc#1188697)
- CVE-2021-30758: A type confusion issue was addressed with improved state handling. (bsc#1188697)
- CVE-2021-30795: A use after free issue was addressed with improved memory management. (bsc#1188697)
- CVE-2021-30797: This issue was addressed with improved checks. (bsc#1188697)
- CVE-2021-30799: Multiple memory corruption issues were addressed with improved memory handling. (bsc#1188697)
ImportantSUSE bug 1188697CVE-2021-21775 at SUSECVE-2021-21775 at NVDCVE-2021-21779 at SUSECVE-2021-21779 at NVDCVE-2021-30663 at SUSECVE-2021-30663 at NVDCVE-2021-30665 at SUSECVE-2021-30665 at NVDCVE-2021-30689 at SUSECVE-2021-30689 at NVDCVE-2021-30720 at SUSECVE-2021-30720 at NVDCVE-2021-30734 at SUSECVE-2021-30734 at NVDCVE-2021-30744 at SUSECVE-2021-30744 at NVDCVE-2021-30749 at SUSECVE-2021-30749 at NVDCVE-2021-30758 at SUSECVE-2021-30758 at NVDCVE-2021-30795 at SUSECVE-2021-30795 at NVDCVE-2021-30797 at SUSECVE-2021-30797 at NVDCVE-2021-30799 at SUSECVE-2021-30799 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libsndfile (Critical)SUSE OpenStack Cloud 8
This update for libsndfile fixes the following issues:
- CVE-2018-13139: Fixed a stack-based buffer overflow in psf_memset in common.c in libsndfile 1.0.28allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact. (bsc#1100167)
- CVE-2018-19432: Fixed a NULL pointer dereference in the function sf_write_int in sndfile.c, which will lead to a denial of service. (bsc#1116993)
- CVE-2021-3246: Fixed a heap buffer overflow vulnerability in msadpcm_decode_block. (bsc#1188540)
- CVE-2018-19758: Fixed a heap-based buffer over-read at wav.c in wav_write_header in libsndfile 1.0.28 that will cause a denial of service. (bsc#1117954)
CriticalSUSE bug 1100167SUSE bug 1116993SUSE bug 1117954SUSE bug 1188540CVE-2018-13139 at SUSECVE-2018-13139 at NVDCVE-2018-19432 at SUSECVE-2018-19432 at NVDCVE-2018-19758 at SUSECVE-2018-19758 at NVDCVE-2021-3246 at SUSECVE-2021-3246 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for djvulibre (Important)SUSE OpenStack Cloud 8
This update for djvulibre fixes the following issues:
- CVE-2021-3630: out-of-bounds write in DJVU:DjVuTXT:decode() in DjVuText.cpp (bsc#1187869)
ImportantSUSE bug 1187869CVE-2021-3630 at SUSECVE-2021-3630 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-Pillow (Important)SUSE OpenStack Cloud 8
This update for python-Pillow fixes the following issues:
- CVE-2021-34552: Fixed a buffer overflow in Convert.c (bsc#1188574)
ImportantSUSE bug 1188574CVE-2021-34552 at SUSECVE-2021-34552 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for cpio (Important)SUSE OpenStack Cloud 8
This update for cpio fixes the following issues:
It was possible to trigger Remote code execution due to a integer overflow (CVE-2021-38185, bsc#1189206)
ImportantSUSE bug 1189206CVE-2021-38185 at SUSECVE-2021-38185 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libcares2 (Important)SUSE OpenStack Cloud 8
This update for libcares2 fixes the following issues:
- CVE-2021-3672: Fixed input validation on hostnames (bsc#1188881).
ImportantSUSE bug 1188881CVE-2021-3672 at SUSECVE-2021-3672 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 78.13.0 ESR (MFSA 2021-34, bsc#1188891):
- CVE-2021-29986: Race condition when resolving DNS names could have led to memory corruption
- CVE-2021-29988: Memory corruption as a result of incorrect style treatment
- CVE-2021-29984: Incorrect instruction reordering during JIT optimization
- CVE-2021-29980: Uninitialized memory in a canvas object could have led to memory corruption
- CVE-2021-29985: Use-after-free media channels
- CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
ImportantSUSE bug 1188891CVE-2021-29980 at SUSECVE-2021-29980 at NVDCVE-2021-29984 at SUSECVE-2021-29984 at NVDCVE-2021-29985 at SUSECVE-2021-29985 at NVDCVE-2021-29986 at SUSECVE-2021-29986 at NVDCVE-2021-29988 at SUSECVE-2021-29988 at NVDCVE-2021-29989 at SUSECVE-2021-29989 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for fetchmail (Moderate)SUSE OpenStack Cloud 8
This update for fetchmail fixes the following issues:
- CVE-2021-36386: DoS or information disclosure in some configurations (bsc#1188875)
- Change PASSWORDLEN from 64 to 256 [bsc#1188034]
- Set the hostname for SNI when using TLS [bsc#1182807]
- Allow --syslog option in daemon mode. (bsc#1033081)
- Set the hostname for SNI when using TLS. (bsc#1182807)
- Change PASSWORDLEN from 64 to 256 (bsc#1188034)
ModerateSUSE bug 1033081SUSE bug 1182807SUSE bug 1188034SUSE bug 1188875CVE-2021-36386 at SUSECVE-2021-36386 at NVDcpe:/o:suse:suse-openstack-cloud:8Recommended update for cpio (Critical)SUSE OpenStack Cloud 8
This update for cpio fixes the following issues:
- A regression in the previous update could lead to crashes (bsc#1189465)
CriticalSUSE bug 1189465CVE-2021-38185 at SUSECVE-2021-38185 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_8_0-openjdk (Important)SUSE OpenStack Cloud 8
This update for java-1_8_0-openjdk fixes the following issues:
- Update to version jdk8u302 (icedtea 3.20.0)
- CVE-2021-2341: Improve file transfers. (bsc#1188564)
- CVE-2021-2369: Better jar file validation. (bsc#1188565)
- CVE-2021-2388: Enhance compiler validation. (bsc#1188566)
- CVE-2021-2161: Less ambiguous processing. (bsc#1185056)
ImportantSUSE bug 1185056SUSE bug 1188564SUSE bug 1188565SUSE bug 1188566CVE-2021-2161 at SUSECVE-2021-2161 at NVDCVE-2021-2341 at SUSECVE-2021-2341 at NVDCVE-2021-2369 at SUSECVE-2021-2369 at NVDCVE-2021-2388 at SUSECVE-2021-2388 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for cpio (Important)SUSE OpenStack Cloud 8
This update for cpio fixes the following issues:
- A patch previously applied to remedy CVE-2021-38185 introduced a regression
that had the potential to cause a segmentation fault in cpio. [bsc#1189465]
ImportantSUSE bug 1189465CVE-2021-38185 at SUSECVE-2021-38185 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-PyYAML (Important)SUSE OpenStack Cloud 8
This update for python-PyYAML fixes the following issues:
- Update to 5.3.1.
- CVE-2020-14343: A vulnerability was discovered in the PyYAML library,
where it was susceptible to arbitrary code execution when it processes
untrusted YAML files through the full_load method or with the FullLoader
loader. Applications that use the library to process untrusted input
may be vulnerable to this flaw. This flaw allows an attacker to
execute arbitrary code on the system by abusing the python/object/new
constructor. This flaw is due to an incomplete fix for CVE-2020-1747.
ImportantSUSE bug 1174514CVE-2020-14343 at SUSECVE-2020-14343 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openssl (Important)SUSE OpenStack Cloud 8
This update for openssl fixes the following security issue:
- CVE-2021-3712: a bug in the code for printing certificate details could lead
to a buffer overrun that a malicious actor could exploit to crash the
application, causing a denial-of-service attack. [bsc#1189521]
ImportantSUSE bug 1189521CVE-2021-3712 at SUSECVE-2021-3712 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for unrar (Moderate)SUSE OpenStack Cloud 8
This update for unrar to version 5.6.1 fixes several issues.
These security issues were fixed:
- CVE-2017-12938: Prevent remote attackers to bypass a directory-traversal
protection mechanism via vectors involving a symlink to the . directory, a
symlink to the .. directory, and a regular file (bsc#1054038).
- CVE-2017-12940: Prevent out-of-bounds read in the EncodeFileName::Decode call
within the Archive::ReadHeader15 function (bsc#1054038).
- CVE-2017-12941: Prevent an out-of-bounds read in the Unpack::Unpack20
function (bsc#1054038).
- CVE-2017-12942: Prevent a buffer overflow in the Unpack::LongLZ function
(bsc#1054038).
- CVE-2017-20006: Fixed heap-based buffer overflow in Unpack:CopyString (bsc#1187974).
These non-security issues were fixed:
- Added extraction support for .LZ archives created by Lzip compressor
- Enable unpacking of files in ZIP archives compressed with XZ algorithm and
encrypted with AES
- Added support for PAX extended headers inside of TAR archive
- If RAR recovery volumes (.rev files) are present in the same folder as usual
RAR volumes, archive test command verifies .rev contents after completing
testing .rar files
- By default unrar skips symbolic links with absolute paths in link target when
extracting unless -ola command line switch is specified
- Added support for AES-NI CPU instructions
- Support for a new RAR 5.0 archiving format
- Wildcard exclusion mask for folders
- Prevent conditional jumps depending on uninitialised values (bsc#1046882)
ModerateSUSE bug 1046882SUSE bug 1054038SUSE bug 1187974CVE-2012-6706 at SUSECVE-2012-6706 at NVDCVE-2017-12938 at SUSECVE-2017-12938 at NVDCVE-2017-12940 at SUSECVE-2017-12940 at NVDCVE-2017-12941 at SUSECVE-2017-12941 at NVDCVE-2017-12942 at SUSECVE-2017-12942 at NVDCVE-2017-20006 at SUSECVE-2017-20006 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openvswitch (Important)SUSE OpenStack Cloud 8
This update for openvswitch fixes the following issues:
- openvswitch was updated to 2.7.12
- CVE-2020-27827: Fixed a memory leak when parsing lldp packets (bsc#1181345)
A lot more minor bugs have been fixed with this openvswitch version. Please refer to the changelog of
the openvswitch.rpm file in order to obtain a list of all changes.
ImportantSUSE bug 1117483SUSE bug 1181345CVE-2020-27827 at SUSECVE-2020-27827 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for aspell (Important)SUSE OpenStack Cloud 8
This update for aspell fixes the following issues:
- CVE-2019-25051: Fixed heap-buffer-overflow in acommon:ObjStack:dup_top (bsc#1188576).
ImportantSUSE bug 1188576CVE-2019-25051 at SUSECVE-2019-25051 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for bind (Moderate)SUSE OpenStack Cloud 8
This update for bind fixes the following issues:
- CVE-2020-8622: A truncated TSIG response can lead to an assertion failure (bsc#1175443).
ModerateSUSE bug 1175443SUSE bug 1188888CVE-2020-8622 at SUSECVE-2020-8622 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for mysql-connector-java (Moderate)SUSE OpenStack Cloud 8
This update for mysql-connector-java fixes the following issues:
- CVE-2020-2875: Unauthenticated attacker with network access via multiple protocols can compromise MySQL Connectors. (bsc#1173600)
- CVE-2020-2934: Fixed a vulnerability which could cause a partial denial of service of MySQL Connectors. (bsc#1173600)
- CVE-2020-2933: Fixed a vulnerability which could allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. (bsc#1173600)
ModerateSUSE bug 1173600CVE-2020-2875 at SUSECVE-2020-2875 at NVDCVE-2020-2933 at SUSECVE-2020-2933 at NVDCVE-2020-2934 at SUSECVE-2020-2934 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openexr (Important)SUSE OpenStack Cloud 8
This update for openexr fixes the following issues:
- CVE-2021-20298 [bsc#1188460]: Fixed Out-of-memory in B44Compressor
- CVE-2021-20299 [bsc#1188459]: Fixed Null-dereference READ in Imf_2_5:Header:operator
- CVE-2021-20300 [bsc#1188458]: Fixed Integer-overflow in Imf_2_5:hufUncompress
- CVE-2021-20302 [bsc#1188462]: Fixed Floating-point-exception in Imf_2_5:precalculateTileInfot
- CVE-2021-20303 [bsc#1188457]: Fixed Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer
- CVE-2021-20304 [bsc#1188461]: Fixed Undefined-shift in Imf_2_5:hufDecode
ImportantSUSE bug 1188457SUSE bug 1188458SUSE bug 1188459SUSE bug 1188460SUSE bug 1188461SUSE bug 1188462CVE-2021-20298 at SUSECVE-2021-20298 at NVDCVE-2021-20299 at SUSECVE-2021-20299 at NVDCVE-2021-20300 at SUSECVE-2021-20300 at NVDCVE-2021-20302 at SUSECVE-2021-20302 at NVDCVE-2021-20303 at SUSECVE-2021-20303 at NVDCVE-2021-20304 at SUSECVE-2021-20304 at NVDCVE-2021-3476 at SUSECVE-2021-3476 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libesmtp (Important)SUSE OpenStack Cloud 8
This update for libesmtp fixes the following issues:
- CVE-2019-19977: Fix stack-based buffer over-read in ntlm/ntlmstruct.c (bsc#1160462).
ImportantSUSE bug 1160462SUSE bug 1189097CVE-2019-19977 at SUSECVE-2019-19977 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for file (Important)SUSE OpenStack Cloud 8
This update for file fixes the following issues:
- CVE-2019-18218: Fixed heap-based buffer overflow in cdf_read_property_info in cdf.c (bsc#1154661).
ImportantSUSE bug 1154661CVE-2019-18218 at SUSECVE-2019-18218 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for xen (Important)SUSE OpenStack Cloud 8
This update for xen fixes the following issues:
- CVE-2021-3594: slirp: invalid pointer initialization may lead to information disclosure (udp)(bsc#1187378).
- CVE-2021-3595: slirp: invalid pointer initialization may lead to information disclosure (tftp)(bsc#1187376).
- CVE-2021-28698: long running loops in grant table handling (XSA-380)(bsc#1189378).
- CVE-2021-28699: inadequate grant-v2 status frames array bounds check (XSA-382)(bsc#1189380).
- CVE-2021-20255: Fixed stack overflow via infinite recursion in eepro100 (bsc#1182654)
- CVE-2021-28690: xen: x86: TSX Async Abort protections not restored after S3 (bsc#1186434)
- CVE-2021-28692: xen: inappropriate x86 IOMMU timeout detection / handling (bsc#1186429)
- CVE-2021-28694,CVE-2021-28695,CVE-2021-28696: IOMMU page mapping issues on x86 (XSA-378)(bsc#1189373).
- CVE-2021-0089: xen: Speculative Code Store Bypass (bsc#1186433)
- CVE-2021-28697: grant table v2 status pages may remain accessible after de-allocation (XSA-379)(bsc#1189376).
- CVE-2021-3592: slirp: invalid pointer initialization may lead to information disclosure (bootp)(bsc#1187369).
- Prevent superpage allocation in the LAPIC and ACPI_INFO range (bsc#1189882).
ImportantSUSE bug 1182654SUSE bug 1186429SUSE bug 1186433SUSE bug 1186434SUSE bug 1187369SUSE bug 1187376SUSE bug 1187378SUSE bug 1189373SUSE bug 1189376SUSE bug 1189378SUSE bug 1189380SUSE bug 1189882CVE-2021-0089 at SUSECVE-2021-0089 at NVDCVE-2021-20255 at SUSECVE-2021-20255 at NVDCVE-2021-28690 at SUSECVE-2021-28690 at NVDCVE-2021-28692 at SUSECVE-2021-28692 at NVDCVE-2021-28694 at SUSECVE-2021-28694 at NVDCVE-2021-28695 at SUSECVE-2021-28695 at NVDCVE-2021-28696 at SUSECVE-2021-28696 at NVDCVE-2021-28697 at SUSECVE-2021-28697 at NVDCVE-2021-28698 at SUSECVE-2021-28698 at NVDCVE-2021-28699 at SUSECVE-2021-28699 at NVDCVE-2021-3592 at SUSECVE-2021-3592 at NVDCVE-2021-3594 at SUSECVE-2021-3594 at NVDCVE-2021-3595 at SUSECVE-2021-3595 at NVDcpe:/o:suse:suse-openstack-cloud:8Recommended update for mozilla-nspr, mozilla-nss (Moderate)SUSE OpenStack Cloud 8
This update for mozilla-nspr fixes the following issues:
mozilla-nspr was updated to version 4.32:
* implement new socket option PR_SockOpt_DontFrag
* support larger DNS records by increasing the default buffer
size for DNS queries
* Lock access to PRCallOnceType members in PR_CallOnce* for
thread safety bmo#1686138
* PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get
information about the operating system build version.
Mozilla NSS was updated to version 3.68:
* bmo#1713562 - Fix test leak.
* bmo#1717452 - NSS 3.68 should depend on NSPR 4.32.
* bmo#1693206 - Implement PKCS8 export of ECDSA keys.
* bmo#1712883 - DTLS 1.3 draft-43.
* bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
* bmo#1713562 - Validate ECH public names.
* bmo#1717610 - Add function to get seconds from epoch from pkix::Time.
update to NSS 3.67
* bmo#1683710 - Add a means to disable ALPN.
* bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66).
* bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja.
* bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c.
* bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte.
update to NSS 3.66
* bmo#1710716 - Remove Expired Sonera Class2 CA from NSS.
* bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority.
* bmo#1708307 - Remove Trustis FPS Root CA from NSS.
* bmo#1707097 - Add Certum Trusted Root CA to NSS.
* bmo#1707097 - Add Certum EC-384 CA to NSS.
* bmo#1703942 - Add ANF Secure Server Root CA to NSS.
* bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS.
* bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database.
* bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler.
* bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h.
* bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators.
* bmo#1709291 - Add VerifyCodeSigningCertificateChain.
update to NSS 3.65
* bmo#1709654 - Update for NetBSD configuration.
* bmo#1709750 - Disable HPKE test when fuzzing.
* bmo#1566124 - Optimize AES-GCM for ppc64le.
* bmo#1699021 - Add AES-256-GCM to HPKE.
* bmo#1698419 - ECH -10 updates.
* bmo#1692930 - Update HPKE to final version.
* bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default.
* bmo#1703936 - New coverity/cpp scanner errors.
* bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards.
* bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
* bmo#1705119 - Deadlock when using GCM and non-thread safe tokens.
update to NSS 3.64
* bmo#1705286 - Properly detect mips64.
* bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and
disable_crypto_vsx.
* bmo#1698320 - replace __builtin_cpu_supports('vsx') with
ppc_crypto_support() for clang.
* bmo#1613235 - Add POWER ChaCha20 stream cipher vector
acceleration.
Fixed in 3.63
* bmo#1697380 - Make a clang-format run on top of helpful contributions.
* bmo#1683520 - ECCKiila P384, change syntax of nested structs
initialization to prevent build isses with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual
scalar multiplication.
* bmo#1683520 - ECCKiila P521, change syntax of nested structs
initialization to prevent build isses with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual
scalar multiplication.
* bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683.
* bmo#1694214 - tstclnt can't enable middlebox compat mode.
* bmo#1694392 - NSS does not work with PKCS #11 modules not supporting
profiles.
* bmo#1685880 - Minor fix to prevent unused variable on early return.
* bmo#1685880 - Fix for the gcc compiler version 7 to support setenv
with nss build.
* bmo#1693217 - Increase nssckbi.h version number for March 2021 batch
of root CA changes, CA list version 2.48.
* bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's
'Chambers of Commerce' and 'Global Chambersign' roots.
* bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER.
* bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS.
* bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS.
* bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs
from NSS.
* bmo#1687822 - Turn off Websites trust bit for the “Staat der
Nederlanden Root CA - G3” root cert in NSS.
* bmo#1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce
Root - 2008' and 'Global Chambersign Root - 2008’.
* bmo#1694291 - Tracing fixes for ECH.
update to NSS 3.62
* bmo#1688374 - Fix parallel build NSS-3.61 with make
* bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add()
can corrupt 'cachedCertTable'
* bmo#1690583 - Fix CH padding extension size calculation
* bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail
* bmo#1690421 - Install packaged libabigail in docker-builds image
* bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing
* bmo#1674819 - Fixup a51fae403328, enum type may be signed
* bmo#1681585 - Add ECH support to selfserv
* bmo#1681585 - Update ECH to Draft-09
* bmo#1678398 - Add Export/Import functions for HPKE context
* bmo#1678398 - Update HPKE to draft-07
update to NSS 3.61
* bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key
values under certain conditions.
* bmo#1684300 - Fix default PBE iteration count when NSS is compiled
with NSS_DISABLE_DBM.
* bmo#1651411 - Improve constant-timeness in RSA operations.
* bmo#1677207 - Upgrade Google Test version to latest release.
* bmo#1654332 - Add aarch64-make target to nss-try.
Update to NSS 3.60.1:
Notable changes in NSS 3.60:
* TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support
has been added, replacing the previous ESNI (draft-ietf-tls-esni-01)
implementation. See bmo#1654332 for more information.
* December 2020 batch of Root CA changes, builtins library updated
to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769
for more information.
Update to NSS 3.59.1:
* bmo#1679290 - Fix potential deadlock with certain third-party
PKCS11 modules
Update to NSS 3.59:
Notable changes:
* Exported two existing functions from libnss:
CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData
Bugfixes
* bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
* bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
* bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
* bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
* bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed
root certs when SHA1 signatures are disabled.
* bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to
solve some test intermittents
* bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in
our CVE-2020-25648 fix that broke purple-discord
(boo#1179382)
* bmo#1666891 - Support key wrap/unwrap with RSA-OAEP
* bmo#1667989 - Fix gyp linking on Solaris
* bmo#1668123 - Export CERT_AddCertToListHeadWithData and
CERT_AddCertToListTailWithData from libnss
* bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
* bmo#1663091 - Remove unnecessary assertions in the streaming
ASN.1 decoder that affected decoding certain PKCS8
private keys when using NSS debug builds
* bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.
update to NSS 3.58
Bugs fixed:
* bmo#1641480 (CVE-2020-25648)
Tighten CCS handling for middlebox compatibility mode.
* bmo#1631890 - Add support for Hybrid Public Key Encryption
(draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello
(draft-ietf-tls-esni).
* bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto
extensions.
* bmo#1668328 - Handle spaces in the Python path name when using
gyp on Windows.
* bmo#1667153 - Add PK11_ImportDataKey for data object import.
* bmo#1665715 - Pass the embedded SCT list extension (if present)
to TrustDomain::CheckRevocation instead of the notBefore value.
update to NSS 3.57
* The following CA certificates were Added:
bmo#1663049 - CN=Trustwave Global Certification Authority
SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority
SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority
SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
* The following CA certificates were Removed:
bmo#1651211 - CN=EE Certification Centre Root CA
SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76
bmo#1656077 - O=Government Root Certification Authority; C=TW
SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
* Trust settings for the following CA certificates were Modified:
bmo#1653092 - CN=OISTE WISeKey Global Root GA CA
Websites (server authentication) trust bit removed.
* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes
update to NSS 3.56
Notable changes
* bmo#1650702 - Support SHA-1 HW acceleration on ARMv8
* bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS.
* bmo#1654142 - Add CPU feature detection for Intel SHA extension.
* bmo#1648822 - Add stricter validation of DH keys in FIPS mode.
* bmo#1656986 - Properly detect arm64 during GYP build architecture
detection.
* bmo#1652729 - Add build flag to disable RC2 and relocate to
lib/freebl/deprecated.
* bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay.
* bmo#1588941 - Send empty certificate message when scheme selection
fails.
* bmo#1652032 - Fix failure to build in Windows arm64 makefile
cross-compilation.
* bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent.
* bmo#1653975 - Fix 3.53 regression by setting 'all' as the default
makefile target.
* bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert.
* bmo#1659814 - Fix interop.sh failures with newer tls-interop
commit and dependencies.
* bmo#1656519 - NSPR dependency updated to 4.28
update to NSS 3.55
Notable changes
* P384 and P521 elliptic curve implementations are replaced with
verifiable implementations from Fiat-Crypto [0] and ECCKiila [1].
* PK11_FindCertInSlot is added. With this function, a given slot
can be queried with a DER-Encoded certificate, providing performance
and usability improvements over other mechanisms. (bmo#1649633)
* DTLS 1.3 implementation is updated to draft-38. (bmo#1647752)
Relevant Bugfixes
* bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and
P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila.
* bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature.
* bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding.
* bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part
ChaCha20 (which was not functioning correctly) and more strictly
enforce tag length.
* bmo#1649648 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649316 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649322 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1653202 - Fix initialization bug in blapitest when compiled
with NSS_DISABLE_DEPRECATED_SEED.
* bmo#1646594 - Fix AVX2 detection in makefile builds.
* bmo#1649633 - Add PK11_FindCertInSlot to search a given slot
for a DER-encoded certificate.
* bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo.
* bmo#1647752 - Update DTLS 1.3 implementation to draft-38.
* bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI.
* bmo#1649226 - Add Wycheproof ECDSA tests.
* bmo#1637222 - Consistently enforce IV requirements for DES and 3DES.
* bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in
RSA_CheckSignRecover.
* bmo#1646324 - Advertise PKCS#1 schemes for certificates in the
signature_algorithms extension.
update to NSS 3.54
Notable changes
* Support for TLS 1.3 external pre-shared keys (bmo#1603042).
* Use ARM Cryptography Extension for SHA256, when available
(bmo#1528113)
* The following CA certificates were Added:
bmo#1645186 - certSIGN Root CA G2.
bmo#1645174 - e-Szigno Root CA 2017.
bmo#1641716 - Microsoft ECC Root Certificate Authority 2017.
bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
* The following CA certificates were Removed:
bmo#1645199 - AddTrust Class 1 CA Root.
bmo#1645199 - AddTrust External CA Root.
bmo#1641718 - LuxTrust Global Root 2.
bmo#1639987 - Staat der Nederlanden Root CA - G2.
bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4.
bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4.
bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.
* A number of certificates had their Email trust bit disabled.
See bmo#1618402 for a complete list.
Bugs fixed
* bmo#1528113 - Use ARM Cryptography Extension for SHA256.
* bmo#1603042 - Add TLS 1.3 external PSK support.
* bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
* bmo#1645186 - Add 'certSIGN Root CA G2' root certificate.
* bmo#1645174 - Add Microsec's 'e-Szigno Root CA 2017' root certificate.
* bmo#1641716 - Add Microsoft's non-EV root certificates.
* bmo1621151 - Disable email trust bit for 'O=Government
Root Certification Authority; C=TW' root.
* bmo#1645199 - Remove AddTrust root certificates.
* bmo#1641718 - Remove 'LuxTrust Global Root 2' root certificate.
* bmo#1639987 - Remove 'Staat der Nederlanden Root CA - G2' root
certificate.
* bmo#1618402 - Remove Symantec root certificates and disable email trust
bit.
* bmo#1640516 - NSS 3.54 should depend on NSPR 4.26.
* bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c.
* bmo#1642153 - Fix infinite recursion building NSS.
* bmo#1642638 - Fix fuzzing assertion crash.
* bmo#1642871 - Enable SSL_SendSessionTicket after resumption.
* bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs.
* bmo#1643557 - Fix numerous compile warnings in NSS.
* bmo#1644774 - SSL gtests to use ClearServerCache when resetting
self-encrypt keys.
* bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c.
* bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding.
ModerateSUSE bug 1029961SUSE bug 1174697SUSE bug 1176206SUSE bug 1176934SUSE bug 1179382SUSE bug 1188891CVE-2020-12400 at SUSECVE-2020-12400 at NVDCVE-2020-12401 at SUSECVE-2020-12401 at NVDCVE-2020-12403 at SUSECVE-2020-12403 at NVDCVE-2020-25648 at SUSECVE-2020-25648 at NVDCVE-2020-6829 at SUSECVE-2020-6829 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for transfig (Moderate)SUSE OpenStack Cloud 8
This update for transfig fixes the following issues:
Update to version 3.2.8, including fixes for
- CVE-2021-3561: overflow in fig2dev/read.c in function read_colordef() (bsc#1186329).
- CVE-2020-21683: Fixed buffer overflow in the shade_or_tint_name_after_declare_color in genpstricks.c (bsc#1189325).
- CVE-2020-21682: Fixed buffer overflow in the set_fill component in genge.c (bsc#1189346).
- CVE-2020-21681: Fixed buffer overflow in the set_color component in genge.c (bsc#1189345).
- CVE-2020-21680: Fixed stack-based buffer overflow in the put_arrow() component in genpict2e.c (bsc#1189343).
- CVE-2019-19797: out-of-bounds write in read_colordef in read.c (bsc#1159293).
- CVE-2019-19555: stack-based buffer overflow because of an incorrect sscanf (bsc#1161698).
- CVE-2019-19746: segmentation fault and out-of-bounds write because of an integer overflow via a large arrow type (bsc#1159130).
ModerateSUSE bug 1136882SUSE bug 1159130SUSE bug 1159293SUSE bug 1161698SUSE bug 1186329SUSE bug 1189325SUSE bug 1189343SUSE bug 1189345SUSE bug 1189346CVE-2019-19555 at SUSECVE-2019-19555 at NVDCVE-2019-19746 at SUSECVE-2019-19746 at NVDCVE-2019-19797 at SUSECVE-2019-19797 at NVDCVE-2020-21680 at SUSECVE-2020-21680 at NVDCVE-2020-21681 at SUSECVE-2020-21681 at NVDCVE-2020-21682 at SUSECVE-2020-21682 at NVDCVE-2020-21683 at SUSECVE-2020-21683 at NVDCVE-2021-3561 at SUSECVE-2021-3561 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for gtk-vnc (Moderate)SUSE OpenStack Cloud 8
This update for gtk-vnc fixes the following issues:
- CVE-2017-5885: Correctly validate color map range indexes (bsc#1024268).
- CVE-2017-5884: Fix bounds checking for RRE, hextile & copyrect encodings (bsc#1024266).
- Fix crash when opening connection from a GSocketAddress (bsc#1046782).
- Fix possible crash on connection failure (bsc#1188292).
ModerateSUSE bug 1024266SUSE bug 1024268SUSE bug 1046782SUSE bug 1188292CVE-2017-5884 at SUSECVE-2017-5884 at NVDCVE-2017-5885 at SUSECVE-2017-5885 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openssl (Low)SUSE OpenStack Cloud 8
This update for openssl fixes the following issues:
- CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712.
Read buffer overruns processing ASN.1 strings (bsc#1189521).
LowSUSE bug 1189521CVE-2021-3712 at SUSECVE-2021-3712 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ghostscript (Critical)SUSE OpenStack Cloud 8
This update for ghostscript fixes the following issues:
- CVE-2021-3781: Fixed a trivial -dSAFER bypass command injection (bsc#1190381)
CriticalSUSE bug 1190381CVE-2021-3781 at SUSECVE-2021-3781 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
This update contains the Firefox Extended Support Release 91.1.0 ESR.
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-40 (bsc#1190269, bsc#1190274):
* CVE-2021-38492: Navigating to `mk:` URL scheme could load Internet Explorer
* CVE-2021-38495: Memory safety bugs fixed in Firefox 92 and Firefox ESR 91.1
Firefox 91.0.1esr ESR
* Fixed: Fixed an issue causing buttons on the tab bar to be
resized when loading certain websites (bug 1704404)
* Fixed: Fixed an issue which caused tabs from private windows
to be visible in non-private windows when viewing switch-to-
tab results in the address bar panel (bug 1720369)
* Fixed: Various stability fixes
* Fixed: Security fix MFSA 2021-37 (bsc#1189547)
* CVE-2021-29991 (bmo#1724896)
Header Splitting possible with HTTP/3 Responses
Firefox Extended Support Release 91.0 ESR
* New: Some of the highlights of the new Extended Support Release are:
- A number of user interface changes. For more information,
see the Firefox 89 release notes.
- Firefox now supports logging into Microsoft, work, and
school accounts using Windows single sign-on. Learn more
- On Windows, updates can now be applied in the background
while Firefox is not running.
- Firefox for Windows now offers a new page about:third-party
to help identify compatibility issues caused by third-party
applications
- Version 2 of Firefox's SmartBlock feature further improves
private browsing. Third party Facebook scripts are blocked to
prevent you from being tracked, but are now automatically
loaded 'just in time' if you decide to 'Log in with Facebook'
on any website.
- Enhanced the privacy of the Firefox Browser's Private
Browsing mode with Total Cookie Protection, which confines
cookies to the site where they were created, preventing
companis from using cookies to track your browsing across
sites. This feature was originally launched in Firefox's ETP
Strict mode.
- PDF forms now support JavaScript embedded in PDF files.
Some PDF forms use JavaScript for validation and other
interactive features.
- You'll encounter less website breakage in Private Browsing
and Strict Enhanced Tracking Protection with SmartBlock,
which provides stand-in scripts so that websites load
properly.
- Improved Print functionality with a cleaner design and
better integration with your computer's printer settings.
- Firefox now protects you from supercookies, a type of
tracker that can stay hidden in your browser and track you
online, even after you clear cookies. By isolating
supercookies, Firefox prevents them from tracking your web
browsing from one site to the next.
- Firefox now remembers your preferred location for saved
bookmarks, displays the bookmarks toolbar by default on new
tabs, and gives you easy access to all of your bookmarks via
a toolbar folder.
- Native support for macOS devices built with Apple Silicon
CPUs brings dramatic performance improvements over the non-
native build that was shipped in Firefox 83: Firefox launches
over 2.5 times faster and web apps are now twice as
responsive (per the SpeedoMeter 2.0 test). If you are on a
new Apple device, follow these steps to upgrade to the latest
Firefox.
- Pinch zooming will now be supported for our users with
Windows touchscreen devices and touchpads on Mac devices.
Firefox users may now use pinch to zoom on touch-capable
devices to zoom in and out of webpages.
- We’ve improved functionality and design for a number of
Firefox search features:
* Selecting a search engine at the bottom of the search
panel now enters search mode for that engine, allowing you to
see suggestions (if available) for your search terms. The old
behavior (immediately performing a search) is available with
a shift-click.
* When Firefox autocompletes the URL of one of your search
engines, you can now search with that engine directly in the
address bar by selecting the shortcut in the address bar
results.
* We’ve added buttons at the bottom of the search panel to
allow you to search your bookmarks, open tabs, and history.
- Firefox supports AcroForm, which will allow you to fill in,
print, and save supported PDF forms and the PDF viewer also
has a new fresh look.
- For our users in the US and Canada, Firefox can now save,
manage, and auto-fill credit card information for you, making
shopping on Firefox ever more convenient.
- In addition to our default, dark and light themes, with
this release, Firefox introduces the Alpenglow theme: a
colorful appearance for buttons, menus, and windows. You can
update your Firefox themes under settings or preferences.
* Changed: Firefox no longer supports Adobe Flash. There is no
setting available to re-enable Flash support.
* Enterprise: Various bug fixes and new policies have been
implemented in the latest version of Firefox. See more
details in the Firefox for Enterprise 91 Release Notes.
MFSA 2021-33 (bsc#1188891):
* CVE-2021-29986: Race condition when resolving DNS names could have led to
memory corruption
* CVE-2021-29981: Live range splitting could have led to conflicting
assignments in the JIT
* CVE-2021-29988: Memory corruption as a result of incorrect style treatment
* CVE-2021-29983: Firefox for Android could get stuck in fullscreen mode
* CVE-2021-29984: Incorrect instruction reordering during JIT optimization
* CVE-2021-29980: Uninitialized memory in a canvas object could have led to
memory corruption
* CVE-2021-29987: Users could have been tricked into accepting unwanted
permissions on Linux
* CVE-2021-29985: Use-after-free media channels
* CVE-2021-29982: Single bit data leak due to incorrect JIT optimization and
type confusion
* CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
* CVE-2021-29990: Memory safety bugs fixed in Firefox 91
ImportantSUSE bug 1188891SUSE bug 1189547SUSE bug 1190269SUSE bug 1190274CVE-2021-29980 at SUSECVE-2021-29980 at NVDCVE-2021-29981 at SUSECVE-2021-29981 at NVDCVE-2021-29982 at SUSECVE-2021-29982 at NVDCVE-2021-29983 at SUSECVE-2021-29983 at NVDCVE-2021-29984 at SUSECVE-2021-29984 at NVDCVE-2021-29985 at SUSECVE-2021-29985 at NVDCVE-2021-29986 at SUSECVE-2021-29986 at NVDCVE-2021-29987 at SUSECVE-2021-29987 at NVDCVE-2021-29988 at SUSECVE-2021-29988 at NVDCVE-2021-29989 at SUSECVE-2021-29989 at NVDCVE-2021-29990 at SUSECVE-2021-29990 at NVDCVE-2021-29991 at SUSECVE-2021-29991 at NVDCVE-2021-38492 at SUSECVE-2021-38492 at NVDCVE-2021-38495 at SUSECVE-2021-38495 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_8_0-ibm (Moderate)SUSE OpenStack Cloud 8
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 6 Fix Pack 20 [bsc#1180063,bsc#1177943]
CVE-2020-14792 CVE-2020-14797 CVE-2020-14781 CVE-2020-14779
CVE-2020-14798 CVE-2020-14796 CVE-2020-14803
* Class libraries:
- SOCKETADAPTOR$SOCKETINPUTSTREAM.READ is blocking for more time
that the set timeout
- Z/OS specific C function send_file is changing the file pointer
position
* Java Virtual Machine:
- Crash on iterate java stack
- Java process hang on SIGTERM
* JIT Compiler:
- JMS performance regression from JDK8 SR5 FP40 TO FP41
* Class Libraries:
- z15 high utilization following Z/VM and Linux migration from
z14 To z15
* Java Virtual Machine:
- Assertion failed when trying to write a class file
- Assertion failure at modronapi.cpp
- Improve the performance of defining and finding classes
* JIT Compiler:
- An assert in ppcbinaryencoding.cpp may trigger when running
with traps disabled on power
- AOT field offset off by n bytes
- Segmentation fault in jit module on ibm z platform ModerateSUSE bug 1177943SUSE bug 1180063CVE-2020-14779 at SUSECVE-2020-14779 at NVDCVE-2020-14781 at SUSECVE-2020-14781 at NVDCVE-2020-14792 at SUSECVE-2020-14792 at NVDCVE-2020-14796 at SUSECVE-2020-14796 at NVDCVE-2020-14797 at SUSECVE-2020-14797 at NVDCVE-2020-14798 at SUSECVE-2020-14798 at NVDCVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for xen (Important)SUSE OpenStack Cloud 8
This update for xen fixes the following issues:
- CVE-2021-28701: Fixed race condition in XENMAPSPACE_grant_table handling (XSA-384) (bsc#1189632).
- Integrate bugfixes (bsc#1189373, bsc#1189378).
ImportantSUSE bug 1189373SUSE bug 1189378SUSE bug 1189632CVE-2021-28701 at SUSECVE-2021-28701 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for sqlite3 (Important)SUSE OpenStack Cloud 8
This update for sqlite3 fixes the following issues:
sqlite3 is sync version 3.36.0 from Factory (jsc#SLE-16032).
The following CVEs have been fixed in upstream releases up to
this point, but were not mentioned in the change log so far:
* bsc#1173641, CVE-2020-15358: heap-based buffer overflow in
multiSelectOrderBy due to mishandling of query-flattener
optimization
* bsc#1164719, CVE-2020-9327: NULL pointer dereference and
segmentation fault because of generated column optimizations in
isAuxiliaryVtabOperator
* bsc#1160439, CVE-2019-20218: selectExpander in select.c proceeds
with WITH stack unwinding even after a parsing error
* bsc#1160438, CVE-2019-19959: memory-management error via
ext/misc/zipfile.c involving embedded '\0' input
* bsc#1160309, CVE-2019-19923: improper handling of certain uses
of SELECT DISTINCT in flattenSubquery may lead to null pointer
dereference
* bsc#1159850, CVE-2019-19924: improper error handling in
sqlite3WindowRewrite()
* bsc#1159847, CVE-2019-19925: improper handling of NULL pathname
during an update of a ZIP archive
* bsc#1159715, CVE-2019-19926: improper handling of certain
errors during parsing multiSelect in select.c
* bsc#1159491, CVE-2019-19880: exprListAppendList in window.c
allows attackers to trigger an invalid pointer dereference
* bsc#1158960, CVE-2019-19603: during handling of CREATE TABLE
and CREATE VIEW statements, does not consider confusion with
a shadow table name
* bsc#1158959, CVE-2019-19646: pragma.c mishandles NOT NULL in an
integrity_check PRAGMA command in certain cases of generated
columns
* bsc#1158958, CVE-2019-19645: alter.c allows attackers to trigger
infinite recursion via certain types of self-referential views
in conjunction with ALTER TABLE statements
* bsc#1158812, CVE-2019-19317: lookupName in resolve.c omits bits
from the colUsed bitmask in the case of a generated column,
which allows attackers to cause a denial of service
* bsc#1157818, CVE-2019-19244: sqlite3,sqlite2,sqlite: The
function sqlite3Select in select.c allows a crash if a
sub-select uses both DISTINCT and window functions, and also
has certain ORDER BY usage
* bsc#928701, CVE-2015-3415: sqlite3VdbeExec comparison operator
vulnerability
* bsc#928700, CVE-2015-3414: sqlite3,sqlite2: dequoting of
collation-sequence names
* CVE-2020-13434 bsc#1172115: integer overflow in
sqlite3_str_vappendf
* CVE-2020-13630 bsc#1172234: use-after-free in fts3EvalNextRow
* CVE-2020-13631 bsc#1172236: virtual table allowed to be renamed
to one of its shadow tables
* CVE-2020-13632 bsc#1172240: NULL pointer dereference via
crafted matchinfo() query
* CVE-2020-13435: Malicious SQL statements could have crashed the
process that is running SQLite (bsc#1172091)
ImportantSUSE bug 1157818SUSE bug 1158812SUSE bug 1158958SUSE bug 1158959SUSE bug 1158960SUSE bug 1159491SUSE bug 1159715SUSE bug 1159847SUSE bug 1159850SUSE bug 1160309SUSE bug 1160438SUSE bug 1160439SUSE bug 1164719SUSE bug 1172091SUSE bug 1172115SUSE bug 1172234SUSE bug 1172236SUSE bug 1172240SUSE bug 1173641SUSE bug 928700SUSE bug 928701CVE-2015-3414 at SUSECVE-2015-3414 at NVDCVE-2015-3415 at SUSECVE-2015-3415 at NVDCVE-2016-6153 at SUSECVE-2016-6153 at NVDCVE-2017-10989 at SUSECVE-2017-10989 at NVDCVE-2017-2518 at SUSECVE-2017-2518 at NVDCVE-2018-20346 at SUSECVE-2018-20346 at NVDCVE-2018-8740 at SUSECVE-2018-8740 at NVDCVE-2019-16168 at SUSECVE-2019-16168 at NVDCVE-2019-19244 at SUSECVE-2019-19244 at NVDCVE-2019-19317 at SUSECVE-2019-19317 at NVDCVE-2019-19603 at SUSECVE-2019-19603 at NVDCVE-2019-19645 at SUSECVE-2019-19645 at NVDCVE-2019-19646 at SUSECVE-2019-19646 at NVDCVE-2019-19880 at SUSECVE-2019-19880 at NVDCVE-2019-19923 at SUSECVE-2019-19923 at NVDCVE-2019-19924 at SUSECVE-2019-19924 at NVDCVE-2019-19925 at SUSECVE-2019-19925 at NVDCVE-2019-19926 at SUSECVE-2019-19926 at NVDCVE-2019-19959 at SUSECVE-2019-19959 at NVDCVE-2019-20218 at SUSECVE-2019-20218 at NVDCVE-2019-8457 at SUSECVE-2019-8457 at NVDCVE-2020-13434 at SUSECVE-2020-13434 at NVDCVE-2020-13435 at SUSECVE-2020-13435 at NVDCVE-2020-13630 at SUSECVE-2020-13630 at NVDCVE-2020-13631 at SUSECVE-2020-13631 at NVDCVE-2020-13632 at SUSECVE-2020-13632 at NVDCVE-2020-15358 at SUSECVE-2020-15358 at NVDCVE-2020-9327 at SUSECVE-2020-9327 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-Pillow (Important)SUSE OpenStack Cloud 8
This update for python-Pillow fixes the following issues:
- CVE-2021-23437: Fixed regular expression denial of service (ReDoS) via the getrgb function (bsc#1190229).
ImportantSUSE bug 1190229CVE-2021-23437 at SUSECVE-2021-23437 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-urllib3 (Moderate)SUSE OpenStack Cloud 8
This update for python-urllib3 fixes the following security issue:
- CVE-2020-26137: A CRLF injection via HTTP request method was fixed (bsc#1177120)
Note that this was fixed in a previous version update to 1.25.9, this update just complements the tracking.
ModerateSUSE bug 1177120CVE-2020-26137 at SUSECVE-2020-26137 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for glibc (Moderate)SUSE OpenStack Cloud 8
This update for glibc fixes the following issues:
Security issues fixed:
- CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911)
- CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489)
Also the following bug was fixed:
- Avoid concurrency problem in ldconfig (bsc#1117993)
ModerateSUSE bug 1117993SUSE bug 1186489SUSE bug 1187911CVE-2021-33574 at SUSECVE-2021-33574 at NVDCVE-2021-35942 at SUSECVE-2021-35942 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud 8
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.32.4
- CVE-2021-30858: Fixed a security bug that could allow maliciously crafted web content to achieve arbitrary code execution. (bsc#1190701)
- CVE-2021-21806: Fixed an exploitable use-after-free vulnerability via specially crafted HTML web page. (bsc#1188697)
ImportantSUSE bug 1188697SUSE bug 1190701CVE-2021-21806 at SUSECVE-2021-21806 at NVDCVE-2021-30858 at SUSECVE-2021-30858 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for apache2 (Important)SUSE OpenStack Cloud 8
This update for apache2 fixes the following issues:
- CVE-2021-40438: Fixed a SRF via a crafted request uri-path. (bsc#1190703)
- CVE-2021-39275: Fixed an out-of-bounds write in ap_escape_quotes() via malicious input. (bsc#1190666)
- CVE-2021-34798: Fixed a NULL pointer dereference via malformed requests. (bsc#1190669)
ImportantSUSE bug 1190666SUSE bug 1190669SUSE bug 1190703CVE-2021-34798 at SUSECVE-2021-34798 at NVDCVE-2021-39275 at SUSECVE-2021-39275 at NVDCVE-2021-40438 at SUSECVE-2021-40438 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python3 (Important)SUSE OpenStack Cloud 8
This update for python3 fixes the following issues:
- Provide the newest setuptools wheel (bsc#1176262,
CVE-2019-20916) in their correct form (bsc#1180686).
ImportantSUSE bug 1176262SUSE bug 1180686CVE-2019-20916 at SUSECVE-2019-20916 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.2.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-45 (bsc#1191332)
* CVE-2021-38496: Use-after-free in MessageTask
* CVE-2021-38497: Validation message could have been overlaid on another origin
* CVE-2021-38498: Use-after-free of nsLanguageAtomService object
* CVE-2021-32810: Fixed Data race in crossbeam-deque
* CVE-2021-38500: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2
* CVE-2021-38501: Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2
- Fixed crash in FIPS mode (bsc#1190710)
ImportantSUSE bug 1190710SUSE bug 1191332CVE-2021-32810 at SUSECVE-2021-32810 at NVDCVE-2021-38496 at SUSECVE-2021-38496 at NVDCVE-2021-38497 at SUSECVE-2021-38497 at NVDCVE-2021-38498 at SUSECVE-2021-38498 at NVDCVE-2021-38500 at SUSECVE-2021-38500 at NVDCVE-2021-38501 at SUSECVE-2021-38501 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for javapackages-tools, javassist, mysql-connector-java, protobuf, python-python-gflags (Important)SUSE OpenStack Cloud 8
This update for javapackages-tools, javassist, mysql-connector-java, protobuf, python-python-gflags contains the following fixes:
Changes in mysql-connector-java:
- Restrict license to GPL-2.0-only
- Fix README adjustments
- Depend on log4j rather than log4j-mini and adjust log4j dependencies to
account for the lack of log4j12 Provides in some code streams.
- Add missing Group tag
- Update to 8.0.25 (SOC-11543)
Changes in 8.0.25
* No functional changes: version alignment with MySQL Server 8.0.25.
Changes in 8.0.24
* Bug#102188 (32526663), AccessControlException with AuthenticationLdapSaslClientPlugin.
* Bug#22508715, SETSESSIONMAXROWS() CALL ON CLOSED CONNECTION RESULTS IN NPE.
* Bug#102131 (32338451), UPDATABLERESULTSET NPE WHEN USING DERIVED QUERIES OR VIEWS.
* Bug#101596 (32151143), GET THE 'HOST' PROPERTY ERROR AFTER CALLING TRANSFORMPROPERTIES() METHOD.
* Bug#20391832, SETOBJECT() FOR TYPES.TIME RESULTS IN EXCEPTION WHEN VALUE HAS FRACTIONAL PART.
* Bug#97730 (31699993), xdev api: ConcurrentModificationException at Session.close.
* Bug#99708 (31510398), mysql-connector-java 8.0.20 ASSERTION FAILED: Unknown message type: 57 s.close.
* Bug#32122553, EXTRA BYTE IN COM_STMT_EXECUTE.
* Bug#101558 (32141210), NULLPOINTEREXCEPTION WHEN EXECUTING INVALID QUERY WITH USEUSAGEADVISOR ENABLED.
* Bug#102076 (32329915), CONTRIBUTION: MYSQL JDBC DRIVER RESULTSET.GETLONG() THROWS NUMBEROUTOFRANGE.
* Bug#31747910, BUG 30474158 FIX IMPROVES JDBC COMPLIANCE BUT CHANGES DEFAULT RESULTSETTYPE HANDLING.
* Bug#102321 (32405590), CALLING RESULTSETMETADATA.GETCOLUMNCLASSNAME RETURNS WRONG VALUE FOR DATETIME.
* WL#14453, Pluggable authentication: new default behavior & user-less authentications.
* WL#14392, Improve timeout error messages [classic].
* WL#14202, XProtocol: Support connection close notification.
Changes in 8.0.23
* Bug#21789378, FORCED TO SET SERVER TIMEZONE IN CONNECT STRING.
* Bug#95644 (30573281), JDBC GETDATE/GETTIME/GETTIMESTAMP INTERFACE BEHAVIOR CHANGE AFTER UPGRADE 8.0.
* Bug#94457 (29402209), CONNECTOR/J RESULTSET.GETOBJECT( ..., OFFSETDATETIME.CLASS ) THROWS.
* Bug#76775 (20959249), FRACTIONAL SECONDS IN TIME VALUES ARE NOT AVAILABLE VIA JDBC.
* Bug#99013 (31074051), AN EXTRA HOUR GETS ADDED TO THE TIMESTAMP WHEN SUBTRACTING INTERVAL 'N' DAYS.
* Bug#98695 (30962953), EXECUTION OF 'LOAD DATA LOCAL INFILE' COMMAND THROUGH JDBC FOR DATETIME COLUMN.
* Bug#101413 (32099505), JAVA.TIME.LOCALDATETIME CANNOT BE CAST TO JAVA.SQL.TIMESTAMP.
* Bug#101242 (32046007), CANNOT USE BYTEARRAYINPUTSTREAM AS ARGUMENTS IN PREPARED STATEMENTS AN MORE.
* WL#14274, Support for authentication_ldap_sasl_client(SCRAM-SHA-256) authentication plugin.
* WL#14206, Support for authentication_ldap_sasl_client(GSSAPI) authentication plugin.
* WL#14207, Replace language in APIs and source code/docs.
Changes in 8.0.22
* Bug#98667 (31711961), 'All pipe instances are busy' exception on multiple connections to named Pipe.
* Bug#96309 (31699357), MultiHost in loadbalance may lead to a TPS reduction during a quick switch.
* Bug#99076 (31083755), Unclear exception/error when connecting with jdbc:mysql to a mysqlx port.
* Bug#96870 (30304764), Contribution: Allow to disable AbandonedConnectionCleanupThread completely.
* WL#14115, Support for authentication_ldap_sasl_client (SCRAM-SHA-1) authentication plugin.
* WL#14096, Add option to specify LOAD DATA LOCAL allow list folder.
* WL#13780, Skip system-wide trust and key stores (incl. X DevAPI client certs).
* WL#14017, XProtocol -- support for configurable compression algorithms.
* Bug#92903 (28834903), MySQL Connector/j should support wildcard names or alternative names.
* Bug#99767 (31443178), Contribution: Check SubjectAlternativeName for TLS instead of commonName.
* Bug#93444 (29015453), LOCALDATETIME PARAMETER VA UES ALTERED WHEN CLIENT AND SERVER TIMEZONES DIFFER.
* WL#14052, Remove asynchronous variant of X Protocol.
* Bug#99713 (31418928), NPE DURING COM.MYSQL.CJ.SERVERPREPAREDQUERYBINDVALUE.STOREDATE().
* WL#14068, Remove legacy integration with JBoss.
Changes in 8.0.21
* WL#14051, Upgrade Protocol Buffers dependency to protobuf-java-3.11.4.
* WL#14042, Upgrade testsuite to JUnit 5.
* Bug#98237 (30911870), PREPAREDSTATEMENT.SETOBJECT(I, 'FALSE', TYPES.BOOLEAN) ALWAYS SETS TRUE OR 1.
* WL#13008, DevAPI: Add schema validation to create collection.
Changes in 8.0.20
* Bug#30805426, IN CASE OF ISAUTHMETHODSWITCHREQUESTPACKET , TOSERVERS > 1 ARE IGNORED.
* Bug#97714 (30570249), Contribution: Expose elapsed time for query interceptor
* Bug#97724 (30570721), Contribution: Allow \'3.\' formatted numbers.
* Bug#98536 (30877755), SIMPLEDATEFORMAT COULD CACHE A WRONG CALENDAR.
Fix for Bug#91112 (28125069), AGAIN WRONG JAVA.SQL.DATE.
* Bug#30474158, CONNECTOR/J 8 DOES NOT HONOR THE REQUESTED RESULTSETTYPE SCROLL_INSENSITIVE ETC.
* Bug#98445 (30832513), Connection option clientInfoProvider=ClientInfoProviderSP causes NPE.
* WL#12248, DevAPI: Connection compression.
* Bug#30636056, ResultSetUtil.resultSetToMap() can be unsafe to use.
* Bug#97757 (30584907), NULLPOINTEREXCEPTION WITH CACHERESULTSETMETADATA=TRUE AND EXECUTEQUERY OF 'SET'.
Changes in 8.0.19
* WL#13346, Support for mult-host and failover.
* Bug#97413 (30477722), DATABASEMETADATA IS BROKEN AFTER SERVER WL#13528.
* WL#13367, DNS SRV support.
* WL#12736, DevAPI: Specify TLS ciphers to be used by a client or session.
* Bug#96383 (30119545) RS.GETTIMESTAMP() HAS * DIFFERENT RESULTS FOR TIME FIELDS WITH USECURSORFETCH=TRUE.
* Bug#96059 (29999318), ERROR STREAMING MULTI RESULTSETS WITH MYSQL-CONNECTOR-JAVA 8.0.X.
* Bug#96442 (30151808), INCORRECT DATE ERROR WHEN CALLING GETMETADATA ON PREPARED STATEMENT.
Changes in 8.0.18
* WL#13347, Connectors should handle expired password sandbox without SET operations.
* Bug#84098 (25223123), endless loop in LoadBalancedAutoCommitInterceptor.
* Bug#23721537, MULTI-SELECT WITH EXECUTEASYNC() GIVES IMPROPER ERROR.
* Bug#95741 (29898567), METADATA QUERY USES UPPER() AROUND NUMERIC EXPRESSION.
* Bug#20913289, PSTMT.EXECUTEUPDATE() FAILS WHEN SQL MODE IS NO_BACKSLASH_ESCAPES.
* Bug#80441 (22850444), SYNTAX ERROR ON RESULTSET.UPDATEROW() WITH SQL_MODE NO_BACKSLASH_ESCAPES.
Changes in 8.0.17
* WL#13210, Generate Javadocs via ant.
* WL#12247, DevAPI: indexing array fields.
* WL#12726, DevAPI: Add overlaps and not_overlaps as operator.
* Bug#95503 (29821029), Operator IN not mapping consistently to the right X Plugin operation.
* WL#12942, Update README.md and add new CONTRIBUTING.md.
* WL#13125, Support fully qualified hostnames longer than 60 characters.
* Bug#95210 (29807741), ClassCastException in BlobFromLocator when connecting as jdbc:mysql:replication.
* Bug#29591275, THE JAR FILE NEEDS TO CONTAIN A README AND LICENSE FILE.
* WL#13124, Support new utf8mb4 bin collation.
* WL#13009, DevAPI: Deprecate methods.
* WL#11101, Remove de-cache and close of SSPSs on double call to close().
* Bug#89133 (27356869) CONTRIBUTION: UPDATE DA ABASEMETADATA.JAVA.
* Bug#11891000, DABATASEMETADATA.GETTABLES() IGNORES THE SCHEMA_PATTERN ARGUMENT.
* Bug#94101 (29277648), SETTING LOGSLOWQUERIES SHOULD NOT AUTOMATICALLY ENABLE PROFILESQL FOR QUERIES.
* Bug#74690 (20010454), PROFILEREVENT HOSTNAME HAS NO GETTER().
* Bug#70677 (17640628), CONNECTOR J WITH PROFILESQL - LOG CONTAINS LOTS OF STACKTRACE DATA.
* Bug#41172 (11750577), PROFILEREVENT.PACK() THROWS ARRAYINDEXOUTOFBOUNDSEXCEPTION.
* Bug#27453692, CHARACTERS GET GARBLED IN CONCAT() IN PS WHEN USECURSORFETCH=TRUE.
* Bug#94585 (29452669), GETTABLENAME() RETURNS NULL FOR A QUERY HAVING COUNT(*) WITH JDBC DRIVER V8.0.12.
* Bug#94442 (29446059), RESULTSETIMPL.GETDOUBLE IS INEFFICIENT BECAUSE OF BIGDECIMAL (RE)CONSTRUCTIONS.
Changes in 8.0.16
* WL#12825, Remove third-party libraries from sources and bundles.
* Bug#93590 (29054329), javax.net.ssl.SSLException: closing inbound before receiving peer's close_notify.
* Bug#94414 (29384853), Connector/J RPM package have version number in path.
* Bug#27786499, REDUNDANT FILES IN DEBIAN PACKAGE FOR DEBIAN9(COMMUNITY PACKAGE) FOR CJAVA.
* WL#12246, DevAPI: Prepared statement support.
* WL#10839, Adjust c/J tests to the new 'ON' default for explicit_defaults_for_timestamp.
* Bug#29329326, PLEASE AVOID SHOW PROCESSLIST IF POSSIBLE.
* WL#12460, DevAPI: Support new session reset functionality.
* WL#12459, DevAPI: Support connection-attributes.
* Bug#25650385, GETBYTE() RETURNS ERROR FOR BINARY() FLD.
* Bug#27784363, MYSQL 8.0 JDBC DRIVER THROWS NUMBERFORMATEXCEPTION FOR TEXT DATA
* Bug#93007 (28860051), LoadBalancedConnectionProxy.getGlobalBlacklist bug.
* Bug#29186870, CONNECTOR/J REGRESSION: NOT RETURNING PRECISION GETPROCEDURECOLUMNS.
* Bug#22038729, X DEVAPI: ANY API CALL AFTER A FAILED CALL PROC() RESULTS IN HANG.
* Bug#29244101, ADD MAPPING FOR UTF8MB4_ZH_0900_AS_CS COLLATION.
* Bug#92819 (28834959), EXPRPARSER THROWS WRONGARGUMENTEXCEPTION WHEN PARSING EMPTY JSON ARRAY.
* Bug#21921956, X DEVAPI: EXPRESSION PARSE ERROR WITH UNARY OPERATOR.
* Bug#94031 (29257922), WRONG JSON_UNQUOTE WORKAROUND.
* Bug#22931700, BINDINGS.GETBOOLEAN() ALWAYS RETURNS FALSE.
* Bug#25650912, ERROR MESSAGE NOT CLEAR WHEN WE PASS A CHAR DATA TO ANY TABLE API.
* Bug#25642021, CHANGEUSER() FAILS WHEN ENABLEPACKETDEBUG=TRUE.
Changes in 8.0.15
* Bug#94051 (29261254), Not recommended default for 'allowLoadLocalInfile'.
Changes in 8.0.14
* WL#12298, Connectors: Expose metadata about source and binaries in unified way.
* Bug#93111 (28894344), ConnectionUrl.java contains char U+00A7 (section sign).
* WL#12621, DevAPI: Handling of Default Schema.
* Bug#93340 (28970166), C/J BUILD SCRIPT IS TOO VERBOSE
* WL#12462, DevAPI: Be prepared for initial notice on connection.
* Bug#28924137, WL#12463:IF COLLECTION DOESN'T EXIST, COLL.COUNT() IS GIVING A WRONG ERROR MESSAGE.
* WL#12463, DevAPI: Standardize count method.
* Bug#92508 (28747636), mysql-connector in bootclasspath causing memory leak.
* Bug#25650514, UPDATEROW() CALL FAILS WITH NPE WHEN SSPS=TRUE AND TABLE HAS MULTI-FLD KEY.
* Bug#25650482, REFRESHROW() CALL AFTER UPDATEROW() API FAILS WHEN USESERVERPREPSTMTS=TRUE.
* Bug#92536 (28692243), UPDATEING SERVER SIDE PREPSTMTS RESULTSET FAIL.
* Bug#92625 (28731795), CONTRIBUTION: FIX OBSERVED NPE IN CLEARINPUTSTREAM.
* Bug#23045642, ADDING NO-DOC (MYSQLCONNJ-696) RESULTS IN EXCEPTION.
* Bug#91065 (28101003), ZERODATETIMEBEHAVIOR=CONVERT_TO_NULL SHOULD NOT APPLY TO 00:00:00 TIME COLUMNS.
* Bug#92574 (28706219), WHEN CONVERTING FROM VARCHAR TO JAVA BOOLEAN, 'N' IS NOT SUPPORTED.
* Bug#25642226, CHANGEUSER() NOT SETTING THE DATABASE PROPERLY WITH SHA USER.
* Bug#28606708, NAMED PIPE CONNECTION FOR X PROTOCOL RETURNS NPE, EXPECTED PROPER ERROR MESSAGE.
Changes in 8.0.13
* Bug#91317 (28207422), Wrong defaults on collation mappings.
* WL#12245, DevAPI: Implement connect timeout.
* Bug#21774249, UNIT TEST FAILS WITH ERROR ' 'CEST' IS UNRECOGNIZED TIME ZONE'.
* WL#11857, DevAPI: Implement connection pooling for xprotocol.
* Bug#91873 (28444461), REMOVE USEOLDUTF8BEHAVIOR CONNECTION PROPERTY.
* Bug#92264 (28594434), JSONPARSER PUTS UNNECESSARY MAXIMUM LIMIT ON JSONNUMBER TO 10 DIGITS.
* WL#12110, Extend PropertyDefinitions.PropertyKey usage.
* Bug#81063 (23098159), w/ rewriteBatchedStatements, when 2 tables involved, the rewriting not correct.
* Bug#84813 (25501750), rewriteBatchedStatements fails in INSERT.
* Bug#81196 (23227334), CONNECTOR/J NOT FOLLOWING DATABASE CHARACTER SET.
* Bug#72609 (18749544), SETDATE() NOT USING A PROLEPTIC GREGORIAN CALENDAR.
* Bug#87534 (26730196), UNION ALL query fails when useServerPrepStmts=true on database connection.
* Bug#89948 (27658489), Batched statements are not committed for useLocalTransactionState=true.
* BUG#22305979, WRONG RECORD UPDATED IF SENDFRACTIONALSECONDS=FALSE AND SMT IS SCROLLABLE.
* Bug#27102307, CHANGE USESSL AND VERIFYSERVERCERTIFICATE TO SSLMODE OPTION.
* Bug#28150662, CONNECTOR/J 8 MALFORMED DATABASE URL EXCEPTION WHIT CORRECT URL STRING.
* Bug#91421 (28246270), ALLOWED VALUES FOR ZERODATETIMEBEHAVIOR ARE INCOMPATIBLE WITH NETBEANS.
* Bug#23045604, XSESSION.GETURI() RETURNS NPE.
* Bug#21914769, NPE WHEN TRY TO EXECUTE INVALID JSON STRING.
* Bug#BUG#90887 (28034570), DATABASEMETADATAUSINGINFOSCHEMA#GETTABLES FAILS IF METHOD ARGUMENTS ARE NULL.
* Bug#28207088, C/JAVA: UPDATECLOB(INT COLUMNLABEL, JAVA.SQL.CLOB CLOB) IS FAILING.
* Bug#27629553, NPE FROM GETSESSION() FOR SSL CONNECTION WHEN NO PASSWORD PASSED.
Changes in 8.0.12
* Bug#28208000, MASTER : HANG IN ASYNCHRONOUS SELECT TEST.
* WL#10544, Update MySQL 8.0 keywords list.
* WL#11858, DevAPI: Core API v1 alignment.
* Bug#27652379, NPE FROM GETSESSION(PROPERTIES) WHEN HOST PARAMETER IS GIVEN IN SMALL LETTER.
* BUG#87600 (26724154), CONNECTOR THROWS 'MALFORMED DATABASE URL' ON NON MYSQL CONNECTION-URLS.
* BUG#26089880, GETCONNECTION('MYSQLX://..') RETURNS NON-X PROTOCOL CONNECTION.
* WL#11876, Improve connection properties design.
* WL#11933, Connector/J 8.0 X DevAPI reference documentation update.
* WL#11860, Ensure >= 75% code coverage.
* Bug#90753 (27977617), WAIT_TIMEOUT EXCEEDED MESSAGE NOT TRIGGERED.
* Bug#85941 (25924324), WASNULL NOT SET AFTER GETBYTES IS CALLED.
* Bug#28066709, COLLECTION.CREATEINDEX() TEST IS BROKEN AFTER WL#11808 IMPLEMENTATION.
* Bug#90872 (28027459), FILTERPARAMS CLASS IS NOT NEEDED.
* Bug#27522054, POSSIBLE ASYNC XPROTOCOL MESSAGE HANDLING PERF ISSUE.
The 'xdevapi.useAsyncProtocol' connection property default value is changed to 'false'.
Changes in 8.0.11
* WL#11293, DevAPI: Support new locking modes : NOWAIT and SKIP LOCKED.
* Bug#90029 (27678308), FAILURE WHEN GETTING GEOMCOLLECTION COLUMN TYPE.
* BUG#90024 (27677574), SOME TESTS FAILED AGAINST MYSQL 8.0.5 BECAUSE OF DEPRECATED FEATURES REMOVAL.
* Bug#86741 (26314325), Multi-Host connection with autocommit=0 getAutoCommit maybe wrong.
* Bug#27231383, PROVIDE MAVEN-FRIENDLY COMMERCIAL PACKAGES WITHOUT '-BIN'.
* Bug#26819691, SETTING PACKETDEBUGBUFFERSIZE=0 RESULTS IN CONNECTION FAILURE.
* Bug#88227 (27029657), Connector/J 5.1.44 cannot be used against MySQL 5.7.20 without warnings.
* Bug#27374581, CONNECTION FAILS WHEN GPL SERVER STARTED WITH TLS-VERSION=TLSV1.2.
* WL#11419, DevAPI: New document _id generation support.
* WL#11620, Change caching_sha2_password padding.
* WL#11604, DevAPI: Add SHA256_MEMORY support.
* BUG#86278 (26092824), SUPPORT CUSTOM CONSTRUCTION OF SSLSOCKET DURING CONNECTION ESTABLISHMENT.
* BUG#27226293, JSONNUMBER.GETINTEGER() & NUMBERFORMATEXCEPTION.
* WL#10527, Clean up Protocol and Session interfaces.
Changes in 8.0.9
* WL#11469, Update license header in GPL packages.
* BUG#27247349, WL#11208 : UNIQUE DOES NOT GIVE ERROR EVEN THOUGH IT IS NOT SUPPORTED.
* WL#11208, DevAPI: Collection.createIndex.
* WL#10156, Add setters/getters for connection properties to MysqlDataSource,
MysqlXADataSource and MysqlConnectionPoolDataSource.
* WL#11401, DevAPI: Remove configuration API.
* WL#10619, Ensure compatibility with new data dictionary.
* BUG#27217264, WL#10937: NULL POINTER EXCEPTION WHEN NULL IS PASSED AS _ID IN COLL.REPLACEONE.
* WL#10937, DevAPI: ReplaceOne, AddOrReplaceOne, GetOne, RemoveOne.
* Bug#26723646, JSON_MERGE() FUNCTION IS DEPRECATED IN MYSQL 8.0.
* Bug#27185332, WL#11210:ERROR IS THROWN WHEN NESTED EMPTY DOCUMENTS ARE INSERTED TO COLLECTION.
* Bug#27151601, WL#11210: DOCUMENT PATCH EXPRESSIONS ARE NOT SUPPORTED.
* WL#11210, DevAPI: Modify/MergePatch.
* Bug#79612 (22362474), CONNECTION ATTRIBUTES LOST WHEN CONNECTING WITHOUT DEFAULT DATABASE.
* WL#10152, Enable TLSv1.2 on mysqlx.
* Bug#27131768, NULL POINTER EXCEPTION IN CONNECTION.
* Bug#88232 (27047676), c/J does not rollback transaction when autoReconnect=true.
* Bug#88242 (27040063), autoReconnect and socketTimeout JDBC option makes wrong order of client packet.
* Bug#88021 (26939943), High GC pressure when driver configured with serversideprepared statements.
* Bug#26724085, CHARSET MAPPING TO BE UPDATED FOR MYSQL 8.0.3.
* Bug#87704 (26771560), THE STREAM GETS THE RESULT SET ?THE DRIVER SIDE GET WRONG ABOUT GETLONG().
* Bug#24924097, SERVER GREETING ERROR ISN'T RECOGNIZED DURING HANDSHAKE.
* Bug#26748909, MASTER : ERROR - NO OPERATIONS ALLOWED AFTER STATEMENT CLOSED FOR TOSTRING().
* Bug#26266731, CONCUR_UPDATABLE RESULTSET OPERATIONS FAIL AGAINST 8.0 FOR BOOLEAN COLUMN.
* WL#11239, DevAPI: Remove create table implementation.
* Bug#27131100, WL#11212 : SAVEPOINT CREATING WITH EMPTY STRING AND SPACE AS NAME.
* WL#11212, DevAPI: transaction save-points.
* WL#11060, Support new SHA-256 authentication system.
* Bug#87826 (26846249), MYSQL JDBC CONNECTOR/J DATABASEMETADATA NULL PATTERN HANDLING IS NON-COMPLIANT.
* WL#11163, Extract parameter setters, serverPrepare() and serverExecute() to core classes.
* BUG#26995710, WL#11161 : NULL POINTER EXCEPTION IN EXECUTEBATCH() AND CLOSE().
* WL#11161, Unify query bindings.
* WL#8469, Don't extract query text from packets when possible.
Changes in 8.0.8
* BUG#26722030, TEST FAILING DUE TO BINARY LOGGING ENABLED BY DEFAULT IN MYSQL 8.0.3.
* BUG#26722018, TESTS FAILING DUE TO CHANGE IN INFORMATION_SCHEMA.INNODB_SYS_* NAMING.
* BUG#26750807, MASTER : NULL POINTER EXCEPTION IN SCHEMA.DROPVIEW(NULL).
* BUG#26750705, MASTER : ERROR - UNSUPPORTED CONVERSION FROM TIME TO JAVA.SQL.DATE.
* WL#10620, DevAPI: SHA256 Authentication support.
* WL#10936, DevAPI: Row locking for Crud.Find.
* WL#9868, DevAPI: Configuration handling interface.
* WL#10935, DevAPI: Array or Object 'contains' operator.
* WL#9875, Prepare c/J 8.0 for DEB and RPM builds.
* BUG#26259384, CALLABLE STATEMENT GIVES ERROR IN C/JAVA WHEN RUN AGAINST MYSQL 8.0.
* Bug#26393132, NULLPOINTEREXCEPTION IS THROWN WHEN TRIED TO DROP A NULL COLLECTION.
* WL#10532, DevAPI: Cleanup Drop APIs.
* Bug#87429 (26633984), repeated close of ServerPreparedStatement causes memory leak.
* Bug#87379 (26646676), Perform actual TLS capabilities check when restricting TLSv1.2.
* Bug#85601 (25777822), Unit notation is missing in the description of the property involved in the time.
* Bug#87153 (26501245), INCORRECT RESULT OF DBMD.GETVERSIONCOLUMNS() AGAINST MYSQL 8.0.2+.
* Bug#78313 (21931572), proxies not handling Object.equals(Object) calls correctly.
* Bug#85885 (25874048), resultSetConcurrency and resultSetType are swapped in call to prepareStatement.
* Bug#74932 (20066806), ConnectionImp Doesn't Close Server Prepared Statement (PreparedStatement Leak).
* WL#10536, Deprecating COM_SHUTDOWN.
* Bug#25946965, UPDATE THE TIME ZONE MAPPINGS WITH LATEST TZ DATABASES.
* Bug#20182108, INCLUDE CUSTOM LOAD BALANCING STRATEGY USING PLUGIN API.
* Bug#26440544, CONNECTOR/J SHOULD NOT USE TX_{READ_ONLY,ISOLATION} WHICH IS PLANNED FOR REMOVAL.
* Bug#26399958, UNABLE TO CONNECT TO MYSQL 8.0.3.
* Bug#25650305, GETDATE(),GETTIME() AND GETTIMESTAMP() CALL WITH NULL CALENDAR RETURNS NPE.
Changes in 8.0.7
* Bug#26227653, WL#10528 DIFF BEHAVIOUR WHEN SYSTEM PROP JAVAX.NET.SSL.TRUSTSTORETYPE IS SET.
* WL#10528, DevAPI: Ensure all connectors are secure by default.
* WL#8305, Remove internal dependency on connection objects.
* Bug#22972057, X DEVAPI: CLIENT HANGS AFTER CONNECTION FAILURE.
* Bug#26140577, GIS TESTS ARE FAILING WITH MYSQL 8.0.1.
* WL#10765, DevAPI: Forbid modify() and remove() with no condition.
* Bug#26090721, CONNECTION FAILING WHEN SERVER STARTED WITH COLLATION UTF8MB4_DE_PB_0900_AI_CI.
* WL#10781, enum-based connection properties.
* Bug#73775 (19531384), DBMD.getProcedureColumns()/.getFunctionColumns() fail to filter by columnPattern.
* Bug#84324 (25321524), CallableStatement.extractProcedureName() not work when catalog name with dash.
* Bug#79561 (22333996), NullPointerException when calling a fully qualified stored procedure.
* Bug#84783 (25490163), query timeout is not working(thread hang).
* Bug#70704 (17653733), Deadlock using UpdatableResultSet.
* Bug#66430 (16714868), setCatalog on connection leaves ServerPreparedStatement cache for old catalog.
* Bug#70808 (17757070), Set sessionVariables in a single query.
* Bug#77192 (21170603), Description for the Property replicationConnetionGroup Missing from the Manual.
* Bug#83834 (25101890), Typo in Connector/J error message.
* WL#10531, Support utf8mb4 as default charset.
* Bug#85555 (25757019), useConfigs Can't find configuration template named, in mysql-connector-java 6.x
* WL#10529, Move version number to 8.0.
* WL#10530, DevAPI: Remove XSession, rename NodeSession to Session.
* Bug#23510958, CONCURRENT ASYNC OPERATIONS RESULT IN HANG.
* Bug#23597281, GETNODESESSION() CALL WITH SSL PARAMETERS RETURNS CJCOMMUNICATIONSEXCEPTION.
* Bug#25207784, C/J DOESN'T FOLLOW THE FINAL X DEVAPI MY-193 SPECIFICATION.
* Bug#25494338, ENABLEDSSLCIPHERSUITES PARAMETER NOT WORKING AS EXPECTED WITH X-PLUGIN.
* Bug#84084 (25215008), JAVA.LANG.ARRAYINDEXOUTOFBOUNDSEXCEPTION ON ATTEMPT TO GET VALUE FROM RESULTSET.
* WL#10553, Add mapping for Japanese utf8mb4 collation.
* Bug#25575103, NPE FROM CREATETABLE() WHEN SOME OF THE INPUTS ARE NULL.
* Bug#25575156, NPE FROM CREATEVIEW() WHEN SOME OF THE INPUTS ARE NULL.
* Bug#25636947, CONNECTION USING MYSQL CLIENT FAILS IF WE USE THE SSL CERTIFICATES FROM C/J SRC.
* Bug#25687718, INCORRECT TIME ZONE IDENTIFIER IN STATEMENTREGRESSIONTEST.
* Bug#25556597, RESULTSETTEST.TESTPADDING UNIT TEST IS FAILING IN 5.1.41 RELEASE PACKAGE.
* Bug#25517837, CONNECT PERFORMNACE DEGRADED BY 10% IN 5.1.41.
* Bug#25504578, CONNECT FAILS WHEN CONNECTIONCOLLATION=ISO-8859-13.
* Bug#25438355, Improper automatic deserialization of binary data.
* Bug#70785 (17756825), MySQL Connector/J inconsistent init state for autocommit.
* Bug#66884: Property 'elideSetAutoCommits' temporarily defaults to 'false' until this bug is fixed.
* Bug#75615 (21181249), Incorrect implementation of Connection.setNetworkTimeout().
* Bug#81706 (23535001), NullPointerException in driver.
* Bug#83052 (25048543), static method in com.mysql.jdbc.Util relies on null object.
* Bug#69526 (17035755), 'Abandoned connection cleanup thread' at mysql-connector-java-5.1.25.
* Bug#82826 (24942672), Unneeded version requirement for javax.net.ssl Import-Package on OSGi MANIFEST.MF.
Changes in 6.0.6
* Added Core TLS/SSL options for the mysqlx URI scheme.
* Updated collations map.
* Bug#24350526, UNEXPECTED BEHAVIOUR OF IS_NUMBER_SIGNED API IN C/JAVA.
* Bug#82707 (24512766), WRONG MILLI SECOND VALUE RETURNED FROM TIMESTAMP COLUMN.
* Bug#82005 (23702040), JDBCDATEVALUEFACTORY FAILS TO PARSE SOME DATES.
* Bug#83725 (25056803), NPE IN XPROTOCOL.GETPLUGINVERSION() WITH MYSQL 5.7.17.
* Bug#24525461, UPDATABLE RESULTSET FEATURE FAILS WHEN USESERVERPREPSTMTS=TRUE.
* Bug#24527173, QUERY EXECUTION USING PREPARED STMT FAILS WHEN USECURSORFETCH=TRUE.
* Bug#82964 (24658016), JSR-310 DATA TYPES CREATED THROUGH JAVA.SQL TYPES.
* Bug#81202 (23188159), RESULTSETIMPL.GETOBJECT THROWS NULLPOINTEREXCEPTION WHEN FIELD IS NULL.
* Bug#22931277, COLUMN.GETTYPE() RETURNS ERROR FOR VALID DATATYPES.
* BUG#24471057, UPDATE FAILS WHEN THE NEW VALUE IS OF TYPE DBDOC WHICH HAS ARRAY IN IT.
* Bug#81691 (23519211), GETLASTDOCUMENTIDS() DOESN'T REPORT IDS PROVIDED BY USER.
* Bug#82826 (24942672), Unneeded version requirement for javax.net.ssl Import-Package on OSGi MANIFEST.MF.
Changes in 6.0.5
* BUG#82896 (24613062), Unexpected behavior on attempt to connect to JDBC driver with unsupported URL.
* Added client-side failover during XSession initialization for multi-router configuration.
* Removed Extension interface. All extension classes now implement their specific interfaces.
* Bug#22988922, GETLENGTH() RETURNS -1 FOR LONGBLOB AND LONGTEXT FIELDS.
* Bug#24619829, NEW FAILURES IN C/JAVA UNITTESTS AGAINST MYSQL 8.0.
* Bug#75209 (20212882), Set useLocalTransactionState may result in partially committed transaction.
* Bug#48346 (11756431), Communications link failure when reading compressed data with compressed=true.
* Bug#80631 (22891845), ResultSet.getString return garbled result with json type data.
* Bug#64188 (13702433), MysqlXAConnection.MYSQL_ERROR_CODES_TO_XA_ERROR_CODES is missing XA error codes.
* Bug#72632 (18759269), NullPointerException for invalid JDBC URL.
* Bug#82115 (23743956), Some exceptions are intercepted twice or fail to set the init cause.
* Bug#78685 (21938551), Wrong results when retrieving the value of a BIT column as an integer.
* Bug#80615 (22954007), prepared statement leak when rewriteBatchedStatements=true and useServerPrepStmt.
* Extended X DevAPI with flexible parameter lists.
* Added a virtual NodeSession to X DevAPI.
Changes in 6.0.4
* X DevAPI URL prefix changed from 'mysql:x:' to 'mysqlx:'.
* Bug#24301468 X DEVAPI SSL CONNECTION FAILS ON WINDOWS
* The X DevAPI Table object now represents both database tables and views.
* Added support for matching against pattern for X DevAPI list_objects calls.
* Added Schema.getCollections(String pattern) and Schema.getTables(String pattern) interface methods.
* Switched to 'mysqlx' namespace for X DevAPI StmtExecute messages.
This change is incompatible to MySQL server versions < 5.7.14.
* Bug#82046 (23743947), MYSQL CONNECTOR JAVA OSGI METADATA BROKEN.
* Bug#21690043, CONNECT FAILS WHEN PASSWORD IS BLANK.
* Bug#22931433, GETTING VALUE OF BIT COLUMN RESULTS IN EXCEPTION.
Changes in 6.0.3
* Bug#23535571, EXCESSIVE MEMORY USAGE WHEN ENABLEPACKETDEBUG=TRUE.
* Bug#23212347, ALL API CALLS ON RESULTSET METADATA RESULTS IN NPE WHEN USESERVERPREPSTMTS=TRUE.
* Bug#23201930, CLIENT HANG WHEN RSLT CUNCURRENCY=CONCUR_UPDATABLE AND RSLTSET TYPE=FORWARD_ONLY.
* Bug#23188498, CLIENT HANG WHILE USING SERVERPREPSTMT WHEN PROFILESQL=TRUE AND USEIS=TRUE.
* Bug#22678872, NPE DURING UPDATE WITH FABRIC.
* Bug#71131 (18068303), Poor error message in CallableStatement.java.
* Bug#59462 (16736619), ConcurrentModificationException inside ConnectionImpl.closeAllOpenStatements().
* Bug#22848249, LOADBALANCECONNECTIONGROUPMANAGER.REMOVEHOST() NOT WORKING AS EXPECTED.
* Bug#22730682, ARRAYINDEXOUTOFBOUNDSEXCEPTION FROM CONNECTIONGROUPMANAGER.REMOVEHOST().
* Bug#77171 (21181466), On every connect getting sql_mode from server creates unnecessary exception.
* Bug#79343 (22353759), NPE in TimeUtil.loadTimeZoneMappings causing server time zone value unrecognized.
* Bug#22038729, X DevAPI: Any API call after a failed CALL PROC() results in hang
* Replace Schema.drop(), Collection.drop() by X DevAPI's session.dropSchema() and session.dropCollection().
* Added session.dropTable().
* Bug#22932078, GETTIMESTAMP() RETURNS WRONG VALUE FOR FRACTIONAL PART
* Extracted packet readers from MysqlaProtocol.
* Bug#22972057, X protocol CLIENT HANGS AFTER CONNECTION FAILURE
* Bug#23044312, NullPointerException in X protocol AsyncMessageReader due to race condition
* Returned support for MySQL 5.5 and 5.6.
Changes in 6.0.2
* Deprecate the EOF packet.
* Bug#75956, Inserting timestamps using a server PreparedStatement and useLegacyDatetimeCode=false
* Bug#22385172, CONNECTOR/J MANIFEST DOES NOT EXPOSE FABRIC (OSGi).
* Bug#22598938, FABRICMYSQLDATASOURCE.GETCONNECTION() NPE AFTER SWITCHOVER.
* Bug#21286268, CONNECTOR/J REPLICATION USE MASTER IF SLAVE IS UNAVAILABLE.
* Bug#21296840 & Bug#17910835, Server information in a group from Fabric is not refreshed after expired TTL.
* Bug#56122 (11763419), JDBC4 functionality failure when using replication connections.
* Added support for TLSv1.1 and TLSv1.2
* Bug#78961 (22096981), Can't call MySQL procedure with InOut parameters in Fabric environment.
* Bug#56100 (11763401), Replication driver routes DML statements to read-only slaves.
* StandardSSLSocketFactory implements SocketMetadata.
* Bug#21978216, GETTYPEINFO REPORT MAXIMUM PRECISION OF 255 FOR VARBINARY.
* Bug#78706 (21947042), Prefer TLS where supported by MySQL Server.
* Bug#21934573, FABRIC CODE INVOLVED IN THREAD DEADLOCK.
* Bug#21876798, CONNECTOR/J WITH MYSQL FABRIC AND SPRING PRODUCES PROXY ERROR.
Changes in 6.0.1
* Removed useJvmCharsetConverters connection property. JVM charset converters are now used in all cases.
* Refactored value decoding and removed all date/time connection properties
* Refactored connection properties
* Assume existence of INFORMATION_SCHEMA.PARAMETERS (and thus MySQL 5.5) when preparing stored procedure calls.
* Removed retainStatementAfterResultSetClose connection property.
* Null-merge of Bug#54095 (11761585) fix.
* Removed support code for MySQL server versions < 5.7.
* Bug#76859 (20969312), DBMD getColumns using I_S doesn't have column IS_GENERATEDCOLUMN as per JDBC 4.1.
* Added support for GENERATED COLUMNS.
* Update Time Zone mappings with IANA Time Zone database tsdata2015f and Unicode CLDR v.28.
* Update DatabaseMetaData SQL keywords.
* Added tests for Optimizer hints syntax introduced in MySQL 5.7.7.
* Bug#21860833, JSON DATA TYPE DOESN'T WORK WITH SSPS.
* Added support for JSON data type.
* Added support for JDBC 4.2 new features.
* Bug#16634180, LOCK WAIT TIMEOUT EXCEEDED CAUSES SQLEXCEPTION, SHOULD CAUSE SQLTRANSIENTEXCEPTION
* Bug#75849 (20536592), NPE in abortInternal() method on line 1358 of ConnectionImpl.
* Bug#78106 (21648826), Potential memory leak with inflater.
* Bug#78225 (21697684), DEFAULT NO_AUTO_CREATE_USER SQL_MODE BEHAVIOR BROKE SOME TESTS
* Bug#77665 (21415165), JDBC fails to connect with MySQL 5.0.
* Bug#77681 (21429909), rewrite replace sql like insert when rewriteBatchedStatements=true (contribution).
* Bug#77449 (21304726) Add 'truncateFractionalSeconds=true|false' property (contribution).
* Bug#50348 (11758179), mysql connector/j 5.1.10 render the wrong value for dateTime column in GMT DB.
* Bug#75670 (20433047), Connection fails with 'Public Key Retrieval is not allowed' for native auth.
* Bug#76187 (20675539), getTypeInfo report maximum precision of 255 for varchar.
* Add test for new syntax 'ALTER TABLE ... DISCARD|IMPORT PARTITION ...' introduced in MySQL 5.7.4.
* Bug#20727196, GETPROCEDURECOLUMNS() RETURNS EXCEPTION FOR FUNCTION WHICH RETURNS ENUM/SET TYPE.
* Bug#19803348, GETPROCEDURES() RETURNS INCORRECT OUTPUT WHEN USEINFORMATIONSCHEMA=FALSE.
* Bug#21215151, DATABASEMETADATA.GETCATALOGS() FAILS TO SORT RESULTS.
* Bug#72630 (18758686), NullPointerException during handshake in some situations
* Bug#20825727, CONNECT FAILURE WHEN TRY TO CONNECT SHA USER WITH DIFFERENT CHARSET.
* Flag RowDataDynamic.isInterrupted removed as it isn't needed.
* Bug#20518653, XSL FILES IN PACKAGES
* Bug#20804635, GETTIME() AND GETDATE() FUNCTIONS FAILS WHEN FRACTIONAL PART EXISTS
* Bug#62452 (16444069), NPE thrown in JDBC4MySQLPooledException when statement is closed.
* BUG#70927 (17810800), Connector/J COM_CHANGE_USER handling is broken
* Bug#75335 (20283655), Maven artifact for Connector/J is missing source jar.
* BUG#75592 (20408891), 'SHOW VARIABLES WHERE' is expensive.
* Bug#75113 (20821888), Fail in failover of the connection in MySQL fabric
* Bug#72077 (18425861), Fabric connection with username to a server with disabled auth throws NPE
* Add test for already fixed Bug#72546 (18719760), C/J Fabric createGroup() throws ClassCastException
* Bug#77217 (21184949), ClassCastException when executing a streaming PreparedStatement with Fabric
* Bug#19536760, GETSTRING() CALL AFTER RS.RELATIVE() RETURNS NULLPOINTEREXCEPTION
* BUG#20453712, CLOB.SETSTRING() WITH VALID INPUT RETURNS EXCEPTION
* BUG#20453671, CLOB.POSITION() API CALL WITH CLOB INPUT RETURNS EXCEPTION
* Bug#20685022, SSL CONNECTION TO MYSQL 5.7.6 COMMUNITY SERVER FAILS.
* Bug#20606107, TEST FAILURES WHEN RUNNING AGAINST 5.7.6 SERVER VERSION
* Bug#20533907, BUG#20204783 FIX EXPOSES WRONG BEAHAVIORS IN FAILOVER CONNECTIONS.
* Bug#20504139, GETFUNCTIONCOLUMNS() AND GETPROCEDURECOLUMNS() RETURNS ERROR FOR VALID INPUTS.
* Expose PreparedStatment.ParseInfo for external usage, with no capture of the connection
* Bug#75309 (20272931), mysql connector/J driver in streaming mode will in the blocking state.
* New property 'readOnlyPropagatesToServer' controls the implicit propagation of read only transaction access mode to server.
* Bug#54095 (11761585), Unnecessary call in newSetTimestampInternal.
* Bug#67760 (15936413), Deadlock when concurrently executing prepared statements with Timestamp objects.
* Bug#71084 (18028319), Wrong java.sql.Date stored if client and server time zones differ.
* Bug#75080 (20217686), NullPointerException during setTimestamp on Fabric connection.
* Bug#75168 (20204783), loadBalanceExceptionChecker interface cannot work using JDBC4/JDK7.
* Bug#73595 (19465516), Replace usage of StringBuffer in JDBC driver.
* Bug#18925727, SQL INJECTION IN MYSQL JDBC DRIVER.
* Bug#74998 (20112694), readRemainingMultiPackets not computed correctly for rows larger than 16 MB.
* Bug#73012 (19219158), Precedence between timezone options is unclear.
* Implement support for connecting through SOCKS proxies (WL#8105).
* Ant buildfile reworked to fix incompatibilities with latest Eclipse
* Bug#18474141, TESTSUITE.FABRIC TEST CASES FAIL IF NO FABRIC.TESTSUITE PROPERTIES PROVIDED
* Bug#19383371, CONNECT USING MYSQL_OLD_PASSWORD USER FAILS WHEN PWD IS BLANK
* Bug#17441747, C/J DOESN'T SUPPORT XA RECOVER OUTPUT FORMAT CHANGED IN MYSQL 5.7.
* Bug#19145408, Error messages may not be interpreted according to the proper character set
* Bug#19505524, UNIT TEST SUITE DOES NOT CONSIDER ALL THE PARAMETERS PASSED TO BUILD.XML.
* Bug#73474 (19365473), Invalid empty line in MANIFEST.MF
* Bug#70436 (17527948), Incorrect mapping of windows timezone to Olson timezone.
* Bug73163 (19171665), IndexOutOfBoundsException thrown preparing statement.
* Added support for gb18030 character set
* Bug#73663 (19479242), utf8mb4 does not work for connector/j >=5.1.13
* Bug#73594 (19450418), ClassCastException in MysqlXADataSource if pinGlobalTxToPhysicalConnection=true
* Bug#19354014, changeUser() call results in 'packets out of order' error when useCompression=true.
* Bug#73577 (19443777), CHANGEUSER() CALL WITH USECOMPRESSION=TRUE COULD LEAD TO IO FREEZE
* Bug#19172037, TEST FAILURES WHEN RUNNING AGAINST 5.6.20 SERVER VERSION
* Bug#71923 (18344403), Incorrect generated keys if ON DUPLICATE KEY UPDATE not exact.
* Bug#72502 (18691866), NullPointerException in isInterfaceJdbc() when using DynaTrace
* Bug#72890 (18970520), Java jdbc driver returns incorrect return code when it's part of XA transaction.
* Fabric client now supports Fabric 1.5. Older versions are no longer supported.
* Bug#71672 (18232840), Every SQL statement is checked if it contains 'ON DUPLICATE KEY UPDATE' or not.
* Bug#73070 (19034681), Preparing a stored procedure call with Fabric results in an exception
* Bug#73053 (19022745), Endless loop in MysqlIO.clearInputStream due to Linux kernel bug.
* Bug#18869381, CHANGEUSER() FOR SHA USER RESULTS IN NULLPOINTEREXCEPTION
* Bug#62577 (16722757), XA connection fails with ClassCastException
* Bug#18852587, CONNECT WITH A USER CREATED USING SHA256_PASSWORD PLUGIN FAILS WHEN PWD IS BLANK
* Bug#18852682, TEST TESTSHA256PASSWORDPLUGIN FAILS WHEN EXECUTE AGAINST COMMERCIAL SERVER
* failing tests when running test suite with Java 6+.
* Bug#72712 (18836319), No way to configure Connector JDBC to not do extra queries on connection
- Adjust log4j/log4j-mini dependencies to account for the lack of
log4j12/log4jmini12 Provides in some code streams.
Changes in javapackages-tools:
- Can't assume non-existence of python38 macros in Leap.
gh#openSUSE/python-rpm-macros#107
Test for suse_version instead. Only Tumbleweed has and needs the
python_subpackage_only support.
- Fix typo in spec file sitearch -> sitelib
- Fix the python subpackage generation
gh#openSUSE/python-rpm-macros#79
- Support python subpackages for each flavor
gh#openSUSE/python-rpm-macros#66
- Replace old nose with pytest gh#fedora-java/javapackages#86
- when building extra flavor, BuildRequire javapackages-filesystem:
/etc/java is being cleaned out of the filesystems package.
- Upgrade to version 5.3.1
- Define _rpmmacrodir for distributions that don't have it
- Use %{_rpmmacrodir} instead of %{_libexecdir}/rpm/macros.d: this
just happens to overlap in some distros.
- Rename gradle-local and ivy-local to javapackages-gradle and
javapackages-ivy and let them depend only on javapackages-tools
and javapackages-local. These packages only install files
produced during the javapackages-tools build. The dependencies
will be pulled by gradle-local, ivy-local and maven-local
meta-packages built in a separate spec file.
- Split maven-local meta-package out of javapackages-tools spec
file
- Make the ivy-local and maven-local sub-packages depend on the
right stuff, so that they actually can be used for building
- Provide both com.sun:tools and sun.jdk:jconsole that are part of
standard OpenJDK installation. These provides cannot be generated
from metadata due to build sequence.
+ fix directories for eclipse.conf too
- Make the javapackages-local package depend on java-devel. It is
used for package building and this avoids each package to require
java-devel itself.
- Replace the occurences of /usr/lib by libdir in configuration
files too
- Update to version 5.3.0
- Modified patch:
- Build the :extras flavour as noarch
+ we did not bump epoch of OpenJDK packages in SUSE
+ fix a potential generation of unresolvable requires
+ adapt the tests to not expect the epoch
- Switch to multibuild layout
- Update to version 5.2.0+git20180620.70fa2258:
* Rename the async kwarg in call_script to wait (reverses the logic)
* Actually bump version to 5.3.0 snapshot
* Bump version in VERSION file
* [man] s/Pacakge/Package/g
* Fix typos in README
* Fix configure-base.sh after filesystem macro split
* Split filesystem macros to separate macro file
* Introduce javapackages-filesystem package
* [java-functions] extend ABRT Java agent options
* change abrt-java-connector upstream URL
* Remove resolverSettings/prefixes from XMvn config
* Add macros to allow passing arbitrary options to XMvn
* [spec] Bump package version to 5.1.0
* Allow specifying custom repo when calling xmvn-install
- Update to version 5.0.0+git20180104.9367c8f6:
* [java-functions] Avoid colons in jar names
* Workaround for SCL enable scripts not working with -e
* Second argument to pom_xpath_inject is mandatory
* [mvn_artifact] Provide more helpful error messages
* Fix traceback on corrupt zipfile
* [test] Add reproducer for rhbz#1481005
* [spec] Fix default JRE path
* [readme] Fix typo
* Add initial content to README.md (#21)
* Decouple JAVA_HOME setting from java command alternatives
- Fix url to correct one https://github.com/fedora-java/javapackages
- Split to python and non-python edition for smaller depgraph
- Fix abs2rel shebang:
- Fix Requires on subpackages to point to javapackages-tools proper
- Update to version 4.7.0+git20170331.ef4057e7:
* Reimplement abs2rel in Python
* Don't expand {scl} in macro definitions
* Install expanded rpmfc attr files
* [spec] Avoid file conflicts between in SCL
* Fix macros.d directory ownership
* Make %ant macro enable SCL when needed
* [spec] Fix file conflicts between SCL and non-SCL packages
* Fix ownership of ivyxmldir
* [test] Force locale for python processes
* Don't include timestamp in generated pom.properties
* We switch to /usr/lib/ location for macros
- Try to reduce some dependencies bsc#1036025
- python-lxml 3.5.0 introduces validation for xml comments, and
one of the comments created in this package were not valid.
This patch fixes the problem. It backported from upstream and
should be in the next release.
https://github.com/mizdebsk/javapackages/commit/84211c0ee761e93ee507f5d37e9fc80ec377e89d
- Version update to 4.6.0:
* various bugfixes for maven tooling
* introduction to gradle-local package for gradle packaging
- Drop dependency over source-highlight as it causes build cycle
- Try to break buildcycle detected on Factory
- Fix build on SLE11
- Use python-devel instead of pkgconfig to build on sle11
- Add python-javapackages as requirement for main package
- Update requires on python packages to properly have all the needed
dependencies on runtime
- Install macros to /etc/rpm as we do in SUSE:
- Cleanup with spec-cleaner
- Fix rpmlint errors
- Enable maven-local
- Avoid unsatisfiable dependencies
- Enable unit tests
- Update to version 4.4.0
- create directories for java, so that ant build works
- Add virtual provide jpackage-utils-java9 to be able to
distinguish the presence of java9 compatibility
- fix bashisms
- SLES patch for ZipFile, having no attribute '__exit__' which was causing
ecj build failures
- set correct libxslt package when building for SLES
Changes in javassist:
+ Add OSGi manifest to the javassist.jar
- Allow building on systems that do not have java 9 or higher
- Install and package the maven pom and metadata files
- BuildRequire at least Java 9. This version uses APIs introduced
in Java 9
- Replace old $RPM_* shell vars by macros.
- Version update to 3.23.1:
* 3.23.1 Github PR #171
* 3.23 Fix leaking file handlers in ClassPool and removed
ClassPath.close(). Github issue #165
* 3.22 Java 9 supports.
JIRA JASSIST-261.
- Specify java target and source version 1.6 in order to allow
building with jdk9
- fix javadoc errors that are fatal with jdk9
- Version update to 3.21.0:
* various compiler settings
* Require java >= 1.6
- Update to version 3.19.0
* Including a number of bug fixes and Java 8 supports.
- Clean up specfile
- Remove redundant %clean section
- Build for java API 1.5
- Remove unzip requirement
- Update home page and download source Urls
Changes in protobuf:
- Update to 3.17.3:
C++
* Introduce FieldAccessListener.
* Stop emitting boilerplate {Copy/Merge}From in each ProtoBuf class
* Provide stable versions of SortAndUnique().
* Make sure to cache proto3 optional message fields when they are cleared.
* Expose UnsafeArena methods to Reflection.
* Use std::string::empty() rather than std::string::size() > 0.
* [Protoc] C++ Resolved an issue where NO_DESTROY and CONSTINIT are in incorrect order (#8296)
* Fix PROTOBUF_CONSTINIT macro redefinition (#8323)
* Delete StringPiecePod (#8353)
* Create a CMake option to control whether or not RTTI is enabled (#8347)
* Make util::Status more similar to absl::Status (#8405)
* The ::pb namespace is no longer exposed due to conflicts.
* Allow MessageDifferencer::TreatAsSet() (and friends) to override previous
calls instead of crashing.
* Reduce the size of generated proto headers for protos with string or
bytes fields.
* Move arena() operation on uncommon path to out-of-line routine
* For iterator-pair function parameter types, take both iterators by value.
* Code-space savings and perhaps some modest performance improvements in
* RepeatedPtrField.
* Eliminate nullptr check from every tag parse.
* Remove unused _$name$cached_byte_size fields.
* Serialize extension ranges together when not broken by a proto field in the
middle.
* Do out-of-line allocation and deallocation of string object in ArenaString.
* Streamline ParseContext::ParseMessage to avoid code bloat and improve
performance.
* New member functions RepeatedField::Assign, RepeatedPtrField::{Add, Assign}.
on an error path.
* util::DefaultFieldComparator will be final in a future version of protobuf.
* Subclasses should inherit from SimpleFieldComparator instead.
Kotlin
* Introduce support for Kotlin protos (#8272)
* Restrict extension setter and getter operators to non-nullable T.
Java
* Fixed parser to check that we are at a proper limit when a sub-message has
finished parsing.
* updating GSON and Guava to more recent versions (#8524)
* Reduce the time spent evaluating isExtensionNumber by storing the extension
ranges in a TreeMap for faster queries. This is particularly relevant for
protos which define a large number of extension ranges, for example when
each tag is defined as an extension.
* Fix java bytecode estimation logic for optional fields.
* Optimize Descriptor.isExtensionNumber.
* deps: update JUnit and Truth (#8319)
* Detect invalid overflow of byteLimit and return InvalidProtocolBufferException as documented.
* Exceptions thrown while reading from an InputStream in parseFrom are now
included as causes.
* Support potentially more efficient proto parsing from RopeByteStrings.
* Clarify runtime of ByteString.Output.toStringBuffer().
* Added UnsafeByteOperations to protobuf-lite (#8426)
Python
* Add MethodDescriptor.CopyToProto() (#8327)
* Remove unused python_protobuf.{cc,h} (#8513)
* Start publishing python aarch64 manylinux wheels normally (#8530)
* Fix constness issue detected by MSVC standard conforming mode (#8568)
* Make JSON parsing match C++ and Java when multiple fields from the same
oneof are present and all but one is null.
* Fix some constness / char literal issues being found by MSVC standard conforming mode (#8344)
* Switch on 'new' buffer API (#8339)
* Enable crosscompiling aarch64 python wheels under dockcross manylinux docker image (#8280)
* Fixed a bug in text format where a trailing colon was printed for repeated field.
* When TextFormat encounters a duplicate message map key, replace the current
one instead of merging.
Ruby
* Add support for proto3 json_name in compiler and field definitions (#8356)
* Fixed memory leak of Ruby arena objects. (#8461)
* Fix source gem compilation (#8471)
* Fix various exceptions in Ruby on 64-bit Windows (#8563)
* Fix crash when calculating Message hash values on 64-bit Windows (#8565)
General
* Support M1 (#8557)
- Update to 3.15.8:
- Fixed memory leak of Ruby arena objects (#8461)
- update to 3.15.7:
C++
* Remove the ::pb namespace (alias) (#8423)
Ruby
* Fix unbounded memory growth for Ruby <2.7 (#8429)
* Fixed message equality in cases where the message type is different (#8434)
- Can't assume non-existence of python38 macros in Leap.
gh#openSUSE/python-rpm-macros#107
Test for suse_version instead. Only Tumbleweed has and needs the
python_subpackage_only support.
- update to 3.15.6:
Ruby
* Fixed bug in string comparison logic (#8386)
* Fixed quadratic memory use in array append (#8379)
* Fixed SEGV when users pass nil messages (#8363)
* Fixed quadratic memory usage when appending to arrays (#8364)
* Ruby <2.7 now uses WeakMap too, which prevents memory leaks. (#8341)
* Fix for FieldDescriptor.get(msg) (#8330)
* Bugfix for Message.[] for repeated or map fields (#8313)
PHP
* read_property() handler is not supposed to return NULL (#8362)
Protocol Compiler
* Optional fields for proto3 are enabled by default, and no longer require
the --experimental_allow_proto3_optional flag.
C++
* Do not disable RTTI by default in the CMake build (#8377)
* Create a CMake option to control whether or not RTTI is enabled (#8361)
* Fix PROTOBUF_CONSTINIT macro redefinition (#8323)
* MessageDifferencer: fixed bug when using custom ignore with multiple
unknown fields
* Use init_seg in MSVC to push initialization to an earlier phase.
* Runtime no longer triggers -Wsign-compare warnings.
* Fixed -Wtautological-constant-out-of-range-compare warning.
* DynamicCastToGenerated works for nullptr input for even if RTTI is disabled
* Arena is refactored and optimized.
* Clarified/specified that the exact value of Arena::SpaceAllocated() is an
implementation detail users must not rely on. It should not be used in
unit tests.
* Change the signature of Any::PackFrom() to return false on error.
* Add fast reflection getter API for strings.
* Constant initialize the global message instances
* Avoid potential for missed wakeup in UnknownFieldSet
* Now Proto3 Oneof fields have 'has' methods for checking their presence in
C++.
* Bugfix for NVCC
* Return early in _InternalSerialize for empty maps.
* Adding functionality for outputting map key values in proto path logging
output (does not affect comparison logic) and stop printing 'value' in the
path. The modified print functionality is in the
MessageDifferencer::StreamReporter.
* Fixed https://github.com/protocolbuffers/protobuf/issues/8129
* Ensure that null char symbol, package and file names do not result in a
crash.
* Constant initialize the global message instances
* Pretty print 'max' instead of numeric values in reserved ranges.
* Removed remaining instances of std::is_pod, which is deprecated in C++20.
* Changes to reduce code size for unknown field handling by making uncommon
cases out of line.
* Fix std::is_pod deprecated in C++20 (#7180)
* Fix some -Wunused-parameter warnings (#8053)
* Fix detecting file as directory on zOS issue #8051 (#8052)
* Don't include sys/param.h for _BYTE_ORDER (#8106)
* remove CMAKE_THREAD_LIBS_INIT from pkgconfig CFLAGS (#8154)
* Fix TextFormatMapTest.DynamicMessage issue#5136 (#8159)
* Fix for compiler warning issue#8145 (#8160)
* fix: support deprecated enums for GCC < 6 (#8164)
* Fix some warning when compiling with Visual Studio 2019 on x64 target (#8125)
Python
* Provided an override for the reverse() method that will reverse the internal
collection directly instead of using the other methods of the BaseContainer.
* MessageFactory.CreateProtoype can be overridden to customize class creation.
* Fix PyUnknownFields memory leak (#7928)
* Add macOS big sur compatibility (#8126)
JavaScript
* Generate `getDescriptor` methods with `*` as their `this` type.
* Enforce `let/const` for generated messages.
* js/binary/utils.js: Fix jspb.utils.joinUnsignedDecimalString to work with
negative bitsLow and low but non-zero bitsHigh parameter. (#8170)
PHP
* Added support for PHP 8. (#8105)
* unregister INI entries and fix invalid read on shutdown (#8042)
* Fix PhpDoc comments for message accessors to include '|null'. (#8136)
* fix: convert native PHP floats to single precision (#8187)
* Fixed PHP to support field numbers >=2**28. (#8235)
* feat: add support for deprecated fields to PHP compiler (#8223)
* Protect against stack overflow if the user derives from Message. (#8248)
* Fixed clone for Message, RepeatedField, and MapField. (#8245)
* Updated upb to allow nonzero offset minutes in JSON timestamps. (#8258)
Ruby
* Added support for Ruby 3. (#8184)
* Rewrote the data storage layer to be based on upb_msg objects from the
upb library. This should lead to much better parsing performance,
particularly for large messages. (#8184).
* Fill out JRuby support (#7923)
* [Ruby] Fix: (SIGSEGV) gRPC-Ruby issue on Windows. memory alloc infinite
recursion/run out of memory (#8195)
* Fix jruby support to handle messages nested more than 1 level deep (#8194)
Java
* Avoid possible UnsupportedOperationException when using CodedInputSteam
with a direct ByteBuffer.
* Make Durations.comparator() and Timestamps.comparator() Serializable.
* Add more detailed error information for dynamic message field type
validation failure
* Removed declarations of functions declared in java_names.h from
java_helpers.h.
* Now Proto3 Oneof fields have 'has' methods for checking their presence in
Java.
* Annotates Java proto generated *_FIELD_NUMBER constants.
* Add -assumevalues to remove JvmMemoryAccessor on Android.
C#
* Fix parsing negative Int32Value that crosses segment boundary (#8035)
* Change ByteString to use memory and support unsafe create without copy (#7645)
* Optimize MapField serialization by removing MessageAdapter (#8143)
* Allow FileDescriptors to be parsed with extension registries (#8220)
* Optimize writing small strings (#8149)
- Updated URL to https://github.com/protocolbuffers/protobuf
- Update to v3.14.0
Protocol Compiler
* The proto compiler no longer requires a .proto filename when it is not
generating code.
* Added flag `--deterministic_output` to `protoc --encode=...`.
* Fixed deadlock when using google.protobuf.Any embedded in aggregate options.
C++
* Arenas are now unconditionally enabled. cc_enable_arenas no longer has
any effect.
* Removed inlined string support, which is incompatible with arenas.
* Fix a memory corruption bug in reflection when mixing optional and
non-optional fields.
* Make SpaceUsed() calculation more thorough for map fields.
* Add stack overflow protection for text format with unknown field values.
* FieldPath::FollowAll() now returns a bool to signal if an out-of-bounds
error was encountered.
* Performance improvements for Map.
* Minor formatting fix when dumping a descriptor to .proto format with
DebugString.
* UBSAN fix in RepeatedField
* When running under ASAN, skip a test that makes huge allocations.
* Fixed a crash that could happen when creating more than 256 extensions in
a single message.
* Fix a crash in BuildFile when passing in invalid descriptor proto.
* Parser security fix when operating with CodedInputStream.
* Warn against the use of AllowUnknownExtension.
* Migrated to C++11 for-range loops instead of index-based loops where
possible. This fixes a lot of warnings when compiling with -Wsign-compare.
* Fix segment fault for proto3 optional
* Adds a CMake option to build `libprotoc` separately
Java
* Bugfix in mergeFrom() when a oneof has multiple message fields.
* Fix RopeByteString.RopeInputStream.read() returning -1 when told to read
0 bytes when not at EOF.
* Redefine remove(Object) on primitive repeated field Lists to avoid
autoboxing.
* Support '\u' escapes in textformat string literals.
* Trailing empty spaces are no longer ignored for FieldMask.
* Fix FieldMaskUtil.subtract to recursively remove mask.
* Mark enums with `@java.lang.Deprecated` if the proto enum has option
`deprecated = true;`.
* Adding forgotten duration.proto to the lite library
Python
* Print google.protobuf.NullValue as null instead of 'NULL_VALUE' when it is
used outside WKT Value/Struct.
* Fix bug occurring when attempting to deep copy an enum type in python 3.
* Add a setuptools extension for generating Python protobufs
* Remove uses of pkg_resources in non-namespace packages
* [bazel/py] Omit google/__init__.py from the Protobuf runtime
* Removed the unnecessary setuptools package dependency for Python package
* Fix PyUnknownFields memory leak
PHP
* Added support for '==' to the PHP C extension
* Added `==` operators for Map and Array
* Native C well-known types
* Optimized away hex2bin() call in generated code
* New version of upb, and a new hash function wyhash in third_party
* add missing hasOneof method to check presence of oneof fields
Go:
* Update go_package options to reference google.golang.org/protobuf module.
C#:
* annotate ByteString.CopyFrom(ReadOnlySpan<byte>) as SecuritySafeCritical
* Fix C# optional field reflection when there are regular fields too
* Fix parsing negative Int32Value that crosses segment boundary
Javascript:
* JS: parse (un)packed fields conditionally
- from version 3.13.0
PHP:
* The C extension is completely rewritten. The new C extension has significantly
better parsing performance and fixes a handful of conformance issues. It will
also make it easier to add support for more features like proto2 and proto3 presence.
* The new C extension does not support PHP 5.x. PHP 5.x users can still use pure-PHP.
C++:
* Removed deprecated unsafe arena string accessors
* Enabled heterogeneous lookup for std::string keys in maps.
* Removed implicit conversion from StringPiece to std::string
* Fix use-after-destroy bug when the Map is allocated in the arena.
* Improved the randomness of map ordering
* Added stack overflow protection for text format with unknown fields
* Use std::hash for proto maps to help with portability.
* Added more Windows macros to proto whitelist.
* Arena constructors for map entry messages are now marked 'explicit'
(for regular messages they were already explicit).
* Fix subtle aliasing bug in RepeatedField::Add
* Fix mismatch between MapEntry ByteSize and Serialize with respect to unset
fields.
Python:
* JSON format conformance fixes:
* Reject lowercase t for Timestamp json format.
* Print full_name directly for extensions (no camelCase).
* Reject boolean values for integer fields.
* Reject NaN, Infinity, -Infinity that is not quoted.
* Base64 fixes for bytes fields: accept URL-safe base64 and missing padding.
* Bugfix for fields/files named 'async' or 'await'.
* Improved the error message when AttributeError is returned from __getattr__
in EnumTypeWrapper.
Java:
* Fixed a bug where setting optional proto3 enums with setFooValue() would
not mark the value as present.
* Add Subtract function to FieldMaskUtil.
C#:
* Dropped support for netstandard1.0 (replaced by support for netstandard1.1).
This was required to modernize the parsing stack to use the `Span<byte>`
type internally
* Add `ParseFrom(ReadOnlySequence<byte>)` method to enable GC friendly
parsing with reduced allocations and buffer copies
* Add support for serialization directly to a `IBufferWriter<byte>` or
to a `Span<byte>` to enable GC friendly serialization.
The new API is available as extension methods on the `IMessage` type
* Add `GOOGLE_PROTOBUF_REFSTRUCT_COMPATIBILITY_MODE` define to make
generated code compatible with old C# compilers (pre-roslyn compilers
from .NET framework and old versions of mono) that do not support
ref structs. Users that are still on a legacy stack that does
not support C# 7.2 compiler might need to use the new define
in their projects to be able to build the newly generated code
* Due to the major overhaul of parsing and serialization internals,
it is recommended to regenerate your generated code to achieve the best
performance (the legacy generated code will still work, but might incur
a slight performance penalty).
- Fix the python subpackage generation
gh#openSUSE/python-rpm-macros#79
- Support multiple python3 flavors gh#openSUSE/python-rpm-macros#66
- Update to version 3.12.3; notable changes since 3.11.4:
Protocol Compiler
* [experimental] Singular, non-message typed fields in proto3 now support
presence tracking. This is enabled by adding the 'optional' field label and
passing the --experimental_allow_proto3_optional flag to protoc.
* For usage info, see docs/field_presence.md.
* During this experimental phase, code generators should update to support
proto3 presence, see docs/implementing_proto3_presence.md for instructions.
* Allow duplicate symbol names when multiple descriptor sets are passed on
the command-line, to match the behavior when multiple .proto files are passed.
* Deterministic `protoc --descriptor_set_out` (#7175)
Objective-C
* Tweak the union used for Extensions to support old generated code. #7573
* Fix for the :protobuf_objc target in the Bazel BUILD file. (#7538)
if p['result'] == 'FAIL':
* [experimental] ObjC Proto3 optional support (#7421)
* Block subclassing of generated classes (#7124)
* Use references to Obj C classes instead of names in descriptors. (#7026)
* Revisit how the WKTs are bundled with ObjC. (#7173)
C++
* Simplified the template export macros to fix the build for mingw32. (#7539)
* [experimental] Added proto3 presence support.
* New descriptor APIs to support proto3 presence.
* Enable Arenas by default on all .proto files.
* Documented that users are not allowed to subclass Message or MessageLite.
* Mark generated classes as final; inheriting from protos is strongly discouraged.
* Add stack overflow protection for text format with unknown fields.
* Add accessors for map key and value FieldDescriptors.
* Add FieldMaskUtil::FromFieldNumbers().
* MessageDifferencer: use ParsePartial() on Any fields so the diff does not
fail when there are missing required fields.
* ReflectionOps::Merge(): lookup messages in the right factory, if it can.
* Added Descriptor::WellKnownTypes enum and Descriptor::well_known_type()
accessor as an easier way of determining if a message is a Well-Known Type.
* Optimized RepeatedField::Add() when it is used in a loop.
* Made proto move/swap more efficient.
* De-virtualize the GetArena() method in MessageLite.
* Improves performance of json_stream_parser.cc by factor 1000 (#7230)
* bug: #7076 undefine Windows OUT and OPTIONAL macros (#7087)
* Fixed a bug in FieldDescriptor::DebugString() that would erroneously print
an 'optional' label for a field in a oneof.
* Fix bug in parsing bool extensions that assumed they are always 1 byte.
* Fix off-by-one error in FieldOptions::ByteSize() when extensions are present.
* Clarified the comments to show an example of the difference between
Descriptor::extension and DescriptorPool::FindAllExtensions.
* Add a compiler option 'code_size' to force optimize_for=code_size on all
protos where this is possible.
Ruby
* Re-add binary gems for Ruby 2.3 and 2.4. These are EOL upstream, however
many people still use them and dropping support will require more
coordination.
* [experimental] Implemented proto3 presence for Ruby. (#7406)
* Stop building binary gems for ruby <2.5 (#7453)
* Fix for wrappers with a zero value (#7195)
* Fix for JSON serialization of 0/empty-valued wrapper types (#7198)
* Call 'Class#new' over rb_class_new_instance in decoding (#7352)
* Build extensions for Ruby 2.7 (#7027)
* assigning 'nil' to submessage should clear the field. (#7397)
Java
* [experimental] Added proto3 presence support.
* Mark java enum _VALUE constants as @Deprecated if the enum field is deprecated
* reduce <clinit> size for enums with allow_alias set to true.
* Sort map fields alphabetically by the field's key when printing textproto.
* Fixed a bug in map sorting that appeared in -rc1 and -rc2 (#7508).
* TextFormat.merge() handles Any as top level type.
* Throw a descriptive IllegalArgumentException when calling
getValueDescriptor() on enum special value UNRECOGNIZED instead of
ArrayIndexOutOfBoundsException.
* Fixed an issue with JsonFormat.printer() where setting printingEnumsAsInts()
would override the configuration passed into includingDefaultValueFields().
* Implement overrides of indexOf() and contains() on primitive lists returned
for repeated fields to avoid autoboxing the list contents.
* Add overload to FieldMaskUtil.fromStringList that accepts a descriptor.
* [bazel] Move Java runtime/toolchains into //java (#7190)
Python
* [experimental] Added proto3 presence support.
* [experimental] fast import protobuf module, only works with cpp generated code linked in.
* Truncate 'float' fields to 4 bytes of precision in setters for pure-Python
implementation (C++ extension was already doing this).
* Fixed a memory leak in C++ bindings.
* Added a deprecation warning when code tries to create Descriptor objects
directly.
* Fix unintended comparison between bytes and string in descriptor.py.
* Avoid printing excess digits for float fields in TextFormat.
* Remove Python 2.5 syntax compatibility from the proto compiler generated _pb2.py module code.
* Drop 3.3, 3.4 and use single version docker images for all python tests (#7396)
JavaScript
* Fix js message pivot selection (#6813)
PHP
* Persistent Descriptor Pool (#6899)
* Implement lazy loading of php class for proto messages (#6911)
* Correct @return in Any.unpack docblock (#7089)
* Ignore unknown enum value when ignore_unknown specified (#7455)
C#
* [experimental] Add support for proto3 presence fields in C# (#7382)
* Mark GetOption API as obsolete and expose the 'GetOptions()' method on descriptors instead (#7491)
* Remove Has/Clear members for C# message fields in proto2 (#7429)
* Enforce recursion depth checking for unknown fields (#7132)
* Fix conformance test failures for Google.Protobuf (#6910)
* Cleanup various bits of Google.Protobuf (#6674)
* Fix latest ArgumentException for C# extensions (#6938)
* Remove unnecessary branch from ReadTag (#7289)
Other
* Add a proto_lang_toolchain for javalite (#6882)
* [bazel] Update gtest and deprecate //external:{gtest,gtest_main} (#7237)
* Add application note for explicit presence tracking. (#7390)
* Howto doc for implementing proto3 presence in a code generator. (#7407)
- Python: Add requirement on python-six
- Update to version 3.11.4; notable changes since 3.9.2:
* C++: Make serialization method naming consistent
* C++: Moved ShutdownProtobufLibrary() to message_lite.h. For
backward compatibility a declaration is still available
in stubs/common.h, but users should prefer message_lite.h
* C++: Removed non-namespace macro EXPECT_OK()
* C++: Removed mathlimits.h from stubs in favor of using
std::numeric_limits from C++11
* C++: Support direct pickling of nested messages
* C++: Disable extension code gen for C#
* C++: Switch the proto parser to the faster MOMI parser
* C++: Unused imports of files defining descriptor extensions
will now be reported
* C++: Add proto2::util::RemoveSubranges to remove multiple
subranges in linear time
* C++: Support 32 bit values for ProtoStreamObjectWriter to Struct
* C++: Removed the internal-only header coded_stream_inl.h and
the internal-only methods defined there
* C++: Enforced no SWIG wrapping of descriptor_database.h
(other headers already had this restriction)
* C++: Implementation of the equivalent of the MOMI parser for
serialization. This removes one of the two serialization
routines, by making the fast array serialization routine
completely general. SerializeToCodedStream can now be
implemented in terms of the much much faster array
serialization. The array serialization regresses slightly,
but when array serialization is not possible this wins big
* C++: Add move constructor for Reflection's SetString
* Java: Remove the usage of MethodHandle, so that Android users
prior to API version 26 can use protobuf-java
* Java: Publish ProGuard config for javalite
* Java: Include unknown fields when merging proto3 messages in
Java lite builders
* Java: Have oneof enums implement a separate interface (other
than EnumLite) for clarity
* Java: Opensource Android Memory Accessors
* Java: Change ProtobufArrayList to use Object[] instead of
ArrayList for 5-10% faster parsing
* Java: Make a copy of JsonFormat.TypeRegistry at the protobuf
top level package. This will eventually replace
JsonFormat.TypeRegistry
* Java: Add Automatic-Module-Name entries to the Manifest
* Python: Add float_precision option in json format printer
* Python: Optionally print bytes fields as messages in unknown
fields, if possible
* Python: Experimental code gen (fast import protobuf module)
which only work with cpp generated code linked in
* Python: Add descriptor methods in descriptor_pool are deprecated
* Python: Added delitem for Python extension dict
* JavaScript: Remove guard for Symbol iterator for jspb.Map
* JavaScript: Remove deprecated boolean option to getResultBase64String()
* JavaScript: Change the parameter types of binaryReaderFn in
ExtensionFieldBinaryInfo to (number, ?, ?)
* JavaScript: Create dates.ts and time_of_days.ts to mirror Java
versions. This is a near-identical conversion of
c.g.type.util.{Dates,TimeOfDays} respectively
* JavaScript: Migrate moneys to TypeScript
* PHP: Increase php7.4 compatibility
* PHP: Implement lazy loading of php class for proto messages
* Ruby: Support hashes for struct initializers
* C#: Experimental proto2 support is now officially available
* C#: Change _Extensions property to normal body rather than expression
* Objective C: Remove OSReadLittle* due to alignment requirements
* Other: Override CocoaPods module to lowercase
* further bugfixes and optimisations
- Use tarball provided by upstream
- Small package cleanup
- Updated to version 3.9.2 (bsc#1162343)
(Objective-C)
* Remove OSReadLittle* due to alignment requirements. (#6678)
* Don't use unions and instead use memcpy for the type swaps. (#6672)
- Package also the protobuf-bom pom file
- Update to new upstream release 3.9.1
* Optimized the implementation of RepeatedPtrFieldBase.
* Added delimited parse and serialize util.
* Added FieldDescriptor::PrintableNameForExtension() and
DescriptorPool::FindExtensionByPrintableName(). The latter
will replace Reflection::FindKnownExtensionByName().
* Created a new Add method in repeated field that allows adding
a range of elements all at once.
* Drop building wheel for Python 3.4.
- Specify java source and target levels in order to build
compatible protobuf-java binaries
- Update to new upstream release 3.8.0
* Introduced new MOMI (maybe-outside-memory-interval) parser.
* Added use of C++ override keyword where appropriate.
* Always declare enums to be int-sized.
* Append '_' to C++ reserved keywords for message, enum, extension.
- Disable LTO (boo#1133277).
- fixes build with Bazel 0.22.0.
- Add protobuf-source package - some programs using gRPC and
protobuf need protobuf definitions which are included inside the
source code, but are not included in the devel package.
- Add maven pom files to the protobuf-java package
- update to version v3.6.1:
* PHP namespaces for nested messages and enums (#4536)
* Allows the json marshaller to be passed json marshal options (#4252)
* Make sure to delete temporary maps used by FileDescriptorTables
* fix python cpp kokoro build
* Change C# reflection to avoid using expression trees
* Updated checked-in generated code
* Removed unused variables in repeated_scalar_container.cc
* Removed unused code pertaining to shared_ptr
* Include no_package.proto in Python test
* Only check filenames when end with .py in _CalledFromGeneratedFile() (#4262)
* Convert descriptortype to type for upb_msgval_sizeof (#4357)
* Removed duplicate using statement from ReflectionUtil.cs
* Add support for power ppc64le
* Cat the test-suite.log on errors for presubits
* Address review comments
* Add third-party RPC implementation: raster - a network framework supports pbrpc by 'service' keyword.
* Delete javanano kokoro build configs.
* Updated Ruby conformance test failure list
* Removed use of some type traits
* Adopt php_metadata_namespace in php code generator (#4622)
* Move to Xcode 9.3 which also means a High Sierra image.
* Add protoc release script for Linux build.
* protoc-artifacts: Avoid storing temporary files and use fewer layers
* Rewrite go_benchmark
* Add files to build ruby artifact for mac on kokoro (#4814)
* Remove javanano.
* Comment out unused command from release script.
* Avoid direct check of class name (#4601)
* The JsonParseOptions::ignore_unknown_fields option behavior treats
* Fix php memory leak test (#4692)
* Fix benchmark build
* Add VS2017 optional component dependency details to the C# readme (#4128)
* Fix initialization with Visual Studio
* For windows, all python version should use /MT (#4468)
* use brew install instead of easy_install in OSX (#4537)
* Sync upb change (#4373)
* Always add -std=c++11 for mac (#4684)
* Add kokoro build status badges.
* Removed unrecognized option from no_package.proto
* Fixed up proto3_lite_unittest.cc
* Update Xcode settings
* Cleanup LICENSE file.
* Remove js_embed binary. (#4709)
* Fixed JS parsing of unspecified map keys
* Update version number to 3.6.0
* Deliberately call simple code to avoid Unity linker pruning
* Revert 'Move `compiler/plugin.pb.cc` to libprotobuf with the other WKT sources.'
* protoc-artifacts: Use ENTRYPOINT to enable devtoolset-1.1
* MinGW build failed
* Support using MSVC intrinsics in Log2FloorNonZero
* Fix array constructor in c extension for compatibility (#4667)
* Add space between class name and concat message (#4577)
* fix python
* Add performance.md and add instruction for linking tcmalloc
* Add script for run and upload the benchmark result to bq
* Add test for failing write of raw pointer to output stream
* [objectivec] Fix memory leak of exceptions raised by RaiseException() (#4556)
* Remove stray indent on normal imports.
* Fix python ext build on kokoro (#4527)
* Add compile test sources for to test include order.
* Fixed a Visual Studio 2017 build error. (#4488)
* fix linux kokoro build in docker
* Fixes MSVC compiler warning C4800 'Forcing value to bool 'true' or 'false'' (#4350)
* Updated Docker setup to use GCC 4.8
* Remove broken build status icons.
* Run autogen.sh in release script.
* Output *_pb2_grpc.py when use_grpc_plugin=True
* Adopt ruby_package in ruby generated code. (#4627)
* Cygwin build failed
* Work around an 'old runtime' issue with reflection
* Added Kokoro protoc release build for OS X (#4770)
* Updated change log for 3.6.1 release
* Move methods out of class (#4697)
* Fix to allow AOT compilers to play nicely with reflection
* Update Makefile.am for Java lite files.
* Added map_lite_test.proto to fix LiteTest
* Introduce a compatiblity shim to support .NET 3.5 delegate creation
* Revert 'Removed mention of Buffer in byteSourceToUint8Array'
* Add gogo benchmark
* Set ext.no_native = true for non mac platform
* Removed atomicops.h since it is no longer used
* Rename a shadowed variable.
* Add kokoro bazel configs for 3.6.x branch.
* Deleted scoped_ptr.h
* Check the message to be encoded is the wrong type. (#4885) (#4949)
* protoc-artifacts: Avoid checking out protobuf code
* Add conformance test for null value in list JSON
* Build ruby gem on kokoro (#4819)
* Try using a new version of Visual Studio on AppVeyor
* Make ruby release configs consistent with protoc.
* fix for API change in PHP 7.3 (#4898)
* Add .proto files to extract_includes.bat
* Update protoc build scripts.
* Blacklist all WELL_KNOWN_PROTOS from Bazel C++ code generation.
* Additional support for building and deploying ppcle_64 artifacts
* Fix php tests
* Cleanup + documentation for Java Lite runtime.
* Added Kokoro Windows release build config for protoc (#4766)
* typo
* fix golang kokoro linux build
* Fix spelling error of __GNUC_MINOR__
* Update code to work for Xcode 10b1 (#4729)
* Added pyext/thread_unsafe_shared_ptr.h
* Added missing .inc files to BUILD
* js message support for jstype string on integers (#4332)
* Improve error message when googletest is missing.
* Make assertEquals pass for message (#4947)
* Sync internal benchmark changes
* Removed some unused C++ source files
* Fix missing LIBPROTOC_EXPORT.
* Added new test source files to Makefile.am
* Update php version to 3.6.0 (#4736)
* Fix RepeatedField#delete_if (#4292)
* Merge branch (#4466)
* Implement array constructor in php c extension.
* protoc-artifacts: Update centos base from 6.6 to 6.9
* PHP array constructors for protobuf messages (#4530)
* Fix problem: cmake build failed in c++11 by clang
* Don't assume Windows builds use MSVC.
* Use legacy name in php runtime (#4741)
* Add file option php_metadata_namespace and ruby_package (#4609)
* Fix cpp benchmark dependency on mac
* Use the first enum value instead of 0 in DefaultValueObjectWriter::FindEnumDefault
* Check return value on write of raw pointer
* Delete unused directories.
* Replace //:protoc and similar default macro arguments with
* Add extra C# file to Makefile.am
* includes the expected class in the exception, otherwise the error is harder to track down (#3371)
* Update instructions about getting protobuf source.
* Add cpp tests under release docker image.
* fix java benchmark, fix dashboard build
* `update_file_lists.sh` depends on Bash features, thus needs Bash sebang.
* Rename build_artifacts.cfg to release.cfg (#4818)
* Fix bug: whether always_print_enums_as_ints is true or false, it always print the default value of enums as strings
* source code info for interpreted options; fix source code info for extension range options (#4342)
* Updated version numbers to 3.6.1
* Trim imports for bundled generated protos.
* Require C++11 and pass -std=c++11
* Remove the iOS Test App.
* fix duplicate mkdir in update_file_lists.sh
* Updated csharp/README.md to reflect testing changes
* Fix bazel build of examples.
* Add missing ruby/tests/test_ruby_package.proto
* Fix cpp_distcheck
* Updated the change log with changes for 3.6.0
* some fix
* CMake: Update CXX Standard management
* Add the files added in #4485.
* Change to deal all messages in one loop
* Fix php conformance test.
* Add __init__.py files to compiler and util subpackages (#4117)
* Updated .gitignore to exclude downloaded gmock/ directory
* Fix error in Clang UndefinedBehaviorSanitizer
* Work around MSVC issue with std::atomic initialization (#4777)
* Updated conformance failure lists
* Add back GeneratedClassName to public (#4686)
* Add continuous test for ruby 2.3, 2.4 and 2.5 (#4829)
* Throw error if user want to access message properties (#4603)
* fix json_decode call parameters (#4381)
* Move `compiler/plugin.pb.cc` to libprotobuf with the other WKT sources.
* PHP: fixed typo in message.c
* Add go benchmark
* Allow list values to be null when parsing
* Added instruction for existing ZLIB configuration
* Fix 32bit php tests
* Removed javanano from post_process_dist.sh
* Don't generate imports for the WKTs unless generating the WKTs.
* For encoding upb needs descriptor type instead of type. (#4354)
* Include googletest as a submodule (#3993)
* Write messages to backing field in generated C# cloning code (#4440)
* Integrated internal changes from Google
- bump soname version
update to version v3.5.2:
* Update release date
* Disable pip cache when testing uploaded packages
* Replace private timelib_update_ts with public date_timestamp_get
* Remove py2.6 support.
* Cherrypick for csharp, including:
* Update changelog
* Update changelog for 3.5.1
* Fix uploading binary wheel.
* Fix memory leak when creating map field via array.
* Update rake file to build of 2.1.6.
* Avoid using php_date_get_date_ce() in case date extension is not
* Update protoc-artfacts
* Fix string::back() usage in googletest.cc
* Fix memory leak in php7
* Support ruby2.5
* io_win32: support non-ASCII paths
* Explicitly propagate the status of Flush().
* Add discard unknown API in ruby. (#3990)
* Update version for 3.5.0.post1
* remove nullptr
* Fix more memory leak for php c extension (#4211)
* Bumping number to fix ruby 2.1 on mac
* io_win32_unittest: remove incorrect error check
* Fix memory leak when creating repeated field via array.
* Update version number for php c extension (#3896)
* Fix file permission for python package.
* Create containing directory before generating well_known_types_embed.cc
* Replace C++11 only method std::map::at
* Recursively clear unknown fields in submessages. (#3982)
* Update version number to 3.5.1
* io_win32_unittest: fix condition in GetCwdAsUtf8
* Add release log
* io_win32_unittest: use CWD as last tempdir
* Add PROTOBUF_ENABLE_TIMESTAMP to let user decide whether timestamp util
* Add support for Windows ARM64 build
* Add protobuf-all in post release
* Use fully qualifed name for DescriptorPool in Any.php to avoid name (#3886)
* Add _file_desc_by_toplevel_extension back
* Fix setup.py for windows build.
* io_win32_unittest: make //:win32_test run again
* Provide discardUnknonwnFields API in php (#3976)
* Update php c extension version number to 3.5.0.1
* Fix ruby gc_test in ruby 2.4 (#4011)
* Remove duplicate typedef. (#3975)
* Accept DatetimeInterface in fromDatetime
* io_win32: add more encoding-related tests
* Bump version number to 3.5.2
* Bump protoc-artifact version for a patch rebuild
* Call php method via function name instead of calling directly.
* Well known types are not initialized properly. (#4139)
* Use matching enum type for IsPOD.
* Fix several more memory leak
* Fix for php5.5
* Add backslach to make class explict in global namespace
* Fix compile error undefined reference to
`google::protobuf::internal::Release_CompareAndSwap(long volatile*, long, long)'
on s390x https://github.com/google/protobuf/issues/3937
- Conditionalize python2 and python3 in order to be able to build
without python2 present in distribution
* Use singlespec macros to simplify the logic
- Run fdupes on python modules to avoid duplicates
- Remove shebangs from import-only code
- Update to new upstream release 3.5.0
* Proto3 messages are now preserving unknown fields by default.
If you rely on unknowns fields being dropped, use
DiscardUnknownFields() explicitly.
* Deprecated the unsafe_arena_release_* and
unsafe_arena_add_allocated_* methods for string fields.
* Added move constructor and move assignment to RepeatedField,
RepeatedPtrField and google::protobuf::Any.
* Added perfect forwarding in Arena::CreateMessage.
* In-progress experimental support for implicit weak fields
with lite protos. This feature allows the linker to strip out
more unused messages and reduce binary size.
- Rename %soname to %sover to better reflect its use.
- Install LICENSE
- Update to 3.3.0 :
* C++:
* Fixed map fields serialization of DynamicMessage to correctly serialize
both key and value regardless of their presence.
* Parser now rejects field number 0 correctly.
* New API Message::SpaceUsedLong() that’s equivalent to
Message::SpaceUsed() but returns the value in size_t.
* JSON support
- New flag always_print_enums_as_ints in JsonPrintOptions.
- New flag preserve_proto_field_names in JsonPrintOptions. It will instruct
the JSON printer to use the original field name declared in the .proto
file instead of converting them to lowerCamelCase when printing JSON.
- JsonPrintOptions.always_print_primtive_fields now works for oneof message
fields.
- Fixed a bug that doesn’t allow different fields to set the same json_name
value.
- Fixed a performance bug that causes excessive memory copy when printing
large messages.
* Various performance optimizations.
* Java:
* Map field setters eagerly validate inputs and throw NullPointerExceptions
as appropriate.
* Added ByteBuffer overloads to the generated parsing methods and the Parser
interface.
* proto3 enum's getNumber() method now throws on UNRECOGNIZED values.
* Output of JsonFormat is now locale independent.
* Python:
* Added FindServiceByName() in the pure-Python DescriptorPool. This works only
for descriptors added with DescriptorPool.Add(). Generated descriptor_pool
does not support this yet.
* Added a descriptor_pool parameter for parsing Any in text_format.Parse().
* descriptor_pool.FindFileContainingSymbol() now is able to find nested
extensions.
* Extending empty [] to repeated field now sets parent message presence.
- Update to 3.2.0 :
* Added protoc version number to protoc plugin protocol. It can be used by
protoc plugin to detect which version of protoc is used with the plugin and
mitigate known problems in certain version of protoc.
* C++:
* The default parsing byte size limit has been raised from 64MB to 2GB.
* Added rvalue setters for non-arena string fields.
* Enabled debug logging for Android.
* Fixed a double-free problem when using Reflection::SetAllocatedMessage()
with extension fields.
* Fixed several deterministic serialization bugs:
* MessageLite::SerializeAsString() now respects the global deterministic
serialization flag.
* Extension fields are serialized deterministically as well. Fixed protocol
compiler to correctly report importing-self as an error.
* Fixed FileDescriptor::DebugString() to print custom options correctly.
* Various performance/codesize optimizations and cleanups.
* Java:
* The default parsing byte size limit has been raised from 64MB to 2GB.
* Added recursion limit when parsing JSON.
* Fixed a bug that enumType.getDescriptor().getOptions() doesn't have custom
options.
* Fixed generated code to support field numbers up to 2^29-1.
* Python:
* You can now assign NumPy scalars/arrays (np.int32, np.int64) to protobuf
fields, and assigning other numeric types has been optimized for
performance.
* Pure-Python: message types are now garbage-collectable.
* Python/C++: a lot of internal cleanup/refactoring.
- Increase soname to 13
- Generate python2-protobuf and python3-protobuf packages in Factory
- Make the python2-protobuf package provide and obsolete python-protobuf
to make the transition smooth in Tumbleweed
- Fix an issue with setup.py where some files are built on the
first invocation, but only copied on the second. This resulted
in an incomplete protobuf-python package.
- Update to protobuf v3.1.0. Protobuf v3.0.0 introduceced a new
version of the protocol buffer language, proto3, which supersedes
proto2.
The protoc compiler is able to read old proto2 protocol definitions,
and defaults to the proto2 syntax if a syntax is not specified, thus
packages can be recompiled to link to the new library. For backwards
compatibility, the old library version is available from the
protobuf2 package.
As the API for proto2 is not compatible to the proto3 API, proto3
should only be used for new Protocol Buffers, whereas current users
are advised to keep using proto2. For a detailed list of changes,
see https://github.com/google/protobuf/releases
- Use py_sitedir for library installation with setup.py install
- Drop protobuf-libs as it is just workaround for rpmlint issue
- Cleanup specfile:
* remove any conditionals for versions predating SLES 12/Leap 42.x
* add Provides: protobuf-libs to fix rpmlint warning
Changes in python-python-gflags:
- Don't provide python2-gflags, singlespec packages should use
correct name.
- Provide python-gflags in the python2 package
- Fix URL.
- Update to version 3.1.1
* Added PEP8 style method/function aliases.
- Update to version 3.1.0
* Python3 compatibility
* Removed UnrecognizedFlag exception.
* Replaced flags.DuplicateFlag with flags.DuplicateFlagError.
* Moved the validators.Error class to exceptions.ValidationError.
* Renamed IllegalFlagValue to IllegalFlagValueError.
* Removed MutualExclusionValidator class, in favor of flags.MarkFlagsAsMutualExclusive.
* Removed FlagValues.AddValidator method.
* Removed _helpers.GetMainModule.
* Use xml.dom.minidom to create XML strings, instead of manual crafting.
* Declared PEP8-style names.
* Added examples.
- Update to version 3.0.7
* Removed the unused method ShortestUniquePrefixes.
* Removed _GetCallingModule function alias.
- Update to version 3.0.6
* Declared pypi package classifiers.
* Added support for CLIF flag processing (not included in python-gflags repo
yet).
- Update to version 3.0.5
* Added a warning when FLAGS.SetDefault is used after flags were parsed.
* Added new function: MarkFlagsAsRequired.
- Update to version 3.0.4
* One more fix for setup.py - this time about third_party package.
- Update to version 3.0.3
* Fixed setup.py.
* --noflag if argument is given is no longer allowed.
* Python3 compatibility: removed need for cgi import.
* Disallowed unparsed flag usage after FLAGS.Reset()
- Update to version 3.0.2
* Fix MANIFEST.in to include all relevant files.
- Update to version 3.0.1
* Some changes for python3 compatibility.
* Automatically generate ordering operations for Flag.
* Add optional comma compatibility to whitespace-separated list flags.
* A lot of potentially backwards incompatible changes since 2.0.
* This version is NOT recommended to use in production. Some of the files and
documentation has been lost during export; this will be fixed in next
versions.
- Fix source URL
- Implement single-spec version
ImportantSUSE bug 1036025SUSE bug 1133277SUSE bug 1162343cpe:/o:suse:suse-openstack-cloud:8Security update for util-linux (Moderate)SUSE OpenStack Cloud 8
This update for util-linux fixes the following issues:
- CVE-2021-37600: Fixed an integer overflow which could lead to buffer overflow in get_sem_elements. (bsc#1188921)
- Prevent outdated pam files (bsc#1082293, bsc#1081947#c68).
- Do not trim read-only volumes (bsc#1106214).
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Reload issue only if it is really needed (bsc#1085196)
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- blockdev: Do not fail --report on kpartx-style partitions on multipath. (bsc#1168235)
- nologin: Add support for -c to prevent error from su -c. (bsc#1151708)
- Avoid triggering autofs in lookup_umount_fs_by_statfs. (bsc#1168389)
- libblkid: Do not trigger CDROM autoclose. (bsc#1084671)
- Avoid sulogin failing on not existing or not functional console devices. (bsc#1175514)
- Build with libudev support to support non-root users. (bsc#1169006)
- lscpu: avoid segfault on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
- Fix for warning on mounts to CIFS with mount. (SG#57988, bsc#1174942)
ModerateSUSE bug 1081947SUSE bug 1082293SUSE bug 1084671SUSE bug 1085196SUSE bug 1106214SUSE bug 1122417SUSE bug 1125886SUSE bug 1135534SUSE bug 1135708SUSE bug 1151708SUSE bug 1168235SUSE bug 1168389SUSE bug 1169006SUSE bug 1174942SUSE bug 1175514SUSE bug 1175623SUSE bug 1178236SUSE bug 1178554SUSE bug 1178825SUSE bug 1188921CVE-2021-37600 at SUSECVE-2021-37600 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for strongswan (Important)SUSE OpenStack Cloud 8
This update for strongswan fixes the following issues:
- CVE-2021-41991: Fixed an integer overflow when replacing certificates in cache. (bsc#1191435)
ImportantSUSE bug 1191435CVE-2021-41991 at SUSECVE-2021-41991 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for postgresql10 (Important)SUSE OpenStack Cloud 8
This update for postgresql10 fixes the following issues:
- Fix for build with llvm12 on s390x. (bsc#1185952)
- Re-enable 'icu' for PostgreSQL 10. (bsc#1179945)
- Add postgresqlXX-server-devel as a dependency for postgresql13-server-devel. (bsc#1187751)
- Upgrade to version 10.18. (bsc#1190177)
Upgrade to version 10.17 (already released for SUSE Linux Enterprise 12 SP5):
- CVE-2021-32027: Fixed integer overflows in array subscripting calculations (bsc#1185924).
- CVE-2021-32028: Fixed mishandling of junk columns in INSERT ... ON CONFLICT ... UPDATE target lists (bsc#1185925).
- Don't use %_stop_on_removal, because it was meant to be private and got removed from openSUSE. %_restart_on_update is also private, but still supported and needed for now (bsc#1183168).
- Re-enable build of the llvmjit subpackage on SLE, but it will only be delivered on PackageHub for now (bsc#1183118).
- Disable icu for PostgreSQL 10 (and older) on TW (bsc#1179945).
- Fixed an issue droping irregular warning messages by removing the package. (bsc#1178961)
- Fixed an issue when build does not build the requiements to avoid dangling symlinks in the devel package. (bsc#1179765)
- Fix recently-added timetz test case so it works when the USA is not observing daylight savings time.
ImportantSUSE bug 1178961SUSE bug 1179765SUSE bug 1179945SUSE bug 1183118SUSE bug 1183168SUSE bug 1185924SUSE bug 1185925SUSE bug 1185952SUSE bug 1187751SUSE bug 1190177CVE-2021-32027 at SUSECVE-2021-32027 at NVDCVE-2021-32028 at SUSECVE-2021-32028 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for git (Low)SUSE OpenStack Cloud 8
This update for git fixes the following issues:
- CVE-2021-40330: Fixed unexpected cross-protocol requests via newline character in git_connect_git repository path (bsc#1189992).
LowSUSE bug 1189992CVE-2021-40330 at SUSECVE-2021-40330 at NVDcpe:/o:suse:suse-openstack-cloud:8Recommended update for ardana-horizon, ardana-logging, ardana-monasca, ardana-mq, ardana-osconfig, crowbar-ha, crowbar-openstack, kibana, openstack-neutron, openstack-nova, python-Django, release-notes-suse-openstack-cloud, sleshammer, spark (Important)SUSE OpenStack Cloud 8
This update for ardana-horizon, ardana-logging, ardana-monasca, ardana-mq, ardana-osconfig, crowbar-ha, crowbar-openstack, kibana, openstack-neutron, openstack-nova, python-Django, release-notes-suse-openstack-cloud, sleshammer, spark fixes the following issues:
Security fix from this update:
python-Django1
- CVE-2021-3281: Fixed a potential directory traversal when extracting
archives (bsc#1181379).
Changes in ardana-horizon_Update:
- Update to version 8.0+git.1610733160.0f577f4:
* Add Fix for logfile permissions (bsc#1179189)
Changes in ardana-logging_Update:
- Update to version 8.0+git.1610573640.452aed1:
* Remove some files from upgrade.yml (bsc#1179189)
Changes in ardana-monasca_Update:
- Update to version 8.0+git.1610740501.5dca121:
* Add Fix for logfile permissions (bsc#1179189)
Changes in ardana-mq_Update:
- Update to version 8.0+git.1605176800.52cccfa:
* Re-enable mirroring of fanout and reply queues (bsc#1177611)
Changes in ardana-osconfig_Update:
- Update to version 8.0+git.1610643571.91b88d6:
* Remove SLES-12-SP3-LTSS repos (bsc#1180916)
Changes in crowbar-ha:
- Update to version 5.0+git.1610564036.b75ee1b:
* [5.0] crowbar-pacemaker: Cluster member SSH key improvements
Changes in crowbar-openstack:
- Update to version 5.0+git.1610402513.08dca931e:
* neutron: Fix handling of networks with non-ascii names (SOC-11429)
- Update to version 5.0+git.1610372799.621afb999:
* keystone: fix keystone node lookup (SOC-11333, bsc#1164838)
Changes in kibana:
- Add 0001-Configurable-custom-response-headers-for-server.patch
(bsc#1171909, CVE-2020-10743)
- Added kibana.yml symlink (bsc#1048688, FATE#323204)
Changes in openstack-nova_Update:
- Update to version nova-16.1.9.dev78:
* [stable-only] Cap bandit to 1.6.2
Changes in python-Django_Update:
- Add CVE-2021-3281.patch (bsc#1181379, CVE-2021-3281)
* Fixes a potential directory traversal when extracting archives
Changes in release-notes-suse-openstack-cloud:
- Fix incorrect issue number for bsc#1179955
- Update to version 8.20201214:
* Add workaround for secure boot issue when shim package is updated. (bsc#1179955)
Changes in spark_Update:
- Add _constraints to prevent build from running out of disk space.
Changes in sleshammer:
- Really drop etc/udev/rules.d/70-persistent-net.rules from the overlay
it was still present in the tarball. (SOC-9288)
- added ruby2.1-rubygem-crowbar-client providing crowbarctl
ImportantSUSE bug 1048688SUSE bug 1164838SUSE bug 1177611SUSE bug 1179189SUSE bug 1179955SUSE bug 1180916SUSE bug 1181379CVE-2016-8611 at SUSECVE-2016-8611 at NVDCVE-2020-10743 at SUSECVE-2020-10743 at NVDCVE-2021-3281 at SUSECVE-2021-3281 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for opensc (Important)SUSE OpenStack Cloud 8
This update for opensc fixes the following issues:
- CVE-2021-42780: Fixed use after return in insert_pin() (bsc#1192005).
- CVE-2021-42779: Fixed use after free in sc_file_valid() (bsc#1191992).
- CVE-2021-42781: Fixed multiple heap buffer overflows in pkcs15-oberthur.c (bsc#1192000).
- CVE-2021-42782: Stack buffer overflow issues in various places (bsc#1191957).
ImportantSUSE bug 1191957SUSE bug 1191992SUSE bug 1192000SUSE bug 1192005CVE-2021-42779 at SUSECVE-2021-42779 at NVDCVE-2021-42780 at SUSECVE-2021-42780 at NVDCVE-2021-42781 at SUSECVE-2021-42781 at NVDCVE-2021-42782 at SUSECVE-2021-42782 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for transfig (Important)SUSE OpenStack Cloud 8
This update for transfig fixes the following issues:
Update to fig2dev version 3.2.8 Patchlevel 8b (Aug 2021)
- bsc#1190618, CVE-2020-21529: stack buffer overflow in the bezier_spline function in genepic.c.
- bsc#1190615, CVE-2020-21530: segmentation fault in the read_objects function in read.c.
- bsc#1190617, CVE-2020-21531: global buffer overflow in the conv_pattern_index function in gencgm.c.
- bsc#1190616, CVE-2020-21532: global buffer overflow in the setfigfont function in genepic.c.
- bsc#1190612, CVE-2020-21533: stack buffer overflow in the read_textobject function in read.c.
- bsc#1190611, CVE-2020-21534: global buffer overflow in the get_line function in read.c.
- bsc#1190607, CVE-2020-21535: segmentation fault in the gencgm_start function in gencgm.c.
- bsc#1192019, CVE-2021-32280: NULL pointer dereference in compute_closed_spline() in trans_spline.c
ImportantSUSE bug 1190607SUSE bug 1190611SUSE bug 1190612SUSE bug 1190615SUSE bug 1190616SUSE bug 1190617SUSE bug 1190618SUSE bug 1192019CVE-2020-21529 at SUSECVE-2020-21529 at NVDCVE-2020-21530 at SUSECVE-2020-21530 at NVDCVE-2020-21531 at SUSECVE-2020-21531 at NVDCVE-2020-21532 at SUSECVE-2020-21532 at NVDCVE-2020-21533 at SUSECVE-2020-21533 at NVDCVE-2020-21534 at SUSECVE-2020-21534 at NVDCVE-2020-21535 at SUSECVE-2020-21535 at NVDCVE-2021-32280 at SUSECVE-2021-32280 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for binutils (Moderate)SUSE OpenStack Cloud 8
This update for binutils fixes the following issues:
Update to binutils 2.37:
* The GNU Binutils sources now requires a C99 compiler and library to
build.
* Support for the arm-symbianelf format has been removed.
* Support for Realm Management Extension (RME) for AArch64 has been
added.
* A new linker option '-z report-relative-reloc' for x86 ELF targets
has been added to report dynamic relative relocations.
* A new linker option '-z start-stop-gc' has been added to disable
special treatment of __start_*/__stop_* references when
--gc-sections.
* A new linker options '-Bno-symbolic' has been added which will
cancel the '-Bsymbolic' and '-Bsymbolic-functions' options.
* The readelf tool has a new command line option which can be used to
specify how the numeric values of symbols are reported.
--sym-base=0|8|10|16 tells readelf to display the values in base 8,
base 10 or base 16. A sym base of 0 represents the default action
of displaying values under 10000 in base 10 and values above that in
base 16.
* A new format has been added to the nm program. Specifying
'--format=just-symbols' (or just using -j) will tell the program to
only display symbol names and nothing else.
* A new command line option '--keep-section-symbols' has been added to
objcopy and strip. This stops the removal of unused section symbols
when the file is copied. Removing these symbols saves space, but
sometimes they are needed by other tools.
* The '--weaken', '--weaken-symbol' and '--weaken-symbols' options
supported by objcopy now make undefined symbols weak on targets that
support weak symbols.
* Readelf and objdump can now display and use the contents of .debug_sup
sections.
* Readelf and objdump will now follow links to separate debug info
files by default. This behaviour can be stopped via the use of the
new '-wN' or '--debug-dump=no-follow-links' options for readelf and
the '-WN' or '--dwarf=no-follow-links' options for objdump. Also
the old behaviour can be restored by the use of the
'--enable-follow-debug-links=no' configure time option.
The semantics of the =follow-links option have also been slightly
changed. When enabled, the option allows for the loading of symbol
tables and string tables from the separate files which can be used
to enhance the information displayed when dumping other sections,
but it does not automatically imply that information from the
separate files should be displayed.
If other debug section display options are also enabled (eg
'--debug-dump=info') then the contents of matching sections in both
the main file and the separate debuginfo file *will* be displayed.
This is because in most cases the debug section will only be present
in one of the files.
If however non-debug section display options are enabled (eg
'--sections') then the contents of matching parts of the separate
debuginfo file will *not* be displayed. This is because in most
cases the user probably only wanted to load the symbol information
from the separate debuginfo file. In order to change this behaviour
a new command line option --process-links can be used. This will
allow di0pslay options to applied to both the main file and any
separate debuginfo files.
* Nm has a new command line option: '--quiet'. This suppresses 'no
symbols' diagnostic.
Update to binutils 2.36:
New features in the Assembler:
General:
* When setting the link order attribute of ELF sections, it is now
possible to use a numeric section index instead of symbol name.
* Added a .nop directive to generate a single no-op instruction in
a target neutral manner. This instruction does have an effect on
DWARF line number generation, if that is active.
* Removed --reduce-memory-overheads and --hash-size as gas now
uses hash tables that can be expand and shrink automatically.
X86/x86_64:
* Add support for AVX VNNI, HRESET, UINTR, TDX, AMX and Key
Locker instructions.
* Support non-absolute segment values for lcall and ljmp.
* Add {disp16} pseudo prefix to x86 assembler.
* Configure with --enable-x86-used-note by default for Linux/x86.
ARM/AArch64:
* Add support for Cortex-A78, Cortex-A78AE and Cortex-X1,
Cortex-R82, Neoverse V1, and Neoverse N2 cores.
* Add support for ETMv4 (Embedded Trace Macrocell), ETE (Embedded
Trace Extension), TRBE (Trace Buffer Extension), CSRE (Call
Stack Recorder Extension) and BRBE (Branch Record Buffer
Extension) system registers.
* Add support for Armv8-R and Armv8.7-A ISA extensions.
* Add support for DSB memory nXS barrier, WFET and WFIT
instruction for Armv8.7.
* Add support for +csre feature for -march. Add CSR PDEC
instruction for CSRE feature in AArch64.
* Add support for +flagm feature for -march in Armv8.4 AArch64.
* Add support for +ls64 feature for -march in Armv8.7
AArch64. Add atomic 64-byte load/store instructions for this
feature.
* Add support for +pauth (Pointer Authentication) feature for
-march in AArch64.
New features in the Linker:
* Add --error-handling-script=<NAME> command line option to allow
a helper script to be invoked when an undefined symbol or a
missing library is encountered. This option can be suppressed
via the configure time switch: --enable-error-handling-script=no.
* Add -z x86-64-{baseline|v[234]} to the x86 ELF linker to mark
x86-64-{baseline|v[234]} ISA level as needed.
* Add -z unique-symbol to avoid duplicated local symbol names.
* The creation of PE format DLLs now defaults to using a more
secure set of DLL characteristics.
* The linker now deduplicates the types in .ctf sections. The new
command-line option --ctf-share-types describes how to do this:
its default value, share-unconflicted, produces the most compact
output.
* The linker now omits the 'variable section' from .ctf sections
by default, saving space. This is almost certainly what you
want unless you are working on a project that has its own
analogue of symbol tables that are not reflected in the ELF
symtabs.
New features in other binary tools:
* The ar tool's previously unused l modifier is now used for
specifying dependencies of a static library. The arguments of
this option (or --record-libdeps long form option) will be
stored verbatim in the __.LIBDEP member of the archive, which
the linker may read at link time.
* Readelf can now display the contents of LTO symbol table
sections when asked to do so via the --lto-syms command line
option.
* Readelf now accepts the -C command line option to enable the
demangling of symbol names. In addition the --demangle=<style>,
--no-demangle, --recurse-limit and --no-recurse-limit options
are also now availale.
Update to binutils 2.35.1:
* This is a point release over the previous 2.35 version, containing bug
fixes, and as an exception to the usual rule, one new feature. The
new feature is the support for a new directive in the assembler:
'.nop'. This directive creates a single no-op instruction in whatever
encoding is correct for the target architecture. Unlike the .space or
.fill this is a real instruction, and it does affect the generation of
DWARF line number tables, should they be enabled.
Update to binutils 2.35:
* The assembler can now produce DWARF-5 format line number tables.
* Readelf now has a 'lint' mode to enable extra checks of the files it is processing.
* Readelf will now display '[...]' when it has to truncate a symbol name.
The old behaviour - of displaying as many characters as possible, up to
the 80 column limit - can be restored by the use of the --silent-truncation
option.
* The linker can now produce a dependency file listing the inputs that it
has processed, much like the -M -MP option supported by the compiler.
Update to binutils 2.34:
* The disassembler (objdump --disassemble) now has an option to
generate ascii art thats show the arcs between that start and end
points of control flow instructions.
* The binutils tools now have support for debuginfod. Debuginfod is a
HTTP service for distributing ELF/DWARF debugging information as
well as source code. The tools can now connect to debuginfod
servers in order to download debug information about the files that
they are processing.
* The assembler and linker now support the generation of ELF format
files for the Z80 architecture.
Update to binutils 2.33.1:
* Adds support for the Arm Scalable Vector Extension version 2
(SVE2) instructions, the Arm Transactional Memory Extension (TME)
instructions and the Armv8.1-M Mainline and M-profile Vector
Extension (MVE) instructions.
* Adds support for the Arm Cortex-A76AE, Cortex-A77 and Cortex-M35P
processors and the AArch64 Cortex-A34, Cortex-A65, Cortex-A65AE,
Cortex-A76AE, and Cortex-A77 processors.
* Adds a .float16 directive for both Arm and AArch64 to allow
encoding of 16-bit floating point literals.
* For MIPS, Add -m[no-]fix-loongson3-llsc option to fix (or not)
Loongson3 LLSC Errata. Add a --enable-mips-fix-loongson3-llsc=[yes|no]
configure time option to set the default behavior. Set the default
if the configure option is not used to 'no'.
* The Cortex-A53 Erratum 843419 workaround now supports a choice of
which workaround to use. The option --fix-cortex-a53-843419 now
takes an optional argument --fix-cortex-a53-843419[=full|adr|adrp]
which can be used to force a particular workaround to be used.
See --help for AArch64 for more details.
* Add support for GNU_PROPERTY_AARCH64_FEATURE_1_BTI and
GNU_PROPERTY_AARCH64_FEATURE_1_PAC in ELF GNU program properties
in the AArch64 ELF linker.
* Add -z force-bti for AArch64 to enable GNU_PROPERTY_AARCH64_FEATURE_1_BTI
on output while warning about missing GNU_PROPERTY_AARCH64_FEATURE_1_BTI
on inputs and use PLTs protected with BTI.
* Add -z pac-plt for AArch64 to pick PAC enabled PLTs.
* Add --source-comment[=<txt>] option to objdump which if present,
provides a prefix to source code lines displayed in a disassembly.
* Add --set-section-alignment <section-name>=<power-of-2-align>
option to objcopy to allow the changing of section alignments.
* Add --verilog-data-width option to objcopy for verilog targets to
control width of data elements in verilog hex format.
* The separate debug info file options of readelf (--debug-dump=links
and --debug-dump=follow) and objdump (--dwarf=links and
--dwarf=follow-links) will now display and/or follow multiple
links if more than one are present in a file. (This usually
happens when gcc's -gsplit-dwarf option is used).
In addition objdump's --dwarf=follow-links now also affects its
other display options, so that for example, when combined with
--syms it will cause the symbol tables in any linked debug info
files to also be displayed. In addition when combined with
--disassemble the --dwarf= follow-links option will ensure that
any symbol tables in the linked files are read and used when
disassembling code in the main file.
* Add support for dumping types encoded in the Compact Type Format
to objdump and readelf.
The following security fixes are addressed by the update:
- CVE-2021-20197: Fixed a race condition which allows users to own arbitrary files (bsc#1181452).
- CVE-2021-20284: Fixed a heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c (bsc#1183511).
- CVE-2021-3487: Fixed a denial of service via excessive debug section size causing excessive memory consumption in bfd's dwarf2.c read_section() (bsc#1184620).
- CVE-2020-35448: Fixed a heap-based buffer over-read in bfd_getl_signed_32() in libbfd.c (bsc#1184794).
- CVE-2020-16590: Fixed a double free vulnerability in process_symbol_table() (bsc#1179898).
- CVE-2020-16591: Fixed an invalid read in process_symbol_table() (bsc#1179899).
- CVE-2020-16592: Fixed an use-after-free in bfd_hash_lookup() (bsc#1179900).
- CVE-2020-16593: Fixed a null pointer dereference in scan_unit_for_symbols() (bsc#1179901).
- CVE-2020-16598: Fixed a null pointer dereference in debug_get_real_type() (bsc#1179902).
- CVE-2020-16599: Fixed a null pointer dereference in _bfd_elf_get_symbol_version_string() (bsc#1179903)
- CVE-2020-35493: Fixed heap-based buffer overflow in bfd_pef_parse_function_stubs function in bfd/pef.c via crafted PEF file (bsc#1180451).
- CVE-2020-35496: Fixed multiple null pointer dereferences in bfd module due to not checking return value of bfd_malloc (bsc#1180454).
- CVE-2020-35507: Fixed a null pointer dereference in bfd_pef_parse_function_stubs() (bsc#1180461).
- CVE-2019-17451: Fixed an integer overflow leading to a SEGV in _bfd_dwarf2_find_nearest_line() in dwarf2.c (bsc#1153768).
- CVE-2019-17450: Fixed a potential denial of service in find_abstract_instance() in dwarf2.c (bsc#1153770).
- CVE-2019-9077: Fixed a heap-based buffer overflow in process_mips_specific() in readelf.c via a malformed MIPS option section (bsc#1126826).
- CVE-2019-9075: Fixed a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap() in archive64.c (bsc#1126829).
- CVE-2019-9074: Fixed a out-of-bounds read leading to a SEGV in bfd_getl32() in libbfd.c (bsc#1126831).
- CVE-2019-12972: Fixed a heap-based buffer over-read in _bfd_doprnt() in bfd.c (bsc#1140126).
- CVE-2019-14444: Fixed an integer overflow apply_relocations() in readelf.c (bsc#1143609).
- CVE-2019-14250: Fixed an integer overflow in simple_object_elf_match() in simple-object-elf.c (bsc#1142649).
ModerateSUSE bug 1126826SUSE bug 1126829SUSE bug 1126831SUSE bug 1140126SUSE bug 1142649SUSE bug 1143609SUSE bug 1153768SUSE bug 1153770SUSE bug 1157755SUSE bug 1160254SUSE bug 1160590SUSE bug 1163333SUSE bug 1163744SUSE bug 1179036SUSE bug 1179341SUSE bug 1179898SUSE bug 1179899SUSE bug 1179900SUSE bug 1179901SUSE bug 1179902SUSE bug 1179903SUSE bug 1180451SUSE bug 1180454SUSE bug 1180461SUSE bug 1181452SUSE bug 1182252SUSE bug 1183511SUSE bug 1184620SUSE bug 1184794CVE-2019-12972 at SUSECVE-2019-12972 at NVDCVE-2019-14250 at SUSECVE-2019-14250 at NVDCVE-2019-14444 at SUSECVE-2019-14444 at NVDCVE-2019-17450 at SUSECVE-2019-17450 at NVDCVE-2019-17451 at SUSECVE-2019-17451 at NVDCVE-2019-9074 at SUSECVE-2019-9074 at NVDCVE-2019-9075 at SUSECVE-2019-9075 at NVDCVE-2019-9077 at SUSECVE-2019-9077 at NVDCVE-2020-16590 at SUSECVE-2020-16590 at NVDCVE-2020-16591 at SUSECVE-2020-16591 at NVDCVE-2020-16592 at SUSECVE-2020-16592 at NVDCVE-2020-16593 at SUSECVE-2020-16593 at NVDCVE-2020-16598 at SUSECVE-2020-16598 at NVDCVE-2020-16599 at SUSECVE-2020-16599 at NVDCVE-2020-35448 at SUSECVE-2020-35448 at NVDCVE-2020-35493 at SUSECVE-2020-35493 at NVDCVE-2020-35496 at SUSECVE-2020-35496 at NVDCVE-2020-35507 at SUSECVE-2020-35507 at NVDCVE-2021-20197 at SUSECVE-2021-20197 at NVDCVE-2021-20284 at SUSECVE-2021-20284 at NVDCVE-2021-3487 at SUSECVE-2021-3487 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for binutils (Moderate)SUSE OpenStack Cloud 8
This update for binutils fixes the following issues:
- For compatibility on old code stream that expect 'brcl 0,label' to
not be disassembled as 'jgnop label' on s390x. (bsc#1192267)
This reverts IBM zSeries HLASM support for now.
- Fixed that ppc64 optflags did not enable LTO (bsc#1188941).
- Fix empty man-pages from broken release tarball
- Fixed a memory corruption with rpath option (bsc#1191473).
- Fixed slow performance of stripping some binaries (bsc#1183909).
Security issue fixed:
- CVE-2021-20294: Fixed out-of-bounds write in print_dynamic_symbol in readelf (bnc#1184519)
ModerateSUSE bug 1183909SUSE bug 1184519SUSE bug 1188941SUSE bug 1191473SUSE bug 1192267CVE-2021-20294 at SUSECVE-2021-20294 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for pcre (Moderate)SUSE OpenStack Cloud 8
This update for pcre fixes the following issues:
Update pcre to version 8.45:
- CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
- CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973).
- CVE-2017-7244: Fixed invalid read in _pcre32_xclass() (bsc#1030807).
- CVE-2017-7245: Fixed buffer overflow in the pcre32_copy_substring (bsc#1030805).
- CVE-2017-7246: Fixed another buffer overflow in the pcre32_copy_substring (bsc#1030803).
- CVE-2017-7186: Fixed denial of service caused by an invalid Unicode property lookup (bsc#1030066).
- CVE-2017-6004: Fixed denial of service via crafted regular expression (bsc#1025709).
ModerateSUSE bug 1025709SUSE bug 1030066SUSE bug 1030803SUSE bug 1030805SUSE bug 1030807SUSE bug 1172973SUSE bug 1172974CVE-2017-6004 at SUSECVE-2017-6004 at NVDCVE-2017-7186 at SUSECVE-2017-7186 at NVDCVE-2017-7244 at SUSECVE-2017-7244 at NVDCVE-2017-7245 at SUSECVE-2017-7245 at NVDCVE-2017-7246 at SUSECVE-2017-7246 at NVDCVE-2019-20838 at SUSECVE-2019-20838 at NVDCVE-2020-14155 at SUSECVE-2020-14155 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for qemu (Important)SUSE OpenStack Cloud 8
This update for qemu fixes the following issues:
Security issues fixed:
- Fix out-of-bounds write in UAS (USB Attached SCSI) device emulation (bsc#1189702, CVE-2021-3713)
- Fix heap use-after-free in virtio_net_receive_rcu (bsc#1189938, CVE-2021-3748)
ImportantSUSE bug 1189702SUSE bug 1189938CVE-2021-3713 at SUSECVE-2021-3713 at NVDCVE-2021-3748 at SUSECVE-2021-3748 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
MozillaFirefox was updated to Extended Support Release 91.3.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-49 (bsc#1192250)
* CVE-2021-38503: iframe sandbox rules did not apply to XSLT stylesheets
* CVE-2021-38504: Use-after-free in file picker dialog
* CVE-2021-38505: Windows 10 Cloud Clipboard may have recorded sensitive user data
* CVE-2021-38506: Firefox could be coaxed into going into fullscreen mode without notification or warning
* CVE-2021-38507: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports
* CVE-2021-38508: Permission Prompt could be overlaid, resulting in user confusion and potential spoofing
* CVE-2021-38509: Javascript alert box could have been spoofed onto an arbitrary domain
* CVE-2021-38510: Download Protections were bypassed by .inetloc files on Mac OS
* MOZ-2021-0008: Use-after-free in HTTP2 Session object
* MOZ-2021-0007: Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3
ImportantSUSE bug 1192250CVE-2021-38503 at SUSECVE-2021-38503 at NVDCVE-2021-38504 at SUSECVE-2021-38504 at NVDCVE-2021-38505 at SUSECVE-2021-38505 at NVDCVE-2021-38506 at SUSECVE-2021-38506 at NVDCVE-2021-38507 at SUSECVE-2021-38507 at NVDCVE-2021-38508 at SUSECVE-2021-38508 at NVDCVE-2021-38509 at SUSECVE-2021-38509 at NVDCVE-2021-38510 at SUSECVE-2021-38510 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ardana-ansible, ardana-monasca, documentation-suse-openstack-cloud, openstack-ec2-api, openstack-heat-templates, python-Django, python-monasca-common, rubygem-redcarpet, rubygem-puma (Moderate)SUSE OpenStack Cloud 8
This update for ardana-ansible, ardana-monasca, documentation-suse-openstack-cloud, openstack-ec2-api, openstack-heat-templates, python-Django, python-monasca-common, rubygem-redcarpet, rubygem-puma contains the following fixes:
Security fixes included in this update:
rubygem-redcarpet:
CVE-2020-26298: Fixed XSS via HTML escaping when processing quotes. (bsc#1180837)
rubygem-puma:
CVE-2021-41136: Fixed build of the Java state machine for parsing HTTP. (bsc#1191681)
Non-security fixes included in this update:
Changes in ardana-ansible:
* Patch service.py to skip blank lines.
Changes in ardana-monasca:
* Use specific TLS versions for monasca-thresh DB connections. (SOC-11543)
Changes in documentation-suse-openstack-cloud:
* CI: only run on DocBook/AsciiDoc paths, make upload fails nonfatal
* DC files: Update to 2021 stylesheets (#1327)
* CI: Use GitHub Actions
Changes in openstack-ec2-api:
* Remove jobs corresponds to obselete featuresets
* OpenDev Migration Patch
Changes in openstack-heat-templates:
* [ussuri][goal] Update contributor documentation
Changes in python-Django:
- Add missing dependency for CVE-2021-31542
Changes in python-monasca-common:
- Remove renderspec source service.
- Retry publish once on failures. (SOC-11543)
ModerateSUSE bug 1180837SUSE bug 1191681CVE-2020-26298 at SUSECVE-2020-26298 at NVDCVE-2021-41136 at SUSECVE-2021-41136 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for samba (Important)SUSE OpenStack Cloud 8
This update for samba fixes the following issues:
- CVE-2016-2124: Fixed not to fallback to non spnego authentication if we require kerberos (bsc#1014440).
- CVE-2020-25717: Fixed privilege escalation inside an AD Domain where a user could become root on domain members (bsc#1192284).
ImportantSUSE bug 1014440SUSE bug 1192284CVE-2016-2124 at SUSECVE-2016-2124 at NVDCVE-2020-25717 at SUSECVE-2020-25717 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for postgresql, postgresql13, postgresql14 (Important)SUSE OpenStack Cloud 8
This update for postgresql, postgresql13 and postgresql14 fixes the following issues:
Security issues fixed:
- CVE-2021-23214: Make the server reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
- CVE-2021-23222: Make libpq reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
This update also ships postgresql14 to SUSE Linux Enterprise 12 SP5. (jsc#SLE-22673)
On older service packs only libpq5 and libecpg6 are being replaced by the postgresql14 variants.
Feature changes in postgresql14:
- https://www.postgresql.org/about/news/postgresql-14-released-2318/
- https://www.postgresql.org/docs/14/release-14.html
ImportantSUSE bug 1192516CVE-2021-23214 at SUSECVE-2021-23214 at NVDCVE-2021-23222 at SUSECVE-2021-23222 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for postgresql96 (Important)SUSE OpenStack Cloud 8
This update for postgresql96 fixes the following issues:
- CVE-2021-23214: Make the server reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
- CVE-2021-23222: Make libpq reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
ImportantSUSE bug 1192516CVE-2021-23214 at SUSECVE-2021-23214 at NVDCVE-2021-23222 at SUSECVE-2021-23222 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for postgresql10 (Important)SUSE OpenStack Cloud 8
This update for postgresql10 fixes the following issues:
- CVE-2021-23214: Make the server reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
- CVE-2021-23222: Make libpq reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
ImportantSUSE bug 1192516CVE-2021-23214 at SUSECVE-2021-23214 at NVDCVE-2021-23222 at SUSECVE-2021-23222 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud 8
This update for webkit2gtk3 fixes the following issues:
- CVE-2021-42762: Updated seccomp rules with latest changes from flatpak (bsc#1191937).
ImportantSUSE bug 1191937CVE-2021-42762 at SUSECVE-2021-42762 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_8_0-openjdk (Important)SUSE OpenStack Cloud 8
This update for java-1_8_0-openjdk fixes the following issues:
Update to version OpenJDK 8u312 (October 2021 CPU):
- CVE-2021-35550: Fixed weak ciphers preferred over stronger ones for TLS (bsc#1191901).
- CVE-2021-35556: Fixed excessive memory allocation in RTFParser (bsc#1191910).
- CVE-2021-35559: Fixed excessive memory allocation in RTFReader (bsc#1191911).
- CVE-2021-35561: Fixed excessive memory allocation in HashMap and HashSet (bsc#1191912).
- CVE-2021-35564: Fixed certificates with end dates too far in the future can corrupt keystore (bsc#1191913).
- CVE-2021-35565: Fixed loop in HttpsServer triggered during TLS session close (bsc#1191909).
- CVE-2021-35567: Fixed incorrect principal selection when using Kerberos Constrained Delegation (bsc#1191903).
- CVE-2021-35578: Fixed unexpected exception raised during TLS handshake (bsc#1191904).
- CVE-2021-35586: Fixed excessive memory allocation in BMPImageReader (bsc#1191914).
- CVE-2021-35588: Fixed incomplete validation of inner class references in ClassFileParser (bsc#1191905)
- CVE-2021-35603: Fixed non-constant comparison during TLS handshakes (bsc#1191906).
ImportantSUSE bug 1191901SUSE bug 1191903SUSE bug 1191904SUSE bug 1191905SUSE bug 1191906SUSE bug 1191909SUSE bug 1191910SUSE bug 1191911SUSE bug 1191912SUSE bug 1191913SUSE bug 1191914CVE-2021-35550 at SUSECVE-2021-35550 at NVDCVE-2021-35556 at SUSECVE-2021-35556 at NVDCVE-2021-35559 at SUSECVE-2021-35559 at NVDCVE-2021-35561 at SUSECVE-2021-35561 at NVDCVE-2021-35564 at SUSECVE-2021-35564 at NVDCVE-2021-35565 at SUSECVE-2021-35565 at NVDCVE-2021-35567 at SUSECVE-2021-35567 at NVDCVE-2021-35578 at SUSECVE-2021-35578 at NVDCVE-2021-35586 at SUSECVE-2021-35586 at NVDCVE-2021-35588 at SUSECVE-2021-35588 at NVDCVE-2021-35603 at SUSECVE-2021-35603 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_7_0-openjdk (Important)SUSE OpenStack Cloud 8
This update for java-1_7_0-openjdk fixes the following issues:
Update to OpenJDK 7u321 (October 2021 CPU):
- CVE-2021-35550: Fixed weak ciphers preferred over stronger ones for TLS (bsc#1191901).
- CVE-2021-35556: Fixed excessive memory allocation in RTFParser (bsc#1191910).
- CVE-2021-35559: Fixed excessive memory allocation in RTFReader (bsc#1191911).
- CVE-2021-35561: Fixed excessive memory allocation in HashMap and HashSet (bsc#1191912).
- CVE-2021-35564: Fixed certificates with end dates too far in the future can corrupt keystore (bsc#1191913).
- CVE-2021-35565: Fixed loop in HttpsServer triggered during TLS session close (bsc#1191909).
- CVE-2021-35586: Fixed excessive memory allocation in BMPImageReader (bsc#1191914).
- CVE-2021-35588: Fixed incomplete validation of inner class references in ClassFileParser (bsc#1191905)
- CVE-2021-35603: Fixed non-constant comparison during TLS handshakes (bsc#1191906).
ImportantSUSE bug 1191901SUSE bug 1191905SUSE bug 1191906SUSE bug 1191909SUSE bug 1191910SUSE bug 1191911SUSE bug 1191912SUSE bug 1191913SUSE bug 1191914CVE-2021-35550 at SUSECVE-2021-35550 at NVDCVE-2021-35556 at SUSECVE-2021-35556 at NVDCVE-2021-35559 at SUSECVE-2021-35559 at NVDCVE-2021-35561 at SUSECVE-2021-35561 at NVDCVE-2021-35564 at SUSECVE-2021-35564 at NVDCVE-2021-35565 at SUSECVE-2021-35565 at NVDCVE-2021-35586 at SUSECVE-2021-35586 at NVDCVE-2021-35588 at SUSECVE-2021-35588 at NVDCVE-2021-35603 at SUSECVE-2021-35603 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ruby2.1 (Important)SUSE OpenStack Cloud 8
This update for ruby2.1 fixes the following issues:
- CVE-2020-25613: Fixed potential HTTP request smuggling in WEBrick (bsc#1177125).
- CVE-2021-31799: Fixed Command injection vulnerability in RDoc (bsc#1190375).
- CVE-2021-31810: Fixed trusting FTP PASV responses vulnerability in Net:FTP (bsc#1188161).
- CVE-2021-32066: Fixed StartTLS stripping vulnerability in Net:IMAP (bsc#1188160).
ImportantSUSE bug 1177125SUSE bug 1188160SUSE bug 1188161SUSE bug 1190375CVE-2020-25613 at SUSECVE-2020-25613 at NVDCVE-2021-31799 at SUSECVE-2021-31799 at NVDCVE-2021-31810 at SUSECVE-2021-31810 at NVDCVE-2021-32066 at SUSECVE-2021-32066 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for xen (Moderate)SUSE OpenStack Cloud 8
This update for xen fixes the following issues:
- CVE-2021-28704, CVE-2021-28707, CVE-2021-28708: Fixed PoD operations on misaligned GFNs (XSA-388) (bsc#1192557).
- CVE-2021-28705, CVE-2021-28709: Fixed issues with partially successful P2M updates on x86 (XSA-389) (bsc#1192559).
- CVE-2021-28706: Fixed guests may exceed their designated memory limit (XSA-385) (bsc#1192554).
ModerateSUSE bug 1192554SUSE bug 1192557SUSE bug 1192559CVE-2021-28704 at SUSECVE-2021-28704 at NVDCVE-2021-28705 at SUSECVE-2021-28705 at NVDCVE-2021-28706 at SUSECVE-2021-28706 at NVDCVE-2021-28707 at SUSECVE-2021-28707 at NVDCVE-2021-28708 at SUSECVE-2021-28708 at NVDCVE-2021-28709 at SUSECVE-2021-28709 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for clamav (Moderate)SUSE OpenStack Cloud 8
This update for clamav fixes the following issues:
- CVE-2018-14679: Fixed off-by-one issue in embedded libmspack that could lead to denial of service (bsc#1103032).
- Update to 0.103.4 (bsc#1192346).
- Update to 0.103.3 (bsc#1188284).
ModerateSUSE bug 1103032SUSE bug 1188284SUSE bug 1192346CVE-2018-14679 at SUSECVE-2018-14679 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud 8
This update for webkit2gtk3 fixes the following issues:
- CVE-2021-30846: Fixed memory corruption issue that could lead to arbitrary code execution when processing maliciously crafted web content (bsc#1192063).
- CVE-2021-30851: Fixed memory corruption vulnerability that could lead to arbitrary code execution when processing maliciously crafted web content (bsc#1192063).
ImportantSUSE bug 1192063CVE-2021-30846 at SUSECVE-2021-30846 at NVDCVE-2021-30851 at SUSECVE-2021-30851 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud 8
The SUSE Linux Enterprise 12 SP3 LTSS kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- Unprivileged BPF has been disabled by default to reduce attack surface as too many security issues have happened in the past (jsc#SLE-22573)
You can reenable via systemctl setting /proc/sys/kernel/unprivileged_bpf_disabled to 0. (kernel.unprivileged_bpf_disabled = 0)
- CVE-2021-31916: An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel A bound check failure allowed an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability (bnc#1192781).
- CVE-2021-20322: Make the ipv4 and ipv6 ICMP exception caches less predictive to avoid information leaks about UDP ports in use. (bsc#1191790)
- CVE-2021-34981: Fixed file refcounting in cmtp when cmtp_attach_device fails (bsc#1191961).
- CVE-2020-12655: An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c. Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka CID-d0c7feaf8767 (bnc#1171217).
- CVE-2021-43389: There was an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c (bnc#1191958).
- CVE-2021-37159: hso_free_net_device in drivers/net/usb/hso.c called unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free (bnc#1188601).
- CVE-2021-34556: An unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects the possibility of uninitialized memory locations on the BPF stack (bnc#1188983).
- CVE-2021-35477: An unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store operation did not necessarily occur before a store operation that has an attacker-controlled value (bnc#1188985).
- CVE-2017-17862: kernel/bpf/verifier.c in the Linux kernel ignores unreachable code, even though it would still be processed by JIT compilers. This behavior, also considered an improper branch-pruning logic issue, could possibly be used by local users for denial of service (bnc#1073928).
- CVE-2017-17864: kernel/bpf/verifier.c in the Linux kernel mishandled states_equal comparisons between the pointer data type and the UNKNOWN_VALUE data type, which allowed local users to obtain potentially sensitive address information, aka a 'pointer leak (bnc#1073928).
- CVE-2021-20265: A flaw was found in the way memory resources were freed in the unix_stream_recvmsg function in the Linux kernel when a signal was pending. This flaw allowed an unprivileged local user to crash the system by exhausting available memory. The highest threat from this vulnerability is to system availability (bnc#1183089).
- CVE-2021-3772: Fixed sctp vtag check in sctp_sf_ootb (bsc#1190351).
- CVE-2021-3655: Missing size validations on inbound SCTP packets may have allowed the kernel to read uninitialized memory (bnc#1188563).
- CVE-2018-13405: The inode_init_owner function in fs/inode.c in the Linux kernel allowed local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID (bnc#1100416 bnc#1129735).
- CVE-2021-3760: Fixed a use-after-free vulnerability with the ndev->rf_conn_info object (bsc#1190067).
- CVE-2021-42739: The firewire subsystem in the Linux kernel has a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandled bounds checking (bnc#1184673).
- CVE-2021-3542: Fixed heap buffer overflow in firedtv driver (bsc#1186063).
- CVE-2021-33033: The Linux kernel has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value (bnc#1186109 bnc#1186390 bnc#1188876).
- CVE-2020-14305: An out-of-bounds memory write flaw was found in how the Linux kernel’s Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allowed an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability (bnc#1173346).
- CVE-2021-3715: Fixed a use-after-free in route4_change() in net/sched/cls_route.c (bsc#1190349).
- CVE-2021-3896: Fixed a array-index-out-bounds in detach_capi_ctr in drivers/isdn/capi/kcapi.c (bsc#1191958).
- CVE-2021-42008: The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access (bnc#1191315).
- CVE-2020-3702: Specifically timed and handcrafted traffic can cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic (bnc#1191193).
- CVE-2021-3752: Fixed a use after free vulnerability in the Linux kernel's bluetooth module. (bsc#1190023)
- CVE-2021-40490: A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel (bnc#1190159 bnc#1192775)
- CVE-2021-3640: Fixed a Use-After-Free vulnerability in function sco_sock_sendmsg() in the bluetooth stack (bsc#1188172).
- CVE-2021-38160: Data corruption or loss could be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190117)
- CVE-2021-3753: Fixed race out-of-bounds in virtual terminal handling (bsc#1190025).
- CVE-2021-3732: Mounting overlayfs inside an unprivileged user namespace can reveal files (bsc#1189706).
- CVE-2021-3653: A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the 'int_ctl' field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7 (bnc#1189399 bnc#1189420).
- CVE-2021-38198: arch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault (bnc#1189262 bnc#1189278).
- CVE-2021-38204: drivers/usb/host/max3421-hcd.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain situations (bnc#1189291).
- CVE-2021-3679: A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service (bnc#1189057).
- CVE-2018-16882: A use-after-free issue was found in the way the Linux kernel's KVM hypervisor processed posted interrupts when nested(=1) virtualization is enabled. In nested_get_vmcs12_pages(), in case of an error while processing posted interrupt address, it unmaps the 'pi_desc_page' without resetting 'pi_desc' descriptor address, which is later used in pi_test_and_clear_on(). A guest user/process could use this flaw to crash the host kernel resulting in DoS or potentially gain privileged access to a system. Kernel versions and are vulnerable (bnc#1119934).
- CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1176724).
- CVE-2020-4788: IBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors could allow a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances. IBM X-Force ID: 189296 (bnc#1177666 bnc#1181158).
- CVE-2021-3659: Fixed a NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (bsc#1188876).
- CVE-2021-37576: arch/powerpc/kvm/book3s_rtas.c in the Linux kernel on the powerpc platform allowed KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e (bnc#1188838).
The following non-security bugs were fixed:
- PCI: hv: Use expected affinity when unmasking IRQ (bsc#1185973).
- SUNRPC: improve error response to over-size gss credential (bsc#1190022).
- Update config files: Add CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
- blacklist.conf: Drop a line that was added by mistake
- bpf: Add kconfig knob for disabling unpriv bpf by default (jsc#SLE-22918)
- bpf: Disallow unprivileged bpf by default (jsc#SLE-22918).
- bpf: properly enforce index mask to prevent out-of-bounds speculation (bsc#1098425).
- config: disable unprivileged BPF by default (jsc#SLE-22918)
- cpufreq: intel_pstate: Add Icelake servers support in no-HWP mode (bsc#1185758,bsc#1192400).
- ftrace: Fix scripts/recordmcount.pl due to new binutils (bsc#1192267).
- hv: mana: adjust mana_select_queue to old API (jsc#SLE-18779, bsc#1185727).
- hv: mana: declare vzalloc (jsc#SLE-18779, bsc#1185726).
- hv: mana: fake bitmap API (jsc#SLE-18779, bsc#1185726).
- hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185727).
- kABI: protect struct bpf_map (kabi).
- mm: replace open coded page to virt conversion with page_to_virt() (jsc#SLE-18779, bsc#1185727).
- net/mlx4_en: Avoid scheduling restart task if it is already running (bsc#1181854 bsc#1181855).
- net/mlx4_en: Handle TX error CQE (bsc#1181854 bsc#1181855).
- net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185727).
- net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185727).
- net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185727).
- net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185727).
- net: mana: Fix error handling in mana_create_rxq() (git-fixes, bsc#1191801).
- net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185727).
- net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185727).
- net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185727).
- net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185727).
- net: sched: sch_teql: fix null-pointer dereference (bsc#1190717).
- s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant (bsc#1190601).
- s390/bpf: Fix branch shortening during codegen pass (bsc#1190601).
- s390/bpf: Fix optimizing out zero-extensions (bsc#1190601).
- s390/bpf: Wrap JIT macro parameter usages in parentheses (bsc#1190601).
- s390: bpf: implement jitting of BPF_ALU | BPF_ARSH | BPF_* (bsc#1190601).
- scsi: sg: add sg_remove_request in sg_write (bsc#1171420 CVE2020-12770).
- sctp: check asoc peer.asconf_capable before processing asconf (bsc#1190351).
- sctp: fully initialize v4 addr in some functions (bsc#1188563).
- sctp: simplify addr copy (bsc#1188563).
- x86/CPU: Add more Icelake model numbers (bsc#1185758,bsc#1192400).
- x86/tlb: Flush global mappings when KAISER is disabled (bsc#1190194).
ImportantSUSE bug 1073928SUSE bug 1098425SUSE bug 1100416SUSE bug 1119934SUSE bug 1129735SUSE bug 1171217SUSE bug 1171420SUSE bug 1173346SUSE bug 1176724SUSE bug 1177666SUSE bug 1181158SUSE bug 1181854SUSE bug 1181855SUSE bug 1183089SUSE bug 1184673SUSE bug 1185726SUSE bug 1185727SUSE bug 1185758SUSE bug 1185973SUSE bug 1186109SUSE bug 1186390SUSE bug 1188172SUSE bug 1188563SUSE bug 1188601SUSE bug 1188838SUSE bug 1188876SUSE bug 1188983SUSE bug 1188985SUSE bug 1189057SUSE bug 1189262SUSE bug 1189278SUSE bug 1189291SUSE bug 1189399SUSE bug 1189420SUSE bug 1189706SUSE bug 1190022SUSE bug 1190023SUSE bug 1190025SUSE bug 1190067SUSE bug 1190117SUSE bug 1190159SUSE bug 1190194SUSE bug 1190349SUSE bug 1190351SUSE bug 1190601SUSE bug 1190717SUSE bug 1191193SUSE bug 1191315SUSE bug 1191790SUSE bug 1191801SUSE bug 1191958SUSE bug 1191961SUSE bug 1192267SUSE bug 1192400SUSE bug 1192775SUSE bug 1192781CVE-2017-17862 at SUSECVE-2017-17862 at NVDCVE-2017-17864 at SUSECVE-2017-17864 at NVDCVE-2018-13405 at SUSECVE-2018-13405 at NVDCVE-2018-16882 at SUSECVE-2018-16882 at NVDCVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2020-12655 at SUSECVE-2020-12655 at NVDCVE-2020-14305 at SUSECVE-2020-14305 at NVDCVE-2020-3702 at SUSECVE-2020-3702 at NVDCVE-2020-4788 at SUSECVE-2020-4788 at NVDCVE-2021-20265 at SUSECVE-2021-20265 at NVDCVE-2021-20322 at SUSECVE-2021-20322 at NVDCVE-2021-31916 at SUSECVE-2021-31916 at NVDCVE-2021-33033 at SUSECVE-2021-33033 at NVDCVE-2021-34556 at SUSECVE-2021-34556 at NVDCVE-2021-34981 at SUSECVE-2021-34981 at NVDCVE-2021-3542 at SUSECVE-2021-3542 at NVDCVE-2021-35477 at SUSECVE-2021-35477 at NVDCVE-2021-3640 at SUSECVE-2021-3640 at NVDCVE-2021-3653 at SUSECVE-2021-3653 at NVDCVE-2021-3655 at SUSECVE-2021-3655 at NVDCVE-2021-3659 at SUSECVE-2021-3659 at NVDCVE-2021-3679 at SUSECVE-2021-3679 at NVDCVE-2021-3715 at SUSECVE-2021-3715 at NVDCVE-2021-37159 at SUSECVE-2021-37159 at NVDCVE-2021-3732 at SUSECVE-2021-3732 at NVDCVE-2021-3752 at SUSECVE-2021-3752 at NVDCVE-2021-3753 at SUSECVE-2021-3753 at NVDCVE-2021-37576 at SUSECVE-2021-37576 at NVDCVE-2021-3760 at SUSECVE-2021-3760 at NVDCVE-2021-3772 at SUSECVE-2021-3772 at NVDCVE-2021-38160 at SUSECVE-2021-38160 at NVDCVE-2021-38198 at SUSECVE-2021-38198 at NVDCVE-2021-38204 at SUSECVE-2021-38204 at NVDCVE-2021-3896 at SUSECVE-2021-3896 at NVDCVE-2021-40490 at SUSECVE-2021-40490 at NVDCVE-2021-42008 at SUSECVE-2021-42008 at NVDCVE-2021-42739 at SUSECVE-2021-42739 at NVDCVE-2021-43389 at SUSECVE-2021-43389 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for mozilla-nss (Important)SUSE OpenStack Cloud 8
This update for mozilla-nss fixes the following issues:
Update to version 3.68.1:
- CVE-2021-43527: Fixed a Heap overflow in NSS when verifying DER-encoded DSA or RSA-PSS signatures (bsc#1193170).
ImportantSUSE bug 1193170CVE-2021-43527 at SUSECVE-2021-43527 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openssh (Important)SUSE OpenStack Cloud 8
This update for openssh fixes the following issues:
- CVE-2021-41617: Fixed privilege escalation when AuthorizedKeysCommand/AuthorizedPrincipalsCommand are configured (bsc#1190975).
ImportantSUSE bug 1190975CVE-2021-41617 at SUSECVE-2021-41617 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
Update to Extended Support Release 91.4.0 (bsc#1193485):
- CVE-2021-43536: URL leakage when navigating while executing asynchronous function
- CVE-2021-43537: Heap buffer overflow when using structured clone
- CVE-2021-43538: Missing fullscreen and pointer lock notification when requesting both
- CVE-2021-43539: GC rooting failure when calling wasm instance methods
- CVE-2021-43541: External protocol handler parameters were unescaped
- CVE-2021-43542: XMLHttpRequest error codes could have leaked the existence of an external protocol handler
- CVE-2021-43543: Bypass of CSP sandbox directive when embedding
- CVE-2021-43545: Denial of Service when using the Location API in a loop
- CVE-2021-43546: Cursor spoofing could overlay user interface when native cursor is zoomed
- Memory safety bugs fixed in Firefox 95 and Firefox ESR 91.4
- Removed x-scheme-handler/ftp from MozillaFirefox.desktop (bsc#1193321)
ImportantSUSE bug 1193321SUSE bug 1193485CVE-2021-43536 at SUSECVE-2021-43536 at NVDCVE-2021-43537 at SUSECVE-2021-43537 at NVDCVE-2021-43538 at SUSECVE-2021-43538 at NVDCVE-2021-43539 at SUSECVE-2021-43539 at NVDCVE-2021-43541 at SUSECVE-2021-43541 at NVDCVE-2021-43542 at SUSECVE-2021-43542 at NVDCVE-2021-43543 at SUSECVE-2021-43543 at NVDCVE-2021-43545 at SUSECVE-2021-43545 at NVDCVE-2021-43546 at SUSECVE-2021-43546 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for glib-networking (Important)SUSE OpenStack Cloud 8
This update for glib-networking fixes the following issues:
- CVE-2020-13645: Fixed a connection failure when the server identity is unset (bsc#1172460).
ImportantSUSE bug 1172460CVE-2020-13645 at SUSECVE-2020-13645 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for xorg-x11-server (Important)SUSE OpenStack Cloud 8
This update for xorg-x11-server fixes the following issues:
- CVE-2021-4008: Fixed Privilege Escalation Vulnerability via Out-Of-Bounds Access in SProcRenderCompositeGlyphs (bsc#1193030).
ImportantSUSE bug 1193030CVE-2021-4008 at SUSECVE-2021-4008 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for storm (Critical)SUSE OpenStack Cloud 8
This update for storm fixes the following issues:
- Remove JndiLookup from log4j 2.x jars during build to prevent 'log4shell' code injection. (bsc#1193641, bsc#1193611, CVE-2021-44228)
- Remove JMSAppender from log4j 1.2.x jars during build to prevent attacks when JMS is enabled (bsc#1193641, bsc#1193662, CVE-2021-4104)
CriticalSUSE bug 1193611SUSE bug 1193641SUSE bug 1193662CVE-2021-4104 at SUSECVE-2021-4104 at NVDCVE-2021-44228 at SUSECVE-2021-44228 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for log4j (Important)SUSE OpenStack Cloud 8
This update for log4j fixes the following issue:
- CVE-2021-4104: Disable the JMSAppender class from log4j to protect against
the log4jshell vulnerability. [bsc#1193662]
ImportantSUSE bug 1193662CVE-2021-4104 at SUSECVE-2021-4104 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for xorg-x11-server (Important)SUSE OpenStack Cloud 8
This update for xorg-x11-server fixes the following issues:
- CVE-2021-4009: The handler for the CreatePointerBarrier request of the XFixes
extension does not properly validate the request length leading to out of
bounds memory write. (bsc#1190487)
- CVE-2021-4011: The handlers for the RecordCreateContext and RecordRegisterClients
requests of the Record extension do not properly validate the request
length leading to out of bounds memory write. (bsc#1190489)
ImportantSUSE bug 1190487SUSE bug 1190489CVE-2021-4009 at SUSECVE-2021-4009 at NVDCVE-2021-4011 at SUSECVE-2021-4011 at NVDcpe:/o:suse:suse-openstack-cloud:8Recommended update for samba (Important)SUSE OpenStack Cloud 8
This update for samba fixes the following issues:
The username map advice from the CVE-2020-25717 advisory
note has undesired side effects for the local nt token. Fallback
to a SID/UID based mapping if the name based lookup fails (bsc#1192849).
ImportantSUSE bug 1192849CVE-2020-25717 at SUSECVE-2020-25717 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for chrony (Moderate)SUSE OpenStack Cloud 8
This update for chrony fixes the following issues:
Chrony was updated to 4.1:
* Add support for NTS servers specified by IP address (matching
Subject Alternative Name in server certificate)
* Add source-specific configuration of trusted certificates
* Allow multiple files and directories with trusted certificates
* Allow multiple pairs of server keys and certificates
* Add copy option to server/pool directive
* Increase PPS lock limit to 40% of pulse interval
* Perform source selection immediately after loading dump files
* Reload dump files for addresses negotiated by NTS-KE server
* Update seccomp filter and add less restrictive level
* Restart ongoing name resolution on online command
* Fix dump files to not include uncorrected offset
* Fix initstepslew to accept time from own NTP clients
* Reset NTP address and port when no longer negotiated by NTS-KE
server
- Update clknetsim to snapshot f89702d.
- Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689).
- Enable syscallfilter unconditionally (bsc#1181826).
Chrony was updated to 4.0:
Enhancements
- Add support for Network Time Security (NTS) authentication
- Add support for AES-CMAC keys (AES128, AES256) with Nettle
- Add authselectmode directive to control selection of
unauthenticated sources
- Add binddevice, bindacqdevice, bindcmddevice directives
- Add confdir directive to better support fragmented
configuration
- Add sourcedir directive and 'reload sources' command to
support dynamic NTP sources specified in files
- Add clockprecision directive
- Add dscp directive to set Differentiated Services Code Point
(DSCP)
- Add -L option to limit log messages by severity
- Add -p option to print whole configuration with included
files
- Add -U option to allow start under non-root user
- Allow maxsamples to be set to 1 for faster update with -q/-Q
option
- Avoid replacing NTP sources with sources that have
unreachable address
- Improve pools to repeat name resolution to get 'maxsources'
sources
- Improve source selection with trusted sources
- Improve NTP loop test to prevent synchronisation to itself
- Repeat iburst when NTP source is switched from offline state
to online
- Update clock synchronisation status and leap status more
frequently
- Update seccomp filter
- Add 'add pool' command
- Add 'reset sources' command to drop all measurements
- Add authdata command to print details about NTP
authentication
- Add selectdata command to print details about source
selection
- Add -N option and sourcename command to print original names
of sources
- Add -a option to some commands to print also unresolved
sources
- Add -k, -p, -r options to clients command to select, limit,
reset data
- Bug fixes
- Don’t set interface for NTP responses to allow asymmetric
routing
- Handle RTCs that don’t support interrupts
- Respond to command requests with correct address on
multihomed hosts
- Removed features
- Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
- Drop support for long (non-standard) MACs in NTPv4 packets
(chrony 2.x clients using non-MD5/SHA1 keys need to use
option 'version 3')
- By default we don't write log files but log to journald, so
only recommend logrotate.
- Adjust and rename the sysconfig file, so that it matches the
expectations of chronyd.service (bsc#1173277).
Chrony was updated to 3.5.1:
* Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)
- Add chrony-pool-suse and chrony-pool-openSUSE subpackages that
preconfigure chrony to use NTP servers from the respective
pools for SUSE and openSUSE (bsc#1156884, SLE-11424).
- Add chrony-pool-empty to still allow installing chrony without
preconfigured servers.
- Use iburst in the default pool statements to speed up initial
synchronisation (bsc#1172113).
- Update clknetsim to version 79ffe44 (fixes bsc#1162964).
Update to 3.5:
+ Add support for more accurate reading of PHC on Linux 5.0
+ Add support for hardware timestamping on interfaces with read-only timestamping configuration
+ Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
+ Update seccomp filter to work on more architectures
+ Validate refclock driver options
+ Fix bindaddress directive on FreeBSD
+ Fix transposition of hardware RX timestamp on Linux 4.13 and later
+ Fix building on non-glibc systems
- Fix location of helper script in chrony-dnssrv@.service (bsc#1128846).
- Read runtime servers from /var/run/netconfig/chrony.servers (bsc#1099272)
- Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share.
- Remove discrepancies between spec file and chrony-tmpfiles (bsc#1115529)
Update to version 3.4
* Enhancements
+ Add filter option to server/pool/peer directive
+ Add minsamples and maxsamples options to hwtimestamp directive
+ Add support for faster frequency adjustments in Linux 4.19
+ Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd
without root privileges to remove it on exit
+ Disable sub-second polling intervals for distant NTP sources
+ Extend range of supported sub-second polling intervals
+ Get/set IPv4 destination/source address of NTP packets on FreeBSD
+ Make burst options and command useful with short polling intervals
+ Modify auto_offline option to activate when sending request failed
+ Respond from interface that received NTP request if possible
+ Add onoffline command to switch between online and offline state
according to current system network configuration
+ Improve example NetworkManager dispatcher script
* Bug fixes
+ Avoid waiting in Linux getrandom system call
+ Fix PPS support on FreeBSD and NetBSD
Update to version 3.3
* Enhancements:
+ Add burst option to server/pool directive
+ Add stratum and tai options to refclock directive
+ Add support for Nettle crypto library
+ Add workaround for missing kernel receive timestamps on Linux
+ Wait for late hardware transmit timestamps
+ Improve source selection with unreachable sources
+ Improve protection against replay attacks on symmetric mode
+ Allow PHC refclock to use socket in /var/run/chrony
+ Add shutdown command to stop chronyd
+ Simplify format of response to manual list command
+ Improve handling of unknown responses in chronyc
* Bug fixes:
+ Respond to NTPv1 client requests with zero mode
+ Fix -x option to not require CAP_SYS_TIME under non-root user
+ Fix acquisitionport directive to work with privilege separation
+ Fix handling of socket errors on Linux to avoid high CPU usage
+ Fix chronyc to not get stuck in infinite loop after clock step
- Added /etc/chrony.d/ directory to the package (bsc#1083597) Modifed default chrony.conf to add 'include /etc/chrony.d/*'
- Enable pps support
Upgraded to version 3.2:
Enhancements
* Improve stability with NTP sources and reference clocks
* Improve stability with hardware timestamping
* Improve support for NTP interleaved modes
* Control frequency of system clock on macOS 10.13 and later
* Set TAI-UTC offset of system clock with leapsectz directive
* Minimise data in client requests to improve privacy
* Allow transmit-only hardware timestamping
* Add support for new timestamping options introduced in Linux 4.13
* Add root delay, root dispersion and maximum error to tracking log
* Add mindelay and asymmetry options to server/peer/pool directive
* Add extpps option to PHC refclock to timestamp external PPS signal
* Add pps option to refclock directive to treat any refclock as PPS
* Add width option to refclock directive to filter wrong pulse edges
* Add rxfilter option to hwtimestamp directive
* Add -x option to disable control of system clock
* Add -l option to log to specified file instead of syslog
* Allow multiple command-line options to be specified together
* Allow starting without root privileges with -Q option
* Update seccomp filter for new glibc versions
* Dump history on exit by default with dumpdir directive
* Use hardening compiler options by default
Bug fixes
* Don't drop PHC samples with low-resolution system clock
* Ignore outliers in PHC tracking, RTC tracking, manual input
* Increase polling interval when peer is not responding
* Exit with error message when include directive fails
* Don't allow slash after hostname in allow/deny directive/command
* Try to connect to all addresses in chronyc before giving up
Upgraded to version 3.1:
- Enhancements
- Add support for precise cross timestamping of PHC on Linux
- Add minpoll, precision, nocrossts options to hwtimestamp directive
- Add rawmeasurements option to log directive and modify measurements
option to log only valid measurements from synchronised sources
- Allow sub-second polling interval with NTP sources
- Bug fixes
- Fix time smoothing in interleaved mode
Upgraded to version 3.0:
- Enhancements
- Add support for software and hardware timestamping on Linux
- Add support for client/server and symmetric interleaved modes
- Add support for MS-SNTP authentication in Samba
- Add support for truncated MACs in NTPv4 packets
- Estimate and correct for asymmetric network jitter
- Increase default minsamples and polltarget to improve stability with very low jitter
- Add maxjitter directive to limit source selection by jitter
- Add offset option to server/pool/peer directive
- Add maxlockage option to refclock directive
- Add -t option to chronyd to exit after specified time
- Add partial protection against replay attacks on symmetric mode
- Don't reset polling interval when switching sources to online state
- Allow rate limiting with very short intervals
- Improve maximum server throughput on Linux and NetBSD
- Remove dump files after start
- Add tab-completion to chronyc with libedit/readline
- Add ntpdata command to print details about NTP measurements
- Allow all source options to be set in add server/peer command
- Indicate truncated addresses/hostnames in chronyc output
- Print reference IDs as hexadecimal numbers to avoid confusion with IPv4 addresses
- Bug fixes
- Fix crash with disabled asynchronous name resolving
Upgraded to version 2.4.1:
- Bug fixes
- Fix processing of kernel timestamps on non-Linux systems
- Fix crash with smoothtime directive
- Fix validation of refclock sample times
- Fix parsing of refclock directive
update to 2.4:
- Enhancements
- Add orphan option to local directive for orphan mode
compatible with ntpd
- Add distance option to local directive to set activation
threshold (1 second by default)
- Add maxdrift directive to set maximum allowed drift of system
clock
- Try to replace NTP sources exceeding maximum distance
- Randomise source replacement to avoid getting stuck with bad
sources
- Randomise selection of sources from pools on start
- Ignore reference timestamp as ntpd doesn't always set it
correctly
- Modify tracking report to use same values as seen by NTP
clients
- Add -c option to chronyc to write reports in CSV format
- Provide detailed manual pages
- Bug fixes
- Fix SOCK refclock to work correctly when not specified as
last refclock
- Fix initstepslew and -q/-Q options to accept time from own
NTP clients
- Fix authentication with keys using 512-bit hash functions
- Fix crash on exit when multiple signals are received
- Fix conversion of very small floating-point numbers in
command packets
ModerateSUSE bug 1063704SUSE bug 1069468SUSE bug 1082318SUSE bug 1083597SUSE bug 1099272SUSE bug 1115529SUSE bug 1128846SUSE bug 1156884SUSE bug 1159840SUSE bug 1161119SUSE bug 1162964SUSE bug 1171806SUSE bug 1172113SUSE bug 1173277SUSE bug 1173760SUSE bug 1174075SUSE bug 1174911SUSE bug 1180689SUSE bug 1181826SUSE bug 1183783SUSE bug 1184400SUSE bug 1187906SUSE bug 1190926CVE-2020-14367 at SUSECVE-2020-14367 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ansible (Important)SUSE OpenStack Cloud 8
This update for ansible fixes the following issues:
Update to 2.9.27:
- CVE-2021-3620: ansible-connection module discloses sensitive info in traceback error message (bsc#1187725).
- CVE-2021-3583: Template Injection through yaml multi-line strings with ansible facts used in template (bsc#1188061).
- ansible module nmcli is broken in ansible 2.9.13 (bsc#1176460)
ImportantSUSE bug 1176460SUSE bug 1187725SUSE bug 1188061CVE-2021-3583 at SUSECVE-2021-3583 at NVDCVE-2021-3620 at SUSECVE-2021-3620 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for logstash (Important)SUSE OpenStack Cloud 8
This update for logstash fixes the following issues:
Fixed vulnerability related to log4j version 1.2.x
- CVE-2021-4104: Fixed remote code execution through the JMS API via the ldap JNDI parser (bsc#1193662)
ImportantSUSE bug 1193662CVE-2021-4104 at SUSECVE-2021-4104 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python (Important)SUSE OpenStack Cloud 8
This update for python fixes the following issues:
- buffer overflow in PyCArg_repr in _ctypes/callproc.c,
which may lead to remote code execution (bsc#1181126, CVE-2021-3177).
- Provide the newest setuptools wheel (bsc#1176262,
CVE-2019-20916) in their correct form (bsc#1180686).
ImportantSUSE bug 1176262SUSE bug 1180686SUSE bug 1181126CVE-2019-20916 at SUSECVE-2019-20916 at NVDCVE-2021-3177 at SUSECVE-2021-3177 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openvswitch (Important)SUSE OpenStack Cloud 8
This update for openvswitch fixes the following issues:
- CVE-2020-35498: Fixed a denial of service related to the handling of Ethernet padding (bsc#1181742).
ImportantSUSE bug 1181742CVE-2020-35498 at SUSECVE-2020-35498 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud 8
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).
- CVE-2020-25211: Fixed a buffer overflow in ctnetlink_parse_tuple_filter() which could be triggered by a local attackers by injecting conntrack netlink configuration (bnc#1176395).
- CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).
- CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).
- CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).
- CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).
- CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).
- CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).
- CVE-2020-4788: Fixed an issue with IBM Power9 processors could have allowed a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances (bsc#1177666).
- CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c which could have allowed local users to gain privileges or cause a denial of service (bsc#1179141).
- CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).
- CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).
- CVE-2020-27786: Fixed an out-of-bounds write in the MIDI implementation (bnc#1179601).
- CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).
- CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).
- CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).
- CVE-2020-28974: Fixed a slab-out-of-bounds read in fbcon which could have been used by local attackers to read privileged information or potentially crash the kernel (bsc#1178589).
- CVE-2020-28915: Fixed a buffer over-read in the fbcon code which could have been used by local attackers to read kernel memory (bsc#1178886).
- CVE-2020-25669: Fixed a use-after-free read in sunkbd_reinit() (bsc#1178182).
- CVE-2020-15437: Fixed a null pointer dereference which could have allowed local users to cause a denial of service(bsc#1179140).
- CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).
- CVE-2020-11668: Fixed the mishandling of invalid descriptors in the Xirlink camera USB driver (bnc#1168952).
- CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485).
- CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed (bsc#1179663).
- CVE-2018-10902: It was found that the raw midi kernel driver did not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation (bnc#1105322).
The following non-security bugs were fixed:
- cifs: do not revalidate mountpoint dentries (bsc#1177440).
- cifs: fix potential use-after-free in cifs_echo_request() (bsc#1139944).
- cifs: ignore revalidate failures in case of process gets signaled (bsc#1177440).
- epoll: Keep a reference on files added to the check list (bsc#1180031).
- fix regression in 'epoll: Keep a reference on files added to the check list' (bsc#1180031, git-fixes).
- futex: Avoid freeing an active timer (bsc#969755).
- futex: Avoid violating the 10th rule of futex (bsc#969755).
- futex: Change locking rules (bsc#969755).
- futex: Do not enable IRQs unconditionally in put_pi_state() (bsc#969755).
- futex: Drop hb->lock before enqueueing on the rtmutex (bsc#969755).
- futex: Fix incorrect should_fail_futex() handling (bsc#969755).
- futex: Fix more put_pi_state() vs. exit_pi_state_list() races (bsc#969755).
- futex: Fix OWNER_DEAD fixup (bsc#969755).
- futex: Fix pi_state->owner serialization (bsc#969755).
- futex: Fix small (and harmless looking) inconsistencies (bsc#969755).
- futex: Futex_unlock_pi() determinism (bsc#969755).
- futex: Handle early deadlock return correctly (bsc#969755).
- futex: Handle transient 'ownerless' rtmutex state correctly (bsc#969755).
- futex: Pull rt_mutex_futex_unlock() out from under hb->lock (bsc#969755).
- futex: Rework futex_lock_pi() to use rt_mutex_*_proxy_lock() (bsc#969755).
- futex: Rework inconsistent rt_mutex/futex_q state (bsc#969755).
- futex,rt_mutex: Fix rt_mutex_cleanup_proxy_lock() (bsc#969755).
- futex,rt_mutex: Introduce rt_mutex_init_waiter() (bsc#969755).
- futex,rt_mutex: Provide futex specific rt_mutex API (bsc#969755).
- futex,rt_mutex: Restructure rt_mutex_finish_proxy_lock() (bsc#969755).
- HID: Fix slab-out-of-bounds read in hid_field_extract (bsc#1180052).
- IB/hfi1: Clean up hfi1_user_exp_rcv_setup function (bsc#1179878).
- IB/hfi1: Clean up pin_vector_pages() function (bsc#1179878).
- IB/hfi1: Fix the bail out code in pin_vector_pages() function (bsc#1179878).
- IB/hfi1: Move structure definitions from user_exp_rcv.c to user_exp_rcv.h (bsc#1179878).
- IB/hfi1: Name function prototype parameters (bsc#1179878).
- IB/hfi1: Use filedata rather than filepointer (bsc#1179878).
- locking/futex: Allow low-level atomic operations to return -EAGAIN (bsc#969755).
- mm/userfaultfd: do not access vma->vm_mm after calling handle_userfault() (bsc#1179204).
- scsi: iscsi: Fix a potential deadlock in the timeout handler (bsc#1178272).
- Use r3 instead of r13 for l1d fallback flush in do_uaccess_fush (bsc#1181096 ltc#190883).
- video: hyperv_fb: include vmalloc.h (bsc#1175306).
ImportantSUSE bug 1105322SUSE bug 1105323SUSE bug 1139944SUSE bug 1168952SUSE bug 1173942SUSE bug 1175306SUSE bug 1176395SUSE bug 1176485SUSE bug 1177440SUSE bug 1177666SUSE bug 1178182SUSE bug 1178272SUSE bug 1178589SUSE bug 1178886SUSE bug 1179107SUSE bug 1179140SUSE bug 1179141SUSE bug 1179204SUSE bug 1179419SUSE bug 1179508SUSE bug 1179509SUSE bug 1179601SUSE bug 1179616SUSE bug 1179663SUSE bug 1179666SUSE bug 1179745SUSE bug 1179877SUSE bug 1179878SUSE bug 1179960SUSE bug 1179961SUSE bug 1180008SUSE bug 1180027SUSE bug 1180028SUSE bug 1180029SUSE bug 1180030SUSE bug 1180031SUSE bug 1180032SUSE bug 1180052SUSE bug 1180086SUSE bug 1180559SUSE bug 1180562SUSE bug 1180815SUSE bug 1181096SUSE bug 1181158SUSE bug 1181349SUSE bug 1181553SUSE bug 969755CVE-2018-10902 at SUSECVE-2018-10902 at NVDCVE-2019-20934 at SUSECVE-2019-20934 at NVDCVE-2020-0444 at SUSECVE-2020-0444 at NVDCVE-2020-0465 at SUSECVE-2020-0465 at NVDCVE-2020-0466 at SUSECVE-2020-0466 at NVDCVE-2020-11668 at SUSECVE-2020-11668 at NVDCVE-2020-15436 at SUSECVE-2020-15436 at NVDCVE-2020-15437 at SUSECVE-2020-15437 at NVDCVE-2020-25211 at SUSECVE-2020-25211 at NVDCVE-2020-25285 at SUSECVE-2020-25285 at NVDCVE-2020-25669 at SUSECVE-2020-25669 at NVDCVE-2020-27068 at SUSECVE-2020-27068 at NVDCVE-2020-27777 at SUSECVE-2020-27777 at NVDCVE-2020-27786 at SUSECVE-2020-27786 at NVDCVE-2020-27825 at SUSECVE-2020-27825 at NVDCVE-2020-27835 at SUSECVE-2020-27835 at NVDCVE-2020-28915 at SUSECVE-2020-28915 at NVDCVE-2020-28974 at SUSECVE-2020-28974 at NVDCVE-2020-29568 at SUSECVE-2020-29568 at NVDCVE-2020-29569 at SUSECVE-2020-29569 at NVDCVE-2020-29660 at SUSECVE-2020-29660 at NVDCVE-2020-29661 at SUSECVE-2020-29661 at NVDCVE-2020-36158 at SUSECVE-2020-36158 at NVDCVE-2020-4788 at SUSECVE-2020-4788 at NVDCVE-2021-3347 at SUSECVE-2021-3347 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for wpa_supplicant (Important)SUSE OpenStack Cloud 8
This update for wpa_supplicant fixes the following issues:
- CVE-2021-0326: P2P group information processing vulnerability (bsc#1181777).
- CVE-2019-16275: AP mode PMF disconnection protection bypass (bsc#1150934)
ImportantSUSE bug 1150934SUSE bug 1181777CVE-2019-16275 at SUSECVE-2019-16275 at NVDCVE-2021-0326 at SUSECVE-2021-0326 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for jasper (Important)SUSE OpenStack Cloud 8
This update for jasper fixes the following issues:
- bsc#1179748 CVE-2020-27828: Fix heap overflow by checking maxrlvls
- bsc#1181483 CVE-2021-3272: Fix buffer over-read in jp2_decode
ImportantSUSE bug 1179748SUSE bug 1181483CVE-2020-27828 at SUSECVE-2020-27828 at NVDCVE-2021-3272 at SUSECVE-2021-3272 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for screen (Important)SUSE OpenStack Cloud 8
This update for screen fixes the following issues:
- CVE-2021-26937: Fixed double width combining char handling that could lead to a denial of service or code execution (bsc#1182092).
ImportantSUSE bug 1182092CVE-2021-26937 at SUSECVE-2021-26937 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for bind (Important)SUSE OpenStack Cloud 8
This update for bind fixes the following issues:
- CVE-2020-8625: A vulnerability in BIND's GSSAPI security policy
negotiation can be targeted by a buffer overflow attack [bsc#1182246, CVE-2020-8625]
ImportantSUSE bug 1182246CVE-2020-8625 at SUSECVE-2020-8625 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_7_1-ibm (Important)SUSE OpenStack Cloud 8
This update for java-1_7_1-ibm fixes the following issues:
- Update to Java 7.1 Service Refresh 4 Fix Pack 80
[bsc#1182186, bsc#1181239, CVE-2020-27221, CVE-2020-14803]
* CVE-2020-27221: Potential for a stack-based buffer overflow
when the virtual machine or JNI natives are converting from
UTF-8 characters to platform encoding.
* CVE-2020-14803: Unauthenticated attacker with network access
via multiple protocols allows to compromise Java SE.
ImportantSUSE bug 1181239SUSE bug 1182186CVE-2020-14803 at SUSECVE-2020-14803 at NVDCVE-2020-27221 at SUSECVE-2020-27221 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-urllib3 (Moderate)SUSE OpenStack Cloud 8
This update for python-urllib3 fixes the following issues:
- CVE-2020-26116: Raise ValueError if method contains control characters and thus prevent CRLF injection into URLs (bsc#1177211).
ModerateSUSE bug 1177211CVE-2020-26116 at SUSECVE-2020-26116 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for krb5-appl (Important)SUSE OpenStack Cloud 8
This update for krb5-appl fixes the following issues:
- CVE-2019-25017: Check the filenames sent by the server match those requested by the client (bsc#1131109).
- CVE-2019-25018: Disallow empty incoming filename or ones that refer to the current directory (bsc#1131109).
ImportantSUSE bug 1131109CVE-2019-25017 at SUSECVE-2019-25017 at NVDCVE-2019-25018 at SUSECVE-2019-25018 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_8_0-openjdk (Moderate)SUSE OpenStack Cloud 8
This update for java-1_8_0-openjdk fixes the following issues:
- Update to version jdk8u282 (icedtea 3.18.0)
* January 2021 CPU (bsc#1181239)
* Security fixes
+ JDK-8247619: Improve Direct Buffering of Characters (CVE-2020-14803)
* Import of OpenJDK 8 u282 build 01
+ JDK-6962725: Regtest javax/swing/JFileChooser/6738668/
/bug6738668.java fails under Linux
+ JDK-8025936: Windows .pdb and .map files does not have proper
dependencies setup
+ JDK-8030350: Enable additional compiler warnings for GCC
+ JDK-8031423: Test java/awt/dnd/DisposeFrameOnDragCrash/
/DisposeFrameOnDragTest.java fails by Timeout on Windows
+ JDK-8036122: Fix warning 'format not a string literal'
+ JDK-8051853: new
URI('x/').resolve('..').getSchemeSpecificPart() returns null!
+ JDK-8132664: closed/javax/swing/DataTransfer/DefaultNoDrop/
/DefaultNoDrop.java locks on Windows
+ JDK-8134632: Mark javax/sound/midi/Devices/
/InitializationHang.java as headful
+ JDK-8148854: Class names 'SomeClass' and 'LSomeClass;'
treated by JVM as an equivalent
+ JDK-8148916: Mark bug6400879.java as intermittently failing
+ JDK-8148983: Fix extra comma in changes for JDK-8148916
+ JDK-8160438: javax/swing/plaf/nimbus/8057791/bug8057791.java
fails
+ JDK-8165808: Add release barriers when allocating objects
with concurrent collection
+ JDK-8185003: JMX: Add a version of
ThreadMXBean.dumpAllThreads with a maxDepth argument
+ JDK-8202076: test/jdk/java/io/File/WinSpecialFiles.java on
windows with VS2017
+ JDK-8207766: [testbug] Adapt tests for Aix.
+ JDK-8212070: Introduce diagnostic flag to abort VM on failed
JIT compilation
+ JDK-8213448: [TESTBUG] enhance jfr/jvm/TestDumpOnCrash
+ JDK-8215727: Restore JFR thread sampler loop to old /
previous behavior
+ JDK-8220657: JFR.dump does not work when filename is set
+ JDK-8221342: [TESTBUG] Generate Dockerfile for docker testing
+ JDK-8224502: [TESTBUG] JDK docker test TestSystemMetrics.java
fails with access issues and OOM
+ JDK-8231209: [REDO] ThreadMXBean::getThreadAllocatedBytes()
can be quicker for self thread
+ JDK-8231968: getCurrentThreadAllocatedBytes default
implementation s/b getThreadAllocatedBytes
+ JDK-8232114: JVM crashed at imjpapi.dll in native code
+ JDK-8234270: [REDO] JDK-8204128 NMT might report incorrect
numbers for Compiler area
+ JDK-8234339: replace JLI_StrTok in java_md_solinux.c
+ JDK-8238448: RSASSA-PSS signature verification fail when
using certain odd key sizes
+ JDK-8242335: Additional Tests for RSASSA-PSS
+ JDK-8244225: stringop-overflow warning on strncpy call from
compile_the_world_in
+ JDK-8245400: Upgrade to LittleCMS 2.11
+ JDK-8248214: Add paddings for TaskQueueSuper to reduce
false-sharing cache contention
+ JDK-8249176: Update GlobalSignR6CA test certificates
+ JDK-8250665: Wrong translation for the month name of May in
ar_JO,LB,SY
+ JDK-8250928: JFR: Improve hash algorithm for stack traces
+ JDK-8251469: Better cleanup for
test/jdk/javax/imageio/SetOutput.java
+ JDK-8251840: Java_sun_awt_X11_XToolkit_getDefaultScreenData
should not be in make/mapfiles/libawt_xawt/mapfile-vers
+ JDK-8252384: [TESTBUG] Some tests refer to COMPAT provider
rather than JRE
+ JDK-8252395: [8u] --with-native-debug-symbols=external
doesn't include debuginfo files for binaries
+ JDK-8252497: Incorrect numeric currency code for ROL
+ JDK-8252754: Hash code calculation of JfrStackTrace is
inconsistent
+ JDK-8252904: VM crashes when JFR is used and JFR event class
is transformed
+ JDK-8252975: [8u] JDK-8252395 breaks the build for
--with-native-debug-symbols=internal
+ JDK-8253284: Zero OrderAccess barrier mappings are incorrect
+ JDK-8253550: [8u] JDK-8252395 breaks the build for make
STRIP_POLICY=no_strip
+ JDK-8253752: test/sun/management/jmxremote/bootstrap/
/RmiBootstrapTest.java fails randomly
+ JDK-8254081: java/security/cert/PolicyNode/
/GetPolicyQualifiers.java fails due to an expired certificate
+ JDK-8254144: Non-x86 Zero builds fail with return-type
warning in os_linux_zero.cpp
+ JDK-8254166: Zero: return-type warning in
zeroInterpreter_zero.cpp
+ JDK-8254683: [TEST_BUG] jdk/test/sun/tools/jconsole/
/WorkerDeadlockTest.java fails
+ JDK-8255003: Build failures on Solaris
ModerateSUSE bug 1181239CVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for crowbar-core, crowbar-openstack, grafana, influxdb, openstack-heat-templates, openstack-nova, python-Jinja2 (Important)SUSE OpenStack Cloud 8
This update for crowbar-core, crowbar-openstack, grafana, influxdb, openstack-heat-templates, openstack-nova, python-Jinja2 fixes the following issues:
Security fixes included in this request:
grafana:
- CVE-2020-24303: Fixed an XXS with series overides. (bsc#1178243)
influxdb:
- CVE-2019-20933: Fixed an authentication bypass. (bsc#1178988)
python-Jinja2:
- CVE-2019-10906, CVE-2019-8341, CVE-2016-10745: 'SandboxedEnvironment' securely handles
'str.format_map' in order to prevent code execution through untrusted format strings.
(bsc#1132323, bsc#1125815, bsc#1132174)
Non-security fixes included in this request:
Changes in crowbar-core.SUSE_SLE-12-SP3_Update_Products_Cloud8:
- Update to version 5.0+git.1606840757.839a64745:
* ntp: Do not use rate-limiting (bsc#1179161)
Changes in crowbar-openstack.SUSE_SLE-12-SP3_Update_Products_Cloud8:
- Update to version 5.0+git.1604938523.ded915845:
* rabbitmq: Fix crm running check (SOC-11240)
Changes in grafana.SUSE_SLE-12-SP3_Update_Products_Cloud8_Update:
- Fix bsc#1178243 CVE-2020-24303 by adding
25401-Fix-XSS-vulnerability-with-series-overrides.patch
Changes in influxdb.SUSE_SLE-12-SP3_Update_Products_Cloud8:
- Add CVE-2019-20933.patch (bsc#1178988, CVE-2019-20933) to
fix authentication bypass
- Declare license files correctly
Changes in openstack-heat-templates.SUSE_SLE-12-SP3_Update_Products_Cloud8_Update:
- Update to version 0.0.0+git.1605509190.64f020b:
* Fix software config on rdo
* optimize size and time using --no-cache-dir
* add template for servers using Octavia
- Update to version 0.0.0+git.1604032742.c5733ee:
* Move heat-templates-check job to zuul v3
Changes in openstack-nova-doc.SUSE_SLE-12-SP3_Update_Products_Cloud8_Update:
- Update to version nova-16.1.9.dev77:
* Follow up for cherry-pick check for merge patch
Changes in openstack-nova.SUSE_SLE-12-SP3_Update_Products_Cloud8_Update:
- Update to version nova-16.1.9.dev77:
* Follow up for cherry-pick check for merge patch
Changes in python-Jinja2.SUSE_SLE-12-SP3_Update_Products_Cloud8_Update:
- add 0001-sandbox-str.format_map.patch (bsc#1132323, CVE-2019-10906, bsc#1125815, CVE-2019-8341)
* 'SandboxedEnvironment' securely handles 'str.format_map' in order
to prevent code execution through untrusted format strings. The
sandbox already handled 'str.format'.
- add 0001-SECURITY-support-sandboxing-in-format-expressions.patch (bsc#1132174, CVE-2016-10745)
- Allows Recommends and Suggest in Fedora
- Recommends only for SUSE
Changes in rubygem-crowbar-client:
- Update to 3.9.3
- Enable restricted commands for Cloud 7 (bsc#1117080, CVE-2018-17954)
ImportantSUSE bug 1117080SUSE bug 1125815SUSE bug 1132174SUSE bug 1132323SUSE bug 1178243SUSE bug 1178988SUSE bug 1179161CVE-2016-10745 at SUSECVE-2016-10745 at NVDCVE-2018-17954 at SUSECVE-2018-17954 at NVDCVE-2019-10906 at SUSECVE-2019-10906 at NVDCVE-2019-20933 at SUSECVE-2019-20933 at NVDCVE-2019-8341 at SUSECVE-2019-8341 at NVDCVE-2020-24303 at SUSECVE-2020-24303 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-Jinja2 (Important)SUSE OpenStack Cloud 8
This update for python-Jinja2 fixes the following issues:
- CVE-2020-28493: Improve the speed of the 'urlize' filter by reducing regex
backtracking. Email matching requires a word character at the start of the
domain part, and only word characters in the TLD. (bsc#1181944)
ImportantSUSE bug 1181944CVE-2020-28493 at SUSECVE-2020-28493 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_8_0-ibm (Important)SUSE OpenStack Cloud 8
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 6 Fix Pack 25
[bsc#1182186, bsc#1181239, CVE-2020-27221, CVE-2020-14803]
* CVE-2020-27221: Potential for a stack-based buffer overflow
when the virtual machine or JNI natives are converting from
UTF-8 characters to platform encoding.
* CVE-2020-14803: Unauthenticated attacker with network access
via multiple protocols allows to compromise Java SE.
ImportantSUSE bug 1181239SUSE bug 1182186CVE-2020-14803 at SUSECVE-2020-14803 at NVDCVE-2020-27221 at SUSECVE-2020-27221 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for perl-XML-Twig (Moderate)SUSE OpenStack Cloud 8
This update for perl-XML-Twig fixes the following issues:
- Security fix [bsc#1008644, CVE-2016-9180]
* Added: the no_xxe option to XML::Twig::new, which causes the
parse to fail if external entities are used (to prevent
malicious XML to access the filesystem).
* Setting expand_external_ents to 0 or -1 currently doesn't work
as expected; To completely turn off expanding external entities
use no_xxe.
* Update documentation for XML::Twig to mention problems with
expand_external_ents and add information about new no_xxe argument
ModerateSUSE bug 1008644CVE-2016-9180 at SUSECVE-2016-9180 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.8.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-08 (bsc#1182614)
* CVE-2021-23969: Content Security Policy violation report could have contained the destination of a redirect
* CVE-2021-23968: Content Security Policy violation report could have contained the destination of a redirect
* CVE-2021-23973: MediaError message property could have leaked information about cross-origin resources
* CVE-2021-23978: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8
ImportantSUSE bug 1182357SUSE bug 1182614CVE-2021-23968 at SUSECVE-2021-23968 at NVDCVE-2021-23969 at SUSECVE-2021-23969 at NVDCVE-2021-23973 at SUSECVE-2021-23973 at NVDCVE-2021-23978 at SUSECVE-2021-23978 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-cryptography (Important)SUSE OpenStack Cloud 8
This update for python-cryptography fixes the following issues:
- CVE-2020-36242: Using the Fernet class to symmetrically encrypt multi gigabyte
values could result in an integer overflow and buffer overflow (bsc#1182066).
ImportantSUSE bug 1182066CVE-2020-36242 at SUSECVE-2020-36242 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-cryptography (Important)SUSE OpenStack Cloud 8
This update for python-cryptography fixes the following issues:
- CVE-2020-36242: Using the Fernet class to symmetrically encrypt multi gigabyte
values could result in an integer overflow and buffer overflow (bsc#1182066).
ImportantSUSE bug 1182066CVE-2020-36242 at SUSECVE-2020-36242 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for grub2 (Important)SUSE OpenStack Cloud 8
This update for grub2 fixes the following issues:
grub2 now implements the new 'SBAT' method for SHIM based secure boot revocation. (bsc#1182057)
Following security issues are fixed that can violate secure boot constraints:
- CVE-2020-25632: Fixed a use-after-free in rmmod command (bsc#1176711)
- CVE-2020-25647: Fixed an out-of-bound write in grub_usb_device_initialize() (bsc#1177883)
- CVE-2020-27749: Fixed a stack buffer overflow in grub_parser_split_cmdline (bsc#1179264)
- CVE-2020-27779, CVE-2020-14372: Disallow cutmem and acpi commands in secure boot mode (bsc#1179265 bsc#1175970)
- CVE-2021-20225: Fixed a heap out-of-bounds write in short form option parser (bsc#1182262)
- CVE-2021-20233: Fixed a heap out-of-bound write due to mis-calculation of space required for quoting (bsc#1182263)
ImportantSUSE bug 1175970SUSE bug 1176711SUSE bug 1177883SUSE bug 1179264SUSE bug 1179265SUSE bug 1182057SUSE bug 1182262SUSE bug 1182263CVE-2020-14372 at SUSECVE-2020-14372 at NVDCVE-2020-25632 at SUSECVE-2020-25632 at NVDCVE-2020-25647 at SUSECVE-2020-25647 at NVDCVE-2020-27749 at SUSECVE-2020-27749 at NVDCVE-2020-27779 at SUSECVE-2020-27779 at NVDCVE-2021-20225 at SUSECVE-2021-20225 at NVDCVE-2021-20233 at SUSECVE-2021-20233 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openldap2 (Important)SUSE OpenStack Cloud 8
This update for openldap2 fixes the following issues:
- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the
X.509 DN parsing in decode.c ber_next_element, resulting in denial
of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN
parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash
in the Certificate List Exact Assertion processing, resulting in
denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the
cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the
saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash
in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd
crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the
saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact
Assertion processing, resulting in denial of service (schema_init.c
serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter
control handling, resulting in denial of service (double free and
out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur
in the issuerAndThisUpdateCheck function via a crafted packet,
resulting in a denial of service (daemon exit) via a short timestamp.
This is related to schema_init.c and checkTime.
ImportantSUSE bug 1182279SUSE bug 1182408SUSE bug 1182411SUSE bug 1182412SUSE bug 1182413SUSE bug 1182415SUSE bug 1182416SUSE bug 1182417SUSE bug 1182418SUSE bug 1182419SUSE bug 1182420CVE-2020-36221 at SUSECVE-2020-36221 at NVDCVE-2020-36222 at SUSECVE-2020-36222 at NVDCVE-2020-36223 at SUSECVE-2020-36223 at NVDCVE-2020-36224 at SUSECVE-2020-36224 at NVDCVE-2020-36225 at SUSECVE-2020-36225 at NVDCVE-2020-36226 at SUSECVE-2020-36226 at NVDCVE-2020-36227 at SUSECVE-2020-36227 at NVDCVE-2020-36228 at SUSECVE-2020-36228 at NVDCVE-2020-36229 at SUSECVE-2020-36229 at NVDCVE-2020-36230 at SUSECVE-2020-36230 at NVDCVE-2021-27212 at SUSECVE-2021-27212 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud 8
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1181843).
- CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753).
- CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747).
- CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI target code which could have been used
by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#178372).
The following non-security bugs were fixed:
- cifs: report error instead of invalid when revalidating a dentry fails (bsc#1177440).
- xen/netback: fix spurious event detection for common event case (bsc#1182175).
ImportantSUSE bug 1177440SUSE bug 1178372SUSE bug 1181747SUSE bug 1181753SUSE bug 1181843SUSE bug 1182175CVE-2020-28374 at SUSECVE-2020-28374 at NVDCVE-2021-26930 at SUSECVE-2021-26930 at NVDCVE-2021-26931 at SUSECVE-2021-26931 at NVDCVE-2021-26932 at SUSECVE-2021-26932 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for wpa_supplicant (Important)SUSE OpenStack Cloud 8
This update for wpa_supplicant fixes the following issues:
- CVE-2021-27803: P2P provision discovery processing vulnerability (bsc#1182805)
ImportantSUSE bug 1182805CVE-2021-27803 at SUSECVE-2021-27803 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for git (Important)SUSE OpenStack Cloud 8
This update for git fixes the following issues:
- On case-insensitive filesystems, with support for symbolic links,
if Git is configured globally to apply delay-capable clean/smudge
filters (such as Git LFS), Git could be fooled into running
remote code during a clone. (bsc#1183026, CVE-2021-21300)
ImportantSUSE bug 1183026CVE-2021-21300 at SUSECVE-2021-21300 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python (Moderate)SUSE OpenStack Cloud 8
This update for python fixes the following issues:
- python27 was upgraded to 2.7.18
- CVE-2021-23336: Fixed a potential web cache poisoning by using a semicolon in query parameters use of semicolon as a query string separator (bsc#1182379).
ModerateSUSE bug 1182379CVE-2019-18348 at SUSECVE-2019-18348 at NVDCVE-2021-23336 at SUSECVE-2021-23336 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.6.1 ESR
* Fixed: Critical security issue MFSA 2021-01 (bsc#1180623)
* CVE-2020-16044
Use-after-free write when handling a malicious COOKIE-ECHO SCTP chunk
ImportantSUSE bug 1180623CVE-2020-16044 at SUSECVE-2020-16044 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for glib2 (Important)SUSE OpenStack Cloud 8
This update for glib2 fixes the following issues:
- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362)
ImportantSUSE bug 1182328SUSE bug 1182362CVE-2021-27218 at SUSECVE-2021-27218 at NVDCVE-2021-27219 at SUSECVE-2021-27219 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for wavpack (Important)SUSE OpenStack Cloud 8
This update for wavpack fixes the following issues:
- CVE-2020-35738: Fixed an out-of-bounds write in WavpackPackSamples (bsc#1180414).
ImportantSUSE bug 1180414CVE-2020-35738 at SUSECVE-2020-35738 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for nghttp2 (Important)SUSE OpenStack Cloud 8
This update for nghttp2 fixes the following issues:
Security issues fixed:
- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358).
- CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184).
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#1146182).
- CVE-2018-1000168: Fixed ALTSVC frame client side denial of service (bsc#1088639).
- CVE-2016-1544: Fixed out of memory due to unlimited incoming HTTP header fields (bsc#966514).
Bug fixes and enhancements:
- Packages must not mark license files as %doc (bsc#1082318)
- Typo in description of libnghttp2_asio1 (bsc#962914)
- Fixed mistake in spec file (bsc#1125689)
- Fixed build issue with boost 1.70.0 (bsc#1134616)
- Fixed build issue with GCC 6 (bsc#964140)
- Feature: Add W&S module (FATE#326776, bsc#1112438)
ImportantSUSE bug 1082318SUSE bug 1088639SUSE bug 1112438SUSE bug 1125689SUSE bug 1134616SUSE bug 1146182SUSE bug 1146184SUSE bug 1181358SUSE bug 962914SUSE bug 964140SUSE bug 966514CVE-2016-1544 at SUSECVE-2016-1544 at NVDCVE-2018-1000168 at SUSECVE-2018-1000168 at NVDCVE-2019-9511 at SUSECVE-2019-9511 at NVDCVE-2019-9513 at SUSECVE-2019-9513 at NVDCVE-2020-11080 at SUSECVE-2020-11080 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openssl (Moderate)SUSE OpenStack Cloud 8
This update for openssl fixes the following issues:
- CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)
ModerateSUSE bug 1182331SUSE bug 1182333CVE-2021-23840 at SUSECVE-2021-23840 at NVDCVE-2021-23841 at SUSECVE-2021-23841 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openstack-dashboard, release-notes-suse-openstack-cloud (Important)SUSE OpenStack Cloud 8
This update for openstack-dashboard, release-notes-suse-openstack-cloud fixes the following issues:
- Fix open redirect (OSSA-2020-008, CVE-2020-29565)
- Fix horizon-nodejs jobs.
- Add workaround for secure boot issue when shim package is updated. (bsc#1179955)
ImportantSUSE bug 1179955CVE-2020-29565 at SUSECVE-2020-29565 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
- Firefox was updated to 78.9.0 ESR (MFSA 2021-11, bsc#1183942)
* CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read
* CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage
* CVE-2021-23984: Malicious extensions could have spoofed popup information
* CVE-2021-23987: Memory safety bugs
ImportantSUSE bug 1183942CVE-2021-23981 at SUSECVE-2021-23981 at NVDCVE-2021-23982 at SUSECVE-2021-23982 at NVDCVE-2021-23984 at SUSECVE-2021-23984 at NVDCVE-2021-23987 at SUSECVE-2021-23987 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-Django (Important)SUSE OpenStack Cloud 8
This update for python-Django fixes the following issues:
- CVE-2021-45115: Fixed denial-of-service possibility in UserAttributeSimilarityValidator (bsc#1194115).
- CVE-2021-45116: Fixed potential information disclosure in dictsort template filter (bsc#1194117).
- CVE-2021-45452: Fixed potential directory-traversal via Storage.save() (bsc#1194116).
ImportantSUSE bug 1194115SUSE bug 1194116SUSE bug 1194117CVE-2021-45115 at SUSECVE-2021-45115 at NVDCVE-2021-45116 at SUSECVE-2021-45116 at NVDCVE-2021-45452 at SUSECVE-2021-45452 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openvpn (Important)SUSE OpenStack Cloud 8
This update for openvpn fixes the following issues:
- CVE-2022-0547: Fixed possible authentication bypass in external authentication plug-in (bsc#1197341).
ImportantSUSE bug 1197341CVE-2022-0547 at SUSECVE-2022-0547 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_7_1-ibm (Important)SUSE OpenStack Cloud 8
This update for java-1_7_1-ibm fixes the following issues:
Update Java 7.1 to Service Refresh 7 Fix Pack 5 (bsc#1197126).
Including fixes for the following vulnerabilities:
CVE-2022-21366, CVE-2022-21365, CVE-2022-21360, CVE-2022-21349,
CVE-2022-21341, CVE-2022-21340, CVE-2022-21305, CVE-2022-21277,
CVE-2022-21299, CVE-2022-21296, CVE-2022-21282, CVE-2022-21294,
CVE-2022-21293, CVE-2022-21291, CVE-2022-21283, CVE-2022-21248,
CVE-2022-21271.
ImportantSUSE bug 1194925SUSE bug 1194926SUSE bug 1194927SUSE bug 1194928SUSE bug 1194929SUSE bug 1194930SUSE bug 1194931SUSE bug 1194932SUSE bug 1194933SUSE bug 1194934SUSE bug 1194935SUSE bug 1194937SUSE bug 1194939SUSE bug 1194940SUSE bug 1194941SUSE bug 1196500SUSE bug 1197126CVE-2022-21248 at SUSECVE-2022-21248 at NVDCVE-2022-21271 at SUSECVE-2022-21271 at NVDCVE-2022-21277 at SUSECVE-2022-21277 at NVDCVE-2022-21282 at SUSECVE-2022-21282 at NVDCVE-2022-21283 at SUSECVE-2022-21283 at NVDCVE-2022-21291 at SUSECVE-2022-21291 at NVDCVE-2022-21293 at SUSECVE-2022-21293 at NVDCVE-2022-21294 at SUSECVE-2022-21294 at NVDCVE-2022-21296 at SUSECVE-2022-21296 at NVDCVE-2022-21299 at SUSECVE-2022-21299 at NVDCVE-2022-21305 at SUSECVE-2022-21305 at NVDCVE-2022-21340 at SUSECVE-2022-21340 at NVDCVE-2022-21341 at SUSECVE-2022-21341 at NVDCVE-2022-21349 at SUSECVE-2022-21349 at NVDCVE-2022-21360 at SUSECVE-2022-21360 at NVDCVE-2022-21365 at SUSECVE-2022-21365 at NVDCVE-2022-21366 at SUSECVE-2022-21366 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_8_0-ibm (Important)SUSE OpenStack Cloud 8
This update for java-1_8_0-ibm fixes the following issues:
Update Java 8.0 to Service Refresh 7 Fix Pack 5 (bsc#1197126).
Including fixes for the following vulnerabilities:
CVE-2022-21366, CVE-2022-21365, CVE-2022-21360, CVE-2022-21349,
CVE-2022-21341, CVE-2022-21340, CVE-2022-21305, CVE-2022-21277,
CVE-2022-21299, CVE-2022-21296, CVE-2022-21282, CVE-2022-21294,
CVE-2022-21293, CVE-2022-21291, CVE-2022-21283, CVE-2022-21248,
CVE-2022-21271.
Non-securtiy fix:
- Fixed a broken symlink for javaws (bsc#1195146).
ImportantSUSE bug 1194925SUSE bug 1194926SUSE bug 1194927SUSE bug 1194928SUSE bug 1194929SUSE bug 1194930SUSE bug 1194931SUSE bug 1194932SUSE bug 1194933SUSE bug 1194934SUSE bug 1194935SUSE bug 1194937SUSE bug 1194939SUSE bug 1194940SUSE bug 1194941SUSE bug 1195146SUSE bug 1196500SUSE bug 1197126CVE-2022-21248 at SUSECVE-2022-21248 at NVDCVE-2022-21271 at SUSECVE-2022-21271 at NVDCVE-2022-21277 at SUSECVE-2022-21277 at NVDCVE-2022-21282 at SUSECVE-2022-21282 at NVDCVE-2022-21283 at SUSECVE-2022-21283 at NVDCVE-2022-21291 at SUSECVE-2022-21291 at NVDCVE-2022-21293 at SUSECVE-2022-21293 at NVDCVE-2022-21294 at SUSECVE-2022-21294 at NVDCVE-2022-21296 at SUSECVE-2022-21296 at NVDCVE-2022-21299 at SUSECVE-2022-21299 at NVDCVE-2022-21305 at SUSECVE-2022-21305 at NVDCVE-2022-21340 at SUSECVE-2022-21340 at NVDCVE-2022-21341 at SUSECVE-2022-21341 at NVDCVE-2022-21349 at SUSECVE-2022-21349 at NVDCVE-2022-21360 at SUSECVE-2022-21360 at NVDCVE-2022-21365 at SUSECVE-2022-21365 at NVDCVE-2022-21366 at SUSECVE-2022-21366 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for zlib (Important)SUSE OpenStack Cloud 8
This update for zlib fixes the following issues:
- CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).
ImportantSUSE bug 1197459CVE-2018-25032 at SUSECVE-2018-25032 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_8_0-ibm (Important)SUSE OpenStack Cloud 8
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 7 Fix Pack 0
- CVE-2021-41035: before version 0.29.0, the openj9 JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods. (bsc#1194198, bsc#1192052)
- CVE-2021-35586: Excessive memory allocation in BMPImageReader. (bsc#1191914)
- CVE-2021-35564: Certificates with end dates too far in the future can corrupt keystore. (bsc#1191913)
- CVE-2021-35559: Excessive memory allocation in RTFReader. (bsc#1191911)
- CVE-2021-35556: Excessive memory allocation in RTFParser. (bsc#1191910)
- CVE-2021-35565: Loop in HttpsServer triggered during TLS session close. (bsc#1191909)
- CVE-2021-35588: Incomplete validation of inner class references in ClassFileParser. (bsc#1191905)
- CVE-2021-2341: Fixed a flaw inside the FtpClient. (bsc#1188564)
- CVE-2021-2369: JAR file handling problem containing multiple MANIFEST.MF files. (bsc#1188565)
- CVE-2021-2163: Incomplete enforcement of JAR signing disabled algorithms. (bsc#1185055)
- CVE-2021-35560: Fixed a vulnerability in the component Deployment. (bsc#1191902)
- CVE-2021-35578: Fixed unexpected exception raised during TLS handshake. (bsc#1191904)
ImportantSUSE bug 1185055SUSE bug 1188564SUSE bug 1188565SUSE bug 1191902SUSE bug 1191904SUSE bug 1191905SUSE bug 1191909SUSE bug 1191910SUSE bug 1191911SUSE bug 1191913SUSE bug 1191914SUSE bug 1192052SUSE bug 1194198SUSE bug 1194232CVE-2021-2163 at SUSECVE-2021-2163 at NVDCVE-2021-2341 at SUSECVE-2021-2341 at NVDCVE-2021-2369 at SUSECVE-2021-2369 at NVDCVE-2021-35556 at SUSECVE-2021-35556 at NVDCVE-2021-35559 at SUSECVE-2021-35559 at NVDCVE-2021-35560 at SUSECVE-2021-35560 at NVDCVE-2021-35564 at SUSECVE-2021-35564 at NVDCVE-2021-35565 at SUSECVE-2021-35565 at NVDCVE-2021-35578 at SUSECVE-2021-35578 at NVDCVE-2021-35586 at SUSECVE-2021-35586 at NVDCVE-2021-35588 at SUSECVE-2021-35588 at NVDCVE-2021-41035 at SUSECVE-2021-41035 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for mozilla-nss (Important)SUSE OpenStack Cloud 8
This update for mozilla-nss fixes the following issues:
Mozilla NSS 3.68.3 (bsc#1197903):
- CVE-2022-1097: Fixed memory safety violations that could occur when PKCS#11
tokens are removed while in use.
ImportantSUSE bug 1197903CVE-2022-1097 at SUSECVE-2022-1097 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.8.0 ESR (bsc#1197903):
MFSA 2022-14 (bsc#1197903)
* CVE-2022-1097: Fixed memory safety violations that could occur when PKCS#11 tokens are removed while in use
* CVE-2022-28281: Fixed an out of bounds write due to unexpected WebAuthN Extensions
* CVE-2022-1196: Fixed a use-after-free after VR Process destruction
* CVE-2022-28282: Fixed a use-after-free in DocumentL10n::TranslateDocument
* CVE-2022-28285: Fixed incorrect AliasSet used in JIT Codegen
* CVE-2022-28286: Fixed that iframe contents could be rendered outside the border
* CVE-2022-24713: Fixed a denial of service via complex regular expressions
* CVE-2022-28289: Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8
ImportantSUSE bug 1197903CVE-2022-1097 at SUSECVE-2022-1097 at NVDCVE-2022-1196 at SUSECVE-2022-1196 at NVDCVE-2022-24713 at SUSECVE-2022-24713 at NVDCVE-2022-28281 at SUSECVE-2022-28281 at NVDCVE-2022-28282 at SUSECVE-2022-28282 at NVDCVE-2022-28285 at SUSECVE-2022-28285 at NVDCVE-2022-28286 at SUSECVE-2022-28286 at NVDCVE-2022-28289 at SUSECVE-2022-28289 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for glibc (Important)SUSE OpenStack Cloud 8
This update for glibc fixes the following issues:
- CVE-2020-1752: Fix use-after-free in glob when expanding ~user (bsc#1167631)
ImportantSUSE bug 1167631CVE-2020-1752 at SUSECVE-2020-1752 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openjpeg2 (Important)SUSE OpenStack Cloud 8
This update for openjpeg2 fixes the following issues:
- CVE-2016-1924: Fixed heap buffer overflow (bsc#980504).
- CVE-2016-3183: Fixed out-of-bounds read in sycc422_to_rgb function (bsc#971617).
- CVE-2016-4797: Fixed heap buffer overflow (bsc#980504).
- CVE-2018-14423: Fixed division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_next_cprl,and pi_next_rpcl in lib/openjp3d/pi.c (bsc#1102016).
- CVE-2018-16375: Fixed missing checks for header_info.height and header_info.width in the function pnmtoimage in bin/jpwl/convert.c (bsc#1106882).
- CVE-2018-16376: Fixed heap-based buffer overflow function t2_encode_packet in lib/openmj2/t2.c (bsc#1106881).
- CVE-2018-20845: Fixed division-by-zero in the functions pi_next_pcrl, pi_next_cprl, and pi_next_rpcl in openmj2/pi.c (bsc#1140130).
- CVE-2018-20846: Fixed out-of-bounds accesses in pi_next_lrcp, pi_next_rlcp, pi_next_rpcl, pi_next_pcrl, pi_next_rpcl, and pi_next_cprl in openmj2/pi.c (bsc#1140205).
- CVE-2020-8112: Fixed heap-based buffer overflow in opj_t1_clbl_decode_processor in openjp2/t1.c (bsc#1162090).
- CVE-2020-15389: Fixed use-after-free if t a mix of valid and invalid files in a directory operated on by the decompressor (bsc#1173578).
- CVE-2020-27823: Fixed heap buffer over-write in opj_tcd_dc_level_shift_encode() (bsc#1180457).
- CVE-2021-29338: Fixed integer overflow that allows remote attackers to crash the application (bsc#1184774).
- CVE-2022-1122: Fixed segmentation fault in opj2_decompress due to uninitialized pointer (bsc#1197738).
ImportantSUSE bug 1102016SUSE bug 1106881SUSE bug 1106882SUSE bug 1140130SUSE bug 1140205SUSE bug 1162090SUSE bug 1173578SUSE bug 1180457SUSE bug 1184774SUSE bug 1197738SUSE bug 971617SUSE bug 980504CVE-2016-1924 at SUSECVE-2016-1924 at NVDCVE-2016-3183 at SUSECVE-2016-3183 at NVDCVE-2016-4797 at SUSECVE-2016-4797 at NVDCVE-2018-14423 at SUSECVE-2018-14423 at NVDCVE-2018-16375 at SUSECVE-2018-16375 at NVDCVE-2018-16376 at SUSECVE-2018-16376 at NVDCVE-2018-20845 at SUSECVE-2018-20845 at NVDCVE-2018-20846 at SUSECVE-2018-20846 at NVDCVE-2020-15389 at SUSECVE-2020-15389 at NVDCVE-2020-27823 at SUSECVE-2020-27823 at NVDCVE-2020-8112 at SUSECVE-2020-8112 at NVDCVE-2021-29338 at SUSECVE-2021-29338 at NVDCVE-2022-1122 at SUSECVE-2022-1122 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for mysql-connector-java (Moderate)SUSE OpenStack Cloud 8
This update for mysql-connector-java fixes the following issues:
- CVE-2021-2471: Fixed unauthorized access to critical data or complete access to all MySQL Connectors (bsc#1195557).
ModerateSUSE bug 1195557CVE-2021-2471 at SUSECVE-2021-2471 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
- CVE-2021-4140: Fixed iframe sandbox bypass with XSLT (bsc#1194547).
- CVE-2022-22737: Fixed race condition when playing audio files (bsc#1194547).
- CVE-2022-22738: Fixed heap-buffer-overflow in blendGaussianBlur (bsc#1194547).
- CVE-2022-22739: Fixed missing throttling on external protocol launch dialog (bsc#1194547).
- CVE-2022-22740: Fixed use-after-free of ChannelEventQueue::mOwner (bsc#1194547).
- CVE-2022-22741: Fixed browser window spoof using fullscreen mode (bsc#1194547).
- CVE-2022-22742: Fixed out-of-bounds memory access when inserting text in edit mode (bsc#1194547).
- CVE-2022-22743: Fixed browser window spoof using fullscreen mode (bsc#1194547).
- CVE-2022-22744: Fixed possible command injection via the 'Copy as curl' feature in DevTools (bsc#1194547).
- CVE-2022-22745: Fixed leaking cross-origin URLs through securitypolicyviolation event (bsc#1194547).
- CVE-2022-22746: Fixed calling into reportValidity could have lead to fullscreen window spoof (bsc#1194547).
- CVE-2022-22747: Fixed crash when handling empty pkcs7 sequence(bsc#1194547).
- CVE-2022-22748: Fixed spoofed origin on external protocol launch dialog (bsc#1194547).
- CVE-2022-22751: Fixed memory safety bugs (bsc#1194547).
ImportantSUSE bug 1194547CVE-2021-4140 at SUSECVE-2021-4140 at NVDCVE-2022-22737 at SUSECVE-2022-22737 at NVDCVE-2022-22738 at SUSECVE-2022-22738 at NVDCVE-2022-22739 at SUSECVE-2022-22739 at NVDCVE-2022-22740 at SUSECVE-2022-22740 at NVDCVE-2022-22741 at SUSECVE-2022-22741 at NVDCVE-2022-22742 at SUSECVE-2022-22742 at NVDCVE-2022-22743 at SUSECVE-2022-22743 at NVDCVE-2022-22744 at SUSECVE-2022-22744 at NVDCVE-2022-22745 at SUSECVE-2022-22745 at NVDCVE-2022-22746 at SUSECVE-2022-22746 at NVDCVE-2022-22747 at SUSECVE-2022-22747 at NVDCVE-2022-22748 at SUSECVE-2022-22748 at NVDCVE-2022-22751 at SUSECVE-2022-22751 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for xz (Important)SUSE OpenStack Cloud 8
This update for xz fixes the following issues:
- CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)
ImportantSUSE bug 1198062CVE-2022-1271 at SUSECVE-2022-1271 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libexif (Important)SUSE OpenStack Cloud 8
This update for libexif fixes the following issues:
- CVE-2020-0181: Fixed an integer overflow that could lead to denial of service
(bsc#1172802).
- CVE-2020-0198: Fixed and unsigned integer overflow that could lead to denial
of service (bsc#1172768).
- CVE-2020-0452: Fixed a buffer overflow check that could be optimized away
by the compiler (bsc#1178479).
ImportantSUSE bug 1172768SUSE bug 1172802SUSE bug 1178479CVE-2020-0181 at SUSECVE-2020-0181 at NVDCVE-2020-0198 at SUSECVE-2020-0198 at NVDCVE-2020-0452 at SUSECVE-2020-0452 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openstack-monasca-agent, spark, spark-kit, zookeeper (Important)SUSE OpenStack Cloud 8
This update for openstack-monasca-agent, spark, spark-kit, zookeeper fixes the following issues:
- CVE-2021-4104: Remove JMSAppender from log4j jars (bsc#1193662)
ImportantSUSE bug 1193662CVE-2021-4104 at SUSECVE-2021-4104 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud 8
The SUSE Linux Enterprise 12 SP3 kernel was updated.
The following security bugs were fixed:
- CVE-2022-1016: Fixed a vulnerability in the nf_tables component of the netfilter subsystem. This vulnerability gives an attacker a powerful primitive that can be used to both read from and write to relative stack data, which can lead to arbitrary code execution. (bsc#1197227)
- CVE-2022-1048: Fixed a race Condition in snd_pcm_hw_free leading to use-after-free due to the AB/BA lock with buffer_mutex and mmap_lock. (bsc#1197331)
- CVE-2022-0850: Fixed a kernel information leak vulnerability in iov_iter.c. (bsc#1196761)
- CVE-2021-45868: Fixed a wrong validation check in fs/quota/quota_tree.c which could lead to an use-after-free if there is a corrupted quota file. (bnc#1197366)
- CVE-2022-26966: Fixed an issue in drivers/net/usb/sr9700.c, which allowed attackers to obtain sensitive information from the memory via crafted frame lengths from a USB device. (bsc#1196836)
- CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042: Fixed multiple issues which could have lead to read/write access to memory pages or denial of service. These issues are related to the Xen PV device frontend drivers. (bsc#1196488)
- CVE-2022-26490: Fixed a buffer overflow in the st21nfca driver. An attacker with adjacent NFC access could crash the system or corrupt the system memory. (bsc#1196830)
The following non-security bugs were fixed:
- ax88179_178a: Merge memcpy + le32_to_cpus to get_unaligned_le32 (bsc#1196018).
- clocksource: Initialize cs->wd_list (git-fixes)
- llc: fix netdevice reference leaks in llc_ui_bind() (git-fixes).
- net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup (bsc#1196018).
- net: usb: ax88179_178a: fix packet alignment padding (bsc#1196018).
- sched/autogroup: Fix possible Spectre-v1 indexing for (git-fixes)
- sr9700: sanity check for packet length (bsc#1196836).
- usb: host: xen-hcd: add missing unlock in error path (git-fixes).
- xen/usb: do not use gnttab_end_foreign_access() in xenhcd_gnttab_done() (bsc#1196488, XSA-396).
ImportantSUSE bug 1189562SUSE bug 1196018SUSE bug 1196488SUSE bug 1196761SUSE bug 1196830SUSE bug 1196836SUSE bug 1197227SUSE bug 1197331SUSE bug 1197366CVE-2021-45868 at SUSECVE-2021-45868 at NVDCVE-2022-0850 at SUSECVE-2022-0850 at NVDCVE-2022-1016 at SUSECVE-2022-1016 at NVDCVE-2022-1048 at SUSECVE-2022-1048 at NVDCVE-2022-23036 at SUSECVE-2022-23036 at NVDCVE-2022-23037 at SUSECVE-2022-23037 at NVDCVE-2022-23038 at SUSECVE-2022-23038 at NVDCVE-2022-23039 at SUSECVE-2022-23039 at NVDCVE-2022-23040 at SUSECVE-2022-23040 at NVDCVE-2022-23041 at SUSECVE-2022-23041 at NVDCVE-2022-23042 at SUSECVE-2022-23042 at NVDCVE-2022-26490 at SUSECVE-2022-26490 at NVDCVE-2022-26966 at SUSECVE-2022-26966 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for gzip (Important)SUSE OpenStack Cloud 8
This update for gzip fixes the following issues:
- CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)
ImportantSUSE bug 1198062CVE-2022-1271 at SUSECVE-2022-1271 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for dnsmasq (Important)SUSE OpenStack Cloud 8
This update for dnsmasq fixes the following issues:
- CVE-2021-3448: Fixed a potential DNS cache poisoning issue due to a constant
outgoing port being used when for certain use cases of the --server option
(bsc#1183709).
- CVE-2022-0934: Fixed an invalid memory access that could lead to remote denial
of service via crafted packet (bsc#1197872).
ImportantSUSE bug 1183709SUSE bug 1197872CVE-2021-3448 at SUSECVE-2021-3448 at NVDCVE-2022-0934 at SUSECVE-2022-0934 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for git (Important)SUSE OpenStack Cloud 8
This update for git fixes the following issues:
- CVE-2022-24765: Fixed a potential command injection via git worktree (bsc#1198234).
ImportantSUSE bug 1198234CVE-2022-24765 at SUSECVE-2022-24765 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libxml2 (Important)SUSE OpenStack Cloud 8
This update for libxml2 fixes the following issues:
- CVE-2022-23308: Fixed use-after-free of ID and IDREF attributes. (bsc#1196490)
ImportantSUSE bug 1196490CVE-2022-23308 at SUSECVE-2022-23308 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for SDL (Important)SUSE OpenStack Cloud 8
This update for SDL fixes the following issues:
- CVE-2020-14409: Fixed an integer overflow (and resultant SDL_memcpy heap corruption) in SDL_BlitCopy in video/SDL_blit_copy.c. (bsc#1181202)
- CVE-2020-14410: Fixed a heap-based buffer over-read in Blit_3or4_to_3or4__inversed_rgb in video/SDL_blit_N.c. (bsc#1181201)
- CVE-2021-33657: Fixed a Heap overflow problem in video/SDL_pixels.c. (bsc#1198001)
ImportantSUSE bug 1181201SUSE bug 1181202SUSE bug 1198001CVE-2020-14409 at SUSECVE-2020-14409 at NVDCVE-2020-14410 at SUSECVE-2020-14410 at NVDCVE-2021-33657 at SUSECVE-2021-33657 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for xen (Important)SUSE OpenStack Cloud 8
This update for xen fixes the following issues:
- CVE-2022-26356: Fixed potential race conditions in dirty memory tracking that
could cause a denial of service in the host (bsc#1197423).
- CVE-2022-26357: Fixed a potential race condition in memory cleanup for hosts
using VT-d IOMMU hardware, which could lead to a denial of service in the host
(bsc#1197425).
- CVE-2022-26358,CVE-2022-26359,CVE-2022-26360,CVE-2022-26361: Fixed various memory
corruption issues for hosts using VT-d or AMD-Vi IOMMU hardware. These could be
leveraged by an attacker to cause a denial of service in the host (bsc#1197426).
- CVE-2022-0001, CVE-2022-0002, CVE-2021-26401: Added BHB speculation issue
mitigations (bsc#1196915).
ImportantSUSE bug 1196915SUSE bug 1197423SUSE bug 1197425SUSE bug 1197426CVE-2021-26401 at SUSECVE-2021-26401 at NVDCVE-2022-0001 at SUSECVE-2022-0001 at NVDCVE-2022-0002 at SUSECVE-2022-0002 at NVDCVE-2022-26356 at SUSECVE-2022-26356 at NVDCVE-2022-26357 at SUSECVE-2022-26357 at NVDCVE-2022-26358 at SUSECVE-2022-26358 at NVDCVE-2022-26359 at SUSECVE-2022-26359 at NVDCVE-2022-26360 at SUSECVE-2022-26360 at NVDCVE-2022-26361 at SUSECVE-2022-26361 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud 8
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.34.3 (bsc#1194019).
- CVE-2021-30887: Fixed logic issue allowing unexpectedly unenforced Content Security Policy when processing maliciously crafted web content.
- CVE-2021-30890: Fixed logic issue allowing universal cross site scripting when processing maliciously crafted web content.
ImportantSUSE bug 1194019CVE-2018-8518 at SUSECVE-2018-8518 at NVDCVE-2018-8523 at SUSECVE-2018-8523 at NVDCVE-2019-8551 at SUSECVE-2019-8551 at NVDCVE-2019-8558 at SUSECVE-2019-8558 at NVDCVE-2019-8559 at SUSECVE-2019-8559 at NVDCVE-2019-8563 at SUSECVE-2019-8563 at NVDCVE-2019-8674 at SUSECVE-2019-8674 at NVDCVE-2019-8681 at SUSECVE-2019-8681 at NVDCVE-2019-8684 at SUSECVE-2019-8684 at NVDCVE-2019-8687 at SUSECVE-2019-8687 at NVDCVE-2019-8688 at SUSECVE-2019-8688 at NVDCVE-2019-8689 at SUSECVE-2019-8689 at NVDCVE-2019-8690 at SUSECVE-2019-8690 at NVDCVE-2019-8707 at SUSECVE-2019-8707 at NVDCVE-2019-8719 at SUSECVE-2019-8719 at NVDCVE-2019-8726 at SUSECVE-2019-8726 at NVDCVE-2019-8733 at SUSECVE-2019-8733 at NVDCVE-2019-8763 at SUSECVE-2019-8763 at NVDCVE-2019-8765 at SUSECVE-2019-8765 at NVDCVE-2019-8766 at SUSECVE-2019-8766 at NVDCVE-2019-8768 at SUSECVE-2019-8768 at NVDCVE-2019-8782 at SUSECVE-2019-8782 at NVDCVE-2019-8808 at SUSECVE-2019-8808 at NVDCVE-2019-8815 at SUSECVE-2019-8815 at NVDCVE-2019-8821 at SUSECVE-2019-8821 at NVDCVE-2019-8822 at SUSECVE-2019-8822 at NVDCVE-2020-10018 at SUSECVE-2020-10018 at NVDCVE-2020-13753 at SUSECVE-2020-13753 at NVDCVE-2020-27918 at SUSECVE-2020-27918 at NVDCVE-2020-29623 at SUSECVE-2020-29623 at NVDCVE-2020-3885 at SUSECVE-2020-3885 at NVDCVE-2020-3894 at SUSECVE-2020-3894 at NVDCVE-2020-3895 at SUSECVE-2020-3895 at NVDCVE-2020-3897 at SUSECVE-2020-3897 at NVDCVE-2020-3900 at SUSECVE-2020-3900 at NVDCVE-2020-3901 at SUSECVE-2020-3901 at NVDCVE-2020-3902 at SUSECVE-2020-3902 at NVDCVE-2020-9802 at SUSECVE-2020-9802 at NVDCVE-2020-9803 at SUSECVE-2020-9803 at NVDCVE-2020-9805 at SUSECVE-2020-9805 at NVDCVE-2020-9947 at SUSECVE-2020-9947 at NVDCVE-2020-9948 at SUSECVE-2020-9948 at NVDCVE-2020-9951 at SUSECVE-2020-9951 at NVDCVE-2020-9952 at SUSECVE-2020-9952 at NVDCVE-2021-1765 at SUSECVE-2021-1765 at NVDCVE-2021-1788 at SUSECVE-2021-1788 at NVDCVE-2021-1817 at SUSECVE-2021-1817 at NVDCVE-2021-1820 at SUSECVE-2021-1820 at NVDCVE-2021-1825 at SUSECVE-2021-1825 at NVDCVE-2021-1826 at SUSECVE-2021-1826 at NVDCVE-2021-1844 at SUSECVE-2021-1844 at NVDCVE-2021-1871 at SUSECVE-2021-1871 at NVDCVE-2021-30661 at SUSECVE-2021-30661 at NVDCVE-2021-30666 at SUSECVE-2021-30666 at NVDCVE-2021-30682 at SUSECVE-2021-30682 at NVDCVE-2021-30761 at SUSECVE-2021-30761 at NVDCVE-2021-30762 at SUSECVE-2021-30762 at NVDCVE-2021-30809 at SUSECVE-2021-30809 at NVDCVE-2021-30818 at SUSECVE-2021-30818 at NVDCVE-2021-30823 at SUSECVE-2021-30823 at NVDCVE-2021-30836 at SUSECVE-2021-30836 at NVDCVE-2021-30846 at SUSECVE-2021-30846 at NVDCVE-2021-30848 at SUSECVE-2021-30848 at NVDCVE-2021-30849 at SUSECVE-2021-30849 at NVDCVE-2021-30851 at SUSECVE-2021-30851 at NVDCVE-2021-30858 at SUSECVE-2021-30858 at NVDCVE-2021-30884 at SUSECVE-2021-30884 at NVDCVE-2021-30887 at SUSECVE-2021-30887 at NVDCVE-2021-30888 at SUSECVE-2021-30888 at NVDCVE-2021-30889 at SUSECVE-2021-30889 at NVDCVE-2021-30890 at SUSECVE-2021-30890 at NVDCVE-2021-30897 at SUSECVE-2021-30897 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for cifs-utils (Important)SUSE OpenStack Cloud 8
This update for cifs-utils fixes the following issues:
- CVE-2022-27239: Fixed a buffer overflow in the command line ip option (bsc#1197216).
ImportantSUSE bug 1197216CVE-2022-27239 at SUSECVE-2022-27239 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for aide (Important)SUSE OpenStack Cloud 8
This update for aide fixes the following issues:
- CVE-2021-45417: Fix a bufferoverflow in base64 functions (bsc#1194735)
ImportantSUSE bug 1194735CVE-2021-45417 at SUSECVE-2021-45417 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-Twisted (Moderate)SUSE OpenStack Cloud 8
This update for python-Twisted fixes the following issues:
- CVE-2022-24801: Fixed to not be as lenient as earlier HTTP/1.1 RFCs to prevent HTTP
request smuggling. (bsc#1198086)
ModerateSUSE bug 1198086CVE-2022-24801 at SUSECVE-2022-24801 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
This update contains the Firefox Extended Support Release 91.1.0 ESR.
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-40 (bsc#1190269, bsc#1190274):
* CVE-2021-38492: Navigating to `mk:` URL scheme could load Internet Explorer
* CVE-2021-38495: Memory safety bugs fixed in Firefox 92 and Firefox ESR 91.1
Firefox 91.0.1esr ESR
* Fixed: Fixed an issue causing buttons on the tab bar to be
resized when loading certain websites (bug 1704404)
* Fixed: Fixed an issue which caused tabs from private windows
to be visible in non-private windows when viewing switch-to-
tab results in the address bar panel (bug 1720369)
* Fixed: Various stability fixes
* Fixed: Security fix MFSA 2021-37 (bsc#1189547)
* CVE-2021-29991 (bmo#1724896)
Header Splitting possible with HTTP/3 Responses
Firefox Extended Support Release 91.0 ESR
* New: Some of the highlights of the new Extended Support Release are:
- A number of user interface changes. For more information,
see the Firefox 89 release notes.
- Firefox now supports logging into Microsoft, work, and
school accounts using Windows single sign-on. Learn more
- On Windows, updates can now be applied in the background
while Firefox is not running.
- Firefox for Windows now offers a new page about:third-party
to help identify compatibility issues caused by third-party
applications
- Version 2 of Firefox's SmartBlock feature further improves
private browsing. Third party Facebook scripts are blocked to
prevent you from being tracked, but are now automatically
loaded 'just in time' if you decide to 'Log in with Facebook'
on any website.
- Enhanced the privacy of the Firefox Browser's Private
Browsing mode with Total Cookie Protection, which confines
cookies to the site where they were created, preventing
companis from using cookies to track your browsing across
sites. This feature was originally launched in Firefox's ETP
Strict mode.
- PDF forms now support JavaScript embedded in PDF files.
Some PDF forms use JavaScript for validation and other
interactive features.
- You'll encounter less website breakage in Private Browsing
and Strict Enhanced Tracking Protection with SmartBlock,
which provides stand-in scripts so that websites load
properly.
- Improved Print functionality with a cleaner design and
better integration with your computer's printer settings.
- Firefox now protects you from supercookies, a type of
tracker that can stay hidden in your browser and track you
online, even after you clear cookies. By isolating
supercookies, Firefox prevents them from tracking your web
browsing from one site to the next.
- Firefox now remembers your preferred location for saved
bookmarks, displays the bookmarks toolbar by default on new
tabs, and gives you easy access to all of your bookmarks via
a toolbar folder.
- Native support for macOS devices built with Apple Silicon
CPUs brings dramatic performance improvements over the non-
native build that was shipped in Firefox 83: Firefox launches
over 2.5 times faster and web apps are now twice as
responsive (per the SpeedoMeter 2.0 test). If you are on a
new Apple device, follow these steps to upgrade to the latest
Firefox.
- Pinch zooming will now be supported for our users with
Windows touchscreen devices and touchpads on Mac devices.
Firefox users may now use pinch to zoom on touch-capable
devices to zoom in and out of webpages.
- We’ve improved functionality and design for a number of
Firefox search features:
* Selecting a search engine at the bottom of the search
panel now enters search mode for that engine, allowing you to
see suggestions (if available) for your search terms. The old
behavior (immediately performing a search) is available with
a shift-click.
* When Firefox autocompletes the URL of one of your search
engines, you can now search with that engine directly in the
address bar by selecting the shortcut in the address bar
results.
* We’ve added buttons at the bottom of the search panel to
allow you to search your bookmarks, open tabs, and history.
- Firefox supports AcroForm, which will allow you to fill in,
print, and save supported PDF forms and the PDF viewer also
has a new fresh look.
- For our users in the US and Canada, Firefox can now save,
manage, and auto-fill credit card information for you, making
shopping on Firefox ever more convenient.
- In addition to our default, dark and light themes, with
this release, Firefox introduces the Alpenglow theme: a
colorful appearance for buttons, menus, and windows. You can
update your Firefox themes under settings or preferences.
* Changed: Firefox no longer supports Adobe Flash. There is no
setting available to re-enable Flash support.
* Enterprise: Various bug fixes and new policies have been
implemented in the latest version of Firefox. See more
details in the Firefox for Enterprise 91 Release Notes.
MFSA 2021-33 (bsc#1188891):
* CVE-2021-29986: Race condition when resolving DNS names could have led to
memory corruption
* CVE-2021-29981: Live range splitting could have led to conflicting
assignments in the JIT
* CVE-2021-29988: Memory corruption as a result of incorrect style treatment
* CVE-2021-29983: Firefox for Android could get stuck in fullscreen mode
* CVE-2021-29984: Incorrect instruction reordering during JIT optimization
* CVE-2021-29980: Uninitialized memory in a canvas object could have led to
memory corruption
* CVE-2021-29987: Users could have been tricked into accepting unwanted
permissions on Linux
* CVE-2021-29985: Use-after-free media channels
* CVE-2021-29982: Single bit data leak due to incorrect JIT optimization and
type confusion
* CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
* CVE-2021-29990: Memory safety bugs fixed in Firefox 91
ImportantSUSE bug 1188891SUSE bug 1189547SUSE bug 1190269SUSE bug 1190274CVE-2021-29980 at SUSECVE-2021-29980 at NVDCVE-2021-29981 at SUSECVE-2021-29981 at NVDCVE-2021-29982 at SUSECVE-2021-29982 at NVDCVE-2021-29983 at SUSECVE-2021-29983 at NVDCVE-2021-29984 at SUSECVE-2021-29984 at NVDCVE-2021-29985 at SUSECVE-2021-29985 at NVDCVE-2021-29986 at SUSECVE-2021-29986 at NVDCVE-2021-29987 at SUSECVE-2021-29987 at NVDCVE-2021-29988 at SUSECVE-2021-29988 at NVDCVE-2021-29989 at SUSECVE-2021-29989 at NVDCVE-2021-29990 at SUSECVE-2021-29990 at NVDCVE-2021-29991 at SUSECVE-2021-29991 at NVDCVE-2021-38492 at SUSECVE-2021-38492 at NVDCVE-2021-38495 at SUSECVE-2021-38495 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for zsh (Important)SUSE OpenStack Cloud 8
This update for zsh fixes the following issues:
- CVE-2018-0502: Fixed execve call vulnerability to program named on the second line when the beginning of a #! script file was mishandled. (bsc#1107296, bsc#1107294)
- CVE-2018-13259: Fixed execve call vulnerability to program name that is a substring of the intended one. (bsc#1107296, bsc#1107294)
ImportantSUSE bug 1107294SUSE bug 1107296CVE-2018-0502 at SUSECVE-2018-0502 at NVDCVE-2018-13259 at SUSECVE-2018-13259 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for bind (Moderate)SUSE OpenStack Cloud 8
This update for bind fixes the following issues:
- CVE-2021-25220: Fixed potentially incorrect answers by cached forwarders (bsc#1197135).
ModerateSUSE bug 1197135CVE-2021-25220 at SUSECVE-2021-25220 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for e2fsprogs (Important)SUSE OpenStack Cloud 8
This update for e2fsprogs fixes the following issues:
- CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault
and possibly arbitrary code execution. (bsc#1198446)
ImportantSUSE bug 1198446CVE-2022-1304 at SUSECVE-2022-1304 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for documentation-suse-openstack-cloud, kibana, openstack-keystone, openstack-monasca-notification (Important)SUSE OpenStack Cloud 8
This update for documentation-suse-openstack-cloud, kibana, openstack-keystone, openstack-monasca-notification fixes the following issues:
- CVE-2021-22141: Fixed URL redirection flaw (bsc#1186868).
- CVE-2021-38155: Fixed information disclosure during account locking (bsc#1189390).
The following non-security bugs were fixed:
- Fix smtp server authentication (bsc#1197204)
ImportantSUSE bug 1186868SUSE bug 1189390SUSE bug 1197204CVE-2021-22141 at SUSECVE-2021-22141 at NVDCVE-2021-38155 at SUSECVE-2021-38155 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_7_1-ibm (Moderate)SUSE OpenStack Cloud 8
This update for java-1_7_1-ibm fixes the following issues:
- Update to Java 7.1 Service Refresh 5 Fix Pack 0
- CVE-2021-41035: before version 0.29.0, the openj9 JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods. (bsc#1194198, bsc#1192052)
- CVE-2021-35586: Excessive memory allocation in BMPImageReader. (bsc#1191914)
- CVE-2021-35564: Certificates with end dates too far in the future can corrupt keystore. (bsc#1191913)
- CVE-2021-35559: Excessive memory allocation in RTFReader. (bsc#1191911)
- CVE-2021-35556: Excessive memory allocation in RTFParser. (bsc#1191910)
- CVE-2021-35565: Loop in HttpsServer triggered during TLS session close. (bsc#1191909)
- CVE-2021-35588: Incomplete validation of inner class references in ClassFileParser. (bsc#1191905)
- CVE-2021-2341: Fixed a flaw inside the FtpClient. (bsc#1188564)
- CVE-2021-2369: JAR file handling problem containing multiple MANIFEST.MF files. (bsc#1188565)
- CVE-2021-2432: Fixed a vulnerability in the omponent JNDI. (bsc#1188568)
- CVE-2021-2163: Incomplete enforcement of JAR signing disabled algorithms. (bsc#1185055)
ModerateSUSE bug 1185055SUSE bug 1188564SUSE bug 1188565SUSE bug 1188568SUSE bug 1191905SUSE bug 1191909SUSE bug 1191910SUSE bug 1191911SUSE bug 1191913SUSE bug 1191914SUSE bug 1192052SUSE bug 1194198SUSE bug 1194232CVE-2021-2163 at SUSECVE-2021-2163 at NVDCVE-2021-2341 at SUSECVE-2021-2341 at NVDCVE-2021-2369 at SUSECVE-2021-2369 at NVDCVE-2021-2432 at SUSECVE-2021-2432 at NVDCVE-2021-35556 at SUSECVE-2021-35556 at NVDCVE-2021-35559 at SUSECVE-2021-35559 at NVDCVE-2021-35564 at SUSECVE-2021-35564 at NVDCVE-2021-35565 at SUSECVE-2021-35565 at NVDCVE-2021-35586 at SUSECVE-2021-35586 at NVDCVE-2021-35588 at SUSECVE-2021-35588 at NVDCVE-2021-41035 at SUSECVE-2021-41035 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openldap2 (Important)SUSE OpenStack Cloud 8
This update for openldap2 fixes the following issues:
- CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).
- Fixed issue with SASL init that crashed slapd at startup under certain conditions (bsc#1198383).
ImportantSUSE bug 1198383SUSE bug 1199240CVE-2022-29155 at SUSECVE-2022-29155 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for gzip (Important)SUSE OpenStack Cloud 8
This update for gzip fixes the following issues:
- CVE-2022-1271: Add hardening for zgrep. (bsc#1198062)
ImportantCVE-2022-1271 at SUSECVE-2022-1271 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud 8
This update for webkit2gtk3 fixes the following issues:
Update to version 2.36.0 (bsc#1198290):
- CVE-2022-22624: Fixed use after free that may lead to arbitrary code execution.
- CVE-2022-22628: Fixed use after free that may lead to arbitrary code execution.
- CVE-2022-22629: Fixed a buffer overflow that may lead to arbitrary code execution.
- CVE-2022-22637: Fixed an unexpected cross-origin behavior due to a logic error.
Missing CVE reference for the update to 2.34.6 (bsc#1196133):
- CVE-2022-22594: Fixed a cross-origin issue in the IndexDB API.
ImportantSUSE bug 1196133SUSE bug 1198290CVE-2022-22594 at SUSECVE-2022-22594 at NVDCVE-2022-22624 at SUSECVE-2022-22624 at NVDCVE-2022-22628 at SUSECVE-2022-22628 at NVDCVE-2022-22629 at SUSECVE-2022-22629 at NVDCVE-2022-22637 at SUSECVE-2022-22637 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for curl (Important)SUSE OpenStack Cloud 8
This update for curl fixes the following issues:
- CVE-2022-27781: Fixed CERTINFO never-ending busy-loop (bsc#1199223)
- CVE-2022-27782: Fixed TLS and SSH connection too eager reuse (bsc#1199224)
ImportantSUSE bug 1199223SUSE bug 1199224CVE-2022-27781 at SUSECVE-2022-27781 at NVDCVE-2022-27782 at SUSECVE-2022-27782 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ucode-intel (Moderate)SUSE OpenStack Cloud 8
This update for ucode-intel fixes the following issues:
Updated to Intel CPU Microcode 20220510 release. (bsc#1199423)
Updated to Intel CPU Microcode 20220419 release. (bsc#1198717)
- CVE-2022-21151: Processor optimization removal or modification of security-critical code for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access (bsc#1199423).
ModerateSUSE bug 1198717SUSE bug 1199423CVE-2022-21151 at SUSECVE-2022-21151 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.9.0 ESR (MFSA 2022-17)(bsc#1198970):
- CVE-2022-29914: Fullscreen notification bypass using popups
- CVE-2022-29909: Bypassing permission prompt in nested browsing contexts
- CVE-2022-29916: Leaking browser history with CSS variables
- CVE-2022-29911: iframe Sandbox bypass
- CVE-2022-29912: Reader mode bypassed SameSite cookies
- CVE-2022-29917: Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9
ImportantSUSE bug 1198970CVE-2022-29909 at SUSECVE-2022-29909 at NVDCVE-2022-29911 at SUSECVE-2022-29911 at NVDCVE-2022-29912 at SUSECVE-2022-29912 at NVDCVE-2022-29914 at SUSECVE-2022-29914 at NVDCVE-2022-29916 at SUSECVE-2022-29916 at NVDCVE-2022-29917 at SUSECVE-2022-29917 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for expat (Important)SUSE OpenStack Cloud 8
This update for expat fixes the following issues:
- CVE-2021-45960: Fixed left shift in the storeAtts function in xmlparse.c that can lead to realloc misbehavior (bsc#1194251).
- CVE-2021-46143: Fixed integer overflow in m_groupSize in doProlog (bsc#1194362).
- CVE-2022-22822: Fixed integer overflow in addBinding in xmlparse.c (bsc#1194474).
- CVE-2022-22823: Fixed integer overflow in build_model in xmlparse.c (bsc#1194476).
- CVE-2022-22824: Fixed integer overflow in defineAttribute in xmlparse.c (bsc#1194477).
- CVE-2022-22825: Fixed integer overflow in lookup in xmlparse.c (bsc#1194478).
- CVE-2022-22826: Fixed integer overflow in nextScaffoldPart in xmlparse.c (bsc#1194479).
- CVE-2022-22827: Fixed integer overflow in storeAtts in xmlparse.c (bsc#1194480).
ImportantSUSE bug 1194251SUSE bug 1194362SUSE bug 1194474SUSE bug 1194476SUSE bug 1194477SUSE bug 1194478SUSE bug 1194479SUSE bug 1194480CVE-2021-45960 at SUSECVE-2021-45960 at NVDCVE-2021-46143 at SUSECVE-2021-46143 at NVDCVE-2022-22822 at SUSECVE-2022-22822 at NVDCVE-2022-22823 at SUSECVE-2022-22823 at NVDCVE-2022-22824 at SUSECVE-2022-22824 at NVDCVE-2022-22825 at SUSECVE-2022-22825 at NVDCVE-2022-22826 at SUSECVE-2022-22826 at NVDCVE-2022-22827 at SUSECVE-2022-22827 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for postgresql10 (Important)SUSE OpenStack Cloud 8
This update for postgresql10 fixes the following issues:
- CVE-2022-1552: Confine additional operations within 'security restricted operation' sandboxes (bsc#1199475).
ImportantSUSE bug 1199475CVE-2022-1552 at SUSECVE-2022-1552 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.9.1 ESR - MFSA 2022-19 (bsc#1199768):
- CVE-2022-1802: Prototype pollution in Top-Level Await implementation
- CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading to prototype pollution
ImportantSUSE bug 1199768CVE-2022-1529 at SUSECVE-2022-1529 at NVDCVE-2022-1802 at SUSECVE-2022-1802 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-requests (Moderate)SUSE OpenStack Cloud 8
This update for python-requests fixes the following issues:
- CVE-2018-18074: Fixed to prevent the package to send an HTTP Authorization header to an http URI
upon receiving a same-hostname https-to-http redirect. (bsc#1111622)
ModerateSUSE bug 1111622CVE-2018-18074 at SUSECVE-2018-18074 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libxml2 (Important)SUSE OpenStack Cloud 8
This update for libxml2 fixes the following issues:
- CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c and tree.c (bsc#1199132).
- CVE-2017-16932: Prevent infinite recursion in parameter entities (bsc#1069689).
ImportantSUSE bug 1069689SUSE bug 1199132CVE-2017-16932 at SUSECVE-2017-16932 at NVDCVE-2022-29824 at SUSECVE-2022-29824 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for pcre2 (Important)SUSE OpenStack Cloud 8
This update for pcre2 fixes the following issues:
- CVE-2022-1586: Fixed out-of-bounds read via missing Unicode property matching issue in JIT compiled regular expressions (bsc#1199232).
ImportantSUSE bug 1199232CVE-2022-1586 at SUSECVE-2022-1586 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for wpa_supplicant (Important)SUSE OpenStack Cloud 8
This update for wpa_supplicant fixes the following issues:
- CVE-2022-23303, CVE-2022-23304: Fixed SAE/EAP-pwd side-channel attacks (bsc#1194732, bsc#1194733)
- CVE-2021-0326: Fixed P2P group information processing vulnerability (bsc#1181777)
- Fix systemd device ready dependencies in wpa_supplicant@.service file. (bsc#1182805)
- Limit P2P_DEVICE name to appropriate ifname size
- Enable SAE support(jsc#SLE-14992).
- Fix wicked wlan (bsc#1156920)
- Change wpa_supplicant.service to ensure wpa_supplicant gets started before
network. Fix WLAN config on boot with wicked. (bsc#1166933)
- Adjust the service to start after network.target wrt bsc#1165266
Update to 2.9 release:
* SAE changes
- disable use of groups using Brainpool curves
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* EAP-pwd changes
- disable use of groups using Brainpool curves
- allow the set of groups to be configured (eap_pwd_groups)
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* fixed FT-EAP initial mobility domain association using PMKSA caching
(disabled by default for backwards compatibility; can be enabled
with ft_eap_pmksa_caching=1)
* fixed a regression in OpenSSL 1.1+ engine loading
* added validation of RSNE in (Re)Association Response frames
* fixed DPP bootstrapping URI parser of channel list
* extended EAP-SIM/AKA fast re-authentication to allow use with FILS
* extended ca_cert_blob to support PEM format
* improved robustness of P2P Action frame scheduling
* added support for EAP-SIM/AKA using anonymous@realm identity
* fixed Hotspot 2.0 credential selection based on roaming consortium
to ignore credentials without a specific EAP method
* added experimental support for EAP-TEAP peer (RFC 7170)
* added experimental support for EAP-TLS peer with TLS v1.3
* fixed a regression in WMM parameter configuration for a TDLS peer
* fixed a regression in operation with drivers that offload 802.1X
4-way handshake
* fixed an ECDH operation corner case with OpenSSL
* SAE changes
- added support for SAE Password Identifier
- changed default configuration to enable only groups 19, 20, 21
(i.e., disable groups 25 and 26) and disable all unsuitable groups
completely based on REVmd changes
- do not regenerate PWE unnecessarily when the AP uses the
anti-clogging token mechanisms
- fixed some association cases where both SAE and FT-SAE were enabled
on both the station and the selected AP
- started to prefer FT-SAE over SAE AKM if both are enabled
- started to prefer FT-SAE over FT-PSK if both are enabled
- fixed FT-SAE when SAE PMKSA caching is used
- reject use of unsuitable groups based on new implementation guidance
in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
groups with prime >= 256)
- minimize timing and memory use differences in PWE derivation
[https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868)
* EAP-pwd changes
- minimize timing and memory use differences in PWE derivation
[https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870)
- verify server scalar/element
[https://w1.fi/security/2019-4/] (CVE-2019-9497, CVE-2019-9498,
CVE-2019-9499, bsc#1131874, bsc#1131872, bsc#1131871, bsc#1131644)
- fix message reassembly issue with unexpected fragment
[https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640)
- enforce rand,mask generation rules more strictly
- fix a memory leak in PWE derivation
- disallow ECC groups with a prime under 256 bits (groups 25, 26, and
27)
- SAE/EAP-pwd side-channel attack update
[https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443)
* fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y
* Hotspot 2.0 changes
- do not indicate release number that is higher than the one
AP supports
- added support for release number 3
- enable PMF automatically for network profiles created from
credentials
* fixed OWE network profile saving
* fixed DPP network profile saving
* added support for RSN operating channel validation
(CONFIG_OCV=y and network profile parameter ocv=1)
* added Multi-AP backhaul STA support
* fixed build with LibreSSL
* number of MKA/MACsec fixes and extensions
* extended domain_match and domain_suffix_match to allow list of values
* fixed dNSName matching in domain_match and domain_suffix_match when
using wolfSSL
* started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both
are enabled
* extended nl80211 Connect and external authentication to support
SAE, FT-SAE, FT-EAP-SHA384
* fixed KEK2 derivation for FILS+FT
* extended client_cert file to allow loading of a chain of PEM
encoded certificates
* extended beacon reporting functionality
* extended D-Bus interface with number of new properties
* fixed a regression in FT-over-DS with mac80211-based drivers
* OpenSSL: allow systemwide policies to be overridden
* extended driver flags indication for separate 802.1X and PSK
4-way handshake offload capability
* added support for random P2P Device/Interface Address use
* extended PEAP to derive EMSK to enable use with ERP/FILS
* extended WPS to allow SAE configuration to be added automatically
for PSK (wps_cred_add_sae=1)
* removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS)
* extended domain_match and domain_suffix_match to allow list of values
* added a RSN workaround for misbehaving PMF APs that advertise
IGTK/BIP KeyID using incorrect byte order
* fixed PTK rekeying with FILS and FT
* fixed WPA packet number reuse with replayed messages and key
reinstallation
[https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078,
CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
* fixed unauthenticated EAPOL-Key decryption in wpa_supplicant
[https://w1.fi/security/2018-1/] (CVE-2018-14526)
* added support for FILS (IEEE 802.11ai) shared key authentication
* added support for OWE (Opportunistic Wireless Encryption, RFC 8110;
and transition mode defined by WFA)
* added support for DPP (Wi-Fi Device Provisioning Protocol)
* added support for RSA 3k key case with Suite B 192-bit level
* fixed Suite B PMKSA caching not to update PMKID during each 4-way
handshake
* fixed EAP-pwd pre-processing with PasswordHashHash
* added EAP-pwd client support for salted passwords
* fixed a regression in TDLS prohibited bit validation
* started to use estimated throughput to avoid undesired signal
strength based roaming decision
* MACsec/MKA:
- new macsec_linux driver interface support for the Linux
kernel macsec module
- number of fixes and extensions
* added support for external persistent storage of PMKSA cache
(PMKSA_GET/PMKSA_ADD control interface commands; and
MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case)
* fixed mesh channel configuration pri/sec switch case
* added support for beacon report
* large number of other fixes, cleanup, and extensions
* added support for randomizing local address for GAS queries
(gas_rand_mac_addr parameter)
* fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel
* added option for using random WPS UUID (auto_uuid=1)
* added SHA256-hash support for OCSP certificate matching
* fixed EAP-AKA' to add AT_KDF into Synchronization-Failure
* fixed a regression in RSN pre-authentication candidate selection
* added option to configure allowed group management cipher suites
(group_mgmt network profile parameter)
* removed all PeerKey functionality
* fixed nl80211 AP and mesh mode configuration regression with
Linux 4.15 and newer
* added ap_isolate configuration option for AP mode
* added support for nl80211 to offload 4-way handshake into the driver
* added support for using wolfSSL cryptographic library
* SAE
- added support for configuring SAE password separately of the
WPA2 PSK/passphrase
- fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection
for SAE;
note: this is not backwards compatible, i.e., both the AP and
station side implementations will need to be update at the same
time to maintain interoperability
- added support for Password Identifier
- fixed FT-SAE PMKID matching
* Hotspot 2.0
- added support for fetching of Operator Icon Metadata ANQP-element
- added support for Roaming Consortium Selection element
- added support for Terms and Conditions
- added support for OSEN connection in a shared RSN BSS
- added support for fetching Venue URL information
* added support for using OpenSSL 1.1.1
* FT
- disabled PMKSA caching with FT since it is not fully functional
- added support for SHA384 based AKM
- added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128,
BIP-GMAC-256 in addition to previously supported BIP-CMAC-128
- fixed additional IE inclusion in Reassociation Request frame when
using FT protocol
- CVE-2015-8041: Using O_WRONLY flag [http://w1.fi/security/2015-5/] ImportantSUSE bug 1131644SUSE bug 1131868SUSE bug 1131870SUSE bug 1131871SUSE bug 1131872SUSE bug 1131874SUSE bug 1133640SUSE bug 1144443SUSE bug 1156920SUSE bug 1165266SUSE bug 1166933SUSE bug 1167331SUSE bug 1182805SUSE bug 1194732SUSE bug 1194733CVE-2015-8041 at SUSECVE-2015-8041 at NVDCVE-2017-13077 at SUSECVE-2017-13077 at NVDCVE-2017-13078 at SUSECVE-2017-13078 at NVDCVE-2017-13079 at SUSECVE-2017-13079 at NVDCVE-2017-13080 at SUSECVE-2017-13080 at NVDCVE-2017-13081 at SUSECVE-2017-13081 at NVDCVE-2017-13082 at SUSECVE-2017-13082 at NVDCVE-2017-13086 at SUSECVE-2017-13086 at NVDCVE-2017-13087 at SUSECVE-2017-13087 at NVDCVE-2017-13088 at SUSECVE-2017-13088 at NVDCVE-2018-14526 at SUSECVE-2018-14526 at NVDCVE-2019-11555 at SUSECVE-2019-11555 at NVDCVE-2019-13377 at SUSECVE-2019-13377 at NVDCVE-2019-9494 at SUSECVE-2019-9494 at NVDCVE-2019-9495 at SUSECVE-2019-9495 at NVDCVE-2019-9497 at SUSECVE-2019-9497 at NVDCVE-2019-9498 at SUSECVE-2019-9498 at NVDCVE-2019-9499 at SUSECVE-2019-9499 at NVDCVE-2022-23303 at SUSECVE-2022-23303 at NVDCVE-2022-23304 at SUSECVE-2022-23304 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for postgresql14 (Important)SUSE OpenStack Cloud 8
This update for postgresql14 fixes the following issues:
- CVE-2022-1552: Confine additional operations within 'security restricted operation' sandboxes (bsc#1199475).
ImportantSUSE bug 1199475CVE-2022-1552 at SUSECVE-2022-1552 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openstack-neutron (Important)SUSE OpenStack Cloud 8
This update for openstack-neutron fixes the following issues:
- CVE-2021-40797: Fixed routes middleware memory leak for nonexistent controllers (bsc#1190339).
- CVE-2021-40085: Fixed arbitrary dnsmasq reconfiguration via extra_dhcp_opts (bsc#1189794).
ImportantSUSE bug 1189794SUSE bug 1190339CVE-2021-40085 at SUSECVE-2021-40085 at NVDCVE-2021-40797 at SUSECVE-2021-40797 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ImageMagick (Important)SUSE OpenStack Cloud 8
This update for ImageMagick fixes the following issues:
- CVE-2022-1270: Fixed a memory corruption issue when parsing MIFF files (bsc#1198351).
- CVE-2022-28463: Fixed buffer overflow in coders/cin.c (bsc#1199350).
ImportantSUSE bug 1198351SUSE bug 1199350CVE-2022-1270 at SUSECVE-2022-1270 at NVDCVE-2022-28463 at SUSECVE-2022-28463 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for mailman (Important)SUSE OpenStack Cloud 8
This update for mailman fixes the following issues:
- CVE-2021-44227: Preventing list moderator or list member accessing the admin UI (bsc#1193316).
- CVE-2021-43332: Preventing list moderator from cracking the list admin password encrypted in a CSRF token (bsc#1192741).
- CVE-2021-43331: Fixed XSS in Cgi/options.py (bsc#1192735).
- CVE-2021-42096: Add protection against remote privilege escalation via csrf_token derived from admin password (bsc#1191959).
ImportantSUSE bug 1191959SUSE bug 1192735SUSE bug 1192741SUSE bug 1193316CVE-2021-42096 at SUSECVE-2021-42096 at NVDCVE-2021-43331 at SUSECVE-2021-43331 at NVDCVE-2021-43332 at SUSECVE-2021-43332 at NVDCVE-2021-44227 at SUSECVE-2021-44227 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for polkit (Important)SUSE OpenStack Cloud 8
This update for polkit fixes the following issues:
- CVE-2021-4034: Fixed a local privilege escalation in pkexec (bsc#1194568).
ImportantSUSE bug 1194568CVE-2021-4034 at SUSECVE-2021-4034 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for librelp (Moderate)SUSE OpenStack Cloud 8
This update for librelp fixes the following issues:
- CVE-2018-1000140: Fixed remote attack via specially crafted x509 certificates when connecting to rsyslog to trigger a stack buffer overflow and run arbitrary code (bsc#1086730).
ModerateSUSE bug 1086730CVE-2018-1000140 at SUSECVE-2018-1000140 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.10.0 ESR (MFSA 2022-21)(bsc#1200027)
- CVE-2022-31736: Cross-Origin resource's length leaked
- CVE-2022-31737: Heap buffer overflow in WebGL
- CVE-2022-31738: Browser window spoof using fullscreen mode
- CVE-2022-31739: Attacker-influenced path traversal when saving downloaded files
- CVE-2022-31740: Register allocation problem in WASM on arm64
- CVE-2022-31741: Uninitialized variable leads to invalid memory read
- CVE-2022-31742: Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information
- CVE-2022-31747: Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10
ImportantSUSE bug 1200027CVE-2022-31736 at SUSECVE-2022-31736 at NVDCVE-2022-31737 at SUSECVE-2022-31737 at NVDCVE-2022-31738 at SUSECVE-2022-31738 at NVDCVE-2022-31739 at SUSECVE-2022-31739 at NVDCVE-2022-31740 at SUSECVE-2022-31740 at NVDCVE-2022-31741 at SUSECVE-2022-31741 at NVDCVE-2022-31742 at SUSECVE-2022-31742 at NVDCVE-2022-31747 at SUSECVE-2022-31747 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for strongswan (Important)SUSE OpenStack Cloud 8
This update for strongswan fixes the following issues:
- CVE-2021-45079: Fixed authentication bypass in EAP authentication. (bsc#1194471)
ImportantSUSE bug 1194471CVE-2021-45079 at SUSECVE-2021-45079 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for mozilla-nss (Important)SUSE OpenStack Cloud 8
This update for mozilla-nss fixes the following issues:
Mozilla NSS 3.68.4 (bsc#1200027)
* CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. (bmo#1767590)
ImportantSUSE bug 1200027CVE-2022-31741 at SUSECVE-2022-31741 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for grub2 (Important)SUSE OpenStack Cloud 8
This update for grub2 fixes the following issues:
Security fixes and hardenings for boothole 3 / boothole 2022 (bsc#1198581)
- CVE-2021-3695: Fixed that a crafted PNG grayscale image could lead to out-of-bounds write in heap (bsc#1191184)
- CVE-2021-3696: Fixed that a crafted PNG image could lead to out-of-bound write during huffman table handling (bsc#1191185)
- CVE-2021-3697: Fixed that a crafted JPEG image could lead to buffer underflow write in the heap (bsc#1191186)
- CVE-2022-28733: Fixed fragmentation math in net/ip (bsc#1198460)
- CVE-2022-28734: Fixed an out-of-bound write for split http headers (bsc#1198493)
- CVE-2022-28736: Fixed a use-after-free in chainloader command (bsc#1198496)
- Update SBAT security contact (bsc#1193282)
- Bump grub's SBAT generation to 2
- Use boot disks in OpenFirmware, fixing regression caused when the root LV is completely in the boot LUN (bsc#1197948)
ImportantSUSE bug 1191184SUSE bug 1191185SUSE bug 1191186SUSE bug 1193282SUSE bug 1197948SUSE bug 1198460SUSE bug 1198493SUSE bug 1198496SUSE bug 1198581CVE-2021-3695 at SUSECVE-2021-3695 at NVDCVE-2021-3696 at SUSECVE-2021-3696 at NVDCVE-2021-3697 at SUSECVE-2021-3697 at NVDCVE-2022-28733 at SUSECVE-2022-28733 at NVDCVE-2022-28734 at SUSECVE-2022-28734 at NVDCVE-2022-28736 at SUSECVE-2022-28736 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud 8
The SUSE Linux Enterprise 12 SP3 kernel was updated to 3.12.31 to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2022-21127: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-21123: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-21125: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-21180: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-21166: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-1975: Fixed a bug that allows an attacker to crash the linux kernel by simulating nfc device from user-space. (bsc#1200143)
- CVE-2022-1974: Fixed an use-after-free that could causes kernel crash by simulating an nfc device from user-space. (bsc#1200144)
- CVE-2019-19377: Fixed an user-after-free that could be triggered when an attacker mounts a crafted btrfs filesystem image. (bnc#1158266)
- CVE-2022-1729: Fixed a sys_perf_event_open() race condition against self (bsc#1199507).
- CVE-2022-1184: Fixed an use-after-free and memory errors in ext4 when mounting and operating on a corrupted image. (bsc#1198577)
- CVE-2022-21499: Reinforce the kernel lockdown feature, until now it's been trivial to break out of it with kgdb or kdb. (bsc#1199426)
- CVE-2017-13695: Fixed a bug that caused a stack dump allowing local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted ACPI table. (bnc#1055710)
- CVE-2022-1652: Fixed a statically allocated error counter inside the floppy kernel module (bsc#1199063).
- CVE-2022-1734: Fixed a r/w use-after-free when non synchronized between cleanup routine and firmware download routine. (bnc#1199605)
- CVE-2022-30594: Fixed restriction bypass on setting the PT_SUSPEND_SECCOMP flag (bnc#1199505).
- CVE-2021-28688: Fixed XSA-365 that includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains (bnc#1183646).
- CVE-2020-10769: Fixed a buffer over-read flaw in the IPsec Cryptographic algorithm's module. This flaw allowed a local attacker with user privileges to cause a denial of service. (bnc#1173265)
- CVE-2021-33061: Fixed insufficient control flow management for the Intel(R) 82599 Ethernet Controllers and Adapters that may have allowed an authenticated user to potentially enable denial of service via local access (bnc#1196426).
- CVE-2022-1516: Fixed null-ptr-deref caused by x25_disconnect (bsc#1199012).
- CVE-2021-20321: Fixed a race condition accessing file object in the OverlayFS subsystem in the way users do rename in specific way with OverlayFS. A local user could have used this flaw to crash the system (bnc#1191647).
- CVE-2018-7755: Fixed an issue in the fd_locked_ioctl function in drivers/block/floppy.c. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR (bnc#1084513).
- CVE-2022-1419: Fixed a concurrency use-after-free in vgem_gem_dumb_create (bsc#1198742).
- CVE-2021-38208: Fixed a denial of service (NULL pointer dereference and BUG) by making a getsockname call after a certain type of failure of a bind call (bnc#1187055).
- CVE-2022-1353: Fixed access controll to kernel memory in the pfkey_register function in net/key/af_key.c. (bnc#1198516)
- CVE-2018-20784: Fixed a denial of service (infinite loop in update_blocked_averages) by mishandled leaf cfs_rq in kernel/sched/fair.c (bnc#1126703).
- CVE-2021-20292: Fixed object validation prior to performing operations on the object in nouveau_sgdma_create_ttm in Nouveau DRM subsystem (bnc#1183723).
- CVE-2022-28390: Fixed a double free in drivers/net/can/usb/ems_usb.c vulnerability in the Linux kernel (bnc#1198031).
- CVE-2022-28388: Fixed a double free in drivers/net/can/usb/usb_8dev.c vulnerability in the Linux kernel (bnc#1198032).
- CVE-2022-1011: Fixed an use-after-free vulnerability which could allow a local attacker to retireve (partial) /etc/shadow hashes or any other data from filesystem when he can mount a FUSE filesystems. (bnc#1197343)
The following non-security bugs were fixed:
- btrfs: tree-checker: fix incorrect printk format (bsc#1200249).
- net: mana: Add handling of CQE_RX_TRUNCATED (bsc#1195651).
- net: mana: Remove unnecessary check of cqe_type in mana_process_rx_cqe() (bsc#1195651).
- PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time (bsc#1199314).
- powerpc/pseries: extract host bridge from pci_bus prior to bus removal (bsc#1182171 ltc#190900 bsc#1198660 ltc#197803).
- powerpc/pseries: Fix use after free in remove_phb_dynamic() (bsc#1065729 bsc#1198660 ltc#197803).
- vmbus: do not return values for uninitalized channels (bsc#1051510 bsc#1198997).
- vt: vt_ioctl: fix race in VT_RESIZEX (bsc#1199785).
- x86/hyperv: Read TSC frequency from a synthetic MSR (bsc#1198962).
- x86/speculation: Fix redundant MDS mitigation message (bsc#1199650).
ImportantSUSE bug 1051510SUSE bug 1055710SUSE bug 1065729SUSE bug 1084513SUSE bug 1087082SUSE bug 1126703SUSE bug 1158266SUSE bug 1173265SUSE bug 1182171SUSE bug 1183646SUSE bug 1183723SUSE bug 1187055SUSE bug 1191647SUSE bug 1195651SUSE bug 1196426SUSE bug 1197343SUSE bug 1198031SUSE bug 1198032SUSE bug 1198516SUSE bug 1198577SUSE bug 1198660SUSE bug 1198687SUSE bug 1198742SUSE bug 1198962SUSE bug 1198997SUSE bug 1199012SUSE bug 1199063SUSE bug 1199314SUSE bug 1199426SUSE bug 1199505SUSE bug 1199507SUSE bug 1199605SUSE bug 1199650SUSE bug 1199785SUSE bug 1200143SUSE bug 1200144SUSE bug 1200249CVE-2017-13695 at SUSECVE-2017-13695 at NVDCVE-2018-20784 at SUSECVE-2018-20784 at NVDCVE-2018-7755 at SUSECVE-2018-7755 at NVDCVE-2019-19377 at SUSECVE-2019-19377 at NVDCVE-2020-10769 at SUSECVE-2020-10769 at NVDCVE-2021-20292 at SUSECVE-2021-20292 at NVDCVE-2021-20321 at SUSECVE-2021-20321 at NVDCVE-2021-28688 at SUSECVE-2021-28688 at NVDCVE-2021-33061 at SUSECVE-2021-33061 at NVDCVE-2021-38208 at SUSECVE-2021-38208 at NVDCVE-2022-1011 at SUSECVE-2022-1011 at NVDCVE-2022-1184 at SUSECVE-2022-1184 at NVDCVE-2022-1353 at SUSECVE-2022-1353 at NVDCVE-2022-1419 at SUSECVE-2022-1419 at NVDCVE-2022-1516 at SUSECVE-2022-1516 at NVDCVE-2022-1652 at SUSECVE-2022-1652 at NVDCVE-2022-1729 at SUSECVE-2022-1729 at NVDCVE-2022-1734 at SUSECVE-2022-1734 at NVDCVE-2022-1974 at SUSECVE-2022-1974 at NVDCVE-2022-1975 at SUSECVE-2022-1975 at NVDCVE-2022-21123 at SUSECVE-2022-21123 at NVDCVE-2022-21125 at SUSECVE-2022-21125 at NVDCVE-2022-21127 at SUSECVE-2022-21127 at NVDCVE-2022-21166 at SUSECVE-2022-21166 at NVDCVE-2022-21180 at SUSECVE-2022-21180 at NVDCVE-2022-21499 at SUSECVE-2022-21499 at NVDCVE-2022-28388 at SUSECVE-2022-28388 at NVDCVE-2022-28390 at SUSECVE-2022-28390 at NVDCVE-2022-30594 at SUSECVE-2022-30594 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud 8
This update for webkit2gtk3 fixes the following issues:
Update to version 2.36.3 (bsc#1200106)
- CVE-2022-30293: Fixed heap-based buffer overflow in WebCore::TextureMapperLayer::setContentsLayer (bsc#1199287).
- CVE-2022-26700: Fixed memory corruption issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
- CVE-2022-26709: Fixed use after free issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
- CVE-2022-26716: Fixed use after free issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
- CVE-2022-26717: Fixed memory corruption issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
- CVE-2022-26719: Fixed memory corruption issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
ImportantSUSE bug 1199287SUSE bug 1200106CVE-2022-26700 at SUSECVE-2022-26700 at NVDCVE-2022-26709 at SUSECVE-2022-26709 at NVDCVE-2022-26716 at SUSECVE-2022-26716 at NVDCVE-2022-26717 at SUSECVE-2022-26717 at NVDCVE-2022-26719 at SUSECVE-2022-26719 at NVDCVE-2022-30293 at SUSECVE-2022-30293 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openssl (Important)SUSE OpenStack Cloud 8
This update for openssl fixes the following issues:
- CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).
ImportantSUSE bug 1199166CVE-2022-1292 at SUSECVE-2022-1292 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for apache2 (Important)SUSE OpenStack Cloud 8
This update for apache2 fixes the following issues:
- CVE-2022-26377: Fixed possible request smuggling in mod_proxy_ajp (bsc#1200338)
- CVE-2022-28614: Fixed read beyond bounds via ap_rwrite() (bsc#1200340)
- CVE-2022-28615: Fixed read beyond bounds in ap_strcmp_match() (bsc#1200341)
- CVE-2022-29404: Fixed denial of service in mod_lua r:parsebody (bsc#1200345)
- CVE-2022-30556: Fixed information disclosure in mod_lua with websockets (bsc#1200350)
- CVE-2022-30522: Fixed mod_sed denial of service (bsc#1200352)
- CVE-2022-31813: Fixed mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism (bsc#1200348)
ImportantSUSE bug 1200338SUSE bug 1200340SUSE bug 1200341SUSE bug 1200345SUSE bug 1200348SUSE bug 1200350SUSE bug 1200352CVE-2022-26377 at SUSECVE-2022-26377 at NVDCVE-2022-28614 at SUSECVE-2022-28614 at NVDCVE-2022-28615 at SUSECVE-2022-28615 at NVDCVE-2022-29404 at SUSECVE-2022-29404 at NVDCVE-2022-30522 at SUSECVE-2022-30522 at NVDCVE-2022-30556 at SUSECVE-2022-30556 at NVDCVE-2022-31813 at SUSECVE-2022-31813 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-Twisted (Important)SUSE OpenStack Cloud 8
This update for python-Twisted fixes the following issues:
- CVE-2022-21716: Fixed that ssh server accepts an infinite amount of data using all the available memory (bsc#1196739).
ImportantSUSE bug 1196739CVE-2022-21716 at SUSECVE-2022-21716 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for log4j (Important)SUSE OpenStack Cloud 8
This update for log4j fixes the following issues:
- CVE-2022-23307: Fix deserialization issue by removing the chainsaw sub-package. (bsc#1194844)
- CVE-2022-23305: Fix SQL injection by removing src/main/java/org/apache/log4j/jdbc/JDBCAppender.java. (bsc#1194843)
- CVE-2022-23302: Fix remote code execution by removing src/main/java/org/apache/log4j/net/JMSSink.java. (bsc#1194842)
ImportantSUSE bug 1194842SUSE bug 1194843SUSE bug 1194844CVE-2022-23302 at SUSECVE-2022-23302 at NVDCVE-2022-23305 at SUSECVE-2022-23305 at NVDCVE-2022-23307 at SUSECVE-2022-23307 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for SUSE Manager Client Tools (Important)SUSE OpenStack Cloud 8
This update fixes the following issues:
golang-github-QubitProducts-exporter_exporter:
- Adapted to build on Enterprise Linux.
- Fix build for RedHat 7
- Require Go >= 1.14 also for CentOS
- Add support for CentOS
- Replace %{?systemd_requires} with %{?systemd_ordering}
golang-github-prometheus-alertmanager:
- CVE-2022-21698: Denial of service using InstrumentHandlerCounter.
* Update vendor tarball with prometheus/client_golang 1.11.1 (bsc#1196338, jsc#SLE-24077)
- Update required Go version to 1.16
- Update to version 0.23.0:
* amtool: Detect version drift and warn users (#2672)
* Add ability to skip TLS verification for amtool (#2663)
* Fix empty isEqual in amtool. (#2668)
* Fix main tests (#2670)
* cli: add new template render command (#2538)
* OpsGenie: refer to alert instead of incident (#2609)
* Docs: target_match and source_match are DEPRECATED (#2665)
* Fix test not waiting for cluster member to be ready
- Added hardening to systemd service(s) (bsc#1181400)
golang-github-prometheus-node_exporter:
- CVE-2022-21698: Denial of service using InstrumentHandlerCounter.
* Update vendor tarball with prometheus/client_golang 1.11.1
(bsc#1196338, jsc#SLE-24238, jsc#SLE-24239)
- Update to 1.3.0
* [CHANGE] Add path label to rapl collector #2146
* [CHANGE] Exclude filesystems under /run/credentials #2157
* [CHANGE] Add TCPTimeouts to netstat default filter #2189
* [FEATURE] Add lnstat collector for metrics from /proc/net/stat/ #1771
* [FEATURE] Add darwin powersupply collector #1777
* [FEATURE] Add support for monitoring GPUs on Linux #1998
* [FEATURE] Add Darwin thermal collector #2032
* [FEATURE] Add os release collector #2094
* [FEATURE] Add netdev.address-info collector #2105
* [FEATURE] Add clocksource metrics to time collector #2197
* [ENHANCEMENT] Support glob textfile collector directories #1985
* [ENHANCEMENT] ethtool: Expose node_ethtool_info metric #2080
* [ENHANCEMENT] Use include/exclude flags for ethtool filtering #2165
* [ENHANCEMENT] Add flag to disable guest CPU metrics #2123
* [ENHANCEMENT] Add DMI collector #2131
* [ENHANCEMENT] Add threads metrics to processes collector #2164
* [ENHANCMMENT] Reduce timer GC delays in the Linux filesystem collector #2169
* [ENHANCMMENT] Add TCPTimeouts to netstat default filter #2189
* [ENHANCMMENT] Use SysctlTimeval for boottime collector on BSD #2208
* [BUGFIX] ethtool: Sanitize metric names #2093
* [BUGFIX] Fix ethtool collector for multiple interfaces #2126
* [BUGFIX] Fix possible panic on macOS #2133
* [BUGFIX] Collect flag_info and bug_info only for one core #2156
* [BUGFIX] Prevent duplicate ethtool metric names #2187
- Update to 1.2.2
* Bug fixes
Fix processes collector long int parsing #2112
- Update to 1.2.1
* Removed
Remove obsolete capture permission denied error patch that is already included upstream
Fix zoneinfo parsing prometheus/procfs#386
Fix nvme collector log noise #2091
Fix rapl collector log noise #2092
- Update to 1.2.0
* Changes
Rename filesystem collector flags to match other collectors #2012
Make node_exporter print usage to STDOUT #203
* Features
Add conntrack statistics metrics #1155
Add ethtool stats collector #1832
Add flag to ignore network speed if it is unknown #1989
Add tapestats collector for Linux #2044
Add nvme collector #2062
* Enhancements
Add ErrorLog plumbing to promhttp #1887
Add more Infiniband counters #2019
netclass: retrieve interface names and filter before parsing #2033
Add time zone offset metric #2060
Handle errors from disabled PSI subsystem #1983
Fix panic when using backwards compatible flags #2000
Fix wrong value for OpenBSD memory buffer cache #2015
Only initiate collectors once #2048
Handle small backwards jumps in CPU idle #2067
- Apply patch to capture permission denied error for 'energy_uj' file (bsc#1190535)
grafana:
- Update to version 8.3.5 (jsc#SLE-23439, jsc#SLE-23422)
+ Security:
* Fixes XSS vulnerability in handling data sources
(bsc#1195726, CVE-2022-21702)
* Fixes cross-origin request forgery vulnerability
(bsc#1195727, CVE-2022-21703)
* Fixes Insecure Direct Object Reference vulnerability in Teams
API (bsc#1195728, CVE-2022-21713)
- Update to Go 1.17.
- Add build-time dependency on `wire`.
- Update license to GNU Affero General Public License v3.0.
- Update to version 8.3.4
* GetUserInfo: return an error if no user was found
(bsc#1194873, CVE-2022-21673)
+ Features and enhancements:
* Alerting: Allow configuration of non-ready alertmanagers.
* Alerting: Allow customization of Google chat message.
* AppPlugins: Support app plugins with only default nav.
* InfluxDB: query editor: skip fields in metadata queries.
* Postgres/MySQL/MSSQL: Cancel in-flight SQL query if user
cancels query in grafana.
* Prometheus: Forward oauth tokens after prometheus datasource
migration.
+ Bug fixes:
* Azure Monitor: Bug fix for variable interpolations in metrics
dropdowns.
* Azure Monitor: Improved error messages for variable queries.
* CloudMonitoring: Fixes broken variable queries that use group
bys.
* Configuration: You can now see your expired API keys if you
have no active ones.
* Elasticsearch: Fix handling multiple datalinks for a single
field.
* Export: Fix error being thrown when exporting dashboards
using query variables that reference the default datasource.
* ImportDashboard: Fixes issue with importing dashboard and
name ending up in uid.
* Login: Page no longer overflows on mobile.
* Plugins: Set backend metadata property for core plugins.
* Prometheus: Fill missing steps with null values.
* Prometheus: Fix interpolation of $__rate_interval variable.
* Prometheus: Interpolate variables with curly brackets syntax.
* Prometheus: Respect the http-method data source setting.
* Table: Fixes issue with field config applied to wrong fields
when hiding columns.
* Toolkit: Fix bug with rootUrls not being properly parsed when
signing a private plugin.
* Variables: Fix so data source variables are added to adhoc
configuration.
+ Plugin development fixes & changes:
* Toolkit: Revert build config so tslib is bundled with plugins
to prevent plugins from crashing.
- Update to version 8.3.3:
* BarChart: Use new data error view component to show actions
in panel edit.
* CloudMonitor: Iterate over pageToken for resources.
* Macaron: Prevent WriteHeader invalid HTTP status code panic.
* AnnoListPanel: Fix interpolation of variables in tags.
* CloudWatch: Allow queries to have no dimensions specified.
* CloudWatch: Fix broken queries for users migrating from
8.2.4/8.2.5 to 8.3.0.
* CloudWatch: Make sure MatchExact flag gets the right value.
* Dashboards: Fix so that empty folders can be deleted from the
manage dashboards/folders page.
* InfluxDB: Improve handling of metadata query errors in
InfluxQL.
* Loki: Fix adding of ad hoc filters for queries with parser
and line_format expressions.
* Prometheus: Fix running of exemplar queries for non-histogram
metrics.
* Prometheus: Interpolate template variables in interval.
* StateTimeline: Fix toolitp not showing when for frames with
multiple fields.
* TraceView: Fix virtualized scrolling when trace view is
opened in right pane in Explore.
* Variables: Fix repeating panels for on time range changed
variables.
* Variables: Fix so queryparam option works for scoped
- Update to version 8.3.2
+ Security: Fixes CVE-2021-43813 and CVE-2021-43815.
- Update to version 8.3.1
+ Security: Fixes CVE-2021-43798.
- Update to version 8.3.0
* Alerting: Prevent folders from being deleted when they
contain alerts.
* Alerting: Show full preview value in tooltip.
* BarGauge: Limit title width when name is really long.
* CloudMonitoring: Avoid to escape regexps in filters.
* CloudWatch: Add support for AWS Metric Insights.
* TooltipPlugin: Remove other panels' shared tooltip in edit
panel.
* Visualizations: Limit y label width to 40% of visualization
width.
* Alerting: Clear alerting rule evaluation errors after
intermittent failures.
* Alerting: Fix refresh on legacy Alert List panel.
* Dashboard: Fix queries for panels with non-integer widths.
* Explore: Fix url update inconsistency.
* Prometheus: Fix range variables interpolation for time ranges
smaller than 1 second.
* ValueMappings: Fixes issue with regex value mapping that only
sets color.
- Update to version 8.3.0-beta2
+ Breaking changes:
* Grafana 8 Alerting enabled by default for installations that
do not use legacy alerting.
* Keep Last State for 'If execution error or timeout' when
upgrading to Grafana 8 alerting.
* Alerting: Create DatasourceError alert if evaluation returns
error.
* Alerting: Make Unified Alerting enabled by default for those
who do not use legacy alerting.
* Alerting: Support mute timings configuration through the api
for the embedded alert manager.
* CloudWatch: Add missing AWS/Events metrics.
* Docs: Add easier to find deprecation notices to certain data
sources and to the changelog.
* Plugins Catalog: Enable install controls based on the
pluginAdminEnabled flag.
* Table: Add space between values for the DefaultCell and
JSONViewCell.
* Tracing: Make query editors available in dashboard for Tempo
and Zipkin.
* AccessControl: Renamed orgs roles, removed fixed:orgs:reader
introduced in beta1.
* Azure Monitor: Add trap focus for modals in grafana/ui and
other small a11y fixes for Azure Monitor.
* CodeEditor: Prevent suggestions from being clipped.
* Dashboard: Fix cache timeout persistence.
* Datasource: Fix stable sort order of query responses.
* Explore: Fix error in query history when removing last item.
* Logs: Fix requesting of older logs when flipped order.
* Prometheus: Fix running of health check query based on access
mode.
* TextPanel: Fix suggestions for existing panels.
* Tracing: Fix incorrect indentations due to reoccurring
spanIDs.
* Tracing: Show start time of trace with milliseconds
precision.
* Variables: Make renamed or missing variable section
expandable.
* Select: Select menus now properly scroll during keyboard
navigation.
- Update to version 8.3.0-beta1
* Alerting: Add UI for contact point testing with custom
annotations and labels.
* Alerting: Make alert state indicator in panel header work
with Grafana 8 alerts.
* Alerting: Option for Discord notifier to use webhook name.
* Annotations: Deprecate AnnotationsSrv.
* Auth: Omit all base64 paddings in JWT tokens for the JWT
auth.
* Azure Monitor: Clean up fields when editing Metrics.
* AzureMonitor: Add new starter dashboards.
* AzureMonitor: Add starter dashboard for app monitoring with
Application Insights.
* Barchart/Time series: Allow x axis label.
* CLI: Improve error handling for installing plugins.
* CloudMonitoring: Migrate to use backend plugin SDK contracts.
* CloudWatch Logs: Add retry strategy for hitting max
concurrent queries.
* CloudWatch: Add AWS RoboMaker metrics and dimension.
* CloudWatch: Add AWS Transfer metrics and dimension.
* Dashboard: replace datasource name with a reference object.
* Dashboards: Show logs on time series when hovering.
* Elasticsearch: Add support for Elasticsearch 8.0 (Beta).
* Elasticsearch: Add time zone setting to Date Histogram
aggregation.
* Elasticsearch: Enable full range log volume histogram.
* Elasticsearch: Full range logs volume.
* Explore: Allow changing the graph type.
* Explore: Show ANSI colors when highlighting matched words in
the logs panel.
* Graph(old) panel: Listen to events from Time series panel.
* Import: Load gcom dashboards from URL.
* LibraryPanels: Improves export and import of library panels
between orgs.
* OAuth: Support PKCE.
* Panel edit: Overrides now highlight correctly when searching.
* PanelEdit: Display drag indicators on draggable sections.
* Plugins: Refactor Plugin Management.
* Prometheus: Add custom query parameters when creating
PromLink url.
* Prometheus: Remove limits on metrics, labels, and values in
Metrics Browser.
* StateTimeline: Share cursor with rest of the panels.
* Tempo: Add error details when json upload fails.
* Tempo: Add filtering for service graph query.
* Tempo: Add links to nodes in Service Graph pointing to
Prometheus metrics.
* Time series/Bar chart panel: Add ability to sort series via
legend.
* TimeSeries: Allow multiple axes for the same unit.
* TraceView: Allow span links defined on dataFrame.
* Transformations: Support a rows mode in labels to fields.
* ValueMappings: Don't apply field config defaults to time
fields.
* Variables: Only update panels that are impacted by variable
change.
* API: Fix dashboard quota limit for imports.
* Alerting: Fix rule editor issues with Azure Monitor data
source.
* Azure monitor: Make sure alert rule editor is not enabled
when template variables are being used.
* CloudMonitoring: Fix annotation queries.
* CodeEditor: Trigger the latest getSuggestions() passed to
CodeEditor.
* Dashboard: Remove the current panel from the list of options
in the Dashboard datasource.
* Encryption: Fix decrypting secrets in alerting migration.
* InfluxDB: Fix corner case where index is too large in ALIAS
* NavBar: Order App plugins alphabetically.
* NodeGraph: Fix zooming sensitivity on touchpads.
* Plugins: Add OAuth pass-through logic to api/ds/query
endpoint.
* Snapshots: Fix panel inspector for snapshot data.
* Tempo: Fix basic auth password reset on adding tag.
* ValueMapping: Fixes issue with regex mappings.
* grafana/ui: Enable slider marks display.
- Update to version 8.2.7
- Update to version 8.2.6
* Security: Upgrade Docker base image to Alpine 3.14.3.
* Security: Upgrade Go to 1.17.2.
* TimeSeries: Fix fillBelowTo wrongly affecting fills of
unrelated series.
- Update to version 8.2.5
* Fix No Data behaviour in Legacy Alerting.
* Alerting: Fix a bug where the metric in the evaluation string
was not correctly populated.
* Alerting: Fix no data behaviour in Legacy Alerting for alert
rules using the AND operator.
* CloudMonitoring: Ignore min and max aggregation in MQL
queries.
* Dashboards: 'Copy' is no longer added to new dashboard
titles.
* DataProxy: Fix overriding response body when response is a
WebSocket upgrade.
* Elasticsearch: Use field configured in query editor as field
for date_histogram aggregations.
* Explore: Fix running queries without a datasource property
set.
* InfluxDB: Fix numeric aliases in queries.
* Plugins: Ensure consistent plugin settings list response.
* Tempo: Fix validation of float durations.
* Tracing: Correct tags for each span are shown.
- Update to version 8.2.4
+ Security: Fixes CVE-2021-41244.
- Update to version 8.2.3
+ Security: Fixes CVE-2021-41174.
- Update to version 8.2.2
* Annotations: We have improved tag search performance.
* Application: You can now configure an error-template title.
* AzureMonitor: We removed a restriction from the resource
filter query.
* Packaging: We removed the ProcSubset option in systemd. This
option prevented Grafana from starting in LXC environments.
* Prometheus: We removed the autocomplete limit for metrics.
* Table: We improved the styling of the type icons to make them
more distinct from column / field name.
* ValueMappings: You can now use value mapping in stat, gauge,
bar gauge, and pie chart visualizations.
* Alerting: Fix panic when Slack's API sends unexpected
response.
* Alerting: The Create Alert button now appears on the
dashboard panel when you are working with a default
datasource.
* Explore: We fixed the problem where the Explore log panel
disappears when an Elasticsearch logs query returns no
results.
* Graph: You can now see annotation descriptions on hover.
* Logs: The system now uses the JSON parser only if the line is
parsed to an object.
* Prometheus: We fixed the issue where the system did not reuse
TCP connections when querying from Grafana alerting.
* Prometheus: We fixed the problem that resulted in an error
when a user created a query with a $__interval min step.
* RowsToFields: We fixed the issue where the system was not
properly interpreting number values.
* Scale: We fixed how the system handles NaN percent when data
min = data max.
* Table panel: You can now create a filter that includes
special characters.
- Update to version 8.2.1
* Dashboard: Fix rendering of repeating panels.
* Datasources: Fix deletion of data source if plugin is not
found.
* Packaging: Remove systemcallfilters sections from systemd
unit files.
* Prometheus: Add Headers to HTTP client options.
- Update to version 8.2.0
* AWS: Updated AWS authentication documentation.
* Alerting: Added support Alertmanager data source for upstream
Prometheus AM implementation.
* Alerting: Allows more characters in label names so
notifications are sent.
* Alerting: Get alert rules for a dashboard or a panel using
/api/v1/rules endpoints.
* Annotations: Improved rendering performance of event markers.
* CloudWatch Logs: Skip caching for log queries.
* Explore: Added an opt-in configuration for Node Graph in
Jaeger, Zipkin, and Tempo.
* Packaging: Add stricter systemd unit options.
* Prometheus: Metrics browser can now handle label values with
* CodeEditor: Ensure that we trigger the latest onSave callback
provided to the component.
* DashboardList/AlertList: Fix for missing All folder value.
* Plugins: Create a mock icon component to prevent console
errors.
- Update to version 8.2.0-beta2
* AccessControl: Document new permissions restricting data
source access.
* TimePicker: Add fiscal years and search to time picker.
* Alerting: Added support for Unified Alerting with Grafana HA.
* Alerting: Added support for tune rule evaluation using
configuration options.
* Alerting: Cleanups alertmanager namespace from key-value
store when disabling Grafana 8 alerts.
* Alerting: Remove ngalert feature toggle and introduce two new
settings for enabling Grafana 8 alerts and disabling them for
specific organisations.
* CloudWatch: Introduced new math expression where it is
necessary to specify the period field.
* InfluxDB: Added support for $__interval and $__interval_ms in
Flux queries for alerting.
* InfluxDB: Flux queries can use more precise start and end
timestamps with nanosecond-precision.
* Plugins Catalog: Make the catalog the default way to interact
with plugins.
* Prometheus: Removed autocomplete limit for metrics.
* Alerting: Fixed an issue where the edit page crashes if you
tried to preview an alert without a condition set.
* Alerting: Fixed rules migration to keep existing Grafana 8
alert rules.
* Alerting: Fixed the silence file content generated during
* Analytics: Fixed an issue related to interaction event
propagation in Azure Application Insights.
* BarGauge: Fixed an issue where the cell color was lit even
though there was no data.
* BarGauge: Improved handling of streaming data.
* CloudMonitoring: Fixed INT64 label unmarshal error.
* ConfirmModal: Fixes confirm button focus on modal open.
* Dashboard: Add option to generate short URL for variables
with values containing spaces.
* Explore: No longer hides errors containing refId property.
* Fixed an issue that produced State timeline panel tooltip
error when data was not in sync.
* InfluxDB: InfluxQL query editor is set to always use
resultFormat.
* Loki: Fixed creating context query for logs with parsed
labels.
* PageToolbar: Fixed alignment of titles.
* Plugins Catalog: Update to the list of available panels after
an install, update or uninstall.
* TimeSeries: Fixed an issue where the shared cursor was not
showing when hovering over in old Graph panel.
* Variables: Fixed issues related to change of focus or refresh
pages when pressing enter in a text box variable input.
* Variables: Panel no longer crash when using the adhoc
variable in data links.
- Update to version 8.2.0-beta1
* AccessControl: Introduce new permissions to restrict access
for reloading provisioning configuration.
* Alerting: Add UI to edit Cortex/Loki namespace, group names,
and group evaluation interval.
* Alerting: Add a Test button to test contact point.
* Alerting: Allow creating/editing recording rules for Loki and
Cortex.
* Alerting: Metrics should have the label org instead of user.
* Alerting: Sort notification channels by name to make them
easier to locate.
* Alerting: Support org level isolation of notification
* AzureMonitor: Add data links to deep link to Azure Portal
Azure Resource Graph.
* AzureMonitor: Add support for annotations from Azure Monitor
Metrics and Azure Resource Graph services.
* AzureMonitor: Show error message when subscriptions request
fails in ConfigEditor.
* Chore: Update to Golang 1.16.7.
* CloudWatch Logs: Add link to X-Ray data source for trace IDs
in logs.
* CloudWatch Logs: Disable query path using websockets (Live)
feature.
* CloudWatch/Logs: Don't group dataframes for non time series
* Cloudwatch: Migrate queries that use multiple stats to one
query per stat.
* Dashboard: Keep live timeseries moving left (v2).
* Datasources: Introduce response_limit for datasource
responses.
* Explore: Add filter by trace or span ID to trace to logs
* Explore: Download traces as JSON in Explore Inspector.
* Explore: Reuse Dashboard's QueryRows component.
* Explore: Support custom display label for derived fields
buttons for Loki datasource.
* Grafana UI: Update monaco-related dependencies.
* Graphite: Deprecate browser access mode.
* InfluxDB: Improve handling of intervals in alerting.
* InfluxDB: InfluxQL query editor: Handle unusual characters in
tag values better.
* Jaeger: Add ability to upload JSON file for trace data.
* LibraryElements: Enable specifying UID for new and existing
library elements.
* LibraryPanels: Remove library panel icon from the panel
header so you can no longer tell that a panel is a library
panel from the dashboard view.
* Logs panel: Scroll to the bottom on page refresh when sorting
in ascending order.
* Loki: Add fuzzy search to label browser.
* Navigation: Implement active state for items in the Sidemenu.
* Packaging: Update PID file location from /var/run to /run.
* Plugins: Add Hide OAuth Forward config option.
* Postgres/MySQL/MSSQL: Add setting to limit the maximum number
of rows processed.
* Prometheus: Add browser access mode deprecation warning.
* Prometheus: Add interpolation for built-in-time variables to
backend.
* Tempo: Add ability to upload trace data in JSON format.
* TimeSeries/XYChart: Allow grid lines visibility control in
XYChart and TimeSeries panels.
* Transformations: Convert field types to time string number or
boolean.
* Value mappings: Add regular-expression based value mapping.
* Zipkin: Add ability to upload trace JSON.
* Admin: Prevent user from deleting user's current/active
organization.
* LibraryPanels: Fix library panel getting saved in the
dashboard's folder.
* OAuth: Make generic teams URL and JMES path configurable.
* QueryEditor: Fix broken copy-paste for mouse middle-click
* Thresholds: Fix undefined color in 'Add threshold'.
* Timeseries: Add wide-to-long, and fix multi-frame output.
* TooltipPlugin: Fix behavior of Shared Crosshair when Tooltip
is set to All.
* Grafana UI: Fix TS error property css is missing in type.
- Update to version 8.1.8
- Update to version 8.1.7
* Alerting: Fix alerts with evaluation interval more than 30
seconds resolving before notification.
* Elasticsearch/Prometheus: Fix usage of proper SigV4 service
namespace.
- Update to version 8.1.6
+ Security: Fixes CVE-2021-39226.
- Update to version 8.1.5
* BarChart: Fixes panel error that happens on second refresh.
- Update to version 8.1.4
+ Features and enhancements
* Explore: Ensure logs volume bar colors match legend colors.
* LDAP: Search all DNs for users.
* Alerting: Fix notification channel migration.
* Annotations: Fix blank panels for queries with unknown data
sources.
* BarChart: Fix stale values and x axis labels.
* Graph: Make old graph panel thresholds work even if ngalert
is enabled.
* InfluxDB: Fix regex to identify / as separator.
* LibraryPanels: Fix update issues related to library panels in
rows.
* Variables: Fix variables not updating inside a Panel when the
preceding Row uses 'Repeat For'.
- Update to version 8.1.3
+ Bug fixes
* Alerting: Fix alert flapping in the internal alertmanager.
* Alerting: Fix request handler failed to convert dataframe
'results' to plugins.DataTimeSeriesSlice: input frame is not
recognized as a time series.
* Dashboard: Fix UIDs are not preserved when importing/creating
dashboards thru importing .json file.
* Dashboard: Forces panel re-render when exiting panel edit.
* Dashboard: Prevent folder from changing when navigating to
general settings.
* Docker: Force use of libcrypto1.1 and libssl1.1 versions to
fix CVE-2021-3711.
* Elasticsearch: Fix metric names for alert queries.
* Elasticsearch: Limit Histogram field parameter to numeric
values.
* Elasticsearch: Prevent pipeline aggregations to show up in
terms order by options.
* LibraryPanels: Prevent duplicate repeated panels from being
created.
* Loki: Fix ad-hoc filter in dashboard when used with parser.
* Plugins: Track signed files + add warn log for plugin assets
which are not signed.
* Postgres/MySQL/MSSQL: Fix region annotations not displayed
correctly.
* Prometheus: Fix validate selector in metrics browser.
* Security: Fix stylesheet injection vulnerability.
* Security: Fix short URL vulnerability.
- Update to version 8.1.2
* AzureMonitor: Add support for PostgreSQL and MySQL Flexible
Servers.
* Datasource: Change HTTP status code for failed datasource
health check to 400.
* Explore: Add span duration to left panel in trace viewer.
* Plugins: Use file extension allowlist when serving plugin
assets instead of checking for UNIX executable.
* Profiling: Add support for binding pprof server to custom
network interfaces.
* Search: Make search icon keyboard navigable.
* Template variables: Keyboard navigation improvements.
* Tooltip: Display ms within minute time range.
* Alerting: Fix saving LINE contact point.
* Annotations: Fix alerting annotation coloring.
* Annotations: Alert annotations are now visible in the correct
Panel.
* Auth: Hide SigV4 config UI and disable middleware when its
config flag is disabled.
* Dashboard: Prevent incorrect panel layout by comparing window
width against theme breakpoints.
* Explore: Fix showing of full log context.
* PanelEdit: Fix 'Actual' size by passing the correct panel
size to Dashboard.
* Plugins: Fix TLS datasource settings.
* Variables: Fix issue with empty drop downs on navigation.
* Variables: Fix URL util converting false into true.
* Toolkit: Fix matchMedia not found error.
- Update to version 8.1.1
* CloudWatch Logs: Fix crash when no region is selected.
- Update to version 8.1.0
* Alerting: Deduplicate receivers during migration.
* ColorPicker: Display colors as RGBA.
* Select: Make portalling the menu opt-in, but opt-in
everywhere.
* TimeRangePicker: Improve accessibility.
* Annotations: Correct annotations that are displayed upon page
refresh.
* Annotations: Fix Enabled button that disappeared from Grafana
v8.0.6.
* Annotations: Fix data source template variable that was not
available for annotations.
* AzureMonitor: Fix annotations query editor that does not
load.
* Geomap: Fix scale calculations.
* GraphNG: Fix y-axis autosizing.
* Live: Display stream rate and fix duplicate channels in list
* Loki: Update labels in log browser when time range changes in
dashboard.
* NGAlert: Send resolve signal to alertmanager on alerting ->
Normal.
* PasswordField: Prevent a password from being displayed when
you click the Enter button.
* Renderer: Remove debug.log file when Grafana is stopped.
* Security: Update dependencies to fix CVE-2021-36222.
- Update to version 8.1.0-beta3
* Alerting: Support label matcher syntax in alert rule list
filter.
* IconButton: Put tooltip text as aria-label.
* Live: Experimental HA with Redis.
* UI: FileDropzone component.
* CloudWatch: Add AWS LookoutMetrics.
* Docker: Fix builds by delaying go mod verify until all
required files are copied over.
* Exemplars: Fix disable exemplars only on the query that
failed.
* SQL: Fix SQL dataframe resampling (fill mode + time
intervals).
- Update to version 8.1.0-beta2
* Alerting: Expand the value string in alert annotations and
* Auth: Add Azure HTTP authentication middleware.
* Auth: Auth: Pass user role when using the authentication
proxy.
* Gazetteer: Update countries.json file to allow for linking to
3-letter country codes.
* Config: Fix Docker builds by correcting formatting in
sample.ini.
* Explore: Fix encoding of internal URLs.
- Update to version 8.1.0-beta1
* Alerting: Add Alertmanager notifications tab.
* Alerting: Add button to deactivate current Alertmanager
* Alerting: Add toggle in Loki/Prometheus data source
configuration to opt out of alerting UI.
* Alerting: Allow any 'evaluate for' value >=0 in the alert
rule form.
* Alerting: Load default configuration from status endpoint, if
Cortex Alertmanager returns empty user configuration.
* Alerting: view to display alert rule and its underlying data.
* Annotation panel: Release the annotation panel.
* Annotations: Add typeahead support for tags in built-in
annotations.
* AzureMonitor: Add curated dashboards for Azure services.
* AzureMonitor: Add support for deep links to Microsoft Azure
portal for Metrics.
* AzureMonitor: Remove support for different credentials for
Azure Monitor Logs.
* AzureMonitor: Support querying any Resource for Logs queries.
* Elasticsearch: Add frozen indices search support.
* Elasticsearch: Name fields after template variables values
instead of their name.
* Elasticsearch: add rate aggregation.
* Email: Allow configuration of content types for email
notifications.
* Explore: Add more meta information when line limit is hit.
* Explore: UI improvements to trace view.
* FieldOverrides: Added support to change display name in an
override field and have it be matched by a later rule.
* HTTP Client: Introduce dataproxy_max_idle_connections config
variable.
* InfluxDB: InfluxQL: adds tags to timeseries data.
* InfluxDB: InfluxQL: make measurement search case insensitive.
Legacy Alerting: Replace simplejson with a struct in webhook
notification channel.
* Legend: Updates display name for Last (not null) to just
Last*.
* Logs panel: Add option to show common labels.
* Loki: Add $__range variable.
* Loki: Add support for 'label_values(log stream selector,
label)' in templating.
* Loki: Add support for ad-hoc filtering in dashboard.
* MySQL Datasource: Add timezone parameter.
* NodeGraph: Show gradient fields in legend.
* PanelOptions: Don't mutate panel options/field config object
when updating.
* PieChart: Make pie gradient more subtle to match other
charts.
* Prometheus: Update PromQL typeahead and highlighting.
* Prometheus: interpolate variable for step field.
* Provisioning: Improve validation by validating across all
dashboard providers.
* SQL Datasources: Allow multiple string/labels columns with
time series.
* Select: Portal select menu to document.body.
* Team Sync: Add group mapping to support team sync in the
Generic OAuth provider.
* Tooltip: Make active series more noticeable.
* Tracing: Add support to configure trace to logs start and end
time.
* Transformations: Skip merge when there is only a single data
frame.
* ValueMapping: Added support for mapping text to color,
boolean values, NaN and Null. Improved UI for value mapping.
* Visualizations: Dynamically set any config (min, max, unit,
color, thresholds) from query results.
* live: Add support to handle origin without a value for the
port when matching with root_url.
* Alerting: Handle marshaling Inf values.
* AzureMonitor: Fix macro resolution for template variables.
* AzureMonitor: Fix queries with Microsoft.NetApp/../../volumes
resources.
* AzureMonitor: Request and concat subsequent resource pages.
* Bug: Fix parse duration for day.
* Datasources: Improve error handling for error messages.
* Explore: Correct the functionality of shift-enter shortcut
across all uses.
* Explore: Show all dataFrames in data tab in Inspector.
* GraphNG: Fix Tooltip mode 'All' for XYChart.
* Loki: Fix highlight of logs when using filter expressions
with backticks.
* Modal: Force modal content to overflow with scroll.
* Plugins: Ignore symlinked folders when verifying plugin
signature.
* Toolkit: Improve error messages when tasks fail.
- Update to version 8.0.7
- Update to version 8.0.6
* Alerting: Add annotation upon alert state change.
* Alerting: Allow space in label and annotation names.
* InfluxDB: Improve legend labels for InfluxDB query results.
* Alerting: Fix improper alert by changing the handling of
empty labels.
* CloudWatch/Logs: Reestablish Cloud Watch alert behavior.
* Dashboard: Avoid migration breaking on fieldConfig without
defaults field in folded panel.
* DashboardList: Fix issue not re-fetching dashboard list after
variable change.
* Database: Fix incorrect format of isolation level
configuration parameter for MySQL.
* InfluxDB: Correct tag filtering on InfluxDB data.
* Links: Fix links that caused a full page reload.
* Live: Fix HTTP error when InfluxDB metrics have an incomplete
or asymmetrical field set.
* Postgres/MySQL/MSSQL: Change time field to 'Time' for time
series queries.
* Postgres: Fix the handling of a null return value in query
* Tempo: Show hex strings instead of uints for IDs.
* TimeSeries: Improve tooltip positioning when tooltip
overflows.
* Transformations: Add 'prepare time series' transformer.
- Update to version 8.0.5
* Cloudwatch Logs: Send error down to client.
* Folders: Return 409 Conflict status when folder already
exists.
* TimeSeries: Do not show series in tooltip if it's hidden in
the viz.
* AzureMonitor: Fix issue where resource group name is missing
on the resource picker button.
* Chore: Fix AWS auth assuming role with workspace IAM.
* DashboardQueryRunner: Fixes unrestrained subscriptions being
* DateFormats: Fix reading correct setting key for
use_browser_locale.
* Links: Fix links to other apps outside Grafana when under sub
path.
* Snapshots: Fix snapshot absolute time range issue.
* Table: Fix data link color.
* Time Series: Fix X-axis time format when tick increment is
larger than a year.
* Tooltip Plugin: Prevent tooltip render if field is undefined.
- Update to version 8.0.4
* Live: Rely on app url for origin check.
* PieChart: Sort legend descending, update placeholder.
* TimeSeries panel: Do not reinitialize plot when thresholds
mode change.
* Elasticsearch: Allow case sensitive custom options in
date_histogram interval.
* Elasticsearch: Restore previous field naming strategy when
using variables.
* Explore: Fix import of queries between SQL data sources.
* InfluxDB: InfluxQL query editor: fix retention policy
handling.
* Loki: Send correct time range in template variable queries.
* TimeSeries: Preserve RegExp series overrides when migrating
from old graph panel.
- Update to version 8.0.3
* Alerting: Increase alertmanager_conf column if MySQL.
* Time series/Bar chart panel: Handle infinite numbers as nulls
when converting to plot array.
* TimeSeries: Ensure series overrides that contain color are
migrated, and migrate the previous fieldConfig when changing
the panel type.
* ValueMappings: Improve singlestat value mappings migration.
* Annotations: Fix annotation line and marker colors.
* AzureMonitor: Fix KQL template variable queries without
default workspace.
* CloudWatch/Logs: Fix missing response data for log queries.
* LibraryPanels: Fix crash in library panels list when panel
plugin is not found.
* LogsPanel: Fix performance drop when moving logs panel in
* Loki: Parse log levels when ANSI coloring is enabled.
* MSSQL: Fix issue with hidden queries still being executed.
* PanelEdit: Display the VisualizationPicker that was not
displayed if a panel has an unknown panel plugin.
* Plugins: Fix loading symbolically linked plugins.
* Prometheus: Fix issue where legend name was replaced with
name Value in stat and gauge panels.
* State Timeline: Fix crash when hovering over panel.
- Update to version 8.0.2
* Datasource: Add support for max_conns_per_host in dataproxy
settings.
* Configuration: Fix changing org preferences in FireFox.
* PieChart: Fix legend dimension limits.
* Postgres/MySQL/MSSQL: Fix panic in concurrent map writes.
* Variables: Hide default data source if missing from regex.
- Update to version 8.0.1
* Alerting/SSE: Fix 'count_non_null' reducer validation.
* Cloudwatch: Fix duplicated time series.
* Cloudwatch: Fix missing defaultRegion.
* Dashboard: Fix Dashboard init failed error on dashboards with
old singlestat panels in collapsed rows.
* Datasource: Fix storing timeout option as numeric.
* Postgres/MySQL/MSSQL: Fix annotation parsing for empty
* Postgres/MySQL/MSSQL: Numeric/non-string values are now
returned from query variables.
* Postgres: Fix an error that was thrown when the annotation
query did not return any results.
* StatPanel: Fix an issue with the appearance of the graph when
switching color mode.
* Visualizations: Fix an issue in the
Stat/BarGauge/Gauge/PieChart panels where all values mode
were showing the same name if they had the same value.
* Toolkit: Resolve external fonts when Grafana is served from a
sub path.
- Update to version 8.0.0
* The following endpoints were deprecated for Grafana v5.0 and
support for them has now been removed:
GET /dashboards/db/:slug
GET /dashboard-solo/db/:slug
GET /api/dashboard/db/:slug
DELETE /api/dashboards/db/:slug
* AzureMonitor: Require default subscription for workspaces()
template variable query.
* AzureMonitor: Use resource type display names in the UI.
* Dashboard: Remove support for loading and deleting dashboard
by slug.
* InfluxDB: Deprecate direct browser access in data source.
* VizLegend: Add a read-only property.
* AzureMonitor: Fix Azure Resource Graph queries in Azure
China.
* Checkbox: Fix vertical layout issue with checkboxes due to
fixed height.
* Dashboard: Fix Table view when editing causes the panel data
to not update.
* Dashboard: Fix issues where unsaved-changes warning is not
displayed.
* Login: Fixes Unauthorized message showing when on login page
or snapshot page.
* NodeGraph: Fix sorting markers in grid view.
* Short URL: Include orgId in generated short URLs.
* Variables: Support raw values of boolean type.
- Update to version 8.0.0-beta3
* The default HTTP method for Prometheus data source is now
POST.
* API: Support folder UID in dashboards API.
* Alerting: Add support for configuring avatar URL for the
Discord notifier.
* Alerting: Clarify that Threema Gateway Alerts support only
Basic IDs.
* Azure: Expose Azure settings to external plugins.
* AzureMonitor: Deprecate using separate credentials for Azure
Monitor Logs.
* AzureMonitor: Display variables in resource picker for Azure
* AzureMonitor: Hide application insights for data sources not
using it.
* AzureMonitor: Support querying subscriptions and resource
groups in Azure Monitor Logs.
* AzureMonitor: remove requirement for default subscription.
* CloudWatch: Add Lambda@Edge Amazon CloudFront metrics.
* CloudWatch: Add missing AWS AppSync metrics.
* ConfirmModal: Auto focus delete button.
* Explore: Add caching for queries that are run from logs
* Loki: Add formatting for annotations.
* Loki: Bring back processed bytes as meta information.
* NodeGraph: Display node graph collapsed by default with trace
view.
* Overrides: Include a manual override option to hide something
from visualization.
* PieChart: Support row data in pie charts.
* Prometheus: Update default HTTP method to POST for existing
data sources.
* Time series panel: Position tooltip correctly when window is
scrolled or resized.
* Admin: Fix infinite loading edit on the profile page.
* Color: Fix issues with random colors in string and date
* Dashboard: Fix issue with title or folder change has no
effect after exiting settings view.
* DataLinks: Fix an issue __series.name is not working in data
link.
* Datasource: Fix dataproxy timeout should always be applied
for outgoing data source HTTP requests.
* Elasticsearch: Fix NewClient not passing httpClientProvider
to client impl.
* Explore: Fix Browser title not updated on Navigation to
Explore.
* GraphNG: Remove fieldName and hideInLegend properties from
UPlotSeriesBuilder.
* OAuth: Fix fallback to auto_assign_org_role setting for Azure
AD OAuth when no role claims exists.
* PanelChrome: Fix issue with empty panel after adding a non
data panel and coming back from panel edit.
* StatPanel: Fix data link tooltip not showing for single
value.
* Table: Fix sorting for number fields.
* Table: Have text underline for datalink, and add support for
image datalink.
* Transformations: Prevent FilterByValue transform from
crashing panel edit.
- Update to version 8.0.0-beta2
* AppPlugins: Expose react-router to apps.
* AzureMonitor: Add Azure Resource Graph.
* AzureMonitor: Managed Identity configuration UI.
* AzureMonitor: Token provider with support for Managed
Identities.
* AzureMonitor: Update Logs workspace() template variable query
to return resource URIs.
* BarChart: Value label sizing.
* CloudMonitoring: Add support for preprocessing.
* CloudWatch: Add AWS/EFS StorageBytes metric.
* CloudWatch: Allow use of missing AWS namespaces using custom
* Datasource: Shared HTTP client provider for core backend data
sources and any data source using the data source proxy.
* InfluxDB: InfluxQL: allow empty tag values in the query
editor.
* Instrumentation: Instrument incoming HTTP request with
histograms by default.
* Library Panels: Add name endpoint & unique name validation to
AddLibraryPanelModal.
* Logs panel: Support details view.
* PieChart: Always show the calculation options dropdown in the
* PieChart: Remove beta flag.
* Plugins: Enforce signing for all plugins.
* Plugins: Remove support for deprecated backend plugin
protocol version.
* Tempo/Jaeger: Add better display name to legend.
* Timeline: Add time range zoom.
* Timeline: Adds opacity & line width option.
* Timeline: Value text alignment option.
* ValueMappings: Add duplicate action, and disable dismiss on
backdrop click.
* Zipkin: Add node graph view to trace response.
* Annotations panel: Remove subpath from dashboard links.
* Content Security Policy: Allow all image sources by default.
* Content Security Policy: Relax default template wrt. loading
of scripts, due to nonces not working.
* Datasource: Fix tracing propagation for alert execution by
introducing HTTP client outgoing tracing middleware.
* InfluxDB: InfluxQL always apply time interval end.
* Library Panels: Fixes 'error while loading library panels'.
* NewsPanel: Fixes rendering issue in Safari.
* PanelChrome: Fix queries being issued again when scrolling in
and out of view.
* Plugins: Fix Azure token provider cache panic and auth param
nil value.
* Snapshots: Fix key and deleteKey being ignored when creating
an external snapshot.
* Table: Fix issue with cell border not showing with colored
background cells.
* Table: Makes tooltip scrollable for long JSON values.
* TimeSeries: Fix for Connected null values threshold toggle
during panel editing.
* Variables: Fixes inconsistent selected states on dashboard
* Variables: Refreshes all panels even if panel is full screen.
* QueryField: Remove carriage return character from pasted text.
- Update to version 8.0.0-beta1
+ License update:
* AGPL License: Update license from Apache 2.0 to the GNU
Affero General Public License (AGPL).
* Removes the never refresh option for Query variables.
* Removes the experimental Tags feature for Variables.
+ Deprecations:
* The InfoBox & FeatureInfoBox are now deprecated please use
the Alert component instead with severity info.
* API: Add org users with pagination.
* API: Return 404 when deleting nonexistent API key.
* API: Return query results as JSON rather than base64 encoded
Arrow.
* Alerting: Allow sending notification tags to Opsgenie as
extra properties.
* Alerts: Replaces all uses of InfoBox & FeatureInfoBox with
Alert.
* Auth: Add support for JWT Authentication.
* AzureMonitor: Add support for
Microsoft.SignalRService/SignalR metrics.
* AzureMonitor: Azure settings in Grafana server config.
* AzureMonitor: Migrate Metrics query editor to React.
* BarChart panel: enable series toggling via legend.
* BarChart panel: Adds support for Tooltip in BarChartPanel.
* PieChart panel: Change look of highlighted pie slices.
* CloudMonitoring: Migrate config editor from angular to react.
* CloudWatch: Add Amplify Console metrics and dimensions.
* CloudWatch: Add missing Redshift metrics to CloudWatch data
* CloudWatch: Add metrics for managed RabbitMQ service.
* DashboardList: Enable templating on search tag input.
* Datasource config: correctly remove single custom http
header.
* Elasticsearch: Add generic support for template variables.
* Elasticsearch: Allow omitting field when metric supports
inline script.
* Elasticsearch: Allow setting a custom limit for log queries.
* Elasticsearch: Guess field type from first non-empty value.
* Elasticsearch: Use application/x-ndjson content type for
multisearch requests.
* Elasticsearch: Use semver strings to identify ES version.
* Explore: Add logs navigation to request more logs.
* Explore: Map Graphite queries to Loki.
* Explore: Scroll split panes in Explore independently.
* Explore: Wrap each panel in separate error boundary.
* FieldDisplay: Smarter naming of stat values when visualising
row values (all values) in stat panels.
* Graphite: Expand metric names for variables.
* Graphite: Handle unknown Graphite functions without breaking
the visual editor.
* Graphite: Show graphite functions descriptions.
* Graphite: Support request cancellation properly (Uses new
backendSrv.fetch Observable request API).
* InfluxDB: Flux: Improve handling of complex
response-structures.
* InfluxDB: Support region annotations.
* Inspector: Download logs for manual processing.
* Jaeger: Add node graph view for trace.
* Jaeger: Search traces.
* Loki: Use data source settings for alerting queries.
* NodeGraph: Exploration mode.
* OAuth: Add support for empty scopes.
* PanelChrome: New logic-less emotion based component with no
dependency on PanelModel or DashboardModel.
* PanelEdit: Adds a table view toggle to quickly view data in
table form.
* PanelEdit: Highlight matched words when searching options.
* PanelEdit: UX improvements.
* Plugins: PanelRenderer and simplified QueryRunner to be used
from plugins.
* Plugins: AuthType in route configuration and params
interpolation.
* Plugins: Enable plugin runtime install/uninstall
capabilities.
* Plugins: Support set body content in plugin routes.
* Plugins: Introduce marketplace app.
* Plugins: Moving the DataSourcePicker to grafana/runtime so it
can be reused in plugins.
* Prometheus: Add custom query params for alert and exemplars
* Prometheus: Use fuzzy string matching to autocomplete metric
names and label.
* Routing: Replace Angular routing with react-router.
* Slack: Use chat.postMessage API by default.
* Tempo: Search for Traces by querying Loki directly from
Tempo.
* Tempo: Show graph view of the trace.
* Themes: Switch theme without reload using global shortcut.
* TimeSeries panel: Add support for shared cursor.
* TimeSeries panel: Do not crash the panel if there is no time
series data in the response.
* Variables: Do not save repeated panels, rows and scopedVars.
* Variables: Removes experimental Tags feature.
* Variables: Removes the never refresh option.
* Visualizations: Unify tooltip options across visualizations.
* Visualizations: Refactor and unify option creation between
new visualizations.
* Visualizations: Remove singlestat panel.
* APIKeys: Fixes issue with adding first api key.
* Alerting: Add checks for non supported units - disable
defaulting to seconds.
* Alerting: Fix issue where Slack notifications won't link to
user IDs.
* Alerting: Omit empty message in PagerDuty notifier.
* AzureMonitor: Fix migration error from older versions of App
Insights queries.
* CloudWatch: Fix AWS/Connect dimensions.
* CloudWatch: Fix broken AWS/MediaTailor dimension name.
* Dashboards: Allow string manipulation as advanced variable
format option.
* DataLinks: Includes harmless extended characters like
Cyrillic characters.
* Drawer: Fixes title overflowing its container.
* Explore: Fix issue when some query errors were not shown.
* Generic OAuth: Prevent adding duplicated users.
* Graphite: Handle invalid annotations.
* Graphite: Fix autocomplete when tags are not available.
* InfluxDB: Fix Cannot read property 'length' of undefined in
when parsing response.
* Instrumentation: Enable tracing when Jaeger host and port are
* Instrumentation: Prefix metrics with grafana.
* MSSQL: By default let driver choose port.
* OAuth: Add optional strict parsing of role_attribute_path.
* Panel: Fixes description markdown with inline code being
rendered on newlines and full width.
* PanelChrome: Ignore data updates & errors for non data
panels.
* Permissions: Fix inherited folder permissions can prevent new
permissions being added to a dashboard.
* Plugins: Remove pre-existing plugin installs when installing
with grafana-cli.
* Plugins: Support installing to folders with whitespace and
fix pluginUrl trailing and leading whitespace failures.
* Postgres/MySQL/MSSQL: Don't return connection failure details
to the client.
* Postgres: Fix ms precision of interval in time group macro
when TimescaleDB is enabled.
* Provisioning: Use dashboard checksum field as change
indicator.
* SQL: Fix so that all captured errors are returned from sql
engine.
* Shortcuts: Fixes panel shortcuts so they always work.
* Table: Fixes so border is visible for cells with links.
* Variables: Clear query when data source type changes.
* Variables: Filters out builtin variables from unknown list.
* Button: Introduce buttonStyle prop.
* DataQueryRequest: Remove deprecated props showingGraph and
showingTabel and exploreMode.
* grafana/ui: Update React Hook Form to v7.
* IconButton: Introduce variant for red and blue icon buttons.
* Plugins: Expose the getTimeZone function to be able to get
the current selected timeZone.
* TagsInput: Add className to TagsInput.
* VizLegend: Move onSeriesColorChanged to PanelContext
(breaking change).
- Update to version 7.5.13
* Alerting: Fix NoDataFound for alert rules using AND operator.
mgr-cfg:
- Version 4.3.6-1
* Corrected source URL in spec file
* Fix installation problem for SLE15SP4 due missing python-selinux
* Fix python selinux package name depending on build target (bsc#1193600)
* Do not build python 2 package for SLE15SP4 and higher
* Remove unused legacy code
mgr-custom-info:
- Version 4.3.3-1
* Remove unused legacy code
mgr-daemon:
- Version 4.3.4-1
* Corrected source URLs in spec file
* Update translation strings
mgr-osad:
- Version 4.3.6-1
* Corrected source URL in spec file.
* Do not build python 2 package for SLE15SP4 and higher
* Removed spacewalk-selinux dependencies.
* Updated source url.
mgr-push:
- Version 4.3.4-1
* Corrected source URLs in spec file
mgr-virtualization:
- Version 4.3.5-1
* Corrected source URLs in spec file.
* Do not build python 2 package for SLE15SP4 and higher
prometheus-blackbox_exporter:
- Enhanced to build on Enterprise Linux 8
prometheus-postgres_exporter:
- Updated for RHEL8.
python-hwdata:
- Require python macros for building
rhnlib:
- Version 4.3.4-1
* Reorganize python files
spacecmd:
- Version 4.3.11-1
* on full system update call schedulePackageUpdate API (bsc#1197507)
* parse boolean paramaters correctly (bsc#1197689)
* Add parameter to set containerized proxy SSH port
* Add proxy config generation subcommand
* Option 'org_createfirst' added to perform initial organization and user creation
* Added gettext build requirement for RHEL.
* Removed RHEL 5 references.
* Include group formulas configuration in spacecmd group_backup and
spacecmd group_restore. This changes backup format to json,
previously used plain text is still supported for reading (bsc#1190462)
* Update translation strings
* Improved event history listing and added new system_eventdetails
command to retrieve the details of an event
* Make schedule_deletearchived to get all actions without display limit
* Allow passing a date limit for schedule_deletearchived on spacecmd (bsc#1181223)
spacewalk-client-tools:
- Version 4.3.9-1
* Corrected source URLs in spec file.
* do not build python 2 package for SLE15
* Remove unused legacy code
* Update translation strings
spacewalk-koan:
- Version 4.3.5-1
* Corrected source URLs in spec file.
spacewalk-oscap:
- Version 4.3.5-1
* Corrected source URLs in spec file.
* Do not build python 2 package for SLE15SP4 and higher
spacewalk-remote-utils:
- Version 4.3.3-1
* Adapt the package for changes in rhnlib
supportutils-plugin-susemanager-client:
- Version 4.3.2-1
* Add proxy containers config and logs
suseRegisterInfo:
- Version 4.3.3-1
* Bump version to 4.3.0
supportutils-plugin-salt:
- Add support for Salt Bundle
uyuni-common-libs:
- Version 4.3.4-1
* implement more decompression algorithms for reposync (bsc#1196704)
* Reorganize python files
* Add decompression of zck files to fileutils
ImportantSUSE bug 1181223SUSE bug 1181400SUSE bug 1190462SUSE bug 1190535SUSE bug 1193600SUSE bug 1194873SUSE bug 1195726SUSE bug 1195727SUSE bug 1195728SUSE bug 1196338SUSE bug 1196704SUSE bug 1197507SUSE bug 1197689CVE-2021-36222 at SUSECVE-2021-36222 at NVDCVE-2021-3711 at SUSECVE-2021-3711 at NVDCVE-2021-39226 at SUSECVE-2021-39226 at NVDCVE-2021-41174 at SUSECVE-2021-41174 at NVDCVE-2021-41244 at SUSECVE-2021-41244 at NVDCVE-2021-43798 at SUSECVE-2021-43798 at NVDCVE-2021-43813 at SUSECVE-2021-43813 at NVDCVE-2021-43815 at SUSECVE-2021-43815 at NVDCVE-2022-21673 at SUSECVE-2022-21673 at NVDCVE-2022-21698 at SUSECVE-2022-21698 at NVDCVE-2022-21702 at SUSECVE-2022-21702 at NVDCVE-2022-21703 at SUSECVE-2022-21703 at NVDCVE-2022-21713 at SUSECVE-2022-21713 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for fwupdate (Important)SUSE OpenStack Cloud 8
This update of fwupdate fixes the following issue:
- rebuild with new secure boot key due to grub2 boothole 3 issues (bsc#1198581)
ImportantSUSE bug 1198581cpe:/o:suse:suse-openstack-cloud:8Security update for python3 (Important)SUSE OpenStack Cloud 8
This update for python3 fixes the following issues:
- CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511).
ImportantSUSE bug 1070738SUSE bug 1198511SUSE bug 1199441CVE-2015-20107 at SUSECVE-2015-20107 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openssl (Moderate)SUSE OpenStack Cloud 8
This update for openssl fixes the following issues:
- CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)
ModerateSUSE bug 1200550CVE-2022-2068 at SUSECVE-2022-2068 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for oracleasm (Important)SUSE OpenStack Cloud 8
This update of oracleasm fixes the following issue:
- rebuild with new secure boot key due to grub2 boothole 3 issues (bsc#1198581)
ImportantSUSE bug 1198581cpe:/o:suse:suse-openstack-cloud:8Security update for python (Important)SUSE OpenStack Cloud 8
This update for python fixes the following issues:
- CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511).
ImportantSUSE bug 1198511CVE-2015-20107 at SUSECVE-2015-20107 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for sysstat (Moderate)SUSE OpenStack Cloud 8
This update for sysstat fixes the following issues:
Security issue fixed:
- CVE-2019-19725: Fixed double free in check_file_actlst in sa_common.c (bsc#1159104).
Bug fixes:
- Enable log information of starting/stoping services. (bsc#1144923, jsc#SLE-5958)
ModerateSUSE bug 1144923SUSE bug 1159104CVE-2019-19725 at SUSECVE-2019-19725 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for dpdk (Important)SUSE OpenStack Cloud 8
This update of dpdk fixes the following issue:
- rebuild with new secure boot key due to grub2 boothole 3 issues (bsc#1198581)
ImportantSUSE bug 1198581cpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
Update to Firefox Extended Support Release 91.11.0 ESR (MFSA 2022-25) (bsc#1200793):
- CVE-2022-2200: Undesired attributes could be set as part of prototype pollution (bmo#1771381)
- CVE-2022-31744: CSP bypass enabling stylesheet injection (bmo#1757604)
- CVE-2022-34468: CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI (bmo#1768537)
- CVE-2022-34470: Use-after-free in nsSHistory (bmo#1765951)
- CVE-2022-34472: Unavailable PAC file resulted in OCSP requests being blocked (bmo#1770123)
- CVE-2022-34478: Microsoft protocols can be attacked if a user accepts a prompt (bmo#1773717)
- CVE-2022-34479: A popup window could be resized in a way to overlay the address bar with web content (bmo#1745595)
- CVE-2022-34481: Potential integer overflow in ReplaceElementsAt (bmo#1497246)
- CVE-2022-34484: Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11 (bmo#1763634, bmo#1772651)
ImportantSUSE bug 1200793CVE-2022-2200 at SUSECVE-2022-2200 at NVDCVE-2022-31744 at SUSECVE-2022-31744 at NVDCVE-2022-34468 at SUSECVE-2022-34468 at NVDCVE-2022-34470 at SUSECVE-2022-34470 at NVDCVE-2022-34472 at SUSECVE-2022-34472 at NVDCVE-2022-34478 at SUSECVE-2022-34478 at NVDCVE-2022-34479 at SUSECVE-2022-34479 at NVDCVE-2022-34481 at SUSECVE-2022-34481 at NVDCVE-2022-34484 at SUSECVE-2022-34484 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for rsyslog (Important)SUSE OpenStack Cloud 8
This update for rsyslog fixes the following issues:
- CVE-2022-24903: fix potential heap buffer overflow in modules for TCP syslog reception (bsc#1199061)
ImportantSUSE bug 1199061CVE-2022-24903 at SUSECVE-2022-24903 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for pcre (Important)SUSE OpenStack Cloud 8
This update for pcre fixes the following issues:
- CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)
ImportantSUSE bug 1199232CVE-2022-1586 at SUSECVE-2022-1586 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for git (Important)SUSE OpenStack Cloud 8
This update for git fixes the following issues:
- CVE-2022-29187: Incomplete fix for CVE-2022-24765: potential command injection via git worktree (bsc#1201431).
- Allow to opt-out from the check added in the security fix for CVE-2022-24765 (bsc#1200119)
ImportantSUSE bug 1200119SUSE bug 1201431CVE-2022-29187 at SUSECVE-2022-29187 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for samba (Critical)SUSE OpenStack Cloud 8
This update for samba fixes the following issues:
- CVE-2021-44142: Fixed out-of-Bound Read/Write on Samba vfs_fruit module. (bsc#1194859)
CriticalSUSE bug 1194859CVE-2021-44142 at SUSECVE-2021-44142 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-Twisted (Important)SUSE OpenStack Cloud 8
This update for python-Twisted fixes the following issues:
- CVE-2020-10108: Fixed an HTTP request smuggling issue (bsc#1166457).
- CVE-2020-10109: Fixed an HTTP request smuggling issue (bsc#1166458).
ImportantSUSE bug 1166457SUSE bug 1166458CVE-2020-10108 at SUSECVE-2020-10108 at NVDCVE-2020-10109 at SUSECVE-2020-10109 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-Django (Important)SUSE OpenStack Cloud 8
This update for python-Django fixes the following issues:
- CVE-2022-22818: Fixed possible XSS via {% debug %} template tag (bsc#1195086)
- CVE-2022-23833: Fixed denial-of-service possibility in file uploads. (bsc#1195088)
A regression in the fix for CVE-2021-45452 was fixed (bsc#1194116)
ImportantSUSE bug 1194116SUSE bug 1195086SUSE bug 1195088CVE-2021-45452 at SUSECVE-2021-45452 at NVDCVE-2022-22818 at SUSECVE-2022-22818 at NVDCVE-2022-23833 at SUSECVE-2022-23833 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-Babel (Important)SUSE OpenStack Cloud 8
This update for python-Babel fixes the following issues:
- CVE-2021-42771: Fixed relative path traversal leading to loading arbitrary
locale files on disk and executing arbitrary code (bsc#1185768).
ImportantSUSE bug 1185768CVE-2021-42771 at SUSECVE-2021-42771 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for net-snmp (Important)SUSE OpenStack Cloud 8
This update for net-snmp fixes the following issues:
- CVE-2020-15862: Make extended MIB read-only (bsc#1174961)
ImportantSUSE bug 1100146SUSE bug 1145864SUSE bug 1152968SUSE bug 1174961SUSE bug 1178021SUSE bug 1178351SUSE bug 1179009SUSE bug 1179699SUSE bug 1184839CVE-2020-15862 at SUSECVE-2020-15862 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for keepalived (Important)SUSE OpenStack Cloud 8
This update for keepalived fixes the following issues:
- CVE-2021-44225: Fix a potential privilege escalation due to
insufficient control in the D-Bus policy (bsc#1193115).
ImportantSUSE bug 1193115CVE-2021-44225 at SUSECVE-2021-44225 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-rsa (Important)SUSE OpenStack Cloud 8
This update for python-rsa fixes the following issues:
- CVE-2020-13757: Fixed an issue where leading null bytes in a
ciphertext would be ignored during decryption, leading to a
potential information leak (bsc#1172389).
ImportantSUSE bug 1172389CVE-2020-13757 at SUSECVE-2020-13757 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ardana-ansible, ardana-cobbler, grafana, openstack-heat-templates, openstack-murano, python-Django, rabbitmq-server, rubygem-puma (Moderate)SUSE OpenStack Cloud 8
This update for ardana-ansible, ardana-cobbler, grafana, openstack-heat-templates, openstack-murano, python-Django, rabbitmq-server, rubygem-puma fixes the following issues:
Security updates included on this update:
ardana-ansible, ardana-cobbler, grafana, openstack-heat-templates, openstack-murano, rabbitmq-server:
- CVE-2020-1734: Fixed vulnerability where shell was enabled by default in a pipe lookup plugin subprocess. (SOC-11662, bnc#1164139)
- CVE-2021-44716: Fixed uncontrolled memory consumption in go's net/http. (bsc#1193597)
- CVE-2019-11287: Fixed DoS via 'X-Reason' HTTP Header in malicious Erlang format string. (bsc#1157665)
grafana:
- CVE-2021-39226: Fixed snapshot authentication bypass (bsc#1191454).
- CVE-2021-44716: Fixed uncontrolled memory consumption in go's net/http (bsc#1193597).
python-Django:
- CVE-2022-28346: Fixed vulnerability that could lead to SQL injection in QuerySet.annotate(),aggregate() and extra(). (bsc#1198398)
- CVE-2022-34265: Fixed vulnerability that could lead to SQL injection via Trunc(kind) and Extract(lookup_name) arguments. (bsc#1201186)
rubygem puma:
- CVE-2022-24790: Fixed HTTP request smuggling vulnerability. (bsc#1197818)
Additional information about the this update:
Changes in ardana-ansible:
- Update to version 8.0+git.1660773729.3789a6d:
* Mitigate CVE-2020-1734 (SOC-11662)
Changes in ardana-cobbler:
- Update to version 8.0+git.1660773402.d845a45:
* Mitigate CVE-2020-1734 (SOC-11662)
Changes in grafana:
- Add CVE-2021-39226 patch (bsc#1191454, CVE-2021-39226)
* snapshot authentication bypass
- Bump Go to 1.16 (bsc#1193597, CVE-2021-44716)
* Fix Go net/http: limit growth of header canonicalization cache.
Changes in openstack-heat-templates:
- Update to version 0.0.0+git.1654529662.75fa04a:
* doc: Comment out language option
Changes in openstack-murano:
- Update to version murano-4.0.2.dev3:
* [stable-only] Remove periodic-stable-jobs template
Changes in openstack-murano:
- Update to version murano-4.0.2.dev3:
* [stable-only] Remove periodic-stable-jobs template
Changes in rabbitmq-server:
- add explanation-format patch to fix CVE-2019-11287 (bsc#1157665)
Changes in python-Django:
- Rename Django-1.11.29.tar.gz.asc to Django-1.11.29.tar.gz.checksums.txt
to avoid source_validator incorrectly trying to use it as a detached
signature file for the sources tarball.
- Remove unnecessary project.diff file.
- Add CVE-2022-28346 patch (bsc#1198398, CVE-2022-28346)
* Potential SQL injection in QuerySet.annotate(),aggregate() and extra()
- Add CVE-2022-34265 patch (bsc#1201186, CVE-2022-34265)
* SQL injection via Trunc(kind) and Extract(lookup_name) arguments
Changes in rubygem-puma:
- Add CVE-2022-24790: Fixed HTTP request smuggling vulnerability (bsc#1197818).
ModerateSUSE bug 1157665SUSE bug 1191454SUSE bug 1193597SUSE bug 1197818SUSE bug 1198398SUSE bug 1201186CVE-2019-11287 at SUSECVE-2019-11287 at NVDCVE-2020-1734 at SUSECVE-2020-1734 at NVDCVE-2021-39226 at SUSECVE-2021-39226 at NVDCVE-2021-44716 at SUSECVE-2021-44716 at NVDCVE-2022-24790 at SUSECVE-2022-24790 at NVDCVE-2022-28346 at SUSECVE-2022-28346 at NVDCVE-2022-34265 at SUSECVE-2022-34265 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libsndfile (Important)SUSE OpenStack Cloud 8
This update for libsndfile fixes the following issues:
- CVE-2021-4156: Fixed heap buffer overflow in flac_buffer_copy that
could potentially lead to heap exploitation (bsc#1194006).
ImportantSUSE bug 1194006CVE-2021-4156 at SUSECVE-2021-4156 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for elasticsearch, elasticsearch-kit, kafka, kafka-kit, logstash, openstack-monasca-agent, openstack-monasca-log-metrics, openstack-monasca-log-persister, openstack-monasca-log-transformer, openstack-monasca-persister-java, openstack-monasca-persister-java-kit, openstack-monasca-thresh, openstack-monasca-thresh-kit, spark, spark-kit, venv-openstack-monasca, zookeeper, zookeeper-kit (Important)SUSE OpenStack Cloud 8
This update for elasticsearch, elasticsearch-kit, kafka, kafka-kit, logstash, openstack-monasca-agent, openstack-monasca-log-metrics, openstack-monasca-log-persister, openstack-monasca-log-transformer, openstack-monasca-persister-java, openstack-monasca-persister-java-kit, openstack-monasca-thresh, openstack-monasca-thresh-kit, spark, spark-kit, venv-openstack-monasca, zookeeper, zookeeper-kit fixes the following issues:
- CVE-2021-4104: Fixed remote code execution through JMS API via the ldap JNDI parser (bsc#1193662).
- CVE-2022-23302: Fixed remote code execution in Log4j 1.x when application is configured to use JMSSink (bsc#1194842).
- CVE-2022-23305: Fixed SQL injection in Log4j 1.x when application is configured to use JDBCAppender (bsc#1194843).
- CVE-2022-23307: Fixed deserialization flaw in the Chainsaw component of Log4j 1 that could lead to malicious code execution (bsc#1194844).
ImportantSUSE bug 1193662SUSE bug 1194842SUSE bug 1194843SUSE bug 1194844CVE-2021-4104 at SUSECVE-2021-4104 at NVDCVE-2022-23302 at SUSECVE-2022-23302 at NVDCVE-2022-23305 at SUSECVE-2022-23305 at NVDCVE-2022-23307 at SUSECVE-2022-23307 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for clamav (Important)SUSE OpenStack Cloud 8
This update for clamav fixes the following issues:
- CVE-2022-20698: Fixed invalid pointer read allowing denial of service crash. (bsc#1194731)
ImportantSUSE bug 1194731CVE-2022-20698 at SUSECVE-2022-20698 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for xen (Important)SUSE OpenStack Cloud 8
This update for xen fixes the following issues:
- CVE-2022-23034: Fixed possible DoS by a PV guest Xen while unmapping a grant. (XSA-394) (bsc#1194581)
- CVE-2022-23035: Fixed insufficient cleanup of passed-through device IRQs. (XSA-395) (bsc#1194588)
ImportantSUSE bug 1194581SUSE bug 1194588CVE-2022-23034 at SUSECVE-2022-23034 at NVDCVE-2022-23035 at SUSECVE-2022-23035 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud 8
The SUSE Linux Enterprise 12 SP3 LTSS kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2018-25020: Fixed an overflow in the BPF subsystem due to a mishandling of a long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions. This affects kernel/bpf/core.c and net/core/filter.c (bnc#1193575).
- CVE-2019-0136: Fixed insufficient access control in the Intel(R) PROSet/Wireless WiFi Software driver that may have allowed an unauthenticated user to potentially enable denial of service via adjacent access (bnc#1193157).
- CVE-2020-35519: Fixed out-of-bounds memory access in x25_bind in net/x25/af_x25.c. A bounds check failure allowed a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information (bnc#1183696).
- CVE-2021-0935: Fixed possible out of bounds write in ip6_xmit of ip6_output.c due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1192032).
- CVE-2021-28711: Fixed issue with xen/blkfront to harden blkfront against event channel storms (XSA-391) (bsc#1193440).
- CVE-2021-28712: Fixed issue with xen/netfront to harden netfront against event channel storms (XSA-391) (bsc#1193440).
- CVE-2021-28713: Fixed issue with xen/console to harden hvc_xen against event channel storms (XSA-391) (bsc#1193440).
- CVE-2021-28715: Fixed issue with xen/netback to do not queue unlimited number of packages (XSA-392) (bsc#1193442).
- CVE-2021-33098: Fixed improper input validation in the Intel(R) Ethernet ixgbe driver that may have allowed an authenticated user to potentially cause denial of service via local access (bnc#1192877).
- CVE-2021-3564: Fixed double-free memory corruption in the Linux kernel HCI device initialization subsystem that could have been used by attaching malicious HCI TTY Bluetooth devices. A local user could use this flaw to crash the system (bnc#1186207).
- CVE-2021-39648: Fixed possible disclosure of kernel heap memory due to a race condition in gadget_dev_desc_UDC_show of configfs.c. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation (bnc#1193861).
- CVE-2021-39657: Fixed out of bounds read due to a missing bounds check in ufshcd_eh_device_reset_handler of ufshcd.c. This could lead to local information disclosure with System execution privileges needed (bnc#1193864).
- CVE-2021-4002: Fixed incorrect TLBs flush in hugetlbfs after huge_pmd_unshare (bsc#1192946).
- CVE-2021-4083: Fixed a read-after-free memory flaw inside the garbage collection for Unix domain socket file handlers when users call close() and fget() simultaneouslyand can potentially trigger a race condition (bnc#1193727).
- CVE-2021-4149: Fixed btrfs unlock newly allocated extent buffer after error (bsc#1194001).
- CVE-2021-4155: Fixed XFS map issue when unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like fallocate (bsc#1194272).
- CVE-2021-4197: Use cgroup open-time credentials for process migraton perm checks (bsc#1194302).
- CVE-2021-4202: Fixed NFC race condition by adding NCI_UNREG flag (bsc#1194529).
- CVE-2021-43976: Fixed insufficient access control in drivers/net/wireless/marvell/mwifiex/usb.c that allowed an attacker who connect a crafted USB device to cause denial of service (bnc#1192847).
- CVE-2021-45095: Fixed refcount leak in pep_sock_accept in net/phonet/pep.c (bnc#1193867).
- CVE-2021-45485: Fixed information leak in the IPv6 implementation in net/ipv6/output_core.c (bnc#1194094).
- CVE-2021-45486: Fixed information leak inside the IPv4 implementation caused by very small hash table (bnc#1194087).
- CVE-2022-0330: Fixed flush TLBs before releasing backing store (bsc#1194880).
The following non-security bugs were fixed:
- fget: clarify and improve __fget_files() implementation (bsc#1193727).
- hv_netvsc: Fix the queue_mapping in netvsc_vf_xmit() (bsc#1193507).
- hv_netvsc: Set needed_headroom according to VF (bsc#1193507).
- kprobes: Limit max data_size of the kretprobe instances (bsc#1193669).
- memstick: rtsx_usb_ms: fix UAF
- moxart: fix potential use-after-free on remove path (bsc1194516).
- net/x25: fix a race in x25_bind() (networking-stable-19_03_15).
- net: mana: Add RX fencing (bsc#1193507).
- net: mana: Allow setting the number of queues while the NIC is down (bsc#1193507).
- net: mana: Fix spelling mistake 'calledd' -> 'called' (bsc#1193507).
- net: mana: Fix the netdev_err()'s vPort argument in mana_init_port() (bsc#1193507).
- net: mana: Improve the HWC error handling (bsc#1193507).
- net: mana: Support hibernation and kexec (bsc#1193507).
- net: mana: Use kcalloc() instead of kzalloc() (bsc#1193507).
- recordmcount.pl: fix typo in s390 mcount regex (bsc#1192267).
- recordmcount.pl: look for jgnop instruction as well as bcrl on s390 (bsc#1192267).
- ring-buffer: Protect ring_buffer_reset() from reentrancy (bsc#1179960).
- tty: hvc: replace BUG_ON() with negative return value (git-fixes).
- xen-netfront: do not assume sk_buff_head list is empty in error handling (git-fixes).
- xen-netfront: do not use ~0U as error return value for xennet_fill_frags() (git-fixes).
- xen/blkfront: do not take local copy of a request from the ring page (git-fixes).
- xen/blkfront: do not trust the backend response data blindly (git-fixes).
- xen/blkfront: read response from backend only once (git-fixes).
- xen/netfront: disentangle tx_skb_freelist (git-fixes).
- xen/netfront: do not bug in case of too many frags (bnc#1012382).
- xen/netfront: do not cache skb_shinfo() (bnc#1012382).
- xen/netfront: do not read data from request on the ring page (git-fixes).
- xen/netfront: do not trust the backend response data blindly (git-fixes).
- xen/netfront: read response from backend only once (git-fixes).
- xen: sync include/xen/interface/io/ring.h with Xen's newest version (git-fixes).
ImportantSUSE bug 1012382SUSE bug 1179960SUSE bug 1183696SUSE bug 1186207SUSE bug 1192032SUSE bug 1192267SUSE bug 1192847SUSE bug 1192877SUSE bug 1192946SUSE bug 1193157SUSE bug 1193440SUSE bug 1193442SUSE bug 1193507SUSE bug 1193575SUSE bug 1193669SUSE bug 1193727SUSE bug 1193861SUSE bug 1193864SUSE bug 1193867SUSE bug 1194001SUSE bug 1194087SUSE bug 1194094SUSE bug 1194272SUSE bug 1194302SUSE bug 1194516SUSE bug 1194529SUSE bug 1194880CVE-2018-25020 at SUSECVE-2018-25020 at NVDCVE-2019-0136 at SUSECVE-2019-0136 at NVDCVE-2020-35519 at SUSECVE-2020-35519 at NVDCVE-2021-0935 at SUSECVE-2021-0935 at NVDCVE-2021-28711 at SUSECVE-2021-28711 at NVDCVE-2021-28712 at SUSECVE-2021-28712 at NVDCVE-2021-28713 at SUSECVE-2021-28713 at NVDCVE-2021-28715 at SUSECVE-2021-28715 at NVDCVE-2021-33098 at SUSECVE-2021-33098 at NVDCVE-2021-3564 at SUSECVE-2021-3564 at NVDCVE-2021-39648 at SUSECVE-2021-39648 at NVDCVE-2021-39657 at SUSECVE-2021-39657 at NVDCVE-2021-4002 at SUSECVE-2021-4002 at NVDCVE-2021-4083 at SUSECVE-2021-4083 at NVDCVE-2021-4149 at SUSECVE-2021-4149 at NVDCVE-2021-4155 at SUSECVE-2021-4155 at NVDCVE-2021-4197 at SUSECVE-2021-4197 at NVDCVE-2021-4202 at SUSECVE-2021-4202 at NVDCVE-2021-43976 at SUSECVE-2021-43976 at NVDCVE-2021-45095 at SUSECVE-2021-45095 at NVDCVE-2021-45485 at SUSECVE-2021-45485 at NVDCVE-2021-45486 at SUSECVE-2021-45486 at NVDCVE-2022-0330 at SUSECVE-2022-0330 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-waitress (Important)SUSE OpenStack Cloud 8
This update for python-waitress fixes the following issues:
- CVE-2022-24761: Fixed a bug to avoid inconsistent interpretation of HTTP requests leading to request smuggling. (bsc#1197255)
ImportantSUSE bug 1197255CVE-2022-24761 at SUSECVE-2022-24761 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-Mako (Moderate)SUSE OpenStack Cloud 8
This update for python-Mako fixes the following issues:
- CVE-2022-40023: Fixed regular expression Denial of Service when using the Lexer class to parse (bsc#1203246).
ModerateSUSE bug 1203246CVE-2022-40023 at SUSECVE-2022-40023 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for apache2-mod_wsgi (Moderate)SUSE OpenStack Cloud 8
This update for apache2-mod_wsgi fixes the following issues:
- CVE-2022-2255: Hardened the trusted proxy header filter to avoid bypass. (bsc#1201634)
ModerateSUSE bug 1201634CVE-2022-2255 at SUSECVE-2022-2255 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-Twisted (Important)SUSE OpenStack Cloud 8
This update for python-Twisted fixes the following issues:
- CVE-2022-39348: Fixed NameVirtualHost Host header injection (bsc#1204781).
ImportantSUSE bug 1204781CVE-2019-12387 at SUSECVE-2019-12387 at NVDCVE-2020-10108 at SUSECVE-2020-10108 at NVDCVE-2022-21712 at SUSECVE-2022-21712 at NVDCVE-2022-39348 at SUSECVE-2022-39348 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libvirt (Important)SUSE OpenStack Cloud 8
This update for libvirt fixes the following issues:
- CVE-2021-4147: libxl: Fix libvirtd deadlocks and segfaults. (bsc#1194041)
- CVE-2021-3975: Add missing lock in qemuProcessHandleMonitorEOF. (bsc#1192876)
ImportantSUSE bug 1192876SUSE bug 1193981SUSE bug 1194041CVE-2021-3975 at SUSECVE-2021-3975 at NVDCVE-2021-4147 at SUSECVE-2021-4147 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for git (Moderate)SUSE OpenStack Cloud 8
This update for git fixes the following issues:
- CVE-2022-39260: Fixed overflow in split_cmdline() (bsc#1204456).
- CVE-2022-39253: Fixed dereference issue with symbolic links via the `--local` clone mechanism (bsc#1204455).
ModerateSUSE bug 1204455SUSE bug 1204456CVE-2022-39253 at SUSECVE-2022-39253 at NVDCVE-2022-39260 at SUSECVE-2022-39260 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for virglrenderer (Important)SUSE OpenStack Cloud 8
This update for virglrenderer fixes the following issues:
- CVE-2022-0135: Fixed out-of-bonds write in read_transfer_data() (bsc#1195389).
ImportantSUSE bug 1195389CVE-2022-0135 at SUSECVE-2022-0135 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for expat (Important)SUSE OpenStack Cloud 8
This update for expat fixes the following issues:
- CVE-2022-23852: Fixed signed integer overflow in XML_GetBuffer (bsc#1195054).
- CVE-2022-23990: Fixed integer overflow in the doProlog function (bsc#1195217).
ImportantSUSE bug 1195054SUSE bug 1195217CVE-2022-23852 at SUSECVE-2022-23852 at NVDCVE-2022-23990 at SUSECVE-2022-23990 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for tiff (Important)SUSE OpenStack Cloud 8
This update for tiff fixes the following issues:
- CVE-2017-17095: Fixed DoS in tools/pal2rgb.c in pal2rgb (bsc#1071031).
- CVE-2019-17546: Fixed integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image (bsc#1154365).
- CVE-2020-19131: Fixed buffer overflow in tiffcrop that may cause DoS via the invertImage() function (bsc#1190312).
- CVE-2020-35521: Fixed memory allocation failure in tif_read.c (bsc#1182808).
- CVE-2020-35522: Fixed memory allocation failure in tif_pixarlog.c (bsc#1182809).
- CVE-2020-35523: Fixed integer overflow in tif_getimage.c (bsc#1182811).
- CVE-2020-35524: Fixed heap-based buffer overflow in TIFF2PDF tool (bsc#1182812).
- CVE-2022-22844: Fixed out-of-bounds read in _TIFFmemcpy in tif_unix.c (bsc#1194539).
ImportantSUSE bug 1071031SUSE bug 1154365SUSE bug 1182808SUSE bug 1182809SUSE bug 1182811SUSE bug 1182812SUSE bug 1190312SUSE bug 1194539CVE-2017-17095 at SUSECVE-2017-17095 at NVDCVE-2019-17546 at SUSECVE-2019-17546 at NVDCVE-2020-19131 at SUSECVE-2020-19131 at NVDCVE-2020-35521 at SUSECVE-2020-35521 at NVDCVE-2020-35522 at SUSECVE-2020-35522 at NVDCVE-2020-35523 at SUSECVE-2020-35523 at NVDCVE-2020-35524 at SUSECVE-2020-35524 at NVDCVE-2022-22844 at SUSECVE-2022-22844 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for tcpdump (Moderate)SUSE OpenStack Cloud 8
This update for tcpdump fixes the following issues:
- CVE-2018-16301: Fixed segfault when handling large files (bsc#1195825).
ModerateSUSE bug 1195825CVE-2018-16301 at SUSECVE-2018-16301 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for cobbler (Important)SUSE OpenStack Cloud 8
This update for cobbler fixes the following issues:
- CVE-2021-45083: Fixed unsafe permissions on sensitive files (bsc#1193671).
The following non-security bugs were fixed:
- Move configuration files ownership to apache (bsc#1195906)
ImportantSUSE bug 1193671SUSE bug 1195906CVE-2021-45083 at SUSECVE-2021-45083 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for xerces-j2 (Important)SUSE OpenStack Cloud 8
This update for xerces-j2 fixes the following issues:
- CVE-2022-23437: Fixed infinite loop within Apache XercesJ xml parser (bsc#1195108).
ImportantSUSE bug 1195108CVE-2022-23437 at SUSECVE-2022-23437 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.6.0 ESR / MFSA 2022-05 (bsc#1195682)
- CVE-2022-22753: Privilege Escalation to SYSTEM on Windows via Maintenance Service
- CVE-2022-22754: Extensions could have bypassed permission confirmation during update
- CVE-2022-22756: Drag and dropping an image could have resulted in the dropped object being an executable
- CVE-2022-22759: Sandboxed iframes could have executed script if the parent appended elements
- CVE-2022-22760: Cross-Origin responses could be distinguished between script and non-script content-types
- CVE-2022-22761: frame-ancestors Content Security Policy directive was not enforced for framed extension pages
- CVE-2022-22763: Script Execution during invalid object state
- CVE-2022-22764: Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6
Firefox Extended Support Release 91.5.1 ESR (bsc#1195230)
- Fixed an issue that allowed unexpected data to be submitted in some of our search telemetry
ImportantSUSE bug 1195230SUSE bug 1195682CVE-2022-22753 at SUSECVE-2022-22753 at NVDCVE-2022-22754 at SUSECVE-2022-22754 at NVDCVE-2022-22756 at SUSECVE-2022-22756 at NVDCVE-2022-22759 at SUSECVE-2022-22759 at NVDCVE-2022-22760 at SUSECVE-2022-22760 at NVDCVE-2022-22761 at SUSECVE-2022-22761 at NVDCVE-2022-22763 at SUSECVE-2022-22763 at NVDCVE-2022-22764 at SUSECVE-2022-22764 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for ucode-intel (Important)SUSE OpenStack Cloud 8
This update for ucode-intel fixes the following issues:
Updated to Intel CPU Microcode 20220207 release.
- CVE-2021-0146: Fixed a potential security vulnerability in some Intel Processors may allow escalation of privilege (bsc#1192615)
- CVE-2021-0127: Intel Processor Breakpoint Control Flow (bsc#1195779)
- CVE-2021-0145: Fast store forward predictor - Cross Domain Training (bsc#1195780)
- CVE-2021-33120: Out of bounds read for some Intel Atom processors (bsc#1195781)
- Security updates for [INTEL-SA-00528](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00528.html)
- Security updates for [INTEL-SA-00532](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00532.html)
ImportantSUSE bug 1192615SUSE bug 1195779SUSE bug 1195780SUSE bug 1195781CVE-2021-0127 at SUSECVE-2021-0127 at NVDCVE-2021-0145 at SUSECVE-2021-0145 at NVDCVE-2021-0146 at SUSECVE-2021-0146 at NVDCVE-2021-33120 at SUSECVE-2021-33120 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for apache2 (Important)SUSE OpenStack Cloud 8
This update for apache2 fixes the following issues:
- CVE-2021-44224: Fixed NULL dereference or SSRF in forward proxy configurations. (bsc#1193943)
- CVE-2021-44790: Fixed buffer overflow when parsing multipart content in mod_lua. (bsc#1193942)
ImportantSUSE bug 1193942SUSE bug 1193943CVE-2021-44224 at SUSECVE-2021-44224 at NVDCVE-2021-44790 at SUSECVE-2021-44790 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for cyrus-sasl (Important)SUSE OpenStack Cloud 8
This update for cyrus-sasl fixes the following issues:
- CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).
ImportantSUSE bug 1196036CVE-2022-24407 at SUSECVE-2022-24407 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud 8
This update for webkit2gtk3 fixes the following issues:
Update to version 2.34.5 (bsc#1195735):
- CVE-2022-22589: A validation issue was addressed with improved input sanitization.
- CVE-2022-22590: A use after free issue was addressed with improved memory management.
- CVE-2022-22592: A logic issue was addressed with improved state management.
Update to version 2.34.4 (bsc#1195064):
- CVE-2021-30934: A buffer overflow issue was addressed with improved memory handling.
- CVE-2021-30936: A use after free issue was addressed with improved memory management.
- CVE-2021-30951: A use after free issue was addressed with improved memory management.
- CVE-2021-30952: An integer overflow was addressed with improved input validation.
- CVE-2021-30953: An out-of-bounds read was addressed with improved bounds checking.
- CVE-2021-30954: A type confusion issue was addressed with improved memory handling.
- CVE-2021-30984: A race condition was addressed with improved state handling.
- CVE-2022-22594: A cross-origin issue in the IndexDB API was addressed with improved input validation.
The following CVEs were addressed in a previous update:
- CVE-2021-45481: Incorrect memory allocation in WebCore::ImageBufferCairoImageSurfaceBackend::create.
- CVE-2021-45482: A use-after-free in WebCore::ContainerNode::firstChild.
- CVE-2021-45483: A use-after-free in WebCore::Frame::page.
ImportantSUSE bug 1195064SUSE bug 1195735CVE-2021-30934 at SUSECVE-2021-30934 at NVDCVE-2021-30936 at SUSECVE-2021-30936 at NVDCVE-2021-30951 at SUSECVE-2021-30951 at NVDCVE-2021-30952 at SUSECVE-2021-30952 at NVDCVE-2021-30953 at SUSECVE-2021-30953 at NVDCVE-2021-30954 at SUSECVE-2021-30954 at NVDCVE-2021-30984 at SUSECVE-2021-30984 at NVDCVE-2021-45481 at SUSECVE-2021-45481 at NVDCVE-2021-45482 at SUSECVE-2021-45482 at NVDCVE-2021-45483 at SUSECVE-2021-45483 at NVDCVE-2022-22589 at SUSECVE-2022-22589 at NVDCVE-2022-22590 at SUSECVE-2022-22590 at NVDCVE-2022-22592 at SUSECVE-2022-22592 at NVDCVE-2022-22594 at SUSECVE-2022-22594 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for expat (Important)SUSE OpenStack Cloud 8
This update for expat fixes the following issues:
- CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
- CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
- CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
- CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
- CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).
ImportantSUSE bug 1196025SUSE bug 1196026SUSE bug 1196168SUSE bug 1196169SUSE bug 1196171CVE-2022-25235 at SUSECVE-2022-25235 at NVDCVE-2022-25236 at SUSECVE-2022-25236 at NVDCVE-2022-25313 at SUSECVE-2022-25313 at NVDCVE-2022-25314 at SUSECVE-2022-25314 at NVDCVE-2022-25315 at SUSECVE-2022-25315 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for zsh (Important)SUSE OpenStack Cloud 8
This update for zsh fixes the following issues:
- CVE-2021-45444: Fixed a vulnerability where arbitrary shell commands could be
executed related to prompt expansion (bsc#1196435).
- CVE-2019-20044: Fixed a vulnerability where shell privileges would not be
properly dropped when unsetting the PRIVILEGED option (bsc#1163882).
- CVE-2018-1100: Fixed a potential code execution via a stack-based buffer
overflow in utils.c:checkmailpath() (bsc#1089030).
ImportantSUSE bug 1089030SUSE bug 1163882SUSE bug 1196435CVE-2018-1100 at SUSECVE-2018-1100 at NVDCVE-2019-20044 at SUSECVE-2019-20044 at NVDCVE-2021-45444 at SUSECVE-2021-45444 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-Twisted (Important)SUSE OpenStack Cloud 8
This update for python-Twisted fixes the following issues:
- CVE-2022-21712: Fixed secret exposure in cross-origin redirects (bsc#1195667, GHSA-92x2-jw7w-xvvx) from
ImportantSUSE bug 1195667CVE-2022-21712 at SUSECVE-2022-21712 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud 8
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
Transient execution side-channel attacks attacking the Branch History Buffer (BHB),
named 'Branch Target Injection' and 'Intra-Mode Branch History Injection' are now mitigated.
The following security bugs were fixed:
- CVE-2022-0001: Fixed Branch History Injection vulnerability (bsc#1191580).
- CVE-2022-0002: Fixed Intra-Mode Branch Target Injection vulnerability (bsc#1191580).
- CVE-2022-0617: Fixed a null pointer dereference in UDF file system functionality. A local user could crash the system by triggering udf_file_write_iter() via a malicious UDF image. (bsc#1196079)
- CVE-2022-0492: Fixed a privilege escalation related to cgroups v1 release_agent feature, which allowed bypassing namespace isolation unexpectedly (bsc#1195543).
- CVE-2022-24448: Fixed an issue in fs/nfs/dir.c. If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should have occured, but the server instead returned uninitialized data in the file descriptor (bsc#1195612).
- CVE-2021-0920: Fixed a local privilege escalation due to a use-after-free bug in unix_gc (bsc#1193731).
- CVE-2016-10905: Fixed a use-after-free is gfs2_clear_rgrpd() and read_rindex_entry() (bsc#1146312).
ImportantSUSE bug 1146312SUSE bug 1185973SUSE bug 1191580SUSE bug 1193731SUSE bug 1194463SUSE bug 1195536SUSE bug 1195543SUSE bug 1195612SUSE bug 1195908SUSE bug 1195939SUSE bug 1196079SUSE bug 1196612CVE-2016-10905 at SUSECVE-2016-10905 at NVDCVE-2021-0920 at SUSECVE-2021-0920 at NVDCVE-2022-0001 at SUSECVE-2022-0001 at NVDCVE-2022-0002 at SUSECVE-2022-0002 at NVDCVE-2022-0492 at SUSECVE-2022-0492 at NVDCVE-2022-0617 at SUSECVE-2022-0617 at NVDCVE-2022-24448 at SUSECVE-2022-24448 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.6.1 ESR (bsc#1196809):
- CVE-2022-26485: Use-after-free in XSLT parameter processing
- CVE-2022-26486: Use-after-free in WebGPU IPC Framework
ImportantSUSE bug 1196809CVE-2022-26485 at SUSECVE-2022-26485 at NVDCVE-2022-26486 at SUSECVE-2022-26486 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for tomcat (Important)SUSE OpenStack Cloud 8
This update for tomcat fixes the following issues:
Security issues fixed:
- CVE-2022-23181: Fixed time of check, time of use vulnerability that allowed local privilege escalation. (bsc#1195255)
- Remove log4j dependency, which is currently directly in use (bsc#1196137)
- Make the package RPM conflict even more specific to conflict with java-openjdk-headless >= 9 (bsc#1196091)
ImportantSUSE bug 1195255SUSE bug 1196091SUSE bug 1196137CVE-2022-23181 at SUSECVE-2022-23181 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud 8
This update for webkit2gtk3 fixes the following issues:
Update to version 2.34.6 (bsc#1196133):
- CVE-2022-22620: Processing maliciously crafted web content may have lead to arbitrary code execution.
ImportantSUSE bug 1196133CVE-2022-22620 at SUSECVE-2022-22620 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libcaca (Important)SUSE OpenStack Cloud 8
This update for libcaca fixes the following issues:
- CVE-2021-30498, CVE-2021-30499: If an image has a size of 0x0, when exporting, no
data is written and space is allocated for the header only, not taking into
account that sprintf appends a NUL byte (bsc#1184751, bsc#1184752).
ImportantSUSE bug 1184751SUSE bug 1184752CVE-2021-30498 at SUSECVE-2021-30498 at NVDCVE-2021-30499 at SUSECVE-2021-30499 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud 8
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.7.0 ESR (bsc#1196900):
- CVE-2022-26383: Browser window spoof using fullscreen mode
- CVE-2022-26384: iframe allow-scripts sandbox bypass
- CVE-2022-26387: Time-of-check time-of-use bug when verifying add-on signatures
- CVE-2022-26381: Use-after-free in text reflows
- CVE-2022-26386: Temporary files downloaded to /tmp and accessible by other local users
ImportantSUSE bug 1196900CVE-2022-26381 at SUSECVE-2022-26381 at NVDCVE-2022-26383 at SUSECVE-2022-26383 at NVDCVE-2022-26384 at SUSECVE-2022-26384 at NVDCVE-2022-26386 at SUSECVE-2022-26386 at NVDCVE-2022-26387 at SUSECVE-2022-26387 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for expat (Important)SUSE OpenStack Cloud 8
This update for expat fixes the following issues:
- Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).
ImportantSUSE bug 1196025SUSE bug 1196784CVE-2022-25236 at SUSECVE-2022-25236 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openssl (Important)SUSE OpenStack Cloud 8
This update for openssl fixes the following issues:
- CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (bsc#1196877).
ImportantSUSE bug 1196877CVE-2022-0778 at SUSECVE-2022-0778 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for java-1_8_0-openjdk (Important)SUSE OpenStack Cloud 8
This update for java-1_8_0-openjdk fixes the following issues:
Update to version jdk8u322 (icedtea-3.22.0)
Including the following security fixes:
- CVE-2022-21248, bsc#1194926: Enhance cross VM serialization
- CVE-2022-21283, bsc#1194937: Better String matching
- CVE-2022-21293, bsc#1194935: Improve String constructions
- CVE-2022-21294, bsc#1194934: Enhance construction of Identity maps
- CVE-2022-21282, bsc#1194933: Better resolution of URIs
- CVE-2022-21296, bsc#1194932: Improve SAX Parser configuration management
- CVE-2022-21299, bsc#1194931: Improved scanning of XML entities
- CVE-2022-21305, bsc#1194939: Better array indexing
- CVE-2022-21340, bsc#1194940: Verify Jar Verification
- CVE-2022-21341, bsc#1194941: Improve serial forms for transport
- CVE-2022-21349: Improve Solaris font rendering
- CVE-2022-21360, bsc#1194929: Enhance BMP image support
- CVE-2022-21365, bsc#1194928: Enhanced BMP processing
ImportantSUSE bug 1193314SUSE bug 1193444SUSE bug 1193491SUSE bug 1194926SUSE bug 1194928SUSE bug 1194929SUSE bug 1194931SUSE bug 1194932SUSE bug 1194933SUSE bug 1194934SUSE bug 1194935SUSE bug 1194937SUSE bug 1194939SUSE bug 1194940SUSE bug 1194941SUSE bug 1195163CVE-2022-21248 at SUSECVE-2022-21248 at NVDCVE-2022-21282 at SUSECVE-2022-21282 at NVDCVE-2022-21283 at SUSECVE-2022-21283 at NVDCVE-2022-21293 at SUSECVE-2022-21293 at NVDCVE-2022-21294 at SUSECVE-2022-21294 at NVDCVE-2022-21296 at SUSECVE-2022-21296 at NVDCVE-2022-21299 at SUSECVE-2022-21299 at NVDCVE-2022-21305 at SUSECVE-2022-21305 at NVDCVE-2022-21340 at SUSECVE-2022-21340 at NVDCVE-2022-21341 at SUSECVE-2022-21341 at NVDCVE-2022-21349 at SUSECVE-2022-21349 at NVDCVE-2022-21360 at SUSECVE-2022-21360 at NVDCVE-2022-21365 at SUSECVE-2022-21365 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-lxml (Moderate)SUSE OpenStack Cloud 8
This update for python-lxml fixes the following issues:
- CVE-2021-43818: Removed SVG image data URLs since they can embed script
content (bsc#1193752).
- CVE-2021-28957: Fixed a potential XSS due to improper input sanitization (bsc#1184177).
- CVE-2020-27783: Fixed a potential XSS due to improper HTML parsing (bsc#1179534).
- CVE-2018-19787: Fixed a potential XSS due to improper input sanitization (bsc#1118088).
ModerateSUSE bug 1118088SUSE bug 1179534SUSE bug 1184177SUSE bug 1193752CVE-2018-19787 at SUSECVE-2018-19787 at NVDCVE-2020-27783 at SUSECVE-2020-27783 at NVDCVE-2021-28957 at SUSECVE-2021-28957 at NVDCVE-2021-43818 at SUSECVE-2021-43818 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for glibc (Important)SUSE OpenStack Cloud 8
This update for glibc fixes the following issues:
- CVE-2022-23219: Fixed buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)
- CVE-2022-23218: Fixed buffer overflow in sunrpc svcunix_create (bsc#1194770)
- CVE-2021-3999: Fixed getcwd to set errno to ERANGE for size == 1 (bsc#1194640)
ImportantSUSE bug 1194640SUSE bug 1194768SUSE bug 1194770CVE-2021-3999 at SUSECVE-2021-3999 at NVDCVE-2022-23218 at SUSECVE-2022-23218 at NVDCVE-2022-23219 at SUSECVE-2022-23219 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for apache2 (Important)SUSE OpenStack Cloud 8
This update for apache2 fixes the following issues:
- CVE-2022-23943: heap out-of-bounds write in mod_sed (bsc#1197098).
- CVE-2022-22720: HTTP request smuggling due to incorrect error handling (bsc#1197095).
- CVE-2022-22719: use of uninitialized value of in r:parsebody in mod_lua (bsc#1197091).
- CVE-2022-22721: possible buffer overflow with very large or unlimited LimitXMLRequestBody (bsc#1197096).
ImportantSUSE bug 1197091SUSE bug 1197095SUSE bug 1197096SUSE bug 1197098CVE-2022-22719 at SUSECVE-2022-22719 at NVDCVE-2022-22720 at SUSECVE-2022-22720 at NVDCVE-2022-22721 at SUSECVE-2022-22721 at NVDCVE-2022-23943 at SUSECVE-2022-23943 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for git (Important)SUSE OpenStack Cloud 8
This update for git fixes the following issues:
- CVE-2022-41903: Fixed a heap overflow in the 'git archive' and
'git log --format' commands (bsc#1207033).
- CVE-2022-23521: Fixed an integer overflow that could be triggered
when parsing a gitattributes file (bsc#1207032).
ImportantSUSE bug 1207032SUSE bug 1207033CVE-2022-23521 at SUSECVE-2022-23521 at NVDCVE-2022-41903 at SUSECVE-2022-41903 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openstack-cinder, openstack-nova, python-oslo.utils (Important)SUSE OpenStack Cloud 8
This update for openstack-cinder, openstack-nova, python-oslo.utils contains the following fixes:
Security fixes included on this update:
openstack-cinder, openstack-nova:
- CVE-2022-47951: Fixed file access control through custom VMDK flat descriptor. (bsc#1207321)
Non-security changes included on this update:
Changes in openstack-cinder:
- Fixed file access control through custom VMDK flat descriptor. (bsc#1207321, CVE-2022-47951)
Changes in openstack-nova:
- Fixed file access control through custom VMDK flat descriptor. (bsc#1207321, CVE-2022-47951)
Changes in python-oslo.utils:
- Report format specific details when using JSON output format. (bsc#1207321)
ImportantSUSE bug 1207321CVE-2022-47951 at SUSECVE-2022-47951 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for git (Moderate)SUSE OpenStack Cloud 8
This update for git fixes the following issues:
- CVE-2023-25652: Fixed partial overwrite of paths outside the working tree (bsc#1210686).
- CVE-2023-25815: Fixed malicious placemtn of crafted message (bsc#1210686).
- CVE-2023-29007: Fixed arbitrary configuration injection (bsc#1210686).
ModerateSUSE bug 1210686CVE-2023-25652 at SUSECVE-2023-25652 at NVDCVE-2023-25815 at SUSECVE-2023-25815 at NVDCVE-2023-29007 at SUSECVE-2023-29007 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for dnsmasq (Moderate)SUSE OpenStack Cloud 8
This update for dnsmasq fixes the following issues:
- CVE-2023-28450: Fixed default maximum size for EDNS.0 UDP packets (bsc#1209358).
ModerateSUSE bug 1209358CVE-2023-28450 at SUSECVE-2023-28450 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-cryptography (Moderate)SUSE OpenStack Cloud 8
This update for python-cryptography fixes the following issues:
- CVE-2023-23931: Fixed memory corruption in Cipher.update_into (bsc#1208036).
ModerateSUSE bug 1208036CVE-2023-23931 at SUSECVE-2023-23931 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openstack-heat, python-Werkzeug (Important)SUSE OpenStack Cloud 8
This update for openstack-heat, python-Werkzeug contains the following fixes:
Security fixes included on this update:
openstack-heat:
- CVE-2023-1625: Fixed an issue where parameter values marked as 'hidden' would be shown in the stack's environment. (bsc#1209774)
python-Werkzeug:
- CVE-2023-25577: Fixed an unbounded resource usage when parsing multipart forms with many fields. (bsc#1208283)
ImportantSUSE bug 1208283SUSE bug 1209774CVE-2023-1625 at SUSECVE-2023-1625 at NVDCVE-2023-25577 at SUSECVE-2023-25577 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libwebp (Important)SUSE OpenStack Cloud 8
This update for libwebp fixes the following issues:
- CVE-2023-1999: Fixed double free (bsc#1210212).
ImportantSUSE bug 1210212CVE-2023-1999 at SUSECVE-2023-1999 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-sqlparse (Moderate)SUSE OpenStack Cloud 8
This update for python-sqlparse fixes the following issues:
- CVE-2023-30608: Fixed a regular rexpression that is vulnerable to ReDOS (bsc#1210617).
ModerateSUSE bug 1210617CVE-2023-30608 at SUSECVE-2023-30608 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-tornado (Low)SUSE OpenStack Cloud 8
This update for python-tornado fixes the following issues:
- CVE-2023-28370: Fixed an open redirect issue in the static file
handler (bsc#1211741).
LowSUSE bug 1211741CVE-2023-28370 at SUSECVE-2023-28370 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-Django (Moderate)SUSE OpenStack Cloud 8
This update for python-Django fixes the following issues:
- CVE-2023-36053: Fixed potential regular expression denial of service vulnerability in EmailValidator/URLValidator (bsc#1212742).
ModerateSUSE bug 1212742CVE-2023-36053 at SUSECVE-2023-36053 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-swift3 (Important)SUSE OpenStack Cloud 8
This update for python-swift3 fixes the following issues:
- CVE-2022-47950: Fixed an issue that could allow a remote attacker to
disclose local file contents via a crafted XML file (bsc#1207035).
ImportantSUSE bug 1207035CVE-2022-47950 at SUSECVE-2022-47950 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for tomcat (Important)SUSE OpenStack Cloud 8
This update for tomcat fixes the following issues:
- Remove the log4j dependency as it is not used by the tomcat package (bsc#1196137)
Security hardening, related to Spring Framework vulnerabilities:
- Deprecate getResources() and always return null (bsc#1198136).
ImportantSUSE bug 1196137SUSE bug 1198136cpe:/o:suse:suse-openstack-cloud:8Security update for python-Django (Moderate)SUSE OpenStack Cloud 8
This update for python-Django fixes the following issues:
- CVE-2023-41164: Fixed a potential denial of service vulnerability in django.utils.encoding.uri_to_iri() (bsc#1214667).
ModerateSUSE bug 1214667CVE-2023-41164 at SUSECVE-2023-41164 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for libwebp (Critical)SUSE OpenStack Cloud 8
This update for libwebp fixes the following issues:
- CVE-2023-4863: Fixed a heap buffer overflow (bsc#1215231).
CriticalSUSE bug 1215231CVE-2023-4863 at SUSECVE-2023-4863 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-gevent (Important)SUSE OpenStack Cloud 8
This update for python-gevent fixes the following issues:
- CVE-2023-41419: Fixed a http request smuggling (bsc#1215469).
ImportantSUSE bug 1215469CVE-2023-41419 at SUSECVE-2023-41419 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-setuptools (Moderate)SUSE OpenStack Cloud 8
This update for python-setuptools fixes the following issues:
- CVE-2022-40897: Fixed an excessive CPU usage that could be triggered
by fetching a malicious HTML document (bsc#1206667).
ModerateSUSE bug 1206667CVE-2022-40897 at SUSECVE-2022-40897 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-urllib3 (Moderate)SUSE OpenStack Cloud 8
This update for python-urllib3 fixes the following issues:
- CVE-2023-43804: Fixed a potential cookie leak via HTTP redirect if
the user manually set the corresponding header (bsc#1215968).
ModerateSUSE bug 1215968CVE-2023-43804 at SUSECVE-2023-43804 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-Django (Moderate)SUSE OpenStack Cloud 8
This update for python-Django fixes the following issues:
- CVE-2023-43665: Fixed a Denial-of-service in django.utils.text.Truncator. (bsc#1215978)
ModerateSUSE bug 1215978CVE-2023-43665 at SUSECVE-2023-43665 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for git (Important)SUSE OpenStack Cloud 8
This update for git fixes the following issues:
- CVE-2023-22490: Fixed incorrectly usable local clone optimization even when using a non-local transport (bsc#1208027).
- CVE-2023-23946: Fixed issue where a path outside the working tree can be overwritten as the user who is running 'git apply' (bsc#1208028).
ImportantSUSE bug 1208027SUSE bug 1208028CVE-2023-22490 at SUSECVE-2023-22490 at NVDCVE-2023-23946 at SUSECVE-2023-23946 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-urllib3 (Moderate)SUSE OpenStack Cloud 8
This update for python-urllib3 fixes the following issues:
- CVE-2023-45803: Fix a request body leak that could occur when
receiving a 303 HTTP response (bsc#1216377).
ModerateSUSE bug 1216377CVE-2023-45803 at SUSECVE-2023-45803 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-Pillow (Important)SUSE OpenStack Cloud 8
This update for python-Pillow fixes the following issues:
- CVE-2023-44271: Fixed uncontrolled resource consumption when textlength in an ImageDraw instance operates on a long text argument (bsc#1216894).
ImportantSUSE bug 1216894CVE-2023-44271 at SUSECVE-2023-44271 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-Django (Important)SUSE OpenStack Cloud 8
This update for python-Django fixes the following issues:
- CVE-2023-24580: Fixed DOS in file uploads (bsc#1208082).
ImportantSUSE bug 1208082CVE-2023-24580 at SUSECVE-2023-24580 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for openstack-barbican (Moderate)SUSE OpenStack Cloud 8
This update for openstack-barbican contains the following fix:
Security fix included on this update:
openstack-barbican:
- CVE-2022-3100: Fixed an access policy bypass via query string injection (bsc#1203873).
Update for openstack-barbican:
- Add patch for CVE-2022-3100 to address access policy bypass via query string injection. (bsc#1203873, CVE-2022-3100)
ModerateSUSE bug 1203873CVE-2022-3100 at SUSECVE-2022-3100 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-cffi (Moderate)SUSE OpenStack Cloud 8
This update for python-cffi fixes the following issues:
- CVE-2023-23931: Fixed memory corruption due to immutable python object being changed (bsc#1208036).
Bugfixes:
- Disabled broken tests related to Threads.
ModerateSUSE bug 1208036CVE-2023-23931 at SUSECVE-2023-23931 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-Django (Important)SUSE OpenStack Cloud 8
This update for python-Django fixes the following issues:
- CVE-2024-27351: Align the patch with the upstream one and make it more robust. (bsc#1220358)
ImportantSUSE bug 1220358CVE-2024-27351 at SUSECVE-2024-27351 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-Pillow (Important)SUSE OpenStack Cloud 8
This update for python-Pillow fixes the following issues:
- CVE-2024-28219: Fixed buffer overflow in _imagingcms.c (bsc#1222262)
ImportantSUSE bug 1222262CVE-2024-28219 at SUSECVE-2024-28219 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-Pillow (Important)SUSE OpenStack Cloud 8
This update for python-Pillow fixes the following issues:
- CVE-2023-50447: Fixed arbitrary code execution via the environment parameter. (bsc#1219048)
- CVE-2022-22817: Fixes evaluation of arbitrary expressions via PIL.ImageMath.eval. (bsc#1194521)
ImportantSUSE bug 1194521SUSE bug 1219048CVE-2022-22817 at SUSECVE-2022-22817 at NVDCVE-2023-50447 at SUSECVE-2023-50447 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for python-Django (Important)SUSE OpenStack Cloud 8
This update for python-Django fixes the following issues:
- CVE-2024-24680: Fixed a denial-of-service in intcomma template filter (bsc#1219683).
- CVE-2024-27351: Fixed potential regular expression denial-of-service in ``django.utils.text.Truncator.words()`` (bsc#1220358).
ImportantSUSE bug 1219683SUSE bug 1220358CVE-2024-24680 at SUSECVE-2024-24680 at NVDCVE-2024-27351 at SUSECVE-2024-27351 at NVDcpe:/o:suse:suse-openstack-cloud:8Security update for slf4j (Important)SUSE OpenStack Cloud Crowbar 8
This update for slf4j fixes the following issues:
- CVE-2018-8088: Disallow EventData deserialization by default to avoid arbitrary code execution using serialized data (bsc#1085970)
ImportantSUSE bug 1085970CVE-2018-8088 at SUSECVE-2018-8088 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for mariadb, mariadb-connector-c, xtrabackup (Important)SUSE OpenStack Cloud Crowbar 8
This MariaDB update to version 10.2.15 brings the following fixes and improvements.
Security issues:
- CVE-2018-2767: The embedded server library now supports SSL when connecting to remote servers (bsc#1088681).
- Collected CVEs fixes:
* 10.2.15: CVE-2018-2786, CVE-2018-2759, CVE-2018-2777, CVE-2018-2810,
CVE-2018-2782, CVE-2018-2784, CVE-2018-2787, CVE-2018-2766,
CVE-2018-2755, CVE-2018-2819, CVE-2018-2817, CVE-2018-2761,
CVE-2018-2781, CVE-2018-2771, CVE-2018-2813
Bugfixes:
- bsc#1092544: Update suse_skipped_tests.list and add tests that are failing with GCC 8.
- bsc#1080891: Compile option DWITH_SYSTEMD=ON is no longer needed - systemd is detected automatically.
ImportantSUSE bug 1080891SUSE bug 1082318SUSE bug 1088681SUSE bug 1092544CVE-2018-2755 at SUSECVE-2018-2755 at NVDCVE-2018-2759 at SUSECVE-2018-2759 at NVDCVE-2018-2761 at SUSECVE-2018-2761 at NVDCVE-2018-2766 at SUSECVE-2018-2766 at NVDCVE-2018-2767 at SUSECVE-2018-2767 at NVDCVE-2018-2771 at SUSECVE-2018-2771 at NVDCVE-2018-2777 at SUSECVE-2018-2777 at NVDCVE-2018-2781 at SUSECVE-2018-2781 at NVDCVE-2018-2782 at SUSECVE-2018-2782 at NVDCVE-2018-2784 at SUSECVE-2018-2784 at NVDCVE-2018-2786 at SUSECVE-2018-2786 at NVDCVE-2018-2787 at SUSECVE-2018-2787 at NVDCVE-2018-2810 at SUSECVE-2018-2810 at NVDCVE-2018-2813 at SUSECVE-2018-2813 at NVDCVE-2018-2817 at SUSECVE-2018-2817 at NVDCVE-2018-2819 at SUSECVE-2018-2819 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for nodejs6 (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for nodejs6 to version 6.14.3 fixes the following issues:
The following security vulnerability was addressed:
- Fixed a denial of service (DoS) vulnerability in Buffer.fill(), which could
hang when being called (CVE-2018-7167, bsc#1097375).
The following other changes were made:
- Use absolute paths in executable shebang lines
- Fixed building with ICU61.1 (bsc#1091764)
ModerateSUSE bug 1091764SUSE bug 1097375CVE-2018-7167 at SUSECVE-2018-7167 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-sprockets-2_12 (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-sprockets-2_12 fixes the following issues:
Security issue fixed:
- CVE-2018-3760: Fix path traversal in sprockets/server.rb:forbidden_request?() that can allow remote attackers to read
arbitrary files (bsc#1098369).
ModerateSUSE bug 1098369CVE-2018-3760 at SUSECVE-2018-3760 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for grafana, kafka, logstash, openstack-monasca-installer (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for grafana, kafka, logstash, openstack-monasca-installer fixes the following issues:
Security issues fixed:
- CVE-2018-12099: grafana: Fix XSS vulnerabilities in dashboard links (bsc#1096985).
- CVE-2018-3817: logstash: Fix inadvertently logging of sensitive information (bsc#1090849).
Bug fixes:
- bsc#1095603: Disable jmxremote debugging.
- bsc#1097847: Make time series database schema setup conditional.
- bsc#1094448: Set log rotation options.
- bsc#1090336: Add complete set of elasticsearch performance tunables.
- bsc#1101366: Fix build issues with s390x, ppc64le and aarch64.
- Fix various spec errors affecting Leap 15 and Tumbleweed
ModerateSUSE bug 1090336SUSE bug 1090849SUSE bug 1094448SUSE bug 1095603SUSE bug 1096985SUSE bug 1097847SUSE bug 1101366CVE-2018-12099 at SUSECVE-2018-12099 at NVDCVE-2018-3817 at SUSECVE-2018-3817 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for crowbar, crowbar-core, crowbar-ha, crowbar-init, crowbar-openstack, crowbar-ui (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for crowbar, crowbar-ha, crowbar-init, crowbar-openstack, crowbar-ui fixes the following issues:
This security issues was fixed:
- CVE-2018-3760: Upgrade rubygem-sprockets to prevent an information leak.
Specially crafted requests could have been be used to access files that exists
on the filesystem that is outside an application's root directory, when the
Sprockets server is used in production (bsc#1098369).
- CVE-2016-861: Add rate limiting for glance api (bsc#1005886)
These non-security issues were fixed for crowbar:
- upgrade: Lock crowbar-ui before admin upgrade
- upgrade: Make sure schemas are properly migrated after the upgrade
- upgrade: No need for database dump before the upgrade
- upgrade: No need to use crowbar-init during the upgrade
These non-security issues were fixed for crowbar-core:
- upgrade: Remove pre-upgrade constraints from existing locations
- upgrade: Show the grep result when checking for not-migrated instances
- upgrade: Set clone_stateless_services to false on upgrade
- control_lib: fix host allocation check
- Fix exception handling in get_log_lines
- apache: copytruncate apache logs bsc#1083093
- upgrade: Refresh repos before crowbar-ui update (bsc#1099392)
- upgrade: Reset RabbitMQ nodes during upgrade
- upgrade: Do not allow cinder-volume on compute nodes
- upgrade: Wait until all nova-compute services are up before evacuation
- upgrade: Save the information which set of nodes should be upgraded
- Let skip_unready_nodes skip also nodes that are in crowbar_upgrade state
- upgrade: Add missing brackets checking for nodes
- upgrade: Make sure postponed nodes can be skipped when applying proposal
- upgrade: When the upgrade is not finished, show a link to wizard
- upgrade: Correctly delete remaining upgrade scripts
- upgrade: Wait for services shutdown to finish
- upgrade: Unlock crowbar-ui after completed upgrade
- upgrade: Stop cron before stopping any other service
- upgrade: Provide better information after the failure
- upgrade: Report missing scripts
- upgrade: Better check for upgraded nodes - do not rely on state
- upgrade: Improve error messages with lists
- upgrade: Check input is a valid node for nodes
- upgrade: Delete upgrade scripts really at the end of upgrade
- upgrade: Increase the timeout for deleting pacemaker resources
- upgrade: Adapt the check for upgraded? value
- upgrade: Move step to mark the admin upgrade end
- upgrade: Do not finalize nodes that are not upgraded
- upgrade: Fix file layout for rails' autoloading (bsc#1096759)
- upgrade: Deleting cinder services from database no longer needed
- upgrade: Allow postpone and resume of compute nodes upgrade
- upgrade: Allow the access to controller actions when upgrade is postponed
- upgrade: Finalize upgrade of controller nodes after they are done
- upgrade: Added API calls for postponing/resuming compute nodes upgrade
- upgrade: Unblock upgrade status API in Cloud8
- upgrade: Do not end admin step while it is still running (bsc#1095420)
- upgrade: Adapt ceph-related checks to 7-8 upgrade
- upgrade: Allow running schema migrations on upgrade
- upgrade: Fix platform retrieval
These non-security issues were fixed for crowbar-ha:
- pacemaker: allow multiple meta parameters (bsc#1093898)
- haproxy: active-active mode, just one VIP
These non-security issues were fixed for crowbar-openstack:
- Synchronize SSL in the cluster (bsc#1081518)
- neutron: add force_metadata attribute
- rabbitmq: set client timout to default value
- /etc/sysctl.d/99-sysctl.conf is a symlink to /etc/sysctl.conf
- Do not automatically put manila-share roles to compute nodes
- rabbitmq: check for rabbit readiness
- rabbitmq: Make sure rabbit is running on cluster
- monasca: various monasca-installer improvements
- monasca: reduce monasca-installer runs (bsc#1096043)
- manila: Correct field name for cluster name
- Do not mark [:nova][:db_synced] too early
- nova: Do not do partial online migrations, that was Newton specific
- monasca: add elasticsearch tunables (bsc#1090336)
- copytruncate apache logs instead of creating
- rabbitmq: Better dependency check
- aodh: Add config for alarm_history_ttl (bsc#1073703)
- upgrade: cinder: run live migrations at correct rev
These non-security issues were fixed for crowbar-ui:
- upgrade: Dummy backend for status testing
- upgrade: Refactor postpone nodes upgrade
- upgrade: Allow interruption of status wait loop
- upgrade: Added ability to postpone upgrade nodes
- upgrade: Add ability to postpone upgrade nodes
- upgrade: Add ability to postpone upgrade nodes
- upgrade: Add ability to postpone upgrade nodes
- Add ability to postpone upgrade
- upgrade: Remove openstack precheck
- upgrade: Fixed error key for ha_configured
- upgrade: Remove CEPH related code
- Remove the non-essential database-configuration controller
- remove ui typo test
- Remove database configuration option
- upgrade: Update SUSE-OpenStack-Cloud-8 label
- upgrade: Update admin and nodes repo names
ModerateSUSE bug 1005886SUSE bug 1073703SUSE bug 1081518SUSE bug 1083093SUSE bug 1090336SUSE bug 1093898SUSE bug 1095420SUSE bug 1096043SUSE bug 1096759SUSE bug 1098369SUSE bug 1099392CVE-2016-8611 at SUSECVE-2016-8611 at NVDCVE-2018-3760 at SUSECVE-2018-3760 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for OpenStack (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for OpenStack fixes the following issues:
The following security issue with openstack-keystone has been fixed:
- CVE-2018-14432: Reduce duplication in federated authentication APIs. (bsc#1102151)
Additionally, the following non-security issues have been fixed:
aodh:
- Support same projects in different domain.
barbican:
- Add zuulv3 to Pike.
cinder:
- Empty option value maybe cause Unity driver failed to initialize.
- GoodnessWeigher schedules non-type volumes.
- Fix quota error when deleting temporary volume.
- Fix cinder quota-usage error.
- Unity: Return logged-out initiators.
- Correct S-Series to DS-Series systems.
- Update storage backends supported for Lenovo.
- Unity: Add support of removing empty host.
- NetApp: Fix to support SVM scoped permissions.
- NetApp ONTAP iSCSI: Force exception on online extend.
- NetApp ONTAP: Set new sub-lun clone limit for ONTAP driver.
dashboard:
- Make @memoize thread-aware.
designate:
- Add provides to handle installation of mdns and producer seamlessly.
- Fix service files.
- Install a default pools.yaml.
glance:
- doc: Modify the description for the command.
- Make ImageTarget behave like a dictionary.
- Add barbican-tempest experimental job.
heat:
- Fixing unicode issue when to\_dict is called on py2.7 env.
- Ignore NotFound error in prepare\_for\_replace.
- Reset resource replaced\_by field for rollback.
- Ignore RESOLVE translation errors when translating before\_props.
- Ignore errors in purging events.
heat-templates:
- Deprecate hooks in heat-templates.
horizon-plugin-designate-ui:
- Install all designate panels that are available.
horizon-plugin-freezer-ui:
- Avoid using deprecated opt in Web-UI.
horizon-plugin-gbp-ui:
- Fix patching of create instance dialog.
neutron-lbaas-dashboard:
- Remove custom zuul jobs.
horizon-plugin-trove-ui:
- Update UPPER\_CONSTRAINTS\_FILE for stable/pike.
ironic:
- Fix error when deleting a non-existent port.
- Tear down console during unprovisioning.
manila:
- Fix ZFSOnLinux doc about manage ops.
- DB Migration: Fix downgrade.
- Fix share-service VM restart problem.
- Added Handling Newer Quobyte API Error Codes.
- NetApp ONTAP: Fix delete-share for vsadmin users.
- Remove confusing DB deprecation messages.
- Add missing Requires: for python-tooz
neutron:
- Skip MTU check during deletion of Networks.
- HA L3 agent restart only standby agents.
- Retry dhcp\_release on failures.
- Reduce IP address collision during port creating.
- Refactor DVR HA migarations DB operations.
- Disallow router interface out of subnet IP range.
- Fix fwaas v1 configuration doc.
- Add list of all working DSCP marks.
- Set trusted port only once in iptables firewall driver.
- Fix UT BridgeLibTest when IPv6 is disabled.
neutron-fwaas:
- DVR-FWaaS: Fix DVR FWaaS rules for fipnamespace.
neutron-lbaas:
- Get providers directly from ORM to make startup take half as long.
- Cap haproxy log level severity.
- Fix sphinx-docs job for stable branch.
neutron-vpnaas:
- Fix sphinx-docs job for stable branch and pep8 issues.
neutron-zvm-agent:
- Backport zCC backend networking-zvm.
nova:
- libvirt: Add method to configure migration speed.
- Make host\_aggregate\_map dictionary case-insensitive.
- Fix unbound local when saving an unchanged RequestSpec.
- Cleanup mapping/reqspec after archive instance.
- Default embedded instance.flavor.disabled attribute.
- Backport tox.ini to switch to stestr.
- Cleanup RP and HM records while deleting a compute service.
- Delete allocations from API if nova-compute is down.
- Block deleting compute services which are hosting instances.
- api-ref: Add a note in DELETE /os-services about deleting computes.
- Add functional test for deleting a compute service.
- Factor out compute service start in ServerMovingTest.
- Moving more utils to ProviderUsageBaseTestCase.
- Make nova service-list use scatter-gather routine.
- libvirt: Slow live-migration to ensure network is ready.
- Use instance project/user when creating RequestSpec during resize reschedule.
- Mock utils.execute() in qemu-img unit test.
- Add policy rule to block image-backed servers with 0 root disk flavor.
- Change consecutive build failure limit to a weigher.
- Ensure resource class cache when listing usages.
- Metadata-API fails to retrieve avz for instances created before Pike.
- placement: Fix HTTP error generation.
- Add amd-ssbd and amd-no-ssb CPU flags.
- Fixed auto-convergence option name in doc.
- libvirt: Skip fetching the virtual size of block devices.
- libvirt: Handle DiskNotFound during update\_available\_resource.
- Avoid showing password in log.
- Fix shelving a paused instance.
- Document how to disable notifications.
- Add ssbd and virt-ssbd flags to cpu\_model\_extra\_flags whitelist.
- Stringify instance UUID.
nova-virt-zvm:
- Backport zvm driver.
octavia:
- Update introduction documention page.
- Use HMAC.hexdigest to avoid non-ascii characters for package data.
trove:
- Add .stestr.conf to fix tox-py27 stable job.
- Fix mysql instance create failed when enable skip-name-resolve.
- Failed to build mongo image.
- Open the volume\_support of redis.
- Remove Mitaka reference in install/dashboard.rst.
- Enable longer Keystone token life.
- Fix gate issues.
python-barbicanclient:
- Update time for functional tests. (bsc#1084362)
python-keystone-json-assignment:
- Speedup project lookup.
python-manilaclient:
- Fix for use endpoint_type in _discover_client method.
- Add search_opts in func list of ManagerWithFind type classes.
- Fix share can not be found by name in admin context.
python-vmware-nsx:
- NSX|V3: Handle port-not-found during get_ports.
- NSXAdminV3: Add message on client cert generation.
- NSX-V: Add server-ip-address to the supported dhcp options.
- NSX|V3: Fix global SG creation duplication.
- Fix security groups ext_properties loading.
- NSXv3: Add pool-level lock for LB pool member operations.
- NSX|v3: Do not retry on DB duplications on section init.
- NSXv: Handle listener failures on backend.
- Add mock to the requirements.
- AdminUtils V3: Do not set nat_pass for NO-NAT rules.
- NSX|V3: Wait for another neutron to create default section.
- NSX|V3: Cleanup duplicate sections on startup.
- V and D: Make security group logging more robust.
- NSX|v3: Ensure that 0.0.0.0/# is treated correctly in SG rules.
- NSX|V: Fix create/delete subnet race condition.
python-vmware-nsxlib:
- Fix service ports for egress firewall rule.
- Add server-ip-address to the suppoprted dhcp options.
- Retry on 503 Service Unavailable.
- Remove sha224 from supported client cert hash algs.
- Add logging when initializing a default FW section.
- Fixed tenacity usage.
- Retry is IOError is received.
- Handle cluster connection closed by server. ModerateSUSE bug 1084362SUSE bug 1102151CVE-2018-14432 at SUSECVE-2018-14432 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for couchdb (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for couchdb fixes the following security issues:
- CVE-2018-8007: Apache CouchDB administrative users can configure the database
server via HTTP(S). Due to insufficient validation of administrator-supplied
configuration settings via the HTTP API, it was possible for a CouchDB
administrator user to escalate their privileges to that of the operating
system's user that CouchDB runs under, by bypassing the blacklist of
configuration settings that are not allowed to be modified via the HTTP API
(bsc#1100973)
ModerateSUSE bug 1100973CVE-2018-8007 at SUSECVE-2018-8007 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for nodejs6 (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for nodejs6 to version 6.14.4 fixes the following issues:
Security issues fixed:
CVE-2018-12115: Fixed an out-of-bounds (OOB) write in Buffer.write() for UCS-2 encoding (bsc#1105019)
CVE-2018-0732: Upgrade to OpenSSL 1.0.2p, fixing a client DoS due to large DH parameter (bsc#1097158)
Other issues fixed:
- Recommend same major version npm package (bsc#1097748)
ModerateSUSE bug 1097158SUSE bug 1097748SUSE bug 1105019CVE-2018-0732 at SUSECVE-2018-0732 at NVDCVE-2018-12115 at SUSECVE-2018-12115 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-cryptography (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-cryptography fixes the following issues:
- CVE-2018-10903: The finalize_with_tag API did not enforce a minimum tag
length. If a user did not validate the input length prior to passing it to
finalize_with_tag an attacker could craft an invalid payload with a shortened
tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the
MAC check. GCM tag forgeries could have caused key leakage (bsc#1101820)
ModerateSUSE bug 1101820CVE-2018-10903 at SUSECVE-2018-10903 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-Django (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-Django fixes the following issues:
- CVE-2018-14574: Prevent open redirect in
django.middleware.common.CommonMiddleware (bsc#1102680)
ModerateSUSE bug 1102680CVE-2018-14574 at SUSECVE-2018-14574 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ardana-monasca, ardana-spark, kafka, kafka-kit, openstack-monasca-api (Important)SUSE OpenStack Cloud Crowbar 8
This update for ardana-monasca, ardana-spark, kafka, kafka-kit, openstack-monasca-api fixes the following issues:
This update for ardana-monasca to version 8.0+git.1535031421.9262a47 fixes these issues:
- Requests Apache to reload on change (bsc#1102662)
- Avoids managing non-Monasca users (bsc#1102662)
- Line up perms on storm.conf to match rpm (bsc#1094971)
This update for ardana-spark to version 8.0+git.1532114050.04654a8 fixes this issue:
- Only set log dir perms on legacy install (bsc#1094851)
This update for kafka to version 0.10.2.2 fixes this security issue:
- CVE-2018-1288: Authenticated Kafka users may have performed action reserved
for the Broker via a manually created fetch request interfering with data
replication, resulting in data loss (bsc#1102920).
This update for kafka to version 0.10.2.2 fixes these non-security issues:
- set internal.leave.group.on.close to false in KafkaStreams
- Improve message for Kafka failed startup with non-Kafka data in data.dirs
- add max_number _of_retries to exponential backoff strategy
- Mute logger for reflections.org at the warn level in system tests
- Kafka connect: error with special characters in connector name
- streams task gets stuck after re-balance due to LockException
- CachingSessionStore doesn't use the default keySerde.
- RocksDBSessionStore doesn't use default aggSerde.
- Recommended values for Connect transformations contain the wrong class name
- Kafka broker fails to start if a topic containing dot in its name is marked for delete but hasn't been deleted during previous uptime
- GlobalKTable does not checkpoint offsets after restoring state
- Log cleaning can increase message size and cause cleaner to crash with buffer overflow
- Some socket connections not closed after restart of Kafka Streams
- Distributed Herder Deadlocks on Shutdown
- Log cleaner fails due to large offset in segment file
- StreamsKafkaClient should not use StreamsConfig.POLL_MS_CONFIG
- Refactor kafkatest docker support
- ducktape kafka service: do not assume Service contains num_nodes
- Using _DUCKTAPE_OPTIONS has no effect on executing tests
- Connect WorkerSinkTask out of order offset commit can lead to inconsistent state
- RocksDB segments not removed when store is closed causes re-initialization to fail
- FetchMetadata creates unneeded Strings on instantiation
- SourceTask#stop() not called after exception raised in poll()
- Sink connectors that explicitly 'resume' topic partitions can resume a paused task
- GlobalStateManagerImpl should not write offsets of in-memory stores in checkpoint file
- Source KTable checkpoint is not correct
- ConnectSchema#equals() broken for array-typed default values
This update for openstack-monasca-api to version 2.2.1~dev24 fixes these issues:
- devstack: download storm from archive.apache.org
- Backport tempest test robustness improvements
- 1724543-fixed kafka partition creation error in devstack installation
- Fix:No alarms created if metric name in alarm def. expr. is mix case
- Zuul: Remove project name
- Run against Pike requirements
ImportantSUSE bug 1094851SUSE bug 1094971SUSE bug 1102662SUSE bug 1102920CVE-2018-1288 at SUSECVE-2018-1288 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ansible (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for ansible fixes the following issues:
Ansible was updated to ansible 2.4.6.0.
The full release notes can be found on:
https://github.com/ansible/ansible/blob/stable-2.4/CHANGELOG.md
Security issues fixed:
- CVE-2018-10875: ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code. (bsc#1099808)
- CVE-2018-10874: It was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control, allowing to run arbitrary code as a result. (bsc#1099805)
- CVE-2018-10855: Ansible did not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible. (bsc#1097775)
ModerateSUSE bug 1097775SUSE bug 1099805SUSE bug 1099808CVE-2018-10855 at SUSECVE-2018-10855 at NVDCVE-2018-10874 at SUSECVE-2018-10874 at NVDCVE-2018-10875 at SUSECVE-2018-10875 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Recommended update for ardana-ansible, ardana-cobbler, ardana-db, ardana-heat, ardana-manila, ardana-neutron, ardana-nova, ardana-octavia, ardana-osconfig, ardana-service, ardana-ses, ardana-swift, ardana-tempest, crowbar, crowbar-core, crowbar-ha, crowbar-openstack, documentation-suse-openstack-cloud, galera-python-clustercheck, openstack-dashboard, openstack-ec2-api, openstack-heat, openstack-heat-templates, openstack-horizon-plugin-ironic-ui, openstack-horizon-plugin-magnum-ui, openstack-horizon-plugin-sahara-ui, openstack-ironic, openstack-keystone, openstack-magnum, openstack-manila, openstack-monasca-api, openstack-monasca-notification, openstack-monasca-persister, openstack-murano, openstack-neutron, openstack-neutron-fwaas, openstack-nova, openstack-octavia, openstack-sahara, openstack-swift, openstack-tempest, python-cinderclient, python-cryptography, python-monasca-common, python-networking-hyperv, python-os-brick, python-venvjail, venv-openstack-aodh, venv-openstack-barbican, venv-openstack-ceilometer, venv-openstack-cinder, venv-openstack-designate, venv-openstack-freezer, venv-openstack-glance, venv-openstack-heat, venv-openstack-horizon, venv-openstack-ironic, venv-openstack-keystone, venv-openstack-magnum, venv-openstack-manila, venv-openstack-monasca, venv-openstack-monasca-ceilometer, venv-openstack-murano, venv-openstack-nova, venv-openstack-octavia, venv-openstack-sahara, venv-openstack-swift, venv-openstack-trove (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for ardana-ansible, ardana-cobbler, ardana-db, ardana-heat, ardana-manila, ardana-neutron, ardana-nova, ardana-octavia, ardana-osconfig, ardana-service, ardana-ses, ardana-swift, ardana-tempest, crowbar, crowbar-core, crowbar-ha, crowbar-openstack, documentation-suse-openstack-cloud, galera-python-clustercheck, openstack-dashboard, openstack-ec2-api, openstack-heat, openstack-heat-templates, openstack-horizon-plugin-ironic-ui, openstack-horizon-plugin-magnum-ui, openstack-horizon-plugin-sahara-ui, openstack-ironic, openstack-keystone, openstack-magnum, openstack-manila, openstack-monasca-api, openstack-monasca-notification, openstack-monasca-persister, openstack-murano, openstack-neutron, openstack-neutron-fwaas, openstack-nova, openstack-octavia, openstack-sahara, openstack-swift, openstack-tempest, python-cinderclient, python-cryptography, python-monasca-common, python-networking-hyperv, python-os-brick, python-venvjail, venv-openstack-aodh, venv-openstack-barbican, venv-openstack-ceilometer, venv-openstack-cinder, venv-openstack-designate, venv-openstack-freezer, venv-openstack-glance, venv-openstack-heat, venv-openstack-horizon, venv-openstack-ironic, venv-openstack-keystone, venv-openstack-magnum, venv-openstack-manila, venv-openstack-monasca, venv-openstack-monasca-ceilometer, venv-openstack-murano, venv-openstack-nova, venv-openstack-octavia, venv-openstack-sahara, venv-openstack-swift, venv-openstack-trove fixes the following issues:
This update fixes the following issues:
ardana-ansible:
* Move manila to the correct location in verb action list files (SCRD-6812)
* Enable manila service in verb action list files (SCRD-6812)
* Improve user experience (bsc#1114632)
ardana-cobbler:
* gate cobbler import on distro existence (SCRD-6821)
ardana-db:
* xtrabackup no longer needed (SCRD-7640, bsc#1116686)
ardana-heat:
* Fix typo so that heat gets correct name for hostname certs (bsc#127227)
ardana-manila:
* Put all config into one template (SCRD-7770)
* Fail when Manila service is not running (SCRD-7413)
* Split Manila API and Share deployment (SCRD-7773)
* Comment out example backends (bsc#1116501)
ardana-neutron:
* Fix misspelled variable names (SCRD-7836)
* Neutron services require network service to be started (SCRD-7764)
ardana-nova:
* Add dosfstools as requirement for nova-comptue (SCRD-8175)
ardana-octavia:
* Remove octavia dependency from monasca (SCRD-7690)
ardana-osconfig:
* Clean up ifcfg- files left behind by udevadm (bsc#1105822)
ardana-service:
* Add support for deprecated encryption-key parameter (SCRD-7837)
ardana-ses:
* Run SWF-PRX tasks in dedicated play (SCRD-8602)
* Make SES globals available to SWF (SCRD-8109)
* Add symlink ceph.conf.j2 to ~/openstack/my_cloud/config/ses (bsc#1128479)
* Add support for reusing clients (bsc#1122237)
* Ensure keyring files are readable (bsc#1122237)
ardana-swift:
* Prefer Kronos logrotate conf to Swift RPM logrotate conf (SCRD-7410)
ardana-tempest:
* Enable additional keystone tests (SCRD-7496)
* Enable domain specific drivers on tempest (SCRD-7496)
* Fix tempest heat plugin configuration (SCRD-7508)
* Add freezer to tempest available/testable list (SCRD-7496)
* Fix tempest configuration for magnum (SCRD-7496)
* Add missing test packages (SCRD-7496)
* Set cinder/glance admin on tempest roles (SCRD-7496)
* Update tempest test filters (SCRD-7496)
* Configure tempest accordingly when SES enabled (SCRD-7496)
* Merge test results from parallel and serial filters (SCRD-7784)
crowbar:
* install-chef-suse: filter comments from authorized_keys file
crowbar-core:
* crowbar: Do not rely on Chef::Util::FileEdit to write the file (bsc#1127752)
* Revert 'Disable upgrade API in Cloud8'
* upgrade: Make sure all compute nodes get compute related scripts
* network: run wicked ifdown for interface cleanup (bsc#1063535)
crowbar-ha:
* improve galera HA setup (bsc#1122875)
crowbar-openstack:
* ceilometer: Install package which contains cron file (bsc#1130414)
* monasca: Set hostname for monasca-agent as FQDN (SCRD-8705)
* memcache: Use first array element as fallback (SCRD-8255)
* db: Raise default connection limit to 2048
* rabbit: fix mirroring regex
* neutron: Add osprofiler support
* nova: Add osprofiler support
* cinder: Add osprofiler support
* glance: Add osprofiler support
* keystone: Make osprofiler connection_string configurable
* keystone: Add basic osprofiler support
documentation-suse-openstack-cloud:
* Additional corrections from Carl
* Fix reference to wrong neutron-reconfigure.yml playbook (SCRD-7709)
* increasing url_timeout parameter (SCRD-8512)
* Fix <screen> prompts in migration guide (SCRD-3763)
* Revert 'Fix <screen> prompts in migration guide (SCRD-3763)'
* Fix <screen> prompts in migration guide (SCRD-3763)
* Include additional notes for 3PAR multipath instructions (SCRD-8584)
* remove L2 Gateway Agent (SCRD-7645)
* Added more detail about how to test load balancer during migration
* Fix RHEL SMT repo setup command (SCPM-93)
* added <step> tags
* Update to octavia migration process
* Support Octavia LB's during HOS 5 -> C8 migration (bsc#1094690)
* change parameters ardana-update-status.yml (SCRD-8530)
* Fix haproxy user deletion
* Update description of kernel patch needed for RHEL 7.5 (SCPM-93)
* Adding missing nova guide
* Remove screenshots
* Fix IDs and x-refs
* Fix Magnim user guide. WIP
* Add missing guide. Need fixing
* change 3par multipath statements (bsc#1128928,SCRD-8396)
* remove vlan transparency section (bsc#1125216,SCRD-7648)
* remove ESXi create DVS from the Command Line (bsc#1125180)
* make QE recommended edits (bsc#1124017, bsc#1124022)
* Use &clm; instead of &lcm; for C*loud Lifec*ycle Manager
* add supportconfig, sosreport cross-references (SCRD-2680)
* Fixing xref tag for package builds
* Fix missing ID
* make hidden-tag consistent (SCRD-7870)
* Nesting availability zone aware section
* Removing the API content from the admin guide
* Remove empty sections
* Remove weird [OBJ] characters in odd places
* Replace <function> -> <literal>
* Fixing broken ref
* Add references to DIB back to guide
* rabbitmq cluster replace node (SCRD-7468,SCRD-7469)
* minor typo and prompt changes (no bsc or SCRD)
galera-python-clustercheck:
* Add socket read timeout (bsc#1122053)
openstack-dashboard:
* network topology: handle port AZ correctly
openstack-ec2-api:
* Replace openstack.org git:// URLs with https://
openstack-heat:
* Retry on DB deadlock when updating resource
openstack-heat-templates:
* Replace openstack.org git:// URLs with https://
openstack-horizon-plugin-ironic-ui:
* Normalize operation messages into capital case
* Replace openstack.org git:// URLs with https://
penstack-horizon-plugin-magnum-ui:
* Replace openstack.org git:// URLs with https://
* Set ubuntu-xenial for nodejs jobs
openstack-horizon-plugin-sahara-ui:
* Replace openstack.org git:// URLs with https://
* Remove the legacy integration tests job
penstack-ironic:
* Fix CPU count returned by introspection in Ironic iDRAC driver
openstack-keystone:
* create proper tmpdir for locking
* Remove publish-loci post job
openstack-magnum:
* Replace openstack.org git:// URLs with https://
openstack-manila:
* Replace openstack.org git:// URLs with https://
* Manila VMAX docs - differences between quotas
* Manila VMAX docs - improve pre-configurations on VMAX section
* Manila VMAX docs - clarify snapshot support
* Manila VMAX docs - clarify driver\_handles\_share\_servers
* VMAX manila doc - SSL Support
* VMAX manila doc - use of correct VMAX tags
* VMAX manila - deprecate old tags correctly
* Destroy type quotas when a share type is deleted
* Fix driver filter to not check share\_backend\_name
* Only run the needed services for CephFS jobs
* Return request-id to APIs that don't respond with a body
* Fix service image boot issues
* Port dummy driver manage/unmanage changes to stable
openstack-monasca-api:
* Replace openstack.org git:// URLs with https://
openstack-monasca-notification:
* Replace openstack.org git:// URLs with https://
openstack-monasca-persister:
* Replace openstack.org git:// URLs with https://
openstack-murano:
* Replace openstack.org git:// URLs with https://
openstack-neutron:
* Specify tenant\_id in TestRevisionPlugin objects
* Fix QoS rule update
* Add rootwrap filters to kill state change monitor
* Fix port update deferred IP allocation with host\_id + new MAC
* Try to enable dnsmasq process several times
* Remove conntrack rule when FIP is deleted
* More accurate agent restart state transfer
* [OVS] Exception message when retrieving bridge-id and is not present
* [Functional tests] Change way how conntrack entries are checked
* Change duplicate OVS bridge datapath-ids
* Fix KeyError in OVS firewall
* ovs: raise RuntimeError in \_get\_dp if id is None
* Replace openstack.org git:// URLs with https://
* [Functional] Don't assert that HA router don't have IPs configured
* Improve invalid port ranges error message
* Do not release DHCP lease when no client ID is set on port
* ovsfw: Update SG rules even if OVSFW Port is not found
* Enable ipv6\_forwarding in HA router's namespace
* Spawn metadata proxy on dvr ha standby routers
* Set initial ha router state in neutron-keepalived-state-change
* When converting sg rules to iptables, do not emit dport if not supported
* DVR edge router: avoid accidental centralized floating IP remove
* ovsfw: Don't create rules if updated port doesn't exist
* Add new test decorator skip\_if\_timeout
* Fix notification about arp entries for dvr routers
* Add lock\_path in installation guide
* Fix update of ports cache in router\_info class
* Ensure dnsmasq is down before enabling it in restart method
* Block port update from unbound DHCP agent
* Fix performance regression adding rules to security groups
* Always fill UDP checksums in DHCPv6 replies
* Secure dnsmasq process against external abuse
* Check port VNIC type when associating a floating IP
* Enable 'all' IPv6 forwarding knob correctly
* protect DHCP agent cache out of sync
* Add kill\_timeout to AsyncProcess
* Fullstack: init trunk agent's driver only when necessary
* Don't modify global variables in unit tests
* Do state report after setting start\_flag on OVS restart
* Do not delete trunk bridges if service port attached
* Fix the bug about DHCP port whose network has multiple subnets
* Force all fdb entries update after ovs-vswitchd restart
* Get centralized FIP only on router's snat host
* Include all rootwrap filters when building wheels
openstack-neutron-fwaas:
* don't package tempest plugin twice
openstack-nova:
* Document unset/reset wrinkle for \*\_allocation\_ratio options
* Replace openstack.org git:// URLs with https://
* Refix disk size during live migration with disk over-commit
* Fix WeighedHost logging regression
* Correct examples in 'Manage Compute services' documentation
* Fix disk size during live migration with disk over-commit
* Exclude build request marker from server listing
* Update port device\_owner when unshelving
* Handle tags in \_bury\_in\_cell0
* Null out instance.availability\_zone on shelve offload
* Fix server\_group\_members quota check
* Add functional regressions tests for server\_group\_members OverQuota
* Fix bug case by none token context
* Migrate nova v2.0 legacy job to zuulv3
* Handle missing marker during online data migration
* tox: Don't write byte code (maybe)
* [pike-only] Fix resize\_instance rpcapi call
* Lock detach\_volume
* PCI: do not force remove allocated devices
* Note the aggregate allocation ratio restriction in scheduler docs
* Add regression test for bug #1764883
* Create BDMs/tags in cell with instance when over-quota
* Add functional regression test for bug 1806064
* Not set instance to ERROR if set\_admin\_password failed
* De-dupe subnet IDs when calling neutron /subnets API
* Fix destination\_type attribute in the bdm\_v2 documentation
openstack-octavia:
* Replace openstack.org git:// URLs with https://
openstack-sahara:
* Replace openstack.org git:// URLs with https://
* Use venv-py2 to run sahara-scenario, remove the py3 job
* archive-primary.cloudera.com -> archive.cloudera.com
* Changing hdfs fs to hdfs dfs
* Add DEBIAN\_FRONTEND=noninteractive in front of apt-get install commands
openstack-swift:
* Fixed a cache invalidation issue related to GET and PUT requests to
containers that would occasionally cause object PUTs to a container to
404 after the container had been successfully created.
* Removed a race condition where a POST to an SLO could modify the X-Static-Large-Object metadata.
* Fixed rare socket leak on range requests to erasure-coded objects.
* Fix SLO delete for accounts with non-ASCII names.
* Fixed an issue in COPY where concurrent requests may have copied the wrong data.
* Fixed time skew when using X-Delete-After.
* Send ETag header in 206 Partial Content responses to SLO reads.
openstack-tempest:
* create lockdir on install
python-cinderclient:
* Update .gitreview for stable/pike
* Fix get_highest_client_server_version with Cinder API + uWSGI
* Updated from global requirements
* import zuul job settings from project-config
* Update UPPER_CONSTRAINTS_FILE for stable/pike
python-cryptography:
* Add X509_up_ref() function to help pyOpenSSL deal with CVE-2018-1000807 (bsc#1111635) and CVE-2018-1000808 (bsc#1111634).
python-monasca-common:
* update to version 2.3.1~dev4
python-networking-hyperv:
* import zuul job settings from project-config
python-os-brick:
* iscsiadm -m session' failure handling
* Handle multiple errors in multipath -l parsing
* Fixing FC scanning
* RemoteFS: don't fail in do_mount if already mounted
* Fix multipath disconnect with path failure
* import zuul job settings from project-config
python-venvjail:
* Set [] as default value for --no-relocate-shebang-list
* Exclude some files from relocation (SCRD-8594)
ModerateSUSE bug 1063535SUSE bug 1094690SUSE bug 1105822SUSE bug 1111634SUSE bug 1111635SUSE bug 1114632SUSE bug 1116501SUSE bug 1116686SUSE bug 1122053SUSE bug 1122237SUSE bug 1122875SUSE bug 1124017SUSE bug 1124022SUSE bug 1125180SUSE bug 1125216SUSE bug 1127752SUSE bug 1128479SUSE bug 1128928SUSE bug 1130414SUSE bug 127227CVE-2018-1000807 at SUSECVE-2018-1000807 at NVDCVE-2018-1000808 at SUSECVE-2018-1000808 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for mariadb (Low)SUSE OpenStack Cloud Crowbar 8
This update for mariadb to version 10.2.22 fixes the following issues:
Security issues fixed (bsc#1122198):
- CVE-2019-2510: Fixed a vulnerability which can lead to MySQL compromise and lead to Denial of Service.
- CVE-2019-2537: Fixed a vulnerability which can lead to MySQL compromise and lead to Denial of Service.
Other issues fixed:
- Fixed an issue where mysl_install_db fails due to incorrect basedir (bsc#1127027).
- Fixed an issue where the lograte was not working (bsc#1112767).
- Backport Information Schema CHECK_CONSTRAINTS Table.
- Maximum value of table_definition_cache is now 2097152.
- InnoDB ALTER TABLE fixes.
- Galera crash recovery fixes.
- Encryption fixes.
- Remove xtrabackup dependency as MariaDB ships a build in mariabackup so xtrabackup is not needed (bsc#1122475).
The complete changelog can be found at: https://mariadb.com/kb/en/library/mariadb-10222-changelog/
LowSUSE bug 1112767SUSE bug 1122198SUSE bug 1122475SUSE bug 1127027CVE-2019-2510 at SUSECVE-2019-2510 at NVDCVE-2019-2537 at SUSECVE-2019-2537 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-rack (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-rack fixes the following issues:
Security issued fixed:
- CVE-2018-16471: Fixed a cross-site scripting vulnerability via 'scheme' method (bsc#1116600).
ModerateSUSE bug 1114828SUSE bug 1116600CVE-2018-16471 at SUSECVE-2018-16471 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-activejob-4_2 (Low)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-activejob-4_2 fixes the following issues:
Security issue fixed:
- CVE-2018-16476: Fixed broken access control vulnerability (bsc#1117632).
LowSUSE bug 1117632CVE-2018-16476 at SUSECVE-2018-16476 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libssh2_org (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for libssh2_org fixes the following issues:
- Fix the previous fix for CVE-2019-3860 (bsc#1136570, bsc#1128481)
(Out-of-bounds reads with specially crafted SFTP packets)
ModerateSUSE bug 1128481SUSE bug 1136570CVE-2019-3860 at SUSECVE-2019-3860 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for dnsmasq (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for dnsmasq fixes the following issues:
Security issue fixed:
- CVE-2017-15107: Fixed a vulnerability in DNSSEC implementation. Processing of
wildcard synthesized NSEC records may result improper validation for non-existance. (bsc#1076958)
Non-security issue fixed:
- Reload system dbus to pick up policy change on install (bsc#1054429).
ModerateSUSE bug 1054429SUSE bug 1076958CVE-2017-15107 at SUSECVE-2017-15107 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for postgresql10 (Important)SUSE OpenStack Cloud Crowbar 8
This update for postgresql10 to version 10.9 fixes the following issue:
Security issue fixed:
- CVE-2019-10164: Fixed buffer-overflow vulnerabilities in SCRAM verifier parsing (bsc#1138034).
More information at https://www.postgresql.org/docs/10/release-10-9.html
ImportantSUSE bug 1138034CVE-2019-10164 at SUSECVE-2019-10164 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for glib2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for glib2 fixes the following issues:
Security issue fixed:
- CVE-2019-13012: Fixed improper restriction of file permissions when creating directories (bsc#1139959).
Non-security issue fixed:
- Added explicit requires between libglib2 and libgio2 (bsc#1140122).
ImportantSUSE bug 1139959SUSE bug 1140122CVE-2019-13012 at SUSECVE-2019-13012 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox, mozilla-nss fixes the following issues:
MozillaFirefox to version ESR 60.8:
- CVE-2019-9811: Sandbox escape via installation of malicious language pack (bsc#1140868).
- CVE-2019-11711: Script injection within domain through inner window reuse (bsc#1140868).
- CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects (bsc#1140868).
- CVE-2019-11713: Use-after-free with HTTP/2 cached stream (bsc#1140868).
- CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (bsc#1140868).
- CVE-2019-11715: HTML parsing error can contribute to content XSS (bsc#1140868).
- CVE-2019-11717: Caret character improperly escaped in origins (bsc#1140868).
- CVE-2019-11719: Out-of-bounds read when importing curve25519 private key (bsc#1140868).
- CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin (bsc#1140868).
- CVE-2019-11709: Multiple Memory safety bugs fixed (bsc#1140868).
mozilla-nss to version 3.44.1:
* Added IPSEC IKE support to softoken
* Many new FIPS test cases
ImportantSUSE bug 1140868CVE-2019-11709 at SUSECVE-2019-11709 at NVDCVE-2019-11711 at SUSECVE-2019-11711 at NVDCVE-2019-11712 at SUSECVE-2019-11712 at NVDCVE-2019-11713 at SUSECVE-2019-11713 at NVDCVE-2019-11715 at SUSECVE-2019-11715 at NVDCVE-2019-11717 at SUSECVE-2019-11717 at NVDCVE-2019-11719 at SUSECVE-2019-11719 at NVDCVE-2019-11729 at SUSECVE-2019-11729 at NVDCVE-2019-11730 at SUSECVE-2019-11730 at NVDCVE-2019-9811 at SUSECVE-2019-9811 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ardana and crowbar (Important)SUSE OpenStack Cloud Crowbar 8
This update for ardana and crowbar fixes the following issues:
- Restrict rootwrap directories for cinder (bsc#1132542)
- Change Cinder default log level from DEBUG to INFO (SCRD-7132)
- Remove configuration from migration (bsc#1126391)
- Configurable innodb flush options (SCRD-7496)
- Secure designate's rootwrap files (bsc#1132542)
- specify rootwrap config file in designate sudoer (bsc#1132542)
- Update Designate log threshold from DEBUG to INFO (SCRD-8459)
- Change Glance default log level from DEBUG to INFO (SCRD-8592)
- Change Heat default log level from DEBUG to INFO (SCRD-7132)
- Fix Horizon missing create snapshot action for users (bsc#1130593)
- Don't set external-name in ardana-ci models (SCRD-7471)
- Fix fail-over/-back behavior of haproxy for galera (bsc#1122875)
- Update swift endpoints from keystone-reconfigure.yml if needed (SCRD-8703)
- Change Magnum default log level from DEFAULT to INFO (SCRD-7132)
- Rip out vertica related code (SCRD-9031)
- Tighten neutron sudoers to only execute rootwrap (bsc#1132542)
- Change Neutron default log level from DEBUG to INFO (SCRD-7132)
- SCRD-9031 Change permitted nova-rootwrap config file pattern (bsc#1132542)
- specify rootwrap config file in nova sudoer (bsc#1132542)
- Change Nova default log level from DEBUG to INFO (SCRD-7132)
- Stop installing a sudoers root escalator (SCRD-9031)
- Change Octavia default log level from DEBUG to INFO (SCRD-7132)
- Increase number of connect retries (SCRD-7496)
- UDEV rules for multi-port nics (SCRD-8329)
- Ensure that the ceph group exists (SCRD-8347)
- Disable test_create_health_monitor_with_scenarios tempest (SOC-9176)
- Make --os-test-timeout configurable and increase default (SCRD-7496)
- Disable TestVolumeBootPattern.test_volume_boot_pattern (SCRD-9015)
- Increase and make timeout values configurable (SCRD-7496)
- Configure heat boot config template path (SCRD-7496)
- Fix typo on ceilometer filter (SCRD-7496)
- barclamp: Fix setting MTU on networks using a bridge
- Fix order of values in nodes piechart
- Ignore CVE-2019-11068 during Travis (SOC-9262)
- Fix cloud-mkcloud9-job-backup-restore (SCRD-7126)
- Update suse-branding.patch with correct links for documentation
(SCRD-8294)
- pacemaker: add failure nodes to sync fail message (bsc#1083721)
- update suse-branding.patch (SOC-9297)
- pacemaker: wait more for founder if SBD is configured (SCRD-8462)
- pacemaker: don't check cluster members on founder (SCRD-8462)
- database: Make wsrep_provider_options configurable (fate#327745)
- database: Raise and align promote/demote timeouts (bsc#1131791)
- mysql: improve galera HA setup (bsc#1122875)
- Update suse-branding.patch with correct links for documentation
(SCRD-8294)
- neutron: Fix the rest of the keystone related settings for LBaaS
- neutron: properly define neutron lbaas region (bsc#1128753)
- CLM - update MariaDB manually (bsc#1132852, SOC-9022)
- update MariaDB manually (bsc#1132852, SOC-9022)
- SOC8 alarm table restructure ((SCRD-7710, bsc#1124170)
- Fix bsc#1118003
- add deprecation decision tree (shrub) (SCRD-8530)
- add cert section (SCRD-5542)
- grammar; make migration pairing more explicit (SCRD-7595)
- Remove whitespace on top of login page (SCRD-7142)
- Revert alert and form colors to default SCRD-6919
- Change active sidebar section text white SCRD-6919
- Updated the openstack-monasca-agent-sudoers file (bsc#1132542)
- Don't restart neutron-ovs-cleanup on RPM update (bsc#1132860)
- Fix KeyError in OVS firewall (bsc#1131712, CVE-2019-10876)
- update to 1.11.20 (bsc#124991, CVE-2019-6975):
- Memory exhaustion in ``django.utils.numberformat.format()``
- Include ops-console logs if exist (bsc-1126912)
- Add a sed pattern to censor passwords from servers.yml (bsc#1105559)
- Show the status file of crowbar upgrade (if it exists)
ImportantSUSE bug 1083721SUSE bug 1105559SUSE bug 1118003SUSE bug 1120932SUSE bug 1122875SUSE bug 1124170SUSE bug 1126391SUSE bug 1128753SUSE bug 1130593SUSE bug 1131712SUSE bug 1131791SUSE bug 1132542SUSE bug 1132852SUSE bug 1132860SUSE bug 124991CVE-2018-14574 at SUSECVE-2018-14574 at NVDCVE-2019-10876 at SUSECVE-2019-10876 at NVDCVE-2019-11068 at SUSECVE-2019-11068 at NVDCVE-2019-3498 at SUSECVE-2019-3498 at NVDCVE-2019-6975 at SUSECVE-2019-6975 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ucode-intel (Important)SUSE OpenStack Cloud Crowbar 8
This update for ucode-intel fixes the following issues:
This update contains the Intel QSR 2019.1 Microcode release (bsc#1111331)
Four new speculative execution information leak issues have been identified in Intel CPUs. (bsc#1111331)
- CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
- CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)
- CVE-2018-12130: Microarchitectural Load Port Data Samling (MLPDS)
- CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
These updates contain the CPU Microcode adjustments for the software mitigations.
For more information on this set of vulnerabilities, check out https://www.suse.com/support/kb/doc/?id=7023736
Release notes:
---- updated platforms ------------------------------------
SNB-E/EN/EP C1/M0 6-2d-6/6d 0000061d->0000061f Xeon E3/E5, Core X
SNB-E/EN/EP C2/M1 6-2d-7/6d 00000714->00000718 Xeon E3/E5, Core X
ImportantSUSE bug 1111331CVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for glibc (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for glibc fixes the following issues:
Security issues fixed:
- CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308).
- CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223).
Non-security issues fixed:
- Added cfi information for start routines in order to stop unwinding on S390 (bsc#1128574).
ModerateSUSE bug 1127223SUSE bug 1127308SUSE bug 1128574CVE-2009-5155 at SUSECVE-2009-5155 at NVDCVE-2019-9169 at SUSECVE-2019-9169 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for bzip2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for bzip2 fixes the following issues:
- Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities
with files that used many selectors (bsc#1139083).
ImportantSUSE bug 1139083CVE-2019-12900 at SUSECVE-2019-12900 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for polkit (Important)SUSE OpenStack Cloud Crowbar 8
This update for polkit fixes the following issues:
Security issue fixed:
- CVE-2019-6133: Fixed improper caching of auth decisions, which could bypass
uid checking in the interactive backend (bsc#1121826).
ImportantSUSE bug 1121826CVE-2019-6133 at SUSECVE-2019-6133 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_8_0-openjdk (Important)SUSE OpenStack Cloud Crowbar 8
This update for java-1_8_0-openjdk to version 8u222 fixes the following issues:
Security issues fixed:
- CVE-2019-2745: Improved ECC Implementation (bsc#1141784).
- CVE-2019-2762: Exceptional throw cases (bsc#1141782).
- CVE-2019-2766: Improve file protocol handling (bsc#1141789).
- CVE-2019-2769: Better copies of CopiesList (bsc#1141783).
- CVE-2019-2786: More limited privilege usage (bsc#1141787).
- CVE-2019-2816: Normalize normalization (bsc#1141785).
- CVE-2019-2842: Extended AES support (bsc#1141786).
- CVE-2019-7317: Improve PNG support (bsc#1141780).
- Certificate validation improvements
Non-security issue fixed:
- Fixed an issue where the installation failed when the manpages are not present (bsc#1115375)
ImportantSUSE bug 1115375SUSE bug 1141780SUSE bug 1141782SUSE bug 1141783SUSE bug 1141784SUSE bug 1141785SUSE bug 1141786SUSE bug 1141787SUSE bug 1141789CVE-2019-2745 at SUSECVE-2019-2745 at NVDCVE-2019-2762 at SUSECVE-2019-2762 at NVDCVE-2019-2766 at SUSECVE-2019-2766 at NVDCVE-2019-2769 at SUSECVE-2019-2769 at NVDCVE-2019-2786 at SUSECVE-2019-2786 at NVDCVE-2019-2816 at SUSECVE-2019-2816 at NVDCVE-2019-2842 at SUSECVE-2019-2842 at NVDCVE-2019-7317 at SUSECVE-2019-7317 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for mariadb (Important)SUSE OpenStack Cloud Crowbar 8
This update for mariadb fixes the following issues:
Update to MariaDB 10.0.38 GA (bsc#1136037).
Security issues fixed:
- CVE-2019-2537: Denial of service via multiple protocols (bsc#1136037)
- CVE-2019-2529: Denial of service via multiple protocols (bsc#1136037)
- CVE-2018-3282: Server Storage Engines unspecified vulnerability (CPU Oct 2018) (bsc#1112432)
- CVE-2018-3251: InnoDB unspecified vulnerability (CPU Oct 2018) (bsc#1112397)
- CVE-2018-3174: Client programs unspecified vulnerability (CPU Oct 2018) (bsc#1112368)
- CVE-2018-3156: InnoDB unspecified vulnerability (CPU Oct 2018) (bsc#1112417)
- CVE-2018-3143: InnoDB unspecified vulnerability (CPU Oct 2018) (bsc#1112421)
- CVE-2018-3066: Unspecified vulnerability in the MySQL Server component of Oracle MySQL (subcomponent Server Options). (bsc#1101678)
- CVE-2018-3064: InnoDB unspecified vulnerability (CPU Jul 2018) (bsc#1103342)
- CVE-2018-3063: Unspecified vulnerability in the MySQL Server component of Oracle MySQL (subcomponent Server Security Privileges). (bsc#1101677)
- CVE-2018-3058: Unspecified vulnerability in the MySQL Server component of Oracle MySQL (subcomponent MyISAM). (bsc#1101676)
- CVE-2016-9843: Big-endian out-of-bounds pointer (bsc#1013882)
Non-security changes:
- Removed PerconaFT from the package as it has AGPL licence (bsc#1118754).
- Do not just remove tokudb plugin but don't build it at all (missing jemalloc dependency).
- Fixed reading options for multiple instances if my${INSTANCE}.cnf is used (bsc#1132666).
- Removed 'umask 077' from mysql-systemd-helper that caused new datadirs created
with wrong permissions (bsc#1132666).
Release notes and changelog:
- https://kb.askmonty.org/en/mariadb-10038-release-notes
- https://kb.askmonty.org/en/mariadb-10038-changelog
- https://kb.askmonty.org/en/mariadb-10037-release-notes
- https://kb.askmonty.org/en/mariadb-10037-changelog
- https://kb.askmonty.org/en/mariadb-10036-release-notes
- https://kb.askmonty.org/en/mariadb-10036-changelog
ImportantSUSE bug 1013882SUSE bug 1101676SUSE bug 1101677SUSE bug 1101678SUSE bug 1103342SUSE bug 1112368SUSE bug 1112397SUSE bug 1112417SUSE bug 1112421SUSE bug 1112432SUSE bug 1116686SUSE bug 1118754SUSE bug 1132666SUSE bug 1136037CVE-2016-9843 at SUSECVE-2016-9843 at NVDCVE-2018-3058 at SUSECVE-2018-3058 at NVDCVE-2018-3063 at SUSECVE-2018-3063 at NVDCVE-2018-3064 at SUSECVE-2018-3064 at NVDCVE-2018-3066 at SUSECVE-2018-3066 at NVDCVE-2018-3143 at SUSECVE-2018-3143 at NVDCVE-2018-3156 at SUSECVE-2018-3156 at NVDCVE-2018-3174 at SUSECVE-2018-3174 at NVDCVE-2018-3251 at SUSECVE-2018-3251 at NVDCVE-2018-3282 at SUSECVE-2018-3282 at NVDCVE-2019-2529 at SUSECVE-2019-2529 at NVDCVE-2019-2537 at SUSECVE-2019-2537 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python3 (Important)SUSE OpenStack Cloud Crowbar 8
This update for python3 fixes the following issues:
- CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).
- CVE-2018-14647: Fixed a denial of service vulnerability caused by a crafted XML document (bsc#1109847).
- CVE-2018-1000802: Fixed a command injection in the shutil module (bsc#1109663).
ImportantSUSE bug 1109663SUSE bug 1109847SUSE bug 1138459CVE-2018-1000802 at SUSECVE-2018-1000802 at NVDCVE-2018-14647 at SUSECVE-2018-14647 at NVDCVE-2019-10160 at SUSECVE-2019-10160 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-Twisted (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-Twisted fixes the following issue:
Security issue fixed:
- CVE-2019-12387: Fixed an improper sanitization of URIs or HTTP which could have allowed
attackers to perfrom CRLF attacks (bsc#1137825).
ModerateSUSE bug 1137825CVE-2019-12387 at SUSECVE-2019-12387 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for evince (Important)SUSE OpenStack Cloud Crowbar 8
This update for evince fixes the following issues:
Security issues fixed:
- CVE-2019-11459: Fixed an improper error handling in which could have led to use of uninitialized use of memory (bsc#1133037).
- CVE-2019-1010006: Fixed a buffer overflow in backend/tiff/tiff-document.c (bsc#1141619).
ImportantSUSE bug 1133037SUSE bug 1141619CVE-2019-1010006 at SUSECVE-2019-1010006 at NVDCVE-2019-11459 at SUSECVE-2019-11459 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for squid (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for squid fixes the following issues:
Security issue fixed:
- CVE-2019-12529: Fixed a potential denial of service associated with HTTP Basic Authentication credentials (bsc#1141329).
- CVE-2019-12525: Fixed a denial of service during processing of HTTP Digest Authentication credentials (bsc#1141332).
- CVE-2019-13345: Fixed a cross site scripting vulnerability via user_name or auth parameter in cachemgr.cgi (bsc#1140738).
ModerateSUSE bug 1140738SUSE bug 1141329SUSE bug 1141332CVE-2019-12525 at SUSECVE-2019-12525 at NVDCVE-2019-12529 at SUSECVE-2019-12529 at NVDCVE-2019-13345 at SUSECVE-2019-13345 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python (Important)SUSE OpenStack Cloud Crowbar 8
This update for python fixes the following issues:
- CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).
- CVE-2018-20852: Fixed an information leak where cookies could be send to the wrong server because of incorrect domain validation (bsc#1141853).
ImportantSUSE bug 1138459SUSE bug 1141853CVE-2018-20852 at SUSECVE-2018-20852 at NVDCVE-2019-10160 at SUSECVE-2019-10160 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for postgresql96 (Important)SUSE OpenStack Cloud Crowbar 8
This update for postgresql96 fixes the following issues:
Security issue fixed:
- CVE-2019-10208: Fixed arbitrary SQL execution via suitable SECURITY DEFINER function under the identity of the function owner (bsc#1145092).
ImportantSUSE bug 1145092CVE-2019-10208 at SUSECVE-2019-10208 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for nodejs6 (Important)SUSE OpenStack Cloud Crowbar 8
This update for nodejs6 fixes the following issues:
- CVE-2019-13173: Fixed a potential file overwrite via hardlink in fstream.DirWriter() (bsc#1140290).
ImportantSUSE bug 1140290CVE-2019-13173 at SUSECVE-2019-13173 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-rails-html-sanitizer (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-rails-html-sanitizer fixes the following issues:
- CVE-2018-3741: Fixed a XSS vulnerability due to insufficient filtering in scrub_attribute (bsc#1086598).
ModerateSUSE bug 1086598CVE-2018-3741 at SUSECVE-2018-3741 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-loofah (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-loofah fixes the following issues:
- Security issue fixed:
- CVE-2018-8048: Update fix to make Loofah::HTML5::Scrub.force_correct_attribute_escaping! callable from other gems (bsc#1086598).
ModerateSUSE bug 1086598CVE-2018-8048 at SUSECVE-2018-8048 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ardana-ansible, ardana-db, ardana-freezer, ardana-glance, ardana-input-model, ardana-nova, ardana-osconfig, ardana-tempest, caasp-openstack-heat-templates, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, documentation-suse-openstack-cloud, galera-python-clustercheck, openstack-cinder, openstack-glance, openstack-heat, openstack-horizon-plugin-monasca-ui, openstack-horizon-plugin-neutron-fwaas-ui, openstack-ironic, openstack-keystone, openstack-manila, openstack-monasca-agent, openstack-monasca-api, openstack-monasca-persister, openstack-monasca-persister-java, openstack-murano, openstack-neutron, openstack-neutron-gbp, openstack-neutron-lbaas, openstack-nova, openstack-octavia, python-Beaver, python-oslo.db, python-osprofiler, python-swiftlm, venv-openstack-magnum, venv-openstack-monasca, venv-openstack-monasca-ceilometer, venv-openstack-murano, venv-openstack-neutron (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for ardana-ansible, ardana-db, ardana-freezer, ardana-glance, ardana-input-model, ardana-nova, ardana-osconfig, ardana-tempest, caasp-openstack-heat-templates, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, documentation-suse-openstack-cloud, galera-python-clustercheck, openstack-cinder, openstack-glance, openstack-heat, openstack-horizon-plugin-monasca-ui, openstack-horizon-plugin-neutron-fwaas-ui, openstack-ironic, openstack-keystone, openstack-manila, openstack-monasca-agent, openstack-monasca-api, openstack-monasca-persister, openstack-monasca-persister-java, openstack-murano, openstack-neutron, openstack-neutron-gbp, openstack-neutron-lbaas, openstack-nova, openstack-octavia, python-Beaver, python-oslo.db, python-osprofiler, python-swiftlm, venv-openstack-magnum, venv-openstack-monasca, venv-openstack-monasca-ceilometer, venv-openstack-murano, venv-openstack-neutron fixes the following issues:
- Update to version 8.0+git.1560208949.67048e3:
* Adds repository list parameter (bsc#1122825)
- Update to version 8.0+git.1564410318.f0cca2c:
* Don't use 'latest' with 'zypper' (SOC-9997)
- Update to version 8.0+git.1564164977.ef9baeb:
* Freezer Config file is mixed case (SOC-9700)
- Update to version 8.0+git.1564491709.349d78e:
* Default glance_default_store to rbd if SES enabled (SOC-8749)
- Update to version 8.0+git.1562848601.c3daff0:
* Include memcached in the minimal ardana-ci model (SOC-9800)
- Update to version 8.0+git.1565388406.c6abb8d:
* Make default/rpc_response_timeout configurable (SOC-9285)
- Update to version 8.0+git.1562943864.e04a92f:
* Resolves nova-novncproxy random status failures (SOC-9574)
- Update to version 8.0+git.1560180700.bd26898:
* Adding support for qemu-ovmf to ardana (SOC-8985)
- Update to version 8.0+git.1563383198.c7fd9b4:
* Add an global_filter entry to lvm.conf (bsc#1140512)
- Update to version 8.0+git.1559761021.5605746:
* Enable FCOE for SUSE platform family (SCRD-8562)
- Update to version 8.0+git.1562849010.73bc517:
* Fix Keystone only deployment tempest testing (SOC-9800)
- Update to version 8.0+git.1560764545.6c8d2dc:
* Install manila tempest tests package (SOC-7496)
- Update to version 8.0+git.1560330843.b7d807c:
* Add configuration for manila-tempest-plugin (SOC-7496)
- Update to version 1.0+git.1560518045.ad7dc6d:
* Patching node before bootstraping
- Update to version 5.0+git.1565280360.01fed6905:
* batch: Fix get_proposal_json (SOC-9954)
* batch: Format crowbar batch error output (SOC-9954)
* batch: Format crowbar batch error output (SOC-9954)
- Update to version 5.0+git.1564657662.75174c965:
* travis: Whitelist CVE-2015-3448 (SOC-9911)
* travis: Use env variable for commit range (SOC-9911)
* Use proper names for the Travis Tests (SOC-9565)
* Replace Danger with Gitlint (SOC-9565)
* Switch from Travis dist from Trusty to Xenial (SOC-9565)
- Update to version 5.0+git.1563983933.03880f1c8:
* dns: fix migration for designate
- Update to version 5.0+git.1562080799.f2dd7d0dd:
* network: Don't set datapath-ids on ovs-bridges anymore
* crowbar: Save sync_mark attributes in databag
- Update to version 5.0+git.1561648142.b6be652e9:
* dns: forwards dns queries to dns-master when using desingate
* dns: write admin network in ip/mask notation for bind9
* dns: skip installing designate-rndc-key on non-master nodes
* dns: fix designate migration
* dns: allow using dns-server as designate target
* bind: Allow new zones configured via rndc
* bind: Disable listening on IPv6 addresses for now
- Update to version 5.0+git.1561465092.4dc67a7fa:
* travis: pin sexp_processor to 4.12.0
- Update to version 5.0+git.1561380950.b4e37c0e2:
* deployer: Use dhcp on crowbar_register only when enable_pxe is set (bsc#1132654)
* network: Allow locking down the network config for nodes (bsc#1120657)
- Update to version 5.0+git.1562069707.e2de18c:
* Add timeout multiplier
* Make default sync_mark timeout configurable
- Update to version 5.0+git.1565270683.ea6e63d87:
* designate: Use server node for VIP look ups (SOC-9631)
- Update to version 5.0+git.1565081678.e15f2c9a9:
* nova: add max_threads_per_process tuneable (SOC-10001, bsc#1133719)
- Update to version 5.0+git.1562911219.f22efd5c2:
* designate: allow worker on cluster (SOC-9632)
* swift: Sync HA nodes (SOC-9683)
- Update to version 5.0+git.1562731577.aefaf8a6d:
* Improve Mnesia IO performances
- Update to version 5.0+git.1562650331.0e86ce8ba:
* cinder: Set cinder pool to exclusive by default when using embedded ceph
- Update to version 5.0+git.1561984197.a675e8c50:
* designate: do not install the keystone_authtoken on worker nodes
* neutron: enable designate integration
* designate: rely on dns-master entirely
* designate: Fix variables initialization in mdns
* designate: start and run the mdns service
* designate: Finish rename of role to designate-worker
* designate: address most hound comments.
* designate: update monasca monitoring.
* neutron: add floating_dns_domain setting
* designate: Add initial designate barclamp
- Update to version 5.0+git.1559857295.d68afb38f:
* rabbitmq: Fix ACL of SSL key after uid/gid change
- Update to version 5.0+git.1559536094.a9cc7f312:
* nova: Don't retry creating existing flavors
- Update to version 1.2.0+git.1563181545.65360af5:
* upgrade: Update repocheck keys
* Update texts for 8-9 upgrade (SOC-9689)
- Update to version 1.2.0+git.1562579063.5690a1bc:
* Pin gulp-angular-templatecache version
- Update to version 8.20190805:
* DC files: Align profiling, throw out unnecessary attributes
* Rename DCs: 'hos-imported' to 'clm-all' & '-all' to 'crowbar-all'
* Fix styleroot of Helion set
* add ardana prompt, add ardana-init step (bsc#1143310)
* New ID format (noref)
- Update packaging to deal with new IDs
- Update to version 8.20190729:
* add image-volume cache instructions for SES (bsc#1140663)
- Update to version 8.20190725:
* warning about .j2 file comments (bsc#1142521)
* MANAGEMENT network group name cannot be changed (bsc#1142686)
- Update to version 8.20190724:
* replace SUSE ca-certificate instructions for Crowbar (bsc#1136569)
* replace SUSE ca-certificate instructions (bsc#1136569)
- Update to version 8.20190723:
* update MariaDB manually with CLI (bsc#1132852, SOC-9022)
* clarify No Maintenance Mode (bsc#1108818)
* replace empty ESX compatibility guide (noref)
* delete cache volume before trying to use source volume (bsc#1142032)
* delete cache volume when source volume is changed (bsc#1142032)
* replace empty ESX compatibility guide (noref)
- Update to version 8.20190719:
* add hostnamectl to ardana-update-pkgs process (bsc#1138967)
- Update to version 8.20190718:
* correct repo URL (bsc#1134589)
* remove duplicate content (bsc#1138489)
- Update to version 8.20190717:
* corrections from Scott Wulf (bsc#1128453)
* replace SLES 12 SP2 with SLES 12 SP3 (bsc#1128382)
* add information about image-volume-cache (bsc#1140663)
* remove deprecated parameters (bsc#1138124)
* correct file reference (bsc#1137377)
* change SES URL (bsc#1137817)
* manually set br-int(bsc#1139750)
* update MariaDB manually with CLI (bsc#1132852, SOC-9022)
- Update to version 8.20190717:
* Fix DC file
- Update to version 8.20190621:
* minor grammar fixups
* add external reference to Deploy Keystone
* add LDAP integration troubleshooting (bsc#1134495)
* clarify LDAP manual vs GUI (bsc#1134495)
* address requested changes
* SOC8 alarm table restructure ((SCRD-7710, bsc#1124170)
- Update to version 8.20190620:
* Update installation-installation-ses_integration.xml
* Adding copy-on-write cloning backport - BSC#1138187
* move fernet token to supported Keystone feature
* Remove obsolete DC/DEF file
* Fix title
* CLM - update MariaDB manually (bsc#1132852, SOC-9022)
* update MariaDB manually (bsc#1132852, SOC-9022)
* Fix command to create external network
* Remove sudo from commands in 'Setting Up Multiple External Networks'
* address requested changes
* SOC8 alarm table restructure ((SCRD-7710, bsc#1124170)
* add scottwulf content
* address recommended changes
* change PTF deploy instructions (bsc#1128453)
- Update to version 8.20190613:
* Update installation-installation-ses_integration.xml
* Adding copy-on-write cloning backport - BSC#1138187
- Update to version 8.20190605:
* move fernet token to supported Keystone feature
- Add 0001-Use-strings-when-setting-X-Cache-header.patch
Fixes a problem with Twisted versions where headers values
must be strings, not bools.
- Update to version 0.0+git.1562242499.36b8b64 (bsc#1122053):
* Add optional systemd ready and watchdog support
* Drop unneeded check for 'conn'
* Reset last_query_response when the cache needs to be updated
* Drop unneeded 'conn' var initialization
* Move respone header generation to own function
* Use None as default result
* Drop opts.being_updated variable
* Use contextmanager for DB connection
* Refactor DB method to get WSREP local state
* Refactor method to get readonly DB status
* pep8: Fix E712 comparison to False should be 'if cond is False:'
* pep8: Fix E305 expected 2 blank lines after class or function def
* pep8: Fix E124 closing bracket does not match visual indentation
* pep8: Fix E251 unexpected spaces around keyword / parameter equals
* pep8: Fix E262 inline comment should start with '# '
* pep8: Fix E261 at least two spaces before inline comment
* pep8: Fix F841 local variable is assigned to but never used
* pep8: Fix E302 expected 2 blank lines, found 1
* pep8: Fix E265 block comment should start with '# '
* pep8: Fix E231 missing whitespace after ','
* pep8: Fix E999 SyntaxError: invalid syntax
* pep8: Fix F821 undefined name
* pep8: Fix E225 missing whitespace around operator
* pep8: Fix E221 multiple spaces before operator
* pep8: Fix F401 module imported but unused
* Add clustercheck to console_scripts
* Add basic test infrastructure and a first pep8 job
* Fix exception handling for pymysql exception
* Readd argparse usage
* Fix installation requirements
* Add read timeout to prevent connection hanging forever
* Exclude benchmark/ directory when creating sdist tarball
* Use argparse instead of optparse
* Add basic logging infrastructure
* Add a standard setup.py file
* Catch all query exceptions
* Switch to PyMySQL
- Drop pymysql.patch and readtimeout.patch. Both merged upstream.
- Use systemd service type=notify which is now supported upstream
- Use systemd watchdog which is now supported upstream
- Update to version cinder-11.2.3.dev7:
* [VNX] Fix test case issue
- Update to version cinder-11.2.3.dev6:
* VMAX Pike docs - clarifying supported software in Pike
- Update to version cinder-11.2.3.dev7:
* [VNX] Fix test case issue
- Update to version cinder-11.2.3.dev6:
* VMAX Pike docs - clarifying supported software in Pike
- Update to version glance-15.0.3.dev2:
* Add a local bindep.txt override
* OpenDev Migration Patch
15.0.2
- Update to version glance-15.0.3.dev2:
* Add a local bindep.txt override
* OpenDev Migration Patch
15.0.2
- Update to version heat-9.0.8.dev11:
* Retry on DB deadlock in event\_create()
- Update to version heat-9.0.8.dev10:
* Add local bindep.txt and limit bandit version
- Update to version heat-9.0.8.dev9:
* Fix regression with SW deployments when region not configured
* Return None for attributes of sd with no actions
* Fix multi region issue for software deployment
- Update to version heat-9.0.8.dev4:
* Blacklist bandit 1.6.0 and cap Sphinx on Python2
- Update to version heat-9.0.8.dev11:
* Retry on DB deadlock in event\_create()
- Update to version heat-9.0.8.dev10:
* Add local bindep.txt and limit bandit version
- Update to version heat-9.0.8.dev9:
* Fix regression with SW deployments when region not configured
* Return None for attributes of sd with no actions
* Fix multi region issue for software deployment
- Update to version heat-9.0.8.dev4:
* Blacklist bandit 1.6.0 and cap Sphinx on Python2
- update to version 1.8.1~dev39
- Convert README.md to ReStructuredText format
- OpenDev Migration Patch
- don't exclude *pyc files to fix update/upgrade (SOC-9339)
- Update to version ironic-9.1.8.dev7:
* Add bindep.txt
- Update to version ironic-9.1.8.dev6:
* Update sphinx requirements
- Update to version ironic-9.1.8.dev7:
* Add bindep.txt
- Update to version ironic-9.1.8.dev6:
* Update sphinx requirements
- 0001-Allow-domain-admin-to-list-projest-assignments.patch
* bsc#1118159
* forward-port from SOC 7
- Update to version manila-5.1.1.dev2:
* [CI] Add bindep.txt
* OpenDev Migration Patch
5.1.0
- Update to version manila-5.1.1.dev2:
* [CI] Add bindep.txt
* OpenDev Migration Patch
5.1.0
- update to version 2.2.5~dev5
- Convert README to reStructuredText
- OpenDev Migration Patch
- update to version 2.2.2~dev1
- OpenDev Migration Patch
- Fix test_metrics tempest-test encoding
- Convert README.md to ReStructuredText format
- update to version 1.7.1~dev10
- OpenDev Migration Patch
- Convert README.md to ReStructuredTest format
- Add 0001-Update-all-columns-in-metrics-on-an-update-to-refres.patch (bsc#1128783)
- Add java-persister-defaults.patch
- Update to version murano-4.0.2.dev2:
* Add local bindep.txt
* OpenDev Migration Patch
4.0.1
- Update to version murano-4.0.2.dev2:
* Add local bindep.txt
* OpenDev Migration Patch
4.0.1
- Update to version neutron-11.0.9.dev42:
* Yield control to other greenthreads while processing trusted ports
- Update to version neutron-11.0.9.dev41:
* DVR: on new port only send router update on port's host
- Update to version neutron-11.0.9.dev40:
* Reset MAC on unbinding direct-physical port
- Update to version neutron-11.0.9.dev38:
* SRIOV agent: wait VFs initialization on embedded switch create
- Update to version neutron-11.0.9.dev36:
* Make OVS controller inactivity\_probe configurable
- Update to version neutron-11.0.9.dev34:
* Packets getting lost during SNAT with too many connections
* [DVR] Block ARP to dvr router's port instead of subnet's gateway
- Update to version neutron-11.0.9.dev30:
* improve dvr port update under large scale deployment
- Update to version neutron-11.0.9.dev29:
* cap bandit in test-requirements.txt
- Update to version neutron-11.0.9.dev42:
* Yield control to other greenthreads while processing trusted ports
- Update to version neutron-11.0.9.dev41:
* DVR: on new port only send router update on port's host
- Update to version neutron-11.0.9.dev40:
* Reset MAC on unbinding direct-physical port
- Update to version neutron-11.0.9.dev38:
* SRIOV agent: wait VFs initialization on embedded switch create
- Update to version neutron-11.0.9.dev36:
* Make OVS controller inactivity\_probe configurable
- Update to version neutron-11.0.9.dev34:
* Packets getting lost during SNAT with too many connections
* [DVR] Block ARP to dvr router's port instead of subnet's gateway
- Update to version neutron-11.0.9.dev30:
* improve dvr port update under large scale deployment
- Update to version neutron-11.0.9.dev29:
* cap bandit in test-requirements.txt
* When converting sg rules to iptables, do not emit dport if not supported (CVE-2019-9735, bsc#1129729)
- Update to version group-based-policy-7.3.1.dev45:
* Adding icmp\_code and icmp\_type for SG rule
- Update to version group-based-policy-7.3.1.dev43:
* A VM could be associated with multiple ports
* Optimize the extend\_router\_dict() call
- Update to version group-based-policy-7.3.1.dev40:
* [AIM] Enhance gbp-validate to detect routed subnet overlap
* [AIM] Prevent overlapping CIDRs in routed VRF
- Update to version group-based-policy-7.3.1.dev37:
* Disallow external subnets as router interfaces
* Make DHCP provisioning blocks conditional
- Update to version group-based-policy-7.3.1.dev34:
* Fix issues on sync\_state display on neutron based on AIM status
* Send the port updates for the SNAT case if needed
- Update to version group-based-policy-7.3.1.dev32:
* Pull the upper constraint file also from the opendev.org site
- Update to version group-based-policy-7.3.1.dev31:
* Fix the thread concurrency issue while calling gbp purge
- Update to version group-based-policy-7.3.1.dev30:
* [AIM] Fix handling of missing PortSecurityBinding
- Update to version group-based-policy-7.3.1.dev29:
* [AIM] Don't override loading of SG rules when validating
- add 0001-neutron-lbaas-haproxy-agent-prevent-vif-unplug-when-.patch
and 0001-Fix-memory-leak-in-the-haproxy-provider-driver.patch
- Update to version nova-16.1.9.dev4:
* Implement power\_off/power\_on for the FakeDriver
- Update to version nova-16.1.9.dev4:
* Implement power\_off/power\_on for the FakeDriver
* Fix doubling allocations on rebuild (CVE-2017-17051, bsc#1070500)
- Update to version octavia-1.0.6.dev2:
* Add bindep.txt and ignore sha1 warning
* OpenDev Migration Patch
1.0.5
- Switch to new Gerrit Server
- added 0001-exc_filters-fix-deadlock-detection-for-MariaDB-Galer.patch
- added 0001-Add-sqlalchemy-collector.patch
- added 0001-Don-t-fail-if-sqlalchemy-driver-fails-to-initialize.patch
- update to version 1.11.1
- Update .gitreview for stable/pike
- import zuul job settings from project-config
- Switch to new Gerrit Server
- Fix lower version numver after inheriting the version from main
component (SCRD-8523)
- Do not relocate shebang in make-cert.py (SCRD-8594)
- Inherit version number of venv from main component (SCRD-8523)
- Inherit version number of venv from main component (SCRD-8523)
- Fix lower version numver after inheriting the version from main
component (SCRD-8523)
- Inherit version number of venv from main component (SCRD-8523)
- Inherit version number of venv from main component (SCRD-8523)
- Remove openstack-neutron-opflex-agent, python-aci-integration-module,
python-acitoolkit, python-apicapi and python-networking-cisco as
they pull in new requirements into the product
- Inherit version number of venv from main component (SCRD-8523)
- Added to the neutron virtual environment:
* python-aci-integration-module
* python-acitoolkit
* python-apicapi
* python-networking-cisco
* openstack-neutron-gbp
* openstack-neutron-opflex-agent
- Inherit version number of venv from main component (SCRD-8523)
ModerateSUSE bug 1070500SUSE bug 1108818SUSE bug 1118159SUSE bug 1120657SUSE bug 1122053SUSE bug 1122825SUSE bug 1124170SUSE bug 1128382SUSE bug 1128453SUSE bug 1128783SUSE bug 1129729SUSE bug 1132654SUSE bug 1132852SUSE bug 1133719SUSE bug 1134495SUSE bug 1134589SUSE bug 1136569SUSE bug 1137377SUSE bug 1137817SUSE bug 1138124SUSE bug 1138187SUSE bug 1138489SUSE bug 1138967SUSE bug 1139750SUSE bug 1140512SUSE bug 1140663SUSE bug 1142032SUSE bug 1142521SUSE bug 1142686SUSE bug 1143310CVE-2015-3448 at SUSECVE-2015-3448 at NVDCVE-2017-17051 at SUSECVE-2017-17051 at NVDCVE-2019-9735 at SUSECVE-2019-9735 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libvirt (Important)SUSE OpenStack Cloud Crowbar 8
This update for libvirt fixes the following issues:
Security issues fixed:
- CVE-2019-10161: Fixed virDomainSaveImageGetXMLDesc API which could accept a path
parameter pointing anywhere on the system and potentially leading to execution
of a malicious file with root privileges by libvirtd (bsc#1138301).
- CVE-2019-10167: Fixed an issue with virConnectGetDomainCapabilities API which
could have been used to execute arbitrary emulators (bsc#1138303).
Non-security issues fixed:
- Fixed an issue with short bitmaps when setting vcpu affinity using the vcpupin (bsc#1138734).
- Added support for overriding max threads per process limit (bsc#1133719)
ImportantSUSE bug 1133719SUSE bug 1138301SUSE bug 1138303SUSE bug 1138734CVE-2019-10161 at SUSECVE-2019-10161 at NVDCVE-2019-10167 at SUSECVE-2019-10167 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-Django (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-Django to version 1.11.23 fixes the following issues:
- CVE-2019-14232: Fixed a denial of service in 'django.utils.text.Truncator' (bsc#1142880).
- CVE-2019-14233: Fixed a denial of service in strip_tags() (bsc#1142882).
- CVE-2019-14234: Fixed an SQL injection in key and index lookups for 'JSONField'/'HStoreField' (bsc#1142883).
- CVE-2019-14235: Fixed a potential memory exhaustion in 'django.utils.encoding.uri_to_iri()' (bsc#1142885).
- CVE-2019-12781: Fixed incorrect HTTP detection with reverse-proxy connecting via HTTPS (bsc#1139945).
- CVE-2019-12308: Fixed a cross site scripting vulnerability in the AdminURLFieldWidget (bsc#1136468).
ImportantSUSE bug 1136468SUSE bug 1139945SUSE bug 1142880SUSE bug 1142882SUSE bug 1142883SUSE bug 1142885CVE-2019-12308 at SUSECVE-2019-12308 at NVDCVE-2019-12781 at SUSECVE-2019-12781 at NVDCVE-2019-14232 at SUSECVE-2019-14232 at NVDCVE-2019-14233 at SUSECVE-2019-14233 at NVDCVE-2019-14234 at SUSECVE-2019-14234 at NVDCVE-2019-14235 at SUSECVE-2019-14235 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-SQLAlchemy (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-SQLAlchemy fixes the following issues:
Security issues fixed:
- CVE-2019-7164: Fixed SQL Injection via the order_by parameter (bsc#1124593).
- CVE-2019-7548: Fixed SQL Injection via the group_by parameter (bsc#1124593).
ImportantSUSE bug 1124593CVE-2019-7164 at SUSECVE-2019-7164 at NVDCVE-2019-7548 at SUSECVE-2019-7548 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud Crowbar 8
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2019-1125: Enable Spectre v1 swapgs mitigations (bsc#1139358).
- CVE-2018-20855: An issue was discovered in create_qp_common in drivers/infiniband/hw/mlx5/qp.c, mlx5_ib_create_qp_resp was never initialized, resulting in a leak of stack memory to userspace (bsc#1143045).
- CVE-2019-14284: The drivers/block/floppy.c allowed a denial of service by setup_format_params division-by-zero. Two consecutive ioctls can trigger the bug: the first one should set the drive geometry with .sect and .rate values that make F_SECT_PER_TRACK be zero. Next, the floppy format operation should be called. It can be triggered by an unprivileged local user even when a floppy disk has not been inserted. NOTE: QEMU creates the floppy device by default (bsc#1143189).
- CVE-2019-14283: The function set_geometry in drivers/block/floppy.c did not validate the sect and head fields, as demonstrated by an integer overflow and out-of-bounds read. It can be triggered by an unprivileged local user when a floppy disk has been inserted. NOTE: QEMU creates the floppy device by default (bsc#1143191).
- CVE-2019-11810: A NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c. This causes a Denial of Service, related to a use-after-free (bsc#1134399).
- CVE-2019-13648: In the Linux kernel on the powerpc platform, when hardware transactional memory is disabled, a local user can cause a denial of service (TM Bad Thing exception and system crash) via a sigreturn() system call that sends a crafted signal frame. This affects arch/powerpc/kernel/signal_32.c and arch/powerpc/kernel/signal_64.c (bnc#1142254).
- CVE-2019-13631: In parse_hid_report_descriptor in drivers/input/tablet/gtco.c, a malicious USB device can send an HID report that triggers an out-of-bounds write during generation of debugging messages (bsc#1142023).
- CVE-2019-15118: Fixed kernel stack exhaustion in check_input_term in sound/usb/mixer.c via mishandled recursion (bnc#1145922).
- CVE-2019-15117: Fixed out-of-bounds memory access in parse_audio_mixer_unit in sound/usb/mixer.c via mishandled short descriptor (bnc#1145920).
- CVE-2019-3819: A flaw was fixed in the function hid_debug_events_read() in drivers/hid/hid-debug.c file which may have enter an infinite loop with certain parameters passed from a userspace. A local privileged user ('root') could have caused a system lock up and a denial of service (bnc#1123161).
- CVE-2019-10207: Check for missing tty operations in bluetooth/hci_uart (bsc#1142857).
- CVE-2018-20856: Fixed a use-after-free issue in block/blk-core.c, where certain error case are mishandled (bnc#1143048).
The following non-security bugs were fixed:
- cifs: do not log STATUS_NOT_FOUND errors for DFS (bsc#1125674).
- dlm: Fix saving of NULL callbacks (bsc#1135365).
- bcache: Revert 'bcache: fix high CPU occupancy during journal' (bsc#1140652, bsc#1144288).
- bcache: Revert 'bcache: free heap cache_set->flush_btree in bch_journal_free' (bsc#1140652, bsc#1144288).
- bcache: add reclaimed_journal_buckets to struct cache_set (bsc#1140652, bsc#1144288).
- bcache: fix race in btree_flush_write() (bsc#1140652, bsc#1144288).
- bcache: fix stack corruption by PRECEDING_KEY() (bsc#1130972, bsc#1144257).
- bcache: only set BCACHE_DEV_WB_RUNNING when cached device attached (bsc#1130972, bsc#1144273).
- bcache: performance improvement for btree_flush_write() (bsc#1140652, bsc#1144288).
- bcache: remove retry_flush_write from struct cache_set (bsc#1140652, bsc#1144288).
- bonding: Force slave speed check after link state recovery for 802.3ad (bsc#1137584).
- clocksource: Defer override invalidation unless clock is unstable (bsc#1139826).
- kvm: mmu: Fix overflow on kvm mmu page limit calculation (bsc#1135335).
- kvmclock: fix TSC calibration for nested guests (bsc#1133860, jsc#PM-1211).
- mm, page_alloc: fix has_unmovable_pages for HugePages (bsc#1127034).
- powerpc/watchpoint: Restore NV GPRs while returning from exception (bsc#1140945, bsc#1141401, bsc#1141402, bsc#1141452, bsc#1141453, bsc#1141454).
- qla2xxx: performance degradation when enabling blk-mq (bsc#1128977).
- qlge: Deduplicate lbq_buf_size (bsc#1106061).
- qlge: Deduplicate rx buffer queue management (bsc#1106061).
- qlge: Factor out duplicated expression (bsc#1106061).
- qlge: Fix dma_sync_single calls (bsc#1106061).
- qlge: Fix irq masking in INTx mode (bsc#1106061).
- qlge: Refill empty buffer queues from wq (bsc#1106061).
- qlge: Refill rx buffers up to multiple of 16 (bsc#1106061).
- qlge: Remove bq_desc.maplen (bsc#1106061).
- qlge: Remove irq_cnt (bsc#1106061).
- qlge: Remove page_chunk.last_flag (bsc#1106061).
- qlge: Remove qlge_bq.len size (bsc#1106061).
- qlge: Remove rx_ring.sbq_buf_size (bsc#1106061).
- qlge: Remove rx_ring.type (bsc#1106061).
- qlge: Remove useless dma synchronization calls (bsc#1106061).
- qlge: Remove useless memset (bsc#1106061).
- qlge: Replace memset with assignment (bsc#1106061).
- qlge: Update buffer queue prod index despite oom (bsc#1106061).
- rbd: flush rbd_dev->watch_dwork after watch is unregistered (bsc#1143333).
- rbd: retry watch re-registration periodically (bsc#1143333).
- sched/fair: Do not free p->numa_faults with concurrent readers (bsc#1144920).
- sched/fair: Use RCU accessors consistently for ->numa_group (bsc#1144920).
- scsi: virtio_scsi: let host do exception handling (bsc#1141181).
- x86: mm: fix fast GUP with hyper-based TLB flushing (VM Functionality, bsc#1140903).
- x86: tsc: Add X86_FEATURE_TSC_KNOWN_FREQ flag (bsc#1133860, jsc#PM-1211).
- xen: let alloc_xenballooned_pages() fail if not enough memory free (XSA-300).
ImportantSUSE bug 1106061SUSE bug 1123161SUSE bug 1125674SUSE bug 1127034SUSE bug 1128977SUSE bug 1130972SUSE bug 1133860SUSE bug 1134399SUSE bug 1135335SUSE bug 1135365SUSE bug 1137584SUSE bug 1139358SUSE bug 1139826SUSE bug 1140652SUSE bug 1140903SUSE bug 1140945SUSE bug 1141181SUSE bug 1141401SUSE bug 1141402SUSE bug 1141452SUSE bug 1141453SUSE bug 1141454SUSE bug 1142023SUSE bug 1142254SUSE bug 1142857SUSE bug 1143045SUSE bug 1143048SUSE bug 1143189SUSE bug 1143191SUSE bug 1143333SUSE bug 1144257SUSE bug 1144273SUSE bug 1144288SUSE bug 1144920SUSE bug 1145920SUSE bug 1145922CVE-2018-20855 at SUSECVE-2018-20855 at NVDCVE-2018-20856 at SUSECVE-2018-20856 at NVDCVE-2019-10207 at SUSECVE-2019-10207 at NVDCVE-2019-1125 at SUSECVE-2019-1125 at NVDCVE-2019-11810 at SUSECVE-2019-11810 at NVDCVE-2019-13631 at SUSECVE-2019-13631 at NVDCVE-2019-13648 at SUSECVE-2019-13648 at NVDCVE-2019-14283 at SUSECVE-2019-14283 at NVDCVE-2019-14284 at SUSECVE-2019-14284 at NVDCVE-2019-15117 at SUSECVE-2019-15117 at NVDCVE-2019-15118 at SUSECVE-2019-15118 at NVDCVE-2019-3819 at SUSECVE-2019-3819 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for perl (Important)SUSE OpenStack Cloud Crowbar 8
This update for perl fixes the following issues:
Security issue fixed:
- CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674).
ImportantSUSE bug 1114674CVE-2018-18311 at SUSECVE-2018-18311 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libsolv, libzypp, zypper (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for libsolv, libzypp and zypper fixes the following issues:
libsolv was updated to version 0.6.36 and fixes the following issues:
Security issues fixed:
- CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
- CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
- CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).
Non-security issues fixed:
- Made cleandeps jobs on patterns work (bsc#1137977).
- Fixed an issue multiversion packages that obsolete their own name (bsc#1127155).
- Keep consistent package name if there are multiple alternatives (bsc#1131823).
Fixes for libzypp:
- Fixes a bug where locking the kernel was not possible (bsc#1113296)
- Fixes a file descriptor leak (bsc#1116995)
- Will now run file conflict check on dry-run (best with download-only) (bsc#1140039)
Fixes for zypper:
- Fixes a bug where the wrong exit code was set when refreshing repos if --root was used (bsc#1134226)
- Improved the displaying of locks (bsc#1112911)
- Fixes an issue where `https` repository urls caused an error prompt to appear twice (bsc#1110542)
- zypper will now always warn when no repositories are defined (bsc#1109893)
- Fixes bash completion option detection (bsc#1049825)
ModerateSUSE bug 1049825SUSE bug 1109893SUSE bug 1110542SUSE bug 1111319SUSE bug 1112911SUSE bug 1113296SUSE bug 1116995SUSE bug 1120629SUSE bug 1120630SUSE bug 1120631SUSE bug 1127155SUSE bug 1131823SUSE bug 1134226SUSE bug 1137977SUSE bug 1140039SUSE bug 1145521CVE-2018-20532 at SUSECVE-2018-20532 at NVDCVE-2018-20533 at SUSECVE-2018-20533 at NVDCVE-2018-20534 at SUSECVE-2018-20534 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ansible (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for ansible fixes the following issues:
Security issue fixed:
- CVE-2019-10206: Fixed ansible cli tools that prompt passwords by expanding them from templates as they could contain special characters (bsc#1142690).
ModerateSUSE bug 1142690CVE-2019-10206 at SUSECVE-2019-10206 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-urllib3 (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-urllib3 fixes the following issues:
Security issues fixed:
- CVE-2019-9740: Fixed CRLF injection issue (bsc#1129071).
- CVE-2019-11324: Fixed invalid CA certificat verification (bsc#1132900).
- CVE-2019-11236: Fixed CRLF injection via request parameter (bsc#1132663).
- CVE-2018-20060: Remove Authorization header when redirecting cross-host (bsc#1119376).
ModerateSUSE bug 1119376SUSE bug 1129071SUSE bug 1132663SUSE bug 1132900CVE-2018-20060 at SUSECVE-2018-20060 at NVDCVE-2019-11236 at SUSECVE-2019-11236 at NVDCVE-2019-11324 at SUSECVE-2019-11324 at NVDCVE-2019-9740 at SUSECVE-2019-9740 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_7_1-ibm (Important)SUSE OpenStack Cloud Crowbar 8
This update for java-1_7_1-ibm fixes the following issues:
Update to Java 7.1 Service Refresh 4 Fix Pack 50.
Security issues fixed:
- CVE-2019-11771: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-11775: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-4473: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-7317: Fixed issue inside Component AWT (libpng)(bsc#1141780).
- CVE-2019-2769: Fixed issue inside Component Utilities (bsc#1141783).
- CVE-2019-2762: Fixed issue inside Component Utilities (bsc#1141782).
- CVE-2019-2816: Fixed issue inside Component Networking (bsc#1141785).
- CVE-2019-2766: Fixed issue inside Component Networking (bsc#1141789).
ImportantSUSE bug 1141780SUSE bug 1141782SUSE bug 1141783SUSE bug 1141785SUSE bug 1141789SUSE bug 1147021CVE-2019-11771 at SUSECVE-2019-11771 at NVDCVE-2019-11775 at SUSECVE-2019-11775 at NVDCVE-2019-2762 at SUSECVE-2019-2762 at NVDCVE-2019-2766 at SUSECVE-2019-2766 at NVDCVE-2019-2769 at SUSECVE-2019-2769 at NVDCVE-2019-2816 at SUSECVE-2019-2816 at NVDCVE-2019-4473 at SUSECVE-2019-4473 at NVDCVE-2019-7317 at SUSECVE-2019-7317 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for curl (Important)SUSE OpenStack Cloud Crowbar 8
This update for curl fixes the following issues:
Security issue fixed:
- CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496).
ImportantSUSE bug 1149496CVE-2019-5482 at SUSECVE-2019-5482 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud Crowbar 8
This update for webkit2gtk3 fixes the following issues:
Updated to version 2.24.4 (bsc#1148931).
Security issues fixed:
- CVE-2019-8644, CVE-2019-8649, CVE-2019-8658, CVE-2019-8669, CVE-2019-8678,
CVE-2019-8680, CVE-2019-8683, CVE-2019-8684, CVE-2019-8688, CVE-2019-8595,
CVE-2019-8607, CVE-2019-8615, CVE-2019-8644, CVE-2019-8649, CVE-2019-8658,
CVE-2019-8666, CVE-2019-8669, CVE-2019-8671, CVE-2019-8672, CVE-2019-8673,
CVE-2019-8676, CVE-2019-8677, CVE-2019-8678, CVE-2019-8679, CVE-2019-8680,
CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8686, CVE-2019-8687,
CVE-2019-8688, CVE-2019-8689, CVE-2019-8690
Non-security issues fixed:
- Improved loading of multimedia streams to avoid memory exhaustion due to excessive caching.
- Updated the user agent string to make happy certain websites which would claim that the browser being used was unsupported.
ImportantSUSE bug 1135715SUSE bug 1148931CVE-2019-8595 at SUSECVE-2019-8595 at NVDCVE-2019-8607 at SUSECVE-2019-8607 at NVDCVE-2019-8615 at SUSECVE-2019-8615 at NVDCVE-2019-8644 at SUSECVE-2019-8644 at NVDCVE-2019-8649 at SUSECVE-2019-8649 at NVDCVE-2019-8658 at SUSECVE-2019-8658 at NVDCVE-2019-8666 at SUSECVE-2019-8666 at NVDCVE-2019-8669 at SUSECVE-2019-8669 at NVDCVE-2019-8671 at SUSECVE-2019-8671 at NVDCVE-2019-8672 at SUSECVE-2019-8672 at NVDCVE-2019-8673 at SUSECVE-2019-8673 at NVDCVE-2019-8676 at SUSECVE-2019-8676 at NVDCVE-2019-8677 at SUSECVE-2019-8677 at NVDCVE-2019-8678 at SUSECVE-2019-8678 at NVDCVE-2019-8679 at SUSECVE-2019-8679 at NVDCVE-2019-8680 at SUSECVE-2019-8680 at NVDCVE-2019-8681 at SUSECVE-2019-8681 at NVDCVE-2019-8683 at SUSECVE-2019-8683 at NVDCVE-2019-8684 at SUSECVE-2019-8684 at NVDCVE-2019-8686 at SUSECVE-2019-8686 at NVDCVE-2019-8687 at SUSECVE-2019-8687 at NVDCVE-2019-8688 at SUSECVE-2019-8688 at NVDCVE-2019-8689 at SUSECVE-2019-8689 at NVDCVE-2019-8690 at SUSECVE-2019-8690 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-Werkzeug (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-Werkzeug fixes the following issues:
Security issue fixed:
- CVE-2019-14806: Fixed the development server in Docker, the debugger security pin is now unique per container (bsc#1145383).
ModerateSUSE bug 1145383CVE-2019-14806 at SUSECVE-2019-14806 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_8_0-ibm (Important)SUSE OpenStack Cloud Crowbar 8
This update for java-1_8_0-ibm fixes the following issues:
Update to Java 8.0 Service Refresh 5 Fix Pack 40.
Security issues fixed:
- CVE-2019-11771: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-11772: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-11775: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-4473: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-7317: Fixed issue inside Component AWT (libpng)(bsc#1141780).
- CVE-2019-2769: Fixed issue inside Component Utilities (bsc#1141783).
- CVE-2019-2762: Fixed issue inside Component Utilities (bsc#1141782).
- CVE-2019-2816: Fixed issue inside Component Networking (bsc#1141785).
- CVE-2019-2766: Fixed issue inside Component Networking (bsc#1141789).
- CVE-2019-2786: Fixed issue inside Component Security (bsc#1141787).
ImportantSUSE bug 1122292SUSE bug 1122299SUSE bug 1141780SUSE bug 1141782SUSE bug 1141783SUSE bug 1141785SUSE bug 1141787SUSE bug 1141789SUSE bug 1147021CVE-2018-11212 at SUSECVE-2018-11212 at NVDCVE-2019-11771 at SUSECVE-2019-11771 at NVDCVE-2019-11772 at SUSECVE-2019-11772 at NVDCVE-2019-11775 at SUSECVE-2019-11775 at NVDCVE-2019-2449 at SUSECVE-2019-2449 at NVDCVE-2019-2762 at SUSECVE-2019-2762 at NVDCVE-2019-2766 at SUSECVE-2019-2766 at NVDCVE-2019-2769 at SUSECVE-2019-2769 at NVDCVE-2019-2786 at SUSECVE-2019-2786 at NVDCVE-2019-2816 at SUSECVE-2019-2816 at NVDCVE-2019-4473 at SUSECVE-2019-4473 at NVDCVE-2019-7317 at SUSECVE-2019-7317 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ibus (Important)SUSE OpenStack Cloud Crowbar 8
This update for ibus fixes the following issues:
Security issue fixed:
- CVE-2019-14822: Fixed a misconfiguration of the DBus server that allowed an unprivileged user to monitor and send method calls to the ibus bus of another user. (bsc#1150011)
ImportantSUSE bug 1150011CVE-2019-14822 at SUSECVE-2019-14822 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openssl (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for openssl fixes the following issues:
OpenSSL Security Advisory [10 September 2019]
- CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance (bsc#1150003).
- CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250).
ModerateSUSE bug 1150003SUSE bug 1150250CVE-2019-1547 at SUSECVE-2019-1547 at NVDCVE-2019-1563 at SUSECVE-2019-1563 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox to ESR 60.9 fixes the following issues:
Security issues fixed:
- CVE-2019-11742: Fixed a same-origin policy violation involving SVG filters and canvas to steal cross-origin images. (bsc#1149303)
- CVE-2019-11746: Fixed a use-after-free while manipulating video. (bsc#1149297)
- CVE-2019-11744: Fixed an XSS caused by breaking out of title and textarea elements using innerHTML. (bsc#1149304)
- CVE-2019-11753: Fixed a privilege escalation with Mozilla Maintenance Service in custom Firefox installation location. (bsc#1149295)
- CVE-2019-11752: Fixed a use-after-free while extracting a key value in IndexedDB. (bsc#1149296)
- CVE-2019-11743: Fixed a timing side-channel attack on cross-origin information, utilizing unload event attributes. (bsc#1149298)
- CVE-2019-11740: Fixed several memory safety bugs. (bsc#1149299)
ImportantSUSE bug 1149294SUSE bug 1149295SUSE bug 1149296SUSE bug 1149297SUSE bug 1149298SUSE bug 1149299SUSE bug 1149303SUSE bug 1149304SUSE bug 1149324CVE-2019-11740 at SUSECVE-2019-11740 at NVDCVE-2019-11742 at SUSECVE-2019-11742 at NVDCVE-2019-11743 at SUSECVE-2019-11743 at NVDCVE-2019-11744 at SUSECVE-2019-11744 at NVDCVE-2019-11746 at SUSECVE-2019-11746 at NVDCVE-2019-11752 at SUSECVE-2019-11752 at NVDCVE-2019-11753 at SUSECVE-2019-11753 at NVDCVE-2019-9812 at SUSECVE-2019-9812 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-Twisted (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-Twisted fixes the following issues:
Security issue fixed:
- CVE-2019-12855: Fixed TLS certificate verification to protecting against MITM attacks (bsc#1138461).
ModerateSUSE bug 1138461CVE-2019-12855 at SUSECVE-2019-12855 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for dovecot22 (Important)SUSE OpenStack Cloud Crowbar 8
This update for dovecot22 fixes the following issues:
- CVE-2019-11500: Fixed a potential remote code execution in the IMAP and ManageSieve protocol parsers (bsc#1145559).
ImportantSUSE bug 1145559CVE-2019-11500 at SUSECVE-2019-11500 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for mariadb (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for mariadb fixes the following issues:
Updated to MariaDB 10.0.40-1.
Security issues fixed:
- CVE-2019-2805, CVE-2019-2740, CVE-2019-2739, CVE-2019-2737,
CVE-2019-2614, CVE-2019-2627. (bsc#1132826) (bsc#1141798).
Non-security issues fixed:
- Adjusted mysql-systemd-helper ('shutdown protected MySQL' section)
so it checks both ping response and the pid in a process list
as it can take some time till the process is terminated.
Otherwise it can lead to 'found left-over process' situation
when regular mariadb is started. (bsc#1143215)
- Fixed IP resolving in mysql_install_db script. (bsc#1142058, bsc#1127027, MDEV-18526)
ModerateSUSE bug 1127027SUSE bug 1132826SUSE bug 1141798SUSE bug 1142058SUSE bug 1143215CVE-2019-2614 at SUSECVE-2019-2614 at NVDCVE-2019-2627 at SUSECVE-2019-2627 at NVDCVE-2019-2737 at SUSECVE-2019-2737 at NVDCVE-2019-2739 at SUSECVE-2019-2739 at NVDCVE-2019-2740 at SUSECVE-2019-2740 at NVDCVE-2019-2805 at SUSECVE-2019-2805 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ghostscript (Important)SUSE OpenStack Cloud Crowbar 8
This update for ghostscript to 9.27 fixes the following issues:
Security issues fixed:
- CVE-2019-3835: Fixed an unauthorized file system access caused by an available superexec operator. (bsc#1129180)
- CVE-2019-3839: Fixed an unauthorized file system access caused by available privileged operators. (bsc#1134156)
- CVE-2019-12973: Fixed a denial-of-service vulnerability in the OpenJPEG function opj_t1_encode_cblks. (bsc#1140359)
- CVE-2019-14811: Fixed a safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator. (bsc#1146882)
- CVE-2019-14812: Fixed a safer mode bypass by .forceput exposure in setuserparams. (bsc#1146882)
- CVE-2019-14813: Fixed a safer mode bypass by .forceput exposure in setsystemparams. (bsc#1146882)
- CVE-2019-14817: Fixed a safer mode bypass by .forceput exposure in .pdfexectoken and other procedures. (bsc#1146884)
ImportantSUSE bug 1129180SUSE bug 1131863SUSE bug 1134156SUSE bug 1140359SUSE bug 1146882SUSE bug 1146884CVE-2019-12973 at SUSECVE-2019-12973 at NVDCVE-2019-14811 at SUSECVE-2019-14811 at NVDCVE-2019-14812 at SUSECVE-2019-14812 at NVDCVE-2019-14813 at SUSECVE-2019-14813 at NVDCVE-2019-14817 at SUSECVE-2019-14817 at NVDCVE-2019-3835 at SUSECVE-2019-3835 at NVDCVE-2019-3839 at SUSECVE-2019-3839 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libgcrypt (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for libgcrypt fixes the following issues:
Security issues fixed:
- CVE-2019-13627: Mitigated ECDSA timing attack. (bsc#1148987)
ModerateSUSE bug 1148987CVE-2019-13627 at SUSECVE-2019-13627 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
Updated to new ESR version 68.1 (bsc#1149323).
In addition to the already fixed vulnerabilities released in previous ESR updates,
the following were also fixed:
CVE-2019-11751, CVE-2019-11736, CVE-2019-9812, CVE-2019-11748, CVE-2019-11749,
CVE-2019-11750, CVE-2019-11738, CVE-2019-11747, CVE-2019-11735.
Several run-time issues were also resolved (bsc#1117473, bsc#1124525, bsc#1133810).
The version displayed in Help > About is now correct (bsc#1087200).
ImportantSUSE bug 1087200SUSE bug 1109465SUSE bug 1117473SUSE bug 1123482SUSE bug 1124525SUSE bug 1133810SUSE bug 1140868SUSE bug 1145665SUSE bug 1149323CVE-2019-11709 at SUSECVE-2019-11709 at NVDCVE-2019-11710 at SUSECVE-2019-11710 at NVDCVE-2019-11711 at SUSECVE-2019-11711 at NVDCVE-2019-11712 at SUSECVE-2019-11712 at NVDCVE-2019-11713 at SUSECVE-2019-11713 at NVDCVE-2019-11714 at SUSECVE-2019-11714 at NVDCVE-2019-11715 at SUSECVE-2019-11715 at NVDCVE-2019-11716 at SUSECVE-2019-11716 at NVDCVE-2019-11717 at SUSECVE-2019-11717 at NVDCVE-2019-11718 at SUSECVE-2019-11718 at NVDCVE-2019-11719 at SUSECVE-2019-11719 at NVDCVE-2019-11720 at SUSECVE-2019-11720 at NVDCVE-2019-11721 at SUSECVE-2019-11721 at NVDCVE-2019-11723 at SUSECVE-2019-11723 at NVDCVE-2019-11724 at SUSECVE-2019-11724 at NVDCVE-2019-11725 at SUSECVE-2019-11725 at NVDCVE-2019-11727 at SUSECVE-2019-11727 at NVDCVE-2019-11728 at SUSECVE-2019-11728 at NVDCVE-2019-11729 at SUSECVE-2019-11729 at NVDCVE-2019-11730 at SUSECVE-2019-11730 at NVDCVE-2019-11733 at SUSECVE-2019-11733 at NVDCVE-2019-11735 at SUSECVE-2019-11735 at NVDCVE-2019-11736 at SUSECVE-2019-11736 at NVDCVE-2019-11738 at SUSECVE-2019-11738 at NVDCVE-2019-11740 at SUSECVE-2019-11740 at NVDCVE-2019-11742 at SUSECVE-2019-11742 at NVDCVE-2019-11743 at SUSECVE-2019-11743 at NVDCVE-2019-11744 at SUSECVE-2019-11744 at NVDCVE-2019-11746 at SUSECVE-2019-11746 at NVDCVE-2019-11747 at SUSECVE-2019-11747 at NVDCVE-2019-11748 at SUSECVE-2019-11748 at NVDCVE-2019-11749 at SUSECVE-2019-11749 at NVDCVE-2019-11750 at SUSECVE-2019-11750 at NVDCVE-2019-11751 at SUSECVE-2019-11751 at NVDCVE-2019-11752 at SUSECVE-2019-11752 at NVDCVE-2019-11753 at SUSECVE-2019-11753 at NVDCVE-2019-9811 at SUSECVE-2019-9811 at NVDCVE-2019-9812 at SUSECVE-2019-9812 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Recommended update for python-setuptools and dependend packages (Moderate)SUSE OpenStack Cloud Crowbar 8
All changes necessary for upgrade of python-setuptools to 40.6.2 (bsc#1075812)
New packages:
- python-cachetools
- python-google-auth
- python-packaging
Rebuilt without source changes:
- python-cffi
- python-cliff
- python-mock
- python-oauthlib
- python-pbr
- python-PyJWT
- python-pytest
Added python3 packages:
- python-hgtools
- python-pyasn1-modules
- python-rsa
Updated:
- python-kubernetes
Updated to version 6.0
- python-pyparsing
Was updated to version 2.2.0.
- python-setuptools
Was upgraded to version 40.6.2.
ModerateSUSE bug 1024540SUSE bug 1054413SUSE bug 1074247SUSE bug 1075812SUSE bug 1088358SUSE bug 1091826SUSE bug 1110422CVE-2016-9015 at SUSECVE-2016-9015 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for binutils (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for binutils fixes the following issues:
binutils was updated to current 2.32 branch @7b468db3 [jsc#ECO-368]:
Includes the following security fixes:
- CVE-2018-17358: Fixed invalid memory access in _bfd_stab_section_find_nearest_line in syms.c (bsc#1109412)
- CVE-2018-17359: Fixed invalid memory access exists in bfd_zalloc in opncls.c (bsc#1109413)
- CVE-2018-17360: Fixed heap-based buffer over-read in bfd_getl32 in libbfd.c (bsc#1109414)
- CVE-2018-17985: Fixed a stack consumption problem caused by the cplus_demangle_type (bsc#1116827)
- CVE-2018-18309: Fixed an invalid memory address dereference was discovered in read_reloc in reloc.c (bsc#1111996)
- CVE-2018-18483: Fixed get_count function provided by libiberty that allowed attackers to cause a denial of service or other unspecified impact (bsc#1112535)
- CVE-2018-18484: Fixed stack exhaustion in the C++ demangling functions provided by libiberty, caused by recursive stack frames (bsc#1112534)
- CVE-2018-18605: Fixed a heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup causing a denial of service (bsc#1113255)
- CVE-2018-18606: Fixed a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments, causing denial of service (bsc#1113252)
- CVE-2018-18607: Fixed a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section, causing denial of service (bsc#1113247)
- CVE-2018-19931: Fixed a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h (bsc#1118831)
- CVE-2018-19932: Fixed an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA (bsc#1118830)
- CVE-2018-20623: Fixed a use-after-free in the error function in elfcomm.c (bsc#1121035)
- CVE-2018-20651: Fixed a denial of service via a NULL pointer dereference in elf_link_add_object_symbols in elflink.c (bsc#1121034)
- CVE-2018-20671: Fixed an integer overflow that can trigger a heap-based buffer overflow in load_specific_debug_section in objdump.c (bsc#1121056)
- CVE-2018-1000876: Fixed integer overflow in bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc in objdump (bsc#1120640)
- CVE-2019-1010180: Fixed an out of bound memory access that could lead to crashes (bsc#1142772)
- Enable xtensa architecture (Tensilica lc6 and related)
- Use -ffat-lto-objects in order to provide assembly for static libs
(bsc#1141913).
- Fixed some LTO problems (bsc#1133131 bsc#1133232).
- riscv: Don't check ABI flags if no code section
Update to binutils 2.32:
* The binutils now support for the C-SKY processor series.
* The x86 assembler now supports a -mvexwig=[0|1] option to control
encoding of VEX.W-ignored (WIG) VEX instructions.
It also has a new -mx86-used-note=[yes|no] option to generate (or
not) x86 GNU property notes.
* The MIPS assembler now supports the Loongson EXTensions R2 (EXT2),
the Loongson EXTensions (EXT) instructions, the Loongson Content
Address Memory (CAM) ASE and the Loongson MultiMedia extensions
Instructions (MMI) ASE.
* The addr2line, c++filt, nm and objdump tools now have a default
limit on the maximum amount of recursion that is allowed whilst
demangling strings. This limit can be disabled if necessary.
* Objdump's --disassemble option can now take a parameter,
specifying the starting symbol for disassembly. Disassembly will
continue from this symbol up to the next symbol or the end of the
function.
* The BFD linker will now report property change in linker map file
when merging GNU properties.
* The BFD linker's -t option now doesn't report members within
archives, unless -t is given twice. This makes it more useful
when generating a list of files that should be packaged for a
linker bug report.
* The GOLD linker has improved warning messages for relocations that
refer to discarded sections.
- Improve relro support on s390 [fate#326356]
- Handle ELF compressed header alignment correctly.
ModerateSUSE bug 1109412SUSE bug 1109413SUSE bug 1109414SUSE bug 1111996SUSE bug 1112534SUSE bug 1112535SUSE bug 1113247SUSE bug 1113252SUSE bug 1113255SUSE bug 1116827SUSE bug 1118830SUSE bug 1118831SUSE bug 1120640SUSE bug 1121034SUSE bug 1121035SUSE bug 1121056SUSE bug 1133131SUSE bug 1133232SUSE bug 1141913SUSE bug 1142772CVE-2018-1000876 at SUSECVE-2018-1000876 at NVDCVE-2018-17358 at SUSECVE-2018-17358 at NVDCVE-2018-17359 at SUSECVE-2018-17359 at NVDCVE-2018-17360 at SUSECVE-2018-17360 at NVDCVE-2018-17985 at SUSECVE-2018-17985 at NVDCVE-2018-18309 at SUSECVE-2018-18309 at NVDCVE-2018-18483 at SUSECVE-2018-18483 at NVDCVE-2018-18484 at SUSECVE-2018-18484 at NVDCVE-2018-18605 at SUSECVE-2018-18605 at NVDCVE-2018-18606 at SUSECVE-2018-18606 at NVDCVE-2018-18607 at SUSECVE-2018-18607 at NVDCVE-2018-19931 at SUSECVE-2018-19931 at NVDCVE-2018-19932 at SUSECVE-2018-19932 at NVDCVE-2018-20623 at SUSECVE-2018-20623 at NVDCVE-2018-20651 at SUSECVE-2018-20651 at NVDCVE-2018-20671 at SUSECVE-2018-20671 at NVDCVE-2019-1010180 at SUSECVE-2019-1010180 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for sudo (Important)SUSE OpenStack Cloud Crowbar 8
This update for sudo fixes the following issues:
Security issue fixed:
- CVE-2019-14287: Fixed an issue where a user with sudo privileges
that allowed them to run commands with an arbitrary uid, could
run commands as root, despite being forbidden to do so in sudoers
(bsc#1153674).
ImportantSUSE bug 1153674CVE-2019-14287 at SUSECVE-2019-14287 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libpcap (Important)SUSE OpenStack Cloud Crowbar 8
This update for libpcap fixes the following issues:
- CVE-2019-15165: Added sanity checks for PHB header length before allocating memory (bsc#1153332).
- CVE-2018-16301: Fixed a buffer overflow (bsc#1153332).
ImportantSUSE bug 1153332CVE-2018-16301 at SUSECVE-2018-16301 at NVDCVE-2019-15165 at SUSECVE-2019-15165 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for xen (Important)SUSE OpenStack Cloud Crowbar 8
This update for xen fixes the following issues:
Security issues fixed:
- CVE-2019-15890: Fixed a use-after-free in SLiRP networking implementation of QEMU emulator
which could have led to Denial of Service (bsc#1149813).
- CVE-2019-12068: Fixed an issue in lsi which could lead to an infinite loop and denial of
service (bsc#1146874).
- CVE-2019-14378: Fixed a heap buffer overflow in SLiRp networking implementation of QEMU
emulator which could have led to execution of arbitrary code with privileges of the
QEMU process (bsc#1143797).
Other issue fixed:
- Fixed an issue where libxenlight could not restore domain vsa6535522 on live migration (bsc#1133818).
ImportantSUSE bug 1126140SUSE bug 1126141SUSE bug 1126192SUSE bug 1126195SUSE bug 1126196SUSE bug 1126197SUSE bug 1126198SUSE bug 1126201SUSE bug 1127400SUSE bug 1133818SUSE bug 1143797SUSE bug 1146874SUSE bug 1149813CVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDCVE-2019-12068 at SUSECVE-2019-12068 at NVDCVE-2019-14378 at SUSECVE-2019-14378 at NVDCVE-2019-15890 at SUSECVE-2019-15890 at NVDCVE-2019-17340 at SUSECVE-2019-17340 at NVDCVE-2019-17341 at SUSECVE-2019-17341 at NVDCVE-2019-17342 at SUSECVE-2019-17342 at NVDCVE-2019-17343 at SUSECVE-2019-17343 at NVDCVE-2019-17344 at SUSECVE-2019-17344 at NVDCVE-2019-17345 at SUSECVE-2019-17345 at NVDCVE-2019-17346 at SUSECVE-2019-17346 at NVDCVE-2019-17347 at SUSECVE-2019-17347 at NVDCVE-2019-17348 at SUSECVE-2019-17348 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for nfs-utils (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for nfs-utils fixes the following issues:
- CVE-2019-3689: Fixed root-owned files stored in insecure /var/lib/nfs. (bsc#1150733)
ModerateSUSE bug 1150733CVE-2019-3689 at SUSECVE-2019-3689 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ardana-ansible, ardana-glance, ardana-horizon, ardana-input-model, ardana-manila, ardana-neutron, ardana-nova, ardana-octavia, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, galera-3, grafana, mariadb, mariadb-connector-c, novnc, openstack-cinder, openstack-glance, openstack-heat, openstack-horizon-plugin-neutron-vpnaas-ui, openstack-keystone, openstack-monasca-installer, openstack-neutron, openstack-neutron-gbp, openstack-neutron-lbaas, openstack-nova, python-amqp, python-ovs, python-pysaml2, python-python-engineio, python-urllib3, release-notes-suse-openstack-cloud, rubygem-easy_diff, rubygem-rest-client-1_6, venv-openstack-keystone (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for ardana-ansible, ardana-glance, ardana-horizon, ardana-input-model, ardana-manila, ardana-neutron, ardana-nova, ardana-octavia, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, galera-3, grafana, mariadb, mariadb-connector-c, novnc, openstack-cinder, openstack-glance, openstack-heat, openstack-horizon-plugin-neutron-vpnaas-ui, openstack-keystone, openstack-monasca-installer, openstack-neutron, openstack-neutron-gbp, openstack-neutron-lbaas, openstack-nova, python-amqp, python-ovs, python-pysaml2, python-python-engineio, python-urllib3, release-notes-suse-openstack-cloud, rubygem-easy_diff, rubygem-rest-client-1_6, venv-openstack-keystone contains the following fixes:
- Update to version 8.0+git.1566374355.c509923:
* Use raw image format when using SES backend on Nova (SOC-9285)
- Update to version 8.0+git.1566376789.be0fe01:
* Configure glance image_direct_url/multiple_locations (SOC-9285)
- Update to version 8.0+git.1565816064.5d4f73f:
* Removed None condition from rule (SOC-10003)
- Update to version 8.0+git.1566517401.98450e6:
* Add neutron-fwaas.json when neutron-l3-agent is deployed (SOC-10280)
- Update to version 8.0+git.1568835837.2452e7a:
* Ensure Manila services don't auto start on reboot (SOC-10641)
- Update to version 8.0+git.1568220097.74ee4b4:
* API extension paths separated by colon (SOC-10447)
- Update to version 8.0+git.1567555448.5ecd5b0:
* Add dependent services to neutron services (SOC-8746)
- Update to version 8.0+git.1566517377.f2a8c54:
* Add policy.d/neutron-fwaas.json.j2 (SOC-10280)
- Update to version 8.0+git.1566902754.c58ff69:
* Install libosinfo package (SOC-10295)
- Update to version 8.0+git.1565946419.a76c00e:
* Set diskcachemode and disk discard when using RBD (SOC-10182)
- Update to version 8.0+git.1568373448.bcaee7e:
* Make octavia heartbeat frequency options configurable (SOC-9285)
- Update to version 8.0+git.1566374572.a3c91d9:
* Include SES variables when configuring image (SOC-9285)
- Update to version 8.0+git.1566208257.5213d93:
* Use default values for amphora connection retries/timeout (SOC-9285)
- Update to version 8.0+git.1566471887.fd2fec7:
* Delete existing run filter before deploying it (SOC-10287)
- Update to version 5.0+git.1569597589.1f025c557:
* barclamp_lib: Sync timeout with other barclamps (SOC-10513, SOC-10011)
- Update to version 5.0+git.1569231378.ac645b753:
* Revert 'batch: Use easy_merge for merging (SOC-10505)'
- Update to version 5.0+git.1569103607.ee4a6cbc9:
* upgrade: Fix pie chart colors on dashboard (SOC-10619)
- Update to version 5.0+git.1568983947.70c39b8c7:
* batch: Use easy_merge for merging (SOC-10505)
- Update to version 5.0+git.1568317972.dfb856def:
* upgrade: Fix pre-checks tests (SOC-9868)
* Allow designate rndc for all nodes (SOC-10339)
- Update to version 5.0+git.1568210854.4f87b86f8:
* gems: Update easy_diff to 1.0.0 (SOC-10505)
- Update to version 5.0+git.1567531836.e06d68030:
* Public ips for dns nodes when designate integration is in use (SOC-9635)
- Update to version 5.0+git.1567513044.e9ef28b03:
* crowbar: Do not read /etc/crowbar.install.key in non-SUSE init script
* transition.sh: Do not read /etc/crowbar.install.key
* gather_logs: Make it a bit useful again
* gather_logs: Do not read /etc/crowbar.install.key
* network: Check existing upper layers before bond setup (bsc#1120657)
* network: never plug two interface into the same ovs bridge (bsc#1120657)
* network: Avoid plugging the same interface to two ovs bridges (bsc#1120657)
* nic library: some helper for identifying base interface (bsc#1120657)
* network: Rework the vlan port replugging code (bsc#1120657)
* network: DRY out 'kill_nic_files' (noref)
- Update to version 5.0+git.1567161136.fa34ac9f2:
* Add CVE-2019-5477 the to travis ignore list (SOC-9635)
- Update to version 5.0+git.1567094388.48f2be817:
* upgrade: Add more prechecks for 8->9 (SOC-9868)
- Update to version 5.0+git.1567673535.607aada:
* Fix typo in error message
- add cirros-0.4.0-x86_64-disk.img (SOC-9298, SOC-10844)
* the disk img is required to run the barbican tempest test
- Update to version 5.0+git.1570141351.058c8bd44:
* tempest:install designate tempest plugin for SOC8 (SOC-10288)
- Update to version 5.0+git.1569972328.9d475ceb9:
* [5.0] Designate: Add dns_domain_ports config (SOC-10740)
- Update to version 5.0+git.1569933916.d38d07e2d:
* Install barbican tempest plugin for SOC8 (SOC-10191)
* Designate: Filter out the admin node (SOC-10658)
- Update to version 5.0+git.1569885207.573f090bd:
* 5.0: designate: Fix the keys syntax error on migrations (SOC-10660)
- Update to version 5.0+git.1569620621.21c6c5459:
* helper:move config_for_role_exists from horizon to crowbar-openstack(SOC-10191)
- Update to version 5.0+git.1569431597.02675553d:
* tempest: don't rely on service catalogue (SOC-10633)
* glance: don't reuse sync mark names (SOC-10348)
* enable LDAP chase_referrals configuration (SOC-7364)
* nova: set default attribute for max_threads_per_process
- Update to version 5.0+git.1569053854.bb65c0fd1:
* Make ovs of_inactivity_probe configurable from neutron barclamp
- Update to version 5.0+git.1568904694.4d6e71fd1:
* Revert 'designate: Mark as user managed (SOC-10233)'
- Update to version 5.0+git.1568762121.5889ee9c4:
* Octavia: Hide UI until complete (SOC-10550)
- Update to version 5.0+git.1568721569.5927d34b8:
* designate: Mark as user managed (SOC-10233)
- Update to version 5.0+git.1568593066.8a7e963dd:
* designate: cleanup producer HA deployment (SOC-9766)
- Update to version 5.0+git.1568373930.d508e93f7:
* designate: Correct missing variable (SOC-10549)
- Update to version 5.0+git.1568323106.c080edcc1:
* neutron: Add 'insecure' to old cli calls (SOC-10453)
- Update to version 5.0+git.1568303804.bd258bef6:
* designate: No longer care about master/slave (SOC-10456)
- Update to version 5.0+git.1568173760.4a32699b1:
* nova: raise neutron client timeout to 5 minutes
* neutron: Small cleanup to neutron_lbaas.conf template
- Update to version 5.0+git.1568117991.15d77c6ea:
* Designate default Bind9 pool config (SOC-10339)
- Update to version 5.0+git.1568034797.254b8fb85:
* tempest: Skip manila and ceilometer tests (SOC-9799)
- Update to version 5.0+git.1567660321.885064382:
* nova: Don't put nova-compute roles on monasca node (SOC-10373)
- Update to version 5.0+git.1567513535.f2939eeed:
* designate: Update ns_records with all nameservers (SOC-9636)
* designate: Deploy producer on a server node (SOC-9766)
- Update to version 5.0+git.1567165725.8d5b4fa26:
* horizon: fix Grafana in HA clouds (bsc#1116846)
- Update to version 5.0+git.1567094879.c918a5e23:
* Fix barbican SSL support (SOC-9298)
* Add/fix run_filters
* Add tempest filters based on services (SOC-9298)
- Update to version 5.0+git.1566858336.891ddbf31:
* Fix magnum tempest tests (SOC-9298)
* tempest: only assign creator role if needed
* database: Hardcode ruby version for package installation (SOC-10010)
- Update to version 5.0+git.1566838653.efe3b147d:
* memcache: lookup memcached servers port only on local node (SOC-10173)
* designate: initialize email in default designate proposal
* horizon: Install designate plugin when configured (SOC-9695)
- Update to version 5.0+git.1566629404.88dae370a:
* Designate: Update DB pools configuration (SOC-9767)
- Update to version 5.0+git.1566256160.59ebd76c0:
* designate: Configure resource settings (SOC-9633)
- Update to version 1.2.0+git.1568396400.0344a727:
* upgrade: Add missing precheck titles
- Update to 25.3.25:
* A new Galera configuration parameter cert.optimistic_pa was added. If the
parameter value is set to true, full parallellization in applying write
sets is allowed as determined by certification algorithm. If set to false,
no more parallellism is allowed in applying than seen on the master.
* Support for ECDH OpenSSL engines on CentOS 6 (galera#520)
* Fixed compilation on Debian testing and unstable (galera#516, galera#528)
- Add unescape_IPv6_bind_ip.patch
* https://github.com/dciabrin/galera-1/commit/0f6f8aeeb09809280c956514cfd5844b8acad4f9
- Add CVE-2019-15043.patch (SOC-10357)
* Adds authentication to a few rest endpoints
see: https://github.com/grafana/grafana/compare/v5.4.4...v5.4.5
- Update to version 4.6.5:
* release 4.6.5
CVE-2018-19039 (jsc#SOC-9976)
File Exfiltration vulnerability Security fix
* Updated version to 4.6.4.
CVE-2018-558213/CVE-2018-558213 (jsc#SOC-9980)
Important fix for LDAP & OAuth login vulnerability
* Updated version to 4.6.4.
* sql: added code migration type
* release 4.6.3
* fix default alias
* fixes broken alert eval when first condition is using OR
* fix: alert list panel now works correctly after adding manual annotation on dashboard, fixes #9951
* fix: fix for avatar images when gzip is turned on, fixes #5952
* sets version to 4.6.2
* prom: add support for default step param (#9866)
* build: fixed jshint error
* fix: Html escaping caused issue in InfluxDB query editor, could not pick greater than or less then operators, fixes #9871
* heatmap: fix tooltip in 'Time series bucket' mode, #9332 (#9867)
* fix cloudwatch ec2_instance_attribute (#9718)
* colorpicker: fix color string change #9769 (#9780)
* changes version to 4.6.1
* fix: panel view now wraps, no scrolling required, fixes #9746
* plugins: fix for loading external plugins behind auth proxy, fixes #9509
* fix: color picker bug at series overrides page, #9715 (#9738)
* tech: switch to golang 1.9.2
* tech: add missing include
* save as should only delete threshold for panels with alerts
* fix: graphite annotation tooltip included undefined, fixes #9707
* build: updated version to v4.6.0
* plugins: added backward compatible path for rxjs
* ux: updated singlestat default colors
* prometheus: fixed unsaved changes warning when changing time range due to step option on query model was changed in datasource.query code, fixes #9675
* fix: firefox can now create region annotations, fixes #9638
* alerting: only editors can pause rules
* fix: another fix for playlist view state, #9639
* fix: fixed playlist controls and view state, fixes #9639
* prom: adds pre built grafana dashboard
* bump version for publish_testing.sh
* update version to 4.6.0-beta3
* plugins: expose dashboard impression store
* modify $__timeGroup macro so it can be used in select clause (#9527)
* plugins: fixes path issue on Windows
* prometheus: enable gzip for /metrics endpoint
* fix: fixed save to file button in export modal, fixes #9586
* mysql: add usage stats for mysql
* pluginloader: esModule true for systemjs config
* Fix heatmap Y axis rendering (#9580)
* fix vector range
* prometheus: add builtin template variable as range vectors
* fix: fixed prometheus step issue that caused browser crash, fixes #9575
* fix: getting started panel and mark adding data source as done, fixes #9568
* Fixes for annotations API (#9577)
* bump packagecloud script
* build: added imports of rxjs utility functions
* prepare for v4.6.0-beta2 release
* fix template variable expanding
* annotations: quote reserved fields (#9550)
* ux: align alert and btn colors
* fix: fixed color pickers that were broken in minified builds, fixes #9549
* textpanel: fixes #9491
* csv: fix import for saveAs shim
* plugins: expose more util and flot dependencies
* alert_tab: clear test result when testing rules
* (cloudwatch) fix cloudwatch query error over 24h (#9536)
* show error message when cloudwatch datasource can't add
* update packagecloud script for 4.6.0-beta1
* changelog: adds note about closing #9516
* alerting: add count_non_null reducer
* Update rpm.md
* fix: can now remove annotation tags without popover closing
* tech: add backward compatibility for <spectrum-picker> directive (#9510)
* fix: fixed links on new 404 page, fixes #9493
* logging: dont use cli logger in http_server
* oauth: raise error if session state is missing
* oauth: provide more logging for failed oauth requests
* prepare for 4.6.0-beta1 release
* docs: updated whats new article
* docs: initial draft release v46
* graph: fix y-axis decimalTick check. Fixes #9405
* minor docs update
* docs: annotation docs update
* changelog: adds note about closing #7104
* changelog: adds note about closing #9373
* metrics: disable gzip for /metrics endpoint (#9468)
* Annotation docs (#9506)
* Update CHANGELOG.md
* Update PLUGIN_DEV.md
* Update PLUGIN_DEV.md
* Update README.md
* Fixed link issue in CHANGELOG
* Create PLUGIN_DEV.md
* changelog: adds note about closing #9371,#5334,#8812
* ds_edit: placeholder should only be cert header
* fixed minor styling issus (#9497)
* fix: alert api limit param did not work and caused SQL syntax error, fixes #9492
* annotations: add endpoint for writing graphite-like events (#9495)
* Update unsaved_changes_modal.ts
* fix: set lastSeenAt date when creating users to then years in past insteasd of empty date, fixes #9260
* ux: minor ux fix
* Retain old name for TLS client auth
* Return error if datasource TLS CA not parsed
* Datasource settings: Make HTTP all caps
* Datasource HTTP settings: Add TLS skip verify
* Make URL capitalisation consistent in UI
* Alias macron package in app_routes.go
* Verify datasource TLS and split client auth and CA
* Tidy spacing in datasource TLS settings
* Tests: Clarify what InsecureSkipVerify does
* postgres: add missing ngInject decorator
* docs: initial docs for new annotation features, #9483
* Adds note for #9209 to changelog
* Postgres Data Source (#9475)
* tech: expose more to plugins, closes #9456
* Fix NaN handling (#9469)
* snapshots: improve snapshot listing performance, #9314 (#9477)
* mysql: fix interpolation for numbers in temp vars
* Added docs for Kafka alerting
* Fixed failing go tests
* gofmt fixes
* Added tests
* Kafka REST Proxy works with Grafana
* added insrtuctions for oauth2 okta bitbucket (#9471)
* Unified Color picker fixes (#9466)
* Show min interval query option for mixed datasource (#9467)
* gzip: plugin readme content set explicitly
* ignore pattern for vendored libs
* fix: escape metric segment auto complete, fixes #9423
* Corrected a PostgreSQL SELECT statement. (#9460)
* tests: found the unhandled promise issue in the dash import tests
* testing: fixing tests
* annotations: minor change to default/edit annotation color
* Create annotations (#8197)
* OAuth: Rename sslcli
* OAuth: Separate TLS client auth and CA config
* OAuth: Check both TLS client cert and key
* Always verify TLS unless explicitly told otherwise
* fix: threshold's colors in table panels (#9445) (#9453)
* singlestat: fix sizing bug #9337 (#9448)
* Revert 'Fix coloring in singlestat if null value (#9438)' (#9443)
* Fix coloring in singlestat if null value (#9438)
* fix: missing semicolon
* changed jsontree to use jsonexplorer (#9416)
* docs page for authproxy (#9420)
* Update codebox (#9430)
* Series color picker fix (#9442)
* fix type in readme
* removed commented line
* changelog: adds note about closing #9110
* Fixed typo
* Change empty string checks and improve logging
* changelog: adds note about closing #9208
* Fix spelling on 404 page.
* Lint fix
* Update kbn.js
* Add Norwegian Krone denominator for currency
* fixed layout for column options, changed dropdown for date format kept old code
* build: add noUnusedLocals to tsc parameters
* build: install go based on env variable
* changes go version to 1.9.1
* changelog: adds note about closing #9226
* changelog: add note about closing #9429
* changelog: adds note about closing #9399
* Fix formatting issue
* Add milliseconds format in table panel's config
* support for s3 path (#9151)
* Remove apparently unnecessary .flush() calls.
* Fix empty message and toolong attribute names Use default state message if no message is provided by the user Slice attribute name to maximum of 50 chars
* Address review comments.
* changelog: add note about closing #7175
* plugin_loader: expose app_events to plugins
* Add the missing comma
* colorpicker: refactoring the new unififed colorpicker, #9347
* Unified colorpicker (#9347)
* fix missing column headers in excel export (#9413)
* build: remove clean plugin from dev build
* build: fixed broken elastic unit test
* shore: cleanup unused stuff in common.d.ts
* Build URL for close alert request differently
* some restyling (#9409)
* Docs text fixes (#9408)
* Checkbox fixes (#9400)
* fix: ensure panel.datasource is null as default
* plugibs: expose more to plugins
* properly parse & pass upload image bool from config
* break out slack upload into separate function
* tech: minor npm scripts update
* build: fixed build
* refactoring: minor refactoring of PR #8916
* Update script to make it use OpsGenie's REST API
* docs: minor docs fix
* Merge branch 'master' of github.com:grafana/grafana
* build: minor webpack fix
* docs: updated building from source docs
* playlist: play and edit should use same width
* shore: fixed html indentation, #9368
* tech: updated yarn.lock
* shore: minor cleanup
* Webpack (#9391)
* fixing json for CI
* adding support for token-based slack file.upload API call for posting images to slack
* changelog: adds note about closing #8479
* changelog: adds note about closing #8050
* changelog: adds note about closing #9386
* change pdiff to percent_diff for conditions
* panel: rename label on csv export modal
* add diff and pdiff for conditions
* fix, add targetContainsTemplate()
* fix cloudwatch alert bug
* add debug log
* move extend statistics handling code to backend
* fix assume role
* improve cloudwatch tsdb
* refactor cloudwatch code
* remove obsolete code
* move cloudwatch crendential related code
* remove old handler
* fix annotation query
* fix time
* fix dimension convertion
* re-implement annotation query
* fix parameter format
* fix alert feature
* fix parameter format
* refactor cloudwatch to support new tsdb interface
* refactor cloudwatch frontend code
* refactor cloudwatch frontend code
* fix test
* re-implement dimension_values()
* fix error message
* remove performEC2DescribeInstances()
* re-implement ec2_instance_attribute()
* re-implement ebs_volume_ids()
* import the change, https://github.com/grafana/grafana/pull/9268
* fix conflict
* fix test
* remove obsolete GetMetricStatistics()
* fix test
* move test code
* fix conflict
* porting other suggestion
* re-implement get regions
* move the metric find query code
* (cloudwatch) move query parameter to 'parameters'
* parse duration
* remove offset for startTime
* cache creds for keys/credentials auth type
* fix test
* fix invalid query filter
* count up metrics
* (cloudwatch) alerting
* add brazil currency
* tech: upgrade of systemjs to 0.20.x working
* tech: reverted to systemjs
* tech: migrating elasticsearch to typescript
* changelog: add note about using golang 1.9
* change go version to 1.9
* changelog: adds note about closing #9367
* tech: systemjs upgrade
* made a text-panel page, maybe we don't need it
* cleaned up html/sass and added final touches
* Enable dualstack in every net.Dialer, fixes #9364
* jaeger: capitalize tracer name
* jaeger: logging improvement
* tech: systemjs upgrade
* Have include intervalFactor in its calculation, so always equal to the step query parameter.
* alertlist: toggle play/pause button
* updated css and html for recent state changes for alert lists
* Fix export_modal message (#9353)
* s3: minor fix for PR #9223
* internal metrics: add grafana version
* changelog: adds note about closing 5765
* Update latest.json
* typescript: stricter typescript option
* prom_docker: give targets correct job name
* testdata: add bucket scenarios for heatmap
* dev-docker: add grafana as target
* changelog: add note ablout closing #9319
* introduce smtp config option for EHLO identity
* changelog: note about closing #9250
* go fmt
* new page for text, needs more work
* replaced img in graph, created alert list page
* docs: update docs
* Update CHANGELOG.md
* changelog: adds note about closing #5873
* replaced image
* Docs new updates (#9324)
* Update CHANGELOG.md
* Update latest.json
* cleanup: removed unused file
* tech: remove bower and moved remaining bower dependencies to npm
* tech: cleanup and fixed build issue
* tech: upgraded angularjs and moved dependency from bower to npm, closes #9327
* follow go idiom and return error as second param
* tech: updated tsconfig
* docker: adds alertmanager to prometheus fig
* tech: more tslint rules
* another img update
* tech: removing unused variables from typescript files, and making tslint rules more strict
* deleted old shortcuts instruction
* text uppdates for dashlist and singlestat(+img). updated the keyboard shortcuts
* context is reserved for go's context
* make ds a param for Query
* remove batch abstraction
* rename executor into tsdbqueryendpoint
* remove unused structs
* refactor response flow
* tech: removed test component
* ux: minor singlestat update
* singlestat: minor change
* Update CHANGELOG.md
* Singlestat time (#9298)
* tech: progress on react poc
* adds note about closing #9213
* Update _navbar.scss
* replaced images, updating text(not finished)
* fix: close for 'Unsaved Changes' modal, #9284 (#9313)
* Initial graphite tags support (#9239)
* tech: initial react poc
* Make details more clean in PD description
* bug: enable HEAD requests again
* Add `DbClusterIdentifier` to CloudWatch dimensions (#9297)
* templating: fix dependent variable updating (#9306)
* Fix adhoc filters restoration (#9303)
* Explicitly refer to Github 'OAuth' applications
* config bucket and region for s3 uploader
* fixes bug introduced with prom namespaces
* fixing spelling of millesecond -> millisecond
* fixing spelling of millesecond -> millisecond
* Remove duplicate bus.AddHandler() (#9289)
* Update CHANGELOG.md
* use same key as mt
* tag alert queries that return no_data
* updated error page html+css, added ds_store to ignore (#9285)
* public/app/plugins/panel/graph/specs/graph_specs.ts: relax tests to be 'within' instead of 'equal', so they won't fail on i686 (#9286)
* Fix path to icon (#9276)
* adds note about fix in v4.5.2
* skip NaN values when writing to graphite
* addded mass units, #9265 (#9273)
* Fully fill out nulls in cloudfront data source (#9268)
* make it possible to configure sampler type
* mark >=400 responses as error
* change port for jaeger dev container
* logwrapper for jaeger
* make samplerconfig.param configurable
* adds custom tags from settings
* use route as span name
* add trace headers for outgoing requests
* docker file for running jaeger
* better formating for error trace
* attach context with span to *http.Request
* add traces for datasource reverse proxy requests
* trace failed executions
* use tags instead of logs
* use opentracing ext package when possible
* set example port to zipkin default
* adds codahale to vendor
* makes jaeger tracing configurable
* add trace parameters for outgoing requests
* adds basic traces using open traces
* require dashboard panels to have id
* fix: jsonData should not be allowed to be null, fixes #9258
* packaging: reduce package size
* Update upgrading.md (#9263)
* Added --pluginUrl option to grafana-cli for local network plugin installation
* adds note about closing #1395
* add locale format
* update changelog
* fixes broken tests :boom:
* minor code adjusetments
* pass context to image uploaders
* remove unused deps
* Reduced OAuth scope to read_write
* GCS support via JSON API
* gofmt fixes
* Added GCS support #8370
* move more known datasources from others
* Remove alert thresholds on panel duplicate, issue #9178 (#9257)
* 4.5.1 docs + update version to 5.0.0-pre1
* publish_both.sh update for 4.5.1
* Update CHANGELOG.md
* docs: updated changelog
* packaging: reducing package size be only including public vendor stuff we need
* docs: update download links
* allow ssl renegotiation for datasources
* check args for query
* add test for completer
* fix
* follow token name change
* (prometheus) support label value completion
* (prometheus) support label name completion
* get s3 url via aws-sdk-go, fix #9189
* Prometheus: Rework the interaction between auto interval (computed based on graph resolution), min interval (where specified, per query) and intervalFactor (AKA resolution, where specified, per query). As a bonus, have and reflect the actual interval (not the auto interval), taking into account min interval and Prometheus' 11k data points limit.
* minor fix
* (prometheus) support instant query for table format, use checkbox to switch query type
* (prometheus) instant query support
* Add thumbnail to card
* Add values to the hipchat card
* Reorder editorconfig
* Enable datasources to be able to round off to a UTC day properly
* Include triggering metrics to pagerduty alerts
- Add 0001-fix-XSS-vulnerabilities-in-dashboard-links.patch (bsc#1096985)
- adjust mysql-systemd-helper ('shutdown protected MySQL' section)
so it checks both ping response and the pid in a process list
as it can take some time till the process is terminated.
Otherwise it can lead to 'found left-over process' situation
when regular mariadb is started [bsc#1143215]
- update suse_skipped_tests.list
- remove client_ed25519.so plugin because it's shipped in
mariadb-connector-c package (libmariadb_plugins)
- update suse_skipped_tests.list
- update to 10.2.25 GA
* Fixes for the following security vulnerabilities:
* 10.2.23: none
* 10.2.24: CVE-2019-2628, CVE-2019-2627, CVE-2019-2614
* 10.2.25: none
* release notes and changelog:
https://mariadb.com/kb/en/library/mariadb-10223-release-notes
https://mariadb.com/kb/en/library/mariadb-10223-changelog
https://mariadb.com/kb/en/library/mariadb-10224-release-notes
https://mariadb.com/kb/en/library/mariadb-10224-changelog
https://mariadb.com/kb/en/library/mariadb-10225-release-notes
https://mariadb.com/kb/en/library/mariadb-10225-changelog
- remove mariadb-10.2.22-fix_path.patch that was applied upstream
in mariadb 10.2.23
- remove caching_sha2_password.so because it's shipped in
mariadb-connector-c package (libmariadb_plugins)
- remove xtrabackup scripts as it was replaced by mariabackup (we
already removed xtrabackup requires in the first phase)
- fix reading options for multiple instances if my${INSTANCE}.cnf
is used. Also remove 'umask 077' from mysql-systemd-helper that
causes that new datadirs are created with wrong permissions. Set
correct permissions for files created by us (mysql_upgrade_info,
.run-mysql_upgrade) [bsc#1132666]
- fix build comment to not refer to openSUSE
- tracker bug [bsc#1136035]
- New upstream version 3.1.2 [bsc#1136035]
* CONC-383: client plugins can't be loaded due to missing prefix
* Fixed version setting in GnuTLS by moving 'NORMAL' at the end
of priority string
* CONC-386: Added support for pem files which contain certificate
and private key.
* Replication/Binlog API: The main mechanism used in replication
is the binary log.
* CONC-395: Dashes and underscores are not interchangeable in
options in my.cnf
* CONC-384: Incorrect packet when a connection attribute name or
value is equal to or greater than 251
* CONC-388: field->def_length is always set to 0
* Getter should get and the setter should set
CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS
* Disable LOAD DATA LOCAL INFILE suport by default and auto-enable
it for the duration of one query, if the query string starts with
the word 'load'. In all other cases the application should enable
LOAD DATA LOCAL INFILE support explicitly.
* Changed return code for mysql_optionv/mysql_get_optionv to 1 (was -1)
and added CR_NOT_IMPLEMENTED error message if a option is unknown
or not supported.
* mingw fix: use lowercase names for include files
* CONC-375: Fixed handshake errors when mixing TLSv1.3 cipher
suites with cipher suites from other TLS protocols
* CONC-312: Added new caching_sha2_password authentication plugin
for authentication with MySQL 8.0
- refresh mariadb-connector-c-2.3.1_unresolved_symbols.patch and
private_library.patch
- pack caching_sha2_password.so and client_ed25519.so
- move libmariadb.pc from /usr/lib/pkgconfig to
/usr/lib64/pkgconfig for x86_64 [bsc#1126088]
- Fixes bugs bsc#1145796: Add tightPNG encoding
* Apply novnc-1.0.0-add-encoding-support-for-TightPNG.patch
This patch cherry-picks commit 2c813a33f to novnc 1.0.0 to enable tightPNG encoding.
This encoding is needed to allow noVNC to work with instances that
run on ESX hypervisors. It is not possible to update the Pike package
to noVNC 1.1.0 as that version is not supported with openstack-nova until Rocky.
- Update to version cinder-11.2.3.dev16:
* RBD: remove redundant exception log to reduce noise
- Update to version cinder-11.2.3.dev14:
* Fix NFS volume retype with migrate
- Update to version cinder-11.2.3.dev12:
* Remove Sheepdog tests from zuul config
* NetApp: Return all iSCSI targets-portals
- Update to version cinder-11.2.3.dev8:
* Remove experimental openSUSE 42.3 job
- Update to version cinder-11.2.3.dev16:
* RBD: remove redundant exception log to reduce noise
- Update to version cinder-11.2.3.dev14:
* Fix NFS volume retype with migrate
- Update to version cinder-11.2.3.dev12:
* Remove Sheepdog tests from zuul config
* NetApp: Return all iSCSI targets-portals
- Update to version cinder-11.2.3.dev8:
* Remove experimental openSUSE 42.3 job
- Update to version glance-15.0.3.dev3:
* Remove experimental openSUSE 42.3 job
- Update to version glance-15.0.3.dev3:
* Remove experimental openSUSE 42.3 job
- Update to version heat-9.0.8.dev13:
* Unlimited cinder quotas throws exception
- Update to version heat-9.0.8.dev12:
* Do not perform the tenant stack limit check for admin user
- Update to version heat-9.0.8.dev13:
* Unlimited cinder quotas throws exception
- Update to version heat-9.0.8.dev12:
* Do not perform the tenant stack limit check for admin user
- don't exclude pyc files to fix update/upgrade (SOC-9339)
- Update to version keystone-12.0.4.dev4:
* Remove experimental openSUSE 42.3 job
* Cap bandit
- Update to version keystone-12.0.4.dev4:
* Remove experimental openSUSE 42.3 job
* Cap bandit
- Update to version keystone-12.0.4.dev4:
* Remove experimental openSUSE 42.3 job
* Cap bandit
- Update to version keystone-12.0.4.dev4:
* Remove experimental openSUSE 42.3 job
* Cap bandit
- Update to version Build_20190923_16.32 (bsc#1148158)
* Create path.repo directory for Elasticseach
- Update to version neutron-11.0.9.dev51:
* Check for agent restarted after checking for DVR port
- Update to version neutron-11.0.9.dev49:
* Allow first address in an IPv6 subnet as valid unicast
- Update to version neutron-11.0.9.dev47:
* Remove experimental openSUSE 42.3 job
- Update to version neutron-11.0.9.dev45:
* Clear skb mark on encapsulating packets
* fix update port bug
- Update to version neutron-11.0.9.dev51:
* Check for agent restarted after checking for DVR port
- Update to version neutron-11.0.9.dev49:
* Allow first address in an IPv6 subnet as valid unicast
- Update to version neutron-11.0.9.dev47:
* Remove experimental openSUSE 42.3 job
- Update to version neutron-11.0.9.dev45:
* Clear skb mark on encapsulating packets
* fix update port bug
- Update to version group-based-policy-7.3.1.dev56:
* [AIM] Fix HAIP RPC query
- Update to version group-based-policy-7.3.1.dev55:
* Fix implicit ICMPv6 Security Group Rules
- Update to version group-based-policy-7.3.1.dev54:
* Fixed snat port status to be ACTIVE and UP
- Update to version group-based-policy-7.3.1.dev53:
* Verify aim\_epg exists before proceeding
* Revert 'Make DHCP provisioning blocks conditional'
* Some refactoring regarding merge aim statuses
- Update to version group-based-policy-7.3.1.dev47:
* Bulk extension support for routers
- Update to version group-based-policy-7.3.1.dev46:
* [AIM] Eliminate redundant router extension content
- add 0001-Remove-DDT-tests-from-tempest-plugin.patch
- add 0001-Fix-unable-to-delete-subnet-in-API-tests.patch
- Update to version nova-16.1.9.dev7:
* Remove experimental job on openSUSE 42.3
- Update to version nova-16.1.9.dev6:
* Fix misuse of nova.objects.base.obj\_equal\_prims
- Update to version nova-16.1.9.dev5:
* Replace non-nova server fault message
- Allow to attach more than 26 volumes (bsc#1118900)
* This is a forward port from SOC7
* Add 0001-Add-method-to-generate-device-names-universally.patch
* Add 0002-Raise-403-instead-of-500-error-from-attach-volume-AP.patch
* Add 0003-Add-configuration-of-maximum-disk-devices-to-attach.patch
- Update to version nova-16.1.9.dev7:
* Remove experimental job on openSUSE 42.3
- Update to version nova-16.1.9.dev6:
* Fix misuse of nova.objects.base.obj\_equal\_prims
- Update to version nova-16.1.9.dev5:
* Replace non-nova server fault message
- add 0002-Do_not_send_AAAA_DNS_request_when_domain_resolved_to_IPv4_address.patch (SOC-9144)
- update to 2.7.2:
* includes fix for controller connection over SSL
* enable build against openvswitch-devel to get C extensions enabled (bsc#1141121)
- Added fix-xxe-in-xml-parsing.patch (CVE-2016-10127, bsc#1019074)
- Add patch CVE-2019-13611.patch (SOC-9989, bsc#1141676)
* python-python-engineio: An issue was discovered in
python-engineio through 3.8.2. There is a Cross-Site WebSocket
Hijacking (CSWSH) vulnerability that allows attackers to make
WebSocket connections to a server
- Add missing dependency on python-six (bsc#1150895)
- Update to version 8.20190911:
* Fixing broken markup (noref)
- Update to version 8.20190909:
* Adding networking loop known issue (SOC-10150)
* add Keystone default is still UUID (noref)
* remove Known Issue-WebSSO not working (bsc#1132593)
* Remove de-de from the URL again.
* transfer C8 revision history from MF wiki (SCRD-7737)
* Typo/grammar fixes + URL fix
* remove Crowbar deprecation date (bsc#1125893)
* remove comment that ovsvapp is not functional
- Update to version 8.20190909:
* Adding networking loop known issue (SOC-10150)
* add Keystone default is still UUID (noref)
* remove Known Issue-WebSSO not working (bsc#1132593)
- Add python-defusedxml (bsc#1019074)
rubygem-easy_diff, rubygem-rest-client-1_6:
- CVE-2015-3448: Fixed a plain text local password disclosure. (bsc#917802)
Non-security issue fixed:
- rubygem-easy_diff was updated to version 1.0.0.
ModerateSUSE bug 1019074SUSE bug 1096985SUSE bug 1106515SUSE bug 1115960SUSE bug 1116846SUSE bug 1118900SUSE bug 1120657SUSE bug 1125893SUSE bug 1126088SUSE bug 1132593SUSE bug 1132666SUSE bug 1136035SUSE bug 1141121SUSE bug 1141676SUSE bug 1143215SUSE bug 1145796SUSE bug 1146578SUSE bug 1148158SUSE bug 1148383SUSE bug 1150895SUSE bug 917802CVE-2015-3448 at SUSECVE-2015-3448 at NVDCVE-2016-10127 at SUSECVE-2016-10127 at NVDCVE-2018-15727 at SUSECVE-2018-15727 at NVDCVE-2018-19039 at SUSECVE-2018-19039 at NVDCVE-2018-558213 at SUSECVE-2018-558213 at NVDCVE-2019-13611 at SUSECVE-2019-13611 at NVDCVE-2019-15043 at SUSECVE-2019-15043 at NVDCVE-2019-2614 at SUSECVE-2019-2614 at NVDCVE-2019-2627 at SUSECVE-2019-2627 at NVDCVE-2019-2628 at SUSECVE-2019-2628 at NVDCVE-2019-5477 at SUSECVE-2019-5477 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox to 68.2.0 ESR fixes the following issues:
Mozilla Firefox was updated to version 68.2.0 ESR (bsc#1154738).
Security issues fixed:
- CVE-2019-15903: Fixed a heap overflow in the expat library (bsc#1149429).
- CVE-2019-11757: Fixed a use-after-free when creating index updates in IndexedDB (bsc#1154738).
- CVE-2019-11758: Fixed a potentially exploitable crash due to 360 Total Security (bsc#1154738).
- CVE-2019-11759: Fixed a stack buffer overflow in HKDF output (bsc#1154738).
- CVE-2019-11760: Fixed a stack buffer overflow in WebRTC networking (bsc#1154738).
- CVE-2019-11761: Fixed an unintended access to a privileged JSONView object (bsc#1154738).
- CVE-2019-11762: Fixed a same-origin-property violation (bsc#1154738).
- CVE-2019-11763: Fixed an XSS bypass (bsc#1154738).
- CVE-2019-11764: Fixed several memory safety bugs (bsc#1154738).
Non-security issues fixed:
- Firefox 60.7 ESR changed the user interface language (bsc#1137990).
- Wrong Firefox GUI Language (bsc#1120374).
- Fixed an inadvertent crash report transmission without user opt-in (bsc#1074235).
- Firefox hangs randomly when browsing and scrolling (bsc#1043008).
- Firefox stops loading page until mouse is moved (bsc#1025108).
ImportantSUSE bug 1010399SUSE bug 1010405SUSE bug 1010406SUSE bug 1010408SUSE bug 1010409SUSE bug 1010421SUSE bug 1010423SUSE bug 1010424SUSE bug 1010425SUSE bug 1010426SUSE bug 1025108SUSE bug 1043008SUSE bug 1047281SUSE bug 1074235SUSE bug 1092611SUSE bug 1120374SUSE bug 1137990SUSE bug 1149429SUSE bug 1154738SUSE bug 959933SUSE bug 983922CVE-2016-2830 at SUSECVE-2016-2830 at NVDCVE-2016-5289 at SUSECVE-2016-5289 at NVDCVE-2016-5292 at SUSECVE-2016-5292 at NVDCVE-2016-9063 at SUSECVE-2016-9063 at NVDCVE-2016-9067 at SUSECVE-2016-9067 at NVDCVE-2016-9068 at SUSECVE-2016-9068 at NVDCVE-2016-9069 at SUSECVE-2016-9069 at NVDCVE-2016-9071 at SUSECVE-2016-9071 at NVDCVE-2016-9073 at SUSECVE-2016-9073 at NVDCVE-2016-9075 at SUSECVE-2016-9075 at NVDCVE-2016-9076 at SUSECVE-2016-9076 at NVDCVE-2016-9077 at SUSECVE-2016-9077 at NVDCVE-2017-7789 at SUSECVE-2017-7789 at NVDCVE-2018-5150 at SUSECVE-2018-5150 at NVDCVE-2018-5151 at SUSECVE-2018-5151 at NVDCVE-2018-5152 at SUSECVE-2018-5152 at NVDCVE-2018-5153 at SUSECVE-2018-5153 at NVDCVE-2018-5154 at SUSECVE-2018-5154 at NVDCVE-2018-5155 at SUSECVE-2018-5155 at NVDCVE-2018-5157 at SUSECVE-2018-5157 at NVDCVE-2018-5158 at SUSECVE-2018-5158 at NVDCVE-2018-5159 at SUSECVE-2018-5159 at NVDCVE-2018-5160 at SUSECVE-2018-5160 at NVDCVE-2018-5163 at SUSECVE-2018-5163 at NVDCVE-2018-5164 at SUSECVE-2018-5164 at NVDCVE-2018-5165 at SUSECVE-2018-5165 at NVDCVE-2018-5166 at SUSECVE-2018-5166 at NVDCVE-2018-5167 at SUSECVE-2018-5167 at NVDCVE-2018-5168 at SUSECVE-2018-5168 at NVDCVE-2018-5169 at SUSECVE-2018-5169 at NVDCVE-2018-5172 at SUSECVE-2018-5172 at NVDCVE-2018-5173 at SUSECVE-2018-5173 at NVDCVE-2018-5174 at SUSECVE-2018-5174 at NVDCVE-2018-5175 at SUSECVE-2018-5175 at NVDCVE-2018-5176 at SUSECVE-2018-5176 at NVDCVE-2018-5177 at SUSECVE-2018-5177 at NVDCVE-2018-5178 at SUSECVE-2018-5178 at NVDCVE-2018-5179 at SUSECVE-2018-5179 at NVDCVE-2018-5180 at SUSECVE-2018-5180 at NVDCVE-2018-5181 at SUSECVE-2018-5181 at NVDCVE-2018-5182 at SUSECVE-2018-5182 at NVDCVE-2018-5183 at SUSECVE-2018-5183 at NVDCVE-2019-11757 at SUSECVE-2019-11757 at NVDCVE-2019-11758 at SUSECVE-2019-11758 at NVDCVE-2019-11759 at SUSECVE-2019-11759 at NVDCVE-2019-11760 at SUSECVE-2019-11760 at NVDCVE-2019-11761 at SUSECVE-2019-11761 at NVDCVE-2019-11762 at SUSECVE-2019-11762 at NVDCVE-2019-11763 at SUSECVE-2019-11763 at NVDCVE-2019-11764 at SUSECVE-2019-11764 at NVDCVE-2019-15903 at SUSECVE-2019-15903 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for samba (Important)SUSE OpenStack Cloud Crowbar 8
This update for samba fixes the following issues:
- CVE-2019-10218: Client code can return filenames containing path separators (bsc#1144902).
ImportantSUSE bug 1144902CVE-2019-10218 at SUSECVE-2019-10218 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for gdb (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for gdb fixes the following issues:
Update to gdb 8.3.1: (jsc#ECO-368)
Security issues fixed:
- CVE-2019-1010180: Fixed a potential buffer overflow when loading ELF sections larger than the file. (bsc#1142772)
Upgrade libipt from v2.0 to v2.0.1.
- Enable librpm for version > librpm.so.3 [bsc#1145692]:
* Allow any librpm.so.x
* Add %build test to check for 'zypper install <rpm-packagename>'
message
- Copy gdbinit from fedora master @ 25caf28. Add
gdbinit.without-python, and use it for --without=python.
Rebase to 8.3 release (as in fedora 30 @ 1e222a3).
* DWARF index cache: GDB can now automatically save indices of DWARF
symbols on disk to speed up further loading of the same binaries.
* Ada task switching is now supported on aarch64-elf targets when
debugging a program using the Ravenscar Profile.
* Terminal styling is now available for the CLI and the TUI.
* Removed support for old demangling styles arm, edg, gnu, hp and
lucid.
* Support for new native configuration RISC-V GNU/Linux (riscv*-*-linux*).
- Implemented access to more POWER8 registers. [fate#326120, fate#325178]
- Also handle most new s390 arch13 instructions. [fate#327369, jsc#ECO-368]
ModerateSUSE bug 1115034SUSE bug 1142772SUSE bug 1145692CVE-2019-1010180 at SUSECVE-2019-1010180 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-haml (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-haml fixes the following issue:
- CVE-2017-1002201: Fixed an insufficient character escape that could have led to arbitrary code execution (bsc#1155089).
ModerateSUSE bug 1155089CVE-2017-1002201 at SUSECVE-2017-1002201 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libssh2_org (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for libssh2_org fixes the following issue:
- CVE-2019-17498: Fixed an integer overflow in a bounds check that might have led to the disclosure of sensitive information or a denial of service (bsc#1154862).
ModerateSUSE bug 1154862CVE-2019-17498 at SUSECVE-2019-17498 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libseccomp (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for libseccomp fixes the following issues:
Update to new upstream release 2.4.1:
* Fix a BPF generation bug where the optimizer mistakenly
identified duplicate BPF code blocks.
Updated to 2.4.0 (bsc#1128828 CVE-2019-9893):
* Update the syscall table for Linux v5.0-rc5
* Added support for the SCMP_ACT_KILL_PROCESS action
* Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute
* Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension
* Added support for the parisc and parisc64 architectures
* Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3)
* Return -EDOM on an endian mismatch when adding an architecture to a filter
* Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run()
* Fix PFC generation when a syscall is prioritized, but no rule exists
* Numerous fixes to the seccomp-bpf filter generation code
* Switch our internal hashing function to jhash/Lookup3 to MurmurHash3
* Numerous tests added to the included test suite, coverage now at ~92%
* Update our Travis CI configuration to use Ubuntu 16.04
* Numerous documentation fixes and updates
Update to release 2.3.3:
* Updated the syscall table for Linux v4.15-rc7
Update to release 2.3.2:
* Achieved full compliance with the CII Best Practices program
* Added Travis CI builds to the GitHub repository
* Added code coverage reporting with the '--enable-code-coverage' configure
flag and added Coveralls to the GitHub repository
* Updated the syscall tables to match Linux v4.10-rc6+
* Support for building with Python v3.x
* Allow rules with the -1 syscall if the SCMP\_FLTATR\_API\_TSKIP attribute is
set to true
* Several small documentation fixes
- ignore make check error for ppc64/ppc64le, bypass bsc#1142614
ModerateSUSE bug 1082318SUSE bug 1128828SUSE bug 1142614CVE-2019-9893 at SUSECVE-2019-9893 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud Crowbar 8
The SUSE Linux Enterprise 12-SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race
condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine
Exception during Page Size Change, causing the CPU core to be non-functional.
The Linux Kernel kvm hypervisor was adjusted to avoid page size changes in
executable pages by splitting / merging huge pages into small pages as
needed. More information can be found on https://www.suse.com/support/kb/doc/?id=7023735
- CVE-2019-16995: Fix a memory leak in hsr_dev_finalize() if hsr_add_port
failed to add a port, which may have caused denial of service (bsc#1152685).
- CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with
Transactional Memory support could be used to facilitate sidechannel
information leaks out of microarchitectural buffers, similar to the
previously described 'Microarchitectural Data Sampling' attack.
The Linux kernel was supplemented with the option to disable TSX operation
altogether (requiring CPU Microcode updates on older systems) and better
flushing of microarchitectural buffers (VERW).
The set of options available is described in our TID at https://www.suse.com/support/kb/doc/?id=7024251
- CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c did not check the
alloc_workqueue return value, leading to a NULL pointer dereference.
(bsc#1150457).
- CVE-2019-10220: Added sanity checks on the pathnames passed to the user
space. (bsc#1144903).
- CVE-2019-17666: rtlwifi: Fix potential overflow in P2P code (bsc#1154372).
- CVE-2019-17133: cfg80211 wireless extension did not reject a long SSID IE,
leading to a Buffer Overflow (bsc#1153158).
- CVE-2019-16232: Fix a potential NULL pointer dereference in the Marwell
libertas driver (bsc#1150465).
- CVE-2019-16234: iwlwifi pcie driver did not check the alloc_workqueue return
value, leading to a NULL pointer dereference. (bsc#1150452).
- CVE-2019-17055: The AF_ISDN network module in the Linux kernel did not
enforce CAP_NET_RAW, which meant that unprivileged users could create a raw
socket (bnc#1152782).
- CVE-2019-17056: The AF_NFC network module did not enforce CAP_NET_RAW, which
meant that unprivileged users could create a raw socket (bsc#1152788).
- CVE-2019-16413: The 9p filesystem did not protect i_size_write() properly,
which caused an i_size_read() infinite loop and denial of service on SMP
systems (bnc#1151347).
- CVE-2019-15902: A backporting issue was discovered that re-introduced the
Spectre vulnerability it had aimed to eliminate. This occurred because the
backport process depends on cherry picking specific commits, and because two
(correctly ordered) code lines were swapped (bnc#1149376).
- CVE-2019-15291: Fixed a NULL pointer dereference issue that could be caused
by a malicious USB device (bnc#1146519).
- CVE-2019-15807: Fixed a memory leak in the SCSI module that could be abused
to cause denial of service (bnc#1148938).
- CVE-2019-13272: Fixed a mishandled the recording of the credentials of a
process that wants to create a ptrace relationship, which allowed local users
to obtain root access by leveraging certain scenarios with a parent-child
process relationship, where a parent drops privileges and calls execve
(potentially allowing control by an attacker). (bnc#1140671).
- CVE-2019-14821: An out-of-bounds access issue was fixed in the kernel's KVM
hypervisor. An unprivileged host user or process with access to '/dev/kvm'
device could use this flaw to crash the host kernel, resulting in a denial of
service or potentially escalating privileges on the system (bnc#1151350).
- CVE-2019-15505: An out-of-bounds issue had been fixed that could be caused by
crafted USB device traffic (bnc#1147122).
- CVE-2017-18595: A double free in allocate_trace_buffer was fixed
(bnc#1149555).
- CVE-2019-14835: A buffer overflow flaw was found in the kernel's vhost
functionality that translates virtqueue buffers to IOVs. A privileged guest
user able to pass descriptors with invalid length to the host could use this
flaw to increase their privileges on the host (bnc#1150112).
- CVE-2019-15216: A NULL pointer dereference was fixed that could be malicious
USB device (bnc#1146361).
- CVE-2019-15924: A a NULL pointer dereference has been fixed in the
drivers/net/ethernet/intel/fm10k module (bnc#1149612).
- CVE-2019-9456: An out-of-bounds write in the USB monitor driver has been
fixed. This issue could lead to local escalation of privilege with System
execution privileges needed. (bnc#1150025).
- CVE-2019-15926: An out-of-bounds access was fixed in the
drivers/net/wireless/ath/ath6kl module. (bnc#1149527).
- CVE-2019-15927: An out-of-bounds access was fixed in the sound/usb/mixer
module (bnc#1149522).
- CVE-2019-15666: There was an out-of-bounds array access in the net/xfrm
module that could cause denial of service (bnc#1148394).
- CVE-2017-18379: An out-of-boundary access was fixed in the
drivers/nvme/target module (bnc#1143187).
- CVE-2019-15219: A NULL pointer dereference was fixed that could be abused by
a malicious USB device (bnc#1146519 1146524).
- CVE-2019-15220: A use-after-free issue was fixed that could be caused by a
malicious USB device (bnc#1146519 1146526).
- CVE-2019-15221: A NULL pointer dereference was fixed that could be caused by
a malicious USB device (bnc#1146519 1146529).
- CVE-2019-14814: A heap-based buffer overflow was fixed in the marvell wifi
chip driver. That issue allowed local users to cause a denial of service
(system crash) or possibly execute arbitrary code (bnc#1146512).
- CVE-2019-14815: A missing length check while parsing WMM IEs was fixed
(bsc#1146512, bsc#1146514, bsc#1146516).
- CVE-2019-14816: A heap-based buffer overflow in the marvell wifi chip driver
was fixed. Local users would have abused this issue to cause a denial of
service (system crash) or possibly execute arbitrary code (bnc#1146516).
- CVE-2017-18509: An issue in net/ipv6 as fixed. By setting a specific socket
option, an attacker could control a pointer in kernel land and cause an
inet_csk_listen_stop general protection fault, or potentially execute
arbitrary code under certain circumstances. The issue can be triggered as
root (e.g., inside a default LXC container or with the CAP_NET_ADMIN
capability) or after namespace unsharing. (bnc#1145477)
- CVE-2019-9506: The Bluetooth BR/EDR specification used to permit sufficiently
low encryption key length and did not prevent an attacker from influencing
the key length negotiation. This allowed practical brute-force attacks (aka
'KNOB') that could decrypt traffic and inject arbitrary ciphertext without
the victim noticing (bnc#1137865).
- CVE-2019-15098: A NULL pointer dereference in drivers/net/wireless/ath was
fixed (bnc#1146378).
- CVE-2019-15290: A NULL pointer dereference in ath6kl_usb_alloc_urb_from_pipe
was fixed (bsc#1146378).
- CVE-2019-15239: A incorrect patch to net/ipv4 was fixed. By adding to a write
queue between disconnection and re-connection, a local attacker could trigger
multiple use-after-free conditions. This could result in kernel crashes or
potentially in privilege escalation. (bnc#1146589)
- CVE-2019-15212: A double-free issue was fixed in drivers/usb driver
(bnc#1146391).
- CVE-2016-10906: A use-after-free issue was fixed in drivers/net/ethernet/arc
(bnc#1146584).
- CVE-2019-15211: A use-after-free issue caused by a malicious USB device was
fixed in the drivers/media/v4l2-core driver (bnc#1146519).
- CVE-2019-15217: A a NULL pointer dereference issue caused by a malicious USB
device was fixed in the drivers/media/usb/zr364xx driver (bnc#1146519).
- CVE-2019-15214: An a use-after-free issue in the sound subsystem was fixed
(bnc#1146519).
- CVE-2019-15218: A NULL pointer dereference caused by a malicious USB device
was fixed in the drivers/media/usb/siano driver (bnc#1146413).
- CVE-2019-15215: A use-after-free issue caused by a malicious USB device was
fixed in the drivers/media/usb/cpia2 driver (bnc#1146425).
- CVE-2018-20976: A use-after-free issue was fixed in the fs/xfs driver
(bnc#1146285).
- CVE-2017-18551: An out-of-bounds write was fixed in the drivers/i2c driver
(bnc#1146163).
- CVE-2019-0154: An unprotected read access to i915 registers has been fixed
that could have been abused to facilitate a local denial-of-service attack.
(bsc#1135966)
- CVE-2019-0155: A privilege escalation vulnerability has been fixed in the
i915 module that allowed batch buffers from user mode to gain super user
privileges. (bsc#1135967)
The following non-security bugs were fixed:
- array_index_nospec: Sanitize speculative array (bsc#1155671)
- bonding/802.3ad: fix link_failure_count tracking (bsc#1141013).
- bonding/802.3ad: fix slave link initialization transition states (bsc#1141013).
- bonding: correctly update link status during mii-commit phase (bsc#1141013).
- bonding: fix active-backup transition (bsc#1141013).
- bonding: make speed, duplex setting consistent with link state (bsc#1141013).
- bonding: ratelimit failed speed/duplex update warning (bsc#1141013).
- bonding: require speed/duplex only for 802.3ad, alb and tlb (bsc#1141013).
- bonding: set default miimon value for non-arp modes if not set (bsc#1141013).
- bonding: speed/duplex update at NETDEV_UP event (bsc#1141013).
- cifs: fix panic in smb2_reconnect (bsc#1142458).
- cifs: handle netapp error codes (bsc#1136261).
- cpu/speculation: Uninline and export CPU mitigations helpers (bnc#1117665).
- ib/core, ipoib: Do not overreact to SM LID change event (bsc#1154103)
- ib/core: Add mitigation for Spectre V1 (bsc#1155671)
- ixgbe: sync the first fragment unconditionally (bsc#1133140).
- kvm: Convert kvm_lock to a mutex (bsc#1117665).
- kvm: lapic: cap __delay at lapic_timer_advance_ns (bsc#1149083).
- kvm: mmu: drop vcpu param in gpte_access (bsc#1117665).
- kvm: mmu: introduce kvm_mmu_gfn_{allow,disallow}_lpage (bsc#1117665).
- kvm: mmu: rename has_wrprotected_page to mmu_gfn_lpage_is_disallowed (bsc#1117665).
- kvm: vmx, svm: always run with EFER.NXE=1 when shadow paging is active (bsc#1117665).
- kvm: x86, powerpc: do not allow clearing largepages debugfs entry (bsc#1117665).
- kvm: x86: Do not release the page inside mmu_set_spte() (bsc#1117665).
- kvm: x86: MMU: Consolidate quickly_check_mmio_pf() and is_mmio_page_fault() (bsc#1117665).
- kvm: x86: MMU: Encapsulate the type of rmap-chain head in a new struct (bsc#1117665).
- kvm: x86: MMU: Move handle_mmio_page_fault() call to kvm_mmu_page_fault() (bsc#1117665).
- kvm: x86: MMU: Move initialization of parent_ptes out from kvm_mmu_alloc_page() (bsc#1117665).
- kvm: x86: MMU: Move parent_pte handling from kvm_mmu_get_page() to link_shadow_page() (bsc#1117665).
- kvm: x86: MMU: Remove unused parameter parent_pte from kvm_mmu_get_page() (bsc#1117665).
- kvm: x86: MMU: always set accessed bit in shadow PTEs (bsc#1117665).
- kvm: x86: Reduce the overhead when lapic_timer_advance is disabled (bsc#1149083).
- kvm: x86: add tracepoints around __direct_map and FNAME(fetch) (bsc#1117665).
- kvm: x86: adjust kvm_mmu_page member to save 8 bytes (bsc#1117665).
- kvm: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON (bsc#1117665).
- kvm: x86: extend usage of RET_MMIO_PF_* constants (bsc#1117665).
- kvm: x86: make FNAME(fetch) and __direct_map more similar (bsc#1117665).
- kvm: x86: mmu: Apply global mitigations knob to ITLB_MULTIHIT (bnc#1117665).
- kvm: x86: move nsec_to_cycles from x86.c to x86.h (bsc#1149083).
- kvm: x86: remove now unneeded hugepage gfn adjustment (bsc#1117665).
- kvm: x86: simplify ept_misconfig (bsc#1117665).
- media: smsusb: better handle optional alignment (bsc#1146413).
- pci: hv: Use bytes 4 and 5 from instance ID as the PCI domain numbers (bsc#1153263).
- powerpc/64s: support nospectre_v2 cmdline option (bsc#1131107).
- powerpc/pseries: correctly track irq state in default idle (bsc#1150727 bsc#1150942 ltc#178925 ltc#181484).
- powerpc/rtas: use device model APIs and serialization during LPM (bsc#1144123 ltc#178840).
- powerpc/security: Show powerpc_security_features in debugfs (bsc#1131107).
- scsi: scsi_transport_fc: Drop double list_del() (bsc#1084878) During the backport of 260f4aeddb48 ('scsi: scsi_transport_fc: return -EBUSY for deleted vport') an additional list_del() was introduced. The list entry will be freed in fc_vport_terminate(). Do not free it premature in fc_remove_host().
- swiotlb: Add support for DMA_ATTR_SKIP_CPU_SYNC in Xen-swiotlb unmap path (bsc#1133140).
- vmci: Release resource if the work is already queued (bsc#1051510).
- x86/cpu: Add Atom Tremont (Jacobsville) (bsc#1117665).
ImportantSUSE bug 1051510SUSE bug 1084878SUSE bug 1117665SUSE bug 1131107SUSE bug 1133140SUSE bug 1135966SUSE bug 1135967SUSE bug 1136261SUSE bug 1137865SUSE bug 1139073SUSE bug 1140671SUSE bug 1141013SUSE bug 1141054SUSE bug 1142458SUSE bug 1143187SUSE bug 1144123SUSE bug 1144903SUSE bug 1145477SUSE bug 1146042SUSE bug 1146163SUSE bug 1146285SUSE bug 1146361SUSE bug 1146378SUSE bug 1146391SUSE bug 1146413SUSE bug 1146425SUSE bug 1146512SUSE bug 1146514SUSE bug 1146516SUSE bug 1146519SUSE bug 1146524SUSE bug 1146526SUSE bug 1146529SUSE bug 1146540SUSE bug 1146543SUSE bug 1146547SUSE bug 1146550SUSE bug 1146584SUSE bug 1146589SUSE bug 1147022SUSE bug 1147122SUSE bug 1148394SUSE bug 1148938SUSE bug 1149083SUSE bug 1149376SUSE bug 1149522SUSE bug 1149527SUSE bug 1149555SUSE bug 1149612SUSE bug 1150025SUSE bug 1150112SUSE bug 1150452SUSE bug 1150457SUSE bug 1150465SUSE bug 1150727SUSE bug 1150942SUSE bug 1151347SUSE bug 1151350SUSE bug 1152685SUSE bug 1152782SUSE bug 1152788SUSE bug 1153158SUSE bug 1153263SUSE bug 1154103SUSE bug 1154372SUSE bug 1155131SUSE bug 1155671CVE-2016-10906 at SUSECVE-2016-10906 at NVDCVE-2017-18379 at SUSECVE-2017-18379 at NVDCVE-2017-18509 at SUSECVE-2017-18509 at NVDCVE-2017-18551 at SUSECVE-2017-18551 at NVDCVE-2017-18595 at SUSECVE-2017-18595 at NVDCVE-2018-12207 at SUSECVE-2018-12207 at NVDCVE-2018-20976 at SUSECVE-2018-20976 at NVDCVE-2019-0154 at SUSECVE-2019-0154 at NVDCVE-2019-0155 at SUSECVE-2019-0155 at NVDCVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-11135 at SUSECVE-2019-11135 at NVDCVE-2019-13272 at SUSECVE-2019-13272 at NVDCVE-2019-14814 at SUSECVE-2019-14814 at NVDCVE-2019-14815 at SUSECVE-2019-14815 at NVDCVE-2019-14816 at SUSECVE-2019-14816 at NVDCVE-2019-14821 at SUSECVE-2019-14821 at NVDCVE-2019-14835 at SUSECVE-2019-14835 at NVDCVE-2019-15098 at SUSECVE-2019-15098 at NVDCVE-2019-15211 at SUSECVE-2019-15211 at NVDCVE-2019-15212 at SUSECVE-2019-15212 at NVDCVE-2019-15214 at SUSECVE-2019-15214 at NVDCVE-2019-15215 at SUSECVE-2019-15215 at NVDCVE-2019-15216 at SUSECVE-2019-15216 at NVDCVE-2019-15217 at SUSECVE-2019-15217 at NVDCVE-2019-15218 at SUSECVE-2019-15218 at NVDCVE-2019-15219 at SUSECVE-2019-15219 at NVDCVE-2019-15220 at SUSECVE-2019-15220 at NVDCVE-2019-15221 at SUSECVE-2019-15221 at NVDCVE-2019-15239 at SUSECVE-2019-15239 at NVDCVE-2019-15290 at SUSECVE-2019-15290 at NVDCVE-2019-15291 at SUSECVE-2019-15291 at NVDCVE-2019-15505 at SUSECVE-2019-15505 at NVDCVE-2019-15666 at SUSECVE-2019-15666 at NVDCVE-2019-15807 at SUSECVE-2019-15807 at NVDCVE-2019-15902 at SUSECVE-2019-15902 at NVDCVE-2019-15924 at SUSECVE-2019-15924 at NVDCVE-2019-15926 at SUSECVE-2019-15926 at NVDCVE-2019-15927 at SUSECVE-2019-15927 at NVDCVE-2019-16232 at SUSECVE-2019-16232 at NVDCVE-2019-16233 at SUSECVE-2019-16233 at NVDCVE-2019-16234 at SUSECVE-2019-16234 at NVDCVE-2019-16413 at SUSECVE-2019-16413 at NVDCVE-2019-16995 at SUSECVE-2019-16995 at NVDCVE-2019-17055 at SUSECVE-2019-17055 at NVDCVE-2019-17056 at SUSECVE-2019-17056 at NVDCVE-2019-17133 at SUSECVE-2019-17133 at NVDCVE-2019-17666 at SUSECVE-2019-17666 at NVDCVE-2019-9456 at SUSECVE-2019-9456 at NVDCVE-2019-9506 at SUSECVE-2019-9506 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ucode-intel (Important)SUSE OpenStack Cloud Crowbar 8
This update for ucode-intel fixes the following issues:
- Updated to 20191112 security release (bsc#1155988)
- Processor Identifier Version Products
- Model Stepping F-MO-S/PI Old->New
- ---- new platforms ----------------------------------------
- CML-U62 A0 6-a6-0/80 000000c6 Core Gen10 Mobile
- CNL-U D0 6-66-3/80 0000002a Core Gen8 Mobile
- SKX-SP B1 6-55-3/97 01000150 Xeon Scalable
- ICL U/Y D1 6-7e-5/80 00000046 Core Gen10 Mobile
- ---- updated platforms ------------------------------------
- SKL U/Y D0 6-4e-3/c0 000000cc->000000d4 Core Gen6 Mobile
- SKL H/S/E3 R0/N0 6-5e-3/36 000000cc->000000d4 Core Gen6
- AML-Y22 H0 6-8e-9/10 000000b4->000000c6 Core Gen8 Mobile
- KBL-U/Y H0 6-8e-9/c0 000000b4->000000c6 Core Gen7 Mobile
- CFL-U43e D0 6-8e-a/c0 000000b4->000000c6 Core Gen8 Mobile
- WHL-U W0 6-8e-b/d0 000000b8->000000c6 Core Gen8 Mobile
- AML-Y V0 6-8e-c/94 000000b8->000000c6 Core Gen10 Mobile
- CML-U42 V0 6-8e-c/94 000000b8->000000c6 Core Gen10 Mobile
- WHL-U V0 6-8e-c/94 000000b8->000000c6 Core Gen8 Mobile
- KBL-G/X H0 6-9e-9/2a 000000b4->000000c6 Core Gen7/Gen8
- KBL-H/S/E3 B0 6-9e-9/2a 000000b4->000000c6 Core Gen7; Xeon E3 v6
- CFL-H/S/E3 U0 6-9e-a/22 000000b4->000000c6 Core Gen8 Desktop, Mobile, Xeon E
- CFL-S B0 6-9e-b/02 000000b4->000000c6 Core Gen8
- CFL-H R0 6-9e-d/22 000000b8->000000c6 Core Gen9 Mobile
- Includes security fixes for:
- CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073)
- CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035)
- requires coreutils for the %post script (bsc#1154043)
ImportantSUSE bug 1139073SUSE bug 1141035SUSE bug 1154043SUSE bug 1155988CVE-2019-11135 at SUSECVE-2019-11135 at NVDCVE-2019-11139 at SUSECVE-2019-11139 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libjpeg-turbo (Important)SUSE OpenStack Cloud Crowbar 8
This update for libjpeg-turbo fixes the following issues:
- CVE-2019-2201: Several integer overflow issues and subsequent segfaults occurred in libjpeg-turbo,
when attempting to compress or decompress gigapixel images. [bsc#1156402]
ImportantSUSE bug 1156402CVE-2019-2201 at SUSECVE-2019-2201 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ghostscript (Important)SUSE OpenStack Cloud Crowbar 8
This update for ghostscript fixes the following issue:
- CVE-2019-14869: Fixed a possible dSAFER escape which could have allowed
an attacker to gain high privileges by a specially crafted Postscript
code (bsc#1156275).
ImportantSUSE bug 1156275CVE-2019-14869 at SUSECVE-2019-14869 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ucode-intel (Important)SUSE OpenStack Cloud Crowbar 8
This update for ucode-intel fixes the following issues:
- Updated to 20191112 official security release (bsc#1155988)
- Includes security fixes for:
- CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073)
- CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035)
ImportantSUSE bug 1139073SUSE bug 1141035SUSE bug 1155988CVE-2019-11135 at SUSECVE-2019-11135 at NVDCVE-2019-11139 at SUSECVE-2019-11139 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-ecdsa (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-ecdsa to version 0.13.3 fixes the following issues:
Security issues fixed:
- CVE-2019-14853: Fixed unexpected exceptions during signature decoding (bsc#1153165).
- CVE-2019-14859: Fixed a signature malleability caused by insufficient checks of DER encoding (bsc#1154217).
ModerateSUSE bug 1153165SUSE bug 1154217CVE-2019-14853 at SUSECVE-2019-14853 at NVDCVE-2019-14859 at SUSECVE-2019-14859 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for sqlite3 (Important)SUSE OpenStack Cloud Crowbar 8
This update for sqlite3 fixes the following issues:
- CVE-2017-2518: Fixed a use-after-free vulnerability which could have
led to buffer overflow via a crafted SQL statement (bsc#1155787).
ImportantSUSE bug 1155787CVE-2017-2518 at SUSECVE-2017-2518 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for cups (Important)SUSE OpenStack Cloud Crowbar 8
This update for cups fixes the following issues:
- CVE-2019-8675: Fixed a stack buffer overflow in libcups's asn1_get_type function(bsc#1146358).
- CVE-2019-8696: Fixed a stack buffer overflow in libcups's asn1_get_packed function (bsc#1146359).
ImportantSUSE bug 1146358SUSE bug 1146359CVE-2019-8675 at SUSECVE-2019-8675 at NVDCVE-2019-8696 at SUSECVE-2019-8696 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for clamav (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for clamav fixes the following issues:
Security issue fixed:
- CVE-2019-12625: Fixed a ZIP bomb issue by adding detection and heuristics for zips with overlapping files (bsc#1144504).
- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1149458).
Non-security issues fixed:
- Added the --max-scantime clamscan option and MaxScanTime clamd configuration option (bsc#1144504).
- Increased the startup timeout of clamd to 5 minutes to cater for the grown virus database as a workaround until clamd has learned to talk to systemd to extend the timeout as long as needed (bsc#1151839).
ModerateSUSE bug 1144504SUSE bug 1149458SUSE bug 1151839CVE-2019-12625 at SUSECVE-2019-12625 at NVDCVE-2019-12900 at SUSECVE-2019-12900 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for mailman (Important)SUSE OpenStack Cloud Crowbar 8
This update for mailman fixes the following issues:
- CVE-2019-3693: Fixed a local privilege escalation from wwwrun to root (bsc#1154328).
ImportantSUSE bug 1154328CVE-2019-3693 at SUSECVE-2019-3693 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_7_0-openjdk (Important)SUSE OpenStack Cloud Crowbar 8
This update for java-1_7_0-openjdk fixes the following issues:
Security issues fixed (October 2019 CPU bsc#1154212):
- CVE-2019-2933: Windows file handling redux
- CVE-2019-2945: Better socket support
- CVE-2019-2949: Better Kerberos ccache handling
- CVE-2019-2958: Build Better Processes
- CVE-2019-2964: Better support for patterns
- CVE-2019-2962: Better Glyph Images
- CVE-2019-2973: Better pattern compilation
- CVE-2019-2978: Improved handling of jar files
- CVE-2019-2981: Better Path supports
- CVE-2019-2983: Better serial attributes
- CVE-2019-2987: Better rendering of native glyphs
- CVE-2019-2988: Better Graphics2D drawing
- CVE-2019-2989: Improve TLS connection support
- CVE-2019-2992: Enhance font glyph mapping
- CVE-2019-2999: Commentary on Javadoc comments
- CVE-2019-2894: Enhance ECDSA operations (bsc#1152856).
ImportantSUSE bug 1152856SUSE bug 1154212CVE-2019-2894 at SUSECVE-2019-2894 at NVDCVE-2019-2933 at SUSECVE-2019-2933 at NVDCVE-2019-2945 at SUSECVE-2019-2945 at NVDCVE-2019-2949 at SUSECVE-2019-2949 at NVDCVE-2019-2958 at SUSECVE-2019-2958 at NVDCVE-2019-2962 at SUSECVE-2019-2962 at NVDCVE-2019-2964 at SUSECVE-2019-2964 at NVDCVE-2019-2973 at SUSECVE-2019-2973 at NVDCVE-2019-2978 at SUSECVE-2019-2978 at NVDCVE-2019-2981 at SUSECVE-2019-2981 at NVDCVE-2019-2983 at SUSECVE-2019-2983 at NVDCVE-2019-2987 at SUSECVE-2019-2987 at NVDCVE-2019-2988 at SUSECVE-2019-2988 at NVDCVE-2019-2989 at SUSECVE-2019-2989 at NVDCVE-2019-2992 at SUSECVE-2019-2992 at NVDCVE-2019-2999 at SUSECVE-2019-2999 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for clamav (Important)SUSE OpenStack Cloud Crowbar 8
This update for clamav fixes the following issues:
- CVE-2019-15961: Fixed a denial of service which might occur when
scanning a specially crafted email file as (bsc#1157763).
ImportantSUSE bug 1157763CVE-2019-15961 at SUSECVE-2019-15961 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for permissions (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for permissions fixes the following issues:
- CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid
which could have allowed a squid user to gain persistence by changing the
binary (bsc#1093414).
- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic
links (bsc#1150734).
- Fixed a regression which caused segmentation fault (bsc#1157198).
ModerateSUSE bug 1093414SUSE bug 1150734SUSE bug 1157198CVE-2019-3688 at SUSECVE-2019-3688 at NVDCVE-2019-3690 at SUSECVE-2019-3690 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for haproxy (Important)SUSE OpenStack Cloud Crowbar 8
This update for haproxy fixes the following issues:
- CVE-2019-18277: Fixed HTTP smuggling in messages with transfer-encoding header missing the 'chunked' value (bsc#1154980).
ImportantSUSE bug 1154980CVE-2019-18277 at SUSECVE-2019-18277 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for xen (Important)SUSE OpenStack Cloud Crowbar 8
This update for xen fixes the following issues:
- CVE-2019-19581: Fixed a potential out of bounds on 32-bit Arm (bsc#1158003 XSA-307).
- CVE-2019-19582: Fixed a potential infinite loop when x86 accesses to bitmaps with
a compile time known size of 64 (bsc#1158003 XSA-307).
- CVE-2019-19583: Fixed improper checks which could have allowed HVM/PVH guest userspace
code to crash the guest,leading to a guest denial of service (bsc#1158004 XSA-308).
- CVE-2019-19578: Fixed an issue where a malicious or buggy PV guest could have caused
hypervisor crash resulting in denial of service affecting the entire host (bsc#1158005 XSA-309).
- CVE-2019-19580: Fixed a privilege escalation where a malicious PV guest administrator
could have been able to escalate their privilege to that of the host (bsc#1158006 XSA-310).
- CVE-2019-19577: Fixed an issue where a malicious guest administrator could have caused Xen
to access data structures while they are being modified leading to a crash (bsc#1158007 XSA-311).
- CVE-2019-19579: Fixed a privilege escaltion where an untrusted domain with access
to a physical device can DMA into host memory (bsc#1157888 XSA-306).
- CVE-2019-18420: Malicious x86 PV guests may have caused a hypervisor crash,
resulting in a denial of service (bsc#1154448 XSA-296)
- CVE-2019-18425: 32-bit PV guest user mode could elevate its privileges to that
of the guest kernel. (bsc#1154456 XSA-298).
- CVE-2019-18421: A malicious PV guest administrator may have been able to
escalate their privilege to that of the host. (bsc#1154458 XSA-299).
- CVE-2019-18423: A malicious guest administrator may cause a hypervisor crash,
resulting in a denial of service (bsc#1154460 XSA-301).
- CVE-2019-18422: A malicious ARM guest might contrive to arrange for critical
Xen code to run with interrupts erroneously enabled. This could lead to data
corruption, denial of service, or possibly even privilege escalation. However
a precise attack technique has not been identified. (bsc#1154464 XSA-303)
- CVE-2019-18424: An untrusted domain with access to a physical device can DMA
into host memory, leading to privilege escalation. (bsc#1154461 XSA-302).
- CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race
condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine
Exception during Page Size Change, causing the CPU core to be non-functional.
(bsc#1155945 XSA-304)
- CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with
Transactional Memory support could be used to facilitate sidechannel
information leaks out of microarchitectural buffers, similar to the
previously described 'Microarchitectural Data Sampling' attack. (bsc#1152497 XSA-305).
ImportantSUSE bug 1152497SUSE bug 1154448SUSE bug 1154456SUSE bug 1154458SUSE bug 1154460SUSE bug 1154461SUSE bug 1154464SUSE bug 1155945SUSE bug 1157888SUSE bug 1158003SUSE bug 1158004SUSE bug 1158005SUSE bug 1158006SUSE bug 1158007CVE-2018-12207 at SUSECVE-2018-12207 at NVDCVE-2019-11135 at SUSECVE-2019-11135 at NVDCVE-2019-18420 at SUSECVE-2019-18420 at NVDCVE-2019-18421 at SUSECVE-2019-18421 at NVDCVE-2019-18422 at SUSECVE-2019-18422 at NVDCVE-2019-18423 at SUSECVE-2019-18423 at NVDCVE-2019-18424 at SUSECVE-2019-18424 at NVDCVE-2019-18425 at SUSECVE-2019-18425 at NVDCVE-2019-19577 at SUSECVE-2019-19577 at NVDCVE-2019-19578 at SUSECVE-2019-19578 at NVDCVE-2019-19579 at SUSECVE-2019-19579 at NVDCVE-2019-19580 at SUSECVE-2019-19580 at NVDCVE-2019-19581 at SUSECVE-2019-19581 at NVDCVE-2019-19582 at SUSECVE-2019-19582 at NVDCVE-2019-19583 at SUSECVE-2019-19583 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
Mozilla Firefox was updated to 68.3esr (MFSA 2019-37 bsc#1158328)
Security issues fixed:
- CVE-2019-17008: Fixed a use-after-free in worker destruction (bmo#1546331)
- CVE-2019-13722: Fixed a stack corruption due to incorrect number of arguments
in WebRTC code (bmo#1580156)
- CVE-2019-11745: Fixed an out of bounds write in NSS when encrypting with a
block cipher (bmo#1586176)
- CVE-2019-17009: Fixed an issue where updater temporary files accessible to
unprivileged processes (bmo#1510494)
- CVE-2019-17010: Fixed a use-after-free when performing device orientation
checks (bmo#1581084)
- CVE-2019-17005: Fixed a buffer overflow in plain text serializer (bmo#1584170)
- CVE-2019-17011: Fixed a use-after-free when retrieving a document
in antitracking (bmo#1591334)
- CVE-2019-17012: Fixed multiple memmory issues
(bmo#1449736, bmo#1533957, bmo#1560667,bmo#1567209, bmo#1580288, bmo#1585760,
bmo#1592502)
ImportantSUSE bug 1158328CVE-2019-11745 at SUSECVE-2019-11745 at NVDCVE-2019-13722 at SUSECVE-2019-13722 at NVDCVE-2019-17005 at SUSECVE-2019-17005 at NVDCVE-2019-17008 at SUSECVE-2019-17008 at NVDCVE-2019-17009 at SUSECVE-2019-17009 at NVDCVE-2019-17010 at SUSECVE-2019-17010 at NVDCVE-2019-17011 at SUSECVE-2019-17011 at NVDCVE-2019-17012 at SUSECVE-2019-17012 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud Crowbar 8
The SUSE Linux Enterprise 12 SP 3 LTSS kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2019-14895: A heap-based buffer overflow was discovered in the Linux kernel in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could have allowed the remote device to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1157158).
- CVE-2019-18660: The Linux kernel on powerpc allowed Information Exposure because the Spectre-RSB mitigation is not in place for all applicable CPUs. This is related to arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c (bnc#1157038).
- CVE-2019-18683: An issue was discovered in drivers/media/platform/vivid in the Linux kernel. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free (bnc#1155897).
- CVE-2019-19062: A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures (bnc#1157333).
- CVE-2019-19065: A memory leak in the sdma_init() function in drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering rhashtable_init() failures (bnc#1157191).
- CVE-2019-19052: A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_usb.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures (bnc#1157324).
- CVE-2019-19074: A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157143).
- CVE-2019-19073: Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the htc_connect_service() function (bnc#1157070).
- CVE-2019-16231: drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 did not check the alloc_workqueue return value, leading to a NULL pointer dereference (bnc#1150466).
- CVE-2019-18805: An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Linux kernel There was a net/ipv4/tcp_input.c signed integer overflow in tcp_ack_update_rtt() when userspace writes a very large integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading to a denial of service or possibly unspecified other impact (bnc#1156187).
- CVE-2019-18680: An issue was discovered in the Linux kernel. There was a NULL pointer dereference in rds_tcp_kill_sock() in net/rds/tcp.c that will cause denial of service (bnc#1155898).
- CVE-2019-15213: An use-after-free was fixed caused by malicious USB device in drivers/media/usb/dvb-usb/dvb-usb-init.c (bsc#1146544).
- CVE-2019-19536: An uninitialized Kernel memory can leak to USB devices in drivers/net/can/usb/peak_usb/pcan_usb_pro.c (bsc#1158394).
- CVE-2019-19534: An uninitialized Kernel memory can leak to USB devices in drivers/net/can/usb/peak_usb/pcan_usb_core.c (bsc#1158398).
- CVE-2019-19530: An use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver (bsc#1158410).
- CVE-2019-19524: An use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver (bsc#1158413).
- CVE-2019-19525: An use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver (bsc#1158417).
- CVE-2019-19531: An use-after-free in yurex_delete may lead to denial of service (bsc#1158445).
- CVE-2019-19523: An use-after-free on disconnect in USB adutux (bsc#1158823).
- CVE-2019-19532: An out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers (bsc#1158824).
- CVE-2019-19332: An out-of-bounds memory write via kvm_dev_ioctl_get_cpuid (bsc#1158827).
- CVE-2019-19533: An info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver (bsc#1158834).
- CVE-2019-19527: An use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver (bsc#1158900).
- CVE-2019-19535: An info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver (bsc#1158903).
- CVE-2019-19537: Two races in the USB character device registration and deregistration routines (bsc#1158904).
- CVE-2019-19338: An incomplete fix for Transaction Asynchronous Abort (TAA) (bsc#1158954).
The following non-security bugs were fixed:
- hyperv: set nvme msi interrupts to unmanaged (jsc#SLE-8953, jsc#SLE-9221, jsc#SLE-4941, bsc#1119461, bsc#1119465, bsc#1138190, bsc#1154905).
- ibmvnic: Bound waits for device queries (bsc#1155689 ltc#182047).
- ibmvnic: Fix completion structure initialization (bsc#1155689 ltc#182047).
- ibmvnic: Serialize device queries (bsc#1155689 ltc#182047).
- ibmvnic: Terminate waiting device threads after loss of service (bsc#1155689 ltc#182047).
- netfilter: nf_nat: do not bug when mapping already exists (bsc#1146612).
- powerpc/security/book3s64: Report L1TF status in sysfs (bsc#1091041).
- powerpc/security: Fix wrong message when RFI Flush is disable (bsc#1131107).
- sched/fair: WARN() and refuse to set buddy when !se->on_rq (bsc#1158132).
- x86/alternatives: Add int3_emulate_call() selftest (bsc#1153811).
- x86/alternatives: Fix int3_emulate_call() selftest stack corruption (bsc#1153811).
- xen/pv: Fix a boot up hang revealed by int3 self test (bsc#1153811).
- arp: Fix cache issue during Life Partition Migration (bsc#1152631).
- futexes: Fix speed on 4.12 kernel (bsc#1157464).
ImportantSUSE bug 1091041SUSE bug 1119461SUSE bug 1119465SUSE bug 1131107SUSE bug 1138190SUSE bug 1146544SUSE bug 1146612SUSE bug 1150466SUSE bug 1150483SUSE bug 1152631SUSE bug 1153811SUSE bug 1154905SUSE bug 1155689SUSE bug 1155897SUSE bug 1155898SUSE bug 1156187SUSE bug 1157038SUSE bug 1157042SUSE bug 1157070SUSE bug 1157143SUSE bug 1157158SUSE bug 1157191SUSE bug 1157324SUSE bug 1157333SUSE bug 1157464SUSE bug 1158132SUSE bug 1158394SUSE bug 1158398SUSE bug 1158410SUSE bug 1158413SUSE bug 1158417SUSE bug 1158445SUSE bug 1158823SUSE bug 1158824SUSE bug 1158827SUSE bug 1158834SUSE bug 1158900SUSE bug 1158903SUSE bug 1158904SUSE bug 1158954CVE-2019-14895 at SUSECVE-2019-14895 at NVDCVE-2019-15213 at SUSECVE-2019-15213 at NVDCVE-2019-16231 at SUSECVE-2019-16231 at NVDCVE-2019-18660 at SUSECVE-2019-18660 at NVDCVE-2019-18680 at SUSECVE-2019-18680 at NVDCVE-2019-18683 at SUSECVE-2019-18683 at NVDCVE-2019-18805 at SUSECVE-2019-18805 at NVDCVE-2019-19052 at SUSECVE-2019-19052 at NVDCVE-2019-19062 at SUSECVE-2019-19062 at NVDCVE-2019-19065 at SUSECVE-2019-19065 at NVDCVE-2019-19073 at SUSECVE-2019-19073 at NVDCVE-2019-19074 at SUSECVE-2019-19074 at NVDCVE-2019-19332 at SUSECVE-2019-19332 at NVDCVE-2019-19338 at SUSECVE-2019-19338 at NVDCVE-2019-19523 at SUSECVE-2019-19523 at NVDCVE-2019-19524 at SUSECVE-2019-19524 at NVDCVE-2019-19525 at SUSECVE-2019-19525 at NVDCVE-2019-19527 at SUSECVE-2019-19527 at NVDCVE-2019-19530 at SUSECVE-2019-19530 at NVDCVE-2019-19531 at SUSECVE-2019-19531 at NVDCVE-2019-19532 at SUSECVE-2019-19532 at NVDCVE-2019-19533 at SUSECVE-2019-19533 at NVDCVE-2019-19534 at SUSECVE-2019-19534 at NVDCVE-2019-19535 at SUSECVE-2019-19535 at NVDCVE-2019-19536 at SUSECVE-2019-19536 at NVDCVE-2019-19537 at SUSECVE-2019-19537 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-PyKMIP (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-PyKMIP fixes the following issues:
Security issue fixed:
- CVE-2018-1000872: Fixed a denial-of-service vulnerability which was caused by exhausting
the available sockets. To mitigate the issue server socket timeout was decreased (bsc#1120767).
ModerateSUSE bug 1120767CVE-2018-1000872 at SUSECVE-2018-1000872 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for couchdb (Important)SUSE OpenStack Cloud Crowbar 8
This update for couchdb fixes the following issues:
Security issue fixed:
- CVE-2018-11769: Fixed a remote code execution vulnerability by removing the _config route from default.ini (bsc#1104204)
ImportantSUSE bug 1104204CVE-2018-11769 at SUSECVE-2018-11769 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-loofah (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-loofah fixes the following issues:
Security issues fixed:
- CVE-2018-16468: Fixed XXS by removing the svg animate attribute `from` from the allowlist (bsc#1113969).
- CVE-2018-8048: Fixed XSS vulnerability due to unescaped characters by libcxml2 (bsc#1085967).
ModerateSUSE bug 1085967SUSE bug 1113969CVE-2018-16468 at SUSECVE-2018-16468 at NVDCVE-2018-8048 at SUSECVE-2018-8048 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for nodejs6 (Important)SUSE OpenStack Cloud Crowbar 8
This update for nodejs6 to version 6.16.0 fixes the following issues:
Security issues fixed:
- CVE-2018-0734: Fixed a timing vulnerability in the DSA signature generation (bsc#1113652)
- CVE-2018-5407: Fixed a hyperthread port content side channel attack (aka 'PortSmash') (bsc#1113534)
- CVE-2018-12120: Fixed that the debugger listens on any interface by default (bsc#1117625)
- CVE-2018-12121: Fixed a denial of Service with large HTTP headers (bsc#1117626)
- CVE-2018-12122: Fixed the 'Slowloris' HTTP Denial of Service (bsc#1117627)
- CVE-2018-12116: Fixed HTTP request splitting (bsc#1117630)
- CVE-2018-12123: Fixed hostname spoofing in URL parser for javascript protocol (bsc#1117629)
ImportantSUSE bug 1113534SUSE bug 1113652SUSE bug 1117625SUSE bug 1117626SUSE bug 1117627SUSE bug 1117629SUSE bug 1117630CVE-2018-0734 at SUSECVE-2018-0734 at NVDCVE-2018-12116 at SUSECVE-2018-12116 at NVDCVE-2018-12120 at SUSECVE-2018-12120 at NVDCVE-2018-12121 at SUSECVE-2018-12121 at NVDCVE-2018-12122 at SUSECVE-2018-12122 at NVDCVE-2018-12123 at SUSECVE-2018-12123 at NVDCVE-2018-5407 at SUSECVE-2018-5407 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-paramiko (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-paramiko to version 2.2.4 fixes the following issues:
Security issue fixed:
- CVE-2018-1000805: Fixed an authentication bypass in auth_handler.py (bsc#1111151)
ImportantSUSE bug 1111151SUSE bug 1120531CVE-2018-1000805 at SUSECVE-2018-1000805 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for galera-3, mariadb, mariadb-connector-c (Important)SUSE OpenStack Cloud Crowbar 8
This update for mariadb, galera-3, mariadb-connector fixes the following issues:
Security vulnerabilities addressed for mariadb:
- CVE-2016-9843 [bsc#1013882]
- CVE-2018-3058 [bsc#1101676]
- CVE-2018-3060
- CVE-2018-3063 [bsc#1101677]
- CVE-2018-3064 [bsc#1103342]
- CVE-2018-3066 [bsc#1101678]
- CVE-2018-3143 [bsc#1112421]
- CVE-2018-3156 [bsc#1112417]
- CVE-2018-3162 [bsc#1112415]
- CVE-2018-3173 [bsc#1112386]
- CVE-2018-3174 [bsc#1112368]
- CVE-2018-3185 [bsc#1112384]
- CVE-2018-3200 [bsc#1112404]
- CVE-2018-3251 [bsc#1112397]
- CVE-2018-3277 [bsc#1112391]
- CVE-2018-3282 [bsc#1112432]
- CVE-2018-3284 [bsc#1112377]
Other bug fixes and changes for mariadb:
- update to 10.2.21 GA
* MDEV-17589 - Stack-buffer-overflow with indexed varchar
(utf8) field
* MDEV-16987 - ALTER DATABASE possible in read-only mode
(forbid ALTER DATABASE in read_only)
* MDEV-17720 - slave_ddl_exec_mode=IDEMPOTENT does not handle
DROP DATABASE
* MDEV-6453 - Assertion `inited==NONE || (inited==RND && scan)'
failed in handler::ha_rnd_init(bool) with InnoDB, joins,
AND/OR conditions
* MDEV-18105 - Mariabackup fails to copy encrypted InnoDB
system tablespace if LSN>4G
* MDEV-18041 - Database corruption after renaming a
prefix-indexed column [bsc#1120041]
* MDEV-17470 - Orphan temporary files after interrupted ALTER
cause InnoDB: Operating system error number 17 and eventual
fatal error 71
* MDEV-17833: ALTER TABLE is not enforcing prefix index size
limit
* MDEV-17989: InnoDB: Failing assertion:
dict_tf2_is_valid(flags, flags2)
* MDEV-17765: Locking bug fix for SPATIAL INDEX
* MDEV-17923, MDEV-17904, MDEV-17938: Fixes for FULLTEXT INDEX
* Fixes for regressions introduced in MariaDB Server 10.2.19 by
the backup-safe TRUNCATE TABLE (MDEV-13564,
innodb_safe_truncate=ON) and innodb_undo_log_truncate:
* MDEV-17780, MDEV-17816, MDEV-17849, MDEV-17851, MDEV-17885
* Several improvements to MariaDB Server and backup for dealing
with encrypted or page_compressed pages:
* MDEV-12112: corruption in encrypted table may be overlooked
* MDEV-17958: On little-endian systems, remove bug-compatible
variant of innodb_checksum_algorithm=crc32
* MDEV-17957: Make innodb_checksum_algorithm stricter for
strict_* values
* MDEV-18025: Mariabackup fails to detect corrupted
page_compressed=1 tables
* release notes and changelog:
- https://mariadb.com/kb/en/library/mariadb-10221-release-notes
- https://mariadb.com/kb/en/library/mariadb-10221-changelog
- https://mariadb.com/kb/en/library/mariadb-10220-release-notes
- https://mariadb.com/kb/en/library/mariadb-10220-changelog
- remove PerconaFT from the package as it has AGPL licence (bsc#1118754)
- Add patch to link against libatomic where necessary and
use C++11 atomics instead of gcc built-in atomics
- update to 10.2.19 GA [bsc#1116686]
* innodb_safe_truncate system variable for a backup-safe
TRUNCATE TABLE implementation that is based on RENAME,
CREATE, DROP (MDEV-14717, MDEV-14585, MDEV-13564). Default
value for this variable is ON. If you absolutely must use
XtraBackup instead of Mariabackup, you can set it to OFF and
restart the server
* MDEV-17289: Multi-pass recovery fails to apply some redo
log records
* MDEV-17073: INSERT…ON DUPLICATE KEY UPDATE became more
deadlock-prone
* MDEV-17491: micro optimize page_id_t
* MDEV-13671: InnoDB should use case-insensitive column name
comparisons like the rest of the server
* Fixes for indexed virtual columns: MDEV-17215, MDEV-16980
* MDEV-17433: Allow InnoDB start up with empty ib_logfile0
from mariabackup --prepare
* MDEV-12547: InnoDB FULLTEXT index has too strict
innodb_ft_result_cache_limit max limit
* MDEV-17541: KILL QUERY during lock wait in FOREIGN KEY
check causes hang
* MDEV-17531: Crash in RENAME TABLE with FOREIGN KEY and
FULLTEXT INDEX
* MDEV-17532: Performance_schema reports wrong directory for
the temporary files of ALTER TABLE…ALGORITHM=INPLACE
* MDEV-17545: Predicate lock for SPATIAL INDEX should lock
non-matching record
* MDEV-17546: SPATIAL INDEX should not be allowed for
FOREIGN KEY
* MDEV-17548: Incorrect access to off-page column for
indexed virtual column
* MDEV-12023: Assertion failure sym_node->table != NULL
on startup
* MDEV-17230: encryption_key_id from alter is ignored by
encryption threads
* release notes and changelog:
- https://mariadb.com/kb/en/library/mariadb-10219-release-notes
- https://mariadb.com/kb/en/library/mariadb-10219-changelog
- do not pack libmariadb.pc (packed in mariadb-connector-c)
- add 'Requires: libmariadb_plugins' to the mariadb-test subpackage
in order to be able to test client plugins successfuly
(bsc#1111859)
- don't remove debug_key_management.so anymore (bsc#1111858)
- update to 10.2.18 GA
* MDEV-15511 - if available, stunnel can be used during Galera
rsync SST
* MDEV-16791 - mariabackup: Support DDL commands during backup
* MDEV-13564 - Refuse MLOG_TRUNCATE in mariabackup
* MDEV-16934 - add new system variable eq_range_index_dive_limit
to speed up queries that new long nested IN lists. The default
value, for backward compatibility, is 0 meaning 'unlimited'.
* MDEV-13333 - errors on InnoDB lock conflict
* Report all InnoDB redo log corruption
* MDEV-17043 - Purge of indexed virtual columns may cause hang
on table-rebuilding DDL
* MDEV-16868 - corruption of InnoDB temporary tables
* MDEV-16465 - Invalid (old?) table or database name or hang
in ha_innobase::delete_table and log semaphore wait upon
concurrent DDL with foreign keys
* release notes and changelog:
- https://mariadb.com/kb/en/library/mariadb-10218-release-notes
- https://mariadb.com/kb/en/library/mariadb-10218-changelog
- update to 10.2.17 GA
* New variable innodb_log_optimize_ddl for avoiding delay due
to page flushing and allowing concurrent backup
* InnoDB updated to 5.7.23
* MDEV-14637 - Fix hang due to DDL with FOREIGN KEY or
persistent statistics
* MDEV-15953 - Alter InnoDB Partitioned Table Moves Files
(which were originally not in the datadir) to the datadir
* MDEV-16515 - InnoDB: Failing assertion: ++retries < 10000 in
file dict0dict.cc line 2737
* MDEV-16809 - Allow full redo logging for ALTER TABLE
* Temporary tables: MDEV-16713 - InnoDB hang with repeating
log entry
* indexed virtual columns: MDEV-15855 - Deadlock between purge
thread and DDL statement
* MDEV-16664 - Change the default to
innodb_lock_schedule_algorithm=fcfs
* Galera: MDEV-15822 - WSREP: BF lock wait long for trx
* release notes and changelog:
- https://mariadb.com/kb/en/library/mariadb-10217-release-notes
- https://mariadb.com/kb/en/library/mariadb-10217-changelog
- switch to libedit as control sequences were already fixed there
so we don't have to avoid it (bsc#1098683)
- update to 10.2.16 GA
* MDEV-13122: mariabackup now supports MyRocks
* MDEV-13779 - InnoDB fails to shut down purge workers, causing
hang
* MDEV-16267 - Wrong INFORMATION_SCHEMA.INNODB_BUFFER_PAGE.\
TABLE_NAME
* MDEV-13834 - Upgrade failure from 10.1 innodb_encrypt_log
* MDEV-16283 - ALTER TABLE...DISCARD TABLESPACE still takes long
on a large buffer pool
* MDEV-16376 - ASAN: heap-use-after-free in
gcol.innodb_virtual_debug
* MDEV-15824 - innodb_defragment=ON trumps
innodb_optimize_fulltext_only=ON in OPTIMIZE TABLE
* MDEV-16124 - fil_rename_tablespace() times out and crashes
server during table-rebuilding ALTER TABLE
* MDEV-16416 - Crash on IMPORT TABLESPACE of a
ROW_FORMAT=COMPRESSED table
* MDEV-16456 - InnoDB error 'returned OS error 71' complains
about wrong path
* MDEV-13103 - Deal with page_compressed page corruption
* MDEV-16496 - Mariabackup: Implement --verbose option to
instrument InnoDB log apply
* MDEV-16087 - Inconsistent SELECT results when query cache
is enabled
* MDEV-15114 - ASAN heap-use-after-free in mem_heap_dup or
dfield_data_is_binary_equal (fix for indexed virtual columns)
* release notes and changelog:
- https://mariadb.com/kb/en/library/mariadb-10216-release-notes
- https://mariadb.com/kb/en/library/mariadb-10216-changelog
- pack wsrep_sst_rsync_wan file to galera subpackage
Bug fixes and changes for galera-3:
- update to 25.3.24:
* A support for new certification key type was added to allow
more relaxed certification rules for foreign key references (galera#491).
* New status variables were added to display the number of open transactions
and referenced client connections inside Galera provider (galera#492).
* GCache was sometimes cleared unnecessarily on startup if the recovered
state had smaller sequence number than the highest found from GCache.
Now only entries with sequence number higher than recovery point will be
cleared (galera#498).
* Non-primary configuration is saved into grastate.dat only when if the
node is in closing state (galera#499).
* Exception from GComm was not always handled properly resulting in
Galera to remain in half closed state. This was fixed by propagating the
error condition appropriately to upper layers (galera#500).
* A new status variable displaying the total weight of the cluster nodes
was added (galera#501).
* The value of pc.weight did not reflect the actual effective value after
setting it via wsrep_provider_options. This was fixed by making sure that
the new value is taken into use before returning the control back to
caller (galera#505, MDEV-11959)
* Use of ECHD algorithms with old OpenSSL versions was enabled (galera#511).
* Default port value is now used by garbd if the port is not explicitly
given in cluster address (MDEV-15531).
* Correct error handling for posix_fallocate().
* Failed causal reads are retried during configuration changes.
Bug fixes and changes for mariadb-connector-c:
- New upstream version 3.0.6
* MDEV-15263: FIx IS_NUM() macro
* CONC-297: local infile parameter must be unsigned int instead
of my_bool
* CONC-329: change return value of internal socket functions
from my_bool to int
* CONC-332: my_auth doesn't read/update server ok packet
* CONC-344: reset internal row counter
* CONC-345: invalid heap use after free
* CONC-346: Remove old cmake policies
* fixed crash in mysql_select_db if NULL parameter was provided
- New upstream version 3.0.5
* CONC-336: Allow multiple initialization of client library
* Fixed string to MYSQL_TIME conversion (prepared statements)
* CONC-334: Copy all members of MYSQL_FIELD to internal
statement structure
* Fixed double free in dynamic column library
* Added checks for corrupted packets in protocol
* MDEV-15450: Added default connection attribute _server_host
* CONC-326: fixed wrong openssl thread id callback
- New upstream version 3.0.4
* Added option MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS for
mysql_options()/mysql_optionsv():
* New plugin configuration interface: The default configuration
for a specific plugin can be specified via cmake parameter
-DCLIENT_PLUGIN_${PLUGIN}=[DYNAMIC|STATIC|OFF].
* Added support for linux abstract socket (MDEV-15655).
* CONC-320: Added asynchronous/non-blocking support for
OpenSSL and GnuTLS
* CONC-294: Access violation in mysql_close when using
a connection plugin.
* MDEV-14977: If built dynamically the old_password plugin
could not be located due to wrong filename (must be
mysql_old_password.so instead of old_password.so).
* CONC-315: If no default client character set was specified,
the utf8 character set will be used by default (instead of
setting the client character set to server character set)
* CONC-317: Parsing of configuration file fails if key/value
pairs contain white spaces.
* CONC-322: Correct handling of EAGAIN and EINPROGRESS in
internal_connect (socket) for non windows platforms.
* CONC-323: mariadb_stmt_execute_direct hangs forever if
compression used.
* CONC-324: Wrong codepage numbers for some collations.
* CONC-326: ssl_thread_init() uses wrong openssl threadid
callback
- Drop libmysqlclient_r Provides from the -devel package.
(bsc#1097938)
ImportantSUSE bug 1013882SUSE bug 1097938SUSE bug 1098683SUSE bug 1101676SUSE bug 1101677SUSE bug 1101678SUSE bug 1103342SUSE bug 1111858SUSE bug 1111859SUSE bug 1112368SUSE bug 1112377SUSE bug 1112384SUSE bug 1112386SUSE bug 1112391SUSE bug 1112397SUSE bug 1112404SUSE bug 1112415SUSE bug 1112417SUSE bug 1112421SUSE bug 1112432SUSE bug 1116686SUSE bug 1118754SUSE bug 1120041CVE-2016-9843 at SUSECVE-2016-9843 at NVDCVE-2018-3058 at SUSECVE-2018-3058 at NVDCVE-2018-3060 at SUSECVE-2018-3060 at NVDCVE-2018-3063 at SUSECVE-2018-3063 at NVDCVE-2018-3064 at SUSECVE-2018-3064 at NVDCVE-2018-3066 at SUSECVE-2018-3066 at NVDCVE-2018-3143 at SUSECVE-2018-3143 at NVDCVE-2018-3156 at SUSECVE-2018-3156 at NVDCVE-2018-3162 at SUSECVE-2018-3162 at NVDCVE-2018-3173 at SUSECVE-2018-3173 at NVDCVE-2018-3174 at SUSECVE-2018-3174 at NVDCVE-2018-3185 at SUSECVE-2018-3185 at NVDCVE-2018-3200 at SUSECVE-2018-3200 at NVDCVE-2018-3251 at SUSECVE-2018-3251 at NVDCVE-2018-3277 at SUSECVE-2018-3277 at NVDCVE-2018-3282 at SUSECVE-2018-3282 at NVDCVE-2018-3284 at SUSECVE-2018-3284 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for nodejs6 (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for nodejs6 to version 6.17.0 fixes the following issues:
Security issues fixed:
- CVE-2019-5739: Fixed a potentially attack vector which could lead to Denial of Service
when HTTP connection are kept active (bsc#1127533).
- CVE-2019-5737: Fixed a potentially attack vector which could lead to Denial of Service
when HTTP connection are kept active (bsc#1127532).
- CVE-2019-1559: Fixed OpenSSL 0-byte Record Padding Oracle which under certain circumstances
a TLS server can be forced to respond differently to a client and lead to the decryption of the data (bsc#1127080).
Release Notes: https://nodejs.org/en/blog/release/v6.17.0/
ModerateSUSE bug 1127080SUSE bug 1127532SUSE bug 1127533CVE-2019-1559 at SUSECVE-2019-1559 at NVDCVE-2019-5737 at SUSECVE-2019-5737 at NVDCVE-2019-5739 at SUSECVE-2019-5739 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-actionpack-4_2 (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-actionpack-4_2 fixes the following issues:
Security issues fixed:
- CVE-2019-5418: Fixed a file content disclosure vulnerability in Action View which
could be exploited via specially crafted accept headers in combination with calls
to render file (bsc#1129272).
- CVE-2019-5419: Fixed a resource exhaustion issue in Action View which could make
the server unable to process requests (bsc#1129271).
ModerateSUSE bug 1129271SUSE bug 1129272CVE-2019-5418 at SUSECVE-2019-5418 at NVDCVE-2019-5419 at SUSECVE-2019-5419 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for freeradius-server (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for freeradius-server fixes the following issues:
- CVE-2019-13456: Fixed a side-channel password leak in EAP-pwd
(bsc#1144524).
- CVE-2019-17185: Fixed a debial of service due to multithreaded
BN_CTX access (bsc#1166847).
- Fixed an issue in TLS-EAP where the OCSP verification, when an
intermediate client certificate was not explicitly trusted
(bsc#1146848).
ModerateSUSE bug 1144524SUSE bug 1146848SUSE bug 1166847CVE-2019-13456 at SUSECVE-2019-13456 at NVDCVE-2019-17185 at SUSECVE-2019-17185 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for cups (Important)SUSE OpenStack Cloud Crowbar 8
This update for cups fixes the following issues:
- CVE-2020-3898: Fixed a heap buffer overflow in ppdFindOption() (bsc#1168422).
ImportantSUSE bug 1168422CVE-2020-3898 at SUSECVE-2020-3898 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ardana-ansible, ardana-barbican, ardana-db, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, documentation-suse-openstack-cloud, memcached, openstack-manila, openstack-neutron, openstack-nova, pdns, python-amqp, rubygem-puma, zookeeper (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for ardana-ansible, ardana-barbican, ardana-db, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, documentation-suse-openstack-cloud, memcached, openstack-manila, openstack-neutron, openstack-nova, pdns, python-amqp, rubygem-puma, zookeeper contains the following fixes:
Security fix for rubygem-puma:
- CVE-2020-5247: Fixed an issue where the newlines in headers according to Rack spec were not split (bsc#1165402)
Security fix for openstack-manila:
- CVE-2020-9543: Fixed an issue where an attacker could view, update, delete, or share resources that do not
Security fixes for memcached:
- CVE-2019-15026: Fixed a stack-based buffer over-read in conn_to_str() in memcached.c (bsc#1149110).
- CVE-2019-11596: Fixed NULL pointer dereference in process_lru_command() in memcached.c (bsc#1133817).
Security fixes for pdns:
- CVE-2019-3871: Fixed a denial of service with the HTTP remote backend when the attacker can send crafted DNS queries (bsc#1129734).
- CVE-2018-10851: Fixed a denial of service via crafted zone record (bnc#1114157).
- CVE-2018-14626: Fixed a denial of service by hiding DNSSEC records using a crafted DNS query (bsc#1114169).
Security fixes for zookeeper:
- CVE-2019-0201: Fixed an information disclosure in the ACL handling (bsc#1135773).
- CVE-2017-5637: Fixed incorrect input validation with wchp/wchc four letter words (bsc#1040519).
Changes in ardana-ansible:
- Update to version 8.0+git.1583432621.24fa60e:
* Upgrade pre-checks in Cloud 8 and Cloud 9 (SOC-10300)
Changes in ardana-barbican:
- Update to version 8.0+git.1585152761.8ef3d61:
* monitor ardana-node-cert (SOC-10873)
Changes in ardana-db:
- Update to version 8.0+git.1583944923.03cca6c:
* monitor MySQL TLS certificate (SOC-10873)
Changes in ardana-monasca:
- Update to version 8.0+git.1583944894.38f023a:
* Add certificate file check alarm (SOC-10873)
Changes in ardana-mq:
- Update to version 8.0+git.1583944811.dc14403:
* monitor RabbitMQ TLS certificate (SOC-10873)
Changes in ardana-neutron:
- Update to version 8.0+git.1584715262.e4ea620:
* Add symlink for neutron-fwaas.json.j2 (bsc#1166290)
Changes in ardana-octavia:
- Update to version 8.0+git.1585171918.418f5cf:
* Reconfigure monitor if needed (SOC-10873)
- Update to version 8.0+git.1585168661.135c735:
* fix Octavia client cert redeploy (SOC-10873)
- Update to version 8.0+git.1585152502.f15907a:
* monitor Octavia client certificate (SOC-10873)
Changes in ardana-tempest:
- Update to version 8.0+git.1585311051.6ab5488:
* Enable port-security feature in tempest(SOC-11027)
Changes in crowbar-core:
- Update to version 5.0+git.1585575551.16781d00d:
* upgrade: Point to config dir instead of config file (SOC-11171)
* upgrade: Do not call neutron-evacuate-lbaasv2-agent with use_crm (SOC-11171)
- Update to version 5.0+git.1585316726.670746c8c:
* upgrade: Fix systemd unit listing (trivial)
- Update to version 5.0+git.1585213241.46f12f9be:
* upgrade: Remove the assignement of crowbar-upgrade role (SOC-11166)
- Update to version 5.0+git.1585118470.eed9020de:
* Update the default value of OS version (trivial)
* Ignore CVE-2020-5267 in CI (bsc#1167240)
* Ignore CVE-2020-10663 in CI (bsc#1167244)
- Update to version 5.0+git.1583911121.d6b4b4b1a:
* ses: Make SES UI safe for unknown options (trivial)
* ses: Use cinder user for nova (SOC-11119)
* ses: Added helper for populating cinder volumes (SOC-11117)
* ses: Add ses cookbook (SOC-11114)
* ses: Configuration upload (SOC-11115)
- Update to version 5.0+git.1583309007.e3a8b81e9:
* Ignore CVE-2020-8130 in CI (bsc#1164804)
* Ignore CVE-2020-5247 (bsc#1165402)
Changes in crowbar-ha:
- Update to version 5.0+git.1585316176.344190f:
* add ssl termination on haproxy (bsc#1149535)
Changes in crowbar-openstack:
- Update to version 5.0+git.1585304226.2164b7895:
* nova: Fix migration numbers (trivial)
- Update to version 5.0+git.1584692779.369c58aca:
* nova: Drop redundant disk_cachemodes (trivial)
* nova: Add option to disable ephemeral on ceph (SOC-11119)
* keystone: Register SES RadosGW endpoints (SOC-5270)
* heat: Increase heat_register syncmark timeout (SOC-11103)
* heat: Simplify domain registration code (SOC-11103)
* nova: Setup CEPH secrets later (SOC-11141)
* nova: Enable ephemeral volumes on SES (SOC-11119)
* glance: Set SES as default for new deployments (SOC-11118)
* cinder: Correctly show old internal backends (SOC-11117)
* nova: SES integration (SOC-11117)
* nova: Hound fixes (trivial)
* nova: Better error handling when Cephx auth is failing (noref)
* nova: delete libvirt secret snippet immediately (noref)
* nova: reduce nesting of ceph management code (noref)
* nova: Remove obsolete rbd/ceph attributes (trivial)
* cinder: SES integration (SOC-11117)
* cinder: Disable use_crowbar default (SOC-11117)
* glance: SES integration (SOC-11118)
Changes in documentation-suse-openstack-cloud:
- Update to version 8.20200319:
* Adding ses-integration docs to cloud 8 (noref)
* Fix bsc-1130532. Add feedback
* fix bsc-1130532
- Update to version 8.20200116:
* Fixing links from suse.com/doc to new URL (noref)
- Update to version 8.20200224:
* Designate: add instructions on using PowerDNS backend (SOC-11051)
* Designate: recommend deploying DNS in a cluster in HA deployment (SOC-10636)
* message to add non-admin node for public network (SOC-10658)
* update designate deployment (SOC-8739)
* add designate barclamp (SCRD-8739)
* remove Designate name server instruction (bsc#1125357,SCRD-7649)
- Update to version 8.20200130:
* Add instructions for lbaas v2 loadbalancers (SOC-10980) (#1253)
- Update to version 8.20191211:
* Specify that manila-share should be installed on the control node (SOC-10938) (#1230)
* Remove (commented) mention of phrases-decl.ent (trivial)
- Update to version 8.20191206:
* Clarify keyring chown instructions for Ceph (bsc#1111180)
* Clarify VSA/Ceph support in HOS 8 , SOC-10981 (bsc#144694)
- Update to version 8.20191205:
* Update incorrect Manila install/setup instructions (SOC-10975)
- Update to version 8.20191029:
* Supplement/UAdmin: Group guides on documentation.suse.com (trivial)
- Update to version 8.20191023:
* fix instructions for TLS certitificate renewal (SOC-10846)
- Update to version 8.20191002:
* Added missing edit (SOC-8480)
* Adding Carl's second round of edits (SOC-8480)
* Removing accidentally re-added guilabels (SOC-8480)
* Applying Carl's edits (SOC-8480)
* Optimizing PNGs (SOC-8480)
* Removing guilabel complaint (SOC-8480)
* Adding xi:include to commit (SOC-8480)
* Add SSLCA-SelfSigned cert info to SOC Crowbar documentation (SOC-8480)
* Add SSLCA-SelfSigned cert info to SOC Crowbar documentation (SOC-8480)
- Update to version 8.20190923:
* remove zvm references, only in SOC6 (noref)
- Update to version 8.20190920:
* remove workaround, leave description (bsc#1151206)
* add qos to neutron not supported (bsc#1151206)
- Update to version 8.20190829:
* add available clients, dedicated CLM (bsc#1148426)
* add tempest to service components, dedicated CLM (bsc#1148426)
- Update to version 8.20190823:
* Create CC-BY license file (noref)
* for MariaDB update, db cluster must be running, healthy (bsc#1132852)
- Update to version 8.20190820:
* Fix broken URLs (SOC-10109)
- Update to version 8.20190820:
* add requirement for dummy entries in servers.yml (bsc#1146206)
- Update to version 8.20190816:
* add workaround for partition image resize (bsc#1145498)
- Update to version 8.20190813:
* MANAGEMENT network group cannot be changed, is required (SOC-10106)
* remove NSX references from Crowbar deployment (SOC-10081)
Changes in memcached:
- version update to 1.5.17
* bugfixes
fix strncpy call in stats conns to avoid ASAN violation (bsc#1149110, CVE-2019-15026)
extstore: fix indentation
add error handling when calling dup function
add unlock when item_cachedump malloc failed
extstore: emulate pread(v) for macOS
fix off-by-one in logger to allow CAS commands to be logged.
use strdup for explicitly configured slab sizes
move mem_requested from slabs.c to items.c (internal cleanup)
* new features
add server address to the 'stats conns' output
log client connection id with fetchers and mutations
Add a handler for seccomp crashes
- version update to 1.5.16
* bugfixes
When nsuffix is 0 space for flags hasn't been allocated so don't memcpy them.
- version update to 1.5.15
* bugfixes
Speed up incr/decr by replacing snprintf.
Use correct buffer size for internal URI encoding.
change some links from http to https
Fix small memory leak in testapp.c.
free window_global in slab_automove_extstore.c
remove inline_ascii_response option
-Y [filename] for ascii authentication mode
fix: idle-timeout wasn't compatible with binprot
* features
-Y [authfile] enables an authentication mode for ASCII protocol.
- modified patches
% memcached-autofoo.patch (refreshed)
- version update to 1.5.14
* update -h output for -I (max item size)
* fix segfault in 'lru' command (bsc#1133817, CVE-2019-11596)
* fix compile error on centos7
* extstore: error adjusting page_size after ext_path
* extstore: fix segfault if page_count is too high.
* close delete + incr item survival race bug
* memcached-tool dump fix loss of exp value
* Fix 'qw' in 'MemcachedTest.pm' so wait_ext_flush is exported properly
* Experimental TLS support.
* Basic implementation of TLS for memcached.
* Improve Get And Touch documentation
* fix INCR/DECR refcount leak for invalid items
- modified patches
% memcached-autofoo.patch (refreshed)
- Version bump to 1.5.11:
* extstore: balance IO thread queues
- Drop memcached-fix_test.patch that is present now upstream
- Add patch to fix aarch64, ppc64* and s390x tests:
* memcached-fix_test.patch
- Fix linter errors regarding COPYING
- update to 1.5.10:
* disruptive change in extstore: -o ext_page_count= is deprecated
and no longer works. To specify size: -o ext_path=/d/m/e:500G
extstore figures out the page count based on your desired page
size. M|G|T|P supported.
* extstore: Add basic JBOD support: ext_path can be specified
multiple times for striping onto simimar devices
* fix alignment issues on some ARM platforms for chunked items
- Update to 1.5.9:
* Bugfix release.
* Important note: if using --enable-seccomp, privilege dropping
is no longer on by default. The feature is experimental and many
users are reporting hard to diagnose problems on varied platforms.
* Seccomp is now marked EXPERIMENTAL, and must be explicitly
enabled by adding -o drop_privileges. Once we're more confident
with the usability of the feature, it will be enabled in -o modern,
like any other new change. You should only use it if you are
willing to carefully test it, especially if you're a vendor or
distribution.
* Also important is a crash fix in extstore when using the ASCII
protocol, large items, and running low on memory.
- update to 1.5.8:
* Bugfixes for seccomp and extstore
* Extstore platform portability has been greatly improved for ARM
and 32bit systems
- includes changes from 1.5.7:
* Fix alignment issues for 64bit ARM processors
* Fix seccomp portability
* Fix refcount leak with extstore while using binary touch commands
- turn on the testsuite again, it seems to pass server side,
too
- Home directory shouldn't be world readable bsc#1077718
- Mention that this stream isn't affected by bsc#1085209,
CVE-2018-1000127 to make the checker bots happy.
Changes in openstack-manila:
- Update to version manila-5.1.1.dev5:
* Fix manila-tempest-minimal-dsvm-lvm-centos-7 job
* share\_networks: enable project\_only API only
Changes in openstack-manila:
- Rebased patches:
+ cve-2020-9543-stable-pike.patch dropped (merged upstream)
- Update to version manila-5.1.1.dev5:
* Fix manila-tempest-minimal-dsvm-lvm-centos-7 job
* share\_networks: enable project\_only API only
Changes in openstack-neutron:
- Update to version neutron-11.0.9.dev63:
* ovs agent: signal to plugin if tunnel refresh needed
* Do not initialize snat-ns twice
Changes in openstack-neutron:
- Update to version neutron-11.0.9.dev63:
* ovs agent: signal to plugin if tunnel refresh needed
* Do not initialize snat-ns twice
Changes in openstack-nova:
- Update to version nova-16.1.9.dev61:
* Avoid circular reference during serialization
* Mask the token used to allow access to consoles
* Improve metadata server performance with large security groups
* Remove exp legacy-tempest-dsvm-full-devstack-plugin-nfs
- Update to version nova-16.1.9.dev54:
* pike-only: remove broken non-voting ceph jobs
* nova-live-migration: Wait for n-cpu services to come up after configuring Ceph
* rt: only map compute node if we created it
Changes in openstack-nova:
- Update to version nova-16.1.9.dev61:
* Avoid circular reference during serialization
* Mask the token used to allow access to consoles
* Improve metadata server performance with large security groups
* Remove exp legacy-tempest-dsvm-full-devstack-plugin-nfs
- Update to version nova-16.1.9.dev54:
* pike-only: remove broken non-voting ceph jobs
* nova-live-migration: Wait for n-cpu services to come up after configuring Ceph
* rt: only map compute node if we created it
Changes in pdns:
- Add missing 'BuildRequires: libmysqlclient-devel' to allow
the package to build correctly.
- CVE-2019-3871-auth-4.1.6.patch: fixes insufficient validation in
HTTP remote backend (bsc#1129734, CVE-2019-3871)
- CVE-2018-10851-auth-4.1.4.patch: fixes DoS via crafted zone record
(bnc#1114157, CVE-2018-10851)
- CVE-2018-14626-auth-4.1.4.patch: fixes an issue allowing a
remote user to craft a DNS query that will cause an answer without
DNSSEC records to be inserted into the packet cache and be
returned to clients asking for DNSSEC records, thus hiding
the presence of DNSSEC signatures leading to a potential DoS
(bsc#1114169, CVE-2018-14626)
Changes in python-amqp:
- Make it build for SLE12SP3:
- remove pytest-sugar build dependency
- used %doc macro instead of %license
- Removed patches that are already included in 2.4.2
- 0002-Do_not_send_AAAA_DNS_request_when_domain_resolved_to_IPv4_address.patch (SOC-9144)
- 0001-Always-treat-SSLError-timeouts-as-socket-timeouts-24.patch (bsc#1115904)
- Update to 2.4.2:
- Added support for the Cygwin platform
- Correct offset incrementation when parsing bitmaps.
- Consequent bitmaps are now parsed correctly.
- Better call of py.test
- Add versions to dependencies
- Remove python-sasl from build dependencies
- Update to version 2.4.1
* To avoid breaking the API basic_consume() now returns the consumer tag
instead of a tuple when nowait is True.
* Fix crash in basic_publish when broker does not support connection.blocked
capability.
* read_frame() is now Python 3 compatible for large payloads.
* Support float read_timeout/write_timeout.
* Always treat SSLError timeouts as socket timeouts.
* Treat EWOULDBLOCK as timeout.
- from 2.4.0
* Fix inconsistent frame_handler return value.
The function returned by frame_handler is meant to return True
once the complete message is received and the callback is called,
False otherwise.
This fixes the return value for messages with a body split across
multiple frames, and heartbeat frames.
* Don't default content_encoding to utf-8 for bytes.
This is not an acceptable default as the content may not be
valid utf-8, and even if it is, the producer likely does not
expect the message to be decoded by the consumer.
* Fix encoding of messages with multibyte characters.
Body length was previously calculated using string length,
which may be less than the length of the encoded body when
it contains multibyte sequences. This caused the body of
the frame to be truncated.
* Respect content_encoding when encoding messages.
Previously the content_encoding was ignored and messages
were always encoded as utf-8. This caused messages to be
incorrectly decoded if content_encoding is properly respected
when decoding.
* Fix AMQP protocol header for AMQP 0-9-1.
Previously it was set to a different value for unknown reasons.
* Add support for Python 3.7.
Change direct SSLSocket instantiation with wrap_socket.
* Add support for field type 'x' (byte array).
* If there is an exception raised on Connection.connect or
Connection.close, ensure that the underlying transport socket
is closed. Adjust exception message on connection errors as well.
* TCP_USER_TIMEOUT has to be excluded from KNOWN_TCP_OPTS in BSD platforms.
* Handle negative acknowledgments.
* Added integration tests.
* Fix basic_consume() with no consumer_tag provided.
* Improved empty AMQPError string representation.
* Drain events before publish.
This is needed to capture out of memory messages for clients that only
publish. Otherwise on_blocked is never called.
* Don't revive channel when connection is closing.
When connection is closing don't raise error when Channel.Close
method is received.
Changes in zookeeper:
- Apply 0002-Apply-patch-to-resolve-CVE-2019-0201.patch
This applies the patch for ZOOKEEPER-1392 to resolve CVE-2019-0201
Should not allow to read ACL when not authorized to read node
(bsc#1135773)
- Various cleanups in spec file
- Fixed off-by-one in zkCleanTRX.sh and made output more useful (bsc#1048688, FATE#323204)
- Fixed ExecStartPre statment in service file
- added zkCleanTRX.sh to clean up 0 length transaction logs
- Update to to zookeeper-3.4.10 (bsc#1040519)
* Fixes CVE-2017-5637
- Remove Changes.txt (missing as of 3.4.10)
ModerateSUSE bug 1040519SUSE bug 1048688SUSE bug 1077718SUSE bug 1111180SUSE bug 1114157SUSE bug 1114169SUSE bug 1115904SUSE bug 1125357SUSE bug 1129734SUSE bug 1132852SUSE bug 1133817SUSE bug 1135773SUSE bug 1145498SUSE bug 1146206SUSE bug 1148426SUSE bug 1149110SUSE bug 1149535SUSE bug 1151206SUSE bug 1165402SUSE bug 1165643SUSE bug 1166290SUSE bug 1167240SUSE bug 144694CVE-2017-5637 at SUSECVE-2017-5637 at NVDCVE-2018-10851 at SUSECVE-2018-10851 at NVDCVE-2018-14626 at SUSECVE-2018-14626 at NVDCVE-2019-0201 at SUSECVE-2019-0201 at NVDCVE-2019-11596 at SUSECVE-2019-11596 at NVDCVE-2019-15026 at SUSECVE-2019-15026 at NVDCVE-2019-3871 at SUSECVE-2019-3871 at NVDCVE-2020-5247 at SUSECVE-2020-5247 at NVDCVE-2020-9543 at SUSECVE-2020-9543 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for pam_radius (Important)SUSE OpenStack Cloud Crowbar 8
This update for pam_radius fixes the following issues:
- CVE-2015-9542: Fixed a buffer overflow in password field (bsc#1163933).
- On s390x didn't decrypt passwords correctly (bsc#1141670).
ImportantSUSE bug 1141670SUSE bug 1163933CVE-2015-9542 at SUSECVE-2015-9542 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud Crowbar 8
This update for webkit2gtk3 to version 2.28.1 fixes the following issues:
Security issues fixed:
- CVE-2020-10018: Fixed a denial of service because the m_deferredFocusedNodeChange data structure was mishandled (bsc#1165528).
- CVE-2020-11793: Fixed a potential arbitrary code execution caused by a use-after-free vulnerability (bsc#1169658).
- CVE-2019-8835: Fixed multiple memory corruption issues (bsc#1161719).
- CVE-2019-8844: Fixed multiple memory corruption issues (bsc#1161719).
- CVE-2019-8846: Fixed a use-after-free issue (bsc#1161719).
- CVE-2020-3862: Fixed a memory handling issue (bsc#1163809).
- CVE-2020-3867: Fixed an XSS issue (bsc#1163809).
- CVE-2020-3868: Fixed multiple memory corruption issues that could have lead to arbitrary code execution (bsc#1163809).
- CVE-2020-3864,CVE-2020-3865: Fixed logic issues in the DOM object context handling (bsc#1163809).
Non-security issues fixed:
- Add API to enable Process Swap on (Cross-site) Navigation.
- Add user messages API for the communication with the web extension.
- Add support for same-site cookies.
- Service workers are enabled by default.
- Add support for Pointer Lock API.
- Add flatpak sandbox support.
- Make ondemand hardware acceleration policy never leave accelerated compositing mode.
- Always use a light theme for rendering form controls.
- Add about:gpu to show information about the graphics stack.
- Fixed issues while trying to play a video on NextCloud.
- Fixed vertical alignment of text containing arabic diacritics.
- Fixed build with icu 65.1.
- Fixed page loading errors with websites using HSTS.
- Fixed web process crash when displaying a KaTeX formula.
- Fixed several crashes and rendering issues.
- Switched to a single web process for Evolution and geary (bsc#1159329).
ImportantSUSE bug 1155321SUSE bug 1156318SUSE bug 1159329SUSE bug 1161719SUSE bug 1163809SUSE bug 1165528SUSE bug 1169658CVE-2019-8625 at SUSECVE-2019-8625 at NVDCVE-2019-8710 at SUSECVE-2019-8710 at NVDCVE-2019-8720 at SUSECVE-2019-8720 at NVDCVE-2019-8743 at SUSECVE-2019-8743 at NVDCVE-2019-8764 at SUSECVE-2019-8764 at NVDCVE-2019-8766 at SUSECVE-2019-8766 at NVDCVE-2019-8769 at SUSECVE-2019-8769 at NVDCVE-2019-8771 at SUSECVE-2019-8771 at NVDCVE-2019-8782 at SUSECVE-2019-8782 at NVDCVE-2019-8783 at SUSECVE-2019-8783 at NVDCVE-2019-8808 at SUSECVE-2019-8808 at NVDCVE-2019-8811 at SUSECVE-2019-8811 at NVDCVE-2019-8812 at SUSECVE-2019-8812 at NVDCVE-2019-8813 at SUSECVE-2019-8813 at NVDCVE-2019-8814 at SUSECVE-2019-8814 at NVDCVE-2019-8815 at SUSECVE-2019-8815 at NVDCVE-2019-8816 at SUSECVE-2019-8816 at NVDCVE-2019-8819 at SUSECVE-2019-8819 at NVDCVE-2019-8820 at SUSECVE-2019-8820 at NVDCVE-2019-8823 at SUSECVE-2019-8823 at NVDCVE-2019-8835 at SUSECVE-2019-8835 at NVDCVE-2019-8844 at SUSECVE-2019-8844 at NVDCVE-2019-8846 at SUSECVE-2019-8846 at NVDCVE-2020-10018 at SUSECVE-2020-10018 at NVDCVE-2020-11793 at SUSECVE-2020-11793 at NVDCVE-2020-3862 at SUSECVE-2020-3862 at NVDCVE-2020-3864 at SUSECVE-2020-3864 at NVDCVE-2020-3865 at SUSECVE-2020-3865 at NVDCVE-2020-3867 at SUSECVE-2020-3867 at NVDCVE-2020-3868 at SUSECVE-2020-3868 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for shibboleth-sp (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for shibboleth-sp fixes the following issues:
Security issue fixed:
- CVE-2019-19191: Fixed escalation to root by fixing ownership of log files (bsc#1157471).
ModerateSUSE bug 1157471CVE-2019-19191 at SUSECVE-2019-19191 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ceph (Important)SUSE OpenStack Cloud Crowbar 8
This update for ceph fixes the following issues:
- CVE-2020-12059: Fixed a denial of service caused by a specially crafted XML payload on POST requests (bsc#1170170).
ImportantSUSE bug 1170170CVE-2020-12059 at SUSECVE-2020-12059 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for LibVNCServer (Important)SUSE OpenStack Cloud Crowbar 8
This update for LibVNCServer fixes the following issues:
- CVE-2019-15690: Fixed a heap buffer overflow (bsc#1160471).
- CVE-2019-15681: Fixed a memory leak which could have allowed to a remote attacker to read stack memory (bsc#1155419).
- CVE-2019-20788: Fixed a integer overflow and heap-based buffer overflow via a large height or width value (bsc#1170441).
ImportantSUSE bug 1155419SUSE bug 1160471SUSE bug 1170441CVE-2019-15681 at SUSECVE-2019-15681 at NVDCVE-2019-15690 at SUSECVE-2019-15690 at NVDCVE-2019-20788 at SUSECVE-2019-20788 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for icu (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for icu fixes the following issues:
- CVE-2020-10531: Fixed integer overflow in UnicodeString:doAppend() (bsc#1166844).
ModerateSUSE bug 1166844CVE-2020-10531 at SUSECVE-2020-10531 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openldap2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for openldap2 fixes the following issues:
- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).
ImportantSUSE bug 1170771CVE-2020-12243 at SUSECVE-2020-12243 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud Crowbar 8
This update for webkit2gtk3 fixes the following issues:
Security issue fixed:
- CVE-2020-3899: Fixed a memory consumption issue that could have led to remote code execution (bsc#1170643).
Non-security issues fixed:
- Update to version 2.28.2 (bsc#1170643):
+ Fix excessive CPU usage due to GdkFrameClock not being stopped.
+ Fix UI process crash when EGL_WL_bind_wayland_display extension
is not available.
+ Fix position of select popup menus in X11.
+ Fix playing of Youtube 'live stream'/H264 URLs.
+ Fix a crash under X11 when cairo uses xcb.
+ Fix the build in MIPS64.
+ Fix several crashes and rendering issues.
ImportantSUSE bug 1170643CVE-2020-3899 at SUSECVE-2020-3899 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ghostscript (Important)SUSE OpenStack Cloud Crowbar 8
This update for ghostscript to version 9.52 fixes the following issues:
- CVE-2020-12268: Fixed a heap-based buffer overflow in jbig2_image_compose (bsc#1170603).
ImportantSUSE bug 1170603CVE-2020-12268 at SUSECVE-2020-12268 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
Update to version 68.8.0 ESR (bsc#1171186):
- CVE-2020-12387: Use-after-free during worker shutdown
- CVE-2020-12388: Sandbox escape with improperly guarded Access Tokens
- CVE-2020-12389: Sandbox escape with improperly separated process types
- CVE-2020-6831: Buffer overflow in SCTP chunk input validation
- CVE-2020-12392: Arbitrary local file access with 'Copy as cURL'
- CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection
- CVE-2020-12395: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
ImportantSUSE bug 1171186CVE-2020-12387 at SUSECVE-2020-12387 at NVDCVE-2020-12388 at SUSECVE-2020-12388 at NVDCVE-2020-12389 at SUSECVE-2020-12389 at NVDCVE-2020-12392 at SUSECVE-2020-12392 at NVDCVE-2020-12393 at SUSECVE-2020-12393 at NVDCVE-2020-12395 at SUSECVE-2020-12395 at NVDCVE-2020-6831 at SUSECVE-2020-6831 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for squid (Important)SUSE OpenStack Cloud Crowbar 8
This update for squid fixes the following issues:
- CVE-2019-12519, CVE-2019-12521: fixes incorrect buffer handling that can
result in cache poisoning, remote execution, and denial of service attacks
when processing ESI responses (bsc#1169659).
- CVE-2020-11945: fixes a potential remote execution vulnerability
when using HTTP Digest Authentication (bsc#1170313).
- CVE-2019-12520, CVE-2019-12524: fixes a potential ACL bypass, cache-bypass
and cross-site scripting attack when processing invalid HTTP
Request messages (bsc#1170423).
ImportantSUSE bug 1169659SUSE bug 1170313SUSE bug 1170423CVE-2019-12519 at SUSECVE-2019-12519 at NVDCVE-2019-12520 at SUSECVE-2019-12520 at NVDCVE-2019-12521 at SUSECVE-2019-12521 at NVDCVE-2019-12524 at SUSECVE-2019-12524 at NVDCVE-2020-11945 at SUSECVE-2020-11945 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for apache2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for apache2 fixes the following issues:
- CVE-2020-1934: mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server (bsc#1168404).
- CVE-2020-1927: mod_rewrite configurations vulnerable to open redirect (bsc#1168407).
- CVE-2020-1938: mod_proxy_ajp: Add 'secret' parameter to proxy workers to implement legacy AJP13 authentication (bsc#1169066).
ImportantSUSE bug 1168404SUSE bug 1168407SUSE bug 1169066CVE-2020-1927 at SUSECVE-2020-1927 at NVDCVE-2020-1934 at SUSECVE-2020-1934 at NVDCVE-2020-1938 at SUSECVE-2020-1938 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud Crowbar 8
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-11494: An issue was discovered in slc_bump in drivers/net/can/slcan.c, which allowed attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL (bnc#1168424).
- CVE-2020-10942: In get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls (bnc#1167629).
- CVE-2020-8647: Fixed a use-after-free vulnerability in the vc_do_resize function in drivers/tty/vt/vt.c (bnc#1162929).
- CVE-2020-8649: Fixed a use-after-free vulnerability in the vgacon_invert_region function in drivers/video/console/vgacon.c (bnc#1162931).
- CVE-2020-9383: Fixed an issue in set_fdc in drivers/block/floppy.c, which leads to a wait_til_ready out-of-bounds read (bnc#1165111).
- CVE-2019-9458: In the video driver there was a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed (bnc#1168295).
- CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bnc#1120386).
- CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bnc#1159285).
- CVE-2020-11609: Fixed a NULL pointer dereference in the stv06xx subsystem caused by mishandling invalid descriptors (bnc#1168854).
- CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).
- CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).
- CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bnc#1170345).
- CVE-2020-11608: Fixed an issue in drivers/media/usb/gspca/ov519.c caused by a NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs when there are zero endpoints (bnc#1168829).
- CVE-2017-18255: The perf_cpu_time_max_percent_handler function in kernel/events/core.c allowed local users to cause a denial of service (integer overflow) or possibly have unspecified other impact via a large value, as demonstrated by an incorrect sample-rate calculation (bnc#1087813).
- CVE-2020-8648: There was a use-after-free vulnerability in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bnc#1162928).
- CVE-2020-2732: A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest (bnc#1163971).
- CVE-2019-5108: Fixed a denial-of-service vulnerability caused by triggering AP to send IAPP location updates for stations before the required authentication process has completed (bnc#1159912).
- CVE-2020-8992: ext4_protect_reserved_inode in fs/ext4/block_validity.c allowed attackers to cause a denial of service (soft lockup) via a crafted journal size (bnc#1164069).
- CVE-2018-21008: Fixed a use-after-free which could be caused by the function rsi_mac80211_detach in the file drivers/net/wireless/rsi/rsi_91x_mac80211.c (bnc#1149591).
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bnc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in Marvell WiFi chip driver. An attacker is able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bnc#1157155).
- CVE-2019-18675: Fixed an integer overflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c because cpia2 has its own mmap implementation. This allowed local users (with /dev/video0 access) to obtain read and write permissions on kernel physical pages, which can possibly result in a privilege escalation (bnc#1157804).
- CVE-2019-14615: Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R) Processor Graphics may have allowed an unauthenticated user to potentially enable information disclosure via local access (bnc#1160195, bsc#1165881).
- CVE-2019-19965: Fixed a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition (bnc#1159911).
- CVE-2019-20054: Fixed a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links (bnc#1159910).
- CVE-2019-20096: Fixed a memory leak in __feat_register_sp() in net/dccp/feat.c, which may cause denial of service (bnc#1159908).
- CVE-2019-19966: Fixed a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that will cause denial of service (bnc#1159841).
- CVE-2019-19447: Fixed an issue with mounting a crafted ext4 filesystem image, performing some operations, and unmounting could lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c (bnc#1158819).
- CVE-2019-19319: Fixed an issue with a setxattr operation, after a mount of a crafted ext4 image, can cause a slab-out-of-bounds write access because of an ext4_xattr_set_entry use-after-free in fs/ext4/xattr.c when a large old_size value is used in a memset call (bnc#1158021).
- CVE-2019-19767: Fixed mishandling of ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c (bnc#1159297).
- CVE-2019-11091,CVE-2018-12126,CVE-2018-12130,CVE-2018-12127: Earlier mitigations for the 'MDS' Microarchitectural Data Sampling attacks were not complete.
An additional fix was added to the x86_64 fast systemcall path to further mitigate these attacks. (bsc#1164846 bsc#1170847)
The following non-security bugs were fixed:
- blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285).
- blktrace: fix dereference after null check (bsc#1159285).
- blktrace: fix trace mutex deadlock (bsc#1159285).
- btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered extents (bsc#1163508).
- btrfs: fix panic during relocation after ENOSPC before writeback happens (bsc#1163508).
- btrfs: qgroup: Fix root item corruption when multiple same source snapshots are created with quota enabled (bsc#1158642)
- btrfs: relocation: fix reloc_root lifespan and access (bsc#1164009).
- enic: prevent waking up stopped tx queues over watchdog reset (bsc#1133147).
- fix PageHeadHuge() race with THP split (VM Functionality, bsc#1165311).
- fs/xfs: fix f_ffree value for statfs when project quota is set (bsc#1165985).
- ibmvnic: Bound waits for device queries (bsc#1155689 ltc#182047).
- ibmvnic: Fix completion structure initialization (bsc#1155689 ltc#182047).
- ibmvnic: Serialize device queries (bsc#1155689 ltc#182047).
- ibmvnic: Terminate waiting device threads after loss of service (bsc#1155689 ltc#182047).
- input: add safety guards to input_set_keycode() (bsc#1168075).
- ipv4: correct gso_size for UFO (bsc#1154844).
- ipv6: fix memory accounting during ipv6 queue expire (bsc#1162227) (bsc#1162227).
- ipvlan: do not add hardware address of master to its unicast filter list (bsc#1137325).
- md: add mddev->pers to avoid potential NULL pointer dereference (bsc#1056134).
- md/bitmap: do not read page from device with Bitmap_sync (bsc#1056134).
- md: change the initialization value for a spare device spot to MD_DISK_ROLE_SPARE (bsc#1056134).
- md: Delete gendisk before cleaning up the request queue (bsc#1056134).
- md: do not call bitmap_create() while array is quiesced (bsc#1056134).
- md: do not set In_sync if array is frozen (bsc#1056134).
- md: fix a potential deadlock of raid5/raid10 reshape (bsc#1056134).
- md: md.c: Return -ENODEV when mddev is NULL in rdev_attr_show (bsc#1056134).
- md: notify about new spare disk in the container (bsc#1056134).
- md/raid0: Fix buffer overflow at debug print (bsc#1164051).
- md/raid10: end bio when the device faulty (bsc#1056134).
- md/raid10: Fix raid10 replace hang when new added disk faulty (bsc#1056134).
- md/raid1,raid10: silence warning about wait-within-wait (bsc#1056134).
- md: return -ENODEV if rdev has no mddev assigned (bsc#1056134).
- media: ov519: add missing endpoint sanity checks (bsc#1168829).
- media: stv06xx: add missing descriptor sanity checks (bsc#1168854).
- net: ena: Add PCI shutdown handler to allow safe kexec (bsc#1167421, bsc#1167423).
- netfilter: conntrack: sctp: use distinct states for new SCTP connections (bsc#1159199).
- net/ibmvnic: Fix typo in retry check (bsc#1155689 ltc#182047).
- rpm/kernel-binary.spec.in: Replace Novell with SUSE
- sched/fair: Scale bandwidth quota and period without losing quota/period ratio precision (bsc#1161586).
- scsi: core: avoid repetitive logging of device offline messages (bsc#1145929).
- scsi: core: kABI fix already_offline (bsc#1145929).
- tcp: clear tp->packets_out when purging write queue (bsc#1154118).
- x86/mitigations: Clear CPU buffers on the SYSCALL fast path (bsc#1164846 bsc#1170847).
- xfs: also remove cached ACLs when removing the underlying attr (bsc#1165873).
- xfs: bulkstat should copy lastip whenever userspace supplies one (bsc#1165984).
ImportantSUSE bug 1056134SUSE bug 1087813SUSE bug 1120386SUSE bug 1133147SUSE bug 1137325SUSE bug 1145929SUSE bug 1149591SUSE bug 1154118SUSE bug 1154844SUSE bug 1155689SUSE bug 1157155SUSE bug 1157157SUSE bug 1157303SUSE bug 1157804SUSE bug 1158021SUSE bug 1158642SUSE bug 1158819SUSE bug 1159199SUSE bug 1159285SUSE bug 1159297SUSE bug 1159841SUSE bug 1159908SUSE bug 1159910SUSE bug 1159911SUSE bug 1159912SUSE bug 1160195SUSE bug 1161586SUSE bug 1162227SUSE bug 1162928SUSE bug 1162929SUSE bug 1162931SUSE bug 1163508SUSE bug 1163971SUSE bug 1164009SUSE bug 1164051SUSE bug 1164069SUSE bug 1164078SUSE bug 1164846SUSE bug 1165111SUSE bug 1165311SUSE bug 1165873SUSE bug 1165881SUSE bug 1165984SUSE bug 1165985SUSE bug 1167421SUSE bug 1167423SUSE bug 1167629SUSE bug 1168075SUSE bug 1168295SUSE bug 1168424SUSE bug 1168829SUSE bug 1168854SUSE bug 1170056SUSE bug 1170345SUSE bug 1170778SUSE bug 1170847CVE-2017-18255 at SUSECVE-2017-18255 at NVDCVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2018-21008 at SUSECVE-2018-21008 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDCVE-2019-14615 at SUSECVE-2019-14615 at NVDCVE-2019-14896 at SUSECVE-2019-14896 at NVDCVE-2019-14897 at SUSECVE-2019-14897 at NVDCVE-2019-18675 at SUSECVE-2019-18675 at NVDCVE-2019-19066 at SUSECVE-2019-19066 at NVDCVE-2019-19319 at SUSECVE-2019-19319 at NVDCVE-2019-19447 at SUSECVE-2019-19447 at NVDCVE-2019-19767 at SUSECVE-2019-19767 at NVDCVE-2019-19768 at SUSECVE-2019-19768 at NVDCVE-2019-19965 at SUSECVE-2019-19965 at NVDCVE-2019-19966 at SUSECVE-2019-19966 at NVDCVE-2019-20054 at SUSECVE-2019-20054 at NVDCVE-2019-20096 at SUSECVE-2019-20096 at NVDCVE-2019-3701 at SUSECVE-2019-3701 at NVDCVE-2019-5108 at SUSECVE-2019-5108 at NVDCVE-2019-9455 at SUSECVE-2019-9455 at NVDCVE-2019-9458 at SUSECVE-2019-9458 at NVDCVE-2020-10690 at SUSECVE-2020-10690 at NVDCVE-2020-10720 at SUSECVE-2020-10720 at NVDCVE-2020-10942 at SUSECVE-2020-10942 at NVDCVE-2020-11494 at SUSECVE-2020-11494 at NVDCVE-2020-11608 at SUSECVE-2020-11608 at NVDCVE-2020-11609 at SUSECVE-2020-11609 at NVDCVE-2020-2732 at SUSECVE-2020-2732 at NVDCVE-2020-8647 at SUSECVE-2020-8647 at NVDCVE-2020-8648 at SUSECVE-2020-8648 at NVDCVE-2020-8649 at SUSECVE-2020-8649 at NVDCVE-2020-8992 at SUSECVE-2020-8992 at NVDCVE-2020-9383 at SUSECVE-2020-9383 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-PyYAML (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-PyYAML fixes the following issues:
- CVE-2020-1747: Fixed an arbitrary code execution when YAML files are parsed by FullLoader (bsc#1165439).
ImportantSUSE bug 1165439CVE-2020-1747 at SUSECVE-2020-1747 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for git (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for git to 2.26.2 fixes the following issues:
Security issue fixed:
- CVE-2020-11008: Specially crafted URLs may have tricked the credentials helper
to providing credential information that is not appropriate for the protocol
in use and host being contacted (bsc#1169936).
Non-security issue fixed:
- Fixed git-daemon not starting after conversion from sysvinit to systemd service (bsc#1169605).
- Enabled access for git-daemon in firewall configuration (bsc#1170302).
- Fixed problems with recent switch to protocol v2, which caused fetches transferring unreasonable amount of data (bsc#1170741).
ModerateSUSE bug 1149792SUSE bug 1168930SUSE bug 1169605SUSE bug 1169786SUSE bug 1169936SUSE bug 1170302SUSE bug 1170741SUSE bug 1170939CVE-2020-11008 at SUSECVE-2020-11008 at NVDCVE-2020-5260 at SUSECVE-2020-5260 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for mailman (Important)SUSE OpenStack Cloud Crowbar 8
This update for mailman fixes the following issues:
Security issue fixed:
- CVE-2020-12108: Fixed a content injection bug (bsc#1171363).
- CVE-2020-12137: Fixed a XSS vulnerability caused by MIME type confusion (bsc#1170558).
Non-security issue fixed:
- Fixed rights and ownership on /var/lib/mailman/archives (bsc#1167068).
- Don't default to invalid hosts for DEFAULT_EMAIL_HOST (bsc#682920).
ImportantSUSE bug 1167068SUSE bug 1170558SUSE bug 1171363SUSE bug 682920CVE-2020-12108 at SUSECVE-2020-12108 at NVDCVE-2020-12137 at SUSECVE-2020-12137 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for tomcat (Important)SUSE OpenStack Cloud Crowbar 8
This update for tomcat fixes the following issues:
CVE-2020-9484 (bsc#1171928)
Apache Tomcat Remote Code Execution via session persistence
If an attacker was able to control the contents and name of a file on a
server configured to use the PersistenceManager, then the attacker could
have triggered a remote code execution via deserialization of the file under
their control.
CVE-2019-12418 (bsc#1159723)
Local privilege escalation by manipulating the RMI registry and performing a man-in-the-middle attack
When Tomcat is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files was able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface.
The attacker could then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.
CVE-2019-0221 (bsc#1136085)
The SSI printenv command echoed user provided data without escaping, which
made it vulnerable to XSS.
CVE-2019-17563 (bsc#1159729)
When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack.
CVE-2019-17569 (bsc#1164825)
Invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling
if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header.
ImportantSUSE bug 1136085SUSE bug 1159723SUSE bug 1159729SUSE bug 1164825SUSE bug 1171928CVE-2019-0221 at SUSECVE-2019-0221 at NVDCVE-2019-12418 at SUSECVE-2019-12418 at NVDCVE-2019-17563 at SUSECVE-2019-17563 at NVDCVE-2019-17569 at SUSECVE-2019-17569 at NVDCVE-2020-9484 at SUSECVE-2020-9484 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python to version 2.7.17 fixes the following issues:
Syncing with lots of upstream bug fixes and security fixes.
Bug fixes:
- CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825).
- CVE-2019-18348: Fixed a CRLF injection via the host part of the url passed to urlopen(). Now an InvalidURL exception is raised (bsc#1155094).
- CVE-2020-8492: Fixed a regular expression in urllib that was prone to denial of service via HTTP (bsc#1162367).
- Fixed mismatches between libpython and python-base versions (bsc#1162224).
- Fixed segfault in libpython2.7.so.1 (bsc#1073748).
- Unified packages among openSUSE:Factory and SLE versions (bsc#1159035).
- Added idle.desktop and idle.appdata.xml to provide IDLE in menus (bsc#1153830).
- Excluded tsl_check files from python-base to prevent file conflict with python-strict-tls-checks package (bsc#945401).
- Changed the name of idle3 icons to idle3.png to avoid collision with Python 2 version (bsc#1165894).
Additionally a new 'shared-python-startup' package is provided containing startup files.
python-rpm-macros was updated to fix:
- Do not write .pyc files for tests (bsc#1171561)
ModerateSUSE bug 1027282SUSE bug 1041090SUSE bug 1042670SUSE bug 1073269SUSE bug 1073748SUSE bug 1078326SUSE bug 1078485SUSE bug 1081750SUSE bug 1084650SUSE bug 1086001SUSE bug 1149792SUSE bug 1153830SUSE bug 1155094SUSE bug 1159035SUSE bug 1162224SUSE bug 1162367SUSE bug 1162825SUSE bug 1165894SUSE bug 1170411SUSE bug 1171561SUSE bug 945401CVE-2019-18348 at SUSECVE-2019-18348 at NVDCVE-2019-9674 at SUSECVE-2019-9674 at NVDCVE-2020-8492 at SUSECVE-2020-8492 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for krb5-appl (Important)SUSE OpenStack Cloud Crowbar 8
This update for krb5-appl fixes the following issues:
- CVE-2020-10188: Fixed a remote root execution (bsc#1165787).
ImportantSUSE bug 1165787CVE-2020-10188 at SUSECVE-2020-10188 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libexif (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for libexif fixes the following issues:
Security issues fixed:
- CVE-2016-6328: Fixed an integer overflow in parsing MNOTE entry data of the input file (bsc#1055857).
- CVE-2017-7544: Fixed an out-of-bounds heap read vulnerability in exif_data_save_data_entry function in libexif/exif-data.c (bsc#1059893).
- CVE-2018-20030: Fixed a denial of service by endless recursion (bsc#1120943).
- CVE-2019-9278: Fixed an integer overflow (bsc#1160770).
- CVE-2020-0093: Fixed an out-of-bounds read in exif_data_save_data_entry (bsc#1171847).
- CVE-2020-12767: Fixed a divide-by-zero error in exif_entry_get_value (bsc#1171475).
- CVE-2020-13112: Fixed a time consumption DoS when parsing canon array markers (bsc#1172121).
- CVE-2020-13113: Fixed a potential use of uninitialized memory (bsc#1172105).
- CVE-2020-13114: Fixed various buffer overread fixes due to integer overflows in maker notes (bsc#1172116).
Non-security issues fixed:
- libexif was updated to version 0.6.22:
* New translations: ms
* Updated translations for most languages
* Some useful EXIF 2.3 tag added:
* EXIF_TAG_GAMMA
* EXIF_TAG_COMPOSITE_IMAGE
* EXIF_TAG_SOURCE_IMAGE_NUMBER_OF_COMPOSITE_IMAGE
* EXIF_TAG_SOURCE_EXPOSURE_TIMES_OF_COMPOSITE_IMAGE
* EXIF_TAG_GPS_H_POSITIONING_ERROR
* EXIF_TAG_CAMERA_OWNER_NAME
* EXIF_TAG_BODY_SERIAL_NUMBER
* EXIF_TAG_LENS_SPECIFICATION
* EXIF_TAG_LENS_MAKE
* EXIF_TAG_LENS_MODEL
* EXIF_TAG_LENS_SERIAL_NUMBER
ModerateSUSE bug 1055857SUSE bug 1059893SUSE bug 1120943SUSE bug 1160770SUSE bug 1171475SUSE bug 1171847SUSE bug 1172105SUSE bug 1172116SUSE bug 1172121CVE-2016-6328 at SUSECVE-2016-6328 at NVDCVE-2017-7544 at SUSECVE-2017-7544 at NVDCVE-2018-20030 at SUSECVE-2018-20030 at NVDCVE-2019-9278 at SUSECVE-2019-9278 at NVDCVE-2020-0093 at SUSECVE-2020-0093 at NVDCVE-2020-12767 at SUSECVE-2020-12767 at NVDCVE-2020-13112 at SUSECVE-2020-13112 at NVDCVE-2020-13113 at SUSECVE-2020-13113 at NVDCVE-2020-13114 at SUSECVE-2020-13114 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for qemu (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for qemu fixes the following issues:
Security issues fixed:
- CVE-2020-1711: Fixed a potential OOB access in the iSCSI client code (bsc#1166240).
- CVE-2019-12068: Fixed a potential DoS in the LSI SCSI controller emulation (bsc#1146873).
- CVE-2020-1983: Fixed a use-after-free in the ip_reass function of slirp (bsc#1170940).
- CVE-2020-8608: Fixed a potential OOB access in slirp (bsc#1163018).
- CVE-2020-7039: Fixed a potential OOB access in slirp (bsc#1161066).
- CVE-2019-15890: Fixed a use-after-free during packet reassembly in slirp (bsc#1149811).
- Fixed multiple potential DoS issues in SLIRP, similar to CVE-2019-6778 (bsc#1123156).
Non-security issue fixed:
- Make sure that required memory is mapped properly during an incoming migration of a Xen HVM domU (bsc#1160024).
ModerateSUSE bug 1123156SUSE bug 1146873SUSE bug 1149811SUSE bug 1160024SUSE bug 1161066SUSE bug 1163018SUSE bug 1166240SUSE bug 1170940CVE-2019-12068 at SUSECVE-2019-12068 at NVDCVE-2019-15890 at SUSECVE-2019-15890 at NVDCVE-2019-6778 at SUSECVE-2019-6778 at NVDCVE-2020-1711 at SUSECVE-2020-1711 at NVDCVE-2020-1983 at SUSECVE-2020-1983 at NVDCVE-2020-7039 at SUSECVE-2020-7039 at NVDCVE-2020-8608 at SUSECVE-2020-8608 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for vim (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for vim fixes the following issues:
- CVE-2019-20807: Fixed an issue where escaping from the restrictive mode of vim
was possible using interfaces (bsc#1172225 and bsc#1172031).
ModerateSUSE bug 1172031SUSE bug 1172225CVE-2019-20807 at SUSECVE-2019-20807 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
- MozillaFirefox was updated to version 68.9.0 Extended Support Release (bsc#1172402).
- CVE-2020-12405: Fixed a use-after-free in SharedWorkerService.
- CVE-2020-12406: Fixed a JavaScript Type confusion with NativeTypes.
- CVE-2020-12410: Fixed multiple memory safety bugs.
ImportantSUSE bug 1172402CVE-2020-12405 at SUSECVE-2020-12405 at NVDCVE-2020-12406 at SUSECVE-2020-12406 at NVDCVE-2020-12410 at SUSECVE-2020-12410 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ruby2.1 (Important)SUSE OpenStack Cloud Crowbar 8
This update for ruby2.1 fixes the following issues:
Security issues fixed:
- CVE-2015-9096: Fixed an SMTP command injection via CRLFsequences in a RCPT TO or MAIL FROM command (bsc#1043983).
- CVE-2016-7798: Fixed an IV Reuse in GCM Mode (bsc#1055265).
- CVE-2017-0898: Fixed a buffer underrun vulnerability in Kernel.sprintf (bsc#1058755).
- CVE-2017-0899: Fixed an issue with malicious gem specifications, insufficient sanitation when printing gem specifications could have included terminal characters (bsc#1056286).
- CVE-2017-0900: Fixed an issue with malicious gem specifications, the query command could have led to a denial of service attack against clients (bsc#1056286).
- CVE-2017-0901: Fixed an issue with malicious gem specifications, potentially overwriting arbitrary files on the client system (bsc#1056286).
- CVE-2017-0902: Fixed an issue with malicious gem specifications, that could have enabled MITM attacks against clients (bsc#1056286).
- CVE-2017-0903: Fixed an unsafe object deserialization vulnerability (bsc#1062452).
- CVE-2017-9228: Fixed a heap out-of-bounds write in bitset_set_range() during regex compilation (bsc#1069607).
- CVE-2017-9229: Fixed an invalid pointer dereference in left_adjust_char_head() in oniguruma (bsc#1069632).
- CVE-2017-10784: Fixed an escape sequence injection vulnerability in the Basic authentication of WEBrick (bsc#1058754).
- CVE-2017-14033: Fixed a buffer underrun vulnerability in OpenSSL ASN1 decode (bsc#1058757).
- CVE-2017-14064: Fixed an arbitrary memory exposure during a JSON.generate call (bsc#1056782).
- CVE-2017-17405: Fixed a command injection vulnerability in Net::FTP (bsc#1073002).
- CVE-2017-17742: Fixed an HTTP response splitting issue in WEBrick (bsc#1087434).
- CVE-2017-17790: Fixed a command injection in lib/resolv.rb:lazy_initialize() (bsc#1078782).
- CVE-2018-6914: Fixed an unintentional file and directory creation with directory traversal in tempfile and tmpdir (bsc#1087441).
- CVE-2018-8777: Fixed a potential DoS caused by large requests in WEBrick (bsc#1087436).
- CVE-2018-8778: Fixed a buffer under-read in String#unpack (bsc#1087433).
- CVE-2018-8779: Fixed an unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket (bsc#1087440).
- CVE-2018-8780: Fixed an unintentional directory traversal by poisoned NUL byte in Dir (bsc#1087437).
- CVE-2018-16395: Fixed an issue with OpenSSL::X509::Name equality checking (bsc#1112530).
- CVE-2018-16396: Fixed an issue with tainted string handling, where the flag was not propagated in Array#pack and String#unpack with some directives (bsc#1112532).
- CVE-2018-1000073: Fixed a path traversal issue (bsc#1082007).
- CVE-2018-1000074: Fixed an unsafe object deserialization vulnerability in gem owner, allowing arbitrary code execution with specially crafted YAML (bsc#1082008).
- CVE-2018-1000075: Fixed an infinite loop vulnerability due to negative size in tar header causes Denial of Service (bsc#1082014).
- CVE-2018-1000076: Fixed an improper verification of signatures in tarballs (bsc#1082009).
- CVE-2018-1000077: Fixed an improper URL validation in the homepage attribute of ruby gems (bsc#1082010).
- CVE-2018-1000078: Fixed a XSS vulnerability in the homepage attribute when displayed via gem server (bsc#1082011).
- CVE-2018-1000079: Fixed a path traversal issue during gem installation allows to write to arbitrary filesystem locations (bsc#1082058).
- CVE-2019-8320: Fixed a directory traversal issue when decompressing tar files (bsc#1130627).
- CVE-2019-8321: Fixed an escape sequence injection vulnerability in verbose (bsc#1130623).
- CVE-2019-8322: Fixed an escape sequence injection vulnerability in gem owner (bsc#1130622).
- CVE-2019-8323: Fixed an escape sequence injection vulnerability in API response handling (bsc#1130620).
- CVE-2019-8324: Fixed an issue with malicious gems that may have led to arbitrary code execution (bsc#1130617).
- CVE-2019-8325: Fixed an escape sequence injection vulnerability in errors (bsc#1130611).
- CVE-2019-15845: Fixed a NUL injection vulnerability in File.fnmatch and File.fnmatch? (bsc#1152994).
- CVE-2019-16201: Fixed a regular expression denial of service vulnerability in WEBrick's digest access authentication (bsc#1152995).
- CVE-2019-16254: Fixed an HTTP response splitting vulnerability in WEBrick (bsc#1152992).
- CVE-2019-16255: Fixed a code injection vulnerability in Shell#[] and Shell#test (bsc#1152990).
- CVE-2020-10663: Fixed an unsafe object creation vulnerability in JSON (bsc#1171517).
Non-security issue fixed:
- Add conflicts to libruby to make sure ruby and ruby-stdlib are also updated when libruby is updated (bsc#1048072).
Also yast2-ruby-bindings on SLES 12 SP2 LTSS was updated to handle the updated ruby interpreter. (bsc#1172275)
ImportantSUSE bug 1043983SUSE bug 1048072SUSE bug 1055265SUSE bug 1056286SUSE bug 1056782SUSE bug 1058754SUSE bug 1058755SUSE bug 1058757SUSE bug 1062452SUSE bug 1069607SUSE bug 1069632SUSE bug 1073002SUSE bug 1078782SUSE bug 1082007SUSE bug 1082008SUSE bug 1082009SUSE bug 1082010SUSE bug 1082011SUSE bug 1082014SUSE bug 1082058SUSE bug 1087433SUSE bug 1087434SUSE bug 1087436SUSE bug 1087437SUSE bug 1087440SUSE bug 1087441SUSE bug 1112530SUSE bug 1112532SUSE bug 1130611SUSE bug 1130617SUSE bug 1130620SUSE bug 1130622SUSE bug 1130623SUSE bug 1130627SUSE bug 1152990SUSE bug 1152992SUSE bug 1152994SUSE bug 1152995SUSE bug 1171517SUSE bug 1172275CVE-2015-9096 at SUSECVE-2015-9096 at NVDCVE-2016-2339 at SUSECVE-2016-2339 at NVDCVE-2016-7798 at SUSECVE-2016-7798 at NVDCVE-2017-0898 at SUSECVE-2017-0898 at NVDCVE-2017-0899 at SUSECVE-2017-0899 at NVDCVE-2017-0900 at SUSECVE-2017-0900 at NVDCVE-2017-0901 at SUSECVE-2017-0901 at NVDCVE-2017-0902 at SUSECVE-2017-0902 at NVDCVE-2017-0903 at SUSECVE-2017-0903 at NVDCVE-2017-10784 at SUSECVE-2017-10784 at NVDCVE-2017-14033 at SUSECVE-2017-14033 at NVDCVE-2017-14064 at SUSECVE-2017-14064 at NVDCVE-2017-17405 at SUSECVE-2017-17405 at NVDCVE-2017-17742 at SUSECVE-2017-17742 at NVDCVE-2017-17790 at SUSECVE-2017-17790 at NVDCVE-2017-9228 at SUSECVE-2017-9228 at NVDCVE-2017-9229 at SUSECVE-2017-9229 at NVDCVE-2018-1000073 at SUSECVE-2018-1000073 at NVDCVE-2018-1000074 at SUSECVE-2018-1000074 at NVDCVE-2018-1000075 at SUSECVE-2018-1000075 at NVDCVE-2018-1000076 at SUSECVE-2018-1000076 at NVDCVE-2018-1000077 at SUSECVE-2018-1000077 at NVDCVE-2018-1000078 at SUSECVE-2018-1000078 at NVDCVE-2018-1000079 at SUSECVE-2018-1000079 at NVDCVE-2018-16395 at SUSECVE-2018-16395 at NVDCVE-2018-16396 at SUSECVE-2018-16396 at NVDCVE-2018-6914 at SUSECVE-2018-6914 at NVDCVE-2018-8777 at SUSECVE-2018-8777 at NVDCVE-2018-8778 at SUSECVE-2018-8778 at NVDCVE-2018-8779 at SUSECVE-2018-8779 at NVDCVE-2018-8780 at SUSECVE-2018-8780 at NVDCVE-2019-15845 at SUSECVE-2019-15845 at NVDCVE-2019-16201 at SUSECVE-2019-16201 at NVDCVE-2019-16254 at SUSECVE-2019-16254 at NVDCVE-2019-16255 at SUSECVE-2019-16255 at NVDCVE-2019-8320 at SUSECVE-2019-8320 at NVDCVE-2019-8321 at SUSECVE-2019-8321 at NVDCVE-2019-8322 at SUSECVE-2019-8322 at NVDCVE-2019-8323 at SUSECVE-2019-8323 at NVDCVE-2019-8324 at SUSECVE-2019-8324 at NVDCVE-2019-8325 at SUSECVE-2019-8325 at NVDCVE-2020-10663 at SUSECVE-2020-10663 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_7_0-openjdk (Important)SUSE OpenStack Cloud Crowbar 8
This update for java-1_7_0-openjdk to version 7u261 fixes the following issues:
- CVE-2020-2756: Better mapping of serial ENUMs (bsc#1169511)
- CVE-2020-2757: Less Blocking Array Queues (bsc#1169511)
- CVE-2020-2773: Better signatures in XML (bsc#1169511)
- CVE-2020-2781: Improve TLS session handling (bsc#1169511)
- CVE-2020-2800: Better Headings for HTTP Servers (bsc#1169511)
- CVE-2020-2803: Enhance buffering of byte buffers (bsc#1169511)
- CVE-2020-2805: Enhance typing of methods (bsc#1169511)
- CVE-2020-2830: Better Scanner conversions (bsc#1169511)
ImportantSUSE bug 1169511CVE-2020-2756 at SUSECVE-2020-2756 at NVDCVE-2020-2757 at SUSECVE-2020-2757 at NVDCVE-2020-2773 at SUSECVE-2020-2773 at NVDCVE-2020-2781 at SUSECVE-2020-2781 at NVDCVE-2020-2800 at SUSECVE-2020-2800 at NVDCVE-2020-2803 at SUSECVE-2020-2803 at NVDCVE-2020-2805 at SUSECVE-2020-2805 at NVDCVE-2020-2830 at SUSECVE-2020-2830 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for tigervnc (Important)SUSE OpenStack Cloud Crowbar 8
This update for tigervnc fixes the following issues:
- CVE-2019-15691: Fixed a use-after-return due to incorrect usage of stack memory in ZRLEDecoder (bsc#1159856).
- CVE-2019-15692: Fixed a heap-based buffer overflow in CopyRectDecode (bsc#1160250).
- CVE-2019-15693: Fixed a heap-based buffer overflow in TightDecoder::FilterGradient (bsc#1159858).
- CVE-2019-15694: Fixed a heap-based buffer overflow, caused by improper error handling in processing MemOutStream (bsc#1160251).
- CVE-2019-15695: Fixed a stack-based buffer overflow, which could be triggered from CMsgReader::readSetCursor (bsc#1159860).
ImportantSUSE bug 1159856SUSE bug 1159858SUSE bug 1159860SUSE bug 1160250SUSE bug 1160251SUSE bug 1160937CVE-2019-15691 at SUSECVE-2019-15691 at NVDCVE-2019-15692 at SUSECVE-2019-15692 at NVDCVE-2019-15693 at SUSECVE-2019-15693 at NVDCVE-2019-15694 at SUSECVE-2019-15694 at NVDCVE-2019-15695 at SUSECVE-2019-15695 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ucode-intel (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for ucode-intel fixes the following issues:
Updated Intel CPU Microcode to 20200602 (prerelease) (bsc#1172466)
This update contains security mitigations for:
- CVE-2020-0543: Fixed a side channel attack against special registers
which could have resulted in leaking of read values to cores other
than the one which called it. This attack is known as Special Register
Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).
- CVE-2020-0548,CVE-2020-0549: Additional ucode updates were supplied to
mitigate the Vector Register and L1D Eviction Sampling aka 'CacheOutAttack'
attacks. (bsc#1156353)
Microcode Table:
Processor Identifier Version Products
Model Stepping F-MO-S/PI Old->New
---- new platforms ----------------------------------------
---- updated platforms ------------------------------------
HSW C0 6-3c-3/32 00000027->00000028 Core Gen4
BDW-U/Y E0/F0 6-3d-4/c0 0000002e->0000002f Core Gen5
HSW-U C0/D0 6-45-1/72 00000025->00000026 Core Gen4
HSW-H C0 6-46-1/32 0000001b->0000001c Core Gen4
BDW-H/E3 E0/G0 6-47-1/22 00000021->00000022 Core Gen5
SKL-U/Y D0 6-4e-3/c0 000000d6->000000dc Core Gen6 Mobile
SKL-U23e K1 6-4e-3/c0 000000d6->000000dc Core Gen6 Mobile
SKX-SP B1 6-55-3/97 01000151->01000157 Xeon Scalable
SKX-SP H0/M0/U0 6-55-4/b7 02000065->02006906 Xeon Scalable
SKX-D M1 6-55-4/b7 02000065->02006906 Xeon D-21xx
CLX-SP B0 6-55-6/bf 0400002c->04002f01 Xeon Scalable Gen2
CLX-SP B1 6-55-7/bf 0500002c->04002f01 Xeon Scalable Gen2
SKL-H/S R0/N0 6-5e-3/36 000000d6->000000dc Core Gen6; Xeon E3 v5
AML-Y22 H0 6-8e-9/10 000000ca->000000d6 Core Gen8 Mobile
KBL-U/Y H0 6-8e-9/c0 000000ca->000000d6 Core Gen7 Mobile
CFL-U43e D0 6-8e-a/c0 000000ca->000000d6 Core Gen8 Mobile
WHL-U W0 6-8e-b/d0 000000ca->000000d6 Core Gen8 Mobile
AML-Y42 V0 6-8e-c/94 000000ca->000000d6 Core Gen10 Mobile
CML-Y42 V0 6-8e-c/94 000000ca->000000d6 Core Gen10 Mobile
WHL-U V0 6-8e-c/94 000000ca->000000d6 Core Gen8 Mobile
KBL-G/H/S/E3 B0 6-9e-9/2a 000000ca->000000d6 Core Gen7; Xeon E3 v6
CFL-H/S/E3 U0 6-9e-a/22 000000ca->000000d6 Core Gen8 Desktop, Mobile, Xeon E
CFL-S B0 6-9e-b/02 000000ca->000000d6 Core Gen8
CFL-H/S P0 6-9e-c/22 000000ca->000000d6 Core Gen9
CFL-H R0 6-9e-d/22 000000ca->000000d6 Core Gen9 Mobile
Also contains the Intel CPU Microcode update to 20200520:
Processor Identifier Version Products
Model Stepping F-MO-S/PI Old->New
---- new platforms ----------------------------------------
---- updated platforms ------------------------------------
SNB-E/EN/EP C1/M0 6-2d-6/6d 0000061f->00000621 Xeon E3/E5, Core X
SNB-E/EN/EP C2/M1 6-2d-7/6d 00000718->0000071a Xeon E3/E5, Core X
ModerateSUSE bug 1154824SUSE bug 1156353SUSE bug 1172466CVE-2020-0543 at SUSECVE-2020-0543 at NVDCVE-2020-0548 at SUSECVE-2020-0548 at NVDCVE-2020-0549 at SUSECVE-2020-0549 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud Crowbar 8
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it.
This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).
- CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).
- CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).
- CVE-2020-12654: Fixed an issue in he wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).
- CVE-2020-12656: Fixed an improper handling of certain domain_release calls leadingch could have led to a memory leak (bsc#1171219).
- CVE-2020-12114: Fixed A pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).
- CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).
The following non-security bugs were fixed:
- can, slip: Protect tty->disc_data in write_wakeup and close with RCU (bsc#1171698).
- clocksource/drivers/hyper-v: Set TSC clocksource as default w/ InvariantTSC (bsc#1170620).
- Drivers: HV: Send one page worth of kmsg dump over Hyper-V during panic (bsc#1170618).
- Drivers: hv: vmbus: Fix the issue with freeing up hv_ctl_table_hdr (bsc#1170618).
- Drivers: hv: vmbus: Get rid of MSR access from vmbus_drv.c (bsc#1170618).
- Drivers: hv: vmbus: Make panic reporting to be more useful (bsc#1170618).
- Drivers: hv: vmus: Fix the check for return value from kmsg get dump buffer (bsc#1170618).
- EDAC: Convert to new X86 CPU match macros
- ibmvfc: do not send implicit logouts prior to NPIV login (bsc#1169625 ltc#184611).
- ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).
- KEYS: reaching the keys quotas correctly (bsc#1171689).
- NFS: Cleanup if nfs_match_client is interrupted (bsc#1169025).
- NFS: Fix a double unlock from nfs_match,get_client (bsc#1169025).
- NFS: make nfs_match_client killable (bsc#1169025).
- NFS: Unlock requests must never fail (bsc#1172032).
- random: always use batched entropy for get_random_u{32,64} (bsc#1164871).
- Revert 'ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()' (bsc#1172221).
- scsi: ibmvfc: Avoid loss of all paths during SVC node reboot (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).
- x86/dumpstack/64: Handle faults when printing the 'Stack: ' part of an OOPS (bsc#1170383).
- x86/hyperv: Allow guests to enable InvariantTSC (bsc#1170620).
- x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump (bsc#1170618).
- x86/Hyper-V: Report crash data in die() when panic_on_oops is set (bsc#1170618).
- x86/Hyper-V: Report crash register data or kmsg before running crash kernel (bsc#1170618).
- x86/Hyper-V: Report crash register data when sysctl_record_panic_msg is not set (bsc#1170618).
- x86: hyperv: report value of misc_features (git fixes).
- x86/Hyper-V: Trigger crash enlightenment only once during system crash (bsc#1170618).
- x86/Hyper-V: Unload vmbus channel in hv panic callback (bsc#1170618).
ImportantSUSE bug 1154824SUSE bug 1161951SUSE bug 1164871SUSE bug 1169025SUSE bug 1169625SUSE bug 1170383SUSE bug 1170618SUSE bug 1170620SUSE bug 1171098SUSE bug 1171195SUSE bug 1171202SUSE bug 1171218SUSE bug 1171219SUSE bug 1171689SUSE bug 1171698SUSE bug 1172032SUSE bug 1172221SUSE bug 1172317CVE-2020-0543 at SUSECVE-2020-0543 at NVDCVE-2020-10757 at SUSECVE-2020-10757 at NVDCVE-2020-12114 at SUSECVE-2020-12114 at NVDCVE-2020-12652 at SUSECVE-2020-12652 at NVDCVE-2020-12653 at SUSECVE-2020-12653 at NVDCVE-2020-12654 at SUSECVE-2020-12654 at NVDCVE-2020-12656 at SUSECVE-2020-12656 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for virglrenderer (Important)SUSE OpenStack Cloud Crowbar 8
This update for virglrenderer fixes the following issues:
- CVE-2019-18388: Fixed a null pointer dereference which could have led
to denial of service (bsc#1159479).
- CVE-2019-18390: Fixed an out of bound read which could have led to
denial of service (bsc#1159478).
- CVE-2019-18389: Fixed a heap buffer overflow which could have led to
guest escape or denial of service (bsc#1159482).
- CVE-2019-18391: Fixed a heap based buffer overflow which could have led to
guest escape or denial of service (bsc#1159486).
ImportantSUSE bug 1159478SUSE bug 1159479SUSE bug 1159482SUSE bug 1159486CVE-2019-18388 at SUSECVE-2019-18388 at NVDCVE-2019-18389 at SUSECVE-2019-18389 at NVDCVE-2019-18390 at SUSECVE-2019-18390 at NVDCVE-2019-18391 at SUSECVE-2019-18391 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for adns (Important)SUSE OpenStack Cloud Crowbar 8
This update for adns fixes the following issues:
- CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9109: Fixed an issue in local recursive resolver
which could have led to remote code execution (bsc#1172265).
- CVE-2017-9106: Fixed an issue with upstream DNS data sources which could have led to denial of
service (bsc#1172265).
- CVE-2017-9107: Fixed an issue when quering domain names which could have led to denial of service (bsc#1172265).
- CVE-2017-9108: Fixed an issue which could have led to denial of service (bsc#1172265).
ImportantSUSE bug 1172265CVE-2017-9103 at SUSECVE-2017-9103 at NVDCVE-2017-9104 at SUSECVE-2017-9104 at NVDCVE-2017-9105 at SUSECVE-2017-9105 at NVDCVE-2017-9106 at SUSECVE-2017-9106 at NVDCVE-2017-9107 at SUSECVE-2017-9107 at NVDCVE-2017-9108 at SUSECVE-2017-9108 at NVDCVE-2017-9109 at SUSECVE-2017-9109 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for nodejs6 (Critical)SUSE OpenStack Cloud Crowbar 8
This update for nodejs6 fixes the following issues:
- CVE-2020-8174: Fixed multiple memory corruption in napi_get_value_string_*() (bsc#1172443).
- CVE-2020-7598: Fixed an issue which could have tricked minimist into adding or modifying
properties of Object.prototype (bsc#1166916).
CriticalSUSE bug 1166916SUSE bug 1172443CVE-2020-7598 at SUSECVE-2020-7598 at NVDCVE-2020-8174 at SUSECVE-2020-8174 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for mariadb (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for mariadb fixes the following issues:
mariadb was updated to version 10.0.44 (bsc#1171550)
- CVE-2020-2752: Fixed an issue which could have resulted in unauthorized ability to cause denial of service.
- CVE-2020-2812: Fixed an issue which could have resulted in unauthorized ability to cause denial of service.
ModerateSUSE bug 1171550CVE-2020-2752 at SUSECVE-2020-2752 at NVDCVE-2020-2812 at SUSECVE-2020-2812 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for xen (Important)SUSE OpenStack Cloud Crowbar 8
This update for xen fixes the following issues:
- CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it.
This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1172205).
- CVE-2020-11742: Bad continuation handling in GNTTABOP_copy (bsc#1169392).
- CVE-2020-11740, CVE-2020-11741: xen: XSA-313 multiple xenoprof issues (bsc#1168140).
- CVE-2020-11739: Missing memory barriers in read-write unlock paths (bsc#1168142).
- CVE-2019-19583: Fixed improper checks which could have allowed HVM/PVH guest userspace code to crash the guest, leading to a guest denial of service (bsc#1158004 XSA-308).
- CVE-2019-19581: Fixed a potential out of bounds on 32-bit Arm (bsc#1158003 XSA-307).
- CVE-2019-19580: Fixed a privilege escalation where a malicious PV guest administrator could have been able to escalate their privilege to that of the host (bsc#1158006 XSA-310).
- CVE-2019-19579: Fixed a privilege escalation where an untrusted domain with access to a physical device can DMA into host memory (bsc#1157888 XSA-306).
- CVE-2019-19578: Fixed an issue where a malicious or buggy PV guest could have caused hypervisor crash resulting in denial of service affecting the entire host (bsc#1158005 XSA-309).
- CVE-2019-19577: Fixed an issue where a malicious guest administrator could have caused Xen to access data structures while they are being modified leading to a crash (bsc#1158007 XSA-311).
- Xenstored Crashed during VM install (bsc#1167152)
ImportantSUSE bug 1157888SUSE bug 1158003SUSE bug 1158004SUSE bug 1158005SUSE bug 1158006SUSE bug 1158007SUSE bug 1161181SUSE bug 1167152SUSE bug 1168140SUSE bug 1168142SUSE bug 1169392SUSE bug 1172205CVE-2019-19577 at SUSECVE-2019-19577 at NVDCVE-2019-19578 at SUSECVE-2019-19578 at NVDCVE-2019-19579 at SUSECVE-2019-19579 at NVDCVE-2019-19580 at SUSECVE-2019-19580 at NVDCVE-2019-19581 at SUSECVE-2019-19581 at NVDCVE-2019-19583 at SUSECVE-2019-19583 at NVDCVE-2020-0543 at SUSECVE-2020-0543 at NVDCVE-2020-11739 at SUSECVE-2020-11739 at NVDCVE-2020-11740 at SUSECVE-2020-11740 at NVDCVE-2020-11741 at SUSECVE-2020-11741 at NVDCVE-2020-11742 at SUSECVE-2020-11742 at NVDCVE-2020-7211 at SUSECVE-2020-7211 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for perl (Important)SUSE OpenStack Cloud Crowbar 8
This update for perl fixes the following issues:
- CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have
allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of
instructions into the compiled form of Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a
compiled regular expression (bsc#1171866).
- Fixed utf8 handling in perldoc by useing 'term' instead of 'man' (bsc#1170601).
- Some packages make assumptions about the date and time they are built.
This update will solve the issues caused by calling the perl function timelocal
expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039)
ImportantSUSE bug 1102840SUSE bug 1160039SUSE bug 1170601SUSE bug 1171863SUSE bug 1171864SUSE bug 1171866CVE-2020-10543 at SUSECVE-2020-10543 at NVDCVE-2020-10878 at SUSECVE-2020-10878 at NVDCVE-2020-12723 at SUSECVE-2020-12723 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_7_1-ibm (Important)SUSE OpenStack Cloud Crowbar 8
This update for java-1_7_1-ibm fixes the following issues:
java-1_7_1-ibm was updated to Java 7.1 Service Refresh 4 Fix Pack 65 (bsc#1172277 and bsc#1169511)
- CVE-2020-2654: Fixed an issue which could have resulted in unauthorized ability to cause a partial denial of service
- CVE-2020-2756: Improved mapping of serial ENUMs
- CVE-2020-2757: Less Blocking Array Queues
- CVE-2020-2781: Improved TLS session handling
- CVE-2020-2800: Improved Headings for HTTP Servers
- CVE-2020-2803: Enhanced buffering of byte buffers
- CVE-2020-2805: Enhanced typing of methods
- CVE-2020-2830: Improved Scanner conversions
ImportantSUSE bug 1169511SUSE bug 1172277CVE-2020-2654 at SUSECVE-2020-2654 at NVDCVE-2020-2756 at SUSECVE-2020-2756 at NVDCVE-2020-2757 at SUSECVE-2020-2757 at NVDCVE-2020-2781 at SUSECVE-2020-2781 at NVDCVE-2020-2800 at SUSECVE-2020-2800 at NVDCVE-2020-2803 at SUSECVE-2020-2803 at NVDCVE-2020-2805 at SUSECVE-2020-2805 at NVDCVE-2020-2830 at SUSECVE-2020-2830 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_8_0-ibm (Important)SUSE OpenStack Cloud Crowbar 8
This update for java-1_8_0-ibm fixes the following issues:
java-1_8_0-ibm was updated to Java 8.0 Service Refresh 6 Fix Pack 10 (bsc#1172277,bsc#1169511,bsc#1160968)
- CVE-2020-2654: Fixed an issue which could have resulted in unauthorized ability to cause a partial denial of service
- CVE-2020-2754: Forwarded references to Nashorn
- CVE-2020-2755: Improved Nashorn matching
- CVE-2020-2756: Improved mapping of serial ENUMs
- CVE-2020-2757: Less Blocking Array Queues
- CVE-2020-2781: Improved TLS session handling
- CVE-2020-2800: Improved Headings for HTTP Servers
- CVE-2020-2803: Enhanced buffering of byte buffers
- CVE-2020-2805: Enhanced typing of methods
- CVE-2020-2830: Improved Scanner conversions
- CVE-2019-2949: Fixed an issue which could have resulted in unauthorized access to critical data
- Added RSA PSS SUPPORT TO IBMPKCS11IMPL
- The pack200 and unpack200 alternatives should be slaves of java (bsc#1171352).
ImportantSUSE bug 1160968SUSE bug 1169511SUSE bug 1171352SUSE bug 1172277CVE-2019-2949 at SUSECVE-2019-2949 at NVDCVE-2020-2654 at SUSECVE-2020-2654 at NVDCVE-2020-2754 at SUSECVE-2020-2754 at NVDCVE-2020-2755 at SUSECVE-2020-2755 at NVDCVE-2020-2756 at SUSECVE-2020-2756 at NVDCVE-2020-2757 at SUSECVE-2020-2757 at NVDCVE-2020-2781 at SUSECVE-2020-2781 at NVDCVE-2020-2800 at SUSECVE-2020-2800 at NVDCVE-2020-2803 at SUSECVE-2020-2803 at NVDCVE-2020-2805 at SUSECVE-2020-2805 at NVDCVE-2020-2830 at SUSECVE-2020-2830 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_8_0-openjdk (Important)SUSE OpenStack Cloud Crowbar 8
This update for java-1_8_0-openjdk to version jdk8u252 fixes the following issues:
- CVE-2020-2754: Forward references to Nashorn (bsc#1169511)
- CVE-2020-2755: Improve Nashorn matching (bsc#1169511)
- CVE-2020-2756: Better mapping of serial ENUMs (bsc#1169511)
- CVE-2020-2757: Less Blocking Array Queues (bsc#1169511)
- CVE-2020-2773: Better signatures in XML (bsc#1169511)
- CVE-2020-2781: Improve TLS session handling (bsc#1169511)
- CVE-2020-2800: Better Headings for HTTP Servers (bsc#1169511)
- CVE-2020-2803: Enhance buffering of byte buffers (bsc#1169511)
- CVE-2020-2805: Enhance typing of methods (bsc#1169511)
- CVE-2020-2830: Better Scanner conversions (bsc#1169511)
ImportantSUSE bug 1160398SUSE bug 1169511CVE-2020-2754 at SUSECVE-2020-2754 at NVDCVE-2020-2755 at SUSECVE-2020-2755 at NVDCVE-2020-2756 at SUSECVE-2020-2756 at NVDCVE-2020-2757 at SUSECVE-2020-2757 at NVDCVE-2020-2773 at SUSECVE-2020-2773 at NVDCVE-2020-2781 at SUSECVE-2020-2781 at NVDCVE-2020-2800 at SUSECVE-2020-2800 at NVDCVE-2020-2803 at SUSECVE-2020-2803 at NVDCVE-2020-2805 at SUSECVE-2020-2805 at NVDCVE-2020-2830 at SUSECVE-2020-2830 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud Crowbar 8
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-10768: Fixed an issue with the prctl() function which could have allowed indirect branch speculation even after it has been disabled (bsc#1172783).
- CVE-2020-10767: Fixed an issue where the Indirect Branch Prediction Barrier (IBPB) would have been disabled when STIBP is unavailable or enhanced IBRS is available making the system vulnerable to spectre v2 (bsc#1172782).
- CVE-2020-10766: Fixed an issue with Linux scheduler which could have allowed an attacker to turn off the SSBD protection (bsc#1172781).
- xfs: Fix tail rounding in xfs_alloc_file_space() (bsc#1172049).
ImportantSUSE bug 1172049SUSE bug 1172781SUSE bug 1172782SUSE bug 1172783CVE-2020-10766 at SUSECVE-2020-10766 at NVDCVE-2020-10767 at SUSECVE-2020-10767 at NVDCVE-2020-10768 at SUSECVE-2020-10768 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for curl (Important)SUSE OpenStack Cloud Crowbar 8
This update for curl fixes the following issues:
- CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027).
ImportantSUSE bug 1173027CVE-2020-8177 at SUSECVE-2020-8177 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ceph (Important)SUSE OpenStack Cloud Crowbar 8
This is a version update for ceph to version 12.2.13:
Security issue fixed:
- CVE-2020-10753: Fixed an HTTP header injection via CORS ExposeHeader tag (bsc#1171921).
- Notable changes in this update for ceph:
* mgr: telemetry: backported and now available on SES5.5. Please
consider enabling via 'ceph telemetry on' (bsc#1171670)
* OSD heartbeat ping time: new health warning, options and admin
commands (bsc#1171960)
* 'osd_calc_pg_upmaps_max_stddev' ceph.conf parameter has been
removed; use 'upmap_max_deviation' instead (bsc#1171961)
* Default maximum concurrent bluestore rocksdb compaction threads
raised from 1 to 2 for improved ability to keep up with rgw
bucket index workloads (bsc#1171963)
- Bug fixes in this ceph update:
* mon: Error message displayed when mon_osd_max_split_count would be
exceeded is not as user-friendly as it could be (bsc#1126230)
* ceph_volume_client: remove ceph mds calls in favor of ceph fs
calls (bsc#1136082)
* rgw: crypt: permit RGW-AUTO/default with SSE-S3 headers
(bsc#1157607)
* mon/AuthMonitor: don't validate fs caps on authorize (bsc#1161096)
- Additional bug fixes:
* ceph-volume: strip _dmcrypt suffix in simple scan json output (bsc#1162553) ImportantSUSE bug 1126230SUSE bug 1136082SUSE bug 1157607SUSE bug 1161096SUSE bug 1162553SUSE bug 1171670SUSE bug 1171921SUSE bug 1171960SUSE bug 1171961SUSE bug 1171963CVE-2020-10753 at SUSECVE-2020-10753 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for tomcat (Important)SUSE OpenStack Cloud Crowbar 8
This update for tomcat fixes the following issues:
- CVE-2020-8022: Fixed a local root exploit due to improper permissions (bsc#1172405)
ImportantSUSE bug 1172405CVE-2020-8022 at SUSECVE-2020-8022 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python3-requests (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python3-requests provides the following fix:
python-requests was updated to 2.20.1.
Update to version 2.20.1:
* Fixed bug with unintended Authorization header stripping for
redirects using default ports (http/80, https/443).
Update to version 2.20.0:
* Bugfixes
+ Content-Type header parsing is now case-insensitive
(e.g. charset=utf8 v Charset=utf8).
+ Fixed exception leak where certain redirect urls would raise
uncaught urllib3 exceptions.
+ Requests removes Authorization header from requests redirected
from https to http on the same hostname. (CVE-2018-18074)
+ should_bypass_proxies now handles URIs without hostnames
(e.g. files).
Update to version 2.19.1:
* Fixed issue where status_codes.py’s init function failed trying
to append to a __doc__ value of None.
Update to version 2.19.0:
* Improvements
+ Warn about possible slowdown with cryptography version < 1.3.4
+ Check host in proxy URL, before forwarding request to adapter.
+ Maintain fragments properly across redirects. (RFC7231 7.1.2)
+ Removed use of cgi module to expedite library load time.
+ Added support for SHA-256 and SHA-512 digest auth algorithms.
+ Minor performance improvement to Request.content.
* Bugfixes
+ Parsing empty Link headers with parse_header_links() no longer
return one bogus entry.
+ Fixed issue where loading the default certificate bundle from
a zip archive would raise an IOError.
+ Fixed issue with unexpected ImportError on windows system
which do not support winreg module.
+ DNS resolution in proxy bypass no longer includes the username
and password in the request. This also fixes the issue of DNS
queries failing on macOS.
+ Properly normalize adapter prefixes for url comparison.
+ Passing None as a file pointer to the files param no longer
raises an exception.
+ Calling copy on a RequestsCookieJar will now preserve the
cookie policy correctly.
Update to version 2.18.4:
* Improvements
+ Error messages for invalid headers now include the header name
for easier debugging
Update to version 2.18.3:
* Improvements
+ Running $ python -m requests.help now includes the installed
version of idna.
* Bugfixes
+ Fixed issue where Requests would raise ConnectionError instead
of SSLError when encountering SSL problems when using urllib3
v1.22.
- Add ca-certificates (and ca-certificates-mozilla) to dependencies, otherwise https
connections will fail.
ModerateSUSE bug 1054413SUSE bug 1073879SUSE bug 1111622SUSE bug 1122668SUSE bug 761500SUSE bug 922448SUSE bug 929736SUSE bug 935252SUSE bug 945455SUSE bug 947357SUSE bug 961596SUSE bug 967128CVE-2015-2296 at SUSECVE-2015-2296 at NVDCVE-2018-18074 at SUSECVE-2018-18074 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for mutt (Important)SUSE OpenStack Cloud Crowbar 8
This update for mutt fixes the following issues:
- CVE-2020-14954: Fixed a response injection due to a STARTTLS buffering issue which was
affecting IMAP, SMTP, and POP3 (bsc#1173197).
- CVE-2020-14093: Fixed a potential IMAP Man-in-the-Middle attack via a PREAUTH response (bsc#1172906, bsc#1172935).
- CVE-2020-14154: Fixed an issue where Mutt was ignoring an expired certificate and was
proceeding with a connection (bsc#1172906, bsc#1172935).
ImportantSUSE bug 1172906SUSE bug 1172935SUSE bug 1173197CVE-2020-14093 at SUSECVE-2020-14093 at NVDCVE-2020-14154 at SUSECVE-2020-14154 at NVDCVE-2020-14954 at SUSECVE-2020-14954 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for squid (Important)SUSE OpenStack Cloud Crowbar 8
This update for squid fixes the following issues:
- CVE-2020-14059: Fixed an issue where a client could potentially deny the service of a server
during TLS Handshake (bsc#1173304).
- CVE-2019-18860: Fixed handling of invalid domain names in cachemgr.cgi (bsc#1167373).
ImportantSUSE bug 1167373SUSE bug 1173304CVE-2019-18860 at SUSECVE-2019-18860 at NVDCVE-2020-14059 at SUSECVE-2020-14059 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ntp (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for ntp fixes the following issues:
ntp was updated to 4.2.8p15
- CVE-2020-11868: Fixed an issue which a server mode packet with spoofed source address
frequently send to the client ntpd could have caused denial of service (bsc#1169740).
- CVE-2018-8956: Fixed an issue which could have allowed remote attackers to prevent
a broadcast client from synchronizing its clock with a broadcast NTP server via spoofed
mode 3 and mode 5 packets (bsc#1171355).
- CVE-2020-13817: Fixed an issue which an off-path attacker with the ability to query time
from victim's ntpd instance could have modified the victim's clock by a limited amount (bsc#1172651).
- CVE-2020-15025: Fixed an issue which remote attacker could have caused denial of service by consuming
the memory when a CMAC key was used andassociated with a CMAC algorithm in the ntp.keys (bsc#1173334).
ModerateSUSE bug 1169740SUSE bug 1171355SUSE bug 1172651SUSE bug 1173334CVE-2018-8956 at SUSECVE-2018-8956 at NVDCVE-2020-11868 at SUSECVE-2020-11868 at NVDCVE-2020-13817 at SUSECVE-2020-13817 at NVDCVE-2020-15025 at SUSECVE-2020-15025 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for mozilla-nspr, mozilla-nss (Important)SUSE OpenStack Cloud Crowbar 8
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to version 3.53.1
- CVE-2020-12402: Fixed a potential side channel attack during RSA key generation (bsc#1173032).
- CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978).
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- Fixed various FIPS issues in libfreebl3 which were causing segfaults in the test suite of chrony (bsc#1168669).
- Fixed an issue where Firefox tab was crashing (bsc#1170908).
Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes
mozilla-nspr to version 4.25
ImportantSUSE bug 1159819SUSE bug 1168669SUSE bug 1169746SUSE bug 1170908SUSE bug 1171978SUSE bug 1173022CVE-2019-17006 at SUSECVE-2019-17006 at NVDCVE-2020-12399 at SUSECVE-2020-12399 at NVDCVE-2020-12402 at SUSECVE-2020-12402 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openldap2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for openldap2 fixes the following issues:
- CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).
- Changed DB_CONFIG to root:ldap permissions (bsc#1172704).
- Fixed an issue where slapd becomes unresponsive after many failed login/bind attempts(bsc#1170715).
ImportantSUSE bug 1170715SUSE bug 1172698SUSE bug 1172704CVE-2020-8023 at SUSECVE-2020-8023 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for xen (Important)SUSE OpenStack Cloud Crowbar 8
This update for xen fixes the following issues:
- CVE-2020-15563: Fixed inverted code paths in x86 dirty VRAM tracking (bsc#1173377).
- CVE-2020-15565: Fixed insufficient cache write-back under VT-d (bsc#1173378).
- CVE-2020-15567: Fixed non-atomic modification of live EPT PTE (bsc#1173380).
ImportantSUSE bug 1173377SUSE bug 1173378SUSE bug 1173380CVE-2020-15563 at SUSECVE-2020-15563 at NVDCVE-2020-15565 at SUSECVE-2020-15565 at NVDCVE-2020-15567 at SUSECVE-2020-15567 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox to version 78.0.1 ESR fixes the following issues:
Security issues fixed:
- CVE-2020-12415: AppCache manifest poisoning due to url encoded character processing (bsc#1173576).
- CVE-2020-12416: Use-after-free in WebRTC VideoBroadcaster (bsc#1173576).
- CVE-2020-12417: Memory corruption due to missing sign-extension for ValueTags on ARM64 (bsc#1173576).
- CVE-2020-12418: Information disclosure due to manipulated URL object (bsc#1173576).
- CVE-2020-12419: Use-after-free in nsGlobalWindowInner (bsc#1173576).
- CVE-2020-12420: Use-After-Free when trying to connect to a STUN server (bsc#1173576).
- CVE-2020-12402: RSA Key Generation vulnerable to side-channel attack (bsc#1173576).
- CVE-2020-12421: Add-On updates did not respect the same certificate trust rules as software updates (bsc#1173576).
- CVE-2020-12422: Integer overflow in nsJPEGEncoder::emptyOutputBuffer (bsc#1173576).
- CVE-2020-12423: DLL Hijacking due to searching %PATH% for a library (bsc#1173576).
- CVE-2020-12424: WebRTC permission prompt could have been bypassed by a compromised content process (bsc#1173576).
- CVE-2020-12425: Out of bound read in Date.parse() (bsc#1173576).
- CVE-2020-12426: Memory safety bugs fixed in Firefox 78 (bsc#1173576).
- FIPS: MozillaFirefox: allow /proc/sys/crypto/fips_enabled (bsc#1167231).
Non-security issues fixed:
- Fixed interaction with freetype6 (bsc#1173613).
ImportantSUSE bug 1167231SUSE bug 1173576SUSE bug 1173613CVE-2020-12402 at SUSECVE-2020-12402 at NVDCVE-2020-12415 at SUSECVE-2020-12415 at NVDCVE-2020-12416 at SUSECVE-2020-12416 at NVDCVE-2020-12417 at SUSECVE-2020-12417 at NVDCVE-2020-12418 at SUSECVE-2020-12418 at NVDCVE-2020-12419 at SUSECVE-2020-12419 at NVDCVE-2020-12420 at SUSECVE-2020-12420 at NVDCVE-2020-12421 at SUSECVE-2020-12421 at NVDCVE-2020-12422 at SUSECVE-2020-12422 at NVDCVE-2020-12423 at SUSECVE-2020-12423 at NVDCVE-2020-12424 at SUSECVE-2020-12424 at NVDCVE-2020-12425 at SUSECVE-2020-12425 at NVDCVE-2020-12426 at SUSECVE-2020-12426 at NVDCVE-2020-6813 at SUSECVE-2020-6813 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ansible, ansible1, ardana-ansible, ardana-cluster, ardana-freezer, ardana-input-model, ardana-logging, ardana-mq, ardana-neutron, ardana-octavia, ardana-osconfig, caasp-openstack-heat-templates, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, kibana, openstack-dashboard, openstack-dashboard-theme-HPE, openstack-heat-templates, openstack-keystone, openstack-monasca-agent, openstack-monasca-installer, openstack-neutron, openstack-octavia-amphora-image, python-Django, python-Flask, python-GitPython, python-Pillow, python-amqp, python-apicapi, python-keystoneauth1, python-oslo.messaging, python-psutil, python-pyroute2, python-pysaml2, python-tooz, python-waitress, storm (Important)SUSE OpenStack Cloud Crowbar 8
This update for ansible, ansible1, ardana-ansible, ardana-cluster, ardana-freezer, ardana-input-model, ardana-logging, ardana-mq, ardana-neutron, ardana-octavia, ardana-osconfig, caasp-openstack-heat-templates, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, kibana, openstack-dashboard, openstack-dashboard-theme-HPE, openstack-heat-templates, openstack-keystone, openstack-monasca-agent, openstack-monasca-installer, openstack-neutron, openstack-octavia-amphora-image, python-Django, python-Flask, python-GitPython, python-Pillow, python-amqp, python-apicapi, python-keystoneauth1, python-oslo.messaging, python-psutil, python-pyroute2, python-pysaml2, python-tooz, python-waitress, storm contains the following fixes:
The update fixes several security issues:
ansible
- CVE-2019-3828: Fixed a path traversal in the fetch module (bsc#1126503).
grafana
- CVE-2020-13379: Fixed an incorrect access control issue which could lead to information
leaks or denial of service (bsc#1172409).
- CVE-2020-12052: Fixed an cross site scripting vulnerability related to the annotation
popup (bsc#1170657).
kibana
- CVE-2020-10743: Fixed a clickjacking vulnerability (bsc#1171909).
python-Django
- CVE-2020-13254: Fixed a data leakage via malformed memcached keys. (bsc#1172167)
- CVE-2020-13596: Fixed a cross site scripting vulnerability related to the admin
parameters of the ForeignKeyRawIdWidget. (bsc#1172166)
python-Flask
- CVE-2019-1010083: Fixed a denial of service via crafted encoded JSON. (bsc#1141968)
python-Pillow
- CVE-2019-16865: Fixed a denial of service with specially crafted
image files. (bsc#1153191)
- CVE-2020-5312: Fixed a buffer overflow in the PCX P mode. (bsc#1160152)
- CVE-2020-5313: Fixed a buffer overflow related to FLI. (bsc#1160153)
- CVE-2019-19911: Fixed a denial of service in FpxImagePlugin.py. (bsc#1160192)
python-psutil
- CVE-2019-18874: Fixed a double free caused by refcount mishandling. (bsc#1156525)
python-pysaml2
- CVE-2020-5390: Fixed an issue with the verification of signatures in SAML documents.
(bsc#1160851)
- CVE-2017-1000246: Fixed an issue with weak encryption data, caused by initialization
vector reuse. (bsc#1068612)
python-waitress (to version 1.4.3)
- CVE-2019-16785: Fixed HTTP request smuggling through LF vs CRLF handling. (bsc#1161088)
- CVE-2019-16786: Fixed HTTP request smuggling through invalid Transfer-Encoding.
(bsc#1161089)
- CVE-2019-16789: Fixed HTTP Request Smuggling through Invalid whitespace characters.
(bsc#1160790)
- CVE-2019-16792: Fixed HTTP Request Smuggling through Content-Length header handling.
(bsc#1161670)
rubygem-activeresource
- CVE-2020-8151: Fixed information disclosure issue via specially crafted requests.
(bsc#1171560)
rubygem-json-1_7
- CVE-2020-10663: Fixed an unsafe object creation vulnerability. (bsc#1167244)
rubygem-puma
- CVE-2020-11077: Fixed a HTTP smuggling issue related to proxy usage. (bsc#1172175)
- CVE-2020-11076: Fixed a HTTP smuggling issue when using an invalid transfer-encoding
header. (bsc#1172176)
Other non-security fixes in in the update below:
Changes in ansible:
- Add 0001-Disallow-use-of-remote-home-directories-containing-..patch
(bsc#1126503, CVE-2019-3828)
Changes in ansible1:
- Add 0001-Disallow-use-of-remote-home-directories-containing-..patch
(bsc#1126503, CVE-2019-3828)
Changes in ardana-ansible:
- Update to version 8.0+git.1589740980.6c3bcdc:
* Reconfigure rabbitmq user permissions on update (SOC-11082)
- Update to version 8.0+git.1588953487.9bfd5cb:
* Fix incorrect prefix used to collect supportconfig files (bsc#1171273)
- Update to version 8.0+git.1585690828.81d8f45:
* Cleanup keystone-ansible (bsc#1108719)
Changes in ardana-cluster:
- Update to version 8.0+git.1585685203.3e71e49:
* Use bool filter to ensure valid boolean evaluation (SOC-11192)
Changes in ardana-freezer:
- Update to version 8.0+git.1586539529.b7d295f:
* Recovering Cloud8 using Freezer or SSH backups if upgrade fails (SOC-10137)
Changes in ardana-input-model:
- Update to version 8.0+git.1589740934.0e0ad61:
* Add default rabbitmq exchange write permissions (SOC-11082)
- Update to version 8.0+git.1586174594.2b92ec3:
* add port neutron security extension to CI models (SOC-11027)
Changes in ardana-logging:
- Update to version 8.0+git.1591194866.b7375d0:
* kibana: set x-frame-options header (bsc#1171909)
- Update to version 8.0+git.1586179244.ae61f62:
* Fix YAMLLoadWarning: calling yaml.load() without Loader (bsc#1168593)
Changes in ardana-mq:
- Update to version 8.0+git.1589715269.62ad6df:
* Don't mirror reply queues (SOC-10317)
- Update to version 8.0+git.1586784724.586343d:
* Actually fail if sync HA queues retries exceeded (SOC-11083)
Changes in ardana-neutron:
- Update to version 8.0+git.1590756744.ba84abc:
* Update L3 rootwrap filters (SOC-11306)
- Update to version 8.0+git.1587737509.4e09de3:
* Add network.target 'After' option (bsc#1169770)
- Update to version 8.0+git.1586546152.e7bc07f:
* Add neutron-common role dependencies (SOC-10875)
- Update to version 8.0+git.1586543712.62bb5a3:
* Fix neutron-ovsvapp-agent status (SOC-10637)
- Update to version 8.0+git.1586535447.55769df:
* Improve neutron service restart limit handling (SOC-8746)
- Update to version 8.0+git.1586519528.a28db53:
* Correctly setup ardana_notify_... fact (SOC-10902)
Changes in ardana-octavia:
- Update to version 8.0+git.1590100427.cf4cc8f:
* fix octavia to glance communication over internal endpoint (SOC-11294)
Changes in ardana-osconfig:
- Update to version 8.0+git.1587034587.eac37b8:
* Include SLE 12 SP3 LTSS repos in list of managed repos (SOC-11223)
Changes in caasp-openstack-heat-templates:
- Switch github URL from git@ to git:// to bypass authentication
Changes in crowbar-core:
- Update to version 5.0+git.1593156248.55bbdb26d:
* Ignore CVE-8184 (SOC-11299)
* Ignore latest ruby-related CVEs in the CI (SOC-11299)
- Update to version 5.0+git.1589804984.44a89be24:
* provisioner: Fix ssh key validation (SOC-11126)
* assign host to hostless keys (noref)
Changes in crowbar-openstack:
- Update to version 5.0+git.1593085772.64c4ab43c:
* monasca: Prevent deploying monasca-server to the node in pacemaker cluster (SOC-6354)
- Update to version 5.0+git.1591171674.1f299cd1c:
* Restore undeprecated nova dhcp_domain option (bsc#1171594)
- Update to version 5.0+git.1591104265.683d76534:
* [5.0] Fix availability zone script (bsc#1171661)
- Update to version 5.0+git.1590398068.f5cfacc12:
* nova: only create nonexistent cell1
- Update to version 5.0+git.1590150829.e86326d03:
* [5.0] Tempest: enable test_volume_boot_pattern test (SOC-10874)
- Update to version 5.0+git.1589814633.23fde86ab:
* rabbitmq: sync startup definitions.json with recipe (SOC-11077,SOC-11274)
- Update to version 5.0+git.1589647291.73c7f1cb6:
* [5.0] trove: fix rabbitmq connection URL (SOC-11286)
- Update to version 5.0+git.1589214669.8332efff3:
* Fix monasca libvirt ping checks (bsc#1107190)
- Update to version 5.0+git.1588271874.90adebc7a:
* run keystone_register on cluster founder only when HA (SOC-11248)
* nova: run keystone_register on cluster founder only (SOC-11243)
- Update to version 5.0+git.1588059034.3823515b7:
* tempest: retry openstack commands (SOC-11238)
- Update to version 5.0+git.1587403360.c43cd9905:
* tempest: disable block migration when using RBD (SOC-11176)
- Update to version 5.0+git.1586293860.901cb0f55:
* monasca: disable postgres backend monitoring by default (SOC-11190)
- Update to version 5.0+git.1585659861.c29fac257:
* magnum: Populate SSL configuration (SOC-9849)
* magnum: Add SSL support (SOC-9849)
* nova: Populate cinder SES settings early (SOC-11179)
Changes in documentation-suse-openstack-cloud:
- Update to version 8.20200527:
* Update Travis config: new container name (noref)
- Update to version 8.20200417:
* Recovering Cloud8 using Freezer or SSH backups if upgrade fails (SOC-10137)
- Update to version 8.20200326:
* Clarify wipe_disks does not affect non-OS partitions (bsc#1092420)
Changes in grafana:
- Add CVE-2020-13379.patch
* Security: fix unauthorized avatar proxying (bsc#1172409, CVE-2020-13379)
- Refresh systemd-notification.patch
- Fix declaration for LICENSE
- Add 0002-CVE-2020-12052-bsc1170657-XSS-annotation-popup-vulnerability.patch
* Security: Fix annotation popup XSS vulnerability
(bsc#1170657)
- Add CVE-2019-15043.patch (SOC-10357, CVE-2019-15043, bsc#11483483)
Changes in kibana:
- Add 0001-Configurable-custom-response-headers-for-server.patch
(bsc#1171909, CVE-2020-10743)
Changes in openstack-dashboard:
- Update to version horizon-12.0.5.dev3:
* Fix typo in publicize\_image policy name
Changes in openstack-dashboard-theme-HPE:
- Switch github URL from git@ to https:// to bypass authentication
Changes in openstack-heat-templates:
- Update to version 0.0.0+git.1582270132.8a20477:
* Drop use of git.openstack.org
* Add sample templates for Blazar
Changes in openstack-keystone:
- Update to version keystone-12.0.4.dev11:
* Fix security issues with EC2 credentials
- Update to version keystone-12.0.4.dev10:
* Check timestamp of signed EC2 token request
* Ensure OAuth1 authorized roles are respected
- Update to version keystone-12.0.4.dev6:
* Remove neutron-grenade job
Changes in openstack-keystone:
- Update to version keystone-12.0.4.dev11:
* Fix security issues with EC2 credentials
- Update to version keystone-12.0.4.dev10:
* Check timestamp of signed EC2 token request
* Ensure OAuth1 authorized roles are respected
- Update to version keystone-12.0.4.dev6:
* Remove neutron-grenade job
Changes in openstack-monasca-agent:
- update to version 2.2.6~dev4
- Add debug output for libvirt ping checks
- Lockdown /bin/ip permissions for the monasca-agent (bsc#1107190)
- add addtional arguments to /bin/ip in sudoers
- Fix missing sudo privleges (bsc#1107190)
- add /bin/ip and /usr/bin/ovs-vsctl to monasca-agent sudoers
- removed 0001-Avoid-overwriting-sys.path-ip-command.patch
- update to version 2.2.6~dev3
- Do not copy /sbin/ip to /usr/bin/monasa-agent-ip
- update to version 2.2.6~dev2
- Remove incorrect assignment of ping_cmd to 'True'
- update to version 2.2.6~dev1
- Update hacking version to 1.1.x
Changes in openstack-monasca-installer:
- Add 0001-kibana:-set-x-frame-options-header.patch (bsc#1171909,
CVE-2020-10743)
Changes in openstack-neutron:
- Update to version neutron-11.0.9.dev65:
* Revert iptables TCP checksum-fill code
- Update to version neutron-11.0.9.dev64:
* [Pike-only]: make grenade jobs non-voting
Changes in openstack-neutron:
- Update to version neutron-11.0.9.dev65:
* Revert iptables TCP checksum-fill code
- Update to version neutron-11.0.9.dev64:
* [Pike-only]: make grenade jobs non-voting
Changes in openstack-octavia-amphora-image:
- Update image to 0.1.4 to include latest changes
Changes in python-Django:
- Security fixes (bsc#1172167, bsc#1172166, CVE-2020-13254, CVE-2020-13596)
* Added patch CVE-2020-13254-1.8.19.patch
* Added patch CVE-2020-13596-1.8.19.patch
Changes in python-Flask:
- Apply patch to resolve CVE-2019-1010083 (bsc#1141968)
- 0001-detect-UTF-encodings-when-loading-json.patch
Changes in python-GitPython:
- Require git-core instead of git
Changes in python-Pillow:
- Remove decompression_bomb.gif and relevant test case to avoid
ClamAV scan alerts during build
- Add 001-Corrected-negative-seeks.patch
* From upstream, backported
* Fixes part of CVE-2019-16865, bsc#1153191
- Add 002-Added-DecompressionBombError.patch
* From upstream, backported
* Adds DecompressionBombError class
* Used by 003-Added-decompression-bomb-checks.patch
- Add 003-Added-decompression-bomb-checks.patch
* From upstream, backported
* Fixes part of CVE-2019-16865, bsc#1153191
- Add 004-Raise-error-if-dimension-is-a-string.patch
* From upstream, backported
* Fixes part of CVE-2019-16865, bsc#1153191
- Add 005-Catch-buffer-overruns.patch
* From upstream, backported
* Fixes part of CVE-2019-16865, bsc#1153191
- Add 006-Catch-PCX-P-mode-buffer-overrun.patch
* From upstream, backported
* Fixes CVE-2020-5312, bsc#1160152
- Add 007-Test-animated-FLI-file.patch
* From upstream, backported
* Adds test animated FLI file
* Used by 008-Ensure-previous-FLI-frame-is-loaded.patch
- Add 008-Ensure-previous-FLI-frame-is-loaded.patch
* From upstream, backported
* Fixes https://github.com/python-pillow/Pillow/issues/2649
* Uncovers CVE-2020-5313, bsc#1160153
- Add 009-Catch-FLI-buffer-overrun.patch
* From upstream, backported
* Fixes CVE-2020-5313, bsc#1160153
- Add 010-Invalid-number-of-bands-in-FPX-image.patch
* From upstream, backported
* Fixes CVE-2019-19911, bsc#1160192
Changes in python-amqp:
- Add python-devel as build dependecy
* Required when building against python 2.7.17
Changes in python-apicapi:
- Add python-devel as build dependecy
* Required when building against python 2.7.17
Changes in python-keystoneauth1:
- switch to tracking stable/pike tarball
- disable renderspec
- update to version 3.1.2.dev2
- Make tests pass in 2020
- OpenDev Migration Patch
- import zuul job settings from project-config into stable/pike
- Remove tox_install.sh
- import zuul job settings from project-config
- Update UPPER_CONSTRAINTS_FILE for stable/pike into stable/pike
- Update .gitreview for stable/pike into stable/pike
- Updated from global requirements
- Update UPPER_CONSTRAINTS_FILE for stable/pike
- Update .gitreview for stable/pike
Changes in python-oslo.messaging:
- added 0001-Use-default-exchange-for-direct-messaging.patch
(SOC-11082, SOC-11274, bsc#1159046)
- Add 0001-Retry-to-declare-a-queue-after-internal-error.patch (bsc#1123872)
After receiving 'AMQP internal error 541', retry to create the queue after a delay.
Changes in python-psutil:
- Add bsc1156525-CVE-2019-18874.patch (bsc#1156525, CVE-2019-18874))
Changes in python-pyroute2:
- netns: fix NetNS resource leakage (#504) (bsc#1164322)
Changes in python-pysaml2:
- Add 0001-Always-generate-a-random-IV-for-AES-operations.patch
(CVE-2017-1000246, bsc#1068612)
- Add 0001-Fix-XML-Signature-Wrapping-XSW-vulnerabilities.patch
(CVE-2020-5390, bsc#1160851)
Changes in python-tooz:
- update to version 1.58.1
- Update .gitreview for stable/pike
- import zuul job settings from project-config
- Add doc/requirements.txt
- Fix sphinx-docs job for stable branch
Changes in python-waitress:
- update to 1.4.3 to include fixes for:
* CVE-2019-16785 / bsc#1161088
* CVE-2019-16786 / bsc#1161089
* CVE-2019-16789 / bsc#1160790
* CVE-2019-16792 / bsc#1161670
- make sure UTF8 locale is used when runnning tests
* Sometimes functional tests executed in python3 failed if stdout was not
set to UTF-8. The error message was:
ValueError: underlying buffer has been detached
- %python3_only -> %python_alternative
- update to 1.4.3
* Waitress did not properly validate that the HTTP headers it received
were properly formed, thereby potentially allowing a front-end server
to treat a request different from Waitress. This could lead to HTTP
request smuggling/splitting.
- drop patch local-intersphinx-inventories.patch
* it was commented out, anyway
- update to 1.4.0:
- Waitress used to slam the door shut on HTTP pipelined requests without
setting the ``Connection: close`` header as appropriate in the response. This
is of course not very friendly. Waitress now explicitly sets the header when
responding with an internally generated error such as 400 Bad Request or 500
Internal Server Error to notify the remote client that it will be closing the
connection after the response is sent.
- Waitress no longer allows any spaces to exist between the header field-name
and the colon. While waitress did not strip the space and thereby was not
vulnerable to any potential header field-name confusion, it should have sent
back a 400 Bad Request. See https://github.com/Pylons/waitress/issues/273
- CRLR handling Security fixes
- update to 1.3.1
* Waitress won’t accidentally throw away part of the path if it
starts with a double slash
- version update to 1.3.0
Deprecations
~~~~~~~~~~~~
- The ``send_bytes`` adjustment now defaults to ``1`` and is deprecated
pending removal in a future release.
and https://github.com/Pylons/waitress/pull/246
Features
~~~~~~~~
- Add a new ``outbuf_high_watermark`` adjustment which is used to apply
backpressure on the ``app_iter`` to avoid letting it spin faster than data
can be written to the socket. This stabilizes responses that iterate quickly
with a lot of data.
See https://github.com/Pylons/waitress/pull/242
- Stop early and close the ``app_iter`` when attempting to write to a closed
socket due to a client disconnect. This should notify a long-lived streaming
response when a client hangs up.
See https://github.com/Pylons/waitress/pull/238
and https://github.com/Pylons/waitress/pull/240
and https://github.com/Pylons/waitress/pull/241
- Adjust the flush to output ``SO_SNDBUF`` bytes instead of whatever was
set in the ``send_bytes`` adjustment. ``send_bytes`` now only controls how
much waitress will buffer internally before flushing to the kernel, whereas
previously it used to also throttle how much data was sent to the kernel.
This change enables a streaming ``app_iter`` containing small chunks to
still be flushed efficiently.
See https://github.com/Pylons/waitress/pull/246
Bugfixes
~~~~~~~~
- Upon receiving a request that does not include HTTP/1.0 or HTTP/1.1 we will
no longer set the version to the string value 'None'. See
https://github.com/Pylons/waitress/pull/252 and
https://github.com/Pylons/waitress/issues/110
- When a client closes a socket unexpectedly there was potential for memory
leaks in which data was written to the buffers after they were closed,
causing them to reopen.
See https://github.com/Pylons/waitress/pull/239
- Fix the queue depth warnings to only show when all threads are busy.
See https://github.com/Pylons/waitress/pull/243
and https://github.com/Pylons/waitress/pull/247
- Trigger the ``app_iter`` to close as part of shutdown. This will only be
noticeable for users of the internal server api. In more typical operations
the server will die before benefiting from these changes.
See https://github.com/Pylons/waitress/pull/245
- Fix a bug in which a streaming ``app_iter`` may never cleanup data that has
already been sent. This would cause buffers in waitress to grow without
bounds. These buffers now properly rotate and release their data.
See https://github.com/Pylons/waitress/pull/242
- Fix a bug in which non-seekable subclasses of ``io.IOBase`` would trigger
an exception when passed to the ``wsgi.file_wrapper`` callback.
See https://github.com/Pylons/waitress/pull/249
- Trim marketing wording and other platform mentions.
- Add fetch-intersphinx-inventories.sh to sources
- Add local-intersphinx-inventories.patch for generating the docs
correctly
- update to version 1.2.1:
too many changes to list here, see:
https://github.com/Pylons/waitress/blob/master/CHANGES.txt
or even:
https://github.com/Pylons/waitress/commits/master
- Remove superfluous devel dependency for noarch package
- update to version 1.1.0:
* Features
+ Waitress now has a __main__ and thus may be called with 'python
-mwaitress'
* Bugfixes
+ Waitress no longer allows lowercase HTTP verbs. This change was
made to fall in line with most HTTP servers. See
https://github.com/Pylons/waitress/pull/170
+ When receiving non-ascii bytes in the request URL, waitress will
no longer abruptly close the connection, instead returning a 400
Bad Request. See https://github.com/Pylons/waitress/pull/162 and
https://github.com/Pylons/waitress/issues/64
- Update to 1.0.2
* Python 3.6 is now officially supported in Waitress
* Add a work-around for libc issue on Linux not following the
documented standards. If getnameinfo() fails because of DNS not
being available it should return the IP address instead of the
reverse DNS entry, however instead getnameinfo() raises. We
catch this, and ask getnameinfo() for the same information
again, explicitly asking for IP address instead of reverse
DNS hostname.
- Implement single-spec version.
- Fix source URL.
- update to 1.0.1:
- IPv6 support on Windows was broken due to missing constants in the socket
module. This has been resolved by setting the constants on Windows if they
are missing. See https://github.com/Pylons/waitress/issues/138
- A ValueError was raised on Windows when passing a string for the port, on
Windows in Python 2 using service names instead of port numbers doesn't work
with `getaddrinfo`. This has been resolved by attempting to convert the port
number to an integer, if that fails a ValueError will be raised. See
https://github.com/Pylons/waitress/issues/139
- Removed `AI_ADDRCONFIG` from the call to `getaddrinfo`, this resolves an
issue whereby `getaddrinfo` wouldn't return any addresses to `bind` to on
hosts where there is no internet connection but localhost is requested to be
bound to. See https://github.com/Pylons/waitress/issues/131 for more
information.
- disable tests. need network access.
Changes in storm:
- update to 1.1.3:
* 1.1.3:
* [STORM-3026] - Upgrade ZK instance for security
* [STORM-3027] - Make Impersonation Optional
* [STORM-3011] - Use default bin path in flight.bash if $JAVA_HOME is undefined
* [STORM-3039] - Ports of killed topologies remain in TIME_WAIT state preventing to start new topology
* [STORM-2911] - SpoutConfig is serializable but does not declare a serialVersionUID field
* [STORM-2978] - The fix for STORM-2706 is broken, and adds a transitive dependency on Zookeeper 3.5.3-beta for projects that depend on e.g. storm-kafka
* [STORM-2979] - WorkerHooks EOFException during run_worker_shutdown_hooks
* [STORM-2981] - Upgrade Curator to lastest patch version
* [STORM-2985] - Add jackson-annotations to dependency management
* [STORM-2989] - LogCleaner should preserve current worker.log.metrics
* [STORM-2994] - KafkaSpout consumes messages but doesn't commit offsets
* [STORM-3043] - NullPointerException thrown in SimpleRecordTranslator.apply()
* [STORM-3052] - Let blobs un archive
* [STORM-3059] - KafkaSpout throws NPE when hitting a null tuple if the processing guarantee is not AT_LEAST_ONCE
* [STORM-2960] - Better to stress importance of setting up proper OS account for Storm processes
* [STORM-3060] - Configuration mapping between storm-kafka & storm-kafka-client
* [STORM-2952] - Deprecate storm-kafka in 1.x
* [STORM-3005] - [DRPC] LinearDRPCTopologyBuilder shouldn't be deprecated
* [STORM-2841] - testNoAcksIfFlushFails UT fails with NullPointerException
* 1.1.2:
* [STORM-2512] - Change KafkaSpoutConfig in storm-kafka-client to make it work with flux
* [STORM-2616] - Document the built in metrics (just in time to replace them???)
* [STORM-2657] - Update SECURITY.MD
* [STORM-2663] - Backport STORM-2558 and deprecate storm.cmd on 1.x-branch
* [STORM-2712] - accept arbitrary number of rows per tuple in storm-cassandra
* [STORM-2775] - Improve KafkaPartition Metric Names
* [STORM-2807] - Integration test should shut down topologies immediately after the test
* [STORM-2862] - More flexible logging in multilang (Python, Ruby, JS)
* [STORM-2877] - Introduce an option to configure pagination in Storm UI
* [STORM-2917] - Check the config(nimbus.host) before using it to connect
* [STORM-2231] - NULL in DisruptorQueue while multi-threaded ack
* [STORM-2426] - First tuples fail after worker is respawn
* [STORM-2500] - waitUntilReady in PacemakerClient cannot be invoked
* [STORM-2525] - Fix flaky integration tests
* [STORM-2535] - test-reset-timeout is flaky. Replace with a more reliable test.
* [STORM-2541] - Manual partition assignment doesn't work
* [STORM-2607] - [kafka-client] Consumer group every time with lag 1
* [STORM-2642] - Storm-kafka-client spout cannot be serialized when using manual partition assignment
* [STORM-2660] - The Nimbus storm-local directory is relative to the working directory of the shell executing 'storm nimbus'
* [STORM-2666] - Storm-kafka-client spout can sometimes emit messages that were already committed.
* [STORM-2674] - NoNodeException when ZooKeeper tries to delete nodes
* [STORM-2677] - consider all sampled tuples which took greater than 0 ms processing time
* [STORM-2682] - Supervisor crashes with NullPointerException
* [STORM-2690] - resurrect invocation of ISupervisor.assigned() & make Supervisor.launchDaemon() accessible
* [STORM-2695] - BlobStore uncompress argument should be Boolean
* [STORM-2705] - DRPCSpout sleeps twice when idle
* [STORM-2706] - Nimbus stuck in exception and does not fail fast
* [STORM-2724] - ExecutorService in WaterMarkEventGenerator never shutdown
* [STORM-2736] - o.a.s.b.BlobStoreUtils [ERROR] Could not update the blob with key
* [STORM-2750] - fix double_checked locking
* [STORM-2751] - Remove AsyncLoggingContext from Supervisor
* [STORM-2764] - HDFSBlobStore leaks file system objects
* [STORM-2769] - Fast-fail if output stream Id is null
* [STORM-2771] - Some tests are being run twice
* [STORM-2779] - NPE on shutting down WindowedBoltExecutor
* [STORM-2786] - Ackers leak tracking info on failure and lots of other cases.
* [STORM-2810] - Storm-hdfs tests are leaking resources
* [STORM-2811] - Nimbus may throw NPE if the same topology is killed multiple times, and the integration test kills the same topology multiple times
* [STORM-2814] - Logviewer HTTP server should return 403 instead of 200 if the user is unauthorized
* [STORM-2815] - UI HTTP server should return 403 if the user is unauthorized
* [STORM-2833] - Cached Netty Connections can have different keys for the same thing.
* [STORM-2853] - Deactivated topologies cause high cpu utilization
* [STORM-2855] - Travis build doesn't work after update of Ubuntu image
* [STORM-2856] - Make Storm build work on post 2017Q4 Travis Trusty image
* [STORM-2868] - Address handling activate/deactivate in multilang module files
* [STORM-2870] - FileBasedEventLogger leaks non-daemon ExecutorService which prevents process to be finished
* [STORM-2876] - Some storm-hdfs tests fail with out of memory periodically
* [STORM-2879] - Supervisor collapse continuously when there is a expired assignment for overdue storm
* [STORM-2892] - Flux test fails to parse valid PATH environment variable
* [STORM-2894] - fix some random typos in tests
* [STORM-2912] - Tick tuple is being shared without resetting start time and incur side-effect to break metrics
* [STORM-2918] - Upgrade Netty version
* [STORM-2942] - Remove javadoc and source jars from toollib directory in binary distribution
* [STORM-2874] - Minor style improvements to backpressure code
* [STORM-2858] - Fix worker-launcher build
* 1.1.1:
* STORM-2659: Add daemon.name variable to storm.cmd to fix log4j logging
* STORM-2652: fix error in open method of JmsSpout
* STORM-2645: Update storm.py to be python3 compatible
* STORM-2621: add tuple_population metric
* STORM-2639: Kafka Spout incorrectly computes numCommittedOffsets due to voids in the topic (topic compaction)
* STORM-2544: Fixing issue in acking of tuples that hit retry limit under manual commit mode
* STORM-2618: Add TridentKafkaStateUpdater for storm-kafka-client
* STORM-2608: Remove any pending offsets that are no longer valid
* STORM-2503: Fix lgtm.com alerts on equality and comparison operations
* STORM-2478: Fix BlobStoreTest.testDeleteAfterFailedCreate on Windows
* STORM-2602: storm.zookeeper.topology.auth.payload doesn't work even you set it
* STORM-2597: Don't parse passed in class paths
* STORM-2564: We should provide a template for storm-cluster-auth.yaml
* STORM-2568: Fix getTopicsString
* STORM-2563: Remove the workaround to handle missing UGI.loginUserFromSubject
* STORM-2552: KafkaSpoutMessageId should be serializable
* STORM-2562: Use stronger key size than default for blow fish key generator and get rid of stack trace
* STORM-2557: A bug in DisruptorQueue causing severe underestimation of queue arrival rates
* STORM-2449: Ensure same key appears only once in State iterator
* STORM-2516: Fix timing issues with testPrepareLateTupleStreamWithoutBuilder
* STORM-2489: Overlap and data loss on WindowedBolt based on Duration
* STORM-2528: Bump log4j version to 2.8.2
* STORM-2527: Initialize java.sql.DriverManager earlier to avoid deadlock
* STORM-2413: Make new Kafka spout respect tuple retry limits
* STORM-2518: Handles empty name for 'USER type' ACL when normalizing ACLs
* STORM-2511: Submitting a topology with name containing unicode getting failed
* STORM-2496: Dependency artifacts should be uploaded to blobstore with READ permission for all
* STORM-2505: Spout to support topic compaction
* STORM-2498: Fix Download Full File link
* STORM-2343: New Kafka spout can stop emitting tuples if more than maxUncommittedOffsets tuples fail at once.
* STORM-2486: Prevent cd from printing target directory to avoid breaking classpath
* STORM-2488: The UI user Must be HTTP.
* STORM-2481: Upgrade Aether version to resolve Aether bug BUG-451566
* STORM-2435: Logging in storm.js inconsistent to console.log and does not support log levels
* STORM-2315: New kafka spout can't commit offset when ack is disabled
* STORM-2467: Use explicit charset when decoding from array backed buffer
* STORM-1114: Race condition in trident zookeeper zk-node create/delete
* STORM-2448: Add in Storm and JDK versions when submitting a topology
* STORM-2343: Fix new Kafka spout stopping processing if more than maxUncommittedOffsets tuples fail at once
* STORM-2431: the default blobstore.dir is storm.local.dir/blobs which is different from distcache-blobstore.md
* STORM-2429: Properly validate supervisor.scheduler.meta
* STORM-2451: windows storm.cmd does not set log4j2 config file correctly by default
* STORM-2450: Write resources into correct local director
* STORM-2440: Kill process if executor catches java.net.SocketTimeoutException
* STORM-2432: Storm-Kafka-Client Trident Spout Seeks Incorrect Offset With UNCOMMITTED_LATEST Strategy
* 1.1.0:
* STORM-2425: Storm Hive Bolt not closing open transactions
* STORM-2409: Storm-Kafka-Client KafkaSpout Support for Failed and NullTuples
* STORM-2423: Join Bolt should use explicit instead of default window anchoring for emitted tuples
* STORM-2416: Improve Release Packaging to Reduce File Size
* STORM-2414: Skip checking meta's ACL when subject has write privileges for any blobs
* STORM-2038: Disable symlinks with a config option
* STORM-2240: STORM PMML Bolt - Add Support to Load Models from Blob Store
* STORM-2412: Nimbus isLeader check while waiting for max replication
* STORM-2408: build failed if storm.kafka.client.version = 0.10.2.0
* STORM-2403: Fix KafkaBolt test failure: tick tuple should not be acked
* STORM-2361: Kafka spout - after leader change, it stops committing offsets to ZK
* STORM-2353: Replace kafka-unit by kafka_2.11 and kafka-clients to test kafka-clients:0.10.1.1
* STORM-2387: Handle tick tuples properly for Bolts in external modules
* STORM-2345: Type mismatch in ReadClusterState's ProfileAction processing Map
* STORM-2400: Upgraded Curator to 2.12.0 and made respective API changes
* STORM-2396: setting interrupted status back before throwing a RuntimeException
* STORM-1772: Adding Perf module with topologies for measuring performance
* STORM-2395: storm.cmd supervisor calls the wrong class name
* STORM-2391: Move HdfsSpoutTopology from storm-starter to storm-hdfs-examples
* STORM-2389: Avoid instantiating Event Logger when topology.eventlogger.executors=0
* STORM-2386: Fail-back Blob deletion also fails in BlobSynchronizer.syncBlobs.
* STORM-2388: JoinBolt breaks compilation against JDK 7
* STORM-2374: Storm Kafka Client Test Topologies Must be Serializable
* STORM-2372: Pacemaker client doesn't clean up heartbeats properly
* STORM-2326: Upgrade log4j and slf4j
* STORM-2334: Join Bolt implementation
* STORM-1363: TridentKafkaState should handle null values from TridentTupleToKafkaMapper.getMessageFromTuple()
* STORM-2365: Support for specifying output stream in event hubs spout
* STORM-2250: Kafka spout refactoring to increase modularity and testability
* STORM-2340: fix AutoCommitMode issue in KafkaSpout
* STORM-2344: Flux YAML File Viewer for Nimbus UI
* STORM-2350: Storm-HDFS's listFilesByModificationTime is broken
* STORM-2270 Kafka spout should consume from latest when ZK partition commit offset bigger than the latest offset
* STORM-1464: storm-hdfs support for multiple output files and partitioning
* STORM-2320: DRPC client printer class reusable for local and remote DRPC
* STORM-2281: Running Multiple Kafka Spouts (Trident) Throws Illegal State Exception
* STORM-2296: Kafka spout no dup on leader changes
* STORM-2244: Some shaded jars doesn't exclude dependency signature files
* STORM-2014: New Kafka spout duplicates checking if failed messages have reached max retries
* STORM-1443: [Storm SQL] Support customizing parallelism in StormSQL
* STORM-2148: [Storm SQL] Trident mode: back to code generate and compile Trident topology
* STORM-2331: Emitting from JavaScript should work when not anchoring.
* STORM-2225: change spout config to be simpler.
* STORM-2323: Precondition for Leader Nimbus should check all topology blobs and also corresponding dependencies
* STORM-2330: Fix storm sql code generation for UDAF with non standard sql types
* STORM-2298: Don't kill Nimbus when ClusterMetricsConsumer is failed to initialize
* STORM-2301: [storm-cassandra] upgrade cassandra driver to 3.1.2
* STORM-1446: Compile the Calcite logical plan to Storm Trident logical plan
* STORM-2303: [storm-opentsdb] Fix list invariant issue for JDK 7
* STORM-2236: storm kafka client should support manual partition management
* STORM-2295: KafkaSpoutStreamsNamedTopics should return output fields with predictable ordering
* STORM-2300: [Flux] support list of references
* STORM-2297: [storm-opentsdb] Support Flux for OpenTSDBBolt
* STORM-2294: Send activate and deactivate command to ShellSpout
* STORM-2280: Upgrade Calcite version to 1.11.0
* STORM-2278: Allow max number of disruptor queue flusher threads to be configurable
* STORM-2277: Add shaded jar for Druid connector
* STORM-2274: Support named output streams in Hdfs Spout
* STORM-2204: Adding caching capabilities in HBaseLookupBolt
* STORM-2267: Use user's local maven repo. directory to local repo.
* STORM-2254: Provide Socket time out for nimbus thrift client
* STORM-2200: [Storm SQL] Drop Aggregate & Join support on Trident mode
* STORM-2266: Close NimbusClient instances appropriately
* STORM-2203: Add a getAll method to KeyValueState interface
* STORM-1886: Extend KeyValueState iface with delete
* STORM-2022: update Fields test to match new behavior
* STORM-2020: Stop using sun internal classes
* STORM-1228: port fields_test to java
* STORM-2104: New Kafka spout crashes if partitions are reassigned while tuples are in-flight
* STORM-2257: Add built in support for sum function with different types.
* STORM-2082: add sql external module storm-sql-hdfs
* STORM-2256: storm-pmml breaks on java 1.7
* STORM-2223: PMML Bolt.
* STORM-2222: Repeated NPEs thrown in nimbus if rebalance fails
* STORM-2190: reduce contention between submission and scheduling
* STORM-2239: Handle InterruptException in new Kafka spout
* STORM-2087: Storm-kafka-client: Failed tuples are not always replayed
* STORM-2238: Add Timestamp extractor for windowed bolt
* STORM-2235: Introduce new option: 'add remote repositories' for dependency resolver
* STORM-2215: validate blobs are present before submitting
* STORM-2170: [Storm SQL] Add built-in socket datasource to runtime
* STORM-2226: Fix kafka spout offset lag ui for kerberized kafka
* STORM-2224: Exposed a method to override in computing the field from given tuple in FieldSelector
* STORM-2220: Added config support for each bolt in Cassandra bolts, fixed the bolts to be used also as sinks.
* STORM-2205: Racecondition in getting nimbus summaries while ZK connectionions are reconnected
* STORM-2182: Refactor Storm Kafka Examples Into Own Modules.
* STORM-1694: Kafka Spout Trident Implementation Using New Kafka Consumer API
* STORM-2173: [SQL] Support CSV as input / output format
* STORM-2177: [SQL] Support TSV as input / output format
* STORM-2172: [SQL] Support Avro as input / output format
* STORM-2185: Storm Supervisor doesn't delete directories properly sometimes
* STORM-2103: [SQL] Introduce new sql external module: storm-sql-mongodb
* STORM-2175: fix double close of workers
* STORM-2109: Under supervisor V2 SUPERVISOR_MEMORY_CAPACITY_MB and SUPERVISOR_CPU_CAPACITY must be Doubles
* STORM-2110: in supervisor v2 filter out empty command line args
* STORM-2117: Supervisor V2 with local mode extracts resources directory to topology root directory instead of temporary directory
* STORM-2131: Add blob command to worker-launcher, make stormdist directory not writeable by topo owner
* STORM-2018: Supervisor V2
* STORM-2139: Let ShellBolts and ShellSpouts run with scripts from blobs
* STORM-2072: Add map, flatMap with different outputs (T->V) in Trident
* STORM-2134: improving the current scheduling strategy for RAS
* STORM-2125: Use Calcite's implementation of Rex Compiler
* STORM-1546: Adding Read and Write Aggregations for Pacemaker to make it HA compatible
* STORM-1444: Support EXPLAIN statement in StormSQL
* STORM-2099: Introduce new sql external module: storm-sql-redis
* STORM-2097: Improve logging in trident core and examples
* STORM-2144: Fix Storm-sql group-by behavior in standalone mode
* STORM-2066: make error message in IsolatedPool.java more descriptive
* STORM-1870: Allow FluxShellBolt/Spout set custom 'componentConfig' via yaml
* STORM-2126: fix NPE due to race condition in compute-new-sched-assign…
* STORM-2124: show requested cpu mem for each component
* STORM-2089: Replace Consumer of ISqlTridentDataSource with SqlTridentConsumer
* STORM-2118: A few fixes for storm-sql standalone mode
* STORM-2105: Cluster/Supervisor total and available resources displayed in the UI
* STORM-2078: enable paging in worker datatable
* STORM-1664: Allow Java users to start a local cluster with a Nimbus Thrift server.
* STORM-1872: Release Jedis connection when topology shutdown
* STORM-2100: Fix Trident SQL join tests to not rely on ordering
* STORM-1837: Fix complete-topology and prevent message loss
* STORM-2098: DruidBeamBolt: Pass DruidConfig.Builder as constructor argument
* STORM-2092: optimize TridentKafkaState batch sending
* STORM-1979: Storm Druid Connector implementation.
* STORM-2057: Support JOIN statement in Storm SQL
* STORM-1970: external project examples refator
* STORM-2074: fix storm-kafka-monitor NPE bug
* STORM-1459: Allow not specifying producer properties in read-only Kafka table in StormSQL
* STORM-2052: Kafka Spout New Client API - Log Improvements and Parameter Tuning for Better Performance.
* STORM-2050: [storm-sql] Support User Defined Aggregate Function for Trident mode
* STORM-1434: Support the GROUP BY clause in StormSQL
* STORM-2016: Topology submission improvement: support adding local jars and maven artifacts on submission
* STORM-1994: Add table with per-topology & worker resource usage and components in (new) supervisor and topology pages
* STORM-2042: Nimbus client connections not closed properly causing connection leaks
* STORM-1766: A better algorithm server rack selection for RAS
* STORM-1913: Additions and Improvements for Trident RAS API
* STORM-2037: debug operation should be whitelisted in SimpleAclAuthorizer.
* STORM-2023: Add calcite-core to dependency of storm-sql-runtime
* STORM-2036: Fix minor bug in RAS Tests
* STORM-1979: Storm Druid Connector implementation.
* STORM-1839: Storm spout implementation for Amazon Kinesis Streams.
* STORM-1876: Option to build storm-kafka and storm-kafka-client with different kafka client version
* STORM-2000: Package storm-opentsdb as part of external dir in installation
* STORM-1989: X-Frame-Options support for Storm UI
* STORM-1962: support python 3 and 2 in multilang
* STORM-1964: Unexpected behavior when using count window together with timestamp extraction
* STORM-1890: ensure we refetch static resources after package build
* STORM-1988: Kafka Offset not showing due to bad classpath.
* STORM-1966: Expand metric having Map type as value into multiple metrics based on entries
* STORM-1737: storm-kafka-client has compilation errors with Apache Kafka 0.10
* STORM-1968: Storm logviewer does not work for nimbus.log in secure cluster
* STORM-1910: One topology cannot use hdfs spout to read from two locations
* STORM-1960: Add CORS support to STORM UI Rest api
* STORM-1959: Add missing license header to KafkaPartitionOffsetLag
* STORM-1950: Change response json of 'Topology Lag' REST API to keyed by spoutId, topic, partition.
* STORM-1833: Simple equi-join in storm-sql standalone mode
* STORM-1866: Update Resource Aware Scheduler Documentation
* STORM-1930: Kafka New Client API - Support for Topic Wildcards
* STORM-1924: Adding conf options for Persistent Word Count Topology
* STORM-1956: Disabling Backpressure by default
* STORM-1934: Fix race condition between sync-supervisor and sync-processes
* STORM-1919: Introduce FilterBolt on storm-redis
* STORM-1945: Fix NPE bugs on topology spout lag for storm-kafka-monitor
* STORM-1888: add description for shell command
* STORM-1902: add a simple & flexible FileNameFormat for storm-hdfs
* STORM-1914: Storm Kafka Field Topic Selector
* STORM-1907: PartitionedTridentSpoutExecutor has incompatible types that cause ClassCastException
* STORM-1925: Remove Nimbus thrift call from Nimbus itself
* STORM-1909: Update HDFS spout documentation
* STORM-1136: Command line module to return kafka spout offsets lag and display in storm ui
* STORM-1911: IClusterMetricsConsumer should use seconds to timestamp unit
* STORM-1893: Support OpenTSDB for storing timeseries data.
* STORM-1723: Introduce ClusterMetricsConsumer
* STORM-1700: Introduce 'whitelist' / 'blacklist' option to MetricsConsumer
* STORM-1698: Asynchronous MetricsConsumerBolt
* STORM-1705: Cap number of retries for a failed message
* STORM-1884: Prioritize pendingPrepare over pendingCommit
* STORM-1575: fix TwitterSampleSpout NPE on close
* STORM-1874: Update logger private permissions
* STORM-1865: update command line client document
* STORM-1771: HiveState should flushAndClose before closing old or idle Hive connections
* STORM-1882: Expose TextFileReader public
* STORM-1873: Implement alternative behaviour for late tuples
* STORM-1719: Introduce REST API: Topology metric stats for stream
* STORM-1887: Fixed help message for set_log_level command
* STORM-1878: Flux can now handle IStatefulBolts
* STORM-1864: StormSubmitter should throw respective exceptions and log respective errors forregistered submitter hook invocation
* STORM-1868: Modify TridentKafkaWordCount to run in distributed mode
* STORM-1859: Ack late tuples in windowed mode
* STORM-1851: Fix default nimbus impersonation authorizer config
* STORM-1848: Make KafkaMessageId and Partition serializable to support
* STORM-1862: Flux ShellSpout and ShellBolt can't emit to named streams
* Storm-1728: TransactionalTridentKafkaSpout error
* STORM-1850: State Checkpointing Documentation update
* STORM-1674: Idle KafkaSpout consumes more bandwidth than needed
* STORM-1842: Forward references in storm.thrift cause tooling issues
* STORM-1730: LocalCluster#shutdown() does not terminate all storm threads/thread pools.
* STORM-1709: Added group by support in storm sql standalone mode
* STORM-1720: Support GEO in storm-redis
* 1.0.6:
* [STORM-2877] - Introduce an option to configure pagination in Storm UI
* [STORM-2917] - Check the config(nimbus.host) before using it to connect
* [STORM-2451] - windows storm.cmd does not set log4j2 config file correctly by default
* [STORM-2690] - resurrect invocation of ISupervisor.assigned() & make Supervisor.launchDaemon() accessible
* [STORM-2751] - Remove AsyncLoggingContext from Supervisor
* [STORM-2764] - HDFSBlobStore leaks file system objects
* [STORM-2771] - Some tests are being run twice
* [STORM-2786] - Ackers leak tracking info on failure and lots of other cases.
* [STORM-2853] - Deactivated topologies cause high cpu utilization
* [STORM-2856] - Make Storm build work on post 2017Q4 Travis Trusty image
* [STORM-2870] - FileBasedEventLogger leaks non-daemon ExecutorService which prevents process to be finished
* [STORM-2879] - Supervisor collapse continuously when there is a expired assignment for overdue storm
* [STORM-2892] - Flux test fails to parse valid PATH environment variable
* [STORM-2894] - fix some random typos in tests
* [STORM-2912] - Tick tuple is being shared without resetting start time and incur side-effect to break metrics
* [STORM-2918] - Upgrade Netty version
* [STORM-2874] - Minor style improvements to backpressure code
* [STORM-2937] - Overwrite storm-kafka-client 1.x-branch into 1.0.x-branch
* [STORM-2858] - Fix worker-launcher build
- Use %license macro
* 1.0.5:
* [STORM-2657] - Update SECURITY.MD
* [STORM-2231] - NULL in DisruptorQueue while multi-threaded ack
* [STORM-2660] - The Nimbus storm-local directory is relative to the working directory of the shell executing 'storm nimbus'
* [STORM-2674] - NoNodeException when ZooKeeper tries to delete nodes
* [STORM-2677] - consider all sampled tuples which took greater than 0 ms processing time
* [STORM-2682] - Supervisor crashes with NullPointerException
* [STORM-2695] - BlobStore uncompress argument should be Boolean
* [STORM-2705] - DRPCSpout sleeps twice when idle
* 1.0.4:
* STORM-2627: Update docs for storm.zookeeper.topology.auth.scheme
* STORM-2597: Don't parse passed in class paths
* STORM-2524: Set Kafka client.id with storm-kafka
* STORM-2448: Add in Storm and JDK versions when submitting a topology
* STORM-2511: Submitting a topology with name containing unicode getting failed
* STORM-2498: Fix Download Full File link
* STORM-2486: Prevent cd from printing target directory to avoid breaking classpath
* STORM-1114: Race condition in trident zookeeper zk-node create/delete
* STORM-2429: Properly validate supervisor.scheduler.meta
* STORM-2194: Stop ignoring socket timeout error from executor
* STORM-2450: Write resources into correct local director
* STORM-2414: Skip checking meta's ACL when subject has write privileges for any blobs
* STORM-2038: Disable symlinks with a config option
* STORM-2038: No symlinks for local cluster
* STORM-2403: Fix KafkaBolt test failure: tick tuple should not be acked
* STORM-2361: Kafka spout - after leader change, it stops committing offsets to ZK
* STORM-2296: Kafka spout - no duplicates on leader changes
* STORM-2387: Handle tick tuples properly for Bolts in external modules
* STORM-2345: Type mismatch in ReadClusterState's ProfileAction processing Map
* STORM-2104: New Kafka spout crashes if partitions are reassigned while tuples are in-flight
* STORM-2396: setting interrupted status back before throwing a RuntimeException
* STORM-2395: storm.cmd supervisor calls the wrong class name
* STORM-2385: pacemaker_state_factory.clj does not compile on branch-1.0.x
* STORM-2389: Avoid instantiating Event Logger when topology.eventlogger.executors=0
* STORM-2386: Fail-back Blob deletion also fails in BlobSynchronizer.syncBlobs
* STORM-2360: Storm-Hive: Thrift version mismatch with storm-core
* STORM-2372: Pacemaker client doesn't clean up heartbeats properly
* STORM-2326: Upgrade log4j and slf4j
* STORM-2350: Storm-HDFS's listFilesByModificationTime is broken
* 1.0.3:
* STORM-2197: NimbusClient connectins leak due to leakage in ThriftClient
* STORM-2321: Handle blobstore zk key deletion in KeySequenceNumber.
* STORM-2324: Fix deployment failure if resources directory is missing in topology jar
* STORM-2335: Fix broken Topology visualization with empty ':transferred' in executor stats
* STORM-2336: Close Localizer and AsyncLocalizer when supervisor is shutting down
* STORM-2338: Subprocess exception handling is broken in storm.py on Windows environment
* STORM-2337: Broken documentation generation for storm-metrics-profiling-internal-actions.md and windows-users-guide.md
* STORM-2325: Logviewer doesn't consider 'storm.local.hostname'
* STORM-1742: More accurate 'complete latency'
* STORM-2176: Workers do not shutdown cleanly and worker hooks don't run when a topology is killed
* STORM-2293: hostname should only refer node's 'storm.local.hostname'
* STORM-2246: Logviewer download link has urlencoding on part of the URL
* STORM-1906: Window count/length of zero should be disallowed
* STORM-1841: Address a few minor issues in windowing and doc
* STORM-2268: Fix integration test for Travis CI build
* STORM-2283: Fix DefaultStateHandler kryo multithreading issues
* STORM-2264: OpaqueTridentKafkaSpout failing after STORM-2216
* STORM-2276: Remove twitter4j usages due to license issue (JSON.org is catalog X)
* STORM-2095: remove any remaining files when deleting blobstore directory
* STORM-2222: Repeated NPEs thrown in nimbus if rebalance fails
* STORM-2251: Integration test refers specific version of Storm which should be project version
* STORM-2234: heartBeatExecutorService in shellSpout don't work well with deactivate
* STORM-2216: Favor JSONValue.parseWithException
* STORM-2208: HDFS State Throws FileNotFoundException in Azure Data Lake Store file system (adl://)
* STORM-2213: ShellSpout has race condition when ShellSpout is being inactive longer than heartbeat timeout
* STORM-2210: remove array shuffle from ShuffleGrouping
* STORM-2052: Kafka Spout - New Client API - Performance Improvements
* storm-2205: Racecondition in getting nimbus summaries while ZK connections are reconnected
* STORM-2198: perform RotationAction when stopping HdfsBolt
* STORM-2196: A typo in RAS_Node::consumeCPU
* STORM-2189: RAS_Node::freeCPU outputs incorrect info
* STORM-2184: Don't wakeup KafkaConsumer on shutdown
* STORM-2185: Storm Supervisor doesn't delete directories properly sometimes
* STORM-2175: fix double close of workers
* STORM-2018: Supervisor V2
* STORM-2145: Leave leader nimbus's hostname to log when trying to connect leader nimbus
* STORM-2127: Storm-eventhubs should use latest amqp and eventhubs-client versions
* STORM-2040: Fix bug on assert-can-serialize
* STORM-2017: ShellBolt stops reporting task ids
* STORM-2119: bug in log message printing to stdout
* STORM-2120: Emit to _spoutConfig.outputStreamId
* STORM-2101: fixes npe in compute-executors in nimbus
* STORM-2090: Add integration test for storm windowing
* STORM-2003: Make sure config contains TOPIC before get it
* STORM-1567: in defaults.yaml 'topology.disable.loadaware' should be 'topology.disable.loadaware.messaging'
* STORM-1987: Fix TridentKafkaWordCount arg handling in distributed mode.
* STORM-1969: Modify HiveTopology to show usage of non-partition table.
* STORM-1849: HDFSFileTopology should use the 3rd argument as topologyName
* STORM-2086: use DefaultTopicSelector instead of creating a new one
* STORM-2079: Unneccessary readStormConfig operation
* STORM-2081: create external directory for storm-sql various data sources and move storm-sql-kafka to it
* STORM-2070: Fix sigar native binary download link
* STORM-2056: Bugs in logviewer
* STORM-1646: Fix ExponentialBackoffMsgRetryManager test
* STORM-2039: Backpressure refactoring in worker and executor
* STORM-2064: Add storm name and function, access result and function to log-thrift-access
* STORM-2063: Add thread name in worker logs
* STORM-2042: Nimbus client connections not closed properly causing connection leaks
* STORM-2032: removes warning in case more than one metrics tuple is received
* STORM-1594: org.apache.storm.tuple.Fields can throw NPE if given invalid field in selector
* STORM-1995: downloadChunk in nimbus.clj should close the input stream
Changes in rubygem-activeresource:
- Add bsc#1171560-CVE-2020-8151-encode-id-param.patch
Prevent possible information disclosure issue that could allow
an attacker to create specially crafted requests to access data
in an unexpected way (bsc#1171560 CVE-2020-8151))_
Changes in rubygem-crowbar-client:
- Update to 3.9.2
- Enable SES commands in Cloud8 (SOC-11122)
Changes in rubygem-json-1_7:
- Add CVE-2020-10663.patch (CVE-2020-10663, bsc#1167244)
Changes in rubygem-puma:
- Fix indentation in gem2rpm.yml_
- Add CVE-2020-11077.patch (bsc#1172175, CVE-2020-11077)
- Add chunked-request-handling.patch (needed for CVE-2020-11076.patch)
- Add CVE-2020-11076.patch (bsc#1172176, CVE-2020-11076)
- Add all patches to gem2rpm.yml
ImportantSUSE bug 1068612SUSE bug 1092420SUSE bug 1107190SUSE bug 1108719SUSE bug 1123872SUSE bug 1126503SUSE bug 1141968SUSE bug 11483483SUSE bug 1148383SUSE bug 1153191SUSE bug 1156525SUSE bug 1159046SUSE bug 1160152SUSE bug 1160153SUSE bug 1160192SUSE bug 1160790SUSE bug 1160851SUSE bug 1161088SUSE bug 1161089SUSE bug 1161670SUSE bug 1164322SUSE bug 1167244SUSE bug 1168593SUSE bug 1169770SUSE bug 1170657SUSE bug 1171273SUSE bug 1171560SUSE bug 1171594SUSE bug 1171661SUSE bug 1171909SUSE bug 1172166SUSE bug 1172167SUSE bug 1172175SUSE bug 1172176SUSE bug 1172409CVE-2017-1000246 at SUSECVE-2017-1000246 at NVDCVE-2019-1010083 at SUSECVE-2019-1010083 at NVDCVE-2019-15043 at SUSECVE-2019-15043 at NVDCVE-2019-16785 at SUSECVE-2019-16785 at NVDCVE-2019-16786 at SUSECVE-2019-16786 at NVDCVE-2019-16789 at SUSECVE-2019-16789 at NVDCVE-2019-16792 at SUSECVE-2019-16792 at NVDCVE-2019-16865 at SUSECVE-2019-16865 at NVDCVE-2019-18874 at SUSECVE-2019-18874 at NVDCVE-2019-19911 at SUSECVE-2019-19911 at NVDCVE-2019-3828 at SUSECVE-2019-3828 at NVDCVE-2020-10663 at SUSECVE-2020-10663 at NVDCVE-2020-10743 at SUSECVE-2020-10743 at NVDCVE-2020-11076 at SUSECVE-2020-11076 at NVDCVE-2020-11077 at SUSECVE-2020-11077 at NVDCVE-2020-12052 at SUSECVE-2020-12052 at NVDCVE-2020-13254 at SUSECVE-2020-13254 at NVDCVE-2020-13379 at SUSECVE-2020-13379 at NVDCVE-2020-13596 at SUSECVE-2020-13596 at NVDCVE-2020-5312 at SUSECVE-2020-5312 at NVDCVE-2020-5313 at SUSECVE-2020-5313 at NVDCVE-2020-5390 at SUSECVE-2020-5390 at NVDCVE-2020-8151 at SUSECVE-2020-8151 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for bind (Important)SUSE OpenStack Cloud Crowbar 8
This update for bind fixes the following issues:
- Amended documentation referring to rule types 'krb5-subdomain'
and 'ms-subdomain'. This incorrect documentation could mislead
operators into believing that policies they had configured were
more restrictive than they actually were. [CVE-2018-5741]
- Further limit the number of queries that can be triggered from a
request. Root and TLD servers are no longer exempt from
max-recursion-queries. Fetches for missing name server address
records are limited to 4 for any domain. [CVE-2020-8616]
- Replaying a TSIG BADTIME response as a request could trigger an
assertion failure. [CVE-2020-8617]
[bsc#1109160, bsc#1171740,
CVE-2018-5741, bind-CVE-2018-5741.patch,
CVE-2020-8616, bind-CVE-2020-8616.patch,
CVE-2020-8617, bind-CVE-2020-8617.patch]
- Don't rely on /etc/insserv.conf anymore for proper dependencies
against nss-lookup.target in named.service and lwresd.service
(bsc#1118367 bsc#1118368)
- Using a drop-in file
ImportantSUSE bug 1109160SUSE bug 1118367SUSE bug 1118368SUSE bug 1171740CVE-2018-5741 at SUSECVE-2018-5741 at NVDCVE-2020-8616 at SUSECVE-2020-8616 at NVDCVE-2020-8617 at SUSECVE-2020-8617 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-ipaddress (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-ipaddress fixes the following issues:
- Add CVE-2020-14422-ipaddress-hash-collision.patch fixing
CVE-2020-14422 (bsc#1173274, bpo#41004), where hash collisions
in IPv4Interface and IPv6Interface could lead to DOS.
ImportantSUSE bug 1173274CVE-2020-14422 at SUSECVE-2020-14422 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for squid (Important)SUSE OpenStack Cloud Crowbar 8
This update for squid fixes the following issues:
- CVE-2020-15049.patch: fixes a Cache Poisoning and Request Smuggling
attack (CVE-2020-15049, bsc#1173455)
ImportantSUSE bug 1173455CVE-2020-15049 at SUSECVE-2020-15049 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for SUSE Manager Client Tools (Moderate)SUSE OpenStack Cloud Crowbar 8
This update fixes the following issues:
cobbler:
- Calculate relative path for kernel and inited when generating
grub entry (bsc#1170231)
Added: fix-grub2-entry-paths.diff
- Fix os-release version detection for SUSE
Modified: sles15.patch
- Jinja2 template library fix (bsc#1141661)
- Removes string replace for textmode fix (bsc#1134195)
golang-github-prometheus-node_exporter:
- Update to 0.18.1
* [BUGFIX] Fix incorrect sysctl call in BSD meminfo collector, resulting in broken swap metrics on FreeBSD #1345
* [BUGFIX] Fix rollover bug in mountstats collector #1364
* Renamed interface label to device in netclass collector for consistency with
* other network metrics #1224
* The cpufreq metrics now separate the cpufreq and scaling data based on what the driver provides. #1248
* The labels for the network_up metric have changed, see issue #1236
* Bonding collector now uses mii_status instead of operstatus #1124
* Several systemd metrics have been turned off by default to improve performance #1254
* These include unit_tasks_current, unit_tasks_max, service_restart_total, and unit_start_time_seconds
* The systemd collector blacklist now includes automount, device, mount, and slice units by default. #1255
* [CHANGE] Bonding state uses mii_status #1124
* [CHANGE] Add a limit to the number of in-flight requests #1166
* [CHANGE] Renamed interface label to device in netclass collector #1224
* [CHANGE] Add separate cpufreq and scaling metrics #1248
* [CHANGE] Several systemd metrics have been turned off by default to improve performance #1254
* [CHANGE] Expand systemd collector blacklist #1255
* [CHANGE] Split cpufreq metrics into a separate collector #1253
* [FEATURE] Add a flag to disable exporter metrics #1148
* [FEATURE] Add kstat-based Solaris metrics for boottime, cpu and zfs collectors #1197
* [FEATURE] Add uname collector for FreeBSD #1239
* [FEATURE] Add diskstats collector for OpenBSD #1250
* [FEATURE] Add pressure collector exposing pressure stall information for Linux #1174
* [FEATURE] Add perf exporter for Linux #1274
* [ENHANCEMENT] Add Infiniband counters #1120
* [ENHANCEMENT] Add TCPSynRetrans to netstat default filter #1143
* [ENHANCEMENT] Move network_up labels into new metric network_info #1236
* [ENHANCEMENT] Use 64-bit counters for Darwin netstat
* [BUGFIX] Add fallback for missing /proc/1/mounts #1172
* [BUGFIX] Fix node_textfile_mtime_seconds to work properly on symlinks #1326
- Add network-online (Wants and After) dependency to systemd unit bsc#1143913
golang-github-prometheus-prometheus:
- Update change log and spec file
+ Modified spec file: default to golang 1.14 to avoid 'have choice' build issues in OBS.
+ Rebase and update patches for version 2.18.0
+ Changed:
* 0002-Default-settings.patch Changed
- Update to 2.18.0
+ Features
* Tracing: Added experimental Jaeger support #7148
+ Changes
* Federation: Only use local TSDB for federation (ignore remote read). #7096
* Rules: `rule_evaluations_total` and `rule_evaluation_failures_total` have a `rule_group` label now. #7094
+ Enhancements
* TSDB: Significantly reduce WAL size kept around after a block cut. #7098
* Discovery: Add `architecture` meta label for EC2. #7000
+ Bug fixes
* UI: Fixed wrong MinTime reported by /status. #7182
* React UI: Fixed multiselect legend on OSX. #6880
* Remote Write: Fixed blocked resharding edge case. #7122
* Remote Write: Fixed remote write not updating on relabel configs change. #7073
- Changes from 2.17.2
+ Bug fixes
* Federation: Register federation metrics #7081
* PromQL: Fix panic in parser error handling #7132
* Rules: Fix reloads hanging when deleting a rule group that is being evaluated #7138
* TSDB: Fix a memory leak when prometheus starts with an empty TSDB WAL #7135
* TSDB: Make isolation more robust to panics in web handlers #7129 #7136
- Changes from 2.17.1
+ Bug fixes
* TSDB: Fix query performance regression that increased memory and CPU usage #7051
- Changes from 2.17.0
+ Features
* TSDB: Support isolation #6841
* This release implements isolation in TSDB. API queries and recording rules are
guaranteed to only see full scrapes and full recording rules. This comes with a
certain overhead in resource usage. Depending on the situation, there might be
some increase in memory usage, CPU usage, or query latency.
+ Enhancements
* PromQL: Allow more keywords as metric names #6933
* React UI: Add normalization of localhost URLs in targets page #6794
* Remote read: Read from remote storage concurrently #6770
* Rules: Mark deleted rule series as stale after a reload #6745
* Scrape: Log scrape append failures as debug rather than warn #6852
* TSDB: Improve query performance for queries that partially hit the head #6676
* Consul SD: Expose service health as meta label #5313
* EC2 SD: Expose EC2 instance lifecycle as meta label #6914
* Kubernetes SD: Expose service type as meta label for K8s service role #6684
* Kubernetes SD: Expose label_selector and field_selector #6807
* Openstack SD: Expose hypervisor id as meta label #6962
+ Bug fixes
* PromQL: Do not escape HTML-like chars in query log #6834 #6795
* React UI: Fix data table matrix values #6896
* React UI: Fix new targets page not loading when using non-ASCII characters #6892
* Remote read: Fix duplication of metrics read from remote storage with external labels #6967 #7018
* Remote write: Register WAL watcher and live reader metrics for all remotes, not just the first one #6998
* Scrape: Prevent removal of metric names upon relabeling #6891
* Scrape: Fix 'superfluous response.WriteHeader call' errors when scrape fails under some circonstances #6986
* Scrape: Fix crash when reloads are separated by two scrape intervals #7011
- Changes from 2.16.0
+ Features
* React UI: Support local timezone on /graph #6692
* PromQL: add absent_over_time query function #6490
* Adding optional logging of queries to their own file #6520
+ Enhancements
* React UI: Add support for rules page and 'Xs ago' duration displays #6503
* React UI: alerts page, replace filtering togglers tabs with checkboxes #6543
* TSDB: Export metric for WAL write errors #6647
* TSDB: Improve query performance for queries that only touch the most recent 2h of data. #6651
* PromQL: Refactoring in parser errors to improve error messages #6634
* PromQL: Support trailing commas in grouping opts #6480
* Scrape: Reduce memory usage on reloads by reusing scrape cache #6670
* Scrape: Add metrics to track bytes and entries in the metadata cache #6675
* promtool: Add support for line-column numbers for invalid rules output #6533
* Avoid restarting rule groups when it is unnecessary #6450
+ Bug fixes
* React UI: Send cookies on fetch() on older browsers #6553
* React UI: adopt grafana flot fix for stacked graphs #6603
* React UI: broken graph page browser history so that back button works as expected #6659
* TSDB: ensure compactionsSkipped metric is registered, and log proper error if one is returned from head.Init #6616
* TSDB: return an error on ingesting series with duplicate labels #6664
* PromQL: Fix unary operator precedence #6579
* PromQL: Respect query.timeout even when we reach query.max-concurrency #6712
* PromQL: Fix string and parentheses handling in engine, which affected React UI #6612
* PromQL: Remove output labels returned by absent() if they are produced by multiple identical label matchers #6493
* Scrape: Validate that OpenMetrics input ends with `# EOF` #6505
* Remote read: return the correct error if configs can't be marshal'd to JSON #6622
* Remote write: Make remote client `Store` use passed context, which can affect shutdown timing #6673
* Remote write: Improve sharding calculation in cases where we would always be consistently behind by tracking pendingSamples #6511
* Ensure prometheus_rule_group metrics are deleted when a rule group is removed #6693
- Changes from 2.15.2
+ Bug fixes
* TSDB: Fixed support for TSDB blocks built with Prometheus before 2.1.0. #6564
* TSDB: Fixed block compaction issues on Windows. #6547
- Changes from 2.15.1
+ Bug fixes
* TSDB: Fixed race on concurrent queries against same data. #6512
- Changes from 2.15.0
+ Features
* API: Added new endpoint for exposing per metric metadata `/metadata`. #6420 #6442
+ Changes
* Discovery: Removed `prometheus_sd_kubernetes_cache_*` metrics. Additionally `prometheus_sd_kubernetes_workqueue_latency_seconds` and `prometheus_sd_kubernetes_workqueue_work_duration_seconds` metrics now show correct values in seconds. #6393
* Remote write: Changed `query` label on `prometheus_remote_storage_*` metrics to `remote_name` and `url`. #6043
+ Enhancements
* TSDB: Significantly reduced memory footprint of loaded TSDB blocks. #6418 #6461
* TSDB: Significantly optimized what we buffer during compaction which should result in lower memory footprint during compaction. #6422 #6452 #6468 #6475
* TSDB: Improve replay latency. #6230
* TSDB: WAL size is now used for size based retention calculation. #5886
* Remote read: Added query grouping and range hints to the remote read request #6401
* Remote write: Added `prometheus_remote_storage_sent_bytes_total` counter per queue. #6344
* promql: Improved PromQL parser performance. #6356
* React UI: Implemented missing pages like `/targets` #6276, TSDB status page #6281 #6267 and many other fixes and performance improvements.
* promql: Prometheus now accepts spaces between time range and square bracket. e.g `[ 5m]` #6065
+ Bug fixes
* Config: Fixed alertmanager configuration to not miss targets when configurations are similar. #6455
* Remote write: Value of `prometheus_remote_storage_shards_desired` gauge shows raw value of desired shards and it's updated correctly. #6378
* Rules: Prometheus now fails the evaluation of rules and alerts where metric results collide with labels specified in `labels` field. #6469
* API: Targets Metadata API `/targets/metadata` now accepts empty `match_targets` parameter as in the spec. #6303
- Changes from 2.14.0
+ Features
* API: `/api/v1/status/runtimeinfo` and `/api/v1/status/buildinfo` endpoints added for use by the React UI. #6243
* React UI: implement the new experimental React based UI. #5694 and many more
* Can be found by under `/new`.
* Not all pages are implemented yet.
* Status: Cardinality statistics added to the Runtime & Build Information page. #6125
+ Enhancements
* Remote write: fix delays in remote write after a compaction. #6021
* UI: Alerts can be filtered by state. #5758
+ Bug fixes
* Ensure warnings from the API are escaped. #6279
* API: lifecycle endpoints return 403 when not enabled. #6057
* Build: Fix Solaris build. #6149
* Promtool: Remove false duplicate rule warnings when checking rule files with alerts. #6270
* Remote write: restore use of deduplicating logger in remote write. #6113
* Remote write: do not reshard when unable to send samples. #6111
* Service discovery: errors are no longer logged on context cancellation. #6116, #6133
* UI: handle null response from API properly. #6071
- Changes from 2.13.1
+ Bug fixes
* Fix panic in ARM builds of Prometheus. #6110
* promql: fix potential panic in the query logger. #6094
* Multiple errors of http: superfluous response.WriteHeader call in the logs. #6145
- Changes from 2.13.0
+ Enhancements
* Metrics: renamed prometheus_sd_configs_failed_total to prometheus_sd_failed_configs and changed to Gauge #5254
* Include the tsdb tool in builds. #6089
* Service discovery: add new node address types for kubernetes. #5902
* UI: show warnings if query have returned some warnings. #5964
* Remote write: reduce memory usage of the series cache. #5849
* Remote read: use remote read streaming to reduce memory usage. #5703
* Metrics: added metrics for remote write max/min/desired shards to queue manager. #5787
* Promtool: show the warnings during label query. #5924
* Promtool: improve error messages when parsing bad rules. #5965
* Promtool: more promlint rules. #5515
+ Bug fixes
* UI: Fix a Stored DOM XSS vulnerability with query history [CVE-2019-10215](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10215). #6098
* Promtool: fix recording inconsistency due to duplicate labels. #6026
* UI: fixes service-discovery view when accessed from unhealthy targets. #5915
* Metrics format: OpenMetrics parser crashes on short input. #5939
* UI: avoid truncated Y-axis values. #6014
- Changes from 2.12.0
+ Features
* Track currently active PromQL queries in a log file. #5794
* Enable and provide binaries for `mips64` / `mips64le` architectures. #5792
+ Enhancements
* Improve responsiveness of targets web UI and API endpoint. #5740
* Improve remote write desired shards calculation. #5763
* Flush TSDB pages more precisely. tsdb#660
* Add `prometheus_tsdb_retention_limit_bytes` metric. tsdb#667
* Add logging during TSDB WAL replay on startup. tsdb#662
* Improve TSDB memory usage. tsdb#653, tsdb#643, tsdb#654, tsdb#642, tsdb#627
+ Bug fixes
* Check for duplicate label names in remote read. #5829
* Mark deleted rules' series as stale on next evaluation. #5759
* Fix JavaScript error when showing warning about out-of-sync server time. #5833
* Fix `promtool test rules` panic when providing empty `exp_labels`. #5774
* Only check last directory when discovering checkpoint number. #5756
* Fix error propagation in WAL watcher helper functions. #5741
* Correctly handle empty labels from alert templates. #5845
- Update Uyuni/SUSE Manager service discovery patch
+ Modified 0003-Add-Uyuni-service-discovery.patch:
+ Adapt service discovery to the new Uyuni API endpoints
+ Modified spec file: force golang 1.12 to fix build issues in SLE15SP2
- Update to Prometheus 2.11.2
grafana:
- Update to version 7.0.3
* Features / Enhancements
- Stats: include all fields. #24829, @ryantxu
- Variables: change VariableEditorList row action Icon to IconButton. #25217, @hshoff
* Bug fixes
- Cloudwatch: Fix dimensions of DDoSProtection. #25317, @papagian
- Configuration: Fix env var override of sections containing hyphen. #25178, @marefr
- Dashboard: Get panels in collapsed rows. #25079, @peterholmberg
- Do not show alerts tab when alerting is disabled. #25285, @dprokop
- Jaeger: fixes cascader option label duration value. #25129, @Estrax
- Transformations: Fixed Transform tab crash & no update after adding first transform. #25152, @torkelo
- Update to version 7.0.2
* Bug fixes
- Security: Urgent security patch release to fix CVE-2020-13379
- Update to version 7.0.1
* Features / Enhancements
- Datasource/CloudWatch: Makes CloudWatch Logs query history more readable. #24795, @kaydelaney
- Download CSV: Add date and time formatting. #24992, @ryantxu
- Table: Make last cell value visible when right aligned. #24921, @peterholmberg
- TablePanel: Adding sort order persistance. #24705, @torkelo
- Transformations: Display correct field name when using reduce transformation. #25068, @peterholmberg
- Transformations: Allow custom number input for binary operations. #24752, @ryantxu
* Bug fixes
- Dashboard/Links: Fixes dashboard links by tags not working. #24773, @KamalGalrani
- Dashboard/Links: Fixes open in new window for dashboard link. #24772, @KamalGalrani
- Dashboard/Links: Variables are resolved and limits to 100. #25076, @hugohaggmark
- DataLinks: Bring back variables interpolation in title. #24970, @dprokop
- Datasource/CloudWatch: Field suggestions no longer limited to prefix-only. #24855, @kaydelaney
- Explore/Table: Keep existing field types if possible. #24944, @kaydelaney
- Explore: Fix wrap lines toggle for results of queries with filter expression. #24915, @ivanahuckova
- Explore: fix undo in query editor. #24797, @zoltanbedi
- Explore: fix word break in type head info. #25014, @zoltanbedi
- Graph: Legend decimals now work as expected. #24931, @torkelo
- LoginPage: Fix hover color for service buttons. #25009, @tskarhed
- LogsPanel: Fix scrollbar. #24850, @ivanahuckova
- MoveDashboard: Fix for moving dashboard caused all variables to be lost. #25005, @torkelo
- Organize transformer: Use display name in field order comparer. #24984, @dprokop
- Panel: shows correct panel menu items in view mode. #24912, @hugohaggmark
- PanelEditor Fix missing labels and description if there is only single option in category. #24905, @dprokop
- PanelEditor: Overrides name matcher still show all original field names even after Field default display name is specified. #24933, @torkelo
- PanelInspector: Makes sure Data display options are visible. #24902, @hugohaggmark
- PanelInspector: Hides unsupported data display options for Panel type. #24918, @hugohaggmark
- PanelMenu: Make menu disappear on button press. #25015, @tskarhed
- Postgres: Fix add button. #25087, @phemmer
- Prometheus: Fix recording rules expansion. #24977, @ivanahuckova
- Stackdriver: Fix creating Service Level Objectives (SLO) datasource query variable. #25023, @papagian
- Update to version 7.0.0
* Breaking changes
- Removed PhantomJS: PhantomJS was deprecated in Grafana v6.4 and starting from Grafana v7.0.0, all PhantomJS support has been removed. This means that Grafana no longer ships with a built-in image renderer, and we advise you to install the Grafana Image Renderer plugin.
- Dashboard: A global minimum dashboard refresh interval is now enforced and defaults to 5 seconds.
- Interval calculation: There is now a new option Max data points that controls the auto interval $__interval calculation. Interval was previously calculated by dividing the panel width by the time range. With the new max data points option it is now easy to set $__interval to a dynamic value that is time range agnostic. For example if you set Max data points to 10 Grafana will dynamically set $__interval by dividing the current time range by 10.
- Datasource/Loki: Support for deprecated Loki endpoints has been removed.
- Backend plugins: Grafana now requires backend plugins to be signed, otherwise Grafana will not load/start them. This is an additional security measure to make sure backend plugin binaries and files haven't been tampered with. Refer to Upgrade Grafana for more information.
- @grafana/ui: Forms migration notice, see @grafana/ui changelog
- @grafana/ui: Select API change for creating custom values, see @grafana/ui changelog
+ Deprecation warnings
- Scripted dashboards is now deprecated. The feature is not removed but will be in a future release. We hope to address the underlying requirement of dynamic dashboards in a different way. #24059
- The unofficial first version of backend plugins together with usage of grafana/grafana-plugin-model is now deprecated and support for that will be removed in a future release. Please refer to backend plugins documentation for information about the new officially supported backend plugins.
* Features / Enhancements
- Backend plugins: Log deprecation warning when using the unofficial first version of backend plugins. #24675, @marefr
- Editor: New line on Enter, run query on Shift+Enter. #24654, @davkal
- Loki: Allow multiple derived fields with the same name. #24437, @aocenas
- Orgs: Add future deprecation notice. #24502, @torkelo
* Bug Fixes
- @grafana/toolkit: Use process.cwd() instead of PWD to get directory. #24677, @zoltanbedi
- Admin: Makes long settings values line break in settings page. #24559, @hugohaggmark
- Dashboard: Allow editing provisioned dashboard JSON and add confirmation when JSON is copied to dashboard. #24680, @dprokop
- Dashboard: Fix for strange 'dashboard not found' errors when opening links in dashboard settings. #24416, @torkelo
- Dashboard: Fix so default data source is selected when data source can't be found in panel editor. #24526, @mckn
- Dashboard: Fixed issue changing a panel from transparent back to normal in panel editor. #24483, @torkelo
- Dashboard: Make header names reflect the field name when exporting to CSV file from the the panel inspector. #24624, @peterholmberg
- Dashboard: Make sure side pane is displayed with tabs by default in panel editor. #24636, @dprokop
- Data source: Fix query/annotation help content formatting. #24687, @AgnesToulet
- Data source: Fixes async mount errors. #24579, @Estrax
- Data source: Fixes saving a data source without failure when URL doesn't specify a protocol. #24497, @aknuds1
- Explore/Prometheus: Show results of instant queries only in table. #24508, @ivanahuckova
- Explore: Fix rendering of react query editors. #24593, @ivanahuckova
- Explore: Fixes loading more logs in logs context view. #24135, @Estrax
- Graphite: Fix schema and dedupe strategy in rollup indicators for Metrictank queries. #24685, @torkelo
- Graphite: Makes query annotations work again. #24556, @hugohaggmark
- Logs: Clicking 'Load more' from context overlay doesn't expand log row. #24299, @kaydelaney
- Logs: Fix total bytes process calculation. #24691, @davkal
- Org/user/team preferences: Fixes so UI Theme can be set back to Default. #24628, @AgnesToulet
- Plugins: Fix manifest validation. #24573, @aknuds1
- Provisioning: Use proxy as default access mode in provisioning. #24669, @bergquist
- Search: Fix select item when pressing enter and Grafana is served using a sub path. #24634, @tskarhed
- Search: Save folder expanded state. #24496, @Clarity-89
- Security: Tag value sanitization fix in OpenTSDB data source. #24539, @rotemreiss
- Table: Do not include angular options in options when switching from angular panel. #24684, @torkelo
- Table: Fixed persisting column resize for time series fields. #24505, @torkelo
- Table: Fixes Cannot read property subRows of null. #24578, @hugohaggmark
- Time picker: Fixed so you can enter a relative range in the time picker without being converted to absolute range. #24534, @mckn
- Transformations: Make transform dropdowns not cropped. #24615, @dprokop
- Transformations: Sort order should be preserved as entered by user when using the reduce transformation. #24494, @hugohaggmark
- Units: Adds scale symbol for currencies with suffixed symbol. #24678, @hugohaggmark
- Variables: Fixes filtering options with more than 1000 entries. #24614, @hugohaggmark
- Variables: Fixes so Textbox variables read value from url. #24623, @hugohaggmark
- Zipkin: Fix error when span contains remoteEndpoint. #24524, @aocenas
- SAML: Switch from email to login for user login attribute mapping (Enterprise)
- Update Makefile and spec file
* Remove phantomJS patch from Makefile
* Fix multiline strings in Makefile
* Exclude s390 from SLE12 builds, golang 1.14 is not built for s390
- Add instructions for patching the Grafana javascript frontend.
- BuildRequires golang(API) instead of go metapackage version range
* BuildRequires: golang(API) >= 1.14 from
BuildRequires: ( go >= 1.14 with go < 1.15 )
- Update to version 6.7.3
- This version fixes bsc#1170557 and its corresponding CVE-2020-12245
- Admin: Fix Synced via LDAP message for non-LDAP external users. #23477, @alexanderzobnin
- Alerting: Fixes notifications for alerts with empty message in Google Hangouts notifier. #23559, @hugohaggmark
- AuthProxy: Fixes bug where long username could not be cached.. #22926, @jcmcken
- Dashboard: Fix saving dashboard when editing raw dashboard JSON model. #23314, @peterholmberg
- Dashboard: Try to parse 8 and 15 digit numbers as timestamps if parsing of time range as date fails. #21694, @jessetan
- DashboardListPanel: Fixed problem with empty panel after going into edit mode (General folder filter being automatically added) . #23426, @torkelo
- Data source: Handle datasource withCredentials option properly. #23380, @hvtuananh
- Security: Fix annotation popup XSS vulnerability. #23813, @torkelo
- Server: Exit Grafana with status code 0 if no error. #23312, @aknuds1
- TablePanel: Fix XSS issue in header column rename (backport). #23814, @torkelo
- Variables: Fixes error when setting adhoc variable values. #23580, @hugohaggmark
- Update to version 6.7.2:
(see installed changelog for the full list of changes)
- BackendSrv: Adds config to response to fix issue for external plugins that used this property . #23032, @torkelo
- Dashboard: Fixed issue with saving new dashboard after changing title . #23104, @dprokop
- DataLinks: make sure we use the correct datapoint when dataset contains null value.. #22981, @mckn
- Plugins: Fixed issue for plugins that imported dateMath util . #23069, @mckn
- Security: Fix for dashboard snapshot original dashboard link could contain XSS vulnerability in url. #23254, @torkelo
- Variables: Fixes issue with too many queries being issued for nested template variables after value change. #23220, @torkelo
- Plugins: Expose promiseToDigest. #23249, @torkelo
- Reporting (Enterprise): Fixes issue updating a report created by someone else
- Update to 6.7.1:
(see installed changelog for the full list of changes)
Bug Fixes
- Azure: Fixed dropdowns not showing current value. #22914, @torkelo
- BackendSrv: only add content-type on POST, PUT requests. #22910, @hugohaggmark
- Panels: Fixed size issue with panel internal size when exiting panel edit mode. #22912, @torkelo
- Reporting: fixes migrations compatibility with mysql (Enterprise)
- Reporting: Reduce default concurrency limit to 4 (Enterprise)
- Update to 6.7.0:
(see installed changelog for the full list of changes)
Bug Fixes
- AngularPanels: Fixed inner height calculation for angular panels . #22796, @torkelo
- BackendSrv: makes sure provided headers are correctly recognized and set. #22778, @hugohaggmark
- Forms: Fix input suffix position (caret-down in Select) . #22780, @torkelo
- Graphite: Fixed issue with query editor and next select metric now showing after selecting metric node . #22856, @torkelo
- Rich History: UX adjustments and fixes. #22729, @ivanahuckova
- Update to 6.7.0-beta1:
Breaking changes
- Slack: Removed Mention setting and instead introduce Mention Users, Mention Groups, and Mention Channel. The first two settings require user and group IDs, respectively. This change was necessary because the way of mentioning via the Slack API changed and mentions in Slack notifications no longer worked.
- Alerting: Reverts the behavior of diff and percent_diff to not always be absolute. Something we introduced by mistake in 6.1.0. Alerting now support diff(), diff_abs(), percent_diff() and percent_diff_abs(). #21338
- Notice about changes in backendSrv for plugin authors
In our mission to migrate away from AngularJS to React we have removed all AngularJS dependencies in the core data retrieval service backendSrv.
Removing the AngularJS dependencies in backendSrv has the unfortunate side effect of AngularJS digest no longer being triggered for any request made with backendSrv. Because of this, external plugins using backendSrv directly may suffer from strange behaviour in the UI.
To remedy this issue, as a plugin author you need to trigger the digest after a direct call to backendSrv.
Bug Fixes
API: Fix redirect issues. #22285, @papagian
Alerting: Don't include image_url field with Slack message if empty. #22372, @aknuds1
Alerting: Fixed bad background color for default notifications in alert tab . #22660, @krvajal
Annotations: In table panel when setting transform to annotation, they will now show up right away without a manual refresh. #22323, @krvajal
Azure Monitor: Fix app insights source to allow for new __timeFrom and __timeTo. #21879, @ChadNedzlek
BackendSrv: Fixes POST body for form data. gmark
CloudWatch: Credentials cache invalidation fix. #22473, @sunker
CloudWatch: Expand alias variables when query yields no result. #22695, @sunker
Dashboard: Fix bug with NaN in alerting. #22053, @a-melnyk
Explore: Fix display of multiline logs in log panel and explore. #22057, @thomasdraebing
Heatmap: Legend color range is incorrect when using custom min/max. #21748, @sv5d
Security: Fixed XSS issue in dashboard history diff . #22680, @torkelo
StatPanel: Fixes base color is being used for null values .
#22646, @torkelo
- Update to version 6.6.2:
(see installed changelog for the full list of changes)
- Update to version 6.6.1:
(see installed changelog for the full list of changes)
- Update to version 6.6.0:
(see installed changelog for the full list of changes)
- Update to version 6.5.3:
(see installed changelog for the full list of changes)
- Update to version 6.5.2:
(see installed changelog for the full list of changes)
- Update to version 6.5.1:
(see installed changelog for the full list of changes)
- Update to version 6.5.0
(see installed changelog for the full list of changes)
- Update to version 6.4.5:
* Create version 6.4.5
* CloudWatch: Fix high CPU load (#20579)
- Add obs-service-go_modules to download required modules into vendor.tar.gz
- Adjusted spec file to use vendor.tar.gz
- Adjusted Makefile to work with new filenames
- BuildRequire go1.14
- Update to version 6.4.4:
* DataLinks: Fix blur issues. #19883, @aocenas
* Docker: Makes it possible to parse timezones in the docker image. #20081, @xlson
* LDAP: All LDAP servers should be tried even if one of them returns a connection error. #20077, @jongyllen
* LDAP: No longer shows incorrectly matching groups based on role in debug page. #20018, @xlson
* Singlestat: Fix no data / null value mapping . #19951, @ryantxu
- Revert the spec file and make script
- Remove PhantomJS dependency
- Update to 6.4.3
* Bug Fixes
- Alerting: All notification channels should send even if one fails to send. #19807, @jan25
- AzureMonitor: Fix slate interference with dropdowns. #19799, @aocenas
- ContextMenu: make ContextMenu positioning aware of the viewport width. #19699, @krvajal
- DataLinks: Fix context menu not showing in singlestat-ish visualisations. #19809, @dprokop
- DataLinks: Fix url field not releasing focus. #19804, @aocenas
- Datasource: Fixes clicking outside of some query editors required 2 clicks. #19822, @aocenas
- Panels: Fixes default tab for visualizations without Queries Tab. #19803, @hugohaggmark
- Singlestat: Fixed issue with mapping null to text. #19689, @torkelo
- @grafana/toolkit: Don't fail plugin creation when git user.name config is not set. #19821, @dprokop
- @grafana/toolkit: TSLint line number off by 1. #19782, @fredwangwang
- Update to 6.4.2
* Bug Fixes
- CloudWatch: Changes incorrect dimension wmlid to wlmid . #19679, @ATTron
- Grafana Image Renderer: Fixes plugin page. #19664, @hugohaggmark
- Graph: Fixes auto decimals logic for y axis ticks that results in too many decimals for high values. #19618, @torkelo
- Graph: Switching to series mode should re-render graph. #19623, @torkelo
- Loki: Fix autocomplete on label values. #19579, @aocenas
- Loki: Removes live option for logs panel. #19533, @davkal
- Profile: Fix issue with user profile not showing more than sessions sessions in some cases. #19578, @huynhsamha
- Prometheus: Fixes so results in Panel always are sorted by query order. #19597, @hugohaggmark
- sted keys in YAML provisioning caused a server crash, #19547
- ImageRendering: Fixed issue with image rendering in enterprise build (Enterprise)
- Reporting: Fixed issue with reporting service when STMP was disabled (Enterprise).
- Changes from 6.4.0
* Features / Enhancements
- Build: Upgrade go to 1.12.10. #19499, @marefr
- DataLinks: Suggestions menu improvements. #19396, @dprokop
- Explore: Take root_url setting into account when redirecting from dashboard to explore. #19447, @ivanahuckova
- Explore: Update broken link to logql docs. #19510, @ivanahuckova
- Logs: Adds Logs Panel as a visualization. #19504, @davkal
* Bug Fixes
- CLI: Fix version selection for plugin install. #19498, @aocenas
- Graph: Fixes minor issue with series override color picker and custom color . #19516, @torkelo
- Changes from 6.4.0 Beta 2
* Features / Enhancements
- Azure Monitor: Remove support for cross resource queries (#19115)'. #19346, @sunker
- Docker: Upgrade packages to resolve reported vulnerabilities. #19188, @marefr
- Graphite: Time range expansion reduced from 1 minute to 1 second. #19246, @torkelo
- grafana/toolkit: Add plugin creation task. #19207, @dprokop
* Bug Fixes
- Alerting: Prevents creating alerts from unsupported queries. #19250, @hugohaggmark
- Alerting: Truncate PagerDuty summary when greater than 1024 characters. #18730, @nvllsvm
- Cloudwatch: Fix autocomplete for Gamelift dimensions. #19146, @kevinpz
- Dashboard: Fix export for sharing when panels use default data source. #19315, @torkelo
- Database: Rewrite system statistics query to perform better. #19178, @papagian
- Gauge/BarGauge: Fix issue with [object Object] in titles . #19217, @ryantxu
- MSSQL: Revert usage of new connectionstring format introduced by #18384. #19203, @marefr
- Multi-LDAP: Do not fail-fast on invalid credentials. #19261, @gotjosh
- MySQL, Postgres, MSSQL: Fix validating query with template variables in alert . #19237, @marefr
- MySQL, Postgres: Update raw sql when query builder updates. #19209, @marefr
- MySQL: Limit datasource error details returned from the backend. #19373, @marefr
- Changes from 6.4.0 Beta 1
* Features / Enhancements
- API: Readonly datasources should not be created via the API. #19006, @papagian
- Alerting: Include configured AlertRuleTags in Webhooks notifier. #18233, @dominic-miglar
- Annotations: Add annotations support to Loki. #18949, @aocenas
- Annotations: Use a single row to represent a region. #17673, @ryantxu
- Auth: Allow inviting existing users when login form is disabled. #19048, @548017
- Azure Monitor: Add support for cross resource queries. #19115, @sunker
- CLI: Allow installing custom binary plugins. #17551, @aocenas
- Dashboard: Adds Logs Panel (alpha) as visualization option for Dashboards. #18641, @hugohaggmark
- Dashboard: Reuse query results between panels . #16660, @ryantxu
- Dashboard: Set time to to 23:59:59 when setting To time using calendar. #18595, @simPod
- DataLinks: Add DataLinks support to Gauge, BarGauge and SingleStat2 panel. #18605, @ryantxu
- DataLinks: Enable access to labels & field names. #18918, @torkelo
- DataLinks: Enable multiple data links per panel. #18434, @dprokop
- Docker: switch docker image to alpine base with phantomjs support. #18468, @DanCech
- Elasticsearch: allow templating queries to order by doc_count. #18870, @hackery
- Explore: Add throttling when doing live queries. #19085, @aocenas
- Explore: Adds ability to go back to dashboard, optionally with query changes. #17982, @kaydelaney
- Explore: Reduce default time range to last hour. #18212, @davkal
- Gauge/BarGauge: Support decimals for min/max. #18368, @ryantxu
- Graph: New series override transform constant that renders a single point as a line across the whole graph. #19102, @davkal
- Image rendering: Add deprecation warning when PhantomJS is used for rendering images. #18933, @papagian
- InfluxDB: Enable interpolation within ad-hoc filter values. #18077, @kvc-code
- LDAP: Allow an user to be synchronized against LDAP. #18976, @gotjosh
- Ldap: Add ldap debug page. #18759, @peterholmberg
- Loki: Remove prefetching of default label values. #18213, @davkal
- Metrics: Add failed alert notifications metric. #18089, @koorgoo
- OAuth: Support JMES path lookup when retrieving user email. #14683, @bobmshannon
- OAuth: return GitLab groups as a part of user info (enable team sync). #18388, @alexanderzobnin
- Panels: Add unit for electrical charge - ampere-hour. #18950, @anirudh-ramesh
- Plugin: AzureMonitor - Reapply MetricNamespace support. #17282, @raphaelquati
- Plugins: better warning when plugins fail to load. #18671, @ryantxu
- Postgres: Add support for scram sha 256 authentication. #18397, @nonamef
- RemoteCache: Support SSL with Redis. #18511, @kylebrandt
- SingleStat: The gauge option in now disabled/hidden (unless it's an old panel with it already enabled) . #18610, @ryantxu
- Stackdriver: Add extra alignment period options. #18909, @sunker
- Units: Add South African Rand (ZAR) to currencies. #18893, @jeteon
- Units: Adding T,P,E,Z,and Y bytes. #18706, @chiqomar
* Bug Fixes
- Alerting: Notification is sent when state changes from no_data to ok. #18920, @papagian
- Alerting: fix duplicate alert states when the alert fails to save to the database. #18216, @kylebrandt
- Alerting: fix response popover prompt when add notification channels. #18967, @lzdw
- CloudWatch: Fix alerting for queries with Id (using GetMetricData). #17899, @alex-berger
- Explore: Fix auto completion on label values for Loki. #18988, @aocenas
- Explore: Fixes crash using back button with a zoomed in graph. #19122, @hugohaggmark
- Explore: Fixes so queries in Explore are only run if Graph/Table is shown. #19000, @hugohaggmark
- MSSQL: Change connectionstring to URL format to fix using passwords with semicolon. #18384, @Russiancold
- MSSQL: Fix memory leak when debug enabled. #19049, @briangann
- Provisioning: Allow escaping literal '$' with '$$' in configs to avoid interpolation. #18045, @kylebrandt
- TimePicker: Fixes hiding time picker dropdown in FireFox. #19154, @hugohaggmark
* Breaking changes
+ Annotations
There are some breaking changes in the annotations HTTP API for region annotations. Region annotations are now represented
using a single event instead of two seperate events. Check breaking changes in HTTP API below and HTTP API documentation for more details.
+ Docker
Grafana is now using Alpine 3.10 as docker base image.
+ HTTP API
- GET /api/alert-notifications now requires at least editor access.
New /api/alert-notifications/lookup returns less information than /api/alert-notifications and can be access by any authenticated user.
- GET /api/alert-notifiers now requires at least editor access
- GET /api/org/users now requires org admin role.
New /api/org/users/lookup returns less information than /api/org/users and can be access by users that are org admins,
admin in any folder or admin of any team.
- GET /api/annotations no longer returns regionId property.
- POST /api/annotations no longer supports isRegion property.
- PUT /api/annotations/:id no longer supports isRegion property.
- PATCH /api/annotations/:id no longer supports isRegion property.
- DELETE /api/annotations/region/:id has been removed.
* Deprecation notes
+ PhantomJS
- PhantomJS, which is used for rendering images of dashboards and panels,
is deprecated and will be removed in a future Grafana release.
A deprecation warning will from now on be logged when Grafana starts up if PhantomJS is in use.
Please consider migrating from PhantomJS to the Grafana Image Renderer plugin.
- Changes from 6.3.6
* Features / Enhancements
- Metrics: Adds setting for turning off total stats metrics. #19142, @marefr
* Bug Fixes
- Database: Rewrite system statistics query to perform better. #19178, @papagian
- Explore: Fixes error when switching from prometheus to loki data sources. #18599, @kaydelaney
- Rebase package spec. Use mostly from fedora, fix suse specified things and fix some errors.
- Add missing directories provisioning/datasources and provisioning/notifiers
and sample.yaml as described in packaging/rpm/control from upstream.
Missing directories are shown in logfiles.
- Version 6.3.5
* Upgrades
+ Build: Upgrade to go 1.12.9.
* Bug Fixes
+ Dashboard: Fixes dashboards init failed loading error for dashboards with panel links that had missing properties.
+ Editor: Fixes issue where only entire lines were being copied.
+ Explore: Fixes query field layout in splitted view for Safari browsers.
+ LDAP: multildap + ldap integration.
+ Profile/UserAdmin: Fix for user agent parser crashes grafana-server on 32-bit builds.
+ Prometheus: Prevents panel editor crash when switching to Prometheus datasource.
+ Prometheus: Changes brace-insertion behavior to be less annoying.
- Version 6.3.4
* Security: CVE-2019-15043 - Parts of the HTTP API allow unauthenticated use.
- Version 6.3.3
* Bug Fixes
+ Annotations: Fix failing annotation query when time series query is cancelled. #18532 1, @dprokop 1
+ Auth: Do not set SameSite cookie attribute if cookie_samesite is none. #18462 1, @papagian 3
+ DataLinks: Apply scoped variables to data links correctly. #18454 1, @dprokop 1
+ DataLinks: Respect timezone when displaying datapoint’s timestamp in graph context menu. #18461 2, @dprokop 1
+ DataLinks: Use datapoint timestamp correctly when interpolating variables. #18459 1, @dprokop 1
+ Explore: Fix loading error for empty queries. #18488 1, @davkal
+ Graph: Fixes legend issue clicking on series line icon and issue with horizontal scrollbar being visible on windows. #18563 1, @torkelo 2
+ Graphite: Avoid glob of single-value array variables . #18420, @gotjosh
+ Prometheus: Fix queries with label_replace remove the $1 match when loading query editor. #18480 5, @hugohaggmark 3
+ Prometheus: More consistently allows for multi-line queries in editor. #18362 2, @kaydelaney 2
+ TimeSeries: Assume values are all numbers. #18540 4, @ryantxu
- Version 6.3.2
* Bug Fixes
+ Gauge/BarGauge: Fixes issue with losts thresholds and issue loading Gauge with avg stat. #18375 12
- Version 6.3.1
* Bug Fixes
+ PanelLinks: Fix crash issue Gauge & Bar Gauge for panels with panel links (drill down links). #18430 2
- Version 6.3.0
* Features / Enhancements
+ OAuth: Do not set SameSite OAuth cookie if cookie_samesite is None. #18392 4, @papagian 3
+ Auth Proxy: Include additional headers as part of the cache key. #18298 6, @gotjosh
+ Build grafana images consistently. #18224 12, @hassanfarid
+ Docs: SAML. #18069 11, @gotjosh
+ Permissions: Show plugins in nav for non admin users but hide plugin configuration. #18234 1, @aocenas
+ TimePicker: Increase max height of quick range dropdown. #18247 2, @torkelo 2
+ Alerting: Add tags to alert rules. #10989 13, @Thib17 1
+ Alerting: Attempt to send email notifications to all given email addresses. #16881 1, @zhulongcheng
+ Alerting: Improve alert rule testing. #16286 2, @marefr
+ Alerting: Support for configuring content field for Discord alert notifier. #17017 2, @jan25
+ Alertmanager: Replace illegal chars with underscore in label names. #17002 5, @bergquist 1
+ Auth: Allow expiration of API keys. #17678, @papagian 3
+ Auth: Return device, os and browser when listing user auth tokens in HTTP API. #17504, @shavonn 1
+ Auth: Support list and revoke of user auth tokens in UI. #17434 2, @shavonn 1
+ AzureMonitor: change clashing built-in Grafana variables/macro names for Azure Logs. #17140, @shavonn 1
+ CloudWatch: Made region visible for AWS Cloudwatch Expressions. #17243 2, @utkarshcmu
+ Cloudwatch: Add AWS DocDB metrics. #17241, @utkarshcmu
+ Dashboard: Use timezone dashboard setting when exporting to CSV. #18002 1, @dehrax
+ Data links. #17267 11, @torkelo 2
+ Docker: Switch base image to ubuntu:latest from debian:stretch to avoid security issues… #17066 5, @bergquist 1
+ Elasticsearch: Support for visualizing logs in Explore . #17605 7, @marefr
+ Explore: Adds Live option for supported datasources. #17062 1, @hugohaggmark 3
+ Explore: Adds orgId to URL for sharing purposes. #17895 1, @kaydelaney 2
+ Explore: Adds support for new loki ‘start’ and ‘end’ params for labels endpoint. #17512, @kaydelaney 2
+ Explore: Adds support for toggling raw query mode in explore. #17870, @kaydelaney 2
+ Explore: Allow switching between metrics and logs . #16959 2, @marefr
+ Explore: Combines the timestamp and local time columns into one. #17775, @hugohaggmark 3
+ Explore: Display log lines context . #17097, @dprokop 1
+ Explore: Don’t parse log levels if provided by field or label. #17180 1, @marefr
+ Explore: Improves performance of Logs element by limiting re-rendering. #17685, @kaydelaney 2
+ Explore: Support for new LogQL filtering syntax. #16674 4, @davkal
+ Explore: Use new TimePicker from Grafana/UI. #17793, @hugohaggmark 3
+ Explore: handle newlines in LogRow Highlighter. #17425, @rrfeng 1
+ Graph: Added new fill gradient option. #17528 3, @torkelo 2
+ GraphPanel: Don’t sort series when legend table & sort column is not visible . #17095, @shavonn 1
+ InfluxDB: Support for visualizing logs in Explore. #17450 9, @hugohaggmark 3
+ Logging: Login and Logout actions (#17760). #17883 1, @ATTron
+ Logging: Move log package to pkg/infra. #17023, @zhulongcheng
+ Metrics: Expose stats about roles as metrics. #17469 2, @bergquist 1
+ MySQL/Postgres/MSSQL: Add parsing for day, weeks and year intervals in macros. #13086 6, @bernardd
+ MySQL: Add support for periodically reloading client certs. #14892, @tpetr
+ Plugins: replace dataFormats list with skipDataQuery flag in plugin.json. #16984, @ryantxu
+ Prometheus: Take timezone into account for step alignment. #17477, @fxmiii
+ Prometheus: Use overridden panel range for $__range instead of dashboard range. #17352, @patrick246
+ Prometheus: added time range filter to series labels query. #16851 3, @FUSAKLA
+ Provisioning: Support folder that doesn’t exist yet in dashboard provisioning. #17407 1, @Nexucis
+ Refresh picker: Handle empty intervals. #17585 1, @dehrax
+ Singlestat: Add y min/max config to singlestat sparklines. #17527 4, @pitr
+ Snapshot: use given key and deleteKey. #16876, @zhulongcheng
+ Templating: Correctly display __text in multi-value variable after page reload. #17840 1, @EduardSergeev
+ Templating: Support selecting all filtered values of a multi-value variable. #16873 2, @r66ad
+ Tracing: allow propagation with Zipkin headers. #17009 4, @jrockway
+ Users: Disable users removed from LDAP. #16820 2, @alexanderzobnin
* Bug Fixes
+ PanelLinks: Fix render issue when there is no panel description. #18408 3, @dehrax
+ OAuth: Fix “missing saved state” OAuth login failure due to SameSite cookie policy. #18332 1, @papagian 3
+ cli: fix for recognizing when in dev mode… #18334, @xlson
+ DataLinks: Fixes incorrect interpolation of ${__series_name} . #18251 1, @torkelo 2
+ Loki: Display live tailed logs in correct order in Explore. #18031 3, @kaydelaney 2
+ PhantomJS: Fixes rendering on Debian Buster. #18162 2, @xlson
+ TimePicker: Fixed style issue for custom range popover. #18244, @torkelo 2
+ Timerange: Fixes a bug where custom time ranges didn’t respect UTC. #18248 1, @kaydelaney 2
+ remote_cache: Fix redis connstr parsing. #18204 1, @mblaschke
+ AddPanel: Fix issue when removing moved add panel widget . #17659 2, @dehrax
+ CLI: Fix encrypt-datasource-passwords fails with sql error. #18014, @marefr
+ Elasticsearch: Fix default max concurrent shard requests. #17770 4, @marefr
+ Explore: Fix browsing back to dashboard panel. #17061, @jschill
+ Explore: Fix filter by series level in logs graph. #17798, @marefr
+ Explore: Fix issues when loading and both graph/table are collapsed. #17113, @marefr
+ Explore: Fix selection/copy of log lines. #17121, @marefr
+ Fix: Wrap value of multi variable in array when coming from URL. #16992 1, @aocenas
+ Frontend: Fix for Json tree component not working. #17608, @srid12
+ Graphite: Fix for issue with alias function being moved last. #17791, @torkelo 2
+ Graphite: Fixes issue with seriesByTag & function with variable param. #17795, @torkelo 2
+ Graphite: use POST for /metrics/find requests. #17814 2, @papagian 3
+ HTTP Server: Serve Grafana with a custom URL path prefix. #17048 6, @jan25
+ InfluxDB: Fixes single quotes are not escaped in label value filters. #17398 1, @Panzki
+ Prometheus: Correctly escape ‘|’ literals in interpolated PromQL variables. #16932, @Limess
+ Prometheus: Fix when adding label for metrics which contains colons in Explore. #16760, @tolwi
+ SinglestatPanel: Remove background color when value turns null. #17552 1, @druggieri
- Make phantomjs dependency configurable
- Create plugin directory and clean up (create in %install,
add to %files) handling of /var/lib/grafana/* and
mgr-cfg:
- Remove commented code in test files
- Replace spacewalk-usix with uyuni-common-libs
- Bump version to 4.1.0 (bsc#1154940)
- Add mgr manpage links
mgr-custom-info:
- Bump version to 4.1.0 (bsc#1154940)
mgr-daemon:
- Bump version to 4.1.0 (bsc#1154940)
- Fix systemd timer configuration on SLE12 (bsc#1142038)
mgr-osad:
- Separate osa-dispatcher and jabberd so it can be disabled independently
- Replace spacewalk-usix with uyuni-common-libs
- Bump version to 4.1.0 (bsc#1154940)
- Move /usr/share/rhn/config-defaults to uyuni-base-common
- Require uyuni-base-common for /etc/rhn (for osa-dispatcher)
- Ensure bytes type when using hashlib to avoid traceback (bsc#1138822)
mgr-push:
- Replace spacewalk-usix and spacewalk-backend-libs with uyuni-common-libs
- Bump version to 4.1.0 (bsc#1154940)
mgr-virtualization:
- Replace spacewalk-usix with uyuni-common-libs
- Bump version to 4.1.0 (bsc#1154940)
- Fix mgr-virtualization timer
rhnlib:
- Fix building
- Fix malformed XML response when data contains non-ASCII chars (bsc#1154968)
- Bump version to 4.1.0 (bsc#1154940)
- Fix bootstrapping SLE11SP4 trad client with SSL enabled (bsc#1148177)
spacecmd:
- Only report real error, not result (bsc#1171687)
- Use defined return values for spacecmd methods so scripts can
check for failure (bsc#1171687)
- Disable globbing for api subcommand to allow wildcards in filter
settings (bsc#1163871)
- Bugfix: attempt to purge SSM when it is empty (bsc#1155372)
- Bump version to 4.1.0 (bsc#1154940)
- Prevent error when piping stdout in Python 2 (bsc#1153090)
- Java api expects content as encoded string instead of encoded bytes like before (bsc#1153277)
- Enable building and installing for Ubuntu 16.04 and Ubuntu 18.04
- Add unit test for schedule, errata, user, utils, misc, configchannel
and kickstart modules
- Multiple minor bugfixes alongside the unit tests
- Bugfix: referenced variable before assignment.
- Add unit test for report, package, org, repo and group
spacewalk-client-tools:
- Add workaround for uptime overflow to spacewalk-update-status as well (bsc#1165921)
- Spell correctly 'successful' and 'successfully'
- Skip dmidecode data on aarch64 to prevent coredump (bsc#1113160)
- Replace spacewalk-usix with uyuni-common-libs
- Return a non-zero exit status on errors in rhn_check
- Bump version to 4.1.0 (bsc#1154940)
- Make a explicit requirement to systemd for spacewalk-client-tools
when rhnsd timer is installed
spacewalk-koan:
- Bump version to 4.1.0 (bsc#1154940)
- Require commands we use in merge-rd.sh
spacewalk-oscap:
- Bump version to 4.1.0 (bsc#1154940)
spacewalk-remote-utils:
- Update spacewalk-create-channel with RHEL 7.7 channel definitions
- Bump version to 4.1.0 (bsc#1154940)
supportutils-plugin-susemanager-client:
- Bump version to 4.1.0 (bsc#1154940)
suseRegisterInfo:
- SuseRegisterInfo only needs perl-base, not full perl (bsc#1168310)
- Bump version to 4.1.0 (bsc#1154940)
zypp-plugin-spacewalk:
- Prevent issue with non-ASCII characters in Python 2 systems (bsc#1172462)
ModerateSUSE bug 1113160SUSE bug 1134195SUSE bug 1138822SUSE bug 1141661SUSE bug 1142038SUSE bug 1143913SUSE bug 1148177SUSE bug 1153090SUSE bug 1153277SUSE bug 1154940SUSE bug 1154968SUSE bug 1155372SUSE bug 1163871SUSE bug 1165921SUSE bug 1168310SUSE bug 1170231SUSE bug 1170557SUSE bug 1171687SUSE bug 1172462CVE-2019-10215 at SUSECVE-2019-10215 at NVDCVE-2019-15043 at SUSECVE-2019-15043 at NVDCVE-2020-12245 at SUSECVE-2020-12245 at NVDCVE-2020-13379 at SUSECVE-2020-13379 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for xrdp (Important)SUSE OpenStack Cloud Crowbar 8
This update for xrdp fixes the following issues:
- Security fixes (bsc#1173580, CVE-2020-4044):
+ Add patches:
* xrdp-cve-2020-4044-fix-0.patch
* xrdp-cve-2020-4044-fix-1.patch
+ Rebase SLE patch:
* xrdp-fate318398-change-expired-password.patch
- Update patch:
+ xrdp-Allow-sessions-with-32-bpp.patch.patch
ImportantSUSE bug 1173580CVE-2020-4044 at SUSECVE-2020-4044 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for mailman (Important)SUSE OpenStack Cloud Crowbar 8
This update for mailman fixes the following issues:
- CVE-2020-15011: Fixed a possible Arbitrary Content Injection via the private archive login page (bsc#1173369).
ImportantSUSE bug 1173369CVE-2020-15011 at SUSECVE-2020-15011 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for samba (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for samba fixes the following issues:
- CVE-2020-10745: Fixed an issue which parsing and packing of NBT and DNS packets containing dots could potentially have consumed excessive CPU (bsc#1173160).
ModerateSUSE bug 1173160CVE-2020-10745 at SUSECVE-2020-10745 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud Crowbar 8
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.28.3 (bsc#1173998):
+ Enable kinetic scrolling with async scrolling.
+ Fix web process hangs on large GitHub pages.
+ Bubblewrap sandbox should not attempt to bind empty paths.
+ Fix threading issues in the media player.
+ Fix several crashes and rendering issues.
+ Security fixes: CVE-2020-9802, CVE-2020-9803, CVE-2020-9805,
CVE-2020-9806, CVE-2020-9807, CVE-2020-9843, CVE-2020-9850,
CVE-2020-13753.
ImportantSUSE bug 1173998CVE-2020-13753 at SUSECVE-2020-13753 at NVDCVE-2020-9802 at SUSECVE-2020-9802 at NVDCVE-2020-9803 at SUSECVE-2020-9803 at NVDCVE-2020-9805 at SUSECVE-2020-9805 at NVDCVE-2020-9806 at SUSECVE-2020-9806 at NVDCVE-2020-9807 at SUSECVE-2020-9807 at NVDCVE-2020-9843 at SUSECVE-2020-9843 at NVDCVE-2020-9850 at SUSECVE-2020-9850 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for grub2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for grub2 fixes the following issues:
- Fix for CVE-2020-10713 (bsc#1168994)
- Fix for CVE-2020-14308 CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
(bsc#1173812)
- Fix for CVE-2020-15706 (bsc#1174463)
- Fix for CVE-2020-15707 (bsc#1174570)
- Use overflow checking primitives where the arithmetic expression for buffer
allocations may include unvalidated data
- Use grub_calloc for overflow check and return NULL when it would occur
- Use gcc-9 compiler for overflow check builtins
- Backport gcc-9 build fixes
- Fix packed-not-aligned error on GCC 8 (bsc#1084632)
ImportantSUSE bug 1084632SUSE bug 1168994SUSE bug 1173812SUSE bug 1174463SUSE bug 1174570CVE-2020-10713 at SUSECVE-2020-10713 at NVDCVE-2020-14308 at SUSECVE-2020-14308 at NVDCVE-2020-14309 at SUSECVE-2020-14309 at NVDCVE-2020-14310 at SUSECVE-2020-14310 at NVDCVE-2020-14311 at SUSECVE-2020-14311 at NVDCVE-2020-15706 at SUSECVE-2020-15706 at NVDCVE-2020-15707 at SUSECVE-2020-15707 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ghostscript (Important)SUSE OpenStack Cloud Crowbar 8
This update for ghostscript fixes the following issues:
- fixed CVE-2020-15900 Memory Corruption (SAFER Sandbox Breakout)
cf. https://bugs.ghostscript.com/show_bug.cgi?id=702582
(bsc#1174415)
ImportantSUSE bug 1174415CVE-2020-15900 at SUSECVE-2020-15900 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.1.0 ESR
* Fixed: Various stability, functionality, and security fixes (bsc#1174538)
* CVE-2020-15652: Potential leak of redirect targets when loading scripts in a worker
* CVE-2020-6514: WebRTC data channel leaks internal address to peer
* CVE-2020-15655: Extension APIs could be used to bypass Same-Origin Policy
* CVE-2020-15653: Bypassing iframe sandbox when allowing popups
* CVE-2020-6463: Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
* CVE-2020-15656: Type confusion for special arguments in IonMonkey
* CVE-2020-15658: Overriding file type when saving to disk
* CVE-2020-15657: DLL hijacking due to incorrect loading path
* CVE-2020-15654: Custom cursor can overlay user interface
* CVE-2020-15659: Memory safety bugs fixed in Firefox 79 and Firefox ESR 78.1
ModerateSUSE bug 1173948SUSE bug 1174538CVE-2020-15652 at SUSECVE-2020-15652 at NVDCVE-2020-15653 at SUSECVE-2020-15653 at NVDCVE-2020-15654 at SUSECVE-2020-15654 at NVDCVE-2020-15655 at SUSECVE-2020-15655 at NVDCVE-2020-15656 at SUSECVE-2020-15656 at NVDCVE-2020-15657 at SUSECVE-2020-15657 at NVDCVE-2020-15658 at SUSECVE-2020-15658 at NVDCVE-2020-15659 at SUSECVE-2020-15659 at NVDCVE-2020-6463 at SUSECVE-2020-6463 at NVDCVE-2020-6514 at SUSECVE-2020-6514 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libX11 (Important)SUSE OpenStack Cloud Crowbar 8
This update for libX11 fixes the following issues:
- Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628)
ImportantSUSE bug 1174628CVE-2020-14344 at SUSECVE-2020-14344 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-actionview-4_2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-actionview-4_2 fixes the following issues:
- Fixed a potential remote code execution of user-provided local names (bsc#1173144, CVE-2020-8163).
ImportantSUSE bug 1173144CVE-2020-8163 at SUSECVE-2020-8163 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud Crowbar 8
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-10135: Legacy pairing and secure-connections pairing authentication in Bluetooth may have allowed an unauthenticated user to complete authentication without pairing credentials via adjacent access. An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or slave to pair with a previously paired remote device to successfully complete the authentication procedure without knowing the link key (bnc#1171988).
- CVE-2020-10711: A NULL pointer dereference flaw was found in the SELinux subsystem. This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into the SELinux extensible bitmap via the' ebitmap_netlbl_import' routine. This flaw allowed a remote network user to crash the system kernel, resulting in a denial of service (bnc#1171191).
- CVE-2020-10751: A flaw was found in the SELinux LSM hook implementation, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing (bnc#1171189).
- CVE-2019-20812: An issue was discovered in the prb_calc_retire_blk_tmo() function in net/packet/af_packet.c can result in a denial of service (CPU consumption and soft lockup) in a certain failure case involving TPACKET_V3, aka CID-b43d1f9f7067 (bnc#1172453).
- CVE-2020-10732: A flaw was found in the implementation of userspace core dumps. This flaw allowed an attacker with a local account to crash a trivial program and exfiltrate private kernel data (bnc#1171220).
- CVE-2020-0305: In cdev_get of char_dev.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1174462).
- CVE-2020-12771: btree_gc_coalesce in drivers/md/bcache/btree.c had a deadlock if a coalescing operation fails (bnc#1171732).
- CVE-2020-10773: A kernel stack information leak on s390/s390x was fixed (bnc#1172999).
- CVE-2020-14416: A race condition in tty->disc_data handling in the slip and slcan line discipline could lead to a use-after-free, aka CID-0ace17d56824. This affects drivers/net/slip/slip.c and drivers/net/can/slcan.c (bnc#1162002).
- CVE-2020-13974: drivers/tty/vt/keyboard.c had an integer overflow if k_ascii is called several times in a row, aka CID-b86dab054059. (bnc#1172775).
- CVE-2019-20810: go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux kernel did not call snd_card_free for a failure path, which causes a memory leak, aka CID-9453264ef586 (bnc#1172458).
The following non-security bugs were fixed:
- Drivers: hv: Change flag to write log level in panic msg to false (bsc#1170618).
- ibmvnic: Do not process device remove during device reset (bsc#1065729).
- ibmvnic: Do not process reset during or after device removal (bsc#1149652 ltc#179635).
- ibmvnic: Flush existing work items before device removal (bsc#1065729).
- ibmvnic: Harden device login requests (bsc#1170011 ltc#183538).
- ibmvnic: Skip fatal error reset after passive init (bsc#1171078 ltc#184239).
- ibmvnic: Unmap DMA address of TX descriptor buffers after use (bsc#1146351 ltc#180726).
- ibmvnic: continue to init in CRQ reset returns H_CLOSED (bsc#1173280 ltc#185369).
- intel_idle: Graceful probe failure when MWAIT is disabled (bsc#1174115).
- mm, vmstat: reduce zone->lock holding time by /proc/pagetypeinfo (bsc#1164910).
- net/ibmvnic: Fix missing { in __ibmvnic_reset (bsc#1149652 ltc#179635).
- net/ibmvnic: free reset work of removed device from queue (bsc#1149652 ltc#179635).
- net/ibmvnic: prevent more than one thread from running in reset (bsc#1152457 ltc#174432).
- net/ibmvnic: unlock rtnl_lock in reset so linkwatch_event can run (bsc#1152457 ltc#174432).
- udp: drop corrupt packets earlier to avoid data corruption (bsc#1173658).
ImportantSUSE bug 1065729SUSE bug 1146351SUSE bug 1149652SUSE bug 1152457SUSE bug 1162002SUSE bug 1164910SUSE bug 1170011SUSE bug 1170618SUSE bug 1171078SUSE bug 1171189SUSE bug 1171191SUSE bug 1171220SUSE bug 1171732SUSE bug 1171988SUSE bug 1172453SUSE bug 1172458SUSE bug 1172775SUSE bug 1172999SUSE bug 1173280SUSE bug 1173658SUSE bug 1174115SUSE bug 1174462SUSE bug 1174543CVE-2019-20810 at SUSECVE-2019-20810 at NVDCVE-2019-20812 at SUSECVE-2019-20812 at NVDCVE-2020-0305 at SUSECVE-2020-0305 at NVDCVE-2020-10135 at SUSECVE-2020-10135 at NVDCVE-2020-10711 at SUSECVE-2020-10711 at NVDCVE-2020-10732 at SUSECVE-2020-10732 at NVDCVE-2020-10751 at SUSECVE-2020-10751 at NVDCVE-2020-10773 at SUSECVE-2020-10773 at NVDCVE-2020-12771 at SUSECVE-2020-12771 at NVDCVE-2020-13974 at SUSECVE-2020-13974 at NVDCVE-2020-14416 at SUSECVE-2020-14416 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-ipaddress (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-ipaddress fixes the following issues:
- Add CVE-2020-14422-ipaddress-hash-collision.patch fixing
CVE-2020-14422 (bsc#1173274, bpo#41004), where hash collisions
in IPv4Interface and IPv6Interface could lead to DOS.
ImportantSUSE bug 1173274CVE-2020-14422 at SUSECVE-2020-14422 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for LibVNCServer (Important)SUSE OpenStack Cloud Crowbar 8
This update for LibVNCServer fixes the following issues:
- security update
fix CVE-2018-21247 [bsc#1173874], uninitialized memory contents are vulnerable to Information leak
fix CVE-2019-20839 [bsc#1173875], buffer overflow in ConnectClientToUnixSock()
fix CVE-2019-20840 [bsc#1173876], unaligned accesses in hybiReadAndDecode can lead to denial of service
fix CVE-2020-14398 [bsc#1173880], improperly closed TCP connection causes an infinite loop in libvncclient/sockets.c
fix CVE-2020-14397 [bsc#1173700], NULL pointer dereference in libvncserver/rfbregion.c
fix CVE-2020-14399 [bsc#1173743], Byte-aligned data is accessed through uint32_t pointers in libvncclient/rfbproto.c.
fix CVE-2020-14400 [bsc#1173691], Byte-aligned data is accessed through uint16_t pointers in libvncserver/translate.c.
fix CVE-2020-14401 [bsc#1173694], potential integer overflows in libvncserver/scale.c
fix CVE-2020-14402 [bsc#1173701], out-of-bounds access via encodings.
fix CVE-2020-14403 [bsc#1173701], out-of-bounds access via encodings.
fix CVE-2020-14404 [bsc#1173701], out-of-bounds access via encodings.
fix CVE-2017-18922 [bsc#1173477], preauth buffer overwrite
ImportantSUSE bug 1173477SUSE bug 1173691SUSE bug 1173694SUSE bug 1173700SUSE bug 1173701SUSE bug 1173743SUSE bug 1173874SUSE bug 1173875SUSE bug 1173876SUSE bug 1173880CVE-2017-18922 at SUSECVE-2017-18922 at NVDCVE-2018-21247 at SUSECVE-2018-21247 at NVDCVE-2019-20839 at SUSECVE-2019-20839 at NVDCVE-2019-20840 at SUSECVE-2019-20840 at NVDCVE-2020-14397 at SUSECVE-2020-14397 at NVDCVE-2020-14398 at SUSECVE-2020-14398 at NVDCVE-2020-14399 at SUSECVE-2020-14399 at NVDCVE-2020-14400 at SUSECVE-2020-14400 at NVDCVE-2020-14401 at SUSECVE-2020-14401 at NVDCVE-2020-14402 at SUSECVE-2020-14402 at NVDCVE-2020-14403 at SUSECVE-2020-14403 at NVDCVE-2020-14404 at SUSECVE-2020-14404 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for xen (Important)SUSE OpenStack Cloud Crowbar 8
This update for xen fixes the following issues:
- bsc#1174543 - secure boot related fixes
- bsc#1163019 - CVE-2020-8608: Potential OOB access due to unsafe snprintf() usages
ImportantSUSE bug 1163019SUSE bug 1174543CVE-2020-8608 at SUSECVE-2020-8608 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for dpdk (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for dpdk to version 16.11.9 following issue:
- CVE-2019-14818: Fixed a memory leak vulnerability caused by a malicious container may lead to to denial of service (bsc#1156146).
- CVE-2020-12693: Fixed an authentication bypass via an alternate path or channel (boo#1172004).
- rebuilt with new signing key. (bsc#1174543)
ModerateSUSE bug 1156146SUSE bug 1171477SUSE bug 1171930SUSE bug 1174543CVE-2019-14818 at SUSECVE-2019-14818 at NVDCVE-2020-10722 at SUSECVE-2020-10722 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libX11 (Important)SUSE OpenStack Cloud Crowbar 8
This update for libX11 fixes the following issues:
- Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628).
ImportantSUSE bug 1174628CVE-2020-14344 at SUSECVE-2020-14344 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud Crowbar 8
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.28.4 (bsc#1174662):
+ Fix several crashes and rendering issues.
+ Security fixes: CVE-2020-9862, CVE-2020-9893, CVE-2020-9894,
CVE-2020-9895, CVE-2020-9915, CVE-2020-9925.
ImportantSUSE bug 1174662CVE-2020-9862 at SUSECVE-2020-9862 at NVDCVE-2020-9893 at SUSECVE-2020-9893 at NVDCVE-2020-9894 at SUSECVE-2020-9894 at NVDCVE-2020-9895 at SUSECVE-2020-9895 at NVDCVE-2020-9915 at SUSECVE-2020-9915 at NVDCVE-2020-9925 at SUSECVE-2020-9925 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for dovecot22 (Important)SUSE OpenStack Cloud Crowbar 8
This update for dovecot22 fixes the following issues:
- CVE-2020-12673: improper implementation of NTLM does not check message buffer size (bsc#1174922).
- CVE-2020-12674: improper implementation of RPA mechanism (bsc#1174923).
ImportantSUSE bug 1174922SUSE bug 1174923CVE-2020-12673 at SUSECVE-2020-12673 at NVDCVE-2020-12674 at SUSECVE-2020-12674 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for grub2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for grub2 fixes the following issues:
- CVE-2020-15705: Fail kernel validation without shim protocol (bsc#1174421).
- Add fibre channel device's ofpath support to grub-ofpathname and search hint to speed up root device discovery (bsc#1172745).
ImportantSUSE bug 1172745SUSE bug 1174421CVE-2020-15705 at SUSECVE-2020-15705 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for samba (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for samba fixes the following issues:
- CVE-2019-14907: Fixed a Server-side crash after charset conversion failure during NTLMSSP processing (bsc#1160888).
ModerateSUSE bug 1160888CVE-2019-14907 at SUSECVE-2019-14907 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for xorg-x11-server (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for xorg-x11-server fixes the following issues:
- CVE-2020-14347: Leak of uninitialized heap memory from the X server to clients on pixmap allocation (bsc#1174633, ZDI-CAN-11426).
- CVE-2020-14346: XIChangeHierarchy Integer Underflow Privilege Escalation Vulnerability (bsc#1174638, ZDI-CAN-11429).
- CVE-2020-14345: XKB out-of-bounds access privilege escalation vulnerability (bsc#1174635, ZDI-CAN-11428).
ModerateSUSE bug 1174633SUSE bug 1174635SUSE bug 1174638CVE-2020-14345 at SUSECVE-2020-14345 at NVDCVE-2020-14346 at SUSECVE-2020-14346 at NVDCVE-2020-14347 at SUSECVE-2020-14347 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_8_0-ibm (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 6 [bsc#1158442, bsc#1154212]
* Security fixes:
CVE-2019-2933 CVE-2019-2945 CVE-2019-2958
CVE-2019-2962 CVE-2019-2964 CVE-2019-2975
CVE-2019-2978 CVE-2019-2983 CVE-2019-2988
CVE-2019-2989 CVE-2019-2992 CVE-2019-2996
CVE-2019-2999 CVE-2019-2973 CVE-2019-2981
CVE-2019-17631
ModerateSUSE bug 1154212SUSE bug 1158442CVE-2019-17631 at SUSECVE-2019-17631 at NVDCVE-2019-2933 at SUSECVE-2019-2933 at NVDCVE-2019-2945 at SUSECVE-2019-2945 at NVDCVE-2019-2958 at SUSECVE-2019-2958 at NVDCVE-2019-2962 at SUSECVE-2019-2962 at NVDCVE-2019-2964 at SUSECVE-2019-2964 at NVDCVE-2019-2973 at SUSECVE-2019-2973 at NVDCVE-2019-2975 at SUSECVE-2019-2975 at NVDCVE-2019-2978 at SUSECVE-2019-2978 at NVDCVE-2019-2981 at SUSECVE-2019-2981 at NVDCVE-2019-2983 at SUSECVE-2019-2983 at NVDCVE-2019-2988 at SUSECVE-2019-2988 at NVDCVE-2019-2989 at SUSECVE-2019-2989 at NVDCVE-2019-2992 at SUSECVE-2019-2992 at NVDCVE-2019-2996 at SUSECVE-2019-2996 at NVDCVE-2019-2999 at SUSECVE-2019-2999 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for xorg-x11-server (Important)SUSE OpenStack Cloud Crowbar 8
This update for xorg-x11-server fixes the following issues:
- CVE-2020-14361: Fix XkbSelectEvents() integer underflow (bsc#1174910 ZDI-CAN-11573).
- CVE-2020-14362: Fix XRecordRegisterClients() Integer underflow (bsc#1174913 ZDI-CAN-11574).
ImportantSUSE bug 1174910SUSE bug 1174913CVE-2020-14361 at SUSECVE-2020-14361 at NVDCVE-2020-14362 at SUSECVE-2020-14362 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for apache2 (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for apache2 fixes the following issues:
- CVE-2020-9490: Fixed a crash caused by a specially crafted value for the 'Cache-Digest' header in a HTTP/2 request (bsc#1175071).
- CVE-2020-11985: IP address spoofing when proxying using mod_remoteip and mod_rewrite (bsc#1175072).
- CVE-2020-11993: When trace/debug was enabled for the HTTP/2 module logging statements were made on the wrong connection (bsc#1175070).
ModerateSUSE bug 1175070SUSE bug 1175071SUSE bug 1175072CVE-2020-11985 at SUSECVE-2020-11985 at NVDCVE-2020-11993 at SUSECVE-2020-11993 at NVDCVE-2020-9490 at SUSECVE-2020-9490 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_8_0-ibm (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 6 Fix Pack 15 [bsc#1175259, bsc#1174157]
CVE-2020-14577 CVE-2020-14578 CVE-2020-14579 CVE-2020-14581
CVE-2020-14556 CVE-2020-14621 CVE-2020-14593 CVE-2020-14583
CVE-2019-17639
* Class Libraries:
- JAVA.UTIL.ZIP.DEFLATER OPERATIONS THROW JAVA.LANG.INTERNALERROR
- JAVA 8 DECODER OBJECTS CONSUME A LARGE AMOUNT OF JAVA HEAP
- TRANSLATION MESSAGES UPDATE FOR JCL
- UPDATE TIMEZONE INFORMATION TO TZDATA2020A
* Java Virtual Machine:
- IBM JAVA REGISTERS A HANDLER BY DEFAULT FOR SIGABRT
- LARGE MEMORY FOOTPRINT HELD BY TRACECONTEXT OBJECT
* JIT Compiler:
- CRASH IN THE INTERPRETER AFTER OSR FROM INLINED SYNCHRONIZED METHOD
IN DEBUGGING MODE
- INTERMITTENT ASSERTION FAILURE REPORTED
- CRASH IN RESOLVECLASSREF() DURING AOT LOAD
- JIT CRASH DURING CLASS UNLOADING IN J9METHOD_HT::ONCLASSUNLOADING()
- SEGMENTATION FAULT WHILE COMPILING A METHOD
- UNEXPECTED CLASSCASTEXCEPTION THROWN IN HIGH LEVEL PARALLEL
APPLICATION ON IBM Z PLATFORM
* Security:
- CERTIFICATEEXCEPTION OCCURS WHEN FILE.ENCODING PROPERTY SET TO
NON DEFAULT VALUE
- CHANGES TO IBMJCE AND IBMJCEPLUS PROVIDERS
- IBMJCEPLUS FAILS, WHEN THE SECURITY MANAGER IS ENABLED, WITH
DEFAULT PERMISSIONS, SPECIFIED IN JAVA.POLICY FILE
- IN CERTAIN INSTANCES, IBMJCEPLUS PROVIDER THROWS EXCEPTION FROM
KEYFACTORY CLASS
ModerateSUSE bug 1174157SUSE bug 1175259CVE-2019-17639 at SUSECVE-2019-17639 at NVDCVE-2020-14556 at SUSECVE-2020-14556 at NVDCVE-2020-14577 at SUSECVE-2020-14577 at NVDCVE-2020-14578 at SUSECVE-2020-14578 at NVDCVE-2020-14579 at SUSECVE-2020-14579 at NVDCVE-2020-14581 at SUSECVE-2020-14581 at NVDCVE-2020-14583 at SUSECVE-2020-14583 at NVDCVE-2020-14593 at SUSECVE-2020-14593 at NVDCVE-2020-14621 at SUSECVE-2020-14621 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for nodejs6 (Important)SUSE OpenStack Cloud Crowbar 8
This update for nodejs6 to version 6.17.1 fixes the following issues:
Security issues fixed:
- CVE-2019-16777, CVE-2019-16776, CVE-2019-16775: Updated npm to 6.13.4, fixing
an arbitrary path overwrite and access via 'bin' field (bsc#1159352).
ImportantSUSE bug 1159352CVE-2019-16775 at SUSECVE-2019-16775 at NVDCVE-2019-16776 at SUSECVE-2019-16776 at NVDCVE-2019-16777 at SUSECVE-2019-16777 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for squid (Critical)SUSE OpenStack Cloud Crowbar 8
This update for squid fixes the following issues:
- CVE-2020-24606: Fix livelocking in peerDigestHandleReply (bsc#1175671).
- CVE-2020-15811: Improve Transfer-Encoding handling (bsc#1175665).
- CVE-2020-15810: Enforce token characters for field-name (bsc#1175664).
CriticalSUSE bug 1175664SUSE bug 1175665SUSE bug 1175671CVE-2020-15810 at SUSECVE-2020-15810 at NVDCVE-2020-15811 at SUSECVE-2020-15811 at NVDCVE-2020-24606 at SUSECVE-2020-24606 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libX11 (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for libX11 fixes the following issues:
- CVE-2020-14363: Fix an integer overflow in init_om() (bsc#1175239).
ModerateSUSE bug 1175239CVE-2020-14363 at SUSECVE-2020-14363 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_7_1-ibm (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for java-1_7_1-ibm fixes the following issues:
- Update to Java 7.1 Service Refresh 4 Fix Pack 70 [bsc#1175259, bsc#1174157]
CVE-2020-14577 CVE-2020-14578 CVE-2020-14579 CVE-2020-14621
CVE-2020-14593 CVE-2020-14583 CVE-2019-17639
* Class Libraries:
- UPDATE TIMEZONE INFORMATION TO TZDATA2020A
* Security:
- CERTIFICATEEXCEPTION OCCURS WHEN FILE.ENCODING PROPERTY SET TO
NON DEFAULT VALUE
ModerateSUSE bug 1174157SUSE bug 1175259CVE-2019-17639 at SUSECVE-2019-17639 at NVDCVE-2020-14577 at SUSECVE-2020-14577 at NVDCVE-2020-14578 at SUSECVE-2020-14578 at NVDCVE-2020-14579 at SUSECVE-2020-14579 at NVDCVE-2020-14583 at SUSECVE-2020-14583 at NVDCVE-2020-14593 at SUSECVE-2020-14593 at NVDCVE-2020-14621 at SUSECVE-2020-14621 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for aws-cli (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for aws-cli to version 1.16.297 fixes the following issues:
Security issue fixed:
- CVE-2018-15869: Fixed an permission handling issue where an unexpected AMI could potentially be used (bsc#1105988).
Non-security issues fixed:
- Fixed an issue with the CLI client, where a ModuleNotFoundError was triggered (bsc#1092493).
ModerateSUSE bug 1092493SUSE bug 1105988SUSE bug 1118021SUSE bug 1118024SUSE bug 1118099CVE-2018-15869 at SUSECVE-2018-15869 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.2.0 ESR
* Fixed: Various stability, functionality, and security fixes
- Mozilla Firefox ESR 78.2
MFSA 2020-38 (bsc#1175686)
* CVE-2020-15663 (bmo#1643199)
Downgrade attack on the Mozilla Maintenance Service could
have resulted in escalation of privilege
* CVE-2020-15664 (bmo#1658214)
Attacker-induced prompt for extension installation
* CVE-2020-15670 (bmo#1651001, bmo#1651449, bmo#1653626,
bmo#1656957)
Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2
- Fixed Firefox tab crash in FIPS mode (bsc#1174284).
- Fix broken translation-loading. (bsc#1173991)
* allow addon sideloading
* mark signatures for langpacks non-mandatory
* do not autodisable user profile scopes
- Google API key is not usable for geolocation service any more
ModerateSUSE bug 1173991SUSE bug 1174284SUSE bug 1175686CVE-2020-15663 at SUSECVE-2020-15663 at NVDCVE-2020-15664 at SUSECVE-2020-15664 at NVDCVE-2020-15670 at SUSECVE-2020-15670 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud Crowbar 8
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-14314: Fixed a potential negative array index in do_split() (bsc#1173798).
- CVE-2020-14331: Fixed a missing check in vgacon scrollback handling (bsc#1174205).
- CVE-2020-16166: Fixed a potential issue which could have allowed remote attackers to make observations that help to obtain sensitive information about the internal state of the network RNG (bsc#1174757).
- CVE-2019-16746: Fixed an improper check of the length of variable elements in a beacon head, leading to a buffer overflow (bsc#1152107).
- CVE-2020-14386: Fixed a potential local privilege escalation via memory corruption (bsc#1176069).
The following non-security bugs were fixed:
- bonding: fix active-backup failover for current ARP slave (bsc#1174771).
- Drivers: hv: vmbus: Only notify Hyper-V for die events that are oops (bsc#1175127).
- ibmvnic: Fix IRQ mapping disposal in error path (bsc#1175112 ltc#187459).
- mm, vmstat: reduce zone->lock holding time by /proc/pagetypeinfo (bsc#1175691).
- ocfs2: add trimfs dlm lock resource (bsc#1175228).
- ocfs2: add trimfs lock to avoid duplicated trims in cluster (bsc#1175228).
- ocfs2: fix the application IO timeout when fstrim is running (bsc#1175228).
ImportantSUSE bug 1152107SUSE bug 1173798SUSE bug 1174205SUSE bug 1174757SUSE bug 1174771SUSE bug 1175112SUSE bug 1175127SUSE bug 1175228SUSE bug 1175691SUSE bug 1176069CVE-2019-16746 at SUSECVE-2019-16746 at NVDCVE-2020-14314 at SUSECVE-2020-14314 at NVDCVE-2020-14331 at SUSECVE-2020-14331 at NVDCVE-2020-14386 at SUSECVE-2020-14386 at NVDCVE-2020-16166 at SUSECVE-2020-16166 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_8_0-openjdk (Important)SUSE OpenStack Cloud Crowbar 8
This update for java-1_8_0-openjdk fixes the following issues:
Update java-1_8_0-openjdk to version jdk8u242 (icedtea 3.15.0) (January 2020 CPU, bsc#1160968):
- CVE-2020-2583: Unlink Set of LinkedHashSets
- CVE-2020-2590: Improve Kerberos interop capabilities
- CVE-2020-2593: Normalize normalization for all
- CVE-2020-2601: Better Ticket Granting Services
- CVE-2020-2604: Better serial filter handling
- CVE-2020-2659: Enhance datagram socket support
- CVE-2020-2654: Improve Object Identifier Processing
ImportantSUSE bug 1160968CVE-2020-2583 at SUSECVE-2020-2583 at NVDCVE-2020-2590 at SUSECVE-2020-2590 at NVDCVE-2020-2593 at SUSECVE-2020-2593 at NVDCVE-2020-2601 at SUSECVE-2020-2601 at NVDCVE-2020-2604 at SUSECVE-2020-2604 at NVDCVE-2020-2654 at SUSECVE-2020-2654 at NVDCVE-2020-2659 at SUSECVE-2020-2659 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for tomcat (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for tomcat fixes the following issues:
- CVE-2020-1935: Fixed an HTTP request smuggling vulnerability (bsc#1164860).
- CVE-2020-13935: Fixed a WebSocket DoS (bsc#1174117).
ModerateSUSE bug 1164860SUSE bug 1174117CVE-2020-13935 at SUSECVE-2020-13935 at NVDCVE-2020-1935 at SUSECVE-2020-1935 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for shim (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for shim fixes the following issues:
- Update to the unified shim binary from SUSE Linux Enterprise 15-SP1 (bsc#1168994)
This update addresses the 'BootHole' security issue (master CVE CVE-2020-10713), by
disallowing binaries signed by the previous SUSE UEFI signing key from booting.
This update should only be installed after updates of grub2, the Linux kernel and (if used)
Xen from July / August 2020 are applied.
Additional fixes:
+ shim-install: install MokManager to \EFI\boot to process the pending MOK request (bsc#1175626, bsc#1175656)
ModerateSUSE bug 1168994SUSE bug 1175626SUSE bug 1175656CVE-2020-10713 at SUSECVE-2020-10713 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libsolv (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for libsolv fixes the following issues:
This is a reissue of an existing libsolv update that also included libsolv-devel for LTSS products.
libsolv was updated to version 0.6.36 fixes the following issues:
Security issues fixed:
- CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
- CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
- CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).
Non-security issues fixed:
- Made cleandeps jobs on patterns work (bsc#1137977).
- Fixed an issue multiversion packages that obsolete their own name (bsc#1127155).
- Keep consistent package name if there are multiple alternatives (bsc#1131823).
ModerateSUSE bug 1120629SUSE bug 1120630SUSE bug 1120631SUSE bug 1127155SUSE bug 1131823SUSE bug 1137977CVE-2018-20532 at SUSECVE-2018-20532 at NVDCVE-2018-20533 at SUSECVE-2018-20533 at NVDCVE-2018-20534 at SUSECVE-2018-20534 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for perl-DBI (Important)SUSE OpenStack Cloud Crowbar 8
This update for perl-DBI fixes the following issues:
Security issues fixed:
- CVE-2020-14392: Memory corruption in XS functions when Perl stack is reallocated (bsc#1176412).
- CVE-2020-14393: Fixed a buffer overflow on an overlong DBD class name (bsc#1176409).
ImportantSUSE bug 1176409SUSE bug 1176412CVE-2020-14392 at SUSECVE-2020-14392 at NVDCVE-2020-14393 at SUSECVE-2020-14393 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-rack (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-rack to version 1.6.13 fixes the following issues:
- CVE-2020-8184: Fixed an issue where percent-encoded cookies could have been used to overwrite existing prefixed cookie names (bsc#1173351).
- CVE-2020-8161: Fixed a directory traversal (bsc#1172037).
- CVE-2019-16782: Fixed an information leak / session hijack vulnerability (bsc#1159548).
ModerateSUSE bug 1159548SUSE bug 1172037SUSE bug 1173351CVE-2019-16782 at SUSECVE-2019-16782 at NVDCVE-2020-8161 at SUSECVE-2020-8161 at NVDCVE-2020-8184 at SUSECVE-2020-8184 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-actionview-4_2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-actionview-4_2 fixes the following issues:
- CVE-2020-15169: Fix cross-site scripting in translation helpers (bsc#1176421)
ImportantSUSE bug 1176421CVE-2020-15169 at SUSECVE-2020-15169 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python3 (Important)SUSE OpenStack Cloud Crowbar 8
This update for python3 fixes the following issues:
- CVE-2019-20907: Fixed denial of service by avoiding possible infinite loop in specifically crafted tarball (bsc#1174091).
- CVE-2020-14422: Fixed an improper computation of hash values in the IPv4Interface and IPv6Interface
could have led to denial of service (bsc#1173274).
- CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238).
- CVE-2019-9947: Fixed an issue in urllib2 which allowed CRLF injection if the attacker controls a url parameter (bsc#1130840).
- If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423).
ImportantSUSE bug 1088004SUSE bug 1088009SUSE bug 1130840SUSE bug 1141853SUSE bug 1149955SUSE bug 1153238SUSE bug 1162423SUSE bug 1173274SUSE bug 1174091SUSE bug 1174701CVE-2018-14647 at SUSECVE-2018-14647 at NVDCVE-2018-20852 at SUSECVE-2018-20852 at NVDCVE-2019-16056 at SUSECVE-2019-16056 at NVDCVE-2019-16935 at SUSECVE-2019-16935 at NVDCVE-2019-20907 at SUSECVE-2019-20907 at NVDCVE-2019-9947 at SUSECVE-2019-9947 at NVDCVE-2020-14422 at SUSECVE-2020-14422 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for samba (Important)SUSE OpenStack Cloud Crowbar 8
This update for samba fixes the following issues:
- ZeroLogon: An elevation of privilege was possible with some configurations when an attacker established
a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC)
(CVE-2020-1472, bsc#1176579).
- Fixed an issue where multiple home folders were created(bsc#1174316, bso#13369).
- Fixed an issue where the net command was unable to negotiate SMB2 (bsc#1174120);
ImportantSUSE bug 1174120SUSE bug 1174316SUSE bug 1176579CVE-2020-1472 at SUSECVE-2020-1472 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-pip (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-pip fixes the following issues:
- CVE-2019-20916: Fixed a directory traversal in _download_http_url (bsc#1176262)
ModerateSUSE bug 1176262CVE-2019-20916 at SUSECVE-2019-20916 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libqt5-qtbase (Important)SUSE OpenStack Cloud Crowbar 8
This update for libqt5-qtbase fixes the following issues:
- CVE-2020-17507: Fixed a buffer overflow in XBM parser (bsc#1176315)
- Made handling of XDG_RUNTIME_DIR more secure (bsc#1172515)
ImportantSUSE bug 1172515SUSE bug 1176315CVE-2020-17507 at SUSECVE-2020-17507 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
-Firefox was updated to 78.3.0 ESR (bsc#1176756, MFSA 2020-43)
- CVE-2020-15677: Download origin spoofing via redirect
- CVE-2020-15676: Fixed an XSS when pasting attacker-controlled data into a
contenteditable element
- CVE-2020-15678: When recursing through layers while scrolling, an iterator
may have become invalid, resulting in a potential use-after-free scenario
- CVE-2020-15673: Fixed memory safety bugs
- Enhance fix for wayland-detection (bsc#1174420)
- Attempt to fix langpack-parallelization by introducing separate
obj-dirs for each lang (bsc#1173986, bsc#1167976)
ImportantSUSE bug 1167976SUSE bug 1173986SUSE bug 1174420SUSE bug 1176756CVE-2020-15673 at SUSECVE-2020-15673 at NVDCVE-2020-15676 at SUSECVE-2020-15676 at NVDCVE-2020-15677 at SUSECVE-2020-15677 at NVDCVE-2020-15678 at SUSECVE-2020-15678 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for xen (Important)SUSE OpenStack Cloud Crowbar 8
This update for xen fixes the following issues:
- CVE-2020-25604: Fixed a race condition when migrating timers between x86
HVM vCPU-s (bsc#1176343,XSA-336)
- CVE-2020-25595: Fixed an issue where PCI passthrough code was reading back hardware registers (bsc#1176344,XSA-337)
- CVE-2020-25597: Fixed an issue where a valid event channels may not turn invalid (bsc#1176346,XSA-338)
- CVE-2020-25596: Fixed a potential denial of service in x86 pv guest kernel via SYSENTER (bsc#1176345,XSA-339)
- CVE-2020-25603: Fixed an issue due to missing barriers when accessing/allocating an event channel (bsc#1176347,XSA-340)
- CVE-2020-25600: Fixed out of bounds event channels available to 32-bit x86 domains (bsc#1176348,XSA-342)
- CVE-2020-25599: Fixed race conditions with evtchn_reset() (bsc#1176349,XSA-343)
- CVE-2020-25601: Fixed an issue due to lack of preemption in evtchn_reset() / evtchn_destroy() (bsc#1176350,XSA-344)
- CVE-2020-14364: Fixed an out-of-bounds read/write access while processing usb packets (bsc#1175534).
- Various bug fixes (bsc#1027519)
ImportantSUSE bug 1175534SUSE bug 1176343SUSE bug 1176344SUSE bug 1176345SUSE bug 1176346SUSE bug 1176347SUSE bug 1176348SUSE bug 1176349SUSE bug 1176350CVE-2020-14364 at SUSECVE-2020-14364 at NVDCVE-2020-25595 at SUSECVE-2020-25595 at NVDCVE-2020-25596 at SUSECVE-2020-25596 at NVDCVE-2020-25597 at SUSECVE-2020-25597 at NVDCVE-2020-25599 at SUSECVE-2020-25599 at NVDCVE-2020-25600 at SUSECVE-2020-25600 at NVDCVE-2020-25601 at SUSECVE-2020-25601 at NVDCVE-2020-25603 at SUSECVE-2020-25603 at NVDCVE-2020-25604 at SUSECVE-2020-25604 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for perl-DBI (Important)SUSE OpenStack Cloud Crowbar 8
This update for perl-DBI fixes the following issues:
- CVE-2019-20919: Fixed a NULL profile dereference in dbi_profile (bsc#1176764).
- CVE-2013-7490: Fixed memory corruption when using many arguments
to methods for CallbacksUsing (bsc#1176496).
ImportantSUSE bug 1176496SUSE bug 1176764CVE-2013-7490 at SUSECVE-2013-7490 at NVDCVE-2019-20919 at SUSECVE-2019-20919 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_7_0-openjdk (Important)SUSE OpenStack Cloud Crowbar 8
This update for java-1_7_0-openjdk fixes the following issues:
- java-1_7_0-openjdk was updated to 2.6.23 (July 2020 CPU, bsc#1174157)
- JDK-8028431, CVE-2020-14579: NullPointerException in
- DerValue.equals(DerValue)
- JDK-8028591, CVE-2020-14578: NegativeArraySizeException in
- sun.security.util.DerInputStream.getUnalignedBitString()
- JDK-8230613: Better ASCII conversions
- JDK-8231800: Better listing of arrays
- JDK-8232014: Expand DTD support
- JDK-8233255: Better Swing Buttons
- JDK-8234032: Improve basic calendar services
- JDK-8234042: Better factory production of certificates
- JDK-8234418: Better parsing with CertificateFactory
- JDK-8234836: Improve serialization handling
- JDK-8236191: Enhance OID processing
- JDK-8237592, CVE-2020-14577: Enhance certificate verification
- JDK-8238002, CVE-2020-14581: Better matrix operations
- JDK-8238804: Enhance key handling process
- JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable
- JDK-8238843: Enhanced font handing
- JDK-8238920, CVE-2020-14583: Better Buffer support
- JDK-8238925: Enhance WAV file playback
- JDK-8240119, CVE-2020-14593: Less Affine Transformations
- JDK-8240482: Improved WAV file playback
- JDK-8241379: Update JCEKS support
- JDK-8241522: Manifest improved jar headers redux
- JDK-8242136, CVE-2020-14621: Better XML namespace handling
- JDK-8040113: File not initialized in src/share/native/sun/awt/giflib/dgif_lib.c
- JDK-8054446: Repeated offer and remove on ConcurrentLinkedQueue lead to an OutOfMemoryError
- JDK-8077982: GIFLIB upgrade
- JDK-8081315: 8077982 giflib upgrade breaks system giflib builds with earlier versions
- JDK-8147087: Race when reusing PerRegionTable bitmaps may result in dropped remembered set entries
- JDK-8151582: (ch) test java/nio/channels/AsyncCloseAndInterrupt.java failing due to 'Connection succeeded'
- JDK-8155691: Update GIFlib library to the latest up-to-date
- JDK-8181841: A TSA server returns timestamp with precision higher than milliseconds
- JDK-8203190: SessionId.hashCode generates too many collisions
- JDK-8217676: Upgrade libpng to 1.6.37
- JDK-8220495: Update GIFlib library to the 5.1.8
- JDK-8226892: ActionListeners on JRadioButtons don't get notified when selection is changed with arrow keys
- JDK-8229899: Make java.io.File.isInvalid() less racy
- JDK-8230597: Update GIFlib library to the 5.2.1
- JDK-8230769: BufImg_SetupICM add ReleasePrimitiveArrayCritical call in early return
- JDK-8243541: (tz) Upgrade time-zone data to tzdata2020a
- JDK-8244548: JDK 8u: sun.misc.Version.jdkUpdateVersion() returns wrong result
ImportantSUSE bug 1174157CVE-2020-14577 at SUSECVE-2020-14577 at NVDCVE-2020-14578 at SUSECVE-2020-14578 at NVDCVE-2020-14579 at SUSECVE-2020-14579 at NVDCVE-2020-14581 at SUSECVE-2020-14581 at NVDCVE-2020-14583 at SUSECVE-2020-14583 at NVDCVE-2020-14593 at SUSECVE-2020-14593 at NVDCVE-2020-14621 at SUSECVE-2020-14621 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for tigervnc (Critical)SUSE OpenStack Cloud Crowbar 8
This update for tigervnc fixes the following issues:
- CVE-2020-26117: Server certificates were stored as certiticate
authorities, allowing malicious owners of these certificates
to impersonate any server after a client had added an exception
(bsc#1176733).
CriticalSUSE bug 1176733CVE-2020-26117 at SUSECVE-2020-26117 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libproxy (Important)SUSE OpenStack Cloud Crowbar 8
This update for libproxy fixes the following issues:
- CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
- CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).
ImportantSUSE bug 1176410SUSE bug 1177143CVE-2020-25219 at SUSECVE-2020-25219 at NVDCVE-2020-26154 at SUSECVE-2020-26154 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-activesupport-4_2 (Critical)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-activesupport-4_2 fixes the following issues:
- CVE-2020-8165: Fixed deserialization of untrusted data in MemCacheStore potentially resulting in remote code execution (bsc#1172186)
CriticalSUSE bug 1172186CVE-2020-8165 at SUSECVE-2020-8165 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for freetype2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for freetype2 fixes the following issues:
- CVE-2020-15999: fixed a heap buffer overflow found in the handling of embedded PNG bitmaps (bsc#1177914).
ImportantSUSE bug 1177914CVE-2020-15999 at SUSECVE-2020-15999 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for glibc (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for glibc fixes the following issues:
- CVE-2020-10029: Fixed a stack corruption from range reduction of pseudo-zero (bsc#1165784)
- Use posix_spawn on popen (bsc#1149332, bsc#1176013)
- Correct locking and cancellation cleanup in syslog functions (bsc#1172085)
- Fixed concurrent changes on nscd aware files (bsc#1171878)
ModerateSUSE bug 1149332SUSE bug 1165784SUSE bug 1171878SUSE bug 1172085SUSE bug 1176013CVE-2020-10029 at SUSECVE-2020-10029 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.4.0 ESR
* Fixed: Various stability, functionality, and security fixes MFSA 2020-46 (bsc#1177872, bsc#1176756)
* CVE-2020-15969 Use-after-free in usersctp
* CVE-2020-15683 Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4
* Fixed: Fixed legacy preferences not being properly applied when set via GPO
ImportantSUSE bug 1176756SUSE bug 1177872CVE-2020-15683 at SUSECVE-2020-15683 at NVDCVE-2020-15969 at SUSECVE-2020-15969 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for spice (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for spice fixes the following issues:
- CVE-2020-14355: Fixed multiple buffer overflow vulnerabilities in QUIC image decoding (bsc#1177158).
ModerateSUSE bug 1177158CVE-2020-14355 at SUSECVE-2020-14355 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for spice-gtk (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for spice-gtk fixes the following issues:
- CVE-2020-14355: Fixed multiple buffer overflow vulnerabilities in QUIC image decoding (bsc#1177158).
ModerateSUSE bug 1177158CVE-2020-14355 at SUSECVE-2020-14355 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for samba (Important)SUSE OpenStack Cloud Crowbar 8
This update for samba fixes the following issues:
- CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records (bsc#1177613).
- CVE-2020-14323: Unprivileged user can crash winbind (bsc#1173994).
- CVE-2020-14318: Missing permissions check in SMB1/2/3 ChangeNotify (bsc#1173902).
ImportantSUSE bug 1173902SUSE bug 1173994SUSE bug 1177613CVE-2020-14318 at SUSECVE-2020-14318 at NVDCVE-2020-14323 at SUSECVE-2020-14323 at NVDCVE-2020-14383 at SUSECVE-2020-14383 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libvirt (Important)SUSE OpenStack Cloud Crowbar 8
This update for libvirt fixes the following issues:
CVE-2020-15708: Added a note to libvirtd.conf about polkit auth in SUSE distros (bsc#1174955).
CVE-2020-25637: Fixed a double free in qemuAgentGetInterfaces() (bsc#1177155).
ImportantSUSE bug 1174955SUSE bug 1177155CVE-2020-15708 at SUSECVE-2020-15708 at NVDCVE-2020-25637 at SUSECVE-2020-25637 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for sane-backends (Important)SUSE OpenStack Cloud Crowbar 8
This update for sane-backends fixes the following issues:
- sane-backends version upgrade to 1.0.31:
* sane-backends version upgrade to 1.0.30
fixes memory corruption bugs CVE-2020-12861, CVE-2020-12862,
CVE-2020-12863, CVE-2020-12864, CVE-2020-12865,
CVE-2020-12866, CVE-2020-12867 (bsc#1172524)
* sane-backends version upgrade to 1.0.31
to further improve hardware enablement for scanner devices
(jsc#SLE-15561 and jsc#SLE-15560 with jsc#ECO-2418)
* The new escl backend cannot be provided for SLE12 because
it requires more additional software (avahi-client, libcurl,
and libpoppler-glib-devel) where in particular for libcurl
the one that is in SLE12 (via libcurl-devel-7.37.0) is likely
too old because with that building the escl backend fails with
'escl/escl.c:1267:34: error: 'CURLOPT_UNIX_SOCKET_PATH'
undeclared curl_easy_setopt(handle, CURLOPT_UNIX_SOCKET_PATH'
ImportantSUSE bug 1172524CVE-2017-6318 at SUSECVE-2017-6318 at NVDCVE-2020-12861 at SUSECVE-2020-12861 at NVDCVE-2020-12862 at SUSECVE-2020-12862 at NVDCVE-2020-12863 at SUSECVE-2020-12863 at NVDCVE-2020-12864 at SUSECVE-2020-12864 at NVDCVE-2020-12865 at SUSECVE-2020-12865 at NVDCVE-2020-12866 at SUSECVE-2020-12866 at NVDCVE-2020-12867 at SUSECVE-2020-12867 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for apache-commons-httpclient (Important)SUSE OpenStack Cloud Crowbar 8
This update for apache-commons-httpclient fixes the following issues:
- http/conn/ssl/SSLConnectionSocketFactory.java ignores the
http.socket.timeout configuration setting during an SSL handshake,
which allows remote attackers to cause a denial of service (HTTPS
call hang) via unspecified vectors. [bsc#945190, CVE-2015-5262]
- org.apache.http.conn.ssl.AbstractVerifier does not properly
verify that the server hostname matches a domain name in the
subject's Common Name (CN) or subjectAltName field of the X.509
certificate, which allows MITM attackers to spoof SSL servers
via a 'CN=' string in a field in the distinguished name (DN)
of a certificate. [bsc#1178171, CVE-2014-3577]
ImportantSUSE bug 1178171SUSE bug 945190CVE-2014-3577 at SUSECVE-2014-3577 at NVDCVE-2015-5262 at SUSECVE-2015-5262 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_8_0-openjdk (Important)SUSE OpenStack Cloud Crowbar 8
This update for java-1_8_0-openjdk fixes the following issues:
- Fix regression '8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)',
introduced in October 2020 CPU.
- Update to version jdk8u272 (icedtea 3.17.0) (July 2020 CPU,
bsc#1174157, and October 2020 CPU, bsc#1177943)
* New features
+ JDK-8245468: Add TLSv1.3 implementation classes from 11.0.7
+ PR3796: Allow the number of curves supported to be specified
* Security fixes
+ JDK-8028431, CVE-2020-14579: NullPointerException in
DerValue.equals(DerValue)
+ JDK-8028591, CVE-2020-14578: NegativeArraySizeException in
sun.security.util.DerInputStream.getUnalignedBitString()
+ JDK-8230613: Better ASCII conversions
+ JDK-8231800: Better listing of arrays
+ JDK-8232014: Expand DTD support
+ JDK-8233255: Better Swing Buttons
+ JDK-8233624: Enhance JNI linkage
+ JDK-8234032: Improve basic calendar services
+ JDK-8234042: Better factory production of certificates
+ JDK-8234418: Better parsing with CertificateFactory
+ JDK-8234836: Improve serialization handling
+ JDK-8236191: Enhance OID processing
+ JDK-8236196: Improve string pooling
+ JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
+ JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior
+ JDK-8237592, CVE-2020-14577: Enhance certificate verification
+ JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
+ JDK-8237995, CVE-2020-14782: Enhance certificate processing
+ JDK-8238002, CVE-2020-14581: Better matrix operations
+ JDK-8238804: Enhance key handling process
+ JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable
+ JDK-8238843: Enhanced font handing
+ JDK-8238920, CVE-2020-14583: Better Buffer support
+ JDK-8238925: Enhance WAV file playback
+ JDK-8240119, CVE-2020-14593: Less Affine Transformations
+ JDK-8240124: Better VM Interning
+ JDK-8240482: Improved WAV file playback
+ JDK-8241114, CVE-2020-14792: Better range handling
+ JDK-8241379: Update JCEKS support
+ JDK-8241522: Manifest improved jar headers redux
+ JDK-8242136, CVE-2020-14621: Better XML namespace handling
+ JDK-8242680, CVE-2020-14796: Improved URI Support
+ JDK-8242685, CVE-2020-14797: Better Path Validation
+ JDK-8242695, CVE-2020-14798: Enhanced buffer support
+ JDK-8243302: Advanced class supports
+ JDK-8244136, CVE-2020-14803: Improved Buffer supports
+ JDK-8244479: Further constrain certificates
+ JDK-8244955: Additional Fix for JDK-8240124
+ JDK-8245407: Enhance zoning of times
+ JDK-8245412: Better class definitions
+ JDK-8245417: Improve certificate chain handling
+ JDK-8248574: Improve jpeg processing
+ JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
+ JDK-8253019: Enhanced JPEG decoding
* Import of OpenJDK 8 u262 build 01
+ JDK-4949105: Access Bridge lacks html tags parsing
+ JDK-8003209: JFR events for network utilization
+ JDK-8030680: 292 cleanup from default method code assessment
+ JDK-8035633: TEST_BUG: java/net/NetworkInterface/Equals.java
and some tests failed on windows intermittently
+ JDK-8041626: Shutdown tracing event
+ JDK-8141056: Erroneous assignment in HeapRegionSet.cpp
+ JDK-8149338: JVM Crash caused by Marlin renderer not handling
NaN coordinates
+ JDK-8151582: (ch) test java/nio/channels/
/AsyncCloseAndInterrupt.java failing due to 'Connection
succeeded'
+ JDK-8165675: Trace event for thread park has incorrect unit
for timeout
+ JDK-8176182: 4 security tests are not run
+ JDK-8178910: Problemlist sample tests
+ JDK-8183925: Decouple crash protection from watcher thread
+ JDK-8191393: Random crashes during cfree+0x1c
+ JDK-8195817: JFR.stop should require name of recording
+ JDK-8195818: JFR.start should increase autogenerated name by
one
+ JDK-8195819: Remove recording=x from jcmd JFR.check output
+ JDK-8199712: Flight Recorder
+ JDK-8202578: Revisit location for class unload events
+ JDK-8202835: jfr/event/os/TestSystemProcess.java fails on
missing events
+ JDK-8203287: Zero fails to build after JDK-8199712 (Flight
Recorder)
+ JDK-8203346: JFR: Inconsistent signature of
jfr_add_string_constant
+ JDK-8203664: JFR start failure after AppCDS archive created
with JFR StartFlightRecording
+ JDK-8203921: JFR thread sampling is missing fixes from
JDK-8194552
+ JDK-8203929: Limit amount of data for JFR.dump
+ JDK-8205516: JFR tool
+ JDK-8207392: [PPC64] Implement JFR profiling
+ JDK-8207829: FlightRecorderMXBeanImpl is leaking the first
classloader which calls it
+ JDK-8209960: -Xlog:jfr* doesn't work with the JFR
+ JDK-8210024: JFR calls virtual is_Java_thread from ~Thread()
+ JDK-8210776: Upgrade X Window System 6.8.2 to the latest XWD
1.0.7
+ JDK-8211239: Build fails without JFR: empty JFR events
signatures mismatch
+ JDK-8212232: Wrong metadata for the configuration of the
cutoff for old object sample events
+ JDK-8213015: Inconsistent settings between JFR.configure and
-XX:FlightRecorderOptions
+ JDK-8213421: Line number information for execution samples
always 0
+ JDK-8213617: JFR should record the PID of the recorded process
+ JDK-8213734: SAXParser.parse(File, ..) does not close
resources when Exception occurs.
+ JDK-8213914: [TESTBUG] Several JFR VM events are not covered
by tests
+ JDK-8213917: [TESTBUG] Shutdown JFR event is not covered by
test
+ JDK-8213966: The ZGC JFR events should be marked as
experimental
+ JDK-8214542: JFR: Old Object Sample event slow on a deep heap
in debug builds
+ JDK-8214750: Unnecessary <p> tags in jfr classes
+ JDK-8214896: JFR Tool left files behind
+ JDK-8214906: [TESTBUG] jfr/event/sampling/TestNative.java
fails with UnsatisfiedLinkError
+ JDK-8214925: JFR tool fails to execute
+ JDK-8215175: Inconsistencies in JFR event metadata
+ JDK-8215237: jdk.jfr.Recording javadoc does not compile
+ JDK-8215284: Reduce noise induced by periodic task
getFileSize()
+ JDK-8215355: Object monitor deadlock with no threads holding
the monitor (using jemalloc 5.1)
+ JDK-8215362: JFR GTest JfrTestNetworkUtilization fails
+ JDK-8215771: The jfr tool should pretty print reference chains
+ JDK-8216064: -XX:StartFlightRecording:settings= doesn't work
properly
+ JDK-8216486: Possibility of integer overflow in
JfrThreadSampler::run()
+ JDK-8216528: test/jdk/java/rmi/transport/
/runtimeThreadInheritanceLeak/
/RuntimeThreadInheritanceLeak.java failing with Xcomp
+ JDK-8216559: [JFR] Native libraries not correctly parsed from
/proc/self/maps
+ JDK-8216578: Remove unused/obsolete method in JFR code
+ JDK-8216995: Clean up JFR command line processing
+ JDK-8217744: [TESTBUG] JFR TestShutdownEvent fails on some
systems due to process surviving SIGINT
+ JDK-8217748: [TESTBUG] Exclude TestSig test case from JFR
TestShutdownEvent
+ JDK-8218935: Make jfr strncpy uses GCC 8.x friendly
+ JDK-8223147: JFR Backport
+ JDK-8223689: Add JFR Thread Sampling Support
+ JDK-8223690: Add JFR BiasedLock Event Support
+ JDK-8223691: Add JFR G1 Region Type Change Event Support
+ JDK-8223692: Add JFR G1 Heap Summary Event Support
+ JDK-8224172: assert(jfr_is_event_enabled(id)) failed:
invariant
+ JDK-8224475: JTextPane does not show images in HTML rendering
+ JDK-8226253: JAWS reports wrong number of radio buttons when
buttons are hidden.
+ JDK-8226779: [TESTBUG] Test JFR API from Java agent
+ JDK-8226892: ActionListeners on JRadioButtons don't get
notified when selection is changed with arrow keys
+ JDK-8227011: Starting a JFR recording in response to JVMTI
VMInit and / or Java agent premain corrupts memory
+ JDK-8227605: Kitchensink fails 'assert((((klass)->trace_id()
& (JfrTraceIdEpoch::leakp_in_use_this_epoch_bit())) != 0))
failed: invariant'
+ JDK-8229366: JFR backport allows unchecked writing to memory
+ JDK-8229401: Fix JFR code cache test failures
+ JDK-8229708: JFR backport code does not initialize
+ JDK-8229873: 8229401 broke jdk8u-jfr-incubator
+ JDK-8230448: [test] JFRSecurityTestSuite.java is failing on
Windows
+ JDK-8230707: JFR related tests are failing
+ JDK-8230782: Robot.createScreenCapture() fails if
'awt.robot.gtk' is set to false
+ JDK-8230856: Java_java_net_NetworkInterface_getByName0 on
unix misses ReleaseStringUTFChars in early return
+ JDK-8230947: TestLookForUntestedEvents.java is failing after
JDK-8230707
+ JDK-8231995: two jtreg tests failed after 8229366 is fixed
+ JDK-8233623: Add classpath exception to copyright in
EventHandlerProxyCreator.java file
+ JDK-8236002: CSR for JFR backport suggests not leaving out
the package-info
+ JDK-8236008: Some backup files were accidentally left in the
hotspot tree
+ JDK-8236074: Missed package-info
+ JDK-8236174: Should update javadoc since tags
+ JDK-8238076: Fix OpenJDK 7 Bootstrap Broken by JFR Backport
+ JDK-8238452: Keytool generates wrong expiration date if
validity is set to 2050/01/01
+ JDK-8238555: Allow Initialization of SunPKCS11 with NSS when
there are external FIPS modules in the NSSDB
+ JDK-8238589: Necessary code cleanup in JFR for JDK8u
+ JDK-8238590: Enable JFR by default during compilation in 8u
+ JDK-8239055: Wrong implementation of VMState.hasListener
+ JDK-8239476: JDK-8238589 broke windows build by moving
OrderedPair
+ JDK-8239479: minimal1 and zero builds are failing
+ JDK-8239867: correct over use of INCLUDE_JFR macro
+ JDK-8240375: Disable JFR by default for July 2020 release
+ JDK-8241444: Metaspace::_class_vsm not initialized if
compressed class pointers are disabled
+ JDK-8241902: AIX Build broken after integration of
JDK-8223147 (JFR Backport)
+ JDK-8242788: Non-PCH build is broken after JDK-8191393
* Import of OpenJDK 8 u262 build 02
+ JDK-8130737: AffineTransformOp can't handle child raster with
non-zero x-offset
+ JDK-8172559: [PIT][TEST_BUG] Move @test to be 1st annotation
in java/awt/image/Raster/TestChildRasterOp.java
+ JDK-8230926: [macosx] Two apostrophes are entered instead of
one with 'U.S. International - PC' layout
+ JDK-8240576: JVM crashes after transformation in C2
IdealLoopTree::merge_many_backedges
+ JDK-8242883: Incomplete backport of JDK-8078268: backport
test part
* Import of OpenJDK 8 u262 build 03
+ JDK-8037866: Replace the Fun class in tests with lambdas
+ JDK-8146612: C2: Precedence edges specification violated
+ JDK-8150986: serviceability/sa/jmap-hprof/
/JMapHProfLargeHeapTest.java failing because expects HPROF
JAVA PROFILE 1.0.1 file format
+ JDK-8229888: (zipfs) Updating an existing zip file does not
preserve original permissions
+ JDK-8230597: Update GIFlib library to the 5.2.1
+ JDK-8230769: BufImg_SetupICM add
ReleasePrimitiveArrayCritical call in early return
+ JDK-8233880, PR3798: Support compilers with multi-digit major
version numbers
+ JDK-8239852: java/util/concurrent tests fail with
-XX:+VerifyGraphEdges: assert(!VerifyGraphEdges) failed:
verification should have failed
+ JDK-8241638: launcher time metrics always report 1 on Linux
when _JAVA_LAUNCHER_DEBUG set
+ JDK-8243059: Build fails when --with-vendor-name contains a
comma
+ JDK-8243474: [TESTBUG] removed three tests of 0 bytes
+ JDK-8244461: [JDK 8u] Build fails with glibc 2.32
+ JDK-8244548: JDK 8u: sun.misc.Version.jdkUpdateVersion()
returns wrong result
* Import of OpenJDK 8 u262 build 04
+ JDK-8067796: (process) Process.waitFor(timeout, unit) doesn't
throw NPE if timeout is less than, or equal to zero when unit
== null
+ JDK-8148886: SEGV in sun.java2d.marlin.Renderer._endRendering
+ JDK-8171934:
ObjectSizeCalculator.getEffectiveMemoryLayoutSpecification()
does not recognize OpenJDK's HotSpot VM
+ JDK-8196969: JTreg Failure:
serviceability/sa/ClhsdbJstack.java causes NPE
+ JDK-8243539: Copyright info (Year) should be updated for fix
of 8241638
+ JDK-8244777: ClassLoaderStats VM Op uses constant hash value
* Import of OpenJDK 8 u262 build 05
+ JDK-7147060: com/sun/org/apache/xml/internal/security/
/transforms/ClassLoaderTest.java doesn't run in agentvm mode
+ JDK-8178374: Problematic ByteBuffer handling in
CipherSpi.bufferCrypt method
+ JDK-8181841: A TSA server returns timestamp with precision
higher than milliseconds
+ JDK-8227269: Slow class loading when running with JDWP
+ JDK-8229899: Make java.io.File.isInvalid() less racy
+ JDK-8236996: Incorrect Roboto font rendering on Windows with
subpixel antialiasing
+ JDK-8241750: x86_32 build failure after JDK-8227269
+ JDK-8244407: JVM crashes after transformation in C2
IdealLoopTree::split_fall_in
+ JDK-8244843: JapanEraNameCompatTest fails
* Import of OpenJDK 8 u262 build 06
+ JDK-8246223: Windows build fails after JDK-8227269
* Import of OpenJDK 8 u262 build 07
+ JDK-8233197: Invert JvmtiExport::post_vm_initialized() and
Jfr:on_vm_start() start-up order for correct option parsing
+ JDK-8243541: (tz) Upgrade time-zone data to tzdata2020a
+ JDK-8245167: Top package in method profiling shows null in JMC
+ JDK-8246703: [TESTBUG] Add test for JDK-8233197
* Import of OpenJDK 8 u262 build 08
+ JDK-8220293: Deadlock in JFR string pool
+ JDK-8225068: Remove DocuSign root certificate that is
expiring in May 2020
+ JDK-8225069: Remove Comodo root certificate that is expiring
in May 2020
* Import of OpenJDK 8 u262 build 09
+ JDK-8248399: Build installs jfr binary when JFR is disabled
* Import of OpenJDK 8 u262 build 10
+ JDK-8248715: New JavaTimeSupplementary localisation for 'in'
installed in wrong package
* Import of OpenJDK 8 u265 build 01
+ JDK-8249677: Regression in 8u after JDK-8237117: Better
ForkJoinPool behavior
+ JDK-8250546: Expect changed behaviour reported in JDK-8249846
* Import of OpenJDK 8 u272 build 01
+ JDK-8006205: [TESTBUG] NEED_TEST: please JTREGIFY
test/compiler/7177917/Test7177917.java
+ JDK-8035493: JVMTI PopFrame capability must instruct
compilers not to prune locals
+ JDK-8036088: Replace strtok() with its safe equivalent
strtok_s() in DefaultProxySelector.c
+ JDK-8039082: [TEST_BUG] Test java/awt/dnd/
/BadSerializationTest/BadSerializationTest.java fails
+ JDK-8075774: Small readability and performance improvements
for zipfs
+ JDK-8132206: move ScanTest.java into OpenJDK
+ JDK-8132376: Add @requires os.family to the client tests with
access to internal OS-specific API
+ JDK-8132745: minor cleanup of java/util/Scanner/ScanTest.java
+ JDK-8137087: [TEST_BUG] Cygwin failure of java/awt/
/appletviewer/IOExceptionIfEncodedURLTest/
/IOExceptionIfEncodedURLTest.sh
+ JDK-8145808: java/awt/Graphics2D/MTGraphicsAccessTest/
/MTGraphicsAccessTest.java hangs on Win. 8
+ JDK-8151788: NullPointerException from ntlm.Client.type3
+ JDK-8151834: Test SmallPrimeExponentP.java times out
intermittently
+ JDK-8153430: jdk regression test MletParserLocaleTest,
ParserInfiniteLoopTest reduce default timeout
+ JDK-8153583: Make OutputAnalyzer.reportDiagnosticSummary
public
+ JDK-8156169: Some sound tests rarely hangs because of
incorrect synchronization
+ JDK-8165936: Potential Heap buffer overflow when seaching
timezone info files
+ JDK-8166148: Fix for JDK-8165936 broke solaris builds
+ JDK-8167300: Scheduling failures during gcm should be fatal
+ JDK-8167615: Opensource unit/regression tests for JavaSound
+ JDK-8172012: [TEST_BUG] delays needed in
javax/swing/JTree/4633594/bug4633594.java
+ JDK-8177628: Opensource unit/regression tests for ImageIO
+ JDK-8183341: Better cleanup for javax/imageio/AllowSearch.java
+ JDK-8183351: Better cleanup for jdk/test/javax/imageio/spi/
/AppletContextTest/BadPluginConfigurationTest.sh
+ JDK-8193137: Nashorn crashes when given an empty script file
+ JDK-8194298: Add support for per Socket configuration of TCP
keepalive
+ JDK-8198004: javax/swing/JFileChooser/6868611/bug6868611.java
throws error
+ JDK-8200313: java/awt/Gtk/GtkVersionTest/GtkVersionTest.java
fails
+ JDK-8210147: adjust some WSAGetLastError usages in windows
network coding
+ JDK-8211714: Need to update vm_version.cpp to recognise
VS2017 minor versions
+ JDK-8214862: assert(proj != __null) at compile.cpp:3251
+ JDK-8217606: LdapContext#reconnect always opens a new
connection
+ JDK-8217647: JFR: recordings on 32-bit systems unreadable
+ JDK-8226697: Several tests which need the @key headful
keyword are missing it.
+ JDK-8229378: jdwp library loader in linker_md.c quietly
truncates on buffer overflow
+ JDK-8230303: JDB hangs when running monitor command
+ JDK-8230711: ConnectionGraph::unique_java_object(Node* N)
return NULL if n is not in the CG
+ JDK-8234617: C1: Incorrect result of field load due to
missing narrowing conversion
+ JDK-8235243: handle VS2017 15.9 and VS2019 in
abstract_vm_version
+ JDK-8235325: build failure on Linux after 8235243
+ JDK-8235687: Contents/MacOS/libjli.dylib cannot be a symlink
+ JDK-8237951: CTW: C2 compilation fails with 'malformed
control flow'
+ JDK-8238225: Issues reported after replacing symlink at
Contents/MacOS/libjli.dylib with binary
+ JDK-8239385: KerberosTicket client name refers wrongly to
sAMAccountName in AD
+ JDK-8239819: XToolkit: Misread of screen information memory
+ JDK-8240295: hs_err elapsed time in seconds is not accurate
enough
+ JDK-8241888: Mirror jdk.security.allowNonCaAnchor system
property with a security one
+ JDK-8242498: Invalid 'sun.awt.TimedWindowEvent' object leads
to JVM crash
+ JDK-8243489: Thread CPU Load event may contain wrong data for
CPU time under certain conditions
+ JDK-8244818: Java2D Queue Flusher crash while moving
application window to external monitor
+ JDK-8246310: Clean commented-out code about ModuleEntry
and PackageEntry in JFR
+ JDK-8246384: Enable JFR by default on supported architectures
for October 2020 release
+ JDK-8248643: Remove extra leading space in JDK-8240295 8u
backport
+ JDK-8249610: Make
sun.security.krb5.Config.getBooleanObject(String... keys)
method public
* Import of OpenJDK 8 u272 build 02
+ JDK-8023697: failed class resolution reports different class
name in detail message for the first and subsequent times
+ JDK-8025886: replace [[ and == bash extensions in regtest
+ JDK-8046274: Removing dependency on jakarta-regexp
+ JDK-8048933: -XX:+TraceExceptions output should include the
message
+ JDK-8076151: [TESTBUG] Test java/awt/FontClass/CreateFont/
/fileaccess/FontFile.java fails
+ JDK-8148854: Class names 'SomeClass' and 'LSomeClass;'
treated by JVM as an equivalent
+ JDK-8154313: Generated javadoc scattered all over the place
+ JDK-8163251: Hard coded loop limit prevents reading of smart
card data greater than 8k
+ JDK-8173300: [TESTBUG]compiler/tiered/NonTieredLevelsTest.java
fails with compiler.whitebox.SimpleTestCaseHelper(int) must be
compiled
+ JDK-8183349: Better cleanup for jdk/test/javax/imageio/
/plugins/shared/CanWriteSequence.java and WriteAfterAbort.java
+ JDK-8191678: [TESTBUG] Add keyword headful in java/awt
FocusTransitionTest test.
+ JDK-8201633: Problems with AES-GCM native acceleration
+ JDK-8211049: Second parameter of 'initialize' method is not
used
+ JDK-8219566: JFR did not collect call stacks when
MaxJavaStackTraceDepth is set to zero
+ JDK-8220165: Encryption using GCM results in
RuntimeException- input length out of bound
+ JDK-8220555: JFR tool shows potentially misleading message
when it cannot access a file
+ JDK-8224217: RecordingInfo should use textual representation
of path
+ JDK-8231779: crash
HeapWord*ParallelScavengeHeap::failed_mem_allocate
+ JDK-8238380, PR3798: java.base/unix/native/libjava/childproc.c
'multiple definition' link errors with GCC10
+ JDK-8238386, PR3798: (sctp) jdk.sctp/unix/native/libsctp/
/SctpNet.c 'multiple definition' link errors with GCC10
+ JDK-8238388, PR3798: libj2gss/NativeFunc.o 'multiple
definition' link errors with GCC10
+ JDK-8242556: Cannot load RSASSA-PSS public key with non-null
params from byte array
+ JDK-8250755: Better cleanup for jdk/test/javax/imageio/
/plugins/shared/CanWriteSequence.java
* Import of OpenJDK 8 u272 build 03
+ JDK-6574989: TEST_BUG:
javax/sound/sampled/Clip/bug5070081.java fails sometimes
+ JDK-8148754: C2 loop unrolling fails due to unexpected graph
shape
+ JDK-8192953: sun/management/jmxremote/bootstrap/*.sh tests
fail with error : revokeall.exe: Permission denied
+ JDK-8203357: Container Metrics
+ JDK-8209113: Use WeakReference for lastFontStrike for created
Fonts
+ JDK-8216283: Allow shorter method sampling interval than 10 ms
+ JDK-8221569: JFR tool produces incorrect output when both
--categories and --events are specified
+ JDK-8233097: Fontmetrics for large Fonts has zero width
+ JDK-8248851: CMS: Missing memory fences between free chunk
check and klass read
+ JDK-8250875: Incorrect parameter type for update_number in
JDK_Version::jdk_update
* Import of OpenJDK 8 u272 build 04
+ JDK-8061616: HotspotDiagnosticMXBean.getVMOption() throws
IllegalArgumentException for flags of type double
+ JDK-8177334: Update xmldsig implementation to Apache
Santuario 2.1.1
+ JDK-8217878: ENVELOPING XML signature no longer works in JDK
11
+ JDK-8218629: XML Digital Signature throws NAMESPACE_ERR
exception on OpenJDK 11, works 8/9/10
+ JDK-8243138: Enhance BaseLdapServer to support starttls
extended request
* Import of OpenJDK 8 u272 build 05
+ JDK-8026236: Add PrimeTest for BigInteger
+ JDK-8057003: Large reference arrays cause extremely long
synchronization times
+ JDK-8060721: Test runtime/SharedArchiveFile/
/LimitSharedSizes.java fails in jdk 9 fcs new
platforms/compiler
+ JDK-8152077: (cal) Calendar.roll does not always roll the
hours during daylight savings
+ JDK-8168517: java/lang/ProcessBuilder/Basic.java failed
+ JDK-8211163: UNIX version of Java_java_io_Console_echo does
not return a clean boolean
+ JDK-8220674: [TESTBUG] MetricsMemoryTester failcount test in
docker container only works with debug JVMs
+ JDK-8231213: Migrate SimpleDateFormatConstTest to JDK Repo
+ JDK-8236645: JDK 8u231 introduces a regression with
incompatible handling of XML messages
+ JDK-8240676: Meet not symmetric failure when running lucene
on jdk8
+ JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA
program
+ JDK-8249158: THREAD_START and THREAD_END event posted in
primordial phase
+ JDK-8250627: Use -XX:+/-UseContainerSupport for
enabling/disabling Java container metrics
+ JDK-8251546: 8u backport of JDK-8194298 breaks AIX and
Solaris builds
+ JDK-8252084: Minimal VM fails to bootcycle: undefined symbol:
AgeTableTracer::is_tenuring_distribution_event_enabled
* Import of OpenJDK 8 u272 build 06
+ JDK-8064319: Need to enable -XX:+TraceExceptions in release
builds
+ JDK-8080462, PR3801: Update SunPKCS11 provider with PKCS11
v2.40 support
+ JDK-8160768: Add capability to custom resolve host/domain
names within the default JNDI LDAP provider
+ JDK-8161973: PKIXRevocationChecker.getSoftFailExceptions()
not working
+ JDK-8169925, PR3801: PKCS #11 Cryptographic Token Interface
license
+ JDK-8184762: ZapStackSegments should use optimized memset
+ JDK-8193234: When using -Xcheck:jni an internally allocated
buffer can leak
+ JDK-8219919: RuntimeStub name lost with
PrintFrameConverterAssembly
+ JDK-8220313: [TESTBUG] Update base image for Docker testing
to OL 7.6
+ JDK-8222079: Don't use memset to initialize fields decode_env
constructor in disassembler.cpp
+ JDK-8225695: 32-bit build failures after JDK-8080462 (Update
SunPKCS11 provider with PKCS11 v2.40 support)
+ JDK-8226575: OperatingSystemMXBean should be made container
aware
+ JDK-8226809: Circular reference in printed stack trace is not
correctly indented & ambiguous
+ JDK-8228835: Memory leak in PKCS11 provider when using AES GCM
+ JDK-8233621: Mismatch in jsse.enableMFLNExtension property
name
+ JDK-8238898, PR3801: Missing hash characters for header on
license file
+ JDK-8243320: Add SSL root certificates to Oracle Root CA
program
+ JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest
release 1.8.26
+ JDK-8245467: Remove 8u TLSv1.2 implementation files
+ JDK-8245469: Remove DTLS protocol implementation
+ JDK-8245470: Fix JDK8 compatibility issues
+ JDK-8245471: Revert JDK-8148188
+ JDK-8245472: Backport JDK-8038893 to JDK8
+ JDK-8245473: OCSP stapling support
+ JDK-8245474: Add TLS_KRB5 cipher suites support according to
RFC-2712
+ JDK-8245476: Disable TLSv1.3 protocol in the ClientHello
message by default
+ JDK-8245477: Adjust TLS tests location
+ JDK-8245653: Remove 8u TLS tests
+ JDK-8245681: Add TLSv1.3 regression test from 11.0.7
+ JDK-8251117: Cannot check P11Key size in P11Cipher and
P11AEADCipher
+ JDK-8251120, PR3793: [8u] HotSpot build assumes ENABLE_JFR is
set to either true or false
+ JDK-8251341: Minimal Java specification change
+ JDK-8251478: Backport TLSv1.3 regression tests to JDK8u
* Import of OpenJDK 8 u272 build 07
+ JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ
* Import of OpenJDK 8 u272 build 08
+ JDK-8062947: Fix exception message to correctly represent
LDAP connection failure
+ JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed
due to timeout on DeadServerNoTimeoutTest is incorrect
+ JDK-8252573: 8u: Windows build failed after 8222079 backport
* Import of OpenJDK 8 u272 build 09
+ JDK-8252886: [TESTBUG] sun/security/ec/TestEC.java :
Compilation failed
* Import of OpenJDK 8 u272 build 10
+ JDK-8254673: Call to JvmtiExport::post_vm_start() was removed
by the fix for JDK-8249158
+ JDK-8254937: Revert JDK-8148854 for 8u272
* Backports
+ JDK-8038723, PR3806: Openup some PrinterJob tests
+ JDK-8041480, PR3806: ArrayIndexOutOfBoundsException when
JTable contains certain string
+ JDK-8058779, PR3805: Faster implementation of
String.replace(CharSequence, CharSequence)
+ JDK-8130125, PR3806: [TEST_BUG] add @modules to the several
client tests unaffected by the automated bulk update
+ JDK-8144015, PR3806: [PIT] failures of text layout font tests
+ JDK-8144023, PR3806: [PIT] failure of text measurements in
javax/swing/text/html/parser/Parser/6836089/bug6836089.java
+ JDK-8144240, PR3806: [macosx][PIT] AIOOB in
closed/javax/swing/text/GlyphPainter2/6427244/bug6427244.java
+ JDK-8145542, PR3806: The case failed automatically and thrown
java.lang.ArrayIndexOutOfBoundsException exception
+ JDK-8151725, PR3806: [macosx] ArrayIndexOOB exception when
displaying Devanagari text in JEditorPane
+ JDK-8152358, PR3800: code and comment cleanups found during
the hunt for 8077392
+ JDK-8152545, PR3804: Use preprocessor instead of compiling a
program to generate native nio constants
+ JDK-8152680, PR3806: Regression in
GlyphVector.getGlyphCharIndex behaviour
+ JDK-8158924, PR3806: Incorrect i18n text document layout
+ JDK-8166003, PR3806: [PIT][TEST_BUG] missing helper for
javax/swing/text/GlyphPainter2/6427244/bug6427244.java
+ JDK-8166068, PR3806: test/java/awt/font/GlyphVector/
/GetGlyphCharIndexTest.java does not compile
+ JDK-8169879, PR3806: [TEST_BUG] javax/swing/text/
/GlyphPainter2/6427244/bug6427244.java - compilation failed
+ JDK-8191512, PR3806: T2K font rasterizer code removal
+ JDK-8191522, PR3806: Remove Bigelow&Holmes Lucida fonts from
JDK sources
+ JDK-8236512, PR3801: PKCS11 Connection closed after
Cipher.doFinal and NoPadding
+ JDK-8254177, PR3809: (tz) Upgrade time-zone data to
tzdata2020b
* Bug fixes
+ PR3798: Fix format-overflow error on GCC 10, caused by
passing NULL to a '%s' directive
+ PR3795: ECDSAUtils for XML digital signatures should support
the same curve set as the rest of the JDK
+ PR3799: Adapt elliptic curve patches to JDK-8245468: Add
TLSv1.3 implementation classes from 11.0.7
+ PR3808: IcedTea does not install the JFR *.jfc files
+ PR3810: Enable JFR on x86 (32-bit) now that JDK-8252096 has
fixed its use with Shenandoah
+ PR3811: Don't attempt to install JFR files when JFR is
disabled
* Shenandoah
+ [backport] 8221435: Shenandoah should not mark through weak
roots
+ [backport] 8221629: Shenandoah: Cleanup class unloading logic
+ [backport] 8222992: Shenandoah: Pre-evacuate all roots
+ [backport] 8223215: Shenandoah: Support verifying subset of
roots
+ [backport] 8223774: Shenandoah: Refactor
ShenandoahRootProcessor and family
+ [backport] 8224210: Shenandoah: Refactor
ShenandoahRootScanner to support scanning CSet codecache roots
+ [backport] 8224508: Shenandoah: Need to update thread roots
in final mark for piggyback ref update cycle
+ [backport] 8224579: ResourceMark not declared in
shenandoahRootProcessor.inline.hpp with
--disable-precompiled-headers
+ [backport] 8224679: Shenandoah: Make
ShenandoahParallelCodeCacheIterator noncopyable
+ [backport] 8224751: Shenandoah: Shenandoah Verifier should
select proper roots according to current GC cycle
+ [backport] 8225014: Separate ShenandoahRootScanner method for
object_iterate
+ [backport] 8225216: gc/logging/TestMetaSpaceLog.java doesn't
work for Shenandoah
+ [backport] 8225573: Shenandoah: Enhance ShenandoahVerifier to
ensure roots to-space invariant
+ [backport] 8225590: Shenandoah: Refactor
ShenandoahClassLoaderDataRoots API
+ [backport] 8226413: Shenandoah: Separate root scanner for
SH::object_iterate()
+ [backport] 8230853: Shenandoah: replace leftover
assert(is_in(...)) with rich asserts
+ [backport] 8231198: Shenandoah: heap walking should visit all
roots most of the time
+ [backport] 8231244: Shenandoah: all-roots heap walking misses
some weak roots
+ [backport] 8237632: Shenandoah: accept NULL fwdptr to
cooperate with JVMTI and JFR
+ [backport] 8239786: Shenandoah: print per-cycle statistics
+ [backport] 8239926: Shenandoah: Shenandoah needs to mark
nmethod's metadata
+ [backport] 8240671: Shenandoah: refactor
ShenandoahPhaseTimings
+ [backport] 8240749: Shenandoah: refactor ShenandoahUtils
+ [backport] 8240750: Shenandoah: remove leftover files and
mentions of ShenandoahAllocTracker
+ [backport] 8240868: Shenandoah: remove CM-with-UR
piggybacking cycles
+ [backport] 8240872: Shenandoah: Avoid updating new regions
from start of evacuation
+ [backport] 8240873: Shenandoah: Short-cut arraycopy barriers
+ [backport] 8240915: Shenandoah: Remove unused fields in init
mark tasks
+ [backport] 8240948: Shenandoah: cleanup not-forwarded-objects
paths after JDK-8240868
+ [backport] 8241007: Shenandoah: remove
ShenandoahCriticalControlThreadPriority support
+ [backport] 8241062: Shenandoah: rich asserts trigger 'empty
statement' inspection
+ [backport] 8241081: Shenandoah: Do not modify
update-watermark concurrently
+ [backport] 8241093: Shenandoah: editorial changes in flag
descriptions
+ [backport] 8241139: Shenandoah: distribute mark-compact work
exactly to minimize fragmentation
+ [backport] 8241142: Shenandoah: should not use parallel
reference processing with single GC thread
+ [backport] 8241351: Shenandoah: fragmentation metrics overhaul
+ [backport] 8241435: Shenandoah: avoid disabling pacing with
'aggressive'
+ [backport] 8241520: Shenandoah: simplify region sequence
numbers handling
+ [backport] 8241534: Shenandoah: region status should include
update watermark
+ [backport] 8241574: Shenandoah: remove
ShenandoahAssertToSpaceClosure
+ [backport] 8241583: Shenandoah: turn heap lock asserts into
macros
+ [backport] 8241668: Shenandoah: make ShenandoahHeapRegion not
derive from ContiguousSpace
+ [backport] 8241673: Shenandoah: refactor anti-false-sharing
padding
+ [backport] 8241675: Shenandoah: assert(n->outcnt() > 0) at
shenandoahSupport.cpp:2858 with
java/util/Collections/FindSubList.java
+ [backport] 8241692: Shenandoah: remove
ShenandoahHeapRegion::_reserved
+ [backport] 8241700: Shenandoah: Fold
ShenandoahKeepAliveBarrier flag into ShenandoahSATBBarrier
+ [backport] 8241740: Shenandoah: remove
ShenandoahHeapRegion::_heap
+ [backport] 8241743: Shenandoah: refactor and inline
ShenandoahHeap::heap()
+ [backport] 8241748: Shenandoah: inline MarkingContext TAMS
methods
+ [backport] 8241838: Shenandoah: no need to trash cset during
final mark
+ [backport] 8241841: Shenandoah: ditch one of allocation type
counters in ShenandoahHeapRegion
+ [backport] 8241842: Shenandoah: inline
ShenandoahHeapRegion::region_number
+ [backport] 8241844: Shenandoah: rename
ShenandoahHeapRegion::region_number
+ [backport] 8241845: Shenandoah: align ShenandoahHeapRegions
to cache lines
+ [backport] 8241926: Shenandoah: only print heap changes for
operations that directly affect it
+ [backport] 8241983: Shenandoah: simplify FreeSet logging
+ [backport] 8241985: Shenandoah: simplify collectable garbage
logging
+ [backport] 8242040: Shenandoah: print allocation failure type
+ [backport] 8242041: Shenandoah: adaptive heuristics should
account evac reserve in free target
+ [backport] 8242042: Shenandoah: tune down
ShenandoahGarbageThreshold
+ [backport] 8242054: Shenandoah: New incremental-update mode
+ [backport] 8242075: Shenandoah: rename
ShenandoahHeapRegionSize flag
+ [backport] 8242082: Shenandoah: Purge Traversal mode
+ [backport] 8242083: Shenandoah: split 'Prepare Evacuation'
tracking into cset/freeset counters
+ [backport] 8242089: Shenandoah: per-worker stats should be
summed up, not averaged
+ [backport] 8242101: Shenandoah: coalesce and parallelise heap
region walks during the pauses
+ [backport] 8242114: Shenandoah: remove
ShenandoahHeapRegion::reset_alloc_metadata_to_shared
+ [backport] 8242130: Shenandoah: Simplify arraycopy-barrier
dispatching
+ [backport] 8242211: Shenandoah: remove
ShenandoahHeuristics::RegionData::_seqnum_last_alloc
+ [backport] 8242212: Shenandoah: initialize
ShenandoahHeuristics::_region_data eagerly
+ [backport] 8242213: Shenandoah: remove
ShenandoahHeuristics::_bytes_in_cset
+ [backport] 8242217: Shenandoah: Enable GC mode to be
diagnostic/experimental and have a name
+ [backport] 8242227: Shenandoah: transit regions to cset state
when adding to collection set
+ [backport] 8242228: Shenandoah: remove unused
ShenandoahCollectionSet methods
+ [backport] 8242229: Shenandoah: inline ShenandoahHeapRegion
liveness-related methods
+ [backport] 8242267: Shenandoah: regions space needs to be
aligned by os::vm_allocation_granularity()
+ [backport] 8242271: Shenandoah: add test to verify GC mode
unlock
+ [backport] 8242273: Shenandoah: accept either SATB or IU
barriers, but not both
+ [backport] 8242301: Shenandoah: Inline LRB runtime call
+ [backport] 8242316: Shenandoah: Turn NULL-check into assert
in SATB slow-path entry
+ [backport] 8242353: Shenandoah: micro-optimize region
liveness handling
+ [backport] 8242365: Shenandoah: use uint16_t instead of
jushort for liveness cache
+ [backport] 8242375: Shenandoah: Remove
ShenandoahHeuristic::record_gc_start/end methods
+ [backport] 8242641: Shenandoah: clear live data and update
TAMS optimistically
+ [backport] 8243238: Shenandoah: explicit GC request should
wait for a complete GC cycle
+ [backport] 8243301: Shenandoah: ditch
ShenandoahAllowMixedAllocs
+ [backport] 8243307: Shenandoah: remove
ShCollectionSet::live_data
+ [backport] 8243395: Shenandoah: demote guarantee in
ShenandoahPhaseTimings::record_workers_end
+ [backport] 8243463: Shenandoah: ditch total_pause counters
+ [backport] 8243464: Shenandoah: print statistic counters in
time order
+ [backport] 8243465: Shenandoah: ditch unused pause_other,
conc_other counters
+ [backport] 8243487: Shenandoah: make _num_phases illegal
phase type
+ [backport] 8243494: Shenandoah: set counters once per cycle
+ [backport] 8243573: Shenandoah: rename GCParPhases and
related code
+ [backport] 8243848: Shenandoah: Windows build fails after
JDK-8239786
+ [backport] 8244180: Shenandoah: carry Phase to
ShWorkerTimingsTracker explicitly
+ [backport] 8244200: Shenandoah: build breakages after
JDK-8241743
+ [backport] 8244226: Shenandoah: per-cycle statistics contain
worker data from previous cycles
+ [backport] 8244326: Shenandoah: global statistics should not
accept bogus samples
+ [backport] 8244509: Shenandoah: refactor
ShenandoahBarrierC2Support::test_* methods
+ [backport] 8244551: Shenandoah: Fix racy update of
update_watermark
+ [backport] 8244667: Shenandoah: SBC2Support::test_gc_state
takes loop for wrong control
+ [backport] 8244730: Shenandoah: gc/shenandoah/options/
/TestHeuristicsUnlock.java should only verify the heuristics
+ [backport] 8244732: Shenandoah: move heuristics code to
gc/shenandoah/heuristics
+ [backport] 8244737: Shenandoah: move mode code to
gc/shenandoah/mode
+ [backport] 8244739: Shenandoah: break superclass dependency
on ShenandoahNormalMode
+ [backport] 8244740: Shenandoah: rename ShenandoahNormalMode
to ShenandoahSATBMode
+ [backport] 8245461: Shenandoah: refine mode name()-s
+ [backport] 8245463: Shenandoah: refine ShenandoahPhaseTimings
constructor arguments
+ [backport] 8245464: Shenandoah: allocate collection set
bitmap at lower addresses
+ [backport] 8245465: Shenandoah: test_in_cset can use more
efficient encoding
+ [backport] 8245726: Shenandoah: lift/cleanup
ShenandoahHeuristics names and properties
+ [backport] 8245754: Shenandoah: ditch ShenandoahAlwaysPreTouch
+ [backport] 8245757: Shenandoah: AlwaysPreTouch should not
disable heap resizing or uncommits
+ [backport] 8245773: Shenandoah: Windows assertion failure
after JDK-8245464
+ [backport] 8245812: Shenandoah: compute root phase parallelism
+ [backport] 8245814: Shenandoah: reconsider format specifiers
for stats
+ [backport] 8245825: Shenandoah: Remove diagnostic flag
ShenandoahConcurrentScanCodeRoots
+ [backport] 8246162: Shenandoah: full GC does not mark code
roots when class unloading is off
+ [backport] 8247310: Shenandoah: pacer should not affect
interrupt status
+ [backport] 8247358: Shenandoah: reconsider free budget slice
for marking
+ [backport] 8247367: Shenandoah: pacer should wait on lock
instead of exponential backoff
+ [backport] 8247474: Shenandoah: Windows build warning after
JDK-8247310
+ [backport] 8247560: Shenandoah: heap iteration holds root
locks all the time
+ [backport] 8247593: Shenandoah: should not block pacing
reporters
+ [backport] 8247751: Shenandoah: options tests should run with
smaller heaps
+ [backport] 8247754: Shenandoah: mxbeans tests can be shorter
+ [backport] 8247757: Shenandoah: split heavy tests by
heuristics to improve parallelism
+ [backport] 8247860: Shenandoah: add update watermark line in
rich assert failure message
+ [backport] 8248041: Shenandoah: pre-Full GC root updates may
miss some roots
+ [backport] 8248652: Shenandoah: SATB buffer handling may
assume no forwarded objects
+ [backport] 8249560: Shenandoah: Fix racy GC request handling
+ [backport] 8249649: Shenandoah: provide per-cycle pacing stats
+ [backport] 8249801: Shenandoah: Clear soft-refs on requested
GC cycle
+ [backport] 8249953: Shenandoah: gc/shenandoah/mxbeans tests
should account for corner cases
+ Fix slowdebug build after JDK-8230853 backport
+ JDK-8252096: Shenandoah: adjust SerialPageShiftCount for
x86_32 and JFR
+ JDK-8252366: Shenandoah: revert/cleanup changes in
graphKit.cpp
+ Shenandoah: add JFR roots to root processor after JFR
integration
+ Shenandoah: add root statistics for string dedup table/queues
+ Shenandoah: enable low-frequency STW class unloading
+ Shenandoah: fix build failures after JDK-8244737 backport
+ Shenandoah: Fix build failure with +JFR -PCH
+ Shenandoah: fix forceful pacer claim
+ Shenandoah: fix formats in
ShenandoahStringSymbolTableUnlinkTask
+ Shenandoah: fix runtime linking failure due to non-compiled
shenandoahBarrierSetC1
+ Shenandoah: hook statistics printing to PrintGCDetails, not
PrintGC
+ Shenandoah: JNI weak roots are always cleared before Full GC
mark
+ Shenandoah: missing SystemDictionary roots in
ShenandoahHeapIterationRootScanner
+ Shenandoah: move barrier sets to their proper locations
+ Shenandoah: move parallelCleaning.* to shenandoah/
+ Shenandoah: pacer should use proper Atomics for intptr_t
+ Shenandoah: properly deallocates class loader metadata
+ Shenandoah: specialize String Table scans for better pause
performance
+ Shenandoah: Zero build fails after recent Atomic cleanup in
Pacer
* AArch64 port
+ JDK-8161072, PR3797: AArch64: jtreg
compiler/uncommontrap/TestDeoptOOM failure
+ JDK-8171537, PR3797: aarch64: compiler/c1/Test6849574.java
generates guarantee failure in C1
+ JDK-8183925, PR3797: [AArch64] Decouple crash protection from
watcher thread
+ JDK-8199712, PR3797: [AArch64] Flight Recorder
+ JDK-8203481, PR3797: Incorrect constraint for unextended_sp
in frame:safe_for_sender
+ JDK-8203699, PR3797: java/lang/invoke/SpecialInterfaceCall
fails with SIGILL on aarch64
+ JDK-8209413, PR3797: AArch64: NPE in clhsdb jstack command
+ JDK-8215961, PR3797: jdk/jfr/event/os/TestCPUInformation.java
fails on AArch64
+ JDK-8216989, PR3797:
CardTableBarrierSetAssembler::gen_write_ref_array_post_barrier()
does not check for zero length on AARCH64
+ JDK-8217368, PR3797: AArch64: C2 recursive stack locking
optimisation not triggered
+ JDK-8221658, PR3797: aarch64: add necessary predicate for
ubfx patterns
+ JDK-8237512, PR3797: AArch64: aarch64TestHook leaks a
BufferBlob
+ JDK-8246482, PR3797: Build failures with +JFR -PCH
+ JDK-8247979, PR3797: aarch64: missing side effect of killing
flags for clearArray_reg_reg
+ JDK-8248219, PR3797: aarch64: missing memory barrier in
fast_storefield and fast_accessfield
- Ignore whitespaces after the header or footer in PEM X.509 cert
(bsc#1171352)
ImportantSUSE bug 1171352SUSE bug 1174157SUSE bug 1177943CVE-2020-14556 at SUSECVE-2020-14556 at NVDCVE-2020-14577 at SUSECVE-2020-14577 at NVDCVE-2020-14578 at SUSECVE-2020-14578 at NVDCVE-2020-14579 at SUSECVE-2020-14579 at NVDCVE-2020-14581 at SUSECVE-2020-14581 at NVDCVE-2020-14583 at SUSECVE-2020-14583 at NVDCVE-2020-14593 at SUSECVE-2020-14593 at NVDCVE-2020-14621 at SUSECVE-2020-14621 at NVDCVE-2020-14779 at SUSECVE-2020-14779 at NVDCVE-2020-14781 at SUSECVE-2020-14781 at NVDCVE-2020-14782 at SUSECVE-2020-14782 at NVDCVE-2020-14792 at SUSECVE-2020-14792 at NVDCVE-2020-14796 at SUSECVE-2020-14796 at NVDCVE-2020-14797 at SUSECVE-2020-14797 at NVDCVE-2020-14798 at SUSECVE-2020-14798 at NVDCVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for gcc10 (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for gcc10 fixes the following issues:
This update provides the GCC10 compiler suite and runtime libraries.
The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by
the gcc10 variants.
The new compiler variants are available with '-10' suffix, you can specify them
via:
CC=gcc-10
CXX=g++-10
or similar commands.
For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html
ModerateSUSE bug 1172798SUSE bug 1172846SUSE bug 1173972SUSE bug 1174753SUSE bug 1174817SUSE bug 1175168CVE-2020-13844 at SUSECVE-2020-13844 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ucode-intel (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for ucode-intel fixes the following issues:
- Intel CPU Microcode updated to 20201027 prerelease
- CVE-2020-8695: Fixed Intel RAPL sidechannel attack (SGX) (bsc#1170446)
- CVE-2020-8698: Fixed Fast Store Forward Predictor INTEL-SA-00381 (bsc#1173594)
# New Platforms:
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| TGL | B1 | 06-8c-01/80 | | 00000068 | Core Gen11 Mobile
| CPX-SP | A1 | 06-55-0b/bf | | 0700001e | Xeon Scalable Gen3
| CML-H | R1 | 06-a5-02/20 | | 000000e0 | Core Gen10 Mobile
| CML-S62 | G1 | 06-a5-03/22 | | 000000e0 | Core Gen10
| CML-S102 | Q0 | 06-a5-05/22 | | 000000e0 | Core Gen10
| CML-U62 V2 | K0 | 06-a6-01/80 | | 000000e0 | Core Gen10 Mobile
# Updated Platforms:
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| GKL-R | R0 | 06-7a-08/01 | 00000016 | 00000018 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| SKL-U23e | K1 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| APL | D0 | 06-5c-09/03 | 00000038 | 00000040 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
| APL | E0 | 06-5c-0a/03 | 00000016 | 0000001e | Atom x5-E39xx
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000d6 | 000000e2 | Core Gen6; Xeon E3 v5
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3
| SKX-SP | B1 | 06-55-03/97 | 01000157 | 01000159 | Xeon Scalable
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable
| SKX-D | M1 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon D-21xx
| CLX-SP | B0 | 06-55-06/bf | 04002f01 | 04003003 | Xeon Scalable Gen2
| CLX-SP | B1 | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2
| ICL-U/Y | D1 | 06-7e-05/80 | 00000078 | 000000a0 | Core Gen10 Mobile
| AML-Y22 | H0 | 06-8e-09/10 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000d6 | 000000e0 | Core Gen8 Mobile
| WHL-U | W0 | 06-8e-0b/d0 | 000000d6 | 000000de | Core Gen8 Mobile
| AML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| CML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| WHL-U | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000d6 | 000000de | Core Gen7; Xeon E3 v6
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000d6 | 000000de | Core Gen8 Desktop, Mobile, Xeon E
| CFL-S | B0 | 06-9e-0b/02 | 000000d6 | 000000de | Core Gen8
| CFL-H/S | P0 | 06-9e-0c/22 | 000000d6 | 000000de | Core Gen9
| CFL-H | R0 | 06-9e-0d/22 | 000000d6 | 000000de | Core Gen9 Mobile
| CML-U62 | A0 | 06-a6-00/80 | 000000ca | 000000e0 | Core Gen10 Mobile
ModerateSUSE bug 1170446SUSE bug 1173594CVE-2020-8695 at SUSECVE-2020-8695 at NVDCVE-2020-8698 at SUSECVE-2020-8698 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ansible, ardana-ansible, ardana-cinder, ardana-glance, ardana-mq, ardana-nova, ardana-osconfig, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, grafana-natel-discrete-panel, openstack-cinder, openstack-monasca-installer, openstack-neutron, openstack-nova, python-Django, python-Flask-Cors, python-Pillow, python-ardana-packager, python-keystoneclient, python-keystonemiddleware, python-kombu, python-straight-plugin, python-urllib3, release-notes-suse-openstack-cloud, storm, storm-kit, venv-openstack-cinder, venv-openstack-swift (Important)SUSE OpenStack Cloud Crowbar 8
This update for ansible, ardana-ansible, ardana-cinder, ardana-glance, ardana-mq, ardana-nova, ardana-osconfig, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, grafana-natel-discrete-panel, openstack-cinder, openstack-monasca-installer, openstack-neutron, openstack-nova, python-Django, python-Flask-Cors, python-Pillow, python-ardana-packager, python-keystoneclient, python-keystonemiddleware, python-kombu, python-straight-plugin, python-urllib3, release-notes-suse-openstack-cloud, storm, storm-kit, venv-openstack-cinder, venv-openstack-swift contains the following fixes:
Security fixes included in this update:
ansible to 2.9.14:
- CVE-2020-1733: Fixed insecure temporary directory when running
become_user (bsc#1164140).
- CVE-2020-1753: Kubectl connection plugin - connection plugin now
redact kubectl_token and kubectl_password in console log. (bsc#1166389)
- CVE-2020-14365: Previously, regardless of the disable_gpg_check
option, packages were not GPG validated. They are now. (bsc#1175993)
- CVE-2020-14332: copy - Redact the value of the no_log 'content'
parameter in the result's invocation.module_args in check mode.
Previously when used with check mode and with '-vvv', the module would
not censor the content if a change would be made to the destination
path. (bsc#1174302)
- CVE-2020-1736: atomic_move - Change default permissions when creating
temporary files so they are not world readable (bsc#1164134).
- CVE-2020-14330: Sanitize no_log values from any response keys that
might be returned from the uri module (bsc#1174145).
- CVE-2019-14846: Reset logging level to INFO. (bsc#1153452).
- CVE-2020-10744: incomplete fix for CVE-2020-1733 (bsc#1171823).
grafana:
- CVE-2018-18623, CVE-2018-18624,CVE-2018-18625: Fixed multiple XSS
vulnerabilities in dashboard due to a incomplete fix for CVE-2018-12099
(bsc#1172450).
- CVE-2020-11110: Fixed a stored XSS (bsc#1174583).
openstack-nova:
- CVE-2020-17376: Fixed an information leak during live migration (bsc#1175484).
python-Django to 1.11.29
- CVE-2020-7471: Fixed a SQL injection via StringAgg delimiter (bsc#1161919).
- CVE-2020-9402: Fixed a SQL injection via tolerance parameter in GIS functions
and aggregates (bsc#1165022).
- CVE-2019-19844: Fixed a potential account hijack via password reset form (bsc#1159447).
python-Flask-Cors
- CVE-2020-25032: Fixed a potential information leak through path traversal (bsc#1175986).
python-Pillow
- CVE-2020-10177: Fixed multiple out-of-bounds reads in libImaging/FliDecode.c (bsc#1173413).
- CVE-2020-10994: Fixed multiple out-of-bounds reads via a crafted JP2 files (bsc#1173418).
- CVE-2020-10378: Fixed an out-of-bounds read when reading PCX files (bsc#1173416).
python-urllib3
- CVE-2020-26137: Fixed CRLF injection via HTTP request method (bsc#1177120)
storm:
- CVE-2018-11779: Fixed java deserialization vulnerability related to the usage of
storm-kafka-client or storm-kafka modules (bsc#1143163).
- CVE-2019-0202: Fixed an information leak related to the log viewer (bsc#1142617).
rubygem-crowbar-client update to 3.9.3:
- CVE-2018-17954: Fixed information leak of the admin password to all
nodes in cleartext during provisioning (bsc#1117080)
Non-security fixes included on this update:
Changes in ansible:
- Update to ansible 2.9.14:
- minor bugs and fixes, including security bugs:
- CVE-2020-1753, bsc#1166389: Kubectl connection plugin - connection
plugin now redact kubectl_token and kubectl_password in console
log.
- revert CVE-2020-1736. Users are encouraged to specify a mode
parameter in their file-based tasks when the files being
manipulated contain sensitive data.
- CVE-2020-14365, bsc#1175993: Previously, regardless of the
disable_gpg_check option, packages were not GPG validated. They
are now.
- CVE-2020-14332, bsc#1174302: copy - Redact the value of the no_log
'content' parameter in the result's invocation.module_args in
check mode. Previously when used with check mode and with '-vvv',
the module would not censor the content if a change would be made
to the destination path.
- CVE-2020-1736, bsc#1164134: atomic_move - Change default
permissions when creating temporary files so they are not world
readable
- CVE-2020-14330, bsc#1174145: Sanitize no_log values from any
response keys that might be returned from the uri module.
- CVE-2019-14846, bsc#1153452: Reset logging level to INFO.
- CVE-2020-10744, bsc#1171823, gh#ansible/ansible#69782: incomplete
fix for CVE-2020-1733
- Remove patches included upstream:
- CVE-2020-14330_exposed_keys_uri_mod.patch
- CVE-2020-10744_avoid_mkdir_p.patch
- Don't Require python-coverage, it is needed only for testing
(bsc#1177948).
- Add CVE-2020-14330_exposed_keys_uri_mod.patch which fixes
CVE-2020-14330 (bsc#1174145). Sanitize no_log values from any
response keys that might be returned from the uri module.
Sensitive values marked with ``no_log=True`` will automatically
have that value stripped from module return values. If
your module could return these sensitive values as
part of a dictionary key name, you should call the
``ansible.module_utils.basic.sanitize_keys()`` function to
strip the values from the keys. See the ``uri`` module for an
example.
- importlib and argparse are required only on SLE-11 and less.
- Add CVE-2020-10744_avoid_mkdir_p.patch (bsc#1171823) to fix
insecure temporary directory creation.
- Add metadata information to this file to mark which SUSE
bugzilla have been already fixed.
- Remove CVE-2017-7550-jenkins-disallow-password-in-params.patch
as it has been already included in 2.4.1.0
- update to version 2.9.9
* fix for a regression introduced in 2.9.8
- update to version 2.9.8
maintenance release containing numerous bugfixes
- update to version 2.9.7 with many bug fixes,
especially for these security issues:
- bsc#1164140 CVE-2020-1733 - insecure temporary directory when
running become_user from become directive
- bsc#1164139 CVE-2020-1734 shell enabled by default in a pipe
lookup plugin subprocess
- bsc#1164137 CVE-2020-1735 - path injection on dest parameter
in fetch module
- bsc#1164134 CVE-2020-1736 atomic_move primitive sets
permissive permissions
- bsc#1164138 CVE-2020-1737 - Extract-Zip function in win_unzip
module does not check extracted path
- bsc#1164136 CVE-2020-1738 module package can be selected by
the ansible facts
- bsc#1164133 CVE-2020-1739 - svn module leaks password when
specified as a parameter
- bsc#1164135 CVE-2020-1740 - secrets readable after
ansible-vault edit
- bsc#1165393 CVE-2020-1746 - information disclosure issue in
ldap_attr and ldap_entry modules
- bsc#1166389 CVE-2020-1753 - kubectl connection plugin leaks
sensitive information
- bsc#1167532 CVE-2020-10684 - code injection when using
ansible_facts as a subkey
- bsc#1167440 CVE-2020-10685 - modules which use files
encrypted with vault are not properly cleaned up
- CVE-2020-10691 - archive traversal vulnerability in ansible-galaxy collection install [2]
- create missing (empty) template and files directories for
'ansible-galaxy init' during package build (fixes boo#1137479)
- require python-xml on python 2 systems (boo#1142542)
- update to version 2.9.6 (maintenance release) including
these security issues:
- bsc#1171162 CVE-2020-10729 two random password lookups in
same task return same value
- update to version 2.9.5 (maintenance release)
- update to version 2.9.4 (maintenance release)
- fix in yum module
- security fixes:
- bsc#1157968 CVE-2019-14904 vulnerability in solaris_zone
module via crafted solaris zone
- bsc#1157969 CVE-2019-14905 malicious code could craft
filename in nxos_file_copy module
- update to version 2.9.3 (maintenance release)
* security fixes
- CVE-2019-14904 (solaris_zone module) (boo#1157968)
- CVE-2019-14905 (nxos_file_copy module) (boo#1157969)
* various bugfixes
- sync with upstream spec file (especially for RHEL & Fedora builds)
- ran spec-cleaner
- remove old SUSE targets (SLE-11, Leap 42.3 and below)
This simplifies the spec file and makes building easier
- Additional required packages for building:
+ python-boto3 and python-botocore for Amazon EC2
+ python-jmespath for json queries
+ python-memcached for cloud modules and local caching of JSON
formatted, per host records
+ python-redis for cloud modules and local caching of JSON
formatted, per host records
+ python-requests for many web-based modules (cloud, network,
netapp)
=> as the need for those packages depends on the usage of the
tool, they are just recommended on openSUSE/SUSE machines
- made dependencies for gitlab, vmware and winrm modules configurable,
as most of their dependencies are not (yet) available on current
openSUSE/SUSE distributions
- exclude /usr/bin/pwsh from the automatic dependency generation,
as the Windows Power Shell is not available (yet) on openSUSE/SUSE
- build additional docs and split up ansible-doc package;
moving changelogs, contrib and example directories there
- prepare for building HTML documentation, but disable this per
default for the moment, as not all package dependencies are available
in openSUSE/SUSE (yet)
- package some test scripts with executable permissions
- update to version 2.9.2
maintenance release containing numerous bugfixes
- Create system directories that Ansible defines as default locations
in ansible/config/base.yml
- rephrase the summary line
- Disable shebang munging for specific paths. These files are data files.
ansible-test munges the shebangs itself.
- split out ansible-test package for module developers
- update to version 2.9.1
Full changelog is packaged at /usr/share/doc/packages/ansible/changelogs/
and also available online at
https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst
+ CVE-2019-14864: fixed Splunk and Sumologic callback plugins leak
sensitive data in logs (boo#1154830)
- replace all #!/usr/bin/env lines to use #!/usr/bin/$1 directly
- added file '/usr/bin/ansible-test' to spec file
- Update to version 2.9.0:
Full changelog is packaged at /usr/share/doc/packages/ansible/changelogs/
and also available online at
https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst
- Fixed among other this security bug:
- bsc#1112959 CVE-2018-16837 Information leak in 'user' module patch added
- include the sha checksum file in the source, which allows to verify
the original sources
- Update to version 2.8.6:
Full changelog is packaged at /usr/share/doc/packages/ansible/changelogs/
and also available online at
https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst
Included security fixes:
* CVE-2019-14846: Fixed secrets disclosure on logs due to display is hardcoded
to DEBUG level (bsc#1153452)
* CVE-2019-14856: Fixed insufficient fix for CVE-2019-10206 (bsc#1154232)
* CVE-2019-14858: Fixed data in the sub parameter fields that will not be masked
and will be displayed when run with increased verbosity (bsc#1154231)
- Update to version 2.8.5:
Full changelog is packaged at /usr/share/doc/packages/ansible/changelogs/
and also available online at
https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst
- removed patches fixed upstream:
+ CVE-2019-10206-data-disclosure.patch
+ CVE-2019-10217-gcp-modules-sensitive-fields.patch
- Update to version 2.8.3:
Full changelog is packaged, but also at
https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst
- (bsc#1137528) CVE-2019-10156: ansible: templating causing an
unexpected key file to be set on remote node
- (bsc#1144453) Adds CVE-2019-10217-gcp-modules-sensitive-fields.patch
CVE-2019-10217: Fields managing sensitive data should be set as
such by no_log feature. Some of these fields in GCP modules are
not set properly. service_account_contents() which is common
class for all gcp modules is not setting no_log to True. Any
sensitive data managed by that function would be leak as an
output when running ansible playbooks.
- Update to version 2.8.1
Full changelog is at /usr/share/doc/packages/ansible/changelogs/
Bugfixes
--------
- ACI - DO not encode query_string
- ACI modules - Fix non-signature authentication
- Add missing directory provided via ``--playbook-dir`` to adjacent collection loading
- Fix 'Interface not found' errors when using eos_l2_interface with nonexistant
interfaces configured
- Fix cannot get credential when `source_auth` set to `credential_file`.
- Fix netconf_config backup string issue
- Fix privilege escalation support for the docker connection plugin when
credentials need to be supplied (e.g. sudo with password).
- Fix vyos cli prompt inspection
- Fixed loading namespaced documentation fragments from collections.
- Fixing bug came up after running cnos_vrf module against coverity.
- Properly handle data importer failures on PVC creation, instead of timing out.
- To fix the ios static route TC failure in CI
- To fix the nios member module params
- To fix the nios_zone module idempotency failure
- add terminal initial prompt for initial connection
- allow include_role to work with ansible command
- allow python_requirements_facts to report on dependencies containing dashes
- asa_config fix
- azure_rm_roledefinition - fix a small error in build scope.
- azure_rm_virtualnetworkpeering - fix cross subscriptions virtual network
peering.
- cgroup_perf_recap - When not using file_per_task, make sure we don't
prematurely close the perf files
- display underlying error when reporting an invalid ``tasks:`` block.
- dnf - fix wildcard matching for state: absent
- docker connection plugin - accept version ``dev`` as 'newest version' and
print warning.
- docker_container - ``oom_killer`` and ``oom_score_adj`` options are available
since docker-py 1.8.0, not 2.0.0 as assumed by the version check.
- docker_container - fix network creation when ``networks_cli_compatible`` is
enabled.
- docker_container - use docker API's ``restart`` instead of ``stop``/``start``
to restart a container.
- docker_image - if ``build`` was not specified, the wrong default for
``build.rm`` is used.
- docker_image - if ``nocache`` set to ``yes`` but not ``build.nocache``, the
module failed.
- docker_image - module failed when ``source: build`` was set but
``build.path`` options not specified.
- docker_network module - fix idempotency when using ``aux_addresses`` in
``ipam_config``.
- ec2_instance - make Name tag idempotent
- eos: don't fail modules without become set, instead show message and continue
- eos_config: check for session support when asked to 'diff_against: session'
- eos_eapi: fix idempotency issues when vrf was unspecified.
- fix bugs for ce - more info see
- fix incorrect uses of to_native that should be to_text instead.
- hcloud_volume - Fix idempotency when attaching a server to a volume.
- ibm_storage - Added a check for null fields in ibm_storage utils module.
- include_tasks - whitelist ``listen`` as a valid keyword
- k8s - resource updates applied with force work correctly now
- keep results subset also when not no_log.
- meraki_switchport - improve reliability with native VLAN functionality.
- netapp_e_iscsi_target - fix netapp_e_iscsi_target chap secret size and
clearing functionality
- netapp_e_volumes - fix workload profileId indexing when no previous workload
tags exist on the storage array.
- nxos_acl some platforms/versions raise when no ACLs are present
- nxos_facts fix <https://github.com/ansible/ansible/pull/57009>
- nxos_file_copy fix passwordless workflow
- nxos_interface Fix admin_state check for n6k
- nxos_snmp_traps fix group all for N35 platforms
- nxos_snmp_user fix platform fixes for get_snmp_user
- nxos_vlan mode idempotence bug
- nxos_vlan vlan names containing regex ctl chars should be escaped
- nxos_vtp_* modules fix n6k issues
- openssl_certificate - fix private key passphrase handling for
``cryptography`` backend.
- openssl_pkcs12 - fixes crash when private key has a passphrase and the module
is run a second time.
- os_stack - Apply tags conditionally so that the module does not throw up an
error when using an older distro of openstacksdk
- pass correct loading context to persistent connections other than local
- pkg_mgr - Ansible 2.8.0 failing to install yum packages on Amazon Linux
- postgresql - added initial SSL related tests
- postgresql - added missing_required_libs, removed excess param mapping
- postgresql - move connect_to_db and get_pg_version into
module_utils/postgres.py (https://github.com/ansible/ansible/pull/55514)
- postgresql_db - add note to the documentation about state dump and the
incorrect rc (https://github.com/ansible/ansible/pull/57297)
- postgresql_db - fix for postgresql_db fails if stderr contains output
- postgresql_ping - fixed a typo in the module documentation
- preserve actual ssh error when we cannot connect.
- route53_facts - the module did not advertise check mode support, causing it
not to be run in check mode.
- sysctl: the module now also checks the output of STDERR to report if values
are correctly set (https://github.com/ansible/ansible/pull/55695)
- ufw - correctly check status when logging is off
- uri - always return a value for status even during failure
- urls - Handle redirects properly for IPv6 address by not splitting on ``:``
and rely on already parsed hostname and port values
- vmware_vm_facts - fix the support with regular ESXi
- vyos_interface fix <https://github.com/ansible/ansible/pull/57169>
- we don't really need to template vars on definition as we do this on demand
in templating.
- win_acl - Fix qualifier parser when using UNC paths -
- win_hostname - Fix non netbios compliant name handling
- winrm - Fix issue when attempting to parse CLIXML on send input failure
- xenserver_guest - fixed an issue where VM whould be powered off even though
check mode is used if reconfiguration requires VM to be powered off.
- xenserver_guest - proper error message is shown when maximum number of
network interfaces is reached and multiple network interfaces are added at
once.
- yum - Fix false error message about autoremove not being supported
- yum - fix failure when using ``update_cache`` standalone
- yum - handle special '_none_' value for proxy in yum.conf and .repo files
- Update to version 2.8.0
Major changes:
* Experimental support for Ansible Collections and content namespacing -
Ansible content can now be packaged in a collection and addressed via
namespaces. This allows for easier sharing, distribution, and installation
of bundled modules/roles/plugins, and consistent rules for accessing
specific content via namespaces.
* Python interpreter discovery - The first time a Python module runs on a
target, Ansible will attempt to discover the proper default Python
interpreter to use for the target platform/version (instead of immediately
defaulting to /usr/bin/python). You can override this behavior by
setting ansible_python_interpreter or via config.
(see https://github.com/ansible/ansible/pull/50163)
* become - The deprecated CLI arguments for --sudo, --sudo-user,
--ask-sudo-pass, -su, --su-user, and --ask-su-pass have been removed, in
favor of the more generic --become, --become-user, --become-method, and
--ask-become-pass.
* become - become functionality has been migrated to a plugin architecture,
to allow customization of become functionality and 3rd party become methods
(https://github.com/ansible/ansible/pull/50991)
- addresses CVE-2018-16859, CVE-2018-16876, CVE-2019-3828, CVE-2018-16837
For the full changelog see /usr/share/doc/packages/ansible/changelogs or online:
https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst
- Update to version 2.7.10
Minor Changes
- Catch all connection timeout related exceptions and raise AnsibleConnectionError instead
- openssl_pkcs12, openssl_privatekey, openssl_publickey - These modules no longer delete the output file before starting to regenerate the output, or when generating the output failed.
Bugfixes
- Backport of https://github.com/ansible/ansible/pull/54105, pamd - fix idempotence issue when removing rules
- Use custom JSON encoder in conneciton.py so that ansible objects (AnsibleVaultEncryptedUnicode, for example) can be sent to the persistent connection process
- allow 'dict()' jinja2 global to function the same even though it has changed in jinja2 versions
- azure_rm inventory plugin - fix missing hostvars properties (https://github.com/ansible/ansible/pull/53046)
- azure_rm inventory plugin - fix no nic type in vmss nic. (https://github.com/ansible/ansible/pull/53496)
- deprecate {Get/Set}ManagerAttributes commands (https://github.com/ansible/ansible/issues/47590)
- flatpak_remote - Handle empty output in remote_exists, fixes https://github.com/ansible/ansible/issues/51481
- foreman - fix Foreman returning host parameters
- get_url - Fix issue with checksum validation when using a file to ensure we skip lines in the file that do not contain exactly 2 parts. Also restrict exception handling to the minimum number of necessary lines (https://github.com/ansible/ansible/issues/48790)
- grafana_datasource - Fixed an issue when running Python3 and using basic auth (https://github.com/ansible/ansible/issues/49147)
- include_tasks - Fixed an unexpected exception if no file was given to include.
- openssl_certificate - fix ``state=absent``.
- openssl_certificate, openssl_csr, openssl_pkcs12, openssl_privatekey, openssl_publickey - The modules are now able to overwrite write-protected files (https://github.com/ansible/ansible/issues/48656).
- openssl_dhparam - fix ``state=absent`` idempotency and ``changed`` flag.
- openssl_pkcs12, openssl_privatekey - These modules now accept the output file mode in symbolic form or as a octal string (https://github.com/ansible/ansible/issues/53476).
- openssl_publickey - fixed crash on Python 3 when OpenSSH private keys were used with passphrases.
- openstack inventory plugin: allow 'constructed' functionality (``compose``, ``groups``, and ``keyed_groups``) to work as documented.
- random_mac - generate a proper MAC address when the provided vendor prefix is two or four characters (https://github.com/ansible/ansible/issues/50838)
- replace - fix behavior when ``before`` and ``after`` are used together (https://github.com/ansible/ansible/issues/31354)
- report correct CPU information on ARM systems (https://github.com/ansible/ansible/pull/52884)
- slurp - Fix issues when using paths on Windows with glob like characters, e.g. ``[``, ``]``
- ssh - Check the return code of the ssh process before raising AnsibleConnectionFailure, as the error message for the ssh process will likely contain more useful information. This will improve the missing interpreter messaging when using modules such as setup which have a larger payload to transfer when combined with pipelining. (https://github.com/ansible/ansible/issues/53487)
- tower_settings - 'name' and 'value' parameters are always required, module can not be used in order to get a setting
- win_acl - Fix issues when using paths with glob like characters, e.g. ``[``, ``]``
- win_acl_inheritance - Fix issues when using paths with glob like characters, e.g. ``[``, ``]``
- win_certificate_store - Fix issues when using paths with glob like characters, e.g. ``[``, ``]``
- win_chocolatey - Fix incompatibilities with the latest release of Chocolatey ``v0.10.12+``
- win_copy - Fix issues when using paths with glob like characters, e.g. ``[``, ``]``
- win_file - Fix issues when using paths with glob like characters, e.g. ``[``, ``]``
- win_find - Ensure found files are sorted alphabetically by the path instead of it being random
- win_find - Fix issues when using paths with glob like characters, e.g. ``[``, ``]``
- win_owner - Fix issues when using paths with glob like characters, e.g. ``[``, ``]``
- win_psexec - Support executables with a space in the path
- win_reboot - Fix reboot command validation failure when running under the psrp connection plugin
- win_tempfile - Always return the full NTFS absolute path and not a DOS 8.3 path.
- win_user_right - Fix output containing non json data - https://github.com/ansible/ansible/issues/54413
- windows - Fixed various module utils that did not work with path that had glob like chars
- yum - fix disable_excludes on systems with yum rhn plugin enabled (https://github.com/ansible/ansible/issues/53134)
- Update to version 2.7.9
Minor Changes
* Add missing import for ConnectionError in edge and routeros module_utils.
* ``to_yaml`` filter updated to maintain formatting consistency when used
with ``pyyaml`` versions 5.1 and later
(https://github.com/ansible/ansible/pull/53772)
* docker_image * set ``changed`` to ``false`` when using ``force: yes`` to
tag or push an image that ends up being identical to one already present on
the Docker host or Docker registry.
* jenkins_plugin * Set new default value for the update_url parameter
(https://github.com/ansible/ansible/issues/52086)
Bugfixes
* Fix bug where some inventory parsing tracebacks were missing or reported under the wrong plugin.
* Fix rabbitmq_plugin idempotence due to information message in new version of rabbitmq (https://github.com/ansible/ansible/pull/52166)
* Fixed KeyError issue in vmware_host_config_manager when a supported option isn't already set (https://github.com/ansible/ansible/issues/44561).
* Fixed issue related to --yaml flag in vmware_vm_inventory. Also fixed caching issue in vmware_vm_inventory (https://github.com/ansible/ansible/issues/52381).
* If large integers are passed as options to modules under Python 2, module argument parsing will reject them as they are of type ``long`` and not of type ``int``.
* allow nice error to work when auto plugin reads file w/o `plugin` field
* ansible-doc * Fix traceback on providing arguemnt --all to ansible-doc command
* azure_rm_virtualmachine_facts * fixed crash related to attached managed disks (https://github.com/ansible/ansible/issues/52181)
* basic * modify the correct variable when determining available hashing algorithms to avoid errors when md5 is not available (https://github.com/ansible/ansible/issues/51355)
* cloudscale * Fix compatibilty with Python3 in version 3.5 and lower.
* convert input into text to ensure valid comparisons in nmap inventory plugin
* dict2items * Allow dict2items to work with hostvars
* dnsimple * fixed a KeyError exception related to record types handling.
* docker_container * now returns warnings from docker daemon on container creation and updating.
* docker_swarm * Fixed node_id parameter not working for node removal (https://github.com/ansible/ansible/issues/53501)
* docker_swarm * do not crash with older docker daemons (https://github.com/ansible/ansible/issues/51175).
* docker_swarm * fixes idempotency for the ``ca_force_rotate`` option.
* docker_swarm * improve Swarm detection.
* docker_swarm * improve idempotency checking; ``rotate_worker_token`` and ``rotate_manager_token`` are now also used when all other parameters have not changed.
* docker_swarm * now supports docker-py 1.10.0 and newer for most operations, instead only docker 2.6.0 and newer.
* docker_swarm * properly implement check mode (it did apply changes).
* docker_swarm * the ``force`` option was ignored when ``state: present``.
* docker_swarm_service * do basic validation of ``publish`` option if specified (must be list of dicts).
* docker_swarm_service * don't crash when ``publish`` is not specified.
* docker_swarm_service * fix problem with docker daemons which do not return ``UpdateConfig`` in the swarm service spec.
* docker_swarm_service * the return value was documented as ``ansible_swarm_service``, but the module actually returned ``ansible_docker_service``. Documentation and code have been updated so that the variable is now called ``swarm_service``. In Ansible 2.7.x, the old name ``ansible_docker_service`` can still be used to access the result.
* ec2 * if the private_ip has been provided for the new network interface it shouldn't also be added to top level parameters for run_instances()
* fix DNSimple to ensure check works even when the number of records is larger than 100
* get_url * return no change in check mode when checksum matches
* inventory plugins * Fix creating groups from composed variables by getting the latest host variables
* inventory_aws_ec2 * fix no_log indentation so AWS temporary credentials aren't displayed in tests
* jenkins_plugin * Prevent plugin to be reinstalled when state=present (https://github.com/ansible/ansible/issues/43728)
* lvol * fixed ValueError when using float size (https://github.com/ansible/ansible/issues/32886, https://github.com/ansible/ansible/issues/29429)
* mysql * MySQLdb doesn't import the cursors module for its own purposes so it has to be imported in MySQL module utilities before it can be used in dependent modules like the proxysql module family.
* mysql * fixing unexpected keyword argument 'cursorclass' issue after migration from MySQLdb to PyMySQL.
* mysql_user: match backticks, single and double quotes when checking user privileges.
* onepassword_facts * Fixes issues which prevented this module working with 1Password CLI version 0.5.5 (or greater). Older versions of the CLI were deprecated by 1Password and will no longer function.
* openssl_certificate * ``has_expired`` correctly checks if the certificate is expired or not
* openssl_certificate * fix Python 3 string/bytes problems for `notBefore`/`notAfter` for self-signed and ownCA providers.
* openssl_certificate * make sure that extensions are actually present when their values should be checked.
* openssl_csr * improve ``subject`` validation.
* openssl_csr * improve error messages for invalid SANs.
* play order is now applied under all circumstances, fixes
* remote_management foreman * Fixed issue where it was impossible to createdelete a product because product was missing in dict choices ( https://github.com/ansible/ansible/issues/48594 )
* rhsm_repository * handle systems without any repos
* skip invalid plugin after warning in loader
* urpmi module * fixed issue
* win_certificate_store * Fix exception handling typo
* win_chocolatey * Fix issue when parsing a beta Chocolatey install * https://github.com/ansible/ansible/issues/52331
* win_chocolatey_source * fix bug where a Chocolatey source could not be disabled unless ``source`` was also set * https://github.com/ansible/ansible/issues/50133
* win_domain * Do not fail if DC is already promoted but a reboot is required, return ``reboot_required: True``
* win_domain * Fix when running without credential delegated authentication * https://github.com/ansible/ansible/issues/53182
* win_file * Fix issue when managing hidden files and directories * https://github.com/ansible/ansible/issues/42466
* winrm * attempt to recover from a WinRM send input failure if possible
* zabbix_hostmacro: fixes truncation of macro contexts that contain colons (see https://github.com/ansible/ansible/pull/51853)
New Plugins
* vmware_vm_inventory * VMware Guest inventory source
- update URL (use SSL version of the URL)
- prepare update for multiple releases (bsc#1102126, bsc#1109957)
- Update to version 2.7.8
Minor Changes:
* Raise AnsibleConnectionError on winrm connnection errors
Bugfixes:
* Backport of https://github.com/ansible/ansible/pull/46478 , fixes name collision in haproxy module
* Fix aws_ec2 inventory plugin code to automatically populate regions when missing as documentation states, also leverage config system vs self default/type validation
* Fix unexpected error when using Jinja2 native types with non-strict constructed keyed_groups (https://github.com/ansible/ansible/issues/52158).
* If an ios module uses a section filter on a device which does not support it, retry the command without the filter.
* acme_challenge_cert_helper * the module no longer crashes when the required ``cryptography`` library cannot be found.
* azure_rm_managed_disk_facts * added missing implementation of listing managed disks by resource group
* azure_rm_mysqlserver * fixed issues with passing parameters while updating existing server instance
* azure_rm_postgresqldatabase * fix force_update bug (https://github.com/ansible/ansible/issues/50978).
* azure_rm_postgresqldatabase * fix force_update bug.
* azure_rm_postgresqlserver * fixed issues with passing parameters while updating existing server instance
* azure_rm_sqlserver * fix for tags support
* azure_rm_virtualmachine * fixed several crashes in module
* azure_rm_virtualmachine_facts * fix crash when vm created from custom image
* azure_rm_virtualmachine_facts * fixed crash related to VM with managed disk attached
* ec2 * Correctly sets the end date of the Spot Instance request. Sets `ValidUntil` value in proper way so it will be auto-canceled through `spot_wait_timeout` interval.
* openssl_csr * fixes idempotence problem with PyOpenSSL backend when no Subject Alternative Names were specified.
* openstack inventory plugin * send logs from sdk to stderr so they do not combine with output
* psrp * do not display bootstrap wrapper for each module exec run
* redfish_utils * get standard properties for firmware entries (https://github.com/ansible/ansible/issues/49832)
* remote home directory * Disallow use of remote home directories that include relative pathing by means of `..` (CVE-2019-3828, bsc#1126503) (https://github.com/ansible/ansible/pull/52133)
* ufw * when using ``state: reset`` in check mode, ``ufw --dry-run reset`` was executed, which causes a loss of firewall rules. The ``ufw`` module was adjusted to no longer run ``ufw --dry-run reset`` to prevent this from happening.
* ufw: make sure that only valid values for ``direction`` are passed on.
* update GetBiosBootOrder to use standard Redfish resources (https://github.com/ansible/ansible/issues/47571)
* win become * Fix some scenarios where become failed to create an elevated process
* win_psmodule * the NuGet package provider will be updated, if needed, to avoid issue under adding a repository
* yum * Remove incorrect disable_includes error message when using disable_excludes (https://github.com/ansible/ansible/issues/51697)
* yum * properly handle a proxy config in yum.conf for an unauthenticated proxy
- Update to version 2.7.7
Minor Changes:
* Allow check_mode with supports_generate_diff capability in cli_config. (https://github.com/ansible/ansible/pull/51417)
* Fixed typo in vmware documentation fragment. Changed 'supported added' to 'support added'.
Bugfixes:
* All K8S_AUTH_* environment variables are now properly loaded by the k8s lookup plugin
* Change backup file globbing for network _config modules so backing up one host's config will not delete the backed up config of any host whose hostname is a subset of the first host's hostname (e.g., switch1 and switch11)
* Fixes bug where nios_a_record wasn't getting deleted if an uppercase named a_record was being passed. (https://github.com/ansible/ansible/pull/51539)
* aci_aaa_user - Fix setting user description (https://github.com/ansible/ansible/issues/51406)
* apt_repository - fixed failure under Python 3.7 (https://github.com/ansible/ansible/pull/47219)
* archive - Fix check if archive is created in path to be removed
* azure_rm inventory plugin - fix azure batch request (https://github.com/ansible/ansible/pull/50006)
* cnos_backup - fixed syntax error (https://github.com/ansible/ansible/pull/47219)
* cnos_image - fixed syntax error (https://github.com/ansible/ansible/pull/47219)
* consul_kv - minor error-handling bugfix under Python 3.7 (https://github.com/ansible/ansible/pull/47219)
* copy - align invocation in return value between check and normal mode
* delegate_facts - fix to work properly under block and include_role (https://github.com/ansible/ansible/pull/51553)
* docker_swarm_service - fix endpoint_mode and publish idempotency.
* ec2_instance - Correctly adds description when adding a single ENI to the instance
* ensure we have a XDG_RUNTIME_DIR, as it is not handled correctly by some privilege escalation configurations
* file - Allow state=touch on file the user does not own https://github.com/ansible/ansible/issues/50943
* fix ansible-pull hanlding of extra args, complex quoting is needed for inline JSON
* fix ansible_connect_timeout variable in network_cli,netconf,httpapi and nxos_install_os timeout check
* netapp_e_storagepool - fixed failure under Python 3.7 (https://github.com/ansible/ansible/pull/47219)
* onepassword_facts - Fix an issue looking up some 1Password items which have a 'password' attribute alongside the 'fields' attribute, not inside it.
* prevent import_role from inserting dupe into roles: execution when duplicate signature role already exists in the section.
* reboot - Fix bug where the connection timeout was not reset in the same task after rebooting
* ssh connection - do not retry with invalid credentials to prevent account lockout (https://github.com/ansible/ansible/issues/48422)
* systemd - warn when exeuting in a chroot environment rather than failing (https://github.com/ansible/ansible/pull/43904)
* win_chocolatey - Fix hang when used with proxy for the first time - https://github.com/ansible/ansible/issues/47669
* win_power_plan - Fix issue where win_power_plan failed on newer Windows 10 builds - https://github.com/ansible/ansible/issues/43827
- update to version 2.7.6
Minor Changes:
* Added documentation about using VMware dynamic inventory plugin.
* Fixed bug around populating host_ip in hostvars in vmware_vm_inventory.
* Image reference change in Azure VMSS is detected and applied correctly.
* docker_volume - reverted changed behavior of force, which was released in Ansible 2.7.1 to 2.7.5, and Ansible 2.6.8 to 2.6.11. Volumes are now only recreated if the parameters changed and force is set to true (instead of or). This is the behavior which has been described in the documentation all the time.
* set ansible_os_family from name variable in os-release
* yum and dnf can now handle installing packages from URIs that are proxy redirects and don't end in the .rpm file extension
Bugfixes:
* Added log message at -vvvv when using netconf connection listing connection details.
* Changes how ansible-connection names socket lock files. They now use the same name as the socket itself, and as such do not lock other attempts on connections to the same host, or cause issues with overly-long hostnames.
* Fix mandatory statement error for junos modules (https://github.com/ansible/ansible/pull/50138)
* Moved error in netconf connection plugin from at import to on connection.
* This reverts some changes from commit 723daf3. If a line is found in the file, exactly or via regexp matching, it must not be added again. insertafter/insertbefore options are used only when a line is to be inserted, to specify where it must be added.
* allow using openstack inventory plugin w/o a cache
* callbacks - Do not filter out exception, warnings, deprecations on failure when using debug (https://github.com/ansible/ansible/issues/47576)
* certificate_complete_chain - fix behavior when invalid file is parsed while reading intermediate or root certificates.
* copy - Ensure that the src file contents is converted to unicode in diff information so that it is properly wrapped by AnsibleUnsafeText to prevent unexpected templating of diff data in Python3 (https://github.com/ansible/ansible/issues/45717)
* correct behaviour of verify_file for vmware inventory plugin, it was always returning True
* dnf - fix issue where conf_file was not being loaded properly
* dnf - fix update_cache combined with install operation to not cause dnf transaction failure
* docker_container - fix network_mode idempotency if the container:<container-name> form is used (as opposed to container:<container-id>) (https://github.com/ansible/ansible/issues/49794)
* docker_container - warning when non-string env values are found, avoiding YAML parsing issues. Will be made an error in Ansible 2.8. (https://github.com/ansible/ansible/issues/49802)
* docker_swarm_service - Document labels and container_labels with correct type.
* docker_swarm_service - Document limit_memory and reserve_memory correctly on how to specify sizes.
* docker_swarm_service - Document minimal API version for configs and secrets.
* docker_swarm_service - fix use of Docker API so that services are not detected as present if there is an existing service whose name is a substring of the desired service
* docker_swarm_service - fixing falsely reporting update_order as changed when option is not used.
* document old option that was initally missed
* ec2_instance now respects check mode https://github.com/ansible/ansible/pull/46774
* fix for network_cli - ansible_command_timeout not working as expected (#49466)
* fix handling of firewalld port if protocol is missing
* fix lastpass lookup failure on python 3 (https://github.com/ansible/ansible/issues/42062)
* flatpak - Fixed Python 2/3 compatibility
* flatpak - Fixed issue where newer versions of flatpak failed on flatpak removal
* flatpak_remote - Fixed Python 2/3 compatibility
* gcp_compute_instance - fix crash when the instance metadata is not set
* grafana_dashboard - Fix a pair of unicode string handling issues with version checking (https://github.com/ansible/ansible/pull/49194)
* host execution order - Fix reverse_inventory not to change the order of the items before reversing on python2 and to not backtrace on python3
* icinga2_host - fixed the issue with not working use_proxy option of the module.
* influxdb_user - An unspecified password now sets the password to blank, except on existing users. This previously caused an unhandled exception.
* influxdb_user - Fixed unhandled exception when using invalid login credentials (https://github.com/ansible/ansible/issues/50131)
* openssl_* - fix error when path contains a file name without path.
* openssl_csr - fix problem with idempotency of keyUsage option.
* openssl_pkcs12 - now does proper path expansion for ca_certificates.
* os_security_group_rule - os_security_group_rule doesn't exit properly when secgroup doesn't exist and state=absent (https://github.com/ansible/ansible/issues/50057)
* paramiko_ssh - add auth_timeout parameter to ssh.connect when supported by installed paramiko version. This will prevent 'Authentication timeout' errors when a slow authentication step (>30s) happens with a host (https://github.com/ansible/ansible/issues/42596)
* purefa_facts and purefb_facts now correctly adds facts into main ansible_fact dictionary (https://github.com/ansible/ansible/pull/50349)
* reboot - add appropriate commands to make the plugin work with VMware ESXi (https://github.com/ansible/ansible/issues/48425)
* reboot - add support for rebooting AIX (https://github.com/ansible/ansible/issues/49712)
* reboot - gather distribution information in order to support Alpine and other distributions (https://github.com/ansible/ansible/issues/46723)
* reboot - search common paths for the shutdown command and use the full path to the binary rather than depending on the PATH of the remote system (https://github.com/ansible/ansible/issues/47131)
* reboot - use a common set of commands for older and newer Solaris and SunOS variants (https://github.com/ansible/ansible/pull/48986)
* redfish_utils - fix reference to local variable 'systems_service'
* setup - fix the rounding of the ansible_memtotal_mb value on VMWare vm's (https://github.com/ansible/ansible/issues/49608)
* vultr_server - fixed multiple ssh keys were not handled.
* win_copy - Fix copy of a dir that contains an empty directory - https://github.com/ansible/ansible/issues/50077
* win_firewall_rule - Remove invalid 'bypass' action
* win_lineinfile - Fix issue where a malformed json block was returned causing an error
* win_updates - Correctly report changes on success
- update to version 2.7.5
Minor Changes:
* Add warning about falling back to jinja2_native=false when Jinja2 version is lower than 2.10.
* Change the position to search os-release since clearlinux new versions are providing /etc/os-release too
* Fixed typo in ansible-galaxy info command.
* Improve the deprecation message for squashing, to not give misleading advice
* Update docs and return section of vmware_host_service_facts module.
* ansible-galaxy: properly warn when git isn't found in an installed bin path instead of traceback
* dnf module properly load and initialize dnf package manager plugins
* docker_swarm_service: use docker defaults for the user parameter if it is set to null
Bugfixes:
* bsc#1118896 CVE-2018-16876 Information disclosure in vvv+ mode with no_log on (https://github.com/ansible/ansible/pull/49569)
* ACME modules: improve error messages in some cases (include error returned by server).
* Added unit test for VMware module_utils.
* Also check stdout for interpreter errors for more intelligent messages to user
* Backported support for Devuan-based distribution
* Convert hostvars data in OpenShift inventory plugin to be serializable by ansible-inventory
* Fix AttributeError (Python 3 only) when an exception occurs while rendering a template
* Fix N3K power supply facts (https://github.com/ansible/ansible/pull/49150).
* Fix NameError nxos_facts (https://github.com/ansible/ansible/pull/48981).
* Fix VMware module utils for self usage.
* Fix error in OpenShift inventory plugin when a pod has errored and is empty
* Fix if the route table changed to none (https://github.com/ansible/ansible/pull/49533)
* Fix iosxr netconf plugin response namespace (https://github.com/ansible/ansible/pull/49300)
* Fix issues with nxos_install_os module for nxapi (https://github.com/ansible/ansible/pull/48811).
* Fix lldp and cdp neighbors information (https://github.com/ansible/ansible/pull/48318)(https://github.com/ansible/ansible/pull/48087)(https://github.com/ansible/ansible/pull/49024).
* Fix nxos_interface and nxos_linkagg Idempotence issue (https://github.com/ansible/ansible/pull/46437).
* Fix traceback when updating facts and the fact cache plugin was nonfunctional
* Fix using vault encrypted data with jinja2_native (https://github.com/ansible/ansible/issues/48950)
* Fixed: Make sure that the files excluded when extracting the archive are not checked. https://github.com/ansible/ansible/pull/45122
* Fixes issue where a password parameter was not set to no_log
* Respect no_log on retry and high verbosity (CVE-2018-16876)
* aci_rest - Fix issue ignoring custom port
* acme_account, acme_account_facts - in some cases, it could happen that the modules return information on disabled accounts accidentally returned by the ACME server.
* docker_swarm - decreased minimal required API version from 1.35 to 1.25; some features require API version 1.30 though.
* docker_swarm_service: fails because of default 'user: root' (https://github.com/ansible/ansible/issues/49199)
* ec2_metadata_facts - Parse IAM role name from the security credential field since the instance profile name is different
* fix azure_rm_image module use positional parameter (https://github.com/ansible/ansible/pull/49394)
* fixes an issue with dict_merge in network utils (https://github.com/ansible/ansible/pull/49474)
* gcp_utils - fix google auth scoping issue with application default credentials or google cloud engine credentials. Only scope credentials that can be scoped.
* mail - fix python 2.7 regression
* openstack - fix parameter handling when cloud provided as dict https://github.com/ansible/ansible/issues/42858
* os_user - Include domain parameter in user deletion https://github.com/ansible/ansible/issues/42901
* os_user - Include domain parameter in user lookup https://github.com/ansible/ansible/issues/42901
* ovirt_storage_connection - comparing passwords breaks idempotency in update_check (https://github.com/ansible/ansible/issues/48933)
* paramiko_ssh - improve log message to state the connection type
* reboot - use IndexError instead of TypeError in exception
* redis cache - Support version 3 of the redis python library (https://github.com/ansible/ansible/issues/49341)
* sensu_silence - Cast int for expire field to avoid call failure to sensu API.
* vmware_host_service_facts - handle exception when service package does not have package name.
* win_nssm - Switched to Argv-ToString for escaping NSSM credentials (https://github.com/ansible/ansible/issues/48728)
* zabbix_hostmacro - Added missing validate_certs logic for running module against Zabbix servers with untrused SSL certificates (https://github.com/ansible/ansible/issues/47611)
* zabbix_hostmacro - Fixed support for user macros with context (https://github.com/ansible/ansible/issues/46953)
- update to version 2.7.4
Bugfixes:
* powershell - add lib/ansible/executor/powershell to the packaging data
- update to version 2.7.3
Minor Changes:
* Document Path and Port are mutually exclusive parameters in wait_for module
* Puppet module remove --ignorecache to allow Puppet 6 support
* dnf properly support modularity appstream installation via overloaded group
modifier syntax
* proxmox_kvm - fix exception
* win_security_policy - warn users to use win_user_right instead when editing
Privilege Rights
Bugfixes:
* Fix the issue that FTD HTTP API retries authentication-related HTTP requests
* Fix the issue that module fails when the Swagger model does not have required fields
* Fix the issue with comparing string-like objects
* Fix using omit on play keywords
* Windows - prevent sensitive content from appearing in scriptblock logging (CVE-2018-16859)
* apt_key - Disable TTY requirement in GnuPG for the module to work correctly
when SSH pipelining is enabled
* better error message when bad type in config, deal with EVNAR= more gracefully
* configuration retrieval would fail on non primed plugins
* cs_template - Fixed a KeyError on state=extracted
* docker_container - fix idempotency problems with docker-py caused by previous
init idempotency fix
* docker_container - fix interplay of docker-py version check with argument_spec
validation improvements
* docker_network - driver_options containing Python booleans would cause Docker
to throw exceptions
* ec2_group - Fix comparison of determining which rules to purge by ignoring descriptions
* pip module - fix setuptools/distutils replacement
* sysvinit - enabling a service should use 'defaults' if no runlevels are specified
- update to version 2.7.2
Minor changes:
* Fix documentation for cloning template
* Parsing plugin filter may raise TypeError, gracefully handle this
exception and let user know about the syntax error in plugin filter file
* Scenario guide for VMware HTTP API usage
* Update plugin filter documentation
* fix yum and dnf autoremove input sanitization to properly warn user if
invalid options passed and update documentation to match
* improve readability and fix privileges names on vmware scenario_clone_template
* k8s - updated module documentation to mention how to avoid SSL validation errors
* yum - when checking for updates, now properly include Obsoletes
(both old and new) package data in the module JSON output
- update to 2.7.1
Minor changes:
* Fix yum module to properly check for empty conf_file value
* added capability to set the scheme for the consul_kv lookup
* added optional certificate and certificate validation for consul_kv lookups
* dnf - properly handle modifying the enable/disable excludes data field
* dnf appropriately handles disable_excludes repoid argument
* dnf proerly honors disable_gpg_check for local package installation
* fix yum module to handle list argument optional empty strings properly
* netconf_config - Make default_operation optional in netconf_config module
* yum - properly handle proxy password and username embedded in url
* yum/dnf - fail when space separated string of names
- update to 2.7.0
Major changes:
* Allow config to enable native jinja types
* Remove support for simplejson
* yum and dnf modules now at feature parity
Minor changes:
* Changed the prefix of all Vultr modules from vr to vultr
* Enable installroot tests for yum4(dnf) integration testing, dnf backend now supports that
* Fixed timer in exponential backoff algorithm in vmware.py
Bugfixes:
* Security Fix - avoid loading host/group vars from cwd when not specifying a playbook or playbook base dir
* Security Fix - avoid using ansible.cfg in a world writable dir
* Some connection exception would cause no_log specified on a task to be ignored (stdout info disclosure)
* Fix glob path of rc.d (SUSE-specific)
* Fix lambda_policy updates
* Fix alt linux detection/matching
- update to 2.6.4
Minor Changes:
* add azure_rm_storageaccount support to StorageV2 kind.
* import_tasks - Do not allow import_tasks to transition to dynamic
if the file is missing
Bugfixes:
* Add md5sum check in nxos_file_copy module
* Allow arbitrary log_driver for docker_container
* Fix Python2.6 regex bug terminal plugin nxos, iosxr
* Fix check_mode in nxos_static_route module
* Fix glob path of rc.d Some distribtuions like SUSE has the rc%.d
directories under /etc/init.d
* Fix network config diff issue for lines
* Fixed an issue where ansible_facts.pkg_mgr would incorrectly set
to zypper on Debian/Ubuntu systems that happened to have the
command installed
* The docker_* modules respect the DOCKER_* environment variables again
* The fix for CVE-2018-10875 prints out a warning message about
skipping a config file from a world writable current working directory.
However, if the user is in a world writable current working directory
which does not contain a config file, it should not print a warning
message. This release fixes that extaneous warning.
* To resolve nios_network issue where vendor-encapsulated-options
can not have a use_option flag.
* To resolve the issue of handling exception for Nios lookup gracefully.
* always correctly template no log for tasks
* ansible-galaxy - properly list all roles in roles_path
* basic.py - catch ValueError in case a FIPS enabled platform
raises this exception
* docker_container: fixing working_dir idempotency problem
* docker_container: makes unit parsing for memory sizes more consistent,
and fixes idempotency problem when kernel_memory is set
* fix example code for AWS lightsail documentation
* fix the enable_snat parameter that is only supposed to be used by
an user with the right policies.
* fixes docker_container check and debug mode
* improves docker_container idempotency
* ios_l2_interface - fix bug when list of vlans ends with comma
* ios_l2_interface - fix issue with certain interface types
* ios_user - fix unable to delete user admin issue
* ios_vlan - fix unable to work on certain interface types issue
* nxos_facts test lldp feature and fix nxapi check_rc
* nxos_interface port-channel idempotence fix for mode
* nxos_linkagg mode fix
* nxos_system idempotence fix
* nxos_vlan refactor to support non structured output
* one_host - fixes settings via environment variables
* use retry_json nxos_banner
* user - Strip trailing comments in /etc/default/passwd
* user - when creating a new user without an expiration date,
properly set no expiration rather that expirining the account
* win_domain_computer - fixed deletion of computer active directory
object that have dependent objects
* win_domain_computer - fixed error in diff_support
* win_domain_computer - fixed error when description parameter is empty
* win_psexec - changed code to not escape the command option when building the args
* win_uri -- Fix support for JSON output when charset is set
* win_wait_for - fix issue where timeout doesn't wait unless state=drained
- update to 2.6.3
Bugfixes:
* Fix lxd module to be idempotent when the given configuration for
the lxd container has not changed
* Fix setting value type to str to avoid conversion during template
read. Fix Idempotency in case of 'no key'.
* Fix the mount module's handling of swap entries in fstab
* The fix for (CVE-2018-10875) prints out a warning message about
skipping a config file from a world writable current working
directory. However, if the user explicitly specifies that the
config file should be used via the ANSIBLE_CONFIG environment
variable then Ansible would honor that but still print out the
warning message. This has been fixed so that Ansible honors the
user's explicit wishes and does not print a warning message in
that circumstance.
* To fix the bug where existing host_record was deleted when existing
record name is used with different IP.
* VMware handle pnic in proxyswitch
* fix azure security group cannot add rules when purge_rule set to false.
* fix azure_rm_deployment collect tags from existing Resource Group.
* fix azure_rm_loadbalancer_facts list takes at least 2 arguments.
* fix for the bundled selectors module (used in the ssh and local
connection plugins) when a syscall is restarted after being
interrupted by a signal
* get_url - fix the bug that get_url does not change mode when checksum matches
* nicer error when multiprocessing breaks
* openssl_certificate - Convert valid_date to bytes for conversion
* openstack_inventory.py dynamic inventory file fixed the plugin to the
script so that it will work with current ansible-inventory. Also
redirect stdout before dumping the ouptput, because not doing so will
cause JSON parse errors in some cases.
* slack callback - Fix invocation by looking up data from cli.options
* sysvinit module: handle values of optional parameters. Don't disable
service when enabled parameter isn't set. Fix command when arguments
parameter isn't set.
* vars_prompt - properly template play level variables in vars_prompt
* win_domain - ensure the Netlogon service is up and running after
promoting host to controller
* win_domain_controller - ensure the Netlogon service is up and running
after promoting host to controller
- update to 2.6.2
Minor Changes
+ Sceanrio guide for removing an existing virtual machine is added.
+ lineinfile - add warning when using an empty regexp
+ Restore module_utils.basic.BOOLEANS variable for backwards compatibility
with the module API in older ansible releases.
Bugfixes:
+ Includes fix for bsc#1099808 (CVE-2018-10875) ansible.cfg is being read
from current working directory allowing possible code execution
+ Add text output along with structured output in nxos_facts
+ Allow more than one page of results by using the right pagination
indicator ('NextMarker' instead of 'NextToken').
+ Fix an atomic_move error that is 'true', but misleading.
Now we show all 3 files involved and clarify what happened.
+ Fix eos_l2_interface eapi.
+ Fix fetching old style facts in junos_facts module
+ Fix get_device_info nxos zero or more whitespace regex
+ Fix nxos CI failures
+ Fix nxos_nxapi default http behavior
+ Fix nxos_vxlan_vtep_vni
+ Fix regex network_os_platform nxos
+ Refactor nxos cliconf get_device_info for non structured
output supported devices
+ To fix the NoneType error raised in ios_l2_interface when
Access Mode VLAN is unassigned
+ emtpy host/group name is an error
+ fix default SSL version for docker modules
+ fix mail module when using starttls
+ fix nmap config example
+ fix ps detection of service
+ fix the remote tmp folder permissions issue when becoming a non
admin user
+ fix typoe in sysvinit that breaks update.rc-d detection
+ fixes docker_container compatibilty with docker-py < 2.2
+ get_capabilities in nxapi module_utils should not return empty dictionary
+ inventory - When using an inventory directory, ensure extension
comparison uses text types
+ ios_vlan - fix unable to identify correct vlans issue
+ nxos_facts warning message improved
+ openvswitch_db - make 'key' argument optional
+ pause - do not set stdout to raw mode when redirecting to a file
+ pause - nest try except when importing curses to gracefully fail
if curses is not present
+ plugins/inventory/openstack.py - Do not create group with empty
name if region is not set
+ preseve delegation info on nolog
+ remove ambiguity when it comes to 'the source'
+ remove dupes from var precedence
+ restores filtering out conflicting facts
+ user - fix bug that resulted in module always reporting a change when
specifiying the home directory on FreeBSD
+ user - use correct attribute name in FreeBSD for creat_home
+ vultr - Do not fail trying to load configuration from ini files if
required variables have been set as environment variables.
+ vyos_command correcting conditionals looping
+ win_chocolatey - enable TLSv1.2 support when downloading the
Chocolatey installer
+ win_reboot - fix for handling an already scheduled reboot and other
minor log formatting issues
+ win_reboot - fix issue when overridding connection timeout hung
the post reboot uptime check
+ win_reboot - handle post reboots when running test_command
+ win_security_policy - allows an empty string to reset a policy value
+ win_share - discard any cmdlet output we don't use to ensure only the
return json is received by Ansible
+ win_unzip - discard any cmdlet output we don't use to ensure only the
return json is received by Ansible
+ win_updates - fixed module return value is lost in error in some cases
+ win_user - Use LogonUser to validate the password as it does not
rely on SMB/RPC to be available
+ Security Fix - avoid loading host/group vars from cwd when not
specifying a playbook or playbook base dir
+ Security Fix - avoid using ansible.cfg in a world writable dir.
+ Fix junos_config confirm commit timeout issue
(https://github.com/ansible/ansible/pull/41527)
+ file module - The touch subcommand had its diff output broken during
the 2.6.x development cycle. This is now fixed.
+ inventory manager - This fixes required options being populated before
the inventory config file is read, so the required options may be
set in the config file.
+ nsupdate - allow hmac-sha384 https://github.com/ansible/ansible/pull/42209
+ win_domain - fixes typo in one of the AD cmdlets
https://github.com/ansible/ansible/issues/41536
+ win_group_membership - uses the internal Ansible SID conversion logic
and uses that when comparing group membership instead of the name
- use fdupes to save some space in python_sitelib
- define BuildRoot on older distributions like SLE-11
- be a bit more flexible with the ending of manpage files to allow
Fedora builds to succeed
- includes fix for bsc#1099805 (CVE-2018-10874) Inventory
variables are loaded from current working directory when
running ad-hoc command that can lead to code execution
(included upstream in 2.6.1).
- revert some unneeded changes from spec-cleaner
- updated to latest release 2.6.0
- New Plugins:
+ Callback:
- cgroup_memory_recap
- grafana_annotations
- sumologic
+ Connection:
- httpapi
+ Inventory:
- foreman
- gcp_compute
- generator
- nmap
+ Lookup:
- onepassword
- onepassword_raw
- Modules updates too many to mention here
please look at package documentation directory (/usr/share/doc/packages/.../changelogs)
- bug fixes:
- **Security Fix** - Some connection exceptions would cause no_log
specified on a task to be ignored. If this happened, the task information,
including any private information coul d have been displayed to stdout and
(if enabled, not the default) logged to a log file specified in
ansible.cfg's log_path. Additionally, sites which redirected stdout from
ansible runs to a log file may have stored that private information onto
disk that way as well. (https://github.com/ansible/ansible/pull/41414)
- Changed the admin_users config option to not include 'admin' by default
as admin is frequently used for a non-privileged account
(https://github.com/ansible/ansible/pull/41164)
- Changed the output to 'text' for 'show vrf' command as default 'json'
output format with respect to 'eapi' transport was failing
(https://github.com/ansible/ansible/pull/41470)
- Document mode=preserve for both the copy and template module
- Fix added for Digital Ocean Volumes API change causing Ansible to
recieve an unexpected value in the response.
(https://github.com/ansible/ansible/pull/41431)
- Fix an encoding issue when parsing the examples from a plugins'
documentation
- Fix iosxr_config module to handle route-policy, community-set,
prefix-set, as-path-set and rd-set blocks. All these blocks are part of
route-policy language of iosxr.
- Fix mode=preserve with remote_src=True for the copy module
- Implement mode=preserve for the template module
- The yaml callback plugin now allows non-ascii characters to be
displayed.
- Various grafana_* modules - Port away from the deprecated
b64encodestring function to the b64encode function instead.
https://github.com/ansible/ansible/pull/38388
- added missing 'raise' to exception definition
https://github.com/ansible/ansible/pull/41690
- allow custom endpoints to be used in the aws_s3 module
(https://github.com/ansible/ansible/pull/36832)
- allow set_options to be called multiple times
https://github.com/ansible/ansible/pull/41913
- ansible-doc - fixed traceback on missing plugins
(https://github.com/ansible/ansible/pull/41167)
- cast the device_mapping volume size to an int in the ec2_ami module
(https://github.com/ansible/ansible/pull/40938)
- copy - fixed copy to only follow symlinks for files in the non-recursive case
- copy module - The copy module was attempting to change the mode of files
for remote_src=True even if mode was not set as a parameter. This
failed on filesystems which do not have permission bits
(https://github.com/ansible/ansible/pull/40099)
- copy module - fixed recursive copy with relative paths
(https://github.com/ansible/ansible/pull/40166)
- correct debug display for all cases
https://github.com/ansible/ansible/pull/41331
- correctly check hostvars for vars term
https://github.com/ansible/ansible/pull/41819
- correctly handle yaml inventory files when entries are null dicts
https://github.com/ansible/ansible/issues/41692
- dynamic includes - Allow inheriting attributes from static parents
(https://github.com/ansible/ansible/pull/38827)
- dynamic includes - Don't treat undefined vars for conditional includes
as truthy (https://github.com/ansible/ansible/pull/39377)
- dynamic includes - Fix IncludedFile comparison for free strategy
(https://github.com/ansible/ansible/pull/37083)
- dynamic includes - Improved performance by fixing re-parenting on copy
(https://github.com/ansible/ansible/pull/38747)
- dynamic includes - Use the copied and merged task for calculating task
vars (https://github.com/ansible/ansible/pull/39762)
- file - fixed the default follow behaviour of file to be true
- file module - Eliminate an error if we're asked to remove a file but
something removes it while we are processing the request
(https://github.com/ansible/ansible/pull/39466)
- file module - Fix error when recursively assigning permissions and a
symlink to a nonexistent file is present in the directory tree
(https://github.com/ansible/ansible/issues/39456)
- file module - Fix error when running a task which assures a symlink to a
nonexistent file exists for the second and subsequent times
(https://github.com/ansible/ansible/issues/39558)
- file module - The file module allowed the user to specify src as a
parameter when state was not link or hard. This is documented as only
applying to state=link or state=hard but in previous Ansible, this could
have an effect in rare cornercases. For instance, 'ansible -m file -a
'state=directory path=/tmp src=/var/lib'' would create /tmp/lib. This
has been disabled and a warning emitted (will change to an error in
Ansible-2.10).
- file module - The touch subcommand had its diff output broken during the
2.6.x development cycle. This is now fixed
(https://github.com/ansible/ansible/issues/41755)
- fix BotoCoreError exception handling
- fix apt-mark on debian6 (https://github.com/ansible/ansible/pull/41530)
- fix async for the aws_s3 module by adding async support to the action
plugin (https://github.com/ansible/ansible/pull/40826)
- fix decrypting vault files for the aws_s3 module
(https://github.com/ansible/ansible/pull/39634)
- fix errors with S3-compatible APIs if they cannot use ACLs for buckets
or objects
- fix permission handling to try to download a file even if the user does
not have permission to list all objects in the bucket
- fixed config required handling, specifically for _terms in lookups
https://github.com/ansible/ansible/pull/41740
- gce_net - Fix sorting of allowed ports
(https://github.com/ansible/ansible/pull/41567)
- group_by - support implicit localhost
(https://github.com/ansible/ansible/pull/41860)
- import/include - Ensure role handlers have the proper parent, allowing
for correct attribute inheritance
(https://github.com/ansible/ansible/pull/39426)
- import_playbook - Pass vars applied to import_playbook into parsing of
the playbook as they may be needed to parse the imported plays
(https://github.com/ansible/ansible/pull/39521)
- include_role/import_role - Don't overwrite included role handlers with
play handlers on parse (https://github.com/ansible/ansible/pull/39563)
- include_role/import_role - Fix parameter templating
(https://github.com/ansible/ansible/pull/36372)
- include_role/import_role - Use the computed role name for
include_role/import_role so to diffentiate between names computed from
host vars (https://github.com/ansible/ansible/pull/39516)-
include_role/import_role - improved performance and recursion depth
(https://github.com/ansible/ansible/pull/36470)
- lineinfile - fix insertbefore when used with BOF to not insert duplicate
lines (https://github.com/ansible/ansible/issues/38219)
- password lookup - Do not load password lookup in network filters,
allowing the password lookup to be overriden
(https://github.com/ansible/ansible/pull/41907)
- pause - ensure ctrl+c interrupt works in all cases
(https://github.com/ansible/ansible/issues/35372)
- powershell - use the tmpdir set by `remote_tmp` for become/async tasks
instead of the generic $env:TEMP -
https://github.com/ansible/ansible/pull/40210
- selinux - correct check mode behavior to report same changes as normal
mode (https://github.com/ansible/ansible/pull/40721)
- spwd - With python 3.6 spwd.getspnam returns PermissionError instead of
KeyError if user does not have privileges
(https://github.com/ansible/ansible/issues/39472)
- synchronize - Ensure the local connection created by synchronize uses
_remote_is_local=True, which causes ActionBase to build a local tmpdir
(https://github.com/ansible/ansible/pull/40833)
- template - Fix for encoding issues when a template path contains
non-ascii characters and using the template path in ansible_managed
(https://github.com/ansible/ansible/issues/27262)
- template action plugin - fix the encoding of filenames to avoid
tracebacks on Python2 when characters that are not present in the user's
locale are present. (https://github.com/ansible/ansible/pull/39424)
- user - only change the expiration time when necessary
(https://github.com/ansible/ansible/issues/13235)
- uses correct conn info for reset_connection
https://github.com/ansible/ansible/issues/27520
- win_environment - Fix for issue where the environment value was deleted
when a null value or empty string was set -
https://github.com/ansible/ansible/issues/40450
- win_file - fix issue where special chars like [ and ] were not being
handled correctly https://github.com/ansible/ansible/pull/37901
- win_get_url - fixed a few bugs around authentication and force no when
using an FTP URL
- win_iis_webapppool - redirect some module output to null so Ansible can
read the output JSON https://github.com/ansible/ansible/issues/40874
- win_template - fix when specifying the dest option as a directory with
and without the trailing slash
https://github.com/ansible/ansible/issues/39886
- win_updates - Added the ability to run on a scheduled task for older
hosts so async starts working again -
https://github.com/ansible/ansible/issues/38364
- win_updates - Fix logic when using a whitelist for multiple updates
- win_updates - Fix typo that hid the download error when a download
failed
- win_updates - Fixed issue where running win_updates on async fails
without any error
- windows become - Show better error messages when the become process fails
- winrm - Add better error handling when the kinit process fails
- winrm - allow `ansible_user` or `ansible_winrm_user` to override
`ansible_ssh_user` when both are defined in an inventory -
https://github.com/ansible/ansible/issues/39844
- winrm - ensure pexpect is set to not echo the input on a failure and have
a manual sanity check afterwards
https://github.com/ansible/ansible/issues/41865
- winrm connection plugin - Fix exception messages sometimes raising a
traceback when the winrm connection plugin encounters an unrecoverable
error. https://github.com/ansible/ansible/pull/39333
- xenserver_facts - ensure module works with newer versions of XenServer
(https://github.com/ansible/ansible/pull/35821)
- use python3 on (open)SUSE 15 or newer
- Update to 2.5.5
- Fixed the honouration of the no_log option with failed task iterations
(CVE-2018-10855 boo#1097775)
- Bufixes:
- Changed the admin_users config option to not include 'admin' by default
as admin is frequently used for a non-privileged account
- aws_s3 - add async support to the action plugin
- aws_s3 - fix decrypting vault files
- ec2_ami - cast the device_mapping volume size to an int
- eos_logging - fix idempotency issues
- cache plugins - A cache timeout of 0 means the cache will not expire.
- ios_logging - fix idempotency issues
- ios/nxos/eos_config - don't retrieve config in running_config when config is provided for diff
- nxos_banner - fix multiline banner issue
- nxos terminal plugin - fix output truncation
- nxos_l3_interface - fix no switchport issue with loopback and svi interfaces
- nxos_snapshot - fix compare_option
- Applied spec-cleaner
- Update to 2.5.1
Minor Changes
+ Updated example in vcenter_license module.
+ Updated virtual machine facts with instanceUUID which is unique
for each VM irrespective of name and BIOS UUID.
+ A lot of Bugfixes, please refer to the Changelog installed in
/usr/share/doc/packages/ansible/changelogs/CHANGELOG-v2.5.rst
- Update to 2.5.0:
Major Changes
* Ansible Network improvements
+ Created new connection plugins network_cli and netconf to replace
connection=local. connection=local will continue to work for a
number of Ansible releases.
+ No more unable to open shell. A clear and descriptive message will
be displayed in normal ansible-playbook output without needing to enable debug mode
+ Loads of documentation, see Ansible for Network Automation Documentation.
+ Refactor common network shared code into package under module_utils/network/
+ Filters: Add a filter to convert XML response from a network device to JSON object.
+ Loads of bug fixes.
+ Plus lots more.
* New simpler and more intuitive 'loop' keyword for task loops. The
with_<lookup> loops will likely be deprecated in the near future
and eventually removed.
* Added fact namespacing; from now on facts will be available under
ansible_facts namespace (for example: ansible_facts.os_distribution)
without the ansible_ prefix. They will continue to be added into the
main namespace directly, but now with a configuration toggle to enable
this. This is currently on by default, but in the future it will default to off.
* Added a configuration file that a site administrator can use to
specify modules to exclude from being used.
Minor Changes
* please refer to /share/doc/packages/ansible/changelogs/CHANGELOG-v2.5.rst
Deprecated Features
* Previously deprecated 'hostfile' config settings have been 're-deprecated'
because previously code did not warn about deprecated configuration settings.
* Using Ansible-provided Jinja tests as filters is deprecated and will
be removed in Ansible 2.9.
* The stat and win_stat modules have deprecated get_md5 and the md5 return
values. These options will become undocumented in Ansible 2.9 and
removed in a later version.
* The redis_kv lookup has been deprecated in favor of new redis lookup
* Passing arbitrary parameters that begin with HEADER_ to the uri module,
used for passing http headers, is deprecated. Use the headers parameter
with a dictionary of header names to value instead.
This will be removed in Ansible 2.9
* Passing arbitrary parameters to the zfs module to set zfs properties is
deprecated. Use the extra_zfs_properties parameter with a dictionary of
property names to values instead. This will be removed in Ansible 2.9.
* Use of the AnsibleModule parameter check\_invalid\_arguments in custom
modules is deprecated. In the future, all parameters will be checked to
see whether they are listed in the arg spec and an error raised if they
are not listed. This behaviour is the current and future default so most
custom modules can simply remove check\_invalid\_arguments if they set it
to the default value of True. The check\_invalid\_arguments parameter
will be removed in Ansible 2.9.
* The nxos_ip_interface module is deprecated in Ansible 2.5.
Use nxos_l3_interface module instead.
* The nxos_portchannel module is deprecated in Ansible 2.5.
Use nxos_linkagg module instead.
* The nxos_switchport module is deprecated in Ansible 2.5.
Use nxos_l2_interface module instead.
* The ec2_ami_find has been deprecated; use ec2_ami_facts instead.
* panos_security_policy: Use panos_security_rule - the old module uses
deprecated API calls
* vsphere_guest is deprecated in Ansible 2.5 and will be removed in
Ansible-2.9. Use vmware_guest module instead.
Removed Features (previously deprecated)
* accelerate.
* boundary_meter: There was no deprecation period for this but the hosted
service it relied on has gone away so the module has been removed. #29387
* cl_ : cl_interface, cl_interface_policy, cl_bridge, cl_img_install,
cl_ports, cl_license, cl_bond. Use nclu instead
* docker. Use docker_container and docker_image instead.
* ec2_vpc.
* ec2_ami_search, use ec2_ami_facts instead.
* nxos_mtu. Use nxos_system's system_mtu option instead.
To specify an interface's MTU use nxos_interface.
* panos_nat_policy: Use panos_nat_rule the old module uses
deprecated API calls
- also package the changelogs directory below
/usr/share/doc/packages/ansible/ for better reference
- License changed to GPL-3.0-or-later, as mentioned in the source
(former license focues on GPL-3.0 only)
- Add python-passlib as Requires (bsc#1080682)
passlib is needed for the 'vars_prompt' feature of ansible
- Update to version 2.4.3.0:
* Fix `pamd` rule args regexp to match file paths.
* Check if SELinux policy exists before setting.
* Set locale to `C` in `letsencrypt` module to fix date parsing
errors.
* Fix include in loop when stategy=free.
* Fix save parameter in asa_config.
* Fix --vault-id support in ansible-pull.
* In nxos_interface_ospf, fail nicely if loopback is used with
passive_interface.
* Fix quote filter when given an integer to quote.
* nxos_vrf_interface fix when validating the interface.
* Fix for win_copy when sourcing files from an SMBv1 share.
* correctly report callback plugin file.
* restrict revaulting to vault cli.
* Fix python3 tracebacks in letsencrypt module.
* Fix ansible_*_interpreter variables to be templated prior to
being used.
* Fix setting of environment in a task that uses a loop
* Fix fetch on Windows failing to fetch files or particular
block size.
* preserve certain fields during no log.
* fix issue with order of declaration of sections in ini
inventory.
* Fix win_iis_webapppool to correctly stop a apppool.
* Fix CloudEngine host failed.
* Fix ios_config save issue.
* Handle vault filenames with nonascii chars when displaying
messages.
* Fix win_iis_webapppool to not return passwords.
* Fix extended file attributes detection and changing.
* correctly ensure 'ungrouped' membership rules.
* made warnings less noisy when empty/no inventory is supplied.
* Fixes a failure which prevents to create servers in module
cloudscale_server.
* Fix win_firewall_rule 'Specified cast is invalid' error when
modifying a rule with all of Domain/Public/Private profiles set.
* Fix case for multilib when installing from a file in the yum
module.
* Fix WinRM parsing/escaping of IPv6 addresses.
* Fix win_package to detect MSI regardless of the extension case.
* Updated win_mapped_drive docs to clarify what it is used for.
* Fix file related modules run in check_mode when the file being
operated on does not exist.
* Make eos_vlan idempotent.
* Fix win_iis_website to properly check attributes before setting.
* Fixed the removal date for ios_config save and force parameters.
* cloudstack: fix timeout from ini config file being ignored.
* fixes memory usage issues with many blocks/includes.
* Fixes maximum recursion depth exceeded with include_role.
* Fix to win_dns_client module to take ordering of DNS servers to
resolve into account.
* Fix for the nxos_banner module where some nxos images nest the
output inside of an additional dict.
* Fix failure message 'got multiple values for keyword argument
id' in the azure_rm_securitygroup module (caused by changes to
the azure python API).
* Bump Azure storage client minimum to 1.5.0 to fix
deserialization issues.
This will break Azure Stack until it receives storage API
version 2017-10-01 or changes are made to support multiple
versions.
* Flush stdin when passing the become password. Fixes some cases
of timeout on Python 3 with the ssh connection plugin.
update to version v2.4.2.0:
* lock azure containerservice to below 2.0.0
* ovirt_host_networks: Fix label assignment
* Fix vault --ask-vault-pass with no tty (#31493)
* cherry-pick changes of azure_rm_common from devel to 2.4 (#32607)
* Fixes #31090. In network parse_cli filter plugin, this change moves the creation of a (#31092) (#32458)
* Use an abspath for network inventory ssh key path.
* Remove toLower on source (#31983)
* Add k8s_common.py logging fixes to the changelog
* inserts enable cmd hash with auth_pass used (#32107)
* Fix exception upon display.warn() (#31876)
* ios_system: Fix typo in unit test (#32284)
* yum: use the C locale when screen scraping (#32203)
* Use region derived from get_aws_connection_info() in dynamodb_table to fix tagging bug (#32557)
* fix item var in delegation (#32986)
* Add changelog entry for elb_application_lb fix
* Add a validate example to blockinfile. (#32088)
* Correct formatting --arguments (#31808)
* Add changelog for URI/get_url fix
* [cloud] Bugfix for aws_s3 empty directory creation (#32198)
* Fix junos integration test fixes as per connection refactor (#33050) (#33055)
* Update win_copy for #32677 (#32682)
* ios_interface testfix (#32381)
* Add proper check mode support to the script module (#31852)
* Add galaxy --force fix to changelog
* Fix non-ascii errors in config manager
* Add python3 urllib fixes to changelog
* Add changelog entry for the stdin py3 fix
* Update version info for the 2.4.2 release
* Add max_fail_percentage fix to changelog
* Changelog entry for script inventory plugin fix.
* Make RPM spec compatible with RHEL 6 (#31653)
* Add changelog entry for the yum locale fix
* Use vyos/1.1.8 in CI.
* Fix patching to epel package
* Pass proper error value to to_text (#33030)
* Fix and re-enable zypper* integration tests in CI.
* avoid chroot paths (#32778)
* Add changelog entry for inventory nonascii paths fix
* Fix ios_config integration test failures (#32959) (#32970)
* Fix ios_config file prompt issue (#32744) (#32780)
* Mdd module unit test docs (#31373)
* dont add all group vars to implicit on create
* Fix nxos_banner removal idempotence issue in N1 images (#31259)
* Clarify the release and maintenance cycle (#32402)
* Add ansible_distribution_major_version to macOS (#31708)
* Docs (#32718)
* Keep newlines when reading LXC container config file (#32219)
* Updated changelog for vmware logon error handling
* New release v2.4.2.0-0.2.beta2
* added doc notes about vars plugins in precedence
* revert module_utils/nxos change from #32846 (#32956)
* [cloud] add boto3 requirement to `cloudformation` module docs (#31135)
* Fixes #31056 (#31057)
* - Fix logging module issue where facility is being deleted along with host (#32234)
* Get the moid in a more failsafe manner (#32671)
* Integration Tests only: add static route, snmp_user, snapshot and hsrp it cases (#28933)
* Add the change to when we escape backslashes (for the template lookup plugin) to changelog
* correctly deal with changed (#31812)
* Add the template lookup escaping to the 2.4 porting guide (#32760)
* tests for InventoryModule error conditions (#31381)
* Disable pylint rules for stable-2.4.
* fix typo
* Enable TLS1.1 and TLS1.2 for win_package (#32184)
* Add remove host fix to changelog
* ios_interface provider issue testfix (#32335)
* win_service: quoted path fix (#32469)
* Add changes to succeeded/failed tests to the 2.4 porting guide (#33201)
* Run OS X tests in 3 groups in CI.
* ini inventory: document value parsing workaround
* Change netconf port in testcase as per test enviornment (#32883) (#32889)
* fix inventory loading for ansible-doc
* jsonify inventory (#32990)
* firewalld: don't reference undefined variable in error case (#31949)
* change ports to non well known ports and drop time_range for N1 (#31261)
* make vars only group declarations an error
* Add changelog for os_floating_ip fix
* Fix example on comparing master config (#32406)
* py2/py3 safer shas on hostvars (#31788)
* ensure we always have a basedir
* Add missing ansible-test --remote-terminate support. (#32918)
* Use show command to support wider platform set for nxos_interface module (#33037)
* ios_logging: change IOS command pipe to section to include (#33100) (#33116)
* win_find: allow module to skip on files it fails to check (#32105)
* New release v2.4.2.0-0.4.beta4
* multiple nxos fixes (#32905)
* Add changelog entry for git archive fix
* Add changelog entries for a myriad of 2.4.2 bugfixes
* iosxr integration testfix (#32344)
* Fix #31694: running with closed stdin on python 3 (#31695)
* Add eos_user fix to changelog
* updated changelog with win_find fix
* Added urls python3 fix to changelog
* [cloud] Support changeset_name parameter on CloudFormation stack create (#31436)
* use configured ansible_shell_executable
* New release v2.4.2.0-0.3.beta3
* Fix ec2_lc failing to create multi-volume configurations (#32191)
* Changelog win_package TLS fix
* Fix wrong prompt issue for network modules (#32426) (#32442)
* New release v2.4.2.0-0.1.beta1
* Exclude stack policy when running in check mode.
* change inventory_hostname to ansible_host to fix test (#32890) (#32891)
* Add azure_rm_acs check mode fix
* Updated changelog for win_copy fix
* corrected package docs
* make sure patterns are strings
* Add more bugfixes to changelog
* Fix junos netconf port issue in integration test (#32610) (#32668)
* fixed .loads error for non decoded json in Python 3 (#32065)
* nxos_config and nxos_facts - fixes for N35 platform. (#32762) (#32875)
* Add changelog entry for #32219
* Remove provider from ios integration test (#31037) (#32230)
* added note about serial behaviour (#32461)
* Fixes ios_logging unit test (#32240)
* Avoid AttributeError: internal_network on os_floating_ip (#32887)
* use to_str instead of json.dumps when serializing k8s object for logging
* Prefer the stdlib SSLContext over urllib3 context
* git: fix archive when update is set to no (#31829)
* Add elb_target_group port fix to the changelog
* Changelog entry for aws_s3 issue #32144
* Add error handling for user login (#32613)
* Move asa provider to suboptions (#32356)
* fix dci failure nxos (#32877) (#32878)
* Add inventory jsonification to the changelog
* eos_eapi: adding the desired state config to the new vrf fixes #32111 (#32112) (#32452)
* Handle ip name-server lines containing multiple nameservers (#32235) (#32373)
* Remove provider from prepare_ios_tests integration test (#31038)
* Add last minute bugfixes and doc updates for rc1
* Fix snmp bugs on Nexus 3500 platform (#32773) (#32847)
* validate that existing dest is valid directory
* Update the release data for 2.4.1 in the changelog
* add check mode for acs delete (#32063)
* More fixes added to changelog
* Add wait_for fix to the changelog
* removed psobject to hashtables that were missed (#32710)
* wait_for: treat broken connections as 'unready' (#28839)
* Return all elements in a more robust way
* fix ios_interface test (#32372)
* Add missing packages to default docker image.
* fix nxos_igmp_snooping (#31688)
* - Fix to return error message back to the module. (#31035)
* Ensure that readonly result members are serialized (#33170)
* Keywords docs (#32807)
* remove hosts from removed when rescuing
* Add panos_security_rule docs typo fix to changelog
* Update vyos completion in network.txt.
* move to use ansible logging
* ovirt_clusters: Fix fencing and kuma comparision
* Documentation typo fixes (#32473)
* [fix] issue #30516 : take care about autoremove in upgrade function
* Enable ECHO in prompt module (#32083)
* calculate max fail against all hosts in batch
* Fix urlparse import for Python3 (#31240)
* Bunch of changelog updates for cherry-picks
* restore hostpattern regex/glob behaviour
* Better handling of malformed vault data envelope (#32515)
* Updated changelog regarding win_service quoted path fix
* nxos_interface error handling (#32846)
* An availability zone will be selected if none is provided. Set az to an empty string if it's None to avoid traceback. (#32216)
* Use to_native when validating proxy result (#32596)
* vmware_guest: refactor spec serialization (#32681)
* Add new default Docker container for ansible-test. (#31944)
* warn on bad keys in group
* NXOS: Integration tests to Ansible (part 3) (#29030)
* Add spec file fix to changelog
* eos_user testfix (#32264)
* iam.py: return iam.role dict when creating roles (#28964)
* Add networking bug fixes to changelog (#32201)
* [cloud] sns_topic: Fix unreferenced variable
* Fix service_mgr fact collection (#32086)
* Fix include_role unit tests (#31920)
* Updated changelog for win_iis_* modules things
* handle ignore_errors in loop
* adjust nohome param when using luser
* better cleanup on task results display (#27175)
* Improve python 2/3 ABC fallback for pylint. (#31848)
* fix html formatting
* Add ansible_shell_executable fix to changelog
* Move resource pool login to a separate function and fix undefined var reference (#32674)
* Update ansible-test sanity command. (#31958)
* ios_ping test fix (#32342)
* fix CI failure yaml syntax (#32374)
* Scan group_vars/host_vars in sorted order
* luseradd defaults to creating w/o need for -m (#32411)
* Integration Tests only: nxos_udld, nxos_udld_interface, nxos_vxlan_vtep_vni (#29143) (#32962)
* Fix: modifying existing application lb using certificates now properly sets certificates (#28217)
* ios_logging: Fix some smaller issues, add unit test (#32321)
* Fix nxos_snmp_host bug (#32916) (#32958)
* ovirt_hosts: Don't fail upgrade when NON_RESPONSIVE state
* ini plugin should recursively instantiate pending
* eos_user: sends user secret first on user creation fixes #31680 (#32162)
* Cast target port to an int in elb_target_group. Fixes #32098 (#32202)
* New release v2.4.2.0-0.5.rc1
* remove misleading group vars as they are flat (#32276)
* Fix typo
* Avoid default inventory proccessing for pull (#32135)
* Fix ansible-test default image. (#31966)
* removed superfluous `type` field from RecordSet constructor (#33167)
* Update k8s_common.py
* Add ios_logging fixes to changelog 2.4.2beta2 (#32447)
* Revert 'Removed a force conditional (#28851)' (#32282)
* Add new documentation on writing unittests to the changelog
* Fix ansible-test race calling get_coverage_path.
* New release v2.4.2.0-1
- update to 2.3.2.0 (final) - bsc#1059235
- update to 2.3.1 RC1 (package version 2.3.0.1) (bsc#1056094):
as 'unsafe'. bsc#1038785
* SECURITY (MODERATE): fix for CVE-2017-7466, which finally fixes
an arbitrary command execution vulnerability
- security update to rc4 of 2.2.1.0 version CVE-2016-9587,
CVE-2016-8628, CVE-2016-8614, CVE-2016-8647, CVE-2016-9587
(bsc#1008037, bsc#1008038, bsc#1010940, bsc#1019021)
Changes in ardana-ansible:
- Update to version 8.0+git.1596735237.54109b1:
* Update the Swift XFS inode size check (SOC-10300)
- Update to version 8.0+git.1596204601.75b0e4e:
* Fix upgrade validations Keystone V3 check target (SOC-10300)
Changes in ardana-cinder:
- Update to version 8.0+git.1596129856.263f430:
* Install python-swiftclient as cinder-backup dependency (SOC-11364)
Changes in ardana-glance:
- Update to version 8.0+git.1593631779.76fa9b7:
* Idempotent cirros image upload to glance (SOC-11342)
Changes in ardana-mq:
- Update to version 8.0+git.1593618123.678c32b:
* Ensure epmd.service started/stopped independent of rabbitmq (SOC-6780)
Changes in ardana-nova:
- Update to version 8.0+git.1601298847.dd01585:
* restore ram_weight_multiplier to default (bsc#1123561)
* enable all weigher classes by default (bsc#1123561)
- Update to version 8.0+git.1595857666.cf6b4a9:
* Correction for (bsc#1174242)
- Update to version 8.0+git.1595356665.56726ed:
* Disable nova-consoleauth monasca process check (bsc#1174242)
Changes in ardana-osconfig:
- Update to version 8.0+git.1595885113.93abcbc:
* Enable SLE12 SP3 LTSS for SMT deployments (SOC-11223)
Changes in crowbar-core:
- Update to version 5.0+git.1600432272.b3ad722f0:
* provisioner: check for client_user (SOC-11389)
* upgrade: Allow transition from crowbar_upgrade to reboot (trivial)
- Update to version 5.0+git.1600352887.1e23b8015:
* Ignore CVE-2020-15169 (SOC-11391)
- Update to version 5.0+git.1594898401.caf0b325c:
* crowbar: Also add access to /restricted/ in SSL vhost (SOC-11352)
- Update to version 5.0+git.1593779118.8362c57e5:
* crowbar: Allow hardware-installing -> discovering transition (noref)
* crowbar: Add Restricted controller with API for restricted clients (bsc#1117080)
* crowbar: Add complete list of states to Crowbar::State (noref)
* provisioner: Remove the need for /updates/parse_node_data (noref)
* crowbar: Create helper module to validate states (noref)
* provisioner: Use new restricted API (bsc#1117080)
* provisioner: Do not read /etc/crowbar.install.key from crowbar_joi (bsc#1117080)
* provisioner: Remove use of privileged user for Windows machine (bsc#1117080)
* provisioner: Use restricted client during provisioning (bsc#1117080)
* provisioner: Use restricted client for crowbar_register (bsc#1117080)
* provisioner: Drop /etc/crowbar.install.key bits from autoyast prof (bsc#1117080)
* Avoid hardcoding machine-install user (bsc#1117080)
* crowbar: Restrict admin access (bsc#1117080)
Changes in crowbar-openstack:
- Update to version 5.0+git.1599037158.5c4d07480:
* horizon: Update configuration for Grafana 5.x
Changes in documentation-suse-openstack-cloud:
- Update to version 8.20201007:
* reveresed step8 and 9 in PTF installation (SOC-10616)
* Modified the PTF install instructions as per the (SOC-10616)
- Update to version 8.20200904:
* Clarify reboot instructions during update workflow (SOC-11386)
- Update to version 8.20200921:
* replacd postgreSQL to MariaDB as per comments4 and 5 in ticket (SOC-11000)
- Update to version 8.20200424:
* Update ESX documentation for DVS creation (bsc#1142121)
* Fix table issues
Changes in grafana:
- BuildRequire go1.14 explicitly
- Add recompress source service
- Add go_modules source service to create vendor.tar.gz
containing 3rd party go modules.
- Adjust spec to work for Grafana-6.7.4
- Adjust Makefile to work for Grafana-6.7.4
- Remove CVE-2019-15043.patch (merged upstream)
- Remove CVE-2020-13379.patch (merged upstream)
- Remove 0001-fix-XSS-vulnerabilities-in-dashboard-links.patch (merged upstream)
- Remove 0002-CVE-2020-12052-bsc1170657-XSS-annotation-popup-vulnerability.patch
(merged upstream)
- Remove systemd-notification.patch (merged upstream)
- Update to version 6.7.4 (bsc#1172450, CVE-2018-18623,
CVE-2018-18624, CVE-2018-18625, bsc#1174583, CVE-2020-11110)
* Security: Urgent security fix for stored XSS
- Update to version 6.7.3
* Admin: Fix Synced via LDAP message for non-LDAP external users. [#23477]
* Alerting: Fix notifications for alerts with empty message in Google
Hangouts notifier. [#23559]
* AuthProxy: Fix bug where long username could not be cached. [#22926]
* Dashboard: Fix saving dashboard when editing raw dashboard JSON model.
[#23314]
* Dashboard: Try to parse 8 and 15 digit numbers as timestamps if parsing of
time range as date fails. [#21694]
* DashboardListPanel: Fix problem with empty panel after going into edit
mode (General folder filter being automatically added) . [#23426]
* Data source: Handle datasource withCredentials option properly. [#23380]
* Security: Fix annotation popup XSS vulnerability [#23813]
* Security: Fix XSS vulnerability in table panel [#23816]
* Server: Exit Grafana with status code 0 if no error. [#23312]
* TablePanel: Fix XSS issue in header column rename (backport). [#23814]
* Variables: Fix error when setting adhoc variable values. [#23580]
- Update to version 6.7.2
* BackendSrv: Adds config to response to fix issue for external plugins that
used this property . [#23032]
* Dashboard: Fix issue with saving new dashboard after changing title .
[#23104]
* DataLinks: make sure we use the correct datapoint when dataset contains
null value.. [#22981]
* Plugins: Fix issue for plugins that imported dateMath util . [#23069]
* Security: Fix for dashboard snapshot original dashboard link could contain
XSS vulnerability in url. [#23254]
* Variables: Fix issue with too many queries being issued for nested
template variables after value change. [#23220]
* Plugins: Expose promiseToDigest. [#23249]
* Reporting: Fix issue updating a report created by someone else
(Enterprise)
- Update to version 6.7.1
* Azure: Fix dropdowns not showing current value. [#22914]
* BackendSrv: only add content-type on POST, PUT requests. [#22910]
* Panels: Fix size issue with panel internal size when exiting panel edit
mode. [#22912]
* Reporting: fixes migrations compatibility with mysql (Enterprise)
* Reporting: Reduce default concurrency limit to 4 (Enterprise)
- Update to version 6.7.0
* AzureMonitor: support workspaces function for template variables. [#22882]
* SQLStore: Add migration for adding index on annotation.alert_id. [#22876]
* TablePanel: Enable new units picker . [#22833]
* AngularPanels: Fix inner height calculation for angular panels. [#22796]
* BackendSrv: makes sure provided headers are correctly recognized and set. [#22778]
* Forms: Fix input suffix position (caret-down in Select) . [#22780]
* Graphite: Fix issue with query editor and next select metric now showing
after selecting metric node [#22856]
* Rich History: UX adjustments and fixes. [#22729]
* Slack: Removed _Mention_ setting and instead introduce _Mention Users_,
_Mention Groups_, and _Mention Channel_.
* Alerting: Reverts the behavior of `diff` and `percent_diff` to not always
be absolute.
* API: Include IP address when logging request error. [#21596]
* Alerting: Support passing tags to Pagerduty and allow notification on
specific event categories [#21335]
* Chore: Remove angular dependency from backendSrv. [#20999]
* CloudWatch: Surround dimension names with double quotes. [#22222]
* CloudWatch: updated metrics and dimensions for Athena, DocDB, and
Route53Resolver. [#22604]
* Cloudwatch: add Usage Metrics. [#22179]
* Dashboard: Adds support for a global minimum dashboard refresh interval.
[#19416]
* DatasourceEditor: Add UI to edit custom HTTP headers. [#17846]
Elastic: To get fields, start with today's index and go backwards. [#22318]
* Explore: Rich history. [#22570]
* Graph: canvas's Stroke is executed after loop. [#22610]
* Graphite: Don't issue empty 'select metric' queries. [#22699]
* Image Rendering: Store render key in remote cache to enable renderer to
callback to public/load balancer URL when running in HA mode. [#22031]
* LDAP: Add fallback to search_base_dns if group_search_base_dns is
undefined [#21263]
* OAuth: Implement Azure AD provide. [#20030]
* Prometheus: Implement region annotation. [#22225]
* Prometheus: make \$\_\_range more precise. [#21722]
* Prometheus: Do not show rate hint when increase function is used in query.
[#21955]
* Stackdriver: Project selector. [#22447]
* TablePanel: display multi-line text. [#20210]
* Templating: Add new global built-in variables. [#21790]
* Reporting: add concurrent render limit to settings (Enterprise)
* Reporting: Add rendering timeout in settings (Enterprise)
* API: Fix redirect issues. [#22285]
* Alerting: Don't include image_url field with Slack message if empty.
[#22372]
* Alerting: Fix bad background color for default notifications in alert tab
. [#22660]
* Annotations: In table panel when setting transform to annotation, they will
now show up right away without a manual refresh. [#22323]
* Azure Monitor: Fix app insights source to allow for new timeFrom and
timeTo. [#21879]
* BackendSrv: Fix POST body for form data. [#21714]
* CloudWatch: Credentials cache invalidation fix. [#22473]
CloudWatch: Expand alias variables when query yields no result [#22695]
* Dashboard: Fix bug with NaN in alerting. [#22053]
* Explore: Fix display of multiline logs in log panel and explore. [#22057]
* Heatmap: Legend color range is incorrect when using custom min/max
[#21748]
* Security: Fix XSS issue in dashboard history diff. [#22680]
* StatPanel: Fix base color being used for null values. [#22646]
- Update to version 6.6.2
* Data proxy: Log proxy errors using Grafana logger. [#22174]
* Metrics: Add gauge for requests currently in flight. [#22168]
* @grafana/ui: Fix displaying of bars in React Graph. [#21968]
* API: Fix redirect issue when configured to use a subpath. [#21652]
* API: Improve recovery middleware when response already been written [#22256]
* Auth: Don't rotate auth token when requests are cancelled by client [#22106]
* Elasticsearch: Fix auto interval for date histogram in explore logs mode. [#21937]
* Image Rendering: Fix PhantomJS compatibility with es2016 node dependencies. [#21677]
* Links: Assure base url when single stat, panel and data links are built. [#21956]
* Loki, Prometheus: Fix PromQL and LogQL syntax highlighting. [#21944]
* OAuth: Enforce auto_assign_org_id setting when role mapping enabled using
Generic OAuth. [#22268]
* Prometheus: Updates explore query editor to prevent it from throwing error
on edit. [#21605]
* Server: Reorder cipher suites for better security. [#22101]
* TimePicker: fixing weird behavior with calendar when switching between
months/years. [#22253]
- Update to version 6.6.1
* Annotations: Change indices and rewrites annotation find query to improve
database query performance. [#21915]
* Azure Monitor: Fix Application Insights API key field to allow input. [#21738]
* BarGauge: Fix so we properly display the 'no result' value when query
returns empty result. [#21791]
* Datasource: Show access (Browser/Server) select on the Prometheus
datasource. [#21833]
* DatasourceSettings: Fix issue navigating away from data source settings
page. [#21841]
* Graph Panel: Fix typo in thresholds form. [#21903]
* Graphite: Fix issue with functions with multiple required params and no
defaults [#21814]
* Image Rendering: Fix render of graph panel legend aligned to the right
using Grafana image renderer plugin/service. [#21854]
* Metrics: Adds back missing summary quantiles. [#21858]
* OpenTSDB: Adds back missing ngInject to make it work again. [#21796]
* Plugins: Fix routing in app plugin pages. [#21847]
* Prometheus: Fix default step value for annotation query. [#21934]
* Quota: Makes LDAP + Quota work for the first login of a new user. [#21949]
* StatPanels: Fix change from singlestat to Gauge / BarGauge / Stat where
default min & max (0, 100) was copied . [#21820]
* TimePicker: Should display in kiosk mode. [#21816]
* grafana/toolkit: Fix failing linter when there were lint issues. [#21849]
- Update to version 6.6.0
* CloudWatch: Add DynamoDB Accelerator (DAX) metrics & dimensions. [#21644]
* CloudWatch: Auto period snap to next higher period. [#21659]
* Template variables: Add error for failed query variable on time range
update. [#21731]
* XSS: Sanitize column link. [#21735]
* Elasticsearch: Fix adhoc variable filtering for logs query. [#21346]
* Explore: Fix colors for log level when level value is capitalised. [#21646]
* Explore: Fix context view in logs, where some rows may have been filtered
out. [#21729]
Loki: Fix Loki with repeated panels and interpolation for Explore. [#21685]
* SQLStore: Fix PostgreSQL failure to create organisation for first time. [#21648]
* PagerDuty: Change `payload.custom_details` field in PagerDuty notification
to be a JSON object instead of a string.
* Security: The `[security]` setting `cookie_samesite` configured to `none`
now renders cookies with `SameSite=None` attribute.
* Graphite: Add Metrictank dashboard to Graphite datasource
* Admin: Show name of user in users table view. [#18108]
* Alerting: Add configurable severity support for PagerDuty notifier. [#19425]
* Alerting: Add more information to webhook notifications. [#20420]
* Alerting: Add support for sending tags in OpsGenie notifier. [#20810]
* Alerting: Added fallbackText to Google Chat notifier. [#21464]
* Alerting: Adds support for sending a single email to all recipients in
email notifier. [#21091]
* Alerting: Enable setting of OpsGenie priority via a tag. [#21298]
* Alerting: Use fully qualified status emoji in Threema notifier. [#21305]
* Alerting: new min_interval_seconds option to enforce a minimum evaluation
frequency. [#21188]
* CloudWatch: Calculate period based on time range. [#21471]
* CloudWatch: Display partial result in graph when max DP/call limit is
reached. [#21533]
* CloudWatch: ECS/ContainerInsights metrics support. [#21125]
* CloudWatch: Upgrade aws-sdk-go. [#20510]
* DataLinks: allow using values from other fields in the same row (cells). [#21478]
* Editor: Ignore closing brace when it was added by editor. [#21172]
* Explore: Context tooltip to copy labels and values from graph. [#21405]
* Explore: Log message line wrapping options for logs. [#20360]
* Forms: introduce RadioButtonGroup. [#20828]
* Frontend: Changes in Redux location should not strip subpath from location
url. [#20161]
* Graph: Add fill gradient option to series override line fill. [#20941]
* Graphite: Add metrictank dashboard to Graphite datasource. [#20776]
* Graphite: Do not change query when opening the query editor and there is no
data. [#21588]
* Gravatar: Use HTTPS by default. [#20964]
* Loki: Support for template variable queries. [#20697]
* NewsPanel: Add news as a builtin panel. [#21128]
* OAuth: Removes send_client_credentials_via_post setting. [#20044]
* OpenTSDB: Adding lookup limit to OpenTSDB datasource settings. [#20647]
* Postgres/MySQL/MSSQL: Adds support for region annotations. [#20752]
* Prometheus: Field to specify step in Explore. [#20195]
* Prometheus: User metrics metadata to inform query hints. [#21304]
* Renderer: Add user-agent to remote rendering service requests. [#20956]
* Security: Add disabled option for cookie samesite attribute. [#21472]
* Stackdriver: Support meta labels. [#21373]
* TablePanel, GraphPanel: Exclude hidden columns from CSV. [#19925]
* Templating: Update variables on location changed. [#21480]
* Tracing: Support configuring Jaeger client from environment. [#21103]
* Units: Add currency and energy units. [#20428]
* Units: Support dynamic count and currency units. [#21279]
* grafana/toolkit: Add option to override webpack config. [#20872]
* grafana/ui: ConfirmModal component. [#20965]
* grafana/ui: Create Tabs component. [#21328]
* grafana/ui: New table component. [#20991]
* grafana/ui: New updated time picker. [#20931]
* White-labeling: Makes it possible to customize the footer and login
background (Enterprise)
* API: Optionally list expired API keys. [#20468]
* Alerting: Fix custom_details to be a JSON object instead of a string in
PagerDuty notifier. [#21150]
* Alerting: Fix image rendering and uploading timeout preventing to send
alert notifications. [#21536]
* Alerting: Fix panic in dingding notifier. [#20378]
* Alerting: Fix template query validation logic. [#20721]
* Alerting: If no permission to clear history, keep the historical data. [#19007]
* Alerting: Unpausing a non-paused alert rule should not change status to
Unknown. [#21375]
* Api: Fix returned message when enabling, disabling and deleting a
non-existing user. [#21391]
* Auth: Rotate auth tokens at the end of requests. [#21347]
* Azure Monitor: Fix error when using azure monitor credentials with log
analytics and non-default cloud. [#21032]
* CLI: Return error and aborts when plugin file extraction fails. [#20849]
* CloudWatch: Multi-valued template variable dimension alias fix. [#21541]
* Dashboard: Disable draggable panels on small devices. [#20629]
* DataLinks: Links with \${\_\_value.time} do not work when clicking on first
result. [#20019]
* Explore: Fix showing of results in selected timezone (UTC/local). [#20812]
* Explore: Fix timepicker when browsing back after switching datasource. [#21454]
* Explore: Sync timepicker and logs after live-tailing stops. [#20979]
* Graph: Fix when clicking a plot on a touch device we won't display the
annotation menu. [#21479]
* OAuth: Fix role mapping from id token. [#20300]
* Plugins: Add appSubUrl string to config pages. [#21414]
* Provisioning: Start provision dashboards after Grafana server have started. [#21564]
* Render: Use https as protocol when rendering if HTTP2 enabled. [#21600]
* Security: Use same cookie settings for all cookies. [#19787]
* Singlestat: Support empty value map texts. [#20952]
* Units: Custom suffix and prefix units can now be specified, for example
custom currency & SI & time formats. [#20763]
* grafana/ui: Do not build grafana/ui in strict mode as it depends on
non-strict libs. [#21319]
- Update to version 6.5.3
* API: Validate redirect_to cookie has valid (Grafana) url. [#21057]
* AdHocFilter: Shows SubMenu when filtering directly from table. [#21017]
* Cloudwatch: Fix crash when switching from cloudwatch data source. [#21376]
* DataLinks: Sanitize data/panel link URLs. [#21140]
* Elastic: Fix multiselect variable interpolation for logs. [#20894]
* Prometheus: allow user to change HTTP Method in config settings. [#21055]
* Prometheus: Prevents validation of inputs when clicking in them without
changing the value. [#21059]
* Rendering: Fix panel PNG rendering when using sub url and
serve_from_sub_path = true. [#21306]
* Table: Matches column names with unescaped regex characters. [#21164]
- Update to version 6.5.2
* Alerting: Improve alert threshold handle dragging behavior. [#20922]
* AngularPanels: Fix loading spinner being stuck in some rare cases. [#20878]
* CloudWatch: Fix query editor does not render in Explore. [#20909]
* CloudWatch: Remove illegal character escaping in inferred expressions. [#20915]
* CloudWatch: Remove template variable error message. [#20864]
* CloudWatch: Use datasource template variable in curated dashboards. [#20917]
* Elasticsearch: Set default port to 9200 in ConfigEditor. [#20948]
* Gauge/BarGauge: Added support for value mapping of 'no data'-state to
text/value. [#20842]
* Graph: Prevent tooltip from being displayed outside of window. [#20874]
* Graphite: Fix error with annotation metric queries. [#20857]
* Login: Fix fatal error when navigating from reset password page. [#20747]
* MixedDatasources: Do not filter out all mixed data sources in add mixed
query dropdown. [#20990]
* Prometheus: Fix caching for default labels request. [#20718]
* Prometheus: Run default labels query only once. [#20898]
* Security: Fix invite link still accessible after completion or revocation. [#20863]
* Server: Fail when unable to create log directory. [#20804]
* TeamPicker: Increase size limit from 10 to 100. [#20882]
* Units: Remove SI prefix symbol from new milli/microSievert(/h) units. [#20650]
- Update to version 6.5.1
* CloudWatch: Region template query fix. [#20661]
* CloudWatch: Fix annotations query editor loading. [#20687]
* Panel: Fix undefined services/dependencies in plugins without
`/@ngInject*/`. [#20696]
* Server: Fix failure to start with 'bind: address already in use' when using
socket as protocol. [#20679]
* Stats: Fix active admins/editors/viewers stats are counted more than once
if the user is part of more than one org. [#20711]
- Update to version 6.5.0
* CloudWatch: Add curated dashboards for most popular amazon services. [#20486]
* CloudWatch: Enable Min time interval. [#20260]
* Explore: UI improvements for log details. [#20485]
* Server: Improve grafana-server diagnostics configuration for profiling and
tracing. [#20593]
* BarGauge/Gauge: Add back missing title option field display options. [#20616]
* CloudWatch: Fix high CPU load. [#20579]
* CloudWatch: Fix high resolution mode without expression. [#20459]
* CloudWatch: Make sure period variable is being interpreted correctly. [#20447]
* CloudWatch: Remove HighResolution toggle since it's not being used. [#20440]
* Cloudwatch: Fix LaunchTime attribute tag bug. [#20237]
* Data links: Fix URL field turns read-only for graph panels. [#20381]
* Explore: Keep logQL filters when selecting labels in log row details. [#20570]
* MySQL: Fix TLS auth settings in config page. [#20501]
* Provisioning: Fix unmarshaling nested jsonData values. [#20399]
* Server: Should fail when server is unable to bind port. [#20409]
* Templating: Prevents crash when \$\_\_searchFilter is not a string. [#20526]
* TextPanel: Fix issue with template variable value not properly html
escaped [#20588]
* TimePicker: Should update after location change. [#20466]
* CloudWatch: use GetMetricsData API for all queries
* CloudWatch: The GetMetricData API does not return metric unit, so unit auto
detection in panels is no longer supported.
* CloudWatch: The `HighRes` switch has been removed from the query editor.
* API: Add `createdAt` and `updatedAt` to api/users/lookup. [#19496]
* API: Add createdAt field to /api/users/:id. [#19475]
* Admin: Adds setting to disable creating initial admin user. [#19505]
* Alerting: Include alert_state in Kafka notifier payload. [#20099]
* AuthProxy: Can now login with auth proxy and get a login token. [#20175]
* AuthProxy: replaces setting ldap_sync_ttl with sync_ttl. [#20191]
* AzureMonitor: Alerting for Azure Application Insights. [#19381]
* Build: Upgrade to Go 1.13. [#19502]
* CLI: Reduce memory usage for plugin installation. [#19639]
* CloudWatch: Add ap-east-1 to hard-coded region lists. [#19523]
* CloudWatch: ContainerInsights metrics support. [#18971]
* CloudWatch: Support dynamic queries using dimension wildcards [#20058]
* CloudWatch: Stop using GetMetricStatistics and use GetMetricData for all
time series requests [#20057]
* CloudWatch: Convert query editor from Angular to React [#19880]
* CloudWatch: Convert config editor from Angular to React [#19881]
* CloudWatch: Improved error handling when throttling occurs [#20348]
* CloudWatch: Deep linking from Grafana panel to CloudWatch console [#20279]
* CloudWatch: Add Grafana user agent to GMD calls [#20277]
* Dashboard: Allows the d-solo route to be used without slug. [#19640]
* Elasticsearch: Adds support for region annotations. [#17602]
* Explore: Add custom DataLinks on datasource level (like tracing links). [#20060]
* Explore: Add functionality to show/hide query row results. [#19794]
* Explore: Synchronise time ranges in split mode. [#19274]
* Explore: UI change for log row details . [#20034]
* Frontend: Migrate DataSource HTTP Settings to React. [#19452]
* Frontend: Show browser not supported notification. [#19904]
* Graph: Added series override option to have hidden series be persisted on
save. [#20124]
* Graphite: Add Metrictank option to settings to view Metrictank request
processing info in new inspect feature. [#20138]
* LDAP: Enable single user sync. [#19446]
* LDAP: Last org admin can login but wont be removed. [#20326]
* LDAP: Support env variable expressions in ldap.toml file. [#20173]
* OAuth: Generic OAuth role mapping support. [#17149]
* Prometheus: Custom query parameters string for Thanos downsampling. [#19121]
* Provisioning: Allow saving of provisioned dashboards. [#19820]
* Security: Minor XSS issue resolved by angularjs upgrade from 1.6.6 ->
1.6.9. [#19849]
* TablePanel: Prevents crash when data contains mixed data formats. [#20202]
* Templating: Introduces \$\_\_searchFilter to Query Variables. [#19858]
* Templating: Made default template variable query editor field a textarea
with automatic height. [#20288]
* Units: Add milli/microSievert, milli/microSievert/h and pixels. [#20144]
* Units: Added mega ampere and watt-hour per kg. [#19922]
* Enterprise: Enterprise without a license behaves like OSS (Enterprise)
* API: Added dashboardId and slug in response to dashboard import api. [#19692]
* API: Fix logging of dynamic listening port. [#19644]
* BarGauge: Fix so that default thresholds not keeps resetting. [#20190]
* CloudWatch: Fix incorrect casing of Redshift dimension entry for service
class and stage. [#19897]
* CloudWatch: Fixing AWS Kafka dimension names. [#19986]
* CloudWatch: Metric math broken when using multi template variables [#18337]
* CloudWatch: Graphs with multiple multi-value dimension variables don't work [#17949]
* CloudWatch: Variables' values surrounded with braces in request sent to AWS [#14451]
* CloudWatch: Cloudwatch Query for a list of instances for which data is
available in the selected time interval [#12784]
* CloudWatch: Dimension's positioning/order should be stored in the json
dashboard [#11062]
* CloudWatch: Batch CloudWatch API call support in backend [#7991]
* ColorPicker: Fix issue with ColorPicker disappearing too quickly. [#20289]
* Datasource: Add custom headers on alerting queries. [#19508]
plugins in alpine. [#20214]
* Elasticsearch: Fix template variables interpolation when redirecting to
Explore. [#20314]
* Elasticsearch: Support rendering in logs panel. [#20229]
* Explore: Expand template variables when redirecting from dashboard panel. [#19582]
* OAuth: Make the login button display name of custom OAuth provider. [#20209]
* ReactPanels: Adds Explore menu item. [#20236]
* Team Sync: Fix URL encode Group IDs for external team sync. [#20280]
- Update to version 6.4.5
* CloudWatch: Fix high CPU load [#20579]
- Update to version 6.4.4
* MySQL: Fix encoding in connection string [#20192]
* DataLinks: Fix blur issues. [#19883]
* LDAP: try all LDAP servers even if one returns a connection error. [#20077]
* LDAP: No longer shows incorrectly matching groups based on role in debug
page. [#20018]
* Singlestat: Fix no data / null value mapping . [#19951]
- Update to version 6.4.3
* Alerting: All notification channels should send even if one fails to send. [#19807]
* AzureMonitor: Fix slate interference with dropdowns. [#19799]
* ContextMenu: make ContextMenu positioning aware of the viewport width. [#19699]
* DataLinks: Fix context menu not showing in singlestat-ish visualisations. [#19809]
* DataLinks: Fix url field not releasing focus. [#19804]
* Datasource: Fix issue where clicking outside of some query editors required
2 clicks. [#19822]
* Panels: Fix default tab for visualizations without Queries Tab. [#19803]
* Singlestat: Fix issue with mapping null to text. [#19689]
* @grafana/toolkit: Don't fail plugin creation when git user.name config is
not set. [#19821]
* @grafana/toolkit: TSLint line number off by 1. [#19782]
- Update to version 6.4.2
* CloudWatch: Changes incorrect dimension wmlid to wlmid . [#19679]
* Grafana Image Renderer: Fix plugin page. [#19664]
* Graph: Fix auto decimals logic for y axis ticks that results in too many
decimals for high values. [#19618]
* Graph: Switching to series mode should re-render graph. [#19623]
* Loki: Fix autocomplete on label values. [#19579]
* Loki: Removes live option for logs panel. [#19533]
* Profile: Fix issue with user profile not showing more than sessions
sessions in some cases. [#19578]
* Prometheus: Always sort results in Panel by query order. [#19597]
* Show SAML login button if SAML is enabled. [#19591]
* SingleStat: Fix $__name postfix/prefix usage. [#19687]
* Table: Proper handling of json data with dataframes. [#19596]
* Units: Fix wrong id for Terabits/sec. [#19611]
- Update to version 6.4.1
* Provisioning: Fix issue where empty nested keys in YAML provisioning
caused server crash, [#19547]
- Update to version 6.4.0
* Build: Upgrade go to 1.12.10. [#19499]
* DataLinks: Suggestions menu improvements. [#19396]
* Explore: Take root_url setting into account when redirecting from dashboard
to explore. [#19447]
* Explore: Update broken link to logql docs. [#19510]
* Logs: Adds Logs Panel as a visualization. [#19504]
* Reporting: Generate and email PDF reports based on Dashboards (Enterprise)
* CLI: Fix version selection for plugin install. [#19498]
* Graph: Fix minor issue with series override color picker and custom color. [#19516]
* Splunk plugin needs to be updated when upgrading from 6.3 to 6.4
* Azure Monitor: Remove support for cross resource queries (#19115)'. [#19346]
* Graphite: Time range expansion reduced from 1 minute to 1 second. [#19246]
* grafana/toolkit: Add plugin creation task. [#19207]
* Alerting: Prevents creating alerts from unsupported queries. [#19250]
* Alerting: Truncate PagerDuty summary when greater than 1024 characters. [#18730]
* Cloudwatch: Fix autocomplete for Gamelift dimensions. [#19146]
* Dashboard: Fix export for sharing when panels use default data source. [#19315]
* Database: Rewrite system statistics query to perform better. [#19178]
* Gauge/BarGauge: Fix issue with [object Object] in titles . [#19217]
* MSSQL: Revert usage of new connectionstring format introduced by #18384. [#19203]
* Multi-LDAP: Do not fail-fast on invalid credentials. [#19261]
* MySQL, Postgres, MSSQL: Fix validating query with template variables in
alert. [#19237]
* MySQL, Postgres: Update raw sql when query builder updates. [#19209]
* MySQL: Limit datasource error details returned from the backend. [#19373]
* Reporting: Created scheduled PDF reports for any dashboard (Enterprise).
* API: Readonly datasources should not be created via the API. [#19006]
* Alerting: Include configured AlertRuleTags in Webhooks notifier. [#18233]
* Annotations: Add annotations support to Loki. [#18949]
* Annotations: Use a single row to represent a region. [#17673]
* Auth: Allow inviting existing users when login form is disabled. [#19048]
* Azure Monitor: Add support for cross resource queries. [#19115]
* CLI: Allow installing custom binary plugins. [#17551]
* Dashboard: Adds Logs Panel (alpha) as visualization option for Dashboards. [#18641]
* Dashboard: Reuse query results between panels . [#16660]
* Dashboard: Set time to to 23:59:59 when setting To time using calendar. [#18595]
* DataLinks: Add DataLinks support to Gauge, BarGauge and stat panel. [#18605]
* DataLinks: Enable access to labels & field names. [#18918]
* DataLinks: Enable multiple data links per panel. [#18434]
* Elasticsearch: allow templating queries to order by doc_count. [#18870]
* Explore: Add throttling when doing live queries. [#19085]
* Explore: Adds ability to go back to dashboard, optionally with query
changes. [#17982]
* Explore: Reduce default time range to last hour. [#18212]
* Gauge/BarGauge: Support decimals for min/max. [#18368]
* Graph: New series override transform constant that renders a single point
as a line across the whole graph. [#19102]
* Image rendering: Add deprecation warning when PhantomJS is used for
rendering images. [#18933]
* InfluxDB: Enable interpolation within ad-hoc filter values. [#18077]
* LDAP: Allow an user to be synchronized against LDAP. [#18976]
* Ldap: Add ldap debug page. [#18759]
* Loki: Remove prefetching of default label values. [#18213]
* Metrics: Add failed alert notifications metric. [#18089]
* OAuth: Support JMES path lookup when retrieving user email. [#14683]
* OAuth: return GitLab groups as a part of user info (enable team sync). [#18388]
* Panels: Add unit for electrical charge - ampere-hour. [#18950]
* Plugin: AzureMonitor - Reapply MetricNamespace support. [#17282]
* Plugins: better warning when plugins fail to load. [#18671]
* Postgres: Add support for scram sha 256 authentication. [#18397]
* RemoteCache: Support SSL with Redis. [#18511]
* SingleStat: The gauge option in now disabled/hidden (unless it's an old
panel with it already enabled) . [#18610]
* Stackdriver: Add extra alignment period options. [#18909]
* Units: Add South African Rand (ZAR) to currencies. [#18893]
* Units: Adding T,P,E,Z,and Y bytes. [#18706]
* Alerting: Notification is sent when state changes from no_data to ok. [#18920]
* Alerting: fix duplicate alert states when the alert fails to save to the
database. [#18216]
* Alerting: fix response popover prompt when add notification channels. [#18967]
* CloudWatch: Fix alerting for queries with Id (using GetMetricData). [#17899]
* Explore: Fix auto completion on label values for Loki. [#18988]
* Explore: Fix crash using back button with a zoomed in graph. [#19122]
* Explore: only run queries in Explore if Graph/Table is shown. [#19000]
* MSSQL: Change connectionstring to URL format to fix using passwords with
semicolon. [#18384]
* MSSQL: Fix memory leak when debug enabled. [#19049]
* Provisioning: Allow escaping literal '$' with '$\$' in configs to avoid
interpolation. [#18045]
* TimePicker: Fix hiding time picker dropdown in FireFox. [#19154]
* Various breaking changes in the annotations HTTP API for region annotations.
- Update to version 6.3.7
* CloudWatch: Fix high CPU load [#20579]
- Update to version 6.3.6
* Metrics: Adds setting for turning off total stats metrics. [#19142]
* Database: Rewrite system statistics query to perform better. [#19178]
* Explore: Fix error when switching from prometheus to loki data sources. [#18599]
- Update to version 6.3.5
* Dashboard: Fix dashboards init failed loading error for dashboards with
panel links that had missing properties. [#18786]
* Editor: Fix issue where only entire lines were being copied. [#18806]
* Explore: Fix query field layout in splitted view for Safari browsers. [#18654]
* LDAP: multildap + ldap integration. [#18588]
* Profile/UserAdmin: Fix for user agent parser crashes grafana-server on
32-bit builds. [#18788]
* Prometheus: Prevents panel editor crash when switching to Prometheus data
source. [#18616]
* Prometheus: Changes brace-insertion behavior to be less annoying. [#18698]
- Update to version 6.3.4
* Annotations: Fix failing annotation query when time series query is
cancelled. [#18532]
* Auth: Do not set SameSite cookie attribute if cookie_samesite is none. [#18462]
* DataLinks: Apply scoped variables to data links correctly. [#18454]
* DataLinks: Respect timezone when displaying datapoint's timestamp in graph
context menu. [#18461]
* DataLinks: Use datapoint timestamp correctly when interpolating variables. [#18459]
* Explore: Fix loading error for empty queries. [#18488]
* Graph: Fix legend issue clicking on series line icon and issue with
horizontal scrollbar being visible on windows. [#18563]
* Graphite: Avoid glob of single-value array variables . [#18420]
* Prometheus: Fix queries with label_replace remove the \$1 match when
loading query editor. [#18480]
* Prometheus: More consistently allows for multi-line queries in editor. [#18362]
* TimeSeries: Assume values are all numbers. [#18540]
- Update to version 6.3.2
* Gauge/BarGauge: Fix issue with lost thresholds and an issue loading Gauge
with avg stat. [#18375]
- Update to version 6.3.1
* PanelLinks: Fix crash issue with Gauge & Bar Gauge panels with panel links
(drill down links). [#18430]
- Update to version 6.3.0
* OAuth: Do not set SameSite OAuth cookie if cookie_samesite is None. [#18392]
* PanelLinks: Fix render issue when there is no panel description. [#18408]
* Auth Proxy: Include additional headers as part of the cache key. [#18298]
* OAuth: Fix 'missing saved state' OAuth login failure due to SameSite cookie
policy. [#18332]
* cli: fix for recognizing when in dev mode.. [#18334]
* Build grafana images consistently. [#18224]
* Docs: SAML. [#18069]
* Permissions: Show plugins in nav for non admin users but hide plugin
configuration. [#18234]
* TimePicker: Increase max height of quick range dropdown. [#18247]
* DataLinks: Fix incorrect interpolation of \${\_\_series_name} . [#18251]
* Loki: Display live tailed logs in correct order in Explore. [#18031]
* PhantomJS: Fix rendering on Debian Buster. [#18162]
* TimePicker: Fix style issue for custom range popover. [#18244]
* Timerange: Fix a bug where custom time ranges didn't respect UTC. [#18248]
* remote_cache: Fix redis connstr parsing. [#18204]
* Alerting: Add tags to alert rules. [#10989]
* Alerting: Attempt to send email notifications to all given email addresses. [#16881]
* Alerting: Improve alert rule testing. [#16286]
* Alerting: Support for configuring content field for Discord alert notifier. [#17017]
* Alertmanager: Replace illegal chars with underscore in label names. [#17002]
* Auth: Allow expiration of API keys. [#17678]
* Auth: Return device, os and browser when listing user auth tokens in HTTP
API. [#17504]
* Auth: Support list and revoke of user auth tokens in UI. [#17434]
* AzureMonitor: change clashing built-in Grafana variables/macro names for
Azure Logs. [#17140]
* CloudWatch: Made region visible for AWS Cloudwatch Expressions. [#17243]
* Cloudwatch: Add AWS DocDB metrics. [#17241]
* Dashboard: Use timezone dashboard setting when exporting to CSV. [#18002]
* Data links. [#17267]
* Elasticsearch: Support for visualizing logs in Explore . [#17605]
* Explore: Adds Live option for supported data sources. [#17062]
* Explore: Adds orgId to URL for sharing purposes. [#17895]
* Explore: Adds support for new loki 'start' and 'end' params for labels
endpoint. [#17512]
* Explore: Adds support for toggling raw query mode in explore. [#17870]
* Explore: Allow switching between metrics and logs . [#16959]
* Explore: Combines the timestamp and local time columns into one. [#17775]
* Explore: Display log lines context . [#17097]
* Explore: Don't parse log levels if provided by field or label. [#17180]
* Explore: Improves performance of Logs element by limiting re-rendering. [#17685]
* Explore: Support for new LogQL filtering syntax. [#16674]
* Explore: Use new TimePicker from Grafana/UI. [#17793]
* Explore: handle newlines in LogRow Highlighter. [#17425]
* Graph: Added new fill gradient option. [#17528]
* GraphPanel: Don't sort series when legend table & sort column is not
visible. [#17095]
* InfluxDB: Support for visualizing logs in Explore. [#17450]
* Logging: Login and Logout actions (#17760). [#17883]
* Logging: Move log package to pkg/infra. [#17023]
* Metrics: Expose stats about roles as metrics. [#17469]
* MySQL/Postgres/MSSQL: Add parsing for day, weeks and year intervals in
macros. [#13086]
* MySQL: Add support for periodically reloading client certs. [#14892]
* Plugins: replace dataFormats list with skipDataQuery flag in plugin.json. [#16984]
* Prometheus: Take timezone into account for step alignment. [#17477]
* Prometheus: Use overridden panel range for \$\_\_range instead of dashboard
range. [#17352]
* Prometheus: added time range filter to series labels query. [#16851]
* Provisioning: Support folder that doesn't exist yet in dashboard
provisioning. [#17407]
* Refresh picker: Handle empty intervals. [#17585]
* Singlestat: Add y min/max config to singlestat sparklines. [#17527]
* Snapshot: use given key and deleteKey. [#16876]
* Templating: Correctly display __text in multi-value variable after page
reload. [#17840]
* Templating: Support selecting all filtered values of a multi-value
variable. [#16873]
* Tracing: allow propagation with Zipkin headers. [#17009]
* Users: Disable users removed from LDAP. [#16820]
* SAML: Add SAML as an authentication option (Enterprise)
* AddPanel: Fix issue when removing moved add panel widget . [#17659]
* CLI: Fix encrypt-datasource-passwords fails with sql error. [#18014]
* Elasticsearch: Fix default max concurrent shard requests. [#17770]
* Explore: Fix browsing back to dashboard panel. [#17061]
* Explore: Fix filter by series level in logs graph. [#17798]
* Explore: Fix issues when loading and both graph/table are collapsed. [#17113]
* Explore: Fix selection/copy of log lines. [#17121]
* Fix: Wrap value of multi variable in array when coming from URL. [#16992]
* Frontend: Fix for Json tree component not working. [#17608]
* Graphite: Fix for issue with alias function being moved last. [#17791]
* Graphite: Fix issue with seriesByTag & function with variable param. [#17795]
* Graphite: use POST for /metrics/find requests. [#17814]
* HTTP Server: Serve Grafana with a custom URL path prefix. [#17048]
* InfluxDB: Fix single quotes are not escaped in label value filters. [#17398]
* Prometheus: Correctly escape '|' literals in interpolated PromQL variables. [#16932]
* Prometheus: Fix when adding label for metrics which contains colons in
Explore. [#16760]
* SinglestatPanel: Remove background color when value turns null. [#17552]
- Update to version 6.2.5
* Grafana-CLI: Wrapper for `grafana-cli` within RPM/DEB packages and
config/homepath are now global flags. [#17695]
* Panel: Fully escape html in drilldown links (was only sanitized before). [#17731]
* Config: Fix connectionstring for remote_cache in defaults.ini. [#17675]
* Elasticsearch: Fix empty query (via template variable) should be sent as
wildcard. [#17488]
* HTTP-Server: Fix Strict-Transport-Security header. [#17644]
* TablePanel: fix annotations display. [#17646]
- Update to version 6.2.4
* Grafana-CLI: Fix receiving flags via command line . [#17617]
* HTTPServer: Fix X-XSS-Protection header formatting. [#17620]
- Update to version 6.2.3
* AuthProxy: Optimistic lock pattern for remote cache Set. [#17485]
* HTTPServer: Options for returning new headers X-Content-Type-Options,
X-XSS-Protection and Strict-Transport-Security. [#17522]
* Auth Proxy: Fix non-negative cache TTL. [#17495]
* Grafana-CLI: Fix receiving configuration flags from the command line. [#17606]
* OAuth: Fix for wrong user token updated on OAuth refresh in DS proxy. [#17541]
* remote_cache: Fix redis. [#17483]
- Update to version 6.2.2
* Security: Prevent CSV formula injection attack when exporting data. [#17363]
* CloudWatch: Fix error when hiding/disabling queries. [#17283]
* Database: Fix slow permission query in folder/dashboard search. [#17427]
* Explore: Fix updating time range before running queries. [#17349]
* Plugins: Fix plugin config page navigation when using subpath. [#17364]
- Update to version 6.2.1
* CLI: Add command to migrate all data sources to use encrypted password fields . [#17118]
* Gauge/BarGauge: Improvements to auto value font size . [#17292]
* Auth Proxy: Resolve database is locked errors. [#17274]
* Database: Retry transaction if sqlite returns database is locked error. [#17276]
* Explore: Fix filtering query by clicked value when a Prometheus Table is
clicked. [#17083]
* Singlestat: Fix issue with value placement and line wraps. [#17249]
* Tech: Update jQuery to 3.4.1 to fix issue on iOS 10 based browsers as well
as Chrome 53.x. [#17290]
- Update to version 6.2.0
* BarGauge: Fix for negative min values. [#17192]
* Gauge/BarGauge: Fix for issues editing min & max options. [#17174]
* Search: Make only folder name only open search with current folder filter. [#17226]
* AzureMonitor: Revert to clearing chained dropdowns. [#17212]
* Data source plugins that process hidden queries need to add a
'hiddenQueries: true' attribute in plugin.json. [#17124]
* Plugins: Support templated urls in plugin routes. [#16599]
* Packaging: New MSI windows installer package\*\*. [#17073]
* Dashboard: Fix blank dashboard after window resize with panel without
title. [#16942]
* Dashboard: Fix lazy loading & expanding collapsed rows on mobile. [#17055]
* Dashboard: Fix scrolling issues for Edge browser. [#17033]
* Dashboard: Show refresh button in first kiosk(tv) mode. [#17032]
* Explore: Fix empty result from data source should render logs container. [#16999]
* Explore: Filter query by clicked value when clicking in a Prometheus Table [#17083]
* Explore: Makes it possible to zoom in Explore/Loki/Graph without exception. [#16991]
* Gauge: Fix orientation issue after switching from BarGauge to Gauge. [#17064]
* GettingStarted: Fix layout issues in getting started panel. [#16941]
* InfluxDB: Fix HTTP method should default to GET. [#16949]
* Panels: Fix alert icon position in panel header. [#17070]
* Panels: Fix panel error tooltip not showing. [#16993]
* Plugins: Fix how datemath utils are exposed to plugins. [#16976]
* Singlestat: fixed centering issue for very small panels. [#16944]
* Search: Scroll issue in dashboard search in latest Chrome. [#17054]
* Gauge: Adds background shade to gauge track and improves height usage. [#17019]
* RemoteCache: Avoid race condition in Set causing error on insert. . [#17082]
* Admin: Add more stats about roles. [#16667]
* Alert list panel: Support variables in filters. [#16892]
* Alerting: Adjust label for send on all alerts to default . [#16554]
* Alerting: Makes timeouts and retries configurable. [#16259]
* Alerting: No notification when going from no data to pending. [#16905]
* Alerting: Pushover alert, support for different sound for OK. [#16525]
* Auth: Enable retries and transaction for some db calls for auth tokens. [#16785]
* AzureMonitor: Adds support for multiple subscriptions per data source. [#16922]
* Bar Gauge: New multi series enabled gauge like panel with horizontal and
vertical layouts and 3 display modes. [#16918]
* Build: Upgrades to golang 1.12.4. [#16545]
* CloudWatch: Update AWS/IoT metric and dimensions. [#16337]
* Config: Show user-friendly error message instead of stack trace. [#16564]
* Dashboard: Enable filtering dashboards in search by current folder. [#16790]
* Dashboard: Lazy load out of view panels . [#15554]
* DataProxy: Restore Set-Cookie header after proxy request. [#16838]
* Data Sources: Add pattern validation for time input on data source config
pages. [#16837]
* Elasticsearch: Add 7.x version support. [#16646]
* Explore: Adds reconnect for failing data source. [#16226]
* Explore: Support user timezone. [#16469]
* InfluxDB: Add support for POST HTTP verb. [#16690]
* Loki: Search is now case insensitive. [#15948]
* OAuth: Update jwt regexp to include `=`. [#16521]
* Panels: No title will no longer make panel header take up space. [#16884]
* Prometheus: Adds tracing headers for Prometheus datasource. [#16724]
* Provisioning: Add API endpoint to reload provisioning configs. [#16579]
* Provisioning: Do not allow deletion of provisioned dashboards. [#16211]
* Provisioning: Interpolate env vars in provisioning files. [#16499]
* Provisioning: Support FolderUid in Dashboard Provisioning Config. [#16559]
* Security: Add new setting allow_embedding. [#16853]
* Security: Store data source passwords encrypted in secureJsonData. [#16175]
* UX: Improve Grafana usage for smaller screens. [#16783]
* Units: Add angle units, Arc Minutes and Seconds. [#16271]
* CloudWatch: Fix query order not affecting series ordering & color. [#16408]
* CloudWatch: Use default alias if there is no alias for metrics. [#16732]
* Config: Fix bug where timeouts for alerting was not parsed correctly. [#16784]
* Elasticsearch: Fix view percentiles metric in table without date histogram. [#15686]
* Explore: Prevents histogram loading from killing Prometheus instance. [#16768]
* Graph: Allow override decimals to fully override. [#16414]
* Mixed Data Source: Fix error when one query is disabled. [#16409]
* Search: Fix search limits and add a page parameter. [#16458]
* Security: Responses from backend should not be cached. [#16848]
* Gauge Panel: The suffix / prefix options have been removed from the new
Gauge Panel (introduced in v6.0). [#16870]
- Update to version 6.1.6
* Security: Bump jQuery to 3.4.0 . [#16761]
* Playlist: Fix loading dashboards by tag. [#16727]
- Update to version 6.1.4
* DataPanel: Added missing built-in interval variables to scopedVars. [#16556]
* Explore: Adds maxDataPoints to data source query options . [#16513]
* Explore: Recalculate intervals on run query. [#16510]
* Heatmap: Fix for empty graph when panel is too narrow (#16378). [#16460]
* Heatmap: Fix auto decimals when bucket name is not number. [#16609]
* QueryInspector: Now shows error responses again. [#16514]
- Update to version 6.1.3
* Graph: Fix auto decimals in legend values for some units like `ms` and
`s`. [#16455]
* Graph: Fix png rendering with legend to the right. [#16463]
* Singlestat: Use decimals when manually specified. [#16451]
* Fix broken UI switches: Default Data Source switch, Explore Logs switches,
Gauge option switches. [#16303]
- Update to version 6.1.2
* Graph: Fix series legend color for hidden series. [#16438]
* Graph: Fix tooltip highlight on white theme. [#16429]
* Styles: Fix menu hover highlight border. [#16431]
* Singlestat Panel: Correctly use the override decimals. [#16413]
- Update to version 6.1.1
* Graphite: Editing graphite query function now works again. [#16390]
* Playlist: Kiosk & auto fit panels modes are working normally again . [#16403]
* QueryEditors: Toggle edit mode now always work on slower computers. [#16394]
- Update to version 6.1.0
* CloudWatch: Fix for dimension value list when changing dimension key. [#16356]
* Graphite: Editing function arguments now works again. [#16297]
* InfluxDB: Fix tag names with periods in alert evaluation. [#16255]
* PngRendering: Fix for panel height & title centering . [#16351]
* Templating: Fix for editing query variables. [#16299]
* Prometheus: adhoc filter support [#8253]
* Permissions: Editors can become admin for dashboards, folders and teams
they create. [#15977]
* Alerting: Don't include non-existing image in MS Teams notifications. [#16116]
* Api: Invalid org invite code [#10506]
* Annotations: Fix for native annotations filtered by template variable with
pipe. [#15515]
* Dashboard: Fix for time regions spanning across midnight. [#16201]
* Data Source: Handles nil jsondata field gracefully [#14239]
* Data Source: Empty user/password was not updated when updating data sources [#15608]
* Elasticsearch: Fix using template variables in the alias field. [#16229]
* Elasticsearch: Fix incorrect index pattern padding in alerting queries. [#15892]
* Explore: Fix for Prometheus autocomplete not working in Firefox. [#16192]
* Explore: Fix for url does not keep query after browser refresh. [#16189]
* Gauge: Interpolate scoped variables in repeated gauges [#15739]
* Graphite: Fix issue with using series ref and series by tag. [#16111]
* Graphite: Fix variable quoting when variable value is numeric. [#16149]
* Heatmap: Fix Y-axis tick labels being in wrong order for some Prometheus
queries. [#15932]
* Heatmap: Negative values are now displayed correctly in graph & legend. [#15953]
* Heatmap: legend shows wrong colors for small values [#14019]
* InfluxDB: Always close request body even for error status codes. [#16207]
* ManageDashboards: Fix for checkboxes not appearing properly Firefox . [#15981]
* Playlist: Leaving playlist now always stops playlist . [#15791]
* Prometheus: fixes regex ad-hoc filters variables with wildcards. [#16234]
* TablePanel: Column color style now works even after removing columns. [#16227]
* TablePanel: Fix for white text on white background when value is null. [#16199]
- Update to version 6.0.2
* Alerting: Fix issue with AlertList panel links resulting in panel not
found errors. [#15975]
* Dashboard: Improved error handling when rendering dashboard panels. [#15970]
* LDAP: Fix allow anonymous server bind for ldap search. [#15872]
* Discord: Fix discord notifier so it doesn't crash when there are no image
generated. [#15833]
* Panel Edit: Prevent search in VizPicker from stealing focus. [#15802]
* Data Source admin: Fix url of back button in data source edit page, when
root_url configured. [#15759]
- Update to version 6.0.1
* Metrics: Fix broken usagestats metrics for /metrics [#15651]
* Dashboard: append &kiosk to the url in Kiosk mode [#15765]
* Dashboard: respect header in kiosk=tv mode with autofitpanels [#15650]
* Image rendering: Fix image rendering issue for dashboards with auto
refresh. [#15818]
* Dashboard: Fix only users that can edit a dashboard should be able to
update panel json. [#15805]
* LDAP: fix allow anonymous initial bind for ldap search. [#15803]
* UX: ixed scrollbar not visible initially (only after manual scroll). [#15798]
* Data Source admin TestData [#15793]
* Dashboard: Fix scrolling issue that caused scroll to be locked to bottom. [#15792]
* Explore: Viewers with viewers_can_edit should be able to access /explore. [#15787]
* Security fix: limit access to org admin and alerting pages. [#15761]
* Panel Edit minInterval changes did not persist [#15757]
* Teams: Fix bug when getting teams for user. [#15595]
* Stackdriver: fix for float64 bounds for distribution metrics [#14509]
* Stackdriver: no reducers available for distribution type [#15179]
- Update to version 6.0.0
* Dashboard: fixes click after scroll in series override menu [#15621]
* MySQL: fix mysql query using \_interval_ms variable throws error [#14507]
* Influxdb: Add support for alerting on InfluxDB queries that use the
non_negative_difference function [#15415]
* Alerting: Fix percent_diff calculation when points are nulls [#15443]
* Alerting: Fix handling of alert urls with true flags [#15454]
* AzureMonitor: Enable alerting by converting Azure Monitor API to Go [#14623]
* Security: Fix CSRF Token validation for POSTs [#1441]
* Internal Metrics Edition has been added to the build_info metric. This will
break any Graphite queries using this metric. Edition will be a new label
for the Prometheus metric. [#15363]
* Gauge: Fix issue with gauge requests being cancelled [#15366]
* Gauge: Accept decimal inputs for thresholds [#15372]
* UI: Fix error caused by named colors that are not part of named colors
palette [#15373]
* Search: Bug pressing special regexp chars in input fields [#12972]
* Permissions: No need to have edit permissions to be able to 'Save as' [#13066]
* Alerting: Adds support for Google Hangouts Chat notifications [#11221]
* Elasticsearch: Support bucket script pipeline aggregations [#5968]
* Influxdb: Add support for time zone (`tz`) clause [#10322]
* Snapshots: Enable deletion of public snapshot [#14109]
* Provisioning: Provisioning support for alert notifiers [#10487]
* Explore: A whole new way to do ad-hoc metric queries and exploration. Split
view in half and compare metrics & logs.
* Auth: Replace remember me cookie solution for Grafana's builtin, LDAP and
OAuth authentication with a solution based on short-lived tokens [#15303]
* Search: Fix for issue with scrolling the 'tags filter' dropdown, fixes [#14486]
* Prometheus: fix annotation always using 60s step regardless of
dashboard range [#14795]
* Annotations: Fix creating annotation when graph panel has no data points
position the popup outside viewport [#13765]
* Piechart/Flot: Fix multiple piechart instances with donut bug [#15062]
* Postgres: Fix default port not added when port not configured [#15189]
* Alerting: Fix crash bug when alert notifier folders are missing [#15295]
* Dashboard: Fix save provisioned dashboard modal [#15219]
* Dashboard: Fix having a long query in prometheus dashboard query editor
* blocks 30% of the query field when on OSX and having native scrollbars
[#15122]
* Explore: Fix issue with wrapping on long queries [#15222]
* Explore: Fix cut & paste adds newline before and after selection [#15223]
* Dataproxy: Fix global data source proxy timeout not added to correct http
client [#15258]
* Text Panel: The text panel does no longer by default allow unsanitized
HTML. [#4117]
* Dashboard: Panel property `minSpan` replaced by `maxPerRow`. Dashboard
* migration will automatically migrate all dashboard panels using the
`minSpan` property to the new `maxPerRow` property [#12991]
- Update to version 5.4.3
* MySQL only update session in mysql database when required [#14540]
* Alerting Invalid frequency causes division by zero in alert scheduler [#14810]
* Dashboard Dashboard links do not update when time range changes [#14493]
* Limits Support more than 1000 data sources per org [#13883]
* Backend fix signed in user for orgId=0 result should return active org id [#14574]
* Provisioning Adds orgId to user dto for provisioned dashboards [#14678]
- Update to version 5.4.2
* Data Source admin: Fix for issue creating new data source when same name
exists [#14467]
* OAuth: Fix for oauth auto login setting, can now be set using env variable [#14435]
- Update to version 5.4.1
* Stackdriver: Fix issue with data proxy and Authorization header [#14262]
* Units: fixedUnit for Flow:l/min and mL/min [#14294]
* Logging: Fix for issue where data proxy logged a secret when debug logging
was enabled, now redacted. [#14319]
* TSDB: Fix always take dashboard timezone into consideration when handle
custom time ranges: Add support for alerting on InfluxDB queries that use
the cumulative_sum function. [#14314]
* Embedded Graphs: Iframe graph panels should now work as usual. [#14284]
* Postgres: Improve PostgreSQL Query Editor if using different Schemas, [#14313]
* Quotas: Fix updating org & user quotas. [#14347]
* Cloudwatch: Add the AWS/SES Cloudwatch metrics of BounceRate and
ComplaintRate to auto complete list. [#14401]
* Dashboard Search: Fix filtering by tag issues.
* Graph: Fix time region issues, [#14425]
- Update to version 5.4.0
* Cloudwatch: Fix invalid time range causes segmentation fault [#14150]
* Cloudwatch: AWS/CodeBuild metrics and dimensions [#14167]
* MySQL: Fix `$__timeFrom()` and `$__timeTo()` should respect local time zone [#14228]
* Graph: Fix legend always visible even if configured to be hidden [#14144]
* Elasticsearch: Fix regression when using data source version 6.0+ and
alerting [#14175]
* Alerting: Introduce alert debouncing with the `FOR` setting. [#7886]
* Alerting: Option to disable OK alert notifications [#12330]
* Postgres/MySQL/MSSQL: Adds support for configuration of max open/idle
connections and connection max lifetime. Also, panels with multiple SQL
queries will now be executed concurrently [#11711]
* MySQL: Graphical query builder [#13762]
* MySQL: Support connecting thru Unix socket for MySQL data source [#12342]
* MSSQL: Add encrypt setting to allow configuration of how data sent between
client and server are encrypted [#13629]
* Stackdriver: Not possible to authenticate using GCE metadata server [#13669]
* Teams: Team preferences (theme, home dashboard, timezone) support [#12550]
* Graph: Time regions support enabling highlight of weekdays and/or certain
timespans [#5930]
* OAuth: Automatic redirect to sign-in with OAuth [#11893]
* Stackdriver: Template query editor [#13561]
* Security: Upgrade macaron session package to fix security issue. [#14043]
* Postgres/MySQL/MSSQL data sources now per default uses `max open
connections` = `unlimited` (earlier 10), `max idle connections` = `2`
(earlier 10) and `connection max lifetime` = `4` hours (earlier unlimited).
- Update to version 5.3.4
* Alerting: Delete alerts when parent folder was deleted [#13322]
* MySQL: Fix `$__timeFilter()` should respect local time zone [#13769]
* Dashboard: Fix data source selection in panel by enter key [#13932]
* Graph: Fix table legend height when positioned below graph and using
Internet Explorer 11 [#13903]
* Dataproxy: Drop origin and referer http headers [#13328]
- Update to version 5.3.3
* Fix file exfiltration vulnerability
- Update to version 5.3.2
* InfluxDB/Graphite/Postgres: Prevent XSS in query editor [#13667]
* Postgres: Fix template variables error [#13692]
* Cloudwatch: Fix service panic because of race conditions [#13674]
* Cloudwatch: Fix check for invalid percentile statistics [#13633]
* Stackdriver/Cloudwatch: Allow user to change unit in graph panel if
cloudwatch/stackdriver data source response doesn't include unit [#13718]
* Stackdriver: stackdriver user-metrics duplicated response when multiple
resource types [#13691]
* Variables: Fix text box template variable doesn't work properly without a
default value [#13666]
* Variables: Fix variable dependency check when using `${var}` format [#13600]
* Dashboard: Fix kiosk=1 url parameter should put dashboard in kiosk mode [#13764]
* LDAP: Fix super admins can also be admins of orgs [#13710]
* Provisioning: Fix deleting provisioned dashboard folder should cleanup
provisioning meta data [#13280]
- Update to version 5.3.1
* Render: Fix PhantomJS render of graph panel when legend displayed as table
to the right [#13616]
* Stackdriver: Filter option disappears after removing initial filter [#13607]
* Elasticsearch: Fix no limit size in terms aggregation for alerting queries [#13172]
* InfluxDB: Fix for annotation issue that caused text to be shown twice [#13553]
* Variables: Fix nesting variables leads to exception and missing refresh [#13628]
* Variables: Prometheus: Single letter labels are not supported [#13641]
* Graph: Fix graph time formatting for Last 24h ranges [#13650]
* Playlist: Fix cannot add dashboards with long names to playlist [#13464]
* HTTP API: Fix /api/org/users so that query and limit querystrings works
- Update to version 5.3.0
* Stackdriver: Filter wildcards and regex matching are not yet supported [#13495]
* Stackdriver: Support the distribution metric type for heatmaps [#13559]
* Cloudwatch: Automatically set graph yaxis unit [#13575]
* Stackdriver: Fix for missing ngInject [#13511]
* Permissions: Fix for broken permissions selector [#13507]
* Alerting: Alert reminders deduping not working as expected when running
multiple Grafana instances [#13492]
* Annotations: Enable template variables in tagged annotations queries [#9735]
* Stackdriver: Support for Google Stackdriver data source [#13289]
* Alerting: Notification reminders [#7330]
* Dashboard: TV & Kiosk mode changes, new cycle view mode button in dashboard
toolbar [#13025]
* OAuth: Gitlab OAuth with support for filter by groups [#5623]
* Postgres: Graphical query builder [#10095]
* LDAP: Define Grafana Admin permission in ldap group mappings [#2469]
* LDAP: Client certificates support [#12805]
* Profile: List teams that the user is member of in current/active
organization [#12476]
* Configuration: Allow auto-assigning users to specific organization (other
than Main. Org) [#1823]
* Dataproxy: Pass configured/auth headers to a data source [#10971]
* CloudWatch: GetMetricData support [#11487]
* Postgres: TimescaleDB support, e.g. use `time_bucket` for grouping by time
when option enabled [#12680]
* Cleanup: Make temp file time to live configurable [#11607]
* Postgres data source no longer automatically adds time column alias when
using the $__timeGroup alias.
* Kiosk mode now also hides submenu (variables)
* ?inactive url parameter no longer supported, replaced with kiosk=tv url parameter
* Dashboard: Auto fit dashboard panels to optimize space used for current TV
or Monitor [#12768]
* Frontend: Convert all Frontend Karma tests to Jest tests [#12224]
* Backend: Upgrade to golang 1.11 [#13030]
- Update to version 5.2.4
* GrafanaCli: Fix issue with grafana-cli install plugin resulting in
corrupt http response from source error. [#13079]
- Update to version 5.2.3
* Important fix for LDAP & OAuth login vulnerability
- Update to version 5.2.2
* Prometheus: Fix graph panel bar width issue in aligned prometheus queries [#12379]
* Dashboard: Dashboard links not updated when changing variables [#12506]
* Postgres/MySQL/MSSQL: Fix connection leak [#12636]
* Plugins: Fix loading of external plugins [#12551]
* Dashboard: Remove unwanted scrollbars in embedded panels [#12589]
* Prometheus: Prevent error using \$\_\_interval_ms in query [#12533]
- Update to version 5.2.1
* Auth Proxy: Important security fix for whitelist of IP address feature [#12444]
* UI: Fix - Grafana footer overlapping page [#12430]
* Logging: Errors should be reported before crashing [#12438]
- Update to version 5.2.0
* Plugins: Handle errors correctly when loading data source plugin [#12383]
* Render: Enhance error message if phantomjs executable is not found [#11868]
* Dashboard: Set correct text in drop down when variable is present in url [#11968]
* LDAP: Handle 'dn' ldap attribute more gracefully [#12385]
* Dashboard: Import dashboard to folder [#10796]
* Permissions: Important security fix for API keys with viewer role [#12343]
* Dashboard: Fix so panel titles doesn't wrap [#11074]
* Dashboard: Prevent double-click when saving dashboard [#11963]
* Dashboard: AutoFocus the add-panel search filter [#12189]
* Units: W/m2 (energy), l/h (flow) and kPa (pressure) [#11233]
* Units: Liter/min (flow) and milliLiter/min (flow) [#12282]
* Alerting: Fix mobile notifications for Microsoft Teams alert notifier [#11484]
* Influxdb: Add support for mode function [#12286]
* Cloudwatch: Fix panic caused by bad timerange settings [#12199]
* Auth Proxy: Whitelist proxy IP address instead of client IP address [#10707]
* User Management: Make sure that a user always has a current org assigned [#11076]
* Snapshots: Fix: annotations not properly extracted leading to incorrect
rendering of annotations [#12278]
* LDAP: Allow use of DN in group_search_filter_user_attribute and member_of [#3132]
* Graph: Fix legend decimals precision calculation [#11792]
* Dashboard: Make sure to process panels in collapsed rows when exporting
dashboard [#12256]
* Dashboard: Dashboard link doesn't work when 'As dropdown' option is checked [#12315]
* Dashboard: Fix regressions after save modal changes, including adhoc
template issues [#12240]
* Elasticsearch: Alerting support [#5893]
* Build: Crosscompile and packages Grafana on arm, windows, linux and darwin [#11920]
* Login: Change admin password after first login [#11882]
* Alert list panel: Updated to support filtering alerts by name, dashboard
title, folder, tags [#11500]
* Dashboard: Modified time range and variables are now not saved by default [#10748]
* Graph: Show invisible highest value bucket in histogram [#11498]
* Dashboard: Enable 'Save As...' if user has edit permission [#11625]
* Prometheus: Query dates are now step-aligned [#10434]
* Prometheus: Table columns order now changes when rearrange queries [#11690]
* Variables: Fix variable interpolation when using multiple formatting types [#11800]
* Dashboard: Fix date selector styling for dark/light theme in time picker
control [#11616]
* Discord: Alert notification channel type for Discord, [#7964]
* InfluxDB: Support SELECT queries in templating query, [#5013]
* InfluxDB: Support count distinct aggregation [#11645]
* Dashboard: JSON Model under dashboard settings can now be updated & changes
saved. [#1429]
* Security: Fix XSS vulnerabilities in dashboard links [#11813]
* Singlestat: Fix 'time of last point' shows local time when dashboard
timezone set to UTC [#10338]
* Prometheus: Add support for passing timeout parameter to Prometheus [#11788]
* Login: Add optional option sign out url for generic oauth [#9847]
* Login: Use proxy server from environment variable if available [#9703]
* Invite users: Friendlier error message when smtp is not configured [#12087]
* Graphite: Don't send distributed tracing headers when using direct/browser
access mode [#11494]
* Sidenav: Show create dashboard link for viewers if at least editor in one
folder [#11858]
* SQL: Second epochs are now correctly converted to ms. [#12085]
* Singlestat: Fix singlestat threshold tooltip [#11971]
* Dashboard: Hide grid controls in fullscreen/low-activity views [#11771]
* Dashboard: Validate uid when importing dashboards [#11515]
* Alert list panel: Show alerts for user with viewer role [#11167]
* Provisioning: Verify checksum of dashboards before updating to reduce load
on database [#11670]
* Provisioning: Support symlinked files in dashboard provisioning config
files [#11958]
* Dashboard list panel: Search dashboards by folder [#11525]
* Sidenav: Always show server admin link in sidenav if grafana admin [#11657]
- Update to version 5.1.4
* Permissions: Important security fix for API keys with viewer role [#12343]
- Update to version 5.1.3
* Scroll: Graph panel / legend texts shifts on the left each time we move
scrollbar on firefox [#11830]
- Update to version 5.1.2
* Database: Fix MySql migration issue [#11862]
* Google Analytics: Enable Google Analytics anonymizeIP setting for GDPR [#11656]
- Update to version 5.1.1
* LDAP: LDAP login with MariaDB/MySQL database and dn>100 chars not possible [#11754]
* Build: AppVeyor Windows build missing version and commit info [#11758]
* Scroll: Scroll can't start in graphs on Chrome mobile [#11710]
* Units: Revert renaming of unit key ppm [#11743]
- Update to version 5.1.0
* Folders: Default permissions on folder are not shown as inherited in its
dashboards [#11668]
* Templating: Allow more than 20 previews when creating a variable [#11508]
* Dashboard: Row edit icon not shown [#11466]
* SQL: Unsupported data types for value column using time series query [#11703]
* Prometheus: Prometheus query inspector expands to be very large on
autocomplete queries [#11673]
* MSSQL: New Microsoft SQL Server data source [#10093]
* Prometheus: The heatmap panel now support Prometheus histograms [#10009]
* Postgres/MySQL: Ability to insert 0s or nulls for missing intervals [#9487]
* Postgres/MySQL/MSSQL: Fix precision for the time column in table mode [#11306]
* Graph: Align left and right Y-axes to one level [#1271]
* Graph: Thresholds for Right Y axis [#7107]
* Graph: Support multiple series stacking in histogram mode [#8151]
* Alerting: Pausing/un alerts now updates new_state_date [#10942]
* Alerting: Support Pagerduty notification channel using Pagerduty V2 API [#10531]
* Templating: Add comma templating format [#10632]
* Prometheus: Show template variable candidate in query editor [#9210]
* Prometheus: Support POST for query and query_range [#9859]
* Alerting: Add support for retries on alert queries [#5855]
* Table: Table plugin value mappings [#7119]
* IE11: IE 11 compatibility [#11165]
* Scrolling: Better scrolling experience [#11053]
* Folders: A folder admin cannot add user/team permissions for folder/its
dashboards [#11173]
* Provisioning: Improved workflow for provisioned dashboards [#10883]
* OpsGenie: Add triggered alerts as description [#11046]
* Cloudwatch: Support high resolution metrics [#10925]
* Cloudwatch: Add dimension filtering to CloudWatch `dimension_values()` [#10029]
* Units: Second to HH:mm:ss formatter [#11107]
* Singlestat: Add color to prefix and postfix in singlestat panel [#11143]
* Dashboards: Version cleanup fails on old databases with many entries [#11278]
* Server: Adjust permissions of unix socket [#11343]
* Shortcuts: Add shortcut for duplicate panel [#11102]
* AuthProxy: Support IPv6 in Auth proxy white list [#11330]
* SMTP: Don't connect to STMP server using TLS unless configured. [#7189]
* Prometheus: Escape backslash in labels correctly. [#10555]
* Variables: Case-insensitive sorting for template values [#11128]
* Annotations (native): Change default limit from 10 to 100 when querying api [#11569]
* MySQL/Postgres/MSSQL: PostgreSQL data source generates invalid query with
dates before 1970 [#11530]
* Kiosk: Adds url parameter for starting a dashboard in inactive mode [#11228]
* Dashboard: Enable closing timepicker using escape key [#11332]
* Data Sources: Rename direct access mode in the data source settings [#11391]
* Search: Display dashboards in folder indented [#11073]
* Units: Use B/s instead Bps for Bytes per second [#9342]
* Units: Radiation units [#11001]
* Units: Timeticks unit [#11183]
* Units: Concentration units and 'Normal cubic meter' [#11211]
* Units: New currency - Czech koruna [#11384]
* Avatar: Fix DISABLE_GRAVATAR option [#11095]
* Heatmap: Disable log scale when using time time series buckets [#10792]
* Provisioning: Remove `id` from json when provisioning dashboards, [#11138]
* Prometheus: tooltip for legend format not showing properly [#11516]
* Playlist: Empty playlists cannot be deleted [#11133]
* Switch Orgs: Alphabetic order in Switch Organization modal [#11556]
* Postgres: improve `$__timeFilter` macro [#11578]
* Permission list: Improved ux [#10747]
* Dashboard: Sizing and positioning of settings menu icons [#11572]
* Dashboard: Add search filter/tabs to new panel control [#10427]
* Folders: User with org viewer role should not be able to save/move
dashboards in/to general folder [#11553]
* Influxdb: Don't assume the first column in table response is time. [#11476]
- Update to version 5.0.4
* Dashboard Fix inability to link collapsed panels directly to [#11114]
* Dashboard Provisioning dashboard with alert rules should create alerts [#11247]
* Snapshots For snapshots, the Graph panel renders the legend incorrectly on
right hand side [#11318]
* Alerting Link back to Grafana returns wrong URL if root_path contains
sub-path components [#11403]
* Alerting Incorrect default value for upload images setting for alert
notifiers [#11413]
- Update to version 5.0.3
* Mysql: Mysql panic occurring occasionally upon Grafana dashboard access (a
bigger patch than the one in 5.0.2) [#11155]
- Update to version 5.0.2
* Mysql: Mysql panic occurring occasionally upon Grafana dashboard access [#11155]
* Dashboards: Should be possible to browse dashboard using only uid [#11231]
* Alerting: Fix bug where alerts from hidden panels where deleted [#11222]
* Import: Fix bug where dashboards with alerts couldn't be imported [#11227]
* Teams: Remove quota restrictions from teams [#11220]
* Render: Fix bug with legacy url redirection for panel rendering [#11180]
- Update to version 5.0.1
* Postgres: PostgreSQL error when using ipv6 address as hostname in
connection string [#11055]
* Dashboards: Changing templated value from dropdown is causing unsaved
changes [#11063]
* Prometheus: Fix bundled Prometheus 2.0 dashboard [#11016]
* Sidemenu: Profile menu 'invisible' when gravatar is disabled [#11097]
* Dashboard: Fix a bug with resizable handles for panels [#11103]
* Alerting: Telegram inline image mode fails when caption too long [#10975]
* Alerting: Fix silent failing validation [#11145]
* OAuth: Only use jwt token if it contains an email address [#11127]
- Update to version 5.0.0
* oauth Fix GitHub OAuth not working with private Organizations [#11028]
* kiosk white area over bottom panels in kiosk mode [#11010]
* alerting Fix OK state doesn't show up in Microsoft Teams [#11032]
* Permissions Fix search permissions issues [#10822]
* Permissions Fix problem issues displaying permissions lists [#10864]
* PNG-Rendering Fix problem rendering legend to the right [#10526]
* Reset password Fix problem with reset password form [#10870]
* Light theme Fix problem with light theme in safari, [#10869]
* Provisioning Now handles deletes when dashboard json files removed from
disk [#10865]
* MySQL: Fix issue with schema migration on old mysql (index too long) [#10779]
* GitHub OAuth: Fix fetching github orgs from private github org [#10823]
* Embedding:Fix issues with embedding panel [#10787]
* Dashboards: Dashboard folders, [#1611]
* Teams User groups (teams) implemented. Can be used in folder & dashboard
permission list.
* Dashboard grid: Panels are now laid out in a two dimensional grid (with x,
y, w, h). [#9093]
* Templating: Vertical repeat direction for panel repeats.
* UX: Major update to page header and navigation
* Dashboard settings: Combine dashboard settings views into one with side menu, [#9750]
* Persistent dashboard url's: New url's for dashboards that allows renaming
dashboards without breaking links. [#7883]
* dashboard.json files have been replaced with dashboard provisioning API.
* Config files for provisioning data sources as configuration have changed
from /etc/grafana/conf/datasources to /etc/grafana/provisioning/datasources.
* Pagerduty notifier now defaults to not auto resolve incidents. More details at [#10222]
* `GET /api/alerts` property dashboardUri renamed to url
* New grid engine for positioning dashboard panels
* Alerting: Add support for internal image store [#6922]
* Data Source Proxy: Add support for whitelisting specified cookies to be
be passed through to the data source when proxying [#5457]
* Postgres/MySQL: add \_\_timeGroup macro for mysql [#9596]
* Text: Text panel are now edited in the ace editor. [#9698]
* Teams: Add Microsoft Teams notifier as [#8523]
* Data Sources: Its now possible to configure data sources with config files [#1789]
* Graphite: Query editor updated to support new query by tag features [#9230]
* Dashboard history: New config file option versions_to_keep sets how many
versions per dashboard to store, [#9671]
* Dashboard as cfg: Load dashboards from file into Grafana on startup/change [#9654]
* Prometheus: Grafana can now send alerts to Prometheus Alertmanager while
firing [#7481]
* Table: Support multiple table formatted queries in table panel [#9170]
* Security: Protect against brute force (frequent) login attempts [#7616]
* Graph: Don't hide graph display options (Lines/Points) when draw mode is
unchecked [#9770]
* Alert panel: Adds placeholder text when no alerts are within the time range [#9624]
* Mysql: MySQL enable MaxOpenCon and MaxIdleCon regards how constring is
configured. [#9784]
* Cloudwatch: Fix broken query inspector for cloudwatch [#9661]
* Dashboard: Make it possible to start dashboards from search and dashboard
list panel [#1871]
* Annotations: Posting annotations now return the id of the annotation [#9798]
* Systemd: Use systemd notification ready flag [#10024]
* GitHub: Use organizations_url provided from github to verify user belongs
in org. [#10111]
* Backend: Fix bug where Grafana exited before all sub routines where finished [#10131]
* Azure: Adds support for Azure blob storage as external image stor [#8955]
* Telegram: Add support for inline image uploads to telegram notifier plugin [#9967]
* Sensu: Send alert message to sensu output [#9551]
* Singlestat: suppress error when result contains no datapoints [#9636]
* Postgres/MySQL: Control quoting in SQL-queries when using template variables [#9030]
* Pagerduty: Pagerduty don't auto resolve incidents by default anymore. [#10222]
* Cloudwatch: Fix for multi-valued templated queries. [#9903]
* RabbitMq: Remove support for publishing events to RabbitMQ [#9645]
* API: GET /api/dashboards/db/:slug deprecated, use GET /api/dashboards/uid/:uid
* API: DELETE /api/dashboards/db/:slug deprecated, use DELETE /api/dashboards/uid/:uid
* API: `uri` property in GET /api/search deprecated, use `url` or `uid` property
* API: `meta.slug` property in GET /api/dashboards/uid/:uid and GET
/api/dashboards/db/:slug deprecated, use `meta.url` or `dashboard.uid` property
Changes in grafana-natel-discrete-panel:
- Add recompress source service
- Add set_version source service
- Enable changesgenerate for tar_scm source service
- Update to version 0.0.9:
* split commands
* put back the history
Changes in openstack-cinder:
- Update to version cinder-11.2.3.dev29:
* Remove VxFlex OS credentials from connection\_properties
* Fix stable/pike gate
* tintri: Enable SSL with requests
* [Unity] Fix TypeError for test case test\_delete\_host\_wo\_lock
Changes in openstack-cinder:
- Update to version cinder-11.2.3.dev29:
* Remove VxFlex OS credentials from connection\_properties
* Fix stable/pike gate
* tintri: Enable SSL with requests
* [Unity] Fix TypeError for test case test\_delete\_host\_wo\_lock
Changes in openstack-monasca-installer:
- Add 0001-Add-support-for-ansible-2.9.patch
Changes in openstack-neutron:
- Update to version neutron-11.0.9.dev69:
* Do not block connection between br-int and br-phys on startup
* [EM releases] Move non-voting jobs to the experimental queue
- Update to version neutron-11.0.9.dev66:
* Fix pike gates, multiple fixes
Changes in openstack-neutron:
- Add 0001-Ensure-drop-flows-on-br-int-at-agent-startup-for-DVR-too.patch (LP#1887148)
- Update to version neutron-11.0.9.dev69:
* Do not block connection between br-int and br-phys on startup
* [EM releases] Move non-voting jobs to the experimental queue
- Update to version neutron-11.0.9.dev66:
* Fix pike gates, multiple fixes
Changes in openstack-nova:
- Update to version nova-16.1.9.dev76:
* Removed the host FQDN from the exception message
- Update to version nova-16.1.9.dev74:
* libvirt: Provide VIR\_MIGRATE\_PARAM\_PERSIST\_XML during live migration
- Update to version nova-16.1.9.dev73:
* Fix os-simple-tenant-usage result order
- Update to version nova-16.1.9.dev71:
* Fix false ERROR message at compute restart
- Update to version nova-16.1.9.dev69:
* Check cherry-pick hashes in pep8 tox target
- Update to version nova-16.1.9.dev67:
* libvirt: Do not reraise DiskNotFound exceptions during resize
- Update to version nova-16.1.9.dev66:
* Clean up allocation if unshelve fails due to neutron
* Reproduce bug 1862633
- Update to version nova-16.1.9.dev64:
* Init HostState.failed\_builds
- Update to version nova-16.1.9.dev62:
* Fix os\_CODENAME detection and repo refresh during ceph tests
Changes in openstack-nova:
- Update to version nova-16.1.9.dev76:
* Removed the host FQDN from the exception message
- Rebased patches:
+ 0004-Provide-VIR_MIGRATE_PARAM_PERSIST_XML-during-live-migration.patch dropped (merged upstream)
- Update to version nova-16.1.9.dev74:
* libvirt: Provide VIR\_MIGRATE\_PARAM\_PERSIST\_XML during live migration
- Add 0004-Provide-VIR_MIGRATE_PARAM_PERSIST_XML-during-live-migration.patch
* (bsc#1175484, CVE-2020-17376)
- Update to version nova-16.1.9.dev73:
* Fix os-simple-tenant-usage result order
- Update to version nova-16.1.9.dev71:
* Fix false ERROR message at compute restart
- Update to version nova-16.1.9.dev69:
* Check cherry-pick hashes in pep8 tox target
- Update to version nova-16.1.9.dev67:
* libvirt: Do not reraise DiskNotFound exceptions during resize
- Update to version nova-16.1.9.dev66:
* Clean up allocation if unshelve fails due to neutron
* Reproduce bug 1862633
- Update to version nova-16.1.9.dev64:
* Init HostState.failed\_builds
- Update to version nova-16.1.9.dev62:
* Fix os\_CODENAME detection and repo refresh during ceph tests
Changes in python-Django:
- Update to version 1.11.29 (bsc#1161919, CVE-2020-7471, bsc#1165022, CVE-2020-9402, bsc#1159447, CVE-2019-19844)
* Fixed CVE-2020-9402 -- Properly escaped tolerance parameter in GIS functions and aggregates on Oracle.
* Pinned PyYAML < 5.3 in test requirements.
* Fixed CVE-2020-7471 -- Properly escaped StringAgg(delimiter) parameter.
* Fixed timezones tests for PyYAML 5.3+.
* Fixed CVE-2019-19844 -- Used verified user email for password reset requests.
* Fixed #31073 -- Prevented CheckboxInput.get_context() from mutating attrs.
* Fixed #30826 -- Fixed crash of many JSONField lookups when one hand side is key transform.
* Fixed #30769 -- Fixed a crash when filtering against a subquery JSON/HStoreField annotation.
* Fixed #30672 -- Fixed crash of JSONField/HStoreField key transforms on expressions with params.
* Added patch CVE-2020-13254.patch
* Added patch CVE-2020-13596.patch
Changes in python-Flask-Cors:
- Add patches to fix a relative directory traversal issue
(boo#1175986, CVE-2020-25032):
* 0001-Handle-request_headers-None.patch
* 0002-Fix-request-path-normalization.patch
Changes in python-Pillow:
- Add 011-Fix-OOB-reads-in-FLI-decoding.patch
* From upstream, backported
* Fixes CVE-2020-10177, bsc#1173413
- Add 012-Fix-bounds-overflow-in-JPEG-2000-decoding.patch
* From upstream, backported
* Fixes CVE-2020-10994, bsc#1173418
- Add 013-Fix-bounds-overflow-in-PCX-decoding.patch
* From upstream, backported
* Fixes CVE-2020-10378, bsc#1173416
Changes in python-ardana-packager:
- fetch updated nova_host_aggregate from git
- Add missing novaclient required domain entries (bsc#1174006)
Changes in python-keystoneclient:
- add 2020-tests-pass.patch:
- Make tests pass in 2020
- update to version 3.13.1
- Updated from global requirements
- Update .gitreview for stable/pike
- Update UPPER_CONSTRAINTS_FILE for stable/pike
- import zuul job settings from project-config
- Avoid tox_install.sh for constraints support
Changes in python-keystonemiddleware:
- added 0001-Make-tests-pass-in-2022.patch
- removed 0001-Add-use_oslo_messaging-option.patch
- update to version 4.17.1
- Update .gitreview for stable/pike
- Update UPPER_CONSTRAINTS_FILE for stable/pike
- Add option to disable using oslo_message notifier
- Fix docs builds
- Updated from global requirements
- import zuul job settings from project-config
Changes in python-kombu:
- Add 0001-Fix-failing-unittests-of-pyamqp-transport.patch
Changes in python-straight-plugin:
- Add pip_no_plugins.patch to avoid error: 'UnboundLocalError:
local variable 'r' referenced before assignment', when there
is no plugin available.
- Initial packaging
Changes in python-urllib3:
- Update urllib3-fix-test-urls.patch. Adjust to match upstream solution.
- Add urllib3-fix-test-urls.patch. Fix tests failing on python checks for
CVE-2019-9740.
- Add urllib3-cve-2020-26137.patch. Don't allow control chars in request
method. (bsc#1177120, CVE-2020-26137)
Changes in release-notes-suse-openstack-cloud:
- Update to version 8.20200922:
* postgreSQL db replace changes are updated for suse openstack cloud section (SOC-11000)
Changes in storm:
- Fix duplicate BuildRequire on storm-kit
- update to 1.2.3 (SOC-9974, CVE-2019-0202, SOC-9998, CVE-2018-11779):
* 1.2.3
* [STORM-3233] - Upgrade zookeeper client to newest version (3.4.13)
* [STORM-3077] - Upgrade Disruptor version to 3.3.11
* [STORM-3083] - Upgrade HikariCP version to 2.4.7
* [STORM-3094] - Topology name needs to be validated at storm-client
* [STORM-3222] - Fix KafkaSpout internals to use LinkedList instead of ArrayList
* [STORM-3292] - Trident HiveState must flush writers when the batch commits
* [STORM-3013] - Deactivated topology restarts if data flows into Kafka
* [STORM-3028] - HdfsSpout does not handle empty files in case of ack enabled
* [STORM-3046] - Getting a NPE leading worker to die when starting a topology.
* [STORM-3047] - Ensure Trident emitter refreshPartitions is only called with partitions assigned to the emitter
* [STORM-3055] - never refresh connection
* [STORM-3068] - STORM_JAR_JVM_OPTS are not passed to storm-kafka-monitor properly
* [STORM-3082] - NamedTopicFilter can't handle topics that don't exist yet
* [STORM-3087] - FluxBuilder.canInvokeWithArgs is too permissive when the method parameter type is a primitive
* [STORM-3090] - The same offset value is used by the same partition number of different topics.
* [STORM-3097] - Remove storm-druid in 2.x and deprecate support for it in 1.x
* [STORM-3102] - Storm Kafka Client performance issues with Kafka Client v1.0.0
* [STORM-3109] - Wrong canonical path set to STORM_LOCAL_DIR in storm kill_workers
* [STORM-3110] - Supervisor does not kill all worker processes in secure mode in case of user mismatch
* [STORM-3121] - Fix flaky metrics tests in storm-core
* [STORM-3122] - FNFE due to race condition between 'async localizer' and 'update blob' timer thread
* [STORM-3123] - Storm Kafka Monitor does not work with Kafka over two-way SSL
* [STORM-3161] - Local mode should force setting min replication count to 1
* [STORM-3164] - Multilang storm.py uses traceback.format_exc incorrectly
* [STORM-3184] - Storm supervisor log showing keystore and truststore password in plaintext
* [STORM-3201] - kafka spout lag on UI needs some cleanup
* [STORM-3301] - The KafkaSpout can in some cases still replay tuples that were already committed
* [STORM-3381] - Upgrading to Zookeeper 3.4.14 added an LGPL dependency
* [STORM-3384] - storm set-log-level command throws wrong exception when the topology is not running
* [STORM-3086] - Update Flux documentation to demonstrate static factory methods (STORM-2796)
* [STORM-3089] - Document worker hooks on the hooks page
* [STORM-3199] - Metrics-ganglia depends on an LGPL library, so we shouldn't depend on it
* [STORM-3289] - Add note about KAFKA-7044 to storm-kafka-client compatibility docs
* [STORM-3330] - Migrate parts of storm-webapp, and reduce use of mocks for files
* 1.2.2
* [STORM-3026] - Upgrade ZK instance for security
* [STORM-3027] - Make Impersonation Optional
* [STORM-2896] - Support automatic migration of offsets from storm-kafka to storm-kafka-client KafkaSpout
* [STORM-2997] - Add logviewer ssl module in SECURITY.md
* [STORM-3006] - Distributed RPC documentation needs an update
* [STORM-3011] - Use default bin path in flight.bash if $JAVA_HOME is undefined
* [STORM-3022] - Decouple storm-hive UTs with Hive
* [STORM-3039] - Ports of killed topologies remain in TIME_WAIT state preventing to start new topology
* [STORM-3069] - Allow users to specify maven local repository directory for storm submit tool
* [STORM-2911] - SpoutConfig is serializable but does not declare a serialVersionUID field
* [STORM-2967] - Upgrade jackson to latest version 2.9.4
* [STORM-2968] - Exclude a few unwanted jars from storm-autocreds
* [STORM-2978] - The fix for STORM-2706 is broken, and adds a transitive dependency on Zookeeper 3.5.3-beta for projects that depend on e.g. storm-kafka
* [STORM-2979] - WorkerHooks EOFException during run_worker_shutdown_hooks
* [STORM-2981] - Upgrade Curator to lastest patch version
* [STORM-2985] - Add jackson-annotations to dependency management
* [STORM-2988] - 'Error on initialization of server mk-worker' when using org.apache.storm.metrics2.reporters.JmxStormReporter on worker
* [STORM-2989] - LogCleaner should preserve current worker.log.metrics
* [STORM-2993] - Storm HDFS bolt throws ClosedChannelException when Time rotation policy is used
* [STORM-2994] - KafkaSpout consumes messages but doesn't commit offsets
* [STORM-3043] - NullPointerException thrown in SimpleRecordTranslator.apply()
* [STORM-3052] - Let blobs un archive
* [STORM-3059] - KafkaSpout throws NPE when hitting a null tuple if the processing guarantee is not AT_LEAST_ONCE
* [STORM-2960] - Better to stress importance of setting up proper OS account for Storm processes
* [STORM-3060] - Configuration mapping between storm-kafka & storm-kafka-client
* [STORM-2952] - Deprecate storm-kafka in 1.x
* [STORM-3005] - [DRPC] LinearDRPCTopologyBuilder shouldn't be deprecated
Changes in storm-kit:
- Add _constraints to prevent build from running out of disk space
- Updated kit for storm-1.2.3
Changes in venv-openstack-cinder:
- Ensure that python-swiftclient is pulled into the built venv
via an explicit BuildRequires directive. (SOC-10522)
Changes in venv-openstack-swift:
- Ensure that python-oslo.log is pulled into the built venv by
explicitly requiring the package using a BuildRequires entry.
ImportantSUSE bug 1008037SUSE bug 1008038SUSE bug 1010940SUSE bug 1019021SUSE bug 1038785SUSE bug 1056094SUSE bug 1059235SUSE bug 1080682SUSE bug 1097775SUSE bug 1102126SUSE bug 1109957SUSE bug 1112959SUSE bug 1117080SUSE bug 1118896SUSE bug 1123561SUSE bug 1126503SUSE bug 1137479SUSE bug 1137528SUSE bug 1142121SUSE bug 1142542SUSE bug 1144453SUSE bug 1153452SUSE bug 1154231SUSE bug 1154232SUSE bug 1154830SUSE bug 1157968SUSE bug 1157969SUSE bug 1159447SUSE bug 1161919SUSE bug 1164133SUSE bug 1164134SUSE bug 1164135SUSE bug 1164136SUSE bug 1164137SUSE bug 1164138SUSE bug 1164139SUSE bug 1164140SUSE bug 1165022SUSE bug 1165393SUSE bug 1166389SUSE bug 1167440SUSE bug 1167532SUSE bug 1171162SUSE bug 1171823SUSE bug 1172450SUSE bug 1173413SUSE bug 1173416SUSE bug 1173418SUSE bug 1174006SUSE bug 1174145SUSE bug 1174242SUSE bug 1174302SUSE bug 1174583SUSE bug 1175484SUSE bug 1175986SUSE bug 1175993SUSE bug 1177120SUSE bug 1177948CVE-2016-8614 at SUSECVE-2016-8614 at NVDCVE-2016-8628 at SUSECVE-2016-8628 at NVDCVE-2016-8647 at SUSECVE-2016-8647 at NVDCVE-2016-9587 at SUSECVE-2016-9587 at NVDCVE-2017-7466 at SUSECVE-2017-7466 at NVDCVE-2017-7550 at SUSECVE-2017-7550 at NVDCVE-2018-10875 at SUSECVE-2018-10875 at NVDCVE-2018-11779 at SUSECVE-2018-11779 at NVDCVE-2018-16837 at SUSECVE-2018-16837 at NVDCVE-2018-16859 at SUSECVE-2018-16859 at NVDCVE-2018-16876 at SUSECVE-2018-16876 at NVDCVE-2018-18623 at SUSECVE-2018-18623 at NVDCVE-2018-18624 at SUSECVE-2018-18624 at NVDCVE-2018-18625 at SUSECVE-2018-18625 at NVDCVE-2019-0202 at SUSECVE-2019-0202 at NVDCVE-2019-10156 at SUSECVE-2019-10156 at NVDCVE-2019-10206 at SUSECVE-2019-10206 at NVDCVE-2019-10217 at SUSECVE-2019-10217 at NVDCVE-2019-14846 at SUSECVE-2019-14846 at NVDCVE-2019-14856 at SUSECVE-2019-14856 at NVDCVE-2019-14858 at SUSECVE-2019-14858 at NVDCVE-2019-14864 at SUSECVE-2019-14864 at NVDCVE-2019-14904 at SUSECVE-2019-14904 at NVDCVE-2019-14905 at SUSECVE-2019-14905 at NVDCVE-2019-19844 at SUSECVE-2019-19844 at NVDCVE-2019-3828 at SUSECVE-2019-3828 at NVDCVE-2020-10177 at SUSECVE-2020-10177 at NVDCVE-2020-10378 at SUSECVE-2020-10378 at NVDCVE-2020-10684 at SUSECVE-2020-10684 at NVDCVE-2020-10685 at SUSECVE-2020-10685 at NVDCVE-2020-10691 at SUSECVE-2020-10691 at NVDCVE-2020-10729 at SUSECVE-2020-10729 at NVDCVE-2020-10744 at SUSECVE-2020-10744 at NVDCVE-2020-10994 at SUSECVE-2020-10994 at NVDCVE-2020-11110 at SUSECVE-2020-11110 at NVDCVE-2020-14330 at SUSECVE-2020-14330 at NVDCVE-2020-14332 at SUSECVE-2020-14332 at NVDCVE-2020-14365 at SUSECVE-2020-14365 at NVDCVE-2020-1733 at SUSECVE-2020-1733 at NVDCVE-2020-1734 at SUSECVE-2020-1734 at NVDCVE-2020-1735 at SUSECVE-2020-1735 at NVDCVE-2020-1736 at SUSECVE-2020-1736 at NVDCVE-2020-1737 at SUSECVE-2020-1737 at NVDCVE-2020-17376 at SUSECVE-2020-17376 at NVDCVE-2020-1738 at SUSECVE-2020-1738 at NVDCVE-2020-1739 at SUSECVE-2020-1739 at NVDCVE-2020-1740 at SUSECVE-2020-1740 at NVDCVE-2020-1746 at SUSECVE-2020-1746 at NVDCVE-2020-1753 at SUSECVE-2020-1753 at NVDCVE-2020-25032 at SUSECVE-2020-25032 at NVDCVE-2020-26137 at SUSECVE-2020-26137 at NVDCVE-2020-7471 at SUSECVE-2020-7471 at NVDCVE-2020-9402 at SUSECVE-2020-9402 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for systemd (Important)SUSE OpenStack Cloud Crowbar 8
This update for systemd fixes the following issues:
- CVE-2020-1712 (bsc#bsc#1162108)
Fix a heap use-after-free vulnerability, when asynchronous
Polkit queries were performed while handling Dbus messages. A local
unprivileged attacker could have abused this flaw to crash systemd services or
potentially execute code and elevate their privileges, by sending specially
crafted Dbus messages.
- Unconfirmed fix for prevent hanging of systemctl during restart. (bsc#1139459)
- Fix warnings thrown during package installation. (bsc#1154043)
- Fix for system-udevd prevent crash within OES2018. (bsc#1151506)
- Fragments of masked units ought not be considered for 'NeedDaemonReload'. (bsc#1156482)
- Wait for workers to finish when exiting. (bsc#1106383)
- Improve log message when inotify limit is reached. (bsc#1155574)
- Mention in the man pages that alias names are only effective after command 'systemctl enable'. (bsc#1151377)
- Introduce function for reading virtual files in 'sysfs' and 'procfs'. (bsc#1133495, bsc#1159814)
ImportantSUSE bug 1106383SUSE bug 1133495SUSE bug 1139459SUSE bug 1151377SUSE bug 1151506SUSE bug 1154043SUSE bug 1155574SUSE bug 1156482SUSE bug 1159814SUSE bug 1162108CVE-2020-1712 at SUSECVE-2020-1712 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_7_0-openjdk (Important)SUSE OpenStack Cloud Crowbar 8
This update for java-1_7_0-openjdk fixes the following issues:
- Update to 2.6.24 - OpenJDK 7u281 (October 2020 CPU, bsc#1177943)
* Security fixes
+ JDK-8233624: Enhance JNI linkage
+ JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
+ JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
+ JDK-8237995, CVE-2020-14782: Enhance certificate processing
+ JDK-8240124: Better VM Interning
+ JDK-8241114, CVE-2020-14792: Better range handling
+ JDK-8242680, CVE-2020-14796: Improved URI Support
+ JDK-8242685, CVE-2020-14797: Better Path Validation
+ JDK-8242695, CVE-2020-14798: Enhanced buffer support
+ JDK-8243302: Advanced class supports
+ JDK-8244136, CVE-2020-14803: Improved Buffer supports
+ JDK-8244479: Further constrain certificates
+ JDK-8244955: Additional Fix for JDK-8240124
+ JDK-8245407: Enhance zoning of times
+ JDK-8245412: Better class definitions
+ JDK-8245417: Improve certificate chain handling
+ JDK-8248574: Improve jpeg processing
+ JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
+ JDK-8253019: Enhanced JPEG decoding
* Import of OpenJDK 7 u281 build 1
+ JDK-8145096: Undefined behaviour in HotSpot
+ JDK-8215265: C2: range check elimination may allow illegal
out of bound access
* Backports
+ JDK-8250861, PR3812: Crash in MinINode::Ideal(PhaseGVN*, bool)
ImportantSUSE bug 1177943CVE-2020-14779 at SUSECVE-2020-14779 at NVDCVE-2020-14781 at SUSECVE-2020-14781 at NVDCVE-2020-14782 at SUSECVE-2020-14782 at NVDCVE-2020-14792 at SUSECVE-2020-14792 at NVDCVE-2020-14796 at SUSECVE-2020-14796 at NVDCVE-2020-14797 at SUSECVE-2020-14797 at NVDCVE-2020-14798 at SUSECVE-2020-14798 at NVDCVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openldap2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for openldap2 fixes the following issues:
- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).
ImportantSUSE bug 1178387CVE-2020-25692 at SUSECVE-2020-25692 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.4.1 ESR
* Fixed: Security fix
MFSA 2020-49 (bsc#1178588)
* CVE-2020-26950 (bmo#1675905)
Write side effects in MCallGetProperty opcode not accounted
for
ImportantSUSE bug 1178588CVE-2020-26950 at SUSECVE-2020-26950 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for postgresql, postgresql96, postgresql10 and postgresql12 (Moderate)SUSE OpenStack Cloud Crowbar 8
This update changes the internal packaging for postgresql, and so contains
all currently maintained postgresql versions across our SUSE Linux Enterprise 12
products.
* postgresql12 is shipped new in version 12.3 (bsc#1171924).
The server and client packages only on SUSE Linux Enterprise Server 12 SP5,
the libraries on SUSE Linux Enterprise Server 12 SP2 LTSS up to 12 SP5.
+ https://www.postgresql.org/about/news/2038/
+ https://www.postgresql.org/docs/12/release-12-3.html
* postgresql10 is updated to 10.13 (bsc#1171924).
On SUSE Linux Enterprise Server 12 SP2 LTSS up to 12 SP5.
+ https://www.postgresql.org/about/news/2038/
+ https://www.postgresql.org/docs/10/release-10-13.html
* postgresql96 is updated to 9.6.18 (bsc#1171924):
+ https://www.postgresql.org/about/news/2038/
+ https://www.postgresql.org/docs/9.6/release-9-6-18.html
On SUSE Linux Enterprise Server 12-SP2 and 12-SP3 LTSS only.
* postgresql 9.4 is updated to 9.4.26:
+ https://www.postgresql.org/about/news/2011/
+ https://www.postgresql.org/docs/9.4/release-9-4-26.html
+ https://www.postgresql.org/about/news/1994/
+ https://www.postgresql.org/docs/9.4/release-9-4-25.html
ModerateSUSE bug 1171924cpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for raptor (Important)SUSE OpenStack Cloud Crowbar 8
This update for raptor fixes the following issues:
- Fixed a heap overflow vulnerability (bsc#1178593, CVE-2017-18926).
- Update raptor to version 2.0.15
* Made several fixes to Turtle / N-Triples family of parsers and serializers
* Added utility functions for re-entrant sorting of objects and sequences.
* Made other fixes and improvements including fixing reported issues:
0000574, 0000575, 0000576, 0000577, 0000579, 0000581 and 0000584.
ImportantSUSE bug 1178593CVE-2017-18926 at SUSECVE-2017-18926 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for kernel-firmware (Important)SUSE OpenStack Cloud Crowbar 8
This update for kernel-firmware fixes the following issue:
- CVE-2020-12321: Updated the Intel Bluetooth firmware for buffer overflow security bugs (bsc#1178671).
ImportantSUSE bug 1178671CVE-2020-12321 at SUSECVE-2020-12321 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for krb5 (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for krb5 fixes the following security issue:
- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).
ModerateSUSE bug 1178512CVE-2020-28196 at SUSECVE-2020-28196 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for postgresql10 (Important)SUSE OpenStack Cloud Crowbar 8
This update for postgresql10 fixes the following issues:
Upgrade to version 10.15:
* CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and
materialized view queries.
* CVE-2020-25694, bsc#1178667:
a) Fix usage of complex connection-string parameters in pg_dump,
pg_restore, clusterdb, reindexdb, and vacuumdb.
b) When psql's \connect command re-uses connection parameters,
ensure that all non-overridden parameters from a previous
connection string are re-used.
* CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from
modifying specially-treated variables.
* https://www.postgresql.org/about/news/2111/
* https://www.postgresql.org/docs/10/release-10-15.html
Update to 10.14:
* CVE-2020-14349, bsc#1175193: Set a secure search_path in
logical replication walsenders and apply workers
* CVE-2020-14350, bsc#1175194: Make contrib modules' installation
scripts more secure.
* https://www.postgresql.org/docs/10/release-10-14.html
ImportantSUSE bug 1175193SUSE bug 1175194SUSE bug 1178666SUSE bug 1178667SUSE bug 1178668CVE-2020-14349 at SUSECVE-2020-14349 at NVDCVE-2020-14350 at SUSECVE-2020-14350 at NVDCVE-2020-25694 at SUSECVE-2020-25694 at NVDCVE-2020-25695 at SUSECVE-2020-25695 at NVDCVE-2020-25696 at SUSECVE-2020-25696 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for postgresql96 (Important)SUSE OpenStack Cloud Crowbar 8
This update for postgresql96 fixes the following issues:
Upgrade to version 9.6.20:
* CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and
materialized view queries.
* CVE-2020-25694, bsc#1178667:
a) Fix usage of complex connection-string parameters in pg_dump,
pg_restore, clusterdb, reindexdb, and vacuumdb.
b) When psql's \connect command re-uses connection parameters,
ensure that all non-overridden parameters from a previous
connection string are re-used.
* CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from
modifying specially-treated variables.
* https://www.postgresql.org/about/news/2111/
* https://www.postgresql.org/docs/9.6/release-9-6-20.html
Changes from 9.6.19:
* CVE-2020-14350, bsc#1175194: Make contrib modules installation
ImportantSUSE bug 1175194SUSE bug 1178666SUSE bug 1178667SUSE bug 1178668CVE-2020-14350 at SUSECVE-2020-14350 at NVDCVE-2020-25694 at SUSECVE-2020-25694 at NVDCVE-2020-25695 at SUSECVE-2020-25695 at NVDCVE-2020-25696 at SUSECVE-2020-25696 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud Crowbar 8
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bug fixes.
The following security bugs were fixed:
- CVE-2020-25705: A flaw in the way reply ICMP packets are limited in was found that allowed to quickly scan open UDP ports. This flaw allowed an off-path remote user to effectively bypassing source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software and services that rely on UDP source port randomization (like DNS) are indirectly affected as well. Kernel versions may be vulnerable to this issue (bsc#1175721, bsc#1178782).
- CVE-2020-25668: Fixed a use-after-free in con_font_op() (bsc#1178123).
- CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).
- CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086).
- CVE-2020-8694: Restricted energy meter to root access (bsc#1170415).
- CVE-2020-12352: Fixed an information leak when processing certain AMP packets aka 'BleedingTooth' (bsc#1177725).
- CVE-2020-25645: Fixed an issue which traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted (bsc#1177511).
- CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011).
- CVE-2020-25212: Fixed A TOCTOU mismatch in the NFS client code which could have been used by local attackers to corrupt memory (bsc#1176381).
- CVE-2020-14390: Fixed an out-of-bounds memory write leading to memory corruption or a denial of service when changing screen size (bnc#1176235).
- CVE-2020-25643: Fixed a memory corruption and a read overflow which could have caused by improper input validation in the ppp_cp_parse_cr function (bsc#1177206).
- CVE-2020-25641: Fixed a zero-length biovec request issued by the block subsystem could have caused the kernel to enter an infinite loop, causing a denial of service (bsc#1177121).
- CVE-2020-26088: Fixed an improper CAP_NET_RAW check in NFC socket creation could have been used by local attackers to create raw sockets, bypassing security mechanisms (bsc#1176990).
- CVE-2020-0432: Fixed an out of bounds write due to an integer overflow (bsc#1176721).
- CVE-2020-0431: Fixed an out of bounds write due to a missing bounds check (bsc#1176722).
- CVE-2020-0427: Fixed an out of bounds read due to a use after free (bsc#1176725).
- CVE-2020-0404: Fixed a linked list corruption due to an unusual root cause (bsc#1176423).
- CVE-2020-25284: Fixed an incomplete permission checking for access to rbd devices, which could have been leveraged by local attackers to map or unmap rbd block devices (bsc#1176482).
- CVE-2019-19063: Fixed two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c, which could have allowed an attacker to cause a denial of service (memory consumption) (bsc#1157298).
- CVE-2019-6133: In PolicyKit (aka polkit), the 'start time' protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions are improperly cached. This is related to lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c (bsc#1121872).
- CVE-2017-18204: Fixed a denial of service in the ocfs2_setattr function of fs/ocfs2/file.c (bnc#1083244).
The following non-security bugs were fixed:
- hv: vmbus: Add timeout to vmbus_wait_for_unload (bsc#1177816).
- hyperv_fb: disable superfluous VERSION_WIN10_V5 case (bsc#1175306).
- hyperv_fb: Update screen_info after removing old framebuffer (bsc#1175306).
- mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa (bsc#1176816).
- net/packet: fix overflow in tpacket_rcv (bsc#1176069).
- ocfs2: give applications more IO opportunities during fstrim (bsc#1175228).
- video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host (bsc#1175306).
- video: hyperv: hyperv_fb: Support deferred IO for Hyper-V frame buffer driver (bsc#1175306).
- video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs (bsc#1175306).
- x86/kexec: Use up-to-dated screen_info copy to fill boot params (bsc#1175306).
- xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen-blkfront: switch kcalloc to kvcalloc for large array allocation (bsc#1160917).
- xen: do not reschedule in preemption off sections (bsc#1175749).
- xen/events: add a new 'late EOI' evtchn framework (XSA-332 bsc#1177411).
- xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411).
- xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410).
- xen/events: block rogue events for some time (XSA-332 bsc#1177411).
- xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411).
- xen/events: do not use chip_data for legacy IRQs (XSA-332 bsc#1065600).
- xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).
- xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411).
- xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411).
- xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information (XSA-332 bsc#1065600).
ImportantSUSE bug 1065600SUSE bug 1083244SUSE bug 1121826SUSE bug 1121872SUSE bug 1157298SUSE bug 1160917SUSE bug 1170415SUSE bug 1175228SUSE bug 1175306SUSE bug 1175721SUSE bug 1175749SUSE bug 1176011SUSE bug 1176069SUSE bug 1176235SUSE bug 1176253SUSE bug 1176278SUSE bug 1176381SUSE bug 1176382SUSE bug 1176423SUSE bug 1176482SUSE bug 1176721SUSE bug 1176722SUSE bug 1176725SUSE bug 1176816SUSE bug 1176896SUSE bug 1176990SUSE bug 1177027SUSE bug 1177086SUSE bug 1177121SUSE bug 1177165SUSE bug 1177206SUSE bug 1177226SUSE bug 1177410SUSE bug 1177411SUSE bug 1177511SUSE bug 1177513SUSE bug 1177725SUSE bug 1177766SUSE bug 1177816SUSE bug 1178123SUSE bug 1178622SUSE bug 1178782CVE-2017-18204 at SUSECVE-2017-18204 at NVDCVE-2019-19063 at SUSECVE-2019-19063 at NVDCVE-2019-6133 at SUSECVE-2019-6133 at NVDCVE-2020-0404 at SUSECVE-2020-0404 at NVDCVE-2020-0427 at SUSECVE-2020-0427 at NVDCVE-2020-0431 at SUSECVE-2020-0431 at NVDCVE-2020-0432 at SUSECVE-2020-0432 at NVDCVE-2020-12352 at SUSECVE-2020-12352 at NVDCVE-2020-14351 at SUSECVE-2020-14351 at NVDCVE-2020-14381 at SUSECVE-2020-14381 at NVDCVE-2020-14390 at SUSECVE-2020-14390 at NVDCVE-2020-25212 at SUSECVE-2020-25212 at NVDCVE-2020-25284 at SUSECVE-2020-25284 at NVDCVE-2020-25641 at SUSECVE-2020-25641 at NVDCVE-2020-25643 at SUSECVE-2020-25643 at NVDCVE-2020-25645 at SUSECVE-2020-25645 at NVDCVE-2020-25656 at SUSECVE-2020-25656 at NVDCVE-2020-25668 at SUSECVE-2020-25668 at NVDCVE-2020-25705 at SUSECVE-2020-25705 at NVDCVE-2020-26088 at SUSECVE-2020-26088 at NVDCVE-2020-8694 at SUSECVE-2020-8694 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ucode-intel (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for ucode-intel fixes the following issues:
- Updated Intel CPU Microcode to 20201118 official release. (bsc#1178971)
- Removed TGL/06-8c-01/80 due to functional issues with some OEM platforms.
- CVE-2020-8695: Fixed Intel RAPL sidechannel attack (SGX) INTEL-SA-00389 (bsc#1170446)
- CVE-2020-8698: Fixed Fast Store Forward Predictor INTEL-SA-00381 (bsc#1173594)
- CVE-2020-8696: Vector Register Sampling Active INTEL-SA-00381 (bsc#1173592)
- Release notes:
- Security updates for [INTEL-SA-00381](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00381.html).
- Security updates for [INTEL-SA-00389](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html).
- Update for functional issues. Refer to [Second Generation Intel? Xeon? Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/338848) for details.
- Update for functional issues. Refer to [Intel? Xeon? Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/613537) for details.
- Update for functional issues. Refer to [Intel? Xeon? Processor E5 v3 Product Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html?wapkw=processor+spec+update+e5) for details.
- Update for functional issues. Refer to [10th Gen Intel? Core™ Processor Families Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/10th-gen-core-families-specification-update.html) for details.
- Update for functional issues. Refer to [8th and 9th Gen Intel? Core™ Processor Family Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/8th-gen-core-spec-update.html) for details.
- Update for functional issues. Refer to [7th Gen and 8th Gen (U Quad-Core) Intel? Processor Families Specification Update](https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-spec-update.html) for details.
- Update for functional issues. Refer to [6th Gen Intel? Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/332689) for details.
- Update for functional issues. Refer to [Intel? Xeon? E3-1200 v6 Processor Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v6-spec-update.html) for details.
- Update for functional issues. Refer to [Intel? Xeon? E-2100 and E-2200 Processor Family Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-e-2100-specification-update.html) for details.
### New Platforms
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| CPX-SP | A1 | 06-55-0b/bf | | 0700001e | Xeon Scalable Gen3
| LKF | B2/B3 | 06-8a-01/10 | | 00000028 | Core w/Hybrid Technology
| TGL | B1 | 06-8c-01/80 | | 00000068 | Core Gen11 Mobile
| CML-H | R1 | 06-a5-02/20 | | 000000e0 | Core Gen10 Mobile
| CML-S62 | G1 | 06-a5-03/22 | | 000000e0 | Core Gen10
| CML-S102 | Q0 | 06-a5-05/22 | | 000000e0 | Core Gen10
| CML-U62 V2 | K0 | 06-a6-01/80 | | 000000e0 | Core Gen10 Mobile
### Updated Platforms
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| SKL-U23e | K1 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| SKX-SP | B1 | 06-55-03/97 | 01000157 | 01000159 | Xeon Scalable
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable
| SKX-D | M1 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon D-21xx
| CLX-SP | B0 | 06-55-06/bf | 04002f01 | 04003003 | Xeon Scalable Gen2
| CLX-SP | B1 | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2
| APL | D0 | 06-5c-09/03 | 00000038 | 00000040 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
| APL | E0 | 06-5c-0a/03 | 00000016 | 0000001e | Atom x5-E39xx
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000d6 | 000000e2 | Core Gen6; Xeon E3 v5
| GKL-R | R0 | 06-7a-08/01 | 00000016 | 00000018 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| ICL-U/Y | D1 | 06-7e-05/80 | 00000078 | 000000a0 | Core Gen10 Mobile
| AML-Y22 | H0 | 06-8e-09/10 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000d6 | 000000e0 | Core Gen8 Mobile
| WHL-U | W0 | 06-8e-0b/d0 | 000000d6 | 000000de | Core Gen8 Mobile
| AML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| CML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| WHL-U | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000d6 | 000000de | Core Gen7; Xeon E3 v6
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000d6 | 000000de | Core Gen8 Desktop, Mobile, Xeon E
| CFL-S | B0 | 06-9e-0b/02 | 000000d6 | 000000de | Core Gen8
| CFL-H/S | P0 | 06-9e-0c/22 | 000000d6 | 000000de | Core Gen9
| CFL-H | R0 | 06-9e-0d/22 | 000000d6 | 000000de | Core Gen9 Mobile
| CML-U62 | A0 | 06-a6-00/80 | 000000ca | 000000e0 | Core Gen10 Mobile
ModerateSUSE bug 1170446SUSE bug 1173592SUSE bug 1173594SUSE bug 1178971CVE-2020-8695 at SUSECVE-2020-8695 at NVDCVE-2020-8696 at SUSECVE-2020-8696 at NVDCVE-2020-8698 at SUSECVE-2020-8698 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for bluez (Important)SUSE OpenStack Cloud Crowbar 8
This update for bluez fixes the following issues:
- CVE-2020-0556: Fixed improper access control which may lead to escalation of privilege and denial of service by an unauthenticated user (bsc#1166751).
ImportantSUSE bug 1166751CVE-2020-0556 at SUSECVE-2020-0556 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.5.0 ESR (bsc#1178824)
* CVE-2020-26951: Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code
* CVE-2020-16012: Variable time processing of cross-origin images during drawImage calls
* CVE-2020-26953: Fullscreen could be enabled without displaying the security UI
* CVE-2020-26956: XSS through paste (manual and clipboard API)
* CVE-2020-26958: Requests intercepted through ServiceWorkers lacked MIME type restrictions
* CVE-2020-26959: Use-after-free in WebRequestService
* CVE-2020-26960: Potential use-after-free in uses of nsTArray
* CVE-2020-15999: Heap buffer overflow in freetype
* CVE-2020-26961: DoH did not filter IPv4 mapped IP Addresses
* CVE-2020-26965: Software keyboards may have remembered typed passwords
* CVE-2020-26966: Single-word search queries were also broadcast to local network
* CVE-2020-26968: Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5
ImportantSUSE bug 1178824CVE-2020-15999 at SUSECVE-2020-15999 at NVDCVE-2020-16012 at SUSECVE-2020-16012 at NVDCVE-2020-26951 at SUSECVE-2020-26951 at NVDCVE-2020-26953 at SUSECVE-2020-26953 at NVDCVE-2020-26956 at SUSECVE-2020-26956 at NVDCVE-2020-26958 at SUSECVE-2020-26958 at NVDCVE-2020-26959 at SUSECVE-2020-26959 at NVDCVE-2020-26960 at SUSECVE-2020-26960 at NVDCVE-2020-26961 at SUSECVE-2020-26961 at NVDCVE-2020-26965 at SUSECVE-2020-26965 at NVDCVE-2020-26966 at SUSECVE-2020-26966 at NVDCVE-2020-26968 at SUSECVE-2020-26968 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for LibVNCServer (Important)SUSE OpenStack Cloud Crowbar 8
This update for LibVNCServer fixes the following issues:
- CVE-2020-25708 [bsc#1178682], libvncserver/rfbserver.c has a divide by zero which could result in DoS
ImportantSUSE bug 1178682CVE-2020-25708 at SUSECVE-2020-25708 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for xorg-x11-server (Important)SUSE OpenStack Cloud Crowbar 8
This update for xorg-x11-server fixes the following issues:
- CVE-2020-25712: Fixed a heap-based buffer overflow which could have led to privilege escalation (bsc#1177596).
- CVE-2020-14360: Fixed an out of bounds memory accesses on too short request which could lead to denial of service (bsc#1174908).
ImportantSUSE bug 1174908SUSE bug 1177596CVE-2020-14360 at SUSECVE-2020-14360 at NVDCVE-2020-25712 at SUSECVE-2020-25712 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-setuptools (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-setuptools fixes the following issues:
- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)
ImportantSUSE bug 1176262CVE-2019-20916 at SUSECVE-2019-20916 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python3 (Important)SUSE OpenStack Cloud Crowbar 8
This update for python3 fixes the following issues:
- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)
ImportantSUSE bug 1176262CVE-2019-20916 at SUSECVE-2019-20916 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for gdm (Important)SUSE OpenStack Cloud Crowbar 8
This update for gdm fixes the following issues:
- CVE-2020-16125: Fixed a privilege escalation (bsc#1178150).
ImportantSUSE bug 1178150CVE-2020-16125 at SUSECVE-2020-16125 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-cryptography (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-cryptography fixes the following issues:
- CVE-2020-25659: Attempted to mitigate Bleichenbacher attacks on RSA decryption (bsc#1178168).
ModerateSUSE bug 1178168CVE-2020-25659 at SUSECVE-2020-25659 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for postgresql12 (Important)SUSE OpenStack Cloud Crowbar 8
This update for postgresql12 fixes the following issues:
Upgrade to version 12.5:
* CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and
materialized view queries.
* CVE-2020-25694, bsc#1178667:
a) Fix usage of complex connection-string parameters in pg_dump,
pg_restore, clusterdb, reindexdb, and vacuumdb.
b) When psql's \connect command re-uses connection parameters,
ensure that all non-overridden parameters from a previous
connection string are re-used.
* CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from
modifying specially-treated variables.
* Fix recently-added timetz test case so it works when the USA
is not observing daylight savings time.
(obsoletes postgresql-timetz.patch)
* https://www.postgresql.org/about/news/2111/
* https://www.postgresql.org/docs/12/release-12-5.html
The previous postgresql12 update already addressed:
Update to 12.4:
* CVE-2020-14349, bsc#1175193: Set a secure search_path in logical replication walsenders and apply workers
* CVE-2020-14350, bsc#1175194: Make contrib modules' installation scripts more secure.
* https://www.postgresql.org/docs/12/release-12-4.html
ImportantSUSE bug 1175193SUSE bug 1175194SUSE bug 1178666SUSE bug 1178667SUSE bug 1178668CVE-2020-14349 at SUSECVE-2020-14349 at NVDCVE-2020-14350 at SUSECVE-2020-14350 at NVDCVE-2020-25694 at SUSECVE-2020-25694 at NVDCVE-2020-25695 at SUSECVE-2020-25695 at NVDCVE-2020-25696 at SUSECVE-2020-25696 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for xen (Important)SUSE OpenStack Cloud Crowbar 8
This update for xen fixes the following issues:
- bsc#1178963 - stack corruption from XSA-346 change (XSA-355)
- bsc#1177409 - CVE-2020-27674: x86 PV guest INVLPG-like flushes may leave stale TLB entries (XSA-286)
- bsc#1177412 - CVE-2020-27672: Race condition in Xen mapping code (XSA-345)
- bsc#1177413 - CVE-2020-27671: undue deferral of IOMMU TLB flushes (XSA-346)
- bsc#1177414 - CVE-2020-27670: unsafe AMD IOMMU page table updates (XSA-347)
- bsc#1178591 - CVE-2020-28368: Intel RAPL sidechannel attack aka PLATYPUS attack aka XSA-351
ImportantSUSE bug 1177409SUSE bug 1177412SUSE bug 1177413SUSE bug 1177414SUSE bug 1178591SUSE bug 1178963CVE-2020-27670 at SUSECVE-2020-27670 at NVDCVE-2020-27671 at SUSECVE-2020-27671 at NVDCVE-2020-27672 at SUSECVE-2020-27672 at NVDCVE-2020-27674 at SUSECVE-2020-27674 at NVDCVE-2020-28368 at SUSECVE-2020-28368 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for mutt (Important)SUSE OpenStack Cloud Crowbar 8
This update for mutt fixes the following issues:
- Find and display the content of messages properly. (bsc#1179461)
- CVE-2020-28896: incomplete connection termination could send credentials over unencrypted connections. (bsc#1179035)
- Avoid that message with a million tiny parts can freeze MUA for several minutes. (bsc#1179113)
ImportantSUSE bug 1179035SUSE bug 1179113SUSE bug 1179461CVE-2020-28896 at SUSECVE-2020-28896 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for dbus-1 (Important)SUSE OpenStack Cloud Crowbar 8
This update for dbus-1 fixes the following issues:
Security issue fixed:
- CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which
could have allowed local attackers to bypass authentication (bsc#1137832).
ImportantSUSE bug 1137832CVE-2019-12749 at SUSECVE-2019-12749 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openssl (Important)SUSE OpenStack Cloud Crowbar 8
This update for openssl fixes the following issues:
- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).
ImportantSUSE bug 1179491CVE-2020-1971 at SUSECVE-2020-1971 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python (Important)SUSE OpenStack Cloud Crowbar 8
This update for python fixes the following issues:
- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)
ImportantSUSE bug 1176262CVE-2019-20916 at SUSECVE-2019-20916 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 68.5.0 ESR
* CVE-2020-6796 (bmo#1610426)
Missing bounds check on shared memory read in the parent
process
* CVE-2020-6797 (bmo#1596668)
Extensions granted downloads.open permission could open
arbitrary applications on Mac OSX
* CVE-2020-6798 (bmo#1602944)
Incorrect parsing of template tag could result in JavaScript
injection
* CVE-2020-6799 (bmo#1606596)
Arbitrary code execution when opening pdf links from other
applications, when Firefox is configured as default pdf
reader
* CVE-2020-6800 (bmo#1595786, bmo#1596706, bmo#1598543,
bmo#1604851, bmo#1605777, bmo#1608580, bmo#1608785)
Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5
* Fixed: Fixed various issues opening files with spaces in
their path (bmo#1601905, bmo#1602726)
ImportantSUSE bug 1161799CVE-2020-6796 at SUSECVE-2020-6796 at NVDCVE-2020-6797 at SUSECVE-2020-6797 at NVDCVE-2020-6798 at SUSECVE-2020-6798 at NVDCVE-2020-6799 at SUSECVE-2020-6799 at NVDCVE-2020-6800 at SUSECVE-2020-6800 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Critical)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.6.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2020-55 (bsc#1180039)
* CVE-2020-16042 (bmo#1679003)
Operations on a BigInt could have caused uninitialized memory
to be exposed
* CVE-2020-26971 (bmo#1663466)
Heap buffer overflow in WebGL
* CVE-2020-26973 (bmo#1680084)
CSS Sanitizer performed incorrect sanitization
* CVE-2020-26974 (bmo#1681022)
Incorrect cast of StyleGenericFlexBasis resulted in a heap
use-after-free
* CVE-2020-26978 (bmo#1677047)
Internal network hosts could have been probed by a malicious
webpage
* CVE-2020-35111 (bmo#1657916)
The proxy.onRequest API did not catch view-source URLs
* CVE-2020-35112 (bmo#1661365)
Opening an extension-less download may have inadvertently
launched an executable instead
* CVE-2020-35113 (bmo#1664831, bmo#1673589)
Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6
CriticalSUSE bug 1180039CVE-2020-16042 at SUSECVE-2020-16042 at NVDCVE-2020-26971 at SUSECVE-2020-26971 at NVDCVE-2020-26973 at SUSECVE-2020-26973 at NVDCVE-2020-26974 at SUSECVE-2020-26974 at NVDCVE-2020-26978 at SUSECVE-2020-26978 at NVDCVE-2020-35111 at SUSECVE-2020-35111 at NVDCVE-2020-35112 at SUSECVE-2020-35112 at NVDCVE-2020-35113 at SUSECVE-2020-35113 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for clamav (Important)SUSE OpenStack Cloud Crowbar 8
This update for clamav fixes the following issues:
clamav was updated to 0.103.0 to implement jsc#ECO-3010 and bsc#1118459.
* clamd can now reload the signature database without blocking
scanning. This multi-threaded database reload improvement was made
possible thanks to a community effort.
- Non-blocking database reloads are now the default behavior. Some
systems that are more constrained on RAM may need to disable
non-blocking reloads as it will temporarily consume two times as
much memory. We added a new clamd config option
ConcurrentDatabaseReload, which may be set to no.
* Fix clamav-milter.service (requires clamd.service to run)
* bsc#1119353, clamav-fips.patch: Fix freshclam crash in FIPS mode.
* Partial sync with SLE15.
Update to version 0.102.4
Accumulated security fixes:
* CVE-2020-3350: Fix a vulnerability wherein a malicious user could
replace a scan target's directory with a symlink to another path
to trick clamscan, clamdscan, or clamonacc into removing or moving
a different file (eg. a critical system file). The issue would
affect users that use the --move or --remove options for clamscan,
clamdscan, and clamonacc. (bsc#1174255)
* CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing
module in ClamAV 0.102.3 that could cause a Denial-of-Service
(DoS) condition. Improper bounds checking results in an
out-of-bounds read which could cause a crash. The previous fix for
this CVE in 0.102.3 was incomplete. This fix correctly resolves
the issue.
* CVE-2020-3481: Fix a vulnerability in the EGG archive module in
ClamAV 0.102.0 - 0.102.3 could cause a Denial-of-Service (DoS)
condition. Improper error handling may result in a crash due to a
NULL pointer dereference. This vulnerability is mitigated for
those using the official ClamAV signature databases because the
file type signatures in daily.cvd will not enable the EGG archive
parser in versions affected by the vulnerability. (bsc#1174250)
* CVE-2020-3341: Fix a vulnerability in the PDF parsing module in
ClamAV 0.101 - 0.102.2 that could cause a Denial-of-Service (DoS)
condition. Improper size checking of a buffer used to initialize AES
decryption routines results in an out-of-bounds read which may cause
a crash. (bsc#1171981)
* CVE-2020-3123: A denial-of-service (DoS) condition may occur when
using the optional credit card data-loss-prevention (DLP) feature.
Improper bounds checking of an unsigned variable resulted in an
out-of-bounds read, which causes a crash.
* CVE-2019-15961: A Denial-of-Service (DoS) vulnerability may
occur when scanning a specially crafted email file as a result
of excessively long scan times. The issue is resolved by
implementing several maximums in parsing MIME messages and by
optimizing use of memory allocation. (bsc#1157763).
* CVE-2019-12900: An out of bounds write in the NSIS bzip2
(bsc#1149458)
* CVE-2019-12625: Introduce a configurable time limit to mitigate
zip bomb vulnerability completely. Default is 2 minutes,
configurable useing the clamscan --max-scantime and for clamd
using the MaxScanTime config option (bsc#1144504)
Update to version 0.101.3:
* ZIP bomb causes extreme CPU spikes (bsc#1144504)
Update to version 0.101.2 (bsc#1118459):
* Support for RAR v5 archive extraction.
* Incompatible changes to the arguments of cl_scandesc,
cl_scandesc_callback, and cl_scanmap_callback.
* Scanning options have been converted from a single flag
bit-field into a structure of multiple categorized flag
bit-fields.
* The CL_SCAN_HEURISTIC_ENCRYPTED scan option was replaced by
2 new scan options: CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE, and
CL_SCAN_HEURISTIC_ENCRYPTED_DOC
* Incompatible clamd.conf and command line interface changes.
* Heuristic Alerts' (aka 'Algorithmic Detection') options have
been changed to make the names more consistent. The original
options are deprecated in 0.101, and will be removed in a
future feature release.
* For details, see https://blog.clamav.net/2018/12/clamav-01010-has-been-released.html ImportantSUSE bug 1118459SUSE bug 1119353SUSE bug 1144504SUSE bug 1149458SUSE bug 1157763SUSE bug 1171981SUSE bug 1174250SUSE bug 1174255CVE-2019-12900 at SUSECVE-2019-12900 at NVDCVE-2019-15961 at SUSECVE-2019-15961 at NVDCVE-2020-3123 at SUSECVE-2020-3123 at NVDCVE-2020-3327 at SUSECVE-2020-3327 at NVDCVE-2020-3341 at SUSECVE-2020-3341 at NVDCVE-2020-3350 at SUSECVE-2020-3350 at NVDCVE-2020-3481 at SUSECVE-2020-3481 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for cyrus-sasl (Important)SUSE OpenStack Cloud Crowbar 8
This update for cyrus-sasl fixes the following issues:
- CVE-2019-19906: Fixed an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet (bsc#1159635).
ImportantSUSE bug 1159635CVE-2019-19906 at SUSECVE-2019-19906 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for gcc9 (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for gcc9 fixes the following issues:
The GNU Compiler Collection is shipped in version 9.
A detailed changelog on what changed in GCC 9 is available at https://gcc.gnu.org/gcc-9/changes.html
The compilers have been added to the SUSE Linux Enterprise Toolchain Module.
To use these compilers, install e.g. gcc9, gcc9-c++ and build with CC=gcc-9
CXX=g++-9 set.
For SUSE Linux Enterprise base products, the libstdc++6, libgcc_s1 and
other compiler libraries have been switched from their gcc8 variants to
their gcc9 variants.
Security issues fixed:
- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)
Non-security issues fixed:
- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)
ModerateSUSE bug 1114592SUSE bug 1135254SUSE bug 1141897SUSE bug 1142649SUSE bug 1142654SUSE bug 1148517SUSE bug 1149145CVE-2019-14250 at SUSECVE-2019-14250 at NVDCVE-2019-15847 at SUSECVE-2019-15847 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for xen (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for xen fixes the following issues:
- CVE-2020-29480: Fixed an issue which could have allowed leak of non-sensitive data to administrator guests (bsc#117949 XSA-115).
- CVE-2020-29481: Fixed an issue which could have allowd to new domains to inherit existing node permissions (bsc#1179498 XSA-322).
- CVE-2020-29483: Fixed an issue where guests could disturb domain cleanup (bsc#1179502 XSA-325).
- CVE-2020-29484: Fixed an issue where guests could crash xenstored via watchs (bsc#1179501 XSA-324).
- CVE-2020-29566: Fixed an undue recursion in x86 HVM context switch code (bsc#1179506 XSA-348).
- CVE-2020-29570: Fixed an issue where FIFO event channels control block related ordering (bsc#1179514 XSA-358).
- CVE-2020-29571: Fixed an issue where FIFO event channels control structure ordering (bsc#1179516 XSA-359).
- CVE-2020-29130: Fixed an out-of-bounds access while processing ARP packets (bsc#1179477).
- Fixed an issue where dump-core shows missing nr_pages during core (bsc#1176782).
- Multiple other bugs (bsc#1027519)
ModerateSUSE bug 1027519SUSE bug 1176782SUSE bug 1179477SUSE bug 1179496SUSE bug 1179498SUSE bug 1179501SUSE bug 1179502SUSE bug 1179506SUSE bug 1179514SUSE bug 1179516CVE-2020-29130 at SUSECVE-2020-29130 at NVDCVE-2020-29480 at SUSECVE-2020-29480 at NVDCVE-2020-29481 at SUSECVE-2020-29481 at NVDCVE-2020-29483 at SUSECVE-2020-29483 at NVDCVE-2020-29484 at SUSECVE-2020-29484 at NVDCVE-2020-29566 at SUSECVE-2020-29566 at NVDCVE-2020-29570 at SUSECVE-2020-29570 at NVDCVE-2020-29571 at SUSECVE-2020-29571 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for sudo (Important)SUSE OpenStack Cloud Crowbar 8
This update for sudo fixes the following issues:
Security issue fixed:
- CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202).
Non-security issue fixed:
- Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675).
ImportantSUSE bug 1162202SUSE bug 1162675CVE-2019-18634 at SUSECVE-2019-18634 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for dnsmasq (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for dnsmasq fixes the following issues:
Security issue fixed:
- CVE-2019-14834: Fixed a memory leak which could have allowed to remote attackers
to cause denial of service via DHCP response creation (bsc#1154849)
Other issue addressed:
- Removed cache size limit (bsc#1138743).
ModerateSUSE bug 1138743SUSE bug 1154849CVE-2019-14834 at SUSECVE-2019-14834 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_7_1-ibm (Important)SUSE OpenStack Cloud Crowbar 8
This update for java-1_7_1-ibm fixes the following issues:
Java was updated to 7.1 Service Refresh 4 Fix Pack 60 [bsc#1162972, bsc#1160968].
Security issues fixed:
- CVE-2020-2583: Fixed a serialization vulnerability in BeanContextSupport (bsc#1162972).
- CVE-2020-2593: Fixed an incorrect check in isBuiltinStreamHandler, causing URL normalization issues (bsc#1162972).
- CVE-2020-2604: Fixed a serialization issue in jdk.serialFilter (bsc#1162972).
- CVE-2020-2659: Fixed the incomplete enforcement of the maxDatagramSockets limit in DatagramChannelImpl (bsc#1162972).
Non-security issues fixed:
* Class Libraries:
IJ22333 HANG IN JAVA_JAVA_NET_SOCKETINPUTSTREAM_SOCKETREAD0 EVEN
WHEN TIMEOUT IS SET
IJ22350 JAVA 7 AND JAVA 8 NOT WORKING WELL WITH TRADITIONAL/SIMPLIFIED
CHINESE EDITION OF WINDOWS CLIENT SYSTEM
IJ22337 THE NAME OF THE REPUBLIC OF BELARUS IN THE RUSSIAN LOCALE
INCONSISTENT WITH CLDR
IJ22349 UPDATE TIMEZONE INFORMATION TO TZDATA2019C
* JIT Compiler:
IJ11368 JAVA JIT PPC: CRASH IN JIT COMPILED CODE ON PPC MACHINES
ImportantSUSE bug 1160968SUSE bug 1162972CVE-2020-2583 at SUSECVE-2020-2583 at NVDCVE-2020-2593 at SUSECVE-2020-2593 at NVDCVE-2020-2604 at SUSECVE-2020-2604 at NVDCVE-2020-2659 at SUSECVE-2020-2659 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libexif (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for libexif fixes the following issues:
- CVE-2019-9278: Fixed an integer overflow (bsc#1160770).
- CVE-2018-20030: Fixed a denial of service by endless recursion (bsc#1120943).
ModerateSUSE bug 1120943SUSE bug 1160770CVE-2018-20030 at SUSECVE-2018-20030 at NVDCVE-2019-9278 at SUSECVE-2019-9278 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openssl (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for openssl fixes the following issues:
Security issue fixed:
- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).
Non-security issue fixed:
- Fixed a crash in BN_copy (bsc#1160163).
ModerateSUSE bug 1117951SUSE bug 1158809SUSE bug 1160163CVE-2019-1551 at SUSECVE-2019-1551 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for nodejs6 (Important)SUSE OpenStack Cloud Crowbar 8
This update for nodejs6 fixes the following issues:
Security issues fixed:
- CVE-2019-15604: Fixed a remotely triggerable assertion in the TLS server via a crafted certificate string (CVE-2019-15604, bsc#1163104).
- CVE-2019-15605: Fixed an HTTP request smuggling vulnerability via malformed Transfer-Encoding header (CVE-2019-15605, bsc#1163102).
- CVE-2019-15606: Fixed the white space sanitation of HTTP headers (CVE-2019-15606, bsc#1163103).
ImportantSUSE bug 1163102SUSE bug 1163103SUSE bug 1163104CVE-2019-15604 at SUSECVE-2019-15604 at NVDCVE-2019-15605 at SUSECVE-2019-15605 at NVDCVE-2019-15606 at SUSECVE-2019-15606 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ppp (Important)SUSE OpenStack Cloud Crowbar 8
This update for ppp fixes the following security issue:
- CVE-2020-8597: Fixed a buffer overflow in the eap_request and eap_response functions (bsc#1162610).
ImportantSUSE bug 1162610CVE-2020-8597 at SUSECVE-2020-8597 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python3 (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python3 fixes the following issues:
Update to 3.4.10 (jsc#SLE-9427, bsc#1159208) from 3.4.6:
Security issues fixed:
- Update expat copy from 2.1.1 to 2.2.0 to fix the following issues:
CVE-2012-0876, CVE-2016-0718, CVE-2016-4472, CVE-2017-9233, CVE-2016-9063
- CVE-2017-1000158: Fix an integer overflow in thePyString_DecodeEscape function in stringobject.c, resulting in heap-based bufferoverflow (bsc#1068664).
ModerateSUSE bug 1068664SUSE bug 1159208SUSE bug 1159623CVE-2012-0876 at SUSECVE-2012-0876 at NVDCVE-2016-0718 at SUSECVE-2016-0718 at NVDCVE-2016-4472 at SUSECVE-2016-4472 at NVDCVE-2016-9063 at SUSECVE-2016-9063 at NVDCVE-2017-1000158 at SUSECVE-2017-1000158 at NVDCVE-2017-9233 at SUSECVE-2017-9233 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for mariadb (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for mariadb fixes the following issues:
Security issue fixed:
- CVE-2019-2974: Fixed Server Optimizer (bsc#1154162).
ModerateSUSE bug 1154162CVE-2019-2974 at SUSECVE-2019-2974 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_7_1-ibm (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for java-1_7_1-ibm fixes the following issues:
- Update to 7.1 Service Refresh 4 Fix Pack 55 [bsc#1158442, bsc#1154212]
* Security fixes:
CVE-2019-2933 CVE-2019-2945 CVE-2019-2962 CVE-2019-2964
CVE-2019-2978 CVE-2019-2983 CVE-2019-2989 CVE-2019-2992
CVE-2019-2999 CVE-2019-2973 CVE-2019-2981
ModerateSUSE bug 1154212SUSE bug 1158442CVE-2019-2933 at SUSECVE-2019-2933 at NVDCVE-2019-2945 at SUSECVE-2019-2945 at NVDCVE-2019-2962 at SUSECVE-2019-2962 at NVDCVE-2019-2964 at SUSECVE-2019-2964 at NVDCVE-2019-2973 at SUSECVE-2019-2973 at NVDCVE-2019-2978 at SUSECVE-2019-2978 at NVDCVE-2019-2981 at SUSECVE-2019-2981 at NVDCVE-2019-2983 at SUSECVE-2019-2983 at NVDCVE-2019-2989 at SUSECVE-2019-2989 at NVDCVE-2019-2992 at SUSECVE-2019-2992 at NVDCVE-2019-2999 at SUSECVE-2019-2999 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for mariadb (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for mariadb fixes the following issues:
MariaDB was updated to version 10.0.40-3 (bsc#1162388).
Security issues fixed:
- CVE-2020-2574: Fixed a difficult to exploit vulnerability that allowed an attacker to crash the client (bsc#1162388).
- CVE-2019-18901: Fixed an unsafe path handling behavior in mysql-systemd-helper (bsc#1160895).
ModerateSUSE bug 1077717SUSE bug 1160895SUSE bug 1160912SUSE bug 1162388CVE-2019-18901 at SUSECVE-2019-18901 at NVDCVE-2020-2574 at SUSECVE-2020-2574 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_8_0-ibm (Important)SUSE OpenStack Cloud Crowbar 8
This update for java-1_8_0-ibm fixes the following issues:
Java 8.0 was updated to Service Refresh 6 Fix Pack 5 (bsc#1162972, bsc#1160968)
- CVE-2020-2583: Unlink Set of LinkedHashSets
- CVE-2019-4732: Untrusted DLL search path vulnerability
- CVE-2020-2593: Normalize normalization for all
- CVE-2020-2604: Better serial filter handling
- CVE-2020-2659: Enhance datagram socket support
ImportantSUSE bug 1160968SUSE bug 1162972CVE-2019-4732 at SUSECVE-2019-4732 at NVDCVE-2020-2583 at SUSECVE-2020-2583 at NVDCVE-2020-2593 at SUSECVE-2020-2593 at NVDCVE-2020-2604 at SUSECVE-2020-2604 at NVDCVE-2020-2659 at SUSECVE-2020-2659 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for log4j (Important)SUSE OpenStack Cloud Crowbar 8
This update for log4j fixes the following issues:
- CVE-2019-17571: Fixed a remote code execution by deserialization of untrusted data in SocketServer (bsc#1159646).
ImportantSUSE bug 1159646CVE-2019-17571 at SUSECVE-2019-17571 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for permissions (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for permissions fixes the following issues:
Security issues fixed:
- CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922).
Non-security issues fixed:
- Fixed a regression where chkstat broke when /proc was not available (bsc#1160764, bsc#1160594).
- Fixed capability handling when doing multiple permission changes at once (bsc#1161779).
ModerateSUSE bug 1123886SUSE bug 1160594SUSE bug 1160764SUSE bug 1161779SUSE bug 1163922CVE-2020-8013 at SUSECVE-2020-8013 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer, python-jsonpatch, python-jsonpointer, python-scandir, python-PyYAML fixes the following issues:
python-cfn-lint was included as a new package in 0.21.4.
python-aws-sam-translator was updated to 1.11.0:
* Add ReservedConcurrentExecutions to globals
* Fix ElasticsearchHttpPostPolicy resource reference
* Support using AWS::Region in Ref and Sub
* Documentation and examples updates
* Add VersionDescription property to Serverless::Function
* Update ServerlessRepoReadWriteAccessPolicy
* Add additional template validation
Upgrade to 1.10.0:
* Add GSIs to DynamoDBReadPolicy and DynamoDBCrudPolicy
* Add DynamoDBReconfigurePolicy
* Add CostExplorerReadOnlyPolicy and OrganizationsListAccountsPolicy
* Add EKSDescribePolicy
* Add SESBulkTemplatedCrudPolicy
* Add FilterLogEventsPolicy
* Add SSMParameterReadPolicy
* Add SESEmailTemplateCrudPolicy
* Add s3:PutObjectAcl to S3CrudPolicy
* Add allow_credentials CORS option
* Add support for AccessLogSetting and CanarySetting Serverless::Api properties
* Add support for X-Ray in Serverless::Api
* Add support for MinimumCompressionSize in Serverless::Api
* Add Auth to Serverless::Api globals
* Remove trailing slashes from APIGW permissions
* Add SNS FilterPolicy and an example application
* Add Enabled property to Serverless::Function event sources
* Add support for PermissionsBoundary in Serverless::Function
* Fix boto3 client initialization
* Add PublicAccessBlockConfiguration property to S3 bucket resource
* Make PAY_PER_REQUEST default mode for Serverless::SimpleTable
* Add limited support for resolving intrinsics in Serverless::LayerVersion
* SAM now uses Flake8
* Add example application for S3 Events written in Go
* Updated several example applications
- Initial build
+ Version 1.9.0
- Add patch to drop compatible releases operator from setup.py,
required for SLES12 as the setuptools version is too old
+ ast_drop-compatible-releases-operator.patch
python-jsonschema was updated to 2.6.0:
* Improved performance on CPython by adding caching around ref resolution
Update to version 2.5.0:
* Improved performance on CPython by adding caching around ref
resolution (#203)
Update to version 2.4.0:
* Added a CLI (#134)
* Added absolute path and absolute schema path to errors (#120)
* Added ``relevance``
* Meta-schemas are now loaded via ``pkgutil``
* Added ``by_relevance`` and ``best_match`` (#91)
* Fixed ``format`` to allow adding formats for non-strings (#125)
* Fixed the ``uri`` format to reject URI references (#131)
- Install /usr/bin/jsonschema with update-alternatives support
python-nose2 was updated to 0.9.1:
* the prof plugin now uses cProfile instead of hotshot for profiling
* skipped tests now include the user's reason in junit XML's message field
* the prettyassert plugin mishandled multi-line function definitions
* Using a plugin's CLI flag when the plugin is already enabled via config
no longer errors
* nose2.plugins.prettyassert, enabled with --pretty-assert
* Cleanup code for EOLed python versions
* Dropped support for distutils.
* Result reporter respects failure status set by other plugins
* JUnit XML plugin now includes the skip reason in its output
Upgrade to 0.8.0:
List of changes is too long to show here, see
https://github.com/nose-devs/nose2/blob/master/docs/changelog.rst
changes between 0.6.5 and 0.8.0
Update to 0.7.0:
* Added parameterized_class feature, for parameterizing entire test
classes (many thanks to @TobyLL for their suggestions and help testing!)
* Fix DeprecationWarning on `inspect.getargs` (thanks @brettdh;
https://github.com/wolever/parameterized/issues/67)
* Make sure that `setUp` and `tearDown` methods work correctly (#40)
* Raise a ValueError when input is empty (thanks @danielbradburn;
https://github.com/wolever/parameterized/pull/48)
* Fix the order when number of cases exceeds 10 (thanks @ntflc;
https://github.com/wolever/parameterized/pull/49)
python-scandir was included in version 2.3.2.
python-requests was updated to version 2.20.1 (bsc#1111622)
* Fixed bug with unintended Authorization header stripping for
redirects using default ports (http/80, https/443).
* remove restriction for urllib3 < 1.24
Update to version 2.20.0:
* Bugfixes
+ Content-Type header parsing is now case-insensitive
(e.g. charset=utf8 v Charset=utf8).
+ Fixed exception leak where certain redirect urls would raise
uncaught urllib3 exceptions.
+ Requests removes Authorization header from requests redirected
from https to http on the same hostname. (CVE-2018-18074)
+ should_bypass_proxies now handles URIs without hostnames
(e.g. files).
* Dependencies
+ Requests now supports urllib3 v1.24.
* Deprecations
+ Requests has officially stopped support for Python 2.6.
Update to version 2.19.1:
* Fixed issue where status_codes.py’s init function failed trying
to append to a __doc__ value of None.
Update to version 2.19.0:
* Improvements
+ Warn about possible slowdown with cryptography version < 1.3.4
+ Check host in proxy URL, before forwarding request to adapter.
+ Maintain fragments properly across redirects. (RFC7231 7.1.2)
+ Removed use of cgi module to expedite library load time.
+ Added support for SHA-256 and SHA-512 digest auth algorithms.
+ Minor performance improvement to Request.content.
+ Migrate to using collections.abc for 3.7 compatibility.
* Bugfixes
+ Parsing empty Link headers with parse_header_links() no longer
return one bogus entry.
+ Fixed issue where loading the default certificate bundle from
a zip archive would raise an IOError.
+ Fixed issue with unexpected ImportError on windows system
which do not support winreg module.
+ DNS resolution in proxy bypass no longer includes the username
and password in the request. This also fixes the issue of DNS
queries failing on macOS.
+ Properly normalize adapter prefixes for url comparison.
+ Passing None as a file pointer to the files param no longer
raises an exception.
+ Calling copy on a RequestsCookieJar will now preserve the
cookie policy correctly.
* We now support idna v2.7 and urllib3 v1.23.
update to version 2.18.4:
* Improvements
+ Error messages for invalid headers now include the header name
for easier debugging
* Dependencies
+ We now support idna v2.6.
update to version 2.18.3:
* Improvements
+ Running $ python -m requests.help now includes the installed
version of idna.
* Bugfixes
+ Fixed issue where Requests would raise ConnectionError instead
of SSLError when encountering SSL problems when using urllib3
v1.22.
ModerateSUSE bug 1111622SUSE bug 1122668CVE-2018-18074 at SUSECVE-2018-18074 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for postgresql96 (Low)SUSE OpenStack Cloud Crowbar 8
This update for postgresql96 fixes the following issues:
PostgreSQL was updated to version 9.6.17.
Security issue fixed:
- CVE-2020-1720: Fixed a missing authorization check in the ALTER ... DEPENDS ON extension (bsc#1163985).
LowSUSE bug 1163985CVE-2020-1720 at SUSECVE-2020-1720 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_7_0-openjdk (Important)SUSE OpenStack Cloud Crowbar 8
This update for java-1_7_0-openjdk fixes the following issues:
Update java-1_7_0-openjdk to version jdk7u251 (January 2020 CPU, bsc#1160968):
- CVE-2020-2583: Unlink Set of LinkedHashSets
- CVE-2020-2590: Improve Kerberos interop capabilities
- CVE-2020-2593: Normalize normalization for all
- CVE-2020-2601: Better Ticket Granting Services
- CVE-2020-2604: Better serial filter handling
- CVE-2020-2659: Enhance datagram socket support
- CVE-2020-2654: Improve Object Identifier Processing
ImportantSUSE bug 1160968CVE-2020-2583 at SUSECVE-2020-2583 at NVDCVE-2020-2590 at SUSECVE-2020-2590 at NVDCVE-2020-2593 at SUSECVE-2020-2593 at NVDCVE-2020-2601 at SUSECVE-2020-2601 at NVDCVE-2020-2604 at SUSECVE-2020-2604 at NVDCVE-2020-2654 at SUSECVE-2020-2654 at NVDCVE-2020-2659 at SUSECVE-2020-2659 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ipmitool (Important)SUSE OpenStack Cloud Crowbar 8
This update for ipmitool fixes the following issues:
- CVE-2020-5208: Fixed multiple remote code executtion vulnerabilities (bsc#1163026).
- picmg discover messages are now DEBUG and not INFO messages (bsc#1085469).
ImportantSUSE bug 1085469SUSE bug 1163026CVE-2020-5208 at SUSECVE-2020-5208 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ardana-cinder, ardana-cobbler, ardana-designate, ardana-extensions-example, ardana-extensions-nsx, ardana-glance, ardana-heat, ardana-input-model, ardana-ironic, ardana-keystone, ardana-logging, ardana-monasca, ardana-monasca-transform, ardana-mq, ardana-neutron, ardana-nova, ardana-octavia, ardana-osconfig, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, keepalived, mariadb, openstack-cinder, openstack-dashboard, openstack-dashboard-theme-SUSE, openstack-heat, openstack-heat-templates, openstack-horizon-plugin-designate-ui, openstack-horizon-plugin-neutron-lbaas-ui, openstack-ironic, openstack-keystone, openstack-monasca-agent, openstack-neutron, openstack-neutron-gbp, openstack-neutron-vsphere, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, openstack-resource-agents, openstack-sahara, openstack-trove, python-cinderlm, python-congressclient, python-designateclient, python-ironic-lib, python-networking-cisco, python-osc-lib, python-oslo.context, python-oslo.rootwrap, python-oslo.serialization, python-oslo.service, python-stevedore, python-taskflow, rubygem-crowbar-client, rubygem-pumavenv-openstack-swift (Important)SUSE OpenStack Cloud Crowbar 8
This update for ardana-cinder, ardana-cobbler, ardana-designate, ardana-extensions-example, ardana-extensions-nsx, ardana-glance, ardana-heat, ardana-input-model, ardana-ironic, ardana-keystone, ardana-logging, ardana-monasca, ardana-monasca-transform, ardana-mq, ardana-neutron, ardana-nova, ardana-octavia, ardana-osconfig, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, keepalived, mariadb, openstack-cinder, openstack-dashboard, openstack-dashboard-theme-SUSE, openstack-heat, openstack-heat-templates, openstack-horizon-plugin-designate-ui, openstack-horizon-plugin-neutron-lbaas-ui, openstack-ironic, openstack-keystone, openstack-monasca-agent, openstack-neutron, openstack-neutron-gbp, openstack-neutron-vsphere, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, openstack-resource-agents, openstack-sahara, openstack-trove, python-cinderlm, python-congressclient, python-designateclient, python-ironic-lib, python-networking-cisco, python-osc-lib, python-oslo.context, python-oslo.rootwrap, python-oslo.serialization, python-oslo.service, python-stevedore, python-taskflow, rubygem-crowbar-client, rubygem-puma, venv-openstack-swift fixes the following issues:
Security issues fixed:
The update of rubygem-crowbar-client, rubygem-puma fixes the following security issues:
- CVE-2018-17954: Fixed an issue where crowbar was leaking the secret admin passwords to all nodes (bsc#1117080).
- CVE-2019-16770: Fixed a denial-of-service vulnerability that was exploitable by clients sending extraneous keepalive requests (bsc#1158675).
The update of mariadb to 10.2.29 fixes several security issues:
- CVE-2020-2574: Fixed a difficult to exploit vulnerability that allowed an attacker to crash the client (bsc#1162388).
- CVE-2019-18901: Fixed a difficult to exploit vulnerability that allowed an attacker to crash the client (bsc#1162388).
- CVE-2017-1002201: Fixed an issue where special characters did not escpae properly (bsc#1155089)
- CVE-2019-2737, CVE-2019-2739, CVE-2019-2740, CVE-2019-2758, CVE-2019-2805, CVE-2019-2938, CVE-2019-2974: Fixed an issue where could lead a remote attacker to cause denial of service (bsc#1156669)
Non-security issues fixed:
Changes in ardana-cinder:
- Update to version 8.0+git.1579279939.ee7da88:
* Add option to flatten snapshots when using SES (SOC-11054)
- Update to version 8.0+git.1571846011.1a2f62b:
* SCRD-4764 move v2.0 endpoints to v3 (SOC-9753)
Changes in ardana-cobbler:
- Update to version 8.0+git.1575037115.0326803:
* Set root device on SLES autoyast templates (SOC-7365)
Changes in ardana-designate:
- Update to version 8.0+git.1573597788.15b7984:
* Update gerrit location (SOC-9140)
Changes in ardana-extensions-example:
- Switch to new Gerrit Server
- Update to version 8.0+git.1534266307.db1ec28:
* SCPL-409 Fix .gitreview for stable/pike
Changes in ardana-extensions-nsx:
- Update to version 8.0+git.1567529036.a41a037:
* Update policy json templates for vmware-nsx (SOC-10254)
- Switch to new Gerrit Server
Changes in ardana-glance:
- Update to version 8.0+git.1571846045.ab9e3ea:
* SCRD-4764 move v2.0 endpoints to v3 (SOC-9753)
Changes in ardana-heat:
- Update to version 8.0+git.1571777596.14dce6a:
* SCRD-4764 remove V2.0 auth end points (SOC-9753)
Changes in ardana-input-model:
- Update to version 8.0+git.1582147997.b9ed134:
* Enable port security extension neutron (SOC-11027)
- Update to version 8.0+git.1573658751.38e822a:
* Move manila share to controller (SOC-10938)
Changes in ardana-ironic:
- Update to version 8.0+git.1571845225.006843d:
* SCRD-4764 remove V2.0 auth end points (SOC-9753)
Changes in ardana-keystone:
- Update to version 8.0+git.1573147067.09e3ea0:
* enable debug and insecure_debug on demand (SOC-10934)
Changes in ardana-logging:
- Update to version 8.0+git.1572452293.e65d714:
* use correct Keystone v3 params bsc#1117840 (SOC-9753)
Changes in ardana-monasca:
- Update to version 8.0+git.1572527728.9b34bdf:
* use correct Keystone v3 params bsc#1117840 (SOC-9753)
* SCRD-4764 remove V2.0 auth end points (SOC-9753)
Changes in ardana-monasca-transform:
- Update to version 8.0+git.1571845965.97714fb:
* SCRD-4764 remove V2.0 auth end points (SOC-9753)
Changes in ardana-mq:
- Update to version 8.0+git.1581024906.fbf0be3:
* Ensure HA queue sync wait fails (SOC-11083)
* Fix HA policy setting comments (SOC-10317, SOC-11082)
- Update to version 8.0+git.1580853688.4e72fc1:
* Set HA policy accordingly (SOC-10317, SOC-11082)
- Update to version 8.0+git.1579014733.a855e3a:
* Change the HA policy mirror (SOC-10317)
Changes in ardana-neutron:
- Update to version 8.0+git.1573050365.ff6fa06:
* Kill dhclient before restarting neutron-openvswitch-agent (SOC-9230)
- Update to version 8.0+git.1571846086.19cb7eb:
* SCRD-4764 move v2.0 endpoints to v3 (SOC-9753)
Changes in ardana-nova:
- Update to version 8.0+git.1571846125.584d988:
* SCRD-4764 remove V2.0 auth end points (SOC-9753)
Changes in ardana-octavia:
- Update to version 8.0+git.1575642049.1f321d0:
* Change event_streamer_driver to noop (bsc#1154235)
Changes in ardana-osconfig:
- Update to version 8.0+git.1581015942.2d21e63:
* Adjust 'fs.inotify.max_user_instances' to align with crowbar (bsc#1161351)
- Update to version 8.0+git.1580469528.0ac2a8b:
* Start OVS services before wicked service at boot (SOC-11067)
Changes in ardana-tempest:
- Update to version 8.0+git.1579261264.7dd213a:
* Create network resources needed by some heat tests (SOC-7028)
- Update to version 8.0+git.1573571182.8fa9823:
* Restrore designate test (SOC-9753)
- Update to version 8.0+git.1571846164.6279bc0:
* SCRD-4764 remove V2.0 auth end points (SOC-9753)
Changes in crowbar-core:
- Update to version 5.0+git.1582968668.1a55c77c5:
* Ignore CVE-2020-7595 in CI (bsc#1161517)
- Update to version 5.0+git.1582543433.f71d39544:
* Fix deployment queue display (SOC-10741)
- Update to version 5.0+git.1580209640.80f2ba3d9:
* network: start OVS before wickedd (SOC-11067)
- Update to version 5.0+git.1579705862.220974047:
* dns: add checks to designate migration (SOC-11047)
- Update to version 5.0+git.1579271614.eac1c490c:
* upgrade: Add the upgrade menu entry (SOC-11053)
* upgrade: Fix upgrade link (SOC-11053)
- Update to version 5.0+git.1578989446.a2d23b7e1:
* Do not log an error for a case that is correct (trivial)
- Update to version 5.0+git.1578472131.b88a31055:
* apache2: Restart after enabling SSL flag (SOC-11029)
- Update to version 5.0+git.1578295229.96952deab:
* Avoid nil crash when provisioner attributes are not set (bsc#1160048)
- Update to version 5.0+git.1578063264.d0223905b:
* Ignore CVE-2019-16770 (SOC-10999)
- Update to version 5.0+git.1576053049.a2f4c9820:
* upgrade: Remove DRBD specific code from the preparation parts (SOC-10985)
- Update to version 5.0+git.1575020613.fc167f4dc:
* List XEN nodes when failing precheck (trivial)
- Update to version 5.0+git.1574763025.0a6957f37:
* Disable installation repository (bsc#1152007)
* Disable automatic repo services (bsc#1152007)
* Designate: Don't add the admin node to the public network (SOC-10658)
- Update to version 5.0+git.1574715523.ee8e58f4b:
* upgrade: Check the result after commiting proposal (noref)
* upgrade: Do not try to disable services that might not exist (noref)
- Update to version 5.0+git.1574667034.76644f658:
* [upgrade] Remove existing upgrade directories from nodes (SOC-10956)
- Update to version 5.0+git.1574348992.88de970a6:
* [upgrade] Wait for keystone to be ready after start (bsc#1157206)
- Update to version 5.0+git.1574270784.294f0e830:
* upgrade: Ignore Cloud repository during repocheck (bsc#1152007)
- Update to version 5.0+git.1574165163.52870c62e:
* [upgrade] Call finalize_nodes_upgrade at the very end (bsc#1155942)
- Update to version 5.0+git.1574103089.1fbb5a51d:
* Ignore CVE-2019-13117 in CI builds (bsc#1157028)
* upgrade: Make the time before next upgrade configurable (SOC-10955)
* upgrade: Make sure cinder-volume is really stopped (bsc#1156305)
- Update to version 5.0+git.1573110008.449237f0d:
* Allow pacemaker remotes for upgrade (SOC-10133)
* upgrade: Precheck for unsaved proposals (SOC-10912)
- Update to version 5.0+git.1572880575.4a6efa3a1:
* upgrade: Add a precheck for XEN compute nodes presence (SOC-10495)
* upgrade: Reload repo config in repochecks (SOC-10718)
- Update to version 5.0+git.1572097431.519baa552:
* Ignore CVE-2017-1002201 in CI builds (bsc#1155089)
- Update to version 5.0+git.1571210032.8648ab99c:
* Revert 'Use block-migration when needed' (SOC-10133)
Changes in crowbar-ha:
- Update to version 5.0+git.1574286229.e0364c3:
* Drop g-haproxy location before group deletion (bsc#1156914)
Changes in crowbar-openstack:
- Update to version 5.0+git.1582911795.5081ef1da:
* designate: Mark as user managed (SOC-10233)
* Designate: make sure dns-server is active on a non-admin node (SOC-10636)
- Update to version 5.0+git.1580549331.ba1e1a0a3:
* [5.0] ec2-api: run keystone_register on cluster founder only (SOC-11079)
- Update to version 5.0+git.1579182968.f54cfa8f5:
* tempest: tempest run filters as templates (SOC-11052)
- Update to version 5.0+git.1578515319.fdab3a0b2:
* Install openstack client for neutron recipes (SOC-11039)
- Update to version 5.0+git.1576764142.8efe58655:
* Do not read data from barclamp that has not been saved (SOC-11028)
- Update to version 5.0+git.1576666547.b7a0b8814:
* Revert 'Octavia: Hide UI until complete (SOC-10550)'
- Update to version 5.0+git.1576250115.67b80cbca:
* [5.0] tempest: Update default image on schema (SOC-11023)
- Update to version 5.0+git.1576078873.ecc798ffe:
* neutron: Revert remove .openrc creation from neutron cookbooks (SOC-10378)
* keystone: Add OS_INTERFACE env var to .openrc (SOC-11006)
- Update to version 5.0+git.1574927541.694ac3863:
* designate: move keystone resource lookup to convergence (SOC-10887)
- Update to version 5.0+git.1574769056.07a7c373e:
* designate: declare all mdns servers as master on pool config (SOC-10952)
* designate: add support for SSL (SOC-10877)
* designate: change default configuration (SOC-10899)
- Update to version 5.0+git.1574421761.ace345683:
* Add tempest filter for designate (SOC-10288)
- Update to version 5.0+git.1574359417.113b616b2:
* horizon: install lbaas horizon dashboard (SOC-10883)
- Update to version 5.0+git.1572937880.ffb86e88b:
* Make sure the input file with ssh key exists (SOC-10133)
- Update to version 5.0+git.1571764038.ad48726d6:
* mysql: fix WSREP sync race (SOC-10717)
* mysql: stop service for mysql_install_db (SOC-10717)
* Do not use obsoleted --endpoint-type option with CLI
- Update to version 5.0+git.1571323259.7402ef5eb:
* [5.0] Tempest: blacklist test_volume_boot_pattern (SOC-10874)
- Update to version 5.0+git.1571241534.f4af21325:
* rabbitmq: fix migration 200 (SOC-10623)
* Fix Cloud 8 no-op migrations (SOC-10623)
* neutron-lbaas: remove loadbalancer/pool limit
* [5.0] Configurable timeout for Galera pre-sync
- Update to version 5.0+git.1571138324.edb9e8b56:
* horizon: tighten check for existence of monasca while deploying grafana
* monasca: improve detection if monasca-server is available
* monasca: install agent before run setup monitors in server
* Monasca: Handle node reinstall (jsc#SOC-10440, bsc#1148158 )
- Update to version 5.0+git.1570618886.06022a6ef:
* glance: Set barbican auth endpoint (bsc#1123191, SOC-10844)
* tempest: Add barbican run_filters from ardana (SOC-10844)
* Fix nova tempest tests (SOC-9298, SOC-10844)
- Update to version 5.0+git.1570505588.4bdc5aa6f:
* No rndc key if no public DNS server (SOC-10835)
Changes in crowbar-ui:
- Update to version 1.2.0+git.1575896697.a01a3a08:
* upgrade: Added missing error title
* travis: Stop testing against nodejs4
- Update to version 1.2.0+git.1572871359.50fc6087:
* Add title for XEN compute nodes precheck (SOC-10495)
Changes in keepalived:
- update to 2.0.19
- new BR pkgconfig(libnftnl) to fix nftables support
- add nftables to the BR
- added patch
* linux-4.15.patch
- add buildrequires for file-devel
- used in the checker to verify scripts
- enable json stats and config dump support
new BR: pkgconfig(json-c)
- enable http regexp support: new BR pcre2-devel
- disable dbus instance creation support as it is marked as
dangerous
- Add BFD build option to keepalived.spec rpm file
Issue #1114 identified that the keepalived.spec file was not being
generated to build BFD support even if keepalived had been
configured to support it.
- full changelog
https://keepalived.org/changelog.html
Changes in mariadb:
- update to 10.2.31 GA [bsc#1162388]
* Fixes for the following security vulnerabilities:
* 10.2.31: CVE-2020-2574
* 10.2.30: none
* release notes and changelog:
https://mariadb.com/kb/en/library/mariadb-10231-release-notes
https://mariadb.com/kb/en/library/mariadb-10231-changelog
https://mariadb.com/kb/en/library/mariadb-10230-release-notes
https://mariadb.com/kb/en/library/mariadb-10230-changelog
- refresh mariadb-10.1.12-deharcode-libdir.patch
- remove mariadb-10.2.29-bufferoverflowstrncat.patch (upstreamed)
- pack pam_user_map.so module in the /%{_lib}/security directory
and user_map.conf configuration file in the /etc/security directory
- fix race condition with mysql_upgrade_info status file by moving
it to the location owned by root (/var/lib/misc) CVE-2019-18901
[bsc#1160895]
- move .run-mysql_upgrade file from $datadir/.run-mysql_upgrade
to /var/lib/misc/.mariadb_run_upgrade so the mysql user can't
use it for a symlink attack [bsc#1160912]
- on BTRFS systems /var/lib/mysql is created as a subvolume with
755 permissions during the system installaion. Fix it to 700 as
mysql_install_db doesn't do it [bsc#1077717]
- add important options to mariadb.service and mariadb@.service
(ProtectSystem, ProtectHome and UMask) [bsc#1160878]
- mysql-systemd-helper: use systemd-tmpfiles instead of shell
script operations for a cleaner and safer creating of /run/mysql
[bsc#1160883]
- update to 10.2.29 GA
* Fixes for the following security vulnerabilities:
* 10.2.29: none
* 10.2.28: CVE-2019-2974, CVE-2019-2938
* 10.2.27: none
* 10.2.26: CVE-2019-2805, CVE-2019-2740, CVE-2019-2739,
CVE-2019-2737, CVE-2019-2758
* release notes and changelog:
https://mariadb.com/kb/en/library/mariadb-10229-release-notes
https://mariadb.com/kb/en/library/mariadb-10229-changelog
https://mariadb.com/kb/en/library/mariadb-10228-release-notes
https://mariadb.com/kb/en/library/mariadb-10228-changelog
https://mariadb.com/kb/en/library/mariadb-10227-release-notes
https://mariadb.com/kb/en/library/mariadb-10227-changelog
https://mariadb.com/kb/en/library/mariadb-10226-release-notes
https://mariadb.com/kb/en/library/mariadb-10226-changelog
- refresh
mariadb-10.0.15-logrotate-su.patch
mariadb-10.2.4-logrotate.patch
- add mariadb-10.2.29-bufferoverflowstrncat.patch to fix 'Statement
might be overflowing a buffer in strncat' error
- tracker bug [bsc#1156669]
- add main.gis_notembedded to the skipped tests (fails when latin1
is not set)
Changes in openstack-cinder:
- Update to version cinder-11.2.3.dev23:
* Fix handling of 'cinder\_encryption\_key\_id' image metadata
- Update to version cinder-11.2.3.dev21:
* Add retry to LVM deactivation
- Update to version cinder-11.2.3.dev19:
* Fix ceph: only close rbd image after snapshot iteration is finished
- Update to version cinder-11.2.3.dev17:
* Exclude disabled API versions from listing
Changes in openstack-cinder:
- Update to version cinder-11.2.3.dev23:
* Fix handling of 'cinder\_encryption\_key\_id' image metadata
- Update to version cinder-11.2.3.dev21:
* Add retry to LVM deactivation
- Update to version cinder-11.2.3.dev19:
* Fix ceph: only close rbd image after snapshot iteration is finished
- Update to version cinder-11.2.3.dev17:
* Exclude disabled API versions from listing
Changes in openstack-dashboard:
- Update to version horizon-12.0.5.dev2:
* Use python 2.7 as the default interpreter in tox
* OpenDev Migration Patch
12.0.4
Changes in openstack-dashboard-theme-SUSE:
- Update to version 2017.2+git.1573629528.6b21fa5:
* SCRD-7984 fixed help links
Changes in openstack-heat:
- Update to version heat-9.0.8.dev22:
* Do deepcopy when copying templates
- Update to version heat-9.0.8.dev21:
* Set stack.thread\_group\_mgr for cancel\_update
* Eliminate client race condition in convergence delete
* Delete snapshots using contemporary resources
- Update to version heat-9.0.8.dev15:
* Unskip StackSnapshotRestoreTest
- Update to version heat-9.0.8.dev14:
* Fix translate tenants in flavor
Changes in openstack-heat:
- Update to version heat-9.0.8.dev22:
* Do deepcopy when copying templates
- Update to version heat-9.0.8.dev21:
* Set stack.thread\_group\_mgr for cancel\_update
* Eliminate client race condition in convergence delete
* Delete snapshots using contemporary resources
- Update to version heat-9.0.8.dev15:
* Unskip StackSnapshotRestoreTest
- Update to version heat-9.0.8.dev14:
* Fix translate tenants in flavor
Changes in openstack-heat-templates:
- Update to version 0.0.0+git.1560033670.e3b5a52:
* Add example for running Zun container
* OpenDev Migration Patch
* Replace openstack.org git:// URLs with https://
* Remove docs, deprecated hooks, tests
* Update the bugs link to storyboard
* Use octavia resources for autoscaling example
* Fix the incorrect cirros default password
Changes in openstack-horizon-plugin-designate-ui:
- Update to version designate-dashboard-5.0.3.dev2:
* Fix list zones updated at same time
* OpenDev Migration Patch
5.0.2
Changes in openstack-horizon-plugin-neutron-lbaas-ui:
- Add _1481_project_ng_loadbalancersv2_panel.pyc file to package (SOC-10883)
The .pyc file needs to be removed when the package is uninstalled,
otherwise the panel will remain enabled in the dashboard and cause
errors.
Changes in openstack-ironic:
- Update to version ironic-9.1.8.dev8:
* Place upper bound on python-dracclient version
Changes in openstack-ironic:
- Update to version ironic-9.1.8.dev8:
* Place upper bound on python-dracclient version
Changes in openstack-keystone:
- Update to version keystone-12.0.4.dev5:
* Import LDAP job into project
Changes in openstack-keystone:
- Update to version keystone-12.0.4.dev5:
* Import LDAP job into project
Changes in openstack-monasca-agent:
- Added dependency:
* fdupes
* pwdutils and shadow-utils for useradd/groupadd
- added 0001-add-X.509-certificate-check-plugin.patch
Changes in openstack-neutron:
- Update to version neutron-11.0.9.dev60:
* Set DB retry for quota\_enforcement pecan\_wsgi hook
- Update to version neutron-11.0.9.dev58:
* don't clear skb mark when ovs is hw-offload enabled
- Update to version neutron-11.0.9.dev57:
* doc: add known limitation about attaching SR-IOV ports
- Update to version neutron-11.0.9.dev56:
* raise priority of dead vlan drop
- Update to version neutron-11.0.9.dev54:
* [Unit tests] Skip TestWSGIServer with IPv6 if no IPv6 enabled
- Update to version neutron-11.0.9.dev52:
* Initialize phys bridges before setup\_rpc
Changes in openstack-neutron:
- Update neutron-ha-tool to latest version:
* Add DHCP agent evacuation (SOC-11046)
- Update to version neutron-11.0.9.dev60:
* Set DB retry for quota\_enforcement pecan\_wsgi hook
- Update to version neutron-11.0.9.dev58:
* don't clear skb mark when ovs is hw-offload enabled
- neutron: Remove stop action from ovs-cleanup (bsc#1157482)
backport of https://review.opendev.org/#/c/695867/
- Update to version neutron-11.0.9.dev57:
* doc: add known limitation about attaching SR-IOV ports
- Update to version neutron-11.0.9.dev56:
* raise priority of dead vlan drop
- Update to version neutron-11.0.9.dev54:
* [Unit tests] Skip TestWSGIServer with IPv6 if no IPv6 enabled
- Update to version neutron-11.0.9.dev52:
* Initialize phys bridges before setup\_rpc
Changes in openstack-neutron-gbp:
- Update to version group-based-policy-7.3.1.dev72:
* Refactor static path code
- Update to version group-based-policy-7.3.1.dev71:
* Support named ip protocols for SecurityGroupRules
- Update to version group-based-policy-7.3.1.dev70:
* Allow both FIP and SNAT on a single port
- Update to version group-based-policy-7.3.1.dev69:
* Fix active-active AAP RPC query
- Update to version group-based-policy-7.3.1.dev67:
* [AIM] Add extra provided/consumed contracts to network extension
- Update to version group-based-policy-7.3.1.dev66:
* Active active AAP feature
- Update to version group-based-policy-7.3.1.dev64:
* Support cache option for legacy GBP driver
- Update to version group-based-policy-7.3.1.dev63:
* Fix host ID length in VM names table
- Update to version group-based-policy-7.3.1.dev62:
* Update\_proj\_descr in apic when project description is updated in os
- Update to version group-based-policy-7.3.1.dev61:
* Send port notifications when host\_route is getting updated
* Provide a control knob to use the internal EP interface
- Update to version group-based-policy-7.3.1.dev57:
* Fix pep8 failures seen on submitted patches
Changes in openstack-neutron-vsphere:
- Update to version networking-vsphere-2.0.1.dev133:
* Update to use Agent model from neutron.db.models
* Fix neutron-dvs-agent startup errors
* OpenDev Migration Patch
- Remove 0001-fix-dvs-agent-config.patch as changes
had been backported to stable/pike
- See https://review.opendev.org/#/c/682482
Changes in openstack-nova:
- Update to version nova-16.1.9.dev49:
* Use stable constraint for Tempest pinned stable branches
- Update to version nova-16.1.9.dev48:
* Avoid redundant initialize\_connection on source post live migration
* Error out interrupted builds
* Skip checking of target\_dev for vhostuser
* Functional reproduce for bug 1833581
* Prevent init\_host test to interfere with other tests
* Add functional test for resize crash compute restart revert
* Move restart\_compute\_service to a common place
* lxc: make use of filter python3 compatible
* cleanup evacuated instances not on hypervisor
* Delete resource providers for all nodes when deleting compute service
- Update to version nova-16.1.9.dev30:
* Explicitly fail if trying to attach SR-IOV port
* Stabilize unshelve notification sample tests
- Update to version nova-16.1.9.dev26:
* Fix listing deleted servers with a marker
* Add functional regression test for bug 1849409
- Update to version nova-16.1.9.dev22:
* Hook resource\_tracker to remove stale node information
- Update to version nova-16.1.9.dev20:
* Workaround missing RequestSpec.instance\_group.uuid
* Add regression recreate test for bug 1830747
- Update to version nova-16.1.9.dev16:
* Changing scheduler sync event from INFO to DEBUG
- Update to version nova-16.1.9.dev14:
* Only nil az during shelve offload
* Delete instance\_id\_mappings record in instance\_destroy
- Update to version nova-16.1.9.dev11:
* Revert 'openstack server create' to 'nova boot' in nova docs
* doc: fix and clarify --block-device usage in user docs
- Update to version nova-16.1.9.dev8:
* Functional reproduce for bug 1852207
Changes in openstack-nova:
- Update to version nova-16.1.9.dev49:
* Use stable constraint for Tempest pinned stable branches
- Update to version nova-16.1.9.dev48:
* Avoid redundant initialize\_connection on source post live migration
* Error out interrupted builds
* Skip checking of target\_dev for vhostuser
* Functional reproduce for bug 1833581
* Prevent init\_host test to interfere with other tests
* Add functional test for resize crash compute restart revert
* Move restart\_compute\_service to a common place
* lxc: make use of filter python3 compatible
* cleanup evacuated instances not on hypervisor
* Delete resource providers for all nodes when deleting compute service
- Update to version nova-16.1.9.dev30:
* Explicitly fail if trying to attach SR-IOV port
* Stabilize unshelve notification sample tests
- Update to version nova-16.1.9.dev26:
* Fix listing deleted servers with a marker
* Add functional regression test for bug 1849409
- Update to version nova-16.1.9.dev22:
* Hook resource\_tracker to remove stale node information
- Update to version nova-16.1.9.dev20:
* Workaround missing RequestSpec.instance\_group.uuid
* Add regression recreate test for bug 1830747
- Update to version nova-16.1.9.dev16:
* Changing scheduler sync event from INFO to DEBUG
- Update to version nova-16.1.9.dev14:
* Only nil az during shelve offload
* Delete instance\_id\_mappings record in instance\_destroy
- Update to version nova-16.1.9.dev11:
* Revert 'openstack server create' to 'nova boot' in nova docs
* doc: fix and clarify --block-device usage in user docs
- Update to version nova-16.1.9.dev8:
* Functional reproduce for bug 1852207
Changes in openstack-octavia:
- Update to version octavia-1.0.6.dev3:
* Fix urgent amphora two-way auth security bug
Changes in openstack-octavia-amphora-image:
- Update image to 0.1.2 to include udated keepalived 2.0.19
- Update image to 0.1.1 to include latest changes
- Add keepalived service
Changes in openstack-resource-agents:
- Update to version 1.0+git.1569436425.8b9c49f:
* Add a configurable delay to Nova Evacuate calls
* OpenDev Migration Patch
* NovaEvacuate: fix a syntax error
* NovaEvacuate: Support the new split-out IHA fence agents with backwards compatibility
* NovaEvacuate: Correctly handle stopped hypervisors
* neutron-ha-tool: do not replicate dhcp
* NovaCompute: Support parsing host option from /etc/nova/nova.conf.d
* NovaCompute: Use variable to avoid calling crudini a second time
* NovaEvacuate: Allow debug logging to be turned on easily
Changes in openstack-sahara:
- Update to version sahara-7.0.5.dev4:
* Run sahara-scenario using Python 3
* Enforce python 2 for documentation build
* Fix requirements(bandit)
* OpenDev Migration Patch
7.0.4
Changes in openstack-sahara:
- Update to version sahara-7.0.5.dev4:
* Run sahara-scenario using Python 3
* Enforce python 2 for documentation build
* Fix requirements (bandit)
* OpenDev Migration Patch
7.0.4
Changes in openstack-trove:
- Update to version trove-8.0.2.dev2:
* Add local bindep.txt
* OpenDev Migration Patch
8.0.1
Changes in openstack-trove:
- Update to version trove-8.0.2.dev2:
* Add local bindep.txt
* OpenDev Migration Patch
8.0.1
Changes in python-cinderlm:
- Update to version 0.0.2+git.1571845893.27f0b7b:
* SCRD-4764 remove V2.0 auth end points (SOC-9753)
Changes in python-congressclient:
- update to version 1.8.1
- Update .gitreview for stable/pike
- Update UPPER_CONSTRAINTS_FILE for stable/pike
- import zuul job settings from project-config
- Updated from global requirements
Changes in python-designateclient:
- update to version 2.7.1
- Update .gitreview for stable/pike
- Updated from global requirements
- import zuul job settings from project-config
- Update UPPER_CONSTRAINTS_FILE for stable/pike
- server-get/update show wrong values about 'id' and 'update_at'
Changes in python-ironic-lib:
- update to version 2.10.2
- Replace openstack.org git:// URLs with https://
- Make search for config drive partition case insensitive
- Revert 'Use dd conv=sparse when writing images to nodes'
- Check GPT table with sgdisk insread of partprobe
- Avoid tox_install.sh for constraints support
- Fix GPT bug with whole disk images
- import zuul job settings from project-config
Changes in python-networking-cisco:
- Update to version networking-cisco-6.1.1.dev65:
* Nexus: Add CA Bundle path to https doc
* Improve Nexus Ironic related doc and logs
* Upgrade release notes to include Tripleo/puppet
* Fix socket not closed errors in unit test logs
* Add release note about adding support for Rocky OpenStack
* Update publish-openstack-python-branch-tarball job
* Remove MultiConfigParser from SAF application
* More fixes for networking\_cisco rocky support
* Remove MultiConfigParser from the device manger config loader
* Ensure CFG agent is started after neutron config is written
* Removed older version of python added 3.5
* Begin process of supporting neutron Rocky
* Typo in tar command in doc install guide
* Add cisco providernet extension to Nexus doc
* Add missing policy to fix stable/queens unit tests
* Pin stestr version (1.1.0) for Mitaka
* Fix places in ucsm network driver using .ucsm instead of .ucsms
* Fix doc build under python3
* Fix mitaka bug with NeutronWorker missing parameter
* Eliminate 30 sec delay for Nexus replay thread
* Fix foreign key constraint violation while creating primary key with subnet\_id
* Put upper constraint on ncclient version to prevent breakages
* Improvements to the networking-cisco zuul jobs
* Remove deprecated host/interface map config
* Include device manager configuration file when starting config agent
* Fix pep8 and other tox environments locally
* Add rocky to CI
* Add bandit to tox and resolve Nexus SA errors
* Deprecate old ML2 Nexus/UCSM documentation file
* Secure Nexus https certificates by default
- Add tempest_plugin subpackage
Changes in python-osc-lib:
- update to version 1.7.1
- import zuul job settings from project-config
- Update UPPER_CONSTRAINTS_FILE for stable/pike
- Updated from global requirements
- Update .gitreview for stable/pike
- Avoid tox_install.sh for constraints support
Changes iython-oslo.context:
- update to version 2.17.2
- Fix sphinx-docs job for stable branch
- import zuul job settings from project-config
Changes in python-oslo.rootwrap:
- update to version 5.9.3
- Avoid tox_install.sh for constraints support
- Follow the new PTI for document build
- import zuul job settings from project-config
Changes in python-oslo.serialization:
- update to version 2.20.3
- import zuul job settings from project-config
- Fix sphinx-docs job for stable branch
Changes in python-oslo.service:
- update to version 1.25.2
- import zuul job settings from project-config
- Fix sphinx-docs job for stable branch
Changes in python-stevedore:
- update to version 1.25.2
- move doc requirements to doc/requirements.txt
- Use stable branch for upper-constraints
- remove duplicate sphinx dependency
- Avoid tox_install.sh for constraints support
- import zuul job settings from project-config
Changes in python-taskflow:
- update to version 2.14.2
- don't let tox_install.sh error if there is nothing to do
- import zuul job settings from project-config
- Updated from global requirements
- Use doc/requirements.txt
Changes in rubygem-crowbar-client:
- Update to 3.9.1
- Fix repocheck table output (SOC-10718)
- Enable restricted commands for Cloud8 (bsc#1117080, CVE-2018-17954)
Changes in rubygem-puma:
- Add CVE-2019-16770.patch (bsc#1158675, SOC-10999, CVE-2019-16770)
This patch fixes a DoS vulnerability a malicious client could use to
block a large amount of threads.
Changes in venv-openstack-swift:
- Fix lower version numver after inheriting the version from main
component (SCRD-8523)
- Revert: 'Inherit version number of venv from main component
(SCRD-8523)' as zypper reports the new version number as older
than what is released
- Inherit version number of venv from main component (SCRD-8523)
ImportantSUSE bug 1077717SUSE bug 1117080SUSE bug 1117840SUSE bug 1123191SUSE bug 1148158SUSE bug 1152007SUSE bug 1154235SUSE bug 1155089SUSE bug 1155942SUSE bug 1156305SUSE bug 1156669SUSE bug 1156914SUSE bug 1157028SUSE bug 1157206SUSE bug 1157482SUSE bug 1158675SUSE bug 1160048SUSE bug 1160878SUSE bug 1160883SUSE bug 1160895SUSE bug 1160912SUSE bug 1161351SUSE bug 1161517SUSE bug 1162388CVE-2017-1002201 at SUSECVE-2017-1002201 at NVDCVE-2018-17954 at SUSECVE-2018-17954 at NVDCVE-2019-13117 at SUSECVE-2019-13117 at NVDCVE-2019-16770 at SUSECVE-2019-16770 at NVDCVE-2019-18901 at SUSECVE-2019-18901 at NVDCVE-2019-2737 at SUSECVE-2019-2737 at NVDCVE-2019-2739 at SUSECVE-2019-2739 at NVDCVE-2019-2740 at SUSECVE-2019-2740 at NVDCVE-2019-2758 at SUSECVE-2019-2758 at NVDCVE-2019-2805 at SUSECVE-2019-2805 at NVDCVE-2019-2938 at SUSECVE-2019-2938 at NVDCVE-2019-2974 at SUSECVE-2019-2974 at NVDCVE-2020-2574 at SUSECVE-2020-2574 at NVDCVE-2020-7595 at SUSECVE-2020-7595 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openstack-manila (Important)SUSE OpenStack Cloud Crowbar 8
This update for openstack-manila fixes the following issues:
- CVE-2020-9543: Fixed an issue where other project users to view, update,
delete, or share resources that do not belong to them, due to a
context-free lookup of a UUID (bsc#1165643)
ImportantSUSE bug 1165643CVE-2020-9543 at SUSECVE-2020-9543 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for squid (Important)SUSE OpenStack Cloud Crowbar 8
This update for squid fixes the following issues:
- CVE-2019-12528: Fixed an information disclosure flaw in the FTP gateway (bsc#1162689).
- CVE-2019-12526: Fixed potential remote code execution during URN processing (bsc#1156326).
- CVE-2019-12523,CVE-2019-18676: Fixed multiple improper validations in URI processing (bsc#1156329).
- CVE-2019-18677: Fixed Cross-Site Request Forgery in HTTP Request processing (bsc#1156328).
- CVE-2019-18678: Fixed incorrect message parsing which could have led to HTTP request splitting issue (bsc#1156323).
- CVE-2019-18679: Fixed information disclosure when processing HTTP Digest Authentication (bsc#1156324).
- CVE-2020-8449: Fixed a buffer overflow when squid is acting as reverse-proxy (bsc#1162687).
- CVE-2020-8450: Fixed a buffer overflow when squid is acting as reverse-proxy (bsc#1162687).
- CVE-2020-8517: Fixed a buffer overflow in ext_lm_group_acl when processing NTLM Authentication credentials (bsc#1162691).
ImportantSUSE bug 1156323SUSE bug 1156324SUSE bug 1156326SUSE bug 1156328SUSE bug 1156329SUSE bug 1162687SUSE bug 1162689SUSE bug 1162691CVE-2019-12523 at SUSECVE-2019-12523 at NVDCVE-2019-12526 at SUSECVE-2019-12526 at NVDCVE-2019-12528 at SUSECVE-2019-12528 at NVDCVE-2019-18676 at SUSECVE-2019-18676 at NVDCVE-2019-18677 at SUSECVE-2019-18677 at NVDCVE-2019-18678 at SUSECVE-2019-18678 at NVDCVE-2019-18679 at SUSECVE-2019-18679 at NVDCVE-2020-8449 at SUSECVE-2020-8449 at NVDCVE-2020-8450 at SUSECVE-2020-8450 at NVDCVE-2020-8517 at SUSECVE-2020-8517 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 68.4.1 ESR
* Fixed: Security fix
MFSA 2020-03 (bsc#1160498)
* CVE-2019-17026 (bmo#1607443)
IonMonkey type confusion with StoreElementHole and
FallibleStoreElement
- Firefox Extended Support Release 68.4.0 ESR
* Fixed: Various security fixes
MFSA 2020-02 (bsc#1160305)
* CVE-2019-17015 (bmo#1599005)
Memory corruption in parent process during new content
process initialization on Windows
* CVE-2019-17016 (bmo#1599181)
Bypass of @namespace CSS sanitization during pasting
* CVE-2019-17017 (bmo#1603055)
Type Confusion in XPCVariant.cpp
* CVE-2019-17021 (bmo#1599008)
Heap address disclosure in parent process during content
process initialization on Windows
* CVE-2019-17022 (bmo#1602843)
CSS sanitization does not escape HTML tags
* CVE-2019-17024 (bmo#1507180, bmo#1595470, bmo#1598605,
bmo#1601826)
Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4
ImportantSUSE bug 1160305SUSE bug 1160498CVE-2019-17015 at SUSECVE-2019-17015 at NVDCVE-2019-17016 at SUSECVE-2019-17016 at NVDCVE-2019-17017 at SUSECVE-2019-17017 at NVDCVE-2019-17021 at SUSECVE-2019-17021 at NVDCVE-2019-17022 at SUSECVE-2019-17022 at NVDCVE-2019-17024 at SUSECVE-2019-17024 at NVDCVE-2019-17026 at SUSECVE-2019-17026 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for postgresql10 (Low)SUSE OpenStack Cloud Crowbar 8
This update for postgresql10 fixes the following issues:
PostgreSQL was updated to version 10.12.
Security issue fixed:
- CVE-2020-1720: Fixed a missing authorization check in the ALTER ... DEPENDS ON extension (bsc#1163985).
LowSUSE bug 1163985CVE-2020-1720 at SUSECVE-2020-1720 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
MozillaFirefox was updated to 68.6.0 ESR (MFSA 2020-09 bsc#1132665 bsc#1166238)
- CVE-2020-6805: Fixed a use-after-free when removing data about origins
- CVE-2020-6806: Fixed improper protections against state confusion
- CVE-2020-6807: Fixed a use-after-free in cubeb during stream destruction
- CVE-2020-6811: Fixed an issue where copy as cURL' feature did not fully
escape website-controlled data potentially leading to command injection
- CVE-2019-20503: Fixed out of bounds reads in sctp_load_addresses_from_init
- CVE-2020-6812: Fixed an issue where the names of AirPods with personally
identifiable information were exposed to websites with camera or microphone
permission
- CVE-2020-6814: Fixed multiple memory safety bugs
- Fixed an issue with minimizing a window (bsc#1132665).
ImportantSUSE bug 1132665SUSE bug 1166238CVE-2019-20503 at SUSECVE-2019-20503 at NVDCVE-2020-6805 at SUSECVE-2020-6805 at NVDCVE-2020-6806 at SUSECVE-2020-6806 at NVDCVE-2020-6807 at SUSECVE-2020-6807 at NVDCVE-2020-6811 at SUSECVE-2020-6811 at NVDCVE-2020-6812 at SUSECVE-2020-6812 at NVDCVE-2020-6814 at SUSECVE-2020-6814 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for tomcat (Important)SUSE OpenStack Cloud Crowbar 8
This update for tomcat fixes the following issues:
- CVE-2020-1938: Fixed a file contents disclosure vulnerability (bsc#1164692).
ImportantSUSE bug 1164692CVE-2020-1938 at SUSECVE-2020-1938 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Recommended update for python-botocore (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-boto3, python-botocore and python-futures fixes the following issues:
python-botocore was updated to 1.13.33:
- Fix for python3-botocore versioning issues between SLES12 SP3 Teradata and Public Cloud Module. (bsc#1129696)
- Remove the broken attempt to avoid using the bundled requests module provided by the source. (boo#1088310)
- Update to the latest SDK components. (bsc#1146853, bsc#1146854)
- Add support for urllib 1.25 for CVE-2019-9947. (boo#1136184)
- Fix implementing MD5 header injection into new operations if they are necessary and create default session configuration. (bsc#1118021, bsc#1118024, bsc#1118027)
- Add attribute 'ssl_context' to 'AWSHTTPSConnection'. (bsc#1095041)
python-boto3 was updated to 1.10.33.
python-futures also provides python2-futures in the python2 build.
ImportantSUSE bug 1069697SUSE bug 1075263SUSE bug 1088310SUSE bug 1095041SUSE bug 1118021SUSE bug 1118024SUSE bug 1118027SUSE bug 1129696SUSE bug 1136184SUSE bug 1146853SUSE bug 1146854CVE-2019-9947 at SUSECVE-2019-9947 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libzypp (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for libzypp fixes the following issues:
Security issue fixed:
- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).
ModerateSUSE bug 1158763CVE-2019-18900 at SUSECVE-2019-18900 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-cffi, python-cryptography (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-cffi, python-cryptography fixes the following issues:
Security issue fixed:
- CVE-2018-10903: Fixed GCM tag forgery via truncated tag in finalize_with_tag API (bsc#1101820).
Non-security issues fixed:
python-cffi was updated to 1.11.2 (bsc#1138748, jsc#ECO-1256, jsc#PM-1598):
- fixed a build failure on i586 (bsc#1111657)
- Salt was unable to highstate in snapshot 20171129 (bsc#1070737)
- Update pytest in spec to add c directory tests in addition to
testing directory.
- update to version 1.11.2:
* Fix Windows issue with managing the thread-state on CPython 3.0 to
3.5
- Update pytest in spec to add c directory tests in addition to
testing directory.
- Omit test_init_once_multithread tests as they rely on multiple
threads finishing in a given time. Returns sporadic pass/fail
within build.
- Update to 1.11.1:
* Fix tests, remove deprecated C API usage
* Fix (hack) for 3.6.0/3.6.1/3.6.2 giving incompatible binary
extensions (cpython issue #29943)
* Fix for 3.7.0a1+
- Update to 1.11.0:
* Support the modern standard types char16_t and char32_t. These
work like wchar_t: they represent one unicode character, or when
used as charN_t * or charN_t[] they represent a unicode string.
The difference with wchar_t is that they have a known, fixed
size. They should work at all places that used to work with
wchar_t (please report an issue if I missed something). Note
that with set_source(), you need to make sure that these types
are actually defined by the C source you provide (if used in
cdef()).
* Support the C99 types float _Complex and double _Complex. Note
that libffi doesn't support them, which means that in the ABI
mode you still cannot call C functions that take complex
numbers directly as arguments or return type.
* Fixed a rare race condition when creating multiple FFI instances
from multiple threads. (Note that you aren't meant to create
many FFI instances: in inline mode, you should write
ffi = cffi.FFI() at module level just after import cffi; and in
out-of-line mode you don't instantiate FFI explicitly at all.)
* Windows: using callbacks can be messy because the CFFI internal
error messages show up to stderr-but stderr goes nowhere in many
applications. This makes it particularly hard to get started
with the embedding mode. (Once you get started, you can at least
use @ffi.def_extern(onerror=...) and send the error logs where
it makes sense for your application, or record them in log
files, and so on.) So what is new in CFFI is that now, on
Windows CFFI will try to open a non-modal MessageBox (in addition
to sending raw messages to stderr). The MessageBox is only
visible if the process stays alive: typically, console
applications that crash close immediately, but that is also the
situation where stderr should be visible anyway.
* Progress on support for callbacks in NetBSD.
* Functions returning booleans would in some case still return 0
or 1 instead of False or True. Fixed.
* ffi.gc() now takes an optional third parameter, which gives an
estimate of the size (in bytes) of the object. So far, this is
only used by PyPy, to make the next GC occur more quickly
(issue #320). In the future, this might have an effect on
CPython too (provided the CPython issue 31105 is addressed).
* Add a note to the documentation: the ABI mode gives function
objects that are slower to call than the API mode does. For
some reason it is often thought to be faster. It is not!
- Update to 1.10.1:
* Fixed the line numbers reported in case of cdef() errors. Also,
I just noticed, but pycparser always supported the preprocessor
directive # 42 'foo.h' to mean 'from the next line, we're in
file foo.h starting from line 42';, which it puts in the error
messages.
- update to 1.10.0:
* Issue #295: use calloc() directly instead of PyObject_Malloc()+memset()
to handle ffi.new() with a default allocator. Speeds up ffi.new(large-array)
where most of the time you never touch most of the array.
* Some OS/X build fixes ('only with Xcode but without CLT';).
* Improve a couple of error messages: when getting mismatched versions of
cffi and its backend; and when calling functions which cannot be called with
libffi because an argument is a struct that is 'too complicated'; (and not
a struct pointer, which always works).
* Add support for some unusual compilers (non-msvc, non-gcc, non-icc, non-clang)
* Implemented the remaining cases for ffi.from_buffer. Now all
buffer/memoryview objects can be passed. The one remaining check is against
passing unicode strings in Python 2. (They support the buffer interface, but
that gives the raw bytes behind the UTF16/UCS4 storage, which is most of the
times not what you expect. In Python 3 this has been fixed and the unicode
strings don't support the memoryview interface any more.)
* The C type _Bool or bool now converts to a Python boolean when reading,
instead of the content of the byte as an integer. The potential
incompatibility here is what occurs if the byte contains a value different
from 0 and 1. Previously, it would just return it; with this change, CFFI
raises an exception in this case. But this case means 'undefined behavior';
in C; if you really have to interface with a library relying on this,
don't use bool in the CFFI side. Also, it is still valid to use a byte
string as initializer for a bool[], but now it must only contain \x00 or
\x01. As an aside, ffi.string() no longer works on bool[] (but it never made
much sense, as this function stops at the first zero).
* ffi.buffer is now the name of cffi's buffer type, and ffi.buffer() works
like before but is the constructor of that type.
* ffi.addressof(lib, 'name') now works also in in-line mode, not only in
out-of-line mode. This is useful for taking the address of global variables.
* Issue #255: cdata objects of a primitive type (integers, floats, char) are
now compared and ordered by value. For example, <cdata 'int' 42> compares
equal to 42 and <cdata 'char' b'A'> compares equal to b'A'. Unlike C,
<cdata 'int' -1> does not compare equal to ffi.cast('unsigned int', -1): it
compares smaller, because -1 < 4294967295.
* PyPy: ffi.new() and ffi.new_allocator()() did not record 'memory pressure';,
causing the GC to run too infrequently if you call ffi.new() very often
and/or with large arrays. Fixed in PyPy 5.7.
* Support in ffi.cdef() for numeric expressions with + or -. Assumes that
there is no overflow; it should be fixed first before we add more general
support for arbitrary arithmetic on constants.
- do not generate HTML documentation for packages that are indirect
dependencies of Sphinx
(see docs at https://cffi.readthedocs.org/ )
- update to 1.9.1
- Structs with variable-sized arrays as their last field: now we track the
length of the array after ffi.new() is called, just like we always tracked
the length of ffi.new('int[]', 42). This lets us detect out-of-range
accesses to array items. This also lets us display a better repr(), and
have the total size returned by ffi.sizeof() and ffi.buffer(). Previously
both functions would return a result based on the size of the declared
structure type, with an assumed empty array. (Thanks andrew for starting
this refactoring.)
- Add support in cdef()/set_source() for unspecified-length arrays in
typedefs: typedef int foo_t[...];. It was already supported for global
variables or structure fields.
- I turned in v1.8 a warning from cffi/model.py into an error: 'enum xxx' has
no values explicitly defined: refusing to guess which integer type it is
meant to be (unsigned/signed, int/long). Now I'm turning it back to a
warning again; it seems that guessing that the enum has size int is a
99%-safe bet. (But not 100%, so it stays as a warning.)
- Fix leaks in the code handling FILE * arguments. In CPython 3 there is a
remaining issue that is hard to fix: if you pass a Python file object to a
FILE * argument, then os.dup() is used and the new file descriptor is only
closed when the GC reclaims the Python file object-and not at the earlier
time when you call close(), which only closes the original file descriptor.
If this is an issue, you should avoid this automatic convertion of Python
file objects: instead, explicitly manipulate file descriptors and call
fdopen() from C (...via cffi).
- When passing a void * argument to a function with a different pointer type,
or vice-versa, the cast occurs automatically, like in C. The same occurs
for initialization with ffi.new() and a few other places. However, I
thought that char * had the same property-but I was mistaken. In C you get
the usual warning if you try to give a char * to a char ** argument, for
example. Sorry about the confusion. This has been fixed in CFFI by giving
for now a warning, too. It will turn into an error in a future version.
- Issue #283: fixed ffi.new() on structures/unions with nested anonymous
structures/unions, when there is at least one union in the mix. When
initialized with a list or a dict, it should now behave more closely like
the { } syntax does in GCC.
- CPython 3.x: experimental: the generated C extension modules now use the
'limited API';, which means that, as a compiled .so/.dll, it should work
directly on any version of CPython >= 3.2. The name produced by distutils
is still version-specific. To get the version-independent name, you can
rename it manually to NAME.abi3.so, or use the very recent setuptools 26.
- Added ffi.compile(debug=...), similar to python setup.py build --debug but
defaulting to True if we are running a debugging version of Python itself.
- Removed the restriction that ffi.from_buffer() cannot be used on byte
strings. Now you can get a char * out of a byte string, which is valid as
long as the string object is kept alive. (But don't use it to modify the
string object! If you need this, use bytearray or other official
techniques.)
- PyPy 5.4 can now pass a byte string directly to a char * argument (in older
versions, a copy would be made). This used to be a CPython-only
optimization.
- ffi.gc(p, None) removes the destructor on an object previously created by
another call to ffi.gc()
- bool(ffi.cast('primitive type', x)) now returns False if the value is zero
(including -0.0), and True otherwise. Previously this would only return
False for cdata objects of a pointer type when the pointer is NULL.
- bytearrays: ffi.from_buffer(bytearray-object) is now supported. (The reason
it was not supported was that it was hard to do in PyPy, but it works since
PyPy 5.3.) To call a C function with a char * argument from a buffer
object-now including bytearrays-you write lib.foo(ffi.from_buffer(x)).
Additionally, this is now supported: p[0:length] = bytearray-object. The
problem with this was that a iterating over bytearrays gives numbers
instead of characters. (Now it is implemented with just a memcpy, of
course, not actually iterating over the characters.)
- C++: compiling the generated C code with C++ was supposed to work, but
failed if you make use the bool type (because that is rendered as the C
_Bool type, which doesn't exist in C++).
- help(lib) and help(lib.myfunc) now give useful information, as well as
dir(p) where p is a struct or pointer-to-struct.
- update for multipython build
- disable 'negative left shift' warning in test suite to prevent
failures with gcc6, until upstream fixes the undefined code
in question (bsc#981848)
- Update to version 1.6.0:
* ffi.list_types()
* ffi.unpack()
* extern 'Python+C';
* in API mode, lib.foo.__doc__ contains the C signature now.
* Yet another attempt at robustness of ffi.def_extern() against
CPython's interpreter shutdown logic.
- Update in SLE-12 (bsc#1138748, jsc#ECO-1256, jsc#PM-1598)
- Make this version of the package compatible with OpenSSL 1.1.1d, thus fixing bsc#1149792.
- bsc#1101820 CVE-2018-10903 GCM tag forgery via truncated tag in
finalize_with_tag API
- Add proper conditional for the python2, the ifpython works only
for the requires/etc
- add missing dependency on python ssl
- update to version 2.1.4:
* Added X509_up_ref for an upcoming pyOpenSSL release.
- update to version 2.1.3:
* Updated Windows, macOS, and manylinux1 wheels to be compiled with
OpenSSL 1.1.0g.
- update to version 2.1.2:
* Corrected a bug with the manylinux1 wheels where OpenSSL's stack
was marked executable.
- fix BuildRequires conditions for python3
- update to 2.1.1
- Fix cffi version requirement.
- Disable memleak tests to fix build with OpenSSL 1.1 (bsc#1055478)
- update to 2.0.3
- update to 2.0.2
- update to 2.0
- update to 1.9
- add python-packaging to requirements explicitly instead of relying
on setuptools to pull it in
- Switch to singlespec approach
- update to 1.8.1
- Adust Requires and BuildRequires ModerateSUSE bug 1055478SUSE bug 1070737SUSE bug 1101820SUSE bug 1111657SUSE bug 1138748SUSE bug 1149792SUSE bug 981848CVE-2018-10903 at SUSECVE-2018-10903 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for spamassassin (Important)SUSE OpenStack Cloud Crowbar 8
This update for spamassassin fixes the following issues:
- CVE-2018-11805: Fixed an issue with delimiter handling in rule files
related to is_regexp_valid() (bsc#1118987).
- CVE-2020-1930: Fixed an issue with rule configuration (.cf) files which
can be configured to run system commands (bsc#1162197).
- CVE-2020-1931: Fixed an issue with rule configuration (.cf) files which
can be configured to run system commands with warnings (bsc#1162200).
ImportantSUSE bug 1118987SUSE bug 1162197SUSE bug 1162200CVE-2018-11805 at SUSECVE-2018-11805 at NVDCVE-2020-1930 at SUSECVE-2020-1930 at NVDCVE-2020-1931 at SUSECVE-2020-1931 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python3 (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python3 fixes the following issue:
- CVE-2019-18348: Fixed a CRLF injection via the host part
of the url passed to urlopen(). Now an InvalidURL exception
is raised (bsc#1155094).
- CVE-2019-9674: Improved the documentation to reflect the
dangers of zip-bombs (bsc#1162825).
- CVE-2020-8492: Fixed a regular expression in urllib that
was prone to denial of service via HTTP (bsc#1162367).
- Fixed an issue with version missmatch (bsc#1162224).
- Rename idle icons to idle3 in order to not conflict with python2
variant of the package. (bsc#1165894)
ModerateSUSE bug 1155094SUSE bug 1162224SUSE bug 1162367SUSE bug 1162825SUSE bug 1165894CVE-2019-18348 at SUSECVE-2019-18348 at NVDCVE-2019-9674 at SUSECVE-2019-9674 at NVDCVE-2020-8492 at SUSECVE-2020-8492 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for mozilla-nspr, mozilla-nss (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.47.1:
Security issues fixed:
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527).
- CVE-2019-11727: Fixed vulnerability sign CertificateVerify with PKCS#1 v1.5 signatures issue (bsc#1141322).
mozilla-nspr was updated to version 4.23:
- Whitespace in C files was cleaned up and no longer uses tab characters for indenting.
ModerateSUSE bug 1141322SUSE bug 1158527SUSE bug 1159819CVE-2019-11745 at SUSECVE-2019-11745 at NVDCVE-2019-17006 at SUSECVE-2019-17006 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libxslt (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for libxslt fixes the following issue:
- CVE-2019-18197: Fixed a dangling pointer in xsltCopyText which may have led to information disclosure (bsc#1154609).
ModerateSUSE bug 1154609CVE-2019-18197 at SUSECVE-2019-18197 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
- Mozilla Firefox 68.6.1esr
MFSA 2020-11 (bsc#1168630)
* CVE-2020-6819 (bmo#1620818)
Use-after-free while running the nsDocShell destructor
* CVE-2020-6820 (bmo#1626728)
Use-after-free when handling a ReadableStream
ImportantSUSE bug 1168630CVE-2020-6819 at SUSECVE-2020-6819 at NVDCVE-2020-6820 at SUSECVE-2020-6820 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-actionview-4_2 (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-actionview-4_2 fixes the following issues:
- CVE-2020-5267: Fixed an XSS vulnerability in ActionView (bsc#1167240).
ModerateSUSE bug 1167240CVE-2020-5267 at SUSECVE-2020-5267 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox to version 68.7.0 ESR fixes the following issues:
- CVE-2020-6821: Uninitialized memory could be read when using the WebGL copyTexSubImage method (bsc#1168874).
- CVE-2020-6822: Fixed out of bounds write in GMPDecodeData when processing large images (bsc#1168874).
- CVE-2020-6825: Fixed Memory safety bugs (bsc#1168874).
- CVE-2020-6827: Custom Tabs could have the URI spoofed (bsc#1168874).
- CVE-2020-6828: Preference overwrite via crafted Intent (bsc#1168874).
ImportantSUSE bug 1168874CVE-2020-6821 at SUSECVE-2020-6821 at NVDCVE-2020-6822 at SUSECVE-2020-6822 at NVDCVE-2020-6825 at SUSECVE-2020-6825 at NVDCVE-2020-6827 at SUSECVE-2020-6827 at NVDCVE-2020-6828 at SUSECVE-2020-6828 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for git (Important)SUSE OpenStack Cloud Crowbar 8
This update for git fixes the following issues:
Security issue fixed:
- CVE-2020-5260: With a crafted URL that contains a newline in it, the credential
helper machinery can be fooled to give credential information for a wrong host (bsc#1168930).
Non-security issue fixed:
git was updated to 2.26.0 for SHA256 support (bsc#1167890, jsc#SLE-11608):
- the xinetd snippet was removed
- the System V init script for the git-daemon was replaced by a systemd
service file of the same name.
git 2.26.0:
* 'git rebase' now uses a different backend that is based on the
'merge' machinery by default. The 'rebase.backend' configuration
variable reverts to old behaviour when set to 'apply'
* Improved handling of sparse checkouts
* Improvements to many commands and internal features
git 2.25.1:
* 'git commit' now honors advise.statusHints
* various updates, bug fixes and documentation updates
git 2.25.0:
* The branch description ('git branch --edit-description') has been
used to fill the body of the cover letters by the format-patch
command; this has been enhanced so that the subject can also be
filled.
* A few commands learned to take the pathspec from the standard input
or a named file, instead of taking it as the command line
arguments, with the '--pathspec-from-file' option.
* Test updates to prepare for SHA-2 transition continues.
* Redo 'git name-rev' to avoid recursive calls.
* When all files from some subdirectory were renamed to the root
directory, the directory rename heuristics would fail to detect that
as a rename/merge of the subdirectory to the root directory, which has
been corrected.
* HTTP transport had possible allocator/deallocator mismatch, which
has been corrected.
git 2.24.1:
* CVE-2019-1348: The --export-marks option of fast-import is
exposed also via the in-stream command feature export-marks=...
and it allows overwriting arbitrary paths (bsc#1158785)
* CVE-2019-1349: on Windows, when submodules are cloned
recursively, under certain circumstances Git could be fooled
into using the same Git directory twice (bsc#1158787)
* CVE-2019-1350: Incorrect quoting of command-line arguments
allowed remote code execution during a recursive clone in
conjunction with SSH URLs (bsc#1158788)
* CVE-2019-1351: on Windows mistakes drive letters outside of
the US-English alphabet as relative paths (bsc#1158789)
* CVE-2019-1352: on Windows was unaware of NTFS Alternate Data
Streams (bsc#1158790)
* CVE-2019-1353: when run in the Windows Subsystem for Linux
while accessing a working directory on a regular Windows
drive, none of the NTFS protections were active (bsc#1158791)
* CVE-2019-1354: on Windows refuses to write tracked files with
filenames that contain backslashes (bsc#1158792)
* CVE-2019-1387: Recursive clones vulnerability that is caused
by too-lax validation of submodule names, allowing very
targeted attacks via remote code execution in recursive
clones (bsc#1158793)
* CVE-2019-19604: a recursive clone followed by a submodule
update could execute code contained within the repository
without the user explicitly having asked for that (bsc#1158795)
- Fix building with asciidoctor and without DocBook4 stylesheets.
git 2.24.0
* The command line parser learned '--end-of-options' notation.
* A mechanism to affect the default setting for a (related) group of
configuration variables is introduced.
* 'git fetch' learned '--set-upstream' option to help those who first
clone from their private fork they intend to push to, add the true
upstream via 'git remote add' and then 'git fetch' from it.
* fixes and improvements to UI, workflow and features, bash completion fixes
* part of it merged upstream
* the Makefile attempted to download some documentation, banned
git 2.23.0:
* The '--base' option of 'format-patch' computed the patch-ids for
prerequisite patches in an unstable way, which has been updated
to compute in a way that is compatible with 'git patch-id
--stable'.
* The 'git log' command by default behaves as if the --mailmap
option was given.
* fixes and improvements to UI, workflow and features
git 2.22.1:
* A relative pathname given to 'git init --template=<path> <repo>'
ought to be relative to the directory 'git init' gets invoked in,
but it instead was made relative to the repository, which has been
corrected.
* 'git worktree add' used to fail when another worktree connected to
the same repository was corrupt, which has been corrected.
* 'git am -i --resolved' segfaulted after trying to see a commit as
if it were a tree, which has been corrected.
* 'git merge --squash' is designed to update the working tree and the
index without creating the commit, and this cannot be countermanded
by adding the '--commit' option; the command now refuses to work
when both options are given.
* Update to Unicode 12.1 width table.
* 'git request-pull' learned to warn when the ref we ask them to pull
from in the local repository and in the published repository are
different.
* 'git fetch' into a lazy clone forgot to fetch base objects that are
necessary to complete delta in a thin packfile, which has been
corrected.
* The URL decoding code has been updated to avoid going past the end
of the string while parsing %-<hex>-<hex> sequence.
* 'git clean' silently skipped a path when it cannot lstat() it; now
it gives a warning.
* 'git rm' to resolve a conflicted path leaked an internal message
'needs merge' before actually removing the path, which was
confusing. This has been corrected.
* Many more bugfixes and code cleanups.
- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
firewalld, see [1].
[1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html
git 2.22.0:
* The filter specification '--filter=sparse:path=<path>' used to
create a lazy/partial clone has been removed. Using a blob that is
part of the project as sparse specification is still supported with
the '--filter=sparse:oid=<blob>' option
* 'git checkout --no-overlay' can be used to trigger a new mode of
checking out paths out of the tree-ish, that allows paths that
match the pathspec that are in the current index and working tree
and are not in the tree-ish.
* Four new configuration variables {author,committer}.{name,email}
have been introduced to override user.{name,email} in more specific
cases.
* 'git branch' learned a new subcommand '--show-current'.
* The command line completion (in contrib/) has been taught to
complete more subcommand parameters.
* The completion helper code now pays attention to repository-local
configuration (when available), which allows --list-cmds to honour
a repository specific setting of completion.commands, for example.
* The list of conflicted paths shown in the editor while concluding a
conflicted merge was shown above the scissors line when the
clean-up mode is set to 'scissors', even though it was commented
out just like the list of updated paths and other information to
help the user explain the merge better.
* 'git rebase' that was reimplemented in C did not set ORIG_HEAD
correctly, which has been corrected.
* 'git worktree add' used to do a 'find an available name with stat
and then mkdir', which is race-prone. This has been fixed by using
mkdir and reacting to EEXIST in a loop.
- update git-web AppArmor profile for bash and tar usrMerge (bsc#1132350)
git 2.21.0:
* Historically, the '-m' (mainline) option can only be used for 'git
cherry-pick' and 'git revert' when working with a merge commit.
This version of Git no longer warns or errors out when working with
a single-parent commit, as long as the argument to the '-m' option
is 1 (i.e. it has only one parent, and the request is to pick or
revert relative to that first parent). Scripts that relied on the
behaviour may get broken with this change.
* Small fixes and features for fast-export and fast-import.
* The 'http.version' configuration variable can be used with recent
enough versions of cURL library to force the version of HTTP used
to talk when fetching and pushing.
* 'git push $there $src:$dst' rejects when $dst is not a fully
qualified refname and it is not clear what the end user meant.
* Update 'git multimail' from the upstream.
* A new date format '--date=human' that morphs its output depending
on how far the time is from the current time has been introduced.
'--date=auto:human' can be used to use this new format (or any
existing format) when the output is going to the pager or to the
terminal, and otherwise the default format.
- Fix worktree creation race (bsc#1114225).
git 2.20.1:
* portability fixes
* 'git help -a' did not work well when an overly long alias was
defined
* no longer squelched an error message when the run_command API
failed to run a missing command
git 2.20.0:
* 'git help -a' now gives verbose output (same as 'git help -av').
Those who want the old output may say 'git help --no-verbose -a'..
* 'git send-email' learned to grab address-looking string on any
trailer whose name ends with '-by'.
* 'git format-patch' learned new '--interdiff' and '--range-diff'
options to explain the difference between this version and the
previous attempt in the cover letter (or after the three-dashes as
a comment).
* Developer builds now use -Wunused-function compilation option.
* Fix a bug in which the same path could be registered under multiple
worktree entries if the path was missing (for instance, was removed
manually). Also, as a convenience, expand the number of cases in
which --force is applicable.
* The overly large Documentation/config.txt file have been split into
million little pieces. This potentially allows each individual piece
to be included into the manual page of the command it affects more easily.
* Malformed or crafted data in packstream can make our code attempt
to read or write past the allocated buffer and abort, instead of
reporting an error, which has been fixed.
* Fix for a long-standing bug that leaves the index file corrupt when
it shrinks during a partial commit.
* 'git merge' and 'git pull' that merges into an unborn branch used
to completely ignore '--verify-signatures', which has been
corrected.
* ...and much more features and fixes
- fix CVE-2018-19486 (bsc#1117257)
git 2.19.2:
* various bug fixes for multiple subcommands and operations
git 2.19.1:
* CVE-2018-17456: Specially crafted .gitmodules files may have
allowed arbitrary code execution when the repository is cloned
with --recurse-submodules (bsc#1110949)
git 2.19.0:
* 'git diff' compares the index and the working tree. For paths
added with intent-to-add bit, the command shows the full contents
of them as added, but the paths themselves were not marked as new
files. They are now shown as new by default.
* 'git apply' learned the '--intent-to-add' option so that an
otherwise working-tree-only application of a patch will add new
paths to the index marked with the 'intent-to-add' bit.
* 'git grep' learned the '--column' option that gives not just the
line number but the column number of the hit.
* The '-l' option in 'git branch -l' is an unfortunate short-hand for
'--create-reflog', but many users, both old and new, somehow expect
it to be something else, perhaps '--list'. This step warns when '-l'
is used as a short-hand for '--create-reflog' and warns about the
future repurposing of the it when it is used.
* The userdiff pattern for .php has been updated.
* The content-transfer-encoding of the message 'git send-email' sends
out by default was 8bit, which can cause trouble when there is an
overlong line to bust RFC 5322/2822 limit. A new option 'auto' to
automatically switch to quoted-printable when there is such a line
in the payload has been introduced and is made the default.
* 'git checkout' and 'git worktree add' learned to honor
checkout.defaultRemote when auto-vivifying a local branch out of a
remote tracking branch in a repository with multiple remotes that
have tracking branches that share the same names.
(merge 8d7b558bae ab/checkout-default-remote later to maint).
* 'git grep' learned the '--only-matching' option.
* 'git rebase --rebase-merges' mode now handles octopus merges as
well.
* Add a server-side knob to skip commits in exponential/fibbonacci
stride in an attempt to cover wider swath of history with a smaller
number of iterations, potentially accepting a larger packfile
transfer, instead of going back one commit a time during common
ancestor discovery during the 'git fetch' transaction.
(merge 42cc7485a2 jt/fetch-negotiator-skipping later to maint).
* A new configuration variable core.usereplacerefs has been added,
primarily to help server installations that want to ignore the
replace mechanism altogether.
* Teach 'git tag -s' etc. a few configuration variables (gpg.format
that can be set to 'openpgp' or 'x509', and gpg.<format>.program
that is used to specify what program to use to deal with the format)
to allow x.509 certs with CMS via 'gpgsm' to be used instead of
openpgp via 'gnupg'.
* Many more strings are prepared for l10n.
* 'git p4 submit' learns to ask its own pre-submit hook if it should
continue with submitting.
* The test performed at the receiving end of 'git push' to prevent
bad objects from entering repository can be customized via
receive.fsck.* configuration variables; we now have gained a
counterpart to do the same on the 'git fetch' side, with
fetch.fsck.* configuration variables.
* 'git pull --rebase=interactive' learned 'i' as a short-hand for
'interactive'.
* 'git instaweb' has been adjusted to run better with newer Apache on
RedHat based distros.
* 'git range-diff' is a reimplementation of 'git tbdiff' that lets us
compare individual patches in two iterations of a topic.
* The sideband code learned to optionally paint selected keywords at
the beginning of incoming lines on the receiving end.
* 'git branch --list' learned to take the default sort order from the
'branch.sort' configuration variable, just like 'git tag --list'
pays attention to 'tag.sort'.
* 'git worktree' command learned '--quiet' option to make it less
verbose.
git 2.18.0:
* improvements to rename detection logic
* When built with more recent cURL, GIT_SSL_VERSION can now
specify 'tlsv1.3' as its value.
* 'git mergetools' learned talking to guiffy.
* various other workflow improvements and fixes
* performance improvements and other developer visible fixes
Update to git 2.16.4: security fix release
git 2.17.1:
* Submodule 'names' come from the untrusted .gitmodules file, but
we blindly append them to $GIT_DIR/modules to create our on-disk
repo paths. This means you can do bad things by putting '../'
into the name. We now enforce some rules for submodule names
which will cause Git to ignore these malicious names
(CVE-2018-11235, bsc#1095219)
* It was possible to trick the code that sanity-checks paths on
NTFS into reading random piece of memory
(CVE-2018-11233, bsc#1095218)
* Support on the server side to reject pushes to repositories
that attempt to create such problematic .gitmodules file etc.
as tracked contents, to help hosting sites protect their
customers by preventing malicious contents from spreading.
git 2.17.0:
* 'diff' family of commands learned '--find-object=<object-id>' option
to limit the findings to changes that involve the named object.
* 'git format-patch' learned to give 72-cols to diffstat, which is
consistent with other line length limits the subcommand uses for
its output meant for e-mails.
* The log from 'git daemon' can be redirected with a new option; one
relevant use case is to send the log to standard error (instead of
syslog) when running it from inetd.
* 'git rebase' learned to take '--allow-empty-message' option.
* 'git am' has learned the '--quit' option, in addition to the
existing '--abort' option; having the pair mirrors a few other
commands like 'rebase' and 'cherry-pick'.
* 'git worktree add' learned to run the post-checkout hook, just like
'git clone' runs it upon the initial checkout.
* 'git tag' learned an explicit '--edit' option that allows the
message given via '-m' and '-F' to be further edited.
* 'git fetch --prune-tags' may be used as a handy short-hand for
getting rid of stale tags that are locally held.
* The new '--show-current-patch' option gives an end-user facing way
to get the diff being applied when 'git rebase' (and 'git am')
stops with a conflict.
* 'git add -p' used to offer '/' (look for a matching hunk) as a
choice, even there was only one hunk, which has been corrected.
Also the single-key help is now given only for keys that are
enabled (e.g. help for '/' won't be shown when there is only one
hunk).
* Since Git 1.7.9, 'git merge' defaulted to --no-ff (i.e. even when
the side branch being merged is a descendant of the current commit,
create a merge commit instead of fast-forwarding) when merging a
tag object. This was appropriate default for integrators who pull
signed tags from their downstream contributors, but caused an
unnecessary merges when used by downstream contributors who
habitually 'catch up' their topic branches with tagged releases
from the upstream. Update 'git merge' to default to --no-ff only
when merging a tag object that does *not* sit at its usual place in
refs/tags/ hierarchy, and allow fast-forwarding otherwise, to
mitigate the problem.
* 'git status' can spend a lot of cycles to compute the relation
between the current branch and its upstream, which can now be
disabled with '--no-ahead-behind' option.
* 'git diff' and friends learned funcname patterns for Go language
source files.
* 'git send-email' learned '--reply-to=<address>' option.
* Funcname pattern used for C# now recognizes 'async' keyword.
* In a way similar to how 'git tag' learned to honor the pager
setting only in the list mode, 'git config' learned to ignore the
pager setting when it is used for setting values (i.e. when the
purpose of the operation is not to 'show').
- Use %license instead of %doc [bsc#1082318]
git 2.16.3:
* 'git status' after moving a path in the working tree (hence
making it appear 'removed') and then adding with the -N option
(hence making that appear 'added') detected it as a rename, but
did not report the old and new pathnames correctly.
* 'git commit --fixup' did not allow '-m<message>' option to be
used at the same time; allow it to annotate resulting commit
with more text.
* When resetting the working tree files recursively, the working
tree of submodules are now also reset to match.
* Fix for a commented-out code to adjust it to a rather old API
change around object ID.
* When there are too many changed paths, 'git diff' showed a
warning message but in the middle of a line.
* The http tracing code, often used to debug connection issues,
learned to redact potentially sensitive information from its
output so that it can be more safely sharable.
* Crash fix for a corner case where an error codepath tried to
unlock what it did not acquire lock on.
* The split-index mode had a few corner case bugs fixed.
* Assorted fixes to 'git daemon'.
* Completion of 'git merge -s<strategy>' (in contrib/) did not
work well in non-C locale.
* Workaround for segfault with more recent versions of SVN.
* Recently introduced leaks in fsck have been plugged.
* Travis CI integration now builds the executable in 'script'
phase to follow the established practice, rather than during
'before_script' phase. This allows the CI categorize the
failures better ('failed' is project's fault, 'errored' is
build environment's).
- Drop superfluous xinetd snippet, no longer used (bsc#1084460)
- Build with asciidoctor for the recent distros (bsc#1075764)
- Move %{?systemd_requires} to daemon subpackage
- Create subpackage for libsecret credential helper.
git 2.16.2:
* An old regression in 'git describe --all $annotated_tag^0' has
been fixed.
* 'git svn dcommit' did not take into account the fact that a
svn+ssh:// URL with a username@ (typically used for pushing)
refers to the same SVN repository without the username@ and
failed when svn.pushmergeinfo option is set.
* 'git merge -Xours/-Xtheirs' learned to use our/their version
when resolving a conflicting updates to a symbolic link.
* 'git clone $there $here' is allowed even when here directory
exists as long as it is an empty directory, but the command
incorrectly removed it upon a failure of the operation.
* 'git stash -- <pathspec>' incorrectly blew away untracked files
in the directory that matched the pathspec, which has been
corrected.
* 'git add -p' was taught to ignore local changes to submodules
as they do not interfere with the partial addition of regular
changes anyway.
git 2.16.1:
* 'git clone' segfaulted when cloning a project that happens to
track two paths that differ only in case on a case insensitive
filesystem
git 2.16.0 (CVE-2017-15298, bsc#1063412):
* See https://raw.github.com/git/git/master/Documentation/RelNotes/2.16.0.txt
git 2.15.1:
* fix 'auto' column output
* fixes to moved lines diffing
* documentation updates
* fix use of repositories immediately under the root directory
* improve usage of libsecret
* fixes to various error conditions in git commands
- Rewrite from sysv init to systemd unit file for git-daemon
(bsc#1069803)
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (bsc#1069468)
- split off p4 to a subpackage (bsc#1067502)
- Build with the external libsha1detectcoll (bsc#1042644)
git 2.15.0:
* Use of an empty string as a pathspec element that is used for
'everything matches' is still warned and Git asks users to use a
more explicit '.' for that instead. Removal scheduled for 2.16
* Git now avoids blindly falling back to '.git' when the setup
sequence said we are _not_ in Git repository (another corner
case removed)
* 'branch --set-upstream' was retired, deprecated since 1.8
* many other improvements and updates
git 2.14.3:
* git send-email understands more cc: formats
* fixes so gitk --bisect
* git commit-tree fixed to handle -F file alike
* Prevent segfault in 'git cat-file --textconv'
* Fix function header parsing for HTML
* Various small fixes to user commands and and internal functions
git 2.14.2:
* fixes to color output
* http.{sslkey,sslCert} now interpret '~[username]/' prefix
* fixes to walking of reflogs via 'log -g' and friends
* various fixes to output correctness
* 'git push --recurse-submodules $there HEAD:$target' is now
propagated down to the submodules
* 'git clone --recurse-submodules --quiet' c$how propagates quiet
option down to submodules.
* 'git svn --localtime' correctness fixes
* 'git grep -L' and 'git grep --quiet -L' now report same exit code
* fixes to 'git apply' when converting line endings
* Various Perl scripts did not use safe_pipe_capture() instead
of backticks, leaving them susceptible to end-user input.
CVE-2017-14867 bsc#1061041
* 'git cvsserver' no longer is invoked by 'git daemon' by
default
git 2.14.1 (bsc#1052481):
* Security fix for CVE-2017-1000117: A malicious third-party can
give a crafted 'ssh://...' URL to an unsuspecting victim, and
an attempt to visit the URL can result in any program that
exists on the victim's machine being executed. Such a URL could
be placed in the .gitmodules file of a malicious project, and
an unsuspecting victim could be tricked into running
'git clone --recurse-submodules' to trigger the vulnerability.
* A 'ssh://...' URL can result in a 'ssh' command line with a
hostname that begins with a dash '-', which would cause the
'ssh' command to instead (mis)treat it as an option. This is
now prevented by forbidding such a hostname (which should not
impact any real-world usage).
* Similarly, when GIT_PROXY_COMMAND is configured, the command
is run with host and port that are parsed out from 'ssh://...'
URL; a poorly written GIT_PROXY_COMMAND could be tricked into
treating a string that begins with a dash '-' as an option.
This is now prevented by forbidding such a hostname and port
number (again, which should not impact any real-world usage).
* In the same spirit, a repository name that begins with a dash
'-' is also forbidden now.
git 2.14.0:
* Use of an empty string as a pathspec element that is used for
'everything matches' is deprecated, use '.'
* Avoid blindly falling back to '.git' when the setup sequence
indicates operation not on a Git repository
* 'indent heuristics' are now the default.
* Builds with pcre2
* Many bug fixes, improvements and updates
git 2.13.4:
* Update the character width tables.
* Fix an alias that contained an uppercase letter
* Progress meter fixes
* git gc concurrency fixes
git 2.13.3:
* various internal bug fixes
* Fix a regression to 'git rebase -i'
* Correct unaligned 32-bit access in pack-bitmap code
* Tighten error checks for invalid 'git apply' input
* The split index code did not honor core.sharedrepository setting
correctly
* Fix 'git branch --list' handling of color.branch.local
git 2.13.2:
* 'collision detecting' SHA-1 update for platform fixes
* 'git checkout --recurse-submodules' did not quite work with a
submodule that itself has submodules.
* The 'run-command' API implementation has been made more robust
against dead-locking in a threaded environment.
* 'git clean -d' now only cleans ignored files with '-x'
* 'git status --ignored' did not list ignored and untracked files
without '-uall'
* 'git pull --rebase --autostash' didn't auto-stash when the local
history fast-forwards to the upstream.
* 'git describe --contains' gives as much weight to lightweight
tags as annotated tags
* Fix 'git stash push <pathspec>' from a subdirectory
git 2.13.1:
* Setting 'log.decorate=false' in the configuration file did not
take effect in v2.13, which has been corrected.
* corrections to documentation and command help output
* garbage collection fixes
* memory leaks fixed
* receive-pack now makes sure that the push certificate records
the same set of push options used for pushing
* shell completion corrections for git stash
* fix 'git clone --config var=val' with empty strings
* internal efficiency improvements
* Update sha1 collision detection code for big-endian platforms
and platforms not supporting unaligned fetches
- Fix packaging of documentation
git 2.13.0:
* empty string as a pathspec element for 'everything matches'
is still warned, for future removal.
* deprecated argument order 'git merge <msg> HEAD <commit>...'
was removed
* default location '~/.git-credential-cache/socket' for the
socket used to communicate with the credential-cache daemon
moved to '~/.cache/git/credential/socket'.
* now avoid blindly falling back to '.git' when the setup
sequence indicated otherwise
* many workflow features, improvements and bug fixes
* add a hardened implementation of SHA1 in response to practical
collision attacks (CVE-2005-4900, bsc#1042640)
* CVE-2017-8386: On a server running git-shell as login shell to
restrict user to git commands, remote users may have been able
to have git service programs spawn an interactive pager
and thus escape the shell restrictions. (bsc#1038395)
Changes in pcre2:
- Include the libraries, development and tools packages.
git uses only libpcre2-8 so far, but this allows further
application usage of pcre2.
ImportantSUSE bug 1167890SUSE bug 1168930CVE-2020-5260 at SUSECVE-2020-5260 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for fwupdate (Important)SUSE OpenStack Cloud Crowbar 8
This update for fwupdate fixes the following issues:
- Add SBAT section to EFI images (bsc#1182057)
ImportantSUSE bug 1182057cpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for spamassassin (Important)SUSE OpenStack Cloud Crowbar 8
This update for spamassassin fixes the following issues:
- spamassassin was updated to version 3.4.5
- CVE-2019-12420: memory leak via crafted messages (bsc#1159133)
- CVE-2020-1946: security update (bsc#1184221)
ImportantSUSE bug 1159133SUSE bug 1184221CVE-2019-12420 at SUSECVE-2019-12420 at NVDCVE-2020-1946 at SUSECVE-2020-1946 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-actionpack-4_2 (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-actionpack-4_2 fixes the following issues:
- CVE-2019-16782: Possible Information Leak / Session Hijack Vulnerability in Rack (bsc#1159548)
ModerateSUSE bug 1159548CVE-2019-16782 at SUSECVE-2019-16782 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for xorg-x11-server (Important)SUSE OpenStack Cloud Crowbar 8
This update for xorg-x11-server fixes the following issues:
- CVE-2021-3472: XChangeFeedbackControl Integer Underflow Privilege Escalation (bsc#1180128)
ImportantSUSE bug 1180128CVE-2021-3472 at SUSECVE-2021-3472 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for clamav (Important)SUSE OpenStack Cloud Crowbar 8
This update for clamav fixes the following issues:
- CVE-2021-1252: Fix for Excel XLM parser infinite loop. (bsc#1184532)
- CVE-2021-1404: Fix for PDF parser buffer over-read; possible crash. (bsc#1184533)
- CVE-2021-1405: Fix for mail parser NULL-dereference crash. (bsc#1184534)
- Fix errors when scanning files > 4G (bsc#1181256)
- Update clamav.keyring
- Update to 0.103.2
ImportantSUSE bug 1181256SUSE bug 1184532SUSE bug 1184533SUSE bug 1184534CVE-2021-1252 at SUSECVE-2021-1252 at NVDCVE-2021-1404 at SUSECVE-2021-1404 at NVDCVE-2021-1405 at SUSECVE-2021-1405 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for qemu (Important)SUSE OpenStack Cloud Crowbar 8
This update for qemu fixes the following issues:
- Fix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)
- Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383)
- Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)
- Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)
- Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)
- Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)
- Fix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174)
- Fix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916, bsc#1179468)
- Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)
- Fix null pointer deref. (DoS) in mmio ops (CVE-2020-15469, bsc#1173612)
- Fix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577)
- Fix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968)
- Fix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416)
- Fix OOB access in SLIRP ARP packet processing (CVE-2020-29130, bsc#1179467)
- Fix null pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386
- Fix OOB access in iscsi (CVE-2020-11947 bsc#1180523)
- Fix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)
- Fix buffer overflow in the XGMAC device (CVE-2020-15863, bsc#1174386)
- Fix DoS in packet processing of various emulated NICs (CVE-2020-16092 bsc#1174641)
- Fix OOB access while processing USB packets (CVE-2020-14364 bsc#1175441)
- Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425)
- Fix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137)
- Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384)
- Fix OOB access in ROM loading (CVE-2020-13765 bsc#1172478)
ImportantSUSE bug 1172383SUSE bug 1172384SUSE bug 1172385SUSE bug 1172386SUSE bug 1172478SUSE bug 1173612SUSE bug 1174386SUSE bug 1174641SUSE bug 1175441SUSE bug 1176673SUSE bug 1176682SUSE bug 1176684SUSE bug 1178174SUSE bug 1178934SUSE bug 1179467SUSE bug 1179468SUSE bug 1180523SUSE bug 1181108SUSE bug 1181639SUSE bug 1182137SUSE bug 1182425SUSE bug 1182577SUSE bug 1182968CVE-2020-11947 at SUSECVE-2020-11947 at NVDCVE-2020-12829 at SUSECVE-2020-12829 at NVDCVE-2020-13361 at SUSECVE-2020-13361 at NVDCVE-2020-13362 at SUSECVE-2020-13362 at NVDCVE-2020-13659 at SUSECVE-2020-13659 at NVDCVE-2020-13765 at SUSECVE-2020-13765 at NVDCVE-2020-14364 at SUSECVE-2020-14364 at NVDCVE-2020-15469 at SUSECVE-2020-15469 at NVDCVE-2020-15863 at SUSECVE-2020-15863 at NVDCVE-2020-16092 at SUSECVE-2020-16092 at NVDCVE-2020-25084 at SUSECVE-2020-25084 at NVDCVE-2020-25624 at SUSECVE-2020-25624 at NVDCVE-2020-25625 at SUSECVE-2020-25625 at NVDCVE-2020-25723 at SUSECVE-2020-25723 at NVDCVE-2020-27617 at SUSECVE-2020-27617 at NVDCVE-2020-28916 at SUSECVE-2020-28916 at NVDCVE-2020-29130 at SUSECVE-2020-29130 at NVDCVE-2020-29443 at SUSECVE-2020-29443 at NVDCVE-2021-20181 at SUSECVE-2021-20181 at NVDCVE-2021-20203 at SUSECVE-2021-20203 at NVDCVE-2021-20257 at SUSECVE-2021-20257 at NVDCVE-2021-3416 at SUSECVE-2021-3416 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for xen (Important)SUSE OpenStack Cloud Crowbar 8
This update for xen fixes the following issues:
- CVE-2021-20257: xen: infinite loop issue in the e1000 NIC emulator (bsc#1182846).
- CVE-2021-27379: Fixed an issue where entries in the IOMMU were not being updated
under certain circumstances due to improper backport of XSA-321 (XSA-366, bsc#1182431).
ImportantSUSE bug 1182431SUSE bug 1182846CVE-2021-20257 at SUSECVE-2021-20257 at NVDCVE-2021-27379 at SUSECVE-2021-27379 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for sudo (Important)SUSE OpenStack Cloud Crowbar 8
This update for sudo fixes the following issues:
- L3: Tenable Scan reports sudo is vulnerable to CVE-2021-3156 (bsc#1183936)
ImportantSUSE bug 1183936CVE-2021-3156 at SUSECVE-2021-3156 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
- Firefox was updated to 78.10.0 ESR (bsc#1184960)
* CVE-2021-23994: Out of bound write due to lazy initialization
* CVE-2021-23995: Use-after-free in Responsive Design Mode
* CVE-2021-23998: Secure Lock icon could have been spoofed
* CVE-2021-23961: More internal network hosts could have been probed by a malicious webpage
* CVE-2021-23999: Blob URLs may have been granted additional privileges
* CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an encoded URL
* CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead to null-reads
* CVE-2021-29946: Port blocking could be bypassed
ImportantSUSE bug 1184960CVE-2021-23961 at SUSECVE-2021-23961 at NVDCVE-2021-23994 at SUSECVE-2021-23994 at NVDCVE-2021-23995 at SUSECVE-2021-23995 at NVDCVE-2021-23998 at SUSECVE-2021-23998 at NVDCVE-2021-23999 at SUSECVE-2021-23999 at NVDCVE-2021-24002 at SUSECVE-2021-24002 at NVDCVE-2021-29945 at SUSECVE-2021-29945 at NVDCVE-2021-29946 at SUSECVE-2021-29946 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libnettle (Important)SUSE OpenStack Cloud Crowbar 8
This update for libnettle fixes the following issues:
- CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401, bsc#1183835).
ImportantSUSE bug 1183835SUSE bug 1184401CVE-2021-20305 at SUSECVE-2021-20305 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for gdm (Important)SUSE OpenStack Cloud Crowbar 8
This update for gdm fixes the following issues:
- Avoid the signal SIGTRAP when gdm exits (bsc#1184456).
ImportantSUSE bug 1184456cpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for tomcat (Important)SUSE OpenStack Cloud Crowbar 8
This update for tomcat fixes the following issues:
- CVE-2021-25329: Complete fix for CVE-2020-9484 (bsc#1182909)
ImportantSUSE bug 1182909CVE-2021-25329 at SUSECVE-2021-25329 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_7_0-openjdk (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for java-1_7_0-openjdk fixes the following issues:
- Update to 2.6.25 - OpenJDK 7u291 (January 2021 CPU, bsc#1181239)
* Security fixes
+ JDK-8247619: Improve Direct Buffering of Characters
* Import of OpenJDK 7 u291 build 1
+ JDK-8254177: (tz) Upgrade time-zone data to tzdata2020b
+ JDK-8254982: (tz) Upgrade time-zone data to tzdata2020c
+ JDK-8255226: (tz) Upgrade time-zone data to tzdata2020d
ModerateSUSE bug 1181239cpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for cups (Important)SUSE OpenStack Cloud Crowbar 8
This update for cups fixes the following issues:
- CVE-2021-25317: ownership of /var/log/cups could allow privilege escalation from lp user to root via symlink attacks (bsc#1184161)
ImportantSUSE bug 1184161CVE-2021-25317 at SUSECVE-2021-25317 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for bind (Important)SUSE OpenStack Cloud Crowbar 8
This update for bind fixes the following issues:
- CVE-2021-25214: Fixed a broken inbound incremental zone update (IXFR) which could have caused named to terminate unexpectedly (bsc#1185345).
- CVE-2021-25215: Fixed an assertion check which could have failed while answering queries for DNAME records that required the DNAME to be processed to resolve itself (bsc#1185345).
- CVE-2021-25216: Fixed an issue where policy negotiation can be targeted by a buffer overflow attack (bsc#1185345).
- MD5 warning message using host, dig, nslookup (bind-utils) with FIPS enabled (bsc#1181495).
ImportantSUSE bug 1181495SUSE bug 1185345CVE-2021-25214 at SUSECVE-2021-25214 at NVDCVE-2021-25215 at SUSECVE-2021-25215 at NVDCVE-2021-25216 at SUSECVE-2021-25216 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for samba (Important)SUSE OpenStack Cloud Crowbar 8
This update for samba fixes the following issues:
- CVE-2021-20254: Fixed a buffer overrun in sids_to_unixids() (bsc#1184677).
- Avoid free'ing our own pointer in memcache when memcache_trim attempts to reduce cache size (bsc#1179156).
- Adjust smbcacls '--propagate-inheritance' feature to align with upstream (bsc#1178469).
ImportantSUSE bug 1178469SUSE bug 1179156SUSE bug 1184677CVE-2021-20254 at SUSECVE-2021-20254 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for avahi (Important)SUSE OpenStack Cloud Crowbar 8
This update for avahi fixes the following issues:
- CVE-2021-3468: avoid infinite loop by handling HUP event in client_work (bsc#1184521).
ImportantSUSE bug 1184521CVE-2021-3468 at SUSECVE-2021-3468 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python3 (Important)SUSE OpenStack Cloud Crowbar 8
This update for python3 fixes the following issues:
Security issues fixed:
- CVE-2020-27619: where Lib/test/multibytecodec_support calls eval() on content retrieved via HTTP. (bsc#1178009)
Other fixes:
- Make sure to close the 'import_failed.map' file after the exception
has been raised in order to avoid ResourceWarnings when the
failing import is part of a try...except block
ImportantCVE-2020-27619 at SUSECVE-2020-27619 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud Crowbar 8
The SUSE Linux Enterprise 12 SP2 LTSS kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-36312: Fixed an issue in virt/kvm/kvm_main.c that had a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure (bnc#1184509).
- CVE-2021-29650: Fixed an issue inside the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).
- CVE-2020-27673: Fixed an issue in Xen where a guest OS users could have caused a denial of service (host OS hang) via a high rate of events to dom0 (bnc#1177411, bnc#1184583).
- CVE-2021-29154: Fixed BPF JIT compilers that allowed to execute arbitrary code within the kernel context (bnc#1184391).
- CVE-2020-25673: Fixed NFC endless loops caused by repeated llcp_sock_connect() (bsc#1178181).
- CVE-2020-25672: Fixed NFC memory leak in llcp_sock_connect() (bsc#1178181).
- CVE-2020-25671: Fixed NFC refcount leak in llcp_sock_connect() (bsc#1178181).
- CVE-2020-25670: Fixed NFC refcount leak in llcp_sock_bind() (bsc#1178181).
- CVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h where a 'stall on CPU' could have occured because a retry loop continually finds the same bad inode (bnc#1184194, bnc#1184211).
- CVE-2020-36322: Fixed an issue inside the FUSE filesystem implementation where fuse_do_getattr() calls make_bad_inode() in inappropriate situations, could have caused a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bnc#1184211).
- CVE-2021-30002: Fixed a memory leak issue when a webcam device exists (bnc#1184120).
- CVE-2021-3483: Fixed a use-after-free bug in nosy_ioctl() (bsc#1184393).
- CVE-2021-20219: Fixed a denial of service vulnerability in drivers/tty/n_tty.c of the Linux kernel. In this flaw a local attacker with a normal user privilege could have delayed the loop and cause a threat to the system availability (bnc#1184397).
- CVE-2021-29265: Fixed an issue in usbip_sockfd_store in drivers/usb/usbip/stub_dev.c that allowed attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status (bnc#1184167).
- CVE-2021-29264: Fixed an issue in drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver that allowed attackers to cause a system crash because a negative fragment size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is enabled (bnc#1184168).
- CVE-2021-28972: Fixed an issue in drivers/pci/hotplug/rpadlpar_sysfs.c where the RPA PCI Hotplug driver had a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and remove_slot_store mishandle drc_name '\0' termination (bnc#1184198).
- CVE-2021-28660: Fixed rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c that allowed writing beyond the end of the ssid array (bnc#1183593).
- CVE-2020-0433: Fixed blk_mq_queue_tag_busy_iter of blk-mq-tag.c, where a possible use after free due to improper locking could have happened. This could have led to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bnc#1176720).
- CVE-2021-28038: Fixed an issue with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931 (bnc#1183022, bnc#1183069).
- CVE-2021-27365: Fixed an issue inside the iSCSI data structures that does not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bnc#1182715).
- CVE-2021-27363: Fixed an issue with a kernel pointer leak that could have been used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables (bnc#1182716).
- CVE-2021-27364: Fixed an issue in drivers/scsi/scsi_transport_iscsi.c where an unprivileged user can craft Netlink messages (bnc#1182717).
- CVE-2020-1749: Fixed a flaw inside of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality (bnc#1165629).
The following non-security bugs were fixed:
- bluetooth: eliminate the potential race condition when removing the HCI controller (bsc#1184611).
- Btrfs: add missing extents release on file extent cluster relocation error (bsc#1159483).
- btrfs: change timing for qgroup reserved space for ordered extents to fix reserved space leak (bsc#1172247).
- btrfs: Cleanup try_flush_qgroup (bsc#1182047).
- btrfs: Do not flush from btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: drop unused parameter qgroup_reserved (bsc#1182261).
- btrfs: fix qgroup data rsv leak caused by falloc failure (bsc#1182261).
- btrfs: fix qgroup_free wrong num_bytes in btrfs_subvolume_reserve_metadata (bsc#1182261).
- btrfs: Free correct amount of space in btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: inode: move qgroup reserved space release to the callers of insert_reserved_file_extent() (bsc#1172247).
- btrfs: inode: refactor the parameters of insert_reserved_file_extent() (bsc#1172247).
- btrfs: make btrfs_ordered_extent naming consistent with btrfs_file_extent_item (bsc#1172247).
- btrfs: qgroup: allow to unreserve range without releasing other ranges (bsc#1120163).
- btrfs: qgroup: Always free PREALLOC META reserve in btrfs_delalloc_release_extents() (bsc#1155179).
- btrfs: qgroup: do not commit transaction when we already hold the handle (bsc#1178634).
- btrfs: qgroup: Do not hold qgroup_ioctl_lock in btrfs_qgroup_inherit() (bsc#1165823).
- btrfs: qgroup: do not try to wait flushing if we're already holding a transaction (bsc#1179575).
- btrfs: qgroup: Fix a bug that prevents qgroup to be re-enabled after disable (bsc#1172247).
- btrfs: qgroup: fix data leak caused by race between writeback and truncate (bsc#1172247).
- btrfs: qgroup: fix qgroup meta rsv leak for subvolume operations (bsc#1177856).
- btrfs: qgroup: Fix reserved data space leak if we have multiple reserve calls (bsc#1152975).
- btrfs: qgroup: Fix the wrong target io_tree when freeing reserved data space (bsc#1152974).
- btrfs: qgroup: fix wrong qgroup metadata reserve for delayed inode (bsc#1177855).
- btrfs: qgroup: mark qgroup inconsistent if we're inherting snapshot to a new qgroup (bsc#1165823).
- btrfs: qgroup: remove ASYNC_COMMIT mechanism in favor of reserve retry-after-EDQUOT (bsc#1120163).
- btrfs: qgroup: try to flush qgroup space when we get -EDQUOT (bsc#1120163).
- btrfs: remove unused parameter from btrfs_subvolume_release_metadata (bsc#1182261).
- btrfs: tracepoints: Fix bad entry members of qgroup events (bsc#1155186).
- btrfs: tracepoints: Fix wrong parameter order for qgroup events (bsc#1155184).
- ext4: check journal inode extents more carefully (bsc#1173485).
- ext4: do not allow overlapping system zones (bsc#1173485).
- ext4: handle error of ext4_setup_system_zone() on remount (bsc#1173485).
- hv_netvsc: remove ndo_poll_controller (bsc#1185248).
- KVM: Add proper lockdep assertion in I/O bus unregister (bsc#1185555).
- KVM: Destroy I/O bus devices on unregister failure _after_ sync'ing SRCU (bsc#1185556).
- KVM: Stop looking for coalesced MMIO zones if the bus is destroyed (bsc#1185557).
- xen-netback: respect gnttab_map_refs()'s return value (bsc#1183022 XSA-367).
- Xen/gnttab: handle p2m update errors on a per-slot basis (bsc#1183022 XSA-367).
ImportantSUSE bug 1120163SUSE bug 1152974SUSE bug 1152975SUSE bug 1155179SUSE bug 1155184SUSE bug 1155186SUSE bug 1159483SUSE bug 1165629SUSE bug 1165823SUSE bug 1172247SUSE bug 1173485SUSE bug 1176720SUSE bug 1177411SUSE bug 1177855SUSE bug 1177856SUSE bug 1178181SUSE bug 1178634SUSE bug 1179575SUSE bug 1182047SUSE bug 1182261SUSE bug 1182715SUSE bug 1182716SUSE bug 1182717SUSE bug 1183022SUSE bug 1183069SUSE bug 1183593SUSE bug 1184120SUSE bug 1184167SUSE bug 1184168SUSE bug 1184194SUSE bug 1184198SUSE bug 1184208SUSE bug 1184211SUSE bug 1184391SUSE bug 1184393SUSE bug 1184397SUSE bug 1184509SUSE bug 1184583SUSE bug 1184611SUSE bug 1185248SUSE bug 1185555SUSE bug 1185556SUSE bug 1185557CVE-2020-0433 at SUSECVE-2020-0433 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDCVE-2020-25670 at SUSECVE-2020-25670 at NVDCVE-2020-25671 at SUSECVE-2020-25671 at NVDCVE-2020-25672 at SUSECVE-2020-25672 at NVDCVE-2020-25673 at SUSECVE-2020-25673 at NVDCVE-2020-27673 at SUSECVE-2020-27673 at NVDCVE-2020-36312 at SUSECVE-2020-36312 at NVDCVE-2020-36322 at SUSECVE-2020-36322 at NVDCVE-2021-20219 at SUSECVE-2021-20219 at NVDCVE-2021-27363 at SUSECVE-2021-27363 at NVDCVE-2021-27364 at SUSECVE-2021-27364 at NVDCVE-2021-27365 at SUSECVE-2021-27365 at NVDCVE-2021-28038 at SUSECVE-2021-28038 at NVDCVE-2021-28660 at SUSECVE-2021-28660 at NVDCVE-2021-28950 at SUSECVE-2021-28950 at NVDCVE-2021-28972 at SUSECVE-2021-28972 at NVDCVE-2021-29154 at SUSECVE-2021-29154 at NVDCVE-2021-29264 at SUSECVE-2021-29264 at NVDCVE-2021-29265 at SUSECVE-2021-29265 at NVDCVE-2021-29650 at SUSECVE-2021-29650 at NVDCVE-2021-30002 at SUSECVE-2021-30002 at NVDCVE-2021-3483 at SUSECVE-2021-3483 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for djvulibre (Important)SUSE OpenStack Cloud Crowbar 8
This update for djvulibre fixes the following issues:
Security issues fixed:
- CVE-2021-32491 [bsc#1185900]: Integer overflow in function render() in tools/ddjvu via crafted djvu file
- CVE-2021-32492 [bsc#1185904]: Out of bounds read in function DJVU:DataPool:has_data() via crafted djvu file
- CVE-2021-32493 [bsc#1185905]: Heap buffer overflow in function DJVU:GBitmap:decode() via crafted djvu file
ImportantSUSE bug 1185900SUSE bug 1185904SUSE bug 1185905CVE-2019-18804 at SUSECVE-2019-18804 at NVDCVE-2021-32491 at SUSECVE-2021-32491 at NVDCVE-2021-32492 at SUSECVE-2021-32492 at NVDCVE-2021-32493 at SUSECVE-2021-32493 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for graphviz (Critical)SUSE OpenStack Cloud Crowbar 8
This update for graphviz fixes the following issues:
- CVE-2020-18032: Fixed possible remote code execution via buffer overflow (bsc#1185833).
CriticalSUSE bug 1185833CVE-2020-18032 at SUSECVE-2020-18032 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-actionpack-4_2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-actionpack-4_2 fixes the following issues:
- CVE-2021-22885: Fixed possible information disclosure / unintended method execution in Action Pack (bsc#1185715).
ImportantSUSE bug 1185715CVE-2021-22885 at SUSECVE-2021-22885 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libxml2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for libxml2 fixes the following issues:
Security issues fixed:
CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698)
- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).
ImportantSUSE bug 1185408SUSE bug 1185409SUSE bug 1185410SUSE bug 1185698CVE-2021-3516 at SUSECVE-2021-3516 at NVDCVE-2021-3517 at SUSECVE-2021-3517 at NVDCVE-2021-3518 at SUSECVE-2021-3518 at NVDCVE-2021-3537 at SUSECVE-2021-3537 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for dnsmasq (Important)SUSE OpenStack Cloud Crowbar 8
This update for dnsmasq fixes the following issues:
- bsc#1177077: Fixed DNSpooq vulnerabilities
- CVE-2020-25684, CVE-2020-25685, CVE-2020-25686:
Fixed multiple Cache Poisoning attacks.
- CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687:
Fixed multiple potential Heap-based overflows when DNSSEC is
enabled.
- Retry query to other servers on receipt of SERVFAIL rcode
(bsc#1176076)
ImportantSUSE bug 1176076SUSE bug 1177077CVE-2020-25681 at SUSECVE-2020-25681 at NVDCVE-2020-25682 at SUSECVE-2020-25682 at NVDCVE-2020-25683 at SUSECVE-2020-25683 at NVDCVE-2020-25684 at SUSECVE-2020-25684 at NVDCVE-2020-25685 at SUSECVE-2020-25685 at NVDCVE-2020-25686 at SUSECVE-2020-25686 at NVDCVE-2020-25687 at SUSECVE-2020-25687 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for flac (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for flac fixes the following issues:
- CVE-2020-0499: Fixed an out-of-bounds access (bsc#1180099).
ModerateSUSE bug 1180099CVE-2020-0499 at SUSECVE-2020-0499 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for dovecot22 (Important)SUSE OpenStack Cloud Crowbar 8
This update for dovecot22 fixes the following issues:
- CVE-2020-24386: Fixed an issue with IMAP hibernation that allowed users to access other users' emails (bsc#1180405).
ImportantSUSE bug 1180405CVE-2020-24386 at SUSECVE-2020-24386 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-httplib2 (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-httplib2 contains the following fixes:
Security fixes included in this update:
- CVE-2021-21240: Fixed a regular expression denial of service via malicious header (bsc#1182053).
- CVE-2020-11078: Fixed an issue where an attacker could change request headers and body (bsc#1171998).
Non security fixes included in this update:
- Update in SLE to 0.19.0 (bsc#1182053, CVE-2021-21240)
- update to 0.19.0:
* auth: parse headers using pyparsing instead of regexp
* auth: WSSE token needs to be string not bytes
- update to 0.18.1: (bsc#1171998, CVE-2020-11078)
* explicit build-backend workaround for pip build isolation bug
* IMPORTANT security vulnerability CWE-93 CRLF injection
Force %xx quote of space, CR, LF characters in uri.
* Ship test suite in source dist
- update to 0.17.3:
* bugfixes
- Update to 0.17.1
* python3: no_proxy was not checked with https
* feature: Http().redirect_codes set, works after follow(_all)_redirects check
This allows one line workaround for old gcloud library that uses 308
response without redirect semantics.
* IMPORTANT cache invalidation change, fix 307 keep method, add 308 Redirects
* proxy: username/password as str compatible with pysocks
* python2: regression in connect() error handling
* add support for password protected certificate files
* feature: Http.close() to clean persistent connections and sensitive data
- Update to 0.14.0:
* Python3: PROXY_TYPE_SOCKS5 with str user/pass raised TypeError
- version update to 0.13.1
0.13.1
* Python3: Use no_proxy
https://github.com/httplib2/httplib2/pull/140
0.13.0
* Allow setting TLS max/min versions
https://github.com/httplib2/httplib2/pull/138
0.12.3
* No changes to library. Distribute py3 wheels.
0.12.1
* Catch socket timeouts and clear dead connection
https://github.com/httplib2/httplib2/issues/18
https://github.com/httplib2/httplib2/pull/111
* Officially support Python 3.7 (package metadata)
https://github.com/httplib2/httplib2/issues/123
0.12.0
* Drop support for Python 3.3
* ca_certs from environment HTTPLIB2_CA_CERTS or certifi
https://github.com/httplib2/httplib2/pull/117
* PROXY_TYPE_HTTP with non-empty user/pass raised TypeError: bytes required
https://github.com/httplib2/httplib2/pull/115
* Revert http:443->https workaround
https://github.com/httplib2/httplib2/issues/112
* eliminate connection pool read race
https://github.com/httplib2/httplib2/pull/110
* cache: stronger safename
https://github.com/httplib2/httplib2/pull/101
0.11.3
* No changes, just reupload of 0.11.2 after fixing automatic release conditions in Travis.
0.11.2
* proxy: py3 NameError basestring
https://github.com/httplib2/httplib2/pull/100
0.11.1
* Fix HTTP(S)ConnectionWithTimeout AttributeError proxy_info
https://github.com/httplib2/httplib2/pull/97
0.11.0
* Add DigiCert Global Root G2 serial 033af1e6a711a9a0bb2864b11d09fae5
https://github.com/httplib2/httplib2/pull/91
* python3 proxy support
https://github.com/httplib2/httplib2/pull/90
* If no_proxy environment value ends with comma then proxy is not used
https://github.com/httplib2/httplib2/issues/11
* fix UnicodeDecodeError using socks5 proxy
https://github.com/httplib2/httplib2/pull/64
* Respect NO_PROXY env var in proxy_info_from_url
https://github.com/httplib2/httplib2/pull/58
* NO_PROXY=bar was matching foobar (suffix without dot delimiter)
New behavior matches curl/wget:
- no_proxy=foo.bar will only skip proxy for exact hostname match
- no_proxy=.wild.card will skip proxy for any.subdomains.wild.card
https://github.com/httplib2/httplib2/issues/94
* Bugfix for Content-Encoding: deflate
https://stackoverflow.com/a/22311297
- deleted patches
- httplib2 started to use certifi and this is already bent to
use system certificate bundle
ModerateSUSE bug 1171998SUSE bug 1182053CVE-2020-11078 at SUSECVE-2020-11078 at NVDCVE-2021-21240 at SUSECVE-2021-21240 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for djvulibre (Important)SUSE OpenStack Cloud Crowbar 8
This update for djvulibre fixes the following issues:
- CVE-2021-3500: Stack overflow in function DJVU:DjVuDocument:get_djvu_file() via crafted djvu file (bsc#1186253)
ImportantSUSE bug 1186253CVE-2021-3500 at SUSECVE-2021-3500 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for dhcp (Important)SUSE OpenStack Cloud Crowbar 8
This update for dhcp fixes the following issues:
- CVE-2021-25217: A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient (bsc#1186382)
ImportantSUSE bug 1186382CVE-2021-25217 at SUSECVE-2021-25217 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libwebp (Critical)SUSE OpenStack Cloud Crowbar 8
This update for libwebp fixes the following issues:
- CVE-2018-25010: Fixed heap-based buffer overflow in ApplyFilter() (bsc#1185685).
- CVE-2020-36330: Fixed heap-based buffer overflow in ChunkVerifyAndAssign() (bsc#1185691).
- CVE-2020-36332: Fixed extreme memory allocation when reading a file (bsc#1185674).
- CVE-2020-36329: Fixed use-after-free in EmitFancyRGB() (bsc#1185652).
- CVE-2018-25012: Fixed heap-based buffer overflow in GetLE24() (bsc#1185690).
- CVE-2018-25013: Fixed heap-based buffer overflow in ShiftBytes() (bsc#1185654).
- CVE-2020-36331: Fixed heap-based buffer overflow in ChunkAssignData() (bsc#1185686).
- CVE-2018-25009: Fixed heap-based buffer overflow in GetLE16() (bsc#1185673).
- CVE-2018-25011: Fixed fail on multiple image chunks (bsc#1186247).
CriticalSUSE bug 1185652SUSE bug 1185654SUSE bug 1185673SUSE bug 1185674SUSE bug 1185685SUSE bug 1185686SUSE bug 1185690SUSE bug 1185691SUSE bug 1186247CVE-2018-25009 at SUSECVE-2018-25009 at NVDCVE-2018-25010 at SUSECVE-2018-25010 at NVDCVE-2018-25011 at SUSECVE-2018-25011 at NVDCVE-2018-25012 at SUSECVE-2018-25012 at NVDCVE-2018-25013 at SUSECVE-2018-25013 at NVDCVE-2020-36329 at SUSECVE-2020-36329 at NVDCVE-2020-36330 at SUSECVE-2020-36330 at NVDCVE-2020-36331 at SUSECVE-2020-36331 at NVDCVE-2020-36332 at SUSECVE-2020-36332 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for polkit (Important)SUSE OpenStack Cloud Crowbar 8
This update for polkit fixes the following issues:
- CVE-2021-3560: Fixed a local privilege escalation using polkit_system_bus_name_get_creds_sync() (bsc#1186497).
ImportantSUSE bug 1186497CVE-2021-3560 at SUSECVE-2021-3560 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for gstreamer-plugins-bad (Important)SUSE OpenStack Cloud Crowbar 8
This update for gstreamer-plugins-bad fixes the following issues:
- CVE-2021-3185: Fixed buffer overflow in gst_h264_slice_parse_dec_ref_pic_marking (bsc#1181255).
ImportantSUSE bug 1181255CVE-2021-3185 at SUSECVE-2021-3185 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 78.11.0 ESR (bsc#1186696)
* CVE-2021-29964: Out of bounds-read when parsing a `WM_COPYDATA` message
* CVE-2021-29967: Memory safety bugs fixed in Firefox
ImportantSUSE bug 1185633SUSE bug 1186696CVE-2021-29951 at SUSECVE-2021-29951 at NVDCVE-2021-29964 at SUSECVE-2021-29964 at NVDCVE-2021-29967 at SUSECVE-2021-29967 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libX11 (Important)SUSE OpenStack Cloud Crowbar 8
This update for libX11 fixes the following issues:
- Regression in the fix for CVE-2021-31535, causing segfaults for xforms applications like fdesign (bsc#1186643)
ImportantSUSE bug 1186643CVE-2021-31535 at SUSECVE-2021-31535 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for qemu (Important)SUSE OpenStack Cloud Crowbar 8
This update for qemu fixes the following issues:
- Fix OOB access during mmio operations (CVE-2020-13754, bsc#1172382)
- Fix out-of-bounds read information disclosure in icmp6_send_echoreply (CVE-2020-10756, bsc#1172380)
- Fix out-of-bound heap buffer access via an interrupt ID field (CVE-2021-20221, bsc#1181933)
- For the record, these issues are fixed in this package already.
Most are alternate references to previously mentioned issues:
(CVE-2019-15890, bsc#1149813, CVE-2020-8608, bsc#1163019,
CVE-2020-14364, bsc#1175534, CVE-2020-25707, bsc#1178683,
CVE-2020-25723, bsc#1178935, CVE-2020-29130, bsc#1179477,
CVE-2021-20257, bsc#1182846, CVE-2021-3419, bsc#1182975,
bsc#1094725)
ImportantSUSE bug 1094725SUSE bug 1149813SUSE bug 1163019SUSE bug 1172380SUSE bug 1172382SUSE bug 1175534SUSE bug 1178683SUSE bug 1178935SUSE bug 1179477SUSE bug 1181933SUSE bug 1182846SUSE bug 1182975CVE-2019-15890 at SUSECVE-2019-15890 at NVDCVE-2020-10756 at SUSECVE-2020-10756 at NVDCVE-2020-13754 at SUSECVE-2020-13754 at NVDCVE-2020-14364 at SUSECVE-2020-14364 at NVDCVE-2020-25707 at SUSECVE-2020-25707 at NVDCVE-2020-25723 at SUSECVE-2020-25723 at NVDCVE-2020-29130 at SUSECVE-2020-29130 at NVDCVE-2020-8608 at SUSECVE-2020-8608 at NVDCVE-2021-20221 at SUSECVE-2021-20221 at NVDCVE-2021-20257 at SUSECVE-2021-20257 at NVDCVE-2021-3419 at SUSECVE-2021-3419 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_7_1-ibm (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for java-1_7_1-ibm fixes the following issues:
- Update to Java 7.1 Service Refresh 4 Fix Pack 75 [bsc#1180063, bsc#1177943]
CVE-2020-14792 CVE-2020-14797 CVE-2020-14782 CVE-2020-14781
CVE-2020-14779 CVE-2020-14798 CVE-2020-14796 CVE-2020-14803
* Class Libraries:
- Z/OS specific C function send_file is changing the file pointer position
* Security:
- Add the new oracle signer certificate
- Certificate parsing error
- JVM memory growth can be caused by the IBMPKCS11IMPL crypto provider
- Remove check for websphere signed jars
- sessionid.hashcode generates too many collisions
- The Java 8 IBM certpath provider does not honor the user
specified system property for CLR connect timeout
ModerateSUSE bug 1177943SUSE bug 1180063CVE-2020-14779 at SUSECVE-2020-14779 at NVDCVE-2020-14781 at SUSECVE-2020-14781 at NVDCVE-2020-14782 at SUSECVE-2020-14782 at NVDCVE-2020-14792 at SUSECVE-2020-14792 at NVDCVE-2020-14796 at SUSECVE-2020-14796 at NVDCVE-2020-14797 at SUSECVE-2020-14797 at NVDCVE-2020-14798 at SUSECVE-2020-14798 at NVDCVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for spice (Important)SUSE OpenStack Cloud Crowbar 8
This update for spice fixes the following issues:
- CVE-2021-20201: client initiated renegotiation causing denial of service (bsc#1181686)
ImportantSUSE bug 1181686CVE-2021-20201 at SUSECVE-2021-20201 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ucode-intel (Important)SUSE OpenStack Cloud Crowbar 8
This update for ucode-intel fixes the following issues:
Updated to Intel CPU Microcode 20210608 release.
- CVE-2020-24513: A domain bypass transient execution vulnerability was discovered on some Intel Atom processors that use a micro-architectural incident channel. (INTEL-SA-00465 bsc#1179833)
See also: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00465.html
- CVE-2020-24511: The IBRS feature to mitigate Spectre variant 2 transient execution side channel vulnerabilities may not fully prevent non-root (guest) branches from controlling the branch predictions of the root (host) (INTEL-SA-00464 bsc#1179836)
See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html)
- CVE-2020-24512: Fixed trivial data value cache-lines such as all-zero value cache-lines may lead to changes in cache-allocation or write-back behavior for such cache-lines (bsc#1179837 INTEL-SA-00464)
See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html)
- CVE-2020-24489: Fixed Intel VT-d device pass through potential local privilege escalation (INTEL-SA-00442 bsc#1179839)
See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00442.html
Other fixes:
- Update for functional issues. Refer to [Third Generation Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/637780)for details.
- Update for functional issues. Refer to [Second Generation Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/338848) for details.
- Update for functional issues. Refer to [Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/613537) for details.
- Update for functional issues. Refer to [Intel Xeon Processor D-1500, D-1500 NS and D-1600 NS Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-d-1500-specification-update.html) for details.
- Update for functional issues. Refer to [Intel Xeon E7-8800 and E7-4800 v3 Processor Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e7-v3-spec-update.html) for details.
- Update for functional issues. Refer to [Intel Xeon Processor E5 v3 Product Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html?wapkw=processor+spec+update+e5) for details.
- Update for functional issues. Refer to [10th Gen Intel Core Processor Families Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/10th-gen-core-families-specification-update.html) for details.
- Update for functional issues. Refer to [8th and 9th Gen Intel Core Processor Family Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/8th-gen-core-spec-update.html) for details.
- Update for functional issues. Refer to [7th Gen and 8th Gen (U Quad-Core) Intel Processor Families Specification Update](https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-spec-update.html) for details.
- Update for functional issues. Refer to [6th Gen Intel Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/332689) for details.
- Update for functional issues. Refer to [Intel Xeon E3-1200 v6 Processor Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v6-spec-update.html) for details.
- Update for functional issues. Refer to [Intel Xeon E-2100 and E-2200 Processor Family Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-e-2100-specification-update.html) for details.
- New platforms:
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| CLX-SP | A0 | 06-55-05/b7 | | 03000010 | Xeon Scalable Gen2
| ICX-SP | C0 | 06-6a-05/87 | | 0c0002f0 | Xeon Scalable Gen3
| ICX-SP | D0 | 06-6a-06/87 | | 0d0002a0 | Xeon Scalable Gen3
| SNR | B0 | 06-86-04/01 | | 0b00000f | Atom P59xxB
| SNR | B1 | 06-86-05/01 | | 0b00000f | Atom P59xxB
| TGL | B1 | 06-8c-01/80 | | 00000088 | Core Gen11 Mobile
| TGL-R | C0 | 06-8c-02/c2 | | 00000016 | Core Gen11 Mobile
| TGL-H | R0 | 06-8d-01/c2 | | 0000002c | Core Gen11 Mobile
| EHL | B1 | 06-96-01/01 | | 00000011 | Pentium J6426/N6415, Celeron J6412/J6413/N6210/N6211, Atom x6000E
| JSL | A0/A1 | 06-9c-00/01 | | 0000001d | Pentium N6000/N6005, Celeron N4500/N4505/N5100/N5105
| RKL-S | B0 | 06-a7-01/02 | | 00000040 | Core Gen11
- Updated platforms:
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000044 | 00000046 | Core Gen4 X series; Xeon E5 v3
| HSX-EX | E0 | 06-3f-04/80 | 00000016 | 00000019 | Xeon E7 v3
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000e2 | 000000ea | Core Gen6 Mobile
| SKL-U23e | K1 | 06-4e-03/c0 | 000000e2 | 000000ea | Core Gen6 Mobile
| BDX-ML | B0/M0/R0 | 06-4f-01/ef | 0b000038 | 0b00003e | Xeon E5/E7 v4; Core i7-69xx/68xx
| SKX-SP | B1 | 06-55-03/97 | 01000159 | 0100015b | Xeon Scalable
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006a0a | 02006b06 | Xeon Scalable
| SKX-D | M1 | 06-55-04/b7 | 02006a0a | 02006b06 | Xeon D-21xx
| CLX-SP | B0 | 06-55-06/bf | 04003006 | 04003102 | Xeon Scalable Gen2
| CLX-SP | B1 | 06-55-07/bf | 05003006 | 05003102 | Xeon Scalable Gen2
| CPX-SP | A1 | 06-55-0b/bf | 0700001e | 07002302 | Xeon Scalable Gen3
| BDX-DE | V2/V3 | 06-56-03/10 | 07000019 | 0700001b | Xeon D-1518/19/21/27/28/31/33/37/41/48, Pentium D1507/08/09/17/19
| BDX-DE | Y0 | 06-56-04/10 | 0f000017 | 0f000019 | Xeon D-1557/59/67/71/77/81/87
| BDX-NS | A0 | 06-56-05/10 | 0e00000f | 0e000012 | Xeon D-1513N/23/33/43/53
| APL | D0 | 06-5c-09/03 | 00000040 | 00000044 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
| APL | E0 | 06-5c-0a/03 | 0000001e | 00000020 | Atom x5-E39xx
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000e2 | 000000ea | Core Gen6; Xeon E3 v5
| DNV | B0 | 06-5f-01/01 | 0000002e | 00000034 | Atom C Series
| GLK | B0 | 06-7a-01/01 | 00000034 | 00000036 | Pentium Silver N/J5xxx, Celeron N/J4xxx
| GKL-R | R0 | 06-7a-08/01 | 00000018 | 0000001a | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| ICL-U/Y | D1 | 06-7e-05/80 | 000000a0 | 000000a6 | Core Gen10 Mobile
| LKF | B2/B3 | 06-8a-01/10 | 00000028 | 0000002a | Core w/Hybrid Technology
| AML-Y22 | H0 | 06-8e-09/10 | 000000de | 000000ea | Core Gen8 Mobile
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000de | 000000ea | Core Gen7 Mobile
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000e0 | 000000ea | Core Gen8 Mobile
| WHL-U | W0 | 06-8e-0b/d0 | 000000de | 000000ea | Core Gen8 Mobile
| AML-Y42 | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen10 Mobile
| CML-Y42 | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen10 Mobile
| WHL-U | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen8 Mobile
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000de | 000000ea | Core Gen7; Xeon E3 v6
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000de | 000000ea | Core Gen8 Desktop, Mobile, Xeon E
| CFL-S | B0 | 06-9e-0b/02 | 000000de | 000000ea | Core Gen8
| CFL-H/S | P0 | 06-9e-0c/22 | 000000de | 000000ea | Core Gen9
| CFL-H | R0 | 06-9e-0d/22 | 000000de | 000000ea | Core Gen9 Mobile
| CML-H | R1 | 06-a5-02/20 | 000000e0 | 000000ea | Core Gen10 Mobile
| CML-S62 | G1 | 06-a5-03/22 | 000000e0 | 000000ea | Core Gen10
| CML-S102 | Q0 | 06-a5-05/22 | 000000e0 | 000000ec | Core Gen10
| CML-U62 | A0 | 06-a6-00/80 | 000000e0 | 000000e8 | Core Gen10 Mobile
| CML-U62 V2 | K0 | 06-a6-01/80 | 000000e0 | 000000ea | Core Gen10 Mobile
ImportantSUSE bug 1179833SUSE bug 1179836SUSE bug 1179837SUSE bug 1179839CVE-2020-24489 at SUSECVE-2020-24489 at NVDCVE-2020-24511 at SUSECVE-2020-24511 at NVDCVE-2020-24512 at SUSECVE-2020-24512 at NVDCVE-2020-24513 at SUSECVE-2020-24513 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-Pillow (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-Pillow fixes the following issues:
- CVE-2021-25292: Fixed a backtracking regex in PDF parser could be used as a DOS attack (bsc#1183101).
- CVE-2021-25290: Fixed a negative-offset memcpy with an invalid size in TiffDecode.c (bsc#1183105).
- CVE-2021-27922,CVE-2021-27923: Fixed improper reported size of a contained image (bsc#1183108,bsc#1183107)
- CVE-2020-35653: Fixed buffer over-read in PcxDecode when decoding a crafted PCX file (bsc#1180834).
- CVE-2021-25287: Fixed out-of-bounds read in J2kDecode in j2ku_graya_la (bsc#1185805).
- CVE-2021-25288: Fixed out-of-bounds read in J2kDecode in j2ku_gray_i (bsc#1185803).
- CVE-2021-28675: Fixed DoS in PsdImagePlugin (bsc#1185804).
- CVE-2021-28677: Fixed DoS in the open phase via a malicious EPS file (bsc#1185785).
- CVE-2021-28676: Fixed infinite loop in FliDecode.c (bsc#1185786).
ImportantSUSE bug 1180834SUSE bug 1183101SUSE bug 1183105SUSE bug 1183107SUSE bug 1183108SUSE bug 1185785SUSE bug 1185786SUSE bug 1185803SUSE bug 1185804SUSE bug 1185805CVE-2020-35653 at SUSECVE-2020-35653 at NVDCVE-2021-25287 at SUSECVE-2021-25287 at NVDCVE-2021-25288 at SUSECVE-2021-25288 at NVDCVE-2021-25290 at SUSECVE-2021-25290 at NVDCVE-2021-25292 at SUSECVE-2021-25292 at NVDCVE-2021-27922 at SUSECVE-2021-27922 at NVDCVE-2021-27923 at SUSECVE-2021-27923 at NVDCVE-2021-28675 at SUSECVE-2021-28675 at NVDCVE-2021-28676 at SUSECVE-2021-28676 at NVDCVE-2021-28677 at SUSECVE-2021-28677 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for caribou (Important)SUSE OpenStack Cloud Crowbar 8
This update for caribou fixes the following issues:
Security issue fixed:
- CVE-2021-3567: Fixed a segfault when attempting to use shifted characters (bsc#1186617).
ImportantSUSE bug 1186617CVE-2021-3567 at SUSECVE-2021-3567 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for freeradius-server (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for freeradius-server fixes the following issues:
- Do not log passwords in logfiles (bsc#1184016)
ModerateSUSE bug 1184016cpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_8_0-openjdk (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for java-1_8_0-openjdk fixes the following issues:
- Update to version jdk8u292 (icedtea 3.19.0).
- CVE-2021-2161: Fixed incomplete enforcement of JAR signing disabled algorithms (bsc#1185055).
ModerateSUSE bug 1185055CVE-2021-2163 at SUSECVE-2021-2163 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ImageMagick (Important)SUSE OpenStack Cloud Crowbar 8
This update for ImageMagick fixes the following issues:
- CVE-2020-19667: Fixed a stack buffer overflow in XPM coder could result in a crash (bsc#1179103).
- CVE-2020-25664: Fixed a heap-based buffer overflow in PopShortPixel (bsc#1179202).
- CVE-2020-25665: Fixed a heap-based buffer overflow in WritePALMImage (bsc#1179208).
- CVE-2020-25666: Fixed an outside the range of representable values of type 'int' and signed integer overflow (bsc#1179212).
- CVE-2020-25674: Fixed a heap-based buffer overflow in WriteOnePNGImage (bsc#1179223).
- CVE-2020-25675: Fixed an outside the range of representable values of type 'long' and integer overflow (bsc#1179240).
- CVE-2020-25676: Fixed an outside the range of representable values of type 'long' and integer overflow at MagickCore/pixel.c (bsc#1179244).
- CVE-2020-27750: Fixed an division by zero in MagickCore/colorspace-private.h (bsc#1179260).
- CVE-2020-27751: Fixed an integer overflow in MagickCore/quantum-export.c (bsc#1179269).
- CVE-2020-27752: Fixed a heap-based buffer overflow in PopShortPixel in MagickCore/quantum-private.h (bsc#1179346).
- CVE-2020-27753: Fixed memory leaks in AcquireMagickMemory function (bsc#1179397).
- CVE-2020-27754: Fixed an outside the range of representable values of type 'long' and signed integer overflow at MagickCore/quantize.c (bsc#1179336).
- CVE-2020-27755: Fixed memory leaks in ResizeMagickMemory function in ImageMagick/MagickCore/memory.c (bsc#1179345).
- CVE-2020-27757: Fixed an outside the range of representable values of type 'unsigned long long' at MagickCore/quantum-private.h (bsc#1179268).
- CVE-2020-27759: Fixed an outside the range of representable values of type 'int' at MagickCore/quantize.c (bsc#1179313).
- CVE-2020-27760: Fixed a division by zero at MagickCore/enhance.c (bsc#1179281).
- CVE-2020-27761: Fixed an outside the range of representable values of type 'unsigned long' at coders/palm.c (bsc#1179315).
- CVE-2020-27762: Fixed an outside the range of representable values of type 'unsigned char' (bsc#1179278).
- CVE-2020-27763: Fixed a division by zero at MagickCore/resize.c (bsc#1179312).
- CVE-2020-27764: Fixed an outside the range of representable values of type 'unsigned long' at MagickCore/statistic.c (bsc#1179317).
- CVE-2020-27765: Fixed a division by zero at MagickCore/segment.c (bsc#1179311).
- CVE-2020-27766: Fixed an outside the range of representable values of type 'unsigned long' at MagickCore/statistic.c (bsc#1179361).
- CVE-2020-27767: Fixed an outside the range of representable values of type 'float' at MagickCore/quantum.h (bsc#1179322).
- CVE-2020-27768: Fixed an outside the range of representable values of type 'unsigned int' at MagickCore/quantum-private.h (bsc#1179339).
- CVE-2020-27769: Fixed an outside the range of representable values of type 'float' at MagickCore/quantize.c (bsc#1179321).
- CVE-2020-27770: Fixed an unsigned offset overflowed at MagickCore/string.c (bsc#1179343).
- CVE-2020-27771: Fixed an outside the range of representable values of type 'unsigned char' at coders/pdf.c (bsc#1179327).
- CVE-2020-27772: Fixed an outside the range of representable values of type 'unsigned int' at coders/bmp.c (bsc#1179347).
- CVE-2020-27773: Fixed a division by zero at MagickCore/gem-private.h (bsc#1179285).
- CVE-2020-27774: Fixed an integer overflow at MagickCore/statistic.c (bsc#1179333).
- CVE-2020-27775: Fixed an outside the range of representable values of type 'unsigned char' at MagickCore/quantum.h (bsc#1179338).
- CVE-2020-27776: Fixed an outside the range of representable values of type 'unsigned long' at MagickCore/statistic.c (bsc#1179362).
ImportantSUSE bug 1179103SUSE bug 1179202SUSE bug 1179208SUSE bug 1179212SUSE bug 1179223SUSE bug 1179240SUSE bug 1179244SUSE bug 1179260SUSE bug 1179268SUSE bug 1179269SUSE bug 1179278SUSE bug 1179281SUSE bug 1179285SUSE bug 1179311SUSE bug 1179312SUSE bug 1179313SUSE bug 1179315SUSE bug 1179317SUSE bug 1179321SUSE bug 1179322SUSE bug 1179327SUSE bug 1179333SUSE bug 1179336SUSE bug 1179338SUSE bug 1179339SUSE bug 1179343SUSE bug 1179345SUSE bug 1179346SUSE bug 1179347SUSE bug 1179361SUSE bug 1179362SUSE bug 1179397CVE-2020-19667 at SUSECVE-2020-19667 at NVDCVE-2020-25664 at SUSECVE-2020-25664 at NVDCVE-2020-25665 at SUSECVE-2020-25665 at NVDCVE-2020-25666 at SUSECVE-2020-25666 at NVDCVE-2020-25674 at SUSECVE-2020-25674 at NVDCVE-2020-25675 at SUSECVE-2020-25675 at NVDCVE-2020-25676 at SUSECVE-2020-25676 at NVDCVE-2020-27750 at SUSECVE-2020-27750 at NVDCVE-2020-27751 at SUSECVE-2020-27751 at NVDCVE-2020-27752 at SUSECVE-2020-27752 at NVDCVE-2020-27753 at SUSECVE-2020-27753 at NVDCVE-2020-27754 at SUSECVE-2020-27754 at NVDCVE-2020-27755 at SUSECVE-2020-27755 at NVDCVE-2020-27757 at SUSECVE-2020-27757 at NVDCVE-2020-27759 at SUSECVE-2020-27759 at NVDCVE-2020-27760 at SUSECVE-2020-27760 at NVDCVE-2020-27761 at SUSECVE-2020-27761 at NVDCVE-2020-27762 at SUSECVE-2020-27762 at NVDCVE-2020-27763 at SUSECVE-2020-27763 at NVDCVE-2020-27764 at SUSECVE-2020-27764 at NVDCVE-2020-27765 at SUSECVE-2020-27765 at NVDCVE-2020-27766 at SUSECVE-2020-27766 at NVDCVE-2020-27767 at SUSECVE-2020-27767 at NVDCVE-2020-27768 at SUSECVE-2020-27768 at NVDCVE-2020-27769 at SUSECVE-2020-27769 at NVDCVE-2020-27770 at SUSECVE-2020-27770 at NVDCVE-2020-27771 at SUSECVE-2020-27771 at NVDCVE-2020-27772 at SUSECVE-2020-27772 at NVDCVE-2020-27773 at SUSECVE-2020-27773 at NVDCVE-2020-27774 at SUSECVE-2020-27774 at NVDCVE-2020-27775 at SUSECVE-2020-27775 at NVDCVE-2020-27776 at SUSECVE-2020-27776 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud Crowbar 8
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.32.1:
+ Improve handling of Media Capture devices.
+ Improve WebAudio playback.
+ Improve video orientation handling.
+ Improve seeking support for MSE playback.
+ Improve flush support in EME decryptors.
+ Fix HTTP status codes for requests done through a custom URI handler.
+ Fix the Bubblewrap sandbox in certain 32-bit systems.
+ Fix inconsistencies between the WebKitWebView.is-muted property
state and values returned by
webkit_web_view_is_playing_audio().
+ Fix the build with ENABLE_VIDEO=OFF.
+ Fix wrong timestamps for long-lived cookies.
+ Fix UI process crash when failing to load favicons.
+ Fix several crashes and rendering issues.
- Including Security fixes for: CVE-2021-1788, CVE-2021-1844, CVE-2021-1871,
CVE-2020-27918, CVE-2020-29623, CVE-2021-1765, CVE-2021-1789, CVE-2021-1799,
CVE-2021-1801, CVE-2021-1870, CVE-2020-13558, CVE-2020-13584, CVE-2020-9983,
CVE-2020-13543, CVE-2020-9947, CVE-2020-9948, CVE-2020-9951.
ImportantSUSE bug 1177087SUSE bug 1179122SUSE bug 1179451SUSE bug 1182286SUSE bug 1184155SUSE bug 1184262CVE-2020-13543 at SUSECVE-2020-13543 at NVDCVE-2020-13558 at SUSECVE-2020-13558 at NVDCVE-2020-13584 at SUSECVE-2020-13584 at NVDCVE-2020-27918 at SUSECVE-2020-27918 at NVDCVE-2020-29623 at SUSECVE-2020-29623 at NVDCVE-2020-9947 at SUSECVE-2020-9947 at NVDCVE-2020-9948 at SUSECVE-2020-9948 at NVDCVE-2020-9951 at SUSECVE-2020-9951 at NVDCVE-2020-9983 at SUSECVE-2020-9983 at NVDCVE-2021-1765 at SUSECVE-2021-1765 at NVDCVE-2021-1788 at SUSECVE-2021-1788 at NVDCVE-2021-1789 at SUSECVE-2021-1789 at NVDCVE-2021-1799 at SUSECVE-2021-1799 at NVDCVE-2021-1801 at SUSECVE-2021-1801 at NVDCVE-2021-1844 at SUSECVE-2021-1844 at NVDCVE-2021-1870 at SUSECVE-2021-1870 at NVDCVE-2021-1871 at SUSECVE-2021-1871 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for apache2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for apache2 fixes the following issues:
- fixed CVE-2021-30641 [bsc#1187174]: MergeSlashes regression
- fixed CVE-2021-31618 [bsc#1186924]: NULL pointer dereference on specially crafted HTTP/2 request
- fixed CVE-2020-35452 [bsc#1186922]: Single zero byte stack overflow in mod_auth_digest
- fixed CVE-2021-26690 [bsc#1186923]: mod_session NULL pointer dereference in parser
- fixed CVE-2021-26691 [bsc#1187017]: Heap overflow in mod_session
ImportantSUSE bug 1186922SUSE bug 1186923SUSE bug 1186924SUSE bug 1187017SUSE bug 1187174CVE-2020-35452 at SUSECVE-2020-35452 at NVDCVE-2021-26690 at SUSECVE-2021-26690 at NVDCVE-2021-26691 at SUSECVE-2021-26691 at NVDCVE-2021-30641 at SUSECVE-2021-30641 at NVDCVE-2021-31618 at SUSECVE-2021-31618 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for xterm (Important)SUSE OpenStack Cloud Crowbar 8
This update for xterm fixes the following issues:
- CVE-2021-27135: Fixed buffer-overflow when clicking on selected utf8 text. (bsc#1182091)
ImportantSUSE bug 1182091CVE-2021-27135 at SUSECVE-2021-27135 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-nokogiri (Important)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-nokogiri fixes the following issues:
- CVE-2019-5477: Fixed a command injection vulnerability (bsc#1146578).
- CVE-2020-26247: Fixed an XXE vulnerability in Nokogiri::XML::Schema (bsc#1180507).
ImportantSUSE bug 1146578SUSE bug 1180507CVE-2019-5477 at SUSECVE-2019-5477 at NVDCVE-2020-26247 at SUSECVE-2020-26247 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ovmf (Important)SUSE OpenStack Cloud Crowbar 8
This update for ovmf fixes the following issues:
- Fixed a possible buffer overflow in IScsiDxe (bsc#1186151)
ImportantSUSE bug 1186151cpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ansible (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for ansible fixes the following issues:
- Update to 2.9.22:
- CVE-2021-3447: multiple modules expose secured values (bsc#1183684)
- CVE-2021-20228: basic.py no_log with fallback option (bsc#1181935)
- CVE-2021-20191: multiple collections exposes secured values (bsc#1181119)
- CVE-2021-20180: bitbucket_pipeline_variable exposes sensitive values (bsc#1180942)
- CVE-2021-20178: user data leak in snmp_facts module (bsc#1180816)
ModerateSUSE bug 1180816SUSE bug 1180942SUSE bug 1181119SUSE bug 1181935SUSE bug 1183684CVE-2021-20178 at SUSECVE-2021-20178 at NVDCVE-2021-20180 at SUSECVE-2021-20180 at NVDCVE-2021-20191 at SUSECVE-2021-20191 at NVDCVE-2021-20228 at SUSECVE-2021-20228 at NVDCVE-2021-3447 at SUSECVE-2021-3447 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libnettle (Important)SUSE OpenStack Cloud Crowbar 8
This update for libnettle fixes the following issues:
- CVE-2021-3580: Fixed a remote denial of service in the RSA decryption via manipulated ciphertext (bsc#1187060).
ImportantSUSE bug 1187060CVE-2021-3580 at SUSECVE-2021-3580 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libgcrypt (Important)SUSE OpenStack Cloud Crowbar 8
This update for libgcrypt fixes the following issues:
- CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212).
ImportantSUSE bug 1187212CVE-2021-33560 at SUSECVE-2021-33560 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openexr (Important)SUSE OpenStack Cloud Crowbar 8
This update for openexr fixes the following issues:
- Fixed CVE-2021-3479 [bsc#1184354]: Out-of-memory caused by allocation of a very large buffer
- Fixed CVE-2021-3605 [bsc#1187395]: Heap buffer overflow in the rleUncompress function
- Fixed CVE-2021-3598 [bsc#1187310]: Heap buffer overflow in Imf_3_1:CharPtrIO:readChars
ImportantSUSE bug 1184354SUSE bug 1187310SUSE bug 1187395CVE-2021-3479 at SUSECVE-2021-3479 at NVDCVE-2021-3598 at SUSECVE-2021-3598 at NVDCVE-2021-3605 at SUSECVE-2021-3605 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for postgresql, postgresql12, postgresql13 (Important)SUSE OpenStack Cloud Crowbar 8
This update for postgresql, postgresql12, postgresql13 fixes the following issues:
Initial packaging of PostgreSQL 13:
* https://www.postgresql.org/about/news/2077/
* https://www.postgresql.org/docs/13/release-13.html
Changes in postgresql:
- Bump postgresql major version to 13.
Changes in postgresql12:
- %ghost the symlinks to pg_config and ecpg. (bsc#1178961)
- BuildRequire libpq5 and libecpg6 when not building them to avoid dangling symlinks in the devel package. (bsc#1179765)
- Fix a DST problem in the test suite.
Changes in postgresql13:
- Add postgresql-icu68.patch: fix build with ICU 68
- %ghost the symlinks to pg_config and ecpg. (bsc#1178961)
- BuildRequire libpq5 and libecpg6 when not building them to avoid dangling symlinks in the devel package. (bsc#1179765)
Upgrade to version 13.1:
* CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and
materialized view queries.
* CVE-2020-25694, bsc#1178667:
a) Fix usage of complex connection-string parameters in pg_dump,
pg_restore, clusterdb, reindexdb, and vacuumdb.
b) When psql's \connect command re-uses connection parameters,
ensure that all non-overridden parameters from a previous
connection string are re-used.
* CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from
modifying specially-treated variables.
* Fix recently-added timetz test case so it works when the USA
is not observing daylight savings time.
(obsoletes postgresql-timetz.patch)
* https://www.postgresql.org/about/news/2111/
* https://www.postgresql.org/docs/13/release-13-1.html
- Fix a DST problem in the test suite.
ImportantSUSE bug 1178666SUSE bug 1178667SUSE bug 1178668SUSE bug 1178961SUSE bug 1179765CVE-2020-25694 at SUSECVE-2020-25694 at NVDCVE-2020-25695 at SUSECVE-2020-25695 at NVDCVE-2020-25696 at SUSECVE-2020-25696 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for arpwatch (Important)SUSE OpenStack Cloud Crowbar 8
This update for arpwatch fixes the following issues:
- CVE-2021-25321: Fixed local privilege escalation from runtime user to root (bsc#1186240).
ImportantSUSE bug 1186240CVE-2021-25321 at SUSECVE-2021-25321 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libsolv (Important)SUSE OpenStack Cloud Crowbar 8
This update for libsolv fixes the following issues:
Security issues fixed:
- CVE-2019-20387: Fixed heap-buffer-overflow in repodata_schema2id (bsc#1161510)
- CVE-2021-3200: testcase_read: error out if repos are added or the system is changed too late (bsc#1186229)
Other issues fixed:
- backport support for blacklisted packages to support ptf packages and retracted patches
- fix ruleinfo of complex dependencies returning the wrong origin
- fix SOLVER_FLAG_FOCUS_BEST updateing packages without reason
- fix add_complex_recommends() selecting conflicted packages in rare cases
- fix potential segfault in resolve_jobrules
- fix solv_zchunk decoding error if large chunks are used
ImportantSUSE bug 1161510SUSE bug 1186229CVE-2019-20387 at SUSECVE-2019-20387 at NVDCVE-2021-3200 at SUSECVE-2021-3200 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Recommended update for the Azure and AWS SDKs (Important)SUSE OpenStack Cloud Crowbar 8
This update for the SLE Public Cloud module provides the following fixes:
Azure SDK update:
This update for the Azure SDK and CLI adds support for the AHB (Azure Hybrid Benefit).
(bsc#1176784, jsc#ECO-3105)
AWS SDK update:
This update for the AWS SDK updates python-boto3 to version 1.17.9 and aws-cli to 1.19.9.
(bsc#1182421, jsc#ECO-3352)
Security fix for python-urllib3:
- Improve performance of sub-authority splitting in URL. (bsc#1187045, CVE-2021-33503)
ImportantSUSE bug 1125671SUSE bug 1154393SUSE bug 1175289SUSE bug 1176784SUSE bug 1176785SUSE bug 1182421SUSE bug 1187045CVE-2021-33503 at SUSECVE-2021-33503 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-urllib3, python-requests (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-urllib3 and python-requests fixes the following issues:
Security fix:
- Improve performance of sub-authority splitting in URL. (bsc#1187045, CVE-2021-33503)
Non-security changes:
- Update python-urllib3 to version 1.25.10 to stay compatible with changes needed in the
Server and Public Cloud products. (bsc#1182421, jsc#ECO-3352)
- Update python-requests to version 2.24.0 to stay compatible with changes needed in the
Server and Public Cloud products. (bsc#1176784, jsc#ECO-3105))
ModerateSUSE bug 1176784SUSE bug 1182421SUSE bug 1187045CVE-2021-33503 at SUSECVE-2021-33503 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openssh (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for openssh fixes the following issues:
- CVE-2020-14145: Fixed a potential information leak during host key exchange (bsc#1173513).
ModerateSUSE bug 1173513CVE-2020-14145 at SUSECVE-2020-14145 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for sudo (Important)SUSE OpenStack Cloud Crowbar 8
This update for sudo fixes the following issues:
- A Heap-based buffer overflow in sudo could be exploited to allow a user to gain root privileges
[bsc#1181090,CVE-2021-3156]
- It was possible for a user to test for the existence of a directory due to a Race Condition in `sudoedit`
[bsc#1180684,CVE-2021-23239]
- A Possible Symlink Attack vector existed in `sudoedit` if SELinux was running in permissive mode [bsc#1180685,
CVE-2021-23240]
- It was possible for a User to enable Debug Settings not Intended for them [bsc#1180687]
ImportantSUSE bug 1180684SUSE bug 1180685SUSE bug 1180687SUSE bug 1181090CVE-2021-23239 at SUSECVE-2021-23239 at NVDCVE-2021-23240 at SUSECVE-2021-23240 at NVDCVE-2021-3156 at SUSECVE-2021-3156 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 78.12.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-29 (bsc#1188275)
* CVE-2021-29970: Use-after-free in accessibility features of a document
* CVE-2021-30547: Out of bounds write in ANGLE
* CVE-2021-29976: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12
ImportantSUSE bug 1188275CVE-2021-29970 at SUSECVE-2021-29970 at NVDCVE-2021-29976 at SUSECVE-2021-29976 at NVDCVE-2021-30547 at SUSECVE-2021-30547 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.7.0 ESR (MFSA 2021-04, bsc#1181414)
* CVE-2021-23953: Fixed a Cross-origin information leakage via redirected PDF requests
* CVE-2021-23954: Fixed a type confusion when using logical assignment operators in JavaScript switch statements
* CVE-2020-26976: Fixed an issue where HTTPS pages could have been intercepted by a registered service worker when they should not have been
* CVE-2021-23960: Fixed a use-after-poison for incorrectly redeclared JavaScript variables during GC
* CVE-2021-23964: Fixed Memory safety bugs
ImportantSUSE bug 1181414CVE-2020-26976 at SUSECVE-2020-26976 at NVDCVE-2021-23953 at SUSECVE-2021-23953 at NVDCVE-2021-23954 at SUSECVE-2021-23954 at NVDCVE-2021-23960 at SUSECVE-2021-23960 at NVDCVE-2021-23964 at SUSECVE-2021-23964 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for systemd (Important)SUSE OpenStack Cloud Crowbar 8
This update for systemd fixes the following issues:
Security issues fixed:
- CVE-2021-33910: Fixed a denial of service (stack exhaustion) in systemd (PID 1) (bsc#1188063)
Other fixes:
- mount-util: shorten the loop a bit (#7545)
- mount-util: do not use the official MAX_HANDLE_SZ (#7523)
- mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761)
- mount-util: fix bad indenting
- mount-util: EOVERFLOW might have other causes than buffer size issues
- mount-util: fix error propagation in fd_fdinfo_mnt_id()
- mount-util: drop exponential buffer growing in name_to_handle_at_loop()
- udev: port udev_has_devtmpfs() to use path_get_mnt_id()
- mount-util: add new path_get_mnt_id() call that queries the mnt ID of a path
- mount-util: add name_to_handle_at_loop() wrapper around name_to_handle_at()
- mount-util: accept that name_to_handle_at() might fail with EPERM (#5499)
- basic: fallback to the fstat if we don't have access to the /proc/self/fdinfo
- sysusers: use the usual comment style
- test/TEST-21-SYSUSERS: add tests for new functionality
- sysusers: allow admin/runtime overrides to command-line config
- basic/strv: add function to insert items at position
- sysusers: allow the shell to be specified
- sysusers: move various user credential validity checks to src/basic/
- man: reformat table in sysusers.d(5)
- sysusers: take configuration as positional arguments
- sysusers: emit a bit more info at debug level when locking fails
- sysusers: allow force reusing existing user/group IDs (#8037)
- sysusers: ensure GID in uid:gid syntax exists
- sysusers: make ADD_GROUP always create a group
- test: add TEST-21-SYSUSERS test
- sysuser: use OrderedHashmap
- sysusers: allow uid:gid in sysusers.conf files
- sysusers: fix memleak (#4430)
- These commits implement the option '--replace' for systemd-sysusers
so %sysusers_create_package can be introduced in SLE and packages
can rely on this rpm macro without wondering whether the macro is
available on the different target the package is submitted to.
- Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807)
- systemctl: add --value option
- execute: make sure to call into PAM after initializing resource limits (bsc#1184967)
- rlimit-util: introduce setrlimit_closest_all()
- system-conf: drop reference to ShutdownWatchdogUsec=
- core: rename ShutdownWatchdogSec to RebootWatchdogSec (bsc#1185331)
- Return -EAGAIN instead of -EALREADY from unit_reload (bsc#1185046)
- rules: don't ignore Xen virtual interfaces anymore (bsc#1178561)
- write_net_rules: set execute bits (bsc#1178561)
- udev: rework network device renaming
- Revert 'Revert 'udev: network device renaming - immediately give up if the target name isn't available''
ImportantSUSE bug 1178561SUSE bug 1184761SUSE bug 1184967SUSE bug 1185046SUSE bug 1185331SUSE bug 1185807SUSE bug 1188063CVE-2021-33910 at SUSECVE-2021-33910 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-pip (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-pip fixes the following issues:
- CVE-2021-3572: Fixed incorrect handling of unicode separators in git references (bsc#1186819).
ModerateSUSE bug 1186819CVE-2021-3572 at SUSECVE-2021-3572 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for linuxptp (Important)SUSE OpenStack Cloud Crowbar 8
This update for linuxptp fixes the following issues:
- CVE-2021-3570: Validate the messageLength field of incoming messages. (bsc#1187646)
ImportantSUSE bug 1187646CVE-2021-3570 at SUSECVE-2021-3570 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud Crowbar 8
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2021-22555: Fixed an heap out-of-bounds write in net/netfilter/x_tables.c that could allow local provilege escalation. (bsc#1188116)
- CVE-2021-33909: Fixed an out-of-bounds write in the filesystem layer that allows to obtain full root privileges. (bsc#1188062)
- CVE-2021-3609: Fixed a race condition in the CAN BCM networking protocol which allows for local privilege escalation. (bsc#1187215)
- CVE-2021-0605: Fixed an out-of-bounds read which could lead to local information disclosure in the kernel with System execution privileges needed. (bsc#1187601)
- CVE-2021-0512: Fixed a possible out-of-bounds write which could lead to local escalation of privilege with no additional execution privileges needed. (bsc#1187595)
- CVE-2021-34693: Fixed a bug in net/can/bcm.c which could allow local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized. (bsc#1187452)
- CVE-2020-36385: Fixed a use-after-free flaw in ucma.c which allows for local privilege escalation. (bsc#1187050)
- CVE-2021-0129: Fixed an improper access control in BlueZ that may have allowed an authenticated user to potentially enable information disclosure via adjacent access. (bsc#1186463)
- CVE-2020-26558: Fixed a flaw in the Bluetooth LE and BR/EDR secure pairing that could permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing. (bsc#1179610)
- CVE-2020-36386: Fixed an out-of-bounds read in hci_extended_inquiry_result_evt. (bsc#1187038)
- CVE-2020-24588: Fixed a bug that could allow an adversary to abuse devices that support receiving non-SSP A-MSDU frames to inject arbitrary network packets. (bsc#1185861)
- CVE-2021-32399: Fixed a race condition in net/bluetooth/hci_request.c for removal of the HCI controller. (bsc#1184611)
- CVE-2021-33034: Fixed an issue in net/bluetooth/hci_event.c where a use-after-free leads to writing an arbitrary value. (bsc#1186111)
- CVE-2020-26139: Fixed a bug that allows an Access Point (AP) to forward EAPOL frames to other clients even though the sender has not yet successfully authenticated. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and made it easier to exploit other vulnerabilities in connected clients. (bsc#1186062)
- CVE-2021-23134: Fixed a use After Free vulnerability in nfc sockets which allows local attackers to elevate their privileges. (bsc#1186060)
- CVE-2020-24586: Fixed a bug that, under the right circumstances, allows to inject arbitrary network packets and/or exfiltrate user data when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP. (bsc#1185859)
- CVE-2020-26141: Fixed a flaw that could allows an adversary to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (bsc#1185987)
- CVE-2020-26145: Fixed a bug in the WEP, WPA, WPA2, and WPA3 implementations that could allows an adversary to inject arbitrary network packets. (bsc#1185860)
- CVE-2020-24587: Fixed a bug that allows an adversary to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (bsc#1185862)
- CVE-2020-26147: Fixed a bug in the WEP, WPA, WPA2, and WPA3 implementations that could allows an adversary to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames. (bsc#1185987)
The following non-security bugs were fixed:
- Bluetooth: SMP: Fail if remote and local public keys are identical (git-fixes).
- Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185724).
- Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185724).
- hv_netvsc: Add handlers for ethtool get/set msg level (bsc#1175462).
- hv_netvsc: avoid retry on send during shutdown (bsc#1175462).
- hv_netvsc: avoid unnecessary wakeups on subchannel creation (bsc#1175462).
- hv_netvsc: cancel subchannel setup before halting device (bsc#1175462).
- hv_netvsc: change GPAD teardown order on older versions (bsc#1175462).
- hv_netvsc: common detach logic (bsc#1175462).
- hv_netvsc: delay setup of VF device (bsc#1175462).
- hv_netvsc: disable NAPI before channel close (bsc#1175462).
- hv_netvsc: Ensure correct teardown message sequence order (bsc#1175462).
- hv_netvsc: Fix a deadlock by getting rtnl lock earlier in netvsc_probe() (bsc#1175462).
- hv_netvsc: Fix a network regression after ifdown/ifup (bsc#1175462).
- hv_netvsc: fix deadlock on hotplug (bsc#1175462).
- hv_netvsc: Fix error handling in netvsc_attach() (bsc#1175462).
- hv_netvsc: fix error unwind handling if vmbus_open fails (bsc#1175462).
- hv_netvsc: Fix extra rcu_read_unlock in netvsc_recv_callback() (bsc#1175462).
- hv_netvsc: fix handling of fallback to single queue mode (bsc#1175462).
- hv_netvsc: Fix hash key value reset after other ops (bsc#1175462).
- hv_netvsc: Fix IP header checksum for coalesced packets (bsc#1175462).
- hv_netvsc: Fix net device attach on older Windows hosts (bsc#1175462).
- hv_netvsc: fix network namespace issues with VF support (bsc#1175462).
- hv_netvsc: Fix NULL dereference at single queue mode fallback (bsc#1175462).
- hv_netvsc: fix race during initialization (bsc#1175462).
- hv_netvsc: fix race on sub channel creation (bsc#1175462).
- hv_netvsc: fix race that may miss tx queue wakeup (bsc#1175462).
- hv_netvsc: fix schedule in RCU context (bsc#1175462).
- hv_netvsc: Fix the variable sizes in ipsecv2 and rsc offload (bsc#1175462).
- hv_netvsc: Fix tx_table init in rndis_set_subchannel() (bsc#1175462).
- hv_netvsc: Fix unwanted wakeup after tx_disable (bsc#1175462).
- hv_netvsc: Fix unwanted wakeup in netvsc_attach() (bsc#1175462).
- hv_netvsc: flag software created hash value (bsc#1175462).
- hv_netvsc: netvsc_teardown_gpadl() split (bsc#1175462).
- hv_netvsc: only wake transmit queue if link is up (bsc#1175462).
- hv_netvsc: pass netvsc_device to rndis halt (bsc#1175462).
- hv_netvsc: preserve hw_features on mtu/channels/ringparam changes (bsc#1175462).
- hv_netvsc: Refactor assignments of struct netvsc_device_info (bsc#1175462).
- hv_netvsc: set master device (bsc#1175462).
- hv_netvsc: Set tx_table to equal weight after subchannels open (bsc#1175462).
- hv_netvsc: Simplify num_chn checking in rndis_filter_device_add() (bsc#1175462).
- hv_netvsc: Split netvsc_revoke_buf() and netvsc_teardown_gpadl() (bsc#1175462).
- hv_netvsc: split sub-channel setup into async and sync (bsc#1175462).
- hv_netvsc: typo in NDIS RSS parameters structure (bsc#1175462).
- hv_netvsc: use RCU to fix concurrent rx and queue changes (bsc#1175462).
- hv_netvsc: use reciprocal divide to speed up percent calculation (bsc#1175462).
- hv_netvsc: Use Windows version instead of NVSP version on GPAD teardown (bsc#1175462).
- kgraft: truncate the output from state_show() sysfs attr (bsc#1186235).
- mm, memory_hotplug: do not clear numa_node association after hot_remove (bsc#1115026).
- mm: consider __HW_POISON pages when allocating from pcp lists (bsc#1187388).
- scsi: storvsc: Enable scatterlist entry lengths > 4Kbytes (bsc#1187193).
- video: hyperv_fb: Add ratelimit on error message (bsc#1185724).
ImportantSUSE bug 1115026SUSE bug 1175462SUSE bug 1179610SUSE bug 1184611SUSE bug 1185724SUSE bug 1185859SUSE bug 1185860SUSE bug 1185861SUSE bug 1185862SUSE bug 1185863SUSE bug 1185898SUSE bug 1185987SUSE bug 1186060SUSE bug 1186062SUSE bug 1186111SUSE bug 1186235SUSE bug 1186390SUSE bug 1186463SUSE bug 1187038SUSE bug 1187050SUSE bug 1187193SUSE bug 1187215SUSE bug 1187388SUSE bug 1187452SUSE bug 1187595SUSE bug 1187601SUSE bug 1187934SUSE bug 1188062SUSE bug 1188063SUSE bug 1188116CVE-2020-24586 at SUSECVE-2020-24586 at NVDCVE-2020-24587 at SUSECVE-2020-24587 at NVDCVE-2020-24588 at SUSECVE-2020-24588 at NVDCVE-2020-26139 at SUSECVE-2020-26139 at NVDCVE-2020-26141 at SUSECVE-2020-26141 at NVDCVE-2020-26145 at SUSECVE-2020-26145 at NVDCVE-2020-26147 at SUSECVE-2020-26147 at NVDCVE-2020-26558 at SUSECVE-2020-26558 at NVDCVE-2020-36385 at SUSECVE-2020-36385 at NVDCVE-2020-36386 at SUSECVE-2020-36386 at NVDCVE-2021-0129 at SUSECVE-2021-0129 at NVDCVE-2021-0512 at SUSECVE-2021-0512 at NVDCVE-2021-0605 at SUSECVE-2021-0605 at NVDCVE-2021-22555 at SUSECVE-2021-22555 at NVDCVE-2021-23134 at SUSECVE-2021-23134 at NVDCVE-2021-32399 at SUSECVE-2021-32399 at NVDCVE-2021-33034 at SUSECVE-2021-33034 at NVDCVE-2021-33909 at SUSECVE-2021-33909 at NVDCVE-2021-34693 at SUSECVE-2021-34693 at NVDCVE-2021-3609 at SUSECVE-2021-3609 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ardana-cobbler, cassandra, cassandra-kit, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, kibana, openstack-heat-templates, openstack-monasca-installer, openstack-nova, python-Django, python-elementpath, python-eventlet, python-py, python-pysaml2, python-six, python-xmlschema (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for ardana-cobbler, cassandra, cassandra-kit, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, kibana, openstack-heat-templates, openstack-monasca-installer, openstack-nova, python-Django, python-elementpath, python-eventlet, python-py, python-pysaml2, python-six, python-xmlschema fixes the following issues:
Security fixes included on this update:
cassandra-kit:
- CVE-2020-17516: Internode encryption enforcement vulnerability
cassandra:
- CVE-2020-17516: Internode encryption enforcement vulnerability
- CVE-2017-5929 logback: Fixed a serialization vulnerability in SocketServer and ServerSocketReceiver
crowbar-core:
CVE-2020-26247: Potentially XXE or SSRF attacks by parsed Nokogiri::XML::Schema
grafana:
- CVE-2021-27358: Unauthenticated remote attackers to trigger a Denial of Service via a remote API call
kibana:
- CVE-2017-11481: Fixed an XSS via URL fields
- CVE-2017-11499: Fixed a constant hashtable seeds vulnerability
python-Django:
- CVE-2021-28658: Potential directory-traversal via uploaded files
- CVE-2021-31542: Potential directory-traversal via uploaded files
- CVE-2021-33203: Potential directory traversal via admindocs
- CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses
- CVE-2021-23336: Fixed web cache poisoning via django.utils.http.limited_parse_qsl
python-eventlet:
- CVE-2021-21419: Improper handling of highly compressed data and memory allocation with excessive size value
python-pysaml2:
- CVE-2021-21238: Fixed an improper verification of cryptographic signatures for signed SAML documents
- CVE-2021-21239: Fixed an improper verification of cryptographic signatures when using CryptoBackendXmlSec1()_
python-py:
- CVE-2020-29651: Regular expression denial of service in svnwc.py
rubygem-activerecord-session_store:
- CVE-2019-25025: Fixed a hijack sessions by using timing attacks targeting the session id
CVE-2019-16782
Non-security fixes included on this update:
Changes in ardana-cobbler:
- Update to version 8.0+git.1614096566.e8c2b27:
* Change install_recommended to true (bsc#1181828)
Changes in cassandra:
- update to 3.11.10 (bsc#1181689, CVE-2020-17516)
* Fix digest computation for queries with fetched but non queried columns (CASSANDRA-15962)
* Reduce amount of allocations during batch statement execution (CASSANDRA-16201)
* Update jflex-1.6.0.jar to match upstream (CASSANDRA-16393)
* Fix DecimalDeserializer#toString OOM (CASSANDRA-14925)
* Rate limit validation compactions using compaction_throughput_mb_per_sec (CASSANDRA-16161)
* SASI's `max_compaction_flush_memory_in_mb` settings over 100GB revert to default of 1GB (CASSANDRA-16071)
* Prevent unbounded number of pending flushing tasks (CASSANDRA-16261)
* Improve empty hint file handling during startup (CASSANDRA-16162)
* Allow empty string in collections with COPY FROM in cqlsh (CASSANDRA-16372)
* Fix skipping on pre-3.0 created compact storage sstables due to missing primary key liveness (CASSANDRA-16226)
* Extend the exclusion of replica filtering protection to other indices instead of just SASI (CASSANDRA-16311)
* Synchronize transaction logs for JBOD (CASSANDRA-16225)
* Fix the counting of cells per partition (CASSANDRA-16259)
* Fix serial read/non-applying CAS linearizability (CASSANDRA-12126)
* Avoid potential NPE in JVMStabilityInspector (CASSANDRA-16294)
* Improved check of num_tokens against the length of initial_token (CASSANDRA-14477)
* Fix a race condition on ColumnFamilyStore and TableMetrics (CASSANDRA-16228)
* Remove the SEPExecutor blocking behavior (CASSANDRA-16186)
* Fix invalid cell value skipping when reading from disk (CASSANDRA-16223)
* Prevent invoking enable/disable gossip when not in NORMAL (CASSANDRA-16146)
* Wait for schema agreement when bootstrapping (CASSANDRA-15158)
* Fix the histogram merge of the table metrics (CASSANDRA-16259)
* Synchronize Keyspace instance store/clear (CASSANDRA-16210)
* Fix ColumnFilter to avoid querying cells of unselected complex columns (CASSANDRA-15977)
* Fix memory leak in CompressedChunkReader (CASSANDRA-15880)
* Don't attempt value skipping with mixed version cluster (CASSANDRA-15833)
* Avoid failing compactions with very large partitions (CASSANDRA-15164)
* Make sure LCS handles duplicate sstable added/removed notifications correctly (CASSANDRA-14103)
* Fix OOM when terminating repair session (CASSANDRA-15902)
* Avoid marking shutting down nodes as up after receiving gossip shutdown message (CASSANDRA-16094)
* Check SSTables for latest version before dropping compact storage (CASSANDRA-16063)
* Handle unexpected columns due to schema races (CASSANDRA-15899)
* Add flag to ignore unreplicated keyspaces during repair (CASSANDRA-15160)
* Package tools/bin scripts as executable (CASSANDRA-16151)
* Fixed a NullPointerException when calling nodetool enablethrift (CASSANDRA-16127)
* Correctly interpret SASI's `max_compaction_flush_memory_in_mb` setting in megabytes not bytes (CASSANDRA-16071)
* Fix short read protection for GROUP BY queries (CASSANDRA-15459)
* Frozen RawTuple is not annotated with frozen in the toString method (CASSANDRA-15857)
Merged from 3.0:
* Use IF NOT EXISTS for index and UDT create statements in snapshot schema files (CASSANDRA-13935)
* Fix gossip shutdown order (CASSANDRA-15816)
* Remove broken 'defrag-on-read' optimization (CASSANDRA-15432)
* Check for endpoint collision with hibernating nodes (CASSANDRA-14599)
* Operational improvements and hardening for replica filtering protection (CASSANDRA-15907)
* stop_paranoid disk failure policy is ignored on CorruptSSTableException after node is up (CASSANDRA-15191)
* Forbid altering UDTs used in partition keys (CASSANDRA-15933)
* Fix empty/null json string representation (CASSANDRA-15896)
* 3.x fails to start if commit log has range tombstones from a column which is also deleted (CASSANDRA-15970)
* Handle difference in timestamp precision between java8 and java11 in LogFIle.java (CASSANDRA-16050)
Merged from 2.2:
* Fix CQL parsing of collections when the column type is reversed (CASSANDRA-15814)
* Only allow strings to be passed to JMX authentication (CASSANDRA-16077)
* Fix cqlsh output when fetching all rows in batch mode (CASSANDRA-15905)
* Upgrade Jackson to 2.9.10 (CASSANDRA-15867)
* Fix CQL formatting of read command restrictions for slow query log (CASSANDRA-15503)
* Allow sstableloader to use SSL on the native port (CASSANDRA-14904)
* Backport CASSANDRA-12189: escape string literals (CASSANDRA-15948)
* Avoid hinted handoff per-host throttle being arounded to 0 in large cluster (CASSANDRA-15859)
* Avoid emitting empty range tombstones from RangeTombstoneList (CASSANDRA-15924)
* Avoid thread starvation, and improve compare-and-swap performance, in the slab allocators (CASSANDRA-15922)
* Add token to tombstone warning and error messages (CASSANDRA-15890)
* Fixed range read concurrency factor computation and capped as 10 times tpc cores (CASSANDRA-15752)
* Catch exception on bootstrap resume and init native transport (CASSANDRA-15863)
* Fix replica-side filtering returning stale data with CL > ONE (CASSANDRA-8272, CASSANDRA-8273)
* Fix duplicated row on 2.x upgrades when multi-rows range tombstones interact with collection ones (CASSANDRA-15805)
* Rely on snapshotted session infos on StreamResultFuture.maybeComplete to avoid race conditions (CASSANDRA-15667)
* EmptyType doesn't override writeValue so could attempt to write bytes when expected not to (CASSANDRA-15790)
* Fix index queries on partition key columns when some partitions contains only static data (CASSANDRA-13666)
* Avoid creating duplicate rows during major upgrades (CASSANDRA-15789)
* liveDiskSpaceUsed and totalDiskSpaceUsed get corrupted if IndexSummaryRedistribution gets interrupted (CASSANDRA-15674)
* Fix Debian init start/stop (CASSANDRA-15770)
* Fix infinite loop on index query paging in tables with clustering (CASSANDRA-14242)
* Fix chunk index overflow due to large sstable with small chunk length (CASSANDRA-15595)
* Allow selecting static column only when querying static index (CASSANDRA-14242)
* cqlsh return non-zero status when STDIN CQL fails (CASSANDRA-15623)
* Don't skip sstables in slice queries based only on local min/max/deletion timestamp (CASSANDRA-15690)
* Memtable memory allocations may deadlock (CASSANDRA-15367)
* Run evictFromMembership in GossipStage (CASSANDRA-15592)
* Fix nomenclature of allow and deny lists (CASSANDRA-15862)
* Remove generated files from source artifact (CASSANDRA-15849)
* Remove duplicated tools binaries from tarballs (CASSANDRA-15768)
* Duplicate results with DISTINCT queries in mixed mode (CASSANDRA-15501)
* Disable JMX rebinding (CASSANDRA-15653)
* Fix writing of snapshot manifest when the table has table-backed secondary indexes (CASSANDRA-10968)
* Fix parse error in cqlsh COPY FROM and formatting for map of blobs (CASSANDRA-15679)
* Fix Commit log replays when static column clustering keys are collections (CASSANDRA-14365)
* Fix Red Hat init script on newer systemd versions (CASSANDRA-15273)
* Allow EXTRA_CLASSPATH to work on tar/source installations (CASSANDRA-15567)
* Fix bad UDT sstable metadata serialization headers written by C* 3.0 on upgrade and in sstablescrub (CASSANDRA-15035)
* Fix nodetool compactionstats showing extra pending task for TWCS - patch implemented (CASSANDRA-15409)
* Fix SELECT JSON formatting for the 'duration' type (CASSANDRA-15075)
* Fix LegacyLayout to have same behavior as 2.x when handling unknown column names (CASSANDRA-15081)
* Update nodetool help stop output (CASSANDRA-15401)
* Run in-jvm upgrade dtests in circleci (CASSANDRA-15506)
* Include updates to static column in mutation size calculations (CASSANDRA-15293)
* Fix point-in-time recoevery ignoring timestamp of updates to static columns (CASSANDRA-15292)
* GC logs are also put under $CASSANDRA_LOG_DIR (CASSANDRA-14306)
* Fix sstabledump's position key value when partitions have multiple rows (CASSANDRA-14721)
* Avoid over-scanning data directories in LogFile.verify() (CASSANDRA-15364)
* Bump generations and document changes to system_distributed and system_traces in 3.0, 3.11
(CASSANDRA-15441)
* Fix system_traces creation timestamp; optimise system keyspace upgrades (CASSANDRA-15398)
* Fix various data directory prefix matching issues (CASSANDRA-13974)
* Minimize clustering values in metadata collector (CASSANDRA-15400)
* Avoid over-trimming of results in mixed mode clusters (CASSANDRA-15405)
* validate value sizes in LegacyLayout (CASSANDRA-15373)
* Ensure that tracing doesn't break connections in 3.x/4.0 mixed mode by default (CASSANDRA-15385)
* Make sure index summary redistribution does not start when compactions are paused (CASSANDRA-15265)
* Ensure legacy rows have primary key livenessinfo when they contain illegal cells (CASSANDRA-15365)
* Fix race condition when setting bootstrap flags (CASSANDRA-14878)
* Fix NativeLibrary.tryOpenDirectory callers for Windows (CASSANDRA-15426)
* Fix SELECT JSON output for empty blobs (CASSANDRA-15435)
* In-JVM DTest: Set correct internode message version for upgrade test (CASSANDRA-15371)
* In-JVM DTest: Support NodeTool in dtest (CASSANDRA-15429)
* Fix NativeLibrary.tryOpenDirectory callers for Windows (CASSANDRA-15426)
* Fix SASI non-literal string comparisons (range operators) (CASSANDRA-15169)
* Make sure user defined compaction transactions are always closed (CASSANDRA-15123)
* Fix cassandra-env.sh to use $CASSANDRA_CONF to find cassandra-jaas.config (CASSANDRA-14305)
* Fixed nodetool cfstats printing index name twice (CASSANDRA-14903)
* Add flag to disable SASI indexes, and warnings on creation (CASSANDRA-14866)
* Add ability to cap max negotiable protocol version (CASSANDRA-15193)
* Gossip tokens on startup if available (CASSANDRA-15335)
* Fix resource leak in CompressedSequentialWriter (CASSANDRA-15340)
* Fix bad merge that reverted CASSANDRA-14993 (CASSANDRA-15289)
* Fix LegacyLayout RangeTombstoneList IndexOutOfBoundsException when upgrading and RangeTombstone bounds are asymmetric (CASSANDRA-15172)
* Fix NPE when using allocate_tokens_for_keyspace on new DC/rack (CASSANDRA-14952)
* Filter sstables earlier when running cleanup (CASSANDRA-15100)
* Use mean row count instead of mean column count for index selectivity calculation (CASSANDRA-15259)
* Avoid updating unchanged gossip states (CASSANDRA-15097)
* Prevent recreation of previously dropped columns with a different kind (CASSANDRA-14948)
* Prevent client requests from blocking on executor task queue (CASSANDRA-15013)
* Toughen up column drop/recreate type validations (CASSANDRA-15204)
* LegacyLayout should handle paging states that cross a collection column (CASSANDRA-15201)
* Prevent RuntimeException when username or password is empty/null (CASSANDRA-15198)
* Multiget thrift query returns null records after digest mismatch (CASSANDRA-14812)
* Skipping illegal legacy cells can break reverse iteration of indexed partitions (CASSANDRA-15178)
* Handle paging states serialized with a different version than the session's (CASSANDRA-15176)
* Throw IOE instead of asserting on unsupporter peer versions (CASSANDRA-15066)
* Update token metadata when handling MOVING/REMOVING_TOKEN events (CASSANDRA-15120)
* Add ability to customize cassandra log directory using $CASSANDRA_LOG_DIR (CASSANDRA-15090)
* Skip cells with illegal column names when reading legacy sstables (CASSANDRA-15086)
* Fix assorted gossip races and add related runtime checks (CASSANDRA-15059)
* Fix mixed mode partition range scans with limit (CASSANDRA-15072)
* cassandra-stress works with frozen collections: list and set (CASSANDRA-14907)
* Fix handling FS errors on writing and reading flat files - LogTransaction and hints (CASSANDRA-15053)
* Avoid double closing the iterator to avoid overcounting the number of requests (CASSANDRA-15058)
* Improve `nodetool status -r` speed (CASSANDRA-14847)
* Improve merkle tree size and time on heap (CASSANDRA-14096)
* Add missing commands to nodetool_completion (CASSANDRA-14916)
* Anti-compaction temporarily corrupts sstable state for readers (CASSANDRA-15004)
* Catch non-IOException in FileUtils.close to make sure that all resources are closed (CASSANDRA-15225)
* Handle exceptions during authentication/authorization (CASSANDRA-15041)
* Support cross version messaging in in-jvm upgrade dtests (CASSANDRA-15078)
* Fix index summary redistribution cancellation (CASSANDRA-15045)
* Fixing invalid CQL in security documentation (CASSANDRA-15020)
* Allow instance class loaders to be garbage collected for inJVM dtest (CASSANDRA-15170)
* Add support for network topology and query tracing for inJVM dtest (CASSANDRA-15319)
* Correct sstable sorting for garbagecollect and levelled compaction (CASSANDRA-14870)
* Severe concurrency issues in STCS,DTCS,TWCS,TMD.Topology,TypeParser
* Add a script to make running the cqlsh tests in cassandra repo easier (CASSANDRA-14951)
* If SizeEstimatesRecorder misses a 'onDropTable' notification, the size_estimates table will never be cleared for that table. (CASSANDRA-14905)
* Counters fail to increment in 2.1/2.2 to 3.X mixed version clusters (CASSANDRA-14958)
* Streaming needs to synchronise access to LifecycleTransaction (CASSANDRA-14554)
* Fix cassandra-stress write hang with default options (CASSANDRA-14616)
* Differentiate between slices and RTs when decoding legacy bounds (CASSANDRA-14919)
* Netty epoll IOExceptions caused by unclean client disconnects being logged at INFO (CASSANDRA-14909)
* Unfiltered.isEmpty conflicts with Row extends AbstractCollection.isEmpty (CASSANDRA-14588)
* RangeTombstoneList doesn't properly clean up mergeable or superseded rts in some cases (CASSANDRA-14894)
* Fix handling of collection tombstones for dropped columns from legacy sstables (CASSANDRA-14912)
* Throw exception if Columns serialized subset encode more columns than possible (CASSANDRA-14591)
* Drop/add column name with different Kind can result in corruption (CASSANDRA-14843)
* Fix missing rows when reading 2.1 SSTables with static columns in 3.0 (CASSANDRA-14873)
* Move TWCS message 'No compaction necessary for bucket size' to Trace level (CASSANDRA-14884)
* Sstable min/max metadata can cause data loss (CASSANDRA-14861)
* Dropped columns can cause reverse sstable iteration to return prematurely (CASSANDRA-14838)
* Legacy sstables with multi block range tombstones create invalid bound sequences (CASSANDRA-14823)
* Expand range tombstone validation checks to multiple interim request stages (CASSANDRA-14824)
* Reverse order reads can return incomplete results (CASSANDRA-14803)
* Avoid calling iter.next() in a loop when notifying indexers about range tombstones (CASSANDRA-14794)
* Fix purging semi-expired RT boundaries in reversed iterators (CASSANDRA-14672)
* DESC order reads can fail to return the last Unfiltered in the partition (CASSANDRA-14766)
* Fix corrupted collection deletions for dropped columns in 3.0 2.{1,2} messages (CASSANDRA-14568)
* Fix corrupted static collection deletions in 3.0 2.{1,2} messages (CASSANDRA-14568)
* Handle failures in parallelAllSSTableOperation (cleanup/upgradesstables/etc) (CASSANDRA-14657)
* Improve TokenMetaData cache populating performance avoid long locking (CASSANDRA-14660)
* Backport: Flush netty client messages immediately (not by default) (CASSANDRA-13651)
* Fix static column order for SELECT * wildcard queries (CASSANDRA-14638)
* sstableloader should use discovered broadcast address to connect intra-cluster (CASSANDRA-14522)
* Fix reading columns with non-UTF names from schema (CASSANDRA-14468)
* Don't enable client transports when bootstrap is pending (CASSANDRA-14525)
* MigrationManager attempts to pull schema from different major version nodes (CASSANDRA-14928)
* Fix incorrect cqlsh results when selecting same columns multiple times (CASSANDRA-13262)
* Returns null instead of NaN or Infinity in JSON strings (CASSANDRA-14377)
* Paged Range Slice queries with DISTINCT can drop rows from results (CASSANDRA-14956)
* Validate supported column type with SASI analyzer (CASSANDRA-13669)
* Remove BTree.Builder Recycler to reduce memory usage (CASSANDRA-13929)
* Reduce nodetool GC thread count (CASSANDRA-14475)
* Fix New SASI view creation during Index Redistribution (CASSANDRA-14055)
* Remove string formatting lines from BufferPool hot path (CASSANDRA-14416)
* Update metrics to 3.1.5 (CASSANDRA-12924)
* Detect OpenJDK jvm type and architecture (CASSANDRA-12793)
* Don't use guava collections in the non-system keyspace jmx attributes (CASSANDRA-12271)
* Allow existing nodes to use all peers in shadow round (CASSANDRA-13851)
* Fix cqlsh to read connection.ssl cqlshrc option again (CASSANDRA-14299)
* Downgrade log level to trace for CommitLogSegmentManager (CASSANDRA-14370)
* CQL fromJson(null) throws NullPointerException (CASSANDRA-13891)
* Serialize empty buffer as empty string for json output format (CASSANDRA-14245)
* Allow logging implementation to be interchanged for embedded testing (CASSANDRA-13396)
* SASI tokenizer for simple delimiter based entries (CASSANDRA-14247)
* Fix Loss of digits when doing CAST from varint/bigint to decimal (CASSANDRA-14170)
* RateBasedBackPressure unnecessarily invokes a lock on the Guava RateLimiter (CASSANDRA-14163)
* Fix wildcard GROUP BY queries (CASSANDRA-14209)
* Fix corrupted static collection deletions in 3.0 -> 2.{1,2} messages (CASSANDRA-14568)
* Fix potential IndexOutOfBoundsException with counters (CASSANDRA-14167)
* Always close RT markers returned by ReadCommand#executeLocally() (CASSANDRA-14515)
* Reverse order queries with range tombstones can cause data loss (CASSANDRA-14513)
* Fix regression of lagging commitlog flush log message (CASSANDRA-14451)
* Add Missing dependencies in pom-all (CASSANDRA-14422)
* Cleanup StartupClusterConnectivityChecker and PING Verb (CASSANDRA-14447)
* Fix deprecated repair error notifications from 3.x clusters to legacy JMX clients (CASSANDRA-13121)
* Cassandra not starting when using enhanced startup scripts in windows (CASSANDRA-14418)
* Fix progress stats and units in compactionstats (CASSANDRA-12244)
* Better handle missing partition columns in system_schema.columns (CASSANDRA-14379)
* Delay hints store excise by write timeout to avoid race with decommission (CASSANDRA-13740)
* Deprecate background repair and probablistic read_repair_chance table options
(CASSANDRA-13910)
* Add missed CQL keywords to documentation (CASSANDRA-14359)
* Fix unbounded validation compactions on repair / revert CASSANDRA-13797 (CASSANDRA-14332)
* Avoid deadlock when running nodetool refresh before node is fully up (CASSANDRA-14310)
* Handle all exceptions when opening sstables (CASSANDRA-14202)
* Handle incompletely written hint descriptors during startup (CASSANDRA-14080)
* Handle repeat open bound from SRP in read repair (CASSANDRA-14330)
* Respect max hint window when hinting for LWT (CASSANDRA-14215)
* Adding missing WriteType enum values to v3, v4, and v5 spec (CASSANDRA-13697)
* Don't regenerate bloomfilter and summaries on startup (CASSANDRA-11163)
* Fix NPE when performing comparison against a null frozen in LWT (CASSANDRA-14087)
* Log when SSTables are deleted (CASSANDRA-14302)
* Fix batch commitlog sync regression (CASSANDRA-14292)
* Write to pending endpoint when view replica is also base replica (CASSANDRA-14251)
* Chain commit log marker potential performance regression in batch commit mode (CASSANDRA-14194)
* Fully utilise specified compaction threads (CASSANDRA-14210)
* Pre-create deletion log records to finish compactions quicker (CASSANDRA-12763)
* Fix bug that prevented compaction of SSTables after full repairs (CASSANDRA-14423)
* Incorrect counting of pending messages in OutboundTcpConnection (CASSANDRA-11551)
* Fix compaction failure caused by reading un-flushed data (CASSANDRA-12743)
* Use Bounds instead of Range for sstables in anticompaction (CASSANDRA-14411)
* Fix JSON queries with IN restrictions and ORDER BY clause (CASSANDRA-14286)
* Backport circleci yaml (CASSANDRA-14240)
* Check checksum before decompressing data (CASSANDRA-14284)
* CVE-2017-5929 Security vulnerability in Logback warning in NEWS.txt (CASSANDRA-14183)
- Use %license macro
Changes in cassandra-kit:
- Update to Cassandra 3.11.10 (bsc#1181689, CVE-2020-17516)
Changes in crowbar-core:
- Update to version 5.0+git.1622489449.a8e60e238:
* avoid v4.1.5 of delayed_job_active_record (noref)
* add CVE-2020-26247 to travis ignore list (bsc#1180507)
Changes in crowbar-openstack:
- Update to version 5.0+git.1616001417.67fd9c2a1:
* monasca: restart Kibana on update (bsc#1044849)
- Update to version 5.0+git.1615542070.7841c34b7:
* monasca: fix monasca-server reinstall state check (SOC-11471)
Changes in documentation-suse-openstack-cloud:
- Update to version 8.20210512:
* Moved Monasca deployment to immediately after keystone (SOC-11525) (#1312)
- Update to version 8.20210511:
* Update the correct SLES version to suse-12.3 (SOC-11521) (#1321)
* Renamed the repo name from SLE12-SP3-HA to SLE-HA12-SP3 (SOC-11523) (#1320)
- Update to version 8.20210511:
* Add bm-power-status playbook to add sles compute section (#1317)
- Update to version 8.20210507:
* Add instructions for checking MySQL cert expiry (SOC-11422) (#1311)
- Update to version 8.20210304:
* Add nova and heat db purge cron jobs to maintenance section (SOC-9876) (#1307)
Changes in grafana:
- Add CVE-2021-27358.patch (bsc#1183803, CVE-2021-27358)
* Prevent unauthenticated remote attackers from causing a DoS through the
snapshots API.
Changes in kibana:
- Ensure /etc/sysconfig/kibana is present
- Update to Kibana 4.6.6 (bsc#1044849, CVE-2017-11499, ESA-2017-14,
ESA-2017-16)
* [4.6] ignore forked code for babel transpile build phase (#13483)
* Allow more than match queries in custom filters (#8614) (#10857)
* [state] don't make extra $location.replace() calls (#9954)
* [optimizer] move to querystring-browser package for up-to-date api
* [state/unhashUrl] use encode-uri-query to generate cleanly encoded urls
* server: refactor log_interceptor to be more DRY (#9617)
* server: downgrade ECANCELED logs to debug (#9616)
* server: do not treat logged warnings as errors (#8746) (#9610)
* [server/logger] downgrade EPIPE errors to debug level (#9023)
* Add basepath when redirecting from a trailling slash (#9035)
* [es/kibanaIndex] use unmapped_type rather than ignore_unmapped (#8968)
* [server/shortUrl] validate urls before shortening them
- Add CVE-2017-11481.patch (bsc#1044849, CVE-2017-11481)
* This fixes an XSS vulnerability in URL fields
- Remove %dir declaration from /opt/kibana/optimize to ensure
no files owned by root end up in there
- Exclude /opt/kibana/optimize from %fdupes
- Restart service on upgrade
- Do not copy LICENSE.txt and README.txt to /opt/kibana
- Fix rpmlint warnings/errors
- Switch to explicit patch application
- Fix source URL
- Fix logic for systemd/systemv detection
Changes in openstack-heat-templates:
- Update to version 0.0.0+git.1623056900.7917e18:
* Fix zuul config for heat-templates-check
- Update to version 0.0.0+git.1621405516.71a0f7a:
* Remove testr
Changes in openstack-monasca-installer:
- Add 0001-fix-influxdb-stop-task.patch (SOC-11470)
- Add 0001-fix-cassandra-deployment.patch (SOC-11470)
Changes in openstack-nova:
- Update to version nova-16.1.9.dev92:
* Lowercase ironic driver hash ring and ignore case in cache
* Include only required fields in ironic node cache
* Add resource\_class to fields in ironic node cache
- Update to version nova-16.1.9.dev86:
* [stable-only] Move grenade jobs to experimental
* Update resources once in update\_available\_resource
* rt: Make resource tracker always invoking get\_inventory()
- Update to version nova-16.1.9.dev81:
* [stable-only] gate: Pin CEPH\_RELEASE to nautilus in LM hook
- Update to version nova-16.1.9.dev80:
* [placement] Add status and links fields to version document at /
Changes in openstack-nova:
- Update to version nova-16.1.9.dev92:
* Lowercase ironic driver hash ring and ignore case in cache
* Include only required fields in ironic node cache
* Add resource\_class to fields in ironic node cache
- Update to version nova-16.1.9.dev86:
* [stable-only] Move grenade jobs to experimental
* Update resources once in update\_available\_resource
* rt: Make resource tracker always invoking get\_inventory()
- Update to version nova-16.1.9.dev81:
* [stable-only] gate: Pin CEPH\_RELEASE to nautilus in LM hook
- Update to version nova-16.1.9.dev80:
* [placement] Add status and links fields to version document at /
Changes in python-Django:
- Add CVE-2021-33203.patch (bsc#1186608, CVE-2021-33203)
* Fixed potential path-traversal via admindocs' TemplateDetailView.
- Add CVE-2021-33571.patch (bsc#1186611, CVE-2021-33571)
* Prevented leading zeros in IPv4 addresses.
- Add CVE-2021-31542.patch (bsc#1185623, CVE-2021-31542)
* Fixed CVE-2021-31542 -- Tightened path and file name sanitation in file
uploads.
- Add CVE-2021-28658.patch (bsc#1184148, CVE-2021-28658)
* Fixed potential directory-traversal via uploaded files
- Add CVE-2021-23336.patch (bsc#1182433, CVE-2021-23336)
* Fixed web cache poisoning via django.utils.http.limited_parse_qsl()
Changes in python-eventlet:
- Add 0001-websocket-fd-leak-when-client-did-not-close-connecti.patch
- Add 0002-websocket-Limit-maximum-uncompressed-frame-length-to.patch (bsc#1185836 CVE-2021-21419)
* websocket: Limit maximum uncompressed frame length to 8MiB
Changes in python-py:
- Add CVE-2020-29651.patch ((bsc#1179805, CVE-2020-29651)
* svnwc: fix regular expression vulnerable to DoS in blame
functionality
Changes in python-pysaml2:
- Add %dir declaration for %{_licensedir}
- Fix CVE-2021-21238, bsc#1181277 with
0004-Strengthen-XSW-tests.patch ,
0005-Fix-the-parser-to-not-break-on-ePTID-AttributeValues.patch ,
0006-Add-xsd-schemas.patch ,
0007-Fix-CVE-2021-21238-SAML-XML-Signature-wrapping.patch .
This adds a dependency on python-xmlschema, which depends on
python-elementpath and build depends python-pathlib2, which depends on
python-scandir, thus all these need to be added for this to work.
The used python-xmlschema needs to support the sandbox argument
which was added in 1.2.0 and refined in 1.2.1, but that version
doesn't support python2, so a patched version that does both is
needed.
0009-Make-previous-commits-python2-compatible.patch to
not add a dependency on reportlib_resources and make other
changes python2 compatible.
- Fix CVE-2021-21239, bsc#1181278 with
0008-Fix-CVE-2021-21239-Restrict-the-key-data-that-xmlsec.patch
Changes in venv-openstack-keystone:
- Add python-xmlschema and python-elementpath for new python-pysaml2 version.
Changes in python-xmlschema:
- Add missed BuildRequires on pathlib2
- Add 3 patches to backport sandbox argument, which is needed by a security fix
in python-pysaml2 and one patch to make backport python2 compatible.
- Upstream url changed
- Add rpmlintrc to make it work on Leap 42.3
- Update to 1.0.18:
* Fix for *ModelVisitor.iter_unordered_content()*
* Fixed default converter, AbderaConverter and JsonMLConverter for xs:anyType decode
* Fixed validation tests with all converters
* Added UnorderedConverter to validation tests
- Update to 1.0.17:
* Enhancement of validation-only speed (~15%)
* Added *is_valid()* and *iter_errors()* to module API
- Update to 1.0.16:
* Improved XMLResource class for working with compressed files
* Fix for validation with XSD wildcards and 'lax' process content
* Fix ambiguous items validation for xs:choice and xs:sequence models
- Handle UnicodeDecodeErrors during build process
- Update to 1.0.15:
* Improved XPath 2.0 bindings
* Added logging for schema initialization and building (handled with argument loglevel)
* Update encoding of collapsed contents with a new model based reordering method
* Removed XLink namespace from meta-schema (loaded from a fallback location like XHTML)
* Fixed half of failed W3C instance tests (remain 255 over 15344 tests)
- Initial commit, needed by pytest 5.1.2
Changes in python-elementpath:
- Update to 1.3.1:
* Improved schema proxy
* Improved XSD type matching using paths
* Cached parent path for XPathContext (only Python 3)
* Improve typed selection with TypedAttribute and TypedElement named-tuples
* Add iter_results to XPathContext
* Remove XMLSchemaProxy from package
* Fix descendant shortcut operator '//'
* Fix text() function
* Fix typed select of '(name)' token
* Fix 24-hour time for DateTime
- Skip test_hashing to fix 32bit builds
- Initial commit needed by python-xmlschema
Changes in python-six:
- Update in SLE-12 (bsc#1176784, jsc#ECO-3105, jsc#PM-2352)
- Fix testsuite on SLE-12
+ Add python to BuildRequires for suse_version less 1500
- Fix dbm deps as the MU for provides: python-dbm was not released
on sle12 yet
- Add requirement on pytest > 4.0 to see the pytest module works
with this MU
- Do not cause buildcycle with previous change but rather
install the egg-info prepared metadata from the tarball
- use setuptools for building to support pip 10.x (bsc#1166139)
- update to 1.14.0
* Add `six.assertNotRegex`
* `six.moves._dummy_thread` now points to the `_thread` module on
Python 3.9+. Python 3.7 and later requires threading and deprecated the
`_dummy_thread` module
* Remove support for Python 2.6 and Python 3.2
* `six.wraps` now ignores missing attributes
- Pull in dbm/gdbm module from python for testing
- update to 0.13.0:
- Issue #298, pull request #299: Add `six.moves.dbm_ndbm`.
- Issue #155: Add `six.moves.collections_abc`, which aliases the `collections`
module on Python 2-3.2 and the `collections.abc` on Python 3.3 and greater.
- Pull request #304: Re-add distutils fallback in `setup.py`.
- Pull request #305: On Python 3.7, `with_metaclass` supports classes using PEP
- Simplify the pytest call
- Fix pytest call
- Fixdocumentation package generating
- Change %pretrans back to %pre to fix bootstrap issue
boo#1123064 bsc#1143893
- Require just base python module, even full python is too much
and it is not required here
- Update to 0.12.0:
* `six.add_metaclass` now preserves `__qualname__` from the
original class.
* Add `six.ensure_binary`, `six.ensure_text`, and
`six.ensure_str`.
- Because of cyclical dependencies between six and Sphinx, we
need to to do multibuild.
- Include in SLE-12 (FATE#326838, bsc#1113302)
- remove egg-info directory in %pretrans
- fix egg-info directory pattern
- match any version of egg-info for a certain python version
- Break the cycilical dependency on python-setuptools.
- Remove argparse dependency
- build python3 subpackage (FATE#324435, bsc#1073879)
- remove egg-info directory before installation if it exists,
because setuptools produce directory and six switched to distutils
that produce a file
(and because rpm can't handle that by itself)
fixes bsc#1057496
- Fix Source url
- README->README.rst, add CHANGES
- update to version 1.11.0:
* Pull request #178: `with_metaclass` now properly proxies
`__prepare__` to the underlying metaclass.
* Pull request #191: Allow `with_metaclass` to work with metaclasses
implemented in C.
* Pull request #203: Add parse_http_list and parse_keqv_list to
moved urllib.request.
* Pull request #172 and issue #171: Add unquote_to_bytes to moved
urllib.parse.
* Pull request #167: Add `six.moves.getoutput`.
* Pull request #80: Add `six.moves.urllib_parse.splitvalue`.
* Pull request #75: Add `six.moves.email_mime_image`.
* Pull request #72: Avoid creating reference cycles through
tracebacks in `reraise`.
- Submit 1.9.0 to SLE-12 (fate#319030, fate#318838, bsc#940812)
- sanitize release line in specfile
Changes in rubygem-activerecord-session_store.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- added CVE-2019-25025.patch (CVE-2019-25025, bsc#1183174)
* This requires CVE-2019-16782.patch to be included in rubygem-actionpack-4_2
to work correctly.
Changes in venv-openstack-keystone:
- Add python-xmlschema and python-elementpath for new python-pysaml2 version.
- Add python-defusedxml (bsc#1019074)
- Inherit version number of venv from main component (SCRD-8523)
ModerateSUSE bug 1019074SUSE bug 1044849SUSE bug 1057496SUSE bug 1073879SUSE bug 1113302SUSE bug 1123064SUSE bug 1143893SUSE bug 1166139SUSE bug 1176784SUSE bug 1179805SUSE bug 1180507SUSE bug 1181277SUSE bug 1181278SUSE bug 1181689SUSE bug 1181828SUSE bug 1182433SUSE bug 1183174SUSE bug 1183803SUSE bug 1184148SUSE bug 1185623SUSE bug 1185836SUSE bug 1186608SUSE bug 1186611SUSE bug 940812CVE-2017-11481 at SUSECVE-2017-11481 at NVDCVE-2017-11499 at SUSECVE-2017-11499 at NVDCVE-2017-5929 at SUSECVE-2017-5929 at NVDCVE-2019-25025 at SUSECVE-2019-25025 at NVDCVE-2020-17516 at SUSECVE-2020-17516 at NVDCVE-2020-26247 at SUSECVE-2020-26247 at NVDCVE-2020-29651 at SUSECVE-2020-29651 at NVDCVE-2021-21238 at SUSECVE-2021-21238 at NVDCVE-2021-21239 at SUSECVE-2021-21239 at NVDCVE-2021-21419 at SUSECVE-2021-21419 at NVDCVE-2021-23336 at SUSECVE-2021-23336 at NVDCVE-2021-27358 at SUSECVE-2021-27358 at NVDCVE-2021-28658 at SUSECVE-2021-28658 at NVDCVE-2021-31542 at SUSECVE-2021-31542 at NVDCVE-2021-33203 at SUSECVE-2021-33203 at NVDCVE-2021-33571 at SUSECVE-2021-33571 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for qemu (Important)SUSE OpenStack Cloud Crowbar 8
This update for qemu fixes the following issues:
Security issues fixed:
- CVE-2021-3595: Fixed slirp: invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366)
- CVE-2021-3592: Fix for slirp: invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364)
- CVE-2021-3594: Fix for slirp: invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367)
- CVE-2021-3593: Fix for slirp: invalid pointer initialization may lead to information disclosure (udp6) (bsc#1187365)
- CVE-2021-3611: Fix intel-hda segmentation fault due to stack overflow (bsc#1187529)
ImportantSUSE bug 1187364SUSE bug 1187365SUSE bug 1187366SUSE bug 1187367SUSE bug 1187529CVE-2021-3592 at SUSECVE-2021-3592 at NVDCVE-2021-3593 at SUSECVE-2021-3593 at NVDCVE-2021-3594 at SUSECVE-2021-3594 at NVDCVE-2021-3595 at SUSECVE-2021-3595 at NVDCVE-2021-3611 at SUSECVE-2021-3611 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for dbus-1 (Important)SUSE OpenStack Cloud Crowbar 8
This update for dbus-1 fixes the following issues:
- CVE-2020-35512: Fixed a bug where users with the same numeric UID could lead to use-after-free and undefined behaviour. (bsc#1187105)
- CVE-2020-12049: Fixed a bug where a truncated messages lead to resource exhaustion. (bsc#1172505)
ImportantSUSE bug 1172505SUSE bug 1187105CVE-2020-12049 at SUSECVE-2020-12049 at NVDCVE-2020-35512 at SUSECVE-2020-35512 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud Crowbar 8
This update for webkit2gtk3 fixes the following issues:
Update to version 2.32.3:
- CVE-2021-21775: Fixed a use-after-free vulnerability in the way certain events are processed for ImageLoader objects. A specially crafted web page can lead to a potential information leak and further memory corruption. A victim must be tricked into visiting a malicious web page to trigger this vulnerability. (bsc#1188697)
- CVE-2021-21779: Fixed a use-after-free vulnerability in the way that WebKit GraphicsContext handles certain events. A specially crafted web page can lead to a potential information leak and further memory corruption. A victim must be tricked into visiting a malicious web page to trigger this vulnerability. (bsc#1188697)
- CVE-2021-30663: An integer overflow was addressed with improved input validation. (bsc#1188697)
- CVE-2021-30665: A memory corruption issue was addressed with improved state management. (bsc#1188697)
- CVE-2021-30689: A logic issue was addressed with improved state management. (bsc#1188697)
- CVE-2021-30720: A logic issue was addressed with improved restrictions. (bsc#1188697)
- CVE-2021-30734: Multiple memory corruption issues were addressed with improved memory handling. (bsc#1188697)
- CVE-2021-30744: A cross-origin issue with iframe elements was addressed with improved tracking of security origins. (bsc#1188697)
- CVE-2021-30749: Multiple memory corruption issues were addressed with improved memory handling. (bsc#1188697)
- CVE-2021-30758: A type confusion issue was addressed with improved state handling. (bsc#1188697)
- CVE-2021-30795: A use after free issue was addressed with improved memory management. (bsc#1188697)
- CVE-2021-30797: This issue was addressed with improved checks. (bsc#1188697)
- CVE-2021-30799: Multiple memory corruption issues were addressed with improved memory handling. (bsc#1188697)
ImportantSUSE bug 1188697CVE-2021-21775 at SUSECVE-2021-21775 at NVDCVE-2021-21779 at SUSECVE-2021-21779 at NVDCVE-2021-30663 at SUSECVE-2021-30663 at NVDCVE-2021-30665 at SUSECVE-2021-30665 at NVDCVE-2021-30689 at SUSECVE-2021-30689 at NVDCVE-2021-30720 at SUSECVE-2021-30720 at NVDCVE-2021-30734 at SUSECVE-2021-30734 at NVDCVE-2021-30744 at SUSECVE-2021-30744 at NVDCVE-2021-30749 at SUSECVE-2021-30749 at NVDCVE-2021-30758 at SUSECVE-2021-30758 at NVDCVE-2021-30795 at SUSECVE-2021-30795 at NVDCVE-2021-30797 at SUSECVE-2021-30797 at NVDCVE-2021-30799 at SUSECVE-2021-30799 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for djvulibre (Important)SUSE OpenStack Cloud Crowbar 8
This update for djvulibre fixes the following issues:
- CVE-2021-3630: out-of-bounds write in DJVU:DjVuTXT:decode() in DjVuText.cpp (bsc#1187869)
ImportantSUSE bug 1187869CVE-2021-3630 at SUSECVE-2021-3630 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-Pillow (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-Pillow fixes the following issues:
- CVE-2021-34552: Fixed a buffer overflow in Convert.c (bsc#1188574)
ImportantSUSE bug 1188574CVE-2021-34552 at SUSECVE-2021-34552 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for cpio (Important)SUSE OpenStack Cloud Crowbar 8
This update for cpio fixes the following issues:
It was possible to trigger Remote code execution due to a integer overflow (CVE-2021-38185, bsc#1189206)
ImportantSUSE bug 1189206CVE-2021-38185 at SUSECVE-2021-38185 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libcares2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for libcares2 fixes the following issues:
- CVE-2021-3672: Fixed input validation on hostnames (bsc#1188881).
ImportantSUSE bug 1188881CVE-2021-3672 at SUSECVE-2021-3672 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 78.13.0 ESR (MFSA 2021-34, bsc#1188891):
- CVE-2021-29986: Race condition when resolving DNS names could have led to memory corruption
- CVE-2021-29988: Memory corruption as a result of incorrect style treatment
- CVE-2021-29984: Incorrect instruction reordering during JIT optimization
- CVE-2021-29980: Uninitialized memory in a canvas object could have led to memory corruption
- CVE-2021-29985: Use-after-free media channels
- CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
ImportantSUSE bug 1188891CVE-2021-29980 at SUSECVE-2021-29980 at NVDCVE-2021-29984 at SUSECVE-2021-29984 at NVDCVE-2021-29985 at SUSECVE-2021-29985 at NVDCVE-2021-29986 at SUSECVE-2021-29986 at NVDCVE-2021-29988 at SUSECVE-2021-29988 at NVDCVE-2021-29989 at SUSECVE-2021-29989 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-puma (Important)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-puma fixes the following issues:
- CVE-2021-29509: Incomplete fix for CVE-2019-16770 allows Denial of Service (bsc#1188527)
ImportantSUSE bug 1188527CVE-2021-29509 at SUSECVE-2021-29509 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Recommended update for cpio (Critical)SUSE OpenStack Cloud Crowbar 8
This update for cpio fixes the following issues:
- A regression in the previous update could lead to crashes (bsc#1189465)
CriticalSUSE bug 1189465CVE-2021-38185 at SUSECVE-2021-38185 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_8_0-openjdk (Important)SUSE OpenStack Cloud Crowbar 8
This update for java-1_8_0-openjdk fixes the following issues:
- Update to version jdk8u302 (icedtea 3.20.0)
- CVE-2021-2341: Improve file transfers. (bsc#1188564)
- CVE-2021-2369: Better jar file validation. (bsc#1188565)
- CVE-2021-2388: Enhance compiler validation. (bsc#1188566)
- CVE-2021-2161: Less ambiguous processing. (bsc#1185056)
ImportantSUSE bug 1185056SUSE bug 1188564SUSE bug 1188565SUSE bug 1188566CVE-2021-2161 at SUSECVE-2021-2161 at NVDCVE-2021-2341 at SUSECVE-2021-2341 at NVDCVE-2021-2369 at SUSECVE-2021-2369 at NVDCVE-2021-2388 at SUSECVE-2021-2388 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for cpio (Important)SUSE OpenStack Cloud Crowbar 8
This update for cpio fixes the following issues:
- A patch previously applied to remedy CVE-2021-38185 introduced a regression
that had the potential to cause a segmentation fault in cpio. [bsc#1189465]
ImportantSUSE bug 1189465CVE-2021-38185 at SUSECVE-2021-38185 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-PyYAML (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-PyYAML fixes the following issues:
- Update to 5.3.1.
- CVE-2020-14343: A vulnerability was discovered in the PyYAML library,
where it was susceptible to arbitrary code execution when it processes
untrusted YAML files through the full_load method or with the FullLoader
loader. Applications that use the library to process untrusted input
may be vulnerable to this flaw. This flaw allows an attacker to
execute arbitrary code on the system by abusing the python/object/new
constructor. This flaw is due to an incomplete fix for CVE-2020-1747.
ImportantSUSE bug 1174514CVE-2020-14343 at SUSECVE-2020-14343 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openssl (Important)SUSE OpenStack Cloud Crowbar 8
This update for openssl fixes the following security issue:
- CVE-2021-3712: a bug in the code for printing certificate details could lead
to a buffer overrun that a malicious actor could exploit to crash the
application, causing a denial-of-service attack. [bsc#1189521]
ImportantSUSE bug 1189521CVE-2021-3712 at SUSECVE-2021-3712 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openvswitch (Important)SUSE OpenStack Cloud Crowbar 8
This update for openvswitch fixes the following issues:
- openvswitch was updated to 2.7.12
- CVE-2020-27827: Fixed a memory leak when parsing lldp packets (bsc#1181345)
A lot more minor bugs have been fixed with this openvswitch version. Please refer to the changelog of
the openvswitch.rpm file in order to obtain a list of all changes.
ImportantSUSE bug 1117483SUSE bug 1181345CVE-2020-27827 at SUSECVE-2020-27827 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for aspell (Important)SUSE OpenStack Cloud Crowbar 8
This update for aspell fixes the following issues:
- CVE-2019-25051: Fixed heap-buffer-overflow in acommon:ObjStack:dup_top (bsc#1188576).
ImportantSUSE bug 1188576CVE-2019-25051 at SUSECVE-2019-25051 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for bind (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for bind fixes the following issues:
- CVE-2020-8622: A truncated TSIG response can lead to an assertion failure (bsc#1175443).
ModerateSUSE bug 1175443SUSE bug 1188888CVE-2020-8622 at SUSECVE-2020-8622 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for mysql-connector-java (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for mysql-connector-java fixes the following issues:
- CVE-2020-2875: Unauthenticated attacker with network access via multiple protocols can compromise MySQL Connectors. (bsc#1173600)
- CVE-2020-2934: Fixed a vulnerability which could cause a partial denial of service of MySQL Connectors. (bsc#1173600)
- CVE-2020-2933: Fixed a vulnerability which could allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. (bsc#1173600)
ModerateSUSE bug 1173600CVE-2020-2875 at SUSECVE-2020-2875 at NVDCVE-2020-2933 at SUSECVE-2020-2933 at NVDCVE-2020-2934 at SUSECVE-2020-2934 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openexr (Important)SUSE OpenStack Cloud Crowbar 8
This update for openexr fixes the following issues:
- CVE-2021-20298 [bsc#1188460]: Fixed Out-of-memory in B44Compressor
- CVE-2021-20299 [bsc#1188459]: Fixed Null-dereference READ in Imf_2_5:Header:operator
- CVE-2021-20300 [bsc#1188458]: Fixed Integer-overflow in Imf_2_5:hufUncompress
- CVE-2021-20302 [bsc#1188462]: Fixed Floating-point-exception in Imf_2_5:precalculateTileInfot
- CVE-2021-20303 [bsc#1188457]: Fixed Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer
- CVE-2021-20304 [bsc#1188461]: Fixed Undefined-shift in Imf_2_5:hufDecode
ImportantSUSE bug 1188457SUSE bug 1188458SUSE bug 1188459SUSE bug 1188460SUSE bug 1188461SUSE bug 1188462CVE-2021-20298 at SUSECVE-2021-20298 at NVDCVE-2021-20299 at SUSECVE-2021-20299 at NVDCVE-2021-20300 at SUSECVE-2021-20300 at NVDCVE-2021-20302 at SUSECVE-2021-20302 at NVDCVE-2021-20303 at SUSECVE-2021-20303 at NVDCVE-2021-20304 at SUSECVE-2021-20304 at NVDCVE-2021-3476 at SUSECVE-2021-3476 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libesmtp (Important)SUSE OpenStack Cloud Crowbar 8
This update for libesmtp fixes the following issues:
- CVE-2019-19977: Fix stack-based buffer over-read in ntlm/ntlmstruct.c (bsc#1160462).
ImportantSUSE bug 1160462SUSE bug 1189097CVE-2019-19977 at SUSECVE-2019-19977 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-addressable (Important)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-addressable fixes the following issues:
- CVE-2021-32740: Fixed denial of service via maliciously crafted templates (bsc#1188207).
ImportantSUSE bug 1188207CVE-2021-32740 at SUSECVE-2021-32740 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for file (Important)SUSE OpenStack Cloud Crowbar 8
This update for file fixes the following issues:
- CVE-2019-18218: Fixed heap-based buffer overflow in cdf_read_property_info in cdf.c (bsc#1154661).
ImportantSUSE bug 1154661CVE-2019-18218 at SUSECVE-2019-18218 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for xen (Important)SUSE OpenStack Cloud Crowbar 8
This update for xen fixes the following issues:
- CVE-2021-3594: slirp: invalid pointer initialization may lead to information disclosure (udp)(bsc#1187378).
- CVE-2021-3595: slirp: invalid pointer initialization may lead to information disclosure (tftp)(bsc#1187376).
- CVE-2021-28698: long running loops in grant table handling (XSA-380)(bsc#1189378).
- CVE-2021-28699: inadequate grant-v2 status frames array bounds check (XSA-382)(bsc#1189380).
- CVE-2021-20255: Fixed stack overflow via infinite recursion in eepro100 (bsc#1182654)
- CVE-2021-28690: xen: x86: TSX Async Abort protections not restored after S3 (bsc#1186434)
- CVE-2021-28692: xen: inappropriate x86 IOMMU timeout detection / handling (bsc#1186429)
- CVE-2021-28694,CVE-2021-28695,CVE-2021-28696: IOMMU page mapping issues on x86 (XSA-378)(bsc#1189373).
- CVE-2021-0089: xen: Speculative Code Store Bypass (bsc#1186433)
- CVE-2021-28697: grant table v2 status pages may remain accessible after de-allocation (XSA-379)(bsc#1189376).
- CVE-2021-3592: slirp: invalid pointer initialization may lead to information disclosure (bootp)(bsc#1187369).
- Prevent superpage allocation in the LAPIC and ACPI_INFO range (bsc#1189882).
ImportantSUSE bug 1182654SUSE bug 1186429SUSE bug 1186433SUSE bug 1186434SUSE bug 1187369SUSE bug 1187376SUSE bug 1187378SUSE bug 1189373SUSE bug 1189376SUSE bug 1189378SUSE bug 1189380SUSE bug 1189882CVE-2021-0089 at SUSECVE-2021-0089 at NVDCVE-2021-20255 at SUSECVE-2021-20255 at NVDCVE-2021-28690 at SUSECVE-2021-28690 at NVDCVE-2021-28692 at SUSECVE-2021-28692 at NVDCVE-2021-28694 at SUSECVE-2021-28694 at NVDCVE-2021-28695 at SUSECVE-2021-28695 at NVDCVE-2021-28696 at SUSECVE-2021-28696 at NVDCVE-2021-28697 at SUSECVE-2021-28697 at NVDCVE-2021-28698 at SUSECVE-2021-28698 at NVDCVE-2021-28699 at SUSECVE-2021-28699 at NVDCVE-2021-3592 at SUSECVE-2021-3592 at NVDCVE-2021-3594 at SUSECVE-2021-3594 at NVDCVE-2021-3595 at SUSECVE-2021-3595 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Recommended update for mozilla-nspr, mozilla-nss (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for mozilla-nspr fixes the following issues:
mozilla-nspr was updated to version 4.32:
* implement new socket option PR_SockOpt_DontFrag
* support larger DNS records by increasing the default buffer
size for DNS queries
* Lock access to PRCallOnceType members in PR_CallOnce* for
thread safety bmo#1686138
* PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get
information about the operating system build version.
Mozilla NSS was updated to version 3.68:
* bmo#1713562 - Fix test leak.
* bmo#1717452 - NSS 3.68 should depend on NSPR 4.32.
* bmo#1693206 - Implement PKCS8 export of ECDSA keys.
* bmo#1712883 - DTLS 1.3 draft-43.
* bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
* bmo#1713562 - Validate ECH public names.
* bmo#1717610 - Add function to get seconds from epoch from pkix::Time.
update to NSS 3.67
* bmo#1683710 - Add a means to disable ALPN.
* bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66).
* bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja.
* bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c.
* bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte.
update to NSS 3.66
* bmo#1710716 - Remove Expired Sonera Class2 CA from NSS.
* bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority.
* bmo#1708307 - Remove Trustis FPS Root CA from NSS.
* bmo#1707097 - Add Certum Trusted Root CA to NSS.
* bmo#1707097 - Add Certum EC-384 CA to NSS.
* bmo#1703942 - Add ANF Secure Server Root CA to NSS.
* bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS.
* bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database.
* bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler.
* bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h.
* bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators.
* bmo#1709291 - Add VerifyCodeSigningCertificateChain.
update to NSS 3.65
* bmo#1709654 - Update for NetBSD configuration.
* bmo#1709750 - Disable HPKE test when fuzzing.
* bmo#1566124 - Optimize AES-GCM for ppc64le.
* bmo#1699021 - Add AES-256-GCM to HPKE.
* bmo#1698419 - ECH -10 updates.
* bmo#1692930 - Update HPKE to final version.
* bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default.
* bmo#1703936 - New coverity/cpp scanner errors.
* bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards.
* bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
* bmo#1705119 - Deadlock when using GCM and non-thread safe tokens.
update to NSS 3.64
* bmo#1705286 - Properly detect mips64.
* bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and
disable_crypto_vsx.
* bmo#1698320 - replace __builtin_cpu_supports('vsx') with
ppc_crypto_support() for clang.
* bmo#1613235 - Add POWER ChaCha20 stream cipher vector
acceleration.
Fixed in 3.63
* bmo#1697380 - Make a clang-format run on top of helpful contributions.
* bmo#1683520 - ECCKiila P384, change syntax of nested structs
initialization to prevent build isses with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual
scalar multiplication.
* bmo#1683520 - ECCKiila P521, change syntax of nested structs
initialization to prevent build isses with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual
scalar multiplication.
* bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683.
* bmo#1694214 - tstclnt can't enable middlebox compat mode.
* bmo#1694392 - NSS does not work with PKCS #11 modules not supporting
profiles.
* bmo#1685880 - Minor fix to prevent unused variable on early return.
* bmo#1685880 - Fix for the gcc compiler version 7 to support setenv
with nss build.
* bmo#1693217 - Increase nssckbi.h version number for March 2021 batch
of root CA changes, CA list version 2.48.
* bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's
'Chambers of Commerce' and 'Global Chambersign' roots.
* bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER.
* bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS.
* bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS.
* bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs
from NSS.
* bmo#1687822 - Turn off Websites trust bit for the “Staat der
Nederlanden Root CA - G3” root cert in NSS.
* bmo#1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce
Root - 2008' and 'Global Chambersign Root - 2008’.
* bmo#1694291 - Tracing fixes for ECH.
update to NSS 3.62
* bmo#1688374 - Fix parallel build NSS-3.61 with make
* bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add()
can corrupt 'cachedCertTable'
* bmo#1690583 - Fix CH padding extension size calculation
* bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail
* bmo#1690421 - Install packaged libabigail in docker-builds image
* bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing
* bmo#1674819 - Fixup a51fae403328, enum type may be signed
* bmo#1681585 - Add ECH support to selfserv
* bmo#1681585 - Update ECH to Draft-09
* bmo#1678398 - Add Export/Import functions for HPKE context
* bmo#1678398 - Update HPKE to draft-07
update to NSS 3.61
* bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key
values under certain conditions.
* bmo#1684300 - Fix default PBE iteration count when NSS is compiled
with NSS_DISABLE_DBM.
* bmo#1651411 - Improve constant-timeness in RSA operations.
* bmo#1677207 - Upgrade Google Test version to latest release.
* bmo#1654332 - Add aarch64-make target to nss-try.
Update to NSS 3.60.1:
Notable changes in NSS 3.60:
* TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support
has been added, replacing the previous ESNI (draft-ietf-tls-esni-01)
implementation. See bmo#1654332 for more information.
* December 2020 batch of Root CA changes, builtins library updated
to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769
for more information.
Update to NSS 3.59.1:
* bmo#1679290 - Fix potential deadlock with certain third-party
PKCS11 modules
Update to NSS 3.59:
Notable changes:
* Exported two existing functions from libnss:
CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData
Bugfixes
* bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
* bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
* bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
* bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
* bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed
root certs when SHA1 signatures are disabled.
* bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to
solve some test intermittents
* bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in
our CVE-2020-25648 fix that broke purple-discord
(boo#1179382)
* bmo#1666891 - Support key wrap/unwrap with RSA-OAEP
* bmo#1667989 - Fix gyp linking on Solaris
* bmo#1668123 - Export CERT_AddCertToListHeadWithData and
CERT_AddCertToListTailWithData from libnss
* bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
* bmo#1663091 - Remove unnecessary assertions in the streaming
ASN.1 decoder that affected decoding certain PKCS8
private keys when using NSS debug builds
* bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.
update to NSS 3.58
Bugs fixed:
* bmo#1641480 (CVE-2020-25648)
Tighten CCS handling for middlebox compatibility mode.
* bmo#1631890 - Add support for Hybrid Public Key Encryption
(draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello
(draft-ietf-tls-esni).
* bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto
extensions.
* bmo#1668328 - Handle spaces in the Python path name when using
gyp on Windows.
* bmo#1667153 - Add PK11_ImportDataKey for data object import.
* bmo#1665715 - Pass the embedded SCT list extension (if present)
to TrustDomain::CheckRevocation instead of the notBefore value.
update to NSS 3.57
* The following CA certificates were Added:
bmo#1663049 - CN=Trustwave Global Certification Authority
SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority
SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority
SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
* The following CA certificates were Removed:
bmo#1651211 - CN=EE Certification Centre Root CA
SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76
bmo#1656077 - O=Government Root Certification Authority; C=TW
SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
* Trust settings for the following CA certificates were Modified:
bmo#1653092 - CN=OISTE WISeKey Global Root GA CA
Websites (server authentication) trust bit removed.
* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes
update to NSS 3.56
Notable changes
* bmo#1650702 - Support SHA-1 HW acceleration on ARMv8
* bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS.
* bmo#1654142 - Add CPU feature detection for Intel SHA extension.
* bmo#1648822 - Add stricter validation of DH keys in FIPS mode.
* bmo#1656986 - Properly detect arm64 during GYP build architecture
detection.
* bmo#1652729 - Add build flag to disable RC2 and relocate to
lib/freebl/deprecated.
* bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay.
* bmo#1588941 - Send empty certificate message when scheme selection
fails.
* bmo#1652032 - Fix failure to build in Windows arm64 makefile
cross-compilation.
* bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent.
* bmo#1653975 - Fix 3.53 regression by setting 'all' as the default
makefile target.
* bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert.
* bmo#1659814 - Fix interop.sh failures with newer tls-interop
commit and dependencies.
* bmo#1656519 - NSPR dependency updated to 4.28
update to NSS 3.55
Notable changes
* P384 and P521 elliptic curve implementations are replaced with
verifiable implementations from Fiat-Crypto [0] and ECCKiila [1].
* PK11_FindCertInSlot is added. With this function, a given slot
can be queried with a DER-Encoded certificate, providing performance
and usability improvements over other mechanisms. (bmo#1649633)
* DTLS 1.3 implementation is updated to draft-38. (bmo#1647752)
Relevant Bugfixes
* bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and
P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila.
* bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature.
* bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding.
* bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part
ChaCha20 (which was not functioning correctly) and more strictly
enforce tag length.
* bmo#1649648 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649316 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649322 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1653202 - Fix initialization bug in blapitest when compiled
with NSS_DISABLE_DEPRECATED_SEED.
* bmo#1646594 - Fix AVX2 detection in makefile builds.
* bmo#1649633 - Add PK11_FindCertInSlot to search a given slot
for a DER-encoded certificate.
* bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo.
* bmo#1647752 - Update DTLS 1.3 implementation to draft-38.
* bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI.
* bmo#1649226 - Add Wycheproof ECDSA tests.
* bmo#1637222 - Consistently enforce IV requirements for DES and 3DES.
* bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in
RSA_CheckSignRecover.
* bmo#1646324 - Advertise PKCS#1 schemes for certificates in the
signature_algorithms extension.
update to NSS 3.54
Notable changes
* Support for TLS 1.3 external pre-shared keys (bmo#1603042).
* Use ARM Cryptography Extension for SHA256, when available
(bmo#1528113)
* The following CA certificates were Added:
bmo#1645186 - certSIGN Root CA G2.
bmo#1645174 - e-Szigno Root CA 2017.
bmo#1641716 - Microsoft ECC Root Certificate Authority 2017.
bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
* The following CA certificates were Removed:
bmo#1645199 - AddTrust Class 1 CA Root.
bmo#1645199 - AddTrust External CA Root.
bmo#1641718 - LuxTrust Global Root 2.
bmo#1639987 - Staat der Nederlanden Root CA - G2.
bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4.
bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4.
bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.
* A number of certificates had their Email trust bit disabled.
See bmo#1618402 for a complete list.
Bugs fixed
* bmo#1528113 - Use ARM Cryptography Extension for SHA256.
* bmo#1603042 - Add TLS 1.3 external PSK support.
* bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
* bmo#1645186 - Add 'certSIGN Root CA G2' root certificate.
* bmo#1645174 - Add Microsec's 'e-Szigno Root CA 2017' root certificate.
* bmo#1641716 - Add Microsoft's non-EV root certificates.
* bmo1621151 - Disable email trust bit for 'O=Government
Root Certification Authority; C=TW' root.
* bmo#1645199 - Remove AddTrust root certificates.
* bmo#1641718 - Remove 'LuxTrust Global Root 2' root certificate.
* bmo#1639987 - Remove 'Staat der Nederlanden Root CA - G2' root
certificate.
* bmo#1618402 - Remove Symantec root certificates and disable email trust
bit.
* bmo#1640516 - NSS 3.54 should depend on NSPR 4.26.
* bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c.
* bmo#1642153 - Fix infinite recursion building NSS.
* bmo#1642638 - Fix fuzzing assertion crash.
* bmo#1642871 - Enable SSL_SendSessionTicket after resumption.
* bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs.
* bmo#1643557 - Fix numerous compile warnings in NSS.
* bmo#1644774 - SSL gtests to use ClearServerCache when resetting
self-encrypt keys.
* bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c.
* bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding.
ModerateSUSE bug 1029961SUSE bug 1174697SUSE bug 1176206SUSE bug 1176934SUSE bug 1179382SUSE bug 1188891CVE-2020-12400 at SUSECVE-2020-12400 at NVDCVE-2020-12401 at SUSECVE-2020-12401 at NVDCVE-2020-12403 at SUSECVE-2020-12403 at NVDCVE-2020-25648 at SUSECVE-2020-25648 at NVDCVE-2020-6829 at SUSECVE-2020-6829 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for transfig (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for transfig fixes the following issues:
Update to version 3.2.8, including fixes for
- CVE-2021-3561: overflow in fig2dev/read.c in function read_colordef() (bsc#1186329).
- CVE-2020-21683: Fixed buffer overflow in the shade_or_tint_name_after_declare_color in genpstricks.c (bsc#1189325).
- CVE-2020-21682: Fixed buffer overflow in the set_fill component in genge.c (bsc#1189346).
- CVE-2020-21681: Fixed buffer overflow in the set_color component in genge.c (bsc#1189345).
- CVE-2020-21680: Fixed stack-based buffer overflow in the put_arrow() component in genpict2e.c (bsc#1189343).
- CVE-2019-19797: out-of-bounds write in read_colordef in read.c (bsc#1159293).
- CVE-2019-19555: stack-based buffer overflow because of an incorrect sscanf (bsc#1161698).
- CVE-2019-19746: segmentation fault and out-of-bounds write because of an integer overflow via a large arrow type (bsc#1159130).
ModerateSUSE bug 1136882SUSE bug 1159130SUSE bug 1159293SUSE bug 1161698SUSE bug 1186329SUSE bug 1189325SUSE bug 1189343SUSE bug 1189345SUSE bug 1189346CVE-2019-19555 at SUSECVE-2019-19555 at NVDCVE-2019-19746 at SUSECVE-2019-19746 at NVDCVE-2019-19797 at SUSECVE-2019-19797 at NVDCVE-2020-21680 at SUSECVE-2020-21680 at NVDCVE-2020-21681 at SUSECVE-2020-21681 at NVDCVE-2020-21682 at SUSECVE-2020-21682 at NVDCVE-2020-21683 at SUSECVE-2020-21683 at NVDCVE-2021-3561 at SUSECVE-2021-3561 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for gtk-vnc (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for gtk-vnc fixes the following issues:
- CVE-2017-5885: Correctly validate color map range indexes (bsc#1024268).
- CVE-2017-5884: Fix bounds checking for RRE, hextile & copyrect encodings (bsc#1024266).
- Fix crash when opening connection from a GSocketAddress (bsc#1046782).
- Fix possible crash on connection failure (bsc#1188292).
ModerateSUSE bug 1024266SUSE bug 1024268SUSE bug 1046782SUSE bug 1188292CVE-2017-5884 at SUSECVE-2017-5884 at NVDCVE-2017-5885 at SUSECVE-2017-5885 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openssl (Low)SUSE OpenStack Cloud Crowbar 8
This update for openssl fixes the following issues:
- CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712.
Read buffer overruns processing ASN.1 strings (bsc#1189521).
LowSUSE bug 1189521CVE-2021-3712 at SUSECVE-2021-3712 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ghostscript (Critical)SUSE OpenStack Cloud Crowbar 8
This update for ghostscript fixes the following issues:
- CVE-2021-3781: Fixed a trivial -dSAFER bypass command injection (bsc#1190381)
CriticalSUSE bug 1190381CVE-2021-3781 at SUSECVE-2021-3781 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
This update contains the Firefox Extended Support Release 91.1.0 ESR.
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-40 (bsc#1190269, bsc#1190274):
* CVE-2021-38492: Navigating to `mk:` URL scheme could load Internet Explorer
* CVE-2021-38495: Memory safety bugs fixed in Firefox 92 and Firefox ESR 91.1
Firefox 91.0.1esr ESR
* Fixed: Fixed an issue causing buttons on the tab bar to be
resized when loading certain websites (bug 1704404)
* Fixed: Fixed an issue which caused tabs from private windows
to be visible in non-private windows when viewing switch-to-
tab results in the address bar panel (bug 1720369)
* Fixed: Various stability fixes
* Fixed: Security fix MFSA 2021-37 (bsc#1189547)
* CVE-2021-29991 (bmo#1724896)
Header Splitting possible with HTTP/3 Responses
Firefox Extended Support Release 91.0 ESR
* New: Some of the highlights of the new Extended Support Release are:
- A number of user interface changes. For more information,
see the Firefox 89 release notes.
- Firefox now supports logging into Microsoft, work, and
school accounts using Windows single sign-on. Learn more
- On Windows, updates can now be applied in the background
while Firefox is not running.
- Firefox for Windows now offers a new page about:third-party
to help identify compatibility issues caused by third-party
applications
- Version 2 of Firefox's SmartBlock feature further improves
private browsing. Third party Facebook scripts are blocked to
prevent you from being tracked, but are now automatically
loaded 'just in time' if you decide to 'Log in with Facebook'
on any website.
- Enhanced the privacy of the Firefox Browser's Private
Browsing mode with Total Cookie Protection, which confines
cookies to the site where they were created, preventing
companis from using cookies to track your browsing across
sites. This feature was originally launched in Firefox's ETP
Strict mode.
- PDF forms now support JavaScript embedded in PDF files.
Some PDF forms use JavaScript for validation and other
interactive features.
- You'll encounter less website breakage in Private Browsing
and Strict Enhanced Tracking Protection with SmartBlock,
which provides stand-in scripts so that websites load
properly.
- Improved Print functionality with a cleaner design and
better integration with your computer's printer settings.
- Firefox now protects you from supercookies, a type of
tracker that can stay hidden in your browser and track you
online, even after you clear cookies. By isolating
supercookies, Firefox prevents them from tracking your web
browsing from one site to the next.
- Firefox now remembers your preferred location for saved
bookmarks, displays the bookmarks toolbar by default on new
tabs, and gives you easy access to all of your bookmarks via
a toolbar folder.
- Native support for macOS devices built with Apple Silicon
CPUs brings dramatic performance improvements over the non-
native build that was shipped in Firefox 83: Firefox launches
over 2.5 times faster and web apps are now twice as
responsive (per the SpeedoMeter 2.0 test). If you are on a
new Apple device, follow these steps to upgrade to the latest
Firefox.
- Pinch zooming will now be supported for our users with
Windows touchscreen devices and touchpads on Mac devices.
Firefox users may now use pinch to zoom on touch-capable
devices to zoom in and out of webpages.
- We’ve improved functionality and design for a number of
Firefox search features:
* Selecting a search engine at the bottom of the search
panel now enters search mode for that engine, allowing you to
see suggestions (if available) for your search terms. The old
behavior (immediately performing a search) is available with
a shift-click.
* When Firefox autocompletes the URL of one of your search
engines, you can now search with that engine directly in the
address bar by selecting the shortcut in the address bar
results.
* We’ve added buttons at the bottom of the search panel to
allow you to search your bookmarks, open tabs, and history.
- Firefox supports AcroForm, which will allow you to fill in,
print, and save supported PDF forms and the PDF viewer also
has a new fresh look.
- For our users in the US and Canada, Firefox can now save,
manage, and auto-fill credit card information for you, making
shopping on Firefox ever more convenient.
- In addition to our default, dark and light themes, with
this release, Firefox introduces the Alpenglow theme: a
colorful appearance for buttons, menus, and windows. You can
update your Firefox themes under settings or preferences.
* Changed: Firefox no longer supports Adobe Flash. There is no
setting available to re-enable Flash support.
* Enterprise: Various bug fixes and new policies have been
implemented in the latest version of Firefox. See more
details in the Firefox for Enterprise 91 Release Notes.
MFSA 2021-33 (bsc#1188891):
* CVE-2021-29986: Race condition when resolving DNS names could have led to
memory corruption
* CVE-2021-29981: Live range splitting could have led to conflicting
assignments in the JIT
* CVE-2021-29988: Memory corruption as a result of incorrect style treatment
* CVE-2021-29983: Firefox for Android could get stuck in fullscreen mode
* CVE-2021-29984: Incorrect instruction reordering during JIT optimization
* CVE-2021-29980: Uninitialized memory in a canvas object could have led to
memory corruption
* CVE-2021-29987: Users could have been tricked into accepting unwanted
permissions on Linux
* CVE-2021-29985: Use-after-free media channels
* CVE-2021-29982: Single bit data leak due to incorrect JIT optimization and
type confusion
* CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
* CVE-2021-29990: Memory safety bugs fixed in Firefox 91
ImportantSUSE bug 1188891SUSE bug 1189547SUSE bug 1190269SUSE bug 1190274CVE-2021-29980 at SUSECVE-2021-29980 at NVDCVE-2021-29981 at SUSECVE-2021-29981 at NVDCVE-2021-29982 at SUSECVE-2021-29982 at NVDCVE-2021-29983 at SUSECVE-2021-29983 at NVDCVE-2021-29984 at SUSECVE-2021-29984 at NVDCVE-2021-29985 at SUSECVE-2021-29985 at NVDCVE-2021-29986 at SUSECVE-2021-29986 at NVDCVE-2021-29987 at SUSECVE-2021-29987 at NVDCVE-2021-29988 at SUSECVE-2021-29988 at NVDCVE-2021-29989 at SUSECVE-2021-29989 at NVDCVE-2021-29990 at SUSECVE-2021-29990 at NVDCVE-2021-29991 at SUSECVE-2021-29991 at NVDCVE-2021-38492 at SUSECVE-2021-38492 at NVDCVE-2021-38495 at SUSECVE-2021-38495 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_8_0-ibm (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 6 Fix Pack 20 [bsc#1180063,bsc#1177943]
CVE-2020-14792 CVE-2020-14797 CVE-2020-14781 CVE-2020-14779
CVE-2020-14798 CVE-2020-14796 CVE-2020-14803
* Class libraries:
- SOCKETADAPTOR$SOCKETINPUTSTREAM.READ is blocking for more time
that the set timeout
- Z/OS specific C function send_file is changing the file pointer
position
* Java Virtual Machine:
- Crash on iterate java stack
- Java process hang on SIGTERM
* JIT Compiler:
- JMS performance regression from JDK8 SR5 FP40 TO FP41
* Class Libraries:
- z15 high utilization following Z/VM and Linux migration from
z14 To z15
* Java Virtual Machine:
- Assertion failed when trying to write a class file
- Assertion failure at modronapi.cpp
- Improve the performance of defining and finding classes
* JIT Compiler:
- An assert in ppcbinaryencoding.cpp may trigger when running
with traps disabled on power
- AOT field offset off by n bytes
- Segmentation fault in jit module on ibm z platform ModerateSUSE bug 1177943SUSE bug 1180063CVE-2020-14779 at SUSECVE-2020-14779 at NVDCVE-2020-14781 at SUSECVE-2020-14781 at NVDCVE-2020-14792 at SUSECVE-2020-14792 at NVDCVE-2020-14796 at SUSECVE-2020-14796 at NVDCVE-2020-14797 at SUSECVE-2020-14797 at NVDCVE-2020-14798 at SUSECVE-2020-14798 at NVDCVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for xen (Important)SUSE OpenStack Cloud Crowbar 8
This update for xen fixes the following issues:
- CVE-2021-28701: Fixed race condition in XENMAPSPACE_grant_table handling (XSA-384) (bsc#1189632).
- Integrate bugfixes (bsc#1189373, bsc#1189378).
ImportantSUSE bug 1189373SUSE bug 1189378SUSE bug 1189632CVE-2021-28701 at SUSECVE-2021-28701 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for sqlite3 (Important)SUSE OpenStack Cloud Crowbar 8
This update for sqlite3 fixes the following issues:
sqlite3 is sync version 3.36.0 from Factory (jsc#SLE-16032).
The following CVEs have been fixed in upstream releases up to
this point, but were not mentioned in the change log so far:
* bsc#1173641, CVE-2020-15358: heap-based buffer overflow in
multiSelectOrderBy due to mishandling of query-flattener
optimization
* bsc#1164719, CVE-2020-9327: NULL pointer dereference and
segmentation fault because of generated column optimizations in
isAuxiliaryVtabOperator
* bsc#1160439, CVE-2019-20218: selectExpander in select.c proceeds
with WITH stack unwinding even after a parsing error
* bsc#1160438, CVE-2019-19959: memory-management error via
ext/misc/zipfile.c involving embedded '\0' input
* bsc#1160309, CVE-2019-19923: improper handling of certain uses
of SELECT DISTINCT in flattenSubquery may lead to null pointer
dereference
* bsc#1159850, CVE-2019-19924: improper error handling in
sqlite3WindowRewrite()
* bsc#1159847, CVE-2019-19925: improper handling of NULL pathname
during an update of a ZIP archive
* bsc#1159715, CVE-2019-19926: improper handling of certain
errors during parsing multiSelect in select.c
* bsc#1159491, CVE-2019-19880: exprListAppendList in window.c
allows attackers to trigger an invalid pointer dereference
* bsc#1158960, CVE-2019-19603: during handling of CREATE TABLE
and CREATE VIEW statements, does not consider confusion with
a shadow table name
* bsc#1158959, CVE-2019-19646: pragma.c mishandles NOT NULL in an
integrity_check PRAGMA command in certain cases of generated
columns
* bsc#1158958, CVE-2019-19645: alter.c allows attackers to trigger
infinite recursion via certain types of self-referential views
in conjunction with ALTER TABLE statements
* bsc#1158812, CVE-2019-19317: lookupName in resolve.c omits bits
from the colUsed bitmask in the case of a generated column,
which allows attackers to cause a denial of service
* bsc#1157818, CVE-2019-19244: sqlite3,sqlite2,sqlite: The
function sqlite3Select in select.c allows a crash if a
sub-select uses both DISTINCT and window functions, and also
has certain ORDER BY usage
* bsc#928701, CVE-2015-3415: sqlite3VdbeExec comparison operator
vulnerability
* bsc#928700, CVE-2015-3414: sqlite3,sqlite2: dequoting of
collation-sequence names
* CVE-2020-13434 bsc#1172115: integer overflow in
sqlite3_str_vappendf
* CVE-2020-13630 bsc#1172234: use-after-free in fts3EvalNextRow
* CVE-2020-13631 bsc#1172236: virtual table allowed to be renamed
to one of its shadow tables
* CVE-2020-13632 bsc#1172240: NULL pointer dereference via
crafted matchinfo() query
* CVE-2020-13435: Malicious SQL statements could have crashed the
process that is running SQLite (bsc#1172091)
ImportantSUSE bug 1157818SUSE bug 1158812SUSE bug 1158958SUSE bug 1158959SUSE bug 1158960SUSE bug 1159491SUSE bug 1159715SUSE bug 1159847SUSE bug 1159850SUSE bug 1160309SUSE bug 1160438SUSE bug 1160439SUSE bug 1164719SUSE bug 1172091SUSE bug 1172115SUSE bug 1172234SUSE bug 1172236SUSE bug 1172240SUSE bug 1173641SUSE bug 928700SUSE bug 928701CVE-2015-3414 at SUSECVE-2015-3414 at NVDCVE-2015-3415 at SUSECVE-2015-3415 at NVDCVE-2016-6153 at SUSECVE-2016-6153 at NVDCVE-2017-10989 at SUSECVE-2017-10989 at NVDCVE-2017-2518 at SUSECVE-2017-2518 at NVDCVE-2018-20346 at SUSECVE-2018-20346 at NVDCVE-2018-8740 at SUSECVE-2018-8740 at NVDCVE-2019-16168 at SUSECVE-2019-16168 at NVDCVE-2019-19244 at SUSECVE-2019-19244 at NVDCVE-2019-19317 at SUSECVE-2019-19317 at NVDCVE-2019-19603 at SUSECVE-2019-19603 at NVDCVE-2019-19645 at SUSECVE-2019-19645 at NVDCVE-2019-19646 at SUSECVE-2019-19646 at NVDCVE-2019-19880 at SUSECVE-2019-19880 at NVDCVE-2019-19923 at SUSECVE-2019-19923 at NVDCVE-2019-19924 at SUSECVE-2019-19924 at NVDCVE-2019-19925 at SUSECVE-2019-19925 at NVDCVE-2019-19926 at SUSECVE-2019-19926 at NVDCVE-2019-19959 at SUSECVE-2019-19959 at NVDCVE-2019-20218 at SUSECVE-2019-20218 at NVDCVE-2019-8457 at SUSECVE-2019-8457 at NVDCVE-2020-13434 at SUSECVE-2020-13434 at NVDCVE-2020-13435 at SUSECVE-2020-13435 at NVDCVE-2020-13630 at SUSECVE-2020-13630 at NVDCVE-2020-13631 at SUSECVE-2020-13631 at NVDCVE-2020-13632 at SUSECVE-2020-13632 at NVDCVE-2020-15358 at SUSECVE-2020-15358 at NVDCVE-2020-9327 at SUSECVE-2020-9327 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-Pillow (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-Pillow fixes the following issues:
- CVE-2021-23437: Fixed regular expression denial of service (ReDoS) via the getrgb function (bsc#1190229).
ImportantSUSE bug 1190229CVE-2021-23437 at SUSECVE-2021-23437 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-urllib3 (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-urllib3 fixes the following security issue:
- CVE-2020-26137: A CRLF injection via HTTP request method was fixed (bsc#1177120)
Note that this was fixed in a previous version update to 1.25.9, this update just complements the tracking.
ModerateSUSE bug 1177120CVE-2020-26137 at SUSECVE-2020-26137 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-activerecord-4_2 (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-activerecord-4_2 fixes the following issues:
- CVE-2021-22880: Fixed possible DoS vector in PostgreSQL money type (bsc#1182169).
ModerateSUSE bug 1182169CVE-2021-22880 at SUSECVE-2021-22880 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for glibc (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for glibc fixes the following issues:
Security issues fixed:
- CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911)
- CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489)
Also the following bug was fixed:
- Avoid concurrency problem in ldconfig (bsc#1117993)
ModerateSUSE bug 1117993SUSE bug 1186489SUSE bug 1187911CVE-2021-33574 at SUSECVE-2021-33574 at NVDCVE-2021-35942 at SUSECVE-2021-35942 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud Crowbar 8
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.32.4
- CVE-2021-30858: Fixed a security bug that could allow maliciously crafted web content to achieve arbitrary code execution. (bsc#1190701)
- CVE-2021-21806: Fixed an exploitable use-after-free vulnerability via specially crafted HTML web page. (bsc#1188697)
ImportantSUSE bug 1188697SUSE bug 1190701CVE-2021-21806 at SUSECVE-2021-21806 at NVDCVE-2021-30858 at SUSECVE-2021-30858 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for apache2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for apache2 fixes the following issues:
- CVE-2021-40438: Fixed a SRF via a crafted request uri-path. (bsc#1190703)
- CVE-2021-39275: Fixed an out-of-bounds write in ap_escape_quotes() via malicious input. (bsc#1190666)
- CVE-2021-34798: Fixed a NULL pointer dereference via malformed requests. (bsc#1190669)
ImportantSUSE bug 1190666SUSE bug 1190669SUSE bug 1190703CVE-2021-34798 at SUSECVE-2021-34798 at NVDCVE-2021-39275 at SUSECVE-2021-39275 at NVDCVE-2021-40438 at SUSECVE-2021-40438 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python3 (Important)SUSE OpenStack Cloud Crowbar 8
This update for python3 fixes the following issues:
- Provide the newest setuptools wheel (bsc#1176262,
CVE-2019-20916) in their correct form (bsc#1180686).
ImportantSUSE bug 1176262SUSE bug 1180686CVE-2019-20916 at SUSECVE-2019-20916 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.2.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-45 (bsc#1191332)
* CVE-2021-38496: Use-after-free in MessageTask
* CVE-2021-38497: Validation message could have been overlaid on another origin
* CVE-2021-38498: Use-after-free of nsLanguageAtomService object
* CVE-2021-32810: Fixed Data race in crossbeam-deque
* CVE-2021-38500: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2
* CVE-2021-38501: Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2
- Fixed crash in FIPS mode (bsc#1190710)
ImportantSUSE bug 1190710SUSE bug 1191332CVE-2021-32810 at SUSECVE-2021-32810 at NVDCVE-2021-38496 at SUSECVE-2021-38496 at NVDCVE-2021-38497 at SUSECVE-2021-38497 at NVDCVE-2021-38498 at SUSECVE-2021-38498 at NVDCVE-2021-38500 at SUSECVE-2021-38500 at NVDCVE-2021-38501 at SUSECVE-2021-38501 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for javapackages-tools, javassist, mysql-connector-java, protobuf, python-python-gflags (Important)SUSE OpenStack Cloud Crowbar 8
This update for javapackages-tools, javassist, mysql-connector-java, protobuf, python-python-gflags contains the following fixes:
Changes in mysql-connector-java:
- Restrict license to GPL-2.0-only
- Fix README adjustments
- Depend on log4j rather than log4j-mini and adjust log4j dependencies to
account for the lack of log4j12 Provides in some code streams.
- Add missing Group tag
- Update to 8.0.25 (SOC-11543)
Changes in 8.0.25
* No functional changes: version alignment with MySQL Server 8.0.25.
Changes in 8.0.24
* Bug#102188 (32526663), AccessControlException with AuthenticationLdapSaslClientPlugin.
* Bug#22508715, SETSESSIONMAXROWS() CALL ON CLOSED CONNECTION RESULTS IN NPE.
* Bug#102131 (32338451), UPDATABLERESULTSET NPE WHEN USING DERIVED QUERIES OR VIEWS.
* Bug#101596 (32151143), GET THE 'HOST' PROPERTY ERROR AFTER CALLING TRANSFORMPROPERTIES() METHOD.
* Bug#20391832, SETOBJECT() FOR TYPES.TIME RESULTS IN EXCEPTION WHEN VALUE HAS FRACTIONAL PART.
* Bug#97730 (31699993), xdev api: ConcurrentModificationException at Session.close.
* Bug#99708 (31510398), mysql-connector-java 8.0.20 ASSERTION FAILED: Unknown message type: 57 s.close.
* Bug#32122553, EXTRA BYTE IN COM_STMT_EXECUTE.
* Bug#101558 (32141210), NULLPOINTEREXCEPTION WHEN EXECUTING INVALID QUERY WITH USEUSAGEADVISOR ENABLED.
* Bug#102076 (32329915), CONTRIBUTION: MYSQL JDBC DRIVER RESULTSET.GETLONG() THROWS NUMBEROUTOFRANGE.
* Bug#31747910, BUG 30474158 FIX IMPROVES JDBC COMPLIANCE BUT CHANGES DEFAULT RESULTSETTYPE HANDLING.
* Bug#102321 (32405590), CALLING RESULTSETMETADATA.GETCOLUMNCLASSNAME RETURNS WRONG VALUE FOR DATETIME.
* WL#14453, Pluggable authentication: new default behavior & user-less authentications.
* WL#14392, Improve timeout error messages [classic].
* WL#14202, XProtocol: Support connection close notification.
Changes in 8.0.23
* Bug#21789378, FORCED TO SET SERVER TIMEZONE IN CONNECT STRING.
* Bug#95644 (30573281), JDBC GETDATE/GETTIME/GETTIMESTAMP INTERFACE BEHAVIOR CHANGE AFTER UPGRADE 8.0.
* Bug#94457 (29402209), CONNECTOR/J RESULTSET.GETOBJECT( ..., OFFSETDATETIME.CLASS ) THROWS.
* Bug#76775 (20959249), FRACTIONAL SECONDS IN TIME VALUES ARE NOT AVAILABLE VIA JDBC.
* Bug#99013 (31074051), AN EXTRA HOUR GETS ADDED TO THE TIMESTAMP WHEN SUBTRACTING INTERVAL 'N' DAYS.
* Bug#98695 (30962953), EXECUTION OF 'LOAD DATA LOCAL INFILE' COMMAND THROUGH JDBC FOR DATETIME COLUMN.
* Bug#101413 (32099505), JAVA.TIME.LOCALDATETIME CANNOT BE CAST TO JAVA.SQL.TIMESTAMP.
* Bug#101242 (32046007), CANNOT USE BYTEARRAYINPUTSTREAM AS ARGUMENTS IN PREPARED STATEMENTS AN MORE.
* WL#14274, Support for authentication_ldap_sasl_client(SCRAM-SHA-256) authentication plugin.
* WL#14206, Support for authentication_ldap_sasl_client(GSSAPI) authentication plugin.
* WL#14207, Replace language in APIs and source code/docs.
Changes in 8.0.22
* Bug#98667 (31711961), 'All pipe instances are busy' exception on multiple connections to named Pipe.
* Bug#96309 (31699357), MultiHost in loadbalance may lead to a TPS reduction during a quick switch.
* Bug#99076 (31083755), Unclear exception/error when connecting with jdbc:mysql to a mysqlx port.
* Bug#96870 (30304764), Contribution: Allow to disable AbandonedConnectionCleanupThread completely.
* WL#14115, Support for authentication_ldap_sasl_client (SCRAM-SHA-1) authentication plugin.
* WL#14096, Add option to specify LOAD DATA LOCAL allow list folder.
* WL#13780, Skip system-wide trust and key stores (incl. X DevAPI client certs).
* WL#14017, XProtocol -- support for configurable compression algorithms.
* Bug#92903 (28834903), MySQL Connector/j should support wildcard names or alternative names.
* Bug#99767 (31443178), Contribution: Check SubjectAlternativeName for TLS instead of commonName.
* Bug#93444 (29015453), LOCALDATETIME PARAMETER VA UES ALTERED WHEN CLIENT AND SERVER TIMEZONES DIFFER.
* WL#14052, Remove asynchronous variant of X Protocol.
* Bug#99713 (31418928), NPE DURING COM.MYSQL.CJ.SERVERPREPAREDQUERYBINDVALUE.STOREDATE().
* WL#14068, Remove legacy integration with JBoss.
Changes in 8.0.21
* WL#14051, Upgrade Protocol Buffers dependency to protobuf-java-3.11.4.
* WL#14042, Upgrade testsuite to JUnit 5.
* Bug#98237 (30911870), PREPAREDSTATEMENT.SETOBJECT(I, 'FALSE', TYPES.BOOLEAN) ALWAYS SETS TRUE OR 1.
* WL#13008, DevAPI: Add schema validation to create collection.
Changes in 8.0.20
* Bug#30805426, IN CASE OF ISAUTHMETHODSWITCHREQUESTPACKET , TOSERVERS > 1 ARE IGNORED.
* Bug#97714 (30570249), Contribution: Expose elapsed time for query interceptor
* Bug#97724 (30570721), Contribution: Allow \'3.\' formatted numbers.
* Bug#98536 (30877755), SIMPLEDATEFORMAT COULD CACHE A WRONG CALENDAR.
Fix for Bug#91112 (28125069), AGAIN WRONG JAVA.SQL.DATE.
* Bug#30474158, CONNECTOR/J 8 DOES NOT HONOR THE REQUESTED RESULTSETTYPE SCROLL_INSENSITIVE ETC.
* Bug#98445 (30832513), Connection option clientInfoProvider=ClientInfoProviderSP causes NPE.
* WL#12248, DevAPI: Connection compression.
* Bug#30636056, ResultSetUtil.resultSetToMap() can be unsafe to use.
* Bug#97757 (30584907), NULLPOINTEREXCEPTION WITH CACHERESULTSETMETADATA=TRUE AND EXECUTEQUERY OF 'SET'.
Changes in 8.0.19
* WL#13346, Support for mult-host and failover.
* Bug#97413 (30477722), DATABASEMETADATA IS BROKEN AFTER SERVER WL#13528.
* WL#13367, DNS SRV support.
* WL#12736, DevAPI: Specify TLS ciphers to be used by a client or session.
* Bug#96383 (30119545) RS.GETTIMESTAMP() HAS * DIFFERENT RESULTS FOR TIME FIELDS WITH USECURSORFETCH=TRUE.
* Bug#96059 (29999318), ERROR STREAMING MULTI RESULTSETS WITH MYSQL-CONNECTOR-JAVA 8.0.X.
* Bug#96442 (30151808), INCORRECT DATE ERROR WHEN CALLING GETMETADATA ON PREPARED STATEMENT.
Changes in 8.0.18
* WL#13347, Connectors should handle expired password sandbox without SET operations.
* Bug#84098 (25223123), endless loop in LoadBalancedAutoCommitInterceptor.
* Bug#23721537, MULTI-SELECT WITH EXECUTEASYNC() GIVES IMPROPER ERROR.
* Bug#95741 (29898567), METADATA QUERY USES UPPER() AROUND NUMERIC EXPRESSION.
* Bug#20913289, PSTMT.EXECUTEUPDATE() FAILS WHEN SQL MODE IS NO_BACKSLASH_ESCAPES.
* Bug#80441 (22850444), SYNTAX ERROR ON RESULTSET.UPDATEROW() WITH SQL_MODE NO_BACKSLASH_ESCAPES.
Changes in 8.0.17
* WL#13210, Generate Javadocs via ant.
* WL#12247, DevAPI: indexing array fields.
* WL#12726, DevAPI: Add overlaps and not_overlaps as operator.
* Bug#95503 (29821029), Operator IN not mapping consistently to the right X Plugin operation.
* WL#12942, Update README.md and add new CONTRIBUTING.md.
* WL#13125, Support fully qualified hostnames longer than 60 characters.
* Bug#95210 (29807741), ClassCastException in BlobFromLocator when connecting as jdbc:mysql:replication.
* Bug#29591275, THE JAR FILE NEEDS TO CONTAIN A README AND LICENSE FILE.
* WL#13124, Support new utf8mb4 bin collation.
* WL#13009, DevAPI: Deprecate methods.
* WL#11101, Remove de-cache and close of SSPSs on double call to close().
* Bug#89133 (27356869) CONTRIBUTION: UPDATE DA ABASEMETADATA.JAVA.
* Bug#11891000, DABATASEMETADATA.GETTABLES() IGNORES THE SCHEMA_PATTERN ARGUMENT.
* Bug#94101 (29277648), SETTING LOGSLOWQUERIES SHOULD NOT AUTOMATICALLY ENABLE PROFILESQL FOR QUERIES.
* Bug#74690 (20010454), PROFILEREVENT HOSTNAME HAS NO GETTER().
* Bug#70677 (17640628), CONNECTOR J WITH PROFILESQL - LOG CONTAINS LOTS OF STACKTRACE DATA.
* Bug#41172 (11750577), PROFILEREVENT.PACK() THROWS ARRAYINDEXOUTOFBOUNDSEXCEPTION.
* Bug#27453692, CHARACTERS GET GARBLED IN CONCAT() IN PS WHEN USECURSORFETCH=TRUE.
* Bug#94585 (29452669), GETTABLENAME() RETURNS NULL FOR A QUERY HAVING COUNT(*) WITH JDBC DRIVER V8.0.12.
* Bug#94442 (29446059), RESULTSETIMPL.GETDOUBLE IS INEFFICIENT BECAUSE OF BIGDECIMAL (RE)CONSTRUCTIONS.
Changes in 8.0.16
* WL#12825, Remove third-party libraries from sources and bundles.
* Bug#93590 (29054329), javax.net.ssl.SSLException: closing inbound before receiving peer's close_notify.
* Bug#94414 (29384853), Connector/J RPM package have version number in path.
* Bug#27786499, REDUNDANT FILES IN DEBIAN PACKAGE FOR DEBIAN9(COMMUNITY PACKAGE) FOR CJAVA.
* WL#12246, DevAPI: Prepared statement support.
* WL#10839, Adjust c/J tests to the new 'ON' default for explicit_defaults_for_timestamp.
* Bug#29329326, PLEASE AVOID SHOW PROCESSLIST IF POSSIBLE.
* WL#12460, DevAPI: Support new session reset functionality.
* WL#12459, DevAPI: Support connection-attributes.
* Bug#25650385, GETBYTE() RETURNS ERROR FOR BINARY() FLD.
* Bug#27784363, MYSQL 8.0 JDBC DRIVER THROWS NUMBERFORMATEXCEPTION FOR TEXT DATA
* Bug#93007 (28860051), LoadBalancedConnectionProxy.getGlobalBlacklist bug.
* Bug#29186870, CONNECTOR/J REGRESSION: NOT RETURNING PRECISION GETPROCEDURECOLUMNS.
* Bug#22038729, X DEVAPI: ANY API CALL AFTER A FAILED CALL PROC() RESULTS IN HANG.
* Bug#29244101, ADD MAPPING FOR UTF8MB4_ZH_0900_AS_CS COLLATION.
* Bug#92819 (28834959), EXPRPARSER THROWS WRONGARGUMENTEXCEPTION WHEN PARSING EMPTY JSON ARRAY.
* Bug#21921956, X DEVAPI: EXPRESSION PARSE ERROR WITH UNARY OPERATOR.
* Bug#94031 (29257922), WRONG JSON_UNQUOTE WORKAROUND.
* Bug#22931700, BINDINGS.GETBOOLEAN() ALWAYS RETURNS FALSE.
* Bug#25650912, ERROR MESSAGE NOT CLEAR WHEN WE PASS A CHAR DATA TO ANY TABLE API.
* Bug#25642021, CHANGEUSER() FAILS WHEN ENABLEPACKETDEBUG=TRUE.
Changes in 8.0.15
* Bug#94051 (29261254), Not recommended default for 'allowLoadLocalInfile'.
Changes in 8.0.14
* WL#12298, Connectors: Expose metadata about source and binaries in unified way.
* Bug#93111 (28894344), ConnectionUrl.java contains char U+00A7 (section sign).
* WL#12621, DevAPI: Handling of Default Schema.
* Bug#93340 (28970166), C/J BUILD SCRIPT IS TOO VERBOSE
* WL#12462, DevAPI: Be prepared for initial notice on connection.
* Bug#28924137, WL#12463:IF COLLECTION DOESN'T EXIST, COLL.COUNT() IS GIVING A WRONG ERROR MESSAGE.
* WL#12463, DevAPI: Standardize count method.
* Bug#92508 (28747636), mysql-connector in bootclasspath causing memory leak.
* Bug#25650514, UPDATEROW() CALL FAILS WITH NPE WHEN SSPS=TRUE AND TABLE HAS MULTI-FLD KEY.
* Bug#25650482, REFRESHROW() CALL AFTER UPDATEROW() API FAILS WHEN USESERVERPREPSTMTS=TRUE.
* Bug#92536 (28692243), UPDATEING SERVER SIDE PREPSTMTS RESULTSET FAIL.
* Bug#92625 (28731795), CONTRIBUTION: FIX OBSERVED NPE IN CLEARINPUTSTREAM.
* Bug#23045642, ADDING NO-DOC (MYSQLCONNJ-696) RESULTS IN EXCEPTION.
* Bug#91065 (28101003), ZERODATETIMEBEHAVIOR=CONVERT_TO_NULL SHOULD NOT APPLY TO 00:00:00 TIME COLUMNS.
* Bug#92574 (28706219), WHEN CONVERTING FROM VARCHAR TO JAVA BOOLEAN, 'N' IS NOT SUPPORTED.
* Bug#25642226, CHANGEUSER() NOT SETTING THE DATABASE PROPERLY WITH SHA USER.
* Bug#28606708, NAMED PIPE CONNECTION FOR X PROTOCOL RETURNS NPE, EXPECTED PROPER ERROR MESSAGE.
Changes in 8.0.13
* Bug#91317 (28207422), Wrong defaults on collation mappings.
* WL#12245, DevAPI: Implement connect timeout.
* Bug#21774249, UNIT TEST FAILS WITH ERROR ' 'CEST' IS UNRECOGNIZED TIME ZONE'.
* WL#11857, DevAPI: Implement connection pooling for xprotocol.
* Bug#91873 (28444461), REMOVE USEOLDUTF8BEHAVIOR CONNECTION PROPERTY.
* Bug#92264 (28594434), JSONPARSER PUTS UNNECESSARY MAXIMUM LIMIT ON JSONNUMBER TO 10 DIGITS.
* WL#12110, Extend PropertyDefinitions.PropertyKey usage.
* Bug#81063 (23098159), w/ rewriteBatchedStatements, when 2 tables involved, the rewriting not correct.
* Bug#84813 (25501750), rewriteBatchedStatements fails in INSERT.
* Bug#81196 (23227334), CONNECTOR/J NOT FOLLOWING DATABASE CHARACTER SET.
* Bug#72609 (18749544), SETDATE() NOT USING A PROLEPTIC GREGORIAN CALENDAR.
* Bug#87534 (26730196), UNION ALL query fails when useServerPrepStmts=true on database connection.
* Bug#89948 (27658489), Batched statements are not committed for useLocalTransactionState=true.
* BUG#22305979, WRONG RECORD UPDATED IF SENDFRACTIONALSECONDS=FALSE AND SMT IS SCROLLABLE.
* Bug#27102307, CHANGE USESSL AND VERIFYSERVERCERTIFICATE TO SSLMODE OPTION.
* Bug#28150662, CONNECTOR/J 8 MALFORMED DATABASE URL EXCEPTION WHIT CORRECT URL STRING.
* Bug#91421 (28246270), ALLOWED VALUES FOR ZERODATETIMEBEHAVIOR ARE INCOMPATIBLE WITH NETBEANS.
* Bug#23045604, XSESSION.GETURI() RETURNS NPE.
* Bug#21914769, NPE WHEN TRY TO EXECUTE INVALID JSON STRING.
* Bug#BUG#90887 (28034570), DATABASEMETADATAUSINGINFOSCHEMA#GETTABLES FAILS IF METHOD ARGUMENTS ARE NULL.
* Bug#28207088, C/JAVA: UPDATECLOB(INT COLUMNLABEL, JAVA.SQL.CLOB CLOB) IS FAILING.
* Bug#27629553, NPE FROM GETSESSION() FOR SSL CONNECTION WHEN NO PASSWORD PASSED.
Changes in 8.0.12
* Bug#28208000, MASTER : HANG IN ASYNCHRONOUS SELECT TEST.
* WL#10544, Update MySQL 8.0 keywords list.
* WL#11858, DevAPI: Core API v1 alignment.
* Bug#27652379, NPE FROM GETSESSION(PROPERTIES) WHEN HOST PARAMETER IS GIVEN IN SMALL LETTER.
* BUG#87600 (26724154), CONNECTOR THROWS 'MALFORMED DATABASE URL' ON NON MYSQL CONNECTION-URLS.
* BUG#26089880, GETCONNECTION('MYSQLX://..') RETURNS NON-X PROTOCOL CONNECTION.
* WL#11876, Improve connection properties design.
* WL#11933, Connector/J 8.0 X DevAPI reference documentation update.
* WL#11860, Ensure >= 75% code coverage.
* Bug#90753 (27977617), WAIT_TIMEOUT EXCEEDED MESSAGE NOT TRIGGERED.
* Bug#85941 (25924324), WASNULL NOT SET AFTER GETBYTES IS CALLED.
* Bug#28066709, COLLECTION.CREATEINDEX() TEST IS BROKEN AFTER WL#11808 IMPLEMENTATION.
* Bug#90872 (28027459), FILTERPARAMS CLASS IS NOT NEEDED.
* Bug#27522054, POSSIBLE ASYNC XPROTOCOL MESSAGE HANDLING PERF ISSUE.
The 'xdevapi.useAsyncProtocol' connection property default value is changed to 'false'.
Changes in 8.0.11
* WL#11293, DevAPI: Support new locking modes : NOWAIT and SKIP LOCKED.
* Bug#90029 (27678308), FAILURE WHEN GETTING GEOMCOLLECTION COLUMN TYPE.
* BUG#90024 (27677574), SOME TESTS FAILED AGAINST MYSQL 8.0.5 BECAUSE OF DEPRECATED FEATURES REMOVAL.
* Bug#86741 (26314325), Multi-Host connection with autocommit=0 getAutoCommit maybe wrong.
* Bug#27231383, PROVIDE MAVEN-FRIENDLY COMMERCIAL PACKAGES WITHOUT '-BIN'.
* Bug#26819691, SETTING PACKETDEBUGBUFFERSIZE=0 RESULTS IN CONNECTION FAILURE.
* Bug#88227 (27029657), Connector/J 5.1.44 cannot be used against MySQL 5.7.20 without warnings.
* Bug#27374581, CONNECTION FAILS WHEN GPL SERVER STARTED WITH TLS-VERSION=TLSV1.2.
* WL#11419, DevAPI: New document _id generation support.
* WL#11620, Change caching_sha2_password padding.
* WL#11604, DevAPI: Add SHA256_MEMORY support.
* BUG#86278 (26092824), SUPPORT CUSTOM CONSTRUCTION OF SSLSOCKET DURING CONNECTION ESTABLISHMENT.
* BUG#27226293, JSONNUMBER.GETINTEGER() & NUMBERFORMATEXCEPTION.
* WL#10527, Clean up Protocol and Session interfaces.
Changes in 8.0.9
* WL#11469, Update license header in GPL packages.
* BUG#27247349, WL#11208 : UNIQUE DOES NOT GIVE ERROR EVEN THOUGH IT IS NOT SUPPORTED.
* WL#11208, DevAPI: Collection.createIndex.
* WL#10156, Add setters/getters for connection properties to MysqlDataSource,
MysqlXADataSource and MysqlConnectionPoolDataSource.
* WL#11401, DevAPI: Remove configuration API.
* WL#10619, Ensure compatibility with new data dictionary.
* BUG#27217264, WL#10937: NULL POINTER EXCEPTION WHEN NULL IS PASSED AS _ID IN COLL.REPLACEONE.
* WL#10937, DevAPI: ReplaceOne, AddOrReplaceOne, GetOne, RemoveOne.
* Bug#26723646, JSON_MERGE() FUNCTION IS DEPRECATED IN MYSQL 8.0.
* Bug#27185332, WL#11210:ERROR IS THROWN WHEN NESTED EMPTY DOCUMENTS ARE INSERTED TO COLLECTION.
* Bug#27151601, WL#11210: DOCUMENT PATCH EXPRESSIONS ARE NOT SUPPORTED.
* WL#11210, DevAPI: Modify/MergePatch.
* Bug#79612 (22362474), CONNECTION ATTRIBUTES LOST WHEN CONNECTING WITHOUT DEFAULT DATABASE.
* WL#10152, Enable TLSv1.2 on mysqlx.
* Bug#27131768, NULL POINTER EXCEPTION IN CONNECTION.
* Bug#88232 (27047676), c/J does not rollback transaction when autoReconnect=true.
* Bug#88242 (27040063), autoReconnect and socketTimeout JDBC option makes wrong order of client packet.
* Bug#88021 (26939943), High GC pressure when driver configured with serversideprepared statements.
* Bug#26724085, CHARSET MAPPING TO BE UPDATED FOR MYSQL 8.0.3.
* Bug#87704 (26771560), THE STREAM GETS THE RESULT SET ?THE DRIVER SIDE GET WRONG ABOUT GETLONG().
* Bug#24924097, SERVER GREETING ERROR ISN'T RECOGNIZED DURING HANDSHAKE.
* Bug#26748909, MASTER : ERROR - NO OPERATIONS ALLOWED AFTER STATEMENT CLOSED FOR TOSTRING().
* Bug#26266731, CONCUR_UPDATABLE RESULTSET OPERATIONS FAIL AGAINST 8.0 FOR BOOLEAN COLUMN.
* WL#11239, DevAPI: Remove create table implementation.
* Bug#27131100, WL#11212 : SAVEPOINT CREATING WITH EMPTY STRING AND SPACE AS NAME.
* WL#11212, DevAPI: transaction save-points.
* WL#11060, Support new SHA-256 authentication system.
* Bug#87826 (26846249), MYSQL JDBC CONNECTOR/J DATABASEMETADATA NULL PATTERN HANDLING IS NON-COMPLIANT.
* WL#11163, Extract parameter setters, serverPrepare() and serverExecute() to core classes.
* BUG#26995710, WL#11161 : NULL POINTER EXCEPTION IN EXECUTEBATCH() AND CLOSE().
* WL#11161, Unify query bindings.
* WL#8469, Don't extract query text from packets when possible.
Changes in 8.0.8
* BUG#26722030, TEST FAILING DUE TO BINARY LOGGING ENABLED BY DEFAULT IN MYSQL 8.0.3.
* BUG#26722018, TESTS FAILING DUE TO CHANGE IN INFORMATION_SCHEMA.INNODB_SYS_* NAMING.
* BUG#26750807, MASTER : NULL POINTER EXCEPTION IN SCHEMA.DROPVIEW(NULL).
* BUG#26750705, MASTER : ERROR - UNSUPPORTED CONVERSION FROM TIME TO JAVA.SQL.DATE.
* WL#10620, DevAPI: SHA256 Authentication support.
* WL#10936, DevAPI: Row locking for Crud.Find.
* WL#9868, DevAPI: Configuration handling interface.
* WL#10935, DevAPI: Array or Object 'contains' operator.
* WL#9875, Prepare c/J 8.0 for DEB and RPM builds.
* BUG#26259384, CALLABLE STATEMENT GIVES ERROR IN C/JAVA WHEN RUN AGAINST MYSQL 8.0.
* Bug#26393132, NULLPOINTEREXCEPTION IS THROWN WHEN TRIED TO DROP A NULL COLLECTION.
* WL#10532, DevAPI: Cleanup Drop APIs.
* Bug#87429 (26633984), repeated close of ServerPreparedStatement causes memory leak.
* Bug#87379 (26646676), Perform actual TLS capabilities check when restricting TLSv1.2.
* Bug#85601 (25777822), Unit notation is missing in the description of the property involved in the time.
* Bug#87153 (26501245), INCORRECT RESULT OF DBMD.GETVERSIONCOLUMNS() AGAINST MYSQL 8.0.2+.
* Bug#78313 (21931572), proxies not handling Object.equals(Object) calls correctly.
* Bug#85885 (25874048), resultSetConcurrency and resultSetType are swapped in call to prepareStatement.
* Bug#74932 (20066806), ConnectionImp Doesn't Close Server Prepared Statement (PreparedStatement Leak).
* WL#10536, Deprecating COM_SHUTDOWN.
* Bug#25946965, UPDATE THE TIME ZONE MAPPINGS WITH LATEST TZ DATABASES.
* Bug#20182108, INCLUDE CUSTOM LOAD BALANCING STRATEGY USING PLUGIN API.
* Bug#26440544, CONNECTOR/J SHOULD NOT USE TX_{READ_ONLY,ISOLATION} WHICH IS PLANNED FOR REMOVAL.
* Bug#26399958, UNABLE TO CONNECT TO MYSQL 8.0.3.
* Bug#25650305, GETDATE(),GETTIME() AND GETTIMESTAMP() CALL WITH NULL CALENDAR RETURNS NPE.
Changes in 8.0.7
* Bug#26227653, WL#10528 DIFF BEHAVIOUR WHEN SYSTEM PROP JAVAX.NET.SSL.TRUSTSTORETYPE IS SET.
* WL#10528, DevAPI: Ensure all connectors are secure by default.
* WL#8305, Remove internal dependency on connection objects.
* Bug#22972057, X DEVAPI: CLIENT HANGS AFTER CONNECTION FAILURE.
* Bug#26140577, GIS TESTS ARE FAILING WITH MYSQL 8.0.1.
* WL#10765, DevAPI: Forbid modify() and remove() with no condition.
* Bug#26090721, CONNECTION FAILING WHEN SERVER STARTED WITH COLLATION UTF8MB4_DE_PB_0900_AI_CI.
* WL#10781, enum-based connection properties.
* Bug#73775 (19531384), DBMD.getProcedureColumns()/.getFunctionColumns() fail to filter by columnPattern.
* Bug#84324 (25321524), CallableStatement.extractProcedureName() not work when catalog name with dash.
* Bug#79561 (22333996), NullPointerException when calling a fully qualified stored procedure.
* Bug#84783 (25490163), query timeout is not working(thread hang).
* Bug#70704 (17653733), Deadlock using UpdatableResultSet.
* Bug#66430 (16714868), setCatalog on connection leaves ServerPreparedStatement cache for old catalog.
* Bug#70808 (17757070), Set sessionVariables in a single query.
* Bug#77192 (21170603), Description for the Property replicationConnetionGroup Missing from the Manual.
* Bug#83834 (25101890), Typo in Connector/J error message.
* WL#10531, Support utf8mb4 as default charset.
* Bug#85555 (25757019), useConfigs Can't find configuration template named, in mysql-connector-java 6.x
* WL#10529, Move version number to 8.0.
* WL#10530, DevAPI: Remove XSession, rename NodeSession to Session.
* Bug#23510958, CONCURRENT ASYNC OPERATIONS RESULT IN HANG.
* Bug#23597281, GETNODESESSION() CALL WITH SSL PARAMETERS RETURNS CJCOMMUNICATIONSEXCEPTION.
* Bug#25207784, C/J DOESN'T FOLLOW THE FINAL X DEVAPI MY-193 SPECIFICATION.
* Bug#25494338, ENABLEDSSLCIPHERSUITES PARAMETER NOT WORKING AS EXPECTED WITH X-PLUGIN.
* Bug#84084 (25215008), JAVA.LANG.ARRAYINDEXOUTOFBOUNDSEXCEPTION ON ATTEMPT TO GET VALUE FROM RESULTSET.
* WL#10553, Add mapping for Japanese utf8mb4 collation.
* Bug#25575103, NPE FROM CREATETABLE() WHEN SOME OF THE INPUTS ARE NULL.
* Bug#25575156, NPE FROM CREATEVIEW() WHEN SOME OF THE INPUTS ARE NULL.
* Bug#25636947, CONNECTION USING MYSQL CLIENT FAILS IF WE USE THE SSL CERTIFICATES FROM C/J SRC.
* Bug#25687718, INCORRECT TIME ZONE IDENTIFIER IN STATEMENTREGRESSIONTEST.
* Bug#25556597, RESULTSETTEST.TESTPADDING UNIT TEST IS FAILING IN 5.1.41 RELEASE PACKAGE.
* Bug#25517837, CONNECT PERFORMNACE DEGRADED BY 10% IN 5.1.41.
* Bug#25504578, CONNECT FAILS WHEN CONNECTIONCOLLATION=ISO-8859-13.
* Bug#25438355, Improper automatic deserialization of binary data.
* Bug#70785 (17756825), MySQL Connector/J inconsistent init state for autocommit.
* Bug#66884: Property 'elideSetAutoCommits' temporarily defaults to 'false' until this bug is fixed.
* Bug#75615 (21181249), Incorrect implementation of Connection.setNetworkTimeout().
* Bug#81706 (23535001), NullPointerException in driver.
* Bug#83052 (25048543), static method in com.mysql.jdbc.Util relies on null object.
* Bug#69526 (17035755), 'Abandoned connection cleanup thread' at mysql-connector-java-5.1.25.
* Bug#82826 (24942672), Unneeded version requirement for javax.net.ssl Import-Package on OSGi MANIFEST.MF.
Changes in 6.0.6
* Added Core TLS/SSL options for the mysqlx URI scheme.
* Updated collations map.
* Bug#24350526, UNEXPECTED BEHAVIOUR OF IS_NUMBER_SIGNED API IN C/JAVA.
* Bug#82707 (24512766), WRONG MILLI SECOND VALUE RETURNED FROM TIMESTAMP COLUMN.
* Bug#82005 (23702040), JDBCDATEVALUEFACTORY FAILS TO PARSE SOME DATES.
* Bug#83725 (25056803), NPE IN XPROTOCOL.GETPLUGINVERSION() WITH MYSQL 5.7.17.
* Bug#24525461, UPDATABLE RESULTSET FEATURE FAILS WHEN USESERVERPREPSTMTS=TRUE.
* Bug#24527173, QUERY EXECUTION USING PREPARED STMT FAILS WHEN USECURSORFETCH=TRUE.
* Bug#82964 (24658016), JSR-310 DATA TYPES CREATED THROUGH JAVA.SQL TYPES.
* Bug#81202 (23188159), RESULTSETIMPL.GETOBJECT THROWS NULLPOINTEREXCEPTION WHEN FIELD IS NULL.
* Bug#22931277, COLUMN.GETTYPE() RETURNS ERROR FOR VALID DATATYPES.
* BUG#24471057, UPDATE FAILS WHEN THE NEW VALUE IS OF TYPE DBDOC WHICH HAS ARRAY IN IT.
* Bug#81691 (23519211), GETLASTDOCUMENTIDS() DOESN'T REPORT IDS PROVIDED BY USER.
* Bug#82826 (24942672), Unneeded version requirement for javax.net.ssl Import-Package on OSGi MANIFEST.MF.
Changes in 6.0.5
* BUG#82896 (24613062), Unexpected behavior on attempt to connect to JDBC driver with unsupported URL.
* Added client-side failover during XSession initialization for multi-router configuration.
* Removed Extension interface. All extension classes now implement their specific interfaces.
* Bug#22988922, GETLENGTH() RETURNS -1 FOR LONGBLOB AND LONGTEXT FIELDS.
* Bug#24619829, NEW FAILURES IN C/JAVA UNITTESTS AGAINST MYSQL 8.0.
* Bug#75209 (20212882), Set useLocalTransactionState may result in partially committed transaction.
* Bug#48346 (11756431), Communications link failure when reading compressed data with compressed=true.
* Bug#80631 (22891845), ResultSet.getString return garbled result with json type data.
* Bug#64188 (13702433), MysqlXAConnection.MYSQL_ERROR_CODES_TO_XA_ERROR_CODES is missing XA error codes.
* Bug#72632 (18759269), NullPointerException for invalid JDBC URL.
* Bug#82115 (23743956), Some exceptions are intercepted twice or fail to set the init cause.
* Bug#78685 (21938551), Wrong results when retrieving the value of a BIT column as an integer.
* Bug#80615 (22954007), prepared statement leak when rewriteBatchedStatements=true and useServerPrepStmt.
* Extended X DevAPI with flexible parameter lists.
* Added a virtual NodeSession to X DevAPI.
Changes in 6.0.4
* X DevAPI URL prefix changed from 'mysql:x:' to 'mysqlx:'.
* Bug#24301468 X DEVAPI SSL CONNECTION FAILS ON WINDOWS
* The X DevAPI Table object now represents both database tables and views.
* Added support for matching against pattern for X DevAPI list_objects calls.
* Added Schema.getCollections(String pattern) and Schema.getTables(String pattern) interface methods.
* Switched to 'mysqlx' namespace for X DevAPI StmtExecute messages.
This change is incompatible to MySQL server versions < 5.7.14.
* Bug#82046 (23743947), MYSQL CONNECTOR JAVA OSGI METADATA BROKEN.
* Bug#21690043, CONNECT FAILS WHEN PASSWORD IS BLANK.
* Bug#22931433, GETTING VALUE OF BIT COLUMN RESULTS IN EXCEPTION.
Changes in 6.0.3
* Bug#23535571, EXCESSIVE MEMORY USAGE WHEN ENABLEPACKETDEBUG=TRUE.
* Bug#23212347, ALL API CALLS ON RESULTSET METADATA RESULTS IN NPE WHEN USESERVERPREPSTMTS=TRUE.
* Bug#23201930, CLIENT HANG WHEN RSLT CUNCURRENCY=CONCUR_UPDATABLE AND RSLTSET TYPE=FORWARD_ONLY.
* Bug#23188498, CLIENT HANG WHILE USING SERVERPREPSTMT WHEN PROFILESQL=TRUE AND USEIS=TRUE.
* Bug#22678872, NPE DURING UPDATE WITH FABRIC.
* Bug#71131 (18068303), Poor error message in CallableStatement.java.
* Bug#59462 (16736619), ConcurrentModificationException inside ConnectionImpl.closeAllOpenStatements().
* Bug#22848249, LOADBALANCECONNECTIONGROUPMANAGER.REMOVEHOST() NOT WORKING AS EXPECTED.
* Bug#22730682, ARRAYINDEXOUTOFBOUNDSEXCEPTION FROM CONNECTIONGROUPMANAGER.REMOVEHOST().
* Bug#77171 (21181466), On every connect getting sql_mode from server creates unnecessary exception.
* Bug#79343 (22353759), NPE in TimeUtil.loadTimeZoneMappings causing server time zone value unrecognized.
* Bug#22038729, X DevAPI: Any API call after a failed CALL PROC() results in hang
* Replace Schema.drop(), Collection.drop() by X DevAPI's session.dropSchema() and session.dropCollection().
* Added session.dropTable().
* Bug#22932078, GETTIMESTAMP() RETURNS WRONG VALUE FOR FRACTIONAL PART
* Extracted packet readers from MysqlaProtocol.
* Bug#22972057, X protocol CLIENT HANGS AFTER CONNECTION FAILURE
* Bug#23044312, NullPointerException in X protocol AsyncMessageReader due to race condition
* Returned support for MySQL 5.5 and 5.6.
Changes in 6.0.2
* Deprecate the EOF packet.
* Bug#75956, Inserting timestamps using a server PreparedStatement and useLegacyDatetimeCode=false
* Bug#22385172, CONNECTOR/J MANIFEST DOES NOT EXPOSE FABRIC (OSGi).
* Bug#22598938, FABRICMYSQLDATASOURCE.GETCONNECTION() NPE AFTER SWITCHOVER.
* Bug#21286268, CONNECTOR/J REPLICATION USE MASTER IF SLAVE IS UNAVAILABLE.
* Bug#21296840 & Bug#17910835, Server information in a group from Fabric is not refreshed after expired TTL.
* Bug#56122 (11763419), JDBC4 functionality failure when using replication connections.
* Added support for TLSv1.1 and TLSv1.2
* Bug#78961 (22096981), Can't call MySQL procedure with InOut parameters in Fabric environment.
* Bug#56100 (11763401), Replication driver routes DML statements to read-only slaves.
* StandardSSLSocketFactory implements SocketMetadata.
* Bug#21978216, GETTYPEINFO REPORT MAXIMUM PRECISION OF 255 FOR VARBINARY.
* Bug#78706 (21947042), Prefer TLS where supported by MySQL Server.
* Bug#21934573, FABRIC CODE INVOLVED IN THREAD DEADLOCK.
* Bug#21876798, CONNECTOR/J WITH MYSQL FABRIC AND SPRING PRODUCES PROXY ERROR.
Changes in 6.0.1
* Removed useJvmCharsetConverters connection property. JVM charset converters are now used in all cases.
* Refactored value decoding and removed all date/time connection properties
* Refactored connection properties
* Assume existence of INFORMATION_SCHEMA.PARAMETERS (and thus MySQL 5.5) when preparing stored procedure calls.
* Removed retainStatementAfterResultSetClose connection property.
* Null-merge of Bug#54095 (11761585) fix.
* Removed support code for MySQL server versions < 5.7.
* Bug#76859 (20969312), DBMD getColumns using I_S doesn't have column IS_GENERATEDCOLUMN as per JDBC 4.1.
* Added support for GENERATED COLUMNS.
* Update Time Zone mappings with IANA Time Zone database tsdata2015f and Unicode CLDR v.28.
* Update DatabaseMetaData SQL keywords.
* Added tests for Optimizer hints syntax introduced in MySQL 5.7.7.
* Bug#21860833, JSON DATA TYPE DOESN'T WORK WITH SSPS.
* Added support for JSON data type.
* Added support for JDBC 4.2 new features.
* Bug#16634180, LOCK WAIT TIMEOUT EXCEEDED CAUSES SQLEXCEPTION, SHOULD CAUSE SQLTRANSIENTEXCEPTION
* Bug#75849 (20536592), NPE in abortInternal() method on line 1358 of ConnectionImpl.
* Bug#78106 (21648826), Potential memory leak with inflater.
* Bug#78225 (21697684), DEFAULT NO_AUTO_CREATE_USER SQL_MODE BEHAVIOR BROKE SOME TESTS
* Bug#77665 (21415165), JDBC fails to connect with MySQL 5.0.
* Bug#77681 (21429909), rewrite replace sql like insert when rewriteBatchedStatements=true (contribution).
* Bug#77449 (21304726) Add 'truncateFractionalSeconds=true|false' property (contribution).
* Bug#50348 (11758179), mysql connector/j 5.1.10 render the wrong value for dateTime column in GMT DB.
* Bug#75670 (20433047), Connection fails with 'Public Key Retrieval is not allowed' for native auth.
* Bug#76187 (20675539), getTypeInfo report maximum precision of 255 for varchar.
* Add test for new syntax 'ALTER TABLE ... DISCARD|IMPORT PARTITION ...' introduced in MySQL 5.7.4.
* Bug#20727196, GETPROCEDURECOLUMNS() RETURNS EXCEPTION FOR FUNCTION WHICH RETURNS ENUM/SET TYPE.
* Bug#19803348, GETPROCEDURES() RETURNS INCORRECT OUTPUT WHEN USEINFORMATIONSCHEMA=FALSE.
* Bug#21215151, DATABASEMETADATA.GETCATALOGS() FAILS TO SORT RESULTS.
* Bug#72630 (18758686), NullPointerException during handshake in some situations
* Bug#20825727, CONNECT FAILURE WHEN TRY TO CONNECT SHA USER WITH DIFFERENT CHARSET.
* Flag RowDataDynamic.isInterrupted removed as it isn't needed.
* Bug#20518653, XSL FILES IN PACKAGES
* Bug#20804635, GETTIME() AND GETDATE() FUNCTIONS FAILS WHEN FRACTIONAL PART EXISTS
* Bug#62452 (16444069), NPE thrown in JDBC4MySQLPooledException when statement is closed.
* BUG#70927 (17810800), Connector/J COM_CHANGE_USER handling is broken
* Bug#75335 (20283655), Maven artifact for Connector/J is missing source jar.
* BUG#75592 (20408891), 'SHOW VARIABLES WHERE' is expensive.
* Bug#75113 (20821888), Fail in failover of the connection in MySQL fabric
* Bug#72077 (18425861), Fabric connection with username to a server with disabled auth throws NPE
* Add test for already fixed Bug#72546 (18719760), C/J Fabric createGroup() throws ClassCastException
* Bug#77217 (21184949), ClassCastException when executing a streaming PreparedStatement with Fabric
* Bug#19536760, GETSTRING() CALL AFTER RS.RELATIVE() RETURNS NULLPOINTEREXCEPTION
* BUG#20453712, CLOB.SETSTRING() WITH VALID INPUT RETURNS EXCEPTION
* BUG#20453671, CLOB.POSITION() API CALL WITH CLOB INPUT RETURNS EXCEPTION
* Bug#20685022, SSL CONNECTION TO MYSQL 5.7.6 COMMUNITY SERVER FAILS.
* Bug#20606107, TEST FAILURES WHEN RUNNING AGAINST 5.7.6 SERVER VERSION
* Bug#20533907, BUG#20204783 FIX EXPOSES WRONG BEAHAVIORS IN FAILOVER CONNECTIONS.
* Bug#20504139, GETFUNCTIONCOLUMNS() AND GETPROCEDURECOLUMNS() RETURNS ERROR FOR VALID INPUTS.
* Expose PreparedStatment.ParseInfo for external usage, with no capture of the connection
* Bug#75309 (20272931), mysql connector/J driver in streaming mode will in the blocking state.
* New property 'readOnlyPropagatesToServer' controls the implicit propagation of read only transaction access mode to server.
* Bug#54095 (11761585), Unnecessary call in newSetTimestampInternal.
* Bug#67760 (15936413), Deadlock when concurrently executing prepared statements with Timestamp objects.
* Bug#71084 (18028319), Wrong java.sql.Date stored if client and server time zones differ.
* Bug#75080 (20217686), NullPointerException during setTimestamp on Fabric connection.
* Bug#75168 (20204783), loadBalanceExceptionChecker interface cannot work using JDBC4/JDK7.
* Bug#73595 (19465516), Replace usage of StringBuffer in JDBC driver.
* Bug#18925727, SQL INJECTION IN MYSQL JDBC DRIVER.
* Bug#74998 (20112694), readRemainingMultiPackets not computed correctly for rows larger than 16 MB.
* Bug#73012 (19219158), Precedence between timezone options is unclear.
* Implement support for connecting through SOCKS proxies (WL#8105).
* Ant buildfile reworked to fix incompatibilities with latest Eclipse
* Bug#18474141, TESTSUITE.FABRIC TEST CASES FAIL IF NO FABRIC.TESTSUITE PROPERTIES PROVIDED
* Bug#19383371, CONNECT USING MYSQL_OLD_PASSWORD USER FAILS WHEN PWD IS BLANK
* Bug#17441747, C/J DOESN'T SUPPORT XA RECOVER OUTPUT FORMAT CHANGED IN MYSQL 5.7.
* Bug#19145408, Error messages may not be interpreted according to the proper character set
* Bug#19505524, UNIT TEST SUITE DOES NOT CONSIDER ALL THE PARAMETERS PASSED TO BUILD.XML.
* Bug#73474 (19365473), Invalid empty line in MANIFEST.MF
* Bug#70436 (17527948), Incorrect mapping of windows timezone to Olson timezone.
* Bug73163 (19171665), IndexOutOfBoundsException thrown preparing statement.
* Added support for gb18030 character set
* Bug#73663 (19479242), utf8mb4 does not work for connector/j >=5.1.13
* Bug#73594 (19450418), ClassCastException in MysqlXADataSource if pinGlobalTxToPhysicalConnection=true
* Bug#19354014, changeUser() call results in 'packets out of order' error when useCompression=true.
* Bug#73577 (19443777), CHANGEUSER() CALL WITH USECOMPRESSION=TRUE COULD LEAD TO IO FREEZE
* Bug#19172037, TEST FAILURES WHEN RUNNING AGAINST 5.6.20 SERVER VERSION
* Bug#71923 (18344403), Incorrect generated keys if ON DUPLICATE KEY UPDATE not exact.
* Bug#72502 (18691866), NullPointerException in isInterfaceJdbc() when using DynaTrace
* Bug#72890 (18970520), Java jdbc driver returns incorrect return code when it's part of XA transaction.
* Fabric client now supports Fabric 1.5. Older versions are no longer supported.
* Bug#71672 (18232840), Every SQL statement is checked if it contains 'ON DUPLICATE KEY UPDATE' or not.
* Bug#73070 (19034681), Preparing a stored procedure call with Fabric results in an exception
* Bug#73053 (19022745), Endless loop in MysqlIO.clearInputStream due to Linux kernel bug.
* Bug#18869381, CHANGEUSER() FOR SHA USER RESULTS IN NULLPOINTEREXCEPTION
* Bug#62577 (16722757), XA connection fails with ClassCastException
* Bug#18852587, CONNECT WITH A USER CREATED USING SHA256_PASSWORD PLUGIN FAILS WHEN PWD IS BLANK
* Bug#18852682, TEST TESTSHA256PASSWORDPLUGIN FAILS WHEN EXECUTE AGAINST COMMERCIAL SERVER
* failing tests when running test suite with Java 6+.
* Bug#72712 (18836319), No way to configure Connector JDBC to not do extra queries on connection
- Adjust log4j/log4j-mini dependencies to account for the lack of
log4j12/log4jmini12 Provides in some code streams.
Changes in javapackages-tools:
- Can't assume non-existence of python38 macros in Leap.
gh#openSUSE/python-rpm-macros#107
Test for suse_version instead. Only Tumbleweed has and needs the
python_subpackage_only support.
- Fix typo in spec file sitearch -> sitelib
- Fix the python subpackage generation
gh#openSUSE/python-rpm-macros#79
- Support python subpackages for each flavor
gh#openSUSE/python-rpm-macros#66
- Replace old nose with pytest gh#fedora-java/javapackages#86
- when building extra flavor, BuildRequire javapackages-filesystem:
/etc/java is being cleaned out of the filesystems package.
- Upgrade to version 5.3.1
- Define _rpmmacrodir for distributions that don't have it
- Use %{_rpmmacrodir} instead of %{_libexecdir}/rpm/macros.d: this
just happens to overlap in some distros.
- Rename gradle-local and ivy-local to javapackages-gradle and
javapackages-ivy and let them depend only on javapackages-tools
and javapackages-local. These packages only install files
produced during the javapackages-tools build. The dependencies
will be pulled by gradle-local, ivy-local and maven-local
meta-packages built in a separate spec file.
- Split maven-local meta-package out of javapackages-tools spec
file
- Make the ivy-local and maven-local sub-packages depend on the
right stuff, so that they actually can be used for building
- Provide both com.sun:tools and sun.jdk:jconsole that are part of
standard OpenJDK installation. These provides cannot be generated
from metadata due to build sequence.
+ fix directories for eclipse.conf too
- Make the javapackages-local package depend on java-devel. It is
used for package building and this avoids each package to require
java-devel itself.
- Replace the occurences of /usr/lib by libdir in configuration
files too
- Update to version 5.3.0
- Modified patch:
- Build the :extras flavour as noarch
+ we did not bump epoch of OpenJDK packages in SUSE
+ fix a potential generation of unresolvable requires
+ adapt the tests to not expect the epoch
- Switch to multibuild layout
- Update to version 5.2.0+git20180620.70fa2258:
* Rename the async kwarg in call_script to wait (reverses the logic)
* Actually bump version to 5.3.0 snapshot
* Bump version in VERSION file
* [man] s/Pacakge/Package/g
* Fix typos in README
* Fix configure-base.sh after filesystem macro split
* Split filesystem macros to separate macro file
* Introduce javapackages-filesystem package
* [java-functions] extend ABRT Java agent options
* change abrt-java-connector upstream URL
* Remove resolverSettings/prefixes from XMvn config
* Add macros to allow passing arbitrary options to XMvn
* [spec] Bump package version to 5.1.0
* Allow specifying custom repo when calling xmvn-install
- Update to version 5.0.0+git20180104.9367c8f6:
* [java-functions] Avoid colons in jar names
* Workaround for SCL enable scripts not working with -e
* Second argument to pom_xpath_inject is mandatory
* [mvn_artifact] Provide more helpful error messages
* Fix traceback on corrupt zipfile
* [test] Add reproducer for rhbz#1481005
* [spec] Fix default JRE path
* [readme] Fix typo
* Add initial content to README.md (#21)
* Decouple JAVA_HOME setting from java command alternatives
- Fix url to correct one https://github.com/fedora-java/javapackages
- Split to python and non-python edition for smaller depgraph
- Fix abs2rel shebang:
- Fix Requires on subpackages to point to javapackages-tools proper
- Update to version 4.7.0+git20170331.ef4057e7:
* Reimplement abs2rel in Python
* Don't expand {scl} in macro definitions
* Install expanded rpmfc attr files
* [spec] Avoid file conflicts between in SCL
* Fix macros.d directory ownership
* Make %ant macro enable SCL when needed
* [spec] Fix file conflicts between SCL and non-SCL packages
* Fix ownership of ivyxmldir
* [test] Force locale for python processes
* Don't include timestamp in generated pom.properties
* We switch to /usr/lib/ location for macros
- Try to reduce some dependencies bsc#1036025
- python-lxml 3.5.0 introduces validation for xml comments, and
one of the comments created in this package were not valid.
This patch fixes the problem. It backported from upstream and
should be in the next release.
https://github.com/mizdebsk/javapackages/commit/84211c0ee761e93ee507f5d37e9fc80ec377e89d
- Version update to 4.6.0:
* various bugfixes for maven tooling
* introduction to gradle-local package for gradle packaging
- Drop dependency over source-highlight as it causes build cycle
- Try to break buildcycle detected on Factory
- Fix build on SLE11
- Use python-devel instead of pkgconfig to build on sle11
- Add python-javapackages as requirement for main package
- Update requires on python packages to properly have all the needed
dependencies on runtime
- Install macros to /etc/rpm as we do in SUSE:
- Cleanup with spec-cleaner
- Fix rpmlint errors
- Enable maven-local
- Avoid unsatisfiable dependencies
- Enable unit tests
- Update to version 4.4.0
- create directories for java, so that ant build works
- Add virtual provide jpackage-utils-java9 to be able to
distinguish the presence of java9 compatibility
- fix bashisms
- SLES patch for ZipFile, having no attribute '__exit__' which was causing
ecj build failures
- set correct libxslt package when building for SLES
Changes in javassist:
+ Add OSGi manifest to the javassist.jar
- Allow building on systems that do not have java 9 or higher
- Install and package the maven pom and metadata files
- BuildRequire at least Java 9. This version uses APIs introduced
in Java 9
- Replace old $RPM_* shell vars by macros.
- Version update to 3.23.1:
* 3.23.1 Github PR #171
* 3.23 Fix leaking file handlers in ClassPool and removed
ClassPath.close(). Github issue #165
* 3.22 Java 9 supports.
JIRA JASSIST-261.
- Specify java target and source version 1.6 in order to allow
building with jdk9
- fix javadoc errors that are fatal with jdk9
- Version update to 3.21.0:
* various compiler settings
* Require java >= 1.6
- Update to version 3.19.0
* Including a number of bug fixes and Java 8 supports.
- Clean up specfile
- Remove redundant %clean section
- Build for java API 1.5
- Remove unzip requirement
- Update home page and download source Urls
Changes in protobuf:
- Update to 3.17.3:
C++
* Introduce FieldAccessListener.
* Stop emitting boilerplate {Copy/Merge}From in each ProtoBuf class
* Provide stable versions of SortAndUnique().
* Make sure to cache proto3 optional message fields when they are cleared.
* Expose UnsafeArena methods to Reflection.
* Use std::string::empty() rather than std::string::size() > 0.
* [Protoc] C++ Resolved an issue where NO_DESTROY and CONSTINIT are in incorrect order (#8296)
* Fix PROTOBUF_CONSTINIT macro redefinition (#8323)
* Delete StringPiecePod (#8353)
* Create a CMake option to control whether or not RTTI is enabled (#8347)
* Make util::Status more similar to absl::Status (#8405)
* The ::pb namespace is no longer exposed due to conflicts.
* Allow MessageDifferencer::TreatAsSet() (and friends) to override previous
calls instead of crashing.
* Reduce the size of generated proto headers for protos with string or
bytes fields.
* Move arena() operation on uncommon path to out-of-line routine
* For iterator-pair function parameter types, take both iterators by value.
* Code-space savings and perhaps some modest performance improvements in
* RepeatedPtrField.
* Eliminate nullptr check from every tag parse.
* Remove unused _$name$cached_byte_size fields.
* Serialize extension ranges together when not broken by a proto field in the
middle.
* Do out-of-line allocation and deallocation of string object in ArenaString.
* Streamline ParseContext::ParseMessage to avoid code bloat and improve
performance.
* New member functions RepeatedField::Assign, RepeatedPtrField::{Add, Assign}.
on an error path.
* util::DefaultFieldComparator will be final in a future version of protobuf.
* Subclasses should inherit from SimpleFieldComparator instead.
Kotlin
* Introduce support for Kotlin protos (#8272)
* Restrict extension setter and getter operators to non-nullable T.
Java
* Fixed parser to check that we are at a proper limit when a sub-message has
finished parsing.
* updating GSON and Guava to more recent versions (#8524)
* Reduce the time spent evaluating isExtensionNumber by storing the extension
ranges in a TreeMap for faster queries. This is particularly relevant for
protos which define a large number of extension ranges, for example when
each tag is defined as an extension.
* Fix java bytecode estimation logic for optional fields.
* Optimize Descriptor.isExtensionNumber.
* deps: update JUnit and Truth (#8319)
* Detect invalid overflow of byteLimit and return InvalidProtocolBufferException as documented.
* Exceptions thrown while reading from an InputStream in parseFrom are now
included as causes.
* Support potentially more efficient proto parsing from RopeByteStrings.
* Clarify runtime of ByteString.Output.toStringBuffer().
* Added UnsafeByteOperations to protobuf-lite (#8426)
Python
* Add MethodDescriptor.CopyToProto() (#8327)
* Remove unused python_protobuf.{cc,h} (#8513)
* Start publishing python aarch64 manylinux wheels normally (#8530)
* Fix constness issue detected by MSVC standard conforming mode (#8568)
* Make JSON parsing match C++ and Java when multiple fields from the same
oneof are present and all but one is null.
* Fix some constness / char literal issues being found by MSVC standard conforming mode (#8344)
* Switch on 'new' buffer API (#8339)
* Enable crosscompiling aarch64 python wheels under dockcross manylinux docker image (#8280)
* Fixed a bug in text format where a trailing colon was printed for repeated field.
* When TextFormat encounters a duplicate message map key, replace the current
one instead of merging.
Ruby
* Add support for proto3 json_name in compiler and field definitions (#8356)
* Fixed memory leak of Ruby arena objects. (#8461)
* Fix source gem compilation (#8471)
* Fix various exceptions in Ruby on 64-bit Windows (#8563)
* Fix crash when calculating Message hash values on 64-bit Windows (#8565)
General
* Support M1 (#8557)
- Update to 3.15.8:
- Fixed memory leak of Ruby arena objects (#8461)
- update to 3.15.7:
C++
* Remove the ::pb namespace (alias) (#8423)
Ruby
* Fix unbounded memory growth for Ruby <2.7 (#8429)
* Fixed message equality in cases where the message type is different (#8434)
- Can't assume non-existence of python38 macros in Leap.
gh#openSUSE/python-rpm-macros#107
Test for suse_version instead. Only Tumbleweed has and needs the
python_subpackage_only support.
- update to 3.15.6:
Ruby
* Fixed bug in string comparison logic (#8386)
* Fixed quadratic memory use in array append (#8379)
* Fixed SEGV when users pass nil messages (#8363)
* Fixed quadratic memory usage when appending to arrays (#8364)
* Ruby <2.7 now uses WeakMap too, which prevents memory leaks. (#8341)
* Fix for FieldDescriptor.get(msg) (#8330)
* Bugfix for Message.[] for repeated or map fields (#8313)
PHP
* read_property() handler is not supposed to return NULL (#8362)
Protocol Compiler
* Optional fields for proto3 are enabled by default, and no longer require
the --experimental_allow_proto3_optional flag.
C++
* Do not disable RTTI by default in the CMake build (#8377)
* Create a CMake option to control whether or not RTTI is enabled (#8361)
* Fix PROTOBUF_CONSTINIT macro redefinition (#8323)
* MessageDifferencer: fixed bug when using custom ignore with multiple
unknown fields
* Use init_seg in MSVC to push initialization to an earlier phase.
* Runtime no longer triggers -Wsign-compare warnings.
* Fixed -Wtautological-constant-out-of-range-compare warning.
* DynamicCastToGenerated works for nullptr input for even if RTTI is disabled
* Arena is refactored and optimized.
* Clarified/specified that the exact value of Arena::SpaceAllocated() is an
implementation detail users must not rely on. It should not be used in
unit tests.
* Change the signature of Any::PackFrom() to return false on error.
* Add fast reflection getter API for strings.
* Constant initialize the global message instances
* Avoid potential for missed wakeup in UnknownFieldSet
* Now Proto3 Oneof fields have 'has' methods for checking their presence in
C++.
* Bugfix for NVCC
* Return early in _InternalSerialize for empty maps.
* Adding functionality for outputting map key values in proto path logging
output (does not affect comparison logic) and stop printing 'value' in the
path. The modified print functionality is in the
MessageDifferencer::StreamReporter.
* Fixed https://github.com/protocolbuffers/protobuf/issues/8129
* Ensure that null char symbol, package and file names do not result in a
crash.
* Constant initialize the global message instances
* Pretty print 'max' instead of numeric values in reserved ranges.
* Removed remaining instances of std::is_pod, which is deprecated in C++20.
* Changes to reduce code size for unknown field handling by making uncommon
cases out of line.
* Fix std::is_pod deprecated in C++20 (#7180)
* Fix some -Wunused-parameter warnings (#8053)
* Fix detecting file as directory on zOS issue #8051 (#8052)
* Don't include sys/param.h for _BYTE_ORDER (#8106)
* remove CMAKE_THREAD_LIBS_INIT from pkgconfig CFLAGS (#8154)
* Fix TextFormatMapTest.DynamicMessage issue#5136 (#8159)
* Fix for compiler warning issue#8145 (#8160)
* fix: support deprecated enums for GCC < 6 (#8164)
* Fix some warning when compiling with Visual Studio 2019 on x64 target (#8125)
Python
* Provided an override for the reverse() method that will reverse the internal
collection directly instead of using the other methods of the BaseContainer.
* MessageFactory.CreateProtoype can be overridden to customize class creation.
* Fix PyUnknownFields memory leak (#7928)
* Add macOS big sur compatibility (#8126)
JavaScript
* Generate `getDescriptor` methods with `*` as their `this` type.
* Enforce `let/const` for generated messages.
* js/binary/utils.js: Fix jspb.utils.joinUnsignedDecimalString to work with
negative bitsLow and low but non-zero bitsHigh parameter. (#8170)
PHP
* Added support for PHP 8. (#8105)
* unregister INI entries and fix invalid read on shutdown (#8042)
* Fix PhpDoc comments for message accessors to include '|null'. (#8136)
* fix: convert native PHP floats to single precision (#8187)
* Fixed PHP to support field numbers >=2**28. (#8235)
* feat: add support for deprecated fields to PHP compiler (#8223)
* Protect against stack overflow if the user derives from Message. (#8248)
* Fixed clone for Message, RepeatedField, and MapField. (#8245)
* Updated upb to allow nonzero offset minutes in JSON timestamps. (#8258)
Ruby
* Added support for Ruby 3. (#8184)
* Rewrote the data storage layer to be based on upb_msg objects from the
upb library. This should lead to much better parsing performance,
particularly for large messages. (#8184).
* Fill out JRuby support (#7923)
* [Ruby] Fix: (SIGSEGV) gRPC-Ruby issue on Windows. memory alloc infinite
recursion/run out of memory (#8195)
* Fix jruby support to handle messages nested more than 1 level deep (#8194)
Java
* Avoid possible UnsupportedOperationException when using CodedInputSteam
with a direct ByteBuffer.
* Make Durations.comparator() and Timestamps.comparator() Serializable.
* Add more detailed error information for dynamic message field type
validation failure
* Removed declarations of functions declared in java_names.h from
java_helpers.h.
* Now Proto3 Oneof fields have 'has' methods for checking their presence in
Java.
* Annotates Java proto generated *_FIELD_NUMBER constants.
* Add -assumevalues to remove JvmMemoryAccessor on Android.
C#
* Fix parsing negative Int32Value that crosses segment boundary (#8035)
* Change ByteString to use memory and support unsafe create without copy (#7645)
* Optimize MapField serialization by removing MessageAdapter (#8143)
* Allow FileDescriptors to be parsed with extension registries (#8220)
* Optimize writing small strings (#8149)
- Updated URL to https://github.com/protocolbuffers/protobuf
- Update to v3.14.0
Protocol Compiler
* The proto compiler no longer requires a .proto filename when it is not
generating code.
* Added flag `--deterministic_output` to `protoc --encode=...`.
* Fixed deadlock when using google.protobuf.Any embedded in aggregate options.
C++
* Arenas are now unconditionally enabled. cc_enable_arenas no longer has
any effect.
* Removed inlined string support, which is incompatible with arenas.
* Fix a memory corruption bug in reflection when mixing optional and
non-optional fields.
* Make SpaceUsed() calculation more thorough for map fields.
* Add stack overflow protection for text format with unknown field values.
* FieldPath::FollowAll() now returns a bool to signal if an out-of-bounds
error was encountered.
* Performance improvements for Map.
* Minor formatting fix when dumping a descriptor to .proto format with
DebugString.
* UBSAN fix in RepeatedField
* When running under ASAN, skip a test that makes huge allocations.
* Fixed a crash that could happen when creating more than 256 extensions in
a single message.
* Fix a crash in BuildFile when passing in invalid descriptor proto.
* Parser security fix when operating with CodedInputStream.
* Warn against the use of AllowUnknownExtension.
* Migrated to C++11 for-range loops instead of index-based loops where
possible. This fixes a lot of warnings when compiling with -Wsign-compare.
* Fix segment fault for proto3 optional
* Adds a CMake option to build `libprotoc` separately
Java
* Bugfix in mergeFrom() when a oneof has multiple message fields.
* Fix RopeByteString.RopeInputStream.read() returning -1 when told to read
0 bytes when not at EOF.
* Redefine remove(Object) on primitive repeated field Lists to avoid
autoboxing.
* Support '\u' escapes in textformat string literals.
* Trailing empty spaces are no longer ignored for FieldMask.
* Fix FieldMaskUtil.subtract to recursively remove mask.
* Mark enums with `@java.lang.Deprecated` if the proto enum has option
`deprecated = true;`.
* Adding forgotten duration.proto to the lite library
Python
* Print google.protobuf.NullValue as null instead of 'NULL_VALUE' when it is
used outside WKT Value/Struct.
* Fix bug occurring when attempting to deep copy an enum type in python 3.
* Add a setuptools extension for generating Python protobufs
* Remove uses of pkg_resources in non-namespace packages
* [bazel/py] Omit google/__init__.py from the Protobuf runtime
* Removed the unnecessary setuptools package dependency for Python package
* Fix PyUnknownFields memory leak
PHP
* Added support for '==' to the PHP C extension
* Added `==` operators for Map and Array
* Native C well-known types
* Optimized away hex2bin() call in generated code
* New version of upb, and a new hash function wyhash in third_party
* add missing hasOneof method to check presence of oneof fields
Go:
* Update go_package options to reference google.golang.org/protobuf module.
C#:
* annotate ByteString.CopyFrom(ReadOnlySpan<byte>) as SecuritySafeCritical
* Fix C# optional field reflection when there are regular fields too
* Fix parsing negative Int32Value that crosses segment boundary
Javascript:
* JS: parse (un)packed fields conditionally
- from version 3.13.0
PHP:
* The C extension is completely rewritten. The new C extension has significantly
better parsing performance and fixes a handful of conformance issues. It will
also make it easier to add support for more features like proto2 and proto3 presence.
* The new C extension does not support PHP 5.x. PHP 5.x users can still use pure-PHP.
C++:
* Removed deprecated unsafe arena string accessors
* Enabled heterogeneous lookup for std::string keys in maps.
* Removed implicit conversion from StringPiece to std::string
* Fix use-after-destroy bug when the Map is allocated in the arena.
* Improved the randomness of map ordering
* Added stack overflow protection for text format with unknown fields
* Use std::hash for proto maps to help with portability.
* Added more Windows macros to proto whitelist.
* Arena constructors for map entry messages are now marked 'explicit'
(for regular messages they were already explicit).
* Fix subtle aliasing bug in RepeatedField::Add
* Fix mismatch between MapEntry ByteSize and Serialize with respect to unset
fields.
Python:
* JSON format conformance fixes:
* Reject lowercase t for Timestamp json format.
* Print full_name directly for extensions (no camelCase).
* Reject boolean values for integer fields.
* Reject NaN, Infinity, -Infinity that is not quoted.
* Base64 fixes for bytes fields: accept URL-safe base64 and missing padding.
* Bugfix for fields/files named 'async' or 'await'.
* Improved the error message when AttributeError is returned from __getattr__
in EnumTypeWrapper.
Java:
* Fixed a bug where setting optional proto3 enums with setFooValue() would
not mark the value as present.
* Add Subtract function to FieldMaskUtil.
C#:
* Dropped support for netstandard1.0 (replaced by support for netstandard1.1).
This was required to modernize the parsing stack to use the `Span<byte>`
type internally
* Add `ParseFrom(ReadOnlySequence<byte>)` method to enable GC friendly
parsing with reduced allocations and buffer copies
* Add support for serialization directly to a `IBufferWriter<byte>` or
to a `Span<byte>` to enable GC friendly serialization.
The new API is available as extension methods on the `IMessage` type
* Add `GOOGLE_PROTOBUF_REFSTRUCT_COMPATIBILITY_MODE` define to make
generated code compatible with old C# compilers (pre-roslyn compilers
from .NET framework and old versions of mono) that do not support
ref structs. Users that are still on a legacy stack that does
not support C# 7.2 compiler might need to use the new define
in their projects to be able to build the newly generated code
* Due to the major overhaul of parsing and serialization internals,
it is recommended to regenerate your generated code to achieve the best
performance (the legacy generated code will still work, but might incur
a slight performance penalty).
- Fix the python subpackage generation
gh#openSUSE/python-rpm-macros#79
- Support multiple python3 flavors gh#openSUSE/python-rpm-macros#66
- Update to version 3.12.3; notable changes since 3.11.4:
Protocol Compiler
* [experimental] Singular, non-message typed fields in proto3 now support
presence tracking. This is enabled by adding the 'optional' field label and
passing the --experimental_allow_proto3_optional flag to protoc.
* For usage info, see docs/field_presence.md.
* During this experimental phase, code generators should update to support
proto3 presence, see docs/implementing_proto3_presence.md for instructions.
* Allow duplicate symbol names when multiple descriptor sets are passed on
the command-line, to match the behavior when multiple .proto files are passed.
* Deterministic `protoc --descriptor_set_out` (#7175)
Objective-C
* Tweak the union used for Extensions to support old generated code. #7573
* Fix for the :protobuf_objc target in the Bazel BUILD file. (#7538)
if p['result'] == 'FAIL':
* [experimental] ObjC Proto3 optional support (#7421)
* Block subclassing of generated classes (#7124)
* Use references to Obj C classes instead of names in descriptors. (#7026)
* Revisit how the WKTs are bundled with ObjC. (#7173)
C++
* Simplified the template export macros to fix the build for mingw32. (#7539)
* [experimental] Added proto3 presence support.
* New descriptor APIs to support proto3 presence.
* Enable Arenas by default on all .proto files.
* Documented that users are not allowed to subclass Message or MessageLite.
* Mark generated classes as final; inheriting from protos is strongly discouraged.
* Add stack overflow protection for text format with unknown fields.
* Add accessors for map key and value FieldDescriptors.
* Add FieldMaskUtil::FromFieldNumbers().
* MessageDifferencer: use ParsePartial() on Any fields so the diff does not
fail when there are missing required fields.
* ReflectionOps::Merge(): lookup messages in the right factory, if it can.
* Added Descriptor::WellKnownTypes enum and Descriptor::well_known_type()
accessor as an easier way of determining if a message is a Well-Known Type.
* Optimized RepeatedField::Add() when it is used in a loop.
* Made proto move/swap more efficient.
* De-virtualize the GetArena() method in MessageLite.
* Improves performance of json_stream_parser.cc by factor 1000 (#7230)
* bug: #7076 undefine Windows OUT and OPTIONAL macros (#7087)
* Fixed a bug in FieldDescriptor::DebugString() that would erroneously print
an 'optional' label for a field in a oneof.
* Fix bug in parsing bool extensions that assumed they are always 1 byte.
* Fix off-by-one error in FieldOptions::ByteSize() when extensions are present.
* Clarified the comments to show an example of the difference between
Descriptor::extension and DescriptorPool::FindAllExtensions.
* Add a compiler option 'code_size' to force optimize_for=code_size on all
protos where this is possible.
Ruby
* Re-add binary gems for Ruby 2.3 and 2.4. These are EOL upstream, however
many people still use them and dropping support will require more
coordination.
* [experimental] Implemented proto3 presence for Ruby. (#7406)
* Stop building binary gems for ruby <2.5 (#7453)
* Fix for wrappers with a zero value (#7195)
* Fix for JSON serialization of 0/empty-valued wrapper types (#7198)
* Call 'Class#new' over rb_class_new_instance in decoding (#7352)
* Build extensions for Ruby 2.7 (#7027)
* assigning 'nil' to submessage should clear the field. (#7397)
Java
* [experimental] Added proto3 presence support.
* Mark java enum _VALUE constants as @Deprecated if the enum field is deprecated
* reduce <clinit> size for enums with allow_alias set to true.
* Sort map fields alphabetically by the field's key when printing textproto.
* Fixed a bug in map sorting that appeared in -rc1 and -rc2 (#7508).
* TextFormat.merge() handles Any as top level type.
* Throw a descriptive IllegalArgumentException when calling
getValueDescriptor() on enum special value UNRECOGNIZED instead of
ArrayIndexOutOfBoundsException.
* Fixed an issue with JsonFormat.printer() where setting printingEnumsAsInts()
would override the configuration passed into includingDefaultValueFields().
* Implement overrides of indexOf() and contains() on primitive lists returned
for repeated fields to avoid autoboxing the list contents.
* Add overload to FieldMaskUtil.fromStringList that accepts a descriptor.
* [bazel] Move Java runtime/toolchains into //java (#7190)
Python
* [experimental] Added proto3 presence support.
* [experimental] fast import protobuf module, only works with cpp generated code linked in.
* Truncate 'float' fields to 4 bytes of precision in setters for pure-Python
implementation (C++ extension was already doing this).
* Fixed a memory leak in C++ bindings.
* Added a deprecation warning when code tries to create Descriptor objects
directly.
* Fix unintended comparison between bytes and string in descriptor.py.
* Avoid printing excess digits for float fields in TextFormat.
* Remove Python 2.5 syntax compatibility from the proto compiler generated _pb2.py module code.
* Drop 3.3, 3.4 and use single version docker images for all python tests (#7396)
JavaScript
* Fix js message pivot selection (#6813)
PHP
* Persistent Descriptor Pool (#6899)
* Implement lazy loading of php class for proto messages (#6911)
* Correct @return in Any.unpack docblock (#7089)
* Ignore unknown enum value when ignore_unknown specified (#7455)
C#
* [experimental] Add support for proto3 presence fields in C# (#7382)
* Mark GetOption API as obsolete and expose the 'GetOptions()' method on descriptors instead (#7491)
* Remove Has/Clear members for C# message fields in proto2 (#7429)
* Enforce recursion depth checking for unknown fields (#7132)
* Fix conformance test failures for Google.Protobuf (#6910)
* Cleanup various bits of Google.Protobuf (#6674)
* Fix latest ArgumentException for C# extensions (#6938)
* Remove unnecessary branch from ReadTag (#7289)
Other
* Add a proto_lang_toolchain for javalite (#6882)
* [bazel] Update gtest and deprecate //external:{gtest,gtest_main} (#7237)
* Add application note for explicit presence tracking. (#7390)
* Howto doc for implementing proto3 presence in a code generator. (#7407)
- Python: Add requirement on python-six
- Update to version 3.11.4; notable changes since 3.9.2:
* C++: Make serialization method naming consistent
* C++: Moved ShutdownProtobufLibrary() to message_lite.h. For
backward compatibility a declaration is still available
in stubs/common.h, but users should prefer message_lite.h
* C++: Removed non-namespace macro EXPECT_OK()
* C++: Removed mathlimits.h from stubs in favor of using
std::numeric_limits from C++11
* C++: Support direct pickling of nested messages
* C++: Disable extension code gen for C#
* C++: Switch the proto parser to the faster MOMI parser
* C++: Unused imports of files defining descriptor extensions
will now be reported
* C++: Add proto2::util::RemoveSubranges to remove multiple
subranges in linear time
* C++: Support 32 bit values for ProtoStreamObjectWriter to Struct
* C++: Removed the internal-only header coded_stream_inl.h and
the internal-only methods defined there
* C++: Enforced no SWIG wrapping of descriptor_database.h
(other headers already had this restriction)
* C++: Implementation of the equivalent of the MOMI parser for
serialization. This removes one of the two serialization
routines, by making the fast array serialization routine
completely general. SerializeToCodedStream can now be
implemented in terms of the much much faster array
serialization. The array serialization regresses slightly,
but when array serialization is not possible this wins big
* C++: Add move constructor for Reflection's SetString
* Java: Remove the usage of MethodHandle, so that Android users
prior to API version 26 can use protobuf-java
* Java: Publish ProGuard config for javalite
* Java: Include unknown fields when merging proto3 messages in
Java lite builders
* Java: Have oneof enums implement a separate interface (other
than EnumLite) for clarity
* Java: Opensource Android Memory Accessors
* Java: Change ProtobufArrayList to use Object[] instead of
ArrayList for 5-10% faster parsing
* Java: Make a copy of JsonFormat.TypeRegistry at the protobuf
top level package. This will eventually replace
JsonFormat.TypeRegistry
* Java: Add Automatic-Module-Name entries to the Manifest
* Python: Add float_precision option in json format printer
* Python: Optionally print bytes fields as messages in unknown
fields, if possible
* Python: Experimental code gen (fast import protobuf module)
which only work with cpp generated code linked in
* Python: Add descriptor methods in descriptor_pool are deprecated
* Python: Added delitem for Python extension dict
* JavaScript: Remove guard for Symbol iterator for jspb.Map
* JavaScript: Remove deprecated boolean option to getResultBase64String()
* JavaScript: Change the parameter types of binaryReaderFn in
ExtensionFieldBinaryInfo to (number, ?, ?)
* JavaScript: Create dates.ts and time_of_days.ts to mirror Java
versions. This is a near-identical conversion of
c.g.type.util.{Dates,TimeOfDays} respectively
* JavaScript: Migrate moneys to TypeScript
* PHP: Increase php7.4 compatibility
* PHP: Implement lazy loading of php class for proto messages
* Ruby: Support hashes for struct initializers
* C#: Experimental proto2 support is now officially available
* C#: Change _Extensions property to normal body rather than expression
* Objective C: Remove OSReadLittle* due to alignment requirements
* Other: Override CocoaPods module to lowercase
* further bugfixes and optimisations
- Use tarball provided by upstream
- Small package cleanup
- Updated to version 3.9.2 (bsc#1162343)
(Objective-C)
* Remove OSReadLittle* due to alignment requirements. (#6678)
* Don't use unions and instead use memcpy for the type swaps. (#6672)
- Package also the protobuf-bom pom file
- Update to new upstream release 3.9.1
* Optimized the implementation of RepeatedPtrFieldBase.
* Added delimited parse and serialize util.
* Added FieldDescriptor::PrintableNameForExtension() and
DescriptorPool::FindExtensionByPrintableName(). The latter
will replace Reflection::FindKnownExtensionByName().
* Created a new Add method in repeated field that allows adding
a range of elements all at once.
* Drop building wheel for Python 3.4.
- Specify java source and target levels in order to build
compatible protobuf-java binaries
- Update to new upstream release 3.8.0
* Introduced new MOMI (maybe-outside-memory-interval) parser.
* Added use of C++ override keyword where appropriate.
* Always declare enums to be int-sized.
* Append '_' to C++ reserved keywords for message, enum, extension.
- Disable LTO (boo#1133277).
- fixes build with Bazel 0.22.0.
- Add protobuf-source package - some programs using gRPC and
protobuf need protobuf definitions which are included inside the
source code, but are not included in the devel package.
- Add maven pom files to the protobuf-java package
- update to version v3.6.1:
* PHP namespaces for nested messages and enums (#4536)
* Allows the json marshaller to be passed json marshal options (#4252)
* Make sure to delete temporary maps used by FileDescriptorTables
* fix python cpp kokoro build
* Change C# reflection to avoid using expression trees
* Updated checked-in generated code
* Removed unused variables in repeated_scalar_container.cc
* Removed unused code pertaining to shared_ptr
* Include no_package.proto in Python test
* Only check filenames when end with .py in _CalledFromGeneratedFile() (#4262)
* Convert descriptortype to type for upb_msgval_sizeof (#4357)
* Removed duplicate using statement from ReflectionUtil.cs
* Add support for power ppc64le
* Cat the test-suite.log on errors for presubits
* Address review comments
* Add third-party RPC implementation: raster - a network framework supports pbrpc by 'service' keyword.
* Delete javanano kokoro build configs.
* Updated Ruby conformance test failure list
* Removed use of some type traits
* Adopt php_metadata_namespace in php code generator (#4622)
* Move to Xcode 9.3 which also means a High Sierra image.
* Add protoc release script for Linux build.
* protoc-artifacts: Avoid storing temporary files and use fewer layers
* Rewrite go_benchmark
* Add files to build ruby artifact for mac on kokoro (#4814)
* Remove javanano.
* Comment out unused command from release script.
* Avoid direct check of class name (#4601)
* The JsonParseOptions::ignore_unknown_fields option behavior treats
* Fix php memory leak test (#4692)
* Fix benchmark build
* Add VS2017 optional component dependency details to the C# readme (#4128)
* Fix initialization with Visual Studio
* For windows, all python version should use /MT (#4468)
* use brew install instead of easy_install in OSX (#4537)
* Sync upb change (#4373)
* Always add -std=c++11 for mac (#4684)
* Add kokoro build status badges.
* Removed unrecognized option from no_package.proto
* Fixed up proto3_lite_unittest.cc
* Update Xcode settings
* Cleanup LICENSE file.
* Remove js_embed binary. (#4709)
* Fixed JS parsing of unspecified map keys
* Update version number to 3.6.0
* Deliberately call simple code to avoid Unity linker pruning
* Revert 'Move `compiler/plugin.pb.cc` to libprotobuf with the other WKT sources.'
* protoc-artifacts: Use ENTRYPOINT to enable devtoolset-1.1
* MinGW build failed
* Support using MSVC intrinsics in Log2FloorNonZero
* Fix array constructor in c extension for compatibility (#4667)
* Add space between class name and concat message (#4577)
* fix python
* Add performance.md and add instruction for linking tcmalloc
* Add script for run and upload the benchmark result to bq
* Add test for failing write of raw pointer to output stream
* [objectivec] Fix memory leak of exceptions raised by RaiseException() (#4556)
* Remove stray indent on normal imports.
* Fix python ext build on kokoro (#4527)
* Add compile test sources for to test include order.
* Fixed a Visual Studio 2017 build error. (#4488)
* fix linux kokoro build in docker
* Fixes MSVC compiler warning C4800 'Forcing value to bool 'true' or 'false'' (#4350)
* Updated Docker setup to use GCC 4.8
* Remove broken build status icons.
* Run autogen.sh in release script.
* Output *_pb2_grpc.py when use_grpc_plugin=True
* Adopt ruby_package in ruby generated code. (#4627)
* Cygwin build failed
* Work around an 'old runtime' issue with reflection
* Added Kokoro protoc release build for OS X (#4770)
* Updated change log for 3.6.1 release
* Move methods out of class (#4697)
* Fix to allow AOT compilers to play nicely with reflection
* Update Makefile.am for Java lite files.
* Added map_lite_test.proto to fix LiteTest
* Introduce a compatiblity shim to support .NET 3.5 delegate creation
* Revert 'Removed mention of Buffer in byteSourceToUint8Array'
* Add gogo benchmark
* Set ext.no_native = true for non mac platform
* Removed atomicops.h since it is no longer used
* Rename a shadowed variable.
* Add kokoro bazel configs for 3.6.x branch.
* Deleted scoped_ptr.h
* Check the message to be encoded is the wrong type. (#4885) (#4949)
* protoc-artifacts: Avoid checking out protobuf code
* Add conformance test for null value in list JSON
* Build ruby gem on kokoro (#4819)
* Try using a new version of Visual Studio on AppVeyor
* Make ruby release configs consistent with protoc.
* fix for API change in PHP 7.3 (#4898)
* Add .proto files to extract_includes.bat
* Update protoc build scripts.
* Blacklist all WELL_KNOWN_PROTOS from Bazel C++ code generation.
* Additional support for building and deploying ppcle_64 artifacts
* Fix php tests
* Cleanup + documentation for Java Lite runtime.
* Added Kokoro Windows release build config for protoc (#4766)
* typo
* fix golang kokoro linux build
* Fix spelling error of __GNUC_MINOR__
* Update code to work for Xcode 10b1 (#4729)
* Added pyext/thread_unsafe_shared_ptr.h
* Added missing .inc files to BUILD
* js message support for jstype string on integers (#4332)
* Improve error message when googletest is missing.
* Make assertEquals pass for message (#4947)
* Sync internal benchmark changes
* Removed some unused C++ source files
* Fix missing LIBPROTOC_EXPORT.
* Added new test source files to Makefile.am
* Update php version to 3.6.0 (#4736)
* Fix RepeatedField#delete_if (#4292)
* Merge branch (#4466)
* Implement array constructor in php c extension.
* protoc-artifacts: Update centos base from 6.6 to 6.9
* PHP array constructors for protobuf messages (#4530)
* Fix problem: cmake build failed in c++11 by clang
* Don't assume Windows builds use MSVC.
* Use legacy name in php runtime (#4741)
* Add file option php_metadata_namespace and ruby_package (#4609)
* Fix cpp benchmark dependency on mac
* Use the first enum value instead of 0 in DefaultValueObjectWriter::FindEnumDefault
* Check return value on write of raw pointer
* Delete unused directories.
* Replace //:protoc and similar default macro arguments with
* Add extra C# file to Makefile.am
* includes the expected class in the exception, otherwise the error is harder to track down (#3371)
* Update instructions about getting protobuf source.
* Add cpp tests under release docker image.
* fix java benchmark, fix dashboard build
* `update_file_lists.sh` depends on Bash features, thus needs Bash sebang.
* Rename build_artifacts.cfg to release.cfg (#4818)
* Fix bug: whether always_print_enums_as_ints is true or false, it always print the default value of enums as strings
* source code info for interpreted options; fix source code info for extension range options (#4342)
* Updated version numbers to 3.6.1
* Trim imports for bundled generated protos.
* Require C++11 and pass -std=c++11
* Remove the iOS Test App.
* fix duplicate mkdir in update_file_lists.sh
* Updated csharp/README.md to reflect testing changes
* Fix bazel build of examples.
* Add missing ruby/tests/test_ruby_package.proto
* Fix cpp_distcheck
* Updated the change log with changes for 3.6.0
* some fix
* CMake: Update CXX Standard management
* Add the files added in #4485.
* Change to deal all messages in one loop
* Fix php conformance test.
* Add __init__.py files to compiler and util subpackages (#4117)
* Updated .gitignore to exclude downloaded gmock/ directory
* Fix error in Clang UndefinedBehaviorSanitizer
* Work around MSVC issue with std::atomic initialization (#4777)
* Updated conformance failure lists
* Add back GeneratedClassName to public (#4686)
* Add continuous test for ruby 2.3, 2.4 and 2.5 (#4829)
* Throw error if user want to access message properties (#4603)
* fix json_decode call parameters (#4381)
* Move `compiler/plugin.pb.cc` to libprotobuf with the other WKT sources.
* PHP: fixed typo in message.c
* Add go benchmark
* Allow list values to be null when parsing
* Added instruction for existing ZLIB configuration
* Fix 32bit php tests
* Removed javanano from post_process_dist.sh
* Don't generate imports for the WKTs unless generating the WKTs.
* For encoding upb needs descriptor type instead of type. (#4354)
* Include googletest as a submodule (#3993)
* Write messages to backing field in generated C# cloning code (#4440)
* Integrated internal changes from Google
- bump soname version
update to version v3.5.2:
* Update release date
* Disable pip cache when testing uploaded packages
* Replace private timelib_update_ts with public date_timestamp_get
* Remove py2.6 support.
* Cherrypick for csharp, including:
* Update changelog
* Update changelog for 3.5.1
* Fix uploading binary wheel.
* Fix memory leak when creating map field via array.
* Update rake file to build of 2.1.6.
* Avoid using php_date_get_date_ce() in case date extension is not
* Update protoc-artfacts
* Fix string::back() usage in googletest.cc
* Fix memory leak in php7
* Support ruby2.5
* io_win32: support non-ASCII paths
* Explicitly propagate the status of Flush().
* Add discard unknown API in ruby. (#3990)
* Update version for 3.5.0.post1
* remove nullptr
* Fix more memory leak for php c extension (#4211)
* Bumping number to fix ruby 2.1 on mac
* io_win32_unittest: remove incorrect error check
* Fix memory leak when creating repeated field via array.
* Update version number for php c extension (#3896)
* Fix file permission for python package.
* Create containing directory before generating well_known_types_embed.cc
* Replace C++11 only method std::map::at
* Recursively clear unknown fields in submessages. (#3982)
* Update version number to 3.5.1
* io_win32_unittest: fix condition in GetCwdAsUtf8
* Add release log
* io_win32_unittest: use CWD as last tempdir
* Add PROTOBUF_ENABLE_TIMESTAMP to let user decide whether timestamp util
* Add support for Windows ARM64 build
* Add protobuf-all in post release
* Use fully qualifed name for DescriptorPool in Any.php to avoid name (#3886)
* Add _file_desc_by_toplevel_extension back
* Fix setup.py for windows build.
* io_win32_unittest: make //:win32_test run again
* Provide discardUnknonwnFields API in php (#3976)
* Update php c extension version number to 3.5.0.1
* Fix ruby gc_test in ruby 2.4 (#4011)
* Remove duplicate typedef. (#3975)
* Accept DatetimeInterface in fromDatetime
* io_win32: add more encoding-related tests
* Bump version number to 3.5.2
* Bump protoc-artifact version for a patch rebuild
* Call php method via function name instead of calling directly.
* Well known types are not initialized properly. (#4139)
* Use matching enum type for IsPOD.
* Fix several more memory leak
* Fix for php5.5
* Add backslach to make class explict in global namespace
* Fix compile error undefined reference to
`google::protobuf::internal::Release_CompareAndSwap(long volatile*, long, long)'
on s390x https://github.com/google/protobuf/issues/3937
- Conditionalize python2 and python3 in order to be able to build
without python2 present in distribution
* Use singlespec macros to simplify the logic
- Run fdupes on python modules to avoid duplicates
- Remove shebangs from import-only code
- Update to new upstream release 3.5.0
* Proto3 messages are now preserving unknown fields by default.
If you rely on unknowns fields being dropped, use
DiscardUnknownFields() explicitly.
* Deprecated the unsafe_arena_release_* and
unsafe_arena_add_allocated_* methods for string fields.
* Added move constructor and move assignment to RepeatedField,
RepeatedPtrField and google::protobuf::Any.
* Added perfect forwarding in Arena::CreateMessage.
* In-progress experimental support for implicit weak fields
with lite protos. This feature allows the linker to strip out
more unused messages and reduce binary size.
- Rename %soname to %sover to better reflect its use.
- Install LICENSE
- Update to 3.3.0 :
* C++:
* Fixed map fields serialization of DynamicMessage to correctly serialize
both key and value regardless of their presence.
* Parser now rejects field number 0 correctly.
* New API Message::SpaceUsedLong() that’s equivalent to
Message::SpaceUsed() but returns the value in size_t.
* JSON support
- New flag always_print_enums_as_ints in JsonPrintOptions.
- New flag preserve_proto_field_names in JsonPrintOptions. It will instruct
the JSON printer to use the original field name declared in the .proto
file instead of converting them to lowerCamelCase when printing JSON.
- JsonPrintOptions.always_print_primtive_fields now works for oneof message
fields.
- Fixed a bug that doesn’t allow different fields to set the same json_name
value.
- Fixed a performance bug that causes excessive memory copy when printing
large messages.
* Various performance optimizations.
* Java:
* Map field setters eagerly validate inputs and throw NullPointerExceptions
as appropriate.
* Added ByteBuffer overloads to the generated parsing methods and the Parser
interface.
* proto3 enum's getNumber() method now throws on UNRECOGNIZED values.
* Output of JsonFormat is now locale independent.
* Python:
* Added FindServiceByName() in the pure-Python DescriptorPool. This works only
for descriptors added with DescriptorPool.Add(). Generated descriptor_pool
does not support this yet.
* Added a descriptor_pool parameter for parsing Any in text_format.Parse().
* descriptor_pool.FindFileContainingSymbol() now is able to find nested
extensions.
* Extending empty [] to repeated field now sets parent message presence.
- Update to 3.2.0 :
* Added protoc version number to protoc plugin protocol. It can be used by
protoc plugin to detect which version of protoc is used with the plugin and
mitigate known problems in certain version of protoc.
* C++:
* The default parsing byte size limit has been raised from 64MB to 2GB.
* Added rvalue setters for non-arena string fields.
* Enabled debug logging for Android.
* Fixed a double-free problem when using Reflection::SetAllocatedMessage()
with extension fields.
* Fixed several deterministic serialization bugs:
* MessageLite::SerializeAsString() now respects the global deterministic
serialization flag.
* Extension fields are serialized deterministically as well. Fixed protocol
compiler to correctly report importing-self as an error.
* Fixed FileDescriptor::DebugString() to print custom options correctly.
* Various performance/codesize optimizations and cleanups.
* Java:
* The default parsing byte size limit has been raised from 64MB to 2GB.
* Added recursion limit when parsing JSON.
* Fixed a bug that enumType.getDescriptor().getOptions() doesn't have custom
options.
* Fixed generated code to support field numbers up to 2^29-1.
* Python:
* You can now assign NumPy scalars/arrays (np.int32, np.int64) to protobuf
fields, and assigning other numeric types has been optimized for
performance.
* Pure-Python: message types are now garbage-collectable.
* Python/C++: a lot of internal cleanup/refactoring.
- Increase soname to 13
- Generate python2-protobuf and python3-protobuf packages in Factory
- Make the python2-protobuf package provide and obsolete python-protobuf
to make the transition smooth in Tumbleweed
- Fix an issue with setup.py where some files are built on the
first invocation, but only copied on the second. This resulted
in an incomplete protobuf-python package.
- Update to protobuf v3.1.0. Protobuf v3.0.0 introduceced a new
version of the protocol buffer language, proto3, which supersedes
proto2.
The protoc compiler is able to read old proto2 protocol definitions,
and defaults to the proto2 syntax if a syntax is not specified, thus
packages can be recompiled to link to the new library. For backwards
compatibility, the old library version is available from the
protobuf2 package.
As the API for proto2 is not compatible to the proto3 API, proto3
should only be used for new Protocol Buffers, whereas current users
are advised to keep using proto2. For a detailed list of changes,
see https://github.com/google/protobuf/releases
- Use py_sitedir for library installation with setup.py install
- Drop protobuf-libs as it is just workaround for rpmlint issue
- Cleanup specfile:
* remove any conditionals for versions predating SLES 12/Leap 42.x
* add Provides: protobuf-libs to fix rpmlint warning
Changes in python-python-gflags:
- Don't provide python2-gflags, singlespec packages should use
correct name.
- Provide python-gflags in the python2 package
- Fix URL.
- Update to version 3.1.1
* Added PEP8 style method/function aliases.
- Update to version 3.1.0
* Python3 compatibility
* Removed UnrecognizedFlag exception.
* Replaced flags.DuplicateFlag with flags.DuplicateFlagError.
* Moved the validators.Error class to exceptions.ValidationError.
* Renamed IllegalFlagValue to IllegalFlagValueError.
* Removed MutualExclusionValidator class, in favor of flags.MarkFlagsAsMutualExclusive.
* Removed FlagValues.AddValidator method.
* Removed _helpers.GetMainModule.
* Use xml.dom.minidom to create XML strings, instead of manual crafting.
* Declared PEP8-style names.
* Added examples.
- Update to version 3.0.7
* Removed the unused method ShortestUniquePrefixes.
* Removed _GetCallingModule function alias.
- Update to version 3.0.6
* Declared pypi package classifiers.
* Added support for CLIF flag processing (not included in python-gflags repo
yet).
- Update to version 3.0.5
* Added a warning when FLAGS.SetDefault is used after flags were parsed.
* Added new function: MarkFlagsAsRequired.
- Update to version 3.0.4
* One more fix for setup.py - this time about third_party package.
- Update to version 3.0.3
* Fixed setup.py.
* --noflag if argument is given is no longer allowed.
* Python3 compatibility: removed need for cgi import.
* Disallowed unparsed flag usage after FLAGS.Reset()
- Update to version 3.0.2
* Fix MANIFEST.in to include all relevant files.
- Update to version 3.0.1
* Some changes for python3 compatibility.
* Automatically generate ordering operations for Flag.
* Add optional comma compatibility to whitespace-separated list flags.
* A lot of potentially backwards incompatible changes since 2.0.
* This version is NOT recommended to use in production. Some of the files and
documentation has been lost during export; this will be fixed in next
versions.
- Fix source URL
- Implement single-spec version
ImportantSUSE bug 1036025SUSE bug 1133277SUSE bug 1162343cpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for util-linux (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for util-linux fixes the following issues:
- CVE-2021-37600: Fixed an integer overflow which could lead to buffer overflow in get_sem_elements. (bsc#1188921)
- Prevent outdated pam files (bsc#1082293, bsc#1081947#c68).
- Do not trim read-only volumes (bsc#1106214).
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Reload issue only if it is really needed (bsc#1085196)
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- blockdev: Do not fail --report on kpartx-style partitions on multipath. (bsc#1168235)
- nologin: Add support for -c to prevent error from su -c. (bsc#1151708)
- Avoid triggering autofs in lookup_umount_fs_by_statfs. (bsc#1168389)
- libblkid: Do not trigger CDROM autoclose. (bsc#1084671)
- Avoid sulogin failing on not existing or not functional console devices. (bsc#1175514)
- Build with libudev support to support non-root users. (bsc#1169006)
- lscpu: avoid segfault on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
- Fix for warning on mounts to CIFS with mount. (SG#57988, bsc#1174942)
ModerateSUSE bug 1081947SUSE bug 1082293SUSE bug 1084671SUSE bug 1085196SUSE bug 1106214SUSE bug 1122417SUSE bug 1125886SUSE bug 1135534SUSE bug 1135708SUSE bug 1151708SUSE bug 1168235SUSE bug 1168389SUSE bug 1169006SUSE bug 1174942SUSE bug 1175514SUSE bug 1175623SUSE bug 1178236SUSE bug 1178554SUSE bug 1178825SUSE bug 1188921CVE-2021-37600 at SUSECVE-2021-37600 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for strongswan (Important)SUSE OpenStack Cloud Crowbar 8
This update for strongswan fixes the following issues:
- CVE-2021-41991: Fixed an integer overflow when replacing certificates in cache. (bsc#1191435)
ImportantSUSE bug 1191435CVE-2021-41991 at SUSECVE-2021-41991 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for postgresql10 (Important)SUSE OpenStack Cloud Crowbar 8
This update for postgresql10 fixes the following issues:
- Fix for build with llvm12 on s390x. (bsc#1185952)
- Re-enable 'icu' for PostgreSQL 10. (bsc#1179945)
- Add postgresqlXX-server-devel as a dependency for postgresql13-server-devel. (bsc#1187751)
- Upgrade to version 10.18. (bsc#1190177)
Upgrade to version 10.17 (already released for SUSE Linux Enterprise 12 SP5):
- CVE-2021-32027: Fixed integer overflows in array subscripting calculations (bsc#1185924).
- CVE-2021-32028: Fixed mishandling of junk columns in INSERT ... ON CONFLICT ... UPDATE target lists (bsc#1185925).
- Don't use %_stop_on_removal, because it was meant to be private and got removed from openSUSE. %_restart_on_update is also private, but still supported and needed for now (bsc#1183168).
- Re-enable build of the llvmjit subpackage on SLE, but it will only be delivered on PackageHub for now (bsc#1183118).
- Disable icu for PostgreSQL 10 (and older) on TW (bsc#1179945).
- Fixed an issue droping irregular warning messages by removing the package. (bsc#1178961)
- Fixed an issue when build does not build the requiements to avoid dangling symlinks in the devel package. (bsc#1179765)
- Fix recently-added timetz test case so it works when the USA is not observing daylight savings time.
ImportantSUSE bug 1178961SUSE bug 1179765SUSE bug 1179945SUSE bug 1183118SUSE bug 1183168SUSE bug 1185924SUSE bug 1185925SUSE bug 1185952SUSE bug 1187751SUSE bug 1190177CVE-2021-32027 at SUSECVE-2021-32027 at NVDCVE-2021-32028 at SUSECVE-2021-32028 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Recommended update for ardana-horizon, ardana-logging, ardana-monasca, ardana-mq, ardana-osconfig, crowbar-ha, crowbar-openstack, kibana, openstack-neutron, openstack-nova, python-Django, release-notes-suse-openstack-cloud, sleshammer, spark (Important)SUSE OpenStack Cloud Crowbar 8
This update for ardana-horizon, ardana-logging, ardana-monasca, ardana-mq, ardana-osconfig, crowbar-ha, crowbar-openstack, kibana, openstack-neutron, openstack-nova, python-Django, release-notes-suse-openstack-cloud, sleshammer, spark fixes the following issues:
Security fix from this update:
python-Django1
- CVE-2021-3281: Fixed a potential directory traversal when extracting
archives (bsc#1181379).
Changes in ardana-horizon_Update:
- Update to version 8.0+git.1610733160.0f577f4:
* Add Fix for logfile permissions (bsc#1179189)
Changes in ardana-logging_Update:
- Update to version 8.0+git.1610573640.452aed1:
* Remove some files from upgrade.yml (bsc#1179189)
Changes in ardana-monasca_Update:
- Update to version 8.0+git.1610740501.5dca121:
* Add Fix for logfile permissions (bsc#1179189)
Changes in ardana-mq_Update:
- Update to version 8.0+git.1605176800.52cccfa:
* Re-enable mirroring of fanout and reply queues (bsc#1177611)
Changes in ardana-osconfig_Update:
- Update to version 8.0+git.1610643571.91b88d6:
* Remove SLES-12-SP3-LTSS repos (bsc#1180916)
Changes in crowbar-ha:
- Update to version 5.0+git.1610564036.b75ee1b:
* [5.0] crowbar-pacemaker: Cluster member SSH key improvements
Changes in crowbar-openstack:
- Update to version 5.0+git.1610402513.08dca931e:
* neutron: Fix handling of networks with non-ascii names (SOC-11429)
- Update to version 5.0+git.1610372799.621afb999:
* keystone: fix keystone node lookup (SOC-11333, bsc#1164838)
Changes in kibana:
- Add 0001-Configurable-custom-response-headers-for-server.patch
(bsc#1171909, CVE-2020-10743)
- Added kibana.yml symlink (bsc#1048688, FATE#323204)
Changes in openstack-nova_Update:
- Update to version nova-16.1.9.dev78:
* [stable-only] Cap bandit to 1.6.2
Changes in python-Django_Update:
- Add CVE-2021-3281.patch (bsc#1181379, CVE-2021-3281)
* Fixes a potential directory traversal when extracting archives
Changes in release-notes-suse-openstack-cloud:
- Fix incorrect issue number for bsc#1179955
- Update to version 8.20201214:
* Add workaround for secure boot issue when shim package is updated. (bsc#1179955)
Changes in spark_Update:
- Add _constraints to prevent build from running out of disk space.
Changes in sleshammer:
- Really drop etc/udev/rules.d/70-persistent-net.rules from the overlay
it was still present in the tarball. (SOC-9288)
- added ruby2.1-rubygem-crowbar-client providing crowbarctl
ImportantSUSE bug 1048688SUSE bug 1164838SUSE bug 1177611SUSE bug 1179189SUSE bug 1179955SUSE bug 1180916SUSE bug 1181379CVE-2016-8611 at SUSECVE-2016-8611 at NVDCVE-2020-10743 at SUSECVE-2020-10743 at NVDCVE-2021-3281 at SUSECVE-2021-3281 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for opensc (Important)SUSE OpenStack Cloud Crowbar 8
This update for opensc fixes the following issues:
- CVE-2021-42780: Fixed use after return in insert_pin() (bsc#1192005).
- CVE-2021-42779: Fixed use after free in sc_file_valid() (bsc#1191992).
- CVE-2021-42781: Fixed multiple heap buffer overflows in pkcs15-oberthur.c (bsc#1192000).
- CVE-2021-42782: Stack buffer overflow issues in various places (bsc#1191957).
ImportantSUSE bug 1191957SUSE bug 1191992SUSE bug 1192000SUSE bug 1192005CVE-2021-42779 at SUSECVE-2021-42779 at NVDCVE-2021-42780 at SUSECVE-2021-42780 at NVDCVE-2021-42781 at SUSECVE-2021-42781 at NVDCVE-2021-42782 at SUSECVE-2021-42782 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for transfig (Important)SUSE OpenStack Cloud Crowbar 8
This update for transfig fixes the following issues:
Update to fig2dev version 3.2.8 Patchlevel 8b (Aug 2021)
- bsc#1190618, CVE-2020-21529: stack buffer overflow in the bezier_spline function in genepic.c.
- bsc#1190615, CVE-2020-21530: segmentation fault in the read_objects function in read.c.
- bsc#1190617, CVE-2020-21531: global buffer overflow in the conv_pattern_index function in gencgm.c.
- bsc#1190616, CVE-2020-21532: global buffer overflow in the setfigfont function in genepic.c.
- bsc#1190612, CVE-2020-21533: stack buffer overflow in the read_textobject function in read.c.
- bsc#1190611, CVE-2020-21534: global buffer overflow in the get_line function in read.c.
- bsc#1190607, CVE-2020-21535: segmentation fault in the gencgm_start function in gencgm.c.
- bsc#1192019, CVE-2021-32280: NULL pointer dereference in compute_closed_spline() in trans_spline.c
ImportantSUSE bug 1190607SUSE bug 1190611SUSE bug 1190612SUSE bug 1190615SUSE bug 1190616SUSE bug 1190617SUSE bug 1190618SUSE bug 1192019CVE-2020-21529 at SUSECVE-2020-21529 at NVDCVE-2020-21530 at SUSECVE-2020-21530 at NVDCVE-2020-21531 at SUSECVE-2020-21531 at NVDCVE-2020-21532 at SUSECVE-2020-21532 at NVDCVE-2020-21533 at SUSECVE-2020-21533 at NVDCVE-2020-21534 at SUSECVE-2020-21534 at NVDCVE-2020-21535 at SUSECVE-2020-21535 at NVDCVE-2021-32280 at SUSECVE-2021-32280 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for binutils (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for binutils fixes the following issues:
Update to binutils 2.37:
* The GNU Binutils sources now requires a C99 compiler and library to
build.
* Support for the arm-symbianelf format has been removed.
* Support for Realm Management Extension (RME) for AArch64 has been
added.
* A new linker option '-z report-relative-reloc' for x86 ELF targets
has been added to report dynamic relative relocations.
* A new linker option '-z start-stop-gc' has been added to disable
special treatment of __start_*/__stop_* references when
--gc-sections.
* A new linker options '-Bno-symbolic' has been added which will
cancel the '-Bsymbolic' and '-Bsymbolic-functions' options.
* The readelf tool has a new command line option which can be used to
specify how the numeric values of symbols are reported.
--sym-base=0|8|10|16 tells readelf to display the values in base 8,
base 10 or base 16. A sym base of 0 represents the default action
of displaying values under 10000 in base 10 and values above that in
base 16.
* A new format has been added to the nm program. Specifying
'--format=just-symbols' (or just using -j) will tell the program to
only display symbol names and nothing else.
* A new command line option '--keep-section-symbols' has been added to
objcopy and strip. This stops the removal of unused section symbols
when the file is copied. Removing these symbols saves space, but
sometimes they are needed by other tools.
* The '--weaken', '--weaken-symbol' and '--weaken-symbols' options
supported by objcopy now make undefined symbols weak on targets that
support weak symbols.
* Readelf and objdump can now display and use the contents of .debug_sup
sections.
* Readelf and objdump will now follow links to separate debug info
files by default. This behaviour can be stopped via the use of the
new '-wN' or '--debug-dump=no-follow-links' options for readelf and
the '-WN' or '--dwarf=no-follow-links' options for objdump. Also
the old behaviour can be restored by the use of the
'--enable-follow-debug-links=no' configure time option.
The semantics of the =follow-links option have also been slightly
changed. When enabled, the option allows for the loading of symbol
tables and string tables from the separate files which can be used
to enhance the information displayed when dumping other sections,
but it does not automatically imply that information from the
separate files should be displayed.
If other debug section display options are also enabled (eg
'--debug-dump=info') then the contents of matching sections in both
the main file and the separate debuginfo file *will* be displayed.
This is because in most cases the debug section will only be present
in one of the files.
If however non-debug section display options are enabled (eg
'--sections') then the contents of matching parts of the separate
debuginfo file will *not* be displayed. This is because in most
cases the user probably only wanted to load the symbol information
from the separate debuginfo file. In order to change this behaviour
a new command line option --process-links can be used. This will
allow di0pslay options to applied to both the main file and any
separate debuginfo files.
* Nm has a new command line option: '--quiet'. This suppresses 'no
symbols' diagnostic.
Update to binutils 2.36:
New features in the Assembler:
General:
* When setting the link order attribute of ELF sections, it is now
possible to use a numeric section index instead of symbol name.
* Added a .nop directive to generate a single no-op instruction in
a target neutral manner. This instruction does have an effect on
DWARF line number generation, if that is active.
* Removed --reduce-memory-overheads and --hash-size as gas now
uses hash tables that can be expand and shrink automatically.
X86/x86_64:
* Add support for AVX VNNI, HRESET, UINTR, TDX, AMX and Key
Locker instructions.
* Support non-absolute segment values for lcall and ljmp.
* Add {disp16} pseudo prefix to x86 assembler.
* Configure with --enable-x86-used-note by default for Linux/x86.
ARM/AArch64:
* Add support for Cortex-A78, Cortex-A78AE and Cortex-X1,
Cortex-R82, Neoverse V1, and Neoverse N2 cores.
* Add support for ETMv4 (Embedded Trace Macrocell), ETE (Embedded
Trace Extension), TRBE (Trace Buffer Extension), CSRE (Call
Stack Recorder Extension) and BRBE (Branch Record Buffer
Extension) system registers.
* Add support for Armv8-R and Armv8.7-A ISA extensions.
* Add support for DSB memory nXS barrier, WFET and WFIT
instruction for Armv8.7.
* Add support for +csre feature for -march. Add CSR PDEC
instruction for CSRE feature in AArch64.
* Add support for +flagm feature for -march in Armv8.4 AArch64.
* Add support for +ls64 feature for -march in Armv8.7
AArch64. Add atomic 64-byte load/store instructions for this
feature.
* Add support for +pauth (Pointer Authentication) feature for
-march in AArch64.
New features in the Linker:
* Add --error-handling-script=<NAME> command line option to allow
a helper script to be invoked when an undefined symbol or a
missing library is encountered. This option can be suppressed
via the configure time switch: --enable-error-handling-script=no.
* Add -z x86-64-{baseline|v[234]} to the x86 ELF linker to mark
x86-64-{baseline|v[234]} ISA level as needed.
* Add -z unique-symbol to avoid duplicated local symbol names.
* The creation of PE format DLLs now defaults to using a more
secure set of DLL characteristics.
* The linker now deduplicates the types in .ctf sections. The new
command-line option --ctf-share-types describes how to do this:
its default value, share-unconflicted, produces the most compact
output.
* The linker now omits the 'variable section' from .ctf sections
by default, saving space. This is almost certainly what you
want unless you are working on a project that has its own
analogue of symbol tables that are not reflected in the ELF
symtabs.
New features in other binary tools:
* The ar tool's previously unused l modifier is now used for
specifying dependencies of a static library. The arguments of
this option (or --record-libdeps long form option) will be
stored verbatim in the __.LIBDEP member of the archive, which
the linker may read at link time.
* Readelf can now display the contents of LTO symbol table
sections when asked to do so via the --lto-syms command line
option.
* Readelf now accepts the -C command line option to enable the
demangling of symbol names. In addition the --demangle=<style>,
--no-demangle, --recurse-limit and --no-recurse-limit options
are also now availale.
Update to binutils 2.35.1:
* This is a point release over the previous 2.35 version, containing bug
fixes, and as an exception to the usual rule, one new feature. The
new feature is the support for a new directive in the assembler:
'.nop'. This directive creates a single no-op instruction in whatever
encoding is correct for the target architecture. Unlike the .space or
.fill this is a real instruction, and it does affect the generation of
DWARF line number tables, should they be enabled.
Update to binutils 2.35:
* The assembler can now produce DWARF-5 format line number tables.
* Readelf now has a 'lint' mode to enable extra checks of the files it is processing.
* Readelf will now display '[...]' when it has to truncate a symbol name.
The old behaviour - of displaying as many characters as possible, up to
the 80 column limit - can be restored by the use of the --silent-truncation
option.
* The linker can now produce a dependency file listing the inputs that it
has processed, much like the -M -MP option supported by the compiler.
Update to binutils 2.34:
* The disassembler (objdump --disassemble) now has an option to
generate ascii art thats show the arcs between that start and end
points of control flow instructions.
* The binutils tools now have support for debuginfod. Debuginfod is a
HTTP service for distributing ELF/DWARF debugging information as
well as source code. The tools can now connect to debuginfod
servers in order to download debug information about the files that
they are processing.
* The assembler and linker now support the generation of ELF format
files for the Z80 architecture.
Update to binutils 2.33.1:
* Adds support for the Arm Scalable Vector Extension version 2
(SVE2) instructions, the Arm Transactional Memory Extension (TME)
instructions and the Armv8.1-M Mainline and M-profile Vector
Extension (MVE) instructions.
* Adds support for the Arm Cortex-A76AE, Cortex-A77 and Cortex-M35P
processors and the AArch64 Cortex-A34, Cortex-A65, Cortex-A65AE,
Cortex-A76AE, and Cortex-A77 processors.
* Adds a .float16 directive for both Arm and AArch64 to allow
encoding of 16-bit floating point literals.
* For MIPS, Add -m[no-]fix-loongson3-llsc option to fix (or not)
Loongson3 LLSC Errata. Add a --enable-mips-fix-loongson3-llsc=[yes|no]
configure time option to set the default behavior. Set the default
if the configure option is not used to 'no'.
* The Cortex-A53 Erratum 843419 workaround now supports a choice of
which workaround to use. The option --fix-cortex-a53-843419 now
takes an optional argument --fix-cortex-a53-843419[=full|adr|adrp]
which can be used to force a particular workaround to be used.
See --help for AArch64 for more details.
* Add support for GNU_PROPERTY_AARCH64_FEATURE_1_BTI and
GNU_PROPERTY_AARCH64_FEATURE_1_PAC in ELF GNU program properties
in the AArch64 ELF linker.
* Add -z force-bti for AArch64 to enable GNU_PROPERTY_AARCH64_FEATURE_1_BTI
on output while warning about missing GNU_PROPERTY_AARCH64_FEATURE_1_BTI
on inputs and use PLTs protected with BTI.
* Add -z pac-plt for AArch64 to pick PAC enabled PLTs.
* Add --source-comment[=<txt>] option to objdump which if present,
provides a prefix to source code lines displayed in a disassembly.
* Add --set-section-alignment <section-name>=<power-of-2-align>
option to objcopy to allow the changing of section alignments.
* Add --verilog-data-width option to objcopy for verilog targets to
control width of data elements in verilog hex format.
* The separate debug info file options of readelf (--debug-dump=links
and --debug-dump=follow) and objdump (--dwarf=links and
--dwarf=follow-links) will now display and/or follow multiple
links if more than one are present in a file. (This usually
happens when gcc's -gsplit-dwarf option is used).
In addition objdump's --dwarf=follow-links now also affects its
other display options, so that for example, when combined with
--syms it will cause the symbol tables in any linked debug info
files to also be displayed. In addition when combined with
--disassemble the --dwarf= follow-links option will ensure that
any symbol tables in the linked files are read and used when
disassembling code in the main file.
* Add support for dumping types encoded in the Compact Type Format
to objdump and readelf.
The following security fixes are addressed by the update:
- CVE-2021-20197: Fixed a race condition which allows users to own arbitrary files (bsc#1181452).
- CVE-2021-20284: Fixed a heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c (bsc#1183511).
- CVE-2021-3487: Fixed a denial of service via excessive debug section size causing excessive memory consumption in bfd's dwarf2.c read_section() (bsc#1184620).
- CVE-2020-35448: Fixed a heap-based buffer over-read in bfd_getl_signed_32() in libbfd.c (bsc#1184794).
- CVE-2020-16590: Fixed a double free vulnerability in process_symbol_table() (bsc#1179898).
- CVE-2020-16591: Fixed an invalid read in process_symbol_table() (bsc#1179899).
- CVE-2020-16592: Fixed an use-after-free in bfd_hash_lookup() (bsc#1179900).
- CVE-2020-16593: Fixed a null pointer dereference in scan_unit_for_symbols() (bsc#1179901).
- CVE-2020-16598: Fixed a null pointer dereference in debug_get_real_type() (bsc#1179902).
- CVE-2020-16599: Fixed a null pointer dereference in _bfd_elf_get_symbol_version_string() (bsc#1179903)
- CVE-2020-35493: Fixed heap-based buffer overflow in bfd_pef_parse_function_stubs function in bfd/pef.c via crafted PEF file (bsc#1180451).
- CVE-2020-35496: Fixed multiple null pointer dereferences in bfd module due to not checking return value of bfd_malloc (bsc#1180454).
- CVE-2020-35507: Fixed a null pointer dereference in bfd_pef_parse_function_stubs() (bsc#1180461).
- CVE-2019-17451: Fixed an integer overflow leading to a SEGV in _bfd_dwarf2_find_nearest_line() in dwarf2.c (bsc#1153768).
- CVE-2019-17450: Fixed a potential denial of service in find_abstract_instance() in dwarf2.c (bsc#1153770).
- CVE-2019-9077: Fixed a heap-based buffer overflow in process_mips_specific() in readelf.c via a malformed MIPS option section (bsc#1126826).
- CVE-2019-9075: Fixed a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap() in archive64.c (bsc#1126829).
- CVE-2019-9074: Fixed a out-of-bounds read leading to a SEGV in bfd_getl32() in libbfd.c (bsc#1126831).
- CVE-2019-12972: Fixed a heap-based buffer over-read in _bfd_doprnt() in bfd.c (bsc#1140126).
- CVE-2019-14444: Fixed an integer overflow apply_relocations() in readelf.c (bsc#1143609).
- CVE-2019-14250: Fixed an integer overflow in simple_object_elf_match() in simple-object-elf.c (bsc#1142649).
ModerateSUSE bug 1126826SUSE bug 1126829SUSE bug 1126831SUSE bug 1140126SUSE bug 1142649SUSE bug 1143609SUSE bug 1153768SUSE bug 1153770SUSE bug 1157755SUSE bug 1160254SUSE bug 1160590SUSE bug 1163333SUSE bug 1163744SUSE bug 1179036SUSE bug 1179341SUSE bug 1179898SUSE bug 1179899SUSE bug 1179900SUSE bug 1179901SUSE bug 1179902SUSE bug 1179903SUSE bug 1180451SUSE bug 1180454SUSE bug 1180461SUSE bug 1181452SUSE bug 1182252SUSE bug 1183511SUSE bug 1184620SUSE bug 1184794CVE-2019-12972 at SUSECVE-2019-12972 at NVDCVE-2019-14250 at SUSECVE-2019-14250 at NVDCVE-2019-14444 at SUSECVE-2019-14444 at NVDCVE-2019-17450 at SUSECVE-2019-17450 at NVDCVE-2019-17451 at SUSECVE-2019-17451 at NVDCVE-2019-9074 at SUSECVE-2019-9074 at NVDCVE-2019-9075 at SUSECVE-2019-9075 at NVDCVE-2019-9077 at SUSECVE-2019-9077 at NVDCVE-2020-16590 at SUSECVE-2020-16590 at NVDCVE-2020-16591 at SUSECVE-2020-16591 at NVDCVE-2020-16592 at SUSECVE-2020-16592 at NVDCVE-2020-16593 at SUSECVE-2020-16593 at NVDCVE-2020-16598 at SUSECVE-2020-16598 at NVDCVE-2020-16599 at SUSECVE-2020-16599 at NVDCVE-2020-35448 at SUSECVE-2020-35448 at NVDCVE-2020-35493 at SUSECVE-2020-35493 at NVDCVE-2020-35496 at SUSECVE-2020-35496 at NVDCVE-2020-35507 at SUSECVE-2020-35507 at NVDCVE-2021-20197 at SUSECVE-2021-20197 at NVDCVE-2021-20284 at SUSECVE-2021-20284 at NVDCVE-2021-3487 at SUSECVE-2021-3487 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for binutils (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for binutils fixes the following issues:
- For compatibility on old code stream that expect 'brcl 0,label' to
not be disassembled as 'jgnop label' on s390x. (bsc#1192267)
This reverts IBM zSeries HLASM support for now.
- Fixed that ppc64 optflags did not enable LTO (bsc#1188941).
- Fix empty man-pages from broken release tarball
- Fixed a memory corruption with rpath option (bsc#1191473).
- Fixed slow performance of stripping some binaries (bsc#1183909).
Security issue fixed:
- CVE-2021-20294: Fixed out-of-bounds write in print_dynamic_symbol in readelf (bnc#1184519)
ModerateSUSE bug 1183909SUSE bug 1184519SUSE bug 1188941SUSE bug 1191473SUSE bug 1192267CVE-2021-20294 at SUSECVE-2021-20294 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for pcre (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for pcre fixes the following issues:
Update pcre to version 8.45:
- CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
- CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973).
- CVE-2017-7244: Fixed invalid read in _pcre32_xclass() (bsc#1030807).
- CVE-2017-7245: Fixed buffer overflow in the pcre32_copy_substring (bsc#1030805).
- CVE-2017-7246: Fixed another buffer overflow in the pcre32_copy_substring (bsc#1030803).
- CVE-2017-7186: Fixed denial of service caused by an invalid Unicode property lookup (bsc#1030066).
- CVE-2017-6004: Fixed denial of service via crafted regular expression (bsc#1025709).
ModerateSUSE bug 1025709SUSE bug 1030066SUSE bug 1030803SUSE bug 1030805SUSE bug 1030807SUSE bug 1172973SUSE bug 1172974CVE-2017-6004 at SUSECVE-2017-6004 at NVDCVE-2017-7186 at SUSECVE-2017-7186 at NVDCVE-2017-7244 at SUSECVE-2017-7244 at NVDCVE-2017-7245 at SUSECVE-2017-7245 at NVDCVE-2017-7246 at SUSECVE-2017-7246 at NVDCVE-2019-20838 at SUSECVE-2019-20838 at NVDCVE-2020-14155 at SUSECVE-2020-14155 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for qemu (Important)SUSE OpenStack Cloud Crowbar 8
This update for qemu fixes the following issues:
Security issues fixed:
- Fix out-of-bounds write in UAS (USB Attached SCSI) device emulation (bsc#1189702, CVE-2021-3713)
- Fix heap use-after-free in virtio_net_receive_rcu (bsc#1189938, CVE-2021-3748)
ImportantSUSE bug 1189702SUSE bug 1189938CVE-2021-3713 at SUSECVE-2021-3713 at NVDCVE-2021-3748 at SUSECVE-2021-3748 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
MozillaFirefox was updated to Extended Support Release 91.3.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-49 (bsc#1192250)
* CVE-2021-38503: iframe sandbox rules did not apply to XSLT stylesheets
* CVE-2021-38504: Use-after-free in file picker dialog
* CVE-2021-38505: Windows 10 Cloud Clipboard may have recorded sensitive user data
* CVE-2021-38506: Firefox could be coaxed into going into fullscreen mode without notification or warning
* CVE-2021-38507: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports
* CVE-2021-38508: Permission Prompt could be overlaid, resulting in user confusion and potential spoofing
* CVE-2021-38509: Javascript alert box could have been spoofed onto an arbitrary domain
* CVE-2021-38510: Download Protections were bypassed by .inetloc files on Mac OS
* MOZ-2021-0008: Use-after-free in HTTP2 Session object
* MOZ-2021-0007: Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3
ImportantSUSE bug 1192250CVE-2021-38503 at SUSECVE-2021-38503 at NVDCVE-2021-38504 at SUSECVE-2021-38504 at NVDCVE-2021-38505 at SUSECVE-2021-38505 at NVDCVE-2021-38506 at SUSECVE-2021-38506 at NVDCVE-2021-38507 at SUSECVE-2021-38507 at NVDCVE-2021-38508 at SUSECVE-2021-38508 at NVDCVE-2021-38509 at SUSECVE-2021-38509 at NVDCVE-2021-38510 at SUSECVE-2021-38510 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ardana-ansible, ardana-monasca, documentation-suse-openstack-cloud, openstack-ec2-api, openstack-heat-templates, python-Django, python-monasca-common, rubygem-redcarpet, rubygem-puma (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for ardana-ansible, ardana-monasca, documentation-suse-openstack-cloud, openstack-ec2-api, openstack-heat-templates, python-Django, python-monasca-common, rubygem-redcarpet, rubygem-puma contains the following fixes:
Security fixes included in this update:
rubygem-redcarpet:
CVE-2020-26298: Fixed XSS via HTML escaping when processing quotes. (bsc#1180837)
rubygem-puma:
CVE-2021-41136: Fixed build of the Java state machine for parsing HTTP. (bsc#1191681)
Non-security fixes included in this update:
Changes in ardana-ansible:
* Patch service.py to skip blank lines.
Changes in ardana-monasca:
* Use specific TLS versions for monasca-thresh DB connections. (SOC-11543)
Changes in documentation-suse-openstack-cloud:
* CI: only run on DocBook/AsciiDoc paths, make upload fails nonfatal
* DC files: Update to 2021 stylesheets (#1327)
* CI: Use GitHub Actions
Changes in openstack-ec2-api:
* Remove jobs corresponds to obselete featuresets
* OpenDev Migration Patch
Changes in openstack-heat-templates:
* [ussuri][goal] Update contributor documentation
Changes in python-Django:
- Add missing dependency for CVE-2021-31542
Changes in python-monasca-common:
- Remove renderspec source service.
- Retry publish once on failures. (SOC-11543)
ModerateSUSE bug 1180837SUSE bug 1191681CVE-2020-26298 at SUSECVE-2020-26298 at NVDCVE-2021-41136 at SUSECVE-2021-41136 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for samba (Important)SUSE OpenStack Cloud Crowbar 8
This update for samba fixes the following issues:
- CVE-2016-2124: Fixed not to fallback to non spnego authentication if we require kerberos (bsc#1014440).
- CVE-2020-25717: Fixed privilege escalation inside an AD Domain where a user could become root on domain members (bsc#1192284).
ImportantSUSE bug 1014440SUSE bug 1192284CVE-2016-2124 at SUSECVE-2016-2124 at NVDCVE-2020-25717 at SUSECVE-2020-25717 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for postgresql, postgresql13, postgresql14 (Important)SUSE OpenStack Cloud Crowbar 8
This update for postgresql, postgresql13 and postgresql14 fixes the following issues:
Security issues fixed:
- CVE-2021-23214: Make the server reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
- CVE-2021-23222: Make libpq reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
This update also ships postgresql14 to SUSE Linux Enterprise 12 SP5. (jsc#SLE-22673)
On older service packs only libpq5 and libecpg6 are being replaced by the postgresql14 variants.
Feature changes in postgresql14:
- https://www.postgresql.org/about/news/postgresql-14-released-2318/
- https://www.postgresql.org/docs/14/release-14.html
ImportantSUSE bug 1192516CVE-2021-23214 at SUSECVE-2021-23214 at NVDCVE-2021-23222 at SUSECVE-2021-23222 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for postgresql96 (Important)SUSE OpenStack Cloud Crowbar 8
This update for postgresql96 fixes the following issues:
- CVE-2021-23214: Make the server reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
- CVE-2021-23222: Make libpq reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
ImportantSUSE bug 1192516CVE-2021-23214 at SUSECVE-2021-23214 at NVDCVE-2021-23222 at SUSECVE-2021-23222 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for postgresql10 (Important)SUSE OpenStack Cloud Crowbar 8
This update for postgresql10 fixes the following issues:
- CVE-2021-23214: Make the server reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
- CVE-2021-23222: Make libpq reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
ImportantSUSE bug 1192516CVE-2021-23214 at SUSECVE-2021-23214 at NVDCVE-2021-23222 at SUSECVE-2021-23222 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud Crowbar 8
This update for webkit2gtk3 fixes the following issues:
- CVE-2021-42762: Updated seccomp rules with latest changes from flatpak (bsc#1191937).
ImportantSUSE bug 1191937CVE-2021-42762 at SUSECVE-2021-42762 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_8_0-openjdk (Important)SUSE OpenStack Cloud Crowbar 8
This update for java-1_8_0-openjdk fixes the following issues:
Update to version OpenJDK 8u312 (October 2021 CPU):
- CVE-2021-35550: Fixed weak ciphers preferred over stronger ones for TLS (bsc#1191901).
- CVE-2021-35556: Fixed excessive memory allocation in RTFParser (bsc#1191910).
- CVE-2021-35559: Fixed excessive memory allocation in RTFReader (bsc#1191911).
- CVE-2021-35561: Fixed excessive memory allocation in HashMap and HashSet (bsc#1191912).
- CVE-2021-35564: Fixed certificates with end dates too far in the future can corrupt keystore (bsc#1191913).
- CVE-2021-35565: Fixed loop in HttpsServer triggered during TLS session close (bsc#1191909).
- CVE-2021-35567: Fixed incorrect principal selection when using Kerberos Constrained Delegation (bsc#1191903).
- CVE-2021-35578: Fixed unexpected exception raised during TLS handshake (bsc#1191904).
- CVE-2021-35586: Fixed excessive memory allocation in BMPImageReader (bsc#1191914).
- CVE-2021-35588: Fixed incomplete validation of inner class references in ClassFileParser (bsc#1191905)
- CVE-2021-35603: Fixed non-constant comparison during TLS handshakes (bsc#1191906).
ImportantSUSE bug 1191901SUSE bug 1191903SUSE bug 1191904SUSE bug 1191905SUSE bug 1191906SUSE bug 1191909SUSE bug 1191910SUSE bug 1191911SUSE bug 1191912SUSE bug 1191913SUSE bug 1191914CVE-2021-35550 at SUSECVE-2021-35550 at NVDCVE-2021-35556 at SUSECVE-2021-35556 at NVDCVE-2021-35559 at SUSECVE-2021-35559 at NVDCVE-2021-35561 at SUSECVE-2021-35561 at NVDCVE-2021-35564 at SUSECVE-2021-35564 at NVDCVE-2021-35565 at SUSECVE-2021-35565 at NVDCVE-2021-35567 at SUSECVE-2021-35567 at NVDCVE-2021-35578 at SUSECVE-2021-35578 at NVDCVE-2021-35586 at SUSECVE-2021-35586 at NVDCVE-2021-35588 at SUSECVE-2021-35588 at NVDCVE-2021-35603 at SUSECVE-2021-35603 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_7_0-openjdk (Important)SUSE OpenStack Cloud Crowbar 8
This update for java-1_7_0-openjdk fixes the following issues:
Update to OpenJDK 7u321 (October 2021 CPU):
- CVE-2021-35550: Fixed weak ciphers preferred over stronger ones for TLS (bsc#1191901).
- CVE-2021-35556: Fixed excessive memory allocation in RTFParser (bsc#1191910).
- CVE-2021-35559: Fixed excessive memory allocation in RTFReader (bsc#1191911).
- CVE-2021-35561: Fixed excessive memory allocation in HashMap and HashSet (bsc#1191912).
- CVE-2021-35564: Fixed certificates with end dates too far in the future can corrupt keystore (bsc#1191913).
- CVE-2021-35565: Fixed loop in HttpsServer triggered during TLS session close (bsc#1191909).
- CVE-2021-35586: Fixed excessive memory allocation in BMPImageReader (bsc#1191914).
- CVE-2021-35588: Fixed incomplete validation of inner class references in ClassFileParser (bsc#1191905)
- CVE-2021-35603: Fixed non-constant comparison during TLS handshakes (bsc#1191906).
ImportantSUSE bug 1191901SUSE bug 1191905SUSE bug 1191906SUSE bug 1191909SUSE bug 1191910SUSE bug 1191911SUSE bug 1191912SUSE bug 1191913SUSE bug 1191914CVE-2021-35550 at SUSECVE-2021-35550 at NVDCVE-2021-35556 at SUSECVE-2021-35556 at NVDCVE-2021-35559 at SUSECVE-2021-35559 at NVDCVE-2021-35561 at SUSECVE-2021-35561 at NVDCVE-2021-35564 at SUSECVE-2021-35564 at NVDCVE-2021-35565 at SUSECVE-2021-35565 at NVDCVE-2021-35586 at SUSECVE-2021-35586 at NVDCVE-2021-35588 at SUSECVE-2021-35588 at NVDCVE-2021-35603 at SUSECVE-2021-35603 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ruby2.1 (Important)SUSE OpenStack Cloud Crowbar 8
This update for ruby2.1 fixes the following issues:
- CVE-2020-25613: Fixed potential HTTP request smuggling in WEBrick (bsc#1177125).
- CVE-2021-31799: Fixed Command injection vulnerability in RDoc (bsc#1190375).
- CVE-2021-31810: Fixed trusting FTP PASV responses vulnerability in Net:FTP (bsc#1188161).
- CVE-2021-32066: Fixed StartTLS stripping vulnerability in Net:IMAP (bsc#1188160).
ImportantSUSE bug 1177125SUSE bug 1188160SUSE bug 1188161SUSE bug 1190375CVE-2020-25613 at SUSECVE-2020-25613 at NVDCVE-2021-31799 at SUSECVE-2021-31799 at NVDCVE-2021-31810 at SUSECVE-2021-31810 at NVDCVE-2021-32066 at SUSECVE-2021-32066 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for xen (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for xen fixes the following issues:
- CVE-2021-28704, CVE-2021-28707, CVE-2021-28708: Fixed PoD operations on misaligned GFNs (XSA-388) (bsc#1192557).
- CVE-2021-28705, CVE-2021-28709: Fixed issues with partially successful P2M updates on x86 (XSA-389) (bsc#1192559).
- CVE-2021-28706: Fixed guests may exceed their designated memory limit (XSA-385) (bsc#1192554).
ModerateSUSE bug 1192554SUSE bug 1192557SUSE bug 1192559CVE-2021-28704 at SUSECVE-2021-28704 at NVDCVE-2021-28705 at SUSECVE-2021-28705 at NVDCVE-2021-28706 at SUSECVE-2021-28706 at NVDCVE-2021-28707 at SUSECVE-2021-28707 at NVDCVE-2021-28708 at SUSECVE-2021-28708 at NVDCVE-2021-28709 at SUSECVE-2021-28709 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for clamav (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for clamav fixes the following issues:
- CVE-2018-14679: Fixed off-by-one issue in embedded libmspack that could lead to denial of service (bsc#1103032).
- Update to 0.103.4 (bsc#1192346).
- Update to 0.103.3 (bsc#1188284).
ModerateSUSE bug 1103032SUSE bug 1188284SUSE bug 1192346CVE-2018-14679 at SUSECVE-2018-14679 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud Crowbar 8
This update for webkit2gtk3 fixes the following issues:
- CVE-2021-30846: Fixed memory corruption issue that could lead to arbitrary code execution when processing maliciously crafted web content (bsc#1192063).
- CVE-2021-30851: Fixed memory corruption vulnerability that could lead to arbitrary code execution when processing maliciously crafted web content (bsc#1192063).
ImportantSUSE bug 1192063CVE-2021-30846 at SUSECVE-2021-30846 at NVDCVE-2021-30851 at SUSECVE-2021-30851 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud Crowbar 8
The SUSE Linux Enterprise 12 SP3 LTSS kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- Unprivileged BPF has been disabled by default to reduce attack surface as too many security issues have happened in the past (jsc#SLE-22573)
You can reenable via systemctl setting /proc/sys/kernel/unprivileged_bpf_disabled to 0. (kernel.unprivileged_bpf_disabled = 0)
- CVE-2021-31916: An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel A bound check failure allowed an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability (bnc#1192781).
- CVE-2021-20322: Make the ipv4 and ipv6 ICMP exception caches less predictive to avoid information leaks about UDP ports in use. (bsc#1191790)
- CVE-2021-34981: Fixed file refcounting in cmtp when cmtp_attach_device fails (bsc#1191961).
- CVE-2020-12655: An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c. Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka CID-d0c7feaf8767 (bnc#1171217).
- CVE-2021-43389: There was an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c (bnc#1191958).
- CVE-2021-37159: hso_free_net_device in drivers/net/usb/hso.c called unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free (bnc#1188601).
- CVE-2021-34556: An unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects the possibility of uninitialized memory locations on the BPF stack (bnc#1188983).
- CVE-2021-35477: An unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store operation did not necessarily occur before a store operation that has an attacker-controlled value (bnc#1188985).
- CVE-2017-17862: kernel/bpf/verifier.c in the Linux kernel ignores unreachable code, even though it would still be processed by JIT compilers. This behavior, also considered an improper branch-pruning logic issue, could possibly be used by local users for denial of service (bnc#1073928).
- CVE-2017-17864: kernel/bpf/verifier.c in the Linux kernel mishandled states_equal comparisons between the pointer data type and the UNKNOWN_VALUE data type, which allowed local users to obtain potentially sensitive address information, aka a 'pointer leak (bnc#1073928).
- CVE-2021-20265: A flaw was found in the way memory resources were freed in the unix_stream_recvmsg function in the Linux kernel when a signal was pending. This flaw allowed an unprivileged local user to crash the system by exhausting available memory. The highest threat from this vulnerability is to system availability (bnc#1183089).
- CVE-2021-3772: Fixed sctp vtag check in sctp_sf_ootb (bsc#1190351).
- CVE-2021-3655: Missing size validations on inbound SCTP packets may have allowed the kernel to read uninitialized memory (bnc#1188563).
- CVE-2018-13405: The inode_init_owner function in fs/inode.c in the Linux kernel allowed local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID (bnc#1100416 bnc#1129735).
- CVE-2021-3760: Fixed a use-after-free vulnerability with the ndev->rf_conn_info object (bsc#1190067).
- CVE-2021-42739: The firewire subsystem in the Linux kernel has a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandled bounds checking (bnc#1184673).
- CVE-2021-3542: Fixed heap buffer overflow in firedtv driver (bsc#1186063).
- CVE-2021-33033: The Linux kernel has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value (bnc#1186109 bnc#1186390 bnc#1188876).
- CVE-2020-14305: An out-of-bounds memory write flaw was found in how the Linux kernel’s Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allowed an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability (bnc#1173346).
- CVE-2021-3715: Fixed a use-after-free in route4_change() in net/sched/cls_route.c (bsc#1190349).
- CVE-2021-3896: Fixed a array-index-out-bounds in detach_capi_ctr in drivers/isdn/capi/kcapi.c (bsc#1191958).
- CVE-2021-42008: The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access (bnc#1191315).
- CVE-2020-3702: Specifically timed and handcrafted traffic can cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic (bnc#1191193).
- CVE-2021-3752: Fixed a use after free vulnerability in the Linux kernel's bluetooth module. (bsc#1190023)
- CVE-2021-40490: A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel (bnc#1190159 bnc#1192775)
- CVE-2021-3640: Fixed a Use-After-Free vulnerability in function sco_sock_sendmsg() in the bluetooth stack (bsc#1188172).
- CVE-2021-38160: Data corruption or loss could be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190117)
- CVE-2021-3753: Fixed race out-of-bounds in virtual terminal handling (bsc#1190025).
- CVE-2021-3732: Mounting overlayfs inside an unprivileged user namespace can reveal files (bsc#1189706).
- CVE-2021-3653: A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the 'int_ctl' field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7 (bnc#1189399 bnc#1189420).
- CVE-2021-38198: arch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault (bnc#1189262 bnc#1189278).
- CVE-2021-38204: drivers/usb/host/max3421-hcd.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain situations (bnc#1189291).
- CVE-2021-3679: A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service (bnc#1189057).
- CVE-2018-16882: A use-after-free issue was found in the way the Linux kernel's KVM hypervisor processed posted interrupts when nested(=1) virtualization is enabled. In nested_get_vmcs12_pages(), in case of an error while processing posted interrupt address, it unmaps the 'pi_desc_page' without resetting 'pi_desc' descriptor address, which is later used in pi_test_and_clear_on(). A guest user/process could use this flaw to crash the host kernel resulting in DoS or potentially gain privileged access to a system. Kernel versions and are vulnerable (bnc#1119934).
- CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1176724).
- CVE-2020-4788: IBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors could allow a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances. IBM X-Force ID: 189296 (bnc#1177666 bnc#1181158).
- CVE-2021-3659: Fixed a NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (bsc#1188876).
- CVE-2021-37576: arch/powerpc/kvm/book3s_rtas.c in the Linux kernel on the powerpc platform allowed KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e (bnc#1188838).
The following non-security bugs were fixed:
- PCI: hv: Use expected affinity when unmasking IRQ (bsc#1185973).
- SUNRPC: improve error response to over-size gss credential (bsc#1190022).
- Update config files: Add CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
- blacklist.conf: Drop a line that was added by mistake
- bpf: Add kconfig knob for disabling unpriv bpf by default (jsc#SLE-22918)
- bpf: Disallow unprivileged bpf by default (jsc#SLE-22918).
- bpf: properly enforce index mask to prevent out-of-bounds speculation (bsc#1098425).
- config: disable unprivileged BPF by default (jsc#SLE-22918)
- cpufreq: intel_pstate: Add Icelake servers support in no-HWP mode (bsc#1185758,bsc#1192400).
- ftrace: Fix scripts/recordmcount.pl due to new binutils (bsc#1192267).
- hv: mana: adjust mana_select_queue to old API (jsc#SLE-18779, bsc#1185727).
- hv: mana: declare vzalloc (jsc#SLE-18779, bsc#1185726).
- hv: mana: fake bitmap API (jsc#SLE-18779, bsc#1185726).
- hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185727).
- kABI: protect struct bpf_map (kabi).
- mm: replace open coded page to virt conversion with page_to_virt() (jsc#SLE-18779, bsc#1185727).
- net/mlx4_en: Avoid scheduling restart task if it is already running (bsc#1181854 bsc#1181855).
- net/mlx4_en: Handle TX error CQE (bsc#1181854 bsc#1181855).
- net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185727).
- net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185727).
- net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185727).
- net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185727).
- net: mana: Fix error handling in mana_create_rxq() (git-fixes, bsc#1191801).
- net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185727).
- net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185727).
- net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185727).
- net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185727).
- net: sched: sch_teql: fix null-pointer dereference (bsc#1190717).
- s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant (bsc#1190601).
- s390/bpf: Fix branch shortening during codegen pass (bsc#1190601).
- s390/bpf: Fix optimizing out zero-extensions (bsc#1190601).
- s390/bpf: Wrap JIT macro parameter usages in parentheses (bsc#1190601).
- s390: bpf: implement jitting of BPF_ALU | BPF_ARSH | BPF_* (bsc#1190601).
- scsi: sg: add sg_remove_request in sg_write (bsc#1171420 CVE2020-12770).
- sctp: check asoc peer.asconf_capable before processing asconf (bsc#1190351).
- sctp: fully initialize v4 addr in some functions (bsc#1188563).
- sctp: simplify addr copy (bsc#1188563).
- x86/CPU: Add more Icelake model numbers (bsc#1185758,bsc#1192400).
- x86/tlb: Flush global mappings when KAISER is disabled (bsc#1190194).
ImportantSUSE bug 1073928SUSE bug 1098425SUSE bug 1100416SUSE bug 1119934SUSE bug 1129735SUSE bug 1171217SUSE bug 1171420SUSE bug 1173346SUSE bug 1176724SUSE bug 1177666SUSE bug 1181158SUSE bug 1181854SUSE bug 1181855SUSE bug 1183089SUSE bug 1184673SUSE bug 1185726SUSE bug 1185727SUSE bug 1185758SUSE bug 1185973SUSE bug 1186109SUSE bug 1186390SUSE bug 1188172SUSE bug 1188563SUSE bug 1188601SUSE bug 1188838SUSE bug 1188876SUSE bug 1188983SUSE bug 1188985SUSE bug 1189057SUSE bug 1189262SUSE bug 1189278SUSE bug 1189291SUSE bug 1189399SUSE bug 1189420SUSE bug 1189706SUSE bug 1190022SUSE bug 1190023SUSE bug 1190025SUSE bug 1190067SUSE bug 1190117SUSE bug 1190159SUSE bug 1190194SUSE bug 1190349SUSE bug 1190351SUSE bug 1190601SUSE bug 1190717SUSE bug 1191193SUSE bug 1191315SUSE bug 1191790SUSE bug 1191801SUSE bug 1191958SUSE bug 1191961SUSE bug 1192267SUSE bug 1192400SUSE bug 1192775SUSE bug 1192781CVE-2017-17862 at SUSECVE-2017-17862 at NVDCVE-2017-17864 at SUSECVE-2017-17864 at NVDCVE-2018-13405 at SUSECVE-2018-13405 at NVDCVE-2018-16882 at SUSECVE-2018-16882 at NVDCVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2020-12655 at SUSECVE-2020-12655 at NVDCVE-2020-14305 at SUSECVE-2020-14305 at NVDCVE-2020-3702 at SUSECVE-2020-3702 at NVDCVE-2020-4788 at SUSECVE-2020-4788 at NVDCVE-2021-20265 at SUSECVE-2021-20265 at NVDCVE-2021-20322 at SUSECVE-2021-20322 at NVDCVE-2021-31916 at SUSECVE-2021-31916 at NVDCVE-2021-33033 at SUSECVE-2021-33033 at NVDCVE-2021-34556 at SUSECVE-2021-34556 at NVDCVE-2021-34981 at SUSECVE-2021-34981 at NVDCVE-2021-3542 at SUSECVE-2021-3542 at NVDCVE-2021-35477 at SUSECVE-2021-35477 at NVDCVE-2021-3640 at SUSECVE-2021-3640 at NVDCVE-2021-3653 at SUSECVE-2021-3653 at NVDCVE-2021-3655 at SUSECVE-2021-3655 at NVDCVE-2021-3659 at SUSECVE-2021-3659 at NVDCVE-2021-3679 at SUSECVE-2021-3679 at NVDCVE-2021-3715 at SUSECVE-2021-3715 at NVDCVE-2021-37159 at SUSECVE-2021-37159 at NVDCVE-2021-3732 at SUSECVE-2021-3732 at NVDCVE-2021-3752 at SUSECVE-2021-3752 at NVDCVE-2021-3753 at SUSECVE-2021-3753 at NVDCVE-2021-37576 at SUSECVE-2021-37576 at NVDCVE-2021-3760 at SUSECVE-2021-3760 at NVDCVE-2021-3772 at SUSECVE-2021-3772 at NVDCVE-2021-38160 at SUSECVE-2021-38160 at NVDCVE-2021-38198 at SUSECVE-2021-38198 at NVDCVE-2021-38204 at SUSECVE-2021-38204 at NVDCVE-2021-3896 at SUSECVE-2021-3896 at NVDCVE-2021-40490 at SUSECVE-2021-40490 at NVDCVE-2021-42008 at SUSECVE-2021-42008 at NVDCVE-2021-42739 at SUSECVE-2021-42739 at NVDCVE-2021-43389 at SUSECVE-2021-43389 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for mozilla-nss (Important)SUSE OpenStack Cloud Crowbar 8
This update for mozilla-nss fixes the following issues:
Update to version 3.68.1:
- CVE-2021-43527: Fixed a Heap overflow in NSS when verifying DER-encoded DSA or RSA-PSS signatures (bsc#1193170).
ImportantSUSE bug 1193170CVE-2021-43527 at SUSECVE-2021-43527 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openssh (Important)SUSE OpenStack Cloud Crowbar 8
This update for openssh fixes the following issues:
- CVE-2021-41617: Fixed privilege escalation when AuthorizedKeysCommand/AuthorizedPrincipalsCommand are configured (bsc#1190975).
ImportantSUSE bug 1190975CVE-2021-41617 at SUSECVE-2021-41617 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
Update to Extended Support Release 91.4.0 (bsc#1193485):
- CVE-2021-43536: URL leakage when navigating while executing asynchronous function
- CVE-2021-43537: Heap buffer overflow when using structured clone
- CVE-2021-43538: Missing fullscreen and pointer lock notification when requesting both
- CVE-2021-43539: GC rooting failure when calling wasm instance methods
- CVE-2021-43541: External protocol handler parameters were unescaped
- CVE-2021-43542: XMLHttpRequest error codes could have leaked the existence of an external protocol handler
- CVE-2021-43543: Bypass of CSP sandbox directive when embedding
- CVE-2021-43545: Denial of Service when using the Location API in a loop
- CVE-2021-43546: Cursor spoofing could overlay user interface when native cursor is zoomed
- Memory safety bugs fixed in Firefox 95 and Firefox ESR 91.4
- Removed x-scheme-handler/ftp from MozillaFirefox.desktop (bsc#1193321)
ImportantSUSE bug 1193321SUSE bug 1193485CVE-2021-43536 at SUSECVE-2021-43536 at NVDCVE-2021-43537 at SUSECVE-2021-43537 at NVDCVE-2021-43538 at SUSECVE-2021-43538 at NVDCVE-2021-43539 at SUSECVE-2021-43539 at NVDCVE-2021-43541 at SUSECVE-2021-43541 at NVDCVE-2021-43542 at SUSECVE-2021-43542 at NVDCVE-2021-43543 at SUSECVE-2021-43543 at NVDCVE-2021-43545 at SUSECVE-2021-43545 at NVDCVE-2021-43546 at SUSECVE-2021-43546 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for glib-networking (Important)SUSE OpenStack Cloud Crowbar 8
This update for glib-networking fixes the following issues:
- CVE-2020-13645: Fixed a connection failure when the server identity is unset (bsc#1172460).
ImportantSUSE bug 1172460CVE-2020-13645 at SUSECVE-2020-13645 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for xorg-x11-server (Important)SUSE OpenStack Cloud Crowbar 8
This update for xorg-x11-server fixes the following issues:
- CVE-2021-4008: Fixed Privilege Escalation Vulnerability via Out-Of-Bounds Access in SProcRenderCompositeGlyphs (bsc#1193030).
ImportantSUSE bug 1193030CVE-2021-4008 at SUSECVE-2021-4008 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for storm (Critical)SUSE OpenStack Cloud Crowbar 8
This update for storm fixes the following issues:
- Remove JndiLookup from log4j 2.x jars during build to prevent 'log4shell' code injection. (bsc#1193641, bsc#1193611, CVE-2021-44228)
- Remove JMSAppender from log4j 1.2.x jars during build to prevent attacks when JMS is enabled (bsc#1193641, bsc#1193662, CVE-2021-4104)
CriticalSUSE bug 1193611SUSE bug 1193641SUSE bug 1193662CVE-2021-4104 at SUSECVE-2021-4104 at NVDCVE-2021-44228 at SUSECVE-2021-44228 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for log4j (Important)SUSE OpenStack Cloud Crowbar 8
This update for log4j fixes the following issue:
- CVE-2021-4104: Disable the JMSAppender class from log4j to protect against
the log4jshell vulnerability. [bsc#1193662]
ImportantSUSE bug 1193662CVE-2021-4104 at SUSECVE-2021-4104 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for xorg-x11-server (Important)SUSE OpenStack Cloud Crowbar 8
This update for xorg-x11-server fixes the following issues:
- CVE-2021-4009: The handler for the CreatePointerBarrier request of the XFixes
extension does not properly validate the request length leading to out of
bounds memory write. (bsc#1190487)
- CVE-2021-4011: The handlers for the RecordCreateContext and RecordRegisterClients
requests of the Record extension do not properly validate the request
length leading to out of bounds memory write. (bsc#1190489)
ImportantSUSE bug 1190487SUSE bug 1190489CVE-2021-4009 at SUSECVE-2021-4009 at NVDCVE-2021-4011 at SUSECVE-2021-4011 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Recommended update for samba (Important)SUSE OpenStack Cloud Crowbar 8
This update for samba fixes the following issues:
The username map advice from the CVE-2020-25717 advisory
note has undesired side effects for the local nt token. Fallback
to a SID/UID based mapping if the name based lookup fails (bsc#1192849).
ImportantSUSE bug 1192849CVE-2020-25717 at SUSECVE-2020-25717 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for chrony (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for chrony fixes the following issues:
Chrony was updated to 4.1:
* Add support for NTS servers specified by IP address (matching
Subject Alternative Name in server certificate)
* Add source-specific configuration of trusted certificates
* Allow multiple files and directories with trusted certificates
* Allow multiple pairs of server keys and certificates
* Add copy option to server/pool directive
* Increase PPS lock limit to 40% of pulse interval
* Perform source selection immediately after loading dump files
* Reload dump files for addresses negotiated by NTS-KE server
* Update seccomp filter and add less restrictive level
* Restart ongoing name resolution on online command
* Fix dump files to not include uncorrected offset
* Fix initstepslew to accept time from own NTP clients
* Reset NTP address and port when no longer negotiated by NTS-KE
server
- Update clknetsim to snapshot f89702d.
- Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689).
- Enable syscallfilter unconditionally (bsc#1181826).
Chrony was updated to 4.0:
Enhancements
- Add support for Network Time Security (NTS) authentication
- Add support for AES-CMAC keys (AES128, AES256) with Nettle
- Add authselectmode directive to control selection of
unauthenticated sources
- Add binddevice, bindacqdevice, bindcmddevice directives
- Add confdir directive to better support fragmented
configuration
- Add sourcedir directive and 'reload sources' command to
support dynamic NTP sources specified in files
- Add clockprecision directive
- Add dscp directive to set Differentiated Services Code Point
(DSCP)
- Add -L option to limit log messages by severity
- Add -p option to print whole configuration with included
files
- Add -U option to allow start under non-root user
- Allow maxsamples to be set to 1 for faster update with -q/-Q
option
- Avoid replacing NTP sources with sources that have
unreachable address
- Improve pools to repeat name resolution to get 'maxsources'
sources
- Improve source selection with trusted sources
- Improve NTP loop test to prevent synchronisation to itself
- Repeat iburst when NTP source is switched from offline state
to online
- Update clock synchronisation status and leap status more
frequently
- Update seccomp filter
- Add 'add pool' command
- Add 'reset sources' command to drop all measurements
- Add authdata command to print details about NTP
authentication
- Add selectdata command to print details about source
selection
- Add -N option and sourcename command to print original names
of sources
- Add -a option to some commands to print also unresolved
sources
- Add -k, -p, -r options to clients command to select, limit,
reset data
- Bug fixes
- Don’t set interface for NTP responses to allow asymmetric
routing
- Handle RTCs that don’t support interrupts
- Respond to command requests with correct address on
multihomed hosts
- Removed features
- Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
- Drop support for long (non-standard) MACs in NTPv4 packets
(chrony 2.x clients using non-MD5/SHA1 keys need to use
option 'version 3')
- By default we don't write log files but log to journald, so
only recommend logrotate.
- Adjust and rename the sysconfig file, so that it matches the
expectations of chronyd.service (bsc#1173277).
Chrony was updated to 3.5.1:
* Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)
- Add chrony-pool-suse and chrony-pool-openSUSE subpackages that
preconfigure chrony to use NTP servers from the respective
pools for SUSE and openSUSE (bsc#1156884, SLE-11424).
- Add chrony-pool-empty to still allow installing chrony without
preconfigured servers.
- Use iburst in the default pool statements to speed up initial
synchronisation (bsc#1172113).
- Update clknetsim to version 79ffe44 (fixes bsc#1162964).
Update to 3.5:
+ Add support for more accurate reading of PHC on Linux 5.0
+ Add support for hardware timestamping on interfaces with read-only timestamping configuration
+ Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
+ Update seccomp filter to work on more architectures
+ Validate refclock driver options
+ Fix bindaddress directive on FreeBSD
+ Fix transposition of hardware RX timestamp on Linux 4.13 and later
+ Fix building on non-glibc systems
- Fix location of helper script in chrony-dnssrv@.service (bsc#1128846).
- Read runtime servers from /var/run/netconfig/chrony.servers (bsc#1099272)
- Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share.
- Remove discrepancies between spec file and chrony-tmpfiles (bsc#1115529)
Update to version 3.4
* Enhancements
+ Add filter option to server/pool/peer directive
+ Add minsamples and maxsamples options to hwtimestamp directive
+ Add support for faster frequency adjustments in Linux 4.19
+ Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd
without root privileges to remove it on exit
+ Disable sub-second polling intervals for distant NTP sources
+ Extend range of supported sub-second polling intervals
+ Get/set IPv4 destination/source address of NTP packets on FreeBSD
+ Make burst options and command useful with short polling intervals
+ Modify auto_offline option to activate when sending request failed
+ Respond from interface that received NTP request if possible
+ Add onoffline command to switch between online and offline state
according to current system network configuration
+ Improve example NetworkManager dispatcher script
* Bug fixes
+ Avoid waiting in Linux getrandom system call
+ Fix PPS support on FreeBSD and NetBSD
Update to version 3.3
* Enhancements:
+ Add burst option to server/pool directive
+ Add stratum and tai options to refclock directive
+ Add support for Nettle crypto library
+ Add workaround for missing kernel receive timestamps on Linux
+ Wait for late hardware transmit timestamps
+ Improve source selection with unreachable sources
+ Improve protection against replay attacks on symmetric mode
+ Allow PHC refclock to use socket in /var/run/chrony
+ Add shutdown command to stop chronyd
+ Simplify format of response to manual list command
+ Improve handling of unknown responses in chronyc
* Bug fixes:
+ Respond to NTPv1 client requests with zero mode
+ Fix -x option to not require CAP_SYS_TIME under non-root user
+ Fix acquisitionport directive to work with privilege separation
+ Fix handling of socket errors on Linux to avoid high CPU usage
+ Fix chronyc to not get stuck in infinite loop after clock step
- Added /etc/chrony.d/ directory to the package (bsc#1083597) Modifed default chrony.conf to add 'include /etc/chrony.d/*'
- Enable pps support
Upgraded to version 3.2:
Enhancements
* Improve stability with NTP sources and reference clocks
* Improve stability with hardware timestamping
* Improve support for NTP interleaved modes
* Control frequency of system clock on macOS 10.13 and later
* Set TAI-UTC offset of system clock with leapsectz directive
* Minimise data in client requests to improve privacy
* Allow transmit-only hardware timestamping
* Add support for new timestamping options introduced in Linux 4.13
* Add root delay, root dispersion and maximum error to tracking log
* Add mindelay and asymmetry options to server/peer/pool directive
* Add extpps option to PHC refclock to timestamp external PPS signal
* Add pps option to refclock directive to treat any refclock as PPS
* Add width option to refclock directive to filter wrong pulse edges
* Add rxfilter option to hwtimestamp directive
* Add -x option to disable control of system clock
* Add -l option to log to specified file instead of syslog
* Allow multiple command-line options to be specified together
* Allow starting without root privileges with -Q option
* Update seccomp filter for new glibc versions
* Dump history on exit by default with dumpdir directive
* Use hardening compiler options by default
Bug fixes
* Don't drop PHC samples with low-resolution system clock
* Ignore outliers in PHC tracking, RTC tracking, manual input
* Increase polling interval when peer is not responding
* Exit with error message when include directive fails
* Don't allow slash after hostname in allow/deny directive/command
* Try to connect to all addresses in chronyc before giving up
Upgraded to version 3.1:
- Enhancements
- Add support for precise cross timestamping of PHC on Linux
- Add minpoll, precision, nocrossts options to hwtimestamp directive
- Add rawmeasurements option to log directive and modify measurements
option to log only valid measurements from synchronised sources
- Allow sub-second polling interval with NTP sources
- Bug fixes
- Fix time smoothing in interleaved mode
Upgraded to version 3.0:
- Enhancements
- Add support for software and hardware timestamping on Linux
- Add support for client/server and symmetric interleaved modes
- Add support for MS-SNTP authentication in Samba
- Add support for truncated MACs in NTPv4 packets
- Estimate and correct for asymmetric network jitter
- Increase default minsamples and polltarget to improve stability with very low jitter
- Add maxjitter directive to limit source selection by jitter
- Add offset option to server/pool/peer directive
- Add maxlockage option to refclock directive
- Add -t option to chronyd to exit after specified time
- Add partial protection against replay attacks on symmetric mode
- Don't reset polling interval when switching sources to online state
- Allow rate limiting with very short intervals
- Improve maximum server throughput on Linux and NetBSD
- Remove dump files after start
- Add tab-completion to chronyc with libedit/readline
- Add ntpdata command to print details about NTP measurements
- Allow all source options to be set in add server/peer command
- Indicate truncated addresses/hostnames in chronyc output
- Print reference IDs as hexadecimal numbers to avoid confusion with IPv4 addresses
- Bug fixes
- Fix crash with disabled asynchronous name resolving
Upgraded to version 2.4.1:
- Bug fixes
- Fix processing of kernel timestamps on non-Linux systems
- Fix crash with smoothtime directive
- Fix validation of refclock sample times
- Fix parsing of refclock directive
update to 2.4:
- Enhancements
- Add orphan option to local directive for orphan mode
compatible with ntpd
- Add distance option to local directive to set activation
threshold (1 second by default)
- Add maxdrift directive to set maximum allowed drift of system
clock
- Try to replace NTP sources exceeding maximum distance
- Randomise source replacement to avoid getting stuck with bad
sources
- Randomise selection of sources from pools on start
- Ignore reference timestamp as ntpd doesn't always set it
correctly
- Modify tracking report to use same values as seen by NTP
clients
- Add -c option to chronyc to write reports in CSV format
- Provide detailed manual pages
- Bug fixes
- Fix SOCK refclock to work correctly when not specified as
last refclock
- Fix initstepslew and -q/-Q options to accept time from own
NTP clients
- Fix authentication with keys using 512-bit hash functions
- Fix crash on exit when multiple signals are received
- Fix conversion of very small floating-point numbers in
command packets
ModerateSUSE bug 1063704SUSE bug 1069468SUSE bug 1082318SUSE bug 1083597SUSE bug 1099272SUSE bug 1115529SUSE bug 1128846SUSE bug 1156884SUSE bug 1159840SUSE bug 1161119SUSE bug 1162964SUSE bug 1171806SUSE bug 1172113SUSE bug 1173277SUSE bug 1173760SUSE bug 1174075SUSE bug 1174911SUSE bug 1180689SUSE bug 1181826SUSE bug 1183783SUSE bug 1184400SUSE bug 1187906SUSE bug 1190926CVE-2020-14367 at SUSECVE-2020-14367 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ansible (Important)SUSE OpenStack Cloud Crowbar 8
This update for ansible fixes the following issues:
Update to 2.9.27:
- CVE-2021-3620: ansible-connection module discloses sensitive info in traceback error message (bsc#1187725).
- CVE-2021-3583: Template Injection through yaml multi-line strings with ansible facts used in template (bsc#1188061).
- ansible module nmcli is broken in ansible 2.9.13 (bsc#1176460)
ImportantSUSE bug 1176460SUSE bug 1187725SUSE bug 1188061CVE-2021-3583 at SUSECVE-2021-3583 at NVDCVE-2021-3620 at SUSECVE-2021-3620 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for logstash (Important)SUSE OpenStack Cloud Crowbar 8
This update for logstash fixes the following issues:
Fixed vulnerability related to log4j version 1.2.x
- CVE-2021-4104: Fixed remote code execution through the JMS API via the ldap JNDI parser (bsc#1193662)
ImportantSUSE bug 1193662CVE-2021-4104 at SUSECVE-2021-4104 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python (Important)SUSE OpenStack Cloud Crowbar 8
This update for python fixes the following issues:
- buffer overflow in PyCArg_repr in _ctypes/callproc.c,
which may lead to remote code execution (bsc#1181126, CVE-2021-3177).
- Provide the newest setuptools wheel (bsc#1176262,
CVE-2019-20916) in their correct form (bsc#1180686).
ImportantSUSE bug 1176262SUSE bug 1180686SUSE bug 1181126CVE-2019-20916 at SUSECVE-2019-20916 at NVDCVE-2021-3177 at SUSECVE-2021-3177 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openvswitch (Important)SUSE OpenStack Cloud Crowbar 8
This update for openvswitch fixes the following issues:
- CVE-2020-35498: Fixed a denial of service related to the handling of Ethernet padding (bsc#1181742).
ImportantSUSE bug 1181742CVE-2020-35498 at SUSECVE-2020-35498 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud Crowbar 8
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).
- CVE-2020-25211: Fixed a buffer overflow in ctnetlink_parse_tuple_filter() which could be triggered by a local attackers by injecting conntrack netlink configuration (bnc#1176395).
- CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).
- CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).
- CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).
- CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).
- CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).
- CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).
- CVE-2020-4788: Fixed an issue with IBM Power9 processors could have allowed a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances (bsc#1177666).
- CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c which could have allowed local users to gain privileges or cause a denial of service (bsc#1179141).
- CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).
- CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).
- CVE-2020-27786: Fixed an out-of-bounds write in the MIDI implementation (bnc#1179601).
- CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).
- CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).
- CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).
- CVE-2020-28974: Fixed a slab-out-of-bounds read in fbcon which could have been used by local attackers to read privileged information or potentially crash the kernel (bsc#1178589).
- CVE-2020-28915: Fixed a buffer over-read in the fbcon code which could have been used by local attackers to read kernel memory (bsc#1178886).
- CVE-2020-25669: Fixed a use-after-free read in sunkbd_reinit() (bsc#1178182).
- CVE-2020-15437: Fixed a null pointer dereference which could have allowed local users to cause a denial of service(bsc#1179140).
- CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).
- CVE-2020-11668: Fixed the mishandling of invalid descriptors in the Xirlink camera USB driver (bnc#1168952).
- CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485).
- CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed (bsc#1179663).
- CVE-2018-10902: It was found that the raw midi kernel driver did not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation (bnc#1105322).
The following non-security bugs were fixed:
- cifs: do not revalidate mountpoint dentries (bsc#1177440).
- cifs: fix potential use-after-free in cifs_echo_request() (bsc#1139944).
- cifs: ignore revalidate failures in case of process gets signaled (bsc#1177440).
- epoll: Keep a reference on files added to the check list (bsc#1180031).
- fix regression in 'epoll: Keep a reference on files added to the check list' (bsc#1180031, git-fixes).
- futex: Avoid freeing an active timer (bsc#969755).
- futex: Avoid violating the 10th rule of futex (bsc#969755).
- futex: Change locking rules (bsc#969755).
- futex: Do not enable IRQs unconditionally in put_pi_state() (bsc#969755).
- futex: Drop hb->lock before enqueueing on the rtmutex (bsc#969755).
- futex: Fix incorrect should_fail_futex() handling (bsc#969755).
- futex: Fix more put_pi_state() vs. exit_pi_state_list() races (bsc#969755).
- futex: Fix OWNER_DEAD fixup (bsc#969755).
- futex: Fix pi_state->owner serialization (bsc#969755).
- futex: Fix small (and harmless looking) inconsistencies (bsc#969755).
- futex: Futex_unlock_pi() determinism (bsc#969755).
- futex: Handle early deadlock return correctly (bsc#969755).
- futex: Handle transient 'ownerless' rtmutex state correctly (bsc#969755).
- futex: Pull rt_mutex_futex_unlock() out from under hb->lock (bsc#969755).
- futex: Rework futex_lock_pi() to use rt_mutex_*_proxy_lock() (bsc#969755).
- futex: Rework inconsistent rt_mutex/futex_q state (bsc#969755).
- futex,rt_mutex: Fix rt_mutex_cleanup_proxy_lock() (bsc#969755).
- futex,rt_mutex: Introduce rt_mutex_init_waiter() (bsc#969755).
- futex,rt_mutex: Provide futex specific rt_mutex API (bsc#969755).
- futex,rt_mutex: Restructure rt_mutex_finish_proxy_lock() (bsc#969755).
- HID: Fix slab-out-of-bounds read in hid_field_extract (bsc#1180052).
- IB/hfi1: Clean up hfi1_user_exp_rcv_setup function (bsc#1179878).
- IB/hfi1: Clean up pin_vector_pages() function (bsc#1179878).
- IB/hfi1: Fix the bail out code in pin_vector_pages() function (bsc#1179878).
- IB/hfi1: Move structure definitions from user_exp_rcv.c to user_exp_rcv.h (bsc#1179878).
- IB/hfi1: Name function prototype parameters (bsc#1179878).
- IB/hfi1: Use filedata rather than filepointer (bsc#1179878).
- locking/futex: Allow low-level atomic operations to return -EAGAIN (bsc#969755).
- mm/userfaultfd: do not access vma->vm_mm after calling handle_userfault() (bsc#1179204).
- scsi: iscsi: Fix a potential deadlock in the timeout handler (bsc#1178272).
- Use r3 instead of r13 for l1d fallback flush in do_uaccess_fush (bsc#1181096 ltc#190883).
- video: hyperv_fb: include vmalloc.h (bsc#1175306).
ImportantSUSE bug 1105322SUSE bug 1105323SUSE bug 1139944SUSE bug 1168952SUSE bug 1173942SUSE bug 1175306SUSE bug 1176395SUSE bug 1176485SUSE bug 1177440SUSE bug 1177666SUSE bug 1178182SUSE bug 1178272SUSE bug 1178589SUSE bug 1178886SUSE bug 1179107SUSE bug 1179140SUSE bug 1179141SUSE bug 1179204SUSE bug 1179419SUSE bug 1179508SUSE bug 1179509SUSE bug 1179601SUSE bug 1179616SUSE bug 1179663SUSE bug 1179666SUSE bug 1179745SUSE bug 1179877SUSE bug 1179878SUSE bug 1179960SUSE bug 1179961SUSE bug 1180008SUSE bug 1180027SUSE bug 1180028SUSE bug 1180029SUSE bug 1180030SUSE bug 1180031SUSE bug 1180032SUSE bug 1180052SUSE bug 1180086SUSE bug 1180559SUSE bug 1180562SUSE bug 1180815SUSE bug 1181096SUSE bug 1181158SUSE bug 1181349SUSE bug 1181553SUSE bug 969755CVE-2018-10902 at SUSECVE-2018-10902 at NVDCVE-2019-20934 at SUSECVE-2019-20934 at NVDCVE-2020-0444 at SUSECVE-2020-0444 at NVDCVE-2020-0465 at SUSECVE-2020-0465 at NVDCVE-2020-0466 at SUSECVE-2020-0466 at NVDCVE-2020-11668 at SUSECVE-2020-11668 at NVDCVE-2020-15436 at SUSECVE-2020-15436 at NVDCVE-2020-15437 at SUSECVE-2020-15437 at NVDCVE-2020-25211 at SUSECVE-2020-25211 at NVDCVE-2020-25285 at SUSECVE-2020-25285 at NVDCVE-2020-25669 at SUSECVE-2020-25669 at NVDCVE-2020-27068 at SUSECVE-2020-27068 at NVDCVE-2020-27777 at SUSECVE-2020-27777 at NVDCVE-2020-27786 at SUSECVE-2020-27786 at NVDCVE-2020-27825 at SUSECVE-2020-27825 at NVDCVE-2020-27835 at SUSECVE-2020-27835 at NVDCVE-2020-28915 at SUSECVE-2020-28915 at NVDCVE-2020-28974 at SUSECVE-2020-28974 at NVDCVE-2020-29568 at SUSECVE-2020-29568 at NVDCVE-2020-29569 at SUSECVE-2020-29569 at NVDCVE-2020-29660 at SUSECVE-2020-29660 at NVDCVE-2020-29661 at SUSECVE-2020-29661 at NVDCVE-2020-36158 at SUSECVE-2020-36158 at NVDCVE-2020-4788 at SUSECVE-2020-4788 at NVDCVE-2021-3347 at SUSECVE-2021-3347 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for wpa_supplicant (Important)SUSE OpenStack Cloud Crowbar 8
This update for wpa_supplicant fixes the following issues:
- CVE-2021-0326: P2P group information processing vulnerability (bsc#1181777).
- CVE-2019-16275: AP mode PMF disconnection protection bypass (bsc#1150934)
ImportantSUSE bug 1150934SUSE bug 1181777CVE-2019-16275 at SUSECVE-2019-16275 at NVDCVE-2021-0326 at SUSECVE-2021-0326 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for jasper (Important)SUSE OpenStack Cloud Crowbar 8
This update for jasper fixes the following issues:
- bsc#1179748 CVE-2020-27828: Fix heap overflow by checking maxrlvls
- bsc#1181483 CVE-2021-3272: Fix buffer over-read in jp2_decode
ImportantSUSE bug 1179748SUSE bug 1181483CVE-2020-27828 at SUSECVE-2020-27828 at NVDCVE-2021-3272 at SUSECVE-2021-3272 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for screen (Important)SUSE OpenStack Cloud Crowbar 8
This update for screen fixes the following issues:
- CVE-2021-26937: Fixed double width combining char handling that could lead to a denial of service or code execution (bsc#1182092).
ImportantSUSE bug 1182092CVE-2021-26937 at SUSECVE-2021-26937 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for bind (Important)SUSE OpenStack Cloud Crowbar 8
This update for bind fixes the following issues:
- CVE-2020-8625: A vulnerability in BIND's GSSAPI security policy
negotiation can be targeted by a buffer overflow attack [bsc#1182246, CVE-2020-8625]
ImportantSUSE bug 1182246CVE-2020-8625 at SUSECVE-2020-8625 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_7_1-ibm (Important)SUSE OpenStack Cloud Crowbar 8
This update for java-1_7_1-ibm fixes the following issues:
- Update to Java 7.1 Service Refresh 4 Fix Pack 80
[bsc#1182186, bsc#1181239, CVE-2020-27221, CVE-2020-14803]
* CVE-2020-27221: Potential for a stack-based buffer overflow
when the virtual machine or JNI natives are converting from
UTF-8 characters to platform encoding.
* CVE-2020-14803: Unauthenticated attacker with network access
via multiple protocols allows to compromise Java SE.
ImportantSUSE bug 1181239SUSE bug 1182186CVE-2020-14803 at SUSECVE-2020-14803 at NVDCVE-2020-27221 at SUSECVE-2020-27221 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-urllib3 (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-urllib3 fixes the following issues:
- CVE-2020-26116: Raise ValueError if method contains control characters and thus prevent CRLF injection into URLs (bsc#1177211).
ModerateSUSE bug 1177211CVE-2020-26116 at SUSECVE-2020-26116 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for krb5-appl (Important)SUSE OpenStack Cloud Crowbar 8
This update for krb5-appl fixes the following issues:
- CVE-2019-25017: Check the filenames sent by the server match those requested by the client (bsc#1131109).
- CVE-2019-25018: Disallow empty incoming filename or ones that refer to the current directory (bsc#1131109).
ImportantSUSE bug 1131109CVE-2019-25017 at SUSECVE-2019-25017 at NVDCVE-2019-25018 at SUSECVE-2019-25018 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_8_0-openjdk (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for java-1_8_0-openjdk fixes the following issues:
- Update to version jdk8u282 (icedtea 3.18.0)
* January 2021 CPU (bsc#1181239)
* Security fixes
+ JDK-8247619: Improve Direct Buffering of Characters (CVE-2020-14803)
* Import of OpenJDK 8 u282 build 01
+ JDK-6962725: Regtest javax/swing/JFileChooser/6738668/
/bug6738668.java fails under Linux
+ JDK-8025936: Windows .pdb and .map files does not have proper
dependencies setup
+ JDK-8030350: Enable additional compiler warnings for GCC
+ JDK-8031423: Test java/awt/dnd/DisposeFrameOnDragCrash/
/DisposeFrameOnDragTest.java fails by Timeout on Windows
+ JDK-8036122: Fix warning 'format not a string literal'
+ JDK-8051853: new
URI('x/').resolve('..').getSchemeSpecificPart() returns null!
+ JDK-8132664: closed/javax/swing/DataTransfer/DefaultNoDrop/
/DefaultNoDrop.java locks on Windows
+ JDK-8134632: Mark javax/sound/midi/Devices/
/InitializationHang.java as headful
+ JDK-8148854: Class names 'SomeClass' and 'LSomeClass;'
treated by JVM as an equivalent
+ JDK-8148916: Mark bug6400879.java as intermittently failing
+ JDK-8148983: Fix extra comma in changes for JDK-8148916
+ JDK-8160438: javax/swing/plaf/nimbus/8057791/bug8057791.java
fails
+ JDK-8165808: Add release barriers when allocating objects
with concurrent collection
+ JDK-8185003: JMX: Add a version of
ThreadMXBean.dumpAllThreads with a maxDepth argument
+ JDK-8202076: test/jdk/java/io/File/WinSpecialFiles.java on
windows with VS2017
+ JDK-8207766: [testbug] Adapt tests for Aix.
+ JDK-8212070: Introduce diagnostic flag to abort VM on failed
JIT compilation
+ JDK-8213448: [TESTBUG] enhance jfr/jvm/TestDumpOnCrash
+ JDK-8215727: Restore JFR thread sampler loop to old /
previous behavior
+ JDK-8220657: JFR.dump does not work when filename is set
+ JDK-8221342: [TESTBUG] Generate Dockerfile for docker testing
+ JDK-8224502: [TESTBUG] JDK docker test TestSystemMetrics.java
fails with access issues and OOM
+ JDK-8231209: [REDO] ThreadMXBean::getThreadAllocatedBytes()
can be quicker for self thread
+ JDK-8231968: getCurrentThreadAllocatedBytes default
implementation s/b getThreadAllocatedBytes
+ JDK-8232114: JVM crashed at imjpapi.dll in native code
+ JDK-8234270: [REDO] JDK-8204128 NMT might report incorrect
numbers for Compiler area
+ JDK-8234339: replace JLI_StrTok in java_md_solinux.c
+ JDK-8238448: RSASSA-PSS signature verification fail when
using certain odd key sizes
+ JDK-8242335: Additional Tests for RSASSA-PSS
+ JDK-8244225: stringop-overflow warning on strncpy call from
compile_the_world_in
+ JDK-8245400: Upgrade to LittleCMS 2.11
+ JDK-8248214: Add paddings for TaskQueueSuper to reduce
false-sharing cache contention
+ JDK-8249176: Update GlobalSignR6CA test certificates
+ JDK-8250665: Wrong translation for the month name of May in
ar_JO,LB,SY
+ JDK-8250928: JFR: Improve hash algorithm for stack traces
+ JDK-8251469: Better cleanup for
test/jdk/javax/imageio/SetOutput.java
+ JDK-8251840: Java_sun_awt_X11_XToolkit_getDefaultScreenData
should not be in make/mapfiles/libawt_xawt/mapfile-vers
+ JDK-8252384: [TESTBUG] Some tests refer to COMPAT provider
rather than JRE
+ JDK-8252395: [8u] --with-native-debug-symbols=external
doesn't include debuginfo files for binaries
+ JDK-8252497: Incorrect numeric currency code for ROL
+ JDK-8252754: Hash code calculation of JfrStackTrace is
inconsistent
+ JDK-8252904: VM crashes when JFR is used and JFR event class
is transformed
+ JDK-8252975: [8u] JDK-8252395 breaks the build for
--with-native-debug-symbols=internal
+ JDK-8253284: Zero OrderAccess barrier mappings are incorrect
+ JDK-8253550: [8u] JDK-8252395 breaks the build for make
STRIP_POLICY=no_strip
+ JDK-8253752: test/sun/management/jmxremote/bootstrap/
/RmiBootstrapTest.java fails randomly
+ JDK-8254081: java/security/cert/PolicyNode/
/GetPolicyQualifiers.java fails due to an expired certificate
+ JDK-8254144: Non-x86 Zero builds fail with return-type
warning in os_linux_zero.cpp
+ JDK-8254166: Zero: return-type warning in
zeroInterpreter_zero.cpp
+ JDK-8254683: [TEST_BUG] jdk/test/sun/tools/jconsole/
/WorkerDeadlockTest.java fails
+ JDK-8255003: Build failures on Solaris
ModerateSUSE bug 1181239CVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for crowbar-core, crowbar-openstack, grafana, influxdb, openstack-heat-templates, openstack-nova, python-Jinja2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for crowbar-core, crowbar-openstack, grafana, influxdb, openstack-heat-templates, openstack-nova, python-Jinja2 fixes the following issues:
Security fixes included in this request:
grafana:
- CVE-2020-24303: Fixed an XXS with series overides. (bsc#1178243)
influxdb:
- CVE-2019-20933: Fixed an authentication bypass. (bsc#1178988)
python-Jinja2:
- CVE-2019-10906, CVE-2019-8341, CVE-2016-10745: 'SandboxedEnvironment' securely handles
'str.format_map' in order to prevent code execution through untrusted format strings.
(bsc#1132323, bsc#1125815, bsc#1132174)
Non-security fixes included in this request:
Changes in crowbar-core.SUSE_SLE-12-SP3_Update_Products_Cloud8:
- Update to version 5.0+git.1606840757.839a64745:
* ntp: Do not use rate-limiting (bsc#1179161)
Changes in crowbar-openstack.SUSE_SLE-12-SP3_Update_Products_Cloud8:
- Update to version 5.0+git.1604938523.ded915845:
* rabbitmq: Fix crm running check (SOC-11240)
Changes in grafana.SUSE_SLE-12-SP3_Update_Products_Cloud8_Update:
- Fix bsc#1178243 CVE-2020-24303 by adding
25401-Fix-XSS-vulnerability-with-series-overrides.patch
Changes in influxdb.SUSE_SLE-12-SP3_Update_Products_Cloud8:
- Add CVE-2019-20933.patch (bsc#1178988, CVE-2019-20933) to
fix authentication bypass
- Declare license files correctly
Changes in openstack-heat-templates.SUSE_SLE-12-SP3_Update_Products_Cloud8_Update:
- Update to version 0.0.0+git.1605509190.64f020b:
* Fix software config on rdo
* optimize size and time using --no-cache-dir
* add template for servers using Octavia
- Update to version 0.0.0+git.1604032742.c5733ee:
* Move heat-templates-check job to zuul v3
Changes in openstack-nova-doc.SUSE_SLE-12-SP3_Update_Products_Cloud8_Update:
- Update to version nova-16.1.9.dev77:
* Follow up for cherry-pick check for merge patch
Changes in openstack-nova.SUSE_SLE-12-SP3_Update_Products_Cloud8_Update:
- Update to version nova-16.1.9.dev77:
* Follow up for cherry-pick check for merge patch
Changes in python-Jinja2.SUSE_SLE-12-SP3_Update_Products_Cloud8_Update:
- add 0001-sandbox-str.format_map.patch (bsc#1132323, CVE-2019-10906, bsc#1125815, CVE-2019-8341)
* 'SandboxedEnvironment' securely handles 'str.format_map' in order
to prevent code execution through untrusted format strings. The
sandbox already handled 'str.format'.
- add 0001-SECURITY-support-sandboxing-in-format-expressions.patch (bsc#1132174, CVE-2016-10745)
- Allows Recommends and Suggest in Fedora
- Recommends only for SUSE
Changes in rubygem-crowbar-client:
- Update to 3.9.3
- Enable restricted commands for Cloud 7 (bsc#1117080, CVE-2018-17954)
ImportantSUSE bug 1117080SUSE bug 1125815SUSE bug 1132174SUSE bug 1132323SUSE bug 1178243SUSE bug 1178988SUSE bug 1179161CVE-2016-10745 at SUSECVE-2016-10745 at NVDCVE-2018-17954 at SUSECVE-2018-17954 at NVDCVE-2019-10906 at SUSECVE-2019-10906 at NVDCVE-2019-20933 at SUSECVE-2019-20933 at NVDCVE-2019-8341 at SUSECVE-2019-8341 at NVDCVE-2020-24303 at SUSECVE-2020-24303 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-Jinja2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-Jinja2 fixes the following issues:
- CVE-2020-28493: Improve the speed of the 'urlize' filter by reducing regex
backtracking. Email matching requires a word character at the start of the
domain part, and only word characters in the TLD. (bsc#1181944)
ImportantSUSE bug 1181944CVE-2020-28493 at SUSECVE-2020-28493 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_8_0-ibm (Important)SUSE OpenStack Cloud Crowbar 8
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 6 Fix Pack 25
[bsc#1182186, bsc#1181239, CVE-2020-27221, CVE-2020-14803]
* CVE-2020-27221: Potential for a stack-based buffer overflow
when the virtual machine or JNI natives are converting from
UTF-8 characters to platform encoding.
* CVE-2020-14803: Unauthenticated attacker with network access
via multiple protocols allows to compromise Java SE.
ImportantSUSE bug 1181239SUSE bug 1182186CVE-2020-14803 at SUSECVE-2020-14803 at NVDCVE-2020-27221 at SUSECVE-2020-27221 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for perl-XML-Twig (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for perl-XML-Twig fixes the following issues:
- Security fix [bsc#1008644, CVE-2016-9180]
* Added: the no_xxe option to XML::Twig::new, which causes the
parse to fail if external entities are used (to prevent
malicious XML to access the filesystem).
* Setting expand_external_ents to 0 or -1 currently doesn't work
as expected; To completely turn off expanding external entities
use no_xxe.
* Update documentation for XML::Twig to mention problems with
expand_external_ents and add information about new no_xxe argument
ModerateSUSE bug 1008644CVE-2016-9180 at SUSECVE-2016-9180 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.8.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-08 (bsc#1182614)
* CVE-2021-23969: Content Security Policy violation report could have contained the destination of a redirect
* CVE-2021-23968: Content Security Policy violation report could have contained the destination of a redirect
* CVE-2021-23973: MediaError message property could have leaked information about cross-origin resources
* CVE-2021-23978: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8
ImportantSUSE bug 1182357SUSE bug 1182614CVE-2021-23968 at SUSECVE-2021-23968 at NVDCVE-2021-23969 at SUSECVE-2021-23969 at NVDCVE-2021-23973 at SUSECVE-2021-23973 at NVDCVE-2021-23978 at SUSECVE-2021-23978 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-cryptography (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-cryptography fixes the following issues:
- CVE-2020-36242: Using the Fernet class to symmetrically encrypt multi gigabyte
values could result in an integer overflow and buffer overflow (bsc#1182066).
ImportantSUSE bug 1182066CVE-2020-36242 at SUSECVE-2020-36242 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-cryptography (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-cryptography fixes the following issues:
- CVE-2020-36242: Using the Fernet class to symmetrically encrypt multi gigabyte
values could result in an integer overflow and buffer overflow (bsc#1182066).
ImportantSUSE bug 1182066CVE-2020-36242 at SUSECVE-2020-36242 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for grub2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for grub2 fixes the following issues:
grub2 now implements the new 'SBAT' method for SHIM based secure boot revocation. (bsc#1182057)
Following security issues are fixed that can violate secure boot constraints:
- CVE-2020-25632: Fixed a use-after-free in rmmod command (bsc#1176711)
- CVE-2020-25647: Fixed an out-of-bound write in grub_usb_device_initialize() (bsc#1177883)
- CVE-2020-27749: Fixed a stack buffer overflow in grub_parser_split_cmdline (bsc#1179264)
- CVE-2020-27779, CVE-2020-14372: Disallow cutmem and acpi commands in secure boot mode (bsc#1179265 bsc#1175970)
- CVE-2021-20225: Fixed a heap out-of-bounds write in short form option parser (bsc#1182262)
- CVE-2021-20233: Fixed a heap out-of-bound write due to mis-calculation of space required for quoting (bsc#1182263)
ImportantSUSE bug 1175970SUSE bug 1176711SUSE bug 1177883SUSE bug 1179264SUSE bug 1179265SUSE bug 1182057SUSE bug 1182262SUSE bug 1182263CVE-2020-14372 at SUSECVE-2020-14372 at NVDCVE-2020-25632 at SUSECVE-2020-25632 at NVDCVE-2020-25647 at SUSECVE-2020-25647 at NVDCVE-2020-27749 at SUSECVE-2020-27749 at NVDCVE-2020-27779 at SUSECVE-2020-27779 at NVDCVE-2021-20225 at SUSECVE-2021-20225 at NVDCVE-2021-20233 at SUSECVE-2021-20233 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openldap2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for openldap2 fixes the following issues:
- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the
X.509 DN parsing in decode.c ber_next_element, resulting in denial
of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN
parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash
in the Certificate List Exact Assertion processing, resulting in
denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the
cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the
saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash
in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd
crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the
saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact
Assertion processing, resulting in denial of service (schema_init.c
serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter
control handling, resulting in denial of service (double free and
out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur
in the issuerAndThisUpdateCheck function via a crafted packet,
resulting in a denial of service (daemon exit) via a short timestamp.
This is related to schema_init.c and checkTime.
ImportantSUSE bug 1182279SUSE bug 1182408SUSE bug 1182411SUSE bug 1182412SUSE bug 1182413SUSE bug 1182415SUSE bug 1182416SUSE bug 1182417SUSE bug 1182418SUSE bug 1182419SUSE bug 1182420CVE-2020-36221 at SUSECVE-2020-36221 at NVDCVE-2020-36222 at SUSECVE-2020-36222 at NVDCVE-2020-36223 at SUSECVE-2020-36223 at NVDCVE-2020-36224 at SUSECVE-2020-36224 at NVDCVE-2020-36225 at SUSECVE-2020-36225 at NVDCVE-2020-36226 at SUSECVE-2020-36226 at NVDCVE-2020-36227 at SUSECVE-2020-36227 at NVDCVE-2020-36228 at SUSECVE-2020-36228 at NVDCVE-2020-36229 at SUSECVE-2020-36229 at NVDCVE-2020-36230 at SUSECVE-2020-36230 at NVDCVE-2021-27212 at SUSECVE-2021-27212 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud Crowbar 8
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1181843).
- CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753).
- CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747).
- CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI target code which could have been used
by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#178372).
The following non-security bugs were fixed:
- cifs: report error instead of invalid when revalidating a dentry fails (bsc#1177440).
- xen/netback: fix spurious event detection for common event case (bsc#1182175).
ImportantSUSE bug 1177440SUSE bug 1178372SUSE bug 1181747SUSE bug 1181753SUSE bug 1181843SUSE bug 1182175CVE-2020-28374 at SUSECVE-2020-28374 at NVDCVE-2021-26930 at SUSECVE-2021-26930 at NVDCVE-2021-26931 at SUSECVE-2021-26931 at NVDCVE-2021-26932 at SUSECVE-2021-26932 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for wpa_supplicant (Important)SUSE OpenStack Cloud Crowbar 8
This update for wpa_supplicant fixes the following issues:
- CVE-2021-27803: P2P provision discovery processing vulnerability (bsc#1182805)
ImportantSUSE bug 1182805CVE-2021-27803 at SUSECVE-2021-27803 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for git (Important)SUSE OpenStack Cloud Crowbar 8
This update for git fixes the following issues:
- On case-insensitive filesystems, with support for symbolic links,
if Git is configured globally to apply delay-capable clean/smudge
filters (such as Git LFS), Git could be fooled into running
remote code during a clone. (bsc#1183026, CVE-2021-21300)
ImportantSUSE bug 1183026CVE-2021-21300 at SUSECVE-2021-21300 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python fixes the following issues:
- python27 was upgraded to 2.7.18
- CVE-2021-23336: Fixed a potential web cache poisoning by using a semicolon in query parameters use of semicolon as a query string separator (bsc#1182379).
ModerateSUSE bug 1182379CVE-2019-18348 at SUSECVE-2019-18348 at NVDCVE-2021-23336 at SUSECVE-2021-23336 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.6.1 ESR
* Fixed: Critical security issue MFSA 2021-01 (bsc#1180623)
* CVE-2020-16044
Use-after-free write when handling a malicious COOKIE-ECHO SCTP chunk
ImportantSUSE bug 1180623CVE-2020-16044 at SUSECVE-2020-16044 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for glib2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for glib2 fixes the following issues:
- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362)
ImportantSUSE bug 1182328SUSE bug 1182362CVE-2021-27218 at SUSECVE-2021-27218 at NVDCVE-2021-27219 at SUSECVE-2021-27219 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for wavpack (Important)SUSE OpenStack Cloud Crowbar 8
This update for wavpack fixes the following issues:
- CVE-2020-35738: Fixed an out-of-bounds write in WavpackPackSamples (bsc#1180414).
ImportantSUSE bug 1180414CVE-2020-35738 at SUSECVE-2020-35738 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for nghttp2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for nghttp2 fixes the following issues:
Security issues fixed:
- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358).
- CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184).
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#1146182).
- CVE-2018-1000168: Fixed ALTSVC frame client side denial of service (bsc#1088639).
- CVE-2016-1544: Fixed out of memory due to unlimited incoming HTTP header fields (bsc#966514).
Bug fixes and enhancements:
- Packages must not mark license files as %doc (bsc#1082318)
- Typo in description of libnghttp2_asio1 (bsc#962914)
- Fixed mistake in spec file (bsc#1125689)
- Fixed build issue with boost 1.70.0 (bsc#1134616)
- Fixed build issue with GCC 6 (bsc#964140)
- Feature: Add W&S module (FATE#326776, bsc#1112438)
ImportantSUSE bug 1082318SUSE bug 1088639SUSE bug 1112438SUSE bug 1125689SUSE bug 1134616SUSE bug 1146182SUSE bug 1146184SUSE bug 1181358SUSE bug 962914SUSE bug 964140SUSE bug 966514CVE-2016-1544 at SUSECVE-2016-1544 at NVDCVE-2018-1000168 at SUSECVE-2018-1000168 at NVDCVE-2019-9511 at SUSECVE-2019-9511 at NVDCVE-2019-9513 at SUSECVE-2019-9513 at NVDCVE-2020-11080 at SUSECVE-2020-11080 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openssl (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for openssl fixes the following issues:
- CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)
ModerateSUSE bug 1182331SUSE bug 1182333CVE-2021-23840 at SUSECVE-2021-23840 at NVDCVE-2021-23841 at SUSECVE-2021-23841 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openstack-dashboard, release-notes-suse-openstack-cloud (Important)SUSE OpenStack Cloud Crowbar 8
This update for openstack-dashboard, release-notes-suse-openstack-cloud fixes the following issues:
- Fix open redirect (OSSA-2020-008, CVE-2020-29565)
- Fix horizon-nodejs jobs.
- Add workaround for secure boot issue when shim package is updated. (bsc#1179955)
ImportantSUSE bug 1179955CVE-2020-29565 at SUSECVE-2020-29565 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
- Firefox was updated to 78.9.0 ESR (MFSA 2021-11, bsc#1183942)
* CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read
* CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage
* CVE-2021-23984: Malicious extensions could have spoofed popup information
* CVE-2021-23987: Memory safety bugs
ImportantSUSE bug 1183942CVE-2021-23981 at SUSECVE-2021-23981 at NVDCVE-2021-23982 at SUSECVE-2021-23982 at NVDCVE-2021-23984 at SUSECVE-2021-23984 at NVDCVE-2021-23987 at SUSECVE-2021-23987 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-Django (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-Django fixes the following issues:
- CVE-2021-45115: Fixed denial-of-service possibility in UserAttributeSimilarityValidator (bsc#1194115).
- CVE-2021-45116: Fixed potential information disclosure in dictsort template filter (bsc#1194117).
- CVE-2021-45452: Fixed potential directory-traversal via Storage.save() (bsc#1194116).
ImportantSUSE bug 1194115SUSE bug 1194116SUSE bug 1194117CVE-2021-45115 at SUSECVE-2021-45115 at NVDCVE-2021-45116 at SUSECVE-2021-45116 at NVDCVE-2021-45452 at SUSECVE-2021-45452 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openvpn (Important)SUSE OpenStack Cloud Crowbar 8
This update for openvpn fixes the following issues:
- CVE-2022-0547: Fixed possible authentication bypass in external authentication plug-in (bsc#1197341).
ImportantSUSE bug 1197341CVE-2022-0547 at SUSECVE-2022-0547 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_7_1-ibm (Important)SUSE OpenStack Cloud Crowbar 8
This update for java-1_7_1-ibm fixes the following issues:
Update Java 7.1 to Service Refresh 7 Fix Pack 5 (bsc#1197126).
Including fixes for the following vulnerabilities:
CVE-2022-21366, CVE-2022-21365, CVE-2022-21360, CVE-2022-21349,
CVE-2022-21341, CVE-2022-21340, CVE-2022-21305, CVE-2022-21277,
CVE-2022-21299, CVE-2022-21296, CVE-2022-21282, CVE-2022-21294,
CVE-2022-21293, CVE-2022-21291, CVE-2022-21283, CVE-2022-21248,
CVE-2022-21271.
ImportantSUSE bug 1194925SUSE bug 1194926SUSE bug 1194927SUSE bug 1194928SUSE bug 1194929SUSE bug 1194930SUSE bug 1194931SUSE bug 1194932SUSE bug 1194933SUSE bug 1194934SUSE bug 1194935SUSE bug 1194937SUSE bug 1194939SUSE bug 1194940SUSE bug 1194941SUSE bug 1196500SUSE bug 1197126CVE-2022-21248 at SUSECVE-2022-21248 at NVDCVE-2022-21271 at SUSECVE-2022-21271 at NVDCVE-2022-21277 at SUSECVE-2022-21277 at NVDCVE-2022-21282 at SUSECVE-2022-21282 at NVDCVE-2022-21283 at SUSECVE-2022-21283 at NVDCVE-2022-21291 at SUSECVE-2022-21291 at NVDCVE-2022-21293 at SUSECVE-2022-21293 at NVDCVE-2022-21294 at SUSECVE-2022-21294 at NVDCVE-2022-21296 at SUSECVE-2022-21296 at NVDCVE-2022-21299 at SUSECVE-2022-21299 at NVDCVE-2022-21305 at SUSECVE-2022-21305 at NVDCVE-2022-21340 at SUSECVE-2022-21340 at NVDCVE-2022-21341 at SUSECVE-2022-21341 at NVDCVE-2022-21349 at SUSECVE-2022-21349 at NVDCVE-2022-21360 at SUSECVE-2022-21360 at NVDCVE-2022-21365 at SUSECVE-2022-21365 at NVDCVE-2022-21366 at SUSECVE-2022-21366 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_8_0-ibm (Important)SUSE OpenStack Cloud Crowbar 8
This update for java-1_8_0-ibm fixes the following issues:
Update Java 8.0 to Service Refresh 7 Fix Pack 5 (bsc#1197126).
Including fixes for the following vulnerabilities:
CVE-2022-21366, CVE-2022-21365, CVE-2022-21360, CVE-2022-21349,
CVE-2022-21341, CVE-2022-21340, CVE-2022-21305, CVE-2022-21277,
CVE-2022-21299, CVE-2022-21296, CVE-2022-21282, CVE-2022-21294,
CVE-2022-21293, CVE-2022-21291, CVE-2022-21283, CVE-2022-21248,
CVE-2022-21271.
Non-securtiy fix:
- Fixed a broken symlink for javaws (bsc#1195146).
ImportantSUSE bug 1194925SUSE bug 1194926SUSE bug 1194927SUSE bug 1194928SUSE bug 1194929SUSE bug 1194930SUSE bug 1194931SUSE bug 1194932SUSE bug 1194933SUSE bug 1194934SUSE bug 1194935SUSE bug 1194937SUSE bug 1194939SUSE bug 1194940SUSE bug 1194941SUSE bug 1195146SUSE bug 1196500SUSE bug 1197126CVE-2022-21248 at SUSECVE-2022-21248 at NVDCVE-2022-21271 at SUSECVE-2022-21271 at NVDCVE-2022-21277 at SUSECVE-2022-21277 at NVDCVE-2022-21282 at SUSECVE-2022-21282 at NVDCVE-2022-21283 at SUSECVE-2022-21283 at NVDCVE-2022-21291 at SUSECVE-2022-21291 at NVDCVE-2022-21293 at SUSECVE-2022-21293 at NVDCVE-2022-21294 at SUSECVE-2022-21294 at NVDCVE-2022-21296 at SUSECVE-2022-21296 at NVDCVE-2022-21299 at SUSECVE-2022-21299 at NVDCVE-2022-21305 at SUSECVE-2022-21305 at NVDCVE-2022-21340 at SUSECVE-2022-21340 at NVDCVE-2022-21341 at SUSECVE-2022-21341 at NVDCVE-2022-21349 at SUSECVE-2022-21349 at NVDCVE-2022-21360 at SUSECVE-2022-21360 at NVDCVE-2022-21365 at SUSECVE-2022-21365 at NVDCVE-2022-21366 at SUSECVE-2022-21366 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for zlib (Important)SUSE OpenStack Cloud Crowbar 8
This update for zlib fixes the following issues:
- CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).
ImportantSUSE bug 1197459CVE-2018-25032 at SUSECVE-2018-25032 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_8_0-ibm (Important)SUSE OpenStack Cloud Crowbar 8
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 7 Fix Pack 0
- CVE-2021-41035: before version 0.29.0, the openj9 JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods. (bsc#1194198, bsc#1192052)
- CVE-2021-35586: Excessive memory allocation in BMPImageReader. (bsc#1191914)
- CVE-2021-35564: Certificates with end dates too far in the future can corrupt keystore. (bsc#1191913)
- CVE-2021-35559: Excessive memory allocation in RTFReader. (bsc#1191911)
- CVE-2021-35556: Excessive memory allocation in RTFParser. (bsc#1191910)
- CVE-2021-35565: Loop in HttpsServer triggered during TLS session close. (bsc#1191909)
- CVE-2021-35588: Incomplete validation of inner class references in ClassFileParser. (bsc#1191905)
- CVE-2021-2341: Fixed a flaw inside the FtpClient. (bsc#1188564)
- CVE-2021-2369: JAR file handling problem containing multiple MANIFEST.MF files. (bsc#1188565)
- CVE-2021-2163: Incomplete enforcement of JAR signing disabled algorithms. (bsc#1185055)
- CVE-2021-35560: Fixed a vulnerability in the component Deployment. (bsc#1191902)
- CVE-2021-35578: Fixed unexpected exception raised during TLS handshake. (bsc#1191904)
ImportantSUSE bug 1185055SUSE bug 1188564SUSE bug 1188565SUSE bug 1191902SUSE bug 1191904SUSE bug 1191905SUSE bug 1191909SUSE bug 1191910SUSE bug 1191911SUSE bug 1191913SUSE bug 1191914SUSE bug 1192052SUSE bug 1194198SUSE bug 1194232CVE-2021-2163 at SUSECVE-2021-2163 at NVDCVE-2021-2341 at SUSECVE-2021-2341 at NVDCVE-2021-2369 at SUSECVE-2021-2369 at NVDCVE-2021-35556 at SUSECVE-2021-35556 at NVDCVE-2021-35559 at SUSECVE-2021-35559 at NVDCVE-2021-35560 at SUSECVE-2021-35560 at NVDCVE-2021-35564 at SUSECVE-2021-35564 at NVDCVE-2021-35565 at SUSECVE-2021-35565 at NVDCVE-2021-35578 at SUSECVE-2021-35578 at NVDCVE-2021-35586 at SUSECVE-2021-35586 at NVDCVE-2021-35588 at SUSECVE-2021-35588 at NVDCVE-2021-41035 at SUSECVE-2021-41035 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for mozilla-nss (Important)SUSE OpenStack Cloud Crowbar 8
This update for mozilla-nss fixes the following issues:
Mozilla NSS 3.68.3 (bsc#1197903):
- CVE-2022-1097: Fixed memory safety violations that could occur when PKCS#11
tokens are removed while in use.
ImportantSUSE bug 1197903CVE-2022-1097 at SUSECVE-2022-1097 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.8.0 ESR (bsc#1197903):
MFSA 2022-14 (bsc#1197903)
* CVE-2022-1097: Fixed memory safety violations that could occur when PKCS#11 tokens are removed while in use
* CVE-2022-28281: Fixed an out of bounds write due to unexpected WebAuthN Extensions
* CVE-2022-1196: Fixed a use-after-free after VR Process destruction
* CVE-2022-28282: Fixed a use-after-free in DocumentL10n::TranslateDocument
* CVE-2022-28285: Fixed incorrect AliasSet used in JIT Codegen
* CVE-2022-28286: Fixed that iframe contents could be rendered outside the border
* CVE-2022-24713: Fixed a denial of service via complex regular expressions
* CVE-2022-28289: Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8
ImportantSUSE bug 1197903CVE-2022-1097 at SUSECVE-2022-1097 at NVDCVE-2022-1196 at SUSECVE-2022-1196 at NVDCVE-2022-24713 at SUSECVE-2022-24713 at NVDCVE-2022-28281 at SUSECVE-2022-28281 at NVDCVE-2022-28282 at SUSECVE-2022-28282 at NVDCVE-2022-28285 at SUSECVE-2022-28285 at NVDCVE-2022-28286 at SUSECVE-2022-28286 at NVDCVE-2022-28289 at SUSECVE-2022-28289 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for glibc (Important)SUSE OpenStack Cloud Crowbar 8
This update for glibc fixes the following issues:
- CVE-2020-1752: Fix use-after-free in glob when expanding ~user (bsc#1167631)
ImportantSUSE bug 1167631CVE-2020-1752 at SUSECVE-2020-1752 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openjpeg2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for openjpeg2 fixes the following issues:
- CVE-2016-1924: Fixed heap buffer overflow (bsc#980504).
- CVE-2016-3183: Fixed out-of-bounds read in sycc422_to_rgb function (bsc#971617).
- CVE-2016-4797: Fixed heap buffer overflow (bsc#980504).
- CVE-2018-14423: Fixed division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_next_cprl,and pi_next_rpcl in lib/openjp3d/pi.c (bsc#1102016).
- CVE-2018-16375: Fixed missing checks for header_info.height and header_info.width in the function pnmtoimage in bin/jpwl/convert.c (bsc#1106882).
- CVE-2018-16376: Fixed heap-based buffer overflow function t2_encode_packet in lib/openmj2/t2.c (bsc#1106881).
- CVE-2018-20845: Fixed division-by-zero in the functions pi_next_pcrl, pi_next_cprl, and pi_next_rpcl in openmj2/pi.c (bsc#1140130).
- CVE-2018-20846: Fixed out-of-bounds accesses in pi_next_lrcp, pi_next_rlcp, pi_next_rpcl, pi_next_pcrl, pi_next_rpcl, and pi_next_cprl in openmj2/pi.c (bsc#1140205).
- CVE-2020-8112: Fixed heap-based buffer overflow in opj_t1_clbl_decode_processor in openjp2/t1.c (bsc#1162090).
- CVE-2020-15389: Fixed use-after-free if t a mix of valid and invalid files in a directory operated on by the decompressor (bsc#1173578).
- CVE-2020-27823: Fixed heap buffer over-write in opj_tcd_dc_level_shift_encode() (bsc#1180457).
- CVE-2021-29338: Fixed integer overflow that allows remote attackers to crash the application (bsc#1184774).
- CVE-2022-1122: Fixed segmentation fault in opj2_decompress due to uninitialized pointer (bsc#1197738).
ImportantSUSE bug 1102016SUSE bug 1106881SUSE bug 1106882SUSE bug 1140130SUSE bug 1140205SUSE bug 1162090SUSE bug 1173578SUSE bug 1180457SUSE bug 1184774SUSE bug 1197738SUSE bug 971617SUSE bug 980504CVE-2016-1924 at SUSECVE-2016-1924 at NVDCVE-2016-3183 at SUSECVE-2016-3183 at NVDCVE-2016-4797 at SUSECVE-2016-4797 at NVDCVE-2018-14423 at SUSECVE-2018-14423 at NVDCVE-2018-16375 at SUSECVE-2018-16375 at NVDCVE-2018-16376 at SUSECVE-2018-16376 at NVDCVE-2018-20845 at SUSECVE-2018-20845 at NVDCVE-2018-20846 at SUSECVE-2018-20846 at NVDCVE-2020-15389 at SUSECVE-2020-15389 at NVDCVE-2020-27823 at SUSECVE-2020-27823 at NVDCVE-2020-8112 at SUSECVE-2020-8112 at NVDCVE-2021-29338 at SUSECVE-2021-29338 at NVDCVE-2022-1122 at SUSECVE-2022-1122 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for mysql-connector-java (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for mysql-connector-java fixes the following issues:
- CVE-2021-2471: Fixed unauthorized access to critical data or complete access to all MySQL Connectors (bsc#1195557).
ModerateSUSE bug 1195557CVE-2021-2471 at SUSECVE-2021-2471 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
- CVE-2021-4140: Fixed iframe sandbox bypass with XSLT (bsc#1194547).
- CVE-2022-22737: Fixed race condition when playing audio files (bsc#1194547).
- CVE-2022-22738: Fixed heap-buffer-overflow in blendGaussianBlur (bsc#1194547).
- CVE-2022-22739: Fixed missing throttling on external protocol launch dialog (bsc#1194547).
- CVE-2022-22740: Fixed use-after-free of ChannelEventQueue::mOwner (bsc#1194547).
- CVE-2022-22741: Fixed browser window spoof using fullscreen mode (bsc#1194547).
- CVE-2022-22742: Fixed out-of-bounds memory access when inserting text in edit mode (bsc#1194547).
- CVE-2022-22743: Fixed browser window spoof using fullscreen mode (bsc#1194547).
- CVE-2022-22744: Fixed possible command injection via the 'Copy as curl' feature in DevTools (bsc#1194547).
- CVE-2022-22745: Fixed leaking cross-origin URLs through securitypolicyviolation event (bsc#1194547).
- CVE-2022-22746: Fixed calling into reportValidity could have lead to fullscreen window spoof (bsc#1194547).
- CVE-2022-22747: Fixed crash when handling empty pkcs7 sequence(bsc#1194547).
- CVE-2022-22748: Fixed spoofed origin on external protocol launch dialog (bsc#1194547).
- CVE-2022-22751: Fixed memory safety bugs (bsc#1194547).
ImportantSUSE bug 1194547CVE-2021-4140 at SUSECVE-2021-4140 at NVDCVE-2022-22737 at SUSECVE-2022-22737 at NVDCVE-2022-22738 at SUSECVE-2022-22738 at NVDCVE-2022-22739 at SUSECVE-2022-22739 at NVDCVE-2022-22740 at SUSECVE-2022-22740 at NVDCVE-2022-22741 at SUSECVE-2022-22741 at NVDCVE-2022-22742 at SUSECVE-2022-22742 at NVDCVE-2022-22743 at SUSECVE-2022-22743 at NVDCVE-2022-22744 at SUSECVE-2022-22744 at NVDCVE-2022-22745 at SUSECVE-2022-22745 at NVDCVE-2022-22746 at SUSECVE-2022-22746 at NVDCVE-2022-22747 at SUSECVE-2022-22747 at NVDCVE-2022-22748 at SUSECVE-2022-22748 at NVDCVE-2022-22751 at SUSECVE-2022-22751 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for xz (Important)SUSE OpenStack Cloud Crowbar 8
This update for xz fixes the following issues:
- CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)
ImportantSUSE bug 1198062CVE-2022-1271 at SUSECVE-2022-1271 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libexif (Important)SUSE OpenStack Cloud Crowbar 8
This update for libexif fixes the following issues:
- CVE-2020-0181: Fixed an integer overflow that could lead to denial of service
(bsc#1172802).
- CVE-2020-0198: Fixed and unsigned integer overflow that could lead to denial
of service (bsc#1172768).
- CVE-2020-0452: Fixed a buffer overflow check that could be optimized away
by the compiler (bsc#1178479).
ImportantSUSE bug 1172768SUSE bug 1172802SUSE bug 1178479CVE-2020-0181 at SUSECVE-2020-0181 at NVDCVE-2020-0198 at SUSECVE-2020-0198 at NVDCVE-2020-0452 at SUSECVE-2020-0452 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openstack-monasca-agent, spark, spark-kit, zookeeper (Important)SUSE OpenStack Cloud Crowbar 8
This update for openstack-monasca-agent, spark, spark-kit, zookeeper fixes the following issues:
- CVE-2021-4104: Remove JMSAppender from log4j jars (bsc#1193662)
ImportantSUSE bug 1193662CVE-2021-4104 at SUSECVE-2021-4104 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud Crowbar 8
The SUSE Linux Enterprise 12 SP3 kernel was updated.
The following security bugs were fixed:
- CVE-2022-1016: Fixed a vulnerability in the nf_tables component of the netfilter subsystem. This vulnerability gives an attacker a powerful primitive that can be used to both read from and write to relative stack data, which can lead to arbitrary code execution. (bsc#1197227)
- CVE-2022-1048: Fixed a race Condition in snd_pcm_hw_free leading to use-after-free due to the AB/BA lock with buffer_mutex and mmap_lock. (bsc#1197331)
- CVE-2022-0850: Fixed a kernel information leak vulnerability in iov_iter.c. (bsc#1196761)
- CVE-2021-45868: Fixed a wrong validation check in fs/quota/quota_tree.c which could lead to an use-after-free if there is a corrupted quota file. (bnc#1197366)
- CVE-2022-26966: Fixed an issue in drivers/net/usb/sr9700.c, which allowed attackers to obtain sensitive information from the memory via crafted frame lengths from a USB device. (bsc#1196836)
- CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042: Fixed multiple issues which could have lead to read/write access to memory pages or denial of service. These issues are related to the Xen PV device frontend drivers. (bsc#1196488)
- CVE-2022-26490: Fixed a buffer overflow in the st21nfca driver. An attacker with adjacent NFC access could crash the system or corrupt the system memory. (bsc#1196830)
The following non-security bugs were fixed:
- ax88179_178a: Merge memcpy + le32_to_cpus to get_unaligned_le32 (bsc#1196018).
- clocksource: Initialize cs->wd_list (git-fixes)
- llc: fix netdevice reference leaks in llc_ui_bind() (git-fixes).
- net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup (bsc#1196018).
- net: usb: ax88179_178a: fix packet alignment padding (bsc#1196018).
- sched/autogroup: Fix possible Spectre-v1 indexing for (git-fixes)
- sr9700: sanity check for packet length (bsc#1196836).
- usb: host: xen-hcd: add missing unlock in error path (git-fixes).
- xen/usb: do not use gnttab_end_foreign_access() in xenhcd_gnttab_done() (bsc#1196488, XSA-396).
ImportantSUSE bug 1189562SUSE bug 1196018SUSE bug 1196488SUSE bug 1196761SUSE bug 1196830SUSE bug 1196836SUSE bug 1197227SUSE bug 1197331SUSE bug 1197366CVE-2021-45868 at SUSECVE-2021-45868 at NVDCVE-2022-0850 at SUSECVE-2022-0850 at NVDCVE-2022-1016 at SUSECVE-2022-1016 at NVDCVE-2022-1048 at SUSECVE-2022-1048 at NVDCVE-2022-23036 at SUSECVE-2022-23036 at NVDCVE-2022-23037 at SUSECVE-2022-23037 at NVDCVE-2022-23038 at SUSECVE-2022-23038 at NVDCVE-2022-23039 at SUSECVE-2022-23039 at NVDCVE-2022-23040 at SUSECVE-2022-23040 at NVDCVE-2022-23041 at SUSECVE-2022-23041 at NVDCVE-2022-23042 at SUSECVE-2022-23042 at NVDCVE-2022-26490 at SUSECVE-2022-26490 at NVDCVE-2022-26966 at SUSECVE-2022-26966 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for gzip (Important)SUSE OpenStack Cloud Crowbar 8
This update for gzip fixes the following issues:
- CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)
ImportantSUSE bug 1198062CVE-2022-1271 at SUSECVE-2022-1271 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for dnsmasq (Important)SUSE OpenStack Cloud Crowbar 8
This update for dnsmasq fixes the following issues:
- CVE-2021-3448: Fixed a potential DNS cache poisoning issue due to a constant
outgoing port being used when for certain use cases of the --server option
(bsc#1183709).
- CVE-2022-0934: Fixed an invalid memory access that could lead to remote denial
of service via crafted packet (bsc#1197872).
ImportantSUSE bug 1183709SUSE bug 1197872CVE-2021-3448 at SUSECVE-2021-3448 at NVDCVE-2022-0934 at SUSECVE-2022-0934 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for git (Important)SUSE OpenStack Cloud Crowbar 8
This update for git fixes the following issues:
- CVE-2022-24765: Fixed a potential command injection via git worktree (bsc#1198234).
ImportantSUSE bug 1198234CVE-2022-24765 at SUSECVE-2022-24765 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libxml2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for libxml2 fixes the following issues:
- CVE-2022-23308: Fixed use-after-free of ID and IDREF attributes. (bsc#1196490)
ImportantSUSE bug 1196490CVE-2022-23308 at SUSECVE-2022-23308 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for SDL (Important)SUSE OpenStack Cloud Crowbar 8
This update for SDL fixes the following issues:
- CVE-2020-14409: Fixed an integer overflow (and resultant SDL_memcpy heap corruption) in SDL_BlitCopy in video/SDL_blit_copy.c. (bsc#1181202)
- CVE-2020-14410: Fixed a heap-based buffer over-read in Blit_3or4_to_3or4__inversed_rgb in video/SDL_blit_N.c. (bsc#1181201)
- CVE-2021-33657: Fixed a Heap overflow problem in video/SDL_pixels.c. (bsc#1198001)
ImportantSUSE bug 1181201SUSE bug 1181202SUSE bug 1198001CVE-2020-14409 at SUSECVE-2020-14409 at NVDCVE-2020-14410 at SUSECVE-2020-14410 at NVDCVE-2021-33657 at SUSECVE-2021-33657 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for xen (Important)SUSE OpenStack Cloud Crowbar 8
This update for xen fixes the following issues:
- CVE-2022-26356: Fixed potential race conditions in dirty memory tracking that
could cause a denial of service in the host (bsc#1197423).
- CVE-2022-26357: Fixed a potential race condition in memory cleanup for hosts
using VT-d IOMMU hardware, which could lead to a denial of service in the host
(bsc#1197425).
- CVE-2022-26358,CVE-2022-26359,CVE-2022-26360,CVE-2022-26361: Fixed various memory
corruption issues for hosts using VT-d or AMD-Vi IOMMU hardware. These could be
leveraged by an attacker to cause a denial of service in the host (bsc#1197426).
- CVE-2022-0001, CVE-2022-0002, CVE-2021-26401: Added BHB speculation issue
mitigations (bsc#1196915).
ImportantSUSE bug 1196915SUSE bug 1197423SUSE bug 1197425SUSE bug 1197426CVE-2021-26401 at SUSECVE-2021-26401 at NVDCVE-2022-0001 at SUSECVE-2022-0001 at NVDCVE-2022-0002 at SUSECVE-2022-0002 at NVDCVE-2022-26356 at SUSECVE-2022-26356 at NVDCVE-2022-26357 at SUSECVE-2022-26357 at NVDCVE-2022-26358 at SUSECVE-2022-26358 at NVDCVE-2022-26359 at SUSECVE-2022-26359 at NVDCVE-2022-26360 at SUSECVE-2022-26360 at NVDCVE-2022-26361 at SUSECVE-2022-26361 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud Crowbar 8
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.34.3 (bsc#1194019).
- CVE-2021-30887: Fixed logic issue allowing unexpectedly unenforced Content Security Policy when processing maliciously crafted web content.
- CVE-2021-30890: Fixed logic issue allowing universal cross site scripting when processing maliciously crafted web content.
ImportantSUSE bug 1194019CVE-2018-8518 at SUSECVE-2018-8518 at NVDCVE-2018-8523 at SUSECVE-2018-8523 at NVDCVE-2019-8551 at SUSECVE-2019-8551 at NVDCVE-2019-8558 at SUSECVE-2019-8558 at NVDCVE-2019-8559 at SUSECVE-2019-8559 at NVDCVE-2019-8563 at SUSECVE-2019-8563 at NVDCVE-2019-8674 at SUSECVE-2019-8674 at NVDCVE-2019-8681 at SUSECVE-2019-8681 at NVDCVE-2019-8684 at SUSECVE-2019-8684 at NVDCVE-2019-8687 at SUSECVE-2019-8687 at NVDCVE-2019-8688 at SUSECVE-2019-8688 at NVDCVE-2019-8689 at SUSECVE-2019-8689 at NVDCVE-2019-8690 at SUSECVE-2019-8690 at NVDCVE-2019-8707 at SUSECVE-2019-8707 at NVDCVE-2019-8719 at SUSECVE-2019-8719 at NVDCVE-2019-8726 at SUSECVE-2019-8726 at NVDCVE-2019-8733 at SUSECVE-2019-8733 at NVDCVE-2019-8763 at SUSECVE-2019-8763 at NVDCVE-2019-8765 at SUSECVE-2019-8765 at NVDCVE-2019-8766 at SUSECVE-2019-8766 at NVDCVE-2019-8768 at SUSECVE-2019-8768 at NVDCVE-2019-8782 at SUSECVE-2019-8782 at NVDCVE-2019-8808 at SUSECVE-2019-8808 at NVDCVE-2019-8815 at SUSECVE-2019-8815 at NVDCVE-2019-8821 at SUSECVE-2019-8821 at NVDCVE-2019-8822 at SUSECVE-2019-8822 at NVDCVE-2020-10018 at SUSECVE-2020-10018 at NVDCVE-2020-13753 at SUSECVE-2020-13753 at NVDCVE-2020-27918 at SUSECVE-2020-27918 at NVDCVE-2020-29623 at SUSECVE-2020-29623 at NVDCVE-2020-3885 at SUSECVE-2020-3885 at NVDCVE-2020-3894 at SUSECVE-2020-3894 at NVDCVE-2020-3895 at SUSECVE-2020-3895 at NVDCVE-2020-3897 at SUSECVE-2020-3897 at NVDCVE-2020-3900 at SUSECVE-2020-3900 at NVDCVE-2020-3901 at SUSECVE-2020-3901 at NVDCVE-2020-3902 at SUSECVE-2020-3902 at NVDCVE-2020-9802 at SUSECVE-2020-9802 at NVDCVE-2020-9803 at SUSECVE-2020-9803 at NVDCVE-2020-9805 at SUSECVE-2020-9805 at NVDCVE-2020-9947 at SUSECVE-2020-9947 at NVDCVE-2020-9948 at SUSECVE-2020-9948 at NVDCVE-2020-9951 at SUSECVE-2020-9951 at NVDCVE-2020-9952 at SUSECVE-2020-9952 at NVDCVE-2021-1765 at SUSECVE-2021-1765 at NVDCVE-2021-1788 at SUSECVE-2021-1788 at NVDCVE-2021-1817 at SUSECVE-2021-1817 at NVDCVE-2021-1820 at SUSECVE-2021-1820 at NVDCVE-2021-1825 at SUSECVE-2021-1825 at NVDCVE-2021-1826 at SUSECVE-2021-1826 at NVDCVE-2021-1844 at SUSECVE-2021-1844 at NVDCVE-2021-1871 at SUSECVE-2021-1871 at NVDCVE-2021-30661 at SUSECVE-2021-30661 at NVDCVE-2021-30666 at SUSECVE-2021-30666 at NVDCVE-2021-30682 at SUSECVE-2021-30682 at NVDCVE-2021-30761 at SUSECVE-2021-30761 at NVDCVE-2021-30762 at SUSECVE-2021-30762 at NVDCVE-2021-30809 at SUSECVE-2021-30809 at NVDCVE-2021-30818 at SUSECVE-2021-30818 at NVDCVE-2021-30823 at SUSECVE-2021-30823 at NVDCVE-2021-30836 at SUSECVE-2021-30836 at NVDCVE-2021-30846 at SUSECVE-2021-30846 at NVDCVE-2021-30848 at SUSECVE-2021-30848 at NVDCVE-2021-30849 at SUSECVE-2021-30849 at NVDCVE-2021-30851 at SUSECVE-2021-30851 at NVDCVE-2021-30858 at SUSECVE-2021-30858 at NVDCVE-2021-30884 at SUSECVE-2021-30884 at NVDCVE-2021-30887 at SUSECVE-2021-30887 at NVDCVE-2021-30888 at SUSECVE-2021-30888 at NVDCVE-2021-30889 at SUSECVE-2021-30889 at NVDCVE-2021-30890 at SUSECVE-2021-30890 at NVDCVE-2021-30897 at SUSECVE-2021-30897 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for cifs-utils (Important)SUSE OpenStack Cloud Crowbar 8
This update for cifs-utils fixes the following issues:
- CVE-2022-27239: Fixed a buffer overflow in the command line ip option (bsc#1197216).
ImportantSUSE bug 1197216CVE-2022-27239 at SUSECVE-2022-27239 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for aide (Important)SUSE OpenStack Cloud Crowbar 8
This update for aide fixes the following issues:
- CVE-2021-45417: Fix a bufferoverflow in base64 functions (bsc#1194735)
ImportantSUSE bug 1194735CVE-2021-45417 at SUSECVE-2021-45417 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-Twisted (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-Twisted fixes the following issues:
- CVE-2022-24801: Fixed to not be as lenient as earlier HTTP/1.1 RFCs to prevent HTTP
request smuggling. (bsc#1198086)
ModerateSUSE bug 1198086CVE-2022-24801 at SUSECVE-2022-24801 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
This update contains the Firefox Extended Support Release 91.1.0 ESR.
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-40 (bsc#1190269, bsc#1190274):
* CVE-2021-38492: Navigating to `mk:` URL scheme could load Internet Explorer
* CVE-2021-38495: Memory safety bugs fixed in Firefox 92 and Firefox ESR 91.1
Firefox 91.0.1esr ESR
* Fixed: Fixed an issue causing buttons on the tab bar to be
resized when loading certain websites (bug 1704404)
* Fixed: Fixed an issue which caused tabs from private windows
to be visible in non-private windows when viewing switch-to-
tab results in the address bar panel (bug 1720369)
* Fixed: Various stability fixes
* Fixed: Security fix MFSA 2021-37 (bsc#1189547)
* CVE-2021-29991 (bmo#1724896)
Header Splitting possible with HTTP/3 Responses
Firefox Extended Support Release 91.0 ESR
* New: Some of the highlights of the new Extended Support Release are:
- A number of user interface changes. For more information,
see the Firefox 89 release notes.
- Firefox now supports logging into Microsoft, work, and
school accounts using Windows single sign-on. Learn more
- On Windows, updates can now be applied in the background
while Firefox is not running.
- Firefox for Windows now offers a new page about:third-party
to help identify compatibility issues caused by third-party
applications
- Version 2 of Firefox's SmartBlock feature further improves
private browsing. Third party Facebook scripts are blocked to
prevent you from being tracked, but are now automatically
loaded 'just in time' if you decide to 'Log in with Facebook'
on any website.
- Enhanced the privacy of the Firefox Browser's Private
Browsing mode with Total Cookie Protection, which confines
cookies to the site where they were created, preventing
companis from using cookies to track your browsing across
sites. This feature was originally launched in Firefox's ETP
Strict mode.
- PDF forms now support JavaScript embedded in PDF files.
Some PDF forms use JavaScript for validation and other
interactive features.
- You'll encounter less website breakage in Private Browsing
and Strict Enhanced Tracking Protection with SmartBlock,
which provides stand-in scripts so that websites load
properly.
- Improved Print functionality with a cleaner design and
better integration with your computer's printer settings.
- Firefox now protects you from supercookies, a type of
tracker that can stay hidden in your browser and track you
online, even after you clear cookies. By isolating
supercookies, Firefox prevents them from tracking your web
browsing from one site to the next.
- Firefox now remembers your preferred location for saved
bookmarks, displays the bookmarks toolbar by default on new
tabs, and gives you easy access to all of your bookmarks via
a toolbar folder.
- Native support for macOS devices built with Apple Silicon
CPUs brings dramatic performance improvements over the non-
native build that was shipped in Firefox 83: Firefox launches
over 2.5 times faster and web apps are now twice as
responsive (per the SpeedoMeter 2.0 test). If you are on a
new Apple device, follow these steps to upgrade to the latest
Firefox.
- Pinch zooming will now be supported for our users with
Windows touchscreen devices and touchpads on Mac devices.
Firefox users may now use pinch to zoom on touch-capable
devices to zoom in and out of webpages.
- We’ve improved functionality and design for a number of
Firefox search features:
* Selecting a search engine at the bottom of the search
panel now enters search mode for that engine, allowing you to
see suggestions (if available) for your search terms. The old
behavior (immediately performing a search) is available with
a shift-click.
* When Firefox autocompletes the URL of one of your search
engines, you can now search with that engine directly in the
address bar by selecting the shortcut in the address bar
results.
* We’ve added buttons at the bottom of the search panel to
allow you to search your bookmarks, open tabs, and history.
- Firefox supports AcroForm, which will allow you to fill in,
print, and save supported PDF forms and the PDF viewer also
has a new fresh look.
- For our users in the US and Canada, Firefox can now save,
manage, and auto-fill credit card information for you, making
shopping on Firefox ever more convenient.
- In addition to our default, dark and light themes, with
this release, Firefox introduces the Alpenglow theme: a
colorful appearance for buttons, menus, and windows. You can
update your Firefox themes under settings or preferences.
* Changed: Firefox no longer supports Adobe Flash. There is no
setting available to re-enable Flash support.
* Enterprise: Various bug fixes and new policies have been
implemented in the latest version of Firefox. See more
details in the Firefox for Enterprise 91 Release Notes.
MFSA 2021-33 (bsc#1188891):
* CVE-2021-29986: Race condition when resolving DNS names could have led to
memory corruption
* CVE-2021-29981: Live range splitting could have led to conflicting
assignments in the JIT
* CVE-2021-29988: Memory corruption as a result of incorrect style treatment
* CVE-2021-29983: Firefox for Android could get stuck in fullscreen mode
* CVE-2021-29984: Incorrect instruction reordering during JIT optimization
* CVE-2021-29980: Uninitialized memory in a canvas object could have led to
memory corruption
* CVE-2021-29987: Users could have been tricked into accepting unwanted
permissions on Linux
* CVE-2021-29985: Use-after-free media channels
* CVE-2021-29982: Single bit data leak due to incorrect JIT optimization and
type confusion
* CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
* CVE-2021-29990: Memory safety bugs fixed in Firefox 91
ImportantSUSE bug 1188891SUSE bug 1189547SUSE bug 1190269SUSE bug 1190274CVE-2021-29980 at SUSECVE-2021-29980 at NVDCVE-2021-29981 at SUSECVE-2021-29981 at NVDCVE-2021-29982 at SUSECVE-2021-29982 at NVDCVE-2021-29983 at SUSECVE-2021-29983 at NVDCVE-2021-29984 at SUSECVE-2021-29984 at NVDCVE-2021-29985 at SUSECVE-2021-29985 at NVDCVE-2021-29986 at SUSECVE-2021-29986 at NVDCVE-2021-29987 at SUSECVE-2021-29987 at NVDCVE-2021-29988 at SUSECVE-2021-29988 at NVDCVE-2021-29989 at SUSECVE-2021-29989 at NVDCVE-2021-29990 at SUSECVE-2021-29990 at NVDCVE-2021-29991 at SUSECVE-2021-29991 at NVDCVE-2021-38492 at SUSECVE-2021-38492 at NVDCVE-2021-38495 at SUSECVE-2021-38495 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for zsh (Important)SUSE OpenStack Cloud Crowbar 8
This update for zsh fixes the following issues:
- CVE-2018-0502: Fixed execve call vulnerability to program named on the second line when the beginning of a #! script file was mishandled. (bsc#1107296, bsc#1107294)
- CVE-2018-13259: Fixed execve call vulnerability to program name that is a substring of the intended one. (bsc#1107296, bsc#1107294)
ImportantSUSE bug 1107294SUSE bug 1107296CVE-2018-0502 at SUSECVE-2018-0502 at NVDCVE-2018-13259 at SUSECVE-2018-13259 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for bind (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for bind fixes the following issues:
- CVE-2021-25220: Fixed potentially incorrect answers by cached forwarders (bsc#1197135).
ModerateSUSE bug 1197135CVE-2021-25220 at SUSECVE-2021-25220 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for e2fsprogs (Important)SUSE OpenStack Cloud Crowbar 8
This update for e2fsprogs fixes the following issues:
- CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault
and possibly arbitrary code execution. (bsc#1198446)
ImportantSUSE bug 1198446CVE-2022-1304 at SUSECVE-2022-1304 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for documentation-suse-openstack-cloud, kibana, openstack-keystone, openstack-monasca-notification (Important)SUSE OpenStack Cloud Crowbar 8
This update for documentation-suse-openstack-cloud, kibana, openstack-keystone, openstack-monasca-notification fixes the following issues:
- CVE-2021-22141: Fixed URL redirection flaw (bsc#1186868).
- CVE-2021-38155: Fixed information disclosure during account locking (bsc#1189390).
The following non-security bugs were fixed:
- Fix smtp server authentication (bsc#1197204)
ImportantSUSE bug 1186868SUSE bug 1189390SUSE bug 1197204CVE-2021-22141 at SUSECVE-2021-22141 at NVDCVE-2021-38155 at SUSECVE-2021-38155 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_7_1-ibm (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for java-1_7_1-ibm fixes the following issues:
- Update to Java 7.1 Service Refresh 5 Fix Pack 0
- CVE-2021-41035: before version 0.29.0, the openj9 JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods. (bsc#1194198, bsc#1192052)
- CVE-2021-35586: Excessive memory allocation in BMPImageReader. (bsc#1191914)
- CVE-2021-35564: Certificates with end dates too far in the future can corrupt keystore. (bsc#1191913)
- CVE-2021-35559: Excessive memory allocation in RTFReader. (bsc#1191911)
- CVE-2021-35556: Excessive memory allocation in RTFParser. (bsc#1191910)
- CVE-2021-35565: Loop in HttpsServer triggered during TLS session close. (bsc#1191909)
- CVE-2021-35588: Incomplete validation of inner class references in ClassFileParser. (bsc#1191905)
- CVE-2021-2341: Fixed a flaw inside the FtpClient. (bsc#1188564)
- CVE-2021-2369: JAR file handling problem containing multiple MANIFEST.MF files. (bsc#1188565)
- CVE-2021-2432: Fixed a vulnerability in the omponent JNDI. (bsc#1188568)
- CVE-2021-2163: Incomplete enforcement of JAR signing disabled algorithms. (bsc#1185055)
ModerateSUSE bug 1185055SUSE bug 1188564SUSE bug 1188565SUSE bug 1188568SUSE bug 1191905SUSE bug 1191909SUSE bug 1191910SUSE bug 1191911SUSE bug 1191913SUSE bug 1191914SUSE bug 1192052SUSE bug 1194198SUSE bug 1194232CVE-2021-2163 at SUSECVE-2021-2163 at NVDCVE-2021-2341 at SUSECVE-2021-2341 at NVDCVE-2021-2369 at SUSECVE-2021-2369 at NVDCVE-2021-2432 at SUSECVE-2021-2432 at NVDCVE-2021-35556 at SUSECVE-2021-35556 at NVDCVE-2021-35559 at SUSECVE-2021-35559 at NVDCVE-2021-35564 at SUSECVE-2021-35564 at NVDCVE-2021-35565 at SUSECVE-2021-35565 at NVDCVE-2021-35586 at SUSECVE-2021-35586 at NVDCVE-2021-35588 at SUSECVE-2021-35588 at NVDCVE-2021-41035 at SUSECVE-2021-41035 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openldap2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for openldap2 fixes the following issues:
- CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).
- Fixed issue with SASL init that crashed slapd at startup under certain conditions (bsc#1198383).
ImportantSUSE bug 1198383SUSE bug 1199240CVE-2022-29155 at SUSECVE-2022-29155 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for gzip (Important)SUSE OpenStack Cloud Crowbar 8
This update for gzip fixes the following issues:
- CVE-2022-1271: Add hardening for zgrep. (bsc#1198062)
ImportantCVE-2022-1271 at SUSECVE-2022-1271 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud Crowbar 8
This update for webkit2gtk3 fixes the following issues:
Update to version 2.36.0 (bsc#1198290):
- CVE-2022-22624: Fixed use after free that may lead to arbitrary code execution.
- CVE-2022-22628: Fixed use after free that may lead to arbitrary code execution.
- CVE-2022-22629: Fixed a buffer overflow that may lead to arbitrary code execution.
- CVE-2022-22637: Fixed an unexpected cross-origin behavior due to a logic error.
Missing CVE reference for the update to 2.34.6 (bsc#1196133):
- CVE-2022-22594: Fixed a cross-origin issue in the IndexDB API.
ImportantSUSE bug 1196133SUSE bug 1198290CVE-2022-22594 at SUSECVE-2022-22594 at NVDCVE-2022-22624 at SUSECVE-2022-22624 at NVDCVE-2022-22628 at SUSECVE-2022-22628 at NVDCVE-2022-22629 at SUSECVE-2022-22629 at NVDCVE-2022-22637 at SUSECVE-2022-22637 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for curl (Important)SUSE OpenStack Cloud Crowbar 8
This update for curl fixes the following issues:
- CVE-2022-27781: Fixed CERTINFO never-ending busy-loop (bsc#1199223)
- CVE-2022-27782: Fixed TLS and SSH connection too eager reuse (bsc#1199224)
ImportantSUSE bug 1199223SUSE bug 1199224CVE-2022-27781 at SUSECVE-2022-27781 at NVDCVE-2022-27782 at SUSECVE-2022-27782 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ucode-intel (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for ucode-intel fixes the following issues:
Updated to Intel CPU Microcode 20220510 release. (bsc#1199423)
Updated to Intel CPU Microcode 20220419 release. (bsc#1198717)
- CVE-2022-21151: Processor optimization removal or modification of security-critical code for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access (bsc#1199423).
ModerateSUSE bug 1198717SUSE bug 1199423CVE-2022-21151 at SUSECVE-2022-21151 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.9.0 ESR (MFSA 2022-17)(bsc#1198970):
- CVE-2022-29914: Fullscreen notification bypass using popups
- CVE-2022-29909: Bypassing permission prompt in nested browsing contexts
- CVE-2022-29916: Leaking browser history with CSS variables
- CVE-2022-29911: iframe Sandbox bypass
- CVE-2022-29912: Reader mode bypassed SameSite cookies
- CVE-2022-29917: Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9
ImportantSUSE bug 1198970CVE-2022-29909 at SUSECVE-2022-29909 at NVDCVE-2022-29911 at SUSECVE-2022-29911 at NVDCVE-2022-29912 at SUSECVE-2022-29912 at NVDCVE-2022-29914 at SUSECVE-2022-29914 at NVDCVE-2022-29916 at SUSECVE-2022-29916 at NVDCVE-2022-29917 at SUSECVE-2022-29917 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for expat (Important)SUSE OpenStack Cloud Crowbar 8
This update for expat fixes the following issues:
- CVE-2021-45960: Fixed left shift in the storeAtts function in xmlparse.c that can lead to realloc misbehavior (bsc#1194251).
- CVE-2021-46143: Fixed integer overflow in m_groupSize in doProlog (bsc#1194362).
- CVE-2022-22822: Fixed integer overflow in addBinding in xmlparse.c (bsc#1194474).
- CVE-2022-22823: Fixed integer overflow in build_model in xmlparse.c (bsc#1194476).
- CVE-2022-22824: Fixed integer overflow in defineAttribute in xmlparse.c (bsc#1194477).
- CVE-2022-22825: Fixed integer overflow in lookup in xmlparse.c (bsc#1194478).
- CVE-2022-22826: Fixed integer overflow in nextScaffoldPart in xmlparse.c (bsc#1194479).
- CVE-2022-22827: Fixed integer overflow in storeAtts in xmlparse.c (bsc#1194480).
ImportantSUSE bug 1194251SUSE bug 1194362SUSE bug 1194474SUSE bug 1194476SUSE bug 1194477SUSE bug 1194478SUSE bug 1194479SUSE bug 1194480CVE-2021-45960 at SUSECVE-2021-45960 at NVDCVE-2021-46143 at SUSECVE-2021-46143 at NVDCVE-2022-22822 at SUSECVE-2022-22822 at NVDCVE-2022-22823 at SUSECVE-2022-22823 at NVDCVE-2022-22824 at SUSECVE-2022-22824 at NVDCVE-2022-22825 at SUSECVE-2022-22825 at NVDCVE-2022-22826 at SUSECVE-2022-22826 at NVDCVE-2022-22827 at SUSECVE-2022-22827 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for postgresql10 (Important)SUSE OpenStack Cloud Crowbar 8
This update for postgresql10 fixes the following issues:
- CVE-2022-1552: Confine additional operations within 'security restricted operation' sandboxes (bsc#1199475).
ImportantSUSE bug 1199475CVE-2022-1552 at SUSECVE-2022-1552 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.9.1 ESR - MFSA 2022-19 (bsc#1199768):
- CVE-2022-1802: Prototype pollution in Top-Level Await implementation
- CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading to prototype pollution
ImportantSUSE bug 1199768CVE-2022-1529 at SUSECVE-2022-1529 at NVDCVE-2022-1802 at SUSECVE-2022-1802 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-requests (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-requests fixes the following issues:
- CVE-2018-18074: Fixed to prevent the package to send an HTTP Authorization header to an http URI
upon receiving a same-hostname https-to-http redirect. (bsc#1111622)
ModerateSUSE bug 1111622CVE-2018-18074 at SUSECVE-2018-18074 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libxml2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for libxml2 fixes the following issues:
- CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c and tree.c (bsc#1199132).
- CVE-2017-16932: Prevent infinite recursion in parameter entities (bsc#1069689).
ImportantSUSE bug 1069689SUSE bug 1199132CVE-2017-16932 at SUSECVE-2017-16932 at NVDCVE-2022-29824 at SUSECVE-2022-29824 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for pcre2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for pcre2 fixes the following issues:
- CVE-2022-1586: Fixed out-of-bounds read via missing Unicode property matching issue in JIT compiled regular expressions (bsc#1199232).
ImportantSUSE bug 1199232CVE-2022-1586 at SUSECVE-2022-1586 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for wpa_supplicant (Important)SUSE OpenStack Cloud Crowbar 8
This update for wpa_supplicant fixes the following issues:
- CVE-2022-23303, CVE-2022-23304: Fixed SAE/EAP-pwd side-channel attacks (bsc#1194732, bsc#1194733)
- CVE-2021-0326: Fixed P2P group information processing vulnerability (bsc#1181777)
- Fix systemd device ready dependencies in wpa_supplicant@.service file. (bsc#1182805)
- Limit P2P_DEVICE name to appropriate ifname size
- Enable SAE support(jsc#SLE-14992).
- Fix wicked wlan (bsc#1156920)
- Change wpa_supplicant.service to ensure wpa_supplicant gets started before
network. Fix WLAN config on boot with wicked. (bsc#1166933)
- Adjust the service to start after network.target wrt bsc#1165266
Update to 2.9 release:
* SAE changes
- disable use of groups using Brainpool curves
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* EAP-pwd changes
- disable use of groups using Brainpool curves
- allow the set of groups to be configured (eap_pwd_groups)
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* fixed FT-EAP initial mobility domain association using PMKSA caching
(disabled by default for backwards compatibility; can be enabled
with ft_eap_pmksa_caching=1)
* fixed a regression in OpenSSL 1.1+ engine loading
* added validation of RSNE in (Re)Association Response frames
* fixed DPP bootstrapping URI parser of channel list
* extended EAP-SIM/AKA fast re-authentication to allow use with FILS
* extended ca_cert_blob to support PEM format
* improved robustness of P2P Action frame scheduling
* added support for EAP-SIM/AKA using anonymous@realm identity
* fixed Hotspot 2.0 credential selection based on roaming consortium
to ignore credentials without a specific EAP method
* added experimental support for EAP-TEAP peer (RFC 7170)
* added experimental support for EAP-TLS peer with TLS v1.3
* fixed a regression in WMM parameter configuration for a TDLS peer
* fixed a regression in operation with drivers that offload 802.1X
4-way handshake
* fixed an ECDH operation corner case with OpenSSL
* SAE changes
- added support for SAE Password Identifier
- changed default configuration to enable only groups 19, 20, 21
(i.e., disable groups 25 and 26) and disable all unsuitable groups
completely based on REVmd changes
- do not regenerate PWE unnecessarily when the AP uses the
anti-clogging token mechanisms
- fixed some association cases where both SAE and FT-SAE were enabled
on both the station and the selected AP
- started to prefer FT-SAE over SAE AKM if both are enabled
- started to prefer FT-SAE over FT-PSK if both are enabled
- fixed FT-SAE when SAE PMKSA caching is used
- reject use of unsuitable groups based on new implementation guidance
in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
groups with prime >= 256)
- minimize timing and memory use differences in PWE derivation
[https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868)
* EAP-pwd changes
- minimize timing and memory use differences in PWE derivation
[https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870)
- verify server scalar/element
[https://w1.fi/security/2019-4/] (CVE-2019-9497, CVE-2019-9498,
CVE-2019-9499, bsc#1131874, bsc#1131872, bsc#1131871, bsc#1131644)
- fix message reassembly issue with unexpected fragment
[https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640)
- enforce rand,mask generation rules more strictly
- fix a memory leak in PWE derivation
- disallow ECC groups with a prime under 256 bits (groups 25, 26, and
27)
- SAE/EAP-pwd side-channel attack update
[https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443)
* fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y
* Hotspot 2.0 changes
- do not indicate release number that is higher than the one
AP supports
- added support for release number 3
- enable PMF automatically for network profiles created from
credentials
* fixed OWE network profile saving
* fixed DPP network profile saving
* added support for RSN operating channel validation
(CONFIG_OCV=y and network profile parameter ocv=1)
* added Multi-AP backhaul STA support
* fixed build with LibreSSL
* number of MKA/MACsec fixes and extensions
* extended domain_match and domain_suffix_match to allow list of values
* fixed dNSName matching in domain_match and domain_suffix_match when
using wolfSSL
* started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both
are enabled
* extended nl80211 Connect and external authentication to support
SAE, FT-SAE, FT-EAP-SHA384
* fixed KEK2 derivation for FILS+FT
* extended client_cert file to allow loading of a chain of PEM
encoded certificates
* extended beacon reporting functionality
* extended D-Bus interface with number of new properties
* fixed a regression in FT-over-DS with mac80211-based drivers
* OpenSSL: allow systemwide policies to be overridden
* extended driver flags indication for separate 802.1X and PSK
4-way handshake offload capability
* added support for random P2P Device/Interface Address use
* extended PEAP to derive EMSK to enable use with ERP/FILS
* extended WPS to allow SAE configuration to be added automatically
for PSK (wps_cred_add_sae=1)
* removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS)
* extended domain_match and domain_suffix_match to allow list of values
* added a RSN workaround for misbehaving PMF APs that advertise
IGTK/BIP KeyID using incorrect byte order
* fixed PTK rekeying with FILS and FT
* fixed WPA packet number reuse with replayed messages and key
reinstallation
[https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078,
CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
* fixed unauthenticated EAPOL-Key decryption in wpa_supplicant
[https://w1.fi/security/2018-1/] (CVE-2018-14526)
* added support for FILS (IEEE 802.11ai) shared key authentication
* added support for OWE (Opportunistic Wireless Encryption, RFC 8110;
and transition mode defined by WFA)
* added support for DPP (Wi-Fi Device Provisioning Protocol)
* added support for RSA 3k key case with Suite B 192-bit level
* fixed Suite B PMKSA caching not to update PMKID during each 4-way
handshake
* fixed EAP-pwd pre-processing with PasswordHashHash
* added EAP-pwd client support for salted passwords
* fixed a regression in TDLS prohibited bit validation
* started to use estimated throughput to avoid undesired signal
strength based roaming decision
* MACsec/MKA:
- new macsec_linux driver interface support for the Linux
kernel macsec module
- number of fixes and extensions
* added support for external persistent storage of PMKSA cache
(PMKSA_GET/PMKSA_ADD control interface commands; and
MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case)
* fixed mesh channel configuration pri/sec switch case
* added support for beacon report
* large number of other fixes, cleanup, and extensions
* added support for randomizing local address for GAS queries
(gas_rand_mac_addr parameter)
* fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel
* added option for using random WPS UUID (auto_uuid=1)
* added SHA256-hash support for OCSP certificate matching
* fixed EAP-AKA' to add AT_KDF into Synchronization-Failure
* fixed a regression in RSN pre-authentication candidate selection
* added option to configure allowed group management cipher suites
(group_mgmt network profile parameter)
* removed all PeerKey functionality
* fixed nl80211 AP and mesh mode configuration regression with
Linux 4.15 and newer
* added ap_isolate configuration option for AP mode
* added support for nl80211 to offload 4-way handshake into the driver
* added support for using wolfSSL cryptographic library
* SAE
- added support for configuring SAE password separately of the
WPA2 PSK/passphrase
- fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection
for SAE;
note: this is not backwards compatible, i.e., both the AP and
station side implementations will need to be update at the same
time to maintain interoperability
- added support for Password Identifier
- fixed FT-SAE PMKID matching
* Hotspot 2.0
- added support for fetching of Operator Icon Metadata ANQP-element
- added support for Roaming Consortium Selection element
- added support for Terms and Conditions
- added support for OSEN connection in a shared RSN BSS
- added support for fetching Venue URL information
* added support for using OpenSSL 1.1.1
* FT
- disabled PMKSA caching with FT since it is not fully functional
- added support for SHA384 based AKM
- added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128,
BIP-GMAC-256 in addition to previously supported BIP-CMAC-128
- fixed additional IE inclusion in Reassociation Request frame when
using FT protocol
- CVE-2015-8041: Using O_WRONLY flag [http://w1.fi/security/2015-5/] ImportantSUSE bug 1131644SUSE bug 1131868SUSE bug 1131870SUSE bug 1131871SUSE bug 1131872SUSE bug 1131874SUSE bug 1133640SUSE bug 1144443SUSE bug 1156920SUSE bug 1165266SUSE bug 1166933SUSE bug 1167331SUSE bug 1182805SUSE bug 1194732SUSE bug 1194733CVE-2015-8041 at SUSECVE-2015-8041 at NVDCVE-2017-13077 at SUSECVE-2017-13077 at NVDCVE-2017-13078 at SUSECVE-2017-13078 at NVDCVE-2017-13079 at SUSECVE-2017-13079 at NVDCVE-2017-13080 at SUSECVE-2017-13080 at NVDCVE-2017-13081 at SUSECVE-2017-13081 at NVDCVE-2017-13082 at SUSECVE-2017-13082 at NVDCVE-2017-13086 at SUSECVE-2017-13086 at NVDCVE-2017-13087 at SUSECVE-2017-13087 at NVDCVE-2017-13088 at SUSECVE-2017-13088 at NVDCVE-2018-14526 at SUSECVE-2018-14526 at NVDCVE-2019-11555 at SUSECVE-2019-11555 at NVDCVE-2019-13377 at SUSECVE-2019-13377 at NVDCVE-2019-9494 at SUSECVE-2019-9494 at NVDCVE-2019-9495 at SUSECVE-2019-9495 at NVDCVE-2019-9497 at SUSECVE-2019-9497 at NVDCVE-2019-9498 at SUSECVE-2019-9498 at NVDCVE-2019-9499 at SUSECVE-2019-9499 at NVDCVE-2022-23303 at SUSECVE-2022-23303 at NVDCVE-2022-23304 at SUSECVE-2022-23304 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for postgresql14 (Important)SUSE OpenStack Cloud Crowbar 8
This update for postgresql14 fixes the following issues:
- CVE-2022-1552: Confine additional operations within 'security restricted operation' sandboxes (bsc#1199475).
ImportantSUSE bug 1199475CVE-2022-1552 at SUSECVE-2022-1552 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openstack-neutron (Important)SUSE OpenStack Cloud Crowbar 8
This update for openstack-neutron fixes the following issues:
- CVE-2021-40797: Fixed routes middleware memory leak for nonexistent controllers (bsc#1190339).
- CVE-2021-40085: Fixed arbitrary dnsmasq reconfiguration via extra_dhcp_opts (bsc#1189794).
ImportantSUSE bug 1189794SUSE bug 1190339CVE-2021-40085 at SUSECVE-2021-40085 at NVDCVE-2021-40797 at SUSECVE-2021-40797 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ImageMagick (Important)SUSE OpenStack Cloud Crowbar 8
This update for ImageMagick fixes the following issues:
- CVE-2022-1270: Fixed a memory corruption issue when parsing MIFF files (bsc#1198351).
- CVE-2022-28463: Fixed buffer overflow in coders/cin.c (bsc#1199350).
ImportantSUSE bug 1198351SUSE bug 1199350CVE-2022-1270 at SUSECVE-2022-1270 at NVDCVE-2022-28463 at SUSECVE-2022-28463 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for mailman (Important)SUSE OpenStack Cloud Crowbar 8
This update for mailman fixes the following issues:
- CVE-2021-44227: Preventing list moderator or list member accessing the admin UI (bsc#1193316).
- CVE-2021-43332: Preventing list moderator from cracking the list admin password encrypted in a CSRF token (bsc#1192741).
- CVE-2021-43331: Fixed XSS in Cgi/options.py (bsc#1192735).
- CVE-2021-42096: Add protection against remote privilege escalation via csrf_token derived from admin password (bsc#1191959).
ImportantSUSE bug 1191959SUSE bug 1192735SUSE bug 1192741SUSE bug 1193316CVE-2021-42096 at SUSECVE-2021-42096 at NVDCVE-2021-43331 at SUSECVE-2021-43331 at NVDCVE-2021-43332 at SUSECVE-2021-43332 at NVDCVE-2021-44227 at SUSECVE-2021-44227 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for polkit (Important)SUSE OpenStack Cloud Crowbar 8
This update for polkit fixes the following issues:
- CVE-2021-4034: Fixed a local privilege escalation in pkexec (bsc#1194568).
ImportantSUSE bug 1194568CVE-2021-4034 at SUSECVE-2021-4034 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for librelp (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for librelp fixes the following issues:
- CVE-2018-1000140: Fixed remote attack via specially crafted x509 certificates when connecting to rsyslog to trigger a stack buffer overflow and run arbitrary code (bsc#1086730).
ModerateSUSE bug 1086730CVE-2018-1000140 at SUSECVE-2018-1000140 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-yajl-ruby (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-yajl-ruby fixes the following issue:
-CVE-2022-24795: Fixed a heap-based buffer overflow when handling large inputs due to an integer overflow (bsc#1198405)
ModerateSUSE bug 1198405CVE-2022-24795 at SUSECVE-2022-24795 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.10.0 ESR (MFSA 2022-21)(bsc#1200027)
- CVE-2022-31736: Cross-Origin resource's length leaked
- CVE-2022-31737: Heap buffer overflow in WebGL
- CVE-2022-31738: Browser window spoof using fullscreen mode
- CVE-2022-31739: Attacker-influenced path traversal when saving downloaded files
- CVE-2022-31740: Register allocation problem in WASM on arm64
- CVE-2022-31741: Uninitialized variable leads to invalid memory read
- CVE-2022-31742: Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information
- CVE-2022-31747: Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10
ImportantSUSE bug 1200027CVE-2022-31736 at SUSECVE-2022-31736 at NVDCVE-2022-31737 at SUSECVE-2022-31737 at NVDCVE-2022-31738 at SUSECVE-2022-31738 at NVDCVE-2022-31739 at SUSECVE-2022-31739 at NVDCVE-2022-31740 at SUSECVE-2022-31740 at NVDCVE-2022-31741 at SUSECVE-2022-31741 at NVDCVE-2022-31742 at SUSECVE-2022-31742 at NVDCVE-2022-31747 at SUSECVE-2022-31747 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for strongswan (Important)SUSE OpenStack Cloud Crowbar 8
This update for strongswan fixes the following issues:
- CVE-2021-45079: Fixed authentication bypass in EAP authentication. (bsc#1194471)
ImportantSUSE bug 1194471CVE-2021-45079 at SUSECVE-2021-45079 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for mozilla-nss (Important)SUSE OpenStack Cloud Crowbar 8
This update for mozilla-nss fixes the following issues:
Mozilla NSS 3.68.4 (bsc#1200027)
* CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. (bmo#1767590)
ImportantSUSE bug 1200027CVE-2022-31741 at SUSECVE-2022-31741 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for grub2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for grub2 fixes the following issues:
Security fixes and hardenings for boothole 3 / boothole 2022 (bsc#1198581)
- CVE-2021-3695: Fixed that a crafted PNG grayscale image could lead to out-of-bounds write in heap (bsc#1191184)
- CVE-2021-3696: Fixed that a crafted PNG image could lead to out-of-bound write during huffman table handling (bsc#1191185)
- CVE-2021-3697: Fixed that a crafted JPEG image could lead to buffer underflow write in the heap (bsc#1191186)
- CVE-2022-28733: Fixed fragmentation math in net/ip (bsc#1198460)
- CVE-2022-28734: Fixed an out-of-bound write for split http headers (bsc#1198493)
- CVE-2022-28736: Fixed a use-after-free in chainloader command (bsc#1198496)
- Update SBAT security contact (bsc#1193282)
- Bump grub's SBAT generation to 2
- Use boot disks in OpenFirmware, fixing regression caused when the root LV is completely in the boot LUN (bsc#1197948)
ImportantSUSE bug 1191184SUSE bug 1191185SUSE bug 1191186SUSE bug 1193282SUSE bug 1197948SUSE bug 1198460SUSE bug 1198493SUSE bug 1198496SUSE bug 1198581CVE-2021-3695 at SUSECVE-2021-3695 at NVDCVE-2021-3696 at SUSECVE-2021-3696 at NVDCVE-2021-3697 at SUSECVE-2021-3697 at NVDCVE-2022-28733 at SUSECVE-2022-28733 at NVDCVE-2022-28734 at SUSECVE-2022-28734 at NVDCVE-2022-28736 at SUSECVE-2022-28736 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-sinatra (Important)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-sinatra fixes the following issues:
- CVE-2022-29970: Fixed possible path traversal outside of public_dir when serving static files (bsc#1199138).
ImportantSUSE bug 1199138CVE-2022-29970 at SUSECVE-2022-29970 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud Crowbar 8
The SUSE Linux Enterprise 12 SP3 kernel was updated to 3.12.31 to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2022-21127: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-21123: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-21125: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-21180: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-21166: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-1975: Fixed a bug that allows an attacker to crash the linux kernel by simulating nfc device from user-space. (bsc#1200143)
- CVE-2022-1974: Fixed an use-after-free that could causes kernel crash by simulating an nfc device from user-space. (bsc#1200144)
- CVE-2019-19377: Fixed an user-after-free that could be triggered when an attacker mounts a crafted btrfs filesystem image. (bnc#1158266)
- CVE-2022-1729: Fixed a sys_perf_event_open() race condition against self (bsc#1199507).
- CVE-2022-1184: Fixed an use-after-free and memory errors in ext4 when mounting and operating on a corrupted image. (bsc#1198577)
- CVE-2022-21499: Reinforce the kernel lockdown feature, until now it's been trivial to break out of it with kgdb or kdb. (bsc#1199426)
- CVE-2017-13695: Fixed a bug that caused a stack dump allowing local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted ACPI table. (bnc#1055710)
- CVE-2022-1652: Fixed a statically allocated error counter inside the floppy kernel module (bsc#1199063).
- CVE-2022-1734: Fixed a r/w use-after-free when non synchronized between cleanup routine and firmware download routine. (bnc#1199605)
- CVE-2022-30594: Fixed restriction bypass on setting the PT_SUSPEND_SECCOMP flag (bnc#1199505).
- CVE-2021-28688: Fixed XSA-365 that includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains (bnc#1183646).
- CVE-2020-10769: Fixed a buffer over-read flaw in the IPsec Cryptographic algorithm's module. This flaw allowed a local attacker with user privileges to cause a denial of service. (bnc#1173265)
- CVE-2021-33061: Fixed insufficient control flow management for the Intel(R) 82599 Ethernet Controllers and Adapters that may have allowed an authenticated user to potentially enable denial of service via local access (bnc#1196426).
- CVE-2022-1516: Fixed null-ptr-deref caused by x25_disconnect (bsc#1199012).
- CVE-2021-20321: Fixed a race condition accessing file object in the OverlayFS subsystem in the way users do rename in specific way with OverlayFS. A local user could have used this flaw to crash the system (bnc#1191647).
- CVE-2018-7755: Fixed an issue in the fd_locked_ioctl function in drivers/block/floppy.c. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR (bnc#1084513).
- CVE-2022-1419: Fixed a concurrency use-after-free in vgem_gem_dumb_create (bsc#1198742).
- CVE-2021-38208: Fixed a denial of service (NULL pointer dereference and BUG) by making a getsockname call after a certain type of failure of a bind call (bnc#1187055).
- CVE-2022-1353: Fixed access controll to kernel memory in the pfkey_register function in net/key/af_key.c. (bnc#1198516)
- CVE-2018-20784: Fixed a denial of service (infinite loop in update_blocked_averages) by mishandled leaf cfs_rq in kernel/sched/fair.c (bnc#1126703).
- CVE-2021-20292: Fixed object validation prior to performing operations on the object in nouveau_sgdma_create_ttm in Nouveau DRM subsystem (bnc#1183723).
- CVE-2022-28390: Fixed a double free in drivers/net/can/usb/ems_usb.c vulnerability in the Linux kernel (bnc#1198031).
- CVE-2022-28388: Fixed a double free in drivers/net/can/usb/usb_8dev.c vulnerability in the Linux kernel (bnc#1198032).
- CVE-2022-1011: Fixed an use-after-free vulnerability which could allow a local attacker to retireve (partial) /etc/shadow hashes or any other data from filesystem when he can mount a FUSE filesystems. (bnc#1197343)
The following non-security bugs were fixed:
- btrfs: tree-checker: fix incorrect printk format (bsc#1200249).
- net: mana: Add handling of CQE_RX_TRUNCATED (bsc#1195651).
- net: mana: Remove unnecessary check of cqe_type in mana_process_rx_cqe() (bsc#1195651).
- PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time (bsc#1199314).
- powerpc/pseries: extract host bridge from pci_bus prior to bus removal (bsc#1182171 ltc#190900 bsc#1198660 ltc#197803).
- powerpc/pseries: Fix use after free in remove_phb_dynamic() (bsc#1065729 bsc#1198660 ltc#197803).
- vmbus: do not return values for uninitalized channels (bsc#1051510 bsc#1198997).
- vt: vt_ioctl: fix race in VT_RESIZEX (bsc#1199785).
- x86/hyperv: Read TSC frequency from a synthetic MSR (bsc#1198962).
- x86/speculation: Fix redundant MDS mitigation message (bsc#1199650).
ImportantSUSE bug 1051510SUSE bug 1055710SUSE bug 1065729SUSE bug 1084513SUSE bug 1087082SUSE bug 1126703SUSE bug 1158266SUSE bug 1173265SUSE bug 1182171SUSE bug 1183646SUSE bug 1183723SUSE bug 1187055SUSE bug 1191647SUSE bug 1195651SUSE bug 1196426SUSE bug 1197343SUSE bug 1198031SUSE bug 1198032SUSE bug 1198516SUSE bug 1198577SUSE bug 1198660SUSE bug 1198687SUSE bug 1198742SUSE bug 1198962SUSE bug 1198997SUSE bug 1199012SUSE bug 1199063SUSE bug 1199314SUSE bug 1199426SUSE bug 1199505SUSE bug 1199507SUSE bug 1199605SUSE bug 1199650SUSE bug 1199785SUSE bug 1200143SUSE bug 1200144SUSE bug 1200249CVE-2017-13695 at SUSECVE-2017-13695 at NVDCVE-2018-20784 at SUSECVE-2018-20784 at NVDCVE-2018-7755 at SUSECVE-2018-7755 at NVDCVE-2019-19377 at SUSECVE-2019-19377 at NVDCVE-2020-10769 at SUSECVE-2020-10769 at NVDCVE-2021-20292 at SUSECVE-2021-20292 at NVDCVE-2021-20321 at SUSECVE-2021-20321 at NVDCVE-2021-28688 at SUSECVE-2021-28688 at NVDCVE-2021-33061 at SUSECVE-2021-33061 at NVDCVE-2021-38208 at SUSECVE-2021-38208 at NVDCVE-2022-1011 at SUSECVE-2022-1011 at NVDCVE-2022-1184 at SUSECVE-2022-1184 at NVDCVE-2022-1353 at SUSECVE-2022-1353 at NVDCVE-2022-1419 at SUSECVE-2022-1419 at NVDCVE-2022-1516 at SUSECVE-2022-1516 at NVDCVE-2022-1652 at SUSECVE-2022-1652 at NVDCVE-2022-1729 at SUSECVE-2022-1729 at NVDCVE-2022-1734 at SUSECVE-2022-1734 at NVDCVE-2022-1974 at SUSECVE-2022-1974 at NVDCVE-2022-1975 at SUSECVE-2022-1975 at NVDCVE-2022-21123 at SUSECVE-2022-21123 at NVDCVE-2022-21125 at SUSECVE-2022-21125 at NVDCVE-2022-21127 at SUSECVE-2022-21127 at NVDCVE-2022-21166 at SUSECVE-2022-21166 at NVDCVE-2022-21180 at SUSECVE-2022-21180 at NVDCVE-2022-21499 at SUSECVE-2022-21499 at NVDCVE-2022-28388 at SUSECVE-2022-28388 at NVDCVE-2022-28390 at SUSECVE-2022-28390 at NVDCVE-2022-30594 at SUSECVE-2022-30594 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud Crowbar 8
This update for webkit2gtk3 fixes the following issues:
Update to version 2.36.3 (bsc#1200106)
- CVE-2022-30293: Fixed heap-based buffer overflow in WebCore::TextureMapperLayer::setContentsLayer (bsc#1199287).
- CVE-2022-26700: Fixed memory corruption issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
- CVE-2022-26709: Fixed use after free issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
- CVE-2022-26716: Fixed use after free issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
- CVE-2022-26717: Fixed memory corruption issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
- CVE-2022-26719: Fixed memory corruption issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
ImportantSUSE bug 1199287SUSE bug 1200106CVE-2022-26700 at SUSECVE-2022-26700 at NVDCVE-2022-26709 at SUSECVE-2022-26709 at NVDCVE-2022-26716 at SUSECVE-2022-26716 at NVDCVE-2022-26717 at SUSECVE-2022-26717 at NVDCVE-2022-26719 at SUSECVE-2022-26719 at NVDCVE-2022-30293 at SUSECVE-2022-30293 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openssl (Important)SUSE OpenStack Cloud Crowbar 8
This update for openssl fixes the following issues:
- CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).
ImportantSUSE bug 1199166CVE-2022-1292 at SUSECVE-2022-1292 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for apache2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for apache2 fixes the following issues:
- CVE-2022-26377: Fixed possible request smuggling in mod_proxy_ajp (bsc#1200338)
- CVE-2022-28614: Fixed read beyond bounds via ap_rwrite() (bsc#1200340)
- CVE-2022-28615: Fixed read beyond bounds in ap_strcmp_match() (bsc#1200341)
- CVE-2022-29404: Fixed denial of service in mod_lua r:parsebody (bsc#1200345)
- CVE-2022-30556: Fixed information disclosure in mod_lua with websockets (bsc#1200350)
- CVE-2022-30522: Fixed mod_sed denial of service (bsc#1200352)
- CVE-2022-31813: Fixed mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism (bsc#1200348)
ImportantSUSE bug 1200338SUSE bug 1200340SUSE bug 1200341SUSE bug 1200345SUSE bug 1200348SUSE bug 1200350SUSE bug 1200352CVE-2022-26377 at SUSECVE-2022-26377 at NVDCVE-2022-28614 at SUSECVE-2022-28614 at NVDCVE-2022-28615 at SUSECVE-2022-28615 at NVDCVE-2022-29404 at SUSECVE-2022-29404 at NVDCVE-2022-30522 at SUSECVE-2022-30522 at NVDCVE-2022-30556 at SUSECVE-2022-30556 at NVDCVE-2022-31813 at SUSECVE-2022-31813 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-Twisted (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-Twisted fixes the following issues:
- CVE-2022-21716: Fixed that ssh server accepts an infinite amount of data using all the available memory (bsc#1196739).
ImportantSUSE bug 1196739CVE-2022-21716 at SUSECVE-2022-21716 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for log4j (Important)SUSE OpenStack Cloud Crowbar 8
This update for log4j fixes the following issues:
- CVE-2022-23307: Fix deserialization issue by removing the chainsaw sub-package. (bsc#1194844)
- CVE-2022-23305: Fix SQL injection by removing src/main/java/org/apache/log4j/jdbc/JDBCAppender.java. (bsc#1194843)
- CVE-2022-23302: Fix remote code execution by removing src/main/java/org/apache/log4j/net/JMSSink.java. (bsc#1194842)
ImportantSUSE bug 1194842SUSE bug 1194843SUSE bug 1194844CVE-2022-23302 at SUSECVE-2022-23302 at NVDCVE-2022-23305 at SUSECVE-2022-23305 at NVDCVE-2022-23307 at SUSECVE-2022-23307 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for SUSE Manager Client Tools (Important)SUSE OpenStack Cloud Crowbar 8
This update fixes the following issues:
golang-github-QubitProducts-exporter_exporter:
- Adapted to build on Enterprise Linux.
- Fix build for RedHat 7
- Require Go >= 1.14 also for CentOS
- Add support for CentOS
- Replace %{?systemd_requires} with %{?systemd_ordering}
golang-github-prometheus-alertmanager:
- CVE-2022-21698: Denial of service using InstrumentHandlerCounter.
* Update vendor tarball with prometheus/client_golang 1.11.1 (bsc#1196338, jsc#SLE-24077)
- Update required Go version to 1.16
- Update to version 0.23.0:
* amtool: Detect version drift and warn users (#2672)
* Add ability to skip TLS verification for amtool (#2663)
* Fix empty isEqual in amtool. (#2668)
* Fix main tests (#2670)
* cli: add new template render command (#2538)
* OpsGenie: refer to alert instead of incident (#2609)
* Docs: target_match and source_match are DEPRECATED (#2665)
* Fix test not waiting for cluster member to be ready
- Added hardening to systemd service(s) (bsc#1181400)
golang-github-prometheus-node_exporter:
- CVE-2022-21698: Denial of service using InstrumentHandlerCounter.
* Update vendor tarball with prometheus/client_golang 1.11.1
(bsc#1196338, jsc#SLE-24238, jsc#SLE-24239)
- Update to 1.3.0
* [CHANGE] Add path label to rapl collector #2146
* [CHANGE] Exclude filesystems under /run/credentials #2157
* [CHANGE] Add TCPTimeouts to netstat default filter #2189
* [FEATURE] Add lnstat collector for metrics from /proc/net/stat/ #1771
* [FEATURE] Add darwin powersupply collector #1777
* [FEATURE] Add support for monitoring GPUs on Linux #1998
* [FEATURE] Add Darwin thermal collector #2032
* [FEATURE] Add os release collector #2094
* [FEATURE] Add netdev.address-info collector #2105
* [FEATURE] Add clocksource metrics to time collector #2197
* [ENHANCEMENT] Support glob textfile collector directories #1985
* [ENHANCEMENT] ethtool: Expose node_ethtool_info metric #2080
* [ENHANCEMENT] Use include/exclude flags for ethtool filtering #2165
* [ENHANCEMENT] Add flag to disable guest CPU metrics #2123
* [ENHANCEMENT] Add DMI collector #2131
* [ENHANCEMENT] Add threads metrics to processes collector #2164
* [ENHANCMMENT] Reduce timer GC delays in the Linux filesystem collector #2169
* [ENHANCMMENT] Add TCPTimeouts to netstat default filter #2189
* [ENHANCMMENT] Use SysctlTimeval for boottime collector on BSD #2208
* [BUGFIX] ethtool: Sanitize metric names #2093
* [BUGFIX] Fix ethtool collector for multiple interfaces #2126
* [BUGFIX] Fix possible panic on macOS #2133
* [BUGFIX] Collect flag_info and bug_info only for one core #2156
* [BUGFIX] Prevent duplicate ethtool metric names #2187
- Update to 1.2.2
* Bug fixes
Fix processes collector long int parsing #2112
- Update to 1.2.1
* Removed
Remove obsolete capture permission denied error patch that is already included upstream
Fix zoneinfo parsing prometheus/procfs#386
Fix nvme collector log noise #2091
Fix rapl collector log noise #2092
- Update to 1.2.0
* Changes
Rename filesystem collector flags to match other collectors #2012
Make node_exporter print usage to STDOUT #203
* Features
Add conntrack statistics metrics #1155
Add ethtool stats collector #1832
Add flag to ignore network speed if it is unknown #1989
Add tapestats collector for Linux #2044
Add nvme collector #2062
* Enhancements
Add ErrorLog plumbing to promhttp #1887
Add more Infiniband counters #2019
netclass: retrieve interface names and filter before parsing #2033
Add time zone offset metric #2060
Handle errors from disabled PSI subsystem #1983
Fix panic when using backwards compatible flags #2000
Fix wrong value for OpenBSD memory buffer cache #2015
Only initiate collectors once #2048
Handle small backwards jumps in CPU idle #2067
- Apply patch to capture permission denied error for 'energy_uj' file (bsc#1190535)
grafana:
- Update to version 8.3.5 (jsc#SLE-23439, jsc#SLE-23422)
+ Security:
* Fixes XSS vulnerability in handling data sources
(bsc#1195726, CVE-2022-21702)
* Fixes cross-origin request forgery vulnerability
(bsc#1195727, CVE-2022-21703)
* Fixes Insecure Direct Object Reference vulnerability in Teams
API (bsc#1195728, CVE-2022-21713)
- Update to Go 1.17.
- Add build-time dependency on `wire`.
- Update license to GNU Affero General Public License v3.0.
- Update to version 8.3.4
* GetUserInfo: return an error if no user was found
(bsc#1194873, CVE-2022-21673)
+ Features and enhancements:
* Alerting: Allow configuration of non-ready alertmanagers.
* Alerting: Allow customization of Google chat message.
* AppPlugins: Support app plugins with only default nav.
* InfluxDB: query editor: skip fields in metadata queries.
* Postgres/MySQL/MSSQL: Cancel in-flight SQL query if user
cancels query in grafana.
* Prometheus: Forward oauth tokens after prometheus datasource
migration.
+ Bug fixes:
* Azure Monitor: Bug fix for variable interpolations in metrics
dropdowns.
* Azure Monitor: Improved error messages for variable queries.
* CloudMonitoring: Fixes broken variable queries that use group
bys.
* Configuration: You can now see your expired API keys if you
have no active ones.
* Elasticsearch: Fix handling multiple datalinks for a single
field.
* Export: Fix error being thrown when exporting dashboards
using query variables that reference the default datasource.
* ImportDashboard: Fixes issue with importing dashboard and
name ending up in uid.
* Login: Page no longer overflows on mobile.
* Plugins: Set backend metadata property for core plugins.
* Prometheus: Fill missing steps with null values.
* Prometheus: Fix interpolation of $__rate_interval variable.
* Prometheus: Interpolate variables with curly brackets syntax.
* Prometheus: Respect the http-method data source setting.
* Table: Fixes issue with field config applied to wrong fields
when hiding columns.
* Toolkit: Fix bug with rootUrls not being properly parsed when
signing a private plugin.
* Variables: Fix so data source variables are added to adhoc
configuration.
+ Plugin development fixes & changes:
* Toolkit: Revert build config so tslib is bundled with plugins
to prevent plugins from crashing.
- Update to version 8.3.3:
* BarChart: Use new data error view component to show actions
in panel edit.
* CloudMonitor: Iterate over pageToken for resources.
* Macaron: Prevent WriteHeader invalid HTTP status code panic.
* AnnoListPanel: Fix interpolation of variables in tags.
* CloudWatch: Allow queries to have no dimensions specified.
* CloudWatch: Fix broken queries for users migrating from
8.2.4/8.2.5 to 8.3.0.
* CloudWatch: Make sure MatchExact flag gets the right value.
* Dashboards: Fix so that empty folders can be deleted from the
manage dashboards/folders page.
* InfluxDB: Improve handling of metadata query errors in
InfluxQL.
* Loki: Fix adding of ad hoc filters for queries with parser
and line_format expressions.
* Prometheus: Fix running of exemplar queries for non-histogram
metrics.
* Prometheus: Interpolate template variables in interval.
* StateTimeline: Fix toolitp not showing when for frames with
multiple fields.
* TraceView: Fix virtualized scrolling when trace view is
opened in right pane in Explore.
* Variables: Fix repeating panels for on time range changed
variables.
* Variables: Fix so queryparam option works for scoped
- Update to version 8.3.2
+ Security: Fixes CVE-2021-43813 and CVE-2021-43815.
- Update to version 8.3.1
+ Security: Fixes CVE-2021-43798.
- Update to version 8.3.0
* Alerting: Prevent folders from being deleted when they
contain alerts.
* Alerting: Show full preview value in tooltip.
* BarGauge: Limit title width when name is really long.
* CloudMonitoring: Avoid to escape regexps in filters.
* CloudWatch: Add support for AWS Metric Insights.
* TooltipPlugin: Remove other panels' shared tooltip in edit
panel.
* Visualizations: Limit y label width to 40% of visualization
width.
* Alerting: Clear alerting rule evaluation errors after
intermittent failures.
* Alerting: Fix refresh on legacy Alert List panel.
* Dashboard: Fix queries for panels with non-integer widths.
* Explore: Fix url update inconsistency.
* Prometheus: Fix range variables interpolation for time ranges
smaller than 1 second.
* ValueMappings: Fixes issue with regex value mapping that only
sets color.
- Update to version 8.3.0-beta2
+ Breaking changes:
* Grafana 8 Alerting enabled by default for installations that
do not use legacy alerting.
* Keep Last State for 'If execution error or timeout' when
upgrading to Grafana 8 alerting.
* Alerting: Create DatasourceError alert if evaluation returns
error.
* Alerting: Make Unified Alerting enabled by default for those
who do not use legacy alerting.
* Alerting: Support mute timings configuration through the api
for the embedded alert manager.
* CloudWatch: Add missing AWS/Events metrics.
* Docs: Add easier to find deprecation notices to certain data
sources and to the changelog.
* Plugins Catalog: Enable install controls based on the
pluginAdminEnabled flag.
* Table: Add space between values for the DefaultCell and
JSONViewCell.
* Tracing: Make query editors available in dashboard for Tempo
and Zipkin.
* AccessControl: Renamed orgs roles, removed fixed:orgs:reader
introduced in beta1.
* Azure Monitor: Add trap focus for modals in grafana/ui and
other small a11y fixes for Azure Monitor.
* CodeEditor: Prevent suggestions from being clipped.
* Dashboard: Fix cache timeout persistence.
* Datasource: Fix stable sort order of query responses.
* Explore: Fix error in query history when removing last item.
* Logs: Fix requesting of older logs when flipped order.
* Prometheus: Fix running of health check query based on access
mode.
* TextPanel: Fix suggestions for existing panels.
* Tracing: Fix incorrect indentations due to reoccurring
spanIDs.
* Tracing: Show start time of trace with milliseconds
precision.
* Variables: Make renamed or missing variable section
expandable.
* Select: Select menus now properly scroll during keyboard
navigation.
- Update to version 8.3.0-beta1
* Alerting: Add UI for contact point testing with custom
annotations and labels.
* Alerting: Make alert state indicator in panel header work
with Grafana 8 alerts.
* Alerting: Option for Discord notifier to use webhook name.
* Annotations: Deprecate AnnotationsSrv.
* Auth: Omit all base64 paddings in JWT tokens for the JWT
auth.
* Azure Monitor: Clean up fields when editing Metrics.
* AzureMonitor: Add new starter dashboards.
* AzureMonitor: Add starter dashboard for app monitoring with
Application Insights.
* Barchart/Time series: Allow x axis label.
* CLI: Improve error handling for installing plugins.
* CloudMonitoring: Migrate to use backend plugin SDK contracts.
* CloudWatch Logs: Add retry strategy for hitting max
concurrent queries.
* CloudWatch: Add AWS RoboMaker metrics and dimension.
* CloudWatch: Add AWS Transfer metrics and dimension.
* Dashboard: replace datasource name with a reference object.
* Dashboards: Show logs on time series when hovering.
* Elasticsearch: Add support for Elasticsearch 8.0 (Beta).
* Elasticsearch: Add time zone setting to Date Histogram
aggregation.
* Elasticsearch: Enable full range log volume histogram.
* Elasticsearch: Full range logs volume.
* Explore: Allow changing the graph type.
* Explore: Show ANSI colors when highlighting matched words in
the logs panel.
* Graph(old) panel: Listen to events from Time series panel.
* Import: Load gcom dashboards from URL.
* LibraryPanels: Improves export and import of library panels
between orgs.
* OAuth: Support PKCE.
* Panel edit: Overrides now highlight correctly when searching.
* PanelEdit: Display drag indicators on draggable sections.
* Plugins: Refactor Plugin Management.
* Prometheus: Add custom query parameters when creating
PromLink url.
* Prometheus: Remove limits on metrics, labels, and values in
Metrics Browser.
* StateTimeline: Share cursor with rest of the panels.
* Tempo: Add error details when json upload fails.
* Tempo: Add filtering for service graph query.
* Tempo: Add links to nodes in Service Graph pointing to
Prometheus metrics.
* Time series/Bar chart panel: Add ability to sort series via
legend.
* TimeSeries: Allow multiple axes for the same unit.
* TraceView: Allow span links defined on dataFrame.
* Transformations: Support a rows mode in labels to fields.
* ValueMappings: Don't apply field config defaults to time
fields.
* Variables: Only update panels that are impacted by variable
change.
* API: Fix dashboard quota limit for imports.
* Alerting: Fix rule editor issues with Azure Monitor data
source.
* Azure monitor: Make sure alert rule editor is not enabled
when template variables are being used.
* CloudMonitoring: Fix annotation queries.
* CodeEditor: Trigger the latest getSuggestions() passed to
CodeEditor.
* Dashboard: Remove the current panel from the list of options
in the Dashboard datasource.
* Encryption: Fix decrypting secrets in alerting migration.
* InfluxDB: Fix corner case where index is too large in ALIAS
* NavBar: Order App plugins alphabetically.
* NodeGraph: Fix zooming sensitivity on touchpads.
* Plugins: Add OAuth pass-through logic to api/ds/query
endpoint.
* Snapshots: Fix panel inspector for snapshot data.
* Tempo: Fix basic auth password reset on adding tag.
* ValueMapping: Fixes issue with regex mappings.
* grafana/ui: Enable slider marks display.
- Update to version 8.2.7
- Update to version 8.2.6
* Security: Upgrade Docker base image to Alpine 3.14.3.
* Security: Upgrade Go to 1.17.2.
* TimeSeries: Fix fillBelowTo wrongly affecting fills of
unrelated series.
- Update to version 8.2.5
* Fix No Data behaviour in Legacy Alerting.
* Alerting: Fix a bug where the metric in the evaluation string
was not correctly populated.
* Alerting: Fix no data behaviour in Legacy Alerting for alert
rules using the AND operator.
* CloudMonitoring: Ignore min and max aggregation in MQL
queries.
* Dashboards: 'Copy' is no longer added to new dashboard
titles.
* DataProxy: Fix overriding response body when response is a
WebSocket upgrade.
* Elasticsearch: Use field configured in query editor as field
for date_histogram aggregations.
* Explore: Fix running queries without a datasource property
set.
* InfluxDB: Fix numeric aliases in queries.
* Plugins: Ensure consistent plugin settings list response.
* Tempo: Fix validation of float durations.
* Tracing: Correct tags for each span are shown.
- Update to version 8.2.4
+ Security: Fixes CVE-2021-41244.
- Update to version 8.2.3
+ Security: Fixes CVE-2021-41174.
- Update to version 8.2.2
* Annotations: We have improved tag search performance.
* Application: You can now configure an error-template title.
* AzureMonitor: We removed a restriction from the resource
filter query.
* Packaging: We removed the ProcSubset option in systemd. This
option prevented Grafana from starting in LXC environments.
* Prometheus: We removed the autocomplete limit for metrics.
* Table: We improved the styling of the type icons to make them
more distinct from column / field name.
* ValueMappings: You can now use value mapping in stat, gauge,
bar gauge, and pie chart visualizations.
* Alerting: Fix panic when Slack's API sends unexpected
response.
* Alerting: The Create Alert button now appears on the
dashboard panel when you are working with a default
datasource.
* Explore: We fixed the problem where the Explore log panel
disappears when an Elasticsearch logs query returns no
results.
* Graph: You can now see annotation descriptions on hover.
* Logs: The system now uses the JSON parser only if the line is
parsed to an object.
* Prometheus: We fixed the issue where the system did not reuse
TCP connections when querying from Grafana alerting.
* Prometheus: We fixed the problem that resulted in an error
when a user created a query with a $__interval min step.
* RowsToFields: We fixed the issue where the system was not
properly interpreting number values.
* Scale: We fixed how the system handles NaN percent when data
min = data max.
* Table panel: You can now create a filter that includes
special characters.
- Update to version 8.2.1
* Dashboard: Fix rendering of repeating panels.
* Datasources: Fix deletion of data source if plugin is not
found.
* Packaging: Remove systemcallfilters sections from systemd
unit files.
* Prometheus: Add Headers to HTTP client options.
- Update to version 8.2.0
* AWS: Updated AWS authentication documentation.
* Alerting: Added support Alertmanager data source for upstream
Prometheus AM implementation.
* Alerting: Allows more characters in label names so
notifications are sent.
* Alerting: Get alert rules for a dashboard or a panel using
/api/v1/rules endpoints.
* Annotations: Improved rendering performance of event markers.
* CloudWatch Logs: Skip caching for log queries.
* Explore: Added an opt-in configuration for Node Graph in
Jaeger, Zipkin, and Tempo.
* Packaging: Add stricter systemd unit options.
* Prometheus: Metrics browser can now handle label values with
* CodeEditor: Ensure that we trigger the latest onSave callback
provided to the component.
* DashboardList/AlertList: Fix for missing All folder value.
* Plugins: Create a mock icon component to prevent console
errors.
- Update to version 8.2.0-beta2
* AccessControl: Document new permissions restricting data
source access.
* TimePicker: Add fiscal years and search to time picker.
* Alerting: Added support for Unified Alerting with Grafana HA.
* Alerting: Added support for tune rule evaluation using
configuration options.
* Alerting: Cleanups alertmanager namespace from key-value
store when disabling Grafana 8 alerts.
* Alerting: Remove ngalert feature toggle and introduce two new
settings for enabling Grafana 8 alerts and disabling them for
specific organisations.
* CloudWatch: Introduced new math expression where it is
necessary to specify the period field.
* InfluxDB: Added support for $__interval and $__interval_ms in
Flux queries for alerting.
* InfluxDB: Flux queries can use more precise start and end
timestamps with nanosecond-precision.
* Plugins Catalog: Make the catalog the default way to interact
with plugins.
* Prometheus: Removed autocomplete limit for metrics.
* Alerting: Fixed an issue where the edit page crashes if you
tried to preview an alert without a condition set.
* Alerting: Fixed rules migration to keep existing Grafana 8
alert rules.
* Alerting: Fixed the silence file content generated during
* Analytics: Fixed an issue related to interaction event
propagation in Azure Application Insights.
* BarGauge: Fixed an issue where the cell color was lit even
though there was no data.
* BarGauge: Improved handling of streaming data.
* CloudMonitoring: Fixed INT64 label unmarshal error.
* ConfirmModal: Fixes confirm button focus on modal open.
* Dashboard: Add option to generate short URL for variables
with values containing spaces.
* Explore: No longer hides errors containing refId property.
* Fixed an issue that produced State timeline panel tooltip
error when data was not in sync.
* InfluxDB: InfluxQL query editor is set to always use
resultFormat.
* Loki: Fixed creating context query for logs with parsed
labels.
* PageToolbar: Fixed alignment of titles.
* Plugins Catalog: Update to the list of available panels after
an install, update or uninstall.
* TimeSeries: Fixed an issue where the shared cursor was not
showing when hovering over in old Graph panel.
* Variables: Fixed issues related to change of focus or refresh
pages when pressing enter in a text box variable input.
* Variables: Panel no longer crash when using the adhoc
variable in data links.
- Update to version 8.2.0-beta1
* AccessControl: Introduce new permissions to restrict access
for reloading provisioning configuration.
* Alerting: Add UI to edit Cortex/Loki namespace, group names,
and group evaluation interval.
* Alerting: Add a Test button to test contact point.
* Alerting: Allow creating/editing recording rules for Loki and
Cortex.
* Alerting: Metrics should have the label org instead of user.
* Alerting: Sort notification channels by name to make them
easier to locate.
* Alerting: Support org level isolation of notification
* AzureMonitor: Add data links to deep link to Azure Portal
Azure Resource Graph.
* AzureMonitor: Add support for annotations from Azure Monitor
Metrics and Azure Resource Graph services.
* AzureMonitor: Show error message when subscriptions request
fails in ConfigEditor.
* Chore: Update to Golang 1.16.7.
* CloudWatch Logs: Add link to X-Ray data source for trace IDs
in logs.
* CloudWatch Logs: Disable query path using websockets (Live)
feature.
* CloudWatch/Logs: Don't group dataframes for non time series
* Cloudwatch: Migrate queries that use multiple stats to one
query per stat.
* Dashboard: Keep live timeseries moving left (v2).
* Datasources: Introduce response_limit for datasource
responses.
* Explore: Add filter by trace or span ID to trace to logs
* Explore: Download traces as JSON in Explore Inspector.
* Explore: Reuse Dashboard's QueryRows component.
* Explore: Support custom display label for derived fields
buttons for Loki datasource.
* Grafana UI: Update monaco-related dependencies.
* Graphite: Deprecate browser access mode.
* InfluxDB: Improve handling of intervals in alerting.
* InfluxDB: InfluxQL query editor: Handle unusual characters in
tag values better.
* Jaeger: Add ability to upload JSON file for trace data.
* LibraryElements: Enable specifying UID for new and existing
library elements.
* LibraryPanels: Remove library panel icon from the panel
header so you can no longer tell that a panel is a library
panel from the dashboard view.
* Logs panel: Scroll to the bottom on page refresh when sorting
in ascending order.
* Loki: Add fuzzy search to label browser.
* Navigation: Implement active state for items in the Sidemenu.
* Packaging: Update PID file location from /var/run to /run.
* Plugins: Add Hide OAuth Forward config option.
* Postgres/MySQL/MSSQL: Add setting to limit the maximum number
of rows processed.
* Prometheus: Add browser access mode deprecation warning.
* Prometheus: Add interpolation for built-in-time variables to
backend.
* Tempo: Add ability to upload trace data in JSON format.
* TimeSeries/XYChart: Allow grid lines visibility control in
XYChart and TimeSeries panels.
* Transformations: Convert field types to time string number or
boolean.
* Value mappings: Add regular-expression based value mapping.
* Zipkin: Add ability to upload trace JSON.
* Admin: Prevent user from deleting user's current/active
organization.
* LibraryPanels: Fix library panel getting saved in the
dashboard's folder.
* OAuth: Make generic teams URL and JMES path configurable.
* QueryEditor: Fix broken copy-paste for mouse middle-click
* Thresholds: Fix undefined color in 'Add threshold'.
* Timeseries: Add wide-to-long, and fix multi-frame output.
* TooltipPlugin: Fix behavior of Shared Crosshair when Tooltip
is set to All.
* Grafana UI: Fix TS error property css is missing in type.
- Update to version 8.1.8
- Update to version 8.1.7
* Alerting: Fix alerts with evaluation interval more than 30
seconds resolving before notification.
* Elasticsearch/Prometheus: Fix usage of proper SigV4 service
namespace.
- Update to version 8.1.6
+ Security: Fixes CVE-2021-39226.
- Update to version 8.1.5
* BarChart: Fixes panel error that happens on second refresh.
- Update to version 8.1.4
+ Features and enhancements
* Explore: Ensure logs volume bar colors match legend colors.
* LDAP: Search all DNs for users.
* Alerting: Fix notification channel migration.
* Annotations: Fix blank panels for queries with unknown data
sources.
* BarChart: Fix stale values and x axis labels.
* Graph: Make old graph panel thresholds work even if ngalert
is enabled.
* InfluxDB: Fix regex to identify / as separator.
* LibraryPanels: Fix update issues related to library panels in
rows.
* Variables: Fix variables not updating inside a Panel when the
preceding Row uses 'Repeat For'.
- Update to version 8.1.3
+ Bug fixes
* Alerting: Fix alert flapping in the internal alertmanager.
* Alerting: Fix request handler failed to convert dataframe
'results' to plugins.DataTimeSeriesSlice: input frame is not
recognized as a time series.
* Dashboard: Fix UIDs are not preserved when importing/creating
dashboards thru importing .json file.
* Dashboard: Forces panel re-render when exiting panel edit.
* Dashboard: Prevent folder from changing when navigating to
general settings.
* Docker: Force use of libcrypto1.1 and libssl1.1 versions to
fix CVE-2021-3711.
* Elasticsearch: Fix metric names for alert queries.
* Elasticsearch: Limit Histogram field parameter to numeric
values.
* Elasticsearch: Prevent pipeline aggregations to show up in
terms order by options.
* LibraryPanels: Prevent duplicate repeated panels from being
created.
* Loki: Fix ad-hoc filter in dashboard when used with parser.
* Plugins: Track signed files + add warn log for plugin assets
which are not signed.
* Postgres/MySQL/MSSQL: Fix region annotations not displayed
correctly.
* Prometheus: Fix validate selector in metrics browser.
* Security: Fix stylesheet injection vulnerability.
* Security: Fix short URL vulnerability.
- Update to version 8.1.2
* AzureMonitor: Add support for PostgreSQL and MySQL Flexible
Servers.
* Datasource: Change HTTP status code for failed datasource
health check to 400.
* Explore: Add span duration to left panel in trace viewer.
* Plugins: Use file extension allowlist when serving plugin
assets instead of checking for UNIX executable.
* Profiling: Add support for binding pprof server to custom
network interfaces.
* Search: Make search icon keyboard navigable.
* Template variables: Keyboard navigation improvements.
* Tooltip: Display ms within minute time range.
* Alerting: Fix saving LINE contact point.
* Annotations: Fix alerting annotation coloring.
* Annotations: Alert annotations are now visible in the correct
Panel.
* Auth: Hide SigV4 config UI and disable middleware when its
config flag is disabled.
* Dashboard: Prevent incorrect panel layout by comparing window
width against theme breakpoints.
* Explore: Fix showing of full log context.
* PanelEdit: Fix 'Actual' size by passing the correct panel
size to Dashboard.
* Plugins: Fix TLS datasource settings.
* Variables: Fix issue with empty drop downs on navigation.
* Variables: Fix URL util converting false into true.
* Toolkit: Fix matchMedia not found error.
- Update to version 8.1.1
* CloudWatch Logs: Fix crash when no region is selected.
- Update to version 8.1.0
* Alerting: Deduplicate receivers during migration.
* ColorPicker: Display colors as RGBA.
* Select: Make portalling the menu opt-in, but opt-in
everywhere.
* TimeRangePicker: Improve accessibility.
* Annotations: Correct annotations that are displayed upon page
refresh.
* Annotations: Fix Enabled button that disappeared from Grafana
v8.0.6.
* Annotations: Fix data source template variable that was not
available for annotations.
* AzureMonitor: Fix annotations query editor that does not
load.
* Geomap: Fix scale calculations.
* GraphNG: Fix y-axis autosizing.
* Live: Display stream rate and fix duplicate channels in list
* Loki: Update labels in log browser when time range changes in
dashboard.
* NGAlert: Send resolve signal to alertmanager on alerting ->
Normal.
* PasswordField: Prevent a password from being displayed when
you click the Enter button.
* Renderer: Remove debug.log file when Grafana is stopped.
* Security: Update dependencies to fix CVE-2021-36222.
- Update to version 8.1.0-beta3
* Alerting: Support label matcher syntax in alert rule list
filter.
* IconButton: Put tooltip text as aria-label.
* Live: Experimental HA with Redis.
* UI: FileDropzone component.
* CloudWatch: Add AWS LookoutMetrics.
* Docker: Fix builds by delaying go mod verify until all
required files are copied over.
* Exemplars: Fix disable exemplars only on the query that
failed.
* SQL: Fix SQL dataframe resampling (fill mode + time
intervals).
- Update to version 8.1.0-beta2
* Alerting: Expand the value string in alert annotations and
* Auth: Add Azure HTTP authentication middleware.
* Auth: Auth: Pass user role when using the authentication
proxy.
* Gazetteer: Update countries.json file to allow for linking to
3-letter country codes.
* Config: Fix Docker builds by correcting formatting in
sample.ini.
* Explore: Fix encoding of internal URLs.
- Update to version 8.1.0-beta1
* Alerting: Add Alertmanager notifications tab.
* Alerting: Add button to deactivate current Alertmanager
* Alerting: Add toggle in Loki/Prometheus data source
configuration to opt out of alerting UI.
* Alerting: Allow any 'evaluate for' value >=0 in the alert
rule form.
* Alerting: Load default configuration from status endpoint, if
Cortex Alertmanager returns empty user configuration.
* Alerting: view to display alert rule and its underlying data.
* Annotation panel: Release the annotation panel.
* Annotations: Add typeahead support for tags in built-in
annotations.
* AzureMonitor: Add curated dashboards for Azure services.
* AzureMonitor: Add support for deep links to Microsoft Azure
portal for Metrics.
* AzureMonitor: Remove support for different credentials for
Azure Monitor Logs.
* AzureMonitor: Support querying any Resource for Logs queries.
* Elasticsearch: Add frozen indices search support.
* Elasticsearch: Name fields after template variables values
instead of their name.
* Elasticsearch: add rate aggregation.
* Email: Allow configuration of content types for email
notifications.
* Explore: Add more meta information when line limit is hit.
* Explore: UI improvements to trace view.
* FieldOverrides: Added support to change display name in an
override field and have it be matched by a later rule.
* HTTP Client: Introduce dataproxy_max_idle_connections config
variable.
* InfluxDB: InfluxQL: adds tags to timeseries data.
* InfluxDB: InfluxQL: make measurement search case insensitive.
Legacy Alerting: Replace simplejson with a struct in webhook
notification channel.
* Legend: Updates display name for Last (not null) to just
Last*.
* Logs panel: Add option to show common labels.
* Loki: Add $__range variable.
* Loki: Add support for 'label_values(log stream selector,
label)' in templating.
* Loki: Add support for ad-hoc filtering in dashboard.
* MySQL Datasource: Add timezone parameter.
* NodeGraph: Show gradient fields in legend.
* PanelOptions: Don't mutate panel options/field config object
when updating.
* PieChart: Make pie gradient more subtle to match other
charts.
* Prometheus: Update PromQL typeahead and highlighting.
* Prometheus: interpolate variable for step field.
* Provisioning: Improve validation by validating across all
dashboard providers.
* SQL Datasources: Allow multiple string/labels columns with
time series.
* Select: Portal select menu to document.body.
* Team Sync: Add group mapping to support team sync in the
Generic OAuth provider.
* Tooltip: Make active series more noticeable.
* Tracing: Add support to configure trace to logs start and end
time.
* Transformations: Skip merge when there is only a single data
frame.
* ValueMapping: Added support for mapping text to color,
boolean values, NaN and Null. Improved UI for value mapping.
* Visualizations: Dynamically set any config (min, max, unit,
color, thresholds) from query results.
* live: Add support to handle origin without a value for the
port when matching with root_url.
* Alerting: Handle marshaling Inf values.
* AzureMonitor: Fix macro resolution for template variables.
* AzureMonitor: Fix queries with Microsoft.NetApp/../../volumes
resources.
* AzureMonitor: Request and concat subsequent resource pages.
* Bug: Fix parse duration for day.
* Datasources: Improve error handling for error messages.
* Explore: Correct the functionality of shift-enter shortcut
across all uses.
* Explore: Show all dataFrames in data tab in Inspector.
* GraphNG: Fix Tooltip mode 'All' for XYChart.
* Loki: Fix highlight of logs when using filter expressions
with backticks.
* Modal: Force modal content to overflow with scroll.
* Plugins: Ignore symlinked folders when verifying plugin
signature.
* Toolkit: Improve error messages when tasks fail.
- Update to version 8.0.7
- Update to version 8.0.6
* Alerting: Add annotation upon alert state change.
* Alerting: Allow space in label and annotation names.
* InfluxDB: Improve legend labels for InfluxDB query results.
* Alerting: Fix improper alert by changing the handling of
empty labels.
* CloudWatch/Logs: Reestablish Cloud Watch alert behavior.
* Dashboard: Avoid migration breaking on fieldConfig without
defaults field in folded panel.
* DashboardList: Fix issue not re-fetching dashboard list after
variable change.
* Database: Fix incorrect format of isolation level
configuration parameter for MySQL.
* InfluxDB: Correct tag filtering on InfluxDB data.
* Links: Fix links that caused a full page reload.
* Live: Fix HTTP error when InfluxDB metrics have an incomplete
or asymmetrical field set.
* Postgres/MySQL/MSSQL: Change time field to 'Time' for time
series queries.
* Postgres: Fix the handling of a null return value in query
* Tempo: Show hex strings instead of uints for IDs.
* TimeSeries: Improve tooltip positioning when tooltip
overflows.
* Transformations: Add 'prepare time series' transformer.
- Update to version 8.0.5
* Cloudwatch Logs: Send error down to client.
* Folders: Return 409 Conflict status when folder already
exists.
* TimeSeries: Do not show series in tooltip if it's hidden in
the viz.
* AzureMonitor: Fix issue where resource group name is missing
on the resource picker button.
* Chore: Fix AWS auth assuming role with workspace IAM.
* DashboardQueryRunner: Fixes unrestrained subscriptions being
* DateFormats: Fix reading correct setting key for
use_browser_locale.
* Links: Fix links to other apps outside Grafana when under sub
path.
* Snapshots: Fix snapshot absolute time range issue.
* Table: Fix data link color.
* Time Series: Fix X-axis time format when tick increment is
larger than a year.
* Tooltip Plugin: Prevent tooltip render if field is undefined.
- Update to version 8.0.4
* Live: Rely on app url for origin check.
* PieChart: Sort legend descending, update placeholder.
* TimeSeries panel: Do not reinitialize plot when thresholds
mode change.
* Elasticsearch: Allow case sensitive custom options in
date_histogram interval.
* Elasticsearch: Restore previous field naming strategy when
using variables.
* Explore: Fix import of queries between SQL data sources.
* InfluxDB: InfluxQL query editor: fix retention policy
handling.
* Loki: Send correct time range in template variable queries.
* TimeSeries: Preserve RegExp series overrides when migrating
from old graph panel.
- Update to version 8.0.3
* Alerting: Increase alertmanager_conf column if MySQL.
* Time series/Bar chart panel: Handle infinite numbers as nulls
when converting to plot array.
* TimeSeries: Ensure series overrides that contain color are
migrated, and migrate the previous fieldConfig when changing
the panel type.
* ValueMappings: Improve singlestat value mappings migration.
* Annotations: Fix annotation line and marker colors.
* AzureMonitor: Fix KQL template variable queries without
default workspace.
* CloudWatch/Logs: Fix missing response data for log queries.
* LibraryPanels: Fix crash in library panels list when panel
plugin is not found.
* LogsPanel: Fix performance drop when moving logs panel in
* Loki: Parse log levels when ANSI coloring is enabled.
* MSSQL: Fix issue with hidden queries still being executed.
* PanelEdit: Display the VisualizationPicker that was not
displayed if a panel has an unknown panel plugin.
* Plugins: Fix loading symbolically linked plugins.
* Prometheus: Fix issue where legend name was replaced with
name Value in stat and gauge panels.
* State Timeline: Fix crash when hovering over panel.
- Update to version 8.0.2
* Datasource: Add support for max_conns_per_host in dataproxy
settings.
* Configuration: Fix changing org preferences in FireFox.
* PieChart: Fix legend dimension limits.
* Postgres/MySQL/MSSQL: Fix panic in concurrent map writes.
* Variables: Hide default data source if missing from regex.
- Update to version 8.0.1
* Alerting/SSE: Fix 'count_non_null' reducer validation.
* Cloudwatch: Fix duplicated time series.
* Cloudwatch: Fix missing defaultRegion.
* Dashboard: Fix Dashboard init failed error on dashboards with
old singlestat panels in collapsed rows.
* Datasource: Fix storing timeout option as numeric.
* Postgres/MySQL/MSSQL: Fix annotation parsing for empty
* Postgres/MySQL/MSSQL: Numeric/non-string values are now
returned from query variables.
* Postgres: Fix an error that was thrown when the annotation
query did not return any results.
* StatPanel: Fix an issue with the appearance of the graph when
switching color mode.
* Visualizations: Fix an issue in the
Stat/BarGauge/Gauge/PieChart panels where all values mode
were showing the same name if they had the same value.
* Toolkit: Resolve external fonts when Grafana is served from a
sub path.
- Update to version 8.0.0
* The following endpoints were deprecated for Grafana v5.0 and
support for them has now been removed:
GET /dashboards/db/:slug
GET /dashboard-solo/db/:slug
GET /api/dashboard/db/:slug
DELETE /api/dashboards/db/:slug
* AzureMonitor: Require default subscription for workspaces()
template variable query.
* AzureMonitor: Use resource type display names in the UI.
* Dashboard: Remove support for loading and deleting dashboard
by slug.
* InfluxDB: Deprecate direct browser access in data source.
* VizLegend: Add a read-only property.
* AzureMonitor: Fix Azure Resource Graph queries in Azure
China.
* Checkbox: Fix vertical layout issue with checkboxes due to
fixed height.
* Dashboard: Fix Table view when editing causes the panel data
to not update.
* Dashboard: Fix issues where unsaved-changes warning is not
displayed.
* Login: Fixes Unauthorized message showing when on login page
or snapshot page.
* NodeGraph: Fix sorting markers in grid view.
* Short URL: Include orgId in generated short URLs.
* Variables: Support raw values of boolean type.
- Update to version 8.0.0-beta3
* The default HTTP method for Prometheus data source is now
POST.
* API: Support folder UID in dashboards API.
* Alerting: Add support for configuring avatar URL for the
Discord notifier.
* Alerting: Clarify that Threema Gateway Alerts support only
Basic IDs.
* Azure: Expose Azure settings to external plugins.
* AzureMonitor: Deprecate using separate credentials for Azure
Monitor Logs.
* AzureMonitor: Display variables in resource picker for Azure
* AzureMonitor: Hide application insights for data sources not
using it.
* AzureMonitor: Support querying subscriptions and resource
groups in Azure Monitor Logs.
* AzureMonitor: remove requirement for default subscription.
* CloudWatch: Add Lambda@Edge Amazon CloudFront metrics.
* CloudWatch: Add missing AWS AppSync metrics.
* ConfirmModal: Auto focus delete button.
* Explore: Add caching for queries that are run from logs
* Loki: Add formatting for annotations.
* Loki: Bring back processed bytes as meta information.
* NodeGraph: Display node graph collapsed by default with trace
view.
* Overrides: Include a manual override option to hide something
from visualization.
* PieChart: Support row data in pie charts.
* Prometheus: Update default HTTP method to POST for existing
data sources.
* Time series panel: Position tooltip correctly when window is
scrolled or resized.
* Admin: Fix infinite loading edit on the profile page.
* Color: Fix issues with random colors in string and date
* Dashboard: Fix issue with title or folder change has no
effect after exiting settings view.
* DataLinks: Fix an issue __series.name is not working in data
link.
* Datasource: Fix dataproxy timeout should always be applied
for outgoing data source HTTP requests.
* Elasticsearch: Fix NewClient not passing httpClientProvider
to client impl.
* Explore: Fix Browser title not updated on Navigation to
Explore.
* GraphNG: Remove fieldName and hideInLegend properties from
UPlotSeriesBuilder.
* OAuth: Fix fallback to auto_assign_org_role setting for Azure
AD OAuth when no role claims exists.
* PanelChrome: Fix issue with empty panel after adding a non
data panel and coming back from panel edit.
* StatPanel: Fix data link tooltip not showing for single
value.
* Table: Fix sorting for number fields.
* Table: Have text underline for datalink, and add support for
image datalink.
* Transformations: Prevent FilterByValue transform from
crashing panel edit.
- Update to version 8.0.0-beta2
* AppPlugins: Expose react-router to apps.
* AzureMonitor: Add Azure Resource Graph.
* AzureMonitor: Managed Identity configuration UI.
* AzureMonitor: Token provider with support for Managed
Identities.
* AzureMonitor: Update Logs workspace() template variable query
to return resource URIs.
* BarChart: Value label sizing.
* CloudMonitoring: Add support for preprocessing.
* CloudWatch: Add AWS/EFS StorageBytes metric.
* CloudWatch: Allow use of missing AWS namespaces using custom
* Datasource: Shared HTTP client provider for core backend data
sources and any data source using the data source proxy.
* InfluxDB: InfluxQL: allow empty tag values in the query
editor.
* Instrumentation: Instrument incoming HTTP request with
histograms by default.
* Library Panels: Add name endpoint & unique name validation to
AddLibraryPanelModal.
* Logs panel: Support details view.
* PieChart: Always show the calculation options dropdown in the
* PieChart: Remove beta flag.
* Plugins: Enforce signing for all plugins.
* Plugins: Remove support for deprecated backend plugin
protocol version.
* Tempo/Jaeger: Add better display name to legend.
* Timeline: Add time range zoom.
* Timeline: Adds opacity & line width option.
* Timeline: Value text alignment option.
* ValueMappings: Add duplicate action, and disable dismiss on
backdrop click.
* Zipkin: Add node graph view to trace response.
* Annotations panel: Remove subpath from dashboard links.
* Content Security Policy: Allow all image sources by default.
* Content Security Policy: Relax default template wrt. loading
of scripts, due to nonces not working.
* Datasource: Fix tracing propagation for alert execution by
introducing HTTP client outgoing tracing middleware.
* InfluxDB: InfluxQL always apply time interval end.
* Library Panels: Fixes 'error while loading library panels'.
* NewsPanel: Fixes rendering issue in Safari.
* PanelChrome: Fix queries being issued again when scrolling in
and out of view.
* Plugins: Fix Azure token provider cache panic and auth param
nil value.
* Snapshots: Fix key and deleteKey being ignored when creating
an external snapshot.
* Table: Fix issue with cell border not showing with colored
background cells.
* Table: Makes tooltip scrollable for long JSON values.
* TimeSeries: Fix for Connected null values threshold toggle
during panel editing.
* Variables: Fixes inconsistent selected states on dashboard
* Variables: Refreshes all panels even if panel is full screen.
* QueryField: Remove carriage return character from pasted text.
- Update to version 8.0.0-beta1
+ License update:
* AGPL License: Update license from Apache 2.0 to the GNU
Affero General Public License (AGPL).
* Removes the never refresh option for Query variables.
* Removes the experimental Tags feature for Variables.
+ Deprecations:
* The InfoBox & FeatureInfoBox are now deprecated please use
the Alert component instead with severity info.
* API: Add org users with pagination.
* API: Return 404 when deleting nonexistent API key.
* API: Return query results as JSON rather than base64 encoded
Arrow.
* Alerting: Allow sending notification tags to Opsgenie as
extra properties.
* Alerts: Replaces all uses of InfoBox & FeatureInfoBox with
Alert.
* Auth: Add support for JWT Authentication.
* AzureMonitor: Add support for
Microsoft.SignalRService/SignalR metrics.
* AzureMonitor: Azure settings in Grafana server config.
* AzureMonitor: Migrate Metrics query editor to React.
* BarChart panel: enable series toggling via legend.
* BarChart panel: Adds support for Tooltip in BarChartPanel.
* PieChart panel: Change look of highlighted pie slices.
* CloudMonitoring: Migrate config editor from angular to react.
* CloudWatch: Add Amplify Console metrics and dimensions.
* CloudWatch: Add missing Redshift metrics to CloudWatch data
* CloudWatch: Add metrics for managed RabbitMQ service.
* DashboardList: Enable templating on search tag input.
* Datasource config: correctly remove single custom http
header.
* Elasticsearch: Add generic support for template variables.
* Elasticsearch: Allow omitting field when metric supports
inline script.
* Elasticsearch: Allow setting a custom limit for log queries.
* Elasticsearch: Guess field type from first non-empty value.
* Elasticsearch: Use application/x-ndjson content type for
multisearch requests.
* Elasticsearch: Use semver strings to identify ES version.
* Explore: Add logs navigation to request more logs.
* Explore: Map Graphite queries to Loki.
* Explore: Scroll split panes in Explore independently.
* Explore: Wrap each panel in separate error boundary.
* FieldDisplay: Smarter naming of stat values when visualising
row values (all values) in stat panels.
* Graphite: Expand metric names for variables.
* Graphite: Handle unknown Graphite functions without breaking
the visual editor.
* Graphite: Show graphite functions descriptions.
* Graphite: Support request cancellation properly (Uses new
backendSrv.fetch Observable request API).
* InfluxDB: Flux: Improve handling of complex
response-structures.
* InfluxDB: Support region annotations.
* Inspector: Download logs for manual processing.
* Jaeger: Add node graph view for trace.
* Jaeger: Search traces.
* Loki: Use data source settings for alerting queries.
* NodeGraph: Exploration mode.
* OAuth: Add support for empty scopes.
* PanelChrome: New logic-less emotion based component with no
dependency on PanelModel or DashboardModel.
* PanelEdit: Adds a table view toggle to quickly view data in
table form.
* PanelEdit: Highlight matched words when searching options.
* PanelEdit: UX improvements.
* Plugins: PanelRenderer and simplified QueryRunner to be used
from plugins.
* Plugins: AuthType in route configuration and params
interpolation.
* Plugins: Enable plugin runtime install/uninstall
capabilities.
* Plugins: Support set body content in plugin routes.
* Plugins: Introduce marketplace app.
* Plugins: Moving the DataSourcePicker to grafana/runtime so it
can be reused in plugins.
* Prometheus: Add custom query params for alert and exemplars
* Prometheus: Use fuzzy string matching to autocomplete metric
names and label.
* Routing: Replace Angular routing with react-router.
* Slack: Use chat.postMessage API by default.
* Tempo: Search for Traces by querying Loki directly from
Tempo.
* Tempo: Show graph view of the trace.
* Themes: Switch theme without reload using global shortcut.
* TimeSeries panel: Add support for shared cursor.
* TimeSeries panel: Do not crash the panel if there is no time
series data in the response.
* Variables: Do not save repeated panels, rows and scopedVars.
* Variables: Removes experimental Tags feature.
* Variables: Removes the never refresh option.
* Visualizations: Unify tooltip options across visualizations.
* Visualizations: Refactor and unify option creation between
new visualizations.
* Visualizations: Remove singlestat panel.
* APIKeys: Fixes issue with adding first api key.
* Alerting: Add checks for non supported units - disable
defaulting to seconds.
* Alerting: Fix issue where Slack notifications won't link to
user IDs.
* Alerting: Omit empty message in PagerDuty notifier.
* AzureMonitor: Fix migration error from older versions of App
Insights queries.
* CloudWatch: Fix AWS/Connect dimensions.
* CloudWatch: Fix broken AWS/MediaTailor dimension name.
* Dashboards: Allow string manipulation as advanced variable
format option.
* DataLinks: Includes harmless extended characters like
Cyrillic characters.
* Drawer: Fixes title overflowing its container.
* Explore: Fix issue when some query errors were not shown.
* Generic OAuth: Prevent adding duplicated users.
* Graphite: Handle invalid annotations.
* Graphite: Fix autocomplete when tags are not available.
* InfluxDB: Fix Cannot read property 'length' of undefined in
when parsing response.
* Instrumentation: Enable tracing when Jaeger host and port are
* Instrumentation: Prefix metrics with grafana.
* MSSQL: By default let driver choose port.
* OAuth: Add optional strict parsing of role_attribute_path.
* Panel: Fixes description markdown with inline code being
rendered on newlines and full width.
* PanelChrome: Ignore data updates & errors for non data
panels.
* Permissions: Fix inherited folder permissions can prevent new
permissions being added to a dashboard.
* Plugins: Remove pre-existing plugin installs when installing
with grafana-cli.
* Plugins: Support installing to folders with whitespace and
fix pluginUrl trailing and leading whitespace failures.
* Postgres/MySQL/MSSQL: Don't return connection failure details
to the client.
* Postgres: Fix ms precision of interval in time group macro
when TimescaleDB is enabled.
* Provisioning: Use dashboard checksum field as change
indicator.
* SQL: Fix so that all captured errors are returned from sql
engine.
* Shortcuts: Fixes panel shortcuts so they always work.
* Table: Fixes so border is visible for cells with links.
* Variables: Clear query when data source type changes.
* Variables: Filters out builtin variables from unknown list.
* Button: Introduce buttonStyle prop.
* DataQueryRequest: Remove deprecated props showingGraph and
showingTabel and exploreMode.
* grafana/ui: Update React Hook Form to v7.
* IconButton: Introduce variant for red and blue icon buttons.
* Plugins: Expose the getTimeZone function to be able to get
the current selected timeZone.
* TagsInput: Add className to TagsInput.
* VizLegend: Move onSeriesColorChanged to PanelContext
(breaking change).
- Update to version 7.5.13
* Alerting: Fix NoDataFound for alert rules using AND operator.
mgr-cfg:
- Version 4.3.6-1
* Corrected source URL in spec file
* Fix installation problem for SLE15SP4 due missing python-selinux
* Fix python selinux package name depending on build target (bsc#1193600)
* Do not build python 2 package for SLE15SP4 and higher
* Remove unused legacy code
mgr-custom-info:
- Version 4.3.3-1
* Remove unused legacy code
mgr-daemon:
- Version 4.3.4-1
* Corrected source URLs in spec file
* Update translation strings
mgr-osad:
- Version 4.3.6-1
* Corrected source URL in spec file.
* Do not build python 2 package for SLE15SP4 and higher
* Removed spacewalk-selinux dependencies.
* Updated source url.
mgr-push:
- Version 4.3.4-1
* Corrected source URLs in spec file
mgr-virtualization:
- Version 4.3.5-1
* Corrected source URLs in spec file.
* Do not build python 2 package for SLE15SP4 and higher
prometheus-blackbox_exporter:
- Enhanced to build on Enterprise Linux 8
prometheus-postgres_exporter:
- Updated for RHEL8.
python-hwdata:
- Require python macros for building
rhnlib:
- Version 4.3.4-1
* Reorganize python files
spacecmd:
- Version 4.3.11-1
* on full system update call schedulePackageUpdate API (bsc#1197507)
* parse boolean paramaters correctly (bsc#1197689)
* Add parameter to set containerized proxy SSH port
* Add proxy config generation subcommand
* Option 'org_createfirst' added to perform initial organization and user creation
* Added gettext build requirement for RHEL.
* Removed RHEL 5 references.
* Include group formulas configuration in spacecmd group_backup and
spacecmd group_restore. This changes backup format to json,
previously used plain text is still supported for reading (bsc#1190462)
* Update translation strings
* Improved event history listing and added new system_eventdetails
command to retrieve the details of an event
* Make schedule_deletearchived to get all actions without display limit
* Allow passing a date limit for schedule_deletearchived on spacecmd (bsc#1181223)
spacewalk-client-tools:
- Version 4.3.9-1
* Corrected source URLs in spec file.
* do not build python 2 package for SLE15
* Remove unused legacy code
* Update translation strings
spacewalk-koan:
- Version 4.3.5-1
* Corrected source URLs in spec file.
spacewalk-oscap:
- Version 4.3.5-1
* Corrected source URLs in spec file.
* Do not build python 2 package for SLE15SP4 and higher
spacewalk-remote-utils:
- Version 4.3.3-1
* Adapt the package for changes in rhnlib
supportutils-plugin-susemanager-client:
- Version 4.3.2-1
* Add proxy containers config and logs
suseRegisterInfo:
- Version 4.3.3-1
* Bump version to 4.3.0
supportutils-plugin-salt:
- Add support for Salt Bundle
uyuni-common-libs:
- Version 4.3.4-1
* implement more decompression algorithms for reposync (bsc#1196704)
* Reorganize python files
* Add decompression of zck files to fileutils
ImportantSUSE bug 1181223SUSE bug 1181400SUSE bug 1190462SUSE bug 1190535SUSE bug 1193600SUSE bug 1194873SUSE bug 1195726SUSE bug 1195727SUSE bug 1195728SUSE bug 1196338SUSE bug 1196704SUSE bug 1197507SUSE bug 1197689CVE-2021-36222 at SUSECVE-2021-36222 at NVDCVE-2021-3711 at SUSECVE-2021-3711 at NVDCVE-2021-39226 at SUSECVE-2021-39226 at NVDCVE-2021-41174 at SUSECVE-2021-41174 at NVDCVE-2021-41244 at SUSECVE-2021-41244 at NVDCVE-2021-43798 at SUSECVE-2021-43798 at NVDCVE-2021-43813 at SUSECVE-2021-43813 at NVDCVE-2021-43815 at SUSECVE-2021-43815 at NVDCVE-2022-21673 at SUSECVE-2022-21673 at NVDCVE-2022-21698 at SUSECVE-2022-21698 at NVDCVE-2022-21702 at SUSECVE-2022-21702 at NVDCVE-2022-21703 at SUSECVE-2022-21703 at NVDCVE-2022-21713 at SUSECVE-2022-21713 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for fwupdate (Important)SUSE OpenStack Cloud Crowbar 8
This update of fwupdate fixes the following issue:
- rebuild with new secure boot key due to grub2 boothole 3 issues (bsc#1198581)
ImportantSUSE bug 1198581cpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python3 (Important)SUSE OpenStack Cloud Crowbar 8
This update for python3 fixes the following issues:
- CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511).
ImportantSUSE bug 1070738SUSE bug 1198511SUSE bug 1199441CVE-2015-20107 at SUSECVE-2015-20107 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openssl (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for openssl fixes the following issues:
- CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)
ModerateSUSE bug 1200550CVE-2022-2068 at SUSECVE-2022-2068 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for oracleasm (Important)SUSE OpenStack Cloud Crowbar 8
This update of oracleasm fixes the following issue:
- rebuild with new secure boot key due to grub2 boothole 3 issues (bsc#1198581)
ImportantSUSE bug 1198581cpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python (Important)SUSE OpenStack Cloud Crowbar 8
This update for python fixes the following issues:
- CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511).
ImportantSUSE bug 1198511CVE-2015-20107 at SUSECVE-2015-20107 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for sysstat (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for sysstat fixes the following issues:
Security issue fixed:
- CVE-2019-19725: Fixed double free in check_file_actlst in sa_common.c (bsc#1159104).
Bug fixes:
- Enable log information of starting/stoping services. (bsc#1144923, jsc#SLE-5958)
ModerateSUSE bug 1144923SUSE bug 1159104CVE-2019-19725 at SUSECVE-2019-19725 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for dpdk (Important)SUSE OpenStack Cloud Crowbar 8
This update of dpdk fixes the following issue:
- rebuild with new secure boot key due to grub2 boothole 3 issues (bsc#1198581)
ImportantSUSE bug 1198581cpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
Update to Firefox Extended Support Release 91.11.0 ESR (MFSA 2022-25) (bsc#1200793):
- CVE-2022-2200: Undesired attributes could be set as part of prototype pollution (bmo#1771381)
- CVE-2022-31744: CSP bypass enabling stylesheet injection (bmo#1757604)
- CVE-2022-34468: CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI (bmo#1768537)
- CVE-2022-34470: Use-after-free in nsSHistory (bmo#1765951)
- CVE-2022-34472: Unavailable PAC file resulted in OCSP requests being blocked (bmo#1770123)
- CVE-2022-34478: Microsoft protocols can be attacked if a user accepts a prompt (bmo#1773717)
- CVE-2022-34479: A popup window could be resized in a way to overlay the address bar with web content (bmo#1745595)
- CVE-2022-34481: Potential integer overflow in ReplaceElementsAt (bmo#1497246)
- CVE-2022-34484: Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11 (bmo#1763634, bmo#1772651)
ImportantSUSE bug 1200793CVE-2022-2200 at SUSECVE-2022-2200 at NVDCVE-2022-31744 at SUSECVE-2022-31744 at NVDCVE-2022-34468 at SUSECVE-2022-34468 at NVDCVE-2022-34470 at SUSECVE-2022-34470 at NVDCVE-2022-34472 at SUSECVE-2022-34472 at NVDCVE-2022-34478 at SUSECVE-2022-34478 at NVDCVE-2022-34479 at SUSECVE-2022-34479 at NVDCVE-2022-34481 at SUSECVE-2022-34481 at NVDCVE-2022-34484 at SUSECVE-2022-34484 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rsyslog (Important)SUSE OpenStack Cloud Crowbar 8
This update for rsyslog fixes the following issues:
- CVE-2022-24903: fix potential heap buffer overflow in modules for TCP syslog reception (bsc#1199061)
ImportantSUSE bug 1199061CVE-2022-24903 at SUSECVE-2022-24903 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for pcre (Important)SUSE OpenStack Cloud Crowbar 8
This update for pcre fixes the following issues:
- CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)
ImportantSUSE bug 1199232CVE-2022-1586 at SUSECVE-2022-1586 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-rack (Critical)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-rack fixes the following issues:
- CVE-2022-30122: Fixed crafted multipart POST request may cause a DoS (bsc#1200748)
- CVE-2022-30123: Fixed crafted requests can cause shell escape sequences (bsc#1200750)
The following non-security bug was fixed:
- Fixed a regression in CVE-2022-30122 patch (bsc#1201588).
CriticalSUSE bug 1200748SUSE bug 1200750SUSE bug 1201588CVE-2022-30122 at SUSECVE-2022-30122 at NVDCVE-2022-30123 at SUSECVE-2022-30123 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for samba (Critical)SUSE OpenStack Cloud Crowbar 8
This update for samba fixes the following issues:
- CVE-2021-44142: Fixed out-of-Bound Read/Write on Samba vfs_fruit module. (bsc#1194859)
CriticalSUSE bug 1194859CVE-2021-44142 at SUSECVE-2021-44142 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-tzinfo (Important)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-tzinfo fixes the following issues:
- CVE-2022-31163: Fixed relative path traversal vulnerability that allows TZInfo::Timezone.get to load arbitrary files (bsc#1201835).
ImportantSUSE bug 1201835CVE-2022-31163 at SUSECVE-2022-31163 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-Twisted (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-Twisted fixes the following issues:
- CVE-2020-10108: Fixed an HTTP request smuggling issue (bsc#1166457).
- CVE-2020-10109: Fixed an HTTP request smuggling issue (bsc#1166458).
ImportantSUSE bug 1166457SUSE bug 1166458CVE-2020-10108 at SUSECVE-2020-10108 at NVDCVE-2020-10109 at SUSECVE-2020-10109 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-Django (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-Django fixes the following issues:
- CVE-2022-22818: Fixed possible XSS via {% debug %} template tag (bsc#1195086)
- CVE-2022-23833: Fixed denial-of-service possibility in file uploads. (bsc#1195088)
A regression in the fix for CVE-2021-45452 was fixed (bsc#1194116)
ImportantSUSE bug 1194116SUSE bug 1195086SUSE bug 1195088CVE-2021-45452 at SUSECVE-2021-45452 at NVDCVE-2022-22818 at SUSECVE-2022-22818 at NVDCVE-2022-23833 at SUSECVE-2022-23833 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-rails-html-sanitizer (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-rails-html-sanitizer fixes the following issues:
- CVE-2022-32209: Fixed a potential content injection under specific
configurations (bsc#1201183).
ModerateSUSE bug 1201183CVE-2022-32209 at SUSECVE-2022-32209 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-Babel (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-Babel fixes the following issues:
- CVE-2021-42771: Fixed relative path traversal leading to loading arbitrary
locale files on disk and executing arbitrary code (bsc#1185768).
ImportantSUSE bug 1185768CVE-2021-42771 at SUSECVE-2021-42771 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for net-snmp (Important)SUSE OpenStack Cloud Crowbar 8
This update for net-snmp fixes the following issues:
- CVE-2020-15862: Make extended MIB read-only (bsc#1174961)
ImportantSUSE bug 1100146SUSE bug 1145864SUSE bug 1152968SUSE bug 1174961SUSE bug 1178021SUSE bug 1178351SUSE bug 1179009SUSE bug 1179699SUSE bug 1184839CVE-2020-15862 at SUSECVE-2020-15862 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for keepalived (Important)SUSE OpenStack Cloud Crowbar 8
This update for keepalived fixes the following issues:
- CVE-2021-44225: Fix a potential privilege escalation due to
insufficient control in the D-Bus policy (bsc#1193115).
ImportantSUSE bug 1193115CVE-2021-44225 at SUSECVE-2021-44225 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-rsa (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-rsa fixes the following issues:
- CVE-2020-13757: Fixed an issue where leading null bytes in a
ciphertext would be ignored during decryption, leading to a
potential information leak (bsc#1172389).
ImportantSUSE bug 1172389CVE-2020-13757 at SUSECVE-2020-13757 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ardana-ansible, ardana-cobbler, grafana, openstack-heat-templates, openstack-murano, python-Django, rabbitmq-server, rubygem-puma (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for ardana-ansible, ardana-cobbler, grafana, openstack-heat-templates, openstack-murano, python-Django, rabbitmq-server, rubygem-puma fixes the following issues:
Security updates included on this update:
ardana-ansible, ardana-cobbler, grafana, openstack-heat-templates, openstack-murano, rabbitmq-server:
- CVE-2020-1734: Fixed vulnerability where shell was enabled by default in a pipe lookup plugin subprocess. (SOC-11662, bnc#1164139)
- CVE-2021-44716: Fixed uncontrolled memory consumption in go's net/http. (bsc#1193597)
- CVE-2019-11287: Fixed DoS via 'X-Reason' HTTP Header in malicious Erlang format string. (bsc#1157665)
grafana:
- CVE-2021-39226: Fixed snapshot authentication bypass (bsc#1191454).
- CVE-2021-44716: Fixed uncontrolled memory consumption in go's net/http (bsc#1193597).
python-Django:
- CVE-2022-28346: Fixed vulnerability that could lead to SQL injection in QuerySet.annotate(),aggregate() and extra(). (bsc#1198398)
- CVE-2022-34265: Fixed vulnerability that could lead to SQL injection via Trunc(kind) and Extract(lookup_name) arguments. (bsc#1201186)
rubygem puma:
- CVE-2022-24790: Fixed HTTP request smuggling vulnerability. (bsc#1197818)
Additional information about the this update:
Changes in ardana-ansible:
- Update to version 8.0+git.1660773729.3789a6d:
* Mitigate CVE-2020-1734 (SOC-11662)
Changes in ardana-cobbler:
- Update to version 8.0+git.1660773402.d845a45:
* Mitigate CVE-2020-1734 (SOC-11662)
Changes in grafana:
- Add CVE-2021-39226 patch (bsc#1191454, CVE-2021-39226)
* snapshot authentication bypass
- Bump Go to 1.16 (bsc#1193597, CVE-2021-44716)
* Fix Go net/http: limit growth of header canonicalization cache.
Changes in openstack-heat-templates:
- Update to version 0.0.0+git.1654529662.75fa04a:
* doc: Comment out language option
Changes in openstack-murano:
- Update to version murano-4.0.2.dev3:
* [stable-only] Remove periodic-stable-jobs template
Changes in openstack-murano:
- Update to version murano-4.0.2.dev3:
* [stable-only] Remove periodic-stable-jobs template
Changes in rabbitmq-server:
- add explanation-format patch to fix CVE-2019-11287 (bsc#1157665)
Changes in python-Django:
- Rename Django-1.11.29.tar.gz.asc to Django-1.11.29.tar.gz.checksums.txt
to avoid source_validator incorrectly trying to use it as a detached
signature file for the sources tarball.
- Remove unnecessary project.diff file.
- Add CVE-2022-28346 patch (bsc#1198398, CVE-2022-28346)
* Potential SQL injection in QuerySet.annotate(),aggregate() and extra()
- Add CVE-2022-34265 patch (bsc#1201186, CVE-2022-34265)
* SQL injection via Trunc(kind) and Extract(lookup_name) arguments
Changes in rubygem-puma:
- Add CVE-2022-24790: Fixed HTTP request smuggling vulnerability (bsc#1197818).
ModerateSUSE bug 1157665SUSE bug 1191454SUSE bug 1193597SUSE bug 1197818SUSE bug 1198398SUSE bug 1201186CVE-2019-11287 at SUSECVE-2019-11287 at NVDCVE-2020-1734 at SUSECVE-2020-1734 at NVDCVE-2021-39226 at SUSECVE-2021-39226 at NVDCVE-2021-44716 at SUSECVE-2021-44716 at NVDCVE-2022-24790 at SUSECVE-2022-24790 at NVDCVE-2022-28346 at SUSECVE-2022-28346 at NVDCVE-2022-34265 at SUSECVE-2022-34265 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libsndfile (Important)SUSE OpenStack Cloud Crowbar 8
This update for libsndfile fixes the following issues:
- CVE-2021-4156: Fixed heap buffer overflow in flac_buffer_copy that
could potentially lead to heap exploitation (bsc#1194006).
ImportantSUSE bug 1194006CVE-2021-4156 at SUSECVE-2021-4156 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for elasticsearch, elasticsearch-kit, kafka, kafka-kit, logstash, openstack-monasca-agent, openstack-monasca-log-metrics, openstack-monasca-log-persister, openstack-monasca-log-transformer, openstack-monasca-persister-java, openstack-monasca-persister-java-kit, openstack-monasca-thresh, openstack-monasca-thresh-kit, spark, spark-kit, venv-openstack-monasca, zookeeper, zookeeper-kit (Important)SUSE OpenStack Cloud Crowbar 8
This update for elasticsearch, elasticsearch-kit, kafka, kafka-kit, logstash, openstack-monasca-agent, openstack-monasca-log-metrics, openstack-monasca-log-persister, openstack-monasca-log-transformer, openstack-monasca-persister-java, openstack-monasca-persister-java-kit, openstack-monasca-thresh, openstack-monasca-thresh-kit, spark, spark-kit, venv-openstack-monasca, zookeeper, zookeeper-kit fixes the following issues:
- CVE-2021-4104: Fixed remote code execution through JMS API via the ldap JNDI parser (bsc#1193662).
- CVE-2022-23302: Fixed remote code execution in Log4j 1.x when application is configured to use JMSSink (bsc#1194842).
- CVE-2022-23305: Fixed SQL injection in Log4j 1.x when application is configured to use JDBCAppender (bsc#1194843).
- CVE-2022-23307: Fixed deserialization flaw in the Chainsaw component of Log4j 1 that could lead to malicious code execution (bsc#1194844).
ImportantSUSE bug 1193662SUSE bug 1194842SUSE bug 1194843SUSE bug 1194844CVE-2021-4104 at SUSECVE-2021-4104 at NVDCVE-2022-23302 at SUSECVE-2022-23302 at NVDCVE-2022-23305 at SUSECVE-2022-23305 at NVDCVE-2022-23307 at SUSECVE-2022-23307 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for clamav (Important)SUSE OpenStack Cloud Crowbar 8
This update for clamav fixes the following issues:
- CVE-2022-20698: Fixed invalid pointer read allowing denial of service crash. (bsc#1194731)
ImportantSUSE bug 1194731CVE-2022-20698 at SUSECVE-2022-20698 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for xen (Important)SUSE OpenStack Cloud Crowbar 8
This update for xen fixes the following issues:
- CVE-2022-23034: Fixed possible DoS by a PV guest Xen while unmapping a grant. (XSA-394) (bsc#1194581)
- CVE-2022-23035: Fixed insufficient cleanup of passed-through device IRQs. (XSA-395) (bsc#1194588)
ImportantSUSE bug 1194581SUSE bug 1194588CVE-2022-23034 at SUSECVE-2022-23034 at NVDCVE-2022-23035 at SUSECVE-2022-23035 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud Crowbar 8
The SUSE Linux Enterprise 12 SP3 LTSS kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2018-25020: Fixed an overflow in the BPF subsystem due to a mishandling of a long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions. This affects kernel/bpf/core.c and net/core/filter.c (bnc#1193575).
- CVE-2019-0136: Fixed insufficient access control in the Intel(R) PROSet/Wireless WiFi Software driver that may have allowed an unauthenticated user to potentially enable denial of service via adjacent access (bnc#1193157).
- CVE-2020-35519: Fixed out-of-bounds memory access in x25_bind in net/x25/af_x25.c. A bounds check failure allowed a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information (bnc#1183696).
- CVE-2021-0935: Fixed possible out of bounds write in ip6_xmit of ip6_output.c due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1192032).
- CVE-2021-28711: Fixed issue with xen/blkfront to harden blkfront against event channel storms (XSA-391) (bsc#1193440).
- CVE-2021-28712: Fixed issue with xen/netfront to harden netfront against event channel storms (XSA-391) (bsc#1193440).
- CVE-2021-28713: Fixed issue with xen/console to harden hvc_xen against event channel storms (XSA-391) (bsc#1193440).
- CVE-2021-28715: Fixed issue with xen/netback to do not queue unlimited number of packages (XSA-392) (bsc#1193442).
- CVE-2021-33098: Fixed improper input validation in the Intel(R) Ethernet ixgbe driver that may have allowed an authenticated user to potentially cause denial of service via local access (bnc#1192877).
- CVE-2021-3564: Fixed double-free memory corruption in the Linux kernel HCI device initialization subsystem that could have been used by attaching malicious HCI TTY Bluetooth devices. A local user could use this flaw to crash the system (bnc#1186207).
- CVE-2021-39648: Fixed possible disclosure of kernel heap memory due to a race condition in gadget_dev_desc_UDC_show of configfs.c. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation (bnc#1193861).
- CVE-2021-39657: Fixed out of bounds read due to a missing bounds check in ufshcd_eh_device_reset_handler of ufshcd.c. This could lead to local information disclosure with System execution privileges needed (bnc#1193864).
- CVE-2021-4002: Fixed incorrect TLBs flush in hugetlbfs after huge_pmd_unshare (bsc#1192946).
- CVE-2021-4083: Fixed a read-after-free memory flaw inside the garbage collection for Unix domain socket file handlers when users call close() and fget() simultaneouslyand can potentially trigger a race condition (bnc#1193727).
- CVE-2021-4149: Fixed btrfs unlock newly allocated extent buffer after error (bsc#1194001).
- CVE-2021-4155: Fixed XFS map issue when unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like fallocate (bsc#1194272).
- CVE-2021-4197: Use cgroup open-time credentials for process migraton perm checks (bsc#1194302).
- CVE-2021-4202: Fixed NFC race condition by adding NCI_UNREG flag (bsc#1194529).
- CVE-2021-43976: Fixed insufficient access control in drivers/net/wireless/marvell/mwifiex/usb.c that allowed an attacker who connect a crafted USB device to cause denial of service (bnc#1192847).
- CVE-2021-45095: Fixed refcount leak in pep_sock_accept in net/phonet/pep.c (bnc#1193867).
- CVE-2021-45485: Fixed information leak in the IPv6 implementation in net/ipv6/output_core.c (bnc#1194094).
- CVE-2021-45486: Fixed information leak inside the IPv4 implementation caused by very small hash table (bnc#1194087).
- CVE-2022-0330: Fixed flush TLBs before releasing backing store (bsc#1194880).
The following non-security bugs were fixed:
- fget: clarify and improve __fget_files() implementation (bsc#1193727).
- hv_netvsc: Fix the queue_mapping in netvsc_vf_xmit() (bsc#1193507).
- hv_netvsc: Set needed_headroom according to VF (bsc#1193507).
- kprobes: Limit max data_size of the kretprobe instances (bsc#1193669).
- memstick: rtsx_usb_ms: fix UAF
- moxart: fix potential use-after-free on remove path (bsc1194516).
- net/x25: fix a race in x25_bind() (networking-stable-19_03_15).
- net: mana: Add RX fencing (bsc#1193507).
- net: mana: Allow setting the number of queues while the NIC is down (bsc#1193507).
- net: mana: Fix spelling mistake 'calledd' -> 'called' (bsc#1193507).
- net: mana: Fix the netdev_err()'s vPort argument in mana_init_port() (bsc#1193507).
- net: mana: Improve the HWC error handling (bsc#1193507).
- net: mana: Support hibernation and kexec (bsc#1193507).
- net: mana: Use kcalloc() instead of kzalloc() (bsc#1193507).
- recordmcount.pl: fix typo in s390 mcount regex (bsc#1192267).
- recordmcount.pl: look for jgnop instruction as well as bcrl on s390 (bsc#1192267).
- ring-buffer: Protect ring_buffer_reset() from reentrancy (bsc#1179960).
- tty: hvc: replace BUG_ON() with negative return value (git-fixes).
- xen-netfront: do not assume sk_buff_head list is empty in error handling (git-fixes).
- xen-netfront: do not use ~0U as error return value for xennet_fill_frags() (git-fixes).
- xen/blkfront: do not take local copy of a request from the ring page (git-fixes).
- xen/blkfront: do not trust the backend response data blindly (git-fixes).
- xen/blkfront: read response from backend only once (git-fixes).
- xen/netfront: disentangle tx_skb_freelist (git-fixes).
- xen/netfront: do not bug in case of too many frags (bnc#1012382).
- xen/netfront: do not cache skb_shinfo() (bnc#1012382).
- xen/netfront: do not read data from request on the ring page (git-fixes).
- xen/netfront: do not trust the backend response data blindly (git-fixes).
- xen/netfront: read response from backend only once (git-fixes).
- xen: sync include/xen/interface/io/ring.h with Xen's newest version (git-fixes).
ImportantSUSE bug 1012382SUSE bug 1179960SUSE bug 1183696SUSE bug 1186207SUSE bug 1192032SUSE bug 1192267SUSE bug 1192847SUSE bug 1192877SUSE bug 1192946SUSE bug 1193157SUSE bug 1193440SUSE bug 1193442SUSE bug 1193507SUSE bug 1193575SUSE bug 1193669SUSE bug 1193727SUSE bug 1193861SUSE bug 1193864SUSE bug 1193867SUSE bug 1194001SUSE bug 1194087SUSE bug 1194094SUSE bug 1194272SUSE bug 1194302SUSE bug 1194516SUSE bug 1194529SUSE bug 1194880CVE-2018-25020 at SUSECVE-2018-25020 at NVDCVE-2019-0136 at SUSECVE-2019-0136 at NVDCVE-2020-35519 at SUSECVE-2020-35519 at NVDCVE-2021-0935 at SUSECVE-2021-0935 at NVDCVE-2021-28711 at SUSECVE-2021-28711 at NVDCVE-2021-28712 at SUSECVE-2021-28712 at NVDCVE-2021-28713 at SUSECVE-2021-28713 at NVDCVE-2021-28715 at SUSECVE-2021-28715 at NVDCVE-2021-33098 at SUSECVE-2021-33098 at NVDCVE-2021-3564 at SUSECVE-2021-3564 at NVDCVE-2021-39648 at SUSECVE-2021-39648 at NVDCVE-2021-39657 at SUSECVE-2021-39657 at NVDCVE-2021-4002 at SUSECVE-2021-4002 at NVDCVE-2021-4083 at SUSECVE-2021-4083 at NVDCVE-2021-4149 at SUSECVE-2021-4149 at NVDCVE-2021-4155 at SUSECVE-2021-4155 at NVDCVE-2021-4197 at SUSECVE-2021-4197 at NVDCVE-2021-4202 at SUSECVE-2021-4202 at NVDCVE-2021-43976 at SUSECVE-2021-43976 at NVDCVE-2021-45095 at SUSECVE-2021-45095 at NVDCVE-2021-45485 at SUSECVE-2021-45485 at NVDCVE-2021-45486 at SUSECVE-2021-45486 at NVDCVE-2022-0330 at SUSECVE-2022-0330 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-waitress (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-waitress fixes the following issues:
- CVE-2022-24761: Fixed a bug to avoid inconsistent interpretation of HTTP requests leading to request smuggling. (bsc#1197255)
ImportantSUSE bug 1197255CVE-2022-24761 at SUSECVE-2022-24761 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-Mako (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-Mako fixes the following issues:
- CVE-2022-40023: Fixed regular expression Denial of Service when using the Lexer class to parse (bsc#1203246).
ModerateSUSE bug 1203246CVE-2022-40023 at SUSECVE-2022-40023 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-actionview-4_2 (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-actionview-4_2 fixes the following issues:
- CVE-2022-27777: Fixed cross-site scripting vulnerability in Action View tag helpers (bsc#1199060).
ModerateSUSE bug 1199060CVE-2022-27777 at SUSECVE-2022-27777 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-nokogiri (Important)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-nokogiri fixes the following issues:
- CVE-2022-24836: Fixes possibility to DoS because of inefficient RE in HTML encoding. (bsc#1198408)
- CVE-2022-29181: Fixes Improper Handling of Unexpected Data Typesi. (bsc#1199782)
ImportantSUSE bug 1198408SUSE bug 1199782CVE-2022-24836 at SUSECVE-2022-24836 at NVDCVE-2022-29181 at SUSECVE-2022-29181 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for apache2-mod_wsgi (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for apache2-mod_wsgi fixes the following issues:
- CVE-2022-2255: Hardened the trusted proxy header filter to avoid bypass. (bsc#1201634)
ModerateSUSE bug 1201634CVE-2022-2255 at SUSECVE-2022-2255 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-Twisted (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-Twisted fixes the following issues:
- CVE-2022-39348: Fixed NameVirtualHost Host header injection (bsc#1204781).
ImportantSUSE bug 1204781CVE-2019-12387 at SUSECVE-2019-12387 at NVDCVE-2020-10108 at SUSECVE-2020-10108 at NVDCVE-2022-21712 at SUSECVE-2022-21712 at NVDCVE-2022-39348 at SUSECVE-2022-39348 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-loofah (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-loofah fixes the following issues:
- CVE-2019-15587: Fixed issue in sanitization of crafted SVG elements (bsc#1154751).
ModerateSUSE bug 1154751CVE-2018-8048 at SUSECVE-2018-8048 at NVDCVE-2019-15587 at SUSECVE-2019-15587 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libvirt (Important)SUSE OpenStack Cloud Crowbar 8
This update for libvirt fixes the following issues:
- CVE-2021-4147: libxl: Fix libvirtd deadlocks and segfaults. (bsc#1194041)
- CVE-2021-3975: Add missing lock in qemuProcessHandleMonitorEOF. (bsc#1192876)
ImportantSUSE bug 1192876SUSE bug 1193981SUSE bug 1194041CVE-2021-3975 at SUSECVE-2021-3975 at NVDCVE-2021-4147 at SUSECVE-2021-4147 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for virglrenderer (Important)SUSE OpenStack Cloud Crowbar 8
This update for virglrenderer fixes the following issues:
- CVE-2022-0135: Fixed out-of-bonds write in read_transfer_data() (bsc#1195389).
ImportantSUSE bug 1195389CVE-2022-0135 at SUSECVE-2022-0135 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for expat (Important)SUSE OpenStack Cloud Crowbar 8
This update for expat fixes the following issues:
- CVE-2022-23852: Fixed signed integer overflow in XML_GetBuffer (bsc#1195054).
- CVE-2022-23990: Fixed integer overflow in the doProlog function (bsc#1195217).
ImportantSUSE bug 1195054SUSE bug 1195217CVE-2022-23852 at SUSECVE-2022-23852 at NVDCVE-2022-23990 at SUSECVE-2022-23990 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for tiff (Important)SUSE OpenStack Cloud Crowbar 8
This update for tiff fixes the following issues:
- CVE-2017-17095: Fixed DoS in tools/pal2rgb.c in pal2rgb (bsc#1071031).
- CVE-2019-17546: Fixed integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image (bsc#1154365).
- CVE-2020-19131: Fixed buffer overflow in tiffcrop that may cause DoS via the invertImage() function (bsc#1190312).
- CVE-2020-35521: Fixed memory allocation failure in tif_read.c (bsc#1182808).
- CVE-2020-35522: Fixed memory allocation failure in tif_pixarlog.c (bsc#1182809).
- CVE-2020-35523: Fixed integer overflow in tif_getimage.c (bsc#1182811).
- CVE-2020-35524: Fixed heap-based buffer overflow in TIFF2PDF tool (bsc#1182812).
- CVE-2022-22844: Fixed out-of-bounds read in _TIFFmemcpy in tif_unix.c (bsc#1194539).
ImportantSUSE bug 1071031SUSE bug 1154365SUSE bug 1182808SUSE bug 1182809SUSE bug 1182811SUSE bug 1182812SUSE bug 1190312SUSE bug 1194539CVE-2017-17095 at SUSECVE-2017-17095 at NVDCVE-2019-17546 at SUSECVE-2019-17546 at NVDCVE-2020-19131 at SUSECVE-2020-19131 at NVDCVE-2020-35521 at SUSECVE-2020-35521 at NVDCVE-2020-35522 at SUSECVE-2020-35522 at NVDCVE-2020-35523 at SUSECVE-2020-35523 at NVDCVE-2020-35524 at SUSECVE-2020-35524 at NVDCVE-2022-22844 at SUSECVE-2022-22844 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for tcpdump (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for tcpdump fixes the following issues:
- CVE-2018-16301: Fixed segfault when handling large files (bsc#1195825).
ModerateSUSE bug 1195825CVE-2018-16301 at SUSECVE-2018-16301 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for xerces-j2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for xerces-j2 fixes the following issues:
- CVE-2022-23437: Fixed infinite loop within Apache XercesJ xml parser (bsc#1195108).
ImportantSUSE bug 1195108CVE-2022-23437 at SUSECVE-2022-23437 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.6.0 ESR / MFSA 2022-05 (bsc#1195682)
- CVE-2022-22753: Privilege Escalation to SYSTEM on Windows via Maintenance Service
- CVE-2022-22754: Extensions could have bypassed permission confirmation during update
- CVE-2022-22756: Drag and dropping an image could have resulted in the dropped object being an executable
- CVE-2022-22759: Sandboxed iframes could have executed script if the parent appended elements
- CVE-2022-22760: Cross-Origin responses could be distinguished between script and non-script content-types
- CVE-2022-22761: frame-ancestors Content Security Policy directive was not enforced for framed extension pages
- CVE-2022-22763: Script Execution during invalid object state
- CVE-2022-22764: Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6
Firefox Extended Support Release 91.5.1 ESR (bsc#1195230)
- Fixed an issue that allowed unexpected data to be submitted in some of our search telemetry
ImportantSUSE bug 1195230SUSE bug 1195682CVE-2022-22753 at SUSECVE-2022-22753 at NVDCVE-2022-22754 at SUSECVE-2022-22754 at NVDCVE-2022-22756 at SUSECVE-2022-22756 at NVDCVE-2022-22759 at SUSECVE-2022-22759 at NVDCVE-2022-22760 at SUSECVE-2022-22760 at NVDCVE-2022-22761 at SUSECVE-2022-22761 at NVDCVE-2022-22763 at SUSECVE-2022-22763 at NVDCVE-2022-22764 at SUSECVE-2022-22764 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for ucode-intel (Important)SUSE OpenStack Cloud Crowbar 8
This update for ucode-intel fixes the following issues:
Updated to Intel CPU Microcode 20220207 release.
- CVE-2021-0146: Fixed a potential security vulnerability in some Intel Processors may allow escalation of privilege (bsc#1192615)
- CVE-2021-0127: Intel Processor Breakpoint Control Flow (bsc#1195779)
- CVE-2021-0145: Fast store forward predictor - Cross Domain Training (bsc#1195780)
- CVE-2021-33120: Out of bounds read for some Intel Atom processors (bsc#1195781)
- Security updates for [INTEL-SA-00528](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00528.html)
- Security updates for [INTEL-SA-00532](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00532.html)
ImportantSUSE bug 1192615SUSE bug 1195779SUSE bug 1195780SUSE bug 1195781CVE-2021-0127 at SUSECVE-2021-0127 at NVDCVE-2021-0145 at SUSECVE-2021-0145 at NVDCVE-2021-0146 at SUSECVE-2021-0146 at NVDCVE-2021-33120 at SUSECVE-2021-33120 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for apache2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for apache2 fixes the following issues:
- CVE-2021-44224: Fixed NULL dereference or SSRF in forward proxy configurations. (bsc#1193943)
- CVE-2021-44790: Fixed buffer overflow when parsing multipart content in mod_lua. (bsc#1193942)
ImportantSUSE bug 1193942SUSE bug 1193943CVE-2021-44224 at SUSECVE-2021-44224 at NVDCVE-2021-44790 at SUSECVE-2021-44790 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for cyrus-sasl (Important)SUSE OpenStack Cloud Crowbar 8
This update for cyrus-sasl fixes the following issues:
- CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).
ImportantSUSE bug 1196036CVE-2022-24407 at SUSECVE-2022-24407 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud Crowbar 8
This update for webkit2gtk3 fixes the following issues:
Update to version 2.34.5 (bsc#1195735):
- CVE-2022-22589: A validation issue was addressed with improved input sanitization.
- CVE-2022-22590: A use after free issue was addressed with improved memory management.
- CVE-2022-22592: A logic issue was addressed with improved state management.
Update to version 2.34.4 (bsc#1195064):
- CVE-2021-30934: A buffer overflow issue was addressed with improved memory handling.
- CVE-2021-30936: A use after free issue was addressed with improved memory management.
- CVE-2021-30951: A use after free issue was addressed with improved memory management.
- CVE-2021-30952: An integer overflow was addressed with improved input validation.
- CVE-2021-30953: An out-of-bounds read was addressed with improved bounds checking.
- CVE-2021-30954: A type confusion issue was addressed with improved memory handling.
- CVE-2021-30984: A race condition was addressed with improved state handling.
- CVE-2022-22594: A cross-origin issue in the IndexDB API was addressed with improved input validation.
The following CVEs were addressed in a previous update:
- CVE-2021-45481: Incorrect memory allocation in WebCore::ImageBufferCairoImageSurfaceBackend::create.
- CVE-2021-45482: A use-after-free in WebCore::ContainerNode::firstChild.
- CVE-2021-45483: A use-after-free in WebCore::Frame::page.
ImportantSUSE bug 1195064SUSE bug 1195735CVE-2021-30934 at SUSECVE-2021-30934 at NVDCVE-2021-30936 at SUSECVE-2021-30936 at NVDCVE-2021-30951 at SUSECVE-2021-30951 at NVDCVE-2021-30952 at SUSECVE-2021-30952 at NVDCVE-2021-30953 at SUSECVE-2021-30953 at NVDCVE-2021-30954 at SUSECVE-2021-30954 at NVDCVE-2021-30984 at SUSECVE-2021-30984 at NVDCVE-2021-45481 at SUSECVE-2021-45481 at NVDCVE-2021-45482 at SUSECVE-2021-45482 at NVDCVE-2021-45483 at SUSECVE-2021-45483 at NVDCVE-2022-22589 at SUSECVE-2022-22589 at NVDCVE-2022-22590 at SUSECVE-2022-22590 at NVDCVE-2022-22592 at SUSECVE-2022-22592 at NVDCVE-2022-22594 at SUSECVE-2022-22594 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for expat (Important)SUSE OpenStack Cloud Crowbar 8
This update for expat fixes the following issues:
- CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
- CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
- CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
- CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
- CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).
ImportantSUSE bug 1196025SUSE bug 1196026SUSE bug 1196168SUSE bug 1196169SUSE bug 1196171CVE-2022-25235 at SUSECVE-2022-25235 at NVDCVE-2022-25236 at SUSECVE-2022-25236 at NVDCVE-2022-25313 at SUSECVE-2022-25313 at NVDCVE-2022-25314 at SUSECVE-2022-25314 at NVDCVE-2022-25315 at SUSECVE-2022-25315 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for zsh (Important)SUSE OpenStack Cloud Crowbar 8
This update for zsh fixes the following issues:
- CVE-2021-45444: Fixed a vulnerability where arbitrary shell commands could be
executed related to prompt expansion (bsc#1196435).
- CVE-2019-20044: Fixed a vulnerability where shell privileges would not be
properly dropped when unsetting the PRIVILEGED option (bsc#1163882).
- CVE-2018-1100: Fixed a potential code execution via a stack-based buffer
overflow in utils.c:checkmailpath() (bsc#1089030).
ImportantSUSE bug 1089030SUSE bug 1163882SUSE bug 1196435CVE-2018-1100 at SUSECVE-2018-1100 at NVDCVE-2019-20044 at SUSECVE-2019-20044 at NVDCVE-2021-45444 at SUSECVE-2021-45444 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-Twisted (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-Twisted fixes the following issues:
- CVE-2022-21712: Fixed secret exposure in cross-origin redirects (bsc#1195667, GHSA-92x2-jw7w-xvvx) from
ImportantSUSE bug 1195667CVE-2022-21712 at SUSECVE-2022-21712 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for the Linux Kernel (Important)SUSE OpenStack Cloud Crowbar 8
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
Transient execution side-channel attacks attacking the Branch History Buffer (BHB),
named 'Branch Target Injection' and 'Intra-Mode Branch History Injection' are now mitigated.
The following security bugs were fixed:
- CVE-2022-0001: Fixed Branch History Injection vulnerability (bsc#1191580).
- CVE-2022-0002: Fixed Intra-Mode Branch Target Injection vulnerability (bsc#1191580).
- CVE-2022-0617: Fixed a null pointer dereference in UDF file system functionality. A local user could crash the system by triggering udf_file_write_iter() via a malicious UDF image. (bsc#1196079)
- CVE-2022-0492: Fixed a privilege escalation related to cgroups v1 release_agent feature, which allowed bypassing namespace isolation unexpectedly (bsc#1195543).
- CVE-2022-24448: Fixed an issue in fs/nfs/dir.c. If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should have occured, but the server instead returned uninitialized data in the file descriptor (bsc#1195612).
- CVE-2021-0920: Fixed a local privilege escalation due to a use-after-free bug in unix_gc (bsc#1193731).
- CVE-2016-10905: Fixed a use-after-free is gfs2_clear_rgrpd() and read_rindex_entry() (bsc#1146312).
ImportantSUSE bug 1146312SUSE bug 1185973SUSE bug 1191580SUSE bug 1193731SUSE bug 1194463SUSE bug 1195536SUSE bug 1195543SUSE bug 1195612SUSE bug 1195908SUSE bug 1195939SUSE bug 1196079SUSE bug 1196612CVE-2016-10905 at SUSECVE-2016-10905 at NVDCVE-2021-0920 at SUSECVE-2021-0920 at NVDCVE-2022-0001 at SUSECVE-2022-0001 at NVDCVE-2022-0002 at SUSECVE-2022-0002 at NVDCVE-2022-0492 at SUSECVE-2022-0492 at NVDCVE-2022-0617 at SUSECVE-2022-0617 at NVDCVE-2022-24448 at SUSECVE-2022-24448 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.6.1 ESR (bsc#1196809):
- CVE-2022-26485: Use-after-free in XSLT parameter processing
- CVE-2022-26486: Use-after-free in WebGPU IPC Framework
ImportantSUSE bug 1196809CVE-2022-26485 at SUSECVE-2022-26485 at NVDCVE-2022-26486 at SUSECVE-2022-26486 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for tomcat (Important)SUSE OpenStack Cloud Crowbar 8
This update for tomcat fixes the following issues:
Security issues fixed:
- CVE-2022-23181: Fixed time of check, time of use vulnerability that allowed local privilege escalation. (bsc#1195255)
- Remove log4j dependency, which is currently directly in use (bsc#1196137)
- Make the package RPM conflict even more specific to conflict with java-openjdk-headless >= 9 (bsc#1196091)
ImportantSUSE bug 1195255SUSE bug 1196091SUSE bug 1196137CVE-2022-23181 at SUSECVE-2022-23181 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for webkit2gtk3 (Important)SUSE OpenStack Cloud Crowbar 8
This update for webkit2gtk3 fixes the following issues:
Update to version 2.34.6 (bsc#1196133):
- CVE-2022-22620: Processing maliciously crafted web content may have lead to arbitrary code execution.
ImportantSUSE bug 1196133CVE-2022-22620 at SUSECVE-2022-22620 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libcaca (Important)SUSE OpenStack Cloud Crowbar 8
This update for libcaca fixes the following issues:
- CVE-2021-30498, CVE-2021-30499: If an image has a size of 0x0, when exporting, no
data is written and space is allocated for the header only, not taking into
account that sprintf appends a NUL byte (bsc#1184751, bsc#1184752).
ImportantSUSE bug 1184751SUSE bug 1184752CVE-2021-30498 at SUSECVE-2021-30498 at NVDCVE-2021-30499 at SUSECVE-2021-30499 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for MozillaFirefox (Important)SUSE OpenStack Cloud Crowbar 8
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.7.0 ESR (bsc#1196900):
- CVE-2022-26383: Browser window spoof using fullscreen mode
- CVE-2022-26384: iframe allow-scripts sandbox bypass
- CVE-2022-26387: Time-of-check time-of-use bug when verifying add-on signatures
- CVE-2022-26381: Use-after-free in text reflows
- CVE-2022-26386: Temporary files downloaded to /tmp and accessible by other local users
ImportantSUSE bug 1196900CVE-2022-26381 at SUSECVE-2022-26381 at NVDCVE-2022-26383 at SUSECVE-2022-26383 at NVDCVE-2022-26384 at SUSECVE-2022-26384 at NVDCVE-2022-26386 at SUSECVE-2022-26386 at NVDCVE-2022-26387 at SUSECVE-2022-26387 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for expat (Important)SUSE OpenStack Cloud Crowbar 8
This update for expat fixes the following issues:
- Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).
ImportantSUSE bug 1196025SUSE bug 1196784CVE-2022-25236 at SUSECVE-2022-25236 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openssl (Important)SUSE OpenStack Cloud Crowbar 8
This update for openssl fixes the following issues:
- CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (bsc#1196877).
ImportantSUSE bug 1196877CVE-2022-0778 at SUSECVE-2022-0778 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for java-1_8_0-openjdk (Important)SUSE OpenStack Cloud Crowbar 8
This update for java-1_8_0-openjdk fixes the following issues:
Update to version jdk8u322 (icedtea-3.22.0)
Including the following security fixes:
- CVE-2022-21248, bsc#1194926: Enhance cross VM serialization
- CVE-2022-21283, bsc#1194937: Better String matching
- CVE-2022-21293, bsc#1194935: Improve String constructions
- CVE-2022-21294, bsc#1194934: Enhance construction of Identity maps
- CVE-2022-21282, bsc#1194933: Better resolution of URIs
- CVE-2022-21296, bsc#1194932: Improve SAX Parser configuration management
- CVE-2022-21299, bsc#1194931: Improved scanning of XML entities
- CVE-2022-21305, bsc#1194939: Better array indexing
- CVE-2022-21340, bsc#1194940: Verify Jar Verification
- CVE-2022-21341, bsc#1194941: Improve serial forms for transport
- CVE-2022-21349: Improve Solaris font rendering
- CVE-2022-21360, bsc#1194929: Enhance BMP image support
- CVE-2022-21365, bsc#1194928: Enhanced BMP processing
ImportantSUSE bug 1193314SUSE bug 1193444SUSE bug 1193491SUSE bug 1194926SUSE bug 1194928SUSE bug 1194929SUSE bug 1194931SUSE bug 1194932SUSE bug 1194933SUSE bug 1194934SUSE bug 1194935SUSE bug 1194937SUSE bug 1194939SUSE bug 1194940SUSE bug 1194941SUSE bug 1195163CVE-2022-21248 at SUSECVE-2022-21248 at NVDCVE-2022-21282 at SUSECVE-2022-21282 at NVDCVE-2022-21283 at SUSECVE-2022-21283 at NVDCVE-2022-21293 at SUSECVE-2022-21293 at NVDCVE-2022-21294 at SUSECVE-2022-21294 at NVDCVE-2022-21296 at SUSECVE-2022-21296 at NVDCVE-2022-21299 at SUSECVE-2022-21299 at NVDCVE-2022-21305 at SUSECVE-2022-21305 at NVDCVE-2022-21340 at SUSECVE-2022-21340 at NVDCVE-2022-21341 at SUSECVE-2022-21341 at NVDCVE-2022-21349 at SUSECVE-2022-21349 at NVDCVE-2022-21360 at SUSECVE-2022-21360 at NVDCVE-2022-21365 at SUSECVE-2022-21365 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-lxml (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-lxml fixes the following issues:
- CVE-2021-43818: Removed SVG image data URLs since they can embed script
content (bsc#1193752).
- CVE-2021-28957: Fixed a potential XSS due to improper input sanitization (bsc#1184177).
- CVE-2020-27783: Fixed a potential XSS due to improper HTML parsing (bsc#1179534).
- CVE-2018-19787: Fixed a potential XSS due to improper input sanitization (bsc#1118088).
ModerateSUSE bug 1118088SUSE bug 1179534SUSE bug 1184177SUSE bug 1193752CVE-2018-19787 at SUSECVE-2018-19787 at NVDCVE-2020-27783 at SUSECVE-2020-27783 at NVDCVE-2021-28957 at SUSECVE-2021-28957 at NVDCVE-2021-43818 at SUSECVE-2021-43818 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for glibc (Important)SUSE OpenStack Cloud Crowbar 8
This update for glibc fixes the following issues:
- CVE-2022-23219: Fixed buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)
- CVE-2022-23218: Fixed buffer overflow in sunrpc svcunix_create (bsc#1194770)
- CVE-2021-3999: Fixed getcwd to set errno to ERANGE for size == 1 (bsc#1194640)
ImportantSUSE bug 1194640SUSE bug 1194768SUSE bug 1194770CVE-2021-3999 at SUSECVE-2021-3999 at NVDCVE-2022-23218 at SUSECVE-2022-23218 at NVDCVE-2022-23219 at SUSECVE-2022-23219 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for apache2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for apache2 fixes the following issues:
- CVE-2022-23943: heap out-of-bounds write in mod_sed (bsc#1197098).
- CVE-2022-22720: HTTP request smuggling due to incorrect error handling (bsc#1197095).
- CVE-2022-22719: use of uninitialized value of in r:parsebody in mod_lua (bsc#1197091).
- CVE-2022-22721: possible buffer overflow with very large or unlimited LimitXMLRequestBody (bsc#1197096).
ImportantSUSE bug 1197091SUSE bug 1197095SUSE bug 1197096SUSE bug 1197098CVE-2022-22719 at SUSECVE-2022-22719 at NVDCVE-2022-22720 at SUSECVE-2022-22720 at NVDCVE-2022-22721 at SUSECVE-2022-22721 at NVDCVE-2022-23943 at SUSECVE-2022-23943 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-rack (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-rack fixes the following issues:
- CVE-2023-27539: Fixed denial of service in header parsing (bsc#1209503).
ModerateSUSE bug 1209503CVE-2023-27539 at SUSECVE-2023-27539 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openstack-cinder, openstack-nova, python-oslo.utils (Important)SUSE OpenStack Cloud Crowbar 8
This update for openstack-cinder, openstack-nova, python-oslo.utils contains the following fixes:
Security fixes included on this update:
openstack-cinder, openstack-nova:
- CVE-2022-47951: Fixed file access control through custom VMDK flat descriptor. (bsc#1207321)
Non-security changes included on this update:
Changes in openstack-cinder:
- Fixed file access control through custom VMDK flat descriptor. (bsc#1207321, CVE-2022-47951)
Changes in openstack-nova:
- Fixed file access control through custom VMDK flat descriptor. (bsc#1207321, CVE-2022-47951)
Changes in python-oslo.utils:
- Report format specific details when using JSON output format. (bsc#1207321)
ImportantSUSE bug 1207321CVE-2022-47951 at SUSECVE-2022-47951 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for dnsmasq (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for dnsmasq fixes the following issues:
- CVE-2023-28450: Fixed default maximum size for EDNS.0 UDP packets (bsc#1209358).
ModerateSUSE bug 1209358CVE-2023-28450 at SUSECVE-2023-28450 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-cryptography (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-cryptography fixes the following issues:
- CVE-2023-23931: Fixed memory corruption in Cipher.update_into (bsc#1208036).
ModerateSUSE bug 1208036CVE-2023-23931 at SUSECVE-2023-23931 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openstack-heat, python-Werkzeug (Important)SUSE OpenStack Cloud Crowbar 8
This update for openstack-heat, python-Werkzeug contains the following fixes:
Security fixes included on this update:
openstack-heat:
- CVE-2023-1625: Fixed an issue where parameter values marked as 'hidden' would be shown in the stack's environment. (bsc#1209774)
python-Werkzeug:
- CVE-2023-25577: Fixed an unbounded resource usage when parsing multipart forms with many fields. (bsc#1208283)
ImportantSUSE bug 1208283SUSE bug 1209774CVE-2023-1625 at SUSECVE-2023-1625 at NVDCVE-2023-25577 at SUSECVE-2023-25577 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libwebp (Important)SUSE OpenStack Cloud Crowbar 8
This update for libwebp fixes the following issues:
- CVE-2023-1999: Fixed double free (bsc#1210212).
ImportantSUSE bug 1210212CVE-2023-1999 at SUSECVE-2023-1999 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-sqlparse (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-sqlparse fixes the following issues:
- CVE-2023-30608: Fixed a regular rexpression that is vulnerable to ReDOS (bsc#1210617).
ModerateSUSE bug 1210617CVE-2023-30608 at SUSECVE-2023-30608 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-tornado (Low)SUSE OpenStack Cloud Crowbar 8
This update for python-tornado fixes the following issues:
- CVE-2023-28370: Fixed an open redirect issue in the static file
handler (bsc#1211741).
LowSUSE bug 1211741CVE-2023-28370 at SUSECVE-2023-28370 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-Django (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-Django fixes the following issues:
- CVE-2023-36053: Fixed potential regular expression denial of service vulnerability in EmailValidator/URLValidator (bsc#1212742).
ModerateSUSE bug 1212742CVE-2023-36053 at SUSECVE-2023-36053 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-swift3 (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-swift3 fixes the following issues:
- CVE-2022-47950: Fixed an issue that could allow a remote attacker to
disclose local file contents via a crafted XML file (bsc#1207035).
ImportantSUSE bug 1207035CVE-2022-47950 at SUSECVE-2022-47950 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for tomcat (Important)SUSE OpenStack Cloud Crowbar 8
This update for tomcat fixes the following issues:
- Remove the log4j dependency as it is not used by the tomcat package (bsc#1196137)
Security hardening, related to Spring Framework vulnerabilities:
- Deprecate getResources() and always return null (bsc#1198136).
ImportantSUSE bug 1196137SUSE bug 1198136cpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-actionpack-4_2 (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-actionpack-4_2 fixes the following issues:
- CVE-2023-28362: Fixed XSS via User Supplied Values to redirect_to (bsc#1213312).
ModerateSUSE bug 1213312CVE-2023-28362 at SUSECVE-2023-28362 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-rails-html-sanitizer (Important)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-rails-html-sanitizer fixes the following issues:
- CVE-2022-23517: Fixed inefficient regular expression that is susceptible to excessive backtracking (bsc#1206433).
- CVE-2022-23518: Fixed XSS via data URIs when used in combination with Loofah (bsc#1206434).
- CVE-2022-23519: Fixed XSS vulnerability with certain configurations of Rails::Html::Sanitizer (bsc#1206435).
- CVE-2022-23520: Fixed XSS vulnerability with certain configurations of Rails::Html::Sanitizer (bsc#1206436).
ImportantSUSE bug 1206433SUSE bug 1206434SUSE bug 1206435SUSE bug 1206436CVE-2022-23517 at SUSECVE-2022-23517 at NVDCVE-2022-23518 at SUSECVE-2022-23518 at NVDCVE-2022-23519 at SUSECVE-2022-23519 at NVDCVE-2022-23520 at SUSECVE-2022-23520 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-Django (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-Django fixes the following issues:
- CVE-2023-41164: Fixed a potential denial of service vulnerability in django.utils.encoding.uri_to_iri() (bsc#1214667).
ModerateSUSE bug 1214667CVE-2023-41164 at SUSECVE-2023-41164 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for libwebp (Critical)SUSE OpenStack Cloud Crowbar 8
This update for libwebp fixes the following issues:
- CVE-2023-4863: Fixed a heap buffer overflow (bsc#1215231).
CriticalSUSE bug 1215231CVE-2023-4863 at SUSECVE-2023-4863 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-gevent (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-gevent fixes the following issues:
- CVE-2023-41419: Fixed a http request smuggling (bsc#1215469).
ImportantSUSE bug 1215469CVE-2023-41419 at SUSECVE-2023-41419 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-setuptools (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-setuptools fixes the following issues:
- CVE-2022-40897: Fixed an excessive CPU usage that could be triggered
by fetching a malicious HTML document (bsc#1206667).
ModerateSUSE bug 1206667CVE-2022-40897 at SUSECVE-2022-40897 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-urllib3 (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-urllib3 fixes the following issues:
- CVE-2023-43804: Fixed a potential cookie leak via HTTP redirect if
the user manually set the corresponding header (bsc#1215968).
ModerateSUSE bug 1215968CVE-2023-43804 at SUSECVE-2023-43804 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-Django (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-Django fixes the following issues:
- CVE-2023-43665: Fixed a Denial-of-service in django.utils.text.Truncator. (bsc#1215978)
ModerateSUSE bug 1215978CVE-2023-43665 at SUSECVE-2023-43665 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-urllib3 (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-urllib3 fixes the following issues:
- CVE-2023-45803: Fix a request body leak that could occur when
receiving a 303 HTTP response (bsc#1216377).
ModerateSUSE bug 1216377CVE-2023-45803 at SUSECVE-2023-45803 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-actionpack-4_2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-actionpack-4_2 fixes the following issues:
- CVE-2023-22795: Fixed possible ReDoS based DoS vulnerability in Action Dispatch via specially crafted HTTP header (bsc#1207451).
- CVE-2023-22792: Fixed possible ReDoS based DoS vulnerability in Action Dispatch via specially crafted cookies (bsc#1207455).
ImportantSUSE bug 1207451SUSE bug 1207455CVE-2023-22792 at SUSECVE-2023-22792 at NVDCVE-2023-22795 at SUSECVE-2023-22795 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-Pillow (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-Pillow fixes the following issues:
- CVE-2023-44271: Fixed uncontrolled resource consumption when textlength in an ImageDraw instance operates on a long text argument (bsc#1216894).
ImportantSUSE bug 1216894CVE-2023-44271 at SUSECVE-2023-44271 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-activerecord-4_2 (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-activerecord-4_2 fixes the following issues:
- CVE-2022-44566: Fixed a potential denial of service due to an
inefficient comparison between integer and numeric values
(bsc#1207450).
ModerateSUSE bug 1207450CVE-2022-44566 at SUSECVE-2022-44566 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-activerecord-4_2 (Important)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-activerecord-4_2 contains the following fixes:
- CVE-2022-44566: Fixed a potential denial of service due to an inefficient
comparison between integer and numeric values. (bsc#1207450)
- fixed regression caused by fix for CVE-2022-44566. (bsc#1207450)
ImportantSUSE bug 1207450CVE-2022-44566 at SUSECVE-2022-44566 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-activesupport-4_2 (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-activesupport-4_2 fixes the following issues:
- CVE-2023-22796: Fixed a potential denial of service when passing a
crafted input to the underscore method due to an inefficient
regular expression (bsc#1207454).
ModerateSUSE bug 1207454CVE-2023-22796 at SUSECVE-2023-22796 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-rack (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-rack fixes the following issues:
- CVE-2022-44570: Fixed a potential denial of service when parsing a
RFC2183 multipart boundary (bsc#1207597).
- CVE-2022-44571: Fixed a potential denial of service when parsing a
Range header (bsc#1207599).
ModerateSUSE bug 1207597SUSE bug 1207599CVE-2022-44570 at SUSECVE-2022-44570 at NVDCVE-2022-44571 at SUSECVE-2022-44571 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-Django (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-Django fixes the following issues:
- CVE-2023-24580: Fixed DOS in file uploads (bsc#1208082).
ImportantSUSE bug 1208082CVE-2023-24580 at SUSECVE-2023-24580 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for openstack-barbican (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for openstack-barbican contains the following fix:
Security fix included on this update:
openstack-barbican:
- CVE-2022-3100: Fixed an access policy bypass via query string injection (bsc#1203873).
Update for openstack-barbican:
- Add patch for CVE-2022-3100 to address access policy bypass via query string injection. (bsc#1203873, CVE-2022-3100)
ModerateSUSE bug 1203873CVE-2022-3100 at SUSECVE-2022-3100 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-cffi (Moderate)SUSE OpenStack Cloud Crowbar 8
This update for python-cffi fixes the following issues:
- CVE-2023-23931: Fixed memory corruption due to immutable python object being changed (bsc#1208036).
Bugfixes:
- Disabled broken tests related to Threads.
ModerateSUSE bug 1208036CVE-2023-23931 at SUSECVE-2023-23931 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for rubygem-rack (Important)SUSE OpenStack Cloud Crowbar 8
This update for rubygem-rack fixes the following issues:
- CVE-2024-25126: Fixed a denial-of-service vulnerability in Rack Content-Type parsing (bsc#1220239).
- CVE-2024-26141: Fixed a denial-of-service vulnerability in Range request header parsing (bsc#1220242).
- CVE-2024-26146: Fixed a denial-of-service vulnerability in Rack headers parsing routine (bsc#1220248).
ImportantSUSE bug 1220239SUSE bug 1220242SUSE bug 1220248CVE-2024-25126 at SUSECVE-2024-25126 at NVDCVE-2024-26141 at SUSECVE-2024-26141 at NVDCVE-2024-26146 at SUSECVE-2024-26146 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-Django (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-Django fixes the following issues:
- CVE-2024-27351: Align the patch with the upstream one and make it more robust. (bsc#1220358)
ImportantSUSE bug 1220358CVE-2024-27351 at SUSECVE-2024-27351 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-Pillow (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-Pillow fixes the following issues:
- CVE-2024-28219: Fixed buffer overflow in _imagingcms.c (bsc#1222262)
ImportantSUSE bug 1222262CVE-2024-28219 at SUSECVE-2024-28219 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-Pillow (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-Pillow fixes the following issues:
- CVE-2023-50447: Fixed arbitrary code execution via the environment parameter. (bsc#1219048)
- CVE-2022-22817: Fixes evaluation of arbitrary expressions via PIL.ImageMath.eval. (bsc#1194521)
ImportantSUSE bug 1194521SUSE bug 1219048CVE-2022-22817 at SUSECVE-2022-22817 at NVDCVE-2023-50447 at SUSECVE-2023-50447 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for python-Django (Important)SUSE OpenStack Cloud Crowbar 8
This update for python-Django fixes the following issues:
- CVE-2024-24680: Fixed a denial-of-service in intcomma template filter (bsc#1219683).
- CVE-2024-27351: Fixed potential regular expression denial-of-service in ``django.utils.text.Truncator.words()`` (bsc#1220358).
ImportantSUSE bug 1219683SUSE bug 1220358CVE-2024-24680 at SUSECVE-2024-24680 at NVDCVE-2024-27351 at SUSECVE-2024-27351 at NVDcpe:/o:suse:suse-openstack-cloud-crowbar:8Security update for apache2 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for apache2 fixes the following issues:
Security issue fixed:
- CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest. (bsc#1048576)
Bug fixes:
- Include individual sysconfig.d files instead of the whole sysconfig.d directory.
- Include sysconfig.d/include.conf after httpd.conf is processed. (bsc#1023616, bsc#1043055)
ModerateSUSE bug 1023616SUSE bug 1043055SUSE bug 1048576CVE-2017-9788 at SUSECVE-2017-9788 at NVDcpe:/o:suse:sles:12:sp3Security update for libquicktime (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libquicktime fixes the following issues:
Security issue fixed:
- CVE-2016-2399: Adjust patch to prevent endless loop when there are less than 256 bytes to read. (bsc#1022805)
ModerateSUSE bug 1022805CVE-2016-2399 at SUSECVE-2016-2399 at NVDcpe:/o:suse:sles:12:sp3Security update for libical (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libical fixes the following issues:
Security issues fixed:
- CVE-2016-5824: libical 1.0 allows remote attackers to cause a denial of service (use-after-free)
via a crafted ics file. (bsc#986639)
- CVE-2016-5827: The icaltime_from_string function in libical 0.47 and 1.0 allows remote attackers
to cause a denial of service (out-of-bounds heap read) via a crafted string to the
icalparser_parse_string function. (bsc#986631)
- CVE-2016-9584: libical allows remote attackers to cause a denial of service (use-after-free) and
possibly read heap memory via a crafted ics file. (bsc#1015964)
Bug fixes:
- libical crashes while parsing timezones (bsc#1044995)
ModerateSUSE bug 1015964SUSE bug 1044995SUSE bug 986631SUSE bug 986639CVE-2016-5824 at SUSECVE-2016-5824 at NVDCVE-2016-5827 at SUSECVE-2016-5827 at NVDCVE-2016-9584 at SUSECVE-2016-9584 at NVDcpe:/o:suse:sles:12:sp3Security update for poppler (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for poppler fixes the following issues:
Security issues fixed:
- CVE-2017-9775: DoS stack buffer overflow in GfxState.cc in pdftocairo via a crafted PDF document (bsc#1045719)
- CVE-2017-9776: DoS integer overflow leading to heap buffer overflow in JBIG2Stream.cc via a crafted PDF document (bsc#1045721)
- CVE-2017-7515: Stack exhaustion due to infinite recursive call in pdfunite (bsc#1043088)
- CVE-2017-7511: Null pointer dereference in pdfunite via crafted documents (bsc#1041783)
- CVE-2017-9406: Memory leak in the gmalloc function in gmem.cc (bsc#1042803)
- CVE-2017-9408: Memory leak in the Object::initArray function (bsc#1042802)
ModerateSUSE bug 1041783SUSE bug 1042802SUSE bug 1042803SUSE bug 1043088SUSE bug 1045719SUSE bug 1045721CVE-2017-7511 at SUSECVE-2017-7511 at NVDCVE-2017-7515 at SUSECVE-2017-7515 at NVDCVE-2017-9406 at SUSECVE-2017-9406 at NVDCVE-2017-9408 at SUSECVE-2017-9408 at NVDCVE-2017-9775 at SUSECVE-2017-9775 at NVDCVE-2017-9776 at SUSECVE-2017-9776 at NVDcpe:/o:suse:sles:12:sp3Security update for systemd (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for systemd provides several fixes and enhancements.
Security issues fixed:
- CVE-2017-9217: Null pointer dereferencing that could lead to resolved aborting. (bsc#1040614)
- CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload
from a DNS server. (bsc#1045290)
The update also fixed several non-security bugs:
- core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount
- automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942)
- automount: Rework propagation between automount and mount units
- build: Make sure tmpfiles.d/systemd-remote.conf get installed when necessary
- build: Fix systemd-journal-upload installation
- basic: Detect XEN Dom0 as no virtualization (bsc#1036873)
- virt: Make sure some errors are not ignored
- fstab-generator: Do not skip Before= ordering for noauto mountpoints
- fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec
- core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995)
- fstab-generator: Apply the _netdev option also to device units (bsc#1004995)
- job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995)
- job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995)
- rules: Export NVMe WWID udev attribute (bsc#1038865)
- rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives
- rules: Add rules for NVMe devices
- sysusers: Make group shadow support configurable (bsc#1029516)
- core: When deserializing a unit, fully restore its cgroup state (bsc#1029102)
- core: Introduce cg_mask_from_string()/cg_mask_to_string()
- core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258)
- Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303)
The database might be missing when upgrading a package which was
shipping no sysv init scripts nor unit files (at the time --save was
called) but the new version start shipping unit files.
- Disable group shadow support (bsc#1029516)
- Only check signature job error if signature job exists (bsc#1043758)
- Automounter issue in combination with NFS volumes (bsc#1040968)
- Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153)
- Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750)
ModerateSUSE bug 1004995SUSE bug 1029102SUSE bug 1029516SUSE bug 1032029SUSE bug 1033238SUSE bug 1036873SUSE bug 1037120SUSE bug 1038865SUSE bug 1040153SUSE bug 1040258SUSE bug 1040614SUSE bug 1040942SUSE bug 1040968SUSE bug 1043758SUSE bug 1043900SUSE bug 1045290SUSE bug 1046750SUSE bug 982303SUSE bug 986216CVE-2017-9217 at SUSECVE-2017-9217 at NVDCVE-2017-9445 at SUSECVE-2017-9445 at NVDcpe:/o:suse:sles:12:sp3Security update for mariadb (Important)SUSE Linux Enterprise Server 12 SP3
This MariaDB update to version 10.0.31 GA fixes the following issues:
Security issues fixed:
- CVE-2017-3308: Subcomponent: Server: DML: Easily 'exploitable' vulnerability allows low
privileged attacker with network access via multiple protocols to compromise MariaDB Server.
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS). (bsc#1048715)
- CVE-2017-3309: Subcomponent: Server: Optimizer: Easily 'exploitable' vulnerability allows low
privileged attacker with network access via multiple protocols to compromise MariaDB Server.
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS). (bsc#1048715)
- CVE-2017-3453: Subcomponent: Server: Optimizer: Easily 'exploitable' vulnerability allows low
privileged attacker with network access via multiple protocols to compromise MariaDB Server.
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS). (bsc#1048715)
- CVE-2017-3456: Subcomponent: Server: DML: Easily 'exploitable' vulnerability allows low
privileged attacker with network access via multiple protocols to compromise MariaDB Server.
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS). (bsc#1048715)
- CVE-2017-3464: Subcomponent: Server: DDL: Easily 'exploitable' vulnerability allows low
privileged attacker with network access via multiple protocols to compromise MariaDB Server.
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS). (bsc#1048715)
Bug fixes:
- switch from 'Restart=on-failure' to 'Restart=on-abort' in
mysql.service in order to follow the upstream. It also fixes
hanging mysql-systemd-helper when mariadb fails (e.g. because of
the misconfiguration) (bsc#963041)
- XtraDB updated to 5.6.36-82.0
- TokuDB updated to 5.6.36-82.0
- Innodb updated to 5.6.36
- Performance Schema updated to 5.6.36
Release notes and changelog:
- https://kb.askmonty.org/en/mariadb-10031-release-notes
- https://kb.askmonty.org/en/mariadb-10031-changelog
ImportantSUSE bug 1048715SUSE bug 963041CVE-2017-3308 at SUSECVE-2017-3308 at NVDCVE-2017-3309 at SUSECVE-2017-3309 at NVDCVE-2017-3453 at SUSECVE-2017-3453 at NVDCVE-2017-3456 at SUSECVE-2017-3456 at NVDCVE-2017-3464 at SUSECVE-2017-3464 at NVDcpe:/o:suse:sles:12:sp3Security update for wireshark (Moderate)SUSE Linux Enterprise Server 12 SP3
This wireshark update to version 2.2.8 fixes the following issues:
Security issues fixed:
- CVE-2017-11411: The openSAFETY dissectorcould crash or exhaust system memory because of missing
length validation. (bsc#1049621)
- CVE-2017-11410: The WBXML dissector could go into an infinite loop. (bsc#1049255)
- CVE-2017-11408: The AMQP dissector could crash. (bsc#1049255)
- CVE-2017-11407: The MQ dissector could crash. (bsc#1049255)
- CVE-2017-11406: The DOCSIS dissector could go into an infinite loop. (bsc#1049255)
ModerateSUSE bug 1049255SUSE bug 1049621CVE-2017-11406 at SUSECVE-2017-11406 at NVDCVE-2017-11407 at SUSECVE-2017-11407 at NVDCVE-2017-11408 at SUSECVE-2017-11408 at NVDCVE-2017-11410 at SUSECVE-2017-11410 at NVDCVE-2017-11411 at SUSECVE-2017-11411 at NVDcpe:/o:suse:sles:12:sp3Security update for ncurses (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ncurses fixes the following issues:
Security issues fixed:
- CVE-2017-11112: Illegal address access in append_acs. (bsc#1047964)
- CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry. (bsc#1047965)
- CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses 6.0 to avoid broken
termcap format (bsc#1046853, bsc#1046858, bsc#1049344)
ModerateSUSE bug 1046853SUSE bug 1046858SUSE bug 1047964SUSE bug 1047965SUSE bug 1049344CVE-2017-10684 at SUSECVE-2017-10684 at NVDCVE-2017-10685 at SUSECVE-2017-10685 at NVDCVE-2017-11112 at SUSECVE-2017-11112 at NVDCVE-2017-11113 at SUSECVE-2017-11113 at NVDcpe:/o:suse:sles:12:sp3Security update for tcmu-runner (Important)SUSE Linux Enterprise Server 12 SP3
This update for tcmu-runner fixes the following issues:
- qcow handler opens up an information leak via the CheckConfig D-Bus method (bsc#1049491)
- glfs handler allows local DoS via crafted CheckConfig strings (bsc#1049485)
- UnregisterHandler dbus method in tcmu-runner daemon for non-existing handler causes denial of service (bsc#1049488)
- UnregisterHandler D-Bus method in tcmu-runner daemon for internal handler causes denial of service (bsc#1049489)
- Memory leaks can be triggered in tcmu-runner daemon by calling D-Bus method for (Un)RegisterHandler (bsc#1049490)
ImportantSUSE bug 1049485SUSE bug 1049488SUSE bug 1049489SUSE bug 1049490SUSE bug 1049491cpe:/o:suse:sles:12:sp3Security update for librsvg (Low)SUSE Linux Enterprise Server 12 SP3
This update librsvg to version 2.40.18 fixes the following issues:
Security issue fixed:
- CVE-2017-11464: A SIGFPE is raised in the function box_blur_line of rsvg-filter.c. (bsc#1049607)
LowSUSE bug 1049607CVE-2017-11464 at SUSECVE-2017-11464 at NVDcpe:/o:suse:sles:12:sp3Security update for libsoup (Important)SUSE Linux Enterprise Server 12 SP3
This update for libsoup fixes the following issues:
- A bug in the HTTP Chunked Encoding code has been fixed that could have been
exploited by attackers to cause a stack-based buffer overflow in client or
server code running libsoup (bsc#1052916, CVE-2017-2885).
ImportantSUSE bug 1052916CVE-2017-2885 at SUSECVE-2017-2885 at NVDcpe:/o:suse:sles:12:sp3Security update for strongswan (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for strongswan fixes the following issues:
CVE-2017-11185: Specific RSA signatures passed to the gmp plugin for verification can
cause a null-pointer dereference and it may lead to a denial of service (bsc#1051222)
ModerateSUSE bug 1051222CVE-2017-11185 at SUSECVE-2017-11185 at NVDcpe:/o:suse:sles:12:sp3Security update for openjpeg2 (Important)SUSE Linux Enterprise Server 12 SP3
This update for openjpeg2 fixes the following issues:
- CVE 2016-7163: Integer Overflow could lead to remote code execution (bsc#997857).
- CVE 2015-8871: Use-after-free in opj_j2k_write_mco function could lead to denial of service (bsc#979907).
ImportantSUSE bug 979907SUSE bug 997857CVE-2015-8871 at SUSECVE-2015-8871 at NVDCVE-2016-7163 at SUSECVE-2016-7163 at NVDcpe:/o:suse:sles:12:sp3Security update for libxml2 (Low)SUSE Linux Enterprise Server 12 SP3
This update for libxml2 fixes the following issues:
Security issues fixed:
- CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444)
LowSUSE bug 1038444CVE-2017-8872 at SUSECVE-2017-8872 at NVDcpe:/o:suse:sles:12:sp3Security update for curl (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for curl fixes the following issues:
- CVE-2017-1000100: TFP sends more than buffer size and it could lead to a denial of service (bsc#1051644)
- CVE-2017-1000101: URL globbing out of bounds read could lead to a denial of service (bsc#1051643)
ModerateSUSE bug 1051643SUSE bug 1051644CVE-2017-1000100 at SUSECVE-2017-1000100 at NVDCVE-2017-1000101 at SUSECVE-2017-1000101 at NVDcpe:/o:suse:sles:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3
This java-1_8_0-openjdk update to version jdk8u141 (icedtea 3.5.0) fixes the following issues:
Security issues fixed:
- CVE-2017-10053: Improved image post-processing steps (bsc#1049305)
- CVE-2017-10067: Additional jar validation steps (bsc#1049306)
- CVE-2017-10074: Image conversion improvements (bsc#1049307)
- CVE-2017-10078: Better script accessibility for JavaScript (bsc#1049308)
- CVE-2017-10081: Right parenthesis issue (bsc#1049309)
- CVE-2017-10086: Unspecified vulnerability in subcomponent JavaFX (bsc#1049310)
- CVE-2017-10087: Better Thread Pool execution (bsc#1049311)
- CVE-2017-10089: Service Registration Lifecycle (bsc#1049312)
- CVE-2017-10090: Better handling of channel groups (bsc#1049313)
- CVE-2017-10096: Transform Transformer Exceptions (bsc#1049314)
- CVE-2017-10101: Better reading of text catalogs (bsc#1049315)
- CVE-2017-10102: Improved garbage collection (bsc#1049316)
- CVE-2017-10105: Unspecified vulnerability in subcomponent deployment (bsc#1049317)
- CVE-2017-10107: Less Active Activations (bsc#1049318)
- CVE-2017-10108: Better naming attribution (bsc#1049319)
- CVE-2017-10109: Better sourcing of code (bsc#1049320)
- CVE-2017-10110: Better image fetching (bsc#1049321)
- CVE-2017-10111: Rearrange MethodHandle arrangements (bsc#1049322)
- CVE-2017-10114: Unspecified vulnerability in subcomponent JavaFX (bsc#1049323)
- CVE-2017-10115: Higher quality DSA operations (bsc#1049324)
- CVE-2017-10116: Proper directory lookup processing (bsc#1049325)
- CVE-2017-10118: Higher quality ECDSA operations (bsc#1049326)
- CVE-2017-10125: Unspecified vulnerability in subcomponent deployment (bsc#1049327)
- CVE-2017-10135: Better handling of PKCS8 material (bsc#1049328)
- CVE-2017-10176: Additional elliptic curve support (bsc#1049329)
- CVE-2017-10193: Improve algorithm constraints implementation (bsc#1049330)
- CVE-2017-10198: Clear certificate chain connections (bsc#1049331)
- CVE-2017-10243: Unspecified vulnerability in subcomponent JAX-WS (bsc#1049332)
Bug fixes:
- Check registry registration location
- Improved certificate processing
- JMX diagnostic improvements
- Update to libpng 1.6.28
- Import of OpenJDK 8 u141 build 15 (bsc#1049302)
New features:
- Support using RSAandMGF1 with the SHA hash algorithms in the PKCS11 provider
ImportantSUSE bug 1049302SUSE bug 1049305SUSE bug 1049306SUSE bug 1049307SUSE bug 1049308SUSE bug 1049309SUSE bug 1049310SUSE bug 1049311SUSE bug 1049312SUSE bug 1049313SUSE bug 1049314SUSE bug 1049315SUSE bug 1049316SUSE bug 1049317SUSE bug 1049318SUSE bug 1049319SUSE bug 1049320SUSE bug 1049321SUSE bug 1049322SUSE bug 1049323SUSE bug 1049324SUSE bug 1049325SUSE bug 1049326SUSE bug 1049327SUSE bug 1049328SUSE bug 1049329SUSE bug 1049330SUSE bug 1049331SUSE bug 1049332CVE-2017-10053 at SUSECVE-2017-10053 at NVDCVE-2017-10067 at SUSECVE-2017-10067 at NVDCVE-2017-10074 at SUSECVE-2017-10074 at NVDCVE-2017-10078 at SUSECVE-2017-10078 at NVDCVE-2017-10081 at SUSECVE-2017-10081 at NVDCVE-2017-10086 at SUSECVE-2017-10086 at NVDCVE-2017-10087 at SUSECVE-2017-10087 at NVDCVE-2017-10089 at SUSECVE-2017-10089 at NVDCVE-2017-10090 at SUSECVE-2017-10090 at NVDCVE-2017-10096 at SUSECVE-2017-10096 at NVDCVE-2017-10101 at SUSECVE-2017-10101 at NVDCVE-2017-10102 at SUSECVE-2017-10102 at NVDCVE-2017-10105 at SUSECVE-2017-10105 at NVDCVE-2017-10107 at SUSECVE-2017-10107 at NVDCVE-2017-10108 at SUSECVE-2017-10108 at NVDCVE-2017-10109 at SUSECVE-2017-10109 at NVDCVE-2017-10110 at SUSECVE-2017-10110 at NVDCVE-2017-10111 at SUSECVE-2017-10111 at NVDCVE-2017-10114 at SUSECVE-2017-10114 at NVDCVE-2017-10115 at SUSECVE-2017-10115 at NVDCVE-2017-10116 at SUSECVE-2017-10116 at NVDCVE-2017-10118 at SUSECVE-2017-10118 at NVDCVE-2017-10125 at SUSECVE-2017-10125 at NVDCVE-2017-10135 at SUSECVE-2017-10135 at NVDCVE-2017-10176 at SUSECVE-2017-10176 at NVDCVE-2017-10193 at SUSECVE-2017-10193 at NVDCVE-2017-10198 at SUSECVE-2017-10198 at NVDCVE-2017-10243 at SUSECVE-2017-10243 at NVDcpe:/o:suse:sles:12:sp3Security update for freeradius-server (Important)SUSE Linux Enterprise Server 12 SP3
This update for freeradius-server fixes the following issues:
- update to 3.0.15 (bsc#1049086)
* Bind the lifetime of program name and python path to the module
* CVE-2017-10978: FR-GV-201: Check input / output length in make_secret() (bsc#1049086)
* CVE-2017-10983: FR-GV-206: Fix read overflow when decoding DHCP option 63 (bsc#1049086)
* CVE-2017-10984: FR-GV-301: Fix write overflow in data2vp_wimax() (bsc#1049086)
* CVE-2017-10985: FR-GV-302: Fix infinite loop and memory exhaustion with 'concat' attributes (bsc#1049086)
* CVE-2017-10986: FR-GV-303: Fix infinite read in dhcp_attr2vp() (bsc#1049086)
* CVE-2017-10987: FR-GV-304: Fix buffer over-read in fr_dhcp_decode_suboptions() (bsc#1049086)
* CVE-2017-10988: FR-GV-305: Decode 'signed' attributes correctly. (bsc#1049086)
* FR-AD-001: use strncmp() instead of memcmp() for bounded data
* Print messages when we see deprecated configuration items
* Show reasons why we couldn't parse a certificate expiry time
* Be more accepting about truncated ASN1 times.
* Fix OpenSSL API issue which could leak small amounts of memory.
* For Access-Reject, call rad_authlog() after running the
post-auth section, just like for Access-Accept.
* Don't crash when reading corrupted data from session resumption
cache.
* Parse port in dhcpclient.
* Don't leak memory for OpenSSL.
* Portability fixes taken from OpenBSD port collection.
* run rad_authlog after post-auth for Access-Reject.
* Don't process VMPS packets twice.
* Fix attribute truncation in rlm_perl
* Fix bug when processing huntgroups.
* FR-AD-002 - Bind the lifetime of program name and python path to the module
* FR-AD-003 - Pass correct statement length into sqlite3_prepare[_v2]
ImportantSUSE bug 1049086CVE-2017-10978 at SUSECVE-2017-10978 at NVDCVE-2017-10983 at SUSECVE-2017-10983 at NVDCVE-2017-10984 at SUSECVE-2017-10984 at NVDCVE-2017-10985 at SUSECVE-2017-10985 at NVDCVE-2017-10986 at SUSECVE-2017-10986 at NVDCVE-2017-10987 at SUSECVE-2017-10987 at NVDCVE-2017-10988 at SUSECVE-2017-10988 at NVDcpe:/o:suse:sles:12:sp3Security update for libplist (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libplist fixes the following issues:
Security issues fixed:
- CVE-2017-6439: Heap-based buffer overflow in the parse_string_node function. (bsc#1029638)
- CVE-2017-6438: Heap-based buffer overflow in the parse_unicode_node function. (bsc#1029706)
- CVE-2017-6437: The base64encode function in base64.c allows local users to cause denial of service
(out-of-bounds read) via a crafted plist file. (bsc#1029707)
- CVE-2017-6436: Integer overflow in parse_string_node. (bsc#1029751)
- CVE-2017-6435: Crafted plist file could lead to Heap-buffer overflow. (bsc#1029639)
ModerateSUSE bug 1029638SUSE bug 1029639SUSE bug 1029706SUSE bug 1029707SUSE bug 1029751CVE-2017-6435 at SUSECVE-2017-6435 at NVDCVE-2017-6436 at SUSECVE-2017-6436 at NVDCVE-2017-6437 at SUSECVE-2017-6437 at NVDCVE-2017-6438 at SUSECVE-2017-6438 at NVDCVE-2017-6439 at SUSECVE-2017-6439 at NVDcpe:/o:suse:sles:12:sp3Security update for ImageMagick (Important)SUSE Linux Enterprise Server 12 SP3
This update for ImageMagick fixes the following issues:
Security issues fixed:
- CVE-2017-9439: A memory leak was found in the function ReadPDBImage incoders/pdb.c (bsc#1042826)
- CVE-2017-9440: A memory leak was found in the function ReadPSDChannelin coders/psd.c (bsc#1042812)
- CVE-2017-9501: An assertion failure could cause a denial of service via a crafted file (bsc#1043289)
- CVE-2017-11403: ReadMNGImage function in coders/png.c has an out-of-order CloseBlob call, resulting
in a use-after-free via acrafted file (bsc#1049072)
ImportantSUSE bug 1042812SUSE bug 1042826SUSE bug 1043289SUSE bug 1049072CVE-2017-11403 at SUSECVE-2017-11403 at NVDCVE-2017-9439 at SUSECVE-2017-9439 at NVDCVE-2017-9440 at SUSECVE-2017-9440 at NVDCVE-2017-9501 at SUSECVE-2017-9501 at NVDcpe:/o:suse:sles:12:sp3Security update for openvswitch (Important)SUSE Linux Enterprise Server 12 SP3
This update for openvswitch fixes the following issues:
- CVE-2017-9263: OpenFlow role status message can cause a call to abort() leading to application crash (bsc#1041470)
- CVE-2017-9265: Buffer over-read while parsing message could lead to crash or maybe arbitrary code execution (bsc#1041447)
- Do not restart the ovs-vswitchd and ovsdb-server services
on package updates (bsc#1002734)
- Do not restart the ovs-vswitchd, ovsdb-server and openvswitch
services on package removals. This facilitates potential future
package moves but also preserves connectivity when the package is
removed (bsc#1050896)
ImportantSUSE bug 1002734SUSE bug 1041447SUSE bug 1041470SUSE bug 1050896CVE-2017-9263 at SUSECVE-2017-9263 at NVDCVE-2017-9265 at SUSECVE-2017-9265 at NVDcpe:/o:suse:sles:12:sp3Security update for gnome-shell (Low)SUSE Linux Enterprise Server 12 SP3
This update for gnome-shell provides the following fixes:
- Fix not intuitive login screen for root user (bsc#1047262)
- Disable session selection button when it's hidden in user switch dialog (bsc#1034584, bsc#1034827)
- Fix app windows overlay app list in overview screen (bsc#1008539)
- Properly handle failures when loading extensions (bsc#1036494, CVE-2017-8288)
LowSUSE bug 1008539SUSE bug 1034584SUSE bug 1034827SUSE bug 1036494SUSE bug 1047262CVE-2017-8288 at SUSECVE-2017-8288 at NVDcpe:/o:suse:sles:12:sp3Security update for samba and resource-agents (Important)SUSE Linux Enterprise Server 12 SP3
This update provides Samba 4.6.7, which fixes the following issues:
- CVE-2017-11103: Metadata were being taken from the unauthenticated plaintext (the Ticket)
rather than the authenticated and encrypted KDC response. (bsc#1048278)
- Fix cephwrap_chdir(). (bsc#1048790)
- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb. (bsc#1048339)
- Fix inconsistent ctdb socket path. (bsc#1048352)
- Fix non-admin cephx authentication. (bsc#1048387)
- CTDB cannot start when there is no persistent database. (bsc#1052577)
The CTDB resource agent was also fixed to not fail when the database is empty.
ImportantSUSE bug 1048278SUSE bug 1048339SUSE bug 1048352SUSE bug 1048387SUSE bug 1048790SUSE bug 1052577SUSE bug 1054017CVE-2017-11103 at SUSECVE-2017-11103 at NVDcpe:/o:suse:sles:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3
This update for java-1_8_0-ibm fixes the following issues:
- Version update to 8.0-4.10 [bsc#1053431]
CVE-2017-10111, CVE-2017-10110, CVE-2017-10107, CVE-2017-10101, CVE-2017-10096, CVE-2017-10090, CVE-2017-10089,
CVE-2017-10087, CVE-2017-10102, CVE-2017-10116, CVE-2017-10074, CVE-2017-10078, CVE-2017-10115, CVE-2017-10067,
CVE-2017-10125, CVE-2017-10243, CVE-2017-10109, CVE-2017-10108, CVE-2017-10053, CVE-2017-10105, CVE-2017-10081:
Multiple unspecified vulnerabilities in multiple Java components could lead to code execution or sandbox escape
More information can be found here: https://developer.ibm.com/javasdk/support/security-vulnerabilities/#Oracle_July_18_2017_CPU
ImportantSUSE bug 1053431CVE-2017-10053 at SUSECVE-2017-10053 at NVDCVE-2017-10067 at SUSECVE-2017-10067 at NVDCVE-2017-10074 at SUSECVE-2017-10074 at NVDCVE-2017-10078 at SUSECVE-2017-10078 at NVDCVE-2017-10081 at SUSECVE-2017-10081 at NVDCVE-2017-10087 at SUSECVE-2017-10087 at NVDCVE-2017-10089 at SUSECVE-2017-10089 at NVDCVE-2017-10090 at SUSECVE-2017-10090 at NVDCVE-2017-10096 at SUSECVE-2017-10096 at NVDCVE-2017-10101 at SUSECVE-2017-10101 at NVDCVE-2017-10102 at SUSECVE-2017-10102 at NVDCVE-2017-10105 at SUSECVE-2017-10105 at NVDCVE-2017-10107 at SUSECVE-2017-10107 at NVDCVE-2017-10108 at SUSECVE-2017-10108 at NVDCVE-2017-10109 at SUSECVE-2017-10109 at NVDCVE-2017-10110 at SUSECVE-2017-10110 at NVDCVE-2017-10111 at SUSECVE-2017-10111 at NVDCVE-2017-10115 at SUSECVE-2017-10115 at NVDCVE-2017-10116 at SUSECVE-2017-10116 at NVDCVE-2017-10125 at SUSECVE-2017-10125 at NVDCVE-2017-10243 at SUSECVE-2017-10243 at NVDcpe:/o:suse:sles:12:sp3Security update for libzypp (Important)SUSE Linux Enterprise Server 12 SP3
The Software Update Stack was updated to receive fixes and enhancements.
libzypp:
- CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows, mainly for unsigned
repositories and packages. (bsc#1045735, bsc#1038984)
- Fix gpg-pubkey release (creation time) computation. (bsc#1036659)
- Update lsof blacklist. (bsc#1046417)
- Re-probe on refresh if the repository type changes. (bsc#1048315)
- Propagate proper error code to DownloadProgressReport. (bsc#1047785)
- Allow to trigger an appdata refresh unconditionally. (bsc#1009745)
- Support custom repo variables defined in /etc/zypp/vars.d.
yast2-pkg-bindings:
- Do not crash when the repository URL is not defined. (bsc#1043218)
ImportantSUSE bug 1009745SUSE bug 1036659SUSE bug 1038984SUSE bug 1043218SUSE bug 1045735SUSE bug 1046417SUSE bug 1047785SUSE bug 1048315CVE-2017-7435 at SUSECVE-2017-7435 at NVDCVE-2017-7436 at SUSECVE-2017-7436 at NVDCVE-2017-9269 at SUSECVE-2017-9269 at NVDcpe:/o:suse:sles:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3
This update for java-1_7_1-ibm fixes the following issues:
- Version update to 7.1-4.10 [bsc#1053431]
* CVE-2017-10111 CVE-2017-10110 CVE-2017-10107 CVE-2017-10101
CVE-2017-10096 CVE-2017-10090 CVE-2017-10089 CVE-2017-10087
CVE-2017-10102 CVE-2017-10116 CVE-2017-10074 CVE-2017-10115
CVE-2017-10067 CVE-2017-10125 CVE-2017-10243 CVE-2017-10109
CVE-2017-10108 CVE-2017-10053 CVE-2017-10105 CVE-2017-10081: Multiple unspecified vulnerabilities
in multiple Java components could lead to code execution or sandbox escape
More information can be found here: https://developer.ibm.com/javasdk/support/security-vulnerabilities/#Oracle_July_18_2017_CPU
ImportantSUSE bug 1053431CVE-2017-10053 at SUSECVE-2017-10053 at NVDCVE-2017-10067 at SUSECVE-2017-10067 at NVDCVE-2017-10074 at SUSECVE-2017-10074 at NVDCVE-2017-10081 at SUSECVE-2017-10081 at NVDCVE-2017-10087 at SUSECVE-2017-10087 at NVDCVE-2017-10089 at SUSECVE-2017-10089 at NVDCVE-2017-10090 at SUSECVE-2017-10090 at NVDCVE-2017-10096 at SUSECVE-2017-10096 at NVDCVE-2017-10101 at SUSECVE-2017-10101 at NVDCVE-2017-10102 at SUSECVE-2017-10102 at NVDCVE-2017-10105 at SUSECVE-2017-10105 at NVDCVE-2017-10107 at SUSECVE-2017-10107 at NVDCVE-2017-10108 at SUSECVE-2017-10108 at NVDCVE-2017-10109 at SUSECVE-2017-10109 at NVDCVE-2017-10110 at SUSECVE-2017-10110 at NVDCVE-2017-10111 at SUSECVE-2017-10111 at NVDCVE-2017-10115 at SUSECVE-2017-10115 at NVDCVE-2017-10116 at SUSECVE-2017-10116 at NVDCVE-2017-10125 at SUSECVE-2017-10125 at NVDCVE-2017-10243 at SUSECVE-2017-10243 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3
The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.82 to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2017-1000111: Fixed a race condition in net-packet code that could be exploited to cause out-of-bounds memory access (bsc#1052365).
- CVE-2017-1000112: Fixed a race condition in net-packet code that could have been exploited by unprivileged users to gain root access. (bsc#1052311).
- CVE-2017-8831: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a 'double fetch' vulnerability (bnc#1037994).
- CVE-2017-7542: The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel allowed local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket (bnc#1049882).
- CVE-2017-11473: Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel allowed local users to gain privileges via a crafted ACPI table (bnc#1049603).
- CVE-2017-7533: Race condition in the fsnotify implementation in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) via a crafted application that leverages simultaneous execution of the inotify_handle_event and vfs_rename functions (bnc#1049483 bnc#1050677).
- CVE-2017-7541: The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel allowed local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet (bnc#1049645).
- CVE-2017-10810: Memory leak in the virtio_gpu_object_create function in drivers/gpu/drm/virtio/virtgpu_object.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering object-initialization failures (bnc#1047277).
The following non-security bugs were fixed:
- acpi/nfit: Add support of NVDIMM memory error notification in ACPI 6.2 (bsc#1052325).
- acpi/nfit: Issue Start ARS to retrieve existing records (bsc#1052325).
- acpi / processor: Avoid reserving IO regions too early (bsc#1051478).
- acpi / scan: Prefer devices without _HID for _ADR matching (git-fixes).
- Add 'shutdown' to 'struct class' (bsc#1053117).
- af_key: Add lock to key dump (bsc#1047653).
- af_key: Fix slab-out-of-bounds in pfkey_compile_policy (bsc#1047354).
- alsa: fm801: Initialize chip after IRQ handler is registered (bsc#1031717).
- alsa: hda - add more ML register definitions (bsc#1048356).
- alsa: hda - add sanity check to force the separate stream tags (bsc#1048356).
- alsa: hda: Add support for parsing new HDA capabilities (bsc#1048356).
- alsa: hdac: Add support for hda DMA Resume capability (bsc#1048356).
- alsa: hdac_regmap - fix the register access for runtime PM (bsc#1048356).
- alsa: hda: Fix cpu lockup when stopping the cmd dmas (bsc#1048356).
- alsa: hda - Fix endless loop of codec configure (bsc#1031717).
- alsa: hda: fix to wait for RIRB & CORB DMA to set (bsc#1048356).
- alsa: hda - Loop interrupt handling until really cleared (bsc#1048356).
- alsa: hda - move bus_parse_capabilities to core (bsc#1048356).
- alsa: hda - set input_path bitmap to zero after moving it to new place (bsc#1031717).
- alsa: hda - set intel audio clock to a proper value (bsc#1048356).
- arm64: kernel: restrict /dev/mem read() calls to linear region (bsc#1046651).
- arm64: mm: remove page_mapping check in __sync_icache_dcache (bsc#1040347).
- arm64: Update config files. Disable DEVKMEM
- b43: Add missing MODULE_FIRMWARE() (bsc#1037344).
- bcache: force trigger gc (bsc#1038078).
- bcache: only recovery I/O error for writethrough mode (bsc#1043652).
- bcache: only recovery I/O error for writethrough mode (bsc#1043652).
- bdi: Fix use-after-free in wb_congested_put() (bsc#1040307).
- blacklist.conf: 9eeacd3a2f17 not a bug fix (bnc#1050061)
- blacklist.conf: add inapplicable commits for wifi (bsc#1031717)
- blacklist.conf: add non-applicable fixes for iwlwifi (FATE#323335)
- blacklist.conf: add unapplicable/cosmetic iwlwifi fixes (bsc#1031717).
- blacklist.conf: add unapplicable drm fixes (bsc#1031717).
- blacklist.conf: Blacklist aa2369f11ff7 ('mm/gup.c: fix access_ok() argument type') (bsc#1051478) Fixes only a compile-warning.
- blacklist.conf: Blacklist c133c7615751 ('x86/nmi: Fix timeout test in test_nmi_ipi()') It only fixes a self-test (bsc#1051478).
- blacklist.conf: Blacklist c9525a3fab63 ('x86/watchdog: Fix Kconfig help text file path reference to lockup watchdog documentation') Updates only kconfig help-text (bsc#1051478).
- blkfront: add uevent for size change (bnc#1036632).
- blk-mq: map all HWQ also in hyperthreaded system (bsc#1045866).
- block: add kblock_mod_delayed_work_on() (bsc#1050211).
- block: Allow bdi re-registration (bsc#1040307).
- block: do not allow updates through sysfs until registration completes (bsc#1047027).
- block: Fix front merge check (bsc#1051239).
- block: Make blk_mq_delay_kick_requeue_list() rerun the queue at a quiet time (bsc#1050211).
- block: Make del_gendisk() safer for disks without queues (bsc#1040307).
- block: Move bdi_unregister() to del_gendisk() (bsc#1040307).
- block: provide bio_uninit() free freeing integrity/task associations (bsc#1050211).
- bluetooth: hidp: fix possible might sleep error in hidp_session_thread (bsc#1031784).
- brcmfmac: Fix glom_skb leak in brcmf_sdiod_recv_chain (bsc#1031717).
- btrfs: add cond_resched to btrfs_qgroup_trace_leaf_items (bsc#1028286).
- btrfs: Add WARN_ON for qgroup reserved underflow (bsc#1031515).
- btrfs: Do not clear SGID when inheriting ACLs (bsc#1030552).
- btrfs: fix lockup in find_free_extent with read-only block groups (bsc#1046682).
- btrfs: incremental send, fix invalid path for link commands (bsc#1051479).
- btrfs: incremental send, fix invalid path for unlink commands (bsc#1051479).
- btrfs: Manually implement device_total_bytes getter/setter (bsc#1043912).
- btrfs: resume qgroup rescan on rw remount (bsc#1047152).
- btrfs: Round down values which are written for total_bytes_size (bsc#1043912).
- btrfs: send, fix invalid path after renaming and linking file (bsc#1051479).
- cifs: Fix some return values in case of error in 'crypt_message' (bnc#1047802).
- clocksource/drivers/arm_arch_timer: Fix read and iounmap of incorrect variable (bsc#1045937).
- cpuidle: dt: Add missing 'of_node_put()' (bnc#1022476).
- crypto: s5p-sss - fix incorrect usage of scatterlists api (bsc#1048317).
- cx82310_eth: use skb_cow_head() to deal with cloned skbs (bsc# 1045154).
- cxgb4: fix a NULL dereference (bsc#1005778).
- cxgb4: fix BUG() on interrupt deallocating path of ULD (bsc#1005778).
- cxgb4: fix memory leak in init_one() (bsc#1005778).
- cxl: Unlock on error in probe (bsc#1034762, Pending SUSE Kernel Fixes).
- dentry name snapshots (bsc#1049483).
- device-dax: fix sysfs attribute deadlock (bsc#1048919).
- dm: fix second blk_delay_queue() parameter to be in msec units not (bsc#1047670).
- dm: make flush bios explicitly sync (bsc#1050211).
- dm raid1: fixes two crash cases if mirror leg failed (bsc#1043520)
- drivers/char: kmem: disable on arm64 (bsc#1046655).
- drivers: hv: As a bandaid, increase HV_UTIL_TIMEOUT from 30 to 60 seconds (bnc#1039153)
- drivers: hv: Fix a typo (fate#320485).
- drivers: hv: Fix the bug in generating the guest ID (fate#320485).
- drivers: hv: util: Fix a typo (fate#320485).
- drivers: hv: util: Make hv_poll_channel() a little more efficient (fate#320485).
- drivers: hv: vmbus: Close timing hole that can corrupt per-cpu page (fate#320485).
- drivers: hv: vmbus: Fix error code returned by vmbus_post_msg() (fate#320485).
- drivers: hv: vmbus: Get the current time from the current clocksource (fate#320485, bnc#1044112).
- drivers: hv: vmbus: Get the current time from the current clocksource (fate#320485, bnc#1044112, bnc#1042778, bnc#1029693).
- drivers: hv: vmbus: Increase the time between retries in vmbus_post_msg() (fate#320485, bnc#1044112).
- drivers: hv: vmbus: Increase the time between retries in vmbus_post_msg() (fate#320485, bnc#1044112).
- drivers: hv: vmbus: Move the code to signal end of message (fate#320485).
- drivers: hv: vmbus: Move the definition of generate_guest_id() (fate#320485).
- drivers: hv: vmbus: Move the definition of hv_x64_msr_hypercall_contents (fate#320485).
- drivers: hv: vmbus: Restructure the clockevents code (fate#320485).
- drm/amdgpu: Fix overflow of watermark calcs at > 4k resolutions (bsc#1031717).
- drm/bochs: Implement nomodeset (bsc#1047096).
- drm/i915/fbdev: Stop repeating tile configuration on stagnation (bsc#1031717).
- drm/i915: Fix scaler init during CRTC HW state readout (bsc#1031717).
- drm/i915: Serialize GTT/Aperture accesses on BXT (bsc#1046821).
- drm/virtio: do not leak bo on drm_gem_object_init failure (bsc#1047277).
- drm/vmwgfx: Fix large topology crash (bsc#1048155).
- drm/vmwgfx: Support topology greater than texture size (bsc#1048155).
- Drop patches; obsoleted by 'scsi: Add STARGET_CREATE_REMOVE state'
- efi/libstub: Skip GOP with PIXEL_BLT_ONLY format (bnc#974215).
- ext2: Do not clear SGID when inheriting ACLs (bsc#1030552).
- ext4: avoid unnecessary stalls in ext4_evict_inode() (bsc#1049486).
- ext4: Do not clear SGID when inheriting ACLs (bsc#1030552).
- ext4: handle the rest of ext4_mb_load_buddy() ENOMEM errors (bsc#1012829).
- Fix kABI breakage by HD-audio bus caps extensions (bsc#1048356).
- Fix kABI breakage by KVM CVE fix (bsc#1045922).
- fs/fcntl: f_setown, avoid undefined behaviour (bnc#1006180).
- fs: pass on flags in compat_writev (bsc#1050211).
- fuse: initialize the flock flag in fuse_file on allocation (git-fixes).
- gcov: add support for gcc version >= 6 (bsc#1051663).
- gcov: support GCC 7.1 (bsc#1051663).
- gfs2: fix flock panic issue (bsc#1012829).
- hpsa: limit transfer length to 1MB (bsc#1025461).
- hrtimer: Catch invalid clockids again (bsc#1047651).
- hrtimer: Revert CLOCK_MONOTONIC_RAW support (bsc#1047651).
- hv_netvsc: change netvsc device default duplex to FULL (fate#320485).
- hv_netvsc: Exclude non-TCP port numbers from vRSS hashing (bsc#1048421).
- hv_netvsc: Fix the carrier state error when data path is off (fate#320485).
- hv_netvsc: Fix the queue index computation in forwarding case (bsc#1048421).
- hv_netvsc: Remove unnecessary var link_state from struct netvsc_device_info (fate#320485).
- hv: print extra debug in kvp_on_msg in error paths (bnc#1039153).
- hv_utils: drop .getcrosststamp() support from PTP driver (fate#320485, bnc#1044112).
- hv_utils: drop .getcrosststamp() support from PTP driver (fate#320485, bnc#1044112, bnc#1042778, bnc#1029693).
- hv_utils: fix TimeSync work on pre-TimeSync-v4 hosts (fate#320485, bnc#1044112).
- hv_utils: fix TimeSync work on pre-TimeSync-v4 hosts (fate#320485, bnc#1044112, bnc#1042778, bnc#1029693).
- hv_util: switch to using timespec64 (fate#320485).
- hwpoison, memcg: forcibly uncharge LRU pages (bnc#1046105).
- hyperv: fix warning about missing prototype (fate#320485).
- hyperv: netvsc: Neaten netvsc_send_pkt by using a temporary (fate#320485).
- hyperv: remove unnecessary return variable (fate#320485).
- i2c: designware-baytrail: fix potential null pointer dereference on dev (bsc#1011913).
- i40e: add hw struct local variable (bsc#1039915).
- i40e: add private flag to control source pruning (bsc#1034075).
- i40e: add VSI info to macaddr messages (bsc#1039915).
- i40e: avoid looping to check whether we're in VLAN mode (bsc#1039915).
- i40e: avoid O(n^2) loop when deleting all filters (bsc#1039915).
- i40e: delete filter after adding its replacement when converting (bsc#1039915).
- i40e: do not add broadcast filter for VFs (bsc#1039915).
- i40e: do not allow i40e_vsi_(add|kill)_vlan to operate when VID<1 (bsc#1039915).
- i40e: drop is_vf and is_netdev fields in struct i40e_mac_filter (bsc#1039915).
- i40e: enable VSI broadcast promiscuous mode instead of adding broadcast filter (bsc#1039915).
- i40e: factor out addition/deletion of VLAN per each MAC address (bsc#1039915).
- i40e: fix ethtool to get EEPROM data from X722 interface (bsc#1047418).
- i40e: fix MAC filters when removing VLANs (bsc#1039915).
- i40e: fold the i40e_is_vsi_in_vlan check into i40e_put_mac_in_vlan (bsc#1039915).
- i40e/i40evf: Fix use after free in Rx cleanup path (bsc#1051689).
- i40e: implement __i40e_del_filter and use where applicable (bsc#1039915).
- i40e: make use of __dev_uc_sync and __dev_mc_sync (bsc#1039915).
- i40e: move all updates for VLAN mode into i40e_sync_vsi_filters (bsc#1039915).
- i40e: move i40e_put_mac_in_vlan and i40e_del_mac_all_vlan (bsc#1039915).
- i40e: no need to check is_vsi_in_vlan before calling i40e_del_mac_all_vlan (bsc#1039915).
- i40e: properly cleanup on allocation failure in i40e_sync_vsi_filters (bsc#1039915).
- i40e: recalculate vsi->active_filters from hash contents (bsc#1039915).
- i40e: refactor i40e_put_mac_in_vlan to avoid changing f->vlan (bsc#1039915).
- i40e: refactor i40e_update_filter_state to avoid passing aq_err (bsc#1039915).
- i40e: refactor Rx filter handling (bsc#1039915).
- i40e: Removal of workaround for simple MAC address filter deletion (bsc#1039915).
- i40e: remove code to handle dev_addr specially (bsc#1039915).
- i40e: removed unreachable code (bsc#1039915).
- i40e: remove duplicate add/delete adminq command code for filters (bsc#1039915).
- i40e: remove second check of VLAN_N_VID in i40e_vlan_rx_add_vid (bsc#1039915).
- i40e: rename i40e_put_mac_in_vlan and i40e_del_mac_all_vlan (bsc#1039915).
- i40e: restore workaround for removing default MAC filter (bsc#1039915).
- i40e: set broadcast promiscuous mode for each active VLAN (bsc#1039915).
- i40e: store MAC/VLAN filters in a hash with the MAC Address as key (bsc#1039915).
- i40e: use (add|rm)_vlan_all_mac helper functions when changing PVID (bsc#1039915).
- i40evf: fix merge error in older patch (bsc#1024346 FATE#321239 bsc#1024373 FATE#321247).
- i40e: when adding or removing MAC filters, correctly handle VLANs (bsc#1039915).
- i40e: When searching all MAC/VLAN filters, ignore removed filters (bsc#1039915).
- i40e: write HENA for VFs (bsc#1039915).
- IB/hfi1: Wait for QSFP modules to initialize (bsc#1019151).
- IB/iser: Fix connection teardown race condition (bsc#1050211).
- ibmvnic: Check for transport event on driver resume (bsc#1051556, bsc#1052709).
- ibmvnic: Initialize SCRQ's during login renegotiation (bsc#1052223).
- ibmvnic: Report rx buffer return codes as netdev_dbg (bsc#1052794).
- IB/rxe: Fix kernel panic from skb destructor (bsc#1049361).
- iio: hid-sensor: fix return of -EINVAL on invalid values in ret or value (bsc#1031717).
- include/linux/mmzone.h: simplify zone_intersects() (bnc#1047506).
- input: gpio-keys - fix check for disabling unsupported keys (bsc#1031717).
- introduce the walk_process_tree() helper (bnc#1022476).
- iommu/amd: Add flush counters to struct dma_ops_domain (bsc#1045709).
- iommu/amd: Add locking to per-domain flush-queue (bsc#1045709).
- iommu/amd: Add new init-state IOMMU_CMDLINE_DISABLED (bsc#1045715).
- iommu/amd: Add per-domain flush-queue data structures (bsc#1045709).
- iommu/amd: Add per-domain timer to flush per-cpu queues (bsc#1045709).
- iommu/amd: Check for error states first in iommu_go_to_state() (bsc#1045715).
- iommu/amd: Constify irq_domain_ops (bsc#1045709).
- iommu/amd: Disable IOMMUs at boot if they are enabled (bsc#1045715).
- iommu/amd: Enable ga_log_intr when enabling guest_mode (bsc1052533).
- iommu/amd: Fix interrupt remapping when disable guest_mode (bsc#1051471).
- iommu/amd: Fix schedule-while-atomic BUG in initialization code (bsc1052533).
- iommu/amd: Free already flushed ring-buffer entries before full-check (bsc#1045709).
- iommu/amd: Free IOMMU resources when disabled on command line (bsc#1045715).
- iommu/amd: Make use of the per-domain flush queue (bsc#1045709).
- iommu/amd: Ratelimit io-page-faults per device (bsc#1045709).
- iommu/amd: Reduce amount of MMIO when submitting commands (bsc#1045709).
- iommu/amd: Reduce delay waiting for command buffer space (bsc#1045709).
- iommu/amd: Remove amd_iommu_disabled check from amd_iommu_detect() (bsc#1045715).
- iommu/amd: Remove queue_release() function (bsc#1045709).
- iommu/amd: Rename free_on_init_error() (bsc#1045715).
- iommu/amd: Rip out old queue flushing code (bsc#1045709).
- iommu/amd: Set global pointers to NULL after freeing them (bsc#1045715).
- iommu/amd: Suppress IO_PAGE_FAULTs in kdump kernel (bsc#1045715 bsc#1043261).
- iommu: Remove a patch because it caused problems for users. See bsc#1048348.
- ipv4: Should use consistent conditional judgement for ip fragment in __ip_append_data and ip_finish_output (bsc#1041958).
- ipv6: Should use consistent conditional judgement for ip6 fragment between __ip6_append_data and ip6_finish_output (bsc#1041958).
- iw_cxgb4: Fix error return code in c4iw_rdev_open() (bsc#1026570).
- iwlwifi: 8000: fix MODULE_FIRMWARE input (FATE#321353, FATE#323335).
- iwlwifi: 9000: increase the number of queues (FATE#321353, FATE#323335).
- iwlwifi: add device ID for 8265 (FATE#321353, FATE#323335).
- iwlwifi: add device IDs for the 8265 device (FATE#321353, FATE#323335).
- iwlwifi: add disable_11ac module param (FATE#321353, FATE#323335).
- iwlwifi: add new 3168 series devices support (FATE#321353, FATE#323335).
- iwlwifi: add new 8260 PCI IDs (FATE#321353, FATE#323335).
- iwlwifi: add new 8265 (FATE#321353, FATE#323335).
- iwlwifi: add new 8265 series PCI ID (FATE#321353, FATE#323335).
- iwlwifi: Add new PCI IDs for 9260 and 5165 series (FATE#321353, FATE#323335).
- iwlwifi: Add PCI IDs for the new 3168 series (FATE#321353, FATE#323335).
- iwlwifi: Add PCI IDs for the new series 8165 (FATE#321353, FATE#323335).
- iwlwifi: add support for 12K Receive Buffers (FATE#321353, FATE#323335).
- iwlwifi: add support for getting HW address from CSR (FATE#321353, FATE#323335).
- iwlwifi: avoid d0i3 commands when no/init ucode is loaded (FATE#321353, FATE#323335).
- iwlwifi: bail out in case of bad trans state (FATE#321353, FATE#323335).
- iwlwifi: block the queues when we send ADD_STA for uAPSD (FATE#321353, FATE#323335).
- iwlwifi: change the Intel Wireless email address (FATE#321353, FATE#323335).
- iwlwifi: change the Intel Wireless email address (FATE#321353, FATE#323335).
- iwlwifi: check for valid ethernet address provided by OEM (FATE#321353, FATE#323335).
- iwlwifi: clean up transport debugfs handling (FATE#321353, FATE#323335).
- iwlwifi: clear ieee80211_tx_info->driver_data in the op_mode (FATE#321353, FATE#323335).
- iwlwifi: Document missing module options (FATE#321353, FATE#323335).
- iwlwifi: dump prph registers in a common place for all transports (FATE#321353, FATE#323335).
- iwlwifi: dvm: advertise NETIF_F_SG (FATE#321353, FATE#323335).
- iwlwifi: dvm: fix compare_const_fl.cocci warnings (FATE#321353, FATE#323335).
- iwlwifi: dvm: handle zero brightness for wifi LED (FATE#321353, FATE#323335).
- iwlwifi: dvm: remove a wrong dependency on m (FATE#321353, FATE#323335).
- iwlwifi: dvm: remove Kconfig default (FATE#321353, FATE#323335).
- iwlwifi: dvm: remove stray debug code (FATE#321353, FATE#323335).
- iwlwifi: export the _no_grab version of PRPH IO functions (FATE#321353, FATE#323335).
- iwlwifi: expose fw usniffer mode to more utilities (FATE#321353, FATE#323335).
- iwlwifi: fix double hyphen in MODULE_FIRMWARE for 8000 (FATE#321353, FATE#323335).
- iwlwifi: Fix firmware name maximum length definition (FATE#321353, FATE#323335).
- iwlwifi: fix name of ucode loaded for 8265 series (FATE#321353, FATE#323335).
- iwlwifi: fix printf specifier (FATE#321353, FATE#323335).
- iwlwifi: generalize d0i3_entry_timeout module parameter (FATE#321353, FATE#323335).
- iwlwifi: missing error code in iwl_trans_pcie_alloc() (bsc#1031717).
- iwlwifi: mvm: adapt the firmware assert log to new firmware (FATE#321353, FATE#323335).
- iwlwifi: mvm: add 9000-series RX API (FATE#321353, FATE#323335).
- iwlwifi: mvm: add 9000 series RX processing (FATE#321353, FATE#323335).
- iwlwifi: mvm: add a non-trigger window to fw dbg triggers (FATE#321353, FATE#323335).
- iwlwifi: mvm: add an option to start rs from HT/VHT rates (FATE#321353, FATE#323335).
- iwlwifi: mvm: Add a station in monitor mode (FATE#321353, FATE#323335).
- iwlwifi: mvm: add bt rrc and ttc to debugfs (FATE#321353, FATE#323335).
- iwlwifi: mvm: add bt settings to debugfs (FATE#321353, FATE#323335).
- iwlwifi: mvm: add ctdp operations to debugfs (FATE#321353, FATE#323335).
- iwlwifi: mvm: add CT-KILL notification (FATE#321353, FATE#323335).
- iwlwifi: mvm: add debug print if scan config is ignored (FATE#321353, FATE#323335).
- iwlwifi: mvm: add extended dwell time (FATE#321353, FATE#323335).
- iwlwifi: mvm: add new ADD_STA command version (FATE#321353, FATE#323335).
- iwlwifi: mvm: Add P2P client snoozing (FATE#321353, FATE#323335).
- iwlwifi: mvm: add registration to cooling device (FATE#321353, FATE#323335).
- iwlwifi: mvm: add registration to thermal zone (FATE#321353, FATE#323335).
- iwlwifi: mvm: add support for negative temperatures (FATE#321353, FATE#323335).
- iwlwifi: mvm: add tlv for multi queue rx support (FATE#321353, FATE#323335).
- iwlwifi: mvm: add trigger for firmware dump upon TDLS events (FATE#321353, FATE#323335).
- iwlwifi: mvm: add trigger for firmware dump upon TX response status (FATE#321353, FATE#323335).
- iwlwifi: mvm: advertise NETIF_F_SG (FATE#321353, FATE#323335).
- iwlwifi: mvm: Align bt-coex priority with requirements (FATE#321353, FATE#323335).
- iwlwifi: mvm: allow to disable beacon filtering for AP/GO interface (FATE#321353, FATE#323335).
- iwlwifi: mvm: avoid harmless -Wmaybe-uninialized warning (FATE#321353, FATE#323335).
- iwlwifi: mvm: avoid panics with thermal device usage (FATE#321353, FATE#323335).
- iwlwifi: mvm: avoid to WARN about gscan capabilities (FATE#321353, FATE#323335).
- iwlwifi: mvm: bail out if CTDP start operation fails (FATE#321353, FATE#323335).
- iwlwifi: mvm: bump firmware API to 21 (FATE#321353, FATE#323335).
- iwlwifi: mvm: bump max API to 20 (FATE#321353, FATE#323335).
- iwlwifi: mvm: change access to ieee80211_hdr (FATE#321353, FATE#323335).
- iwlwifi: mvm: change iwl_mvm_get_key_sta_id() to return the station (FATE#321353, FATE#323335).
- iwlwifi: mvm: change mcc update API (FATE#321353, FATE#323335).
- iwlwifi: mvm: change name of iwl_mvm_d3_update_gtk (FATE#321353, FATE#323335).
- iwlwifi: mvm: Change number of associated stations when station becomes associated (FATE#321353, FATE#323335).
- iwlwifi: mvm: change protocol offload flows (FATE#321353, FATE#323335).
- iwlwifi: mvm: change the check for ADD_STA status (FATE#321353, FATE#323335).
- iwlwifi: mvm: check FW's response for nvm access write cmd (FATE#321353, FATE#323335).
- iwlwifi: mvm: check iwl_mvm_wowlan_config_key_params() return value (FATE#321353, FATE#323335).
- iwlwifi: mvm: check minimum temperature notification length (FATE#321353, FATE#323335).
- iwlwifi: mvm: cleanup roc te on restart cleanup (FATE#321353, FATE#323335).
- iwlwifi: mvm: compare full command ID (FATE#321353, FATE#323335).
- iwlwifi: mvm: Configure fragmented scan for scheduled scan (FATE#321353, FATE#323335).
- iwlwifi: mvm: configure scheduled scan according to traffic conditions (FATE#321353, FATE#323335).
- iwlwifi: mvm: constify the parameters of a few functions in fw-dbg.c (FATE#321353, FATE#323335).
- iwlwifi: mvm: Disable beacon storing in D3 when WOWLAN configured (FATE#321353, FATE#323335).
- iwlwifi: mvm: disable DQA support (FATE#321353, FATE#323335).
- iwlwifi: mvm: do not ask beacons when P2P GO vif and no assoc sta (FATE#321353, FATE#323335).
- iwlwifi: mvm: do not keep an mvm ref when the interface is down (FATE#321353, FATE#323335).
- iwlwifi: mvm: do not let NDPs mess the packet tracking (FATE#321353, FATE#323335).
- iwlwifi: mvm: do not restart HW if suspend fails with unified image (FATE#321353, FATE#323335).
- iwlwifi: mvm: Do not switch to D3 image on suspend (FATE#321353, FATE#323335).
- iwlwifi: mvm: do not try to offload AES-CMAC in AP/IBSS modes (FATE#321353, FATE#323335).
- iwlwifi: mvm: drop low_latency_agg_frame_cnt_limit (FATE#321353, FATE#323335).
- iwlwifi: mvm: dump more registers upon error (FATE#321353, FATE#323335).
- iwlwifi: mvm: dump the radio registers when the firmware crashes (FATE#321353, FATE#323335).
- iwlwifi: mvm: enable L3 filtering (FATE#321353, FATE#323335).
- iwlwifi: mvm: Enable MPLUT only on supported hw (FATE#321353, FATE#323335).
- iwlwifi: mvm: enable VHT MU-MIMO for supported hardware (FATE#321353, FATE#323335).
- iwlwifi: mvm: extend time event duration (FATE#321353, FATE#323335).
- iwlwifi: mvm: fix accessing Null pointer during fw dump collection (FATE#321353, FATE#323335).
- iwlwifi: mvm: fix d3_test with unified D0/D3 images (FATE#321353, FATE#323335).
- iwlwifi: mvm: fix debugfs signedness warning (FATE#321353, FATE#323335).
- iwlwifi: mvm: fix extended dwell time (FATE#321353, FATE#323335).
- iwlwifi: mvm: fix incorrect fallthrough in iwl_mvm_check_running_scans() (FATE#321353, FATE#323335).
- iwlwifi: mvm: fix memory leaks in error paths upon fw error dump (FATE#321353, FATE#323335).
- iwlwifi: mvm: fix netdetect starting/stopping for unified images (FATE#321353, FATE#323335).
- iwlwifi: mvm: fix RSS key sizing (FATE#321353, FATE#323335).
- iwlwifi: mvm: fix unregistration of thermal in some error flows (FATE#321353, FATE#323335).
- iwlwifi: mvm: flush all used TX queues before suspending (FATE#321353, FATE#323335).
- iwlwifi: mvm: forbid U-APSD for P2P Client if the firmware does not support it (FATE#321353, FATE#323335).
- iwlwifi: mvm: handle pass all scan reporting (FATE#321353, FATE#323335).
- iwlwifi: mvm: ignore LMAC scan notifications when running UMAC scans (FATE#321353, FATE#323335).
- iwlwifi: mvm: infrastructure for frame-release message (FATE#321353, FATE#323335).
- iwlwifi: mvm: kill iwl_mvm_enable_agg_txq (FATE#321353, FATE#323335).
- iwlwifi: mvm: let the firmware choose the antenna for beacons (FATE#321353, FATE#323335).
- iwlwifi: mvm: make collecting fw debug data optional (FATE#321353, FATE#323335).
- iwlwifi: mvm: move fw-dbg code to separate file (FATE#321353, FATE#323335).
- iwlwifi: mvm: only release the trans ref if d0i3 is supported in fw (FATE#321353, FATE#323335).
- iwlwifi: mvm: prepare the code towards TSO implementation (FATE#321353, FATE#323335).
- iwlwifi: mvm: refactor d3 key update functions (FATE#321353, FATE#323335).
- iwlwifi: mvm: refactor the way fw_key_table is handled (FATE#321353, FATE#323335).
- iwlwifi: mvm: remove an extra tab (FATE#321353, FATE#323335).
- iwlwifi: mvm: Remove bf_vif from iwl_power_vifs (FATE#321353, FATE#323335).
- iwlwifi: mvm: Remove iwl_mvm_update_beacon_abort (FATE#321353, FATE#323335).
- iwlwifi: mvm: remove redundant d0i3 flag from the config struct (FATE#321353, FATE#323335).
- iwlwifi: mvm: remove shadowing variable (FATE#321353, FATE#323335).
- iwlwifi: mvm: remove stray nd_config element (FATE#321353, FATE#323335).
- iwlwifi: mvm: remove the vif parameter of iwl_mvm_configure_bcast_filter() (FATE#321353, FATE#323335).
- iwlwifi: mvm: remove unnecessary check in iwl_mvm_is_d0i3_supported() (FATE#321353, FATE#323335).
- iwlwifi: mvm: remove useless WARN_ON and rely on cfg80211's combination (FATE#321353, FATE#323335).
- iwlwifi: mvm: report wakeup for wowlan (FATE#321353, FATE#323335).
- iwlwifi: mvm: reset mvm->scan_type when firmware is started (FATE#321353, FATE#323335).
- iwlwifi: mvm: reset the fw_dump_desc pointer after ASSERT (bsc#1031717).
- iwlwifi: mvm: return the cooling state index instead of the budget (FATE#321353, FATE#323335).
- iwlwifi: mvm: ROC: cleanup time event info on FW failure (FATE#321353, FATE#323335).
- iwlwifi: mvm: ROC: Extend the ROC max delay duration & limit ROC duration (FATE#321353, FATE#323335).
- iwlwifi: mvm: rs: fix a potential out of bounds access (FATE#321353, FATE#323335).
- iwlwifi: mvm: rs: fix a theoretical access to uninitialized array elements (FATE#321353, FATE#323335).
- iwlwifi: mvm: rs: fix a warning message (FATE#321353, FATE#323335).
- iwlwifi: mvm: rs: fix TPC action decision algorithm (FATE#321353, FATE#323335).
- iwlwifi: mvm: rs: fix TPC statistics handling (FATE#321353, FATE#323335).
- iwlwifi: mvm: Send power command on BSS_CHANGED_BEACON_INFO if needed (FATE#321353, FATE#323335).
- iwlwifi: mvm: set default new STA as non-aggregated (FATE#321353, FATE#323335).
- iwlwifi: mvm: set the correct amsdu enum values (FATE#321353, FATE#323335).
- iwlwifi: mvm: set the correct descriptor size for tracing (FATE#321353, FATE#323335).
- iwlwifi: mvm: small update in the firmware API (FATE#321353, FATE#323335).
- iwlwifi: mvm: support A-MSDU in A-MPDU (FATE#321353, FATE#323335).
- iwlwifi: mvm: support beacon storing (FATE#321353, FATE#323335).
- iwlwifi: mvm: support description for user triggered fw dbg collection (FATE#321353, FATE#323335).
- iwlwifi: mvm: support rss queues configuration command (FATE#321353, FATE#323335).
- iwlwifi: mvm: Support setting continuous recording debug mode (FATE#321353, FATE#323335).
- iwlwifi: mvm: support setting minimum quota from debugfs (FATE#321353, FATE#323335).
- iwlwifi: mvm: support sw queue start/stop from mvm (FATE#321353, FATE#323335).
- iwlwifi: mvm: synchronize firmware DMA paging memory (FATE#321353, FATE#323335).
- iwlwifi: mvm: take care of padded packets (FATE#321353, FATE#323335).
- iwlwifi: mvm: take the transport ref back when leaving (FATE#321353, FATE#323335).
- iwlwifi: mvm: track low-latency sources separately (FATE#321353, FATE#323335).
- iwlwifi: mvm: unconditionally stop device after init (bsc#1031717).
- iwlwifi: mvm: unmap the paging memory before freeing it (FATE#321353, FATE#323335).
- iwlwifi: mvm: update GSCAN capabilities (FATE#321353, FATE#323335).
- iwlwifi: mvm: update ucode status before stopping device (FATE#321353, FATE#323335).
- iwlwifi: mvm: use build-time assertion for fw trigger ID (FATE#321353, FATE#323335).
- iwlwifi: mvm: use firmware station lookup, combine code (FATE#321353, FATE#323335).
- iwlwifi: mvm: various trivial cleanups (FATE#321353, FATE#323335).
- iwlwifi: mvm: writing zero bytes to debugfs causes a crash (FATE#321353, FATE#323335).
- iwlwifi: nvm: fix loading default NVM file (FATE#321353, FATE#323335).
- iwlwifi: nvm: fix up phy section when reading it (FATE#321353, FATE#323335).
- iwlwifi: pcie: add 9000 series multi queue rx DMA support (FATE#321353, FATE#323335).
- iwlwifi: pcie: add infrastructure for multi-queue rx (FATE#321353, FATE#323335).
- iwlwifi: pcie: add initial RTPM support for PCI (FATE#321353, FATE#323335).
- iwlwifi: pcie: Add new configuration to enable MSIX (FATE#321353, FATE#323335).
- iwlwifi: pcie: add pm_prepare and pm_complete ops (FATE#321353, FATE#323335).
- iwlwifi: pcie: add RTPM support when wifi is enabled (FATE#321353, FATE#323335).
- iwlwifi: pcie: aggregate Flow Handler configuration writes (FATE#321353, FATE#323335).
- iwlwifi: pcie: allow the op_mode to block the tx queues (FATE#321353, FATE#323335).
- iwlwifi: pcie: allow to pretend to have Tx CSUM for debug (FATE#321353, FATE#323335).
- iwlwifi: pcie: avoid restocks inside rx loop if not emergency (FATE#321353, FATE#323335).
- iwlwifi: pcie: buffer packets to avoid overflowing Tx queues (FATE#321353, FATE#323335).
- iwlwifi: pcie: build an A-MSDU using TSO core (FATE#321353, FATE#323335).
- iwlwifi: pcie: configure more RFH settings (FATE#321353, FATE#323335).
- iwlwifi: pcie: detect and workaround invalid write ptr behavior (FATE#321353, FATE#323335).
- iwlwifi: pcie: do not increment / decrement a bool (FATE#321353, FATE#323335).
- iwlwifi: pcie: enable interrupts before releasing the NIC's CPU (FATE#321353, FATE#323335).
- iwlwifi: pcie: enable multi-queue rx path (FATE#321353, FATE#323335).
- iwlwifi: pcie: extend device reset delay (FATE#321353, FATE#323335).
- iwlwifi: pcie: fine tune number of rxbs (FATE#321353, FATE#323335).
- iwlwifi: pcie: fix a race in firmware loading flow (FATE#321353, FATE#323335).
- iwlwifi: pcie: fix command completion name debug (bsc#1031717).
- iwlwifi: pcie: fix erroneous return value (FATE#321353, FATE#323335).
- iwlwifi: pcie: fix global table size (FATE#321353, FATE#323335).
- iwlwifi: pcie: fix identation in trans.c (FATE#321353, FATE#323335).
- iwlwifi: pcie: fix RF-Kill vs. firmware load race (FATE#321353, FATE#323335).
- iwlwifi: pcie: forbid RTPM on device removal (FATE#321353, FATE#323335).
- iwlwifi: pcie: mark command queue lock with separate lockdep class (FATE#321353, FATE#323335).
- iwlwifi: pcie: prevent skbs shadowing in iwl_trans_pcie_reclaim (FATE#321353, FATE#323335).
- iwlwifi: pcie: refactor RXBs reclaiming code (FATE#321353, FATE#323335).
- iwlwifi: pcie: remove ICT allocation message (FATE#321353, FATE#323335).
- iwlwifi: pcie: remove pointer from debug message (FATE#321353, FATE#323335).
- iwlwifi: pcie: re-organize code towards TSO (FATE#321353, FATE#323335).
- iwlwifi: pcie: set RB chunk size back to 64 (FATE#321353, FATE#323335).
- iwlwifi: pcie: update iwl_mpdu_desc fields (FATE#321353, FATE#323335).
- iwlwifi: print index in api/capa flags parsing message (FATE#321353, FATE#323335).
- iwlwifi: refactor the code that reads the MAC address from the NVM (FATE#321353, FATE#323335).
- iwlwifi: remove IWL_DL_LED (FATE#321353, FATE#323335).
- iwlwifi: remove unused parameter from grab_nic_access (FATE#321353, FATE#323335).
- iwlwifi: replace d0i3_mode and wowlan_d0i3 with more generic variables (FATE#321353, FATE#323335).
- iwlwifi: set max firmware version of 7265 to 17 (FATE#321353, FATE#323335).
- iwlwifi: support ucode with d0 unified image - regular and usniffer (FATE#321353, FATE#323335).
- iwlwifi: trans: make various conversion macros inlines (FATE#321353, FATE#323335).
- iwlwifi: trans: support a callback for ASYNC commands (FATE#321353, FATE#323335).
- iwlwifi: treat iwl_parse_nvm_data() MAC addr as little endian (FATE#321353, FATE#323335).
- iwlwifi: tt: move ucode_loaded check under mutex (FATE#321353, FATE#323335).
- iwlwifi: uninline iwl_trans_send_cmd (FATE#321353, FATE#323335).
- iwlwifi: update host command messages to new format (FATE#321353, FATE#323335).
- iwlwifi: Update PCI IDs for 8000 and 9000 series (FATE#321353, FATE#323335).
- iwlwifi: update support for 3168 series firmware and NVM (FATE#321353, FATE#323335).
- iwlwifi: various comments and code cleanups (FATE#321353, FATE#323335).
- kABI-fix for 'x86/panic: replace smp_send_stop() with kdump friendly version in panic path' (bsc#1051478).
- kABI: protect lwtunnel include in ip6_route.h (kabi).
- KABI protect struct acpi_nfit_desc (bsc#1052325).
- kABI: protect struct iscsi_tpg_attrib (kabi).
- kABI: protect struct se_lun (kabi).
- kABI: protect struct tpm_chip (kabi).
- kABI: protect struct xfrm_dst (kabi).
- kABI: protect struct xfrm_dst (kabi).
- kabi/severities: add drivers/scsi/hisi_sas to kabi severities
- kabi/severities: ignore kABi changes in iwlwifi stuff itself
- kvm: nVMX: fix msr bitmaps to prevent L2 from accessing L0 x2APIC (bsc#1051478).
- kvm: nVMX: Fix nested_vmx_check_msr_bitmap_controls (bsc#1051478).
- kvm: nVMX: Fix nested VPID vmx exec control (bsc#1051478).
- kvm: x86: avoid simultaneous queueing of both IRQ and SMI (bsc#1051478).
- libnvdimm: fix badblock range handling of ARS range (bsc#1023175).
- libnvdimm: fix badblock range handling of ARS range (bsc#1051048).
- libnvdimm, pmem: fix a NULL pointer BUG in nd_pmem_notify (bsc#1023175).
- libnvdimm, pmem: fix a NULL pointer BUG in nd_pmem_notify (bsc#1048919).
- libnvdimm, region: fix flush hint detection crash (bsc#1048919).
- lightnvm: fix 'warning: ‘ret’ may be used uninitialized' (FATE#319466).
- mac80211_hwsim: Replace bogus hrtimer clockid (bsc#1047651).
- md-cluster: Fix a memleak in an error handling path (bsc#1049289).
- md: do not return -EAGAIN in md_allow_write for external metadata arrays (bsc#1047174).
- md: fix sleep in atomic (bsc#1040351).
- mm: call page_ext_init() after all struct pages are initialized (VM Debugging Functionality, bsc#1047048).
- mm: fix classzone_idx underflow in shrink_zones() (VM Functionality, bsc#1042314).
- mm: make PR_SET_THP_DISABLE immediately active (bnc#1048891).
- mm, memory_hotplug: get rid of is_zone_device_section fix (bnc#1047595).
- mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack (bnc#1039348).
- mwifiex: do not update MCS set from hostapd (bsc#1031717).
- net: account for current skb length when deciding about UFO (bsc#1041958).
- net: add netdev_lockdep_set_classes() helper (fate#320485).
- net: ena: add hardware hints capability to the driver (bsc#1047121).
- net: ena: add hardware hints capability to the driver (bsc#1047121).
- net: ena: add missing return when ena_com_get_io_handlers() fails (bsc#1047121).
- net: ena: add missing return when ena_com_get_io_handlers() fails (bsc#1047121).
- net: ena: add missing unmap bars on device removal (bsc#1047121).
- net: ena: add missing unmap bars on device removal (bsc#1047121).
- net: ena: add reset reason for each device FLR (bsc#1047121).
- net: ena: add reset reason for each device FLR (bsc#1047121).
- net: ena: add support for out of order rx buffers refill (bsc#1047121).
- net: ena: add support for out of order rx buffers refill (bsc#1047121).
- net: ena: allow the driver to work with small number of msix vectors (bsc#1047121).
- net: ena: allow the driver to work with small number of msix vectors (bsc#1047121).
- net: ena: bug fix in lost tx packets detection mechanism (bsc#1047121).
- net: ena: bug fix in lost tx packets detection mechanism (bsc#1047121).
- net: ena: change return value for unsupported features unsupported return value (bsc#1047121).
- net: ena: change return value for unsupported features unsupported return value (bsc#1047121).
- net: ena: change sizeof() argument to be the type pointer (bsc#1047121).
- net: ena: change sizeof() argument to be the type pointer (bsc#1047121).
- net: ena: disable admin msix while working in polling mode (bsc#1047121).
- net: ena: disable admin msix while working in polling mode (bsc#1047121).
- net: ena: fix bug that might cause hang after consecutive open/close interface (bsc#1047121).
- net: ena: fix bug that might cause hang after consecutive open/close interface (bsc#1047121).
- net: ena: fix race condition between submit and completion admin command (bsc#1047121).
- net: ena: fix race condition between submit and completion admin command (bsc#1047121).
- net: ena: fix rare uncompleted admin command false alarm (bsc#1047121).
- net: ena: fix rare uncompleted admin command false alarm (bsc#1047121).
- net: ena: fix theoretical Rx hang on low memory systems (bsc#1047121).
- net: ena: fix theoretical Rx hang on low memory systems (bsc#1047121).
- net: ena: separate skb allocation to dedicated function (bsc#1047121).
- net: ena: separate skb allocation to dedicated function (bsc#1047121).
- net/ena: switch to pci_alloc_irq_vectors (bsc#1047121).
- net: ena: update driver's rx drop statistics (bsc#1047121).
- net: ena: update driver's rx drop statistics (bsc#1047121).
- net: ena: update ena driver to version 1.1.7 (bsc#1047121).
- net: ena: update ena driver to version 1.1.7 (bsc#1047121).
- net: ena: update ena driver to version 1.2.0 (bsc#1047121).
- net: ena: update ena driver to version 1.2.0 (bsc#1047121).
- net: ena: use lower_32_bits()/upper_32_bits() to split dma address (bsc#1047121).
- net: ena: use lower_32_bits()/upper_32_bits() to split dma address (bsc#1047121).
- net: ena: use napi_schedule_irqoff when possible (bsc#1047121).
- net: ena: use napi_schedule_irqoff when possible (bsc#1047121).
- net: handle NAPI_GRO_FREE_STOLEN_HEAD case also in napi_frags_finish() (bsc#1042286).
- net: hns: Bugfix for Tx timeout handling in hns driver (bsc#1048451).
- net: hyperv: use new api ethtool_{get|set}_link_ksettings (fate#320485).
- net/mlx4_core: Fixes missing capability bit in flags2 capability dump (bsc#1015337).
- net/mlx4_core: Fix namespace misalignment in QinQ VST support commit (bsc#1015337).
- net/mlx4_core: Fix sl_to_vl_change bit offset in flags2 dump (bsc#1015337).
- net/mlx5: Cancel delayed recovery work when unloading the driver (bsc#1015342).
- net/mlx5: Clean SRIOV eswitch resources upon VF creation failure (bsc#1015342).
- net/mlx5: Consider tx_enabled in all modes on remap (bsc#1015342).
- net/mlx5e: Add field select to MTPPS register (bsc#1015342).
- net/mlx5e: Add missing support for PTP_CLK_REQ_PPS request (bsc#1015342).
- net/mlx5e: Change 1PPS out scheme (bsc#1015342).
- net/mlx5e: Fix broken disable 1PPS flow (bsc#1015342).
- net/mlx5e: Fix outer_header_zero() check size (bsc#1015342).
- net/mlx5e: Fix TX carrier errors report in get stats ndo (bsc#1015342).
- net/mlx5e: Initialize CEE's getpermhwaddr address buffer to 0xff (bsc#1015342).
- net/mlx5e: Rename physical symbol errors counter (bsc#1015342).
- net/mlx5: Fix driver load error flow when firmware is stuck (git-fixes).
- net/mlx5: Fix mlx5_add_flow_rules call with correct num of dests (bsc#1015342).
- net/mlx5: Fix mlx5_ifc_mtpps_reg_bits structure size (bsc#1015342).
- net/mlx5: Fix offset of hca cap reserved field (bsc#1015342).
- net: phy: Do not perform software reset for Generic PHY (bsc#1042286).
- netvsc: add comments about callback's and NAPI (fate#320485).
- netvsc: Add #include's for csum_* function declarations (fate#320485).
- netvsc: add rtnl annotations in rndis (fate#320485).
- netvsc: add some rtnl_dereference annotations (fate#320485).
- netvsc: avoid race with callback (fate#320485).
- netvsc: change logic for change mtu and set_queues (fate#320485).
- netvsc: change max channel calculation (fate#320485).
- netvsc: change order of steps in setting queues (fate#320485).
- netvsc: Deal with rescinded channels correctly (fate#320485).
- netvsc: do not access netdev->num_rx_queues directly (fate#320485).
- netvsc: do not overload variable in same function (fate#320485).
- netvsc: do not print pointer value in error message (fate#320485).
- netvsc: eliminate unnecessary skb == NULL checks (fate#320485).
- netvsc: enable GRO (fate#320485).
- netvsc: Fix a bug in sub-channel handling (fate#320485).
- netvsc: fix and cleanup rndis_filter_set_packet_filter (fate#320485).
- netvsc: fix calculation of available send sections (fate#320485).
- netvsc: fix dereference before null check errors (fate#320485).
- netvsc: fix error unwind on device setup failure (fate#320485).
- netvsc: fix hang on netvsc module removal (fate#320485).
- netvsc: fix NAPI performance regression (fate#320485).
- netvsc: fix net poll mode (fate#320485).
- netvsc: fix netvsc_set_channels (fate#320485).
- netvsc: fix ptr_ret.cocci warnings (fate#320485).
- netvsc: fix rcu dereference warning from ethtool (fate#320485).
- netvsc: fix RCU warning in get_stats (fate#320485).
- netvsc: fix return value for set_channels (fate#320485).
- netvsc: fix rtnl deadlock on unregister of vf (fate#320485, bsc#1052442).
- netvsc: fix use after free on module removal (fate#320485).
- netvsc: fix warnings reported by lockdep (fate#320485).
- netvsc: fold in get_outbound_net_device (fate#320485).
- netvsc: force link update after MTU change (fate#320485).
- netvsc: handle offline mtu and channel change (fate#320485).
- netvsc: implement NAPI (fate#320485).
- netvsc: include rtnetlink.h (fate#320485).
- netvsc: Initialize all channel related state prior to opening the channel (fate#320485).
- netvsc: make sure and unregister datapath (fate#320485, bsc#1052899).
- netvsc: make sure napi enabled before vmbus_open (fate#320485).
- netvsc: mark error cases as unlikely (fate#320485).
- netvsc: move filter setting to rndis_device (fate#320485).
- netvsc: need napi scheduled during removal (fate#320485).
- netvsc: need rcu_derefence when accessing internal device info (fate#320485).
- netvsc: optimize calculation of number of slots (fate#320485).
- netvsc: optimize receive completions (fate#320485).
- netvsc: pass net_device to netvsc_init_buf and netvsc_connect_vsp (fate#320485).
- netvsc: prefetch the first incoming ring element (fate#320485).
- netvsc: Properly initialize the return value (fate#320485).
- netvsc: remove bogus rtnl_unlock (fate#320485).
- netvsc: remove no longer used max_num_rss queues (fate#320485).
- netvsc: Remove redundant use of ipv6_hdr() (fate#320485).
- netvsc: remove unnecessary indirection of page_buffer (fate#320485).
- netvsc: remove unnecessary lock on shutdown (fate#320485).
- netvsc: remove unused #define (fate#320485).
- netvsc: replace netdev_alloc_skb_ip_align with napi_alloc_skb (fate#320485).
- netvsc: save pointer to parent netvsc_device in channel table (fate#320485).
- netvsc: signal host if receive ring is emptied (fate#320485).
- netvsc: transparent VF management (fate#320485, bsc#1051979).
- netvsc: use ERR_PTR to avoid dereference issues (fate#320485).
- netvsc: use hv_get_bytes_to_read (fate#320485).
- netvsc: use napi_consume_skb (fate#320485).
- netvsc: use RCU to protect inner device structure (fate#320485).
- netvsc: uses RCU instead of removal flag (fate#320485).
- netvsc: use typed pointer for internal state (fate#320485).
- nfs: Cache aggressively when file is open for writing (bsc#1033587).
- nfs: Do not flush caches for a getattr that races with writeback (bsc#1033587).
- nfs: invalidate file size when taking a lock (git-fixes).
- nfs: only invalidate dentrys that are clearly invalid (bsc#1047118).
- nfs: Optimize fallocate by refreshing mapping when needed (git-fixes).
- nvme: add hostid token to fabric options (bsc#1045293).
- nvme: also provide a UUID in the WWID sysfs attribute (bsc#1048146).
- nvme: fabrics commands should use the fctype field for data direction (bsc#1043805).
- nvme-pci: fix CMB sysfs file removal in reset path (bsc#1050211).
- nvme/pci: Fix stuck nvme reset (bsc#1043805).
- nvmet: identify controller: improve standard compliance (bsc#1048146).
- nvme: wwid_show: strip trailing 0-bytes (bsc#1048146).
- ocfs2: Do not clear SGID when inheriting ACLs (bsc#1030552).
- ocfs2: fix deadlock caused by recursive locking in xattr (bsc#1012829).
- ocfs2: Make ocfs2_set_acl() static (bsc#1030552).
- pci: Add Mellanox device IDs (bsc#1051478).
- pci: Convert Mellanox broken INTx quirks to be for listed devices only (bsc#1051478).
- pci: Correct PCI_STD_RESOURCE_END usage (bsc#1051478).
- pci: dwc: dra7xx: Use RW1C for IRQSTATUS_MSI and IRQSTATUS_MAIN (bsc#1051478).
- pci: dwc: Fix uninitialized variable in dw_handle_msi_irq() (bsc#1051478).
- pci: Enable ECRC only if device supports it (bsc#1051478).
- pci: hv: Allocate interrupt descriptors with GFP_ATOMIC (fate#320295, bnc#1034113).
- pci: hv: Lock PCI bus on device eject (fate#320295, bnc#1034113). Replaces a change for (bnc#998664)
- pci/msi: fix the pci_alloc_irq_vectors_affinity stub (bsc#1050211).
- pci/msi: Ignore affinity if pre/post vector count is more than min_vecs (1050211).
- pci/pm: Fix native PME handling during system suspend/resume (bsc#1051478).
- pci: Support INTx masking on ConnectX-4 with firmware x.14.1100+ (bsc#1051478).
- perf/x86: Fix spurious NMI with PEBS Load Latency event (bsc#1051478).
- perf/x86/intel: Cure bogus unwind from PEBS entries (bsc#1051478).
- perf/x86/intel: Fix PEBSv3 record drain (bsc#1051478).
- pipe: cap initial pipe capacity according to pipe-max-size limit (bsc#1045330).
- platform/x86: ideapad-laptop: Add IdeaPad 310-15IKB to no_hw_rfkill (bsc#1051022).
- platform/x86: ideapad-laptop: Add IdeaPad V310-15ISK to no_hw_rfkill (bsc#1051022).
- platform/x86: ideapad-laptop: Add IdeaPad V510-15IKB to no_hw_rfkill (bsc#1051022).
- platform/x86: ideapad-laptop: Add Lenovo Yoga 910-13IKB to no_hw_rfkill dmi list (bsc#1051022).
- platform/x86: ideapad-laptop: Add several models to no_hw_rfkill (bsc#1051022).
- platform/x86: ideapad-laptop: Add Y520-15IKBN to no_hw_rfkill (bsc#1051022).
- platform/x86: ideapad-laptop: Add Y700 15-ACZ to no_hw_rfkill DMI list (bsc#1051022).
- platform/x86: ideapad-laptop: Add Y720-15IKBN to no_hw_rfkill (bsc#1051022).
- pm / Hibernate: Fix scheduling while atomic during hibernation (bsc#1051059).
- powerpc: Add POWER9 architected mode to cputable (bsc#1048916, fate#321439).
- powerpc/fadump: Add a warning when 'fadump_reserve_mem=' is used (bsc#1049231).
- powerpc/ftrace: Pass the correct stack pointer for DYNAMIC_FTRACE_WITH_REGS (FATE#322421).
- powerpc/perf: Fix branch event code for power9 (fate#321438, Pending SUSE Kernel Fixes).
- powerpc/perf: Fix oops when kthread execs user process
- powerpc/perf: Fix SDAR_MODE value for continous sampling on Power9 (bsc#1053043 (git-fixes)).
- powerpc: Support POWER9 in architected mode (bsc#1048916, fate#321439).
- powerpc/tm: Fix saving of TM SPRs in core dump (fate#318470, git-fixes 08e1c01d6aed).
- prctl: propagate has_child_subreaper flag to every descendant (bnc#1022476).
- printk: Correctly handle preemption in console_unlock() (bsc#1046434).
- printk/xen: Force printk sync mode when migrating Xen guest (bsc#1043347).
- qed: Add missing static/local dcbx info (bsc#1019695).
- qed: Correct print in iscsi error-flow (bsc#1019695).
- qeth: fix L3 next-hop im xmit qeth hdr (bnc#1052773, LTC#157374).
- rbd: drop extra rbd_img_request_get (bsc#1045596).
- rbd: make sure pages are freed by libceph (bsc#1045596).
- rdma/bnxt_re: checking for NULL instead of IS_ERR() (bsc#1052925).
- rdma/iw_cxgb4: Always wake up waiter in c4iw_peer_abort_intr() (bsc#1026570).
- rdma/mlx5: Fix existence check for extended address vector (bsc#1015342).
- rdma/qedr: Prevent memory overrun in verbs' user responses (bsc#1022604 FATE#321747).
- reiserfs: Do not clear SGID when inheriting ACLs (bsc#1030552).
- Remove upstream commit e14b4db7a567 netvsc: fix race during initialization will be replaced by following changes
- reorder upstream commit d0c2c9973ecd net: use core MTU range checking in virt drivers
- Revert 'ACPI / video: Add force_native quirk for HP Pavilion dv6' (bsc#1031717).
- Revert 'Add 'shutdown' to 'struct class'.' (kabi).
- Revert 'KVM: x86: fix emulation of RSM and IRET instructions' (kabi).
- Revert 'Make file credentials available to the seqfile interfaces' (kabi).
- Revert 'mm/list_lru.c: fix list_lru_count_node() to be race free' (kabi).
- Revert 'netvsc: optimize calculation of number of slots' (fate#320485).
- Revert 'powerpc/numa: Fix percpu allocations to be NUMA aware' (bsc#1048914).
- Revert 'powerpc/numa: Fix percpu allocations to be NUMA aware' (bsc#1048914).
- Revert '/proc/iomem: only expose physical resource addresses to privileged users' (kabi).
- Revert 'tpm: Issue a TPM2_Shutdown for TPM2 devices.' (kabi).
- rpm/kernel-binary.spec.in: find-debuginfo.sh should not touch build-id This needs rpm-4.14+ (bsc#964063).
- s390/crash: Remove unused KEXEC_NOTE_BYTES (bsc#1049706).
- s390/kdump: remove code to create ELF notes in the crashed system (bsc#1049706).
- sched/core: Allow __sched_setscheduler() in interrupts when PI is not used (bnc#1022476).
- sched/debug: Print the scheduler topology group mask (bnc#1022476).
- sched/fair, cpumask: Export for_each_cpu_wrap() (bnc#1022476).
- sched/fair: Fix O(nr_cgroups) in load balance path (bnc#1022476).
- sched/fair: Use task_groups instead of leaf_cfs_rq_list to walk all cfs_rqs (bnc#1022476).
- sched/topology: Add sched_group_capacity debugging (bnc#1022476).
- sched/topology: Fix building of overlapping sched-groups (bnc#1022476).
- sched/topology: Fix overlapping sched_group_capacity (bnc#1022476).
- sched/topology: Move comment about asymmetric node setups (bnc#1022476).
- sched/topology: Refactor function build_overlap_sched_groups() (bnc#1022476).
- sched/topology: Remove FORCE_SD_OVERLAP (bnc#1022476).
- sched/topology: Simplify build_overlap_sched_groups() (bnc#1022476).
- sched/topology: Small cleanup (bnc#1022476).
- sched/topology: Verify the first group matches the child domain (bnc#1022476).
- scsi: aacraid: Do not copy uninitialized stack memory to userspace (bsc#1048912).
- scsi: aacraid: fix leak of data from stack back to userspace (bsc#1048912).
- scsi: aacraid: fix PCI error recovery path (bsc#1048912).
- scsi: Add STARGET_CREATE_REMOVE state to scsi_target_state (bsc#1013887).
- scsi: bnx2i: missing error code in bnx2i_ep_connect() (bsc#1048221).
- scsi: bnx2i: missing error code in bnx2i_ep_connect() (bsc#1048221).
- scsi_devinfo: fixup string compare (bsc#1037404).
- scsi_dh_alua: suppress errors from unsupported devices (bsc#1038792).
- scsi: hisi_sas: add pci_dev in hisi_hba struct (bsc#1049298).
- scsi: hisi_sas: add v2 hw internal abort timeout workaround (bsc#1049298).
- scsi: hisi_sas: controller reset for multi-bits ECC and AXI fatal errors (bsc#1049298).
- scsi: hisi_sas: fix NULL deference when TMF timeouts (bsc#1049298).
- scsi: hisi_sas: fix timeout check in hisi_sas_internal_task_abort() (bsc#1049298).
- scsi: hisi_sas: optimise DMA slot memory (bsc#1049298).
- scsi: hisi_sas: optimise the usage of hisi_hba.lock (bsc#1049298).
- scsi: hisi_sas: relocate get_ata_protocol() (bsc#1049298).
- scsi: hisi_sas: workaround a SoC SATA IO processing bug (bsc#1049298).
- scsi: hisi_sas: workaround SoC about abort timeout bug (bsc#1049298).
- scsi: hisi_sas: workaround STP link SoC bug (bsc#1049298).
- scsi: kABI fix for new state STARGET_CREATED_REMOVE (bsc#1013887).
- scsi: lpfc: Add auto EQ delay logic (bsc#1042257).
- scsi: lpfc: Added recovery logic for running out of NVMET IO context resources (bsc#1037838).
- scsi: lpfc: Adding additional stats counters for nvme (bsc#1037838).
- scsi: lpfc: Add MDS Diagnostic support (bsc#1037838).
- scsi: lpfc: Cleanup entry_repost settings on SLI4 queues (bsc#1037838).
- scsi: lpfc: do not double count abort errors (bsc#1048912).
- scsi: lpfc: Driver responds LS_RJT to Beacon Off ELS - Linux (bsc#1044623).
- scsi: lpfc: Fix crash after firmware flash when IO is running (bsc#1044623).
- scsi: lpfc: Fix crash doing IO with resets (bsc#1044623).
- scsi: lpfc: Fix crash in lpfc_sli_ringtxcmpl_put when nvmet gets an abort request (bsc#1044623).
- scsi: lpfc: Fix debugfs root inode 'lpfc' not getting deleted on driver unload (bsc#1037838).
- scsi: lpfc: Fix defects reported by Coverity Scan (bsc#1042257).
- scsi: lpfc: fix linking against modular NVMe support (bsc#1048912).
- scsi: lpfc: Fix NMI watchdog assertions when running nvmet IOPS tests (bsc#1037838).
- scsi: lpfc: Fix NVMEI driver not decrementing counter causing bad rport state (bsc#1037838).
- scsi: lpfc: Fix nvme io stoppage after link bounce (bsc#1045404).
- scsi: lpfc: Fix NVMEI's handling of NVMET's PRLI response attributes (bsc#1037838).
- scsi: lpfc: Fix NVME I+T not registering NVME as a supported FC4 type (bsc#1037838).
- scsi: lpfc: Fix nvmet RQ resource needs for large block writes (bsc#1037838).
- scsi: lpfc: fix refcount error on node list (bsc#1045404).
- scsi: lpfc: Fix SLI3 drivers attempting NVME ELS commands (bsc#1044623).
- scsi: lpfc: Fix system crash when port is reset (bsc#1037838).
- scsi: lpfc: Fix system panic when express lane enabled (bsc#1044623).
- scsi: lpfc: Fix used-RPI accounting problem (bsc#1037838).
- scsi: lpfc: Reduce time spent in IRQ for received NVME commands (bsc#1044623).
- scsi: lpfc: Separate NVMET data buffer pool fir ELS/CT (bsc#1037838).
- scsi: lpfc: Separate NVMET RQ buffer posting from IO resources SGL/iocbq/context (bsc#1037838).
- scsi: lpfc: update to revision to 11.4.0.1 (bsc#1044623).
- scsi: lpfc: update version to 11.2.0.14 (bsc#1037838).
- scsi: lpfc: Vport creation is failing with 'Link Down' error (bsc#1044623).
- scsi: qedf: Fix a return value in case of error in 'qedf_alloc_global_queues' (bsc#1048912).
- scsi: qedi: Fix return code in qedi_ep_connect() (bsc#1048912).
- scsi: qedi: Remove WARN_ON for untracked cleanup (bsc#1044443).
- scsi: qedi: Remove WARN_ON from clear task context (bsc#1044443).
- scsi: storvsc: Prefer kcalloc over kzalloc with multiply (fate#320485).
- scsi: storvsc: remove return at end of void function (fate#320485).
- scsi: storvsc: Workaround for virtual DVD SCSI version (fate#320485, bnc#1044636).
- sfc: Add ethtool -m support for QSFP modules (bsc#1049619).
- smartpqi: limit transfer length to 1MB (bsc#1025461).
- smsc75xx: use skb_cow_head() to deal with cloned skbs (bsc#1045154).
- sr9700: use skb_cow_head() to deal with cloned skbs (bsc#1045154).
- string.h: add memcpy_and_pad() (bsc#1048146).
- sysctl: do not print negative flag for proc_douintvec (bnc#1046985).
- Temporarily disable iwlwifi-expose-default-fallback-ucode-api ... for updating iwlwifi stack
- timers: Plug locking race vs. timer migration (bnc#1022476).
- tools: hv: Add clean up for included files in Ubuntu net config (fate#320485).
- tools: hv: Add clean up function for Ubuntu config (fate#320485).
- tools: hv: properly handle long paths (fate#320485).
- tools: hv: set allow-hotplug for VF on Ubuntu (fate#320485).
- tools: hv: set hotplug for VF on Suse (fate#320485).
- Tools: hv: vss: Thaw the filesystem and continue if freeze call has timed out (fate#320485).
- tpm: Issue a TPM2_Shutdown for TPM2 devices (bsc#1053117).
- tpm: KABI fix (bsc#1053117).
- tpm_tis: Fix IRQ autoprobing when using platform_device (bsc#1020645, fate#321435, fate#321507, fate#321600, Pending fixes 2017-07-06).
- tpm_tis: Use platform_get_irq (bsc#1020645, fate#321435, fate#321507, fate#321600, Pending fixes 2017-07-06).
- tpm/tpm_crb: fix priv->cmd_size initialisation (bsc#1020645, fate#321435, fate#321507, fate#321600, Pending SUSE Kernel Fixes).
- udf: Fix deadlock between writeback and udf_setsize() (bsc#1012829).
- udf: Fix races with i_size changes during readpage (bsc#1012829).
- Update config files: add CONFIG_IWLWIFI_PCIE_RTPM=y (FATE#323335)
- vfs: fix missing inode_get_dev sites (bsc#1052049).
- vmbus: cleanup header file style (fate#320485).
- vmbus: expose debug info for drivers (fate#320485).
- vmbus: fix spelling errors (fate#320485).
- vmbus: introduce in-place packet iterator (fate#320485).
- vmbus: only reschedule tasklet if time limit exceeded (fate#320485).
- vmbus: re-enable channel tasklet (fate#320485).
- vmbus: remove unnecessary initialization (fate#320485).
- vmbus: remove useless return's (fate#320485).
- x86/dmi: Switch dmi_remap() from ioremap() to ioremap_cache() (bsc#1051399).
- x86/hyperv: Check frequency MSRs presence according to the specification (fate#320485).
- x86/LDT: Print the real LDT base address (bsc#1051478).
- x86/mce: Make timer handling more robust (bsc#1042422).
- x86/panic: replace smp_send_stop() with kdump friendly version in panic path (bsc#1051478).
- x86/platform/uv/BAU: Disable BAU on single hub configurations (bsc#1050320).
- x86/platform/uv/BAU: Fix congested_response_us not taking effect (bsc#1050322).
- xen: allocate page for shared info page from low memory (bnc#1038616).
- xen/balloon: do not online new memory initially (bnc#1028173).
- xen: hold lock_device_hotplug throughout vcpu hotplug operations (bsc#1042422).
- xen-netfront: Rework the fix for Rx stall during OOM and network stress (git-fixes).
- xen/pvh*: Support > 32 VCPUs at domain restore (bnc#1045563).
- xfrm: NULL dereference on allocation failure (bsc#1047343).
- xfrm: Oops on error in pfkey_msg2xfrm_state() (bsc#1047653).
- xfs: detect and handle invalid iclog size set by mkfs (bsc#1043598).
- xfs: detect and trim torn writes during log recovery (bsc#1036215).
- xfs: do not BUG() on mixed direct and mapped I/O (bsc#1050188).
- xfs: Do not clear SGID when inheriting ACLs (bsc#1030552).
- xfs: refactor and open code log record crc check (bsc#1036215).
- xfs: refactor log record start detection into a new helper (bsc#1036215).
- xfs: return start block of first bad log record during recovery (bsc#1036215).
- xfs: support a crc verification only log record pass (bsc#1036215).
- xgene: Do not fail probe, if there is no clk resource for SGMII interfaces (bsc#1048501).
- xilinx network drivers: disable (bsc#1046170).
ImportantSUSE bug 1005778SUSE bug 1006180SUSE bug 1011913SUSE bug 1012829SUSE bug 1013887SUSE bug 1015337SUSE bug 1015342SUSE bug 1016119SUSE bug 1019151SUSE bug 1019695SUSE bug 1020645SUSE bug 1022476SUSE bug 1022600SUSE bug 1022604SUSE bug 1023175SUSE bug 1024346SUSE bug 1024373SUSE bug 1025461SUSE bug 1026570SUSE bug 1028173SUSE bug 1028286SUSE bug 1029693SUSE bug 1030552SUSE bug 1031515SUSE bug 1031717SUSE bug 1031784SUSE bug 1033587SUSE bug 1034075SUSE bug 1034113SUSE bug 1034762SUSE bug 1036215SUSE bug 1036632SUSE bug 1037344SUSE bug 1037404SUSE bug 1037838SUSE bug 1037994SUSE bug 1038078SUSE bug 1038616SUSE bug 1038792SUSE bug 1039153SUSE bug 1039348SUSE bug 1039915SUSE bug 1040307SUSE bug 1040347SUSE bug 1040351SUSE bug 1041958SUSE bug 1042257SUSE bug 1042286SUSE bug 1042314SUSE bug 1042422SUSE bug 1042778SUSE bug 1043261SUSE bug 1043347SUSE bug 1043520SUSE bug 1043598SUSE bug 1043652SUSE bug 1043805SUSE bug 1043912SUSE bug 1044112SUSE bug 1044443SUSE bug 1044623SUSE bug 1044636SUSE bug 1045154SUSE bug 1045293SUSE bug 1045330SUSE bug 1045404SUSE bug 1045563SUSE bug 1045596SUSE bug 1045709SUSE bug 1045715SUSE bug 1045866SUSE bug 1045922SUSE bug 1045937SUSE bug 1046105SUSE bug 1046170SUSE bug 1046434SUSE bug 1046651SUSE bug 1046655SUSE bug 1046682SUSE bug 1046821SUSE bug 1046985SUSE bug 1047027SUSE bug 1047048SUSE bug 1047096SUSE bug 1047118SUSE bug 1047121SUSE bug 1047152SUSE bug 1047174SUSE bug 1047277SUSE bug 1047343SUSE bug 1047354SUSE bug 1047418SUSE bug 1047506SUSE bug 1047595SUSE bug 1047651SUSE bug 1047653SUSE bug 1047670SUSE bug 1047802SUSE bug 1048146SUSE bug 1048155SUSE bug 1048221SUSE bug 1048317SUSE bug 1048348SUSE bug 1048356SUSE bug 1048421SUSE bug 1048451SUSE bug 1048501SUSE bug 1048891SUSE bug 1048912SUSE bug 1048914SUSE bug 1048916SUSE bug 1048919SUSE bug 1049231SUSE bug 1049289SUSE bug 1049298SUSE bug 1049361SUSE bug 1049483SUSE bug 1049486SUSE bug 1049603SUSE bug 1049619SUSE bug 1049645SUSE bug 1049706SUSE bug 1049882SUSE bug 1050061SUSE bug 1050188SUSE bug 1050211SUSE bug 1050320SUSE bug 1050322SUSE bug 1050677SUSE bug 1051022SUSE bug 1051048SUSE bug 1051059SUSE bug 1051239SUSE bug 1051399SUSE bug 1051471SUSE bug 1051478SUSE bug 1051479SUSE bug 1051556SUSE bug 1051663SUSE bug 1051689SUSE bug 1051979SUSE bug 1052049SUSE bug 1052223SUSE bug 1052311SUSE bug 1052325SUSE bug 1052365SUSE bug 1052442SUSE bug 1052533SUSE bug 1052709SUSE bug 1052773SUSE bug 1052794SUSE bug 1052899SUSE bug 1052925SUSE bug 1053043SUSE bug 1053117SUSE bug 964063SUSE bug 974215SUSE bug 998664CVE-2017-1000111 at SUSECVE-2017-1000111 at NVDCVE-2017-1000112 at SUSECVE-2017-1000112 at NVDCVE-2017-10810 at SUSECVE-2017-10810 at NVDCVE-2017-11473 at SUSECVE-2017-11473 at NVDCVE-2017-7533 at SUSECVE-2017-7533 at NVDCVE-2017-7541 at SUSECVE-2017-7541 at NVDCVE-2017-7542 at SUSECVE-2017-7542 at NVDCVE-2017-8831 at SUSECVE-2017-8831 at NVDcpe:/o:suse:sles:12:sp3Security update for quagga (Important)SUSE Linux Enterprise Server 12 SP3
This update provides Quagga 1.1.1, which brings several fixes and enhancements.
Security issues fixed:
- CVE-2017-5495: Telnet 'vty' interface DoS due to unbounded memory allocation. (bsc#1021669)
- CVE-2016-1245: Stack overrun in IPv6 RA receive code. (bsc#1005258)
Bug fixes:
- Do not enable zebra's TCP interface (port 2600) to use default UNIX socket for communication
between the daemons. (fate#323170)
Between 0.99.22.1 and 1.1.1 the following improvements have been implemented:
- Changed the default of 'link-detect' state, controlling whether zebra will respond to
link-state events and consider an interface to be down when link is down. To retain the
current behavior save your config before updating, otherwise remove the 'link-detect'
flag from your config prior to updating. There is also a new global 'default link-detect
(on|off)' flag to configure the global default.
- Greatly improved nexthop resolution for recursive routes.
- Event driven nexthop resolution for BGP.
- Route tags support.
- Transport of TE related metrics over OSPF, IS-IS.
- IPv6 Multipath for zebra and BGP.
- Multicast RIB support has been extended. It still is IPv4 only.
- RIP for IPv4 now supports equal-cost multipath (ECMP).
- route-maps have a new action 'set ipv6 next-hop peer-address'.
- route-maps have a new action 'set as-path prepend last-as'.
- 'next-hop-self all' to override nexthop on iBGP route reflector setups.
- New pimd daemon provides IPv4 PIM-SSM multicast routing.
- IPv6 address management has been improved regarding tentative addresses. This is visible in
that a freshly configured address will not immediately be marked as usable.
- Recursive route support has been overhauled. Scripts parsing 'show ip route' output may need
adaptation.
- A large amount of changes has been merged for ospf6d. Careful evaluation prior to deployment
is recommended.
- Multiprotocol peerings over IPv6 now try to find a more appropriate IPv4 nexthop by looking at
the interface.
- Relaxed bestpath criteria for multipath and improved display of multipath routes in 'show ip bgp'.
Scripts parsing this output may need to be updated.
- Support for iBGP TTL security.
ImportantSUSE bug 1005258SUSE bug 1021669SUSE bug 1034273CVE-2016-1245 at SUSECVE-2016-1245 at NVDCVE-2017-5495 at SUSECVE-2017-5495 at NVDcpe:/o:suse:sles:12:sp3Security update for expat (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for expat fixes the following issues:
- CVE-2016-9063: Possible integer overflow to fix inside XML_Parse leading to unexpected behaviour (bsc#1047240)
- CVE-2017-9233: External Entity Vulnerability could lead to denial of service (bsc#1047236)
ModerateSUSE bug 1047236SUSE bug 1047240CVE-2016-9063 at SUSECVE-2016-9063 at NVDCVE-2017-9233 at SUSECVE-2017-9233 at NVDcpe:/o:suse:sles:12:sp3Security update for git (Important)SUSE Linux Enterprise Server 12 SP3
This update for git fixes the following issues:
- CVE-2017-1000117: A client side code execution via shell injection when receiving special submodule strings from a malicious server was fixed (bsc#1052481)
ImportantSUSE bug 1052481CVE-2017-1000117 at SUSECVE-2017-1000117 at NVDcpe:/o:suse:sles:12:sp3Security update for icu (Moderate)SUSE Linux Enterprise Server 12 SP3
icu was updated to fix two security issues.
These security issues were fixed:
- CVE-2014-8147: The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional
Algorithm implementation in ICU4C in International Components for Unicode (ICU) used an integer
data type that is inconsistent with a header file, which allowed remote attackers to cause a
denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code
via crafted text (bsc#929629).
- CVE-2014-8146: The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional
Algorithm implementation in ICU4C in International Components for Unicode (ICU) did not properly
track directionally isolated pieces of text, which allowed remote attackers to cause a denial of
service (heap-based buffer overflow) or possibly execute arbitrary code via crafted text
(bsc#929629).
ModerateSUSE bug 929629CVE-2014-8146 at SUSECVE-2014-8146 at NVDCVE-2014-8147 at SUSECVE-2014-8147 at NVDcpe:/o:suse:sles:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3
This update for xen fixes several issues.
These security issues were fixed:
- CVE-2017-12135: Unbounded recursion in grant table code allowed a malicious
guest to crash the host or potentially escalate privileges/leak information
(XSA-226, bsc#1051787).
- CVE-2017-12137: Incorrectly-aligned updates to pagetables allowed for
privilege escalation (XSA-227, bsc#1051788).
- CVE-2017-12136: Race conditions with maptrack free list handling allows a
malicious guest administrator to crash the host or escalate their privilege to
that of the host (XSA-228, bsc#1051789).
- CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local guest
OS users to cause a denial of service (out-of-bounds read) via a crafted DHCP
options string (bsc#1049578).
- CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which allowed remote
attackers to cause a denial of service (daemon crash) by disconnecting during a
server-to-client reply attempt (bsc#1046637).
- CVE-2017-12855: Premature clearing of GTF_writing / GTF_reading lead to
potentially leaking sensitive information (XSA-230 bsc#1052686.
These non-security issues were fixed:
- bsc#1055695: XEN: 11SP4 and 12SP3 HVM guests can not be restored after the save using xl stack
- bsc#1035231: Migration of HVM domU did not use superpages on destination dom0
- bsc#1002573: Optimized LVM functions in block-dmmd block-dmmd
ImportantSUSE bug 1002573SUSE bug 1026236SUSE bug 1027519SUSE bug 1035231SUSE bug 1046637SUSE bug 1049578SUSE bug 1051787SUSE bug 1051788SUSE bug 1051789SUSE bug 1052686SUSE bug 1055695CVE-2017-10664 at SUSECVE-2017-10664 at NVDCVE-2017-11434 at SUSECVE-2017-11434 at NVDCVE-2017-12135 at SUSECVE-2017-12135 at NVDCVE-2017-12136 at SUSECVE-2017-12136 at NVDCVE-2017-12137 at SUSECVE-2017-12137 at NVDCVE-2017-12855 at SUSECVE-2017-12855 at NVDcpe:/o:suse:sles:12:sp3Security update for libzypp, zypper (Important)SUSE Linux Enterprise Server 12 SP3
The Software Update Stack was updated to receive fixes and enhancements.
libzypp:
- Adapt to work with GnuPG 2.1.23. (bsc#1054088)
- Support signing with subkeys. (bsc#1008325)
- Enhance sort order for media.1/products. (bsc#1054671)
zypper:
- Also show a gpg key's subkeys. (bsc#1008325)
- Improve signature check callback messages. (bsc#1045735)
- Add options to tune the GPG check settings. (bsc#1045735)
- Adapt download callback to report and handle unsigned packages. (bsc#1038984, CVE-2017-7436)
- Report missing/optional files as 'not found' rather than 'error'. (bsc#1047785)
ImportantSUSE bug 1008325SUSE bug 1038984SUSE bug 1045735SUSE bug 1047785SUSE bug 1054088SUSE bug 1054671SUSE bug 1055920CVE-2017-7436 at SUSECVE-2017-7436 at NVDcpe:/o:suse:sles:12:sp3Security update for postgresql96 (Important)SUSE Linux Enterprise Server 12 SP3
This update for postgresql96 fixes the following issues:
* CVE-2017-7547: Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. (bsc#1051685)
* CVE-2017-7546: Disallow empty passwords in all password-based authentication methods. (bsc#1051684)
* CVE-2017-7548: lo_put() function ignores ACLs. (bsc#1053259)
The changelog for this release is here:
https://www.postgresql.org/docs/9.6/static/release-9-6-4.html
ImportantSUSE bug 1051684SUSE bug 1051685SUSE bug 1053259CVE-2017-7546 at SUSECVE-2017-7546 at NVDCVE-2017-7547 at SUSECVE-2017-7547 at NVDCVE-2017-7548 at SUSECVE-2017-7548 at NVDcpe:/o:suse:sles:12:sp3Security update for gdk-pixbuf (Important)SUSE Linux Enterprise Server 12 SP3
This update for gdk-pixbuf fixes the following issues:
- CVE-2017-2862: JPEG gdk_pixbuf__jpeg_image_load_increment Code Execution Vulnerability (bsc#1048289)
- CVE-2017-2870: tiff_image_parse Code Execution Vulnerability (bsc#1048544)
- CVE-2017-6313: A dangerous integer underflow in io-icns.c (bsc#1027024)
- CVE-2017-6314: Infinite loop in io-tiff.c (bsc#1027025)
- CVE-2017-6312: Out-of-bounds read on io-ico.c (bsc#1027026)
ImportantSUSE bug 1027024SUSE bug 1027025SUSE bug 1027026SUSE bug 1048289SUSE bug 1048544SUSE bug 1049877CVE-2017-2862 at SUSECVE-2017-2862 at NVDCVE-2017-2870 at SUSECVE-2017-2870 at NVDCVE-2017-6312 at SUSECVE-2017-6312 at NVDCVE-2017-6313 at SUSECVE-2017-6313 at NVDCVE-2017-6314 at SUSECVE-2017-6314 at NVDcpe:/o:suse:sles:12:sp3Security update for evince (Important)SUSE Linux Enterprise Server 12 SP3
This update for evince fixes the following issue:
- CVE-2017-1000083: Remote attackers could have used the comicbook mode of evince to inject shell code (bsc#1046856).
ImportantSUSE bug 1046856CVE-2017-1000083 at SUSECVE-2017-1000083 at NVDcpe:/o:suse:sles:12:sp3Security update for qemu (Important)SUSE Linux Enterprise Server 12 SP3
This update for qemu fixes the following issues:
Security issues fixed:
* CVE-2017-10664: Fix DOS vulnerability in qemu-nbd (bsc#1046636)
* CVE-2017-10806: Fix DOS from stack overflow in debug messages of usb redirection
support (bsc#1047674)
* CVE-2017-11334: Fix OOB access during DMA operation (bsc#1048902)
* CVE-2017-11434: Fix OOB access parsing dhcp slirp options (bsc#1049381)
Following non-security issues were fixed:
- Postrequire acl for setfacl
- Prerequire shadow for groupadd
- The recent security fix for CVE-2017-11334 adversely affects Xen.
Include two additional patches to make sure Xen is going to be OK.
- Pre-add group kvm for qemu-tools (bsc#1011144)
- Fixed a few more inaccuracies in the support docs.
- Fix support docs to indicate ARM64 is now fully L3 supported in
SLES 12 SP3. Apply a few additional clarifications in the support
docs. (bsc#1050268)
- Adjust to libvdeplug-devel package naming changes.
- Fix migration with xhci (bsc#1048296)
- Increase VNC delay to fix missing keyboard input events (bsc#1031692)
- Remove build dependency package iasl used for seabios
ImportantSUSE bug 1011144SUSE bug 1031692SUSE bug 1046636SUSE bug 1047674SUSE bug 1048296SUSE bug 1048902SUSE bug 1049381SUSE bug 1050268CVE-2017-10664 at SUSECVE-2017-10664 at NVDCVE-2017-10806 at SUSECVE-2017-10806 at NVDCVE-2017-11334 at SUSECVE-2017-11334 at NVDCVE-2017-11434 at SUSECVE-2017-11434 at NVDcpe:/o:suse:sles:12:sp3Security update for cvs (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for cvs fixes the following issues:
- CVE-2017-12836: A leading dash in the argument of the '-d' option could lead to argument injection (bsc#1053364)
ModerateSUSE bug 1053364CVE-2017-12836 at SUSECVE-2017-12836 at NVDcpe:/o:suse:sles:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3
This update for xen fixes several issues.
These security issues were fixed:
- CVE-2017-14316: Missing bound check in function `alloc_heap_pages` for an
internal array allowed attackers using crafted hypercalls to execute
arbitrary code within Xen (XSA-231, bsc#1056278)
- CVE-2017-14318: The function __gnttab_cache_flush missed a check for grant
tables, allowing a malicious guest to crash the host or for x86 PV guests to
potentially escalate privileges (XSA-232, bsc#1056280)
- CVE-2017-14317: A race in cxenstored may have cause a double-free allowind for
DoS of the xenstored daemon (XSA-233, bsc#1056281).
- CVE-2017-14319: An error while handling grant mappings allowed malicious or
buggy x86 PV guest to escalate its privileges or crash the hypervisor (XSA-234,
bsc#1056282).
These non-security issues were fixed:
- bsc#1057358: Fixed boot into SUSE Linux Enterprise 12.3 with secure boot
- bsc#1055695: Fixed restoring updates for HVM guests for ballooned domUs
ImportantSUSE bug 1027519SUSE bug 1055695SUSE bug 1056278SUSE bug 1056280SUSE bug 1056281SUSE bug 1056282SUSE bug 1057358CVE-2017-14316 at SUSECVE-2017-14316 at NVDCVE-2017-14317 at SUSECVE-2017-14317 at NVDCVE-2017-14318 at SUSECVE-2017-14318 at NVDCVE-2017-14319 at SUSECVE-2017-14319 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive the following security fixes:
- CVE-2017-1000251: The native Bluetooth stack in the Linux Kernel was
vulnerable to a stack overflow while processing L2CAP configuration
responses, resulting in a potential remote denial-of-service vulnerability
but no remote code execution due to use of CONFIG_CC_STACKPROTECTOR.
[bnc#1057389]
ImportantSUSE bug 1057389CVE-2017-1000251 at SUSECVE-2017-1000251 at NVDcpe:/o:suse:sles:12:sp3Security update for gcc48 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for gcc48 fixes the following issues:
Security issues fixed:
- A new option -fstack-clash-protection is now offered, which mitigates the stack clash type of attacks. [bnc#1039513]
Future maintenance releases of packages will be built with this option.
- CVE-2017-11671: Fixed rdrand/rdseed code generation issue [bsc#1050947]
Bugs fixed:
- Enable LFS support in 32bit libgcov.a. [bsc#1044016]
- Bump libffi version in libffi.pc to 3.0.11.
- Fix libffi issue for armv7l. [bsc#988274]
- Properly diagnose missing -fsanitize=address support on ppc64le. [bnc#1028744]
- Backport patch for PR65612. [bnc#1022062]
- Fixed DR#1288. [bnc#1011348]
ModerateSUSE bug 1011348SUSE bug 1022062SUSE bug 1028744SUSE bug 1039513SUSE bug 1044016SUSE bug 1050947SUSE bug 988274CVE-2017-11671 at SUSECVE-2017-11671 at NVDcpe:/o:suse:sles:12:sp3Security update for emacs (Important)SUSE Linux Enterprise Server 12 SP3
This update for emacs fixes one issues.
This security issue was fixed:
- CVE-2017-14482: Remote code execution via mails with 'Content-Type: text/enriched' (bsc#1058425)
ImportantSUSE bug 1058425CVE-2017-14482 at SUSECVE-2017-14482 at NVDcpe:/o:suse:sles:12:sp3Security update for libzip (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libzip fixes one issues.
This security issue was fixed:
- CVE-2017-14107: The _zip_read_eocd64 function mishandled EOCD records, which
allowed remote attackers to cause a denial of service (memory allocation
failure in _zip_cdir_grow in zip_dirent.c) via a crafted ZIP archive (bsc#1056996).
ModerateSUSE bug 1056996CVE-2017-14107 at SUSECVE-2017-14107 at NVDcpe:/o:suse:sles:12:sp3Security update for apache2 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for apache2 fixes the following security issue:
- CVE-2017-9798: Prevent use-after-free use of memory that allowed for an
information leak via OPTIONS (bsc#1058058).
ModerateSUSE bug 1058058CVE-2017-9798 at SUSECVE-2017-9798 at NVDcpe:/o:suse:sles:12:sp3Security update for spice (Important)SUSE Linux Enterprise Server 12 SP3
This update for spice fixes the following security issues:
- CVE-2017-7506: Fixed an out-of-bounds memory access when processing specially
crafted messages from authenticated attacker to the spice server resulting into
crash and/or server memory leak (bsc#1046779).
ImportantSUSE bug 1046779CVE-2017-7506 at SUSECVE-2017-7506 at NVDcpe:/o:suse:sles:12:sp3Security update for wireshark (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for wireshark to version 2.2.9 fixes several issues.
These security issues were fixed:
- CVE-2017-13767: The MSDP dissector could have gone into an infinite loop.
This was addressed by adding length validation (bsc#1056248).
- CVE-2017-13766: The Profinet I/O dissector could have crash with an
out-of-bounds write. This was addressed by adding string validation
(bsc#1056249).
- CVE-2017-13765: The IrCOMM dissector had a buffer over-read and application
crash. This was addressed by adding length validation (bsc#1056251).
- CVE-2017-9766: PROFINET IO data with a high recursion depth allowed remote
attackers to cause a denial of service (stack exhaustion) in the
dissect_IODWriteReq function (bsc#1045341).
- CVE-2017-9617: Deeply nested DAAP data may have cause stack exhaustion
(uncontrolled recursion) in the dissect_daap_one_tag function in the DAAP
dissector (bsc#1044417).
ModerateSUSE bug 1044417SUSE bug 1045341SUSE bug 1056248SUSE bug 1056249SUSE bug 1056251CVE-2017-13765 at SUSECVE-2017-13765 at NVDCVE-2017-13766 at SUSECVE-2017-13766 at NVDCVE-2017-13767 at SUSECVE-2017-13767 at NVDCVE-2017-9617 at SUSECVE-2017-9617 at NVDCVE-2017-9766 at SUSECVE-2017-9766 at NVDcpe:/o:suse:sles:12:sp3Security update for tiff (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for tiff to version 4.0.8 fixes a several bugs and security issues:
These security issues were fixed:
- CVE-2017-7595: The JPEGSetupEncode function allowed remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image (bsc#1033127).
- CVE-2016-10371: The TIFFWriteDirectoryTagCheckedRational function allowed remote attackers to cause a denial of service (assertion failure and application exit) via a crafted TIFF file (bsc#1038438).
- CVE-2017-7598: Error in tif_dirread.c allowed remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image (bsc#1033118).
- CVE-2017-7596: Undefined behavior because of floats outside their expected value range, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033126).
- CVE-2017-7597: Undefined behavior because of floats outside their expected value range, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033120).
- CVE-2017-7599: Undefined behavior because of shorts outside their expected value range, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033113).
- CVE-2017-7600: Undefined behavior because of chars outside their expected value range, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033112).
- CVE-2017-7601: Because of a shift exponent too large for 64-bit type long undefined behavior was caused, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033111).
- CVE-2017-7602: Prevent signed integer overflow, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033109).
- CVE-2017-7592: The putagreytile function had a left-shift undefined behavior issue, which might allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033131).
- CVE-2017-7593: Ensure that tif_rawdata is properly initialized, to prevent remote attackers to obtain sensitive information from process memory via a crafted image (bsc#1033129).
- CVE-2017-7594: The OJPEGReadHeaderInfoSecTablesDcTable function allowed remote attackers to cause a denial of service (memory leak) via a crafted image (bsc#1033128).
- CVE-2017-9403: Prevent memory leak in function TIFFReadDirEntryLong8Array, which allowed attackers to cause a denial of service via a crafted file (bsc#1042805).
- CVE-2017-9404: Fixed memory leak vulnerability in function OJPEGReadHeaderInfoSecTablesQTable, which allowed attackers to cause a denial of service via a crafted file (bsc#1042804).
These various other issues were fixed:
- Fix uint32 overflow in TIFFReadEncodedStrip() that caused an
integer division by zero. Reported by Agostino Sarubbo.
- fix heap-based buffer overflow on generation of PixarLog / LUV
compressed files, with ColorMap, TransferFunction attached and
nasty plays with bitspersample. The fix for LUV has not been
tested, but suffers from the same kind of issue of PixarLog.
- modify ChopUpSingleUncompressedStrip() to instanciate compute
ntrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip),
instead of a logic based on the total size of data. Which is
faulty is the total size of data is not sufficient to fill the
whole image, and thus results in reading outside of the
StripByCounts/StripOffsets arrays when using
TIFFReadScanline()
- make OJPEGDecode() early exit in case of failure in
OJPEGPreDecode(). This will avoid a divide by zero, and
potential other issues.
- fix misleading indentation as warned by GCC.
- revert change done on 2016-01-09 that made Param member of
TIFFFaxTabEnt structure a uint16 to reduce size of the
binary. It happens that the Hylafax software uses the tables
that follow this typedef (TIFFFaxMainTable, TIFFFaxWhiteTable,
TIFFFaxBlackTable), although they are not in a public libtiff
header.
- add TIFFReadRGBAStripExt() and TIFFReadRGBATileExt() variants
of the functions without ext, with an extra argument to control
the stop_on_error behaviour.
- fix potential memory leaks in error code path of
TIFFRGBAImageBegin().
- increase libjpeg max memory usable to 10 MB instead of libjpeg
1MB default. This helps when creating files with 'big' tile,
without using libjpeg temporary files.
- add _TIFFcalloc()
- return 0 in Encode functions instead of -1 when
TIFFFlushData1() fails.
- only run JPEGFixupTagsSubsampling() if the YCbCrSubsampling
tag is not explicitly present. This helps a bit to reduce the
I/O amount when the tag is present (especially on cloud hosted
files).
- in LZWPostEncode(), increase, if necessary, the code bit-width
after flushing the remaining code and before emitting the EOI
code.
- fix memory leak in error code path of PixarLogSetupDecode().
- fix potential memory leak in
OJPEGReadHeaderInfoSecTablesQTable,
OJPEGReadHeaderInfoSecTablesDcTable and
OJPEGReadHeaderInfoSecTablesAcTable
- avoid crash in Fax3Close() on empty file.
- TIFFFillStrip(): add limitation to the number of bytes read
in case td_stripbytecount[strip] is bigger than reasonable,
so as to avoid excessive memory allocation.
- fix memory leak when the underlying codec (ZIP, PixarLog)
succeeds its setupdecode() method, but PredictorSetup fails.
- TIFFFillStrip() and TIFFFillTile(): avoid excessive memory
allocation in case of shorten files. Only effective on 64 bit
builds and non-mapped cases.
- TIFFFillStripPartial() / TIFFSeek(), avoid potential integer
overflows with read_ahead in CHUNKY_STRIP_READ_SUPPORT mode.
- avoid excessive memory allocation in case of shorten files.
Only effective on 64 bit builds.
- update tif_rawcc in CHUNKY_STRIP_READ_SUPPORT mode with
tif_rawdataloaded when calling TIFFStartStrip() or
TIFFFillStripPartial().
- avoid potential int32 overflow in TIFFYCbCrToRGBInit() Fixes
- avoid potential int32 overflows in multiply_ms() and add_ms().
- fix out-of-buffer read in PackBitsDecode() Fixes
- LogL16InitState(): avoid excessive memory allocation when
RowsPerStrip tag is missing.
- update dec_bitsleft at beginning of LZWDecode(), and update
tif_rawcc at end of LZWDecode(). This is needed to properly
work with the latest chnges in tif_read.c in
CHUNKY_STRIP_READ_SUPPORT mode.
- PixarLogDecode(): resync tif_rawcp with next_in and tif_rawcc
with avail_in at beginning and end of function, similarly to
what is done in LZWDecode(). Likely needed so that it works
properly with latest chnges in tif_read.c in
CHUNKY_STRIP_READ_SUPPORT mode.
- initYCbCrConversion(): add basic validation of luma and
refBlackWhite coefficients (just check they are not NaN for
now), to avoid potential float to int overflows.
- _TIFFVSetField(): fix outside range cast of double to float.
- initYCbCrConversion(): check luma[1] is not zero to avoid division by zero
- _TIFFVSetField(): fix outside range cast of double to float.
- initYCbCrConversion(): check luma[1] is not zero to avoid
division by zero.
- initYCbCrConversion(): stricter validation for refBlackWhite
coefficients values.
- avoid uint32 underflow in cpDecodedStrips that can cause
various issues, such as buffer overflows in the library.
- fix readContigStripsIntoBuffer() in -i (ignore) mode so that
the output buffer is correctly incremented to avoid write
outside bounds.
- add 3 extra bytes at end of strip buffer in
readSeparateStripsIntoBuffer() to avoid read outside of heap
allocated buffer.
- fix integer division by zero when BitsPerSample is missing.
- fix null pointer dereference in -r mode when the image has no
StripByteCount tag.
- avoid potential division by zero is BitsPerSamples tag is
missing.
- when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is called, limit
the return number of inks to SamplesPerPixel, so that code
that parses ink names doesn't go past the end of the buffer.
- avoid potential division by zero is BitsPerSamples tag is
missing.
- fix uint32 underflow/overflow that can cause heap-based buffer
overflow.
- replace assert( (bps % 8) == 0 ) by a non assert check.
- fix 2 heap-based buffer overflows (in PSDataBW and
PSDataColorContig).
- prevent heap-based buffer overflow in -j mode on a paletted
image.
- fix wrong usage of memcpy() that can trigger unspecified behaviour.
- avoid potential invalid memory read in t2p_writeproc.
- avoid potential heap-based overflow in t2p_readwrite_pdf_image_tile().
- remove extraneous TIFFClose() in error code path, that caused
double free.
- error out cleanly in cpContig2SeparateByRow and
cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap
based overflow.
- avoid integer division by zero.
- call TIFFClose() in error code paths.
- emit appropriate message if the input file is empty.
- close TIFF handle in error code path.
ModerateSUSE bug 1033109SUSE bug 1033111SUSE bug 1033112SUSE bug 1033113SUSE bug 1033118SUSE bug 1033120SUSE bug 1033126SUSE bug 1033127SUSE bug 1033128SUSE bug 1033129SUSE bug 1033131SUSE bug 1038438SUSE bug 1042804SUSE bug 1042805CVE-2016-10371 at SUSECVE-2016-10371 at NVDCVE-2017-7592 at SUSECVE-2017-7592 at NVDCVE-2017-7593 at SUSECVE-2017-7593 at NVDCVE-2017-7594 at SUSECVE-2017-7594 at NVDCVE-2017-7595 at SUSECVE-2017-7595 at NVDCVE-2017-7596 at SUSECVE-2017-7596 at NVDCVE-2017-7597 at SUSECVE-2017-7597 at NVDCVE-2017-7598 at SUSECVE-2017-7598 at NVDCVE-2017-7599 at SUSECVE-2017-7599 at NVDCVE-2017-7600 at SUSECVE-2017-7600 at NVDCVE-2017-7601 at SUSECVE-2017-7601 at NVDCVE-2017-7602 at SUSECVE-2017-7602 at NVDCVE-2017-9403 at SUSECVE-2017-9403 at NVDCVE-2017-9404 at SUSECVE-2017-9404 at NVDcpe:/o:suse:sles:12:sp3Security update for liblouis (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for liblouis fixes several issues.
These security issues were fixed:
- CVE-2017-13738: Prevent illegal address access in the _lou_getALine function that allowed to cause remote DoS (bsc#1056105).
- CVE-2017-13739: Prevent heap-based buffer overflow in the function resolveSubtable() that could have caused DoS or remote code execution (bsc#1056101).
- CVE-2017-13740: Prevent stack-based buffer overflow in the function parseChars() that could have caused DoS or possibly unspecified other impact (bsc#1056097)
- CVE-2017-13741: Prevent use-after-free in function compileBrailleIndicator() that allowed to cause remote DoS (bsc#1056095).
- CVE_2017-13742: Prevent stack-based buffer overflow in function includeFile that allowed to cause remote DoS (bsc#1056093).
- CVE-2017-13743: Prevent buffer overflow triggered in the function _lou_showString() that allowed to cause remote DoS (bsc#1056090).
- CVE-2017-13744: Prevent illegal address access in the function _lou_getALine() that allowed to cause remote DoS (bsc#1056088).
ModerateSUSE bug 1056088SUSE bug 1056090SUSE bug 1056093SUSE bug 1056095SUSE bug 1056097SUSE bug 1056101SUSE bug 1056105CVE-2017-13738 at SUSECVE-2017-13738 at NVDCVE-2017-13739 at SUSECVE-2017-13739 at NVDCVE-2017-13740 at SUSECVE-2017-13740 at NVDCVE-2017-13741 at SUSECVE-2017-13741 at NVDCVE-2017-13743 at SUSECVE-2017-13743 at NVDCVE-2017-13744 at SUSECVE-2017-13744 at NVDcpe:/o:suse:sles:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3
This update for MozillaFirefox to ESR 52.3 fixes several issues.
These security issues were fixed:
- CVE-2017-7807 Domain hijacking through AppCache fallback (bsc#1052829)
- CVE-2017-7791 Spoofing following page navigation with data: protocol and modal alerts (bsc#1052829)
- CVE-2017-7792 Buffer overflow viewing certificates with an extremely long OID (bsc#1052829)
- CVE-2017-7782 WindowsDllDetourPatcher allocates memory without DEP protections (bsc#1052829)
- CVE-2017-7787 Same-origin policy bypass with iframes through page reloads (bsc#1052829)
- CVE-2017-7786 Buffer overflow while painting non-displayable SVG (bsc#1052829)
- CVE-2017-7785 Buffer overflow manipulating ARIA attributes in DOM (bsc#1052829)
- CVE-2017-7784 Use-after-free with image observers (bsc#1052829)
- CVE-2017-7753 Out-of-bounds read with cached style data and pseudo-elements (bsc#1052829)
- CVE-2017-7798 XUL injection in the style editor in devtools (bsc#1052829)
- CVE-2017-7804 Memory protection bypass through WindowsDllDetourPatcher (bsc#1052829)
- CVE-2017-7779 Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3 (bsc#1052829)
- CVE-2017-7800 Use-after-free in WebSockets during disconnection (bsc#1052829)
- CVE-2017-7801 Use-after-free with marquee during window resizing (bsc#1052829)
- CVE-2017-7802 Use-after-free resizing image elements (bsc#1052829)
- CVE-2017-7803 CSP containing 'sandbox' improperly applied (bsc#1052829)
ImportantSUSE bug 1052829CVE-2017-7753 at SUSECVE-2017-7753 at NVDCVE-2017-7779 at SUSECVE-2017-7779 at NVDCVE-2017-7782 at SUSECVE-2017-7782 at NVDCVE-2017-7784 at SUSECVE-2017-7784 at NVDCVE-2017-7785 at SUSECVE-2017-7785 at NVDCVE-2017-7786 at SUSECVE-2017-7786 at NVDCVE-2017-7787 at SUSECVE-2017-7787 at NVDCVE-2017-7791 at SUSECVE-2017-7791 at NVDCVE-2017-7792 at SUSECVE-2017-7792 at NVDCVE-2017-7798 at SUSECVE-2017-7798 at NVDCVE-2017-7800 at SUSECVE-2017-7800 at NVDCVE-2017-7801 at SUSECVE-2017-7801 at NVDCVE-2017-7802 at SUSECVE-2017-7802 at NVDCVE-2017-7803 at SUSECVE-2017-7803 at NVDCVE-2017-7804 at SUSECVE-2017-7804 at NVDCVE-2017-7807 at SUSECVE-2017-7807 at NVDcpe:/o:suse:sles:12:sp3Security update for libvirt (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libvirt fixes several issues.
This security issue was fixed:
- bsc#1053600: Escape ssh commed line to prevent interpreting malicious
hostname as arguments, allowing for command execution
These non-security issues were fixed:
- bsc#1049505, bsc#1051017: Security manager: Don't autogenerate seclabels of
type 'none' when AppArmor is inactive
- bsc#1045693: Support chardevs with ARM machines
ModerateSUSE bug 1045693SUSE bug 1049505SUSE bug 1051017SUSE bug 1053600cpe:/o:suse:sles:12:sp3Security update for dnsmasq (Important)SUSE Linux Enterprise Server 12 SP3
This update for dnsmasq fixes the following security issues:
- CVE-2017-14491: 2 byte heap based overflow. [bsc#1060354]
- CVE-2017-14492: heap based overflow. [bsc#1060355]
- CVE-2017-14493: stack based overflow. [bsc#1060360]
- CVE-2017-14494: DHCP - info leak. [bsc#1060361]
- CVE-2017-14495: DNS - OOM DoS. [bsc#1060362]
- CVE-2017-14496: DNS - DoS Integer underflow. [bsc#1060364]
ImportantSUSE bug 1060354SUSE bug 1060355SUSE bug 1060360SUSE bug 1060361SUSE bug 1060362SUSE bug 1060364CVE-2017-14491 at SUSECVE-2017-14491 at NVDCVE-2017-14492 at SUSECVE-2017-14492 at NVDCVE-2017-14493 at SUSECVE-2017-14493 at NVDCVE-2017-14494 at SUSECVE-2017-14494 at NVDCVE-2017-14495 at SUSECVE-2017-14495 at NVDCVE-2017-14496 at SUSECVE-2017-14496 at NVDcpe:/o:suse:sles:12:sp3Security update for openjpeg2 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for openjpeg2 fixes several issues.
These security issues were fixed:
- CVE-2016-10507: Integer overflow vulnerability in the bmp24toimage function
allowed remote attackers to cause a denial of service (heap-based buffer
over-read and application crash) via a crafted bmp file (bsc#1056421).
- CVE-2017-14039: A heap-based buffer overflow was discovered in the
opj_t2_encode_packet function. The vulnerability caused an out-of-bounds write,
which may have lead to remote denial of service or possibly unspecified other
impact (bsc#1056622).
- CVE-2017-14164: A size-validation issue was discovered in opj_j2k_write_sot.
The vulnerability caused an out-of-bounds write, which may have lead to remote
DoS or possibly remote code execution (bsc#1057511).
- CVE-2017-14040: An invalid write access was discovered in bin/jp2/convert.c,
triggering a crash in the tgatoimage function. The vulnerability may have lead
to remote denial of service or possibly unspecified other impact (bsc#1056621).
- CVE-2017-14041: A stack-based buffer overflow was discovered in the
pgxtoimage function. The vulnerability caused an out-of-bounds write, which may
have lead to remote denial of service or possibly remote code execution
(bsc#1056562).
ModerateSUSE bug 1056421SUSE bug 1056562SUSE bug 1056621SUSE bug 1056622SUSE bug 1057511CVE-2016-10507 at SUSECVE-2016-10507 at NVDCVE-2017-14039 at SUSECVE-2017-14039 at NVDCVE-2017-14040 at SUSECVE-2017-14040 at NVDCVE-2017-14041 at SUSECVE-2017-14041 at NVDCVE-2017-14164 at SUSECVE-2017-14164 at NVDcpe:/o:suse:sles:12:sp3Security update for krb5 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for krb5 fixes several issues.
This security issue was fixed:
- CVE-2017-11462: Prevent automatic security context deletion to prevent
double-free (bsc#1056995)
These non-security issues were fixed:
- Set 'rdns' and 'dns_canonicalize_hostname' to false in krb5.conf
in order to improve client security in handling service principle
names. (bsc#1054028)
- Prevent kadmind.service startup failure caused by absence of
LDAP service. (bsc#903543)
- Remove main package's dependency on systemd (bsc#1032680)
ModerateSUSE bug 1032680SUSE bug 1054028SUSE bug 1056995SUSE bug 903543CVE-2017-11462 at SUSECVE-2017-11462 at NVDcpe:/o:suse:sles:12:sp3Security update for MozillaFirefox, mozilla-nss (Important)SUSE Linux Enterprise Server 12 SP3
This update for MozillaFirefox to ESR 52.4, mozilla-nss fixes the following issues:
This security issue was fixed for mozilla-nss:
- CVE-2017-7805: Prevent use-after-free in TLS 1.2 when generating handshake hashes (bsc#1061005)
These security issues were fixed for Firefox
- CVE-2017-7825: Fixed some Tibetan and Arabic unicode characters rendering (bsc#1060445).
- CVE-2017-7805: Prevent Use-after-free in TLS 1.2 generating handshake hashes (bsc#1060445).
- CVE-2017-7819: Prevent Use-after-free while resizing images in design mode (bsc#1060445).
- CVE-2017-7818: Prevent Use-after-free during ARIA array manipulation (bsc#1060445).
- CVE-2017-7793: Prevent Use-after-free with Fetch API (bsc#1060445).
- CVE-2017-7824: Prevent Buffer overflow when drawing and validating elements with ANGLE (bsc#1060445).
- CVE-2017-7810: Fixed several memory safety bugs (bsc#1060445).
- CVE-2017-7823: CSP sandbox directive did not create a unique origin (bsc#1060445).
- CVE-2017-7814: Blob and data URLs bypassed phishing and malware protection warnings (bsc#1060445).
ImportantSUSE bug 1060445SUSE bug 1061005CVE-2017-7793 at SUSECVE-2017-7793 at NVDCVE-2017-7805 at SUSECVE-2017-7805 at NVDCVE-2017-7810 at SUSECVE-2017-7810 at NVDCVE-2017-7814 at SUSECVE-2017-7814 at NVDCVE-2017-7818 at SUSECVE-2017-7818 at NVDCVE-2017-7819 at SUSECVE-2017-7819 at NVDCVE-2017-7823 at SUSECVE-2017-7823 at NVDCVE-2017-7824 at SUSECVE-2017-7824 at NVDCVE-2017-7825 at SUSECVE-2017-7825 at NVDcpe:/o:suse:sles:12:sp3Security update for samba (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for samba fixes several issues.
These security issues were fixed:
- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to
file, leaking information from the server to the client (bsc#1058624)
- CVE-2017-12150: Always enforce smb signing when it is configured (bsc#1058622)
- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects (bsc#1058565)
The following non-security issue was fixed:
- Fix GUID string format on GetPrinter info request. (bsc#1050707)
ModerateSUSE bug 1050707SUSE bug 1058565SUSE bug 1058622SUSE bug 1058624CVE-2017-12150 at SUSECVE-2017-12150 at NVDCVE-2017-12151 at SUSECVE-2017-12151 at NVDCVE-2017-12163 at SUSECVE-2017-12163 at NVDcpe:/o:suse:sles:12:sp3Security update for xerces-j2 (Moderate)SUSE Linux Enterprise Server 12 SP3
xerces-j2 was updated to fix several issues.
This security issue was fixed:
- bsc#814241: Prevent possible DoS through very long attribute names
This non-security issue was fixed:
- Prevent StackOverflowError when applying a pattern restriction on long strings
while trying to validate an XML file against a schema (bsc#1047536, bsc#879138)
ModerateSUSE bug 1047536SUSE bug 814241SUSE bug 879138cpe:/o:suse:sles:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3
This update for xen fixes several issues:
These security issues were fixed:
- CVE-2017-5526: The ES1370 audio device emulation support was vulnerable to a
memory leakage issue allowing a privileged user inside the guest to cause a DoS
and/or potentially crash the Qemu process on the host (bsc#1059777)
- bsc#1061084: Missing cleanup in the page type system allowed a malicious or
buggy PV guest to cause DoS (XSA-242)
- bsc#1061086: A problem in the shadow pagetable code allowed a malicious or
buggy HVM guest to cause DoS or cause hypervisor memory corruption potentially
allowing the guest to escalate its privilege (XSA-243)
- bsc#1061087: Problematic handling of the selector fields in the Interrupt
Descriptor Table (IDT) allowed a malicious or buggy x86 PV guest to escalate
its privileges or cause DoS (XSA-244)
- bsc#1061077 Missing checks in the handling of DMOPs allowed malicious or
buggy stub domain kernels or tool stacks otherwise living outside of Domain0 to
cause a DoS (XSA-238)
- bsc#1061080: Intercepted I/O write operations with less than a full machine
word's worth of data were not properly handled, which allowed a malicious
unprivileged x86 HVM guest to obtain sensitive information from the host or
other guests (XSA-239)
- bsc#1061081: In certain configurations of linear page tables a stack overflow
might have occured that allowed a malicious or buggy PV guest to cause DoS and
potentially privilege escalation and information leaks (XSA-240)
- bsc#1061082: Under certain conditions x86 PV guests could have caused the
hypervisor to miss a necessary TLB flush for a page. This allowed a malicious
x86 PV guest to access all of system memory, allowing for privilege escalation,
DoS, and information leaks (XSA-241)
- bsc#1061076: Multiple issues existed with the setup of PCI MSI interrupts
that allowed a malicious or buggy guest to cause DoS and potentially privilege
escalation and information leaks (XSA-237)
- bsc#1055321: When dealing with the grant map space of add-to-physmap
operations, ARM specific code failed to release a lock. This allowed a
malicious guest administrator to cause DoS (XSA-235)
ImportantSUSE bug 1027519SUSE bug 1055321SUSE bug 1059777SUSE bug 1061076SUSE bug 1061077SUSE bug 1061080SUSE bug 1061081SUSE bug 1061082SUSE bug 1061084SUSE bug 1061086SUSE bug 1061087CVE-2017-5526 at SUSECVE-2017-5526 at NVDcpe:/o:suse:sles:12:sp3Security update for git (Important)SUSE Linux Enterprise Server 12 SP3
This update for git fixes the following issues:
This security issue was fixed:
- CVE-2017-14867: Git used unsafe Perl scripts to support subcommands such as
cvsserver, which allowed attackers to execute arbitrary OS commands via shell
metacharacters in a module name (bsc#1061041).
ImportantSUSE bug 1061041CVE-2017-14867 at SUSECVE-2017-14867 at NVDcpe:/o:suse:sles:12:sp3Security update for wpa_supplicant (Important)SUSE Linux Enterprise Server 12 SP3
This update for wpa_supplicant fixes the security issues:
- Several vulnerabilities in standard conforming implementations of the WPA2
protocol have been discovered and published under the code name KRACK. This
update remedies those issues in a backwards compatible manner, i.e. the
updated wpa_supplicant can interface properly with both vulnerable and
patched implementations of WPA2, but an attacker won't be able to exploit the
KRACK weaknesses in those connections anymore even if the other party is
still vulnerable. [bsc#1056061, CVE-2017-13078, CVE-2017-13079,
CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088]
ImportantSUSE bug 1056061CVE-2017-13078 at SUSECVE-2017-13078 at NVDCVE-2017-13079 at SUSECVE-2017-13079 at NVDCVE-2017-13080 at SUSECVE-2017-13080 at NVDCVE-2017-13081 at SUSECVE-2017-13081 at NVDCVE-2017-13087 at SUSECVE-2017-13087 at NVDCVE-2017-13088 at SUSECVE-2017-13088 at NVDcpe:/o:suse:sles:12:sp3Security update for curl (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2017-1000254: FTP PWD response parser out of bounds read (bsc#1061876)
- CVE-2017-1000257: IMAP FETCH response out of bounds read (bsc#1063824)
Bugs fixed:
- Fixed error 'error:1408F10B:SSL routines' when connecting to ftps via proxy (bsc#1060653)
ModerateSUSE bug 1060653SUSE bug 1061876SUSE bug 1063824CVE-2017-1000254 at SUSECVE-2017-1000254 at NVDCVE-2017-1000257 at SUSECVE-2017-1000257 at NVDcpe:/o:suse:sles:12:sp3Security update for openvpn (Important)SUSE Linux Enterprise Server 12 SP3
This update for openvpn fixes the following issues:
- CVE-2017-12166: Lack of bound check in read_key in old legacy key handling before using values could be used for a remote buffer overflow (bsc#1060877).
ImportantSUSE bug 1060877CVE-2017-12166 at SUSECVE-2017-12166 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3
The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.92 to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2017-1000252: The KVM subsystem in the Linux kernel allowed guest OS users to cause a denial of service (assertion failure, and hypervisor hang or crash) via an out-of bounds guest_irq value, related to arch/x86/kvm/vmx.c and virt/kvm/eventfd.c (bnc#1058038).
- CVE-2017-11472: The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the Linux kernel did not flush the operand cache and causes a kernel stack dump, which allowed local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table (bnc#1049580).
- CVE-2017-12134: The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation (bnc#1051790 bsc#1053919).
- CVE-2017-12153: A security flaw was discovered in the nl80211_set_rekey_data() function in net/wireless/nl80211.c in the Linux kernel This function did not check whether the required attributes are present in a Netlink request. This request can be issued by a user with the CAP_NET_ADMIN capability and may result in a NULL pointer dereference and system crash (bnc#1058410).
- CVE-2017-12154: The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel did not ensure that the 'CR8-load exiting' and 'CR8-store exiting' L0 vmcs02 controls exist in cases where L1 omits the 'use TPR shadow' vmcs12 control, which allowed KVM L2 guest OS users to obtain read and write access to the hardware CR8 register (bnc#1058507).
- CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bnc#1056061 1063479 1063667 1063671).
- CVE-2017-14051: An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash) by leveraging root access (bnc#1056588).
- CVE-2017-14106: The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel allowed local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path (bnc#1056982).
- CVE-2017-14489: The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the Linux kernel allowed local users to cause a denial of service (panic) by leveraging incorrect length validation (bnc#1059051).
- CVE-2017-15265: Use-after-free vulnerability in the Linux kernel before 4.14-rc5 allowed local users to have unspecified impact via vectors related to /dev/snd/seq (bnc#1062520).
- CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bnc#1064388).
The following non-security bugs were fixed:
- acpi: apd: Add clock frequency for Hisilicon Hip07/08 I2C controller (bsc#1049291).
- acpi: apd: Fix HID for Hisilicon Hip07/08 (bsc#1049291).
- acpi: apei: Enable APEI multiple GHES source to share a single external IRQ (bsc#1053627).
- acpica: iort: Update SMMU models for revision C (bsc#1036060).
- acpi: irq: Fix return code of acpi_gsi_to_irq() (bsc#1053627).
- acpi/nfit: Fix memory corruption/Unregister mce decoder on failure (bsc#1057047).
- acpi: pci: fix GIC irq model default PCI IRQ polarity (bsc#1053629).
- acpi/processor: Check for duplicate processor ids at hotplug time (bnc#1056230).
- acpi/processor: Implement DEVICE operator for processor enumeration (bnc#1056230).
- ahci: do not use MSI for devices with the silly Intel NVMe remapping scheme (bsc#1048912).
- ahci: thunderx2: stop engine fix update (bsc#1057031).
- alsa: au88x0: avoid theoretical uninitialized access (bnc#1012382).
- alsa: compress: Remove unused variable (bnc#1012382).
- alsa: hda - Add stereo mic quirk for Lenovo G50-70 (17aa:3978) (bsc#1020657).
- alsa: hda - Implement mic-mute LED mode enum (bsc#1055013).
- alsa: hda/realtek - Add support headphone Mic for ALC221 of HP platform (bsc#1024405).
- alsa: hda - Workaround for i915 KBL breakage (bsc#1048356,bsc#1047989,bsc#1055272).
- alsa: ice1712: Add support for STAudio ADCIII (bsc#1048934).
- alsa: usb-audio: Apply sample rate quirk to Sennheiser headset (bsc#1052580).
- alsa: usb-audio: Check out-of-bounds access by corrupted buffer descriptor (bnc#1012382).
- alsa: usx2y: Suppress kernel warning at page allocation failures (bnc#1012382).
- arc: Re-enable MMU upon Machine Check exception (bnc#1012382).
- arm64: add function to get a cpu's MADT GICC table (bsc#1062279).
- arm64: do not trace atomic operations (bsc#1055290).
- arm64: dts: Add Broadcom Vulcan PMU in dts (fate#319481).
- arm64: fault: Route pte translation faults via do_translation_fault (bnc#1012382).
- arm64: Make sure SPsel is always set (bnc#1012382).
- arm64: mm: select CONFIG_ARCH_PROC_KCORE_TEXT (bsc#1046529).
- arm64: pci: Fix struct acpi_pci_root_ops allocation failure path (bsc#1056849).
- arm64/perf: Access pmu register using <read/write>_sys_reg (bsc#1062279).
- arm64/perf: Add Broadcom Vulcan PMU support (fate#319481).
- arm64/perf: Changed events naming as per the ARM ARM (fate#319481).
- arm64/perf: Define complete ARMv8 recommended implementation defined events (fate#319481).
- arm64: perf: do not expose CHAIN event in sysfs (bsc#1062279).
- arm64: perf: Extend event config for ARMv8.1 (bsc#1062279).
- arm64/perf: Filter common events based on PMCEIDn_EL0 (fate#319481).
- arm64: perf: Ignore exclude_hv when kernel is running in HYP (bsc#1062279).
- arm64: perf: move to common attr_group fields (bsc#1062279).
- arm64: perf: Use the builtin_platform_driver (bsc#1062279).
- arm64: pmu: add fallback probe table (bsc#1062279).
- arm64: pmu: Hoist pmu platform device name (bsc#1062279).
- arm64: pmu: Probe default hw/cache counters (bsc#1062279).
- arm64: pmuv3: handle pmuv3+ (bsc#1062279).
- arm64: pmuv3: handle !PMUv3 when probing (bsc#1062279).
- arm64: pmuv3: use arm_pmu ACPI framework (bsc#1062279).
- arm64: pmu: Wire-up Cortex A53 L2 cache events and DTLB refills (bsc#1062279).
- arm: 8635/1: nommu: allow enabling REMAP_VECTORS_TO_RAM (bnc#1012382).
- arm: dts: r8a7790: Use R-Car Gen 2 fallback binding for msiof nodes (bnc#1012382).
- arm/perf: Convert to hotplug state machine (bsc#1062279).
- arm/perf: Fix hotplug state machine conversion (bsc#1062279).
- arm/perf: Use multi instance instead of custom list (bsc#1062279).
- arm: pxa: add the number of DMA requestor lines (bnc#1012382).
- arm: pxa: fix the number of DMA requestor lines (bnc#1012382).
- arm: remove duplicate 'const' annotations' (bnc#1012382).
- asoc: dapm: fix some pointer error handling (bnc#1012382).
- asoc: dapm: handle probe deferrals (bnc#1012382).
- audit: log 32-bit socketcalls (bnc#1012382).
- bcache: correct cache_dirty_target in __update_writeback_rate() (bnc#1012382).
- bcache: Correct return value for sysfs attach errors (bnc#1012382).
- bcache: do not subtract sectors_to_gc for bypassed IO (bnc#1012382).
- bcache: fix bch_hprint crash and improve output (bnc#1012382).
- bcache: fix for gc and write-back race (bnc#1012382).
- bcache: Fix leak of bdev reference (bnc#1012382).
- bcache: initialize dirty stripes in flash_dev_run() (bnc#1012382).
- blacklist.conf: a7b8829d242b1a58107e9c02b09e93aec446d55c is not applicable
- blacklist.conf: Add commit b5accbb0dfae
- blacklist.conf: add one more
- blacklist.conf: Blacklist d12fe87e62d7 signal/testing: Do not look for __SI_FAULT in userspace It just fixes a self-test.
- blacklist.conf: e859afe1ee0c5ae981c55387ccd45eba258a7842 is not applicable
- blacklist.conf: fixes on relevant for MIPS/driver not in our tree
- blacklist.conf: gcc7 compiler warning (bsc#1056849)
- block: genhd: add device_add_disk_with_groups (bsc#1060400).
- block: Relax a check in blk_start_queue() (bnc#1012382).
- block: return on congested block device (FATE#321994).
- bluetooth: bnep: fix possible might sleep error in bnep_session (bsc#1031784).
- bluetooth: cmtp: fix possible might sleep error in cmtp_session (bsc#1031784).
- bnx2x: Do not log mc removal needlessly (bsc#1019680 FATE#321692).
- bnxt: add a missing rcu synchronization (bnc#1038583).
- bnxt: do not busy-poll when link is down (bnc#1038583).
- bnxt_en: Add a callback to inform RDMA driver during PCI shutdown (bsc#1053309).
- bnxt_en: Add additional chip ID definitions (bsc#1053309).
- bnxt_en: Add bnxt_get_num_stats() to centrally get the number of ethtool stats (bsc#1053309).
- bnxt_en: Add missing logic to handle TPA end error conditions (bsc#1053309).
- bnxt_en: Add PCI IDs for BCM57454 VF devices (bsc#1053309).
- bnxt_en: Allow the user to set ethtool stats-block-usecs to 0 (bsc#1053309).
- bnxt_en: Call bnxt_dcb_init() after getting firmware DCBX configuration (bsc#1053309).
- bnxt_en: Check status of firmware DCBX agent before setting DCB_CAP_DCBX_HOST (bsc#1053309).
- bnxt_en: Do not setup MAC address in bnxt_hwrm_func_qcaps() (bsc#963575 FATE#320144).
- bnxt_en: Enable MRU enables bit when configuring VNIC MRU (bnc#1038583).
- bnxt_en: Fix and clarify link_info->advertising (bnc#1038583).
- bnxt_en: Fix a VXLAN vs GENEVE issue (bnc#1038583).
- bnxt_en: Fix bug in ethtool -L (bsc#1053309).
- bnxt_en: Fix netpoll handling (bsc#1053309).
- bnxt_en: Fix NULL pointer dereference in a failure path during open (bnc#1038583).
- bnxt_en: Fix NULL pointer dereference in reopen failure path (bnc#1038583).
- bnxt_en: fix pci cleanup in bnxt_init_one() failure path (bnc#1038583).
- bnxt_en: Fix race conditions in .ndo_get_stats64() (bsc#1053309).
- bnxt_en: Fix ring arithmetic in bnxt_setup_tc() (bnc#1038583).
- bnxt_en: Fix SRIOV on big-endian architecture (bsc#1053309).
- bnxt_en: Fix TX push operation on ARM64 (bnc#1038583).
- bnxt_en: Fix 'uninitialized variable' bug in TPA code path (bnc#1038583).
- bnxt_en: Fix VF virtual link state (bnc#1038583).
- bnxt_en: Fix xmit_more with BQL (bsc#1053309).
- bnxt_en: Free MSIX vectors when unregistering the device from bnxt_re (bsc#1020412 FATE#321671).
- bnxt_en: Implement ndo_bridge_{get|set}link methods (bsc#1053309).
- bnxt_en: Implement xmit_more (bsc#1053309).
- bnxt_en: initialize rc to zero to avoid returning garbage (bnc#1038583).
- bnxt_en: Optimize doorbell write operations for newer chips (bsc#1053309).
- bnxt_en: Pad TX packets below 52 bytes (bnc#1038583).
- bnxt_en: Pass in sh parameter to bnxt_set_dflt_rings() (bsc#1053309).
- bnxt_en: Refactor TPA code path (bnc#1038583).
- bnxt_en: Report firmware DCBX agent (bsc#1053309).
- bnxt_en: Retrieve the hardware bridge mode from the firmware (bsc#1053309).
- bnxt_en: Set ETS min_bw parameter for older firmware (bsc#1053309).
- bnxt_en: Support for Short Firmware Message (bsc#1053309).
- bnxt_en: Update firmware interface spec to 1.8.0 (bsc#1053309).
- bnxt: fix unsigned comparsion with 0 (bsc#1053309).
- bnxt: fix unused variable warnings (bsc#1053309).
- bnxt_re: Do not issue cmd to delete GID for QP1 GID entry before the QP is destroyed (bsc#1056596).
- bnxt_re: Fix compare and swap atomic operands (bsc#1056596).
- bnxt_re: Fix memory leak in FRMR path (bsc#1056596).
- bnxt_re: Fix race between the netdev register and unregister events (bsc#1037579).
- bnxt_re: Fix update of qplib_qp.mtu when modified (bsc#1056596).
- bnxt_re: Free up devices in module_exit path (bsc#1056596).
- bnxt_re: Remove RTNL lock dependency in bnxt_re_query_port (bsc#1056596).
- bnxt_re: Stop issuing further cmds to FW once a cmd times out (bsc#1056596).
- brcmfmac: setup passive scan if requested by user-space (bnc#1012382).
- bridge: netlink: register netdevice before executing changelink (bnc#1012382).
- bsg-lib: do not free job in bsg_prepare_job (bnc#1012382).
- btrfs: change how we decide to commit transactions during flushing (bsc#1060197).
- btrfs: fix early ENOSPC due to delalloc (bsc#1049226).
- btrfs: fix NULL pointer dereference from free_reloc_roots() (bnc#1012382).
- btrfs: nowait aio: Correct assignment of pos (FATE#321994).
- btrfs: nowait aio support (FATE#321994).
- btrfs: prevent to set invalid default subvolid (bnc#1012382).
- btrfs: propagate error to btrfs_cmp_data_prepare caller (bnc#1012382).
- btrfs: qgroup: move noisy underflow warning to debugging build (bsc#1055755).
- ceph: avoid accessing freeing inode in ceph_check_delayed_caps() (bsc#1048228).
- ceph: avoid invalid memory dereference in the middle of umount (bsc#1048228).
- ceph: avoid panic in create_session_open_msg() if utsname() returns NULL (bsc#1061451).
- ceph: check negative offsets in ceph_llseek() (bsc#1061451).
- ceph: cleanup writepage_nounlock() (bsc#1048228).
- ceph: do not re-send interrupted flock request (bsc#1048228).
- ceph: fix message order check in handle_cap_export() (bsc#1061451).
- ceph: fix NULL pointer dereference in ceph_flush_snaps() (bsc#1061451).
- ceph: fix readpage from fscache (bsc#1057015).
- ceph: getattr before read on ceph.* xattrs (bsc#1048228).
- ceph: handle epoch barriers in cap messages (bsc#1048228).
- ceph: limit osd read size to CEPH_MSG_MAX_DATA_LEN (bsc#1061451).
- ceph: limit osd write size (bsc#1061451).
- ceph: new mount option that specifies fscache uniquifier (bsc#1048228).
- ceph: redirty page when writepage_nounlock() skips unwritable page (bsc#1048228).
- ceph: remove special ack vs commit behavior (bsc#1048228).
- ceph: remove useless page->mapping check in writepage_nounlock() (bsc#1048228).
- ceph: re-request max size after importing caps (bsc#1048228).
- ceph: stop on-going cached readdir if mds revokes FILE_SHARED cap (bsc#1061451).
- ceph: update ceph_dentry_info::lease_session when necessary (bsc#1048228).
- ceph: update the 'approaching max_size' code (bsc#1048228).
- ceph: validate correctness of some mount options (bsc#1061451).
- ceph: when seeing write errors on an inode, switch to sync writes (bsc#1048228).
- cifs: add build_path_from_dentry_optional_prefix() (fate#323482).
- cifs: add use_ipc flag to SMB2_ioctl() (fate#323482).
- cifs: Fix maximum SMB2 header size (bsc#1056185).
- cifs: Fix SMB3.1.1 guest authentication to Samba (bnc#1012382).
- cifs: Fix sparse warnings (fate#323482).
- cifs: implement get_dfs_refer for SMB2+ (fate#323482).
- cifs: let ses->ipc_tid hold smb2 TreeIds (fate#323482).
- cifs: move DFS response parsing out of SMB1 code (fate#323482).
- cifs: release auth_key.response for reconnect (bnc#1012382).
- cifs: remove any preceding delimiter from prefix_path (fate#323482).
- cifs: set signing flag in SMB2+ TreeConnect if needed (fate#323482).
- cifs: use DFS pathnames in SMB2+ Create requests (fate#323482).
- clocksource/drivers/arm_arch_timer: Fix mem frame loop initialization (bsc#1055709).
- cpufreq: intel_pstate: Disable energy efficiency optimization (bsc#1054654).
- crush: assume weight_set != null imples weight_set_size > 0 (bsc#1048228).
- crush: crush_init_workspace starts with struct crush_work (bsc#1048228).
- crush: implement weight and id overrides for straw2 (bsc#1048228).
- crush: remove an obsolete comment (bsc#1048228).
- crypto: AF_ALG - remove SGL terminator indicator when chaining (bnc#1012382).
- crypto: chcr - Add ctr mode and process large sg entries for cipher (bsc#1048325).
- crypto: chcr - Avoid changing request structure (bsc#1048325).
- crypto: chcr - Ensure Destination sg entry size less than 2k (bsc#1048325).
- crypto: chcr - Fix fallback key setting (bsc#1048325).
- crypto: chcr - Pass lcb bit setting to firmware (bsc#1048325).
- crypto: chcr - Return correct error code (bsc#1048325).
- crypto: talitos - Do not provide setkey for non hmac hashing algs (bnc#1012382).
- crypto: talitos - fix sha224 (bnc#1012382).
- cxgb4: Fix stack out-of-bounds read due to wrong size to t4_record_mbox() (bsc#1021424 bsc#1022743).
- cxgb4: update latest firmware version supported (bsc#1048327).
- cxgbit: add missing __kfree_skb() (bsc#1052095).
- cxgbit: fix sg_nents calculation (bsc#1052095).
- cxl: Fix driver use count (bnc#1012382).
- device-dax: fix cdev leak (bsc#1057047).
- dmaengine: mmp-pdma: add number of requestors (bnc#1012382).
- dmaengine: mv_xor_v2: do not use descriptors not acked by async_tx (bsc#1056849).
- dmaengine: mv_xor_v2: enable XOR engine after its configuration (bsc#1056849).
- dmaengine: mv_xor_v2: fix tx_submit() implementation (bsc#1056849).
- dmaengine: mv_xor_v2: handle mv_xor_v2_prep_sw_desc() error properly (bsc#1056849).
- dmaengine: mv_xor_v2: properly handle wrapping in the array of HW descriptors (bsc#1056849).
- dmaengine: mv_xor_v2: remove interrupt coalescing (bsc#1056849).
- dmaengine: mv_xor_v2: set DMA mask to 40 bits (bsc#1056849).
- dm mpath: do not lock up a CPU with requeuing activity (bsc#1048912).
- documentation: arm64: pmu: Add Broadcom Vulcan PMU binding (fate#319481).
- driver-core: platform: Add platform_irq_count() (bsc#1062279).
- driver core: platform: Do not read past the end of 'driver_override' buffer (bnc#1012382).
- drivers: base: cacheinfo: fix boot error message when acpi is enabled (bsc#1057849).
- drivers: firmware: psci: drop duplicate const from psci_of_match (FATE#319482 bnc#1012382).
- drivers: hv: fcopy: restore correct transfer length (bnc#1012382).
- drivers: net: phy: xgene: Fix mdio write (bsc#1057383).
- drivers: net: xgene: Fix wrong logical operation (bsc#1056827).
- drivers/perf: arm_pmu_acpi: avoid perf IRQ init when guest PMU is off (bsc#1062279).
- drivers/perf: arm_pmu_acpi: Release memory obtained by kasprintf (bsc#1062279).
- drivers/perf: arm_pmu: add ACPI framework (bsc#1062279).
- drivers/perf: arm_pmu: add common attr group fields (bsc#1062279).
- drivers/perf: arm_pmu: Always consider IRQ0 as an error (bsc#1062279).
- drivers/perf: arm_pmu: Avoid leaking pmu->irq_affinity on error (bsc#1062279).
- drivers/perf: arm_pmu: avoid NULL dereference when not using devicetree (bsc#1062279).
- drivers/perf: arm-pmu: convert arm_pmu_mutex to spinlock (bsc#1062279).
- drivers/perf: arm_pmu: Defer the setting of __oprofile_cpu_pmu (bsc#1062279).
- drivers/perf: arm_pmu: define armpmu_init_fn (bsc#1062279).
- drivers/perf: arm_pmu: expose a cpumask in sysfs (bsc#1062279).
- drivers/perf: arm_pmu: factor out pmu registration (bsc#1062279).
- drivers/perf: arm-pmu: Fix handling of SPI lacking 'interrupt-affinity' property (bsc#1062279).
- drivers/perf: arm_pmu: Fix NULL pointer dereference during probe (bsc#1062279).
- drivers/perf: arm-pmu: fix RCU usage on pmu resume from low-power (bsc#1062279).
- drivers/perf: arm_pmu: Fix reference count of a device_node in of_pmu_irq_cfg (bsc#1062279).
- drivers/perf: arm_pmu: fold init into alloc (bsc#1062279).
- drivers/perf: arm_pmu: handle no platform_device (bsc#1062279).
- drivers/perf: arm-pmu: Handle per-interrupt affinity mask (bsc#1062279).
- drivers/perf: arm_pmu: implement CPU_PM notifier (bsc#1062279).
- drivers/perf: arm_pmu: make info messages more verbose (bsc#1062279).
- drivers/perf: arm_pmu: manage interrupts per-cpu (bsc#1062279).
- drivers/perf: arm_pmu: move irq request/free into probe (bsc#1062279).
- drivers/perf: arm_pmu: only use common attr_groups (bsc#1062279).
- drivers/perf: arm_pmu: remove pointless PMU disabling (bsc#1062279).
- drivers/perf: arm_pmu: rename irq request/free functions (bsc#1062279).
- drivers/perf: arm_pmu: Request PMU SPIs with IRQF_PER_CPU (bsc#1062279).
- drivers/perf: arm_pmu: rework per-cpu allocation (bsc#1062279).
- drivers/perf: arm_pmu: simplify cpu_pmu_request_irqs() (bsc#1062279).
- drivers/perf: arm_pmu: split cpu-local irq request/free (bsc#1062279).
- drivers/perf: arm_pmu: split irq request from enable (bsc#1062279).
- drivers/perf: arm_pmu: split out platform device probe logic (bsc#1062279).
- drivers/perf: kill armpmu_register (bsc#1062279).
- drm: Add driver-private objects to atomic state (bsc#1055493).
- drm/amdkfd: fix improper return value on error (bnc#1012382).
- drm: bridge: add DT bindings for TI ths8135 (bnc#1012382).
- drm/dp: Introduce MST topology state to track available link bandwidth (bsc#1055493).
- drm_fourcc: Fix DRM_FORMAT_MOD_LINEAR #define (bnc#1012382).
- drm/i915/bios: ignore HDMI on port A (bnc#1012382).
- drm/vmwgfx: Limit max desktop dimensions to 8Kx8K (bsc#1048155).
- e1000e: use disable_hardirq() also for MSIX vectors in e1000_netpoll() (bsc#1022912 FATE#321246).
- edac, sb_edac: Assign EDAC memory controller per h/w controller (bsc#1061721).
- edac, sb_edac: Avoid creating SOCK memory controller (bsc#1061721).
- edac, sb_edac: Bump driver version and do some cleanups (bsc#1061721).
- edac, sb_edac: Carve out dimm-populating loop (bsc#1061721).
- edac, sb_edac: Check if ECC enabled when at least one DIMM is present (bsc#1061721).
- edac, sb_edac: Classify memory mirroring modes (bsc#1061721).
- edac, sb_edac: Classify PCI-IDs by topology (bsc#1061721).
- edac, sb_edac: Do not create a second memory controller if HA1 is not present (bsc#1061721).
- edac, sb_edac: Do not use 'Socket#' in the memory controller name (bsc#1061721).
- edac, sb_edac: Drop NUM_CHANNELS from 8 back to 4 (bsc#1061721).
- edac, sb_edac: Fix mod_name (bsc#1061721).
- edac, sb_edac: Get rid of ->show_interleave_mode() (bsc#1061721).
- edac, sb_edac: Remove double buffering of error records (bsc#1061721).
- edac, sb_edac: Remove NULL pointer check on array pci_tad (bsc#1061721).
- edac, skx_edac: Handle systems with segmented PCI busses (bsc#1063102).
- edac, thunderx: Fix a warning during l2c debugfs node creation (bsc#1057038).
- edac, thunderx: Fix error handling path in thunderx_lmc_probe() (bsc#1057038).
- efi/fb: Avoid reconfiguration of BAR that covers the framebuffer (bsc#1051987).
- efi/fb: Correct PCI_STD_RESOURCE_END usage (bsc#1051987).
- ext4: do not allow encrypted operations without keys (bnc#1012382).
- ext4: fix incorrect quotaoff if the quota feature is enabled (bnc#1012382).
- ext4: fix quota inconsistency during orphan cleanup for read-only mounts (bnc#1012382).
- ext4: nowait aio support (FATE#321994).
- extcon: axp288: Use vbus-valid instead of -present to determine cable presence (bnc#1012382).
- exynos-gsc: Do not swap cb/cr for semi planar formats (bnc#1012382).
- f2fs: check hot_data for roll-forward recovery (bnc#1012382).
- fix flags ordering (bsc#1034075 comment 131)
- Fix mpage_writepage() for pages with buffers (bsc#1050471).
- fix whitespace according to upstream commit
- fix xen_swiotlb_dma_mmap prototype (bnc#1012382).
- fs/epoll: cache leftmost node (bsc#1056427).
- fs: Introduce filemap_range_has_page() (FATE#321994).
- fs: Introduce RWF_NOWAIT and FMODE_AIO_NOWAIT (FATE#321994).
- fs/mpage.c: fix mpage_writepage() for pages with buffers (bsc#1050471). Update to version in mainline
- fs/proc: kcore: use kcore_list type to check for vmalloc/module address (bsc#1046529).
- fs: return if direct I/O will trigger writeback (FATE#321994).
- fs: Separate out kiocb flags setup based on RWF_* flags (FATE#321994).
- fs: Use RWF_* flags for AIO operations (FATE#321994).
- ftrace: Fix kmemleak in unregister_ftrace_graph (bnc#1012382).
- ftrace: Fix memleak when unregistering dynamic ops when tracing disabled (bnc#1012382).
- ftrace: Fix selftest goto location on error (bnc#1012382).
- genirq: Fix for_each_action_of_desc() macro (bsc#1061064).
- getcwd: Close race with d_move called by lustre (bsc#1052593).
- gfs2: Do not clear SGID when inheriting ACLs (bsc#1012829).
- gfs2: Fix debugfs glocks dump (bnc#1012382).
- gfs2: Fix reference to ERR_PTR in gfs2_glock_iter_next (bnc#1012382).
- gianfar: Fix Tx flow control deactivation (bnc#1012382).
- hid: i2c-hid: allocate hid buffers for real worst case (bnc#1012382).
- Hid: usbhid: Add HID_QUIRK_NOGET for Aten CS-1758 KVM switch (bnc#1022967).
- hwmon: (gl520sm) Fix overflows and crash seen when writing into limit attributes (bnc#1012382).
- i2c: designware: Add ACPI HID for Hisilicon Hip07/08 I2C controller (bsc#1049291).
- i2c: designware: Convert to use unified device property API (bsc#1049291).
- i2c: meson: fix wrong variable usage in meson_i2c_put_data (bnc#1012382).
- i2c: xgene: Set ACPI_COMPANION_I2C (bsc#1053633).
- i2c: xgene-slimpro: Add ACPI support by using PCC mailbox (bsc#1053633).
- i2c: xgene-slimpro: include linux/io.h for memremap (bsc#1053633).
- i2c: xgene-slimpro: Use a single function to send command message (bsc#1053633).
- i40e/i40evf: fix out-of-bounds read of cpumask (bsc#1053685).
- i40e: Initialize 64-bit statistics TX ring seqcount (bsc#1024346 FATE#321239 bsc#1024373 FATE#321247).
- i40iw: Add missing memory barriers (bsc#969476 FATE#319648 bsc#969477 FATE#319816).
- i40iw: Fix port number for query QP (bsc#969476 FATE#319648 bsc#969477 FATE#319816).
- ib/core: Add generic function to extract IB speed from netdev (bsc#1056596).
- ib/core: Add ordered workqueue for RoCE GID management (bsc#1056596).
- ib/core: Fix for core panic (bsc#1022595 FATE#322350).
- ib/core: Fix the validations of a multicast LID in attach or detach operations (bsc#1022595 FATE#322350).
- ib/hns: checking for IS_ERR() instead of NULL (bsc#1056849).
- ib/i40iw: Fix error code in i40iw_create_cq() (bsc#969476 FATE#319648 bsc#969477 FATE#319816).
- ib/ipoib: Fix deadlock over vlan_mutex (bnc#1012382 bsc#1022595 FATE#322350).
- ib/ipoib: Replace list_del of the neigh->list with list_del_init (FATE#322350 bnc#1012382 bsc#1022595).
- ib/ipoib: rtnl_unlock can not come after free_netdev (FATE#322350 bnc#1012382 bsc#1022595).
- ib/mlx5: Change logic for dispatching IB events for port state (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- ib/mlx5: Fix cached MR allocation flow (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- ib/mlx5: Fix Raw Packet QP event handler assignment (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- ibmvnic: Clean up resources on probe failure (fate#323285, bsc#1058116).
- ibmvnic: Set state UP (bsc#1062962).
- ib/qib: fix false-postive maybe-uninitialized warning (FATE#321231 FATE#321473 FATE#322149 FATE#322153 bnc#1012382).
- ib/rxe: Add dst_clone() in prepare_ipv6_hdr() (bsc#1049361).
- ib/rxe: Avoid ICRC errors by copying into the skb first (bsc#1049361).
- ib/rxe: Disable completion upcalls when a CQ is destroyed (bsc#1049361).
- ib/rxe: Fix destination cache for IPv6 (bsc#1049361).
- ib/rxe: Fix up rxe_qp_cleanup() (bsc#1049361).
- ib/rxe: Fix up the responder's find_resources() function (bsc#1049361).
- ib/rxe: Handle NETDEV_CHANGE events (bsc#1049361).
- ib/rxe: Move refcounting earlier in rxe_send() (bsc#1049361).
- ib/rxe: Remove dangling prototype (bsc#1049361).
- ib/rxe: Remove unneeded initialization in prepare6() (bsc#1049361).
- ib/rxe: Set dma_mask and coherent_dma_mask (bsc#1049361).
- igb: re-assign hw address pointer on reset after PCI error (bnc#1012382).
- iio: ad7793: Fix the serial interface reset (bnc#1012382).
- iio: adc: axp288: Drop bogus AXP288_ADC_TS_PIN_CTRL register modifications (bnc#1012382).
- iio: adc: hx711: Add DT binding for avia,hx711 (bnc#1012382).
- iio: adc: mcp320x: Fix oops on module unload (bnc#1012382).
- iio: adc: mcp320x: Fix readout of negative voltages (bnc#1012382).
- iio: adc: twl4030: Disable the vusb3v1 rugulator in the error handling path of 'twl4030_madc_probe()' (bnc#1012382).
- iio: adc: twl4030: Fix an error handling path in 'twl4030_madc_probe()' (bnc#1012382).
- iio: ad_sigma_delta: Implement a dedicated reset function (bnc#1012382).
- iio: core: Return error for failed read_reg (bnc#1012382).
- input: i8042 - add Gigabyte P57 to the keyboard reset table (bnc#1012382).
- iommu/arm-smmu-v3, acpi: Add temporary Cavium SMMU-V3 IORT model number definitions (bsc#1036060).
- iommu/arm-smmu-v3: Increase CMDQ drain timeout value (bsc#1035479). Refresh patch to mainline version
- iommu/io-pgtable-arm: Check for leaf entry before dereferencing it (bnc#1012382).
- iommu/vt-d: Avoid calling virt_to_phys() on null pointer (bsc#1061067).
- ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt() (bnc#1012382).
- ipv6: add rcu grace period before freeing fib6_node (bnc#1012382).
- ipv6: fix memory leak with multiple tables during netns destruction (bnc#1012382).
- ipv6: fix sparse warning on rt6i_node (bnc#1012382).
- ipv6: fix typo in fib6_net_exit() (bnc#1012382).
- irqchip/gic-v3-its: Fix command buffer allocation (bsc#1057067).
- iscsi-target: fix invalid flags in text response (bsc#1052095).
- iw_cxgb4: put ep reference in pass_accept_req() (FATE#321658 bsc#1005778 FATE#321660 bsc#1005780 FATE#321661 bsc#1005781).
- iwlwifi: add workaround to disable wide channels in 5GHz (bnc#1012382).
- iwlwifi: mvm: do not send CTDP commands via debugfs if not supported (bsc#1031717).
- kabi: arm64: compatibility workaround for lse atomics (bsc#1055290).
- kabi fix drivers/nvme/target/nvmet.h (bsc#1058550).
- KABI fixup struct nvmet_sq (bsc#1063349).
- kABI: protect enum fs_flow_table_type (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- kABI: protect enum pid_type (kabi).
- kABI: protect struct iscsi_np (kabi).
- kABI: protect struct mlx5_priv (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- kABI: protect struct rm_data_op (kabi).
- kABI: protect struct sdio_func (kabi).
- kabi/severities: add fs/ceph to kabi severities (bsc#1048228).
- kabi/severities: Ignore drivers/scsi/cxgbi (bsc#1052094)
- kabi/severities: Ignore kABI changes due to last patchset (bnc#1053472)
- kabi/severities: ignore nfs_pgio_data_destroy
- kABI: uninline task_tgid_nr_nr (kabi).
- kABI: Workaround kABI breakage of AMD-AVIC fixes (bsc#1044503).
- kernel/*: switch to memdup_user_nul() (bsc#1048893).
- kernel/sysctl_binary.c: check name array length in deprecated_sysctl_warning() (FATE#323821).
- keys: fix writing past end of user-supplied buffer in keyring_read() (bnc#1012382).
- keys: prevent creating a different user's keyrings (bnc#1012382).
- keys: prevent KEYCTL_READ on negative key (bnc#1012382).
- kvm: Add struct kvm_vcpu pointer parameter to get_enable_apicv() (bsc#1044503).
- kvm: arm64: Restore host physical timer access on hyp_panic() (bsc#1054082).
- kvm: arm/arm64: Fix bug in advertising KVM_CAP_MSI_DEVID capability (bsc#1054082).
- kvm: async_pf: Fix #DF due to inject 'Page not Present' and 'Page Ready' exceptions simultaneously (bsc#1061017).
- kvm, pkeys: do not use PKRU value in vcpu->arch.guest_fpu.state (bsc#1055935).
- kvm: PPC: Book3S: Fix race and leak in kvm_vm_ioctl_create_spapr_tce() (bnc#1012382).
- kvm: SVM: Add a missing 'break' statement (bsc#1061017).
- kvm: SVM: Add irqchip_split() checks before enabling AVIC (bsc#1044503).
- kvm: SVM: delete avic_vm_id_bitmap (2 megabyte static array) (bsc#1059500).
- kvm: SVM: Refactor AVIC vcpu initialization into avic_init_vcpu() (bsc#1044503).
- kvm: VMX: do not change SN bit in vmx_update_pi_irte() (bsc#1061017).
- kvm: VMX: remove WARN_ON_ONCE in kvm_vcpu_trigger_posted_interrupt (bsc#1061017).
- kvm: VMX: use cmpxchg64 (bnc#1012382).
- kvm: x86: block guest protection keys unless the host has them enabled (bsc#1055935).
- kvm: x86: kABI workaround for PKRU fixes (bsc#1055935).
- kvm: x86: simplify handling of PKRU (bsc#1055935).
- libata: transport: Remove circular dependency at free time (bnc#1012382).
- libceph: abort already submitted but abortable requests when map or pool goes full (bsc#1048228).
- libceph: add an epoch_barrier field to struct ceph_osd_client (bsc#1048228).
- libceph: advertise support for NEW_OSDOP_ENCODING and SERVER_LUMINOUS (bsc#1048228).
- libceph: advertise support for OSD_POOLRESEND (bsc#1048228).
- libceph: allow requests to return immediately on full conditions if caller wishes (bsc#1048228).
- libceph: always populate t->target_{oid,oloc} in calc_target() (bsc#1048228).
- libceph: always signal completion when done (bsc#1048228).
- libceph: apply_upmap() (bsc#1048228).
- libceph: avoid unnecessary pi lookups in calc_target() (bsc#1048228).
- libceph: ceph_connection_operations::reencode_message() method (bsc#1048228).
- libceph: ceph_decode_skip_* helpers (bsc#1048228).
- libceph: compute actual pgid in ceph_pg_to_up_acting_osds() (bsc#1048228).
- libceph, crush: per-pool crush_choose_arg_map for crush_do_rule() (bsc#1048228).
- libceph: delete from need_resend_linger before check_linger_pool_dne() (bsc#1048228).
- libceph: do not allow bidirectional swap of pg-upmap-items (bsc#1061451).
- libceph: do not call encode_request_finish() on MOSDBackoff messages (bsc#1048228).
- libceph: do not call ->reencode_message() more than once per message (bsc#1048228).
- libceph: do not pass pgid by value (bsc#1048228).
- libceph: drop need_resend from calc_target() (bsc#1048228).
- libceph: encode_{pgid,oloc}() helpers (bsc#1048228).
- libceph: fallback for when there isn't a pool-specific choose_arg (bsc#1048228).
- libceph: fix old style declaration warnings (bsc#1048228).
- libceph: foldreq->last_force_resend into ceph_osd_request_target (bsc#1048228).
- libceph: get rid of ack vs commit (bsc#1048228).
- libceph: handle non-empty dest in ceph_{oloc,oid}_copy() (bsc#1048228).
- libceph: initialize last_linger_id with a large integer (bsc#1048228).
- libceph: introduce and switch to decode_pg_mapping() (bsc#1048228).
- libceph: introduce ceph_spg, ceph_pg_to_primary_shard() (bsc#1048228).
- libceph: kill __{insert,lookup,remove}_pg_mapping() (bsc#1048228).
- libceph: make DEFINE_RB_* helpers more general (bsc#1048228).
- libceph: make encode_request_*() work with r_mempool requests (bsc#1048228).
- libceph: make RECOVERY_DELETES feature create a new interval (bsc#1048228).
- libceph: make sure need_resend targets reflect latest map (bsc#1048228).
- libceph: MOSDOp v8 encoding (actual spgid + full hash) (bsc#1048228).
- libceph: new features macros (bsc#1048228).
- libceph: new pi->last_force_request_resend (bsc#1048228).
- libceph: NULL deref on osdmap_apply_incremental() error path (bsc#1048228).
- libceph: osd_request_timeout option (bsc#1048228).
- libceph: osd_state is 32 bits wide in luminous (bsc#1048228).
- libceph: pg_upmap[_items] infrastructure (bsc#1048228).
- libceph: pool deletion detection (bsc#1048228).
- libceph: potential NULL dereference in ceph_msg_data_create() (bsc#1048228).
- libceph: remove ceph_sanitize_features() workaround (bsc#1048228).
- libceph: remove now unused finish_request() wrapper (bsc#1048228).
- libceph: remove req->r_replay_version (bsc#1048228).
- libceph: resend on PG splits if OSD has RESEND_ON_SPLIT (bsc#1048228).
- libceph: respect RADOS_BACKOFF backoffs (bsc#1048228).
- libceph: set -EINVAL in one place in crush_decode() (bsc#1048228).
- libceph: support SERVER_JEWEL feature bits (bsc#1048228).
- libceph: take osdc->lock in osdmap_show() and dump flags in hex (bsc#1048228).
- libceph: upmap semantic changes (bsc#1048228).
- libceph: use alloc_pg_mapping() in __decode_pg_upmap_items() (bsc#1048228).
- libceph: use target pi for calc_target() calculations (bsc#1048228).
- lib: test_rhashtable: fix for large entry counts (bsc#1055359).
- lib: test_rhashtable: Fix KASAN warning (bsc#1055359).
- lightnvm: remove unused rq parameter of nvme_nvm_rqtocmd() to kill warning (FATE#319466).
- locking/rwsem: Fix down_write_killable() for CONFIG_RWSEM_GENERIC_SPINLOCK=y (bsc#969756).
- locking/rwsem-spinlock: Fix EINTR branch in __down_write_common() (bsc#969756).
- lpfc: Add Buffer to Buffer credit recovery support (bsc#1052384).
- lpfc: convert info messages to standard messages (bsc#1052384).
- lpfc: Correct issues with FAWWN and FDISCs (bsc#1052384).
- lpfc: Correct return error codes to align with nvme_fc transport (bsc#1052384).
- lpfc: Fix bad sgl reposting after 2nd adapter reset (bsc#1052384).
- lpfc: Fix crash in lpfc nvmet when fc port is reset (bsc#1052384).
- lpfc: Fix duplicate NVME rport entries and namespaces (bsc#1052384).
- lpfc: Fix handling of FCP and NVME FC4 types in Pt2Pt topology (bsc#1052384).
- lpfc: fix 'integer constant too large' error on 32bit archs (bsc#1052384).
- lpfc: Fix loop mode target discovery (bsc#1052384).
- lpfc: Fix MRQ > 1 context list handling (bsc#1052384).
- lpfc: Fix NVME PRLI handling during RSCN (bsc#1052384).
- lpfc: Fix nvme target failure after 2nd adapter reset (bsc#1052384).
- lpfc: Fix oops when NVME Target is discovered in a nonNVME environment (bsc#1052384).
- lpfc: Fix plogi collision that causes illegal state transition (bsc#1052384).
- lpfc: Fix rediscovery on switch blade pull (bsc#1052384).
- lpfc: Fix relative offset error on large nvmet target ios (bsc#1052384).
- lpfc: fixup crash during storage failover operations (bsc#1042847).
- lpfc: Limit amount of work processed in IRQ (bsc#1052384).
- lpfc: lpfc version bump 11.4.0.3 (bsc#1052384).
- lpfc: remove console log clutter (bsc#1052384).
- lpfc: support nvmet_fc defer_rcv callback (bsc#1052384).
- lsm: fix smack_inode_removexattr and xattr_getsecurity memleak (bnc#1012382).
- mac80211: flush hw_roc_start work before cancelling the ROC (bnc#1012382).
- md/bitmap: disable bitmap_resize for file-backed bitmaps (bsc#1061172).
- md/raid10: submit bio directly to replacement disk (bnc#1012382).
- md/raid5: fix a race condition in stripe batch (linux-stable).
- md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list (bnc#1012382).
- md/raid5: release/flush io in raid5_do_work() (bnc#1012382).
- media: uvcvideo: Prevent heap overflow when accessing mapped controls (bnc#1012382).
- media: v4l2-compat-ioctl32: Fix timespec conversion (bnc#1012382).
- megaraid_sas: Fix probing cards without io port (bsc#1053681).
- mips: Ensure bss section ends on a long-aligned address (bnc#1012382).
- mips: Fix minimum alignment requirement of IRQ stack (git-fixes).
- mips: IRQ Stack: Unwind IRQ stack onto task stack (bnc#1012382).
- mips: Lantiq: Fix another request_mem_region() return code check (bnc#1012382).
- mips: math-emu: <MAXA|MINA>.<D|S>: Fix cases of both infinite inputs (bnc#1012382).
- mips: math-emu: <MAXA|MINA>.<D|S>: Fix cases of input values with opposite signs (bnc#1012382).
- mips: math-emu: <MAX|MAXA|MIN|MINA>.<D|S>: Fix cases of both inputs zero (bnc#1012382).
- mips: math-emu: <MAX|MAXA|MIN|MINA>.<D|S>: Fix quiet NaN propagation (bnc#1012382).
- mips: math-emu: <MAX|MIN>.<D|S>: Fix cases of both inputs negative (bnc#1012382).
- mips: math-emu: MINA.<D|S>: Fix some cases of infinity and zero inputs (bnc#1012382).
- mips: ralink: Fix incorrect assignment on ralink_soc (bnc#1012382).
- mlx5: Avoid that mlx5_ib_sg_to_klms() overflows the klms array (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- mm: avoid marking swap cached page as lazyfree (VM Functionality, bsc#1061775).
- mm/backing-dev.c: fix an error handling path in 'cgwb_create()' (bnc#1063475).
- mmc: mmc: correct the logic for setting HS400ES signal voltage (bsc#1054082).
- mm,compaction: serialize waitqueue_active() checks (for real) (bsc#971975).
- mmc: sdhci-xenon: add set_power callback (bsc#1057035).
- mmc: sdhci-xenon: Fix the work flow in xenon_remove() (bsc#1057035).
- mmc: sdio: fix alignment issue in struct sdio_func (bnc#1012382).
- mm: discard memblock data later (bnc#1063460).
- mm: fix data corruption caused by lazyfree page (VM Functionality, bsc#1061775).
- mm, madvise: ensure poisoned pages are removed from per-cpu lists (VM hw poison -- git fixes).
- mm/memblock.c: reversed logic in memblock_discard() (bnc#1063460).
- mm: meminit: mark init_reserved_page as __meminit (bnc#1063509).
- mm/memory_hotplug: change pfn_to_section_nr/section_nr_to_pfn macro to inline function (bnc#1063501).
- mm/memory_hotplug: define find_{smallest|biggest}_section_pfn as unsigned long (bnc#1063520).
- mm/page_alloc.c: apply gfp_allowed_mask before the first allocation attempt (bnc#971975 VM -- git fixes).
- mm: prevent double decrease of nr_reserved_highatomic (bnc#1012382).
- mm/vmalloc.c: huge-vmap: fail gracefully on unexpected huge vmap mappings (bsc#1046529).
- mptsas: Fixup device hotplug for VMWare ESXi (bsc#1030850).
- net: core: Prevent from dereferencing null pointer when releasing SKB (bnc#1012382).
- net: ethernet: hip04: Call SET_NETDEV_DEV() (bsc#1049336).
- netfilter: fix IS_ERR_VALUE usage (bsc#1052888).
- netfilter: invoke synchronize_rcu after set the _hook_ to NULL (bnc#1012382).
- netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max (bnc#1012382).
- netfilter: x_tables: pack percpu counter allocations (bsc#1052888).
- netfilter: x_tables: pass xt_counters struct instead of packet counter (bsc#1052888).
- netfilter: x_tables: pass xt_counters struct to counter allocator (bsc#1052888).
- net: hns: add acpi function of xge led control (bsc#1049336).
- net: hns: Fix a skb used after free bug (bsc#1049336).
- net/mlx4_core: Enable 4K UAR if SRIOV module parameter is not enabled (bsc#966191 FATE#320230 bsc#966186 FATE#320228).
- net/mlx5: Check device capability for maximum flow counters (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5: Delay events till ib registration ends (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5e: Check for qos capability in dcbnl_initialize (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5e: Do not add/remove 802.1ad rules when changing 802.1Q VLAN filter (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5e: Fix calculated checksum offloads counters (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5e: Fix dangling page pointer on DMA mapping error (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5e: Fix DCB_CAP_ATTR_DCBX capability for DCBNL getcap (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5e: Fix inline header size for small packets (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5e: Print netdev features correctly in error message (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5e: Schedule overflow check work to mlx5e workqueue (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- net/mlx5: E-Switch, Unload the representors in the correct order (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5: Fix arm SRQ command for ISSI version 0 (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5: Fix command completion after timeout access invalid structure (bsc#966318 FATE#320158 bsc#966316 FATE#320159).
- net/mlx5: Fix counter list hardware structure (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5: Remove the flag MLX5_INTERFACE_STATE_SHUTDOWN (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- net/mlx5: Skip mlx5_unload_one if mlx5_load_one fails (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- net: mvpp2: fix the mac address used when using PPv2.2 (bsc#1032150).
- net: mvpp2: use {get, put}_cpu() instead of smp_processor_id() (bsc#1032150).
- net/packet: check length in getsockopt() called with PACKET_HDRLEN (bnc#1012382).
- net: phy: Fix lack of reference count on PHY driver (bsc#1049336).
- net: phy: Fix PHY module checks and NULL deref in phy_attach_direct() (bsc#1049336).
- netvsc: Initialize 64-bit stats seqcount (fate#320485).
- new helper: memdup_user_nul() (bsc#1048893).
- nfsd: Fix general protection fault in release_lock_stateid() (bnc#1012382).
- nfs: flush data when locking a file to ensure cache coherence for mmap (bsc#981309).
- nvme: allow timed-out ios to retry (bsc#1063349).
- nvme-fabrics: generate spec-compliant UUID NQNs (bsc#1057498).
- nvme-fc: address target disconnect race conditions in fcp io submit (bsc#1052384).
- nvme-fc: do not override opts->nr_io_queues (bsc#1052384).
- nvme-fc: kABI fix for defer_rcv() callback (bsc#1052384).
- nvme_fc/nvmet_fc: revise Create Association descriptor length (bsc#1052384).
- nvme_fc: Reattach to localports on re-registration (bsc#1052384).
- nvme-fc: revise TRADDR parsing (bsc#1052384).
- nvme-fc: update tagset nr_hw_queues after queues reinit (bsc#1052384).
- nvme-fc: use blk_mq_delay_run_hw_queue instead of open-coding it (bsc#1052384).
- nvme: fix hostid parsing (bsc#1049272).
- nvme: fix sqhd reference when admin queue connect fails (bsc#1063349).
- nvme: fix visibility of 'uuid' ns attribute (bsc#1060400).
- nvme-loop: update tagset nr_hw_queues after reconnecting/resetting (bsc#1052384).
- nvme: protect against simultaneous shutdown invocations (FATE#319965 bnc#1012382 bsc#964944).
- nvme-rdma: update tagset nr_hw_queues after reconnecting/resetting (bsc#1052384).
- nvme: stop aer posting if controller state not live (bsc#1063349).
- nvmet: avoid unneeded assignment of submit_bio return value (bsc#1052384).
- nvmet_fc: Accept variable pad lengths on Create Association LS (bsc#1052384).
- nvmet_fc: add defer_req callback for deferment of cmd buffer return (bsc#1052384).
- nvmet-fc: correct use after free on list teardown (bsc#1052384).
- nvmet-fc: eliminate incorrect static markers on local variables (bsc#1052384).
- nvmet-fc: fix byte swapping in nvmet_fc_ls_create_association (bsc#1052384).
- nvmet_fc: Simplify sg list handling (bsc#1052384).
- nvmet: implement valid sqhd values in completions (bsc#1063349).
- nvmet: Move serial number from controller to subsystem (bsc#1058550).
- nvmet: prefix version configfs file with attr (bsc#1052384).
- nvmet: preserve controller serial number between reboots (bsc#1058550).
- nvmet: synchronize sqhd update (bsc#1063349).
- nvme: use device_add_disk_with_groups() (bsc#1060400).
- of: fix '/cpus' reference leak in of_numa_parse_cpu_nodes() (bsc#1056827).
- ovl: fix dentry leak for default_permissions (bsc#1054084).
- parisc: perf: Fix potential NULL pointer dereference (bnc#1012382).
- partitions/efi: Fix integer overflow in GPT size calculation (FATE#322379 bnc#1012382 bsc#1020989).
- pci: Allow PCI express root ports to find themselves (bsc#1061046).
- pci: fix oops when try to find Root Port for a PCI device (bsc#1061046).
- pci: Fix race condition with driver_override (bnc#1012382).
- pci: Mark AMD Stoney GPU ATS as broken (bsc#1061046).
- pci: rockchip: Handle regulator_get_current_limit() failure correctly (bsc#1056849).
- pci: rockchip: Use normal register bank for config accessors (bsc#1056849).
- pci: shpchp: Enable bridge bus mastering if MSI is enabled (bnc#1012382).
- percpu_ref: allow operation mode switching operations to be called concurrently (bsc#1055096).
- percpu_ref: remove unnecessary RCU grace period for staggered atomic switching confirmation (bsc#1055096).
- percpu_ref: reorganize __percpu_ref_switch_to_atomic() and relocate percpu_ref_switch_to_atomic() (bsc#1055096).
- percpu_ref: restructure operation mode switching (bsc#1055096).
- percpu_ref: unify staggered atomic switching wait behavior (bsc#1055096).
- perf: arm: acpi: remove cpu hotplug statemachine dependency (bsc#1062279).
- perf: arm: platform: remove cpu hotplug statemachine dependency (bsc#1062279).
- perf: arm: replace irq_get_percpu_devid_partition call (bsc#1062279).
- perf: arm: temporary workaround for build errors (bsc#1062279).
- perf: Convert to using %pOF instead of full_name (bsc#1062279).
- perf/x86: Fix RDPMC vs. mm_struct tracking (bsc#1061831).
- perf/x86: kABI Workaround for 'perf/x86: Fix RDPMC vs. mm_struct tracking' (bsc#1061831).
- perf: xgene: Add APM X-Gene SoC Performance Monitoring Unit driver (bsc#1036737).
- perf: xgene: Include module.h (bsc#1036737).
- perf: xgene: Move PMU leaf functions into function pointer structure (bsc#1036737).
- perf: xgene: Parse PMU subnode from the match table (bsc#1036737).
- phy: Do not increment MDIO bus refcount unless it's a different owner (bsc#1049336).
- phy: fix error case of phy_led_triggers_(un)register (bsc#1049336).
- pm / Domains: Fix unsafe iteration over modified list of domains (bsc#1056849).
- powerpc: Fix DAR reporting when alignment handler faults (bnc#1012382).
- powerpc: Fix unused function warning 'lmb_to_memblock' (FATE#322022).
- powerpc/perf: Cleanup of PM_BR_CMPL vs. PM_BRU_CMPL in Power9 event list (bsc#1056686, fate#321438, bsc#1047238, git-fixes 34922527a2bc).
- powerpc/perf: Factor out PPMU_ONLY_COUNT_RUN check code from power8 (fate#321438, bsc#1053043, git-fixes efe881afdd999).
- powerpc/pseries: Add pseries hotplug workqueue (FATE#322022).
- powerpc/pseries: Auto-online hotplugged memory (FATE#322022).
- powerpc/pseries: Check memory device state before onlining/offlining (FATE#322022).
- powerpc/pseries: Correct possible read beyond dlpar sysfs buffer (FATE#322022).
- powerpc/pseries: Do not attempt to acquire drc during memory hot add for assigned lmbs (FATE#322022).
- powerpc/pseries: Fix build break when MEMORY_HOTREMOVE=n (FATE#322022).
- powerpc/pseries: fix memory leak in queue_hotplug_event() error path (FATE#322022).
- powerpc/pseries: Fix parent_dn reference leak in add_dt_node() (bnc#1012382).
- powerpc/pseries: Implement indexed-count hotplug memory add (FATE#322022).
- powerpc/pseries: Implement indexed-count hotplug memory remove (FATE#322022).
- powerpc/pseries: Introduce memory hotplug READD operation (FATE#322022).
- powerpc/pseries: Make the acquire/release of the drc for memory a seperate step (FATE#322022).
- powerpc/pseries: Remove call to memblock_add() (FATE#322022).
- powerpc/pseries: Revert 'Auto-online hotplugged memory' (FATE#322022).
- powerpc/pseries: Update affinity for memory and cpus specified in a PRRN event (FATE#322022).
- powerpc/pseries: Use kernel hotplug queue for PowerVM hotplug events (FATE#322022).
- powerpc/pseries: Use lmb_is_removable() to check removability (FATE#322022).
- powerpc/pseries: Verify CPU does not exist before adding (FATE#322022).
- qeth: add network device features for VLAN devices (bnc#1053472, LTC#157385).
- qlge: avoid memcpy buffer overflow (bnc#1012382).
- r8169: Add support for restarting auto-negotiation (bsc#1050742).
- r8169:Correct the way of setting RTL8168DP ephy (bsc#1050742).
- r8169:fix system hange problem (bsc#1050742).
- r8169:Fix typo in setting RTL8168H PHY parameter (bsc#1050742).
- r8169:Fix typo in setting RTL8168H PHY PFM mode (bsc#1050742).
- r8169:Remove unnecessary phy reset for pcie nic when setting link spped (bsc#1050742).
- r8169:Update the way of reading RTL8168H PHY register 'rg_saw_cnt' (bsc#1050742).
- rda=sRDMA: Fix the composite message user notification (bnc#1012382).
- rdma/bnxt_re: Allocate multiple notification queues (bsc#1037579).
- rdma/bnxt_re: Implement the alloc/get_hw_stats callback (bsc#1037579).
- rdma: Fix return value check for ib_get_eth_speed() (bsc#1056596).
- rdma/qedr: Parse VLAN ID correctly and ignore the value of zero (bsc#1019695 FATE#321703 bsc#1019699 FATE#321702 bsc#1022604 FATE#321747).
- rdma/qedr: Parse vlan priority as sl (bsc#1019695 FATE#321703 bsc#1019699 FATE#321702 bsc#1022604 FATE#321747).
- rds: ib: add error handle (bnc#1012382).
- Remove patch 0407-nvme_fc-change-failure-code-on-remoteport-connectivi.patch (bsc#1037838)
- Remove superfluous hunk in bigmem backport (bsc#1064436).
- Revert 'ceph: SetPageError() for writeback pages if writepages fails' (bsc#1048228).
- Revert 'ipv6: add rcu grace period before freeing fib6_node' (kabi).
- Revert 'ipv6: fix sparse warning on rt6i_node' (kabi).
- Revert 'net: fix percpu memory leaks' (bnc#1012382).
- Revert 'net: phy: Correctly process PHY_HALTED in phy_stop_machine()' (bnc#1012382).
- Revert 'net: use lib/percpu_counter API for fragmentation mem accounting' (bnc#1012382).
- Revert 'Update patches.fixes/xfs-refactor-log-record-unpack-and-data-processing.patch (bsc#1043598, bsc#1036215).' This reverts commit 54e17b011580b532415d2aee5e875c8cf0460df4.
- Revert 'x86/acpi: Enable MADT APIs to return disabled apicids' (bnc#1056230).
- Revert 'x86/acpi: Set persistent cpuid <-> nodeid mapping when booting' (bnc#1056230).
- Revert 'xfs: detect and handle invalid iclog size set by mkfs (bsc#1043598).' This reverts commit caf0b124b172568b3e39544cb9abfdaa7fb3d852.
- Revert 'xfs: detect and trim torn writes during log recovery (bsc#1036215).' This reverts commit a7a591776e8628a33f0223ca9a3f46c1e79bd908.
- Revert 'xfs: refactor and open code log record crc check (bsc#1036215).' This reverts commit 6aef5e1fee21246222618f2337c84d6093281561.
- Revert 'xfs: refactor log record start detection into a new helper (bsc#1036215).' This reverts commit a424c875bdc05dcf3bb0d1af740b644773091cf0.
- Revert 'xfs: return start block of first bad log record during recovery (bsc#1036215).' This reverts commit cb0ce8b2f1435d7ac9aaeb5d5709e73946d55bed.
- Revert 'xfs: support a crc verification only log record pass (bsc#1036215).' This reverts commit f5c0c41b1f3626750f1f0d76b6d71fac673854d2.
- Rewrote KVM kABI fix patches for addressing regressions (bsc#1063570)
- rtnetlink: fix rtnl_vfinfo_size (bsc#1056261).
- s390/cpcmd,vmcp: avoid GFP_DMA allocations (bnc#1060249, LTC#159112).
- s390/diag: add diag26c support (bnc#1053472, LTC#156729).
- s390: export symbols for crash-kmp (bsc#1053915).
- s390: Include uapi/linux/if_ether.h instead of linux/if_ether.h (bsc#1053472).
- s390/pci: do not cleanup in arch_setup_msi_irqs (bnc#1053472, LTC#157731).
- s390/pci: fix handling of PEC 306 (bnc#1053472, LTC#157731).
- s390/pci: improve error handling during fmb (de)registration (bnc#1053472, LTC#157731).
- s390/pci: improve error handling during interrupt deregistration (bnc#1053472, LTC#157731).
- s390/pci: improve pci hotplug (bnc#1053472, LTC#157731).
- s390/pci: improve unreg_ioat error handling (bnc#1053472, LTC#157731).
- s390/pci: introduce clp_get_state (bnc#1053472, LTC#157731).
- s390/pci: provide more debug information (bnc#1053472, LTC#157731).
- s390/pci: recognize name clashes with uids (bnc#1053472, LTC#157731).
- s390/qdio: avoid reschedule of outbound tasklet once killed (bnc#1060249, LTC#159885).
- s390/qeth: no ETH header for outbound AF_IUCV (bnc#1053472, LTC#156276).
- s390/qeth: size calculation outbound buffers (bnc#1053472, LTC#156276).
- s390/qeth: use diag26c to get MAC address on L2 (bnc#1053472, LTC#156729).
- s390/topology: alternative topology for topology-less machines (bnc#1060249, LTC#159177).
- s390/topology: always use s390 specific sched_domain_topology_level (bnc#1060249, LTC#159177).
- s390/topology: enable / disable topology dynamically (bnc#1060249, LTC#159177).
- sched/cpuset/pm: Fix cpuset vs. suspend-resume bugs (bnc#1012382).
- scsi: csiostor: add check for supported fw version (bsc#1005776).
- scsi: csiostor: add support for Chelsio T6 adapters (bsc#1005776).
- scsi: csiostor: fix use after free in csio_hw_use_fwconfig() (bsc#1005776).
- scsi: csiostor: switch to pci_alloc_irq_vectors (bsc#1005776).
- scsi: csiostor: update module version (bsc#1052093).
- scsi: cxgb4i: assign rxqs in round robin mode (bsc#1052094).
- scsi: fixup kernel warning during rmmod() (bsc#1052360).
- scsi: hisi_sas: add missing break in switch statement (bsc#1056849).
- scsi: ILLEGAL REQUEST + ASC==27 => target failure (bsc#1059465).
- scsi: libfc: fix a deadlock in fc_rport_work (bsc#1063695).
- scsi: lpfc: Ensure io aborts interlocked with the target (bsc#1056587).
- scsi: megaraid_sas: Check valid aen class range to avoid kernel panic (bnc#1012382).
- scsi: megaraid_sas: Return pended IOCTLs with cmd_status MFI_STAT_WRONG_STATE in case adapter is dead (bnc#1012382).
- scsi: qedf: Fix a potential NULL pointer dereference (bsc#1048912).
- scsi: qedf: Limit number of CQs (bsc#1040813).
- scsi: qedi: off by one in qedi_get_cmd_from_tid() (bsc#1004527, FATE#321744).
- scsi: qla2xxx: Fix uninitialized work element (bsc#1019675,FATE#321701).
- scsi: scsi_transport_fc: Also check for NOTPRESENT in fc_remote_port_add() (bsc#1037890).
- scsi: scsi_transport_fc: set scsi_target_id upon rescan (bsc#1058135).
- scsi: sd: Do not override max_sectors_kb sysfs setting (bsc#1025461).
- scsi: sd: Remove LBPRZ dependency for discards (bsc#1060985). This patch is originally part of a larger series which can't be easily backported to SLE-12. For a reasoning why we think it's safe to apply, see bsc#1060985, comment 20.
- scsi: sg: close race condition in sg_remove_sfp_usercontext() (bsc#1064206).
- scsi: sg: do not return bogus Sg_requests (bsc#1064206).
- scsi: sg: factor out sg_fill_request_table() (bnc#1012382).
- scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE (bnc#1012382).
- scsi: sg: off by one in sg_ioctl() (bnc#1012382).
- scsi: sg: only check for dxfer_len greater than 256M (bsc#1064206).
- scsi: sg: remove 'save_scat_len' (bnc#1012382).
- scsi: sg: use standard lists for sg_requests (bnc#1012382).
- scsi: storvsc: fix memory leak on ring buffer busy (bnc#1012382).
- scsi_transport_fc: Also check for NOTPRESENT in fc_remote_port_add() (bsc#1037890).
- scsi: zfcp: add handling for FCP_RESID_OVER to the fcp ingress path (bnc#1012382).
- scsi: zfcp: fix capping of unsuccessful GPN_FT SAN response trace records (bnc#1012382).
- scsi: zfcp: fix missing trace records for early returns in TMF eh handlers (bnc#1012382).
- scsi: zfcp: fix passing fsf_req to SCSI trace on TMF to correlate with HBA (bnc#1012382).
- scsi: zfcp: fix payload with full FCP_RSP IU in SCSI trace records (bnc#1012382).
- scsi: zfcp: fix queuecommand for scsi_eh commands when DIX enabled (bnc#1012382).
- scsi: zfcp: trace HBA FSF response by default on dismiss or timedout late response (bnc#1012382).
- scsi: zfcp: trace high part of 'new' 64 bit SCSI LUN (bnc#1012382).
- seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter() (bnc#1012382).
- sh_eth: use correct name for ECMR_MPDE bit (bnc#1012382).
- skd: Avoid that module unloading triggers a use-after-free (bnc#1012382).
- skd: Submit requests to firmware before triggering the doorbell (bnc#1012382).
- SMB3: Do not ignore O_SYNC/O_DSYNC and O_DIRECT flags (bnc#1012382).
- SMB: Validate negotiate (to protect against downgrade) even if signing off (bnc#1012382).
- staging: iio: ad7192: Fix - use the dedicated reset function avoiding dma from stack (bnc#1012382).
- stm class: Fix a use-after-free (bnc#1012382).
- supported.conf: clear mistaken external support flag for cifs.ko (bsc#1053802).
- supported.conf: enable dw_mmc-rockchip driver References: bsc#1064064
- swiotlb-xen: implement xen_swiotlb_dma_mmap callback (bnc#1012382).
- sysctl: fix lax sysctl_check_table() sanity check (bsc#1048893).
- sysctl: fold sysctl_writes_strict checks into helper (bsc#1048893).
- sysctl: kdoc'ify sysctl_writes_strict (bsc#1048893).
- sysctl: simplify unsigned int support (bsc#1048893).
- team: call netdev_change_features out of team lock (bsc#1055567).
- team: fix memory leaks (bnc#1012382).
- timer/sysclt: Restrict timer migration sysctl values to 0 and 1 (bnc#1012382).
- tpm: fix: return rc when devm_add_action() fails (bsc#1020645, fate#321435, fate#321507, fate#321600, bsc#1034048, git-fixes 8e0ee3c9faed).
- tpm: read burstcount from TPM_STS in one 32-bit transaction (bsc#1020645, fate#321435, fate#321507, fate#321600, bsc#1034048, git-fixes 27084efee0c3).
- tpm_tis_core: Choose appropriate timeout for reading burstcount (bsc#1020645, fate#321435, fate#321507, fate#321600, bsc#1034048, git-fixes aec04cbdf723).
- tpm_tis_core: convert max timeouts from msec to jiffies (bsc#1020645, fate#321435, fate#321507, fate#321600, bsc#1034048, git-fixes aec04cbdf723).
- tracing: Apply trace_clock changes to instance max buffer (bnc#1012382).
- tracing: Erase irqsoff trace with empty write (bnc#1012382).
- tracing: Fix trace_pipe behavior for instance traces (bnc#1012382).
- ttpci: address stringop overflow warning (bnc#1012382).
- tty: fix __tty_insert_flip_char regression (bnc#1012382).
- tty: goldfish: Fix a parameter of a call to free_irq (bnc#1012382).
- tty: improve tty_insert_flip_char() fast path (bnc#1012382).
- tty: improve tty_insert_flip_char() slow path (bnc#1012382).
- tty: pl011: fix initialization order of QDF2400 E44 (bsc#1054082).
- tty: serial: msm: Support more bauds (git-fixes).
- ubifs: Correctly evict xattr inodes (bsc#1012829).
- ubifs: Do not leak kernel memory to the MTD (bsc#1012829).
- Update patches.drivers/0029-perf-xgene-Remove-bogus-IS_ERR-check.patch (bsc#1036737).
- Update patches.drivers/tpm-141-fix-RC-value-check-in-tpm2_seal_trusted.patch (bsc#1020645, fate#321435, fate#321507, fate#321600, bsc#1034048, git-fixes 5ca4c20cfd37).
- usb: chipidea: vbus event may exist before starting gadget (bnc#1012382).
- usb: core: fix device node leak (bsc#1047487).
- usb: core: harden cdc_parse_cdc_header (bnc#1012382).
- usb: devio: Do not corrupt user memory (bnc#1012382).
- usb: dummy-hcd: fix connection failures (wrong speed) (bnc#1012382).
- usb: dummy-hcd: Fix erroneous synchronization change (bnc#1012382).
- usb: dummy-hcd: fix infinite-loop resubmission bug (bnc#1012382).
- usb: fix out-of-bounds in usb_set_configuration (bnc#1012382).
- usb: gadgetfs: fix copy_to_user while holding spinlock (bnc#1012382).
- usb: gadgetfs: Fix crash caused by inadequate synchronization (bnc#1012382).
- usb: gadget: inode.c: fix unbalanced spin_lock in ep0_write (bnc#1012382).
- usb: gadget: mass_storage: set msg_registered after msg registered (bnc#1012382).
- usb: gadget: udc: atmel: set vbus irqflags explicitly (bnc#1012382).
- usb: g_mass_storage: Fix deadlock when driver is unbound (bnc#1012382).
- usb: Increase quirk delay for USB devices (bnc#1012382).
- usb: pci-quirks.c: Corrected timeout values used in handshake (bnc#1012382).
- usb: plusb: Add support for PL-27A1 (bnc#1012382).
- usb: renesas_usbhs: fix the BCLR setting condition for non-DCP pipe (bnc#1012382).
- usb: renesas_usbhs: fix usbhsf_fifo_clear() for RX direction (bnc#1012382).
- usb: serial: mos7720: fix control-message error handling (bnc#1012382).
- usb: serial: mos7840: fix control-message error handling (bnc#1012382).
- usb-storage: unusual_devs entry to fix write-access regression for Seagate external drives (bnc#1012382).
- usb: uas: fix bug in handling of alternate settings (bnc#1012382).
- uwb: ensure that endpoint is interrupt (bnc#1012382).
- uwb: properly check kthread_run return value (bnc#1012382).
- vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets (bnc#1012382).
- video: fbdev: aty: do not leak uninitialized padding in clk to userspace (bnc#1012382).
- Workaround for kABI compatibility with DP-MST patches (bsc#1055493).
- x86/acpi: Restore the order of CPU IDs (bnc#1056230).
- x86/cpu/amd: Hide unused legacy_fixup_core_id() function (bsc#1060229).
- x86/cpu/amd: Limit cpu_core_id fixup to families older than F17h (bsc#1060229).
- x86/cpu: Remove unused and undefined __generic_processor_info() declaration (bnc#1056230).
- x86 edac, sb_edac.c: Take account of channel hashing when needed (bsc#1061721).
- x86/fpu: Do not let userspace set bogus xcomp_bv (bnc#1012382).
- x86/fsgsbase/64: Report FSBASE and GSBASE correctly in core dumps (bnc#1012382).
- x86/ldt: Fix off by one in get_segment_base() (bsc#1061872).
- x86/mm: Fix boot crash caused by incorrect loop count calculation in sync_global_pgds() (bsc#1058512).
- x86/mm: Fix fault error path using unsafe vma pointer (fate#321300).
- x86/mm: Fix use-after-free of ldt_struct (bsc#1055963).
- x86/mshyperv: Remove excess #includes from mshyperv.h (fate#320485).
- xfs/dmapi: fix incorrect file->f_path.dentry->d_inode usage (bsc#1055896).
- xfs: fix inobt inode allocation search optimization (bsc#1012829).
- xfs: handle error if xfs_btree_get_bufs fails (bsc#1059863).
- xfs: nowait aio support (FATE#321994).
- xfs: remove kmem_zalloc_greedy (bnc#1012382).
- xgene: Always get clk source, but ignore if it's missing for SGMII ports (bsc#1048501).
- xgene: Do not fail probe, if there is no clk resource for SGMII interfaces (bsc#1048501).
- xhci: fix finding correct bus_state structure for USB 3.1 hosts (bnc#1012382).
ImportantSUSE bug 1004527SUSE bug 1005776SUSE bug 1005778SUSE bug 1005780SUSE bug 1005781SUSE bug 1012382SUSE bug 1012829SUSE bug 1015342SUSE bug 1015343SUSE bug 1019675SUSE bug 1019680SUSE bug 1019695SUSE bug 1019699SUSE bug 1020412SUSE bug 1020645SUSE bug 1020657SUSE bug 1020989SUSE bug 1021424SUSE bug 1022595SUSE bug 1022604SUSE bug 1022743SUSE bug 1022912SUSE bug 1022967SUSE bug 1024346SUSE bug 1024373SUSE bug 1024405SUSE bug 1025461SUSE bug 1030850SUSE bug 1031717SUSE bug 1031784SUSE bug 1032150SUSE bug 1034048SUSE bug 1034075SUSE bug 1035479SUSE bug 1036060SUSE bug 1036215SUSE bug 1036737SUSE bug 1037579SUSE bug 1037838SUSE bug 1037890SUSE bug 1038583SUSE bug 1040813SUSE bug 1042847SUSE bug 1043598SUSE bug 1044503SUSE bug 1046529SUSE bug 1047238SUSE bug 1047487SUSE bug 1047989SUSE bug 1048155SUSE bug 1048228SUSE bug 1048325SUSE bug 1048327SUSE bug 1048356SUSE bug 1048501SUSE bug 1048893SUSE bug 1048912SUSE bug 1048934SUSE bug 1049226SUSE bug 1049272SUSE bug 1049291SUSE bug 1049336SUSE bug 1049361SUSE bug 1049580SUSE bug 1050471SUSE bug 1050742SUSE bug 1051790SUSE bug 1051987SUSE bug 1052093SUSE bug 1052094SUSE bug 1052095SUSE bug 1052360SUSE bug 1052384SUSE bug 1052580SUSE bug 1052593SUSE bug 1052888SUSE bug 1053043SUSE bug 1053309SUSE bug 1053472SUSE bug 1053627SUSE bug 1053629SUSE bug 1053633SUSE bug 1053681SUSE bug 1053685SUSE bug 1053802SUSE bug 1053915SUSE bug 1053919SUSE bug 1054082SUSE bug 1054084SUSE bug 1054654SUSE bug 1055013SUSE bug 1055096SUSE bug 1055272SUSE bug 1055290SUSE bug 1055359SUSE bug 1055493SUSE bug 1055567SUSE bug 1055709SUSE bug 1055755SUSE bug 1055896SUSE bug 1055935SUSE bug 1055963SUSE bug 1056061SUSE bug 1056185SUSE bug 1056230SUSE bug 1056261SUSE bug 1056427SUSE bug 1056587SUSE bug 1056588SUSE bug 1056596SUSE bug 1056686SUSE bug 1056827SUSE bug 1056849SUSE bug 1056982SUSE bug 1057015SUSE bug 1057031SUSE bug 1057035SUSE bug 1057038SUSE bug 1057047SUSE bug 1057067SUSE bug 1057383SUSE bug 1057498SUSE bug 1057849SUSE bug 1058038SUSE bug 1058116SUSE bug 1058135SUSE bug 1058410SUSE bug 1058507SUSE bug 1058512SUSE bug 1058550SUSE bug 1059051SUSE bug 1059465SUSE bug 1059500SUSE bug 1059863SUSE bug 1060197SUSE bug 1060229SUSE bug 1060249SUSE bug 1060400SUSE bug 1060985SUSE bug 1061017SUSE bug 1061046SUSE bug 1061064SUSE bug 1061067SUSE bug 1061172SUSE bug 1061451SUSE bug 1061721SUSE bug 1061775SUSE bug 1061831SUSE bug 1061872SUSE bug 1062279SUSE bug 1062520SUSE bug 1062962SUSE bug 1063102SUSE bug 1063349SUSE bug 1063460SUSE bug 1063475SUSE bug 1063479SUSE bug 1063501SUSE bug 1063509SUSE bug 1063520SUSE bug 1063570SUSE bug 1063667SUSE bug 1063671SUSE bug 1063695SUSE bug 1064064SUSE bug 1064206SUSE bug 1064388SUSE bug 1064436SUSE bug 963575SUSE bug 964944SUSE bug 966170SUSE bug 966172SUSE bug 966186SUSE bug 966191SUSE bug 966316SUSE bug 966318SUSE bug 969476SUSE bug 969477SUSE bug 969756SUSE bug 971975SUSE bug 981309CVE-2017-1000252 at SUSECVE-2017-1000252 at NVDCVE-2017-11472 at SUSECVE-2017-11472 at NVDCVE-2017-12134 at SUSECVE-2017-12134 at NVDCVE-2017-12153 at SUSECVE-2017-12153 at NVDCVE-2017-12154 at SUSECVE-2017-12154 at NVDCVE-2017-13080 at SUSECVE-2017-13080 at NVDCVE-2017-14051 at SUSECVE-2017-14051 at NVDCVE-2017-14106 at SUSECVE-2017-14106 at NVDCVE-2017-14489 at SUSECVE-2017-14489 at NVDCVE-2017-15265 at SUSECVE-2017-15265 at NVDCVE-2017-15649 at SUSECVE-2017-15649 at NVDcpe:/o:suse:sles:12:sp3Security update for libvirt (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libvirt fixes the following issues:
Security issue fixed:
- CVE-2017-1000256: Ensure TLS clients always verify the server certificate in the serial/TLS support. (bsc#1062563)
Non security issue fixed:
- libvirt-daemon-qemu requires libvirt-daemon-driver-storage (bsc#1062620)
ModerateSUSE bug 1062563SUSE bug 1062620CVE-2017-1000256 at SUSECVE-2017-1000256 at NVDcpe:/o:suse:sles:12:sp3Security update for tcpdump (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for tcpdump to version 4.9.2 fixes several issues.
These security issues were fixed:
- CVE-2017-11108: Prevent remote attackers to cause DoS (heap-based buffer over-read and application crash) via crafted packet data. The crash occured in the EXTRACT_16BITS function, called from the stp_print function for the Spanning Tree Protocol (bsc#1047873, bsc#1057247).
- CVE-2017-11543: Prevent buffer overflow in the sliplink_print function in print-sl.c that allowed remote DoS (bsc#1057247).
- CVE-2017-13011: Prevent buffer overflow in bittok2str_internal() that allowed remote DoS (bsc#1057247)
- CVE-2017-12989: Prevent infinite loop in the RESP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12990: Prevent infinite loop in the ISAKMP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12995: Prevent infinite loop in the DNS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12997: Prevent infinite loop in the LLDP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-11541: Prevent heap-based buffer over-read in the lldp_print function in print-lldp.c, related to util-print.c that allowed remote DoS (bsc#1057247).
- CVE-2017-11542: Prevent heap-based buffer over-read in the pimv1_print function in print-pim.c that allowed remote DoS (bsc#1057247).
- CVE-2017-12893: Prevent buffer over-read in the SMB/CIFS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12894: Prevent buffer over-read in several protocol parsers that allowed remote DoS (bsc#1057247)
- CVE-2017-12895: Prevent buffer over-read in the ICMP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12896: Prevent buffer over-read in the ISAKMP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12897: Prevent buffer over-read in the ISO CLNS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12898: Prevent buffer over-read in the NFS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12899: Prevent buffer over-read in the DECnet parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12900: Prevent buffer over-read in the in several protocol parsers that allowed remote DoS (bsc#1057247)
- CVE-2017-12901: Prevent buffer over-read in the EIGRP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12902: Prevent buffer over-read in the Zephyr parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12985: Prevent buffer over-read in the IPv6 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12986: Prevent buffer over-read in the IPv6 routing header parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12987: Prevent buffer over-read in the 802.11 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12988: Prevent buffer over-read in the telnet parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12991: Prevent buffer over-read in the BGP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12992: Prevent buffer over-read in the RIPng parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12993: Prevent buffer over-read in the Juniper protocols parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12994: Prevent buffer over-read in the BGP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12996: Prevent buffer over-read in the PIMv2 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12998: Prevent buffer over-read in the IS-IS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12999: Prevent buffer over-read in the IS-IS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13000: Prevent buffer over-read in the IEEE 802.15.4 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13001: Prevent buffer over-read in the NFS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13002: Prevent buffer over-read in the AODV parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13003: Prevent buffer over-read in the LMP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13004: Prevent buffer over-read in the Juniper protocols parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13005: Prevent buffer over-read in the NFS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13006: Prevent buffer over-read in the L2TP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13007: Prevent buffer over-read in the Apple PKTAP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13008: Prevent buffer over-read in the IEEE 802.11 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13009: Prevent buffer over-read in the IPv6 mobility parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13010: Prevent buffer over-read in the BEEP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13012: Prevent buffer over-read in the ICMP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13013: Prevent buffer over-read in the ARP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13014: Prevent buffer over-read in the White Board protocol parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13015: Prevent buffer over-read in the EAP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13016: Prevent buffer over-read in the ISO ES-IS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13017: Prevent buffer over-read in the DHCPv6 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13018: Prevent buffer over-read in the PGM parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13019: Prevent buffer over-read in the PGM parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13020: Prevent buffer over-read in the VTP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13021: Prevent buffer over-read in the ICMPv6 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13022: Prevent buffer over-read in the IP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13023: Prevent buffer over-read in the IPv6 mobility parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13024: Prevent buffer over-read in the IPv6 mobility parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13025: Prevent buffer over-read in the IPv6 mobility parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13026: Prevent buffer over-read in the ISO IS-IS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13027: Prevent buffer over-read in the LLDP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13028: Prevent buffer over-read in the BOOTP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13029: Prevent buffer over-read in the PPP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13030: Prevent buffer over-read in the PIM parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13031: Prevent buffer over-read in the IPv6 fragmentation header parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13032: Prevent buffer over-read in the RADIUS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13033: Prevent buffer over-read in the VTP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13034: Prevent buffer over-read in the PGM parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13035: Prevent buffer over-read in the ISO IS-IS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13036: Prevent buffer over-read in the OSPFv3 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13037: Prevent buffer over-read in the IP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13038: Prevent buffer over-read in the PPP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13039: Prevent buffer over-read in the ISAKMP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13040: Prevent buffer over-read in the MPTCP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13041: Prevent buffer over-read in the ICMPv6 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13042: Prevent buffer over-read in the HNCP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13043: Prevent buffer over-read in the BGP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13044: Prevent buffer over-read in the HNCP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13045: Prevent buffer over-read in the VQP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13046: Prevent buffer over-read in the BGP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13047: Prevent buffer over-read in the ISO ES-IS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13048: Prevent buffer over-read in the RSVP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13049: Prevent buffer over-read in the Rx protocol parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13050: Prevent buffer over-read in the RPKI-Router parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13051: Prevent buffer over-read in the RSVP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13052: Prevent buffer over-read in the CFM parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13053: Prevent buffer over-read in the BGP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13054: Prevent buffer over-read in the LLDP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13055: Prevent buffer over-read in the ISO IS-IS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13687: Prevent buffer over-read in the Cisco HDLC parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13688: Prevent buffer over-read in the OLSR parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13689: Prevent buffer over-read in the IKEv1 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13690: Prevent buffer over-read in the IKEv2 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13725: Prevent buffer over-read in the IPv6 routing header parser that allowed remote DoS (bsc#1057247)
- Prevent segmentation fault in ESP decoder with OpenSSL 1.1 (bsc#1057247)
ModerateSUSE bug 1047873SUSE bug 1057247CVE-2017-11108 at SUSECVE-2017-11108 at NVDCVE-2017-11541 at SUSECVE-2017-11541 at NVDCVE-2017-11542 at SUSECVE-2017-11542 at NVDCVE-2017-11543 at SUSECVE-2017-11543 at NVDCVE-2017-12893 at SUSECVE-2017-12893 at NVDCVE-2017-12894 at SUSECVE-2017-12894 at NVDCVE-2017-12895 at SUSECVE-2017-12895 at NVDCVE-2017-12896 at SUSECVE-2017-12896 at NVDCVE-2017-12897 at SUSECVE-2017-12897 at NVDCVE-2017-12898 at SUSECVE-2017-12898 at NVDCVE-2017-12899 at SUSECVE-2017-12899 at NVDCVE-2017-12900 at SUSECVE-2017-12900 at NVDCVE-2017-12901 at SUSECVE-2017-12901 at NVDCVE-2017-12902 at SUSECVE-2017-12902 at NVDCVE-2017-12985 at SUSECVE-2017-12985 at NVDCVE-2017-12986 at SUSECVE-2017-12986 at NVDCVE-2017-12987 at SUSECVE-2017-12987 at NVDCVE-2017-12988 at SUSECVE-2017-12988 at NVDCVE-2017-12989 at SUSECVE-2017-12989 at NVDCVE-2017-12990 at SUSECVE-2017-12990 at NVDCVE-2017-12991 at SUSECVE-2017-12991 at NVDCVE-2017-12992 at SUSECVE-2017-12992 at NVDCVE-2017-12993 at SUSECVE-2017-12993 at NVDCVE-2017-12994 at SUSECVE-2017-12994 at NVDCVE-2017-12995 at SUSECVE-2017-12995 at NVDCVE-2017-12996 at SUSECVE-2017-12996 at NVDCVE-2017-12997 at SUSECVE-2017-12997 at NVDCVE-2017-12998 at SUSECVE-2017-12998 at NVDCVE-2017-12999 at SUSECVE-2017-12999 at NVDCVE-2017-13000 at SUSECVE-2017-13000 at NVDCVE-2017-13001 at SUSECVE-2017-13001 at NVDCVE-2017-13002 at SUSECVE-2017-13002 at NVDCVE-2017-13003 at SUSECVE-2017-13003 at NVDCVE-2017-13004 at SUSECVE-2017-13004 at NVDCVE-2017-13005 at SUSECVE-2017-13005 at NVDCVE-2017-13006 at SUSECVE-2017-13006 at NVDCVE-2017-13007 at SUSECVE-2017-13007 at NVDCVE-2017-13008 at SUSECVE-2017-13008 at NVDCVE-2017-13009 at SUSECVE-2017-13009 at NVDCVE-2017-13010 at SUSECVE-2017-13010 at NVDCVE-2017-13011 at SUSECVE-2017-13011 at NVDCVE-2017-13012 at SUSECVE-2017-13012 at NVDCVE-2017-13013 at SUSECVE-2017-13013 at NVDCVE-2017-13014 at SUSECVE-2017-13014 at NVDCVE-2017-13015 at SUSECVE-2017-13015 at NVDCVE-2017-13016 at SUSECVE-2017-13016 at NVDCVE-2017-13017 at SUSECVE-2017-13017 at NVDCVE-2017-13018 at SUSECVE-2017-13018 at NVDCVE-2017-13019 at SUSECVE-2017-13019 at NVDCVE-2017-13020 at SUSECVE-2017-13020 at NVDCVE-2017-13021 at SUSECVE-2017-13021 at NVDCVE-2017-13022 at SUSECVE-2017-13022 at NVDCVE-2017-13023 at SUSECVE-2017-13023 at NVDCVE-2017-13024 at SUSECVE-2017-13024 at NVDCVE-2017-13025 at SUSECVE-2017-13025 at NVDCVE-2017-13026 at SUSECVE-2017-13026 at NVDCVE-2017-13027 at SUSECVE-2017-13027 at NVDCVE-2017-13028 at SUSECVE-2017-13028 at NVDCVE-2017-13029 at SUSECVE-2017-13029 at NVDCVE-2017-13030 at SUSECVE-2017-13030 at NVDCVE-2017-13031 at SUSECVE-2017-13031 at NVDCVE-2017-13032 at SUSECVE-2017-13032 at NVDCVE-2017-13033 at SUSECVE-2017-13033 at NVDCVE-2017-13034 at SUSECVE-2017-13034 at NVDCVE-2017-13035 at SUSECVE-2017-13035 at NVDCVE-2017-13036 at SUSECVE-2017-13036 at NVDCVE-2017-13037 at SUSECVE-2017-13037 at NVDCVE-2017-13038 at SUSECVE-2017-13038 at NVDCVE-2017-13039 at SUSECVE-2017-13039 at NVDCVE-2017-13040 at SUSECVE-2017-13040 at NVDCVE-2017-13041 at SUSECVE-2017-13041 at NVDCVE-2017-13042 at SUSECVE-2017-13042 at NVDCVE-2017-13043 at SUSECVE-2017-13043 at NVDCVE-2017-13044 at SUSECVE-2017-13044 at NVDCVE-2017-13045 at SUSECVE-2017-13045 at NVDCVE-2017-13046 at SUSECVE-2017-13046 at NVDCVE-2017-13047 at SUSECVE-2017-13047 at NVDCVE-2017-13048 at SUSECVE-2017-13048 at NVDCVE-2017-13049 at SUSECVE-2017-13049 at NVDCVE-2017-13050 at SUSECVE-2017-13050 at NVDCVE-2017-13051 at SUSECVE-2017-13051 at NVDCVE-2017-13052 at SUSECVE-2017-13052 at NVDCVE-2017-13053 at SUSECVE-2017-13053 at NVDCVE-2017-13054 at SUSECVE-2017-13054 at NVDCVE-2017-13055 at SUSECVE-2017-13055 at NVDCVE-2017-13687 at SUSECVE-2017-13687 at NVDCVE-2017-13688 at SUSECVE-2017-13688 at NVDCVE-2017-13689 at SUSECVE-2017-13689 at NVDCVE-2017-13690 at SUSECVE-2017-13690 at NVDCVE-2017-13725 at SUSECVE-2017-13725 at NVDcpe:/o:suse:sles:12:sp3Security update for wireshark (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for wireshark fixes the following issues:
Wireshark was updated to 2.2.10, fixing security issues and bugs:
* CVE-2017-15191: DMP dissector crash (wnpa-sec-2017-44)
* CVE-2017-15192: BT ATT dissector crash (wnpa-sec-2017-42)
* CVE-2017-15193: MBIM dissector crash (wnpa-sec-2017-43)
ModerateSUSE bug 1062645CVE-2017-15191 at SUSECVE-2017-15191 at NVDCVE-2017-15192 at SUSECVE-2017-15192 at NVDCVE-2017-15193 at SUSECVE-2017-15193 at NVDcpe:/o:suse:sles:12:sp3Security update for wget (Important)SUSE Linux Enterprise Server 12 SP3
This update for wget fixes the following security issues:
- CVE-2017-13089,CVE-2017-13090: Missing checks for negative remaining_chunk_size in skip_short_body and fd_read_body could
cause stack buffer overflows, which could have been exploited by malicious servers. (bsc#1064715,bsc#1064716)
ImportantSUSE bug 1064715SUSE bug 1064716CVE-2017-13089 at SUSECVE-2017-13089 at NVDCVE-2017-13090 at SUSECVE-2017-13090 at NVDcpe:/o:suse:sles:12:sp3Security update for qemu (Important)SUSE Linux Enterprise Server 12 SP3
This update for qemu to version 2.9.1 fixes several issues.
It also announces that the qed storage format will be no longer supported in SLE 15 (fate#324200).
These security issues were fixed:
- CVE-2017-15268: Qemu allowed remote attackers to cause a memory leak by triggering slow data-channel read operations, related to io/channel-websock.c (bsc#1062942)
- CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063122)
- CVE-2017-15038: Race condition in the v9fs_xattrwalk function local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes (bsc#1062069)
- CVE-2017-10911: The make_response function in the Linux kernel allowed guest OS users to obtain sensitive information from host OS (or other guest OS) kernel memory by leveraging the copying of uninitialized padding fields in Xen block-interface response structures (bsc#1057378)
- CVE-2017-12809: The IDE disk and CD/DVD-ROM Emulator support allowed local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by flushing an empty CDROM device drive (bsc#1054724)
- CVE-2017-14167: Integer overflow in the load_multiboot function allowed local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write (bsc#1057585)
- CVE-2017-13672: The VGA display emulator support allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update (bsc#1056334)
- CVE-2017-13711: Use-after-free vulnerability allowed attackers to cause a denial of service (QEMU instance crash) by leveraging failure to properly clear ifq_so from pending packets (bsc#1056291).
These non-security issues were fixed:
- Fixed not being able to build from rpm sources due to undefined macro (bsc#1057966)
- Fiedx package build failure against new glibc (bsc#1055587)
ImportantSUSE bug 1054724SUSE bug 1055587SUSE bug 1056291SUSE bug 1056334SUSE bug 1057378SUSE bug 1057585SUSE bug 1057966SUSE bug 1062069SUSE bug 1062942SUSE bug 1063122CVE-2017-10911 at SUSECVE-2017-10911 at NVDCVE-2017-12809 at SUSECVE-2017-12809 at NVDCVE-2017-13672 at SUSECVE-2017-13672 at NVDCVE-2017-13711 at SUSECVE-2017-13711 at NVDCVE-2017-14167 at SUSECVE-2017-14167 at NVDCVE-2017-15038 at SUSECVE-2017-15038 at NVDCVE-2017-15268 at SUSECVE-2017-15268 at NVDCVE-2017-15289 at SUSECVE-2017-15289 at NVDcpe:/o:suse:sles:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3
This update for webkit2gtk3 to version 2.18.0 fixes the following issues:
These security issues were fixed:
- CVE-2017-7039: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1050469).
- CVE-2017-7018: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1050469).
- CVE-2017-7030: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1050469).
- CVE-2017-7037: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1050469).
- CVE-2017-7034: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1050469).
- CVE-2017-7055: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1050469).
- CVE-2017-7056: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1050469).
- CVE-2017-7064: An issue was fixed that allowed remote attackers to bypass
intended memory-read restrictions via a crafted app (bsc#1050469).
- CVE-2017-7061: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1050469).
- CVE-2017-7048: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1050469).
- CVE-2017-7046: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1050469).
- CVE-2017-2538: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1045460)
- CVE-2017-2496: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site.
- CVE-2017-2539: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site.
- CVE-2017-2510: An issue was fixed that allowed remote attackers to conduct
Universal XSS (UXSS) attacks via a crafted web site that improperly
interacts with pageshow events.
- CVE-2017-2365: An issue was fixed that allowed remote attackers to bypass the
Same Origin Policy and obtain sensitive information via a crafted web
site (bsc#1024749)
- CVE-2017-2366: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1024749)
- CVE-2017-2373: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1024749)
- CVE-2017-2363: An issue was fixed that allowed remote attackers to bypass the
Same Origin Policy and obtain sensitive information via a crafted web
site (bsc#1024749)
- CVE-2017-2362: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1024749)
- CVE-2017-2350: An issue was fixed that allowed remote attackers to bypass the
Same Origin Policy and obtain sensitive information via a crafted web
site (bsc#1024749)
- CVE-2017-2350: An issue was fixed that allowed remote attackers to bypass the
Same Origin Policy and obtain sensitive information via a crafted web site
(bsc#1024749)
- CVE-2017-2354: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1024749).
- CVE-2017-2355: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (uninitialized memory
access and application crash) via a crafted web site (bsc#1024749)
- CVE-2017-2356: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1024749)
- CVE-2017-2371: An issue was fixed that allowed remote attackers to launch
popups via a crafted web site (bsc#1024749)
- CVE-2017-2364: An issue was fixed that allowed remote attackers to bypass the
Same Origin Policy and obtain sensitive information via a crafted web
site (bsc#1024749)
- CVE-2017-2369: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1024749)
- CVE-2016-7656: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1020950)
- CVE-2016-7635: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1020950)
- CVE-2016-7654: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1020950)
- CVE-2016-7639: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1020950)
- CVE-2016-7645: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1020950)
- CVE-2016-7652: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1020950)
- CVE-2016-7641: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1020950)
- CVE-2016-7632: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1020950)
- CVE-2016-7599: An issue was fixed that allowed remote attackers to bypass the
Same Origin Policy and obtain sensitive information via a crafted web
site that used HTTP redirects (bsc#1020950)
- CVE-2016-7592: An issue was fixed that allowed remote attackers to obtain
sensitive information via crafted JavaScript prompts on a web site (bsc#1020950)
- CVE-2016-7589: An issue was fixed that allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and
application crash) via a crafted web site (bsc#1020950)
- CVE-2016-7623: An issue was fixed that allowed remote attackers to obtain
sensitive information via a blob URL on a web site (bsc#1020950)
- CVE-2016-7586: An issue was fixed that allowed remote attackers to obtain
sensitive information via a crafted web site (bsc#1020950)
For other non-security fixes please check the changelog.
ImportantSUSE bug 1020950SUSE bug 1024749SUSE bug 1045460SUSE bug 1050469CVE-2016-7586 at SUSECVE-2016-7586 at NVDCVE-2016-7589 at SUSECVE-2016-7589 at NVDCVE-2016-7592 at SUSECVE-2016-7592 at NVDCVE-2016-7599 at SUSECVE-2016-7599 at NVDCVE-2016-7623 at SUSECVE-2016-7623 at NVDCVE-2016-7632 at SUSECVE-2016-7632 at NVDCVE-2016-7635 at SUSECVE-2016-7635 at NVDCVE-2016-7639 at SUSECVE-2016-7639 at NVDCVE-2016-7641 at SUSECVE-2016-7641 at NVDCVE-2016-7645 at SUSECVE-2016-7645 at NVDCVE-2016-7652 at SUSECVE-2016-7652 at NVDCVE-2016-7654 at SUSECVE-2016-7654 at NVDCVE-2016-7656 at SUSECVE-2016-7656 at NVDCVE-2017-2350 at SUSECVE-2017-2350 at NVDCVE-2017-2354 at SUSECVE-2017-2354 at NVDCVE-2017-2355 at SUSECVE-2017-2355 at NVDCVE-2017-2356 at SUSECVE-2017-2356 at NVDCVE-2017-2362 at SUSECVE-2017-2362 at NVDCVE-2017-2363 at SUSECVE-2017-2363 at NVDCVE-2017-2364 at SUSECVE-2017-2364 at NVDCVE-2017-2365 at SUSECVE-2017-2365 at NVDCVE-2017-2366 at SUSECVE-2017-2366 at NVDCVE-2017-2369 at SUSECVE-2017-2369 at NVDCVE-2017-2371 at SUSECVE-2017-2371 at NVDCVE-2017-2373 at SUSECVE-2017-2373 at NVDCVE-2017-2496 at SUSECVE-2017-2496 at NVDCVE-2017-2510 at SUSECVE-2017-2510 at NVDCVE-2017-2538 at SUSECVE-2017-2538 at NVDCVE-2017-2539 at SUSECVE-2017-2539 at NVDCVE-2017-7018 at SUSECVE-2017-7018 at NVDCVE-2017-7030 at SUSECVE-2017-7030 at NVDCVE-2017-7034 at SUSECVE-2017-7034 at NVDCVE-2017-7037 at SUSECVE-2017-7037 at NVDCVE-2017-7039 at SUSECVE-2017-7039 at NVDCVE-2017-7046 at SUSECVE-2017-7046 at NVDCVE-2017-7048 at SUSECVE-2017-7048 at NVDCVE-2017-7055 at SUSECVE-2017-7055 at NVDCVE-2017-7056 at SUSECVE-2017-7056 at NVDCVE-2017-7061 at SUSECVE-2017-7061 at NVDCVE-2017-7064 at SUSECVE-2017-7064 at NVDcpe:/o:suse:sles:12:sp3Security update for SuSEfirewall2 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for SuSEfirewall2 fixes the following issues:
- CVE-2017-15638: Fixed security issue with too open implicit portmapper rules
(bsc#1064127): A source net restriction for _rpc_ services
was not taken into account for the implicitly added rules for port 111,
making the portmap service accessible to everyone in the affected zone when
the 'rpc' matching was used.
ModerateSUSE bug 1064127CVE-2017-15638 at SUSECVE-2017-15638 at NVDcpe:/o:suse:sles:12:sp3Security update for sssd (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for sssd provides the following fixes:
Security issues fixed:
- CVE-2017-12173: Fixed unsanitized input when searching in local cache database (bsc#1061832).
Non security issues fixed:
- Fixed a segfault issue in ldap_rfc_2307_fallback_to_local_users. (bsc#1055123)
- Install /var/lib/sss/mc directory to correct sssd cache invalidation behaviour. (bsc#1039567)
ModerateSUSE bug 1039567SUSE bug 1055123SUSE bug 1061832CVE-2017-12173 at SUSECVE-2017-12173 at NVDcpe:/o:suse:sles:12:sp3Security update for krb5 (Important)SUSE Linux Enterprise Server 12 SP3
This update for krb5 fixes the following issues:
Security issues fixed:
- CVE-2017-15088: A buffer overflow in get_matching_data() was fixed that could under specific circumstances be used to execute code (bsc#1065274)
ImportantSUSE bug 1065274CVE-2017-15088 at SUSECVE-2017-15088 at NVDcpe:/o:suse:sles:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ImageMagick fixes the following issues:
Security issues fixed:
* CVE-2017-15033: A denial of service attack (memory leak) was fixed in ReadYUVImage in coders/yuv.c [bsc#1061873]
* CVE-2017-11446: An infinite loop in ReadPESImage was fixed. (bsc#1049379)
* CVE-2017-12433: A memory leak in ReadPESImage in coders/pes.c was fixed. (bsc#1052545)
* CVE-2017-12428: A memory leak in ReadWMFImage in coders/wmf.c was fixed. (bsc#1052249)
* CVE-2017-12431: A use-after-free in ReadWMFImage was fixed. (bsc#1052253)
* CVE-2017-11534: A memory leak in the lite_font_map() in coders/wmf.c was fixed. (bsc#1050135)
* CVE-2017-13133: A memory exhaustion in load_level function in coders/xcf.c was fixed. (bsc#1055219)
* CVE-2017-13139: A out-of-bounds read in the ReadOneMNGImage was fixed. (bsc#1055430)
This update also reverts an incorrect fix for CVE-2016-7530 [bsc#1054924].
ModerateSUSE bug 1049379SUSE bug 1050135SUSE bug 1052249SUSE bug 1052253SUSE bug 1052545SUSE bug 1054924SUSE bug 1055219SUSE bug 1055430SUSE bug 1061873CVE-2016-7530 at SUSECVE-2016-7530 at NVDCVE-2017-11446 at SUSECVE-2017-11446 at NVDCVE-2017-11534 at SUSECVE-2017-11534 at NVDCVE-2017-12428 at SUSECVE-2017-12428 at NVDCVE-2017-12431 at SUSECVE-2017-12431 at NVDCVE-2017-12433 at SUSECVE-2017-12433 at NVDCVE-2017-13133 at SUSECVE-2017-13133 at NVDCVE-2017-13139 at SUSECVE-2017-13139 at NVDCVE-2017-15033 at SUSECVE-2017-15033 at NVDcpe:/o:suse:sles:12:sp3Security update for shadow (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for shadow fixes several issues.
This security issue was fixed:
- CVE-2017-12424: The newusers tool could have been forced to manipulate
internal data structures in ways unintended by the authors. Malformed input may
have lead to crashes (with a buffer overflow or other memory corruption) or
other unspecified behaviors (bsc#1052261).
These non-security issues were fixed:
- bsc#1023895: Fixed man page to not contain invalid options and also prevent
warnings when using these options in certain settings
- bsc#980486: Reset user in /var/log/tallylog because of the usage of pam_tally2
ModerateSUSE bug 1023895SUSE bug 1052261SUSE bug 980486CVE-2017-12424 at SUSECVE-2017-12424 at NVDcpe:/o:suse:sles:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3
This update for java-1_8_0-openjdk fixes the following issues:
- Update to version jdk8u151 (icedtea 3.6.0)
Security issues fixed:
- CVE-2017-10274: Handle smartcard clean up better (bsc#1064071)
- CVE-2017-10281: Better queuing priorities (bsc#1064072)
- CVE-2017-10285: Unreferenced references (bsc#1064073)
- CVE-2017-10295: Better URL connections (bsc#1064075)
- CVE-2017-10388: Correct Kerberos ticket grants (bsc#1064086)
- CVE-2017-10346: Better invokespecial checks (bsc#1064078)
- CVE-2017-10350: Better Base Exceptions (bsc#1064082)
- CVE-2017-10347: Better timezone processing (bsc#1064079)
- CVE-2017-10349: Better X processing (bsc#1064081)
- CVE-2017-10345: Better keystore handling (bsc#1064077)
- CVE-2017-10348: Better processing of unresolved permissions (bsc#1064080)
- CVE-2017-10357: Process Proxy presentation (bsc#1064085)
- CVE-2017-10355: More stable connection processing (bsc#1064083)
- CVE-2017-10356: Update storage implementations (bsc#1064084)
- CVE-2016-10165: Improve CMS header processing (bsc#1064069)
- CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843: Upgrade compression library (bsc#1064070)
Bug fixes:
- Fix bsc#1032647, bsc#1052009 with btrfs subvolumes and overlayfs
ImportantSUSE bug 1032647SUSE bug 1052009SUSE bug 1064069SUSE bug 1064070SUSE bug 1064071SUSE bug 1064072SUSE bug 1064073SUSE bug 1064075SUSE bug 1064077SUSE bug 1064078SUSE bug 1064079SUSE bug 1064080SUSE bug 1064081SUSE bug 1064082SUSE bug 1064083SUSE bug 1064084SUSE bug 1064085SUSE bug 1064086CVE-2016-10165 at SUSECVE-2016-10165 at NVDCVE-2016-9840 at SUSECVE-2016-9840 at NVDCVE-2016-9841 at SUSECVE-2016-9841 at NVDCVE-2016-9842 at SUSECVE-2016-9842 at NVDCVE-2016-9843 at SUSECVE-2016-9843 at NVDCVE-2017-10274 at SUSECVE-2017-10274 at NVDCVE-2017-10281 at SUSECVE-2017-10281 at NVDCVE-2017-10285 at SUSECVE-2017-10285 at NVDCVE-2017-10295 at SUSECVE-2017-10295 at NVDCVE-2017-10345 at SUSECVE-2017-10345 at NVDCVE-2017-10346 at SUSECVE-2017-10346 at NVDCVE-2017-10347 at SUSECVE-2017-10347 at NVDCVE-2017-10348 at SUSECVE-2017-10348 at NVDCVE-2017-10349 at SUSECVE-2017-10349 at NVDCVE-2017-10350 at SUSECVE-2017-10350 at NVDCVE-2017-10355 at SUSECVE-2017-10355 at NVDCVE-2017-10356 at SUSECVE-2017-10356 at NVDCVE-2017-10357 at SUSECVE-2017-10357 at NVDCVE-2017-10388 at SUSECVE-2017-10388 at NVDcpe:/o:suse:sles:12:sp3Security update for tomcat (Important)SUSE Linux Enterprise Server 12 SP3
This update for tomcat fixes the following issues:
Security issues fixed:
- CVE-2017-5664: A problem in handling error pages was fixed, to avoid potential file overwrites during error page handling. (bsc#1042910).
- CVE-2017-7674: A CORS Filter issue could lead to client and server side cache poisoning (bsc#1053352)
- CVE-2017-12617: A remote code execution possibility via JSP Upload was fixed (bsc#1059554)
Non security bugs fixed:
- Fix tomcat-digest classpath error (bsc#977410)
- Fix packaged /etc/alternatives symlinks for api libs that caused
rpm -V to report link mismatch (bsc#1019016)
ImportantSUSE bug 1019016SUSE bug 1042910SUSE bug 1053352SUSE bug 1059554SUSE bug 977410CVE-2017-12617 at SUSECVE-2017-12617 at NVDCVE-2017-5664 at SUSECVE-2017-5664 at NVDCVE-2017-7674 at SUSECVE-2017-7674 at NVDcpe:/o:suse:sles:12:sp3Security update for file (Moderate)SUSE Linux Enterprise Server 12 SP3
The GNU file utility was updated to version 5.22.
Security issues fixed:
- CVE-2014-9621: The ELF parser in file allowed remote attackers to cause a denial of service via a long string. (bsc#913650)
- CVE-2014-9620: The ELF parser in file allowed remote attackers to cause a denial of service via a large number of notes. (bsc#913651)
- CVE-2014-9653: readelf.c in file did not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. (bsc#917152)
- CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. (bsc#910253)
- CVE-2014-8117: softmagic.c in file did not properly limit recursion, which allowed remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors. (bsc#910253)
Version update to file version 5.22
* add indirect relative for TIFF/Exif
* restructure elf note printing to avoid repeated messages
* add note limit, suggested by Alexander Cherepanov
* Bail out on partial pread()'s (Alexander Cherepanov)
* Fix incorrect bounds check in file_printable (Alexander Cherepanov)
* PR/405: ignore SIGPIPE from uncompress programs
* change printable -> file_printable and use it in more places for safety
* in ELF, instead of '(uses dynamic libraries)' when PT_INTERP is present print the interpreter name.
Version update to file version 5.21
* there was an incorrect free in magic_load_buffers()
* there was an out of bounds read for some pascal strings
* there was a memory leak in magic lists
* don't interpret strings printed from files using the current
locale, convert them to ascii format first.
* there was an out of bounds read in elf note reads
Update to file version 5.20
* recognize encrypted CDF documents
* add magic_load_buffers from Brooks Davis
* add thumbs.db support
Additional non-security bug fixes:
* Fixed a memory corruption during rpmbuild (bsc#1063269)
* Backport of a fix for an increased printable string length as found in file 5.30 (bsc#996511)
* file command throws 'Composite Document File V2 Document, corrupt: Can't read SSAT' error against excel 97/2003 file format. (bsc#1009966)
ModerateSUSE bug 1009966SUSE bug 1063269SUSE bug 910252SUSE bug 910253SUSE bug 913650SUSE bug 913651SUSE bug 917152SUSE bug 996511CVE-2014-8116 at SUSECVE-2014-8116 at NVDCVE-2014-8117 at SUSECVE-2014-8117 at NVDCVE-2014-9620 at SUSECVE-2014-9620 at NVDCVE-2014-9621 at SUSECVE-2014-9621 at NVDCVE-2014-9653 at SUSECVE-2014-9653 at NVDcpe:/o:suse:sles:12:sp3Security update for xorg-x11-server (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for xorg-x11-server fixes several issues.
These security issues were fixed:
- CVE-2017-13721: Missing validation of shmseg resource id in Xext/XShm
could lead to shared memory segments of other users beeing freed
(bnc#1052984)
- CVE-2017-13723: A local denial of service via unusual characters in XkbAtomText and XkbStringText was fixed (bnc#1051150)
- CVE-2017-12184,CVE-2017-12185,CVE-2017-12186,CVE-2017-12187: Fixed
unvalidated lengths in multiple extensions (bsc#1063034)
- CVE-2017-12183: Fixed some unvalidated lengths in the XFIXES
extension. (bsc#1063035)
- CVE-2017-12180,CVE-2017-12181,CVE-2017-12182: Fixed various unvalidated
lengths in the XFree86-VidMode/XFree86-DGA/XFree86-DRI extensions
(bsc#1063037)
- CVE-2017-12179: Fixed an integer overflow and unvalidated length in
(S)ProcXIBarrierReleasePointer in Xi (bsc#1063038)
- CVE-2017-12178: Fixed a wrong extra length check in
ProcXIChangeHierarchy in Xi (bsc#1063039)
- CVE-2017-12177: Fixed an unvalidated variable-length request in
ProcDbeGetVisualInfo (bsc#1063040)
- CVE-2017-12176: Fixed an unvalidated extra length in
ProcEstablishConnection (bsc#1063041)
These non-security issues were fixed:
- Make colormap/gamma glue code work with the RandR extension disabled. This prevents it
from crashing and showing wrong colors. (bsc#1061107)
- Recognize ssh as a remote client to fix launching applications remotely when using DRI3.
(bsc#1022727)
ModerateSUSE bug 1022727SUSE bug 1051150SUSE bug 1052984SUSE bug 1061107SUSE bug 1063034SUSE bug 1063035SUSE bug 1063037SUSE bug 1063038SUSE bug 1063039SUSE bug 1063040SUSE bug 1063041CVE-2017-12176 at SUSECVE-2017-12176 at NVDCVE-2017-12177 at SUSECVE-2017-12177 at NVDCVE-2017-12178 at SUSECVE-2017-12178 at NVDCVE-2017-12179 at SUSECVE-2017-12179 at NVDCVE-2017-12180 at SUSECVE-2017-12180 at NVDCVE-2017-12181 at SUSECVE-2017-12181 at NVDCVE-2017-12182 at SUSECVE-2017-12182 at NVDCVE-2017-12183 at SUSECVE-2017-12183 at NVDCVE-2017-12184 at SUSECVE-2017-12184 at NVDCVE-2017-12185 at SUSECVE-2017-12185 at NVDCVE-2017-12186 at SUSECVE-2017-12186 at NVDCVE-2017-12187 at SUSECVE-2017-12187 at NVDCVE-2017-13721 at SUSECVE-2017-13721 at NVDCVE-2017-13723 at SUSECVE-2017-13723 at NVDcpe:/o:suse:sles:12:sp3Recommended update for tboot (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for tboot fixes the following issues:
Security issue fixed:
- CVE-2017-16837: Certain function pointers in Trusted Boot (tboot) through 1.9.6 are
notvalidated and can cause arbitrary code execution, which allows local users
tooverwrite dynamic PCRs of Trusted Platform Module (TPM) by h (bsc#1068390)
Bug fixes:
- Fixed failed trusted boot on some systems like Intel Xeon 'Purley 8s' processors. The
following error message showed: 'TBOOT: wait-for-sipi loop timed-out'. Booting continued
but 'TXT measured launch' was wrongly reported as FALSE. (bsc#1057555)
ModerateSUSE bug 1057555SUSE bug 1068390CVE-2017-16837 at SUSECVE-2017-16837 at NVDcpe:/o:suse:sles:12:sp3Security update for perl (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for perl fixes the following issues:
Security issues fixed:
- CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before
5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service
(out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive
modifier. (bnc#1057724)
- CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before
5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information
or cause a denial of service (application crash) via a crafted regular expression with an invalid
'\N{U+...}' escape. (bnc#1057721)
- CVE-2017-6512: Race condition in the rmtree and remove_tree functions in the File-Path module
before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving
directory-permission loosening logic. (bnc#1047178)
Bug fixes:
- backport set_capture_string changes from upstream (bsc#999735)
- reformat baselibs.conf as source validator workaround
ModerateSUSE bug 1047178SUSE bug 1057721SUSE bug 1057724SUSE bug 999735CVE-2017-12837 at SUSECVE-2017-12837 at NVDCVE-2017-12883 at SUSECVE-2017-12883 at NVDCVE-2017-6512 at SUSECVE-2017-6512 at NVDcpe:/o:suse:sles:12:sp3Security update for kernel-firmware (Important)SUSE Linux Enterprise Server 12 SP3
This update for kernel-firmware fixes the following issues:
- Update Intel WiFi firmwares for the 3160, 7260 and 7265 adapters.
Security issues fixed are part of the 'KRACK' attacks affecting the firmware:
- CVE-2017-13080: The reinstallation of the Group Temporal key could be used for replay attacks (bsc#1066295):
- CVE-2017-13081: The reinstallation of the Integrity Group Temporal key could be used for replay attacks (bsc#1066295):
ImportantSUSE bug 1066295CVE-2017-13080 at SUSECVE-2017-13080 at NVDCVE-2017-13081 at SUSECVE-2017-13081 at NVDcpe:/o:suse:sles:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3
This update for xen to version 4.9.1 (bsc#1027519) fixes several issues.
This new feature was added:
- Support migration of HVM domains larger than 1 TB
These security issues were fixed:
- bsc#1068187: Failure to recognize errors in the Populate on Demand (PoD) code
allowed for DoS (XSA-246)
- bsc#1068191: Missing p2m error checking in PoD code allowed unprivileged guests
to retain a writable mapping of freed memory leading to information leaks,
privilege escalation or DoS (XSA-247).
- CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged
users to cause a denial of service (out-of-bounds write access and Qemu process
crash) via vectors related to dst calculation (bsc#1063123)
- CVE-2017-15597: A grant copy operation being done on a grant of a dying domain
allowed a malicious guest administrator to corrupt hypervisor memory, allowing
for DoS or potentially privilege escalation and information leaks (bsc#1061075).
This non-security issue was fixed:
- bsc#1055047: Fixed --initrd-inject option in virt-install
ImportantSUSE bug 1027519SUSE bug 1055047SUSE bug 1061075SUSE bug 1063123SUSE bug 1068187SUSE bug 1068191CVE-2017-15289 at SUSECVE-2017-15289 at NVDCVE-2017-15597 at SUSECVE-2017-15597 at NVDcpe:/o:suse:sles:12:sp3Security update for samba (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for samba fixes the following issues:
Security issues fixed:
- CVE-2017-14746: Use-after-free vulnerability (bsc#1060427).
- CVE-2017-15275: Server heap memory information leak (bsc#1063008).
- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file (bsc#1058624).
- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects (bsc#1058565).
- CVE-2017-12150: Some code path don't enforce smb signing when they should (bsc#1058565).
Bug fixes:
- Samba was updated to 4.6.9 (bsc#1065066) see release notes for details.
* https://www.samba.org/samba/history/samba-4.6.9.html
ModerateSUSE bug 1058565SUSE bug 1058622SUSE bug 1058624SUSE bug 1060427SUSE bug 1063008SUSE bug 1065066CVE-2017-12150 at SUSECVE-2017-12150 at NVDCVE-2017-12151 at SUSECVE-2017-12151 at NVDCVE-2017-12163 at SUSECVE-2017-12163 at NVDCVE-2017-14746 at SUSECVE-2017-14746 at NVDCVE-2017-15275 at SUSECVE-2017-15275 at NVDcpe:/o:suse:sles:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for openssl fixes the following issues:
Security issues fixed:
- CVE-2017-3735: openssl1,openssl: Malformed X.509 IPAdressFamily could cause OOB read (bsc#1056058)
- CVE-2017-3736: openssl: bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242)
- Out of bounds read+crash in DES_fcrypt (bsc#1065363)
- openssl DEFAULT_SUSE cipher list is missing ECDHE-ECDSA ciphers (bsc#1055825)
ModerateSUSE bug 1055825SUSE bug 1056058SUSE bug 1065363SUSE bug 1066242CVE-2017-3735 at SUSECVE-2017-3735 at NVDCVE-2017-3736 at SUSECVE-2017-3736 at NVDcpe:/o:suse:sles:12:sp3Security update for binutils (Moderate)SUSE Linux Enterprise Server 12 SP3
GNU binutil was updated to the 2.29.1 release, bringing various new features, fixing a lot of bugs and security issues.
Following security issues are being addressed by this release:
* 18750 bsc#1030296 CVE-2014-9939
* 20891 bsc#1030585 CVE-2017-7225
* 20892 bsc#1030588 CVE-2017-7224
* 20898 bsc#1030589 CVE-2017-7223
* 20905 bsc#1030584 CVE-2017-7226
* 20908 bsc#1031644 CVE-2017-7299
* 20909 bsc#1031656 CVE-2017-7300
* 20921 bsc#1031595 CVE-2017-7302
* 20922 bsc#1031593 CVE-2017-7303
* 20924 bsc#1031638 CVE-2017-7301
* 20931 bsc#1031590 CVE-2017-7304
* 21135 bsc#1030298 CVE-2017-7209
* 21137 bsc#1029909 CVE-2017-6965
* 21139 bsc#1029908 CVE-2017-6966
* 21156 bsc#1029907 CVE-2017-6969
* 21157 bsc#1030297 CVE-2017-7210
* 21409 bsc#1037052 CVE-2017-8392
* 21412 bsc#1037057 CVE-2017-8393
* 21414 bsc#1037061 CVE-2017-8394
* 21432 bsc#1037066 CVE-2017-8396
* 21440 bsc#1037273 CVE-2017-8421
* 21580 bsc#1044891 CVE-2017-9746
* 21581 bsc#1044897 CVE-2017-9747
* 21582 bsc#1044901 CVE-2017-9748
* 21587 bsc#1044909 CVE-2017-9750
* 21594 bsc#1044925 CVE-2017-9755
* 21595 bsc#1044927 CVE-2017-9756
* 21787 bsc#1052518 CVE-2017-12448
* 21813 bsc#1052503, CVE-2017-12456, bsc#1052507, CVE-2017-12454, bsc#1052509, CVE-2017-12453, bsc#1052511, CVE-2017-12452, bsc#1052514, CVE-2017-12450, bsc#1052503, CVE-2017-12456, bsc#1052507, CVE-2017-12454, bsc#1052509, CVE-2017-12453, bsc#1052511, CVE-2017-12452, bsc#1052514, CVE-2017-12450
* 21933 bsc#1053347 CVE-2017-12799
* 21990 bsc#1058480 CVE-2017-14333
* 22018 bsc#1056312 CVE-2017-13757
* 22047 bsc#1057144 CVE-2017-14129
* 22058 bsc#1057149 CVE-2017-14130
* 22059 bsc#1057139 CVE-2017-14128
* 22113 bsc#1059050 CVE-2017-14529
* 22148 bsc#1060599 CVE-2017-14745
* 22163 bsc#1061241 CVE-2017-14974
* 22170 bsc#1060621 CVE-2017-14729
Update to binutils 2.29. [fate#321454, fate#321494, fate#323293]:
* The MIPS port now supports microMIPS eXtended Physical Addressing (XPA)
instructions for assembly and disassembly.
* The MIPS port now supports the microMIPS Release 5 ISA for assembly and
disassembly.
* The MIPS port now supports the Imagination interAptiv MR2 processor,
which implements the MIPS32r3 ISA, the MIPS16e2 ASE as well as a couple
of implementation-specific regular MIPS and MIPS16e2 ASE instructions.
* The SPARC port now supports the SPARC M8 processor, which implements the
Oracle SPARC Architecture 2017.
* The MIPS port now supports the MIPS16e2 ASE for assembly and disassembly.
* Add support for ELF SHF_GNU_MBIND and PT_GNU_MBIND_XXX.
* Add support for the wasm32 ELF conversion of the WebAssembly file format.
* Add --inlines option to objdump, which extends the --line-numbers option
so that inlined functions will display their nesting information.
* Add --merge-notes options to objcopy to reduce the size of notes in
a binary file by merging and deleting redundant notes.
* Add support for locating separate debug info files using the build-id
method, where the separate file has a name based upon the build-id of
the original file.
- GAS specific:
* Add support for ELF SHF_GNU_MBIND.
* Add support for the WebAssembly file format and wasm32 ELF conversion.
* PowerPC gas now checks that the correct register class is used in
instructions. For instance, 'addi %f4,%cr3,%r31' warns three times
that the registers are invalid.
* Add support for the Texas Instruments PRU processor.
* Support for the ARMv8-R architecture and Cortex-R52 processor has been
added to the ARM port.
- GNU ld specific:
* Support for -z shstk in the x86 ELF linker to generate
GNU_PROPERTY_X86_FEATURE_1_SHSTK in ELF GNU program properties.
* Add support for GNU_PROPERTY_X86_FEATURE_1_SHSTK in ELF GNU program
properties in the x86 ELF linker.
* Add support for GNU_PROPERTY_X86_FEATURE_1_IBT in ELF GNU program
properties in the x86 ELF linker.
* Support for -z ibtplt in the x86 ELF linker to generate IBT-enabled
PLT.
* Support for -z ibt in the x86 ELF linker to generate IBT-enabled
PLT as well as GNU_PROPERTY_X86_FEATURE_1_IBT in ELF GNU program
properties.
* Add support for ELF SHF_GNU_MBIND and PT_GNU_MBIND_XXX.
* Add support for ELF GNU program properties.
* Add support for the Texas Instruments PRU processor.
* When configuring for arc*-*-linux* targets the default linker emulation will
change if --with-cpu=nps400 is used at configure time.
* Improve assignment of LMAs to orphan sections in some edge cases where a
mixture of both AT>LMA_REGION and AT(LMA) are used.
* Orphan sections placed after an empty section that has an AT(LMA) will now
take an load memory address starting from LMA.
* Section groups can now be resolved (the group deleted and the group members
placed like normal sections) at partial link time either using the new
linker option --force-group-allocation or by placing FORCE_GROUP_ALLOCATION
into the linker script.
- Add riscv64 target, tested with gcc7 and downstream newlib 2.4.0
- Prepare riscv32 target (gh#riscv/riscv-newlib#8)
- Make compressed debug section handling explicit, disable for
old products and enable for gas on all architectures otherwise. [bsc#1029995]
- Remove empty rpath component removal optimization from to workaround
CMake rpath handling. [bsc#1025282]
Minor security bugs fixed:
PR 21147, PR 21148, PR 21149, PR 21150, PR 21151, PR 21155, PR 21158, PR 21159
- Update to binutils 2.28.
* Add support for locating separate debug info files using the build-id
method, where the separate file has a name based upon the build-id of
the original file.
* This version of binutils fixes a problem with PowerPC VLE 16A and 16D
relocations which were functionally swapped, for example,
R_PPC_VLE_HA16A performed like R_PPC_VLE_HA16D while R_PPC_VLE_HA16D
performed like R_PPC_VLE_HA16A. This could have been fixed by
renumbering relocations, which would keep object files created by an
older version of gas compatible with a newer ld. However, that would
require an ABI update, affecting other assemblers and linkers that
create and process the relocations correctly. It is recommended that
all VLE object files be recompiled, but ld can modify the relocations
if --vle-reloc-fixup is passed to ld. If the new ld command line
option is not used, ld will ld warn on finding relocations inconsistent
with the instructions being relocated.
* The nm program has a new command line option (--with-version-strings)
which will display a symbol's version information, if any, after the
symbol's name.
* The ARC port of objdump now accepts a -M option to specify the extra
instruction class(es) that should be disassembled.
* The --remove-section option for objcopy and strip now accepts section
patterns starting with an exclamation point to indicate a non-matching
section. A non-matching section is removed from the set of sections
matched by an earlier --remove-section pattern.
* The --only-section option for objcopy now accepts section patterns
starting with an exclamation point to indicate a non-matching section.
A non-matching section is removed from the set of sections matched by
an earlier --only-section pattern.
* New --remove-relocations=SECTIONPATTERN option for objcopy and strip.
This option can be used to remove sections containing relocations.
The SECTIONPATTERN is the section to which the relocations apply, not
the relocation section itself.
- GAS specific:
* Add support for the RISC-V architecture.
* Add support for the ARM Cortex-M23 and Cortex-M33 processors.
- GNU ld specific:
* The EXCLUDE_FILE linker script construct can now be applied outside of the
section list in order for the exclusions to apply over all input sections
in the list.
* Add support for the RISC-V architecture.
* The command line option --no-eh-frame-hdr can now be used in ELF based
linkers to disable the automatic generation of .eh_frame_hdr sections.
* Add --in-implib=<infile> to the ARM linker to enable specifying a set of
Secure Gateway veneers that must exist in the output import library
specified by --out-implib=<outfile> and the address they must have.
As such, --in-implib is only supported in combination with --cmse-implib.
* Extended the --out-implib=<file> option, previously restricted to x86 PE
targets, to any ELF based target. This allows the generation of an import
library for an ELF executable, which can then be used by another application
to link against the executable.
- GOLD specific:
* Add -z bndplt option (x86-64 only) to support Intel MPX.
* Add --orphan-handling option.
* Add --stub-group-multi option (PowerPC only).
* Add --target1-rel, --target1-abs, --target2 options (Arm only).
* Add -z stack-size option.
* Add --be8 option (Arm only).
* Add HIDDEN support in linker scripts.
* Add SORT_BY_INIT_PRIORITY support in linker scripts.
- Other fixes:
* Fix section alignment on .gnu_debuglink. [bso#21193]
* Add s390x to gold_archs.
* Fix alignment frags for aarch64 (bsc#1003846)
* Call ldconfig for libbfd
* Fix an assembler problem with clang on ARM.
* Restore monotonically increasing section offsets.
- Update to binutils 2.27.
* Add a configure option, --enable-64-bit-archive, to force use of a
64-bit format when creating an archive symbol index.
* Add --elf-stt-common= option to objcopy for ELF targets to control
whether to convert common symbols to the STT_COMMON type.
- GAS specific:
* Default to --enable-compressed-debug-sections=gas for Linux/x86 targets.
* Add --no-pad-sections to stop the assembler from padding the end of output
sections up to their alignment boundary.
* Support for the ARMv8-M architecture has been added to the ARM port.
Support for the ARMv8-M Security and DSP Extensions has also been added
to the ARM port.
* ARC backend accepts .extInstruction, .extCondCode, .extAuxRegister, and
.extCoreRegister pseudo-ops that allow an user to define custom
instructions, conditional codes, auxiliary and core registers.
* Add a configure option --enable-elf-stt-common to decide whether ELF
assembler should generate common symbols with the STT_COMMON type by
default. Default to no.
* New command line option --elf-stt-common= for ELF targets to control
whether to generate common symbols with the STT_COMMON type.
* Add ability to set section flags and types via numeric values for ELF
based targets.
* Add a configure option --enable-x86-relax-relocations to decide whether
x86 assembler should generate relax relocations by default. Default to
yes, except for x86 Solaris targets older than Solaris 12.
* New command line option -mrelax-relocations= for x86 target to control
whether to generate relax relocations.
* New command line option -mfence-as-lock-add=yes for x86 target to encode
lfence, mfence and sfence as 'lock addl $0x0, (%[re]sp)'.
* Add assembly-time relaxation option for ARC cpus.
* Add --with-cpu=TYPE configure option for ARC gas. This allows the default
cpu type to be adjusted at configure time.
- GOLD specific:
* Add a configure option --enable-relro to decide whether -z relro should
be enabled by default. Default to yes.
* Add support for s390, MIPS, AArch64, and TILE-Gx architectures.
* Add support for STT_GNU_IFUNC symbols.
* Add support for incremental linking (--incremental).
- GNU ld specific:
* Add a configure option --enable-relro to decide whether -z relro should
be enabled in ELF linker by default. Default to yes for all Linux
targets except FRV, HPPA, IA64 and MIPS.
* Support for -z noreloc-overflow in the x86-64 ELF linker to disable
relocation overflow check.
* Add -z common/-z nocommon options for ELF targets to control whether to
convert common symbols to the STT_COMMON type during a relocatable link.
* Support for -z nodynamic-undefined-weak in the x86 ELF linker, which
avoids dynamic relocations against undefined weak symbols in executable.
* The NOCROSSREFSTO command was added to the linker script language.
* Add --no-apply-dynamic-relocs to the AArch64 linker to do not apply
link-time values for dynamic relocations.
ModerateSUSE bug 1003846SUSE bug 1025282SUSE bug 1029907SUSE bug 1029908SUSE bug 1029909SUSE bug 1029995SUSE bug 1030296SUSE bug 1030297SUSE bug 1030298SUSE bug 1030583SUSE bug 1030584SUSE bug 1030585SUSE bug 1030588SUSE bug 1030589SUSE bug 1031590SUSE bug 1031593SUSE bug 1031595SUSE bug 1031638SUSE bug 1031644SUSE bug 1031656SUSE bug 1033122SUSE bug 1037052SUSE bug 1037057SUSE bug 1037061SUSE bug 1037062SUSE bug 1037066SUSE bug 1037070SUSE bug 1037072SUSE bug 1037273SUSE bug 1038874SUSE bug 1038875SUSE bug 1038876SUSE bug 1038877SUSE bug 1038878SUSE bug 1038880SUSE bug 1038881SUSE bug 1044891SUSE bug 1044897SUSE bug 1044901SUSE bug 1044909SUSE bug 1044925SUSE bug 1044927SUSE bug 1046094SUSE bug 1052061SUSE bug 1052496SUSE bug 1052503SUSE bug 1052507SUSE bug 1052509SUSE bug 1052511SUSE bug 1052514SUSE bug 1052518SUSE bug 1053347SUSE bug 1056312SUSE bug 1056437SUSE bug 1057139SUSE bug 1057144SUSE bug 1057149SUSE bug 1058480SUSE bug 1059050SUSE bug 1060599SUSE bug 1060621SUSE bug 1061241SUSE bug 437293SUSE bug 445037SUSE bug 546106SUSE bug 561142SUSE bug 578249SUSE bug 590820SUSE bug 691290SUSE bug 698346SUSE bug 713504SUSE bug 776968SUSE bug 863764SUSE bug 938658SUSE bug 970239CVE-2014-9939 at SUSECVE-2014-9939 at NVDCVE-2017-12448 at SUSECVE-2017-12448 at NVDCVE-2017-12450 at SUSECVE-2017-12450 at NVDCVE-2017-12452 at SUSECVE-2017-12452 at NVDCVE-2017-12453 at SUSECVE-2017-12453 at NVDCVE-2017-12454 at SUSECVE-2017-12454 at NVDCVE-2017-12456 at SUSECVE-2017-12456 at NVDCVE-2017-12799 at SUSECVE-2017-12799 at NVDCVE-2017-13757 at SUSECVE-2017-13757 at NVDCVE-2017-14128 at SUSECVE-2017-14128 at NVDCVE-2017-14129 at SUSECVE-2017-14129 at NVDCVE-2017-14130 at SUSECVE-2017-14130 at NVDCVE-2017-14333 at SUSECVE-2017-14333 at NVDCVE-2017-14529 at SUSECVE-2017-14529 at NVDCVE-2017-14729 at SUSECVE-2017-14729 at NVDCVE-2017-14745 at SUSECVE-2017-14745 at NVDCVE-2017-14974 at SUSECVE-2017-14974 at NVDCVE-2017-6965 at SUSECVE-2017-6965 at NVDCVE-2017-6966 at SUSECVE-2017-6966 at NVDCVE-2017-6969 at SUSECVE-2017-6969 at NVDCVE-2017-7209 at SUSECVE-2017-7209 at NVDCVE-2017-7210 at SUSECVE-2017-7210 at NVDCVE-2017-7223 at SUSECVE-2017-7223 at NVDCVE-2017-7224 at SUSECVE-2017-7224 at NVDCVE-2017-7225 at SUSECVE-2017-7225 at NVDCVE-2017-7226 at SUSECVE-2017-7226 at NVDCVE-2017-7227 at SUSECVE-2017-7227 at NVDCVE-2017-7299 at SUSECVE-2017-7299 at NVDCVE-2017-7300 at SUSECVE-2017-7300 at NVDCVE-2017-7301 at SUSECVE-2017-7301 at NVDCVE-2017-7302 at SUSECVE-2017-7302 at NVDCVE-2017-7303 at SUSECVE-2017-7303 at NVDCVE-2017-7304 at SUSECVE-2017-7304 at NVDCVE-2017-7614 at SUSECVE-2017-7614 at NVDCVE-2017-8392 at SUSECVE-2017-8392 at NVDCVE-2017-8393 at SUSECVE-2017-8393 at NVDCVE-2017-8394 at SUSECVE-2017-8394 at NVDCVE-2017-8395 at SUSECVE-2017-8395 at NVDCVE-2017-8396 at SUSECVE-2017-8396 at NVDCVE-2017-8397 at SUSECVE-2017-8397 at NVDCVE-2017-8398 at SUSECVE-2017-8398 at NVDCVE-2017-8421 at SUSECVE-2017-8421 at NVDCVE-2017-9038 at SUSECVE-2017-9038 at NVDCVE-2017-9039 at SUSECVE-2017-9039 at NVDCVE-2017-9040 at SUSECVE-2017-9040 at NVDCVE-2017-9041 at SUSECVE-2017-9041 at NVDCVE-2017-9042 at SUSECVE-2017-9042 at NVDCVE-2017-9043 at SUSECVE-2017-9043 at NVDCVE-2017-9044 at SUSECVE-2017-9044 at NVDCVE-2017-9746 at SUSECVE-2017-9746 at NVDCVE-2017-9747 at SUSECVE-2017-9747 at NVDCVE-2017-9748 at SUSECVE-2017-9748 at NVDCVE-2017-9750 at SUSECVE-2017-9750 at NVDCVE-2017-9755 at SUSECVE-2017-9755 at NVDCVE-2017-9756 at SUSECVE-2017-9756 at NVDCVE-2017-9954 at SUSECVE-2017-9954 at NVDCVE-2017-9955 at SUSECVE-2017-9955 at NVDcpe:/o:suse:sles:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3
This update for MozillaFirefox ESR 52.5 fixes the following issues:
Security issues fixed:
- CVE-2017-7826: Memory safety bugs fixed (bsc#1068101).
- CVE-2017-7828: Use-after-free of PressShell while restyling layout (bsc#1068101).
- CVE-2017-7830: Cross-origin URL information leak through Resource Timing API (bsc#1068101).
Mozilla Foundation Security Advisory (MFSA 2017-25):
- https://www.mozilla.org/en-US/security/advisories/mfsa2017-25/
ImportantSUSE bug 1068101CVE-2017-7826 at SUSECVE-2017-7826 at NVDCVE-2017-7828 at SUSECVE-2017-7828 at NVDCVE-2017-7830 at SUSECVE-2017-7830 at NVDcpe:/o:suse:sles:12:sp3Security update for libXcursor (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libXcursor fixes the following issues:
Security issue fixed:
- CVE-2017-16612: Fix integeroverflow while parsing images and a signedness issue while parsing comments (bsc#1065386).
ModerateSUSE bug 1065386CVE-2017-16612 at SUSECVE-2017-16612 at NVDcpe:/o:suse:sles:12:sp3Security update for shibboleth-sp (Important)SUSE Linux Enterprise Server 12 SP3
This update for shibboleth-sp fixes the following issues:
Security issue fixed:
- CVE-2017-16852: Fix critical security checks in the Dynamic MetadataProvider plugin in Shibboleth Service (bsc#1068689).
ImportantSUSE bug 1068689CVE-2017-16852 at SUSECVE-2017-16852 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2017-1000405: A bug in the THP CoW support could be used by local attackers to corrupt memory of other processes and cause them to crash (bnc#1069496).
- CVE-2017-16939: The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages (bnc#1069702).
The following non-security bugs were fixed:
Fix a build issue on ppc64le systems (bsc#1070805)
ImportantSUSE bug 1069496SUSE bug 1069702SUSE bug 1070805CVE-2017-1000405 at SUSECVE-2017-1000405 at NVDCVE-2017-16939 at SUSECVE-2017-16939 at NVDcpe:/o:suse:sles:12:sp3Security update for openssh (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for openssh fixes the following issues:
Security issue fixed:
- CVE-2017-15906: Stricter checking of operations in read-only mode in sftp server (bsc#1065000).
Bug fixes:
- FIPS: Startup selfchecks (bsc#1068310).
- FIPS: Silent complaints about unsupported key exchange methods (bsc#1006166).
- Refine handling of sockets for X11 forwarding to remove reintroduced CVE-2008-1483 (bsc#1069509).
- Test configuration before running daemon to prevent looping resulting in service shutdown (bsc#1048367)
ModerateSUSE bug 1006166SUSE bug 1048367SUSE bug 1065000SUSE bug 1068310SUSE bug 1069509CVE-2008-1483 at SUSECVE-2008-1483 at NVDCVE-2017-15906 at SUSECVE-2017-15906 at NVDcpe:/o:suse:sles:12:sp3Security update for opensaml (Important)SUSE Linux Enterprise Server 12 SP3
This update for opensaml fixes the following issues:
Security issue fixed:
- CVE-2017-16853: Fix the DynamicMetadataProvider class to properly configure itself with the MetadataFilter plugins, to avoid possible MITM attacks (bsc#1068685).
ImportantSUSE bug 1068685CVE-2017-16853 at SUSECVE-2017-16853 at NVDcpe:/o:suse:sles:12:sp3Security update for openvswitch (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for openvswitch fixes the following issues:
Security issue fixed:
- CVE-2017-14970: Add upstream patches to fix memory leaks (bsc#1061310).
Bug fixes:
- Fix rpmlint warnings (bsc#1057357).
- Add missing post/postun scriptlets for the ovn-common sub-package (bsc#1054094).
ModerateSUSE bug 1054094SUSE bug 1057357SUSE bug 1061310CVE-2017-14970 at SUSECVE-2017-14970 at NVDcpe:/o:suse:sles:12:sp3Security update for libapr-util1 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libapr-util1 fixes the following issues:
Security issue fixed:
- CVE-2017-12618: DoS via crafted SDBM database files in apr_sdbm*() functions (bsc#1064990)
ModerateSUSE bug 1064990CVE-2017-12618 at SUSECVE-2017-12618 at NVDcpe:/o:suse:sles:12:sp3Security update for openssl (Important)SUSE Linux Enterprise Server 12 SP3
This update for openssl fixes the following issues:
- OpenSSL Security Advisory [07 Dec 2017]
* CVE-2017-3737: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an \'error state\' mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL version 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected. (bsc#1071905)
* CVE-2017-3738: There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. (bsc#1071906)
ImportantSUSE bug 1071905SUSE bug 1071906CVE-2017-3737 at SUSECVE-2017-3737 at NVDCVE-2017-3738 at SUSECVE-2017-3738 at NVDcpe:/o:suse:sles:12:sp3Security update for ImageMagick (Important)SUSE Linux Enterprise Server 12 SP3
This update for ImageMagick fixes the following issues:
* CVE-2017-14989: use-after-free in RenderFreetype in MagickCore/annotate.c could lead to denial of service [bsc#1061254]
* CVE-2017-14682: GetNextToken in MagickCore/token.c heap buffer overflow could lead to denial of service [bsc#1060176]
* Memory leak in WriteINLINEImage in coders/inline.c could lead to denial of service [bsc#1052744]
* CVE-2017-14607: out of bounds read flaw related to ReadTIFFImagehas could possibly disclose potentially sensitive memory [bsc#1059778]
* CVE-2017-11640: NULL pointer deref in WritePTIFImage() in coders/tiff.c [bsc#1050632]
* CVE-2017-14342: a memory exhaustion vulnerability in ReadWPGImage in coders/wpg.c could lead to denial of service [bsc#1058485]
* CVE-2017-14341: Infinite loop in the ReadWPGImage function [bsc#1058637]
* CVE-2017-16546: problem in the function ReadWPGImage in coders/wpg.c could lead to denial of service [bsc#1067181]
* CVE-2017-16545: The ReadWPGImage function in coders/wpg.c in validation problems could lead to denial of service [bsc#1067184]
* CVE-2017-16669: problem in coders/wpg.c could allow remote attackers to cause a denial of service via crafted file [bsc#1067409]
* CVE-2017-14175: Lack of End of File check could lead to denial of service [bsc#1057719]
* CVE-2017-14138: memory leak vulnerability in ReadWEBPImage in coders/webp.c could lead to denial of service [bsc#1057157]
* CVE-2017-13769: denial of service issue in function WriteTHUMBNAILImage in coders/thumbnail.c [bsc#1056432]
* CVE-2017-13134: a heap-based buffer over-read was found in thefunction SFWScan in coders/sfw.c, which allows attackers to cause adenial of service via a crafted file. [bsc#1055214]
* CVE-2017-15217: memory leak in ReadSGIImage in coders/sgi.c [bsc#1062750]
* CVE-2017-11478: ReadOneDJVUImage in coders/djvu.c in ImageMagick allows remote attackers to cause a DoS [bsc#1049796]
* CVE-2017-15930: Null Pointer dereference while transfering JPEG scanlines could lead to denial of service [bsc#1066003]
* CVE-2017-12983: Heap-based buffer overflow in the ReadSFWImage function in coders/sfw.c inImageMagick 7.0.6-8 allows remote attackers to cause a denial of service [bsc#1054757]
* CVE-2017-14531: memory exhaustion issue in ReadSUNImage incoders/sun.c. [bsc#1059666]
* CVE-2017-12435: Memory exhaustion in ReadSUNImage in coders/sun.c, which allows attackers to cause denial of service [bsc#1052553]
* CVE-2017-12587: User controlable large loop in the ReadPWPImage in coders\pwp.c could lead to denial of service [bsc#1052450]
* CVE-2017-11523: ReadTXTImage in coders/txt.c allows remote attackers to cause a denial of service [bsc#1050083]
* CVE-2017-14173: unction ReadTXTImage is vulnerable to a integer overflow that could lead to denial of service [bsc#1057729]
* CVE-2017-11188: ImageMagick: The ReadDPXImage function in codersdpx.c in ImageMagick 7.0.6-0 has a largeloop vulnerability that can cause CPU exhaustion via a crafted DPX file, relatedto lack of an EOF check. [bnc#1048457]
* CVE-2017-11527: ImageMagick: ReadDPXImage in coders/dpx.c allows remote attackers to cause DoS [bnc#1050116]
* CVE-2017-11535: GraphicsMagick, ImageMagick: Heap-based buffer over-read in WritePSImage() in coders/ps.c [bnc#1050139]
* CVE-2017-11752: ImageMagick: ReadMAGICKImage in coders/magick.c allows to cause DoS [bnc#1051441]
* CVE-2017-12140: ImageMagick: ReadDCMImage in codersdcm.c has a ninteger signedness error leading to excessive memory consumption [bnc#1051847]
* CVE-2017-12669: ImageMagick: Memory leak in WriteCALSImage in coders/cals.c [bnc#1052689]
* CVE-2017-12662: GraphicsMagick, ImageMagick: Memory leak in WritePDFImage in coders/pdf.c [bnc#1052758]
* CVE-2017-12644: ImageMagick: Memory leak in ReadDCMImage in codersdcm.c [bnc#1052764]
* CVE-2017-14172: ImageMagick: Lack of end of file check in ReadPSImage() could lead to a denial of service [bnc#1057730]
* CVE-2017-14733: GraphicsMagick: Heap overflow on ReadRLEImage in coders/rle.c could lead to denial of service [bnc#1060577]
ImportantSUSE bug 1048457SUSE bug 1049796SUSE bug 1050083SUSE bug 1050116SUSE bug 1050139SUSE bug 1050632SUSE bug 1051441SUSE bug 1051847SUSE bug 1052450SUSE bug 1052553SUSE bug 1052689SUSE bug 1052744SUSE bug 1052758SUSE bug 1052764SUSE bug 1054757SUSE bug 1055214SUSE bug 1056432SUSE bug 1057157SUSE bug 1057719SUSE bug 1057729SUSE bug 1057730SUSE bug 1058485SUSE bug 1058637SUSE bug 1059666SUSE bug 1059778SUSE bug 1060176SUSE bug 1060577SUSE bug 1061254SUSE bug 1062750SUSE bug 1066003SUSE bug 1067181SUSE bug 1067184SUSE bug 1067409CVE-2017-11188 at SUSECVE-2017-11188 at NVDCVE-2017-11478 at SUSECVE-2017-11478 at NVDCVE-2017-11523 at SUSECVE-2017-11523 at NVDCVE-2017-11527 at SUSECVE-2017-11527 at NVDCVE-2017-11535 at SUSECVE-2017-11535 at NVDCVE-2017-11640 at SUSECVE-2017-11640 at NVDCVE-2017-11752 at SUSECVE-2017-11752 at NVDCVE-2017-12140 at SUSECVE-2017-12140 at NVDCVE-2017-12435 at SUSECVE-2017-12435 at NVDCVE-2017-12587 at SUSECVE-2017-12587 at NVDCVE-2017-12644 at SUSECVE-2017-12644 at NVDCVE-2017-12662 at SUSECVE-2017-12662 at NVDCVE-2017-12669 at SUSECVE-2017-12669 at NVDCVE-2017-12983 at SUSECVE-2017-12983 at NVDCVE-2017-13134 at SUSECVE-2017-13134 at NVDCVE-2017-13769 at SUSECVE-2017-13769 at NVDCVE-2017-14138 at SUSECVE-2017-14138 at NVDCVE-2017-14172 at SUSECVE-2017-14172 at NVDCVE-2017-14173 at SUSECVE-2017-14173 at NVDCVE-2017-14175 at SUSECVE-2017-14175 at NVDCVE-2017-14341 at SUSECVE-2017-14341 at NVDCVE-2017-14342 at SUSECVE-2017-14342 at NVDCVE-2017-14531 at SUSECVE-2017-14531 at NVDCVE-2017-14607 at SUSECVE-2017-14607 at NVDCVE-2017-14682 at SUSECVE-2017-14682 at NVDCVE-2017-14733 at SUSECVE-2017-14733 at NVDCVE-2017-14989 at SUSECVE-2017-14989 at NVDCVE-2017-15217 at SUSECVE-2017-15217 at NVDCVE-2017-15930 at SUSECVE-2017-15930 at NVDCVE-2017-16545 at SUSECVE-2017-16545 at NVDCVE-2017-16546 at SUSECVE-2017-16546 at NVDCVE-2017-16669 at SUSECVE-2017-16669 at NVDcpe:/o:suse:sles:12:sp3Security update for postgresql96 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for postgresql96 fixes the following issues:
Security issues fixed:
- CVE-2017-15098: Fix crash due to rowtype mismatch in json{b}_populate_recordset() (bsc#1067844).
- CVE-2017-15099: Ensure that INSERT ... ON CONFLICT DO UPDATE checks table permissions and RLS policies in all cases (bsc#1067841).
Bug fixes:
- Update to version 9.6.6:
* https://www.postgresql.org/docs/9.6/static/release-9-6-6.html
* https://www.postgresql.org/docs/9.6/static/release-9-6-5.html
ModerateSUSE bug 1067841SUSE bug 1067844CVE-2017-15098 at SUSECVE-2017-15098 at NVDCVE-2017-15099 at SUSECVE-2017-15099 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3
The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.103 to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2017-1000410: The Linux kernel was affected by an information lea that lies in the processing of incoming L2CAP commands - ConfigRequest, and ConfigResponse messages. (bnc#1070535).
- CVE-2017-11600: net/xfrm/xfrm_policy.c in the Linux kernel did not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allowed local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via an XFRM_MSG_MIGRATE xfrm Netlink message (bnc#1050231).
- CVE-2017-12193: The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel mishandled node splitting, which allowed local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations (bnc#1066192).
- CVE-2017-15115: The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel did not check whether the intended netns is used in a peel-off action, which allowed local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls (bnc#1068671).
- CVE-2017-16528: sound/core/seq_device.c in the Linux kernel allowed local users to cause a denial of service (snd_rawmidi_dev_seq_free use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066629).
- CVE-2017-16536: The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066606).
- CVE-2017-16537: The imon_probe function in drivers/media/rc/imon.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066573).
- CVE-2017-16645: The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c in the Linux kernel allowed local users to cause a denial of service (ims_pcu_parse_cdc_data out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067132).
- CVE-2017-16646: drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel allowed local users to cause a denial of service (BUG and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067105).
- CVE-2017-16994: The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel mishandled holes in hugetlb ranges, which allowed local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call (bnc#1069996).
- CVE-2017-17448: net/netfilter/nfnetlink_cthelper.c in the Linux kernel did not require the CAP_NET_ADMIN capability for new, get, and del operations, which allowed local users to bypass intended access restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces (bnc#1071693).
- CVE-2017-17449: The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the Linux kernel did not restrict observations of Netlink messages to a single net namespace, which allowed local users to obtain sensitive information by leveraging the CAP_NET_ADMIN capability to sniff an nlmon interface for all Netlink activity on the system (bnc#1071694).
- CVE-2017-17450: net/netfilter/xt_osf.c in the Linux kernel did not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allowed local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces (bnc#1071695).
- CVE-2017-7482: Fixed an overflow when decoding a krb5 principal. (bnc#1046107).
- CVE-2017-8824: The dccp_disconnect function in net/dccp/proto.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via an AF_UNSPEC connect system call during the DCCP_LISTEN state (bnc#1070771).
The following non-security bugs were fixed:
- acpi / APD: Add clock frequency for ThunderX2 I2C controller (bsc#1067225).
- Add references (bsc#1062941, bsc#1037404, bsc#1012523, bsc#1038299) The scsi_devinfo patches are relevant for all bugs related to HITACHI OPEN-V:
- adm80211: return an error if adm8211_alloc_rings() fails (bsc#1031717).
- adv7604: Initialize drive strength to default when using DT (bnc#1012382).
- af_netlink: ensure that NLMSG_DONE never fails in dumps (bnc#1012382).
- alsa: caiaq: Fix stray URB at probe error path (bnc#1012382).
- alsa: hda: Abort capability probe at invalid register read (bsc#1048356).
- alsa: hda: Add Raven PCI ID (bnc#1012382).
- alsa: hda - Apply ALC269_FIXUP_NO_SHUTUP on HDA_FIXUP_ACT_PROBE (bnc#1012382).
- alsa: hda/ca0132 - Fix memory leak at error path (bsc#1031717).
- alsa: hda - fix headset mic problem for Dell machines with alc236 (bnc#1012382).
- alsa: hda - No loopback on ALC299 codec (git-fixes).
- alsa: hda/realtek: Add headset mic support for Intel NUC Skull Canyon (bsc#1031717).
- alsa: hda/realtek - Add new codec ID ALC299 (bnc#1012382).
- alsa: hda/realtek - Add support for ALC236/ALC3204 (bnc#1012382).
- alsa: hda/realtek - Fix ALC700 family no sound issue (bsc#1031717).
- alsa: hda: Remove superfluous '-' added by printk conversion (bnc#1012382).
- alsa: hda: Workaround for KBL codec power control (bsc#1048356,bsc#1047989,bsc#1055272,bsc#1058413).
- alsa: line6: Fix leftover URB at error-path during probe (bnc#1012382).
- alsa: pcm: update tstamp only if audio_tstamp changed (bsc#1031717).
- alsa: seq: Avoid invalid lockdep class warning (bsc#1031717).
- alsa: seq: Enable 'use' locking in all configurations (bnc#1012382).
- alsa: seq: Fix copy_from_user() call inside lock (bnc#1012382).
- alsa: seq: Fix nested rwsem annotation for lockdep splat (bnc#1012382).
- alsa: seq: Fix OSS sysex delivery in OSS emulation (bnc#1012382).
- alsa: timer: Add missing mutex lock for compat ioctls (bnc#1012382).
- alsa: timer: Remove kernel warning at compat ioctl error paths (bsc#1031717).
- alsa: usb-audio: Add native DSD support for Pro-Ject Pre Box S2 Digital (bnc#1012382).
- alsa: usb-audio: Add sanity checks in v2 clock parsers (bsc#1031717).
- alsa: usb-audio: Add sanity checks to FE parser (bsc#1031717).
- alsa: usb-audio: Fix potential out-of-bound access at parsing SU (bsc#1031717).
- alsa: usb-audio: Kill stray URB at exiting (bnc#1012382).
- alsa: usb-audio: uac1: Invalidate ctl on interrupt (bsc#1031717).
- alsa: vx: Do not try to update capture stream before running (bnc#1012382).
- alsa: vx: Fix possible transfer overflow (bnc#1012382).
- Apply generic ppc build fixes to vanilla (bsc#1070805)
- arm64: dts: NS2: reserve memory for Nitro firmware (bnc#1012382).
- arm64: ensure __dump_instr() checks addr_limit (bnc#1012382).
- arm: 8715/1: add a private asm/unaligned.h (bnc#1012382).
- arm: 8720/1: ensure dump_instr() checks addr_limit (bnc#1012382).
- arm: 8721/1: mm: dump: check hardware RO bit for LPAE (bnc#1012382).
- arm: 8722/1: mm: make STRICT_KERNEL_RWX effective for LPAE (bnc#1012382).
- arm: crypto: reduce priority of bit-sliced AES cipher (bnc#1012382).
- arm: dts: Fix am335x and dm814x scm syscon to probe children (bnc#1012382).
- arm: dts: Fix compatible for ti81xx uarts for 8250 (bnc#1012382).
- arm: dts: Fix omap3 off mode pull defines (bnc#1012382).
- arm: dts: mvebu: pl310-cache disable double-linefill (bnc#1012382).
- arm: OMAP2+: Fix init for multiple quirks for the same SoC (bnc#1012382).
- arm: omap2plus_defconfig: Fix probe errors on UARTs 5 and 6 (bnc#1012382).
- arm: pxa: Do not rely on public mmc header to include leds.h (bnc#1012382).
- asm/sections: add helpers to check for section data (bsc#1063026).
- asoc: adau17x1: Workaround for noise bug in ADC (bnc#1012382).
- asoc: cs42l56: Fix reset GPIO name in example DT binding (bsc#1031717).
- asoc: davinci-mcasp: Fix an error handling path in 'davinci_mcasp_probe()' (bsc#1031717).
- asoc: rsnd: do not double free kctrl (bnc#1012382).
- asoc: samsung: Fix possible double iounmap on s3c24xx driver probe failure (bsc#1031717).
- asoc: wm_adsp: Do not overrun firmware file buffer when reading region data (bnc#1012382).
- ata: ATA_BMDMA should depend on HAS_DMA (bnc#1012382).
- ata: fixes kernel crash while tracing ata_eh_link_autopsy event (bnc#1012382).
- ata: SATA_HIGHBANK should depend on HAS_DMA (bnc#1012382).
- ata: SATA_MV should depend on HAS_DMA (bnc#1012382).
- ath10k: convert warning about non-existent OTP board id to debug message (git-fixes).
- ath10k: fix a warning during channel switch with multiple vaps (bsc#1031717).
- ath10k: fix board data fetch error message (bsc#1031717).
- ath10k: fix diag_read to collect data for larger memory (bsc#1031717).
- ath10k: fix incorrect txpower set by P2P_DEVICE interface (bnc#1012382).
- ath10k: fix potential memory leak in ath10k_wmi_tlv_op_pull_fw_stats() (bnc#1012382).
- ath10k: free cached fw bin contents when get board id fails (bsc#1031717).
- ath10k: ignore configuring the incorrect board_id (bnc#1012382).
- ath10k: set CTS protection VDEV param only if VDEV is up (bnc#1012382).
- ath9k_htc: check for underflow in ath9k_htc_rx_msg() (bsc#1031717).
- ath9k: off by one in ath9k_hw_nvram_read_array() (bsc#1031717).
- autofs: do not fail mount for transient error (bsc#1065180).
- backlight: adp5520: Fix error handling in adp5520_bl_probe() (bnc#1012382).
- backlight: lcd: Fix race condition during register (bnc#1012382).
- bcache: check ca->alloc_thread initialized before wake up it (bnc#1012382).
- bio-integrity: bio_integrity_advance must update integrity seed (bsc#1046054).
- bio-integrity: bio_trim should truncate integrity vector accordingly (bsc#1046054).
- bio-integrity: Do not allocate integrity context for bio w/o data (bsc#1046054).
- bio-integrity: fix interface for bio_integrity_trim (bsc#1046054).
- bio: partially revert 'fix interface for bio_integrity_trim' (bsc#1046054).
- blacklist.conf: Add ath10k, mmc and rtl8192u commits (bsc#1031717)
- blacklist.conf: Add drm/i915 blacklist (bsc#1031717)
- blacklist.conf: added misc commits (bsc#1031717)
- blacklist.conf: Add misc entries (bsc#1031717)
- blacklist.conf: Add non-applicable commit ID (bsc#1066812)
- blacklist.conf: Add non-applicable commits (bsc#1066812)
- blacklist.conf: blacklisted 16af97dc5a89 (bnc#1053919)
- blacklist.conf: Blacklist two commits (bbb3be170ac2 and ccf1e0045eea).
- blacklist.conf: Update blacklist (bsc#1031717)
- blacklist.conf: Update iwlwifi blacklist (bsc#1031717)
- blacklist.conf: yet another serial entry (bsc#1031717)
- block: Fix a race between blk_cleanup_queue() and timeout handling (FATE#319965, bsc#964944).
- block: Make q_usage_counter also track legacy requests (bsc#1057820).
- bluetooth: btusb: fix QCA Rome suspend/resume (bnc#1012382).
- bnxt_en: Do not use rtnl lock to protect link change logic in workqueue (bsc#1020412 FATE#321671).
- bnxt_en: Fix a variable scoping in bnxt_hwrm_do_send_msg() (bsc#1053309).
- bnxt_en: Fix possible corrupted NVRAM parameters from firmware response (bsc#1020412 FATE#321671).
- bnxt_en: Fix possible corruption in DCB parameters from firmware (bsc#1020412 FATE#321671).
- bnxt_en: Fix VF PCIe link speed and width logic (bsc#1020412 FATE#321671).
- bnxt_en: Need to unconditionally shut down RoCE in bnxt_shutdown (bsc#1053309).
- bnxt_re: Make room for mapping beyond 32 entries (bsc#1056596).
- bonding: discard lowest hash bit for 802.3ad layer3+4 (bnc#1012382).
- bpf: one perf event close won't free bpf program attached by another perf event (bnc#1012382).
- bpf/verifier: reject BPF_ALU64|BPF_END (bnc#1012382).
- brcmfmac: add length check in brcmf_cfg80211_escan_handler() (bnc#1012382).
- brcmfmac: remove setting IBSS mode when stopping AP (bnc#1012382).
- brcmsmac: make some local variables 'static const' to reduce stack size (bnc#1012382).
- bt8xx: fix memory leak (bnc#1012382).
- btrfs: return the actual error value from from btrfs_uuid_tree_iterate (bnc#1012382).
- bus: mbus: fix window size calculation for 4GB windows (bnc#1012382).
- can: c_can: do not indicate triple sampling support for D_CAN (bnc#1012382).
- can: esd_usb2: Fix can_dlc value for received RTR, frames (bnc#1012382).
- can: gs_usb: fix busy loop if no more TX context is available (bnc#1012382).
- can: kvaser_usb: Correct return value in printout (bnc#1012382).
- can: kvaser_usb: Ignore CMD_FLUSH_QUEUE_REPLY messages (bnc#1012382).
- can: sun4i: fix loopback mode (bnc#1012382).
- can: sun4i: handle overrun in RX FIFO (bnc#1012382).
- cdc_ncm: Set NTB format again after altsetting switch for Huawei devices (bnc#1012382).
- ceph: clean up unsafe d_parent accesses in build_dentry_path (FATE#322288 bnc#1012382).
- ceph: disable cached readdir after dropping positive dentry (bsc#1069277).
- ceph: -EINVAL on decoding failure in ceph_mdsc_handle_fsmap() (bsc#1069277).
- ceph: present consistent fsid, regardless of arch endianness (bsc#1069277).
- ceph: unlock dangling spinlock in try_flush_caps() (bsc#1065639).
- cgroup, net_cls: iterate the fds of only the tasks which are being migrated (bnc#1064926).
- cifs: check MaxPathNameComponentLength != 0 before using it (bnc#1012382).
- cifs: fix circular locking dependency (bsc#1064701).
- cifs: Reconnect expired SMB sessions (bnc#1012382).
- clk: ti: dra7-atl-clock: fix child-node lookups (bnc#1012382).
- clk: ti: dra7-atl-clock: Fix of_node reference counting (bnc#1012382).
- clockevents/drivers/cs5535: Improve resilience to spurious interrupts (bnc#1012382).
- cma: fix calculation of aligned offset (VM Functionality, bsc#1050060).
- coda: fix 'kernel memory exposure attempt' in fsync (bnc#1012382).
- cpufreq: CPPC: add acpi_PROCESSOR dependency (bnc#1012382).
- crypto: dh - Do not permit 'key' or 'g' size longer than 'p' (bsc#1048317).
- crypto: dh - Do not permit 'p' to be 0 (bsc#1048317).
- crypto: dh - Fix double free of ctx->p (bsc#1048317).
- crypto: dh - fix memleak in setkey (bsc#1048317).
- crypto: rsa - fix buffer overread when stripping leading zeroes (bsc#1048317).
- crypto: shash - Fix zero-length shash ahash digest crash (bnc#1012382).
- crypto: vmx - disable preemption to enable vsx in aes_ctr.c (bnc#1012382).
- crypto: x86/sha1-mb - fix panic due to unaligned access (bnc#1012382).
- crypto: xts - Add ECB dependency (bnc#1012382).
- cx231xx: Fix I2C on Internal Master 3 Bus (bnc#1012382).
- cxgb4: Fix error codes in c4iw_create_cq() (bsc#1048327).
- cxl: Fix DAR check & use REGION_ID instead of opencoding (bsc#1066223).
- cxl: Fix leaking pid refs in some error paths (bsc#1066223).
- cxl: Force context lock during EEH flow (bsc#1066223).
- cxl: Prevent adapter reset if an active context exists (bsc#1066223).
- cxl: Route eeh events to all drivers in cxl_pci_error_detected() (bsc#1066223).
- direct-io: Prevent NULL pointer access in submit_page_section (bnc#1012382).
- Disable IPMI fix patches due to regression (bsc#1071833)
- Disable patches.kernel.org/4.4.93-022-fix-unbalanced-page-refcounting-in-bio_map_use.patch (bsc#1070767)
- dmaengine: dmatest: warn user when dma test times out (bnc#1012382).
- dmaengine: edma: Align the memcpy acnt array size with the transfer (bnc#1012382).
- dmaengine: zx: set DMA_CYCLIC cap_mask bit (bnc#1012382).
- dm bufio: fix integer overflow when limiting maximum cache size (bnc#1012382).
- dm: fix race between dm_get_from_kobject() and __dm_destroy() (bnc#1012382).
- dm mpath: remove annoying message of 'blk_get_request() returned -11' (bsc#1066812).
- dm raid: fix NULL pointer dereference for raid1 without bitmap (bsc#1042957, FATE#321488).
- dm rq: Avoid that request processing stalls sporadically (bsc#1042978).
- drivers: base: cacheinfo: fix x86 with CONFIG_OF enabled (bsc#1070001).
- drivers: dma-mapping: Do not leave an invalid area->pages pointer in dma_common_contiguous_remap() (Git-fixes, bsc#1065692).
- drivers/fbdev/efifb: Allow BAR to be moved instead of claiming it (bsc#1051987).
- drivers: of: Fix of_pci.h header guard (bsc#1065959).
- drm/amdgpu: when dpm disabled, also need to stop/start vce (bnc#1012382).
- drm/amdkfd: NULL dereference involving create_process() (bsc#1031717).
- drm: Apply range restriction after color adjustment when allocation (bnc#1012382).
- drm/armada: Fix compile fail (bnc#1012382).
- drm: drm_minor_register(): Clean up debugfs on failure (bnc#1012382).
- drm: gma500: fix logic error (bsc#1031717).
- drm/i915/bxt: set min brightness from VBT (bsc#1031717).
- drm/i915: Do not try indexed reads to alternate slave addresses (bsc#1031717).
- drm/i915: fix backlight invert for non-zero minimum brightness (bsc#1031717).
- drm/i915: Prevent zero length 'index' write (bsc#1031717).
- drm/i915: Read timings from the correct transcoder in intel_crtc_mode_get() (bsc#1031717).
- drm/msm: fix an integer overflow test (bnc#1012382).
- drm/msm: Fix potential buffer overflow issue (bnc#1012382).
- drm/nouveau/bsp/g92: disable by default (bnc#1012382).
- drm/nouveau/gr: fallback to legacy paths during firmware lookup (bsc#1031717).
- drm/nouveau/mmu: flush tlbs before deleting page tables (bnc#1012382).
- drm/omap: Fix error handling path in 'omap_dmm_probe()' (bsc#1031717).
- drm/panel: simple: Add missing panel_simple_unprepare() calls (bsc#1031717).
- drm/radeon: Avoid double gpu reset by adding a timeout on IB ring tests (bsc#1066175).
- drm/sti: sti_vtg: Handle return NULL error from devm_ioremap_nocache (bnc#1012382).
- drm/vc4: Fix leak of HDMI EDID (bsc#1031717).
- drm/vmwgfx: Fix Ubuntu 17.10 Wayland black screen issue (bnc#1012382).
- Drop obsolete patch (bsc#1067734)
- e1000e: Avoid receiver overrun interrupt bursts (bsc#969470 FATE#319819).
- e1000e: Fix error path in link detection (bnc#1012382).
- e1000e: Fix return value test (bnc#1012382).
- e1000e: Separate signaling for link check/link up (bnc#1012382).
- ecryptfs: fix dereference of NULL user_key_payload (bnc#1012382).
- eCryptfs: use after free in ecryptfs_release_messaging() (bsc#1070404).
- epoll: avoid calling ep_call_nested() from ep_poll_safewake() (bsc#1056427).
- epoll: remove ep_call_nested() from ep_eventpoll_poll() (bsc#1056427).
- ext4: cleanup goto next group (bsc#1066285).
- ext4: do not use stripe_width if it is not set (bnc#1012382).
- ext4: fix fault handling when mounted with -o dax,ro (bsc#1069484).
- ext4: fix interaction between i_size, fallocate, and delalloc after a crash (bnc#1012382).
- ext4: fix stripe-unaligned allocations (bnc#1012382).
- ext4: in ext4_seek_{hole,data}, return -ENXIO for negative offsets (bnc#1012382).
- ext4: prevent data corruption with inline data + DAX (bsc#1064591).
- ext4: prevent data corruption with journaling + DAX (bsc#1064591).
- ext4: reduce lock contention in __ext4_new_inode (bsc#1066285).
- extcon: palmas: Check the parent instance to prevent the NULL (bnc#1012382).
- exynos4-is: fimc-is: Unmap region obtained by of_iomap() (bnc#1012382).
- f2fs crypto: add missing locking for keyring_key access (bnc#1012382).
- f2fs crypto: replace some BUG_ON()'s with error checks (bnc#1012382).
- f2fs: do not wait for writeback in write_begin (bnc#1012382).
- fealnx: Fix building error on MIPS (bnc#1012382).
- fix a page leak in vhost_scsi_iov_to_sgl() error recovery (bnc#1012382).
- Fix tracing sample code warning (bnc#1012382).
- fix unbalanced page refcounting in bio_map_user_iov (bnc#1012382).
- Fixup patches.fixes/block-Make-q_usage_counter-also-track-legacy-request.patch. (bsc#1062496)
- fm10k: Use smp_rmb rather than read_barrier_depends (bnc#1012382).
- fs/9p: Compare qid.path in v9fs_test_inode (bsc#1070404).
- fs-cache: fix dereference of NULL user_key_payload (bnc#1012382).
- fscrypt: fix dereference of NULL user_key_payload (bnc#1012382).
- fscrypt: lock mutex before checking for bounce page pool (bnc#1012382).
- fscrypto: require write access to mount to set encryption policy (bnc#1012382).
- fuse: fix READDIRPLUS skipping an entry (bnc#1012382).
- gpu: drm: mgag200: mgag200_main:- Handle error from pci_iomap (bnc#1012382).
- hid: elo: clear BTN_LEFT mapping (bsc#1065866).
- hid: usbhid: fix out-of-bounds bug (bnc#1012382).
- hsi: ssi_protocol: double free in ssip_pn_xmit() (bsc#1031717).
- hwmon: (xgene) Fix up error handling path mixup in 'xgene_hwmon_probe()' (bsc#).
- i2c: at91: ensure state is restored after suspending (bnc#1012382).
- i2c: bcm2835: Add support for dynamic clock (bsc#1066660).
- i2c: bcm2835: Add support for Repeated Start Condition (bsc#1066660).
- i2c: bcm2835: Avoid possible NULL ptr dereference (bsc#1066660).
- i2c: bcm2835: Can't support I2C_M_IGNORE_NAK (bsc#1066660).
- i2c: bcm2835: Do not complain on -EPROBE_DEFER from getting our clock (bsc#1066660).
- i2c: bcm2835: Fix hang for writing messages larger than 16 bytes (bsc#1066660).
- i2c: bcm2835: Protect against unexpected TXW/RXR interrupts (bsc#1066660).
- i2c: bcm2835: Support i2c-dev ioctl I2C_TIMEOUT (bsc#1066660).
- i2c: bcm2835: Use dev_dbg logging on transfer errors (bsc#1066660).
- i2c: cadance: fix ctrl/addr reg write order (bsc#1031717).
- i2c: imx: Use correct function to write to register (bsc#1031717).
- i2c: ismt: Separate I2C block read from SMBus block read (bnc#1012382).
- i2c: riic: correctly finish transfers (bnc#1012382).
- i2c: riic: fix restart condition (git-fixes).
- i2c: xlp9xx: Enable HWMON class probing for xlp9xx (bsc#1067225).
- i2c: xlp9xx: Get clock frequency with clk API (bsc#1067225).
- i2c: xlp9xx: Handle I2C_M_RECV_LEN in msg->flags (bsc#1067225).
- i40e: Fix incorrect use of tx_itr_setting when checking for Rx ITR setup (bsc#1024346 FATE#321239 bsc#1024373 FATE#321247).
- i40e: fix the calculation of VFs mac addresses (bsc#1024346 FATE#321239 bsc#1024373 FATE#321247).
- i40e: only redistribute MSI-X vectors when needed (bsc#1024346 FATE#321239 bsc#1024373 FATE#321247).
- i40e: Use smp_rmb rather than read_barrier_depends (bnc#1012382).
- i40evf: Use smp_rmb rather than read_barrier_depends (bnc#1012382).
- i40iw: Remove UDA QP from QoS list if creation fails (bsc#1024376 FATE#321249).
- ib/core: Fix calculation of maximum RoCE MTU (bsc#1022595 FATE#322350).
- ib/core: Fix unable to change lifespan entry for hw_counters (FATE#321231 FATE#321473).
- ib/core: Namespace is mandatory input for address resolution (bsc#1022595 FATE#322350).
- ib/hfi1: Add MODULE_FIRMWARE statements (bsc#1036800).
- ib/ipoib: Clean error paths in add port (bsc#1022595 FATE#322350).
- ib/ipoib: Prevent setting negative values to max_nonsrq_conn_qp (bsc#1022595 FATE#322350).
- ib/ipoib: Remove double pointer assigning (bsc#1022595 FATE#322350).
- ib/ipoib: Set IPOIB_NEIGH_TBL_FLUSH after flushed completion initialization (bsc#1022595 FATE#322350).
- ib/mlx5: Fix RoCE Address Path fields (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- ibmvnic: Add netdev_dbg output for debugging (fate#323285).
- ibmvnic: Add vnic client data to login buffer (bsc#1069942).
- ibmvnic: Convert vnic server reported statistics to cpu endian (fate#323285).
- ibmvnic: Enable scatter-gather support (bsc#1066382).
- ibmvnic: Enable TSO support (bsc#1066382).
- ibmvnic: Feature implementation of Vital Product Data (VPD) for the ibmvnic driver (bsc#1069942).
- ibmvnic: Fix calculation of number of TX header descriptors (bsc#1066382).
- ibmvnic: fix dma_mapping_error call (bsc#1069942).
- ibmvnic: Fix failover error path for non-fatal resets (bsc#1066382).
- ibmvnic: Implement .get_channels (fate#323285).
- ibmvnic: Implement .get_ringparam (fate#323285).
- ibmvnic: Implement per-queue statistics reporting (fate#323285).
- ibmvnic: Let users change net device features (bsc#1066382).
- ibmvnic: Update reset infrastructure to support tunable parameters (bsc#1066382).
- ib/rxe: check for allocation failure on elem (FATE#322149).
- ib/rxe: do not crash, if allocation of crc algorithm failed (bsc#1051635).
- ib/rxe: put the pool on allocation failure (FATE#322149).
- ib/srp: Avoid that a cable pull can trigger a kernel crash (bsc#1022595 FATE#322350).
- ib/srpt: Do not accept invalid initiator port names (bnc#1012382).
- ib/uverbs: Fix device cleanup (bsc#1022595 FATE#322350).
- ib/uverbs: Fix NULL pointer dereference during device removal (bsc#1022595 FATE#322350).
- igb: close/suspend race in netif_device_detach (bnc#1012382).
- igb: Fix hw_dbg logging in igb_update_flash_i210 (bnc#1012382).
- igb: reset the PHY before reading the PHY ID (bnc#1012382).
- igb: Use smp_rmb rather than read_barrier_depends (bnc#1012382).
- igbvf: Use smp_rmb rather than read_barrier_depends (bnc#1012382).
- iio: adc: xilinx: Fix error handling (bnc#1012382).
- iio: dummy: events: Add missing break (bsc#1031717).
- iio: light: fix improper return value (bnc#1012382).
- iio: trigger: free trigger resource correctly (bnc#1012382).
- ima: do not update security.ima if appraisal status is not INTEGRITY_PASS (bnc#1012382).
- input: ar1021_i2c - fix too long name in driver's device table (bsc#1031717).
- input: edt-ft5x06 - fix setting gain, offset, and threshold via device tree (bsc#1031717).
- input: elan_i2c - add ELAN060C to the acpi table (bnc#1012382).
- input: elan_i2c - add ELAN0611 to the acpi table (bnc#1012382).
- input: gtco - fix potential out-of-bound access (bnc#1012382).
- input: mpr121 - handle multiple bits change of status register (bnc#1012382).
- input: mpr121 - set missing event capability (bnc#1012382).
- input: ti_am335x_tsc - fix incorrect step config for 5 wire touchscreen (bsc#1031717).
- input: twl4030-pwrbutton - use correct device for irq request (bsc#1031717).
- input: ucb1400_ts - fix suspend and resume handling (bsc#1031717).
- input: uinput - avoid crash when sending FF request to device going away (bsc#1031717).
- iommu/amd: Finish TLB flush in amd_iommu_unmap() (bnc#1012382).
- iommu/vt-d: Do not register bus-notifier under dmar_global_lock (bsc#1069793).
- ip6_gre: only increase err_count for some certain type icmpv6 in ip6gre_err (bnc#1012382).
- ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header (bnc#1012382).
- ipip: only increase err_count for some certain type icmp in ipip_err (bnc#1012382).
- ipmi: fix unsigned long underflow (bnc#1012382).
- ipmi: Pick up slave address from SMBIOS on an acpi device (bsc#1070006).
- ipmi: Prefer acpi system interfaces over SMBIOS ones (bsc#1070006).
- ipmi_si: Clean up printks (bsc#1070006).
- ipmi_si: fix memory leak on new_smi (bsc#1070006).
- ipsec: do not ignore crypto err in ah4 input (bnc#1012382).
- ipv6: flowlabel: do not leave opt->tot_len with garbage (bnc#1012382).
- ipv6: only call ip6_route_dev_notify() once for NETDEV_UNREGISTER (bnc#1012382).
- ipvs: make drop_entry protection effective for SIP-pe (bsc#1056365).
- irqchip/crossbar: Fix incorrect type of local variables (bnc#1012382).
- isa: Prevent NULL dereference in isa_bus driver callbacks (bsc#1031717).
- iscsi-target: Fix non-immediate TMR reference leak (bnc#1012382).
- isdn/i4l: fetch the ppp_write buffer in one shot (bnc#1012382).
- isofs: fix timestamps beyond 2027 (bnc#1012382).
- iwlwifi: mvm: fix the coex firmware API (bsc#1031717).
- iwlwifi: mvm: return -ENODATA when reading the temperature with the FW down (bsc#1031717).
- iwlwifi: mvm: set the RTS_MIMO_PROT bit in flag mask when sending sta to fw (bsc#1031717).
- iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD (bnc#1012382).
- iwlwifi: split the regulatory rules when the bandwidth flags require it (bsc#1031717).
- ixgbe: add mask for 64 RSS queues (bnc#1012382).
- ixgbe: do not disable FEC from the driver (bnc#1012382).
- ixgbe: fix AER error handling (bnc#1012382).
- ixgbe: Fix skb list corruption on Power systems (bnc#1012382).
- ixgbe: handle close/suspend race with netif_device_detach/present (bnc#1012382).
- ixgbe: Reduce I2C retry count on X550 devices (bnc#1012382).
- ixgbevf: Use smp_rmb rather than read_barrier_depends (bnc#1012382).
- kABI: protect struct l2tp_tunnel (kabi).
- kABI: protect struct regulator_dev (kabi).
- kABI: protect structs rt_rq+root_domain (kabi).
- kABI: protect typedef rds_rdma_cookie_t (kabi).
- kabi/severities: Ignore drivers/nvme/target (bsc#1063349)
- kabi/severities: Ignore kABI changes for qla2xxx (bsc#1043017)
- kernel-docs: unpack the source instead of using kernel-source (bsc#1057199).
- kernel/sysctl_binary.c: check name array length in deprecated_sysctl_warning() (FATE#323821).
- kernel/sysctl.c: remove duplicate UINT_MAX check on do_proc_douintvec_conv() (bsc#1066470).
- kernel/watchdog: Prevent false positives with turbo modes (bnc#1063516).
- keys: do not let add_key() update an uninstantiated key (bnc#1012382).
- keys: do not revoke uninstantiated key in request_key_auth_new() (bsc#1031717).
- keys: encrypted: fix dereference of NULL user_key_payload (bnc#1012382).
- keys: fix cred refcount leak in request_key_auth_new() (bsc#1031717).
- keys: fix key refcount leak in keyctl_assume_authority() (bsc#1031717).
- keys: fix key refcount leak in keyctl_read_key() (bsc#1031717).
- keys: fix NULL pointer dereference during ASN.1 parsing [ver #2] (bnc#1012382).
- keys: fix out-of-bounds read during ASN.1 parsing (bnc#1012382).
- keys: Fix race between updating and finding a negative key (bnc#1012382).
- keys: return full count in keyring_read() if buffer is too small (bnc#1012382).
- keys: trusted: fix writing past end of buffer in trusted_read() (bnc#1012382).
- keys: trusted: sanitize all key material (bnc#1012382).
- kvm: nVMX: fix guest CR4 loading when emulating L2 to L1 exit (bnc#1012382).
- kvm: nVMX: set IDTR and GDTR limits when loading L1 host state (bnc#1012382).
- kvm: PPC: Book 3S: XICS: correct the real mode ICP rejecting counter (bnc#1012382).
- kvm: SVM: obey guest PAT (bnc#1012382).
- l2tp: Avoid schedule while atomic in exit_net (bnc#1012382).
- l2tp: check ps->sock before running pppol2tp_session_ioctl() (bnc#1012382).
- l2tp: fix race condition in l2tp_tunnel_delete (bnc#1012382).
- libceph: do not WARN() if user tries to add invalid key (bsc#1069277).
- lib/digsig: fix dereference of NULL user_key_payload (bnc#1012382).
- libertas: Fix lbs_prb_rsp_limit_set() (bsc#1031717).
- lib/mpi: call cond_resched() from mpi_powm() loop (bnc#1012382).
- libnvdimm, namespace: fix label initialization to use valid seq numbers (bnc#1012382).
- libnvdimm, namespace: make 'resource' attribute only readable by root (bnc#1012382).
- libnvdimm, pfn: make 'resource' attribute only readable by root (FATE#319858).
- lib/ratelimit.c: use deferred printk() version (bsc#979928).
- locking/lockdep: Add nest_lock integrity test (bnc#1012382).
- lpfc: tie in to new dev_loss_tmo interface in nvme transport (bsc#1041873).
- mac80211: agg-tx: call drv_wake_tx_queue in proper context (bsc#1031717).
- mac80211: do not compare TKIP TX MIC key in reinstall prevention (bsc#1066472).
- mac80211: do not send SMPS action frame in AP mode when not needed (bsc#1031717).
- mac80211: Fix addition of mesh configuration element (git-fixes).
- mac80211: Fix BW upgrade for TDLS peers (bsc#1031717).
- mac80211: fix mgmt-tx abort cookie and leak (bsc#1031717).
- mac80211: fix power saving clients handling in iwlwifi (bnc#1012382).
- mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length (bnc#1012382).
- mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl() (bsc#1031717).
- mac80211: Remove invalid flag operations in mesh TSF synchronization (bnc#1012382).
- mac80211: Remove unused 'beaconint_us' variable (bsc#1031717).
- mac80211: Remove unused 'i' variable (bsc#1031717).
- mac80211: Remove unused 'len' variable (bsc#1031717).
- mac80211: Remove unused 'rates_idx' variable (bsc#1031717).
- mac80211: Remove unused 'sband' and 'local' variables (bsc#1031717).
- mac80211: Remove unused 'struct ieee80211_rx_status' ptr (bsc#1031717).
- mac80211: Suppress NEW_PEER_CANDIDATE event if no room (bnc#1012382).
- mac80211: TDLS: always downgrade invalid chandefs (bsc#1031717).
- mac80211: TDLS: change BW calculation for WIDER_BW peers (bsc#1031717).
- mac80211: use constant time comparison with keys (bsc#1066471).
- md/linear: shutup lockdep warnning (FATE#321488 bnc#1012382 bsc#1042977).
- media: au0828: fix RC_CORE dependency (bsc#1031717).
- media: Do not do DMA on stack for firmware upload in the AS102 driver (bnc#1012382).
- media: em28xx: calculate left volume level correctly (bsc#1031717).
- media: mceusb: fix memory leaks in error path (bsc#1031717).
- media: rc: check for integer overflow (bnc#1012382).
- media: v4l2-ctrl: Fix flags field on Control events (bnc#1012382).
- mei: return error on notification request to a disconnected client (bnc#1012382).
- memremap: add scheduling point to devm_memremap_pages (bnc#1057079).
- mfd: ab8500-sysctrl: Handle probe deferral (bnc#1012382).
- mfd: axp20x: Fix axp288 PEK_DBR and PEK_DBF irqs being swapped (bnc#1012382).
- misc: panel: properly restore atomic counter on error path (bnc#1012382).
- mmc: block: return error on failed mmc_blk_get() (bsc#1031717).
- mmc: core: add driver strength selection when selecting hs400es (bsc#1069721).
- mmc: core: Fix access to HS400-ES devices (bsc#1031717).
- mmc: core/mmci: restore pre/post_req behaviour (bsc#1031717).
- mmc: dw_mmc: Fix the DTO timeout calculation (bsc#1069721).
- mm: check the return value of lookup_page_ext for all call sites (bnc#1068982).
- mmc: host: omap_hsmmc: avoid possible overflow of timeout value (bsc#1031717).
- mmc: host: omap_hsmmc: checking for NULL instead of IS_ERR() (bsc#1031717).
- mmc: mediatek: Fixed size in dma_free_coherent (bsc#1031717).
- mmc: s3cmci: include linux/interrupt.h for tasklet_struct (bnc#1012382).
- mmc: sd: limit SD card power limit according to cards capabilities (bsc#1031717).
- mm: distinguish CMA and MOVABLE isolation in has_unmovable_pages (bnc#1051406).
- mm: drop migrate type checks from has_unmovable_pages (bnc#1051406).
- mm, hwpoison: fixup 'mm: check the return value of lookup_page_ext for all call sites' (bnc#1012382).
- mm/madvise.c: fix freeing of locked page with MADV_FREE (bnc#1069152).
- mm/madvise.c: fix madvise() infinite loop under special circumstances (bnc#1070964).
- mm, memory_hotplug: add scheduling point to __add_pages (bnc#1057079).
- mm, memory_hotplug: do not fail offlining too early (bnc#1051406).
- mm, memory_hotplug: remove timeout from __offline_memory (bnc#1051406).
- mm, page_alloc: add scheduling point to memmap_init_zone (bnc#1057079).
- mm/page_alloc.c: broken deferred calculation (bnc#1068980).
- mm, page_alloc: fix potential false positive in __zone_watermark_ok (Git-fixes, bsc#1068978).
- mm/page_ext.c: check if page_ext is not prepared (bnc#1068982).
- mm/page_owner: avoid null pointer dereference (bnc#1068982).
- mm/pagewalk.c: report holes in hugetlb ranges (bnc#1012382).
- mm, sparse: do not swamp log with huge vmemmap allocation failures (bnc#1047901).
- net: 3com: typhoon: typhoon_init_one: fix incorrect return values (bnc#1012382).
- net: 3com: typhoon: typhoon_init_one: make return values more specific (bnc#1012382).
- net/9p: Switch to wait_event_killable() (bnc#1012382).
- net: Allow IP_MULTICAST_IF to set index to L3 slave (bnc#1012382).
- net: cdc_ether: fix divide by 0 on bad descriptors (bnc#1012382).
- net: cdc_ncm: GetNtbFormat endian fix (git-fixes).
- net: dsa: select NET_SWITCHDEV (bnc#1012382).
- net: emac: Fix napi poll list corruption (bnc#1012382).
- netfilter/ipvs: clear ipvs_property flag when SKB net namespace changed (bnc#1012382).
- netfilter: nf_ct_expect: Change __nf_ct_expect_check() return value (bnc#1012382).
- netfilter: nf_tables: fix oob access (bnc#1012382).
- netfilter: nft_meta: deal with PACKET_LOOPBACK in netdev family (bnc#1012382).
- netfilter: nft_queue: use raw_smp_processor_id() (bnc#1012382).
- net: ibm: ibmvnic: constify vio_device_id (fate#323285).
- net: ixgbe: Use new IXGBE_FLAG2_ROOT_RELAXED_ORDERING flag (bsc#1056652).
- net/mlx4_core: Fix VF overwrite of module param which disables DMFS on new probed PFs (FATE#321685 FATE#321686 FATE#321687 bnc#1012382 bsc#1015336 bsc#1015337 bsc#1015340).
- net/mlx4_en: fix overflow in mlx4_en_init_timestamp() (FATE#321685 FATE#321686 FATE#321687 bnc#1012382 bsc#1015336 bsc#1015337 bsc#1015340).
- net/mlx5: Delay events till mlx5 interface's add complete for pci resume (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5e: Increase Striding RQ minimum size limit to 4 multi-packet WQEs (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5: Fix health work queue spin lock to IRQ safe (bsc#1015342).
- net/mlx5: Loop over temp list to release delay events (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net: mvneta: fix handling of the Tx descriptor counter (fate#319899).
- net: mvpp2: release reference to txq_cpu[] entry after unmapping (bnc#1012382 bsc#1032150).
- net: qmi_wwan: fix divide by 0 on bad descriptors (bnc#1012382).
- net/sctp: Always set scope_id in sctp_inet6_skb_msgname (bnc#1012382).
- net: Set sk_prot_creator when cloning sockets to the right proto (bnc#1012382).
- net/smc: dev_put for netdev after usage of ib_query_gid() (bsc#1066812).
- net: thunderx: Fix TCP/UDP checksum offload for IPv4 pkts (bsc#1069583).
- net: thunderx: Fix TCP/UDP checksum offload for IPv6 pkts (bsc#1069583).
- net/unix: do not show information about sockets from other namespaces (bnc#1012382).
- netvsc: use refcount_t for keeping track of sub channels (bsc#1062835).
- nfc: fix device-allocation error return (bnc#1012382).
- nfsd/callback: Cleanup callback cred on shutdown (bnc#1012382).
- nfsd: deal with revoked delegations appropriately (bnc#1012382).
- nfs: Do not disconnect open-owner on NFS4ERR_BAD_SEQID (bsc#989261).
- nfs: Fix typo in nomigration mount option (bnc#1012382).
- nfs: Fix ugly referral attributes (bnc#1012382).
- nilfs2: fix race condition that causes file system corruption (bnc#1012382).
- nl80211: Define policy for packet pattern attributes (bnc#1012382).
- nvme: add duplicate_connect option (bsc#1067734).
- nvme: add helper to compare options to controller (bsc#1067734).
- nvme: add transport SGL definitions (bsc#1057820).
- nvme: allow controller RESETTING to RECONNECTING transition (bsc#1037838).
- nvme-fabrics: Allow 0 as KATO value (bsc#1067734).
- nvme-fabrics: kABI fix for duplicate_connect option (bsc#1067734).
- nvme-fc: add a dev_loss_tmo field to the remoteport (bsc#1037838).
- nvme-fc: add dev_loss_tmo timeout and remoteport resume support (bsc#1037838).
- nvme-fc: add support for duplicate_connect option (bsc#1067734).
- nvme-fc: add uevent for auto-connect (bsc#1037838).
- nvme-fc: change ctlr state assignments during reset/reconnect (bsc#1037838).
- nvme-fc: check connectivity before initiating reconnects (bsc#1037838).
- nvme-fc: correct io termination handling (bsc#1067734).
- nvme-fc: correct io timeout behavior (bsc#1067734).
- nvme-fc: create fc class and transport device (bsc#1037838).
- nvme-fc: decouple ns references from lldd references (bsc#1067734).
- nvme-fc: fix iowait hang (bsc#1052384).
- nvme-fc: fix localport resume using stale values (bsc#1067734).
- nvme-fcloop: fix port deletes and callbacks (bsc#1037838).
- nvme-fc: move remote port get/put/free location (bsc#1037838).
- nvme-fc: on lldd/transport io error, terminate association (bsc#1042268).
- nvme-fc: Reattach to localports on re-registration (bsc#1052384).
- nvme-fc: remove NVME_FC_MAX_SEGMENTS (bsc#1067734).
- nvme-fc: remove unused 'queue_size' field (bsc#1042268).
- nvme-fc: retry initial controller connections 3 times (bsc#1067734).
- nvme-fc: use transport-specific sgl format (bsc#1057820).
- nvme: Fix memory order on async queue deletion (bnc#1012382).
- nvme: fix the definition of the doorbell buffer config support bit (bsc#1066812).
- nvme-rdma: add support for duplicate_connect option (bsc#1067734).
- nvme/rdma: Kick admin queue when a connection is going down (bsc#1059639).
- nvmet-fc: correct ref counting error when deferred rcv used (bsc#1067734).
- nvmet-fc: fix failing max io queue connections (bsc#1067734).
- nvmet-fc: on port remove call put outside lock (bsc#1067734).
- nvmet-fc: simplify sg list handling (bsc#1052384).
- nvmet: Fix fatal_err_work deadlock (bsc#1063349).
- ocfs2: fstrim: Fix start offset of first cluster group during fstrim (bnc#1012382).
- ocfs2: should wait dio before inode lock in ocfs2_setattr() (bnc#1012382).
- packet: avoid panic in packet_getsockopt() (bnc#1012382).
- packet: only test po->has_vnet_hdr once in packet_snd (bnc#1012382).
- parisc: Avoid trashing sr2 and sr3 in LWS code (bnc#1012382).
- parisc: Fix double-word compare and exchange in LWS code on 32-bit kernels (bnc#1012382).
- parisc: Fix validity check of pointer size argument in new CAS implementation (bnc#1012382).
- pci: Apply Cavium ThunderX ACS quirk to more Root Ports (bsc#1069250).
- pci: Apply _HPX settings only to relevant devices (bnc#1012382).
- pci: Enable Relaxed Ordering for Hisilicon Hip07 chip (bsc#1056652).
- pci: Mark Cavium CN8xxx to avoid bus reset (bsc#1069250).
- pci: Set Cavium ACS capability quirk flags to assert RR/CR/SV/UF (bsc#1069250).
- percpu: make this_cpu_generic_read() atomic w.r.t. interrupts (bnc#1012382).
- perf tools: Fix build failure on perl script context (bnc#1012382).
- perf tools: Only increase index if perf_evsel__new_idx() succeeds (bnc#1012382).
- perf/x86/intel/bts: Fix exclusive event reference leak (git-fixes d2878d642a4ed).
- phy: increase size of MII_BUS_ID_SIZE and bus_id (bnc#1012382).
- pkcs#7: fix unitialized boolean 'want' (bnc#1012382).
- pkcs7: Prevent NULL pointer dereference, since sinfo is not always set (bnc#1012382).
- platform/x86: acer-wmi: setup accelerometer when acpi device was found (bsc#1031717).
- platform/x86: hp-wmi: Do not shadow error values (bnc#1012382).
- platform/x86: hp-wmi: Fix detection for dock and tablet mode (bnc#1012382).
- platform/x86: hp-wmi: Fix error value for hp_wmi_tablet_state (bnc#1012382).
- platform/x86: intel_mid_thermal: Fix module autoload (bnc#1012382).
- platform/x86: sony-laptop: Fix error handling in sony_nc_setup_rfkill() (bsc#1031717).
- pm / OPP: Add missing of_node_put(np) (bnc#1012382).
- power: bq27xxx_battery: Fix bq27541 AveragePower register address (bsc#1031717).
- power: bq27xxx: fix reading for bq27000 and bq27010 (bsc#1031717).
- powerCap: Fix an error code in powercap_register_zone() (bsc#1031717).
- power: ipaq-micro-battery: freeing the wrong variable (bsc#1031717).
- powerpc/64: Fix race condition in setting lock bit in idle/wakeup code (bsc#1066223).
- powerpc/64s/hash: Allow MAP_FIXED allocations to cross 128TB boundary (bsc#1070169).
- powerpc/64s/hash: Fix 128TB-512TB virtual address boundary case allocation (bsc#1070169).
- powerpc/64s/hash: Fix 512T hint detection to use >= 128T (bsc#1070169).
- powerpc/64s/hash: Fix fork() with 512TB process address space (bsc#1070169).
- powerpc/64s/slice: Use addr limit when computing slice mask (bsc#1070169).
- powerpc/bpf/jit: Disable classic BPF JIT on ppc64le (bsc#1066223).
- powerpc/corenet: explicitly disable the SDHC controller on kmcoge4 (bnc#1012382).
- powerpc: Correct instruction code for xxlor instruction (bsc#1066223).
- powerpc: Fix VSX enabling/flushing to also test MSR_FP and MSR_VEC (bsc#1066223).
- powerpc/hotplug: Improve responsiveness of hotplug change (FATE#322022, bsc#1067906).
- powerpc/mm: Fix check of multiple 16G pages from device tree (bsc#1066223).
- powerpc/mm: Fix virt_addr_valid() etc. on 64-bit hash (bsc#1066223).
- powerpc/mm/hash64: Fix subpage protection with 4K HPTE config (bsc#1010201, bsc#1066223).
- powerpc/mm/hash: Free the subpage_prot_table correctly (bsc#1066223).
- powerpc/numa: Fix multiple bugs in memory_hotplug_max() (bsc#1066223).
- powerpc/numa: Fix whitespace in hot_add_drconf_memory_max() (bsc#1066223).
- powerpc/opal: Fix EBUSY bug in acquiring tokens (bsc#1066223).
- powerpc/powernv/ioda: Fix endianness when reading TCEs (bsc#1066223).
- powerpc/powernv: Make opal_event_shutdown() callable from IRQ context (bsc#1066223).
- powerpc/pseries/vio: Dispose of virq mapping on vdevice unregister (bsc#1067888).
- powerpc/signal: Properly handle return value from uprobe_deny_signal() (bsc#1066223).
- powerpc/sysrq: Fix oops whem ppmu is not registered (bsc#1066223).
- powerpc/vphn: Fix numa update end-loop bug (FATE#322022, bsc#1067906).
- powerpc/vphn: Improve recognition of PRRN/VPHN (FATE#322022, bsc#1067906).
- powerpc/vphn: Update CPU topology when VPHN enabled (FATE#322022, bsc#1067906).
- power: supply: bq27xxx_battery: Fix register map for BQ27510 and BQ27520 ('bsc#1069270').
- power: supply: isp1704: Fix unchecked return value of devm_kzalloc (bsc#1031717).
- power: supply: lp8788: prevent out of bounds array access (bsc#1031717).
- power_supply: tps65217-charger: Fix NULL deref during property export (bsc#1031717).
- ppp: fix race in ppp device destruction (bnc#1012382).
- printk/console: Always disable boot consoles that use init memory before it is freed (bsc#1063026).
- printk/console: Enhance the check for consoles using init memory (bsc#1063026).
- printk: include <asm/sections.h> instead of <asm-generic/sections.h> (bsc#1063026).
- printk: Make sure to wake up printk kthread from irq work for pending output (bnc#744692, bnc#789311).
- printk: only unregister boot consoles when necessary (bsc#1063026).
- qla2xxx: Fix cable swap (bsc#1043017).
- qla2xxx: Fix notify ack without timeout handling (bsc#1043017).
- qla2xxx: Fix re-login for Nport Handle in use (bsc#1043017).
- qla2xxx: fix stale memory access (bsc#1043017).
- qla2xxx: Login state machine stuck at GPDB (bsc#1043017).
- qla2xxx: Recheck session state after RSCN (bsc#1043017).
- qla2xxx: relogin is being triggered too fast (bsc#1043017).
- qla2xxx: Retry switch command on timed out (bsc#1043017).
- qla2xxx: Serialize gpnid (bsc#1043017).
- quota: Check for register_shrinker() failure (bsc#1070404).
- r8169: Do not increment tx_dropped in TX ring cleaning (bsc#1031717).
- rbd: set discard_alignment to zero (bsc#1064320).
- rbd: use GFP_NOIO for parent stat and data requests (bnc#1012382).
- rcu: Allow for page faults in NMI handlers (bnc#1012382).
- rdma/uverbs: Prevent leak of reserved field (bsc#1022595 FATE#322350).
- rds: rdma: return appropriate error on rdma map failures (bnc#1012382).
- Refresh patches with upstream commit ID (bsc#1067734)
- regulator: core: Limit propagation of parent voltage count and list (bsc#1070145).
- regulator: fan53555: fix I2C device ids (bnc#1012382).
- Revert 'crypto: xts - Add ECB dependency' (bnc#1012382).
- Revert 'drm: bridge: add DT bindings for TI ths8135' (bnc#1012382).
- Revert 'phy: increase size of MII_BUS_ID_SIZE and bus_id' (kabi).
- Revert 'sctp: do not peel off an assoc from one netns to another one' (bnc#1012382).
- Revert 'tty: goldfish: Fix a parameter of a call to free_irq' (bnc#1012382).
- Revert 'uapi: fix linux/rds.h userspace compilation errors' (bnc#1012382).
- rpm/kernel-binary.spec.in: add the kernel-binary dependencies to kernel-binary-base (bsc#1060333).
- rpm/kernel-binary.spec.in: Correct supplements for recent SLE products (bsc#1067494)
- rpm/kernel-binary.spec.in: only rewrite modules.dep if non-zero in size (bsc#1056979).
- rpm/package-descriptions:
- rtc: ds1307: Fix relying on reset value for weekday (bsc#1031717).
- rtc: ds1374: wdt: Fix issue with timeout scaling from secs to wdt ticks (bsc#1031717).
- rtc: ds1374: wdt: Fix stop/start ioctl always returning -EINVAL (bsc#1031717).
- rtc: rtc-nuc900: fix loop timeout test (bsc#1031717).
- rtc: sa1100: fix unbalanced clk_prepare_enable/clk_disable_unprepare (bsc#1031717).
- rtlwifi: fix uninitialized rtlhal->last_suspend_sec time (bnc#1012382).
- rtlwifi: rtl8192ee: Fix memory leak when loading firmware (bnc#1012382).
- rtlwifi: rtl8821ae: Fix connection lost problem (bnc#1012382).
- rtlwifi: rtl8821ae: Fix HW_VAR_NAV_UPPER operation (bsc#1031717).
- s390/dasd: check for device error pointer within state change interrupts (bnc#1012382).
- s390/disassembler: add missing end marker for e7 table (bnc#1012382).
- s390/disassembler: correct disassembly lines alignment (bsc#1070825).
- s390/disassembler: increase show_code buffer size (bnc#1070825, LTC#161577).
- s390/disassembler: increase show_code buffer size (LTC#161577 bnc#1012382 bnc#1070825).
- s390: fix transactional execution control register handling (bnc#1012382).
- s390/kbuild: enable modversions for symbols exported from asm (bnc#1012382).
- s390/mm: fix write access check in gup_huge_pmd() (bnc#1066974, LTC#160551).
- s390/qeth: allow hsuid configuration in DOWN state (bnc#1070825, LTC#161871).
- s390/qeth: issue STARTLAN as first IPA command (bnc#1012382).
- s390/qeth: use ip_lock for hsuid configuration (bnc#1070825, LTC#161871).
- s390/runtime instrumention: fix possible memory corruption (bnc#1012382).
- sched/autogroup: Fix autogroup_move_group() to never skip sched_move_task() (bnc#1012382).
- sched: Make resched_cpu() unconditional (bnc#1012382).
- sched/rt: Simplify the IPI based RT balancing logic (bnc#1012382).
- scsi: aacraid: Check for PCI state of device in a generic way (bsc#1022607, FATE#321673).
- scsi: aacraid: Fix controller initialization failure (FATE#320140).
- scsi: bfa: fix access to bfad_im_port_s (bsc#1065101).
- scsi: check for device state in __scsi_remove_target() (bsc#1072589).
- scsi_devinfo: cleanly zero-pad devinfo strings (bsc#1062941).
- scsi: fcoe: move fcoe_interface_remove() out of fcoe_interface_cleanup() (bsc#1039542).
- scsi: fcoe: open-code fcoe_destroy_work() for NETDEV_UNREGISTER (bsc#1039542).
- scsi: fcoe: separate out fcoe_vport_remove() (bsc#1039542).
- scsi: ipr: Fix scsi-mq lockdep issue (bsc#1066213).
- scsi: ipr: Set no_report_opcodes for RAID arrays (bsc#1066213).
- scsi: libiscsi: fix shifting of DID_REQUEUE host byte (bsc#1056003).
- scsi: lpfc: Add Buffer to Buffer credit recovery support (bsc#1052384).
- scsi: lpfc: Add changes to assist in NVMET debugging (bsc#1041873).
- scsi: lpfc: Add nvme initiator devloss support (bsc#1041873).
- scsi: lpfc: Adjust default value of lpfc_nvmet_mrq (bsc#1067735).
- scsi: lpfc: Break up IO ctx list into a separate get and put list (bsc#1045404).
- scsi: lpfc: change version to 11.4.0.4 (bsc#1067735).
- scsi: lpfc: convert info messages to standard messages (bsc#1052384).
- scsi: lpfc: Correct driver deregistrations with host nvme transport (bsc#1067735).
- scsi: lpfc: Correct issues with FAWWN and FDISCs (bsc#1052384).
- scsi: lpfc: correct nvme sg segment count check (bsc#1067735).
- scsi: lpfc: correct port registrations with nvme_fc (bsc#1067735).
- scsi: lpfc: Correct return error codes to align with nvme_fc transport (bsc#1052384).
- scsi: lpfc: Disable NPIV support if NVME is enabled (bsc#1067735).
- scsi: lpfc: Driver fails to detect direct attach storage array (bsc#1067735).
- scsi: lpfc: Expand WQE capability of every NVME hardware queue (bsc#1067735).
- scsi: lpfc: Extend RDP support (bsc#1067735).
- scsi: lpfc: Fix a precedence bug in lpfc_nvme_io_cmd_wqe_cmpl() (bsc#1056587).
- scsi: lpfc: Fix bad sgl reposting after 2nd adapter reset (bsc#1052384).
- scsi: lpfc: fix build issue if NVME_FC_TARGET is not defined (bsc#1040073).
- scsi: lpfc: Fix counters so outstandng NVME IO count is accurate (bsc#1041873).
- scsi: lpfc: Fix crash after bad bar setup on driver attachment (bsc#1067735).
- scsi: lpfc: Fix crash during driver unload with running nvme traffic (bsc#1067735).
- scsi: lpfc: Fix crash in lpfc_nvme_fcp_io_submit during LIP (bsc#1067735).
- scsi: lpfc: Fix crash in lpfc nvmet when fc port is reset (bsc#1052384).
- scsi: lpfc: Fix crash receiving ELS while detaching driver (bsc#1067735).
- scsi: lpfc: Fix display for debugfs queInfo (bsc#1067735).
- scsi: lpfc: Fix driver handling of nvme resources during unload (bsc#1067735).
- scsi: lpfc: Fix duplicate NVME rport entries and namespaces (bsc#1052384).
- scsi: lpfc: Fix FCP hba_wqidx assignment (bsc#1067735).
- scsi: lpfc: Fix handling of FCP and NVME FC4 types in Pt2Pt topology (bsc#1052384).
- scsi: lpfc: Fix hard lock up NMI in els timeout handling (bsc#1067735).
- scsi: lpfc: fix 'integer constant too large' error on 32bit archs (bsc#1052384).
- scsi: lpfc: Fix loop mode target discovery (bsc#1052384).
- scsi: lpfc: Fix lpfc nvme host rejecting IO with Not Ready message (bsc#1067735).
- scsi: lpfc: Fix Lun Priority level shown as NA (bsc#1041873).
- scsi: lpfc: Fix ndlp ref count for pt2pt mode issue RSCN (bsc#1067735).
- scsi: lpfc: Fix NVME LS abort_xri (bsc#1067735).
- scsi: lpfc: Fix nvme port role handling in sysfs and debugfs handlers (bsc#1041873).
- scsi: lpfc: Fix NVME PRLI handling during RSCN (bsc#1052384).
- scsi: lpfc: Fix nvme target failure after 2nd adapter reset (bsc#1052384).
- scsi: lpfc: Fix nvmet node ref count handling (bsc#1041873).
- scsi: lpfc: Fix oops if nvmet_fc_register_targetport fails (bsc#1067735).
- scsi: lpfc: Fix oops of nvme host during driver unload (bsc#1067735).
- scsi: lpfc: Fix oops when NVME Target is discovered in a nonNVME environment.
- scsi: lpfc: fix pci hot plug crash in list_add call (bsc#1067735).
- scsi: lpfc: fix pci hot plug crash in timer management routines (bsc#1067735).
- scsi: lpfc: Fix plogi collision that causes illegal state transition (bsc#1052384).
- scsi: lpfc: Fix Port going offline after multiple resets (bsc#1041873).
- scsi: lpfc: Fix PRLI retry handling when target rejects it (bsc#1041873).
- scsi: lpfc: Fix rediscovery on switch blade pull (bsc#1052384).
- scsi: lpfc: Fix relative offset error on large nvmet target ios (bsc#1052384).
- scsi: lpfc: Fix return value of board_mode store routine in case of online failure (bsc#1041873).
- scsi: lpfc: Fix secure firmware updates (bsc#1067735).
- scsi: lpfc: Fix System panic after loading the driver (bsc#1041873).
- scsi: lpfc: Fix transition nvme-i rport handling to nport only (bsc#1041873).
- scsi: lpfc: Fix vports not logging into target (bsc#1041873).
- scsi: lpfc: Fix warning messages when NVME_TARGET_FC not defined (bsc#1067735).
- scsi: lpfc: FLOGI failures are reported when connected to a private loop (bsc#1067735).
- scsi: lpfc: Handle XRI_ABORTED_CQE in soft IRQ (bsc#1067735).
- scsi: lpfc: Limit amount of work processed in IRQ (bsc#1052384).
- scsi: lpfc: Linux LPFC driver does not process all RSCNs (bsc#1067735).
- scsi: lpfc: lpfc version bump 11.4.0.3 (bsc#1052384).
- scsi: lpfc: Make ktime sampling more accurate (bsc#1067735).
- scsi: lpfc: Move CQ processing to a soft IRQ (bsc#1067735).
- scsi: lpfc: Null pointer dereference when log_verbose is set to 0xffffffff (bsc#1041873).
- scsi: lpfc: PLOGI failures during NPIV testing (bsc#1067735).
- scsi: lpfc: Raise maximum NVME sg list size for 256 elements (bsc#1067735).
- scsi: lpfc: Reduce log spew on controller reconnects (bsc#1067735).
- scsi: lpfc: remove console log clutter (bsc#1052384).
- scsi: lpfc: Revise NVME module parameter descriptions for better clarity (bsc#1067735).
- scsi: lpfc: Set missing abort context (bsc#1067735).
- scsi: lpfc: small sg cnt cleanup (bsc#1067735).
- scsi: lpfc: spin_lock_irq() is not nestable (bsc#1045404).
- scsi: lpfc: update driver version to 11.4.0.5 (bsc#1067735).
- scsi: lpfc: update to revision to 11.4.0.0 (bsc#1041873).
- scsi: megaraid_sas: mismatch of allocated MFI frame size and length exposed in MFI MPT pass through command (bsc#1066767).
- scsi: qla2xxx: Cleanup debug message IDs (bsc#1043017).
- scsi: qla2xxx: Correction to vha->vref_count timeout (bsc#1066812).
- scsi: qla2xxx: Fix name server relogin (bsc#1043017).
- scsi: qla2xxx: Fix path recovery (bsc#1043017).
- scsi: qla2xxx: Initialize Work element before requesting IRQs (bsc#1019675,FATE#321701).
- scsi: qla2xxx: Replace usage of spin_lock with spin_lock_irqsave (bsc#1043017).
- scsi: qla2xxx: Retain loop test for fwdump length exceeding buffer length (bsc#1043017).
- scsi: qla2xxx: Turn on FW option for exchange check (bsc#1043017).
- scsi: qla2xxx: Use BIT_6 to acquire FAWWPN from switch (bsc#1066812).
- scsi: qla2xxx: Use fabric name for Get Port Speed command (bsc#1066812).
- scsi: qla2xxx: Use flag PFLG_DISCONNECTED (bsc#1043017).
- scsi: reset wait for IO completion (bsc#996376).
- scsi: scsi_devinfo: fixup string compare (bsc#1062941). updated patches.fixes/scsi_devinfo-fixup-string-compare.patch to the version merged upstream.
- scsi: scsi_devinfo: handle non-terminated strings (bsc#1062941).
- scsi: scsi_dh_emc: return success in clariion_std_inquiry() (bnc#1012382).
- scsi: sd_zbc: Fix sd_zbc_read_zoned_characteristics() (bsc#1066812).
- scsi: sg: close race condition in sg_remove_sfp_usercontext() (bsc#1064206).
- scsi: sg: do not return bogus Sg_requests (bsc#1064206).
- scsi: sg: only check for dxfer_len greater than 256M (bsc#1064206).
- scsi: sg: Re-fix off by one in sg_fill_request_table() (bnc#1012382).
- scsi: ufs: add capability to keep auto bkops always enabled (bnc#1012382).
- scsi: ufs-qcom: Fix module autoload (bnc#1012382).
- scsi: zfcp: fix erp_action use-before-initialize in REC action trace (bnc#1012382).
- sctp: add the missing sock_owned_by_user check in sctp_icmp_redirect (bnc#1012382).
- sctp: do not peel off an assoc from one netns to another one (bnc#1012382).
- sctp: do not peel off an assoc from one netns to another one (bnc#1012382).
- sctp: potential read out of bounds in sctp_ulpevent_type_enabled() (bnc#1012382).
- sctp: reset owner sk for data chunks on out queues when migrating a sock (bnc#1012382).
- security/keys: add CONFIG_KEYS_COMPAT to Kconfig (bnc#1012382).
- selftests: firmware: add empty string and async tests (bnc#1012382).
- selftests: firmware: send expected errors to /dev/null (bnc#1012382).
- serial: 8250_fintek: Fix rs485 disablement on invalid ioctl() (bsc#1031717).
- serial: 8250_uniphier: fix serial port index in private data (bsc#1031717).
- serial: Fix serial console on SNI RM400 machines (bsc#1031717).
- serial: omap: Fix EFR write on RTS deassertion (bnc#1012382).
- serial: Remove unused port type (bsc#1066045).
- serial: sh-sci: Fix register offsets for the IRDA serial port (bnc#1012382).
- slub: do not merge cache if slub_debug contains a never-merge flag (bnc#1012382).
- smb3: Validate negotiate request must always be signed (bsc#1064597).
- smb: fix leak of validate negotiate info response buffer (bsc#1064597).
- smb: fix validate negotiate info uninitialised memory use (bsc#1064597).
- sparc64: Migrate hvcons irq to panicked cpu (bnc#1012382).
- spi: SPI_FSL_DSPI should depend on HAS_DMA (bnc#1012382).
- spi: uapi: spidev: add missing ioctl header (bnc#1012382).
- staging: iio: cdc: fix improper return value (bnc#1012382).
- staging: lustre: hsm: stack overrun in hai_dump_data_field (bnc#1012382).
- staging: lustre: llite: do not invoke direct_IO for the EOF case (bnc#1012382).
- staging: lustre: ptlrpc: skip lock if export failed (bnc#1012382).
- staging: r8712u: Fix Sparse warning in rtl871x_xmit.c (bnc#1012382).
- staging: rtl8188eu: fix incorrect ERROR tags from logs (bnc#1012382).
- staging: rtl8712: fixed little endian problem (bnc#1012382).
- staging: rtl8712u: Fix endian settings for structs describing network packets (bnc#1012382).
- sunrpc: Fix tracepoint storage issues with svc_recv and svc_rqst_status (bnc#1012382).
- supported.conf:
- supported.conf: add test_syctl to new kselftests-kmp package FATE#323821 As per FATE#323821 we will require new FATE requests per each new selftest driver. We do not want to support these module on production runs but we do want to support them for QA / testing uses. The compromise is to package them into its own package, this will be the kselftests-kmp package. Selftests can also be used as proof of concept vehicle for issues by customers or ourselves. Vanilla kernels do not get test_sysctl given that driver was using built-in defaults, this also means we cannot run sefltests on config/s390x/zfcpdump which does not enable modules. Likeweise, since we had to *change* the kernel for test_syctl, it it also means we can't test test_syctl with vanilla kernels. It should be possible with other selftests drivers if they are present in vanilla kernels though.
- supported.conf: Support spidev (bsc#1066696)
- sysctl: add unsigned int range support (FATE#323821)
- target: fix ALUA state file path truncation (bsc#1064606).
- target: Fix node_acl demo-mode + uncached dynamic shutdown regression (bnc#1012382).
- target: fix PR state file path truncation (bsc#1064606).
- target: Fix QUEUE_FULL + SCSI task attribute handling (bnc#1012382).
- target/iscsi: Fix unsolicited data seq_end_offset calculation (bnc#1012382 bsc#1036489).
- target/rbd: handle zero length UNMAP requests early (bsc#1064320).
- target/rbd: use target_configure_unmap_from_queue() helper (bsc#1064320).
- tcp/dccp: fix ireq->opt races (bnc#1012382).
- tcp/dccp: fix lockdep splat in inet_csk_route_req() (bnc#1012382).
- tcp/dccp: fix other lockdep splats accessing ireq_opt (bnc#1012382).
- tcp: do not mangle skb->cb[] in tcp_make_synack() (bnc#1012382).
- tcp: fix tcp_mtu_probe() vs highest_sack (bnc#1012382).
- test: firmware_class: report errors properly on failure (bnc#1012382).
- test_sysctl: add dedicated proc sysctl test driver (FATE#323821)
- test_sysctl: add generic script to expand on tests (FATE#323821)
- test_sysctl: add simple proc_dointvec() case (FATE#323821).
- test_sysctl: add simple proc_douintvec() case (bsc#323821).
- test_sysctl: fix sysctl.sh by making it executable (FATE#323821).
- test_sysctl: test against int proc_dointvec() array support (FATE#323821).
- test_sysctl: test against PAGE_SIZE for int (FATE#323821)
- timer: Prevent timer value 0 for MWAITX (bsc#1065717).
- tipc: fix link attribute propagation bug (bnc#1012382).
- tipc: use only positive error codes in messages (bnc#1012382).
- tools: firmware: check for distro fallback udev cancel rule (bnc#1012382).
- tpm: constify transmit data pointers (bsc#1020645, git-fixes).
- tpm: kabi: do not bother with added const (bsc#1020645, git-fixes).
- tpm_tis_spi: Use DMA-safe memory for SPI transfers (bsc#1020645, git-fixes).
- tracing/samples: Fix creation and deletion of simple_thread_fn creation (bnc#1012382).
- tun: allow positive return values on dev_get_valid_name() call (bnc#1012382).
- tun: bail out from tun_get_user() if the skb is empty (bnc#1012382).
- tun: call dev_get_valid_name() before register_netdevice() (bnc#1012382).
- tun/tap: sanitize TUNSETSNDBUF input (bnc#1012382).
- uapi: fix linux/mroute6.h userspace compilation errors (bnc#1012382).
- uapi: fix linux/rds.h userspace compilation error (bnc#1012382).
- uapi: fix linux/rds.h userspace compilation errors (bnc#1012382).
- uapi: fix linux/rds.h userspace compilation errors (bnc#1012382).
- udpv6: Fix the checksum computation when HW checksum does not apply (bnc#1012382).
- Update config files to enable spidev on arm64. (bsc#1066696)
- Update preliminary FC-NVMe patches to mainline status (bsc#1067734)
- usb: Add delay-init quirk for Corsair K70 LUX keyboards (bnc#1012382).
- usb: cdc_acm: Add quirk for Elatec TWN3 (bnc#1012382).
- usb: core: fix out-of-bounds access bug in usb_get_bos_descriptor() (bnc#1012382).
- usb: devio: Revert 'USB: devio: Do not corrupt user memory' (bnc#1012382).
- usb: dummy-hcd: Fix deadlock caused by disconnect detection (bnc#1012382).
- usb: gadget: composite: Fix use-after-free in usb_composite_overwrite_options (bnc#1012382).
- usb: hcd: initialize hcd->flags to 0 when rm hcd (bnc#1012382).
- usb: hub: Allow reset retry for USB2 devices on connect bounce (bnc#1012382).
- usb: musb: Check for host-mode using is_host_active() on reset interrupt (bnc#1012382).
- usb: musb: sunxi: Explicitly release USB PHY on exit (bnc#1012382).
- usb: quirks: add quirk for WORLDE MINI MIDI keyboard (bnc#1012382).
- usb: renesas_usbhs: Fix DMAC sequence for receiving zero-length packet (bnc#1012382).
- usb: serial: console: fix use-after-free after failed setup (bnc#1012382).
- usb: serial: cp210x: add support for ELV TFD500 (bnc#1012382).
- usb: serial: ftdi_sio: add id for Cypress WICED dev board (bnc#1012382).
- usb: serial: garmin_gps: fix I/O after failed probe and remove (bnc#1012382).
- usb: serial: garmin_gps: fix memory leak on probe errors (bnc#1012382).
- usb: serial: metro-usb: add MS7820 device id (bnc#1012382).
- usb: serial: option: add support for TP-Link LTE module (bnc#1012382).
- usb: serial: qcserial: add Dell DW5818, DW5819 (bnc#1012382).
- usb: serial: qcserial: add pid/vid for Sierra Wireless EM7355 fw update (bnc#1012382).
- usb: usbfs: compute urb->actual_length for isochronous (bnc#1012382).
- usb: usbtest: fix NULL pointer dereference (bnc#1012382).
- usb: xhci: Handle error condition in xhci_stop_device() (bnc#1012382).
- vfs: expedite unmount (bsc#1024412).
- video: fbdev: pmag-ba-fb: Remove bad `__init' annotation (bnc#1012382).
- video: udlfb: Fix read EDID timeout (bsc#1031717).
- vlan: fix a use-after-free in vlan_device_event() (bnc#1012382).
- vsock: use new wait API for vsock_stream_sendmsg() (bnc#1012382).
- vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit (bnc#1012382).
- watchdog: kempld: fix gcc-4.3 build (bnc#1012382).
- workqueue: Fix NULL pointer dereference (bnc#1012382).
- workqueue: replace pool->manager_arb mutex with a flag (bnc#1012382).
- x86/acpi/cstate: Allow ACPI C1 FFH MWAIT use on AMD systems (bsc#1069879).
- x86/alternatives: Fix alt_max_short macro to really be a max() (bnc#1012382).
- x86/decoder: Add new TEST instruction pattern (bnc#1012382).
- x86/MCE/AMD: Always give panic severity for UC errors in kernel context (git-fixes bf80bbd7dcf5).
- x86/microcode/AMD: Add support for fam17h microcode loading (bsc#1068032).
- x86/microcode/intel: Disable late loading on model 79 (bnc#1012382).
- x86/mm: fix use-after-free of vma during userfaultfd fault (Git-fixes, bsc#1069916).
- x86/oprofile/ppro: Do not use __this_cpu*() in preemptible context (bnc#1012382).
- x86/uaccess, sched/preempt: Verify access_ok() context (bnc#1012382).
- xen: do not print error message in case of missing Xenstore entry (bnc#1012382).
- xen/events: events_fifo: Do not use {get,put}_cpu() in xen_evtchn_fifo_init() (bnc#1065600).
- xen: fix booting ballooned down hvm guest (bnc#1065600).
- xen/gntdev: avoid out of bounds access in case of partial gntdev_mmap() (bnc#1012382).
- xen/manage: correct return value check on xenbus_scanf() (bnc#1012382).
- xen-netback: fix error handling output (bnc#1065600).
- xen: x86: mark xen_find_pt_base as __init (bnc#1065600).
- xen: xenbus driver must not accept invalid transaction ids (bnc#1012382).
- zd1211rw: fix NULL-deref at probe (bsc#1031717).
ImportantSUSE bug 1010201SUSE bug 1012382SUSE bug 1012523SUSE bug 1015336SUSE bug 1015337SUSE bug 1015340SUSE bug 1015342SUSE bug 1015343SUSE bug 1019675SUSE bug 1020412SUSE bug 1020645SUSE bug 1022595SUSE bug 1022607SUSE bug 1024346SUSE bug 1024373SUSE bug 1024376SUSE bug 1024412SUSE bug 1031717SUSE bug 1032150SUSE bug 1036489SUSE bug 1036800SUSE bug 1037404SUSE bug 1037838SUSE bug 1038299SUSE bug 1039542SUSE bug 1040073SUSE bug 1041873SUSE bug 1042268SUSE bug 1042957SUSE bug 1042977SUSE bug 1042978SUSE bug 1043017SUSE bug 1045404SUSE bug 1046054SUSE bug 1046107SUSE bug 1047901SUSE bug 1047989SUSE bug 1048317SUSE bug 1048327SUSE bug 1048356SUSE bug 1050060SUSE bug 1050231SUSE bug 1051406SUSE bug 1051635SUSE bug 1051987SUSE bug 1052384SUSE bug 1053309SUSE bug 1053919SUSE bug 1055272SUSE bug 1056003SUSE bug 1056365SUSE bug 1056427SUSE bug 1056587SUSE bug 1056596SUSE bug 1056652SUSE bug 1056979SUSE bug 1057079SUSE bug 1057199SUSE bug 1057820SUSE bug 1058413SUSE bug 1059639SUSE bug 1060333SUSE bug 1061756SUSE bug 1062496SUSE bug 1062835SUSE bug 1062941SUSE bug 1063026SUSE bug 1063349SUSE bug 1063516SUSE bug 1064206SUSE bug 1064320SUSE bug 1064591SUSE bug 1064597SUSE bug 1064606SUSE bug 1064701SUSE bug 1064926SUSE bug 1065101SUSE bug 1065180SUSE bug 1065600SUSE bug 1065639SUSE bug 1065692SUSE bug 1065717SUSE bug 1065866SUSE bug 1065959SUSE bug 1066045SUSE bug 1066175SUSE bug 1066192SUSE bug 1066213SUSE bug 1066223SUSE bug 1066285SUSE bug 1066382SUSE bug 1066470SUSE bug 1066471SUSE bug 1066472SUSE bug 1066573SUSE bug 1066606SUSE bug 1066629SUSE bug 1066660SUSE bug 1066696SUSE bug 1066767SUSE bug 1066812SUSE bug 1066974SUSE bug 1067105SUSE bug 1067132SUSE bug 1067225SUSE bug 1067494SUSE bug 1067734SUSE bug 1067735SUSE bug 1067888SUSE bug 1067906SUSE bug 1068671SUSE bug 1068978SUSE bug 1068980SUSE bug 1068982SUSE bug 1069152SUSE bug 1069250SUSE bug 1069270SUSE bug 1069277SUSE bug 1069484SUSE bug 1069583SUSE bug 1069721SUSE bug 1069793SUSE bug 1069879SUSE bug 1069916SUSE bug 1069942SUSE bug 1069996SUSE bug 1070001SUSE bug 1070006SUSE bug 1070145SUSE bug 1070169SUSE bug 1070404SUSE bug 1070535SUSE bug 1070767SUSE bug 1070771SUSE bug 1070805SUSE bug 1070825SUSE bug 1070964SUSE bug 1071693SUSE bug 1071694SUSE bug 1071695SUSE bug 1071833SUSE bug 1072589SUSE bug 744692SUSE bug 789311SUSE bug 964944SUSE bug 966170SUSE bug 966172SUSE bug 969470SUSE bug 979928SUSE bug 989261SUSE bug 996376CVE-2017-1000410 at SUSECVE-2017-1000410 at NVDCVE-2017-11600 at SUSECVE-2017-11600 at NVDCVE-2017-12193 at SUSECVE-2017-12193 at NVDCVE-2017-15115 at SUSECVE-2017-15115 at NVDCVE-2017-16528 at SUSECVE-2017-16528 at NVDCVE-2017-16536 at SUSECVE-2017-16536 at NVDCVE-2017-16537 at SUSECVE-2017-16537 at NVDCVE-2017-16645 at SUSECVE-2017-16645 at NVDCVE-2017-16646 at SUSECVE-2017-16646 at NVDCVE-2017-16994 at SUSECVE-2017-16994 at NVDCVE-2017-17448 at SUSECVE-2017-17448 at NVDCVE-2017-17449 at SUSECVE-2017-17449 at NVDCVE-2017-17450 at SUSECVE-2017-17450 at NVDCVE-2017-7482 at SUSECVE-2017-7482 at NVDCVE-2017-8824 at SUSECVE-2017-8824 at NVDcpe:/o:suse:sles:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3
This update for java-1_8_0-ibm fixes the following issues:
Security issues fixed:
- Security update to version 8.0.5.5 (bsc#1070162)
* CVE-2017-10346 CVE-2017-10285 CVE-2017-10388 CVE-2017-10309
CVE-2017-10356 CVE-2017-10293 CVE-2016-9841 CVE-2016-10165
CVE-2017-10355 CVE-2017-10357 CVE-2017-10348 CVE-2017-10349
CVE-2017-10347 CVE-2017-10350 CVE-2017-10281 CVE-2017-10295
CVE-2017-10345
ImportantSUSE bug 1070162CVE-2016-10165 at SUSECVE-2016-10165 at NVDCVE-2016-9841 at SUSECVE-2016-9841 at NVDCVE-2017-10281 at SUSECVE-2017-10281 at NVDCVE-2017-10285 at SUSECVE-2017-10285 at NVDCVE-2017-10293 at SUSECVE-2017-10293 at NVDCVE-2017-10295 at SUSECVE-2017-10295 at NVDCVE-2017-10309 at SUSECVE-2017-10309 at NVDCVE-2017-10345 at SUSECVE-2017-10345 at NVDCVE-2017-10346 at SUSECVE-2017-10346 at NVDCVE-2017-10347 at SUSECVE-2017-10347 at NVDCVE-2017-10348 at SUSECVE-2017-10348 at NVDCVE-2017-10349 at SUSECVE-2017-10349 at NVDCVE-2017-10350 at SUSECVE-2017-10350 at NVDCVE-2017-10355 at SUSECVE-2017-10355 at NVDCVE-2017-10356 at SUSECVE-2017-10356 at NVDCVE-2017-10357 at SUSECVE-2017-10357 at NVDCVE-2017-10388 at SUSECVE-2017-10388 at NVDcpe:/o:suse:sles:12:sp3Security update for evince (Important)SUSE Linux Enterprise Server 12 SP3
This update for evince fixes the following issues:
Security issue fixed:
- CVE-2017-1000083: Remove support for tar and tar-like commands in comics backend (bsc#1046856).
ImportantSUSE bug 1046856CVE-2017-1000083 at SUSECVE-2017-1000083 at NVDcpe:/o:suse:sles:12:sp3Security update for wireshark (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for wireshark fixes the following issues:
- CVE-2017-17083: NetBIOS dissector could crash. This was addressed in
epan/dissectors/packet-netbios.c by ensuring that write operations are bounded by the beginning of a buffer. (bsc#1070727)
- CVE-2017-17084: IWARP_MPA dissector could crash. This was addressed in epan/dissectors/packet-iwarp-mpa.c by
validating a ULPDU length. (bsc#1070727)
- CVE-2017-17085: the CIP Safety dissector could crash. This was addressed in epan/dissectors/packet-cipsafety.c
by validating the packet length. (bsc#1070727)
ModerateSUSE bug 1070727CVE-2017-17083 at SUSECVE-2017-17083 at NVDCVE-2017-17084 at SUSECVE-2017-17084 at NVDCVE-2017-17085 at SUSECVE-2017-17085 at NVDcpe:/o:suse:sles:12:sp3Security update for gdk-pixbuf (Low)SUSE Linux Enterprise Server 12 SP3
This update for gdk-pixbuf provides the following fixes:
- Add overflow checks when creating pixbuf structures in general
- Fix arithmetic overflow in the BMP loader (bsc#1053417)
- Adds support for BMPv3 with bitmasks (bsc#1053417)
LowSUSE bug 1053417cpe:/o:suse:sles:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3
This update for java-1_7_1-ibm fixes the following issues:
- Security update to version 7.1.4.15 [bsc#1070162]
* CVE-2017-10349: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'
* CVE-2017-10348: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'
* CVE-2017-10388: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'
* CVE-2016-9841: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'
* CVE-2017-10293: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'
* CVE-2017-10345: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'
* CVE-2017-10350: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'
* CVE-2017-10356: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'
* CVE-2017-10357: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'
* CVE-2017-10347: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'
* CVE-2017-10355: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'
* CVE-2017-10285: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'
* CVE-2017-10281: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'
* CVE-2017-10295: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'
* CVE-2017-10346: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'
* CVE-2016-10165: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'
ImportantSUSE bug 1070162CVE-2016-10165 at SUSECVE-2016-10165 at NVDCVE-2016-9841 at SUSECVE-2016-9841 at NVDCVE-2017-10281 at SUSECVE-2017-10281 at NVDCVE-2017-10285 at SUSECVE-2017-10285 at NVDCVE-2017-10293 at SUSECVE-2017-10293 at NVDCVE-2017-10295 at SUSECVE-2017-10295 at NVDCVE-2017-10345 at SUSECVE-2017-10345 at NVDCVE-2017-10346 at SUSECVE-2017-10346 at NVDCVE-2017-10347 at SUSECVE-2017-10347 at NVDCVE-2017-10348 at SUSECVE-2017-10348 at NVDCVE-2017-10349 at SUSECVE-2017-10349 at NVDCVE-2017-10350 at SUSECVE-2017-10350 at NVDCVE-2017-10355 at SUSECVE-2017-10355 at NVDCVE-2017-10356 at SUSECVE-2017-10356 at NVDCVE-2017-10357 at SUSECVE-2017-10357 at NVDCVE-2017-10388 at SUSECVE-2017-10388 at NVDcpe:/o:suse:sles:12:sp3Security update for gd (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for gd fixes one issues.
This security issue was fixed:
- CVE-2017-6362: Prevent double-free in gdImagePngPtr() that potentially allowed for DoS or remote code execution (bsc#1056993).
ModerateSUSE bug 1056993CVE-2017-6362 at SUSECVE-2017-6362 at NVDcpe:/o:suse:sles:12:sp3Security update for dpdk-thunderxdpdk (Moderate)SUSE Linux Enterprise Server 12 SP3
This update fixes the following issues:
- CVE-2018-1059: The DPDK vhost-user interface does not check to verify that all the requested guest
physical range is mapped and contiguous when performing Guest Physical Addresses to Host Virtual Addresses
translations. This may lead to a malicious guest exposing vhost-user backend process memory.
All versions before 18.02.1 are vulnerable. (bsc#1089638).
ModerateSUSE bug 1089638CVE-2018-1059 at SUSECVE-2018-1059 at NVDcpe:/o:suse:sles:12:sp3Security update for xdg-utils (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for xdg-utils fixes the following issues:
Security issue:
- CVE-2017-18266: Fix an argument injection when BROWSER contains %s (bsc#1093086).
ModerateSUSE bug 1093086CVE-2017-18266 at SUSECVE-2017-18266 at NVDcpe:/o:suse:sles:12:sp3Security update for oracleasm kmp (Moderate)SUSE Linux Enterprise Server 12 SP3
This update provides rebuilt kernel modules for SUSE Linux Enterprise 12 SP3 products
with retpoline enablement to address Spectre Variant 2 (CVE-2017-5715 bsc#1068032).
Following modules have been rebuilt:
- drbd
- oracleasm
- crash
- lttng-modules
ModerateSUSE bug 1068032CVE-2017-5715 at SUSECVE-2017-5715 at NVDcpe:/o:suse:sles:12:sp3Security update for xmltooling (Important)SUSE Linux Enterprise Server 12 SP3
This update for xmltooling fixes the following issues:
- CVE-2018-0486: Fixed a security bug when xmltooling mishandles digital
signatures of user attribute data, which allows remote attackers to obtain
sensitive information or conduct impersonation attacks via a crafted DTD
(bsc#1075975)
ImportantSUSE bug 1075975CVE-2018-0486 at SUSECVE-2018-0486 at NVDcpe:/o:suse:sles:12:sp3Security update for glibc (Important)SUSE Linux Enterprise Server 12 SP3
This update for glibc fixes the following issues:
- CVE-2017-18269: Fix SSE2 memmove issue when crossing 2GB boundary (bsc#1094150)
- CVE-2018-11236: Fix overflow in path length computation (bsc#1094161)
- CVE-2018-11237: Don't write beyond buffer destination in __mempcpy_avx512_no_vzeroupper (bsc#1094154)
Non security bugs fixed:
- Fix crash in resolver on memory allocation failure (bsc#1086690)
ImportantSUSE bug 1086690SUSE bug 1094150SUSE bug 1094154SUSE bug 1094161CVE-2017-18269 at SUSECVE-2017-18269 at NVDCVE-2018-11236 at SUSECVE-2018-11236 at NVDCVE-2018-11237 at SUSECVE-2018-11237 at NVDcpe:/o:suse:sles:12:sp3Security update for git (Important)SUSE Linux Enterprise Server 12 SP3
This update for git fixes several issues.
These security issues were fixed:
- CVE-2018-11233: Path sanity-checks on NTFS allowed attackers to read arbitrary memory (bsc#1095218)
- CVE-2018-11235: Arbitrary code execution when recursively cloning a malicious repository (bsc#1095219)
ImportantSUSE bug 1095218SUSE bug 1095219CVE-2018-11233 at SUSECVE-2018-11233 at NVDCVE-2018-11235 at SUSECVE-2018-11235 at NVDcpe:/o:suse:sles:12:sp3Security update for libvorbis (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libvorbis fixes the following issues:
The following security issue was fixed:
- Fixed the validation of channels in mapping0_forward(), which previously
allowed remote attackers to cause a denial of service via specially crafted
files (CVE-2018-10392, bsc#1091070)
ModerateSUSE bug 1091070CVE-2018-10392 at SUSECVE-2018-10392 at NVDcpe:/o:suse:sles:12:sp3Security update for kernel-firmware (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for kernel-firmware fixes the following issues:
This security issue was fixed:
- CVE-2017-5715: Prevent unauthorized disclosure of information to an attacker
with local user access caused by speculative execution and indirect branch
prediction (bsc#1095735)
ModerateSUSE bug 1095735CVE-2017-5715 at SUSECVE-2017-5715 at NVDcpe:/o:suse:sles:12:sp3Security update for poppler (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for poppler fixes the following issues:
These security issues were fixed:
- CVE-2017-14517: Prevent NULL Pointer dereference in the XRef::parseEntry()
function via a crafted PDF document (bsc#1059066).
- CVE-2017-9865: Fixed a stack-based buffer overflow vulnerability
in GfxState.cc that would have allowed attackers to facilitate
a denial-of-service attack via specially crafted PDF
documents. (bsc#1045939)
- CVE-2017-14518: Remedy a floating point exception in
isImageInterpolationRequired() that could have been exploited using a
specially crafted PDF document. (bsc#1059101)
- CVE-2017-14520: Remedy a floating point exception in
Splash::scaleImageYuXd() that could have been exploited using a specially
crafted PDF document. (bsc#1059155)
- CVE-2017-14617: Fixed a floating point exception in Stream.cc,
which may lead to a potential attack when handling malicious PDF
files. (bsc#1060220)
- CVE-2017-14928: Fixed a NULL Pointer dereference in
AnnotRichMedia::Configuration::Configuration() in Annot.cc, which may
lead to a potential attack when handling malicious PDF
files. (bsc#1061092)
- CVE-2017-14975: Fixed a NULL pointer dereference vulnerability,
that existed because a data structure in FoFiType1C.cc was not
initialized, which allowed an attacker to launch a denial of service
attack. (bsc#1061263)
- CVE-2017-14976: Fixed a heap-based buffer over-read vulnerability in
FoFiType1C.cc that occurred when an out-of-bounds font dictionary index
was encountered, which allowed an attacker to launch a denial of service
attack. (bsc#1061264)
- CVE-2017-14977: Fixed a NULL pointer dereference vulnerability in the
FoFiTrueType::getCFFBlock() function in FoFiTrueType.cc that occurred
due to lack of validation of a table pointer, which allows an attacker
to launch a denial of service attack. (bsc#1061265)
- CVE-2017-15565: Prevent NULL Pointer dereference in the
GfxImageColorMap::getGrayLine() function via a crafted PDF document
(bsc#1064593).
- CVE-2017-1000456: Validate boundaries in TextPool::addWord to prevent
overflows in subsequent calculations (bsc#1074453).
ModerateSUSE bug 1045939SUSE bug 1059066SUSE bug 1059101SUSE bug 1059155SUSE bug 1060220SUSE bug 1061092SUSE bug 1061263SUSE bug 1061264SUSE bug 1061265SUSE bug 1064593SUSE bug 1074453CVE-2017-1000456 at SUSECVE-2017-1000456 at NVDCVE-2017-14517 at SUSECVE-2017-14517 at NVDCVE-2017-14518 at SUSECVE-2017-14518 at NVDCVE-2017-14520 at SUSECVE-2017-14520 at NVDCVE-2017-14617 at SUSECVE-2017-14617 at NVDCVE-2017-14928 at SUSECVE-2017-14928 at NVDCVE-2017-14975 at SUSECVE-2017-14975 at NVDCVE-2017-14976 at SUSECVE-2017-14976 at NVDCVE-2017-14977 at SUSECVE-2017-14977 at NVDCVE-2017-15565 at SUSECVE-2017-15565 at NVDCVE-2017-9865 at SUSECVE-2017-9865 at NVDcpe:/o:suse:sles:12:sp3Security update for ucode-intel (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ucode-intel fixes the following issues:
Update to version 20180425 (bsc#1091836)
Fix provided for:
- GLK B0 6-7a-1/01 0000001e->00000022 Pentium Silver N/J5xxx, Celeron N/J4xxx
- Name microcodes which are not allowed to load late
with a *.early suffix
ModerateSUSE bug 1091836cpe:/o:suse:sles:12:sp3Security update for samba (Moderate)SUSE Linux Enterprise Server 12 SP3
Samba was updated to 4.6.14, fixing bugs and security issues:
Version update to 4.6.14 (bsc#1093664):
+ vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425).
+ Fix memory leak in vfs_ceph; (bso#13424).
+ winbind: avoid using fstrcpy(dcname,...) in _dual_init_connection;
(bso#13294).
+ s3:smb2_server: correctly maintain request counters for compound
requests; (bso#13215).
+ s3: smbd: Unix extensions attempts to change wrong field in fchown
call; (bso#13375).
+ s3:smbd: map nterror on smb2_flush errorpath; (bso#13338).
+ vfs_glusterfs: Fix the wrong pointer being sent in glfs_fsync_async;
(bso#13297).
+ s3: smbd: Fix possible directory fd leak if the underlying OS doesn't
support fdopendir(); (bso#13270).
+ s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we
don't own it here; (bso#13244).
+ s3:libsmb: allow -U'\\administrator' to work; (bso#13206).
+ CVE-2018-1057: s4:dsdb: fix unprivileged password changes;
(bso#13272); (bsc#1081024).
+ s3:smbd: Do not crash if we fail to init the session table;
(bso#13315).
+ libsmb: Use smb2 tcon if conn_protocol >= SMB2_02; (bso#13310).
+ smbXcli: Add 'force_channel_sequence'; (bso#13215).
+ smbd: Fix channel sequence number checks for long-running requests;
(bso#13215).
+ s3:smb2_server: allow logoff, close, unlock, cancel and echo on
expired sessions; (bso#13197).
+ s3:smbd: return the correct error for cancelled SMB2 notifies on
expired sessions; (bso#13197).
+ samba: Only use async signal-safe functions in signal handler;
(bso#13240).
+ subnet: Avoid a segfault when renaming subnet objects; (bso#13031).
- Fix vfs_ceph with 'aio read size' or 'aio write size' > 0;
(bsc#1093664).
+ vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425).
+ Fix memory leak in vfs_ceph; (bso#13424).
ModerateSUSE bug 1081024SUSE bug 1093664CVE-2018-1057 at SUSECVE-2018-1057 at NVDcpe:/o:suse:sles:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3
This update for java-1_8_0-openjdk to version 8u171 fixes the following issues:
These security issues were fixed:
- S8180881: Better packaging of deserialization
- S8182362: Update CipherOutputStream Usage
- S8183032: Upgrade to LittleCMS 2.9
- S8189123: More consistent classloading
- S8189969, CVE-2018-2790, bsc#1090023: Manifest better manifest entries
- S8189977, CVE-2018-2795, bsc#1090025: Improve permission portability
- S8189981, CVE-2018-2796, bsc#1090026: Improve queuing portability
- S8189985, CVE-2018-2797, bsc#1090027: Improve tabular data portability
- S8189989, CVE-2018-2798, bsc#1090028: Improve container portability
- S8189993, CVE-2018-2799, bsc#1090029: Improve document portability
- S8189997, CVE-2018-2794, bsc#1090024: Enhance keystore mechanisms
- S8190478: Improved interface method selection
- S8190877: Better handling of abstract classes
- S8191696: Better mouse positioning
- S8192025, CVE-2018-2814, bsc#1090032: Less referential references
- S8192030: Better MTSchema support
- S8192757, CVE-2018-2815, bsc#1090033: Improve stub classes implementation
- S8193409: Improve AES supporting classes
- S8193414: Improvements in MethodType lookups
- S8193833, CVE-2018-2800, bsc#1090030: Better RMI connection support
For other changes please consult the changelog.
ImportantSUSE bug 1087066SUSE bug 1090023SUSE bug 1090024SUSE bug 1090025SUSE bug 1090026SUSE bug 1090027SUSE bug 1090028SUSE bug 1090029SUSE bug 1090030SUSE bug 1090032SUSE bug 1090033CVE-2018-2790 at SUSECVE-2018-2790 at NVDCVE-2018-2794 at SUSECVE-2018-2794 at NVDCVE-2018-2795 at SUSECVE-2018-2795 at NVDCVE-2018-2796 at SUSECVE-2018-2796 at NVDCVE-2018-2797 at SUSECVE-2018-2797 at NVDCVE-2018-2798 at SUSECVE-2018-2798 at NVDCVE-2018-2799 at SUSECVE-2018-2799 at NVDCVE-2018-2800 at SUSECVE-2018-2800 at NVDCVE-2018-2814 at SUSECVE-2018-2814 at NVDCVE-2018-2815 at SUSECVE-2018-2815 at NVDcpe:/o:suse:sles:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3
This update for java-1_7_0-openjdk to version 7u181 fixes the following issues:
+ S8162488: JDK should be updated to use LittleCMS 2.8
+ S8180881: Better packaging of deserialization
+ S8182362: Update CipherOutputStream Usage
+ S8183032: Upgrade to LittleCMS 2.9
+ S8189123: More consistent classloading
+ S8190478: Improved interface method selection
+ S8190877: Better handling of abstract classes
+ S8191696: Better mouse positioning
+ S8192030: Better MTSchema support
+ S8193409: Improve AES supporting classes
+ S8193414: Improvements in MethodType lookups
+ S8189969, CVE-2018-2790, bsc#1090023: Manifest better manifest entries
+ S8189977, CVE-2018-2795, bsc#1090025: Improve permission portability
+ S8189981, CVE-2018-2796, bsc#1090026: Improve queuing portability
+ S8189985, CVE-2018-2797, bsc#1090027: Improve tabular data portability
+ S8189989, CVE-2018-2798, bsc#1090028: Improve container portability
+ S8189993, CVE-2018-2799, bsc#1090029: Improve document portability
+ S8189997, CVE-2018-2794, bsc#1090024: Enhance keystore mechanisms
+ S8192025, CVE-2018-2814, bsc#1090032: Less referential references
+ S8192757, CVE-2018-2815, bsc#1090033: Improve stub classes implementation
+ S8193833, CVE-2018-2800, bsc#1090030: Better RMI connection support
For additional changes please consult the changelog.
ImportantSUSE bug 1090023SUSE bug 1090024SUSE bug 1090025SUSE bug 1090026SUSE bug 1090027SUSE bug 1090028SUSE bug 1090029SUSE bug 1090030SUSE bug 1090032SUSE bug 1090033CVE-2018-2790 at SUSECVE-2018-2790 at NVDCVE-2018-2794 at SUSECVE-2018-2794 at NVDCVE-2018-2795 at SUSECVE-2018-2795 at NVDCVE-2018-2796 at SUSECVE-2018-2796 at NVDCVE-2018-2797 at SUSECVE-2018-2797 at NVDCVE-2018-2798 at SUSECVE-2018-2798 at NVDCVE-2018-2799 at SUSECVE-2018-2799 at NVDCVE-2018-2800 at SUSECVE-2018-2800 at NVDCVE-2018-2814 at SUSECVE-2018-2814 at NVDCVE-2018-2815 at SUSECVE-2018-2815 at NVDcpe:/o:suse:sles:12:sp3Security update for postgresql96 (Moderate)SUSE Linux Enterprise Server 12 SP3
PostgreSQL was updated to 9.6.9 fixing bugs and security issues:
Release notes:
- https://www.postgresql.org/about/news/1851/
- https://www.postgresql.org/docs/current/static/release-9-6-9.html
A dump/restore is not required for those running 9.6.X.
However, if you use the adminpack extension, you should update
it as per the first changelog entry below.
Also, if the function marking mistakes mentioned in the second
and third changelog entries below affect you, you will want to
take steps to correct your database catalogs.
Security issue fixed:
- CVE-2018-1115: Remove public execute privilege
from contrib/adminpack's pg_logfile_rotate() function
pg_logfile_rotate() is a deprecated wrapper for the core
function pg_rotate_logfile(). When that function was changed
to rely on SQL privileges for access control rather than a
hard-coded superuser check, pg_logfile_rotate() should have
been updated as well, but the need for this was missed. Hence,
if adminpack is installed, any user could request a logfile
rotation, creating a minor security issue.
After installing this update, administrators should update
adminpack by performing ALTER EXTENSION adminpack UPDATE in
each database in which adminpack is installed. (bsc#1091610)
ModerateSUSE bug 1091610CVE-2018-1115 at SUSECVE-2018-1115 at NVDcpe:/o:suse:sles:12:sp3Security update for gpg2 (Important)SUSE Linux Enterprise Server 12 SP3
This update for gpg2 fixes the following security issue:
- CVE-2018-12020: GnuPG mishandled the original filename during decryption and
verification actions, which allowed remote attackers to spoof the output that
GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2'
option (bsc#1096745)
ImportantSUSE bug 1096745CVE-2018-12020 at SUSECVE-2018-12020 at NVDcpe:/o:suse:sles:12:sp3Security update for rsync (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for rsync fixes one issues.
This security issue was fixed:
- CVE-2018-5764: The parse_arguments function in options.c did not prevent
multiple --protect-args uses, which allowed remote attackers to bypass an
argument-sanitization protection mechanism (bsc#1076503).
ModerateSUSE bug 1076503CVE-2018-5764 at SUSECVE-2018-5764 at NVDcpe:/o:suse:sles:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3
IBM Java was updated to version 8.0.5.15 [bsc#1093311, bsc#1085449]
Security fixes:
- CVE-2018-2826 CVE-2018-2825 CVE-2018-2814 CVE-2018-2794
CVE-2018-2783 CVE-2018-2799 CVE-2018-2798 CVE-2018-2797
CVE-2018-2796 CVE-2018-2795 CVE-2018-2800 CVE-2018-2790
CVE-2018-1417
- Removed translations in the java-1_8_0-ibm-devel-32bit package
as they conflict with those in java-1_8_0-ibm-devel.
ImportantSUSE bug 1085449SUSE bug 1093311CVE-2018-1417 at SUSECVE-2018-1417 at NVDCVE-2018-2783 at SUSECVE-2018-2783 at NVDCVE-2018-2790 at SUSECVE-2018-2790 at NVDCVE-2018-2794 at SUSECVE-2018-2794 at NVDCVE-2018-2795 at SUSECVE-2018-2795 at NVDCVE-2018-2796 at SUSECVE-2018-2796 at NVDCVE-2018-2797 at SUSECVE-2018-2797 at NVDCVE-2018-2798 at SUSECVE-2018-2798 at NVDCVE-2018-2799 at SUSECVE-2018-2799 at NVDCVE-2018-2800 at SUSECVE-2018-2800 at NVDCVE-2018-2814 at SUSECVE-2018-2814 at NVDCVE-2018-2825 at SUSECVE-2018-2825 at NVDCVE-2018-2826 at SUSECVE-2018-2826 at NVDcpe:/o:suse:sles:12:sp3Security update for procmail (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for procmail fixes the following issues:
- CVE-2017-16844: Heap-based buffer overflow in loadbuf function could lead to remote denial of service (bsc#1068648)
ModerateSUSE bug 1068648CVE-2017-16844 at SUSECVE-2017-16844 at NVDcpe:/o:suse:sles:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3
IBM Java was updated to 7.1.4.25 [bsc#1093311, bsc#1085449]:
Security fixes:
- CVE-2018-2814 CVE-2018-2794 CVE-2018-2783 CVE-2018-2799
CVE-2018-2798 CVE-2018-2797 CVE-2018-2796 CVE-2018-2795
CVE-2018-2800 CVE-2018-2790 CVE-2018-1417
ImportantSUSE bug 1085449SUSE bug 1093311CVE-2018-1417 at SUSECVE-2018-1417 at NVDCVE-2018-2783 at SUSECVE-2018-2783 at NVDCVE-2018-2790 at SUSECVE-2018-2790 at NVDCVE-2018-2794 at SUSECVE-2018-2794 at NVDCVE-2018-2795 at SUSECVE-2018-2795 at NVDCVE-2018-2796 at SUSECVE-2018-2796 at NVDCVE-2018-2797 at SUSECVE-2018-2797 at NVDCVE-2018-2798 at SUSECVE-2018-2798 at NVDCVE-2018-2799 at SUSECVE-2018-2799 at NVDCVE-2018-2800 at SUSECVE-2018-2800 at NVDCVE-2018-2814 at SUSECVE-2018-2814 at NVDcpe:/o:suse:sles:12:sp3Security update for ntp (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ntp fixes the following issues:
- Update to 4.2.8p11 (bsc#1082210):
* CVE-2016-1549: Sybil vulnerability: ephemeral association
attack. While fixed in ntp-4.2.8p7, there are significant
additional protections for this issue in 4.2.8p11.
* CVE-2018-7182: ctl_getitem(): buffer read overrun
leads to undefined behavior and information leak. (bsc#1083426)
* CVE-2018-7170: Multiple authenticated ephemeral
associations. (bsc#1083424)
* CVE-2018-7184: Interleaved symmetric mode cannot
recover from bad state. (bsc#1083422)
* CVE-2018-7185: Unauthenticated packet can reset
authenticated interleaved association. (bsc#1083420)
* CVE-2018-7183: ntpq:decodearr() can write beyond its
buffer limit.(bsc#1083417)
- Don't use libevent's cached time stamps in sntp. (bsc#1077445)
This update is a reissue of the previous update with LTSS channels included.
ModerateSUSE bug 1077445SUSE bug 1082063SUSE bug 1082210SUSE bug 1083417SUSE bug 1083420SUSE bug 1083422SUSE bug 1083424SUSE bug 1083426CVE-2016-1549 at SUSECVE-2016-1549 at NVDCVE-2018-7170 at SUSECVE-2018-7170 at NVDCVE-2018-7182 at SUSECVE-2018-7182 at NVDCVE-2018-7183 at SUSECVE-2018-7183 at NVDCVE-2018-7184 at SUSECVE-2018-7184 at NVDCVE-2018-7185 at SUSECVE-2018-7185 at NVDcpe:/o:suse:sles:12:sp3Security update for bluez (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for bluez fixes the following issues:
Security issues fixed:
- CVE-2016-9800: Fix hcidump memory leak in pin_code_reply_dump() (bsc#1013721).
- CVE-2016-9804: Fix hcidump buffer overflow in commands_dump() (bsc#1013877).
- CVE-2016-7837: Fix possible buffer overflow, make sure we don't write past the end of the array (bsc#1026652).
- CVE-2017-1000250: Fix information disclosure vulnerability in service_search_attr_req (bsc#1057342).
ModerateSUSE bug 1013721SUSE bug 1013877SUSE bug 1026652SUSE bug 1057342CVE-2016-7837 at SUSECVE-2016-7837 at NVDCVE-2016-9800 at SUSECVE-2016-9800 at NVDCVE-2016-9804 at SUSECVE-2016-9804 at NVDCVE-2017-1000250 at SUSECVE-2017-1000250 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3
The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.136 to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2018-5848: In the function wmi_set_ie(), the length validation code did
not handle unsigned integer overflow properly. As a result, a large value of
the 'ie_len' argument could have caused a buffer overflow (bnc#1097356).
- CVE-2017-18249: The add_free_nid function did not properly track an allocated
nid, which allowed local users to cause a denial of service (race condition) or
possibly have unspecified other impact via concurrent threads (bnc#1087036).
- CVE-2018-3665: Prevent disclosure of FPU registers (including XMM and AVX
registers) between processes. These registers might contain encryption keys
when doing SSE accelerated AES enc/decryption (bsc#1087086).
- CVE-2017-18241: Prevent a NULL pointer dereference by using a noflush_merge
option that triggers a NULL value for a flush_cmd_control data structure
(bnc#1086400).
- CVE-2017-17741: The KVM implementation in the Linux kernel allowed attackers
to obtain potentially sensitive information from kernel memory, aka a
write_mmio stack-based out-of-bounds read (bnc#1073311).
- CVE-2018-12233: In the ea_get function in fs/jfs/xattr.c, a memory
corruption bug in JFS can be triggered by calling setxattr twice with two
different extended attribute names on the same file. This vulnerability
can be triggered by an unprivileged user with the ability to create
files and execute programs. A kmalloc call is incorrect, leading to
slab-out-of-bounds in jfs_xattr (bnc#1097234).
The following non-security bugs were fixed:
- 8139too: Use disable_irq_nosync() in rtl8139_poll_controller() (bnc#1012382).
- ACPI: acpi_pad: Fix memory leak in power saving threads (bnc#1012382).
- ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c (bnc#1012382).
- ACPICA: Events: add a return on failure from acpi_hw_register_read (bnc#1012382).
- ACPI: processor_perflib: Do not send _PPC change notification if not ready (bnc#1012382).
- affs_lookup(): close a race with affs_remove_link() (bnc#1012382).
- af_key: Always verify length of provided sadb_key (bnc#1012382).
- aio: fix io_destroy(2) vs. lookup_ioctx() race (bnc#1012382).
- alsa: control: fix a redundant-copy issue (bnc#1012382).
- alsa: hda: Add Lenovo C50 All in one to the power_save blacklist (bnc#1012382).
- alsa: hda - Use IS_REACHABLE() for dependency on input (bnc#1012382 bsc#1031717).
- alsa: timer: Call notifier in the same spinlock (bnc#1012382 bsc#973378).
- alsa: timer: Fix pause event notification (bnc#1012382 bsc#973378).
- alsa: usb: mixer: volume quirk for CM102-A+/102S+ (bnc#1012382).
- alsa: vmaster: Propagate slave error (bnc#1012382).
- arc: Fix malformed ARC_EMUL_UNALIGNED default (bnc#1012382).
- arm64: Add ARCH_WORKAROUND_2 probing (bsc#1085308).
- arm64: Add per-cpu infrastructure to call ARCH_WORKAROUND_2 (bsc#1085308).
- arm64: Add 'ssbd' command-line option (bsc#1085308).
- arm64: Add this_cpu_ptr() assembler macro for use in entry.S (bsc#1085308).
- arm64: Add work around for Arm Cortex-A55 Erratum 1024718 (bnc#1012382).
- arm64: alternatives: Add dynamic patching feature (bsc#1085308).
- arm64: assembler: introduce ldr_this_cpu (bsc#1085308).
- arm64: Call ARCH_WORKAROUND_2 on transitions between EL0 and EL1 (bsc#1085308).
- arm64: do not call C code with el0's fp register (bsc#1085308).
- arm64: fix endianness annotation for __apply_alternatives()/get_alt_insn() (bsc#1085308).
- arm64: introduce mov_q macro to move a constant into a 64-bit register (bnc#1012382 bsc#1068032).
- arm64: lse: Add early clobbers to some input/output asm operands (bnc#1012382).
- arm64: spinlock: Fix theoretical trylock() A-B-A with LSE atomics (bnc#1012382).
- arm64: ssbd: Add global mitigation state accessor (bsc#1085308).
- arm64: ssbd: Add prctl interface for per-thread mitigation (bsc#1085308).
- arm64: ssbd: Introduce thread flag to control userspace mitigation (bsc#1085308).
- arm64: ssbd: Restore mitigation status on CPU resume (bsc#1085308).
- arm64: ssbd: Skip apply_ssbd if not using dynamic mitigation (bsc#1085308).
- arm: 8748/1: mm: Define vdso_start, vdso_end as array (bnc#1012382).
- arm: 8769/1: kprobes: Fix to use get_kprobe_ctlblk after irq-disabed (bnc#1012382).
- arm: 8770/1: kprobes: Prohibit probing on optimized_callback (bnc#1012382).
- arm: 8771/1: kprobes: Prohibit kprobes on do_undefinstr (bnc#1012382).
- arm: 8772/1: kprobes: Prohibit kprobes on get_user functions (bnc#1012382).
- arm/arm64: smccc: Add SMCCC-specific return codes (bsc#1085308).
- arm: dts: socfpga: fix GIC PPI warning (bnc#1012382).
- arm: OMAP1: clock: Fix debugfs_create_*() usage (bnc#1012382).
- arm: OMAP2+: timer: fix a kmemleak caused in omap_get_timer_dt (bnc#1012382).
- arm: OMAP3: Fix prm wake interrupt for resume (bnc#1012382).
- arm: OMAP: Fix dmtimer init for omap1 (bnc#1012382).
- asm-generic: provide generic_pmdp_establish() (bnc#1012382).
- ASoC: au1x: Fix timeout tests in au1xac97c_ac97_read() (bnc#1012382 bsc#1031717).
- ASoC: Intel: sst: remove redundant variable dma_dev_name (bnc#1012382).
- ASoC: samsung: i2s: Ensure the RCLK rate is properly determined (bnc#1012382).
- ASoC: topology: create TLV data for dapm widgets (bnc#1012382).
- ath10k: Fix kernel panic while using worker (ath10k_sta_rc_update_wk) (bnc#1012382).
- audit: move calcs after alloc and check when logging set loginuid (bnc#1012382).
- audit: return on memory error to avoid null pointer dereference (bnc#1012382).
- autofs: change autofs4_expire_wait()/do_expire_wait() to take struct path (bsc#1086716).
- autofs: change autofs4_wait() to take struct path (bsc#1086716).
- autofs: use path_has_submounts() to fix unreliable have_submount() checks (bsc#1086716).
- autofs: use path_is_mountpoint() to fix unreliable d_mountpoint() checks (bsc#1086716).
- batman-adv: fix header size check in batadv_dbg_arp() (bnc#1012382).
- batman-adv: fix multicast-via-unicast transmission with AP isolation (bnc#1012382).
- batman-adv: fix packet checksum in receive path (bnc#1012382).
- batman-adv: fix packet loss for broadcasted DHCP packets to a server (bnc#1012382).
- batman-adv: invalidate checksum on fragment reassembly (bnc#1012382).
- bcache: fix for allocator and register thread race (bnc#1012382).
- bcache: fix for data collapse after re-attaching an attached device (bnc#1012382).
- bcache: fix kcrashes with fio in RAID5 backend dev (bnc#1012382).
- bcache: properly set task state in bch_writeback_thread() (bnc#1012382).
- bcache: quit dc->writeback_thread when BCACHE_DEV_DETACHING is set (bnc#1012382).
- bcache: return attach error when no cache set exist (bnc#1012382).
- block: cancel workqueue entries on blk_mq_freeze_queue() (bsc#1090435).
- Bluetooth: Apply QCA Rome patches for some ATH3012 models (bsc#1082504, bsc#1095147).
- Bluetooth: btusb: Add device ID for RTL8822BE (bnc#1012382).
- Bluetooth: btusb: Add USB ID 7392:a611 for Edimax EW-7611ULB (bnc#1012382).
- bnx2x: use the right constant (bnc#1012382).
- bnxt_en: Check valid VNIC ID in bnxt_hwrm_vnic_set_tpa() (bnc#1012382).
- bonding: do not allow rlb updates to invalid mac (bnc#1012382).
- bpf: fix selftests/bpf test_kmod.sh failure when CONFIG_BPF_JIT_ALWAYS_ON=y (bnc#1012382).
- brcmfmac: Fix check for ISO3166 code (bnc#1012382).
- bridge: check iface upper dev when setting master via ioctl (bnc#1012382).
- Btrfs: bail out on error during replay_dir_deletes (bnc#1012382).
- Btrfs: fix copy_items() return value when logging an inode (bnc#1012382).
- Btrfs: fix crash when trying to resume balance without the resume flag (bnc#1012382).
- Btrfs: fix lockdep splat in btrfs_alloc_subvolume_writers (bnc#1012382).
- Btrfs: fix NULL pointer dereference in log_dir_items (bnc#1012382).
- Btrfs: Fix out of bounds access in btrfs_search_slot (bnc#1012382).
- Btrfs: Fix possible softlock on single core machines (bnc#1012382).
- Btrfs: fix reading stale metadata blocks after degraded raid1 mounts (bnc#1012382).
- Btrfs: fix scrub to repair raid6 corruption (bnc#1012382).
- Btrfs: fix xattr loss after power failure (bnc#1012382).
- Btrfs: send, fix issuing write op when processing hole in no data mode (bnc#1012382).
- Btrfs: set plug for fsync (bnc#1012382).
- Btrfs: tests/qgroup: Fix wrong tree backref level (bnc#1012382).
- cdrom: do not call check_disk_change() inside cdrom_open() (bnc#1012382).
- ceph: delete unreachable code in ceph_check_caps() (bsc#1096214).
- ceph: fix race of queuing delayed caps (bsc#1096214).
- cfg80211: further limit wiphy names to 64 bytes (bnc#1012382 git-fixes).
- cfg80211: further limit wiphy names to 64 bytes (git-fixes).
- cfg80211: limit wiphy names to 128 bytes (bnc#1012382).
- cifs: silence compiler warnings showing up with gcc-8.0.0 (bnc#1012382 bsc#1090734).
- Clarify (and fix) MAX_LFS_FILESIZE macros (bnc#1012382).
- clk: Do not show the incorrect clock phase (bnc#1012382).
- clk: rockchip: Prevent calculating mmc phase if clock rate is zero (bnc#1012382).
- clk: samsung: exynos3250: Fix PLL rates (bnc#1012382).
- clk: samsung: exynos5250: Fix PLL rates (bnc#1012382).
- clk: samsung: exynos5260: Fix PLL rates (bnc#1012382).
- clk: samsung: exynos5433: Fix PLL rates (bnc#1012382).
- clk: samsung: s3c2410: Fix PLL rates (bnc#1012382).
- clocksource/drivers/fsl_ftm_timer: Fix error return checking (bnc#1012382).
- config: arm64: enable Spectre-v4 per-thread mitigation
- Correct the prefix in references tag in previous patches (bsc#1041740).
- cpufreq: cppc_cpufreq: Fix cppc_cpufreq_init() failure path (bnc#1012382).
- cpufreq: CPPC: Initialize shared perf capabilities of CPUs (bnc#1012382).
- cpufreq: intel_pstate: Enable HWP by default (bnc#1012382).
- cpuidle: coupled: remove unused define cpuidle_coupled_lock (bnc#1012382).
- crypto: sunxi-ss - Add MODULE_ALIAS to sun4i-ss (bnc#1012382).
- crypto: vmx - Remove overly verbose printk from AES init routines (bnc#1012382).
- dccp: do not free ccid2_hc_tx_sock struct in dccp_disconnect() (bnc#1012382).
- dccp: fix tasklet usage (bnc#1012382).
- dlm: fix a clerical error when set SCTP_NODELAY (bsc#1091594).
- dlm: make sctp_connect_to_sock() return in specified time (bsc#1080542).
- dlm: remove O_NONBLOCK flag in sctp_connect_to_sock (bsc#1080542).
- dmaengine: ensure dmaengine helpers check valid callback (bnc#1012382).
- dmaengine: pl330: fix a race condition in case of threaded irqs (bnc#1012382).
- dmaengine: rcar-dmac: fix max_chunk_size for R-Car Gen3 (bnc#1012382).
- dmaengine: usb-dmac: fix endless loop in usb_dmac_chan_terminate_all() (bnc#1012382).
- dm thin: fix documentation relative to low water mark threshold (bnc#1012382).
- do d_instantiate/unlock_new_inode combinations safely (bnc#1012382).
- dp83640: Ensure against premature access to PHY registers after reset (bnc#1012382).
- drm/exynos: fix comparison to bitshift when dealing with a mask (bnc#1012382).
- drm/i915: Disable LVDS on Radiant P845 (bnc#1012382).
- drm/rockchip: Respect page offset for PRIME mmap calls (bnc#1012382).
- drm: set FMODE_UNSIGNED_OFFSET for drm files (bnc#1012382).
- e1000e: allocate ring descriptors with dma_zalloc_coherent (bnc#1012382).
- e1000e: Fix check_for_link return value with autoneg off (bnc#1012382 bsc#1075428).
- efi: Avoid potential crashes, fix the 'struct efi_pci_io_protocol_32' definition for mixed mode (bnc#1012382).
- enic: enable rq before updating rq descriptors (bnc#1012382).
- enic: set DMA mask to 47 bit (bnc#1012382).
- ext2: fix a block leak (bnc#1012382).
- fbdev: Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper() (bnc#1012382).
- firewire-ohci: work around oversized DMA reads on JMicron controllers (bnc#1012382).
- firmware: dmi: handle missing DMI data gracefully (bsc#1096037).
- firmware: dmi_scan: Fix handling of empty DMI strings (bnc#1012382).
- fix io_destroy()/aio_complete() race (bnc#1012382).
- Force log to disk before reading the AGF during a fstrim (bnc#1012382).
- fscache: Fix hanging wait on page discarded by writeback (bnc#1012382).
- fs/proc/proc_sysctl.c: fix potential page fault while unregistering sysctl table (bnc#1012382).
- futex: futex_wake_op, do not fail on invalid op (git-fixes).
- futex: futex_wake_op, fix sign_extend32 sign bits (bnc#1012382).
- futex: Remove duplicated code and fix undefined behaviour (bnc#1012382).
- futex: Remove unnecessary warning from get_futex_key (bnc#1012382).
- gfs2: Fix fallocate chunk size (bnc#1012382).
- gianfar: Fix Rx byte accounting for ndev stats (bnc#1012382).
- gpio: No NULL owner (bnc#1012382).
- gpio: rcar: Add Runtime PM handling for interrupts (bnc#1012382).
- hfsplus: stop workqueue when fill_super() failed (bnc#1012382).
- HID: roccat: prevent an out of bounds read in kovaplus_profile_activated() (bnc#1012382).
- hwmon: (nct6775) Fix writing pwmX_mode (bnc#1012382).
- hwmon: (pmbus/adm1275) Accept negative page register values (bnc#1012382).
- hwmon: (pmbus/max8688) Accept negative page register values (bnc#1012382).
- hwrng: stm32 - add reset during probe (bnc#1012382).
- hwtracing: stm: fix build error on some arches (bnc#1012382).
- i2c: mv64xxx: Apply errata delay only in standard mode (bnc#1012382).
- i2c: rcar: check master irqs before slave irqs (bnc#1012382).
- i2c: rcar: do not issue stop when HW does it automatically (bnc#1012382).
- i2c: rcar: init new messages in irq (bnc#1012382).
- i2c: rcar: make sure clocks are on when doing clock calculation (bnc#1012382).
- i2c: rcar: refactor setup of a msg (bnc#1012382).
- i2c: rcar: remove spinlock (bnc#1012382).
- i2c: rcar: remove unused IOERROR state (bnc#1012382).
- i2c: rcar: revoke START request early (bnc#1012382).
- i2c: rcar: rework hw init (bnc#1012382).
- IB/ipoib: Fix for potential no-carrier state (bnc#1012382).
- iio:kfifo_buf: check for uint overflow (bnc#1012382).
- ima: Fallback to the builtin hash algorithm (bnc#1012382).
- ima: Fix Kconfig to select TPM 2.0 CRB interface (bnc#1012382).
- init: fix false positives in W+X checking (bsc#1096982).
- input: elan_i2c - add ELAN0612 (Lenovo v330 14IKB) ACPI ID (bnc#1012382).
- Input: elan_i2c_smbus - fix corrupted stack (bnc#1012382).
- input: goodix - add new ACPI id for GPD Win 2 touch screen (bnc#1012382).
- ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds (bnc#1012382).
- ipc/shm: fix shmat() nil address after round-down when remapping (bnc#1012382).
- ipmi/powernv: Fix error return code in ipmi_powernv_probe() (bnc#1012382).
- ipmi_ssif: Fix kernel panic at msg_done_handler (bnc#1012382 bsc#1088871).
- ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg (bnc#1012382).
- ipv4: lock mtu in fnhe when received PMTU lower than net.ipv4.route.min_pmtu (bnc#1012382).
- ipv4: remove warning in ip_recv_error (bnc#1012382).
- ipv6: omit traffic class when calculating flow hash (bsc#1095042).
- irda: fix overly long udelay() (bnc#1012382).
- irqchip/gic-v3: Change pr_debug message to pr_devel (bnc#1012382).
- isdn: eicon: fix a missing-check bug (bnc#1012382).
- jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path (bnc#1012382 git-fixes).
- kabi: vfs: Restore dentry_operations->d_manage (bsc#1086716).
- kasan: fix memory hotplug during boot (bnc#1012382).
- Kbuild: change CC_OPTIMIZE_FOR_SIZE definition (bnc#1012382).
- kconfig: Avoid format overflow warning from GCC 8.1 (bnc#1012382).
- kconfig: Do not leak main menus during parsing (bnc#1012382).
- kconfig: Fix automatic menu creation mem leak (bnc#1012382).
- kconfig: Fix expr_free() E_NOT leak (bnc#1012382).
- kdb: make 'mdr' command repeat (bnc#1012382).
- kernel: Fix memory leak on EP11 target list processing (bnc#1096751, LTC#168596).
- kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE (bnc#1012382).
- kernel/sys.c: fix potential Spectre v1 issue (bnc#1012382).
- kvm: Fix spelling mistake: 'cop_unsuable' -> 'cop_unusable' (bnc#1012382).
- kvm: lapic: stop advertising DIRECTED_EOI when in-kernel IOAPIC is in use (bnc#1012382).
- kvm: PPC: Book3S HV: Fix VRMA initialization with 2MB or 1GB memory backing (bnc#1012382).
- kvm: VMX: raise internal error for exception during invalid protected mode state (bnc#1012382).
- kvm: x86: fix KVM_XEN_HVM_CONFIG ioctl (bnc#1012382).
- kvm: x86: introduce linear_{read,write}_system (bnc#1012382).
- kvm: x86: pass kvm_vcpu to kvm_read_guest_virt and kvm_write_guest_virt_system (bnc#1012382).
- kvm: x86: Sync back MSR_IA32_SPEC_CTRL to VCPU data structure (bsc#1096242, bsc#1096281).
- kvm: x86: use correct privilege level for sgdt/sidt/fxsave/fxrstor access (bnc#1012382).
- l2tp: revert 'l2tp: fix missing print session offset info' (bnc#1012382).
- libata: blacklist Micron 500IT SSD with MU01 firmware (bnc#1012382).
- libata: Blacklist some Sandisk SSDs for NCQ (bnc#1012382).
- llc: better deal with too small mtu (bnc#1012382).
- llc: properly handle dev_queue_xmit() return value (bnc#1012382).
- lockd: lost rollback of set_grace_period() in lockd_down_net() (bnc#1012382 git-fixes).
- locking/qspinlock: Ensure node->count is updated before initialising node (bnc#1012382).
- locking/xchg/alpha: Add unconditional memory barrier to cmpxchg() (bnc#1012382).
- locking/xchg/alpha: Fix xchg() and cmpxchg() memory ordering bugs (bnc#1012382).
- m68k: set dma and coherent masks for platform FEC ethernets (bnc#1012382).
- mac80211: round IEEE80211_TX_STATUS_HEADROOM up to multiple of 4 (bnc#1012382).
- md raid10: fix NULL deference in handle_write_completed() (bnc#1012382 bsc#1056415).
- md/raid1: fix NULL pointer dereference (bnc#1012382).
- md: raid5: avoid string overflow warning (bnc#1012382).
- media: cx23885: Override 888 ImpactVCBe crystal frequency (bnc#1012382).
- media: cx23885: Set subdev host data to clk_freq pointer (bnc#1012382).
- media: cx25821: prevent out-of-bounds read on array card (bnc#1012382 bsc#1031717).
- media: dmxdev: fix error code for invalid ioctls (bnc#1012382).
- media: em28xx: USB bulk packet size fix (bnc#1012382).
- media: s3c-camif: fix out-of-bounds array access (bnc#1012382 bsc#1031717).
- mmap: introduce sane default mmap limits (bnc#1012382).
- mmap: relax file size limit for regular files (bnc#1012382).
- mmc: sdhci-iproc: fix 32bit writes for TRANSFER_MODE register (bnc#1012382).
- mm: do not allow deferred pages with NEED_PER_CPU_KM (bnc#1012382).
- mm: filemap: avoid unnecessary calls to lock_page when waiting for IO to complete during a read (bnc#1012382 bnc#971975).
- mm: filemap: remove redundant code in do_read_cache_page (bnc#1012382 bnc#971975).
- mm: fix races between address_space dereference and free in page_evicatable (bnc#1012382).
- mm: fix the NULL mapping case in __isolate_lru_page() (bnc#1012382).
- mm/kmemleak.c: wait for scan completion before disabling free (bnc#1012382).
- mm/ksm: fix interaction with THP (bnc#1012382).
- mm/mempolicy: add nodes_empty check in SYSC_migrate_pages (bnc#1012382).
- mm/mempolicy.c: avoid use uninitialized preferred_node (bnc#1012382).
- mm/mempolicy: fix the check of nodemask from user (bnc#1012382).
- mm, page_alloc: do not break __GFP_THISNODE by zonelist reset (bsc#1079152, VM Functionality).
- mm: pin address_space before dereferencing it while isolating an LRU page (bnc#1012382 bnc#1081500).
- net: bgmac: Fix endian access in bgmac_dma_tx_ring_free() (bnc#1012382).
- netdev-FAQ: clarify DaveM's position for stable backports (bnc#1012382).
- net: ethernet: sun: niu set correct packet size in skb (bnc#1012382).
- netfilter: ebtables: convert BUG_ONs to WARN_ONs (bnc#1012382).
- net: Fix untag for vlan packets without ethernet header (bnc#1012382).
- net: Fix vlan untag for bridge and vlan_dev with reorder_hdr off (bnc#1012382).
- netlabel: If PF_INET6, check sk_buff ip header version (bnc#1012382).
- net: metrics: add proper netlink validation (bnc#1012382).
- net/mlx4_en: Verify coalescing parameters are in range (bnc#1012382).
- net/mlx4: Fix irq-unsafe spinlock usage (bnc#1012382).
- net/mlx5: Protect from command bit overflow (bnc#1012382).
- net: mvneta: fix enable of all initialized RXQs (bnc#1012382).
- net/packet: refine check for priv area size (bnc#1012382).
- net: phy: broadcom: Fix bcm_write_exp() (bnc#1012382).
- net: qmi_wwan: add BroadMobi BM806U 2020:2033 (bnc#1012382).
- net_sched: fq: take care of throttled flows before reuse (bnc#1012382).
- net: support compat 64-bit time in {s,g}etsockopt (bnc#1012382).
- net/tcp/illinois: replace broken algorithm reference link (bnc#1012382).
- net: test tailroom before appending to linear skb (bnc#1012382).
- net-usb: add qmi_wwan if on lte modem wistron neweb d18q1 (bnc#1012382).
- net: usb: cdc_mbim: add flag FLAG_SEND_ZLP (bnc#1012382).
- net/usb/qmi_wwan.c: Add USB id for lt4120 modem (bnc#1012382).
- nfc: llcp: Limit size of SDP URI (bnc#1012382).
- nfs: Do not convert nfs_idmap_cache_timeout to jiffies (bnc#1012382 git-fixes).
- nfsv4: always set NFS_LOCK_LOST when a lock is lost (bnc#1012382 bsc#1068951).
- ntb_transport: Fix bug with max_mw_size parameter (bnc#1012382).
- nvme-pci: Fix nvme queue cleanup if IRQ setup fails (bnc#1012382).
- ocfs2/acl: use 'ip_xattr_sem' to protect getting extended attribute (bnc#1012382).
- ocfs2/dlm: do not handle migrate lockres if already in shutdown (bnc#1012382).
- ocfs2: return -EROFS to mount.ocfs2 if inode block is invalid (bnc#1012382).
- ocfs2: return error when we attempt to access a dirty bh in jbd2 (bnc#1012382 bsc#1070404).
- openvswitch: Do not swap table in nlattr_set() after OVS_ATTR_NESTED is found (bnc#1012382).
- packet: fix reserve calculation (bnc#1012382 git-fixes).
- packet: fix reserve calculation (git-fixes).
- packet: in packet_snd start writing at link layer allocation (bnc#1012382).
- parisc/pci: Switch LBA PCI bus from Hard Fail to Soft Fail mode (bnc#1012382).
- pci: Add function 1 DMA alias quirk for Marvell 88SE9220 (bnc#1012382).
- pci: Add function 1 DMA alias quirk for Marvell 9128 (bnc#1012382).
- pci: Restore config space on runtime resume despite being unbound (bnc#1012382).
- perf callchain: Fix attr.sample_max_stack setting (bnc#1012382).
- perf/cgroup: Fix child event counting bug (bnc#1012382).
- perf/core: Fix perf_output_read_group() (bnc#1012382).
- perf report: Fix memory corruption in --branch-history mode --branch-history (bnc#1012382).
- perf tests: Use arch__compare_symbol_names to compare symbols (bnc#1012382).
- pipe: cap initial pipe capacity according to pipe-max-size limit (bnc#1012382 bsc#1045330).
- powerpc/64s: Clear PCR on boot (bnc#1012382).
- powerpc: Add missing prototype for arch_irq_work_raise() (bnc#1012382).
- powerpc/bpf/jit: Fix 32-bit JIT for seccomp_data access (bnc#1012382).
- powerpc: Do not preempt_disable() in show_cpuinfo() (bnc#1012382 bsc#1066223).
- powerpc/mpic: Check if cpu_possible() in mpic_physmask() (bnc#1012382).
- powerpc/numa: Ensure nodes initialized for hotplug (bnc#1012382 bsc#1081514).
- powerpc/numa: Use ibm,max-associativity-domains to discover possible nodes (bnc#1012382 bsc#1081514).
- powerpc/perf: Fix kernel address leak via sampling registers (bnc#1012382).
- powerpc/perf: Prevent kernel address leak to userspace via BHRB buffer (bnc#1012382).
- powerpc/powernv: Fix NVRAM sleep in invalid context when crashing (bnc#1012382).
- powerpc/powernv: panic() on OPAL lower than V3 (bnc#1012382).
- powerpc/powernv: remove FW_FEATURE_OPALv3 and just use FW_FEATURE_OPAL (bnc#1012382).
- powerpc/powernv: Remove OPALv2 firmware define and references (bnc#1012382).
- proc: fix /proc/*/map_files lookup (bnc#1012382).
- procfs: fix pthread cross-thread naming if !PR_DUMPABLE (bnc#1012382).
- proc: meminfo: estimate available memory more conservatively (bnc#1012382).
- proc read mm's {arg,env}_{start,end} with mmap semaphore taken (bnc#1012382).
- qed: Fix mask for physical address in ILT entry (bnc#1012382).
- qla2xxx: Mask off Scope bits in retry delay (bsc#1068054).
- qmi_wwan: do not steal interfaces from class drivers (bnc#1012382).
- r8152: fix tx packets accounting (bnc#1012382).
- r8169: fix powering up RTL8168h (bnc#1012382).
- RDMA/mlx5: Avoid memory leak in case of XRCD dealloc failure (bnc#1012382).
- RDMA/ucma: Correct option size check using optlen (bnc#1012382).
- RDS: IB: Fix null pointer issue (bnc#1012382).
- Refreshed contents of patches (bsc#1085185)
- regulator: of: Add a missing 'of_node_put()' in an error handling path of 'of_regulator_match()' (bnc#1012382).
- regulatory: add NUL to request alpha2 (bnc#1012382).
- Revert 'arm: dts: imx6qdl-wandboard: Fix audio channel swap' (bnc#1012382).
- Revert 'ima: limit file hash setting by user to fix and log modes' (bnc#1012382).
- Revert 'ipc/shm: Fix shmat mmap nil-page protection' (bnc#1012382).
- Revert 'regulatory: add NUL to request alpha2' (kabi).
- Revert 'vti4: Do not override MTU passed on link creation via IFLA_MTU' (bnc#1012382).
- rtc: hctosys: Ensure system time does not overflow time_t (bnc#1012382).
- rtc: snvs: Fix usage of snvs_rtc_enable (bnc#1012382).
- rtc: tx4939: avoid unintended sign extension on a 24 bit shift (bnc#1012382).
- rtlwifi: rtl8192cu: Remove variable self-assignment in rf.c (bnc#1012382).
- rtnetlink: validate attributes in do_setlink() (bnc#1012382).
- s390: add assembler macros for CPU alternatives (bnc#1012382).
- s390/cio: clear timer when terminating driver I/O (bnc#1012382).
- s390/cio: fix return code after missing interrupt (bnc#1012382).
- s390/cpum_sf: ensure sample frequency of perf event attributes is non-zero (LTC#168035 bnc#1012382 bnc#1094532).
- s390: extend expoline to BC instructions (bnc#1012382).
- s390/ftrace: use expoline for indirect branches (bnc#1012382).
- s390/kernel: use expoline for indirect branches (bnc#1012382).
- s390/lib: use expoline for indirect branches (bnc#1012382).
- s390: move expoline assembler macros to a header (bnc#1012382).
- s390: move spectre sysfs attribute code (bnc#1012382).
- s390/qdio: do not release memory in qdio_setup_irq() (bnc#1012382).
- s390/qdio: fix access to uninitialized qdio_q fields (LTC#168037 bnc#1012382 bnc#1094532).
- s390: remove indirect branch from do_softirq_own_stack (bnc#1012382).
- s390: use expoline thunks in the BPF JIT (bnc#1012382).
- sched/rt: Fix rq->clock_update_flags lower than RQCF_ACT_SKIP warning (bnc#1012382).
- scripts/git-pre-commit:
- scsi: aacraid: fix shutdown crash when init fails (bnc#1012382).
- scsi: aacraid: Insure command thread is not recursively stopped (bnc#1012382).
- scsi: bnx2fc: Fix check in SCSI completion handler for timed out request (bnc#1012382).
- scsi: fas216: fix sense buffer initialization (bnc#1012382 bsc#1082979).
- scsi: libsas: defer ata device eh commands to libata (bnc#1012382).
- scsi: lpfc: Fix frequency of Release WQE CQEs (bnc#1012382).
- scsi: lpfc: Fix issue_lip if link is disabled (bnc#1012382 bsc#1080656).
- scsi: lpfc: Fix soft lockup in lpfc worker thread during LIP testing (bnc#1012382 bsc#1080656).
- scsi: mpt3sas: Do not mark fw_event workqueue as WQ_MEM_RECLAIM (bnc#1012382 bsc#1078583).
- scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo() (bnc#1012382).
- scsi: qla2xxx: Avoid triggering undefined behavior in qla2x00_mbx_completion() (bnc#1012382).
- scsi: qla4xxx: skip error recovery in case of register disconnect (bnc#1012382).
- scsi: scsi_transport_srp: Fix shost to rport translation (bnc#1012382).
- scsi: sd: Keep disk read-only when re-reading partition (bnc#1012382).
- scsi: sg: allocate with __GFP_ZERO in sg_build_indirect() (bnc#1012382).
- scsi: storvsc: Increase cmd_per_lun for higher speed devices (bnc#1012382).
- scsi: sym53c8xx_2: iterator underflow in sym_getsync() (bnc#1012382).
- scsi: ufs: Enable quirk to ignore sending WRITE_SAME command (bnc#1012382).
- scsi: zfcp: fix infinite iteration on ERP ready list (LTC#168038 bnc#1012382 bnc#1094532).
- sctp: delay the authentication for the duplicated cookie-echo chunk (bnc#1012382).
- sctp: fix the issue that the cookie-ack with auth can't get processed (bnc#1012382).
- sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr (bnc#1012382).
- sctp: use the old asoc when making the cookie-ack chunk in dupcook_d (bnc#1012382).
- selftests: ftrace: Add a testcase for probepoint (bnc#1012382).
- selftests: ftrace: Add a testcase for string type with kprobe_event (bnc#1012382).
- selftests: ftrace: Add probe event argument syntax testcase (bnc#1012382).
- selftests: memfd: add config fragment for fuse (bnc#1012382).
- selftests/net: fixes psock_fanout eBPF test case (bnc#1012382).
- selftests/powerpc: Skip the subpage_prot tests if the syscall is unavailable (bnc#1012382).
- selftests: Print the test we're running to /dev/kmsg (bnc#1012382).
- selinux: KASAN: slab-out-of-bounds in xattr_getsecurity (bnc#1012382).
- serial: arc_uart: Fix out-of-bounds access through DT alias (bnc#1012382).
- serial: fsl_lpuart: Fix out-of-bounds access through DT alias (bnc#1012382).
- serial: imx: Fix out-of-bounds access through serial port index (bnc#1012382).
- serial: mxs-auart: Fix out-of-bounds access through serial port index (bnc#1012382).
- serial: samsung: fix maxburst parameter for DMA transactions (bnc#1012382).
- serial: samsung: Fix out-of-bounds access through serial port index (bnc#1012382).
- serial: xuartps: Fix out-of-bounds access through DT alias (bnc#1012382).
- sh: fix debug trap failure to process signals before return to user (bnc#1012382).
- sh: New gcc support (bnc#1012382).
- signals: avoid unnecessary taking of sighand->siglock (bnc#1012382 bnc#978907).
- sit: fix IFLA_MTU ignored on NEWLINK (bnc#1012382).
- smsc75xx: fix smsc75xx_set_features() (bnc#1012382).
- sock_diag: fix use-after-free read in __sk_free (bnc#1012382).
- sparc64: Fix build warnings with gcc 7 (bnc#1012382).
- sparc64: Make atomic_xchg() an inline function rather than a macro (bnc#1012382).
- spi: pxa2xx: Allow 64-bit DMA (bnc#1012382).
- sr: get/drop reference to device in revalidate and check_events (bnc#1012382).
- staging: rtl8192u: return -ENOMEM on failed allocation of priv->oldaddr (bnc#1012382).
- stm class: Use vmalloc for the master map (bnc#1012382).
- sunvnet: does not support GSO for sctp (bnc#1012382).
- swap: divide-by-zero when zero length swap file on ssd (bnc#1012382 bsc#1082153).
- tcp: avoid integer overflows in tcp_rcv_space_adjust() (bnc#1012382).
- tcp: ignore Fast Open on repair mode (bnc#1012382).
- tcp: purge write queue in tcp_connect_init() (bnc#1012382).
- team: use netdev_features_t instead of u32 (bnc#1012382).
- test_bpf: Fix testing with CONFIG_BPF_JIT_ALWAYS_ON=y on other arches (git-fixes).
- tg3: Fix vunmap() BUG_ON() triggered from tg3_free_consistent() (bnc#1012382).
- tick/broadcast: Use for_each_cpu() specially on UP kernels (bnc#1012382).
- time: Fix CLOCK_MONOTONIC_RAW sub-nanosecond accounting (bnc#1012382).
- tools/libbpf: handle issues with bpf ELF objects containing .eh_frames (bnc#1012382).
- tools lib traceevent: Fix get_field_str() for dynamic strings (bnc#1012382).
- tools lib traceevent: Simplify pointer print logic and fix %pF (bnc#1012382).
- tools/thermal: tmon: fix for segfault (bnc#1012382).
- tpm: do not suspend/resume if power stays on (bnc#1012382).
- tpm: self test failure should not cause suspend to fail (bnc#1012382).
- tracing: Fix crash when freeing instances with event triggers (bnc#1012382).
- tracing/hrtimer: Fix tracing bugs by taking all clock bases and modes into account (bnc#1012382).
- tracing/x86/xen: Remove zero data size trace events trace_xen_mmu_flush_tlb{_all} (bnc#1012382).
- udf: Provide saner default for invalid uid / gid (bnc#1012382).
- usb: dwc2: Fix dwc2_hsotg_core_init_disconnected() (bnc#1012382).
- usb: dwc2: Fix interval type issue (bnc#1012382).
- usb: dwc3: Update DWC_usb31 GTXFIFOSIZ reg fields (bnc#1012382).
- usb: gadget: composite: fix incorrect handling of OS desc requests (bnc#1012382).
- usb: gadget: ffs: Execute copy_to_user() with USER_DS set (bnc#1012382).
- usb: gadget: ffs: Let setup() return USB_GADGET_DELAYED_STATUS (bnc#1012382).
- usb: gadget: fsl_udc_core: fix ep valid checks (bnc#1012382).
- usb: gadget: f_uac2: fix bFirstInterface in composite gadget (bnc#1012382).
- usb: gadget: udc: change comparison to bitshift when dealing with a mask (bnc#1012382).
- usbip: usbip_host: delete device from busid_table after rebind (bnc#1012382).
- usbip: usbip_host: fix bad unlock balance during stub_probe() (bnc#1012382).
- usbip: usbip_host: fix NULL-ptr deref and use-after-free errors (bnc#1012382).
- usbip: usbip_host: refine probe and disconnect debug msgs to be useful (bnc#1012382).
- usbip: usbip_host: run rebind from exit when module is removed (bnc#1012382).
- usb: musb: call pm_runtime_{get,put}_sync before reading vbus registers (bnc#1012382).
- usb: musb: fix enumeration after resume (bnc#1012382).
- USB: OHCI: Fix NULL dereference in HCDs using HCD_LOCAL_MEM (bnc#1012382).
- USB: serial: cp210x: use tcflag_t to fix incompatible pointer type (bnc#1012382).
- vfs: add path_has_submounts() (bsc#1086716).
- vfs: add path_is_mountpoint() helper (bsc#1086716).
- vfs: change d_manage() to take a struct path (bsc#1086716).
- virtio-gpu: fix ioctl and expose the fixed status to userspace (bnc#1012382).
- virtio-net: Fix operstate for virtio when no VIRTIO_NET_F_STATUS (bnc#1012382).
- vmscan: do not force-scan file lru if its absolute size is small (bnc#1012382).
- vmw_balloon: fixing double free when batching mode is off (bnc#1012382).
- vti4: Do not count header length twice on tunnel setup (bnc#1012382).
- vti4: Do not override MTU passed on link creation via IFLA_MTU (bnc#1012382).
- watchdog: f71808e_wdt: Fix magic close handling (bnc#1012382).
- watchdog: sp5100_tco: Fix watchdog disable bit (bnc#1012382).
- workqueue: use put_device() instead of kfree() (bnc#1012382).
- x86/apic: Set up through-local-APIC mode on the boot CPU if 'noapic' specified (bnc#1012382).
- x86/boot: Fix early command-line parsing when partial word matches (bsc#1096140).
- x86/bugs: IBRS: make runtime disabling fully dynamic (bsc#1068032).
- x86/bugs: spec_ctrl must be cleared from cpu_caps_set when being disabled (bsc#1096140).
- x86/cpufeature: Remove unused and seldomly used cpu_has_xx macros (bnc#1012382).
- x86/crypto, x86/fpu: Remove X86_FEATURE_EAGER_FPU #ifdef from the crc32c code (bnc#1012382).
- x86/devicetree: Fix device IRQ settings in DT (bnc#1012382).
- x86/devicetree: Initialize device tree before using it (bnc#1012382).
- x86: ENABLE_IBRS is sometimes called early during boot while it should not. Let's drop the uoptimization for now. Fixes bsc#1098009 and bsc#1098012
- x86/fpu: Disable AVX when eagerfpu is off (bnc#1012382).
- x86/fpu: Hard-disable lazy FPU mode (bnc#1012382).
- x86/fpu: Revert ('x86/fpu: Disable AVX when eagerfpu is off') (bnc#1012382).
- x86/kexec: Avoid double free_page() upon do_kexec_load() failure (bnc#1012382).
- x86/pgtable: Do not set huge PUD/PMD on non-leaf entries (bnc#1012382).
- x86/pkeys: Do not special case protection key 0 (1041740).
- x86/pkeys: Override pkey when moving away from PROT_EXEC (1041740).
- x86/power: Fix swsusp_arch_resume prototype (bnc#1012382).
- x86: Remove unused function cpu_has_ht_siblings() (bnc#1012382).
- x86/topology: Update the 'cpu cores' field in /proc/cpuinfo correctly across CPU hotplug operations (bnc#1012382).
- xen/acpi: off by one in read_acpi_id() (bnc#1012382).
- xen/grant-table: Use put_page instead of free_page (bnc#1012382).
- xen-netfront: Fix race between device setup and open (bnc#1012382).
- xen/netfront: raise max number of slots in xennet_get_responses() (bnc#1076049).
- xen/pirq: fix error path cleanup when binding MSIs (bnc#1012382).
- xen-swiotlb: fix the check condition for xen_swiotlb_free_coherent (bnc#1012382).
- xen: xenbus: use put_device() instead of kfree() (bnc#1012382).
- xfrm: fix xfrm_do_migrate() with AEAD e.g(AES-GCM) (bnc#1012382).
- xfs: convert XFS_AGFL_SIZE to a helper function (bsc#1090955, bsc#1090534).
- xfs: detect agfl count corruption and reset agfl (bnc#1012382 bsc#1090534 bsc#1090955).
- xfs: detect agfl count corruption and reset agfl (bsc#1090955, bsc#1090534).
- xfs: do not log/recover swapext extent owner changes for deleted inodes (bsc#1090955).
- xfs: remove racy hasattr check from attr ops (bnc#1012382 bsc#1035432).
- xhci: Fix USB3 NULL pointer dereference at logical disconnect (git-fixes).
- xhci: Fix use-after-free in xhci_free_virt_device (git-fixes).
- xhci: zero usb device slot_id member when disabling and freeing a xhci slot (bnc#1012382).
- zorro: Set up z->dev.dma_mask for the DMA API (bnc#1012382).
- xfs: fix incorrect log_flushed on fsync (bnc#1012382).
ImportantSUSE bug 1012382SUSE bug 1024718SUSE bug 1031717SUSE bug 1035432SUSE bug 1041740SUSE bug 1045330SUSE bug 1056415SUSE bug 1066223SUSE bug 1068032SUSE bug 1068054SUSE bug 1068951SUSE bug 1070404SUSE bug 1073311SUSE bug 1075428SUSE bug 1076049SUSE bug 1078583SUSE bug 1079152SUSE bug 1080542SUSE bug 1080656SUSE bug 1081500SUSE bug 1081514SUSE bug 1082153SUSE bug 1082504SUSE bug 1082979SUSE bug 1085185SUSE bug 1085308SUSE bug 1086400SUSE bug 1086716SUSE bug 1087036SUSE bug 1087086SUSE bug 1088871SUSE bug 1090435SUSE bug 1090534SUSE bug 1090734SUSE bug 1090955SUSE bug 1091594SUSE bug 1094532SUSE bug 1095042SUSE bug 1095147SUSE bug 1096037SUSE bug 1096140SUSE bug 1096214SUSE bug 1096242SUSE bug 1096281SUSE bug 1096751SUSE bug 1096982SUSE bug 1097234SUSE bug 1097356SUSE bug 1098009SUSE bug 1098012SUSE bug 971975SUSE bug 973378SUSE bug 978907CVE-2017-17741 at SUSECVE-2017-17741 at NVDCVE-2017-18241 at SUSECVE-2017-18241 at NVDCVE-2017-18249 at SUSECVE-2017-18249 at NVDCVE-2018-12233 at SUSECVE-2018-12233 at NVDCVE-2018-3665 at SUSECVE-2018-3665 at NVDCVE-2018-5848 at SUSECVE-2018-5848 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
This update adds mitigations for various side channel attacks against modern CPUs that could disclose
content of otherwise unreadable memory (bnc#1068032).
- CVE-2017-5753 / 'SpectreAttack': Local attackers on systems with modern CPUs featuring
deep instruction pipelining could use attacker controllable speculative
execution over code patterns in the Linux Kernel to leak content from
otherwise not readable memory in the same address space, allowing
retrieval of passwords, cryptographic keys and other secrets.
This problem is mitigated by adding speculative fencing on affected
code paths throughout the Linux kernel.
- CVE-2017-5715 / 'SpectreAttack': Local attackers on systems with modern CPUs featuring
branch prediction could use mispredicted branches to speculatively execute
code patterns that in turn could be made to leak other non-readable
content in the same address space, an attack similar to CVE-2017-5753.
This problem is mitigated by disabling predictive branches, depending
on CPU architecture either by firmware updates and/or fixes in the
user-kernel privilege boundaries.
Please also check with your CPU / Hardware vendor for available
firmware or BIOS updates.
As this feature can have a performance impact, it can be disabled
using the 'nospec' kernel commandline option.
- CVE-2017-5754 / 'MeltdownAttack': Local attackers on systems with
modern CPUs featuring deep instruction pipelining could use code
patterns in userspace to speculative executive code that would read
otherwise read protected memory.
This problem is mitigated by unmapping the Linux Kernel from the user
address space during user code execution, following a approach called
'KAISER'. The terms used here are 'KAISER' / 'Kernel Address Isolation'
and 'PTI' / 'Page Table Isolation'.
This is only enabled by default on affected architectures.
This feature can be enabled / disabled by the 'pti=[on|off|auto]' or 'nopti' commandline options.
The following security bugs were fixed:
- CVE-2017-17806: The HMAC implementation (crypto/hmac.c) in the Linux
kernel did not validate that the underlying cryptographic hash algorithm
is unkeyed, allowing a local attacker able to use the AF_ALG-based hash
interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm
(CONFIG_CRYPTO_SHA3) to cause a kernel stack buffer overflow by executing
a crafted sequence of system calls that encounter a missing SHA-3
initialization (bnc#1073874).
- CVE-2017-17805: The Salsa20 encryption algorithm in the Linux kernel did
not correctly handle zero-length inputs, allowing a local attacker able to
use the AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER)
to cause a denial of service (uninitialized-memory free and kernel
crash) or have unspecified other impact by executing a crafted sequence
of system calls that use the blkcipher_walk API. Both the generic
implementation (crypto/salsa20_generic.c) and x86 implementation
(arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable (bnc#1073792).
The following non-security bugs were fixed:
- Add undefine _unique_build_ids (bsc#964063)
- apei / ERST: Fix missing error handling in erst_reader() (bsc#1072556).
- arm: Hide finish_arch_post_lock_switch() from modules (bsc#1068032).
- autofs: fix careless error in recent commit (bnc#1012382 bsc#1065180).
- bnxt_en: Do not print 'Link speed -1 no longer supported' messages (bsc#1070116).
- bpf: prevent speculative execution in eBPF interpreter (bnc#1068032).
- carl9170: prevent speculative execution (bnc#1068032).
- ceph: drop negative child dentries before try pruning inode's alias (bsc#1073525).
- Check cmdline_find_option() retval properly and use boot_cpu_has().
- cifs: Fix NULL pointer deref on SMB2_tcon() failure (bsc#1071009).
- cw1200: prevent speculative execution (bnc#1068032).
- e1000e: Fix e1000_check_for_copper_link_ich8lan return value (bsc#1073809).
- Fix unsed variable warning in has_unmovable_pages (bsc#1073868).
- fs: prevent speculative execution (bnc#1068032).
- genwqe: Take R/W permissions into account when dealing with memory pages (bsc#1073090).
- ibmvnic: Include header descriptor support for ARP packets (bsc#1073912).
- ibmvnic: Increase maximum number of RX/TX queues (bsc#1073912).
- ibmvnic: Rename IBMVNIC_MAX_TX_QUEUES to IBMVNIC_MAX_QUEUES (bsc#1073912).
- ipv6: prevent speculative execution (bnc#1068032).
- iw_cxgb4: fix misuse of integer variable (bsc#963897,FATE#320114).
- iw_cxgb4: only insert drain cqes if wq is flushed (bsc#321658 FATE#1005778 bsc#321660 FATE#1005780 bsc#321661 FATE#1005781).
- kaiser: add 'nokaiser' boot option, using ALTERNATIVE.
- kaiser: align addition to x86/mm/Makefile.
- kaiser: asm/tlbflush.h handle noPGE at lower level.
- kaiser: cleanups while trying for gold link.
- kaiser: disabled on Xen PV.
- kaiser: do not set _PAGE_NX on pgd_none.
- kaiser: drop is_atomic arg to kaiser_pagetable_walk().
- kaiser: enhanced by kernel and user PCIDs.
- kaiser: ENOMEM if kaiser_pagetable_walk() NULL.
- kaiser: fix build and FIXME in alloc_ldt_struct().
- kaiser: fix perf crashes.
- kaiser: fix regs to do_nmi() ifndef CONFIG_KAISER.
- kaiser: fix unlikely error in alloc_ldt_struct().
- kaiser: KAISER depends on SMP.
- kaiser: kaiser_flush_tlb_on_return_to_user() check PCID.
- kaiser: kaiser_remove_mapping() move along the pgd.
- kaiser: Kernel Address Isolation.
- kaiser: load_new_mm_cr3() let SWITCH_USER_CR3 flush.
- kaiser: load_new_mm_cr3() let SWITCH_USER_CR3 flush user.
- kaiser: name that 0x1000 KAISER_SHADOW_PGD_OFFSET.
- kaiser: paranoid_entry pass cr3 need to paranoid_exit.
- kaiser: PCID 0 for kernel and 128 for user.
- kaiser: _pgd_alloc() without __GFP_REPEAT to avoid stalls.
- kaiser: stack map PAGE_SIZE at THREAD_SIZE-PAGE_SIZE.
- kaiser: tidied up asm/kaiser.h somewhat.
- kaiser: tidied up kaiser_add/remove_mapping slightly.
- kaiser: use ALTERNATIVE instead of x86_cr3_pcid_noflush.
- kaiser: vmstat show NR_KAISERTABLE as nr_overhead.
- kaiser: x86_cr3_pcid_noflush and x86_cr3_pcid_user.
- kvm: svm: Do not intercept new speculative control MSRs (bsc#1068032).
- kvm: x86: Add speculative control CPUID support for guests (bsc#1068032).
- locking/barriers: introduce new memory barrier gmb() (bnc#1068032).
- mm/mmu_context, sched/core: Fix mmu_context.h assumption (bsc#1068032).
- net/mlx5e: DCBNL, Implement tc with ets type and zero bandwidth (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- net: mpls: prevent speculative execution (bnc#1068032).
- nfs: revalidate '.' etc correctly on 'open' (bsc#1068951).
- nfs: revalidate '.' etc correctly on 'open' (git-fixes). Fix References: tag.
- nfsv4: always set NFS_LOCK_LOST when a lock is lost (bsc#1068951).
- nvme-fabrics: introduce init command check for a queue that is not alive (bsc#1072890).
- nvme-fc: check if queue is ready in queue_rq (bsc#1072890).
- nvme-fc: do not use bit masks for set/test_bit() numbers (bsc#1072890).
- nvme-loop: check if queue is ready in queue_rq (bsc#1072890).
- nvmet-fc: cleanup nvmet add_port/remove_port (bsc#1072890).
- nvmet_fc: correct broken add_port (bsc#1072890).
- p54: prevent speculative execution (bnc#1068032).
- powerpc/barrier: add gmb.
- powerpc: Secure memory rfi flush (bsc#1068032).
- ptrace: Add a new thread access check (bsc#1068032).
- qla2xxx: prevent speculative execution (bnc#1068032).
- s390: add ppa to system call and program check path (bsc#1068032).
- s390: introduce CPU alternatives (bsc#1068032).
- s390/qeth: add missing hash table initializations (bnc#1072216, LTC#162173).
- s390/qeth: fix early exit from error path (bnc#1072216, LTC#162173).
- s390/qeth: fix thinko in IPv4 multicast address tracking (bnc#1072216, LTC#162173).
- s390/spinlock: add gmb memory barrier (bsc#1068032).
- sched/core: Add switch_mm_irqs_off() and use it in the scheduler (bsc#1068032).
- sched/core: Idle_task_exit() shouldn't use switch_mm_irqs_off() (bsc#1068032).
- scsi_dh_alua: skip RTPG for devices only supporting active/optimized (bsc#1064311).
- scsi: lpfc: correct sg_seg_cnt attribute min vs default (bsc#1072166).
- scsi: qedi: Limit number for CQ queues (bsc#1072866).
- scsi_scan: Exit loop if TUR to LUN0 fails with 0x05/0x25 (bsc#1063043). This is specific to FUJITSU ETERNUS_DX* targets. They can return 'Illegal Request - Logical unit not supported' and processing should leave the timeout loop in this case.
- scsi: ses: check return code from ses_recv_diag() (bsc#1039616).
- scsi: ses: Fixup error message 'failed to get diagnostic page 0xffffffea' (bsc#1039616).
- scsi: ses: Fix wrong page error (bsc#1039616).
- scsi: ses: make page2 support optional (bsc#1039616).
- sfc: pass valid pointers from efx_enqueue_unwind (bsc#1017967 FATE#321663).
- thermal/int340x: prevent speculative execution (bnc#1068032).
- udf: prevent speculative execution (bnc#1068032).
- Update config files: enable KAISER.
- usb: host: fix incorrect updating of offset (bsc#1047487).
- userns: prevent speculative execution (bnc#1068032).
- uvcvideo: prevent speculative execution (bnc#1068032).
- vxlan: correctly handle ipv6.disable module parameter (bsc#1072962).
- x86/boot: Add early cmdline parsing for options with arguments.
- x86/CPU/AMD: Add speculative control support for AMD (bsc#1068032).
- x86/CPU/AMD: Make the LFENCE instruction serialized (bsc#1068032).
- x86/CPU/AMD: Remove now unused definition of MFENCE_RDTSC feature (bsc#1068032).
- x86/CPU: Check speculation control CPUID bit (bsc#1068032).
- x86/enter: Add macros to set/clear IBRS and set IBPB (bsc#1068032).
- x86/entry: Add a function to overwrite the RSB (bsc#1068032).
- x86/entry: Stuff RSB for entry to kernel for non-SMEP platform (bsc#1068032).
- x86/entry: Use IBRS on entry to kernel space (bsc#1068032).
- x86/feature: Enable the x86 feature to control Speculation (bsc#1068032).
- x86/idle: Disable IBRS when offlining a CPU and re-enable on wakeup (bsc#1068032).
- x86/idle: Toggle IBRS when going idle (bsc#1068032).
- x86/kaiser: Check boottime cmdline params.
- x86/kaiser: Move feature detection up (bsc#1068032).
- x86/kaiser: Reenable PARAVIRT.
- x86/kaiser: Rename and simplify X86_FEATURE_KAISER handling.
- x86/kvm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD to kvm (bsc#1068032).
- x86/kvm: Add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD to kvm (bsc#1068032).
- x86/kvm: Flush IBP when switching VMs (bsc#1068032).
- x86/kvm: Pad RSB on VM transition (bsc#1068032).
- x86/kvm: Toggle IBRS on VM entry and exit (bsc#1068032).
- x86/mm/64: Fix reboot interaction with CR4.PCIDE (bsc#1068032).
- x86/mm: Add a 'noinvpcid' boot option to turn off INVPCID (bsc#1068032).
- x86/mm: Add INVPCID helpers (bsc#1068032).
- x86/mm: Add the 'nopcid' boot option to turn off PCID (bsc#1068032).
- x86/mm: Build arch/x86/mm/tlb.c even on !SMP (bsc#1068032).
- x86/mm: Enable CR4.PCIDE on supported systems (bsc#1068032).
- x86/mm: Fix INVPCID asm constraint (bsc#1068032).
- x86/mm: If INVPCID is available, use it to flush global mappings (bsc#1068032).
- x86/mm: Make flush_tlb_mm_range() more predictable (bsc#1068032).
- x86/mm: Only set IBPB when the new thread cannot ptrace current thread (bsc#1068032).
- x86/mm: Reimplement flush_tlb_page() using flush_tlb_mm_range() (bsc#1068032).
- x86/mm: Remove flush_tlb() and flush_tlb_current_task() (bsc#1068032).
- x86/mm: Remove the UP asm/tlbflush.h code, always use the (formerly) SMP code (bsc#1068032).
- x86/mm, sched/core: Turn off IRQs in switch_mm() (bsc#1068032).
- x86/mm, sched/core: Uninline switch_mm() (bsc#1068032).
- x86/mm: Set IBPB upon context switch (bsc#1068032).
- x86/MSR: Move native_*msr(.. u64) to msr.h (bsc#1068032).
- x86/paravirt: Dont patch flush_tlb_single (bsc#1068032).
- x86/spec: Add IBRS control functions (bsc#1068032).
- x86/spec: Add 'nospec' chicken bit (bsc#1068032).
- x86/spec: Check CPUID direclty post microcode reload to support IBPB feature (bsc#1068032).
- x86/spec_ctrl: Add an Indirect Branch Predictor barrier (bsc#1068032).
- x86/spec_ctrl: Check whether IBPB is enabled before using it (bsc#1068032).
- x86/spec_ctrl: Check whether IBRS is enabled before using it (bsc#1068032).
- x86/svm: Add code to clear registers on VM exit (bsc#1068032).
- x86/svm: Clobber the RSB on VM exit (bsc#1068032).
- x86/svm: Set IBPB when running a different VCPU (bsc#1068032).
- x86/svm: Set IBRS value on VM entry and exit (bsc#1068032).
ImportantSUSE bug 1005778SUSE bug 1005780SUSE bug 1005781SUSE bug 1012382SUSE bug 1017967SUSE bug 1039616SUSE bug 1047487SUSE bug 1063043SUSE bug 1064311SUSE bug 1065180SUSE bug 1068032SUSE bug 1068951SUSE bug 1070116SUSE bug 1071009SUSE bug 1072166SUSE bug 1072216SUSE bug 1072556SUSE bug 1072866SUSE bug 1072890SUSE bug 1072962SUSE bug 1073090SUSE bug 1073525SUSE bug 1073792SUSE bug 1073809SUSE bug 1073868SUSE bug 1073874SUSE bug 1073912SUSE bug 963897SUSE bug 964063SUSE bug 966170SUSE bug 966172CVE-2017-17805 at SUSECVE-2017-17805 at NVDCVE-2017-17806 at SUSECVE-2017-17806 at NVDCVE-2017-5715 at SUSECVE-2017-5715 at NVDCVE-2017-5753 at SUSECVE-2017-5753 at NVDCVE-2017-5754 at SUSECVE-2017-5754 at NVDcpe:/o:suse:sles:12:sp3Security update for mariadb (Important)SUSE Linux Enterprise Server 12 SP3
MariaDB was updated to 10.0.35 (bsc#1090518)
Notable changes:
* PCRE updated to 8.42
* XtraDB updated to 5.6.39-83.1
* TokuDB updated to 5.6.39-83.1
* InnoDB updated to 5.6.40
* The embedded server library now supports SSL when connecting
to remote servers [bsc#1088681], [CVE-2018-2767]
* MDEV-15249 - Crash in MVCC read after IMPORT TABLESPACE
* MDEV-14988 - innodb_read_only tries to modify files if
transactions were recovered in COMMITTED state
* MDEV-14773 - DROP TABLE hangs for InnoDB table with FULLTEXT index
* MDEV-15723 - Crash in INFORMATION_SCHEMA.INNODB_SYS_TABLES when
accessing corrupted record
* fixes for the following security vulnerabilities:
CVE-2018-2782, CVE-2018-2784, CVE-2018-2787, CVE-2018-2766,
CVE-2018-2755, CVE-2018-2819, CVE-2018-2817, CVE-2018-2761,
CVE-2018-2781, CVE-2018-2771, CVE-2018-2813
* Release notes and changelog:
* https://kb.askmonty.org/en/mariadb-10035-release-notes
* https://kb.askmonty.org/en/mariadb-10035-changelog
ImportantSUSE bug 1088681SUSE bug 1090518CVE-2018-2755 at SUSECVE-2018-2755 at NVDCVE-2018-2761 at SUSECVE-2018-2761 at NVDCVE-2018-2766 at SUSECVE-2018-2766 at NVDCVE-2018-2767 at SUSECVE-2018-2767 at NVDCVE-2018-2771 at SUSECVE-2018-2771 at NVDCVE-2018-2781 at SUSECVE-2018-2781 at NVDCVE-2018-2782 at SUSECVE-2018-2782 at NVDCVE-2018-2784 at SUSECVE-2018-2784 at NVDCVE-2018-2787 at SUSECVE-2018-2787 at NVDCVE-2018-2813 at SUSECVE-2018-2813 at NVDCVE-2018-2817 at SUSECVE-2018-2817 at NVDCVE-2018-2819 at SUSECVE-2018-2819 at NVDcpe:/o:suse:sles:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3
This update for MozillaFirefox fixes the following security issue:
- CVE-2018-6126: Prevent heap buffer overflow in rasterizing paths in SVG with Skia (bsc#1096449).
ImportantSUSE bug 1096449CVE-2018-6126 at SUSECVE-2018-6126 at NVDcpe:/o:suse:sles:12:sp3Security update for tiff (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for tiff fixes the following issues:
These security issues were fixed:
- CVE-2017-18013: There was a Null-Pointer Dereference in the tif_print.c TIFFPrintDirectory function, as demonstrated by a tiffinfo crash. (bsc#1074317)
- CVE-2018-10963: The TIFFWriteDirectorySec() function in tif_dirwrite.c allowed remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726. (bsc#1092949)
- CVE-2018-7456: Prevent a NULL Pointer dereference in the function TIFFPrintDirectory when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013 (bsc#1082825)
- CVE-2017-11613: Prevent denial of service in the TIFFOpen function. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If the value of td_imagelength is set close to the amount of system memory, it will hang the system or trigger the OOM killer (bsc#1082332)
- CVE-2018-8905: Prevent heap-based buffer overflow in the function LZWDecodeCompat via a crafted TIFF file (bsc#1086408)
- CVE-2016-8331: Prevent remote code execution because of incorrect handling of TIFF images. A crafted TIFF document could have lead to a type confusion vulnerability resulting in remote code execution. This vulnerability could have been be triggered via a TIFF file delivered to the application using LibTIFF's tag extension functionality (bsc#1007276)
- CVE-2016-3632: The _TIFFVGetField function allowed remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image (bsc#974621)
ModerateSUSE bug 1007276SUSE bug 1074317SUSE bug 1082332SUSE bug 1082825SUSE bug 1086408SUSE bug 1092949SUSE bug 974621CVE-2016-3632 at SUSECVE-2016-3632 at NVDCVE-2016-8331 at SUSECVE-2016-8331 at NVDCVE-2017-11613 at SUSECVE-2017-11613 at NVDCVE-2017-13726 at SUSECVE-2017-13726 at NVDCVE-2017-18013 at SUSECVE-2017-18013 at NVDCVE-2018-10963 at SUSECVE-2018-10963 at NVDCVE-2018-7456 at SUSECVE-2018-7456 at NVDCVE-2018-8905 at SUSECVE-2018-8905 at NVDcpe:/o:suse:sles:12:sp3Security update for unixODBC (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for unixODBC to version 2.3.6 fixes the following issues:
- CVE-2018-7409: Buffer overflow in unicode_to_ansi_copy() was fixed in 2.3.5 (bsc#1082290)
- CVE-2018-7485: Swapped arguments in SQLWriteFileDSN() in odbcinst/SQLWriteFileDSN.c (bsc#1082484)
Other fixes:
- Enabled --enable-fastvalidate option in configure (bsc#1044970)
ModerateSUSE bug 1044970SUSE bug 1082060SUSE bug 1082290SUSE bug 1082484CVE-2018-7409 at SUSECVE-2018-7409 at NVDCVE-2018-7485 at SUSECVE-2018-7485 at NVDcpe:/o:suse:sles:12:sp3Security update for procps (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for procps fixes the following security issues:
- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top
with HOME unset in an attacker-controlled directory, the attacker could have
achieved privilege escalation by exploiting one of several vulnerabilities in
the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow.
Inbuilt protection in ps maped a guard page at the end of the overflowed
buffer, ensuring that the impact of this flaw is limited to a crash (temporary
denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap
corruption in file2strvec function. This allowed a privilege escalation for a
local attacker who can create entries in procfs by starting processes, which
could result in crashes or arbitrary code execution in proc utilities run by
other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was
mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent
truncation/integer overflow issues (bsc#1092100).
ModerateSUSE bug 1092100CVE-2018-1122 at SUSECVE-2018-1122 at NVDCVE-2018-1123 at SUSECVE-2018-1123 at NVDCVE-2018-1124 at SUSECVE-2018-1124 at NVDCVE-2018-1125 at SUSECVE-2018-1125 at NVDCVE-2018-1126 at SUSECVE-2018-1126 at NVDcpe:/o:suse:sles:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ImageMagick fixes the following issues:
These security issues were fixed:
- CVE-2017-13758: Prevent heap-based buffer overflow in the TracePoint()
function (bsc#1056277).
- CVE-2017-10928: Prevent heap-based buffer over-read in the GetNextToken
function that allowed remote attackers to obtain sensitive information from
process memory or possibly have unspecified other impact via a crafted SVG
document (bsc#1047356).
- CVE-2018-9133: Long compute times in the tiff decoder have been fixed (bsc#1087820).
- CVE-2018-11251: Heap-based buffer over-read in ReadSUNImage in coders/sun.c, which allows attackers to cause denial of service (bsc#1094237).
- CVE-2017-18271: Infinite loop in the function ReadMIFFImage in coders/miff.c, which allows attackers to cause a denial of service (bsc#1094204).
- CVE-2018-11655: Memory leak in the GetImagePixelCache in MagickCore/cache.c was fixed (bsc#1095730)
- CVE-2018-10804: Memory leak in WriteTIFFImage in coders/tiff.c was fixed (bsc#1095813)
- CVE-2018-10805: Fixed memory leaks in bgr.c, rgb.c, cmyk.c, gray.c, ycbcr.c (bsc#1095812)
ModerateSUSE bug 1047356SUSE bug 1056277SUSE bug 1087820SUSE bug 1094204SUSE bug 1094237SUSE bug 1095730SUSE bug 1095812SUSE bug 1095813CVE-2017-10928 at SUSECVE-2017-10928 at NVDCVE-2017-13758 at SUSECVE-2017-13758 at NVDCVE-2017-18271 at SUSECVE-2017-18271 at NVDCVE-2018-10804 at SUSECVE-2018-10804 at NVDCVE-2018-10805 at SUSECVE-2018-10805 at NVDCVE-2018-11251 at SUSECVE-2018-11251 at NVDCVE-2018-11655 at SUSECVE-2018-11655 at NVDCVE-2018-9133 at SUSECVE-2018-9133 at NVDcpe:/o:suse:sles:12:sp3Security update for libvpx (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libvpx fixes one issues.
This security issue was fixed:
- CVE-2017-13194: Fixed incorrect memory allocation related to odd frame width (bsc#1075992).
ModerateSUSE bug 1075992CVE-2017-13194 at SUSECVE-2017-13194 at NVDcpe:/o:suse:sles:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for openssl fixes the following issues:
- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based
ciphersuite a malicious server could have sent a very large prime value to the
client. This caused the client to spend an unreasonably long period of time
generating a key for this prime resulting in a hang until the client has
finished. This could be exploited in a Denial Of Service attack (bsc#1097158).
- Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592)
ModerateSUSE bug 1097158SUSE bug 1097624SUSE bug 1098592CVE-2018-0732 at SUSECVE-2018-0732 at NVDcpe:/o:suse:sles:12:sp3Security update for libqt4 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libqt4 fixes the following issues:
LibQt4 was updated to 4.8.7 (bsc#1039291, CVE-2016-10040):
See
http://download.qt.io/official_releases/qt/4.8/4.8.7/changes-4.8.7
for more details.
Also libQtWebkit4 was updated to 2.3.4 to match libqt4.
Also following bugs were fixed:
- Enable libqt4-devel-32bit (bsc#982826)
- Fixed bolder font in Qt4 apps (boo#956357)
ModerateSUSE bug 1039291SUSE bug 1042657SUSE bug 956357SUSE bug 964458SUSE bug 982826CVE-2016-10040 at SUSECVE-2016-10040 at NVDcpe:/o:suse:sles:12:sp3Recommended update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3
The Intel CPU microcode bundle was updated to the 20180703 release.
For the listed CPU chipsets this fixes CVE-2018-3640 (Spectre v3a)
and helps mitigating CVE-2018-3639 (Spectre v4) (bsc#1100147 bsc#1087082 bsc#1087083).
More information on:
https://downloadcenter.intel.com/download/27945/Linux-Processor-Microcode-Data-File
Following chipsets are fixed in this round:
Model Stepping F-MO-S/PI Old->New
---- updated platforms ------------------------------------
SNB-EP C1 6-2d-6/6d 0000061c->0000061d Xeon E5
SNB-EP C2 6-2d-7/6d 00000713->00000714 Xeon E5
IVT C0 6-3e-4/ed 0000042c->0000042d Xeon E5 v2; Core i7-4960X/4930K/4820K
IVT D1 6-3e-7/ed 00000713->00000714 Xeon E5 v2
HSX-E/EP/4S C0 6-3f-2/6f 0000003c->0000003d Xeon E5 v3
HSX-EX E0 6-3f-4/80 00000011->00000012 Xeon E7 v3
SKX-SP/D/W/X H0 6-55-4/b7 02000043->0200004d Xeon Bronze 31xx, Silver 41xx, Gold 51xx/61xx Platinum 81xx, D/W-21xx; Core i9-7xxxX
BDX-DE A1 6-56-5/10 0e000009->0e00000a Xeon D-15x3N
BDX-ML B/M/R0 6-4f-1/ef 0b00002c->0b00002e Xeon E5/E7 v4; Core i7-69xx/68xx
- Add a new style supplements for the recent kernels. (bsc#1096141)
ImportantSUSE bug 1087082SUSE bug 1087083SUSE bug 1096141SUSE bug 1100147CVE-2018-3639 at SUSECVE-2018-3639 at NVDCVE-2018-3640 at SUSECVE-2018-3640 at NVDcpe:/o:suse:sles:12:sp3Security update for gdk-pixbuf (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for gdk-pixbuf fixes the following security issue:
- CVE-2017-1000422: Prevent several integer overflow in the gif_get_lzw
function resulting in memory corruption and potential code execution
(bsc#1074462).
ModerateSUSE bug 1074462CVE-2017-1000422 at SUSECVE-2017-1000422 at NVDcpe:/o:suse:sles:12:sp3Security update for perl (Important)SUSE Linux Enterprise Server 12 SP3
This update for perl fixes the following issues:
These security issue were fixed:
- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a
directory-traversal protection mechanism and overwrite arbitrary files
(bsc#1096718)
This non-security issue was fixed:
- fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565]
ImportantSUSE bug 1068565SUSE bug 1082216SUSE bug 1082233SUSE bug 1082234SUSE bug 1096718CVE-2018-12015 at SUSECVE-2018-12015 at NVDCVE-2018-6797 at SUSECVE-2018-6797 at NVDCVE-2018-6798 at SUSECVE-2018-6798 at NVDCVE-2018-6913 at SUSECVE-2018-6913 at NVDcpe:/o:suse:sles:12:sp3Security update for wireshark (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for wireshark to version 2.2.12 fixes the following issues:
- CVE-2018-5334: IxVeriWave file could crash (bsc#1075737)
- CVE-2018-5335: WCP dissector could crash (bsc#1075738)
- CVE-2018-5336: Multiple dissector crashes (bsc#1075739)
- CVE-2017-17935: Incorrect handling of '\n' in file_read_line function could
have lead to denial of service (bsc#1074171)
This release no longer enables the Linux kernel BPF JIT compiler via the
net.core.bpf_jit_enable sysctl, as this would make systems more vulnerable
to Spectre variant 1 CVE-2017-5753 - (bsc#1075748)
Further bug fixes and updated protocol support as listed in:
https://www.wireshark.org/docs/relnotes/wireshark-2.2.12.html
ModerateSUSE bug 1074171SUSE bug 1075737SUSE bug 1075738SUSE bug 1075739SUSE bug 1075748CVE-2017-17935 at SUSECVE-2017-17935 at NVDCVE-2018-5334 at SUSECVE-2018-5334 at NVDCVE-2018-5335 at SUSECVE-2018-5335 at NVDCVE-2018-5336 at SUSECVE-2018-5336 at NVDcpe:/o:suse:sles:12:sp3Security update for shadow (Important)SUSE Linux Enterprise Server 12 SP3
This update for shadow fixes the following issues:
- CVE-2016-6252: Incorrect integer handling could results in local privilege escalation (bsc#1099310)
ImportantSUSE bug 1099310CVE-2016-6252 at SUSECVE-2016-6252 at NVDcpe:/o:suse:sles:12:sp3Security update for openssh (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for openssh fixes the following issues:
Security issue fixed:
- CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957).
ModerateSUSE bug 1076957CVE-2016-10708 at SUSECVE-2016-10708 at NVDcpe:/o:suse:sles:12:sp3Security update for libexif (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libexif fixes several issues.
These security issues were fixed:
- CVE-2016-6328: Fixed integer overflow in parsing MNOTE entry data of the input
file (bsc#1055857)
- CVE-2017-7544: Fixed out-of-bounds heap read vulnerability in
exif_data_save_data_entry function in libexif/exif-data.c caused by improper
length computation of the allocated data of an ExifMnote entry which can cause
denial-of-service or possibly information disclosure (bsc#1059893)
ModerateSUSE bug 1055857SUSE bug 1059893CVE-2016-6328 at SUSECVE-2016-6328 at NVDCVE-2017-7544 at SUSECVE-2017-7544 at NVDcpe:/o:suse:sles:12:sp3Security update for rsyslog (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for rsyslog fixes the following issues:
The following security vulnerability was addressed:
CVE-2015-3243: Make sure that log files are not created world-readable (bsc#935393)
ModerateSUSE bug 935393CVE-2015-3243 at SUSECVE-2015-3243 at NVDcpe:/o:suse:sles:12:sp3Security update for python (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for python fixes the following issues:
The following security vulnerabilities were addressed:
- Add a check to Lib/wave.py that verifies that at least one channel is
provided. Prior to this, attackers could cause a denial of service via a
crafted wav format audio file. [bsc#1083507, CVE-2017-18207]
ModerateSUSE bug 1083507CVE-2017-18207 at SUSECVE-2017-18207 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3
The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.140 to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2018-13053: The alarm_timer_nsleep function had an integer overflow via a
large relative timeout because ktime_add_safe was not used (bnc#1099924)
- CVE-2018-9385: Prevent overread of the 'driver_override' buffer (bsc#1100491)
- CVE-2018-13405: The inode_init_owner function allowed local users to create
files with an unintended group ownership allowing attackers to escalate
privileges by making a plain file executable and SGID (bnc#1100416)
- CVE-2018-13406: An integer overflow in the uvesafb_setcmap function could
have result in local attackers being able to crash the kernel or potentially
elevate privileges because kmalloc_array is not used (bnc#1100418)
The following non-security bugs were fixed:
- 1wire: family module autoload fails because of upper/lower case mismatch (bnc#1012382).
- ALSA: hda - Clean up ALC299 init code (bsc#1099810).
- ALSA: hda - Enable power_save_node for CX20722 (bsc#1099810).
- ALSA: hda - Fix a wrong FIXUP for alc289 on Dell machines (bsc#1099810).
- ALSA: hda - Fix incorrect usage of IS_REACHABLE() (bsc#1099810).
- ALSA: hda - Fix pincfg at resume on Lenovo T470 dock (bsc#1099810).
- ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream() (bnc#1012382).
- ALSA: hda - Use acpi_dev_present() (bsc#1099810).
- ALSA: hda - add a new condition to check if it is thinkpad (bsc#1099810).
- ALSA: hda - silence uninitialized variable warning in activate_amp_in() (bsc#1099810).
- ALSA: hda/patch_sigmatel: Add AmigaOne X1000 pinconfigs (bsc#1099810).
- ALSA: hda/realtek - Add a quirk for FSC ESPRIMO U9210 (bsc#1099810).
- ALSA: hda/realtek - Add headset mode support for Dell laptop (bsc#1099810).
- ALSA: hda/realtek - Add support headset mode for DELL WYSE (bsc#1099810).
- ALSA: hda/realtek - Clevo P950ER ALC1220 Fixup (bsc#1099810).
- ALSA: hda/realtek - Enable Thinkpad Dock device for ALC298 platform (bsc#1099810).
- ALSA: hda/realtek - Enable mic-mute hotkey for several Lenovo AIOs (bsc#1099810).
- ALSA: hda/realtek - Fix Dell headset Mic can't record (bsc#1099810).
- ALSA: hda/realtek - Fix pop noise on Lenovo P50 and co (bsc#1099810).
- ALSA: hda/realtek - Fix the problem of two front mics on more machines (bsc#1099810).
- ALSA: hda/realtek - Fixup for HP x360 laptops with BandO speakers (bsc#1099810).
- ALSA: hda/realtek - Fixup mute led on HP Spectre x360 (bsc#1099810).
- ALSA: hda/realtek - Make dock sound work on ThinkPad L570 (bsc#1099810).
- ALSA: hda/realtek - Refactor alc269_fixup_hp_mute_led_mic*() (bsc#1099810).
- ALSA: hda/realtek - Reorder ALC269 ASUS quirk entries (bsc#1099810).
- ALSA: hda/realtek - Support headset mode for ALC215/ALC285/ALC289 (bsc#1099810).
- ALSA: hda/realtek - Update ALC255 depop optimize (bsc#1099810).
- ALSA: hda/realtek - adjust the location of one mic (bsc#1099810).
- ALSA: hda/realtek - change the location for one of two front mics (bsc#1099810).
- ALSA: hda/realtek - set PINCFG_HEADSET_MIC to parse_flags (bsc#1099810).
- ALSA: hda/realtek - update ALC215 depop optimize (bsc#1099810).
- ALSA: hda/realtek - update ALC225 depop optimize (bsc#1099810).
- ALSA: hda/realtek: Fix mic and headset jack sense on Asus X705UD (bsc#1099810).
- ALSA: hda/realtek: Limit mic boost on T480 (bsc#1099810).
- ALSA: hda: Fix forget to free resource in error handling code path in hda_codec_driver_probe (bsc#1099810).
- ALSA: hda: add dock and led support for HP EliteBook 830 G5 (bsc#1099810).
- ALSA: hda: add dock and led support for HP ProBook 640 G4 (bsc#1099810).
- ALSA: hda: fix some klockwork scan warnings (bsc#1099810).
- ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size (bnc#1012382).
- ARM: dts: imx6q: Use correct SDMA script for SPI5 core (bnc#1012382).
- ASoC: cirrus: i2s: Fix LRCLK configuration (bnc#1012382).
- ASoC: cirrus: i2s: Fix {TX|RX}LinCtrlData setup (bnc#1012382).
- ASoC: dapm: delete dapm_kcontrol_data paths list before freeing it (bnc#1012382).
- Bluetooth: Fix connection if directed advertising and privacy is used (bnc#1012382).
- Bluetooth: hci_qca: Avoid missing rampatch failure with userspace fw loader (bnc#1012382).
- Btrfs: fix clone vs chattr NODATASUM race (bnc#1012382).
- Btrfs: fix unexpected cow in run_delalloc_nocow (bnc#1012382).
- Btrfs: make raid6 rebuild retry more (bnc#1012382).
- Correct the arguments to verbose() (bsc#1098425)
- HID: debug: check length before copy_to_user() (bnc#1012382).
- HID: hiddev: fix potential Spectre v1 (bnc#1012382).
- HID: i2c-hid: Fix 'incomplete report' noise (bnc#1012382).
- Hang/soft lockup in d_invalidate with simultaneous calls (bsc#1094248, bsc@1097140).
- IB/qib: Fix DMA api warning with debug kernel (bnc#1012382).
- Input: elan_i2c - add ELAN0618 (Lenovo v330 15IKB) ACPI ID (bnc#1012382).
- Input: elan_i2c_smbus - fix more potential stack buffer overflows (bnc#1012382).
- Input: elantech - enable middle button of touchpads on ThinkPad P52 (bnc#1012382).
- Input: elantech - fix V4 report decoding for module with middle key (bnc#1012382).
- MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum (bnc#1012382).
- MIPS: io: Add barrier after register read in inX() (bnc#1012382).
- NFSv4: Fix possible 1-byte stack overflow in nfs_idmap_read_and_verify_message (bnc#1012382).
- PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on resume (bnc#1012382).
- RDMA/mlx4: Discard unknown SQP work requests (bnc#1012382).
- Refresh with upstream commit:62290a5c194b since the typo fix has been merged in upstream. (bsc#1085185)
- Remove broken patches for dac9063 watchdog (bsc#1100843)
- Remove sorted section marker This branch contains a small sorted section with an old format that fails the current checker. Updating the section and scripts to the new format might make merges with other branches more difficult. Instead, simply remove the section marker.
- Revert 'Btrfs: fix scrub to repair raid6 corruption' (bnc#1012382).
- Revert 'kvm: nVMX: Enforce cpl=0 for VMX instructions (bsc#1099183).' This turned out to be superfluous for 4.4.x kernels.
- Revert 'scsi: lpfc: Fix 16gb hbas failing cq create (bsc#1089525).' This reverts commit b054499f7615e2ffa7571ac0d05c7d5c9a8c0327.
- UBIFS: Fix potential integer overflow in allocation (bnc#1012382).
- USB: serial: cp210x: add CESINEL device ids (bnc#1012382).
- USB: serial: cp210x: add Silicon Labs IDs for Windows Update (bnc#1012382).
- Update patches.fixes/nvme-expand-nvmf_check_if_ready-checks.patch (bsc#1098527).
- ath10k: fix rfc1042 header retrieval in QCA4019 with eth decap mode (bnc#1012382).
- atm: zatm: fix memcmp casting (bnc#1012382).
- backlight: as3711_bl: Fix Device Tree node lookup (bnc#1012382).
- backlight: max8925_bl: Fix Device Tree node lookup (bnc#1012382).
- backlight: tps65217_bl: Fix Device Tree node lookup (bnc#1012382).
- bcache: Add __printf annotation to __bch_check_keys() (bsc#1064232).
- bcache: Annotate switch fall-through (bsc#1064232).
- bcache: Fix a compiler warning in bcache_device_init() (bsc#1064232).
- bcache: Fix indentation (bsc#1064232).
- bcache: Fix kernel-doc warnings (bsc#1064232).
- bcache: Fix, improve efficiency of closure_sync() (bsc#1076110).
- bcache: Reduce the number of sparse complaints about lock imbalances (bsc#1064232).
- bcache: Remove an unused variable (bsc#1064232).
- bcache: Suppress more warnings about set-but-not-used variables (bsc#1064232).
- bcache: Use PTR_ERR_OR_ZERO() (bsc#1076110).
- bcache: add CACHE_SET_IO_DISABLE to struct cache_set flags (bsc#1064232).
- bcache: add backing_request_endio() for bi_end_io (bsc#1064232).
- bcache: add io_disable to struct cached_dev (bsc#1064232).
- bcache: add journal statistic (bsc#1076110).
- bcache: add stop_when_cache_set_failed option to backing device (bsc#1064232).
- bcache: add wait_for_kthread_stop() in bch_allocator_thread() (bsc#1064232).
- bcache: closures: move control bits one bit right (bsc#1076110).
- bcache: correct flash only vols (check all uuids) (bsc#1064232).
- bcache: count backing device I/O error for writeback I/O (bsc#1064232).
- bcache: fix cached_dev->count usage for bch_cache_set_error() (bsc#1064232).
- bcache: fix crashes in duplicate cache device register (bsc#1076110).
- bcache: fix error return value in memory shrink (bsc#1064232).
- bcache: fix high CPU occupancy during journal (bsc#1076110).
- bcache: fix inaccurate io state for detached bcache devices (bsc#1064232).
- bcache: fix incorrect sysfs output value of strip size (bsc#1064232).
- bcache: fix misleading error message in bch_count_io_errors() (bsc#1064232).
- bcache: fix using of loop variable in memory shrink (bsc#1064232).
- bcache: fix writeback target calc on large devices (bsc#1076110).
- bcache: fix wrong return value in bch_debug_init() (bsc#1076110).
- bcache: mark closure_sync() __sched (bsc#1076110).
- bcache: move closure debug file into debug directory (bsc#1064232).
- bcache: reduce cache_set devices iteration by devices_max_used (bsc#1064232).
- bcache: ret IOERR when read meets metadata error (bsc#1076110).
- bcache: return 0 from bch_debug_init() if CONFIG_DEBUG_FS=n (bsc#1064232).
- bcache: set CACHE_SET_IO_DISABLE in bch_cached_dev_error() (bsc#1064232).
- bcache: set dc->io_disable to true in conditional_stop_bcache_device() (bsc#1064232).
- bcache: set error_limit correctly (bsc#1064232).
- bcache: set writeback_rate_update_seconds in range [1, 60] seconds (bsc#1064232).
- bcache: stop bcache device when backing device is offline (bsc#1064232).
- bcache: stop dc->writeback_rate_update properly (bsc#1064232).
- bcache: stop writeback thread after detaching (bsc#1076110).
- bcache: store disk name in struct cache and struct cached_dev (bsc#1064232).
- bcache: use pr_info() to inform duplicated CACHE_SET_IO_DISABLE set (bsc#1064232).
- block: Fix transfer when chunk sectors exceeds max (bnc#1012382).
- bonding: re-evaluate force_primary when the primary slave name changes (bnc#1012382).
- bpf: properly enforce index mask to prevent out-of-bounds speculation (bsc#1098425).
- branch-check: fix long->int truncation when profiling branches (bnc#1012382).
- btrfs: scrub: Do not use inode pages for device replace (bnc#1012382).
- cdc_ncm: avoid padding beyond end of skb (bnc#1012382).
- ceph: fix dentry leak in splice_dentry() (bsc#1098236).
- ceph: fix use-after-free in ceph_statfs() (bsc#1098236).
- ceph: fix wrong check for the case of updating link count (bsc#1098236).
- ceph: prevent i_version from going back (bsc#1098236).
- ceph: support file lock on directory (bsc#1098236).
- cifs: Check for timeout on Negotiate stage (bsc#1091171).
- cifs: Fix infinite loop when using hard mount option (bnc#1012382).
- cpufreq: Fix new policy initialization during limits updates via sysfs (bnc#1012382).
- cpuidle: powernv: Fix promotion from snooze if next state disabled (bnc#1012382).
- dm thin: handle running out of data space vs concurrent discard (bnc#1012382).
- dm: convert DM printk macros to pr level macros (bsc#1099918).
- dm: fix printk() rate limiting code (bsc#1099918).
- drbd: fix access after free (bnc#1012382).
- driver core: Do not ignore class_dir_create_and_add() failure (bnc#1012382).
- e1000e: Ignore TSYNCRXCTL when getting I219 clock attributes (bsc#1075876).
- ext4: add more inode number paranoia checks (bnc#1012382).
- ext4: add more mount time checks of the superblock (bnc#1012382).
- ext4: always check block group bounds in ext4_init_block_bitmap() (bnc#1012382).
- ext4: check superblock mapped prior to committing (bnc#1012382).
- ext4: clear i_data in ext4_inode_info when removing inline data (bnc#1012382).
- ext4: fix fencepost error in check for inode count overflow during resize (bnc#1012382).
- ext4: fix unsupported feature message formatting (bsc#1098435).
- ext4: include the illegal physical block in the bad map ext4_error msg (bnc#1012382).
- ext4: make sure bitmaps and the inode table do not overlap with bg descriptors (bnc#1012382).
- ext4: only look at the bg_flags field if it is valid (bnc#1012382).
- ext4: update mtime in ext4_punch_hole even if no blocks are released (bnc#1012382).
- ext4: verify the depth of extent tree in ext4_find_extent() (bnc#1012382).
- fs/binfmt_misc.c: do not allow offset overflow (bsc#1099279).
- fuse: atomic_o_trunc should truncate pagecache (bnc#1012382).
- fuse: do not keep dead fuse_conn at fuse_fill_super() (bnc#1012382).
- fuse: fix control dir setup and teardown (bnc#1012382).
- hv_netvsc: avoid repeated updates of packet filter (bsc#1097492).
- hv_netvsc: defer queue selection to VF (bsc#1097492).
- hv_netvsc: enable multicast if necessary (bsc#1097492).
- hv_netvsc: filter multicast/broadcast (bsc#1097492).
- hv_netvsc: fix filter flags (bsc#1097492).
- hv_netvsc: fix locking during VF setup (bsc#1097492).
- hv_netvsc: fix locking for rx_mode (bsc#1097492).
- hv_netvsc: propagate rx filters to VF (bsc#1097492).
- i2c: rcar: fix resume by always initializing registers before transfer (bnc#1012382).
- iio:buffer: make length types match kfifo types (bnc#1012382).
- iommu/vt-d: Fix race condition in add_unmap() (bsc#1096790, bsc#1097034).
- ipmi:bt: Set the timeout before doing a capabilities check (bnc#1012382).
- ipv4: Fix error return value in fib_convert_metrics() (bnc#1012382).
- ipvs: fix buffer overflow with sync daemon and service (bnc#1012382).
- iwlmvm: tdls: Check TDLS channel switch support (bsc#1099810).
- iwlwifi: fix non_shared_ant for 9000 devices (bsc#1099810).
- jbd2: do not mark block as modified if the handle is out of credits (bnc#1012382).
- kabi/severities: add 'drivers/md/bcache/* PASS' since no one uses symboles expoted by bcache.
- kmod: fix wait on recursive loop (bsc#1099792).
- kmod: reduce atomic operations on kmod_concurrent and simplify (bsc#1099792).
- kmod: throttle kmod thread limit (bsc#1099792).
- kprobes/x86: Do not modify singlestep buffer while resuming (bnc#1012382).
- kvm: nVMX: Enforce cpl=0 for VMX instructions (bsc#1099183).
- lib/vsprintf: Remove atomic-unsafe support for %pCr (bnc#1012382).
- libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk (bnc#1012382).
- libata: zpodd: make arrays cdb static, reduces object code size (bnc#1012382).
- libata: zpodd: small read overflow in eject_tray() (bnc#1012382).
- linvdimm, pmem: Preserve read-only setting for pmem devices (bnc#1012382).
- m68k/mm: Adjust VM area to be unmapped by gap size for __iounmap() (bnc#1012382).
- mac80211: Fix condition validating WMM IE (bsc#1099810,bsc#1099732).
- media: cx231xx: Add support for AverMedia DVD EZMaker 7 (bnc#1012382).
- media: cx25840: Use subdev host data for PLL override (bnc#1012382).
- media: dvb_frontend: fix locking issues at dvb_frontend_get_event() (bnc#1012382).
- media: smiapp: fix timeout checking in smiapp_read_nvm (bsc#1099918).
- media: v4l2-compat-ioctl32: prevent go past max size (bnc#1012382).
- mfd: intel-lpss: Program REMAP register in PIO mode (bnc#1012382).
- mips: ftrace: fix static function graph tracing (bnc#1012382).
- mm: hugetlb: yield when prepping struct pages (bnc#1012382).
- mtd: cfi_cmdset_0002: Avoid walking all chips when unlocking (bnc#1012382).
- mtd: cfi_cmdset_0002: Change definition naming to retry write operation (bnc#1012382).
- mtd: cfi_cmdset_0002: Change erase functions to check chip good only (bnc#1012382).
- mtd: cfi_cmdset_0002: Change erase functions to retry for error (bnc#1012382).
- mtd: cfi_cmdset_0002: Change write buffer to check correct value (bnc#1012382).
- mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary (bnc#1012382).
- mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock() (bnc#1012382).
- mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips (bnc#1012382).
- mtd: cmdlinepart: Update comment for introduction of OFFSET_CONTINUOUS (bsc#1099918).
- mtd: partitions: add helper for deleting partition (bsc#1099918).
- mtd: partitions: remove sysfs files when deleting all master's partitions (bsc#1099918).
- mtd: rawnand: mxc: set spare area size register explicitly (bnc#1012382).
- n_tty: Access echo_* variables carefully (bnc#1012382).
- n_tty: Fix stall at n_tty_receive_char_special() (bnc#1012382).
- net/sonic: Use dma_mapping_error() (bnc#1012382).
- net: qmi_wwan: Add Netgear Aircard 779S (bnc#1012382).
- netfilter: ebtables: handle string from userspace with care (bnc#1012382).
- netfilter: nf_log: do not hold nf_log_mutex during user access (bnc#1012382).
- netfilter: nf_tables: use WARN_ON_ONCE instead of BUG_ON in nft_do_chain() (bnc#1012382).
- nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir (bnc#1012382).
- nvme-fabrics: allow duplicate connections to the discovery controller (bsc#1098527).
- nvme-fabrics: allow internal passthrough command on deleting controllers (bsc#1098527).
- nvme-fabrics: centralize discovery controller defaults (bsc#1098527).
- nvme-fabrics: fix and refine state checks in __nvmf_check_ready (bsc#1098527).
- nvme-fabrics: refactor queue ready check (bsc#1098527).
- nvme-fc: change controllers first connect to use reconnect path (bsc#1098527).
- nvme-fc: fix nulling of queue data on reconnect (bsc#1098527).
- nvme-fc: remove reinit_request routine (bsc#1098527).
- nvme-fc: remove setting DNR on exception conditions (bsc#1098527).
- nvme-pci: initialize queue memory before interrupts (bnc#1012382).
- nvme: allow duplicate controller if prior controller being deleted (bsc#1098527).
- nvme: move init of keep_alive work item to controller initialization (bsc#1098527).
- nvme: reimplement nvmf_check_if_ready() to avoid kabi breakage (bsc#1098527).
- nvmet-fc: increase LS buffer count per fc port (bsc#1098527).
- nvmet: switch loopback target state to connecting when resetting (bsc#1098527).
- of: unittest: for strings, account for trailing \0 in property length field (bnc#1012382).
- ovl: fix random return value on mount (bsc#1099993).
- ovl: fix uid/gid when creating over whiteout (bsc#1099993).
- ovl: override creds with the ones from the superblock mounter (bsc#1099993).
- perf intel-pt: Fix 'Unexpected indirect branch' error (bnc#1012382).
- perf intel-pt: Fix MTC timing after overflow (bnc#1012382).
- perf intel-pt: Fix decoding to accept CBR between FUP and corresponding TIP (bnc#1012382).
- perf intel-pt: Fix packet decoding of CYC packets (bnc#1012382).
- perf intel-pt: Fix sync_switch INTEL_PT_SS_NOT_TRACING (bnc#1012382).
- perf tools: Fix symbol and object code resolution for vdso32 and vdsox32 (bnc#1012382).
- platform/x86: thinkpad_acpi: Adding new hotkey ID for Lenovo thinkpad (bsc#1099810).
- powerpc/64s: Exception macro for stack frame and initial register save (bsc#1094244).
- powerpc/64s: Fix mce accounting for powernv (bsc#1094244).
- powerpc/fadump: Unregister fadump on kexec down path (bnc#1012382).
- powerpc/mm/hash: Add missing isync prior to kernel stack SLB switch (bnc#1012382).
- powerpc/ptrace: Fix enforcement of DAWR constraints (bnc#1012382).
- powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG (bnc#1012382).
- powerpc: Machine check interrupt is a non-maskable interrupt (bsc#1094244).
- procfs: add tunable for fd/fdinfo dentry retention (bsc#10866542).
- qla2xxx: Fix NULL pointer derefrence for fcport search (bsc#1085657).
- qla2xxx: Fix inconsistent DMA mem alloc/free (bsc#1085657).
- qla2xxx: Fix kernel crash due to late workqueue allocation (bsc#1085657).
- regulator: Do not return or expect -errno from of_map_mode() (bsc#1099042).
- restore cond_resched() in shrink_dcache_parent() (bsc#1098599).
- rmdir(),rename(): do shrink_dcache_parent() only on success (bsc#1100340).
- s390/dasd: configurable IFCC handling (bsc#1097808).
- s390: Correct register corruption in critical section cleanup (bnc#1012382).
- sbitmap: check for valid bitmap in sbitmap_for_each (bsc#1090435).
- sched/sysctl: Check user input value of sysctl_sched_time_avg (bsc#1100089).
- scsi: ipr: Format HCAM overlay ID 0x41 (bsc#1097961).
- scsi: ipr: new IOASC update (bsc#1097961).
- scsi: lpfc: Change IO submit return to EBUSY if remote port is recovering (bsc#1092207).
- scsi: lpfc: Driver NVME load fails when CPU cnt > WQ resource cnt (bsc#1092207).
- scsi: lpfc: Fix 16gb hbas failing cq create (bsc#1089525).
- scsi: lpfc: Fix 16gb hbas failing cq create (bsc#1095453).
- scsi: lpfc: Fix MDS diagnostics failure (Rx lower than Tx) (bsc#1095453).
- scsi: lpfc: Fix crash in blk_mq layer when executing modprobe -r lpfc (bsc#1095453).
- scsi: lpfc: Fix port initialization failure (bsc#1095453).
- scsi: lpfc: Fix up log messages and stats counters in IO submit code path (bsc#1092207).
- scsi: lpfc: Handle new link fault code returned by adapter firmware (bsc#1092207).
- scsi: lpfc: correct oversubscription of nvme io requests for an adapter (bsc#1095453).
- scsi: lpfc: update driver version to 11.4.0.7-3 (bsc#1092207).
- scsi: lpfc: update driver version to 11.4.0.7-4 (bsc#1095453).
- scsi: qedi: Fix truncation of CHAP name and secret (bsc#1097931)
- scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails (bnc#1012382).
- scsi: qla2xxx: Spinlock recursion in qla_target (bsc#1097501)
- scsi: sg: mitigate read/write abuse (bsc#1101296).
- scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed (LTC#168765 bnc#1012382 bnc#1099713).
- scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed (bnc#1099713, LTC#168765).
- scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED (LTC#168765 bnc#1012382 bnc#1099713).
- scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED (bnc#1099713, LTC#168765).
- scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread (LTC#168765 bnc#1012382 bnc#1099713).
- scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread (bnc#1099713, LTC#168765).
- scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return (LTC#168765 bnc#1012382 bnc#1099713).
- scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return (bnc#1099713, LTC#168765).
- scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for ERP_FAILED (LTC#168765 bnc#1012382 bnc#1099713).
- scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for ERP_FAILED (bnc#1099713, LTC#168765).
- scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler (LTC#168765 bnc#1012382 bnc#1099713).
- scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler (bnc#1099713, LTC#168765).
- scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF (LTC#168765 bnc#1012382 bnc#1099713).
- scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF (bnc#1099713, LTC#168765).
- serial: sh-sci: Use spin_{try}lock_irqsave instead of open coding version (bnc#1012382).
- signal/xtensa: Consistenly use SIGBUS in do_unaligned_user (bnc#1012382).
- sort and rename various hyperv patches
- spi: Fix scatterlist elements size in spi_map_buf (bnc#1012382).
- staging: android: ion: Return an ERR_PTR in ion_map_kernel (bnc#1012382).
- staging: comedi: quatech_daqp_cs: fix no-op loop daqp_ao_insn_write() (bnc#1012382).
- tcp: do not overshoot window_clamp in tcp_rcv_space_adjust() (bnc#1012382).
- tcp: verify the checksum of the first data segment in a new connection (bnc#1012382).
- thinkpad_acpi: Add support for HKEY version 0x200 (bsc#1099810).
- time: Make sure jiffies_to_msecs() preserves non-zero time periods (bnc#1012382).
- tracing: Fix missing return symbol in function_graph output (bnc#1012382).
- ubi: fastmap: Cancel work upon detach (bnc#1012382).
- ubi: fastmap: Correctly handle interrupted erasures in EBA (bnc#1012382).
- udf: Detect incorrect directory size (bnc#1012382).
- usb: cdc_acm: Add quirk for Uniden UBC125 scanner (bnc#1012382).
- usb: do not reset if a low-speed or full-speed device timed out (bnc#1012382).
- usb: musb: fix remote wakeup racing with suspend (bnc#1012382).
- video/fbdev/stifb: Return -ENOMEM after a failed kzalloc() in stifb_init_fb() (bsc#1090888 bsc#1099966).
- video: uvesafb: Fix integer overflow in allocation (bnc#1012382).
- w1: mxc_w1: Enable clock before calling clk_get_rate() on it (bnc#1012382).
- wait: add wait_event_killable_timeout() (bsc#1099792).
- watchdog: da9063: Fix setting/changing timeout (bsc#1100843).
- watchdog: da9063: Fix timeout handling during probe (bsc#1100843).
- watchdog: da9063: Fix updating timeout value (bsc#1100843).
- x86/cpu/amd: Derive L3 shared_cpu_map from cpu_llc_shared_mask (bsc#1094643).
- x86/mce: Fix incorrect 'Machine check from unknown source' message (bnc#1012382).
- x86/mce: Improve error message when kernel cannot recover (git-fixes b2f9d678e28c).
- x86/pti: do not report XenPV as vulnerable (bsc#1097551).
- xen: Remove unnecessary BUG_ON from __unbind_from_irq() (bnc#1012382).
- xfrm6: avoid potential infinite loop in _decode_session6() (bnc#1012382).
- xfrm: Ignore socket policies when rebuilding hash tables (bnc#1012382).
- xfrm: skip policies marked as dead while rehashing (bnc#1012382).
ImportantSUSE bug 1012382SUSE bug 1064232SUSE bug 1075876SUSE bug 1076110SUSE bug 1085185SUSE bug 1085657SUSE bug 1089525SUSE bug 1090435SUSE bug 1090888SUSE bug 1091171SUSE bug 1092207SUSE bug 1094244SUSE bug 1094248SUSE bug 1094643SUSE bug 1095453SUSE bug 1096790SUSE bug 1097034SUSE bug 1097140SUSE bug 1097492SUSE bug 1097501SUSE bug 1097551SUSE bug 1097808SUSE bug 1097931SUSE bug 1097961SUSE bug 1098016SUSE bug 1098236SUSE bug 1098425SUSE bug 1098435SUSE bug 1098527SUSE bug 1098599SUSE bug 1099042SUSE bug 1099183SUSE bug 1099279SUSE bug 1099713SUSE bug 1099732SUSE bug 1099792SUSE bug 1099810SUSE bug 1099918SUSE bug 1099924SUSE bug 1099966SUSE bug 1099993SUSE bug 1100089SUSE bug 1100340SUSE bug 1100416SUSE bug 1100418SUSE bug 1100491SUSE bug 1100843SUSE bug 1101296CVE-2018-13053 at SUSECVE-2018-13053 at NVDCVE-2018-13405 at SUSECVE-2018-13405 at NVDCVE-2018-13406 at SUSECVE-2018-13406 at NVDCVE-2018-9385 at SUSECVE-2018-9385 at NVDcpe:/o:suse:sles:12:sp3Security update for nautilus (Low)SUSE Linux Enterprise Server 12 SP3
This update for nautilus fixes the following issues:
Security issue fixed:
- CVE-2017-14604: Add a metadata::trusted metadata to the file once the user
acknowledges the file as trusted, and also remove the 'trusted' content in the
desktop file (bsc#1060031).
LowSUSE bug 1060031CVE-2017-14604 at SUSECVE-2017-14604 at NVDcpe:/o:suse:sles:12:sp3Security update for xen (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for xen fixes the following issues:
Security issues fixed:
- CVE-2018-3665: Fix Lazy FP Save/Restore issue (XSA-267) (bsc#1095242).
- CVE-2018-12891: Fix possible Denial of Service (DoS) via certain PV MMU operations that affect the entire host (XSA-264) (bsc#1097521).
- CVE-2018-12892: Fix libxl to honour the readonly flag on HVM emulated SCSI disks (XSA-266) (bsc#1097523).
- CVE-2018-12893: Fix crash/Denial of Service (DoS) via safety check (XSA-265) (bsc#1097522).
- CVE-2018-11806: Fix heap buffer overflow while reassembling fragmented datagrams (bsc#1096224).
Bug fixes:
- bsc#1027519: Add upstream patches from January.
- bsc#1087289: Fix xen scheduler crash.
ModerateSUSE bug 1027519SUSE bug 1087289SUSE bug 1095242SUSE bug 1096224SUSE bug 1097521SUSE bug 1097522SUSE bug 1097523CVE-2018-11806 at SUSECVE-2018-11806 at NVDCVE-2018-12891 at SUSECVE-2018-12891 at NVDCVE-2018-12892 at SUSECVE-2018-12892 at NVDCVE-2018-12893 at SUSECVE-2018-12893 at NVDCVE-2018-3665 at SUSECVE-2018-3665 at NVDcpe:/o:suse:sles:12:sp3Security update for ImageMagick (Important)SUSE Linux Enterprise Server 12 SP3
This update for ImageMagick fixes the following issues:
- security update (xcf.c):
* CVE-2017-14343: Memory leak vulnerability in ReadXCFImage could lead to denial of service via a crafted file.
CVE-2017-12691: The ReadOneLayer function in coders/xcf.c allows remote attackers to cause a denial of service
(memory consumption) via a crafted file.
[bsc#1058422]
- security update (pnm.c):
* CVE-2017-14042: A memory allocation failure was discovered in the ReadPNMImage function in coders/pnm.c and
could lead to remote denial of service [bsc#1056550]
- security update (psd.c):
* CVE-2017-15281: ReadPSDImage allows remote attackers to cause a denial of service (application crash) or
possibly have unspecified other impact via a crafted file [bsc#1063049]
* CVE-2017-13061: A length-validation vulnerability was found in the function ReadPSDLayersInternal in coders/psd.c,
which allows attackers to cause a denial of service (ReadPSDImage memory exhaustion) via a crafted file. [bsc#1055063]
* CVE-2017-12563: A Memory exhaustion vulnerability was found in the function ReadPSDImage in coders/psd.c,
which allows attackers to cause a denial of service. [bsc#1052460]
* CVE-2017-14174: Due to a lack of an EOF check (End of File) in ReadPSDLayersInternal could cause huge CPU consumption,
when a crafted PSD file, which claims a large 'length' field in the header but does not contain sufficient backing data,
is provided, the loop over \'length\' would consume huge CPU resources, since there is no EOF check inside the loop.[bsc#1057723]
- security update (meta.c):
* CVE-2017-13062: Amemory leak vulnerability was found in the function formatIPTC in coders/meta.c,
which allows attackers to cause a denial of service (WriteMETAImage memory consumption) via a crafted file [bsc#1055053]
- security update (gif.c):
* CVE-2017-15277: ReadGIFImage in coders/gif.c leaves the palette uninitialized when processing a GIF file that has neither
a global nor local palette. If the affected product is used as a library loaded into a process that operates on interesting
data, this data sometimes can be leaked via the uninitialized palette.[bsc#1063050]
ImportantSUSE bug 1052460SUSE bug 1055053SUSE bug 1055063SUSE bug 1056550SUSE bug 1057723SUSE bug 1058422SUSE bug 1063049SUSE bug 1063050CVE-2017-12563 at SUSECVE-2017-12563 at NVDCVE-2017-12691 at SUSECVE-2017-12691 at NVDCVE-2017-13061 at SUSECVE-2017-13061 at NVDCVE-2017-13062 at SUSECVE-2017-13062 at NVDCVE-2017-14042 at SUSECVE-2017-14042 at NVDCVE-2017-14174 at SUSECVE-2017-14174 at NVDCVE-2017-14343 at SUSECVE-2017-14343 at NVDCVE-2017-15277 at SUSECVE-2017-15277 at NVDCVE-2017-15281 at SUSECVE-2017-15281 at NVDcpe:/o:suse:sles:12:sp3Security update for util-linux (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for util-linux fixes the following issues:
This non-security issue was fixed:
- CVE-2018-7738: bash-completion/umount allowed local users to gain privileges
by embedding shell commands in a mountpoint name, which was mishandled during a
umount command by a different user (bsc#1084300).
These non-security issues were fixed:
- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).
ModerateSUSE bug 1072947SUSE bug 1078662SUSE bug 1080740SUSE bug 1084300CVE-2018-7738 at SUSECVE-2018-7738 at NVDcpe:/o:suse:sles:12:sp3Security update for libsndfile (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libsndfile fixes the following issues:
Security issues fixed:
- CVE-2018-13139: Fix a stack-based buffer overflow in psf_memset in common.c that allows remote attackers to cause a denial of service (bsc#1100167).
- CVE-2017-17456: Prevent segmentation fault in the function d2alaw_array() that may have lead to a remote DoS (bsc#1071777)
- CVE-2017-17457: Prevent segmentation fault in the function d2ulaw_array() that may have lead to a remote DoS, a different vulnerability than CVE-2017-14246 (bsc#1071767)
ModerateSUSE bug 1071767SUSE bug 1071777SUSE bug 1100167CVE-2017-17456 at SUSECVE-2017-17456 at NVDCVE-2017-17457 at SUSECVE-2017-17457 at NVDCVE-2018-13139 at SUSECVE-2018-13139 at NVDcpe:/o:suse:sles:12:sp3Security update for libgcrypt (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libgcrypt fixes the following issues:
The following security vulnerability was addressed:
- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for
ECDSA signatures (bsc#1097410).
The following other issues were fixed:
- Extended the fipsdrv dsa-sign and dsa-verify commands with the
--algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)
ModerateSUSE bug 1064455SUSE bug 1090766SUSE bug 1097410CVE-2018-0495 at SUSECVE-2018-0495 at NVDcpe:/o:suse:sles:12:sp3Security update for mutt (Important)SUSE Linux Enterprise Server 12 SP3
This update for mutt fixes the following issues:
Security issues fixed:
- bsc#1101428: Mutt 1.10.1 security release update.
- CVE-2018-14351: Fix imap/command.c that mishandles long IMAP status mailbox literal count size (bsc#1101583).
- CVE-2018-14353: Fix imap_quote_string in imap/util.c that has an integer underflow (bsc#1101581).
- CVE-2018-14362: Fix pop.c that does not forbid characters that may have unsafe interaction with message-cache pathnames (bsc#1101567).
- CVE-2018-14354: Fix arbitrary command execution from remote IMAP servers via backquote characters (bsc#1101578).
- CVE-2018-14352: Fix imap_quote_string in imap/util.c that does not leave room for quote characters (bsc#1101582).
- CVE-2018-14356: Fix pop.c that mishandles a zero-length UID (bsc#1101576).
- CVE-2018-14355: Fix imap/util.c that mishandles '..' directory traversal in a mailbox name (bsc#1101577).
- CVE-2018-14349: Fix imap/command.c that mishandles a NO response without a message (bsc#1101589).
- CVE-2018-14350: Fix imap/message.c that has a stack-based buffer overflow for a FETCH response with along INTERNALDATE field (bsc#1101588).
- CVE-2018-14363: Fix newsrc.c that does not properlyrestrict '/' characters that may have unsafe interaction with cache pathnames (bsc#1101566).
- CVE-2018-14359: Fix buffer overflow via base64 data (bsc#1101570).
- CVE-2018-14358: Fix imap/message.c that has a stack-based buffer overflow for a FETCH response with along RFC822.SIZE field (bsc#1101571).
- CVE-2018-14360: Fix nntp_add_group in newsrc.c that has a stack-based buffer overflow because of incorrect sscanf usage (bsc#1101569).
- CVE-2018-14357: Fix that remote IMAP servers are allowed to execute arbitrary commands via backquote characters (bsc#1101573).
- CVE-2018-14361: Fix that nntp.c proceeds even if memory allocation fails for messages data (bsc#1101568).
Bug fixes:
- mutt reports as neomutt and incorrect version (bsc#1094717)
- No sidebar available in mutt 1.6.1 from Tumbleweed snapshot 20160517 (bsc#980830)
- mutt-1.6.1 unusable when built with --enable-sidebar (bsc#982129)
- (neo)mutt displaying times in Zulu time (bsc#1061343)
- mutt unconditionally segfaults when displaying a message (bsc#986534)
ImportantSUSE bug 1061343SUSE bug 1094717SUSE bug 1101428SUSE bug 1101566SUSE bug 1101567SUSE bug 1101568SUSE bug 1101569SUSE bug 1101570SUSE bug 1101571SUSE bug 1101573SUSE bug 1101576SUSE bug 1101577SUSE bug 1101578SUSE bug 1101581SUSE bug 1101582SUSE bug 1101583SUSE bug 1101588SUSE bug 1101589SUSE bug 980830SUSE bug 982129SUSE bug 986534CVE-2014-9116 at SUSECVE-2014-9116 at NVDCVE-2018-14349 at SUSECVE-2018-14349 at NVDCVE-2018-14350 at SUSECVE-2018-14350 at NVDCVE-2018-14351 at SUSECVE-2018-14351 at NVDCVE-2018-14352 at SUSECVE-2018-14352 at NVDCVE-2018-14353 at SUSECVE-2018-14353 at NVDCVE-2018-14354 at SUSECVE-2018-14354 at NVDCVE-2018-14355 at SUSECVE-2018-14355 at NVDCVE-2018-14356 at SUSECVE-2018-14356 at NVDCVE-2018-14357 at SUSECVE-2018-14357 at NVDCVE-2018-14358 at SUSECVE-2018-14358 at NVDCVE-2018-14359 at SUSECVE-2018-14359 at NVDCVE-2018-14360 at SUSECVE-2018-14360 at NVDCVE-2018-14361 at SUSECVE-2018-14361 at NVDCVE-2018-14362 at SUSECVE-2018-14362 at NVDCVE-2018-14363 at SUSECVE-2018-14363 at NVDcpe:/o:suse:sles:12:sp3Security update for libevent (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libevent fixes the following security issues:
- CVE-2016-10195: DNS remote stack overread vulnerability (bsc#1022917)
- CVE-2016-10196: stack/buffer overflow in evutil_parse_sockaddr_port() (bsc#1022918)
- CVE-2016-10197: out-of-bounds read in search_make_new() (bsc#1022919)
ModerateSUSE bug 1022917SUSE bug 1022918SUSE bug 1022919CVE-2016-10195 at SUSECVE-2016-10195 at NVDCVE-2016-10196 at SUSECVE-2016-10196 at NVDCVE-2016-10197 at SUSECVE-2016-10197 at NVDcpe:/o:suse:sles:12:sp3Security update for gdk-pixbuf (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for gdk-pixbuf fixes the following issues:
Security issue fixed:
- CVE-2015-4491: Fix integer multiplication overflow that allows for DoS or potentially RCE (bsc#1053417).
ModerateSUSE bug 1053417CVE-2015-4491 at SUSECVE-2015-4491 at NVDcpe:/o:suse:sles:12:sp3Security update for libcgroup (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libcgroup fixes the following issues:
Security issue fixed:
- CVE-2018-14348: Fix daemon that creates /var/log/cgred with mode 0666 (bsc#1100365).
ModerateSUSE bug 1100365CVE-2018-14348 at SUSECVE-2018-14348 at NVDcpe:/o:suse:sles:12:sp3Security update for polkit (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for polkit fixes the following issues:
Security issue fixed:
- CVE-2018-1116: Fix uid comparison lacking in polkit_backend_interactive_authority_check_authorization (bsc#1099031).
ModerateSUSE bug 1099031CVE-2018-1116 at SUSECVE-2018-1116 at NVDcpe:/o:suse:sles:12:sp3Security update for ovmf (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ovmf provide the following fix:
Security issues fixed:
- CVE-2018-0739: Update openssl to 1.0.2o to limit ASN.1 constructed types
recursive definition depth (bsc#1094290, bsc#1094291).
Bug fixes:
- Only use SLES-UEFI-CA-Certificate-2048.crt for the SUSE flavor to provide the
better compatibility. (bsc#1077330)
ModerateSUSE bug 1077330SUSE bug 1094290SUSE bug 1094291CVE-2018-0739 at SUSECVE-2018-0739 at NVDcpe:/o:suse:sles:12:sp3Security update for cups (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for cups fixes the following issues:
The following security vulnerabilities were fixed:
- CVE-2017-18248: Handle invalid characters properly in printing jobs. This fixes a problem that
was causing the DBUS library to abort the calling process. (bsc#1061066 bsc#1087018)
- Fixed a local privilege escalation to root and sandbox bypasses in the
scheduler
- CVE-2018-4180: Fixed a local privilege escalation to root in dnssd backend
(bsc#1096405)
- CVE-2018-4181: Limited local file reads as root via cupsd.conf include
directive (bsc#1096406)
- CVE-2018-4182: Fixed a sandbox bypass due to insecure error handling
(bsc#1096407)
- CVE-2018-4183: Fixed a sandbox bypass due to profile misconfiguration
(bsc#1096408)
The following other issue was fixed:
- Fixed authorization check for clients (like samba) connected through the
local socket when Kerberos authentication is enabled (bsc#1050082)
ModerateSUSE bug 1050082SUSE bug 1061066SUSE bug 1087018SUSE bug 1096405SUSE bug 1096406SUSE bug 1096407SUSE bug 1096408CVE-2017-18248 at SUSECVE-2017-18248 at NVDCVE-2018-4180 at SUSECVE-2018-4180 at NVDCVE-2018-4181 at SUSECVE-2018-4181 at NVDCVE-2018-4182 at SUSECVE-2018-4182 at NVDCVE-2018-4183 at SUSECVE-2018-4183 at NVDcpe:/o:suse:sles:12:sp3Security update for libtirpc (Important)SUSE Linux Enterprise Server 12 SP3
This update for libtirpc fixes the following issues:
Security issue fixed:
- bsc#968175: Fix remote crash of RPC services.
Bug fixes:
- bsc#1072183: Send RPC getport call as specified via parameter.
ImportantSUSE bug 1072183SUSE bug 968175cpe:/o:suse:sles:12:sp3Security update for curl (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for curl fixes one issues.
This security issue was fixed:
- CVE-2018-1000007: Prevent leaking authentication data to third parties when following redirects (bsc#1077001)
ModerateSUSE bug 1077001CVE-2018-1000007 at SUSECVE-2018-1000007 at NVDcpe:/o:suse:sles:12:sp3Security update for ceph (Important)SUSE Linux Enterprise Server 12 SP3
This update for ceph fixes the following issues:
- Update to version 12.2.7-420-gc0ef85b854:
* https://ceph.com/releases/12-2-7-luminous-released/
* luminous: osd: eternal stuck PG in 'unfound_recovery' (bsc#1094932)
* bluestore: db.slow used when db is not full (bsc#1092874)
* CVE-2018-10861: Ensure that ceph-mon does perform authorization on all OSD pool ops (bsc#1099162).
* CVE-2018-1129: cephx signature check bypass (bsc#1096748).
* CVE-2018-1128: cephx protocol was vulnerable to replay attack (bsc#1096748).
ImportantSUSE bug 1092874SUSE bug 1094932SUSE bug 1096748SUSE bug 1099162CVE-2018-10861 at SUSECVE-2018-10861 at NVDCVE-2018-1128 at SUSECVE-2018-1128 at NVDCVE-2018-1129 at SUSECVE-2018-1129 at NVDcpe:/o:suse:sles:12:sp3Security update for libsoup (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libsoup fixes the following issues:
Security issue fixed:
- CVE-2018-12910: Fix crash when handling empty hostnames (bsc#1100097).
- CVE-2017-2885: Fix chunk decoding buffer overrun that could be exploited against either clients or servers (bsc#1052916).
Bug fixes:
- bsc#1086036: translation-update-upstream commented out for Leap
ModerateSUSE bug 1052916SUSE bug 1086036SUSE bug 1100097CVE-2017-2885 at SUSECVE-2017-2885 at NVDCVE-2018-12910 at SUSECVE-2018-12910 at NVDcpe:/o:suse:sles:12:sp3Security update for libvorbis (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libvorbis fixes the following issues:
- CVE-2017-14633: out-of-bounds array read vulnerability exists in
function mapping0_forward() could lead to remote denial of service (bsc#1059811)
- CVE-2017-14632: Remote Code Execution upon freeing uninitialized
memory in function vorbis_analysis_headerout(bsc#1059809)
ModerateSUSE bug 1059809SUSE bug 1059811CVE-2017-14632 at SUSECVE-2017-14632 at NVDCVE-2017-14633 at SUSECVE-2017-14633 at NVDcpe:/o:suse:sles:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3
This update for webkit2gtk3 fixes the following issues:
Update to version 2.18.5:
+ Disable SharedArrayBuffers from Web API.
+ Reduce the precision of 'high' resolution time to 1ms.
+ bsc#1075419 - Security fixes: includes improvements to mitigate
the effects of Spectre and Meltdown (CVE-2017-5753 and CVE-2017-5715).
Update to version 2.18.4:
+ Make WebDriver implementation more spec compliant.
+ Fix a bug when trying to remove cookies before a web process is
spawned.
+ WebKitWebDriver process no longer links to
libjavascriptcoregtk.
+ Fix several memory leaks in GStreamer media backend.
+ bsc#1073654 - Security fixes: CVE-2017-13866, CVE-2017-13870,
CVE-2017-7156, CVE-2017-13856.
Update to version 2.18.3:
+ Improve calculation of font metrics to prevent scrollbars from
being shown unnecessarily in some cases.
+ Fix handling of null capabilities in WebDriver implementation.
+ Security fixes: CVE-2017-13798, CVE-2017-13788, CVE-2017-13803.
Update to version 2.18.2:
+ Fix rendering of arabic text.
+ Fix a crash in the web process when decoding GIF images.
+ Fix rendering of wind in Windy.com.
+ Fix several crashes and rendering issues.
Update to version 2.18.1:
+ Improve performance of GIF animations.
+ Fix garbled display in GMail.
+ Fix rendering of several material design icons when using the
web font.
+ Fix flickering when resizing the window in Wayland.
+ Prevent default kerberos authentication credentials from being
used in ephemeral sessions.
+ Fix a crash when webkit_web_resource_get_data() is cancelled.
+ Correctly handle touchmove and touchend events in
WebKitWebView.
+ Fix the build with enchant 2.1.1.
+ Fix the build in HPPA and Alpha.
+ Fix several crashes and rendering issues.
+ Security fixes: CVE-2017-7081, CVE-2017-7087, CVE-2017-7089,
CVE-2017-7090, CVE-2017-7091, CVE-2017-7092, CVE-2017-7093,
CVE-2017-7094, CVE-2017-7095, CVE-2017-7096, CVE-2017-7098,
CVE-2017-7099, CVE-2017-7100, CVE-2017-7102, CVE-2017-7104,
CVE-2017-7107, CVE-2017-7109, CVE-2017-7111, CVE-2017-7117,
CVE-2017-7120, CVE-2017-7142.
- Enable gold linker on s390/s390x on SLE15/Tumbleweed.
ImportantSUSE bug 1020950SUSE bug 1024749SUSE bug 1050469SUSE bug 1066892SUSE bug 1069925SUSE bug 1073654SUSE bug 1075419CVE-2016-4692 at SUSECVE-2016-4692 at NVDCVE-2016-4743 at SUSECVE-2016-4743 at NVDCVE-2016-7586 at SUSECVE-2016-7586 at NVDCVE-2016-7587 at SUSECVE-2016-7587 at NVDCVE-2016-7589 at SUSECVE-2016-7589 at NVDCVE-2016-7592 at SUSECVE-2016-7592 at NVDCVE-2016-7598 at SUSECVE-2016-7598 at NVDCVE-2016-7599 at SUSECVE-2016-7599 at NVDCVE-2016-7610 at SUSECVE-2016-7610 at NVDCVE-2016-7623 at SUSECVE-2016-7623 at NVDCVE-2016-7632 at SUSECVE-2016-7632 at NVDCVE-2016-7635 at SUSECVE-2016-7635 at NVDCVE-2016-7639 at SUSECVE-2016-7639 at NVDCVE-2016-7641 at SUSECVE-2016-7641 at NVDCVE-2016-7645 at SUSECVE-2016-7645 at NVDCVE-2016-7652 at SUSECVE-2016-7652 at NVDCVE-2016-7654 at SUSECVE-2016-7654 at NVDCVE-2016-7656 at SUSECVE-2016-7656 at NVDCVE-2017-13788 at SUSECVE-2017-13788 at NVDCVE-2017-13798 at SUSECVE-2017-13798 at NVDCVE-2017-13803 at SUSECVE-2017-13803 at NVDCVE-2017-13856 at SUSECVE-2017-13856 at NVDCVE-2017-13866 at SUSECVE-2017-13866 at NVDCVE-2017-13870 at SUSECVE-2017-13870 at NVDCVE-2017-2350 at SUSECVE-2017-2350 at NVDCVE-2017-2354 at SUSECVE-2017-2354 at NVDCVE-2017-2355 at SUSECVE-2017-2355 at NVDCVE-2017-2356 at SUSECVE-2017-2356 at NVDCVE-2017-2362 at SUSECVE-2017-2362 at NVDCVE-2017-2363 at SUSECVE-2017-2363 at NVDCVE-2017-2364 at SUSECVE-2017-2364 at NVDCVE-2017-2365 at SUSECVE-2017-2365 at NVDCVE-2017-2366 at SUSECVE-2017-2366 at NVDCVE-2017-2369 at SUSECVE-2017-2369 at NVDCVE-2017-2371 at SUSECVE-2017-2371 at NVDCVE-2017-2373 at SUSECVE-2017-2373 at NVDCVE-2017-2496 at SUSECVE-2017-2496 at NVDCVE-2017-2510 at SUSECVE-2017-2510 at NVDCVE-2017-2539 at SUSECVE-2017-2539 at NVDCVE-2017-5715 at SUSECVE-2017-5715 at NVDCVE-2017-5753 at SUSECVE-2017-5753 at NVDCVE-2017-5754 at SUSECVE-2017-5754 at NVDCVE-2017-7006 at SUSECVE-2017-7006 at NVDCVE-2017-7011 at SUSECVE-2017-7011 at NVDCVE-2017-7012 at SUSECVE-2017-7012 at NVDCVE-2017-7018 at SUSECVE-2017-7018 at NVDCVE-2017-7019 at SUSECVE-2017-7019 at NVDCVE-2017-7020 at SUSECVE-2017-7020 at NVDCVE-2017-7030 at SUSECVE-2017-7030 at NVDCVE-2017-7034 at SUSECVE-2017-7034 at NVDCVE-2017-7037 at SUSECVE-2017-7037 at NVDCVE-2017-7038 at SUSECVE-2017-7038 at NVDCVE-2017-7039 at SUSECVE-2017-7039 at NVDCVE-2017-7040 at SUSECVE-2017-7040 at NVDCVE-2017-7041 at SUSECVE-2017-7041 at NVDCVE-2017-7042 at SUSECVE-2017-7042 at NVDCVE-2017-7043 at SUSECVE-2017-7043 at NVDCVE-2017-7046 at SUSECVE-2017-7046 at NVDCVE-2017-7048 at SUSECVE-2017-7048 at NVDCVE-2017-7049 at SUSECVE-2017-7049 at NVDCVE-2017-7052 at SUSECVE-2017-7052 at NVDCVE-2017-7055 at SUSECVE-2017-7055 at NVDCVE-2017-7056 at SUSECVE-2017-7056 at NVDCVE-2017-7059 at SUSECVE-2017-7059 at NVDCVE-2017-7061 at SUSECVE-2017-7061 at NVDCVE-2017-7064 at SUSECVE-2017-7064 at NVDCVE-2017-7081 at SUSECVE-2017-7081 at NVDCVE-2017-7087 at SUSECVE-2017-7087 at NVDCVE-2017-7089 at SUSECVE-2017-7089 at NVDCVE-2017-7090 at SUSECVE-2017-7090 at NVDCVE-2017-7091 at SUSECVE-2017-7091 at NVDCVE-2017-7092 at SUSECVE-2017-7092 at NVDCVE-2017-7093 at SUSECVE-2017-7093 at NVDCVE-2017-7094 at SUSECVE-2017-7094 at NVDCVE-2017-7095 at SUSECVE-2017-7095 at NVDCVE-2017-7096 at SUSECVE-2017-7096 at NVDCVE-2017-7098 at SUSECVE-2017-7098 at NVDCVE-2017-7099 at SUSECVE-2017-7099 at NVDCVE-2017-7100 at SUSECVE-2017-7100 at NVDCVE-2017-7102 at SUSECVE-2017-7102 at NVDCVE-2017-7104 at SUSECVE-2017-7104 at NVDCVE-2017-7107 at SUSECVE-2017-7107 at NVDCVE-2017-7109 at SUSECVE-2017-7109 at NVDCVE-2017-7111 at SUSECVE-2017-7111 at NVDCVE-2017-7117 at SUSECVE-2017-7117 at NVDCVE-2017-7120 at SUSECVE-2017-7120 at NVDCVE-2017-7142 at SUSECVE-2017-7142 at NVDCVE-2017-7156 at SUSECVE-2017-7156 at NVDCVE-2017-7157 at SUSECVE-2017-7157 at NVDcpe:/o:suse:sles:12:sp3Security update for transfig (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for transfig fixes the following issues:
Security issue fixed:
- CVE-2017-16899: Fix array index error in the fig2dev program (bsc#1069257).
ModerateSUSE bug 1069257CVE-2017-16899 at SUSECVE-2017-16899 at NVDcpe:/o:suse:sles:12:sp3Security update for libvirt (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libvirt fixes the following issues:
Security issue fixed:
- CVE-2018-3639: Add support for 'ssbd' and 'virt-ssbd' CPUID feature bits to address V4 Speculative Store Bypass aka 'Memory Disambiguation' (bsc#1092885).
Bug fixes:
- bsc#1094325: Enable virsh blockresize for XEN guests (FATE#325467).
- bsc#1095556: Fix qemu VM creating with --boot uefi due to missing AppArmor profile.
- bsc#1094725: Fix `virsh blockresize` to work with Xen qdisks.
- bsc#1094480: Fix `virsh list` to list domains with `xl list`.
- bsc#1087416: Fix missing video device within guest with default installation by virt-mamanger.
- bsc#1079150: Fix libvirt-guests start dependency.
- bsc#1076861: Fix locking of lockspace resource '/devcfs/disks/uatidmsvn1-xvda'.
- bsc#1074014: Fix KVM live migration when shutting down cluster node.
- bsc#959329: Fix wrong state of VMs in virtual manager.
ModerateSUSE bug 1074014SUSE bug 1076861SUSE bug 1079150SUSE bug 1087416SUSE bug 1092885SUSE bug 1094325SUSE bug 1094480SUSE bug 1094725SUSE bug 1095556SUSE bug 959329CVE-2018-3639 at SUSECVE-2018-3639 at NVDcpe:/o:suse:sles:12:sp3Security update for samba (Important)SUSE Linux Enterprise Server 12 SP3
This update for samba fixes the following issues:
The following security vulnerability was fixed:
- CVE-2018-10858: Fixed insufficient input validation on client directory
listing in libsmbclient; (bsc#1103411);
The following other change was made:
- s3: winbind: Fix 'winbind normalize names' in wb_getpwsid();
- winbind: honor 'winbind use default domain' with empty domain (bsc#1087303)
- winbind: do not modify credentials in NTLM passthru (bsc#1068059)
- net: fix net ads keytab handling (bsc#1067700)
- fix vfs_ceph flock stub
ImportantSUSE bug 1067700SUSE bug 1068059SUSE bug 1087303SUSE bug 1103411CVE-2018-10858 at SUSECVE-2018-10858 at NVDcpe:/o:suse:sles:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3
This update for MozillaFirefox to version ESR 52.9 fixes the following issues:
- CVE-2018-5188: Various memory safety bugs (bsc#1098998)
- CVE-2018-12368: No warning when opening executable SettingContent-ms files
- CVE-2018-12366: Invalid data handling during QCMS transformations
- CVE-2018-12365: Compromised IPC child process can list local filenames
- CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
- CVE-2018-12363: Use-after-free when appending DOM nodes
- CVE-2018-12362: Integer overflow in SSSE3 scaler
- CVE-2018-12360: Use-after-free when using focus()
- CVE-2018-5156: Media recorder segmentation fault when track type is changed during capture
- CVE-2018-12359: Buffer overflow using computed size of canvas element
ImportantSUSE bug 1098998CVE-2018-12359 at SUSECVE-2018-12359 at NVDCVE-2018-12360 at SUSECVE-2018-12360 at NVDCVE-2018-12362 at SUSECVE-2018-12362 at NVDCVE-2018-12363 at SUSECVE-2018-12363 at NVDCVE-2018-12364 at SUSECVE-2018-12364 at NVDCVE-2018-12365 at SUSECVE-2018-12365 at NVDCVE-2018-12366 at SUSECVE-2018-12366 at NVDCVE-2018-12368 at SUSECVE-2018-12368 at NVDCVE-2018-5156 at SUSECVE-2018-5156 at NVDCVE-2018-5188 at SUSECVE-2018-5188 at NVDcpe:/o:suse:sles:12:sp3Security update for clamav (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for clamav to version 0.100.1 fixes the following issues:
The following security vulnerabilities were addressed:
- CVE-2018-0360: HWP integer overflow, infinite loop vulnerability (bsc#1101410)
- CVE-2018-0361: PDF object length check, unreasonably long time to parse relatively small file (bsc#1101412)
- CVE-2018-1000085: Fixed a out-of-bounds heap read in XAR parser (bsc#1082858)
- CVE-2018-14679: Libmspack heap buffer over-read in CHM parser (bsc#1103040)
- Buffer over-read in unRAR code due to missing max value checks in table initialization
- PDF parser bugs
The following other changes were made:
- Disable YARA support for licensing reasons (bsc#1101654).
- Add HTTPS support for clamsubmit
- Fix for DNS resolution for users on IPv4-only machines where IPv6 is not
available or is link-local only
ModerateSUSE bug 1082858SUSE bug 1101410SUSE bug 1101412SUSE bug 1101654SUSE bug 1103040CVE-2018-0360 at SUSECVE-2018-0360 at NVDCVE-2018-0361 at SUSECVE-2018-0361 at NVDCVE-2018-1000085 at SUSECVE-2018-1000085 at NVDCVE-2018-14679 at SUSECVE-2018-14679 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3
The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.143 to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2018-5390 aka 'SegmentSmack': Linux kernel could be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service (bnc#1102340).
- CVE-2018-14734: drivers/infiniband/core/ucma.c in the Linux kernel allowed ucma_leave_multicast to access a certain data structure after a cleanup step in ucma_process_join, which allowed attackers to cause a denial of service (use-after-free) (bnc#1103119).
- CVE-2017-18344: The timer_create syscall implementation in kernel/time/posix-timers.c didn't properly validate the sigevent->sigev_notify field, which lead to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allowed userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE) (bnc#1102851 bnc#1103580).
- CVE-2018-3620: Local attackers on baremetal systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data. (bnc#1087081).
- CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system. (bnc#1089343).
The following non-security bugs were fixed:
- Add support for 5,25,50, and 100G to 802.3ad bonding driver (bsc#1096978)
- ahci: Disable LPM on Lenovo 50 series laptops with a too old BIOS (bnc#1012382).
- arm64: do not open code page table entry creation (bsc#1102197).
- arm64: kpti: Use early_param for kpti= command-line option (bsc#1102188).
- arm64: Make sure permission updates happen for pmd/pud (bsc#1102197).
- atm: zatm: Fix potential Spectre v1 (bnc#1012382).
- bcm63xx_enet: correct clock usage (bnc#1012382).
- bcm63xx_enet: do not write to random DMA channel on BCM6345 (bnc#1012382).
- blacklist 9fb8d5dc4b64 ('stop_machine: Disable preemption when waking two stopper threads') Preemption is already disabled inside cpu_stop_queue_two_works() in SLE12-SP3 because it does not have commit 6a19005157c4 ('stop_machine: Do not disable preemption in stop_two_cpus()')
- block: copy ioprio in __bio_clone_fast() (bsc#1082653).
- bpf: fix loading of BPF_MAXINSNS sized programs (bsc#1012382).
- bpf, x64: fix memleak when not converging after image (bsc#1012382).
- cachefiles: Fix missing clear of the CACHEFILES_OBJECT_ACTIVE flag (bsc#1099858).
- cachefiles: Fix refcounting bug in backing-file read monitoring (bsc#1099858).
- cachefiles: Wait rather than BUG'ing on 'Unexpected object collision' (bsc#1099858).
- cifs: fix bad/NULL ptr dereferencing in SMB2_sess_setup() (bsc#1090123).
- compiler, clang: always inline when CONFIG_OPTIMIZE_INLINING is disabled (bnc#1012382).
- compiler, clang: properly override 'inline' for clang (bnc#1012382).
- compiler, clang: suppress warning for unused static inline functions (bnc#1012382).
- compiler-gcc.h: Add __attribute__((gnu_inline)) to all inline declarations (bnc#1012382).
- cpu/hotplug: Add sysfs state interface (bsc#1089343).
- cpu/hotplug: Provide knobs to control SMT (bsc#1089343).
- cpu/hotplug: Split do_cpu_down() (bsc#1089343).
- crypto: crypto4xx - fix crypto4xx_build_pdr, crypto4xx_build_sdr leak (bnc#1012382).
- crypto: crypto4xx - remove bad list_del (bnc#1012382).
- drm/msm: Fix possible null dereference on failure of get_pages() (bsc#1102394).
- drm: re-enable error handling (bsc#1103884).
- fscache: Allow cancelled operations to be enqueued (bsc#1099858).
- fscache: Fix reference overput in fscache_attach_object() error handling (bsc#1099858).
- hid: usbhid: add quirk for innomedia INNEX GENESIS/ATARI adapter (bnc#1012382).
- ibmasm: do not write out of bounds in read handler (bnc#1012382).
- ibmvnic: Fix error recovery on login failure (bsc#1101789).
- iw_cxgb4: correctly enforce the max reg_mr depth (bnc#1012382).
- kabi protect includes in include/linux/inet.h (bsc#1095643).
- KABI protect net/core/utils.c includes (bsc#1095643).
- kABI: protect struct loop_device (kabi).
- kABI: reintroduce __static_cpu_has_safe (kabi).
- kbuild: fix # escaping in .cmd files for future Make (bnc#1012382).
- keys: DNS: fix parsing multiple options (bnc#1012382).
- kvm: arm/arm64: Drop resource size check for GICV window (bsc#1102215).
- kvm: arm/arm64: Set dist->spis to NULL after kfree (bsc#1102214).
- loop: add recursion validation to LOOP_CHANGE_FD (bnc#1012382).
- loop: remember whether sysfs_create_group() was done (bnc#1012382).
- mmc: dw_mmc: fix card threshold control configuration (bsc#1102203).
- mm: check VMA flags to avoid invalid PROT_NONE NUMA balancing (bsc#1097771).
- net: cxgb3_main: fix potential Spectre v1 (bnc#1012382).
- net: dccp: avoid crash in ccid3_hc_rx_send_feedback() (bnc#1012382).
- net: dccp: switch rx_tstamp_last_feedback to monotonic clock (bnc#1012382).
- netfilter: ebtables: reject non-bridge targets (bnc#1012382).
- netfilter: nf_queue: augment nfqa_cfg_policy (bnc#1012382).
- netfilter: x_tables: initialise match/target check parameter struct (bnc#1012382).
- net/mlx5: Fix command interface race in polling mode (bnc#1012382).
- net/mlx5: Fix incorrect raw command length parsing (bnc#1012382).
- net: mvneta: fix the Rx desc DMA address in the Rx path (bsc#1102207).
- net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL (bnc#1012382).
- net: off by one in inet6_pton() (bsc#1095643).
- net: phy: marvell: Use strlcpy() for ethtool::get_strings (bsc#1102205).
- net_sched: blackhole: tell upper qdisc about dropped packets (bnc#1012382).
- net: sungem: fix rx checksum support (bnc#1012382).
- net/utils: generic inet_pton_with_scope helper (bsc#1095643).
- nvme-rdma: Check remotely invalidated rkey matches our expected rkey (bsc#1092001).
- nvme-rdma: default MR page size to 4k (bsc#1092001).
- nvme-rdma: do not complete requests before a send work request has completed (bsc#1092001).
- nvme-rdma: do not suppress send completions (bsc#1092001).
- nvme-rdma: Fix command completion race at error recovery (bsc#1090435).
- nvme-rdma: make nvme_rdma_[create|destroy]_queue_ib symmetrical (bsc#1092001).
- nvme-rdma: use inet_pton_with_scope helper (bsc#1095643).
- nvme-rdma: Use mr pool (bsc#1092001).
- nvme-rdma: wait for local invalidation before completing a request (bsc#1092001).
- ocfs2: subsystem.su_mutex is required while accessing the item->ci_parent (bnc#1012382).
- pci: ibmphp: Fix use-before-set in get_max_bus_speed() (bsc#1100132).
- perf tools: Move syscall number fallbacks from perf-sys.h to tools/arch/x86/include/asm/ (bnc#1012382).
- pm / hibernate: Fix oops at snapshot_write() (bnc#1012382).
- powerpc/64: Initialise thread_info for emergency stacks (bsc#1094244, bsc#1100930, bsc#1102683).
- qed: Limit msix vectors in kdump kernel to the minimum required count (bnc#1012382).
- r8152: napi hangup fix after disconnect (bnc#1012382).
- rdma/ucm: Mark UCM interface as BROKEN (bnc#1012382).
- rds: avoid unenecessary cong_update in loop transport (bnc#1012382).
- Revert 'sit: reload iphdr in ipip6_rcv' (bnc#1012382).
- Revert 'x86/cpufeature: Move some of the scattered feature bits to x86_capability' (kabi).
- Revert 'x86/cpu: Probe CPUID leaf 6 even when cpuid_level == 6' (kabi).
- rtlwifi: rtl8821ae: fix firmware is not ready to run (bnc#1012382).
- s390/qeth: fix error handling in adapter command callbacks (bnc#1103745, LTC#169699).
- sched/smt: Update sched_smt_present at runtime (bsc#1089343).
- smsc75xx: Add workaround for gigabit link up hardware errata (bsc#1100132).
- smsc95xx: Configure pause time to 0xffff when tx flow control enabled (bsc#1085536).
- tcp: fix Fast Open key endianness (bnc#1012382).
- tcp: prevent bogus FRTO undos with non-SACK flows (bnc#1012382).
- tools build: fix # escaping in .cmd files for future Make (bnc#1012382).
- uprobes/x86: Remove incorrect WARN_ON() in uprobe_init_insn() (bnc#1012382).
- usb: core: handle hub C_PORT_OVER_CURRENT condition (bsc#1100132).
- usb: quirks: add delay quirks for Corsair Strafe (bnc#1012382).
- usb: serial: ch341: fix type promotion bug in ch341_control_in() (bnc#1012382).
- usb: serial: cp210x: add another USB ID for Qivicon ZigBee stick (bnc#1012382).
- usb: serial: keyspan_pda: fix modem-status error handling (bnc#1012382).
- usb: serial: mos7840: fix status-register error handling (bnc#1012382).
- usb: yurex: fix out-of-bounds uaccess in read handler (bnc#1012382).
- vfio: platform: Fix reset module leak in error path (bsc#1102211).
- vhost_net: validate sock before trying to put its fd (bnc#1012382).
- vmw_balloon: fix inflation with batching (bnc#1012382).
- x86/alternatives: Add an auxilary section (bnc#1012382).
- x86/alternatives: Discard dynamic check after init (bnc#1012382).
- x86/apic: Ignore secondary threads if nosmt=force (bsc#1089343).
- x86/asm: Add _ASM_ARG* constants for argument registers to <asm/asm.h> (bnc#1012382).
- x86/boot: Simplify kernel load address alignment check (bnc#1012382).
- x86/CPU/AMD: Do not check CPUID max ext level before parsing SMP info (bsc#1089343).
- x86/cpu/AMD: Evaluate smp_num_siblings early (bsc#1089343).
- x86/CPU/AMD: Move TOPOEXT reenablement before reading smp_num_siblings (bsc#1089343). Update config files.
- x86/cpu/AMD: Remove the pointless detect_ht() call (bsc#1089343).
- x86/cpu/common: Provide detect_ht_early() (bsc#1089343).
- x86/cpufeature: Add helper macro for mask check macros (bnc#1012382).
- x86/cpufeature: Carve out X86_FEATURE_* (bnc#1012382).
- x86/cpufeature: Get rid of the non-asm goto variant (bnc#1012382).
- x86/cpufeature: Make sure DISABLED/REQUIRED macros are updated (bnc#1012382).
- x86/cpufeature: Move some of the scattered feature bits to x86_capability (bnc#1012382).
- x86/cpufeature: Replace the old static_cpu_has() with safe variant (bnc#1012382).
- x86/cpufeature: Speed up cpu_feature_enabled() (bnc#1012382).
- x86/cpufeature: Update cpufeaure macros (bnc#1012382).
- x86/cpu/intel: Evaluate smp_num_siblings early (bsc#1089343).
- x86/cpu: Probe CPUID leaf 6 even when cpuid_level == 6 (bnc#1012382).
- x86/cpu: Provide a config option to disable static_cpu_has (bnc#1012382).
- x86/cpu: Remove the pointless CPU printout (bsc#1089343).
- x86/cpu/topology: Provide detect_extended_topology_early() (bsc#1089343).
- x86/fpu: Add an XSTATE_OP() macro (bnc#1012382).
- x86/fpu: Get rid of xstate_fault() (bnc#1012382).
- x86/headers: Do not include asm/processor.h in asm/atomic.h (bnc#1012382).
- x86/mm/pkeys: Fix mismerge of protection keys CPUID bits (bnc#1012382).
- x86/mm: Simplify p[g4um]d_page() macros (1087081).
- x86/smpboot: Do not use smp_num_siblings in __max_logical_packages calculation (bsc#1089343).
- x86/smp: Provide topology_is_primary_thread() (bsc#1089343).
- x86/topology: Add topology_max_smt_threads() (bsc#1089343).
- x86/topology: Provide topology_smt_supported() (bsc#1089343).
- x86/vdso: Use static_cpu_has() (bnc#1012382).
- xen/grant-table: log the lack of grants (bnc#1085042).
- xen-netfront: Fix mismatched rtnl_unlock (bnc#1101658).
- xen-netfront: Update features after registering netdev (bnc#1101658).
- xhci: xhci-mem: off by one in xhci_stream_id_to_ring() (bnc#1012382).
ImportantSUSE bug 1012382SUSE bug 1082653SUSE bug 1085042SUSE bug 1085536SUSE bug 1087081SUSE bug 1089343SUSE bug 1090123SUSE bug 1090435SUSE bug 1092001SUSE bug 1094244SUSE bug 1095643SUSE bug 1096978SUSE bug 1097771SUSE bug 1099858SUSE bug 1100132SUSE bug 1100930SUSE bug 1101658SUSE bug 1101789SUSE bug 1102188SUSE bug 1102197SUSE bug 1102203SUSE bug 1102205SUSE bug 1102207SUSE bug 1102211SUSE bug 1102214SUSE bug 1102215SUSE bug 1102340SUSE bug 1102394SUSE bug 1102683SUSE bug 1102851SUSE bug 1103119SUSE bug 1103580SUSE bug 1103745SUSE bug 1103884CVE-2017-18344 at SUSECVE-2017-18344 at NVDCVE-2018-14734 at SUSECVE-2018-14734 at NVDCVE-2018-3620 at SUSECVE-2018-3620 at NVDCVE-2018-3646 at SUSECVE-2018-3646 at NVDCVE-2018-5390 at SUSECVE-2018-5390 at NVDcpe:/o:suse:sles:12:sp3Security update to ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3
ucode-intel was updated to the 20180807 release.
For the listed CPU chipsets this fixes CVE-2018-3640 (Spectre v3a) and is
part of the mitigations for CVE-2018-3639 (Spectre v4) and CVE-2018-3646
(L1 Terminal fault).
(bsc#1104134 bsc#1087082 bsc#1087083 bsc#1089343)
Processor Identifier Version Products
Model Stepping F-MO-S/PI Old->New
---- new platforms ----------------------------------------
WSM-EP/WS U1 6-2c-2/03 0000001f Xeon E/L/X56xx, W36xx
NHM-EX D0 6-2e-6/04 0000000d Xeon E/L/X65xx/75xx
BXT C0 6-5c-2/01 00000014 Atom T5500/5700
APL E0 6-5c-a/03 0000000c Atom x5-E39xx
DVN B0 6-5f-1/01 00000024 Atom C3xxx
---- updated platforms ------------------------------------
NHM-EP/WS D0 6-1a-5/03 00000019->0000001d Xeon E/L/X/W55xx
NHM B1 6-1e-5/13 00000007->0000000a Core i7-8xx, i5-7xx; Xeon L3426, X24xx
WSM B1 6-25-2/12 0000000e->00000011 Core i7-6xx, i5-6xx/4xxM, i3-5xx/3xxM, Pentium G69xx, Celeon P45xx; Xeon L3406
WSM K0 6-25-5/92 00000004->00000007 Core i7-6xx, i5-6xx/5xx/4xx, i3-5xx/3xx, Pentium G69xx/P6xxx/U5xxx, Celeron P4xxx/U3xxx
SNB D2 6-2a-7/12 0000002d->0000002e Core Gen2; Xeon E3
WSM-EX A2 6-2f-2/05 00000037->0000003b Xeon E7
IVB E2 6-3a-9/12 0000001f->00000020 Core Gen3 Mobile
HSW-H/S/E3 Cx/Dx 6-3c-3/32 00000024->00000025 Core Gen4 Desktop; Xeon E3 v3
BDW-U/Y E/F 6-3d-4/c0 0000002a->0000002b Core Gen5 Mobile
HSW-ULT Cx/Dx 6-45-1/72 00000023->00000024 Core Gen4 Mobile and derived Pentium/Celeron
HSW-H Cx 6-46-1/32 00000019->0000001a Core Extreme i7-5xxxX
BDW-H/E3 E/G 6-47-1/22 0000001d->0000001e Core i5-5xxxR/C, i7-5xxxHQ/EQ; Xeon E3 v4
SKL-U/Y D0 6-4e-3/c0 000000c2->000000c6 Core Gen6 Mobile
BDX-DE V1 6-56-2/10 00000015->00000017 Xeon D-1520/40
BDX-DE V2/3 6-56-3/10 07000012->07000013 Xeon D-1518/19/21/27/28/31/33/37/41/48, Pentium D1507/08/09/17/19
BDX-DE Y0 6-56-4/10 0f000011->0f000012 Xeon D-1557/59/67/71/77/81/87
APL D0 6-5c-9/03 0000002c->00000032 Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
SKL-H/S/E3 R0 6-5e-3/36 000000c2->000000c6 Core Gen6; Xeon E3 v5
ImportantSUSE bug 1087082SUSE bug 1087083SUSE bug 1089343SUSE bug 1104134CVE-2018-3639 at SUSECVE-2018-3639 at NVDCVE-2018-3640 at SUSECVE-2018-3640 at NVDCVE-2018-3646 at SUSECVE-2018-3646 at NVDcpe:/o:suse:sles:12:sp3Security update for apache2 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for apache2 fixes the following issues:
The following security vulnerability were fixed:
- CVE-2018-1333: Fixed a worker exhaustion that could have lead to a denial
of service via specially crafted HTTP/2 requests (bsc#1101689).
ModerateSUSE bug 1101689CVE-2018-1333 at SUSECVE-2018-1333 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3
The SUSE Linux Enterprise 12 SP3 Azure kernel was updated to 4.4.143 to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2018-3620: Local attackers on baremetal systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on
the same CPU core, potentially leaking sensitive data. (bnc#1087081).
- CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system. (bnc#1089343).
- CVE-2018-5391: A flaw in the IP packet reassembly could be used by remote attackers to consume CPU time (bnc#1103097).
- CVE-2018-5390: Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service (bnc#1102340).
- CVE-2018-14734: drivers/infiniband/core/ucma.c allowed ucma_leave_multicast to access a certain data structure after a cleanup step in ucma_process_join, which allowed attackers to cause a denial of service (use-after-free) (bnc#1103119).
- CVE-2017-18344: The timer_create syscall implementation in kernel/time/posix-timers.c didn't properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allowed userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE) (bnc#1102851 1103580).
The following non-security bugs were fixed:
- 1wire: family module autoload fails because of upper/lower case mismatch (bnc#1012382).
- Add support for 5,25,50, and 100G to 802.3ad bonding driver (bsc#1096978)
- ahci: Disable LPM on Lenovo 50 series laptops with a too old BIOS (bnc#1012382).
- alsa: hda - Fix pincfg at resume on Lenovo T470 dock (bsc#1099810).
- alsa: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream() (bnc#1012382).
- alsa: hda/realtek - set PINCFG_HEADSET_MIC to parse_flags (bsc#1099810).
- arm64: do not open code page table entry creation (bsc#1102197).
- arm64: kpti: Use early_param for kpti= command-line option (bsc#1102188).
- arm64: Make sure permission updates happen for pmd/pud (bsc#1102197).
- arm: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size (bnc#1012382).
- arm: dts: imx6q: Use correct SDMA script for SPI5 core (bnc#1012382).
- ASoC: cirrus: i2s: Fix LRCLK configuration (bnc#1012382).
- ASoC: cirrus: i2s: Fix {TX|RX}LinCtrlData setup (bnc#1012382).
- ASoC: dapm: delete dapm_kcontrol_data paths list before freeing it (bnc#1012382).
- ath10k: fix rfc1042 header retrieval in QCA4019 with eth decap mode (bnc#1012382).
- atm: zatm: fix memcmp casting (bnc#1012382).
- atm: zatm: Fix potential Spectre v1 (bnc#1012382).
- backlight: as3711_bl: Fix Device Tree node lookup (bnc#1012382).
- backlight: max8925_bl: Fix Device Tree node lookup (bnc#1012382).
- backlight: tps65217_bl: Fix Device Tree node lookup (bnc#1012382).
- bcache: add backing_request_endio() for bi_end_io (bsc#1064232).
- bcache: add CACHE_SET_IO_DISABLE to struct cache_set flags (bsc#1064232).
- bcache: add io_disable to struct cached_dev (bsc#1064232).
- bcache: add journal statistic (bsc#1076110).
- bcache: Add __printf annotation to __bch_check_keys() (bsc#1064232).
- bcache: add stop_when_cache_set_failed option to backing device (bsc#1064232).
- bcache: add wait_for_kthread_stop() in bch_allocator_thread() (bsc#1064232).
- bcache: Annotate switch fall-through (bsc#1064232).
- bcache: closures: move control bits one bit right (bsc#1076110).
- bcache: correct flash only vols (check all uuids) (bsc#1064232).
- bcache: count backing device I/O error for writeback I/O (bsc#1064232).
- bcache: Fix a compiler warning in bcache_device_init() (bsc#1064232).
- bcache: fix cached_dev->count usage for bch_cache_set_error() (bsc#1064232).
- bcache: fix crashes in duplicate cache device register (bsc#1076110).
- bcache: fix error return value in memory shrink (bsc#1064232).
- bcache: fix high CPU occupancy during journal (bsc#1076110).
- bcache: Fix, improve efficiency of closure_sync() (bsc#1076110).
- bcache: fix inaccurate io state for detached bcache devices (bsc#1064232).
- bcache: fix incorrect sysfs output value of strip size (bsc#1064232).
- bcache: Fix indentation (bsc#1064232).
- bcache: Fix kernel-doc warnings (bsc#1064232).
- bcache: fix misleading error message in bch_count_io_errors() (bsc#1064232).
- bcache: fix using of loop variable in memory shrink (bsc#1064232).
- bcache: fix writeback target calc on large devices (bsc#1076110).
- bcache: fix wrong return value in bch_debug_init() (bsc#1076110).
- bcache: mark closure_sync() __sched (bsc#1076110).
- bcache: move closure debug file into debug directory (bsc#1064232).
- bcache: reduce cache_set devices iteration by devices_max_used (bsc#1064232).
- bcache: Reduce the number of sparse complaints about lock imbalances (bsc#1064232).
- bcache: Remove an unused variable (bsc#1064232).
- bcache: ret IOERR when read meets metadata error (bsc#1076110).
- bcache: return 0 from bch_debug_init() if CONFIG_DEBUG_FS=n (bsc#1064232).
- bcache: set CACHE_SET_IO_DISABLE in bch_cached_dev_error() (bsc#1064232).
- bcache: set dc->io_disable to true in conditional_stop_bcache_device() (bsc#1064232).
- bcache: set error_limit correctly (bsc#1064232).
- bcache: set writeback_rate_update_seconds in range [1, 60] seconds (bsc#1064232).
- bcache: stop bcache device when backing device is offline (bsc#1064232).
- bcache: stop dc->writeback_rate_update properly (bsc#1064232).
- bcache: stop writeback thread after detaching (bsc#1076110).
- bcache: store disk name in struct cache and struct cached_dev (bsc#1064232).
- bcache: Suppress more warnings about set-but-not-used variables (bsc#1064232).
- bcache: use pr_info() to inform duplicated CACHE_SET_IO_DISABLE set (bsc#1064232).
- bcache: Use PTR_ERR_OR_ZERO() (bsc#1076110).
- bcm63xx_enet: correct clock usage (bnc#1012382).
- bcm63xx_enet: do not write to random DMA channel on BCM6345 (bnc#1012382).
- blkcg: simplify statistic accumulation code (bsc#1082979).
- block: copy ioprio in __bio_clone_fast() (bsc#1082653).
- block: Fix transfer when chunk sectors exceeds max (bnc#1012382).
- block/swim: Fix array bounds check (bsc#1082979).
- bluetooth: Fix connection if directed advertising and privacy is used (bnc#1012382).
- bluetooth: hci_qca: Avoid missing rampatch failure with userspace fw loader (bnc#1012382).
- bonding: re-evaluate force_primary when the primary slave name changes (bnc#1012382).
- bpf: fix loading of BPF_MAXINSNS sized programs (bsc#1012382).
- bpf, x64: fix memleak when not converging after image (bsc#1012382).
- btrfs: fix clone vs chattr NODATASUM race (bnc#1012382).
- btrfs: fix unexpected cow in run_delalloc_nocow (bnc#1012382).
- btrfs: make raid6 rebuild retry more (bnc#1012382).
- btrfs: scrub: Do not use inode pages for device replace (bnc#1012382).
- cachefiles: Fix missing clear of the CACHEFILES_OBJECT_ACTIVE flag (bsc#1099858).
- cachefiles: Fix refcounting bug in backing-file read monitoring (bsc#1099858).
- cachefiles: Wait rather than BUG'ing on 'Unexpected object collision' (bsc#1099858).
- cdc_ncm: avoid padding beyond end of skb (bnc#1012382).
- cifs: fix bad/NULL ptr dereferencing in SMB2_sess_setup() (bsc#1090123).
- cifs: Fix infinite loop when using hard mount option (bnc#1012382).
- compiler, clang: always inline when CONFIG_OPTIMIZE_INLINING is disabled (bnc#1012382).
- compiler, clang: properly override 'inline' for clang (bnc#1012382).
- compiler, clang: suppress warning for unused static inline functions (bnc#1012382).
- compiler-gcc.h: Add __attribute__((gnu_inline)) to all inline declarations (bnc#1012382).
- CONFIG_HOTPLUG_SMT=y
- cpufreq: Fix new policy initialization during limits updates via sysfs (bnc#1012382).
- cpu/hotplug: Add sysfs state interface (bsc#1089343).
- cpu/hotplug: Provide knobs to control SMT (bsc#1089343).
- cpu/hotplug: Split do_cpu_down() (bsc#1089343).
- cpuidle: powernv: Fix promotion from snooze if next state disabled (bnc#1012382).
- crypto: crypto4xx - fix crypto4xx_build_pdr, crypto4xx_build_sdr leak (bnc#1012382).
- crypto: crypto4xx - remove bad list_del (bnc#1012382).
- dm: convert DM printk macros to pr_<level> macros (bsc#1099918).
- dm: fix printk() rate limiting code (bsc#1099918).
- dm thin: handle running out of data space vs concurrent discard (bnc#1012382).
- dm thin metadata: remove needless work from __commit_transaction (bsc#1082979).
- drbd: fix access after free (bnc#1012382).
- driver core: Do not ignore class_dir_create_and_add() failure (bnc#1012382).
- drm/msm: Fix possible null dereference on failure of get_pages() (bsc#1102394).
- drm: re-enable error handling (bsc#1103884).
- esp6: fix memleak on error path in esp6_input (git-fixes).
- ext4: add more inode number paranoia checks (bnc#1012382).
- ext4: add more mount time checks of the superblock (bnc#1012382).
- ext4: always check block group bounds in ext4_init_block_bitmap() (bnc#1012382).
- ext4: check superblock mapped prior to committing (bnc#1012382).
- ext4: clear i_data in ext4_inode_info when removing inline data (bnc#1012382).
- ext4: fix fencepost error in check for inode count overflow during resize (bnc#1012382).
- ext4: include the illegal physical block in the bad map ext4_error msg (bnc#1012382).
- ext4: make sure bitmaps and the inode table do not overlap with bg descriptors (bnc#1012382).
- ext4: only look at the bg_flags field if it is valid (bnc#1012382).
- ext4: update mtime in ext4_punch_hole even if no blocks are released (bnc#1012382).
- ext4: verify the depth of extent tree in ext4_find_extent() (bnc#1012382).
- fscache: Allow cancelled operations to be enqueued (bsc#1099858).
- fscache: Fix reference overput in fscache_attach_object() error handling (bsc#1099858).
- fuse: atomic_o_trunc should truncate pagecache (bnc#1012382).
- fuse: do not keep dead fuse_conn at fuse_fill_super() (bnc#1012382).
- fuse: fix control dir setup and teardown (bnc#1012382).
- genirq: Make force irq threading setup more robust (bsc#1082979).
- hid: debug: check length before copy_to_user() (bnc#1012382).
- hid: hiddev: fix potential Spectre v1 (bnc#1012382).
- hid: i2c-hid: Fix 'incomplete report' noise (bnc#1012382).
- hid: usbhid: add quirk for innomedia INNEX GENESIS/ATARI adapter (bnc#1012382).
- i2c: rcar: fix resume by always initializing registers before transfer (bnc#1012382).
- ib/isert: fix T10-pi check mask setting (bsc#1082979).
- ibmasm: do not write out of bounds in read handler (bnc#1012382).
- ibmvnic: Fix error recovery on login failure (bsc#1101789).
- ibmvnic: Remove code to request error information (bsc#1104174).
- ibmvnic: Revise RX/TX queue error messages (bsc#1101331).
- ibmvnic: Update firmware error reporting with cause string (bsc#1104174).
- ib/qib: Fix DMA api warning with debug kernel (bnc#1012382).
- iio:buffer: make length types match kfifo types (bnc#1012382).
- input: elan_i2c - add ELAN0618 (Lenovo v330 15IKB) ACPI ID (bnc#1012382).
- input: elan_i2c_smbus - fix more potential stack buffer overflows (bnc#1012382).
- input: elantech - enable middle button of touchpads on ThinkPad P52 (bnc#1012382).
- input: elantech - fix V4 report decoding for module with middle key (bnc#1012382).
- iommu/vt-d: Fix race condition in add_unmap() (bsc#1096790, bsc#1097034).
- ipmi:bt: Set the timeout before doing a capabilities check (bnc#1012382).
- ipv4: Fix error return value in fib_convert_metrics() (bnc#1012382).
- ipvs: fix buffer overflow with sync daemon and service (bnc#1012382).
- iw_cxgb4: correctly enforce the max reg_mr depth (bnc#1012382).
- jbd2: do not mark block as modified if the handle is out of credits (bnc#1012382).
- kabi protect net/core/utils.c includes (bsc#1095643).
- kABI: protect struct loop_device (kabi).
- kABI: reintroduce __static_cpu_has_safe (kabi).
- kabi/severities: add 'drivers/md/bcache/* PASS' since no one uses symboles expoted by bcache.
- kbuild: fix # escaping in .cmd files for future Make (bnc#1012382).
- keys: DNS: fix parsing multiple options (bnc#1012382).
- kmod: fix wait on recursive loop (bsc#1099792).
- kmod: reduce atomic operations on kmod_concurrent and simplify (bsc#1099792).
- kmod: throttle kmod thread limit (bsc#1099792).
- kprobes/x86: Do not modify singlestep buffer while resuming (bnc#1012382).
- kvm: arm/arm64: Drop resource size check for GICV window (bsc#1102215).
- kvm: arm/arm64: Set dist->spis to NULL after kfree (bsc#1102214).
- libata: do not try to pass through NCQ commands to non-NCQ devices (bsc#1082979).
- libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk (bnc#1012382).
- libata: zpodd: make arrays cdb static, reduces object code size (bnc#1012382).
- libata: zpodd: small read overflow in eject_tray() (bnc#1012382).
- lib/vsprintf: Remove atomic-unsafe support for %pCr (bnc#1012382).
- linvdimm, pmem: Preserve read-only setting for pmem devices (bnc#1012382).
- loop: add recursion validation to LOOP_CHANGE_FD (bnc#1012382).
- loop: remember whether sysfs_create_group() was done (bnc#1012382).
- m68k/mm: Adjust VM area to be unmapped by gap size for __iounmap() (bnc#1012382).
- media: cx231xx: Add support for AverMedia DVD EZMaker 7 (bnc#1012382).
- media: cx25840: Use subdev host data for PLL override (bnc#1012382).
- media: dvb_frontend: fix locking issues at dvb_frontend_get_event() (bnc#1012382).
- media: smiapp: fix timeout checking in smiapp_read_nvm (bsc#1099918).
- media: v4l2-compat-ioctl32: prevent go past max size (bnc#1012382).
- mfd: intel-lpss: Program REMAP register in PIO mode (bnc#1012382).
- mips: ftrace: fix static function graph tracing (bnc#1012382).
- mmc: dw_mmc: fix card threshold control configuration (bsc#1102203).
- mm: check VMA flags to avoid invalid PROT_NONE NUMA balancing (bsc#1097771).
- mm: hugetlb: yield when prepping struct pages (bnc#1012382).
- mtd: cfi_cmdset_0002: Avoid walking all chips when unlocking (bnc#1012382).
- mtd: cfi_cmdset_0002: Change definition naming to retry write operation (bnc#1012382).
- mtd: cfi_cmdset_0002: Change erase functions to check chip good only (bnc#1012382).
- mtd: cfi_cmdset_0002: Change erase functions to retry for error (bnc#1012382).
- mtd: cfi_cmdset_0002: Change write buffer to check correct value (bnc#1012382).
- mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips (bnc#1012382).
- mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary (bnc#1012382).
- mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock() (bnc#1012382).
- mtd: cmdlinepart: Update comment for introduction of OFFSET_CONTINUOUS (bsc#1099918).
- mtd: partitions: add helper for deleting partition (bsc#1099918).
- mtd: partitions: remove sysfs files when deleting all master's partitions (bsc#1099918).
- mtd: rawnand: mxc: set spare area size register explicitly (bnc#1012382).
- net: cxgb3_main: fix potential Spectre v1 (bnc#1012382).
- net: dccp: avoid crash in ccid3_hc_rx_send_feedback() (bnc#1012382).
- net: dccp: switch rx_tstamp_last_feedback to monotonic clock (bnc#1012382).
- netfilter: ebtables: handle string from userspace with care (bnc#1012382).
- netfilter: ebtables: reject non-bridge targets (bnc#1012382).
- netfilter: nf_log: do not hold nf_log_mutex during user access (bnc#1012382).
- netfilter: nf_queue: augment nfqa_cfg_policy (bnc#1012382).
- netfilter: nf_tables: use WARN_ON_ONCE instead of BUG_ON in nft_do_chain() (bnc#1012382).
- netfilter: x_tables: initialise match/target check parameter struct (bnc#1012382).
- net/mlx5: Fix command interface race in polling mode (bnc#1012382).
- net/mlx5: Fix incorrect raw command length parsing (bnc#1012382).
- net: mvneta: fix the Rx desc DMA address in the Rx path (bsc#1102207).
- net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL (bnc#1012382).
- net: off by one in inet6_pton() (bsc#1095643).
- net: phy: marvell: Use strlcpy() for ethtool::get_strings (bsc#1102205).
- net: qmi_wwan: Add Netgear Aircard 779S (bnc#1012382).
- net_sched: blackhole: tell upper qdisc about dropped packets (bnc#1012382).
- net/sonic: Use dma_mapping_error() (bnc#1012382).
- net: sungem: fix rx checksum support (bnc#1012382).
- net/utils: generic inet_pton_with_scope helper (bsc#1095643).
- nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir (bnc#1012382).
- NFSv4: Fix possible 1-byte stack overflow in nfs_idmap_read_and_verify_message (bnc#1012382).
- n_tty: Access echo_* variables carefully (bnc#1012382).
- n_tty: Fix stall at n_tty_receive_char_special() (bnc#1012382).
- null_blk: use sector_div instead of do_div (bsc#1082979).
- nvme-pci: initialize queue memory before interrupts (bnc#1012382).
- nvme-rdma: Check remotely invalidated rkey matches our expected rkey (bsc#1092001).
- nvme-rdma: default MR page size to 4k (bsc#1092001).
- nvme-rdma: do not complete requests before a send work request has completed (bsc#1092001).
- nvme-rdma: do not suppress send completions (bsc#1092001).
- nvme-rdma: Fix command completion race at error recovery (bsc#1090435).
- nvme-rdma: make nvme_rdma_[create|destroy]_queue_ib symmetrical (bsc#1092001).
- nvme-rdma: use inet_pton_with_scope helper (bsc#1095643).
- nvme-rdma: Use mr pool (bsc#1092001).
- nvme-rdma: wait for local invalidation before completing a request (bsc#1092001).
- ocfs2: subsystem.su_mutex is required while accessing the item->ci_parent (bnc#1012382).
- of: unittest: for strings, account for trailing \0 in property length field (bnc#1012382).
- ovl: fix random return value on mount (bsc#1099993).
- ovl: fix uid/gid when creating over whiteout (bsc#1099993).
- ovl: override creds with the ones from the superblock mounter (bsc#1099993).
- pci: ibmphp: Fix use-before-set in get_max_bus_speed() (bsc#1100132).
- pci: pciehp: Clear Presence Detect and Data Link Layer Status Changed on resume (bnc#1012382).
- perf intel-pt: Fix decoding to accept CBR between FUP and corresponding TIP (bnc#1012382).
- perf intel-pt: Fix MTC timing after overflow (bnc#1012382).
- perf intel-pt: Fix packet decoding of CYC packets (bnc#1012382).
- perf intel-pt: Fix sync_switch INTEL_PT_SS_NOT_TRACING (bnc#1012382).
- perf intel-pt: Fix 'Unexpected indirect branch' error (bnc#1012382).
- perf tools: Fix symbol and object code resolution for vdso32 and vdsox32 (bnc#1012382).
- perf tools: Move syscall number fallbacks from perf-sys.h to tools/arch/x86/include/asm/ (bnc#1012382).
- PM / hibernate: Fix oops at snapshot_write() (bnc#1012382).
- powerpc/64: Initialise thread_info for emergency stacks (bsc#1094244, bsc#1100930, bsc#1102683).
- powerpc/64s: Exception macro for stack frame and initial register save (bsc#1094244).
- powerpc/64s: Fix mce accounting for powernv (bsc#1094244).
- powerpc/fadump: Unregister fadump on kexec down path (bnc#1012382).
- powerpc: Machine check interrupt is a non-maskable interrupt (bsc#1094244).
- powerpc/mm/hash: Add missing isync prior to kernel stack SLB switch (bnc#1012382).
- powerpc/ptrace: Fix enforcement of DAWR constraints (bnc#1012382).
- powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG (bnc#1012382).
- qed: Limit msix vectors in kdump kernel to the minimum required count (bnc#1012382).
- qla2xxx: Fix inconsistent DMA mem alloc/free (bsc#1085657).
- qla2xxx: Fix kernel crash due to late workqueue allocation (bsc#1085657).
- qla2xxx: Fix NULL pointer derefrence for fcport search (bsc#1085657).
- r8152: napi hangup fix after disconnect (bnc#1012382).
- RDMA/mlx4: Discard unknown SQP work requests (bnc#1012382).
- RDMA/ocrdma: Fix an error code in ocrdma_alloc_pd() (bsc#1082979).
- RDMA/ocrdma: Fix error codes in ocrdma_create_srq() (bsc#1082979).
- RDMA/ucm: Mark UCM interface as BROKEN (bnc#1012382).
- rds: avoid unenecessary cong_update in loop transport (bnc#1012382).
- restore cond_resched() in shrink_dcache_parent() (bsc#1098599).
- Revert 'block-cancel-workqueue-entries-on-blk_mq_freeze_queue' (bsc#1103717
- Revert 'Btrfs: fix scrub to repair raid6 corruption' (bnc#1012382).
- Revert 'sit: reload iphdr in ipip6_rcv' (bnc#1012382).
- Revert 'x86/cpufeature: Move some of the scattered feature bits to x86_capability' (kabi).
- Revert 'x86/cpu: Probe CPUID leaf 6 even when cpuid_level == 6' (kabi).
- rmdir(),rename(): do shrink_dcache_parent() only on success (bsc#1100340).
- rpm/config.sh: Add support for non-default upstream URL Currently the scripts assume Linus' tree as the upstream URL where to pull things from. One may want to package test kernels from other upstream repos. Add support to add an URL to config.sh.
- rtlwifi: rtl8821ae: fix firmware is not ready to run (bnc#1012382).
- run_oldconfig.sh: Add --olddefconfig as an alias to --yes On later kernels there is the make target 'olddefconfig'. This is equvalent to what the '--yes' option does. Therefore, add the option '--olddefconfig' as an alias.
- s390: Correct register corruption in critical section cleanup (bnc#1012382).
- s390/qeth: fix error handling in adapter command callbacks (bnc#1103745, LTC#169699).
- sched/smt: Update sched_smt_present at runtime (bsc#1089343).
- sched/sysctl: Check user input value of sysctl_sched_time_avg (bsc#1100089).
- scsi: lpfc: Change IO submit return to EBUSY if remote port is recovering (bsc#1092207).
- scsi: lpfc: correct oversubscription of nvme io requests for an adapter (bsc#1095453).
- scsi: lpfc: Driver NVME load fails when CPU cnt > WQ resource cnt (bsc#1092207).
- scsi: lpfc: Fix 16gb hbas failing cq create (bsc#1089525).
- scsi: lpfc: Fix 16gb hbas failing cq create (bsc#1095453).
- scsi: lpfc: Fix crash in blk_mq layer when executing modprobe -r lpfc (bsc#1095453).
- scsi: lpfc: Fix MDS diagnostics failure (Rx < Tx) (bsc#1095453).
- scsi: lpfc: Fix port initialization failure (bsc#1095453).
- scsi: lpfc: Fix up log messages and stats counters in IO submit code path (bsc#1092207).
- scsi: lpfc: Handle new link fault code returned by adapter firmware (bsc#1092207).
- scsi: lpfc: update driver version to 11.4.0.7-3 (bsc#1092207).
- scsi: lpfc: update driver version to 11.4.0.7-4 (bsc#1095453).
- scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails (bnc#1012382).
- scsi: qla2xxx: Spinlock recursion in qla_target (bsc#1097501)
- scsi: qlogicpti: Fix an error handling path in 'qpti_sbus_probe()' (bsc#1082979).
- scsi: sg: fix minor memory leak in error path (bsc#1082979).
- scsi: sg: mitigate read/write abuse (bsc#1101296).
- scsi: target: fix crash with iscsi target and dvd (bsc#1082979).
- scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed (LTC#168765 bnc#1012382 bnc#1099713).
- scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED (LTC#168765 bnc#1012382 bnc#1099713).
- scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread (LTC#168765 bnc#1012382 bnc#1099713).
- scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return (LTC#168765 bnc#1012382 bnc#1099713).
- scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for ERP_FAILED (LTC#168765 bnc#1012382 bnc#1099713).
- scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler (LTC#168765 bnc#1012382 bnc#1099713).
- scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF (LTC#168765 bnc#1012382 bnc#1099713).
- serial: sh-sci: Use spin_{try}lock_irqsave instead of open coding version (bnc#1012382).
- signal/xtensa: Consistenly use SIGBUS in do_unaligned_user (bnc#1012382).
- smsc75xx: Add workaround for gigabit link up hardware errata (bsc#1100132).
- smsc95xx: Configure pause time to 0xffff when tx flow control enabled (bsc#1085536).
- spi: Fix scatterlist elements size in spi_map_buf (bnc#1012382).
- staging: android: ion: Return an ERR_PTR in ion_map_kernel (bnc#1012382).
- staging: comedi: quatech_daqp_cs: fix no-op loop daqp_ao_insn_write() (bnc#1012382).
- tcp: do not overshoot window_clamp in tcp_rcv_space_adjust() (bnc#1012382).
- tcp: fix Fast Open key endianness (bnc#1012382).
- tcp: prevent bogus FRTO undos with non-SACK flows (bnc#1012382).
- tcp: verify the checksum of the first data segment in a new connection (bnc#1012382).
- time: Make sure jiffies_to_msecs() preserves non-zero time periods (bnc#1012382).
- tracing: Fix missing return symbol in function_graph output (bnc#1012382).
- ubi: fastmap: Cancel work upon detach (bnc#1012382).
- ubi: fastmap: Correctly handle interrupted erasures in EBA (bnc#1012382).
- ubifs: Fix potential integer overflow in allocation (bnc#1012382).
- udf: Detect incorrect directory size (bnc#1012382).
- Update config files. CONFIG_X86_FAST_FEATURE_TESTS=y
- uprobes/x86: Remove incorrect WARN_ON() in uprobe_init_insn() (bnc#1012382).
- usb: cdc_acm: Add quirk for Uniden UBC125 scanner (bnc#1012382).
- usb: core: handle hub C_PORT_OVER_CURRENT condition (bsc#1100132).
- usb: do not reset if a low-speed or full-speed device timed out (bnc#1012382).
- usb: musb: fix remote wakeup racing with suspend (bnc#1012382).
- usb: quirks: add delay quirks for Corsair Strafe (bnc#1012382).
- usb: serial: ch341: fix type promotion bug in ch341_control_in() (bnc#1012382).
- usb: serial: cp210x: add another USB ID for Qivicon ZigBee stick (bnc#1012382).
- usb: serial: cp210x: add CESINEL device ids (bnc#1012382).
- usb: serial: cp210x: add Silicon Labs IDs for Windows Update (bnc#1012382).
- usb: serial: keyspan_pda: fix modem-status error handling (bnc#1012382).
- usb: serial: mos7840: fix status-register error handling (bnc#1012382).
- usb: yurex: fix out-of-bounds uaccess in read handler (bnc#1012382).
- vfio: platform: Fix reset module leak in error path (bsc#1102211).
- vhost_net: validate sock before trying to put its fd (bnc#1012382).
- video/fbdev/stifb: Return -ENOMEM after a failed kzalloc() in stifb_init_fb() (bsc#1090888 bsc#1099966).
- video: uvesafb: Fix integer overflow in allocation (bnc#1012382).
- vmw_balloon: fix inflation with batching (bnc#1012382).
- w1: mxc_w1: Enable clock before calling clk_get_rate() on it (bnc#1012382).
- wait: add wait_event_killable_timeout() (bsc#1099792).
- watchdog: da9063: Fix setting/changing timeout (bsc#1100843).
- watchdog: da9063: Fix timeout handling during probe (bsc#1100843).
- watchdog: da9063: Fix updating timeout value (bsc#1100843).
- x86/alternatives: Add an auxilary section (bnc#1012382).
- x86/alternatives: Discard dynamic check after init (bnc#1012382).
- x86/apic: Ignore secondary threads if nosmt=force (bsc#1089343).
- x86/asm: Add _ASM_ARG* constants for argument registers to <asm/asm.h> (bnc#1012382).
- x86/boot: Simplify kernel load address alignment check (bnc#1012382).
- x86/CPU/AMD: Do not check CPUID max ext level before parsing SMP info (bsc#1089343).
- x86/cpu/AMD: Evaluate smp_num_siblings early (bsc#1089343).
- x86/CPU/AMD: Move TOPOEXT reenablement before reading smp_num_siblings (bsc#1089343). Update config files.
- x86/cpu/AMD: Remove the pointless detect_ht() call (bsc#1089343).
- x86/cpu/common: Provide detect_ht_early() (bsc#1089343).
- x86/cpufeature: Add helper macro for mask check macros (bnc#1012382).
- x86/cpufeature: Carve out X86_FEATURE_* (bnc#1012382).
- x86/cpufeature: Get rid of the non-asm goto variant (bnc#1012382).
- x86/cpufeature: Make sure DISABLED/REQUIRED macros are updated (bnc#1012382).
- x86/cpufeature: Move some of the scattered feature bits to x86_capability (bnc#1012382).
- x86/cpufeature: Replace the old static_cpu_has() with safe variant (bnc#1012382).
- x86/cpufeature: Speed up cpu_feature_enabled() (bnc#1012382).
- x86/cpufeature: Update cpufeaure macros (bnc#1012382).
- x86/cpu/intel: Evaluate smp_num_siblings early (bsc#1089343).
- x86/cpu: Probe CPUID leaf 6 even when cpuid_level == 6 (bnc#1012382).
- x86/cpu: Provide a config option to disable static_cpu_has (bnc#1012382).
- x86/cpu: Remove the pointless CPU printout (bsc#1089343).
- x86/cpu/topology: Provide detect_extended_topology_early() (bsc#1089343).
- x86/fpu: Add an XSTATE_OP() macro (bnc#1012382).
- x86/fpu: Get rid of xstate_fault() (bnc#1012382).
- x86/headers: Do not include asm/processor.h in asm/atomic.h (bnc#1012382).
- x86/mce: Fix incorrect 'Machine check from unknown source' message (bnc#1012382).
- x86/mm/pkeys: Fix mismerge of protection keys CPUID bits (bnc#1012382).
- x86/mm: Simplify p[g4um]d_page() macros (1087081).
- x86/smpboot: Do not use smp_num_siblings in __max_logical_packages calculation (bsc#1089343).
- x86/smp: Provide topology_is_primary_thread() (bsc#1089343).
- x86/topology: Add topology_max_smt_threads() (bsc#1089343).
- x86/topology: Provide topology_smt_supported() (bsc#1089343).
- x86/vdso: Use static_cpu_has() (bnc#1012382).
- xen/grant-table: log the lack of grants (bnc#1085042).
- xen-netfront: Fix mismatched rtnl_unlock (bnc#1101658).
- xen-netfront: Update features after registering netdev (bnc#1101658).
- xen: Remove unnecessary BUG_ON from __unbind_from_irq() (bnc#1012382).
- xfrm6: avoid potential infinite loop in _decode_session6() (bnc#1012382).
- xfrm: Ignore socket policies when rebuilding hash tables (bnc#1012382).
- xfrm: skip policies marked as dead while rehashing (bnc#1012382).
- xhci: xhci-mem: off by one in xhci_stream_id_to_ring() (bnc#1012382).
ImportantSUSE bug 1012382SUSE bug 1023711SUSE bug 1064232SUSE bug 1076110SUSE bug 1078216SUSE bug 1082653SUSE bug 1082979SUSE bug 1085042SUSE bug 1085536SUSE bug 1085657SUSE bug 1087081SUSE bug 1087659SUSE bug 1089343SUSE bug 1089525SUSE bug 1090123SUSE bug 1090340SUSE bug 1090435SUSE bug 1090888SUSE bug 1091107SUSE bug 1092001SUSE bug 1092207SUSE bug 1093777SUSE bug 1094120SUSE bug 1094244SUSE bug 1095453SUSE bug 1095643SUSE bug 1096790SUSE bug 1096978SUSE bug 1097034SUSE bug 1097501SUSE bug 1097771SUSE bug 1098599SUSE bug 1099306SUSE bug 1099713SUSE bug 1099792SUSE bug 1099810SUSE bug 1099858SUSE bug 1099918SUSE bug 1099966SUSE bug 1099993SUSE bug 1100089SUSE bug 1100132SUSE bug 1100340SUSE bug 1100843SUSE bug 1100930SUSE bug 1101296SUSE bug 1101331SUSE bug 1101658SUSE bug 1101789SUSE bug 1102188SUSE bug 1102197SUSE bug 1102203SUSE bug 1102205SUSE bug 1102207SUSE bug 1102211SUSE bug 1102214SUSE bug 1102215SUSE bug 1102340SUSE bug 1102394SUSE bug 1102683SUSE bug 1102851SUSE bug 1103097SUSE bug 1103119SUSE bug 1103580SUSE bug 1103717SUSE bug 1103745SUSE bug 1103884SUSE bug 1104174SUSE bug 997935CVE-2017-18344 at SUSECVE-2017-18344 at NVDCVE-2018-14734 at SUSECVE-2018-14734 at NVDCVE-2018-3620 at SUSECVE-2018-3620 at NVDCVE-2018-3646 at SUSECVE-2018-3646 at NVDCVE-2018-5390 at SUSECVE-2018-5390 at NVDCVE-2018-5391 at SUSECVE-2018-5391 at NVDcpe:/o:suse:sles:12:sp3Security update for util-linux (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for util-linux fixes the following issues:
This non-security issue was fixed:
- CVE-2018-7738: bash-completion/umount allowed local users to gain privileges
by embedding shell commands in a mountpoint name, which was mishandled during a
umount command by a different user (bsc#1084300).
These non-security issues were fixed:
- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).
ModerateSUSE bug 1072947SUSE bug 1078662SUSE bug 1080740SUSE bug 1084300CVE-2018-7738 at SUSECVE-2018-7738 at NVDcpe:/o:suse:sles:12:sp3Security update for perl-Archive-Zip (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for perl-Archive-Zip fixes the following security issue:
- CVE-2018-10860: Prevent directory traversal caused by not properly sanitizing
paths while extracting zip files. An attacker able to provide a specially
crafted archive for processing could have used this flaw to write or overwrite
arbitrary files in the context of the perl interpreter (bsc#1099497)
ModerateSUSE bug 1099497CVE-2018-10860 at SUSECVE-2018-10860 at NVDcpe:/o:suse:sles:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3
This update for xen fixes the following security issues:
- CVE-2018-3646: Systems with microprocessors utilizing speculative execution
and address translations may have allowed unauthorized disclosure of
information residing in the L1 data cache to an attacker with local user access
with guest OS privilege via a terminal page fault and a side-channel analysis
(bsc#1091107, bsc#1027519).
- Incorrect MSR_DEBUGCTL handling let guests enable BTS allowing a malicious or
buggy guest administrator can lock up the entire host (bsc#1103276)
ImportantSUSE bug 1027519SUSE bug 1091107SUSE bug 1103276CVE-2018-3646 at SUSECVE-2018-3646 at NVDcpe:/o:suse:sles:12:sp3Security update for procps (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for procps fixes the following security issues:
- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top
with HOME unset in an attacker-controlled directory, the attacker could have
achieved privilege escalation by exploiting one of several vulnerabilities in
the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow.
Inbuilt protection in ps maped a guard page at the end of the overflowed
buffer, ensuring that the impact of this flaw is limited to a crash (temporary
denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap
corruption in file2strvec function. This allowed a privilege escalation for a
local attacker who can create entries in procfs by starting processes, which
could result in crashes or arbitrary code execution in proc utilities run by
other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was
mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent
truncation/integer overflow issues (bsc#1092100).
ModerateSUSE bug 1092100CVE-2018-1122 at SUSECVE-2018-1122 at NVDCVE-2018-1123 at SUSECVE-2018-1123 at NVDCVE-2018-1124 at SUSECVE-2018-1124 at NVDCVE-2018-1125 at SUSECVE-2018-1125 at NVDCVE-2018-1126 at SUSECVE-2018-1126 at NVDcpe:/o:suse:sles:12:sp3Security update for libgcrypt (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libgcrypt fixes the following issues:
The following security vulnerability was addressed:
- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for
ECDSA signatures (bsc#1097410).
The following other issues were fixed:
- Extended the fipsdrv dsa-sign and dsa-verify commands with the
--algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)
ModerateSUSE bug 1064455SUSE bug 1090766SUSE bug 1097410CVE-2018-0495 at SUSECVE-2018-0495 at NVDcpe:/o:suse:sles:12:sp3Security update for libcgroup (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libcgroup fixes the following issues:
Security issue fixed:
- CVE-2018-14348: Fix daemon that creates /var/log/cgred with mode 0666 (bsc#1100365).
This updates also sets the permissions of already existing log files to proper values.
ModerateSUSE bug 1100365CVE-2018-14348 at SUSECVE-2018-14348 at NVDcpe:/o:suse:sles:12:sp3Security update for clamav (Important)SUSE Linux Enterprise Server 12 SP3
This update for clamav fixes the following issues:
- Update to security release 0.99.3 (bsc#1077732)
* CVE-2017-12376 (ClamAV Buffer Overflow in handle_pdfname Vulnerability)
* CVE-2017-12377 (ClamAV Mew Packet Heap Overflow Vulnerability)
* CVE-2017-12379 (ClamAV Buffer Overflow in messageAddArgument Vulnerability)
- these vulnerabilities could have allowed an unauthenticated,
remote attacker to cause a denial of service (DoS) condition
or potentially execute arbitrary code on an affected device.
* CVE-2017-12374 (ClamAV use-after-free Vulnerabilities)
* CVE-2017-12375 (ClamAV Buffer Overflow Vulnerability)
* CVE-2017-12378 (ClamAV Buffer Over Read Vulnerability)
* CVE-2017-12380 (ClamAV Null Dereference Vulnerability)
- these vulnerabilities could have allowed an unauthenticated,
remote attacker to cause a denial of service (DoS) condition on an affected device.
* CVE-2017-6420 (bsc#1052448)
- this vulnerability could have allowed remote attackers to cause a denial of service
(use-after-free) via a crafted PE file with WWPack compression.
* CVE-2017-6419 (bsc#1052449)
- ClamAV could have allowed remote attackers to cause a denial of service
(heap-based buffer overflow and application crash) or possibly
have unspecified other impact via a crafted CHM file.
* CVE-2017-11423 (bsc#1049423)
- ClamAV could have allowed remote attackers to cause a denial of service
(stack-based buffer over-read and application crash) via a crafted CAB file.
* CVE-2017-6418 (bsc#1052466)
- ClamAV could have allowed remote attackers to cause a denial
of service (out-of-bounds read) via a crafted e-mail message.
- update upstream keys in the keyring
- provide and obsolete clamav-nodb to trigger it's removal in Leap
bsc#1040662
ImportantSUSE bug 1040662SUSE bug 1049423SUSE bug 1052448SUSE bug 1052449SUSE bug 1052466SUSE bug 1077732CVE-2017-11423 at SUSECVE-2017-11423 at NVDCVE-2017-12374 at SUSECVE-2017-12374 at NVDCVE-2017-12375 at SUSECVE-2017-12375 at NVDCVE-2017-12376 at SUSECVE-2017-12376 at NVDCVE-2017-12377 at SUSECVE-2017-12377 at NVDCVE-2017-12378 at SUSECVE-2017-12378 at NVDCVE-2017-12379 at SUSECVE-2017-12379 at NVDCVE-2017-12380 at SUSECVE-2017-12380 at NVDCVE-2017-6418 at SUSECVE-2017-6418 at NVDCVE-2017-6419 at SUSECVE-2017-6419 at NVDCVE-2017-6420 at SUSECVE-2017-6420 at NVDcpe:/o:suse:sles:12:sp3Security update for gdm (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for gdm fixes the following security issue:
- CVE-2018-14424: The daemon in GDM did not properly unexport display objects
from its D-Bus interface when they are destroyed, which allowed a local
attacker to trigger a use-after-free via a specially crafted sequence of D-Bus
method calls, resulting in a denial of service or potential code execution
(bsc#1103737).
ModerateSUSE bug 1103737CVE-2018-14424 at SUSECVE-2018-14424 at NVDcpe:/o:suse:sles:12:sp3Security update for gd (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for gd fixes one issues.
This security issue was fixed:
- CVE-2018-5711: Prevent integer signedness error that could have lead to an
infinite loop via a crafted GIF file allowing for DoS (bsc#1076391)
ModerateSUSE bug 1076391CVE-2018-5711 at SUSECVE-2018-5711 at NVDcpe:/o:suse:sles:12:sp3Recommended update for apache2 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for apache2 fixes several issues.
These security issues were fixed:
- CVE-2017-9789: When under stress (closing many connections) the HTTP/2
handling code would sometimes access memory after it has been freed, resulting
in potentially erratic behaviour (bsc#1048575).
- CVE-2017-7659: A maliciously constructed HTTP/2 request could cause mod_http2
to dereference a NULL pointer and crash the server process (bsc#1045160).
These non-security issues were fixed:
- Use the full path to a2enmod and a2dismod in the apache-22-24-upgrade script (bsc#1042037)
- Fall back to 'localhost' as hostname in gensslcert (bsc#1057406)
ModerateSUSE bug 1042037SUSE bug 1045160SUSE bug 1048575SUSE bug 1057406CVE-2017-7659 at SUSECVE-2017-7659 at NVDCVE-2017-9789 at SUSECVE-2017-9789 at NVDcpe:/o:suse:sles:12:sp3Security update for spice-gtk (Important)SUSE Linux Enterprise Server 12 SP3
This update for spice-gtk fixes the following issues:
Security issues fixed:
- CVE-2018-10873: Fix potential heap corruption when demarshalling (bsc#1104448)
- CVE-2018-10893: Avoid buffer overflow on image lz checks (bsc#1101295)
ImportantSUSE bug 1101295SUSE bug 1104448CVE-2018-10873 at SUSECVE-2018-10873 at NVDCVE-2018-10893 at SUSECVE-2018-10893 at NVDcpe:/o:suse:sles:12:sp3Security update for spice (Important)SUSE Linux Enterprise Server 12 SP3
This update for spice fixes the following issues:
Security issues fixed:
- CVE-2018-10873: Fix potential heap corruption when demarshalling (bsc#1104448)
- CVE-2018-10893: Avoid buffer overflow on image lz checks (bsc#1101295)
ImportantSUSE bug 1101295SUSE bug 1104448CVE-2018-10873 at SUSECVE-2018-10873 at NVDCVE-2018-10893 at SUSECVE-2018-10893 at NVDcpe:/o:suse:sles:12:sp3Security update for dovecot22 (Important)SUSE Linux Enterprise Server 12 SP3
This update for dovecot22 fixes the following issues:
Security issue fixed:
- CVE-2017-15130: Fixed a potential denial of service via TLS SNI config
lookups, which would slow the process down and could have led to exhaustive
memory allocation and/or process restarts (bsc#1082828)
ImportantSUSE bug 1082828CVE-2017-15130 at SUSECVE-2017-15130 at NVDcpe:/o:suse:sles:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3
This update for java-1_7_1-ibm fixes the following issues:
Security issues fixed:
- CVE-2018-1517: Fixed a flaw in the java.math component in IBM SDK, which may
allow an attacker to inflict a denial-of-service attack with specially
crafted String data.
- CVE-2018-1656: Protect against path traversal attacks when extracting
compressed dump files.
- CVE-2018-2940: Fixed an easily exploitable vulnerability in the libraries
subcomponent, which allowed unauthenticated attackers with network access
via multiple protocols to compromise the Java SE, leading to
unauthorized read access.
- CVE-2018-2952: Fixed an easily exploitable vulnerability in the concurrency
subcomponent, which allowed unauthenticated attackers with network access
via multiple protocols to compromise the Java SE, leading to denial of
service.
- CVE-2018-2973: Fixed a difficult to exploit vulnerability in the JSSE
subcomponent, which allowed unauthenticated attackers with network access
via SSL/TLS to compromise the Java SE, leading to unauthorized creation,
deletion or modification access to critical data.
- CVE-2018-12539: Fixed a vulnerability in which users other than the process
owner may be able to use Java Attach API to connect to the IBM JVM on the
same machine and use Attach API operations, including the ability to execute
untrusted arbitrary code.
Other changes made:
- Various JIT/JVM crash fixes
- Version update to 7.1.4.30 (bsc#1104668)
You can find detailed information about this update [here](https://developer.ibm.com/javasdk/support/security-vulnerabilities/#IBM_Security_Update_August_2018).
ImportantSUSE bug 1104668CVE-2018-12539 at SUSECVE-2018-12539 at NVDCVE-2018-1517 at SUSECVE-2018-1517 at NVDCVE-2018-1656 at SUSECVE-2018-1656 at NVDCVE-2018-2940 at SUSECVE-2018-2940 at NVDCVE-2018-2952 at SUSECVE-2018-2952 at NVDCVE-2018-2973 at SUSECVE-2018-2973 at NVDcpe:/o:suse:sles:12:sp3Security update for python3 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for python3 provides the following fixes:
These security issues were fixed:
- CVE-2018-1061: Prevent catastrophic backtracking in the difflib.IS_LINE_JUNK
method. An attacker could have used this flaw to cause denial of service
(bsc#1088004).
- CVE-2018-1060: Prevent catastrophic backtracking in pop3lib's apop() method.
An attacker could have used this flaw to cause denial of service (bsc#1088009).
These non-security issues were fixed:
- Sort files and directories when creating tarfile archives so that they are created in a
more predictable way. (bsc#1086001)
- Add -fwrapv to OPTS (bsc#1107030)
ModerateSUSE bug 1086001SUSE bug 1088004SUSE bug 1088009SUSE bug 1107030CVE-2018-1060 at SUSECVE-2018-1060 at NVDCVE-2018-1061 at SUSECVE-2018-1061 at NVDcpe:/o:suse:sles:12:sp3Security update for tomcat (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for tomcat to 8.0.53 fixes the following issues:
Security issue fixed:
- CVE-2018-1336: An improper handing of overflow in the UTF-8 decoder with
supplementary characters could have lead to an infinite loop in the decoder
causing a Denial of Service (bsc#1102400).
- CVE-2018-8034: The host name verification when using TLS with the WebSocket
client was missing. It is now enabled by default (bsc#1102379).
- CVE-2018-8037: If an async request was completed by the application at the
same time as the container triggered the async timeout, a race condition
existed that could have resulted in a user seeing a response intended for a
different user. An additional issue was present in the NIO and NIO2 connectors
that did not correctly track the closure of the connection when an async
request was completed by the application and timed out by the container at the
same time. This could also have resulted in a user seeing a response intended
for another user (bsc#1102410).
- CVE-2018-8014: Fix insecure default CORS filter settings (bsc#1093697).
Bug fixes:
- bsc#1067720: Avoid overwriting of customer's configuration during update.
- bsc#1095472: Add Obsoletes for tomcat6 packages.
ModerateSUSE bug 1067720SUSE bug 1093697SUSE bug 1095472SUSE bug 1102379SUSE bug 1102400SUSE bug 1102410CVE-2018-1336 at SUSECVE-2018-1336 at NVDCVE-2018-8014 at SUSECVE-2018-8014 at NVDCVE-2018-8034 at SUSECVE-2018-8034 at NVDCVE-2018-8037 at SUSECVE-2018-8037 at NVDcpe:/o:suse:sles:12:sp3Security update for curl (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for curl fixes the following issues:
This security issue was fixed:
- CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019)
This non-security issue was fixed:
- Fixed erroneous debug message when paired with OpenSSL (bsc#1089533)
ModerateSUSE bug 1089533SUSE bug 1106019CVE-2018-14618 at SUSECVE-2018-14618 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3
The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.155 to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2018-13093: Prevent NULL pointer dereference and panic in lookup_slow()
on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image.
This occured because of a lack of proper validation that cached inodes are free
during allocation (bnc#1100001).
- CVE-2018-13095: Prevent denial of service (memory corruption and BUG) that
could have occurred for a corrupted xfs image upon encountering an inode that
is in extent format, but has more extents than fit in the inode fork
(bnc#1099999).
- CVE-2018-13094: Prevent OOPS that may have occured for a corrupted xfs image
after xfs_da_shrink_inode() is called with a NULL bp (bnc#1100000).
- CVE-2018-12896: Prevent integer overflow in the POSIX timer code that was
caused by the way the overrun accounting works. Depending on interval and
expiry time values, the overrun can be larger than INT_MAX, but the accounting
is int based. This basically made the accounting values, which are visible to
user space via timer_getoverrun(2) and siginfo::si_overrun, random. This
allowed a local user to cause a denial of service (signed integer overflow) via
crafted mmap, futex, timer_create, and timer_settime system calls
(bnc#1099922).
- CVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status that
could have been used by local attackers to read kernel memory (bnc#1107689).
- CVE-2018-6555: The irda_setsockopt function allowed local users to cause a
denial of service (ias_object use-after-free and system crash) or possibly have
unspecified other impact via an AF_IRDA socket (bnc#1106511).
- CVE-2018-6554: Prevent memory leak in the irda_bind function that allowed
local users to cause a denial of service (memory consumption) by repeatedly
binding an AF_IRDA socket (bnc#1106509).
- CVE-2018-1129: A flaw was found in the way signature calculation was handled
by cephx authentication protocol. An attacker having access to ceph cluster
network who is able to alter the message payload was able to bypass signature
checks done by cephx protocol (bnc#1096748).
- CVE-2018-1128: It was found that cephx authentication protocol did not verify
ceph clients correctly and was vulnerable to replay attack. Any attacker having
access to ceph cluster network who is able to sniff packets on network can use
this vulnerability to authenticate with ceph service and perform actions
allowed by ceph service (bnc#1096748).
- CVE-2018-10938: A crafted network packet sent remotely by an attacker forced
the kernel to enter an infinite loop in the cipso_v4_optptr() function leading
to a denial-of-service (bnc#1106016).
- CVE-2018-15572: The spectre_v2_select_mitigation function did not always fill
RSB upon a context switch, which made it easier for attackers to conduct
userspace-userspace spectreRSB attacks (bnc#1102517).
- CVE-2018-10902: Protect against concurrent access to prevent double realloc
(double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status(). A
malicious local attacker could have used this for privilege escalation
(bnc#1105322 1105323).
- CVE-2018-9363: Prevent buffer overflow in hidp_process_report (bsc#1105292)
- CVE-2018-10883: A local user could have caused an out-of-bounds write in
jbd2_journal_dirty_metadata(), a denial of service, and a system crash by
mounting and operating on a crafted ext4 filesystem image (bsc#1099863).
- CVE-2018-10879: A local user could have caused a use-after-free in
ext4_xattr_set_entry function and a denial of service or unspecified other
impact by renaming a file in a crafted ext4 filesystem image (bsc#1099844).
- CVE-2018-10878: A local user could have caused an out-of-bounds write and a
denial of service or unspecified other impact by mounting and operating a
crafted ext4 filesystem image (bsc#1099813).
- CVE-2018-10876: A use-after-free was possible in ext4_ext_remove_space()
function when mounting and operating a crafted ext4 image (bsc#1099811).
- CVE-2018-10877: Prevent out-of-bound access in the ext4_ext_drop_refs()
function when operating on a crafted ext4 filesystem image (bsc#1099846).
- CVE-2018-10881: A local user could have caused an out-of-bound access in
ext4_get_group_info function, a denial of service, and a system crash by
mounting and operating on a crafted ext4 filesystem image (bsc#1099864).
- CVE-2018-10882: A local user could have caused an out-of-bound write, a
denial of service, and a system crash by unmounting a crafted ext4 filesystem
image (bsc#1099849).
- CVE-2018-10880: Prevent stack-out-of-bounds write in the ext4 filesystem code
when mounting and writing to a crafted ext4 image in ext4_update_inline_data().
An attacker could have used this to cause a system crash and a denial of
service (bsc#1099845).
The following non-security bugs were fixed:
- 9p/net: Fix zero-copy path in the 9p virtio transport (bnc#1012382).
- 9p/virtio: fix off-by-one error in sg list bounds check (bnc#1012382).
- 9p: fix multiple NULL-pointer-dereferences (bnc#1012382).
- ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices (bnc#1012382).
- ACPI / PCI: Bail early in acpi_pci_add_bus() if there is no ACPI handle (bnc#1012382).
- ACPI / PM: save NVS memory for ASUS 1025C laptop (bnc#1012382).
- ACPI: save NVS memory for Lenovo G50-45 (bnc#1012382).
- ALSA: cs5535audio: Fix invalid endian conversion (bnc#1012382).
- ALSA: emu10k1: Rate-limit error messages about page errors (bnc#1012382).
- ALSA: emu10k1: add error handling for snd_ctl_add (bnc#1012382).
- ALSA: fm801: add error handling for snd_ctl_add (bnc#1012382).
- ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs (bnc#1012382).
- ALSA: hda - Turn CX8200 into D3 as well upon reboot (bnc#1012382).
- ALSA: hda/ca0132: fix build failure when a local macro is defined (bnc#1012382).
- ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry (bnc#1012382).
- ALSA: memalloc: Do not exceed over the requested size (bnc#1012382).
- ALSA: rawmidi: Change resized buffers atomically (bnc#1012382).
- ALSA: snd-aoa: add of_node_put() in error path (bsc#1099810).
- ALSA: usb-audio: Apply rate limit to warning messages in URB complete callback (bnc#1012382).
- ALSA: virmidi: Fix too long output trigger loop (bnc#1012382).
- ALSA: vx222: Fix invalid endian conversions (bnc#1012382).
- ALSA: vxpocket: Fix invalid endian conversions (bnc#1012382).
- ARC: Enable machine_desc->init_per_cpu for !CONFIG_SMP (bnc#1012382).
- ARC: Explicitly add -mmedium-calls to CFLAGS (bnc#1012382).
- ARC: Fix CONFIG_SWAP (bnc#1012382).
- ARC: mm: allow mprotect to make stack mappings executable (bnc#1012382).
- ARM: 8780/1: ftrace: Only set kernel memory back to read-only after boot (bnc#1012382).
- ARM: dts: Cygnus: Fix I2C controller interrupt type (bnc#1012382).
- ARM: dts: am3517.dtsi: Disable reference to OMAP3 OTG controller (bnc#1012382).
- ARM: dts: am437x: make edt-ft5x06 a wakeup source (bnc#1012382).
- ARM: dts: da850: Fix interrups property for gpio (bnc#1012382).
- ARM: dts: imx6sx: fix irq for pcie bridge (bnc#1012382).
- ARM: fix put_user() for gcc-8 (bnc#1012382).
- ARM: imx_v4_v5_defconfig: Select ULPI support (bnc#1012382).
- ARM: imx_v6_v7_defconfig: Select ULPI support (bnc#1012382).
- ARM: pxa: irq: fix handling of ICMR registers in suspend/resume (bnc#1012382).
- ARM: tegra: Fix Tegra30 Cardhu PCA954x reset (bnc#1012382).
- ASoC: Intel: cht_bsw_max98090: remove useless code, align with ChromeOS driver.
- ASoC: Intel: cht_bsw_max98090_ti: Fix jack initialization (bnc#1012382).
- ASoC: dpcm: do not merge format from invalid codec dai (bnc#1012382).
- ASoC: dpcm: fix BE dai not hw_free and shutdown (bnc#1012382).
- ASoC: pxa: Fix module autoload for platform drivers (bnc#1012382).
- ASoC: sirf: Fix potential NULL pointer dereference (bnc#1012382).
- Add reference to bsc#1091171 (bnc#1012382; bsc#1091171).
- Bluetooth: avoid killing an already killed socket (bnc#1012382).
- Bluetooth: btusb: Add a new Realtek 8723DE ID 2ff8:b011 (bnc#1012382).
- Bluetooth: btusb: Remove Yoga 920 from the btusb_needs_reset_resume_table (bsc#1087092).
- Bluetooth: btusb: Use DMI matching for QCA reset_resume quirking (bsc#1087092).
- Bluetooth: hci_qca: Fix 'Sleep inside atomic section' warning (bnc#1012382).
- Documentation/spec_ctrl: Do some minor cleanups (bnc#1012382).
- HID: hid-plantronics: Re-resend Update to map button for PTT products (bnc#1012382).
- HID: i2c-hid: check if device is there before really probing (bnc#1012382).
- HID: wacom: Correct touch maximum XY of 2nd-gen Intuos (bnc#1012382).
- IB/core: Make testing MR flags for writability a static inline function (bnc#1012382).
- IB/core: Remove duplicate declaration of gid_cache_wq (bsc#1056596).
- IB/iser: Do not reduce max_sectors (bsc#1063646).
- IB/mlx4: Fix an error handling path in 'mlx4_ib_rereg_user_mr()'.
- IB/mlx4: Mark user MR as writable if actual virtual memory is writable (bnc#1012382).
- IB/mlx5: Fetch soft WQE's on fatal error state (bsc#1015342 bsc#1015343).
- IB/mlx5: Use 'kvfree()' for memory allocated by 'kvzalloc()' (bsc#1015342 bsc#1015343).
- IB/ocrdma: fix out of bounds access to local buffer (bnc#1012382).
- Input: elan_i2c - add ACPI ID for lenovo ideapad 330 (bnc#1012382).
- Input: elan_i2c - add another ACPI ID for Lenovo Ideapad 330-15AST (bnc#1012382).
- Input: i8042 - add Lenovo LaVie Z to the i8042 reset list (bnc#1012382).
- KVM/Eventfd: Avoid crash when assign and deassign specific eventfd in parallel (bnc#1012382).
- KVM: MMU: always terminate page walks at level 1 (bsc#1062604).
- KVM: MMU: simplify last_pte_bitmap (bsc#1062604).
- KVM: VMX: Work around kABI breakage in 'enum vmx_l1d_flush_state' (bsc#1106369).
- KVM: VMX: fixes for vmentry_l1d_flush module parameter (bsc#1106369).
- KVM: arm/arm64: Skip updating PMD entry if no change (bnc#1012382).
- KVM: arm/arm64: Skip updating PTE entry if no change (bnc#1012382).
- KVM: irqfd: fix race between EPOLLHUP and irq_bypass_register_consumer (bnc#1012382).
- KVM: nVMX: update last_nonleaf_level when initializing nested EPT (bsc#1062604).
- MIPS: Correct the 64-bit DSP accumulator register size (bnc#1012382).
- MIPS: Fix off-by-one in pci_resource_to_user() (bnc#1012382).
- MIPS: ath79: fix register address in ath79_ddr_wb_flush() (bnc#1012382).
- MIPS: lib: Provide MIPS64r6 __multi3() for GCC lower than < 7 (bnc#1012382).
- NET: stmmac: align DMA stuff to largest cache line length (bnc#1012382).
- PCI: Prevent sysfs disable of device while driver is attached (bnc#1012382).
- PCI: Skip MPS logic for Virtual Functions (VFs) (bnc#1012382).
- PCI: hotplug: Do not leak pci_slot on registration failure (bnc#1012382).
- PCI: pciehp: Fix use-after-free on unplug (bnc#1012382).
- PCI: pciehp: Request control of native hotplug only if supported (bnc#1012382).
- PM / sleep: wakeup: Fix build error caused by missing SRCU support (bnc#1012382).
- RDMA/i40iw: Avoid panic when objects are being created and destroyed (bsc#969476 bsc#969477).
- RDMA/i40iw: Avoid panic when reading back the IRQ affinity hint (bsc#969476 bsc#969477).
- RDMA/i40iw: Avoid reference leaks when processing the AEQ (bsc#969476 bsc#969477).
- RDMA/i40w: Hold read semaphore while looking after VMA (bsc#1024376).
- RDMA/mad: Convert BUG_ONs to error flows (bnc#1012382).
- RDMA/mlx5: Use proper spec flow label type (bsc#1015342 bsc#1015343).
- Revert 'MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum' (bnc#1012382).
- Revert 'UBIFS: Fix potential integer overflow in allocation' (bnc#1012382).
- Revert 'f2fs: handle dirty segments inside refresh_sit_entry' (bsc#1106281).
- Revert 'mm: page_alloc: skip over regions of invalid pfns where possible' (bnc#1107078).
- Revert 'block-cancel-workqueue-entries-on-blk_mq_freeze_queue' (bsc#1103717).
- Smack: Mark inode instant in smack_task_to_inode (bnc#1012382).
- USB: musb: fix external abort on suspend (bsc#1085536).
- USB: option: add support for DW5821e (bnc#1012382).
- USB: serial: metro-usb: stop I/O after failed open (bsc#1085539).
- USB: serial: sierra: fix potential deadlock at close (bnc#1012382).
- Workaround kABI breakage by __must_check drop of strscpy() (bsc#1107319).
- afs: Fix directory permissions check (bsc#1106283).
- arc: fix build errors in arc/include/asm/delay.h (bnc#1012382).
- arc: fix type warnings in arc/mm/cache.c (bnc#1012382).
- arm64: make secondary_start_kernel() notrace (bnc#1012382).
- arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid() (bnc#1012382).
- ath: Add regulatory mapping for APL13_WORLD (bnc#1012382).
- ath: Add regulatory mapping for APL2_FCCA (bnc#1012382).
- ath: Add regulatory mapping for Bahamas (bnc#1012382).
- ath: Add regulatory mapping for Bermuda (bnc#1012382).
- ath: Add regulatory mapping for ETSI8_WORLD (bnc#1012382).
- ath: Add regulatory mapping for FCC3_ETSIC (bnc#1012382).
- ath: Add regulatory mapping for Serbia (bnc#1012382).
- ath: Add regulatory mapping for Tanzania (bnc#1012382).
- ath: Add regulatory mapping for Uganda (bnc#1012382).
- atl1c: reserve min skb headroom (bnc#1012382).
- atm: Preserve value of skb->truesize when accounting to vcc (bsc#1089066).
- audit: allow not equal op for audit by executable (bnc#1012382).
- backlight: as3711_bl: Fix Device Tree node leaks (bsc#1106929).
- backlight: lm3630a: Bump REG_MAX value to 0x50 instead of 0x1F (bsc#1106929).
- bcache: avoid unncessary cache prefetch bch_btree_node_get() (bsc#1064232).
- bcache: calculate the number of incremental GC nodes according to the total of btree nodes (bsc#1064232).
- bcache: display rate debug parameters to 0 when writeback is not running (bsc#1064232).
- bcache: do not check return value of debugfs_create_dir() (bsc#1064232).
- bcache: finish incremental GC (bsc#1064232).
- bcache: fix I/O significant decline while backend devices registering (bsc#1064232).
- bcache: fix error setting writeback_rate through sysfs interface (bsc#1064232).
- bcache: free heap cache_set->flush_btree in bch_journal_free (bsc#1064232).
- bcache: make the pr_err statement used for ENOENT only in sysfs_attatch section (bsc#1064232).
- bcache: release dc->writeback_lock properly in bch_writeback_thread() (bsc#1064232).
- bcache: set max writeback rate when I/O request is idle (bsc#1064232).
- bcache: simplify the calculation of the total amount of flash dirty data (bsc#1064232).
- be2net: remove unused old custom busy-poll fields (bsc#1021121 ).
- blkdev: __blkdev_direct_IO_simple: fix leak in error case (bsc#1083663).
- block: bio_iov_iter_get_pages: fix size of last iovec (bsc#1083663).
- block: bio_iov_iter_get_pages: pin more pages for multi-segment IOs (bsc#1083663).
- block: do not use interruptible wait anywhere (bnc#1012382).
- bnx2x: Fix invalid memory access in rss hash config path (bnc#1012382).
- bnx2x: Fix receiving tx-timeout in error or recovery state (bnc#1012382).
- bnxt_en: Always set output parameters in bnxt_get_max_rings() (bsc#963575).
- bnxt_en: Fix for system hang if request_irq fails (bnc#1012382).
- bnxt_en: Fix inconsistent BNXT_FLAG_AGG_RINGS logic (bsc#1020412 ).
- bpf: fix references to free_bpf_prog_info() in comments (bnc#1012382).
- brcmfmac: Add support for bcm43364 wireless chipset (bnc#1012382).
- brcmfmac: stop watchdog before detach and free everything (bnc#1012382).
- bridge: Propagate vlan add failure to user (bnc#1012382).
- btrfs: Do not remove block group still has pinned down bytes (bsc#1086457).
- btrfs: add barriers to btrfs_sync_log before log_commit_wait wakeups (bnc#1012382).
- btrfs: do not leak ret from do_chunk_alloc (bnc#1012382).
- btrfs: qgroup: Finish rescan when hit the last leaf of extent tree (bnc#1012382).
- btrfs: quota: Set rescan progress to (u64)-1 if we hit last leaf.
- btrfs: round down size diff when shrinking/growing device (bsc#1097105).
- can: ems_usb: Fix memory leak on ems_usb_disconnect() (bnc#1012382).
- can: mpc5xxx_can: check of_iomap return before use (bnc#1012382).
- can: xilinx_can: fix RX loop if RXNEMP is asserted without RXOK (bnc#1012382).
- can: xilinx_can: fix RX overflow interrupt not being enabled (bnc#1012382).
- can: xilinx_can: fix device dropping off bus on RX overrun (bnc#1012382).
- can: xilinx_can: fix incorrect clear of non-processed interrupts (bnc#1012382).
- can: xilinx_can: fix recovery from error states not being propagated (bnc#1012382).
- can: xilinx_can: keep only 1-2 frames in TX FIFO to fix TX accounting (bnc#1012382).
- cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status (bnc#1012382).
- ceph: fix incorrect use of strncpy (bsc#1107319).
- ceph: return errors from posix_acl_equiv_mode() correctly (bsc#1107320).
- cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf() (bsc#1012382).
- cifs: add missing debug entries for kconfig options (bnc#1012382).
- cifs: check kmalloc before use (bsc#1012382).
- cifs: store the leaseKey in the fid on SMB2_open (bsc#1012382).
- clk: tegra: Fix PLL_U post divider and initial rate on Tegra30 (bnc#1012382).
- crypto: ablkcipher - fix crash flushing dcache in error path (bnc#1012382).
- crypto: authenc - do not leak pointers to authenc keys (bnc#1012382).
- crypto: authencesn - do not leak pointers to authenc keys (bnc#1012382).
- crypto: blkcipher - fix crash flushing dcache in error path (bnc#1012382).
- crypto: padlock-aes - Fix Nano workaround data corruption (bnc#1012382).
- crypto: vmac - require a block cipher with 128-bit block size (bnc#1012382).
- crypto: vmac - separate tfm and request context (bnc#1012382).
- crypto: vmx - Fix sleep-in-atomic bugs (bsc#1048317).
- cxgb4: when disabling dcb set txq dcb priority to 0 (bnc#1012382).
- cxl: Fix wrong comparison in cxl_adapter_context_get() (bsc#1055014).
- dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart() (bnc#1012382).
- disable loading f2fs module on PAGE_SIZE > 4KB (bnc#1012382).
- dm cache metadata: save in-core policy_hint_size to on-disk superblock (bnc#1012382).
- dma-iommu: Fix compilation when !CONFIG_IOMMU_DMA (bnc#1012382).
- dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate() (bnc#1012382).
- dmaengine: pxa_dma: remove duplicate const qualifier (bnc#1012382).
- driver core: Partially revert 'driver core: correct device's shutdown order' (bnc#1012382).
- drivers: net: lmc: fix case value for target abort error (bnc#1012382).
- drm/armada: fix colorkey mode property (bnc#1012382).
- drm/atmel-hlcdc: check stride values in the first plane (bsc#1106929).
- drm/atomic: Handling the case when setting old crtc for plane (bnc#1012382).
- drm/bridge: adv7511: Reset registers on hotplug (bnc#1012382).
- drm/cirrus: Use drm_framebuffer_put to avoid kernel oops in clean-up (bsc#1101822).
- drm/drivers: add support for using the arch wc mapping API.
- drm/exynos/dsi: mask frame-done interrupt (bsc#1106929).
- drm/exynos: decon5433: Fix WINCONx reset value (bnc#1012382).
- drm/exynos: decon5433: Fix per-plane global alpha for XRGB modes (bnc#1012382).
- drm/exynos: gsc: Fix support for NV16/61, YUV420/YVU420 and YUV422 modes (bnc#1012382).
- drm/gma500: fix psb_intel_lvds_mode_valid()'s return type (bnc#1012382).
- drm/i915/userptr: reject zero user_size (bsc#1090888).
- drm/i915: Correctly handle limited range YCbCr data on VLV/CHV (bsc#1087092).
- drm/imx: fix typo in ipu_plane_formats (bsc#1106929).
- drm/imx: imx-ldb: check if channel is enabled before printing warning (bnc#1012382).
- drm/imx: imx-ldb: disable LDB on driver bind (bnc#1012382).
- drm/msm/hdmi: Use bitwise operators when building register values (bsc#1106929).
- drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply() (bnc#1012382).
- drm/panel: type promotion bug in s6e8aa0_read_mtp_id() (bsc#1105769).
- drm/radeon: fix mode_valid's return type (bnc#1012382).
- drm: Add DP PSR2 sink enable bit (bnc#1012382).
- drm: Reject getfb for multi-plane framebuffers (bsc#1106929).
- enic: do not call enic_change_mtu in enic_probe
- enic: handle mtu change for vf properly (bnc#1012382).
- enic: initialize enic->rfs_h.lock in enic_probe (bnc#1012382).
- esp6: fix memleak on error path in esp6_input
- ext4: check for NUL characters in extended attribute's name (bnc#1012382).
- ext4: check for allocation block validity with block group locked (bsc#1104495).
- ext4: do not update s_last_mounted of a frozen fs (bsc#1101841).
- ext4: factor out helper ext4_sample_last_mounted() (bsc#1101841).
- ext4: fix check to prevent initializing reserved inodes (bsc#1104319).
- ext4: fix false negatives *and* false positives in ext4_check_descriptors() (bsc#1103445).
- ext4: fix inline data updates with checksums enabled (bsc#1104494).
- ext4: fix spectre gadget in ext4_mb_regular_allocator() (bnc#1012382).
- ext4: reset error code in ext4_find_entry in fallback (bnc#1012382).
- ext4: sysfs: print ext4_super_block fields as little-endian (bsc#1106229).
- f2fs: fix to do not trigger writeback during recovery (bnc#1012382).
- fat: fix memory allocation failure handling of match_strdup() (bnc#1012382).
- fb: fix lost console when the user unplugs a USB adapter (bnc#1012382).
- fbdev: omapfb: off by one in omapfb_register_client() (bsc#1106929).
- fix __legitimize_mnt()/mntput() race (bnc#1012382).
- fix mntput/mntput race (bnc#1012382).
- fork: unconditionally clear stack on fork (bnc#1012382).
- fs/9p/xattr.c: catch the error of p9_client_clunk when setting xattr failed (bnc#1012382).
- fs/dax.c: fix inefficiency in dax_writeback_mapping_range() (bsc#1106185).
- fs/quota: Fix spectre gadget in do_quotactl (bnc#1012382).
- fs: aio: fix the increment of aio-nr and counting against aio-max-nr (bsc#1068075, bsc#1078921).
- fuse: Add missed unlock_page() to fuse_readpages_fill() (bnc#1012382).
- fuse: Do not access pipe->buffers without pipe_lock() (bnc#1012382).
- fuse: Fix oops at process_init_reply() (bnc#1012382).
- fuse: fix double request_end() (bnc#1012382).
- fuse: fix unlocked access to processing queue (bnc#1012382).
- fuse: umount should wait for all requests (bnc#1012382).
- genirq/proc: Return proper error code when irq_set_affinity() fails (bnc#1105392).
- getxattr: use correct xattr length (bnc#1012382).
- hfsplus: Do not clear SGID when inheriting ACLs (bsc#1030552).
- hvc_opal: do not set tb_ticks_per_usec in udbg_init_opal_common() (bnc#1012382).
- hwrng: exynos - Disable runtime PM on driver unbind.
- i2c: davinci: Avoid zero value of CLKH (bnc#1012382).
- i2c: imx: Fix race condition in dma read (bnc#1012382).
- i2c: imx: Fix reinit_completion() use (bnc#1012382).
- i2c: ismt: fix wrong device address when unmap the data buffer (bnc#1012382).
- i40e: use cpumask_copy instead of direct assignment (bsc#1053685).
- i40iw: Fix memory leak in error path of create QP (bsc#969476 bsc#969477).
- i40iw: Use correct address in dst_neigh_lookup for IPv6 (bsc#969476 bsc#969477).
- ibmvnic: Include missing return code checks in reset function (bnc#1107966).
- ieee802154: at86rf230: switch from BUG_ON() to WARN_ON() on problem (bnc#1012382).
- ieee802154: at86rf230: use __func__ macro for debug messages (bnc#1012382).
- ieee802154: fakelb: switch from BUG_ON() to WARN_ON() on problem (bnc#1012382).
- igb: Fix not adding filter elements to the list (bsc#1024361 bsc#1024365).
- iio: ad9523: Fix displayed phase (bnc#1012382).
- iio: ad9523: Fix return value for ad952x_store() (bnc#1012382).
- inet: frag: enforce memory limits earlier (bnc#1012382 bsc#970506).
- iommu/amd: make sure TLB to be flushed before IOVA freed (bsc#1106105).
- iommu/vt-d: Add definitions for PFSID (bnc#1012382).
- iommu/vt-d: Fix dev iotlb pfsid use (bnc#1012382).
- iommu/vt-d: Ratelimit each dmar fault printing (bsc#1106105).
- ioremap: Update pgtable free interfaces with addr (bnc#1012382).
- ip: hash fragments consistently (bnc#1012382).
- ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull (bnc#1012382).
- ipconfig: Correctly initialise ic_nameservers (bnc#1012382).
- ipv4+ipv6: Make INET*_ESP select CRYPTO_ECHAINIV (bnc#1012382).
- ipv4: Return EINVAL when ping_group_range sysctl does not map to user ns (bnc#1012382).
- ipv4: remove BUG_ON() from fib_compute_spec_dst (bnc#1012382).
- ipv6: fix useless rol32 call on hash (bnc#1012382).
- ipv6: mcast: fix unsolicited report interval after receiving querys (bnc#1012382).
- ipvlan: use ETH_MAX_MTU as max mtu (bsc#1033962).
- iscsi target: fix session creation failure handling (bnc#1012382).
- isdn: Disable IIOCDBGVAR (bnc#1012382).
- iw_cxgb4: remove duplicate memcpy() in c4iw_create_listen() (bsc#969476 bsc#969477).
- iwlwifi: pcie: fix race in Rx buffer allocator (bnc#1012382).
- ixgbe: Be more careful when modifying MAC filters (bnc#1012382).
- jfs: Do not clear SGID when inheriting ACLs (bsc#1030552).
- jump_label: Add RELEASE barrier after text changes (bsc#1105271).
- jump_label: Fix concurrent static_key_enable/disable() (bsc#1105271).
- jump_label: Move CPU hotplug locking (bsc#1105271).
- jump_label: Provide hotplug context variants (bsc#1105271).
- jump_label: Reduce the size of struct static_key (bsc#1105271).
- jump_label: Reorder hotplug lock and jump_label_lock (bsc#1105271).
- jump_label: Split out code under the hotplug lock (bsc#1105271).
- jump_label: remove bug.h, atomic.h dependencies for HAVE_JUMP_LABEL (bsc#1105271).
- kABI: protect enum tcp_ca_event (kabi).
- kABI: reexport tcp_send_ack (kabi).
- kabi/severities: Ignore missing cpu_tss_tramp (bsc#1099597)
- kabi: x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536).
- kasan: do not emit builtin calls when sanitization is off (bnc#1012382).
- kasan: fix shadow_size calculation error in kasan_module_alloc (bnc#1012382).
- kbuild: verify that $DEPMOD is installed (bnc#1012382).
- kernel: improve spectre mitigation (bnc#1106934, LTC#171029).
- kprobes/x86: Fix %p uses in error messages (bnc#1012382).
- kprobes: Make list and blacklist root user read only (bnc#1012382).
- kthread, tracing: Do not expose half-written comm when creating kthreads (bsc#1104897).
- kvm: x86: vmx: fix vpid leak (bnc#1012382).
- l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache (bnc#1012382).
- lib/rhashtable: consider param->min_size when setting initial table size (bnc#1012382).
- libata: Fix command retry decision (bnc#1012382).
- libceph: check authorizer reply/challenge length before reading (bsc#1096748).
- libceph: factor out __ceph_x_decrypt() (bsc#1096748).
- libceph: factor out __prepare_write_connect() (bsc#1096748).
- libceph: factor out encrypt_authorizer() (bsc#1096748).
- libceph: store ceph_auth_handshake pointer in ceph_connection (bsc#1096748).
- libceph: weaken sizeof check in ceph_x_verify_authorizer_reply() (bsc#1096748).
- llc: use refcount_inc_not_zero() for llc_sap_find() (bnc#1012382).
- locking/lockdep: Do not record IRQ state within lockdep code (bnc#1012382).
- locks: pass inode pointer to locks_free_lock_context (bsc@1099832).
- locks: prink more detail when there are leaked locks (bsc#1099832).
- locks: restore a warn for leaked locks on close (bsc#1099832).
- m68k: fix 'bad page state' oops on ColdFire boot (bnc#1012382).
- mac80211: add stations tied to AP_VLANs during hw reconfig (bnc#1012382).
- md/raid10: fix that replacement cannot complete recovery after reassemble (bnc#1012382).
- md: fix NULL dereference of mddev->pers in remove_and_add_spares() (bnc#1012382).
- media: omap3isp: fix unbalanced dma_iommu_mapping (bnc#1012382).
- media: rcar_jpu: Add missing clk_disable_unprepare() on error in jpu_open() (bnc#1012382).
- media: rtl28xxu: be sure that it won't go past the array size (bsc#1050431).
- media: s5p-jpeg: fix number of components macro (bsc#1050431).
- media: saa7164: Fix driver name in debug output (bnc#1012382).
- media: si470x: fix __be16 annotations (bnc#1012382).
- media: siano: get rid of __le32/__le16 cast warnings (bnc#1012382).
- media: staging: omap4iss: Include asm/cacheflush.h after generic includes (bnc#1012382).
- media: videobuf2-core: do not call memop 'finish' when queueing (bnc#1012382).
- memory: tegra: Apply interrupts mask per SoC (bnc#1012382).
- memory: tegra: Do not handle spurious interrupts (bnc#1012382).
- mfd: cros_ec: Fail early if we cannot identify the EC (bnc#1012382).
- microblaze: Fix simpleImage format generation (bnc#1012382).
- mm/hugetlb: filter out hugetlb pages if HUGEPAGE migration is not supported (bnc#1106697).
- mm/memory.c: check return value of ioremap_prot (bnc#1012382).
- mm/slub.c: add __printf verification to slab_err() (bnc#1012382).
- mm/tlb: Remove tlb_remove_table() non-concurrent condition (bnc#1012382).
- mm: Add vm_insert_pfn_prot() (bnc#1012382).
- mm: fix cache mode tracking in vm_insert_mixed() (bnc#1012382).
- mm: memcg: fix use after free in mem_cgroup_iter() (bnc#1012382).
- mm: vmalloc: avoid racy handling of debugobjects in vunmap (bnc#1012382).
- mm: x86: move _PAGE_SWP_SOFT_DIRTY from bit 7 to bit 1 (bnc#1012382).
- mtd: rawnand: fsl_ifc: fix FSL NAND driver to read all ONFI parameter pages (bnc#1012382).
- mtd: ubi: wl: Fix error return code in ubi_wl_init().
- mwifiex: correct histogram data with appropriate index (bnc#1012382).
- mwifiex: handle race during mwifiex_usb_disconnect (bnc#1012382).
- net/9p/client.c: version pointer uninitialized (bnc#1012382).
- net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree() (bnc#1012382).
- net/ethernet/freescale/fman: fix cross-build error (bnc#1012382).
- net/ipv4: Set oif in fib_compute_spec_dst (bnc#1012382).
- net/mlx4_core: Save the qpn from the input modifier in RST2INIT wrapper (bnc#1012382).
- net/mlx5: Add missing SET_DRIVER_VERSION command translation (bsc#1015342 bsc#1015343).
- net/mlx5: E-Switch, Include VF RDMA stats in vport statistics (bsc#966170 bsc#966172).
- net/mlx5: Eswitch, Use 'kvfree()' for memory allocated by 'kvzalloc()' (bsc#1015342 bsc#1015343).
- net/mlx5: Fix wrong size allocation for QoS ETC TC regitster (bsc#966170 bsc#966172).
- net/mlx5: Vport, Use 'kvfree()' for memory allocated by 'kvzalloc()' (bsc#966170 bsc#966172).
- net/mlx5e: Do not allow aRFS for encapsulated packets (bsc#1015342 bsc#1015343).
- net/mlx5e: Err if asked to offload TC match on frag being first (bsc#1015342 bsc#1015343).
- net/mlx5e: Fix quota counting in aRFS expire flow (bsc#1015342 bsc#1015343).
- net/mlx5e: Refine ets validation function (bsc#966170 bsc#966172).
- net: 6lowpan: fix reserved space for single frames (bnc#1012382).
- net: Do not copy pfmemalloc flag in __copy_skb_header() (bnc#1012382).
- net: add skb_condense() helper (bsc#1089066).
- net: adjust skb->truesize in ___pskb_trim() (bsc#1089066).
- net: adjust skb->truesize in pskb_expand_head() (bsc#1089066).
- net: axienet: Fix double deregister of mdio (bnc#1012382).
- net: caif: Add a missing rcu_read_unlock() in caif_flow_cb (bnc#1012382).
- net: davinci_emac: match the mdio device against its compatible if possible (bnc#1012382).
- net: dsa: Do not suspend/resume closed slave_dev (bnc#1012382).
- net: ena: Fix use of uninitialized DMA address bits field (bsc#1027968).
- net: fix amd-xgbe flow-control issue (bnc#1012382).
- net: hamradio: use eth_broadcast_addr (bnc#1012382).
- net: lan78xx: Fix misplaced tasklet_schedule() call (bnc#1012382).
- net: lan78xx: fix rx handling before first packet is send (bnc#1012382).
- net: mac802154: tx: expand tailroom if necessary (bnc#1012382).
- net: phy: fix flag masking in __set_phy_supported (bnc#1012382).
- net: prevent ISA drivers from building on PPC32 (bnc#1012382).
- net: propagate dev_get_valid_name return code (bnc#1012382).
- net: qca_spi: Avoid packet drop during initial sync (bnc#1012382).
- net: qca_spi: Fix log level if probe fails (bnc#1012382).
- net: qca_spi: Make sure the QCA7000 reset is triggered (bnc#1012382).
- net: socket: fix potential spectre v1 gadget in socketcall (bnc#1012382).
- net: usb: rtl8150: demote allmulti message to dev_dbg() (bnc#1012382).
- net: vmxnet3: use new api ethtool_{get|set}_link_ksettings (bsc#1091860 bsc#1098253).
- net_sched: Fix missing res info when create new tc_index filter (bnc#1012382).
- net_sched: fix NULL pointer dereference when delete tcindex filter (bnc#1012382).
- netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state (bnc#1012382).
- netfilter: ipset: List timing out entries with 'timeout 1' instead of zero (bnc#1012382).
- netfilter: ipv6: nf_defrag: reduce struct net memory waste (bnc#1012382).
- netfilter: ipvs: do not create conn for ABORT packet in sctp_conn_schedule (bsc#1102797).
- netfilter: ipvs: fix the issue that sctp_conn_schedule drops non-INIT packet (bsc#1102797).
- netfilter: x_tables: set module owner for icmp(6) matches (bnc#1012382).
- netlink: Do not shift on 64 for ngroups (bnc#1012382).
- netlink: Do not shift with UB on nlk->ngroups (bnc#1012382).
- netlink: Do not subscribe to non-existent groups (bnc#1012382).
- netlink: Fix spectre v1 gadget in netlink_create() (bnc#1012382).
- netlink: do not enter direct reclaim from netlink_trim() (bsc#1042286).
- nfsd: fix potential use-after-free in nfsd4_decode_getdeviceinfo (bnc#1012382).
- nl80211: Add a missing break in parse_station_flags (bnc#1012382).
- nohz: Fix local_timer_softirq_pending() (bnc#1012382).
- nvme-fc: release io queues to allow fast fail (bsc#1102486).
- nvme: if_ready checks to fail io to deleting controller (bsc#1102486).
- nvme: kABI-compliant version of nvmf_fail_nonready_command() (bsc#1102486).
- nvmet-fc: fix target sgl list on large transfers (bsc#1102486).
- osf_getdomainname(): use copy_to_user() (bnc#1012382).
- ovl: Do d_type check only if work dir creation was successful (bnc#1012382).
- ovl: Ensure upper filesystem supports d_type (bnc#1012382).
- ovl: warn instead of error if d_type is not supported (bnc#1012382).
- packet: refine ring v3 block size test to hold one frame (bnc#1012382).
- packet: reset network header if packet shorter than ll reserved space (bnc#1012382).
- parisc: Define mb() and add memory barriers to assembler unlock sequences (bnc#1012382).
- parisc: Enable CONFIG_MLONGCALLS by default (bnc#1012382).
- parisc: Remove ordered stores from syscall.S (bnc#1012382).
- parisc: Remove unnecessary barriers from spinlock.h (bnc#1012382).
- perf auxtrace: Fix queue resize (bnc#1012382).
- perf llvm-utils: Remove bashism from kernel include fetch script (bnc#1012382).
- perf report powerpc: Fix crash if callchain is empty (bnc#1012382).
- perf test session topology: Fix test on s390 (bnc#1012382).
- perf/x86/intel/uncore: Correct fixed counter index check for NHM (bnc#1012382).
- perf/x86/intel/uncore: Correct fixed counter index check in generic code (bnc#1012382).
- perf: fix invalid bit in diagnostic entry (bnc#1012382).
- pinctrl: at91-pio4: add missing of_node_put (bnc#1012382).
- pinctrl: freescale: off by one in imx1_pinconf_group_dbg_show() (bnc#1012382).
- pnfs/blocklayout: off by one in bl_map_stripe() (bnc#1012382).
- powerpc/32: Add a missing include header (bnc#1012382).
- powerpc/64s: Default l1d_size to 64K in RFI fallback flush (bsc#1068032).
- powerpc/64s: Fix compiler store ordering to SLB shadow area (bnc#1012382).
- powerpc/8xx: fix invalid register expression in head_8xx.S (bnc#1012382).
- powerpc/chrp/time: Make some functions static, add missing header include (bnc#1012382).
- powerpc/embedded6xx/hlwd-pic: Prevent interrupts from being handled by Starlet (bnc#1012382).
- powerpc/fadump: handle crash memory ranges array index overflow (bsc#1103269).
- powerpc/fadump: merge adjacent memory ranges to reduce PT_LOAD segements (bsc#1103269).
- powerpc/lib: Fix the feature fixup tests to actually work (bsc#1066223).
- powerpc/powermac: Add missing prototype for note_bootable_part() (bnc#1012382).
- powerpc/powermac: Mark variable x as unused (bnc#1012382).
- powerpc/pseries: Fix endianness while restoring of r3 in MCE handler (bnc#1012382).
- powerpc/topology: Get topology for shared processors at boot (bsc#1104683).
- powerpc64s: Show ori31 availability in spectre_v1 sysfs file not v2 (bsc#1068032, bsc#1080157).
- powerpc: Avoid code patching freed init sections (bnc#1107735).
- powerpc: make feature-fixup tests fortify-safe (bsc#1066223).
- provide special timeout module parameters for EC2 (bsc#1065364).
- ptp: fix missing break in switch (bnc#1012382).
- pwm: tiehrpwm: Fix disabling of output of PWMs (bnc#1012382).
- qed: Add sanity check for SIMD fastpath handler (bnc#1012382).
- qed: Correct Multicast API to reflect existence of 256 approximate buckets (bsc#1019695 bsc#1019699 bsc#1022604).
- qed: Do not advertise DCBX_LLD_MANAGED capability (bsc#1019695 bsc#1019699 bsc#1022604).
- qed: Fix possible memory leak in Rx error path handling (bsc#1019695 bsc#1019699 bsc#1022604 ).
- qed: Fix possible race for the link state value (bnc#1012382).
- qed: Fix setting of incorrect eswitch mode (bsc#1019695 bsc#1019699 bsc#1022604).
- qed: Fix use of incorrect size in memcpy call (bsc#1019695 bsc#1019699 bsc#1022604).
- qede: Adverstise software timestamp caps when PHC is not available (bsc#1019695 bsc#1019699 bsc#1022604).
- qlge: Fix netdev features configuration (bsc#1098822).
- qlogic: check kstrtoul() for errors (bnc#1012382).
- random: mix rdrand with entropy sent in from userspace (bnc#1012382).
- readahead: stricter check for bdi io_pages (VM Functionality).
- regulator: pfuze100: add .is_enable() for pfuze100_swb_regulator_ops (bnc#1012382).
- reiserfs: fix broken xattr handling (heap corruption, bad retval) (bnc#1012382).
- ring_buffer: tracing: Inherit the tracing setting to next ring buffer (bnc#1012382).
- root dentries need RCU-delayed freeing (bnc#1012382).
- rsi: Fix 'invalid vdd' warning in mmc (bnc#1012382).
- rtc: ensure rtc_set_alarm fails when alarms are not supported (bnc#1012382).
- rtnetlink: add rtnl_link_state check in rtnl_configure_link (bnc#1012382).
- s390/cpum_sf: Add data entry sizes to sampling trailer entry (bnc#1012382).
- s390/kvm: fix deadlock when killed by oom (bnc#1012382).
- s390/lib: use expoline for all bcr instructions (bnc#1106934, LTC#171029).
- s390/pci: fix out of bounds access during irq setup (bnc#1012382).
- s390/qdio: reset old sbal_state flags (bnc#1012382).
- s390/qeth: do not clobber buffer on async TX completion (bnc#1104485, LTC#170349).
- s390/qeth: fix race when setting MAC address (bnc#1104485, LTC#170726).
- s390: add explicit <linux/stringify.h> for jump label (bsc#1105271).
- s390: detect etoken facility (bnc#1106934, LTC#171029).
- s390: fix br_r1_trampoline for machines without exrl (bnc#1012382 bnc#1106934 LTC#171029).
- sched/fair: Avoid divide by zero when rebalancing domains (bsc#1096254).
- scripts/tar-up.sh: Do not package gitlog-excludes file Also fix the evaluation of gitlog-excludes file, too
- scsi: 3w-xxxx: fix a missing-check bug (bnc#1012382).
- scsi: core: Avoid that SCSI device removal through sysfs triggers a deadlock (bnc#1012382).
- scsi: fcoe: drop frames in ELS LOGO error path (bnc#1012382).
- scsi: hpsa: limit transfer length to 1MB, not 512kB (bsc#1102346).
- scsi: libiscsi: fix possible NULL pointer dereference in case of TMF (bnc#1012382).
- scsi: megaraid: silence a static checker bug (bnc#1012382).
- scsi: megaraid_sas: Increase timeout by 1 sec for non-RAID fastpath IOs (bnc#1012382).
- scsi: qla2xxx: Fix ISP recovery on unload (bnc#1012382).
- scsi: qla2xxx: Return error when TMF returns (bnc#1012382).
- scsi: scsi_dh: replace too broad 'TP9' string with the exact models (bnc#1012382).
- scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management enabled (bnc#1012382).
- scsi: sysfs: Introduce sysfs_{un,}break_active_protection() (bnc#1012382).
- scsi: ufs: fix exception event handling (bnc#1012382).
- scsi: vmw_pvscsi: Return DID_RESET for status SAM_STAT_COMMAND_TERMINATED (bnc#1012382).
- scsi: xen-scsifront: add error handling for xenbus_printf (bnc#1012382).
- scsi_debug: call resp_XXX function after setting host_scribble (bsc#1069138).
- scsi_debug: reset injection flags for every_nth > 0 (bsc#1069138).
- selftest/seccomp: Fix the flag name SECCOMP_FILTER_FLAG_TSYNC (bnc#1012382).
- selftest/seccomp: Fix the seccomp(2) signature (bnc#1012382).
- selftests/ftrace: Add snapshot and tracing_on test case (bnc#1012382).
- selftests/x86/sigreturn/64: Fix spurious failures on AMD CPUs (bnc#1012382).
- selftests: pstore: return Kselftest Skip code for skipped tests (bnc#1012382).
- selftests: static_keys: return Kselftest Skip code for skipped tests (bnc#1012382).
- selftests: sync: add config fragment for testing sync framework (bnc#1012382).
- selftests: user: return Kselftest Skip code for skipped tests (bnc#1012382).
- selftests: zram: return Kselftest Skip code for skipped tests (bnc#1012382).
- serial: 8250_dw: always set baud rate in dw8250_set_termios (bnc#1012382).
- sfc: stop the TX queue before pushing new buffers (bsc#1017967 ).
- skbuff: Unconditionally copy pfmemalloc in __skb_clone() (bnc#1012382).
- slab: __GFP_ZERO is incompatible with a constructor (bnc#1107060).
- smb3: Do not send SMB3 SET_INFO if nothing changed (bnc#1012382).
- smb3: do not request leases in symlink creation and query (bnc#1012382).
- spi: davinci: fix a NULL pointer dereference (bnc#1012382).
- squashfs: be more careful about metadata corruption (bnc#1012382).
- squashfs: more metadata hardening (bnc#1012382).
- squashfs: more metadata hardenings (bnc#1012382).
- staging: android: ion: check for kref overflow (bnc#1012382).
- string: drop __must_check from strscpy() and restore strscpy() usages in cgroup (bsc#1107319).
- sys: do not hold uts_sem while accessing userspace memory (bnc#1106995).
- target_core_rbd: use RCU in free_device (bsc#1105524).
- tcp: Fix missing range_truesize enlargement in the backport (bnc#1012382).
- tcp: add max_quickacks param to tcp_incr_quickack and tcp_enter_quickack_mode (bnc#1012382).
- tcp: add one more quick ack after after ECN events (bnc#1012382).
- tcp: do not aggressively quick ack after ECN events (bnc#1012382).
- tcp: do not cancel delay-AcK on DCTCP special ACK (bnc#1012382).
- tcp: do not delay ACK in DCTCP upon CE status change (bnc#1012382).
- tcp: do not force quickack when receiving out-of-order packets (bnc#1012382).
- tcp: fix dctcp delayed ACK schedule (bnc#1012382).
- tcp: helpers to send special DCTCP ack (bnc#1012382).
- tcp: identify cryptic messages as TCP seq # bugs (bnc#1012382).
- tcp: refactor tcp_ecn_check_ce to remove sk type cast (bnc#1012382).
- tcp: remove DELAYED ACK events in DCTCP (bnc#1012382).
- tg3: Add higher cpu clock for 5762 (bnc#1012382).
- thermal: exynos: fix setting rising_threshold for Exynos5433 (bnc#1012382).
- timekeeping: Eliminate the stale declaration of ktime_get_raw_and_real_ts64() (bsc#969470).
- tools/power turbostat: Read extended processor family from CPUID (bnc#1012382).
- tools/power turbostat: fix -S on UP systems (bnc#1012382).
- tools: usb: ffs-test: Fix build on big endian systems (bnc#1012382).
- tpm: fix race condition in tpm_common_write() (bnc#1012382).
- tracing/blktrace: Fix to allow setting same value (bnc#1012382).
- tracing/kprobes: Fix trace_probe flags on enable_trace_kprobe() failure (bnc#1012382).
- tracing: Do not call start/stop() functions when tracing_on does not change (bnc#1012382).
- tracing: Fix double free of event_trigger_data (bnc#1012382).
- tracing: Fix possible double free in event_enable_trigger_func() (bnc#1012382).
- tracing: Quiet gcc warning about maybe unused link variable (bnc#1012382).
- tracing: Use __printf markup to silence compiler (bnc#1012382).
- tty: Fix data race in tty_insert_flip_string_fixed_flag (bnc#1012382).
- turn off -Wattribute-alias (bnc#1012382).
- ubi: Be more paranoid while seaching for the most recent Fastmap (bnc#1012382).
- ubi: Fix Fastmap's update_vol() (bnc#1012382).
- ubi: Fix races around ubi_refill_pools() (bnc#1012382).
- ubi: Introduce vol_ignored() (bnc#1012382).
- ubi: Rework Fastmap attach base code (bnc#1012382).
- ubi: fastmap: Erase outdated anchor PEBs during attach (bnc#1012382).
- ubifs: Check data node size before truncate (bsc#1106276).
- ubifs: Fix memory leak in lprobs self-check (bsc#1106278).
- ubifs: Fix synced_i_size calculation for xattr inodes (bsc#1106275).
- ubifs: xattr: Do not operate on deleted inodes (bsc#1106271).
- udl-kms: change down_interruptible to down (bnc#1012382).
- udl-kms: fix crash due to uninitialized memory (bnc#1012382).
- udl-kms: handle allocation failure (bnc#1012382).
- udlfb: set optimal write delay (bnc#1012382).
- uprobes: Use synchronize_rcu() not synchronize_sched() (bnc#1012382).
- usb/phy: fix PPC64 build errors in phy-fsl-usb.c (bnc#1012382).
- usb: audio-v2: Correct the comment for struct uac_clock_selector_descriptor (bsc#1099810).
- usb: cdc_acm: Add quirk for Castles VEGA3000 (bnc#1012382).
- usb: dwc2: debugfs: Do not touch RX FIFO during register dump (bsc#1100132).
- usb: dwc2: fix isoc split in transfer with no data (bnc#1012382).
- usb: gadget: composite: fix delayed_status race condition when set_interface (bnc#1012382).
- usb: gadget: dwc2: fix memory leak in gadget_init() (bnc#1012382).
- usb: gadget: f_fs: Only return delayed status when len is 0 (bnc#1012382).
- usb: gadget: f_uac2: fix endianness of 'struct cntrl_*_lay3' (bnc#1012382).
- usb: gadget: r8a66597: Fix a possible sleep-in-atomic-context bugs in r8a66597_queue() (bnc#1012382).
- usb: gadget: r8a66597: Fix two possible sleep-in-atomic-context bugs in init_controller() (bnc#1012382).
- usb: hub: Do not wait for connect state at resume for powered-off ports (bnc#1012382).
- usb: renesas_usbhs: gadget: fix spin_lock_init() for &uep->lock (bsc#1085536).
- usb: xhci: increase CRS timeout value (bnc#1012382).
- usbip: usbip_detach: Fix memory, udev context and udev leak (bnc#1012382).
- userns: move user access out of the mutex (bnc#1012382).
- vfs: add the sb_start_intwrite_trylock() helper (bsc#1101841).
- virtio_balloon: fix another race between migration and ballooning (bnc#1012382).
- vmw_balloon: VMCI_DOORBELL_SET does not check status (bnc#1012382).
- vmw_balloon: do not use 2MB without batching (bnc#1012382).
- vmw_balloon: fix VMCI use when balloon built into kernel (bnc#1012382).
- vmw_balloon: fix inflation of 64-bit GFNs (bnc#1012382).
- vmxnet3: Replace msleep(1) with usleep_range() (bsc#1091860 bsc#1098253).
- vmxnet3: add receive data ring support (bsc#1091860 bsc#1098253).
- vmxnet3: add support for get_coalesce, set_coalesce ethtool operations (bsc#1091860 bsc#1098253).
- vmxnet3: allow variable length transmit data ring buffer (bsc#1091860 bsc#1098253).
- vmxnet3: avoid assumption about invalid dma_pa in vmxnet3_set_mc() (bsc#1091860 bsc#1098253).
- vmxnet3: avoid format strint overflow warning (bsc#1091860 bsc#1098253).
- vmxnet3: avoid xmit reset due to a race in vmxnet3 (bsc#1091860 bsc#1098253).
- vmxnet3: fix incorrect dereference when rxvlan is disabled (bsc#1091860 bsc#1098253).
- vmxnet3: fix non static symbol warning (bsc#1091860 bsc#1098253).
- vmxnet3: fix tx data ring copy for variable size (bsc#1091860 bsc#1098253).
- vmxnet3: increase default rx ring sizes (bsc#1091860 bsc#1098253).
- vmxnet3: introduce command to register memory region (bsc#1091860 bsc#1098253).
- vmxnet3: introduce generalized command interface to configure the device (bsc#1091860 bsc#1098253).
- vmxnet3: prepare for version 3 changes (bsc#1091860 bsc#1098253).
- vmxnet3: remove redundant initialization of pointer 'rq' (bsc#1091860 bsc#1098253).
- vmxnet3: remove unused flag 'rxcsum' from struct vmxnet3_adapter (bsc#1091860 bsc#1098253).
- vmxnet3: set the DMA mask before the first DMA map operation (bsc#1091860 bsc#1098253).
- vmxnet3: update to version 3 (bsc#1091860 bsc#1098253).
- vmxnet3: use DMA memory barriers where required (bsc#1091860 bsc#1098253).
- vmxnet3: use correct flag to indicate LRO feature (bsc#1091860 bsc#1098253).
- vsock: split dwork to avoid reinitializations (bnc#1012382).
- vti6: Fix dev->max_mtu setting (bsc#1033962).
- vti6: fix PMTU caching and reporting on xmit (bnc#1012382).
- wlcore: sdio: check for valid platform device data before suspend (bnc#1012382).
- x86/MCE: Remove min interval polling limitation (bnc#1012382).
- x86/amd: do not set X86_BUG_SYSRET_SS_ATTRS when running under Xen (bnc#1012382).
- x86/asm/entry/32: Simplify pushes of zeroed pt_regs->REGs (bnc#1012382).
- x86/bugs: Move the l1tf function and define pr_fmt properly (bnc#1012382).
- x86/bugs: Respect nospec command line option (bsc#1068032).
- x86/cpu/AMD: Fix erratum 1076 (CPB bit) (bnc#1012382).
- x86/cpu: Make alternative_msr_write work for 32-bit code (bnc#1012382).
- x86/cpu: Re-apply forced caps every time CPU caps are re-read (bnc#1012382).
- x86/cpufeatures: Add CPUID_7_EDX CPUID leaf (bnc#1012382).
- x86/cpufeatures: Clean up Spectre v2 related CPUID flags (bnc#1012382).
- x86/entry/64/compat: Clear registers for compat syscalls, to reduce speculation attack surface (bnc#1012382).
- x86/entry/64: Remove %ebx handling from error_entry/exit (bnc#1102715).
- x86/init: fix build with CONFIG_SWAP=n (bnc#1012382).
- x86/irqflags: Mark native_restore_fl extern inline (bnc#1012382).
- x86/irqflags: Provide a declaration for native_save_fl.
- x86/mm/kmmio: Make the tracer robust against L1TF (bnc#1012382).
- x86/mm/pat: Fix L1TF stable backport for CPA (bnc#1012382).
- x86/mm/pat: Fix L1TF stable backport for CPA, 2nd call (bnc#1012382).
- x86/mm/pat: Make set_memory_np() L1TF safe (bnc#1012382).
- x86/mm: Add TLB purge to free pmd/pte page interfaces (bnc#1012382).
- x86/mm: Disable ioremap free page handling on x86-PAE (bnc#1012382).
- x86/mm: Give each mm TLB flush generation a unique ID (bnc#1012382).
- x86/paravirt: Fix spectre-v2 mitigations for paravirt guests (bnc#1012382).
- x86/paravirt: Make native_save_fl() extern inline (bnc#1012382).
- x86/process: Correct and optimize TIF_BLOCKSTEP switch (bnc#1012382).
- x86/process: Optimize TIF checks in __switch_to_xtra() (bnc#1012382).
- x86/process: Optimize TIF_NOTSC switch (bnc#1012382).
- x86/process: Re-export start_thread() (bnc#1012382).
- x86/spectre: Add missing family 6 check to microcode check (bnc#1012382).
- x86/spectre_v2: Do not check microcode versions when running under hypervisors (bnc#1012382).
- x86/speculation/l1tf: Exempt zeroed PTEs from inversion (bnc#1012382).
- x86/speculation/l1tf: Extend 64bit swap file size limit (bnc#1012382).
- x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM (bnc#1105536).
- x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit (bnc#1012382).
- x86/speculation/l1tf: Fix up CPU feature flags (bnc#1012382).
- x86/speculation/l1tf: Fix up pte->pfn conversion for PAE (bnc#1012382).
- x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536).
- x86/speculation/l1tf: Invert all not present mappings (bnc#1012382).
- x86/speculation/l1tf: Make pmd/pud_mknotpresent() invert (bnc#1012382).
- x86/speculation/l1tf: Protect PAE swap entries against L1TF (bnc#1012382).
- x86/speculation/l1tf: Suggest what to do on systems with too much RAM (bnc#1105536).
- x86/speculation/l1tf: Unbreak !__HAVE_ARCH_PFN_MODIFY_ALLOWED architectures (bnc#1012382).
- x86/speculation: Add <asm/msr-index.h> dependency (bnc#1012382).
- x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support (bnc#1012382).
- x86/speculation: Clean up various Spectre related details (bnc#1012382).
- x86/speculation: Correct Speculation Control microcode blacklist again (bnc#1012382).
- x86/speculation: Move firmware_restrict_branch_speculation_*() from C to CPP (bnc#1012382).
- x86/speculation: Update Speculation Control microcode blacklist (bnc#1012382).
- x86/speculation: Use ARCH_CAPABILITIES to skip L1D flush on vmentry (bsc#1106369).
- x86/speculation: Use IBRS if available before calling into firmware (bnc#1012382).
- x86/speculation: Use Indirect Branch Prediction Barrier in context switch (bnc#1012382).
- x86/xen: Add call of speculative_store_bypass_ht_init() to PV paths (bnc#1012382).
- xen-netfront: wait xenbus state change when load module manually (bnc#1012382).
- xen/blkback: do not keep persistent grants too long (bsc#1085042).
- xen/blkback: move persistent grants flags to bool (bsc#1085042).
- xen/blkfront: cleanup stale persistent grants (bsc#1085042).
- xen/blkfront: reorder tests in xlblk_init() (bsc#1085042).
- xen/netfront: do not cache skb_shinfo() (bnc#1012382).
- xen: set cpu capabilities from xen_start_kernel() (bnc#1012382).
- xfrm: fix missing dst_release() after policy blocking lbcast and multicast (bnc#1012382).
- xfrm: free skb if nlsk pointer is NULL (bnc#1012382).
- xfrm_user: prevent leaking 2 bytes of kernel memory (bnc#1012382).
- xfs: Remove dead code from inode recover function (bsc#1105396).
- xfs: repair malformed inode items during log recovery (bsc#1105396).
- xhci: Fix perceived dead host due to runtime suspend race with event handler (bnc#1012382).
- zswap: re-check zswap_is_full() after do zswap_shrink() (bnc#1012382).
ImportantSUSE bug 1012382SUSE bug 1015342SUSE bug 1015343SUSE bug 1017967SUSE bug 1019695SUSE bug 1019699SUSE bug 1020412SUSE bug 1021121SUSE bug 1022604SUSE bug 1024361SUSE bug 1024365SUSE bug 1024376SUSE bug 1027968SUSE bug 1030552SUSE bug 1031492SUSE bug 1033962SUSE bug 1042286SUSE bug 1048317SUSE bug 1050431SUSE bug 1053685SUSE bug 1055014SUSE bug 1056596SUSE bug 1062604SUSE bug 1063646SUSE bug 1064232SUSE bug 1065364SUSE bug 1066223SUSE bug 1068032SUSE bug 1068075SUSE bug 1069138SUSE bug 1078921SUSE bug 1080157SUSE bug 1083663SUSE bug 1085042SUSE bug 1085536SUSE bug 1085539SUSE bug 1086457SUSE bug 1087092SUSE bug 1089066SUSE bug 1090888SUSE bug 1091171SUSE bug 1091860SUSE bug 1096254SUSE bug 1096748SUSE bug 1097105SUSE bug 1098253SUSE bug 1098822SUSE bug 1099597SUSE bug 1099810SUSE bug 1099811SUSE bug 1099813SUSE bug 1099832SUSE bug 1099844SUSE bug 1099845SUSE bug 1099846SUSE bug 1099849SUSE bug 1099863SUSE bug 1099864SUSE bug 1099922SUSE bug 1099999SUSE bug 1100000SUSE bug 1100001SUSE bug 1100132SUSE bug 1101822SUSE bug 1101841SUSE bug 1102346SUSE bug 1102486SUSE bug 1102517SUSE bug 1102715SUSE bug 1102797SUSE bug 1103269SUSE bug 1103445SUSE bug 1103717SUSE bug 1104319SUSE bug 1104485SUSE bug 1104494SUSE bug 1104495SUSE bug 1104683SUSE bug 1104897SUSE bug 1105271SUSE bug 1105292SUSE bug 1105322SUSE bug 1105323SUSE bug 1105392SUSE bug 1105396SUSE bug 1105524SUSE bug 1105536SUSE bug 1105769SUSE bug 1106016SUSE bug 1106105SUSE bug 1106185SUSE bug 1106229SUSE bug 1106271SUSE bug 1106275SUSE bug 1106276SUSE bug 1106278SUSE bug 1106281SUSE bug 1106283SUSE bug 1106369SUSE bug 1106509SUSE bug 1106511SUSE bug 1106697SUSE bug 1106929SUSE bug 1106934SUSE bug 1106995SUSE bug 1107060SUSE bug 1107078SUSE bug 1107319SUSE bug 1107320SUSE bug 1107689SUSE bug 1107735SUSE bug 1107966SUSE bug 963575SUSE bug 966170SUSE bug 966172SUSE bug 969470SUSE bug 969476SUSE bug 969477SUSE bug 970506CVE-2018-10876 at SUSECVE-2018-10876 at NVDCVE-2018-10877 at SUSECVE-2018-10877 at NVDCVE-2018-10878 at SUSECVE-2018-10878 at NVDCVE-2018-10879 at SUSECVE-2018-10879 at NVDCVE-2018-10880 at SUSECVE-2018-10880 at NVDCVE-2018-10881 at SUSECVE-2018-10881 at NVDCVE-2018-10882 at SUSECVE-2018-10882 at NVDCVE-2018-10883 at SUSECVE-2018-10883 at NVDCVE-2018-10902 at SUSECVE-2018-10902 at NVDCVE-2018-10938 at SUSECVE-2018-10938 at NVDCVE-2018-1128 at SUSECVE-2018-1128 at NVDCVE-2018-1129 at SUSECVE-2018-1129 at NVDCVE-2018-12896 at SUSECVE-2018-12896 at NVDCVE-2018-13093 at SUSECVE-2018-13093 at NVDCVE-2018-13094 at SUSECVE-2018-13094 at NVDCVE-2018-13095 at SUSECVE-2018-13095 at NVDCVE-2018-15572 at SUSECVE-2018-15572 at NVDCVE-2018-16658 at SUSECVE-2018-16658 at NVDCVE-2018-6554 at SUSECVE-2018-6554 at NVDCVE-2018-6555 at SUSECVE-2018-6555 at NVDCVE-2018-9363 at SUSECVE-2018-9363 at NVDcpe:/o:suse:sles:12:sp3Security update for openslp (Important)SUSE Linux Enterprise Server 12 SP3
This update for openslp fixes the following issues:
- CVE-2017-17833: Prevent heap-related memory corruption issue which may have
manifested itself as a denial-of-service or a remote code-execution
vulnerability (bsc#1090638)
- Prevent out of bounds reads in message parsing
ImportantSUSE bug 1090638CVE-2017-17833 at SUSECVE-2017-17833 at NVDcpe:/o:suse:sles:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ImageMagick fixes the following issues:
The following security vulnerabilities were fixed:
- CVE-2018-16329: Prevent NULL pointer dereference in the GetMagickProperty
function leading to DoS (bsc#1106858)
- CVE-2018-16323: ReadXBMImage left data uninitialized when processing an XBM
file that has a negative pixel value. If the affected code was used as a
library loaded into a process that includes sensitive information, that
information sometimes can be leaked via the image data (bsc#1106855)
- CVE-2018-14434: Fixed a memory leak for a colormap in WriteMPCImage
(bsc#1102003)
- CVE-2018-14435: Fixed a memory leak in DecodeImage in coders/pcd.c
(bsc#1102007)
- CVE-2018-14436: Fixed a memory leak in ReadMIFFImage in coders/miff.c
(bsc#1102005)
- CVE-2018-14437: Fixed a memory leak in parse8BIM in coders/meta.c
(bsc#1102004)
- Disable PS, PS2, PS3, XPS and PDF coders in default policy.xml (bsc#1105592)
ModerateSUSE bug 1102003SUSE bug 1102004SUSE bug 1102005SUSE bug 1102007SUSE bug 1105592SUSE bug 1106855SUSE bug 1106858CVE-2018-14434 at SUSECVE-2018-14434 at NVDCVE-2018-14435 at SUSECVE-2018-14435 at NVDCVE-2018-14436 at SUSECVE-2018-14436 at NVDCVE-2018-14437 at SUSECVE-2018-14437 at NVDCVE-2018-16323 at SUSECVE-2018-16323 at NVDCVE-2018-16329 at SUSECVE-2018-16329 at NVDcpe:/o:suse:sles:12:sp3Security update for liblouis (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for liblouis, python-louis, python3-louis fixes the
following issues:
Security issues fixed:
- CVE-2018-11440: Fixed a stack-based buffer overflow in the function
parseChars() in compileTranslationTable.c (bsc#1095189)
- CVE-2018-11577: Fixed a segmentation fault in lou_logPrint in logging.c
(bsc#1095945)
- CVE-2018-11683: Fixed a stack-based buffer overflow in the function
parseChars() in compileTranslationTable.c (different vulnerability than
CVE-2018-11440) (bsc#1095827)
- CVE-2018-11684: Fixed stack-based buffer overflow in the function
includeFile() in compileTranslationTable.c (bsc#1095826)
- CVE-2018-11685: Fixed a stack-based buffer overflow in the function
compileHyphenation() in compileTranslationTable.c (bsc#1095825)
- CVE-2018-12085: Fixed a stack-based buffer overflow in the function
parseChars() in compileTranslationTable.c (different vulnerability than
CVE-2018-11440) (bsc#1097103)
ModerateSUSE bug 1095189SUSE bug 1095825SUSE bug 1095826SUSE bug 1095827SUSE bug 1095945SUSE bug 1097103CVE-2018-11440 at SUSECVE-2018-11440 at NVDCVE-2018-11577 at SUSECVE-2018-11577 at NVDCVE-2018-11683 at SUSECVE-2018-11683 at NVDCVE-2018-11684 at SUSECVE-2018-11684 at NVDCVE-2018-11685 at SUSECVE-2018-11685 at NVDCVE-2018-12085 at SUSECVE-2018-12085 at NVDcpe:/o:suse:sles:12:sp3Security update for libzypp, zypper (Important)SUSE Linux Enterprise Server 12 SP3
This update for libzypp, zypper fixes the following issues:
Update libzypp to version 16.17.20:
Security issues fixed:
- PackageProvider: Validate deta rpms before caching (bsc#1091624,
bsc#1088705, CVE-2018-7685)
- PackageProvider: Validate downloaded rpm package signatures before
caching (bsc#1091624, bsc#1088705, CVE-2018-7685)
Other bugs fixed:
- lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304)
- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
- RepoManager: Explicitly request repo2solv to generate application
pseudo packages.
- libzypp-devel should not require cmake (bsc#1101349)
- HardLocksFile: Prevent against empty commit without Target having
been been loaded (bsc#1096803)
- Avoid zombie tar processes (bsc#1076192)
Update to zypper to version 1.13.45:
Security issues fixed:
- Improve signature check callback messages (bsc#1045735, CVE-2017-9269)
- add/modify repo: Add options to tune the GPG check settings
(bsc#1045735, CVE-2017-9269)
Other bugs fixed:
- XML <install-summary> attribute `packages-to-change` added (bsc#1102429)
- man: Strengthen that `--config FILE' affects zypper.conf,
not zypp.conf (bsc#1100028)
- Prevent nested calls to exit() if aborted by a signal (bsc#1092413)
- ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413)
- Fix: zypper bash completion expands non-existing options (bsc#1049825)
- Improve signature check callback messages (bsc#1045735)
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735)
ImportantSUSE bug 1036304SUSE bug 1045735SUSE bug 1049825SUSE bug 1070851SUSE bug 1076192SUSE bug 1088705SUSE bug 1091624SUSE bug 1092413SUSE bug 1096803SUSE bug 1099847SUSE bug 1100028SUSE bug 1101349SUSE bug 1102429CVE-2017-9269 at SUSECVE-2017-9269 at NVDCVE-2018-7685 at SUSECVE-2018-7685 at NVDcpe:/o:suse:sles:12:sp3Security update for apache2 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for apache2 fixes the following issues:
Security issues fixed:
- CVE-2016-8743: Fixed liberal whitespace interpretation accepted from requests
and sent in response lines and headers. Accepting these different behaviors
represented a security concern when httpd participates in any chain of
proxies or interacts with back-end application servers, either through
mod_proxy or using conventional CGI mechanisms, and may result in request
smuggling, response splitting and cache pollution. (bsc#1016715)
- CVE-2016-4975: Fixed possible CRLF injection allowing HTTP response splitting
attacks for sites which use mod_userdir. This issue was mitigated by changes
which prohibit CR or LF injection into the 'Location' or other outbound
header key or value. (bsc#1104826)
ModerateSUSE bug 1016715SUSE bug 1104826CVE-2016-4975 at SUSECVE-2016-4975 at NVDCVE-2016-8743 at SUSECVE-2016-8743 at NVDcpe:/o:suse:sles:12:sp3Security update for libXcursor (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libXcursor fixes the following security issue:
- CVE-2015-9262: _XcursorThemeInherits allowed remote attackers to cause denial
of service or potentially code execution via a one-byte heap overflow
(bsc#1103511).
ModerateSUSE bug 1103511CVE-2015-9262 at SUSECVE-2015-9262 at NVDcpe:/o:suse:sles:12:sp3Security update for java-1_8_0-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for java-1_8_0-ibm to 8.0.5.20 fixes the following security issues:
- CVE-2018-2952: Vulnerability in subcomponent: Concurrency. Difficult to
exploit vulnerability allowed unauthenticated attacker with network access via
multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful
attacks of this vulnerability can result in unauthorized ability to cause a
partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit
(bsc#1104668)
- CVE-2018-2940: Vulnerability in subcomponent: Libraries. Easily exploitable
vulnerability allowed unauthenticated attacker with network access via multiple
protocols to compromise Java SE, Java SE Embedded. Successful attacks require
human interaction from a person other than the attacker. Successful attacks of
this vulnerability can result in unauthorized read access to a subset of Java
SE, Java SE Embedded accessible data (bsc#1104668)
- CVE-2018-2973: Vulnerability in subcomponent: JSSE. Difficult to exploit
vulnerability allowed unauthenticated attacker with network access via SSL/TLS
to compromise Java SE, Java SE Embedded. Successful attacks of this
vulnerability can result in unauthorized creation, deletion or modification
access to critical data or all Java SE, Java SE Embedded accessible data
(bsc#1104668)
- CVE-2018-2964: Vulnerability in subcomponent: Deployment. Difficult to
exploit vulnerability allowed unauthenticated attacker with network access via
multiple protocols to compromise Java SE. Successful attacks require human
interaction from a person other than the attacker. Successful attacks of this
vulnerability can result in takeover of Java SE. (bsc#1104668)
- CVE-2016-0705: Prevent double free in the dsa_priv_decode function that
allowed remote attackers to cause a denial of service (memory corruption) or
possibly have unspecified other impact via a malformed DSA private key
(bsc#1104668)
- CVE-2017-3732: Prevent carry propagating bug in the x86_64 Montgomery
squaring procedure (bsc#1104668)
- CVE-2017-3736: Prevent carry propagating bug in the x86_64 Montgomery
squaring procedure (bsc#1104668)
- CVE-2018-1517: Unspecified vulnerability (bsc#1104668)
- CVE-2018-1656: Unspecified vulnerability (bsc#1104668)
- CVE-2018-12539: Users other than the process owner might have been able to
use Java Attach API to connect to an IBM JVM on the same machine and use Attach
API operations, which includes the ability to execute untrusted native code
(bsc#1104668)
ModerateSUSE bug 1104668CVE-2016-0705 at SUSECVE-2016-0705 at NVDCVE-2017-3732 at SUSECVE-2017-3732 at NVDCVE-2017-3736 at SUSECVE-2017-3736 at NVDCVE-2018-12539 at SUSECVE-2018-12539 at NVDCVE-2018-1517 at SUSECVE-2018-1517 at NVDCVE-2018-1656 at SUSECVE-2018-1656 at NVDCVE-2018-2940 at SUSECVE-2018-2940 at NVDCVE-2018-2952 at SUSECVE-2018-2952 at NVDCVE-2018-2964 at SUSECVE-2018-2964 at NVDCVE-2018-2973 at SUSECVE-2018-2973 at NVDcpe:/o:suse:sles:12:sp3Security update for ant (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ant fixes the following issues:
Security issue fixed:
- CVE-2018-10886: Fixed a path traversal vulnerability in malformed zip file
paths, which allowed arbitrary file writes and could potentially lead to
code execution (bsc#1100053)
ModerateSUSE bug 1100053CVE-2018-10886 at SUSECVE-2018-10886 at NVDcpe:/o:suse:sles:12:sp3Security update for tiff (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for tiff fixes the following issues:
Security issues fixed:
- CVE-2018-10779: Fixed a heap-based buffer overflow in TIFFWriteScanline()
in tif_write.c (bsc#1092480)
- CVE-2017-17942: Fixed a heap-based buffer overflow in the function
PackBitsEncode in tif_packbits.c. (bsc#1074186)
- CVE-2016-5319: Fixed a beap-based buffer overflow in bmp2tiff (bsc#983440)
ModerateSUSE bug 1074186SUSE bug 1092480SUSE bug 983440CVE-2016-5319 at SUSECVE-2016-5319 at NVDCVE-2017-17942 at SUSECVE-2017-17942 at NVDCVE-2018-10779 at SUSECVE-2018-10779 at NVDcpe:/o:suse:sles:12:sp3Security update for gnutls (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for gnutls fixes the following issues:
Security issues fixed:
- Improved mitigations against Lucky 13 class of attacks
- 'Just in Time' PRIME + PROBE cache-based side channel attack can lead to plaintext recovery (CVE-2018-10846, bsc#1105460)
- HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of wrong constant (CVE-2018-10845, bsc#1105459)
- HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not enough dummy function calls (CVE-2018-10844, bsc#1105437)
- The _asn1_check_identifier function in Libtasn1 caused a NULL pointer dereference and crash (CVE-2017-10790, bsc#1047002)
ModerateSUSE bug 1047002SUSE bug 1105437SUSE bug 1105459SUSE bug 1105460CVE-2017-10790 at SUSECVE-2017-10790 at NVDCVE-2018-10844 at SUSECVE-2018-10844 at NVDCVE-2018-10845 at SUSECVE-2018-10845 at NVDCVE-2018-10846 at SUSECVE-2018-10846 at NVDcpe:/o:suse:sles:12:sp3Security update for gd (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for gd fixes the following issues:
Security issue fixed:
- CVE-2018-1000222: Fixed a double free vulnerability in gdImageBmpPtr() that
could result in remote code execution. This could have been exploited via a
specially crafted JPEG image files. (bsc#1105434)
ModerateSUSE bug 1105434CVE-2018-1000222 at SUSECVE-2018-1000222 at NVDcpe:/o:suse:sles:12:sp3Security update for shadow (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for shadow fixes the following security issue:
- Prevent useradd from creating intermediate directories with mode 0777 (bsc#1106914)
ModerateSUSE bug 1106914cpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3
The SUSE Linux Enterprise 12 SP3 azure kernel was updated to 4.4.155 to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2018-13093: Prevent NULL pointer dereference and panic in lookup_slow()
on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image.
This occured because of a lack of proper validation that cached inodes are free
during allocation (bnc#1100001)
- CVE-2018-13095: Prevent denial of service (memory corruption and BUG) that
could have occurred for a corrupted xfs image upon encountering an inode that
is in extent format, but has more extents than fit in the inode fork
(bnc#1099999)
- CVE-2018-13094: Prevent OOPS that may have occured for a corrupted xfs image
after xfs_da_shrink_inode() is called with a NULL bp (bnc#1100000)
- CVE-2018-12896: Prevent integer overflow in the POSIX timer code that was
caused by the way the overrun accounting works. Depending on interval and
expiry time values, the overrun can be larger than INT_MAX, but the accounting
is int based. This basically made the accounting values, which are visible to
user space via timer_getoverrun(2) and siginfo::si_overrun, random. This
allowed a local user to cause a denial of service (signed integer overflow) via
crafted mmap, futex, timer_create, and timer_settime system calls (bnc#1099922)
- CVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status that
could have been used by local attackers to read kernel memory (bnc#1107689)
- CVE-2018-10940: The cdrom_ioctl_media_changed function allowed local
attackers to use a incorrect bounds check in the CDROM driver
CDROM_MEDIA_CHANGED ioctl to read out kernel memory (bsc#1092903)
- CVE-2018-6555: The irda_setsockopt function allowed local users to cause a
denial of service (ias_object use-after-free and system crash) or possibly have
unspecified other impact via an AF_IRDA socket (bnc#1106511)
- CVE-2018-6554: Prevent memory leak in the irda_bind function that allowed
local users to cause a denial of service (memory consumption) by repeatedly
binding an AF_IRDA socket (bnc#1106509)
- CVE-2018-1129: A flaw was found in the way signature calculation was handled
by cephx authentication protocol. An attacker having access to ceph cluster
network who is able to alter the message payload was able to bypass signature
checks done by cephx protocol (bnc#1096748)
- CVE-2018-1128: It was found that cephx authentication protocol did not verify
ceph clients correctly and was vulnerable to replay attack. Any attacker having
access to ceph cluster network who is able to sniff packets on network can use
this vulnerability to authenticate with ceph service and perform actions
allowed by ceph service (bnc#1096748)
- CVE-2018-10938: A crafted network packet sent remotely by an attacker forced
the kernel to enter an infinite loop in the cipso_v4_optptr() function leading
to a denial-of-service (bnc#1106016)
- CVE-2018-15572: The spectre_v2_select_mitigation function did not always fill
RSB upon a context switch, which made it easier for attackers to conduct
userspace-userspace spectreRSB attacks (bnc#1102517)
- CVE-2018-10902: Protect against concurrent access to prevent double realloc
(double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status(). A
malicious local attacker could have used this for privilege escalation
(bnc#1105322).
- CVE-2018-9363: Prevent buffer overflow in hidp_process_report (bsc#1105292)
- CVE-2018-10883: A local user could have caused an out-of-bounds write in
jbd2_journal_dirty_metadata(), a denial of service, and a system crash by
mounting and operating on a crafted ext4 filesystem image (bsc#1099863)
- CVE-2018-10879: A local user could have caused a use-after-free in
ext4_xattr_set_entry function and a denial of service or unspecified other
impact by renaming a file in a crafted ext4 filesystem image (bsc#1099844)
- CVE-2018-10878: A local user could have caused an out-of-bounds write and a
denial of service or unspecified other impact by mounting and operating a
crafted ext4 filesystem image (bsc#1099813)
- CVE-2018-10876: A use-after-free was possible in ext4_ext_remove_space()
function when mounting and operating a crafted ext4 image (bsc#1099811)
- CVE-2018-10877: Prevent out-of-bound access in the ext4_ext_drop_refs()
function when operating on a crafted ext4 filesystem image (bsc#1099846)
- CVE-2018-10881: A local user could have caused an out-of-bound access in
ext4_get_group_info function, a denial of service, and a system crash by
mounting and operating on a crafted ext4 filesystem image (bsc#1099864)
- CVE-2018-10882: A local user could have caused an out-of-bound write, a
denial of service, and a system crash by unmounting a crafted ext4 filesystem
image (bsc#1099849)
- CVE-2018-10880: Prevent stack-out-of-bounds write in the ext4 filesystem code
when mounting and writing to a crafted ext4 image in ext4_update_inline_data().
An attacker could have used this to cause a system crash and a denial of
service (bsc#1099845)
The following non-security bugs were fixed:
- 9p/net: Fix zero-copy path in the 9p virtio transport (bnc#1012382).
- 9p/virtio: fix off-by-one error in sg list bounds check (bnc#1012382).
- 9p: fix multiple NULL-pointer-dereferences (bnc#1012382).
- ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices (bnc#1012382).
- ACPI / PCI: Bail early in acpi_pci_add_bus() if there is no ACPI handle (bnc#1012382).
- ACPI / PM: save NVS memory for ASUS 1025C laptop (bnc#1012382).
- ACPI: save NVS memory for Lenovo G50-45 (bnc#1012382).
- ALSA: cs5535audio: Fix invalid endian conversion (bnc#1012382).
- ALSA: emu10k1: Rate-limit error messages about page errors (bnc#1012382).
- ALSA: emu10k1: add error handling for snd_ctl_add (bnc#1012382).
- ALSA: fm801: add error handling for snd_ctl_add (bnc#1012382).
- ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs (bnc#1012382).
- ALSA: hda - Turn CX8200 into D3 as well upon reboot (bnc#1012382).
- ALSA: hda/ca0132: fix build failure when a local macro is defined (bnc#1012382).
- ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry (bnc#1012382).
- ALSA: memalloc: Do not exceed over the requested size (bnc#1012382).
- ALSA: rawmidi: Change resized buffers atomically (bnc#1012382).
- ALSA: snd-aoa: add of_node_put() in error path (bsc#1099810).
- ALSA: usb-audio: Apply rate limit to warning messages in URB complete callback (bnc#1012382).
- ALSA: virmidi: Fix too long output trigger loop (bnc#1012382).
- ALSA: vx222: Fix invalid endian conversions (bnc#1012382).
- ALSA: vxpocket: Fix invalid endian conversions (bnc#1012382).
- ARC: Enable machine_desc->init_per_cpu for !CONFIG_SMP (bnc#1012382).
- ARC: Explicitly add -mmedium-calls to CFLAGS (bnc#1012382).
- ARC: Fix CONFIG_SWAP (bnc#1012382).
- ARC: mm: allow mprotect to make stack mappings executable (bnc#1012382).
- ARM: 8780/1: ftrace: Only set kernel memory back to read-only after boot (bnc#1012382).
- ARM: dts: Cygnus: Fix I2C controller interrupt type (bnc#1012382).
- ARM: dts: am3517.dtsi: Disable reference to OMAP3 OTG controller (bnc#1012382).
- ARM: dts: am437x: make edt-ft5x06 a wakeup source (bnc#1012382).
- ARM: dts: da850: Fix interrups property for gpio (bnc#1012382).
- ARM: dts: imx6sx: fix irq for pcie bridge (bnc#1012382).
- ARM: fix put_user() for gcc-8 (bnc#1012382).
- ARM: imx_v4_v5_defconfig: Select ULPI support (bnc#1012382).
- ARM: imx_v6_v7_defconfig: Select ULPI support (bnc#1012382).
- ARM: pxa: irq: fix handling of ICMR registers in suspend/resume (bnc#1012382).
- ARM: tegra: Fix Tegra30 Cardhu PCA954x reset (bnc#1012382).
- ASoC: Intel: cht_bsw_max98090: remove useless code, align with ChromeOS driver.
- ASoC: Intel: cht_bsw_max98090_ti: Fix jack initialization (bnc#1012382).
- ASoC: dpcm: do not merge format from invalid codec dai (bnc#1012382).
- ASoC: dpcm: fix BE dai not hw_free and shutdown (bnc#1012382).
- ASoC: pxa: Fix module autoload for platform drivers (bnc#1012382).
- ASoC: sirf: Fix potential NULL pointer dereference (bnc#1012382).
- Add reference to bsc#1091171 (bnc#1012382; bsc#1091171).
- Bluetooth: avoid killing an already killed socket (bnc#1012382).
- Bluetooth: btusb: Add a new Realtek 8723DE ID 2ff8:b011 (bnc#1012382).
- Bluetooth: btusb: Remove Yoga 920 from the btusb_needs_reset_resume_table (bsc#1087092).
- Bluetooth: btusb: Use DMI matching for QCA reset_resume quirking (bsc#1087092).
- Bluetooth: hci_qca: Fix 'Sleep inside atomic section' warning (bnc#1012382).
- Documentation/spec_ctrl: Do some minor cleanups (bnc#1012382).
- HID: hid-plantronics: Re-resend Update to map button for PTT products (bnc#1012382).
- HID: i2c-hid: check if device is there before really probing (bnc#1012382).
- HID: wacom: Correct touch maximum XY of 2nd-gen Intuos (bnc#1012382).
- IB/core: Make testing MR flags for writability a static inline function (bnc#1012382).
- IB/core: Remove duplicate declaration of gid_cache_wq (bsc#1056596).
- IB/iser: Do not reduce max_sectors (bsc#1063646).
- IB/mlx4: Fix an error handling path in 'mlx4_ib_rereg_user_mr()'.
- IB/mlx4: Mark user MR as writable if actual virtual memory is writable (bnc#1012382).
- IB/mlx5: Fetch soft WQE's on fatal error state (bsc#1015342 bsc#1015343).
- IB/mlx5: Use 'kvfree()' for memory allocated by 'kvzalloc()' (bsc#1015342 bsc#1015343).
- IB/ocrdma: fix out of bounds access to local buffer (bnc#1012382).
- Input: elan_i2c - add ACPI ID for lenovo ideapad 330 (bnc#1012382).
- Input: elan_i2c - add another ACPI ID for Lenovo Ideapad 330-15AST (bnc#1012382).
- Input: i8042 - add Lenovo LaVie Z to the i8042 reset list (bnc#1012382).
- KVM/Eventfd: Avoid crash when assign and deassign specific eventfd in parallel (bnc#1012382).
- KVM: MMU: always terminate page walks at level 1 (bsc#1062604).
- KVM: MMU: simplify last_pte_bitmap (bsc#1062604).
- KVM: VMX: Work around kABI breakage in 'enum vmx_l1d_flush_state' (bsc#1106369).
- KVM: VMX: fixes for vmentry_l1d_flush module parameter (bsc#1106369).
- KVM: arm/arm64: Skip updating PMD entry if no change (bnc#1012382).
- KVM: arm/arm64: Skip updating PTE entry if no change (bnc#1012382).
- KVM: irqfd: fix race between EPOLLHUP and irq_bypass_register_consumer (bnc#1012382).
- KVM: nVMX: update last_nonleaf_level when initializing nested EPT (bsc#1062604).
- MIPS: Correct the 64-bit DSP accumulator register size (bnc#1012382).
- MIPS: Fix off-by-one in pci_resource_to_user() (bnc#1012382).
- MIPS: ath79: fix register address in ath79_ddr_wb_flush() (bnc#1012382).
- MIPS: lib: Provide MIPS64r6 __multi3() for GCC < 7 (bnc#1012382).
- NET: stmmac: align DMA stuff to largest cache line length (bnc#1012382).
- PCI: Prevent sysfs disable of device while driver is attached (bnc#1012382).
- PCI: Skip MPS logic for Virtual Functions (VFs) (bnc#1012382).
- PCI: hotplug: Do not leak pci_slot on registration failure (bnc#1012382).
- PCI: pciehp: Fix use-after-free on unplug (bnc#1012382).
- PCI: pciehp: Request control of native hotplug only if supported (bnc#1012382).
- PM / sleep: wakeup: Fix build error caused by missing SRCU support (bnc#1012382).
- RDMA/i40iw: Avoid panic when objects are being created and destroyed (bsc#969476 bsc#969477).
- RDMA/i40iw: Avoid panic when reading back the IRQ affinity hint (bsc#969476 bsc#969477).
- RDMA/i40iw: Avoid reference leaks when processing the AEQ (bsc#969476 bsc#969477).
- RDMA/i40w: Hold read semaphore while looking after VMA (bsc#1024376).
- RDMA/mad: Convert BUG_ONs to error flows (bnc#1012382).
- RDMA/mlx5: Use proper spec flow label type (bsc#1015342 bsc#1015343).
- Revert 'MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum' (bnc#1012382).
- Revert 'UBIFS: Fix potential integer overflow in allocation' (bnc#1012382).
- Revert 'f2fs: handle dirty segments inside refresh_sit_entry' (bsc#1106281).
- Revert 'mm: page_alloc: skip over regions of invalid pfns where possible' (bnc#1107078).
- Revert 'net: Do not copy pfmemalloc flag in __copy_skb_header()' (kabi).
- Revert 'netfilter: ipv6: nf_defrag: reduce struct net memory waste' (kabi).
- Revert 'skbuff: Unconditionally copy pfmemalloc in __skb_clone()' (kabi).
- Revert 'vsock: split dwork to avoid reinitializations' (kabi).
- Revert 'x86/mm: Give each mm TLB flush generation a unique ID' (kabi).
- Revert 'x86/speculation/l1tf: Fix up CPU feature flags' (kabi).
- Revert 'x86/speculation: Use Indirect Branch Prediction Barrier in context switch' (kabi).
- Smack: Mark inode instant in smack_task_to_inode (bnc#1012382).
- USB: musb: fix external abort on suspend (bsc#1085536).
- USB: option: add support for DW5821e (bnc#1012382).
- USB: serial: metro-usb: stop I/O after failed open (bsc#1085539).
- USB: serial: sierra: fix potential deadlock at close (bnc#1012382).
- Workaround kABI breakage by __must_check drop of strscpy() (bsc#1107319).
- afs: Fix directory permissions check (bsc#1106283).
- arc: fix build errors in arc/include/asm/delay.h (bnc#1012382).
- arc: fix type warnings in arc/mm/cache.c (bnc#1012382).
- arm64: make secondary_start_kernel() notrace (bnc#1012382).
- arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid() (bnc#1012382).
- ath: Add regulatory mapping for APL13_WORLD (bnc#1012382).
- ath: Add regulatory mapping for APL2_FCCA (bnc#1012382).
- ath: Add regulatory mapping for Bahamas (bnc#1012382).
- ath: Add regulatory mapping for Bermuda (bnc#1012382).
- ath: Add regulatory mapping for ETSI8_WORLD (bnc#1012382).
- ath: Add regulatory mapping for FCC3_ETSIC (bnc#1012382).
- ath: Add regulatory mapping for Serbia (bnc#1012382).
- ath: Add regulatory mapping for Tanzania (bnc#1012382).
- ath: Add regulatory mapping for Uganda (bnc#1012382).
- atl1c: reserve min skb headroom (bnc#1012382).
- atm: Preserve value of skb->truesize when accounting to vcc (bsc#1089066).
- audit: allow not equal op for audit by executable (bnc#1012382).
- backlight: as3711_bl: Fix Device Tree node leaks (bsc#1106929).
- backlight: lm3630a: Bump REG_MAX value to 0x50 instead of 0x1F (bsc#1106929).
- bcache: avoid unncessary cache prefetch bch_btree_node_get() (bsc#1064232).
- bcache: calculate the number of incremental GC nodes according to the total of btree nodes (bsc#1064232).
- bcache: display rate debug parameters to 0 when writeback is not running (bsc#1064232).
- bcache: do not check return value of debugfs_create_dir() (bsc#1064232).
- bcache: finish incremental GC (bsc#1064232).
- bcache: fix I/O significant decline while backend devices registering (bsc#1064232).
- bcache: fix error setting writeback_rate through sysfs interface (bsc#1064232).
- bcache: free heap cache_set->flush_btree in bch_journal_free (bsc#1064232).
- bcache: make the pr_err statement used for ENOENT only in sysfs_attatch section (bsc#1064232).
- bcache: release dc->writeback_lock properly in bch_writeback_thread() (bsc#1064232).
- bcache: set max writeback rate when I/O request is idle (bsc#1064232).
- bcache: simplify the calculation of the total amount of flash dirty data (bsc#1064232).
- be2net: remove unused old custom busy-poll fields (bsc#1021121 ).
- blkdev: __blkdev_direct_IO_simple: fix leak in error case (bsc#1083663).
- block: bio_iov_iter_get_pages: fix size of last iovec (bsc#1083663).
- block: bio_iov_iter_get_pages: pin more pages for multi-segment IOs (bsc#1083663).
- block: do not use interruptible wait anywhere (bnc#1012382).
- bnx2x: Fix invalid memory access in rss hash config path (bnc#1012382).
- bnx2x: Fix receiving tx-timeout in error or recovery state (bnc#1012382).
- bnxt_en: Always set output parameters in bnxt_get_max_rings() (bsc#963575).
- bnxt_en: Fix for system hang if request_irq fails (bnc#1012382).
- bnxt_en: Fix inconsistent BNXT_FLAG_AGG_RINGS logic (bsc#1020412 ).
- bpf: fix references to free_bpf_prog_info() in comments (bnc#1012382).
- brcmfmac: Add support for bcm43364 wireless chipset (bnc#1012382).
- brcmfmac: stop watchdog before detach and free everything (bnc#1012382).
- bridge: Propagate vlan add failure to user (bnc#1012382).
- btrfs: Do not remove block group still has pinned down bytes (bsc#1086457).
- btrfs: add barriers to btrfs_sync_log before log_commit_wait wakeups (bnc#1012382).
- btrfs: do not leak ret from do_chunk_alloc (bnc#1012382).
- btrfs: qgroup: Finish rescan when hit the last leaf of extent tree (bnc#1012382).
- btrfs: quota: Set rescan progress to (u64)-1 if we hit last leaf.
- btrfs: round down size diff when shrinking/growing device (bsc#1097105).
- can: ems_usb: Fix memory leak on ems_usb_disconnect() (bnc#1012382).
- can: mpc5xxx_can: check of_iomap return before use (bnc#1012382).
- can: xilinx_can: fix RX loop if RXNEMP is asserted without RXOK (bnc#1012382).
- can: xilinx_can: fix RX overflow interrupt not being enabled (bnc#1012382).
- can: xilinx_can: fix device dropping off bus on RX overrun (bnc#1012382).
- can: xilinx_can: fix incorrect clear of non-processed interrupts (bnc#1012382).
- can: xilinx_can: fix recovery from error states not being propagated (bnc#1012382).
- can: xilinx_can: keep only 1-2 frames in TX FIFO to fix TX accounting (bnc#1012382).
- cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status (bnc#1012382).
- ceph: fix incorrect use of strncpy (bsc#1107319).
- ceph: return errors from posix_acl_equiv_mode() correctly (bsc#1107320).
- cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf() (bsc#1012382).
- cifs: add missing debug entries for kconfig options (bnc#1012382).
- cifs: check kmalloc before use (bsc#1012382).
- cifs: store the leaseKey in the fid on SMB2_open (bsc#1012382).
- clk: tegra: Fix PLL_U post divider and initial rate on Tegra30 (bnc#1012382).
- crypto: ablkcipher - fix crash flushing dcache in error path (bnc#1012382).
- crypto: authenc - do not leak pointers to authenc keys (bnc#1012382).
- crypto: authencesn - do not leak pointers to authenc keys (bnc#1012382).
- crypto: blkcipher - fix crash flushing dcache in error path (bnc#1012382).
- crypto: padlock-aes - Fix Nano workaround data corruption (bnc#1012382).
- crypto: vmac - require a block cipher with 128-bit block size (bnc#1012382).
- crypto: vmac - separate tfm and request context (bnc#1012382).
- crypto: vmx - Fix sleep-in-atomic bugs (bsc#1048317).
- cxgb4: when disabling dcb set txq dcb priority to 0 (bnc#1012382).
- cxl: Fix wrong comparison in cxl_adapter_context_get() (bsc#1055014).
- dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart() (bnc#1012382).
- disable loading f2fs module on PAGE_SIZE > 4KB (bnc#1012382).
- dm cache metadata: save in-core policy_hint_size to on-disk superblock (bnc#1012382).
- dma-iommu: Fix compilation when !CONFIG_IOMMU_DMA (bnc#1012382).
- dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate() (bnc#1012382).
- dmaengine: pxa_dma: remove duplicate const qualifier (bnc#1012382).
- driver core: Partially revert 'driver core: correct device's shutdown order' (bnc#1012382).
- drivers: net: lmc: fix case value for target abort error (bnc#1012382).
- drm/armada: fix colorkey mode property (bnc#1012382).
- drm/atmel-hlcdc: check stride values in the first plane (bsc#1106929).
- drm/atomic: Handling the case when setting old crtc for plane (bnc#1012382).
- drm/bridge: adv7511: Reset registers on hotplug (bnc#1012382).
- drm/cirrus: Use drm_framebuffer_put to avoid kernel oops in clean-up (bsc#1101822).
- drm/drivers: add support for using the arch wc mapping API.
- drm/exynos/dsi: mask frame-done interrupt (bsc#1106929).
- drm/exynos: decon5433: Fix WINCONx reset value (bnc#1012382).
- drm/exynos: decon5433: Fix per-plane global alpha for XRGB modes (bnc#1012382).
- drm/exynos: gsc: Fix support for NV16/61, YUV420/YVU420 and YUV422 modes (bnc#1012382).
- drm/gma500: fix psb_intel_lvds_mode_valid()'s return type (bnc#1012382).
- drm/i915/userptr: reject zero user_size (bsc#1090888).
- drm/i915: Correctly handle limited range YCbCr data on VLV/CHV (bsc#1087092).
- drm/imx: fix typo in ipu_plane_formats (bsc#1106929).
- drm/imx: imx-ldb: check if channel is enabled before printing warning (bnc#1012382).
- drm/imx: imx-ldb: disable LDB on driver bind (bnc#1012382).
- drm/msm/hdmi: Use bitwise operators when building register values (bsc#1106929).
- drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply() (bnc#1012382).
- drm/panel: type promotion bug in s6e8aa0_read_mtp_id() (bsc#1105769).
- drm/radeon: fix mode_valid's return type (bnc#1012382).
- drm: Add DP PSR2 sink enable bit (bnc#1012382).
- drm: Reject getfb for multi-plane framebuffers (bsc#1106929).
- enic: do not call enic_change_mtu in enic_probe.
- enic: handle mtu change for vf properly (bnc#1012382).
- enic: initialize enic->rfs_h.lock in enic_probe (bnc#1012382).
- ext4: check for NUL characters in extended attribute's name (bnc#1012382).
- ext4: check for allocation block validity with block group locked (bsc#1104495).
- ext4: do not update s_last_mounted of a frozen fs (bsc#1101841).
- ext4: factor out helper ext4_sample_last_mounted() (bsc#1101841).
- ext4: fix check to prevent initializing reserved inodes (bsc#1104319).
- ext4: fix false negatives *and* false positives in ext4_check_descriptors() (bsc#1103445).
- ext4: fix inline data updates with checksums enabled (bsc#1104494).
- ext4: fix spectre gadget in ext4_mb_regular_allocator() (bnc#1012382).
- ext4: reset error code in ext4_find_entry in fallback (bnc#1012382).
- ext4: sysfs: print ext4_super_block fields as little-endian (bsc#1106229).
- f2fs: fix to do not trigger writeback during recovery (bnc#1012382).
- fat: fix memory allocation failure handling of match_strdup() (bnc#1012382).
- fb: fix lost console when the user unplugs a USB adapter (bnc#1012382).
- fbdev: omapfb: off by one in omapfb_register_client() (bsc#1106929).
- fix __legitimize_mnt()/mntput() race (bnc#1012382).
- fix mntput/mntput race (bnc#1012382).
- fork: unconditionally clear stack on fork (bnc#1012382).
- fs/9p/xattr.c: catch the error of p9_client_clunk when setting xattr failed (bnc#1012382).
- fs/dax.c: fix inefficiency in dax_writeback_mapping_range() (bsc#1106185).
- fs/quota: Fix spectre gadget in do_quotactl (bnc#1012382).
- fs: aio: fix the increment of aio-nr and counting against aio-max-nr (bsc#1068075, bsc#1078921).
- fuse: Add missed unlock_page() to fuse_readpages_fill() (bnc#1012382).
- fuse: Do not access pipe->buffers without pipe_lock() (bnc#1012382).
- fuse: Fix oops at process_init_reply() (bnc#1012382).
- fuse: fix double request_end() (bnc#1012382).
- fuse: fix unlocked access to processing queue (bnc#1012382).
- fuse: umount should wait for all requests (bnc#1012382).
- genirq/proc: Return proper error code when irq_set_affinity() fails (bnc#1105392).
- getxattr: use correct xattr length (bnc#1012382).
- hfsplus: Do not clear SGID when inheriting ACLs (bsc#1030552).
- hvc_opal: do not set tb_ticks_per_usec in udbg_init_opal_common() (bnc#1012382).
- hwrng: exynos - Disable runtime PM on driver unbind.
- i2c: davinci: Avoid zero value of CLKH (bnc#1012382).
- i2c: imx: Fix race condition in dma read (bnc#1012382).
- i2c: imx: Fix reinit_completion() use (bnc#1012382).
- i2c: ismt: fix wrong device address when unmap the data buffer (bnc#1012382).
- i40e: use cpumask_copy instead of direct assignment (bsc#1053685).
- i40iw: Fix memory leak in error path of create QP (bsc#969476 bsc#969477).
- i40iw: Use correct address in dst_neigh_lookup for IPv6 (bsc#969476 bsc#969477).
- ibmvnic: Include missing return code checks in reset function (bnc#1107966).
- ieee802154: at86rf230: switch from BUG_ON() to WARN_ON() on problem (bnc#1012382).
- ieee802154: at86rf230: use __func__ macro for debug messages (bnc#1012382).
- ieee802154: fakelb: switch from BUG_ON() to WARN_ON() on problem (bnc#1012382).
- igb: Fix not adding filter elements to the list (bsc#1024361 bsc#1024365).
- iio: ad9523: Fix displayed phase (bnc#1012382).
- iio: ad9523: Fix return value for ad952x_store() (bnc#1012382).
- inet: frag: enforce memory limits earlier (bnc#1012382 bsc#970506).
- iommu/amd: make sure TLB to be flushed before IOVA freed (bsc#1106105).
- iommu/vt-d: Add definitions for PFSID (bnc#1012382).
- iommu/vt-d: Fix dev iotlb pfsid use (bnc#1012382).
- iommu/vt-d: Ratelimit each dmar fault printing (bsc#1106105).
- ioremap: Update pgtable free interfaces with addr (bnc#1012382).
- ip: hash fragments consistently (bnc#1012382).
- ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull (bnc#1012382).
- ipconfig: Correctly initialise ic_nameservers (bnc#1012382).
- ipv4+ipv6: Make INET*_ESP select CRYPTO_ECHAINIV (bnc#1012382).
- ipv4: Return EINVAL when ping_group_range sysctl does not map to user ns (bnc#1012382).
- ipv4: remove BUG_ON() from fib_compute_spec_dst (bnc#1012382).
- ipv6: fix useless rol32 call on hash (bnc#1012382).
- ipv6: mcast: fix unsolicited report interval after receiving querys (bnc#1012382).
- ipvlan: use ETH_MAX_MTU as max mtu (bsc#1033962).
- iscsi target: fix session creation failure handling (bnc#1012382).
- isdn: Disable IIOCDBGVAR (bnc#1012382).
- iw_cxgb4: remove duplicate memcpy() in c4iw_create_listen() (bsc#969476 bsc#969477).
- iwlwifi: pcie: fix race in Rx buffer allocator (bnc#1012382).
- ixgbe: Be more careful when modifying MAC filters (bnc#1012382).
- jfs: Do not clear SGID when inheriting ACLs (bsc#1030552).
- jump_label: Add RELEASE barrier after text changes (bsc#1105271).
- jump_label: Fix concurrent static_key_enable/disable() (bsc#1105271).
- jump_label: Move CPU hotplug locking (bsc#1105271).
- jump_label: Provide hotplug context variants (bsc#1105271).
- jump_label: Reduce the size of struct static_key (bsc#1105271).
- jump_label: Reorder hotplug lock and jump_label_lock (bsc#1105271).
- jump_label: Split out code under the hotplug lock (bsc#1105271).
- jump_label: remove bug.h, atomic.h dependencies for HAVE_JUMP_LABEL (bsc#1105271).
- kABI: protect enum tcp_ca_event (kabi).
- kABI: reexport tcp_send_ack (kabi).
- kabi/severities: Ignore missing cpu_tss_tramp (bsc#1099597)
- kabi: x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536).
- kasan: do not emit builtin calls when sanitization is off (bnc#1012382).
- kasan: fix shadow_size calculation error in kasan_module_alloc (bnc#1012382).
- kbuild: verify that $DEPMOD is installed (bnc#1012382).
- kernel: improve spectre mitigation (bnc#1106934, LTC#171029).
- kprobes/x86: Fix %p uses in error messages (bnc#1012382).
- kprobes: Make list and blacklist root user read only (bnc#1012382).
- kthread, tracing: Do not expose half-written comm when creating kthreads (bsc#1104897).
- kvm: x86: vmx: fix vpid leak (bnc#1012382).
- l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache (bnc#1012382).
- lib/rhashtable: consider param->min_size when setting initial table size (bnc#1012382).
- libata: Fix command retry decision (bnc#1012382).
- libceph: check authorizer reply/challenge length before reading (bsc#1096748).
- libceph: factor out __ceph_x_decrypt() (bsc#1096748).
- libceph: factor out __prepare_write_connect() (bsc#1096748).
- libceph: factor out encrypt_authorizer() (bsc#1096748).
- libceph: store ceph_auth_handshake pointer in ceph_connection (bsc#1096748).
- libceph: weaken sizeof check in ceph_x_verify_authorizer_reply() (bsc#1096748).
- llc: use refcount_inc_not_zero() for llc_sap_find() (bnc#1012382).
- locking/lockdep: Do not record IRQ state within lockdep code (bnc#1012382).
- locks: pass inode pointer to locks_free_lock_context (bsc@1099832).
- locks: prink more detail when there are leaked locks (bsc#1099832).
- locks: restore a warn for leaked locks on close (bsc#1099832).
- m68k: fix 'bad page state' oops on ColdFire boot (bnc#1012382).
- mac80211: add stations tied to AP_VLANs during hw reconfig (bnc#1012382).
- md/raid10: fix that replacement cannot complete recovery after reassemble (bnc#1012382).
- md: fix NULL dereference of mddev->pers in remove_and_add_spares() (bnc#1012382).
- media: omap3isp: fix unbalanced dma_iommu_mapping (bnc#1012382).
- media: rcar_jpu: Add missing clk_disable_unprepare() on error in jpu_open() (bnc#1012382).
- media: rtl28xxu: be sure that it won't go past the array size (bsc#1050431).
- media: s5p-jpeg: fix number of components macro (bsc#1050431).
- media: saa7164: Fix driver name in debug output (bnc#1012382).
- media: si470x: fix __be16 annotations (bnc#1012382).
- media: siano: get rid of __le32/__le16 cast warnings (bnc#1012382).
- media: staging: omap4iss: Include asm/cacheflush.h after generic includes (bnc#1012382).
- media: videobuf2-core: do not call memop 'finish' when queueing (bnc#1012382).
- memory: tegra: Apply interrupts mask per SoC (bnc#1012382).
- memory: tegra: Do not handle spurious interrupts (bnc#1012382).
- mfd: cros_ec: Fail early if we cannot identify the EC (bnc#1012382).
- microblaze: Fix simpleImage format generation (bnc#1012382).
- mm/hugetlb: filter out hugetlb pages if HUGEPAGE migration is not supported (bnc#1106697).
- mm/memory.c: check return value of ioremap_prot (bnc#1012382).
- mm/slub.c: add __printf verification to slab_err() (bnc#1012382).
- mm/tlb: Remove tlb_remove_table() non-concurrent condition (bnc#1012382).
- mm: Add vm_insert_pfn_prot() (bnc#1012382).
- mm: fix cache mode tracking in vm_insert_mixed() (bnc#1012382).
- mm: memcg: fix use after free in mem_cgroup_iter() (bnc#1012382).
- mm: vmalloc: avoid racy handling of debugobjects in vunmap (bnc#1012382).
- mm: x86: move _PAGE_SWP_SOFT_DIRTY from bit 7 to bit 1 (bnc#1012382).
- mtd: rawnand: fsl_ifc: fix FSL NAND driver to read all ONFI parameter pages (bnc#1012382).
- mtd: ubi: wl: Fix error return code in ubi_wl_init().
- mwifiex: correct histogram data with appropriate index (bnc#1012382).
- mwifiex: handle race during mwifiex_usb_disconnect (bnc#1012382).
- net/9p/client.c: version pointer uninitialized (bnc#1012382).
- net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree() (bnc#1012382).
- net/ethernet/freescale/fman: fix cross-build error (bnc#1012382).
- net/ipv4: Set oif in fib_compute_spec_dst (bnc#1012382).
- net/mlx4_core: Save the qpn from the input modifier in RST2INIT wrapper (bnc#1012382).
- net/mlx5: Add missing SET_DRIVER_VERSION command translation (bsc#1015342 bsc#1015343).
- net/mlx5: E-Switch, Include VF RDMA stats in vport statistics (bsc#966170 bsc#966172).
- net/mlx5: Eswitch, Use 'kvfree()' for memory allocated by 'kvzalloc()' (bsc#1015342 bsc#1015343).
- net/mlx5: Fix wrong size allocation for QoS ETC TC regitster (bsc#966170 bsc#966172).
- net/mlx5: Vport, Use 'kvfree()' for memory allocated by 'kvzalloc()' (bsc#966170 bsc#966172).
- net/mlx5e: Do not allow aRFS for encapsulated packets (bsc#1015342 bsc#1015343).
- net/mlx5e: Err if asked to offload TC match on frag being first (bsc#1015342 bsc#1015343).
- net/mlx5e: Fix quota counting in aRFS expire flow (bsc#1015342 bsc#1015343).
- net/mlx5e: Refine ets validation function (bsc#966170 bsc#966172).
- net: 6lowpan: fix reserved space for single frames (bnc#1012382).
- net: Do not copy pfmemalloc flag in __copy_skb_header() (bnc#1012382).
- net: add skb_condense() helper (bsc#1089066).
- net: adjust skb->truesize in ___pskb_trim() (bsc#1089066).
- net: adjust skb->truesize in pskb_expand_head() (bsc#1089066).
- net: axienet: Fix double deregister of mdio (bnc#1012382).
- net: caif: Add a missing rcu_read_unlock() in caif_flow_cb (bnc#1012382).
- net: davinci_emac: match the mdio device against its compatible if possible (bnc#1012382).
- net: dsa: Do not suspend/resume closed slave_dev (bnc#1012382).
- net: ena: Fix use of uninitialized DMA address bits field (bsc#1027968).
- net: fix amd-xgbe flow-control issue (bnc#1012382).
- net: hamradio: use eth_broadcast_addr (bnc#1012382).
- net: lan78xx: Fix misplaced tasklet_schedule() call (bnc#1012382).
- net: lan78xx: fix rx handling before first packet is send (bnc#1012382).
- net: mac802154: tx: expand tailroom if necessary (bnc#1012382).
- net: phy: fix flag masking in __set_phy_supported (bnc#1012382).
- net: prevent ISA drivers from building on PPC32 (bnc#1012382).
- net: propagate dev_get_valid_name return code (bnc#1012382).
- net: qca_spi: Avoid packet drop during initial sync (bnc#1012382).
- net: qca_spi: Fix log level if probe fails (bnc#1012382).
- net: qca_spi: Make sure the QCA7000 reset is triggered (bnc#1012382).
- net: socket: fix potential spectre v1 gadget in socketcall (bnc#1012382).
- net: usb: rtl8150: demote allmulti message to dev_dbg() (bnc#1012382).
- net: vmxnet3: use new api ethtool_{get|set}_link_ksettings (bsc#1091860 bsc#1098253).
- net_sched: Fix missing res info when create new tc_index filter (bnc#1012382).
- net_sched: fix NULL pointer dereference when delete tcindex filter (bnc#1012382).
- netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state (bnc#1012382).
- netfilter: ipset: List timing out entries with 'timeout 1' instead of zero (bnc#1012382).
- netfilter: ipv6: nf_defrag: reduce struct net memory waste (bnc#1012382).
- netfilter: ipvs: do not create conn for ABORT packet in sctp_conn_schedule (bsc#1102797).
- netfilter: ipvs: fix the issue that sctp_conn_schedule drops non-INIT packet (bsc#1102797).
- netfilter: x_tables: set module owner for icmp(6) matches (bnc#1012382).
- netlink: Do not shift on 64 for ngroups (bnc#1012382).
- netlink: Do not shift with UB on nlk->ngroups (bnc#1012382).
- netlink: Do not subscribe to non-existent groups (bnc#1012382).
- netlink: Fix spectre v1 gadget in netlink_create() (bnc#1012382).
- netlink: do not enter direct reclaim from netlink_trim() (bsc#1042286).
- nfsd: fix potential use-after-free in nfsd4_decode_getdeviceinfo (bnc#1012382).
- nl80211: Add a missing break in parse_station_flags (bnc#1012382).
- nohz: Fix local_timer_softirq_pending() (bnc#1012382).
- nvme-fc: release io queues to allow fast fail (bsc#1102486).
- nvme: if_ready checks to fail io to deleting controller (bsc#1102486).
- nvme: kABI-compliant version of nvmf_fail_nonready_command() (bsc#1102486).
- nvmet-fc: fix target sgl list on large transfers (bsc#1102486).
- osf_getdomainname(): use copy_to_user() (bnc#1012382).
- ovl: Do d_type check only if work dir creation was successful (bnc#1012382).
- ovl: Ensure upper filesystem supports d_type (bnc#1012382).
- ovl: warn instead of error if d_type is not supported (bnc#1012382).
- packet: refine ring v3 block size test to hold one frame (bnc#1012382).
- packet: reset network header if packet shorter than ll reserved space (bnc#1012382).
- parisc: Define mb() and add memory barriers to assembler unlock sequences (bnc#1012382).
- parisc: Enable CONFIG_MLONGCALLS by default (bnc#1012382).
- parisc: Remove ordered stores from syscall.S (bnc#1012382).
- parisc: Remove unnecessary barriers from spinlock.h (bnc#1012382).
- perf auxtrace: Fix queue resize (bnc#1012382).
- perf llvm-utils: Remove bashism from kernel include fetch script (bnc#1012382).
- perf report powerpc: Fix crash if callchain is empty (bnc#1012382).
- perf test session topology: Fix test on s390 (bnc#1012382).
- perf/x86/intel/uncore: Correct fixed counter index check for NHM (bnc#1012382).
- perf/x86/intel/uncore: Correct fixed counter index check in generic code (bnc#1012382).
- perf: fix invalid bit in diagnostic entry (bnc#1012382).
- pinctrl: at91-pio4: add missing of_node_put (bnc#1012382).
- pinctrl: freescale: off by one in imx1_pinconf_group_dbg_show() (bnc#1012382).
- pnfs/blocklayout: off by one in bl_map_stripe() (bnc#1012382).
- powerpc/32: Add a missing include header (bnc#1012382).
- powerpc/64s: Default l1d_size to 64K in RFI fallback flush (bsc#1068032).
- powerpc/64s: Fix compiler store ordering to SLB shadow area (bnc#1012382).
- powerpc/8xx: fix invalid register expression in head_8xx.S (bnc#1012382).
- powerpc/chrp/time: Make some functions static, add missing header include (bnc#1012382).
- powerpc/embedded6xx/hlwd-pic: Prevent interrupts from being handled by Starlet (bnc#1012382).
- powerpc/fadump: handle crash memory ranges array index overflow (bsc#1103269).
- powerpc/fadump: merge adjacent memory ranges to reduce PT_LOAD segements (bsc#1103269).
- powerpc/lib: Fix the feature fixup tests to actually work (bsc#1066223).
- powerpc/powermac: Add missing prototype for note_bootable_part() (bnc#1012382).
- powerpc/powermac: Mark variable x as unused (bnc#1012382).
- powerpc/pseries: Fix endianness while restoring of r3 in MCE handler (bnc#1012382).
- powerpc/topology: Get topology for shared processors at boot (bsc#1104683).
- powerpc64s: Show ori31 availability in spectre_v1 sysfs file not v2 (bsc#1068032, bsc#1080157).
- powerpc: Avoid code patching freed init sections (bnc#1107735).
- powerpc: make feature-fixup tests fortify-safe (bsc#1066223).
- provide special timeout module parameters for EC2 (bsc#1065364).
- ptp: fix missing break in switch (bnc#1012382).
- pwm: tiehrpwm: Fix disabling of output of PWMs (bnc#1012382).
- qed: Add sanity check for SIMD fastpath handler (bnc#1012382).
- qed: Correct Multicast API to reflect existence of 256 approximate buckets (bsc#1019695 bsc#1019699 bsc#1022604).
- qed: Do not advertise DCBX_LLD_MANAGED capability (bsc#1019695 bsc#1019699 bsc#1022604).
- qed: Fix possible memory leak in Rx error path handling (bsc#1019695 bsc#1019699 bsc#1022604 ).
- qed: Fix possible race for the link state value (bnc#1012382).
- qed: Fix setting of incorrect eswitch mode (bsc#1019695 bsc#1019699 bsc#1022604).
- qed: Fix use of incorrect size in memcpy call (bsc#1019695 bsc#1019699 bsc#1022604).
- qede: Adverstise software timestamp caps when PHC is not available (bsc#1019695 bsc#1019699 bsc#1022604).
- qlge: Fix netdev features configuration (bsc#1098822).
- qlogic: check kstrtoul() for errors (bnc#1012382).
- random: mix rdrand with entropy sent in from userspace (bnc#1012382).
- readahead: stricter check for bdi io_pages (VM Functionality).
- regulator: pfuze100: add .is_enable() for pfuze100_swb_regulator_ops (bnc#1012382).
- reiserfs: fix broken xattr handling (heap corruption, bad retval) (bnc#1012382).
- ring_buffer: tracing: Inherit the tracing setting to next ring buffer (bnc#1012382).
- root dentries need RCU-delayed freeing (bnc#1012382).
- rsi: Fix 'invalid vdd' warning in mmc (bnc#1012382).
- rtc: ensure rtc_set_alarm fails when alarms are not supported (bnc#1012382).
- rtnetlink: add rtnl_link_state check in rtnl_configure_link (bnc#1012382).
- s390/cpum_sf: Add data entry sizes to sampling trailer entry (bnc#1012382).
- s390/kvm: fix deadlock when killed by oom (bnc#1012382).
- s390/lib: use expoline for all bcr instructions (bnc#1106934, LTC#171029).
- s390/pci: fix out of bounds access during irq setup (bnc#1012382).
- s390/qdio: reset old sbal_state flags (bnc#1012382).
- s390/qeth: do not clobber buffer on async TX completion (bnc#1104485, LTC#170349).
- s390/qeth: fix race when setting MAC address (bnc#1104485, LTC#170726).
- s390: add explicit <linux/stringify.h> for jump label (bsc#1105271).
- s390: detect etoken facility (bnc#1106934, LTC#171029).
- s390: fix br_r1_trampoline for machines without exrl (bnc#1012382 bnc#1106934 LTC#171029).
- sched/fair: Avoid divide by zero when rebalancing domains (bsc#1096254).
- scsi: 3w-9xxx: fix a missing-check bug (bnc#1012382).
- scsi: 3w-xxxx: fix a missing-check bug (bnc#1012382).
- scsi: core: Avoid that SCSI device removal through sysfs triggers a deadlock (bnc#1012382).
- scsi: fcoe: drop frames in ELS LOGO error path (bnc#1012382).
- scsi: hpsa: limit transfer length to 1MB, not 512kB (bsc#1102346).
- scsi: libiscsi: fix possible NULL pointer dereference in case of TMF (bnc#1012382).
- scsi: megaraid: silence a static checker bug (bnc#1012382).
- scsi: megaraid_sas: Increase timeout by 1 sec for non-RAID fastpath IOs (bnc#1012382).
- scsi: qla2xxx: Fix ISP recovery on unload (bnc#1012382).
- scsi: qla2xxx: Return error when TMF returns (bnc#1012382).
- scsi: scsi_dh: replace too broad 'TP9' string with the exact models (bnc#1012382).
- scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management enabled (bnc#1012382).
- scsi: sysfs: Introduce sysfs_{un,}break_active_protection() (bnc#1012382).
- scsi: ufs: fix exception event handling (bnc#1012382).
- scsi: vmw_pvscsi: Return DID_RESET for status SAM_STAT_COMMAND_TERMINATED (bnc#1012382).
- scsi: xen-scsifront: add error handling for xenbus_printf (bnc#1012382).
- scsi_debug: call resp_XXX function after setting host_scribble (bsc#1069138).
- scsi_debug: reset injection flags for every_nth > 0 (bsc#1069138).
- selftest/seccomp: Fix the flag name SECCOMP_FILTER_FLAG_TSYNC (bnc#1012382).
- selftest/seccomp: Fix the seccomp(2) signature (bnc#1012382).
- selftests/ftrace: Add snapshot and tracing_on test case (bnc#1012382).
- selftests/x86/sigreturn/64: Fix spurious failures on AMD CPUs (bnc#1012382).
- selftests: pstore: return Kselftest Skip code for skipped tests (bnc#1012382).
- selftests: static_keys: return Kselftest Skip code for skipped tests (bnc#1012382).
- selftests: sync: add config fragment for testing sync framework (bnc#1012382).
- selftests: user: return Kselftest Skip code for skipped tests (bnc#1012382).
- selftests: zram: return Kselftest Skip code for skipped tests (bnc#1012382).
- serial: 8250_dw: always set baud rate in dw8250_set_termios (bnc#1012382).
- sfc: stop the TX queue before pushing new buffers (bsc#1017967 ).
- skbuff: Unconditionally copy pfmemalloc in __skb_clone() (bnc#1012382).
- slab: __GFP_ZERO is incompatible with a constructor (bnc#1107060).
- smb3: Do not send SMB3 SET_INFO if nothing changed (bnc#1012382).
- smb3: do not request leases in symlink creation and query (bnc#1012382).
- spi: davinci: fix a NULL pointer dereference (bnc#1012382).
- squashfs: be more careful about metadata corruption (bnc#1012382).
- squashfs: more metadata hardening (bnc#1012382).
- squashfs: more metadata hardenings (bnc#1012382).
- staging: android: ion: check for kref overflow (bnc#1012382).
- string: drop __must_check from strscpy() and restore strscpy() usages in cgroup (bsc#1107319).
- sys: do not hold uts_sem while accessing userspace memory (bnc#1106995).
- target_core_rbd: use RCU in free_device (bsc#1105524).
- tcp: Fix missing range_truesize enlargement in the backport (bnc#1012382).
- tcp: add max_quickacks param to tcp_incr_quickack and tcp_enter_quickack_mode (bnc#1012382).
- tcp: add one more quick ack after after ECN events (bnc#1012382).
- tcp: do not aggressively quick ack after ECN events (bnc#1012382).
- tcp: do not cancel delay-AcK on DCTCP special ACK (bnc#1012382).
- tcp: do not delay ACK in DCTCP upon CE status change (bnc#1012382).
- tcp: do not force quickack when receiving out-of-order packets (bnc#1012382).
- tcp: fix dctcp delayed ACK schedule (bnc#1012382).
- tcp: helpers to send special DCTCP ack (bnc#1012382).
- tcp: identify cryptic messages as TCP seq # bugs (bnc#1012382).
- tcp: refactor tcp_ecn_check_ce to remove sk type cast (bnc#1012382).
- tcp: remove DELAYED ACK events in DCTCP (bnc#1012382).
- tg3: Add higher cpu clock for 5762 (bnc#1012382).
- thermal: exynos: fix setting rising_threshold for Exynos5433 (bnc#1012382).
- timekeeping: Eliminate the stale declaration of ktime_get_raw_and_real_ts64() (bsc#969470).
- tools/power turbostat: Read extended processor family from CPUID (bnc#1012382).
- tools/power turbostat: fix -S on UP systems (bnc#1012382).
- tools: usb: ffs-test: Fix build on big endian systems (bnc#1012382).
- tpm: fix race condition in tpm_common_write() (bnc#1012382).
- tracing/blktrace: Fix to allow setting same value (bnc#1012382).
- tracing/kprobes: Fix trace_probe flags on enable_trace_kprobe() failure (bnc#1012382).
- tracing: Do not call start/stop() functions when tracing_on does not change (bnc#1012382).
- tracing: Fix double free of event_trigger_data (bnc#1012382).
- tracing: Fix possible double free in event_enable_trigger_func() (bnc#1012382).
- tracing: Quiet gcc warning about maybe unused link variable (bnc#1012382).
- tracing: Use __printf markup to silence compiler (bnc#1012382).
- tty: Fix data race in tty_insert_flip_string_fixed_flag (bnc#1012382).
- turn off -Wattribute-alias (bnc#1012382).
- ubi: Be more paranoid while seaching for the most recent Fastmap (bnc#1012382).
- ubi: Fix Fastmap's update_vol() (bnc#1012382).
- ubi: Fix races around ubi_refill_pools() (bnc#1012382).
- ubi: Introduce vol_ignored() (bnc#1012382).
- ubi: Rework Fastmap attach base code (bnc#1012382).
- ubi: fastmap: Erase outdated anchor PEBs during attach (bnc#1012382).
- ubifs: Check data node size before truncate (bsc#1106276).
- ubifs: Fix memory leak in lprobs self-check (bsc#1106278).
- ubifs: Fix synced_i_size calculation for xattr inodes (bsc#1106275).
- ubifs: xattr: Do not operate on deleted inodes (bsc#1106271).
- udl-kms: change down_interruptible to down (bnc#1012382).
- udl-kms: fix crash due to uninitialized memory (bnc#1012382).
- udl-kms: handle allocation failure (bnc#1012382).
- udlfb: set optimal write delay (bnc#1012382).
- uprobes: Use synchronize_rcu() not synchronize_sched() (bnc#1012382).
- usb/phy: fix PPC64 build errors in phy-fsl-usb.c (bnc#1012382).
- usb: audio-v2: Correct the comment for struct uac_clock_selector_descriptor (bsc#1099810).
- usb: cdc_acm: Add quirk for Castles VEGA3000 (bnc#1012382).
- usb: dwc2: debugfs: Do not touch RX FIFO during register dump (bsc#1100132).
- usb: dwc2: fix isoc split in transfer with no data (bnc#1012382).
- usb: gadget: composite: fix delayed_status race condition when set_interface (bnc#1012382).
- usb: gadget: dwc2: fix memory leak in gadget_init() (bnc#1012382).
- usb: gadget: f_fs: Only return delayed status when len is 0 (bnc#1012382).
- usb: gadget: f_uac2: fix endianness of 'struct cntrl_*_lay3' (bnc#1012382).
- usb: gadget: r8a66597: Fix a possible sleep-in-atomic-context bugs in r8a66597_queue() (bnc#1012382).
- usb: gadget: r8a66597: Fix two possible sleep-in-atomic-context bugs in init_controller() (bnc#1012382).
- usb: hub: Do not wait for connect state at resume for powered-off ports (bnc#1012382).
- usb: renesas_usbhs: gadget: fix spin_lock_init() for &uep->lock (bsc#1085536).
- usb: xhci: increase CRS timeout value (bnc#1012382).
- usbip: usbip_detach: Fix memory, udev context and udev leak (bnc#1012382).
- userns: move user access out of the mutex (bnc#1012382).
- vfs: add the sb_start_intwrite_trylock() helper (bsc#1101841).
- virtio_balloon: fix another race between migration and ballooning (bnc#1012382).
- virtio_console: fix uninitialized variable use.
- vmw_balloon: VMCI_DOORBELL_SET does not check status (bnc#1012382).
- vmw_balloon: do not use 2MB without batching (bnc#1012382).
- vmw_balloon: fix VMCI use when balloon built into kernel (bnc#1012382).
- vmw_balloon: fix inflation of 64-bit GFNs (bnc#1012382).
- vmxnet3: Replace msleep(1) with usleep_range() (bsc#1091860 bsc#1098253).
- vmxnet3: add receive data ring support (bsc#1091860 bsc#1098253).
- vmxnet3: add support for get_coalesce, set_coalesce ethtool operations (bsc#1091860 bsc#1098253).
- vmxnet3: allow variable length transmit data ring buffer (bsc#1091860 bsc#1098253).
- vmxnet3: avoid assumption about invalid dma_pa in vmxnet3_set_mc() (bsc#1091860 bsc#1098253).
- vmxnet3: avoid format strint overflow warning (bsc#1091860 bsc#1098253).
- vmxnet3: avoid xmit reset due to a race in vmxnet3 (bsc#1091860 bsc#1098253).
- vmxnet3: fix incorrect dereference when rxvlan is disabled (bsc#1091860 bsc#1098253).
- vmxnet3: fix non static symbol warning (bsc#1091860 bsc#1098253).
- vmxnet3: fix tx data ring copy for variable size (bsc#1091860 bsc#1098253).
- vmxnet3: increase default rx ring sizes (bsc#1091860 bsc#1098253).
- vmxnet3: introduce command to register memory region (bsc#1091860 bsc#1098253).
- vmxnet3: introduce generalized command interface to configure the device (bsc#1091860 bsc#1098253).
- vmxnet3: prepare for version 3 changes (bsc#1091860 bsc#1098253).
- vmxnet3: remove redundant initialization of pointer 'rq' (bsc#1091860 bsc#1098253).
- vmxnet3: remove unused flag 'rxcsum' from struct vmxnet3_adapter (bsc#1091860 bsc#1098253).
- vmxnet3: set the DMA mask before the first DMA map operation (bsc#1091860 bsc#1098253).
- vmxnet3: update to version 3 (bsc#1091860 bsc#1098253).
- vmxnet3: use DMA memory barriers where required (bsc#1091860 bsc#1098253).
- vmxnet3: use correct flag to indicate LRO feature (bsc#1091860 bsc#1098253).
- vsock: split dwork to avoid reinitializations (bnc#1012382).
- vti6: Fix dev->max_mtu setting (bsc#1033962).
- vti6: fix PMTU caching and reporting on xmit (bnc#1012382).
- wlcore: sdio: check for valid platform device data before suspend (bnc#1012382).
- x86/MCE: Remove min interval polling limitation (bnc#1012382).
- x86/amd: do not set X86_BUG_SYSRET_SS_ATTRS when running under Xen (bnc#1012382).
- x86/asm/entry/32: Simplify pushes of zeroed pt_regs->REGs (bnc#1012382).
- x86/bugs: Move the l1tf function and define pr_fmt properly (bnc#1012382).
- x86/bugs: Respect nospec command line option (bsc#1068032).
- x86/cpu/AMD: Fix erratum 1076 (CPB bit) (bnc#1012382).
- x86/cpu: Make alternative_msr_write work for 32-bit code (bnc#1012382).
- x86/cpu: Re-apply forced caps every time CPU caps are re-read (bnc#1012382).
- x86/cpufeature: preserve numbers (kabi).
- x86/cpufeatures: Add CPUID_7_EDX CPUID leaf (bnc#1012382).
- x86/cpufeatures: Clean up Spectre v2 related CPUID flags (bnc#1012382).
- x86/entry/64/compat: Clear registers for compat syscalls, to reduce speculation attack surface (bnc#1012382).
- x86/entry/64: Remove %ebx handling from error_entry/exit (bnc#1102715).
- x86/init: fix build with CONFIG_SWAP=n (bnc#1012382).
- x86/irqflags: Mark native_restore_fl extern inline (bnc#1012382).
- x86/irqflags: Provide a declaration for native_save_fl.
- x86/mm/kmmio: Make the tracer robust against L1TF (bnc#1012382).
- x86/mm/pat: Fix L1TF stable backport for CPA (bnc#1012382).
- x86/mm/pat: Fix L1TF stable backport for CPA, 2nd call (bnc#1012382).
- x86/mm/pat: Make set_memory_np() L1TF safe (bnc#1012382).
- x86/mm: Add TLB purge to free pmd/pte page interfaces (bnc#1012382).
- x86/mm: Disable ioremap free page handling on x86-PAE (bnc#1012382).
- x86/mm: Give each mm TLB flush generation a unique ID (bnc#1012382).
- x86/paravirt: Fix spectre-v2 mitigations for paravirt guests (bnc#1012382).
- x86/paravirt: Make native_save_fl() extern inline (bnc#1012382).
- x86/process: Correct and optimize TIF_BLOCKSTEP switch (bnc#1012382).
- x86/process: Optimize TIF checks in __switch_to_xtra() (bnc#1012382).
- x86/process: Optimize TIF_NOTSC switch (bnc#1012382).
- x86/process: Re-export start_thread() (bnc#1012382).
- x86/spectre: Add missing family 6 check to microcode check (bnc#1012382).
- x86/spectre_v2: Do not check microcode versions when running under hypervisors (bnc#1012382).
- x86/speculation/l1tf: Exempt zeroed PTEs from inversion (bnc#1012382).
- x86/speculation/l1tf: Extend 64bit swap file size limit (bnc#1012382).
- x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM (bnc#1105536).
- x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit (bnc#1012382).
- x86/speculation/l1tf: Fix up CPU feature flags (bnc#1012382).
- x86/speculation/l1tf: Fix up pte->pfn conversion for PAE (bnc#1012382).
- x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536).
- x86/speculation/l1tf: Invert all not present mappings (bnc#1012382).
- x86/speculation/l1tf: Make pmd/pud_mknotpresent() invert (bnc#1012382).
- x86/speculation/l1tf: Protect PAE swap entries against L1TF (bnc#1012382).
- x86/speculation/l1tf: Suggest what to do on systems with too much RAM (bnc#1105536).
- x86/speculation/l1tf: Unbreak !__HAVE_ARCH_PFN_MODIFY_ALLOWED architectures (bnc#1012382).
- x86/speculation: Add <asm/msr-index.h> dependency (bnc#1012382).
- x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support (bnc#1012382).
- x86/speculation: Clean up various Spectre related details (bnc#1012382).
- x86/speculation: Correct Speculation Control microcode blacklist again (bnc#1012382).
- x86/speculation: Move firmware_restrict_branch_speculation_*() from C to CPP (bnc#1012382).
- x86/speculation: Update Speculation Control microcode blacklist (bnc#1012382).
- x86/speculation: Use ARCH_CAPABILITIES to skip L1D flush on vmentry (bsc#1106369).
- x86/speculation: Use IBRS if available before calling into firmware (bnc#1012382).
- x86/speculation: Use Indirect Branch Prediction Barrier in context switch (bnc#1012382).
- x86/xen: Add call of speculative_store_bypass_ht_init() to PV paths (bnc#1012382).
- xen-netfront: wait xenbus state change when load module manually (bnc#1012382).
- xen/blkback: do not keep persistent grants too long (bsc#1085042).
- xen/blkback: move persistent grants flags to bool (bsc#1085042).
- xen/blkfront: cleanup stale persistent grants (bsc#1085042).
- xen/blkfront: reorder tests in xlblk_init() (bsc#1085042).
- xen/netfront: do not cache skb_shinfo() (bnc#1012382).
- xen: avoid crash in disable_hotplug_cpu (bsc#1106594).
- xen: set cpu capabilities from xen_start_kernel() (bnc#1012382).
- xfrm: fix missing dst_release() after policy blocking lbcast and multicast (bnc#1012382).
- xfrm: free skb if nlsk pointer is NULL (bnc#1012382).
- xfrm_user: prevent leaking 2 bytes of kernel memory (bnc#1012382).
- xfs: Remove dead code from inode recover function (bsc#1105396).
- xfs: repair malformed inode items during log recovery (bsc#1105396).
- xhci: Fix perceived dead host due to runtime suspend race with event handler (bnc#1012382).
- zswap: re-check zswap_is_full() after do zswap_shrink() (bnc#1012382).
ImportantSUSE bug 1012382SUSE bug 1015342SUSE bug 1015343SUSE bug 1017967SUSE bug 1019695SUSE bug 1019699SUSE bug 1020412SUSE bug 1021121SUSE bug 1022604SUSE bug 1024361SUSE bug 1024365SUSE bug 1024376SUSE bug 1027968SUSE bug 1030552SUSE bug 1033962SUSE bug 1042286SUSE bug 1048317SUSE bug 1050431SUSE bug 1053685SUSE bug 1055014SUSE bug 1056596SUSE bug 1062604SUSE bug 1063646SUSE bug 1064232SUSE bug 1065364SUSE bug 1066223SUSE bug 1068032SUSE bug 1068075SUSE bug 1069138SUSE bug 1078921SUSE bug 1080157SUSE bug 1083663SUSE bug 1085042SUSE bug 1085536SUSE bug 1085539SUSE bug 1086457SUSE bug 1087092SUSE bug 1089066SUSE bug 1090888SUSE bug 1091171SUSE bug 1091860SUSE bug 1092903SUSE bug 1096254SUSE bug 1096748SUSE bug 1097105SUSE bug 1098253SUSE bug 1098822SUSE bug 1099597SUSE bug 1099810SUSE bug 1099811SUSE bug 1099813SUSE bug 1099832SUSE bug 1099844SUSE bug 1099845SUSE bug 1099846SUSE bug 1099849SUSE bug 1099863SUSE bug 1099864SUSE bug 1099922SUSE bug 1099999SUSE bug 1100000SUSE bug 1100001SUSE bug 1100132SUSE bug 1101822SUSE bug 1101841SUSE bug 1102346SUSE bug 1102486SUSE bug 1102517SUSE bug 1102715SUSE bug 1102797SUSE bug 1103269SUSE bug 1103445SUSE bug 1104319SUSE bug 1104485SUSE bug 1104494SUSE bug 1104495SUSE bug 1104683SUSE bug 1104897SUSE bug 1105271SUSE bug 1105292SUSE bug 1105322SUSE bug 1105392SUSE bug 1105396SUSE bug 1105524SUSE bug 1105536SUSE bug 1105769SUSE bug 1106016SUSE bug 1106105SUSE bug 1106185SUSE bug 1106229SUSE bug 1106271SUSE bug 1106275SUSE bug 1106276SUSE bug 1106278SUSE bug 1106281SUSE bug 1106283SUSE bug 1106369SUSE bug 1106509SUSE bug 1106511SUSE bug 1106594SUSE bug 1106697SUSE bug 1106929SUSE bug 1106934SUSE bug 1106995SUSE bug 1107060SUSE bug 1107078SUSE bug 1107319SUSE bug 1107320SUSE bug 1107689SUSE bug 1107735SUSE bug 1107966SUSE bug 963575SUSE bug 966170SUSE bug 966172SUSE bug 969470SUSE bug 969476SUSE bug 969477SUSE bug 970506CVE-2018-10876 at SUSECVE-2018-10876 at NVDCVE-2018-10877 at SUSECVE-2018-10877 at NVDCVE-2018-10878 at SUSECVE-2018-10878 at NVDCVE-2018-10879 at SUSECVE-2018-10879 at NVDCVE-2018-10880 at SUSECVE-2018-10880 at NVDCVE-2018-10881 at SUSECVE-2018-10881 at NVDCVE-2018-10882 at SUSECVE-2018-10882 at NVDCVE-2018-10883 at SUSECVE-2018-10883 at NVDCVE-2018-10902 at SUSECVE-2018-10902 at NVDCVE-2018-10938 at SUSECVE-2018-10938 at NVDCVE-2018-10940 at SUSECVE-2018-10940 at NVDCVE-2018-1128 at SUSECVE-2018-1128 at NVDCVE-2018-1129 at SUSECVE-2018-1129 at NVDCVE-2018-12896 at SUSECVE-2018-12896 at NVDCVE-2018-13093 at SUSECVE-2018-13093 at NVDCVE-2018-13094 at SUSECVE-2018-13094 at NVDCVE-2018-13095 at SUSECVE-2018-13095 at NVDCVE-2018-15572 at SUSECVE-2018-15572 at NVDCVE-2018-16658 at SUSECVE-2018-16658 at NVDCVE-2018-6554 at SUSECVE-2018-6554 at NVDCVE-2018-6555 at SUSECVE-2018-6555 at NVDCVE-2018-9363 at SUSECVE-2018-9363 at NVDcpe:/o:suse:sles:12:sp3Security update for libvirt (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libvirt provides several fixes.
This security issue was fixed:
- CVE-2018-5748: Prevent resource exhaustion via qemuMonitorIORead() method which allowed to cause DoS (bsc#1076500).
These security issues were fixed:
- Add a qemu hook script providing functionality similar to Xen's block-dmmd script.
(fate#324177)
- schema: Make disk driver name attribute optional. (bsc#1073973)
- virt-create-rootfs: Handle all SLE 12 versions. (bsc#1072887)
- libvirt-guests: Fix the 'stop' operation when action is 'suspend'. (bsc#1070130)
- s390: Fix missing host cpu model info. (bsc#1065766)
- cpu: Add new EPYC CPU model. (bsc#1052825, fate#324038)
- pci: Fix the detection of the link's maximum speed. (bsc#1064947)
- nodedev: Increase the netlink socket buffer size. (bsc#1035442)
- storage: Fix a race between the volume creation and the pool refresh. (bsc#1062571)
- daemon: Drop the minsize directive from hypervisor logrotate files. (bsc#1062760)
ModerateSUSE bug 1035442SUSE bug 1052825SUSE bug 1062571SUSE bug 1062760SUSE bug 1064947SUSE bug 1065766SUSE bug 1070130SUSE bug 1072887SUSE bug 1073973SUSE bug 1076500CVE-2018-5748 at SUSECVE-2018-5748 at NVDcpe:/o:suse:sles:12:sp3Security update for wireshark (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for wireshark to version 2.4.9 fixes the following issues:
Wireshark was updated to 2.4.9 (bsc#1094301, bsc#1106514).
Security issues fixed:
- CVE-2018-16058: Bluetooth AVDTP dissector crash (wnpa-sec-2018-44)
- CVE-2018-16056: Bluetooth Attribute Protocol dissector crash (wnpa-sec-2018-45)
- CVE-2018-16057: Radiotap dissector crash (wnpa-sec-2018-46)
- CVE-2018-11355: Fix RTCP dissector crash (bsc#1094301).
- CVE-2018-14370: IEEE 802.11 dissector crash (wnpa-sec-2018-43, bsc#1101802)
- CVE-2018-14368: Bazaar dissector infinite loop (wnpa-sec-2018-40, bsc#1101794)
- CVE-2018-11362: Fix LDSS dissector crash (bsc#1094301).
- CVE-2018-11361: Fix IEEE 802.11 dissector crash (bsc#1094301).
- CVE-2018-11360: Fix GSM A DTAP dissector crash (bsc#1094301).
- CVE-2018-14342: BGP dissector large loop (wnpa-sec-2018-34, bsc#1101777)
- CVE-2018-14343: ASN.1 BER dissector crash (wnpa-sec-2018-37, bsc#1101786)
- CVE-2018-14340: Multiple dissectors could crash (wnpa-sec-2018-36, bsc#1101804)
- CVE-2018-14341: DICOM dissector crash (wnpa-sec-2018-39, bsc#1101776)
- CVE-2018-11358: Fix Q.931 dissector crash (bsc#1094301).
- CVE-2018-14344: ISMP dissector crash (wnpa-sec-2018-35, bsc#1101788)
- CVE-2018-11359: Fix multiple dissectors crashs (bsc#1094301).
- CVE-2018-11356: Fix DNS dissector crash (bsc#1094301).
- CVE-2018-14339: MMSE dissector infinite loop (wnpa-sec-2018-38, bsc#1101810)
- CVE-2018-11357: Fix multiple dissectors that could consume excessive memory (bsc#1094301).
- CVE-2018-14367: CoAP dissector crash (wnpa-sec-2018-42, bsc#1101791)
- CVE-2018-11354: Fix IEEE 1905.1a dissector crash (bsc#1094301).
- CVE-2018-14369: HTTP2 dissector crash (wnpa-sec-2018-41, bsc#1101800)
Further bug fixes and updated protocol support as listed in:
https://www.wireshark.org/docs/relnotes/wireshark-2.4.9.html
ModerateSUSE bug 1094301SUSE bug 1101776SUSE bug 1101777SUSE bug 1101786SUSE bug 1101788SUSE bug 1101791SUSE bug 1101794SUSE bug 1101800SUSE bug 1101802SUSE bug 1101804SUSE bug 1101810SUSE bug 1106514CVE-2018-11354 at SUSECVE-2018-11354 at NVDCVE-2018-11355 at SUSECVE-2018-11355 at NVDCVE-2018-11356 at SUSECVE-2018-11356 at NVDCVE-2018-11357 at SUSECVE-2018-11357 at NVDCVE-2018-11358 at SUSECVE-2018-11358 at NVDCVE-2018-11359 at SUSECVE-2018-11359 at NVDCVE-2018-11360 at SUSECVE-2018-11360 at NVDCVE-2018-11361 at SUSECVE-2018-11361 at NVDCVE-2018-11362 at SUSECVE-2018-11362 at NVDCVE-2018-14339 at SUSECVE-2018-14339 at NVDCVE-2018-14340 at SUSECVE-2018-14340 at NVDCVE-2018-14341 at SUSECVE-2018-14341 at NVDCVE-2018-14342 at SUSECVE-2018-14342 at NVDCVE-2018-14343 at SUSECVE-2018-14343 at NVDCVE-2018-14344 at SUSECVE-2018-14344 at NVDCVE-2018-14367 at SUSECVE-2018-14367 at NVDCVE-2018-14368 at SUSECVE-2018-14368 at NVDCVE-2018-14369 at SUSECVE-2018-14369 at NVDCVE-2018-14370 at SUSECVE-2018-14370 at NVDCVE-2018-16056 at SUSECVE-2018-16056 at NVDCVE-2018-16057 at SUSECVE-2018-16057 at NVDCVE-2018-16058 at SUSECVE-2018-16058 at NVDcpe:/o:suse:sles:12:sp3Security update for smt, yast2-smt (Important)SUSE Linux Enterprise Server 12 SP3
This update for yast2-smt to 3.0.14 and smt to 3.0.37 fixes the following issues:
These security issues were fixed in SMT:
- CVE-2018-12471: Xml External Entity processing in the RegistrationSharing
modules allowed to read arbitrary file read (bsc#1103809).
- CVE-2018-12470: SQL injection in RegistrationSharing module allows remote
attackers to run arbitrary SQL statements (bsc#1103810).
- CVE-2018-12472: Authentication bypass in sibling check facilitated further
attacks on SMT (bsc#1104076).
SUSE would like to thank Jake Miller for reporting these issues to us.
These non-security issues were fixed in SMT:
- Fix cron jobs randomization (bsc#1097560)
- Fix duplicate migration paths (bsc#1097824)
This non-security issue was fixed in yast2-smt:
- Remove cron job rescheduling (bsc#1097560)
- Added missing translation marks (bsc#1037811)
- Explicitly mention 'Organization Credentials' (fate#321759)
- Rearrange the SMT set-up dialog (bsc#977043)
- Make the Filter button default (bsc#1006984)
- Prevent exiting the repo selection dialog via hitting Enter in
the repository filter (bsc#1006984)
- report when error occurs during repo mirroring (bsc#1006989)
- Use TextEntry-based filter for repos (fate#319777)
ImportantSUSE bug 1006984SUSE bug 1006989SUSE bug 1037811SUSE bug 1097560SUSE bug 1097824SUSE bug 1103809SUSE bug 1103810SUSE bug 1104076SUSE bug 977043CVE-2018-12470 at SUSECVE-2018-12470 at NVDCVE-2018-12471 at SUSECVE-2018-12471 at NVDCVE-2018-12472 at SUSECVE-2018-12472 at NVDcpe:/o:suse:sles:12:sp3Security update for yast2-smt (Important)SUSE Linux Enterprise Server 12 SP3
This update fixes the following issue in yast2-smt:
- Remove cron job rescheduling (bsc#1097560)
This update is a requirement for the security update for SMT. Because of that it is
tagged as security to ensure that all users, even those that only install security updates,
install it.
ImportantSUSE bug 1097560cpe:/o:suse:sles:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for openssl fixes the following issues:
These security issues were fixed:
- Prevent One&Done side-channel attack on RSA that allowed physically near
attackers to use EM emanations to recover information (bsc#1104789)
- CVE-2018-0737: The RSA Key generation algorithm has been shown to be
vulnerable to a cache timing side channel attack. An attacker with sufficient
access to mount cache timing attacks during the RSA key generation process
could have recovered the private key (bsc#1089039)
These non-security issues were fixed:
- Add openssl(cli) Provide so the packages that require the openssl
binary can require this instead of the new openssl meta package
(bsc#1101470)
- Fixed path to the engines which are under /lib64 on SLE-12 (bsc#1101246,
bsc#997043)
ModerateSUSE bug 1089039SUSE bug 1101246SUSE bug 1101470SUSE bug 1104789SUSE bug 1106197SUSE bug 997043CVE-2018-0737 at SUSECVE-2018-0737 at NVDcpe:/o:suse:sles:12:sp3Security update for ncurses (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ncurses fixes several issues.
These security issues were fixed:
- CVE-2017-13734: Prevent illegal address access in the _nc_safe_strcat
function in strings.c that might have lead to a remote denial of service attack
(bsc#1056126).
- CVE-2017-13733: Prevent illegal address access in the fmt_entry function in
progs/dump_entry.c that might have lead to a remote denial of service attack
(bsc#1056127).
- CVE-2017-13732: Prevent illegal address access in the function dump_uses() in
progs/dump_entry.c that might have lead to a remote denial of service attack
(bsc#1056128).
- CVE-2017-13731: Prevent illegal address access in the function
postprocess_termcap() in parse_entry.c that might have lead to a remote denial
of service attack (bsc#1056129).
- CVE-2017-13730: Prevent illegal address access in the function
_nc_read_entry_source() in progs/tic.c that might have lead to a remote denial
of service attack (bsc#1056131).
- CVE-2017-13729: Prevent illegal address access in the _nc_save_str function
in alloc_entry.c that might have lead to a remote denial of service attack
(bsc#1056132).
- CVE-2017-13728: Prevent infinite loop in the next_char function in
comp_scan.c that might have lead to a remote denial of service attack
(bsc#1056136).
ModerateSUSE bug 1056126SUSE bug 1056127SUSE bug 1056128SUSE bug 1056129SUSE bug 1056131SUSE bug 1056132SUSE bug 1056136CVE-2017-13728 at SUSECVE-2017-13728 at NVDCVE-2017-13729 at SUSECVE-2017-13729 at NVDCVE-2017-13730 at SUSECVE-2017-13730 at NVDCVE-2017-13731 at SUSECVE-2017-13731 at NVDCVE-2017-13732 at SUSECVE-2017-13732 at NVDCVE-2017-13733 at SUSECVE-2017-13733 at NVDCVE-2017-13734 at SUSECVE-2017-13734 at NVDcpe:/o:suse:sles:12:sp3Security update for unzip (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for unzip fixes the following security issues:
- CVE-2014-9913: Specially crafted zip files could trigger invalid memory
writes possibly resulting in DoS or corruption (bsc#1013993)
- CVE-2015-7696: Specially crafted zip files with password protection could
trigger a crash and lead to denial of service (bsc#950110)
- CVE-2015-7697: Specially crafted zip files could trigger an endless loop and
lead to denial of service (bsc#950111)
- CVE-2016-9844: Specially crafted zip files could trigger invalid memory
writes possibly resulting in DoS or corruption (bsc#1013992)
- CVE-2018-1000035: Prevent heap-based buffer overflow in the processing of
password-protected archives that allowed an attacker to perform a denial of
service or to possibly achieve code execution (bsc#1080074).
- CVE-2014-9636: Prevent denial of service (out-of-bounds read or write and
crash) via an extra field with an uncompressed size smaller than the compressed
field size in a zip archive that advertises STORED method compression
(bsc#914442).
This non-security issue was fixed:
+- Allow processing of Windows zip64 archives (Windows archivers set
total_disks field to 0 but per standard, valid values are 1 and higher)
(bnc#910683)
ModerateSUSE bug 1013992SUSE bug 1013993SUSE bug 1080074SUSE bug 910683SUSE bug 914442SUSE bug 950110SUSE bug 950111CVE-2014-9636 at SUSECVE-2014-9636 at NVDCVE-2014-9913 at SUSECVE-2014-9913 at NVDCVE-2015-7696 at SUSECVE-2015-7696 at NVDCVE-2015-7697 at SUSECVE-2015-7697 at NVDCVE-2016-9844 at SUSECVE-2016-9844 at NVDCVE-2018-1000035 at SUSECVE-2018-1000035 at NVDcpe:/o:suse:sles:12:sp3Security update for ghostscript (Important)SUSE Linux Enterprise Server 12 SP3
This update for ghostscript to version 9.25 fixes the following issues:
These security issues were fixed:
- CVE-2018-17183: Remote attackers were be able to supply crafted PostScript to
potentially overwrite or replace error handlers to inject code (bsc#1109105)
- CVE-2018-15909: Prevent type confusion using the .shfill operator that could
have been used by attackers able to supply crafted PostScript files to crash
the interpreter or potentially execute code (bsc#1106172).
- CVE-2018-15908: Prevent attackers that are able to supply malicious
PostScript files to bypass .tempfile restrictions and write files
(bsc#1106171).
- CVE-2018-15910: Prevent a type confusion in the LockDistillerParams parameter
that could have been used to crash the interpreter or execute code
(bsc#1106173).
- CVE-2018-15911: Prevent use uninitialized memory access in the aesdecode
operator that could have been used to crash the interpreter or potentially
execute code (bsc#1106195).
- CVE-2018-16513: Prevent a type confusion in the setcolor function that could
have been used to crash the interpreter or possibly have unspecified other
impact (bsc#1107412).
- CVE-2018-16509: Incorrect 'restoration of privilege' checking during handling
of /invalidaccess exceptions could be have been used by attackers able to
supply crafted PostScript to execute code using the 'pipe' instruction
(bsc#1107410).
- CVE-2018-16510: Incorrect exec stack handling in the 'CS' and 'SC' PDF
primitives could have been used by remote attackers able to supply crafted PDFs
to crash the interpreter or possibly have unspecified other impact
(bsc#1107411).
- CVE-2018-16542: Prevent attackers able to supply crafted PostScript files
from using insufficient interpreter stack-size checking during error handling
to crash the interpreter (bsc#1107413).
- CVE-2018-16541: Prevent attackers able to supply crafted PostScript files
from using incorrect free logic in pagedevice replacement to crash the
interpreter (bsc#1107421).
- CVE-2018-16540: Prevent use-after-free in copydevice handling that could have
been used to crash the interpreter or possibly have unspecified other impact
(bsc#1107420).
- CVE-2018-16539: Prevent attackers able to supply crafted PostScript files
from using incorrect access checking in temp file handling to disclose contents
of files on the system otherwise not readable (bsc#1107422).
- CVE-2018-16543: gssetresolution and gsgetresolution allowed attackers to have
an unspecified impact (bsc#1107423).
- CVE-2018-16511: A type confusion in 'ztype' could have been used by remote
attackers able to supply crafted PostScript to crash the interpreter or
possibly have unspecified other impact (bsc#1107426).
- CVE-2018-16585: The .setdistillerkeys PostScript command was accepted even
though it is not intended for use during document processing (e.g., after the
startup phase). This lead to memory corruption, allowing remote attackers able
to supply crafted PostScript to crash the interpreter or possibly have
unspecified other impact (bsc#1107581).
- CVE-2018-16802: Incorrect 'restoration of privilege' checking when running
out of stack during exception handling could have been used by attackers able
to supply crafted PostScript to execute code using the 'pipe' instruction. This
is due to an incomplete fix for CVE-2018-16509 (bsc#1108027).
These non-security issues were fixed:
* Fixes problems with argument handling, some unintended results of the
security fixes to the SAFER file access restrictions (specifically accessing
ICC profile files).
* Avoid that ps2epsi fails with 'Error: /undefined in --setpagedevice--'
For additional changes please check http://www.ghostscript.com/doc/9.25/News.htm
and the changes file of the package.
ImportantSUSE bug 1106171SUSE bug 1106172SUSE bug 1106173SUSE bug 1106195SUSE bug 1107410SUSE bug 1107411SUSE bug 1107412SUSE bug 1107413SUSE bug 1107420SUSE bug 1107421SUSE bug 1107422SUSE bug 1107423SUSE bug 1107426SUSE bug 1107581SUSE bug 1108027SUSE bug 1109105CVE-2018-15908 at SUSECVE-2018-15908 at NVDCVE-2018-15909 at SUSECVE-2018-15909 at NVDCVE-2018-15910 at SUSECVE-2018-15910 at NVDCVE-2018-15911 at SUSECVE-2018-15911 at NVDCVE-2018-16509 at SUSECVE-2018-16509 at NVDCVE-2018-16510 at SUSECVE-2018-16510 at NVDCVE-2018-16511 at SUSECVE-2018-16511 at NVDCVE-2018-16513 at SUSECVE-2018-16513 at NVDCVE-2018-16539 at SUSECVE-2018-16539 at NVDCVE-2018-16540 at SUSECVE-2018-16540 at NVDCVE-2018-16541 at SUSECVE-2018-16541 at NVDCVE-2018-16542 at SUSECVE-2018-16542 at NVDCVE-2018-16543 at SUSECVE-2018-16543 at NVDCVE-2018-16585 at SUSECVE-2018-16585 at NVDCVE-2018-16802 at SUSECVE-2018-16802 at NVDCVE-2018-17183 at SUSECVE-2018-17183 at NVDcpe:/o:suse:sles:12:sp3Security update for mgetty (Important)SUSE Linux Enterprise Server 12 SP3
This update for mgetty fixes the following security issues:
- CVE-2018-16741: The function do_activate() did not properly sanitize shell
metacharacters to prevent command injection (bsc#1108752)
- CVE-2018-16745: The mail_to parameter was not sanitized, leading to a buffer
overflow if long untrusted input reached it (bsc#1108756)
- CVE-2018-16744: The mail_to parameter was not sanitized, leading to command
injection if untrusted input reached reach it (bsc#1108757)
- CVE-2018-16742: Prevent stack-based buffer overflow that could have been
triggered via a command-line parameter (bsc#1108762)
- CVE-2018-16743: The command-line parameter username wsa passed unsanitized to
strcpy(), which could have caused a stack-based buffer overflow (bsc#1108761)
ImportantSUSE bug 1108752SUSE bug 1108756SUSE bug 1108757SUSE bug 1108761SUSE bug 1108762CVE-2018-16741 at SUSECVE-2018-16741 at NVDCVE-2018-16742 at SUSECVE-2018-16742 at NVDCVE-2018-16743 at SUSECVE-2018-16743 at NVDCVE-2018-16744 at SUSECVE-2018-16744 at NVDCVE-2018-16745 at SUSECVE-2018-16745 at NVDcpe:/o:suse:sles:12:sp3Security update for systemd (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for systemd fixes several issues.
This security issue was fixed:
- CVE-2018-1049: Prevent race that can lead to DoS when using automounts (bsc#1076308).
These non-security issues were fixed:
- core: don't choke if a unit another unit triggers vanishes during reload
- delta: don't ignore PREFIX when the given argument is PREFIX/SUFFIX
- delta: extend skip logic to work on full directory paths (prefix+suffix) (bsc#1070428)
- delta: check if a prefix needs to be skipped only once
- delta: skip symlink paths when split-usr is enabled (#4591)
- sysctl: use raw file descriptor in sysctl_write (#7753)
- sd-netlink: don't take possesion of netlink fd from caller on failure (bsc#1074254)
- Fix the regexp used to detect broken by-id symlinks in /etc/crypttab
It was missing the following case: '/dev/disk/by-id/cr_-xxx'.
- sysctl: disable buffer while writing to /proc (bsc#1071558)
- Use read_line() and LONG_LINE_MAX to read values configuration files. (bsc#1071558)
- sysctl: no need to check for eof twice
- def: add new constant LONG_LINE_MAX
- fileio: add new helper call read_line() as bounded getline() replacement
- service: Don't stop unneeded units needed by restarted service (#7526) (bsc#1066156)
- gpt-auto-generator: fix the handling of the value returned by fstab_has_fstype() in add_swap() (#6280)
- gpt-auto-generator: disable gpt auto logic for swaps if at least one is defined in fstab (bsc#897422)
- fstab-util: introduce fstab_has_fstype() helper
- fstab-generator: ignore root=/dev/nfs (#3591)
- fstab-generator: don't process root= if it happens to be 'gpt-auto' (#3452)
- virt: use XENFEAT_dom0 to detect the hardware domain (#6442, #6662) (#7581) (bsc#1048510)
- analyze: replace --no-man with --man=no in the man page (bsc#1068251)
- udev: net_setup_link: don't error out when we couldn't apply link config (#7328)
- Add missing /etc/systemd/network directory
- Fix parsing of features in detect_vm_xen_dom0 (#7890) (bsc#1048510)
- sd-bus: use -- when passing arguments to ssh (#6706)
- systemctl: make sure we terminate the bus connection first, and then close the pager (#3550)
- sd-bus: bump message queue size (bsc#1075724)
- tmpfiles: downgrade warning about duplicate line
ModerateSUSE bug 1048510SUSE bug 1065276SUSE bug 1066156SUSE bug 1068251SUSE bug 1070428SUSE bug 1071558SUSE bug 1074254SUSE bug 1075724SUSE bug 1076308SUSE bug 897422CVE-2017-15908 at SUSECVE-2017-15908 at NVDCVE-2018-1049 at SUSECVE-2018-1049 at NVDcpe:/o:suse:sles:12:sp3Security update for openslp (Important)SUSE Linux Enterprise Server 12 SP3
This update for openslp fixes the following issues:
- CVE-2017-17833: Prevent heap-related memory corruption issue which may have
manifested itself as a denial-of-service or a remote code-execution
vulnerability (bsc#1090638)
- Prevent out of bounds reads in message parsing
ImportantSUSE bug 1090638CVE-2017-17833 at SUSECVE-2017-17833 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3
The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.156 to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2018-16597: Incorrect access checking in overlayfs mounts could have been
used by local attackers to modify or truncate files in the underlying
filesystem (bnc#1106512).
- CVE-2018-14613: Prevent invalid pointer dereference in io_ctl_map_page() when
mounting and operating a crafted btrfs image, caused by a lack of block group
item validation in check_leaf_item (bsc#1102896)
- CVE-2018-14617: Prevent NULL pointer dereference and panic in
hfsplus_lookup() when opening a file (that is purportedly a hard link) in an
hfs+ filesystem that has malformed catalog data, and is mounted read-only
without a metadata directory (bsc#1102870)
- CVE-2018-16276: Incorrect bounds checking in the yurex USB driver in
yurex_read allowed local attackers to use user access read/writes to crash the
kernel or potentially escalate privileges (bsc#1106095)
- CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in
drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial of
service (memory consumption) via many read accesses to files in the
/sys/class/sas_phy directory, as demonstrated by the
/sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1084536)
- CVE-2018-7480: The blkcg_init_queue function allowed local users to cause a
denial of service (double free) or possibly have unspecified other impact by
triggering a creation failure (bsc#1082863).
- CVE-2018-17182: The vmacache_flush_all function in mm/vmacache.c
mishandled sequence number overflows. An attacker can trigger a
use-after-free (and possibly gain privileges) via certain thread creation,
map, unmap, invalidation, and dereference operations (bnc#1108399).
The following non-security bugs were fixed:
- asm/sections: add helpers to check for section data (bsc#1063026).
- ASoC: wm8994: Fix missing break in switch (bnc#1012382).
- block: bvec_nr_vecs() returns value for wrong slab (bsc#1082979).
- bpf: fix overflow in prog accounting (bsc#1012382).
- btrfs: Add checker for EXTENT_CSUM (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: Add sanity check for EXTENT_DATA when reading out leaf (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: Check if item pointer overlaps with the item itself (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: Check that each block group has corresponding chunk at mount time (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: Introduce mount time chunk <-> dev extent mapping check (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: Move leaf and node validation checker to tree-checker.c (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized (bnc#1012382).
- btrfs: replace: Reset on-disk dev stats value after replace (bnc#1012382).
- btrfs: scrub: Do not use inode page cache in scrub_handle_errored_block() (bsc#1108096).
- btrfs: tree-checker: Add checker for dir item (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: Detect invalid and empty essential trees (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: Enhance btrfs_check_node output (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: Enhance output for btrfs_check_leaf (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: Enhance output for check_csum_item (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: Enhance output for check_extent_data_item (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: Fix false panic for sanity test (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: Replace root parameter with fs_info (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: use %zu format string for size_t (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: use %zu format string for size_t (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: Verify block_group_item (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: use correct compare function of dirty_metadata_bytes (bnc#1012382).
- btrfs: Verify that every chunk has corresponding block group at mount time (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- cifs: check if SMB2 PDU size has been padded and suppress the warning (bnc#1012382).
- crypto: clarify licensing of OpenSSL asm code ().
- crypto: vmx - Remove overly verbose printk from AES XTS init (git-fixes).
- debugobjects: Make stack check warning more informative (bnc#1012382).
- dm kcopyd: avoid softlockup in run_complete_job (bnc#1012382).
- dm-mpath: do not try to access NULL rq (bsc#1110337).
- EDAC: Fix memleak in module init error path (bsc#1109441).
- EDAC, i7core: Fix memleaks and use-after-free on probe and remove (1109441).
- fat: validate ->i_start before using (bnc#1012382).
- Fixes: Commit cdbf92675fad ('mm: numa: avoid waiting on freed migrated pages') (bnc#1012382).
- Follow-up fix for patches.arch/01-jump_label-reduce-the-size-of-struct-static_key-kabi.patch (bsc#1108803).
- fork: do not copy inconsistent signal handler state to child (bnc#1012382).
- fs/dcache.c: fix kmemcheck splat at take_dentry_name_snapshot() (bnc#1012382).
- genirq: Delay incrementing interrupt count if it's disabled/pending (bnc#1012382).
- grow_cache: we still have a code which uses both __GFP_ZERO and constructors. The code seems to be correct and the warning does more harm than good so revert for the the meantime until we catch offenders. (bnc#1110297)
- hfsplus: do not return 0 when fill_super() failed (bnc#1012382).
- hfs: prevent crash on exit from failed search (bnc#1012382).
- ib_srp: Remove WARN_ON in srp_terminate_io() (bsc#1094562).
- ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest() (bnc#1012382).
- irqchip/bcm7038-l1: Hide cpu offline callback when building for !SMP (bnc#1012382).
- irqchip/gic-v3: Add missing barrier to 32bit version of gic_read_iar() (bnc#1012382).
- kabi protect hnae_ae_ops (bsc#1107924).
- kbuild: make missing $DEPMOD a Warning instead of an Error (bnc#1012382).
- l2tp: cast l2tp traffic counter to unsigned (bsc#1099810).
- mei: me: allow runtime pm for platform with D0i3 (bnc#1012382).
- mfd: sm501: Set coherent_dma_mask when creating subdevices (bnc#1012382).
- mm/fadvise.c: fix signed overflow UBSAN complaint (bnc#1012382).
- net/9p: fix error path of p9_virtio_probe (bnc#1012382).
- net: bcmgenet: use MAC link status for fixed phy (bnc#1012382).
- net: ena: Eliminate duplicate barriers on weakly-ordered archs (bsc#1108240).
- net: ena: fix device destruction to gracefully free resources (bsc#1108240).
- net: ena: fix driver when PAGE_SIZE == 64kB (bsc#1108240).
- net: ena: fix incorrect usage of memory barriers (bsc#1108240).
- net: ena: fix missing calls to READ_ONCE (bsc#1108240).
- net: ena: fix missing lock during device destruction (bsc#1108240).
- net: ena: fix potential double ena_destroy_device() (bsc#1108240).
- net: ena: fix surprise unplug NULL dereference kernel crash (bsc#1108240).
- net: hns: add netif_carrier_off before change speed and duplex (bsc#1107924).
- net: hns: add the code for cleaning pkt in chip (bsc#1107924).
- nvme_fc: add 'nvme_discovery' sysfs attribute to fc transport device (bsc#1044189).
- nvmet: fixup crash on NULL device path (bsc#1082979).
- ovl: modify ovl_permission() to do checks on two inodes (bsc#1106512)
- ovl: proper cleanup of workdir (bnc#1012382).
- ovl: rename is_merge to is_lowest (bnc#1012382).
- PCI: mvebu: Fix I/O space end address calculation (bnc#1012382).
- platform/x86: asus-nb-wmi: Add keymap entry for lid flip action on UX360 (bnc#1012382).
- powerpc/64: Do load of PACAKBASE in LOAD_HANDLER (bsc#1094244).
- powerpc/book3s: Fix MCE console messages for unrecoverable MCE (bsc#1094244).
- powerpc/fadump: cleanup crash memory ranges support (bsc#1103269).
- powerpc/fadump: re-register firmware-assisted dump if already registered (bsc#1108170, bsc#1108823).
- powerpc: Fix size calculation using resource_size() (bnc#1012382).
- powerpc/mce: Move 64-bit machine check code into mce.c (bsc#1094244).
- powerpc/perf/hv-24x7: Fix off-by-one error in request_buffer check (git-fixes).
- powerpc/powernv/ioda2: Reduce upper limit for DMA window size (bsc#1066223).
- powerpc/powernv: Rename machine_check_pSeries_early() to powernv (bsc#1094244).
- powerpc/pseries: Avoid using the size greater than RTAS_ERROR_LOG_MAX (bnc#1012382).
- powerpc/pseries: Disable CPU hotplug across migrations (bsc#1066223).
- powerpc/pseries: Remove prrn_work workqueue (bsc#1102495, bsc#1109337).
- powerpc/pseries: Remove unneeded uses of dlpar work queue (bsc#1102495, bsc#1109337).
- powerpc/tm: Fix userspace r13 corruption (bsc#1109333).
- RDMA/rw: Fix rdma_rw_ctx_signature_init() kernel-doc header (bsc#1082979).
- reiserfs: change j_timestamp type to time64_t (bnc#1012382).
- Revert 'ARM: imx_v6_v7_defconfig: Select ULPI support' (bnc#1012382).
- s390/dasd: fix hanging offline processing due to canceled worker (bnc#1012382).
- s390/lib: use expoline for all bcr instructions (LTC#171029 bnc#1012382 bnc#1106934).
- sch_hhf: fix null pointer dereference on init failure (bnc#1012382).
- sch_htb: fix crash on init failure (bnc#1012382).
- sch_multiq: fix double free on init failure (bnc#1012382).
- sch_netem: avoid null pointer deref on init failure (bnc#1012382).
- sch_tbf: fix two null pointer dereferences on init failure (bnc#1012382).
- scripts: modpost: check memory allocation results (bnc#1012382).
- scsi: aic94xx: fix an error code in aic94xx_init() (bnc#1012382).
- scsi: ipr: System hung while dlpar adding primary ipr adapter back (bsc#1109336).
- scsi: qla2xxx: Add changes for devloss timeout in driver (bsc#1084427).
- scsi: qla2xxx: Add FC-NVMe abort processing (bsc#1084427).
- scsi: qla2xxx: Add longer window for chip reset (bsc#1094555).
- scsi: qla2xxx: Avoid double completion of abort command (bsc#1094555).
- scsi: qla2xxx: Cleanup code to improve FC-NVMe error handling (bsc#1084427).
- scsi: qla2xxx: Cleanup for N2N code (bsc#1094555).
- scsi: qla2xxx: correctly shift host byte (bsc#1094555).
- scsi: qla2xxx: Correct setting of SAM_STAT_CHECK_CONDITION (bsc#1094555).
- scsi: qla2xxx: Delete session for nport id change (bsc#1094555).
- scsi: qla2xxx: Fix Async GPN_FT for FCP and FC-NVMe scan (bsc#1084427).
- scsi: qla2xxx: Fix crash on qla2x00_mailbox_command (bsc#1094555).
- scsi: qla2xxx: Fix double free bug after firmware timeout (bsc#1094555).
- scsi: qla2xxx: Fix driver unload by shutting down chip (bsc#1094555).
- scsi: qla2xxx: fix error message on <qla2400 (bsc#1094555).
- scsi: qla2xxx: Fix FC-NVMe IO abort during driver reset (bsc#1084427).
- scsi: qla2xxx: Fix function argument descriptions (bsc#1094555).
- scsi: qla2xxx: Fix Inquiry command being dropped in Target mode (bsc#1094555).
- scsi: qla2xxx: Fix issue reported by static checker for qla2x00_els_dcmd2_sp_done() (bsc#1094555).
- scsi: qla2xxx: Fix login retry count (bsc#1094555).
- scsi: qla2xxx: Fix Management Server NPort handle reservation logic (bsc#1094555).
- scsi: qla2xxx: Fix memory leak for allocating abort IOCB (bsc#1094555).
- scsi: qla2xxx: Fix n2n_ae flag to prevent dev_loss on PDB change (bsc#1084427).
- scsi: qla2xxx: Fix N2N link re-connect (bsc#1094555).
- scsi: qla2xxx: Fix NPIV deletion by calling wait_for_sess_deletion (bsc#1094555).
- scsi: qla2xxx: Fix race between switch cmd completion and timeout (bsc#1094555).
- scsi: qla2xxx: Fix race condition between iocb timeout and initialisation (bsc#1094555).
- scsi: qla2xxx: Fix redundant fc_rport registration (bsc#1094555).
- scsi: qla2xxx: Fix retry for PRLI RJT with reason of BUSY (bsc#1084427).
- scsi: qla2xxx: Fix Rport and session state getting out of sync (bsc#1094555).
- scsi: qla2xxx: Fix sending ADISC command for login (bsc#1094555).
- scsi: qla2xxx: Fix session state stuck in Get Port DB (bsc#1094555).
- scsi: qla2xxx: Fix stalled relogin (bsc#1094555).
- scsi: qla2xxx: Fix TMF and Multi-Queue config (bsc#1094555).
- scsi: qla2xxx: Fix unintended Logout (bsc#1094555).
- scsi: qla2xxx: Fix unintialized List head crash (bsc#1094555).
- scsi: qla2xxx: Flush mailbox commands on chip reset (bsc#1094555).
- scsi: qla2xxx: fx00 copypaste typo (bsc#1094555).
- scsi: qla2xxx: Migrate NVME N2N handling into state machine (bsc#1094555).
- scsi: qla2xxx: Move GPSC and GFPNID out of session management (bsc#1094555).
- scsi: qla2xxx: Prevent relogin loop by removing stale code (bsc#1094555).
- scsi: qla2xxx: Prevent sysfs access when chip is down (bsc#1094555).
- scsi: qla2xxx: Reduce redundant ADISC command for RSCNs (bsc#1094555).
- scsi: qla2xxx: remove irq save in qla2x00_poll() (bsc#1094555).
- scsi: qla2xxx: Remove nvme_done_list (bsc#1084427).
- scsi: qla2xxx: Remove stale debug value for login_retry flag (bsc#1094555).
- scsi: qla2xxx: Remove unneeded message and minor cleanup for FC-NVMe (bsc#1084427).
- scsi: qla2xxx: Restore ZIO threshold setting (bsc#1084427).
- scsi: qla2xxx: Return busy if rport going away (bsc#1084427).
- scsi: qla2xxx: Save frame payload size from ICB (bsc#1094555).
- scsi: qla2xxx: Set IIDMA and fcport state before qla_nvme_register_remote() (bsc#1084427).
- scsi: qla2xxx: Silent erroneous message (bsc#1094555).
- scsi: qla2xxx: Update driver version to 10.00.00.06-k (bsc#1084427).
- scsi: qla2xxx: Update driver version to 10.00.00.07-k (bsc#1094555).
- scsi: qla2xxx: Update driver version to 10.00.00.08-k (bsc#1094555).
- scsi: qla2xxx: Use dma_pool_zalloc() (bsc#1094555).
- scsi: qla2xxx: Use predefined get_datalen_for_atio() inline function (bsc#1094555).
- selftests/powerpc: Kill child processes on SIGINT (bnc#1012382).
- smb3: fix reset of bytes read and written stats (bnc#1012382).
- SMB3: Number of requests sent should be displayed for SMB3 not just CIFS (bnc#1012382).
- staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free (bnc#1012382).
- staging: comedi: ni_mio_common: fix subdevice flags for PFI subdevice (bnc#1012382).
- tcp: do not restart timewait timer on rst reception (bnc#1012382).
- Update patches.suse/dm-Always-copy-cmd_flags-when-cloning-a-request.patch (bsc#1088087, bsc#1103156).
- usbip: vhci_sysfs: fix potential Spectre v1 (bsc#1096547).
- vti6: remove !skb->ignore_df check from vti6_xmit() (bnc#1012382).
- watchdog: w83627hf_wdt: Add quirk for Inves system (bsc#1106434).
- x86/entry/64: Remove %ebx handling from error_entry/exit (bnc#1102715).
- x86/pae: use 64 bit atomic xchg function in native_ptep_get_and_clear (bnc#1012382).
- x86/speculation/l1tf: Fix up pte->pfn conversion for PAE (bnc#1012382).
- xen: avoid crash in disable_hotplug_cpu (bsc#1106594).
- xfs: add a new xfs_iext_lookup_extent_before helper (bsc#1095344).
- xfs: add asserts for the mmap lock in xfs_{insert,collapse}_file_space (bsc#1095344).
- xfs: add a xfs_bmap_fork_to_state helper (bsc#1095344).
- xfs: add a xfs_iext_update_extent helper (bsc#1095344).
- xfs: add comments documenting the rebalance algorithm (bsc#1095344).
- xfs: add some comments to xfs_iext_insert/xfs_iext_insert_node (bsc#1095344).
- xfs: add xfs_trim_extent (bsc#1095344).
- xfs: allow unaligned extent records in xfs_bmbt_disk_set_all (bsc#1095344).
- xfs: borrow indirect blocks from freed extent when available (bsc#1095344).
- xfs: cleanup xfs_bmap_last_before (bsc#1095344).
- xfs: do not create overlapping extents in xfs_bmap_add_extent_delay_real (bsc#1095344).
- xfs: do not rely on extent indices in xfs_bmap_collapse_extents (bsc#1095344).
- xfs: do not rely on extent indices in xfs_bmap_insert_extents (bsc#1095344).
- xfs: do not set XFS_BTCUR_BPRV_WASDEL in xfs_bunmapi (bsc#1095344).
- xfs: during btree split, save new block key and ptr for future insertion (bsc#1095344).
- xfs: factor out a helper to initialize a local format inode fork (bsc#1095344).
- xfs: fix memory leak in xfs_iext_free_last_leaf (bsc#1095344).
- xfs: fix number of records handling in xfs_iext_split_leaf (bsc#1095344).
- xfs: fix transaction allocation deadlock in IO path (bsc#1090535).
- xfs: handle indlen shortage on delalloc extent merge (bsc#1095344).
- xfs: handle zero entries case in xfs_iext_rebalance_leaf (bsc#1095344).
- xfs: improve kmem_realloc (bsc#1095344).
- xfs: inline xfs_shift_file_space into callers (bsc#1095344).
- xfs: introduce the xfs_iext_cursor abstraction (bsc#1095344).
- xfs: iterate over extents in xfs_bmap_extents_to_btree (bsc#1095344).
- xfs: iterate over extents in xfs_iextents_copy (bsc#1095344).
- xfs: make better use of the 'state' variable in xfs_bmap_del_extent_real (bsc#1095344).
- xfs: merge xfs_bmap_read_extents into xfs_iread_extents (bsc#1095344).
- xfs: move pre/post-bmap tracing into xfs_iext_update_extent (bsc#1095344).
- xfs: move some code around inside xfs_bmap_shift_extents (bsc#1095344).
- xfs: move some more code into xfs_bmap_del_extent_real (bsc#1095344).
- xfs: move xfs_bmbt_irec and xfs_exntst_t to xfs_types.h (bsc#1095344).
- xfs: move xfs_iext_insert tracepoint to report useful information (bsc#1095344).
- xfs: new inode extent list lookup helpers (bsc#1095344).
- xfs: only run torn log write detection on dirty logs (bsc#1095753).
- xfs: pass an on-disk extent to xfs_bmbt_validate_extent (bsc#1095344).
- xfs: pass a struct xfs_bmbt_irec to xfs_bmbt_lookup_eq (bsc#1095344).
- xfs: pass a struct xfs_bmbt_irec to xfs_bmbt_update (bsc#1095344).
- xfs: pass struct xfs_bmbt_irec to xfs_bmbt_validate_extent (bsc#1095344).
- xfs: provide helper for counting extents from if_bytes (bsc#1095344).
- xfs: refactor delalloc accounting in xfs_bmap_add_extent_delay_real (bsc#1095344).
- xfs: refactor delalloc indlen reservation split into helper (bsc#1095344).
- xfs: refactor dir2 leaf readahead shadow buffer cleverness (bsc#1095344).
- xfs: refactor in-core log state update to helper (bsc#1095753).
- xfs: refactor unmount record detection into helper (bsc#1095753).
- xfs: refactor xfs_bmap_add_extent_delay_real (bsc#1095344).
- xfs: refactor xfs_bmap_add_extent_hole_delay (bsc#1095344).
- xfs: refactor xfs_bmap_add_extent_hole_real (bsc#1095344).
- xfs: refactor xfs_bmap_add_extent_unwritten_real (bsc#1095344).
- xfs: refactor xfs_bunmapi_cow (bsc#1095344).
- xfs: refactor xfs_del_extent_real (bsc#1095344).
- xfs: remove a duplicate assignment in xfs_bmap_add_extent_delay_real (bsc#1095344).
- xfs: remove all xfs_bmbt_set_* helpers except for xfs_bmbt_set_all (bsc#1095344).
- xfs: remove a superflous assignment in xfs_iext_remove_node (bsc#1095344).
- xfs: remove if_rdev (bsc#1095344).
- xfs: remove prev argument to xfs_bmapi_reserve_delalloc (bsc#1095344).
- xfs: remove support for inlining data/extents into the inode fork (bsc#1095344).
- xfs: remove the never fully implemented UUID fork format (bsc#1095344).
- xfs: remove the nr_extents argument to xfs_iext_insert (bsc#1095344).
- xfs: remove the nr_extents argument to xfs_iext_remove (bsc#1095344).
- xfs: remove XFS_BMAP_MAX_SHIFT_EXTENTS (bsc#1095344).
- xfs: remove XFS_BMAP_TRACE_EXLIST (bsc#1095344).
- xfs: remove xfs_bmbt_get_state (bsc#1095344).
- xfs: remove xfs_bmse_shift_one (bsc#1095344).
- xfs: rename bno to end in __xfs_bunmapi (bsc#1095344).
- xfs: replace xfs_bmbt_lookup_ge with xfs_bmbt_lookup_first (bsc#1095344).
- xfs: replace xfs_qm_get_rtblks with a direct call to xfs_bmap_count_leaves (bsc#1095344).
- xfs: rewrite getbmap using the xfs_iext_* helpers (bsc#1095344).
- xfs: rewrite xfs_bmap_count_leaves using xfs_iext_get_extent (bsc#1095344).
- xfs: rewrite xfs_bmap_first_unused to make better use of xfs_iext_get_extent (bsc#1095344).
- xfs: separate log head record discovery from verification (bsc#1095753).
- xfs: simplify the xfs_getbmap interface (bsc#1095344).
- xfs: simplify validation of the unwritten extent bit (bsc#1095344).
- xfs: split indlen reservations fairly when under reserved (bsc#1095344).
- xfs: split xfs_bmap_shift_extents (bsc#1095344).
- xfs: switch xfs_bmap_local_to_extents to use xfs_iext_insert (bsc#1095344).
- xfs: treat idx as a cursor in xfs_bmap_add_extent_delay_real (bsc#1095344).
- xfs: treat idx as a cursor in xfs_bmap_add_extent_hole_delay (bsc#1095344).
- xfs: treat idx as a cursor in xfs_bmap_add_extent_hole_real (bsc#1095344).
- xfs: treat idx as a cursor in xfs_bmap_add_extent_unwritten_real (bsc#1095344).
- xfs: treat idx as a cursor in xfs_bmap_collapse_extents (bsc#1095344).
- xfs: treat idx as a cursor in xfs_bmap_del_extent_* (bsc#1095344).
- xfs: update freeblocks counter after extent deletion (bsc#1095344).
- xfs: update got in xfs_bmap_shift_update_extent (bsc#1095344).
- xfs: use a b+tree for the in-core extent list (bsc#1095344).
- xfs: use correct state defines in xfs_bmap_del_extent_{cow,delay} (bsc#1095344).
- xfs: use new extent lookup helpers in xfs_bmapi_read (bsc#1095344).
- xfs: use new extent lookup helpers in xfs_bmapi_write (bsc#1095344).
- xfs: use new extent lookup helpers in __xfs_bunmapi (bsc#1095344).
- xfs: use the state defines in xfs_bmap_del_extent_real (bsc#1095344).
- xfs: use xfs_bmap_del_extent_delay for the data fork as well (bsc#1095344).
- xfs: use xfs_iext_*_extent helpers in xfs_bmap_shift_extents (bsc#1095344).
- xfs: use xfs_iext_*_extent helpers in xfs_bmap_split_extent_at (bsc#1095344).
- xfs: use xfs_iext_get_extent instead of open coding it (bsc#1095344).
- xfs: use xfs_iext_get_extent in xfs_bmap_first_unused (bsc#1095344).
ImportantSUSE bug 1012382SUSE bug 1044189SUSE bug 1063026SUSE bug 1066223SUSE bug 1082863SUSE bug 1082979SUSE bug 1084427SUSE bug 1084536SUSE bug 1087209SUSE bug 1088087SUSE bug 1090535SUSE bug 1091815SUSE bug 1094244SUSE bug 1094555SUSE bug 1094562SUSE bug 1095344SUSE bug 1095753SUSE bug 1096547SUSE bug 1099810SUSE bug 1102495SUSE bug 1102715SUSE bug 1102870SUSE bug 1102875SUSE bug 1102877SUSE bug 1102879SUSE bug 1102882SUSE bug 1102896SUSE bug 1103156SUSE bug 1103269SUSE bug 1106095SUSE bug 1106434SUSE bug 1106512SUSE bug 1106594SUSE bug 1106934SUSE bug 1107924SUSE bug 1108096SUSE bug 1108170SUSE bug 1108240SUSE bug 1108399SUSE bug 1108803SUSE bug 1108823SUSE bug 1109333SUSE bug 1109336SUSE bug 1109337SUSE bug 1109441SUSE bug 1110297SUSE bug 1110337CVE-2018-14613 at SUSECVE-2018-14613 at NVDCVE-2018-14617 at SUSECVE-2018-14617 at NVDCVE-2018-16276 at SUSECVE-2018-16276 at NVDCVE-2018-16597 at SUSECVE-2018-16597 at NVDCVE-2018-17182 at SUSECVE-2018-17182 at NVDCVE-2018-7480 at SUSECVE-2018-7480 at NVDCVE-2018-7757 at SUSECVE-2018-7757 at NVDcpe:/o:suse:sles:12:sp3Security update for libtasn1 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libtasn1 fixes one issue.
This security issue was fixed:
- CVE-2018-6003: Prevent a stack exhaustion in _asn1_decode_simple_ber
(lib/decoding.c) when decoding BER encoded structure allowed for DoS
(bsc#1076832).
ModerateSUSE bug 1076832CVE-2018-6003 at SUSECVE-2018-6003 at NVDcpe:/o:suse:sles:12:sp3Security update for texlive (Important)SUSE Linux Enterprise Server 12 SP3
This update for texlive fixes the following issue:
- CVE-2018-17407: Prevent buffer overflow when handling of Type 1 fonts allowed
arbitrary code execution when a malicious font was loaded by one of the
vulnerable tools: pdflatex, pdftex, dvips, or luatex (bsc#1109673)
ImportantSUSE bug 1109673CVE-2018-17407 at SUSECVE-2018-17407 at NVDcpe:/o:suse:sles:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3
This update for java-1_8_0-openjdk to the jdk8u181 (icedtea 3.9.0) release fixes the following issues:
These security issues were fixed:
- CVE-2018-2938: Difficult to exploit vulnerability allowed unauthenticated
attacker with network access via multiple protocols to compromise Java SE.
Successful attacks of this vulnerability can result in takeover of Java SE
(bsc#1101644).
- CVE-2018-2940: Vulnerability in subcomponent: Libraries. Easily exploitable
vulnerability allowed unauthenticated attacker with network access via multiple
protocols to compromise Java SE, Java SE Embedded. Successful attacks require
human interaction from a person other than the attacker. Successful attacks of
this vulnerability can result in unauthorized read access to a subset of Java
SE, Java SE Embedded accessible data (bsc#1101645)
- CVE-2018-2952: Vulnerability in subcomponent: Concurrency. Difficult to
exploit vulnerability allowed unauthenticated attacker with network access via
multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful
attacks of this vulnerability can result in unauthorized ability to cause a
partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit
(bsc#1101651)
- CVE-2018-2973: Vulnerability in subcomponent: JSSE. Difficult to exploit
vulnerability allowed unauthenticated attacker with network access via SSL/TLS
to compromise Java SE, Java SE Embedded. Successful attacks of this
vulnerability can result in unauthorized creation, deletion or modification
access to critical data or all Java SE, Java SE Embedded accessible data
(bsc#1101656)
These non-security issues were fixed:
- Improve desktop file usage
- Better Internet address support
- speculative traps break when classes are redefined
- sun/security/pkcs11/ec/ReadCertificates.java fails intermittently
- Clean up code that saves the previous versions of redefined classes
- Prevent SIGSEGV in ReceiverTypeData::clean_weak_klass_links
- RedefineClasses() tests fail assert(((Metadata*)obj)->is_valid()) failed: obj is valid
- NMT is not enabled if NMT option is specified after class path specifiers
- EndEntityChecker should not process custom extensions after PKIX validation
- SupportedDSAParamGen.java failed with timeout
- Montgomery multiply intrinsic should use correct name
- When determining the ciphersuite lists, there is no debug output for disabled suites.
- sun/security/mscapi/SignedObjectChain.java fails on Windows
- On Windows Swing changes keyboard layout on a window activation
- IfNode::range_check_trap_proj() should handler dying subgraph with single if proj
- Even better Internet address support
- Newlines in JAXB string values of SOAP-requests are escaped to '
'
- TestFlushableGZIPOutputStream failing with IndexOutOfBoundsException
- Unable to use JDWP API in JDK 8 to debug JDK 9 VM
- Hotspot crash on Cassandra 3.11.1 startup with libnuma 2.0.3
- Performance drop with Java JDK 1.8.0_162-b32
- Upgrade time-zone data to tzdata2018d
- Fix potential crash in BufImg_SetupICM
- JDK 8u181 l10n resource file update
- Remove debug print statements from RMI fix
- (tz) Upgrade time-zone data to tzdata2018e
- ObjectInputStream filterCheck method throws NullPointerException
- adjust reflective access checks
ImportantSUSE bug 1101644SUSE bug 1101645SUSE bug 1101651SUSE bug 1101656SUSE bug 1106812CVE-2018-2938 at SUSECVE-2018-2938 at NVDCVE-2018-2940 at SUSECVE-2018-2940 at NVDCVE-2018-2952 at SUSECVE-2018-2952 at NVDCVE-2018-2973 at SUSECVE-2018-2973 at NVDCVE-2018-3639 at SUSECVE-2018-3639 at NVDcpe:/o:suse:sles:12:sp3Security update for qpdf (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for qpdf fixes the following issues:
qpdf was updated to 7.1.1.
Security issues fixed:
- CVE-2017-11627: A stack-consumption vulnerability which allows attackers to cause DoS (bsc#1050577).
- CVE-2017-11625: A stack-consumption vulnerability which allows attackers to cause DoS (bsc#1050579).
- CVE-2017-11626: A stack-consumption vulnerability which allows attackers to cause DoS (bsc#1050578).
- CVE-2017-11624: A stack-consumption vulnerability which allows attackers to cause DoS (bsc#1050581).
- CVE-2017-12595: Stack overflow when processing deeply nested arrays and dictionaries (bsc#1055960).
- CVE-2017-9209: Remote attackers can cause a denial of service (infinite recursion and stack consumption) via a crafted PDF document (bsc#1040312).
- CVE-2017-9210: Remote attackers can cause a denial of service (infinite recursion and stack consumption) via a crafted PDF document (bsc#1040313).
- CVE-2017-9208: Remote attackers can cause a denial of service (infinite recursion and stack consumption) via a crafted PDF document (bsc#1040311).
* Check release notes for detailed bug fixes.
* http://qpdf.sourceforge.net/files/qpdf-manual.html#ref.release-notes
ModerateSUSE bug 1040311SUSE bug 1040312SUSE bug 1040313SUSE bug 1050577SUSE bug 1050578SUSE bug 1050579SUSE bug 1050581SUSE bug 1055960CVE-2017-11624 at SUSECVE-2017-11624 at NVDCVE-2017-11625 at SUSECVE-2017-11625 at NVDCVE-2017-11626 at SUSECVE-2017-11626 at NVDCVE-2017-11627 at SUSECVE-2017-11627 at NVDCVE-2017-12595 at SUSECVE-2017-12595 at NVDCVE-2017-9208 at SUSECVE-2017-9208 at NVDCVE-2017-9209 at SUSECVE-2017-9209 at NVDCVE-2017-9210 at SUSECVE-2017-9210 at NVDcpe:/o:suse:sles:12:sp3Security update for soundtouch (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for soundtouch fixes the following security issue:
- CVE-2018-1000223: Prevent buffer overflow in WavInFile::readHeaderBlock()
that could have resulted in arbitrary code execution when opening maliocius
file in soundstretch utility (bsc#1103676)
ModerateSUSE bug 1103676CVE-2018-1000223 at SUSECVE-2018-1000223 at NVDcpe:/o:suse:sles:12:sp3Security update for postgresql10 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for brings postgresql10 version 10.5 to SUSE Linux Enterprise 12 SP3. (FATE#325659 bnc#1108308)
This release marks the change of the versioning scheme for PostgreSQL
to a 'x.y' format. This means the next minor releases of PostgreSQL
will be 10.1, 10.2, ... and the next major release will be 11.
* Logical Replication
Logical replication extends the current replication features of
PostgreSQL with the ability to send modifications on a per-database
and per-table level to different PostgreSQL databases. Users can now
fine-tune the data replicated to various database clusters and will
have the ability to perform zero-downtime upgrades to future major
PostgreSQL versions.
* Declarative Table Partitioning
Table partitioning has existed for years in PostgreSQL but required a
user to maintain a nontrivial set of rules and triggers for the
partitioning to work. PostgreSQL 10 introduces a table partitioning
syntax that lets users easily create and maintain range and list
partitioned tables.
* Improved Query Parallelism
PostgreSQL 10 provides better support for parallelized queries by
allowing more parts of the query execution process to be
parallelized. Improvements include additional types of data scans that
are parallelized as well as optimizations when the data is recombined,
such as pre-sorting. These enhancements allow results to be returned
more quickly.
* Quorum Commit for Synchronous Replication
PostgreSQL 10 introduces quorum commit for synchronous replication,
which allows for flexibility in how a primary database receives
acknowledgement that changes were successfully written to remote
replicas.
ModerateSUSE bug 1108308cpe:/o:suse:sles:12:sp3Security update for libxml2 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libxml2 fixes the following security issues:
- CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a
denial of service (infinite loop) via a crafted XML file that triggers
LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279).
- CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML
file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint
(bsc#1105166).
- CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval()
function when parsing an invalid XPath expression in the XPATH_OP_AND or
XPATH_OP_OR case leading to a denial of service attack (bsc#1102046).
- CVE-2017-18258: The xz_head function allowed remote attackers to cause a
denial of service (memory consumption) via a crafted LZMA file, because the
decoder functionality did not restrict memory usage to what is required for a
legitimate file (bsc#1088601).
ModerateSUSE bug 1088279SUSE bug 1088601SUSE bug 1102046SUSE bug 1105166CVE-2017-18258 at SUSECVE-2017-18258 at NVDCVE-2018-14404 at SUSECVE-2018-14404 at NVDCVE-2018-14567 at SUSECVE-2018-14567 at NVDCVE-2018-9251 at SUSECVE-2018-9251 at NVDcpe:/o:suse:sles:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ImageMagick fixes the following security issues:
- CVE-2017-11532: Prevent a memory leak vulnerability in the WriteMPCImage()
function in coders/mpc.c via a crafted file allowing for DoS (bsc#1050129)
- CVE-2018-16750: Prevent memory leak in the formatIPTCfromBuffer function
(bsc#1108283)
- CVE-2018-16749: Added missing NULL check in ReadOneJNGImage that allowed an
attacker to cause a denial of service (WriteBlob assertion failure and
application exit) via a crafted file (bsc#1108282)
- CVE-2018-16642: The function InsertRow allowed remote attackers to cause a
denial of service via a crafted image file due to an out-of-bounds write
(bsc#1107616)
- CVE-2018-16640: Prevent memory leak in the function ReadOneJNGImage
(bsc#1107619)
- CVE-2018-16643: The functions ReadDCMImage, ReadPWPImage, ReadCALSImage, and
ReadPICTImage did check the return value of the fputc function, which allowed
remote attackers to cause a denial of service via a crafted image file
(bsc#1107612)
- CVE-2018-16644: Added missing check for length in the functions ReadDCMImage
and ReadPICTImage, which allowed remote attackers to cause a denial of service
via a crafted image (bsc#1107609)
- CVE-2018-16645: Prevent excessive memory allocation issue in the functions
ReadBMPImage and ReadDIBImage, which allowed remote attackers to cause a denial
of service via a crafted image file (bsc#1107604)
- CVE-2018-16413: Prevent heap-based buffer over-read in the PushShortPixel
function leading to DoS (bsc#1106989)
This update also relaxes the restrictions of use of Postscript like formats to
'write' only. (bsc#1105592)
ModerateSUSE bug 1050129SUSE bug 1105592SUSE bug 1106989SUSE bug 1107604SUSE bug 1107609SUSE bug 1107612SUSE bug 1107616SUSE bug 1107619SUSE bug 1108282SUSE bug 1108283CVE-2017-11532 at SUSECVE-2017-11532 at NVDCVE-2018-16413 at SUSECVE-2018-16413 at NVDCVE-2018-16640 at SUSECVE-2018-16640 at NVDCVE-2018-16642 at SUSECVE-2018-16642 at NVDCVE-2018-16643 at SUSECVE-2018-16643 at NVDCVE-2018-16644 at SUSECVE-2018-16644 at NVDCVE-2018-16645 at SUSECVE-2018-16645 at NVDCVE-2018-16749 at SUSECVE-2018-16749 at NVDCVE-2018-16750 at SUSECVE-2018-16750 at NVDcpe:/o:suse:sles:12:sp3Security update for bind (Important)SUSE Linux Enterprise Server 12 SP3
This update for bind fixes several issues.
This security issue was fixed:
- CVE-2017-3145: Improper sequencing during cleanup could have lead to a
use-after-free error that triggered an assertion failure and crash in named
(bsc#1076118).
These non-security issues were fixed:
- Updated named.root file (bsc#1040039)
- Update bind.keys for DNSSEC root KSK rollover (bsc#1047184)
ImportantSUSE bug 1040039SUSE bug 1047184SUSE bug 1076118CVE-2017-3145 at SUSECVE-2017-3145 at NVDcpe:/o:suse:sles:12:sp3Security update for libX11 and libxcb (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libX11 and libxcb fixes the following issue:
libX11:
These security issues were fixed:
- CVE-2018-14599: The function XListExtensions was vulnerable to an off-by-one
error caused by malicious server responses, leading to DoS or possibly
unspecified other impact (bsc#1102062).
- CVE-2018-14600: The function XListExtensions interpreted a variable as signed
instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes),
leading to DoS or remote code execution (bsc#1102068).
- CVE-2018-14598: A malicious server could have sent a reply in which the first
string overflows, causing a variable to be set to NULL that will be freed later
on, leading to DoS (segmentation fault) (bsc#1102073).
This non-security issue was fixed:
- Make use of the new 64-bit sequence number API in XCB 1.11.1 to avoid the 32-bit
sequence number wrap in libX11 (bsc#1094327).
libxcb:
- Expose 64-bit sequence number from XCB API so that Xlib and others can use it even
on 32-bit environment. (bsc#1094327)
ModerateSUSE bug 1094327SUSE bug 1102062SUSE bug 1102068SUSE bug 1102073CVE-2018-14598 at SUSECVE-2018-14598 at NVDCVE-2018-14599 at SUSECVE-2018-14599 at NVDCVE-2018-14600 at SUSECVE-2018-14600 at NVDcpe:/o:suse:sles:12:sp3Security update for axis (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for axis fixes the following security issue:
- CVE-2018-8032: Prevent cross-site scripting (XSS) attack in the default
servlet/services (bsc#1103658).
ModerateSUSE bug 1103658CVE-2018-8032 at SUSECVE-2018-8032 at NVDcpe:/o:suse:sles:12:sp3Security update for samba (Moderate)SUSE Linux Enterprise Server 12 SP3
Samba was updated to 4.6.15, bringing bug and security fixes. (bsc#1110943)
Following security issues were fixed:
- CVE-2018-10919: Fix unauthorized attribute access via searches. (bsc#1095057);
Non-security bugs fixed:
- Fix ctdb_mutex_ceph_rados_helper deadlock (bsc#1102230).
- Allow idmap_rid to have primary group other than 'Domain Users' (bsc#1087931).
- winbind: avoid using fstrcpy in _dual_init_connection.
- Fix ntlm authentications with 'winbind use default domain = yes' (bsc#1068059).
ModerateSUSE bug 1068059SUSE bug 1087931SUSE bug 1095057SUSE bug 1102230SUSE bug 1110943CVE-2018-10919 at SUSECVE-2018-10919 at NVDcpe:/o:suse:sles:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ImageMagick fixes the following issues:
Security issues fixed:
- CVE-2018-18024: Fixed an infinite loop in the ReadBMPImage function of
the coders/bmp.c file. Remote attackers could leverage this vulnerability
to cause a denial of service via a crafted bmp file. (bsc#1111069)
- CVE-2018-18016: Fixed a memory leak in WritePCXImage (bsc#1111072).
- CVE-2018-17965: Fixed a memory leak in WriteSGIImage (bsc#1110747).
- CVE-2018-17966: Fixed a memory leak in WritePDBImage (bsc#1110746).
- CVE-2018-12600: ReadDIBImage and WriteDIBImage allowed attackers to
cause an out of bounds write via a crafted file. (bsc#1098545)
- CVE-2018-12599: ReadBMPImage and WriteBMPImage allowed attackers to
cause an out of bounds write via a crafted file. (bsc#1098546)
ModerateSUSE bug 1098545SUSE bug 1098546SUSE bug 1110746SUSE bug 1110747SUSE bug 1111069SUSE bug 1111072CVE-2017-13058 at SUSECVE-2017-13058 at NVDCVE-2018-12599 at SUSECVE-2018-12599 at NVDCVE-2018-12600 at SUSECVE-2018-12600 at NVDCVE-2018-17965 at SUSECVE-2018-17965 at NVDCVE-2018-17966 at SUSECVE-2018-17966 at NVDCVE-2018-18016 at SUSECVE-2018-18016 at NVDCVE-2018-18024 at SUSECVE-2018-18024 at NVDcpe:/o:suse:sles:12:sp3Security update for binutils (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for binutils to 2.31 fixes the following issues:
These security issues were fixed:
- CVE-2017-15996: readelf allowed remote attackers to cause a denial of service
(excessive memory allocation) or possibly have unspecified other impact via a
crafted ELF file that triggered a buffer overflow on fuzzed archive header
(bsc#1065643).
- CVE-2017-15939: Binary File Descriptor (BFD) library (aka libbfd) mishandled
NULL files in a .debug_line file table, which allowed remote attackers to cause
a denial of service (NULL pointer dereference and application crash) via a
crafted ELF file, related to concat_filename (bsc#1065689).
- CVE-2017-15938: the Binary File Descriptor (BFD) library (aka libbfd)
miscalculated DW_FORM_ref_addr die refs in the case of a relocatable object
file, which allowed remote attackers to cause a denial of service
(find_abstract_instance_name invalid memory read, segmentation fault, and
application crash) (bsc#1065693).
- CVE-2017-16826: The coff_slurp_line_table function the Binary File Descriptor
(BFD) library (aka libbfd) allowed remote attackers to cause a denial of
service (invalid memory access and application crash) or possibly have
unspecified other impact via a crafted PE file (bsc#1068640).
- CVE-2017-16832: The pe_bfd_read_buildid function in the Binary File
Descriptor (BFD) library (aka libbfd) did not validate size and offset values
in the data dictionary, which allowed remote attackers to cause a denial of
service (segmentation violation and application crash) or possibly have
unspecified other impact via a crafted PE file (bsc#1068643).
- CVE-2017-16831: Binary File Descriptor (BFD) library (aka libbfd) did not
validate the symbol count, which allowed remote attackers to cause a denial of
service (integer overflow and application crash, or excessive memory
allocation) or possibly have unspecified other impact via a crafted PE file
(bsc#1068887).
- CVE-2017-16830: The print_gnu_property_note function did not have
integer-overflow protection on 32-bit platforms, which allowed remote attackers
to cause a denial of service (segmentation violation and application crash) or
possibly have unspecified other impact via a crafted ELF file (bsc#1068888).
- CVE-2017-16829: The _bfd_elf_parse_gnu_properties function in the Binary File
Descriptor (BFD) library (aka libbfd) did not prevent negative pointers, which
allowed remote attackers to cause a denial of service (out-of-bounds read and
application crash) or possibly have unspecified other impact via a crafted ELF
file (bsc#1068950).
- CVE-2017-16828: The display_debug_frames function allowed remote attackers to
cause a denial of service (integer overflow and heap-based buffer over-read,
and application crash) or possibly have unspecified other impact via a crafted
ELF file (bsc#1069176).
- CVE-2017-16827: The aout_get_external_symbols function in the Binary File
Descriptor (BFD) library (aka libbfd) allowed remote attackers to cause a
denial of service (slurp_symtab invalid free and application crash) or possibly
have unspecified other impact via a crafted ELF file (bsc#1069202).
- CVE-2018-6323: The elf_object_p function in the Binary File Descriptor (BFD)
library (aka libbfd) had an unsigned integer overflow because bfd_size_type
multiplication is not used. A crafted ELF file allowed remote attackers to
cause a denial of service (application crash) or possibly have unspecified
other impact (bsc#1077745).
- CVE-2018-6543: Prevent integer overflow in the function
load_specific_debug_section() which resulted in `malloc()` with 0 size. A
crafted ELF file allowed remote attackers to cause a denial of service
(application crash) or possibly have unspecified other impact (bsc#1079103).
- CVE-2018-6759: The bfd_get_debug_link_info_1 function in the Binary File
Descriptor (BFD) library (aka libbfd) had an unchecked strnlen operation.
Remote attackers could have leveraged this vulnerability to cause a denial of
service (segmentation fault) via a crafted ELF file (bsc#1079741).
- CVE-2018-6872: The elf_parse_notes function in the Binary File Descriptor
(BFD) library (aka libbfd) allowed remote attackers to cause a denial of
service (out-of-bounds read and segmentation violation) via a note with a large
alignment (bsc#1080556).
- CVE-2018-7208: In the coff_pointerize_aux function in the Binary File
Descriptor (BFD) library (aka libbfd) an index was not validated, which allowed
remote attackers to cause a denial of service (segmentation fault) or possibly
have unspecified other impact via a crafted file, as demonstrated by objcopy of
a COFF object (bsc#1081527).
- CVE-2018-7570: The assign_file_positions_for_non_load_sections function in
the Binary File Descriptor (BFD) library (aka libbfd) allowed remote attackers
to cause a denial of service (NULL pointer dereference and application crash)
via an ELF file with a RELRO segment that lacks a matching LOAD segment, as
demonstrated by objcopy (bsc#1083528).
- CVE-2018-7569: The Binary File Descriptor (BFD) library (aka libbfd) allowed
remote attackers to cause a denial of service (integer underflow or overflow,
and application crash) via an ELF file with a corrupt DWARF FORM block, as
demonstrated by nm (bsc#1083532).
- CVE-2018-8945: The bfd_section_from_shdr function in the Binary File
Descriptor (BFD) library (aka libbfd) allowed remote attackers to cause a
denial of service (segmentation fault) via a large attribute section
(bsc#1086608).
- CVE-2018-7643: The display_debug_ranges function allowed remote attackers to
cause a denial of service (integer overflow and application crash) or possibly
have unspecified other impact via a crafted ELF file, as demonstrated by
objdump (bsc#1086784).
- CVE-2018-7642: The swap_std_reloc_in function in the Binary File Descriptor
(BFD) library (aka libbfd) allowed remote attackers to cause a denial of
service (aout_32_swap_std_reloc_out NULL pointer dereference and application
crash) via a crafted ELF file, as demonstrated by objcopy (bsc#1086786).
- CVE-2018-7568: The parse_die function in the Binary File Descriptor (BFD)
library (aka libbfd) allowed remote attackers to cause a denial of service
(integer overflow and application crash) via an ELF file with corrupt dwarf1
debug information, as demonstrated by nm (bsc#1086788).
- CVE-2018-10373: concat_filename in the Binary File Descriptor (BFD) library
(aka libbfd) allowed remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via a crafted binary file, as
demonstrated by nm-new (bsc#1090997).
- CVE-2018-10372: process_cu_tu_index allowed remote attackers to cause a
denial of service (heap-based buffer over-read and application crash) via a
crafted binary file, as demonstrated by readelf (bsc#1091015).
- CVE-2018-10535: The ignore_section_sym function in the Binary File Descriptor
(BFD) library (aka libbfd) did not validate the output_section pointer in the
case of a symtab entry with a 'SECTION' type that has a '0' value, which
allowed remote attackers to cause a denial of service (NULL pointer dereference
and application crash) via a crafted file, as demonstrated by objcopy
(bsc#1091365).
- CVE-2018-10534: The _bfd_XX_bfd_copy_private_bfd_data_common function in the
Binary File Descriptor (BFD) library (aka libbfd) processesed a negative Data
Directory size with an unbounded loop that increased the value of
(external_IMAGE_DEBUG_DIRECTORY) *edd so that the address exceeded its own
memory region, resulting in an out-of-bounds memory write, as demonstrated by
objcopy copying private info with _bfd_pex64_bfd_copy_private_bfd_data_common
in pex64igen.c (bsc#1091368).
These non-security issues were fixed:
- The AArch64 port now supports showing disassembly notes which are emitted
when inconsistencies are found with the instruction that may result in the
instruction being invalid. These can be turned on with the option -M notes
to objdump.
- The AArch64 port now emits warnings when a combination of an instruction and
a named register could be invalid.
- Added O modifier to ar to display member offsets inside an archive
- The ADR and ADRL pseudo-instructions supported by the ARM assembler
now only set the bottom bit of the address of thumb function symbols
if the -mthumb-interwork command line option is active.
- Add --generate-missing-build-notes=[yes|no] option to create (or not) GNU
Build Attribute notes if none are present in the input sources. Add a
--enable-generate-build-notes=[yes|no] configure time option to set the
default behaviour. Set the default if the configure option is not used
to 'no'.
- Remove -mold-gcc command-line option for x86 targets.
- Add -O[2|s] command-line options to x86 assembler to enable alternate
shorter instruction encoding.
- Add support for .nops directive. It is currently supported only for
x86 targets.
- Speed up direct linking with DLLs for Cygwin and Mingw targets.
- Add a configure option --enable-separate-code to decide whether
-z separate-code should be enabled in ELF linker by default. Default
to yes for Linux/x86 targets. Note that -z separate-code can increase
disk and memory size.
- RISC-V: Fix symbol address problem with versioned symbols
- Restore riscv64-elf cross prefix via symlinks
- RISC-V: Don't enable relaxation in relocatable link
- Prevent linking faiures on i386 with assertion (bsc#1085784)
- Fix symbol size bug when relaxation deletes bytes
- Add --debug-dump=links option to readelf and --dwarf=links option to objdump
which displays the contents of any .gnu_debuglink or .gnu_debugaltlink
sections.
Add a --debug-dump=follow-links option to readelf and a --dwarf=follow-links
option to objdump which causes indirect links into separate debug info files
to be followed when dumping other DWARF sections.
- Add support for loaction views in DWARF debug line information.
- Add -z separate-code to generate separate code PT_LOAD segment.
- Add '-z undefs' command line option as the inverse of the '-z defs' option.
- Add -z globalaudit command line option to force audit libraries to be run
for every dynamic object loaded by an executable - provided that the loader
supports this functionality.
- Tighten linker script grammar around file name specifiers to prevent the use
of SORT_BY_ALIGNMENT and SORT_BY_INIT_PRIORITY on filenames. These would
previously be accepted but had no effect.
- The EXCLUDE_FILE directive can now be placed within any SORT_* directive
within input section lists.
- Fix linker relaxation with --wrap
- Add arm-none-eabi symlinks (bsc#1074741)
Former updates of binutils also fixed the following security issues, for which
there was not CVE assigned at the time the update was released or no mapping
between code change and CVE existed:
- CVE-2014-9939: Prevent stack buffer overflow when printing bad bytes in Intel
Hex objects (bsc#1030296).
- CVE-2017-7225: The find_nearest_line function in addr2line did not handle the
case where the main file name and the directory name are both empty, triggering
a NULL pointer dereference and an invalid write, and leading to a program crash
(bsc#1030585).
- CVE-2017-7224: The find_nearest_line function in objdump was vulnerable to an
invalid write (of size 1) while disassembling a corrupt binary that contains an
empty function name, leading to a program crash (bsc#1030588).
- CVE-2017-7223: GNU assembler in was vulnerable to a global buffer overflow
(of size 1) while attempting to unget an EOF character from the input stream,
potentially leading to a program crash (bsc#1030589).
- CVE-2017-7226: The pe_ILF_object_p function in the Binary File Descriptor
(BFD) library (aka libbfd) was vulnerable to a heap-based buffer over-read of
size 4049 because it used the strlen function instead of strnlen, leading to
program crashes in several utilities such as addr2line, size, and strings. It
could lead to information disclosure as well (bsc#1030584).
- CVE-2017-7299: The Binary File Descriptor (BFD) library (aka libbfd) had an
invalid read (of size 8) because the code to emit relocs (bfd_elf_final_link
function in bfd/elflink.c) did not check the format of the input file trying to
read the ELF reloc section header. The vulnerability leads to a GNU linker (ld)
program crash (bsc#1031644).
- CVE-2017-7300: The Binary File Descriptor (BFD) library (aka libbfd) had an
aout_link_add_symbols function in bfd/aoutx.h that is vulnerable to a
heap-based buffer over-read (off-by-one) because of an incomplete check for
invalid string offsets while loading symbols, leading to a GNU linker (ld)
program crash (bsc#1031656).
- CVE-2017-7302: The Binary File Descriptor (BFD) library (aka libbfd) had a
swap_std_reloc_out function in bfd/aoutx.h that is vulnerable to an invalid
read (of size 4) because of missing checks for relocs that could not be
recognised. This vulnerability caused Binutils utilities like strip to crash
(bsc#1031595).
- CVE-2017-7303: The Binary File Descriptor (BFD) library (aka libbfd) was
vulnerable to an invalid read (of size 4) because of missing a check (in the
find_link function) for null headers attempting to match them. This
vulnerability caused Binutils utilities like strip to crash (bsc#1031593).
- CVE-2017-7301: The Binary File Descriptor (BFD) library (aka libbfd) had an
aout_link_add_symbols function in bfd/aoutx.h that has an off-by-one
vulnerability because it did not carefully check the string offset. The
vulnerability could lead to a GNU linker (ld) program crash (bsc#1031638).
- CVE-2017-7304: The Binary File Descriptor (BFD) library (aka libbfd) was
vulnerable to an invalid read (of size 8) because of missing a check (in the
copy_special_section_fields function) for an invalid sh_link field attempting
to follow it. This vulnerability caused Binutils utilities like strip to crash
(bsc#1031590).
- CVE-2017-8392: The Binary File Descriptor (BFD) library (aka libbfd) was
vulnerable to an invalid read of size 8 because of missing a check to determine
whether symbols are NULL in the _bfd_dwarf2_find_nearest_line function. This
vulnerability caused programs that conduct an analysis of binary programs using
the libbfd library, such as objdump, to crash (bsc#1037052).
- CVE-2017-8393: The Binary File Descriptor (BFD) library (aka libbfd) was
vulnerable to a global buffer over-read error because of an assumption made by
code that runs for objcopy and strip, that SHT_REL/SHR_RELA sections are always
named starting with a .rel/.rela prefix. This vulnerability caused programs
that conduct an analysis of binary programs using the libbfd library, such as
objcopy and strip, to crash (bsc#1037057).
- CVE-2017-8394: The Binary File Descriptor (BFD) library (aka libbfd) was
vulnerable to an invalid read of size 4 due to NULL pointer dereferencing of
_bfd_elf_large_com_section. This vulnerability caused programs that conduct an
analysis of binary programs using the libbfd library, such as objcopy, to crash
(bsc#1037061).
- CVE-2017-8396: The Binary File Descriptor (BFD) library (aka libbfd) was
vulnerable to an invalid read of size 1 because the existing reloc offset range
tests didn't catch small negative offsets less than the size of the reloc
field. This vulnerability caused programs that conduct an analysis of binary
programs using the libbfd library, such as objdump, to crash (bsc#1037066).
- CVE-2017-8421: The function coff_set_alignment_hook in Binary File Descriptor
(BFD) library (aka libbfd) had a memory leak vulnerability which can cause
memory exhaustion in objdump via a crafted PE file (bsc#1037273).
- CVE-2017-9746: The disassemble_bytes function in objdump.c allowed remote
attackers to cause a denial of service (buffer overflow and application crash)
or possibly have unspecified other impact via a crafted binary file, as
demonstrated by mishandling of rae insns printing for this file during 'objdump
-D' execution (bsc#1044891).
- CVE-2017-9747: The ieee_archive_p function in the Binary File Descriptor
(BFD) library (aka libbfd) might have allowed remote attackers to cause a
denial of service (buffer overflow and application crash) or possibly have
unspecified other impact via a crafted binary file, as demonstrated by
mishandling of this file during 'objdump -D' execution (bsc#1044897).
- CVE-2017-9748: The ieee_object_p function in the Binary File Descriptor (BFD)
library (aka libbfd) might have allowed remote attackers to cause a denial of
service (buffer overflow and application crash) or possibly have unspecified
other impact via a crafted binary file, as demonstrated by mishandling of this
file during 'objdump -D' execution (bsc#1044901).
- CVE-2017-9750: opcodes/rx-decode.opc lacked bounds checks for certain scale
arrays, which allowed remote attackers to cause a denial of service (buffer
overflow and application crash) or possibly have unspecified other impact via a
crafted binary file, as demonstrated by mishandling of this file during
'objdump -D' execution (bsc#1044909).
- CVE-2017-9755: Not considering the the number of registers for bnd mode
allowed remote attackers to cause a denial of service (buffer overflow and
application crash) or possibly have unspecified other impact via a crafted
binary file, as demonstrated by mishandling of this file during 'objdump -D'
execution (bsc#1044925).
- CVE-2017-9756: The aarch64_ext_ldst_reglist function allowed remote attackers
to cause a denial of service (buffer overflow and application crash) or
possibly have unspecified other impact via a crafted binary file, as
demonstrated by mishandling of this file during 'objdump -D' execution
(bsc#1044927).
- CVE-2017-7209: The dump_section_as_bytes function in readelf accessed a NULL
pointer while reading section contents in a corrupt binary, leading to a
program crash (bsc#1030298).
- CVE-2017-6965: readelf wrote to illegal addresses while processing corrupt
input files containing symbol-difference relocations, leading to a heap-based
buffer overflow (bsc#1029909).
- CVE-2017-6966: readelf had a use-after-free (specifically read-after-free)
error while processing multiple, relocated sections in an MSP430 binary. This
is caused by mishandling of an invalid symbol index, and mishandling of state
across invocations (bsc#1029908).
- CVE-2017-6969: readelf was vulnerable to a heap-based buffer over-read while
processing corrupt RL78 binaries. The vulnerability can trigger program
crashes. It may lead to an information leak as well (bsc#1029907).
- CVE-2017-7210: objdump was vulnerable to multiple heap-based buffer
over-reads (of size 1 and size 8) while handling corrupt STABS enum type
strings in a crafted object file, leading to program crash (bsc#1030297).
ModerateSUSE bug 1029907SUSE bug 1029908SUSE bug 1029909SUSE bug 1030296SUSE bug 1030297SUSE bug 1030298SUSE bug 1030584SUSE bug 1030585SUSE bug 1030588SUSE bug 1030589SUSE bug 1031590SUSE bug 1031593SUSE bug 1031595SUSE bug 1031638SUSE bug 1031644SUSE bug 1031656SUSE bug 1037052SUSE bug 1037057SUSE bug 1037061SUSE bug 1037066SUSE bug 1037273SUSE bug 1044891SUSE bug 1044897SUSE bug 1044901SUSE bug 1044909SUSE bug 1044925SUSE bug 1044927SUSE bug 1065643SUSE bug 1065689SUSE bug 1065693SUSE bug 1068640SUSE bug 1068643SUSE bug 1068887SUSE bug 1068888SUSE bug 1068950SUSE bug 1069176SUSE bug 1069202SUSE bug 1074741SUSE bug 1077745SUSE bug 1079103SUSE bug 1079741SUSE bug 1080556SUSE bug 1081527SUSE bug 1083528SUSE bug 1083532SUSE bug 1085784SUSE bug 1086608SUSE bug 1086784SUSE bug 1086786SUSE bug 1086788SUSE bug 1090997SUSE bug 1091015SUSE bug 1091365SUSE bug 1091368CVE-2014-9939 at SUSECVE-2014-9939 at NVDCVE-2017-15938 at SUSECVE-2017-15938 at NVDCVE-2017-15939 at SUSECVE-2017-15939 at NVDCVE-2017-15996 at SUSECVE-2017-15996 at NVDCVE-2017-16826 at SUSECVE-2017-16826 at NVDCVE-2017-16827 at SUSECVE-2017-16827 at NVDCVE-2017-16828 at SUSECVE-2017-16828 at NVDCVE-2017-16829 at SUSECVE-2017-16829 at NVDCVE-2017-16830 at SUSECVE-2017-16830 at NVDCVE-2017-16831 at SUSECVE-2017-16831 at NVDCVE-2017-16832 at SUSECVE-2017-16832 at NVDCVE-2017-6965 at SUSECVE-2017-6965 at NVDCVE-2017-6966 at SUSECVE-2017-6966 at NVDCVE-2017-6969 at SUSECVE-2017-6969 at NVDCVE-2017-7209 at SUSECVE-2017-7209 at NVDCVE-2017-7210 at SUSECVE-2017-7210 at NVDCVE-2017-7223 at SUSECVE-2017-7223 at NVDCVE-2017-7224 at SUSECVE-2017-7224 at NVDCVE-2017-7225 at SUSECVE-2017-7225 at NVDCVE-2017-7226 at SUSECVE-2017-7226 at NVDCVE-2017-7299 at SUSECVE-2017-7299 at NVDCVE-2017-7300 at SUSECVE-2017-7300 at NVDCVE-2017-7301 at SUSECVE-2017-7301 at NVDCVE-2017-7302 at SUSECVE-2017-7302 at NVDCVE-2017-7303 at SUSECVE-2017-7303 at NVDCVE-2017-7304 at SUSECVE-2017-7304 at NVDCVE-2017-8392 at SUSECVE-2017-8392 at NVDCVE-2017-8393 at SUSECVE-2017-8393 at NVDCVE-2017-8394 at SUSECVE-2017-8394 at NVDCVE-2017-8396 at SUSECVE-2017-8396 at NVDCVE-2017-8421 at SUSECVE-2017-8421 at NVDCVE-2017-9746 at SUSECVE-2017-9746 at NVDCVE-2017-9747 at SUSECVE-2017-9747 at NVDCVE-2017-9748 at SUSECVE-2017-9748 at NVDCVE-2017-9750 at SUSECVE-2017-9750 at NVDCVE-2017-9755 at SUSECVE-2017-9755 at NVDCVE-2017-9756 at SUSECVE-2017-9756 at NVDCVE-2018-10372 at SUSECVE-2018-10372 at NVDCVE-2018-10373 at SUSECVE-2018-10373 at NVDCVE-2018-10534 at SUSECVE-2018-10534 at NVDCVE-2018-10535 at SUSECVE-2018-10535 at NVDCVE-2018-6323 at SUSECVE-2018-6323 at NVDCVE-2018-6543 at SUSECVE-2018-6543 at NVDCVE-2018-6759 at SUSECVE-2018-6759 at NVDCVE-2018-6872 at SUSECVE-2018-6872 at NVDCVE-2018-7208 at SUSECVE-2018-7208 at NVDCVE-2018-7568 at SUSECVE-2018-7568 at NVDCVE-2018-7569 at SUSECVE-2018-7569 at NVDCVE-2018-7570 at SUSECVE-2018-7570 at NVDCVE-2018-7642 at SUSECVE-2018-7642 at NVDCVE-2018-7643 at SUSECVE-2018-7643 at NVDCVE-2018-8945 at SUSECVE-2018-8945 at NVDcpe:/o:suse:sles:12:sp3Security update for fuse (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for fuse fixes the following security issue:
- CVE-2018-10906: fusermount was vulnerable to a restriction bypass when
SELinux is active. This allowed non-root users to mount a FUSE file system with
the 'allow_other' mount option regardless of whether 'user_allow_other' is set
in the fuse configuration. An attacker may use this flaw to mount a FUSE file
system, accessible by other users, and trick them into accessing files on that
file system, possibly causing Denial of Service or other unspecified effects
(bsc#1101797)
ModerateSUSE bug 1101797CVE-2018-10906 at SUSECVE-2018-10906 at NVDcpe:/o:suse:sles:12:sp3Security update for libXfont (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libXfont fixes several issues.
These security issues were fixed:
- CVE-2017-13720: Improper check for end of string in PatterMatch caused invalid reads (bsc#1054285)
- CVE-2017-13722: Malformed PCF file could have caused DoS or leak information (bsc#1049692)
- Prevent the X server from accessing arbitrary files as root. It is not possible to leak information, but special files can be touched allowing for causing side effects (bsc#1050459)
ModerateSUSE bug 1049692SUSE bug 1050459SUSE bug 1054285CVE-2017-13720 at SUSECVE-2017-13720 at NVDCVE-2017-13722 at SUSECVE-2017-13722 at NVDcpe:/o:suse:sles:12:sp3Security update for ecryptfs-utils (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ecryptfs-utils fixes the following issues:
- CVE-2015-8946: ecryptfs-setup-swap improperly configures encrypted swap when using GPT partitioning (bsc#989121)
- CVE-2016-6224: ecryptfs-setup-swap improperly configures encrypted swap when using GPT partitioning on a NVMe or MMC drive (bsc#989122)
ModerateSUSE bug 989121SUSE bug 989122CVE-2015-8946 at SUSECVE-2015-8946 at NVDCVE-2016-6224 at SUSECVE-2016-6224 at NVDcpe:/o:suse:sles:12:sp3Security update for libXdmcp (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libXdmcp fixes the following issues:
- CVE-2017-2625: The generation of session key in XDM using libXdmcp might have used weak entropy, making
the session keys predictable (bsc#1025046)
ModerateSUSE bug 1025046CVE-2017-2625 at SUSECVE-2017-2625 at NVDcpe:/o:suse:sles:12:sp3Security update for libICE (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libICE fixes the following issues:
- CVE-2017-2626: Creation of the ICE auth session cookies used insufficient randomness, making these cookies
predictable. A more random generation method has been implemented. (boo#1025068)
ModerateSUSE bug 1025068CVE-2017-2626 at SUSECVE-2017-2626 at NVDcpe:/o:suse:sles:12:sp3Security update for rpm (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for rpm fixes the following issues:
These security issues were fixed:
- CVE-2017-7500: rpm did not properly handle RPM installations when a
destination path was a symbolic link to a directory, possibly changing
ownership and permissions of an arbitrary directory, and RPM files being placed
in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when
installing an RPM. An attacker with ability to write in a directory where files
will be installed could create symbolic links to an arbitrary location and
modify content, and possibly permissions to arbitrary files, which could be
used for denial of service or possibly privilege escalation (bsc#943457)
This non-security issue was fixed:
- Use ksym-provides tool [bsc#1077692]
ModerateSUSE bug 1077692SUSE bug 943457CVE-2017-7500 at SUSECVE-2017-7500 at NVDCVE-2017-7501 at SUSECVE-2017-7501 at NVDcpe:/o:suse:sles:12:sp3Security update for tiff (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for tiff fixes the following issues:
- CVE-2018-17100: There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108637)
- CVE-2018-17101: There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108627)
- CVE-2018-17795: The function t2p_write_pdf in tiff2pdf.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935. (bsc#1110358)
- CVE-2018-16335: newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf. This is a different vulnerability than CVE-2018-15209. (bsc#1106853)
ModerateSUSE bug 1106853SUSE bug 1108627SUSE bug 1108637SUSE bug 1110358CVE-2017-11613 at SUSECVE-2017-11613 at NVDCVE-2017-9935 at SUSECVE-2017-9935 at NVDCVE-2018-16335 at SUSECVE-2018-16335 at NVDCVE-2018-17100 at SUSECVE-2018-17100 at NVDCVE-2018-17101 at SUSECVE-2018-17101 at NVDCVE-2018-17795 at SUSECVE-2018-17795 at NVDcpe:/o:suse:sles:12:sp3Security update for pam_pkcs11 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for pam_pkcs11 provides the following fixes:
Security issues fixed (bsc#1105012):
- Fixed a logic bug in pampkcs11.c, leading to an authentication replay vulnerability
- Fixed a stack-based buffer overflow in opensshmapper.c
- Make sure memory is properly cleaned before invoking free()
Other changes:
- Add a systemd service file. (bsc#1049219)
ModerateSUSE bug 1049219SUSE bug 1105012cpe:/o:suse:sles:12:sp3Security update for jasper (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for jasper fixes the following issues:
Security issues fixed:
- CVE-2016-9262: Multiple integer overflows in the jas_realloc function in base/jas_malloc.c and
mem_resize function in base/jas_stream.c allow remote attackers to cause a denial of service via
a crafted image, which triggers use after free vulnerabilities. (bsc#1009994)
- CVE-2016-9388: The ras_getcmap function in ras_dec.c allows remote attackers to cause a denial
of service (assertion failure) via a crafted image file. (bsc#1010975)
- CVE-2016-9389: The jpc_irct and jpc_iict functions in jpc_mct.c allow remote attackers to cause a
denial of service (assertion failure). (bsc#1010968)
- CVE-2016-9390: The jas_seq2d_create function in jas_seq.c allows remote attackers to cause a
denial of service (assertion failure) via a crafted image file. (bsc#1010774)
- CVE-2016-9391: The jpc_bitstream_getbits function in jpc_bs.c allows remote attackers to cause a
denial of service (assertion failure) via a very large integer. (bsc#1010782)
- CVE-2017-1000050: The jp2_encode function in jp2_enc.c allows remote attackers to cause a denial
of service. (bsc#1047958)
CVEs already fixed with previous update:
- CVE-2016-9392: The calcstepsizes function in jpc_dec.c allows remote attackers to cause a denial
of service (assertion failure) via a crafted file. (bsc#1010757)
- CVE-2016-9393: The jpc_pi_nextrpcl function in jpc_t2cod.c allows remote attackers to cause a
denial of service (assertion failure) via a crafted file. (bsc#1010766)
- CVE-2016-9394: The jas_seq2d_create function in jas_seq.c allows remote attackers to cause a
denial of service (assertion failure) via a crafted file. (bsc#1010756)
ModerateSUSE bug 1009994SUSE bug 1010756SUSE bug 1010757SUSE bug 1010766SUSE bug 1010774SUSE bug 1010782SUSE bug 1010968SUSE bug 1010975SUSE bug 1047958CVE-2016-9262 at SUSECVE-2016-9262 at NVDCVE-2016-9388 at SUSECVE-2016-9388 at NVDCVE-2016-9389 at SUSECVE-2016-9389 at NVDCVE-2016-9390 at SUSECVE-2016-9390 at NVDCVE-2016-9391 at SUSECVE-2016-9391 at NVDCVE-2016-9392 at SUSECVE-2016-9392 at NVDCVE-2016-9393 at SUSECVE-2016-9393 at NVDCVE-2016-9394 at SUSECVE-2016-9394 at NVDCVE-2017-1000050 at SUSECVE-2017-1000050 at NVDcpe:/o:suse:sles:12:sp3Security update for ntp (Moderate)SUSE Linux Enterprise Server 12 SP3
NTP was updated to 4.2.8p12 (bsc#1111853):
- CVE-2018-12327: Fixed stack buffer overflow in the openhost() command-line call of NTPQ/NTPDC. (bsc#1098531)
- CVE-2018-7170: Add further tweaks to improve the fix for the ephemeral association time spoofing additional protection (bsc#1083424)
Please also see https://www.nwtime.org/network-time-foundation-publishes-ntp-4-2-8p12/ for more information.
ModerateSUSE bug 1083424SUSE bug 1098531SUSE bug 1111853CVE-2018-12327 at SUSECVE-2018-12327 at NVDCVE-2018-7170 at SUSECVE-2018-7170 at NVDcpe:/o:suse:sles:12:sp3Security update for postgresql96 (Important)SUSE Linux Enterprise Server 12 SP3
This update for postgresql96 to 9.6.10 fixes the following issues:
These security issues were fixed:
- CVE-2018-10915: libpq failed to properly reset its internal state between
connections. If an affected version of libpq was used with 'host' or 'hostaddr'
connection parameters from untrusted input, attackers could have bypassed
client-side connection security features, obtain access to higher privileged
connections or potentially cause other impact SQL injection, by causing the
PQescape() functions to malfunction (bsc#1104199)
- CVE-2018-10925: Add missing authorization check on certain statements
involved with 'INSERT ... ON CONFLICT DO UPDATE'. An attacker with 'CREATE
TABLE' privileges could have exploited this to read arbitrary bytes server
memory. If the attacker also had certain 'INSERT' and limited 'UPDATE'
privileges to a particular table, they could have exploited this to update
other columns in the same table (bsc#1104202)
For addition details please see
https://www.postgresql.org/docs/current/static/release-9-6-10.html
ImportantSUSE bug 1104199SUSE bug 1104202CVE-2018-10915 at SUSECVE-2018-10915 at NVDCVE-2018-10925 at SUSECVE-2018-10925 at NVDcpe:/o:suse:sles:12:sp3Security update for tomcat (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for tomcat fixes the following issues:
- CVE-2018-11784: When the default servlet in Apache Tomcat returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. (bsc#1110850)
ModerateSUSE bug 1110850CVE-2018-11784 at SUSECVE-2018-11784 at NVDcpe:/o:suse:sles:12:sp3Security update for webkit2gtk3 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for webkit2gtk3 to version 2.20.3 fixes the issues:
The following security vulnerabilities were addressed:
- CVE-2018-12911: Fixed an off-by-one error in xdg_mime_get_simple_globs
(boo#1101999)
- CVE-2017-13884: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1075775).
- CVE-2017-13885: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1075775).
- CVE-2017-7153: An unspecified issue allowed remote attackers to spoof
user-interface information (about whether the entire content is derived from a
valid TLS session) via a crafted web site that sends a 401 Unauthorized
redirect (bsc#1077535).
- CVE-2017-7160: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1075775).
- CVE-2017-7161: An unspecified issue allowed remote attackers to execute
arbitrary code via special characters that trigger command injection
(bsc#1075775, bsc#1077535).
- CVE-2017-7165: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1075775).
- CVE-2018-4088: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1075775).
- CVE-2018-4096: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1075775).
- CVE-2018-4200: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site that triggers a
WebCore::jsElementScrollHeightGetter use-after-free (bsc#1092280).
- CVE-2018-4204: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1092279).
- CVE-2018-4101: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1088182).
- CVE-2018-4113: An issue in the JavaScriptCore function in the 'WebKit'
component allowed attackers to trigger an assertion failure by leveraging
improper array indexing (bsc#1088182)
- CVE-2018-4114: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1088182)
- CVE-2018-4117: An unspecified issue allowed remote attackers to bypass the
Same Origin Policy and obtain sensitive information via a crafted web site
(bsc#1088182, bsc#1102530).
- CVE-2018-4118: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1088182)
- CVE-2018-4119: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1088182)
- CVE-2018-4120: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1088182).
- CVE-2018-4121: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1092278).
- CVE-2018-4122: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1088182).
- CVE-2018-4125: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1088182).
- CVE-2018-4127: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1088182).
- CVE-2018-4128: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1088182).
- CVE-2018-4129: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1088182).
- CVE-2018-4146: An unspecified issue allowed attackers to cause a denial of
service (memory corruption) via a crafted web site (bsc#1088182).
- CVE-2018-4161: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1088182).
- CVE-2018-4162: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1088182).
- CVE-2018-4163: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1088182).
- CVE-2018-4165: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1088182).
- CVE-2018-4190: An unspecified issue allowed remote attackers to obtain
sensitive credential information that is transmitted during a CSS mask-image
fetch (bsc#1097693)
- CVE-2018-4199: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (buffer overflow and application
crash) via a crafted web site (bsc#1097693)
- CVE-2018-4218: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site that triggers an @generatorState use-after-free
(bsc#1097693)
- CVE-2018-4222: An unspecified issue allowed remote attackers to execute
arbitrary code via a crafted web site that leverages a getWasmBufferFromValue
out-of-bounds read during WebAssembly compilation (bsc#1097693)
- CVE-2018-4232: An unspecified issue allowed remote attackers to overwrite
cookies via a crafted web site (bsc#1097693)
- CVE-2018-4233: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1097693)
- CVE-2018-4246: An unspecified issue allowed remote attackers to execute
arbitrary code via a crafted web site that leverages type confusion
(bsc#1104169)
- CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL and
webkitFaviconDatabaseSetIconURLForPageURL mishandled an unset pageURL, leading
to an application crash (bsc#1095611)
- CVE-2018-4133: A Safari cross-site scripting (XSS) vulnerability allowed
remote attackers to inject arbitrary web script or HTML via a crafted URL
(bsc#1088182).
- CVE-2018-11713: The libsoup network backend of WebKit unexpectedly failed to
use system proxy settings for WebSocket connections. As a result, users could
be deanonymized by crafted web sites via a WebSocket connection (bsc#1096060).
- CVE-2018-11712: The libsoup network backend of WebKit failed to perform TLS
certificate verification for WebSocket connections (bsc#1096061).
This update for webkit2gtk3 fixes the following issues:
- Fixed a crash when atk_object_ref_state_set is called on an AtkObject that's
being destroyed (bsc#1088932).
- Fixed crash when using Wayland with QXL/virtio (bsc#1079512)
- Disable Gigacage if mmap fails to allocate in Linux.
- Add user agent quirk for paypal website.
- Properly detect compiler flags, needed libs, and fallbacks for
usage of 64-bit atomic operations.
- Fix a network process crash when trying to get cookies of
about:blank page.
- Fix UI process crash when closing the window under Wayland.
- Fix several crashes and rendering issues.
- Do TLS error checking on GTlsConnection::accept-certificate to
finish the load earlier in case of errors.
- Properly close the connection to the nested wayland compositor
in the Web Process.
- Avoid painting backing stores for zero-opacity layers.
- Fix downloads started by context menu failing in some websites
due to missing user agent HTTP header.
- Fix video unpause when GStreamerGL is disabled.
- Fix several GObject introspection annotations.
- Update user agent quiks to fix Outlook.com and Chase.com.
- Fix several crashes and rendering issues.
- Improve error message when Gigacage cannot allocate virtual memory.
- Add missing WebKitWebProcessEnumTypes.h to webkit-web-extension.h.
- Improve web process memory monitor thresholds.
- Fix a web process crash when the web view is created and destroyed quickly.
- Fix a network process crash when load is cancelled while searching for
stored HTTP auth credentials.
- Fix the build when ENABLE_VIDEO, ENABLE_WEB_AUDIO and
ENABLE_XSLT are disabled.
- New API to retrieve and delete cookies with WebKitCookieManager.
- New web process API to detect when form is submitted via JavaScript.
- Several improvements and fixes in the touch/gestures support.
- Support for the “system” CSS font family.
- Complex text rendering improvements and fixes.
- More complete and spec compliant WebDriver implementation.
- Ensure DNS prefetching cannot be re-enabled if disabled by settings.
- Fix seek sometimes not working.
- Fix rendering of emojis that were using the wrong scale factor
in some cases.
- Fix rendering of combining enclosed keycap.
- Fix rendering scale of some layers in HiDPI.
- Fix a crash in Wayland when closing the web view.
- Fix crashes upower crashes when running inside a chroot or on
systems with broken dbus/upower.
- Fix memory leaks in GStreamer media backend when using
GStreamer 1.14.
- Fix several crashes and rendering issues.
- Add ENABLE_ADDRESS_SANITIZER to make it easier to build with
asan support.
- Fix a crash a under Wayland when using mesa software
rasterization.
- Make fullscreen video work again.
- Fix handling of missing GStreamer elements.
- Fix rendering when webm video is played twice.
- Fix kinetic scrolling sometimes jumping around.
- Fix build with ICU configured without collation support.
- WebSockets use system proxy settings now (requires libsoup 2.61.90).
- Show the context menu on long-press gesture.
- Add support for Shift + mouse scroll to scroll horizontally.
- Fix zoom gesture to actually zoom instead of changing the page
scale.
- Implement support for Graphics ARIA roles.
- Make sleep inhibitors work under Flatpak.
- Add get element CSS value command to WebDriver.
- Fix a crash aftter a swipe gesture.
- Fix several crashes and rendering issues.
- Fix crashes due to duplicated symbols in libjavascriptcoregtk
and libwebkit2gtk.
- Fix parsing of timeout values in WebDriver.
- Implement get timeouts command in WebDriver.
- Fix deadlock in GStreamer video sink during shutdown when
accelerated compositing is disabled.
- Fix several crashes and rendering issues.
- Add web process API to detect when form is submitted via
JavaScript.
- Add new API to replace
webkit_form_submission_request_get_text_fields() that is now
deprecated.
- Add WebKitWebView::web-process-terminated signal and deprecate
web-process-crashed.
- Fix rendering issues when editing text areas.
- Use FastMalloc based GstAllocator for GStreamer.
- Fix web process crash at startup in bmalloc.
- Fix several memory leaks in GStreamer media backend.
- WebKitWebDriver process no longer links to
libjavascriptcoregtk.
- Fix several crashes and rendering issues.
- Add new API to add, retrieve and delete cookies via
WebKitCookieManager.
- Add functions to WebSettings to convert font sizes between
points and pixels.
- Ensure cookie operations take effect when they happen before a
web process has been spawned.
- Automatically adjust font size when GtkSettings:gtk-xft-dpi
changes.
- Add initial resource load statistics support.
- Add API to expose availability of certain editing commands in
WebKitEditorState.
- Add API to query whether a WebKitNavigationAction is a redirect
or not.
- Improve complex text rendering.
- Add support for the 'system' CSS font family.
- Disable USE_GSTREAMER_GL
ModerateSUSE bug 1075775SUSE bug 1077535SUSE bug 1079512SUSE bug 1088182SUSE bug 1088932SUSE bug 1092278SUSE bug 1092279SUSE bug 1092280SUSE bug 1095611SUSE bug 1096060SUSE bug 1096061SUSE bug 1097693SUSE bug 1101999SUSE bug 1102530SUSE bug 1104169CVE-2017-13884 at SUSECVE-2017-13884 at NVDCVE-2017-13885 at SUSECVE-2017-13885 at NVDCVE-2017-7153 at SUSECVE-2017-7153 at NVDCVE-2017-7160 at SUSECVE-2017-7160 at NVDCVE-2017-7161 at SUSECVE-2017-7161 at NVDCVE-2017-7165 at SUSECVE-2017-7165 at NVDCVE-2018-11646 at SUSECVE-2018-11646 at NVDCVE-2018-11712 at SUSECVE-2018-11712 at NVDCVE-2018-11713 at SUSECVE-2018-11713 at NVDCVE-2018-12911 at SUSECVE-2018-12911 at NVDCVE-2018-4088 at SUSECVE-2018-4088 at NVDCVE-2018-4096 at SUSECVE-2018-4096 at NVDCVE-2018-4101 at SUSECVE-2018-4101 at NVDCVE-2018-4113 at SUSECVE-2018-4113 at NVDCVE-2018-4114 at SUSECVE-2018-4114 at NVDCVE-2018-4117 at SUSECVE-2018-4117 at NVDCVE-2018-4118 at SUSECVE-2018-4118 at NVDCVE-2018-4119 at SUSECVE-2018-4119 at NVDCVE-2018-4120 at SUSECVE-2018-4120 at NVDCVE-2018-4121 at SUSECVE-2018-4121 at NVDCVE-2018-4122 at SUSECVE-2018-4122 at NVDCVE-2018-4125 at SUSECVE-2018-4125 at NVDCVE-2018-4127 at SUSECVE-2018-4127 at NVDCVE-2018-4128 at SUSECVE-2018-4128 at NVDCVE-2018-4129 at SUSECVE-2018-4129 at NVDCVE-2018-4133 at SUSECVE-2018-4133 at NVDCVE-2018-4146 at SUSECVE-2018-4146 at NVDCVE-2018-4161 at SUSECVE-2018-4161 at NVDCVE-2018-4162 at SUSECVE-2018-4162 at NVDCVE-2018-4163 at SUSECVE-2018-4163 at NVDCVE-2018-4165 at SUSECVE-2018-4165 at NVDCVE-2018-4190 at SUSECVE-2018-4190 at NVDCVE-2018-4199 at SUSECVE-2018-4199 at NVDCVE-2018-4200 at SUSECVE-2018-4200 at NVDCVE-2018-4204 at SUSECVE-2018-4204 at NVDCVE-2018-4218 at SUSECVE-2018-4218 at NVDCVE-2018-4222 at SUSECVE-2018-4222 at NVDCVE-2018-4232 at SUSECVE-2018-4232 at NVDCVE-2018-4233 at SUSECVE-2018-4233 at NVDCVE-2018-4246 at SUSECVE-2018-4246 at NVDcpe:/o:suse:sles:12:sp3Security update for exempi (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for exempi fixes the following security issues:
- CVE-2017-18233: Prevent integer overflow in the Chunk class that allowed
remote attackers to cause a denial of service (infinite loop) via crafted XMP
data in a .avi file (bsc#1085584).
- CVE-2017-18238: The TradQT_Manager::ParseCachedBoxes function allowed remote
attackers to cause a denial of service (infinite loop) via crafted XMP data in
a .qt file (bsc#1085583).
- CVE-2018-7728: Fixed heap-based buffer overflow, which allowed denial of
service via crafted TIFF image (bsc#1085297).
- CVE-2018-7730: Fixed heap-based buffer overflow in
XMPFiles/source/FormatSupport/PSIR_FileWriter.cpp (bsc#1085295).
- CVE-2017-18236: The ASF_Support::ReadHeaderObject function allowed remote
attackers to cause a denial of service (infinite loop) via a crafted .asf file
(bsc#1085589).
- CVE-2017-18234: Prevent use-after-free that allowed remote attackers to cause
a denial of service or possibly have unspecified other impact via a .pdf file
containing JPEG data (bsc#1085585).
ModerateSUSE bug 1085295SUSE bug 1085297SUSE bug 1085583SUSE bug 1085584SUSE bug 1085585SUSE bug 1085589CVE-2017-18233 at SUSECVE-2017-18233 at NVDCVE-2017-18234 at SUSECVE-2017-18234 at NVDCVE-2017-18236 at SUSECVE-2017-18236 at NVDCVE-2017-18238 at SUSECVE-2017-18238 at NVDCVE-2018-7728 at SUSECVE-2018-7728 at NVDCVE-2018-7730 at SUSECVE-2018-7730 at NVDcpe:/o:suse:sles:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ImageMagick fixes several issues.
These security issues were fixed:
- CVE-2017-18027: Prevent memory leak vulnerability in the function
ReadMATImage which allowed remote attackers to cause a denial of service via a
crafted file (bsc#1076051)
- CVE-2017-18029: Prevent memory leak in the function ReadMATImage which
allowed remote attackers to cause a denial of service via a crafted file
(bsc#1076021)
- CVE-2017-17681: Prevent infinite loop in the function ReadPSDChannelZip in
coders/psd.c, which allowed attackers to cause a denial of service (CPU
exhaustion) via a crafted psd image file (bsc#1072901).
- CVE-2017-18008: Prevent memory Leak in ReadPWPImage which allowed attackers
to cause a denial of service via a PWP file (bsc#1074309).
- CVE-2018-5685: Prevent infinite loop and application hang in the ReadBMPImage
function. Remote attackers could leverage this vulnerability to cause a denial
of service via an image file with a crafted bit-field mask value (bsc#1075939)
- CVE-2017-11639: Prevent heap-based buffer over-read in the WriteCIPImage()
function, related to the GetPixelLuma function in MagickCore/pixel-accessor.h
(bsc#1050635)
- CVE-2017-11525: Prevent memory consumption in the ReadCINImage function that
allowed remote attackers to cause a denial of service (bsc#1050098)
- CVE-2017-9262: The ReadJNGImage function in coders/png.c allowed attackers to
cause a denial of service (memory leak) via a crafted file (bsc#1043353).
- CVE-2017-9261: The ReadMNGImage function in coders/png.c allowed attackers to
cause a denial of service (memory leak) via a crafted file (bsc#1043354).
- CVE-2017-10995: The mng_get_long function in coders/png.c allowed remote
attackers to cause a denial of service (heap-based buffer over-read and
application crash) via a crafted MNG image (bsc#1047908).
- CVE-2017-11539: Prevent memory leak in the ReadOnePNGImage() function in
coders/png.c (bsc#1050037).
- CVE-2017-11505: The ReadOneJNGImage function in coders/png.c allowed remote
attackers to cause a denial of service (large loop and CPU consumption) via a
crafted file (bsc#1050072).
- CVE-2017-11526: The ReadOneMNGImage function in coders/png.c allowed remote
attackers to cause a denial of service (large loop and CPU consumption) via a
crafted file (bsc#1050100).
- CVE-2017-11750: The ReadOneJNGImage function in coders/png.c allowed remote
attackers to cause a denial of service (NULL pointer dereference) via a crafted
file (bsc#1051442).
- CVE-2017-12565: Prevent memory leak in the function ReadOneJNGImage in
coders/png.c, which allowed attackers to cause a denial of service
(bsc#1052470).
- CVE-2017-12676: Prevent memory leak in the function ReadOneJNGImage in
coders/png.c, which allowed attackers to cause a denial of service
(bsc#1052708).
- CVE-2017-12673: Prevent memory leak in the function ReadOneMNGImage in
coders/png.c, which allowed attackers to cause a denial of service
(bsc#1052717).
- CVE-2017-12671: Added NULL assignment in coders/png.c to prevent an invalid
free in the function RelinquishMagickMemory in MagickCore/memory.c, which
allowed attackers to cause a denial of service (bsc#1052721).
- CVE-2017-12643: Prevent a memory exhaustion vulnerability in ReadOneJNGImage
in coders\png.c (bsc#1052768).
- CVE-2017-12641: Prevent a memory leak vulnerability in ReadOneJNGImage in
coders\png.c (bsc#1052777).
- CVE-2017-12640: Prevent an out-of-bounds read vulnerability in
ReadOneMNGImage in coders/png.c (bsc#1052781).
- CVE-2017-12935: The ReadMNGImage function in coders/png.c mishandled large
MNG images, leading to an invalid memory read in the SetImageColorCallBack
function in magick/image.c (bsc#1054600).
- CVE-2017-13059: Prevent memory leak in the function WriteOneJNGImage in
coders/png.c, which allowed attackers to cause a denial of service
(WriteJNGImage memory consumption) via a crafted file (bsc#1055068).
- CVE-2017-13147: Prevent allocation failure in the function ReadMNGImage in
coders/png.c when a small MNG file has a MEND chunk with a large length value
(bsc#1055374).
- CVE-2017-13142: Added additional checks for short files to prevent a crafted
PNG file from triggering a crash (bsc#1055455).
- CVE-2017-13141: Prevent memory leak in ReadOnePNGImage in coders/png.c
(bsc#1055456).
- CVE-2017-14103: The ReadJNGImage and ReadOneJNGImage functions in
coders/png.c did not properly manage image pointers after certain error
conditions, which allowed remote attackers to conduct use-after-free attacks
via a crafted file, related to a ReadMNGImage out-of-order CloseBlob call
(bsc#1057000).
- CVE-2017-14649: ReadOneJNGImage in coders/png.c did not properly validate JNG
data, leading to a denial of service (assertion failure in
magick/pixel_cache.c, and application crash) (bsc#1060162).
- CVE-2017-15218: Prevent memory leak in ReadOneJNGImage in coders/png.c
(bsc#1062752).
- CVE-2017-17504: Prevent heap-based buffer over-read via a crafted file in
Magick_png_read_raw_profile, related to ReadOneMNGImage (bsc#1072362).
- CVE-2017-17884: Prevent memory leak in the function WriteOnePNGImage in
coders/png.c, which allowed attackers to cause a denial of service via a
crafted PNG image file (bsc#1074120).
- CVE-2017-17879: Prevent heap-based buffer over-read in ReadOneMNGImage in
coders/png.c, related to length calculation and caused by an off-by-one error
(bsc#1074125).
- CVE-2017-17914: Prevent crafted files to cause a large loop in
ReadOneMNGImage (bsc#1074185).
ModerateSUSE bug 1043353SUSE bug 1043354SUSE bug 1047908SUSE bug 1050037SUSE bug 1050072SUSE bug 1050098SUSE bug 1050100SUSE bug 1050635SUSE bug 1051442SUSE bug 1052470SUSE bug 1052708SUSE bug 1052717SUSE bug 1052721SUSE bug 1052768SUSE bug 1052777SUSE bug 1052781SUSE bug 1054600SUSE bug 1055068SUSE bug 1055374SUSE bug 1055455SUSE bug 1055456SUSE bug 1057000SUSE bug 1060162SUSE bug 1062752SUSE bug 1072362SUSE bug 1072901SUSE bug 1074120SUSE bug 1074125SUSE bug 1074185SUSE bug 1074309SUSE bug 1075939SUSE bug 1076021SUSE bug 1076051CVE-2017-10995 at SUSECVE-2017-10995 at NVDCVE-2017-11505 at SUSECVE-2017-11505 at NVDCVE-2017-11525 at SUSECVE-2017-11525 at NVDCVE-2017-11526 at SUSECVE-2017-11526 at NVDCVE-2017-11539 at SUSECVE-2017-11539 at NVDCVE-2017-11639 at SUSECVE-2017-11639 at NVDCVE-2017-11750 at SUSECVE-2017-11750 at NVDCVE-2017-12565 at SUSECVE-2017-12565 at NVDCVE-2017-12640 at SUSECVE-2017-12640 at NVDCVE-2017-12641 at SUSECVE-2017-12641 at NVDCVE-2017-12643 at SUSECVE-2017-12643 at NVDCVE-2017-12671 at SUSECVE-2017-12671 at NVDCVE-2017-12673 at SUSECVE-2017-12673 at NVDCVE-2017-12676 at SUSECVE-2017-12676 at NVDCVE-2017-12935 at SUSECVE-2017-12935 at NVDCVE-2017-13059 at SUSECVE-2017-13059 at NVDCVE-2017-13141 at SUSECVE-2017-13141 at NVDCVE-2017-13142 at SUSECVE-2017-13142 at NVDCVE-2017-13147 at SUSECVE-2017-13147 at NVDCVE-2017-14103 at SUSECVE-2017-14103 at NVDCVE-2017-14649 at SUSECVE-2017-14649 at NVDCVE-2017-15218 at SUSECVE-2017-15218 at NVDCVE-2017-17504 at SUSECVE-2017-17504 at NVDCVE-2017-17681 at SUSECVE-2017-17681 at NVDCVE-2017-17879 at SUSECVE-2017-17879 at NVDCVE-2017-17884 at SUSECVE-2017-17884 at NVDCVE-2017-17914 at SUSECVE-2017-17914 at NVDCVE-2017-18008 at SUSECVE-2017-18008 at NVDCVE-2017-18027 at SUSECVE-2017-18027 at NVDCVE-2017-18029 at SUSECVE-2017-18029 at NVDCVE-2017-9261 at SUSECVE-2017-9261 at NVDCVE-2017-9262 at SUSECVE-2017-9262 at NVDCVE-2018-5246 at SUSECVE-2018-5246 at NVDCVE-2018-5685 at SUSECVE-2018-5685 at NVDcpe:/o:suse:sles:12:sp3Security update for clamav (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for clamav fixes the following issues:
clamav was updated to version 0.100.2:
- CVE-2018-15378: Vulnerability in ClamAV's MEW unpacking feature that
could allow an unauthenticated, remote attacker to cause a denial of
service (DoS) condition on an affected device. (bsc#1110723)
- CVE-2018-14680, CVE-2018-14681, CVE-2018-14682: more fixes for embedded
libmspack. (bsc#1103040)
- Make freshclam more robust against lagging signature mirrors.
- On-Access 'Extra Scanning', an opt-in minor feature of
OnAccess scanning on Linux systems, has been disabled due to a
known issue with resource cleanup OnAccessExtraScanning will
be re-enabled in a future release when the issue is
resolved. In the mean-time, users who enabled the feature in
clamd.conf will see a warning informing them that the feature
is not active. For details, see:
https://bugzilla.clamav.net/show_bug.cgi?id=12048
- Restore exit code compatibility of freshclam with versions before
0.100.0 when the virus database is already up to date
(bsc#1104457).
ModerateSUSE bug 1103040SUSE bug 1104457SUSE bug 1110723CVE-2018-14680 at SUSECVE-2018-14680 at NVDCVE-2018-14681 at SUSECVE-2018-14681 at NVDCVE-2018-14682 at SUSECVE-2018-14682 at NVDCVE-2018-15378 at SUSECVE-2018-15378 at NVDcpe:/o:suse:sles:12:sp3Security update for net-snmp (Important)SUSE Linux Enterprise Server 12 SP3
This update for net-snmp fixes the following issues:
Security issues fixed:
- CVE-2018-18065: _set_key in agent/helpers/table_container.c had a NULL Pointer Exception bug that can be used by an authenticated attacker to remotely cause the instance to crash via a crafted UDP packet, resulting in Denial of Service. (bsc#1111122)
Non-security issues fixed:
- swintst_rpm: Protect against unspecified Group name (bsc#1102775)
- Add tsm and tlstm MIBs and the USM security module. (bsc#1081164)
- Fix agentx freezing on timeout (bsc#1027353)
ImportantSUSE bug 1027353SUSE bug 1081164SUSE bug 1102775SUSE bug 1111122CVE-2018-18065 at SUSECVE-2018-18065 at NVDcpe:/o:suse:sles:12:sp3Security update for libsndfile (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libsndfile fixes the following issues:
- CVE-2017-16942: Divide-by-zero in the function wav_w64_read_fmt_chunk(), which may lead to Denial of service (bsc#1069874).
- CVE-2017-6892: Fixed an out-of-bounds read memory access in the aiff_read_chanmap() (bsc#1043978).
- CVE-2017-14634: In libsndfile 1.0.28, a divide-by-zero error exists in the function double64_init() in double64.c, which may lead to DoS when playing a crafted audio file. (bsc#1059911)
- CVE-2017-14245: An out of bounds read in the function d2alaw_array() in alaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of
the NAN and INFINITY floating-point values. (bsc#1059912)
- CVE-2017-14246: An out of bounds read in the function d2ulaw_array() in ulaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of
the NAN and INFINITY floating-point values.(bsc#1059913)
ModerateSUSE bug 1043978SUSE bug 1059911SUSE bug 1059912SUSE bug 1059913SUSE bug 1069874CVE-2017-14245 at SUSECVE-2017-14245 at NVDCVE-2017-14246 at SUSECVE-2017-14246 at NVDCVE-2017-14634 at SUSECVE-2017-14634 at NVDCVE-2017-16942 at SUSECVE-2017-16942 at NVDCVE-2017-6892 at SUSECVE-2017-6892 at NVDcpe:/o:suse:sles:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ImageMagick fixes the following issues:
- CVE-2017-14997: GraphicsMagick allowed remote attackers to cause a denial of service (excessive memory allocation) because of an integer underflow in ReadPICTImage in coders/pict.c. [bsc#1112399]
- CVE-2018-16644: An regression in the security fix for the pict coder was fixed (bsc#1107609)
ModerateSUSE bug 1107609SUSE bug 1112399CVE-2017-14997 at SUSECVE-2017-14997 at NVDCVE-2018-16644 at SUSECVE-2018-16644 at NVDcpe:/o:suse:sles:12:sp3Security update for smt (Moderate)SUSE Linux Enterprise Server 12 SP3
SMT was updated to version 3.0.38.
Following security issue was fixed:
- CVE-2018-12472: Harden hostname check during sibling check by forcing double
reverse lookup (bsc#1104076)
Following non security issues were fixed:
- Add migration path check when registration sharing is enabled
- Fix sibling sync errors (bsc#1111056):
- Synchronize all registered products
- Handle duplicate registrations when syncing
- Force resync to the sibling instance in `upgrade` and
`synchronize` API calls
ModerateSUSE bug 1104076SUSE bug 1111056CVE-2018-12472 at SUSECVE-2018-12472 at NVDcpe:/o:suse:sles:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3
This update for xen fixes the following issues:
XEN was updated to the Xen 4.9.3 bug fix only release (bsc#1027519)
- CVE-2018-17963: qemu_deliver_packet_iov accepted packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact. (bsc#1111014)
- CVE-2018-15470: oxenstored might not have enforced the configured quota-maxentity. This allowed a malicious or buggy guest to write as many xenstore entries as it wishes, causing unbounded memory usage in oxenstored. This can lead to a system-wide DoS. (XSA-272) (bsc#1103279)
- CVE-2018-15469: ARM never properly implemented grant table v2, either in the hypervisor or in Linux. Unfortunately, an ARM guest can still request v2 grant tables; they will simply not be properly set up, resulting in subsequent grant-related hypercalls hitting BUG() checks. An unprivileged guest can cause a BUG() check in the hypervisor, resulting in a denial-of-service (crash). (XSA-268) (bsc#1103275)
Note that SUSE does not ship ARM Xen, so we are not affected.
- CVE-2018-15468: The DEBUGCTL MSR contains several debugging features, some of which virtualise cleanly, but some do not. In particular, Branch Trace Store is not virtualised by the processor, and software has to be careful to configure it suitably not to lock up the core. As a result, it must only be available to fully trusted guests. Unfortunately, in the case that vPMU is disabled, all value checking was skipped, allowing the guest to choose any MSR_DEBUGCTL setting it likes. A malicious or buggy guest administrator (on Intel x86 HVM or PVH) can lock up the entire host, causing a Denial of Service. (XSA-269) (bsc#1103276)
- CVE-2018-3646: Systems with microprocessors utilizing speculative execution and address translations may have allowed unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis. (XSA-273) (bsc#1091107)
Non security issues fixed:
- The affinity reporting via 'xl vcpu-list' was broken (bsc#1106263)
- Kernel oops in fs/dcache.c called by d_materialise_unique() (bsc#1094508)
ImportantSUSE bug 1027519SUSE bug 1078292SUSE bug 1091107SUSE bug 1094508SUSE bug 1103275SUSE bug 1103276SUSE bug 1103279SUSE bug 1106263SUSE bug 1111014CVE-2018-15468 at SUSECVE-2018-15468 at NVDCVE-2018-15469 at SUSECVE-2018-15469 at NVDCVE-2018-15470 at SUSECVE-2018-15470 at NVDCVE-2018-17963 at SUSECVE-2018-17963 at NVDCVE-2018-3646 at SUSECVE-2018-3646 at NVDcpe:/o:suse:sles:12:sp3Security update for lcms2 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for lcms2 fixes the following security issues:
- CVE-2016-10165: The Type_MLU_Read function allowed remote attackers to obtain
sensitive information or cause a denial of service via an image with a crafted
ICC profile, which triggered an out-of-bounds heap read (bsc#1021364).
- CVE-2018-16435: A integer overflow was fixed in the AllocateDataSet
function in cmscgats.c, that could lead to a heap-based buffer overflow
in the SetData function via a crafted file in the second argument to
cmsIT8LoadFromFile. (bsc#1108813)
- Ensure that LUT stages match channel count (bsc#1026649).
- sanitize input and output channels on MPE profiles (bsc#1026650).
ModerateSUSE bug 1021364SUSE bug 1026649SUSE bug 1026650SUSE bug 1108813CVE-2016-10165 at SUSECVE-2016-10165 at NVDCVE-2018-16435 at SUSECVE-2018-16435 at NVDcpe:/o:suse:sles:12:sp3Security update for qemu (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for qemu fixes the following issues:
These security issues were fixed:
- CVE-2018-12617: qmp_guest_file_read had an integer overflow that could have
been exploited by sending a crafted QMP command (including guest-file-read with
a large count value) to the agent via the listening socket causing DoS
(bsc#1098735).
- CVE-2018-11806: Prevent heap-based buffer overflow via incoming fragmented
datagrams (bsc#1096223).
With this release the mitigations for Spectre v4 are moved the the patches from
upstream (CVE-2018-3639, bsc#1092885).
This feature was added:
- Add support for block resize support for disks through the monitor (bsc#1094725).
ModerateSUSE bug 1092885SUSE bug 1094725SUSE bug 1096223SUSE bug 1098735CVE-2018-11806 at SUSECVE-2018-11806 at NVDCVE-2018-12617 at SUSECVE-2018-12617 at NVDCVE-2018-3639 at SUSECVE-2018-3639 at NVDcpe:/o:suse:sles:12:sp3Security update for python, python-base (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for python, python-base fixes the following issues:
Security issues fixed:
- CVE-2018-1000802: Prevent command injection in shutil module (make_archive
function) via passage of unfiltered user input (bsc#1109663).
- CVE-2018-1061: Fixed DoS via regular expression backtracking in
difflib.IS_LINE_JUNK method in difflib (bsc#1088004).
- CVE-2018-1060: Fixed DoS via regular expression catastrophic backtracking in
apop() method in pop3lib (bsc#1088009).
Bug fixes:
- bsc#1086001: python tarfile uses random order.
ModerateSUSE bug 1086001SUSE bug 1088004SUSE bug 1088009SUSE bug 1109663CVE-2018-1000802 at SUSECVE-2018-1000802 at NVDCVE-2018-1060 at SUSECVE-2018-1060 at NVDCVE-2018-1061 at SUSECVE-2018-1061 at NVDcpe:/o:suse:sles:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3
This update for apache2 fixes the following issues:
Security issues fixed:
- CVE-2018-11763: In Apache HTTP Server by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. (bsc#1109961)
ImportantSUSE bug 1109961CVE-2018-11763 at SUSECVE-2018-11763 at NVDcpe:/o:suse:sles:12:sp3Security update for audiofile (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for audiofile fixes the following issues:
- CVE-2018-17095: A heap-based buffer overflow in Expand3To4Module::run could occurred when running sfconvert leading to crashes or code execution when handling untrusted soundfiles (bsc#1111586).
ModerateSUSE bug 1111586CVE-2018-17095 at SUSECVE-2018-17095 at NVDcpe:/o:suse:sles:12:sp3Security update for wireshark (Important)SUSE Linux Enterprise Server 12 SP3
This update for wireshark fixes the following issues:
Wireshark was updated to 2.4.10 (bsc#1111647).
Following security issues were fixed:
- CVE-2018-18227: MS-WSP dissector crash (wnpa-sec-2018-47)
- CVE-2018-12086: OpcUA dissector crash (wnpa-sec-2018-50)
Further bug fixes and updated protocol support that were done are listed in:
https://www.wireshark.org/docs/relnotes/wireshark-2.4.10.html
ImportantSUSE bug 1111647CVE-2018-12086 at SUSECVE-2018-12086 at NVDCVE-2018-18227 at SUSECVE-2018-18227 at NVDcpe:/o:suse:sles:12:sp3Security update for MozillaFirefox, MozillaFirefox-branding-SLE, llvm4, mozilla-nspr, mozilla-nss, apache2-mod_nss (Important)SUSE Linux Enterprise Server 12 SP3
This update for MozillaFirefox to ESR 60.2.2 fixes several issues.
These general changes are part of the version 60 release.
- New browser engine with speed improvements
- Redesigned graphical user interface elements
- Unified address and search bar for new installations
- New tab page listing top visited, recently visited and recommended pages
- Support for configuration policies in enterprise deployments via JSON files
- Support for Web Authentication, allowing the use of USB tokens for
authentication to web sites
The following changes affect compatibility:
- Now exclusively supports extensions built using the WebExtension API.
- Unsupported legacy extensions will no longer work in Firefox 60 ESR
- TLS certificates issued by Symantec before June 1st, 2016 are no longer trusted
The 'security.pki.distrust_ca_policy' preference can be set to 0 to reinstate
trust in those certificates
The following issues affect performance:
- new format for storing private keys, certificates and certificate trust
If the user home or data directory is on a network file system, it is
recommended that users set the following environment variable to avoid
slowdowns: NSS_SDB_USE_CACHE=yes
This setting is not recommended for local, fast file systems.
These security issues were fixed:
- CVE-2018-12381: Dragging and dropping Outlook email message results in page navigation (bsc#1107343).
- CVE-2017-16541: Proxy bypass using automount and autofs (bsc#1107343).
- CVE-2018-12376: Various memory safety bugs (bsc#1107343).
- CVE-2018-12377: Use-after-free in refresh driver timers (bsc#1107343).
- CVE-2018-12378: Use-after-free in IndexedDB (bsc#1107343).
- CVE-2018-12379: Out-of-bounds write with malicious MAR file (bsc#1107343).
- CVE-2018-12386: Type confusion in JavaScript allowed remote code execution (bsc#1110506)
- CVE-2018-12387: Array.prototype.push stack pointer vulnerability may enable exploits in the sandboxed content process (bsc#1110507)
- CVE-2018-12385: Crash in TransportSecurityInfo due to cached data (bsc#1109363)
- CVE-2018-12383: Setting a master password did not delete unencrypted previously stored passwords (bsc#1107343)
This update for mozilla-nspr to version 4.19 fixes the follwing issues
- Added TCP Fast Open functionality
- A socket without PR_NSPR_IO_LAYER will no longer trigger
an assertion when polling
This update for mozilla-nss to version 3.36.4 fixes the follwing issues
- Connecting to a server that was recently upgraded to TLS 1.3
would result in a SSL_RX_MALFORMED_SERVER_HELLO error.
- Fix a rare bug with PKCS#12 files.
- Replaces existing vectorized ChaCha20 code with verified
HACL* implementation.
- TLS 1.3 support has been updated to draft -23.
- Added formally verified implementations of non-vectorized Chacha20
and non-vectorized Poly1305 64-bit.
- The following CA certificates were Removed:
OU = Security Communication EV RootCA1
CN = CA Disig Root R1
CN = DST ACES CA X6
Certum CA, O=Unizeto Sp. z o.o.
StartCom Certification Authority
StartCom Certification Authority G2
T?BİTAK UEKAE K?k Sertifika Hizmet Sağlayıcısı - S?r?m 3
ACEDICOM Root
Certinomis - Autorit? Racine
T?RKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
PSCProcert
CA 沃通根证书, O=WoSign CA Limited
Certification Authority of WoSign
Certification Authority of WoSign G2
CA WoSign ECC Root
Subject CN = VeriSign Class 3 Secure Server CA - G2
O = Japanese Government, OU = ApplicationCA
CN = WellsSecure Public Root Certificate Authority
CN = T?RKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
CN = Microsec e-Szigno Root
* The following CA certificates were Removed:
AddTrust Public CA Root
AddTrust Qualified CA Root
China Internet Network Information Center EV Certificates Root
CNNIC ROOT
ComSign Secured CA
GeoTrust Global CA 2
Secure Certificate Services
Swisscom Root CA 1
Swisscom Root EV CA 2
Trusted Certificate Services
UTN-USERFirst-Hardware
UTN-USERFirst-Object
* The following CA certificates were Added
CN = D-TRUST Root CA 3 2013
CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
GDCA TrustAUTH R5 ROOT
SSL.com Root Certification Authority RSA
SSL.com Root Certification Authority ECC
SSL.com EV Root Certification Authority RSA R2
SSL.com EV Root Certification Authority ECC
TrustCor RootCert CA-1
TrustCor RootCert CA-2
TrustCor ECA-1
* The Websites (TLS/SSL) trust bit was turned off for the following
CA certificates:
CN = Chambers of Commerce Root
CN = Global Chambersign Root
* TLS servers are able to handle a ClientHello statelessly, if the
client supports TLS 1.3. If the server sends a HelloRetryRequest,
it is possible to discard the server socket, and make a new socket
to handle any subsequent ClientHello. This better enables stateless
server operation. (This feature is added in support of QUIC, but it
also has utility for DTLS 1.3 servers.)
Due to the update of mozilla-nss apache2-mod_nss needs to be updated to
change to the SQLite certificate database, which is now the default (bsc#1108771)
ImportantSUSE bug 1012260SUSE bug 1021577SUSE bug 1026191SUSE bug 1041469SUSE bug 1041894SUSE bug 1049703SUSE bug 1061204SUSE bug 1064786SUSE bug 1065464SUSE bug 1066489SUSE bug 1073210SUSE bug 1078436SUSE bug 1091551SUSE bug 1092697SUSE bug 1094767SUSE bug 1096515SUSE bug 1107343SUSE bug 1108771SUSE bug 1108986SUSE bug 1109363SUSE bug 1109465SUSE bug 1110506SUSE bug 1110507SUSE bug 703591SUSE bug 839074SUSE bug 857131SUSE bug 893359CVE-2017-16541 at SUSECVE-2017-16541 at NVDCVE-2018-12376 at SUSECVE-2018-12376 at NVDCVE-2018-12377 at SUSECVE-2018-12377 at NVDCVE-2018-12378 at SUSECVE-2018-12378 at NVDCVE-2018-12379 at SUSECVE-2018-12379 at NVDCVE-2018-12381 at SUSECVE-2018-12381 at NVDCVE-2018-12383 at SUSECVE-2018-12383 at NVDCVE-2018-12385 at SUSECVE-2018-12385 at NVDCVE-2018-12386 at SUSECVE-2018-12386 at NVDCVE-2018-12387 at SUSECVE-2018-12387 at NVDcpe:/o:suse:sles:12:sp3Security update for curl (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for curl fixes the following issues:
- CVE-2018-16840: A use after free in closing SASL handles was fixed (bsc#1112758)
- CVE-2018-16842: A Out-of-bounds Read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660)
ModerateSUSE bug 1112758SUSE bug 1113660CVE-2018-16840 at SUSECVE-2018-16840 at NVDCVE-2018-16842 at SUSECVE-2018-16842 at NVDcpe:/o:suse:sles:12:sp3Security update for soundtouch (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for soundtouch fixes the following issues:
- CVE-2018-17098: The WavFileBase class allowed remote attackers to cause a denial of service (heap corruption from size inconsistency) or possibly have unspecified other impact, as demonstrated by SoundStretch. (bsc#1108632)
- CVE-2018-17097: The WavFileBase class allowed remote attackers to cause a denial of service (double free) or possibly have unspecified other impact, as demonstrated by SoundStretch. (double free) (bsc#1108631)
- CVE-2018-17096: The BPMDetect class allowed remote attackers to cause a denial of service (assertion failure and application exit), as demonstrated by SoundStretch. (bsc#1108630)
ModerateSUSE bug 1108630SUSE bug 1108631SUSE bug 1108632CVE-2018-17096 at SUSECVE-2018-17096 at NVDCVE-2018-17097 at SUSECVE-2018-17097 at NVDCVE-2018-17098 at SUSECVE-2018-17098 at NVDcpe:/o:suse:sles:12:sp3Security update for opensc (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for opensc fixes the following issues:
- CVE-2018-16391: Fixed a denial of service when handling responses from a Muscle Card (bsc#1106998)
- CVE-2018-16392: Fixed a denial of service when handling responses from a TCOS Card (bsc#1106999)
- CVE-2018-16393: Fixed buffer overflows when handling responses from Gemsafe V1 Smartcards (bsc#1108318)
- CVE-2018-16418: Fixed buffer overflow when handling string concatenation in util_acl_to_str (bsc#1107039)
- CVE-2018-16419: Fixed several buffer overflows when handling responses from a Cryptoflex card (bsc#1107107)
- CVE-2018-16420: Fixed buffer overflows when handling responses from an ePass 2003 Card (bsc#1107097)
- CVE-2018-16422: Fixed single byte buffer overflow when handling responses from an esteid Card (bsc#1107038)
- CVE-2018-16423: Fixed double free when handling responses from a smartcard (bsc#1107037)
- CVE-2018-16426: Fixed endless recursion when handling responses from an IAS-ECC card (bsc#1107034)
- CVE-2018-16427: Fixed out of bounds reads when handling responses in OpenSC (bsc#1107033)
ModerateSUSE bug 1104812SUSE bug 1106998SUSE bug 1106999SUSE bug 1107033SUSE bug 1107034SUSE bug 1107037SUSE bug 1107038SUSE bug 1107039SUSE bug 1107097SUSE bug 1107107SUSE bug 1108318CVE-2018-16391 at SUSECVE-2018-16391 at NVDCVE-2018-16392 at SUSECVE-2018-16392 at NVDCVE-2018-16393 at SUSECVE-2018-16393 at NVDCVE-2018-16418 at SUSECVE-2018-16418 at NVDCVE-2018-16419 at SUSECVE-2018-16419 at NVDCVE-2018-16420 at SUSECVE-2018-16420 at NVDCVE-2018-16422 at SUSECVE-2018-16422 at NVDCVE-2018-16423 at SUSECVE-2018-16423 at NVDCVE-2018-16426 at SUSECVE-2018-16426 at NVDCVE-2018-16427 at SUSECVE-2018-16427 at NVDcpe:/o:suse:sles:12:sp3Security update for libarchive (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libarchive fixes the following issues:
- CVE-2016-10209: The archive_wstring_append_from_mbs function in archive_string.c allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted archive file. (bsc#1032089)
- CVE-2016-10349: The archive_le32dec function in archive_endian.h allowed remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file. (bsc#1037008)
- CVE-2016-10350: The archive_read_format_cab_read_header function in archive_read_support_format_cab.c allowed remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file. (bsc#1037009)
- CVE-2017-14166: libarchive allowed remote attackers to cause a denial of service (xml_data heap-based buffer over-read and application crash) via a crafted xar archive, related to the mishandling of empty strings in the atol8 function in archive_read_support_format_xar.c. (bsc#1057514)
- CVE-2017-14501: An out-of-bounds read flaw existed in parse_file_info in archive_read_support_format_iso9660.c when extracting a specially crafted iso9660 iso file, related to archive_read_format_iso9660_read_header. (bsc#1059139)
- CVE-2017-14502: read_header in archive_read_support_format_rar.c suffered from an off-by-one error for UTF-16 names in RAR archives, leading to an out-of-bounds read in archive_read_format_rar_read_header. (bsc#1059134)
- CVE-2017-14503: libarchive suffered from an out-of-bounds read within lha_read_data_none() in archive_read_support_format_lha.c when extracting a specially crafted lha archive, related to lha_crc16. (bsc#1059100)
ModerateSUSE bug 1032089SUSE bug 1037008SUSE bug 1037009SUSE bug 1057514SUSE bug 1059100SUSE bug 1059134SUSE bug 1059139CVE-2016-10209 at SUSECVE-2016-10209 at NVDCVE-2016-10349 at SUSECVE-2016-10349 at NVDCVE-2016-10350 at SUSECVE-2016-10350 at NVDCVE-2017-14166 at SUSECVE-2017-14166 at NVDCVE-2017-14501 at SUSECVE-2017-14501 at NVDCVE-2017-14502 at SUSECVE-2017-14502 at NVDCVE-2017-14503 at SUSECVE-2017-14503 at NVDcpe:/o:suse:sles:12:sp3Security update for libjpeg-turbo (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libjpeg-turbo fixes the following issues:
Feature update:
- Update from version 1.3.1 to version 1.5.2 (fate#324061).
Security issue fixed:
- CVE-2017-15232: Fix NULL pointer dereference in jdpostct.c and jquant1.c (bsc#1062937).
ModerateSUSE bug 1062937CVE-2017-15232 at SUSECVE-2017-15232 at NVDcpe:/o:suse:sles:12:sp3security update for spice-vdagent (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for spice-vdagent provides the following fixes:
This security issue was fixed:
- CVE-2017-15108: Properly escape save directory that is passed to the shell to
prevent local attacker with access to the session the agent runs from injecting
arbitrary commands to be executed (bsc#1070724).
This non-security issue was fixed:
- Implement endian swapping, required for big-endian guests to connect to the spice client
successfully. (bsc#1012215)
ModerateSUSE bug 1012215SUSE bug 1070724CVE-2017-15108 at SUSECVE-2017-15108 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3
The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.162 to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2018-14633: A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely. (bnc#1107829).
- CVE-2018-18281: The mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. (bnc#1113769).
- CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).
- CVE-2018-18690: A local attacker able to set attributes on an xfs filesystem could make this filesystem non-operational until the next mount by triggering an unchecked error condition during an xfs attribute change, because xfs_attr_shortform_addname in fs/xfs/libxfs/xfs_attr.c mishandled ATTR_REPLACE operations with conversion of an attr from short to long form (bnc#1105025).
- CVE-2018-18710: An issue was discovered in the Linux kernel An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751).
- CVE-2018-9516: A lack of certain checks in the hid_debug_events_read() function in the drivers/hid/hid-debug.c file might have resulted in receiving userspace buffer overflow and an out-of-bounds write or to the infinite loop. (bnc#1108498).
The following non-security bugs were fixed:
- 6lowpan: iphc: reset mac_header after decompress to fix panic (bnc#1012382).
- alsa: bebob: use address returned by kmalloc() instead of kernel stack for streaming DMA mapping (bnc#1012382).
- alsa: emu10k1: fix possible info leak to userspace on SNDRV_EMU10K1_IOCTL_INFO (bnc#1012382).
- alsa: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge (bnc#1012382).
- alsa: hda - Fix cancel_work_sync() stall from jackpoll work (bnc#1012382).
- alsa: hda/realtek - Cannot adjust speaker's volume on Dell XPS 27 7760 (bnc#1012382).
- alsa: msnd: Fix the default sample sizes (bnc#1012382).
- alsa: pcm: Fix snd_interval_refine first/last with open min/max (bnc#1012382).
- alsa: usb-audio: Fix multiple definitions in AU0828_DEVICE() macro (bnc#1012382).
- apparmor: remove no-op permission check in policy_unpack (git-fixes).
- arc: build: Get rid of toolchain check (bnc#1012382).
- arc: clone syscall to setp r25 as thread pointer (bnc#1012382).
- arch/hexagon: fix kernel/dma.c build warning (bnc#1012382).
- arc: [plat-axs*]: Enable SWAP (bnc#1012382).
- arm64: bpf: jit JMP_JSET_{X,K} (bsc#1110613).
- arm64: Correct type for PUD macros (bsc#1110600).
- arm64: cpufeature: Track 32bit EL0 support (bnc#1012382).
- arm64: dts: qcom: db410c: Fix Bluetooth LED trigger (bnc#1012382).
- arm64: fix erroneous __raw_read_system_reg() cases (bsc#1110606).
- arm64: Fix potential race with hardware DBM in ptep_set_access_flags() (bsc#1110605).
- arm64: fpsimd: Avoid FPSIMD context leakage for the init task (bsc#1110603).
- arm64: jump_label.h: use asm_volatile_goto macro instead of 'asm goto' (bnc#1012382).
- arm64: kasan: avoid bad virt_to_pfn() (bsc#1110612).
- arm64: kasan: avoid pfn_to_nid() before page array is initialized (bsc#1110619).
- arm64/kasan: do not allocate extra shadow memory (bsc#1110611).
- arm64: kernel: Update kerneldoc for cpu_suspend() rename (bsc#1110602).
- arm64: kgdb: handle read-only text / modules (bsc#1110604).
- arm64: kvm: Sanitize PSTATE.M when being set from userspace (bnc#1012382).
- arm64: kvm: Tighten guest core register access from userspace (bnc#1012382).
- arm64/mm/kasan: do not use vmemmap_populate() to initialize shadow (bsc#1110618).
- arm64: ptrace: Avoid setting compat FP[SC]R to garbage if get_user fails (bsc#1110601).
- arm64: supported.conf: mark armmmci as not supported
- arm64 Update config files. (bsc#1110468) Set MMC_QCOM_DML to build-in and delete driver from supported.conf
- arm64: vdso: fix clock_getres for 4GiB-aligned res (bsc#1110614).
- arm: dts: at91: add new compatibility string for macb on sama5d3 (bnc#1012382).
- arm: dts: dra7: fix DCAN node addresses (bnc#1012382).
- arm: exynos: Clear global variable on init error path (bnc#1012382).
- arm: hisi: check of_iomap and fix missing of_node_put (bnc#1012382).
- arm: hisi: fix error handling and missing of_node_put (bnc#1012382).
- arm: hisi: handle of_iomap and fix missing of_node_put (bnc#1012382).
- arm: mvebu: declare asm symbols as character arrays in pmsu.c (bnc#1012382).
- ASoC: cs4265: fix MMTLR Data switch control (bnc#1012382).
- ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs (bnc#1012382).
- ASoC: sigmadsp: safeload should not have lower byte limit (bnc#1012382).
- ASoC: wm8804: Add ACPI support (bnc#1012382).
- ata: libahci: Correct setting of DEVSLP register (bnc#1012382).
- ath10k: disable bundle mgmt tx completion event support (bnc#1012382).
- ath10k: fix scan crash due to incorrect length calculation (bnc#1012382).
- ath10k: fix use-after-free in ath10k_wmi_cmd_send_nowait (bnc#1012382).
- ath10k: prevent active scans on potential unusable channels (bnc#1012382).
- ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock (bnc#1012382).
- audit: fix use-after-free in audit_add_watch (bnc#1012382).
- autofs: fix autofs_sbi() does not check super block type (bnc#1012382).
- binfmt_elf: Respect error return from `regset->active' (bnc#1012382).
- bluetooth: Add a new Realtek 8723DE ID 0bda:b009 (bnc#1012382).
- bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV (bnc#1012382).
- bluetooth: hidp: Fix handling of strncpy for hid->name information (bnc#1012382).
- bnxt_en: Fix TX timeout during netpoll (bnc#1012382).
- bonding: avoid possible dead-lock (bnc#1012382).
- bpf: fix cb access in socket filter programs on tail calls (bsc#1012382).
- bpf: fix map not being uncharged during map creation failure (bsc#1012382).
- bpf, s390: fix potential memleak when later bpf_jit_prog fails (git-fixes).
- bpf, s390x: do not reload skb pointers in non-skb context (git-fixes).
- bsc#1106913: Replace with upstream variants
- btrfs: add a comp_refs() helper (dependency for bsc#1031392).
- btrfs: add missing initialization in btrfs_check_shared (Git-fixes bsc#1112262).
- btrfs: add tracepoints for outstanding extents mods (dependency for bsc#1031392).
- btrfs: add wrapper for counting BTRFS_MAX_EXTENT_SIZE (dependency for bsc#1031392).
- btrfs: cleanup extent locking sequence (dependency for bsc#1031392).
- btrfs: defrag: use btrfs_mod_outstanding_extents in cluster_pages_for_defrag (Follow up fixes for bsc#1031392).
- btrfs: delayed-inode: Remove wrong qgroup meta reservation calls (bsc#1031392).
- btrfs: delayed-inode: Use new qgroup meta rsv for delayed inode and item (bsc#1031392).
- btrfs: Enhance btrfs_trim_fs function to handle error better (Dependency for bsc#1113667).
- btrfs: Ensure btrfs_trim_fs can trim the whole filesystem (bsc#1113667).
- btrfs: fix error handling in btrfs_dev_replace_start (bsc#1107535).
- btrfs: fix invalid attempt to free reserved space on failure to cow range (dependency for bsc#1031392).
- btrfs: fix missing error return in btrfs_drop_snapshot (Git-fixes bsc#1109919).
- btrfs: Fix race condition between delayed refs and blockgroup removal (Git-fixes bsc#1112263).
- btrfs: Fix wrong btrfs_delalloc_release_extents parameter (bsc#1031392).
- btrfs: kill trans in run_delalloc_nocow and btrfs_cross_ref_exist (dependency for bsc#1031392).
- btrfs: make the delalloc block rsv per inode (dependency for bsc#1031392).
- btrfs: pass delayed_refs directly to btrfs_find_delayed_ref_head (dependency for bsc#1031392).
- btrfs: qgroup: Add quick exit for non-fs extents (dependency for bsc#1031392).
- btrfs: qgroup: Cleanup btrfs_qgroup_prepare_account_extents function (dependency for bsc#1031392).
- btrfs: qgroup: Cleanup the remaining old reservation counters (bsc#1031392).
- btrfs: qgroup: Commit transaction in advance to reduce early EDQUOT (bsc#1031392).
- btrfs: qgroup: Do not use root->qgroup_meta_rsv for qgroup (bsc#1031392).
- btrfs: qgroup: Fix wrong qgroup reservation update for relationship modification (bsc#1031392).
- btrfs: qgroup: Introduce function to convert META_PREALLOC into META_PERTRANS (bsc#1031392).
- btrfs: qgroup: Introduce helpers to update and access new qgroup rsv (bsc#1031392).
- btrfs: qgroup: Make qgroup_reserve and its callers to use separate reservation type (bsc#1031392).
- btrfs: qgroup: Skeleton to support separate qgroup reservation type (bsc#1031392).
- btrfs: qgroups: opencode qgroup_free helper (dependency for bsc#1031392).
- btrfs: qgroup: Split meta rsv type into meta_prealloc and meta_pertrans (bsc#1031392).
- btrfs: qgroup: Update trace events for metadata reservation (bsc#1031392).
- btrfs: qgroup: Update trace events to use new separate rsv types (bsc#1031392).
- btrfs: qgroup: Use independent and accurate per inode qgroup rsv (bsc#1031392).
- btrfs: qgroup: Use root::qgroup_meta_rsv_* to record qgroup meta reserved space (bsc#1031392).
- btrfs: qgroup: Use separate meta reservation type for delalloc (bsc#1031392).
- btrfs: remove type argument from comp_tree_refs (dependency for bsc#1031392).
- btrfs: rework outstanding_extents (dependency for bsc#1031392).
- btrfs: switch args for comp_*_refs (dependency for bsc#1031392).
- btrfs: Take trans lock before access running trans in check_delayed_ref (Follow up fixes for bsc#1031392).
- ceph: avoid a use-after-free in ceph_destroy_options() (bsc#1112007).
- cfg80211: fix a type issue in ieee80211_chandef_to_operating_class() (bnc#1012382).
- cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE (bnc#1012382).
- cfq: Give a chance for arming slice idle timer in case of group_idle (bnc#1012382).
- cgroup: Fix deadlock in cpu hotplug path (bnc#1012382).
- cgroup, netclassid: add a preemption point to write_classid (bnc#1098996).
- cifs: check for STATUS_USER_SESSION_DELETED (bsc#1112902).
- cifs: connect to servername instead of IP for IPC$ share (bsc#1106359).
- cifs: fix memory leak in SMB2_open() (bsc#1112894).
- cifs: Fix use after free of a mid_q_entry (bsc#1112903).
- cifs: fix wrapping bugs in num_entries() (bnc#1012382).
- cifs: integer overflow in in SMB2_ioctl() (bsc#1012382).
- cifs: prevent integer overflow in nxt_dir_entry() (bnc#1012382).
- cifs: read overflow in is_valid_oplock_break() (bnc#1012382).
- clk: imx6ul: fix missing of_node_put() (bnc#1012382).
- clocksource/drivers/ti-32k: Add CLOCK_SOURCE_SUSPEND_NONSTOP flag for non-am43 SoCs (bnc#1012382).
- config.sh: set BUGZILLA_PRODUCT for SLE12-SP3
- coresight: Handle errors in finding input/output ports (bnc#1012382).
- coresight: tpiu: Fix disabling timeouts (bnc#1012382).
- cpu/hotplug: Fix SMT supported evaluation (bsc#1089343).
- crypto: mxs-dcp - Fix wait logic on chan threads (bnc#1012382).
- crypto: sharah - Unregister correct algorithms for SAHARA 3 (bnc#1012382).
- crypto: skcipher - Fix -Wstringop-truncation warnings (bnc#1012382).
- Define dependencies of in-kernel KMPs statically This allows us to use rpm's internal dependency generator (bsc#981083).
- Define early_radix_enabled() (bsc#1094244).
- dmaengine: pl330: fix irq race with terminate_all (bnc#1012382).
- dm cache: fix resize crash if user does not reload cache table (bnc#1012382).
- dm thin metadata: fix __udivdi3 undefined on 32-bit (bnc#1012382).
- dm thin metadata: try to avoid ever aborting transactions (bnc#1012382).
- Do not ship firmware (bsc#1054239). Pull firmware from kernel-firmware instead.
- drivers: net: cpsw: fix parsing of phy-handle DT property in dual_emac config (bnc#1012382).
- drivers: net: cpsw: fix segfault in case of bad phy-handle (bnc#1012382).
- drivers/tty: add error handling for pcmcia_loop_config (bnc#1012382).
- drm/amdgpu: Fix SDMA HQD destroy error on gfx_v7 (bnc#1012382).
- drm/amdkfd: Fix error codes in kfd_get_process (bnc#1012382).
- drm/nouveau/drm/nouveau: Use pm_runtime_get_noresume() in connector_detect() (bnc#1012382).
- drm/nouveau/TBDdevinit: do not fail when PMU/PRE_OS is missing from VBIOS (bnc#1012382).
- drm/nouveau: tegra: Detach from ARM DMA/IOMMU mapping (bnc#1012382).
- drm/virtio: fix bounds check in virtio_gpu_cmd_get_capset() (bsc#1106929)
- Drop dtb-source.spec and move the sources to kernel-source (bsc#1011920)
- e1000: check on netif_running() before calling e1000_up() (bnc#1012382).
- e1000: ensure to free old tx/rx rings in set_ringparam() (bnc#1012382).
- ebtables: arpreply: Add the standard target sanity check (bnc#1012382).
- edac, thunderx: Fix memory leak in thunderx_l2c_threaded_isr() (bsc#1114648).
- ethernet: ti: davinci_emac: add missing of_node_put after calling of_parse_phandle (bnc#1012382).
- ethtool: Remove trailing semicolon for static inline (bnc#1012382).
- ethtool: restore erroneously removed break in dev_ethtool (bsc#1114229).
- ext4: avoid divide by zero fault when deleting corrupted inline directories (bnc#1012382).
- ext4: do not mark mmp buffer head dirty (bnc#1012382).
- ext4: fix online resize's handling of a too-small final block group (bnc#1012382).
- ext4: fix online resizing for bigalloc file systems with a 1k block size (bnc#1012382).
- ext4: recalucate superblock checksum after updating free blocks/inodes (bnc#1012382).
- f2fs: do not set free of current section (bnc#1012382).
- f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize (bnc#1012382).
- fbdev: Distinguish between interlaced and progressive modes (bnc#1012382).
- fbdev: fix broken menu dependencies (bsc#1106929)
- fbdev/omapfb: fix omapfb_memory_read infoleak (bnc#1012382).
- fbdev/via: fix defined but not used warning (bnc#1012382).
- floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl (bnc#1012382).
- fs/cifs: do not translate SFM_SLASH (U+F026) to backslash (bnc#1012382).
- fs/cifs: suppress a string overflow warning (bnc#1012382).
- fs/eventpoll: loosen irq-safety when possible (bsc#1096052).
- gfs2: Special-case rindex for gfs2_grow (bnc#1012382).
- gpio: adp5588: Fix sleep-in-atomic-context bug (bnc#1012382).
- gpiolib: Mark gpio_suffixes array with __maybe_unused (bnc#1012382).
- gpio: ml-ioh: Fix buffer underwrite on probe error path (bnc#1012382).
- gpio: tegra: Move driver registration to subsys_init level (bnc#1012382).
- gso_segment: Reset skb->mac_len after modifying network header (bnc#1012382).
- hexagon: modify ffs() and fls() to return int (bnc#1012382).
- hid: hid-ntrig: add error handling for sysfs_create_group (bnc#1012382).
- hid: sony: Support DS4 dongle (bnc#1012382).
- hid: sony: Update device ids (bnc#1012382).
- hv: avoid crash in vmbus sysfs files (bnc#1108377).
- hwmon: (adt7475) Make adt7475_read_word() return errors (bnc#1012382).
- hwmon: (ina2xx) fix sysfs shunt resistor read access (bnc#1012382).
- i2c: i2c-scmi: fix for i2c_smbus_write_block_data (bnc#1012382).
- i2c: i801: Allow ACPI AML access I/O ports not reserved for SMBus (bnc#1012382).
- i2c: i801: fix DNV's SMBCTRL register offset (bnc#1012382).
- i2c: uniphier-f: issue STOP only for last message or I2C_M_STOP (bnc#1012382).
- i2c: uniphier: issue STOP only for last message or I2C_M_STOP (bnc#1012382).
- i2c: xiic: Make the start and the byte count write atomic (bnc#1012382).
- i2c: xlp9xx: Add support for SMBAlert (bsc#1103308).
- i2c: xlp9xx: Fix case where SSIF read transaction completes early (bsc#1103308).
- i2c: xlp9xx: Fix issue seen when updating receive length (bsc#1103308).
- i2c: xlp9xx: Make sure the transfer size is not more than I2C_SMBUS_BLOCK_SIZE (bsc#1103308).
- ib/ipoib: Avoid a race condition between start_xmit and cm_rep_handler (bnc#1012382).
- ib/srp: Avoid that sg_reset -d ${srp_device} triggers an infinite loop (bnc#1012382).
- input: atakbd - fix Atari CapsLock behaviour (bnc#1012382).
- input: atakbd - fix Atari keymap (bnc#1012382).
- input: atmel_mxt_ts - only use first T9 instance (bnc#1012382).
- input: elantech - enable middle button of touchpad on ThinkPad P72 (bnc#1012382).
- iommu/amd: Return devid as alias for ACPI HID devices (bsc#1106105).
- iommu/arm-smmu-v3: sync the OVACKFLG to PRIQ consumer register (bnc#1012382).
- iommu/ipmmu-vmsa: Fix allocation in atomic context (bnc#1012382).
- ip6_tunnel: be careful when accessing the inner header (bnc#1012382).
- ipmi:ssif: Add support for multi-part transmit messages > 2 parts (bsc#1103308).
- ip_tunnel: be careful when accessing the inner header (bnc#1012382).
- ipv4: fix use-after-free in ip_cmsg_recv_dstaddr() (bnc#1012382).
- ipv6: fix possible use-after-free in ip6_xmit() (bnc#1012382).
- iw_cxgb4: only allow 1 flush on user qps (bnc#1012382).
- ixgbe: pci_set_drvdata must be called before register_netdev (Git-fixes bsc#1109923).
- jffs2: return -ERANGE when xattr buffer is too small (bnc#1012382).
- KABI: move the new handler to end of machdep_calls and hide it from genksyms (bsc#1094244).
- kABI: protect struct hnae_desc_cb (kabi).
- kbuild: add .DELETE_ON_ERROR special target (bnc#1012382).
- kernel-obs-build.spec.in: add --no-hostonly-cmdline to dracut invocation (boo#1062303). call dracut with --no-hostonly-cmdline to avoid the random rootfs UUID being added into the initrd's /etc/cmdline.d/95root-dev.conf
- kernel-obs-build: use pae and lpae kernels where available (bsc#1073579).
- kernel/params.c: downgrade warning for unsafe parameters (bsc#1050549).
- kprobes/x86: Release insn_slot in failure path (bsc#1110006).
- kthread: fix boot hang (regression) on MIPS/OpenRISC (bnc#1012382).
- kthread: Fix use-after-free if kthread fork fails (bnc#1012382).
- kvm: nVMX: Do not expose MPX VMX controls when guest MPX disabled (bsc#1106240).
- kvm: nVMX: Do not flush TLB when vmcs12 uses VPID (bsc#1106240).
- kvm: PPC: Book3S HV: Do not truncate HPTE index in xlate function (bnc#1012382).
- kvm: x86: Do not re-{try,execute} after failed emulation in L2 (bsc#1106240).
- kvm: x86: Do not use kvm_x86_ops->mpx_supported() directly (bsc#1106240).
- kvm: x86: fix APIC page invalidation (bsc#1106240).
- kvm: x86: remove eager_fpu field of struct kvm_vcpu_arch (bnc#1012382).
- kvm/x86: remove WARN_ON() for when vm_munmap() fails (bsc#1106240).
- kvm: x86: SVM: Call x86_spec_ctrl_set_guest/host() with interrupts disabled (bsc#1106240).
- lib/test_hexdump.c: fix failure on big endian cpu (bsc#1106110).
- locking/osq_lock: Fix osq_lock queue corruption (bnc#1012382).
- locking/rwsem-xadd: Fix missed wakeup due to reordering of load (bnc#1012382).
- lpfc: fixup crash in lpfc_els_unsol_buffer() (bsc#1107318).
- mac80211: correct use of IEEE80211_VHT_CAP_RXSTBC_X (bnc#1012382).
- mac80211: fix a race between restart and CSA flows (bnc#1012382).
- mac80211: fix setting IEEE80211_KEY_FLAG_RX_MGMT for AP mode keys (bnc#1012382).
- mac80211: Fix station bandwidth setting after channel switch (bnc#1012382).
- mac80211_hwsim: correct use of IEEE80211_VHT_CAP_RXSTBC_X (bnc#1012382).
- mac80211: mesh: fix HWMP sequence numbering to follow standard (bnc#1012382).
- mac80211: restrict delayed tailroom needed decrement (bnc#1012382).
- mac80211: shorten the IBSS debug messages (bnc#1012382).
- mach64: detect the dot clock divider correctly on sparc (bnc#1012382).
- macintosh/via-pmu: Add missing mmio accessors (bnc#1012382).
- macros.kernel-source: define linux_arch for KMPs (boo#1098050). CONFIG_64BIT is no longer defined so KMP spec files need to include %{?linux_make_arch} in any make call to build modules or descent into the kernel directory for any reason.
- macros.kernel-source: pass -b properly in kernel module package (bsc#1107870).
- macros.kernel-source: pass -f properly in module subpackage (boo#1076393).
- md-cluster: clear another node's suspend_area after the copy is finished (bnc#1012382).
- md/raid1: exit sync request if MD_RECOVERY_INTR is set (git-fixes).
- md/raid5: fix data corruption of replacements after originals dropped (bnc#1012382).
- media: af9035: prevent buffer overflow on write (bnc#1012382).
- media: exynos4-is: Prevent NULL pointer dereference in __isp_video_try_fmt() (bnc#1012382).
- media: fsl-viu: fix error handling in viu_of_probe() (bnc#1012382).
- media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial data (bnc#1012382).
- media: omap_vout: Fix a possible null pointer dereference in omap_vout_open() (bsc#1050431).
- media: s3c-camif: ignore -ENOIOCTLCMD from v4l2_subdev_call for s_power (bnc#1012382).
- media: soc_camera: ov772x: correct setting of banding filter (bnc#1012382).
- media: tm6000: add error handling for dvb_register_adapter (bnc#1012382).
- media: uvcvideo: Support realtek's UVC 1.5 device (bnc#1012382).
- media: v4l: event: Prevent freeing event subscriptions while accessed (bnc#1012382).
- media: videobuf2-core: check for q->error in vb2_core_qbuf() (bnc#1012382).
- media: videobuf-dma-sg: Fix dma_{sync,unmap}_sg() calls (bsc#1050431).
- mei: bus: type promotion bug in mei_nfc_if_version() (bnc#1012382).
- memory_hotplug: cond_resched in __remove_pages (bnc#1114178).
- mfd: omap-usb-host: Fix dts probe of children (bnc#1012382).
- mfd: ti_am335x_tscadc: Fix struct clk memory leak (bnc#1012382).
- misc: hmc6352: fix potential Spectre v1 (bnc#1012382).
- misc: mic: SCIF Fix scif_get_new_port() error handling (bnc#1012382).
- misc: ti-st: Fix memory leak in the error path of probe() (bnc#1012382).
- mmc: mmci: stop building qcom dml as module (bsc#1110468).
- mm: fix devmem_is_allowed() for sub-page System RAM intersections (bsc#1110006).
- mm: get rid of vmacache_flush_all() entirely (bnc#1012382).
- mm: madvise(MADV_DODUMP): allow hugetlbfs pages (bnc#1012382).
- mm: /proc/pid/pagemap: hide swap entries from unprivileged users (Git-fixes bsc#1109907).
- mm: shmem.c: Correctly annotate new inodes for lockdep (bnc#1012382).
- mm/vmstat.c: fix outdated vmstat_text (bnc#1012382).
- mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly (bnc#1012382).
- mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly (git fixes).
- module: exclude SHN_UNDEF symbols from kallsyms api (bnc#1012382).
- mtdchar: fix overflows in adjustment of `count` (bnc#1012382).
- mtd/maps: fix solutionengine.c printk format warnings (bnc#1012382).
- neighbour: confirm neigh entries when ARP packet is received (bnc#1012382).
- net/appletalk: fix minor pointer leak to userspace in SIOCFINDIPDDPRT (bnc#1012382).
- net: cadence: Fix a sleep-in-atomic-context bug in macb_halt_tx() (bnc#1012382).
- net: dcb: For wild-card lookups, use priority -1, not 0 (bnc#1012382).
- net: ethernet: mvneta: Fix napi structure mixup on armada 3700 (bsc#1110616).
- net: ethernet: ti: cpsw: fix mdio device reference leak (bnc#1012382).
- netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user (bnc#1012382).
- net: hns: fix length and page_offset overflow when CONFIG_ARM64_64K_PAGES (bnc#1012382).
- net: hp100: fix always-true check for link up state (bnc#1012382).
- net: ipv4: update fnhe_pmtu when first hop's MTU changes (bnc#1012382).
- net/ipv6: Display all addresses in output of /proc/net/if_inet6 (bnc#1012382).
- netlabel: check for IPV4MASK in addrinfo_get (bnc#1012382).
- net: macb: disable scatter-gather for macb on sama5d3 (bnc#1012382).
- net/mlx4: Use cpumask_available for eq->affinity_mask (bnc#1012382).
- net: mvneta: fix mtu change on port without link (bnc#1012382).
- net: mvneta: fix mvneta_config_rss on armada 3700 (bsc#1110615).
- net: mvpp2: Extract the correct ethtype from the skb for tx csum offload (bnc#1012382).
- net: systemport: Fix wake-up interrupt race during resume (bnc#1012382).
- net/usb: cancel pending work when unbinding smsc75xx (bnc#1012382).
- nfc: Fix possible memory corruption when handling SHDLC I-Frame commands (bnc#1012382).
- nfc: Fix the number of pipes (bnc#1012382).
- nfs: add nostatflush mount option (bsc#1065726).
- nfs: Avoid quadratic search when freeing delegations (bsc#1084760).
- nfsd: fix corrupted reply to badly ordered compound (bnc#1012382).
- nfs: Use an appropriate work queue for direct-write completion (bsc#1082519).
- nfsv4.0 fix client reference leak in callback (bnc#1012382).
- ocfs2: fix locking for res->tracking and dlm->tracking_list (bnc#1012382).
- ocfs2: fix ocfs2 read block panic (bnc#1012382).
- of: unittest: Disable interrupt node tests for old world MAC systems (bnc#1012382).
- ovl: Copy inode attributes after setting xattr (bsc#1107299).
- parport: sunbpp: fix error return code (bnc#1012382).
- partitions/aix: append null character to print data from disk (bnc#1012382).
- partitions/aix: fix usage of uninitialized lv_info and lvname structures (bnc#1012382).
- Pass x86 as architecture on x86_64 and i386 (bsc#1093118).
- pci: altera: Fix bool initialization in tlp_read_packet() (bsc#1109806).
- pci: designware: Fix I/O space page leak (bsc#1109806).
- pci: designware: Fix pci_remap_iospace() failure path (bsc#1109806).
- pci: hv: Use effective affinity mask (bsc#1109772).
- pci: OF: Fix I/O space page leak (bsc#1109806).
- pci: pciehp: Fix unprotected list iteration in IRQ handler (bsc#1109806).
- pci: Reprogram bridge prefetch registers on resume (bnc#1012382).
- pci: shpchp: Fix AMD POGO identification (bsc#1109806).
- pci: Supply CPU physical address (not bus address) to iomem_is_exclusive() (bsc#1109806).
- pci: versatile: Fix I/O space page leak (bsc#1109806).
- pci: versatile: Fix pci_remap_iospace() failure path (bsc#1109806).
- pci: xgene: Fix I/O space page leak (bsc#1109806).
- pci: xilinx: Add missing of_node_put() (bsc#1109806).
- perf powerpc: Fix callchain ip filtering (bnc#1012382).
- perf powerpc: Fix callchain ip filtering when return address is in a register (bnc#1012382).
- perf probe powerpc: Ignore SyS symbols irrespective of endianness (bnc#1012382).
- perf script python: Fix export-to-postgresql.py occasional failure (bnc#1012382).
- perf tools: Allow overriding MAX_NR_CPUS at compile time (bnc#1012382).
- phy: qcom-ufs: add MODULE_LICENSE tag (bsc#1110468).
- pinctrl: qcom: spmi-gpio: Fix pmic_gpio_config_get() to be compliant (bnc#1012382).
- pipe: actually allow root to exceed the pipe buffer limit (git-fixes).
- platform/x86: alienware-wmi: Correct a memory leak (bnc#1012382).
- platform/x86: toshiba_acpi: Fix defined but not used build warnings (bnc#1012382).
- pm / core: Clear the direct_complete flag on errors (bnc#1012382).
- powerpc/64s: move machine check SLB flushing to mm/slb.c (bsc#1094244).
- powerpc/kdump: Handle crashkernel memory reservation failure (bnc#1012382).
- powerpc/mce: Fix SLB rebolting during MCE recovery path (bsc#1094244).
- powerpc/numa: Skip onlining a offline node in kdump path (bsc#1109784).
- powerpc/numa: Use associativity if VPHN hcall is successful (bsc#1110363).
- powerpc/perf/hv-24x7: Fix passing of catalog version number (bsc#1053043).
- powerpc/powernv: opal_put_chars partial write fix (bnc#1012382).
- powerpc/pseries: Defer the logging of rtas error to irq work queue (bsc#1094244).
- powerpc/pseries: Define MCE error event section (bsc#1094244).
- powerpc/pseries: Display machine check error details (bsc#1094244).
- powerpc/pseries: Dump the SLB contents on SLB MCE errors (bsc#1094244).
- powerpc/pseries: Fix build break for SPLPAR=n and CPU hotplug (bsc#1079524, git-fixes).
- powerpc/pseries: Fix CONFIG_NUMA=n build (bsc#1067906, git-fixes).
- powerpc/pseries: Flush SLB contents on SLB MCE errors (bsc#1094244).
- powerpc/pseries/mm: call H_BLOCK_REMOVE (bsc#1109158).
- powerpc/pseries/mm: factorize PTE slot computation (bsc#1109158).
- powerpc/pseries/mm: Introducing FW_FEATURE_BLOCK_REMOVE (bsc#1109158).
- powerpc/rtas: Fix a potential race between CPU-Offline & Migration (bsc#1111870).
- powerpc/tm: Avoid possible userspace r1 corruption on reclaim (bsc#1109333).
- power: vexpress: fix corruption in notifier registration (bnc#1012382).
- printk: do not spin in printk when in nmi (bsc#1094244).
- proc: restrict kernel stack dumps to root (bnc#1012382).
- pstore: Fix incorrect persistent ram buffer mapping (bnc#1012382).
- qlcnic: fix Tx descriptor corruption on 82xx devices (bnc#1012382).
- r8169: Clear RTL_FLAG_TASK_*_PENDING when clearing RTL_FLAG_TASK_ENABLED (bnc#1012382).
- raid10 BUG_ON in raise_barrier when force is true and conf->barrier is 0 (bnc#1012382).
- rculist: add list_for_each_entry_from_rcu() (bsc#1084760).
- rculist: Improve documentation for list_for_each_entry_from_rcu() (bsc#1084760).
- rdma/cma: Do not ignore net namespace for unbound cm_id (bnc#1012382).
- rdma/cma: Protect cma dev list with lock (bnc#1012382).
- rdma/ucma: check fd type in ucma_migrate_id() (bnc#1012382).
- reiserfs: add check to detect corrupted directory entry (bsc#1109818).
- reiserfs: do not panic on bad directory entries (bsc#1109818).
- resource: Include resource end in walk_*() interfaces (bsc#1114648).
- Revert 'btrfs: qgroups: Retry after commit on getting EDQUOT' (bsc#1031392).
- Revert 'dma-buf/sync-file: Avoid enable fence signaling if poll(.timeout=0)' (bsc#1111363).
- Revert 'drm: Do not pass negative delta to ktime_sub_ns()' (bsc#1106929)
- Revert 'drm/i915: Initialize HWS page address after GPU reset' (bsc#1106929)
- Revert 'Drop kernel trampoline stack.' This reverts commit 85dead31706c1c1755adff90405ff9861c39c704.
- Revert 'kabi/severities: Ignore missing cpu_tss_tramp (bsc#1099597)' This reverts commit edde1f21880e3bfe244c6f98a3733b05b13533dc.
- Revert 'kvm: x86: remove eager_fpu field of struct kvm_vcpu_arch' (kabi).
- Revert 'media: v4l: event: Prevent freeing event subscriptions while accessed' (kabi).
- Revert 'mm: get rid of vmacache_flush_all() entirely' (kabi).
- Revert 'NFC: Fix the number of pipes' (kabi).
- Revert 'proc: restrict kernel stack dumps to root' (kabi).
- Revert 'Skip intel_crt_init for Dell XPS 8700' (bsc#1106929)
- Revert 'tcp: add tcp_ooo_try_coalesce() helper' (kabi).
- Revert 'tcp: call tcp_drop() from tcp_data_queue_ofo()' (kabi).
- Revert 'tcp: fix a stale ooo_last_skb after a replace' (kabi).
- Revert 'tcp: free batches of packets in tcp_prune_ofo_queue()' (kabi).
- Revert 'tcp: use an RB tree for ooo receive queue' (kabi).
- Revert 'usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()' (bnc#1012382).
- Revert 'x86/fpu: Finish excising 'eagerfpu'' (kabi).
- Revert 'x86/fpu: Remove struct fpu::counter' (kabi).
- Revert 'x86/fpu: Remove use_eager_fpu()' (kabi).
- ring-buffer: Allow for rescheduling when removing pages (bnc#1012382).
- rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication() (bnc#1012382).
- rpm/kernel-binary.spec.in: Check module licenses (bsc#1083215,bsc#1083527)
- rpm/kernel-binary.spec.in: Do not sign modules if CONFIG_MODULE_SIG=n (bsc#1035053)
- rpm/kernel-binary.spec.in: Obsolete ftsteutates KMP (boo#997172)
- rpm/kernel-binary.spec.in: Only kernel-syzkaller needs gcc-devel (boo#1043591).
- rpm/kernel-docs.spec.in: Expand kernel tree directly from sources (bsc#1057199)
- rpm/kernel-docs.spec.in: Fix and cleanup for 4.13 doc build (bsc#1048129) The whole DocBook stuff has been deleted. The PDF build still non-working thus the sub-packaging disabled so far.
- rpm/kernel-docs.spec.in: refresh dependencies for PDF build (bsc#1048129) But it still does not work with Tex Live 2017, thus disabled yet. Also add texlive-anyfontsize for HTML math handling.
- rpm/kernel-module-subpackage: Generate proper supplements in the template ... instead of relying on find-provides.ksyms to do it (bsc#981083).
- rpm/kernel-source.spec.in: Do not list deleted depdendency helpers (bsc#981083).
- rpm/kernel-spec-macros: Try harder to detect Build Service environment (bsc#1078788)
- rtc: bq4802: add error handling for devm_ioremap (bnc#1012382).
- rtnl: limit IFLA_NUM_TX_QUEUES and IFLA_NUM_RX_QUEUES to 4096 (bnc#1012382).
- s390/chsc: Add exception handler for CHSC instruction (git-fixes).
- s390/extmem: fix gcc 8 stringop-overflow warning (bnc#1012382).
- s390/facilites: use stfle_fac_list array size for MAX_FACILITY_BIT (bnc#1108315, LTC#171326).
- s390/kdump: Fix elfcorehdr size calculation (git-fixes).
- s390/kdump: Make elfcorehdr size calculation ABI compliant (git-fixes).
- s390/mm: correct allocate_pgste proc_handler callback (git-fixes).
- s390/qeth: do not dump past end of unknown HW header (bnc#1012382).
- s390/qeth: fix race in used-buffer accounting (bnc#1012382).
- s390/qeth: handle failure on workqueue creation (git-fixes).
- s390/qeth: reset layer2 attribute on layer switch (bnc#1012382).
- s390/qeth: use vzalloc for QUERY OAT buffer (bnc#1108315, LTC#171527).
- s390: revert ELF_ET_DYN_BASE base changes (git-fixes).
- s390/stacktrace: fix address ranges for asynchronous and panic stack (git-fixes).
- sched/fair: Fix bandwidth timer clock drift condition (Git-fixes).
- sched/fair: Fix vruntime_normalized() for remote non-migration wakeup (Git-fixes).
- scsi: 3ware: fix return 0 on the error path of probe (bnc#1012382).
- scsi: bnx2i: add error handling for ioremap_nocache (bnc#1012382).
- scsi: ibmvscsi: Improve strings handling (bnc#1012382).
- scsi: klist: Make it safe to use klists in atomic context (bnc#1012382).
- scsi: target: fix __transport_register_session locking (bnc#1012382).
- scsi: target/iscsi: Make iscsit_ta_authentication() respect the output buffer size (bnc#1012382).
- selftests/efivarfs: add required kernel configs (bnc#1012382).
- selftest: timers: Tweak raw_skew to SKIP when ADJ_OFFSET/other clock adjustments are in progress (bnc#1012382).
- selinux: use GFP_NOWAIT in the AVC kmem_caches (bnc#1012382).
- serial: cpm_uart: return immediately from console poll (bnc#1012382).
- serial: imx: restore handshaking irq for imx1 (bnc#1012382).
- signal: Properly deliver SIGSEGV from x86 uprobes (bsc#1110006).
- slub: make ->cpu_partial unsigned int (bnc#1012382).
- smb2: fix missing files in root share directory listing (bnc#1012382).
- smb3: fill in statfs fsid and correct namelen (bsc#1112905).
- sound: enable interrupt after dma buffer initialization (bnc#1012382).
- spi: rspi: Fix interrupted DMA transfers (bnc#1012382).
- spi: rspi: Fix invalid SPI use during system suspend (bnc#1012382).
- spi: sh-msiof: Fix handling of write value for SISTR register (bnc#1012382).
- spi: sh-msiof: Fix invalid SPI use during system suspend (bnc#1012382).
- spi: tegra20-slink: explicitly enable/disable clock (bnc#1012382).
- srcu: Allow use of Tiny/Tree SRCU from both process and interrupt context (bsc#1050549).
- staging: android: ashmem: Fix mmap size validation (bnc#1012382).
- staging: rt5208: Fix a sleep-in-atomic bug in xd_copy_page (bnc#1012382).
- staging: rts5208: fix missing error check on call to rtsx_write_register (bnc#1012382).
- staging/rts5208: Fix read overflow in memcpy (bnc#1012382).
- stmmac: fix valid numbers of unicast filter entries (bnc#1012382).
- stop_machine: Atomically queue and wake stopper threads (git-fixes).
- target: log Data-Out timeouts as errors (bsc#1095805).
- target: log NOP ping timeouts as errors (bsc#1095805).
- target: split out helper for cxn timeout error stashing (bsc#1095805).
- target: stash sess_err_stats on Data-Out timeout (bsc#1095805).
- target: use ISCSI_IQN_LEN in iscsi_target_stat (bsc#1095805).
- tcp: add tcp_ooo_try_coalesce() helper (bnc#1012382).
- tcp: call tcp_drop() from tcp_data_queue_ofo() (bnc#1012382).
- tcp: fix a stale ooo_last_skb after a replace (bnc#1012382).
- tcp: free batches of packets in tcp_prune_ofo_queue() (bnc#1012382).
- tcp: increment sk_drops for dropped rx packets (bnc#1012382).
- tcp: use an RB tree for ooo receive queue (bnc#1012382).
- team: Forbid enslaving team device to itself (bnc#1012382).
- thermal: of-thermal: disable passive polling when thermal zone is disabled (bnc#1012382).
- Tools: hv: Fix a bug in the key delete code (bnc#1012382).
- tools/vm/page-types.c: fix 'defined but not used' warning (bnc#1012382).
- tools/vm/slabinfo.c: fix sign-compare warning (bnc#1012382).
- tpm: Restore functionality to xen vtpm driver (bsc#1020645, git-fixes).
- tsl2550: fix lux1_input error in low light (bnc#1012382).
- tty: Drop tty->count on tty_reopen() failure (bnc#1105428).
- tty: rocket: Fix possible buffer overwrite on register_PCI (bnc#1012382).
- tty: vt_ioctl: fix potential Spectre v1 (bnc#1012382).
- ubifs: Check for name being NULL while mounting (bnc#1012382).
- ucma: fix a use-after-free in ucma_resolve_ip() (bnc#1012382).
- uio: potential double frees if __uio_register_device() fails (bnc#1012382).
- usb: add quirk for WORLDE Controller KS49 or Prodipe MIDI 49C USB controller (bnc#1012382).
- usb: Add quirk to support DJI CineSSD (bnc#1012382).
- usb: Avoid use-after-free by flushing endpoints early in usb_set_interface() (bnc#1012382).
- usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt() (bnc#1012382).
- usb: Do not die twice if PCI xhci host is not responding in resume (bnc#1012382).
- usb: fix error handling in usb_driver_claim_interface() (bnc#1012382).
- usb: gadget: fotg210-udc: Fix memory leak of fotg210->ep[i] (bnc#1012382).
- usb: gadget: serial: fix oops when data rx'd after close (bnc#1012382).
- usb: handle NULL config in usb_find_alt_setting() (bnc#1012382).
- usb: host: u132-hcd: Fix a sleep-in-atomic-context bug in u132_get_frame() (bnc#1012382).
- usb: misc: uss720: Fix two sleep-in-atomic-context bugs (bnc#1012382).
- usb: net2280: Fix erroneous synchronization change (bnc#1012382).
- usb: remove LPM management from usb_driver_claim_interface() (bnc#1012382).
- usb: serial: io_ti: fix array underflow in completion handler (bnc#1012382).
- usb: serial: kobil_sct: fix modem-status error handling (bnc#1012382).
- usb: serial: simple: add Motorola Tetra MTP6550 id (bnc#1012382).
- usb: serial: ti_usb_3410_5052: fix array underflow in completion handler (bnc#1012382).
- usb: usbdevfs: restore warning for nonsensical flags (bnc#1012382).
- usb: usbdevfs: sanitize flags more (bnc#1012382).
- usb: wusbcore: security: cast sizeof to int for comparison (bnc#1012382).
- usb: yurex: Check for truncation in yurex_read() (bnc#1012382).
- usb: yurex: Fix buffer over-read in yurex_write() (bnc#1012382).
- Use upstream version of pci-hyperv change 35a88a18d7
- uwb: hwa-rc: fix memory leak at probe (bnc#1012382).
- vfs: do not test owner for NFS in set_posix_acl() (bsc#1103405).
- video: goldfishfb: fix memory leak on driver remove (bnc#1012382).
- vmci: type promotion bug in qp_host_get_user_memory() (bnc#1012382).
- vmw_balloon: include asm/io.h (bnc#1012382).
- watchdog: w83627hf: Added NCT6102D support (bsc#1106434).
- wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout() (bnc#1012382).
- wlcore: Fix memory leak in wlcore_cmd_wait_for_event_or_timeout (git-fixes).
- x86/apic: Fix restoring boot IRQ mode in reboot and kexec/kdump (bsc#1110006).
- x86/apic: Split disable_IO_APIC() into two functions to fix CONFIG_KEXEC_JUMP=y (bsc#1110006).
- x86/apic: Split out restore_boot_irq_mode() from disable_IO_APIC() (bsc#1110006).
- x86/boot: Fix 'run_size' calculation (bsc#1110006).
- x86/cpufeature: deduplicate X86_FEATURE_L1TF_PTEINV (kabi).
- x86/entry/64: Add two more instruction suffixes (bnc#1012382).
- x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface (bsc#1105931).
- x86/entry/64: sanitize extra registers on syscall entry (bsc#1105931).
- x86/fpu: Finish excising 'eagerfpu' (bnc#1012382).
- x86/fpu: Remove second definition of fpu in __fpu__restore_sig() (bsc#1110006).
- x86/fpu: Remove struct fpu::counter (bnc#1012382).
- x86/fpu: Remove use_eager_fpu() (bnc#1012382).
- x86/irq: implement irq_data_get_effective_affinity_mask() for v4.12 (bsc#1109772).
- x86/kaiser: Avoid loosing NMIs when using trampoline stack (bsc#1106293 bsc#1099597).
- x86/mm: Remove in_nmi() warning from vmalloc_fault() (bnc#1012382).
- x86: msr-index.h: Correct SNB_C1/C3_AUTO_UNDEMOTE defines (bsc#1110006).
- x86/numa_emulation: Fix emulated-to-physical node mapping (bnc#1012382).
- x86/paravirt: Fix some warning messages (bnc#1065600).
- x86/percpu: Fix this_cpu_read() (bsc#1110006).
- x86,sched: Allow topologies where NUMA nodes share an LLC (bsc#1091158, bsc#1101555).
- x86/spec_ctrl: Fix spec_ctrl reporting (bsc#1106913, bsc#1111516).
- x86/speculation: Apply IBPB more strictly to avoid cross-process data leak (bsc#1106913).
- x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation (bsc#1106913).
- x86/speculation: Propagate information about RSB filling mitigation to sysfs (bsc#1106913).
- x86/time: Correct the attribute on jiffies' definition (bsc#1110006).
- x86/tsc: Add missing header to tsc_msr.c (bnc#1012382).
- x86/vdso: Fix asm constraints on vDSO syscall fallbacks (bsc#1110006).
- x86/vdso: Fix vDSO build if a retpoline is emitted (bsc#1110006).
- x86/vdso: Fix vDSO syscall fallback asm constraint regression (bsc#1110006).
- x86/vdso: Only enable vDSO retpolines when enabled and supported (bsc#1110006).
- xen: avoid crash in disable_hotplug_cpu (bnc#1012382 bsc#1106594 bsc#1042422).
- xen: fix GCC warning and remove duplicate EVTCHN_ROW/EVTCHN_COL usage (bnc#1012382).
- xen: issue warning message when out of grant maptrack entries (bsc#1105795).
- xen/manage: do not complain about an empty value in control/sysrq node (bnc#1012382).
- xen/netfront: do not bug in case of too many frags (bnc#1012382).
- xen-netfront: fix queue name setting (bnc#1012382).
- xen/netfront: fix waiting for xenbus state change (bnc#1012382).
- xen-netfront: fix warn message as irq device name has '/' (bnc#1012382).
- xen/x86/vpmu: Zero struct pt_regs before calling into sample handling code (bnc#1012382).
- xfrm: fix 'passing zero to ERR_PTR()' warning (bnc#1012382).
- xhci: Add missing CAS workaround for Intel Sunrise Point xHCI (bnc#1012382).
- xhci: Do not print a warning when setting link state for disabled ports (bnc#1012382).
- x86/kexec: Correct KEXEC_BACKUP_SRC_END off-by-one error (bsc#1114648).
ImportantSUSE bug 1011920SUSE bug 1012382SUSE bug 1012422SUSE bug 1020645SUSE bug 1031392SUSE bug 1035053SUSE bug 1042422SUSE bug 1043591SUSE bug 1048129SUSE bug 1050431SUSE bug 1050549SUSE bug 1053043SUSE bug 1054239SUSE bug 1057199SUSE bug 1065600SUSE bug 1065726SUSE bug 1067906SUSE bug 1073579SUSE bug 1076393SUSE bug 1078788SUSE bug 1079524SUSE bug 1082519SUSE bug 1083215SUSE bug 1083527SUSE bug 1084760SUSE bug 1089343SUSE bug 1091158SUSE bug 1093118SUSE bug 1094244SUSE bug 1094825SUSE bug 1095805SUSE bug 1096052SUSE bug 1098050SUSE bug 1098996SUSE bug 1099597SUSE bug 1101555SUSE bug 1103308SUSE bug 1103405SUSE bug 1104124SUSE bug 1105025SUSE bug 1105428SUSE bug 1105795SUSE bug 1105931SUSE bug 1106105SUSE bug 1106110SUSE bug 1106240SUSE bug 1106293SUSE bug 1106359SUSE bug 1106434SUSE bug 1106594SUSE bug 1106913SUSE bug 1106929SUSE bug 1107060SUSE bug 1107299SUSE bug 1107318SUSE bug 1107535SUSE bug 1107829SUSE bug 1107870SUSE bug 1108315SUSE bug 1108377SUSE bug 1108498SUSE bug 1109158SUSE bug 1109333SUSE bug 1109772SUSE bug 1109784SUSE bug 1109806SUSE bug 1109818SUSE bug 1109907SUSE bug 1109919SUSE bug 1109923SUSE bug 1110006SUSE bug 1110363SUSE bug 1110468SUSE bug 1110600SUSE bug 1110601SUSE bug 1110602SUSE bug 1110603SUSE bug 1110604SUSE bug 1110605SUSE bug 1110606SUSE bug 1110611SUSE bug 1110612SUSE bug 1110613SUSE bug 1110614SUSE bug 1110615SUSE bug 1110616SUSE bug 1110618SUSE bug 1110619SUSE bug 1111363SUSE bug 1111516SUSE bug 1111870SUSE bug 1112007SUSE bug 1112262SUSE bug 1112263SUSE bug 1112894SUSE bug 1112902SUSE bug 1112903SUSE bug 1112905SUSE bug 1113667SUSE bug 1113751SUSE bug 1113769SUSE bug 1114178SUSE bug 1114229SUSE bug 1114648SUSE bug 981083SUSE bug 997172CVE-2018-14633 at SUSECVE-2018-14633 at NVDCVE-2018-18281 at SUSECVE-2018-18281 at NVDCVE-2018-18386 at SUSECVE-2018-18386 at NVDCVE-2018-18690 at SUSECVE-2018-18690 at NVDCVE-2018-18710 at SUSECVE-2018-18710 at NVDCVE-2018-9516 at SUSECVE-2018-9516 at NVDcpe:/o:suse:sles:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3
This update for MozillaFirefox to version 52.6 several issues.
These security issues were fixed:
- CVE-2018-5091: Use-after-free with DTMF timers (bsc#1077291).
- CVE-2018-5095: Integer overflow in Skia library during edge builder allocation (bsc#1077291).
- CVE-2018-5096: Use-after-free while editing form elements (bsc#1077291).
- CVE-2018-5097: Use-after-free when source document is manipulated during XSLT (bsc#1077291).
- CVE-2018-5098: Use-after-free while manipulating form input elements (bsc#1077291).
- CVE-2018-5099: Use-after-free with widget listener (bsc#1077291).
- CVE-2018-5104: Use-after-free during font face manipulation (bsc#1077291).
- CVE-2018-5089: Fixed several memory safety bugs (bsc#1077291).
- CVE-2018-5117: URL spoofing with right-to-left text aligned left-to-right (bsc#1077291).
- CVE-2018-5102: Use-after-free in HTML media elements (bsc#1077291).
- CVE-2018-5103: Use-after-free during mouse event handling (bsc#1077291).
ImportantSUSE bug 1077291CVE-2018-5089 at SUSECVE-2018-5089 at NVDCVE-2018-5091 at SUSECVE-2018-5091 at NVDCVE-2018-5095 at SUSECVE-2018-5095 at NVDCVE-2018-5096 at SUSECVE-2018-5096 at NVDCVE-2018-5097 at SUSECVE-2018-5097 at NVDCVE-2018-5098 at SUSECVE-2018-5098 at NVDCVE-2018-5099 at SUSECVE-2018-5099 at NVDCVE-2018-5102 at SUSECVE-2018-5102 at NVDCVE-2018-5103 at SUSECVE-2018-5103 at NVDCVE-2018-5104 at SUSECVE-2018-5104 at NVDCVE-2018-5117 at SUSECVE-2018-5117 at NVDcpe:/o:suse:sles:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3
This update for MozillaFirefox fixes the following issues:
Security issues fixed:
- Update to Mozilla Firefox 60.3.0esr: MFSA 2018-27 (bsc#1112852)
- CVE-2018-12392: Crash with nested event loops.
- CVE-2018-12393: Integer overflow during Unicode conversion while loading JavaScript.
- CVE-2018-12395: WebExtension bypass of domain restrictions through header rewriting.
- CVE-2018-12396: WebExtension content scripts can execute in disallowed contexts.
- CVE-2018-12397: WebExtension local file access vulnerability.
- CVE-2018-12389: Memory safety bugs fixed in Firefox ESR 60.3.
- CVE-2018-12390: Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3.
ImportantSUSE bug 1112852CVE-2018-12389 at SUSECVE-2018-12389 at NVDCVE-2018-12390 at SUSECVE-2018-12390 at NVDCVE-2018-12392 at SUSECVE-2018-12392 at NVDCVE-2018-12393 at SUSECVE-2018-12393 at NVDCVE-2018-12395 at SUSECVE-2018-12395 at NVDCVE-2018-12396 at SUSECVE-2018-12396 at NVDCVE-2018-12397 at SUSECVE-2018-12397 at NVDcpe:/o:suse:sles:12:sp3Security update for systemd (Important)SUSE Linux Enterprise Server 12 SP3
This update for systemd fixes the following issues:
Security issues fixed:
- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632)
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665)
Non-security issues fixed:
- dhcp6: split assert_return() to be more debuggable when hit
- core: skip unit deserialization and move to the next one when unit_deserialize() fails
- core: properly handle deserialization of unknown unit types (#6476)
- core: don't create Requires for workdir if 'missing ok' (bsc#1113083)
- logind: use manager_get_user_by_pid() where appropriate
- logind: rework manager_get_{user|session}_by_pid() a bit
- login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024)
- core: be more defensive if we can't determine per-connection socket peer (#7329)
- socket-util: introduce port argument in sockaddr_port()
- service: fixup ExecStop for socket-activated shutdown (#4120)
- service: Continue shutdown on socket activated unit on termination (#4108) (bsc#1106923)
- cryptsetup: build fixes for 'add support for sector-size= option'
- udev-rules: IMPORT cmdline does not recognize keys with similar names (bsc#1111278)
- core: keep the kernel coredump defaults when systemd-coredump is disabled
- core: shorten main() a bit, split out coredump initialization
- core: set RLIMIT_CORE to unlimited by default (bsc#1108835)
- core/mount: fstype may be NULL
- journald: don't ship systemd-journald-audit.socket (bsc#1109252)
- core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445)
- mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076)
- tmp.mount.hm4: After swap.target (#3087)
- Ship systemd-sysv-install helper via the main package
This script was part of systemd-sysvinit sub-package but it was
wrong since systemd-sysv-install is a script used to redirect
enable/disable operations to chkconfig when the unit targets are
sysv init scripts. Therefore it's never been a SySV init tool.
ImportantSUSE bug 1106923SUSE bug 1108835SUSE bug 1109252SUSE bug 1110445SUSE bug 1111278SUSE bug 1112024SUSE bug 1113083SUSE bug 1113632SUSE bug 1113665CVE-2018-15686 at SUSECVE-2018-15686 at NVDCVE-2018-15688 at SUSECVE-2018-15688 at NVDcpe:/o:suse:sles:12:sp3Security update for postgresql10 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for postgresql10 fixes the following issues:
Security issue fixed:
- CVE-2018-16850: Fixed improper quoting of transition table names when pg_dump emits CREATE TRIGGER could have caused privilege escalation (bsc#1114837).
Non-security issues fixed:
- Update to release 10.6:
* https://www.postgresql.org/docs/current/static/release-10-6.html
ModerateSUSE bug 1114837CVE-2018-16850 at SUSECVE-2018-16850 at NVDcpe:/o:suse:sles:12:sp3Security update for squid (Important)SUSE Linux Enterprise Server 12 SP3
This update for squid fixes the following issues:
Security issues fixed:
- CVE-2018-19131: Fixed Cross-Site-Scripting vulnerability in the TLS error handling (bsc#1113668).
- CVE-2018-19132: Fixed small memory leak in processing of SNMP packets (bsc#1113669).
Non-security issues fixed:
- Create runtime directories needed when SMP mode is enabled (bsc#1112695, bsc#1112066).
- Install license correctly (bsc#1082318).
ImportantSUSE bug 1082318SUSE bug 1112066SUSE bug 1112695SUSE bug 1113668SUSE bug 1113669CVE-2018-19131 at SUSECVE-2018-19131 at NVDCVE-2018-19132 at SUSECVE-2018-19132 at NVDcpe:/o:suse:sles:12:sp3Security update for mariadb (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for mariadb to version 10.0.33 fixes several issues.
These security issues were fixed:
- CVE-2017-10378: Vulnerability in subcomponent: Server: Optimizer. Easily
exploitable vulnerability allowed low privileged attacker with network access
via multiple protocols to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or frequently
repeatable crash (complete DOS) of MySQL Server (bsc#1064115).
- CVE-2017-10268: Vulnerability in subcomponent: Server: Replication. Difficult
to exploit vulnerability allowed high privileged attacker with logon to the
infrastructure where MySQL Server executes to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized access to
critical data or complete access to all MySQL Server accessible data
(bsc#1064101).
These non-security issues were fixed:
- CHECK TABLE no longer returns an error when run on a CONNECT table
- 'Undo log record is too big.' error occurring in very narrow range of string
lengths
- Race condition between INFORMATION_SCHEMA.INNODB_SYS_TABLESTATS and
ALTER/DROP/TRUNCATE TABLE
- Wrong result after altering a partitioned table fixed bugs in InnoDB FULLTEXT
INDEX
- InnoDB FTS duplicate key error
- InnoDB crash after failed ADD INDEX and table_definition_cache eviction
- fts_create_doc_id() unnecessarily allocates 8 bytes for every inserted row
- IMPORT TABLESPACE may corrupt ROW_FORMAT=REDUNDANT tables
For additional details please see https://kb.askmonty.org/en/mariadb-10033-changelog
ModerateSUSE bug 1058722SUSE bug 1064101SUSE bug 1064115SUSE bug 1076505CVE-2017-10268 at SUSECVE-2017-10268 at NVDCVE-2017-10378 at SUSECVE-2017-10378 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3
The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.114 to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis (bnc#1068032).
The previous fix using CPU Microcode has been complemented by building the Linux Kernel with return trampolines aka 'retpolines'.
- CVE-2017-15129: A use-after-free vulnerability was found in network namespaces code affecting the Linux kernel in the function get_net_ns_by_id() in net/core/net_namespace.c did not check for the net::count value after it has found a peer network in netns_ids idr, which could lead to double free and memory corruption. This vulnerability could allow an unprivileged local user to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is thought to be unlikely (bnc#1074839).
- CVE-2017-17712: The raw_sendmsg() function in net/ipv4/raw.c in the Linux kernel has a race condition in inet->hdrincl that leads to uninitialized stack pointer usage; this allowed a local user to execute code and gain privileges (bnc#1073229).
- CVE-2017-17862: kernel/bpf/verifier.c in the Linux kernel ignored unreachable code, even though it would still be processed by JIT compilers. This behavior, also considered an improper branch-pruning logic issue, could possibly be used by local users for denial of service (bnc#1073928).
- CVE-2017-17864: kernel/bpf/verifier.c in the Linux kernel mishandled states_equal comparisons between the pointer data type and the UNKNOWN_VALUE data type, which allowed local users to obtain potentially sensitive address information, aka a 'pointer leak (bnc#1073928).
- CVE-2017-18017: The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel allowed remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action (bnc#1074488).
- CVE-2018-5332: In the Linux kernel the rds_message_alloc_sgs() function did not validate a value that is used during DMA page allocation, leading to a heap-based out-of-bounds write (related to the rds_rdma_extra_size function in net/rds/rdma.c) (bnc#1075621).
- CVE-2018-5333: In the Linux kernel the rds_cmsg_atomic function in net/rds/rdma.c mishandled cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference (bnc#1075617).
- CVE-2018-1000004: In the Linux kernel a race condition vulnerability existed in the sound system, this can lead to a deadlock and denial of service condition (bnc#1076017).
The following non-security bugs were fixed:
- 8021q: fix a memory leak for VLAN 0 device (bnc#1012382).
- acpi / scan: Prefer devices without _HID/_CID for _ADR matching (bnc#1012382).
- af_key: fix buffer overread in parse_exthdrs() (bnc#1012382).
- af_key: fix buffer overread in verify_address_len() (bnc#1012382).
- afs: Adjust mode bits processing (bnc#1012382).
- afs: Connect up the CB.ProbeUuid (bnc#1012382).
- afs: Fix afs_kill_pages() (bnc#1012382).
- afs: Fix missing put_page() (bnc#1012382).
- afs: Fix page leak in afs_write_begin() (bnc#1012382).
- afs: Fix the maths in afs_fs_store_data() (bnc#1012382).
- afs: Flush outstanding writes when an fd is closed (bnc#1012382).
- afs: Migrate vlocation fields to 64-bit (bnc#1012382).
- afs: Populate and use client modification time (bnc#1012382).
- afs: Populate group ID from vnode status (bnc#1012382).
- afs: Prevent callback expiry timer overflow (bnc#1012382).
- alpha: fix build failures (bnc#1012382).
- alsa: aloop: Fix inconsistent format due to incomplete rule (bsc#1031717).
- alsa: aloop: Fix racy hw constraints adjustment (bsc#1031717).
- alsa: aloop: Release cable upon open error path (bsc#1031717).
- alsa: hda - Add HP ZBook 15u G3 Conexant CX20724 GPIO mute leds (bsc#1031717).
- alsa: hda - Add MIC_NO_PRESENCE fixup for 2 HP machines (bsc#1031717).
- alsa: hda - Add mute led support for HP EliteBook 840 G3 (bsc#1031717).
- alsa: hda - Add mute led support for HP ProBook 440 G4 (bsc#1031717).
- alsa: hda - add support for docking station for HP 820 G2 (bsc#1031717).
- alsa: hda - add support for docking station for HP 840 G3 (bsc#1031717).
- alsa: hda - Apply headphone noise quirk for another Dell XPS 13 variant (bsc#1031717).
- alsa: hda - Apply the existing quirk to iMac 14,1 (bsc#1031717).
- alsa: hda - change the location for one mic on a Lenovo machine (bsc#1031717).
- alsa: hda: Drop useless WARN_ON() (bsc#1031717).
- alsa: hda - Fix click noises on Samsung Ativ Book 8 (bsc#1031717).
- alsa: hda - fix headset mic detection issue on a Dell machine (bsc#1031717).
- alsa: hda - fix headset mic problem for Dell machines with alc274 (bsc#1031717).
- alsa: hda - Fix headset microphone detection for ASUS N551 and N751 (bsc#1031717).
- alsa: hda - Fix mic regression by ASRock mobo fixup (bsc#1031717).
- alsa: hda - Fix missing COEF init for ALC225/295/299 (bsc#1031717).
- alsa: hda - Fix surround output pins for ASRock B150M mobo (bsc#1031717).
- alsa: hda - On-board speaker fixup on ACER Veriton (bsc#1031717).
- alsa: hda/realtek - Add ALC256 HP depop function (bsc#1031717).
- alsa: hda/realtek - Add default procedure for suspend and resume state (bsc#1031717).
- alsa: hda/realtek - Add support for Acer Aspire E5-475 headset mic (bsc#1031717).
- alsa: hda/realtek - Add support for ALC1220 (bsc#1031717).
- alsa: hda/realtek - Add support for headset MIC for ALC622 (bsc#1031717).
- alsa: hda/realtek - ALC891 headset mode for Dell (bsc#1031717).
- alsa: hda/realtek - change the location for one of two front microphones (bsc#1031717).
- alsa: hda/realtek - Enable jack detection function for Intel ALC700 (bsc#1031717).
- alsa: hda/realtek - Fix ALC275 no sound issue (bsc#1031717).
- alsa: hda/realtek - Fix Dell AIO LineOut issue (bsc#1031717).
- alsa: hda/realtek - Fix headset and mic on several Asus laptops with ALC256 (bsc#1031717).
- alsa: hda/realtek - Fix headset mic and speaker on Asus X441SA/X441UV (bsc#1031717).
- alsa: hda/realtek - fix headset mic detection for MSI MS-B120 (bsc#1031717).
- alsa: hda/realtek - Fix headset mic on several Asus laptops with ALC255 (bsc#1031717).
- alsa: hda/realtek - Fix pincfg for Dell XPS 13 9370 (bsc#1031717).
- alsa: hda/realtek - Fix speaker support for Asus AiO ZN270IE (bsc#1031717).
- alsa: hda/realtek - Fix typo of pincfg for Dell quirk (bsc#1031717).
- alsa: hda/realtek - New codec device ID for ALC1220 (bsc#1031717).
- alsa: hda/realtek - New codecs support for ALC215/ALC285/ALC289 (bsc#1031717).
- alsa: hda/realtek - New codec support for ALC257 (bsc#1031717).
- alsa: hda/realtek - New codec support of ALC1220 (bsc#1031717).
- alsa: hda/realtek - No loopback on ALC225/ALC295 codec (bsc#1031717).
- alsa: hda/realtek - Remove ALC285 device ID (bsc#1031717).
- alsa: hda/realtek - Support Dell headset mode for ALC3271 (bsc#1031717).
- alsa: hda/realtek - Support headset mode for ALC234/ALC274/ALC294 (bsc#1031717).
- alsa: hda/realtek - There is no loopback mixer in the ALC234/274/294 (bsc#1031717).
- alsa: hda/realtek - Update headset mode for ALC225 (bsc#1031717).
- alsa: hda/realtek - Update headset mode for ALC298 (bsc#1031717).
- alsa: hda - Skip Realtek SKU check for Lenovo machines (bsc#1031717).
- alsa: pcm: Abort properly at pending signal in OSS read/write loops (bsc#1031717).
- alsa: pcm: Add missing error checks in OSS emulation plugin builder (bsc#1031717).
- alsa: pcm: Allow aborting mutex lock at OSS read/write loops (bsc#1031717).
- alsa: pcm: prevent UAF in snd_pcm_info (bsc#1031717).
- alsa: pcm: Remove incorrect snd_BUG_ON() usages (bsc#1031717).
- alsa: pcm: Remove yet superfluous WARN_ON() (bsc#1031717).
- alsa: rawmidi: Avoid racy info ioctl via ctl device (bsc#1031717).
- alsa: seq: Remove spurious WARN_ON() at timer check (bsc#1031717).
- alsa: usb-audio: Add check return value for usb_string() (bsc#1031717).
- alsa: usb-audio: Fix out-of-bound error (bsc#1031717).
- alsa: usb-audio: Fix the missing ctl name suffix at parsing SU (bsc#1031717).
- arc: uaccess: dont use 'l' gcc inline asm constraint modifier (bnc#1012382).
- arm64: Add skeleton to harden the branch predictor against aliasing attacks (bsc#1068032).
- arm64: Add trace_hardirqs_off annotation in ret_to_user (bsc#1068032).
- arm64: Branch predictor hardening for Cavium ThunderX2 (bsc#1068032).
- arm64/cpufeature: do not use mutex in bringup path (bsc#1068032).
- arm64: cpufeature: Pass capability structure to ->enable callback (bsc#1068032).
- arm64: cputype: Add MIDR values for Cavium ThunderX2 CPUs (bsc#1068032).
- arm64: cputype: Add missing MIDR values for Cortex-A72 and Cortex-A75 (bsc#1068032).
- arm64: debug: remove unused local_dbg_{enable, disable} macros (bsc#1068032).
- arm64: Define cputype macros for Falkor CPU (bsc#1068032).
- arm64: Disable TTBR0_EL1 during normal kernel execution (bsc#1068032).
- arm64: Do not force KPTI for CPUs that are not vulnerable (bsc#1076187).
- arm64: do not pull uaccess.h into *.S (bsc#1068032).
- arm64: Enable CONFIG_ARM64_SW_TTBR0_PAN (bsc#1068032).
- arm64: entry: Add exception trampoline page for exceptions from EL0 (bsc#1068032).
- arm64: entry: Add fake CPU feature for unmapping the kernel at EL0 (bsc#1068032).
- arm64: entry: Explicitly pass exception level to kernel_ventry macro (bsc#1068032).
- arm64: entry: Hook up entry trampoline to exception vectors (bsc#1068032).
- arm64: entry: remove pointless SPSR mode check (bsc#1068032).
- arm64: entry.S convert el0_sync (bsc#1068032).
- arm64: entry.S: convert el1_sync (bsc#1068032).
- arm64: entry.S: convert elX_irq (bsc#1068032).
- arm64: entry.S: move SError handling into a C function for future expansion (bsc#1068032).
- arm64: entry.S: Remove disable_dbg (bsc#1068032).
- arm64: erratum: Work around Falkor erratum #E1003 in trampoline code (bsc#1068032).
- arm64: explicitly mask all exceptions (bsc#1068032).
- arm64: factor out entry stack manipulation (bsc#1068032).
- arm64: factor out PAGE_* and CONT_* definitions (bsc#1068032).
- arm64: Factor out PAN enabling/disabling into separate uaccess_* macros (bsc#1068032).
- arm64: Factor out TTBR0_EL1 post-update workaround into a specific asm macro (bsc#1068032).
- arm64: factor work_pending state machine to C (bsc#1068032).
- arm64: fpsimd: Prevent registers leaking from dead tasks (bnc#1012382).
- arm64: Handle el1 synchronous instruction aborts cleanly (bsc#1068032).
- arm64: Handle faults caused by inadvertent user access with PAN enabled (bsc#1068032).
- arm64: head.S: get rid of x25 and x26 with 'global' scope (bsc#1068032).
- arm64: Implement branch predictor hardening for affected Cortex-A CPUs (bsc#1068032).
- arm64: Implement branch predictor hardening for Falkor (bsc#1068032).
- arm64: Initialise high_memory global variable earlier (bnc#1012382).
- arm64: introduce an order for exceptions (bsc#1068032).
- arm64: introduce mov_q macro to move a constant into a 64-bit register (bsc#1068032).
- arm64: Introduce uaccess_{disable,enable} functionality based on TTBR0_EL1 (bsc#1068032).
- arm64: kaslr: Put kernel vectors address in separate data page (bsc#1068032).
- arm64: Kconfig: Add CONFIG_UNMAP_KERNEL_AT_EL0 (bsc#1068032).
- arm64: Kconfig: Reword UNMAP_KERNEL_AT_EL0 kconfig entry (bsc#1068032).
- arm64: kill ESR_LNX_EXEC (bsc#1068032).
- arm64: kpti: Fix the interaction between ASID switching and software PAN (bsc#1068032).
- arm64: kvm: Fix SMCCC handling of unimplemented SMC/HVC calls (bsc#1076232).
- arm64: kvm: fix VTTBR_BADDR_MASK BUG_ON off-by-one (bnc#1012382).
- arm64: kvm: Make PSCI_VERSION a fast path (bsc#1068032).
- arm64: kvm: Use per-CPU vector when BP hardening is enabled (bsc#1068032).
- arm64: Mask all exceptions during kernel_exit (bsc#1068032).
- arm64: mm: Add arm64_kernel_unmapped_at_el0 helper (bsc#1068032).
- arm64: mm: Allocate ASIDs in pairs (bsc#1068032).
- arm64: mm: Fix and re-enable ARM64_SW_TTBR0_PAN (bsc#1068032).
- arm64: mm: hardcode rodata=true (bsc#1068032).
- arm64: mm: Introduce TTBR_ASID_MASK for getting at the ASID in the TTBR (bsc#1068032).
- arm64: mm: Invalidate both kernel and user ASIDs when performing TLBI (bsc#1068032).
- arm64: mm: Map entry trampoline into trampoline and kernel page tables (bsc#1068032).
- arm64: mm: Move ASID from TTBR0 to TTBR1 (bsc#1068032).
- arm64: mm: Remove pre_ttbr0_update_workaround for Falkor erratum #E1003 (bsc#1068032).
- arm64: mm: Rename post_ttbr0_update_workaround (bsc#1068032).
- arm64: mm: Temporarily disable ARM64_SW_TTBR0_PAN (bsc#1068032).
- arm64: mm: Use non-global mappings for kernel space (bsc#1068032).
- arm64: Move BP hardening to check_and_switch_context (bsc#1068032).
- arm64: Move post_ttbr_update_workaround to C code (bsc#1068032).
- arm64: Move the async/fiq helpers to explicitly set process context flags (bsc#1068032).
- arm64: SW PAN: Point saved ttbr0 at the zero page when switching to init_mm (bsc#1068032).
- arm64: SW PAN: Update saved ttbr0 value on enter_lazy_tlb (bsc#1068032).
- arm64: swp emulation: bound LL/SC retries before rescheduling (bsc#1068032).
- arm64: sysreg: Fix unprotected macro argmuent in write_sysreg (bsc#1068032).
- arm64: Take into account ID_AA64PFR0_EL1.CSV3 (bsc#1068032).
- arm64: thunderx2: remove branch predictor hardening References: bsc#1076232 This causes undefined instruction abort on the smc call from guest kernel. Disable until kvm is fixed.
- arm64: tls: Avoid unconditional zeroing of tpidrro_el0 for native tasks (bsc#1068032).
- arm64: Turn on KPTI only on CPUs that need it (bsc#1076187).
- arm64: use alternative auto-nop (bsc#1068032).
- arm64: use RET instruction for exiting the trampoline (bsc#1068032).
- arm64: xen: Enable user access before a privcmd hvc call (bsc#1068032).
- arm/arm64: kvm: Make default HYP mappings non-excutable (bsc#1068032).
- arm: avoid faulting on qemu (bnc#1012382).
- arm: BUG if jumping to usermode address in kernel mode (bnc#1012382).
- arm-ccn: perf: Prevent module unload while PMU is in use (bnc#1012382).
- arm: dma-mapping: disallow dma_get_sgtable() for non-kernel managed memory (bnc#1012382).
- arm: dts: am335x-evmsk: adjust mmc2 param to allow suspend (bnc#1012382).
- arm: dts: kirkwood: fix pin-muxing of MPP7 on OpenBlocks A7 (bnc#1012382).
- arm: dts: omap3: logicpd-torpedo-37xx-devkit: Fix MMC1 cd-gpio (bnc#1012382).
- arm: dts: ti: fix PCI bus dtc warnings (bnc#1012382).
- arm: kprobes: Align stack to 8-bytes in test code (bnc#1012382).
- arm: kprobes: Fix the return address of multiple kretprobes (bnc#1012382).
- arm: kvm: Fix VTTBR_BADDR_MASK BUG_ON off-by-one (bnc#1012382).
- arm: OMAP1: DMA: Correct the number of logical channels (bnc#1012382).
- arm: OMAP2+: Fix device node reference counts (bnc#1012382).
- arm: OMAP2+: gpmc-onenand: propagate error on initialization failure (bnc#1012382).
- arm: OMAP2+: Release device node after it is no longer needed (bnc#1012382).
- asm-prototypes: Clear any CPP defines before declaring the functions (git-fixes).
- asn.1: check for error from ASN1_OP_END__ACT actions (bnc#1012382).
- asn.1: fix out-of-bounds read when parsing indefinite length item (bnc#1012382).
- asoc: fsl_ssi: AC'97 ops need regmap, clock and cleaning up on failure (bsc#1031717).
- asoc: twl4030: fix child-node lookup (bsc#1031717).
- asoc: wm_adsp: Fix validation of firmware and coeff lengths (bsc#1031717).
- ath9k: fix tx99 potential info leak (bnc#1012382).
- atm: horizon: Fix irq release error (bnc#1012382).
- audit: ensure that 'audit=1' actually enables audit for PID 1 (bnc#1012382).
- axonram: Fix gendisk handling (bnc#1012382).
- backlight: pwm_bl: Fix overflow condition (bnc#1012382).
- bcache: add a comment in journal bucket reading (bsc#1076110).
- bcache: Avoid nested function definition (bsc#1076110).
- bcache: bch_allocator_thread() is not freezable (bsc#1076110).
- bcache: bch_writeback_thread() is not freezable (bsc#1076110).
- bcache: check return value of register_shrinker (bsc#1076110).
- bcache: documentation formatting, edited for clarity, stripe alignment notes (bsc#1076110).
- bcache: documentation updates and corrections (bsc#1076110).
- bcache: Do not reinvent the wheel but use existing llist API (bsc#1076110).
- bcache: do not write back data if reading it failed (bsc#1076110).
- bcache: explicitly destroy mutex while exiting (bnc#1012382).
- bcache: fix a comments typo in bch_alloc_sectors() (bsc#1076110).
- bcache: Fix building error on MIPS (bnc#1012382).
- bcache: fix sequential large write IO bypass (bsc#1076110).
- bcache: fix wrong cache_misses statistics (bnc#1012382).
- bcache: gc does not work when triggering by manual command (bsc#1076110, bsc#1038078).
- bcache: implement PI controller for writeback rate (bsc#1076110).
- bcache: increase the number of open buckets (bsc#1076110).
- bcache: only permit to recovery read error when cache device is clean (bnc#1012382 bsc#1043652).
- bcache: partition support: add 16 minors per bcacheN device (bsc#1076110, bsc#1019784).
- bcache: rearrange writeback main thread ratelimit (bsc#1076110).
- bcache: recover data from backing when data is clean (bnc#1012382 bsc#1043652).
- bcache: Remove redundant set_capacity (bsc#1076110).
- bcache: remove unused parameter (bsc#1076110).
- bcache: rewrite multiple partitions support (bsc#1076110, bsc#1038085).
- bcache: safeguard a dangerous addressing in closure_queue (bsc#1076110).
- bcache: silence static checker warning (bsc#1076110).
- bcache: smooth writeback rate control (bsc#1076110).
- bcache.txt: standardize document format (bsc#1076110).
- bcache: update bio->bi_opf bypass/writeback REQ_ flag hints (bsc#1076110).
- bcache: update bucket_in_use in real time (bsc#1076110).
- bcache: Update continue_at() documentation (bsc#1076110).
- bcache: use kmalloc to allocate bio in bch_data_verify() (bsc#1076110).
- bcache: use llist_for_each_entry_safe() in __closure_wake_up() (bsc#1076110).
- bcache: writeback rate clamping: make 32 bit safe (bsc#1076110).
- bcache: writeback rate shouldn't artifically clamp (bsc#1076110).
- be2net: restore properly promisc mode after queues reconfiguration (bsc#963844 FATE#320192).
- block: wake up all tasks blocked in get_request() (bnc#1012382).
- bluetooth: btusb: driver to enable the usb-wakeup feature (bnc#1012382).
- bnx2x: do not rollback VF MAC/VLAN filters we did not configure (bnc#1012382).
- bnx2x: fix possible overrun of VFPF multicast addresses array (bnc#1012382).
- bnx2x: prevent crash when accessing PTP with interface down (bnc#1012382).
- btrfs: add missing memset while reading compressed inline extents (bnc#1012382).
- btrfs: clear space cache inode generation always (bnc#1012382).
- btrfs: embed extent_changeset::range_changed to the structure (dependent patch, bsc#1031395).
- btrfs: qgroup: Fix qgroup reserved space underflow by only freeing reserved ranges (bsc#1031395).
- btrfs: qgroup: Fix qgroup reserved space underflow caused by buffered write and quotas being enabled (bsc#1031395).
- btrfs: qgroup: Introduce extent changeset for qgroup reserve functions (dependent patch, bsc#1031395).
- btrfs: qgroup: Return actually freed bytes for qgroup release or free data (bsc#1031395).
- btrfs: qgroup-test: Fix backport error in qgroup selftest (just to make CONFIG_BTRFS_FS_RUN_SANITY_TESTS pass compile).
- btrfs: ulist: make the finalization function public (dependent patch, bsc#1031395).
- btrfs: ulist: rename ulist_fini to ulist_release (dependent patch, bsc#1031395).
- can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once (bnc#1012382).
- can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once (bnc#1012382).
- can: ems_usb: cancel urb on -EPIPE and -EPROTO (bnc#1012382).
- can: esd_usb2: cancel urb on -EPIPE and -EPROTO (bnc#1012382).
- can: gs_usb: fix return value of the 'set_bittiming' callback (bnc#1012382).
- can: kvaser_usb: cancel urb on -EPIPE and -EPROTO (bnc#1012382).
- can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback() (bnc#1012382).
- can: kvaser_usb: free buf in error paths (bnc#1012382).
- can: kvaser_usb: ratelimit errors if incomplete messages are received (bnc#1012382).
- can: peak: fix potential bug in packet fragmentation (bnc#1012382).
- can: ti_hecc: Fix napi poll return value for repoll (bnc#1012382).
- can: usb_8dev: cancel urb on -EPIPE and -EPROTO (bnc#1012382).
- cdc-acm: apply quirk for card reader (bsc#1060279).
- cdrom: factor out common open_for_* code (bsc#1048585).
- cdrom: wait for tray to close (bsc#1048585).
- ceph: more accurate statfs (bsc#1077068).
- clk: imx6: refine hdmi_isfr's parent to make HDMI work on i.MX6 SoCs w/o VPU (bnc#1012382).
- clk: mediatek: add the option for determining PLL source clock (bnc#1012382).
- clk: tegra: Fix cclk_lp divisor register (bnc#1012382).
- config: arm64: enable HARDEN_BRANCH_PREDICTOR
- config: arm64: enable UNMAP_KERNEL_AT_EL0
- cpuidle: fix broadcast control when broadcast can not be entered (bnc#1012382).
- cpuidle: powernv: Pass correct drv->cpumask for registration (bnc#1012382).
- cpuidle: Validate cpu_dev in cpuidle_add_sysfs() (bnc#1012382).
- crypto: algapi - fix NULL dereference in crypto_remove_spawns() (bnc#1012382).
- crypto: chacha20poly1305 - validate the digest size (bnc#1012382).
- crypto: chelsio - select CRYPTO_GF128MUL (bsc#1048325).
- crypto: crypto4xx - increase context and scatter ring buffer elements (bnc#1012382).
- crypto: deadlock between crypto_alg_sem/rtnl_mutex/genl_mutex (bnc#1012382).
- crypto: mcryptd - protect the per-CPU queue with a lock (bnc#1012382).
- crypto: n2 - cure use after free (bnc#1012382).
- crypto: pcrypt - fix freeing pcrypt instances (bnc#1012382).
- crypto: s5p-sss - Fix completing crypto request in IRQ handler (bnc#1012382).
- crypto: tcrypt - fix buffer lengths in test_aead_speed() (bnc#1012382).
- cxl: Check if vphb exists before iterating over AFU devices (bsc#1066223).
- dax: Pass detailed error code from __dax_fault() (bsc#1072484).
- dccp: do not restart ccid2_hc_tx_rto_expire() if sk in closed state (bnc#1012382).
- delay: add poll_event_interruptible (bsc#1048585).
- dlm: fix malfunction of dlm_tool caused by debugfs changes (bsc#1077704).
- dmaengine: dmatest: move callback wait queue to thread context (bnc#1012382).
- dmaengine: Fix array index out of bounds warning in __get_unmap_pool() (bnc#1012382).
- dmaengine: pl330: fix double lock (bnc#1012382).
- dmaengine: ti-dma-crossbar: Correct am335x/am43xx mux value type (bnc#1012382).
- dm btree: fix serious bug in btree_split_beneath() (bnc#1012382).
- dm bufio: fix shrinker scans when (nr_to_scan < retain_target) (bnc#1012382).
- dm thin metadata: THIN_MAX_CONCURRENT_LOCKS should be 6 (bnc#1012382).
- drivers/firmware: Expose psci_get_version through psci_ops structure (bsc#1068032).
- drm/amd/amdgpu: fix console deadlock if late init failed (bnc#1012382).
- drm: extra printk() wrapper macros (bnc#1012382).
- drm/exynos/decon5433: set STANDALONE_UPDATE_F on output enablement (bnc#1012382).
- drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU (bnc#1012382).
- drm/omap: fix dmabuf mmap for dma_alloc'ed buffers (bnc#1012382).
- drm/radeon: fix atombios on big endian (bnc#1012382).
- drm/radeon: reinstate oland workaround for sclk (bnc#1012382).
- drm/radeon/si: add dpm quirk for Oland (bnc#1012382).
- drm/vmwgfx: Potential off by one in vmw_view_add() (bnc#1012382).
- dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0 (bnc#1012382).
- edac, i5000, i5400: Fix definition of NRECMEMB register (bnc#1012382).
- edac, i5000, i5400: Fix use of MTR_DRAM_WIDTH macro (bnc#1012382).
- edac, sb_edac: Fix missing break in switch (bnc#1012382).
- eeprom: at24: check at24_read/write arguments (bnc#1012382).
- efi/esrt: Cleanup bad memory map log messages (bnc#1012382).
- efi: Move some sysfs files to be read-only by root (bnc#1012382).
- eventpoll.h: add missing epoll event masks (bnc#1012382).
- ext4: fix crash when a directory's i_size is too small (bnc#1012382).
- ext4: Fix ENOSPC handling in DAX page fault handle (bsc#1072484).
- ext4: fix fdatasync(2) after fallocate(2) operation (bnc#1012382).
- fbdev: controlfb: Add missing modes to fix out of bounds access (bnc#1012382).
- Fix EX_SIZE. We do not have the patches that shave off parts of the exception data.
- Fix mishandling of cases with MSR not being present (writing to MSR even though _state == -1).
- Fix return value from ib[rs|pb]_enabled()
- Fixup hang when calling 'nvme list' on all paths down (bsc#1070052).
- fjes: Fix wrong netdevice feature flags (bnc#1012382).
- flow_dissector: properly cap thoff field (bnc#1012382).
- fm10k: ensure we process SM mbx when processing VF mbx (bnc#1012382).
- fork: clear thread stack upon allocation (bsc#1077560).
- fscache: Fix the default for fscache_maybe_release_page() (bnc#1012382).
- futex: Prevent overflow by strengthen input validation (bnc#1012382).
- gcov: disable for COMPILE_TEST (bnc#1012382).
- gfs2: Take inode off order_write list when setting jdata flag (bnc#1012382).
- gpio: altera: Use handle_level_irq when configured as a level_high (bnc#1012382).
- hid: chicony: Add support for another ASUS Zen AiO keyboard (bnc#1012382).
- hid: xinmo: fix for out of range for THT 2P arcade controller (bnc#1012382).
- hrtimer: Reset hrtimer cpu base proper on CPU hotplug (bnc#1012382).
- hv: kvp: Avoid reading past allocated blocks from KVP file (bnc#1012382).
- hwmon: (asus_atk0110) fix uninitialized data access (bnc#1012382).
- i40iw: Account for IPv6 header when setting MSS (bsc#1024376 FATE#321249).
- i40iw: Allocate a sdbuf per CQP WQE (bsc#1024376 FATE#321249).
- i40iw: Cleanup AE processing (bsc#1024376 FATE#321249).
- i40iw: Clear CQP Head/Tail during initialization (bsc#1024376 FATE#321249).
- i40iw: Correct ARP index mask (bsc#1024376 FATE#321249).
- i40iw: Do not allow posting WR after QP is flushed (bsc#1024376 FATE#321249).
- i40iw: Do not free sqbuf when event is I40IW_TIMER_TYPE_CLOSE (bsc#1024376 FATE#321249).
- i40iw: Do not generate CQE for RTR on QP flush (bsc#1024376 FATE#321249).
- i40iw: Do not retransmit MPA request after it is ACKed (bsc#1024376 FATE#321249).
- i40iw: Fixes for static checker warnings (bsc#1024376 FATE#321249).
- i40iw: Ignore AE source field in AEQE for some AEs (bsc#1024376 FATE#321249).
- i40iw: Move cqp_cmd_head init to CQP initialization (bsc#1024376 FATE#321249).
- i40iw: Move exception_lan_queue to VSI structure (bsc#1024376 FATE#321249).
- i40iw: Move MPA request event for loopback after connect (bsc#1024376 FATE#321249).
- i40iw: Notify user of established connection after QP in RTS (bsc#1024376 FATE#321249).
- i40iw: Reinitialize IEQ on MTU change (bsc#1024376 FATE#321249).
- ib/hfi1: Fix misspelling in comment (bsc#973818, fate#319242).
- ib/hfi1: Prevent kernel QP post send hard lockups (bsc#973818 FATE#319242).
- ib/ipoib: Fix lockdep issue found on ipoib_ib_dev_heavy_flush (git-fixes).
- ib/ipoib: Fix race condition in neigh creation (bsc#1022595 FATE#322350).
- ib/ipoib: Grab rtnl lock on heavy flush when calling ndo_open/stop (bnc#1012382).
- ib/mlx4: Increase maximal message size under UD QP (bnc#1012382).
- ib/mlx5: Assign send CQ and recv CQ of UMR QP (bnc#1012382).
- ib/mlx5: Serialize access to the VMA list (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- ibmvnic: Allocate and request vpd in init_resources (bsc#1076872).
- ibmvnic: Do not handle RX interrupts when not up (bsc#1075066).
- ibmvnic: Fix IP offload control buffer (bsc#1076899).
- ibmvnic: Fix IPv6 packet descriptors (bsc#1076899).
- ibmvnic: Fix pending MAC address changes (bsc#1075627).
- ibmvnic: Modify buffer size and number of queues on failover (bsc#1076872).
- ibmvnic: Revert to previous mtu when unsupported value requested (bsc#1076872).
- ibmvnic: Wait for device response when changing MAC (bsc#1078681).
- ib/rdmavt: restore IRQs on error path in rvt_create_ah() (bsc#973818, fate#319242).
- ib/srpt: Disable RDMA access by the initiator (bnc#1012382).
- ib/srpt: Fix ACL lookup during login (bsc#1024296 FATE#321265).
- ib/uverbs: Fix command checking as part of ib_uverbs_ex_modify_qp() (FATE#321231 FATE#321473 FATE#322153 FATE#322149).
- igb: check memory allocation failure (bnc#1012382).
- ima: fix hash algorithm initialization (bnc#1012382).
- inet: frag: release spinlock before calling icmp_send() (bnc#1012382).
- input: 88pm860x-ts - fix child-node lookup (bnc#1012382).
- input: elantech - add new icbody type 15 (bnc#1012382).
- input: i8042 - add TUXEDO BU1406 (N24_25BU) to the nomux list (bnc#1012382).
- input: trackpoint - force 3 buttons if 0 button is reported (bnc#1012382).
- input: twl4030-vibra - fix sibling-node lookup (bnc#1012382).
- input: twl6040-vibra - fix child-node lookup (bnc#1012382).
- input: twl6040-vibra - fix DT node memory management (bnc#1012382).
- intel_th: pci: Add Gemini Lake support (bnc#1012382).
- iommu/arm-smmu-v3: Do not free page table ops twice (bnc#1012382).
- iommu/vt-d: Fix scatterlist offset handling (bnc#1012382).
- ip6_gre: remove the incorrect mtu limit for ipgre tap (bsc#1022912 FATE#321246).
- ip6_tunnel: disable dst caching if tunnel is dual-stack (bnc#1012382).
- ip_gre: remove the incorrect mtu limit for ipgre tap (bsc#1022912 FATE#321246).
- ipmi: Stop timers before cleaning up the module (bnc#1012382).
- ipv4: Fix use-after-free when flushing FIB tables (bnc#1012382).
- ipv4: igmp: guard against silly MTU values (bnc#1012382).
- ipv4: Make neigh lookup keys for loopback/point-to-point devices be INADDR_ANY (bnc#1012382).
- ipv6: Fix getsockopt() for sockets with default IPV6_AUTOFLOWLABEL (bnc#1012382).
- ipv6: fix possible mem leaks in ipv6_make_skb() (bnc#1012382).
- ipv6: fix udpv6 sendmsg crash caused by too small MTU (bnc#1012382).
- ipv6: ip6_make_skb() needs to clear cork.base.dst (git-fixes).
- ipv6: mcast: better catch silly mtu values (bnc#1012382).
- ipv6: reorder icmpv6_init() and ip6_mr_init() (bnc#1012382).
- ipvlan: fix ipv6 outbound device (bnc#1012382).
- ipvlan: remove excessive packet scrubbing (bsc#1070799).
- irda: vlsi_ir: fix check for DMA mapping errors (bnc#1012382).
- irqchip/crossbar: Fix incorrect type of register size (bnc#1012382).
- iscsi_iser: Re-enable 'iser_pi_guard' module parameter (bsc#1062129).
- iscsi-target: fix memory leak in lio_target_tiqn_addtpg() (bnc#1012382).
- iscsi-target: Make TASK_REASSIGN use proper se_cmd->cmd_kref (bnc#1012382).
- isdn: kcapi: avoid uninitialized data (bnc#1012382).
- iser-target: Fix possible use-after-free in connection establishment error (FATE#321732).
- iw_cxgb4: Only validate the MSN for successful completions (bnc#1012382).
- iw_cxgb4: reflect the original WR opcode in drain cqes (bsc#321658 FATE#1005778 bsc#321660 FATE#1005780 bsc#321661 FATE#1005781).
- iw_cxgb4: when flushing, complete all wrs in a chain (bsc#321658 FATE#1005778 bsc#321660 FATE#1005780 bsc#321661 FATE#1005781).
- ixgbe: fix use of uninitialized padding (bnc#1012382).
- jump_label: Invoke jump_label_test() via early_initcall() (bnc#1012382).
- kabi fix for new hash_cred function (bsc#1012917).
- kabi: Keep KVM stable after enable s390 wire up bpb feature (bsc#1076805).
- kABI: protect struct bpf_map (kabi).
- kABI: protect struct ipv6_pinfo (kabi).
- kABI: protect struct t10_alua_tg_pt_gp (kabi).
- kABI: protect struct usbip_device (kabi).
- kabi/severities: arm64: ignore cpu capability array
- kabi/severities: do not care about stuff_RSB
- kaiser: Set _PAGE_NX only if supported (bnc#1012382).
- kaiser: Set _PAGE_NX only if supported (bnc#1012382).
- kbuild: add '-fno-stack-check' to kernel build options (bnc#1012382).
- kbuild: modversions for EXPORT_SYMBOL() for asm (bsc#1074621 bsc#1068032).
- kbuild: pkg: use --transform option to prefix paths in tar (bnc#1012382).
- kdb: Fix handling of kallsyms_symbol_next() return value (bnc#1012382).
- kernel/acct.c: fix the acct->needcheck check in check_free_space() (bnc#1012382).
- kernel: make groups_sort calling a responsibility group_info allocators (bnc#1012382).
- kernel/signal.c: protect the SIGNAL_UNKILLABLE tasks from !sig_kernel_only() signals (bnc#1012382).
- kernel/signal.c: protect the traced SIGNAL_UNKILLABLE tasks from SIGKILL (bnc#1012382).
- kernel/signal.c: remove the no longer needed SIGNAL_UNKILLABLE check in complete_signal() (bnc#1012382).
- keys: add missing permission check for request_key() destination (bnc#1012382).
- kprobes/x86: Disable preemption in ftrace-based jprobes (bnc#1012382).
- kpti: Rename to PAGE_TABLE_ISOLATION (bnc#1012382).
- kpti: Report when enabled (bnc#1012382).
- kvm: Fix stack-out-of-bounds read in write_mmio (bnc#1012382).
- kvm: nVMX: reset nested_run_pending if the vCPU is going to be reset (bnc#1012382).
- kvm: nVMX: VMCLEAR should not cause the vCPU to shut down (bnc#1012382).
- kvm: pci-assign: do not map smm memory slot pages in vt-d page tables (bnc#1012382).
- kvm: s390: Enable all facility bits that are known good for passthrough (bsc#1076805).
- kvm: s390: wire up bpb feature (bsc#1076805).
- kvm: VMX: Fix enable VPID conditions (bnc#1012382).
- kvm: VMX: remove I/O port 0x80 bypass on Intel hosts (bnc#1012382).
- kvm: vmx: Scrub hardware GPRs at VM-exit (bnc#1012382 bsc#1068032).
- kvm: x86: Add memory barrier on vmcs field lookup (bnc#1012382).
- kvm: x86: correct async page present tracepoint (bnc#1012382).
- kvm: x86: Exit to user-mode on #UD intercept when emulator requires (bnc#1012382).
- kvm: X86: Fix load RFLAGS w/o the fixed bit (bnc#1012382).
- kvm: x86: fix RSM when PCID is non-zero (bnc#1012382).
- kvm: x86: inject exceptions produced by x86_decode_insn (bnc#1012382).
- kvm: x86: pvclock: Handle first-time write to pvclock-page contains random junk (bnc#1012382).
- l2tp: cleanup l2tp_tunnel_delete calls (bnc#1012382).
- lan78xx: Fix failure in USB Full Speed (bnc#1012382).
- libata: apply MAX_SEC_1024 to all LITEON EP1 series devices (bnc#1012382).
- libata: drop WARN from protocol error in ata_sff_qc_issue() (bnc#1012382).
- lib/genalloc.c: make the avail variable an atomic_long_t (bnc#1012382).
- macvlan: Only deliver one copy of the frame to the macvlan interface (bnc#1012382).
- md: more open-coded offset_in_page() (bsc#1076110).
- media: dvb: i2c transfers over usb cannot be done from stack (bnc#1012382).
- mfd: cros ec: spi: Do not send first message too soon (bnc#1012382).
- mfd: twl4030-audio: Fix sibling-node lookup (bnc#1012382).
- mfd: twl6040: Fix child-node lookup (bnc#1012382).
- mlxsw: reg: Fix SPVMLR max record count (bnc#1012382).
- mlxsw: reg: Fix SPVM max record count (bnc#1012382).
- mm: avoid returning VM_FAULT_RETRY from ->page_mkwrite handlers (bnc#1012382).
- mmc: core: Do not leave the block driver in a suspended state (bnc#1012382).
- mmc: mediatek: Fixed bug where clock frequency could be set wrong (bnc#1012382).
- mm: drop unused pmdp_huge_get_and_clear_notify() (bnc#1012382).
- mm: Handle 0 flags in _calc_vm_trans() macro (bnc#1012382).
- mm/mprotect: add a cond_resched() inside change_pmd_range() (bnc#1077871, bnc#1078002).
- mm/vmstat: Make NR_TLB_REMOTE_FLUSH_RECEIVED available even on UP (bnc#1012382).
- module: Add retpoline tag to VERMAGIC (bnc#1012382).
- module: set __jump_table alignment to 8 (bnc#1012382).
- more bio_map_user_iov() leak fixes (bnc#1012382).
- mtd: nand: Fix writing mtdoops to nand flash (bnc#1012382).
- net: Allow neigh contructor functions ability to modify the primary_key (bnc#1012382).
- net/appletalk: Fix kernel memory disclosure (bnc#1012382).
- net: bcmgenet: correct MIB access of UniMAC RUNT counters (bnc#1012382).
- net: bcmgenet: correct the RBUF_OVFL_CNT and RBUF_ERR_CNT MIB values (bnc#1012382).
- net: bcmgenet: power down internal phy if open or resume fails (bnc#1012382).
- net: bcmgenet: Power up the internal PHY before probing the MII (bnc#1012382).
- net: bcmgenet: reserved phy revisions must be checked first (bnc#1012382).
- net: bridge: fix early call to br_stp_change_bridge_id and plug newlink leaks (bnc#1012382).
- net: core: fix module type in sock_diag_bind (bnc#1012382).
- net: Do not allow negative values for busy_read and busy_poll sysctl interfaces (bnc#1012382).
- net: fec: fix multicast filtering hardware setup (bnc#1012382).
- netfilter: bridge: honor frag_max_size when refragmenting (bnc#1012382).
- netfilter: do not track fragmented packets (bnc#1012382).
- netfilter: ipvs: Fix inappropriate output of procfs (bnc#1012382).
- netfilter: nfnetlink_queue: fix secctx memory leak (bnc#1012382).
- netfilter: nfnetlink_queue: fix timestamp attribute (bsc#1074134).
- netfilter: nfnl_cthelper: fix a race when walk the nf_ct_helper_hash table (bnc#1012382).
- netfilter: nfnl_cthelper: Fix memory leak (bnc#1012382).
- netfilter: nfnl_cthelper: fix runtime expectation policy updates (bnc#1012382).
- net: Fix double free and memory corruption in get_net_ns_by_id() (bnc#1012382).
- net: igmp: fix source address check for IGMPv3 reports (bnc#1012382).
- net: igmp: Use correct source address on IGMPv3 reports (bnc#1012382).
- net: initialize msg.msg_flags in recvfrom (bnc#1012382).
- net: ipv4: fix for a race condition in raw_sendmsg (bnc#1012382).
- netlink: add a start callback for starting a netlink dump (bnc#1012382).
- net/mac80211/debugfs.c: prevent build failure with CONFIG_UBSAN=y (bnc#1012382).
- net/mlx5: Avoid NULL pointer dereference on steering cleanup (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5: Cleanup IRQs in case of unload failure (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- net/mlx5e: Add refcount to VXLAN structure (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- net/mlx5e: Fix ETS BW check (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- net/mlx5e: Fix features check of IPv6 traffic (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- net/mlx5e: Fix fixpoint divide exception in mlx5e_am_stats_compare (bsc#1015342).
- net/mlx5e: Fix possible deadlock of VXLAN lock (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- net/mlx5e: Prevent possible races in VXLAN control flow (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- net/mlx5: Fix error flow in CREATE_QP command (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5: Fix rate limit packet pacing naming and struct (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5: Stay in polling mode when command EQ destroy fails (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- net: mvmdio: disable/unprepare clocks in EPROBE_DEFER case (bnc#1012382).
- net: mvneta: clear interface link status on port disable (bnc#1012382).
- net: mvneta: eliminate wrong call to handle rx descriptor error (fate#319899).
- net: mvneta: use proper rxq_number in loop on rx queues (fate#319899).
- net/packet: fix a race in packet_bind() and packet_notifier() (bnc#1012382).
- net: phy: at803x: Change error to EINVAL for invalid MAC (bnc#1012382).
- net: phy: micrel: ksz9031: reconfigure autoneg after phy autoneg workaround (bnc#1012382).
- net: qdisc_pkt_len_init() should be more robust (bnc#1012382).
- net: qmi_wwan: add Sierra EM7565 1199:9091 (bnc#1012382).
- net: qmi_wwan: Add USB IDs for MDM6600 modem on Motorola Droid 4 (bnc#1012382).
- net: reevalulate autoflowlabel setting after sysctl setting (bnc#1012382).
- net: Resend IGMP memberships upon peer notification (bnc#1012382).
- net: sctp: fix array overrun read on sctp_timer_tbl (bnc#1012382).
- net: stmmac: enable EEE in MII, GMII or RGMII only (bnc#1012382).
- net: systemport: Pad packet before inserting TSB (bnc#1012382).
- net: systemport: Utilize skb_put_padto() (bnc#1012382).
- net: tcp: close sock if net namespace is exiting (bnc#1012382).
- net: wimax/i2400m: fix NULL-deref at probe (bnc#1012382).
- nfsd: auth: Fix gid sorting when rootsquash enabled (bnc#1012382).
- nfsd: Fix another OPEN stateid race (bnc#1012382).
- nfsd: fix nfsd_minorversion(.., NFSD_AVAIL) (bnc#1012382).
- nfsd: fix nfsd_reset_versions for NFSv4 (bnc#1012382).
- nfsd: Fix stateid races between OPEN and CLOSE (bnc#1012382).
- nfsd: Make init_open_stateid() a bit more whole (bnc#1012382).
- nfs: Do not take a reference on fl->fl_file for LOCK operation (bnc#1012382).
- nfs: Fix a typo in nfs_rename() (bnc#1012382).
- nfs: improve shinking of access cache (bsc#1012917).
- nfsv4.1 respect server's max size in CREATE_SESSION (bnc#1012382).
- nfsv4: Fix client recovery when server reboots multiple times (bnc#1012382).
- nohz: Prevent a timer interrupt storm in tick_nohz_stop_sched_tick() (bnc#1012382).
- n_tty: fix EXTPROC vs ICANON interaction with TIOCINQ (aka FIONREAD) (bnc#1012382).
- nvme_fc: correct hang in nvme_ns_remove() (bsc#1075811).
- nvme_fc: fix rogue admin cmds stalling teardown (bsc#1075811).
- nvme-pci: Remove watchdog timer (bsc#1066163).
- openrisc: fix issue handling 8 byte get_user calls (bnc#1012382).
- packet: fix crash in fanout_demux_rollover() (bnc#1012382).
- parisc: Fix alignment of pa_tlb_lock in assembly on 32-bit SMP kernel (bnc#1012382).
- parisc: Hide Diva-built-in serial aux and graphics card (bnc#1012382).
- partially revert tipc improve link resiliency when rps is activated (bsc#1068038).
- pci/AER: Report non-fatal errors only to the affected endpoint (bnc#1012382).
- pci: Avoid bus reset if bridge itself is broken (bnc#1012382).
- pci: Create SR-IOV virtfn/physfn links before attaching driver (bnc#1012382).
- pci: Detach driver before procfs & sysfs teardown on device remove (bnc#1012382).
- pci/PME: Handle invalid data when reading Root Status (bnc#1012382).
- pci / PM: Force devices to D0 in pci_pm_thaw_noirq() (bnc#1012382).
- perf symbols: Fix symbols__fixup_end heuristic for corner cases (bnc#1012382).
- perf test attr: Fix ignored test case result (bnc#1012382).
- phy: work around 'phys' references to usb-nop-xceiv devices (bnc#1012382).
- pinctrl: adi2: Fix Kconfig build problem (bnc#1012382).
- pinctrl: st: add irq_request/release_resources callbacks (bnc#1012382).
- pipe: avoid round_pipe_size() nr_pages overflow on 32-bit (bnc#1012382).
- powerpc/64: Add macros for annotating the destination of rfid/hrfid (bsc#1068032, bsc#1075087).
- powerpc/64: Convert fast_exception_return to use RFI_TO_USER/KERNEL (bsc#1068032, bsc#1075087).
- powerpc/64: Convert the syscall exit path to use RFI_TO_USER/KERNEL (bsc#1068032, bsc#1075087).
- powerpc/64s: Add EX_SIZE definition for paca exception save areas (bsc#1068032, bsc#1075087).
- powerpc/64s: Add support for RFI flush of L1-D cache (bsc#1068032, bsc#1075087).
- powerpc/64s: Allow control of RFI flush via debugfs (bsc#1068032, bsc#1075087).
- powerpc/64s: Convert slb_miss_common to use RFI_TO_USER/KERNEL (bsc#1068032, bsc#1075087).
- powerpc/64s: Simple RFI macro conversions (bsc#1068032, bsc#1075087).
- powerpc/64s: Support disabling RFI flush with no_rfi_flush and nopti (bsc#1068032, bsc#1075087).
- powerpc/64s: Wire up cpu_show_meltdown() (bsc#1068032).
- powerpc/asm: Allow including ppc_asm.h in asm files (bsc#1068032, bsc#1075087).
- powerpc/ipic: Fix status get and status clear (bnc#1012382).
- powerpc/perf: Dereference BHRB entries safely (bsc#1066223).
- powerpc/perf/hv-24x7: Fix incorrect comparison in memord (bnc#1012382).
- powerpc/powernv: Check device-tree for RFI flush settings (bsc#1068032, bsc#1075087).
- powerpc/powernv/cpufreq: Fix the frequency read by /proc/cpuinfo (bnc#1012382).
- powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested (bnc#1012382).
- powerpc/pseries: include linux/types.h in asm/hvcall.h (bsc#1068032, bsc#1075087).
- powerpc/pseries: Introduce H_GET_CPU_CHARACTERISTICS (bsc#1068032, bsc#1075087).
- powerpc/pseries: Query hypervisor for RFI flush settings (bsc#1068032, bsc#1075087).
- powerpc/pseries/rfi-flush: Call setup_rfi_flush() after LPM migration (bsc#1068032, bsc#1075087).
- powerpc/rfi-flush: Add DEBUG_RFI config option (bsc#1068032, bsc#1075087).
- powerpc/rfi-flush: Make setup_rfi_flush() not __init (bsc#1068032, bsc#1075087).
- powerpc/rfi-flush: Move RFI flush fields out of the paca (unbreak kABI) (bsc#1068032, bsc#1075087).
- powerpc/rfi-flush: Move the logic to avoid a redo into the sysfs code (bsc#1068032, bsc#1075087).
- powerpc/rfi-flush: prevent crash when changing flush type to fallback after system boot (bsc#1068032, bsc#1075087).
- ppp: Destroy the mutex when cleanup (bnc#1012382).
- pppoe: take ->needed_headroom of lower device into account on xmit (bnc#1012382).
- pti: unbreak EFI (bsc#1074709).
- r8152: fix the list rx_done may be used without initialization (bnc#1012382).
- r8152: prevent the driver from transmitting packets with carrier off (bnc#1012382).
- r8169: fix memory corruption on retrieval of hardware statistics (bnc#1012382).
- raid5: Set R5_Expanded on parity devices as well as data (bnc#1012382).
- ravb: Remove Rx overflow log messages (bnc#1012382).
- rbd: set max_segments to USHRT_MAX (bnc#1012382).
- rdma/cma: Avoid triggering undefined behavior (bnc#1012382).
- rdma/i40iw: Remove MSS change support (bsc#1024376 FATE#321249).
- rds: Fix NULL pointer dereference in __rds_rdma_map (bnc#1012382).
- rds: Heap OOB write in rds_message_alloc_sgs() (bnc#1012382).
- rds: null pointer dereference in rds_atomic_free_op (bnc#1012382).
- Re-enable fixup detection by CPU type in case hypervisor call fails.
- regulator: core: Rely on regulator_dev_release to free constraints (bsc#1074847).
- regulator: da9063: Return an error code on probe failure (bsc#1074847).
- regulator: pwm: Fix regulator ramp delay for continuous mode (bsc#1074847).
- regulator: Try to resolve regulators supplies on registration (bsc#1074847).
- Revert 'Bluetooth: btusb: driver to enable the usb-wakeup feature' (bnc#1012382).
- Revert 'drm/armada: Fix compile fail' (bnc#1012382).
- Revert 'drm/radeon: dont switch vt on suspend' (bnc#1012382).
- Revert 'ipsec: Fix aborted xfrm policy dump crash' (kabi).
- Revert 'kaiser: vmstat show NR_KAISERTABLE as nr_overhead' (kabi).
- Revert 'lib/genalloc.c: make the avail variable an atomic_long_t' (kabi).
- Revert 'module: Add retpoline tag to VERMAGIC' (bnc#1012382 kabi).
- Revert 'module: Add retpoline tag to VERMAGIC' (kabi).
- Revert 'netlink: add a start callback for starting a netlink dump' (kabi).
- Revert 'ocfs2: should wait dio before inode lock in ocfs2_setattr()' (bnc#1012382).
- Revert 'Re-enable fixup detection by CPU type in case hypervisor call fails.' The firmware update is required for the existing instructions to also do the cache flush.
- Revert 's390/kbuild: enable modversions for symbols exported from asm' (bnc#1012382).
- Revert 'sched/deadline: Use the revised wakeup rule for suspending constrained dl tasks' (kabi).
- Revert 'scsi: libsas: align sata_device's rps_resp on a cacheline' (kabi).
- Revert 'spi: SPI_FSL_DSPI should depend on HAS_DMA' (bnc#1012382).
- Revert 'userfaultfd: selftest: vm: allow to build in vm/ directory' (bnc#1012382).
- Revert 'x86/efi: Build our own page table structures' (bnc#1012382).
- Revert 'x86/efi: Hoist page table switching code into efi_call_virt()' (bnc#1012382).
- Revert 'x86/mm/pat: Ensure cpa->pfn only contains page frame numbers' (bnc#1012382).
- rfi-flush: Make DEBUG_RFI a CONFIG option (bsc#1068032, bsc#1075087).
- ring-buffer: Mask out the info bits when returning buffer page length (bnc#1012382).
- route: also update fnhe_genid when updating a route cache (bnc#1012382).
- route: update fnhe_expires for redirect when the fnhe exists (bnc#1012382).
- rtc: cmos: Initialize hpet timer before irq is registered (bsc#1077592).
- rtc: pcf8563: fix output clock rate (bnc#1012382).
- rtc: pl031: make interrupt optional (bnc#1012382).
- rtc: set the alarm to the next expiring timer (bnc#1012382).
- s390: always save and restore all registers on context switch (bnc#1012382).
- s390/cpuinfo: show facilities as reported by stfle (bnc#1076847, LTC#163740).
- s390: fix compat system call table (bnc#1012382).
- s390/pci: do not require AIS facility (bnc#1012382).
- s390/qeth: no ETH header for outbound AF_IUCV (LTC#156276 bnc#1012382 bnc#1053472).
- s390/runtime instrumentation: simplify task exit handling (bnc#1012382).
- sch_dsmark: fix invalid skb_cow() usage (bnc#1012382).
- sched/deadline: Make sure the replenishment timer fires in the next period (bnc#1012382).
- sched/deadline: Throttle a constrained deadline task activated after the deadline (bnc#1012382).
- sched/deadline: Use deadline instead of period when calculating overflow (bnc#1012382).
- sched/deadline: Use the revised wakeup rule for suspending constrained dl tasks (bnc#1012382).
- sched/deadline: Zero out positive runtime after throttling constrained tasks (git-fixes).
- sched/rt: Do not pull from current CPU if only one CPU to pull (bnc#1022476).
- scsi: bfa: integer overflow in debugfs (bnc#1012382).
- scsi: cxgb4i: fix Tx skb leak (bnc#1012382).
- scsi: handle ABORTED_COMMAND on Fujitsu ETERNUS (bsc#1069138).
- scsi: hpsa: cleanup sas_phy structures in sysfs when unloading (bnc#1012382).
- scsi: hpsa: destroy sas transport properties before scsi_host (bnc#1012382).
- scsi: libsas: align sata_device's rps_resp on a cacheline (bnc#1012382).
- scsi: lpfc: Use after free in lpfc_rq_buf_free() (bsc#1037838).
- scsi: mpt3sas: Fix IO error occurs on pulling out a drive from RAID1 volume created on two SATA drive (bnc#1012382).
- scsi: sd: change allow_restart to bool in sysfs interface (bnc#1012382).
- scsi: sd: change manage_start_stop to bool in sysfs interface (bnc#1012382).
- scsi: sg: disable SET_FORCE_LOW_DMA (bnc#1012382).
- scsi: sr: wait for the medium to become ready (bsc#1048585).
- sctp: do not allow the v4 socket to bind a v4mapped v6 address (bnc#1012382).
- sctp: do not free asoc when it is already dead in sctp_sendmsg (bnc#1012382).
- sctp: Replace use of sockets_allocated with specified macro (bnc#1012382).
- sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf (bnc#1012382).
- sctp: use the right sk after waking up from wait_buf sleep (bnc#1012382).
- selftest/powerpc: Fix false failures for skipped tests (bnc#1012382).
- selftests/x86: Add test_vsyscall (bnc#1012382).
- selftests/x86/ldt_get: Add a few additional tests for limits (bnc#1012382).
- serial: 8250_pci: Add Amazon PCI serial device ID (bnc#1012382).
- serial: 8250: Preserve DLD[7:4] for PORT_XR17V35X (bnc#1012382).
- series.conf: move core networking (including netfilter) into sorted section
- series.conf: whitespace cleanup
- Set supported_modules_check 1 (bsc#1072163).
- sfc: do not warn on successful change of MAC (bnc#1012382).
- sh_eth: fix SH7757 GEther initialization (bnc#1012382).
- sh_eth: fix TSU resource handling (bnc#1012382).
- sit: update frag_off info (bnc#1012382).
- sock: free skb in skb_complete_tx_timestamp on error (bnc#1012382).
- sparc64/mm: set fields in deferred pages (bnc#1012382).
- spi_ks8995: fix 'BUG: key accdaa28 not in .data!' (bnc#1012382).
- spi: sh-msiof: Fix DMA transfer size check (bnc#1012382).
- spi: xilinx: Detect stall with Unknown commands (bnc#1012382).
- staging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl (bnc#1012382).
- sunrpc: add auth_unix hash_cred() function (bsc#1012917).
- sunrpc: add generic_auth hash_cred() function (bsc#1012917).
- sunrpc: add hash_cred() function to rpc_authops struct (bsc#1012917).
- sunrpc: add RPCSEC_GSS hash_cred() function (bsc#1012917).
- sunrpc: Fix rpc_task_begin trace point (bnc#1012382).
- sunrpc: replace generic auth_cred hash with auth-specific function (bsc#1012917).
- sunrpc: use supplimental groups in auth hash (bsc#1012917).
- sunxi-rsb: Include OF based modalias in device uevent (bnc#1012382).
- sysfs/cpu: Add vulnerability folder (bnc#1012382).
- sysfs/cpu: Fix typos in vulnerability documentation (bnc#1012382).
- sysfs: spectre_v2, handle spec_ctrl (bsc#1075994 bsc#1075091).
- sysrq : fix Show Regs call trace on ARM (bnc#1012382).
- target: Avoid early CMD_T_PRE_EXECUTE failures during ABORT_TASK (bnc#1012382).
- target/file: Do not return error for UNMAP if length is zero (bnc#1012382).
- target: fix ALUA transition timeout handling (bnc#1012382).
- target:fix condition return in core_pr_dump_initiator_port() (bnc#1012382).
- target: fix race during implicit transition work flushes (bnc#1012382).
- target/iscsi: Fix a race condition in iscsit_add_reject_from_cmd() (bnc#1012382).
- target: Use system workqueue for ALUA transitions (bnc#1012382).
- tcp: correct memory barrier usage in tcp_check_space() (bnc#1012382).
- tcp: fix under-evaluated ssthresh in TCP Vegas (bnc#1012382).
- tcp md5sig: Use skb's saddr when replying to an incoming segment (bnc#1012382).
- tcp: __tcp_hdrlen() helper (bnc#1012382).
- tg3: Fix rx hang on MTU change with 5717/5719 (bnc#1012382).
- thermal/drivers/step_wise: Fix temperature regulation misbehavior (bnc#1012382).
- thermal: hisilicon: Handle return value of clk_prepare_enable (bnc#1012382).
- tipc: fix cleanup at module unload (bnc#1012382).
- tipc: fix memory leak in tipc_accept_from_sock() (bnc#1012382).
- tipc: improve link resiliency when rps is activated (bsc#1068038).
- tracing: Allocate mask_str buffer dynamically (bnc#1012382).
- tracing: Fix converting enum's from the map in trace_event_eval_update() (bnc#1012382).
- tracing: Fix crash when it fails to alloc ring buffer (bnc#1012382).
- tracing: Fix possible double free on failure of allocating trace buffer (bnc#1012382).
- tracing: Remove extra zeroing out of the ring buffer page (bnc#1012382).
- tty fix oops when rmmod 8250 (bnc#1012382).
- uas: Always apply US_FL_NO_ATA_1X quirk to Seagate devices (bnc#1012382).
- uas: ignore UAS for Norelsys NS1068(X) chips (bnc#1012382).
- udf: Avoid overflow when session starts at large offset (bnc#1012382).
- um: link vmlinux with -no-pie (bnc#1012382).
- usb: Add device quirk for Logitech HD Pro Webcam C925e (bnc#1012382).
- usb: add RESET_RESUME for ELSA MicroLink 56K (bnc#1012382).
- usb: core: Add type-specific length check of BOS descriptors (bnc#1012382).
- usb: core: prevent malicious bNumInterfaces overflow (bnc#1012382).
- usb: devio: Prevent integer overflow in proc_do_submiturb() (bnc#1012382).
- usb: Fix off by one in type-specific length check of BOS SSP capability (git-fixes).
- usb: fix usbmon BUG trigger (bnc#1012382).
- usb: gadget: configs: plug memory leak (bnc#1012382).
- usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping (bnc#1012382).
- usb: gadgetfs: Fix a potential memory leak in 'dev_config()' (bnc#1012382).
- usb: gadget: f_uvc: Sanity check wMaxPacketSize for SuperSpeed (bnc#1012382).
- usb: gadget: udc: remove pointer dereference after free (bnc#1012382).
- usb: hub: Cycle HUB power when initialization fails (bnc#1012382).
- usb: Increase usbfs transfer limit (bnc#1012382).
- usbip: Fix implicit fallthrough warning (bnc#1012382).
- usbip: Fix potential format overflow in userspace tools (bnc#1012382).
- usbip: fix stub_rx: get_pipe() to validate endpoint number (bnc#1012382).
- usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input (bnc#1012382).
- usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer (bnc#1012382).
- usbip: fix usbip bind writing random string after command in match_busid (bnc#1012382).
- usbip: prevent leaking socket pointer address in messages (bnc#1012382).
- usbip: prevent vhci_hcd driver from leaking a socket pointer address (bnc#1012382).
- usbip: remove kernel addresses from usb device and urb debug msgs (bnc#1012382).
- usbip: stub: stop printing kernel pointer addresses in messages (bnc#1012382).
- usbip: vhci: stop printing kernel pointer addresses in messages (bnc#1012382).
- usb: misc: usb3503: make sure reset is low for at least 100us (bnc#1012382).
- usb: musb: da8xx: fix babble condition handling (bnc#1012382).
- usb: phy: isp1301: Add OF device ID table (bnc#1012382).
- usb: phy: isp1301: Fix build warning when CONFIG_OF is disabled (git-fixes).
- usb: phy: tahvo: fix error handling in tahvo_usb_probe() (bnc#1012382).
- usb: quirks: Add no-lpm quirk for KY-688 USB 3.1 Type-C Hub (bnc#1012382).
- usb: serial: cp210x: add IDs for LifeScan OneTouch Verio IQ (bnc#1012382).
- usb: serial: cp210x: add new device ID ELV ALC 8xxx (bnc#1012382).
- usb: serial: ftdi_sio: add id for Airbus DS P8GR (bnc#1012382).
- usb: serial: option: adding support for YUGA CLM920-NC5 (bnc#1012382).
- usb: serial: option: add Quectel BG96 id (bnc#1012382).
- usb: serial: option: add support for Telit ME910 PID 0x1101 (bnc#1012382).
- usb: serial: qcserial: add Sierra Wireless EM7565 (bnc#1012382).
- usb: uas and storage: Add US_FL_BROKEN_FUA for another JMicron JMS567 ID (bnc#1012382).
- usb: usbfs: Filter flags passed in from user space (bnc#1012382).
- usb: usbip: Fix possible deadlocks reported by lockdep (bnc#1012382).
- usb: xhci: Add XHCI_TRUST_TX_LENGTH for Renesas uPD720201 (bnc#1012382).
- usb: xhci: fix panic in xhci_free_virt_devices_depth_first (bnc#1012382).
- userfaultfd: selftest: vm: allow to build in vm/ directory (bnc#1012382).
- userfaultfd: shmem: __do_fault requires VM_FAULT_NOPAGE (bnc#1012382).
- video: fbdev: au1200fb: Release some resources if a memory allocation fails (bnc#1012382).
- video: fbdev: au1200fb: Return an error code if a memory allocation fails (bnc#1012382).
- virtio: release virtio index when fail to device_register (bnc#1012382).
- vmxnet3: repair memory leak (bnc#1012382).
- vsyscall: Fix permissions for emulate mode with KAISER/PTI (bnc#1012382).
- vt6655: Fix a possible sleep-in-atomic bug in vt6655_suspend (bnc#1012382).
- vti6: Do not report path MTU below IPV6_MIN_MTU (bnc#1012382).
- vti6: fix device register to report IFLA_INFO_KIND (bnc#1012382).
- workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq (bnc#1012382).
- writeback: fix memory leak in wb_queue_work() (bnc#1012382).
- x.509: fix buffer overflow detection in sprint_oid() (bsc#1075078).
- x509: fix printing uninitialized stack memory when OID is empty (bsc#1075078).
- x.509: reject invalid BIT STRING for subjectPublicKey (bnc#1012382).
- x86/acpi: Handle SCI interrupts above legacy space gracefully (bsc#1068984).
- x86/acpi: Reduce code duplication in mp_override_legacy_irq() (bsc#1068984).
- x86/alternatives: Add missing '\n' at end of ALTERNATIVE inline asm (bnc#1012382).
- x86/alternatives: Fix optimize_nops() checking (bnc#1012382).
- x86/apic/vector: Fix off by one in error path (bnc#1012382).
- x86/asm/32: Make sync_core() handle missing CPUID on all 32-bit kernels (bnc#1012382).
- x86/boot: Fix early command-line parsing when matching at end (bsc#1068032).
- x86/cpu: Factor out application of forced CPU caps (bnc#1012382).
- x86/cpufeatures: Add X86_BUG_CPU_INSECURE (bnc#1012382).
- x86/cpufeatures: Add X86_BUG_SPECTRE_V[12] (bnc#1012382).
- x86/cpufeatures: Make CPU bugs sticky (bnc#1012382).
- x86/cpu: Implement CPU vulnerabilites sysfs functions (bnc#1012382).
- x86/cpu: Merge bugs.c and bugs_64.c (bnc#1012382).
- x86/cpu: Rename Merrifield2 to Moorefield (bsc#985025).
- x86/cpu: Rename 'WESTMERE2' family to 'NEHALEM_G' (bsc#985025).
- x86/cpu, x86/pti: Do not enable PTI on AMD processors (bnc#1012382).
- x86/Documentation: Add PTI description (bnc#1012382).
- x86/efi-bgrt: Replace early_memremap() with memremap() (bnc#1012382).
- x86/efi: Build our own page table structures (fate#320512).
- x86/efi: Hoist page table switching code into efi_call_virt() (fate#320512).
- x86/entry: Use SYSCALL_DEFINE() macros for sys_modify_ldt() (bnc#1012382).
- x86/hpet: Prevent might sleep splat on resume (bnc#1012382).
- x86/kasan: Clear kasan_zero_page after TLB flush (bnc#1012382).
- x86/kasan: Write protect kasan zero shadow (bnc#1012382).
- x86/microcode/intel: Extend BDW late-loading further with LLC size check (bnc#1012382).
- x86/microcode/intel: Extend BDW late-loading with a revision check (bnc#1012382).
- x86/mm/32: Move setup_clear_cpu_cap(X86_FEATURE_PCID) earlier (git-fixes).
- x86/mm: Disable PCID on 32-bit kernels (bnc#1012382).
- x86/mm/pat: Ensure cpa->pfn only contains page frame numbers (fate#320588).
- x86/PCI: Make broadcom_postcore_init() check acpi_disabled (bnc#1012382).
- x86/pti: Document fix wrong index (bnc#1012382).
- x86/pti/efi: broken conversion from efi to kernel page table (bnc#1012382).
- x86/pti: Rename BUG_CPU_INSECURE to BUG_CPU_MELTDOWN (bnc#1012382).
- x86/retpolines/spec_ctrl: disable IBRS on !SKL if retpolines are active (bsc#1068032).
- x86/smpboot: Remove stale TLB flush invocations (bnc#1012382).
- x86/spectre_v2: fix ordering in IBRS initialization (bsc#1075994 bsc#1075091).
- x86/spectre_v2: nospectre_v2 means nospec too (bsc#1075994 bsc#1075091).
- x86/tlb: Drop the _GPL from the cpu_tlbstate export (bnc#1012382).
- x86/vm86/32: Switch to flush_tlb_mm_range() in mark_screen_rdonly() (bnc#1012382).
- xen-netfront: avoid crashing on resume after a failure in talk_to_netback() (bnc#1012382).
- xen-netfront: Improve error handling during initialization (bnc#1012382).
- xfrm: Copy policy family in clone_policy (bnc#1012382).
- xfs: add configurable error support to metadata buffers (bsc#1068569).
- xfs: add configuration handlers for specific errors (bsc#1068569).
- xfs: add configuration of error failure speed (bsc#1068569).
- xfs: add 'fail at unmount' error handling configuration (bsc#1068569).
- xfs: Add infrastructure needed for error propagation during buffer IO failure (bsc#1068569).
- xfs: address kabi for xfs buffer retry infrastructure (kabi).
- xfs: configurable error behavior via sysfs (bsc#1068569).
- xfs: fix incorrect extent state in xfs_bmap_add_extent_unwritten_real (bnc#1012382).
- xfs: fix log block underflow during recovery cycle verification (bnc#1012382).
- xfs: fix up inode32/64 (re)mount handling (bsc#1069160).
- xfs: introduce metadata IO error class (bsc#1068569).
- xfs: introduce table-based init for error behaviors (bsc#1068569).
- xfs: Properly retry failed inode items in case of error during buffer writeback (bsc#1068569).
- xfs: remove xfs_trans_ail_delete_bulk (bsc#1068569).
- xhci: Do not add a virt_dev to the devs array before it's fully allocated (bnc#1012382).
- xhci: Fix ring leak in failure path of xhci_alloc_virt_device() (bnc#1012382).
- xhci: plat: Register shutdown for xhci_plat (bnc#1012382).
- zram: set physical queue limits to avoid array out of bounds accesses (bnc#1012382).
- x86/microcode/intel: Fix BDW late-loading revision check (bnc#1012382).
ImportantSUSE bug 1005778SUSE bug 1005780SUSE bug 1005781SUSE bug 1012382SUSE bug 1012917SUSE bug 1015342SUSE bug 1015343SUSE bug 1019784SUSE bug 1022476SUSE bug 1022595SUSE bug 1022912SUSE bug 1024296SUSE bug 1024376SUSE bug 1031395SUSE bug 1031492SUSE bug 1031717SUSE bug 1037838SUSE bug 1038078SUSE bug 1038085SUSE bug 1040182SUSE bug 1043652SUSE bug 1048325SUSE bug 1048585SUSE bug 1053472SUSE bug 1060279SUSE bug 1062129SUSE bug 1066163SUSE bug 1066223SUSE bug 1068032SUSE bug 1068038SUSE bug 1068569SUSE bug 1068984SUSE bug 1069138SUSE bug 1069160SUSE bug 1070052SUSE bug 1070799SUSE bug 1072163SUSE bug 1072484SUSE bug 1073229SUSE bug 1073928SUSE bug 1074134SUSE bug 1074488SUSE bug 1074621SUSE bug 1074709SUSE bug 1074839SUSE bug 1074847SUSE bug 1075066SUSE bug 1075078SUSE bug 1075087SUSE bug 1075091SUSE bug 1075397SUSE bug 1075428SUSE bug 1075617SUSE bug 1075621SUSE bug 1075627SUSE bug 1075811SUSE bug 1075994SUSE bug 1076017SUSE bug 1076110SUSE bug 1076187SUSE bug 1076232SUSE bug 1076805SUSE bug 1076847SUSE bug 1076872SUSE bug 1076899SUSE bug 1077068SUSE bug 1077560SUSE bug 1077592SUSE bug 1077704SUSE bug 1077871SUSE bug 1078002SUSE bug 1078681SUSE bug 963844SUSE bug 966170SUSE bug 966172SUSE bug 973818SUSE bug 985025CVE-2017-15129 at SUSECVE-2017-15129 at NVDCVE-2017-17712 at SUSECVE-2017-17712 at NVDCVE-2017-17862 at SUSECVE-2017-17862 at NVDCVE-2017-17864 at SUSECVE-2017-17864 at NVDCVE-2017-18017 at SUSECVE-2017-18017 at NVDCVE-2017-5715 at SUSECVE-2017-5715 at NVDCVE-2018-1000004 at SUSECVE-2018-1000004 at NVDCVE-2018-5332 at SUSECVE-2018-5332 at NVDCVE-2018-5333 at SUSECVE-2018-5333 at NVDcpe:/o:suse:sles:12:sp3Security update for libxml2 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libxml2 fixes one issue.
This security issue was fixed:
- CVE-2017-15412: Prevent use after free when calling XPath extension functions
that allowed remote attackers to cause DoS or potentially RCE (bsc#1077993)
- CVE-2016-5131: Use-after-free vulnerability in libxml2 allowed
remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors related to the XPointer range-to
function. (bsc#1078813)
- CVE-2017-5130: Fixed a potential remote buffer overflow in function
xmlMemoryStrdup() (bsc#1078806)
ModerateSUSE bug 1077993SUSE bug 1078806SUSE bug 1078813CVE-2016-5131 at SUSECVE-2016-5131 at NVDCVE-2017-15412 at SUSECVE-2017-15412 at NVDCVE-2017-5130 at SUSECVE-2017-5130 at NVDcpe:/o:suse:sles:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for openssl fixes the following issues:
Security issues fixed:
- CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652).
- CVE-2018-5407: Fixed elliptic curve scalar multiplication timing attack defenses (bsc#1113534).
- Add missing timing side channel patch for DSA signature generation (bsc#1113742).
Non-security issues fixed:
- Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209).
ModerateSUSE bug 1112209SUSE bug 1113534SUSE bug 1113652SUSE bug 1113742CVE-2018-0734 at SUSECVE-2018-0734 at NVDCVE-2018-5407 at SUSECVE-2018-5407 at NVDcpe:/o:suse:sles:12:sp3Security update for rpm (Important)SUSE Linux Enterprise Server 12 SP3
This update for rpm fixes the following issues:
These security issues were fixed:
- CVE-2017-7500: rpm did not properly handle RPM installations when a
destination path was a symbolic link to a directory, possibly changing
ownership and permissions of an arbitrary directory, and RPM files being placed
in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when
installing an RPM. An attacker with ability to write in a directory where files
will be installed could create symbolic links to an arbitrary location and
modify content, and possibly permissions to arbitrary files, which could be
used for denial of service or possibly privilege escalation (bsc#943457)
This is a reissue of the above security fixes for SUSE Linux Enterprise 12 GA, SP1 and SP2 LTSS,
they have already been released for SUSE Linux Enterprise Server 12 SP3.
ImportantSUSE bug 943457CVE-2017-7500 at SUSECVE-2017-7500 at NVDCVE-2017-7501 at SUSECVE-2017-7501 at NVDcpe:/o:suse:sles:12:sp3Security update for ghostscript (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ghostscript fixes several issues.
These security issues were fixed:
- CVE-2017-9835: The gs_alloc_ref_array function allowed remote attackers to
cause a denial of service (heap-based buffer overflow and application crash) or
possibly have unspecified other impact via a crafted PostScript document
(bsc#1050879).
- CVE-2017-9216: Prevent NULL pointer dereference in the jbig2_huffman_get
function in jbig2_huffman.c which allowed for DoS (bsc#1040643).
- CVE-2016-10317: The fill_threshhold_buffer function in base/gxht_thresh.c
allowed remote attackers to cause a denial of service (heap-based buffer
overflow and application crash) or possibly have unspecified other impact via a
crafted PostScript document (bsc#1032230).
- CVE-2017-9612: The Ins_IP function in base/ttinterp.c allowed remote
attackers to cause a denial of service (use-after-free and application crash)
or possibly have unspecified other impact via a crafted document (bsc#1050891).
- CVE-2017-9726: The Ins_MDRP function in base/ttinterp.c allowed remote
attackers to cause a denial of service (heap-based buffer over-read and
application crash) or possibly have unspecified other impact via a crafted
document (bsc#1050889).
- CVE-2017-9727: The gx_ttfReader__Read function in base/gxttfb.c allowed
remote attackers to cause a denial of service (heap-based buffer over-read and
application crash) or possibly have unspecified other impact via a crafted
document (bsc#1050888).
- CVE-2017-9739: The Ins_JMPR function in base/ttinterp.c allowed remote
attackers to cause a denial of service (heap-based buffer over-read and
application crash) or possibly have unspecified other impact via a crafted
document (bsc#1050887).
- CVE-2017-11714: psi/ztoken.c mishandled references to the scanner state
structure, which allowed remote attackers to cause a denial of service
(application crash) or possibly have unspecified other impact via a crafted
PostScript document, related to an out-of-bounds read in the
igc_reloc_struct_ptr function in psi/igc.c (bsc#1051184).
- CVE-2016-10219: The intersect function in base/gxfill.c allowed remote
attackers to cause a denial of service (divide-by-zero error and application
crash) via a crafted file (bsc#1032138).
ModerateSUSE bug 1032138SUSE bug 1032230SUSE bug 1040643SUSE bug 1050879SUSE bug 1050887SUSE bug 1050888SUSE bug 1050889SUSE bug 1050891SUSE bug 1051184CVE-2016-10219 at SUSECVE-2016-10219 at NVDCVE-2016-10317 at SUSECVE-2016-10317 at NVDCVE-2017-11714 at SUSECVE-2017-11714 at NVDCVE-2017-9216 at SUSECVE-2017-9216 at NVDCVE-2017-9612 at SUSECVE-2017-9612 at NVDCVE-2017-9726 at SUSECVE-2017-9726 at NVDCVE-2017-9727 at SUSECVE-2017-9727 at NVDCVE-2017-9739 at SUSECVE-2017-9739 at NVDCVE-2017-9835 at SUSECVE-2017-9835 at NVDcpe:/o:suse:sles:12:sp3Security update for exiv2 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for exiv2 fixes the following issues:
- CVE-2017-11591: A floating point exception in the Exiv2::ValueType function could lead to a remote denial of service attack via crafted input. (bsc#1050257)
- CVE-2017-14864: An invalid memory address dereference was discovered in Exiv2::getULong in types.cpp. The vulnerability caused a segmentation fault and application crash, which lead to denial of service. (bsc#1060995)
- CVE-2017-14862: An invalid memory address dereference was discovered in Exiv2::DataValue::read in value.cpp. The vulnerability caused a segmentation fault and application crash, which lead to denial of service. (bsc#1060996)
- CVE-2017-14859: An invalid memory address dereference was discovered in Exiv2::StringValueBase::read in value.cpp. The vulnerability caused a segmentation fault and application crash, which lead to denial of service. (bsc#1061000)
- CVE-2017-11683: There is a reachable assertion in the Internal::TiffReader::visitDirectory function in tiffvisitor.cpp that could lead to a remote denial of service attack via crafted input. (bsc#1051188)
- CVE-2017-17669: There is a heap-based buffer over-read in the Exiv2::Internal::PngChunk::keyTXTChunk function of pngchunk_int.cpp. A crafted PNG file would lead to a remote denial of service attack. (bsc#1072928)
- CVE-2018-10958: In types.cpp a large size value might have lead to a SIGABRT during an attempt at memory allocation for an Exiv2::Internal::PngChunk::zlibUncompress call. (bsc#1092952)
- CVE-2018-10998: readMetadata in jp2image.cpp allowed remote attackers to cause a denial of service (SIGABRT) by triggering an incorrect Safe::add call. (bsc#1093095)
- CVE-2018-11531: Exiv2 had a heap-based buffer overflow in getData in preview.cpp. (bsc#1095070)
ModerateSUSE bug 1050257SUSE bug 1051188SUSE bug 1060995SUSE bug 1060996SUSE bug 1061000SUSE bug 1072928SUSE bug 1092952SUSE bug 1093095SUSE bug 1095070CVE-2017-11591 at SUSECVE-2017-11591 at NVDCVE-2017-11683 at SUSECVE-2017-11683 at NVDCVE-2017-14859 at SUSECVE-2017-14859 at NVDCVE-2017-14862 at SUSECVE-2017-14862 at NVDCVE-2017-14864 at SUSECVE-2017-14864 at NVDCVE-2017-17669 at SUSECVE-2017-17669 at NVDCVE-2018-10958 at SUSECVE-2018-10958 at NVDCVE-2018-10998 at SUSECVE-2018-10998 at NVDCVE-2018-11531 at SUSECVE-2018-11531 at NVDcpe:/o:suse:sles:12:sp3Security update for tiff (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for tiff fixes the following issues:
Security issues fixed:
- CVE-2018-12900: Fixed heap-based buffer overflow in the cpSeparateBufToContigBuf (bsc#1099257).
- CVE-2018-18661: Fixed NULL pointer dereference in the function LZWDecode in the file tif_lzw.c (bsc#1113672).
- CVE-2018-18557: Fixed JBIG decode can lead to out-of-bounds write (bsc#1113094).
Non-security issues fixed:
- asan_build: build ASAN included
- debug_build: build more suitable for debugging
ModerateSUSE bug 1099257SUSE bug 1113094SUSE bug 1113672CVE-2018-12900 at SUSECVE-2018-12900 at NVDCVE-2018-18557 at SUSECVE-2018-18557 at NVDCVE-2018-18661 at SUSECVE-2018-18661 at NVDcpe:/o:suse:sles:12:sp3Security update for openssh (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for openssh fixes the following issues:
Following security issues have been fixed:
- CVE-2018-15473: OpenSSH was prone to a user existance oracle vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. (bsc#1105010)
The following non-security issues were fixed:
- Stop leaking File descriptors (bsc#964336)
- sftp-client.c returns wrong error code upon failure [bsc#1091396]
ModerateSUSE bug 1091396SUSE bug 1105010SUSE bug 964336CVE-2018-15473 at SUSECVE-2018-15473 at NVDcpe:/o:suse:sles:12:sp3Security update for dpdk (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for dpdk to version 16.11.8 provides the following security fix:
- CVE-2018-1059: restrict untrusted guest to misuse virtio to corrupt host application (ovs-dpdk) memory which could have lead all VM to lose connectivity (bsc#1089638)
and following non-security fixes:
- Enable the broadcom chipset family Broadcom NetXtreme II BCM57810 (bsc#1073363)
- Fix a latency problem by using cond_resched rather than schedule_timeout_interruptible (bsc#1069601)
- Fix a syntax error affecting csh environment configuration (bsc#1102310)
- Fixes in net/bnxt:
* Fix HW Tx checksum offload check
* Fix incorrect IO address handling in Tx
* Fix Rx ring count limitation
* Check access denied for HWRM commands
* Fix RETA size
* Fix close operation
- Fixes in eal/linux:
* Fix an invalid syntax in interrupts
* Fix return codes on thread naming failure
- Fixes in kni:
* Fix crash with null name
* Fix build with gcc 8.1
- Fixes in net/thunderx:
* Fix build with gcc optimization on
* Avoid sq door bell write on zero packet
- net/bonding: Fix MAC address reset
- vhost: Fix missing increment of log cache count
ModerateSUSE bug 1069601SUSE bug 1073363SUSE bug 1089638SUSE bug 1102310CVE-2018-1059 at SUSECVE-2018-1059 at NVDcpe:/o:suse:sles:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3
java-1_7_1-ibm was updated to Java 7.1 Service Refresh 4 Fix Pack 35 (bsc#1116574):
* Consumability
- IJ10515 AIX JAVA 7.1.3.10 GENERAL PROTECTION FAULT WHEN ATTEMPTING TO USE HEALTH CENTER API
* Class Libraries
- IJ10934 CVE-2018-13785
- IJ10935 CVE-2018-3136
- IJ10895 CVE-2018-3139
- IJ10932 CVE-2018-3149
- IJ10894 CVE-2018-3180
- IJ10933 CVE-2018-3214
- IJ09315 FLOATING POINT EXCEPTION FROM JAVA.TEXT.DECIMALFORMAT. FORMAT
- IJ09088 INTRODUCING A NEW PROPERTY FOR TURKEY TIMEZONE FOR PRODUCTS NOT IDENTIFYING TRT
- IJ08569 JAVA.IO.IOEXCEPTION OCCURS WHEN A FILECHANNEL IS BIGGER THAN 2GB ON AIX PLATFORM
- IJ10800 REMOVE EXPIRING ROOT CERTIFICATES IN IBM JDK’S CACERTS.
* Java Virtual Machine
- IJ10931 CVE-2018-3169
- IV91132 SOME CORE PATTERN SPECIFIERS ARE NOT HANDLED BY THE JVM ON LINUX
* JIT Compiler
- IJ08205 CRASH WHILE COMPILING
- IJ07886 INCORRECT CALUCATIONS WHEN USING NUMBERFORMAT.FORMAT() AND BIGDECIMAL.{FLOAT/DOUBLE }VALUE()
* ORB
- IX90187 CLIENTREQUESTIMPL.REINVO KE FAILS WITH JAVA.LANG.INDEXOUTOFBOUN DSEXCEPTION
* Security
- IJ10492 'EC KEYSIZE < 384' IS NOT HONORED USING THE 'JDK.TLS.DISABLEDALGORIT HMS' SECURITY PROPERTY
- IJ10491 AES/GCM CIPHER – AAD NOT RESET TO UN-INIT STATE AFTER DOFINAL( ) AND INIT( )
- IJ08442 HTTP PUBLIC KEY PINNING FINGERPRINT,PROBLEM WITH CONVERTING TO JKS KEYSTORE
- IJ09107 IBMPKCS11IMPL CRYPTO PROVIDER – INTERMITTENT ERROR WITH SECP521R1 SIGNATURE ON Z/OS
- IJ10136 IBMPKCS11IMPL – INTERMITTENT ERROR WITH SECP521R1 SIG ON Z/OS AND Z/LINUX
- IJ08530 IBMPKCS11IMPL PROVIDER USES THE WRONG RSA CIPHER MECHANISM FOR THE RSA/ECB/PKCS1PADDING CIPHER
- IJ08723 JAAS THROWS A ‘ARRAY INDEX OUT OF RANGE’ EXCEPTION
- IJ08704 THE SECURITY PROPERTY ‘JDK.CERTPATH.DISABLEDAL GORITHMS’ IS MISTAKENLY BEING USED TO FILTER JAR SIGNING ALGORITHMS
* z/OS Extentions
- PH01244 OUTPUT BUFFER TOO SHORT FOR GCM MODE ENCRYPTION USING IBMJCEHYBRID
ImportantSUSE bug 1116574CVE-2018-13785 at SUSECVE-2018-13785 at NVDCVE-2018-3136 at SUSECVE-2018-3136 at NVDCVE-2018-3139 at SUSECVE-2018-3139 at NVDCVE-2018-3149 at SUSECVE-2018-3149 at NVDCVE-2018-3169 at SUSECVE-2018-3169 at NVDCVE-2018-3180 at SUSECVE-2018-3180 at NVDCVE-2018-3214 at SUSECVE-2018-3214 at NVDcpe:/o:suse:sles:12:sp3Security update for ncurses (Important)SUSE Linux Enterprise Server 12 SP3
This update for ncurses fixes the following issue:
Security issue fixed:
- CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).
ImportantSUSE bug 1115929CVE-2018-19211 at SUSECVE-2018-19211 at NVDcpe:/o:suse:sles:12:sp3Security update for freetype2 (Important)SUSE Linux Enterprise Server 12 SP3
This update for freetype2 fixes the following security issues:
- CVE-2016-10244: Make sure that the parse_charstrings function in
type1/t1load.c does ensure that a font contains a glyph name to prevent a DoS
through a heap-based buffer over-read or possibly have unspecified other
impact via a crafted file (bsc#1028103)
- CVE-2017-8105: Fix an out-of-bounds write caused by a heap-based
buffer overflow related to the t1_decoder_parse_charstrings function in
psaux/t1decode.ca (bsc#1035807)
- CVE-2017-8287: an out-of-bounds write caused by a heap-based buffer
overflow related to the t1_builder_close_contour function in psaux/psobjs.c
(bsc#1036457)
- Fix several integer overflow issues in truetype/ttinterp.c (bsc#1079600)
ImportantSUSE bug 1028103SUSE bug 1035807SUSE bug 1036457SUSE bug 1079600CVE-2016-10244 at SUSECVE-2016-10244 at NVDCVE-2017-7864 at SUSECVE-2017-7864 at NVDCVE-2017-8105 at SUSECVE-2017-8105 at NVDCVE-2017-8287 at SUSECVE-2017-8287 at NVDcpe:/o:suse:sles:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ImageMagick fixes the following issues:
Security issues fixed:
- CVE-2018-18544: Fixed memory leak in the function WriteMSLImage (bsc#1113064).
Non-security issues fixed:
- Improve import documentation (bsc#1057246).
- Allow override system security policy (bsc#1117463).
- asan_build: build ASAN included
- debug_build: build more suitable for debugging
ModerateSUSE bug 1057246SUSE bug 1113064SUSE bug 1117463CVE-2018-18544 at SUSECVE-2018-18544 at NVDcpe:/o:suse:sles:12:sp3Security update for ipsec-tools (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ipsec-tools fixes one issue.
This security issue was fixed:
- CVE-2016-10396: The racoon daemon contained a remotely exploitable
computational-complexity attack when parsing and storing ISAKMP fragments that
allowed a remote attacker to exhaust computational resources on the remote
endpoint by repeatedly sending ISAKMP fragment packets in a particular order
(bsc#1047443).
ModerateSUSE bug 1047443CVE-2016-10396 at SUSECVE-2016-10396 at NVDcpe:/o:suse:sles:12:sp3Security update for python-cryptography, python-pyOpenSSL (Important)SUSE Linux Enterprise Server 12 SP3
This update for python-cryptography, python-pyOpenSSL fixes the following issues:
Security issues fixed:
- CVE-2018-1000808: A memory leak due to missing reference checking in PKCS#12 store handling was fixed (bsc#1111634)
- CVE-2018-1000807: A use-after-free in X509 object handling was fixed (bsc#1111635)
- avoid bad interaction with python-cryptography package. (bsc#1021578)
ImportantSUSE bug 1021578SUSE bug 1111634SUSE bug 1111635CVE-2018-1000807 at SUSECVE-2018-1000807 at NVDCVE-2018-1000808 at SUSECVE-2018-1000808 at NVDcpe:/o:suse:sles:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3
java-1_8_0-ibm was updated to Java 8.0 Service Refresh 5 Fix Pack 25 (bsc#1116574)
* Class Libraries:
- IJ10934 CVE-2018-13785
- IJ10935 CVE-2018-3136
- IJ10895 CVE-2018-3139
- IJ10932 CVE-2018-3149
- IJ10894 CVE-2018-3180
- IJ10930 CVE-2018-3183
- IJ10933 CVE-2018-3214
- IJ09315 FLOATING POINT EXCEPTION FROM JAVA.TEXT.DECIMALFORMAT. FORMAT
- IJ09088 INTRODUCING A NEW PROPERTY FOR TURKEY TIMEZONE FOR PRODUCTS NOT IDENTIFYING TRT
- IJ10800 REMOVE EXPIRING ROOT CERTIFICATES IN IBM JDK’S CACERTS.
- IJ10566 SUPPORT EBCDIC CODE PAGE IBM-274 – BELGIUM EBCDIC
* Java Virtual Machine
- IJ08730 APPLICATION SIGNAL HANDLER NOT INVOKED FOR SIGABRT
- IJ10453 ASSERTION FAILURE AT CLASSPATHITEM.CPP
- IJ09574 CLASSLOADER DEFINED THROUGH SYSTEM PROPERTY ‘JAVA.SYSTEM.CLASS.LOADE R’ IS NOT HONORED.
- IJ10931 CVE-2018-3169
- IJ10618 GPU SORT: UNSPECIFIED LAUNCH FAILURE
- IJ10619 INCORRECT ILLEGALARGUMENTEXCEPTION BECAUSE OBJECT IS NOT AN INSTANCE OF DECLARING CLASS ON REFLECTIVE INVOCATION
- IJ10135 JVM HUNG IN GARBAGECOLLECTORMXBEAN.G ETLASTGCINFO() API
- IJ10680 RECURRENT ABORTED SCAVENGE
* ORB
- IX90187 CLIENTREQUESTIMPL.REINVO KE FAILS WITH JAVA.LANG.INDEXOUTOFBOUN DSEXCEPTION
* Reliability and Serviceability
- IJ09600 DTFJ AND JDMPVIEW FAIL TO PARSE WIDE REGISTER VALUES
* Security
- IJ10492 'EC KEYSIZE < 384' IS NOT HONORED USING THE 'JDK.TLS.DISABLEDALGORIT HMS' SECURITY PROPERTY
- IJ10310 ADD NULL CHECKING ON THE ENCRYPTION TYPES LIST TO CREDENTIALS.GETDEFAULTNA TIVECREDS() METHOD
- IJ10491 AES/GCM CIPHER – AAD NOT RESET TO UN-INIT STATE AFTER DOFINAL( ) AND INIT( )
- IJ08442 HTTP PUBLIC KEY PINNING FINGERPRINT,PROBLEM WITH CONVERTING TO JKS KEYSTORE
- IJ09107 IBMPKCS11IMPL CRYPTO PROVIDER – INTERMITTENT ERROR WITH SECP521R1 SIGNATURE ON Z/OS
- IJ10136 IBMPKCS11IMPL – INTERMITTENT ERROR WITH SECP521R1 SIG ON Z/OS AND Z/LINUX
- IJ08530 IBMPKCS11IMPL PROVIDER USES THE WRONG RSA CIPHER MECHANISM FOR THE RSA/ECB/PKCS1PADDING CIPHER
- IJ08723 JAAS THROWS A ‘ARRAY INDEX OUT OF RANGE’ EXCEPTION
- IJ08704 THE SECURITY PROPERTY ‘JDK.CERTPATH.DISABLEDAL GORITHMS’ IS MISTAKENLY BEING USED TO FILTER JAR SIGNING ALGORITHMS
* z/OS Extentions
- PH03889 ADD SUPPORT FOR TRY-WITH-RESOURCES TO COM.IBM.JZOS.ENQUEUE
- PH03414 ROLLOVER FROM SYE TO SAE FOR ICSF REASON CODE 3059
- PH04008 ZERTJSSE – Z SYSTEMS ENCRYPTION READINESS TOOL (ZERT) NEW SUPPORT IN THE Z/OS JAVA SDK
This includes the update to Java 8.0 Service Refresh 5 Fix Pack 22:
* Java Virtual Machine
- IJ09139 CUDA4J NOT AVAILABLE ON ALL PLATFORMS
* JIT Compiler
- IJ09089 CRASH DURING COMPILATION IN USEREGISTER ON X86-32
- IJ08655 FLOATING POINT ERROR (SIGFPE) IN ZJ9SYM1 OR ANY VM/JIT MODULE ON AN INSTRUCTION FOLLOWING A VECTOR INSTRUCTION
- IJ08850 CRASH IN ARRAYLIST$ITR.NEXT()
- IJ09601 JVM CRASHES ON A SIGBUS SIGNAL WHEN ACCESSING A DIRECTBYTEBUFFER
* z/OS Extentions
- PH02999 JZOS data management classes accept dataset names in code pages supported by z/OS system services
- PH01244 OUTPUT BUFFER TOO SHORT FOR GCM MODE ENCRYPTION USING IBMJCEHYBRID
Also the update to Java 8.0 Service Refresh 5 Fix Pack 21
* Class Libraries
- IJ08569 JAVA.IO.IOEXCEPTION OCCURS WHEN A FILECHANNEL IS BIGGER THAN 2GB ON AIX PLATFORM
- IJ08570 JAVA.LANG.UNSATISFIEDLIN KERROR WITH JAVA OPTION -DSUN.JAVA2D.CMM=SUN.JAV A2D.CMM.KCMS.KCMSSERVICE PROVIDER ON AIX PLATFORM
* Java Virtual Machine
- IJ08001 30% THROUGHPUT DROP FOR CERTAIN SYNCHRONIZATION WORKLOADS
- IJ07997 TRACEASSERT IN GARBAGE COLLECTOR(MEMORYSUBSPACE)
* JIT Compiler
- IJ08503 ASSERTION IS HIT DUE TO UNEXPECTED STACK HEIGHT IN DEBUGGING MODE
- IJ08375 CRASH DURING HARDWARE GENERATED GUARDED STORAGE EVENT WITHIN A TRANSACTIONAL EXECUTION REGION WHEN RUNNING WITH -XGC:CONCURRENTS
- IJ08205 CRASH WHILE COMPILING
- IJ09575 INCORRECT RESULT WHEN USING JAVA.LANG.MATH.MIN OR MAX ON 31-BIT JVM
- IJ07886 INCORRECT CALUCATIONS WHEN USING NUMBERFORMAT.FORMAT() AND BIGDECIMAL.{FLOAT/DOUBLE }VALUE()
ImportantSUSE bug 1116574CVE-2018-13785 at SUSECVE-2018-13785 at NVDCVE-2018-3136 at SUSECVE-2018-3136 at NVDCVE-2018-3139 at SUSECVE-2018-3139 at NVDCVE-2018-3149 at SUSECVE-2018-3149 at NVDCVE-2018-3169 at SUSECVE-2018-3169 at NVDCVE-2018-3180 at SUSECVE-2018-3180 at NVDCVE-2018-3183 at SUSECVE-2018-3183 at NVDCVE-2018-3214 at SUSECVE-2018-3214 at NVDcpe:/o:suse:sles:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3
This update for xen fixes the following issues:
Security issues fixed:
- CVE-2018-18849: Fixed an out of bounds memory access issue was found in the LSI53C895A SCSI Host Bus Adapter emulation while writing a message in lsi_do_msgin (bsc#1114423).
- CVE-2018-18883: Fixed a NULL pointer dereference that could have been triggered by nested VT-x that where not properly restricted (XSA-278)(bsc#1114405).
- CVE-2018-19965: Fixed denial of service issue from attempting to use INVPCID with a non-canonical addresses (XSA-279)(bsc#1115045).
- CVE-2018-19966: Fixed issue introduced by XSA-240 that could have caused conflicts with shadow paging (XSA-280)(bsc#1115047).
- CVE-2018-19961 CVE-2018-19962: Fixed insufficient TLB flushing / improper large page mappings with AMD IOMMUs (XSA-275)(bsc#1115040).
Non-security issues fixed:
- Added upstream bug fixes (bsc#1027519).
- Fixed XEN SLE12-SP1 domU hang on SLE12-SP3 HV (bsc#1108940).
ImportantSUSE bug 1027519SUSE bug 1108940SUSE bug 1114405SUSE bug 1114423SUSE bug 1115040SUSE bug 1115045SUSE bug 1115047CVE-2018-18849 at SUSECVE-2018-18849 at NVDCVE-2018-18883 at SUSECVE-2018-18883 at NVDCVE-2018-19961 at SUSECVE-2018-19961 at NVDCVE-2018-19962 at SUSECVE-2018-19962 at NVDCVE-2018-19965 at SUSECVE-2018-19965 at NVDCVE-2018-19966 at SUSECVE-2018-19966 at NVDcpe:/o:suse:sles:12:sp3Security update for ghostscript (Important)SUSE Linux Enterprise Server 12 SP3
This update for ghostscript to version 9.26 fixes the following issues:
Security issues fixed:
- CVE-2018-19475: Fixed bypass of an intended access restriction in psi/zdevice2.c (bsc#1117327)
- CVE-2018-19476: Fixed bypass of an intended access restriction in psi/zicc.c (bsc#1117313)
- CVE-2018-19477: Fixed bypass of an intended access restriction in psi/zfjbig2.c (bsc#1117274)
- CVE-2018-19409: Check if another device is used correctly in LockSafetyParams (bsc#1117022)
- CVE-2018-18284: Fixed potential sandbox escape through 1Policy operator (bsc#1112229)
- CVE-2018-18073: Fixed leaks through operator in saved execution stacks (bsc#1111480)
- CVE-2018-17961: Fixed a -dSAFER sandbox escape by bypassing executeonly (bsc#1111479)
- CVE-2018-17183: Fixed a potential code injection by specially crafted PostScript files (bsc#1109105)
Version update to 9.26 (bsc#1117331):
- Security issues have been the primary focus
- Minor bug fixes and improvements
- For release summary see: http://www.ghostscript.com/doc/9.26/News.htm
ImportantSUSE bug 1109105SUSE bug 1111479SUSE bug 1111480SUSE bug 1112229SUSE bug 1117022SUSE bug 1117274SUSE bug 1117313SUSE bug 1117327SUSE bug 1117331CVE-2018-17183 at SUSECVE-2018-17183 at NVDCVE-2018-17961 at SUSECVE-2018-17961 at NVDCVE-2018-18073 at SUSECVE-2018-18073 at NVDCVE-2018-18284 at SUSECVE-2018-18284 at NVDCVE-2018-19409 at SUSECVE-2018-19409 at NVDCVE-2018-19475 at SUSECVE-2018-19475 at NVDCVE-2018-19476 at SUSECVE-2018-19476 at NVDCVE-2018-19477 at SUSECVE-2018-19477 at NVDcpe:/o:suse:sles:12:sp3Security update for cups (Important)SUSE Linux Enterprise Server 12 SP3
This update for cups fixes the following issues:
Security issue fixed:
- CVE-2018-4700: Fixed extremely predictable cookie generation that is effectively breaking the CSRF protection of the CUPS web interface (bsc#1115750).
ImportantSUSE bug 1115750CVE-2018-4700 at SUSECVE-2018-4700 at NVDcpe:/o:suse:sles:12:sp3Security update for git (Important)SUSE Linux Enterprise Server 12 SP3
This update for git fixes the following issue:
- CVE-2018-17456: Git allowed remote code execution during processing of a recursive 'git clone' of a superproject if a .gitmodules file has a URL field beginning with a '-' character. (boo#1110949).
ImportantSUSE bug 1110949CVE-2018-17456 at SUSECVE-2018-17456 at NVDcpe:/o:suse:sles:12:sp3Security update for openvswitch (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for openvswitch to version 2.7.6 fixes the following issues:
These security issues were fixed:
- CVE-2018-17205: Prevent OVS crash when reverting old flows in bundle commit
(bsc#1104467).
- CVE-2018-17206: Avoid buffer overread in BUNDLE action decoding
(bsc#1104467).
- CVE-2018-17204:When decoding a group mod, it validated the group type and
command after the whole group mod has been decoded. The OF1.5 decoder, however,
tried to use the type and command earlier, when it might still be invalid. This
caused an assertion failure (via OVS_NOT_REACHED) (bsc#1104467).
These non-security issues were fixed:
- ofproto/bond: Fix bond reconfiguration race condition.
- ofproto/bond: Fix bond post recirc rule leak.
- ofproto/bond: fix interal flow leak of tcp-balance bond
- systemd: Restart openvswitch service if a daemon crashes
- conntrack: Fix checks for TCP, UDP, and IPv6 header sizes.
- ofp-actions: Fix translation of set_field for nw_ecn
- netdev-dpdk: Fix mempool segfault.
- ofproto-dpif-upcall: Fix flow setup/delete race.
- learn: Fix memory leak in learn_parse_sepc()
- netdev-dpdk: fix mempool_configure error state
- vswitchd: Add --cleanup option to the 'appctl exit' command
- ofp-parse: Fix memory leak on error path in parse_ofp_group_mod_file().
- actions: Fix memory leak on error path in parse_ct_lb_action().
- dpif-netdev: Fix use-after-free error in reconfigure_datapath().
- bridge: Fix memory leak in bridge_aa_update_trunks().
- dpif-netlink: Fix multiple-free and fd leak on error path.
- ofp-print: Avoid array overread in print_table_instruction_features().
- flow: Fix buffer overread in flow_hash_symmetric_l3l4().
- systemd: start vswitchd after udev
- ofp-util: Check length of buckets in ofputil_pull_ofp15_group_mod().
- ovsdb-types: Fix memory leak on error path.
- tnl-ports: Fix loss of tunneling upon removal of a single tunnel port.
- netdev: check for NULL fields in netdev_get_addrs
- netdev-dpdk: vhost get stats fix.
- netdev-dpdk: use 64-bit arithmetic when converting rates.
- ofp-util: Fix buffer overread in ofputil_decode_bundle_add().
- ofp-util: Fix memory leaks on error cases in ofputil_decode_group_mod().
- ofp-util: Fix memory leaks when parsing OF1.5 group properties.
- ofp-actions: Fix buffer overread in decode_LEARN_specs().
- flow: Fix buffer overread for crafted IPv6 packets.
- ofp-actions: Properly interpret 'output:in_port'.
- ovs-ofctl: Avoid read overrun in ofperr_decode_msg().
- odp-util: Avoid misaligned references to ip6_hdr.
- ofproto-dpif-upcall: Fix action attr iteration.
- ofproto-dpif-upcall: Fix key attr iteration.
- netdev-dpdk: vhost get stats fix.
- netdev-dpdk: use 64-bit arithmetic when converting rates.
- ofp-util: Fix buffer overread in ofputil_decode_bundle_add().
- ofp-util: Fix memory leaks on error cases in ofputil_decode_group_mod().
- ofp-util: Fix memory leaks when parsing OF1.5 group properties.
- odp-util: Fix buffer overread in parsing string form of ODP flows.
- ovs-vsctl: Fix segfault when attempting to del-port from parent bridge.
ModerateSUSE bug 1104467CVE-2018-17204 at SUSECVE-2018-17204 at NVDCVE-2018-17205 at SUSECVE-2018-17205 at NVDCVE-2018-17206 at SUSECVE-2018-17206 at NVDcpe:/o:suse:sles:12:sp3Security update for qemu (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for qemu fixes the following issues:
Security issues fixed:
- CVE-2018-10839: Fixed NE2000 NIC emulation support that is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS (bsc#1110910).
- CVE-2018-15746: Fixed qemu-seccomp.c that might allow local OS guest users to cause a denial of service (guest crash) by leveraging mishandling of the seccomp policy for threads other than the main thread (bsc#1106222).
- CVE-2018-17958: Fixed a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used (bsc#1111006).
- CVE-2018-17962: Fixed a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used (bsc#1111010).
- CVE-2018-17963: Fixed qemu_deliver_packet_iov in net/net.c that accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact. (bsc#1111013)
- CVE-2018-18849: Fixed an out of bounds memory access issue that was found in the LSI53C895A SCSI Host Bus Adapter emulation while writing a message in lsi_do_msgin. It could occur during migration if the 'msg_len' field has an invalid value. A user/process could use this flaw to crash the Qemu process resulting in DoS (bsc#1114422).
Non-security issues fixed:
- Improving disk performance for qemu on xen (bsc#1100408)
ModerateSUSE bug 1100408SUSE bug 1106222SUSE bug 1110910SUSE bug 1111006SUSE bug 1111010SUSE bug 1111013SUSE bug 1114422CVE-2018-10839 at SUSECVE-2018-10839 at NVDCVE-2018-15746 at SUSECVE-2018-15746 at NVDCVE-2018-17958 at SUSECVE-2018-17958 at NVDCVE-2018-17962 at SUSECVE-2018-17962 at NVDCVE-2018-17963 at SUSECVE-2018-17963 at NVDCVE-2018-18849 at SUSECVE-2018-18849 at NVDcpe:/o:suse:sles:12:sp3Security update for tcpdump (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for tcpdump fixes the following issues:
Security issues fixed:
- CVE-2018-19519: Fixed a stack-based buffer over-read in the print_prefix function (bsc#1117267)
ModerateSUSE bug 1117267CVE-2018-19519 at SUSECVE-2018-19519 at NVDcpe:/o:suse:sles:12:sp3Security update for openldap2 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for openldap2 fixes the following issues:
Security issue fixed:
- CVE-2017-17740: When both the nops module and the memberof overlay
are enabled, attempts to free a buffer that was allocated on the stack,
which allows remote attackers to cause a denial of service (slapd crash)
via a member MODDN operation. (bsc#1073313)
ModerateSUSE bug 1073313CVE-2017-17740 at SUSECVE-2017-17740 at NVDcpe:/o:suse:sles:12:sp3Security update for libqt5-qtbase (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libqt5-qtbase fixes the following issues:
Security issues fixed:
- CVE-2018-15518: Fixed double free in QXmlStreamReader (bsc#1118595)
- CVE-2018-19873: Fixed Denial of Service on malformed BMP file in QBmpHandler (bsc#1118596)
ModerateSUSE bug 1118595SUSE bug 1118596CVE-2018-15518 at SUSECVE-2018-15518 at NVDCVE-2018-19873 at SUSECVE-2018-19873 at NVDcpe:/o:suse:sles:12:sp3Security update for bluez (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for bluez fixes the following issues:
Security issues fixed:
- CVE-2016-9800: Fixed a buffer overflow in the pin_code_reply_dump function (bsc#1013721)
- CVE-2016-9801: Fixed a buffer overflow in the set_ext_ctrl function (bsc#1013732)
ModerateSUSE bug 1013721SUSE bug 1013732CVE-2016-9800 at SUSECVE-2016-9800 at NVDCVE-2016-9801 at SUSECVE-2016-9801 at NVDcpe:/o:suse:sles:12:sp3Security update for tiff (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for tiff fixes the following issues:
Security issues fixed:
- CVE-2018-19210: Fixed NULL pointer dereference in the TIFFWriteDirectorySec function (bsc#1115717).
- CVE-2017-12944: Fixed denial of service issue in the TIFFReadDirEntryArray function (bsc#1054594).
- CVE-2016-10094: Fixed heap-based buffer overflow in the _tiffWriteProc function (bsc#1017693).
- CVE-2016-10093: Fixed heap-based buffer overflow in the _TIFFmemcpy function (bsc#1017693).
- CVE-2016-10092: Fixed heap-based buffer overflow in the TIFFReverseBits function (bsc#1017693).
- CVE-2016-6223: Fixed out-of-bounds read on memory-mapped files in TIFFReadRawStrip1() and TIFFReadRawTile1() (bsc#990460).
ModerateSUSE bug 1017693SUSE bug 1054594SUSE bug 1115717SUSE bug 990460CVE-2016-10092 at SUSECVE-2016-10092 at NVDCVE-2016-10093 at SUSECVE-2016-10093 at NVDCVE-2016-10094 at SUSECVE-2016-10094 at NVDCVE-2016-6223 at SUSECVE-2016-6223 at NVDCVE-2017-12944 at SUSECVE-2017-12944 at NVDCVE-2018-19210 at SUSECVE-2018-19210 at NVDcpe:/o:suse:sles:12:sp3Security update for ovmf (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ovmf fixes the following issues:
Security issues fixed:
- CVE-2018-3613: Fixed AuthVariable Timestamp zeroing issue on APPEND_WRITE (bsc#1115916).
- CVE-2017-5731: Fixed privilege escalation via processing of malformed files in TianoCompress.c (bsc#1115917).
- CVE-2017-5732: Fixed privilege escalation via processing of malformed files in BaseUefiDecompressLib.c (bsc#1115917).
- CVE-2017-5733: Fixed privilege escalation via heap-based buffer overflow in MakeTable() function (bsc#1115917).
- CVE-2017-5734: Fixed privilege escalation via stack-based buffer overflow in MakeTable() function (bsc#1115917).
- CVE-2017-5735: Fixed privilege escalation via heap-based buffer overflow in Decode() function (bsc#1115917).
ModerateSUSE bug 1115916SUSE bug 1115917CVE-2017-5731 at SUSECVE-2017-5731 at NVDCVE-2017-5732 at SUSECVE-2017-5732 at NVDCVE-2017-5733 at SUSECVE-2017-5733 at NVDCVE-2017-5734 at SUSECVE-2017-5734 at NVDCVE-2017-5735 at SUSECVE-2017-5735 at NVDCVE-2018-3613 at SUSECVE-2018-3613 at NVDcpe:/o:suse:sles:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3
This update for xen fixes several issues.
These security issues were fixed:
- CVE-2017-5753, CVE-2017-5715, CVE-2017-5754: Prevent information leaks via
side effects of speculative execution, aka 'Spectre' and 'Meltdown' attacks
(bsc#1074562, bsc#1068032)
- CVE-2017-15595: x86 PV guest OS users were able to cause a DoS (unbounded
recursion, stack consumption, and hypervisor crash) or possibly gain privileges
via crafted page-table stacking (bsc#1061081)
- CVE-2017-17566: Prevent PV guest OS users to cause a denial of service (host
OS crash) or gain host OS privileges in shadow mode by mapping a certain
auxiliary page (bsc#1070158).
- CVE-2017-17563: Prevent guest OS users to cause a denial of service (host OS
crash) or gain host OS privileges by leveraging an incorrect mask for
reference-count overflow checking in shadow mode (bsc#1070159).
- CVE-2017-17564: Prevent guest OS users to cause a denial of service (host OS
crash) or gain host OS privileges by leveraging incorrect error handling for
reference counting in shadow mode (bsc#1070160).
- CVE-2017-17565: Prevent PV guest OS users to cause a denial of service (host
OS crash) if shadow mode and log-dirty mode are in place, because of an
incorrect assertion related to M2P (bsc#1070163).
- CVE-2018-5683: The vga_draw_text function allowed local OS guest privileged
users to cause a denial of service (out-of-bounds read and QEMU process crash)
by leveraging improper memory address validation (bsc#1076116).
- CVE-2017-18030: The cirrus_invalidate_region function allowed local OS guest
privileged users to cause a denial of service (out-of-bounds array access and
QEMU process crash) via vectors related to negative pitch (bsc#1076180).
These non-security issues were fixed:
- bsc#1067317: pass cache=writeback|unsafe|directsync to qemu depending on the
libxl disk settings
- bsc#1051729: Prevent invalid symlinks after install of SLES 12 SP2
- bsc#1035442: Increased the value of LIBXL_DESTROY_TIMEOUT from 10 to 100
seconds. If many domUs shutdown in parallel the backends couldn't keep up
- bsc#1027519: Added several upstream patches
ImportantSUSE bug 1027519SUSE bug 1035442SUSE bug 1051729SUSE bug 1061081SUSE bug 1067317SUSE bug 1068032SUSE bug 1070158SUSE bug 1070159SUSE bug 1070160SUSE bug 1070163SUSE bug 1074562SUSE bug 1076116SUSE bug 1076180CVE-2017-15595 at SUSECVE-2017-15595 at NVDCVE-2017-17563 at SUSECVE-2017-17563 at NVDCVE-2017-17564 at SUSECVE-2017-17564 at NVDCVE-2017-17565 at SUSECVE-2017-17565 at NVDCVE-2017-17566 at SUSECVE-2017-17566 at NVDCVE-2017-18030 at SUSECVE-2017-18030 at NVDCVE-2017-5715 at SUSECVE-2017-5715 at NVDCVE-2017-5753 at SUSECVE-2017-5753 at NVDCVE-2017-5754 at SUSECVE-2017-5754 at NVDCVE-2018-5683 at SUSECVE-2018-5683 at NVDcpe:/o:suse:sles:12:sp3Security update for MozillaFirefox, mozilla-nspr and mozilla-nss (Important)SUSE Linux Enterprise Server 12 SP3
This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues:
Issues fixed in MozillaFirefox:
- Update to Firefox ESR 60.4 (bsc#1119105)
- CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11
- CVE-2018-18492: Fixed a use-after-free with select element
- CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia
- CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries
to steal cross-origin URLs
- CVE-2018-18498: Fixed a integer overflow when calculating buffer sizes for images
- CVE-2018-12405: Fixed a few memory safety bugs
Issues fixed in mozilla-nss:
- Update to NSS 3.40.1 (bsc#1119105)
- CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069)
- CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an
SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. (bsc#1106873)
- CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410)
- Fixed a decryption failure during FFDHE key exchange
- Various security fixes in the ASN.1 code
Issues fixed in mozilla-nspr:
- Update mozilla-nspr to 4.20 (bsc#1119105)
ImportantSUSE bug 1097410SUSE bug 1106873SUSE bug 1119069SUSE bug 1119105CVE-2018-0495 at SUSECVE-2018-0495 at NVDCVE-2018-12384 at SUSECVE-2018-12384 at NVDCVE-2018-12404 at SUSECVE-2018-12404 at NVDCVE-2018-12405 at SUSECVE-2018-12405 at NVDCVE-2018-17466 at SUSECVE-2018-17466 at NVDCVE-2018-18492 at SUSECVE-2018-18492 at NVDCVE-2018-18493 at SUSECVE-2018-18493 at NVDCVE-2018-18494 at SUSECVE-2018-18494 at NVDCVE-2018-18498 at SUSECVE-2018-18498 at NVDcpe:/o:suse:sles:12:sp3Security update for mailman (Important)SUSE Linux Enterprise Server 12 SP3
This update for mailman fixes the following security vulnerabilities:
- Fixed a XSS vulnerability and information leak in user options CGI, which
could be used to execute arbitrary scripts in the user's browser via
specially encoded URLs (bsc#1077358 CVE-2018-5950)
- Fixed a directory traversal vulnerability in MTA transports when using the
recommended Mailman Transport for Exim (bsc#925502 CVE-2015-2775)
- Fixed a XSS vulnerability, which allowed malicious listowners to inject
scripts into the listinfo pages (bsc#1099510 CVE-2018-0618)
- Fixed arbitrary text injection vulnerability in several mailman CGIs
(CVE-2018-13796 bsc#1101288)
- Fixed a CSRF vulnerability on the user options page (CVE-2016-6893 bsc#995352)
ImportantSUSE bug 1077358SUSE bug 1099510SUSE bug 1101288SUSE bug 925502SUSE bug 995352CVE-2015-2775 at SUSECVE-2015-2775 at NVDCVE-2016-6893 at SUSECVE-2016-6893 at NVDCVE-2018-0618 at SUSECVE-2018-0618 at NVDCVE-2018-13796 at SUSECVE-2018-13796 at NVDCVE-2018-5950 at SUSECVE-2018-5950 at NVDcpe:/o:suse:sles:12:sp3Security update for wireshark (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for wireshark fixes the following issues:
Update to Wireshark 2.4.11 (bsc#1117740).
Security issues fixed:
- CVE-2018-19625: The Wireshark dissection engine could crash (wnpa-sec-2018-51)
- CVE-2018-19626: The DCOM dissector could crash (wnpa-sec-2018-52)
- CVE-2018-19623: The LBMPDM dissector could crash (wnpa-sec-2018-53)
- CVE-2018-19622: The MMSE dissector could go into an infinite loop (wnpa-sec-2018-54)
- CVE-2018-19627: The IxVeriWave file parser could crash (wnpa-sec-2018-55)
- CVE-2018-19624: The PVFS dissector could crash (wnpa-sec-2018-56)
Further bug fixes and updated protocol support as listed in:
- https://www.wireshark.org/docs/relnotes/wireshark-2.4.11.html
ModerateSUSE bug 1117740CVE-2018-19622 at SUSECVE-2018-19622 at NVDCVE-2018-19623 at SUSECVE-2018-19623 at NVDCVE-2018-19624 at SUSECVE-2018-19624 at NVDCVE-2018-19625 at SUSECVE-2018-19625 at NVDCVE-2018-19626 at SUSECVE-2018-19626 at NVDCVE-2018-19627 at SUSECVE-2018-19627 at NVDcpe:/o:suse:sles:12:sp3Security update for glibc (Important)SUSE Linux Enterprise Server 12 SP3
This update for glibc fixes the following issues:
Security issues fixed:
- CVE-2017-8804: Fix memory leak after deserialization failure in xdr_bytes, xdr_string (bsc#1037930)
- CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791)
- CVE-2018-6485,CVE-2018-6551: Fix integer overflows in internal memalign and malloc functions (bsc#1079036)
- CVE-2018-1000001: Avoid underflow of malloced area (bsc#1074293)
Non security bugs fixed:
- Release read lock after resetting timeout (bsc#1073990)
ImportantSUSE bug 1037930SUSE bug 1051791SUSE bug 1073990SUSE bug 1074293SUSE bug 1079036CVE-2017-12132 at SUSECVE-2017-12132 at NVDCVE-2017-8804 at SUSECVE-2017-8804 at NVDCVE-2018-1000001 at SUSECVE-2018-1000001 at NVDCVE-2018-6485 at SUSECVE-2018-6485 at NVDCVE-2018-6551 at SUSECVE-2018-6551 at NVDcpe:/o:suse:sles:12:sp3Security update for quagga (Important)SUSE Linux Enterprise Server 12 SP3
This update for quagga fixes the security following issues:
- The Quagga BGP daemon contained a bug in the AS_PATH size calculation that
could have been exploited to facilitate a remote denial-of-service attack via
specially crafted BGP UPDATE messages. [CVE-2017-16227, bsc#1065641]
- The Quagga BGP daemon did not check whether data sent to peers via NOTIFY had
an invalid attribute length. It was possible to exploit this issue and cause
the bgpd process to leak sensitive information over the network to a
configured peer. [CVE-2018-5378, bsc#1079798]
- The Quagga BGP daemon used to double-free memory when processing certain
forms of UPDATE messages. This issue could be exploited by sending an
optional/transitive UPDATE attribute that all conforming eBGP speakers should
pass along. Consequently, a single UPDATE message could have affected many
bgpd processes across a wide area of a network. Through this vulnerability,
attackers could potentially have taken over control of affected bgpd
processes remotely. [CVE-2018-5379, bsc#1079799]
- It was possible to overrun internal BGP code-to-string conversion tables in
the Quagga BGP daemon. Configured peers could have exploited this issue and
cause bgpd to emit debug and warning messages into the logs that would
contained arbitrary bytes. [CVE-2018-5380, bsc#1079800]
- The Quagga BGP daemon could have entered an infinite loop if sent an invalid
OPEN message by a configured peer. If this issue was exploited, then bgpd
would cease to respond to any other events. BGP sessions would have been
dropped and not be reestablished. The CLI interface would have been
unresponsive. The bgpd daemon would have stayed in this state until
restarted. [CVE-2018-5381, bsc#1079801]
ImportantSUSE bug 1065641SUSE bug 1079798SUSE bug 1079799SUSE bug 1079800SUSE bug 1079801CVE-2017-16227 at SUSECVE-2017-16227 at NVDCVE-2018-5378 at SUSECVE-2018-5378 at NVDCVE-2018-5379 at SUSECVE-2018-5379 at NVDCVE-2018-5380 at SUSECVE-2018-5380 at NVDCVE-2018-5381 at SUSECVE-2018-5381 at NVDcpe:/o:suse:sles:12:sp3Security update for p7zip (Important)SUSE Linux Enterprise Server 12 SP3
This update for p7zip fixes the following issues:
Security issues fixed:
- CVE-2016-1372: Fixed multiple vulnerabilities when processing crafted 7z files (bsc#984650)
- CVE-2017-17969: Fixed a heap-based buffer overflow in a shrink decoder (bsc#1077725)
- CVE-2018-5996: Fixed memory corruption in RAR decompression. The complete RAR decoder was removed as it also has license issues (bsc#1077724 bsc#1077978)
ImportantSUSE bug 1077724SUSE bug 1077725SUSE bug 1077978SUSE bug 984650CVE-2016-1372 at SUSECVE-2016-1372 at NVDCVE-2017-17969 at SUSECVE-2017-17969 at NVDCVE-2018-5996 at SUSECVE-2018-5996 at NVDcpe:/o:suse:sles:12:sp3Security update for dovecot22 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for dovecot22 fixes one issue.
This security issue was fixed:
- CVE-2017-15132: An abort of SASL authentication resulted in a memory leak in
dovecot's auth client used by login processes. The leak has impact in high
performance configuration where same login processes are reused and can cause
the process to crash due to memory exhaustion (bsc#1075608).
ModerateSUSE bug 1075608CVE-2017-15132 at SUSECVE-2017-15132 at NVDcpe:/o:suse:sles:12:sp3Security update for postgresql96 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for postgresql96 to version 9.6.7 fixes the following issues:
- CVE-2018-1053: Ensure that all temporary files made by pg_upgrade are non-world-readable. (bsc#1077983)
A full changelog is available here:
https://www.postgresql.org/docs/9.6/static/release-9-6-7.html
ModerateSUSE bug 1077983CVE-2018-1053 at SUSECVE-2018-1053 at NVDcpe:/o:suse:sles:12:sp3Security update for libdb-4_8 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libdb-4_8 fixes the following issues:
- A DB_CONFIG file in the current working directory allowed local
users to obtain sensitive information via a symlink attack
involving a setgid or setuid application using libdb-4_8. (bsc#1043886)
ModerateSUSE bug 1043886cpe:/o:suse:sles:12:sp3Security update for dhcp (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for dhcp fixes several issues.
This security issue was fixed:
- CVE-2017-3144: OMAPI code didn't free socket descriptors when empty message
is received allowing DoS (bsc#1076119).
These non-security issues were fixed:
- Optimized if and when DNS client context and ports are initted (bsc#1073935)
- Relax permission of dhclient-script for libguestfs (bsc#987170)
- Modify dhclient-script to handle static route updates (bsc#1023415).
- Use only the 12 least significant bits of an inbound packet's TCI value as the VLAN ID
to fix some packages being wrongly discarded by the Linux packet filter. (bsc#1059061)
ModerateSUSE bug 1023415SUSE bug 1059061SUSE bug 1073935SUSE bug 1076119SUSE bug 987170CVE-2017-3144 at SUSECVE-2017-3144 at NVDcpe:/o:suse:sles:12:sp3Security update for systemd (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for systemd fixes the following issues:
Security issue fixed:
- CVE-2017-18078: tmpfiles: refuse to chown()/chmod() files which are
hardlinked, unless protected_hardlinks sysctl is on. This could be used
by local attackers to gain privileges (bsc#1077925)
Non Security issues fixed:
- core: use id unit when retrieving unit file state (#8038) (bsc#1075801)
- cryptsetup-generator: run cryptsetup service before swap unit (#5480)
- udev-rules: all values can contain escaped double quotes now (#6890)
- strv: fix buffer size calculation in strv_join_quoted()
- tmpfiles: change ownership of symlinks too
- stdio-bridge: Correctly propagate error
- stdio-bridge: remove dead code
- remove bus-proxyd (bsc#1057974)
- core/timer: Prevent timer looping when unit cannot start (bsc#1068588)
- Make systemd-timesyncd use the openSUSE NTP servers by default
Previously systemd-timesyncd used the Google Public NTP servers
time{1..4}.google.com
- Don't ship /usr/lib/systemd/system/tmp.mnt at all (bsc#1071224)
But we still ship a copy in /var.
Users who want to use tmpfs on /tmp are supposed to add a symlink in
/etc/ pointing to the copy shipped in /var.
To support the update path we automatically create the symlink if
tmp.mount in use is located in /usr.
- Enable systemd-networkd on Leap distros only (bsc#1071311)
ModerateSUSE bug 1057974SUSE bug 1068588SUSE bug 1071224SUSE bug 1071311SUSE bug 1075801SUSE bug 1077925CVE-2017-18078 at SUSECVE-2017-18078 at NVDcpe:/o:suse:sles:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ImageMagick fixes the following issues:
- CVE-2017-9405: A memory leak in the ReadICONImage function was fixed that could lead to DoS via memory exhaustion (bsc#1042911)
- CVE-2017-9407: In ImageMagick, the ReadPALMImage function in palm.c allowed attackers to cause a denial of service (memory leak) via a crafted file. (bsc#1042824)
- CVE-2017-11166: In ReadXWDImage in coders\xwd.c a memoryleak could have caused memory exhaustion via a crafted length (bsc#1048110)
- CVE-2017-11170: ReadTGAImage in coders\tga.c allowed for memory exhaustion via invalid colors data in the header of a TGA or VST file (bsc#1048272)
- CVE-2017-11448: The ReadJPEGImage function in coders/jpeg.c in ImageMagick allowed remote attackers to obtain sensitive information from uninitialized memory locations via a crafted file. (bsc#1049375)
- CVE-2017-11450: A remote denial of service in coders/jpeg.c was fixed (bsc#1049374)
- CVE-2017-11528: ReadDIBImage in coders/dib.c allows remote attackers to cause DoS via memory exhaustion (bsc#1050119)
- CVE-2017-11530: ReadEPTImage in coders/ept.c allows remote attackers to cause DoS via memory exhaustion (bsc#1050122)
- CVE-2017-11531: When ImageMagick processed a crafted file in convert, it could lead to a Memory Leak in the WriteHISTOGRAMImage() function in coders/histogram.c. (bsc#1050126)
- CVE-2017-11533: A information leak by 1 byte due to heap-based buffer over-read in the WriteUILImage() in coders/uil.c was fixed (bsc#1050132)
- CVE-2017-11537: When ImageMagick processed a crafted file in convert, it can lead to a Floating Point Exception (FPE) in the WritePALMImage() function in coders/palm.c, related to an incorrect bits-per-pixel calculation. (bsc#1050048)
- CVE-2017-11638, CVE-2017-11642: A NULL pointer dereference in theWriteMAPImage() in coders/map.c was fixed which could lead to a crash (bsc#1050617)
- CVE-2017-12418: ImageMagick had memory leaks in the parse8BIMW and format8BIM functions in coders/meta.c, related to the WriteImage function in MagickCore/constitute.c. (bsc#1052207)
- CVE-2017-12427: ProcessMSLScript coders/msl.c allowed remote attackers to cause a DoS (bsc#1052248)
- CVE-2017-12429: A memory exhaustion flaw in ReadMIFFImage in coders/miff.c was fixed, which allowed attackers to cause DoS (bsc#1052251)
- CVE-2017-12432: In ImageMagick, a memory exhaustion vulnerability was found in the function ReadPCXImage in coders/pcx.c, which allowed attackers to cause a denial of service. (bsc#1052254)
- CVE-2017-12566: A memory leak in ReadMVGImage in coders/mvg.c, could have allowed attackers to cause DoS (bsc#1052472)
- CVE-2017-12654: The ReadPICTImage function in coders/pict.c in ImageMagick allowed attackers to cause a denial of service (memory leak) via a crafted file. (bsc#1052761)
- CVE-2017-12663: A memory leak in WriteMAPImage in coders/map.c was fixed that could lead to a DoS via memory exhaustion (bsc#1052754)
- CVE-2017-12664: ImageMagick had a memory leak vulnerability in WritePALMImage in coders/palm.c. (bsc#1052750)
- CVE-2017-12665: ImageMagick had a memory leak vulnerability in WritePICTImage in coders/pict.c. (bsc#1052747)
- CVE-2017-12668: ImageMagick had a memory leak vulnerability in WritePCXImage in coders/pcx.c. (bsc#1052688)
- CVE-2017-12674: A CPU exhaustion in ReadPDBImage in coders/pdb.c was fixed, which allowed attackers to cause DoS (bsc#1052711)
- CVE-2017-13058: In ImageMagick, a memory leak vulnerability was found in the function WritePCXImage in coders/pcx.c, which allowed attackers to cause a denial of service via a crafted file. (bsc#1055069)
- CVE-2017-13131: A memory leak vulnerability was found in thefunction ReadMIFFImage in coders/miff.c, which allowed attackers tocause a denial of service (memory consumption in NewL (bsc#1055229)
- CVE-2017-14060: A NULL Pointer Dereference issue in the ReadCUTImage function in coders/cut.c was fixed that could have caused a Denial of Service (bsc#1056768)
- CVE-2017-14139: A memory leak vulnerability in WriteMSLImage in coders/msl.c was fixed. (bsc#1057163)
- CVE-2017-14224: A heap-based buffer overflow in WritePCXImage in coders/pcx.c could lead to denial of service or code execution. (bsc#1058009)
- CVE-2017-17682: A large loop vulnerability was fixed in ExtractPostscript in coders/wpg.c, which allowed attackers to cause a denial of service (CPU exhaustion) (bsc#1072898)
- CVE-2017-17885: In ImageMagick, a memory leak vulnerability was found in the function ReadPICTImage in coders/pict.c, which allowed attackers to cause a denial of service via a crafted PICT image file. (bsc#1074119)
- CVE-2017-17934: A memory leak in the function MSLPopImage and ProcessMSLScript could have lead to a denial of service (bsc#1074170)
- CVE-2017-18028: A memory exhaustion in the function ReadTIFFImage in coders/tiff.c was fixed. (bsc#1076182)
- CVE-2018-5357: ImageMagick had memory leaks in the ReadDCMImage function in coders/dcm.c. (bsc#1075821)
- CVE-2018-6405: In the ReadDCMImage function in coders/dcm.c in ImageMagick, each redmap, greenmap, and bluemap variable can be overwritten by a new pointer. The previous pointer is lost, which leads to a memory leak. This allowed remote attackers to cause a denial of service. (bsc#1078433)
ModerateSUSE bug 1042824SUSE bug 1042911SUSE bug 1048110SUSE bug 1048272SUSE bug 1049374SUSE bug 1049375SUSE bug 1050048SUSE bug 1050119SUSE bug 1050122SUSE bug 1050126SUSE bug 1050132SUSE bug 1050617SUSE bug 1052207SUSE bug 1052248SUSE bug 1052251SUSE bug 1052254SUSE bug 1052472SUSE bug 1052688SUSE bug 1052711SUSE bug 1052747SUSE bug 1052750SUSE bug 1052754SUSE bug 1052761SUSE bug 1055069SUSE bug 1055229SUSE bug 1056768SUSE bug 1057163SUSE bug 1058009SUSE bug 1072898SUSE bug 1074119SUSE bug 1074170SUSE bug 1075821SUSE bug 1076182SUSE bug 1078433CVE-2017-11166 at SUSECVE-2017-11166 at NVDCVE-2017-11170 at SUSECVE-2017-11170 at NVDCVE-2017-11448 at SUSECVE-2017-11448 at NVDCVE-2017-11450 at SUSECVE-2017-11450 at NVDCVE-2017-11528 at SUSECVE-2017-11528 at NVDCVE-2017-11530 at SUSECVE-2017-11530 at NVDCVE-2017-11531 at SUSECVE-2017-11531 at NVDCVE-2017-11533 at SUSECVE-2017-11533 at NVDCVE-2017-11537 at SUSECVE-2017-11537 at NVDCVE-2017-11638 at SUSECVE-2017-11638 at NVDCVE-2017-11642 at SUSECVE-2017-11642 at NVDCVE-2017-12418 at SUSECVE-2017-12418 at NVDCVE-2017-12427 at SUSECVE-2017-12427 at NVDCVE-2017-12429 at SUSECVE-2017-12429 at NVDCVE-2017-12432 at SUSECVE-2017-12432 at NVDCVE-2017-12566 at SUSECVE-2017-12566 at NVDCVE-2017-12654 at SUSECVE-2017-12654 at NVDCVE-2017-12663 at SUSECVE-2017-12663 at NVDCVE-2017-12664 at SUSECVE-2017-12664 at NVDCVE-2017-12665 at SUSECVE-2017-12665 at NVDCVE-2017-12668 at SUSECVE-2017-12668 at NVDCVE-2017-12674 at SUSECVE-2017-12674 at NVDCVE-2017-13058 at SUSECVE-2017-13058 at NVDCVE-2017-13131 at SUSECVE-2017-13131 at NVDCVE-2017-14060 at SUSECVE-2017-14060 at NVDCVE-2017-14139 at SUSECVE-2017-14139 at NVDCVE-2017-14224 at SUSECVE-2017-14224 at NVDCVE-2017-17682 at SUSECVE-2017-17682 at NVDCVE-2017-17885 at SUSECVE-2017-17885 at NVDCVE-2017-17934 at SUSECVE-2017-17934 at NVDCVE-2017-18028 at SUSECVE-2017-18028 at NVDCVE-2017-9405 at SUSECVE-2017-9405 at NVDCVE-2017-9407 at SUSECVE-2017-9407 at NVDCVE-2018-5357 at SUSECVE-2018-5357 at NVDCVE-2018-6405 at SUSECVE-2018-6405 at NVDcpe:/o:suse:sles:12:sp3Security update for openexr (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for openexr fixes the following issues:
* CVE-2017-9110: In OpenEXR, an invalid read of size 2 in the hufDecode function in ImfHuf.cpp could cause the application to crash. (bsc#1040107)
* CVE-2017-9114: In OpenEXR, an invalid read of size 1 in the refill function in ImfFastHuf.cpp could cause the application to crash. (bsc#1040114)
* CVE-2017-12596: In OpenEXR, a crafted image causes a heap-based buffer over-read in the hufDecode function in IlmImf/ImfHuf.cpp during exrmaketiled execution; it could have resulted in denial of service or possibly unspecified other impact. (bsc#1052522)
ModerateSUSE bug 1040107SUSE bug 1040114SUSE bug 1052522CVE-2017-12596 at SUSECVE-2017-12596 at NVDCVE-2017-9110 at SUSECVE-2017-9110 at NVDCVE-2017-9114 at SUSECVE-2017-9114 at NVDcpe:/o:suse:sles:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ImageMagick fixes several issues.
These security issues were fixed:
- CVE-2017-1000476: A CPU exhaustion vulnerability was found in the function
ReadDDSInfo in coders/dds.c, which allowed attackers to cause a denial of
service (bsc#1074610).
- CVE-2017-9409: The ReadMPCImage function in mpc.c allowed attackers to cause
a denial of service (memory leak) via a crafted file (bsc#1042948).
- CVE-2017-1000445: A NULL pointer dereference in the MagickCore component
might have lead to denial of service (bsc#1074425).
- CVE-2017-17680: Prevent a memory leak in the function ReadXPMImage in
coders/xpm.c, which allowed attackers to cause a denial of service via a
crafted XPM image file (a different vulnerability than CVE-2017-17882)
(bsc#1072902).
- CVE-2017-17882: Prevent a memory leak in the function ReadXPMImage in
coders/xpm.c, which allowed attackers to cause a denial of service via a
crafted XPM image file (a different vulnerability than CVE-2017-17680)
(bsc#1074122).
- CVE-2017-11449: coders/mpc did not enable seekable streams and thus could not
validate blob sizes, which allowed remote attackers to cause a denial of
service (application crash) or possibly have unspecified other impact via an
image received from stdin (bsc#1049373).
- CVE-2017-12430: A memory exhaustion in the function ReadMPCImage in
coders/mpc.c allowed attackers to cause DoS (bsc#1052252).
- CVE-2017-12642: Prevent a memory leak vulnerability in ReadMPCImage in
coders\mpc.c via crafted file allowing for DoS (bsc#1052771).
- CVE-2017-14249: A mishandled EOF check in ReadMPCImage in coders/mpc.c that
lead to a division by zero in GetPixelCacheTileSize in MagickCore/cache.c
allowed remote attackers to cause a denial of service via a crafted file
(bsc#1058082).
- Prevent memory leak via crafted file in pwp.c allowing for DoS (bsc#1051412)
ModerateSUSE bug 1042948SUSE bug 1049373SUSE bug 1051412SUSE bug 1052252SUSE bug 1052771SUSE bug 1058082SUSE bug 1072902SUSE bug 1074122SUSE bug 1074425SUSE bug 1074610CVE-2017-1000445 at SUSECVE-2017-1000445 at NVDCVE-2017-1000476 at SUSECVE-2017-1000476 at NVDCVE-2017-11449 at SUSECVE-2017-11449 at NVDCVE-2017-11751 at SUSECVE-2017-11751 at NVDCVE-2017-12430 at SUSECVE-2017-12430 at NVDCVE-2017-12642 at SUSECVE-2017-12642 at NVDCVE-2017-14249 at SUSECVE-2017-14249 at NVDCVE-2017-17680 at SUSECVE-2017-17680 at NVDCVE-2017-17882 at SUSECVE-2017-17882 at NVDCVE-2017-9409 at SUSECVE-2017-9409 at NVDcpe:/o:suse:sles:12:sp3Security update for cups (Important)SUSE Linux Enterprise Server 12 SP3
This update for cups fixes the following issues:
- CVE-2017-18190: Removed localhost.localdomain from list
of trustworthy hosts in scheduler/client.c to avoid arbitrary IPP
command execution in conjunction with DNS rebinding.
(bsc#1081557)
ImportantSUSE bug 1081557CVE-2017-18190 at SUSECVE-2017-18190 at NVDcpe:/o:suse:sles:12:sp3Security update for wavpack (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for wavpack fixes the following issues:
- CVE-2016-10169 CVE-2016-10170 CVE-2016-10171 CVE-2016-10172: Make sure upper and lower boundaries make sense, to avoid out of bounds memory reads that could lead to crashes or disclosing memory. (bsc#1021483)
ModerateSUSE bug 1021483CVE-2016-10169 at SUSECVE-2016-10169 at NVDCVE-2016-10170 at SUSECVE-2016-10170 at NVDCVE-2016-10171 at SUSECVE-2016-10171 at NVDCVE-2016-10172 at SUSECVE-2016-10172 at NVDcpe:/o:suse:sles:12:sp3Security update for squid (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for squid fixes the following issues:
Security issues fixed:
- CVE-2018-1000024: DoS fix caused by incorrect pointer handling when processing ESI
responses. This affects the default custom esi_parser (bsc#1077003).
- CVE-2018-1000027: DoS fix caused by incorrect pointer handing whien processing ESI
responses or downloading intermediate CA certificates (bsc#1077006).
ModerateSUSE bug 1077003SUSE bug 1077006CVE-2018-1000024 at SUSECVE-2018-1000024 at NVDCVE-2018-1000027 at SUSECVE-2018-1000027 at NVDcpe:/o:suse:sles:12:sp3Security update for augeas (Low)SUSE Linux Enterprise Server 12 SP3
This update for augeas fixes the following issues:
Security issue fixed:
- CVE-2017-7555: Fix a memory corruption bug could have lead to arbitrary code execution
by passing crafted strings that would be mis-handled by parse_name() (bsc#1054171).
LowSUSE bug 1054171CVE-2017-7555 at SUSECVE-2017-7555 at NVDcpe:/o:suse:sles:12:sp3Security update for glibc (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for glibc fixes the following issues:
- CVE-2017-12133: Avoid use-after-free read access in clntudp_call (bsc#1081556)
ModerateSUSE bug 1081556CVE-2017-12133 at SUSECVE-2017-12133 at NVDcpe:/o:suse:sles:12:sp3Security update for shadow (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for shadow fixes the following issues:
- CVE-2018-7169: Fixed an privilege escalation in newgidmap,
which allowed an unprivileged user to be placed in a user namespace where
setgroups(2) is allowed. (bsc#1081294)
ModerateSUSE bug 1081294CVE-2018-7169 at SUSECVE-2018-7169 at NVDcpe:/o:suse:sles:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3
This update for java-1_8_0-ibm fixes the following issues:
- Removed java-1_8_0-ibm-alsa and java-1_8_0-ibm-plugin entries in
baselibs.conf due to errors in osc source_validator
Version update to 8.0.5.10 [bsc#1082810]
* Security fixes:
CVE-2018-2639 CVE-2018-2638 CVE-2018-2633 CVE-2018-2637
CVE-2018-2634 CVE-2018-2582 CVE-2018-2641 CVE-2018-2618
CVE-2018-2603 CVE-2018-2599 CVE-2018-2602 CVE-2018-2678
CVE-2018-2677 CVE-2018-2663 CVE-2018-2588 CVE-2018-2579
* Defect fixes:
- IJ02608 Class Libraries: Change of namespace definitions with
handlers that implement javax.xml.ws.handler.soap.soaphandler
- IJ04280 Class Libraries: Deploy Upgrade to Oracle level 8u161-b12
- IJ03390 Class Libraries: JCL Upgrade to Oracle level 8u161-b12
- IJ04001 Class Libraries: Performance improvement with child
process on AIX
- IJ04281 Class Libraries: Startup time increase after applying
apar IV96905
- IJ03822 Class Libraries: Update timezone information to tzdata2017c
- IJ03440 Java Virtual Machine: Assertion failure during class creation
- IJ03717 Java Virtual Machine: Assertion for gencon with concurrent
scavenger on ZOS64
- IJ03513 Java Virtual Machine: Assertion in concurrent scavenger if
initial heap memory size -Xms is set too low
- IJ03994 Java Virtual Machine: Class.getmethods() does not return
all methods
- IJ03413 Java Virtual Machine: Hang creating thread after redefining
classes
- IJ03852 Java Virtual Machine: ICH408I message when groupaccess is
specified with -xshareclasses
- IJ03716 Java Virtual Machine: java/lang/linkageerror from
sun/misc/unsafe.definean onymousclass()
- IJ03116 Java Virtual Machine: java.fullversion string contains an
extra space
- IJ03347 Java Virtual Machine: java.lang.IllegalStateException in
related class MemoryMXBean
- IJ03878 Java Virtual Machine: java.lang.StackOverflowError is thrown
when custom security manager in place
- IJ03605 Java Virtual Machine: Legacy security for com.ibm.jvm.dump,
trace, log was not enabled by default
- IJ04248 JIT Compiler: ArrayIndexOutOfBoundsException is thrown when
converting BigDecimal to String
- IJ04250 JIT Compiler: Assertion failure with concurrentScavenge on Z14
- IJ03606 JIT Compiler: Java crashes with -version
- IJ04251 JIT Compiler: JIT compiled method that takes advantage of
AutoSIMD produces an incorrect result on x86
- IJ03854 JIT Compiler: JVM info message appears in stdout
- IJ03607 JIT Compiler: Result String contains a redundant dot when
converted from BigDecimal with 0 on all platforms
- IX90185 ORB: Upgrade ibmcfw.jar to version O1800.01
- IJ03715 Security: Add additional support for the IBMJCEPlus provider,
add support for new IBMJCEPlusFIPS provider
- IJ03800 Security: A fix in CMS provider for KDB integrity
- IJ04282 Security: Change in location and default of jurisdiction
policy files
- IJ03853 Security: IBMCAC provider does not support SHA224
- IJ02679 Security: IBMPKCS11Impl – Bad sessions are being allocated
internally
- IJ02706 Security: IBMPKCS11Impl – Bad sessions are being allocated
internally
- IJ03552 Security: IBMPKCS11Impl - Config file problem with the slot
specification attribute
- IJ01901 Security: IBMPKCS11Impl – SecureRandom.setSeed() exception
- IJ03801 Security: Issue with same DN certs, iKeyman GUI error with
stash, JKS Chain issue and JVM argument parse issue with iKeyman
- IJ03256 Security: javax.security.auth.Subject.toString() throws NPE
- PI93233 z/OS Extentions: Cipher.doFinal() fails when using
AES/GCM/nopadding with AAD data of 13 bytes and a block size
of 4081 to 4096
* Fixes in 8.0.5.7:
- IJ02605 Class Libraries: Update IBM-1371 charset with new specification
support
- IJ02541 Java Virtual Machine: Assertions in GC when jvmti runs with
Concurrent Scavenger
- IJ02443 Java Virtual Machine: Committed eden region size is bigger than
maximum eden region size
- IJ02378 Java Virtual Machine: Existing signal action for SIG_IGN/SIG_DFL
is not detected properly
- IJ02758 JIT Compiler: Crash in JIT module during method compilation
- IJ02733 JIT Compiler: Crash in jit module when compiling in non-default
configuration
* Fixes in 8.0.5.6:
- IJ02283 Java Virtual Machine: IllegalAccessException due to a missing
access check for the same class in MethodHandle apis
- IJ02082 Java Virtual Machine: The default value for class unloading kick
off threshold is not set
- IJ02018 JIT Compiler: Crash or assertion while attempting to acquire
VM access
- IJ02284 JIT Compiler: Division by zero in JIT compiler
- IV88941 JIT Compiler: JIT compiler takes far too long to compile a
method
- IJ02285 JIT Compiler: Performance degradation during class unloading in
Java 8 SR5
- Support Java jnlp files run from Firefox. [bsc#1076390]
ImportantSUSE bug 1076390SUSE bug 1082810SUSE bug 929900SUSE bug 955131CVE-2018-2579 at SUSECVE-2018-2579 at NVDCVE-2018-2582 at SUSECVE-2018-2582 at NVDCVE-2018-2588 at SUSECVE-2018-2588 at NVDCVE-2018-2599 at SUSECVE-2018-2599 at NVDCVE-2018-2602 at SUSECVE-2018-2602 at NVDCVE-2018-2603 at SUSECVE-2018-2603 at NVDCVE-2018-2618 at SUSECVE-2018-2618 at NVDCVE-2018-2633 at SUSECVE-2018-2633 at NVDCVE-2018-2634 at SUSECVE-2018-2634 at NVDCVE-2018-2637 at SUSECVE-2018-2637 at NVDCVE-2018-2638 at SUSECVE-2018-2638 at NVDCVE-2018-2639 at SUSECVE-2018-2639 at NVDCVE-2018-2641 at SUSECVE-2018-2641 at NVDCVE-2018-2663 at SUSECVE-2018-2663 at NVDCVE-2018-2677 at SUSECVE-2018-2677 at NVDCVE-2018-2678 at SUSECVE-2018-2678 at NVDcpe:/o:suse:sles:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3
This update for java-1_7_0-openjdk fixes the following issues:
Security issues fixed in OpenJDK 7u171 (January 2018 CPU)(bsc#1076366):
- CVE-2018-2579: Improve key keying case
- CVE-2018-2588: Improve LDAP logins
- CVE-2018-2599: Improve reliability of DNS lookups
- CVE-2018-2602: Improve usage messages
- CVE-2018-2603: Improve PKCS usage
- CVE-2018-2618: Stricter key generation
- CVE-2018-2629: Improve GSS handling
- CVE-2018-2633: Improve LDAP lookup robustness
- CVE-2018-2634: Improve property negotiations
- CVE-2018-2637: Improve JMX supportive features
- CVE-2018-2641: Improve GTK initialization
- CVE-2018-2663: More refactoring for deserialization cases
- CVE-2018-2677: More refactoring for client deserialization cases
- CVE-2018-2678: More refactoring for naming
ImportantSUSE bug 1076366CVE-2018-2579 at SUSECVE-2018-2579 at NVDCVE-2018-2588 at SUSECVE-2018-2588 at NVDCVE-2018-2599 at SUSECVE-2018-2599 at NVDCVE-2018-2602 at SUSECVE-2018-2602 at NVDCVE-2018-2603 at SUSECVE-2018-2603 at NVDCVE-2018-2618 at SUSECVE-2018-2618 at NVDCVE-2018-2629 at SUSECVE-2018-2629 at NVDCVE-2018-2633 at SUSECVE-2018-2633 at NVDCVE-2018-2634 at SUSECVE-2018-2634 at NVDCVE-2018-2637 at SUSECVE-2018-2637 at NVDCVE-2018-2641 at SUSECVE-2018-2641 at NVDCVE-2018-2663 at SUSECVE-2018-2663 at NVDCVE-2018-2677 at SUSECVE-2018-2677 at NVDCVE-2018-2678 at SUSECVE-2018-2678 at NVDcpe:/o:suse:sles:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3
This update for java-1_8_0-openjdk fixes the following issues:
Security issues fix in jdk8u161 (icedtea 3.7.0)(bsc#1076366):
- CVE-2018-2579: Improve key keying case
- CVE-2018-2582: Better interface invocations
- CVE-2018-2588: Improve LDAP logins
- CVE-2018-2599: Improve reliability of DNS lookups
- CVE-2018-2602: Improve usage messages
- CVE-2018-2603: Improve PKCS usage
- CVE-2018-2618: Stricter key generation
- CVE-2018-2629: Improve GSS handling
- CVE-2018-2633: Improve LDAP lookup robustness
- CVE-2018-2634: Improve property negotiations
- CVE-2018-2637: Improve JMX supportive features
- CVE-2018-2641: Improve GTK initialization
- CVE-2018-2663: More refactoring for deserialization cases
- CVE-2018-2677: More refactoring for client deserialization cases
- CVE-2018-2678: More refactoring for naming deserialization cases
ImportantSUSE bug 1076366CVE-2018-2579 at SUSECVE-2018-2579 at NVDCVE-2018-2582 at SUSECVE-2018-2582 at NVDCVE-2018-2588 at SUSECVE-2018-2588 at NVDCVE-2018-2599 at SUSECVE-2018-2599 at NVDCVE-2018-2602 at SUSECVE-2018-2602 at NVDCVE-2018-2603 at SUSECVE-2018-2603 at NVDCVE-2018-2618 at SUSECVE-2018-2618 at NVDCVE-2018-2629 at SUSECVE-2018-2629 at NVDCVE-2018-2633 at SUSECVE-2018-2633 at NVDCVE-2018-2634 at SUSECVE-2018-2634 at NVDCVE-2018-2637 at SUSECVE-2018-2637 at NVDCVE-2018-2641 at SUSECVE-2018-2641 at NVDCVE-2018-2663 at SUSECVE-2018-2663 at NVDCVE-2018-2677 at SUSECVE-2018-2677 at NVDCVE-2018-2678 at SUSECVE-2018-2678 at NVDcpe:/o:suse:sles:12:sp3Security update for kernel-firmware (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for kernel-firmware fixes the following issues:
- CVE-2015-1142857: Add 7.13.1.0 bnx2x firmware files to fix a ethernet flow control
vulnerability in SRIOV devices (bsc#1077355)
ModerateSUSE bug 1077355CVE-2015-1142857 at SUSECVE-2015-1142857 at NVDcpe:/o:suse:sles:12:sp3Security update for libcdio (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libcdio fixes the following issues:
- CVE-2017-18201: Fixed a double free vulnerability (bsc#1082877).
ModerateSUSE bug 1082877CVE-2017-18201 at SUSECVE-2017-18201 at NVDcpe:/o:suse:sles:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3
This update for java-1_7_1-ibm fixes the following issues:
The version was updated to 7.1.4.20 [bsc#1082810]
* Security fixes:
- CVE-2018-2633 CVE-2018-2637 CVE-2018-2634 CVE-2018-2582
CVE-2018-2641 CVE-2018-2618 CVE-2018-2657 CVE-2018-2603
CVE-2018-2599 CVE-2018-2602 CVE-2018-2678 CVE-2018-2677
CVE-2018-2663 CVE-2018-2588 CVE-2018-2579
* Defect fixes:
- IJ04281 Class Libraries: Startup time increase after applying
apar IV96905
- IJ03822 Class Libraries: Update timezone information to tzdata2017c
- IJ03605 Java Virtual Machine: Legacy security for com.ibm.jvm.dump,
trace, log was not enabled by default
- IJ03607 JIT Compiler: Result String contains a redundant dot when
converted from BigDecimal with 0 on all platforms
- IX90185 ORB: Upgrade ibmcfw.jar to version O1800.01
- IJ04282 Security: Change in location and default of jurisdiction
policy files
- IJ03853 Security: IBMCAC provider does not support SHA224
- IJ02679 Security: IBMPKCS11Impl -- Bad sessions are being allocated
internally
- IJ02706 Security: IBMPKCS11Impl -- Bad sessions are being allocated
internally
- IJ03552 Security: IBMPKCS11Impl -- Config file problem with the slot
specification attribute
- IJ01901 Security: IBMPKCS11Impl -- SecureRandom.setSeed() exception
- IJ03801 Security: Issue with same DN certs, iKeyman GUI error with
stash, JKS Chain issue and JVM argument parse issue with iKeyman
- IJ03256 Security: javax.security.auth.Subject.toString() throws NPE
- IJ02284 JIT Compiler: Division by zero in JIT compiler
* SUSE fixes:
- Make it possible to run Java jnlp files from Firefox. (bsc#1057460)
- Fixed symlinks to policy files on update [bsc#1085018]
- Fixed jpackage-java-1_7_1-ibm-webstart.desktop file to allow
Java jnlp files run from Firefox. [bsc#1057460, bsc#1076390]
- Fix javaws segfaults when java expiration timer has elapsed. [bsc#929900]
- Provide IBM Java updates for IBMs PMR 55931,671,760 and for SUSEs
SR 110991601735. [bsc#966304]
ImportantSUSE bug 1057460SUSE bug 1076390SUSE bug 1082810SUSE bug 1085018SUSE bug 929900SUSE bug 955131SUSE bug 966304CVE-2018-2579 at SUSECVE-2018-2579 at NVDCVE-2018-2582 at SUSECVE-2018-2582 at NVDCVE-2018-2588 at SUSECVE-2018-2588 at NVDCVE-2018-2599 at SUSECVE-2018-2599 at NVDCVE-2018-2602 at SUSECVE-2018-2602 at NVDCVE-2018-2603 at SUSECVE-2018-2603 at NVDCVE-2018-2618 at SUSECVE-2018-2618 at NVDCVE-2018-2633 at SUSECVE-2018-2633 at NVDCVE-2018-2634 at SUSECVE-2018-2634 at NVDCVE-2018-2637 at SUSECVE-2018-2637 at NVDCVE-2018-2641 at SUSECVE-2018-2641 at NVDCVE-2018-2657 at SUSECVE-2018-2657 at NVDCVE-2018-2663 at SUSECVE-2018-2663 at NVDCVE-2018-2677 at SUSECVE-2018-2677 at NVDCVE-2018-2678 at SUSECVE-2018-2678 at NVDcpe:/o:suse:sles:12:sp3Security update for mariadb (Important)SUSE Linux Enterprise Server 12 SP3
This update for mariadb fixes the following issues:
MariaDB was updated to 10.0.34 (bsc#1078431)
The following security vulnerabilities are fixed:
- CVE-2018-2562: Vulnerability in the MySQL Server subcomponent: Server : Partition. Easily exploitable vulnerability allowed low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data.
- CVE-2018-2622: Vulnerability in the MySQL Server subcomponent: Server: DDL. Easily exploitable vulnerability allowed low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
- CVE-2018-2640: Vulnerability in the MySQL Server subcomponent: Server: Optimizer. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
- CVE-2018-2665: Vulnerability in the MySQL Server subcomponent: Server: Optimizer. Easily exploitable vulnerability allowed low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
- CVE-2018-2668: Vulnerability in the MySQL Server subcomponent: Server: Optimizer. Easily exploitable vulnerability allowed low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
- CVE-2018-2612: Vulnerability in the MySQL Server subcomponent: InnoDB. Easily exploitable vulnerability allowed high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
The MariaDB external release notes and changelog for this release:
* https://kb.askmonty.org/en/mariadb-10034-release-notes
* https://kb.askmonty.org/en/mariadb-10034-changelog
ImportantSUSE bug 1078431CVE-2018-2562 at SUSECVE-2018-2562 at NVDCVE-2018-2612 at SUSECVE-2018-2612 at NVDCVE-2018-2622 at SUSECVE-2018-2622 at NVDCVE-2018-2640 at SUSECVE-2018-2640 at NVDCVE-2018-2665 at SUSECVE-2018-2665 at NVDCVE-2018-2668 at SUSECVE-2018-2668 at NVDcpe:/o:suse:sles:12:sp3Security update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3
This update for ucode-intel fixes the following issues:
The Intel CPU microcode version was updated to version 20180312.
This update enables the IBPB+IBRS based mitigations of the Spectre v2 flaws (boo#1085207 CVE-2017-5715)
- New Platforms
- BDX-DE EGW A0 6-56-5:10 e000009
- SKX B1 6-55-3:97 1000140
- Updates
- SNB D2 6-2a-7:12 29->2d
- JKT C1 6-2d-6:6d 619->61c
- JKT C2 6-2d-7:6d 710->713
- IVB E2 6-3a-9:12 1c->1f
- IVT C0 6-3e-4:ed 428->42c
- IVT D1 6-3e-7:ed 70d->713
- HSW Cx/Dx 6-3c-3:32 22->24
- HSW-ULT Cx/Dx 6-45-1:72 20->23
- CRW Cx 6-46-1:32 17->19
- HSX C0 6-3f-2:6f 3a->3c
- HSX-EX E0 6-3f-4:80 0f->11
- BDW-U/Y E/F 6-3d-4:c0 25->2a
- BDW-H E/G 6-47-1:22 17->1d
- BDX-DE V0/V1 6-56-2:10 0f->15
- BDW-DE V2 6-56-3:10 700000d->7000012
- BDW-DE Y0 6-56-4:10 f00000a->f000011
- SKL-U/Y D0 6-4e-3:c0 ba->c2
- SKL R0 6-5e-3:36 ba->c2
- KBL-U/Y H0 6-8e-9:c0 62->84
- KBL B0 6-9e-9:2a 5e->84
- CFL D0 6-8e-a:c0 70->84
- CFL U0 6-9e-a:22 70->84
- CFL B0 6-9e-b:02 72->84
- SKX H0 6-55-4:b7 2000035->2000043
ImportantSUSE bug 1085207CVE-2017-5715 at SUSECVE-2017-5715 at NVDcpe:/o:suse:sles:12:sp3Security update for xmltooling (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for xmltooling fixes the following issues:
- CVE-2018-0489: Fixed a security bug when xmltooling mishandled digital
signatures of user data, which allows remote attackers to obtain
sensitive information or conduct impersonation attacks via crafted
XML data. NOTE: this issue exists because of an incomplete fix for
CVE-2018-0486. (bsc#1083247)
ModerateSUSE bug 1083247CVE-2018-0486 at SUSECVE-2018-0486 at NVDCVE-2018-0489 at SUSECVE-2018-0489 at NVDcpe:/o:suse:sles:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3
This update for java-1_7_1-ibm fixes the following issue:
The version was updated to 7.1.4.20 [bsc#1082810]
* Security fixes:
- CVE-2018-2633 CVE-2018-2637 CVE-2018-2634 CVE-2018-2582
CVE-2018-2641 CVE-2018-2618 CVE-2018-2657 CVE-2018-2603
CVE-2018-2599 CVE-2018-2602 CVE-2018-2678 CVE-2018-2677
CVE-2018-2663 CVE-2018-2588 CVE-2018-2579
* Defect fixes:
- IJ04281 Class Libraries: Startup time increase after applying
apar IV96905
- IJ03822 Class Libraries: Update timezone information to tzdata2017c
- IJ03605 Java Virtual Machine: Legacy security for com.ibm.jvm.dump,
trace, log was not enabled by default
- IJ03607 JIT Compiler: Result String contains a redundant dot when
converted from BigDecimal with 0 on all platforms
- IX90185 ORB: Upgrade ibmcfw.jar to version O1800.01
- IJ04282 Security: Change in location and default of jurisdiction
policy files
- IJ03853 Security: IBMCAC provider does not support SHA224
- IJ02679 Security: IBMPKCS11Impl -- Bad sessions are being allocated
internally
- IJ02706 Security: IBMPKCS11Impl -- Bad sessions are being allocated
internally
- IJ03552 Security: IBMPKCS11Impl -- Config file problem with the slot
specification attribute
- IJ01901 Security: IBMPKCS11Impl -- SecureRandom.setSeed() exception
- IJ03801 Security: Issue with same DN certs, iKeyman GUI error with
stash, JKS Chain issue and JVM argument parse issue with iKeyman
- IJ03256 Security: javax.security.auth.Subject.toString() throws NPE
- IJ02284 JIT Compiler: Division by zero in JIT compiler
* SUSE fixes:
- Make it possible to run Java jnlp files from Firefox. (bsc#1057460)
- Fixed jpackage-java-1_7_1-ibm-webstart.desktop file to allow
Java jnlp files run from Firefox. [bsc#1057460, bsc#1076390]
- Fix javaws segfaults when java expiration timer has elapsed. [bsc#929900]
- Provide IBM Java updates for IBMs PMR 55931,671,760 and for SUSEs
SR 110991601735. [bsc#966304]
- Ensure that all Java policy files are symlinked into the proper file system
locations. Without those symlinks, several OES iManager plugins did not
function properly. [bsc#1085018]
ImportantSUSE bug 1057460SUSE bug 1076390SUSE bug 1082810SUSE bug 1085018SUSE bug 929900SUSE bug 955131SUSE bug 966304CVE-2018-2579 at SUSECVE-2018-2579 at NVDCVE-2018-2582 at SUSECVE-2018-2582 at NVDCVE-2018-2588 at SUSECVE-2018-2588 at NVDCVE-2018-2599 at SUSECVE-2018-2599 at NVDCVE-2018-2602 at SUSECVE-2018-2602 at NVDCVE-2018-2603 at SUSECVE-2018-2603 at NVDCVE-2018-2618 at SUSECVE-2018-2618 at NVDCVE-2018-2633 at SUSECVE-2018-2633 at NVDCVE-2018-2634 at SUSECVE-2018-2634 at NVDCVE-2018-2637 at SUSECVE-2018-2637 at NVDCVE-2018-2641 at SUSECVE-2018-2641 at NVDCVE-2018-2657 at SUSECVE-2018-2657 at NVDCVE-2018-2663 at SUSECVE-2018-2663 at NVDCVE-2018-2677 at SUSECVE-2018-2677 at NVDCVE-2018-2678 at SUSECVE-2018-2678 at NVDcpe:/o:suse:sles:12:sp3Security update for samba, talloc, tevent (Moderate)SUSE Linux Enterprise Server 12 SP3
Samba was updated to version 4.6.13 to fix several bugs. (bsc#1084191)
Security issue fixed:
- CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally (bsc#1081741).
The library talloc was updated to version 2.1.10:
- build, documentation and python3 improvements
The library tevent was updated to version 0.9.34 (bsc#1069666);
- Remove unused select backend
- Fix a race condition in tevent_threaded_schedule_immediate(); (bso#13130);
- make tevent_req_print() more robust against crashes
- Fix mutex locking in tevent_threaded_context_destructor().
- Re-init threading in tevent_re_initialise().
- Include the finish location in tevent_req_default_print().
ModerateSUSE bug 1069666SUSE bug 1081741SUSE bug 1084191CVE-2018-1050 at SUSECVE-2018-1050 at NVDcpe:/o:suse:sles:12:sp3Security update for postgresql96 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for postgresql96 fixes the following issues:
Security issues fixed:
- CVE-2018-1058: Fixed uncontrolled search path element in pg_dump and other client applications (bsc#1081925).
Bug fixes:
- See release notes for details:
* https://www.postgresql.org/docs/9.6/static/release-9-6-8.html
ModerateSUSE bug 1081925CVE-2018-1058 at SUSECVE-2018-1058 at NVDcpe:/o:suse:sles:12:sp3Security update for qemu (Important)SUSE Linux Enterprise Server 12 SP3
This update for qemu fixes the following issues:
This update has the next round of Spectre v2 related patches, which
now integrate with corresponding changes in libvirt. (CVE-2017-5715
bsc#1068032)
The January 2018 release of qemu initially addressed the Spectre v2
vulnerability for KVM guests by exposing the spec-ctrl feature
for all x86 vcpu types, which was the quick and dirty approach,
but not the proper solution.
We replaced our initial patch by the patches from upstream.
This update defines spec_ctrl and ibpb cpu feature flags as well as new
cpu models which are clones of existing models with either -IBRS or -IBPB
added to the end of the model name. These new vcpu models explicitly
include the new feature(s), whereas the feature flags can be added
to the cpu parameter as with other features. In short, for continued
Spectre v2 protection, ensure that either the appropriate cpu feature
flag is added to the QEMU command-line, or one of the new cpu models is
used.
Although migration from older versions is supported, the new cpu
features won't be properly exposed to the guest until it is restarted
with the cpu features explicitly added. A reboot is insufficient.
A warning patch is added which attempts to detect a migration
from a qemu version which had the quick and dirty fix (it only
detects certain cases, but hopefully is helpful.)
For additional information on Spectre v2 as it relates to QEMU,
see:
https://www.qemu.org/2018/02/14/qemu-2-11-1-and-spectre-update/
A patch is added to continue to detect Spectre v2 mitigation
features (as shown by cpuid), and if found provide that feature
to guests, even if running on older KVM (kernel) versions which
do not yet expose that feature to QEMU. (bsc#1082276)
These two patches will be removed when we can reasonably assume
everyone is running with the appropriate updates.
Spectre fixes for IBM Z Series were included by providing more hw features
to guests (bsc#1076813)
Also security fixes for the following CVE issues are included:
- CVE-2017-17381: The Virtio Vring implementation in QEMU allowed local OS guest users to cause a denial of service (divide-by-zero error and QEMU process crash) by unsetting vring alignment while updating Virtio rings. (bsc#1071228)
- CVE-2017-16845: The PS2 driver in Qemu did not validate 'rptr' and 'count' values during guest migration, leading to out-of-bounds access. (bsc#1068613)
- CVE-2017-15119: The Network Block Device (NBD) server in Quick Emulator (QEMU), was vulnerable to a denial of service issue. It could occur if a client sent large option requests, making the server waste CPU time on reading up to 4GB per request. A client could use this flaw to keep the NBD server from serving other requests, resulting in DoS. (bsc#1070144)
- CVE-2017-18043: Integer overflow in the macro ROUND_UP (n, d) in Quick Emulator (Qemu) allowed a user to cause a denial of service (Qemu process crash). (bsc#1076775)
- CVE-2018-5683: The VGA driver in Qemu allowed local OS guest privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging improper memory address validation. (bsc#1076114)
- CVE-2018-7550: The multiboot functionality in Quick Emulator (aka QEMU) allowed local guest OS users to execute arbitrary code on the QEMU host via an out-of-bounds read or write memory access. (bsc#1083291)
- CVE-2017-15124: VNC server implementation in Quick Emulator (QEMU) was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, VNC server allocates growing memory to hold onto this data. A malicious remote VNC client could use this flaw to cause DoS to the server host. (bsc#1073489)
Additional bugs fixed:
- Fix pcihp for 1.6 and older machine types (bsc#1074572)
- Fix packaging dependencies (coreutils) for qemu-ksm package (bsc#1040202)
ImportantSUSE bug 1040202SUSE bug 1068032SUSE bug 1068613SUSE bug 1070144SUSE bug 1071228SUSE bug 1073489SUSE bug 1074572SUSE bug 1076114SUSE bug 1076775SUSE bug 1076813SUSE bug 1082276SUSE bug 1083291CVE-2017-15119 at SUSECVE-2017-15119 at NVDCVE-2017-15124 at SUSECVE-2017-15124 at NVDCVE-2017-16845 at SUSECVE-2017-16845 at NVDCVE-2017-17381 at SUSECVE-2017-17381 at NVDCVE-2017-18043 at SUSECVE-2017-18043 at NVDCVE-2017-5715 at SUSECVE-2017-5715 at NVDCVE-2018-5683 at SUSECVE-2018-5683 at NVDCVE-2018-7550 at SUSECVE-2018-7550 at NVDcpe:/o:suse:sles:12:sp3Security update for curl (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for curl fixes the following issues:
Following security issues were fixed:
- CVE-2018-1000120: A buffer overflow exists in the FTP URL handling that allowed an attacker to cause a denial of service or possible code execution (bsc#1084521).
- CVE-2018-1000121: A NULL pointer dereference exists in the LDAP code that allowed an attacker to cause a denial of service (bsc#1084524).
- CVE-2018-1000122: A buffer over-read exists in the RTSP+RTP handling code that allowed an attacker to cause a denial of service or information leakage (bsc#1084532).
ModerateSUSE bug 1084521SUSE bug 1084524SUSE bug 1084532CVE-2018-1000120 at SUSECVE-2018-1000120 at NVDCVE-2018-1000121 at SUSECVE-2018-1000121 at NVDCVE-2018-1000122 at SUSECVE-2018-1000122 at NVDcpe:/o:suse:sles:12:sp3Security update for libvorbis (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libvorbis fixes the following issues:
- CVE-2018-5146: Fixed out of bounds memory write while processing Vorbis audio data (bsc#1085687).
ModerateSUSE bug 1085687CVE-2018-5146 at SUSECVE-2018-5146 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3
The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.120 to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2017-13166: An elevation of privilege vulnerability in the v4l2 video driver. (bnc#1072865).
- CVE-2017-15951: The KEYS subsystem did not correctly synchronize the actions of updating versus finding a key in the 'negative' state to avoid a race condition, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls (bnc#1062840 bnc#1065615).
- CVE-2017-16644: The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c allowed local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067118).
- CVE-2017-16912: The 'get_pipe()' function (drivers/usb/usbip/stub_rx.c) allowed attackers to cause a denial of service (out-of-bounds read) via a specially crafted USB over IP packet (bnc#1078673).
- CVE-2017-16913: The 'stub_recv_cmd_submit()' function (drivers/usb/usbip/stub_rx.c) when handling CMD_SUBMIT packets allowed attackers to cause a denial of service (arbitrary memory allocation) via a specially crafted USB over IP packet (bnc#1078672).
- CVE-2017-17975: Use-after-free in the usbtv_probe function in drivers/media/usb/usbtv/usbtv-core.c allowed attackers to cause a denial of service (system crash) or possibly have unspecified other impact by triggering failure of audio registration, because a kfree of the usbtv data structure occurs during a usbtv_video_free call, but the usbtv_video_fail label's code attempts to both access and free this data structure (bnc#1074426).
- CVE-2017-18174: The amd_gpio_remove function in drivers/pinctrl/pinctrl-amd.c calls the pinctrl_unregister function, leading to a double free (bnc#1080533).
- CVE-2017-18208: The madvise_willneed function in mm/madvise.c allowed local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping (bnc#1083494).
- CVE-2018-1000026: A insufficient input validation vulnerability in bnx2x network card driver could result in DoS: Network card firmware assertion takes card off-line. This attack appear to be exploitable via An attacker on a must pass a very large, specially crafted packet to the bnx2x card. This can be done from an untrusted guest VM. (bnc#1079384).
- CVE-2018-8087: Memory leak in the hwsim_new_radio_nl function in drivers/net/wireless/mac80211_hwsim.c allowed local users to cause a denial of service (memory consumption) by triggering an out-of-array error case (bnc#1085053).
- CVE-2018-1068: Insufficient user provided offset checking in the ebtables compat code allowed local attackers to overwrite kernel memory and potentially execute code. (bsc#1085107)
The following non-security bugs were fixed:
- acpi / bus: Leave modalias empty for devices which are not present (bnc#1012382).
- acpi, nfit: fix health event notification (FATE#321135, FATE#321217, FATE#321256, FATE#321391, FATE#321393).
- acpi, nfit: fix register dimm error handling (FATE#321135, FATE#321217, FATE#321256, FATE#321391, FATE#321393).
- acpi: sbshc: remove raw pointer from printk() message (bnc#1012382).
- Add delay-init quirk for Corsair K70 RGB keyboards (bnc#1012382).
- add ip6_make_flowinfo helper (bsc#1042286).
- ahci: Add Intel Cannon Lake PCH-H PCI ID (bnc#1012382).
- ahci: Add PCI ids for Intel Bay Trail, Cherry Trail and Apollo Lake AHCI (bnc#1012382).
- ahci: Annotate PCI ids for mobile Intel chipsets as such (bnc#1012382).
- alpha: fix crash if pthread_create races with signal delivery (bnc#1012382).
- alpha: fix reboot on Avanti platform (bnc#1012382).
- alsa: hda/ca0132 - fix possible NULL pointer use (bnc#1012382).
- alsa: hda - Fix headset mic detection problem for two Dell machines (bnc#1012382).
- alsa: hda/realtek - Add headset mode support for Dell laptop (bsc#1031717).
- alsa: hda/realtek: PCI quirk for Fujitsu U7x7 (bnc#1012382).
- alsa: hda - Reduce the suspend time consumption for ALC256 (bsc#1031717).
- alsa: hda - Use IS_REACHABLE() for dependency on input (bsc#1031717).
- alsa: seq: Fix racy pool initializations (bnc#1012382).
- alsa: seq: Fix regression by incorrect ioctl_mutex usages (bnc#1012382).
- alsa: usb-audio: add implicit fb quirk for Behringer UFX1204 (bnc#1012382).
- alsa: usb-audio: Fix UAC2 get_ctl request with a RANGE attribute (bnc#1012382).
- amd-xgbe: Fix unused suspend handlers build warning (bnc#1012382).
- arm64: add PTE_ADDR_MASK (bsc#1068032).
- arm64: barrier: Add CSDB macros to control data-value prediction (bsc#1068032).
- arm64: define BUG() instruction without CONFIG_BUG (bnc#1012382).
- arm64: Disable unhandled signal log messages by default (bnc#1012382).
- arm64: dts: add #cooling-cells to CPU nodes (bnc#1012382).
- arm64: entry: Apply BP hardening for high-priority synchronous exceptions (bsc#1068032).
- arm64: entry: Apply BP hardening for suspicious interrupts from EL0 (bsc#1068032).
- arm64: entry: Ensure branch through syscall table is bounded under speculation (bsc#1068032).
- arm64: entry: Reword comment about post_ttbr_update_workaround (bsc#1068032).
- arm64: Force KPTI to be disabled on Cavium ThunderX (bsc#1068032).
- arm64: futex: Mask __user pointers prior to dereference (bsc#1068032).
- arm64: idmap: Use 'awx' flags for .idmap.text .pushsection directives (bsc#1068032).
- arm64: Implement array_index_mask_nospec() (bsc#1068032).
- arm64: Kconfig: select COMPAT_BINFMT_ELF only when BINFMT_ELF is set (bnc#1012382).
- arm64: kpti: Add ->enable callback to remap swapper using nG mappings (bsc#1068032).
- arm64: kpti: Make use of nG dependent on arm64_kernel_unmapped_at_el0() (bsc#1068032).
- arm64: Make USER_DS an inclusive limit (bsc#1068032).
- arm64: mm: Permit transitioning from Global to Non-Global without BBM (bsc#1068032).
- arm64: move TASK_* definitions to <asm/processor.h> (bsc#1068032).
- arm64: Run enable method for errata work arounds on late CPUs (bsc#1085045).
- arm64: uaccess: Do not bother eliding access_ok checks in __{get, put}_user (bsc#1068032).
- arm64: uaccess: Mask __user pointers for __arch_{clear, copy_*}_user (bsc#1068032).
- arm64: uaccess: Prevent speculative use of the current addr_limit (bsc#1068032).
- arm64: Use pointer masking to limit uaccess speculation (bsc#1068032).
- arm: 8731/1: Fix csum_partial_copy_from_user() stack mismatch (bnc#1012382).
- arm: AM33xx: PRM: Remove am33xx_pwrdm_read_prev_pwrst function (bnc#1012382).
- arm: dts: am4372: Correct the interrupts_properties of McASP (bnc#1012382).
- arm: dts: Fix omap4 hang with GPS connected to USB by using wakeupgen (bnc#1012382).
- arm: dts: ls1021a: fix incorrect clock references (bnc#1012382).
- arm: dts: s5pv210: add interrupt-parent for ohci (bnc#1012382).
- arm: dts: STi: Add gpio polarity for 'hdmi,hpd-gpio' property (bnc#1012382).
- arm: kvm: Fix SMCCC handling of unimplemented SMC/HVC calls (bnc#1012382).
- arm: OMAP2+: Fix SRAM virt to phys translation for save_secure_ram_context (bnc#1012382).
- arm: omap2: hide omap3_save_secure_ram on non-OMAP3 builds (git-fixes).
- arm: pxa/tosa-bt: add MODULE_LICENSE tag (bnc#1012382).
- arm: spear13xx: Fix dmas cells (bnc#1012382).
- arm: spear13xx: Fix spics gpio controller's warning (bnc#1012382).
- arm: spear600: Add missing interrupt-parent of rtc (bnc#1012382).
- arm: tegra: select USB_ULPI from EHCI rather than platform (bnc#1012382).
- asoc: au1x: Fix timeout tests in au1xac97c_ac97_read() (bsc#1031717).
- asoc: Intel: Kconfig: fix build when ACPI is not enabled (bnc#1012382).
- asoc: Intel: sst: Fix the return value of 'sst_send_byte_stream_mrfld()' (bsc#1031717).
- asoc: mediatek: add i2c dependency (bnc#1012382).
- asoc: nuc900: Fix a loop timeout test (bsc#1031717).
- asoc: pcm512x: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE (bnc#1012382).
- asoc: rockchip: disable clock on error (bnc#1012382).
- asoc: rsnd: avoid duplicate free_irq() (bnc#1012382).
- asoc: rsnd: do not call free_irq() on Parent SSI (bnc#1012382).
- asoc: simple-card: Fix misleading error message (bnc#1012382).
- asoc: ux500: add MODULE_LICENSE tag (bnc#1012382).
- ata: ahci_xgene: free structure returned by acpi_get_object_info() (bsc#1082979).
- ata: pata_artop: remove redundant initialization of pio (bsc#1082979).
- ata: sata_dwc_460ex: remove incorrect locking (bsc#1082979).
- b2c2: flexcop: avoid unused function warnings (bnc#1012382).
- binder: add missing binder_unlock() (bnc#1012382).
- binder: check for binder_thread allocation failure in binder_poll() (bnc#1012382).
- binfmt_elf: compat: avoid unused function warning (bnc#1012382).
- blk-mq: add warning to __blk_mq_run_hw_queue() for ints disabled (bsc#1084772).
- blk-mq: stop 'delayed_run_work' in blk_mq_stop_hw_queue() (bsc#1084967).
- blk-mq: turn WARN_ON in __blk_mq_run_hw_queue into printk (bsc#1084772).
- blktrace: fix unlocked registration of tracepoints (bnc#1012382).
- block: fix an error code in add_partition() (bsc#1082979).
- block: Fix __bio_integrity_endio() documentation (bsc#1082979).
- bluetooth: btsdio: Do not bind to non-removable BCM43341 (bnc#1012382).
- bluetooth: btusb: Restore QCA Rome suspend/resume fix with a 'rewritten' version (bnc#1012382).
- bnx2x: Improve reliability in case of nested PCI errors (bnc#1012382).
- bnxt_en: Fix the 'Invalid VF' id check in bnxt_vf_ndo_prep routine (bnc#1012382).
- bpf: arsh is not supported in 32 bit alu thus reject it (bnc#1012382).
- bpf: avoid false sharing of map refcount with max_entries (bnc#1012382).
- bpf: fix 32-bit divide by zero (bnc#1012382).
- bpf: fix bpf_tail_call() x64 JIT (bnc#1012382).
- bpf: fix divides by zero (bnc#1012382).
- bpf: introduce BPF_JIT_ALWAYS_ON config (bnc#1012382).
- bpf: reject stores into ctx via st and xadd (bnc#1012382).
- bridge: implement missing ndo_uninit() (bsc#1042286).
- bridge: move bridge multicast cleanup to ndo_uninit (bsc#1042286).
- btrfs: copy fsid to super_block s_uuid (bsc#1080774).
- btrfs: fix crash due to not cleaning up tree log block's dirty bits (bnc#1012382).
- btrfs: fix deadlock in run_delalloc_nocow (bnc#1012382).
- btrfs: fix deadlock when writing out space cache (bnc#1012382).
- btrfs: Fix possible off-by-one in btrfs_search_path_in_tree (bnc#1012382).
- btrfs: Fix quota reservation leak on preallocated files (bsc#1079989).
- btrfs: fix unexpected -EEXIST when creating new inode (bnc#1012382).
- btrfs: Handle btrfs_set_extent_delalloc failure in fixup worker (bnc#1012382).
- can: flex_can: Correct the checking for frame length in flexcan_start_xmit() (bnc#1012382).
- cdrom: turn off autoclose by default (bsc#1080813).
- ceph: fix incorrect snaprealm when adding caps (bsc#1081735).
- ceph: fix un-balanced fsc->writeback_count update (bsc#1081735).
- cfg80211: check dev_set_name() return value (bnc#1012382).
- cfg80211: fix cfg80211_beacon_dup (bnc#1012382).
- cifs: dump IPC tcon in debug proc file (bsc#1071306).
- cifs: Fix autonegotiate security settings mismatch (bnc#1012382).
- cifs: Fix missing put_xid in cifs_file_strict_mmap (bnc#1012382).
- cifs: make IPC a regular tcon (bsc#1071306).
- cifs: use tcon_ipc instead of use_ipc parameter of SMB2_ioctl (bsc#1071306).
- cifs: zero sensitive data when freeing (bnc#1012382).
- clk: fix a panic error caused by accessing NULL pointer (bnc#1012382).
- console/dummy: leave .con_font_get set to NULL (bnc#1012382).
- cpufreq: Add Loongson machine dependencies (bnc#1012382).
- crypto: aesni - handle zero length dst buffer (bnc#1012382).
- crypto: af_alg - whitelist mask and type (bnc#1012382).
- crypto: caam - fix endless loop when DECO acquire fails (bnc#1012382).
- crypto: cryptd - pass through absence of ->setkey() (bnc#1012382).
- crypto: hash - introduce crypto_hash_alg_has_setkey() (bnc#1012382).
- crypto: poly1305 - remove ->setkey() method (bnc#1012382).
- crypto: s5p-sss - Fix kernel Oops in AES-ECB mode (bnc#1012382).
- crypto: tcrypt - fix S/G table for test_aead_speed() (bnc#1012382). (bnc#1012382).
- crypto: x86/twofish-3way - Fix %rbp usage (bnc#1012382).
- cw1200: fix bogus maybe-uninitialized warning (bnc#1012382).
- dccp: limit sk_filter trim to payload (bsc#1042286).
- dell-wmi, dell-laptop: depends DMI (bnc#1012382).
- direct-io: Fix sleep in atomic due to sync AIO (bsc#1084888).
- dlm: fix double list_del() (bsc#1082795).
- dlm: fix NULL pointer dereference in send_to_sock() (bsc#1082795).
- dmaengine: at_hdmac: fix potential NULL pointer dereference in atc_prep_dma_interleaved (bnc#1012382).
- dmaengine: dmatest: fix container_of member in dmatest_callback (bnc#1012382).
- dmaengine: ioat: Fix error handling path (bnc#1012382).
- dmaengine: jz4740: disable/unprepare clk if probe fails (bnc#1012382).
- dmaengine: zx: fix build warning (bnc#1012382).
- dm: correctly handle chained bios in dec_pending() (bnc#1012382).
- dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock (bnc#1012382).
- do not put symlink bodies in pagecache into highmem (bnc#1012382).
- dpt_i2o: fix build warning (bnc#1012382).
- driver-core: use 'dev' argument in dev_dbg_ratelimited stub (bnc#1012382).
- drivers: hv: balloon: Correctly update onlined page count (fate#315887, bsc#1082632).
- drivers: hv: balloon: Initialize last_post_time on startup (fate#315887, bsc#1082632).
- drivers: hv: balloon: Show the max dynamic memory assigned (fate#315887, bsc#1082632).
- drivers: hv: kvp: Use MAX_ADAPTER_ID_SIZE for translating adapter id (fate#315887, bsc#1082632).
- drivers: hv: Turn off write permission on the hypercall page (fate#315887, bsc#1082632).
- drivers: hv: vmbus: Fix rescind handling (fate#315887, bsc#1082632).
- drivers: hv: vmbus: Fix rescind handling issues (fate#315887, bsc#1082632).
- drivers/net: fix eisa_driver probe section mismatch (bnc#1012382).
- drm/amdgpu: Avoid leaking PM domain on driver unbind (v2) (bnc#1012382).
- drm/amdgpu: Fix SDMA load/unload sequence on HWS disabled mode (bnc#1012382).
- drm/amdkfd: Fix SDMA oversubsription handling (bnc#1012382).
- drm/amdkfd: Fix SDMA ring buffer size calculation (bnc#1012382).
- drm/armada: fix leak of crtc structure (bnc#1012382).
- drm/edid: Add 6 bpc quirk for CPT panel in Asus UX303LA (bnc#1012382).
- drm/gma500: remove helper function (bnc#1012382).
- drm/gma500: Sanity-check pipe index (bnc#1012382).
- drm/nouveau: hide gcc-4.9 -Wmaybe-uninitialized (bnc#1012382).
- drm/nouveau/pci: do a msi rearm on init (bnc#1012382).
- drm/radeon: adjust tested variable (bnc#1012382).
- drm: rcar-du: Fix race condition when disabling planes at CRTC stop (bnc#1012382).
- drm: rcar-du: Use the VBK interrupt for vblank events (bnc#1012382).
- drm: Require __GFP_NOFAIL for the legacy drm_modeset_lock_all (bnc#1012382).
- drm/ttm: check the return value of kzalloc (bnc#1012382).
- drm/vmwgfx: use *_32_bits() macros (bnc#1012382).
- Drop SUSE-specific qla2xxx patches (bsc#1043726)
- e1000: fix disabling already-disabled warning (bnc#1012382).
- edac, octeon: Fix an uninitialized variable warning (bnc#1012382).
- em28xx: only use mt9v011 if camera support is enabled (bnc#1012382).
- enable DST_CACHE in non-vanilla configs except s390x/zfcpdump
- ext4: correct documentation for grpid mount option (bnc#1012382).
- ext4: do not unnecessarily allocate buffer in recently_deleted() (bsc#1080344).
- ext4: Fix data exposure after failed AIO DIO (bsc#1069135 bsc#1082864).
- ext4: save error to disk in __ext4_grp_locked_error() (bnc#1012382).
- f2fs: fix a bug caused by NULL extent tree (bsc#1082478). Does not affect SLE release but should be merged into leap updates
- fbdev: auo_k190x: avoid unused function warnings (bnc#1012382).
- fbdev: s6e8ax0: avoid unused function warnings (bnc#1012382).
- fbdev: sis: enforce selection of at least one backend (bnc#1012382).
- fbdev: sm712fb: avoid unused function warnings (bnc#1012382).
- fs: Avoid invalidation in interrupt context in dio_complete() (bsc#1073407 bsc#1069135).
- fs: Fix page cache inconsistency when mixing buffered and AIO DIO (bsc#1073407 bsc#1069135).
- fs: invalidate page cache after end_io() in dio completion (bsc#1073407 bsc#1069135).
- ftrace: Remove incorrect setting of glob search field (bnc#1012382).
- geneve: fix populating tclass in geneve_get_v6_dst (bsc#1042286).
- genirq/msi: Add stubs for get_cached_msi_msg/pci_write_msi_msg (bnc#1012382).
- genirq/msi: Fix populating multiple interrupts (bsc#1085047).
- genirq: Restore trigger settings in irq_modify_status() (bsc#1085056).
- genksyms: Fix segfault with invalid declarations (bnc#1012382).
- gianfar: fix a flooded alignment reports because of padding issue (bnc#1012382).
- go7007: add MEDIA_CAMERA_SUPPORT dependency (bnc#1012382).
- gpio: ath79: add missing MODULE_DESCRIPTION/LICENSE (bnc#1012382).
- gpio: intel-mid: Fix build warning when !CONFIG_PM (bnc#1012382).
- gpio: iop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE (bnc#1012382).
- gpio: xgene: mark PM functions as __maybe_unused (bnc#1012382).
- grace: replace BUG_ON by WARN_ONCE in exit_net hook (bnc#1012382).
- gre: build header correctly for collect metadata tunnels (bsc#1042286).
- gre: do not assign header_ops in collect metadata mode (bsc#1042286).
- gre: do not keep the GRE header around in collect medata mode (bsc#1042286).
- gre: reject GUE and FOU in collect metadata mode (bsc#1042286).
- hdpvr: hide unused variable (bnc#1012382).
- hid: quirks: Fix keyboard + touchpad on Toshiba Click Mini not working (bnc#1012382).
- hippi: Fix a Fix a possible sleep-in-atomic bug in rr_close (bnc#1012382).
- hrtimer: Ensure POSIX compliance (relative CLOCK_REALTIME hrtimers) (bnc#1012382).
- hv_netvsc: Add ethtool handler to set and get TCP hash levels (fate#315887, bsc#1082632).
- hv_netvsc: Add ethtool handler to set and get UDP hash levels (fate#315887, bsc#1082632).
- hv_netvsc: Add initialization of tx_table in netvsc_device_add() (fate#315887, bsc#1082632).
- hv_netvsc: Change the hash level variable to bit flags (fate#315887, bsc#1082632).
- hv_netvsc: Clean up an unused parameter in rndis_filter_set_rss_param() (fate#315887, bsc#1082632).
- hv_netvsc: Clean up unused parameter from netvsc_get_hash() (fate#315887, bsc#1082632).
- hv_netvsc: Clean up unused parameter from netvsc_get_rss_hash_opts() (fate#315887, bsc#1082632).
- hv_netvsc: copy_to_send buf can be void (fate#315887, bsc#1082632).
- hv_netvsc: do not need local xmit_more (fate#315887, bsc#1082632).
- hv_netvsc: drop unused macros (fate#315887, bsc#1082632).
- hv_netvsc: empty current transmit aggregation if flow blocked (fate#315887, bsc#1082632).
- hv_netvsc: Fix rndis_filter_close error during netvsc_remove (fate#315887, bsc#1082632).
- hv_netvsc: fix send buffer failure on MTU change (fate#315887, bsc#1082632).
- hv_netvsc: Fix the channel limit in netvsc_set_rxfh() (fate#315887, bsc#1082632).
- hv_netvsc: Fix the real number of queues of non-vRSS cases (fate#315887, bsc#1082632).
- hv_netvsc: Fix the receive buffer size limit (fate#315887, bsc#1082632).
- hv_netvsc: Fix the TX/RX buffer default sizes (fate#315887, bsc#1082632).
- hv_netvsc: hide warnings about uninitialized/missing rndis device (fate#315887, bsc#1082632).
- hv_netvsc: make const array ver_list static, reduces object code size (fate#315887, bsc#1082632).
- hv_netvsc: optimize initialization of RNDIS header (fate#315887, bsc#1082632).
- hv_netvsc: pass netvsc_device to receive callback (fate#315887, bsc#1082632).
- hv_netvsc: remove open_cnt reference count (fate#315887, bsc#1082632).
- hv_netvsc: Rename ind_table to rx_table (fate#315887, bsc#1082632).
- hv_netvsc: Rename tx_send_table to tx_table (fate#315887, bsc#1082632).
- hv_netvsc: replace divide with mask when computing padding (fate#315887, bsc#1082632).
- hv_netvsc: report stop_queue and wake_queue (fate#315887, bsc#1082632).
- hv_netvsc: simplify function args in receive status path (fate#315887, bsc#1082632).
- hv_netvsc: Simplify the limit check in netvsc_set_channels() (fate#315887, bsc#1082632).
- hv_netvsc: track memory allocation failures in ethtool stats (fate#315887, bsc#1082632).
- hv: preserve kabi by keeping hv_do_hypercall (bnc#1082632).
- hwmon: (pmbus) Use 64bit math for DIRECT format values (bnc#1012382).
- hwrng: exynos - use __maybe_unused to hide pm functions (bnc#1012382).
- hyper-v: trace vmbus_ongpadl_created() (fate#315887, bsc#1082632).
- hyper-v: trace vmbus_ongpadl_torndown() (fate#315887, bsc#1082632).
- hyper-v: trace vmbus_on_message() (fate#315887, bsc#1082632).
- hyper-v: trace vmbus_on_msg_dpc() (fate#315887, bsc#1082632).
- hyper-v: trace vmbus_onoffer() (fate#315887, bsc#1082632).
- hyper-v: trace vmbus_onoffer_rescind() (fate#315887, bsc#1082632).
- hyper-v: trace vmbus_onopen_result() (fate#315887, bsc#1082632).
- hyper-v: trace vmbus_onversion_response() (fate#315887, bsc#1082632).
- hyper-v: Use fast hypercall for HVCALL_SIGNAL_EVENT (fate#315887, bsc#1082632).
- i2c: remove __init from i2c_register_board_info() (bnc#1012382).
- i40iw: Correct Q1/XF object count equation (bsc#969476 FATE#319648 bsc#969477 FATE#319816).
- i40iw: Fix sequence number for the first partial FPDU (bsc#969476 FATE#319648 bsc#969477 FATE#319816).
- i40iw: Fix the connection ORD value for loopback (bsc#969476 FATE#319648 bsc#969477 FATE#319816).
- i40iw: Remove limit on re-posting AEQ entries to HW (bsc#969476 FATE#319648 bsc#969477 FATE#319816).
- i40iw: Selectively teardown QPs on IP addr change event (bsc#1024376 FATE#321249).
- i40iw: Validate correct IRD/ORD connection parameters (bsc#969476 FATE#319648 bsc#969477 FATE#319816).
- ib/hfi1: Fix for potential refcount leak in hfi1_open_file() (FATE#321231 FATE#321473).
- ib/iser: Handle lack of memory management extentions correctly (bsc#1082979).
- ib/mlx4: Fix incorrectly releasing steerable UD QPs when have only ETH ports (bnc#1012382).
- ib/mlx4: Fix mlx4_ib_alloc_mr error flow (bnc#1012382).
- ibmvnic: Account for VLAN header length in TX buffers (bsc#1085239).
- ibmvnic: Account for VLAN tag in L2 Header descriptor (bsc#1085239).
- ibmvnic: Allocate max queues stats buffers (bsc#1081498).
- ibmvnic: Allocate statistics buffers during probe (bsc#1082993).
- ibmvnic: Check for NULL skb's in NAPI poll routine (bsc#1081134, git-fixes).
- ibmvnic: Clean RX pool buffers during device close (bsc#1081134).
- ibmvnic: Clean up device close (bsc#1084610).
- ibmvnic: Correct goto target for tx irq initialization failure (bsc#1082223).
- ibmvnic: Do not attempt to login if RX or TX queues are not allocated (bsc#1082993).
- ibmvnic: Do not disable device during failover or partition migration (bsc#1084610).
- ibmvnic: Ensure that buffers are NULL after free (bsc#1080014).
- ibmvnic: Fix early release of login buffer (bsc#1081134, git-fixes).
- ibmvnic: fix empty firmware version and errors cleanup (bsc#1079038).
- ibmvnic: fix firmware version when no firmware level has been provided by the VIOS server (bsc#1079038).
- ibmvnic: Fix login buffer memory leaks (bsc#1081134).
- ibmvnic: Fix NAPI structures memory leak (bsc#1081134).
- ibmvnic: Fix recent errata commit (bsc#1085239).
- ibmvnic: Fix rx queue cleanup for non-fatal resets (bsc#1080014).
- ibmvnic: Fix TX descriptor tracking again (bsc#1082993).
- ibmvnic: Fix TX descriptor tracking (bsc#1081491).
- ibmvnic: Free and re-allocate scrqs when tx/rx scrqs change (bsc#1081498).
- ibmvnic: Free RX socket buffer in case of adapter error (bsc#1081134).
- ibmvnic: Generalize TX pool structure (bsc#1085224).
- ibmvnic: Handle TSO backing device errata (bsc#1085239).
- ibmvnic: Harden TX/RX pool cleaning (bsc#1082993).
- ibmvnic: Improve TX buffer accounting (bsc#1085224).
- ibmvnic: Keep track of supplementary TX descriptors (bsc#1081491).
- ibmvnic: Make napi usage dynamic (bsc#1081498).
- ibmvnic: Move active sub-crq count settings (bsc#1081498).
- ibmvnic: Pad small packets to minimum MTU size (bsc#1085239).
- ibmvnic: queue reset when CRQ gets closed during reset (bsc#1080263).
- ibmvnic: Remove skb->protocol checks in ibmvnic_xmit (bsc#1080384).
- ibmvnic: Rename active queue count variables (bsc#1081498).
- ibmvnic: Reorganize device close (bsc#1084610).
- ibmvnic: Report queue stops and restarts as debug output (bsc#1082993).
- ibmvnic: Reset long term map ID counter (bsc#1080364).
- ibmvnic: Split counters for scrq/pools/napi (bsc#1082223).
- ibmvnic: Update and clean up reset TX pool routine (bsc#1085224).
- ibmvnic: Update release RX pool routine (bsc#1085224).
- ibmvnic: Update TX and TX completion routines (bsc#1085224).
- ibmvnic: Update TX pool initialization routine (bsc#1085224).
- ibmvnic: Wait until reset is complete to set carrier on (bsc#1081134).
- ib/qib: Fix comparison error with qperf compare/swap test (FATE#321231 FATE#321473).
- ib/srpt: Remove an unused structure member (bsc#1082979).
- idle: i7300: add PCI dependency (bnc#1012382).
- igb: Free IRQs when device is hotplugged (bnc#1012382).
- iio: adc: axp288: remove redundant duplicate const on axp288_adc_channels (bnc#1012382).
- iio: adis_lib: Initialize trigger before requesting interrupt (bnc#1012382).
- iio: buffer: check if a buffer has been set up when poll is called (bnc#1012382).
- input: tca8418_keypad - hide gcc-4.9 -Wmaybe-uninitialized warning (bnc#1012382).
- input: tca8418_keypad - remove double read of key event register (git-fixes).
- iommu/amd: Add align parameter to alloc_irq_index() (bsc#975772).
- iommu/amd: Enforce alignment for MSI IRQs (bsc#975772).
- iommu/amd: Fix alloc_irq_index() increment (bsc#975772).
- iommu/amd: Limit the IOVA page range to the specified addresses (fate#321026).
- iommu/arm-smmu-v3: Cope with duplicated Stream IDs (bsc#1084926).
- iommu/iova: Fix underflow bug in __alloc_and_insert_iova_range (bsc#1084928).
- iommu/vt-d: Use domain instead of cache fetching (bsc#975772).
- ip6mr: fix stale iterator (bnc#1012382).
- ipc/msg: introduce msgctl(MSG_STAT_ANY) (bsc#1072689).
- ipc/sem: introduce semctl(SEM_STAT_ANY) (bsc#1072689).
- ipc/shm: introduce shmctl(SHM_STAT_ANY) (bsc#1072689).
- ip_tunnel: fix preempt warning in ip tunnel creation/updating (bnc#1012382).
- ip_tunnel: replace dst_cache with generic implementation (bnc#1012382).
- ipv4: allow local fragmentation in ip_finish_output_gso() (bsc#1042286).
- ipv4: fix checksum annotation in udp4_csum_init (bsc#1042286).
- ipv4: ipconfig: avoid unused ic_proto_used symbol (bnc#1012382).
- ipv4: update comment to document GSO fragmentation cases (bsc#1042286).
- ipv6: datagram: Refactor dst lookup and update codes to a new function (bsc#1042286).
- ipv6: datagram: Refactor flowi6 init codes to a new function (bsc#1042286).
- ipv6: datagram: Update dst cache of a connected datagram sk during pmtu update (bsc#1042286).
- ipv6: fix checksum annotation in udp6_csum_init (bsc#1042286).
- ipv6: icmp6: Allow icmp messages to be looped back (bnc#1012382).
- ipv6/ila: fix nlsize calculation for lwtunnel (bsc#1042286).
- ipv6: remove unused in6_addr struct (bsc#1042286).
- ipv6: tcp: fix endianness annotation in tcp_v6_send_response (bsc#1042286).
- ipv6: udp: Do a route lookup and update during release_cb (bsc#1042286).
- ipvlan: Add the skb->mark as flow4's member to lookup route (bnc#1012382).
- ipvlan: fix multicast processing (bsc#1042286).
- ipvlan: fix various issues in ipvlan_process_multicast() (bsc#1042286).
- irqchip/gic-v3: Use wmb() instead of smb_wmb() in gic_raise_softirq() (bnc#1012382).
- isdn: eicon: reduce stack size of sig_ind function (bnc#1012382).
- isdn: icn: remove a #warning (bnc#1012382).
- isdn: sc: work around type mismatch warning (bnc#1012382).
- jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path (git-fixes).
- kABI: protect struct cpuinfo_x86 (kabi).
- kABI: protect struct ethtool_link_settings (bsc#1085050).
- kABI: protect struct ip_tunnel and reintroduce ip_tunnel_dst_reset_all (kabi).
- kABI: reintroduce crypto_poly1305_setkey (kabi).
- kabi: restore kabi after 'net: replace dst_cache ip6_tunnel implementation with the generic one' (bsc#1082897).
- kabi: restore nft_set_elem_destroy() signature (bsc#1042286).
- kabi: restore rhashtable_insert_slow() signature (bsc#1042286).
- kabi/severities: add sclp to KABI ignore list
- kabi/severities: add __x86_indirect_thunk_rsp
- kabi/severities: as per bsc#1068569 we can ignore XFS kabi The gods have spoken, let there be light.
- kabi/severities: Ignore kvm for KABI severities
- kabi: uninline sk_receive_skb() (bsc#1042286).
- kaiser: fix compile error without vsyscall (bnc#1012382).
- kaiser: fix intel_bts perf crashes (bnc#1012382).
- kasan: rework Kconfig settings (bnc#1012382).
- kernel/async.c: revert 'async: simplify lowest_in_progress()' (bnc#1012382).
- kernel: fix rwlock implementation (bnc#1079886, LTC#164371).
- kernfs: fix regression in kernfs_fop_write caused by wrong type (bnc#1012382).
- keys: encrypted: fix buffer overread in valid_master_desc() (bnc#1012382).
- kmemleak: add scheduling point to kmemleak_scan() (bnc#1012382).
- kvm: add X86_LOCAL_APIC dependency (bnc#1012382).
- kvm: ARM64: fix phy counter access failure in guest (bsc#1085015).
- kvm: arm/arm64: Check pagesize when allocating a hugepage at Stage 2 (bsc#1079029).
- kvm: nVMX: Fix kernel panics induced by illegal INVEPT/INVVPID types (bnc#1012382).
- kvm: nVMX: Fix races when sending nested PI while dest enters/leaves L2 (bnc#1012382).
- kvm: nVMX: invvpid handling improvements (bnc#1012382).
- kvm: nVMX: kmap() can't fail (bnc#1012382).
- kvm: nVMX: vmx_complete_nested_posted_interrupt() can't fail (bnc#1012382).
- kvm: PPC: Book3S PR: Fix svcpu copying with preemption enabled (bsc#1066223).
- kvm: s390: Add operation exception interception handler (FATE#324070, LTC#158959).
- kvm: s390: Add sthyi emulation (FATE#324070, LTC#158959).
- kvm: s390: Enable all facility bits that are known good for passthrough (FATE#324071, LTC#158956).
- kvm: s390: Extend diag 204 fields (FATE#324070, LTC#158959).
- kvm: s390: Fix STHYI buffer alignment for diag224 (FATE#324070, LTC#158959).
- kvm: s390: instruction-execution-protection support (LTC#162428).
- kvm: s390: Introduce BCD Vector Instructions to the guest (FATE#324072, LTC#158953).
- kvm: s390: Introduce Vector Enhancements facility 1 to the guest (FATE#324072, LTC#158953).
- kvm: s390: Limit sthyi execution (FATE#324070, LTC#158959).
- kvm: s390: Populate mask of non-hypervisor managed facility bits (FATE#324071, LTC#158956).
- kvm: VMX: clean up declaration of VPID/EPT invalidation types (bnc#1012382).
- kvm: VMX: Fix rflags cache during vCPU reset (bnc#1012382).
- kvm: VMX: Make indirect call speculation safe (bnc#1012382).
- kvm: x86: Do not re-execute instruction when not passing CR2 value (bnc#1012382).
- kvm: x86: emulator: Return to user-mode on L1 CPL=0 emulation failure (bnc#1012382).
- kvm: x86: fix escape of guest dr6 to the host (bnc#1012382).
- kvm: X86: Fix operand/address-size during instruction decoding (bnc#1012382).
- kvm: x86: ioapic: Clear Remote IRR when entry is switched to edge-triggered (bnc#1012382).
- kvm: x86: ioapic: Fix level-triggered EOI and IOAPIC reconfigure race (bnc#1012382).
- kvm: x86: ioapic: Preserve read-only values in the redirection table (bnc#1012382).
- kvm: x86: Make indirect calls in emulator speculation safe (bnc#1012382).
- kvm/x86: Reduce retpoline performance impact in slot_handle_level_range(), by always inlining iterator helper methods (bnc#1012382).
- l2tp: fix use-after-free during module unload (bsc#1042286).
- led: core: Fix brightness setting when setting delay_off=0 (bnc#1012382).
- leds: do not overflow sysfs buffer in led_trigger_show (bsc#1080464).
- libceph: check kstrndup() return value (bsc#1081735).
- lib/mpi: Fix umul_ppmm() for MIPS64r6 (bnc#1012382).
- lib/uuid.c: introduce a few more generic helpers (fate#315887, bsc#1082632).
- lib/uuid.c: use correct offset in uuid parser (fate#315887, bsc#1082632).
- livepatch: introduce shadow variable API (bsc#1082299 fate#313296). Shadow variables support.
- livepatch: __kgr_shadow_get_or_alloc() is local to shadow.c (bsc#1082299 fate#313296). Shadow variables support.
- lockd: fix 'list_add double add' caused by legacy signal interface (bnc#1012382).
- loop: fix concurrent lo_open/lo_release (bnc#1012382).
- mac80211: fix the update of path metric for RANN frame (bnc#1012382).
- mac80211: mesh: drop frames appearing to be from us (bnc#1012382).
- Make DST_CACHE a silent config option (bnc#1012382).
- mdio-sun4i: Fix a memory leak (bnc#1012382).
- md/raid1: Use a new variable to count flighting sync requests(bsc#1083048)
- media: cxusb, dib0700: ignore XC2028_I2C_FLUSH (bnc#1012382).
- media: dvb-usb-v2: lmedm04: Improve logic checking of warm start (bnc#1012382).
- media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner (bnc#1012382).
- media: r820t: fix r820t_write_reg for KASAN (bnc#1012382).
- media: s5k6aa: describe some function parameters (bnc#1012382).
- media: soc_camera: soc_scale_crop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE (bnc#1012382).
- media: ts2020: avoid integer overflows on 32 bit machines (bnc#1012382).
- media: usbtv: add a new usbid (bnc#1012382).
- media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF (bnc#1012382).
- media: v4l2-compat-ioctl32.c: avoid sizeof(type) (bnc#1012382).
- media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32 (bnc#1012382).
- media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32 (bnc#1012382).
- media: v4l2-compat-ioctl32.c: do not copy back the result for certain errors (bnc#1012382).
- media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type (bnc#1012382).
- media: v4l2-compat-ioctl32.c: fix ctrl_is_pointer (bnc#1012382).
- media: v4l2-compat-ioctl32.c: fix the indentation (bnc#1012382).
- media: v4l2-compat-ioctl32.c: make ctrl_is_pointer work for subdevs (bnc#1012382).
- media: v4l2-compat-ioctl32.c: move 'helper' functions to __get/put_v4l2_format32 (bnc#1012382).
- media: v4l2-compat-ioctl32: Copy v4l2_window->global_alpha (bnc#1012382).
- media: v4l2-compat-ioctl32.c: refactor compat ioctl32 logic (bnc#1012382).
- media: v4l2-ioctl.c: do not copy back the result for -ENOTTY (bnc#1012382).
- mmc: bcm2835: Do not overwrite max frequency unconditionally (bsc#983145, git-fixes).
- mm/early_ioremap: Fix boot hang with earlyprintk=efi,keep (bnc#1012382).
- mm: hide a #warning for COMPILE_TEST (bnc#1012382).
- mm/kmemleak.c: make cond_resched() rate-limiting more efficient (git-fixes).
- mm: pin address_space before dereferencing it while isolating an LRU page (bnc#1081500).
- mm,vmscan: Make unregister_shrinker() no-op if register_shrinker() failed (bnc#1012382).
- mn10300/misalignment: Use SIGSEGV SEGV_MAPERR to report a failed user copy (bnc#1012382).
- modsign: hide openssl output in silent builds (bnc#1012382).
- module/retpoline: Warn about missing retpoline in module (bnc#1012382).
- mpt3sas: Do not mark fw_event workqueue as WQ_MEM_RECLAIM (bsc#1078583).
- mptfusion: hide unused seq_mpt_print_ioc_summary function (bnc#1012382).
- mtd: cfi: convert inline functions to macros (bnc#1012382).
- mtd: cfi: enforce valid geometry configuration (bnc#1012382).
- mtd: ichxrom: maybe-uninitialized with gcc-4.9 (bnc#1012382).
- mtd: maps: add __init attribute (bnc#1012382).
- mtd: nand: brcmnand: Disable prefetch by default (bnc#1012382).
- mtd: nand: denali_pci: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE (bnc#1012382).
- mtd: nand: Fix nand_do_read_oob() return value (bnc#1012382).
- mtd: nand: gpmi: Fix failure when a erased page has a bitflip at BBM (bnc#1012382).
- mtd: nand: sunxi: Fix ECC strength choice (bnc#1012382).
- mtd: sh_flctl: pass FIFO as physical address (bnc#1012382).
- mvpp2: fix multicast address filter (bnc#1012382).
- ncpfs: fix unused variable warning (bnc#1012382).
- ncr5380: shut up gcc indentation warning (bnc#1012382).
- net: add dst_cache support (bnc#1012382).
- net: arc_emac: fix arc_emac_rx() error paths (bnc#1012382).
- net: avoid skb_warn_bad_offload on IS_ERR (bnc#1012382).
- net: cdc_ncm: initialize drvflags before usage (bnc#1012382).
- net: dst_cache_per_cpu_dst_set() can be static (bnc#1012382).
- net: ena: add detection and recovery mechanism for handling missed/misrouted MSI-X (bsc#1083548).
- net: ena: add new admin define for future support of IPv6 RSS (bsc#1083548).
- net: ena: add power management ops to the ENA driver (bsc#1083548).
- net: ena: add statistics for missed tx packets (bsc#1083548).
- net: ena: fix error handling in ena_down() sequence (bsc#1083548).
- net: ena: fix race condition between device reset and link up setup (bsc#1083548).
- net: ena: fix rare kernel crash when bar memory remap fails (bsc#1083548).
- net: ena: fix wrong max Tx/Rx queues on ethtool (bsc#1083548).
- net: ena: improve ENA driver boot time (bsc#1083548).
- net: ena: increase ena driver version to 1.3.0 (bsc#1083548).
- net: ena: increase ena driver version to 1.5.0 (bsc#1083548).
- net: ena: reduce the severity of some printouts (bsc#1083548).
- net: ena: remove legacy suspend suspend/resume support (bsc#1083548).
- net: ena: Remove redundant unlikely() (bsc#1083548).
- net: ena: unmask MSI-X only after device initialization is completed (bsc#1083548).
- net: ethernet: cavium: Correct Cavium Thunderx NIC driver names accordingly to module name (bsc#1085011).
- net: ethernet: xilinx: Mark XILINX_LL_TEMAC broken on 64-bit (bnc#1012382).
- net: ethtool: Add back transceiver type (bsc#1085050).
- net: ethtool: remove error check for legacy setting transceiver type (bsc#1085050).
- netfilter: drop outermost socket lock in getsockopt() (bnc#1012382).
- netfilter: ebtables: CONFIG_COMPAT: do not trust userland offsets (bsc#1085107).
- netfilter: ebtables: fix erroneous reject of last rule (bsc#1085107).
- netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check() (bnc#1012382).
- netfilter: ipvs: avoid unused variable warnings (bnc#1012382).
- netfilter: nf_queue: Make the queue_handler pernet (bnc#1012382).
- netfilter: nf_tables: fix a wrong check to skip the inactive rules (bsc#1042286).
- netfilter: nf_tables: fix inconsistent element expiration calculation (bsc#1042286).
- netfilter: nf_tables: fix *leak* when expr clone fail (bsc#1042286).
- netfilter: nf_tables: fix race when create new element in dynset (bsc#1042286).
- netfilter: on sockopt() acquire sock lock only in the required scope (bnc#1012382).
- netfilter: tee: select NF_DUP_IPV6 unconditionally (bsc#1042286).
- netfilter: x_tables: avoid out-of-bounds reads in xt_request_find_{match|target} (bnc#1012382).
- netfilter: x_tables: fix int overflow in xt_alloc_table_info() (bnc#1012382).
- netfilter: xt_RATEEST: acquire xt_rateest_mutex for hash insert (bnc#1012382).
- netfilter: xt_socket: fix transparent match for IPv6 request sockets (bsc#1042286).
- net: gianfar_ptp: move set_fipers() to spinlock protecting area (bnc#1012382).
- net: hns: add ACPI mode support for ethtool -p (bsc#1084041).
- net: hp100: remove unnecessary #ifdefs (bnc#1012382).
- net: igmp: add a missing rcu locking section (bnc#1012382).
- net/ipv4: Introduce IPSKB_FRAG_SEGS bit to inet_skb_parm.flags (bsc#1042286).
- netlink: fix nla_put_{u8,u16,u32} for KASAN (bnc#1012382).
- net/mlx5e: Fix loopback self test when GRO is off (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5e: Fix wrong delay calculation for overflow check scheduling (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- net/mlx5e: Verify inline header size do not exceed SKB linear size (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5: Use 128B cacheline size for 128B or larger cachelines (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net: phy: Keep reporting transceiver type (bsc#1085050).
- net: replace dst_cache ip6_tunnel implementation with the generic one (bnc#1012382).
- net_sched: red: Avoid devision by zero (bnc#1012382).
- net_sched: red: Avoid illegal values (bnc#1012382).
- net/smc: fix NULL pointer dereference on sock_create_kern() error path (bsc#1082979).
- netvsc: allow controlling send/recv buffer size (fate#315887, bsc#1082632).
- netvsc: allow driver to be removed even if VF is present (fate#315887, bsc#1082632).
- netvsc: check error return when restoring channels and mtu (fate#315887, bsc#1082632).
- netvsc: cleanup datapath switch (fate#315887, bsc#1082632).
- netvsc: do not signal host twice if empty (fate#315887, bsc#1082632).
- netvsc: fix deadlock betwen link status and removal (fate#315887, bsc#1082632).
- netvsc: increase default receive buffer size (fate#315887, bsc#1082632).
- netvsc: keep track of some non-fatal overload conditions (fate#315887, bsc#1082632).
- netvsc: no need to allocate send/receive on numa node (fate#315887, bsc#1082632).
- netvsc: propagate MAC address change to VF slave (fate#315887, bsc#1082632).
- netvsc: remove unnecessary cast of void pointer (fate#315887, bsc#1082632).
- netvsc: remove unnecessary check for NULL hdr (fate#315887, bsc#1082632).
- netvsc: whitespace cleanup (fate#315887, bsc#1082632).
- net: vxlan: lwt: Fix vxlan local traffic (bsc#1042286).
- net: vxlan: lwt: Use source ip address during route lookup (bsc#1042286).
- nfs: Add a cond_resched() to nfs_commit_release_pages() (bsc#1077779).
- nfs: commit direct writes even if they fail partially (bnc#1012382).
- nfsd: check for use of the closed special stateid (bnc#1012382).
- nfsd: CLOSE SHOULD return the invalid special stateid for NFSv4.x (x>0) (bnc#1012382).
- nfsd: Ensure we check stateid validity in the seqid operation checks (bnc#1012382).
- nfs: Do not convert nfs_idmap_cache_timeout to jiffies (git-fixes).
- nfs: fix a deadlock in nfs client initialization (bsc#1074198).
- nfs/pnfs: fix nfs_direct_req ref leak when i/o falls back to the mds (bnc#1012382).
- nfs: reject request for id_legacy key without auxdata (bnc#1012382).
- nfs: Trunking detection should handle ERESTARTSYS/EINTR (bsc#1074198).
- nvme_fc: cleanup io completion (bsc#1079609).
- nvme_fc: correct abort race condition on resets (bsc#1079609).
- nvme_fc: fix abort race on teardown with lld reject (bsc#1083750).
- nvme_fc: fix ctrl create failures racing with workq items (bsc#1076982).
- nvme_fc: io timeout should defer abort to ctrl reset (bsc#1085054).
- nvme-fc: kick admin requeue list on disconnect (bsc#1077241).
- nvme-fc: merge error on sles12sp3 for reset_work (bsc#1079195).
- nvme_fc: minor fixes on sqsize (bsc#1076760).
- nvme_fc: on remoteport reuse, set new nport_id and role (bsc#1076760).
- nvme_fc: rework sqsize handling (bsc#1076760).
- nvme: Fix managing degraded controllers (bnc#1012382).
- nvme: Fix setting logical block format when revalidating (bsc#1079313).
- nvme: only start KATO if the controller is live (bsc#1083387).
- nvme-pci: clean up CMB initialization (bsc#1082979).
- nvme-pci: clean up SMBSZ bit definitions (bsc#1082979).
- nvme-pci: consistencly use ctrl->device for logging (bsc#1082979).
- nvme-pci: fix typos in comments (bsc#1082979).
- nvme-pci: Remap CMB SQ entries on every controller reset (bsc#1082979).
- nvme-pci: Use PCI bus address for data/queues in CMB (bsc#1082979).
- nvme: Quirks for PM1725 controllers (bsc#1082979).
- nvme_rdma: clear NVME_RDMA_Q_LIVE bit if reconnect fails (bsc#1083770).
- nvme-rdma: fix concurrent reset and reconnect (bsc#1082979).
- nvme: remove nvme_revalidate_ns (bsc#1079313).
- ocfs2: return error when we attempt to access a dirty bh in jbd2 (bsc#1070404).
- openvswitch: fix the incorrect flow action alloc size (bnc#1012382).
- ovl: fix failure to fsync lower dir (bnc#1012382).
- ovs/geneve: fix rtnl notifications on iface deletion (bsc#1042286).
- ovs/gre: fix rtnl notifications on iface deletion (bsc#1042286).
- ovs/gre,geneve: fix error path when creating an iface (bsc#1042286).
- ovs/vxlan: fix rtnl notifications on iface deletion (bsc#1042286).
- pci/ASPM: Do not retrain link if ASPM not possible (bnc#1071892).
- pci: hv: Do not sleep in compose_msi_msg() (fate#315887, bsc#1082632).
- pci: keystone: Fix interrupt-controller-node lookup (bnc#1012382).
- pci/MSI: Fix msi_desc->affinity memory leak when freeing MSI IRQs (bsc#1082979).
- perf bench numa: Fixup discontiguous/sparse numa nodes (bnc#1012382).
- perf top: Fix window dimensions change handling (bnc#1012382).
- perf/x86: Shut up false-positive -Wmaybe-uninitialized warning (bnc#1012382).
- pinctrl: sunxi: Fix A80 interrupt pin bank (bnc#1012382).
- pktcdvd: Fix pkt_setup_dev() error path (bnc#1012382).
- platform/x86: intel_mid_thermal: Fix suspend handlers unused warning (bnc#1012382).
- pm / devfreq: Propagate error from devfreq_add_device() (bnc#1012382).
- pm / wakeirq: Fix unbalanced IRQ enable for wakeirq (bsc#1031717).
- posix-timer: Properly check sigevent->sigev_notify (bnc#1012382).
- power: bq27xxx_battery: mark some symbols __maybe_unused (bnc#1012382).
- powerpc/64: Fix flush_(d|i)cache_range() called from modules (FATE#315275 LTC#103998 bnc#1012382 bnc#863764).
- powerpc/64s: Fix RFI flush dependency on HARDLOCKUP_DETECTOR (bnc#1012382).
- powerpc/64s: Improve RFI L1-D cache flush fallback (bsc#1068032, bsc#1075087).
- powerpc: Do not preempt_disable() in show_cpuinfo() (bsc#1066223).
- powerpc/numa: Ensure nodes initialized for hotplug (FATE#322022, bsc#1081514).
- powerpc/numa: Invalidate numa_cpu_lookup_table on cpu remove (bsc#1081512).
- powerpc/numa: Use ibm,max-associativity-domains to discover possible nodes (FATE#322022, bsc#1081514).
- powerpc/perf: Fix oops when grouping different pmu events (bnc#1012382).
- powerpc/powernv: Fix MCE handler to avoid trashing CR0/CR1 registers (bsc#1066223).
- powerpc/powernv: Move IDLE_STATE_ENTER_SEQ macro to cpuidle.h (bsc#1066223).
- powerpc/powernv: Support firmware disable of RFI flush (bsc#1068032, bsc#1075087).
- powerpc/pseries: Fix cpu hotplug crash with memoryless nodes (FATE#322022, bsc#1081514).
- powerpc/pseries: Support firmware disable of RFI flush (bsc#1068032, bsc#1075087).
- powerpc: Simplify module TOC handling (bnc#1012382).
- power: reset: zx-reboot: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE (bnc#1012382).
- profile: hide unused functions when !CONFIG_PROC_FS (bnc#1012382).
- Provide a function to create a NUL-terminated string from unterminated data (bnc#1012382).
- pwc: hide unused label (bnc#1012382).
- qla2xxx: Add changes for devloss timeout in driver (bsc#1084427).
- qla2xxx: Add FC-NVMe abort processing (bsc#1084427).
- qla2xxx: asynchronous pci probing (bsc#1034503).
- qla2xxx: Cleanup code to improve FC-NVMe error handling (bsc#1084427).
- qla2xxx: Convert QLA_TGT_ABTS to TARGET_SCF_LOOKUP_LUN_FROM_TAG (bsc#1043726,FATE#324770).
- qla2xxx: do not check login_state if no loop id is assigned (bsc#1081681).
- qla2xxx: ensure async flags are reset correctly (bsc#1081681).
- qla2xxx: Fix Async GPN_FT for FCP and FC-NVMe scan (bsc#1084427).
- qla2xxx: Fix FC-NVMe IO abort during driver reset (bsc#1084427).
- qla2xxx: Fix incorrect tcm_qla2xxx_free_cmd use during TMR ABORT (v2) (bsc#1043726,FATE#324770).
- qla2xxx: Fix n2n_ae flag to prevent dev_loss on PDB change (bsc#1084427).
- qla2xxx: Fix NVMe entry_type for iocb packet on BE system (bsc#1043726,FATE#324770).
- qla2xxx: Fix retry for PRLI RJT with reason of BUSY (bsc#1084427).
- qla2xxx: Fixup locking for session deletion (bsc#1081681).
- qla2xxx: Remove nvme_done_list (bsc#1084427).
- qla2xxx: Remove unneeded message and minor cleanup for FC-NVMe (bsc#1084427).
- qla2xxx: remove use of FC-specific error codes (bsc#1043726,FATE#324770).
- qla2xxx: Restore ZIO threshold setting (bsc#1084427).
- qla2xxx: Return busy if rport going away (bsc#1084427).
- qla2xxx: Set IIDMA and fcport state before qla_nvme_register_remote() (bsc#1084427).
- qla2xxx: Update driver version to 10.00.00.06-k (bsc#1084427).
- qlcnic: fix deadlock bug (bnc#1012382).
- r8169: fix RTL8168EP take too long to complete driver initialization (bnc#1012382).
- rdma/cma: Make sure that PSN is not over max allowed (bnc#1012382).
- rdma/uverbs: Protect from command mask overflow (bsc#1082979).
- reiserfs: avoid a -Wmaybe-uninitialized warning (bnc#1012382).
- Revert 'Bluetooth: btusb: fix QCA Rome suspend/resume' (bnc#1012382).
- Revert 'bpf: avoid false sharing of map refcount with max_entries' (kabi).
- Revert 'netfilter: nf_queue: Make the queue_handler pernet' (kabi).
- Revert 'net: replace dst_cache ip6_tunnel implementation with the generic one' (kabi bnc#1082897).
- Revert 'power: bq27xxx_battery: Remove unneeded dependency in Kconfig' (bnc#1012382).
- Revert 'powerpc: Simplify module TOC handling' (kabi).
- Revert SUSE-specific qla2xxx patch 'Add module parameter for interrupt mode' (bsc#1043726)
- Revert 'x86/entry/64: Separate cpu_current_top_of_stack from TSS.sp0'
- Revert 'x86/entry/64: Use a per-CPU trampoline stack for IDT entries'
- rfi-flush: Move the logic to avoid a redo into the debugfs code (bsc#1068032, bsc#1075087).
- rfi-flush: Switch to new linear fallback flush (bsc#1068032, bsc#1075087).
- rhashtable: add rhashtable_lookup_get_insert_key() (bsc#1042286).
- rtc-opal: Fix handling of firmware error codes, prevent busy loops (bnc#1012382).
- rtlwifi: fix gcc-6 indentation warning (bnc#1012382).
- rtlwifi: rtl8821ae: Fix connection lost problem correctly (bnc#1012382).
- s390: add no-execute support (FATE#324087, LTC#158827).
- s390/dasd: fix handling of internal requests (bsc#1080321).
- s390/dasd: fix wrongly assigned configuration data (bnc#1012382).
- s390/dasd: prevent prefix I/O error (bnc#1012382).
- s390: fix handling of -1 in set{,fs}[gu]id16 syscalls (bnc#1012382).
- s390: hypfs: Move diag implementation and data definitions (FATE#324070, LTC#158959).
- s390: kvm: Cpu model support for msa6, msa7 and msa8 (FATE#324069, LTC#159031).
- s390: Make cpc_name accessible (FATE#324070, LTC#158959).
- s390: Make diag224 public (FATE#324070, LTC#158959).
- s390/mem_detect: use unsigned longs (FATE#324071, LTC#158956).
- s390/mm: align swapper_pg_dir to 16k (FATE#324087, LTC#158827).
- s390/mm: always use PAGE_KERNEL when mapping pages (FATE#324087, LTC#158827).
- s390/noexec: execute kexec datamover without DAT (FATE#324087, LTC#158827).
- s390/oprofile: fix address range for asynchronous stack (bsc#1082979).
- s390/pageattr: allow kernel page table splitting (FATE#324087, LTC#158827).
- s390/pageattr: avoid unnecessary page table splitting (FATE#324087, LTC#158827).
- s390/pageattr: handle numpages parameter correctly (FATE#324087, LTC#158827).
- s390/pci_dma: improve lazy flush for unmap (bnc#1079886, LTC#163393).
- s390/pci_dma: improve map_sg (bnc#1079886, LTC#163393).
- s390/pci_dma: make lazy flush independent from the tlb_refresh bit (bnc#1079886, LTC#163393).
- s390/pci_dma: remove dma address range check (bnc#1079886, LTC#163393).
- s390/pci_dma: simplify dma address calculation (bnc#1079886, LTC#163393).
- s390/pci_dma: split dma_update_trans (bnc#1079886, LTC#163393).
- s390/pci: fix dma address calculation in map_sg (bnc#1079886, LTC#163393).
- s390/pci: handle insufficient resources during dma tlb flush (bnc#1079886, LTC#163393).
- s390/pgtable: introduce and use generic csp inline asm (FATE#324087, LTC#158827).
- s390/pgtable: make pmd and pud helper functions available (FATE#324087, LTC#158827).
- s390/qeth: fix underestimated count of buffer elements (bnc#1082089, LTC#164529).
- s390: report new vector facilities (FATE#324088, LTC#158828).
- s390/sclp: Add hmfai field (FATE#324071, LTC#158956).
- s390/vmem: align segment and region tables to 16k (FATE#324087, LTC#158827).
- s390/vmem: introduce and use SEGMENT_KERNEL and REGION3_KERNEL (FATE#324087, LTC#158827).
- s390/vmem: simplify vmem code for read-only mappings (FATE#324087, LTC#158827).
- sched/rt: Up the root domain ref count when passing it around via IPIs (bnc#1012382).
- sched/rt: Use container_of() to get root domain in rto_push_irq_work_func() (bnc#1012382).
- scripts/kernel-doc: Do not fail with status != 0 if error encountered with -none (bnc#1012382).
- scsi: aacraid: Fix hang in kdump (bsc#1022607, FATE#321673).
- scsi: aacraid: Prevent crash in case of free interrupt during scsi EH path (bnc#1012382).
- scsi: advansys: fix build warning for PCI=n (bnc#1012382).
- scsi: advansys: fix uninitialized data access (bnc#1012382).
- scsi: do not look for NULL devices handlers by name (bsc#1082373).
- scsi: fas216: fix sense buffer initialization (bsc#1082979).
- scsi: fdomain: drop fdomain_pci_tbl when built-in (bnc#1012382).
- scsi: hisi_sas: directly attached disk LED feature for v2 hw (bsc#1083409).
- scsi: ibmvfc: fix misdefined reserved field in ibmvfc_fcp_rsp_info (bnc#1012382).
- scsi: initio: remove duplicate module device table (bnc#1012382 bsc#1082979).
- scsi: initio: remove duplicate module device table (bsc#1082979).
- scsi: libsas: fix error when getting phy events (bsc#1082979).
- scsi: libsas: fix memory leak in sas_smp_get_phy_events() (bsc#1082979).
- scsi: lpfc: Add WQ Full Logic for NVME Target (bsc#1080656).
- scsi: lpfc: Allow set of maximum outstanding SCSI cmd limit for a target (bsc#1080656).
- scsi: lpfc: Beef up stat counters for debug (bsc#1076693).
- scsi: lpfc: correct debug counters for abort (bsc#1080656).
- scsi: lpfc: do not dereference localport before it has been null checked (bsc#1076693).
- scsi: lpfc: Do not return internal MBXERR_ERROR code from probe function (bsc#1082979).
- scsi: lpfc: fix a couple of minor indentation issues (bsc#1076693).
- scsi: lpfc: Fix -EOVERFLOW behavior for NVMET and defer_rcv (bsc#1076693).
- scsi: lpfc: Fix header inclusion in lpfc_nvmet (bsc#1080656).
- scsi: lpfc: Fix infinite wait when driver unregisters a remote NVME port (bsc#1076693).
- scsi: lpfc: Fix IO failure during hba reset testing with nvme io (bsc#1080656).
- scsi: lpfc: Fix issue_lip if link is disabled (bsc#1080656).
- scsi: lpfc: Fix issues connecting with nvme initiator (bsc#1076693).
- scsi: lpfc: Fix nonrecovery of NVME controller after cable swap (bsc#1080656).
- scsi: lpfc: Fix PRLI handling when topology type changes (bsc#1080656).
- scsi: lpfc: Fix receive PRLI handling (bsc#1076693).
- scsi: lpfc: Fix RQ empty firmware trap (bsc#1080656).
- scsi: lpfc: Fix SCSI io host reset causing kernel crash (bsc#1080656).
- scsi: lpfc: Fix SCSI LUN discovery when SCSI and NVME enabled (bsc#1076693).
- scsi: lpfc: Fix soft lockup in lpfc worker thread during LIP testing (bsc#1080656).
- scsi: lpfc: Increase CQ and WQ sizes for SCSI (bsc#1080656).
- scsi: lpfc: Increase SCSI CQ and WQ sizes (bsc#1076693).
- scsi: lpfc: Indicate CONF support in NVMe PRLI (bsc#1080656).
- scsi: lpfc: move placement of target destroy on driver detach (bsc#1080656).
- scsi: lpfc: Treat SCSI Write operation Underruns as an error (bsc#1080656).
- scsi: lpfc: Update 11.4.0.7 modified files for 2018 Copyright (bsc#1080656).
- scsi: lpfc: update driver version to 11.4.0.6 (bsc#1076693).
- scsi: lpfc: update driver version to 11.4.0.7 (bsc#1080656).
- scsi: lpfc: Validate adapter support for SRIU option (bsc#1080656).
- scsi: mvumi: use __maybe_unused to hide pm functions (bnc#1012382).
- scsi: qla2xxx: Ability to process multiple SGEs in Command SGL for CT passthrough commands (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Accelerate SCSI BUSY status generation in target mode (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Add ability to autodetect SFP type (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add ability to send PRLO (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add ability to use GPNFT/GNNFT for RSCN handling (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add ATIO-Q processing for INTx mode (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add boundary checks for exchanges to be offloaded (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add command completion for error path (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add debug knob for user control workload (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Add debug logging routine for qpair (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Added change to enable ZIO for FC-NVMe devices (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add FC-NVMe command handling (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add FC-NVMe F/W initialization and transport registration (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add FC-NVMe port discovery and PRLI handling (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add function call to qpair for door bell (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Add fw_started flags to qpair (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Add lock protection around host lookup (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add LR distance support from nvram bit (bsc#1043726,FATE#324770).
- scsi: qla2xxx: add missing includes for qla_isr (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add option for use reserve exch for ELS (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add ql2xiniexchg parameter (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Add retry limit for fabric scan logic (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add support for minimum link speed (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add switch command to simplify fabric discovery (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add timeout ability to wait_for_sess_deletion() (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add XCB counters to debugfs (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Allow ABTS, PURX, RIDA on ATIOQ for ISP83XX/27XX (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Allow MBC_GET_PORT_DATABASE to query and save the port states (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Allow relogin and session creation after reset (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Allow SNS fabric login to be retried (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Allow target mode to accept PRLI in dual mode (bsc#1043726,FATE#324770).
- scsi: qla2xxx: avoid unused-function warning (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Change ha->wq max_active value to default (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Changes to support N2N logins (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Chip reset uses wrong lock during IO flush (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Cleanup FC-NVMe code (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Cleanup NPIV host in target mode during config teardown (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Clear fc4f_nvme flag (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Clear loop id after delete (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Combine Active command arrays (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Convert 32-bit LUN usage to 64-bit (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Defer processing of GS IOCB calls (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Delay loop id allocation at login (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Do not call abort handler function during chip reset (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Do not call dma_free_coherent with IRQ disabled (bsc#1043726,FATE#324770).
- scsi: qla2xxx: do not include <generated/utsrelease.h> (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Enable Async TMF processing (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Enable ATIO interrupt handshake for ISP27XX (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Enable Target Multi Queue (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Fix abort command deadlock due to spinlock (FATE#320146, bsc#966328).
- scsi: qla2xxx: fix a bunch of typos and spelling mistakes (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix a locking imbalance in qlt_24xx_handle_els() (bsc#1082979).
- scsi: qla2xxx: Fix compile warning (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Fix FC-NVMe LUN discovery (bsc#1083223).
- scsi: qla2xxx: Fix Firmware dump size for Extended login and Exchange Offload (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix GPNFT/GNNFT error handling (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix gpnid error processing (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix incorrect handle for abort IOCB (bsc#1082979).
- scsi: qla2xxx: Fix login state machine freeze (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix login state machine stuck at GPDB (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix logo flag for qlt_free_session_done() (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix mailbox failure while deleting Queue pairs (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Fix memory leak in dual/target mode (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix NPIV host cleanup in target mode (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix NPIV host enable after chip reset (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix NULL pointer access for fcport structure (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS (bsc#1082979).
- scsi: qla2xxx: Fix NULL pointer crash due to probe failure (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix oops in qla2x00_probe_one error path (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix PRLI state check (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix queue ID for async abort with Multiqueue (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix recursion while sending terminate exchange (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix Relogin being triggered too fast (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix re-login for Nport Handle in use (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix remoteport disconnect for FC-NVMe (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix scan state field for fcport (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix session cleanup for N2N (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix slow mem alloc behind lock (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix smatch warning in qla25xx_delete_{rsp|req}_que (bsc#1043726,FATE#324770).
- scsi: qla2xxx: fix spelling mistake of variable sfp_additonal_info (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix system crash for Notify ack timeout handling (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix system crash in qlt_plogi_ack_unref (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix system crash while triggering FW dump (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix system panic due to pointer access problem (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix target multiqueue configuration (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix task mgmt handling for NPIV (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix warning during port_name debug print (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix warning for code intentation in __qla24xx_handle_gpdb_event() (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix warning in qla2x00_async_iocb_timeout() (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix WWPN/WWNN in debug message (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Handle PCIe error for driver (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Include Exchange offload/Extended Login into FW dump (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Increase ql2xmaxqdepth to 64 (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Increase verbosity of debug messages logged (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Migrate switch registration commands away from mailbox interface (bsc#1043726,FATE#324770).
- scsi: qla2xxx: move fields from qla_hw_data to qla_qpair (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Move function prototype to correct header (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Move logging default mask to execute once only (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Move session delete to driver work queue (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Move target stat counters from vha to qpair (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Move work element processing out of DPC thread (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Off by one in qlt_ctio_to_cmd() (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Preparation for Target MQ (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Prevent multiple active discovery commands per session (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Prevent relogin trigger from sending too many commands (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Prevent sp->free null/uninitialized pointer dereference (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Print correct mailbox registers in failed summary (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Properly extract ADISC error codes (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Protect access to qpair members with qpair->qp_lock (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Query FC4 type during RSCN processing (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Recheck session state after RSCN (bsc#1043726,FATE#324770)
- scsi: qla2xxx: Reduce the use of terminate exchange (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Reduce trace noise for Async Events (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Reinstate module parameter ql2xenablemsix (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Relogin to target port on a cable swap (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Remove aborting ELS IOCB call issued as part of timeout (FATE#320146, bsc#966328).
- scsi: qla2xxx: Remove an unused structure member (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Remove datasegs_per_cmd and datasegs_per_cont field (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Remove extra register read (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Remove extra register read (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Remove FC_NO_LOOP_ID for FCP and FC-NVMe Discovery (bsc#1084397).
- scsi: qla2xxx: Remove potential macro parameter side-effect in ql_dump_regs() (bsc#1043726,FATE#324770).
- scsi: qla2xxx: remove redundant assignment of d (bsc#1043726,FATE#324770).
- scsi: qla2xxx: remove redundant null check on tgt (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Remove redundant wait when target is stopped (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Remove session creation redundant code (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Remove unused argument from qlt_schedule_sess_for_deletion() (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Remove unused irq_cmd_count field (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Remove unused tgt_enable_64bit_addr flag (bsc#1043725,FATE#324770).
- scsi: qla2xxx: remove writeq/readq function definitions (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Replace fcport alloc with qla2x00_alloc_fcport (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Replace GPDB with async ADISC command (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Reset the logo flag, after target re-login (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Retry switch command on time out (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Send FC4 type NVMe to the management server (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Serialize GPNID for multiple RSCN (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Serialize session deletion by using work_lock (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Serialize session free in qlt_free_session_done (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Simpify unregistration of FC-NVMe local/remote ports (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Skip IRQ affinity for Target QPairs (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Skip zero queue count entry during FW dump capture (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Suppress a kernel complaint in qla_init_base_qpair() (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Tweak resource count dump (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Update Driver version to 10.00.00.00-k (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Update driver version to 10.00.00.01-k (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Update driver version to 10.00.00.02-k (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Update driver version to 10.00.00.03-k (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Update driver version to 10.00.00.04-k (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Update driver version to 10.00.00.05-k (bsc#1081681).
- scsi: qla2xxx: Update driver version to 9.01.00.00-k (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Update fw_started flags at qpair creation (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Use BIT_6 to acquire FAWWPN from switch (bsc#1043726,FATE#324770)
- scsi: qla2xxx: Use chip reset to bring down laser on unload (bsc#1043726,FATE#324770).
- scsi: qla2xxx: use dma_mapping_error to check map errors (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Use FC-NVMe FC4 type for FDMI registration (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Use IOCB path to submit Control VP MBX command (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Use known NPort ID for Management Server login (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Use ql2xnvmeenable to enable Q-Pair for FC-NVMe (bsc#1043726,FATE#324770).
- scsi: qla2xxx: use shadow register for ISP27XX (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Use shadow register for ISP27XX (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Use sp->free instead of hard coded call (bsc#1043726,FATE#324770).
- scsi: ses: do not get power status of SES device slot on probe (bsc#1082979).
- scsi: sim710: fix build warning (bnc#1012382).
- scsi: sr: workaround VMware ESXi cdrom emulation bug (bsc#1080813).
- scsi: storvsc: Fix scsi_cmd error assignments in storvsc_handle_error (bnc#1012382).
- scsi: storvsc: remove unnecessary channel inbound lock (fate#315887, bsc#1082632).
- scsi: sun_esp: fix device reference leaks (bsc#1082979).
- scsi: tcm_qla2xxx: Do not allow aborted cmd to advance (bsc#1043725,FATE#324770).
- scsi: ufs: ufshcd: fix potential NULL pointer dereference in ufshcd_config_vreg (bnc#1012382).
- sctp: make use of pre-calculated len (bnc#1012382).
- selinux: ensure the context is NUL terminated in security_context_to_sid_core() (bnc#1012382).
- selinux: general protection fault in sock_has_perm (bnc#1012382).
- selinux: skip bounded transition processing if the policy isn't loaded (bnc#1012382).
- serial: 8250_mid: fix broken DMA dependency (bnc#1012382).
- serial: 8250_uniphier: fix error return code in uniphier_uart_probe() (bsc#1031717).
- serial: imx: Only wakeup via RTSDEN bit if the system has RTS/CTS (bnc#1012382).
- series.conf: disable qla2xxx patches (bsc#1043725)
- sget(): handle failures of register_shrinker() (bnc#1012382).
- signal/openrisc: Fix do_unaligned_access to send the proper signal (bnc#1012382).
- signal/sh: Ensure si_signo is initialized in do_divide_error (bnc#1012382).
- SolutionEngine771x: fix Ether platform data (bnc#1012382).
- spi: atmel: fixed spin_lock usage inside atmel_spi_remove (bnc#1012382).
- spi: imx: do not access registers while clocks disabled (bnc#1012382).
- spi: sun4i: disable clocks in the remove function (bnc#1012382).
- ssb: mark ssb_bus_register as __maybe_unused (bnc#1012382).
- staging: android: ashmem: Fix a race condition in pin ioctls (bnc#1012382).
- staging: iio: adc: ad7192: fix external frequency setting (bnc#1012382).
- staging: rtl8188eu: Fix incorrect response to SIOCGIWESSID (bnc#1012382).
- staging: ste_rmi4: avoid unused function warnings (bnc#1012382).
- staging: unisys: visorinput depends on INPUT (bnc#1012382).
- staging: wilc1000: fix kbuild test robot error (bnc#1012382).
- sunrpc: Allow connect to return EHOSTUNREACH (bnc#1012382).
- target: Add support for TMR percpu reference counting (bsc#1043726,FATE#324770).
- target: Add TARGET_SCF_LOOKUP_LUN_FROM_TAG support for ABORT_TASK (bsc#1043726,FATE#324770).
- tc1100-wmi: fix build warning when CONFIG_PM not enabled (bnc#1012382).
- tc358743: fix register i2c_rd/wr function fix (git-fixes).
- tc358743: fix register i2c_rd/wr functions (bnc#1012382).
- tcp: do not set rtt_min to 1 (bsc#1042286).
- tcp: release sk_frag.page in tcp_disconnect (bnc#1012382).
- test_bpf: fix the dummy skb after dissector changes (bsc#1042286).
- tg3: Add workaround to restrict 5762 MRRS to 2048 (bnc#1012382).
- tg3: Enable PHY reset in MTU change path for 5720 (bnc#1012382).
- thermal: fix INTEL_SOC_DTS_IOSF_CORE dependencies (bnc#1012382).
- thermal: spear: use __maybe_unused for PM functions (bnc#1012382).
- tlan: avoid unused label with PCI=n (bnc#1012382).
- tools build: Add tools tree support for 'make -s' (bnc#1012382).
- tpm-dev-common: Reject too short writes (bsc#1020645, git-fixes).
- tpm: fix potential buffer overruns caused by bit glitches on the bus (bsc#1020645, git-fixes).
- tpm_i2c_infineon: fix potential buffer overruns caused by bit glitches on the bus (bsc#1020645, git-fixes).
- tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on the bus (bsc#1020645, git-fixes).
- tpm: st33zp24: fix potential buffer overruns caused by bit glitches on the bus (bsc#1020645, git-fixes).
- tpm_tis: fix potential buffer overruns caused by bit glitches on the bus (bsc#1020645, git-fixes).
- tty: cyclades: cyz_interrupt is only used for PCI (bnc#1012382).
- tty: hvc_xen: hide xen_console_remove when unused (bnc#1012382).
- tty: mxser: Remove ASYNC_CLOSING (bnc#1072363).
- ubi: block: Fix locking for idr_alloc/idr_remove (bnc#1012382).
- udp: restore UDPlite many-cast delivery (bsc#1042286).
- usb: build drivers/usb/common/ when USB_SUPPORT is set (bnc#1012382).
- usb: cdc-acm: Do not log urb submission errors on disconnect (bnc#1012382).
- usb: cdc_subset: only build when one driver is enabled (bnc#1012382).
- usb: dwc3: gadget: Set maxpacket size for ep0 IN (bnc#1012382).
- usb: f_fs: Prevent gadget unbind if it is already unbound (bnc#1012382).
- usb: gadget: do not dereference g until after it has been null checked (bnc#1012382).
- usb: gadget: f_fs: Process all descriptors during bind (bnc#1012382).
- usb: gadget: uvc: Missing files for configfs interface (bnc#1012382).
- usbip: fix 3eee23c3ec14 tcp_socket address still in the status file (bnc#1012382).
- usbip: keep usbip_device sockfd state in sync with tcp_socket (bnc#1012382).
- usbip: list: do not list devices attached to vhci_hcd (bnc#1012382).
- usbip: prevent bind loops on devices attached to vhci_hcd (bnc#1012382).
- usbip: vhci_hcd: clear just the USB_PORT_STAT_POWER bit (bnc#1012382).
- usb: ldusb: add PIDs for new CASSY devices supported by this driver (bnc#1012382).
- usb: musb/ux500: remove duplicate check for dma_is_compatible (bnc#1012382).
- usb: ohci: Proper handling of ed_rm_list to handle race condition between usb_kill_urb() and finish_unlinks() (bnc#1012382).
- usb: option: Add support for FS040U modem (bnc#1012382).
- usb: phy: msm add regulator dependency (bnc#1012382).
- usb: renesas_usbhs: missed the 'running' flag in usb_dmac with rx path (bnc#1012382).
- usb: serial: io_edgeport: fix possible sleep-in-atomic (bnc#1012382).
- usb: serial: pl2303: new device id for Chilitag (bnc#1012382).
- usb: serial: simple: add Motorola Tetra driver (bnc#1012382).
- usb: uas: unconditionally bring back host after reset (bnc#1012382).
- v4l: remove MEDIA_TUNER dependency for VIDEO_TUNER (bnc#1012382).
- vb2: V4L2_BUF_FLAG_DONE is set after DQBUF (bnc#1012382).
- vfs: do not do RCU lookup of empty pathnames (bnc#1012382).
- vhost_net: stop device during reset owner (bnc#1012382).
- video: fbdev: atmel_lcdfb: fix display-timings lookup (bnc#1012382).
- video: fbdev/mmp: add MODULE_LICENSE (bnc#1012382).
- video: fbdev: sis: remove unused variable (bnc#1012382).
- video: fbdev: via: remove possibly unused variables (bnc#1012382).
- video: Use bool instead int pointer for get_opt_bool() argument (bnc#1012382).
- virtio_balloon: prevent uninitialized variable use (bnc#1012382).
- vmbus: add per-channel sysfs info (fate#315887, bsc#1082632).
- vmbus: add prefetch to ring buffer iterator (fate#315887, bsc#1082632).
- vmbus: do not acquire the mutex in vmbus_hvsock_device_unregister() (fate#315887, bsc#1082632).
- vmbus: drop unused ring_buffer_info elements (fate#315887, bsc#1082632).
- vmbus: eliminate duplicate cached index (fate#315887, bsc#1082632).
- vmbus: hvsock: add proper sync for vmbus_hvsock_device_unregister() (fate#315887, bsc#1082632).
- vmbus: initialize reserved fields in messages (fate#315887, bsc#1082632).
- vmbus: make channel_message table constant (fate#315887, bsc#1082632).
- vmbus: more host signalling avoidance (fate#315887, bsc#1082632).
- vmbus: refactor hv_signal_on_read (fate#315887, bsc#1082632).
- vmbus: remove unused vmbus_sendpacket_ctl (fate#315887, bsc#1082632).
- vmbus: remove unused vmbus_sendpacket_multipagebuffer (fate#315887, bsc#1082632).
- vmbus: remove unused vmubs_sendpacket_pagebuffer_ctl (fate#315887, bsc#1082632).
- vmbus: Reuse uuid_le_to_bin() helper (fate#315887, bsc#1082632).
- vmbus: simplify hv_ringbuffer_read (fate#315887, bsc#1082632).
- vmbus: unregister device_obj->channels_kset (fate#315887, bsc#1082632).
- vmxnet3: prevent building with 64K pages (bnc#1012382).
- vxlan: consolidate csum flag handling (bsc#1042286).
- vxlan: consolidate output route calculation (bsc#1042286).
- vxlan: consolidate vxlan_xmit_skb and vxlan6_xmit_skb (bsc#1042286).
- vxlan: do not allow overwrite of config src addr (bsc#1042286).
- watchdog: imx2_wdt: restore previous timeout after suspend+resume (bnc#1012382).
- wireless: cw1200: use __maybe_unused to hide pm functions_ (bnc#1012382).
- x86: add MULTIUSER dependency for KVM (bnc#1012382).
- x86/asm: Fix inline asm call constraints for GCC 4.4 (bnc#1012382).
- x86/boot: Avoid warning for zero-filling .bss (bnc#1012382).
- x86: bpf_jit: small optimization in emit_bpf_tail_call() (bnc#1012382).
- x86/bugs: Drop one 'mitigation' from dmesg (bnc#1012382).
- x86/build: Silence the build with 'make -s' (bnc#1012382).
- x86/cpu/bugs: Make retpoline module warning conditional (bnc#1012382).
- x86/cpu: Change type of x86_cache_size variable to unsigned int (bnc#1012382).
- x86/entry/64: Separate cpu_current_top_of_stack from TSS.sp0 (bsc#1077560).
- x86/entry/64: Use a per-CPU trampoline stack for IDT entries (bsc#1077560).
- x86: fix build warnign with 32-bit PAE (bnc#1012382).
- x86/fpu/math-emu: Fix possible uninitialized variable use (bnc#1012382).
- x86/hyperv: Implement hv_get_tsc_page() (fate#315887, bsc#1082632).
- x86/hyper-v: include hyperv/ only when CONFIG_HYPERV is set (fate#315887, bsc#1082632).
- x86/hyper-v: Introduce fast hypercall implementation (fate#315887, bsc#1082632).
- x86/hyper-v: Make hv_do_hypercall() inline (fate#315887, bsc#1082632).
- x86/hyperv: Move TSC reading method to asm/mshyperv.h (fate#315887, bsc#1082632).
- x86/kaiser: fix build error with KASAN && !FUNCTION_GRAPH_TRACER (bnc#1012382).
- x86/kvm/vmx: do not use vm-exit instruction length for fast MMIO when running nested (bsc#1081431).
- x86/mce: Pin the timer when modifying (bsc#1080851,1076282).
- x86/microcode/AMD: Change load_microcode_amd()'s param to bool to fix preemptibility bug (bnc#1012382).
- x86/microcode/AMD: Do not load when running on a hypervisor (bsc#1081436 bsc#1081437).
- x86/microcode: Do the family check first (bnc#1012382).
- x86/microcode: Do the family check first (bsc#1081436 bsc#1081437).
- x86/mm/kmmio: Fix mmiotrace for page unaligned addresses (bnc#1012382).
- x86/mm/pkeys: Fix fill_sig_info_pkey (fate#321300).
- x86/nospec: Fix header guards names (bnc#1012382).
- x86/oprofile: Fix bogus GCC-8 warning in nmi_setup() (bnc#1012382).
- x86/paravirt: Remove 'noreplace-paravirt' cmdline option (bnc#1012382).
- x86/platform: Add PCI dependency for PUNIT_ATOM_DEBUG (bnc#1012382).
- x86/platform/olpc: Fix resume handler build warning (bnc#1012382).
- x86/pti: Make unpoison of pgd for trusted boot work for real (bnc#1012382).
- x86/ras/inject: Make it depend on X86_LOCAL_APIC=y (bnc#1012382).
- x86/retpoline: Avoid retpolines for built-in __init functions (bnc#1012382).
- x86/retpoline/hyperv: Convert assembler indirect jumps (fate#315887, bsc#1082632).
- x86/retpoline: Remove the esp/rsp thunk (bnc#1012382).
- x86/spectre: Check CONFIG_RETPOLINE in command line parser (bnc#1012382).
- x86/spectre: Fix an error message (git-fixes).
- x86/spectre: Fix spelling mistake: 'vunerable'-> 'vulnerable' (bnc#1012382).
- x86/spectre: Remove the out-of-tree RSB stuffing
- x86/spectre: Simplify spectre_v2 command line parsing (bnc#1012382).
- x86/speculation: Fix typo IBRS_ATT, which should be IBRS_ALL (bnc#1012382).
- x86/xen: Zero MSR_IA32_SPEC_CTRL before suspend (bnc#1065600).
- xen/gntdev: Fix off-by-one error when unmapping with holes (bnc#1012382).
- xen/gntdev: Fix partial gntdev_mmap() cleanup (bnc#1012382).
- xen-netfront: enable device after manual module load (bnc#1012382).
- xen-netfront: remove warning when unloading module (bnc#1012382).
- xen: XEN_ACPI_PROCESSOR is Dom0-only (bnc#1012382).
- xfrm: check id proto in validate_tmpl() (bnc#1012382).
- xfrm: Fix stack-out-of-bounds read on socket policy lookup (bnc#1012382).
- xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies (bnc#1012382).
- xfrm_user: propagate sec ctx allocation errors (bsc#1042286).
- xfs: do not chain ioends during writepage submission (bsc#1077285 bsc#1043441).
- xfs: factor mapping out of xfs_do_writepage (bsc#1077285 bsc#1043441).
- xfs: Introduce writeback context for writepages (bsc#1077285 bsc#1043441).
- xfs: ioends require logically contiguous file offsets (bsc#1077285 bsc#1043441).
- xfs: quota: check result of register_shrinker() (bnc#1012382).
- xfs: quota: fix missed destroy of qi_tree_lock (bnc#1012382).
- xfs: reinit btree pointer on attr tree inactivation walk (bsc#1078787).
- xfs: remove nonblocking mode from xfs_vm_writepage (bsc#1077285 bsc#1043441).
- xfs: remove xfs_cancel_ioend (bsc#1077285 bsc#1043441).
- xfs: stop searching for free slots in an inode chunk when there are none (bsc#1072739).
- xfs: toggle readonly state around xfs_log_mount_finish (bsc#1073401).
- xfs: ubsan fixes (bnc#1012382).
- xfs: validate sb_logsunit is a multiple of the fs blocksize (bsc#1077513).
- xfs: write unmount record for ro mounts (bsc#1073401).
- xfs: xfs_cluster_write is redundant (bsc#1077285 bsc#1043441).
- xtensa: fix futex_atomic_cmpxchg_inatomic (bnc#1012382).
- zram: fix operator precedence to get offset (bsc#1082979).
ImportantSUSE bug 1006867SUSE bug 1012382SUSE bug 1015342SUSE bug 1015343SUSE bug 1020645SUSE bug 1022607SUSE bug 1024376SUSE bug 1027054SUSE bug 1031717SUSE bug 1033587SUSE bug 1034503SUSE bug 1042286SUSE bug 1043441SUSE bug 1043725SUSE bug 1043726SUSE bug 1062840SUSE bug 1065600SUSE bug 1065615SUSE bug 1066223SUSE bug 1067118SUSE bug 1068032SUSE bug 1068569SUSE bug 1069135SUSE bug 1070404SUSE bug 1071306SUSE bug 1071892SUSE bug 1072363SUSE bug 1072689SUSE bug 1072739SUSE bug 1072865SUSE bug 1073401SUSE bug 1073407SUSE bug 1074198SUSE bug 1074426SUSE bug 1075087SUSE bug 1076282SUSE bug 1076693SUSE bug 1076760SUSE bug 1076982SUSE bug 1077241SUSE bug 1077285SUSE bug 1077513SUSE bug 1077560SUSE bug 1077779SUSE bug 1078583SUSE bug 1078672SUSE bug 1078673SUSE bug 1078787SUSE bug 1079029SUSE bug 1079038SUSE bug 1079195SUSE bug 1079313SUSE bug 1079384SUSE bug 1079609SUSE bug 1079886SUSE bug 1079989SUSE bug 1080014SUSE bug 1080263SUSE bug 1080321SUSE bug 1080344SUSE bug 1080364SUSE bug 1080384SUSE bug 1080464SUSE bug 1080533SUSE bug 1080656SUSE bug 1080774SUSE bug 1080813SUSE bug 1080851SUSE bug 1081134SUSE bug 1081431SUSE bug 1081436SUSE bug 1081437SUSE bug 1081491SUSE bug 1081498SUSE bug 1081500SUSE bug 1081512SUSE bug 1081514SUSE bug 1081681SUSE bug 1081735SUSE bug 1082089SUSE bug 1082223SUSE bug 1082299SUSE bug 1082373SUSE bug 1082478SUSE bug 1082632SUSE bug 1082795SUSE bug 1082864SUSE bug 1082897SUSE bug 1082979SUSE bug 1082993SUSE bug 1083048SUSE bug 1083086SUSE bug 1083223SUSE bug 1083387SUSE bug 1083409SUSE bug 1083494SUSE bug 1083548SUSE bug 1083750SUSE bug 1083770SUSE bug 1084041SUSE bug 1084397SUSE bug 1084427SUSE bug 1084610SUSE bug 1084772SUSE bug 1084888SUSE bug 1084926SUSE bug 1084928SUSE bug 1084967SUSE bug 1085011SUSE bug 1085015SUSE bug 1085045SUSE bug 1085047SUSE bug 1085050SUSE bug 1085053SUSE bug 1085054SUSE bug 1085056SUSE bug 1085107SUSE bug 1085224SUSE bug 1085239SUSE bug 863764SUSE bug 966170SUSE bug 966172SUSE bug 966328SUSE bug 969476SUSE bug 969477SUSE bug 975772SUSE bug 983145CVE-2017-13166 at SUSECVE-2017-13166 at NVDCVE-2017-15951 at SUSECVE-2017-15951 at NVDCVE-2017-16644 at SUSECVE-2017-16644 at NVDCVE-2017-16912 at SUSECVE-2017-16912 at NVDCVE-2017-16913 at SUSECVE-2017-16913 at NVDCVE-2017-17975 at SUSECVE-2017-17975 at NVDCVE-2017-18174 at SUSECVE-2017-18174 at NVDCVE-2017-18208 at SUSECVE-2017-18208 at NVDCVE-2018-1000026 at SUSECVE-2018-1000026 at NVDCVE-2018-1068 at SUSECVE-2018-1068 at NVDCVE-2018-8087 at SUSECVE-2018-8087 at NVDcpe:/o:suse:sles:12:sp3Security update for clamav (Important)SUSE Linux Enterprise Server 12 SP3
This update for clamav fixes the following issues:
Security issues fixed:
- CVE-2012-6706: VMSF_DELTA filter inside the unrar implementation allows an arbitrary memory write (bsc#1045315).
- CVE-2017-6419: A heap-based buffer overflow that can lead to a denial of service in libmspack via a crafted CHM file (bsc#1052449).
- CVE-2017-11423: A stack-based buffer over-read that can lead to a denial of service in mspack via a crafted CAB file (bsc#1049423).
- CVE-2018-1000085: An out-of-bounds heap read vulnerability was found in XAR parser that can lead to a denial of service (bsc#1082858).
- CVE-2018-0202: Fixed two vulnerabilities in the PDF parsing code (bsc#1083915).
ImportantSUSE bug 1045315SUSE bug 1049423SUSE bug 1052449SUSE bug 1082858SUSE bug 1083915CVE-2012-6706 at SUSECVE-2012-6706 at NVDCVE-2017-11423 at SUSECVE-2017-11423 at NVDCVE-2017-6419 at SUSECVE-2017-6419 at NVDCVE-2018-0202 at SUSECVE-2018-0202 at NVDCVE-2018-1000085 at SUSECVE-2018-1000085 at NVDcpe:/o:suse:sles:12:sp3Security update for dhcp (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for dhcp fixes the following issues:
Security issues fixed:
- CVE-2018-5733: reference count overflow in dhcpd (bsc#1083303).
- CVE-2018-5732: buffer overflow in dhclient (bsc#1083302).
ModerateSUSE bug 1083302SUSE bug 1083303CVE-2018-5732 at SUSECVE-2018-5732 at NVDCVE-2018-5733 at SUSECVE-2018-5733 at NVDcpe:/o:suse:sles:12:sp3Security update for tomcat (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for tomcat fixes the following issues:
Security issues fixed:
- CVE-2018-1305: Fixed late application of security constraints that can lead to resource exposure for unauthorised users (bsc#1082481).
- CVE-2018-1304: Fixed incorrect handling of empty string URL in security constraints that can lead to unitended exposure of resources (bsc#1082480).
- CVE-2017-15706: Fixed incorrect documentation of CGI Servlet search algorithm that may lead to misconfiguration (bsc#1078677).
ModerateSUSE bug 1078677SUSE bug 1082480SUSE bug 1082481CVE-2017-15706 at SUSECVE-2017-15706 at NVDCVE-2018-1304 at SUSECVE-2018-1304 at NVDCVE-2018-1305 at SUSECVE-2018-1305 at NVDcpe:/o:suse:sles:12:sp3Security update for wireshark (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for wireshark fixes the following issues:
Security issue fixed (bsc#1082692):
- CVE-2018-7335: The IEEE 802.11 dissector could crash (wnpa-sec-2018-05)
- CVE-2018-7321: thrift long dissector loop (dissect_thrift_map)
- CVE-2018-7322: DICOM: inifinite loop (dissect_dcm_tag)
- CVE-2018-7323: WCCP: very long loop (dissect_wccp2_alternate_mask_value_set_element)
- CVE-2018-7324: SCCP: infinite loop (dissect_sccp_optional_parameters)
- CVE-2018-7325: RPKI-Router Protocol: infinite loop (dissect_rpkirtr_pdu)
- CVE-2018-7326: LLTD: infinite loop (dissect_lltd_tlv)
- CVE-2018-7327: openflow_v6: infinite loop (dissect_openflow_bundle_control_v6)
- CVE-2018-7328: USB-DARWIN: long loop (dissect_darwin_usb_iso_transfer)
- CVE-2018-7329: S7COMM: infinite loop (s7comm_decode_ud_cpu_alarm_main)
- CVE-2018-7330: thread_meshcop: infinite loop (get_chancount)
- CVE-2018-7331: GTP: infinite loop (dissect_gprscdr_GGSNPDPRecord, dissect_ber_set)
- CVE-2018-7332: RELOAD: infinite loop (dissect_statans)
- CVE-2018-7333: RPCoRDMA: infinite loop in get_write_list_chunk_count
- CVE-2018-7421: Multiple dissectors could go into large infinite loops (wnpa-sec-2018-06)
- CVE-2018-7334: The UMTS MAC dissector could crash (wnpa-sec-2018-07)
- CVE-2018-7337: The DOCSIS dissector could crash (wnpa-sec-2018-08)
- CVE-2018-7336: The FCP dissector could crash (wnpa-sec-2018-09)
- CVE-2018-7320: The SIGCOMP dissector could crash (wnpa-sec-2018-10)
- CVE-2018-7420: The pcapng file parser could crash (wnpa-sec-2018-11)
- CVE-2018-7417: The IPMI dissector could crash (wnpa-sec-2018-12)
- CVE-2018-7418: The SIGCOMP dissector could crash (wnpa-sec-2018-13)
- CVE-2018-7419: The NBAP disssector could crash (wnpa-sec-2018-14)
- CVE-2017-17997: Misuse of NULL pointer in MRDISC dissector (bsc#1077080).
ModerateSUSE bug 1077080SUSE bug 1082692CVE-2017-17997 at SUSECVE-2017-17997 at NVDCVE-2018-7320 at SUSECVE-2018-7320 at NVDCVE-2018-7321 at SUSECVE-2018-7321 at NVDCVE-2018-7322 at SUSECVE-2018-7322 at NVDCVE-2018-7323 at SUSECVE-2018-7323 at NVDCVE-2018-7324 at SUSECVE-2018-7324 at NVDCVE-2018-7325 at SUSECVE-2018-7325 at NVDCVE-2018-7326 at SUSECVE-2018-7326 at NVDCVE-2018-7327 at SUSECVE-2018-7327 at NVDCVE-2018-7328 at SUSECVE-2018-7328 at NVDCVE-2018-7329 at SUSECVE-2018-7329 at NVDCVE-2018-7330 at SUSECVE-2018-7330 at NVDCVE-2018-7331 at SUSECVE-2018-7331 at NVDCVE-2018-7332 at SUSECVE-2018-7332 at NVDCVE-2018-7333 at SUSECVE-2018-7333 at NVDCVE-2018-7334 at SUSECVE-2018-7334 at NVDCVE-2018-7335 at SUSECVE-2018-7335 at NVDCVE-2018-7336 at SUSECVE-2018-7336 at NVDCVE-2018-7337 at SUSECVE-2018-7337 at NVDCVE-2018-7417 at SUSECVE-2018-7417 at NVDCVE-2018-7418 at SUSECVE-2018-7418 at NVDCVE-2018-7419 at SUSECVE-2018-7419 at NVDCVE-2018-7420 at SUSECVE-2018-7420 at NVDCVE-2018-7421 at SUSECVE-2018-7421 at NVDcpe:/o:suse:sles:12:sp3Security update for glibc (Important)SUSE Linux Enterprise Server 12 SP3
This update for glibc fixes the following issues:
- A privilege escalation bug in the realpath() function has been fixed.
[CVE-2018-1000001, bsc#1074293]
- A memory leak and a buffer overflow in the dynamic ELF loader has been fixed.
[CVE-2017-1000408, CVE-2017-1000409, bsc#1071319]
- An issue in the code handling RPATHs was fixed that could have been exploited
by an attacker to execute code loaded from arbitrary libraries.
[CVE-2017-16997, bsc#1073231]
- A potential crash caused by a use-after-free bug in pthread_create() has been
fixed. [bsc#1053188]
- A bug that prevented users to build shared objects which use the optimized
libmvec.so API has been fixed. [bsc#1070905]
- A memory leak in the glob() function has been fixed. [CVE-2017-15670,
CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583]
- A bug that would lose the syscall error code value in case of crashes has
been fixed. [bsc#1063675]
ImportantSUSE bug 1051042SUSE bug 1053188SUSE bug 1063675SUSE bug 1064569SUSE bug 1064580SUSE bug 1064583SUSE bug 1070905SUSE bug 1071319SUSE bug 1073231SUSE bug 1074293CVE-2017-1000408 at SUSECVE-2017-1000408 at NVDCVE-2017-1000409 at SUSECVE-2017-1000409 at NVDCVE-2017-15670 at SUSECVE-2017-15670 at NVDCVE-2017-15671 at SUSECVE-2017-15671 at NVDCVE-2017-15804 at SUSECVE-2017-15804 at NVDCVE-2017-16997 at SUSECVE-2017-16997 at NVDCVE-2018-1000001 at SUSECVE-2018-1000001 at NVDcpe:/o:suse:sles:12:sp3Security update for librelp (Important)SUSE Linux Enterprise Server 12 SP3
This update for librelp fixes the following issues:
CVE-2018-1000140 (bsc#1086730):
librelp contained a stack-based buffer overflow in the checking of x509 certificates.
A remote attacker with an access to the rsyslog logging facility could have exploited
it by sending a specially crafted x509 certificate.
ImportantSUSE bug 1086730CVE-2018-1000140 at SUSECVE-2018-1000140 at NVDcpe:/o:suse:sles:12:sp3Security update for LibVNCServer (Important)SUSE Linux Enterprise Server 12 SP3
LibVNCServer was updated to fix two security issues.
These security issues were fixed:
- CVE-2018-7225: Missing input sanitization inside rfbserver.c rfbProcessClientNormalMessage() (bsc#1081493).
- CVE-2016-9942: Heap-based buffer overflow in ultra.c allowed remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message with the Ultra type tile, such that the LZO payload decompressed length exceeds what is specified by the tile dimensions (bsc#1017712).
- CVE-2016-9941: Heap-based buffer overflow in rfbproto.c allowed remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message containing a subrectangle outside of the client drawing area (bsc#1017711).
ImportantSUSE bug 1017711SUSE bug 1017712SUSE bug 1081493CVE-2016-9941 at SUSECVE-2016-9941 at NVDCVE-2016-9942 at SUSECVE-2016-9942 at NVDCVE-2018-7225 at SUSECVE-2018-7225 at NVDcpe:/o:suse:sles:12:sp3Security update for memcached (Important)SUSE Linux Enterprise Server 12 SP3
This update for memcached fixes the following issues:
- CVE-2017-9951: Fixed heap-based buffer over-read in try_read_command function which allowed remote attackers to cause a denial of service attack (bsc#1056865).
ImportantSUSE bug 1056865CVE-2017-9951 at SUSECVE-2017-9951 at NVDcpe:/o:suse:sles:12:sp3Security update for krb5 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for krb5 provides the following fixes:
Security issues fixed:
- CVE-2018-5730: DN container check bypass by supplying special crafted data (bsc#1083927).
- CVE-2018-5729: Null pointer dereference in kadmind or DN container check bypass by supplying special crafted data (bsc#1083926).
Non-security issues fixed:
- Make it possible for legacy applications (e.g. SAP Netweaver) to remain compatible with
newer Kerberos. System administrators who are experiencing this kind of compatibility
issues may set the environment variable GSSAPI_ASSUME_MECH_MATCH to a non-empty value,
and make sure the environment variable is visible and effective to the application
startup script. (bsc#1057662)
- Fix a GSS failure in legacy applications by not indicating deprecated GSS mechanisms in
gss_indicate_mech() list. (bsc#1081725)
ModerateSUSE bug 1057662SUSE bug 1081725SUSE bug 1083926SUSE bug 1083927CVE-2018-5729 at SUSECVE-2018-5729 at NVDCVE-2018-5730 at SUSECVE-2018-5730 at NVDcpe:/o:suse:sles:12:sp3Security update for MozillaFirefox (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for MozillaFirefox fixes the following issues:
Security issues fixed in Firefox ESR 52.7.3 (bsc#1085130):
- CVE-2018-5125: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7
- CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList
- CVE-2018-5129: Out-of-bounds write with malformed IPC messages
- CVE-2018-5130: Mismatched RTP payload type can trigger memory corruption
- CVE-2018-5131: Fetch API improperly returns cached copies of no-store/no-cache resources
- CVE-2018-5144: Integer overflow during Unicode conversion
- CVE-2018-5145: Memory safety bugs fixed in Firefox ESR 52.7
- CVE-2018-5146: Out of bounds memory write in libvorbis (bsc#1085671)
- CVE-2018-5147: Out of bounds memory write in libtremor (bsc#1085671)
- CVE-2018-5148: Use-after-free in compositor (MFSA 2018-10) (bsc#1087059)
ModerateSUSE bug 1085130SUSE bug 1085671SUSE bug 1087059CVE-2018-5125 at SUSECVE-2018-5125 at NVDCVE-2018-5127 at SUSECVE-2018-5127 at NVDCVE-2018-5129 at SUSECVE-2018-5129 at NVDCVE-2018-5130 at SUSECVE-2018-5130 at NVDCVE-2018-5131 at SUSECVE-2018-5131 at NVDCVE-2018-5144 at SUSECVE-2018-5144 at NVDCVE-2018-5145 at SUSECVE-2018-5145 at NVDCVE-2018-5146 at SUSECVE-2018-5146 at NVDCVE-2018-5147 at SUSECVE-2018-5147 at NVDCVE-2018-5148 at SUSECVE-2018-5148 at NVDcpe:/o:suse:sles:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ImageMagick fixes several issues.
These security issues were fixed:
- CVE-2018-8804: The WriteEPTImage function allowed remote attackers to cause a
denial of service (double free and application crash) or possibly have
unspecified other impact via a crafted file (bsc#1086011).
- CVE-2017-11524: The WriteBlob function allowed remote attackers to cause a
denial of service (assertion failure and application exit) via a crafted file
(bsc#1050087).
- CVE-2017-18209: Prevent NULL pointer dereference in the
GetOpenCLCachedFilesDirectory function caused by a memory allocation result
that was not checked, related to GetOpenCLCacheDirectory (bsc#1083628).
- CVE-2017-18211: Prevent NULL pointer dereference in the function
saveBinaryCLProgram caused by a program-lookup result not being checked,
related to CacheOpenCLKernel (bsc#1083634).
- CVE-2017-9500: Prevent assertion failure in the function
ResetImageProfileIterator, which allowed attackers to cause a denial of service
via a crafted file (bsc#1043290).
- CVE-2017-14739: The AcquireResampleFilterThreadSet function mishandled failed
memory allocation, which allowed remote attackers to cause a denial of service
(NULL Pointer Dereference in DistortImage in MagickCore/distort.c, and
application crash) via unspecified vectors (bsc#1060382).
- CVE-2017-16353: Prevent memory information disclosure in the DescribeImage
function caused by a heap-based buffer over-read. The portion of the code
containing the vulnerability is responsible for printing the IPTC Profile
information contained in the image. This vulnerability can be triggered with a
specially crafted MIFF file. There is an out-of-bounds buffer dereference
because certain increments were never checked (bsc#1066170).
- CVE-2017-16352: Prevent a heap-based buffer overflow in the 'Display visual
image directory' feature of the DescribeImage() function. One possible way to
trigger the vulnerability is to run the identify command on a specially crafted
MIFF format file with the verbose flag (bsc#1066168).
- CVE-2017-14314: Prevent off-by-one error in the DrawImage function that
allowed remote attackers to cause a denial of service (DrawDashPolygon
heap-based buffer over-read and application crash) via a crafted file
(bsc#1058630).
- CVE-2017-13768: Prevent NULL pointer dereference in the IdentifyImage
function that allowed an attacker to perform denial of service by sending a
crafted image file (bsc#1056434).
- CVE-2017-14505: Fixed handling of NULL arrays, which allowed attackers to
perform Denial of Service (NULL pointer dereference and application crash in
AcquireQuantumMemory within MagickCore/memory.c) by providing a crafted Image
File as input (bsc#1059735).
- CVE-2018-7470: The IsWEBPImageLossless function allowed attackers to cause a
denial of service (segmentation violation) via a crafted file (bsc#1082837).
- CVE-2018-7443: The ReadTIFFImage function did not properly validate the
amount of image data in a file, which allowed remote attackers to cause a
denial of service (memory allocation failure in the AcquireMagickMemory
function in MagickCore/memory.c) (bsc#1082792).
- CVE-2017-15016: Prevent NULL pointer dereference vulnerability in
ReadEnhMetaFile allowing for denial of service (bsc#1082291).
- CVE-2017-15017: Prevent NULL pointer dereference vulnerability in
ReadOneMNGImage allowing for denial of service (bsc#1082283).
- CVE-2017-12692: The ReadVIFFImage function allowed remote attackers to cause
a denial of service (memory consumption) via a crafted VIFF file (bsc#1082362).
- CVE-2017-12693: The ReadBMPImage function allowed remote attackers to cause a
denial of service (memory consumption) via a crafted BMP file (bsc#1082348).
ModerateSUSE bug 1043290SUSE bug 1050087SUSE bug 1056434SUSE bug 1058630SUSE bug 1059735SUSE bug 1060382SUSE bug 1066168SUSE bug 1066170SUSE bug 1082283SUSE bug 1082291SUSE bug 1082348SUSE bug 1082362SUSE bug 1082792SUSE bug 1082837SUSE bug 1083628SUSE bug 1083634SUSE bug 1086011CVE-2017-11524 at SUSECVE-2017-11524 at NVDCVE-2017-12692 at SUSECVE-2017-12692 at NVDCVE-2017-12693 at SUSECVE-2017-12693 at NVDCVE-2017-13768 at SUSECVE-2017-13768 at NVDCVE-2017-14314 at SUSECVE-2017-14314 at NVDCVE-2017-14505 at SUSECVE-2017-14505 at NVDCVE-2017-14739 at SUSECVE-2017-14739 at NVDCVE-2017-15016 at SUSECVE-2017-15016 at NVDCVE-2017-15017 at SUSECVE-2017-15017 at NVDCVE-2017-16352 at SUSECVE-2017-16352 at NVDCVE-2017-16353 at SUSECVE-2017-16353 at NVDCVE-2017-18209 at SUSECVE-2017-18209 at NVDCVE-2017-18211 at SUSECVE-2017-18211 at NVDCVE-2017-9500 at SUSECVE-2017-9500 at NVDCVE-2018-7443 at SUSECVE-2018-7443 at NVDCVE-2018-7470 at SUSECVE-2018-7470 at NVDCVE-2018-8804 at SUSECVE-2018-8804 at NVDcpe:/o:suse:sles:12:sp3Security update for graphite2 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for graphite2 fixes the following issues:
- CVE-2018-7999: Fixed a NULL pointer dereference vulnerability in Segment.cpp that may cause a denial of serivce (bsc#1084850).
ModerateSUSE bug 1084850CVE-2018-7999 at SUSECVE-2018-7999 at NVDcpe:/o:suse:sles:12:sp3Security update for tiff (Important)SUSE Linux Enterprise Server 12 SP3
This update for tiff to version 4.0.9 fixes the following issues:
Security issues fixed:
- CVE-2014-8128: Fix out-of-bounds read with malformed TIFF image in multiple tools (bsc#969783).
- CVE-2015-7554: Fix invalid write in tiffsplit / _TIFFVGetField (bsc#960341).
- CVE-2016-10095: Fix stack-based buffer overflow in _TIFFVGetField (tif_dir.c) (bsc#1017690).
- CVE-2016-5318: Fix stackoverflow in thumbnail (bsc#983436).
- CVE-2017-16232: Fix memory-based DoS in tiff2bw (bsc#1069213).
ImportantSUSE bug 1017690SUSE bug 1069213SUSE bug 960341SUSE bug 969783SUSE bug 983436CVE-2014-8128 at SUSECVE-2014-8128 at NVDCVE-2015-7554 at SUSECVE-2015-7554 at NVDCVE-2016-10095 at SUSECVE-2016-10095 at NVDCVE-2016-5318 at SUSECVE-2016-5318 at NVDCVE-2017-16232 at SUSECVE-2017-16232 at NVDcpe:/o:suse:sles:12:sp3Security update for spice-gtk (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for spice-gtk fixes the following issues:
- CVE-2017-12194: A flaw was found in the way spice-client processed certain messages sent from the server. An attacker, having control of malicious spice-server, could use this flaw to crash the client or execute arbitrary code with permissions of the user running the client. spice-gtk versions through 0.34 are believed to be vulnerable. (bsc#1085415)
ModerateSUSE bug 1085415CVE-2017-12194 at SUSECVE-2017-12194 at NVDcpe:/o:suse:sles:12:sp3Security update for libidn (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libidn fixes one issues.
This security issue was fixed:
- CVE-2017-14062: Prevent integer overflow in the decode_digit function that
allowed remote attackers to cause a denial of service or possibly have
unspecified other impact (bsc#1056450).
ModerateSUSE bug 1056450CVE-2017-14062 at SUSECVE-2017-14062 at NVDcpe:/o:suse:sles:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3
This update for java-1_7_0-openjdk fixes the following issues:
Security issues fixed:
- CVE-2017-10356: Fix issue inside subcomponent Security (bsc#1064084).
- CVE-2017-10274: Fix issue inside subcomponent Smart Card IO (bsc#1064071).
- CVE-2017-10281: Fix issue inside subcomponent Serialization (bsc#1064072).
- CVE-2017-10285: Fix issue inside subcomponent RMI (bsc#1064073).
- CVE-2017-10295: Fix issue inside subcomponent Networking (bsc#1064075).
- CVE-2017-10388: Fix issue inside subcomponent Libraries (bsc#1064086).
- CVE-2017-10346: Fix issue inside subcomponent Hotspot (bsc#1064078).
- CVE-2017-10350: Fix issue inside subcomponent JAX-WS (bsc#1064082).
- CVE-2017-10347: Fix issue inside subcomponent Serialization (bsc#1064079).
- CVE-2017-10349: Fix issue inside subcomponent JAXP (bsc#1064081).
- CVE-2017-10345: Fix issue inside subcomponent Serialization (bsc#1064077).
- CVE-2017-10348: Fix issue inside subcomponent Libraries (bsc#1064080).
- CVE-2017-10357: Fix issue inside subcomponent Serialization (bsc#1064085).
- CVE-2017-10355: Fix issue inside subcomponent Networking (bsc#1064083).
- CVE-2017-10102: Fix incorrect handling of references in DGC (bsc#1049316).
- CVE-2017-10053: Fix reading of unprocessed image data in JPEGImageReader (bsc#1049305).
- CVE-2017-10067: Fix JAR verifier incorrect handling of missing digest (bsc#1049306).
- CVE-2017-10081: Fix incorrect bracket processing in function signature handling (bsc#1049309).
- CVE-2017-10087: Fix insufficient access control checks in ThreadPoolExecutor (bsc#1049311).
- CVE-2017-10089: Fix insufficient access control checks in ServiceRegistry (bsc#1049312).
- CVE-2017-10090: Fix insufficient access control checks in AsynchronousChannelGroupImpl (bsc#1049313).
- CVE-2017-10096: Fix insufficient access control checks in XML transformations (bsc#1049314).
- CVE-2017-10101: Fix unrestricted access to com.sun.org.apache.xml.internal.resolver (bsc#1049315).
- CVE-2017-10107: Fix insufficient access control checks in ActivationID (bsc#1049318).
- CVE-2017-10074: Fix integer overflows in range check loop predicates (bsc#1049307).
- CVE-2017-10110: Fix insufficient access control checks in ImageWatched (bsc#1049321).
- CVE-2017-10108: Fix unbounded memory allocation in BasicAttribute deserialization (bsc#1049319).
- CVE-2017-10109: Fix unbounded memory allocation in CodeSource deserialization (bsc#1049320).
- CVE-2017-10115: Fix unspecified vulnerability in subcomponent JCE (bsc#1049324).
- CVE-2017-10118: Fix ECDSA implementation timing attack (bsc#1049326).
- CVE-2017-10116: Fix LDAPCertStore following referrals to non-LDAP URL (bsc#1049325).
- CVE-2017-10135: Fix PKCS#8 implementation timing attack (bsc#1049328).
- CVE-2017-10176: Fix incorrect handling of certain EC points (bsc#1049329).
- CVE-2017-10074: Fix integer overflows in range check loop predicates (bsc#1049307).
- CVE-2017-10074: Fix integer overflows in range check loop predicates (bsc#1049307).
- CVE-2017-10111: Fix checks in LambdaFormEditor (bsc#1049322).
- CVE-2017-10243: Fix unspecified vulnerability in subcomponent JAX-WS (bsc#1049332).
- CVE-2017-10125: Fix unspecified vulnerability in subcomponent deployment (bsc#1049327).
- CVE-2017-10114: Fix unspecified vulnerability in subcomponent JavaFX (bsc#1049323).
- CVE-2017-10105: Fix unspecified vulnerability in subcomponent deployment (bsc#1049317).
- CVE-2017-10086: Fix unspecified in subcomponent JavaFX (bsc#1049310).
- CVE-2017-10198: Fix incorrect enforcement of certificate path restrictions (bsc#1049331).
- CVE-2017-10193: Fix incorrect key size constraint check (bsc#1049330).
Bug fixes:
- Drop Exec Shield workaround to fix crashes on recent kernels, where Exec Shield is gone (bsc#1052318).
ImportantSUSE bug 1049305SUSE bug 1049306SUSE bug 1049307SUSE bug 1049309SUSE bug 1049310SUSE bug 1049311SUSE bug 1049312SUSE bug 1049313SUSE bug 1049314SUSE bug 1049315SUSE bug 1049316SUSE bug 1049317SUSE bug 1049318SUSE bug 1049319SUSE bug 1049320SUSE bug 1049321SUSE bug 1049322SUSE bug 1049323SUSE bug 1049324SUSE bug 1049325SUSE bug 1049326SUSE bug 1049327SUSE bug 1049328SUSE bug 1049329SUSE bug 1049330SUSE bug 1049331SUSE bug 1049332SUSE bug 1052318SUSE bug 1064071SUSE bug 1064072SUSE bug 1064073SUSE bug 1064075SUSE bug 1064077SUSE bug 1064078SUSE bug 1064079SUSE bug 1064080SUSE bug 1064081SUSE bug 1064082SUSE bug 1064083SUSE bug 1064084SUSE bug 1064085SUSE bug 1064086CVE-2016-10165 at SUSECVE-2016-10165 at NVDCVE-2016-9840 at SUSECVE-2016-9840 at NVDCVE-2016-9841 at SUSECVE-2016-9841 at NVDCVE-2016-9842 at SUSECVE-2016-9842 at NVDCVE-2016-9843 at SUSECVE-2016-9843 at NVDCVE-2017-10053 at SUSECVE-2017-10053 at NVDCVE-2017-10067 at SUSECVE-2017-10067 at NVDCVE-2017-10074 at SUSECVE-2017-10074 at NVDCVE-2017-10081 at SUSECVE-2017-10081 at NVDCVE-2017-10086 at SUSECVE-2017-10086 at NVDCVE-2017-10087 at SUSECVE-2017-10087 at NVDCVE-2017-10089 at SUSECVE-2017-10089 at NVDCVE-2017-10090 at SUSECVE-2017-10090 at NVDCVE-2017-10096 at SUSECVE-2017-10096 at NVDCVE-2017-10101 at SUSECVE-2017-10101 at NVDCVE-2017-10102 at SUSECVE-2017-10102 at NVDCVE-2017-10105 at SUSECVE-2017-10105 at NVDCVE-2017-10107 at SUSECVE-2017-10107 at NVDCVE-2017-10108 at SUSECVE-2017-10108 at NVDCVE-2017-10109 at SUSECVE-2017-10109 at NVDCVE-2017-10110 at SUSECVE-2017-10110 at NVDCVE-2017-10111 at SUSECVE-2017-10111 at NVDCVE-2017-10114 at SUSECVE-2017-10114 at NVDCVE-2017-10115 at SUSECVE-2017-10115 at NVDCVE-2017-10116 at SUSECVE-2017-10116 at NVDCVE-2017-10118 at SUSECVE-2017-10118 at NVDCVE-2017-10125 at SUSECVE-2017-10125 at NVDCVE-2017-10135 at SUSECVE-2017-10135 at NVDCVE-2017-10176 at SUSECVE-2017-10176 at NVDCVE-2017-10193 at SUSECVE-2017-10193 at NVDCVE-2017-10198 at SUSECVE-2017-10198 at NVDCVE-2017-10243 at SUSECVE-2017-10243 at NVDCVE-2017-10274 at SUSECVE-2017-10274 at NVDCVE-2017-10281 at SUSECVE-2017-10281 at NVDCVE-2017-10285 at SUSECVE-2017-10285 at NVDCVE-2017-10295 at SUSECVE-2017-10295 at NVDCVE-2017-10345 at SUSECVE-2017-10345 at NVDCVE-2017-10346 at SUSECVE-2017-10346 at NVDCVE-2017-10347 at SUSECVE-2017-10347 at NVDCVE-2017-10348 at SUSECVE-2017-10348 at NVDCVE-2017-10349 at SUSECVE-2017-10349 at NVDCVE-2017-10350 at SUSECVE-2017-10350 at NVDCVE-2017-10355 at SUSECVE-2017-10355 at NVDCVE-2017-10356 at SUSECVE-2017-10356 at NVDCVE-2017-10357 at SUSECVE-2017-10357 at NVDCVE-2017-10388 at SUSECVE-2017-10388 at NVDcpe:/o:suse:sles:12:sp3Security update for libvirt (Important)SUSE Linux Enterprise Server 12 SP3
This update for libvirt and virt-manager fixes the following issues:
Security issues fixed:
- CVE-2017-5715: Fixes for speculative side channel attacks aka 'SpectreAttack' (var2) (bsc#1079869).
- CVE-2018-6764: Fixed guest executable code injection via libnss_dns.so loaded by libvirt_lxc before init (bsc#1080042).
- CVE-2018-1064: Fixed denial of service when reading from guest agent (bsc#1083625).
Non-security issues fixed in libvirt:
- bsc#1070615: Fixed TPM device passthrough failure on kernels >= 4.0.
- bsc#1082041: SUSE Linux Enterprise 11 SP4 hvm converted to pvhvm. Unless vm memory is on gig boundary, vm won't boot.
- bsc#1082161: Unable to change RTC basis or adjustment for Xen HVM guests using libvirt.
Non-security issues fixed in virt-manager:
- bsc#1086038: VM guests cannot be properly installed with virt-install
- bsc#1067018: KVM Guest creation failed - Property .cmt not found
- bsc#1054986: Fix openSUSE 15.0 detection. It has no content file or .treeinfo file
- bsc#1085757: Fallback to latest version of openSUSE when opensuse-unknown is detected for the ISO
ImportantSUSE bug 1054986SUSE bug 1067018SUSE bug 1070615SUSE bug 1079869SUSE bug 1080042SUSE bug 1082041SUSE bug 1082161SUSE bug 1083625SUSE bug 1085757SUSE bug 1086038CVE-2017-5715 at SUSECVE-2017-5715 at NVDCVE-2018-1064 at SUSECVE-2018-1064 at NVDCVE-2018-6764 at SUSECVE-2018-6764 at NVDcpe:/o:suse:sles:12:sp3Security update for policycoreutils (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for policycoreutils fixes the following issues:
- CVE-2018-1063: Fixed problem to prevent chcon from following symlinks in /tmp, /var/tmp, /var/run and /var/lib/debug (bsc#1083624).
ModerateSUSE bug 1083624CVE-2018-1063 at SUSECVE-2018-1063 at NVDcpe:/o:suse:sles:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for openssl fixes the following issues:
- CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7)
could eventually exceed the stack given malicious input with excessive recursion. This could result
in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from
untrusted sources so this is considered safe. (bsc#1087102).
ModerateSUSE bug 1087102CVE-2018-0739 at SUSECVE-2018-0739 at NVDcpe:/o:suse:sles:12:sp3Security update for python3 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for python3 fixes the following issues:
Security issue fixed:
- CVE-2017-18207: Fixed possible denial of service vulnerability by adding a check to Lib/wave.py that verifies that at least one channel is provided (bsc#1083507).
Bug fixes:
- Require python-Sphinx-latex for building on Leap 42.3 or newer.
ModerateSUSE bug 1083507CVE-2017-18207 at SUSECVE-2017-18207 at NVDcpe:/o:suse:sles:12:sp3Security update for evince (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for evince fixes the following issues:
- CVE-2017-1000159: Command injection in evince via filename when printing to PDF could lead to command execution (bsc#1070046)
ModerateSUSE bug 1070046CVE-2017-1000159 at SUSECVE-2017-1000159 at NVDcpe:/o:suse:sles:12:sp3Security update for mariadb (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for mariadb fixes several issues.
These security issues were fixed:
- CVE-2017-3636: Client programs had an unspecified vulnerability that could
lead to unauthorized access and denial of service (bsc#1049399)
- CVE-2017-3641: DDL unspecified vulnerability could lead to denial of service
(bsc#1049404)
- CVE-2017-3653: DML Unspecified vulnerability could lead to unauthorized
database access (bsc#1049417)
This non-security issues was fixed:
- Add ODBC support for Connect engine (bsc#1039034)
- Relax required version for mariadb-errormessages (bsc#1072665)
ModerateSUSE bug 1039034SUSE bug 1049399SUSE bug 1049404SUSE bug 1049417SUSE bug 1054591SUSE bug 1072665CVE-2017-3636 at SUSECVE-2017-3636 at NVDCVE-2017-3641 at SUSECVE-2017-3641 at NVDCVE-2017-3653 at SUSECVE-2017-3653 at NVDcpe:/o:suse:sles:12:sp3Security update for memcached (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for memcached fixes the following issues:
- CVE-2018-1000115: Insufficient Control of Network Message Volume (Network Amplification, CWE-406) vulnerability
in the UDP support of the memcached server could result in denial of service via network flood
(traffic amplification of 1:50,000 has been reported by reliable sources). (bsc#1083903)
- Home directory shouldn't be world readable bsc#1077718
ModerateSUSE bug 1077718SUSE bug 1083903CVE-2018-1000115 at SUSECVE-2018-1000115 at NVDcpe:/o:suse:sles:12:sp3Security update for ntp (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ntp fixes the following issues:
- Update to 4.2.8p11 (bsc#1082210):
* CVE-2016-1549: Sybil vulnerability: ephemeral association
attack. While fixed in ntp-4.2.8p7, there are significant
additional protections for this issue in 4.2.8p11.
* CVE-2018-7182: ctl_getitem(): buffer read overrun
leads to undefined behavior and information leak. (bsc#1083426)
* CVE-2018-7170: Multiple authenticated ephemeral
associations. (bsc#1083424)
* CVE-2018-7184: Interleaved symmetric mode cannot
recover from bad state. (bsc#1083422)
* CVE-2018-7185: Unauthenticated packet can reset
authenticated interleaved association. (bsc#1083420)
* CVE-2018-7183: ntpq:decodearr() can write beyond its
buffer limit.(bsc#1083417)
- Don't use libevent's cached time stamps in sntp. (bsc#1077445)
ModerateSUSE bug 1077445SUSE bug 1082063SUSE bug 1082210SUSE bug 1083417SUSE bug 1083420SUSE bug 1083422SUSE bug 1083424SUSE bug 1083426CVE-2016-1549 at SUSECVE-2016-1549 at NVDCVE-2018-7170 at SUSECVE-2018-7170 at NVDCVE-2018-7182 at SUSECVE-2018-7182 at NVDCVE-2018-7183 at SUSECVE-2018-7183 at NVDCVE-2018-7184 at SUSECVE-2018-7184 at NVDCVE-2018-7185 at SUSECVE-2018-7185 at NVDcpe:/o:suse:sles:12:sp3Security update for wireshark (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for wireshark fixes the following issues:
- Update to wireshark 2.2.14, fix such issues:
* bsc#1088200 VUL-0: wireshark: multiple vulnerabilities
fixed in 2.2.14, 2.4.6
* CVE-2018-9256: LWAPP dissector crash
* CVE-2018-9260: IEEE 802.15.4 dissector crash
* CVE-2018-9261: NBAP dissector crash
* CVE-2018-9262: VLAN dissector crash
* CVE-2018-9263: Kerberos dissector crash
* CVE-2018-9264: ADB dissector crash
* CVE-2018-9265: tn3270 dissector has a memory leak
* CVE-2018-9266: ISUP dissector memory leak
* CVE-2018-9267: LAPD dissector memory leak
* CVE-2018-9268: SMB2 dissector memory leak
* CVE-2018-9269: GIOP dissector memory leak
* CVE-2018-9270: OIDS dissector memory leak
* CVE-2018-9271: multipart dissector memory leak
* CVE-2018-9272: h223 dissector memory leak
* CVE-2018-9273: pcp dissector memory leak
* CVE-2018-9274: failure message memory leak
* CVE-2018-9259: MP4 dissector crash
ModerateSUSE bug 1088200CVE-2018-9256 at SUSECVE-2018-9256 at NVDCVE-2018-9259 at SUSECVE-2018-9259 at NVDCVE-2018-9260 at SUSECVE-2018-9260 at NVDCVE-2018-9261 at SUSECVE-2018-9261 at NVDCVE-2018-9262 at SUSECVE-2018-9262 at NVDCVE-2018-9263 at SUSECVE-2018-9263 at NVDCVE-2018-9264 at SUSECVE-2018-9264 at NVDCVE-2018-9265 at SUSECVE-2018-9265 at NVDCVE-2018-9266 at SUSECVE-2018-9266 at NVDCVE-2018-9267 at SUSECVE-2018-9267 at NVDCVE-2018-9268 at SUSECVE-2018-9268 at NVDCVE-2018-9269 at SUSECVE-2018-9269 at NVDCVE-2018-9270 at SUSECVE-2018-9270 at NVDCVE-2018-9271 at SUSECVE-2018-9271 at NVDCVE-2018-9272 at SUSECVE-2018-9272 at NVDCVE-2018-9273 at SUSECVE-2018-9273 at NVDCVE-2018-9274 at SUSECVE-2018-9274 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3
The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.126 to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2018-1091: In the flush_tmregs_to_thread function in arch/powerpc/kernel/ptrace.c, a guest kernel crash can be triggered from unprivileged userspace during a core dump on a POWER host due to a missing processor feature check and an erroneous use of transactional memory (TM) instructions in the core dump path, leading to a denial of service (bnc#1087231).
- CVE-2018-7740: The resv_map_release function in mm/hugetlb.c allowed local users to cause a denial of service (BUG) via a crafted application that made mmap system calls and has a large pgoff argument to the remap_file_pages system call (bnc#1084353).
- CVE-2018-8043: The unimac_mdio_probe function in drivers/net/phy/mdio-bcm-unimac.c did not validate certain resource availability, which allowed local users to cause a denial of service (NULL pointer dereference) (bnc#1084829).
- CVE-2017-18257: The __get_data_block function in fs/f2fs/data.c allowed local users to cause a denial of service (integer overflow and loop) via crafted use of the open and fallocate system calls with an FS_IOC_FIEMAP ioctl. (bnc#1088241)
- CVE-2018-8822: Incorrect buffer length handling in the ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c could be exploited by malicious NCPFS servers to crash the kernel or execute code (bnc#1086162).
The following non-security bugs were fixed:
- acpica: Add header support for TPM2 table changes (bsc#1084452).
- acpica: Add support for new SRAT subtable (bsc#1085981).
- acpica: iasl: Update to IORT SMMUv3 disassembling (bsc#1085981).
- acpi/iort: numa: Add numa node mapping for smmuv3 devices (bsc#1085981).
- acpi, numa: fix pxm to online numa node associations (bnc#1012382).
- acpi / pmic: xpower: Fix power_table addresses (bnc#1012382).
- acpi/processor: Fix error handling in __acpi_processor_start() (bnc#1012382).
- acpi/processor: Replace racy task affinity logic (bnc#1012382).
- add mainline tag to various patches to be able to get further work done
- af_iucv: enable control sends in case of SEND_SHUTDOWN (bnc#1085507, LTC#165135).
- agp/intel: Flush all chipset writes after updating the GGTT (bnc#1012382).
- ahci: Add PCI-id for the Highpoint Rocketraid 644L card (bnc#1012382).
- alsa: aloop: Fix access to not-yet-ready substream via cable (bnc#1012382).
- alsa: aloop: Sync stale timer before release (bnc#1012382).
- alsa: firewire-digi00x: handle all MIDI messages on streaming packets (bnc#1012382).
- alsa: hda: Add a power_save blacklist (bnc#1012382).
- alsa: hda: add dock and led support for HP EliteBook 820 G3 (bnc#1012382).
- alsa: hda: add dock and led support for HP ProBook 640 G2 (bnc#1012382).
- alsa: hda/realtek - Always immediately update mute LED with pin VREF (bnc#1012382).
- alsa: hda/realtek - Fix dock line-out volume on Dell Precision 7520 (bnc#1012382).
- alsa: hda/realtek - Fix speaker no sound after system resume (bsc#1031717).
- alsa: hda - Revert power_save option default value (git-fixes).
- alsa: pcm: Fix UAF in snd_pcm_oss_get_formats() (bnc#1012382).
- alsa: usb-audio: Add a quirck for B&W PX headphones (bnc#1012382).
- alsa: usb-audio: Fix parsing descriptor of UAC2 processing unit (bnc#1012382).
- apparmor: Make path_max parameter readonly (bnc#1012382).
- arm64: Add ARM_SMCCC_ARCH_WORKAROUND_1 BP hardening support (bsc#1068032).
- arm64: Add missing Falkor part number for branch predictor hardening (bsc#1068032).
- arm64: capabilities: Handle duplicate entries for a capability (bsc#1068032).
- arm64: cpufeature: __this_cpu_has_cap() shouldn't stop early (bsc#1068032).
- arm64 / cpuidle: Use new cpuidle macro for entering retention state (bsc#1084328).
- arm64: Enforce BBM for huge IO/VMAP mappings (bsc#1088313).
- arm64: fix smccc compilation (bsc#1068032).
- arm64: Kill PSCI_GET_VERSION as a variant-2 workaround (bsc#1068032).
- arm64: KVM: Add SMCCC_ARCH_WORKAROUND_1 fast handling (bsc#1068032).
- arm64: KVM: Increment PC after handling an SMC trap (bsc#1068032).
- arm64: KVM: Report SMCCC_ARCH_WORKAROUND_1 BP hardening support (bsc#1068032).
- arm64: mm: do not write garbage into TTBR1_EL1 register (bsc#1085487).
- arm64: mm: fix thinko in non-global page table attribute check (bsc#1088050).
- arm64: Relax ARM_SMCCC_ARCH_WORKAROUND_1 discovery (bsc#1068032).
- arm: 8668/1: ftrace: Fix dynamic ftrace with DEBUG_RODATA and !FRAME_POINTER (bnc#1012382).
- arm/arm64: KVM: Add PSCI_VERSION helper (bsc#1068032).
- arm/arm64: KVM: Add smccc accessors to PSCI code (bsc#1068032).
- arm/arm64: KVM: Advertise SMCCC v1.1 (bsc#1068032).
- arm/arm64: KVM: Consolidate the PSCI include files (bsc#1068032).
- arm/arm64: KVM: Implement PSCI 1.0 support (bsc#1068032).
- arm/arm64: KVM: Turn kvm_psci_version into a static inline (bsc#1068032).
- arm/arm64: smccc: Implement SMCCC v1.1 inline primitive (bsc#1068032).
- arm/arm64: smccc: Make function identifiers an unsigned quantity (bsc#1068032).
- arm: DRA7: clockdomain: Change the CLKTRCTRL of CM_PCIE_CLKSTCTRL to SW_WKUP (bnc#1012382).
- arm: dts: Adjust moxart IRQ controller and flags (bnc#1012382).
- arm: dts: am335x-pepper: Fix the audio CODEC's reset pin (bnc#1012382).
- arm: dts: exynos: Correct Trats2 panel reset line (bnc#1012382).
- arm: dts: koelsch: Correct clock frequency of X2 DU clock input (bnc#1012382).
- arm: dts: LogicPD Torpedo: Fix I2C1 pinmux (bnc#1012382).
- arm: dts: LogicPD Torpedo: Fix I2C1 pinmux (bnc#1012382).
- arm: dts: omap3-n900: Fix the audio CODEC's reset pin (bnc#1012382).
- arm: dts: r8a7790: Correct parent of SSI[0-9] clocks (bnc#1012382).
- arm: dts: r8a7791: Correct parent of SSI[0-9] clocks (bnc#1012382).
- arm: mvebu: Fix broken PL310_ERRATA_753970 selects (bnc#1012382).
- asoc: rcar: ssi: do not set SSICR.CKDV = 000 with SSIWSR.CONT (bnc#1012382).
- ath10k: disallow DFS simulation if DFS channel is not enabled (bnc#1012382).
- ath10k: fix invalid STS_CAP_OFFSET_MASK (bnc#1012382).
- ath10k: update tdls teardown state to target (bnc#1012382).
- ath: Fix updating radar flags for coutry code India (bnc#1012382).
- batman-adv: handle race condition for claims between gateways (bnc#1012382).
- bcache: do not attach backing with duplicate UUID (bnc#1012382).
- blkcg: fix double free of new_blkg in blkcg_init_queue (bnc#1012382).
- blk-throttle: make sure expire time isn't too big (bnc#1012382).
- block: do not assign cmd_flags in __blk_rq_prep_clone (bsc#1088087).
- block-mq: stop workqueue items in blk_mq_stop_hw_queue() (bsc#1084967).
- bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174 (bnc#1012382).
- bluetooth: hci_qca: Avoid setup failure on missing rampatch (bnc#1012382).
- bnx2x: Align RX buffers (bnc#1012382).
- bonding: refine bond_fold_stats() wrap detection (bnc#1012382).
- bpf: fix incorrect sign extension in check_alu_op() (bnc#1012382).
- bpf: skip unnecessary capability check (bnc#1012382).
- bpf, x64: implement retpoline for tail call (bnc#1012382).
- bpf, x64: increase number of passes (bnc#1012382).
- braille-console: Fix value returned by _braille_console_setup (bnc#1012382).
- brcmfmac: fix P2P_DEVICE ethernet address generation (bnc#1012382).
- bridge: check brport attr show in brport_show (bnc#1012382).
- btrfs: alloc_chunk: fix DUP stripe size handling (bnc#1012382).
- btrfs: Fix use-after-free when cleaning up fs_devs with a single stale device (bnc#1012382).
- btrfs: improve delayed refs iterations (bsc#1076033).
- btrfs: incremental send, fix invalid memory access (git-fixes).
- btrfs: preserve i_mode if __btrfs_set_acl() fails (bnc#1012382).
- btrfs: send, fix file hole not being preserved due to inline extent (bnc#1012382).
- can: cc770: Fix queue stall & dropped RTR reply (bnc#1012382).
- can: cc770: Fix stalls on rt-linux, remove redundant IRQ ack (bnc#1012382).
- can: cc770: Fix use after free in cc770_tx_interrupt() (bnc#1012382).
- ceph: only dirty ITER_IOVEC pages for direct read (bsc#1084898).
- ch9200: use skb_cow_head() to deal with cloned skbs (bsc#1088684).
- clk: bcm2835: Protect sections updating shared registers (bnc#1012382).
- clk: ns2: Correct SDIO bits (bnc#1012382).
- clk: qcom: msm8916: fix mnd_width for codec_digcodec (bnc#1012382).
- clk: si5351: Rename internal plls to avoid name collisions (bnc#1012382).
- coresight: Fix disabling of CoreSight TPIU (bnc#1012382).
- coresight: Fixes coresight DT parse to get correct output port ID (bnc#1012382).
- cpufreq: Fix governor module removal race (bnc#1012382).
- cpufreq: s3c24xx: Fix broken s3c_cpufreq_init() (bnc#1012382).
- cpufreq/sh: Replace racy task affinity logic (bnc#1012382).
- cpuidle: Add new macro to enter a retention idle state (bsc#1084328).
- cros_ec: fix nul-termination for firmware build info (bnc#1012382).
- crypto: cavium - fix memory leak on info (bsc#1086518).
- dcache: Add cond_resched in shrink_dentry_list (bsc#1086194).
- dccp: check sk for closed state in dccp_sendmsg() (bnc#1012382).
- dmaengine: imx-sdma: add 1ms delay to ensure SDMA channel is stopped (bnc#1012382).
- dmaengine: ti-dma-crossbar: Fix event mapping for TPCC_EVT_MUX_60_63 (bnc#1012382).
- dm: Always copy cmd_flags when cloning a request (bsc#1088087).
- driver: (adm1275) set the m,b and R coefficients correctly for power (bnc#1012382).
- drm: Allow determining if current task is output poll worker (bnc#1012382).
- drm/amdgpu/dce: Do not turn off DP sink when disconnected (bnc#1012382).
- drm/amdgpu: Fail fb creation from imported dma-bufs. (v2) (bnc#1012382).
- drm/amdgpu: Fix deadlock on runtime suspend (bnc#1012382).
- drm/amdgpu: fix KV harvesting (bnc#1012382).
- drm/amdgpu: Notify sbios device ready before send request (bnc#1012382).
- drm/amdkfd: Fix memory leaks in kfd topology (bnc#1012382).
- drm: Defer disabling the vblank IRQ until the next interrupt (for instant-off) (bnc#1012382).
- drm/edid: set ELD connector type in drm_edid_to_eld() (bnc#1012382).
- drm/i915/cmdparser: Do not check past the cmd length (bsc#1031717).
- drm/i915/psr: Check for the specific AUX_FRAME_SYNC cap bit (bsc#1031717).
- drm/msm: fix leak in failed get_pages (bnc#1012382).
- drm/nouveau: Fix deadlock on runtime suspend (bnc#1012382).
- drm/nouveau/kms: Increase max retries in scanout position queries (bnc#1012382).
- drm/omap: DMM: Check for DMM readiness after successful transaction commit (bnc#1012382).
- drm: qxl: Do not alloc fbdev if emulation is not supported (bnc#1012382).
- drm/radeon: Do not turn off DP sink when disconnected (bnc#1012382).
- drm/radeon: Fail fb creation from imported dma-bufs (bnc#1012382).
- drm/radeon: Fix deadlock on runtime suspend (bnc#1012382).
- drm/radeon: fix KV harvesting (bnc#1012382).
- drm: udl: Properly check framebuffer mmap offsets (bnc#1012382).
- drm/vmwgfx: Fix a destoy-while-held mutex problem (bnc#1012382).
- drm/vmwgfx: Fixes to vmwgfx_fb (bnc#1012382).
- e1000e: Avoid missed interrupts following ICR read (bsc#1075428).
- e1000e: Avoid receiver overrun interrupt bursts (bsc#1075428).
- e1000e: Fix check_for_link return value with autoneg off (bsc#1075428).
- e1000e: Fix link check race condition (bsc#1075428).
- e1000e: Fix queue interrupt re-raising in Other interrupt (bsc#1075428).
- e1000e: fix timing for 82579 Gigabit Ethernet controller (bnc#1012382).
- e1000e: Remove Other from EIAC (bsc#1075428).
- edac, sb_edac: Fix out of bound writes during DIMM configuration on KNL (git-fixes 3286d3eb906c).
- ext4: inplace xattr block update fails to deduplicate blocks (bnc#1012382).
- f2fs: relax node version check for victim data in gc (bnc#1012382).
- fib_semantics: Do not match route with mismatching tclassid (bnc#1012382).
- firmware/psci: Expose PSCI conduit (bsc#1068032).
- firmware/psci: Expose SMCCC version through psci_ops (bsc#1068032).
- fixup: sctp: verify size of a new chunk in _sctp_make_chunk() (bnc#1012382).
- fs/aio: Add explicit RCU grace period when freeing kioctx (bnc#1012382).
- fs/aio: Use RCU accessors for kioctx_table->table[] (bnc#1012382).
- fs/hugetlbfs/inode.c: change put_page/unlock_page order in hugetlbfs_fallocate() (git-fixes, bsc#1083745).
- fs: Teach path_connected to handle nfs filesystems with multiple roots (bnc#1012382).
- genirq: Track whether the trigger type has been set (git-fixes).
- genirq: Use irqd_get_trigger_type to compare the trigger type for shared IRQs (bnc#1012382).
- hdlc_ppp: carrier detect ok, do not turn off negotiation (bnc#1012382).
- hid: clamp input to logical range if no null state (bnc#1012382).
- hid: reject input outside logical range only if null state is set (bnc#1012382).
- hugetlbfs: fix offset overflow in hugetlbfs mmap (bnc#1084353).
- hv_balloon: fix bugs in num_pages_onlined accounting (fate#323887).
- hv_balloon: fix printk loglevel (fate#323887).
- hv_balloon: simplify hv_online_page()/hv_page_online_one() (fate#323887).
- i2c: i2c-scmi: add a MS HID (bnc#1012382).
- i2c: xlp9xx: Check for Bus state before every transfer (bsc#1084310).
- i2c: xlp9xx: Handle NACK on DATA properly (bsc#1084310).
- i2c: xlp9xx: Handle transactions with I2C_M_RECV_LEN properly (bsc#1060799).
- i2c: xlp9xx: return ENXIO on slave address NACK (bsc#1060799).
- i40e: Acquire NVM lock before reads on all devices (bnc#1012382).
- i40e: avoid NVM acquire deadlock during NVM update (git-fixes).
- ia64: fix module loading for gcc-5.4 (bnc#1012382).
- ib/ipoib: Avoid memory leak if the SA returns a different DGID (bnc#1012382).
- ib/ipoib: Update broadcast object if PKey value was changed in index 0 (bnc#1012382).
- ib/mlx4: Change vma from shared to private (bnc#1012382).
- ib/mlx4: Take write semaphore when changing the vma struct (bnc#1012382).
- ibmvfc: Avoid unnecessary port relogin (bsc#1085404).
- ibmvnic: Disable irqs before exiting reset from closed state (bsc#1084610).
- ibmvnic: Do not reset CRQ for Mobility driver resets (bsc#1088600).
- ibmvnic: Fix DMA mapping mistakes (bsc#1088600).
- ibmvnic: Fix failover case for non-redundant configuration (bsc#1088600).
- ibmvnic: Fix reset return from closed state (bsc#1084610).
- ibmvnic: Fix reset scheduler error handling (bsc#1088600).
- ibmvnic: Potential NULL dereference in clean_one_tx_pool() (bsc#1085224, git-fixes).
- ibmvnic: Remove unused TSO resources in TX pool structure (bsc#1085224).
- ibmvnic: Update TX pool cleaning routine (bsc#1085224).
- ibmvnic: Zero used TX descriptor counter on reset (bsc#1088600).
- ib/umem: Fix use of npages/nmap fields (bnc#1012382).
- ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event() (bnc#1012382).
- iio: st_pressure: st_accel: Initialise sensor platform data properly (bnc#1012382).
- iio: st_pressure: st_accel: pass correct platform data to init (git-fixes).
- ima: relax requiring a file signature for new files with zero length (bnc#1012382).
- infiniband/uverbs: Fix integer overflows (bnc#1012382).
- input: matrix_keypad - fix race when disabling interrupts (bnc#1012382).
- input: qt1070 - add OF device ID table (bnc#1012382).
- input: tsc2007 - check for presence and power down tsc2007 during probe (bnc#1012382).
- iommu/omap: Register driver before setting IOMMU ops (bnc#1012382).
- iommu/vt-d: clean up pr_irq if request_threaded_irq fails (bnc#1012382).
- ip6_vti: adjust vti mtu according to mtu of lower device (bnc#1012382).
- ipmi: do not probe ACPI devices if si_tryacpi is unset (bsc#1060799).
- ipmi: Fix the I2C address extraction from SPMI tables (bsc#1060799).
- ipmi_ssif: Fix kernel panic at msg_done_handler (bsc#1088871).
- ipmi_ssif: Fix logic around alert handling (bsc#1060799).
- ipmi_ssif: remove redundant null check on array client->adapter->name (bsc#1060799).
- ipmi_ssif: unlock on allocation failure (bsc#1060799).
- ipmi:ssif: Use i2c_adapter_id instead of adapter->nr (bsc#1060799).
- ipmi: Use the proper default value for register size in ACPI (bsc#1060799).
- ipmi/watchdog: fix wdog hang on panic waiting for ipmi response (bnc#1012382).
- ipv6: fix access to non-linear packet in ndisc_fill_redirect_hdr_option() (bnc#1012382).
- ipv6 sit: work around bogus gcc-8 -Wrestrict warning (bnc#1012382).
- ipvlan: add L2 check for packets arriving via virtual devices (bnc#1012382).
- irqchip/gic-v3-its: Add ACPI NUMA node mapping (bsc#1085981).
- irqchip/gic-v3-its: Allow GIC ITS number more than MAX_NUMNODES (bsc#1085981).
- irqchip/gic-v3-its: Ensure nr_ites >= nr_lpis (bnc#1012382).
- irqchip/gic-v3-its: Remove ACPICA version check for ACPI NUMA (bsc#1085981).
- kbuild: disable clang's default use of -fmerge-all-constants (bnc#1012382).
- kbuild: Handle builtin dtb file names containing hyphens (bnc#1012382).
- kprobes/x86: Fix kprobe-booster not to boost far call instructions (bnc#1012382).
- kprobes/x86: Fix to set RWX bits correctly before releasing trampoline (git-fixes).
- kprobes/x86: Set kprobes pages read-only (bnc#1012382).
- kvm: arm/arm64: Handle CPU_PM_ENTER_FAILED (bsc#1086499).
- kvm: arm/arm64: vgic: Add missing irq_lock to vgic_mmio_read_pending (bsc#1086499).
- kvm: arm/arm64: vgic: Do not populate multiple LRs with the same vintid (bsc#1086499).
- kvm: arm/arm64: vgic-its: Check result of allocation before use (bsc#).
- kvm: arm/arm64: vgic-its: Preserve the revious read from the pending table (bsc#1086499).
- kvm: arm/arm64: vgic-v3: Tighten synchronization for guests using v2 on v3 (bsc#1086499).
- kvm: mmu: Fix overlap between public and private memslots (bnc#1012382).
- kvm: nVMX: fix nested tsc scaling (bsc1087999).
- kvm: PPC: Book3S PR: Exit KVM on failed mapping (bnc#1012382).
- kvm/x86: fix icebp instruction handling (bnc#1012382).
- l2tp: do not accept arbitrary sockets (bnc#1012382).
- libata: Apply NOLPM quirk to Crucial M500 480 and 960GB SSDs (bnc#1012382).
- libata: Apply NOLPM quirk to Crucial MX100 512GB SSDs (bnc#1012382).
- libata: disable LPM for Crucial BX100 SSD 500GB drive (bnc#1012382).
- libata: Enable queued TRIM for Samsung SSD 860 (bnc#1012382).
- libata: fix length validation of ATAPI-relayed SCSI commands (bnc#1012382).
- libata: Make Crucial BX100 500GB LPM quirk apply to all firmware versions (bnc#1012382).
- libata: Modify quirks for MX100 to limit NCQ_TRIM quirk to MU01 version (bnc#1012382).
- libata: remove WARN() for DMA or PIO command without data (bnc#1012382).
- lock_parent() needs to recheck if dentry got __dentry_kill'ed under it (bnc#1012382).
- loop: Fix lost writes caused by missing flag (bnc#1012382).
- lpfc: update version to 11.4.0.7-1 (bsc#1085383).
- mac80211: do not parse encrypted management frames in ieee80211_frame_acked (bnc#1012382).
- mac80211: do not WARN on bad WMM parameters from buggy APs (bsc#1031717).
- mac80211_hwsim: enforce PS_MANUAL_POLL to be set after PS_ENABLED (bnc#1012382).
- mac80211: remove BUG() when interface type is invalid (bnc#1012382).
- md-cluster: fix wrong condition check in raid1_write_request (bsc#1085402).
- md/raid10: skip spare disk as 'first' disk (bnc#1012382).
- md/raid10: wait up frozen array in handle_write_completed (bnc#1012382).
- md/raid6: Fix anomily when recovering a single device in RAID6 (bnc#1012382).
- media: au0828: fix VIDEO_V4L2 dependency (bsc#1031717).
- media: bt8xx: Fix err 'bt878_probe()' (bnc#1012382).
- media: c8sectpfe: fix potential NULL pointer dereference in c8sectpfe_timer_interrupt (bnc#1012382).
- media: cpia2: Fix a couple off by one bugs (bnc#1012382).
- media: cx25821: prevent out-of-bounds read on array card (bsc#1031717).
- media/dvb-core: Race condition when writing to CAM (bnc#1012382).
- media: i2c/soc_camera: fix ov6650 sensor getting wrong clock (bnc#1012382).
- media: m88ds3103: do not call a non-initalized function (bnc#1012382).
- media: [RESEND] media: dvb-frontends: Add delay to Si2168 restart (bnc#1012382).
- media: s3c-camif: fix out-of-bounds array access (bsc#1031717).
- mfd: palmas: Reset the POWERHOLD mux during power off (bnc#1012382).
- mmc: avoid removing non-removable hosts during suspend (bnc#1012382).
- mmc: dw_mmc: fix falling from idmac to PIO mode when dw_mci_reset occurs (bnc#1012382).
- mmc: dw_mmc: Fix the DTO/CTO timeout overflow calculation for 32-bit systems (bsc#1088267).
- mmc: sdhci-of-esdhc: limit SD clock for ls1012a/ls1046a (bnc#1012382).
- mm: Fix false-positive VM_BUG_ON() in page_cache_{get,add}_speculative() (bnc#1012382).
- mm/hugetlb.c: do not call region_abort if region_chg fails (bnc#1084353).
- mm/vmalloc: add interfaces to free unmapped page table (bnc#1012382).
- mpls, nospec: Sanitize array index in mpls_label_ok() (bnc#1012382).
- mt7601u: check return value of alloc_skb (bnc#1012382).
- mtd: nand: fix interpretation of NAND_CMD_NONE in nand_command[_lp]() (bnc#1012382).
- mtd: nand: fsl_ifc: Fix nand waitfunc return value (bnc#1012382).
- mtip32xx: use runtime tag to initialize command header (bnc#1012382).
- net/8021q: create device with all possible features in wanted_features (bnc#1012382).
- net: ethernet: arc: Fix a potential memory leak if an optional regulator is deferred (bnc#1012382).
- net: ethernet: ti: cpsw: add check for in-band mode setting with RGMII PHY interface (bnc#1012382).
- net/faraday: Add missing include of of.h (bnc#1012382).
- net: fec: Fix unbalanced PM runtime calls (bnc#1012382).
- netfilter: add back stackpointer size checks (bnc#1012382).
- netfilter: bridge: ebt_among: add missing match size checks (bnc#1012382).
- netfilter: IDLETIMER: be syzkaller friendly (bnc#1012382).
- netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt (bnc#1012382).
- netfilter: nat: cope with negative port range (bnc#1012382).
- netfilter: use skb_to_full_sk in ip_route_me_harder (bnc#1012382).
- netfilter: x_tables: fix missing timer initialization in xt_LED (bnc#1012382).
- netfilter: xt_CT: fix refcnt leak on error path (bnc#1012382).
- net: Fix hlist corruptions in inet_evict_bucket() (bnc#1012382).
- net: fix race on decreasing number of TX queues (bnc#1012382).
- net: hns: Fix ethtool private flags (bsc#1085511).
- net: ipv4: avoid unused variable warning for sysctl (git-fixes).
- net: ipv4: do not allow setting net.ipv4.route.min_pmtu below 68 (bnc#1012382).
- net: ipv6: send unsolicited NA after DAD (git-fixes).
- net: ipv6: send unsolicited NA on admin up (bnc#1012382).
- net/iucv: Free memory obtained by kzalloc (bnc#1012382).
- netlink: avoid a double skb free in genlmsg_mcast() (bnc#1012382).
- netlink: ensure to loop over all netns in genlmsg_multicast_allns() (bnc#1012382).
- net: mpls: Pull common label check into helper (bnc#1012382).
- net: Only honor ifindex in IP_PKTINFO if non-0 (bnc#1012382).
- net: systemport: Rewrite __bcm_sysport_tx_reclaim() (bnc#1012382).
- net: xfrm: allow clearing socket xfrm policies (bnc#1012382).
- nfc: nfcmrvl: double free on error path (bnc#1012382).
- nfc: nfcmrvl: Include unaligned.h instead of access_ok.h (bnc#1012382).
- nfsd4: permit layoutget of executable-only files (bnc#1012382).
- nfs: Fix an incorrect type in struct nfs_direct_req (bnc#1012382).
- nospec: Allow index argument to have const-qualified type (bnc#1012382).
- nospec: Include <asm/barrier.h> dependency (bnc#1012382).
- nvme: do not send keep-alive frames during reset (bsc#1084223).
- nvme: do not send keep-alives to the discovery controller (bsc#1086607).
- nvme: expand nvmf_check_if_ready checks (bsc#1085058).
- nvme/rdma: do no start error recovery twice (bsc#1084967).
- nvmet_fc: prevent new io rqsts in possible isr completions (bsc#1083574).
- of: fix of_device_get_modalias returned length when truncating buffers (bnc#1012382).
- openvswitch: Delete conntrack entry clashing with an expectation (bnc#1012382).
- Partial revert 'e1000e: Avoid receiver overrun interrupt bursts' (bsc#1075428).
- pci/ACPI: Fix bus range comparison in pci_mcfg_lookup() (bsc#1084699).
- pci: Add function 1 DMA alias quirk for Highpoint RocketRAID 644L (bnc#1012382).
- pci: Add pci_reset_function_locked() (bsc#1084889).
- pci: Apply Cavium ACS quirk only to CN81xx/CN83xx/CN88xx devices (bsc#1084914).
- pci: Avoid FLR for Intel 82579 NICs (bsc#1084889).
- pci: Avoid slot reset if bridge itself is broken (bsc#1084918).
- pci: Export pcie_flr() (bsc#1084889).
- pci: hv: Fix 2 hang issues in hv_compose_msi_msg() (fate#323887, bsc#1087659, bsc#1087906).
- pci: hv: Fix a comment typo in _hv_pcifront_read_config() (fate#323887, bsc#1087659).
- pci: hv: Only queue new work items in hv_pci_devices_present() if necessary (fate#323887, bsc#1087659).
- pci: hv: Remove the bogus test in hv_eject_device_work() (fate#323887, bsc#1087659).
- pci: hv: Serialize the present and eject work items (fate#323887, bsc#1087659).
- pci: Mark Haswell Power Control Unit as having non-compliant BARs (bsc#1086015).
- pci/MSI: Stop disabling MSI/MSI-X in pci_device_shutdown() (bnc#1012382).
- pci: Probe for device reset support during enumeration (bsc#1084889).
- pci: Protect pci_error_handlers->reset_notify() usage with device_lock() (bsc#1084889).
- pci: Protect restore with device lock to be consistent (bsc#1084889).
- pci: Remove __pci_dev_reset() and pci_dev_reset() (bsc#1084889).
- pci: Remove redundant probes for device reset support (bsc#1084889).
- pci: Wait for up to 1000ms after FLR reset (bsc#1084889).
- perf inject: Copy events when reordering events in pipe mode (bnc#1012382).
- perf probe: Return errno when not hitting any event (bnc#1012382).
- perf session: Do not rely on evlist in pipe mode (bnc#1012382).
- perf sort: Fix segfault with basic block 'cycles' sort dimension (bnc#1012382).
- perf tests kmod-path: Do not fail if compressed modules are not supported (bnc#1012382).
- perf tools: Make perf_event__synthesize_mmap_events() scale (bnc#1012382).
- perf/x86/intel: Do not accidentally clear high bits in bdw_limit_period() (bnc#1012382).
- perf/x86/intel/uncore: Fix multi-domain PCI CHA enumeration bug on Skylake servers (bsc#1086357).
- pinctrl: Really force states during suspend/resume (bnc#1012382).
- platform/chrome: Use proper protocol transfer function (bnc#1012382).
- platform/x86: asus-nb-wmi: Add wapf4 quirk for the X302UA (bnc#1012382).
- power: supply: pda_power: move from timer to delayed_work (bnc#1012382).
- ppp: prevent unregistered channels from connecting to PPP units (bnc#1012382).
- pty: cancel pty slave port buf's work in tty_release (bnc#1012382).
- pwm: tegra: Increase precision in PWM rate calculation (bnc#1012382).
- qed: Free RoCE ILT Memory on rmmod qedr (bsc#1019695 FATE#321703 bsc#1019699 FATE#321702 bsc#1022604 FATE#321747).
- qed: Use after free in qed_rdma_free() (bsc#1019695 FATE#321703 bsc#1019699 FATE#321702 bsc#1022604 FATE#321747).
- qeth: repair SBAL elements calculation (bnc#1085507, LTC#165484).
- qlcnic: fix unchecked return value (bnc#1012382).
- rcutorture/configinit: Fix build directory error message (bnc#1012382).
- rdma/cma: Use correct size when writing netlink stats (bnc#1012382).
- rdma/core: Do not use invalid destination in determining port reuse (FATE#321231 FATE#321473 FATE#322153 FATE#322149).
- rdma/iwpm: Fix uninitialized error code in iwpm_send_mapinfo() (bnc#1012382).
- rdma/mlx5: Fix integer overflow while resizing CQ (bnc#1012382).
- rdma/ocrdma: Fix permissions for OCRDMA_RESET_STATS (bnc#1012382).
- rdma/ucma: Check that user does not overflow QP state (bnc#1012382).
- rdma/ucma: Fix access to non-initialized CM_ID object (bnc#1012382).
- rdma/ucma: Limit possible option size (bnc#1012382).
- regmap: Do not use format_val in regmap_bulk_read (bsc#1031717).
- regmap: Fix reversed bounds check in regmap_raw_write() (bsc#1031717).
- regmap: Format data for raw write in regmap_bulk_write (bsc#1031717).
- regmap-i2c: Off by one in regmap_i2c_smbus_i2c_read/write() (bsc#1031717).
- regulator: anatop: set default voltage selector for pcie (bnc#1012382).
- reiserfs: Make cancel_old_flush() reliable (bnc#1012382).
- Revert 'ARM: dts: LogicPD Torpedo: Fix I2C1 pinmux' (bnc#1012382).
- Revert 'e1000e: Separate signaling for link check/link up' (bsc#1075428).
- Revert 'genirq: Use irqd_get_trigger_type to compare the trigger type for shared IRQs' (bnc#1012382).
- Revert 'ipvlan: add L2 check for packets arriving via virtual devices' (reverted in upstream).
- Revert 'led: core: Fix brightness setting when setting delay_off=0' (bnc#1012382).
- rndis_wlan: add return value validation (bnc#1012382).
- rtc: cmos: Do not assume irq 8 for rtc when there are no legacy irqs (bnc#1012382).
- rtlwifi: rtl8723be: Fix loss of signal (bnc#1012382).
- rtlwifi: rtl_pci: Fix the bug when inactiveps is enabled (bnc#1012382).
- s390/mm: fix local TLB flushing vs. detach of an mm address space (bnc#1088324, LTC#166470).
- s390/mm: fix race on mm->context.flush_mm (bnc#1088324, LTC#166470).
- s390/mm: no local TLB flush for clearing-by-ASCE IDTE (bnc#1088324, LTC#166470).
- s390/qeth: apply takeover changes when mode is toggled (bnc#1085507, LTC#165490).
- s390/qeth: do not apply takeover changes to RXIP (bnc#1085507, LTC#165490).
- s390/qeth: fix double-free on IP add/remove race (bnc#1085507, LTC#165491).
- s390/qeth: fix IPA command submission race (bnc#1012382).
- s390/qeth: fix IP address lookup for L3 devices (bnc#1085507, LTC#165491).
- s390/qeth: fix IP removal on offline cards (bnc#1085507, LTC#165491).
- s390/qeth: fix SETIP command handling (bnc#1012382).
- s390/qeth: free netdevice when removing a card (bnc#1012382).
- s390/qeth: improve error reporting on IP add/removal (bnc#1085507, LTC#165491).
- s390/qeth: lock IP table while applying takeover changes (bnc#1085507, LTC#165490).
- s390/qeth: lock read device while queueing next buffer (bnc#1012382).
- s390/qeth: on channel error, reject further cmd requests (bnc#1012382).
- s390/qeth: update takeover IPs after configuration change (bnc#1085507, LTC#165490).
- s390/qeth: when thread completes, wake up all waiters (bnc#1012382).
- sched: act_csum: do not mangle TCP and UDP GSO packets (bnc#1012382).
- sched: Stop resched_cpu() from sending IPIs to offline CPUs (bnc#1012382).
- sched: Stop switched_to_rt() from sending IPIs to offline CPUs (bnc#1012382).
- scsi: core: scsi_get_device_flags_keyed(): Always return device flags (bnc#1012382).
- scsi: devinfo: apply to HP XP the same flags as Hitachi VSP (bnc#1012382).
- scsi: dh: add new rdac devices (bnc#1012382).
- scsi: lpfc: Add missing unlock in WQ full logic (bsc#1085383).
- scsi: lpfc: Code cleanup for 128byte wqe data type (bsc#1085383).
- scsi: lpfc: Fix mailbox wait for POST_SGL mbox command (bsc#1085383).
- scsi: lpfc: Fix NVME Initiator FirstBurst (bsc#1085383).
- scsi: lpfc: Fix SCSI lun discovery when port configured for both SCSI and NVME (bsc#1085383).
- scsi: lpfc: Memory allocation error during driver start-up on power8 (bsc#1085383).
- scsi: mac_esp: Replace bogus memory barrier with spinlock (bnc#1012382).
- scsi: sg: check for valid direction before starting the request (bnc#1012382).
- scsi: sg: fix SG_DXFER_FROM_DEV transfers (bnc#1012382).
- scsi: sg: fix static checker warning in sg_is_valid_dxfer (bnc#1012382).
- scsi: sg: only check for dxfer_len greater than 256M (bnc#1012382 bsc#1064206).
- scsi: virtio_scsi: always read VPD pages for multiqueue too (git-fixes).
- scsi: virtio_scsi: Always try to read VPD pages (bnc#1012382).
- sctp: fix dst refcnt leak in sctp_v4_get_dst (bnc#1012382).
- sctp: fix dst refcnt leak in sctp_v6_get_dst() (bnc#1012382).
- sctp: verify size of a new chunk in _sctp_make_chunk() (bnc#1012382).
- selftests/x86: Add tests for the STR and SLDT instructions (bnc#1012382).
- selftests/x86: Add tests for User-Mode Instruction Prevention (bnc#1012382).
- selftests/x86/entry_from_vm86: Add test cases for POPF (bnc#1012382).
- selftests/x86/entry_from_vm86: Exit with 1 if we fail (bnc#1012382).
- selinux: check for address length in selinux_socket_bind() (bnc#1012382).
- serial: 8250_pci: Add Brainboxes UC-260 4 port serial device (bnc#1012382).
- serial: sh-sci: prevent lockup on full TTY buffers (bnc#1012382).
- skbuff: Fix not waking applications when errors are enqueued (bnc#1012382).
- sm501fb: do not return zero on failure path in sm501fb_start() (bnc#1012382).
- solo6x10: release vb2 buffers in solo_stop_streaming() (bnc#1012382).
- spi: dw: Disable clock after unregistering the host (bnc#1012382).
- spi: omap2-mcspi: poll OMAP2_MCSPI_CHSTAT_RXS for PIO transfer (bnc#1012382).
- spi: sun6i: disable/unprepare clocks on remove (bnc#1012382).
- staging: android: ashmem: Fix lockdep issue during llseek (bnc#1012382).
- staging: android: ashmem: Fix possible deadlock in ashmem_ioctl (bnc#1012382).
- staging: comedi: fix comedi_nsamples_left (bnc#1012382).
- staging: lustre: ptlrpc: kfree used instead of kvfree (bnc#1012382).
- staging: ncpfs: memory corruption in ncp_read_kernel() (bnc#1012382).
- staging: speakup: Replace BUG_ON() with WARN_ON() (bnc#1012382).
- staging: unisys: visorhba: fix s-Par to boot with option CONFIG_VMAP_STACK set to y (bnc#1012382).
- staging: wilc1000: add check for kmalloc allocation failure (bnc#1012382).
- staging: wilc1000: fix unchecked return value (bnc#1012382).
- sysrq: Reset the watchdog timers while displaying high-resolution timers (bnc#1012382).
- target: prefer dbroot of /etc/target over /var/target (bsc#1087274).
- tcm_fileio: Prevent information leak for short reads (bnc#1012382).
- tcp: remove poll() flakes with FastOpen (bnc#1012382).
- tcp: sysctl: Fix a race to avoid unexpected 0 window from space (bnc#1012382).
- team: Fix double free in error path (bnc#1012382).
- test_firmware: fix setting old custom fw path back on exit (bnc#1012382).
- time: Change posix clocks ops interfaces to use timespec64 (bnc#1012382).
- timers, sched_clock: Update timeout for clock wrap (bnc#1012382).
- tools/usbip: fixes build with musl libc toolchain (bnc#1012382).
- tpm_i2c_infineon: fix potential buffer overruns caused by bit glitches on the bus (bnc#1012382).
- tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on the bus (bnc#1012382).
- tpm: st33zp24: fix potential buffer overruns caused by bit glitches on the bus (bnc#1012382).
- tpm/tpm_crb: Use start method value from ACPI table directly (bsc#1084452).
- tracing: probeevent: Fix to support minus offset from symbol (bnc#1012382).
- tty/serial: atmel: add new version check for usart (bnc#1012382).
- tty: vt: fix up tabstops properly (bnc#1012382).
- uas: fix comparison for error code (bnc#1012382).
- ubi: Fix race condition between ubi volume creation and udev (bnc#1012382).
- udplite: fix partial checksum initialization (bnc#1012382).
- usb: Do not print a warning if interface driver rebind is deferred at resume (bsc#1087211).
- usb: dwc2: Make sure we disconnect the gadget state (bnc#1012382).
- usb: gadget: bdc: 64-bit pointer capability check (bnc#1012382).
- usb: gadget: dummy_hcd: Fix wrong power status bit clear/reset in dummy_hub_control() (bnc#1012382).
- usb: gadget: f_fs: Fix use-after-free in ffs_fs_kill_sb() (bnc#1012382).
- usb: gadget: udc: Add missing platform_device_put() on error in bdc_pci_probe() (bnc#1012382).
- usb: quirks: add control message delay for 1b1c:1b20 (bnc#1012382).
- usb: storage: Add JMicron bridge 152d:2567 to unusual_devs.h (bnc#1012382).
- usb: usbmon: Read text within supplied buffer size (bnc#1012382).
- usb: usbmon: remove assignment from IS_ERR argument (bnc#1012382).
- veth: set peer GSO values (bnc#1012382).
- vgacon: Set VGA struct resource types (bnc#1012382).
- video: ARM CLCD: fix dma allocation size (bnc#1012382).
- video: fbdev: udlfb: Fix buffer on stack (bnc#1012382).
- video/hdmi: Allow 'empty' HDMI infoframes (bnc#1012382).
- vxlan: vxlan dev should inherit lowerdev's gso_max_size (bnc#1012382).
- wan: pc300too: abort path on failure (bnc#1012382).
- watchdog: hpwdt: Check source of NMI (bnc#1012382).
- watchdog: hpwdt: fix unused variable warning (bnc#1012382).
- watchdog: hpwdt: SMBIOS check (bnc#1012382).
- watchdog: sbsa: use 32-bit read for WCV (bsc#1085679).
- wil6210: fix memory access violation in wil_memcpy_from/toio_32 (bnc#1012382).
- workqueue: Allow retrieval of current task's work struct (bnc#1012382).
- x86/apic/vector: Handle legacy irq data correctly (bnc#1012382).
- x86/boot/64: Verify alignment of the LOAD segment (bnc#1012382).
- x86/build/64: Force the linker to use 2MB page size (bnc#1012382).
- x86/entry/64: Do not use IST entry for #BP stack (bsc#1087088).
- x86: i8259: export legacy_pic symbol (bnc#1012382).
- x86/kaiser: Duplicate cpu_tss for an entry trampoline usage (bsc#1077560 bsc#1083836).
- x86/kaiser: enforce trampoline stack alignment (bsc#1087260).
- x86/kaiser: Remove a user mapping of cpu_tss structure (bsc#1077560 bsc#1083836).
- x86/kaiser: Use a per-CPU trampoline stack for kernel entry (bsc#1077560).
- x86/MCE: Serialize sysfs changes (bnc#1012382).
- x86/mm: Fix vmalloc_fault to use pXd_large (bnc#1012382).
- x86/mm: implement free pmd/pte page interfaces (bnc#1012382).
- x86/module: Detect and skip invalid relocations (bnc#1012382).
- x86/speculation: Remove Skylake C2 from Speculation Control microcode blacklist (bsc#1087845).
- x86: Treat R_X86_64_PLT32 as R_X86_64_PC32 (bnc#1012382).
- x86/vm86/32: Fix POPF emulation (bnc#1012382).
- xen-blkfront: fix mq start/stop race (bsc#1085042).
- xen-netback: use skb to determine number of required guest Rx requests (bsc#1046610).
ImportantSUSE bug 1012382SUSE bug 1019695SUSE bug 1019699SUSE bug 1022604SUSE bug 1031717SUSE bug 1046610SUSE bug 1060799SUSE bug 1064206SUSE bug 1068032SUSE bug 1073059SUSE bug 1073069SUSE bug 1075428SUSE bug 1076033SUSE bug 1077560SUSE bug 1083574SUSE bug 1083745SUSE bug 1083836SUSE bug 1084223SUSE bug 1084310SUSE bug 1084328SUSE bug 1084353SUSE bug 1084452SUSE bug 1084610SUSE bug 1084699SUSE bug 1084829SUSE bug 1084889SUSE bug 1084898SUSE bug 1084914SUSE bug 1084918SUSE bug 1084967SUSE bug 1085042SUSE bug 1085058SUSE bug 1085224SUSE bug 1085383SUSE bug 1085402SUSE bug 1085404SUSE bug 1085487SUSE bug 1085507SUSE bug 1085511SUSE bug 1085679SUSE bug 1085981SUSE bug 1086015SUSE bug 1086162SUSE bug 1086194SUSE bug 1086357SUSE bug 1086499SUSE bug 1086518SUSE bug 1086607SUSE bug 1087088SUSE bug 1087211SUSE bug 1087231SUSE bug 1087260SUSE bug 1087274SUSE bug 1087659SUSE bug 1087845SUSE bug 1087906SUSE bug 1087999SUSE bug 1088050SUSE bug 1088087SUSE bug 1088241SUSE bug 1088267SUSE bug 1088313SUSE bug 1088324SUSE bug 1088600SUSE bug 1088684SUSE bug 1088871SUSE bug 802154CVE-2017-18257 at SUSECVE-2017-18257 at NVDCVE-2018-1091 at SUSECVE-2018-1091 at NVDCVE-2018-7740 at SUSECVE-2018-7740 at NVDCVE-2018-8043 at SUSECVE-2018-8043 at NVDCVE-2018-8822 at SUSECVE-2018-8822 at NVDcpe:/o:suse:sles:12:sp3Security update for PackageKit (Important)SUSE Linux Enterprise Server 12 SP3
- CVE-2018-1106: Drop the polkit rule which could allow users in wheel group to install
packages without root password (bsc#1086936).
ImportantSUSE bug 1086936CVE-2018-1106 at SUSECVE-2018-1106 at NVDcpe:/o:suse:sles:12:sp3Security update for rzsz (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for rzsz fixes the following issues:
- Update to 0.12.21~rc to fix bsc#1086416 and bsc#1090051
- CVE-2018-10195: segmentation fault in zsdata function could lead to denial of service (bsc#1090051)
ModerateSUSE bug 1076576SUSE bug 1086416SUSE bug 1090051CVE-2018-10195 at SUSECVE-2018-10195 at NVDcpe:/o:suse:sles:12:sp3Security update for perl (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for perl fixes the following issues:
Security issues fixed:
- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
ModerateSUSE bug 1082216SUSE bug 1082233SUSE bug 1082234CVE-2018-6797 at SUSECVE-2018-6797 at NVDCVE-2018-6798 at SUSECVE-2018-6798 at NVDCVE-2018-6913 at SUSECVE-2018-6913 at NVDcpe:/o:suse:sles:12:sp3Security update for zsh (Important)SUSE Linux Enterprise Server 12 SP3
This update for zsh fixes the following issues:
- CVE-2014-10070: environment variable injection could lead to local privilege escalation (bnc#1082885)
- CVE-2014-10071: buffer overflow in exec.c could lead to denial of service. (bnc#1082977)
- CVE-2014-10072: buffer overflow In utils.c when scanning
very long directory paths for symbolic links. (bnc#1082975)
- CVE-2016-10714: In zsh before 5.3, an off-by-one error resulted in
undersized buffers that were intended to support PATH_MAX characters. (bnc#1083250)
- CVE-2017-18205: In builtin.c when sh compatibility mode is used, a NULL pointer dereference
could lead to denial of service (bnc#1082998)
- CVE-2018-1071: exec.c:hashcmd() function vulnerability could lead to denial of service. (bnc#1084656)
- CVE-2018-1083: Autocomplete vulnerability could lead to privilege escalation. (bnc#1087026)
- CVE-2018-7549: In params.c in zsh through 5.4.2, there is a crash during a copy of an empty hash table,
as demonstrated by typeset -p. (bnc#1082991)
- CVE-2017-18206: buffer overrun in xsymlinks could lead to denial of service (bnc#1083002)
- Autocomplete and REPORTTIME broken (bsc#896914)
ImportantSUSE bug 1082885SUSE bug 1082975SUSE bug 1082977SUSE bug 1082991SUSE bug 1082998SUSE bug 1083002SUSE bug 1083250SUSE bug 1084656SUSE bug 1087026SUSE bug 896914CVE-2014-10070 at SUSECVE-2014-10070 at NVDCVE-2014-10071 at SUSECVE-2014-10071 at NVDCVE-2014-10072 at SUSECVE-2014-10072 at NVDCVE-2016-10714 at SUSECVE-2016-10714 at NVDCVE-2017-18205 at SUSECVE-2017-18205 at NVDCVE-2017-18206 at SUSECVE-2017-18206 at NVDCVE-2018-1071 at SUSECVE-2018-1071 at NVDCVE-2018-1083 at SUSECVE-2018-1083 at NVDCVE-2018-7549 at SUSECVE-2018-7549 at NVDcpe:/o:suse:sles:12:sp3Recommended update for LibreOffice (Low)SUSE Linux Enterprise Server 12 SP3
LibreOffice was updated to version 6.0.3.
Following new features were added:
- The Notebookbar, although still an experimental feature, has been
enriched with two new variants: Grouped Bar Full for Writer, Calc and
Impress, and Tabbed Compact for Writer. The Special Characters dialog
has been reworked, with the addition of lists for Recent and Favorite
characters, along with a Search field. The Customize dialog has also
been redesigned, and is now more modern and intuitive.
- In Writer, a Form menu has been added, making it easier to access one
of the most powerful – and often unknown – LibreOffice features: the
ability to design forms, and create standards-compliant PDF forms. The
Find toolbar has been enhanced with a drop-down list of search types, to
speed up navigation. A new default table style has been added, together
with a new collection of table styles to reflect evolving visual trends.
- The Mail Merge function has been improved, and it is now possible to
use either a Writer document or an XLSX file as data source.
- In Calc, ODF 1.2-compliant functions SEARCHB, FINDB and REPLACEB have
been added, to improve support for the ISO standard format. Also, a
cell range selection or a selected group of shapes (images) can be now
exported in PNG or JPG format.
- In Impress, the default slide size has been switched to 16:9, to support
the most recent form factors of screens and projectors. As a consequence,
10 new Impress templates have been added, and a couple of old templates
have been updated.
Changes in components:
- The old WikiHelp has been replaced by the new Help Online system, with
attractive web pages that can also be displayed on mobile devices. In
general, LibreOffice Help has been updated both in terms of contents and
code, with other improvements due all along the life of the LibreOffice
6 family.
- User dictionaries now allow automatic affixation or compounding. This
is a general spell checking improvement in LibreOffice which can speed
up work for Writer users. Instead of manually handling several forms of a
new word in a language with rich morphology or compounding, the Hunspell
spell checker can automatically recognize a new word with affixes or
compounds, based on a “Grammar By” model.
Security features and changes:
- OpenPGP keys can be used to sign ODF documents on all desktop operating
systems, with experimental support for OpenPGP-based encryption. To enable
this feature, users will have to install the specific GPG software for
their operating systems.
- Document classification has also been improved, and allows multiple
policies (which are now exported to OOXML files). In Writer, marking
and signing are now supported at paragraph level.
Interoperability changes:
- OOXML interoperability has been improved in several areas: import of
SmartArt and import/export of ActiveX controls, support of embedded text
documents and spreadsheets, export of embedded videos to PPTX, export
of cross-references to DOCX, export of MailMerge fields to DOCX, and
improvements to the PPTX filter to prevent the creation of broken files.
- New filters for exporting Writer documents to ePub and importing
QuarkXPress files have also been added, together with an improved filter
for importing EMF+ (Enhanced Metafile Format Plus) files as used by
Microsoft Office documents. Some improvements have also been added
to the ODF export filter, making it easier for other ODF readers to
display visuals.
The full blog entry for the 6.0 release can be found here:
https://blog.documentfoundation.org/blog/2018/01/31/libreoffice-6/
The full release notes can be found here:
https://wiki.documentfoundation.org/ReleaseNotes/6.0
The libraries that LibreOffice depends on also have been udpated to their current versions.
LowSUSE bug 1042829SUSE bug 1077375SUSE bug 1080249SUSE bug 1083213SUSE bug 1083993SUSE bug 1088662SUSE bug 1089124CVE-2017-9432 at SUSECVE-2017-9432 at NVDCVE-2017-9433 at SUSECVE-2017-9433 at NVDCVE-2018-1055 at SUSECVE-2018-1055 at NVDCVE-2018-6871 at SUSECVE-2018-6871 at NVDcpe:/o:suse:sles:12:sp3security update for squid (Moderate)SUSE Linux Enterprise Server 12 SP3
This update fixes the following issues:
- CVE-2018-1172: Squid Proxy Cache Denial of Service vulnerability (bsc#1090089).
ModerateSUSE bug 1090089CVE-2018-1172 at SUSECVE-2018-1172 at NVDcpe:/o:suse:sles:12:sp3Security update for dovecot22 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for dovecot22 fixes the following issues:
- CVE-2017-14461: dovecot22: rfc822_parse_domain (bsc#1082826)
Information Leak Vulnerability
ModerateSUSE bug 1082826CVE-2017-14461 at SUSECVE-2017-14461 at NVDcpe:/o:suse:sles:12:sp3Security update for patch (Important)SUSE Linux Enterprise Server 12 SP3
This update for patch fixes the following issues:
Security issues fixed:
- CVE-2018-1000156: Malicious patch files cause ed to execute arbitrary commands (bsc#1088420).
- CVE-2018-6951: Fixed NULL pointer dereference in the intuit_diff_type function in pch.c (bsc#1080918).
- CVE-2016-10713: Fixed out-of-bounds access within pch_write_line() in pch.c (bsc#1080918).
ImportantSUSE bug 1080918SUSE bug 1080951SUSE bug 1088420CVE-2016-10713 at SUSECVE-2016-10713 at NVDCVE-2018-1000156 at SUSECVE-2018-1000156 at NVDCVE-2018-6951 at SUSECVE-2018-6951 at NVDcpe:/o:suse:sles:12:sp3Security update for kernel-firmware (Important)SUSE Linux Enterprise Server 12 SP3
This update for kernel-firmware fixes the following issues:
- Add microcode_amd_fam17h.bin (bsc#1068032 CVE-2017-5715)
This new firmware disables branch prediction on AMD family 17h
processor to mitigate a attack on the branch predictor that could
lead to information disclosure from e.g. kernel memory (bsc#1068032
CVE-2017-5715).
ImportantSUSE bug 1068032CVE-2017-5715 at SUSECVE-2017-5715 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
This update is only provided as a fix update for IBM Z platform.
- CVE-2017-5753 / 'Spectre Attack': IBM Z fixes were included but not enabled in the previous update. This update enables those fixes.
- CVE-2017-5715 / 'Spectre Attack': IBM Z fixes were already included in the previous update. A bugfix for the patches has been applied on top.
- CVE-2017-5754: The IBM Z architecture is not affected by the 'Meltdown' attack.
ImportantSUSE bug 1068032CVE-2017-5715 at SUSECVE-2017-5715 at NVDCVE-2017-5753 at SUSECVE-2017-5753 at NVDcpe:/o:suse:sles:12:sp3Security update for apache2 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for apache2 fixes the following issues:
* CVE-2018-1283: when mod_session is configured to forward its session data to CGI applications
(SessionEnv on, not the default), a remote user may influence their content by
using a \'Session\' header leading to unexpected behavior [bsc#1086814].
* CVE-2018-1301: due to an out of bound access after a size limit being reached by reading the HTTP header,
a specially crafted request could lead to remote denial of service. [bsc#1086817]
* CVE-2018-1303: a specially crafted HTTP request header could lead to crash due to an out of bound read
while preparing data to be cached in shared memory.[bsc#1086813]
* CVE-2017-15715: a regular expression could match '$' to a newline character in a malicious filename,
rather than matching only the end of the filename. leading to corruption of uploaded files.[bsc#1086774]
* CVE-2018-1312: when generating an HTTP Digest authentication challenge, the nonce sent to prevent
reply attacks was not correctly generated using a pseudo-random seed.
In a cluster of servers using a common Digest authentication configuration,
HTTP requests could be replayed across servers by an attacker without detection. [bsc#1086775]
* CVE-2017-15710: mod_authnz_ldap, if configured with AuthLDAPCharsetConfig,
uses the Accept-Language header value to lookup the right charset encoding when verifying the
user's credentials. If the header value is not present in the charset conversion table,
a fallback mechanism is used to truncate it to a two characters value to allow a quick retry
(for example, 'en-US' is truncated to 'en').
A header value of less than two characters forces an out of bound write of one NUL byte to a
memory location that is not part of the string. In the worst case, quite unlikely, the process
would crash which could be used as a Denial of Service attack. In the more likely case, this memory
is already reserved for future use and the issue has no effect at all. [bsc#1086820]
* CVE-2018-1302: when an HTTP/2 stream was destroyed after being handled, it
could have written a NULL pointer potentially to an already freed memory.
The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations,
the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk.
[bsc#1086820]
ModerateSUSE bug 1086774SUSE bug 1086775SUSE bug 1086813SUSE bug 1086814SUSE bug 1086817SUSE bug 1086820CVE-2017-15710 at SUSECVE-2017-15710 at NVDCVE-2017-15715 at SUSECVE-2017-15715 at NVDCVE-2018-1283 at SUSECVE-2018-1283 at NVDCVE-2018-1301 at SUSECVE-2018-1301 at NVDCVE-2018-1302 at SUSECVE-2018-1302 at NVDCVE-2018-1303 at SUSECVE-2018-1303 at NVDCVE-2018-1312 at SUSECVE-2018-1312 at NVDcpe:/o:suse:sles:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ImageMagick fixes the following issues:
- CVE-2017-14325: In ImageMagick, a memory leak vulnerability was found in
the function PersistPixelCache in magick/cache.c, which allowed attackers
to cause a denial of service (memory consumption in ReadMPCImage in
coders/mpc.c) via a crafted file. [bsc#1058635]
- CVE-2017-17887: In ImageMagick, a memory leak vulnerability was found
in the function GetImagePixelCache in magick/cache.c, which allowed
attackers to cause a denial of service via a crafted MNG image file that
is processed by ReadOneMNGImage. [bsc#1074117]
- CVE-2017-18250: A NULL pointer dereference vulnerability was found in the function
LogOpenCLBuildFailure in MagickCore/opencl.c, which could lead to a denial of service
via a crafted file. [bsc#1087039]
- CVE-2017-18251: A memory leak vulnerability was found in the function ReadPCDImage in coders/pcd.c,
which could lead to a denial of service via a crafted file. [bsc#1087037]
- CVE-2017-18252: The MogrifyImageList function in MagickWand/mogrify.c could allow
attackers to cause a denial of service via a crafted file. [bsc#1087033]
- CVE-2017-18254: A memory leak vulnerability was found in the function WriteGIFImage in coders/gif.c,
which could lead to denial of service via a crafted file. [bsc#1087027]
- CVE-2018-8960: The ReadTIFFImage function in coders/tiff.c in
ImageMagick did not properly restrict memory allocation, leading to a
heap-based buffer over-read. [bsc#1086782]
- CVE-2018-9018: divide-by-zero in the ReadMNGImage function of coders/png.c.
Attackers could leverage this vulnerability to cause a crash and denial of service
via a crafted mng file. [bsc#1086773]
- CVE-2018-9135: heap-based buffer over-read in IsWEBPImageLossless in coders/webp.c
could lead to denial of service. [bsc#1087825]
- CVE-2018-10177: In ImageMagick, there was an infinite loop in the
ReadOneMNGImage function of the coders/png.c file. Remote attackers
could leverage this vulnerability to cause a denial of service via a
crafted mng file. [bsc#1089781]
- CVE-2017-10928: a heap-based buffer over-read in the GetNextToken function in token.c
could allow attackers to obtain sensitive information from process memory or possibly have
unspecified other impact via a crafted SVG document that is mishandled in the
GetUserSpaceCoordinateValue function in coders/svg.c. [bsc#1047356]
ModerateSUSE bug 1047356SUSE bug 1058635SUSE bug 1074117SUSE bug 1086773SUSE bug 1086782SUSE bug 1087027SUSE bug 1087033SUSE bug 1087037SUSE bug 1087039SUSE bug 1087825SUSE bug 1089781CVE-2017-1000476 at SUSECVE-2017-1000476 at NVDCVE-2017-10928 at SUSECVE-2017-10928 at NVDCVE-2017-11450 at SUSECVE-2017-11450 at NVDCVE-2017-14325 at SUSECVE-2017-14325 at NVDCVE-2017-17887 at SUSECVE-2017-17887 at NVDCVE-2017-18250 at SUSECVE-2017-18250 at NVDCVE-2017-18251 at SUSECVE-2017-18251 at NVDCVE-2017-18252 at SUSECVE-2017-18252 at NVDCVE-2017-18254 at SUSECVE-2017-18254 at NVDCVE-2018-10177 at SUSECVE-2018-10177 at NVDCVE-2018-8960 at SUSECVE-2018-8960 at NVDCVE-2018-9018 at SUSECVE-2018-9018 at NVDCVE-2018-9135 at SUSECVE-2018-9135 at NVDcpe:/o:suse:sles:12:sp3Security update for tiff (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for tiff fixes the following issues:
- CVE-2017-9935: There was a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution (bsc#1046077)
- CVE-2017-17973: There is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. (bsc#1074318)
- CVE-2018-5784: There is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against the actual number of directory entries (bsc#1081690)
ModerateSUSE bug 1046077SUSE bug 1074318SUSE bug 1081690CVE-2017-17973 at SUSECVE-2017-17973 at NVDCVE-2017-9935 at SUSECVE-2017-9935 at NVDCVE-2018-5784 at SUSECVE-2018-5784 at NVDcpe:/o:suse:sles:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3
This update for xen to version 4.9.2 fixes several issues.
This feature was added:
- Added script, udev rule and systemd service to watch for vcpu online/offline
events in a HVM domU. They are triggered via 'xl vcpu-set domU N'
These security issues were fixed:
- CVE-2018-8897: Prevent mishandling of debug exceptions on x86 (XSA-260, bsc#1090820)
- Handle HPET timers in IO-APIC mode correctly to prevent malicious or buggy
HVM guests from causing a hypervisor crash or potentially privilege
escalation/information leaks (XSA-261, bsc#1090822)
- Prevent unbounded loop, induced by qemu allowing an attacker to permanently
keep a physical CPU core busy (XSA-262, bsc#1090823)
- CVE-2018-10472: x86 HVM guest OS users (in certain configurations) were able
to read arbitrary dom0 files via QMP live insertion of a CDROM, in conjunction
with specifying the target file as the backing file of a snapshot
(bsc#1089152).
- CVE-2018-10471: x86 PV guest OS users were able to cause a denial of service
(out-of-bounds zero write and hypervisor crash) via unexpected INT 80
processing, because of an incorrect fix for CVE-2017-5754 (bsc#1089635).
- CVE-2018-7540: x86 PV guest OS users were able to cause a denial of service
(host OS CPU hang) via non-preemptable L3/L4 pagetable freeing (bsc#1080635).
- CVE-2018-7541: Guest OS users were able to cause a denial of service
(hypervisor crash) or gain privileges by triggering a grant-table transition
from v2 to v1 (bsc#1080662).
- CVE-2018-7542: x86 PVH guest OS users were able to cause a denial of service
(NULL pointer dereference and hypervisor crash) by leveraging the mishandling
of configurations that lack a Local APIC (bsc#1080634).
These non-security issues were fixed:
- bsc#1087252: Update built-in defaults for xenstored in stubdom, keep default
to run xenstored as daemon in dom0
- bsc#1087251: Preserve xen-syms from xen-dbg.gz to allow processing vmcores
with crash(1)
- bsc#1072834: Prevent unchecked MSR access error
ImportantSUSE bug 1027519SUSE bug 1072834SUSE bug 1080634SUSE bug 1080635SUSE bug 1080662SUSE bug 1087251SUSE bug 1087252SUSE bug 1089152SUSE bug 1089635SUSE bug 1090820SUSE bug 1090822SUSE bug 1090823CVE-2018-10471 at SUSECVE-2018-10471 at NVDCVE-2018-10472 at SUSECVE-2018-10472 at NVDCVE-2018-7540 at SUSECVE-2018-7540 at NVDCVE-2018-7541 at SUSECVE-2018-7541 at NVDCVE-2018-7542 at SUSECVE-2018-7542 at NVDCVE-2018-8897 at SUSECVE-2018-8897 at NVDcpe:/o:suse:sles:12:sp3Security update for libapr1 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update fixes the following issues:
- CVE-2017-12613: DoS or information disclosure in pr_exp_time*() or apr_os_exp_time*() functions (bsc#1064982).
ModerateSUSE bug 1064982CVE-2017-12613 at SUSECVE-2017-12613 at NVDcpe:/o:suse:sles:12:sp3Security update for cairo (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for cairo fixes the following issues:
- CVE-2017-9814: out-of-bounds read in cairo-truetype-subset.c could lead to denial of service (bsc#1049092).
ModerateSUSE bug 1049092CVE-2017-9814 at SUSECVE-2017-9814 at NVDcpe:/o:suse:sles:12:sp3Security update for rsync (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for rsync fixes several issues.
These security issues were fixed:
- CVE-2017-17434: The daemon in rsync did not check for fnamecmp filenames in
the daemon_filter_list data structure (in the recv_files function in
receiver.c) and also did not apply the sanitize_paths protection mechanism to
pathnames found in 'xname follows' strings (in the read_ndx_and_attrs function
in rsync.c), which allowed remote attackers to bypass intended access
restrictions' (bsc#1071460).
- CVE-2017-17433: The recv_files function in receiver.c in the daemon in rsync,
proceeded with certain file metadata updates before checking for a filename in
the daemon_filter_list data structure, which allowed remote attackers to bypass
intended access restrictions (bsc#1071459).
- CVE-2017-16548: The receive_xattr function in xattrs.c in rsync did not check
for a trailing '\\0' character in an xattr name, which allowed remote attackers
to cause a denial of service (heap-based buffer over-read and application
crash) or possibly have unspecified other impact by sending crafted data to the
daemon (bsc#1066644).
This non-security issue was fixed:
- Stop file upload after errors like a full disk (bsc#1062063)
- Ensure -X flag works even when setting owner/group (bsc#1028842)
ModerateSUSE bug 1028842SUSE bug 1062063SUSE bug 1066644SUSE bug 1071459SUSE bug 1071460CVE-2017-16548 at SUSECVE-2017-16548 at NVDCVE-2017-17433 at SUSECVE-2017-17433 at NVDCVE-2017-17434 at SUSECVE-2017-17434 at NVDcpe:/o:suse:sles:12:sp3Security update for ncurses (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ncurses fixes the following issues:
Security issues fixed:
- CVE-2017-13728: Fix infinite loop in the next_char function in comp_scan.c (bsc#1056136).
- CVE-2017-13730: Fix illegal address access in the function _nc_read_entry_source() (bsc#1056131).
- CVE-2017-13733: Fix illegal address access in the fmt_entry function (bsc#1056127).
- CVE-2017-13729: Fix illegal address access in the _nc_save_str (bsc#1056132).
- CVE-2017-13732: Fix illegal address access in the function dump_uses() (bsc#1056128).
- CVE-2017-13731: Fix illegal address access in the function postprocess_termcap() (bsc#1056129).
ModerateSUSE bug 1056127SUSE bug 1056128SUSE bug 1056129SUSE bug 1056131SUSE bug 1056132SUSE bug 1056136CVE-2017-13728 at SUSECVE-2017-13728 at NVDCVE-2017-13729 at SUSECVE-2017-13729 at NVDCVE-2017-13730 at SUSECVE-2017-13730 at NVDCVE-2017-13731 at SUSECVE-2017-13731 at NVDCVE-2017-13732 at SUSECVE-2017-13732 at NVDCVE-2017-13733 at SUSECVE-2017-13733 at NVDcpe:/o:suse:sles:12:sp3Security update for curl (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2017-8816: Buffer overrun flaw in the NTLM authentication code (bsc#1069226).
- CVE-2017-8817: Read out of bounds flaw in the FTP wildcard function (bsc#1069222).
ModerateSUSE bug 1069222SUSE bug 1069226CVE-2017-8816 at SUSECVE-2017-8816 at NVDCVE-2017-8817 at SUSECVE-2017-8817 at NVDcpe:/o:suse:sles:12:sp3Security update for perl-XML-LibXML (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for perl-XML-LibXML fixes the following issues:
Security issue fixed:
- CVE-2017-10672: Fix use-after-free that allows remote attackers to execute arbitrary code by controlling the arguments to a replaceChild call (bsc#1046848).
ModerateSUSE bug 1046848CVE-2017-10672 at SUSECVE-2017-10672 at NVDcpe:/o:suse:sles:12:sp3Security update for qemu (Important)SUSE Linux Enterprise Server 12 SP3
This update for qemu fixes the following issues:
A new feature was added:
- Support EPYC vCPU type (bsc#1052825 fate#324038)
Also a mitigation for a security problem has been applied:
- CVE-2017-5715: QEMU was updated to allow passing through new MSR and CPUID flags from
the host VM to the CPU, to allow enabling/disabling branch prediction features in the
Intel CPU. (bsc#1068032)
ImportantSUSE bug 1052825SUSE bug 1068032CVE-2017-5715 at SUSECVE-2017-5715 at NVDcpe:/o:suse:sles:12:sp3Security update for librsvg (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for librsvg fixes the following issues:
- CVE-2018-1000041: Input validation issue could lead to credentials leak. (bsc#1083232)
Update to version 2.40.20:
+ Except for emergencies, this will be the LAST RELEASE of the
librsvg-2.40.x series. We are moving to 2.41, which is vastly
improved over the 2.40 series. The API/ABI there remain unchaged,
so we strongly encourage you to upgrade your sources and binaries to
librsvg-2.41.x.
+ bgo#761175 - Allow masks and clips to reuse a node being drawn.
+ Don't access the file system when deciding whether to load a remote
file with a UNC path for a paint server (i.e. don't try to load it at all).
+ Vistual Studio: fixed and integrated introspection builds, so
introspection data is built directly from the Visual Studio project
(Chun-wei Fan).
+ Visual Studio: We now use HIGHENTROPYVA linker option on x64 builds,
to enhance the security of built binaries (Chun-wei Fan).
+ Fix generation of Vala bindings when compiling in read-only source
directories (Emmanuele Bassi).
Update to version 2.40.19:
+ bgo#621088: Using text objects as clipping paths is now supported.
+ bgo#587721: Fix rendering of text elements with transformations (Massimo).
+ bgo#777833 - Fix memory leaks when an RsvgHandle is disposed before
being closed (Philip Withnall).
+ bgo#782098 - Don't pass deprecated options to gtk-doc (Ting-Wei Lan).
+ bgo#786372 - Fix the default for the 'type' attribute of the <style> element.
+ bgo#785276 - Don't crash on single-byte files.
+ bgo#634514: Don't render unknown elements and their sub-elements.
+ bgo#777155 - Ignore patterns that have close-to-zero dimensions.
+ bgo#634324 - Fix Gaussian blurs with negative scaling.
+ Fix the <switch> element; it wasn't working at all.
+ Fix loading when rsvg_handle_write() is called one byte at a time.
+ bgo#787895 - Fix incorrect usage of libxml2. Thanks to Nick Wellnhofer
for advice on this.
+ Backported the test suite machinery from the master branch (Chun-wei Fan,
Federico Mena).
+ We now require Pango 1.38.0 or later (released in 2015).
+ We now require libxml2 2.9.0 or later (released in 2012).
ModerateSUSE bug 1083232CVE-2018-1000041 at SUSECVE-2018-1000041 at NVDcpe:/o:suse:sles:12:sp3Security update for libvorbis (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libvorbis fixes the following issues:
Security issues fixed:
- CVE-2018-10393: Fixed stack-based buffer over-read in bark_noise_hybridm (bsc#1091072).
- CVE-2017-14160: Fixed out-of-bounds access inside bark_noise_hybridmp function (bsc#1059812).
ModerateSUSE bug 1059812SUSE bug 1091072CVE-2017-14160 at SUSECVE-2017-14160 at NVDCVE-2018-10393 at SUSECVE-2018-10393 at NVDcpe:/o:suse:sles:12:sp3Security update for curl (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for curl fixes several issues:
Security issues fixed:
- CVE-2018-1000301: Fixed a RTSP bad headers buffer over-read could crash the curl client (bsc#1092098)
Non security issues fixed:
- If the DEFAULT_SUSE cipher list is not available use the HIGH cipher alias before failing.
(bsc#1086825)
ModerateSUSE bug 1086825SUSE bug 1092098CVE-2018-1000301 at SUSECVE-2018-1000301 at NVDcpe:/o:suse:sles:12:sp3Security update for ghostscript (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ghostscript fixes the following issues:
- CVE-2018-10194: A stack-based buffer overflow was fixed in gdevpdts.c (bsc#1090099)
ModerateSUSE bug 1090099CVE-2018-10194 at SUSECVE-2018-10194 at NVDcpe:/o:suse:sles:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3
This update for MozillaFirefox to the ESR 52.8 release fixes the following issues:
Mozil to Firefox ESR 52.8 (bsc#1092548)
Security issues fixed:
- MFSA 2018-12/CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
- MFSA 2018-12/CVE-2018-5158: Malicious PDF can inject JavaScript into PDF Viewer
- MFSA 2018-12/CVE-2018-5168: Lightweight themes can be installed without user interaction
- MFSA 2018-12/CVE-2018-5150: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8
- MFSA 2018-12/CVE-2018-5155: Use-after-free with SVG animations and text paths
- MFSA 2018-12/CVE-2018-5183: Backport critical security fixes in Skia
- MFSA 2018-12/CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF files
- MFSA 2018-12/CVE-2018-5154: Use-after-free with SVG animations and clip paths
- MFSA 2018-12/CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion through legacy extension
ImportantSUSE bug 1092548CVE-2018-5150 at SUSECVE-2018-5150 at NVDCVE-2018-5154 at SUSECVE-2018-5154 at NVDCVE-2018-5155 at SUSECVE-2018-5155 at NVDCVE-2018-5157 at SUSECVE-2018-5157 at NVDCVE-2018-5158 at SUSECVE-2018-5158 at NVDCVE-2018-5159 at SUSECVE-2018-5159 at NVDCVE-2018-5168 at SUSECVE-2018-5168 at NVDCVE-2018-5174 at SUSECVE-2018-5174 at NVDCVE-2018-5178 at SUSECVE-2018-5178 at NVDCVE-2018-5183 at SUSECVE-2018-5183 at NVDcpe:/o:suse:sles:12:sp3Security update for openjpeg2 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for openjpeg2 fixes the following security issues:
- CVE-2015-1239: A double free vulnerability in the j2k_read_ppm_v3 function allowed remote attackers to cause a denial of service (crash) (bsc#1066713)
- CVE-2017-17479: A stack-based buffer overflow in the pgxtoimage function in jpwl/convert.c could crash the converter. (bsc#1072125)
- CVE-2017-17480: A stack-based buffer overflow in the pgxtovolume function in jp3d/convert.c could crash the converter. (bsc#1072124)
ModerateSUSE bug 1066713SUSE bug 1072124SUSE bug 1072125CVE-2015-1239 at SUSECVE-2015-1239 at NVDCVE-2017-17479 at SUSECVE-2017-17479 at NVDCVE-2017-17480 at SUSECVE-2017-17480 at NVDcpe:/o:suse:sles:12:sp3Security update for qemu (Important)SUSE Linux Enterprise Server 12 SP3
This update for qemu fixes several issues.
This security issue was fixed:
- CVE-2018-3639: Spectre v4 vulnerability mitigation support for KVM guests (bsc#1092885).
Systems with microprocessors utilizing speculative execution and speculative
execution of memory reads before the addresses of all prior memory writes are
known may allow unauthorized disclosure of information to an attacker with
local user access via a side-channel analysis.
This patch permits the new x86 cpu feature flag named 'ssbd' to be
presented to the guest, given that the host has this feature, and
KVM exposes it to the guest as well.
For this feature to be enabled please use the qemu commandline
-cpu $MODEL,+spec-ctrl,+ssbd
so the guest OS can take advantage of the feature.
spec-ctrl and ssbd support is also required in the host.
This non-security issue was fixed:
- bsc#1070615: Add new look up path 'sys/class/tpm' for tpm cancel path
ImportantSUSE bug 1070615SUSE bug 1092885CVE-2018-3639 at SUSECVE-2018-3639 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3
The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.131 to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2018-3639: Information leaks using 'Memory Disambiguation' feature
in modern CPUs were mitigated, aka 'Spectre Variant 4' (bnc#1087082).
A new boot commandline option was introduced,
'spec_store_bypass_disable', which can have following values:
- auto: Kernel detects whether your CPU model contains an implementation
of Speculative Store Bypass and picks the most appropriate mitigation.
- on: disable Speculative Store Bypass
- off: enable Speculative Store Bypass
- prctl: Control Speculative Store Bypass per thread via
prctl. Speculative Store Bypass is enabled for a process by default. The
state of the control is inherited on fork.
- seccomp: Same as 'prctl' above, but all seccomp threads will disable
SSB unless they explicitly opt out.
The default is 'seccomp', meaning programs need explicit opt-in into the mitigation.
Status can be queried via the /sys/devices/system/cpu/vulnerabilities/spec_store_bypass file, containing:
- 'Vulnerable'
- 'Mitigation: Speculative Store Bypass disabled'
- 'Mitigation: Speculative Store Bypass disabled via prctl'
- 'Mitigation: Speculative Store Bypass disabled via prctl and seccomp'
- CVE-2018-8781: The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c
had an integer-overflow vulnerability allowing local users with access
to the udldrmfb driver to obtain full read and write permissions on
kernel physical pages, resulting in a code execution in kernel space
(bnc#1090643).
- CVE-2018-10124: The kill_something_info function in kernel/signal.c
might have allowed local users to cause a denial of service via an
INT_MIN argument (bnc#1089752).
- CVE-2018-10087: The kernel_wait4 function in kernel/exit.c might
have allowed local users to cause a denial of service by triggering an
attempted use of the -INT_MIN value (bnc#1089608).
- CVE-2018-1000199: An address corruption flaw was discovered while
modifying a h/w breakpoint via 'modify_user_hw_breakpoint' routine, an
unprivileged user/process could use this flaw to crash the system kernel
resulting in DoS OR to potentially escalate privileges on a the system. (bsc#1089895)
- CVE-2018-1130: The Linux kernel was vulnerable to a null pointer
dereference in dccp_write_xmit() function in net/dccp/output.c in that
allowed a local user to cause a denial of service by a number of certain
crafted system calls (bnc#1092904).
- CVE-2018-5803: An error in the _sctp_make_chunk() function when handling
SCTP, packet length could have been exploited by a malicious local user
to cause a kernel crash and a DoS. (bnc#1083900).
- CVE-2018-1065: The netfilter subsystem mishandled the case of
a rule blob that contains a jump but lacks a user-defined chain,
which allowed local users to cause a denial of service (NULL
pointer dereference) by leveraging the CAP_NET_RAW or CAP_NET_ADMIN
capability, related to arpt_do_table in net/ipv4/netfilter/arp_tables.c,
ipt_do_table in net/ipv4/netfilter/ip_tables.c, and ip6t_do_table in
net/ipv6/netfilter/ip6_tables.c (bnc#1083650 1091925).
- CVE-2018-7492: A NULL pointer dereference was found in the
net/rds/rdma.c __rds_rdma_map() function allowing local attackers to
cause a system panic and a denial-of-service, related to RDS_GET_MR and
RDS_GET_MR_FOR_DEST (bnc#1082962).
The following non-security bugs were fixed:
- acpica: Disassembler: Abort on an invalid/unknown AML opcode (bnc#1012382).
- acpica: Events: Add runtime stub support for event APIs (bnc#1012382).
- acpi / hotplug / PCI: Check presence of slot itself in get_slot_status() (bnc#1012382).
- acpi, PCI, irq: remove redundant check for null string pointer (bnc#1012382).
- acpi / scan: Send change uevent with offine environmental data (bsc#1082485).
- acpi / video: Add quirk to force acpi-video backlight on Samsung 670Z5E (bnc#1012382).
- alsa: asihpi: Hardening for potential Spectre v1 (bnc#1012382).
- alsa: control: Hardening for potential Spectre v1 (bnc#1012382).
- alsa: core: Report audio_tstamp in snd_pcm_sync_ptr (bnc#1012382).
- alsa: hda: Hardening for potential Spectre v1 (bnc#1012382).
- alsa: hda - New VIA controller suppor no-snoop path (bnc#1012382).
- alsa: hda/realtek - Add some fixes for ALC233 (bnc#1012382).
- alsa: hdspm: Hardening for potential Spectre v1 (bnc#1012382).
- alsa: line6: Use correct endpoint type for midi output (bnc#1012382).
- alsa: opl3: Hardening for potential Spectre v1 (bnc#1012382).
- alsa: oss: consolidate kmalloc/memset 0 call to kzalloc (bnc#1012382).
- alsa: pcm: Avoid potential races between OSS ioctls and read/write (bnc#1012382).
- alsa: pcm: Fix endless loop for XRUN recovery in OSS emulation (bnc#1012382).
- alsa: pcm: Fix mutex unbalance in OSS emulation ioctls (bnc#1012382).
- alsa: pcm: Fix UAF at PCM release via PCM timer access (bnc#1012382).
- alsa: pcm: potential uninitialized return values (bnc#1012382).
- alsa: pcm: Return -EBUSY for OSS ioctls changing busy streams (bnc#1012382).
- alsa: pcm: Use dma_bytes as size parameter in dma_mmap_coherent() (bnc#1012382).
- alsa: pcm: Use ERESTARTSYS instead of EINTR in OSS emulation (bnc#1012382).
- alsa: rawmidi: Fix missing input substream checks in compat ioctls (bnc#1012382).
- alsa: rme9652: Hardening for potential Spectre v1 (bnc#1012382).
- alsa: seq: oss: Fix unbalanced use lock for synth MIDI device (bnc#1012382).
- alsa: seq: oss: Hardening for potential Spectre v1 (bnc#1012382).
- alsa: usb-audio: Skip broken EU on Dell dock USB-audio (bsc#1090658).
- arm64: avoid overflow in VA_START and PAGE_OFFSET (bnc#1012382).
- arm64: futex: Fix undefined behaviour with FUTEX_OP_OPARG_SHIFT usage (bnc#1012382).
- arm: amba: Do not read past the end of sysfs 'driver_override' buffer (bnc#1012382).
- arm: amba: Fix race condition with driver_override (bnc#1012382).
- arm: amba: Make driver_override output consistent with other buses (bnc#1012382).
- arm: davinci: da8xx: Create DSP device only when assigned memory (bnc#1012382).
- arm: dts: am57xx-beagle-x15-common: Add overide powerhold property (bnc#1012382).
- arm: dts: at91: at91sam9g25: fix mux-mask pinctrl property (bnc#1012382).
- arm: dts: at91: sama5d4: fix pinctrl compatible string (bnc#1012382).
- arm: dts: dra7: Add power hold and power controller properties to palmas (bnc#1012382).
- arm: dts: imx53-qsrb: Pulldown PMIC IRQ pin (bnc#1012382).
- arm: dts: imx6qdl-wandboard: Fix audio channel swap (bnc#1012382).
- arm: dts: ls1021a: add 'fsl,ls1021a-esdhc' compatible string to esdhc node (bnc#1012382).
- arm: imx: Add MXC_CPU_IMX6ULL and cpu_is_imx6ull (bnc#1012382).
- arp: fix arp_filter on l3slave devices (bnc#1012382).
- arp: honour gratuitous ARP _replies_ (bnc#1012382).
- asoc: fsl_esai: Fix divisor calculation failure at lower ratio (bnc#1012382).
- asoc: Intel: cht_bsw_rt5645: Analog Mic support (bnc#1012382).
- asoc: rsnd: SSI PIO adjust to 24bit mode (bnc#1012382).
- asoc: ssm2602: Replace reg_default_raw with reg_default (bnc#1012382).
- async_tx: Fix DMA_PREP_FENCE usage in do_async_gen_syndrome() (bnc#1012382).
- ata: libahci: properly propagate return value of platform_get_irq() (bnc#1012382).
- ath5k: fix memory leak on buf on failed eeprom read (bnc#1012382).
- ath9k_hw: check if the chip failed to wake up (bnc#1012382).
- audit: add tty field to LOGIN event (bnc#1012382).
- autofs: mount point create should honour passed in mode (bnc#1012382).
- bcache: segregate flash only volume write streams (bnc#1012382).
- bcache: stop writeback thread after detaching (bnc#1012382).
- blacklist.conf: Add an omapdrm entry (bsc#1090708, bsc#1090718)
- blk-mq: fix bad clear of RQF_MQ_INFLIGHT in blk_mq_ct_ctx_init() (bsc#1085058).
- blk-mq: fix kernel oops in blk_mq_tag_idle() (bnc#1012382).
- block: correctly mask out flags in blk_rq_append_bio() (bsc#1085058).
- block/loop: fix deadlock after loop_set_status (bnc#1012382).
- block: sanity check for integrity intervals (bsc#1091728).
- bluetooth: Fix missing encryption refresh on Security Request (bnc#1012382).
- bluetooth: Send HCI Set Event Mask Page 2 command only when needed (bnc#1012382).
- bna: Avoid reading past end of buffer (bnc#1012382).
- bnx2x: Allow vfs to disable txvlan offload (bnc#1012382).
- bonding: do not set slave_dev npinfo before slave_enable_netpoll in bond_enslave (bnc#1012382).
- bonding: Do not update slave->link until ready to commit (bnc#1012382).
- bonding: fix the err path for dev hwaddr sync in bond_enslave (bnc#1012382).
- bonding: move dev_mc_sync after master_upper_dev_link in bond_enslave (bnc#1012382).
- bonding: process the err returned by dev_set_allmulti properly in bond_enslave (bnc#1012382).
- btrfs: fix incorrect error return ret being passed to mapping_set_error (bnc#1012382).
- btrfs: Fix wrong first_key parameter in replace_path (Followup fix for bsc#1084721).
- btrfs: Only check first key for committed tree blocks (bsc#1084721).
- btrfs: Validate child tree block's level and first key (bsc#1084721).
- bus: brcmstb_gisb: correct support for 64-bit address output (bnc#1012382).
- bus: brcmstb_gisb: Use register offsets with writes too (bnc#1012382).
- cdc_ether: flag the Cinterion AHS8 modem by gemalto as WWAN (bnc#1012382).
- cdrom: information leak in cdrom_ioctl_media_changed() (bnc#1012382).
- ceph: adding protection for showing cap reservation info (bsc#1089115).
- ceph: always update atime/mtime/ctime for new inode (bsc#1089115).
- ceph: check if mds create snaprealm when setting quota (fate#324665 bsc#1089115).
- ceph: do not check quota for snap inode (fate#324665 bsc#1089115).
- ceph: fix invalid point dereference for error case in mdsc destroy (bsc#1089115).
- ceph: fix root quota realm check (fate#324665 bsc#1089115).
- ceph: fix rsize/wsize capping in ceph_direct_read_write() (bsc#1089115).
- ceph: quota: add counter for snaprealms with quota (fate#324665 bsc#1089115).
- ceph: quota: add initial infrastructure to support cephfs quotas (fate#324665 bsc#1089115).
- ceph: quota: cache inode pointer in ceph_snap_realm (fate#324665 bsc#1089115).
- ceph: quota: do not allow cross-quota renames (fate#324665 bsc#1089115).
- ceph: quota: report root dir quota usage in statfs (fate#324665 bsc#1089115).
- ceph: quota: support for ceph.quota.max_bytes (fate#324665 bsc#1089115).
- ceph: quota: support for ceph.quota.max_files (fate#324665 bsc#1089115).
- ceph: quota: update MDS when max_bytes is approaching (fate#324665 bsc#1089115).
- cfg80211: make RATE_INFO_BW_20 the default (bnc#1012382).
- cifs: do not allow creating sockets except with SMB1 posix exensions (bnc#1012382).
- cifs: silence compiler warnings showing up with gcc-8.0.0 (bsc#1090734).
- cifs: silence lockdep splat in cifs_relock_file() (bnc#1012382).
- cifs: Use file_dentry() (bsc#1093008).
- clk: bcm2835: De-assert/assert PLL reset signal when appropriate (bnc#1012382).
- clk: Fix __set_clk_rates error print-string (bnc#1012382).
- clk: mvebu: armada-38x: add support for 1866MHz variants (bnc#1012382).
- clk: mvebu: armada-38x: add support for missing clocks (bnc#1012382).
- clk: scpi: fix return type of __scpi_dvfs_round_rate (bnc#1012382).
- clocksource/drivers/arm_arch_timer: Avoid infinite recursion when ftrace is enabled (bsc#1090225).
- cpumask: Add helper cpumask_available() (bnc#1012382).
- crypto: ahash - Fix early termination in hash walk (bnc#1012382).
- crypto: x86/cast5-avx - fix ECB encryption when long sg follows short one (bnc#1012382).
- cx25840: fix unchecked return values (bnc#1012382).
- cxgb4: fix incorrect cim_la output for T6 (bnc#1012382).
- cxgb4: Fix queue free path of ULD drivers (bsc#1022743 FATE#322540).
- cxgb4: FW upgrade fixes (bnc#1012382).
- cxgb4vf: Fix SGE FL buffer initialization logic for 64K pages (bnc#1012382).
- dmaengine: at_xdmac: fix rare residue corruption (bnc#1012382).
- dmaengine: imx-sdma: Handle return value of clk_prepare_enable (bnc#1012382).
- dm ioctl: remove double parentheses (bnc#1012382).
- Documentation: pinctrl: palmas: Add ti,palmas-powerhold-override property definition (bnc#1012382).
- Do not leak MNT_INTERNAL away from internal mounts (bnc#1012382).
- drivers/infiniband/core/verbs.c: fix build with gcc-4.4.4 (FATE#321732).
- drivers/infiniband/ulp/srpt/ib_srpt.c: fix build with gcc-4.4.4 (bnc#1024296,FATE#321265).
- drivers/misc/vmw_vmci/vmci_queue_pair.c: fix a couple integer overflow tests (bnc#1012382).
- drm/omap: fix tiled buffer stride calculations (bnc#1012382).
- drm/radeon: Fix PCIe lane width calculation (bnc#1012382).
- drm/virtio: fix vq wait_event condition (bnc#1012382).
- e1000e: fix race condition around skb_tstamp_tx() (bnc#1012382).
- e1000e: Undo e1000e_pm_freeze if __e1000_shutdown fails (bnc#1012382).
- edac, mv64x60: Fix an error handling path (bnc#1012382).
- Enable uinput driver (bsc#1092566).
- esp: Fix memleaks on error paths (git-fixes).
- ext4: add validity checks for bitmap block numbers (bnc#1012382).
- ext4: bugfix for mmaped pages in mpage_release_unused_pages() (bnc#1012382).
- ext4: do not allow r/w mounts if metadata blocks overlap the superblock (bnc#1012382).
- ext4: do not update checksum of new initialized bitmaps (bnc#1012382).
- ext4: fail ext4_iget for root directory if unallocated (bnc#1012382).
- ext4: fix bitmap position validation (bnc#1012382).
- ext4: fix deadlock between inline_data and ext4_expand_extra_isize_ea() (bnc#1012382).
- ext4: Fix hole length detection in ext4_ind_map_blocks() (bsc#1090953).
- ext4: fix off-by-one on max nr_pages in ext4_find_unwritten_pgoff() (bnc#1012382).
- ext4: prevent right-shifting extents beyond EXT_MAX_BLOCKS (bnc#1012382).
- ext4: set h_journal if there is a failure starting a reserved handle (bnc#1012382).
- fanotify: fix logic of events on child (bnc#1012382).
- fix race in drivers/char/random.c:get_reg() (bnc#1012382).
- frv: declare jiffies to be located in the .data section (bnc#1012382).
- fs: compat: Remove warning from COMPATIBLE_IOCTL (bnc#1012382).
- fs/proc: Stop trying to report thread stacks (bnc#1012382).
- fs/reiserfs/journal.c: add missing resierfs_warning() arg (bnc#1012382).
- genirq: Use cpumask_available() for check of cpumask variable (bnc#1012382).
- getname_kernel() needs to make sure that ->name != ->iname in long case (bnc#1012382).
- gpio: label descriptors using the device name (bnc#1012382).
- hdlcdrv: Fix divide by zero in hdlcdrv_ioctl (bnc#1012382).
- hid: core: Fix size as type u32 (bnc#1012382).
- hid: Fix hid_report_len usage (bnc#1012382).
- hid: hidraw: Fix crash on HIDIOCGFEATURE with a destroyed device (bnc#1012382).
- hid: i2c-hid: fix size check and type usage (bnc#1012382).
- hwmon: (ina2xx) Fix access to uninitialized mutex (git-fixes).
- hwmon: (ina2xx) Make calibration register value fixed (bnc#1012382).
- hypfs_kill_super(): deal with failed allocations (bnc#1012382).
- i40iw: Free IEQ resources (bsc#969476 FATE#319648 bsc#969477 FATE#319816).
- ib/core: Fix possible crash to access NULL netdev (bsc#966191 FATE#320230 bsc#966186 FATE#320228).
- ib/core: Generate GID change event regardless of RoCE GID table property (bsc#966191 FATE#320230 bsc#966186 FATE#320228).
- ib/mlx4: Fix corruption of RoCEv2 IPv4 GIDs (bsc#966191 FATE#320230 bsc#966186 FATE#320228).
- ib/mlx4: Include GID type when deleting GIDs from HW table under RoCE (bsc#966191 FATE#320230 bsc#966186 FATE#320228).
- ib/mlx5: Avoid passing an invalid QP type to firmware (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- ib/mlx5: Fix an error code in __mlx5_ib_modify_qp() (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- ib/mlx5: Fix incorrect size of klms in the memory region (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- ib/mlx5: Fix out-of-bounds read in create_raw_packet_qp_rq (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- ib/mlx5: revisit -Wmaybe-uninitialized warning (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- ib/mlx5: Set the default active rate and width to QDR and 4X (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- ibmvnic: Clean actual number of RX or TX pools (bsc#1092289).
- ibmvnic: Clear pending interrupt after device reset (bsc#1089644).
- ibmvnic: Define vnic_login_client_data name field as unsized array (bsc#1089198).
- ibmvnic: Do not notify peers on parameter change resets (bsc#1089198).
- ibmvnic: Handle all login error conditions (bsc#1089198).
- ib/srp: Fix completion vector assignment algorithm (bnc#1012382).
- ib/srp: Fix srp_abort() (bnc#1012382).
- ib/srpt: Fix abort handling (bnc#1012382).
- ib/srpt: Fix an out-of-bounds stack access in srpt_zerolength_write() (bnc#1024296,FATE#321265).
- iio: hi8435: avoid garbage event at first enable (bnc#1012382).
- iio: hi8435: cleanup reset gpio (bnc#1012382).
- iio: magnetometer: st_magn_spi: fix spi_device_id table (bnc#1012382).
- input: ALPS - fix multi-touch decoding on SS4 plus touchpads (git-fixes).
- input: ALPS - fix trackstick button handling on V8 devices (git-fixes).
- input: ALPS - fix TrackStick support for SS5 hardware (git-fixes).
- input: ALPS - fix two-finger scroll breakage in right side on ALPS touchpad (git-fixes).
- input: drv260x - fix initializing overdrive voltage (bnc#1012382).
- input: elan_i2c - check if device is there before really probing (bnc#1012382).
- input: elan_i2c - clear INT before resetting controller (bnc#1012382).
- input: elantech - force relative mode on a certain module (bnc#1012382).
- input: i8042 - add Lenovo ThinkPad L460 to i8042 reset list (bnc#1012382).
- input: i8042 - enable MUX on Sony VAIO VGN-CS series to fix touchpad (bnc#1012382).
- input: mousedev - fix implicit conversion warning (bnc#1012382).
- iommu/vt-d: Fix a potential memory leak (bnc#1012382).
- ip6_gre: better validate user provided tunnel names (bnc#1012382).
- ip6_tunnel: better validate user provided tunnel names (bnc#1012382).
- ipc/shm: fix use-after-free of shm file via remap_file_pages() (bnc#1012382).
- ipmi: create hardware-independent softdep for ipmi_devintf (bsc#1009062, bsc#1060799). Refresh patch to mainline version.
- ipsec: check return value of skb_to_sgvec always (bnc#1012382).
- ip_tunnel: better validate user provided tunnel names (bnc#1012382).
- ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy (bnc#1012382).
- ipv6: avoid dad-failures for addresses with NODAD (bnc#1012382).
- ipv6: sit: better validate user provided tunnel names (bnc#1012382).
- ipv6: the entire IPv6 header chain must fit the first fragment (bnc#1012382).
- iw_cxgb4: print mapped ports correctly (bsc#321658 FATE#1005778 bsc#321660 FATE#1005780 bsc#321661 FATE#1005781).
- jbd2: fix use after free in kjournald2() (bnc#1012382).
- jbd2: if the journal is aborted then do not allow update of the log tail (bnc#1012382).
- jffs2_kill_sb(): deal with failed allocations (bnc#1012382).
- jiffies.h: declare jiffies and jiffies_64 with ____cacheline_aligned_in_smp (bnc#1012382).
- kABI: add tty include to audit.c (kabi).
- kABI: protect hid report functions (kabi).
- kABI: protect jiffies types (kabi).
- kABI: protect skb_to_sgvec* (kabi).
- kABI: protect sound/timer.h include in sound pcm.c (kabi).
- kABI: protect struct cstate (kabi).
- kABI: protect struct _lowcore (kabi).
- kABI: protect tty include in audit.h (kabi).
- kabi/severities: Ignore kgr_shadow_* kABI changes
- kbuild: provide a __UNIQUE_ID for clang (bnc#1012382).
- kexec_file: do not add extra alignment to efi memmap (bsc#1044596).
- keys: DNS: limit the length of option strings (bnc#1012382).
- kGraft: fix small race in reversion code (bsc#1083125).
- kobject: do not use WARN for registration failures (bnc#1012382).
- kvm: Fix nopvspin static branch init usage (bsc#1056427).
- kvm: Introduce nopvspin kernel parameter (bsc#1056427).
- kvm: nVMX: Fix handling of lmsw instruction (bnc#1012382).
- kvm: PPC: Book3S PR: Check copy_to/from_user return values (bnc#1012382).
- kvm: SVM: do not zero out segment attributes if segment is unusable or not present (bnc#1012382).
- l2tp: check sockaddr length in pppol2tp_connect() (bnc#1012382).
- l2tp: fix missing print session offset info (bnc#1012382).
- lan78xx: Correctly indicate invalid OTP (bnc#1012382).
- leds: pca955x: Correct I2C Functionality (bnc#1012382).
- libceph, ceph: change permission for readonly debugfs entries (bsc#1089115).
- libceph: fix misjudgement of maximum monitor number (bsc#1089115).
- libceph: reschedule a tick in finish_hunting() (bsc#1089115).
- libceph: un-backoff on tick when we have a authenticated session (bsc#1089115).
- libceph: validate con->state at the top of try_write() (bsc#1089115).
- livepatch: Allow to call a custom callback when freeing shadow variables (bsc#1082299 fate#313296).
- livepatch: Initialize shadow variables safely by a custom callback (bsc#1082299 fate#313296).
- llc: delete timers synchronously in llc_sk_free() (bnc#1012382).
- llc: fix NULL pointer deref for SOCK_ZAPPED (bnc#1012382).
- llc: hold llc_sap before release_sock() (bnc#1012382).
- llist: clang: introduce member_address_is_nonnull() (bnc#1012382).
- lockd: fix lockd shutdown race (bnc#1012382).
- lockd: lost rollback of set_grace_period() in lockd_down_net() (git-fixes).
- mac80211: bail out from prep_connection() if a reconfig is ongoing (bnc#1012382).
- mceusb: sporadic RX truncation corruption fix (bnc#1012382).
- md: document lifetime of internal rdev pointer (bsc#1056415).
- md: fix two problems with setting the 're-add' device state (bsc#1089023).
- md: only allow remove_and_add_spares when no sync_thread running (bsc#1056415).
- md raid10: fix NULL deference in handle_write_completed() (git-fixes).
- md/raid10: reset the 'first' at the end of loop (bnc#1012382).
- md/raid5: make use of spin_lock_irq over local_irq_disable + spin_lock (bnc#1012382).
- media: v4l2-compat-ioctl32: do not oops on overlay (bnc#1012382).
- media: videobuf2-core: do not go out of the buffer range (bnc#1012382).
- mei: remove dev_err message on an unsupported ioctl (bnc#1012382).
- mISDN: Fix a sleep-in-atomic bug (bnc#1012382).
- mlx5: fix bug reading rss_hash_type from CQE (bnc#1012382).
- mmc: jz4740: Fix race condition in IRQ mask update (bnc#1012382).
- mm/filemap.c: fix NULL pointer in page_cache_tree_insert() (bnc#1012382).
- mm, slab: reschedule cache_reap() on the same CPU (bnc#1012382).
- mtd: cfi: cmdset_0001: Do not allow read/write to suspend erase block (bnc#1012382).
- mtd: cfi: cmdset_0001: Workaround Micron Erase suspend bug (bnc#1012382).
- mtd: cfi: cmdset_0002: Do not allow read/write to suspend erase block (bnc#1012382).
- mtd: jedec_probe: Fix crash in jedec_read_mfr() (bnc#1012382).
- neighbour: update neigh timestamps iff update is effective (bnc#1012382).
- net: af_packet: fix race in PACKET_{R|T}X_RING (bnc#1012382).
- net: cavium: liquidio: fix up 'Avoid dma_unmap_single on uninitialized ndata' (bnc#1012382).
- net: cdc_ncm: Fix TX zero padding (bnc#1012382).
- net: emac: fix reset timeout with AR8035 phy (bnc#1012382).
- net: ethernet: ti: cpsw: adjust cpsw fifos depth for fullduplex flow control (bnc#1012382).
- netfilter: bridge: ebt_among: add more missing match size checks (bnc#1012382).
- netfilter: ctnetlink: fix incorrect nf_ct_put during hash resize (bnc#1012382).
- netfilter: ctnetlink: Make some parameters integer to avoid enum mismatch (bnc#1012382).
- netfilter: nf_nat_h323: fix logical-not-parentheses warning (bnc#1012382).
- netfilter: x_tables: add and use xt_check_proc_name (bnc#1012382).
- net: fix deadlock while clearing neighbor proxy table (bnc#1012382).
- net: fix possible out-of-bound read in skb_network_protocol() (bnc#1012382).
- net: fool proof dev_valid_name() (bnc#1012382).
- net: freescale: fix potential null pointer dereference (bnc#1012382).
- net: hns: Fix ethtool private flags (bnc#1012382 bsc#1085511).
- net: ieee802154: fix net_device reference release too early (bnc#1012382).
- net/ipv6: Fix route leaking between VRFs (bnc#1012382).
- net/ipv6: Increment OUTxxx counters after netfilter hook (bnc#1012382).
- netlink: make sure nladdr has correct size in netlink_connect() (bnc#1012382).
- net: llc: add lock_sock in llc_ui_bind to avoid a race condition (bnc#1012382).
- net/mlx4: Check if Granular QoS per VF has been enabled before updating QP qos_vport (bnc#1012382).
- net/mlx4_core: Fix memory leak while delete slave's resources (bsc#966191 FATE#320230 bsc#966186 FATE#320228).
- net/mlx4_en: Avoid adding steering rules with invalid ring (bnc#1012382).
- net/mlx4_en: Fix mixed PFC and Global pause user control requests (bsc#1015336 FATE#321685 bsc#1015337 FATE#321686 bsc#1015340 FATE#321687).
- net/mlx4: Fix the check in attaching steering rules (bnc#1012382).
- net/mlx5: avoid build warning for uniprocessor (bnc#1012382).
- net/mlx5e: Add error print in ETS init (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- net/mlx5e: Check support before TC swap in ETS init (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- net/mlx5e: E-Switch, Use the name of static array instead of its address (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5e: Remove unused define MLX5_MPWRQ_STRIDES_PER_PAGE (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5: Fix error handling in load one (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5: Fix ingress/egress naming mistake (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5: Tolerate irq_set_affinity_hint() failures (bnc#1012382).
- net: move somaxconn init from sysctl code (bnc#1012382).
- net: phy: avoid genphy_aneg_done() for PHYs without clause 22 support (bnc#1012382).
- net: qca_spi: Fix alignment issues in rx path (bnc#1012382).
- net sched actions: fix dumping which requires several messages to user space (bnc#1012382).
- net/sched: fix NULL dereference in the error path of tcf_bpf_init() (bnc#1012382).
- net: validate attribute sizes in neigh_dump_table() (bnc#1012382).
- net: x25: fix one potential use-after-free issue (bnc#1012382).
- net: xfrm: use preempt-safe this_cpu_read() in ipcomp_alloc_tfms() (bnc#1012382).
- nfsv4.1: RECLAIM_COMPLETE must handle NFS4ERR_CONN_NOT_BOUND_TO_SESSION (bnc#1012382).
- nfsv4.1: Work around a Linux server bug.. (bnc#1012382).
- nospec: Kill array_index_nospec_mask_check() (bnc#1012382).
- nospec: Move array_index_nospec() parameter checking into separate macro (bnc#1012382).
- ovl: filter trusted xattr for non-admin (bnc#1012382).
- packet: fix bitfield update race (bnc#1012382).
- parisc: Fix out of array access in match_pci_device() (bnc#1012382).
- parport_pc: Add support for WCH CH382L PCI-E single parallel port card (bnc#1012382).
- partitions/msdos: Unable to mount UFS 44bsd partitions (bnc#1012382).
- pci/cxgb4: Extend T3 PCI quirk to T4+ devices (bsc#981348).
- pci: Make PCI_ROM_ADDRESS_MASK a 32-bit constant (bnc#1012382).
- perf/core: Correct event creation with PERF_FORMAT_GROUP (bnc#1012382).
- perf/core: Fix locking for children siblings group read (git-fixes).
- perf header: Set proper module name when build-id event found (bnc#1012382).
- perf/hwbp: Simplify the perf-hwbp code, fix documentation (bnc#1012382).
- perf intel-pt: Fix error recovery from missing TIP packet (bnc#1012382).
- perf intel-pt: Fix overlap detection to identify consecutive buffers correctly (bnc#1012382).
- perf intel-pt: Fix sync_switch (bnc#1012382).
- perf intel-pt: Fix timestamp following overflow (bnc#1012382).
- perf probe: Add warning message if there is unexpected event name (bnc#1012382).
- perf report: Ensure the perf DSO mapping matches what libdw sees (bnc#1012382).
- perf: Return proper values for user stack errors (bnc#1012382).
- perf tests: Decompress kernel module before objdump (bnc#1012382).
- perf tools: Fix copyfile_offset update of output offset (bnc#1012382).
- perf trace: Add mmap alias for s390 (bnc#1012382).
- pidns: disable pid allocation if pid_ns_prepare_proc() is failed in alloc_pid() (bnc#1012382).
- pNFS/flexfiles: missing error code in ff_layout_alloc_lseg() (bnc#1012382).
- powerpc/64: Fix smp_wmb barrier definition use use lwsync consistently (bnc#1012382).
- powerpc/64s: Add barrier_nospec (bsc#1068032, bsc#1080157).
- powerpc/64s: Add support for ori barrier_nospec patching (bsc#1068032, bsc#1080157).
- powerpc/64s: Enable barrier_nospec based on firmware settings (bsc#1068032, bsc#1080157).
- powerpc/64s: Enhance the information in cpu_show_meltdown() (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/64s: Enhance the information in cpu_show_spectre_v1() (bsc#1068032).
- powerpc/64s: Fix section mismatch warnings from setup_rfi_flush() (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/64s: Move cpu_show_meltdown() (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/64s: Patch barrier_nospec in modules (bsc#1068032, bsc#1080157).
- powerpc/64s: Wire up cpu_show_spectre_v1() (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/64s: Wire up cpu_show_spectre_v2() (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/64: Use barrier_nospec in syscall entry (bsc#1068032, bsc#1080157).
- powerpc: Add security feature flags for Spectre/Meltdown (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/[booke|4xx]: Do not clobber TCR[WP] when setting TCR[DIE] (bnc#1012382).
- powerpc/crash: Remove the test for cpu_online in the IPI callback (bsc#1088242).
- powerpc: Do not send system reset request through the oops path (bsc#1088242).
- powerpc/eeh: Fix enabling bridge MMIO windows (bnc#1012382).
- powerpc/lib: Fix off-by-one in alternate feature patching (bnc#1012382).
- powerpc/mm: allow memory hotplug into a memoryless node (bsc#1090663).
- powerpc/mm: Allow memory hotplug into an offline node (bsc#1090663).
- powerpc: Move default security feature flags (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/powernv: define a standard delay for OPAL_BUSY type retry loops (bnc#1012382).
- powerpc/powernv: Fix OPAL NVRAM driver OPAL_BUSY loops (bnc#1012382).
- powerpc/powernv: Handle unknown OPAL errors in opal_nvram_write() (bnc#1012382).
- powerpc/powernv: Set or clear security feature flags (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/powernv: Use the security flags in pnv_setup_rfi_flush() (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/pseries: Add new H_GET_CPU_CHARACTERISTICS flags (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/pseries: Fix clearing of security feature flags (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/pseries: Restore default security feature flags on setup (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/pseries: Set or clear security feature flags (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/pseries: Use the security flags in pseries_setup_rfi_flush() (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/rfi-flush: Always enable fallback flush on pseries (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/rfi-flush: Differentiate enabled and patched flush types (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/rfi-flush: Make it possible to call setup_rfi_flush() again (bsc#1068032, bsc#1075087, bsc#1091041). Update patches.suse/powerpc-pseries-rfi-flush-Call-setup_rfi_flush-after.patch (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/spufs: Fix coredump of SPU contexts (bnc#1012382).
- powerpc: System reset avoid interleaving oops using die synchronisation (bsc#1088242).
- powerpc: Use barrier_nospec in copy_from_user() (bsc#1068032, bsc#1080157).
- pppoe: check sockaddr length in pppoe_connect() (bnc#1012382).
- pptp: remove a buggy dst release in pptp_connect() (bnc#1012382).
- qlge: Avoid reading past end of buffer (bnc#1012382).
- r8152: add Linksys USB3GIGV1 id (bnc#1012382).
- r8169: fix setting driver_data after register_netdev (bnc#1012382).
- radeon: hide pointless #warning when compile testing (bnc#1012382).
- random: use a tighter cap in credit_entropy_bits_safe() (bnc#1012382).
- random: use lockless method of accessing and updating f->reg_idx (bnc#1012382).
- ray_cs: Avoid reading past end of buffer (bnc#1012382).
- rdma/core: Avoid that ib_drain_qp() triggers an out-of-bounds stack access (FATE#321732).
- rdma/mlx5: Protect from NULL pointer derefence (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- rdma/qedr: fix QP's ack timeout configuration (bsc#1022604 FATE#321747).
- rdma/qedr: Fix QP state initialization race (bsc#1022604 FATE#321747).
- rdma/qedr: Fix rc initialization on CNQ allocation failure (bsc#1022604 FATE#321747).
- rdma/rxe: Fix an out-of-bounds read (FATE#322149).
- rdma/ucma: Check AF family prior resolving address (bnc#1012382).
- rdma/ucma: Check that device exists prior to accessing it (bnc#1012382).
- rdma/ucma: Check that device is connected prior to access it (bnc#1012382).
- rdma/ucma: Do not allow join attempts for unsupported AF family (bnc#1012382).
- rdma/ucma: Do not allow setting RDMA_OPTION_IB_PATH without an RDMA device (bnc#1012382).
- rdma/ucma: Ensure that CM_ID exists prior to access it (bnc#1012382).
- rdma/ucma: Fix use-after-free access in ucma_close (bnc#1012382).
- rdma/ucma: Introduce safer rdma_addr_size() variants (bnc#1012382).
- rds; Reset rs->rs_bound_addr in rds_add_bound() failure path (bnc#1012382).
- regulator: gpio: Fix some error handling paths in 'gpio_regulator_probe()' (bsc#1091960).
- resource: fix integer overflow at reallocation (bnc#1012382).
- Revert 'alsa: pcm: Fix mutex unbalance in OSS emulation ioctls' (kabi).
- Revert 'alsa: pcm: Return -EBUSY for OSS ioctls changing busy streams' (kabi).
- Revert 'arm: dts: am335x-pepper: Fix the audio CODEC's reset pin' (bnc#1012382).
- Revert 'arm: dts: omap3-n900: Fix the audio CODEC's reset pin' (bnc#1012382).
- Revert 'ath10k: send (re)assoc peer command when NSS changed' (bnc#1012382).
- Revert 'cpufreq: Fix governor module removal race' (bnc#1012382).
- Revert 'ip6_vti: adjust vti mtu according to mtu of lower device' (bnc#1012382).
- Revert 'KVM: Fix stack-out-of-bounds read in write_mmio' (bnc#1083635).
- Revert 'mtd: cfi: cmdset_0001: Do not allow read/write to suspend erase block.' (kabi).
- Revert 'mtd: cfi: cmdset_0001: Workaround Micron Erase suspend bug.' (kabi).
- Revert 'mtd: cfi: cmdset_0002: Do not allow read/write to suspend erase block.' (kabi).
- Revert 'mtip32xx: use runtime tag to initialize command header' (bnc#1012382).
- Revert 'PCI/MSI: Stop disabling MSI/MSI-X in pci_device_shutdown()' (bnc#1012382).
- Revert 'perf tests: Decompress kernel module before objdump' (bnc#1012382).
- Revert 'xhci: plat: Register shutdown for xhci_plat' (bnc#1012382).
- rpc_pipefs: fix double-dput() (bnc#1012382).
- rpm/config.sh: build against SP3 in OBS as well.
- rpm/config.sh: ensure sorted patches.
- rtc: interface: Validate alarm-time before handling rollover (bnc#1012382).
- rtc: opal: Handle disabled TPO in opal_get_tpo_time() (bnc#1012382).
- rtc: snvs: fix an incorrect check of return value (bnc#1012382).
- rtl8187: Fix NULL pointer dereference in priv->conf_mutex (bnc#1012382).
- rxrpc: check return value of skb_to_sgvec always (bnc#1012382).
- s390: add automatic detection of the spectre defense (bnc#1012382).
- s390: add optimized array_index_mask_nospec (bnc#1012382).
- s390: add options to change branch prediction behaviour for the kernel (bnc#1012382 bsc#1068032).
- s390: add sysfs attributes for spectre (bnc#1012382).
- s390/alternative: use a copy of the facility bit mask (bnc#1012382).
- s390/cio: update chpid descriptor after resource accessibility event (bnc#1012382).
- s390: correct module section names for expoline code revert (bnc#1012382).
- s390: correct nospec auto detection init order (bnc#1012382).
- s390/dasd: fix hanging safe offline (bnc#1012382).
- s390/dasd: fix IO error for newly defined devices (bnc#1093144, LTC#167398).
- s390: do not bypass BPENTER for interrupt system calls (bnc#1012382).
- s390: enable CPU alternatives unconditionally (bnc#1012382).
- s390/entry.S: fix spurious zeroing of r0 (bnc#1012382).
- s390: introduce execute-trampolines for branches (bnc#1012382).
- s390/ipl: ensure loadparm valid flag is set (bnc#1012382).
- s390: move nobp parameter functions to nospec-branch.c (bnc#1012382).
- s390: move _text symbol to address higher than zero (bnc#1012382).
- s390/qdio: do not merge ERROR output buffers (bnc#1012382).
- s390/qdio: do not retry EQBS after CCQ 96 (bnc#1012382).
- s390/qeth: consolidate errno translation (bnc#1093144, LTC#167507).
- s390/qeth: fix MAC address update sequence (bnc#1093144, LTC#167609).
- s390/qeth: translate SETVLAN/DELVLAN errors (bnc#1093144, LTC#167507).
- s390: Replace IS_ENABLED(EXPOLINE_*) with IS_ENABLED(CONFIG_EXPOLINE_*) (bnc#1012382).
- s390: report spectre mitigation via syslog (bnc#1012382).
- s390: run user space and KVM guests with modified branch prediction (bnc#1012382).
- s390: scrub registers on kernel entry and KVM exit (bnc#1012382).
- s390/uprobes: implement arch_uretprobe_is_alive() (bnc#1012382).
- sched/numa: Use down_read_trylock() for the mmap_sem (bnc#1012382).
- scsi: bnx2fc: fix race condition in bnx2fc_get_host_stats() (bnc#1012382).
- scsi: libiscsi: Allow sd_shutdown on bad transport (bnc#1012382).
- scsi: libsas: initialize sas_phy status according to response of DISCOVER (bnc#1012382).
- scsi: lpfc: Add per io channel NVME IO statistics (bsc#1088865).
- scsi: lpfc: Correct missing remoteport registration during link bounces (bsc#1088865).
- scsi: lpfc: Correct target queue depth application changes (bsc#1088865).
- scsi: lpfc: Enlarge nvmet asynchronous receive buffer counts (bsc#1088865).
- scsi: lpfc: Fix Abort request WQ selection (bsc#1088865).
- scsi: lpfc: Fix driver not recovering NVME rports during target link faults (bsc#1088865).
- scsi: lpfc: Fix lingering lpfc_wq resource after driver unload (bsc#1088865).
- scsi: lpfc: Fix multiple PRLI completion error path (bsc#1088865).
- scsi: lpfc: Fix NULL pointer access in lpfc_nvme_info_show (bsc#1088865).
- scsi: lpfc: Fix NULL pointer reference when resetting adapter (bsc#1088865).
- scsi: lpfc: Fix nvme remoteport registration race conditions (bsc#1088865).
- scsi: lpfc: Fix WQ/CQ creation for older asic's (bsc#1088865).
- scsi: lpfc: update driver version to 11.4.0.7-2 (bsc#1088865).
- scsi: mpt3sas: Proper handling of set/clear of 'ATA command pending' flag (bnc#1012382).
- scsi: mptsas: Disable WRITE SAME (bnc#1012382).
- scsi: sd: Defer spinning up drive while SANITIZE is in progress (bnc#1012382).
- sctp: do not check port in sctp_inet6_cmp_addr (bnc#1012382).
- sctp: do not leak kernel memory to user space (bnc#1012382).
- sctp: fix recursive locking warning in sctp_do_peeloff (bnc#1012382).
- sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6 (bnc#1012382).
- selftests/powerpc: Fix TM resched DSCR test with some compilers (bnc#1012382).
- selinux: do not check open permission on sockets (bnc#1012382).
- selinux: Remove redundant check for unknown labeling behavior (bnc#1012382).
- selinux: Remove unnecessary check of array base in selinux_set_mapping() (bnc#1012382).
- serial: 8250: omap: Disable DMA for console UART (bnc#1012382).
- serial: mctrl_gpio: Add missing module license (bnc#1012382).
- serial: mctrl_gpio: export mctrl_gpio_disable_ms and mctrl_gpio_init (bnc#1012382).
- serial: sh-sci: Fix race condition causing garbage during shutdown (bnc#1012382).
- sh_eth: Use platform device for printing before register_netdev() (bnc#1012382).
- sit: reload iphdr in ipip6_rcv (bnc#1012382).
- skbuff: only inherit relevant tx_flags (bnc#1012382).
- skbuff: return -EMSGSIZE in skb_to_sgvec to prevent overflow (bnc#1012382).
- sky2: Increase D3 delay to sky2 stops working after suspend (bnc#1012382).
- slip: Check if rstate is initialized before uncompressing (bnc#1012382).
- sparc64: ldc abort during vds iso boot (bnc#1012382).
- spi: davinci: fix up dma_mapping_error() incorrect patch (bnc#1012382).
- staging: comedi: ni_mio_common: ack ai fifo error interrupts (bnc#1012382).
- staging: ion : Donnot wakeup kswapd in ion system alloc (bnc#1012382).
- staging: wlan-ng: prism2mgmt.c: fixed a double endian conversion before calling hfa384x_drvr_setconfig16, also fixes relative sparse warning (bnc#1012382).
- swap: divide-by-zero when zero length swap file on ssd (bsc#1082153).
- tags: honor COMPILED_SOURCE with apart output directory (bnc#1012382).
- tcp: better validation of received ack sequences (bnc#1012382).
- tcp: do not read out-of-bounds opsize (bnc#1012382).
- tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets (bnc#1012382).
- team: avoid adding twice the same option to the event list (bnc#1012382).
- team: fix netconsole setup over team (bnc#1012382).
- thermal: imx: Fix race condition in imx_thermal_probe() (bnc#1012382).
- thermal: power_allocator: fix one race condition issue for thermal_instances list (bnc#1012382).
- thunderbolt: Resume control channel after hibernation image is created (bnc#1012382).
- tipc: add policy for TIPC_NLA_NET_ADDR (bnc#1012382).
- tty: Do not call panic() at tty_ldisc_init() (bnc#1012382).
- tty: make n_tty_read() always abort if hangup is in progress (bnc#1012382).
- tty: n_gsm: Allow ADM response in addition to UA for control dlci (bnc#1012382).
- tty: n_gsm: Fix DLCI handling for ADM mode if debug & 2 is not set (bnc#1012382).
- tty: n_gsm: Fix long delays with control frame timeouts in ADM mode (bnc#1012382).
- tty: provide tty_name() even without CONFIG_TTY (bnc#1012382).
- tty: Use __GFP_NOFAIL for tty_ldisc_get() (bnc#1012382).
- ubi: fastmap: Do not flush fastmap work on detach (bnc#1012382).
- ubi: Fix error for write access (bnc#1012382).
- ubifs: Check ubifs_wbuf_sync() return code (bnc#1012382).
- ubi: Reject MLC NAND (bnc#1012382).
- um: Use POSIX ucontext_t instead of struct ucontext (bnc#1012382).
- Update config files, add expoline for s390x (bsc#1089393).
- Update patches.suse/x86-nospectre_v2-means-nospec-too.patch (bsc#1075994 bsc#1075091 bnc#1085958).
- usb: chipidea: properly handle host or gadget initialization failure (bnc#1012382).
- usb: core: Add quirk for HP v222w 16GB Mini (bnc#1012382).
- usb: dwc2: Improve gadget state disconnection handling (bnc#1012382).
- usb: dwc3: keystone: check return value (bnc#1012382).
- usb: dwc3: pci: Properly cleanup resource (bnc#1012382).
- usb: ene_usb6250: fix first command execution (bnc#1012382).
- usb: ene_usb6250: fix SCSI residue overwriting (bnc#1012382).
- usb:fix USB3 devices behind USB3 hubs not resuming at hibernate thaw (bnc#1012382).
- usb: gadget: align buffer size when allocating for OUT endpoint (bnc#1012382).
- usb: gadget: change len to size_t on alloc_ep_req() (bnc#1012382).
- usb: gadget: define free_ep_req as universal function (bnc#1012382).
- usb: gadget: f_hid: fix: Prevent accessing released memory (bnc#1012382).
- usb: gadget: fix request length error for isoc transfer (git-fixes).
- usb: gadget: fix usb_ep_align_maybe endianness and new usb_ep_align (bnc#1012382).
- usb: Increment wakeup count on remote wakeup (bnc#1012382).
- usbip: usbip_host: fix to hold parent lock for device_attach() calls (bnc#1012382).
- usbip: vhci_hcd: Fix usb device and sockfd leaks (bnc#1012382).
- usb: musb: gadget: misplaced out of bounds check (bnc#1012382).
- usb: serial: cp210x: add ELDAT Easywave RX09 id (bnc#1012382).
- usb: serial: cp210x: add ID for NI USB serial console (bnc#1012382).
- usb: serial: ftdi_sio: add RT Systems VX-8 cable (bnc#1012382).
- usb: serial: ftdi_sio: add support for Harman FirmwareHubEmulator (bnc#1012382).
- usb: serial: ftdi_sio: use jtag quirk for Arrow USB Blaster (bnc#1012382).
- usb: serial: simple: add libtransistor console (bnc#1012382).
- vfb: fix video mode and line_length being set when loaded (bnc#1012382).
- vfio/pci: Virtualize Maximum Payload Size (bnc#1012382).
- vfio/pci: Virtualize Maximum Read Request Size (bnc#1012382).
- vfio-pci: Virtualize PCIe & AF FLR (bnc#1012382).
- vhost: correctly remove wait queue during poll failure (bnc#1012382).
- virtio: add ability to iterate over vqs (bnc#1012382).
- virtio_console: free buffers after reset (bnc#1012382).
- virtio_net: check return value of skb_to_sgvec always (bnc#1012382).
- virtio_net: check return value of skb_to_sgvec in one more location (bnc#1012382).
- vlan: also check phy_driver ts_info for vlan's real device (bnc#1012382).
- vlan: Fix reading memory beyond skb->tail in skb_vlan_tagged_multi (bnc#1012382).
- vmxnet3: ensure that adapter is in proper state during force_close (bnc#1012382).
- vrf: Fix use after free and double free in vrf_finish_output (bnc#1012382).
- vt: change SGR 21 to follow the standards (bnc#1012382).
- vti6: better validate user provided tunnel names (bnc#1012382).
- vxlan: dont migrate permanent fdb entries during learn (bnc#1012382).
- watchdog: f71808e_wdt: Fix WD_EN register read (bnc#1012382).
- watchdog: hpwdt: Remove legacy NMI sourcing (bsc#1085185).
- wl1251: check return from call to wl1251_acx_arp_ip_filter (bnc#1012382).
- writeback: fix the wrong congested state variable definition (bnc#1012382).
- writeback: safer lock nesting (bnc#1012382).
- x86/asm: Do not use RBP as a temporary register in csum_partial_copy_generic() (bnc#1012382).
- x86/bugs: correctly force-disable IBRS on !SKL systems (bsc#1092497).
- x86/bugs: Make sure that _TIF_SSBD does not end up in _TIF_ALLWORK_MASK (bsc#1093215).
- x86/hweight: Do not clobber %rdi (bnc#1012382).
- x86/hweight: Get rid of the special calling convention (bnc#1012382).
- x86/ipc: Fix x32 version of shmid64_ds and msqid64_ds (bnc#1012382).
- x86/platform/UV: Add references to access fixed UV4A HUB MMRs (bsc#1076263 #fate#322814).
- x86/platform/uv/BAU: Replace hard-coded values with MMR definitions (bsc#1076263 #fate#322814).
- x86/platform/UV: Fix critical UV MMR address error (bsc#1076263
- x86/platform/UV: Fix GAM MMR changes in UV4A (bsc#1076263 #fate#322814).
- x86/platform/UV: Fix GAM MMR references in the UV x2apic code (bsc#1076263 #fate#322814).
- x86/platform/UV: Fix GAM Range Table entries less than 1GB (bsc#1091325).
- x86/platform/UV: Fix UV4A BAU MMRs (bsc#1076263 #fate#322814).
- x86/platform/UV: Fix UV4A support on new Intel Processors (bsc#1076263 #fate#322814).
- x86/platform/uv: Skip UV runtime services mapping in the efi_runtime_disabled case (bsc#1089925).
- x86/platform/UV: Update uv_mmrs.h to prepare for UV4A fixes (bsc#1076263 #fate#322814).
- x86/smpboot: Do not use mwait_play_dead() on AMD systems (bnc#1012382).
- x86/tsc: Prevent 32bit truncation in calc_hpet_ref() (bnc#1012382).
- x86/tsc: Provide 'tsc=unstable' boot parameter (bnc#1012382).
- xen: avoid type warning in xchg_xen_ulong (bnc#1012382).
- xen-netfront: Fix hang on device removal (bnc#1012382).
- xfrm: fix state migration copy replay sequence numbers (bnc#1012382).
- xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems (bnc#1012382).
- xfrm_user: uncoditionally validate esn replay attribute struct (bnc#1012382).
- xfs: always verify the log tail during recovery (bsc#1036215).
- xfs: detect and handle invalid iclog size set by mkfs (bsc#1043598).
- xfs: detect and trim torn writes during log recovery (bsc#1036215).
- xfs: fix log recovery corruption error due to tail overwrite (bsc#1036215).
- xfs: fix recovery failure when log record header wraps log end (bsc#1036215).
- xfs: handle -EFSCORRUPTED during head/tail verification (bsc#1036215).
- xfs: refactor and open code log record crc check (bsc#1036215).
- xfs: refactor log record start detection into a new helper (bsc#1036215).
- xfs: return start block of first bad log record during recovery (bsc#1036215).
- xfs: support a crc verification only log record pass (bsc#1036215).
ImportantSUSE bug 1005778SUSE bug 1005780SUSE bug 1005781SUSE bug 1009062SUSE bug 1012382SUSE bug 1015336SUSE bug 1015337SUSE bug 1015340SUSE bug 1015342SUSE bug 1015343SUSE bug 1022604SUSE bug 1022743SUSE bug 1024296SUSE bug 1031492SUSE bug 1036215SUSE bug 1043598SUSE bug 1044596SUSE bug 1056415SUSE bug 1056427SUSE bug 1060799SUSE bug 1068032SUSE bug 1075087SUSE bug 1075091SUSE bug 1075994SUSE bug 1076263SUSE bug 1080157SUSE bug 1082153SUSE bug 1082299SUSE bug 1082485SUSE bug 1082962SUSE bug 1083125SUSE bug 1083635SUSE bug 1083650SUSE bug 1083900SUSE bug 1084721SUSE bug 1085058SUSE bug 1085185SUSE bug 1085511SUSE bug 1085958SUSE bug 1087082SUSE bug 1088242SUSE bug 1088865SUSE bug 1089023SUSE bug 1089115SUSE bug 1089198SUSE bug 1089393SUSE bug 1089608SUSE bug 1089644SUSE bug 1089752SUSE bug 1089895SUSE bug 1089925SUSE bug 1090225SUSE bug 1090643SUSE bug 1090658SUSE bug 1090663SUSE bug 1090708SUSE bug 1090718SUSE bug 1090734SUSE bug 1090953SUSE bug 1091041SUSE bug 1091325SUSE bug 1091728SUSE bug 1091925SUSE bug 1091960SUSE bug 1092289SUSE bug 1092497SUSE bug 1092566SUSE bug 1092904SUSE bug 1093008SUSE bug 1093144SUSE bug 1093215SUSE bug 1094019SUSE bug 802154SUSE bug 966170SUSE bug 966172SUSE bug 966186SUSE bug 966191SUSE bug 969476SUSE bug 969477SUSE bug 981348CVE-2018-1000199 at SUSECVE-2018-1000199 at NVDCVE-2018-10087 at SUSECVE-2018-10087 at NVDCVE-2018-10124 at SUSECVE-2018-10124 at NVDCVE-2018-1065 at SUSECVE-2018-1065 at NVDCVE-2018-1130 at SUSECVE-2018-1130 at NVDCVE-2018-3639 at SUSECVE-2018-3639 at NVDCVE-2018-5803 at SUSECVE-2018-5803 at NVDCVE-2018-7492 at SUSECVE-2018-7492 at NVDCVE-2018-8781 at SUSECVE-2018-8781 at NVDcpe:/o:suse:sles:12:sp3Security update for wget (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for wget fixes the following issues:
- CVE-2018-0494: Fixed a cookie injection vulnerability by checking for
and joining continuation lines. (bsc#1092061)
ModerateSUSE bug 1092061CVE-2018-0494 at SUSECVE-2018-0494 at NVDcpe:/o:suse:sles:12:sp3Security update for python (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for python fixes the following issues:
Security issues fixed:
- CVE-2017-1000158: Fixed integer overflows in PyString_DecodeEscape that could have resulted in
heap-based buffer overflow attacks and possible arbitrary code execution (bsc#1068664).
- CVE-2018-1000030: Fixed crash inside the Python interpreter when multiple threads used the same
I/O stream concurrently (bsc#1079300).
ModerateSUSE bug 1068664SUSE bug 1079300CVE-2017-1000158 at SUSECVE-2017-1000158 at NVDCVE-2018-1000030 at SUSECVE-2018-1000030 at NVDcpe:/o:suse:sles:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ImageMagick fixes several issues.
These security issues were fixed:
- CVE-2018-5246: Fixed memory leak vulnerability in ReadPATTERNImage in
coders/pattern.c (bsc#1074973)
- CVE-2017-18022: Fixed memory leak vulnerability in MontageImageCommand in
MagickWand/montage.c (bsc#1074975)
- CVE-2018-5247: Fixed memory leak vulnerability in ReadRLAImage in
coders/rla.c (bsc#1074969)
- CVE-2017-12672: Fixed a memory leak vulnerability in the function
ReadMATImage in coders/mat.c, which allowed attackers to cause a denial
of service (bsc#1052720)
- CVE-2017-13060: Fixed a memory leak vulnerability in the function
ReadMATImage in coders/mat.c, which allowed attackers to cause a denial
of service via a crafted file (bsc#1055065)
- CVE-2017-11724: Fixed a memory leak vulnerability in the function
ReadMATImage in coders/mat.c involving the quantum_info and clone_info
data structures (bsc#1051446)
- CVE-2017-12670: Added validation in coders/mat.c to prevent an assertion
failure in the function DestroyImage in MagickCore/image.c, which
allowed attackers to cause a denial of service (bsc#1052731)
- CVE-2017-12667: Fixed a memory leak vulnerability in the function
ReadMATImage in coders/mat.c (bsc#1052732)
- CVE-2017-13146: Fixed a memory leak vulnerability in the function
ReadMATImage in coders/mat.c (bsc#1055323)
- CVE-2017-10800: Processing MATLAB images in coders/mat.c could have lead to a
denial of service (OOM) in ReadMATImage() if the size specified for a
MAT Object was larger than the actual amount of data (bsc#1047044)
- CVE-2017-13648: Fixed a memory leak vulnerability in the function
ReadMATImage in coders/mat.c (bsc#1055434)
- CVE-2017-11141: Fixed a memory leak vulnerability in the function
ReadMATImage in coders\mat.c that could have caused memory exhaustion
via a crafted MAT file, related to incorrect ordering of a
SetImageExtent call (bsc#1047898)
- CVE-2017-11529: The ReadMATImage function in coders/mat.c allowed remote
attackers to cause a denial of service (memory leak) via a crafted file
(bsc#1050120)
- CVE-2017-12564: Fixed a memory leak vulnerability in the function
ReadMATImage in coders/mat.c, which allowed attackers to cause a denial
of service (bsc#1052468)
- CVE-2017-12434: Added a missing NULL check in the function ReadMATImage in
coders/mat.c, which allowed attackers to cause a denial of service
(assertion failure) in DestroyImageInfo in image.c (bsc#1052550)
- CVE-2017-12675: Added a missing check for multidimensional data coders/mat.c,
that could have lead to a memory leak in the function ReadImage in
MagickCore/constitute.c, which allowed attackers to cause a denial of
service (bsc#1052710)
- CVE-2017-14326: Fixed a memory leak vulnerability in the function
ReadMATImage in coders/mat.c, which allowed attackers to cause a denial
of service via a crafted file (bsc#1058640)
- CVE-2017-11644: Processesing a crafted file in convert could have lead to a
memory leak in the ReadMATImage() function in coders/mat.c
(bsc#1050606)
- CVE-2017-13658: Added a missing NULL check in the ReadMATImage function in
coders/mat.c, which could have lead to a denial of service (assertion
failure and application exit) in the DestroyImageInfo function in
MagickCore/image.c (bsc#1055855)
- CVE-2017-14533: Fixed a memory leak vulnerability in the function
ReadMATImage in coders/mat.c (bsc#1059751)
- CVE-2017-17881: Fixed a memory leak vulnerability in the function
ReadMATImage in coders/mat.c, which allowed attackers to cause a denial of
service via a crafted MAT image file (bsc#1074123)
ModerateSUSE bug 1047044SUSE bug 1047898SUSE bug 1050120SUSE bug 1050606SUSE bug 1051446SUSE bug 1052468SUSE bug 1052550SUSE bug 1052710SUSE bug 1052720SUSE bug 1052731SUSE bug 1052732SUSE bug 1055065SUSE bug 1055323SUSE bug 1055434SUSE bug 1055855SUSE bug 1058640SUSE bug 1059751SUSE bug 1074123SUSE bug 1074969SUSE bug 1074973SUSE bug 1074975CVE-2017-10800 at SUSECVE-2017-10800 at NVDCVE-2017-11141 at SUSECVE-2017-11141 at NVDCVE-2017-11529 at SUSECVE-2017-11529 at NVDCVE-2017-11644 at SUSECVE-2017-11644 at NVDCVE-2017-11724 at SUSECVE-2017-11724 at NVDCVE-2017-12434 at SUSECVE-2017-12434 at NVDCVE-2017-12564 at SUSECVE-2017-12564 at NVDCVE-2017-12667 at SUSECVE-2017-12667 at NVDCVE-2017-12670 at SUSECVE-2017-12670 at NVDCVE-2017-12672 at SUSECVE-2017-12672 at NVDCVE-2017-12675 at SUSECVE-2017-12675 at NVDCVE-2017-13060 at SUSECVE-2017-13060 at NVDCVE-2017-13146 at SUSECVE-2017-13146 at NVDCVE-2017-13648 at SUSECVE-2017-13648 at NVDCVE-2017-13658 at SUSECVE-2017-13658 at NVDCVE-2017-14326 at SUSECVE-2017-14326 at NVDCVE-2017-14533 at SUSECVE-2017-14533 at NVDCVE-2017-17881 at SUSECVE-2017-17881 at NVDCVE-2017-18022 at SUSECVE-2017-18022 at NVDCVE-2018-5246 at SUSECVE-2018-5246 at NVDCVE-2018-5247 at SUSECVE-2018-5247 at NVDcpe:/o:suse:sles:12:sp3Security update for bash (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for bash fixes the following issues:
Security issues fixed:
- CVE-2016-7543: A code execution possibility via SHELLOPTS+PS4 variable was fixed (bsc#1001299)
- CVE-2016-0634: Arbitrary code execution via malicious hostname was fixed (bsc#1000396)
Non-security issues fixed:
- Fix repeating self-calling of traps due the combination of a non-interactive shell, a trap handler for SIGINT, an
external process in the trap handler, and a SIGINT within the trap after the external process runs. (bsc#1086247)
ModerateSUSE bug 1000396SUSE bug 1001299SUSE bug 1086247CVE-2016-0634 at SUSECVE-2016-0634 at NVDCVE-2016-7543 at SUSECVE-2016-7543 at NVDcpe:/o:suse:sles:12:sp3Security update for icu (Moderate)SUSE Linux Enterprise Server 12 SP3
icu was updated to fix two security issues.
These security issues were fixed:
- CVE-2014-8147: The resolveImplicitLevels function in common/ubidi.c
in the Unicode Bidirectional Algorithm implementation in ICU4C in
International Components for Unicode (ICU) used an integer data type
that is inconsistent with a header file, which allowed remote attackers
to cause a denial of service (incorrect malloc followed by invalid free)
or possibly execute arbitrary code via crafted text (bsc#929629).
- CVE-2014-8146: The resolveImplicitLevels function in common/ubidi.c
in the Unicode Bidirectional Algorithm implementation in ICU4C in
International Components for Unicode (ICU) did not properly track
directionally isolated pieces of text, which allowed remote attackers
to cause a denial of service (heap-based buffer overflow) or possibly
execute arbitrary code via crafted text (bsc#929629).
- CVE-2016-6293: The uloc_acceptLanguageFromHTTP function in
common/uloc.cpp in International Components for Unicode (ICU) for C/C++
did not ensure that there is a '\0' character at the end of a certain
temporary array, which allowed remote attackers to cause a denial of
service (out-of-bounds read) or possibly have unspecified other impact
via a call with a long httpAcceptLanguage argument (bsc#990636).
- CVE-2017-7868: International Components for Unicode (ICU) for C/C++
2017-02-13 has an out-of-bounds write caused by a heap-based buffer
overflow related to the utf8TextAccess function in common/utext.cpp and
the utext_moveIndex32* function (bsc#1034674)
- CVE-2017-7867: International Components for Unicode (ICU) for C/C++
2017-02-13 has an out-of-bounds write caused by a heap-based buffer
overflow related to the utf8TextAccess function in common/utext.cpp and
the utext_setNativeIndex* function (bsc#1034678)
- CVE-2017-14952: Double free in i18n/zonemeta.cpp in International
Components for Unicode (ICU) for C/C++ allowed remote attackers to
execute arbitrary code via a crafted string, aka a 'redundant UVector
entry clean up function call' issue (bnc#1067203)
- CVE-2017-17484: The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp
in International Components for Unicode (ICU) for C/C++ mishandled
ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allowed remote
attackers to cause a denial of service (stack-based buffer overflow
and application crash) or possibly have unspecified other impact via a
crafted string, as demonstrated by ZNC (bnc#1072193)
- CVE-2017-15422: An integer overflow in icu during persian calendar
date processing could lead to incorrect years shown (bnc#1077999)
ModerateSUSE bug 1034674SUSE bug 1034678SUSE bug 1067203SUSE bug 1072193SUSE bug 1077999SUSE bug 1087932SUSE bug 929629SUSE bug 990636CVE-2014-8146 at SUSECVE-2014-8146 at NVDCVE-2014-8147 at SUSECVE-2014-8147 at NVDCVE-2016-6293 at SUSECVE-2016-6293 at NVDCVE-2017-14952 at SUSECVE-2017-14952 at NVDCVE-2017-15422 at SUSECVE-2017-15422 at NVDCVE-2017-17484 at SUSECVE-2017-17484 at NVDCVE-2017-7867 at SUSECVE-2017-7867 at NVDCVE-2017-7868 at SUSECVE-2017-7868 at NVDcpe:/o:suse:sles:12:sp3Security update for ceph (Important)SUSE Linux Enterprise Server 12 SP3
This update for ceph fixes the following issues:
Security issues fixed:
- CVE-2018-7262: rgw: malformed http headers can crash rgw (bsc#1081379).
- CVE-2017-16818: User reachable asserts allow for DoS (bsc#1063014).
Bug fixes:
- bsc#1061461: OSDs keep generating coredumps after adding new OSD node to cluster.
- bsc#1079076: RGW openssl fixes.
- bsc#1067088: Upgrade to SES5 restarted all nodes, majority of OSDs aborts during start.
- bsc#1056125: Some OSDs are down when doing performance testing on rbd image in EC Pool.
- bsc#1087269: allow_ec_overwrites option not in command options list.
- bsc#1051598: Fix mountpoint check for systemctl enable --runtime.
- bsc#1070357: Zabbix mgr module doesn't recover from HEALTH_ERR.
- bsc#1066502: After upgrading a single OSD from SES 4 to SES 5 the OSDs do not rejoin the cluster.
- bsc#1067119: Crushtool decompile creates wrong device entries (device 20 device20) for not existing / deleted OSDs.
- bsc#1060904: Loglevel misleading during keystone authentication.
- bsc#1056967: Monitors goes down after pool creation on cluster with 120 OSDs.
- bsc#1067705: Issues with RGW Multi-Site Federation between SES5 and RH Ceph Storage 2.
- bsc#1059458: Stopping / restarting rados gateway as part of deepsea stage.4 executions causes core-dump of radosgw.
- bsc#1087493: Commvault cannot reconnect to storage after restarting haproxy.
- bsc#1066182: Container synchronization between two Ceph clusters failed.
- bsc#1081600: Crash in civetweb/RGW.
- bsc#1054061: NFS-GANESHA service failing while trying to list mountpoint on client.
- bsc#1074301: OSDs keep aborting: SnapMapper failed asserts.
- bsc#1086340: XFS metadata corruption on rbd-nbd mapped image with journaling feature enabled.
- bsc#1080788: fsid mismatch when creating additional OSDs.
- bsc#1071386: Metadata spill onto block.slow.
ImportantSUSE bug 1051598SUSE bug 1054061SUSE bug 1056125SUSE bug 1056967SUSE bug 1059458SUSE bug 1060904SUSE bug 1061461SUSE bug 1063014SUSE bug 1066182SUSE bug 1066502SUSE bug 1067088SUSE bug 1067119SUSE bug 1067705SUSE bug 1070357SUSE bug 1071386SUSE bug 1074301SUSE bug 1079076SUSE bug 1080788SUSE bug 1081379SUSE bug 1081600SUSE bug 1086340SUSE bug 1087269SUSE bug 1087493CVE-2017-16818 at SUSECVE-2017-16818 at NVDCVE-2018-7262 at SUSECVE-2018-7262 at NVDcpe:/o:suse:sles:12:sp3Security update for jasper (Low)SUSE Linux Enterprise Server 12 SP3
This update for jasper fixes the following issues:
- CVE-2018-9055: denial of service via
a reachable assertion in the function jpc_firstone in
libjasper/jpc/jpc_math.c could lead to denial of service. (bsc#1087020)
LowSUSE bug 1087020CVE-2018-9055 at SUSECVE-2018-9055 at NVDcpe:/o:suse:sles:12:sp3Security update for libmodplug (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libmodplug fixes the following issues:
- Update to version 0.8.9.0+git20170610.f6dd59a bsc#1022032:
* PSM: add missing line to commit
* ABC: prevent possible increment of p past end
* ABC: ensure read pointer is valid before incrementing
* ABC: terminate early when things don't work in substitute
* OKT: add one more bound check
* FAR: out by one on check
* ABC: 10 digit ints require null termination
* PSM: make sure reads occur of only valid ins
* ABC: cleanup tracks correctly.
* WAV: check that there is space for both headers
* OKT: ensure file size is enough to contain data
* ABC: initialize earlier
* ABC: ensure array access is bounded correctly.
* ABC: clean up loop exiting code
* ABC: avoid possibility of incrementing *p
* ABC: abort early if macro would be blank
* ABC: Use blankline more often
* ABC: Ensure for loop does not increment past end of loop
* Initialize nPatterns to 0 earlier
* Check memory position isn't over the memory length
* ABC: transpose only needs to look at notes (<26)
- Update to version 0.8.9.0+git20171024.e9fc46e:
* Spelling fixes
* Bump version number to 0.8.9.0
* MMCMP: Check that end pointer is within the file size
* WAV: ensure integer doesn't overflow
* XM: additional mempos check
* sndmix: Don't process row if its empty.
* snd_fx: dont include patterns of zero size in length calc
* MT2,AMF: prevent OOB reads
- Add patch for broken pc file where quite some upstream refer to
modplug directly without specifying the subdir it is in.
- Update to version 0.8.8.5
* Some security issues: CVE-2013-4233, CVE-2013-4234, as well as
many fixes suggested by static analyzers: clang build-scan, and coverity.
- Stop using dos2unix
- Run through spec-cleaner
- Use full URL in Source tag
ModerateSUSE bug 1022032CVE-2013-4233 at SUSECVE-2013-4233 at NVDCVE-2013-4234 at SUSECVE-2013-4234 at NVDcpe:/o:suse:sles:12:sp3Security update for perl-DBD-mysql (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for perl-DBD-mysql fixes the following issues:
- CVE-2017-10789: The DBD::mysql module when with mysql_ssl=1 setting enabled, means that SSL is optional (even though this setting's documentation has a \'your communication with the server will be encrypted\' statement), which could lead man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152. (bsc#1047059)
- CVE-2017-10788: The DBD::mysql module through 4.043 for Perl allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact by triggering (1) certain error responses from a MySQL server or (2) a loss of a network connection to a MySQL server. The use-after-free defect was introduced by relying on incorrect Oracle mysql_stmt_close documentation and code examples. (bsc#1047095)
ModerateSUSE bug 1047059SUSE bug 1047095CVE-2017-10788 at SUSECVE-2017-10788 at NVDCVE-2017-10789 at SUSECVE-2017-10789 at NVDcpe:/o:suse:sles:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3
This update for xen fixes the following issues:
Security issues fixed:
- CVE-2018-3639: Spectre V4 – Speculative Store Bypass aka 'Memory Disambiguation' (bsc#1092631)
This feature can be controlled by the 'ssbd=on/off' commandline flag for the XEN hypervisor.
- CVE-2018-10982: x86 vHPET interrupt injection errors (XSA-261 bsc#1090822)
- CVE-2018-10981: qemu may drive Xen into unbounded loop (XSA-262 bsc#1090823)
Other bugfixes:
- Upstream patches from Jan (bsc#1027519)
- additional fixes related to Page Table Isolation (XPTI). (bsc#1074562 XSA-254)
- qemu-system-i386 cannot handle more than 4 HW NICs (bsc#1090296)
ImportantSUSE bug 1027519SUSE bug 1074562SUSE bug 1090296SUSE bug 1090822SUSE bug 1090823SUSE bug 1092631CVE-2018-10981 at SUSECVE-2018-10981 at NVDCVE-2018-10982 at SUSECVE-2018-10982 at NVDCVE-2018-3639 at SUSECVE-2018-3639 at NVDcpe:/o:suse:sles:12:sp3Security update for webkit2gtk3 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for webkit2gtk3 fixes the following issues:
Security issue fixed:
- CVE-2019-8375: Fixed an issue in UIProcess subsystem which could allow the script dialog
size to exceed the web view size leading to Buffer Overflow or other unspecified impact (bsc#1126768).
ModerateSUSE bug 1126768CVE-2019-8375 at SUSECVE-2019-8375 at NVDcpe:/o:suse:sles:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ImageMagick fixes the following issues:
Security issues fixed:
- CVE-2019-9956: Fixed a stack-based buffer overflow in PopHexPixel() (bsc#1130330).
- CVE-2019-10650: Fixed a heap-based buffer over-read in WriteTIFFImage() (bsc#1131317).
- CVE-2019-7175: Fixed multiple memory leaks in DecodeImage function (bsc#1128649).
- CVE-2018-20467: Fixed infinite loop in coders/bmp.c (bsc#1120381).
- CVE-2019-7398: Fixed a memory leak in the function WriteDIBImage (bsc#1124365).
- CVE-2019-7397: Fixed a memory leak in the function WritePDFImage (bsc#1124366).
- CVE-2019-7395: Fixed a memory leak in the function WritePSDChannel (bsc#1124368).
- CVE-2018-16413: Fixed a heap-based buffer over-read in PushShortPixel() (bsc#1106989).
- CVE-2018-16412: Fixed a heap-based buffer over-read in ParseImageResourceBlocks() (bsc#1106996).
- CVE-2018-16644: Fixed a regression in dcm coder (bsc#1107609).
- CVE-2019-11007: Fixed a heap-based buffer overflow in ReadMNGImage() (bsc#1132060).
- CVE-2019-11008: Fixed a heap-based buffer overflow in WriteXWDImage() (bsc#1132054).
- CVE-2019-11009: Fixed a heap-based buffer over-read in ReadXWDImage() (bsc#1132053).
- Added extra -config- packages with Postscript/EPS/PDF readers still enabled.
Removing the PS decoders is used to harden ImageMagick against security issues within
ghostscript. Enabling them might impact security. (bsc#1122033)
These are two packages that can be selected:
- ImageMagick-config-6-SUSE: This has the PS decoders disabled.
- ImageMagick-config-6-upstream: This has the PS decoders enabled.
Depending on your local needs install either one of them. The default is the -SUSE configuration.
ModerateSUSE bug 1106989SUSE bug 1106996SUSE bug 1107609SUSE bug 1120381SUSE bug 1122033SUSE bug 1124365SUSE bug 1124366SUSE bug 1124368SUSE bug 1128649SUSE bug 1130330SUSE bug 1131317SUSE bug 1132053SUSE bug 1132054SUSE bug 1132060CVE-2018-16412 at SUSECVE-2018-16412 at NVDCVE-2018-16413 at SUSECVE-2018-16413 at NVDCVE-2018-16644 at SUSECVE-2018-16644 at NVDCVE-2018-20467 at SUSECVE-2018-20467 at NVDCVE-2019-10650 at SUSECVE-2019-10650 at NVDCVE-2019-11007 at SUSECVE-2019-11007 at NVDCVE-2019-11008 at SUSECVE-2019-11008 at NVDCVE-2019-11009 at SUSECVE-2019-11009 at NVDCVE-2019-7175 at SUSECVE-2019-7175 at NVDCVE-2019-7395 at SUSECVE-2019-7395 at NVDCVE-2019-7397 at SUSECVE-2019-7397 at NVDCVE-2019-7398 at SUSECVE-2019-7398 at NVDCVE-2019-9956 at SUSECVE-2019-9956 at NVDcpe:/o:suse:sles:12:sp3Security update for samba (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for samba fixes the following issues:
Security issue fixed:
- CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060).
Non-security issues fixed:
- Fix vfs_ceph ftruncate and fallocate handling (bsc#1127153).
- Abide by load_printers smb.conf parameter (bsc#1124223).
- s3:winbindd: let normalize_name_map() call find_domain_from_name_noinit() (bsc#1123755).
- s3:passdb: Do not return OK if we don't have pinfo set up (bsc#1099590).
- s3:winbind: Fix regression (bsc#1123755).
ModerateSUSE bug 1099590SUSE bug 1123755SUSE bug 1124223SUSE bug 1127153SUSE bug 1131060CVE-2019-3880 at SUSECVE-2019-3880 at NVDcpe:/o:suse:sles:12:sp3Security update for wireshark (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for wireshark to version 2.4.14 fixes the following issues:
Security issues fixed:
- CVE-2019-10895: NetScaler file parser crash.
- CVE-2019-10899: SRVLOC dissector crash.
- CVE-2019-10894: GSS-API dissector crash.
- CVE-2019-10896: DOF dissector crash.
- CVE-2019-10901: LDSS dissector crash.
- CVE-2019-10903: DCERPC SPOOLSS dissector crash.
Non-security issue fixed:
- Update to version 2.4.14 (bsc#1131945).
ModerateSUSE bug 1131945CVE-2019-10894 at SUSECVE-2019-10894 at NVDCVE-2019-10895 at SUSECVE-2019-10895 at NVDCVE-2019-10896 at SUSECVE-2019-10896 at NVDCVE-2019-10899 at SUSECVE-2019-10899 at NVDCVE-2019-10901 at SUSECVE-2019-10901 at NVDCVE-2019-10903 at SUSECVE-2019-10903 at NVDcpe:/o:suse:sles:12:sp3Security update for libvirt (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libvirt fixes the following issues:
Security issues fixed:
- CVE-2019-3840: Fixed a null pointer dereference vulnerability in virJSONValueObjectHasKey function which could
have resulted in a remote denial of service via the guest agent (bsc#1127458).
- CVE-2019-3886: Fixed an information leak which allowed to retrieve the guest
hostname under readonly mode (bsc#1131595).
Other issue addressed:
- cpu: add Skylake-Server and Skylake-Server-IBRS CPU models (FATE#327261, bsc#1131955)
- libxl: save current memory value after successful balloon (bsc#1120813).
- libxl: support Xen's max_grant_frames setting with maxGrantFrames attribute on the xenbus controller (bsc#1126325).
- conf: add new 'xenbus' controller type
ModerateSUSE bug 1120813SUSE bug 1126325SUSE bug 1127458SUSE bug 1131595SUSE bug 1131955CVE-2019-3840 at SUSECVE-2019-3840 at NVDCVE-2019-3886 at SUSECVE-2019-3886 at NVDcpe:/o:suse:sles:12:sp3Security update for libssh2_org (Important)SUSE Linux Enterprise Server 12 SP3
This update for libssh2_org fixes the following issues:
- Incorrect upstream fix for CVE-2019-3859 broke public key authentication [bsc#1133528, bsc#1130103]
ImportantSUSE bug 1130103SUSE bug 1133528CVE-2019-3859 at SUSECVE-2019-3859 at NVDcpe:/o:suse:sles:12:sp3Security update for wpa_supplicant (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for wpa_supplicant fixes the following issues:
This security issue was fixed:
- CVE-2018-14526: Under certain conditions, the integrity of EAPOL-Key messages
was not checked, leading to a decryption oracle. An attacker within range of
the Access Point and client could have abused the vulnerability to recover
sensitive information (bsc#1104205).
This non-security issue was fixed:
- Enabled PWD as EAP method. This allows for password-based authentication,
which is easier to setup than most of the other methods, and is used by the
Eduroam network (bsc#1109209).
ModerateSUSE bug 1104205SUSE bug 1109209CVE-2018-14526 at SUSECVE-2018-14526 at NVDcpe:/o:suse:sles:12:sp3Security update for atftp (Important)SUSE Linux Enterprise Server 12 SP3
This update for atftp fixes the following issues:
Security issues fixed:
- CVE-2019-11366: Fixed a denial of service caused by a NULL pointer dereference because thread_list_mutex was not locked (bsc#1133145).
- CVE-2019-11365: Fixed a buffer overflow which could lead to remote code execution caused by an insecure use of strncpy() (bsc#1133114).
ImportantSUSE bug 1133114SUSE bug 1133145CVE-2019-11365 at SUSECVE-2019-11365 at NVDCVE-2019-11366 at SUSECVE-2019-11366 at NVDcpe:/o:suse:sles:12:sp3Security update for krb5 (Important)SUSE Linux Enterprise Server 12 SP3
This update for krb5 fixes the following issues:
Security issue fixed:
- CVE-2018-20217: Fixed an assertion issue with older encryption types (bsc#1120489)
ImportantSUSE bug 1120489CVE-2018-20217 at SUSECVE-2018-20217 at NVDcpe:/o:suse:sles:12:sp3Security update for libjpeg-turbo (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libjpeg-turbo fixes the following issues:
The following security vulnerabilities were addressed:
- CVE-2018-14498: Fixed a heap-based buffer over read in get_8bit_row function
which could allow to an attacker to cause denial of service (bsc#1128712).
- CVE-2018-11813: Fixed the end-of-file mishandling in read_pixel in rdtarga.c,
which allowed remote attackers to cause a denial-of-service via crafted JPG
files due to a large loop (bsc#1096209)
- CVE-2018-1152: Fixed a denial of service in start_input_bmp() rdbmp.c caused
by a divide by zero when processing a crafted BMP image (bsc#1098155)
ModerateSUSE bug 1096209SUSE bug 1098155SUSE bug 1128712CVE-2018-1152 at SUSECVE-2018-1152 at NVDCVE-2018-11813 at SUSECVE-2018-11813 at NVDCVE-2018-14498 at SUSECVE-2018-14498 at NVDcpe:/o:suse:sles:12:sp3Security update for hostinfo, supportutils (Important)SUSE Linux Enterprise Server 12 SP3
This update for hostinfo, supportutils fixes the following issues:
Security issues fixed for supportutils:
- CVE-2018-19640: Fixed an issue where users could kill arbitrary processes (bsc#1118463).
- CVE-2018-19638: Fixed an issue where users could overwrite arbitrary log files (bsc#1118460).
- CVE-2018-19639: Fixed a code execution if run with -v (bsc#1118462).
- CVE-2018-19637: Fixed an issue where static temporary filename could allow overwriting of files (bsc#1117776).
- CVE-2018-19636: Fixed a local root exploit via inclusion of attacker controlled shell script (bsc#1117751).
Other issues fixed for supportutils:
- Fixed invalid exit code commands (bsc#1125666)
- SUSE separation in supportconfig (bsc#1125623)
- Clarified supportconfig(8) -x option (bsc#1115245)
- supportconfig: 3.0.127
- btrfs filesystem usage
- List products.d
- Dump lsof errors
- Added ha commands for corosync
- Dumped find errors in ib_info
Issues fixed in hostinfo:
- Removed extra kernel install dates (bsc#1099498)
- Resolved network bond issue (bsc#1054979)
ImportantSUSE bug 1054979SUSE bug 1099498SUSE bug 1115245SUSE bug 1117751SUSE bug 1117776SUSE bug 1118460SUSE bug 1118462SUSE bug 1118463SUSE bug 1125623SUSE bug 1125666CVE-2018-19636 at SUSECVE-2018-19636 at NVDCVE-2018-19637 at SUSECVE-2018-19637 at NVDCVE-2018-19638 at SUSECVE-2018-19638 at NVDCVE-2018-19639 at SUSECVE-2018-19639 at NVDCVE-2018-19640 at SUSECVE-2018-19640 at NVDcpe:/o:suse:sles:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for openssl fixes the following issues:
- Reject invalid EC point coordinates (bsc#1131291)
This helps openssl using services that do not do this verification on their own.
ModerateSUSE bug 1131291cpe:/o:suse:sles:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3
This update for webkit2gtk3 to version 2.24.1 fixes the following issues:
Security issues fixed:
- CVE-2019-6201, CVE-2019-6251, CVE-2019-7285, CVE-2019-7292, CVE-2019-8503, CVE-2019-8506,
CVE-2019-8515, CVE-2019-8524, CVE-2019-8535, CVE-2019-8536, CVE-2019-8544, CVE-2019-8551,
CVE-2019-8558, CVE-2019-8559, CVE-2019-8563, CVE-2019-11070 (bsc#1132256).
ImportantSUSE bug 1132256CVE-2019-11070 at SUSECVE-2019-11070 at NVDCVE-2019-6201 at SUSECVE-2019-6201 at NVDCVE-2019-6251 at SUSECVE-2019-6251 at NVDCVE-2019-7285 at SUSECVE-2019-7285 at NVDCVE-2019-7292 at SUSECVE-2019-7292 at NVDCVE-2019-8503 at SUSECVE-2019-8503 at NVDCVE-2019-8506 at SUSECVE-2019-8506 at NVDCVE-2019-8515 at SUSECVE-2019-8515 at NVDCVE-2019-8524 at SUSECVE-2019-8524 at NVDCVE-2019-8535 at SUSECVE-2019-8535 at NVDCVE-2019-8536 at SUSECVE-2019-8536 at NVDCVE-2019-8544 at SUSECVE-2019-8544 at NVDCVE-2019-8551 at SUSECVE-2019-8551 at NVDCVE-2019-8558 at SUSECVE-2019-8558 at NVDCVE-2019-8559 at SUSECVE-2019-8559 at NVDCVE-2019-8563 at SUSECVE-2019-8563 at NVDcpe:/o:suse:sles:12:sp3Security update for audit (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for audit fixes the following issues:
Audit on SUSE Linux Enterprise 12 SP3 was updated to 2.8.1 to bring
new features and bugfixes. (bsc#1125535 FATE#326346)
* Many features were added to auparse_normalize
* cli option added to auditd and audispd for setting config dir
* In auditd, restore the umask after creating a log file
* Option added to auditd for skipping email verification
The full changelog can be found here: http://people.redhat.com/sgrubb/audit/ChangeLog
- Change openldap dependency to client only (bsc#1085003)
Minor security issue fixed:
- CVE-2015-5186: Audit: log terminal emulator escape sequences handling (bsc#941922)
ModerateSUSE bug 1042781SUSE bug 1085003SUSE bug 1125535SUSE bug 941922CVE-2015-5186 at SUSECVE-2015-5186 at NVDcpe:/o:suse:sles:12:sp3Security update for freeradius-server (Important)SUSE Linux Enterprise Server 12 SP3
This update for freeradius-server fixes the following issues:
Security issues fixed:
- CVE-2019-11235: Fixed an authentication bypass related to the EAP-PWD Commit frame and insufficent validation of elliptic curve points (bsc#1132549).
- CVE-2019-11234: Fixed an authentication bypass caused by reflecting privous values back to the server (bsc#1132664).
ImportantSUSE bug 1132549SUSE bug 1132664CVE-2019-11234 at SUSECVE-2019-11234 at NVDCVE-2019-11235 at SUSECVE-2019-11235 at NVDcpe:/o:suse:sles:12:sp3Security update for mutt (Important)SUSE Linux Enterprise Server 12 SP3
This update for mutt fixes the following issues:
Security issues fixed:
- bsc#1101428: Mutt 1.10.1 security release update.
- CVE-2018-14351: Fix imap/command.c that mishandles long IMAP status mailbox literal count size (bsc#1101583).
- CVE-2018-14353: Fix imap_quote_string in imap/util.c that has an integer underflow (bsc#1101581).
- CVE-2018-14362: Fix pop.c that does not forbid characters that may have unsafe interaction with message-cache pathnames (bsc#1101567).
- CVE-2018-14354: Fix arbitrary command execution from remote IMAP servers via backquote characters (bsc#1101578).
- CVE-2018-14352: Fix imap_quote_string in imap/util.c that does not leave room for quote characters (bsc#1101582).
- CVE-2018-14356: Fix pop.c that mishandles a zero-length UID (bsc#1101576).
- CVE-2018-14355: Fix imap/util.c that mishandles '..' directory traversal in a mailbox name (bsc#1101577).
- CVE-2018-14349: Fix imap/command.c that mishandles a NO response without a message (bsc#1101589).
- CVE-2018-14350: Fix imap/message.c that has a stack-based buffer overflow for a FETCH response with along INTERNALDATE field (bsc#1101588).
- CVE-2018-14363: Fix newsrc.c that does not properlyrestrict '/' characters that may have unsafe interaction with cache pathnames (bsc#1101566).
- CVE-2018-14359: Fix buffer overflow via base64 data (bsc#1101570).
- CVE-2018-14358: Fix imap/message.c that has a stack-based buffer overflow for a FETCH response with along RFC822.SIZE field (bsc#1101571).
- CVE-2018-14360: Fix nntp_add_group in newsrc.c that has a stack-based buffer overflow because of incorrect sscanf usage (bsc#1101569).
- CVE-2018-14357: Fix that remote IMAP servers are allowed to execute arbitrary commands via backquote characters (bsc#1101573).
- CVE-2018-14361: Fix that nntp.c proceeds even if memory allocation fails for messages data (bsc#1101568).
Bug fixes:
- mutt reports as neomutt and incorrect version (bsc#1094717)
- No sidebar available in mutt 1.6.1 from Tumbleweed snapshot 20160517 (bsc#980830)
- mutt-1.6.1 unusable when built with --enable-sidebar (bsc#982129)
- (neo)mutt displaying times in Zulu time (bsc#1061343)
- mutt unconditionally segfaults when displaying a message (bsc#986534)
ImportantSUSE bug 1061343SUSE bug 1094717SUSE bug 1101428SUSE bug 1101566SUSE bug 1101567SUSE bug 1101568SUSE bug 1101569SUSE bug 1101570SUSE bug 1101571SUSE bug 1101573SUSE bug 1101576SUSE bug 1101577SUSE bug 1101578SUSE bug 1101581SUSE bug 1101582SUSE bug 1101583SUSE bug 1101588SUSE bug 1101589SUSE bug 980830SUSE bug 982129SUSE bug 986534CVE-2014-9116 at SUSECVE-2014-9116 at NVDCVE-2018-14349 at SUSECVE-2018-14349 at NVDCVE-2018-14350 at SUSECVE-2018-14350 at NVDCVE-2018-14351 at SUSECVE-2018-14351 at NVDCVE-2018-14352 at SUSECVE-2018-14352 at NVDCVE-2018-14353 at SUSECVE-2018-14353 at NVDCVE-2018-14354 at SUSECVE-2018-14354 at NVDCVE-2018-14355 at SUSECVE-2018-14355 at NVDCVE-2018-14356 at SUSECVE-2018-14356 at NVDCVE-2018-14357 at SUSECVE-2018-14357 at NVDCVE-2018-14358 at SUSECVE-2018-14358 at NVDCVE-2018-14359 at SUSECVE-2018-14359 at NVDCVE-2018-14360 at SUSECVE-2018-14360 at NVDCVE-2018-14361 at SUSECVE-2018-14361 at NVDCVE-2018-14362 at SUSECVE-2018-14362 at NVDCVE-2018-14363 at SUSECVE-2018-14363 at NVDcpe:/o:suse:sles:12:sp3Security update for ovmf (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ovmf fixes the following issues:
Security issue fixed:
- CVE-2019-0161: Fixed a stack overflow in UsbBusDxe and UsbBusPei, which could
potentially be triggered by a local unauthenticated user (bsc#1131361).
ModerateSUSE bug 1131361CVE-2019-0161 at SUSECVE-2019-0161 at NVDcpe:/o:suse:sles:12:sp3Security update for sqlite3 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for sqlite3 fixes the following issues:
Security issue fixed:
- CVE-2018-8740: Fixed a NULL pointer dereference related to corrupted databases schemas (bsc#1085790).
- CVE-2017-10989: Fixed a heap-based buffer over-read in getNodeSize() (bsc#1132045).
ModerateSUSE bug 1085790SUSE bug 1132045CVE-2017-10989 at SUSECVE-2017-10989 at NVDCVE-2018-8740 at SUSECVE-2018-8740 at NVDcpe:/o:suse:sles:12:sp3Security update for jakarta-commons-fileupload (Important)SUSE Linux Enterprise Server 12 SP3
This update for jakarta-commons-fileupload fixes the following issue:
Security issue fixed:
- CVE-2016-1000031: Fixed remote execution (bsc#1128963, bsc#1128829).
ImportantSUSE bug 1128829SUSE bug 1128963CVE-2016-1000031 at SUSECVE-2016-1000031 at NVDcpe:/o:suse:sles:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3
This update for java-1_8_0-openjdk to version 8u212 fixes the following issues:
Security issues fixed:
- CVE-2019-2602: Better String parsing (bsc#1132728).
- CVE-2019-2684: More dynamic RMI interactions (bsc#1132732).
- CVE-2019-2698: Fuzzing TrueType fonts - setCurrGlyphID() (bsc#1132729).
- CVE-2019-2422: Better FileChannel (bsc#1122293).
- CVE-2018-11212: Improve JPEG (bsc#1122299).
Non-Security issue fixed:
- Disable LTO (bsc#1133135).
- Added Japanese new era name.
ImportantSUSE bug 1122293SUSE bug 1122299SUSE bug 1132728SUSE bug 1132729SUSE bug 1132732SUSE bug 1133135CVE-2018-11212 at SUSECVE-2018-11212 at NVDCVE-2018-3639 at SUSECVE-2018-3639 at NVDCVE-2019-2422 at SUSECVE-2019-2422 at NVDCVE-2019-2426 at SUSECVE-2019-2426 at NVDCVE-2019-2602 at SUSECVE-2019-2602 at NVDCVE-2019-2684 at SUSECVE-2019-2684 at NVDCVE-2019-2698 at SUSECVE-2019-2698 at NVDcpe:/o:suse:sles:12:sp3Security update for libxslt (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libxslt fixes the following issues:
- CVE-2019-11068: Fixed a protection mechanism bypass where callers of
xsltCheckRead() and xsltCheckWrite() would permit access upon receiving an
error (bsc#1132160).
ModerateSUSE bug 1132160CVE-2019-11068 at SUSECVE-2019-11068 at NVDcpe:/o:suse:sles:12:sp3Security update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3
This update for ucode-intel fixes the following issues:
This update contains the Intel QSR 2019.1 Microcode release (bsc#1111331)
Four new speculative execution information leak issues have been identified in Intel CPUs. (bsc#1111331)
- CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
- CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)
- CVE-2018-12130: Microarchitectural Load Port Data Samling (MLPDS)
- CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
These updates contain the CPU Microcode adjustments for the software mitigations.
For more information on this set of vulnerabilities, check out https://www.suse.com/support/kb/doc/?id=7023736
Release notes:
- Processor Identifier Version Products
- Model Stepping F-MO-S/PI Old->New
- ---- new platforms ----------------------------------------
- CLX-SP B1 6-55-7/bf 05000021 Xeon Scalable Gen2
- ---- updated platforms ------------------------------------
- SNB D2/G1/Q0 6-2a-7/12 0000002e->0000002f Core Gen2
- IVB E1/L1 6-3a-9/12 00000020->00000021 Core Gen3
- HSW C0 6-3c-3/32 00000025->00000027 Core Gen4
- BDW-U/Y E0/F0 6-3d-4/c0 0000002b->0000002d Core Gen5
- IVB-E/EP C1/M1/S1 6-3e-4/ed 0000042e->0000042f Core Gen3 X Series; Xeon E5 v2
- IVB-EX D1 6-3e-7/ed 00000714->00000715 Xeon E7 v2
- HSX-E/EP Cx/M1 6-3f-2/6f 00000041->00000043 Core Gen4 X series; Xeon E5 v3
- HSX-EX E0 6-3f-4/80 00000013->00000014 Xeon E7 v3
- HSW-U C0/D0 6-45-1/72 00000024->00000025 Core Gen4
- HSW-H C0 6-46-1/32 0000001a->0000001b Core Gen4
- BDW-H/E3 E0/G0 6-47-1/22 0000001e->00000020 Core Gen5
- SKL-U/Y D0/K1 6-4e-3/c0 000000c6->000000cc Core Gen6
- SKX-SP H0/M0/U0 6-55-4/b7 0200005a->0000005e Xeon Scalable
- SKX-D M1 6-55-4/b7 0200005a->0000005e Xeon D-21xx
- BDX-DE V1 6-56-2/10 00000019->0000001a Xeon D-1520/40
- BDX-DE V2/3 6-56-3/10 07000016->07000017 Xeon D-1518/19/21/27/28/31/33/37/41/48, Pentium D1507/08/09/17/19
- BDX-DE Y0 6-56-4/10 0f000014->0f000015 Xeon D-1557/59/67/71/77/81/87
- BDX-NS A0 6-56-5/10 0e00000c->0e00000d Xeon D-1513N/23/33/43/53
- APL D0 6-5c-9/03 00000036->00000038 Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
- SKL-H/S R0/N0 6-5e-3/36 000000c6->000000cc Core Gen6; Xeon E3 v5
- DNV B0 6-5f-1/01 00000024->0000002e Atom Processor C Series
- GLK B0 6-7a-1/01 0000002c->0000002e Pentium Silver N/J5xxx, Celeron N/J4xxx
- AML-Y22 H0 6-8e-9/10 0000009e->000000b4 Core Gen8 Mobile
- KBL-U/Y H0 6-8e-9/c0 0000009a->000000b4 Core Gen7 Mobile
- CFL-U43e D0 6-8e-a/c0 0000009e->000000b4 Core Gen8 Mobile
- WHL-U W0 6-8e-b/d0 000000a4->000000b8 Core Gen8 Mobile
- WHL-U V0 6-8e-d/94 000000b2->000000b8 Core Gen8 Mobile
- KBL-G/H/S/E3 B0 6-9e-9/2a 0000009a->000000b4 Core Gen7; Xeon E3 v6
- CFL-H/S/E3 U0 6-9e-a/22 000000aa->000000b4 Core Gen8 Desktop, Mobile, Xeon E
- CFL-S B0 6-9e-b/02 000000aa->000000b4 Core Gen8
- CFL-H/S P0 6-9e-c/22 000000a2->000000ae Core Gen9
ImportantSUSE bug 1111331CVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDcpe:/o:suse:sles:12:sp3Security update for qemu (Important)SUSE Linux Enterprise Server 12 SP3
This update for qemu fixes the following issues:
- CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091: Added x86 cpu feature 'md-clear' (bsc#1111331)
ImportantSUSE bug 1111331CVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3
The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.178 to receive various security and bugfixes.
Four new speculative execution issues have been identified in Intel CPUs. (bsc#1111331)
- CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
- CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)
- CVE-2018-12130: Microarchitectural Load Port Data Samling (MLPDS)
- CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
This kernel update contains software mitigations, utilizing CPU microcode updates shipped in parallel.
For more information on this set of information leaks, check out https://www.suse.com/support/kb/doc/?id=7023736
The following security issues fixed:
- CVE-2018-5814: Multiple race condition errors when handling probe, disconnect, and rebind operations could be exploited to trigger a use-after-free condition or a NULL pointer dereference by sending multiple USB over IP packets (bnc#1096480).
- CVE-2018-1000204: Prevent infoleak caused by incorrect handling of the SG_IO ioctl (bsc#1096728)
- CVE-2018-10853: A flaw was found in the way the KVM hypervisor emulated instructions such as sgdt/sidt/fxsave/fxrstor. It did not check current privilege(CPL) level while emulating unprivileged instructions. An unprivileged guest user/process could use this flaw to potentially escalate privileges inside guest (bnc#1097104).
- CVE-2018-15594: arch/x86/kernel/paravirt.c mishandled certain indirect calls, which made it easier for attackers to conduct Spectre-v2 attacks against paravirtual guests (bnc#1105348).
- CVE-2019-9503: A brcmfmac frame validation bypass was fixed (bnc#1132828).
- CVE-2019-3882: A flaw was fixed in the vfio interface implementation that permitted violation of the user's locked memory limit. If a device is bound to a vfio driver, such as vfio-pci, and the local attacker is administratively granted ownership of the device, it may cause a system memory exhaustion and thus a denial of service (DoS). Versions 3.10, 4.14 and 4.18 are vulnerable (bnc#1131416 bnc#1131427).
The following non-security bugs were fixed:
- 9p/net: fix memory leak in p9_client_create (bnc#1012382).
- 9p: use inode->i_lock to protect i_size_write() under 32-bit (bnc#1012382).
- acpi: acpi_pad: Do not launch acpi_pad threads on idle cpus (bsc#1113399).
- acpi / bus: Only call dmi_check_system() on X86 (git-fixes).
- acpi / button: make module loadable when booted in non-ACPI mode (bsc#1051510).
- acpi / device_sysfs: Avoid OF modalias creation for removed device (bnc#1012382).
- acpi: include ACPI button driver in base kernel (bsc#1062056).
- Add hlist_add_tail_rcu() (Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net) (bnc#1012382).
- alsa: bebob: use more identical mod_alias for Saffire Pro 10 I/O against Liquid Saffire 56 (bnc#1012382).
- alsa: compress: add support for 32bit calls in a 64bit kernel (bnc#1012382).
- alsa: compress: prevent potential divide by zero bugs (bnc#1012382).
- alsa: hda - Enforces runtime_resume after S3 and S4 for each codec (bnc#1012382).
- alsa: hda - Record the current power state before suspend/resume calls (bnc#1012382).
- alsa: pcm: Do not suspend stream in unrecoverable PCM state (bnc#1012382).
- alsa: pcm: Fix possible OOB access in PCM oss plugins (bnc#1012382).
- alsa: rawmidi: Fix potential Spectre v1 vulnerability (bnc#1012382).
- alsa: seq: oss: Fix Spectre v1 vulnerability (bnc#1012382).
- applicom: Fix potential Spectre v1 vulnerabilities (bnc#1012382).
- arc: fix __ffs return value to avoid build warnings (bnc#1012382).
- arc: uacces: remove lp_start, lp_end from clobber list (bnc#1012382).
- arcv2: Enable unaligned access in early ASM code (bnc#1012382).
- arm64: fix COMPAT_SHMLBA definition for large pages (bnc#1012382).
- arm64: Fix NUMA build error when !CONFIG_ACPI (fate#319981, git-fixes).
- arm64: Fix NUMA build error when !CONFIG_ACPI (git-fixes).
- arm64: hide __efistub_ aliases from kallsyms (bnc#1012382).
- arm64: kconfig: drop CONFIG_RTC_LIB dependency (bnc#1012382).
- arm64/kernel: fix incorrect EL0 check in inv_entry macro (bnc#1012382).
- arm64: mm: Add trace_irqflags annotations to do_debug_exception() (bnc#1012382).
- arm64: Relax GIC version check during early boot (bnc#1012382).
- arm64: support keyctl() system call in 32-bit mode (bnc#1012382).
- arm64: traps: disable irq in die() (bnc#1012382).
- arm: 8458/1: bL_switcher: add GIC dependency (bnc#1012382).
- arm: 8494/1: mm: Enable PXN when running non-LPAE kernel on LPAE processor (bnc#1012382).
- arm: 8510/1: rework ARM_CPU_SUSPEND dependencies (bnc#1012382).
- arm: 8824/1: fix a migrating irq bug when hotplug cpu (bnc#1012382).
- arm: dts: exynos: Add minimal clkout parameters to Exynos3250 PMU (bnc#1012382).
- arm: dts: exynos: Do not ignore real-world fuse values for thermal zone 0 on Exynos5420 (bnc#1012382).
- arm: imx6q: cpuidle: fix bug that CPU might not wake up at expected time (bnc#1012382).
- arm: OMAP2+: Variable 'reg' in function omap4_dsi_mux_pads() could be uninitialized (bnc#1012382).
- arm: pxa: ssp: unneeded to free devm_ allocated data (bnc#1012382).
- arm: s3c24xx: Fix boolean expressions in osiris_dvs_notify (bnc#1012382).
- ASoC: dapm: change snprintf to scnprintf for possible overflow (bnc#1012382).
- ASoC: fsl_esai: fix register setting issue in RIGHT_J mode (bnc#1012382).
- ASoC: imx-audmux: change snprintf to scnprintf for possible overflow (bnc#1012382).
- ASoC: Intel: Haswell/Broadwell: fix setting for .dynamic field (bnc#1012382).
- ASoC: topology: free created components in tplg load error (bnc#1012382).
- assoc_array: Fix shortcut creation (bnc#1012382).
- ath10k: avoid possible string overflow (bnc#1012382).
- ath9k_htc: Add a sanity check in ath9k_htc_ampdu_action() (bsc#1087092).
- atm: he: fix sign-extension overflow on large shift (bnc#1012382).
- autofs: drop dentry reference only when it is never used (bnc#1012382).
- autofs: fix error return in autofs_fill_super() (bnc#1012382).
- batman-adv: Avoid endless loop in bat-on-bat netdevice check (git-fixes).
- batman-adv: Fix lockdep annotation of batadv_tlv_container_remove (git-fixes).
- batman-adv: fix uninit-value in batadv_interface_tx() (bnc#1012382).
- batman-adv: Only put gw_node list reference when removed (git-fixes).
- batman-adv: Only put orig_node_vlan list reference when removed (git-fixes).
- bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt (bnc#1012382).
- bnxt_en: Drop oversize TX packets to prevent errors (bnc#1012382).
- btrfs: Avoid possible qgroup_rsv_size overflow in btrfs_calculate_inode_block_rsv_size (git-fixes).
- btrfs: Fix bound checking in qgroup_trace_new_subtree_blocks (pending fix for bsc#1063638).
- btrfs: fix corruption reading shared and compressed extents after hole punching (bnc#1012382).
- btrfs: qgroup: Cleanup old subtree swap code (bsc#1063638).
- btrfs: qgroup: Do not trace subtree if we're dropping reloc tree (bsc#1063638).
- btrfs: qgroup: Introduce function to find all new tree blocks of reloc tree (bsc#1063638).
- btrfs: qgroup: Introduce function to trace two swaped extents (bsc#1063638).
- btrfs: qgroup: Introduce per-root swapped blocks infrastructure (bsc#1063638).
- btrfs: qgroup: Introduce trace event to analyse the number of dirty extents accounted (bsc#1063638 dependency).
- btrfs: qgroup: Only trace data extents in leaves if we're relocating data block group (bsc#1063638).
- btrfs: qgroup: Refactor btrfs_qgroup_trace_subtree_swap (bsc#1063638).
- btrfs: qgroup: Search commit root for rescan to avoid missing extent (bsc#1129326).
- btrfs: qgroup: Use delayed subtree rescan for balance (bsc#1063638).
- btrfs: qgroup: Use generation-aware subtree swap to mark dirty extents (bsc#1063638).
- btrfs: raid56: properly unmap parity page in finish_parity_scrub() (bnc#1012382).
- btrfs: relocation: Delay reloc tree deletion after merge_reloc_roots (bsc#1063638).
- btrfs: remove WARN_ON in log_dir_items (bnc#1012382).
- cdc-wdm: pass return value of recover_from_urb_loss (bsc#1129770).
- cfg80211: extend range deviation for DMG (bnc#1012382).
- cfg80211: size various nl80211 messages correctly (bnc#1012382).
- cifs: fix computation for MAX_SMB2_HDR_SIZE (bnc#1012382).
- cifs: fix POSIX lock leak and invalid ptr deref (bsc#1114542).
- cifs: Fix read after write for files with read caching (bnc#1012382).
- clk: ingenic: Fix round_rate misbehaving with non-integer dividers (bnc#1012382).
- clocksource/drivers/exynos_mct: Clear timer interrupt when shutdown (bnc#1012382).
- clocksource/drivers/exynos_mct: Move one-shot check from tick clear to ISR (bnc#1012382).
- cls_bpf: reset class and reuse major in da (git-fixes).
- coresight: coresight_unregister() function cleanup (bnc#1012382).
- coresight: 'DEVICE_ATTR_RO' should defined as static (bnc#1012382).
- coresight: etm4x: Check every parameter used by dma_xx_coherent (bnc#1012382).
- coresight: fixing lockdep error (bnc#1012382).
- coresight: release reference taken by 'bus_find_device()' (bnc#1012382).
- coresight: remove csdev's link from topology (bnc#1012382).
- coresight: removing bind/unbind options from sysfs (bnc#1012382).
- cpufreq: pxa2xx: remove incorrect __init annotation (bnc#1012382).
- cpufreq: tegra124: add missing of_node_put() (bnc#1012382).
- cpufreq: Use struct kobj_attribute instead of struct global_attr (bnc#1012382).
- cpu/hotplug: Handle unbalanced hotplug enable/disable (bnc#1012382).
- cpu/speculation: Add 'mitigations=' cmdline option (bsc#1112178).
- crypto: ahash - fix another early termination in hash walk (bnc#1012382).
- crypto: arm64/aes-ccm - fix logical bug in AAD MAC handling (bnc#1012382).
- crypto: caam - fixed handling of sg list (bnc#1012382).
- crypto: pcbc - remove bogus memcpy()s with src == dest (bnc#1012382).
- crypto: qat - remove unused and redundant pointer vf_info (bsc#1085539).
- crypto: tgr192 - fix unaligned memory access (bsc#1129770).
- cw1200: fix missing unlock on error in cw1200_hw_scan() (bsc#1129770).
- dccp: do not use ipv6 header for ipv4 flow (bnc#1012382).
- disable kgdboc failed by echo space to /sys/module/kgdboc/parameters/kgdboc (bnc#1012382).
- dmaengine: at_xdmac: Fix wrongfull report of a channel as in use (bnc#1012382).
- dmaengine: dmatest: Abort test in case of mapping error (bnc#1012382).
- dmaengine: usb-dmac: Make DMAC system sleep callbacks explicit (bnc#1012382).
- dm: disable DISCARD if the underlying storage no longer supports it (bsc#1114638).
- dm: fix to_sector() for 32bit (bnc#1012382).
- drivers: hv: vmbus: Fix bugs in rescind handling (bsc#1130567).
- drivers: hv: vmbus: Fix ring buffer signaling (bsc#1118506).
- drivers: hv: vmbus: Fix the offer_in_progress in vmbus_process_offer() (bsc#1130567).
- drivers: hv: vmbus: Offload the handling of channels to two workqueues (bsc#1130567).
- drivers: hv: vmbus: Reset the channel callback in vmbus_onoffer_rescind() (bsc#1130567).
- drm/msm: Unblock writer if reader closes file (bnc#1012382).
- drm/vmwgfx: Do not double-free the mode stored in par->set_mode (bsc#1106929)
- efi: stub: define DISABLE_BRANCH_PROFILING for all architectures (bnc#1012382).
- ext2: Fix underflow in ext2_max_size() (bnc#1012382).
- ext4: Avoid panic during forced reboot (bsc#1126356).
- ext4: brelse all indirect buffer in ext4_ind_remove_space() (bnc#1012382).
- ext4: fix data corruption caused by unaligned direct AIO (bnc#1012382).
- ext4: fix NULL pointer dereference while journal is aborted (bnc#1012382).
- extcon: usb-gpio: Do not miss event during suspend/resume (bnc#1012382).
- firmware: dmi: Optimize dmi_matches (git-fixes).
- floppy: check_events callback should not return a negative number (git-fixes).
- flow_dissector: Check for IP fragmentation even if not using IPv4 address (git-fixes).
- fs/9p: use fscache mutex rather than spinlock (bnc#1012382).
- fs/nfs: Fix nfs_parse_devname to not modify it's argument (git-fixes).
- fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links (bnc#1012382).
- fuse: continue to send FUSE_RELEASEDIR when FUSE_OPEN returns ENOSYS (git-fixes).
- fuse: fix possibly missed wake-up after abort (git-fixes).
- futex: Ensure that futex address is aligned in handle_futex_death() (bnc#1012382).
- futex,rt_mutex: Fix rt_mutex_cleanup_proxy_lock() (git-fixes).
- futex,rt_mutex: Restructure rt_mutex_finish_proxy_lock() (bnc#1012382).
- gpio: adnp: Fix testing wrong value in adnp_gpio_direction_input (bnc#1012382).
- gpio: vf610: Mask all GPIO interrupts (bnc#1012382).
- gro_cells: make sure device is up in gro_cells_receive() (bnc#1012382).
- hid-sensor-hub.c: fix wrong do_div() usage (bnc#1012382).
- hpet: Fix missing '=' character in the __setup() code of hpet_mmap_enable (bsc#1129770).
- hugetlbfs: fix races and page leaks during migration (bnc#1012382).
- hv_netvsc: Fix napi reschedule while receive completion is busy (bsc#1118506).
- hv_netvsc: fix race in napi poll when rescheduling (bsc#1118506).
- hv_netvsc: Fix the return status in RX path (bsc#1118506).
- hv_netvsc: use napi_schedule_irqoff (bsc#1118506).
- hv: v4.12 API for hyperv-iommu (bsc#1122822).
- hv: v4.12 API for hyperv-iommu (fate#327171, bsc#1122822).
- i2c: cadence: Fix the hold bit setting (bnc#1012382).
- i2c: tegra: fix maximum transfer size (bnc#1012382).
- ib/{hfi1, qib}: Fix WC.byte_len calculation for UD_SEND_WITH_IMM (bnc#1012382).
- ibmvnic: Enable GRO (bsc#1132227).
- ibmvnic: Fix completion structure initialization (bsc#1131659).
- ibmvnic: Fix netdev feature clobbering during a reset (bsc#1132227).
- input: elan_i2c - add id for touchpad found in Lenovo s21e-20 (bnc#1012382).
- input: matrix_keypad - use flush_delayed_work() (bnc#1012382).
- input: st-keyscan - fix potential zalloc NULL dereference (bnc#1012382).
- input: wacom_serial4 - add support for Wacom ArtPad II tablet (bnc#1012382).
- intel_th: Do not reference unassigned outputs (bnc#1012382).
- intel_th: gth: Fix an off-by-one in output unassigning (git-fixes).
- iommu/amd: Fix NULL dereference bug in match_hid_uid (bsc#1130345).
- iommu/amd: fix sg->dma_address for sg->offset bigger than PAGE_SIZE (bsc#1130346).
- iommu/amd: Reserve exclusion range in iova-domain (bsc#1130425).
- iommu/amd: Set exclusion range correctly (bsc#1130425).
- iommu: Do not print warning when IOMMU driver only supports unmanaged domains (bsc#1130130).
- iommu/hyper-v: Add Hyper-V stub IOMMU driver (bsc#1122822).
- iommu/hyper-v: Add Hyper-V stub IOMMU driver (fate#327171, bsc#1122822).
- iommu/vt-d: Check capability before disabling protected memory (bsc#1130347).
- ip6: fix PMTU discovery when using /127 subnets (git-fixes).
- ip6mr: Do not call __IP6_INC_STATS() from preemptible context (bnc#1012382).
- ip_tunnel: fix ip tunnel lookup in collect_md mode (git-fixes).
- ipvlan: disallow userns cap_net_admin to change global mode/flags (bnc#1012382).
- ipvs: Fix signed integer overflow when setsockopt timeout (bnc#1012382).
- irqchip/mmp: Only touch the PJ4 IRQ & FIQ bits on enable/disable (bnc#1012382).
- iscsi_ibft: Fix missing break in switch statement (bnc#1012382).
- isdn: avm: Fix string plus integer warning from Clang (bnc#1012382).
- isdn: i4l: isdn_tty: Fix some concurrency double-free bugs (bnc#1012382).
- isdn: isdn_tty: fix build warning of strncpy (bnc#1012382).
- iwlwifi: dbg: do not crash if the firmware crashes in the middle of a debug dump (bsc#1119086).
- jbd2: clear dirty flag when revoking a buffer from an older transaction (bnc#1012382).
- jbd2: fix compile warning when using JBUFFER_TRACE (bnc#1012382).
- kabi fixup gendisk disk_devt revert (bsc#1020989).
- kbuild: setlocalversion: print error to STDERR (bnc#1012382).
- kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv (bnc#1012382).
- keys: allow reaching the keys quotas exactly (bnc#1012382).
- keys: always initialize keyring_index_key::desc_len (bnc#1012382).
- keys: restrict /proc/keys by credentials at open time (bnc#1012382).
- keys: user: Align the payload buffer (bnc#1012382).
- kvm: Call kvm_arch_memslots_updated() before updating memslots (bsc#1132634).
- kvm: nSVM: clear events pending from svm_complete_interrupts() when exiting to L1 (bnc#1012382).
- kvm: nVMX: Apply addr size mask to effective address for VMX instructions (bsc#1132635).
- kvm: nVMX: Ignore limit checks on VMX instructions using flat segments (bnc#1012382).
- kvm: nVMX: Sign extend displacements of VMX instr's mem operands (bnc#1012382).
- kvm: Reject device ioctls from processes other than the VM's creator (bnc#1012382).
- kvm: VMX: Compare only a single byte for VMCS' 'launched' in vCPU-run (bsc#1132636).
- kvm: VMX: Zero out *all* general purpose registers after VM-Exit (bsc#1132637).
- kvm: x86: Emulate MSR_IA32_ARCH_CAPABILITIES on AMD hosts (bsc#1132534).
- kvm: X86: Fix residual mmio emulation request to userspace (bnc#1012382).
- kvm: x86/mmu: Do not cache MMIO accesses while memslots are in flux (bsc#1132638).
- l2tp: fix infoleak in l2tp_ip6_recvmsg() (git-fixes).
- leds: lp5523: fix a missing check of return value of lp55xx_read (bnc#1012382).
- libertas: call into generic suspend code before turning off power (bsc#1106110).
- libertas: fix suspend and resume for SDIO connected cards (bsc#1106110).
- lib/int_sqrt: optimize small argument (bnc#1012382).
- libnvdimm/pmem: Honor force_raw for legacy pmem regions (bsc#1131857).
- locking/lockdep: Add debug_locks check in __lock_downgrade() (bnc#1012382).
- locking/static_keys: Improve uninitialized key warning (bsc#1106913).
- m68k: Add -ffreestanding to CFLAGS (bnc#1012382).
- mac80211: do not initiate TDLS connection if station is not associated to AP (bnc#1012382).
- mac80211: fix miscounting of ttl-dropped frames (bnc#1012382).
- mac80211: fix 'warning: target metric may be used uninitialized' (bnc#1012382).
- mac80211_hwsim: propagate genlmsg_reply return code (bnc#1012382).
- mac8390: Fix mmio access size probe (bnc#1012382).
- md: Fix failed allocation of md_register_thread (bnc#1012382).
- mdio_bus: Fix use-after-free on device_register fails (bnc#1012382 git-fixes).
- md/raid1: do not clear bitmap bits on interrupted recovery (git-fixes).
- media: cx88: Get rid of spurious call to cx8800_start_vbi_dma() (bsc#1100132).
- media: uvcvideo: Avoid NULL pointer dereference at the end of streaming (bnc#1012382).
- media: uvcvideo: Fix 'type' check leading to overflow (bnc#1012382).
- media: uvcvideo: Fix uvc_alloc_entity() allocation alignment (bsc#1119086).
- media: v4l2-ctrls.c/uvc: zero v4l2_event (bnc#1012382).
- media: videobuf2-v4l2: drop WARN_ON in vb2_warn_zero_bytesused() (bnc#1012382).
- media: vivid: potential integer overflow in vidioc_g_edid() (bsc#11001132).
- mfd: ab8500-core: Return zero in get_register_interruptible() (bnc#1012382).
- mfd: db8500-prcmu: Fix some section annotations (bnc#1012382).
- mfd: mc13xxx: Fix a missing check of a register-read failure (bnc#1012382).
- mfd: qcom_rpm: write fw_version to CTRL_REG (bnc#1012382).
- mfd: ti_am335x_tscadc: Use PLATFORM_DEVID_AUTO while registering mfd cells (bnc#1012382).
- mfd: twl-core: Fix section annotations on {,un}protect_pm_master (bnc#1012382).
- mfd: wm5110: Add missing ASRC rate register (bnc#1012382).
- mips: loongson64: lemote-2f: Add IRQF_NO_SUSPEND to 'cascade' irqaction (bnc#1012382).
- mISDN: hfcpci: Test both vendor & device ID for Digium HFC4S (bnc#1012382).
- missing barriers in some of unix_sock ->addr and ->path accesses (bnc#1012382).
- mmc: bcm2835: reset host on timeout (bsc#1070872).
- mmc: block: Allow more than 8 partitions per card (bnc#1012382).
- mmc: core: fix using wrong io voltage if mmc_select_hs200 fails (bnc#1012382).
- mmc: core: shut up 'voltage-ranges unspecified' pr_info() (bnc#1012382).
- mmc: debugfs: Add a restriction to mmc debugfs clock setting (bnc#1012382).
- mmc: make MAN_BKOPS_EN message a debug (bnc#1012382).
- mmc: mmc: fix switch timeout issue caused by jiffies precision (bnc#1012382).
- mmc: pwrseq_simple: Make reset-gpios optional to match doc (bnc#1012382).
- mmc: pxamci: fix enum type confusion (bnc#1012382).
- mmc: sanitize 'bus width' in debug output (bnc#1012382).
- mmc: spi: Fix card detection during probe (bnc#1012382).
- mmc: tmio_mmc_core: do not claim spurious interrupts (bnc#1012382).
- mm/debug.c: fix __dump_page when mapping->host is not set (bsc#1131934).
- mm, memory_hotplug: fix off-by-one in is_pageblock_removable (git-fixes).
- mm, memory_hotplug: is_mem_section_removable do not pass the end of a zone (bnc#1012382).
- mm, memory_hotplug: test_pages_in_a_zone do not pass the end of zone (bnc#1012382).
- mm: move is_pageblock_removable_nolock() to mm/memory_hotplug.c (git-fixes prerequisity).
- mm/page_isolation.c: fix a wrong flag in set_migratetype_isolate() (bsc#1131935)
- mm/rmap: replace BUG_ON(anon_vma->degree) with VM_WARN_ON (bnc#1012382).
- mm/vmalloc: fix size check for remap_vmalloc_range_partial() (bnc#1012382).
- move power_up_on_resume flag to end of structure for kABI (bsc#1106110).
- mwifiex: pcie: tighten a check in mwifiex_pcie_process_event_ready() (bsc#1100132).
- ncpfs: fix build warning of strncpy (bnc#1012382).
- net: add description for len argument of dev_get_phys_port_name (git-fixes).
- net: Add __icmp_send helper (bnc#1012382).
- net: altera_tse: fix connect_local_phy error path (bnc#1012382).
- net: altera_tse: fix msgdma_tx_completion on non-zero fill_level case (bnc#1012382).
- net: avoid use IPCB in cipso_v4_error (bnc#1012382).
- net: diag: support v4mapped sockets in inet_diag_find_one_icsk() (bnc#1012382).
- net: do not decrement kobj reference count on init failure (git-fixes).
- net: dsa: mv88e6xxx: Fix u64 statistics (bnc#1012382).
- net: ena: fix race between link up and device initalization (bsc#1129278).
- net: ena: update driver version from 2.0.2 to 2.0.3 (bsc#1129278).
- netfilter: ipt_CLUSTERIP: fix use-after-free of proc entry (git-fixes).
- netfilter: nf_conntrack_tcp: Fix stack out of bounds when parsing TCP options (bnc#1012382).
- netfilter: nfnetlink_acct: validate NFACCT_FILTER parameters (bnc#1012382).
- netfilter: nfnetlink_log: just returns error for unknown command (bnc#1012382).
- netfilter: nfnetlink: use original skbuff when acking batches (git-fixes).
- netfilter: x_tables: enforce nul-terminated table name from getsockopt GET_ENTRIES (bnc#1012382).
- net: hns: Fix use after free identified by SLUB debug (bnc#1012382).
- net: hns: Fix wrong read accesses via Clause 45 MDIO protocol (bnc#1012382).
- net: hsr: fix memory leak in hsr_dev_finalize() (bnc#1012382).
- net/hsr: fix possible crash in add_timer() (bnc#1012382).
- netlabel: fix out-of-bounds memory accesses (bnc#1012382).
- net/mlx4_en: Force CHECKSUM_NONE for short ethernet frames (bnc#1012382).
- net: mv643xx_eth: disable clk on error path in mv643xx_eth_shared_probe() (bnc#1012382).
- net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails (bnc#1012382).
- net/packet: fix 4gb buffer limit due to overflow check (bnc#1012382).
- net/packet: Set __GFP_NOWARN upon allocation in alloc_pg_vec (bnc#1012382).
- net: phy: Micrel KSZ8061: link failure after cable connect (bnc#1012382).
- net: rose: fix a possible stack overflow (bnc#1012382).
- net: Set rtm_table to RT_TABLE_COMPAT for ipv6 for tables > 255 (bnc#1012382).
- net: set static variable an initial value in atl2_probe() (bnc#1012382).
- net: sit: fix UBSAN Undefined behaviour in check_6rd (bnc#1012382).
- net: stmmac: dwmac-rk: fix error handling in rk_gmac_powerup() (bnc#1012382).
- net-sysfs: call dev_hold if kobject_init_and_add success (git-fixes).
- net-sysfs: Fix mem leak in netdev_register_kobject (bnc#1012382).
- net: systemport: Fix reception of BPDUs (bnc#1012382).
- net: tcp_memcontrol: properly detect ancestor socket pressure (git-fixes).
- net/x25: fix a race in x25_bind() (bnc#1012382).
- net/x25: fix use-after-free in x25_device_event() (bnc#1012382).
- net/x25: reset state in x25_connect() (bnc#1012382).
- nfc: nci: memory leak in nci_core_conn_create() (git-fixes).
- nfs41: pop some layoutget errors to application (bnc#1012382).
- nfsd: fix memory corruption caused by readdir (bsc#1127445).
- nfsd: fix wrong check in write_v4_end_grace() (git-fixes).
- nfs: Do not recoalesce on error in nfs_pageio_complete_mirror() (git-fixes).
- nfs: Fix an I/O request leakage in nfs_do_recoalesce (git-fixes).
- nfs: Fix dentry revalidation on NFSv4 lookup (bsc#1132618).
- nfs: fix mount/umount race in nlmclnt (git-fixes).
- nfs: Fix NULL pointer dereference of dev_name (bnc#1012382).
- nfsv4.x: always serialize open/close operations (bsc#1114893).
- numa: change get_mempolicy() to use nr_node_ids instead of MAX_NUMNODES (bnc#1012382).
- packets: Always register packet sk in the same order (bnc#1012382).
- parport_pc: fix find_superio io compare code, should use equal test (bnc#1012382).
- pci-hyperv: increase HV_VP_SET_BANK_COUNT_MAX to handle 1792 vcpus (bsc#1122822).
- pci-hyperv: increase HV_VP_SET_BANK_COUNT_MAX to handle 1792 vcpus (fate#327171, bsc#1122822).
- perf auxtrace: Define auxtrace record alignment (bnc#1012382).
- perf bench: Copy kernel files needed to build mem{cpy,set} x86_64 benchmarks (bnc#1012382).
- perf intel-pt: Fix CYC timestamp calculation after OVF (bnc#1012382).
- perf intel-pt: Fix overlap calculation for padding (bnc#1012382).
- perf intel-pt: Fix TSC slip (bnc#1012382).
- perf/ring_buffer: Refuse to begin AUX transaction after rb->aux_mmap_count drops (bnc#1012382).
- perf symbols: Filter out hidden symbols from labels (bnc#1012382).
- perf: Synchronously free aux pages in case of allocation failure (bnc#1012382).
- perf tools: Handle TOPOLOGY headers with no CPU (bnc#1012382).
- perf/x86/amd: Add event map for AMD Family 17h (bsc#1114648).
- phonet: fix building with clang (bnc#1012382).
- pinctrl: meson: meson8b: fix the sdxc_a data 1..3 pins (bnc#1012382).
- platform/x86: Fix unmet dependency warning for SAMSUNG_Q10 (bnc#1012382).
- pm / Hibernate: Call flush_icache_range() on pages restored in-place (bnc#1012382).
- pm / wakeup: Rework wakeup source timer cancellation (bnc#1012382).
- powerpc/32: Clear on-stack exception marker upon exception return (bnc#1012382).
- powerpc/64: Call setup_barrier_nospec() from setup_arch() (bsc#1131107).
- powerpc/64: Disable the speculation barrier from the command line (bsc#1131107).
- powerpc/64: Make stf barrier PPC_BOOK3S_64 specific (bsc#1131107).
- powerpc/64s: Add new security feature flags for count cache flush (bsc#1131107).
- powerpc/64s: Add support for software count cache flush (bsc#1131107).
- powerpc/83xx: Also save/restore SPRG4-7 during suspend (bnc#1012382).
- powerpc: Always initialize input array when calling epapr_hypercall() (bnc#1012382).
- powerpc/asm: Add a patch_site macro & helpers for patching instructions (bsc#1131107).
- powerpc/fsl: Fix spectre_v2 mitigations reporting (bsc#1131107).
- powerpc/mm/hash: Handle mmap_min_addr correctly in get_unmapped_area topdown search (bsc#1131900).
- powerpc/numa: document topology_updates_enabled, disable by default (bsc#1133584).
- powerpc/numa: improve control of topology updates (bsc#1133584).
- powerpc/perf: Fix unit_sel/cache_sel checks (bsc#1053043).
- powerpc/perf: Remove l2 bus events from HW cache event array (bsc#1053043).
- powerpc/perf: Update raw-event code encoding comment for power8 (bsc#1053043, git-fixes).
- powerpc/powernv/cpuidle: Init all present cpus for deep states (bsc#1066223).
- powerpc/powernv: Make opal log only readable by root (bnc#1012382).
- powerpc/powernv: Query firmware for count cache flush settings (bsc#1131107).
- powerpc/pseries/mce: Fix misleading print for TLB mutlihit (bsc#1094244, git-fixes).
- powerpc/pseries: Query hypervisor for count cache flush settings (bsc#1131107).
- powerpc/security: Fix spectre_v2 reporting (bsc#1131107).
- powerpc/speculation: Support 'mitigations=' cmdline option (bsc#1112178).
- powerpc/tm: Add commandline option to disable hardware transactional memory (bsc#1118338).
- powerpc/tm: Add TM Unavailable Exception (bsc#1118338).
- powerpc/tm: Flip the HTM switch default to disabled (bsc#1125580).
- powerpc/vdso32: fix CLOCK_MONOTONIC on PPC64 (bsc#1131587).
- powerpc/vdso64: Fix CLOCK_MONOTONIC inconsistencies across Y2038 (bsc#1131587).
- powerpc/wii: properly disable use of BATs when requested (bnc#1012382).
- raid10: It's wrong to add len to sector_nr in raid10 reshape twice (bnc#1012382).
- ravb: Decrease TxFIFO depth of Q3 and Q2 to one (bnc#1012382).
- rcu: Do RCU GP kthread self-wakeup from softirq and interrupt (bnc#1012382).
- rdma/core: Do not expose unsupported counters (bsc#994770).
- rdma/srp: Rework SCSI device reset handling (bnc#1012382).
- Refresh patches.fixes/0001-net-mlx4-Fix-endianness-issue-in-qp-context-params.patch. (bsc#1132619)
- regulator: s2mpa01: Fix step values for some LDOs (bnc#1012382).
- regulator: s2mps11: Fix steps for buck7, buck8 and LDO35 (bnc#1012382).
- Revert 'bridge: do not add port to router list when receives query with source 0.0.0.0' (bnc#1012382).
- Revert 'mmc: block: do not use parameter prefix if built as module' (bnc#1012382).
- Revert 'scsi, block: fix duplicate bdi name registration crashes' (bsc#1020989).
- Revert 'USB: core: only clean up what we allocated' (bnc#1012382).
- route: set the deleted fnhe fnhe_daddr to 0 in ip_del_fnhe to fix a race (bnc#1012382).
- rsi: fix a dereference on adapter before it has been null checked (bsc#1085539).
- rtc: Fix overflow when converting time64_t to rtc_time (bnc#1012382).
- rtl8xxxu: Fix missing break in switch (bsc#1120902).
- s390/dasd: fix panic for failed online processing (bsc#1132589).
- s390/dasd: fix using offset into zero size array error (bnc#1012382).
- s390: Prevent hotplug rwsem recursion (bsc#1131980).
- s390/qeth: fix use-after-free in error path (bnc#1012382).
- s390/speculation: Support 'mitigations=' cmdline option (bsc#1112178).
- s390/virtio: handle find on invalid queue gracefully (bnc#1012382).
- sched/core: Fix cpu.max vs. cpuhotplug deadlock (bsc#1106913).
- sched/smt: Expose sched_smt_present static key (bsc#1106913).
- sched/smt: Make sched_smt_present track topology (bsc#1106913).
- scripts/git_sort/git_sort.py: Add fixes branch from mkp/scsi.git.
- scsi: csiostor: fix NULL pointer dereference in csio_vport_set_state() (bnc#1012382).
- scsi: isci: initialize shost fully before calling scsi_add_host() (bnc#1012382).
- scsi: libfc: free skb when receiving invalid flogi resp (bnc#1012382).
- scsi: libiscsi: Fix race between iscsi_xmit_task and iscsi_complete_task (bnc#1012382).
- scsi: libsas: Fix rphy phy_identifier for PHYs with end devices attached (bnc#1012382).
- scsi: qla4xxx: check return code of qla4xxx_copy_from_fwddb_param (bnc#1012382).
- scsi: sd: Fix a race between closing an sd device and sd I/O (bnc#1012382).
- scsi: storvsc: Fix a race in sub-channel creation that can cause panic ().
- scsi: storvsc: Fix a race in sub-channel creation that can cause panic (fate#323887).
- scsi: storvsc: Reduce default ring buffer size to 128 Kbytes ().
- scsi: storvsc: Reduce default ring buffer size to 128 Kbytes (fate#323887).
- scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock (bnc#1012382).
- scsi: virtio_scsi: do not send sc payload with tmfs (bnc#1012382).
- scsi: zfcp: fix rport unblock if deleted SCSI devices on Scsi_Host (bnc#1012382).
- scsi: zfcp: fix scsi_eh host reset with port_forced ERP for non-NPIV FCP devices (bnc#1012382).
- sctp: fix the transports round robin issue when init is retransmitted (git-fixes).
- sctp: get sctphdr by offset in sctp_compute_cksum (bnc#1012382).
- serial: 8250_pci: Fix number of ports for ACCES serial cards (bnc#1012382).
- serial: 8250_pci: Have ACCES cards that use the four port Pericom PI7C9X7954 chip use the pci_pericom_setup() (bnc#1012382).
- serial: fsl_lpuart: fix maximum acceptable baud rate with over-sampling (bnc#1012382).
- serial: max310x: Fix to avoid potential NULL pointer dereference (bnc#1012382).
- serial: sh-sci: Fix setting SCSCR_TIE while transferring data (bnc#1012382).
- serial: sprd: adjust TIMEOUT to a big value (bnc#1012382).
- serial: sprd: clear timeout interrupt only rather than all interrupts (bnc#1012382).
- sit: check if IPv6 enabled before calling ip6_err_gen_icmpv6_unreach() (bnc#1012382).
- sky2: Disable MSI on Dell Inspiron 1545 and Gateway P-79 (bnc#1012382).
- sockfs: getxattr: Fail with -EOPNOTSUPP for invalid attribute names (bnc#1012382).
- staging: ashmem: Add missing include (bnc#1012382).
- staging: ashmem: Avoid deadlock with mmap/shrink (bnc#1012382).
- staging: goldfish: audio: fix compiliation on arm (bnc#1012382).
- staging: ion: Set minimum carveout heap allocation order to PAGE_SHIFT (bnc#1012382).
- staging: lustre: fix buffer overflow of string buffer (bnc#1012382).
- staging: rtl8188eu: avoid a null dereference on pmlmepriv (bsc#1085539).
- staging: vt6655: Fix interrupt race condition on device start up (bnc#1012382).
- staging: vt6655: Remove vif check from vnt_interrupt (bnc#1012382).
- stm class: Do not leak the chrdev in error path (bnc#1012382).
- stm class: Fix an endless loop in channel allocation (bnc#1012382).
- stm class: Fix a race in unlinking (bnc#1012382).
- stm class: Fix link list locking (bnc#1012382).
- stm class: Fix locking in unbinding policy path (bnc#1012382).
- stm class: Fix stm device initialization order (bnc#1012382).
- stm class: Fix unbalanced module/device refcounting (bnc#1012382).
- stm class: Fix unlocking braino in the error path (bnc#1012382).
- stm class: Guard output assignment against concurrency (bnc#1012382).
- stm class: Hide STM-specific options if STM is disabled (bnc#1012382).
- stm class: Prevent division by zero (bnc#1012382).
- stm class: Prevent user-controllable allocations (bnc#1012382).
- stm class: Support devices with multiple instances (bnc#1012382).
- stmmac: copy unicast mac address to MAC registers (bnc#1012382).
- stop_machine: Provide stop_machine_cpuslocked() (bsc#1131980).
- sunrpc: do not mark uninitialised items as VALID (bsc#1130737).
- sunrpc: init xdr_stream for zero iov_len, page_len (bsc#11303356).
- svm/avic: Fix invalidate logical APIC id entry (bsc#1132727).
- svm: Fix AVIC DFR and LDR handling (bsc#1130343).
- svm: Fix improper check when deactivate AVIC (bsc#1130344).
- tcp/dccp: drop SYN packets if accept queue is full (bnc#1012382).
- tcp/dccp: remove reqsk_put() from inet_child_forget() (git-fixes).
- tcp: do not use ipv6 header for ipv4 flow (bnc#1012382).
- tcp: handle inet_csk_reqsk_queue_add() failures (git-fixes).
- thermal: int340x_thermal: Fix a NULL vs IS_ERR() check (bnc#1012382).
- time: Introduce jiffies64_to_nsecs() (bsc#1113399).
- tmpfs: fix link accounting when a tmpfile is linked in (bnc#1012382).
- tmpfs: fix uninitialized return value in shmem_link (bnc#1012382).
- tpm: fix kdoc for tpm2_flush_context_cmd() (bsc#1020645).
- tpm: Fix the type of the return value in calc_tpm2_event_size() (bsc#1020645, git-fixes).
- tpm: tpm-interface.c drop unused macros (bsc#1020645).
- tty: atmel_serial: fix a potential NULL pointer dereference (bnc#1012382).
- udf: Fix crash on IO error during truncate (bnc#1012382).
- Update patches.fixes/SUNRPC-init-xdr_stream-for-zero-iov_len-page_len.patch (bsc#1130356).
- usb: core: only clean up what we allocated (bnc#1012382).
- usb: dwc2: Fix DMA alignment to start at allocated boundary (bsc#1100132).
- usb: dwc2: fix the incorrect bitmaps for the ports of multi_tt hub (bsc#1100132).
- usb: dwc3: gadget: Fix suspend/resume during device mode (bnc#1012382).
- usb: dwc3: gadget: Fix the uninitialized link_state when udc starts (bnc#1012382).
- usb: gadget: Add the gserial port checking in gs_start_tx() (bnc#1012382).
- usb: gadget: composite: fix dereference after null check coverify warning (bnc#1012382).
- usb: gadget: configfs: add mutex lock before unregister gadget (bnc#1012382).
- usb: gadget: Potential NULL dereference on allocation error (bnc#1012382).
- usb: gadget: rndis: free response queue during REMOTE_NDIS_RESET_MSG (bnc#1012382).
- usb: renesas_usbhs: gadget: fix unused-but-set-variable warning (bnc#1012382).
- usb: serial: cp210x: add ID for Ingenico 3070 (bnc#1012382).
- usb: serial: cp210x: add new device id (bnc#1012382).
- usb: serial: cypress_m8: fix interrupt-out transfer length (bsc#1119086).
- usb: serial: ftdi_sio: add additional NovaTech products (bnc#1012382).
- usb: serial: ftdi_sio: add ID for Hjelmslund Electronics USB485 (bnc#1012382).
- usb: serial: mos7720: fix mos_parport refcount imbalance on error path (bsc#1129770).
- usb: serial: option: add Olicard 600 (bnc#1012382).
- usb: serial: option: add Telit ME910 ECM composition (bnc#1012382).
- usb: serial: option: set driver_info for SIM5218 and compatibles (bsc#1129770).
- video: fbdev: Set pixclock = 0 in goldfishfb (bnc#1012382).
- vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel (bnc#1012382).
- vxlan: Do not call gro_cells_destroy() before device is unregistered (bnc#1012382).
- vxlan: Fix GRO cells race condition between receive and link delete (bnc#1012382).
- vxlan: test dev->flags & IFF_UP before calling gro_cells_receive() (bnc#1012382).
- wlcore: Fix the return value in case of error in 'wlcore_vendor_cmd_smart_config_start()' (bsc#1120902).
- x86_64: increase stack size for KASAN_EXTRA (bnc#1012382).
- x86/apic: Provide apic_ack_irq() (bsc#1122822).
- x86/apic: Provide apic_ack_irq() (fate#327171, bsc#1122822).
- x86/CPU/AMD: Set the CPB bit unconditionally on F17h (bnc#1012382).
- x86/Hyper-V: Set x2apic destination mode to physical when x2apic is available (bsc#1122822).
- x86/Hyper-V: Set x2apic destination mode to physical when x2apic is available (fate#327171, bsc#1122822).
- x86/kexec: Do not setup EFI info if EFI runtime is not enabled (bnc#1012382).
- x86/mce: Improve error message when kernel cannot recover, p2 (bsc#1114648).
- x86/smp: Enforce CONFIG_HOTPLUG_CPU when SMP=y (bnc#1012382).
- x86/speculation: Remove redundant arch_smt_update() invocation (bsc#1111331).
- x86/speculation: Support 'mitigations=' cmdline option (bsc#1112178).
- x86/uaccess: Do not leak the AC flag into __put_user() value evaluation (bsc#1114648).
- x86/vdso: Add VCLOCK_HVCLOCK vDSO clock read method (bsc#1133308).
- xen-netback: fix occasional leak of grant ref mappings under memory pressure (bnc#1012382).
- xfrm_user: fix info leak in build_aevent() (git-fixes).
- xfrm_user: fix info leak in xfrm_notify_sa() (git-fixes).
- xhci: Do not let USB3 ports stuck in polling state prevent suspend (bsc#1047487).
- xhci: Fix port resume done detection for SS ports with LPM enabled (bnc#1012382).
- xtensa: SMP: fix ccount_timer_shutdown (bnc#1012382).
- xtensa: SMP: fix secondary CPU initialization (bnc#1012382).
- xtensa: SMP: limit number of possible CPUs by NR_CPUS (bnc#1012382).
- xtensa: smp_lx200_defconfig: fix vectors clash (bnc#1012382).
- xtensa: SMP: mark each possible CPU as present (bnc#1012382).
ImportantSUSE bug 1012382SUSE bug 1020645SUSE bug 1020989SUSE bug 1031492SUSE bug 1047487SUSE bug 1051510SUSE bug 1053043SUSE bug 1062056SUSE bug 1063638SUSE bug 1066223SUSE bug 1070872SUSE bug 1085539SUSE bug 1087092SUSE bug 1094244SUSE bug 1096480SUSE bug 1096728SUSE bug 1097104SUSE bug 1100132SUSE bug 1105348SUSE bug 1106110SUSE bug 1106913SUSE bug 1106929SUSE bug 1111331SUSE bug 1112178SUSE bug 1113399SUSE bug 1114542SUSE bug 1114638SUSE bug 1114648SUSE bug 1114893SUSE bug 1118338SUSE bug 1118506SUSE bug 1119086SUSE bug 1120902SUSE bug 1122822SUSE bug 1125580SUSE bug 1126356SUSE bug 1127445SUSE bug 1129278SUSE bug 1129326SUSE bug 1129770SUSE bug 1130130SUSE bug 1130343SUSE bug 1130344SUSE bug 1130345SUSE bug 1130346SUSE bug 1130347SUSE bug 1130356SUSE bug 1130425SUSE bug 1130567SUSE bug 1130737SUSE bug 1131107SUSE bug 1131416SUSE bug 1131427SUSE bug 1131587SUSE bug 1131659SUSE bug 1131857SUSE bug 1131900SUSE bug 1131934SUSE bug 1131935SUSE bug 1131980SUSE bug 1132227SUSE bug 1132534SUSE bug 1132589SUSE bug 1132618SUSE bug 1132619SUSE bug 1132634SUSE bug 1132635SUSE bug 1132636SUSE bug 1132637SUSE bug 1132638SUSE bug 1132727SUSE bug 1132828SUSE bug 1133308SUSE bug 1133584SUSE bug 994770CVE-2018-1000204 at SUSECVE-2018-1000204 at NVDCVE-2018-10853 at SUSECVE-2018-10853 at NVDCVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2018-15594 at SUSECVE-2018-15594 at NVDCVE-2018-5814 at SUSECVE-2018-5814 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDCVE-2019-3882 at SUSECVE-2019-3882 at NVDCVE-2019-9503 at SUSECVE-2019-9503 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3
The SUSE Linux Enterprise 12 SP3 kernel for Azure was updated to 4.4.178 to receive various security and bugfixes.
Four new speculative execution issues have been identified in Intel CPUs. (bsc#1111331)
- CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
- CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)
- CVE-2018-12130: Microarchitectural Load Port Data Samling (MLPDS)
- CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
This kernel update contains software mitigations, utilizing CPU microcode updates shipped in parallel.
For more information on this set of information leaks, check out https://www.suse.com/support/kb/doc/?id=7023736
The following security bugs were fixed:
- CVE-2018-8822: Incorrect buffer length handling in the ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c could be exploited by malicious NCPFS servers to crash the kernel or execute code (bnc#1086162).
- CVE-2018-5814: Multiple race condition errors when handling probe, disconnect, and rebind operations can be exploited to trigger a use-after-free condition or a NULL pointer dereference by sending multiple USB over IP packets (bnc#1096480).
- CVE-2018-1000204: Prevent infoleak caused by incorrect handling of the SG_IO ioctl (bsc#1096728)
- CVE-2018-10853: A flaw was found in the way the KVM hypervisor emulated instructions such as sgdt/sidt/fxsave/fxrstor. It did not check current privilege(CPL) level while emulating unprivileged instructions. An unprivileged guest user/process could use this flaw to potentially escalate privileges inside guest (bnc#1097104).
- CVE-2018-15594: arch/x86/kernel/paravirt.c kernel mishandled certain indirect calls, which made it easier for attackers to conduct Spectre-v2 attacks against paravirtual guests (bnc#1105348).
- CVE-2019-9503: A brcmfmac frame validation bypass was fixed (bnc#1132828).
- CVE-2019-3882: A flaw was found in the Linux kernel's vfio interface implementation that permits violation of the user's locked memory limit. If a device is bound to a vfio driver, such as vfio-pci, and the local attacker is administratively granted ownership of the device, it may cause a system memory exhaustion and thus a denial of service (DoS). (bnc#1131416 bnc#1131427).
- CVE-2017-5753: Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis (bnc#1068032).
This update disables IBRS on Skylake systems (the retpoline methods stay effective).
Additional performance improvements on the retpoline support were done by tuning compiler defaults.
The following non-security bugs were fixed:
- 9p/net: fix memory leak in p9_client_create (bnc#1012382).
- 9p: use inode->i_lock to protect i_size_write() under 32-bit (bnc#1012382).
- acpi: acpi_pad: Do not launch acpi_pad threads on idle cpus (bsc#1113399).
- acpi / bus: Only call dmi_check_system() on X86 (git-fixes).
- acpi / button: make module loadable when booted in non-ACPI mode (bsc#1051510).
- acpi / device_sysfs: Avoid OF modalias creation for removed device (bnc#1012382).
- Add hlist_add_tail_rcu() (Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net) (bnc#1012382).
- alsa: bebob: use more identical mod_alias for Saffire Pro 10 I/O against Liquid Saffire 56 (bnc#1012382).
- alsa: compress: add support for 32bit calls in a 64bit kernel (bnc#1012382).
- alsa: compress: prevent potential divide by zero bugs (bnc#1012382).
- alsa: hda - Enforces runtime_resume after S3 and S4 for each codec (bnc#1012382).
- alsa: hda - Record the current power state before suspend/resume calls (bnc#1012382).
- alsa: pcm: Do not suspend stream in unrecoverable PCM state (bnc#1012382).
- alsa: pcm: Fix possible OOB access in PCM oss plugins (bnc#1012382).
- alsa: rawmidi: Fix potential Spectre v1 vulnerability (bnc#1012382).
- alsa: seq: oss: Fix Spectre v1 vulnerability (bnc#1012382).
- applicom: Fix potential Spectre v1 vulnerabilities (bnc#1012382).
- arc: fix __ffs return value to avoid build warnings (bnc#1012382).
- arc: uacces: remove lp_start, lp_end from clobber list (bnc#1012382).
- arcv2: Enable unaligned access in early ASM code (bnc#1012382).
- arm64: fix COMPAT_SHMLBA definition for large pages (bnc#1012382).
- arm64: Fix NUMA build error when !CONFIG_ACPI (fate#319981, git-fixes).
- arm64: Fix NUMA build error when !CONFIG_ACPI (git-fixes).
- arm64: hide __efistub_ aliases from kallsyms (bnc#1012382).
- arm64: kconfig: drop CONFIG_RTC_LIB dependency (bnc#1012382).
- arm64/kernel: fix incorrect EL0 check in inv_entry macro (bnc#1012382).
- arm64: mm: Add trace_irqflags annotations to do_debug_exception() (bnc#1012382).
- arm64: Relax GIC version check during early boot (bnc#1012382).
- arm64: support keyctl() system call in 32-bit mode (bnc#1012382).
- arm64: traps: disable irq in die() (bnc#1012382).
- arm: 8458/1: bL_switcher: add GIC dependency (bnc#1012382).
- arm: 8494/1: mm: Enable PXN when running non-LPAE kernel on LPAE processor (bnc#1012382).
- arm: 8510/1: rework ARM_CPU_SUSPEND dependencies (bnc#1012382).
- arm: 8824/1: fix a migrating irq bug when hotplug cpu (bnc#1012382).
- arm: dts: exynos: Add minimal clkout parameters to Exynos3250 PMU (bnc#1012382).
- arm: dts: exynos: Do not ignore real-world fuse values for thermal zone 0 on Exynos5420 (bnc#1012382).
- arm: imx6q: cpuidle: fix bug that CPU might not wake up at expected time (bnc#1012382).
- arm: OMAP2+: Variable 'reg' in function omap4_dsi_mux_pads() could be uninitialized (bnc#1012382).
- arm: pxa: ssp: unneeded to free devm_ allocated data (bnc#1012382).
- arm: s3c24xx: Fix boolean expressions in osiris_dvs_notify (bnc#1012382).
- ASoC: dapm: change snprintf to scnprintf for possible overflow (bnc#1012382).
- ASoC: fsl_esai: fix register setting issue in RIGHT_J mode (bnc#1012382).
- ASoC: imx-audmux: change snprintf to scnprintf for possible overflow (bnc#1012382).
- ASoC: Intel: Haswell/Broadwell: fix setting for .dynamic field (bnc#1012382).
- ASoC: topology: free created components in tplg load error (bnc#1012382).
- assoc_array: Fix shortcut creation (bnc#1012382).
- ath10k: avoid possible string overflow (bnc#1012382).
- ath9k_htc: Add a sanity check in ath9k_htc_ampdu_action() (bsc#1087092).
- atm: he: fix sign-extension overflow on large shift (bnc#1012382).
- autofs: drop dentry reference only when it is never used (bnc#1012382).
- autofs: fix error return in autofs_fill_super() (bnc#1012382).
- batman-adv: Avoid endless loop in bat-on-bat netdevice check (git-fixes).
- batman-adv: Fix lockdep annotation of batadv_tlv_container_remove (git-fixes).
- batman-adv: fix uninit-value in batadv_interface_tx() (bnc#1012382).
- batman-adv: Only put gw_node list reference when removed (git-fixes).
- batman-adv: Only put orig_node_vlan list reference when removed (git-fixes).
- bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt (bnc#1012382).
- bnxt_en: Drop oversize TX packets to prevent errors (bnc#1012382).
- btrfs: Avoid possible qgroup_rsv_size overflow in btrfs_calculate_inode_block_rsv_size (git-fixes).
- btrfs: Fix bound checking in qgroup_trace_new_subtree_blocks (pending fix for bsc#1063638).
- btrfs: fix corruption reading shared and compressed extents after hole punching (bnc#1012382).
- btrfs: qgroup: Cleanup old subtree swap code (bsc#1063638).
- btrfs: qgroup: Do not trace subtree if we're dropping reloc tree (bsc#1063638).
- btrfs: qgroup: Introduce function to find all new tree blocks of reloc tree (bsc#1063638).
- btrfs: qgroup: Introduce function to trace two swaped extents (bsc#1063638).
- btrfs: qgroup: Introduce per-root swapped blocks infrastructure (bsc#1063638).
- btrfs: qgroup: Introduce trace event to analyse the number of dirty extents accounted (bsc#1063638 dependency).
- btrfs: qgroup: Only trace data extents in leaves if we're relocating data block group (bsc#1063638).
- btrfs: qgroup: Refactor btrfs_qgroup_trace_subtree_swap (bsc#1063638).
- btrfs: qgroup: Search commit root for rescan to avoid missing extent (bsc#1129326).
- btrfs: qgroup: Use delayed subtree rescan for balance (bsc#1063638).
- btrfs: qgroup: Use generation-aware subtree swap to mark dirty extents (bsc#1063638).
- btrfs: raid56: properly unmap parity page in finish_parity_scrub() (bnc#1012382).
- btrfs: relocation: Delay reloc tree deletion after merge_reloc_roots (bsc#1063638).
- btrfs: remove WARN_ON in log_dir_items (bnc#1012382).
- cdc-wdm: pass return value of recover_from_urb_loss (bsc#1129770).
- cfg80211: extend range deviation for DMG (bnc#1012382).
- cfg80211: size various nl80211 messages correctly (bnc#1012382).
- cifs: fix computation for MAX_SMB2_HDR_SIZE (bnc#1012382).
- cifs: fix POSIX lock leak and invalid ptr deref (bsc#1114542).
- cifs: Fix read after write for files with read caching (bnc#1012382).
- clk: ingenic: Fix round_rate misbehaving with non-integer dividers (bnc#1012382).
- clocksource/drivers/exynos_mct: Clear timer interrupt when shutdown (bnc#1012382).
- clocksource/drivers/exynos_mct: Move one-shot check from tick clear to ISR (bnc#1012382).
- cls_bpf: reset class and reuse major in da (git-fixes).
- coresight: coresight_unregister() function cleanup (bnc#1012382).
- coresight: 'DEVICE_ATTR_RO' should defined as static (bnc#1012382).
- coresight: etm4x: Check every parameter used by dma_xx_coherent (bnc#1012382).
- coresight: fixing lockdep error (bnc#1012382).
- coresight: release reference taken by 'bus_find_device()' (bnc#1012382).
- coresight: remove csdev's link from topology (bnc#1012382).
- coresight: removing bind/unbind options from sysfs (bnc#1012382).
- cpufreq: pxa2xx: remove incorrect __init annotation (bnc#1012382).
- cpufreq: tegra124: add missing of_node_put() (bnc#1012382).
- cpufreq: Use struct kobj_attribute instead of struct global_attr (bnc#1012382).
- cpu/hotplug: Handle unbalanced hotplug enable/disable (bnc#1012382).
- cpu/speculation: Add 'mitigations=' cmdline option (bsc#1112178).
- crypto: ahash - fix another early termination in hash walk (bnc#1012382).
- crypto: arm64/aes-ccm - fix logical bug in AAD MAC handling (bnc#1012382).
- crypto: caam - fixed handling of sg list (bnc#1012382).
- crypto: pcbc - remove bogus memcpy()s with src == dest (bnc#1012382).
- crypto: qat - remove unused and redundant pointer vf_info (bsc#1085539).
- crypto: tgr192 - fix unaligned memory access (bsc#1129770).
- cw1200: fix missing unlock on error in cw1200_hw_scan() (bsc#1129770).
- dccp: do not use ipv6 header for ipv4 flow (bnc#1012382).
- Disable kgdboc failed by echo space to /sys/module/kgdboc/parameters/kgdboc (bnc#1012382).
- dmaengine: at_xdmac: Fix wrongfull report of a channel as in use (bnc#1012382).
- dmaengine: dmatest: Abort test in case of mapping error (bnc#1012382).
- dmaengine: usb-dmac: Make DMAC system sleep callbacks explicit (bnc#1012382).
- dm: disable DISCARD if the underlying storage no longer supports it (bsc#1114638).
- dm: fix to_sector() for 32bit (bnc#1012382).
- drivers: hv: vmbus: Fix bugs in rescind handling (bsc#1130567).
- drivers: hv: vmbus: Fix ring buffer signaling (bsc#1118506).
- drivers: hv: vmbus: Fix the offer_in_progress in vmbus_process_offer() (bsc#1130567).
- drivers: hv: vmbus: Offload the handling of channels to two workqueues (bsc#1130567).
- drivers: hv: vmbus: Offload the handling of channels to two workqueues (bsc#1130567).
- drivers: hv: vmbus: Reset the channel callback in vmbus_onoffer_rescind() (bsc#1130567).
- drm/msm: Unblock writer if reader closes file (bnc#1012382).
- drm/vmwgfx: Do not double-free the mode stored in par->set_mode (bsc#1106929)
- efi: stub: define DISABLE_BRANCH_PROFILING for all architectures (bnc#1012382).
- ext2: Fix underflow in ext2_max_size() (bnc#1012382).
- ext4: Avoid panic during forced reboot (bsc#1126356).
- ext4: brelse all indirect buffer in ext4_ind_remove_space() (bnc#1012382).
- ext4: fix data corruption caused by unaligned direct AIO (bnc#1012382).
- ext4: fix NULL pointer dereference while journal is aborted (bnc#1012382).
- extcon: usb-gpio: Do not miss event during suspend/resume (bnc#1012382).
- firmware: dmi: Optimize dmi_matches (git-fixes).
- floppy: check_events callback should not return a negative number (git-fixes).
- flow_dissector: Check for IP fragmentation even if not using IPv4 address (git-fixes).
- fs/9p: use fscache mutex rather than spinlock (bnc#1012382).
- fs/nfs: Fix nfs_parse_devname to not modify it's argument (git-fixes).
- fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links (bnc#1012382).
- fuse: continue to send FUSE_RELEASEDIR when FUSE_OPEN returns ENOSYS (git-fixes).
- fuse: fix possibly missed wake-up after abort (git-fixes).
- futex: Ensure that futex address is aligned in handle_futex_death() (bnc#1012382).
- futex,rt_mutex: Fix rt_mutex_cleanup_proxy_lock() (git-fixes).
- futex,rt_mutex: Restructure rt_mutex_finish_proxy_lock() (bnc#1012382).
- gpio: adnp: Fix testing wrong value in adnp_gpio_direction_input (bnc#1012382).
- gpio: vf610: Mask all GPIO interrupts (bnc#1012382).
- gro_cells: make sure device is up in gro_cells_receive() (bnc#1012382).
- hid-sensor-hub.c: fix wrong do_div() usage (bnc#1012382).
- hpet: Fix missing '=' character in the __setup() code of hpet_mmap_enable (bsc#1129770).
- hugetlbfs: fix races and page leaks during migration (bnc#1012382).
- hv_netvsc: Fix napi reschedule while receive completion is busy (bsc#1118506).
- hv_netvsc: fix race in napi poll when rescheduling (bsc#1118506).
- hv_netvsc: Fix the return status in RX path (bsc#1118506).
- hv_netvsc: use napi_schedule_irqoff (bsc#1118506).
- hv: v4.12 API for hyperv-iommu (bsc#1122822).
- hv: v4.12 API for hyperv-iommu (fate#327171, bsc#1122822).
- i2c: cadence: Fix the hold bit setting (bnc#1012382).
- i2c: tegra: fix maximum transfer size (bnc#1012382).
- IB/{hfi1, qib}: Fix WC.byte_len calculation for UD_SEND_WITH_IMM (bnc#1012382).
- ibmvnic: Enable GRO (bsc#1132227).
- ibmvnic: Fix completion structure initialization (bsc#1131659).
- ibmvnic: Fix netdev feature clobbering during a reset (bsc#1132227).
- Include ACPI button driver in base kernel (bsc#1062056).
- input: elan_i2c - add id for touchpad found in Lenovo s21e-20 (bnc#1012382).
- input: matrix_keypad - use flush_delayed_work() (bnc#1012382).
- input: st-keyscan - fix potential zalloc NULL dereference (bnc#1012382).
- input: wacom_serial4 - add support for Wacom ArtPad II tablet (bnc#1012382).
- intel_th: Do not reference unassigned outputs (bnc#1012382).
- intel_th: gth: Fix an off-by-one in output unassigning (git-fixes).
- iommu/amd: Fix NULL dereference bug in match_hid_uid (bsc#1130345).
- iommu/amd: fix sg->dma_address for sg->offset bigger than PAGE_SIZE (bsc#1130346).
- iommu/amd: Reserve exclusion range in iova-domain (bsc#1130425).
- iommu/amd: Set exclusion range correctly (bsc#1130425).
- iommu: Do not print warning when IOMMU driver only supports unmanaged domains (bsc#1130130).
- iommu/hyper-v: Add Hyper-V stub IOMMU driver (bsc#1122822).
- iommu/hyper-v: Add Hyper-V stub IOMMU driver (fate#327171, bsc#1122822).
- iommu/vt-d: Check capability before disabling protected memory (bsc#1130347).
- ip6: fix PMTU discovery when using /127 subnets (git-fixes).
- ip6mr: Do not call __IP6_INC_STATS() from preemptible context (bnc#1012382).
- ip_tunnel: fix ip tunnel lookup in collect_md mode (git-fixes).
- ipvlan: disallow userns cap_net_admin to change global mode/flags (bnc#1012382).
- ipvs: Fix signed integer overflow when setsockopt timeout (bnc#1012382).
- irqchip/mmp: Only touch the PJ4 IRQ & FIQ bits on enable/disable (bnc#1012382).
- iscsi_ibft: Fix missing break in switch statement (bnc#1012382).
- isdn: avm: Fix string plus integer warning from Clang (bnc#1012382).
- isdn: i4l: isdn_tty: Fix some concurrency double-free bugs (bnc#1012382).
- isdn: isdn_tty: fix build warning of strncpy (bnc#1012382).
- It's wrong to add len to sector_nr in raid10 reshape twice (bnc#1012382).
- iwlwifi: dbg: do not crash if the firmware crashes in the middle of a debug dump (bsc#1119086).
- jbd2: clear dirty flag when revoking a buffer from an older transaction (bnc#1012382).
- jbd2: fix compile warning when using JBUFFER_TRACE (bnc#1012382).
- kabi fixup gendisk disk_devt revert (bsc#1020989).
- kbuild: setlocalversion: print error to STDERR (bnc#1012382).
- kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv (bnc#1012382).
- keys: allow reaching the keys quotas exactly (bnc#1012382).
- keys: always initialize keyring_index_key::desc_len (bnc#1012382).
- keys: restrict /proc/keys by credentials at open time (bnc#1012382).
- keys: user: Align the payload buffer (bnc#1012382).
- kvm: Call kvm_arch_memslots_updated() before updating memslots (bsc#1132634).
- kvm: nSVM: clear events pending from svm_complete_interrupts() when exiting to L1 (bnc#1012382).
- kvm: nVMX: Apply addr size mask to effective address for VMX instructions (bsc#1132635).
- kvm: nVMX: Ignore limit checks on VMX instructions using flat segments (bnc#1012382).
- kvm: nVMX: Sign extend displacements of VMX instr's mem operands (bnc#1012382).
- kvm: Reject device ioctls from processes other than the VM's creator (bnc#1012382).
- kvm: VMX: Compare only a single byte for VMCS' 'launched' in vCPU-run (bsc#1132636).
- kvm: VMX: Zero out *all* general purpose registers after VM-Exit (bsc#1132637).
- kvm: x86: Emulate MSR_IA32_ARCH_CAPABILITIES on AMD hosts (bsc#1132534).
- kvm: X86: Fix residual mmio emulation request to userspace (bnc#1012382).
- kvm: x86/mmu: Do not cache MMIO accesses while memslots are in flux (bsc#1132638).
- l2tp: fix infoleak in l2tp_ip6_recvmsg() (git-fixes).
- leds: lp5523: fix a missing check of return value of lp55xx_read (bnc#1012382).
- libertas: call into generic suspend code before turning off power (bsc#1106110).
- libertas: fix suspend and resume for SDIO connected cards (bsc#1106110).
- lib/int_sqrt: optimize small argument (bnc#1012382).
- libnvdimm/pmem: Honor force_raw for legacy pmem regions (bsc#1131857).
- locking/lockdep: Add debug_locks check in __lock_downgrade() (bnc#1012382).
- locking/static_keys: Improve uninitialized key warning (bsc#1106913).
- m68k: Add -ffreestanding to CFLAGS (bnc#1012382).
- mac80211: do not initiate TDLS connection if station is not associated to AP (bnc#1012382).
- mac80211: fix miscounting of ttl-dropped frames (bnc#1012382).
- mac80211: fix 'warning: target metric may used uninitialized' (bnc#1012382).
- mac80211_hwsim: propagate genlmsg_reply return code (bnc#1012382).
- mac8390: Fix mmio access size probe (bnc#1012382).
- md: Fix failed allocation of md_register_thread (bnc#1012382).
- mdio_bus: Fix use-after-free on device_register fails (bnc#1012382 git-fixes).
- md/raid1: do not clear bitmap bits on interrupted recovery (git-fixes).
- media: cx88: Get rid of spurious call to cx8800_start_vbi_dma() (bsc#1100132).
- media: uvcvideo: Avoid NULL pointer dereference at the end of streaming (bnc#1012382).
- media: uvcvideo: Fix 'type' check leading to overflow (bnc#1012382).
- media: uvcvideo: Fix uvc_alloc_entity() allocation alignment (bsc#1119086).
- media: v4l2-ctrls.c/uvc: zero v4l2_event (bnc#1012382).
- media: videobuf2-v4l2: drop WARN_ON in vb2_warn_zero_bytesused() (bnc#1012382).
- media: vivid: potential integer overflow in vidioc_g_edid() (bsc#11001132).
- mfd: ab8500-core: Return zero in get_register_interruptible() (bnc#1012382).
- mfd: db8500-prcmu: Fix some section annotations (bnc#1012382).
- mfd: mc13xxx: Fix a missing check of a register-read failure (bnc#1012382).
- mfd: qcom_rpm: write fw_version to CTRL_REG (bnc#1012382).
- mfd: ti_am335x_tscadc: Use PLATFORM_DEVID_AUTO while registering mfd cells (bnc#1012382).
- mfd: twl-core: Fix section annotations on {,un}protect_pm_master (bnc#1012382).
- mfd: wm5110: Add missing ASRC rate register (bnc#1012382).
- mISDN: hfcpci: Test both vendor & device ID for Digium HFC4S (bnc#1012382).
- missing barriers in some of unix_sock ->addr and ->path accesses (bnc#1012382).
- mmc: bcm2835: reset host on timeout (bsc#1070872).
- mmc: block: Allow more than 8 partitions per card (bnc#1012382).
- mmc: core: fix using wrong io voltage if mmc_select_hs200 fails (bnc#1012382).
- mmc: core: shut up 'voltage-ranges unspecified' pr_info() (bnc#1012382).
- mmc: debugfs: Add a restriction to mmc debugfs clock setting (bnc#1012382).
- mmc: make MAN_BKOPS_EN message a debug (bnc#1012382).
- mmc: mmc: fix switch timeout issue caused by jiffies precision (bnc#1012382).
- mmc: pwrseq_simple: Make reset-gpios optional to match doc (bnc#1012382).
- mmc: pxamci: fix enum type confusion (bnc#1012382).
- mmc: sanitize 'bus width' in debug output (bnc#1012382).
- mmc: spi: Fix card detection during probe (bnc#1012382).
- mmc: tmio_mmc_core: do not claim spurious interrupts (bnc#1012382).
- mm/debug.c: fix __dump_page when mapping->host is not set (bsc#1131934).
- mm, memory_hotplug: fix off-by-one in is_pageblock_removable (git-fixes).
- mm, memory_hotplug: is_mem_section_removable do not pass the end of a zone (bnc#1012382).
- mm, memory_hotplug: test_pages_in_a_zone do not pass the end of zone (bnc#1012382).
- mm: move is_pageblock_removable_nolock() to mm/memory_hotplug.c (git-fixes prerequisity).
- mm/page_isolation.c: fix a wrong flag in set_migratetype_isolate() (bsc#1131935)
- mm/rmap: replace BUG_ON(anon_vma->degree) with VM_WARN_ON (bnc#1012382).
- mm/vmalloc: fix size check for remap_vmalloc_range_partial() (bnc#1012382).
- move power_up_on_resume flag to end of structure for kABI (bsc#1106110).
- mwifiex: pcie: tighten a check in mwifiex_pcie_process_event_ready() (bsc#1100132).
- ncpfs: fix build warning of strncpy (bnc#1012382).
- net: add description for len argument of dev_get_phys_port_name (git-fixes).
- net: Add __icmp_send helper (bnc#1012382).
- net: altera_tse: fix connect_local_phy error path (bnc#1012382).
- net: altera_tse: fix msgdma_tx_completion on non-zero fill_level case (bnc#1012382).
- net: avoid use IPCB in cipso_v4_error (bnc#1012382).
- net: diag: support v4mapped sockets in inet_diag_find_one_icsk() (bnc#1012382).
- net: do not decrement kobj reference count on init failure (git-fixes).
- net: dsa: mv88e6xxx: Fix u64 statistics (bnc#1012382).
- net: ena: fix race between link up and device initalization (bsc#1129278).
- net: ena: update driver version from 2.0.2 to 2.0.3 (bsc#1129278).
- netfilter: ipt_CLUSTERIP: fix use-after-free of proc entry (git-fixes).
- netfilter: nf_conntrack_tcp: Fix stack out of bounds when parsing TCP options (bnc#1012382).
- netfilter: nfnetlink_acct: validate NFACCT_FILTER parameters (bnc#1012382).
- netfilter: nfnetlink_log: just returns error for unknown command (bnc#1012382).
- netfilter: nfnetlink: use original skbuff when acking batches (git-fixes).
- netfilter: x_tables: enforce nul-terminated table name from getsockopt GET_ENTRIES (bnc#1012382).
- net: hns: Fix use after free identified by SLUB debug (bnc#1012382).
- net: hns: Fix wrong read accesses via Clause 45 MDIO protocol (bnc#1012382).
- net: hsr: fix memory leak in hsr_dev_finalize() (bnc#1012382).
- net/hsr: fix possible crash in add_timer() (bnc#1012382).
- netlabel: fix out-of-bounds memory accesses (bnc#1012382).
- net/mlx4_en: Force CHECKSUM_NONE for short ethernet frames (bnc#1012382).
- net: mv643xx_eth: disable clk on error path in mv643xx_eth_shared_probe() (bnc#1012382).
- net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails (bnc#1012382).
- net/packet: fix 4gb buffer limit due to overflow check (bnc#1012382).
- net/packet: Set __GFP_NOWARN upon allocation in alloc_pg_vec (bnc#1012382).
- net: phy: Micrel KSZ8061: link failure after cable connect (bnc#1012382).
- net: rose: fix a possible stack overflow (bnc#1012382).
- net: Set rtm_table to RT_TABLE_COMPAT for ipv6 for tables > 255 (bnc#1012382).
- net: set static variable an initial value in atl2_probe() (bnc#1012382).
- net: sit: fix UBSAN Undefined behaviour in check_6rd (bnc#1012382).
- net: stmmac: dwmac-rk: fix error handling in rk_gmac_powerup() (bnc#1012382).
- net-sysfs: call dev_hold if kobject_init_and_add success (git-fixes).
- net-sysfs: Fix mem leak in netdev_register_kobject (bnc#1012382).
- net: systemport: Fix reception of BPDUs (bnc#1012382).
- net: tcp_memcontrol: properly detect ancestor socket pressure (git-fixes).
- net/x25: fix a race in x25_bind() (bnc#1012382).
- net/x25: fix use-after-free in x25_device_event() (bnc#1012382).
- net/x25: reset state in x25_connect() (bnc#1012382).
- NFC: nci: memory leak in nci_core_conn_create() (git-fixes).
- nfs41: pop some layoutget errors to application (bnc#1012382).
- nfsd: fix memory corruption caused by readdir (bsc#1127445).
- nfsd: fix wrong check in write_v4_end_grace() (git-fixes).
- nfs: Do not recoalesce on error in nfs_pageio_complete_mirror() (git-fixes).
- nfs: Fix an I/O request leakage in nfs_do_recoalesce (git-fixes).
- nfs: Fix dentry revalidation on NFSv4 lookup (bsc#1132618).
- nfs: fix mount/umount race in nlmclnt (git-fixes).
- nfs: Fix NULL pointer dereference of dev_name (bnc#1012382).
- nfsv4.x: always serialize open/close operations (bsc#1114893).
- numa: change get_mempolicy() to use nr_node_ids instead of MAX_NUMNODES (bnc#1012382).
- packets: Always register packet sk in the same order (bnc#1012382).
- parport_pc: fix find_superio io compare code, should use equal test (bnc#1012382).
- pci-hyperv: increase HV_VP_SET_BANK_COUNT_MAX to handle 1792 vcpus (bsc#1122822).
- pci-hyperv: increase HV_VP_SET_BANK_COUNT_MAX to handle 1792 vcpus (fate#327171, bsc#1122822).
- perf auxtrace: Define auxtrace record alignment (bnc#1012382).
- perf bench: Copy kernel files needed to build mem{cpy,set} x86_64 benchmarks (bnc#1012382).
- perf intel-pt: Fix CYC timestamp calculation after OVF (bnc#1012382).
- perf intel-pt: Fix overlap calculation for padding (bnc#1012382).
- perf intel-pt: Fix TSC slip (bnc#1012382).
- perf/ring_buffer: Refuse to begin AUX transaction after rb->aux_mmap_count drops (bnc#1012382).
- perf symbols: Filter out hidden symbols from labels (bnc#1012382).
- perf: Synchronously free aux pages in case of allocation failure (bnc#1012382).
- perf tools: Handle TOPOLOGY headers with no CPU (bnc#1012382).
- perf/x86/amd: Add event map for AMD Family 17h (bsc#1114648).
- phonet: fix building with clang (bnc#1012382).
- pinctrl: meson: meson8b: fix the sdxc_a data 1..3 pins (bnc#1012382).
- platform/x86: Fix unmet dependency warning for SAMSUNG_Q10 (bnc#1012382).
- pm / Hibernate: Call flush_icache_range() on pages restored in-place (bnc#1012382).
- pm / wakeup: Rework wakeup source timer cancellation (bnc#1012382).
- powerpc/32: Clear on-stack exception marker upon exception return (bnc#1012382).
- powerpc/64: Call setup_barrier_nospec() from setup_arch() (bsc#1131107).
- powerpc/64: Disable the speculation barrier from the command line (bsc#1131107).
- powerpc/64: Make stf barrier PPC_BOOK3S_64 specific (bsc#1131107).
- powerpc/64s: Add new security feature flags for count cache flush (bsc#1131107).
- powerpc/64s: Add support for software count cache flush (bsc#1131107).
- powerpc/83xx: Also save/restore SPRG4-7 during suspend (bnc#1012382).
- powerpc: Always initialize input array when calling epapr_hypercall() (bnc#1012382).
- powerpc/asm: Add a patch_site macro & helpers for patching instructions (bsc#1131107).
- powerpc/fsl: Fix spectre_v2 mitigations reporting (bsc#1131107).
- powerpc/mm/hash: Handle mmap_min_addr correctly in get_unmapped_area topdown search (bsc#1131900).
- powerpc/numa: document topology_updates_enabled, disable by default (bsc#1133584).
- powerpc/numa: improve control of topology updates (bsc#1133584).
- powerpc/perf: Fix unit_sel/cache_sel checks (bsc#1053043).
- powerpc/perf: Remove l2 bus events from HW cache event array (bsc#1053043).
- powerpc/perf: Update raw-event code encoding comment for power8 (bsc#1053043, git-fixes).
- powerpc/powernv/cpuidle: Init all present cpus for deep states (bsc#1066223).
- powerpc/powernv: Make opal log only readable by root (bnc#1012382).
- powerpc/powernv: Query firmware for count cache flush settings (bsc#1131107).
- powerpc/pseries/mce: Fix misleading print for TLB mutlihit (bsc#1094244, git-fixes).
- powerpc/pseries: Query hypervisor for count cache flush settings (bsc#1131107).
- powerpc/security: Fix spectre_v2 reporting (bsc#1131107).
- powerpc/speculation: Support 'mitigations=' cmdline option (bsc#1112178).
- powerpc/tm: Add commandline option to disable hardware transactional memory (bsc#1118338).
- powerpc/tm: Add TM Unavailable Exception (bsc#1118338).
- powerpc/tm: Flip the HTM switch default to disabled (bsc#1125580).
- powerpc/vdso32: fix CLOCK_MONOTONIC on PPC64 (bsc#1131587).
- powerpc/vdso64: Fix CLOCK_MONOTONIC inconsistencies across Y2038 (bsc#1131587).
- powerpc/wii: properly disable use of BATs when requested (bnc#1012382).
- ravb: Decrease TxFIFO depth of Q3 and Q2 to one (bnc#1012382).
- rcu: Do RCU GP kthread self-wakeup from softirq and interrupt (bnc#1012382).
- rdma/core: Do not expose unsupported counters (bsc#994770).
- rdma/srp: Rework SCSI device reset handling (bnc#1012382).
- Refresh patches.fixes/0001-net-mlx4-Fix-endianness-issue-in-qp-context-params.patch. (bsc#1132619)
- regulator: s2mpa01: Fix step values for some LDOs (bnc#1012382).
- regulator: s2mps11: Fix steps for buck7, buck8 and LDO35 (bnc#1012382).
- Revert 'bridge: do not add port to router list when receives query with source 0.0.0.0' (bnc#1012382).
- Revert 'mmc: block: do not use parameter prefix if built as module' (bnc#1012382).
- Revert 'scsi, block: fix duplicate bdi name registration crashes' (bsc#1020989).
- Revert 'USB: core: only clean up what we allocated' (bnc#1012382).
- route: set the deleted fnhe fnhe_daddr to 0 in ip_del_fnhe to fix a race (bnc#1012382).
- rsi: fix a dereference on adapter before it has been null checked (bsc#1085539).
- rtc: Fix overflow when converting time64_t to rtc_time (bnc#1012382).
- rtl8xxxu: Fix missing break in switch (bsc#1120902).
- s390/dasd: fix panic for failed online processing (bsc#1132589).
- s390/dasd: fix using offset into zero size array error (bnc#1012382).
- s390: Prevent hotplug rwsem recursion (bsc#1131980).
- s390/qeth: fix use-after-free in error path (bnc#1012382).
- s390/speculation: Support 'mitigations=' cmdline option (bsc#1112178).
- s390/virtio: handle find on invalid queue gracefully (bnc#1012382).
- sched/core: Fix cpu.max vs. cpuhotplug deadlock (bsc#1106913).
- sched/smt: Expose sched_smt_present static key (bsc#1106913).
- sched/smt: Make sched_smt_present track topology (bsc#1106913).
- scsi: csiostor: fix NULL pointer dereference in csio_vport_set_state() (bnc#1012382).
- scsi: isci: initialize shost fully before calling scsi_add_host() (bnc#1012382).
- scsi: libfc: free skb when receiving invalid flogi resp (bnc#1012382).
- scsi: libiscsi: Fix race between iscsi_xmit_task and iscsi_complete_task (bnc#1012382).
- scsi: libsas: Fix rphy phy_identifier for PHYs with end devices attached (bnc#1012382).
- scsi: qla4xxx: check return code of qla4xxx_copy_from_fwddb_param (bnc#1012382).
- scsi: sd: Fix a race between closing an sd device and sd I/O (bnc#1012382).
- scsi: storvsc: Fix a race in sub-channel creation that can cause panic ().
- scsi: storvsc: Fix a race in sub-channel creation that can cause panic (fate#323887).
- scsi: storvsc: Reduce default ring buffer size to 128 Kbytes ().
- scsi: storvsc: Reduce default ring buffer size to 128 Kbytes (fate#323887).
- scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock (bnc#1012382).
- scsi: virtio_scsi: do not send sc payload with tmfs (bnc#1012382).
- scsi: zfcp: fix rport unblock if deleted SCSI devices on Scsi_Host (bnc#1012382).
- scsi: zfcp: fix scsi_eh host reset with port_forced ERP for non-NPIV FCP devices (bnc#1012382).
- sctp: fix the transports round robin issue when init is retransmitted (git-fixes).
- sctp: get sctphdr by offset in sctp_compute_cksum (bnc#1012382).
- serial: 8250_pci: Fix number of ports for ACCES serial cards (bnc#1012382).
- serial: 8250_pci: Have ACCES cards that use the four port Pericom PI7C9X7954 chip use the pci_pericom_setup() (bnc#1012382).
- serial: fsl_lpuart: fix maximum acceptable baud rate with over-sampling (bnc#1012382).
- serial: max310x: Fix to avoid potential NULL pointer dereference (bnc#1012382).
- serial: sh-sci: Fix setting SCSCR_TIE while transferring data (bnc#1012382).
- serial: sprd: adjust TIMEOUT to a big value (bnc#1012382).
- serial: sprd: clear timeout interrupt only rather than all interrupts (bnc#1012382).
- sit: check if IPv6 enabled before calling ip6_err_gen_icmpv6_unreach() (bnc#1012382).
- sky2: Disable MSI on Dell Inspiron 1545 and Gateway P-79 (bnc#1012382).
- sockfs: getxattr: Fail with -EOPNOTSUPP for invalid attribute names (bnc#1012382).
- staging: ashmem: Add missing include (bnc#1012382).
- staging: ashmem: Avoid deadlock with mmap/shrink (bnc#1012382).
- staging: goldfish: audio: fix compiliation on arm (bnc#1012382).
- staging: ion: Set minimum carveout heap allocation order to PAGE_SHIFT (bnc#1012382).
- staging: lustre: fix buffer overflow of string buffer (bnc#1012382).
- staging: rtl8188eu: avoid a null dereference on pmlmepriv (bsc#1085539).
- staging: vt6655: Fix interrupt race condition on device start up (bnc#1012382).
- staging: vt6655: Remove vif check from vnt_interrupt (bnc#1012382).
- stm class: Do not leak the chrdev in error path (bnc#1012382).
- stm class: Fix an endless loop in channel allocation (bnc#1012382).
- stm class: Fix a race in unlinking (bnc#1012382).
- stm class: Fix link list locking (bnc#1012382).
- stm class: Fix locking in unbinding policy path (bnc#1012382).
- stm class: Fix stm device initialization order (bnc#1012382).
- stm class: Fix unbalanced module/device refcounting (bnc#1012382).
- stm class: Fix unlocking braino in the error path (bnc#1012382).
- stm class: Guard output assignment against concurrency (bnc#1012382).
- stm class: Hide STM-specific options if STM is disabled (bnc#1012382).
- stm class: Prevent division by zero (bnc#1012382).
- stm class: Prevent user-controllable allocations (bnc#1012382).
- stm class: Support devices with multiple instances (bnc#1012382).
- stmmac: copy unicast mac address to MAC registers (bnc#1012382).
- stop_machine: Provide stop_machine_cpuslocked() (bsc#1131980).
- sunrpc: do not mark uninitialised items as VALID (bsc#1130737).
- sunrpc: init xdr_stream for zero iov_len, page_len (bsc#11303356).
- svm/avic: Fix invalidate logical APIC id entry (bsc#1132727).
- svm: Fix AVIC DFR and LDR handling (bsc#1130343).
- svm: Fix improper check when deactivate AVIC (bsc#1130344).
- tcp/dccp: drop SYN packets if accept queue is full (bnc#1012382).
- tcp/dccp: remove reqsk_put() from inet_child_forget() (git-fixes).
- tcp: do not use ipv6 header for ipv4 flow (bnc#1012382).
- tcp: handle inet_csk_reqsk_queue_add() failures (git-fixes).
- thermal: int340x_thermal: Fix a NULL vs IS_ERR() check (bnc#1012382).
- time: Introduce jiffies64_to_nsecs() (bsc#1113399).
- tmpfs: fix link accounting when a tmpfile is linked in (bnc#1012382).
- tmpfs: fix uninitialized return value in shmem_link (bnc#1012382).
- tpm: fix kdoc for tpm2_flush_context_cmd() (bsc#1020645).
- tpm: Fix the type of the return value in calc_tpm2_event_size() (bsc#1020645, git-fixes).
- tpm: tpm-interface.c drop unused macros (bsc#1020645).
- tty: atmel_serial: fix a potential NULL pointer dereference (bnc#1012382).
- udf: Fix crash on IO error during truncate (bnc#1012382).
- Update patches.fixes/SUNRPC-init-xdr_stream-for-zero-iov_len-page_len.patch (bsc#1130356).
- usb: core: only clean up what we allocated (bnc#1012382).
- usb: dwc2: Fix DMA alignment to start at allocated boundary (bsc#1100132).
- usb: dwc2: fix the incorrect bitmaps for the ports of multi_tt hub (bsc#1100132).
- usb: dwc3: gadget: Fix suspend/resume during device mode (bnc#1012382).
- usb: dwc3: gadget: Fix the uninitialized link_state when udc starts (bnc#1012382).
- usb: gadget: Add the gserial port checking in gs_start_tx() (bnc#1012382).
- usb: gadget: composite: fix dereference after null check coverify warning (bnc#1012382).
- usb: gadget: configfs: add mutex lock before unregister gadget (bnc#1012382).
- usb: gadget: Potential NULL dereference on allocation error (bnc#1012382).
- usb: gadget: rndis: free response queue during REMOTE_NDIS_RESET_MSG (bnc#1012382).
- usb: renesas_usbhs: gadget: fix unused-but-set-variable warning (bnc#1012382).
- usb: serial: cp210x: add ID for Ingenico 3070 (bnc#1012382).
- usb: serial: cp210x: add new device id (bnc#1012382).
- usb: serial: cypress_m8: fix interrupt-out transfer length (bsc#1119086).
- usb: serial: ftdi_sio: add additional NovaTech products (bnc#1012382).
- usb: serial: ftdi_sio: add ID for Hjelmslund Electronics USB485 (bnc#1012382).
- usb: serial: mos7720: fix mos_parport refcount imbalance on error path (bsc#1129770).
- usb: serial: option: add Olicard 600 (bnc#1012382).
- usb: serial: option: add Telit ME910 ECM composition (bnc#1012382).
- usb: serial: option: set driver_info for SIM5218 and compatibles (bsc#1129770).
- video: fbdev: Set pixclock = 0 in goldfishfb (bnc#1012382).
- vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel (bnc#1012382).
- vxlan: Do not call gro_cells_destroy() before device is unregistered (bnc#1012382).
- vxlan: Fix GRO cells race condition between receive and link delete (bnc#1012382).
- vxlan: test dev->flags & IFF_UP before calling gro_cells_receive() (bnc#1012382).
- wlcore: Fix the return value in case of error in 'wlcore_vendor_cmd_smart_config_start()' (bsc#1120902).
- x86_64: increase stack size for KASAN_EXTRA (bnc#1012382).
- x86/apic: Provide apic_ack_irq() (bsc#1122822).
- x86/apic: Provide apic_ack_irq() (fate#327171, bsc#1122822).
- x86/CPU/AMD: Set the CPB bit unconditionally on F17h (bnc#1012382).
- x86/Hyper-V: Set x2apic destination mode to physical when x2apic is available (bsc#1122822).
- x86/Hyper-V: Set x2apic destination mode to physical when x2apic is available (fate#327171, bsc#1122822).
- x86/kexec: Do not setup EFI info if EFI runtime is not enabled (bnc#1012382).
- x86/mce: Improve error message when kernel cannot recover, p2 (bsc#1114648).
- x86/smp: Enforce CONFIG_HOTPLUG_CPU when SMP=y (bnc#1012382).
- x86/speculation: Remove redundant arch_smt_update() invocation (bsc#1111331).
- x86/speculation: Support 'mitigations=' cmdline option (bsc#1112178).
- x86/uaccess: Do not leak the AC flag into __put_user() value evaluation (bsc#1114648).
- x86/vdso: Add VCLOCK_HVCLOCK vDSO clock read method (bsc#1133308).
- xen-netback: fix occasional leak of grant ref mappings under memory pressure (bnc#1012382).
- xfrm_user: fix info leak in build_aevent() (git-fixes).
- xfrm_user: fix info leak in xfrm_notify_sa() (git-fixes).
- xhci: Do not let USB3 ports stuck in polling state prevent suspend (bsc#1047487).
- xhci: Fix port resume done detection for SS ports with LPM enabled (bnc#1012382).
- xtensa: SMP: fix ccount_timer_shutdown (bnc#1012382).
- xtensa: SMP: fix secondary CPU initialization (bnc#1012382).
- xtensa: SMP: limit number of possible CPUs by NR_CPUS (bnc#1012382).
- xtensa: smp_lx200_defconfig: fix vectors clash (bnc#1012382).
- xtensa: SMP: mark each possible CPU as present (bnc#1012382).
ImportantSUSE bug 1012382SUSE bug 1020645SUSE bug 1020989SUSE bug 1023711SUSE bug 1031492SUSE bug 1047487SUSE bug 1051510SUSE bug 1053043SUSE bug 1062056SUSE bug 1063638SUSE bug 1066223SUSE bug 1068032SUSE bug 1070872SUSE bug 1078216SUSE bug 1085539SUSE bug 1086162SUSE bug 1087092SUSE bug 1087659SUSE bug 1093777SUSE bug 1094120SUSE bug 1094244SUSE bug 1096480SUSE bug 1096728SUSE bug 1097104SUSE bug 1100132SUSE bug 1103186SUSE bug 1105348SUSE bug 1106110SUSE bug 1106913SUSE bug 1106929SUSE bug 1107937SUSE bug 1111331SUSE bug 1112178SUSE bug 1113399SUSE bug 1114542SUSE bug 1114638SUSE bug 1114648SUSE bug 1114893SUSE bug 1118338SUSE bug 1118506SUSE bug 1119086SUSE bug 1120902SUSE bug 1122822SUSE bug 1125580SUSE bug 1126356SUSE bug 1127445SUSE bug 1129278SUSE bug 1129326SUSE bug 1129770SUSE bug 1130130SUSE bug 1130343SUSE bug 1130344SUSE bug 1130345SUSE bug 1130346SUSE bug 1130347SUSE bug 1130356SUSE bug 1130425SUSE bug 1130567SUSE bug 1130737SUSE bug 1131107SUSE bug 1131416SUSE bug 1131427SUSE bug 1131587SUSE bug 1131659SUSE bug 1131857SUSE bug 1131900SUSE bug 1131934SUSE bug 1131935SUSE bug 1131980SUSE bug 1132227SUSE bug 1132534SUSE bug 1132589SUSE bug 1132618SUSE bug 1132619SUSE bug 1132634SUSE bug 1132635SUSE bug 1132636SUSE bug 1132637SUSE bug 1132638SUSE bug 1132727SUSE bug 1132828SUSE bug 1133308SUSE bug 1133584SUSE bug 994770SUSE bug 997935CVE-2017-5753 at SUSECVE-2017-5753 at NVDCVE-2018-1000204 at SUSECVE-2018-1000204 at NVDCVE-2018-10853 at SUSECVE-2018-10853 at NVDCVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2018-15594 at SUSECVE-2018-15594 at NVDCVE-2018-5814 at SUSECVE-2018-5814 at NVDCVE-2018-8822 at SUSECVE-2018-8822 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDCVE-2019-3882 at SUSECVE-2019-3882 at NVDCVE-2019-9503 at SUSECVE-2019-9503 at NVDcpe:/o:suse:sles:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3
This update for xen fixes the following issues:
Four new speculative execution information leak issues have been identified in Intel CPUs. (bsc#1111331)
- CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
- CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)
- CVE-2018-12130: Microarchitectural Load Port Data Samling (MLPDS)
- CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
These updates contain the XEN Hypervisor adjustments, that additionaly also use CPU Microcode updates.
The mitigation can be controlled via the 'mds' commandline option, see the documentation.
For more information on this set of vulnerabilities, check out https://www.suse.com/support/kb/doc/?id=7023736
Security issue fixed:
- CVE-2018-20815: Fixed a heap buffer overflow while loading device tree blob (bsc#1130680)
Other fixes:
- Added code to change LIBXL_HOTPLUG_TIMEOUT at runtime.
The included README has details about the impact of this change (bsc#1120095)
ImportantSUSE bug 1027519SUSE bug 1111331SUSE bug 1120095SUSE bug 1130680CVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2018-20815 at SUSECVE-2018-20815 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDcpe:/o:suse:sles:12:sp3Security update for systemd (Important)SUSE Linux Enterprise Server 12 SP3
This update for systemd fixes the following issues:
Security issues fixed:
- CVE-2018-6954: Fixed a vulnerability in the symlink handling of systemd-tmpfiles
which allowed a local user to obtain ownership of arbitrary files (bsc#1080919).
- CVE-2019-3842: Fixed a vulnerability in pam_systemd which allowed a local user to escalate privileges (bsc#1132348).
- CVE-2019-6454: Fixed a denial of service caused by long dbus messages (bsc#1125352).
Non-security issues fixed:
- systemd-coredump: generate a stack trace of all core dumps (jsc#SLE-5933)
- udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400)
- sd-bus: bump message queue size again (bsc#1132721)
- core: only watch processes when it's really necessary (bsc#955942 bsc#1128657)
- rules: load drivers only on 'add' events (bsc#1126056)
- sysctl: Don't pass null directive argument to '%s' (bsc#1121563)
- Do not automatically online memory on s390x (bsc#1127557)
ImportantSUSE bug 1080919SUSE bug 1121563SUSE bug 1125352SUSE bug 1126056SUSE bug 1127557SUSE bug 1128657SUSE bug 1130230SUSE bug 1132348SUSE bug 1132400SUSE bug 1132721SUSE bug 955942CVE-2018-6954 at SUSECVE-2018-6954 at NVDCVE-2019-3842 at SUSECVE-2019-3842 at NVDCVE-2019-6454 at SUSECVE-2019-6454 at NVDcpe:/o:suse:sles:12:sp3Security update for PackageKit (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for PackageKit fixes the following issues:
- Fixed displaying the license agreement pop up window during package update (bsc#1038425).
ModerateSUSE bug 1038425cpe:/o:suse:sles:12:sp3Security update for nmap (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for nmap fixes the following issues:
Security issue fixed:
- CVE-2018-15173: Fixed a remote denial of service attack via a crafted TCP-based service (bsc#1104139).
ModerateSUSE bug 1104139CVE-2018-15173 at SUSECVE-2018-15173 at NVDcpe:/o:suse:sles:12:sp3Security update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3
This update for ucode-intel fixes the following issues:
ucode-intel was updated to official QSR 2019.1 microcode release (bsc#1111331
CVE-2018-12126 CVE-2018-12130 CVE-2018-12127 CVE-2019-11091)
---- new platforms ----------------------------------------
VLV C0 6-37-8/02 00000838 Atom Z series
VLV C0 6-37-8/0C 00000838 Celeron N2xxx, Pentium N35xx
VLV D0 6-37-9/0F 0000090c Atom E38xx
CHV C0 6-4c-3/01 00000368 Atom X series
CHV D0 6-4c-4/01 00000411 Atom X series
Readded Broadwell CPU ucode that was missing in last update:
BDX-ML B0/M0/R0 6-4f-1/ef 0b00002e->00000036 Xeon E5/E7 v4; Core i7-69xx/68xx
ImportantSUSE bug 1111331CVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDcpe:/o:suse:sles:12:sp3Security update for openssh (Important)SUSE Linux Enterprise Server 12 SP3
This update for openssh fixes the following issues:
Security issue fixed:
- CVE-2018-20685: Fixed an issue where scp client allows remote SSH servers to bypass intended access restrictions (bsc#1121571)
- CVE-2019-6109: Fixed an issue where the scp client would allow malicious remote SSH servers to manipulate terminal output via the object name, e.g. by inserting ANSI escape sequences (bsc#1121816)
- CVE-2019-6110: Fixed an issue where the scp client would allow malicious remote SSH servers to manipulate stderr output, e.g. by inserting ANSI escape sequences (bsc#1121818)
- CVE-2019-6111: Fixed an issue where the scp client would allow malicious remote SSH servers to execute directory traversal attacks and overwrite files (bsc#1121821)
ImportantSUSE bug 1121571SUSE bug 1121816SUSE bug 1121818SUSE bug 1121821CVE-2018-20685 at SUSECVE-2018-20685 at NVDCVE-2019-6109 at SUSECVE-2019-6109 at NVDCVE-2019-6110 at SUSECVE-2019-6110 at NVDCVE-2019-6111 at SUSECVE-2019-6111 at NVDcpe:/o:suse:sles:12:sp3Security update for sysstat (Low)SUSE Linux Enterprise Server 12 SP3
This update for sysstat fixes the following issues:
Security issues fixed:
- CVE-2018-19416: Fixed out-of-bounds read during a memmove call inside the remap_struct function (bsc#1117001).
- CVE-2018-19517: Fixed out-of-bounds read during a memset call inside the remap_struct function (bsc#1117260).
LowSUSE bug 1117001SUSE bug 1117260CVE-2018-19416 at SUSECVE-2018-19416 at NVDCVE-2018-19517 at SUSECVE-2018-19517 at NVDcpe:/o:suse:sles:12:sp3Security update for bluez (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for bluez fixes the following issues:
Security vulnerability addressed:
- CVE-2016-9797: Fixed a buffer over-read in l2cap_dump() (bsc#1013708).
- CVE-2016-9798: Fixed a use-after-free in conf_opt() (bsc#1013712).
- CVE-2016-9917: Fixed a heap-based buffer overflow in read_n() (bsc#1015171).
- CVE-2016-9802: Fixed a buffer over-read in l2cap_packet() (bsc#1013893).
- CVE-2016-9918: Fixed an out-of-bounds stack read in packet_hexdump(),
which could be triggered by processing a corrupted dump file and will result
in a crash of the hcidump tool (bsc#1015173)
ModerateSUSE bug 1013708SUSE bug 1013712SUSE bug 1013893SUSE bug 1015171SUSE bug 1015173CVE-2016-9797 at SUSECVE-2016-9797 at NVDCVE-2016-9798 at SUSECVE-2016-9798 at NVDCVE-2016-9802 at SUSECVE-2016-9802 at NVDCVE-2016-9917 at SUSECVE-2016-9917 at NVDCVE-2016-9918 at SUSECVE-2016-9918 at NVDcpe:/o:suse:sles:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3
This update for java-1_7_1-ibm fixes the following issues:
Update to Java 7.1 Service Refresh 4 Fix Pack 45.
Security issues fixed:
- CVE-2019-10245: Fixed Java bytecode verifier issue causing crashes (bsc#1134718).
- CVE-2019-2698: Fixed out of bounds access flaw in the 2D component (bsc#1132729).
- CVE-2019-2697: Fixed flaw inside the 2D component (bsc#1132734).
- CVE-2019-2602: Fixed flaw inside BigDecimal implementation (Component: Libraries) (bsc#1132728).
- CVE-2019-2684: Fixed flaw was found in the RMI registry implementation (bsc#1132732).
ImportantSUSE bug 1132728SUSE bug 1132729SUSE bug 1132732SUSE bug 1132734SUSE bug 1134718CVE-2019-10245 at SUSECVE-2019-10245 at NVDCVE-2019-2602 at SUSECVE-2019-2602 at NVDCVE-2019-2684 at SUSECVE-2019-2684 at NVDCVE-2019-2697 at SUSECVE-2019-2697 at NVDCVE-2019-2698 at SUSECVE-2019-2698 at NVDcpe:/o:suse:sles:12:sp3Security update for systemd (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for systemd provides the following fixes:
Security issues fixed:
- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323)
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
- Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971)
Non-security issues fixed:
- core: Queue loading transient units after setting their properties. (bsc#1115518)
- logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591)
- terminal-util: introduce vt_release() and vt_restore() helpers.
- terminal: Unify code for resetting kbd utf8 mode a bit.
- terminal Reset should honour default_utf8 kernel setting.
- logind: Make session_restore_vt() static.
- udev: Downgrade message when settting inotify watch up fails. (bsc#1005023)
- log: Never log into foreign fd #2 in PID 1 or its pre-execve() children. (bsc#1114981)
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3,
80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to
detect non-zvm environment. The systemd-detect-virt returns exit failure code when it
detected _none_ state. The exit failure code causes that the hot-add memory block can
not be set to online. (bsc#1076696)
ModerateSUSE bug 1005023SUSE bug 1076696SUSE bug 1101591SUSE bug 1114981SUSE bug 1115518SUSE bug 1119971SUSE bug 1120323CVE-2018-16864 at SUSECVE-2018-16864 at NVDCVE-2018-16865 at SUSECVE-2018-16865 at NVDCVE-2018-16866 at SUSECVE-2018-16866 at NVDcpe:/o:suse:sles:12:sp3Security update for screen (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for screen fixes the following issues:
Security issue fixed:
- CVE-2015-6806: Fixed a stack overflow due to deep recursion (bsc#944458).
Non-security issue fixed:
- Fixed segmentation faults related to altscreen and resizing screen (bsc#1130831).
ModerateSUSE bug 1130831SUSE bug 944458CVE-2015-6806 at SUSECVE-2015-6806 at NVDcpe:/o:suse:sles:12:sp3Security update for curl (Important)SUSE Linux Enterprise Server 12 SP3
This update for curl fixes the following issues:
Security issue fixed:
- CVE-2019-5436: Fixed a heap buffer overflow exists in tftp_receive_packet that receives data from a TFTP server (bsc#1135170).
ImportantSUSE bug 1135170CVE-2019-5436 at SUSECVE-2019-5436 at NVDcpe:/o:suse:sles:12:sp3Security update for libtasn1 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libtasn1 fixes the following issues:
Security issues fixed:
- CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).
- CVE-2017-6891: Fixed a stack overflow in asn1_find_node() (bsc#1040621).
ModerateSUSE bug 1040621SUSE bug 1105435CVE-2017-6891 at SUSECVE-2017-6891 at NVDCVE-2018-1000654 at SUSECVE-2018-1000654 at NVDcpe:/o:suse:sles:12:sp3Security update for wireshark (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for wireshark to version 2.4.12 fixes the following issues:
Security issues fixed:
- CVE-2019-5717: Fixed a denial of service in the P_MUL dissector (bsc#1121232)
- CVE-2019-5718: Fixed a denial of service in the RTSE dissector and other dissectors (bsc#1121233)
- CVE-2019-5719: Fixed a denial of service in the ISAKMP dissector (bsc#1121234)
- CVE-2019-5721: Fixed a denial of service in the ISAKMP dissector (bsc#1121235)
ModerateSUSE bug 1121232SUSE bug 1121233SUSE bug 1121234SUSE bug 1121235CVE-2019-5717 at SUSECVE-2019-5717 at NVDCVE-2019-5718 at SUSECVE-2019-5718 at NVDCVE-2019-5719 at SUSECVE-2019-5719 at NVDCVE-2019-5721 at SUSECVE-2019-5721 at NVDcpe:/o:suse:sles:12:sp3Security update for axis (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for axis fixes the following issues:
Security issue fixed:
- CVE-2012-5784, CVE-2014-3596: Fixed missing connection hostname check against X.509 certificate name (bsc#1134598).
ModerateSUSE bug 1134598CVE-2012-5784 at SUSECVE-2012-5784 at NVDCVE-2014-3596 at SUSECVE-2014-3596 at NVDcpe:/o:suse:sles:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3
This update for MozillaFirefox fixes the following issues:
Security issues fixed:
- CVE-2019-11691: Use-after-free in XMLHttpRequest
- CVE-2019-11692: Use-after-free removing listeners in the event listener manager
- CVE-2019-11693: Buffer overflow in WebGL bufferdata on Linux
- CVE-2019-11694: Uninitialized memory memory leakage in Windows sandbox
- CVE-2019-11698: Theft of user history data through drag and drop of hyperlinks to and from bookmarks
- CVE-2019-7317: Use-after-free in png_image_free of libpng library
- CVE-2019-9800: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7
- CVE-2019-9815: Disable hyperthreading on content JavaScript threads on macOS
- CVE-2019-9816: Type confusion with object groups and UnboxedObjects
- CVE-2019-9817: Stealing of cross-domain images using canvas
- CVE-2019-9818: Use-after-free in crash generation server
- CVE-2019-9819: Compartment mismatch with fetch API
- CVE-2019-9820: Use-after-free of ChromeEventHandler by DocShell
Non-security issues fixed:
- Font and date adjustments to accommodate the new Reiwa era in Japan
- Update to Firefox ESR 60.7 (bsc#1135824)
ImportantSUSE bug 1135824CVE-2019-11691 at SUSECVE-2019-11691 at NVDCVE-2019-11692 at SUSECVE-2019-11692 at NVDCVE-2019-11693 at SUSECVE-2019-11693 at NVDCVE-2019-11694 at SUSECVE-2019-11694 at NVDCVE-2019-11698 at SUSECVE-2019-11698 at NVDCVE-2019-7317 at SUSECVE-2019-7317 at NVDCVE-2019-9800 at SUSECVE-2019-9800 at NVDCVE-2019-9815 at SUSECVE-2019-9815 at NVDCVE-2019-9816 at SUSECVE-2019-9816 at NVDCVE-2019-9817 at SUSECVE-2019-9817 at NVDCVE-2019-9818 at SUSECVE-2019-9818 at NVDCVE-2019-9819 at SUSECVE-2019-9819 at NVDCVE-2019-9820 at SUSECVE-2019-9820 at NVDcpe:/o:suse:sles:12:sp3Security update for gnome-shell (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for gnome-shell fixes the following issues:
Security issue fixed:
- CVE-2019-3820: Fixed a partial lock screen bypass (bsc#1124493).
Fixed bugs:
- Remove sessionList of endSessionDialog for security reasons (jsc#SLE-6660).
ModerateSUSE bug 1124493CVE-2019-3820 at SUSECVE-2019-3820 at NVDcpe:/o:suse:sles:12:sp3Security update for java-1_7_0-openjdk (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for java-1_7_0-openjdk fixes the following issues:
Update to 2.6.18 - OpenJDK 7u221 (April 2019 CPU)
Security issues fixed:
- CVE-2019-2602: Fixed flaw inside BigDecimal implementation (Component: Libraries) (bsc#1132728).
- CVE-2019-2684: Fixed flaw inside the RMI registry implementation (bsc#1132732).
- CVE-2019-2698: Fixed out of bounds access flaw in the 2D component (bsc#1132729).
- CVE-2019-2422: Fixed memory disclosure in FileChannelImpl (bsc#1122293).
- CVE-2018-11212: Fixed a Divide By Zero in alloc_sarray function in jmemmgr.c (bsc#1122299).
- CVE-2019-2426: Improve web server connections (bsc#1134297).
Bug fixes:
- Please check the package Changelog for detailed information.
ModerateSUSE bug 1122293SUSE bug 1122299SUSE bug 1132728SUSE bug 1132729SUSE bug 1132732SUSE bug 1134297CVE-2018-11212 at SUSECVE-2018-11212 at NVDCVE-2019-2422 at SUSECVE-2019-2422 at NVDCVE-2019-2426 at SUSECVE-2019-2426 at NVDCVE-2019-2602 at SUSECVE-2019-2602 at NVDCVE-2019-2684 at SUSECVE-2019-2684 at NVDCVE-2019-2698 at SUSECVE-2019-2698 at NVDcpe:/o:suse:sles:12:sp3Security update for apache2-mod_jk (Important)SUSE Linux Enterprise Server 12 SP3
This update for apache2-mod_jk fixes the following issue:
Security issue fixed:
- CVE-2018-11759: Fixed connector path traversal due to mishandled HTTP requests in httpd (bsc#1114612).
ImportantSUSE bug 1114612CVE-2018-11759 at SUSECVE-2018-11759 at NVDcpe:/o:suse:sles:12:sp3Security update for bind (Important)SUSE Linux Enterprise Server 12 SP3
This update for bind fixes the following issues:
Security issues fixed:
- CVE-2018-5740: Fixed a denial of service vulnerability in the 'deny-answer-aliases' feature (bsc#1104129).
- CVE-2019-6465: Fixed an issue where controls for zone transfers may not be properly applied to Dynamically Loadable Zones (bsc#1126069).
- CVE-2018-5745: An assertion failure can occur if a trust anchor rolls over to an unsupported key algorithm when using managed-keys. (bsc#1126068)
- CVE-2018-5743: Limiting simultaneous TCP clients is ineffective. (bsc#1133185)
ImportantSUSE bug 1104129SUSE bug 1126068SUSE bug 1126069SUSE bug 1133185CVE-2018-5740 at SUSECVE-2018-5740 at NVDCVE-2018-5743 at SUSECVE-2018-5743 at NVDCVE-2018-5745 at SUSECVE-2018-5745 at NVDCVE-2019-6465 at SUSECVE-2019-6465 at NVDcpe:/o:suse:sles:12:sp3Security update for python (Important)SUSE Linux Enterprise Server 12 SP3
This update for python fixes the following issues:
Security issues fixed:
- CVE-2019-9948: Fixed a 'file:' blacklist bypass in URIs by using the 'local-file:' scheme instead (bsc#1130847).
- CVE-2019-9636: Fixed an information disclosure because of incorrect handling of Unicode encoding during NFKC normalization (bsc#1129346).
ImportantSUSE bug 1129346SUSE bug 1130847CVE-2019-9636 at SUSECVE-2019-9636 at NVDCVE-2019-9948 at SUSECVE-2019-9948 at NVDcpe:/o:suse:sles:12:sp3Security update for ghostscript (Important)SUSE Linux Enterprise Server 12 SP3
This update for ghostscript to version 9.26a fixes the following issues:
Security issue fixed:
- CVE-2019-6116: subroutines within pseudo-operators must themselves be pseudo-operators (bsc#1122319)
ImportantSUSE bug 1122319CVE-2019-6116 at SUSECVE-2019-6116 at NVDcpe:/o:suse:sles:12:sp3Security update for vim (Important)SUSE Linux Enterprise Server 12 SP3
This update for vim fixes the following issue:
Security issue fixed:
- CVE-2019-12735: Fixed a potential arbitrary code execution vulnerability in getchar.c (bsc#1137443).
ImportantSUSE bug 1137443CVE-2019-12735 at SUSECVE-2019-12735 at NVDcpe:/o:suse:sles:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3
This update for webkit2gtk3 to version 2.22.5 fixes the following issues:
Security issues fixed:
- CVE-2018-4438: Fixed a logic issue which lead to memory corruption (bsc#1119554)
- CVE-2018-4437, CVE-2018-4441, CVE-2018-4442, CVE-2018-4443, CVE-2018-4464:
Fixed multiple memory corruption issues with improved memory handling
(bsc#1119553, bsc#1119555, bsc#1119556, bsc#1119557, bsc#1119558)
ImportantSUSE bug 1119553SUSE bug 1119554SUSE bug 1119555SUSE bug 1119556SUSE bug 1119557SUSE bug 1119558CVE-2018-4437 at SUSECVE-2018-4437 at NVDCVE-2018-4438 at SUSECVE-2018-4438 at NVDCVE-2018-4441 at SUSECVE-2018-4441 at NVDCVE-2018-4442 at SUSECVE-2018-4442 at NVDCVE-2018-4443 at SUSECVE-2018-4443 at NVDCVE-2018-4464 at SUSECVE-2018-4464 at NVDcpe:/o:suse:sles:12:sp3Security update for libcroco (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libcroco fixes the following issues:
Security issues fixed:
- CVE-2017-7960: Fixed heap overflow (input: check end of input before reading a byte) (bsc#1034481).
- CVE-2017-7961: Fixed undefined behavior (tknzr: support only max long rgb values) (bsc#1034482).
- CVE-2017-8834: Fixed denial of service (memory allocation error) via a crafted CSS file (bsc#1043898).
- CVE-2017-8871: Fixed denial of service (infinite loop and CPU consumption) via a crafted CSS file (bsc#1043899).
ModerateSUSE bug 1034481SUSE bug 1034482SUSE bug 1043898SUSE bug 1043899CVE-2017-7960 at SUSECVE-2017-7960 at NVDCVE-2017-7961 at SUSECVE-2017-7961 at NVDCVE-2017-8834 at SUSECVE-2017-8834 at NVDCVE-2017-8871 at SUSECVE-2017-8871 at NVDcpe:/o:suse:sles:12:sp3Security update for sssd (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for sssd fixes the following issues:
Security issue fixed:
- CVE-2018-16838: Fixed an authentication bypass related to the Group Policy Objects implementation (bsc#1124194).
Non-security issue fixed:
- Create directory to download and cache GPOs (bsc#1132879)
ModerateSUSE bug 1124194SUSE bug 1132879CVE-2018-16838 at SUSECVE-2018-16838 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3
The SUSE Linux Enterprise 12 SP3 kernel for Azure was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c allowed local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic was uninitialized (bnc#1116841).
- CVE-2018-19985: The function hso_probe read if_num from the USB device (as an u8) and used it without a length check to index an array, resulting in an OOB memory read in hso_probe or hso_get_config_data that could be used by local attackers (bnc#1120743).
- CVE-2018-3639: Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4 (bnc#1087082).
- CVE-2018-1120: By mmap()ing a FUSE-backed file onto a process's memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which made a read() call to the /proc/<pid>/cmdline (or /proc/<pid>/environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks) (bnc#1093158).
- CVE-2017-16939: The XFRM dump policy implementation in net/xfrm/xfrm_user.c allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages (bnc#1069702).
- CVE-2018-16884: NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out (bnc#1119946).
- CVE-2018-20169: The USB subsystem mishandled size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c (bnc#1119714).
- CVE-2018-9568: In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bnc#1118319).
- CVE-2018-16862: A security flaw was found in the way that the cleancache subsystem clears an inode after the final file truncation (removal). The new file created with the same inode may contain leftover pages from cleancache and the old file data instead of the new one (bnc#1117186).
- CVE-2018-19824: A local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c (bnc#1118152).
The following non-security bugs were fixed:
- 9p: clear dangling pointers in p9stat_free (bnc#1012382).
- 9p locks: fix glock.client_id leak in do_lock (bnc#1012382).
- 9p/net: put a lower bound on msize (bnc#1012382).
- ACPI/IORT: Fix iort_get_platform_device_domain() uninitialized pointer value (bsc#1121239).
- ACPI/LPSS: Add alternative ACPI HIDs for Cherry Trail DMA controllers (bnc#1012382).
- ACPI/nfit, x86/mce: Handle only uncorrectable machine checks (bsc#1114648).
- ACPI/nfit, x86/mce: Validate a MCE's address before using it (bsc#1114648).
- ACPI/platform: Add SMB0001 HID to forbidden_id_list (bnc#1012382).
- af_iucv: Move sockaddr length checks to before accessing sa_family in bind and connect handlers (bnc#1012382).
- ahci: do not ignore result code of ahci_reset_controller() (bnc#1012382).
- aio: fix spectre gadget in lookup_ioctx (bnc#1012382).
- aio: hold an extra file reference over AIO read/write operations (bsc#1116027).
- ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write (bnc#1012382).
- ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops (bnc#1012382).
- ALSA: control: Fix race between adding and removing a user element (bnc#1012382).
- ALSA: cs46xx: Potential NULL dereference in probe (bnc#1012382).
- ALSA: emu10k1: Fix potential Spectre v1 vulnerabilities (bnc#1012382).
- ALSA: emux: Fix potential Spectre v1 vulnerabilities (bnc#1012382).
- ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905) (bnc#1012382).
- ALSA: hda: add mute LED support for HP EliteBook 840 G4 (bnc#1012382).
- ALSA: hda: Add support for AMD Stoney Ridge (bnc#1012382).
- ALSA: hda: Check the non-cached stream buffers more explicitly (bnc#1012382).
- ALSA: hda/tegra: clear pending irq handlers (bnc#1012382).
- ALSA: isa/wavefront: prevent some out of bound writes (bnc#1012382).
- ALSA: pcm: Call snd_pcm_unlink() conditionally at closing (bnc#1012382).
- ALSA: pcm: Fix interval evaluation with openmin/max (bnc#1012382).
- ALSA: pcm: Fix potential Spectre v1 vulnerability (bnc#1012382).
- ALSA: pcm: Fix starvation on down_write_nonblock() (bnc#1012382).
- ALSA: pcm: remove SNDRV_PCM_IOCTL1_INFO internal command (bnc#1012382).
- ALSA: rme9652: Fix potential Spectre v1 vulnerability (bnc#1012382).
- ALSA: sparc: Fix invalid snd_free_pages() at error path (bnc#1012382).
- ALSA: timer: Fix zero-division by continue of uninitialized instance (bnc#1012382).
- ALSA: trident: Suppress gcc string warning (bnc#1012382).
- ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit() (bnc#1012382).
- ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks (bnc#1012382).
- ALSA: wss: Fix invalid snd_free_pages() at error path (bnc#1012382).
- amd/iommu: Fix Guest Virtual APIC Log Tail Address Register (bsc#1106105).
- ARC: change defconfig defaults to ARCv2 (bnc#1012382).
- ARC: [devboards] Add support of NFSv3 ACL (bnc#1012382).
- arch/alpha, termios: implement BOTHER, IBSHIFT and termios2 (bnc#1012382).
- ARC: io.h: Implement reads{x}()/writes{x}() (bnc#1012382).
- ARM64: Disable asm-operand-width warning for clang (bnc#1012382).
- ARM64: dts: stratix10: Correct System Manager register size (bnc#1012382).
- ARM64: Enabled ENA (Amazon network driver)
- ARM64: hardcode rodata_enabled=true earlier in the series (bsc#1114763).
- ARM64: PCI: ACPI support for legacy IRQs parsing and consolidation with DT code.
- ARM64: percpu: Initialize ret in the default case (bnc#1012382).
- ARM64: remove no-op -p linker flag (bnc#1012382).
- ARM: 8799/1: mm: fix pci_ioremap_io() offset check (bnc#1012382).
- ARM: 8814/1: mm: improve/fix ARM v7_dma_inv_range() unaligned address handling (bnc#1012382).
- ARM: dts: apq8064: add ahci ports-implemented mask (bnc#1012382).
- ARM: dts: imx53-qsb: disable 1.2GHz OPP (bnc#1012382).
- ARM: fix mis-applied iommu identity check (bsc#1116924).
- ARM: imx: update the cpu power up timing setting on i.mx6sx (bnc#1012382).
- ARM: kvm: fix building with gcc-8 (bsc#1121241).
- ARM: OMAP1: ams-delta: Fix possible use of uninitialized field (bnc#1012382).
- ARM: OMAP2+: prm44xx: Fix section annotation on omap44xx_prm_enable_io_wakeup (bnc#1012382).
- asix: Check for supported Wake-on-LAN modes (bnc#1012382).
- ASoC: ak4613: Enable cache usage to fix crashes on resume (bnc#1012382).
- ASoC: dapm: Recalculate audio map forcely when card instantiated (bnc#1012382).
- ASoC: omap-dmic: Add pm_qos handling to avoid overruns with CPU_IDLE (bnc#1012382).
- ASoC: omap-mcpdm: Add pm_qos handling to avoid under/overruns with CPU_IDLE (bnc#1012382).
- ASoC: spear: fix error return code in spdif_in_probe() (bnc#1012382).
- ASoC: wm8940: Enable cache usage to fix crashes on resume (bnc#1012382).
- ataflop: fix error handling during setup (bnc#1012382).
- ath10k: fix kernel panic due to race in accessing arvif list (bnc#1012382).
- ath10k: schedule hardware restart if WMI command times out (bnc#1012382).
- ax25: fix a use-after-free in ax25_fillin_cb() (bnc#1012382).
- ax88179_178a: Check for supported Wake-on-LAN modes (bnc#1012382).
- b43: Fix error in cordic routine (bnc#1012382).
- batman-adv: Expand merged fragment buffer for full packet (bnc#1012382).
- bcache: fix miss key refill->end in writeback (bnc#1012382).
- bfs: add sanity check at bfs_fill_super() (bnc#1012382).
- binfmt_elf: fix calculations for bss padding (bnc#1012382).
- bitops: protect variables in bit_clear_unless() macro (bsc#1116285).
- block: fix inheriting request priority from bio (bsc#1116924).
- block: respect virtual boundary mask in bvecs (bsc#1113412).
- Bluetooth: btbcm: Add entry for BCM4335C0 UART bluetooth (bnc#1012382).
- Bluetooth: SMP: fix crash in unpairing (bnc#1012382).
- bna: ethtool: Avoid reading past end of buffer (bnc#1012382).
- bnx2x: Assign unique DMAE channel number for FW DMAE transactions (bnc#1012382).
- bonding: fix 802.3ad state sent to partner when unbinding slave (bnc#1012382).
- bpf: fix check of allowed specifiers in bpf_trace_printk (bnc#1012382).
- bpf: generally move prog destruction to RCU deferral (bnc#1012382).
- bpf: support 8-byte metafield access (bnc#1012382).
- bpf, trace: check event type in bpf_perf_event_read (bsc#1119970).
- bpf, trace: use READ_ONCE for retrieving file ptr (bsc#1119967).
- bpf/verifier: Add spi variable to check_stack_write() (bnc#1012382).
- bpf/verifier: Pass instruction index to check_mem_access() and check_xadd() (bnc#1012382).
- bridge: do not add port to router list when receives query with source 0.0.0.0 (bnc#1012382).
- btrfs: Always try all copies when reading extent buffers (bnc#1012382).
- btrfs: do not attempt to trim devices that do not support it (bnc#1012382).
- btrfs: ensure path name is null terminated at btrfs_control_ioctl (bnc#1012382).
- btrfs: fix backport error in submit_stripe_bio (bsc#1114763).
- btrfs: fix data corruption due to cloning of eof block (bnc#1012382).
- btrfs: Fix memory barriers usage with device stats counters.
- btrfs: fix null pointer dereference on compressed write path error (bnc#1012382).
- btrfs: fix pinned underflow after transaction aborted (bnc#1012382).
- btrfs: fix use-after-free when dumping free space (bnc#1012382).
- btrfs: fix wrong dentries after fsync of file that got its parent replaced (bnc#1012382).
- btrfs: Handle error from btrfs_uuid_tree_rem call in _btrfs_ioctl_set_received_subvol.
- btrfs: Handle owner mismatch gracefully when walking up tree (bnc#1012382).
- btrfs: iterate all devices during trim, instead of fs_devices::alloc_list (bnc#1012382).
- btrfs: locking: Add extra check in btrfs_init_new_buffer() to avoid deadlock (bnc#1012382).
- btrfs: make sure we create all new block groups (bnc#1012382).
- btrfs: qgroup: Dirty all qgroups before rescan (bnc#1012382).
- btrfs: release metadata before running delayed refs (bnc#1012382).
- btrfs: reset max_extent_size on clear in a bitmap (bnc#1012382).
- btrfs: send, fix infinite loop due to directory rename dependencies (bnc#1012382).
- btrfs: set max_extent_size properly (bnc#1012382).
- btrfs: wait on caching when putting the bg cache (bnc#1012382).
- cachefiles: fix the race between cachefiles_bury_object() and rmdir(2) (bnc#1012382).
- can: dev: __can_get_echo_skb(): Do not crash the kernel if can_priv::echo_skb is accessed out of bounds (bnc#1012382).
- can: dev: can_get_echo_skb(): factor out non sending code to __can_get_echo_skb() (bnc#1012382).
- can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb (bnc#1012382).
- can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame to access frame length (bnc#1012382).
- can: rcar_can: Fix erroneous registration (bnc#1012382).
- cdc-acm: correct counting of UART states in serial state notification (bnc#1012382).
- cdc-acm: fix abnormal DATA RX issue for Mediatek Preloader (bnc#1012382).
- ceph: call setattr_prepare from ceph_setattr instead of inode_change_ok (bsc#1114763).
- ceph: do not update importing cap's mseq when handing cap export (bsc#1121275).
- ceph: fix dentry leak in ceph_readdir_prepopulate (bsc#1114839).
- ceph: quota: fix null pointer dereference in quota check (bsc#1114839).
- cfg80211: reg: Init wiphy_idx in regulatory_hint_core() (bnc#1012382).
- checkstack.pl: fix for aarch64 (bnc#1012382).
- CIFS: Fix error mapping for SMB2_LOCK command which caused OFD lock problem (bnc#1012382).
- CIFS: Fix separator when building path from dentry (bnc#1012382).
- CIFS: handle guest access errors to Windows shares (bnc#1012382).
- CIFS: In Kconfig CONFIG_CIFS_POSIX needs depends on legacy (insecure cifs) (bnc#1012382).
- clk: mmp: Off by one in mmp_clk_add() (bnc#1012382).
- clk: s2mps11: Add used attribute to s2mps11_dt_match.
- clk: s2mps11: Fix matching when built as module and DT node contains compatible (bnc#1012382).
- clk: samsung: exynos5420: Enable PERIS clocks for suspend (bnc#1012382).
- clockevents/drivers/i8253: Add support for PIT shutdown quirk (bnc#1012382).
- configfs: replace strncpy with memcpy (bnc#1012382).
- cpufeature: avoid warning when compiling with clang.
- cpufreq: imx6q: add return value check for voltage scale (bnc#1012382).
- cpuidle: Do not access cpuidle_devices when !CONFIG_CPU_IDLE (bnc#1012382).
- Cramfs: fix abad comparison when wrap-arounds occur (bnc#1012382).
- crypto: arm64/sha - avoid non-standard inline asm tricks (bnc#1012382).
- crypto: lrw - Fix out-of bounds access on counter overflow (bnc#1012382).
- crypto: shash - Fix a sleep-in-atomic bug in shash_setkey_unaligned (bnc#1012382).
- crypto, x86: aesni - fix token pasting for clang (bnc#1012382).
- crypto: x86/chacha20 - avoid sleeping with preemption disabled (bnc#1012382).
- cw1200: Do not leak memory if krealloc failes (bnc#1012382).
- cxgb4: Add support for new flash parts (bsc#1102439).
- cxgb4: assume flash part size to be 4MB, if it can't be determined (bsc#1102439).
- cxgb4: Fix FW flash errors (bsc#1102439).
- cxgb4: fix missing break in switch and indent return statements (bsc#1102439).
- cxgb4: support new ISSI flash parts (bsc#1102439).
- debugobjects: avoid recursive calls with kmemleak (bnc#1012382).
- disable stringop truncation warnings for now (bnc#1012382).
- dlm: fixed memory leaks after failed ls_remove_names allocation (bnc#1012382).
- dlm: lost put_lkb on error path in receive_convert() and receive_unlock() (bnc#1012382).
- dlm: memory leaks on error path in dlm_user_request() (bnc#1012382).
- dlm: possible memory leak on error path in create_lkb() (bnc#1012382).
- dmaengine: at_hdmac: fix memory leak in at_dma_xlate() (bnc#1012382).
- dmaengine: at_hdmac: fix module unloading (bnc#1012382).
- dmaengine: dma-jz4780: Return error if not probed from DT (bnc#1012382).
- dm cache metadata: ignore hints array being too small during resize.
- dm ioctl: harden copy_params()'s copy_from_user() from malicious users (bnc#1012382).
- dm-multipath: do not assign cmd_flags in setup_clone() (bsc#1103156).
- dm raid: stop using BUG() in __rdev_sectors() (bsc#1046264).
- dm thin: stop no_space_timeout worker when switching to write-mode.
- dpaa_eth: fix dpaa_get_stats64 to match prototype (bsc#1114763).
- driver/dma/ioat: Call del_timer_sync() without holding prep_lock (bnc#1012382).
- drivers: hv: vmbus: check the creation_status in vmbus_establish_gpadl() (bsc#1104098).
- drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels (bnc#1012382).
- drivers/misc/sgi-gru: fix Spectre v1 vulnerability (bnc#1012382).
- drivers/sbus/char: add of_node_put() (bnc#1012382).
- drivers/tty: add missing of_node_put() (bnc#1012382).
- drm/ast: change resolution may cause screen blurred (bnc#1012382).
- drm/ast: fixed cursor may disappear sometimes (bnc#1012382).
- drm/ast: fixed reading monitor EDID not stable issue (bnc#1012382).
- drm/ast: Fix incorrect free on ioregs (bsc#1106929)
- drm/ast: Remove existing framebuffers before loading driver (boo#1112963)
- drm/dp_mst: Check if primary mstb is null (bnc#1012382).
- drm/fb-helper: Ignore the value of fb_var_screeninfo.pixclock (bsc#1106929)
- drm/i915/hdmi: Add HDMI 2.0 audio clock recovery N values (bnc#1012382).
- drm/ioctl: Fix Spectre v1 vulnerabilities (bnc#1012382).
- drm/msm: Grab a vblank reference when waiting for commit_done (bnc#1012382).
- drm/nouveau/fbcon: fix oops without fbdev emulation (bnc#1012382).
- drm/omap: fix memory barrier bug in DMM driver (bnc#1012382).
- drm: rcar-du: Fix external clock error checks (bsc#1106929)
- drm: rcar-du: Fix vblank initialization (bsc#1106929)
- drm/rockchip: Allow driver to be shutdown on reboot/kexec (bnc#1012382).
- e1000: avoid null pointer dereference on invalid stat type (bnc#1012382).
- e1000: fix race condition between e1000_down() and e1000_watchdog (bnc#1012382).
- efi/libstub/arm64: Force 'hidden' visibility for section markers (bnc#1012382).
- efi/libstub/arm64: Set -fpie when building the EFI stub (bnc#1012382).
- exec: avoid gcc-8 warning for get_task_comm (bnc#1012382).
- exportfs: do not read dentry after free (bnc#1012382).
- ext2: fix potential use after free (bnc#1012382).
- ext4: add missing brelse() add_new_gdb_meta_bg()'s error path (bnc#1012382).
- ext4: add missing brelse() in set_flexbg_block_bitmap()'s error path (bnc#1012382).
- ext4: add missing brelse() update_backups()'s error path (bnc#1012382).
- ext4: avoid buffer leak in ext4_orphan_add() after prior errors (bnc#1012382).
- ext4: avoid possible double brelse() in add_new_gdb() on error path (bnc#1012382).
- ext4: avoid potential extra brelse in setup_new_flex_group_blocks() (bnc#1012382).
- ext4: fix argument checking in EXT4_IOC_MOVE_EXT (bnc#1012382).
- ext4: fix buffer leak in __ext4_read_dirblock() on error path (bnc#1012382).
- ext4: fix buffer leak in ext4_xattr_move_to_block() on error path (bnc#1012382).
- ext4: fix EXT4_IOC_GROUP_ADD ioctl (bnc#1012382).
- ext4: fix missing cleanup if ext4_alloc_flex_bg_array() fails while resizing (bnc#1012382).
- ext4: fix possible inode leak in the retry loop of ext4_resize_fs() (bnc#1012382).
- ext4: fix possible leak of sbi->s_group_desc_leak in error path (bnc#1012382).
- ext4: fix possible use after free in ext4_quota_enable (bnc#1012382).
- ext4: force inode writes when nfsd calls commit_metadata() (bnc#1012382).
- ext4: initialize retries variable in ext4_da_write_inline_data_begin() (bnc#1012382).
- ext4: missing unlock/put_page() in ext4_try_to_write_inline_data() (bnc#1012382).
- ext4: release bs.bh before re-using in ext4_xattr_block_find() (bnc#1012382).
- fbdev: fbcon: Fix unregister crash when more than one framebuffer (bsc#1106929)
- fbdev: fbmem: behave better with small rotated displays and many CPUs (bsc#1106929)
- fcoe: remove duplicate debugging message in fcoe_ctlr_vn_add (bsc#1114763).
- Fix kABI for 'Ensure we commit after writeback is complete' (bsc#1111809).
- floppy: fix race condition in __floppy_read_block_0().
- flow_dissector: do not dissect l4 ports for fragments (bnc#1012382).
- fork: record start_time late (bnc#1012382).
- fscache, cachefiles: remove redundant variable 'cache' (bnc#1012382).
- fscache: fix race between enablement and dropping of object (bsc#1107385).
- fscache: Fix race in fscache_op_complete() due to split atomic_sub & read .
- fscache: Pass the correct cancelled indications to fscache_op_complete().
- fs, elf: make sure to page align bss in load_elf_library (bnc#1012382).
- fs/exofs: fix potential memory leak in mount option parsing (bnc#1012382).
- fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters() (bnc#1012382).
- fuse: Dont call set_page_dirty_lock() for ITER_BVEC pages for async_dio (bnc#1012382).
- fuse: fix blocked_waitq wakeup (bnc#1012382).
- fuse: fix leaked notify reply (bnc#1012382).
- fuse: Fix use-after-free in fuse_dev_do_read() (bnc#1012382).
- fuse: Fix use-after-free in fuse_dev_do_write() (bnc#1012382).
- fuse: set FR_SENT while locked (bnc#1012382).
- genirq: Fix race on spurious interrupt detection (bnc#1012382).
- genwqe: Fix size check (bnc#1012382).
- gfs2: Do not leave s_fs_info pointing to freed memory in init_sbd (bnc#1012382).
- gfs2: Fix loop in gfs2_rbm_find (bnc#1012382).
- gfs2_meta: ->mount() can get NULL dev_name (bnc#1012382).
- gfs2: Put bitmap buffers in put_super (bnc#1012382).
- git_sort.py: Remove non-existent remote tj/libata
- gpio: max7301: fix driver for use with CONFIG_VMAP_STACK (bnc#1012382).
- gpio: msic: fix error return code in platform_msic_gpio_probe() (bnc#1012382).
- gpu: host1x: fix error return code in host1x_probe() (bnc#1012382).
- gro_cell: add napi_disable in gro_cells_destroy (bnc#1012382).
- hfs: do not free node before using (bnc#1012382).
- hfsplus: do not free node before using (bnc#1012382).
- hfsplus: prevent btree data loss on root split (bnc#1012382).
- hfs: prevent btree data loss on root split (bnc#1012382).
- HID: hiddev: fix potential Spectre v1 (bnc#1012382).
- HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges (bnc#1012382).
- hpwdt add dynamic debugging (bsc#1114417).
- hpwdt calculate reload value on each use (bsc#1114417).
- hugetlbfs: dirty pages as they are added to pagecache (bnc#1012382).
- hugetlbfs: fix bug in pgoff overflow checking (bnc#1012382).
- hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:444! (bnc#1012382).
- hwmon: (ibmpowernv) Remove bogus __init annotations (bnc#1012382).
- hwmon: (ina2xx) Fix current value calculation (bnc#1012382).
- hwmon: (pmbus) Fix page count auto-detection (bnc#1012382).
- hwmon: (w83795) temp4_type has writable permission (bnc#1012382).
- hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined (bnc#1116336).
- i2c: axxia: properly handle master timeout (bnc#1012382).
- i2c: scmi: Fix probe error on devices with an empty SMB0001 ACPI device node (bnc#1012382).
- IB/hfi1: Fix an out-of-bounds access in get_hw_stats ().
- ibmveth: fix DMA unmap error in ibmveth_xmit_start error path (bnc#1012382).
- ibmvnic: Convert reset work item mutex to spin lock ().
- ibmvnic: fix accelerated VLAN handling ().
- ibmvnic: fix index in release_rx_pools (bsc#1115440).
- ibmvnic: Fix non-atomic memory allocation in IRQ context ().
- ibmvnic: Fix RX queue buffer cleanup (bsc#1115440, bsc#1115433).
- ibmvnic: remove ndo_poll_controller ().
- ibmvnic: Update driver queues after change in ring size support ().
- IB/ucm: Fix Spectre v1 vulnerability (bnc#1012382).
- ide: pmac: add of_node_put() (bnc#1012382).
- ieee802154: lowpan_header_create check must check daddr (bnc#1012382).
- igb: Remove superfluous reset to PHY and page 0 selection (bnc#1012382).
- iio: adc: at91: fix acking DRDY irq on simple conversions (bnc#1012382).
- iio: adc: at91: fix wrong channel number in triggered buffer mode (bnc#1012382).
- ima: fix showing large 'violations' or 'runtime_measurements_count' (bnc#1012382).
- Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15ARR (bnc#1012382).
- Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15IGM (bnc#1012382).
- Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G (bnc#1012382).
- Input: elan_i2c - add ELAN0620 to the ACPI table (bnc#1012382).
- Input: elan_i2c - add support for ELAN0621 touchpad (bnc#1012382).
- Input: matrix_keypad - check for errors from of_get_named_gpio() (bnc#1012382).
- Input: omap-keypad - fix idle configuration to not block SoC idle states (bnc#1012382).
- Input: omap-keypad - fix keyboard debounce configuration (bnc#1012382).
- Input: restore EV_ABS ABS_RESERVED (bnc#1012382).
- Input: xpad - add GPD Win 2 Controller USB IDs (bnc#1012382).
- Input: xpad - add Mad Catz FightStick TE 2 VID/PID (bnc#1012382).
- Input: xpad - add more third-party controllers (bnc#1012382).
- Input: xpad - add PDP device id 0x02a4 (bnc#1012382).
- Input: xpad - add product ID for Xbox One S pad (bnc#1012382).
- Input: xpad - add support for PDP Xbox One controllers (bnc#1012382).
- Input: xpad - add support for Xbox1 PDP Camo series gamepad (bnc#1012382).
- Input: xpad - add USB IDs for Mad Catz Brawlstick and Razer Sabertooth (bnc#1012382).
- Input: xpad - avoid using __set_bit() for capabilities (bnc#1012382).
- Input: xpad - constify usb_device_id (bnc#1012382).
- Input: xpad - correctly sort vendor id's (bnc#1012382).
- Input: xpad - correct xbox one pad device name (bnc#1012382).
- Input: xpad - do not depend on endpoint order (bnc#1012382).
- Input: xpad - fix GPD Win 2 controller name (bnc#1012382).
- Input: xpad - fix PowerA init quirk for some gamepad models (bnc#1012382).
- Input: xpad - fix rumble on Xbox One controllers with 2015 firmware (bnc#1012382).
- Input: xpad - fix some coding style issues (bnc#1012382).
- Input: xpad - fix stuck mode button on Xbox One S pad (bnc#1012382).
- Input: xpad - fix Xbox One rumble stopping after 2.5 secs (bnc#1012382).
- Input: xpad - handle 'present' and 'gone' correctly (bnc#1012382).
- Input: xpad - move reporting xbox one home button to common function (bnc#1012382).
- Input: xpad - power off wireless 360 controllers on suspend (bnc#1012382).
- Input: xpad - prevent spurious input from wired Xbox 360 controllers (bnc#1012382).
- Input: xpad - quirk all PDP Xbox One gamepads (bnc#1012382).
- Input: xpad - remove spurious events of wireless xpad 360 controller (bnc#1012382).
- Input: xpad - remove unused function (bnc#1012382).
- Input: xpad - restore LED state after device resume (bnc#1012382).
- Input: xpad - simplify error condition in init_output (bnc#1012382).
- Input: xpad - sort supported devices by USB ID (bnc#1012382).
- Input: xpad - support some quirky Xbox One pads (bnc#1012382).
- Input: xpad - sync supported devices with 360Controller (bnc#1012382).
- Input: xpad - sync supported devices with XBCD (bnc#1012382).
- Input: xpad - sync supported devices with xboxdrv (bnc#1012382).
- Input: xpad - update Xbox One Force Feedback Support (bnc#1012382).
- Input: xpad - use LED API when identifying wireless controllers (bnc#1012382).
- Input: xpad - validate USB endpoint type during probe (bnc#1012382).
- Input: xpad - workaround dead irq_out after suspend/ resume (bnc#1012382).
- Input: xpad - xbox one elite controller support (bnc#1012382).
- intel_th: msu: Fix an off-by-one in attribute store (bnc#1012382).
- iommu/amd: Fix amd_iommu=force_isolation (bsc#1106105).
- iommu/arm-smmu: Ensure that page-table updates are visible before TLBI (bsc#1106237).
- iommu/ipmmu-vmsa: Fix crash on early domain free (bsc#1106105).
- iommu/vt-d: Fix NULL pointer dereference in prq_event_thread() (bsc#1106105).
- iommu/vt-d: Handle domain agaw being less than iommu agaw (bsc#1106105).
- iommu/vt-d: Use memunmap to free memremap (bsc#1106105).
- ip6mr: Fix potential Spectre v1 vulnerability (bnc#1012382).
- ipmi: Fix timer race with module unload (bnc#1012382).
- ip_tunnel: do not force DF when MTU is locked (bnc#1012382).
- ip_tunnel: Fix name string concatenate in __ip_tunnel_create() (bnc#1012382).
- ipv4: Fix potential Spectre v1 vulnerability (bnc#1012382).
- ipv4: ipv6: netfilter: Adjust the frag mem limit when truesize changes (bsc#1110286).
- ipv6: Check available headroom in ip6_xmit() even without options (bnc#1012382).
- ipv6: explicitly initialize udp6_addr in udp_sock_create6() (bnc#1012382).
- ipv6: Fix PMTU updates for UDP/raw sockets in presence of VRF (bnc#1012382).
- ipv6: mcast: fix a use-after-free in inet6_mc_check (bnc#1012382).
- ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called (bnc#1012382).
- ipv6: orphan skbs in reassembly unit (bnc#1012382).
- ipv6: set rt6i_protocol properly in the route when it is installed (bsc#1114190).
- ipv6: suppress sparse warnings in IP6_ECN_set_ce() (bnc#1012382).
- isdn: fix kernel-infoleak in capi_unlocked_ioctl (bnc#1012382).
- iser: set sector for ambiguous mr status errors (bnc#1012382).
- iwlwifi: mvm: fix regulatory domain update when the firmware starts (bnc#1012382).
- iwlwifi: mvm: support sta_statistics() even on older firmware (bnc#1012382).
- ixgbe: Add function for checking to see if we can reuse page (bsc#1100105).
- ixgbe: Add support for build_skb (bsc#1100105).
- ixgbe: Add support for padding packet (bsc#1100105).
- ixgbe: Break out Rx buffer page management (bsc#1100105).
- ixgbe: Fix output from ixgbe_dump (bsc#1100105).
- ixgbe: fix possible race in reset subtask (bsc#1101557).
- ixgbe: Make use of order 1 pages and 3K buffers independent of FCoE (bsc#1100105).
- ixgbe: Only DMA sync frame length (bsc#1100105).
- ixgbe: recognize 1000BaseLX SFP modules as 1Gbps (bnc#1012382).
- ixgbe: Refactor queue disable logic to take completion time into account (bsc#1101557).
- ixgbe: Reorder Tx/Rx shutdown to reduce time needed to stop device (bsc#1101557).
- ixgbe: Update code to better handle incrementing page count (bsc#1100105).
- ixgbe: Update driver to make use of DMA attributes in Rx path (bsc#1100105).
- ixgbe: Use length to determine if descriptor is done (bsc#1100105).
- jbd2: fix use after free in jbd2_log_do_checkpoint() (bnc#1012382).
- jffs2: free jffs2_sb_info through jffs2_kill_sb() (bnc#1012382).
- kabi: hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined (bnc#1116336).
- kABI: protect get_vaddr_frames (kabi).
- kABI: protect struct azx (kabi).
- kABI: protect struct cfs_bandwidth (kabi).
- kABI: protect struct esp (kabi).
- kABI: protect struct fuse_io_priv (kabi).
- kABI: protect __usb_get_extra_descriptor (kabi).
- kABI: protect xen/xen-ops.h include in xlate_mmu.c (kabi).
- kabi: revert sig change on pnfs_read_resend_pnfs.
- kbuild: Add better clang cross build support (bnc#1012382).
- kbuild: Add __cc-option macro (bnc#1012382).
- kbuild: Add support to generate LLVM assembly files (bnc#1012382).
- kbuild: allow to use GCC toolchain not in Clang search path (bnc#1012382).
- kbuild: clang: add -no-integrated-as to KBUILD_[AC]FLAGS (bnc#1012382).
- kbuild: clang: Disable 'address-of-packed-member' warning (bnc#1012382).
- kbuild: clang: disable unused variable warnings only when constant (bnc#1012382).
- kbuild: clang: fix build failures with sparse check (bnc#1012382).
- kbuild: clang: remove crufty HOSTCFLAGS (bnc#1012382).
- kbuild: Consolidate header generation from ASM offset information (bnc#1012382).
- kbuild: consolidate redundant sed script ASM offset generation (bnc#1012382).
- kbuild: drop -Wno-unknown-warning-option from clang options (bnc#1012382).
- kbuild: fix asm-offset generation to work with clang (bnc#1012382).
- kbuild: fix kernel/bounds.c 'W=1' warning (bnc#1012382).
- kbuild: fix linker feature test macros when cross compiling with Clang (bnc#1012382).
- kbuild, LLVMLinux: Add -Werror to cc-option to support clang (bnc#1012382).
- kbuild: move cc-option and cc-disable-warning after incl. arch Makefile (bnc#1012382).
- kbuild: Set KBUILD_CFLAGS before incl. arch Makefile (bnc#1012382).
- kbuild: set no-integrated-as before incl. arch Makefile (bnc#1012382).
- kbuild: suppress packed-not-aligned warning for default setting only (bnc#1012382).
- kbuild: use -Oz instead of -Os when using clang (bnc#1012382).
- kdb: use memmove instead of overlapping memcpy (bnc#1012382).
- kdb: Use strscpy with destination buffer size (bnc#1012382).
- kernfs: Replace strncpy with memcpy (bnc#1012382).
- KEYS: put keyring if install_session_keyring_to_cred() fails (bnc#1012382).
- kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var() (bnc#1012382).
- kgdboc: Fix restrict error (bnc#1012382).
- kgdboc: Fix warning with module build (bnc#1012382).
- kgdboc: Passing ekgdboc to command line causes panic (bnc#1012382).
- kobject: Replace strncpy with memcpy (bnc#1012382).
- kprobes: Return error if we fail to reuse kprobe instead of BUG_ON() (bnc#1012382).
- KVM: arm64: Fix caching of host MDCR_EL2 value (bsc#1121242).
- KVM: arm: Restore banked registers and physical timer access on hyp_panic() (bsc#1121240).
- KVM: mmu: Fix race in emulated page table writes (bnc#1012382).
- KVM: nVMX: Always reflect #NM VM-exits to L1 (bsc#1106240).
- KVM: nVMX: Eliminate vmcs02 pool (bnc#1012382).
- KVM: nVMX: mark vmcs12 pages dirty on L2 exit (bnc#1012382).
- KVM: PPC: Move and undef TRACE_INCLUDE_PATH/FILE (bnc#1012382).
- KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL (bnc#1012382 bsc#1068032).
- KVM/SVM: Ensure an IBPB on all affected CPUs when freeing a vmcb (bsc#1114648).
- KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL (bnc#1012382 bsc#1068032 bsc#1096242 bsc#1096281).
- KVM/VMX: Emulate MSR_IA32_ARCH_CAPABILITIES (bnc#1012382).
- KVM/VMX: introduce alloc_loaded_vmcs (bnc#1012382).
- KVM/VMX: make MSR bitmaps per-VCPU (bnc#1012382).
- KVM/x86: Add IBPB support (bnc#1012382 bsc#1068032 bsc#1068032).
- KVM/x86: fix empty-body warnings (bnc#1012382).
- KVM/x86: Remove indirect MSR op calls from SPEC_CTRL (bnc#1012382).
- KVM/x86: Use jmp to invoke kvm_spurious_fault() from .fixup (bnc#1012382).
- lan78xx: Check for supported Wake-on-LAN modes (bnc#1012382).
- leds: call led_pwm_set() in leds-pwm to enforce default LED_OFF (bnc#1012382).
- leds: leds-gpio: Fix return value check in create_gpio_led() (bnc#1012382).
- leds: turn off the LED and wait for completion on unregistering LED class device (bnc#1012382).
- libata: whitelist all SAMSUNG MZ7KM* solid-state disks (bnc#1012382).
- libceph: bump CEPH_MSG_MAX_DATA_LEN (bsc#1114839).
- libceph: fall back to sendmsg for slab pages (bsc#1118316).
- libfc: sync strings with upstream versions (bsc#1114763).
- lib/interval_tree_test.c: allow full tree search (bnc#1012382).
- lib/interval_tree_test.c: allow users to limit scope of endpoint (bnc#1012382).
- lib/interval_tree_test.c: make test options module parameters (bnc#1012382).
- libnvdimm, {btt, blk}: do integrity setup before add_disk() (bsc#1118926).
- libnvdimm, dimm: fix dpa reservation vs uninitialized label area (bsc#1118936).
- libnvdimm: fix integer overflow static analysis warning (bsc#1118922).
- libnvdimm: fix nvdimm_bus_lock() vs device_lock() ordering (bsc#1118915).
- libnvdimm: Hold reference on parent while scheduling async init (bnc#1012382).
- lib/raid6: Fix arm64 test build (bnc#1012382).
- lib/rbtree_test.c: make input module parameters (bnc#1012382).
- lib/rbtree-test: lower default params (bnc#1012382).
- llc: do not use sk_eat_skb() (bnc#1012382).
- lockd: fix access beyond unterminated strings in prints (bnc#1012382).
- locking/lockdep: Fix debug_locks off performance problem (bnc#1012382).
- mac80211: Always report TX status (bnc#1012382).
- mac80211: Clear beacon_int in ieee80211_do_stop (bnc#1012382).
- mac80211: fix reordering of buffered broadcast packets (bnc#1012382).
- mac80211_hwsim: do not omit multicast announce of first added radio (bnc#1012382).
- mac80211_hwsim: fix module init error paths for netlink (bnc#1012382).
- mac80211_hwsim: Timer should be initialized before device registered (bnc#1012382).
- mac80211: ignore NullFunc frames in the duplicate detection (bnc#1012382).
- mac80211: ignore tx status for PS stations in ieee80211_tx_status_ext (bnc#1012382).
- mach64: fix display corruption on big endian machines (bnc#1012382).
- mach64: fix image corruption due to reading accelerator registers (bnc#1012382).
- matroxfb: fix size of memcpy (bnc#1012382).
- MD: do not check MD_SB_CHANGE_CLEAN in md_allow_write.
- MD: fix invalid stored role for a disk (bnc#1012382).
- MD: fix invalid stored role for a disk - try2 (bnc#1012382).
- media: dvb-frontends: fix i2c access helpers for KASAN (bnc#1012382).
- media: em28xx: fix input name for Terratec AV 350 (bnc#1012382).
- media: em28xx: Fix use-after-free when disconnecting (bnc#1012382).
- media: em28xx: make v4l2-compliance happier by starting sequence on zero (bnc#1012382).
- media: em28xx: use a default format if TRY_FMT fails (bnc#1012382).
- media: pci: cx23885: handle adding to list failure (bnc#1012382).
- media: tvp5150: fix width alignment during set_selection() (bnc#1012382).
- media: v4l: event: Add subscription to list before calling 'add' operation (bnc#1012382).
- media: vivid: free bitmap_cap when updating std/timings/etc (bnc#1012382).
- MIPS: Align kernel load address to 64KB (bnc#1012382).
- MIPS: DEC: Fix an int-handler.S CPU_DADDI_WORKAROUNDS regression (bnc#1012382).
- MIPS: Ensure pmd_present() returns false after pmd_mknotpresent() (bnc#1012382).
- MIPS: Fix FCSR Cause bit handling for correct SIGFPE issue (bnc#1012382).
- MIPS: fix mips_get_syscall_arg o32 check (bnc#1012382).
- MIPS: Handle non word sized instructions when examining frame (bnc#1012382).
- MIPS: kexec: Mark CPU offline before disabling local IRQ (bnc#1012382).
- MIPS: Loongson-3: Fix BRIDGE irq delivery problem (bnc#1012382).
- MIPS: Loongson-3: Fix CPU UART irq delivery problem (bnc#1012382).
- MIPS: microMIPS: Fix decoding of swsp16 instruction (bnc#1012382).
- MIPS: OCTEON: fix out of bounds array access on CN68XX (bnc#1012382).
- MIPS: ralink: Fix mt7620 nd_sd pinmux (bnc#1012382).
- misc: atmel-ssc: Fix section annotation on atmel_ssc_get_driver_data (bnc#1012382).
- misc: mic/scif: fix copy-paste error in scif_create_remote_lookup (bnc#1012382).
- mmc: core: Reset HPI enabled state during re-init and in case of errors (bnc#1012382).
- mm: cleancache: fix corruption on missed inode invalidation (bnc#1012382).
- mmc: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310 (bnc#1012382).
- mmc: omap_hsmmc: fix DMA API warning (bnc#1012382).
- mmc: sdhci-pci-o2micro: Add quirk for O2 Micro dev 0x8620 rev 0x01 (bnc#1012382).
- mm, devm_memremap_pages: kill mapping 'System RAM' support (bnc#1012382).
- mm: do not bug_on on incorrect length in __mm_populate() (bnc#1012382).
- mm: do not miss the last page because of round-off error (bnc#1118798).
- mm, elf: handle vm_brk error (bnc#1012382).
- mm, hugetlb: fix huge_pte_alloc BUG_ON (bsc#1119204).
- mm: hwpoison: call shake_page() after try_to_unmap() for mlocked page (bnc#1116336).
- mm: lower the printk loglevel for __dump_page messages (generic hotplug debugability).
- mm, memory_hotplug: be more verbose for memory offline failures (generic hotplug debugability).
- mm, memory_hotplug: drop pointless block alignment checks from __offline_pages (generic hotplug debugability).
- mm, memory_hotplug: print reason for the offlining failure (generic hotplug debugability).
- mm: migration: fix migration of huge PMD shared pages (bnc#1012382).
- mm: mlock: avoid increase mm->locked_vm on mlock() when already mlock2(,MLOCK_ONFAULT) (bnc#1012382).
- mm/nommu.c: Switch __get_user_pages_unlocked() to use __get_user_pages() (bnc#1012382).
- mm: Preserve _PAGE_DEVMAP across mprotect() calls (bsc#1118790).
- mm: print more information about mapping in __dump_page (generic hotplug debugability).
- mm: put_and_wait_on_page_locked() while page is migrated (bnc#1109272).
- mm: refuse wrapped vm_brk requests (bnc#1012382).
- mm: remove write/force parameters from __get_user_pages_locked() (bnc#1012382 bsc#1027260).
- mm: remove write/force parameters from __get_user_pages_unlocked() (bnc#1012382 bsc#1027260).
- mm: replace __access_remote_vm() write parameter with gup_flags (bnc#1012382).
- mm: replace access_remote_vm() write parameter with gup_flags (bnc#1012382).
- mm: replace get_user_pages_locked() write/force parameters with gup_flags (bnc#1012382 bsc#1027260).
- mm: replace get_user_pages_unlocked() write/force parameters with gup_flags (bnc#1012382 bsc#1027260).
- mm: replace get_user_pages() write/force parameters with gup_flags (bnc#1012382 bsc#1027260).
- mm: replace get_vaddr_frames() write/force parameters with gup_flags (bnc#1012382).
- mm: thp: relax __GFP_THISNODE for MADV_HUGEPAGE mappings (bnc#1012382).
- modules: mark __inittest/__exittest as __maybe_unused (bnc#1012382).
- mount: Do not allow copying MNT_UNBINDABLE|MNT_LOCKED mounts (bnc#1012382).
- mount: Prevent MNT_DETACH from disconnecting locked mounts (bnc#1012382).
- mount: Retest MNT_LOCKED in do_umount (bnc#1012382).
- Move usb-audio UAF fix into sorted section
- mtd: docg3: do not set conflicting BCH_CONST_PARAMS option (bnc#1012382).
- mtd: spi-nor: Add support for is25wp series chips (bnc#1012382).
- mv88e6060: disable hardware level MAC learning (bnc#1012382).
- mwifiex: Fix NULL pointer dereference in skb_dequeue() (bnc#1012382).
- mwifiex: fix p2p device does not find in scan problem (bnc#1012382).
- namei: allow restricted O_CREAT of FIFOs and regular files (bnc#1012382).
- neighbour: Avoid writing before skb->head in neigh_hh_output() (bnc#1012382).
- net: 8139cp: fix a BUG triggered by changing mtu with network traffic (bnc#1012382).
- net/af_iucv: drop inbound packets with invalid flags (bnc#1114475, LTC#172679).
- net/af_iucv: fix skb handling on HiperTransport xmit error (bnc#1114475, LTC#172679).
- net: amd: add missing of_node_put() (bnc#1012382).
- net: bcmgenet: fix OF child-node lookup (bnc#1012382).
- net: bridge: remove ipv6 zero address check in mcast queries (bnc#1012382).
- net: cxgb3_main: fix a missing-check bug (bnc#1012382).
- net: drop skb on failure in ip_check_defrag() (bnc#1012382).
- net: drop write-only stack variable (bnc#1012382).
- net: ena: add functions for handling Low Latency Queues in ena_com (bsc#1117562).
- net: ena: add functions for handling Low Latency Queues in ena_netdev (bsc#1117562).
- net: ena: change rx copybreak default to reduce kernel memory pressure (bsc#1117562).
- net: ena: complete host info to match latest ENA spec (bsc#1117562).
- net: ena: enable Low Latency Queues (bsc#1117562).
- net: ena: explicit casting and initialization, and clearer error handling (bsc#1117562).
- net: ena: fix auto casting to boolean (bsc#1117562).
- net: ena: fix compilation error in xtensa architecture (bsc#1117562).
- net: ena: fix crash during ena_remove() (bsc#1108240).
- net: ena: fix crash during failed resume from hibernation (bsc#1117562).
- net: ena: fix indentations in ena_defs for better readability (bsc#1117562).
- net: ena: Fix Kconfig dependency on X86 (bsc#1117562).
- net: ena: fix NULL dereference due to untimely napi initialization (bsc#1117562).
- net: ena: fix rare bug when failed restart/resume is followed by driver removal (bsc#1117562).
- net: ena: fix warning in rmmod caused by double iounmap (bsc#1117562).
- net: ena: introduce Low Latency Queues data structures according to ENA spec (bsc#1117562).
- net: ena: limit refill Rx threshold to 256 to avoid latency issues (bsc#1117562).
- net: ena: minor performance improvement (bsc#1117562).
- net: ena: remove ndo_poll_controller (bsc#1117562).
- net: ena: remove redundant parameter in ena_com_admin_init() (bsc#1117562).
- net: ena: update driver version from 2.0.1 to 2.0.2 (bsc#1108240).
- net: ena: update driver version to 2.0.1 (bsc#1117562).
- net: ena: use CSUM_CHECKED device indication to report skb's checksum status (bsc#1117562).
- net: faraday: ftmac100: remove netif_running(netdev) check before disabling interrupts (bnc#1012382).
- netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net (bnc#1012382).
- netfilter: ipset: Correct rcu_dereference() call in ip_set_put_comment() (bnc#1012382).
- netfilter: nf_tables: fix oops when inserting an element into a verdict map (bnc#1012382).
- netfilter: xt_IDLETIMER: add sysfs filename checking routine (bnc#1012382).
- net-gro: reset skb->pkt_type in napi_reuse_skb() (bnc#1012382).
- net: hisilicon: remove unexpected free_netdev (bnc#1012382).
- net: ibm: fix return type of ndo_start_xmit function ().
- net/ibmnvic: Fix deadlock problem in reset ().
- net/ibmvnic: Fix RTNL deadlock during device reset (bnc#1115431).
- net/ipv4: defensive cipso option parsing (bnc#1012382).
- net/ipv4: do not handle duplicate fragments as overlapping (bsc#1116345).
- net/ipv6: Fix index counter for unicast addresses in in6_dump_addrs (bnc#1012382).
- net/mlx4_core: Correctly set PFC param if global pause is turned off (bsc#1015336 bsc#1015337 bsc#1015340).
- net/mlx4_core: Fix uninitialized variable compilation warning (bnc#1012382).
- net/mlx4_core: Zero out lkey field in SW2HW_MPT fw command (bnc#1012382).
- net/mlx4: Fix UBSAN warning of signed integer overflow (bnc#1012382).
- net: phy: do not allow __set_phy_supported to add unsupported modes (bnc#1012382).
- net: Prevent invalid access to skb->prev in __qdisc_drop_all (bnc#1012382).
- net: qla3xxx: Remove overflowing shift statement (bnc#1012382).
- netrom: fix locking in nr_find_socket() (bnc#1012382).
- net: sched: gred: pass the right attribute to gred_change_table_def() (bnc#1012382).
- net: socket: fix a missing-check bug (bnc#1012382).
- net: stmmac: Fix stmmac_mdio_reset() when building stmmac as modules (bnc#1012382).
- net: thunderx: fix NULL pointer dereference in nic_remove (bnc#1012382).
- new helper: uaccess_kernel() (bnc#1012382).
- NFC: nfcmrvl_uart: fix OF child-node lookup (bnc#1012382).
- nfit: skip region registration for incomplete control regions (bsc#1118930).
- nfsd: Fix an Oops in free_session() (bnc#1012382).
- NFS: Ensure we commit after writeback is complete (bsc#1111809).
- NFSv4.1: Fix the r/wsize checking (bnc#1012382).
- NFSv4: Do not exit the state manager without clearing NFS4CLNT_MANAGER_RUNNING.
- nvme: validate controller state before rescheduling keep alive (bsc#1103257).
- ocfs2: fix a misuse a of brelse after failing ocfs2_check_dir_entry (bnc#1012382).
- ocfs2: fix deadlock caused by ocfs2_defrag_extent() (bnc#1012382).
- ocfs2: fix potential use after free (bnc#1012382).
- of: add helper to lookup compatible child node (bnc#1012382).
- packet: validate address length (bnc#1012382).
- packet: validate address length if non-zero (bnc#1012382).
- parisc: Fix address in HPMC IVA (bnc#1012382).
- parisc: Fix map_pages() to not overwrite existing pte entries (bnc#1012382).
- PCI: Add Device IDs for Intel GPU 'spurious interrupt' quirk (bnc#1012382).
- PCI/ASPM: Do not initialize link state when aspm_disabled is set (bsc#1109806).
- PCI/ASPM: Fix link_state teardown on device removal (bsc#1109806).
- PCI: vmd: Detach resources after stopping root bus (bsc#1106105).
- pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges (bnc#1012382).
- perf/bpf: Convert perf_event_array to use struct file (bsc#1119967).
- perf/core: Do not leak event in the syscall error path (bnc#1012382).
- perf pmu: Suppress potential format-truncation warning (bnc#1012382).
- perf/ring_buffer: Prevent concurent ring buffer access (bnc#1012382).
- perf tools: Cleanup trace-event-info 'tdata' leak (bnc#1012382).
- perf tools: Disable parallelism for 'make clean' (bnc#1012382).
- perf tools: Free temporary 'sys' string in read_event_files() (bnc#1012382).
- pinctrl: qcom: spmi-mpp: Fix drive strength setting (bnc#1012382).
- pinctrl: qcom: spmi-mpp: Fix err handling of pmic_mpp_set_mux (bnc#1012382).
- pinctrl: spmi-mpp: Fix pmic_mpp_config_get() to be compliant (bnc#1012382).
- pinctrl: ssbi-gpio: Fix pm8xxx_pin_config_get() to be compliant (bnc#1012382).
- pinctrl: sunxi: a83t: Fix IRQ offset typo for PH11 (bnc#1012382).
- platform/x86: acerhdf: Add BIOS entry for Gateway LT31 v1.3307 (bnc#1012382).
- PM / devfreq: tegra: fix error return code in tegra_devfreq_probe() (bnc#1012382).
- pNFS: Fix a deadlock between read resends and layoutreturn.
- pNFS/flexfiles: Fix up the ff_layout_write_pagelist failure path.
- pNFS/flexfiles: When checking for available DSes, conditionally check for MDS io.
- pnfs: set NFS_IOHDR_REDO in pnfs_read_resend_pnfs.
- powerpc/64s: consolidate MCE counter increment (bsc#1094244).
- powerpc/boot: Ensure _zimage_start is a weak symbol (bnc#1012382).
- powerpc/boot: Fix random libfdt related build errors (bnc#1012382).
- powerpc/boot: Request no dynamic linker for boot wrapper (bsc#1070805).
- powerpc: Fix COFF zImage booting on old powermacs (bnc#1012382).
- powerpc/mm/radix: Use mm->task_size for boundary checking instead of addr_limit (bsc#1027457).
- powerpc/msi: Fix compile error on mpc83xx (bnc#1012382).
- powerpc/msi: Fix NULL pointer access in teardown code (bnc#1012382).
- powerpc/nohash: fix undefined behaviour when testing page size support (bnc#1012382).
- powerpc/numa: Suppress 'VPHN is not supported' messages (bnc#1012382).
- powerpc/powernv: Do not select the cpufreq governors (bsc#1066223).
- powerpc/powernv: Fix opal_event_shutdown() called with interrupts disabled (bsc#1066223).
- powerpc/powernv/pci: Work around races in PCI bridge enabling (bsc#1066223).
- powerpc/pseries: Fix DTL buffer registration (bsc#1066223).
- powerpc/pseries: Fix how we iterate over the DTL entries (bsc#1066223).
- powerpc/pseries/mobility: Extend start/stop topology update scope (bsc#1116950, bsc#1115709).
- powerpc/traps: restore recoverability of machine_check interrupts (bsc#1094244).
- power: supply: olpc_battery: correct the temperature units (bnc#1012382).
- printk: Fix panic caused by passing log_buf_len to command line (bnc#1012382).
- Provide a temporary fix for STIBP on-by-default (bsc#1116497).
- pstore: Convert console write to use ->write_buf (bnc#1012382).
- ptp: fix Spectre v1 vulnerability (bnc#1012382).
- pxa168fb: prepare the clock (bnc#1012382).
- qed: Fix bitmap_weight() check (bsc#1019695).
- qed: Fix PTT leak in qed_drain() (bnc#1012382).
- qed: Fix QM getters to always return a valid pq (bsc#1019695 ).
- qed: Fix reading wrong value in loop condition (bnc#1012382).
- r8152: Check for supported Wake-on-LAN Modes (bnc#1012382).
- r8169: fix NAPI handling under high load (bnc#1012382).
- rapidio/rionet: do not free skb before reading its length (bnc#1012382).
- RDMA/ucma: Fix Spectre v1 vulnerability (bnc#1012382).
- reiserfs: propagate errors from fill_with_dentries() properly (bnc#1012382).
- Reorder a few commits in kGraft out of tree section
- Revert 'Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV' (bnc#1012382).
- Revert 'ceph: fix dentry leak in splice_dentry()' (bsc#1114839).
- Revert 'drm/rockchip: Allow driver to be shutdown on reboot/kexec' (bsc#1106929)
- Revert 'exec: avoid gcc-8 warning for get_task_comm' (kabi).
- Revert 'iommu/io-pgtable-arm: Check for v7s-incapable systems' (bsc#1106105).
- Revert 'media: v4l: event: Add subscription to list before calling 'add' operation' (kabi).
- Revert 'media: videobuf2-core: do not call memop 'finish' when queueing' (bnc#1012382).
- Revert 'PCI/ASPM: Do not initialize link state when aspm_disabled is set' (bsc#1106105).
- Revert 'usb: musb: musb_host: Enable HCD_BH flag to handle urb return in bottom half' (bsc#1047487).
- Revert 'wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout()' (bnc#1012382).
- Revert 'x86/kconfig: Fall back to ticket spinlocks' (kabi).
- rocker: fix rocker_tlv_put_* functions for KASAN (bnc#1012382).
- rpcrdma: Add RPCRDMA_HDRLEN_ERR.
- rpm/kernel-binary.spec.in: Add missing export BRP_SIGN_FILES (bsc#1115587).
- rps: flow_dissector: Fix uninitialized flow_keys used in __skb_get_hash possibly (bsc#1042286 bsc#1108145).
- rtc: hctosys: Add missing range error reporting (bnc#1012382).
- rtc: snvs: add a missing write sync (bnc#1012382).
- rtc: snvs: Add timeouts to avoid kernel lockups (bnc#1012382).
- rtnetlink: Disallow FDB configuration for non-Ethernet device (bnc#1012382).
- rtnetlink: ndo_dflt_fdb_dump() only work for ARPHRD_ETHER devices (bnc#1012382).
- s390/cpum_cf: Reject request for sampling in event initialization (bnc#1012382).
- s390/mm: Check for valid vma before zapping in gmap_discard (bnc#1012382).
- s390/mm: Fix ERROR: '__node_distance' undefined! (bnc#1012382).
- s390: qeth_core_mpc: Use ARRAY_SIZE instead of reimplementing its function (bnc#1114475, LTC#172682).
- s390/qeth: fix HiperSockets sniffer (bnc#1114475, LTC#172953).
- s390/qeth: fix length check in SNMP processing (bnc#1012382).
- s390: qeth: Fix potential array overrun in cmd/rc lookup (bnc#1114475, LTC#172682).
- s390/vdso: add missing FORCE to build targets (bnc#1012382).
- sbus: char: add of_node_put() (bnc#1012382).
- sc16is7xx: Fix for multi-channel stall (bnc#1012382).
- sched/cgroup: Fix cgroup entity load tracking tear-down (bnc#1012382).
- sched/fair: Fix throttle_list starvation with low CFS quota (bnc#1012382).
- sch_red: update backlog as well (bnc#1012382).
- scsi: aacraid: Fix typo in blink status (bnc#1012382).
- scsi: bfa: convert to strlcpy/strlcat (bnc#1012382 bsc#1019683, ).
- scsi: bnx2fc: Fix NULL dereference in error handling (bnc#1012382).
- scsi: core: Allow state transitions from OFFLINE to BLOCKED (bsc#1112246).
- scsi: Create two versions of scsi_internal_device_unblock() (bsc#1119877).
- scsi: csiostor: Avoid content leaks and casts (bnc#1012382).
- scsi: esp_scsi: Track residual for PIO transfers (bnc#1012382).
- scsi: Introduce scsi_start_queue() (bsc#1119877).
- scsi: libfc: check fc_frame_payload_get() return value for null (bsc#1103624, bsc#1104731).
- scsi: libfc: retry PRLI if we cannot analyse the payload (bsc#1104731).
- scsi: libiscsi: Fix NULL pointer dereference in iscsi_eh_session_reset (bnc#1012382).
- scsi: lpfc: Add Buffer overflow check, when nvme_info larger than PAGE_SIZE (bsc#1102660).
- scsi: lpfc: Correct soft lockup when running mds diagnostics (bnc#1012382).
- scsi: lpfc: devloss timeout race condition caused null pointer reference (bsc#1102660).
- scsi: lpfc: Fix abort error path for NVMET (bsc#1102660).
- scsi: lpfc: fix block guard enablement on SLI3 adapters (bsc#1079935).
- scsi: lpfc: Fix driver crash when re-registering NVME rports (bsc#1102660).
- scsi: lpfc: Fix ELS abort on SLI-3 adapters (bsc#1102660).
- scsi: lpfc: Fix list corruption on the completion queue (bsc#1102660).
- scsi: lpfc: Fix NVME Target crash in defer rcv logic (bsc#1102660).
- scsi: lpfc: Fix panic if driver unloaded when port is offline (bsc#1102660).
- scsi: lpfc: update driver version to 11.4.0.7-5 (bsc#1102660).
- scsi: Make __scsi_remove_device go straight from BLOCKED to DEL (bsc#1119877).
- scsi: megaraid_sas: fix a missing-check bug (bnc#1012382).
- scsi: Protect SCSI device state changes with a mutex (bsc#1119877).
- scsi: qedi: Add ISCSI_BOOT_SYSFS to Kconfig (bsc#1043083).
- scsi: qla2xxx: Fix crashes in qla2x00_probe_one on probe failure (bsc#1094973).
- scsi: qla2xxx: Fix incorrect port speed being set for FC adapters (bnc#1012382).
- scsi: qla2xxx: Fix small memory leak in qla2x00_probe_one on probe failure (bsc#1094973).
- scsi: Re-export scsi_internal_device_{,un}_block() (bsc#1119877).
- scsi: Split scsi_internal_device_block() (bsc#1119877).
- scsi: target: add emulate_pr backstore attr to toggle PR support (bsc#1091405).
- scsi: target: drop unused pi_prot_format attribute storage (bsc#1091405).
- scsi: ufs: fix bugs related to null pointer access and array size (bnc#1012382).
- scsi: ufs: fix race between clock gating and devfreq scaling work (bnc#1012382).
- scsi: ufshcd: Fix race between clk scaling and ungate work (bnc#1012382).
- scsi: ufshcd: release resources if probe fails (bnc#1012382).
- scsi: use 'inquiry_mutex' instead of 'state_mutex' (bsc#1119877).
- scsi: vmw_pscsi: Rearrange code to avoid multiple calls to free_irq during unload (bnc#1012382).
- scsi: zfcp: fix posting too many status read buffers leading to adapter shutdown (bnc#1012382).
- sctp: clear the transport of some out_chunk_list chunks in sctp_assoc_rm_peer (bnc#1012382).
- sctp: fix race on sctp_id2asoc (bnc#1012382).
- sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event (bnc#1012382).
- selftests: ftrace: Add synthetic event syntax testcase (bnc#1012382).
- selftests: Move networking/timestamping from Documentation (bnc#1012382).
- seq_file: fix incomplete reset on read from zero offset.
- ser_gigaset: use container_of() instead of detour (bnc#1012382).
- signal: Always deliver the kernel's SIGKILL and SIGSTOP to a pid namespace init (bnc#1012382).
- signal/GenWQE: Fix sending of SIGKILL (bnc#1012382).
- smb3: allow stats which track session and share reconnects to be reset (bnc#1012382).
- smb3: do not attempt cifs operation in smb3 query info error path (bnc#1012382).
- smb3: on kerberos mount if server does not specify auth type use krb5 (bnc#1012382).
- smsc75xx: Check for Wake-on-LAN modes (bnc#1012382).
- smsc95xx: Check for Wake-on-LAN modes (bnc#1012382).
- sock: Make sock->sk_stamp thread-safe (bnc#1012382).
- soc/tegra: pmc: Fix child-node lookup (bnc#1012382).
- sparc64: Fix exception handling in UltraSPARC-III memcpy (bnc#1012382).
- sparc64 mm: Fix more TSB sizing issues (bnc#1012382).
- sparc: Fix single-pcr perf event counter management (bnc#1012382).
- sparc/pci: Refactor dev_archdata initialization into pci_init_dev_archdata (bnc#1012382).
- spi: bcm2835: Avoid finishing transfer prematurely in IRQ mode (bnc#1012382).
- spi: bcm2835: Fix book-keeping of DMA termination (bnc#1012382).
- spi: bcm2835: Fix race on DMA termination (bnc#1012382).
- spi: bcm2835: Unbreak the build of esoteric configs (bnc#1012382).
- spi/bcm63xx: fix error return code in bcm63xx_spi_probe() (bnc#1012382).
- spi/bcm63xx-hspi: fix error return code in bcm63xx_hsspi_probe() (bnc#1012382).
- spi: xlp: fix error return code in xlp_spi_probe() (bnc#1012382).
- sr9800: Check for supported Wake-on-LAN modes (bnc#1012382).
- sr: pass down correctly sized SCSI sense buffer (bnc#1012382).
- Staging: lustre: remove two build warnings (bnc#1012382).
- staging: rts5208: fix gcc-8 logic error warning (bnc#1012382).
- staging: speakup: Replace strncpy with memcpy (bnc#1012382).
- sunrpc: correct the computation for page_ptr when truncating (bnc#1012382).
- SUNRPC: drop pointless static qualifier in xdr_get_next_encode_buffer() (bnc#1012382).
- SUNRPC: Fix a bogus get/put in generic_key_to_expire() (bnc#1012382).
- SUNRPC: Fix a potential race in xprt_connect().
- SUNRPC: fix cache_head leak due to queued request (bnc#1012382).
- SUNRPC: Fix leak of krb5p encode pages (bnc#1012382).
- svcrdma: Remove unused variable in rdma_copy_tail().
- swim: fix cleanup on setup error (bnc#1012382).
- swiotlb: clean up reporting (bnc#1012382).
- sysv: return 'err' instead of 0 in __sysv_write_inode (bnc#1012382).
- target/iscsi: avoid NULL dereference in CHAP auth error path (bsc#1117165).
- target: se_dev_attrib.emulate_pr ABI stability (bsc#1091405).
- tcp: fix NULL ref in tail loss probe (bnc#1012382).
- TC: Set DMA masks for devices (bnc#1012382).
- termios, tty/tty_baudrate.c: fix buffer overrun (bnc#1012382).
- tg3: Add PHY reset for 5717/5719/5720 in change ring and flow control paths (bnc#1012382).
- thermal: allow spear-thermal driver to be a module (bnc#1012382).
- thermal: allow u8500-thermal driver to be a module (bnc#1012382).
- timer/debug: Change /proc/timer_list from 0444 to 0400 (bnc#1012382).
- tmpfs: make lseek(SEEK_DATA/SEK_HOLE) return ENXIO with a negative offset (bnc#1012382).
- tpm: fix response size validation in tpm_get_random() (bsc#1020645).
- tpm: suppress transmit cmd error logs when TPM 1.2 is disabled/deactivated (bnc#1012382).
- tracing: Fix bad use of igrab in trace_uprobe.c (bsc#1120046).
- tracing: Fix memory leak in set_trigger_filter() (bnc#1012382).
- tracing: Fix memory leak of instance function hash filters (bnc#1012382).
- tracing: Skip more functions when doing stack tracing of events (bnc#1012382).
- tty: check name length in tty_find_polling_driver() (bnc#1012382).
- tty: serial: 8250_mtk: always resume the device in probe (bnc#1012382).
- tty: serial: sprd: fix error return code in sprd_probe() (bnc#1012382).
- tty: wipe buffer (bnc#1012382).
- tty: wipe buffer if not echoing data (bnc#1012382).
- tun: Consistently configure generic netdev params via rtnetlink (bnc#1012382).
- tun: forbid iface creation with rtnl ops (bnc#1012382).
- uio: ensure class is registered before devices (bnc#1012382).
- uio: Fix an Oops on load (bnc#1012382).
- uio: make symbol 'uio_class_registered' static.
- um: Avoid longjmp/setjmp symbol clashes with libpthread.a (bnc#1012382).
- um: Give start_idle_thread() a return code (bnc#1012382).
- unifdef: use memcpy instead of strncpy (bnc#1012382).
- uprobes: Fix handle_swbp() vs. unregister() + register() race once more (bnc#1012382).
- usb: appledisplay: Add 27' Apple Cinema Display (bnc#1012382).
- usb: cdc-acm: add entry for Hiro (Conexant) modem (bnc#1012382).
- usb: check usb_get_extra_descriptor for proper size (bnc#1012382).
- usb: chipidea: Prevent unbalanced IRQ disable (bnc#1012382).
- usb: core: Fix hub port connection events lost (bnc#1012382).
- usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series (bnc#1012382).
- usb: dwc3: omap: fix error return code in dwc3_omap_probe() (bnc#1012382).
- usb: ehci-omap: fix error return code in ehci_hcd_omap_probe() (bnc#1012382).
- usb: fix the usbfs flag sanitization for control transfers (bnc#1012382).
- usb: gadget: dummy: fix nonsensical comparisons (bnc#1012382).
- usb: gadget: storage: Fix Spectre v1 vulnerability (bnc#1012382).
- usb: imx21-hcd: fix error return code in imx21_probe() (bnc#1012382).
- usb: misc: appledisplay: add 20' Apple Cinema Display (bnc#1012382).
- usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2 (bnc#1012382).
- usb: omap_udc: fix crashes on probe error and module removal (bnc#1012382).
- usb: omap_udc: fix omap_udc_start() on 15xx machines (bnc#1012382).
- usb: omap_udc: fix USB gadget functionality on Palm Tungsten E (bnc#1012382).
- usb: omap_udc: use devm_request_irq() (bnc#1012382).
- usb: quirk: add no-LPM quirk on SanDisk Ultra Flair device (bnc#1012382).
- usb: quirks: Add delay-init quirk for Corsair K70 LUX RGB (bnc#1012382).
- usb: quirks: Add no-lpm quirk for Raydium touchscreens (bnc#1012382).
- usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable() (bnc#1012382).
- usb: serial: option: add Fibocom NL678 series (bnc#1012382).
- usb: serial: option: add GosunCn ZTE WeLink ME3630 (bnc#1012382).
- usb: serial: option: add HP lt4132 (bnc#1012382).
- usb: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode) (bnc#1012382).
- usb: serial: option: add Telit LN940 series (bnc#1012382).
- usb: serial: pl2303: add ids for Hewlett-Packard HP POS pole displays (bnc#1012382).
- usb-storage: fix bogus hardware error messages for ATA pass-thru devices (bnc#1012382).
- usb: usb-storage: Add new IDs to ums-realtek (bnc#1012382).
- usb: xhci: fix timeout for transition from RExit to U0 (bnc#1012382).
- usb: xhci: fix uninitialized completion when USB3 port got wrong status (bnc#1012382).
- usb: xhci: Prevent bus suspend if a port connect change or polling state is detected (bnc#1012382).
- v9fs_dir_readdir: fix double-free on p9stat_read error (bnc#1012382).
- vfs: Avoid softlockups in drop_pagecache_sb() (bsc#1118505).
- vhost: Fix Spectre V1 vulnerability (bnc#1012382).
- vhost: make sure used idx is seen before log in vhost_add_used_n() (bnc#1012382).
- vhost/scsi: truncate T10 PI iov_iter to prot_bytes (bnc#1012382).
- video: fbdev: pxa3xx_gcu: fix error return code in pxa3xx_gcu_probe() (bnc#1012382).
- virtio/s390: avoid race on vcdev->config (bnc#1012382).
- virtio/s390: fix race in ccw_io_helper() (bnc#1012382).
- VSOCK: Send reset control packet when socket is partially bound (bnc#1012382).
- vti6: flush x-netns xfrm cache when vti interface is removed (bnc#1012382).
- w1: omap-hdq: fix missing bus unregister at removal (bnc#1012382).
- x86: boot: Fix EFI stub alignment (bnc#1012382).
- x86/boot: #undef memcpy() et al in string.c (bnc#1012382).
- x86/build: Fix stack alignment for CLang (bnc#1012382).
- x86/build: Specify stack alignment for clang (bnc#1012382).
- x86/build: Use __cc-option for boot code compiler options (bnc#1012382).
- x86/build: Use cc-option to validate stack alignment parameter (bnc#1012382).
- x86/corruption-check: Fix panic in memory_corruption_check() when boot option without value is provided (bnc#1012382).
- x86/earlyprintk/efi: Fix infinite loop on some screen widths (bnc#1012382).
- x86/entry: spell EBX register correctly in documentation (bnc#1012382).
- x86/kbuild: Use cc-option to enable -falign-{jumps/loops} (bnc#1012382).
- x86/kconfig: Fall back to ticket spinlocks (bnc#1012382).
- x86/MCE: Export memory_error() (bsc#1114648).
- x86/MCE: Make correctable error detection look at the Deferred bit (bsc#1114648).
- x86/mm/kaslr: Use the _ASM_MUL macro for multiplication to work around Clang incompatibility (bnc#1012382).
- x86/mm/pat: Prevent hang during boot when mapping pages (bnc#1012382).
- x86/mtrr: Do not copy uninitialized gentry fields back to userspace (bnc#1012382).
- x86/speculation/l1tf: Drop the swap storage limit restriction when l1tf=off (bnc#1114871).
- x86/speculation: Use synthetic bits for IBRS/IBPB/STIBP (bnc#1012382).
- xen/balloon: Support xend-based toolstack (bnc#1065600).
- xen/blkfront: avoid NULL blkfront_info dereference on device removal (bsc#1111062).
- xen: fix race in xen_qlock_wait() (bnc#1012382).
- xen: fix xen_qlock_wait() (bnc#1012382).
- xen: make xen_qlock_wait() nestable (bnc#1012382).
- xen/netback: dont overflow meta array (bnc#1099523).
- xen/netfront: tolerate frags with no data (bnc#1012382).
- xen-swiotlb: use actually allocated size on check physical continuous (bnc#1012382).
- xen/x86: add diagnostic printout to xen_mc_flush() in case of error (bnc#1116183).
- xen: xlate_mmu: add missing header to fix 'W=1' warning (bnc#1012382).
- xfrm6: call kfree_skb when skb is toobig (bnc#1012382).
- xfrm: Clear sk_dst_cache when applying per-socket policy (bnc#1012382).
- xfrm: Fix bucket count reported to userspace (bnc#1012382).
- xfrm: use complete IPv6 addresses for hash (bsc#1109330).
- xfrm: Validate address prefix lengths in the xfrm selector (bnc#1012382).
- xfrm: validate template mode (bnc#1012382).
- xfs: Align compat attrlist_by_handle with native implementation.
- xfs/dmapi: restore event in xfs_getbmap (bsc#1114763).
- xfs: Fix error code in 'xfs_ioc_getbmap()'.
- xfs: fix quotacheck dquot id overflow infinite loop (bsc#1121621).
- xhci: Add quirk to workaround the errata seen on Cavium Thunder-X2 Soc (bsc#1117162).
- xhci: Do not prevent USB2 bus suspend in state check intended for USB3 only (bnc#1012382).
- xhci: Prevent U1/U2 link pm states if exit latency is too long (bnc#1012382).
- xprtrdma: checking for NULL instead of IS_ERR().
- xprtrdma: Disable pad optimization by default.
- xprtrdma: Disable RPC/RDMA backchannel debugging messages.
- xprtrdma: Fix additional uses of spin_lock_irqsave(rb_lock).
- xprtrdma: Fix backchannel allocation of extra rpcrdma_reps.
- xprtrdma: Fix Read chunk padding.
- xprtrdma: Fix receive buffer accounting.
- xprtrdma: Reset credit grant properly after a disconnect.
- xprtrdma: rpcrdma_bc_receive_call() should init rq_private_buf.len.
- xprtrdma: Serialize credit accounting again.
- xprtrdma: xprt_rdma_free() must not release backchannel reqs.
- xtensa: add NOTES section to the linker script (bnc#1012382).
- xtensa: enable coprocessors that are being flushed (bnc#1012382).
- xtensa: fix boot parameters address translation (bnc#1012382).
- xtensa: fix coprocessor context offset definitions (bnc#1012382).
- xtensa: make sure bFLT stack is 16 byte aligned (bnc#1012382).
- zram: close udev startup race condition as default groups (bnc#1012382).
ImportantSUSE bug 1012382SUSE bug 1015336SUSE bug 1015337SUSE bug 1015340SUSE bug 1019683SUSE bug 1019695SUSE bug 1020645SUSE bug 1027260SUSE bug 1027457SUSE bug 1042286SUSE bug 1043083SUSE bug 1046264SUSE bug 1047487SUSE bug 1048916SUSE bug 1065600SUSE bug 1066223SUSE bug 1068032SUSE bug 1069702SUSE bug 1070805SUSE bug 1079935SUSE bug 1087082SUSE bug 1091405SUSE bug 1093158SUSE bug 1094244SUSE bug 1094973SUSE bug 1096242SUSE bug 1096281SUSE bug 1099523SUSE bug 1100105SUSE bug 1101557SUSE bug 1102439SUSE bug 1102660SUSE bug 1103156SUSE bug 1103257SUSE bug 1103624SUSE bug 1104098SUSE bug 1104731SUSE bug 1105412SUSE bug 1106105SUSE bug 1106237SUSE bug 1106240SUSE bug 1106929SUSE bug 1107385SUSE bug 1108145SUSE bug 1108240SUSE bug 1109272SUSE bug 1109330SUSE bug 1109806SUSE bug 1110286SUSE bug 1111062SUSE bug 1111809SUSE bug 1112246SUSE bug 1112963SUSE bug 1113412SUSE bug 1114190SUSE bug 1114417SUSE bug 1114475SUSE bug 1114648SUSE bug 1114763SUSE bug 1114839SUSE bug 1114871SUSE bug 1115431SUSE bug 1115433SUSE bug 1115440SUSE bug 1115587SUSE bug 1115709SUSE bug 1116027SUSE bug 1116183SUSE bug 1116285SUSE bug 1116336SUSE bug 1116345SUSE bug 1116497SUSE bug 1116841SUSE bug 1116924SUSE bug 1116950SUSE bug 1117162SUSE bug 1117165SUSE bug 1117186SUSE bug 1117562SUSE bug 1118152SUSE bug 1118316SUSE bug 1118319SUSE bug 1118505SUSE bug 1118790SUSE bug 1118798SUSE bug 1118915SUSE bug 1118922SUSE bug 1118926SUSE bug 1118930SUSE bug 1118936SUSE bug 1119204SUSE bug 1119714SUSE bug 1119877SUSE bug 1119946SUSE bug 1119967SUSE bug 1119970SUSE bug 1120046SUSE bug 1120743SUSE bug 1121239SUSE bug 1121240SUSE bug 1121241SUSE bug 1121242SUSE bug 1121275SUSE bug 1121621CVE-2017-16939 at SUSECVE-2017-16939 at NVDCVE-2018-1120 at SUSECVE-2018-1120 at NVDCVE-2018-16862 at SUSECVE-2018-16862 at NVDCVE-2018-16884 at SUSECVE-2018-16884 at NVDCVE-2018-19407 at SUSECVE-2018-19407 at NVDCVE-2018-19824 at SUSECVE-2018-19824 at NVDCVE-2018-19985 at SUSECVE-2018-19985 at NVDCVE-2018-20169 at SUSECVE-2018-20169 at NVDCVE-2018-3639 at SUSECVE-2018-3639 at NVDCVE-2018-9568 at SUSECVE-2018-9568 at NVDcpe:/o:suse:sles:12:sp3Security update for postgresql10 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for postgresql10 fixes the following issues:
Security issue fixed:
- CVE-2019-10130: Prevent row-level security policies from being bypassed via selectivity estimators (bsc#1134689).
Bug fixes:
- For a complete list of fixes check the release notes.
* https://www.postgresql.org/docs/10/release-10-8.html
* https://www.postgresql.org/docs/10/release-10-7.html
ModerateSUSE bug 1134689CVE-2019-10130 at SUSECVE-2019-10130 at NVDcpe:/o:suse:sles:12:sp3Security update for openssh (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for openssh fixes the following issues:
Security vulnerabilities addressed:
- CVE-2019-6109: Fixed an character encoding issue in the progress display of
the scp client that could be used to manipulate client output, allowing
for spoofing during file transfers (bsc#1121816).
- CVE-2019-6111: Properly validate object names received by the scp client to
prevent arbitrary file overwrites when interacting with a malicious SSH server
(bsc#1121821).
Other issues fixed:
- Fixed two race conditions in sshd relating to SIGHUP (bsc#1119183).
- Returned proper reason for port forwarding failures (bsc#1090671).
- Fixed a double free() in the KDF CAVS testing tool (bsc#1065237).
ModerateSUSE bug 1065237SUSE bug 1090671SUSE bug 1119183SUSE bug 1121816SUSE bug 1121821SUSE bug 1131709CVE-2019-6109 at SUSECVE-2019-6109 at NVDCVE-2019-6111 at SUSECVE-2019-6111 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3
The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.180 to receive
various security and bugfixes.
The following security bugs were fixed:
- CVE-2019-11477: A sequence of SACKs may have been crafted such that one can
trigger an integer overflow, leading to a kernel panic. (bsc#1137586)
- CVE-2019-11478: It was possible to send a crafted sequence of SACKs which
will fragment the TCP retransmission queue. An attacker may have been able to
further exploit the fragmented queue to cause an expensive linked-list walk
for subsequent SACKs received for that same TCP connection.
- CVE-2019-11479: It was possible to send a crafted sequence of SACKs which
will fragment the RACK send map. A remote attacker may be able to further
exploit the fragmented send map to cause an expensive linked-list walk for
subsequent SACKs received for that same TCP connection. This would have
resulted in excess resource consumption due to low mss values.
- CVE-2019-3846: A flaw that allowed an attacker to corrupt memory and possibly
escalate privileges was found in the mwifiex kernel module while connecting
to a malicious wireless network. (bnc#1136424)
- CVE-2019-12382: An issue was discovered in drm_load_edid_firmware in
drivers/gpu/drm/drm_edid_load.c in the Linux kernel There was an unchecked
kstrdup of fwstr, which might allow an attacker to cause a denial of service
(NULL pointer dereference and system crash). (bnc#1136586)
- CVE-2019-5489: The mincore() implementation in mm/mincore.c in the Linux
kernel allowed local attackers to observe page cache access patterns of other
processes on the same system, potentially allowing sniffing of secret
information. (Fixing this affects the output of the fincore program.) Limited
remote exploitation may be possible, as demonstrated by latency differences
in accessing public files from an Apache HTTP Server. (bnc#1120843).
- CVE-2019-11833: fs/ext4/extents.c in the Linux kernel did not zero out the
unused memory region in the extent tree block, which might allow local users
to obtain sensitive information by reading uninitialized data in the
filesystem. (bnc#1135281)
- CVE-2018-7191: In the tun subsystem in the Linux kernel before 4.13.14,
dev_get_valid_name is not called before register_netdevice. This allowed
local users to cause a denial of service (NULL pointer dereference and panic)
via an ioctl(TUNSETIFF) call with a dev name containing a / character. This
is similar to CVE-2013-4343. (bnc#1135603)
- CVE-2019-11190: The Linux kernel allowed local users to bypass ASLR on setuid
programs (such as /bin/su) because install_exec_creds() is called too late in
load_elf_binary() in fs/binfmt_elf.c, and thus the ptrace_may_access() check
has a race condition when reading /proc/pid/stat. (bnc#1131543)
- CVE-2019-11815: An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c
in the Linux kernel There was a race condition leading to a use-after-free,
related to net namespace cleanup. (bnc#1134537)
- CVE-2019-11884: The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c
in the Linux kernel allowed a local user to obtain potentially sensitive
information from kernel stack memory via a HIDPCONNADD command, because a
name field may not end with a '\0' character. (bnc#1134848)
- CVE-2018-17972: An issue was discovered in the proc_pid_stack function in
fs/proc/base.c in the Linux kernel It did not ensure that only root may
inspect the kernel stack of an arbitrary task, allowing a local attacker to
exploit racy stack unwinding and leak kernel task stack contents.
(bnc#1110785)
- CVE-2019-11486: The Siemens R3964 line discipline driver in
drivers/tty/n_r3964.c in the Linux kernel has multiple race conditions.
(bnc#1133188)
The following new features were implemented:
- Updated the Chelsio cxgb4vf driver with the latest upstream patches.
(fate#321660)
- Backported changes into e1000e kernel module to support systems using the
Intel I219-LM NIC chip. (fate#326719)
- Import QLogic/Cavium qedr driver (RDMA) into the kernel. (fate#321747)
- Update the QLogic/Cavium qed driver (NET). (fate#321703)
- Update the QLogic/Cavium qede driver (NET). (fate#321702)
- Update the Chelsio iw_cxgb4 driver with the latest upstream patches.
(fate#321661)
- Update the Chelsio cxgb4 driver with the latest upstream patches.
(fate#321658)
- Update support for Intel Omni Path (OPA) kernel driver. (fate#321473)
- Update the QIB driver to the latest upstream version for up-to-date
functionality and hardware support. (fate#321231)
The following non-security bugs were fixed:
- 9p locks: add mount option for lock retry interval (bnc#1012382).
- 9p: do not trust pdu content for stat item size (bnc#1012382).
- ACPI / SBS: Fix GPE storm on recent MacBookPro's (bnc#1012382).
- ALSA: PCM: check if ops are defined before suspending PCM (bnc#1012382).
- ALSA: core: Fix card races between register and disconnect (bnc#1012382).
- ALSA: echoaudio: add a check for ioremap_nocache (bnc#1012382).
- ALSA: info: Fix racy addition/deletion of nodes (bnc#1012382).
- ALSA: line6: use dynamic buffers (bnc#1012382).
- ALSA: opl3: fix mismatch between snd_opl3_drum_switch definition and declaration (bnc#1012382).
- ALSA: sb8: add a check for request_region (bnc#1012382).
- ALSA: seq: Fix OOB-reads from strlcpy (bnc#1012382).
- ARM: 8833/1: Ensure that NEON code always compiles with Clang (bnc#1012382).
- ARM: 8839/1: kprobe: make patch_lock a raw_spinlock_t (bnc#1012382).
- ARM: 8840/1: use a raw_spinlock_t in unwind (bnc#1012382).
- ARM: avoid Cortex-A9 livelock on tight dmb loops (bnc#1012382).
- ARM: dts: at91: Fix typo in ISC_D0 on PC9 (bnc#1012382).
- ARM: dts: pfla02: increase phy reset duration (bnc#1012382).
- ARM: iop: do not use using 64-bit DMA masks (bnc#1012382).
- ARM: orion: do not use using 64-bit DMA masks (bnc#1012382).
- ARM: samsung: Limit SAMSUNG_PM_CHECK config option to non-Exynos platforms (bnc#1012382).
- ASoC: Intel: avoid Oops if DMA setup fails (bnc#1012382).
- ASoC: cs4270: Set auto-increment bit for register writes (bnc#1012382).
- ASoC: fsl-asoc-card: fix object reference leaks in fsl_asoc_card_probe (bnc#1012382).
- ASoC: fsl_esai: fix channel swap issue when stream starts (bnc#1012382).
- ASoC: tlv320aic32x4: Fix Common Pins (bnc#1012382).
- ASoC:soc-pcm:fix a codec fixup issue in TDM case (bnc#1012382).
- Bluetooth: Align minimum encryption key size for LE and BR/EDR connections (bnc#1012382).
- Bluetooth: Fix decrementing reference count twice in releasing socket (bnc#1012382).
- CIFS: keep FileInfo handle live during oplock break (bsc#1106284, bsc#1131565).
- Correct bsc/FATE numbers.
- Do not jump to compute_result state from check_result state (bnc#1012382).
- Documentation: Add MDS vulnerability documentation (bnc#1012382).
- Documentation: Add nospectre_v1 parameter (bnc#1012382).
- Documentation: Correct the possible MDS sysfs values (bnc#1012382).
- Documentation: Move L1TF to separate directory (bnc#1012382).
- HID: debug: fix race condition with between rdesc_show() and device removal (bnc#1012382).
- HID: input: add mapping for Expose/Overview key (bnc#1012382).
- HID: input: add mapping for keyboard Brightness Up/Down/Toggle keys (bnc#1012382).
- IB/hfi1: Eliminate opcode tests on mr deref ().
- IB/hfi1: Unreserve a reserved request when it is completed ().
- IB/mlx4: Fix race condition between catas error reset and aliasguid flows (bnc#1012382).
- IB/mlx4: Increase the timeout for CM cache (bnc#1012382).
- IB/rdmavt: Add wc_flags and wc_immdata to cq entry trace ().
- IB/rdmavt: Fix frwr memory registration ().
- Input: snvs_pwrkey - initialize necessary driver data before enabling IRQ (bnc#1012382).
- KVM: fail KVM_SET_VCPU_EVENTS with invalid exception number (bnc#1012382).
- KVM: x86: Do not clear EFER during SMM transitions for 32-bit vCPU (bnc#1012382).
- KVM: x86: avoid misreporting level-triggered irqs as edge-triggered in tracing (bnc#1012382).
- MIPS: scall64-o32: Fix indirect syscall number load (bnc#1012382).
- NFS/pnfs: Bulk destroy of layouts needs to be safe w.r.t. umount (git-fixes).
- NFS: Add missing encode / decode sequence_maxsz to v4.2 operations (git-fixes).
- NFS: Fix I/O request leakages (git-fixes).
- NFS: Forbid setting AF_INET6 to 'struct sockaddr_in'->sin_family (bnc#1012382).
- PCI: Add function 1 DMA alias quirk for Marvell 9170 SATA controller (bnc#1012382).
- PCI: Mark AMD Stoney Radeon R7 GPU ATS as broken (bsc#1137142).
- PCI: Mark Atheros AR9462 to avoid bus reset (bsc#1135642).
- PCI: xilinx-nwl: Add missing of_node_put() (bsc#1100132).
- RDMA/iw_cxgb4: Fix the unchecked ep dereference (bsc#1005778 bsc#1005780 bsc#1005781).
- RDMA/qedr: Fix out of bounds index check in query pkey (bsc#1022604).
- Revert 'block/loop: Use global lock for ioctl() operation.' (bnc#1012382).
- Revert 'block: unexport DISK_EVENT_MEDIA_CHANGE for legacy/fringe drivers' (bsc#1110946).
- Revert 'cpu/speculation: Add 'mitigations=' cmdline option' (stable backports).
- Revert 'ide: unexport DISK_EVENT_MEDIA_CHANGE for ide-gd and ide-cd' (bsc#1110946).
- Revert 'kbuild: use -Oz instead of -Os when using clang' (bnc#1012382).
- Revert 'locking/lockdep: Add debug_locks check in __lock_downgrade()' (bnc#1012382).
- Revert 'netns: provide pure entropy for net_hash_mix()' (kabi).
- Revert 'sched: Add sched_smt_active()' (stable backports).
- Revert 'x86/MCE: Save microcode revision in machine check records' (kabi).
- Revert 'x86/kprobes: Verify stack frame on kretprobe' (kabi).
- Revert 'x86/speculation/mds: Add 'mitigations=' support for MDS' (stable backports).
- Revert 'x86/speculation: Support 'mitigations=' cmdline option' (stable backports).
- SoC: imx-sgtl5000: add missing put_device() (bnc#1012382).
- UAS: fix alignment of scatter/gather segments (bnc#1012382 bsc#1129770).
- UAS: fix alignment of scatter/gather segments (bsc#1129770).
- USB: Add new USB LPM helpers (bsc#1129770).
- USB: Consolidate LPM checks to avoid enabling LPM twice (bsc#1129770).
- USB: cdc-acm: fix unthrottle races (bsc#1135642).
- USB: core: Fix bug caused by duplicate interface PM usage counter (bnc#1012382).
- USB: core: Fix unterminated string returned by usb_string() (bnc#1012382).
- USB: serial: fix unthrottle races (bnc#1012382).
- USB: serial: use variable for status (bnc#1012382).
- USB: w1 ds2490: Fix bug caused by improper use of altsetting array (bnc#1012382).
- USB: yurex: Fix protection fault after device removal (bnc#1012382).
- X.509: unpack RSA signatureValue field from BIT STRING (git-fixes).
- appletalk: Fix compile regression (bnc#1012382).
- appletalk: Fix use-after-free in atalk_proc_exit (bnc#1012382).
- arm64/kernel: do not ban ADRP to work around Cortex-A53 erratum #843419 (bsc#1126040).
- arm64/kernel: rename module_emit_adrp_veneer->module_emit_veneer_for_adrp (bsc#1126040).
- arm64: Add helper to decode register from instruction (bsc#1126040).
- arm64: debug: Do not propagate UNKNOWN FAR into si_code for debug signals (bnc#1012382).
- arm64: debug: Ensure debug handlers check triggering exception level (bnc#1012382).
- arm64: futex: Fix FUTEX_WAKE_OP atomic ops with non-zero result value (bnc#1012382).
- arm64: futex: Restore oldval initialization to work around buggy compilers (bnc#1012382).
- arm64: module-plts: factor out PLT generation code for ftrace (bsc#1126040).
- arm64: module: do not BUG when exceeding preallocated PLT count (bsc#1126040).
- arm64: module: split core and init PLT sections (bsc#1126040).
- backlight: lm3630a: Return 0 on success in update_status functions (bsc#1106929)
- bcache: Move couple of functions to sysfs.c (bsc#1130972).
- bcache: Move couple of string arrays to sysfs.c (bsc#1130972).
- bcache: Populate writeback_rate_minimum attribute (bsc#1130972).
- bcache: account size of buckets used in uuid write to ca->meta_sectors_written (bsc#1130972).
- bcache: add MODULE_DESCRIPTION information (bsc#1130972).
- bcache: add a comment in super.c (bsc#1130972).
- bcache: add code comments for bset.c (bsc#1130972).
- bcache: add comment for cache_set->fill_iter (bsc#1130972).
- bcache: add identifier names to arguments of function definitions (bsc#1130972).
- bcache: add missing SPDX header (bsc#1130972).
- bcache: add separate workqueue for journal_write to avoid deadlock (bsc#1130972).
- bcache: add static const prefix to char * array declarations (bsc#1130972).
- bcache: add sysfs_strtoul_bool() for setting bit-field variables (bsc#1130972).
- bcache: add the missing comments for smp_mb()/smp_wmb() (bsc#1130972).
- bcache: cannot set writeback_running via sysfs if no writeback kthread created (bsc#1130972).
- bcache: comment on direct access to bvec table (bsc#1130972).
- bcache: correct dirty data statistics (bsc#1130972).
- bcache: do not assign in if condition in bcache_device_init() (bsc#1130972).
- bcache: do not assign in if condition in bcache_init() (bsc#1130972).
- bcache: do not assign in if condition register_bcache() (bsc#1130972).
- bcache: do not check NULL pointer before calling kmem_cache_destroy (bsc#1130972).
- bcache: do not check if debug dentry is ERR or NULL explicitly on remove (bsc#1130972).
- bcache: do not clone bio in bch_data_verify (bsc#1130972).
- bcache: do not mark writeback_running too early (bsc#1130972).
- bcache: export backing_dev_name via sysfs (bsc#1130972).
- bcache: export backing_dev_uuid via sysfs (bsc#1130972).
- bcache: fix code comments style (bsc#1130972).
- bcache: fix indent by replacing blank by tabs (bsc#1130972).
- bcache: fix indentation issue, remove tabs on a hunk of code (bsc#1130972).
- bcache: fix input integer overflow of congested threshold (bsc#1130972).
- bcache: fix input overflow to cache set sysfs file io_error_halflife (bnc#1012382).
- bcache: fix input overflow to journal_delay_ms (bsc#1130972).
- bcache: fix input overflow to sequential_cutoff (bnc#1012382).
- bcache: fix input overflow to writeback_delay (bsc#1130972).
- bcache: fix input overflow to writeback_rate_minimum (bsc#1130972).
- bcache: fix ioctl in flash device (bsc#1130972).
- bcache: fix mistaken code comments in bcache.h (bsc#1130972).
- bcache: fix mistaken comments in request.c (bsc#1130972).
- bcache: fix potential div-zero error of writeback_rate_i_term_inverse (bsc#1130972).
- bcache: fix potential div-zero error of writeback_rate_p_term_inverse (bsc#1130972).
- bcache: fix typo 'succesfully' to 'successfully' (bsc#1130972).
- bcache: fix typo in code comments of closure_return_with_destructor() (bsc#1130972).
- bcache: improve sysfs_strtoul_clamp() (bnc#1012382).
- bcache: introduce force_wake_up_gc() (bsc#1130972).
- bcache: make cutoff_writeback and cutoff_writeback_sync tunable (bsc#1130972).
- bcache: move open brace at end of function definitions to next line (bsc#1130972).
- bcache: never writeback a discard operation (bsc#1130972).
- bcache: not use hard coded memset size in bch_cache_accounting_clear() (bsc#1130972).
- bcache: option to automatically run gc thread after writeback (bsc#1130972).
- bcache: panic fix for making cache device (bsc#1130972).
- bcache: prefer 'help' in Kconfig (bsc#1130972).
- bcache: print number of keys in trace_bcache_journal_write (bsc#1130972).
- bcache: recal cached_dev_sectors on detach (bsc#1130972).
- bcache: remove unnecessary space before ioctl function pointer arguments (bsc#1130972).
- bcache: remove unused bch_passthrough_cache (bsc#1130972).
- bcache: remove useless parameter of bch_debug_init() (bsc#1130972).
- bcache: replace '%pF' by '%pS' in seq_printf() (bsc#1130972).
- bcache: replace Symbolic permissions by octal permission numbers (bsc#1130972).
- bcache: replace hard coded number with BUCKET_GC_GEN_MAX (bsc#1130972).
- bcache: replace printk() by pr_*() routines (bsc#1130972).
- bcache: set writeback_percent in a flexible range (bsc#1130972).
- bcache: split combined if-condition code into separate ones (bsc#1130972).
- bcache: stop using the deprecated get_seconds() (bsc#1130972).
- bcache: style fix to add a blank line after declarations (bsc#1130972).
- bcache: style fix to replace 'unsigned' by 'unsigned int' (bsc#1130972).
- bcache: style fixes for lines over 80 characters (bsc#1130972).
- bcache: trace missed reading by cache_missed (bsc#1130972).
- bcache: treat stale && dirty keys as bad keys (bsc#1130972).
- bcache: trivial - remove tailing backslash in macro BTREE_FLAG (bsc#1130972).
- bcache: update comment for bch_data_insert (bsc#1130972).
- bcache: use (REQ_META|REQ_PRIO) to indicate bio for metadata (bsc#1130972).
- bcache: use MAX_CACHES_PER_SET instead of magic number 8 in __bch_bucket_alloc_set (bsc#1130972).
- bcache: use REQ_PRIO to indicate bio for metadata (bsc#1130972).
- bcache: use routines from lib/crc64.c for CRC64 calculation (bsc#1130972).
- bcache: use sysfs_strtoul_bool() to set bit-field variables (bsc#1130972).
- bcache: writeback: properly order backing device IO (bsc#1130972).
- binfmt_elf: switch to new creds when switching to new mm (bnc#1012382).
- bitops: avoid integer overflow in GENMASK(_ULL) (bnc#1012382).
- block: check_events: do not bother with events if unsupported (bsc#1110946).
- block: disk_events: introduce event flags (bsc#1110946).
- block: do not leak memory in bio_copy_user_iov() (bnc#1012382).
- block: fix use-after-free on gendisk (bsc#1136448).
- bnxt_en: Improve multicast address setup logic (bnc#1012382).
- bonding: fix arp_validate toggling in active-backup mode (bnc#1012382).
- bonding: fix event handling for stacked bonds (bnc#1012382).
- bonding: show full hw address in sysfs for slave entries (bnc#1012382).
- bpf: reject wrong sized filters earlier (bnc#1012382).
- bridge: Fix error path for kobject_init_and_add() (bnc#1012382).
- btrfs: Do not panic when we can't find a root key (bsc#1112063).
- btrfs: Factor out common delayed refs init code (bsc#1134813).
- btrfs: Introduce init_delayed_ref_head (bsc#1134813).
- btrfs: Open-code add_delayed_data_ref (bsc#1134813).
- btrfs: Open-code add_delayed_tree_ref (bsc#1134813).
- btrfs: Use init_delayed_ref_common in add_delayed_data_ref (bsc#1134813).
- btrfs: Use init_delayed_ref_common in add_delayed_tree_ref (bsc#1134813).
- btrfs: Use init_delayed_ref_head in add_delayed_ref_head (bsc#1134813).
- btrfs: add a helper to return a head ref (bsc#1134813).
- btrfs: breakout empty head cleanup to a helper (bsc#1134813).
- btrfs: delayed-ref: Introduce better documented delayed ref structures (bsc#1063638 bsc#1128052 bsc#1108838).
- btrfs: delayed-ref: Use btrfs_ref to refactor btrfs_add_delayed_data_ref() (bsc#1063638 bsc#1128052 bsc#1108838).
- btrfs: delayed-ref: Use btrfs_ref to refactor btrfs_add_delayed_tree_ref() (bsc#1063638 bsc#1128052 bsc#1108838).
- btrfs: extent-tree: Fix a bug that btrfs is unable to add pinned bytes (bsc#1063638 bsc#1128052 bsc#1108838).
- btrfs: extent-tree: Open-code process_func in __btrfs_mod_ref (bsc#1063638 bsc#1128052 bsc#1108838).
- btrfs: extent-tree: Use btrfs_ref to refactor add_pinned_bytes() (bsc#1063638 bsc#1128052 bsc#1108838).
- btrfs: extent-tree: Use btrfs_ref to refactor btrfs_free_extent() (bsc#1063638 bsc#1128052 bsc#1108838).
- btrfs: extent-tree: Use btrfs_ref to refactor btrfs_inc_extent_ref() (bsc#1063638 bsc#1128052 bsc#1108838).
- btrfs: move all ref head cleanup to the helper function (bsc#1134813).
- btrfs: move extent_op cleanup to a helper (bsc#1134813).
- btrfs: move ref_mod modification into the if (ref) logic (bsc#1134813).
- btrfs: qgroup: Check bg while resuming relocation to avoid NULL pointer dereference (bsc#1134806).
- btrfs: qgroup: Do not scan leaf if we're modifying reloc tree (bsc#1063638 bsc#1128052 bsc#1108838).
- btrfs: qgroup: Move reserved data accounting from btrfs_delayed_ref_head to btrfs_qgroup_extent_record (bsc#1134162).
- btrfs: qgroup: Remove duplicated trace points for qgroup_rsv_add/release (bsc#1134160).
- btrfs: reloc: Also queue orphan reloc tree for cleanup to avoid BUG_ON() (bsc#1134338).
- btrfs: reloc: Fix NULL pointer dereference due to expanded reloc_root lifespan (bsc#1134651).
- btrfs: remove delayed_ref_node from ref_head (bsc#1134813).
- btrfs: split delayed ref head initialization and addition (bsc#1134813).
- btrfs: track refs in a rb_tree instead of a list (bsc#1134813).
- cdc-acm: cleaning up debug in data submission path (bsc#1136539).
- cdc-acm: fix race between reset and control messaging (bsc#1106110).
- cdc-acm: handle read pipe errors (bsc#1135878).
- cdc-acm: reassemble fragmented notifications (bsc#1136590).
- cdc-acm: store in and out pipes in acm structure (bsc#1136575).
- cdrom: Fix race condition in cdrom_sysctl_register (bnc#1012382).
- ceph: ensure d_name stability in ceph_dentry_hash() (bsc#1134564).
- ceph: fix ci->i_head_snapc leak (bsc#1122776).
- ceph: fix use-after-free on symlink traversal (bsc#1134565).
- ceph: only use d_name directly when parent is locked (bsc#1134566).
- cifs: Fix NULL pointer dereference of devname (bnc#1012382).
- cifs: do not attempt cifs operation on smb2+ rename error (bnc#1012382).
- cifs: fallback to older infolevels on findfirst queryinfo retry (bnc#1012382).
- cifs: use correct format characters (bnc#1012382).
- clk: fix mux clock documentation (bsc#1090888).
- coresight: etm4x: Add support to enable ETMv4.2 (bnc#1012382).
- cpu/speculation: Add 'mitigations=' cmdline option (bnc#1012382 bsc#1112178).
- cpupower: remove stringop-truncation waring (bsc#1119086).
- crypto: crypto4xx - properly set IV after de- and encrypt (bnc#1012382).
- crypto: sha256/arm - fix crash bug in Thumb2 build (bnc#1012382).
- crypto: sha512/arm - fix crash bug in Thumb2 build (bnc#1012382).
- crypto: vmx - CTR: always increment IV as quadword (bsc#1135661, bsc#1137162).
- crypto: vmx - fix copy-paste error in CTR mode (bsc#1135661, bsc#1137162).
- crypto: vmx - ghash: do nosimd fallback manually (bsc#1135661, bsc#1137162).
- crypto: vmx - return correct error code on failed setkey (bsc#1135661, bsc#1137162).
- crypto: vmx: Only call enable_kernel_vsx() (bsc#1135661, bsc#1137162).
- crypto: x86/poly1305 - fix overflow during partial reduction (bnc#1012382).
- debugfs: fix use-after-free on symlink traversal (bnc#1012382).
- device_cgroup: fix RCU imbalance in error case (bnc#1012382).
- dm thin: add sanity checks to thin-pool and external snapshot creation (bnc#1012382).
- dmaengine: imx-dma: fix warning comparison of distinct pointer types (bnc#1012382).
- dmaengine: tegra: avoid overflow of byte tracking (bnc#1012382).
- drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl (bnc#1012382).
- drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl (bnc#1012382).
- drm/bridge: adv7511: Fix low refresh rate selection (bsc#1106929)
- drm/dp/mst: Configure no_stop_bit correctly for remote i2c xfers (bnc#1012382).
- drm/fb-helper: dpms_legacy(): Only set on connectors in use (bnc#1106929)
- drm/i915: Fix I915_EXEC_RING_MASK (bnc#1106929)
- drm/rockchip: shutdown drm subsystem on shutdown (bsc#1106929)
- drm/ttm: Remove warning about inconsistent mapping information (bnc#1131488)
- drm/vc4: ->x_scaling[1] should never be set to VC4_SCALING_NONE (bsc#1106929)
- drm/vc4: Account for interrupts in flight (bsc#1106929)
- drm/vc4: Allocate the right amount of space for boot-time CRTC state. (bsc#1106929)
- drm/vc4: Fix NULL pointer dereference in vc4_save_hang_state() (bsc#1106929)
- drm/vc4: Fix OOPSes from trying to cache a partially constructed BO. (bsc#1106929)
- drm/vc4: Fix a couple error codes in vc4_cl_lookup_bos() (bsc#1106929)
- drm/vc4: Fix compilation error reported by kbuild test bot (bsc#1106929)
- drm/vc4: Fix memory leak during gpu reset. (bsc#1106929)
- drm/vc4: Fix memory leak of the CRTC state. (bsc#1106929)
- drm/vc4: Fix oops when userspace hands in a bad BO. (bsc#1106929)
- drm/vc4: Fix overflow mem unreferencing when the binner runs dry. (bsc#1106929)
- drm/vc4: Fix races when the CS reads from render targets. (bsc#1106929)
- drm/vc4: Fix scaling of uni-planar formats (bsc#1106929)
- drm/vc4: Fix the 'no scaling' case on multi-planar YUV formats (bsc#1106929)
- drm/vc4: Flush the caches before the bin jobs, as well. (bsc#1106929)
- drm/vc4: Free hang state before destroying BO cache. (bsc#1106929)
- drm/vc4: Move IRQ enable to PM path (bsc#1106929)
- drm/vc4: Reset ->{x, y}_scaling[1] when dealing with uniplanar (bsc#1106929)
- drm/vc4: Set ->is_yuv to false when num_planes == 1 (bsc#1106929)
- drm/vc4: Use drm_free_large() on handles to match its allocation. (bsc#1106929)
- drm/vc4: fix a bounds check (bsc#1106929)
- drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define() (bsc#1106929)
- drm/vmwgfx: integer underflow in vmw_cmd_dx_set_shader() leading to (bsc#1106929)
- dt-bindings: rcar-dmac: Document missing error interrupt (bsc#1085535).
- e1000e: Add Support for 38.4MHZ frequency (bsc#1108293 ).
- e1000e: Add Support for CannonLake (bsc#1108293).
- e1000e: Fix -Wformat-truncation warnings (bnc#1012382).
- e1000e: Initial Support for CannonLake (bsc#1108293 ).
- enic: fix build warning without CONFIG_CPUMASK_OFFSTACK (bnc#1012382).
- exportfs: fix 'passing zero to ERR_PTR()' warning (bsc#1136458).
- ext4: Return EAGAIN in case of DIO is beyond end of file (bsc#1136810).
- ext4: actually request zeroing of inode table after grow (bsc#1136451).
- ext4: add missing brelse() in add_new_gdb_meta_bg() (bnc#1012382).
- ext4: avoid panic during forced reboot due to aborted journal (bsc#1126356).
- ext4: cleanup bh release code in ext4_ind_remove_space() (bnc#1012382).
- ext4: fix ext4_show_options for file systems w/o journal (bsc#1136452).
- ext4: fix use-after-free race with debug_want_extra_isize (bsc#1136449).
- ext4: make sure enough credits are reserved for dioread_nolock writes (bsc#1136623).
- ext4: prohibit fstrim in norecovery mode (bnc#1012382).
- ext4: report real fs size after failed resize (bnc#1012382).
- ext4: wait for outstanding dio during truncate in nojournal mode (bsc#1136438).
- f2fs: do not use mutex lock in atomic context (bnc#1012382).
- f2fs: fix to do sanity check with current segment number (bnc#1012382).
- fbdev: fbmem: fix memory access if logo is bigger than the screen (bnc#1012382).
- fix incorrect error code mapping for OBJECTID_NOT_FOUND (bnc#1012382).
- fs/file.c: initialize init_files.resize_wait (bnc#1012382).
- fs/proc/proc_sysctl.c: Fix a NULL pointer dereference (bnc#1012382).
- fs: fix guard_bio_eod to check for real EOD errors (bnc#1012382).
- ftrace/x86_64: Emulate call function while updating in breakpoint handler (bsc#1099658).
- genirq: Prevent use-after-free and work list corruption (bnc#1012382).
- genirq: Respect IRQCHIP_SKIP_SET_WAKE in irq_chip_set_wake_parent() (bnc#1012382).
- gpio: gpio-omap: fix level interrupt idling (bnc#1012382).
- gpu: ipu-v3: dp: fix CSC handling (bnc#1012382).
- h8300: use cc-cross-prefix instead of hardcoding h8300-unknown-linux- (bnc#1012382).
- hugetlbfs: fix memory leak for resv_map (bnc#1012382).
- hwrng: virtio - Avoid repeated init of completion (bnc#1012382).
- i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA (bnc#1012382).
- ibmvnic: Add device identification to requested IRQs (bsc#1137739).
- ibmvnic: Do not close unopened driver during reset (bsc#1137752).
- ibmvnic: Fix unchecked return codes of memory allocations (bsc#1137752).
- ibmvnic: Refresh device multicast list after reset (bsc#1137752).
- ibmvnic: remove set but not used variable 'netdev' (bsc#1137739).
- igb: Fix WARN_ONCE on runtime suspend (bnc#1012382).
- iio/gyro/bmg160: Use millidegrees for temperature scale (bnc#1012382).
- iio: ad_sigma_delta: select channel when reading register (bnc#1012382).
- iio: adc: at91: disable adc channel interrupt in timeout case (bnc#1012382).
- iio: adc: xilinx: fix potential use-after-free on remove (bnc#1012382).
- include/linux/bitrev.h: fix constant bitrev (bnc#1012382).
- include/linux/swap.h: use offsetof() instead of custom __swapoffset macro (bnc#1012382).
- init: initialize jump labels before command line option parsing (bnc#1012382).
- io: accel: kxcjk1013: restore the range after resume (bnc#1012382).
- iommu/vt-d: Do not request page request irq under dmar_global_lock (bsc#1135013).
- iommu/vt-d: Make kernel parameter igfx_off work with vIOMMU (bsc#1135014).
- iommu/vt-d: Set intel_iommu_gfx_mapped correctly (bsc#1135015).
- ip6_tunnel: Match to ARPHRD_TUNNEL6 for dev type (bnc#1012382).
- ipmi:ssif: compare block number correctly for multi-part return messages (bsc#1135120).
- ipv4: Fix raw socket lookup for local traffic (bnc#1012382).
- ipv4: add sanity checks in ipv4_link_failure() (git-fixes).
- ipv4: ensure rcu_read_lock() in ipv4_link_failure() (bnc#1012382).
- ipv4: ip_do_fragment: Preserve skb_iif during fragmentation (bnc#1012382).
- ipv4: recompile ip options in ipv4_link_failure (bnc#1012382).
- ipv4: set the tcp_min_rtt_wlen range from 0 to one day (bnc#1012382).
- ipv6/flowlabel: wait rcu grace period before put_pid() (bnc#1012382).
- ipv6: Fix dangling pointer when ipv6 fragment (bnc#1012382).
- ipv6: fix a potential deadlock in do_ipv6_setsockopt() (bnc#1012382).
- ipv6: invert flowlabel sharing check in process and user mode (bnc#1012382).
- ipv6: sit: reset ip header pointer in ipip6_rcv (bnc#1012382).
- ipvs: do not schedule icmp errors from tunnels (bnc#1012382).
- jffs2: fix use-after-free on symlink traversal (bnc#1012382).
- kABI: protect ring_buffer_read_prepare (kabi).
- kABI: protect struct tlb_state (kabi).
- kABI: protect struct usb_interface (kabi).
- kABI: restore ___ptrace_may_access (kabi).
- kABI: restore icmp_send (kabi).
- kabi: arm64: fix kabi breakage on arch specific module (bsc#1126040)
- kabi: drop LINUX_MIB_TCPWQUEUETOOBIG snmp counter (bsc#1137586).
- kabi: move sysctl_tcp_min_snd_mss to preserve struct net layout (bsc#1137586).
- kbuild: clang: choose GCC_TOOLCHAIN_DIR not on LD (bnc#1012382).
- kbuild: simplify ld-option implementation (bnc#1012382).
- kconfig/[mn]conf: handle backspace (^H) key (bnc#1012382).
- kconfig: display recursive dependency resolution hint just once (bsc#1100132).
- kernel/sysctl.c: fix out-of-bounds access when setting file-max (bnc#1012382).
- keys: Timestamp new keys (bsc#1120902).
- kprobes: Fix error check when reusing optimized probes (bnc#1012382).
- kprobes: Mark ftrace mcount handler functions nokprobe (bnc#1012382).
- kprobes: Prohibit probing on bsearch() (bnc#1012382).
- leds: lp55xx: fix null deref on firmware load failure (bnc#1012382).
- lib/div64.c: off by one in shift (bnc#1012382).
- lib/int_sqrt: optimize initial value compute (bnc#1012382).
- lib/string.c: implement a basic bcmp (bnc#1012382).
- lib: add crc64 calculation routines (bsc#1130972).
- lib: do not depend on linux headers being installed (bsc#1130972).
- libata: fix using DMA buffers on stack (bnc#1012382).
- libnvdimm/btt: Fix a kmemdup failure check (bnc#1012382).
- lpfc: validate command in lpfc_sli4_scmd_to_wqidx_distr() (bsc#1129138).
- mac80211: do not call driver wake_tx_queue op during reconfig (bnc#1012382).
- mac80211_hwsim: validate number of different channels (bsc#1085539).
- md: use mddev_suspend/resume instead of ->quiesce() (bsc#1132212).
- media: mt9m111: set initial frame size other than 0x0 (bnc#1012382).
- media: mx2_emmaprp: Correct return type for mem2mem buffer helpers (bnc#1012382).
- media: pvrusb2: Prevent a buffer overflow (bsc#1135642).
- media: s5p-g2d: Correct return type for mem2mem buffer helpers (bnc#1012382).
- media: s5p-jpeg: Check for fmt_ver_flag when doing fmt enumeration (bnc#1012382).
- media: s5p-jpeg: Correct return type for mem2mem buffer helpers (bnc#1012382).
- media: sh_veu: Correct return type for mem2mem buffer helpers (bnc#1012382).
- media: v4l2: i2c: ov7670: Fix PLL bypass register values (bnc#1012382).
- media: vb2: do not call __vb2_queue_cancel if vb2_start_streaming failed (bsc#1120902).
- mm/cma.c: cma_declare_contiguous: correct err handling (bnc#1012382).
- mm/page_ext.c: fix an imbalance with kmemleak (bnc#1012382).
- mm/slab.c: kmemleak no scan alien caches (bnc#1012382).
- mm/vmalloc.c: fix kernel BUG at mm/vmalloc.c:512! (bnc#1012382).
- mm/vmstat.c: fix /proc/vmstat format for CONFIG_DEBUG_TLBFLUSH=y CONFIG_SMP=n (bnc#1012382).
- mm: mempolicy: make mbind() return -EIO when MPOL_MF_STRICT is specified (bnc#1012382).
- mmc: davinci: remove extraneous __init annotation (bnc#1012382).
- mmc: omap: fix the maximum timeout setting (bnc#1012382).
- modpost: file2alias: check prototype of handler (bnc#1012382).
- modpost: file2alias: go back to simple devtable lookup (bnc#1012382).
- mount: copy the port field into the cloned nfs_server structure (bsc#1136990).
- mt7601u: bump supported EEPROM version (bnc#1012382).
- mtd: Fix comparison in map_word_andequal() (git-fixes).
- mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies() (bsc#1136935).
- net/ibmvnic: Remove tests of member address (bsc#1137739).
- net/ibmvnic: Update MAC address settings after adapter reset (bsc#1134760).
- net/ibmvnic: Update carrier state after link state change (bsc#1135100).
- net: atm: Fix potential Spectre v1 vulnerabilities (bnc#1012382).
- net: bridge: multicast: use rcu to access port list from br_multicast_start_querier (bnc#1012382).
- net: ena: fix return value of ena_com_config_llq_info() (bsc#1117562).
- net: ethernet: ti: fix possible object reference leak (bnc#1012382).
- net: ethtool: not call vzalloc for zero sized memory request (bnc#1012382).
- net: fou: do not use guehdr after iptunnel_pull_offloads in gue_udp_recv (bnc#1012382).
- net: hns: Fix WARNING when remove HNS driver with SMMU enabled (bnc#1012382).
- net: hns: Use NAPI_POLL_WEIGHT for hns driver (bnc#1012382).
- net: ibm: fix possible object reference leak (bnc#1012382).
- net: ks8851: Delay requesting IRQ until opened (bnc#1012382).
- net: ks8851: Dequeue RX packets explicitly (bnc#1012382).
- net: ks8851: Reassert reset pin if chip ID check fails (bnc#1012382).
- net: ks8851: Set initial carrier state to down (bnc#1012382).
- net: rds: force to destroy connection if t_sock is NULL in rds_tcp_kill_sock() (bnc#1012382).
- net: stmmac: move stmmac_check_ether_addr() to driver probe (bnc#1012382).
- net: ucc_geth - fix Oops when changing number of buffers in the ring (bnc#1012382).
- net: xilinx: fix possible object reference leak (bnc#1012382).
- netfilter: bridge: set skb transport_header before entering NF_INET_PRE_ROUTING (bnc#1012382).
- netfilter: compat: initialize all fields in xt_init (bnc#1012382).
- netfilter: ebtables: CONFIG_COMPAT: drop a bogus WARN_ON (bnc#1012382).
- netfilter: physdev: relax br_netfilter dependency (bnc#1012382).
- netns: provide pure entropy for net_hash_mix() (bnc#1012382).
- nfs: clean up rest of reqs when failing to add one (git-fixes).
- nfsd: Do not release the callback slot unless it was actually held (bnc#1012382).
- ntp: Allow TAI-UTC offset to be set to zero (bsc#1135642).
- nvme-fc: resolve io failures during connect (bsc#1116803).
- nvme: Do not allow to reset a reconnecting controller (bsc#1133874).
- ocfs2: fix a panic problem caused by o2cb_ctl (bnc#1012382).
- openvswitch: fix flow actions reallocation (bnc#1012382).
- pNFS: Skip invalid stateids when doing a bulk destroy (git-fixes).
- packet: Fix error path in packet_init (bnc#1012382).
- packet: validate msg_namelen in send directly (bnc#1012382).
- perf evsel: Free evsel->counts in perf_evsel__exit() (bnc#1012382).
- perf test: Fix failure of 'evsel-tp-sched' test on s390 (bnc#1012382).
- perf tests: Fix a memory leak in test__perf_evsel__tp_sched_test() (bnc#1012382).
- perf tests: Fix a memory leak of cpu_map object in the openat_syscall_event_on_all_cpus test (bnc#1012382).
- perf top: Fix error handling in cmd_top() (bnc#1012382).
- perf/core: Restore mmap record type correctly (bnc#1012382).
- perf/x86/intel: Allow PEBS multi-entry in watermark mode (git-fixes).
- perf/x86/intel: Fix handling of wakeup_events for multi-entry PEBS (bnc#1012382).
- platform/x86: sony-laptop: Fix unintentional fall-through (bnc#1012382).
- powerpc/64: Add CONFIG_PPC_BARRIER_NOSPEC (bnc#1012382).
- powerpc/64: Call setup_barrier_nospec() from setup_arch() (bnc#1012382 bsc#1131107).
- powerpc/64: Make meltdown reporting Book3S 64 specific (bnc#1012382).
- powerpc/64s: Include cpu header (bnc#1012382).
- powerpc/booke64: set RI in default MSR (bnc#1012382).
- powerpc/eeh: Fix race with driver un/bind (bsc#1066223).
- powerpc/fsl: Add FSL_PPC_BOOK3E as supported arch for nospectre_v2 boot arg (bnc#1012382).
- powerpc/fsl: Add barrier_nospec implementation for NXP PowerPC Book3E (bnc#1012382).
- powerpc/fsl: Add infrastructure to fixup branch predictor flush (bnc#1012382).
- powerpc/fsl: Add macro to flush the branch predictor (bnc#1012382).
- powerpc/fsl: Add nospectre_v2 command line argument (bnc#1012382).
- powerpc/fsl: Emulate SPRN_BUCSR register (bnc#1012382).
- powerpc/fsl: Enable runtime patching if nospectre_v2 boot arg is used (bnc#1012382).
- powerpc/fsl: Fix the flush of branch predictor (bnc#1012382).
- powerpc/fsl: Fixed warning: orphan section `__btb_flush_fixup' (bnc#1012382).
- powerpc/fsl: Flush branch predictor when entering KVM (bnc#1012382).
- powerpc/fsl: Flush the branch predictor at each kernel entry (32 bit) (bnc#1012382).
- powerpc/fsl: Flush the branch predictor at each kernel entry (64bit) (bnc#1012382).
- powerpc/fsl: Sanitize the syscall table for NXP PowerPC 32 bit platforms (bnc#1012382).
- powerpc/fsl: Update Spectre v2 reporting (bnc#1012382).
- powerpc/lib: fix book3s/32 boot failure due to code patching (bnc#1012382).
- powerpc/perf: Add blacklisted events for Power9 DD2.1 (bsc#1053043).
- powerpc/perf: Add blacklisted events for Power9 DD2.2 (bsc#1053043).
- powerpc/perf: Fix MMCRA corruption by bhrb_filter (bsc#1053043).
- powerpc/perf: Infrastructure to support addition of blacklisted events (bsc#1053043).
- powerpc/process: Fix sparse address space warnings (bsc#1066223).
- powerpc/xmon: Add RFI flush related fields to paca dump (bnc#1012382).
- qede: fix write to free'd pointer error and double free of ptp (bsc#1019695 bsc#1019696).
- qlcnic: Avoid potential NULL pointer dereference (bnc#1012382).
- qmi_wwan: add Olicard 600 (bnc#1012382).
- regulator: act8865: Fix act8600_sudcdc_voltage_ranges setting (bnc#1012382).
- rsi: improve kernel thread handling to fix kernel panic (bnc#1012382).
- rtc: da9063: set uie_unsupported when relevant (bnc#1012382).
- rtc: sh: Fix invalid alarm warning for non-enabled alarm (bnc#1012382).
- s390/3270: fix lockdep false positive on view->lock (bnc#1012382).
- s390/dasd: Fix capacity calculation for large volumes (bnc#1012382).
- s390: ctcm: fix ctcm_new_device error return code (bnc#1012382).
- sc16is7xx: missing unregister/delete driver on error in sc16is7xx_init() (bnc#1012382).
- sc16is7xx: move label 'err_spi' to correct section (git-fixes).
- sched/fair: Do not re-read ->h_load_next during hierarchical load calculation (bnc#1012382).
- sched/fair: Limit sched_cfs_period_timer() loop to avoid hard lockup (bnc#1012382).
- sched/numa: Fix a possible divide-by-zero (bnc#1012382).
- sched: Add sched_smt_active() (bnc#1012382).
- scsi: core: replace GFP_ATOMIC with GFP_KERNEL in scsi_scan.c (bnc#1012382).
- scsi: csiostor: fix missing data copy in csio_scsi_err_handler() (bnc#1012382).
- scsi: libsas: fix a race condition when smp task timeout (bnc#1012382).
- scsi: megaraid_sas: return error when create DMA pool failed (bnc#1012382).
- scsi: qla2xxx: Fix incorrect region-size setting in optrom SYSFS routines (bnc#1012382).
- scsi: qla4xxx: fix a potential NULL pointer dereference (bnc#1012382).
- scsi: storvsc: Fix calculation of sub-channel count (bnc#1012382).
- scsi: zfcp: reduce flood of fcrscn1 trace records on multi-element RSCN (bnc#1012382).
- sctp: initialize _pad of sockaddr_in before copying to user memory (bnc#1012382).
- selftests/net: correct the return value for run_netsocktests (bnc#1012382).
- selinux: never allow relabeling on context mounts (bnc#1012382).
- serial: uartps: console_setup() can't be placed to init section (bnc#1012382).
- slip: make slhc_free() silently accept an error pointer (bnc#1012382).
- soc/tegra: fuse: Fix illegal free of IO base address (bnc#1012382).
- soc: qcom: gsbi: Fix error handling in gsbi_probe() (bnc#1012382).
- staging: comedi: ni_usb6501: Fix possible double-free of ->usb_rx_buf (bnc#1012382).
- staging: comedi: ni_usb6501: Fix use of uninitialized mutex (bnc#1012382).
- staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf (bnc#1012382).
- staging: comedi: vmk80xx: Fix use of uninitialized semaphore (bnc#1012382).
- staging: iio: adt7316: allow adt751x to use internal vref for all dacs (bnc#1012382).
- staging: iio: adt7316: fix the dac read calculation (bnc#1012382).
- staging: iio: adt7316: fix the dac write calculation (bnc#1012382).
- supported.conf: add lib/crc64 because bcache uses it
- sysctl: handle overflow for file-max (bnc#1012382).
- tcp: Ensure DCTCP reacts to losses (bnc#1012382).
- tcp: add tcp_min_snd_mss sysctl (bsc#1137586).
- tcp: enforce tcp_min_snd_mss in tcp_mtu_probing() (bsc#1137586).
- tcp: limit payload size of sacked skbs (bsc#1137586).
- tcp: tcp_fragment() should apply sane memory limits (bsc#1137586).
- tcp: tcp_grow_window() needs to respect tcp_space() (bnc#1012382).
- team: fix possible recursive locking when add slaves (bnc#1012382).
- thermal/int340x_thermal: Add additional UUIDs (bnc#1012382).
- thermal/int340x_thermal: fix mode setting (bnc#1012382).
- timer/debug: Change /proc/timer_stats from 0644 to 0600 (bnc#1012382).
- tipc: check bearer name with right length in tipc_nl_compat_bearer_enable (bnc#1012382).
- tipc: check link name with right length in tipc_nl_compat_link_set (bnc#1012382).
- tipc: handle the err returned from cmd header function (bnc#1012382).
- tools lib traceevent: Fix buffer overflow in arg_eval (bnc#1012382).
- tools lib traceevent: Fix missing equality check for strcmp (bsc#1129770).
- tools/power turbostat: return the exit status of a command (bnc#1012382).
- tpm/tpm_crb: Avoid unaligned reads in crb_recv() (bnc#1012382).
- tpm/tpm_i2c_atmel: Return -E2BIG when the transfer is incomplete (bnc#1012382).
- trace: Fix preempt_enable_no_resched() abuse (bnc#1012382).
- tracing: Fix partial reading of trace event's id file (bsc#1136573).
- tracing: kdb: Fix ftdump to not sleep (bnc#1012382).
- treewide: Use DEVICE_ATTR_WO (bsc#1137739).
- tty/serial: atmel: Add is_half_duplex helper (bnc#1012382).
- tty/serial: atmel: RS485 HD w/DMA: enable RX after TX is stopped (bnc#1012382).
- tty: increase the default flip buffer limit to 2*640K (bnc#1012382).
- tty: ldisc: add sysctl to prevent autoloading of ldiscs (bnc#1012382).
- ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour (bsc#1136455).
- usb: cdc-acm: fix race during wakeup blocking TX traffic (bsc#1129770).
- usb: chipidea: Grab the (legacy) USB PHY by phandle first (bnc#1012382).
- usb: dwc3: Fix default lpm_nyet_threshold value (bnc#1012382).
- usb: gadget: net2272: Fix net2272_dequeue() (bnc#1012382).
- usb: gadget: net2280: Fix net2280_dequeue() (bnc#1012382).
- usb: gadget: net2280: Fix overrun of OUT messages (bnc#1012382).
- usb: u132-hcd: fix resource leak (bnc#1012382).
- usb: usbip: fix isoc packet num validation in get_pipe (bnc#1012382).
- usbnet: ipheth: fix potential null pointer dereference in ipheth_carrier_set (bnc#1012382).
- usbnet: ipheth: prevent TX queue timeouts when device not ready (bnc#1012382).
- vfio/pci: use correct format characters (bnc#1012382).
- vlan: disable SIOCSHWTSTAMP in container (bnc#1012382).
- vrf: sit mtu should not be updated when vrf netdev is the link (bnc#1012382).
- wlcore: Fix memory leak in case wl12xx_fetch_firmware failure (bnc#1012382).
- x86/Kconfig: Select SCHED_SMT if SMP enabled (bnc#1012382).
- x86/MCE: Save microcode revision in machine check records (bnc#1012382).
- x86/bugs: Add AMD's SPEC_CTRL MSR usage (bnc#1012382).
- x86/bugs: Change L1TF mitigation string to match upstream (bnc#1012382).
- x86/bugs: Fix the AMD SSBD usage of the SPEC_CTRL MSR (bnc#1012382).
- x86/bugs: Switch the selection of mitigation from CPU vendor to CPU features (bnc#1012382).
- x86/build: Mark per-CPU symbols as absolute explicitly for LLD (bnc#1012382).
- x86/build: Specify elf_i386 linker emulation explicitly for i386 objects (bnc#1012382).
- x86/cpu/bugs: Use __initconst for 'const' init data (bnc#1012382).
- x86/cpu/cyrix: Use correct macros for Cyrix calls on Geode processors (bnc#1012382).
- x86/cpufeatures: Hide AMD-specific speculation flags (bnc#1012382).
- x86/hpet: Prevent potential NULL pointer dereference (bnc#1012382).
- x86/hw_breakpoints: Make default case in hw_breakpoint_arch_parse() return an error (bnc#1012382).
- x86/kprobes: Verify stack frame on kretprobe (bnc#1012382).
- x86/mds: Add MDSUM variant to the MDS documentation (bnc#1012382).
- x86/microcode/intel: Add a helper which gives the microcode revision (bnc#1012382).
- x86/microcode/intel: Check microcode revision before updating sibling threads (bnc#1012382).
- x86/microcode: Make sure boot_cpu_data.microcode is up-to-date (bnc#1012382).
- x86/microcode: Update the new microcode revision unconditionally (bnc#1012382).
- x86/mm: Use WRITE_ONCE() when setting PTEs (bnc#1012382).
- x86/process: Consolidate and simplify switch_to_xtra() code (bnc#1012382).
- x86/speculataion: Mark command line parser data __initdata (bnc#1012382).
- x86/speculation/l1tf: Document l1tf in sysfs (bnc#1012382).
- x86/speculation/mds: Fix comment (bnc#1012382).
- x86/speculation/mds: Fix documentation typo (bnc#1012382).
- x86/speculation: Add command line control for indirect branch speculation (bnc#1012382).
- x86/speculation: Add prctl() control for indirect branch speculation (bnc#1012382).
- x86/speculation: Add seccomp Spectre v2 user space protection mode (bnc#1012382).
- x86/speculation: Avoid __switch_to_xtra() calls (bnc#1012382).
- x86/speculation: Clean up spectre_v2_parse_cmdline() (bnc#1012382).
- x86/speculation: Disable STIBP when enhanced IBRS is in use (bnc#1012382).
- x86/speculation: Enable prctl mode for spectre_v2_user (bnc#1012382).
- x86/speculation: Mark string arrays const correctly (bnc#1012382).
- x86/speculation: Move STIPB/IBPB string conditionals out of cpu_show_common() (bnc#1012382).
- x86/speculation: Prepare arch_smt_update() for PRCTL mode (bnc#1012382).
- x86/speculation: Prepare for conditional IBPB in switch_mm() (bnc#1012382).
- x86/speculation: Prepare for per task indirect branch speculation control (bnc#1012382).
- x86/speculation: Prevent stale SPEC_CTRL msr content (bnc#1012382).
- x86/speculation: Provide IBPB always command line options (bnc#1012382).
- x86/speculation: Remove SPECTRE_V2_IBRS in enum spectre_v2_mitigation (bnc#1012382).
- x86/speculation: Remove unnecessary ret variable in cpu_show_common() (bnc#1012382).
- x86/speculation: Rename SSBD update functions (bnc#1012382).
- x86/speculation: Reorder the spec_v2 code (bnc#1012382).
- x86/speculation: Reorganize speculation control MSRs update (bnc#1012382).
- x86/speculation: Split out TIF update (bnc#1012382).
- x86/speculation: Support 'mitigations=' cmdline option (bnc#1012382 bsc#1112178).
- x86/speculation: Support Enhanced IBRS on future CPUs (bnc#1012382).
- x86/speculation: Unify conditional spectre v2 print functions (bnc#1012382).
- x86/speculation: Update the TIF_SSBD comment (bnc#1012382).
- x86/vdso: Drop implicit common-page-size linker flag (bnc#1012382).
- x86/vdso: Pass --eh-frame-hdr to the linker (git-fixes).
- x86: vdso: Use $LD instead of $CC to link (bnc#1012382).
- x86_64: Add gap to int3 to allow for call emulation (bsc#1099658).
- x86_64: Allow breakpoints to emulate call instructions (bsc#1099658).
- xen: Prevent buffer overflow in privcmd ioctl (bnc#1012382).
- xenbus: drop useless LIST_HEAD in xenbus_write_watch() and xenbus_file_write() (bsc#1065600).
- xsysace: Fix error handling in ace_setup (bnc#1012382).
- xtensa: fix return_address (bnc#1012382).
ImportantSUSE bug 1005778SUSE bug 1005780SUSE bug 1005781SUSE bug 1012382SUSE bug 1019695SUSE bug 1019696SUSE bug 1022604SUSE bug 1053043SUSE bug 1063638SUSE bug 1065600SUSE bug 1066223SUSE bug 1085535SUSE bug 1085539SUSE bug 1090888SUSE bug 1099658SUSE bug 1100132SUSE bug 1106110SUSE bug 1106284SUSE bug 1106929SUSE bug 1108293SUSE bug 1108838SUSE bug 1110785SUSE bug 1110946SUSE bug 1112063SUSE bug 1112178SUSE bug 1116803SUSE bug 1117562SUSE bug 1119086SUSE bug 1120642SUSE bug 1120843SUSE bug 1120885SUSE bug 1120902SUSE bug 1122776SUSE bug 1125580SUSE bug 1126040SUSE bug 1126356SUSE bug 1128052SUSE bug 1129138SUSE bug 1129770SUSE bug 1130972SUSE bug 1131107SUSE bug 1131488SUSE bug 1131543SUSE bug 1131565SUSE bug 1132212SUSE bug 1132374SUSE bug 1132472SUSE bug 1133188SUSE bug 1133874SUSE bug 1134160SUSE bug 1134162SUSE bug 1134338SUSE bug 1134537SUSE bug 1134564SUSE bug 1134565SUSE bug 1134566SUSE bug 1134651SUSE bug 1134760SUSE bug 1134806SUSE bug 1134813SUSE bug 1134848SUSE bug 1135013SUSE bug 1135014SUSE bug 1135015SUSE bug 1135100SUSE bug 1135120SUSE bug 1135281SUSE bug 1135603SUSE bug 1135642SUSE bug 1135661SUSE bug 1135878SUSE bug 1136424SUSE bug 1136438SUSE bug 1136446SUSE bug 1136448SUSE bug 1136449SUSE bug 1136451SUSE bug 1136452SUSE bug 1136455SUSE bug 1136458SUSE bug 1136539SUSE bug 1136573SUSE bug 1136575SUSE bug 1136586SUSE bug 1136590SUSE bug 1136623SUSE bug 1136810SUSE bug 1136935SUSE bug 1136990SUSE bug 1137142SUSE bug 1137162SUSE bug 1137586SUSE bug 1137739SUSE bug 1137752SUSE bug 843419CVE-2013-4343 at SUSECVE-2013-4343 at NVDCVE-2018-17972 at SUSECVE-2018-17972 at NVDCVE-2018-7191 at SUSECVE-2018-7191 at NVDCVE-2019-11190 at SUSECVE-2019-11190 at NVDCVE-2019-11477 at SUSECVE-2019-11477 at NVDCVE-2019-11478 at SUSECVE-2019-11478 at NVDCVE-2019-11479 at SUSECVE-2019-11479 at NVDCVE-2019-11486 at SUSECVE-2019-11486 at NVDCVE-2019-11815 at SUSECVE-2019-11815 at NVDCVE-2019-11833 at SUSECVE-2019-11833 at NVDCVE-2019-11884 at SUSECVE-2019-11884 at NVDCVE-2019-12382 at SUSECVE-2019-12382 at NVDCVE-2019-3846 at SUSECVE-2019-3846 at NVDCVE-2019-5489 at SUSECVE-2019-5489 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3
The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.180 to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2019-11477: A sequence of SACKs may have been crafted such that one can trigger an integer overflow, leading to a kernel panic.
- CVE-2019-11478: It was possible to send a crafted sequence of SACKs which will
fragment the TCP retransmission queue. An attacker may have been able to further exploit the fragmented queue to cause an
expensive linked-list walk for subsequent SACKs received for that same TCP connection.
- CVE-2019-11479: An attacker could force the Linux kernel to segment its responses into multiple TCP segments. This would drastically increased the bandwidth required to deliver the same amount of data. Further, it would consume additional resources such as CPU and NIC processing power.
- CVE-2019-3846: A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network. (bnc#1136424)
- CVE-2019-12382: An issue was discovered in drm_load_edid_firmware in drivers/gpu/drm/drm_edid_load.c in the Linux kernel, there was an unchecked kstrdup of fwstr, which might have allowed an attacker to cause a denial of service (NULL pointer dereference and system crash). (bnc#1136586)
- CVE-2019-5489: The mincore() implementation in mm/mincore.c in the Linux kernel allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may have been possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server. (bnc#1120843)
- CVE-2019-11833: fs/ext4/extents.c in the Linux kernel did not zero out the unused memory region in the extent tree block, which might have allowed local users to obtain sensitive information by reading uninitialized data in the filesystem. (bnc#1135281)
- CVE-2018-7191: In the tun subsystem in the Linux kernel, dev_get_valid_name was not called before register_netdevice. This allowed local users to cause a denial of service (NULL pointer dereference and panic) via an ioctl(TUNSETIFF) call with a dev name containing a / character. (bnc#1135603)
- CVE-2019-11190: The Linux kernel allowed local users to bypass ASLR on setuid programs (such as /bin/su) because install_exec_creds() was called too late in load_elf_binary() in fs/binfmt_elf.c, and thus the ptrace_may_access() check had a race condition when reading /proc/pid/stat. (bnc#1132472)
- CVE-2019-11815: An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel There was a race condition leading to a use-after-free, related to net namespace cleanup. (bnc#1134537)
- CVE-2019-11884: The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Linux kernel allowed a local user to obtain potentially sensitive information from kernel stack memory via a HIDPCONNADD command, because a name field may not end with a '\0' character. (bnc#1134848)
- CVE-2018-17972: An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel It did not ensure that only root may inspect the kernel stack of an arbitrary task, allowing a local attacker to exploit racy stack unwinding and leak kernel task stack contents. (bnc#1110785)
- CVE-2019-11486: The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the Linux kernel had multiple race conditions. (bnc#1133188)
The following non-security bugs were fixed:
- 9p locks: add mount option for lock retry interval (bnc#1012382).
- 9p: do not trust pdu content for stat item size (bnc#1012382).
- X.509: unpack RSA signatureValue field from BIT STRING (git-fixes).
- acpi / sbs: Fix GPE storm on recent MacBookPro's (bnc#1012382).
- alsa: core: Fix card races between register and disconnect (bnc#1012382).
- alsa: echoaudio: add a check for ioremap_nocache (bnc#1012382).
- alsa: info: Fix racy addition/deletion of nodes (bnc#1012382).
- alsa: line6: use dynamic buffers (bnc#1012382).
- alsa: opl3: fix mismatch between snd_opl3_drum_switch definition and declaration (bnc#1012382).
- alsa: pcm: check if ops are defined before suspending PCM (bnc#1012382).
- alsa: sb8: add a check for request_region (bnc#1012382).
- alsa: seq: Fix OOB-reads from strlcpy (bnc#1012382).
- appletalk: Fix compile regression (bnc#1012382).
- appletalk: Fix use-after-free in atalk_proc_exit (bnc#1012382).
- arm64/kernel: do not ban ADRP to work around Cortex-A53 erratum #843419 (bsc#1126040).
- arm64/kernel: rename module_emit_adrp_veneer->module_emit_veneer_for_adrp (bsc#1126040).
- arm64: Add helper to decode register from instruction (bsc#1126040).
- arm64: debug: Do not propagate UNKNOWN FAR into si_code for debug signals (bnc#1012382).
- arm64: debug: Ensure debug handlers check triggering exception level (bnc#1012382).
- arm64: futex: Fix FUTEX_WAKE_OP atomic ops with non-zero result value (bnc#1012382).
- arm64: futex: Restore oldval initialization to work around buggy compilers (bnc#1012382).
- arm64: module-plts: factor out PLT generation code for ftrace (bsc#1126040).
- arm64: module: do not BUG when exceeding preallocated PLT count (bsc#1126040).
- arm64: module: split core and init PLT sections (bsc#1126040).
- arm: 8833/1: Ensure that NEON code always compiles with Clang (bnc#1012382).
- arm: 8839/1: kprobe: make patch_lock a raw_spinlock_t (bnc#1012382).
- arm: 8840/1: use a raw_spinlock_t in unwind (bnc#1012382).
- arm: avoid Cortex-A9 livelock on tight dmb loops (bnc#1012382).
- arm: dts: at91: Fix typo in ISC_D0 on PC9 (bnc#1012382).
- arm: dts: pfla02: increase phy reset duration (bnc#1012382).
- arm: iop: do not use using 64-bit DMA masks (bnc#1012382).
- arm: orion: do not use using 64-bit DMA masks (bnc#1012382).
- arm: samsung: Limit SAMSUNG_PM_CHECK config option to non-Exynos platforms (bnc#1012382).
- asoc: Intel: avoid Oops if DMA setup fails (bnc#1012382).
- asoc: cs4270: Set auto-increment bit for register writes (bnc#1012382).
- asoc: fsl-asoc-card: fix object reference leaks in fsl_asoc_card_probe (bnc#1012382).
- asoc: fsl_esai: fix channel swap issue when stream starts (bnc#1012382).
- asoc: tlv320aic32x4: Fix Common Pins (bnc#1012382).
- asoc:soc-pcm:fix a codec fixup issue in TDM case (bnc#1012382).
- backlight: lm3630a: Return 0 on success in update_status functions (bsc#1106929)
- bcache: Move couple of functions to sysfs.c (bsc#1130972).
- bcache: Move couple of string arrays to sysfs.c (bsc#1130972).
- bcache: Populate writeback_rate_minimum attribute (bsc#1130972).
- bcache: account size of buckets used in uuid write to ca->meta_sectors_written (bsc#1130972).
- bcache: add MODULE_DESCRIPTION information (bsc#1130972).
- bcache: add a comment in super.c (bsc#1130972).
- bcache: add code comments for bset.c (bsc#1130972).
- bcache: add comment for cache_set->fill_iter (bsc#1130972).
- bcache: add identifier names to arguments of function definitions (bsc#1130972).
- bcache: add missing SPDX header (bsc#1130972).
- bcache: add separate workqueue for journal_write to avoid deadlock (bsc#1130972).
- bcache: add static const prefix to char * array declarations (bsc#1130972).
- bcache: add sysfs_strtoul_bool() for setting bit-field variables (bsc#1130972).
- bcache: add the missing comments for smp_mb()/smp_wmb() (bsc#1130972).
- bcache: cannot set writeback_running via sysfs if no writeback kthread created (bsc#1130972).
- bcache: comment on direct access to bvec table (bsc#1130972).
- bcache: correct dirty data statistics (bsc#1130972).
- bcache: do not assign in if condition in bcache_device_init() (bsc#1130972).
- bcache: do not assign in if condition in bcache_init() (bsc#1130972).
- bcache: do not assign in if condition register_bcache() (bsc#1130972).
- bcache: do not check NULL pointer before calling kmem_cache_destroy (bsc#1130972).
- bcache: do not check if debug dentry is ERR or NULL explicitly on remove (bsc#1130972).
- bcache: do not clone bio in bch_data_verify (bsc#1130972).
- bcache: do not mark writeback_running too early (bsc#1130972).
- bcache: export backing_dev_name via sysfs (bsc#1130972).
- bcache: export backing_dev_uuid via sysfs (bsc#1130972).
- bcache: fix code comments style (bsc#1130972).
- bcache: fix indent by replacing blank by tabs (bsc#1130972).
- bcache: fix indentation issue, remove tabs on a hunk of code (bsc#1130972).
- bcache: fix input integer overflow of congested threshold (bsc#1130972).
- bcache: fix input overflow to cache set sysfs file io_error_halflife (bnc#1012382).
- bcache: fix input overflow to journal_delay_ms (bsc#1130972).
- bcache: fix input overflow to sequential_cutoff (bnc#1012382).
- bcache: fix input overflow to writeback_delay (bsc#1130972).
- bcache: fix input overflow to writeback_rate_minimum (bsc#1130972).
- bcache: fix ioctl in flash device (bsc#1130972).
- bcache: fix mistaken code comments in bcache.h (bsc#1130972).
- bcache: fix mistaken comments in request.c (bsc#1130972).
- bcache: fix potential div-zero error of writeback_rate_i_term_inverse (bsc#1130972).
- bcache: fix potential div-zero error of writeback_rate_p_term_inverse (bsc#1130972).
- bcache: fix typo 'succesfully' to 'successfully' (bsc#1130972).
- bcache: fix typo in code comments of closure_return_with_destructor() (bsc#1130972).
- bcache: improve sysfs_strtoul_clamp() (bnc#1012382).
- bcache: introduce force_wake_up_gc() (bsc#1130972).
- bcache: make cutoff_writeback and cutoff_writeback_sync tunable (bsc#1130972).
- bcache: move open brace at end of function definitions to next line (bsc#1130972).
- bcache: never writeback a discard operation (bsc#1130972).
- bcache: not use hard coded memset size in bch_cache_accounting_clear() (bsc#1130972).
- bcache: option to automatically run gc thread after writeback (bsc#1130972).
- bcache: panic fix for making cache device (bsc#1130972).
- bcache: prefer 'help' in Kconfig (bsc#1130972).
- bcache: print number of keys in trace_bcache_journal_write (bsc#1130972).
- bcache: recal cached_dev_sectors on detach (bsc#1130972).
- bcache: remove unnecessary space before ioctl function pointer arguments (bsc#1130972).
- bcache: remove unused bch_passthrough_cache (bsc#1130972).
- bcache: remove useless parameter of bch_debug_init() (bsc#1130972).
- bcache: replace '%pF' by '%pS' in seq_printf() (bsc#1130972).
- bcache: replace Symbolic permissions by octal permission numbers (bsc#1130972).
- bcache: replace hard coded number with BUCKET_GC_GEN_MAX (bsc#1130972).
- bcache: replace printk() by pr_*() routines (bsc#1130972).
- bcache: set writeback_percent in a flexible range (bsc#1130972).
- bcache: split combined if-condition code into separate ones (bsc#1130972).
- bcache: stop using the deprecated get_seconds() (bsc#1130972).
- bcache: style fix to add a blank line after declarations (bsc#1130972).
- bcache: style fix to replace 'unsigned' by 'unsigned int' (bsc#1130972).
- bcache: style fixes for lines over 80 characters (bsc#1130972).
- bcache: trace missed reading by cache_missed (bsc#1130972).
- bcache: treat stale and dirty keys as bad keys (bsc#1130972).
- bcache: trivial - remove tailing backslash in macro BTREE_FLAG (bsc#1130972).
- bcache: update comment for bch_data_insert (bsc#1130972).
- bcache: use (REQ_META|REQ_PRIO) to indicate bio for metadata (bsc#1130972).
- bcache: use MAX_CACHES_PER_SET instead of magic number 8 in __bch_bucket_alloc_set (bsc#1130972).
- bcache: use REQ_PRIO to indicate bio for metadata (bsc#1130972).
- bcache: use routines from lib/crc64.c for CRC64 calculation (bsc#1130972).
- bcache: use sysfs_strtoul_bool() to set bit-field variables (bsc#1130972).
- bcache: writeback: properly order backing device IO (bsc#1130972).
- binfmt_elf: switch to new creds when switching to new mm (bnc#1012382).
- bitops: avoid integer overflow in GENMASK(_ULL) (bnc#1012382).
- block: check_events: do not bother with events if unsupported (bsc#1110946).
- block: disk_events: introduce event flags (bsc#1110946).
- block: do not leak memory in bio_copy_user_iov() (bnc#1012382).
- block: fix use-after-free on gendisk (bsc#1136448).
- bluetooth: Align minimum encryption key size for LE and BR/EDR connections (bnc#1012382).
- bluetooth: Fix decrementing reference count twice in releasing socket (bnc#1012382).
- bnxt_en: Improve multicast address setup logic (bnc#1012382).
- bonding: fix arp_validate toggling in active-backup mode (bnc#1012382).
- bonding: fix event handling for stacked bonds (bnc#1012382).
- bonding: show full hw address in sysfs for slave entries (bnc#1012382).
- bpf: reject wrong sized filters earlier (bnc#1012382).
- bridge: Fix error path for kobject_init_and_add() (bnc#1012382).
- btrfs: Do not panic when we can't find a root key (bsc#1112063).
- btrfs: Factor out common delayed refs init code (bsc#1134813).
- btrfs: Introduce init_delayed_ref_head (bsc#1134813).
- btrfs: Open-code add_delayed_data_ref (bsc#1134813).
- btrfs: Open-code add_delayed_tree_ref (bsc#1134813).
- btrfs: Use init_delayed_ref_common in add_delayed_data_ref (bsc#1134813).
- btrfs: Use init_delayed_ref_common in add_delayed_tree_ref (bsc#1134813).
- btrfs: Use init_delayed_ref_head in add_delayed_ref_head (bsc#1134813).
- btrfs: add a helper to return a head ref (bsc#1134813).
- btrfs: breakout empty head cleanup to a helper (bsc#1134813).
- btrfs: delayed-ref: Introduce better documented delayed ref structures (bsc#1063638 bsc#1128052 bsc#1108838).
- btrfs: delayed-ref: Use btrfs_ref to refactor btrfs_add_delayed_data_ref() (bsc#1063638 bsc#1128052 bsc#1108838).
- btrfs: delayed-ref: Use btrfs_ref to refactor btrfs_add_delayed_tree_ref() (bsc#1063638 bsc#1128052 bsc#1108838).
- btrfs: extent-tree: Fix a bug that btrfs is unable to add pinned bytes (bsc#1063638 bsc#1128052 bsc#1108838).
- btrfs: extent-tree: Open-code process_func in __btrfs_mod_ref (bsc#1063638 bsc#1128052 bsc#1108838).
- btrfs: extent-tree: Use btrfs_ref to refactor add_pinned_bytes() (bsc#1063638 bsc#1128052 bsc#1108838).
- btrfs: extent-tree: Use btrfs_ref to refactor btrfs_free_extent() (bsc#1063638 bsc#1128052 bsc#1108838).
- btrfs: extent-tree: Use btrfs_ref to refactor btrfs_inc_extent_ref() (bsc#1063638 bsc#1128052 bsc#1108838).
- btrfs: move all ref head cleanup to the helper function (bsc#1134813).
- btrfs: move extent_op cleanup to a helper (bsc#1134813).
- btrfs: move ref_mod modification into the if (ref) logic (bsc#1134813).
- btrfs: qgroup: Check bg while resuming relocation to avoid NULL pointer dereference (bsc#1134806).
- btrfs: qgroup: Do not scan leaf if we're modifying reloc tree (bsc#1063638 bsc#1128052 bsc#1108838).
- btrfs: qgroup: Move reserved data accounting from btrfs_delayed_ref_head to btrfs_qgroup_extent_record (bsc#1134162).
- btrfs: qgroup: Remove duplicated trace points for qgroup_rsv_add/release (bsc#1134160).
- btrfs: reloc: Also queue orphan reloc tree for cleanup to avoid BUG_ON() (bsc#1134338).
- btrfs: reloc: Fix NULL pointer dereference due to expanded reloc_root lifespan (bsc#1134651).
- btrfs: remove delayed_ref_node from ref_head (bsc#1134813).
- btrfs: split delayed ref head initialization and addition (bsc#1134813).
- btrfs: track refs in a rb_tree instead of a list (bsc#1134813).
- cdc-acm: cleaning up debug in data submission path (bsc#1136539).
- cdc-acm: fix race between reset and control messaging (bsc#1106110).
- cdc-acm: handle read pipe errors (bsc#1135878).
- cdc-acm: reassemble fragmented notifications (bsc#1136590).
- cdc-acm: store in and out pipes in acm structure (bsc#1136575).
- cdrom: Fix race condition in cdrom_sysctl_register (bnc#1012382).
- ceph: ensure d_name stability in ceph_dentry_hash() (bsc#1134564).
- ceph: fix ci->i_head_snapc leak (bsc#1122776).
- ceph: fix use-after-free on symlink traversal (bsc#1134565).
- ceph: only use d_name directly when parent is locked (bsc#1134566).
- cifs: Fix NULL pointer dereference of devname (bnc#1012382).
- cifs: do not attempt cifs operation on smb2+ rename error (bnc#1012382).
- cifs: fallback to older infolevels on findfirst queryinfo retry (bnc#1012382).
- cifs: keep FileInfo handle live during oplock break (bsc#1106284, bsc#1131565).
- cifs: use correct format characters (bnc#1012382).
- clk: fix mux clock documentation (bsc#1090888).
- coresight: etm4x: Add support to enable ETMv4.2 (bnc#1012382).
- cpu/speculation: Add 'mitigations=' cmdline option (bnc#1012382 bsc#1112178).
- cpupower: remove stringop-truncation waring (bsc#1119086).
- crypto: crypto4xx - properly set IV after de- and encrypt (bnc#1012382).
- crypto: sha256/arm - fix crash bug in Thumb2 build (bnc#1012382).
- crypto: sha512/arm - fix crash bug in Thumb2 build (bnc#1012382).
- crypto: vmx - CTR: always increment IV as quadword (bsc#1135661, bsc#1137162).
- crypto: vmx - fix copy-paste error in CTR mode (bsc#1135661, bsc#1137162).
- crypto: vmx - ghash: do nosimd fallback manually (bsc#1135661, bsc#1137162).
- crypto: vmx - return correct error code on failed setkey (bsc#1135661, bsc#1137162).
- crypto: vmx: Only call enable_kernel_vsx() (bsc#1135661, bsc#1137162).
- crypto: x86/poly1305 - fix overflow during partial reduction (bnc#1012382).
- debugfs: fix use-after-free on symlink traversal (bnc#1012382).
- device_cgroup: fix RCU imbalance in error case (bnc#1012382).
- dm thin: add sanity checks to thin-pool and external snapshot creation (bnc#1012382).
- dmaengine: imx-dma: fix warning comparison of distinct pointer types (bnc#1012382).
- dmaengine: tegra: avoid overflow of byte tracking (bnc#1012382).
- documentation: Add MDS vulnerability documentation (bnc#1012382).
- documentation: Add nospectre_v1 parameter (bnc#1012382).
- documentation: Correct the possible MDS sysfs values (bnc#1012382).
- documentation: Move L1TF to separate directory (bnc#1012382).
- drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl (bnc#1012382).
- drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl (bnc#1012382).
- drm/bridge: adv7511: Fix low refresh rate selection (bsc#1106929)
- drm/dp/mst: Configure no_stop_bit correctly for remote i2c xfers (bnc#1012382).
- drm/fb-helper: dpms_legacy(): Only set on connectors in use (bnc#1106929)
- drm/i915: Fix I915_EXEC_RING_MASK (bnc#1106929)
- drm/rockchip: shutdown drm subsystem on shutdown (bsc#1106929)
- drm/ttm: Remove warning about inconsistent mapping information (bnc#1131488)
- drm/vc4: ->x_scaling[1] should never be set to VC4_SCALING_NONE (bsc#1106929)
- drm/vc4: Account for interrupts in flight (bsc#1106929)
- drm/vc4: Allocate the right amount of space for boot-time CRTC state. (bsc#1106929)
- drm/vc4: Fix NULL pointer dereference in vc4_save_hang_state() (bsc#1106929)
- drm/vc4: Fix OOPSes from trying to cache a partially constructed BO. (bsc#1106929)
- drm/vc4: Fix a couple error codes in vc4_cl_lookup_bos() (bsc#1106929)
- drm/vc4: Fix compilation error reported by kbuild test bot (bsc#1106929)
- drm/vc4: Fix memory leak during gpu reset. (bsc#1106929)
- drm/vc4: Fix memory leak of the CRTC state. (bsc#1106929)
- drm/vc4: Fix oops when userspace hands in a bad BO. (bsc#1106929)
- drm/vc4: Fix overflow mem unreferencing when the binner runs dry. (bsc#1106929)
- drm/vc4: Fix races when the CS reads from render targets. (bsc#1106929)
- drm/vc4: Fix scaling of uni-planar formats (bsc#1106929)
- drm/vc4: Fix the 'no scaling' case on multi-planar YUV formats (bsc#1106929)
- drm/vc4: Flush the caches before the bin jobs, as well. (bsc#1106929)
- drm/vc4: Free hang state before destroying BO cache. (bsc#1106929)
- drm/vc4: Move IRQ enable to PM path (bsc#1106929)
- drm/vc4: Reset ->{x, y}_scaling[1] when dealing with uniplanar (bsc#1106929)
- drm/vc4: Set ->is_yuv to false when num_planes == 1 (bsc#1106929)
- drm/vc4: Use drm_free_large() on handles to match its allocation. (bsc#1106929)
- drm/vc4: fix a bounds check (bsc#1106929)
- drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define() (bsc#1106929)
- drm/vmwgfx: integer underflow in vmw_cmd_dx_set_shader() leading to (bsc#1106929)
- dt-bindings: rcar-dmac: Document missing error interrupt (bsc#1085535).
- e1000e: Add Support for 38.4MHZ frequency (bsc#1108293 ).
- e1000e: Add Support for CannonLake (bsc#1108293).
- e1000e: Fix -Wformat-truncation warnings (bnc#1012382).
- e1000e: Initial Support for CannonLake (bsc#1108293 ).
- enic: fix build warning without CONFIG_CPUMASK_OFFSTACK (bnc#1012382).
- exportfs: fix 'passing zero to ERR_PTR()' warning (bsc#1136458).
- ext4: Return EAGAIN in case of DIO is beyond end of file (bsc#1136810).
- ext4: actually request zeroing of inode table after grow (bsc#1136451).
- ext4: add missing brelse() in add_new_gdb_meta_bg() (bnc#1012382).
- ext4: avoid panic during forced reboot due to aborted journal (bsc#1126356).
- ext4: cleanup bh release code in ext4_ind_remove_space() (bnc#1012382).
- ext4: fix ext4_show_options for file systems w/o journal (bsc#1136452).
- ext4: fix use-after-free race with debug_want_extra_isize (bsc#1136449).
- ext4: make sure enough credits are reserved for dioread_nolock writes (bsc#1136623).
- ext4: prohibit fstrim in norecovery mode (bnc#1012382).
- ext4: report real fs size after failed resize (bnc#1012382).
- ext4: wait for outstanding dio during truncate in nojournal mode (bsc#1136438).
- f2fs: do not use mutex lock in atomic context (bnc#1012382).
- f2fs: fix to do sanity check with current segment number (bnc#1012382).
- fbdev: fbmem: fix memory access if logo is bigger than the screen (bnc#1012382).
- fix incorrect error code mapping for OBJECTID_NOT_FOUND (bnc#1012382).
- fs/file.c: initialize init_files.resize_wait (bnc#1012382).
- fs/proc/proc_sysctl.c: Fix a NULL pointer dereference (bnc#1012382).
- fs: fix guard_bio_eod to check for real EOD errors (bnc#1012382).
- ftrace/x86_64: Emulate call function while updating in breakpoint handler (bsc#1099658).
- genirq: Prevent use-after-free and work list corruption (bnc#1012382).
- genirq: Respect IRQCHIP_SKIP_SET_WAKE in irq_chip_set_wake_parent() (bnc#1012382).
- gpio: gpio-omap: fix level interrupt idling (bnc#1012382).
- gpu: ipu-v3: dp: fix CSC handling (bnc#1012382).
- h8300: use cc-cross-prefix instead of hardcoding h8300-unknown-linux- (bnc#1012382).
- hid: debug: fix race condition with between rdesc_show() and device removal (bnc#1012382).
- hid: input: add mapping for Expose/Overview key (bnc#1012382).
- hid: input: add mapping for keyboard Brightness Up/Down/Toggle keys (bnc#1012382).
- hugetlbfs: fix memory leak for resv_map (bnc#1012382).
- hwrng: virtio - Avoid repeated init of completion (bnc#1012382).
- i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA (bnc#1012382).
- ib/hfi1: Eliminate opcode tests on mr deref ().
- ib/hfi1: Unreserve a reserved request when it is completed ().
- ib/mlx4: Fix race condition between catas error reset and aliasguid flows (bnc#1012382).
- ib/mlx4: Increase the timeout for CM cache (bnc#1012382).
- ib/rdmavt: Add wc_flags and wc_immdata to cq entry trace ().
- ib/rdmavt: Fix frwr memory registration ().
- igb: Fix WARN_ONCE on runtime suspend (bnc#1012382).
- iio/gyro/bmg160: Use millidegrees for temperature scale (bnc#1012382).
- iio: ad_sigma_delta: select channel when reading register (bnc#1012382).
- iio: adc: at91: disable adc channel interrupt in timeout case (bnc#1012382).
- iio: adc: xilinx: fix potential use-after-free on remove (bnc#1012382).
- include/linux/bitrev.h: fix constant bitrev (bnc#1012382).
- include/linux/swap.h: use offsetof() instead of custom __swapoffset macro (bnc#1012382).
- init: initialize jump labels before command line option parsing (bnc#1012382).
- input: snvs_pwrkey - initialize necessary driver data before enabling IRQ (bnc#1012382).
- io: accel: kxcjk1013: restore the range after resume (bnc#1012382).
- iommu/vt-d: Do not request page request irq under dmar_global_lock (bsc#1135013).
- iommu/vt-d: Make kernel parameter igfx_off work with vIOMMU (bsc#1135014).
- iommu/vt-d: Set intel_iommu_gfx_mapped correctly (bsc#1135015).
- ip6_tunnel: Match to ARPHRD_TUNNEL6 for dev type (bnc#1012382).
- ipmi:ssif: compare block number correctly for multi-part return messages (bsc#1135120).
- ipv4: Fix raw socket lookup for local traffic (bnc#1012382).
- ipv4: add sanity checks in ipv4_link_failure() (git-fixes).
- ipv4: ensure rcu_read_lock() in ipv4_link_failure() (bnc#1012382).
- ipv4: ip_do_fragment: Preserve skb_iif during fragmentation (bnc#1012382).
- ipv4: recompile ip options in ipv4_link_failure (bnc#1012382).
- ipv4: set the tcp_min_rtt_wlen range from 0 to one day (bnc#1012382).
- ipv6/flowlabel: wait rcu grace period before put_pid() (bnc#1012382).
- ipv6: Fix dangling pointer when ipv6 fragment (bnc#1012382).
- ipv6: fix a potential deadlock in do_ipv6_setsockopt() (bnc#1012382).
- ipv6: invert flowlabel sharing check in process and user mode (bnc#1012382).
- ipv6: sit: reset ip header pointer in ipip6_rcv (bnc#1012382).
- ipvs: do not schedule icmp errors from tunnels (bnc#1012382).
- jffs2: fix use-after-free on symlink traversal (bnc#1012382).
- kABI: protect ring_buffer_read_prepare (kabi).
- kABI: protect struct tlb_state (kabi).
- kABI: protect struct usb_interface (kabi).
- kABI: restore ___ptrace_may_access (kabi).
- kABI: restore icmp_send (kabi).
- kabi: arm64: fix kabi breakage on arch specific module (bsc#1126040)
- kabi: drop LINUX_Mib_TCPWQUEUETOOBIG snmp counter (bsc#1137586).
- kabi: move sysctl_tcp_min_snd_mss to preserve struct net layout (bsc#1137586).
- kbuild: clang: choose GCC_TOOLCHAIN_DIR not on LD (bnc#1012382).
- kbuild: simplify ld-option implementation (bnc#1012382).
- kconfig/[mn]conf: handle backspace (^H) key (bnc#1012382).
- kconfig: display recursive dependency resolution hint just once (bsc#1100132).
- kernel/sysctl.c: fix out-of-bounds access when setting file-max (bnc#1012382).
- keys: Timestamp new keys (bsc#1120902).
- kprobes: Fix error check when reusing optimized probes (bnc#1012382).
- kprobes: Mark ftrace mcount handler functions nokprobe (bnc#1012382).
- kprobes: Prohibit probing on bsearch() (bnc#1012382).
- kvm: fail KVM_SET_VCPU_EVENTS with invalid exception number (bnc#1012382).
- kvm: x86: Do not clear EFER during SMM transitions for 32-bit vCPU (bnc#1012382).
- kvm: x86: avoid misreporting level-triggered irqs as edge-triggered in tracing (bnc#1012382).
- leds: lp55xx: fix null deref on firmware load failure (bnc#1012382).
- lib/div64.c: off by one in shift (bnc#1012382).
- lib/int_sqrt: optimize initial value compute (bnc#1012382).
- lib/string.c: implement a basic bcmp (bnc#1012382).
- lib: add crc64 calculation routines (bsc#1130972).
- lib: do not depend on linux headers being installed (bsc#1130972).
- libata: fix using DMA buffers on stack (bnc#1012382).
- libnvdimm/btt: Fix a kmemdup failure check (bnc#1012382).
- lpfc: validate command in lpfc_sli4_scmd_to_wqidx_distr() (bsc#1129138).
- mac80211: do not call driver wake_tx_queue op during reconfig (bnc#1012382).
- mac80211_hwsim: validate number of different channels (bsc#1085539).
- md: use mddev_suspend/resume instead of ->quiesce() (bsc#1132212).
- media: mt9m111: set initial frame size other than 0x0 (bnc#1012382).
- media: mx2_emmaprp: Correct return type for mem2mem buffer helpers (bnc#1012382).
- media: pvrusb2: Prevent a buffer overflow (bsc#1135642).
- media: s5p-g2d: Correct return type for mem2mem buffer helpers (bnc#1012382).
- media: s5p-jpeg: Check for fmt_ver_flag when doing fmt enumeration (bnc#1012382).
- media: s5p-jpeg: Correct return type for mem2mem buffer helpers (bnc#1012382).
- media: sh_veu: Correct return type for mem2mem buffer helpers (bnc#1012382).
- media: v4l2: i2c: ov7670: Fix PLL bypass register values (bnc#1012382).
- media: vb2: do not call __vb2_queue_cancel if vb2_start_streaming failed (bsc#1120902).
- mips: scall64-o32: Fix indirect syscall number load (bnc#1012382).
- mm/cma.c: cma_declare_contiguous: correct err handling (bnc#1012382).
- mm/page_ext.c: fix an imbalance with kmemleak (bnc#1012382).
- mm/slab.c: kmemleak no scan alien caches (bnc#1012382).
- mm/vmalloc.c: fix kernel BUG at mm/vmalloc.c:512! (bnc#1012382).
- mm/vmstat.c: fix /proc/vmstat format for CONFIG_DEBUG_TLBFLUSH=y CONFIG_SMP=n (bnc#1012382).
- mm: mempolicy: make mbind() return -EIO when MPOL_MF_STRICT is specified (bnc#1012382).
- mmc: davinci: remove extraneous __init annotation (bnc#1012382).
- mmc: omap: fix the maximum timeout setting (bnc#1012382).
- modpost: file2alias: check prototype of handler (bnc#1012382).
- modpost: file2alias: go back to simple devtable lookup (bnc#1012382).
- mount: copy the port field into the cloned nfs_server structure (bsc#1136990).
- mt7601u: bump supported EEPROM version (bnc#1012382).
- mtd: Fix comparison in map_word_andequal() (git-fixes).
- mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies() (bsc#1136935).
- net/ibmvnic: Update MAC address settings after adapter reset (bsc#1134760).
- net/ibmvnic: Update carrier state after link state change (bsc#1135100).
- net: atm: Fix potential Spectre v1 vulnerabilities (bnc#1012382).
- net: bridge: multicast: use rcu to access port list from br_multicast_start_querier (bnc#1012382).
- net: ena: fix return value of ena_com_config_llq_info() (bsc#1117562).
- net: ethernet: ti: fix possible object reference leak (bnc#1012382).
- net: ethtool: not call vzalloc for zero sized memory request (bnc#1012382).
- net: fou: do not use guehdr after iptunnel_pull_offloads in gue_udp_recv (bnc#1012382).
- net: hns: Fix WARNING when remove HNS driver with SMMU enabled (bnc#1012382).
- net: hns: Use NAPI_POLL_WEIGHT for hns driver (bnc#1012382).
- net: ibm: fix possible object reference leak (bnc#1012382).
- net: ks8851: Delay requesting IRQ until opened (bnc#1012382).
- net: ks8851: Dequeue RX packets explicitly (bnc#1012382).
- net: ks8851: Reassert reset pin if chip ID check fails (bnc#1012382).
- net: ks8851: Set initial carrier state to down (bnc#1012382).
- net: rds: force to destroy connection if t_sock is NULL in rds_tcp_kill_sock() (bnc#1012382).
- net: stmmac: move stmmac_check_ether_addr() to driver probe (bnc#1012382).
- net: ucc_geth - fix Oops when changing number of buffers in the ring (bnc#1012382).
- net: xilinx: fix possible object reference leak (bnc#1012382).
- netfilter: bridge: set skb transport_header before entering NF_INET_PRE_ROUTING (bnc#1012382).
- netfilter: compat: initialize all fields in xt_init (bnc#1012382).
- netfilter: ebtables: CONFIG_COMPAT: drop a bogus WARN_ON (bnc#1012382).
- netfilter: physdev: relax br_netfilter dependency (bnc#1012382).
- netns: provide pure entropy for net_hash_mix() (bnc#1012382).
- nfs/pnfs: Bulk destroy of layouts needs to be safe w.r.t. umount (git-fixes).
- nfs: Add missing encode / decode sequence_maxsz to v4.2 operations (git-fixes).
- nfs: Fix I/O request leakages (git-fixes).
- nfs: Forbid setting AF_INET6 to 'struct sockaddr_in'->sin_family (bnc#1012382).
- nfs: clean up rest of reqs when failing to add one (git-fixes).
- nfsd: Do not release the callback slot unless it was actually held (bnc#1012382).
- ntp: Allow TAI-UTC offset to be set to zero (bsc#1135642).
- nvme-fc: resolve io failures during connect (bsc#1116803).
- nvme: Do not allow to reset a reconnecting controller (bsc#1133874).
- ocfs2: fix a panic problem caused by o2cb_ctl (bnc#1012382).
- openvswitch: fix flow actions reallocation (bnc#1012382).
- pNFS: Skip invalid stateids when doing a bulk destroy (git-fixes).
- packet: Fix error path in packet_init (bnc#1012382).
- packet: validate msg_namelen in send directly (bnc#1012382).
- pci: Add function 1 DMA alias quirk for Marvell 9170 SATA controller (bnc#1012382).
- pci: Mark AMD Stoney Radeon R7 GPU ATS as broken (bsc#1137142).
- pci: Mark Atheros AR9462 to avoid bus reset (bsc#1135642).
- pci: xilinx-nwl: Add missing of_node_put() (bsc#1100132).
- perf evsel: Free evsel->counts in perf_evsel__exit() (bnc#1012382).
- perf test: Fix failure of 'evsel-tp-sched' test on s390 (bnc#1012382).
- perf tests: Fix a memory leak in test__perf_evsel__tp_sched_test() (bnc#1012382).
- perf tests: Fix a memory leak of cpu_map object in the openat_syscall_event_on_all_cpus test (bnc#1012382).
- perf top: Fix error handling in cmd_top() (bnc#1012382).
- perf/core: Restore mmap record type correctly (bnc#1012382).
- perf/x86/intel: Allow PEBS multi-entry in watermark mode (git-fixes).
- perf/x86/intel: Fix handling of wakeup_events for multi-entry PEBS (bnc#1012382).
- platform/x86: sony-laptop: Fix unintentional fall-through (bnc#1012382).
- powerpc/64: Add CONFIG_PPC_BARRIER_NOSPEC (bnc#1012382).
- powerpc/64: Call setup_barrier_nospec() from setup_arch() (bnc#1012382 bsc#1131107).
- powerpc/64: Make meltdown reporting Book3S 64 specific (bnc#1012382).
- powerpc/64s: Include cpu header (bnc#1012382).
- powerpc/booke64: set RI in default MSR (bnc#1012382).
- powerpc/fsl: Add FSL_PPC_BOOK3E as supported arch for nospectre_v2 boot arg (bnc#1012382).
- powerpc/fsl: Add barrier_nospec implementation for NXP PowerPC Book3E (bnc#1012382).
- powerpc/fsl: Add infrastructure to fixup branch predictor flush (bnc#1012382).
- powerpc/fsl: Add macro to flush the branch predictor (bnc#1012382).
- powerpc/fsl: Add nospectre_v2 command line argument (bnc#1012382).
- powerpc/fsl: Emulate SPRN_BUCSR register (bnc#1012382).
- powerpc/fsl: Enable runtime patching if nospectre_v2 boot arg is used (bnc#1012382).
- powerpc/fsl: Fix the flush of branch predictor (bnc#1012382).
- powerpc/fsl: Fixed warning: orphan section `__btb_flush_fixup' (bnc#1012382).
- powerpc/fsl: Flush branch predictor when entering KVM (bnc#1012382).
- powerpc/fsl: Flush the branch predictor at each kernel entry (32 bit) (bnc#1012382).
- powerpc/fsl: Flush the branch predictor at each kernel entry (64bit) (bnc#1012382).
- powerpc/fsl: Sanitize the syscall table for NXP PowerPC 32 bit platforms (bnc#1012382).
- powerpc/fsl: Update Spectre v2 reporting (bnc#1012382).
- powerpc/lib: fix book3s/32 boot failure due to code patching (bnc#1012382).
- powerpc/xmon: Add RFI flush related fields to paca dump (bnc#1012382).
- qede: fix write to free'd pointer error and double free of ptp (bsc#1019695 bsc#1019696).
- qlcnic: Avoid potential NULL pointer dereference (bnc#1012382).
- qmi_wwan: add Olicard 600 (bnc#1012382).
- rdma/iw_cxgb4: Fix the unchecked ep dereference (bsc#1005778 bsc#1005780 bsc#1005781).
- rdma/qedr: Fix out of bounds index check in query pkey (bsc#1022604).
- regulator: act8865: Fix act8600_sudcdc_voltage_ranges setting (bnc#1012382).
- rsi: improve kernel thread handling to fix kernel panic (bnc#1012382).
- rtc: da9063: set uie_unsupported when relevant (bnc#1012382).
- rtc: sh: Fix invalid alarm warning for non-enabled alarm (bnc#1012382).
- s390/3270: fix lockdep false positive on view->lock (bnc#1012382).
- s390/dasd: Fix capacity calculation for large volumes (bnc#1012382).
- s390: ctcm: fix ctcm_new_device error return code (bnc#1012382).
- sc16is7xx: missing unregister/delete driver on error in sc16is7xx_init() (bnc#1012382).
- sc16is7xx: move label 'err_spi' to correct section (git-fixes).
- sched/fair: Do not re-read ->h_load_next during hierarchical load calculation (bnc#1012382).
- sched/fair: Limit sched_cfs_period_timer() loop to avoid hard lockup (bnc#1012382).
- sched/numa: Fix a possible divide-by-zero (bnc#1012382).
- sched: Add sched_smt_active() (bnc#1012382).
- scsi: core: replace GFP_ATOMIC with GFP_KERNEL in scsi_scan.c (bnc#1012382).
- scsi: csiostor: fix missing data copy in csio_scsi_err_handler() (bnc#1012382).
- scsi: libsas: fix a race condition when smp task timeout (bnc#1012382).
- scsi: megaraid_sas: return error when create DMA pool failed (bnc#1012382).
- scsi: qla2xxx: Fix incorrect region-size setting in optrom SYSFS routines (bnc#1012382).
- scsi: qla4xxx: fix a potential NULL pointer dereference (bnc#1012382).
- scsi: storvsc: Fix calculation of sub-channel count (bnc#1012382).
- scsi: zfcp: reduce flood of fcrscn1 trace records on multi-element RSCN (bnc#1012382).
- sctp: initialize _pad of sockaddr_in before copying to user memory (bnc#1012382).
- selftests/net: correct the return value for run_netsocktests (bnc#1012382).
- selinux: never allow relabeling on context mounts (bnc#1012382).
- serial: uartps: console_setup() can't be placed to init section (bnc#1012382).
- slip: make slhc_free() silently accept an error pointer (bnc#1012382).
- soc/tegra: fuse: Fix illegal free of IO base address (bnc#1012382).
- soc: imx-sgtl5000: add missing put_device() (bnc#1012382).
- soc: qcom: gsbi: Fix error handling in gsbi_probe() (bnc#1012382).
- staging: comedi: ni_usb6501: Fix possible double-free of ->usb_rx_buf (bnc#1012382).
- staging: comedi: ni_usb6501: Fix use of uninitialized mutex (bnc#1012382).
- staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf (bnc#1012382).
- staging: comedi: vmk80xx: Fix use of uninitialized semaphore (bnc#1012382).
- staging: iio: adt7316: allow adt751x to use internal vref for all dacs (bnc#1012382).
- staging: iio: adt7316: fix the dac read calculation (bnc#1012382).
- staging: iio: adt7316: fix the dac write calculation (bnc#1012382).
- supported.conf: add lib/crc64 because bcache uses it
- sysctl: handle overflow for file-max (bnc#1012382).
- tcp: Ensure DCTCP reacts to losses (bnc#1012382).
- tcp: add tcp_min_snd_mss sysctl (bsc#1137586).
- tcp: enforce tcp_min_snd_mss in tcp_mtu_probing() (bsc#1137586).
- tcp: limit payload size of sacked skbs (bsc#1137586).
- tcp: tcp_fragment() should apply sane memory limits (bsc#1137586).
- tcp: tcp_grow_window() needs to respect tcp_space() (bnc#1012382).
- team: fix possible recursive locking when add slaves (bnc#1012382).
- thermal/int340x_thermal: Add additional UUIDs (bnc#1012382).
- thermal/int340x_thermal: fix mode setting (bnc#1012382).
- timer/debug: Change /proc/timer_stats from 0644 to 0600 (bnc#1012382).
- tipc: check bearer name with right length in tipc_nl_compat_bearer_enable (bnc#1012382).
- tipc: check link name with right length in tipc_nl_compat_link_set (bnc#1012382).
- tipc: handle the err returned from cmd header function (bnc#1012382).
- tools lib traceevent: Fix buffer overflow in arg_eval (bnc#1012382).
- tools lib traceevent: Fix missing equality check for strcmp (bsc#1129770).
- tools/power turbostat: return the exit status of a command (bnc#1012382).
- tpm/tpm_crb: Avoid unaligned reads in crb_recv() (bnc#1012382).
- tpm/tpm_i2c_atmel: Return -E2BIG when the transfer is incomplete (bnc#1012382).
- trace: Fix preempt_enable_no_resched() abuse (bnc#1012382).
- tracing: Fix partial reading of trace event's id file (bsc#1136573).
- tracing: kdb: Fix ftdump to not sleep (bnc#1012382).
- tty/serial: atmel: Add is_half_duplex helper (bnc#1012382).
- tty/serial: atmel: RS485 HD w/DMA: enable RX after TX is stopped (bnc#1012382).
- tty: increase the default flip buffer limit to 2*640K (bnc#1012382).
- tty: ldisc: add sysctl to prevent autoloading of ldiscs (bnc#1012382).
- uas: fix alignment of scatter/gather segments (bnc#1012382 bsc#1129770).
- uas: fix alignment of scatter/gather segments (bsc#1129770).
- ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour (bsc#1136455).
- usb: Add new USB LPM helpers (bsc#1129770).
- usb: Consolidate LPM checks to avoid enabling LPM twice (bsc#1129770).
- usb: cdc-acm: fix race during wakeup blocking TX traffic (bsc#1129770).
- usb: cdc-acm: fix unthrottle races (bsc#1135642).
- usb: chipidea: Grab the (legacy) usb PHY by phandle first (bnc#1012382).
- usb: core: Fix bug caused by duplicate interface PM usage counter (bnc#1012382).
- usb: core: Fix unterminated string returned by usb_string() (bnc#1012382).
- usb: dwc3: Fix default lpm_nyet_threshold value (bnc#1012382).
- usb: gadget: net2272: Fix net2272_dequeue() (bnc#1012382).
- usb: gadget: net2280: Fix net2280_dequeue() (bnc#1012382).
- usb: gadget: net2280: Fix overrun of OUT messages (bnc#1012382).
- usb: serial: fix unthrottle races (bnc#1012382).
- usb: serial: use variable for status (bnc#1012382).
- usb: u132-hcd: fix resource leak (bnc#1012382).
- usb: usbip: fix isoc packet num validation in get_pipe (bnc#1012382).
- usb: w1 ds2490: Fix bug caused by improper use of altsetting array (bnc#1012382).
- usb: yurex: Fix protection fault after device removal (bnc#1012382).
- usbnet: ipheth: fix potential null pointer dereference in ipheth_carrier_set (bnc#1012382).
- usbnet: ipheth: prevent TX queue timeouts when device not ready (bnc#1012382).
- vfio/pci: use correct format characters (bnc#1012382).
- vlan: disable SIOCSHWTSTAMP in container (bnc#1012382).
- vrf: sit mtu should not be updated when vrf netdev is the link (bnc#1012382).
- wlcore: Fix memory leak in case wl12xx_fetch_firmware failure (bnc#1012382).
- x86/Kconfig: Select SCHED_SMT if SMP enabled (bnc#1012382).
- x86/MCE: Save microcode revision in machine check records (bnc#1012382).
- x86/bugs: Add AMD's SPEC_CTRL MSR usage (bnc#1012382).
- x86/bugs: Change L1TF mitigation string to match upstream (bnc#1012382).
- x86/bugs: Fix the AMD SSBD usage of the SPEC_CTRL MSR (bnc#1012382).
- x86/bugs: Switch the selection of mitigation from CPU vendor to CPU features (bnc#1012382).
- x86/build: Mark per-CPU symbols as absolute explicitly for LLD (bnc#1012382).
- x86/build: Specify elf_i386 linker emulation explicitly for i386 objects (bnc#1012382).
- x86/cpu/bugs: Use __initconst for 'const' init data (bnc#1012382).
- x86/cpu/cyrix: Use correct macros for Cyrix calls on Geode processors (bnc#1012382).
- x86/cpufeatures: Hide AMD-specific speculation flags (bnc#1012382).
- x86/hpet: Prevent potential NULL pointer dereference (bnc#1012382).
- x86/hw_breakpoints: Make default case in hw_breakpoint_arch_parse() return an error (bnc#1012382).
- x86/kprobes: Verify stack frame on kretprobe (bnc#1012382).
- x86/mds: Add MDSUM variant to the MDS documentation (bnc#1012382).
- x86/microcode/intel: Add a helper which gives the microcode revision (bnc#1012382).
- x86/microcode/intel: Check microcode revision before updating sibling threads (bnc#1012382).
- x86/microcode: Make sure boot_cpu_data.microcode is up-to-date (bnc#1012382).
- x86/microcode: Update the new microcode revision unconditionally (bnc#1012382).
- x86/mm: Use WRITE_ONCE() when setting PTEs (bnc#1012382).
- x86/process: Consolidate and simplify switch_to_xtra() code (bnc#1012382).
- x86/speculataion: Mark command line parser data __initdata (bnc#1012382).
- x86/speculation/l1tf: Document l1tf in sysfs (bnc#1012382).
- x86/speculation/mds: Fix comment (bnc#1012382).
- x86/speculation/mds: Fix documentation typo (bnc#1012382).
- x86/speculation: Add command line control for indirect branch speculation (bnc#1012382).
- x86/speculation: Add prctl() control for indirect branch speculation (bnc#1012382).
- x86/speculation: Add seccomp Spectre v2 user space protection mode (bnc#1012382).
- x86/speculation: Avoid __switch_to_xtra() calls (bnc#1012382).
- x86/speculation: Clean up spectre_v2_parse_cmdline() (bnc#1012382).
- x86/speculation: Disable STibP when enhanced IBRS is in use (bnc#1012382).
- x86/speculation: Enable prctl mode for spectre_v2_user (bnc#1012382).
- x86/speculation: Mark string arrays const correctly (bnc#1012382).
- x86/speculation: Move STIPB/ibPB string conditionals out of cpu_show_common() (bnc#1012382).
- x86/speculation: Prepare arch_smt_update() for PRCTL mode (bnc#1012382).
- x86/speculation: Prepare for conditional ibPB in switch_mm() (bnc#1012382).
- x86/speculation: Prepare for per task indirect branch speculation control (bnc#1012382).
- x86/speculation: Prevent stale SPEC_CTRL msr content (bnc#1012382).
- x86/speculation: Provide ibPB always command line options (bnc#1012382).
- x86/speculation: Remove SPECTRE_V2_ibRS in enum spectre_v2_mitigation (bnc#1012382).
- x86/speculation: Remove unnecessary ret variable in cpu_show_common() (bnc#1012382).
- x86/speculation: Rename SSBD update functions (bnc#1012382).
- x86/speculation: Reorder the spec_v2 code (bnc#1012382).
- x86/speculation: Reorganize speculation control MSRs update (bnc#1012382).
- x86/speculation: Split out TIF update (bnc#1012382).
- x86/speculation: Support 'mitigations=' cmdline option (bnc#1012382 bsc#1112178).
- x86/speculation: Support Enhanced ibRS on future CPUs (bnc#1012382).
- x86/speculation: Unify conditional spectre v2 print functions (bnc#1012382).
- x86/speculation: Update the TIF_SSBD comment (bnc#1012382).
- x86/vdso: Drop implicit common-page-size linker flag (bnc#1012382).
- x86/vdso: Pass --eh-frame-hdr to the linker (git-fixes).
- x86: vdso: Use $LD instead of $CC to link (bnc#1012382).
- x86_64: Add gap to int3 to allow for call emulation (bsc#1099658).
- x86_64: Allow breakpoints to emulate call instructions (bsc#1099658).
- xen: Prevent buffer overflow in privcmd ioctl (bnc#1012382).
- xenbus: drop useless LIST_HEAD in xenbus_write_watch() and xenbus_file_write() (bsc#1065600).
- xsysace: Fix error handling in ace_setup (bnc#1012382).
- xtensa: fix return_address (bnc#1012382).
ImportantSUSE bug 1005778SUSE bug 1005780SUSE bug 1005781SUSE bug 1012382SUSE bug 1019695SUSE bug 1019696SUSE bug 1022604SUSE bug 1063638SUSE bug 1065600SUSE bug 1085535SUSE bug 1085539SUSE bug 1090888SUSE bug 1099658SUSE bug 1100132SUSE bug 1106110SUSE bug 1106284SUSE bug 1106929SUSE bug 1108293SUSE bug 1108838SUSE bug 1110785SUSE bug 1110946SUSE bug 1112063SUSE bug 1112178SUSE bug 1116803SUSE bug 1117562SUSE bug 1119086SUSE bug 1120642SUSE bug 1120843SUSE bug 1120902SUSE bug 1122776SUSE bug 1126040SUSE bug 1126356SUSE bug 1128052SUSE bug 1129138SUSE bug 1129770SUSE bug 1130972SUSE bug 1131107SUSE bug 1131488SUSE bug 1131565SUSE bug 1132212SUSE bug 1132472SUSE bug 1133188SUSE bug 1133874SUSE bug 1134160SUSE bug 1134162SUSE bug 1134338SUSE bug 1134537SUSE bug 1134564SUSE bug 1134565SUSE bug 1134566SUSE bug 1134651SUSE bug 1134760SUSE bug 1134806SUSE bug 1134813SUSE bug 1134848SUSE bug 1135013SUSE bug 1135014SUSE bug 1135015SUSE bug 1135100SUSE bug 1135120SUSE bug 1135281SUSE bug 1135603SUSE bug 1135642SUSE bug 1135661SUSE bug 1135878SUSE bug 1136424SUSE bug 1136438SUSE bug 1136448SUSE bug 1136449SUSE bug 1136451SUSE bug 1136452SUSE bug 1136455SUSE bug 1136458SUSE bug 1136539SUSE bug 1136573SUSE bug 1136575SUSE bug 1136586SUSE bug 1136590SUSE bug 1136623SUSE bug 1136810SUSE bug 1136935SUSE bug 1136990SUSE bug 1137142SUSE bug 1137162SUSE bug 1137586SUSE bug 843419CVE-2018-17972 at SUSECVE-2018-17972 at NVDCVE-2018-7191 at SUSECVE-2018-7191 at NVDCVE-2019-11190 at SUSECVE-2019-11190 at NVDCVE-2019-11477 at SUSECVE-2019-11477 at NVDCVE-2019-11478 at SUSECVE-2019-11478 at NVDCVE-2019-11479 at SUSECVE-2019-11479 at NVDCVE-2019-11486 at SUSECVE-2019-11486 at NVDCVE-2019-11815 at SUSECVE-2019-11815 at NVDCVE-2019-11833 at SUSECVE-2019-11833 at NVDCVE-2019-11884 at SUSECVE-2019-11884 at NVDCVE-2019-12382 at SUSECVE-2019-12382 at NVDCVE-2019-3846 at SUSECVE-2019-3846 at NVDCVE-2019-5489 at SUSECVE-2019-5489 at NVDcpe:/o:suse:sles:12:sp3Security update for libvirt (Important)SUSE Linux Enterprise Server 12 SP3
This update for libvirt fixes the following issues:
Four new speculative execution information leak issues have been identified in Intel CPUs. (bsc#1111331)
- CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
- CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)
- CVE-2018-12130: Microarchitectural Load Port Data Sampling (MLPDS)
- CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
These updates contain the libvirt adjustments, that pass through the new 'md-clear' CPU flag (bsc#1135273).
For more information on this set of vulnerabilities, check out https://www.suse.com/support/kb/doc/?id=7023736
ImportantSUSE bug 1111331SUSE bug 1135273CVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDcpe:/o:suse:sles:12:sp3Security update for gstreamer-plugins-base (Important)SUSE Linux Enterprise Server 12 SP3
This update for gstreamer-plugins-base fixes the following issue:
Security issue fixed:
- CVE-2019-9928: Fixed a heap-based overflow in the rtsp connection parser (bsc#1133375).
ImportantSUSE bug 1133375CVE-2019-9928 at SUSECVE-2019-9928 at NVDcpe:/o:suse:sles:12:sp3Security update for sqlite3 (Important)SUSE Linux Enterprise Server 12 SP3
This update for sqlite3 fixes the following issues:
Security issue fixed:
- CVE-2019-8457: Fixed a Heap out-of-bound read in rtreenode() when handling invalid rtree tables (bsc#1136976).
ImportantSUSE bug 1136976CVE-2019-8457 at SUSECVE-2019-8457 at NVDcpe:/o:suse:sles:12:sp3Security update for libssh2_org (Moderate)SUSE Linux Enterprise Server 12 SP3SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libssh2_org fixes the following issues:
- Fix the previous fix for CVE-2019-3860 (bsc#1136570, bsc#1128481)
(Out-of-bounds reads with specially crafted SFTP packets)
ModerateSUSE bug 1128481SUSE bug 1136570CVE-2019-3860 at SUSECVE-2019-3860 at NVDcpe:/o:suse:sles-ltss:12:sp3cpe:/o:suse:sles:12:sp3Security update for wireshark (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for wireshark to version 2.4.15 fixes the following issues:
Security issue fixed:
- Fixed a denial of service in the dissection engine (bsc#1136021).
ModerateSUSE bug 1136021cpe:/o:suse:sles:12:sp3Recommended update for MozillaFirefox (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for MozillaFirefox to version 60.7.1 fixes the following issues:
Security issue fixed:
- CVE-2019-11707: Fixed a type confusion vulnerability in Arrary.pop (bsc#1138614)
Other issue addressed:
- Fixed broken language plugins (bsc#1137792)
ModerateSUSE bug 1137792SUSE bug 1138614CVE-2019-11707 at SUSECVE-2019-11707 at NVDcpe:/o:suse:sles:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3
This update for java-1_8_0-ibm fixes the following issues:
Update to Java 8.0 Service Refresh 5 Fix Pack 35.
Security issues fixed:
- CVE-2019-10245: Fixed Java bytecode verifier issue causing crashes (bsc#1134718).
- CVE-2019-2698: Fixed out of bounds access flaw in the 2D component (bsc#1132729).
- CVE-2019-2697: Fixed flaw inside the 2D component (bsc#1132734).
- CVE-2019-2602: Fixed flaw inside BigDecimal implementation (Component: Libraries) (bsc#1132728).
- CVE-2019-2684: Fixed flaw was found in the RMI registry implementation (bsc#1132732).
ImportantSUSE bug 1132728SUSE bug 1132729SUSE bug 1132732SUSE bug 1132734SUSE bug 1134718CVE-2019-10245 at SUSECVE-2019-10245 at NVDCVE-2019-2602 at SUSECVE-2019-2602 at NVDCVE-2019-2684 at SUSECVE-2019-2684 at NVDCVE-2019-2697 at SUSECVE-2019-2697 at NVDCVE-2019-2698 at SUSECVE-2019-2698 at NVDcpe:/o:suse:sles:12:sp3Security update for netpbm (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for netpbm fixes the following issues:
Security issues fixed:
- CVE-2018-8975: The pm_mallocarray2 function allowed remote attackers to cause
a denial of service (heap-based buffer over-read) via a crafted image file (bsc#1086777).
- CVE-2017-2579: Fixed out-of-bounds read in expandCodeOntoStack() (bsc#1024288).
- CVE-2017-2580: Fixed out-of-bounds write of heap data in addPixelToRaster() function (bsc#1024291).
- create netpbm-vulnerable subpackage and move pstopnm there (bsc#1136936)
ModerateSUSE bug 1024288SUSE bug 1024291SUSE bug 1086777SUSE bug 1136936CVE-2017-2579 at SUSECVE-2017-2579 at NVDCVE-2017-2580 at SUSECVE-2017-2580 at NVDCVE-2018-8975 at SUSECVE-2018-8975 at NVDcpe:/o:suse:sles:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
- Mozilla Firefox Firefox 60.7.2
MFSA 2019-19 (bsc#1138872)
- CVE-2019-11708: Fix sandbox escape using Prompt:Open.
* Insufficient vetting of parameters passed with the Prompt:Open IPC
message between child and parent processes could result in the non-sandboxed
parent process opening web content chosen by a compromised child process.
When combined with additional vulnerabilities this could result in executing
arbitrary code on the user's computer.
ImportantSUSE bug 1138872CVE-2019-11708 at SUSECVE-2019-11708 at NVDcpe:/o:suse:sles-ltss:12:sp3cpe:/o:suse:sles:12:sp3Security update for postgresql96 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for postgresql96 fixes the following issues:
Security issue fixed:
- CVE-2019-10130: Prevent row-level security policies from being bypassed via selectivity estimators (bsc#1134689).
ModerateSUSE bug 1134689CVE-2019-10130 at SUSECVE-2019-10130 at NVDcpe:/o:suse:sles:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ImageMagick fixes the following issues:
Security issues fixed:
- CVE-2019-11597: Fixed a heap-based buffer over-read in the WriteTIFFImage() (bsc#1138464).
- Fixed a file content disclosure via SVG and WMF decoding (bsc#1138425).- CVE-2019-11472: Fixed a denial of service in ReadXWDImage() (bsc#1133204).
- CVE-2019-11470: Fixed a denial of service in ReadCINImage() (bsc#1133205).
- CVE-2019-11506: Fixed a heap-based buffer overflow in the WriteMATLABImage() (bsc#1133498).
- CVE-2019-11505: Fixed a heap-based buffer overflow in the WritePDBImage() (bsc#1133501).
- CVE-2019-10131: Fixed a off-by-one read in formatIPTCfromBuffer function in coders/meta.c (bsc#1134075).
- CVE-2017-12806: Fixed a denial of service through memory exhaustion in format8BIM() (bsc#1135232).
- CVE-2017-12805: Fixed a denial of service through memory exhaustion in ReadTIFFImage() (bsc#1135236).
- CVE-2019-11598: Fixed a heap-based buffer over-read in WritePNMImage() (bsc#1136732)
We also now disable PCL in the -SUSE configuration, as it also uses ghostscript for decoding (bsc#1136183)
ModerateSUSE bug 1133204SUSE bug 1133205SUSE bug 1133498SUSE bug 1133501SUSE bug 1134075SUSE bug 1135232SUSE bug 1135236SUSE bug 1136183SUSE bug 1136732SUSE bug 1138425SUSE bug 1138464CVE-2017-12805 at SUSECVE-2017-12805 at NVDCVE-2017-12806 at SUSECVE-2017-12806 at NVDCVE-2019-10131 at SUSECVE-2019-10131 at NVDCVE-2019-11470 at SUSECVE-2019-11470 at NVDCVE-2019-11472 at SUSECVE-2019-11472 at NVDCVE-2019-11505 at SUSECVE-2019-11505 at NVDCVE-2019-11506 at SUSECVE-2019-11506 at NVDCVE-2019-11597 at SUSECVE-2019-11597 at NVDCVE-2019-11598 at SUSECVE-2019-11598 at NVDcpe:/o:suse:sles:12:sp3Security update for dnsmasq (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for dnsmasq fixes the following issues:
Security issue fixed:
- CVE-2017-15107: Fixed a vulnerability in DNSSEC implementation. Processing of
wildcard synthesized NSEC records may result improper validation for non-existance. (bsc#1076958)
Non-security issue fixed:
- Reload system dbus to pick up policy change on install (bsc#1054429).
ModerateSUSE bug 1054429SUSE bug 1076958CVE-2017-15107 at SUSECVE-2017-15107 at NVDcpe:/o:suse:sles:12:sp3Security update for glib2 (Important)SUSE Linux Enterprise Server 12 SP3
This update for glib2 provides the following fix:
Security issues fixed:
- CVE-2019-12450: Fixed an improper file permission when copy operation
takes place (bsc#1137001).
- CVE-2018-16428: Avoid a null pointer dereference that could crash glib2 users in markup processing (bnc#1107121).
- CVE-2018-16429: Fixed out-of-bounds read vulnerability ing_markup_parse_context_parse() (bsc#1107116).
Non-security issues fixed:
- Install dummy *-mimeapps.list files to prevent dead symlinks. (bsc#1061599)
ImportantSUSE bug 1061599SUSE bug 1107116SUSE bug 1107121SUSE bug 1137001CVE-2018-16428 at SUSECVE-2018-16428 at NVDCVE-2018-16429 at SUSECVE-2018-16429 at NVDCVE-2019-12450 at SUSECVE-2019-12450 at NVDcpe:/o:suse:sles:12:sp3Security update for elfutils (Low)SUSE Linux Enterprise Server 12 SP3
This update for elfutils fixes the following issues:
Security issues fixed:
- CVE-2018-16403: Fixed a heap-based buffer over-read that could have led to Denial of Service (bsc#1107067).
- CVE-2016-10254: Fixed a memory allocation failure in alloxate_elf (bsc#1030472).
- CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007).
- CVE-2016-10255: Fixed a memory allocation failure in libelf_set_rawdata_wrlock (bsc#1030476).
- CVE-2019-7150: Added a missing check in dwfl_segment_report_module which could have allowed truncated files
to be read (bsc#1123685).
- CVE-2018-16062: Fixed a heap-buffer-overflow (bsc#1106390).
- CVE-2017-7611: Fixed a heap-based buffer over-read that could have led to Denial of Service (bsc#1033088).
- CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections
and the number of segments in a crafted ELF file (bsc#1033090).
- CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084).
- CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085).
- CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087).
- CVE-2018-18521: Fixed multiple divide-by-zero vulnerabilities in function arlib_add_symbols() (bsc#1112723).
- CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089).
- CVE-2018-18310: Fixed an invalid address read in dwfl_segment_report_module.c (bsc#1111973).
- CVE-2018-18520: Fixed bad handling of ar files inside are files (bsc#1112726).
LowSUSE bug 1030472SUSE bug 1030476SUSE bug 1033084SUSE bug 1033085SUSE bug 1033087SUSE bug 1033088SUSE bug 1033089SUSE bug 1033090SUSE bug 1106390SUSE bug 1107067SUSE bug 1111973SUSE bug 1112723SUSE bug 1112726SUSE bug 1123685SUSE bug 1125007CVE-2016-10254 at SUSECVE-2016-10254 at NVDCVE-2016-10255 at SUSECVE-2016-10255 at NVDCVE-2017-7607 at SUSECVE-2017-7607 at NVDCVE-2017-7608 at SUSECVE-2017-7608 at NVDCVE-2017-7610 at SUSECVE-2017-7610 at NVDCVE-2017-7611 at SUSECVE-2017-7611 at NVDCVE-2017-7612 at SUSECVE-2017-7612 at NVDCVE-2017-7613 at SUSECVE-2017-7613 at NVDCVE-2018-16062 at SUSECVE-2018-16062 at NVDCVE-2018-16403 at SUSECVE-2018-16403 at NVDCVE-2018-18310 at SUSECVE-2018-18310 at NVDCVE-2018-18520 at SUSECVE-2018-18520 at NVDCVE-2018-18521 at SUSECVE-2018-18521 at NVDCVE-2019-7150 at SUSECVE-2019-7150 at NVDCVE-2019-7665 at SUSECVE-2019-7665 at NVDcpe:/o:suse:sles:12:sp3Security update for postgresql10 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for postgresql10 to version 10.9 fixes the following issue:
Security issue fixed:
- CVE-2019-10164: Fixed buffer-overflow vulnerabilities in SCRAM verifier parsing (bsc#1138034).
More information at https://www.postgresql.org/docs/10/release-10-9.html
ImportantSUSE bug 1138034CVE-2019-10164 at SUSECVE-2019-10164 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for avahi (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for avahi fixes the following issues:
Security issue fixed:
- CVE-2018-1000845: Fixed DNS amplification and reflection to spoofed addresses (DOS) (bsc#1120281)
ModerateSUSE bug 1120281CVE-2018-1000845 at SUSECVE-2018-1000845 at NVDcpe:/o:suse:sles:12:sp3Security update for glib2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for glib2 fixes the following issues:
Security issue fixed:
- CVE-2019-13012: Fixed improper restriction of file permissions when creating directories (bsc#1139959).
Non-security issue fixed:
- Added explicit requires between libglib2 and libgio2 (bsc#1140122).
ImportantSUSE bug 1139959SUSE bug 1140122CVE-2019-13012 at SUSECVE-2019-13012 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3SUSE Linux Enterprise Server 12 SP3-LTSS
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2019-10638: In the Linux kernel, a device could be tracked by an attacker using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic was sent to multiple destination IP addresses, it was possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). An attack may have been conducted by hosting a crafted web page that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses (bnc#1140575 1140577).
- CVE-2019-10639: The Linux kernel allowed Information Exposure (partial kernel address disclosure), that lead to a KASLR bypass. Specifically, it was possible to extract the KASLR kernel image offset using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it was possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). This key contains enough bits from a kernel address (of a static variable) so when the key is extracted (via enumeration), the offset of the kernel image is exposed. This attack could be carried out remotely, by the attacker forcing the target device to send UDP or ICMP (or certain other) traffic to attacker-controlled IP addresses. Forcing a server to send UDP traffic is trivial if the server is a DNS server. ICMP traffic is trivial if the server answers ICMP Echo requests (ping). For client targets, if the target visited the attacker's web page, then WebRTC or gQUIC could be used to force UDP traffic to attacker-controlled IP addresses. NOTE: this attack against KASLR became viable because IP ID generation was changed to have a dependency on an address associated with a network namespace (bnc#1140577).
- CVE-2019-10126: A flaw was found in the Linux kernel. A heap based buffer overflow in mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c might have lead to memory corruption and possibly other consequences (bnc#1136935).
- CVE-2018-20836: An issue was discovered in the Linux kernel There was a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free (bnc#1134395).
- CVE-2019-11599: The coredump implementation in the Linux kernel did not use locking or other mechanisms to prevent vma layout or vma flags changes while it ran, which allowed local users to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a race condition with mmget_not_zero or get_task_mm call. This is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c (bnc#1131645 1133738).
- CVE-2019-12614: An issue was discovered in dlpar_parse_cc_property in arch/powerpc/platforms/pseries/dlpar.c in the Linux kernel There was an unchecked kstrdup of prop-name, which might have allowed an attacker to cause a denial of service (NULL pointer dereference and system crash) (bnc#1137194).
- CVE-2019-12819: An issue was discovered in the Linux kernel The function __mdiobus_register() in drivers/net/phy/mdio_bus.c calls put_device(), which would trigger a fixed_mdio_bus_init use-after-free. This would cause a denial of service (bnc#1138291).
- CVE-2019-12818: An issue was discovered in the Linux kernel The nfc_llcp_build_tlv function in net/nfc/llcp_commands.c may return NULL. If the caller did not check for this, it would trigger a NULL pointer dereference. This would cause a denial of service. This affected nfc_llcp_build_gb in net/nfc/llcp_core.c (bnc#1138293).
- CVE-2019-12456: A double-fetch bug in _ctl_ioctl_main() could lead to a local denial of service attack (bsc#1136922 CVE-2019-12456).
- CVE-2019-12380: An issue was discovered in the efi subsystem in the Linux kernel phys_efi_set_virtual_address_map in arch/x86/platform/efi/efi.c and efi_call_phys_prolog in arch/x86/platform/efi/efi_64.c mishandle memory allocation failures. NOTE: This id is disputed as not being an issue because ;All the code touched by the referenced commit runs only at boot, before any user processes are started. Therefore, there is no possibility for an unprivileged user to control it (bnc#1136598).
- CVE-2019-11487: The Linux kernel before allowed page-_refcount reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It could occur with FUSE requests (bnc#1133190 1133191).
The following non-security bugs were fixed:
- Drop multiversion(kernel) from the KMP template (bsc#1127155).
- Fix ixgbe backport (bsc#1133140)
- Revert 'KMPs: obsolete older KMPs of the same flavour (bsc#1127155, bsc#1109137).' This reverts commit 4cc83da426b53d47f1fde9328112364eab1e9a19.
- Update 'TCP SACK Panic' series
- ACPI / CPPC: Check for valid PCC subspace only if PCC is used (bsc#1126961).
- ACPI / CPPC: Fix KASAN global out of bounds warning (bsc#1126961).
- ACPI / CPPC: Make CPPC ACPI driver aware of PCC subspace IDs (bsc#1126961).
- ACPI / CPPC: Update all pr_(debug/err) messages to log the susbspace id (bsc#1126961).
- ACPI / CPPC: Use 64-bit arithmetic instead of 32-bit (bsc#1126961).
- ACPI / CPPC: fix build issue with ktime_t used in logical operation (bsc#1126961).
- ACPI: CPPC: remove initial assignment of pcc_ss_data (bsc#1126961).
- at76c50x-usb: Do not register led_trigger if usb_register_driver failed (bsc#1135642).
- ath6kl: Only use match sets when firmware supports it (bsc#1120902).
- btrfs: check for refs on snapshot delete resume (bsc#1131335, bsc#1137004).
- btrfs: run delayed items before dropping the snapshot (bsc#1121263, bsc#1111188, bsc#1137004).
- btrfs: save drop_progress if we drop refs at all (bsc#1131336, bsc#1137004).
- ceph: fix potential use-after-free in ceph_mdsc_build_path (bsc#1138681).
- ceph: flush dirty inodes before proceeding with remount (bsc#1138681).
- ceph: print inode number in __caps_issued_mask debugging messages (bsc#1138681).
- cpu/hotplug: Provide cpus_read|write_[un]lock() (bsc#1138374, LTC#178199).
- cpu/hotplug: Provide lockdep_assert_cpus_held() (bsc#1138374, LTC#178199).
- cpufreq / CPPC: Add cpuinfo_cur_freq support for CPPC (bsc#1126961).
- cpufreq: CPPC: fix build in absence of v3 support (bsc#1126961).
- cpufreq: Replace 'max_transition_latency' with 'dynamic_switching' (bsc#1126961).
- cpufreq: cn99xx: set platform specific sampling rate (bsc#1126961).
- ibmvnic: Add device identification to requested IRQs (bsc#1137739).
- ibmvnic: Do not close unopened driver during reset (bsc#1137752).
- ibmvnic: Fix unchecked return codes of memory allocations (bsc#1137752).
- ibmvnic: Refresh device multicast list after reset (bsc#1137752).
- ibmvnic: remove set but not used variable 'netdev' (bsc#1137739).
- iwiwifi: fix bad monitor buffer register addresses (bsc#1129770).
- kabi: cpufreq: rename dynamic_switching to max_transition_latency (bsc#1126961).
- kernel/sys.c: prctl: fix false positive in validate_prctl_map() (bsc#1137749).
- libertas_tf: prevent underflow in process_cmdrequest() (bsc#1119086).
- mailbox: PCC: Move the MAX_PCC_SUBSPACES definition to header file (bsc#1126961).
- mailbox: pcc: Drop uninformative output during boot (bsc#1126961).
- mailbox: pcc: Fix crash when request PCC channel 0 (bsc#1126961).
- mwl8k: Fix rate_idx underflow (bsc#1135642).
- net/ibmvnic: Remove tests of member address (bsc#1137739).
- net: Remove NO_IRQ from powerpc-only network drivers (bsc#1137739).
- nvmet-fc: bring Disconnect into compliance with FC-NVME spec (bsc#1136889).
- nvmet-fc: fix issues with targetport assoc_list list walking (bsc#1136889).
- nvmet: fix fatal_err_work deadlock (bsc#1136889).
- nvmet_fc: support target port removal with nvmet layer (bsc#1136889).
- powerpc/cacheinfo: add cacheinfo_teardown, cacheinfo_rebuild (bsc#1138374, LTC#178199).
- powerpc/eeh: Fix race with driver un/bind (bsc#1066223).
- powerpc/perf: Add blacklisted events for Power9 DD2.1 (bsc#1053043).
- powerpc/perf: Add blacklisted events for Power9 DD2.2 (bsc#1053043).
- powerpc/perf: Fix MMCRA corruption by bhrb_filter (bsc#1053043).
- powerpc/perf: Infrastructure to support addition of blacklisted events (bsc#1053043).
- powerpc/process: Fix sparse address space warnings (bsc#1066223).
- powerpc/pseries/mobility: prevent cpu hotplug during DT update (bsc#1138374, LTC#178199).
- powerpc/pseries/mobility: rebuild cacheinfo hierarchy post-migration (bsc#1138374, LTC#178199).
- rtlwifi: fix false rates in _rtl8821ae_mrate_idx_to_arfr_id() (bsc#1120902).
- scsi: core: add new RDAC LENOVO/DE_Series device (bsc#1132390).
- scsi: qla2xxx: Fix FC-AL connection target discovery (bsc#1094555).
- scsi: qla2xxx: Fix N2N target discovery with Local loop (bsc#1094555).
- signals: avoid random wakeups in sigsuspend() (bsc#1137915)
- treewide: Use DEVICE_ATTR_WO (bsc#1137739).
- x86/entry/64/compat: Fix stack switching for XEN PV (bsc#1108382).
ImportantSUSE bug 1053043SUSE bug 1066223SUSE bug 1094555SUSE bug 1108382SUSE bug 1109137SUSE bug 1111188SUSE bug 1119086SUSE bug 1120902SUSE bug 1121263SUSE bug 1125580SUSE bug 1126961SUSE bug 1127155SUSE bug 1129770SUSE bug 1131335SUSE bug 1131336SUSE bug 1131645SUSE bug 1132390SUSE bug 1133140SUSE bug 1133190SUSE bug 1133191SUSE bug 1133738SUSE bug 1134395SUSE bug 1135642SUSE bug 1136598SUSE bug 1136889SUSE bug 1136922SUSE bug 1136935SUSE bug 1137004SUSE bug 1137194SUSE bug 1137739SUSE bug 1137749SUSE bug 1137752SUSE bug 1137915SUSE bug 1138291SUSE bug 1138293SUSE bug 1138374SUSE bug 1138681SUSE bug 1139751SUSE bug 1140575SUSE bug 1140577CVE-2018-20836 at SUSECVE-2018-20836 at NVDCVE-2019-10126 at SUSECVE-2019-10126 at NVDCVE-2019-10638 at SUSECVE-2019-10638 at NVDCVE-2019-10639 at SUSECVE-2019-10639 at NVDCVE-2019-11487 at SUSECVE-2019-11487 at NVDCVE-2019-11599 at SUSECVE-2019-11599 at NVDCVE-2019-12380 at SUSECVE-2019-12380 at NVDCVE-2019-12456 at SUSECVE-2019-12456 at NVDCVE-2019-12614 at SUSECVE-2019-12614 at NVDCVE-2019-12818 at SUSECVE-2019-12818 at NVDCVE-2019-12819 at SUSECVE-2019-12819 at NVDcpe:/o:suse:sles-ltss:12:sp3cpe:/o:suse:sles:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox, mozilla-nss fixes the following issues:
MozillaFirefox to version ESR 60.8:
- CVE-2019-9811: Sandbox escape via installation of malicious language pack (bsc#1140868).
- CVE-2019-11711: Script injection within domain through inner window reuse (bsc#1140868).
- CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects (bsc#1140868).
- CVE-2019-11713: Use-after-free with HTTP/2 cached stream (bsc#1140868).
- CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (bsc#1140868).
- CVE-2019-11715: HTML parsing error can contribute to content XSS (bsc#1140868).
- CVE-2019-11717: Caret character improperly escaped in origins (bsc#1140868).
- CVE-2019-11719: Out-of-bounds read when importing curve25519 private key (bsc#1140868).
- CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin (bsc#1140868).
- CVE-2019-11709: Multiple Memory safety bugs fixed (bsc#1140868).
mozilla-nss to version 3.44.1:
* Added IPSEC IKE support to softoken
* Many new FIPS test cases
ImportantSUSE bug 1140868CVE-2019-11709 at SUSECVE-2019-11709 at NVDCVE-2019-11711 at SUSECVE-2019-11711 at NVDCVE-2019-11712 at SUSECVE-2019-11712 at NVDCVE-2019-11713 at SUSECVE-2019-11713 at NVDCVE-2019-11715 at SUSECVE-2019-11715 at NVDCVE-2019-11717 at SUSECVE-2019-11717 at NVDCVE-2019-11719 at SUSECVE-2019-11719 at NVDCVE-2019-11729 at SUSECVE-2019-11729 at NVDCVE-2019-11730 at SUSECVE-2019-11730 at NVDCVE-2019-9811 at SUSECVE-2019-9811 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for polkit (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for polkit fixes the following issues:
Security issue fixed:
- CVE-2018-19788: Fixed handling of UIDs over MAX_UINT (bsc#1118277)
ModerateSUSE bug 1118277CVE-2018-19788 at SUSECVE-2018-19788 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Live Patch 15 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.140-94_42 fixes several issues.
The following security issues were fixed:
- CVE-2019-11477: Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. (bsc#1137586)
- CVE-2019-11478: Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. (bsc#1137586)
- CVE-2019-3846: A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network (bsc#1136424).
This update contains a regression fix for CVE-2019-11477 and CVE-2019-11478 (bsc#1140747).
ImportantSUSE bug 1136446SUSE bug 1137597SUSE bug 1140747CVE-2019-11477 at SUSECVE-2019-11477 at NVDCVE-2019-11478 at SUSECVE-2019-11478 at NVDCVE-2019-3846 at SUSECVE-2019-3846 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 16 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.143-94_47 fixes several issues.
The following security issues were fixed:
- CVE-2019-11477: Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. (bsc#1137586)
- CVE-2019-11478: Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. (bsc#1137586)
- CVE-2019-3846: A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network (bsc#1136424).
This update contains a regression fix for CVE-2019-11477 and CVE-2019-11478 (bsc#1140747).
ImportantSUSE bug 1136446SUSE bug 1137597SUSE bug 1140747CVE-2019-11477 at SUSECVE-2019-11477 at NVDCVE-2019-11478 at SUSECVE-2019-11478 at NVDCVE-2019-3846 at SUSECVE-2019-3846 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 17 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.155-94_50 fixes several issues.
The following security issues were fixed:
- CVE-2019-11477: Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. (bsc#1137586)
- CVE-2019-11478: Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. (bsc#1137586)
- CVE-2019-3846: A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network (bsc#1136424).
This update contains a regression fix for CVE-2019-11477 and CVE-2019-11478 (bsc#1140747).
ImportantSUSE bug 1136446SUSE bug 1137597SUSE bug 1140747CVE-2019-11477 at SUSECVE-2019-11477 at NVDCVE-2019-11478 at SUSECVE-2019-11478 at NVDCVE-2019-3846 at SUSECVE-2019-3846 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 18 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.156-94_57 fixes several issues.
The following security issues were fixed:
- CVE-2019-11477: Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. (bsc#1137586)
- CVE-2019-11478: Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. (bsc#1137586)
- CVE-2019-3846: A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network (bsc#1136424).
This update contains a regression fix for CVE-2019-11477 and CVE-2019-11478 (bsc#1140747).
ImportantSUSE bug 1136446SUSE bug 1137597SUSE bug 1140747CVE-2019-11477 at SUSECVE-2019-11477 at NVDCVE-2019-11478 at SUSECVE-2019-11478 at NVDCVE-2019-3846 at SUSECVE-2019-3846 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 19 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.156-94_61 fixes several issues.
The following security issues were fixed:
- CVE-2019-11477: Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. (bsc#1137586)
- CVE-2019-11478: Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. (bsc#1137586)
- CVE-2019-3846: A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network (bsc#1136424).
This update contains a regression fix for CVE-2019-11477 and CVE-2019-11478 (bsc#1140747).
ImportantSUSE bug 1136446SUSE bug 1137597SUSE bug 1140747CVE-2019-11477 at SUSECVE-2019-11477 at NVDCVE-2019-11478 at SUSECVE-2019-11478 at NVDCVE-2019-3846 at SUSECVE-2019-3846 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 20 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.156-94_64 fixes several issues.
The following security issues were fixed:
- CVE-2019-11477: Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. (bsc#1137586)
- CVE-2019-11478: Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. (bsc#1137586)
- CVE-2019-3846: A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network (bsc#1136424).
This update contains a regression fix for CVE-2019-11477 and CVE-2019-11478 (bsc#1140747).
ImportantSUSE bug 1136446SUSE bug 1137597SUSE bug 1140747CVE-2019-11477 at SUSECVE-2019-11477 at NVDCVE-2019-11478 at SUSECVE-2019-11478 at NVDCVE-2019-3846 at SUSECVE-2019-3846 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 21 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.162-94_69 fixes several issues.
The following security issues were fixed:
- CVE-2019-11477: Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. (bsc#1137586)
- CVE-2019-11478: Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. (bsc#1137586)
- CVE-2019-3846: A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network (bsc#1136424).
This update contains a regression fix for CVE-2019-11477 and CVE-2019-11478 (bsc#1140747).
ImportantSUSE bug 1136446SUSE bug 1137597SUSE bug 1140747CVE-2019-11477 at SUSECVE-2019-11477 at NVDCVE-2019-11478 at SUSECVE-2019-11478 at NVDCVE-2019-3846 at SUSECVE-2019-3846 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 22 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.162-94_72 fixes several issues.
The following security issues were fixed:
- CVE-2019-11477: Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. (bsc#1137586)
- CVE-2019-11478: Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. (bsc#1137586)
- CVE-2019-3846: A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network (bsc#1136424).
This update contains a regression fix for CVE-2019-11477 and CVE-2019-11478 (bsc#1140747).
ImportantSUSE bug 1136446SUSE bug 1137597SUSE bug 1140747CVE-2019-11477 at SUSECVE-2019-11477 at NVDCVE-2019-11478 at SUSECVE-2019-11478 at NVDCVE-2019-3846 at SUSECVE-2019-3846 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 23 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.175-94_79 fixes several issues.
The following security issues were fixed:
- CVE-2019-11477: Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. (bsc#1137586)
- CVE-2019-11478: Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. (bsc#1137586)
- CVE-2019-3846: A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network (bsc#1136424).
This update contains a regression fix for CVE-2019-11477 and CVE-2019-11478 (bsc#1140747).
ImportantSUSE bug 1136446SUSE bug 1137597SUSE bug 1140747CVE-2019-11477 at SUSECVE-2019-11477 at NVDCVE-2019-11478 at SUSECVE-2019-11478 at NVDCVE-2019-3846 at SUSECVE-2019-3846 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 24 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.176-94_88 fixes several issues.
The following security issues were fixed:
- CVE-2019-11477: Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. (bsc#1137586)
- CVE-2019-11478: Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. (bsc#1137586)
- CVE-2019-3846: A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network (bsc#1136424).
This update contains a regression fix for CVE-2019-11477 and CVE-2019-11478 (bsc#1140747).
ImportantSUSE bug 1136446SUSE bug 1137597SUSE bug 1140747CVE-2019-11477 at SUSECVE-2019-11477 at NVDCVE-2019-11478 at SUSECVE-2019-11478 at NVDCVE-2019-3846 at SUSECVE-2019-3846 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 25 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.178-94_91 fixes several issues.
The following security issues were fixed:
- CVE-2019-11477: Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. (bsc#1137586)
- CVE-2019-11478: Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. (bsc#1137586)
- CVE-2019-3846: A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network (bsc#1136424).
This update contains a regression fix for CVE-2019-11477 and CVE-2019-11478 (bsc#1140747).
ImportantSUSE bug 1136446SUSE bug 1137597SUSE bug 1140747CVE-2019-11477 at SUSECVE-2019-11477 at NVDCVE-2019-11478 at SUSECVE-2019-11478 at NVDCVE-2019-3846 at SUSECVE-2019-3846 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 26 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_97 fixes one issue.
The following security issue was fixed:
This update contains a regression fix for CVE-2019-11478 (bsc#1140747).
ImportantSUSE bug 1140747CVE-2019-11478 at SUSECVE-2019-11478 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for ucode-intel fixes the following issues:
This update contains the Intel QSR 2019.1 Microcode release (bsc#1111331)
Four new speculative execution information leak issues have been identified in Intel CPUs. (bsc#1111331)
- CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
- CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)
- CVE-2018-12130: Microarchitectural Load Port Data Samling (MLPDS)
- CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
These updates contain the CPU Microcode adjustments for the software mitigations.
For more information on this set of vulnerabilities, check out https://www.suse.com/support/kb/doc/?id=7023736
Release notes:
---- updated platforms ------------------------------------
SNB-E/EN/EP C1/M0 6-2d-6/6d 0000061d->0000061f Xeon E3/E5, Core X
SNB-E/EN/EP C2/M1 6-2d-7/6d 00000714->00000718 Xeon E3/E5, Core X
ImportantSUSE bug 1111331CVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for bzip2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for bzip2 fixes the following issues:
Security issue fixed:
- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083).
- CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).
ImportantSUSE bug 1139083SUSE bug 985657CVE-2016-3189 at SUSECVE-2016-3189 at NVDCVE-2019-12900 at SUSECVE-2019-12900 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for glibc (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for glibc fixes the following issues:
Security issues fixed:
- CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308).
- CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223).
Non-security issues fixed:
- Added cfi information for start routines in order to stop unwinding on S390 (bsc#1128574).
ModerateSUSE bug 1127223SUSE bug 1127308SUSE bug 1128574CVE-2009-5155 at SUSECVE-2009-5155 at NVDCVE-2019-9169 at SUSECVE-2019-9169 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libsolv, libzypp, zypper (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libsolv, libzypp and zypper fixes the following issues:
libsolv was updated to version 0.6.36 fixes the following issues:
Security issues fixed:
- CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
- CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
- CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).
Non-security issues fixed:
- Made cleandeps jobs on patterns work (bsc#1137977).
- Fixed an issue multiversion packages that obsolete their own name (bsc#1127155).
- Keep consistent package name if there are multiple alternatives (bsc#1131823).
libzypp received following fixes:
- Fixes a bug where locking the kernel was not possible (bsc#1113296)
zypper received following fixes:
- Fixes a bug where the wrong exit code was set when refreshing
repos if --root was used (bsc#1134226)
- Improved the displaying of locks (bsc#1112911)
- Fixes an issue where `https` repository urls caused an error prompt to
appear twice (bsc#1110542)
- zypper will now always warn when no repositories are defined (bsc#1109893)
ModerateSUSE bug 1109893SUSE bug 1110542SUSE bug 1111319SUSE bug 1112911SUSE bug 1113296SUSE bug 1120629SUSE bug 1120630SUSE bug 1120631SUSE bug 1127155SUSE bug 1131823SUSE bug 1134226SUSE bug 1137977CVE-2018-20532 at SUSECVE-2018-20532 at NVDCVE-2018-20533 at SUSECVE-2018-20533 at NVDCVE-2018-20534 at SUSECVE-2018-20534 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for bzip2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for bzip2 fixes the following issues:
- Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities
with files that used many selectors (bsc#1139083).
ImportantSUSE bug 1139083CVE-2019-12900 at SUSECVE-2019-12900 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for polkit (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for polkit fixes the following issues:
Security issue fixed:
- CVE-2019-6133: Fixed improper caching of auth decisions, which could bypass
uid checking in the interactive backend (bsc#1121826).
ImportantSUSE bug 1121826CVE-2019-6133 at SUSECVE-2019-6133 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_8_0-openjdk to version 8u222 fixes the following issues:
Security issues fixed:
- CVE-2019-2745: Improved ECC Implementation (bsc#1141784).
- CVE-2019-2762: Exceptional throw cases (bsc#1141782).
- CVE-2019-2766: Improve file protocol handling (bsc#1141789).
- CVE-2019-2769: Better copies of CopiesList (bsc#1141783).
- CVE-2019-2786: More limited privilege usage (bsc#1141787).
- CVE-2019-2816: Normalize normalization (bsc#1141785).
- CVE-2019-2842: Extended AES support (bsc#1141786).
- CVE-2019-7317: Improve PNG support (bsc#1141780).
- Certificate validation improvements
Non-security issue fixed:
- Fixed an issue where the installation failed when the manpages are not present (bsc#1115375)
ImportantSUSE bug 1115375SUSE bug 1141780SUSE bug 1141782SUSE bug 1141783SUSE bug 1141784SUSE bug 1141785SUSE bug 1141786SUSE bug 1141787SUSE bug 1141789CVE-2019-2745 at SUSECVE-2019-2745 at NVDCVE-2019-2762 at SUSECVE-2019-2762 at NVDCVE-2019-2766 at SUSECVE-2019-2766 at NVDCVE-2019-2769 at SUSECVE-2019-2769 at NVDCVE-2019-2786 at SUSECVE-2019-2786 at NVDCVE-2019-2816 at SUSECVE-2019-2816 at NVDCVE-2019-2842 at SUSECVE-2019-2842 at NVDCVE-2019-7317 at SUSECVE-2019-7317 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for python3 fixes the following issues:
- CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).
- CVE-2018-14647: Fixed a denial of service vulnerability caused by a crafted XML document (bsc#1109847).
- CVE-2018-1000802: Fixed a command injection in the shutil module (bsc#1109663).
ImportantSUSE bug 1109663SUSE bug 1109847SUSE bug 1138459CVE-2018-1000802 at SUSECVE-2018-1000802 at NVDCVE-2018-14647 at SUSECVE-2018-14647 at NVDCVE-2019-10160 at SUSECVE-2019-10160 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for evince (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for evince fixes the following issues:
Security issues fixed:
- CVE-2019-11459: Fixed an improper error handling in which could have led to use of uninitialized use of memory (bsc#1133037).
- CVE-2019-1010006: Fixed a buffer overflow in backend/tiff/tiff-document.c (bsc#1141619).
ImportantSUSE bug 1133037SUSE bug 1141619CVE-2019-1010006 at SUSECVE-2019-1010006 at NVDCVE-2019-11459 at SUSECVE-2019-11459 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for squid (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for squid fixes the following issues:
Security issue fixed:
- CVE-2019-12529: Fixed a potential denial of service associated with HTTP Basic Authentication credentials (bsc#1141329).
- CVE-2019-12525: Fixed a denial of service during processing of HTTP Digest Authentication credentials (bsc#1141332).
- CVE-2019-13345: Fixed a cross site scripting vulnerability via user_name or auth parameter in cachemgr.cgi (bsc#1140738).
ModerateSUSE bug 1140738SUSE bug 1141329SUSE bug 1141332CVE-2019-12525 at SUSECVE-2019-12525 at NVDCVE-2019-12529 at SUSECVE-2019-12529 at NVDCVE-2019-13345 at SUSECVE-2019-13345 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for rsyslog (Important)SUSE Linux Enterprise Server 12 SP3
This update for rsyslog fixes the following issues:
Security issue fixed:
- CVE-2018-16881: Fixed a denial of service when both the imtcp module and Octet-Counted TCP Framing is enabled (bsc#1123164).
ImportantSUSE bug 1123164CVE-2018-16881 at SUSECVE-2018-16881 at NVDcpe:/o:suse:sles:12:sp3Security update for python (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for python fixes the following issues:
- CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).
- CVE-2018-20852: Fixed an information leak where cookies could be send to the wrong server because of incorrect domain validation (bsc#1141853).
ImportantSUSE bug 1138459SUSE bug 1141853CVE-2018-20852 at SUSECVE-2018-20852 at NVDCVE-2019-10160 at SUSECVE-2019-10160 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for postgresql96 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for postgresql96 fixes the following issues:
Security issue fixed:
- CVE-2019-10208: Fixed arbitrary SQL execution via suitable SECURITY DEFINER function under the identity of the function owner (bsc#1145092).
ImportantSUSE bug 1145092CVE-2019-10208 at SUSECVE-2019-10208 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libvirt (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libvirt fixes the following issues:
Security issues fixed:
- CVE-2019-10161: Fixed virDomainSaveImageGetXMLDesc API which could accept a path
parameter pointing anywhere on the system and potentially leading to execution
of a malicious file with root privileges by libvirtd (bsc#1138301).
- CVE-2019-10167: Fixed an issue with virConnectGetDomainCapabilities API which
could have been used to execute arbitrary emulators (bsc#1138303).
Non-security issues fixed:
- Fixed an issue with short bitmaps when setting vcpu affinity using the vcpupin (bsc#1138734).
- Added support for overriding max threads per process limit (bsc#1133719)
ImportantSUSE bug 1133719SUSE bug 1138301SUSE bug 1138303SUSE bug 1138734CVE-2019-10161 at SUSECVE-2019-10161 at NVDCVE-2019-10167 at SUSECVE-2019-10167 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2019-1125: Enable Spectre v1 swapgs mitigations (bsc#1139358).
- CVE-2018-20855: An issue was discovered in create_qp_common in drivers/infiniband/hw/mlx5/qp.c, mlx5_ib_create_qp_resp was never initialized, resulting in a leak of stack memory to userspace (bsc#1143045).
- CVE-2019-14284: The drivers/block/floppy.c allowed a denial of service by setup_format_params division-by-zero. Two consecutive ioctls can trigger the bug: the first one should set the drive geometry with .sect and .rate values that make F_SECT_PER_TRACK be zero. Next, the floppy format operation should be called. It can be triggered by an unprivileged local user even when a floppy disk has not been inserted. NOTE: QEMU creates the floppy device by default (bsc#1143189).
- CVE-2019-14283: The function set_geometry in drivers/block/floppy.c did not validate the sect and head fields, as demonstrated by an integer overflow and out-of-bounds read. It can be triggered by an unprivileged local user when a floppy disk has been inserted. NOTE: QEMU creates the floppy device by default (bsc#1143191).
- CVE-2019-11810: A NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c. This causes a Denial of Service, related to a use-after-free (bsc#1134399).
- CVE-2019-13648: In the Linux kernel on the powerpc platform, when hardware transactional memory is disabled, a local user can cause a denial of service (TM Bad Thing exception and system crash) via a sigreturn() system call that sends a crafted signal frame. This affects arch/powerpc/kernel/signal_32.c and arch/powerpc/kernel/signal_64.c (bnc#1142254).
- CVE-2019-13631: In parse_hid_report_descriptor in drivers/input/tablet/gtco.c, a malicious USB device can send an HID report that triggers an out-of-bounds write during generation of debugging messages (bsc#1142023).
- CVE-2019-15118: Fixed kernel stack exhaustion in check_input_term in sound/usb/mixer.c via mishandled recursion (bnc#1145922).
- CVE-2019-15117: Fixed out-of-bounds memory access in parse_audio_mixer_unit in sound/usb/mixer.c via mishandled short descriptor (bnc#1145920).
- CVE-2019-3819: A flaw was fixed in the function hid_debug_events_read() in drivers/hid/hid-debug.c file which may have enter an infinite loop with certain parameters passed from a userspace. A local privileged user ('root') could have caused a system lock up and a denial of service (bnc#1123161).
- CVE-2019-10207: Check for missing tty operations in bluetooth/hci_uart (bsc#1142857).
- CVE-2018-20856: Fixed a use-after-free issue in block/blk-core.c, where certain error case are mishandled (bnc#1143048).
The following non-security bugs were fixed:
- cifs: do not log STATUS_NOT_FOUND errors for DFS (bsc#1125674).
- dlm: Fix saving of NULL callbacks (bsc#1135365).
- bcache: Revert 'bcache: fix high CPU occupancy during journal' (bsc#1140652, bsc#1144288).
- bcache: Revert 'bcache: free heap cache_set->flush_btree in bch_journal_free' (bsc#1140652, bsc#1144288).
- bcache: add reclaimed_journal_buckets to struct cache_set (bsc#1140652, bsc#1144288).
- bcache: fix race in btree_flush_write() (bsc#1140652, bsc#1144288).
- bcache: fix stack corruption by PRECEDING_KEY() (bsc#1130972, bsc#1144257).
- bcache: only set BCACHE_DEV_WB_RUNNING when cached device attached (bsc#1130972, bsc#1144273).
- bcache: performance improvement for btree_flush_write() (bsc#1140652, bsc#1144288).
- bcache: remove retry_flush_write from struct cache_set (bsc#1140652, bsc#1144288).
- bonding: Force slave speed check after link state recovery for 802.3ad (bsc#1137584).
- clocksource: Defer override invalidation unless clock is unstable (bsc#1139826).
- kvm: mmu: Fix overflow on kvm mmu page limit calculation (bsc#1135335).
- kvmclock: fix TSC calibration for nested guests (bsc#1133860, jsc#PM-1211).
- mm, page_alloc: fix has_unmovable_pages for HugePages (bsc#1127034).
- powerpc/watchpoint: Restore NV GPRs while returning from exception (bsc#1140945, bsc#1141401, bsc#1141402, bsc#1141452, bsc#1141453, bsc#1141454).
- qla2xxx: performance degradation when enabling blk-mq (bsc#1128977).
- qlge: Deduplicate lbq_buf_size (bsc#1106061).
- qlge: Deduplicate rx buffer queue management (bsc#1106061).
- qlge: Factor out duplicated expression (bsc#1106061).
- qlge: Fix dma_sync_single calls (bsc#1106061).
- qlge: Fix irq masking in INTx mode (bsc#1106061).
- qlge: Refill empty buffer queues from wq (bsc#1106061).
- qlge: Refill rx buffers up to multiple of 16 (bsc#1106061).
- qlge: Remove bq_desc.maplen (bsc#1106061).
- qlge: Remove irq_cnt (bsc#1106061).
- qlge: Remove page_chunk.last_flag (bsc#1106061).
- qlge: Remove qlge_bq.len size (bsc#1106061).
- qlge: Remove rx_ring.sbq_buf_size (bsc#1106061).
- qlge: Remove rx_ring.type (bsc#1106061).
- qlge: Remove useless dma synchronization calls (bsc#1106061).
- qlge: Remove useless memset (bsc#1106061).
- qlge: Replace memset with assignment (bsc#1106061).
- qlge: Update buffer queue prod index despite oom (bsc#1106061).
- rbd: flush rbd_dev->watch_dwork after watch is unregistered (bsc#1143333).
- rbd: retry watch re-registration periodically (bsc#1143333).
- sched/fair: Do not free p->numa_faults with concurrent readers (bsc#1144920).
- sched/fair: Use RCU accessors consistently for ->numa_group (bsc#1144920).
- scsi: virtio_scsi: let host do exception handling (bsc#1141181).
- x86: mm: fix fast GUP with hyper-based TLB flushing (VM Functionality, bsc#1140903).
- x86: tsc: Add X86_FEATURE_TSC_KNOWN_FREQ flag (bsc#1133860, jsc#PM-1211).
- xen: let alloc_xenballooned_pages() fail if not enough memory free (XSA-300).
ImportantSUSE bug 1106061SUSE bug 1123161SUSE bug 1125674SUSE bug 1127034SUSE bug 1128977SUSE bug 1130972SUSE bug 1133860SUSE bug 1134399SUSE bug 1135335SUSE bug 1135365SUSE bug 1137584SUSE bug 1139358SUSE bug 1139826SUSE bug 1140652SUSE bug 1140903SUSE bug 1140945SUSE bug 1141181SUSE bug 1141401SUSE bug 1141402SUSE bug 1141452SUSE bug 1141453SUSE bug 1141454SUSE bug 1142023SUSE bug 1142254SUSE bug 1142857SUSE bug 1143045SUSE bug 1143048SUSE bug 1143189SUSE bug 1143191SUSE bug 1143333SUSE bug 1144257SUSE bug 1144273SUSE bug 1144288SUSE bug 1144920SUSE bug 1145920SUSE bug 1145922CVE-2018-20855 at SUSECVE-2018-20855 at NVDCVE-2018-20856 at SUSECVE-2018-20856 at NVDCVE-2019-10207 at SUSECVE-2019-10207 at NVDCVE-2019-1125 at SUSECVE-2019-1125 at NVDCVE-2019-11810 at SUSECVE-2019-11810 at NVDCVE-2019-13631 at SUSECVE-2019-13631 at NVDCVE-2019-13648 at SUSECVE-2019-13648 at NVDCVE-2019-14283 at SUSECVE-2019-14283 at NVDCVE-2019-14284 at SUSECVE-2019-14284 at NVDCVE-2019-15117 at SUSECVE-2019-15117 at NVDCVE-2019-15118 at SUSECVE-2019-15118 at NVDCVE-2019-3819 at SUSECVE-2019-3819 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for perl (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for perl fixes the following issues:
Security issue fixed:
- CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674).
ImportantSUSE bug 1114674CVE-2018-18311 at SUSECVE-2018-18311 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libsolv, libzypp, zypper (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libsolv, libzypp and zypper fixes the following issues:
libsolv was updated to version 0.6.36 and fixes the following issues:
Security issues fixed:
- CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
- CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
- CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).
Non-security issues fixed:
- Made cleandeps jobs on patterns work (bsc#1137977).
- Fixed an issue multiversion packages that obsolete their own name (bsc#1127155).
- Keep consistent package name if there are multiple alternatives (bsc#1131823).
Fixes for libzypp:
- Fixes a bug where locking the kernel was not possible (bsc#1113296)
- Fixes a file descriptor leak (bsc#1116995)
- Will now run file conflict check on dry-run (best with download-only) (bsc#1140039)
Fixes for zypper:
- Fixes a bug where the wrong exit code was set when refreshing repos if --root was used (bsc#1134226)
- Improved the displaying of locks (bsc#1112911)
- Fixes an issue where `https` repository urls caused an error prompt to appear twice (bsc#1110542)
- zypper will now always warn when no repositories are defined (bsc#1109893)
- Fixes bash completion option detection (bsc#1049825)
ModerateSUSE bug 1049825SUSE bug 1109893SUSE bug 1110542SUSE bug 1111319SUSE bug 1112911SUSE bug 1113296SUSE bug 1116995SUSE bug 1120629SUSE bug 1120630SUSE bug 1120631SUSE bug 1127155SUSE bug 1131823SUSE bug 1134226SUSE bug 1137977SUSE bug 1140039SUSE bug 1145521CVE-2018-20532 at SUSECVE-2018-20532 at NVDCVE-2018-20533 at SUSECVE-2018-20533 at NVDCVE-2018-20534 at SUSECVE-2018-20534 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_7_1-ibm fixes the following issues:
Update to Java 7.1 Service Refresh 4 Fix Pack 50.
Security issues fixed:
- CVE-2019-11771: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-11775: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-4473: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-7317: Fixed issue inside Component AWT (libpng)(bsc#1141780).
- CVE-2019-2769: Fixed issue inside Component Utilities (bsc#1141783).
- CVE-2019-2762: Fixed issue inside Component Utilities (bsc#1141782).
- CVE-2019-2816: Fixed issue inside Component Networking (bsc#1141785).
- CVE-2019-2766: Fixed issue inside Component Networking (bsc#1141789).
ImportantSUSE bug 1141780SUSE bug 1141782SUSE bug 1141783SUSE bug 1141785SUSE bug 1141789SUSE bug 1147021CVE-2019-11771 at SUSECVE-2019-11771 at NVDCVE-2019-11775 at SUSECVE-2019-11775 at NVDCVE-2019-2762 at SUSECVE-2019-2762 at NVDCVE-2019-2766 at SUSECVE-2019-2766 at NVDCVE-2019-2769 at SUSECVE-2019-2769 at NVDCVE-2019-2816 at SUSECVE-2019-2816 at NVDCVE-2019-4473 at SUSECVE-2019-4473 at NVDCVE-2019-7317 at SUSECVE-2019-7317 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for curl (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for curl fixes the following issues:
Security issue fixed:
- CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496).
ImportantSUSE bug 1149496CVE-2019-5482 at SUSECVE-2019-5482 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for webkit2gtk3 fixes the following issues:
Updated to version 2.24.4 (bsc#1148931).
Security issues fixed:
- CVE-2019-8644, CVE-2019-8649, CVE-2019-8658, CVE-2019-8669, CVE-2019-8678,
CVE-2019-8680, CVE-2019-8683, CVE-2019-8684, CVE-2019-8688, CVE-2019-8595,
CVE-2019-8607, CVE-2019-8615, CVE-2019-8644, CVE-2019-8649, CVE-2019-8658,
CVE-2019-8666, CVE-2019-8669, CVE-2019-8671, CVE-2019-8672, CVE-2019-8673,
CVE-2019-8676, CVE-2019-8677, CVE-2019-8678, CVE-2019-8679, CVE-2019-8680,
CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8686, CVE-2019-8687,
CVE-2019-8688, CVE-2019-8689, CVE-2019-8690
Non-security issues fixed:
- Improved loading of multimedia streams to avoid memory exhaustion due to excessive caching.
- Updated the user agent string to make happy certain websites which would claim that the browser being used was unsupported.
ImportantSUSE bug 1135715SUSE bug 1148931CVE-2019-8595 at SUSECVE-2019-8595 at NVDCVE-2019-8607 at SUSECVE-2019-8607 at NVDCVE-2019-8615 at SUSECVE-2019-8615 at NVDCVE-2019-8644 at SUSECVE-2019-8644 at NVDCVE-2019-8649 at SUSECVE-2019-8649 at NVDCVE-2019-8658 at SUSECVE-2019-8658 at NVDCVE-2019-8666 at SUSECVE-2019-8666 at NVDCVE-2019-8669 at SUSECVE-2019-8669 at NVDCVE-2019-8671 at SUSECVE-2019-8671 at NVDCVE-2019-8672 at SUSECVE-2019-8672 at NVDCVE-2019-8673 at SUSECVE-2019-8673 at NVDCVE-2019-8676 at SUSECVE-2019-8676 at NVDCVE-2019-8677 at SUSECVE-2019-8677 at NVDCVE-2019-8678 at SUSECVE-2019-8678 at NVDCVE-2019-8679 at SUSECVE-2019-8679 at NVDCVE-2019-8680 at SUSECVE-2019-8680 at NVDCVE-2019-8681 at SUSECVE-2019-8681 at NVDCVE-2019-8683 at SUSECVE-2019-8683 at NVDCVE-2019-8684 at SUSECVE-2019-8684 at NVDCVE-2019-8686 at SUSECVE-2019-8686 at NVDCVE-2019-8687 at SUSECVE-2019-8687 at NVDCVE-2019-8688 at SUSECVE-2019-8688 at NVDCVE-2019-8689 at SUSECVE-2019-8689 at NVDCVE-2019-8690 at SUSECVE-2019-8690 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_8_0-ibm fixes the following issues:
Update to Java 8.0 Service Refresh 5 Fix Pack 40.
Security issues fixed:
- CVE-2019-11771: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-11772: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-11775: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-4473: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-7317: Fixed issue inside Component AWT (libpng)(bsc#1141780).
- CVE-2019-2769: Fixed issue inside Component Utilities (bsc#1141783).
- CVE-2019-2762: Fixed issue inside Component Utilities (bsc#1141782).
- CVE-2019-2816: Fixed issue inside Component Networking (bsc#1141785).
- CVE-2019-2766: Fixed issue inside Component Networking (bsc#1141789).
- CVE-2019-2786: Fixed issue inside Component Security (bsc#1141787).
ImportantSUSE bug 1122292SUSE bug 1122299SUSE bug 1141780SUSE bug 1141782SUSE bug 1141783SUSE bug 1141785SUSE bug 1141787SUSE bug 1141789SUSE bug 1147021CVE-2018-11212 at SUSECVE-2018-11212 at NVDCVE-2019-11771 at SUSECVE-2019-11771 at NVDCVE-2019-11772 at SUSECVE-2019-11772 at NVDCVE-2019-11775 at SUSECVE-2019-11775 at NVDCVE-2019-2449 at SUSECVE-2019-2449 at NVDCVE-2019-2762 at SUSECVE-2019-2762 at NVDCVE-2019-2766 at SUSECVE-2019-2766 at NVDCVE-2019-2769 at SUSECVE-2019-2769 at NVDCVE-2019-2786 at SUSECVE-2019-2786 at NVDCVE-2019-2816 at SUSECVE-2019-2816 at NVDCVE-2019-4473 at SUSECVE-2019-4473 at NVDCVE-2019-7317 at SUSECVE-2019-7317 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for ibus (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for ibus fixes the following issues:
Security issue fixed:
- CVE-2019-14822: Fixed a misconfiguration of the DBus server that allowed an unprivileged user to monitor and send method calls to the ibus bus of another user. (bsc#1150011)
ImportantSUSE bug 1150011CVE-2019-14822 at SUSECVE-2019-14822 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for spice (Important)SUSE Linux Enterprise Server 12 SP3
This update for spice fixes the following issues:
Security issue fixed:
- CVE-2019-3813: Fixed a out-of-bounds read in the memslot_get_virt function that could lead to denial-of-service or code-execution (bsc#1122706).
ImportantSUSE bug 1122706CVE-2019-3813 at SUSECVE-2019-3813 at NVDcpe:/o:suse:sles:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for openssl fixes the following issues:
OpenSSL Security Advisory [10 September 2019]
- CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance (bsc#1150003).
- CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250).
ModerateSUSE bug 1150003SUSE bug 1150250CVE-2019-1547 at SUSECVE-2019-1547 at NVDCVE-2019-1563 at SUSECVE-2019-1563 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3
This update for python3 fixes the following issues:
Security issue fixed:
- CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191)
- CVE-2018-20406: Fixed a integer overflow via a large LONG_BINPUT (bsc#1120644)
ImportantSUSE bug 1120644SUSE bug 1122191CVE-2018-20406 at SUSECVE-2018-20406 at NVDCVE-2019-5010 at SUSECVE-2019-5010 at NVDcpe:/o:suse:sles:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox to ESR 60.9 fixes the following issues:
Security issues fixed:
- CVE-2019-11742: Fixed a same-origin policy violation involving SVG filters and canvas to steal cross-origin images. (bsc#1149303)
- CVE-2019-11746: Fixed a use-after-free while manipulating video. (bsc#1149297)
- CVE-2019-11744: Fixed an XSS caused by breaking out of title and textarea elements using innerHTML. (bsc#1149304)
- CVE-2019-11753: Fixed a privilege escalation with Mozilla Maintenance Service in custom Firefox installation location. (bsc#1149295)
- CVE-2019-11752: Fixed a use-after-free while extracting a key value in IndexedDB. (bsc#1149296)
- CVE-2019-11743: Fixed a timing side-channel attack on cross-origin information, utilizing unload event attributes. (bsc#1149298)
- CVE-2019-11740: Fixed several memory safety bugs. (bsc#1149299)
ImportantSUSE bug 1149294SUSE bug 1149295SUSE bug 1149296SUSE bug 1149297SUSE bug 1149298SUSE bug 1149299SUSE bug 1149303SUSE bug 1149304SUSE bug 1149324CVE-2019-11740 at SUSECVE-2019-11740 at NVDCVE-2019-11742 at SUSECVE-2019-11742 at NVDCVE-2019-11743 at SUSECVE-2019-11743 at NVDCVE-2019-11744 at SUSECVE-2019-11744 at NVDCVE-2019-11746 at SUSECVE-2019-11746 at NVDCVE-2019-11752 at SUSECVE-2019-11752 at NVDCVE-2019-11753 at SUSECVE-2019-11753 at NVDCVE-2019-9812 at SUSECVE-2019-9812 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for dovecot22 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for dovecot22 fixes the following issues:
- CVE-2019-11500: Fixed a potential remote code execution in the IMAP and ManageSieve protocol parsers (bsc#1145559).
ImportantSUSE bug 1145559CVE-2019-11500 at SUSECVE-2019-11500 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for ghostscript (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for ghostscript to 9.27 fixes the following issues:
Security issues fixed:
- CVE-2019-3835: Fixed an unauthorized file system access caused by an available superexec operator. (bsc#1129180)
- CVE-2019-3839: Fixed an unauthorized file system access caused by available privileged operators. (bsc#1134156)
- CVE-2019-12973: Fixed a denial-of-service vulnerability in the OpenJPEG function opj_t1_encode_cblks. (bsc#1140359)
- CVE-2019-14811: Fixed a safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator. (bsc#1146882)
- CVE-2019-14812: Fixed a safer mode bypass by .forceput exposure in setuserparams. (bsc#1146882)
- CVE-2019-14813: Fixed a safer mode bypass by .forceput exposure in setsystemparams. (bsc#1146882)
- CVE-2019-14817: Fixed a safer mode bypass by .forceput exposure in .pdfexectoken and other procedures. (bsc#1146884)
ImportantSUSE bug 1129180SUSE bug 1131863SUSE bug 1134156SUSE bug 1140359SUSE bug 1146882SUSE bug 1146884CVE-2019-12973 at SUSECVE-2019-12973 at NVDCVE-2019-14811 at SUSECVE-2019-14811 at NVDCVE-2019-14812 at SUSECVE-2019-14812 at NVDCVE-2019-14813 at SUSECVE-2019-14813 at NVDCVE-2019-14817 at SUSECVE-2019-14817 at NVDCVE-2019-3835 at SUSECVE-2019-3835 at NVDCVE-2019-3839 at SUSECVE-2019-3839 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for curl (Important)SUSE Linux Enterprise Server 12 SP3
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2019-3823: Fixed a heap out-of-bounds read in the code handling the end-of-response for SMTP (bsc#1123378).
- CVE-2019-3822: Fixed a stack based buffer overflow in the function creating an outgoing NTLM type-3 message (bsc#1123377).
- CVE-2018-16890: Fixed a heap buffer out-of-bounds read in the function handling incoming NTLM type-2 messages (bsc#1123371).
ImportantSUSE bug 1123371SUSE bug 1123377SUSE bug 1123378CVE-2018-16890 at SUSECVE-2018-16890 at NVDCVE-2019-3822 at SUSECVE-2019-3822 at NVDCVE-2019-3823 at SUSECVE-2019-3823 at NVDcpe:/o:suse:sles:12:sp3Security update for libgcrypt (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libgcrypt fixes the following issues:
Security issues fixed:
- CVE-2019-13627: Mitigated ECDSA timing attack. (bsc#1148987)
ModerateSUSE bug 1148987CVE-2019-13627 at SUSECVE-2019-13627 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 19 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.156-94_61 fixes several issues.
The following security issues were fixed:
- CVE-2019-14835: A buffer overflow flaw was found in the way vhost functionality, that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host (bsc#1151021).
- CVE-2017-18379: Fixed an out of boundary access that happened in drivers/nvme/target/fc.c (bsc#1145604).
ImportantSUSE bug 1145604SUSE bug 1151021CVE-2017-18379 at SUSECVE-2017-18379 at NVDCVE-2019-14835 at SUSECVE-2019-14835 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 18 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.156-94_57 fixes several issues.
The following security issues were fixed:
- CVE-2019-14835: A buffer overflow flaw was found in the way vhost functionality, that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host (bsc#1151021).
- CVE-2017-18379: Fixed an out of boundary access that happened in drivers/nvme/target/fc.c (bsc#1145604).
ImportantSUSE bug 1145604SUSE bug 1151021CVE-2017-18379 at SUSECVE-2017-18379 at NVDCVE-2019-14835 at SUSECVE-2019-14835 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 22 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.162-94_72 fixes several issues.
The following security issues were fixed:
- CVE-2019-14835: A buffer overflow flaw was found in the way vhost functionality, that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host (bsc#1151021).
- CVE-2017-18379: Fixed an out of boundary access that happened in drivers/nvme/target/fc.c (bsc#1145604).
ImportantSUSE bug 1145604SUSE bug 1151021CVE-2017-18379 at SUSECVE-2017-18379 at NVDCVE-2019-14835 at SUSECVE-2019-14835 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 21 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.162-94_69 fixes several issues.
The following security issues were fixed:
- CVE-2019-14835: A buffer overflow flaw was found in the way vhost functionality, that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host (bsc#1151021).
- CVE-2017-18379: Fixed an out of boundary access that happened in drivers/nvme/target/fc.c (bsc#1145604).
ImportantSUSE bug 1145604SUSE bug 1151021CVE-2017-18379 at SUSECVE-2017-18379 at NVDCVE-2019-14835 at SUSECVE-2019-14835 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 20 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.156-94_64 fixes several issues.
The following security issues were fixed:
- CVE-2019-14835: A buffer overflow flaw was found in the way vhost functionality, that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host (bsc#1151021).
- CVE-2017-18379: Fixed an out of boundary access that happened in drivers/nvme/target/fc.c (bsc#1145604).
ImportantSUSE bug 1145604SUSE bug 1151021CVE-2017-18379 at SUSECVE-2017-18379 at NVDCVE-2019-14835 at SUSECVE-2019-14835 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 24 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.176-94_88 fixes several issues.
The following security issues were fixed:
- CVE-2019-14835: A buffer overflow flaw was found in the way vhost functionality, that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host (bsc#1151021).
- CVE-2017-18379: Fixed an out of boundary access that happened in drivers/nvme/target/fc.c (bsc#1145604).
ImportantSUSE bug 1145604SUSE bug 1151021CVE-2017-18379 at SUSECVE-2017-18379 at NVDCVE-2019-14835 at SUSECVE-2019-14835 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 23 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.175-94_79 fixes several issues.
The following security issues were fixed:
- CVE-2019-14835: A buffer overflow flaw was found in the way vhost functionality, that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host (bsc#1151021).
- CVE-2017-18379: Fixed an out of boundary access that happened in drivers/nvme/target/fc.c (bsc#1145604).
ImportantSUSE bug 1145604SUSE bug 1151021CVE-2017-18379 at SUSECVE-2017-18379 at NVDCVE-2019-14835 at SUSECVE-2019-14835 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 28 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_103 fixes several issues.
The following security issues were fixed:
- CVE-2019-14835: A buffer overflow flaw was found in the way vhost functionality, that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host (bsc#1151021).
- CVE-2017-18379: Fixed an out of boundary access that happened in drivers/nvme/target/fc.c (bsc#1145604).
ImportantSUSE bug 1145604SUSE bug 1151021CVE-2017-18379 at SUSECVE-2017-18379 at NVDCVE-2019-14835 at SUSECVE-2019-14835 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 27 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_100 fixes several issues.
The following security issues were fixed:
- CVE-2019-14835: A buffer overflow flaw was found in the way vhost functionality, that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host (bsc#1151021).
- CVE-2017-18379: Fixed an out of boundary access that happened in drivers/nvme/target/fc.c (bsc#1145604).
ImportantSUSE bug 1145604SUSE bug 1151021CVE-2017-18379 at SUSECVE-2017-18379 at NVDCVE-2019-14835 at SUSECVE-2019-14835 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 26 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_97 fixes several issues.
The following security issues were fixed:
- CVE-2019-14835: A buffer overflow flaw was found in the way vhost functionality, that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host (bsc#1151021).
- CVE-2017-18379: Fixed an out of boundary access that happened in drivers/nvme/target/fc.c (bsc#1145604).
ImportantSUSE bug 1145604SUSE bug 1151021CVE-2017-18379 at SUSECVE-2017-18379 at NVDCVE-2019-14835 at SUSECVE-2019-14835 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 25 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.178-94_91 fixes several issues.
The following security issues were fixed:
- CVE-2019-14835: A buffer overflow flaw was found in the way vhost functionality, that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host (bsc#1151021).
- CVE-2017-18379: Fixed an out of boundary access that happened in drivers/nvme/target/fc.c (bsc#1145604).
ImportantSUSE bug 1145604SUSE bug 1151021CVE-2017-18379 at SUSECVE-2017-18379 at NVDCVE-2019-14835 at SUSECVE-2019-14835 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
Updated to new ESR version 68.1 (bsc#1149323).
In addition to the already fixed vulnerabilities released in previous ESR updates,
the following were also fixed:
CVE-2019-11751, CVE-2019-11736, CVE-2019-9812, CVE-2019-11748, CVE-2019-11749,
CVE-2019-11750, CVE-2019-11738, CVE-2019-11747, CVE-2019-11735.
Several run-time issues were also resolved (bsc#1117473, bsc#1124525, bsc#1133810).
The version displayed in Help > About is now correct (bsc#1087200).
ImportantSUSE bug 1087200SUSE bug 1109465SUSE bug 1117473SUSE bug 1123482SUSE bug 1124525SUSE bug 1133810SUSE bug 1140868SUSE bug 1145665SUSE bug 1149323CVE-2019-11709 at SUSECVE-2019-11709 at NVDCVE-2019-11710 at SUSECVE-2019-11710 at NVDCVE-2019-11711 at SUSECVE-2019-11711 at NVDCVE-2019-11712 at SUSECVE-2019-11712 at NVDCVE-2019-11713 at SUSECVE-2019-11713 at NVDCVE-2019-11714 at SUSECVE-2019-11714 at NVDCVE-2019-11715 at SUSECVE-2019-11715 at NVDCVE-2019-11716 at SUSECVE-2019-11716 at NVDCVE-2019-11717 at SUSECVE-2019-11717 at NVDCVE-2019-11718 at SUSECVE-2019-11718 at NVDCVE-2019-11719 at SUSECVE-2019-11719 at NVDCVE-2019-11720 at SUSECVE-2019-11720 at NVDCVE-2019-11721 at SUSECVE-2019-11721 at NVDCVE-2019-11723 at SUSECVE-2019-11723 at NVDCVE-2019-11724 at SUSECVE-2019-11724 at NVDCVE-2019-11725 at SUSECVE-2019-11725 at NVDCVE-2019-11727 at SUSECVE-2019-11727 at NVDCVE-2019-11728 at SUSECVE-2019-11728 at NVDCVE-2019-11729 at SUSECVE-2019-11729 at NVDCVE-2019-11730 at SUSECVE-2019-11730 at NVDCVE-2019-11733 at SUSECVE-2019-11733 at NVDCVE-2019-11735 at SUSECVE-2019-11735 at NVDCVE-2019-11736 at SUSECVE-2019-11736 at NVDCVE-2019-11738 at SUSECVE-2019-11738 at NVDCVE-2019-11740 at SUSECVE-2019-11740 at NVDCVE-2019-11742 at SUSECVE-2019-11742 at NVDCVE-2019-11743 at SUSECVE-2019-11743 at NVDCVE-2019-11744 at SUSECVE-2019-11744 at NVDCVE-2019-11746 at SUSECVE-2019-11746 at NVDCVE-2019-11747 at SUSECVE-2019-11747 at NVDCVE-2019-11748 at SUSECVE-2019-11748 at NVDCVE-2019-11749 at SUSECVE-2019-11749 at NVDCVE-2019-11750 at SUSECVE-2019-11750 at NVDCVE-2019-11751 at SUSECVE-2019-11751 at NVDCVE-2019-11752 at SUSECVE-2019-11752 at NVDCVE-2019-11753 at SUSECVE-2019-11753 at NVDCVE-2019-9811 at SUSECVE-2019-9811 at NVDCVE-2019-9812 at SUSECVE-2019-9812 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for binutils (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for binutils fixes the following issues:
binutils was updated to current 2.32 branch @7b468db3 [jsc#ECO-368]:
Includes the following security fixes:
- CVE-2018-17358: Fixed invalid memory access in _bfd_stab_section_find_nearest_line in syms.c (bsc#1109412)
- CVE-2018-17359: Fixed invalid memory access exists in bfd_zalloc in opncls.c (bsc#1109413)
- CVE-2018-17360: Fixed heap-based buffer over-read in bfd_getl32 in libbfd.c (bsc#1109414)
- CVE-2018-17985: Fixed a stack consumption problem caused by the cplus_demangle_type (bsc#1116827)
- CVE-2018-18309: Fixed an invalid memory address dereference was discovered in read_reloc in reloc.c (bsc#1111996)
- CVE-2018-18483: Fixed get_count function provided by libiberty that allowed attackers to cause a denial of service or other unspecified impact (bsc#1112535)
- CVE-2018-18484: Fixed stack exhaustion in the C++ demangling functions provided by libiberty, caused by recursive stack frames (bsc#1112534)
- CVE-2018-18605: Fixed a heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup causing a denial of service (bsc#1113255)
- CVE-2018-18606: Fixed a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments, causing denial of service (bsc#1113252)
- CVE-2018-18607: Fixed a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section, causing denial of service (bsc#1113247)
- CVE-2018-19931: Fixed a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h (bsc#1118831)
- CVE-2018-19932: Fixed an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA (bsc#1118830)
- CVE-2018-20623: Fixed a use-after-free in the error function in elfcomm.c (bsc#1121035)
- CVE-2018-20651: Fixed a denial of service via a NULL pointer dereference in elf_link_add_object_symbols in elflink.c (bsc#1121034)
- CVE-2018-20671: Fixed an integer overflow that can trigger a heap-based buffer overflow in load_specific_debug_section in objdump.c (bsc#1121056)
- CVE-2018-1000876: Fixed integer overflow in bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc in objdump (bsc#1120640)
- CVE-2019-1010180: Fixed an out of bound memory access that could lead to crashes (bsc#1142772)
- Enable xtensa architecture (Tensilica lc6 and related)
- Use -ffat-lto-objects in order to provide assembly for static libs
(bsc#1141913).
- Fixed some LTO problems (bsc#1133131 bsc#1133232).
- riscv: Don't check ABI flags if no code section
Update to binutils 2.32:
* The binutils now support for the C-SKY processor series.
* The x86 assembler now supports a -mvexwig=[0|1] option to control
encoding of VEX.W-ignored (WIG) VEX instructions.
It also has a new -mx86-used-note=[yes|no] option to generate (or
not) x86 GNU property notes.
* The MIPS assembler now supports the Loongson EXTensions R2 (EXT2),
the Loongson EXTensions (EXT) instructions, the Loongson Content
Address Memory (CAM) ASE and the Loongson MultiMedia extensions
Instructions (MMI) ASE.
* The addr2line, c++filt, nm and objdump tools now have a default
limit on the maximum amount of recursion that is allowed whilst
demangling strings. This limit can be disabled if necessary.
* Objdump's --disassemble option can now take a parameter,
specifying the starting symbol for disassembly. Disassembly will
continue from this symbol up to the next symbol or the end of the
function.
* The BFD linker will now report property change in linker map file
when merging GNU properties.
* The BFD linker's -t option now doesn't report members within
archives, unless -t is given twice. This makes it more useful
when generating a list of files that should be packaged for a
linker bug report.
* The GOLD linker has improved warning messages for relocations that
refer to discarded sections.
- Improve relro support on s390 [fate#326356]
- Handle ELF compressed header alignment correctly.
ModerateSUSE bug 1109412SUSE bug 1109413SUSE bug 1109414SUSE bug 1111996SUSE bug 1112534SUSE bug 1112535SUSE bug 1113247SUSE bug 1113252SUSE bug 1113255SUSE bug 1116827SUSE bug 1118830SUSE bug 1118831SUSE bug 1120640SUSE bug 1121034SUSE bug 1121035SUSE bug 1121056SUSE bug 1133131SUSE bug 1133232SUSE bug 1141913SUSE bug 1142772CVE-2018-1000876 at SUSECVE-2018-1000876 at NVDCVE-2018-17358 at SUSECVE-2018-17358 at NVDCVE-2018-17359 at SUSECVE-2018-17359 at NVDCVE-2018-17360 at SUSECVE-2018-17360 at NVDCVE-2018-17985 at SUSECVE-2018-17985 at NVDCVE-2018-18309 at SUSECVE-2018-18309 at NVDCVE-2018-18483 at SUSECVE-2018-18483 at NVDCVE-2018-18484 at SUSECVE-2018-18484 at NVDCVE-2018-18605 at SUSECVE-2018-18605 at NVDCVE-2018-18606 at SUSECVE-2018-18606 at NVDCVE-2018-18607 at SUSECVE-2018-18607 at NVDCVE-2018-19931 at SUSECVE-2018-19931 at NVDCVE-2018-19932 at SUSECVE-2018-19932 at NVDCVE-2018-20623 at SUSECVE-2018-20623 at NVDCVE-2018-20651 at SUSECVE-2018-20651 at NVDCVE-2018-20671 at SUSECVE-2018-20671 at NVDCVE-2019-1010180 at SUSECVE-2019-1010180 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for sudo (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for sudo fixes the following issues:
Security issue fixed:
- CVE-2019-14287: Fixed an issue where a user with sudo privileges
that allowed them to run commands with an arbitrary uid, could
run commands as root, despite being forbidden to do so in sudoers
(bsc#1153674).
ImportantSUSE bug 1153674CVE-2019-14287 at SUSECVE-2019-14287 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libpcap (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libpcap fixes the following issues:
- CVE-2019-15165: Added sanity checks for PHB header length before allocating memory (bsc#1153332).
- CVE-2018-16301: Fixed a buffer overflow (bsc#1153332).
ImportantSUSE bug 1153332CVE-2018-16301 at SUSECVE-2018-16301 at NVDCVE-2019-15165 at SUSECVE-2019-15165 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for xen fixes the following issues:
Security issues fixed:
- CVE-2019-15890: Fixed a use-after-free in SLiRP networking implementation of QEMU emulator
which could have led to Denial of Service (bsc#1149813).
- CVE-2019-12068: Fixed an issue in lsi which could lead to an infinite loop and denial of
service (bsc#1146874).
- CVE-2019-14378: Fixed a heap buffer overflow in SLiRp networking implementation of QEMU
emulator which could have led to execution of arbitrary code with privileges of the
QEMU process (bsc#1143797).
Other issue fixed:
- Fixed an issue where libxenlight could not restore domain vsa6535522 on live migration (bsc#1133818).
ImportantSUSE bug 1126140SUSE bug 1126141SUSE bug 1126192SUSE bug 1126195SUSE bug 1126196SUSE bug 1126197SUSE bug 1126198SUSE bug 1126201SUSE bug 1127400SUSE bug 1133818SUSE bug 1143797SUSE bug 1146874SUSE bug 1149813CVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDCVE-2019-12068 at SUSECVE-2019-12068 at NVDCVE-2019-14378 at SUSECVE-2019-14378 at NVDCVE-2019-15890 at SUSECVE-2019-15890 at NVDCVE-2019-17340 at SUSECVE-2019-17340 at NVDCVE-2019-17341 at SUSECVE-2019-17341 at NVDCVE-2019-17342 at SUSECVE-2019-17342 at NVDCVE-2019-17343 at SUSECVE-2019-17343 at NVDCVE-2019-17344 at SUSECVE-2019-17344 at NVDCVE-2019-17345 at SUSECVE-2019-17345 at NVDCVE-2019-17346 at SUSECVE-2019-17346 at NVDCVE-2019-17347 at SUSECVE-2019-17347 at NVDCVE-2019-17348 at SUSECVE-2019-17348 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for nfs-utils (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for nfs-utils fixes the following issues:
- CVE-2019-3689: Fixed root-owned files stored in insecure /var/lib/nfs. (bsc#1150733)
ModerateSUSE bug 1150733CVE-2019-3689 at SUSECVE-2019-3689 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 20 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.156-94_64 fixes several issues.
The following security issues were fixed:
- CVE-2019-10220: Fixed a relative path escape in the Samba client module (bsc#1144903, bsc#1153108).
- CVE-2019-17133: Fixed a buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c caused by long SSID IEs (bsc#1153158).
ImportantSUSE bug 1144903SUSE bug 1153108SUSE bug 1153158SUSE bug 1153161CVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-17133 at SUSECVE-2019-17133 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 21 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.162-94_69 fixes several issues.
The following security issues were fixed:
- CVE-2019-10220: Fixed a relative path escape in the Samba client module (bsc#1144903, bsc#1153108).
- CVE-2019-17133: Fixed a buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c caused by long SSID IEs (bsc#1153158).
ImportantSUSE bug 1144903SUSE bug 1153108SUSE bug 1153158SUSE bug 1153161CVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-17133 at SUSECVE-2019-17133 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 22 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.162-94_72 fixes several issues.
The following security issues were fixed:
- CVE-2019-10220: Fixed a relative path escape in the Samba client module (bsc#1144903, bsc#1153108).
- CVE-2019-17133: Fixed a buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c caused by long SSID IEs (bsc#1153158).
ImportantSUSE bug 1144903SUSE bug 1153108SUSE bug 1153158SUSE bug 1153161CVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-17133 at SUSECVE-2019-17133 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 23 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.175-94_79 fixes several issues.
The following security issues were fixed:
- CVE-2019-10220: Fixed a relative path escape in the Samba client module (bsc#1144903, bsc#1153108).
- CVE-2019-17133: Fixed a buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c caused by long SSID IEs (bsc#1153158).
ImportantSUSE bug 1144903SUSE bug 1153108SUSE bug 1153158SUSE bug 1153161CVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-17133 at SUSECVE-2019-17133 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 24 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.176-94_88 fixes several issues.
The following security issues were fixed:
- CVE-2019-10220: Fixed a relative path escape in the Samba client module (bsc#1144903, bsc#1153108).
- CVE-2019-17133: Fixed a buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c caused by long SSID IEs (bsc#1153158).
ImportantSUSE bug 1144903SUSE bug 1153108SUSE bug 1153158SUSE bug 1153161CVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-17133 at SUSECVE-2019-17133 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 25 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.178-94_91 fixes several issues.
The following security issues were fixed:
- CVE-2019-10220: Fixed a relative path escape in the Samba client module (bsc#1144903, bsc#1153108).
- CVE-2019-17133: Fixed a buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c caused by long SSID IEs (bsc#1153158).
ImportantSUSE bug 1144903SUSE bug 1153108SUSE bug 1153158SUSE bug 1153161CVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-17133 at SUSECVE-2019-17133 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 26 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_97 fixes several issues.
The following security issues were fixed:
- CVE-2019-10220: Fixed a relative path escape in the Samba client module (bsc#1144903, bsc#1153108).
- CVE-2019-17133: Fixed a buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c caused by long SSID IEs (bsc#1153158).
ImportantSUSE bug 1144903SUSE bug 1153108SUSE bug 1153158SUSE bug 1153161CVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-17133 at SUSECVE-2019-17133 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 27 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_100 fixes several issues.
The following security issues were fixed:
- CVE-2019-10220: Fixed a relative path escape in the Samba client module (bsc#1144903, bsc#1153108).
- CVE-2019-17133: Fixed a buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c caused by long SSID IEs (bsc#1153158).
ImportantSUSE bug 1144903SUSE bug 1153108SUSE bug 1153158SUSE bug 1153161CVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-17133 at SUSECVE-2019-17133 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libunwind (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libunwind fixes the following issues:
Security issues fixed:
- CVE-2015-3239: Fixed a off-by-one in the dwarf_to_unw_regnum function (bsc#936786)
Non-security issues fixed:
- Fixed a dependency issue with libzmq5 (bsc#1122012)
- Fixed build on armv7 (bsc#976955)
ModerateSUSE bug 1122012SUSE bug 936786SUSE bug 976955CVE-2015-3239 at SUSECVE-2015-3239 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Live Patch 28 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_103 fixes several issues.
The following security issues were fixed:
- CVE-2019-10220: Fixed a relative path escape in the Samba client module (bsc#1144903, bsc#1153108).
- CVE-2019-17133: Fixed a buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c caused by long SSID IEs (bsc#1153158).
ImportantSUSE bug 1144903SUSE bug 1153108SUSE bug 1153158SUSE bug 1153161CVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-17133 at SUSECVE-2019-17133 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox to 68.2.0 ESR fixes the following issues:
Mozilla Firefox was updated to version 68.2.0 ESR (bsc#1154738).
Security issues fixed:
- CVE-2019-15903: Fixed a heap overflow in the expat library (bsc#1149429).
- CVE-2019-11757: Fixed a use-after-free when creating index updates in IndexedDB (bsc#1154738).
- CVE-2019-11758: Fixed a potentially exploitable crash due to 360 Total Security (bsc#1154738).
- CVE-2019-11759: Fixed a stack buffer overflow in HKDF output (bsc#1154738).
- CVE-2019-11760: Fixed a stack buffer overflow in WebRTC networking (bsc#1154738).
- CVE-2019-11761: Fixed an unintended access to a privileged JSONView object (bsc#1154738).
- CVE-2019-11762: Fixed a same-origin-property violation (bsc#1154738).
- CVE-2019-11763: Fixed an XSS bypass (bsc#1154738).
- CVE-2019-11764: Fixed several memory safety bugs (bsc#1154738).
Non-security issues fixed:
- Firefox 60.7 ESR changed the user interface language (bsc#1137990).
- Wrong Firefox GUI Language (bsc#1120374).
- Fixed an inadvertent crash report transmission without user opt-in (bsc#1074235).
- Firefox hangs randomly when browsing and scrolling (bsc#1043008).
- Firefox stops loading page until mouse is moved (bsc#1025108).
ImportantSUSE bug 1010399SUSE bug 1010405SUSE bug 1010406SUSE bug 1010408SUSE bug 1010409SUSE bug 1010421SUSE bug 1010423SUSE bug 1010424SUSE bug 1010425SUSE bug 1010426SUSE bug 1025108SUSE bug 1043008SUSE bug 1047281SUSE bug 1074235SUSE bug 1092611SUSE bug 1120374SUSE bug 1137990SUSE bug 1149429SUSE bug 1154738SUSE bug 959933SUSE bug 983922CVE-2016-2830 at SUSECVE-2016-2830 at NVDCVE-2016-5289 at SUSECVE-2016-5289 at NVDCVE-2016-5292 at SUSECVE-2016-5292 at NVDCVE-2016-9063 at SUSECVE-2016-9063 at NVDCVE-2016-9067 at SUSECVE-2016-9067 at NVDCVE-2016-9068 at SUSECVE-2016-9068 at NVDCVE-2016-9069 at SUSECVE-2016-9069 at NVDCVE-2016-9071 at SUSECVE-2016-9071 at NVDCVE-2016-9073 at SUSECVE-2016-9073 at NVDCVE-2016-9075 at SUSECVE-2016-9075 at NVDCVE-2016-9076 at SUSECVE-2016-9076 at NVDCVE-2016-9077 at SUSECVE-2016-9077 at NVDCVE-2017-7789 at SUSECVE-2017-7789 at NVDCVE-2018-5150 at SUSECVE-2018-5150 at NVDCVE-2018-5151 at SUSECVE-2018-5151 at NVDCVE-2018-5152 at SUSECVE-2018-5152 at NVDCVE-2018-5153 at SUSECVE-2018-5153 at NVDCVE-2018-5154 at SUSECVE-2018-5154 at NVDCVE-2018-5155 at SUSECVE-2018-5155 at NVDCVE-2018-5157 at SUSECVE-2018-5157 at NVDCVE-2018-5158 at SUSECVE-2018-5158 at NVDCVE-2018-5159 at SUSECVE-2018-5159 at NVDCVE-2018-5160 at SUSECVE-2018-5160 at NVDCVE-2018-5163 at SUSECVE-2018-5163 at NVDCVE-2018-5164 at SUSECVE-2018-5164 at NVDCVE-2018-5165 at SUSECVE-2018-5165 at NVDCVE-2018-5166 at SUSECVE-2018-5166 at NVDCVE-2018-5167 at SUSECVE-2018-5167 at NVDCVE-2018-5168 at SUSECVE-2018-5168 at NVDCVE-2018-5169 at SUSECVE-2018-5169 at NVDCVE-2018-5172 at SUSECVE-2018-5172 at NVDCVE-2018-5173 at SUSECVE-2018-5173 at NVDCVE-2018-5174 at SUSECVE-2018-5174 at NVDCVE-2018-5175 at SUSECVE-2018-5175 at NVDCVE-2018-5176 at SUSECVE-2018-5176 at NVDCVE-2018-5177 at SUSECVE-2018-5177 at NVDCVE-2018-5178 at SUSECVE-2018-5178 at NVDCVE-2018-5179 at SUSECVE-2018-5179 at NVDCVE-2018-5180 at SUSECVE-2018-5180 at NVDCVE-2018-5181 at SUSECVE-2018-5181 at NVDCVE-2018-5182 at SUSECVE-2018-5182 at NVDCVE-2018-5183 at SUSECVE-2018-5183 at NVDCVE-2019-11757 at SUSECVE-2019-11757 at NVDCVE-2019-11758 at SUSECVE-2019-11758 at NVDCVE-2019-11759 at SUSECVE-2019-11759 at NVDCVE-2019-11760 at SUSECVE-2019-11760 at NVDCVE-2019-11761 at SUSECVE-2019-11761 at NVDCVE-2019-11762 at SUSECVE-2019-11762 at NVDCVE-2019-11763 at SUSECVE-2019-11763 at NVDCVE-2019-11764 at SUSECVE-2019-11764 at NVDCVE-2019-15903 at SUSECVE-2019-15903 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for samba (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for samba fixes the following issues:
- CVE-2019-10218: Client code can return filenames containing path separators (bsc#1144902).
ImportantSUSE bug 1144902CVE-2019-10218 at SUSECVE-2019-10218 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for gdb (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for gdb fixes the following issues:
Update to gdb 8.3.1: (jsc#ECO-368)
Security issues fixed:
- CVE-2019-1010180: Fixed a potential buffer overflow when loading ELF sections larger than the file. (bsc#1142772)
Upgrade libipt from v2.0 to v2.0.1.
- Enable librpm for version > librpm.so.3 [bsc#1145692]:
* Allow any librpm.so.x
* Add %build test to check for 'zypper install <rpm-packagename>'
message
- Copy gdbinit from fedora master @ 25caf28. Add
gdbinit.without-python, and use it for --without=python.
Rebase to 8.3 release (as in fedora 30 @ 1e222a3).
* DWARF index cache: GDB can now automatically save indices of DWARF
symbols on disk to speed up further loading of the same binaries.
* Ada task switching is now supported on aarch64-elf targets when
debugging a program using the Ravenscar Profile.
* Terminal styling is now available for the CLI and the TUI.
* Removed support for old demangling styles arm, edg, gnu, hp and
lucid.
* Support for new native configuration RISC-V GNU/Linux (riscv*-*-linux*).
- Implemented access to more POWER8 registers. [fate#326120, fate#325178]
- Also handle most new s390 arch13 instructions. [fate#327369, jsc#ECO-368]
ModerateSUSE bug 1115034SUSE bug 1142772SUSE bug 1145692CVE-2019-1010180 at SUSECVE-2019-1010180 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libssh2_org (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libssh2_org fixes the following issue:
- CVE-2019-17498: Fixed an integer overflow in a bounds check that might have led to the disclosure of sensitive information or a denial of service (bsc#1154862).
ModerateSUSE bug 1154862CVE-2019-17498 at SUSECVE-2019-17498 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libseccomp (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libseccomp fixes the following issues:
Update to new upstream release 2.4.1:
* Fix a BPF generation bug where the optimizer mistakenly
identified duplicate BPF code blocks.
Updated to 2.4.0 (bsc#1128828 CVE-2019-9893):
* Update the syscall table for Linux v5.0-rc5
* Added support for the SCMP_ACT_KILL_PROCESS action
* Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute
* Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension
* Added support for the parisc and parisc64 architectures
* Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3)
* Return -EDOM on an endian mismatch when adding an architecture to a filter
* Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run()
* Fix PFC generation when a syscall is prioritized, but no rule exists
* Numerous fixes to the seccomp-bpf filter generation code
* Switch our internal hashing function to jhash/Lookup3 to MurmurHash3
* Numerous tests added to the included test suite, coverage now at ~92%
* Update our Travis CI configuration to use Ubuntu 16.04
* Numerous documentation fixes and updates
Update to release 2.3.3:
* Updated the syscall table for Linux v4.15-rc7
Update to release 2.3.2:
* Achieved full compliance with the CII Best Practices program
* Added Travis CI builds to the GitHub repository
* Added code coverage reporting with the '--enable-code-coverage' configure
flag and added Coveralls to the GitHub repository
* Updated the syscall tables to match Linux v4.10-rc6+
* Support for building with Python v3.x
* Allow rules with the -1 syscall if the SCMP\_FLTATR\_API\_TSKIP attribute is
set to true
* Several small documentation fixes
- ignore make check error for ppc64/ppc64le, bypass bsc#1142614
ModerateSUSE bug 1082318SUSE bug 1128828SUSE bug 1142614CVE-2019-9893 at SUSECVE-2019-9893 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
The SUSE Linux Enterprise 12-SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race
condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine
Exception during Page Size Change, causing the CPU core to be non-functional.
The Linux Kernel kvm hypervisor was adjusted to avoid page size changes in
executable pages by splitting / merging huge pages into small pages as
needed. More information can be found on https://www.suse.com/support/kb/doc/?id=7023735
- CVE-2019-16995: Fix a memory leak in hsr_dev_finalize() if hsr_add_port
failed to add a port, which may have caused denial of service (bsc#1152685).
- CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with
Transactional Memory support could be used to facilitate sidechannel
information leaks out of microarchitectural buffers, similar to the
previously described 'Microarchitectural Data Sampling' attack.
The Linux kernel was supplemented with the option to disable TSX operation
altogether (requiring CPU Microcode updates on older systems) and better
flushing of microarchitectural buffers (VERW).
The set of options available is described in our TID at https://www.suse.com/support/kb/doc/?id=7024251
- CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c did not check the
alloc_workqueue return value, leading to a NULL pointer dereference.
(bsc#1150457).
- CVE-2019-10220: Added sanity checks on the pathnames passed to the user
space. (bsc#1144903).
- CVE-2019-17666: rtlwifi: Fix potential overflow in P2P code (bsc#1154372).
- CVE-2019-17133: cfg80211 wireless extension did not reject a long SSID IE,
leading to a Buffer Overflow (bsc#1153158).
- CVE-2019-16232: Fix a potential NULL pointer dereference in the Marwell
libertas driver (bsc#1150465).
- CVE-2019-16234: iwlwifi pcie driver did not check the alloc_workqueue return
value, leading to a NULL pointer dereference. (bsc#1150452).
- CVE-2019-17055: The AF_ISDN network module in the Linux kernel did not
enforce CAP_NET_RAW, which meant that unprivileged users could create a raw
socket (bnc#1152782).
- CVE-2019-17056: The AF_NFC network module did not enforce CAP_NET_RAW, which
meant that unprivileged users could create a raw socket (bsc#1152788).
- CVE-2019-16413: The 9p filesystem did not protect i_size_write() properly,
which caused an i_size_read() infinite loop and denial of service on SMP
systems (bnc#1151347).
- CVE-2019-15902: A backporting issue was discovered that re-introduced the
Spectre vulnerability it had aimed to eliminate. This occurred because the
backport process depends on cherry picking specific commits, and because two
(correctly ordered) code lines were swapped (bnc#1149376).
- CVE-2019-15291: Fixed a NULL pointer dereference issue that could be caused
by a malicious USB device (bnc#1146519).
- CVE-2019-15807: Fixed a memory leak in the SCSI module that could be abused
to cause denial of service (bnc#1148938).
- CVE-2019-13272: Fixed a mishandled the recording of the credentials of a
process that wants to create a ptrace relationship, which allowed local users
to obtain root access by leveraging certain scenarios with a parent-child
process relationship, where a parent drops privileges and calls execve
(potentially allowing control by an attacker). (bnc#1140671).
- CVE-2019-14821: An out-of-bounds access issue was fixed in the kernel's KVM
hypervisor. An unprivileged host user or process with access to '/dev/kvm'
device could use this flaw to crash the host kernel, resulting in a denial of
service or potentially escalating privileges on the system (bnc#1151350).
- CVE-2019-15505: An out-of-bounds issue had been fixed that could be caused by
crafted USB device traffic (bnc#1147122).
- CVE-2017-18595: A double free in allocate_trace_buffer was fixed
(bnc#1149555).
- CVE-2019-14835: A buffer overflow flaw was found in the kernel's vhost
functionality that translates virtqueue buffers to IOVs. A privileged guest
user able to pass descriptors with invalid length to the host could use this
flaw to increase their privileges on the host (bnc#1150112).
- CVE-2019-15216: A NULL pointer dereference was fixed that could be malicious
USB device (bnc#1146361).
- CVE-2019-15924: A a NULL pointer dereference has been fixed in the
drivers/net/ethernet/intel/fm10k module (bnc#1149612).
- CVE-2019-9456: An out-of-bounds write in the USB monitor driver has been
fixed. This issue could lead to local escalation of privilege with System
execution privileges needed. (bnc#1150025).
- CVE-2019-15926: An out-of-bounds access was fixed in the
drivers/net/wireless/ath/ath6kl module. (bnc#1149527).
- CVE-2019-15927: An out-of-bounds access was fixed in the sound/usb/mixer
module (bnc#1149522).
- CVE-2019-15666: There was an out-of-bounds array access in the net/xfrm
module that could cause denial of service (bnc#1148394).
- CVE-2017-18379: An out-of-boundary access was fixed in the
drivers/nvme/target module (bnc#1143187).
- CVE-2019-15219: A NULL pointer dereference was fixed that could be abused by
a malicious USB device (bnc#1146519 1146524).
- CVE-2019-15220: A use-after-free issue was fixed that could be caused by a
malicious USB device (bnc#1146519 1146526).
- CVE-2019-15221: A NULL pointer dereference was fixed that could be caused by
a malicious USB device (bnc#1146519 1146529).
- CVE-2019-14814: A heap-based buffer overflow was fixed in the marvell wifi
chip driver. That issue allowed local users to cause a denial of service
(system crash) or possibly execute arbitrary code (bnc#1146512).
- CVE-2019-14815: A missing length check while parsing WMM IEs was fixed
(bsc#1146512, bsc#1146514, bsc#1146516).
- CVE-2019-14816: A heap-based buffer overflow in the marvell wifi chip driver
was fixed. Local users would have abused this issue to cause a denial of
service (system crash) or possibly execute arbitrary code (bnc#1146516).
- CVE-2017-18509: An issue in net/ipv6 as fixed. By setting a specific socket
option, an attacker could control a pointer in kernel land and cause an
inet_csk_listen_stop general protection fault, or potentially execute
arbitrary code under certain circumstances. The issue can be triggered as
root (e.g., inside a default LXC container or with the CAP_NET_ADMIN
capability) or after namespace unsharing. (bnc#1145477)
- CVE-2019-9506: The Bluetooth BR/EDR specification used to permit sufficiently
low encryption key length and did not prevent an attacker from influencing
the key length negotiation. This allowed practical brute-force attacks (aka
'KNOB') that could decrypt traffic and inject arbitrary ciphertext without
the victim noticing (bnc#1137865).
- CVE-2019-15098: A NULL pointer dereference in drivers/net/wireless/ath was
fixed (bnc#1146378).
- CVE-2019-15290: A NULL pointer dereference in ath6kl_usb_alloc_urb_from_pipe
was fixed (bsc#1146378).
- CVE-2019-15239: A incorrect patch to net/ipv4 was fixed. By adding to a write
queue between disconnection and re-connection, a local attacker could trigger
multiple use-after-free conditions. This could result in kernel crashes or
potentially in privilege escalation. (bnc#1146589)
- CVE-2019-15212: A double-free issue was fixed in drivers/usb driver
(bnc#1146391).
- CVE-2016-10906: A use-after-free issue was fixed in drivers/net/ethernet/arc
(bnc#1146584).
- CVE-2019-15211: A use-after-free issue caused by a malicious USB device was
fixed in the drivers/media/v4l2-core driver (bnc#1146519).
- CVE-2019-15217: A a NULL pointer dereference issue caused by a malicious USB
device was fixed in the drivers/media/usb/zr364xx driver (bnc#1146519).
- CVE-2019-15214: An a use-after-free issue in the sound subsystem was fixed
(bnc#1146519).
- CVE-2019-15218: A NULL pointer dereference caused by a malicious USB device
was fixed in the drivers/media/usb/siano driver (bnc#1146413).
- CVE-2019-15215: A use-after-free issue caused by a malicious USB device was
fixed in the drivers/media/usb/cpia2 driver (bnc#1146425).
- CVE-2018-20976: A use-after-free issue was fixed in the fs/xfs driver
(bnc#1146285).
- CVE-2017-18551: An out-of-bounds write was fixed in the drivers/i2c driver
(bnc#1146163).
- CVE-2019-0154: An unprotected read access to i915 registers has been fixed
that could have been abused to facilitate a local denial-of-service attack.
(bsc#1135966)
- CVE-2019-0155: A privilege escalation vulnerability has been fixed in the
i915 module that allowed batch buffers from user mode to gain super user
privileges. (bsc#1135967)
The following non-security bugs were fixed:
- array_index_nospec: Sanitize speculative array (bsc#1155671)
- bonding/802.3ad: fix link_failure_count tracking (bsc#1141013).
- bonding/802.3ad: fix slave link initialization transition states (bsc#1141013).
- bonding: correctly update link status during mii-commit phase (bsc#1141013).
- bonding: fix active-backup transition (bsc#1141013).
- bonding: make speed, duplex setting consistent with link state (bsc#1141013).
- bonding: ratelimit failed speed/duplex update warning (bsc#1141013).
- bonding: require speed/duplex only for 802.3ad, alb and tlb (bsc#1141013).
- bonding: set default miimon value for non-arp modes if not set (bsc#1141013).
- bonding: speed/duplex update at NETDEV_UP event (bsc#1141013).
- cifs: fix panic in smb2_reconnect (bsc#1142458).
- cifs: handle netapp error codes (bsc#1136261).
- cpu/speculation: Uninline and export CPU mitigations helpers (bnc#1117665).
- ib/core, ipoib: Do not overreact to SM LID change event (bsc#1154103)
- ib/core: Add mitigation for Spectre V1 (bsc#1155671)
- ixgbe: sync the first fragment unconditionally (bsc#1133140).
- kvm: Convert kvm_lock to a mutex (bsc#1117665).
- kvm: lapic: cap __delay at lapic_timer_advance_ns (bsc#1149083).
- kvm: mmu: drop vcpu param in gpte_access (bsc#1117665).
- kvm: mmu: introduce kvm_mmu_gfn_{allow,disallow}_lpage (bsc#1117665).
- kvm: mmu: rename has_wrprotected_page to mmu_gfn_lpage_is_disallowed (bsc#1117665).
- kvm: vmx, svm: always run with EFER.NXE=1 when shadow paging is active (bsc#1117665).
- kvm: x86, powerpc: do not allow clearing largepages debugfs entry (bsc#1117665).
- kvm: x86: Do not release the page inside mmu_set_spte() (bsc#1117665).
- kvm: x86: MMU: Consolidate quickly_check_mmio_pf() and is_mmio_page_fault() (bsc#1117665).
- kvm: x86: MMU: Encapsulate the type of rmap-chain head in a new struct (bsc#1117665).
- kvm: x86: MMU: Move handle_mmio_page_fault() call to kvm_mmu_page_fault() (bsc#1117665).
- kvm: x86: MMU: Move initialization of parent_ptes out from kvm_mmu_alloc_page() (bsc#1117665).
- kvm: x86: MMU: Move parent_pte handling from kvm_mmu_get_page() to link_shadow_page() (bsc#1117665).
- kvm: x86: MMU: Remove unused parameter parent_pte from kvm_mmu_get_page() (bsc#1117665).
- kvm: x86: MMU: always set accessed bit in shadow PTEs (bsc#1117665).
- kvm: x86: Reduce the overhead when lapic_timer_advance is disabled (bsc#1149083).
- kvm: x86: add tracepoints around __direct_map and FNAME(fetch) (bsc#1117665).
- kvm: x86: adjust kvm_mmu_page member to save 8 bytes (bsc#1117665).
- kvm: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON (bsc#1117665).
- kvm: x86: extend usage of RET_MMIO_PF_* constants (bsc#1117665).
- kvm: x86: make FNAME(fetch) and __direct_map more similar (bsc#1117665).
- kvm: x86: mmu: Apply global mitigations knob to ITLB_MULTIHIT (bnc#1117665).
- kvm: x86: move nsec_to_cycles from x86.c to x86.h (bsc#1149083).
- kvm: x86: remove now unneeded hugepage gfn adjustment (bsc#1117665).
- kvm: x86: simplify ept_misconfig (bsc#1117665).
- media: smsusb: better handle optional alignment (bsc#1146413).
- pci: hv: Use bytes 4 and 5 from instance ID as the PCI domain numbers (bsc#1153263).
- powerpc/64s: support nospectre_v2 cmdline option (bsc#1131107).
- powerpc/pseries: correctly track irq state in default idle (bsc#1150727 bsc#1150942 ltc#178925 ltc#181484).
- powerpc/rtas: use device model APIs and serialization during LPM (bsc#1144123 ltc#178840).
- powerpc/security: Show powerpc_security_features in debugfs (bsc#1131107).
- scsi: scsi_transport_fc: Drop double list_del() (bsc#1084878) During the backport of 260f4aeddb48 ('scsi: scsi_transport_fc: return -EBUSY for deleted vport') an additional list_del() was introduced. The list entry will be freed in fc_vport_terminate(). Do not free it premature in fc_remove_host().
- swiotlb: Add support for DMA_ATTR_SKIP_CPU_SYNC in Xen-swiotlb unmap path (bsc#1133140).
- vmci: Release resource if the work is already queued (bsc#1051510).
- x86/cpu: Add Atom Tremont (Jacobsville) (bsc#1117665).
ImportantSUSE bug 1051510SUSE bug 1084878SUSE bug 1117665SUSE bug 1131107SUSE bug 1133140SUSE bug 1135966SUSE bug 1135967SUSE bug 1136261SUSE bug 1137865SUSE bug 1139073SUSE bug 1140671SUSE bug 1141013SUSE bug 1141054SUSE bug 1142458SUSE bug 1143187SUSE bug 1144123SUSE bug 1144903SUSE bug 1145477SUSE bug 1146042SUSE bug 1146163SUSE bug 1146285SUSE bug 1146361SUSE bug 1146378SUSE bug 1146391SUSE bug 1146413SUSE bug 1146425SUSE bug 1146512SUSE bug 1146514SUSE bug 1146516SUSE bug 1146519SUSE bug 1146524SUSE bug 1146526SUSE bug 1146529SUSE bug 1146540SUSE bug 1146543SUSE bug 1146547SUSE bug 1146550SUSE bug 1146584SUSE bug 1146589SUSE bug 1147022SUSE bug 1147122SUSE bug 1148394SUSE bug 1148938SUSE bug 1149083SUSE bug 1149376SUSE bug 1149522SUSE bug 1149527SUSE bug 1149555SUSE bug 1149612SUSE bug 1150025SUSE bug 1150112SUSE bug 1150452SUSE bug 1150457SUSE bug 1150465SUSE bug 1150727SUSE bug 1150942SUSE bug 1151347SUSE bug 1151350SUSE bug 1152685SUSE bug 1152782SUSE bug 1152788SUSE bug 1153158SUSE bug 1153263SUSE bug 1154103SUSE bug 1154372SUSE bug 1155131SUSE bug 1155671CVE-2016-10906 at SUSECVE-2016-10906 at NVDCVE-2017-18379 at SUSECVE-2017-18379 at NVDCVE-2017-18509 at SUSECVE-2017-18509 at NVDCVE-2017-18551 at SUSECVE-2017-18551 at NVDCVE-2017-18595 at SUSECVE-2017-18595 at NVDCVE-2018-12207 at SUSECVE-2018-12207 at NVDCVE-2018-20976 at SUSECVE-2018-20976 at NVDCVE-2019-0154 at SUSECVE-2019-0154 at NVDCVE-2019-0155 at SUSECVE-2019-0155 at NVDCVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-11135 at SUSECVE-2019-11135 at NVDCVE-2019-13272 at SUSECVE-2019-13272 at NVDCVE-2019-14814 at SUSECVE-2019-14814 at NVDCVE-2019-14815 at SUSECVE-2019-14815 at NVDCVE-2019-14816 at SUSECVE-2019-14816 at NVDCVE-2019-14821 at SUSECVE-2019-14821 at NVDCVE-2019-14835 at SUSECVE-2019-14835 at NVDCVE-2019-15098 at SUSECVE-2019-15098 at NVDCVE-2019-15211 at SUSECVE-2019-15211 at NVDCVE-2019-15212 at SUSECVE-2019-15212 at NVDCVE-2019-15214 at SUSECVE-2019-15214 at NVDCVE-2019-15215 at SUSECVE-2019-15215 at NVDCVE-2019-15216 at SUSECVE-2019-15216 at NVDCVE-2019-15217 at SUSECVE-2019-15217 at NVDCVE-2019-15218 at SUSECVE-2019-15218 at NVDCVE-2019-15219 at SUSECVE-2019-15219 at NVDCVE-2019-15220 at SUSECVE-2019-15220 at NVDCVE-2019-15221 at SUSECVE-2019-15221 at NVDCVE-2019-15239 at SUSECVE-2019-15239 at NVDCVE-2019-15290 at SUSECVE-2019-15290 at NVDCVE-2019-15291 at SUSECVE-2019-15291 at NVDCVE-2019-15505 at SUSECVE-2019-15505 at NVDCVE-2019-15666 at SUSECVE-2019-15666 at NVDCVE-2019-15807 at SUSECVE-2019-15807 at NVDCVE-2019-15902 at SUSECVE-2019-15902 at NVDCVE-2019-15924 at SUSECVE-2019-15924 at NVDCVE-2019-15926 at SUSECVE-2019-15926 at NVDCVE-2019-15927 at SUSECVE-2019-15927 at NVDCVE-2019-16232 at SUSECVE-2019-16232 at NVDCVE-2019-16233 at SUSECVE-2019-16233 at NVDCVE-2019-16234 at SUSECVE-2019-16234 at NVDCVE-2019-16413 at SUSECVE-2019-16413 at NVDCVE-2019-16995 at SUSECVE-2019-16995 at NVDCVE-2019-17055 at SUSECVE-2019-17055 at NVDCVE-2019-17056 at SUSECVE-2019-17056 at NVDCVE-2019-17133 at SUSECVE-2019-17133 at NVDCVE-2019-17666 at SUSECVE-2019-17666 at NVDCVE-2019-9456 at SUSECVE-2019-9456 at NVDCVE-2019-9506 at SUSECVE-2019-9506 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for ucode-intel fixes the following issues:
- Updated to 20191112 security release (bsc#1155988)
- Processor Identifier Version Products
- Model Stepping F-MO-S/PI Old->New
- ---- new platforms ----------------------------------------
- CML-U62 A0 6-a6-0/80 000000c6 Core Gen10 Mobile
- CNL-U D0 6-66-3/80 0000002a Core Gen8 Mobile
- SKX-SP B1 6-55-3/97 01000150 Xeon Scalable
- ICL U/Y D1 6-7e-5/80 00000046 Core Gen10 Mobile
- ---- updated platforms ------------------------------------
- SKL U/Y D0 6-4e-3/c0 000000cc->000000d4 Core Gen6 Mobile
- SKL H/S/E3 R0/N0 6-5e-3/36 000000cc->000000d4 Core Gen6
- AML-Y22 H0 6-8e-9/10 000000b4->000000c6 Core Gen8 Mobile
- KBL-U/Y H0 6-8e-9/c0 000000b4->000000c6 Core Gen7 Mobile
- CFL-U43e D0 6-8e-a/c0 000000b4->000000c6 Core Gen8 Mobile
- WHL-U W0 6-8e-b/d0 000000b8->000000c6 Core Gen8 Mobile
- AML-Y V0 6-8e-c/94 000000b8->000000c6 Core Gen10 Mobile
- CML-U42 V0 6-8e-c/94 000000b8->000000c6 Core Gen10 Mobile
- WHL-U V0 6-8e-c/94 000000b8->000000c6 Core Gen8 Mobile
- KBL-G/X H0 6-9e-9/2a 000000b4->000000c6 Core Gen7/Gen8
- KBL-H/S/E3 B0 6-9e-9/2a 000000b4->000000c6 Core Gen7; Xeon E3 v6
- CFL-H/S/E3 U0 6-9e-a/22 000000b4->000000c6 Core Gen8 Desktop, Mobile, Xeon E
- CFL-S B0 6-9e-b/02 000000b4->000000c6 Core Gen8
- CFL-H R0 6-9e-d/22 000000b8->000000c6 Core Gen9 Mobile
- Includes security fixes for:
- CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073)
- CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035)
- requires coreutils for the %post script (bsc#1154043)
ImportantSUSE bug 1139073SUSE bug 1141035SUSE bug 1154043SUSE bug 1155988CVE-2019-11135 at SUSECVE-2019-11135 at NVDCVE-2019-11139 at SUSECVE-2019-11139 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libjpeg-turbo (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libjpeg-turbo fixes the following issues:
- CVE-2019-2201: Several integer overflow issues and subsequent segfaults occurred in libjpeg-turbo,
when attempting to compress or decompress gigapixel images. [bsc#1156402]
ImportantSUSE bug 1156402CVE-2019-2201 at SUSECVE-2019-2201 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for ghostscript (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for ghostscript fixes the following issue:
- CVE-2019-14869: Fixed a possible dSAFER escape which could have allowed
an attacker to gain high privileges by a specially crafted Postscript
code (bsc#1156275).
ImportantSUSE bug 1156275CVE-2019-14869 at SUSECVE-2019-14869 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for ucode-intel fixes the following issues:
- Updated to 20191112 official security release (bsc#1155988)
- Includes security fixes for:
- CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073)
- CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035)
ImportantSUSE bug 1139073SUSE bug 1141035SUSE bug 1155988CVE-2019-11135 at SUSECVE-2019-11135 at NVDCVE-2019-11139 at SUSECVE-2019-11139 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for sqlite3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for sqlite3 fixes the following issues:
- CVE-2017-2518: Fixed a use-after-free vulnerability which could have
led to buffer overflow via a crafted SQL statement (bsc#1155787).
ImportantSUSE bug 1155787CVE-2017-2518 at SUSECVE-2017-2518 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for cups (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for cups fixes the following issues:
- CVE-2019-8675: Fixed a stack buffer overflow in libcups's asn1_get_type function(bsc#1146358).
- CVE-2019-8696: Fixed a stack buffer overflow in libcups's asn1_get_packed function (bsc#1146359).
ImportantSUSE bug 1146358SUSE bug 1146359CVE-2019-8675 at SUSECVE-2019-8675 at NVDCVE-2019-8696 at SUSECVE-2019-8696 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for clamav (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for clamav fixes the following issues:
Security issue fixed:
- CVE-2019-12625: Fixed a ZIP bomb issue by adding detection and heuristics for zips with overlapping files (bsc#1144504).
- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1149458).
Non-security issues fixed:
- Added the --max-scantime clamscan option and MaxScanTime clamd configuration option (bsc#1144504).
- Increased the startup timeout of clamd to 5 minutes to cater for the grown virus database as a workaround until clamd has learned to talk to systemd to extend the timeout as long as needed (bsc#1151839).
ModerateSUSE bug 1144504SUSE bug 1149458SUSE bug 1151839CVE-2019-12625 at SUSECVE-2019-12625 at NVDCVE-2019-12900 at SUSECVE-2019-12900 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for mailman (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for mailman fixes the following issues:
- CVE-2019-3693: Fixed a local privilege escalation from wwwrun to root (bsc#1154328).
ImportantSUSE bug 1154328CVE-2019-3693 at SUSECVE-2019-3693 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_7_0-openjdk fixes the following issues:
Security issues fixed (October 2019 CPU bsc#1154212):
- CVE-2019-2933: Windows file handling redux
- CVE-2019-2945: Better socket support
- CVE-2019-2949: Better Kerberos ccache handling
- CVE-2019-2958: Build Better Processes
- CVE-2019-2964: Better support for patterns
- CVE-2019-2962: Better Glyph Images
- CVE-2019-2973: Better pattern compilation
- CVE-2019-2978: Improved handling of jar files
- CVE-2019-2981: Better Path supports
- CVE-2019-2983: Better serial attributes
- CVE-2019-2987: Better rendering of native glyphs
- CVE-2019-2988: Better Graphics2D drawing
- CVE-2019-2989: Improve TLS connection support
- CVE-2019-2992: Enhance font glyph mapping
- CVE-2019-2999: Commentary on Javadoc comments
- CVE-2019-2894: Enhance ECDSA operations (bsc#1152856).
ImportantSUSE bug 1152856SUSE bug 1154212CVE-2019-2894 at SUSECVE-2019-2894 at NVDCVE-2019-2933 at SUSECVE-2019-2933 at NVDCVE-2019-2945 at SUSECVE-2019-2945 at NVDCVE-2019-2949 at SUSECVE-2019-2949 at NVDCVE-2019-2958 at SUSECVE-2019-2958 at NVDCVE-2019-2962 at SUSECVE-2019-2962 at NVDCVE-2019-2964 at SUSECVE-2019-2964 at NVDCVE-2019-2973 at SUSECVE-2019-2973 at NVDCVE-2019-2978 at SUSECVE-2019-2978 at NVDCVE-2019-2981 at SUSECVE-2019-2981 at NVDCVE-2019-2983 at SUSECVE-2019-2983 at NVDCVE-2019-2987 at SUSECVE-2019-2987 at NVDCVE-2019-2988 at SUSECVE-2019-2988 at NVDCVE-2019-2989 at SUSECVE-2019-2989 at NVDCVE-2019-2992 at SUSECVE-2019-2992 at NVDCVE-2019-2999 at SUSECVE-2019-2999 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for LibVNCServer (Critical)SUSE Linux Enterprise Server 12 SP3
This update for LibVNCServer fixes the following issues:
Security issues fixed:
- CVE-2018-20749: Fixed a heap out of bounds write vulnerability in rfbserver.c (bsc#1123828)
- CVE-2018-20750: Fixed a heap out of bounds write vulnerability in rfbserver.c (bsc#1123832)
- CVE-2018-20748: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1123823)
CriticalSUSE bug 1123823SUSE bug 1123828SUSE bug 1123832CVE-2018-20748 at SUSECVE-2018-20748 at NVDCVE-2018-20749 at SUSECVE-2018-20749 at NVDCVE-2018-20750 at SUSECVE-2018-20750 at NVDcpe:/o:suse:sles:12:sp3Security update for clamav (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for clamav fixes the following issues:
- CVE-2019-15961: Fixed a denial of service which might occur when
scanning a specially crafted email file as (bsc#1157763).
ImportantSUSE bug 1157763CVE-2019-15961 at SUSECVE-2019-15961 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for permissions (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for permissions fixes the following issues:
- CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid
which could have allowed a squid user to gain persistence by changing the
binary (bsc#1093414).
- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic
links (bsc#1150734).
- Fixed a regression which caused segmentation fault (bsc#1157198).
ModerateSUSE bug 1093414SUSE bug 1150734SUSE bug 1157198CVE-2019-3688 at SUSECVE-2019-3688 at NVDCVE-2019-3690 at SUSECVE-2019-3690 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 26 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_97 fixes several issues.
The following security issues were fixed:
- CVE-2018-20856: Fixed a use-after-free in __blk_drain_queue() due to an improper error handling (bsc#1156331).
- CVE-2019-13272: Fixed a privilege escalation from user to root due to improper handling of credentials by leveraging certain scenarios with a parent-child process relationship (bsc#1156321).
- CVE-2019-15239: Fixed a vulnerability where a local attacker could have triggered multiple use-after-free conditions resulted in privilege escalation (bsc#1156317).
- CVE-2019-10220: Fixed an issue where samba servers could inject relative paths in directory entry lists (bsc#1153108).
The following bugs were fixed:
- Fixed boot up hang revealed by int3 self test (bsc#1157770).
ImportantSUSE bug 1153108SUSE bug 1156317SUSE bug 1156321SUSE bug 1156331SUSE bug 1157770CVE-2018-20856 at SUSECVE-2018-20856 at NVDCVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-13272 at SUSECVE-2019-13272 at NVDCVE-2019-15239 at SUSECVE-2019-15239 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 27 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_100 fixes several issues.
The following security issues were fixed:
- CVE-2018-20856: Fixed a use-after-free in __blk_drain_queue() due to an improper error handling (bsc#1156331).
- CVE-2019-13272: Fixed a privilege escalation from user to root due to improper handling of credentials by leveraging certain scenarios with a parent-child process relationship (bsc#1156321).
- CVE-2019-15239: Fixed a vulnerability where a local attacker could have triggered multiple use-after-free conditions resulted in privilege escalation (bsc#1156317).
- CVE-2019-10220: Fixed an issue where samba servers could inject relative paths in directory entry lists (bsc#1153108).
The following bugs were fixed:
- Fixed boot up hang revealed by int3 self test (bsc#1157770).
ImportantSUSE bug 1153108SUSE bug 1156317SUSE bug 1156321SUSE bug 1156331SUSE bug 1157770CVE-2018-20856 at SUSECVE-2018-20856 at NVDCVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-13272 at SUSECVE-2019-13272 at NVDCVE-2019-15239 at SUSECVE-2019-15239 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 28 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_103 fixes several issues.
The following security issues were fixed:
- CVE-2019-13272: Fixed a privilege escalation from user to root due to improper handling of credentials by leveraging certain scenarios with a parent-child process relationship (bsc#1156321).
- CVE-2019-15239: Fixed a vulnerability where a local attacker could have triggered multiple use-after-free conditions resulted in privilege escalation (bsc#1156317).
- CVE-2019-10220: Fixed an issue where samba servers could inject relative paths in directory entry lists (bsc#1153108).
The following bugs were fixed:
- Fixed boot up hang revealed by int3 self test (bsc#1157770).
ImportantSUSE bug 1153108SUSE bug 1156317SUSE bug 1156321SUSE bug 1157770CVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-13272 at SUSECVE-2019-13272 at NVDCVE-2019-15239 at SUSECVE-2019-15239 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 23 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.175-94_79 fixes several issues.
The following security issues were fixed:
- CVE-2018-20856: Fixed a use-after-free in block/blk-core.c due to improper error handling (bsc#1156331).
- CVE-2019-13272: Fixed a privilege escalation from user to root due to improper handling of credentials by leveraging
certain scenarios with a parent-child process relationship (bsc#1156321).
- CVE-2019-15239: Fixed a vulnerability where a local attacker could have triggered multiple use-after-free conditions
resulted in privilege escalation (bsc#1156317).
- CVE-2019-10220: Fixed an issue where samba servers could inject relative paths in directory entry lists (bsc#1153108).
ImportantSUSE bug 1153108SUSE bug 1156317SUSE bug 1156321SUSE bug 1156331CVE-2018-20856 at SUSECVE-2018-20856 at NVDCVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-13272 at SUSECVE-2019-13272 at NVDCVE-2019-15239 at SUSECVE-2019-15239 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 24 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.176-94_88 fixes several issues.
The following security issues were fixed:
- CVE-2018-20856: Fixed a use-after-free in block/blk-core.c due to improper error handling (bsc#1156331).
- CVE-2019-13272: Fixed a privilege escalation from user to root due to improper handling of credentials by leveraging
certain scenarios with a parent-child process relationship (bsc#1156321).
- CVE-2019-15239: Fixed a vulnerability where a local attacker could have triggered multiple use-after-free conditions
resulted in privilege escalation (bsc#1156317).
- CVE-2019-10220: Fixed an issue where samba servers could inject relative paths in directory entry lists (bsc#1153108).
ImportantSUSE bug 1153108SUSE bug 1156317SUSE bug 1156321SUSE bug 1156331CVE-2018-20856 at SUSECVE-2018-20856 at NVDCVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-13272 at SUSECVE-2019-13272 at NVDCVE-2019-15239 at SUSECVE-2019-15239 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 25 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.178-94_91 fixes several issues.
The following security issues were fixed:
- CVE-2018-20856: Fixed a use-after-free in block/blk-core.c due to improper error handling (bsc#1156331).
- CVE-2019-13272: Fixed a privilege escalation from user to root due to improper handling of credentials by leveraging
certain scenarios with a parent-child process relationship (bsc#1156321).
- CVE-2019-15239: Fixed a vulnerability where a local attacker could have triggered multiple use-after-free conditions
resulted in privilege escalation (bsc#1156317).
- CVE-2019-10220: Fixed an issue where samba servers could inject relative paths in directory entry lists (bsc#1153108).
ImportantSUSE bug 1153108SUSE bug 1156317SUSE bug 1156321SUSE bug 1156331CVE-2018-20856 at SUSECVE-2018-20856 at NVDCVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-13272 at SUSECVE-2019-13272 at NVDCVE-2019-15239 at SUSECVE-2019-15239 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for strongswan (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for strongswan provides the following fixes:
Security issues fixed:
- CVE-2018-5388: Fixed a buffer underflow which may allow to a remote attacker
with local user credentials to resource exhaustion and denial of service while
reading from the socket (bsc#1094462).
- CVE-2018-10811: Fixed a denial of service during the IKEv2 key derivation if
the openssl plugin is used in FIPS mode and HMAC-MD5 is negotiated as PRF
(bsc#1093536).
- CVE-2018-16151,CVE-2018-16152: Fixed multiple flaws in the gmp plugin which
might lead to authorization bypass (bsc#1107874).
- CVE-2018-17540: Fixed an improper input validation in gmp plugin (bsc#1109845).
Other issues addressed:
- Fixed some client fails when the scep server URL is used with HTTPS protocol (bsc#1071853).
- Reject Diffie-Hellman key exchanges using primes smaller than 1024 bit.
- Handle unexpected informational message from SonicWall. (bsc#1009254)
ImportantSUSE bug 1009254SUSE bug 1071853SUSE bug 1093536SUSE bug 1094462SUSE bug 1107874SUSE bug 1109845CVE-2018-10811 at SUSECVE-2018-10811 at NVDCVE-2018-16151 at SUSECVE-2018-16151 at NVDCVE-2018-16152 at SUSECVE-2018-16152 at NVDCVE-2018-17540 at SUSECVE-2018-17540 at NVDCVE-2018-5388 at SUSECVE-2018-5388 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for xen fixes the following issues:
- CVE-2019-19581: Fixed a potential out of bounds on 32-bit Arm (bsc#1158003 XSA-307).
- CVE-2019-19582: Fixed a potential infinite loop when x86 accesses to bitmaps with
a compile time known size of 64 (bsc#1158003 XSA-307).
- CVE-2019-19583: Fixed improper checks which could have allowed HVM/PVH guest userspace
code to crash the guest,leading to a guest denial of service (bsc#1158004 XSA-308).
- CVE-2019-19578: Fixed an issue where a malicious or buggy PV guest could have caused
hypervisor crash resulting in denial of service affecting the entire host (bsc#1158005 XSA-309).
- CVE-2019-19580: Fixed a privilege escalation where a malicious PV guest administrator
could have been able to escalate their privilege to that of the host (bsc#1158006 XSA-310).
- CVE-2019-19577: Fixed an issue where a malicious guest administrator could have caused Xen
to access data structures while they are being modified leading to a crash (bsc#1158007 XSA-311).
- CVE-2019-19579: Fixed a privilege escaltion where an untrusted domain with access
to a physical device can DMA into host memory (bsc#1157888 XSA-306).
- CVE-2019-18420: Malicious x86 PV guests may have caused a hypervisor crash,
resulting in a denial of service (bsc#1154448 XSA-296)
- CVE-2019-18425: 32-bit PV guest user mode could elevate its privileges to that
of the guest kernel. (bsc#1154456 XSA-298).
- CVE-2019-18421: A malicious PV guest administrator may have been able to
escalate their privilege to that of the host. (bsc#1154458 XSA-299).
- CVE-2019-18423: A malicious guest administrator may cause a hypervisor crash,
resulting in a denial of service (bsc#1154460 XSA-301).
- CVE-2019-18422: A malicious ARM guest might contrive to arrange for critical
Xen code to run with interrupts erroneously enabled. This could lead to data
corruption, denial of service, or possibly even privilege escalation. However
a precise attack technique has not been identified. (bsc#1154464 XSA-303)
- CVE-2019-18424: An untrusted domain with access to a physical device can DMA
into host memory, leading to privilege escalation. (bsc#1154461 XSA-302).
- CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race
condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine
Exception during Page Size Change, causing the CPU core to be non-functional.
(bsc#1155945 XSA-304)
- CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with
Transactional Memory support could be used to facilitate sidechannel
information leaks out of microarchitectural buffers, similar to the
previously described 'Microarchitectural Data Sampling' attack. (bsc#1152497 XSA-305).
ImportantSUSE bug 1152497SUSE bug 1154448SUSE bug 1154456SUSE bug 1154458SUSE bug 1154460SUSE bug 1154461SUSE bug 1154464SUSE bug 1155945SUSE bug 1157888SUSE bug 1158003SUSE bug 1158004SUSE bug 1158005SUSE bug 1158006SUSE bug 1158007CVE-2018-12207 at SUSECVE-2018-12207 at NVDCVE-2019-11135 at SUSECVE-2019-11135 at NVDCVE-2019-18420 at SUSECVE-2019-18420 at NVDCVE-2019-18421 at SUSECVE-2019-18421 at NVDCVE-2019-18422 at SUSECVE-2019-18422 at NVDCVE-2019-18423 at SUSECVE-2019-18423 at NVDCVE-2019-18424 at SUSECVE-2019-18424 at NVDCVE-2019-18425 at SUSECVE-2019-18425 at NVDCVE-2019-19577 at SUSECVE-2019-19577 at NVDCVE-2019-19578 at SUSECVE-2019-19578 at NVDCVE-2019-19579 at SUSECVE-2019-19579 at NVDCVE-2019-19580 at SUSECVE-2019-19580 at NVDCVE-2019-19581 at SUSECVE-2019-19581 at NVDCVE-2019-19582 at SUSECVE-2019-19582 at NVDCVE-2019-19583 at SUSECVE-2019-19583 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for git (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for git fixes the following issues:
Security issues fixed:
- CVE-2019-1349: Fixed issue on Windows, when submodules are cloned recursively, under certain circumstances Git could be fooled into using the same Git directory twice (bsc#1158787).
- CVE-2019-19604: Fixed a recursive clone followed by a submodule update could execute code contained within the repository without the user explicitly having asked for that (bsc#1158795).
- CVE-2019-1387: Fixed recursive clones that are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones (bsc#1158793).
- CVE-2019-1354: Fixed issue on Windows that refuses to write tracked files with filenames that contain backslashes (bsc#1158792).
- CVE-2019-1353: Fixed issue when run in the Windows Subsystem for Linux while accessing a working directory on a regular Windows drive, none of the NTFS protections were active (bsc#1158791).
- CVE-2019-1352: Fixed issue on Windows was unaware of NTFS Alternate Data Streams (bsc#1158790).
- CVE-2019-1351: Fixed issue on Windows mistakes drive letters outside of the US-English alphabet as relative paths (bsc#1158789).
- CVE-2019-1350: Fixed incorrect quoting of command-line arguments allowed remote code execution during a recursive clone in conjunction with SSH URLs (bsc#1158788).
- CVE-2019-1348: Fixed the --export-marks option of fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths (bsc#1158785).
- Fixed an issue where git send-email fails to authenticate with SMTP server (bsc#1082023)
ImportantSUSE bug 1082023SUSE bug 1158785SUSE bug 1158787SUSE bug 1158788SUSE bug 1158789SUSE bug 1158790SUSE bug 1158791SUSE bug 1158792SUSE bug 1158793SUSE bug 1158795CVE-2019-1348 at SUSECVE-2019-1348 at NVDCVE-2019-1349 at SUSECVE-2019-1349 at NVDCVE-2019-1350 at SUSECVE-2019-1350 at NVDCVE-2019-1351 at SUSECVE-2019-1351 at NVDCVE-2019-1352 at SUSECVE-2019-1352 at NVDCVE-2019-1353 at SUSECVE-2019-1353 at NVDCVE-2019-1354 at SUSECVE-2019-1354 at NVDCVE-2019-1387 at SUSECVE-2019-1387 at NVDCVE-2019-19604 at SUSECVE-2019-19604 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
Mozilla Firefox was updated to 68.3esr (MFSA 2019-37 bsc#1158328)
Security issues fixed:
- CVE-2019-17008: Fixed a use-after-free in worker destruction (bmo#1546331)
- CVE-2019-13722: Fixed a stack corruption due to incorrect number of arguments
in WebRTC code (bmo#1580156)
- CVE-2019-11745: Fixed an out of bounds write in NSS when encrypting with a
block cipher (bmo#1586176)
- CVE-2019-17009: Fixed an issue where updater temporary files accessible to
unprivileged processes (bmo#1510494)
- CVE-2019-17010: Fixed a use-after-free when performing device orientation
checks (bmo#1581084)
- CVE-2019-17005: Fixed a buffer overflow in plain text serializer (bmo#1584170)
- CVE-2019-17011: Fixed a use-after-free when retrieving a document
in antitracking (bmo#1591334)
- CVE-2019-17012: Fixed multiple memmory issues
(bmo#1449736, bmo#1533957, bmo#1560667,bmo#1567209, bmo#1580288, bmo#1585760,
bmo#1592502)
ImportantSUSE bug 1158328CVE-2019-11745 at SUSECVE-2019-11745 at NVDCVE-2019-13722 at SUSECVE-2019-13722 at NVDCVE-2019-17005 at SUSECVE-2019-17005 at NVDCVE-2019-17008 at SUSECVE-2019-17008 at NVDCVE-2019-17009 at SUSECVE-2019-17009 at NVDCVE-2019-17010 at SUSECVE-2019-17010 at NVDCVE-2019-17011 at SUSECVE-2019-17011 at NVDCVE-2019-17012 at SUSECVE-2019-17012 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3
This update for MozillaFirefox fixes the following issues:
Security issues fixed:
CVE-2018-18500: Fixed a use-after-free parsing HTML5 stream (boo#1122983).
CVE-2018-18501: Fixed multiple memory safety bugs (boo#1122983).
CVE-2018-18505: Fixed a privilege escalation through IPC channel messages (boo#1122983).
ImportantSUSE bug 1120374SUSE bug 1122983CVE-2018-18500 at SUSECVE-2018-18500 at NVDCVE-2018-18501 at SUSECVE-2018-18501 at NVDCVE-2018-18505 at SUSECVE-2018-18505 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
The SUSE Linux Enterprise 12 SP 3 LTSS kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2019-14895: A heap-based buffer overflow was discovered in the Linux kernel in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could have allowed the remote device to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1157158).
- CVE-2019-18660: The Linux kernel on powerpc allowed Information Exposure because the Spectre-RSB mitigation is not in place for all applicable CPUs. This is related to arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c (bnc#1157038).
- CVE-2019-18683: An issue was discovered in drivers/media/platform/vivid in the Linux kernel. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free (bnc#1155897).
- CVE-2019-19062: A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures (bnc#1157333).
- CVE-2019-19065: A memory leak in the sdma_init() function in drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering rhashtable_init() failures (bnc#1157191).
- CVE-2019-19052: A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_usb.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures (bnc#1157324).
- CVE-2019-19074: A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157143).
- CVE-2019-19073: Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the htc_connect_service() function (bnc#1157070).
- CVE-2019-16231: drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 did not check the alloc_workqueue return value, leading to a NULL pointer dereference (bnc#1150466).
- CVE-2019-18805: An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Linux kernel There was a net/ipv4/tcp_input.c signed integer overflow in tcp_ack_update_rtt() when userspace writes a very large integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading to a denial of service or possibly unspecified other impact (bnc#1156187).
- CVE-2019-18680: An issue was discovered in the Linux kernel. There was a NULL pointer dereference in rds_tcp_kill_sock() in net/rds/tcp.c that will cause denial of service (bnc#1155898).
- CVE-2019-15213: An use-after-free was fixed caused by malicious USB device in drivers/media/usb/dvb-usb/dvb-usb-init.c (bsc#1146544).
- CVE-2019-19536: An uninitialized Kernel memory can leak to USB devices in drivers/net/can/usb/peak_usb/pcan_usb_pro.c (bsc#1158394).
- CVE-2019-19534: An uninitialized Kernel memory can leak to USB devices in drivers/net/can/usb/peak_usb/pcan_usb_core.c (bsc#1158398).
- CVE-2019-19530: An use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver (bsc#1158410).
- CVE-2019-19524: An use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver (bsc#1158413).
- CVE-2019-19525: An use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver (bsc#1158417).
- CVE-2019-19531: An use-after-free in yurex_delete may lead to denial of service (bsc#1158445).
- CVE-2019-19523: An use-after-free on disconnect in USB adutux (bsc#1158823).
- CVE-2019-19532: An out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers (bsc#1158824).
- CVE-2019-19332: An out-of-bounds memory write via kvm_dev_ioctl_get_cpuid (bsc#1158827).
- CVE-2019-19533: An info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver (bsc#1158834).
- CVE-2019-19527: An use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver (bsc#1158900).
- CVE-2019-19535: An info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver (bsc#1158903).
- CVE-2019-19537: Two races in the USB character device registration and deregistration routines (bsc#1158904).
- CVE-2019-19338: An incomplete fix for Transaction Asynchronous Abort (TAA) (bsc#1158954).
The following non-security bugs were fixed:
- hyperv: set nvme msi interrupts to unmanaged (jsc#SLE-8953, jsc#SLE-9221, jsc#SLE-4941, bsc#1119461, bsc#1119465, bsc#1138190, bsc#1154905).
- ibmvnic: Bound waits for device queries (bsc#1155689 ltc#182047).
- ibmvnic: Fix completion structure initialization (bsc#1155689 ltc#182047).
- ibmvnic: Serialize device queries (bsc#1155689 ltc#182047).
- ibmvnic: Terminate waiting device threads after loss of service (bsc#1155689 ltc#182047).
- netfilter: nf_nat: do not bug when mapping already exists (bsc#1146612).
- powerpc/security/book3s64: Report L1TF status in sysfs (bsc#1091041).
- powerpc/security: Fix wrong message when RFI Flush is disable (bsc#1131107).
- sched/fair: WARN() and refuse to set buddy when !se->on_rq (bsc#1158132).
- x86/alternatives: Add int3_emulate_call() selftest (bsc#1153811).
- x86/alternatives: Fix int3_emulate_call() selftest stack corruption (bsc#1153811).
- xen/pv: Fix a boot up hang revealed by int3 self test (bsc#1153811).
- arp: Fix cache issue during Life Partition Migration (bsc#1152631).
- futexes: Fix speed on 4.12 kernel (bsc#1157464).
ImportantSUSE bug 1091041SUSE bug 1119461SUSE bug 1119465SUSE bug 1131107SUSE bug 1138190SUSE bug 1146544SUSE bug 1146612SUSE bug 1150466SUSE bug 1150483SUSE bug 1152631SUSE bug 1153811SUSE bug 1154905SUSE bug 1155689SUSE bug 1155897SUSE bug 1155898SUSE bug 1156187SUSE bug 1157038SUSE bug 1157042SUSE bug 1157070SUSE bug 1157143SUSE bug 1157158SUSE bug 1157191SUSE bug 1157324SUSE bug 1157333SUSE bug 1157464SUSE bug 1158132SUSE bug 1158394SUSE bug 1158398SUSE bug 1158410SUSE bug 1158413SUSE bug 1158417SUSE bug 1158445SUSE bug 1158823SUSE bug 1158824SUSE bug 1158827SUSE bug 1158834SUSE bug 1158900SUSE bug 1158903SUSE bug 1158904SUSE bug 1158954CVE-2019-14895 at SUSECVE-2019-14895 at NVDCVE-2019-15213 at SUSECVE-2019-15213 at NVDCVE-2019-16231 at SUSECVE-2019-16231 at NVDCVE-2019-18660 at SUSECVE-2019-18660 at NVDCVE-2019-18680 at SUSECVE-2019-18680 at NVDCVE-2019-18683 at SUSECVE-2019-18683 at NVDCVE-2019-18805 at SUSECVE-2019-18805 at NVDCVE-2019-19052 at SUSECVE-2019-19052 at NVDCVE-2019-19062 at SUSECVE-2019-19062 at NVDCVE-2019-19065 at SUSECVE-2019-19065 at NVDCVE-2019-19073 at SUSECVE-2019-19073 at NVDCVE-2019-19074 at SUSECVE-2019-19074 at NVDCVE-2019-19332 at SUSECVE-2019-19332 at NVDCVE-2019-19338 at SUSECVE-2019-19338 at NVDCVE-2019-19523 at SUSECVE-2019-19523 at NVDCVE-2019-19524 at SUSECVE-2019-19524 at NVDCVE-2019-19525 at SUSECVE-2019-19525 at NVDCVE-2019-19527 at SUSECVE-2019-19527 at NVDCVE-2019-19530 at SUSECVE-2019-19530 at NVDCVE-2019-19531 at SUSECVE-2019-19531 at NVDCVE-2019-19532 at SUSECVE-2019-19532 at NVDCVE-2019-19533 at SUSECVE-2019-19533 at NVDCVE-2019-19534 at SUSECVE-2019-19534 at NVDCVE-2019-19535 at SUSECVE-2019-19535 at NVDCVE-2019-19536 at SUSECVE-2019-19536 at NVDCVE-2019-19537 at SUSECVE-2019-19537 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for python-numpy (Important)SUSE Linux Enterprise Server 12 SP3
This update for python-numpy fixes the following issue:
Security issue fixed:
- CVE-2019-6446: Set allow_pickle to false by default to restrict loading untrusted content (bsc#1122208).
With this update we decrease the possibility of allowing remote attackers to execute arbitrary code by
misusing numpy.load(). A warning during runtime will show-up when the allow_pickle is not explicitly set.
NOTE: By applying this update the behavior of python-numpy changes, which might break your application.
In order to get the old behaviour back, you have to explicitly set `allow_pickle` to True. Be aware
that this should only be done for trusted input, as loading untrusted input might lead to arbitrary code
execution.
ImportantSUSE bug 1122208CVE-2019-6446 at SUSECVE-2019-6446 at NVDcpe:/o:suse:sles:12:sp3Security update for systemd (Important)SUSE Linux Enterprise Server 12 SP3
This update for systemd fixes the following issues:
Security vulnerability fixed:
- CVE-2019-6454: Fixed a crash of PID1 by sending specially crafted D-BUS
message on the system bus by an unprivileged user (bsc#1125352)
Other bug fixes and changes:
- journal-remote: set a limit on the number of fields in a message
- journal-remote: verify entry length from header
- journald: set a limit on the number of fields (1k)
- journald: do not store the iovec entry for process commandline on stack
- core: include Found state in device dumps
- device: fix serialization and deserialization of DeviceFound
- fix path in btrfs rule (#6844)
- assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025)
- Update systemd-system.conf.xml (bsc#1122000)
- units: inform user that the default target is started after exiting from rescue or emergency mode
- manager: don't skip sigchld handler for main and control pid for services (#3738)
- core: Add helper functions unit_{main, control}_pid
- manager: Fixing a debug printf formatting mistake (#3640)
- manager: Only invoke a single sigchld per unit within a cleanup cycle (bsc#1117382)
- core: update invoke_sigchld_event() to handle NULL ->sigchld_event()
- sd-event: expose the event loop iteration counter via sd_event_get_iteration() (#3631)
- unit: rework a bit how we keep the service fdstore from being destroyed during service restart (bsc#1122344)
- core: when restarting services, don't close fds
- cryptsetup: Add dependency on loopback setup to generated units
- journal-gateway: use localStorage['cursor'] only when it has valid value
- journal-gateway: explicitly declare local variables
- analyze: actually select longest activated-time of services
- sd-bus: fix implicit downcast of bitfield reported by LGTM
- core: free lines after reading them (bsc#1123892)
- pam_systemd: reword message about not creating a session (bsc#1111498)
- pam_systemd: suppress LOG_DEBUG log messages if debugging is off (bsc#1111498)
- main: improve RLIMIT_NOFILE handling (#5795) (bsc#1120658)
- sd-bus: if we receive an invalid dbus message, ignore and proceeed
- automount: don't pass non-blocking pipe to kernel.
- units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333)
- units: add Wants=initrd-cleanup.service to initrd-switch-root.target (#4345) (bsc#1123333)
ImportantSUSE bug 1111498SUSE bug 1117025SUSE bug 1117382SUSE bug 1120658SUSE bug 1122000SUSE bug 1122344SUSE bug 1123333SUSE bug 1123892SUSE bug 1125352CVE-2019-6454 at SUSECVE-2019-6454 at NVDcpe:/o:suse:sles:12:sp3Security update for procps (Important)SUSE Linux Enterprise Server 12 SP3
This update for procps fixes the following security issues:
- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top
with HOME unset in an attacker-controlled directory, the attacker could have
achieved privilege escalation by exploiting one of several vulnerabilities in
the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow.
Inbuilt protection in ps maped a guard page at the end of the overflowed
buffer, ensuring that the impact of this flaw is limited to a crash (temporary
denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap
corruption in file2strvec function. This allowed a privilege escalation for a
local attacker who can create entries in procfs by starting processes, which
could result in crashes or arbitrary code execution in proc utilities run by
other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was
mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent
truncation/integer overflow issues (bsc#1092100).
(These issues were previously released for SUSE Linux Enterprise 12 SP3 and SP4.)
Also the following non-security issue was fixed:
- Fix CPU summary showing old data. (bsc#1121753)
ImportantSUSE bug 1092100SUSE bug 1121753CVE-2018-1122 at SUSECVE-2018-1122 at NVDCVE-2018-1123 at SUSECVE-2018-1123 at NVDCVE-2018-1124 at SUSECVE-2018-1124 at NVDCVE-2018-1125 at SUSECVE-2018-1125 at NVDCVE-2018-1126 at SUSECVE-2018-1126 at NVDcpe:/o:suse:sles:12:sp3Security update for kernel-firmware (Important)SUSE Linux Enterprise Server 12 SP3
This update for kernel-firmware fixes the following issues:
Security issue fixed:
- CVE-2018-5383: Fixed an implementation issue in Bluetooth where the eliptic curve parameters
were not sufficiently validated during Diffie-Hellman key exchange (bsc#1104301).
ImportantSUSE bug 1104301CVE-2018-5383 at SUSECVE-2018-5383 at NVDcpe:/o:suse:sles:12:sp3Security update for python (Important)SUSE Linux Enterprise Server 12 SP3
This update for python fixes the following issues:
Security issues fixed:
- CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191).
- CVE-2018-14647: Fixed a denial-of-service vulnerability in Expat (bsc#1109847).
Non-security issue fixed:
- Fixed a bug where PyWeakReference struct was not initialized correctly leading to a crash (bsc#1073748).
ImportantSUSE bug 1073748SUSE bug 1109847SUSE bug 1122191CVE-2018-14647 at SUSECVE-2018-14647 at NVDCVE-2019-5010 at SUSECVE-2019-5010 at NVDcpe:/o:suse:sles:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3
This update for java-1_7_0-openjdk to version 7u201 fixes the following issues:
Security issues fixed:
- CVE-2018-3136: Manifest better support (bsc#1112142)
- CVE-2018-3139: Better HTTP Redirection (bsc#1112143)
- CVE-2018-3149: Enhance JNDI lookups (bsc#1112144)
- CVE-2018-3169: Improve field accesses (bsc#1112146)
- CVE-2018-3180: Improve TLS connections stability (bsc#1112147)
- CVE-2018-3214: Better RIFF reading support (bsc#1112152)
- CVE-2018-13785: Upgrade JDK 8u to libpng 1.6.35 (bsc#1112153)
- CVE-2018-16435: heap-based buffer overflow in SetData function in cmsIT8LoadFromFile
- CVE-2018-2938: Support Derby connections (bsc#1101644)
- CVE-2018-2940: Better stack walking (bsc#1101645)
- CVE-2018-2952: Exception to Pattern Syntax (bsc#1101651)
- CVE-2018-2973: Improve LDAP support (bsc#1101656)
- CVE-2018-3639 cpu speculative store bypass mitigation
ImportantSUSE bug 1101644SUSE bug 1101645SUSE bug 1101651SUSE bug 1101656SUSE bug 1112142SUSE bug 1112143SUSE bug 1112144SUSE bug 1112146SUSE bug 1112147SUSE bug 1112152SUSE bug 1112153CVE-2018-13785 at SUSECVE-2018-13785 at NVDCVE-2018-16435 at SUSECVE-2018-16435 at NVDCVE-2018-2938 at SUSECVE-2018-2938 at NVDCVE-2018-2940 at SUSECVE-2018-2940 at NVDCVE-2018-2952 at SUSECVE-2018-2952 at NVDCVE-2018-2973 at SUSECVE-2018-2973 at NVDCVE-2018-3136 at SUSECVE-2018-3136 at NVDCVE-2018-3139 at SUSECVE-2018-3139 at NVDCVE-2018-3149 at SUSECVE-2018-3149 at NVDCVE-2018-3169 at SUSECVE-2018-3169 at NVDCVE-2018-3180 at SUSECVE-2018-3180 at NVDCVE-2018-3214 at SUSECVE-2018-3214 at NVDCVE-2018-3639 at SUSECVE-2018-3639 at NVDcpe:/o:suse:sles:12:sp3Security update for apache2 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for apache2 fixes the following issues:
Security issues fixed:
- CVE-2018-17189: Fixed a denial of service in mod_http2, via slow and unneeded request bodies (bsc#1122838)
- CVE-2018-17199: Fixed that mod_session_cookie did not respect expiry time (bsc#1122839)
Non-security issue fixed:
- sysconfig.d is not created anymore if it already exists (bsc#1121086)
ModerateSUSE bug 1121086SUSE bug 1122838SUSE bug 1122839CVE-2018-17189 at SUSECVE-2018-17189 at NVDCVE-2018-17199 at SUSECVE-2018-17199 at NVDcpe:/o:suse:sles:12:sp3Security update for ceph (Important)SUSE Linux Enterprise Server 12 SP3
This update for ceph fixes the following issues:
Security issues fixed:
- CVE-2018-14662: mon: limit caps allowed to access the config store (bsc#1111177)
- CVE-2018-16846: rgw: enforce bounds on max-keys/max-uploads/max-parts (bsc#1114710)
- CVE-2018-16889: rgw: sanitize customer encryption keys from log output in v4 auth (bsc#1121567)
Non-security issue fixed:
- os/bluestore: avoid frequent allocator dump on bluefs rebalance failure (bsc#1113246)
ImportantSUSE bug 1111177SUSE bug 1113246SUSE bug 1114710SUSE bug 1121567CVE-2018-14662 at SUSECVE-2018-14662 at NVDCVE-2018-16846 at SUSECVE-2018-16846 at NVDCVE-2018-16889 at SUSECVE-2018-16889 at NVDcpe:/o:suse:sles:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3
This update for webkit2gtk3 to version 2.22.6 fixes the following issues:
Security issues fixed:
- CVE-2019-6212: Fixed multiple memory corruption vulnerabilities which could allow arbitrary code execution during the processing
of special crafted web-content.
- CVE-2019-6215: Fixed a type confusion vulnerability which could allow arbitrary code execution during the processing
of special crafted web-content.
- CVE-2019-6216: Fixed multiple memory corruption vulnerabilities which could allow arbitrary code execution during the processing
of special crafted web-content.
- CVE-2019-6217: Fixed multiple memory corruption vulnerabilities which could allow arbitrary code execution during the processing
of special crafted web-content.
- CVE-2019-6226: Fixed multiple memory corruption vulnerabilities which could allow arbitrary code execution during the processing
of special crafted web-content.
- CVE-2019-6227: Fixed a memory corruption vulnerability which could allow arbitrary code execution during the processing
of special crafted web-content.
- CVE-2019-6229: Fixed a logic issue by improving validation which could allow arbitrary code execution during the processing
of special crafted web-content.
- CVE-2019-6233: Fixed a memory corruption vulnerability which could allow arbitrary code execution during the processing
of special crafted web-content.
- CVE-2019-6234: Fixed a memory corruption vulnerability which could allow arbitrary code execution during the processing
of special crafted web-content.
Other issues addressed:
- Update to version 2.22.6 (bsc#1124937).
- Kinetic scrolling slow down smoothly when reaching the ends of pages, instead of abruptly, to better match the GTK+ behaviour.
- Fixed Web inspector magnifier under Wayland.
- Fixed garbled rendering of some websites (e.g. YouTube) while scrolling under X11.
- Fixed several crashes, race conditions, and rendering issues.
ImportantSUSE bug 1124937CVE-2019-6212 at SUSECVE-2019-6212 at NVDCVE-2019-6215 at SUSECVE-2019-6215 at NVDCVE-2019-6216 at SUSECVE-2019-6216 at NVDCVE-2019-6217 at SUSECVE-2019-6217 at NVDCVE-2019-6226 at SUSECVE-2019-6226 at NVDCVE-2019-6227 at SUSECVE-2019-6227 at NVDCVE-2019-6229 at SUSECVE-2019-6229 at NVDCVE-2019-6233 at SUSECVE-2019-6233 at NVDCVE-2019-6234 at SUSECVE-2019-6234 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3
The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.175 to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2019-6974: kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandled reference counting because of a race condition, leading to a use-after-free. (bnc#1124728)
- CVE-2019-7221: Fixed a user-after-free vulnerability in the KVM hypervisor related to the emulation of a preemption timer, allowing an guest user/process to crash the host kernel. (bsc#1124732).
- CVE-2019-7222: Fixed an information leakage in the KVM hypervisor related to handling page fault exceptions, which allowed a guest user/process to use this flaw to leak the host's stack memory contents to a guest (bsc#1124735).
- CVE-2018-1120: By mmap()ing a FUSE-backed file onto a process's memory containing command line arguments (or environment strings), an attacker could have caused utilities from psutils or procps (such as ps, w) or any other program which made a read() call to the /proc/<pid>/cmdline (or /proc/<pid>/environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks) (bnc#1093158).
- CVE-2018-16862: A security flaw was found in a way that the cleancache subsystem clears an inode after the final file truncation (removal). The new file created with the same inode may contain leftover pages from cleancache and the old file data instead of the new one (bnc#1117186).
- CVE-2018-16884: NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out (bnc#1119946).
- CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c allowed local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized (bnc#1116841).
- CVE-2018-19824: A local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c (bnc#1118152).
- CVE-2018-19985: The function hso_probe read if_num from the USB device (as an u8) and used it without a length check to index an array, resulting in an OOB memory read in hso_probe or hso_get_config_data that could be used by local attackers (bnc#1120743).
- CVE-2018-20169: The USB subsystem mishandled size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c (bnc#1119714).
- CVE-2018-5391: The Linux kernel was vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly. An attacker may cause a denial of service condition by sending specially crafted IP fragments. Various vulnerabilities in IP fragmentation have been discovered and fixed over the years. The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size (bnc#1103097).
- CVE-2018-9568: In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bnc#1118319).
- CVE-2019-3459,CVE-2019-3460: Two remote information leak vulnerabilities in the Bluetooth stack were fixed that could potentially leak kernel information (bsc#1120758)
The following non-security bugs were fixed:
- 9p: clear dangling pointers in p9stat_free (bnc#1012382).
- 9p locks: fix glock.client_id leak in do_lock (bnc#1012382).
- 9p/net: put a lower bound on msize (bnc#1012382).
- acpi/iort: Fix iort_get_platform_device_domain() uninitialized pointer value (bsc#1121239).
- acpi/lpss: Add alternative ACPI HIDs for Cherry Trail DMA controllers (bnc#1012382).
- acpi/nfit: Block function zero DSMs (bsc#1123321).
- acpi/nfit: Fix ARS overflow continuation (bsc#1125000).
- acpi/nfit: fix cmd_rc for acpi_nfit_ctl to always return a value (bsc#1124775).
- acpi/nfit: Fix command-supported detection (bsc#1123323).
- acpi/nfit, x86/mce: Handle only uncorrectable machine checks (bsc#1114648).
- acpi/nfit, x86/mce: Validate a MCE's address before using it (bsc#1114648).
- acpi/platform: Add SMB0001 HID to forbidden_id_list (bnc#1012382).
- acpi/power: Skip duplicate power resource references in _PRx (bnc#1012382).
- acpi/processor: Fix the return value of acpi_processor_ids_walk() (git fixes (acpi)).
- af_iucv: Move sockaddr length checks to before accessing sa_family in bind and connect handlers (bnc#1012382).
- ahci: do not ignore result code of ahci_reset_controller() (bnc#1012382).
- aio: fix spectre gadget in lookup_ioctx (bnc#1012382).
- aio: hold an extra file reference over AIO read/write operations (bsc#1116027).
- alpha: Fix Eiger NR_IRQS to 128 (bnc#1012382).
- alpha: fix page fault handling for r16-r18 targets (bnc#1012382).
- ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write (bnc#1012382).
- ALSA: bebob: fix model-id of unit for Apogee Ensemble (bnc#1012382).
- ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops (bnc#1012382).
- ALSA: compress: Fix stop handling on compressed capture streams (bnc#1012382).
- ALSA: control: Fix race between adding and removing a user element (bnc#1012382).
- ALSA: cs46xx: Potential NULL dereference in probe (bnc#1012382).
- ALSA: emu10k1: Fix potential Spectre v1 vulnerabilities (bnc#1012382).
- ALSA: emux: Fix potential Spectre v1 vulnerabilities (bnc#1012382).
- ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905) (bnc#1012382).
- ALSA: hda: add mute LED support for HP EliteBook 840 G4 (bnc#1012382).
- ALSA: hda - Add quirk for HP EliteBook 840 G5 (bnc#1012382).
- ALSA: hda: Add support for AMD Stoney Ridge (bnc#1012382).
- ALSA: hda: Check the non-cached stream buffers more explicitly (bnc#1012382).
- ALSA: hda/realtek - Disable headset Mic VREF for headset mode of ALC225 (bnc#1012382).
- ALSA: hda - Serialize codec registrations (bnc#1012382).
- ALSA: hda/tegra: clear pending irq handlers (bnc#1012382).
- ALSA: isa/wavefront: prevent some out of bound writes (bnc#1012382).
- ALSA: pcm: Call snd_pcm_unlink() conditionally at closing (bnc#1012382).
- ALSA: pcm: Fix interval evaluation with openmin/max (bnc#1012382).
- ALSA: pcm: Fix potential Spectre v1 vulnerability (bnc#1012382).
- ALSA: pcm: Fix starvation on down_write_nonblock() (bnc#1012382).
- ALSA: pcm: remove SNDRV_PCM_IOCTL1_INFO internal command (bnc#1012382).
- ALSA: rme9652: Fix potential Spectre v1 vulnerability (bnc#1012382).
- ALSA: sparc: Fix invalid snd_free_pages() at error path (bnc#1012382).
- ALSA: timer: Fix zero-division by continue of uninitialized instance (bnc#1012382).
- ALSA: trident: Suppress gcc string warning (bnc#1012382).
- ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit() (bnc#1012382).
- ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks (bnc#1012382).
- ALSA: usb-audio: Fix implicit fb endpoint setup by quirk (bnc#1012382).
- ALSA: wss: Fix invalid snd_free_pages() at error path (bnc#1012382).
- amd/iommu: Fix Guest Virtual APIC Log Tail Address Register (bsc#1106105).
- arc: change defconfig defaults to ARCv2 (bnc#1012382).
- arc: [devboards] Add support of NFSv3 ACL (bnc#1012382).
- arch/alpha, termios: implement BOTHER, IBSHIFT and termios2 (bnc#1012382).
- arc: io.h: Implement reads{x}()/writes{x}() (bnc#1012382).
- arc: perf: map generic branches to correct hardware condition (bnc#1012382).
- arm64: Disable asm-operand-width warning for clang (bnc#1012382).
- arm64: Do not trap host pointer auth use to EL2 (bnc#1012382).
- arm64: dts: stratix10: Correct System Manager register size (bnc#1012382).
- arm64: Enabled ENA (Amazon network driver) for arm64
- arm64: ftrace: do not adjust the LR value (bnc#1012382).
- arm64: hardcode rodata_enabled=true earlier in the series (bsc#1114763).
- arm64: hyp-stub: Forbid kprobing of the hyp-stub (bnc#1012382).
- arm64/kvm: consistently handle host HCR_EL2 flags (bnc#1012382).
- arm64: kvm: Skip MMIO insn after emulation (bnc#1012382).
- arm64: PCI: ACPI support for legacy IRQs parsing and consolidation with DT code (bsc#985031).
- arm64: percpu: Initialize ret in the default case (bnc#1012382).
- arm64: perf: set suppress_bind_attrs flag to true (bnc#1012382).
- arm64: remove no-op -p linker flag (bnc#1012382).
- arm: 8799/1: mm: fix pci_ioremap_io() offset check (bnc#1012382).
- arm: 8808/1: kexec:offline panic_smp_self_stop CPU (bnc#1012382).
- arm: 8814/1: mm: improve/fix ARM v7_dma_inv_range() unaligned address handling (bnc#1012382).
- arm: cns3xxx: Fix writing to wrong PCI config registers after alignment (bnc#1012382).
- arm: dts: apq8064: add ahci ports-implemented mask (bnc#1012382).
- arm: dts: da850-evm: Correct the sound card name (bnc#1012382).
- arm: dts: Fix OMAP4430 SDP Ethernet startup (bnc#1012382).
- arm: dts: imx53-qsb: disable 1.2GHz OPP (bnc#1012382).
- arm: dts: kirkwood: Fix polarity of GPIO fan lines (bnc#1012382).
- arm: dts: mmp2: fix TWSI2 (bnc#1012382).
- arm: fix mis-applied iommu identity check (bsc#1116924).
- arm: imx: update the cpu power up timing setting on i.mx6sx (bnc#1012382).
- arm: iop32x/n2100: fix PCI IRQ mapping (bnc#1012382).
- arm: kvm: fix building with gcc-8 (bsc#1121241).
- arm: OMAP1: ams-delta: Fix possible use of uninitialized field (bnc#1012382).
- arm: OMAP2+: hwmod: Fix some section annotations (bnc#1012382).
- arm: OMAP2+: prm44xx: Fix section annotation on omap44xx_prm_enable_io_wakeup (bnc#1012382).
- arm: pxa: avoid section mismatch warning (bnc#1012382).
- asix: Check for supported Wake-on-LAN modes (bnc#1012382).
- ASoC: ak4613: Enable cache usage to fix crashes on resume (bnc#1012382).
- ASoC: atom: fix a missing check of snd_pcm_lib_malloc_pages (bnc#1012382).
- ASoC: dapm: Recalculate audio map forcely when card instantiated (bnc#1012382).
- ASoC: fsl: Fix SND_SOC_EUKREA_TLV320 build error on i.MX8M (bnc#1012382).
- ASoC: Intel: mrfld: fix uninitialized variable access (bnc#1012382).
- ASoC: omap-dmic: Add pm_qos handling to avoid overruns with CPU_IDLE (bnc#1012382).
- ASoC: omap-mcpdm: Add pm_qos handling to avoid under/overruns with CPU_IDLE (bnc#1012382).
- ASoC: spear: fix error return code in spdif_in_probe() (bnc#1012382).
- ASoC: wm8940: Enable cache usage to fix crashes on resume (bnc#1012382).
- ata: Fix racy link clearance (bsc#1107866).
- ataflop: fix error handling during setup (bnc#1012382).
- ath10k: fix kernel panic due to race in accessing arvif list (bnc#1012382).
- ath10k: schedule hardware restart if WMI command times out (bnc#1012382).
- ax25: fix a use-after-free in ax25_fillin_cb() (bnc#1012382).
- ax88179_178a: Check for supported Wake-on-LAN modes (bnc#1012382).
- b43: Fix error in cordic routine (bnc#1012382).
- batman-adv: Avoid WARN on net_device without parent in netns (bnc#1012382).
- batman-adv: Expand merged fragment buffer for full packet (bnc#1012382).
- batman-adv: Force mac header to start of data on xmit (bnc#1012382).
- bcache: fix miss key refill->end in writeback (bnc#1012382).
- bfs: add sanity check at bfs_fill_super() (bnc#1012382).
- binfmt_elf: fix calculations for bss padding (bnc#1012382).
- bitops: protect variables in bit_clear_unless() macro (bsc#1116285).
- block: fix inheriting request priority from bio (bsc#1116924).
- block/loop: Use global lock for ioctl() operation (bnc#1012382).
- block: respect virtual boundary mask in bvecs (bsc#1113412).
- block/swim3: Fix -EBUSY error when re-opening device after unmount (Git-fixes).
- Bluetooth: btbcm: Add entry for BCM4335C0 UART bluetooth (bnc#1012382).
- Bluetooth: Fix unnecessary error message for HCI request completion (bnc#1012382).
- Bluetooth: SMP: fix crash in unpairing (bnc#1012382).
- bna: ethtool: Avoid reading past end of buffer (bnc#1012382).
- bnx2x: Assign unique DMAE channel number for FW DMAE transactions (bnc#1012382).
- bnxt_re: Fix couple of memory leaks that could lead to IOMMU call traces (bsc#1020413).
- bonding: fix 802.3ad state sent to partner when unbinding slave (bnc#1012382).
- bpf: fix check of allowed specifiers in bpf_trace_printk (bnc#1012382).
- bpf: generally move prog destruction to RCU deferral (bnc#1012382).
- bpf: support 8-byte metafield access (bnc#1012382).
- bpf, trace: check event type in bpf_perf_event_read (bsc#1119970).
- bpf, trace: use READ_ONCE for retrieving file ptr (bsc#1119967).
- bpf/verifier: Add spi variable to check_stack_write() (bnc#1012382).
- bpf/verifier: Pass instruction index to check_mem_access() and check_xadd() (bnc#1012382).
- bridge: do not add port to router list when receives query with source 0.0.0.0 (bnc#1012382).
- btrfs: Always try all copies when reading extent buffers (bnc#1012382).
- btrfs: do not attempt to trim devices that do not support it (bnc#1012382).
- btrfs: ensure path name is null terminated at btrfs_control_ioctl (bnc#1012382).
- btrfs: fix backport error in submit_stripe_bio (bsc#1114763).
- btrfs: fix data corruption due to cloning of eof block (bnc#1012382).
- btrfs: Fix memory barriers usage with device stats counters (git-fixes).
- btrfs: fix null pointer dereference on compressed write path error (bnc#1012382).
- btrfs: fix pinned underflow after transaction aborted (bnc#1012382).
- btrfs: fix use-after-free when dumping free space (bnc#1012382).
- btrfs: fix wrong dentries after fsync of file that got its parent replaced (bnc#1012382).
- btrfs: Handle error from btrfs_uuid_tree_rem call in _btrfs_ioctl_set_received_subvol (git-fixes).
- btrfs: Handle owner mismatch gracefully when walking up tree (bnc#1012382).
- btrfs: iterate all devices during trim, instead of fs_devices::alloc_list (bnc#1012382).
- btrfs: locking: Add extra check in btrfs_init_new_buffer() to avoid deadlock (bnc#1012382).
- btrfs: make sure we create all new block groups (bnc#1012382).
- btrfs: qgroup: Dirty all qgroups before rescan (bnc#1012382).
- btrfs: release metadata before running delayed refs (bnc#1012382).
- btrfs: reset max_extent_size on clear in a bitmap (bnc#1012382).
- btrfs: send, fix infinite loop due to directory rename dependencies (bnc#1012382).
- btrfs: set max_extent_size properly (bnc#1012382).
- btrfs: tree-checker: Check level for leaves and nodes (bnc#1012382).
- btrfs: tree-checker: Do not check max block group size as current max chunk size limit is unreliable (fixes for bnc#1012382 bsc#1102875 bsc#1102877 bsc#1102879 bsc#1102882 bsc#1102896).
- btrfs: tree-checker: Fix misleading group system information (bnc#1012382).
- btrfs: tree-check: reduce stack consumption in check_dir_item (bnc#1012382).
- btrfs: validate type when reading a chunk (bnc#1012382).
- btrfs: wait on caching when putting the bg cache (bnc#1012382).
- btrfs: wait on ordered extents on abort cleanup (bnc#1012382).
- cachefiles: fix the race between cachefiles_bury_object() and rmdir(2) (bnc#1012382).
- can: bcm: check timer values before ktime conversion (bnc#1012382).
- can: dev: __can_get_echo_skb(): Do not crash the kernel if can_priv::echo_skb is accessed out of bounds (bnc#1012382).
- can: dev: can_get_echo_skb(): factor out non sending code to __can_get_echo_skb() (bnc#1012382).
- can: dev: __can_get_echo_skb(): fix bogous check for non-existing skb by removing it (bnc#1012382).
- can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb (bnc#1012382).
- can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame to access frame length (bnc#1012382).
- can: gw: ensure DLC boundaries after CAN frame modification (bnc#1012382).
- can: rcar_can: Fix erroneous registration (bnc#1012382).
- cdc-acm: correct counting of UART states in serial state notification (bnc#1012382).
- cdc-acm: fix abnormal DATA RX issue for Mediatek Preloader (bnc#1012382).
- ceph: call setattr_prepare from ceph_setattr instead of inode_change_ok (bsc#1114763).
- ceph: clear inode pointer when snap realm gets dropped by its inode (bsc#1125809).
- ceph: do not update importing cap's mseq when handing cap export (bsc#1121275).
- ceph: fix dentry leak in ceph_readdir_prepopulate (bsc#1114839).
- ceph: quota: fix null pointer dereference in quota check (bsc#1114839).
- cfg80211: reg: Init wiphy_idx in regulatory_hint_core() (bnc#1012382).
- char/mwave: fix potential Spectre v1 vulnerability (bnc#1012382).
- checkstack.pl: fix for aarch64 (bnc#1012382).
- cifs: Always resolve hostname before reconnecting (bnc#1012382).
- cifs: check ntwrk_buf_start for NULL before dereferencing it (bnc#1012382).
- cifs: Do not count -ENODATA as failure for query directory (bnc#1012382).
- cifs: Do not hide EINTR after sending network packets (bnc#1012382).
- cifs: Fix error mapping for SMB2_LOCK command which caused OFD lock problem (bnc#1012382).
- cifs: Fix possible hang during async MTU reads and writes (bnc#1012382).
- cifs: Fix potential OOB access of lock element array (bnc#1012382).
- cifs: Fix separator when building path from dentry (bnc#1012382).
- cifs: handle guest access errors to Windows shares (bnc#1012382).
- cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on legacy (insecure cifs) (bnc#1012382).
- cifs: Limit memory used by lock request calls to a page (bnc#1012382).
- clk: imx6q: reset exclusive gates on init (bnc#1012382).
- clk: imx6sl: ensure MMDC CH0 handshake is bypassed (bnc#1012382).
- clk: mmp: Off by one in mmp_clk_add() (bnc#1012382).
- clk: s2mps11: Add used attribute to s2mps11_dt_match (git-fixes).
- clk: s2mps11: Fix matching when built as module and DT node contains compatible (bnc#1012382).
- clk: samsung: exynos5420: Enable PERIS clocks for suspend (bnc#1012382).
- clockevents/drivers/i8253: Add support for PIT shutdown quirk (bnc#1012382).
- configfs: replace strncpy with memcpy (bnc#1012382).
- cpufeature: avoid warning when compiling with clang (Git-fixes).
- cpufreq: imx6q: add return value check for voltage scale (bnc#1012382).
- cpufreq: intel_pstate: Fix HWP on boot CPU after system resume (bsc#1120017).
- cpuidle: big.LITTLE: fix refcount leak (bnc#1012382).
- cpuidle: Do not access cpuidle_devices when !CONFIG_CPU_IDLE (bnc#1012382).
- cramfs: fix abad comparison when wrap-arounds occur (bnc#1012382).
- crypto: arm64/sha - avoid non-standard inline asm tricks (bnc#1012382).
- crypto: authencesn - Avoid twice completion call in decrypt path (bnc#1012382).
- crypto: authenc - fix parsing key with misaligned rta_len (bnc#1012382).
- crypto: cts - fix crash on short inputs (bnc#1012382).
- crypto: lrw - Fix out-of bounds access on counter overflow (bnc#1012382).
- crypto: shash - Fix a sleep-in-atomic bug in shash_setkey_unaligned (bnc#1012382).
- crypto: user - support incremental algorithm dumps (bsc#1120902).
- crypto: ux500 - Use proper enum in cryp_set_dma_transfer (bnc#1012382).
- crypto: ux500 - Use proper enum in hash_set_dma_transfer (bnc#1012382).
- crypto, x86: aesni - fix token pasting for clang (bnc#1012382).
- crypto: x86/chacha20 - avoid sleeping with preemption disabled (bnc#1012382).
- cw1200: Do not leak memory if krealloc failes (bnc#1012382).
- cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan() (bnc#1012382).
- cxgb4: Add support for new flash parts (bsc#1102439).
- cxgb4: assume flash part size to be 4MB, if it can't be determined (bsc#1102439).
- cxgb4: Fix FW flash errors (bsc#1102439).
- cxgb4: fix missing break in switch and indent return statements (bsc#1102439).
- cxgb4: support new ISSI flash parts (bsc#1102439).
- dccp: fool proof ccid_hc_[rt]x_parse_options() (bnc#1012382).
- debugfs: fix debugfs_rename parameter checking (bnc#1012382).
- debugobjects: avoid recursive calls with kmemleak (bnc#1012382).
- disable stringop truncation warnings for now (bnc#1012382).
- dlm: Do not swamp the CPU with callbacks queued during recovery (bnc#1012382).
- dlm: fixed memory leaks after failed ls_remove_names allocation (bnc#1012382).
- dlm: lost put_lkb on error path in receive_convert() and receive_unlock() (bnc#1012382).
- dlm: memory leaks on error path in dlm_user_request() (bnc#1012382).
- dlm: possible memory leak on error path in create_lkb() (bnc#1012382).
- dmaengine: at_hdmac: fix memory leak in at_dma_xlate() (bnc#1012382).
- dmaengine: at_hdmac: fix module unloading (bnc#1012382).
- dmaengine: dma-jz4780: Return error if not probed from DT (bnc#1012382).
- dmaengine: imx-dma: fix wrong callback invoke (bnc#1012382).
- dm cache metadata: ignore hints array being too small during resize (Git-fixes).
- dm crypt: add cryptographic data integrity protection (authenticated encryption) (Git-fixes).
- dm crypt: factor IV constructor out to separate function (Git-fixes).
- dm crypt: fix crash by adding missing check for auth key size (git-fixes).
- dm crypt: fix error return code in crypt_ctr() (git-fixes).
- dm crypt: fix memory leak in crypt_ctr_cipher_old() (git-fixes).
- dm crypt: introduce new format of cipher with 'capi:' prefix (Git-fixes).
- dm crypt: wipe kernel key copy after IV initialization (Git-fixes).
- dm: do not allow readahead to limit IO size (git fixes (readahead)).
- dm ioctl: harden copy_params()'s copy_from_user() from malicious users (bnc#1012382).
- dm kcopyd: Fix bug causing workqueue stalls (bnc#1012382).
- dm-multipath: do not assign cmd_flags in setup_clone() (bsc#1103156).
- dm raid: stop using BUG() in __rdev_sectors() (bsc#1046264).
- dm snapshot: Fix excessive memory usage and workqueue stalls (bnc#1012382).
- dm thin: fix bug where bio that overwrites thin block ignores FUA (bnc#1012382).
- dm thin: stop no_space_timeout worker when switching to write-mode (Git-fixes).
- Documentation/network: reword kernel version reference (bnc#1012382).
- dpaa_eth: fix dpaa_get_stats64 to match prototype (bsc#1114763).
- drbd: Avoid Clang warning about pointless switch statment (bnc#1012382).
- drbd: disconnect, if the wrong UUIDs are attached on a connected peer (bnc#1012382).
- drbd: narrow rcu_read_lock in drbd_sync_handshake (bnc#1012382).
- drbd: skip spurious timeout (ping-timeo) when failing promote (bnc#1012382).
- driver/dma/ioat: Call del_timer_sync() without holding prep_lock (bnc#1012382).
- drivers: core: Remove glue dirs from sysfs earlier (bnc#1012382).
- drivers: hv: vmbus: check the creation_status in vmbus_establish_gpadl() (bsc#1104098).
- drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels (bnc#1012382).
- drivers/misc/sgi-gru: fix Spectre v1 vulnerability (bnc#1012382).
- drivers/sbus/char: add of_node_put() (bnc#1012382).
- drivers/tty: add missing of_node_put() (bnc#1012382).
- drm/ast: change resolution may cause screen blurred (bnc#1012382).
- drm/ast: fixed cursor may disappear sometimes (bnc#1012382).
- drm/ast: fixed reading monitor EDID not stable issue (bnc#1012382).
- drm/ast: Fix incorrect free on ioregs (bsc#1106929)
- drm/ast: Remove existing framebuffers before loading driver (boo#1112963)
- drm/bufs: Fix Spectre v1 vulnerability (bnc#1012382).
- drm/dp_mst: Check if primary mstb is null (bnc#1012382).
- drm/fb-helper: Ignore the value of fb_var_screeninfo.pixclock (bsc#1106929)
- drm/hisilicon: hibmc: Do not carry error code in HiBMC framebuffer (bsc#1113766)
- drm/hisilicon: hibmc: Do not overwrite fb helper surface depth (bsc#1113766)
- drm/i915: Block fbdev HPD processing during suspend (bsc#1106929)
- drm/i915/hdmi: Add HDMI 2.0 audio clock recovery N values (bnc#1012382).
- drm/i915: Prevent a race during I915_GEM_MMAP ioctl with WC set (bsc#1106929)
- drm/ioctl: Fix Spectre v1 vulnerabilities (bnc#1012382).
- drm/modes: Prevent division by zero htotal (bnc#1012382).
- drm/msm: Grab a vblank reference when waiting for commit_done (bnc#1012382).
- drm/nouveau/fbcon: fix oops without fbdev emulation (bnc#1012382).
- drm/omap: fix memory barrier bug in DMM driver (bnc#1012382).
- drm: rcar-du: Fix external clock error checks (bsc#1106929)
- drm: rcar-du: Fix vblank initialization (bsc#1106929)
- drm/rockchip: Allow driver to be shutdown on reboot/kexec (bnc#1012382).
- drm/vmwgfx: Fix setting of dma masks (bsc#1106929)
- drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user (bsc#1106929)
- e1000: avoid null pointer dereference on invalid stat type (bnc#1012382).
- e1000e: allow non-monotonic SYSTIM readings (bnc#1012382).
- e1000: fix race condition between e1000_down() and e1000_watchdog (bnc#1012382).
- edac: Raise the maximum number of memory controllers (bsc#1120722).
- efi/libstub/arm64: Force 'hidden' visibility for section markers (bnc#1012382).
- efi/libstub/arm64: Set -fpie when building the EFI stub (bnc#1012382).
- efi/libstub/arm64: Use hidden attribute for struct screen_info reference (bsc#1122650).
- enic: fix checksum validation for IPv6 (bnc#1012382).
- exec: avoid gcc-8 warning for get_task_comm (bnc#1012382).
- exec: load_script: do not blindly truncate shebang string (bnc#1012382).
- exportfs: do not read dentry after free (bnc#1012382).
- ext2: fix potential use after free (bnc#1012382).
- ext4: add missing brelse() add_new_gdb_meta_bg()'s error path (bnc#1012382).
- ext4: add missing brelse() in set_flexbg_block_bitmap()'s error path (bnc#1012382).
- ext4: add missing brelse() update_backups()'s error path (bnc#1012382).
- ext4: avoid buffer leak in ext4_orphan_add() after prior errors (bnc#1012382).
- ext4: avoid possible double brelse() in add_new_gdb() on error path (bnc#1012382).
- ext4: avoid potential extra brelse in setup_new_flex_group_blocks() (bnc#1012382).
- ext4: fix a potential fiemap/page fault deadlock w/ inline_data (bnc#1012382).
- ext4: fix argument checking in EXT4_IOC_MOVE_EXT (bnc#1012382).
- ext4: fix buffer leak in __ext4_read_dirblock() on error path (bnc#1012382).
- ext4: fix buffer leak in ext4_xattr_move_to_block() on error path (bnc#1012382).
- ext4: Fix crash during online resizing (bsc#1122779).
- ext4: fix EXT4_IOC_GROUP_ADD ioctl (bnc#1012382).
- ext4: fix missing cleanup if ext4_alloc_flex_bg_array() fails while resizing (bnc#1012382).
- ext4: fix possible inode leak in the retry loop of ext4_resize_fs() (bnc#1012382).
- ext4: fix possible leak of sbi->s_group_desc_leak in error path (bnc#1012382).
- ext4: fix possible use after free in ext4_quota_enable (bnc#1012382).
- ext4: force inode writes when nfsd calls commit_metadata() (bnc#1012382).
- ext4: initialize retries variable in ext4_da_write_inline_data_begin() (bnc#1012382).
- ext4: missing unlock/put_page() in ext4_try_to_write_inline_data() (bnc#1012382).
- ext4: release bs.bh before re-using in ext4_xattr_block_find() (bnc#1012382).
- f2fs: Add sanity_check_inode() function (bnc#1012382).
- f2fs: avoid unneeded loop in build_sit_entries (bnc#1012382).
- f2fs: check blkaddr more accuratly before issue a bio (bnc#1012382).
- f2fs: clean up argument of recover_data (bnc#1012382).
- f2fs: clean up with is_valid_blkaddr() (bnc#1012382).
- f2fs: detect wrong layout (bnc#1012382).
- f2fs: enhance sanity_check_raw_super() to avoid potential overflow (bnc#1012382).
- f2fs: factor out fsync inode entry operations (bnc#1012382).
- f2fs: fix inode cache leak (bnc#1012382).
- f2fs: fix invalid memory access (bnc#1012382).
- f2fs: fix missing up_read (bnc#1012382).
- f2fs: fix to avoid reading out encrypted data in page cache (bnc#1012382).
- f2fs: fix to convert inline directory correctly (bnc#1012382).
- f2fs: fix to determine start_cp_addr by sbi->cur_cp_pack (bnc#1012382).
- f2fs: fix to do sanity check with block address in main area (bnc#1012382).
- f2fs: fix to do sanity check with block address in main area v2 (bnc#1012382).
- f2fs: fix to do sanity check with cp_pack_start_sum (bnc#1012382).
- f2fs: fix to do sanity check with node footer and iblocks (bnc#1012382).
- f2fs: fix to do sanity check with reserved blkaddr of inline inode (bnc#1012382).
- f2fs: fix to do sanity check with secs_per_zone (bnc#1012382).
- f2fs: fix to do sanity check with user_block_count (bnc#1012382).
- f2fs: fix validation of the block count in sanity_check_raw_super (bnc#1012382).
- f2fs: fix wrong return value of f2fs_acl_create (bnc#1012382).
- f2fs: free meta pages if sanity check for ckpt is failed (bnc#1012382).
- f2fs: give -EINVAL for norecovery and rw mount (bnc#1012382).
- f2fs: introduce and spread verify_blkaddr (bnc#1012382).
- f2fs: introduce get_checkpoint_version for cleanup (bnc#1012382).
- f2fs: move dir data flush to write checkpoint process (bnc#1012382).
- f2fs: move sanity checking of cp into get_valid_checkpoint (bnc#1012382).
- f2fs: not allow to write illegal blkaddr (bnc#1012382).
- f2fs: put directory inodes before checkpoint in roll-forward recovery (bnc#1012382).
- f2fs: read page index before freeing (bnc#1012382).
- f2fs: remove an obsolete variable (bnc#1012382).
- f2fs: return error during fill_super (bnc#1012382).
- f2fs: sanity check on sit entry (bnc#1012382).
- f2fs: use crc and cp version to determine roll-forward recovery (bnc#1012382).
- fbdev: fbcon: Fix unregister crash when more than one framebuffer (bsc#1106929)
- fbdev: fbmem: behave better with small rotated displays and many CPUs (bsc#1106929)
- fcoe: remove duplicate debugging message in fcoe_ctlr_vn_add (bsc#1114763).
- Fix kabi for 'Ensure we commit after writeback is complete' (bsc#1111809).
- Fix problem with sharetransport= and NFSv4 (bsc#1114893).
- floppy: fix race condition in __floppy_read_block_0() (Git-fixes).
- flow_dissector: do not dissect l4 ports for fragments (bnc#1012382).
- fork: record start_time late (bnc#1012382).
- fs: add the fsnotify call to vfs_iter_write (bnc#1012382).
- fscache, cachefiles: remove redundant variable 'cache' (bnc#1012382).
- fscache: fix race between enablement and dropping of object (bsc#1107385).
- fscache: Fix race in fscache_op_complete() due to split atomic_sub & read (Git-fixes).
- fscache: Pass the correct cancelled indications to fscache_op_complete() (Git-fixes).
- fs/dcache: Fix incorrect nr_dentry_unused accounting in shrink_dcache_sb() (bnc#1012382).
- fs: do not scan the inode cache before SB_BORN is set (bnc#1012382).
- fs, elf: make sure to page align bss in load_elf_library (bnc#1012382).
- fs/epoll: drop ovflist branch prediction (bnc#1012382).
- fs/exofs: fix potential memory leak in mount option parsing (bnc#1012382).
- fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters() (bnc#1012382).
- fs: fix lost error code in dio_complete (bsc#1117744).
- fuse: call pipe_buf_release() under pipe lock (bnc#1012382).
- fuse: decrement NR_WRITEBACK_TEMP on the right page (bnc#1012382).
- fuse: Dont call set_page_dirty_lock() for ITER_BVEC pages for async_dio (bnc#1012382).
- fuse: fix blocked_waitq wakeup (bnc#1012382).
- fuse: fix leaked notify reply (bnc#1012382).
- fuse: Fix use-after-free in fuse_dev_do_read() (bnc#1012382).
- fuse: Fix use-after-free in fuse_dev_do_write() (bnc#1012382).
- fuse: handle zero sized retrieve correctly (bnc#1012382).
- fuse: set FR_SENT while locked (bnc#1012382).
- futex: Fix (possible) missed wakeup (bsc#1050549).
- gdrom: fix a memory leak bug (bnc#1012382).
- genirq: Fix race on spurious interrupt detection (bnc#1012382).
- genwqe: Fix size check (bnc#1012382).
- gfs2: Do not leave s_fs_info pointing to freed memory in init_sbd (bnc#1012382).
- gfs2: Fix loop in gfs2_rbm_find (bnc#1012382).
- gfs2_meta: ->mount() can get NULL dev_name (bnc#1012382).
- gfs2: Put bitmap buffers in put_super (bnc#1012382).
- gfs2: Revert 'Fix loop in gfs2_rbm_find' (bnc#1012382).
- git_sort.py: Remove non-existent remote tj/libata
- gpiolib: Fix return value of gpio_to_desc() stub if !GPIOLIB (Git-fixes).
- gpio: max7301: fix driver for use with CONFIG_VMAP_STACK (bnc#1012382).
- gpio: msic: fix error return code in platform_msic_gpio_probe() (bnc#1012382).
- gpio: pl061: handle failed allocations (bnc#1012382).
- gpu: host1x: fix error return code in host1x_probe() (bnc#1012382).
- gpu: ipu-v3: Fix CSI offsets for imx53 (bsc#1106929)
- gpu: ipu-v3: Fix i.MX51 CSI control registers offset (bsc#1106929)
- gro_cell: add napi_disable in gro_cells_destroy (bnc#1012382).
- hfs: do not free node before using (bnc#1012382).
- hfsplus: do not free node before using (bnc#1012382).
- hfsplus: prevent btree data loss on root split (bnc#1012382).
- hfs: prevent btree data loss on root split (bnc#1012382).
- hid: debug: fix the ring buffer implementation (bnc#1012382).
- hid: hiddev: fix potential Spectre v1 (bnc#1012382).
- hid: lenovo: Add checks to fix of_led_classdev_register (bnc#1012382).
- hid: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges (bnc#1012382).
- hpwdt add dynamic debugging (bsc#1114417).
- hpwdt calculate reload value on each use (bsc#1114417).
- hugetlbfs: dirty pages as they are added to pagecache (bnc#1012382).
- hugetlbfs: fix bug in pgoff overflow checking (bnc#1012382).
- hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:444! (bnc#1012382).
- hwmon: (ibmpowernv) Remove bogus __init annotations (bnc#1012382).
- hwmon: (ina2xx) Fix current value calculation (bnc#1012382).
- hwmon: (lm80) fix a missing check of bus read in lm80 probe (bnc#1012382).
- hwmon: (lm80) fix a missing check of the status of SMBus read (bnc#1012382).
- hwmon: (lm80) Fix missing unlock on error in set_fan_div() (git-fixes).
- hwmon: (pmbus) Fix page count auto-detection (bnc#1012382).
- hwmon: (w83795) temp4_type has writable permission (bnc#1012382).
- hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined (bnc#1116336).
- i2c-axxia: check for error conditions first (bnc#1012382).
- i2c: axxia: properly handle master timeout (bnc#1012382).
- i2c: dev: prevent adapter retries and timeout being set as minus value (bnc#1012382).
- i2c: scmi: Fix probe error on devices with an empty SMB0001 ACPI device node (bnc#1012382).
- IB/core: type promotion bug in rdma_rw_init_one_mr() ().
- IB/hfi1: Fix an out-of-bounds access in get_hw_stats ().
- ibmveth: Do not process frames after calling napi_reschedule (bcs#1123357).
- ibmveth: fix DMA unmap error in ibmveth_xmit_start error path (bnc#1012382).
- ibmvnic: Add ethtool private flag for driver-defined queue limits (bsc#1121726).
- ibmvnic: Convert reset work item mutex to spin lock ().
- ibmvnic: fix accelerated VLAN handling ().
- ibmvnic: fix index in release_rx_pools (bsc#1115440).
- ibmvnic: Fix non-atomic memory allocation in IRQ context ().
- ibmvnic: Increase maximum queue size limit (bsc#1121726).
- ibmvnic: Introduce driver limits for ring sizes (bsc#1121726).
- ibmvnic: remove ndo_poll_controller ().
- ibmvnic: Update driver queues after change in ring size support ().
- ib/rxe: Fix incorrect cache cleanup in error flow ().
- ib/rxe: replace kvfree with vfree ().
- ib/ucm: Fix Spectre v1 vulnerability (bnc#1012382).
- ide: pmac: add of_node_put() (bnc#1012382).
- ieee802154: lowpan_header_create check must check daddr (bnc#1012382).
- igb: Fix an issue that PME is not enabled during runtime suspend (bnc#1012382).
- igb: Remove superfluous reset to PHY and page 0 selection (bnc#1012382).
- iio: adc: at91: fix acking DRDY irq on simple conversions (bnc#1012382).
- iio: adc: at91: fix wrong channel number in triggered buffer mode (bnc#1012382).
- ima: fix showing large 'violations' or 'runtime_measurements_count' (bnc#1012382).
- inet: frags: add a pointer to struct netns_frags (bnc#1012382).
- inet: frags: better deal with smp races (bnc#1012382).
- inet: frags: break the 2GB limit for frags storage (bnc#1012382).
- inet: frags: change inet_frags_init_net() return value (bnc#1012382).
- inet: frags: do not clone skb in ip_expire() (bnc#1012382).
- inet: frags: fix ip6frag_low_thresh boundary (bnc#1012382).
- inet: frags: get rid of ipfrag_skb_cb/FRAG_CB (bnc#1012382).
- inet: frags: get rif of inet_frag_evicting() (bnc#1012382).
- inet: frags: refactor ipfrag_init() (bnc#1012382).
- inet: frags: refactor ipv6_frag_init() (bnc#1012382).
- inet: frags: refactor lowpan_net_frag_init() (bnc#1012382).
- inet: frags: remove inet_frag_maybe_warn_overflow() (bnc#1012382).
- inet: frags: remove some helpers (bnc#1012382).
- inet: frags: reorganize struct netns_frags (bnc#1012382).
- inet: frags: use rhashtables for reassembly units (bnc#1012382).
- Input: bma150 - register input device after setting private data (bnc#1012382).
- Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15ARR (bnc#1012382).
- Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15IGM (bnc#1012382).
- Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G (bnc#1012382).
- Input: elan_i2c - add ACPI ID for touchpad in Lenovo V330-15ISK (bnc#1012382).
- Input: elan_i2c - add ELAN0620 to the ACPI table (bnc#1012382).
- Input: elan_i2c - add support for ELAN0621 touchpad (bnc#1012382).
- Input: elantech - enable 3rd button support on Fujitsu CELSIUS H780 (bnc#1012382).
- Input: matrix_keypad - check for errors from of_get_named_gpio() (bnc#1012382).
- Input: omap-keypad - fix idle configuration to not block SoC idle states (bnc#1012382).
- Input: omap-keypad - fix keyboard debounce configuration (bnc#1012382).
- Input: restore EV_ABS ABS_RESERVED (bnc#1012382).
- Input: xpad - add GPD Win 2 Controller USB IDs (bnc#1012382).
- Input: xpad - add Mad Catz FightStick TE 2 VID/PID (bnc#1012382).
- Input: xpad - add more third-party controllers (bnc#1012382).
- Input: xpad - add PDP device id 0x02a4 (bnc#1012382).
- Input: xpad - add product ID for Xbox One S pad (bnc#1012382).
- Input: xpad - add support for PDP Xbox One controllers (bnc#1012382).
- Input: xpad - add support for SteelSeries Stratus Duo (bnc#1012382).
- Input: xpad - add support for Xbox1 PDP Camo series gamepad (bnc#1012382).
- Input: xpad - add USB IDs for Mad Catz Brawlstick and Razer Sabertooth (bnc#1012382).
- Input: xpad - avoid using __set_bit() for capabilities (bnc#1012382).
- Input: xpad - constify usb_device_id (bnc#1012382).
- Input: xpad - correctly sort vendor id's (bnc#1012382).
- Input: xpad - correct xbox one pad device name (bnc#1012382).
- Input: xpad - do not depend on endpoint order (bnc#1012382).
- Input: xpad - fix GPD Win 2 controller name (bnc#1012382).
- Input: xpad - fix PowerA init quirk for some gamepad models (bnc#1012382).
- Input: xpad - fix rumble on Xbox One controllers with 2015 firmware (bnc#1012382).
- Input: xpad - fix some coding style issues (bnc#1012382).
- Input: xpad - fix stuck mode button on Xbox One S pad (bnc#1012382).
- Input: xpad - fix Xbox One rumble stopping after 2.5 secs (bnc#1012382).
- Input: xpad - handle 'present' and 'gone' correctly (bnc#1012382).
- Input: xpad - move reporting xbox one home button to common function (bnc#1012382).
- Input: xpad - power off wireless 360 controllers on suspend (bnc#1012382).
- Input: xpad - prevent spurious input from wired Xbox 360 controllers (bnc#1012382).
- Input: xpad - quirk all PDP Xbox One gamepads (bnc#1012382).
- Input: xpad - remove spurious events of wireless xpad 360 controller (bnc#1012382).
- Input: xpad - remove unused function (bnc#1012382).
- Input: xpad - restore LED state after device resume (bnc#1012382).
- Input: xpad - simplify error condition in init_output (bnc#1012382).
- Input: xpad - sort supported devices by USB ID (bnc#1012382).
- Input: xpad - support some quirky Xbox One pads (bnc#1012382).
- Input: xpad - sync supported devices with 360Controller (bnc#1012382).
- Input: xpad - sync supported devices with XBCD (bnc#1012382).
- Input: xpad - sync supported devices with xboxdrv (bnc#1012382).
- Input: xpad - update Xbox One Force Feedback Support (bnc#1012382).
- Input: xpad - use LED API when identifying wireless controllers (bnc#1012382).
- Input: xpad - validate USB endpoint type during probe (bnc#1012382).
- Input: xpad - workaround dead irq_out after suspend/ resume (bnc#1012382).
- Input: xpad - xbox one elite controller support (bnc#1012382).
- intel_pstate: Update frequencies of policy->cpus only from ->set_policy() (bsc#1120017).
- intel_th: msu: Fix an off-by-one in attribute store (bnc#1012382).
- iommu/amd: Call free_iova_fast with pfn in map_sg (bsc#1106105).
- iommu/amd: Fix amd_iommu=force_isolation (bsc#1106105).
- iommu/amd: Fix IOMMU page flush when detach device from a domain (bsc#1106105).
- iommu/amd: Unmap all mapped pages in error path of map_sg (bsc#1106105).
- iommu/arm-smmu: Ensure that page-table updates are visible before TLBI (bsc#1106237).
- iommu/arm-smmu-v3: Use explicit mb() when moving cons pointer (bnc#1012382).
- iommu/ipmmu-vmsa: Fix crash on early domain free (bsc#1106105).
- iommu/vt-d: Fix memory leak in intel_iommu_put_resv_regions() (bsc#1106105).
- iommu/vt-d: Fix NULL pointer dereference in prq_event_thread() (bsc#1106105).
- iommu/vt-d: Handle domain agaw being less than iommu agaw (bsc#1106105).
- iommu/vt-d: Use memunmap to free memremap (bsc#1106105).
- ip6mr: Fix potential Spectre v1 vulnerability (bnc#1012382).
- ip: add helpers to process in-order fragments faster (bnc#1012382).
- ipfrag: really prevent allocation on netns exit (bnc#1012382).
- ip: frags: fix crash in ip_do_fragment() (bnc#1012382).
- ipmi: Fix timer race with module unload (bnc#1012382).
- ipmi:ssif: Fix handling of multi-part return messages (bnc#1012382).
- ip: on queued skb use skb_header_pointer instead of pskb_may_pull (bnc#1012382).
- ip: process in-order fragments efficiently (bnc#1012382).
- ip_tunnel: do not force DF when MTU is locked (bnc#1012382).
- ip_tunnel: Fix name string concatenate in __ip_tunnel_create() (bnc#1012382).
- ip: use rb trees for IP frag queue (bnc#1012382).
- ipv4: Fix potential Spectre v1 vulnerability (bnc#1012382).
- ipv4: frags: precedence bug in ip_expire() (bnc#1012382).
- ipv4: ipv6: netfilter: Adjust the frag mem limit when truesize changes (bsc#1110286).
- ipv6: Check available headroom in ip6_xmit() even without options (bnc#1012382).
- ipv6: Consider sk_bound_dev_if when binding a socket to an address (bnc#1012382).
- ipv6: Consider sk_bound_dev_if when binding a socket to a v4 mapped address (bnc#1012382).
- ipv6: explicitly initialize udp6_addr in udp_sock_create6() (bnc#1012382).
- ipv6: fix kernel-infoleak in ipv6_local_error() (bnc#1012382).
- ipv6: Fix PMTU updates for UDP/raw sockets in presence of VRF (bnc#1012382).
- ipv6: frags: rewrite ip6_expire_frag_queue() (bnc#1012382).
- ipv6: mcast: fix a use-after-free in inet6_mc_check (bnc#1012382).
- ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called (bnc#1012382).
- ipv6: orphan skbs in reassembly unit (bnc#1012382).
- ipv6: set rt6i_protocol properly in the route when it is installed (bsc#1114190).
- ipv6: suppress sparse warnings in IP6_ECN_set_ce() (bnc#1012382).
- ipv6: Take rcu_read_lock in __inet6_bind for mapped addresses (bnc#1012382).
- irqchip/gic-v3-its: Align PCI Multi-MSI allocation on their size (bnc#1012382).
- isdn: fix kernel-infoleak in capi_unlocked_ioctl (bnc#1012382).
- isdn: hisax: hfc_pci: Fix a possible concurrency use-after-free bug in HFCPCI_l1hw() (bnc#1012382).
- iser: set sector for ambiguous mr status errors (bnc#1012382).
- iwlwifi: mvm: fix regulatory domain update when the firmware starts (bnc#1012382).
- iwlwifi: mvm: support sta_statistics() even on older firmware (bnc#1012382).
- ixgbe: Add function for checking to see if we can reuse page (bsc#1100105).
- ixgbe: Add support for build_skb (bsc#1100105).
- ixgbe: Add support for padding packet (bsc#1100105).
- ixgbe: Break out Rx buffer page management (bsc#1100105).
- ixgbe: Fix output from ixgbe_dump (bsc#1100105).
- ixgbe: fix possible race in reset subtask (bsc#1101557).
- ixgbe: Make use of order 1 pages and 3K buffers independent of FCoE (bsc#1100105).
- ixgbe: Only DMA sync frame length (bsc#1100105).
- ixgbe: recognize 1000BaseLX SFP modules as 1Gbps (bnc#1012382).
- ixgbe: Refactor queue disable logic to take completion time into account (bsc#1101557).
- ixgbe: Reorder Tx/Rx shutdown to reduce time needed to stop device (bsc#1101557).
- ixgbe: Update code to better handle incrementing page count (bsc#1100105).
- ixgbe: Update driver to make use of DMA attributes in Rx path (bsc#1100105).
- ixgbe: Use length to determine if descriptor is done (bsc#1100105).
- jbd2: fix use after free in jbd2_log_do_checkpoint() (bnc#1012382).
- jffs2: Fix use of uninitialized delayed_work, lockdep breakage (bnc#1012382).
- jffs2: free jffs2_sb_info through jffs2_kill_sb() (bnc#1012382).
- kabi: hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined (bnc#1116336).
- kabi: protect get_vaddr_frames (kabi).
- kabi: protect linux/kfifo.h include in hid-debug (kabi).
- kabi: protect struct azx (kabi).
- kabi: protect struct cfs_bandwidth (kabi).
- kabi: protect struct esp (kabi).
- kabi: protect struct fuse_io_priv (kabi).
- kabi: protect struct hda_bus (kabi).
- kabi: protect __usb_get_extra_descriptor (kabi).
- kabi: protect xen/xen-ops.h include in xlate_mmu.c (kabi).
- kabi: reorder new slabinfo fields in struct kmem_cache_node (bnc#1116653).
- kabi: revert sig change on pnfs_read_resend_pnfs (git-fixes).
- kaweth: use skb_cow_head() to deal with cloned skbs (bnc#1012382).
- kbuild: Add better clang cross build support (bnc#1012382).
- kbuild: Add __cc-option macro (bnc#1012382).
- kbuild: Add support to generate LLVM assembly files (bnc#1012382).
- kbuild: allow to use GCC toolchain not in Clang search path (bnc#1012382).
- kbuild: clang: add -no-integrated-as to KBUILD_[AC]FLAGS (bnc#1012382).
- kbuild: clang: Disable 'address-of-packed-member' warning (bnc#1012382).
- kbuild: clang: disable unused variable warnings only when constant (bnc#1012382).
- kbuild: clang: fix build failures with sparse check (bnc#1012382).
- kbuild: clang: remove crufty HOSTCFLAGS (bnc#1012382).
- kbuild: Consolidate header generation from ASM offset information (bnc#1012382).
- kbuild: consolidate redundant sed script ASM offset generation (bnc#1012382).
- kbuild: drop -Wno-unknown-warning-option from clang options (bnc#1012382).
- kbuild: fix asm-offset generation to work with clang (bnc#1012382).
- kbuild: fix kernel/bounds.c 'W=1' warning (bnc#1012382).
- kbuild: fix linker feature test macros when cross compiling with Clang (bnc#1012382).
- kbuild, LLVMLinux: Add -Werror to cc-option to support clang (bnc#1012382).
- kbuild: move cc-option and cc-disable-warning after incl. arch Makefile (bnc#1012382).
- kbuild: Set KBUILD_CFLAGS before incl. arch Makefile (bnc#1012382).
- kbuild: set no-integrated-as before incl. arch Makefile (bnc#1012382).
- kbuild: suppress packed-not-aligned warning for default setting only (bnc#1012382).
- kbuild: use -Oz instead of -Os when using clang (bnc#1012382).
- kconfig: fix file name and line number of warn_ignored_character() (bnc#1012382).
- kconfig: fix memory leak when EOF is encountered in quotation (bnc#1012382).
- kdb: use memmove instead of overlapping memcpy (bnc#1012382).
- kdb: Use strscpy with destination buffer size (bnc#1012382).
- kernel/exit.c: release ptraced tasks before zap_pid_ns_processes (bnc#1012382).
- kernel/hung_task.c: break RCU locks based on jiffies (bnc#1012382).
- kernel-source.spec: Align source numbering.
- kernfs: Replace strncpy with memcpy (bnc#1012382).
- keys: put keyring if install_session_keyring_to_cred() fails (bnc#1012382).
- kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var() (bnc#1012382).
- kgdboc: Fix restrict error (bnc#1012382).
- kgdboc: Fix warning with module build (bnc#1012382).
- kgdboc: Passing ekgdboc to command line causes panic (bnc#1012382).
- kobject: Replace strncpy with memcpy (bnc#1012382).
- kprobes: Return error if we fail to reuse kprobe instead of BUG_ON() (bnc#1012382).
- kvm/arm64: Fix caching of host MDCR_EL2 value (bsc#1121242).
- kvm/arm: Restore banked registers and physical timer access on hyp_panic() (bsc#1121240).
- kvm/mmu: Fix race in emulated page table writes (bnc#1012382).
- kvm/nvmx: Always reflect #NM VM-exits to L1 (bsc#1106240).
- kvm/nvmx: Eliminate vmcs02 pool (bnc#1012382).
- kvm/nvmx: mark vmcs12 pages dirty on L2 exit (bnc#1012382).
- kvm/ppc: Move and undef TRACE_INCLUDE_PATH/FILE (bnc#1012382).
- kvm/svm: Allow direct access to MSR_IA32_SPEC_CTRL (bnc#1012382 bsc#1068032).
- kvm/svm: Ensure an IBPB on all affected CPUs when freeing a vmcb (bsc#1114648).
- kvm/vmx: Allow direct access to MSR_IA32_SPEC_CTRL (bnc#1012382 bsc#1068032 bsc#1096242 bsc#1096281).
- kvm/vmx: Emulate MSR_IA32_ARCH_CAPABILITIES (bnc#1012382).
- kvm/vmx: Fix x2apic check in vmx_msr_bitmap_mode() (bsc#1124166).
- kvm/vmx: introduce alloc_loaded_vmcs (bnc#1012382).
- kvm/vmx: make MSR bitmaps per-VCPU (bnc#1012382).
- kvm/vmx: Missing part of upstream commit 904e14fb7cb9 (bsc#1124166).
- kvm/x86: Add IBPB support (bnc#1012382 bsc#1068032 bsc#1068032).
- kvm/x86: fix empty-body warnings (bnc#1012382).
- kvm/x86: Fix single-step debugging (bnc#1012382).
- kvm/x86: Remove indirect MSR op calls from SPEC_CTRL (bnc#1012382).
- kvm/x86: svm: report MSR_IA32_MCG_EXT_CTL as unsupported (bnc#1012382).
- kvm/x86: Use jmp to invoke kvm_spurious_fault() from .fixup (bnc#1012382).
- l2tp: copy 4 more bytes to linear part if necessary (bnc#1012382).
- l2tp: fix reading optional fields of L2TPv3 (bnc#1012382).
- l2tp: remove l2specific_len dependency in l2tp_core (bnc#1012382).
- lan78xx: Check for supported Wake-on-LAN modes (bnc#1012382).
- leds: call led_pwm_set() in leds-pwm to enforce default LED_OFF (bnc#1012382).
- leds: leds-gpio: Fix return value check in create_gpio_led() (bnc#1012382).
- leds: turn off the LED and wait for completion on unregistering LED class device (bnc#1012382).
- libata: whitelist all SAMSUNG MZ7KM* solid-state disks (bnc#1012382).
- libceph: avoid KEEPALIVE_PENDING races in ceph_con_keepalive() (bsc#1125810).
- libceph: bump CEPH_MSG_MAX_DATA_LEN (bsc#1114839).
- libceph: fall back to sendmsg for slab pages (bsc#1118316).
- libfc: sync strings with upstream versions (bsc#1114763).
- lib/interval_tree_test.c: allow full tree search (bnc#1012382).
- lib/interval_tree_test.c: allow users to limit scope of endpoint (bnc#1012382).
- lib/interval_tree_test.c: make test options module parameters (bnc#1012382).
- libnvdimm, {btt, blk}: do integrity setup before add_disk() (bsc#1118926).
- libnvdimm, dimm: fix dpa reservation vs uninitialized label area (bsc#1118936).
- libnvdimm: fix ars_status output length calculation (bsc#1124777).
- libnvdimm: fix integer overflow static analysis warning (bsc#1118922).
- libnvdimm: fix nvdimm_bus_lock() vs device_lock() ordering (bsc#1118915).
- libnvdimm: Hold reference on parent while scheduling async init (bnc#1012382).
- libnvdimm, pfn: Pad pfn namespaces relative to other regions (bsc#1124811).
- libnvdimm: Use max contiguous area for namespace size (bsc#1124780).
- lib/raid6: Fix arm64 test build (bnc#1012382).
- lib/rbtree_test.c: make input module parameters (bnc#1012382).
- lib/rbtree-test: lower default params (bnc#1012382).
- llc: do not use sk_eat_skb() (bnc#1012382).
- lockd: fix access beyond unterminated strings in prints (bnc#1012382).
- locking/lockdep: Fix debug_locks off performance problem (bnc#1012382).
- locking/rwsem: Fix (possible) missed wakeup (bsc#1050549).
- loop: Fix double mutex_unlock(&loop_ctl_mutex) in loop_control_ioctl() (bnc#1012382).
- loop: Fold __loop_release into loop_release (bnc#1012382).
- loop: Get rid of loop_index_mutex (bnc#1012382).
- lsm: Check for NULL cred-security on free (bnc#1012382).
- mac80211: Always report TX status (bnc#1012382).
- mac80211: Clear beacon_int in ieee80211_do_stop (bnc#1012382).
- mac80211: ensure that mgmt tx skbs have tailroom for encryption (bnc#1012382).
- mac80211: fix radiotap vendor presence bitmap handling (bnc#1012382).
- mac80211: fix reordering of buffered broadcast packets (bnc#1012382).
- mac80211_hwsim: do not omit multicast announce of first added radio (bnc#1012382).
- mac80211_hwsim: fix module init error paths for netlink (bnc#1012382).
- mac80211_hwsim: Timer should be initialized before device registered (bnc#1012382).
- mac80211: ignore NullFunc frames in the duplicate detection (bnc#1012382).
- mac80211: ignore tx status for PS stations in ieee80211_tx_status_ext (bnc#1012382).
- mach64: fix display corruption on big endian machines (bnc#1012382).
- mach64: fix image corruption due to reading accelerator registers (bnc#1012382).
- matroxfb: fix size of memcpy (bnc#1012382).
- md: batch flush requests (bsc#1119680).
- md: do not check MD_SB_CHANGE_CLEAN in md_allow_write (Git-fixes).
- md: fix invalid stored role for a disk (bnc#1012382).
- md: fix invalid stored role for a disk - try2 (bnc#1012382).
- md: reorder flag_bits to match upstream commits
- media: DaVinci-VPBE: fix error handling in vpbe_initialize() (bnc#1012382).
- media: dvb-frontends: fix i2c access helpers for KASAN (bnc#1012382).
- media: em28xx: fix input name for Terratec AV 350 (bnc#1012382).
- media: em28xx: Fix misplaced reset of dev->v4l::field_count (bnc#1012382).
- media: em28xx: Fix use-after-free when disconnecting (bnc#1012382).
- media: em28xx: make v4l2-compliance happier by starting sequence on zero (bnc#1012382).
- media: em28xx: use a default format if TRY_FMT fails (bnc#1012382).
- media: firewire: Fix app_info parameter type in avc_ca{,_app}_info (bnc#1012382).
- media: pci: cx23885: handle adding to list failure (bnc#1012382).
- media: tvp5150: fix width alignment during set_selection() (bnc#1012382).
- media: v4l: event: Add subscription to list before calling 'add' operation (bnc#1012382).
- media: vb2: be sure to unlock mutex on errors (bnc#1012382).
- media: vb2: vb2_mmap: move lock up (bnc#1012382).
- media: vivid: fix error handling of kthread_run (bnc#1012382).
- media: vivid: free bitmap_cap when updating std/timings/etc (bnc#1012382).
- media: vivid: set min width/height to a value > 0 (bnc#1012382).
- memstick: Prevent memstick host from getting runtime suspended during card detection (bnc#1012382).
- mfd: tps6586x: Handle interrupts on suspend (bnc#1012382).
- mips: bpf: fix encoding bug for mm_srlv32_op (bnc#1012382).
- mips: cm: reprime error cause (bnc#1012382).
- mips: fix n32 compat_ipc_parse_version (bnc#1012382).
- mips: OCTEON: do not set octeon_dma_bar_type if PCI is disabled (bnc#1012382).
- mips: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur (bnc#1012382).
- mips: VDSO: Include $(ccflags-vdso) in o32,n32 .lds builds (bnc#1012382).
- misc: atmel-ssc: Fix section annotation on atmel_ssc_get_driver_data (bnc#1012382).
- misc: mic/scif: fix copy-paste error in scif_create_remote_lookup (bnc#1012382).
- misc: vexpress: Off by one in vexpress_syscfg_exec() (bnc#1012382).
- mmc: atmel-mci: do not assume idle after atmci_request_end (bnc#1012382).
- mmc: bcm2835: Fix DMA channel leak on probe error (bsc#1120902).
- mmc: core: Reset HPI enabled state during re-init and in case of errors (bnc#1012382).
- mm: cleancache: fix corruption on missed inode invalidation (bnc#1012382).
- mmc: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310 (bnc#1012382).
- mmc: omap_hsmmc: fix DMA API warning (bnc#1012382).
- mmc: sdhci-iproc: handle mmc_of_parse() errors during probe (bnc#1012382).
- mmc: sdhci-pci-o2micro: Add quirk for O2 Micro dev 0x8620 rev 0x01 (bnc#1012382).
- mm, devm_memremap_pages: kill mapping 'System RAM' support (bnc#1012382).
- mm: do not bug_on on incorrect length in __mm_populate() (bnc#1012382).
- mm: do not miss the last page because of round-off error (bnc#1118798).
- mm, elf: handle vm_brk error (bnc#1012382).
- mm, hugetlb: fix huge_pte_alloc BUG_ON (bsc#1119204).
- mm: hwpoison: call shake_page() after try_to_unmap() for mlocked page (bnc#1116336).
- mm: lower the printk loglevel for __dump_page messages (generic hotplug debugability).
- mm, memory_hotplug: be more verbose for memory offline failures (generic hotplug debugability).
- mm, memory_hotplug: drop pointless block alignment checks from __offline_pages (generic hotplug debugability).
- mm, memory_hotplug: print reason for the offlining failure (generic hotplug debugability).
- mm: migrate: do not rely on __PageMovable() of newpage after unlocking it (bnc#1012382).
- mm: migration: fix migration of huge PMD shared pages (bnc#1012382).
- mm: mlock: avoid increase mm->locked_vm on mlock() when already mlock2(,MLOCK_ONFAULT) (bnc#1012382).
- mm/nommu.c: Switch __get_user_pages_unlocked() to use __get_user_pages() (bnc#1012382).
- mm: only report isolation failures when offlining memory (generic hotplug debugability).
- mm, oom: fix use-after-free in oom_kill_process (bnc#1012382).
- mm, page_alloc: drop should_suppress_show_mem (bnc#1125892, bnc#1106061).
- mm/page-writeback.c: do not break integrity writeback on ->writepage() error (bnc#1012382).
- mm: Preserve _PAGE_DEVMAP across mprotect() calls (bsc#1118790).
- mm: print more information about mapping in __dump_page (generic hotplug debugability).
- mm, proc: be more verbose about unstable VMA flags in /proc/<pid>/smaps (bnc#1012382).
- mm: put_and_wait_on_page_locked() while page is migrated (bnc#1109272).
- mm: refuse wrapped vm_brk requests (bnc#1012382).
- mm: remove write/force parameters from __get_user_pages_locked() (bnc#1012382 bsc#1027260).
- mm: remove write/force parameters from __get_user_pages_unlocked() (bnc#1012382 bsc#1027260).
- mm: replace __access_remote_vm() write parameter with gup_flags (bnc#1012382).
- mm: replace access_remote_vm() write parameter with gup_flags (bnc#1012382).
- mm: replace get_user_pages_locked() write/force parameters with gup_flags (bnc#1012382 bsc#1027260).
- mm: replace get_user_pages_unlocked() write/force parameters with gup_flags (bnc#1012382 bsc#1027260).
- mm: replace get_user_pages() write/force parameters with gup_flags (bnc#1012382 bsc#1027260).
- mm: replace get_vaddr_frames() write/force parameters with gup_flags (bnc#1012382).
- mm, slab: faster active and free stats (bsc#1116653, VM Performance).
- mm/slab: improve performance of gathering slabinfo stats (bsc#1116653, VM Performance).
- mm, slab: maintain total slab count instead of active count (bsc#1116653, VM Performance).
- mm: thp: relax __GFP_THISNODE for MADV_HUGEPAGE mappings (bnc#1012382).
- modpost: validate symbol names also in find_elf_symbol (bnc#1012382).
- modules: mark __inittest/__exittest as __maybe_unused (bnc#1012382).
- mount: Do not allow copying MNT_UNBINDABLE|MNT_LOCKED mounts (bnc#1012382).
- mount: Prevent MNT_DETACH from disconnecting locked mounts (bnc#1012382).
- mount: Retest MNT_LOCKED in do_umount (bnc#1012382).
- Move patches to sorted range, p1
- Move /proc/sys/vm/procfs-drop-fd-dentries to /proc/sys/fs/procfs-drop-fd-dentries (bsc#1086652) This was incorrectly put in /proc/sys/vm.
- msi: Disable MSI also when pcie-octeon.pcie_disable on (bnc#1012382).
- mtd: docg3: do not set conflicting BCH_CONST_PARAMS option (bnc#1012382).
- mtd: rawnand: gpmi: fix MX28 bus master lockup problem (bnc#1012382).
- mtd: spi-nor: Add support for is25wp series chips (bnc#1012382).
- mv88e6060: disable hardware level MAC learning (bnc#1012382).
- mwifiex: Fix NULL pointer dereference in skb_dequeue() (bnc#1012382).
- mwifiex: fix p2p device does not find in scan problem (bnc#1012382).
- namei: allow restricted O_CREAT of FIFOs and regular files (bnc#1012382).
- neighbour: Avoid writing before skb->head in neigh_hh_output() (bnc#1012382).
- net: 8139cp: fix a BUG triggered by changing mtu with network traffic (bnc#1012382).
- net/af_iucv: drop inbound packets with invalid flags (bnc#1114475, LTC#172679).
- net/af_iucv: fix skb handling on HiperTransport xmit error (bnc#1114475, LTC#172679).
- net: amd: add missing of_node_put() (bnc#1012382).
- net: bcmgenet: fix OF child-node lookup (bnc#1012382).
- net: bridge: fix a bug on using a neighbour cache entry without checking its state (bnc#1012382).
- net: bridge: Fix ethernet header pointer before check skb forwardable (bnc#1012382).
- net: bridge: remove ipv6 zero address check in mcast queries (bnc#1012382).
- net: call sk_dst_reset when set SO_DONTROUTE (bnc#1012382).
- net: cxgb3_main: fix a missing-check bug (bnc#1012382).
- net: dp83640: expire old TX-skb (bnc#1012382).
- net: drop skb on failure in ip_check_defrag() (bnc#1012382).
- net: drop write-only stack variable (bnc#1012382).
- net: dsa: slave: Do not propagate flag changes on down slave interfaces (bnc#1012382).
- net: ena: add functions for handling Low Latency Queues in ena_com (bsc#1117562).
- net: ena: add functions for handling Low Latency Queues in ena_netdev (bsc#1117562).
- net: ena: change rx copybreak default to reduce kernel memory pressure (bsc#1117562).
- net: ena: complete host info to match latest ENA spec (bsc#1117562).
- net: ena: enable Low Latency Queues (bsc#1117562).
- net: ena: explicit casting and initialization, and clearer error handling (bsc#1117562).
- net: ena: fix auto casting to boolean (bsc#1117562).
- net: ena: fix compilation error in xtensa architecture (bsc#1117562).
- net: ena: fix crash during ena_remove() (bsc#1108240).
- net: ena: fix crash during failed resume from hibernation (bsc#1117562).
- net: ena: fix indentations in ena_defs for better readability (bsc#1117562).
- net: ena: Fix Kconfig dependency on X86 (bsc#1117562).
- net: ena: fix NULL dereference due to untimely napi initialization (bsc#1117562).
- net: ena: fix rare bug when failed restart/resume is followed by driver removal (bsc#1117562).
- net: ena: fix warning in rmmod caused by double iounmap (bsc#1117562).
- net: ena: introduce Low Latency Queues data structures according to ENA spec (bsc#1117562).
- net: ena: limit refill Rx threshold to 256 to avoid latency issues (bsc#1117562).
- net: ena: minor performance improvement (bsc#1117562).
- net: ena: remove ndo_poll_controller (bsc#1117562).
- net: ena: remove redundant parameter in ena_com_admin_init() (bsc#1117562).
- net: ena: update driver version from 2.0.1 to 2.0.2 (bsc#1108240).
- net: ena: update driver version to 2.0.1 (bsc#1117562).
- net: ena: use CSUM_CHECKED device indication to report skb's checksum status (bsc#1117562).
- net: faraday: ftmac100: remove netif_running(netdev) check before disabling interrupts (bnc#1012382).
- netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net (bnc#1012382).
- netfilter: ipset: Correct rcu_dereference() call in ip_set_put_comment() (bnc#1012382).
- netfilter: nf_tables: fix oops when inserting an element into a verdict map (bnc#1012382).
- netfilter: xt_IDLETIMER: add sysfs filename checking routine (bnc#1012382).
- net: fix pskb_trim_rcsum_slow() with odd trim offset (bnc#1012382).
- net: Fix usage of pskb_trim_rcsum (bnc#1012382).
- net-gro: reset skb->pkt_type in napi_reuse_skb() (bnc#1012382).
- net: hisilicon: remove unexpected free_netdev (bnc#1012382).
- net: ibm: fix return type of ndo_start_xmit function ().
- net/ibmnvic: Fix deadlock problem in reset ().
- net/ibmvnic: Fix RTNL deadlock during device reset (bnc#1115431).
- net: ieee802154: 6lowpan: fix frag reassembly (bnc#1012382).
- net/ipv4: defensive cipso option parsing (bnc#1012382).
- net: ipv4: do not handle duplicate fragments as overlapping (bnc#1012382 bsc#1116345).
- net: ipv4: do not handle duplicate fragments as overlapping (bsc#1116345).
- net: ipv4: Fix memory leak in network namespace dismantle (bnc#1012382).
- net/ipv6: Fix index counter for unicast addresses in in6_dump_addrs (bnc#1012382).
- net/mlx4_core: Add masking for a few queries on HCA caps (bnc#1012382).
- net/mlx4_core: Correctly set PFC param if global pause is turned off (bsc#1015336 bsc#1015337 bsc#1015340).
- net/mlx4_core: Fix uninitialized variable compilation warning (bnc#1012382).
- net/mlx4_core: Zero out lkey field in SW2HW_MPT fw command (bnc#1012382).
- net/mlx4: Fix UBSAN warning of signed integer overflow (bnc#1012382).
- net: modify skb_rbtree_purge to return the truesize of all purged skbs (bnc#1012382).
- net: phy: do not allow __set_phy_supported to add unsupported modes (bnc#1012382).
- net: Prevent invalid access to skb->prev in __qdisc_drop_all (bnc#1012382).
- net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends (bnc#1012382).
- net: qla3xxx: Remove overflowing shift statement (bnc#1012382).
- netrom: fix locking in nr_find_socket() (bnc#1012382).
- netrom: switch to sock timer API (bnc#1012382).
- net/rose: fix NULL ax25_cb kernel panic (bnc#1012382).
- net: sched: gred: pass the right attribute to gred_change_table_def() (bnc#1012382).
- net_sched: refetch skb protocol for each filter (bnc#1012382).
- net: socket: fix a missing-check bug (bnc#1012382).
- net: speed up skb_rbtree_purge() (bnc#1012382).
- net: stmmac: Fix stmmac_mdio_reset() when building stmmac as modules (bnc#1012382).
- net: systemport: Fix WoL with password after deep sleep (bnc#1012382).
- net: thunderx: fix NULL pointer dereference in nic_remove (bnc#1012382).
- new helper: uaccess_kernel() (bnc#1012382).
- nfc: nfcmrvl_uart: fix OF child-node lookup (bnc#1012382).
- nfc: nxp-nci: Include unaligned.h instead of access_ok.h (bnc#1012382).
- nfit: fix unchecked dereference in acpi_nfit_ctl (bsc#1125014).
- nfit: skip region registration for incomplete control regions (bsc#1118930).
- nfsd4: fix crash on writing v4_end_grace before nfsd startup (bnc#1012382).
- nfsd: Fix an Oops in free_session() (bnc#1012382).
- nfs: Ensure we commit after writeback is complete (bsc#1111809).
- nfs: nfs_compare_mount_options always compare auth flavors (bnc#1012382).
- nfsv4.1: Fix the r/wsize checking (bnc#1012382).
- nfsv4: Do not exit the state manager without clearing NFS4CLNT_MANAGER_RUNNING (git-fixes).
- niu: fix missing checks of niu_pci_eeprom_read (bnc#1012382).
- nvme: validate controller state before rescheduling keep alive (bsc#1103257).
- ocfs2: do not clear bh uptodate for block read (bnc#1012382).
- ocfs2: fix a misuse a of brelse after failing ocfs2_check_dir_entry (bnc#1012382).
- ocfs2: fix deadlock caused by ocfs2_defrag_extent() (bnc#1012382).
- ocfs2: fix panic due to unrecovered local alloc (bnc#1012382).
- ocfs2: fix potential use after free (bnc#1012382).
- of: add helper to lookup compatible child node (bnc#1012382).
- omap2fb: Fix stack memory disclosure (bsc#1106929)
- openvswitch: Avoid OOB read when parsing flow nlattrs (bnc#1012382).
- packet: Do not leak dev refcounts on error exit (bnc#1012382).
- packet: validate address length (bnc#1012382).
- packet: validate address length if non-zero (bnc#1012382).
- parisc: Fix address in HPMC IVA (bnc#1012382).
- parisc: Fix map_pages() to not overwrite existing pte entries (bnc#1012382).
- pci: Add Device IDs for Intel GPU 'spurious interrupt' quirk (bnc#1012382).
- pci: altera: Check link status before retrain link (bnc#1012382).
- pci: altera: Fix altera_pcie_link_is_up() (bnc#1012382).
- pci: altera: Move retrain from fixup to altera_pcie_host_init() (bnc#1012382).
- pci: altera: Poll for link training status after retraining the link (bnc#1012382).
- pci: altera: Poll for link up status after retraining the link (bnc#1012382).
- pci: altera: Reorder read/write functions (bnc#1012382).
- pci: altera: Rework config accessors for use without a struct pci_bus (bnc#1012382).
- pci/ASPM: Do not initialize link state when aspm_disabled is set (bsc#1109806).
- pci/ASPM: Fix link_state teardown on device removal (bsc#1109806).
- pci: vmd: Detach resources after stopping root bus (bsc#1106105).
- pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges (bnc#1012382).
- perf/bpf: Convert perf_event_array to use struct file (bsc#1119967).
- perf/core: Do not leak event in the syscall error path (bnc#1012382).
- perf/core: Do not WARN() for impossible ring-buffer sizes (bnc#1012382).
- perf/core: Fix impossible ring-buffer sizes warning (bnc#1012382).
- perf intel-pt: Fix error with config term 'pt=0' (bnc#1012382).
- perf parse-events: Fix unchecked usage of strncpy() (bnc#1012382).
- perf pmu: Suppress potential format-truncation warning (bnc#1012382).
- perf/ring_buffer: Prevent concurent ring buffer access (bnc#1012382).
- perf svghelper: Fix unchecked usage of strncpy() (bnc#1012382).
- perf tests evsel-tp-sched: Fix bitwise operator (bnc#1012382).
- perf tools: Add Hygon Dhyana support (bnc#1012382).
- perf tools: Cleanup trace-event-info 'tdata' leak (bnc#1012382).
- perf tools: Disable parallelism for 'make clean' (bnc#1012382).
- perf tools: Free temporary 'sys' string in read_event_files() (bnc#1012382).
- perf unwind: Take pgoff into account when reporting elf to libdwfl (bnc#1012382).
- perf unwind: Unwind with libdw does not take symfs into account (bnc#1012382).
- perf/x86/intel/uncore: Add Node ID mask (bnc#1012382).
- pinctrl: msm: fix gpio-hog related boot issues (bnc#1012382).
- pinctrl: qcom: spmi-mpp: Fix drive strength setting (bnc#1012382).
- pinctrl: qcom: spmi-mpp: Fix err handling of pmic_mpp_set_mux (bnc#1012382).
- pinctrl: spmi-mpp: Fix pmic_mpp_config_get() to be compliant (bnc#1012382).
- pinctrl: ssbi-gpio: Fix pm8xxx_pin_config_get() to be compliant (bnc#1012382).
- pinctrl: sunxi: a83t: Fix IRQ offset typo for PH11 (bnc#1012382).
- platform/x86: acerhdf: Add BIOS entry for Gateway LT31 v1.3307 (bnc#1012382).
- platform/x86: asus-nb-wmi: Drop mapping of 0x33 and 0x34 scan codes (bnc#1012382).
- platform/x86: asus-nb-wmi: Map 0x35 to KEY_SCREENLOCK (bnc#1012382).
- platform/x86: asus-wmi: Tell the EC the OS will handle the display off hotkey (bnc#1012382).
- platform/x86: thinkpad_acpi: Proper model/release matching (bsc#1099810).
- pm / devfreq: tegra: fix error return code in tegra_devfreq_probe() (bnc#1012382).
- pNFS: Fix a deadlock between read resends and layoutreturn (git-fixes).
- pNFS/flexfiles: Fix up the ff_layout_write_pagelist failure path (git-fixes).
- pNFS/flexfiles: When checking for available DSes, conditionally check for MDS io (git-fixes).
- pnfs: set NFS_IOHDR_REDO in pnfs_read_resend_pnfs (git-fixes).
- powerpc/64s: consolidate MCE counter increment (bsc#1094244).
- powerpc/boot: Ensure _zimage_start is a weak symbol (bnc#1012382).
- powerpc/boot: Fix random libfdt related build errors (bnc#1012382).
- powerpc/boot: Request no dynamic linker for boot wrapper (bsc#1070805).
- powerpc/cacheinfo: Report the correct shared_cpu_map on big-cores (bsc#1109695).
- powerpc: Detect the presence of big-cores via 'ibm, thread-groups' (bsc#1109695).
- powerpc: Fix COFF zImage booting on old powermacs (bnc#1012382).
- powerpc: handle RFI (exrfi and fallback area) and STF (exrfi).
- powerpc, hotplug: Avoid to touch non-existent cpumasks (bsc#1109695).
- powerpc: make use of for_each_node_by_type() instead of open-coding it (bsc#1109695).
- powerpc/mm/radix: Use mm->task_size for boundary checking instead of addr_limit (bsc#1027457).
- powerpc/msi: Fix compile error on mpc83xx (bnc#1012382).
- powerpc/msi: Fix NULL pointer access in teardown code (bnc#1012382).
- powerpc/nohash: fix undefined behaviour when testing page size support (bnc#1012382).
- powerpc/numa: Suppress 'VPHN is not supported' messages (bnc#1012382).
- powerpc/powernv: Do not select the cpufreq governors (bsc#1066223).
- powerpc/powernv: Fix opal_event_shutdown() called with interrupts disabled (bsc#1066223).
- powerpc/powernv/pci: Work around races in PCI bridge enabling (bsc#1066223).
- powerpc/pseries: add of_node_put() in dlpar_detach_node() (bnc#1012382).
- powerpc/pseries/cpuidle: Fix preempt warning (bnc#1012382).
- powerpc/pseries: Fix DTL buffer registration (bsc#1066223).
- powerpc/pseries: Fix how we iterate over the DTL entries (bsc#1066223).
- powerpc/pseries/mobility: Extend start/stop topology update scope (bsc#1116950, bsc#1115709).
- powerpc/setup: Add cpu_to_phys_id array (bsc#1109695).
- powerpc/smp: Add cpu_l2_cache_map (bsc#1109695).
- powerpc/smp: Add Power9 scheduler topology (bsc#1109695).
- powerpc/smp: Rework CPU topology construction (bsc#1109695).
- powerpc/smp: Use cpu_to_chip_id() to find core siblings (bsc#1109695).
- powerpc/traps: restore recoverability of machine_check interrupts (bsc#1094244).
- powerpc/uaccess: fix warning/error with access_ok() (bnc#1012382).
- powerpc: Use cpu_smallcore_sibling_mask at SMT level on bigcores (bsc#1109695).
- powerpc/xmon: Fix invocation inside lock region (bsc#1122885).
- power: supply: olpc_battery: correct the temperature units (bnc#1012382).
- printk: Fix panic caused by passing log_buf_len to command line (bnc#1012382).
- proc: Remove empty line in /proc/self/status (bnc#1012382 bsc#1094823).
- Provide a temporary fix for STIBP on-by-default See bsc#1116497 for details.
- pstore: Convert console write to use ->write_buf (bnc#1012382).
- pstore/ram: Do not treat empty buffers as valid (bnc#1012382).
- ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl (bnc#1012382).
- ptp: fix Spectre v1 vulnerability (bnc#1012382).
- pxa168fb: prepare the clock (bnc#1012382).
- qed: Fix bitmap_weight() check (bsc#1019695).
- qed: Fix PTT leak in qed_drain() (bnc#1012382).
- qed: Fix QM getters to always return a valid pq (bsc#1019695 ).
- qed: Fix reading wrong value in loop condition (bnc#1012382).
- r8152: Check for supported Wake-on-LAN Modes (bnc#1012382).
- r8169: Add support for new Realtek Ethernet (bnc#1012382).
- r8169: fix NAPI handling under high load (bnc#1012382).
- rapidio/rionet: do not free skb before reading its length (bnc#1012382).
- rbd: do not return 0 on unmap if RBD_DEV_FLAG_REMOVING is set (bsc#1125808).
- rcu: Force boolean subscript for expedited stall warnings (bnc#1012382).
- RDMA/bnxt_re: Fix a couple off by one bugs (bsc#1020413, ).
- RDMA/bnxt_re: Synchronize destroy_qp with poll_cq (bsc#1125446).
- RDMA/ucma: Fix Spectre v1 vulnerability (bnc#1012382).
- Refresh patches.kabi/x86-cpufeature-preserve-numbers.patch. (bsc#1122651)
- reiserfs: propagate errors from fill_with_dentries() properly (bnc#1012382).
- Revert 'Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV' (bnc#1012382).
- Revert 'ceph: fix dentry leak in splice_dentry()' (bsc#1114839).
- Revert 'cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on legacy (insecure cifs)' (bnc#1012382).
- Revert 'drm/rockchip: Allow driver to be shutdown on reboot/kexec' (bsc#1106929)
- Revert 'exec: load_script: do not blindly truncate shebang string' (bnc#1012382).
- Revert 'Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G' (bnc#1012382).
- Revert 'iommu/io-pgtable-arm: Check for v7s-incapable systems' (bsc#1106105).
- Revert 'loop: Fix double mutex_unlock(&loop_ctl_mutex) in loop_control_ioctl()' (bnc#1012382).
- Revert 'loop: Fold __loop_release into loop_release' (bnc#1012382).
- Revert 'loop: Get rid of loop_index_mutex' (bnc#1012382).
- Revert 'media: videobuf2-core: do not call memop 'finish' when queueing' (bnc#1012382).
- Revert 'mmc: bcm2835: Fix DMA channel leak on probe error (bsc#1120902).' The backport patch does not built properly.
- Revert 'PCI/ASPM: Do not initialize link state when aspm_disabled is set' (bsc#1106105).
- Revert 'usb: musb: musb_host: Enable HCD_BH flag to handle urb return in bottom half' (bsc#1047487).
- Revert 'wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout()' (bnc#1012382).
- rhashtable: Add rhashtable_lookup() (bnc#1012382).
- rhashtable: add rhashtable_lookup_get_insert_key() (bnc#1012382 bsc#1042286).
- rhashtable: add schedule points (bnc#1012382).
- rhashtable: reorganize struct rhashtable layout (bnc#1012382).
- rocker: fix rocker_tlv_put_* functions for KASAN (bnc#1012382).
- rpcrdma: Add RPCRDMA_HDRLEN_ERR (git-fixes).
- rps: flow_dissector: Fix uninitialized flow_keys used in __skb_get_hash possibly (bsc#1042286 bsc#1108145).
- rtc: hctosys: Add missing range error reporting (bnc#1012382).
- rtc: snvs: add a missing write sync (bnc#1012382).
- rtc: snvs: Add timeouts to avoid kernel lockups (bnc#1012382).
- rtnetlink: Disallow FDB configuration for non-Ethernet device (bnc#1012382).
- rtnetlink: ndo_dflt_fdb_dump() only work for ARPHRD_ETHER devices (bnc#1012382).
- s390/cpum_cf: Reject request for sampling in event initialization (bnc#1012382).
- s390/early: improve machine detection (bnc#1012382).
- s390/mm: Check for valid vma before zapping in gmap_discard (bnc#1012382).
- s390/mm: Fix ERROR: '__node_distance' undefined! (bnc#1012382).
- s390: qeth_core_mpc: Use ARRAY_SIZE instead of reimplementing its function (bnc#1114475, LTC#172682).
- s390/qeth: fix HiperSockets sniffer (bnc#1114475, LTC#172953).
- s390/qeth: fix length check in SNMP processing (bnc#1012382).
- s390: qeth: Fix potential array overrun in cmd/rc lookup (bnc#1114475, LTC#172682).
- s390/smp: Fix calling smp_call_ipl_cpu() from ipl CPU (bnc#1012382).
- s390/smp: fix CPU hotplug deadlock with CPU rescan (bnc#1012382).
- s390/vdso: add missing FORCE to build targets (bnc#1012382).
- sata_rcar: fix deferred probing (bnc#1012382).
- sbus: char: add of_node_put() (bnc#1012382).
- sc16is7xx: Fix for multi-channel stall (bnc#1012382).
- sched/cgroup: Fix cgroup entity load tracking tear-down (bnc#1012382).
- sched/fair: Fix throttle_list starvation with low CFS quota (bnc#1012382).
- sched/wake_q: Document wake_q_add() (bsc#1050549).
- sched/wake_q: Fix wakeup ordering for wake_q (bsc#1050549).
- sched/wake_q: Reduce reference counting for special users (bsc#1050549).
- sch_red: update backlog as well (bnc#1012382).
- scripts/decode_stacktrace: only strip base path when a prefix of the path (bnc#1012382).
- scripts/git_sort/git_sort.py: Add mkp/scsi 5.0/scsi-fixes
- scsi: aacraid: Fix typo in blink status (bnc#1012382).
- scsi: bfa: convert to strlcpy/strlcat (bnc#1012382 bsc#1019683, ).
- scsi: bnx2fc: Fix NULL dereference in error handling (bnc#1012382).
- scsi: core: Allow state transitions from OFFLINE to BLOCKED (bsc#1112246).
- scsi: Create two versions of scsi_internal_device_unblock() (bsc#1119877).
- scsi: csiostor: Avoid content leaks and casts (bnc#1012382).
- scsi: esp_scsi: Track residual for PIO transfers (bnc#1012382).
- scsi: Introduce scsi_start_queue() (bsc#1119877).
- scsi: libfc: check fc_frame_payload_get() return value for null (bsc#1103624, bsc#1104731).
- scsi: libfc: retry PRLI if we cannot analyse the payload (bsc#1104731).
- scsi: libiscsi: Fix NULL pointer dereference in iscsi_eh_session_reset (bnc#1012382).
- scsi: lpfc: Add Buffer overflow check, when nvme_info larger than PAGE_SIZE (bsc#1102660).
- scsi: lpfc: Correct LCB RJT handling (bnc#1012382).
- scsi: lpfc: Correct MDS diag and nvmet configuration (bsc#1125796).
- scsi: lpfc: Correct soft lockup when running mds diagnostics (bnc#1012382).
- scsi: lpfc: devloss timeout race condition caused null pointer reference (bsc#1102660).
- scsi: lpfc: Fix abort error path for NVMET (bsc#1102660).
- scsi: lpfc: fix block guard enablement on SLI3 adapters (bsc#1079935).
- scsi: lpfc: Fix driver crash when re-registering NVME rports (bsc#1102660).
- scsi: lpfc: Fix ELS abort on SLI-3 adapters (bsc#1102660).
- scsi: lpfc: Fix list corruption on the completion queue (bsc#1102660).
- scsi: lpfc: Fix NVME Target crash in defer rcv logic (bsc#1102660).
- scsi: lpfc: Fix panic if driver unloaded when port is offline (bsc#1102660).
- scsi: lpfc: update driver version to 11.4.0.7-5 (bsc#1102660).
- scsi: Make __scsi_remove_device go straight from BLOCKED to DEL (bsc#1119877).
- scsi: megaraid: fix out-of-bound array accesses (bnc#1012382).
- scsi: megaraid_sas: fix a missing-check bug (bnc#1012382).
- scsi: mpt3sas: Add an I/O barrier (bsc#1117108).
- scsi: mpt3sas: Added support for nvme encapsulated request message (bsc#1117108).
- scsi: mpt3sas: Added support for SAS Device Discovery Error Event (bsc#1117108).
- scsi: mpt3sas: Adding support for SAS3616 HBA device (bsc#1117108).
- scsi: mpt3sas: Add ioc_<level> logging macros (bsc#1117108).
- scsi: mpt3sas: Add nvme device support in slave alloc, target alloc and probe (bsc#1117108).
- scsi: mpt3sas: Add PCI device ID for Andromeda (bsc#1117108).
- scsi: mpt3sas: Add-Task-management-debug-info-for-NVMe-drives (bsc#1117108).
- scsi: mpt3sas: Allow processing of events during driver unload (bsc#1117108).
- scsi: mpt3sas: always use first reserved smid for ioctl passthrough (bsc#1117108).
- scsi: mpt3sas: Annotate switch/case fall-through (bsc#1117108).
- scsi: mpt3sas: API's to remove nvme drive from sml (bsc#1117108).
- scsi: mpt3sas: API 's to support NVMe drive addition to SML (bsc#1117108).
- scsi: mpt3sas: As per MPI-spec, use combined reply queue for SAS3.5 controllers when HBA supports more than 16 MSI-x vectors (bsc#1117108).
- scsi: mpt3sas: Bug fix for big endian systems (bsc#1117108).
- scsi: mpt3sas: Bump mpt3sas driver version to v16.100.00.00 (bsc#1117108).
- scsi: mpt3sas: Cache enclosure pages during enclosure add (bsc#1117108).
- scsi: mpt3sas: check command status before attempting abort (bsc#1117108).
- scsi: mpt3sas: clarify mmio pointer types (bsc#1117108).
- scsi: mpt3sas: cleanup _scsih_pcie_enumeration_event() (bsc#1117108).
- scsi: mpt3sas: Configure reply post queue depth, DMA and sgl tablesize (bsc#1117108).
- scsi: mpt3sas: Convert logging uses with MPT3SAS_FMT and reply_q_name to %s: (bsc#1117108).
- scsi: mpt3sas: Convert logging uses with MPT3SAS_FMT without logging levels (bsc#1117108).
- scsi: mpt3sas: Convert mlsleading uses of pr_<level> with MPT3SAS_FMT (bsc#1117108).
- scsi: mpt3sas: Convert uses of pr_<level> with MPT3SAS_FMT to ioc_<level> (bsc#1117108).
- scsi: mpt3sas: Display chassis slot information of the drive (bsc#1117108).
- scsi: mpt3sas: Do not abort I/Os issued to NVMe drives while processing Async Broadcast primitive event (bsc#1117108).
- scsi: mpt3sas: Do not access the structure after decrementing it's instance reference count (bsc#1117108).
- scsi: mpt3sas: Do not use 32-bit atomic request descriptor for Ventura controllers (bsc#1117108).
- scsi: mpt3sas: Enhanced handling of Sense Buffer (bsc#1117108).
- scsi: mpt3sas: fix an out of bound write (bsc#1117108).
- scsi: mpt3sas: Fix a race condition in mpt3sas_base_hard_reset_handler() (bsc#1117108).
- scsi: mpt3sas: Fix calltrace observed while running IO & reset (bsc#1117108).
- scsi: mpt3sas: fix dma_addr_t casts (bsc#1117108).
- scsi: mpt3sas: Fixed memory leaks in driver (bsc#1117108).
- scsi: mpt3sas: Fix, False timeout prints for ioctl and other internal commands during controller reset (bsc#1117108).
- scsi: mpt3sas: fix format overflow warning (bsc#1117108).
- scsi: mpt3sas: Fix indentation (bsc#1117108).
- scsi: mpt3sas: Fix memory allocation failure test in 'mpt3sas_base_attach()' (bsc#1117108).
- scsi: mpt3sas: Fix nvme drives checking for tlr (bsc#1117108).
- scsi: mpt3sas: fix oops in error handlers after shutdown/unload (bsc#1117108).
- scsi: mpt3sas: Fix possibility of using invalid Enclosure Handle for SAS device after host reset (bsc#1117108).
- scsi: mpt3sas: fix possible memory leak (bsc#1117108).
- scsi: mpt3sas: fix pr_info message continuation (bsc#1117108).
- scsi: mpt3sas: Fix removal and addition of vSES device during host reset (bsc#1117108).
- scsi: mpt3sas: Fix sparse warnings (bsc#1117108).
- scsi: mpt3sas: fix spelling mistake: 'disbale' -> 'disable' (bsc#1117108).
- scsi: mpt3sas: For NVME device, issue a protocol level reset (bsc#1117108).
- scsi: mpt3sas: Handle NVMe PCIe device related events generated from firmware (bsc#1117108).
- scsi: mpt3sas: Improve kernel-doc headers (bsc#1117108).
- scsi: mpt3sas: Incorrect command status was set/marked as not used (bsc#1117108).
- scsi: mpt3sas: Increase event log buffer to support 24 port HBA's (bsc#1117108).
- scsi: mpt3sas: Introduce API to get BAR0 mapped buffer address (bsc#1117108).
- scsi: mpt3sas: Introduce Base function for cloning (bsc#1117108).
- scsi: mpt3sas: Introduce function to clone mpi reply (bsc#1117108).
- scsi: mpt3sas: Introduce function to clone mpi request (bsc#1117108).
- scsi: mpt3sas: Introduce mpt3sas_get_st_from_smid() (bsc#1117108).
- scsi: mpt3sas: Introduce struct mpt3sas_nvme_cmd (bsc#1117108).
- scsi: mpt3sas: Lockless access for chain buffers (bsc#1117108).
- scsi: mpt3sas: lockless command submission (bsc#1117108).
- scsi: mpt3sas: make function _get_st_from_smid static (bsc#1117108).
- scsi: mpt3sas: NVMe drive support for BTDHMAPPING ioctl command and log info (bsc#1117108).
- scsi: mpt3sas: open-code _scsih_scsi_lookup_get() (bsc#1117108).
- scsi: mpt3sas: Optimize I/O memory consumption in driver (bsc#1117108).
- scsi: mpt3sas: Pre-allocate RDPQ Array at driver boot time (bsc#1117108).
- scsi: mpt3sas: Processing of Cable Exception events (bsc#1117108).
- scsi: mpt3sas: Reduce memory footprint in kdump kernel (bsc#1117108).
- scsi: mpt3sas: remove a stray KERN_INFO (bsc#1117108).
- scsi: mpt3sas: Remove KERN_WARNING from panic uses (bsc#1117108).
- scsi: mpt3sas: remove redundant copy_from_user in _ctl_getiocinfo (bsc#1117108).
- scsi: mpt3sas: remove redundant wmb (bsc#1117108).
- scsi: mpt3sas: Remove set-but-not-used variables (bsc#1117108).
- scsi: mpt3sas: Remove unnecessary parentheses and simplify null checks (bsc#1117108).
- scsi: mpt3sas: Remove unused macro MPT3SAS_FMT (bsc#1117108).
- scsi: mpt3sas: Remove unused variable requeue_event (bsc#1117108).
- scsi: mpt3sas: Replace PCI pool old API (bsc#1117108).
- scsi: mpt3sas: Replace PCI pool old API (bsc#1117108).
- scsi: mpt3sas: Report Firmware Package Version from HBA Driver (bsc#1117108).
- scsi: mpt3sas: scan and add nvme device after controller reset (bsc#1117108).
- scsi: mpt3sas: separate out _base_recovery_check() (bsc#1117108).
- scsi: mpt3sas: set default value for cb_idx (bsc#1117108).
- scsi: mpt3sas: Set NVMe device queue depth as 128 (bsc#1117108).
- scsi: mpt3sas: SGL to PRP Translation for I/Os to NVMe devices (bsc#1117108).
- scsi: mpt3sas: simplify mpt3sas_scsi_issue_tm() (bsc#1117108).
- scsi: mpt3sas: simplify task management functions (bsc#1117108).
- scsi: mpt3sas: simplify _wait_for_commands_to_complete() (bsc#1117108).
- scsi: mpt3sas: Split _base_reset_handler(), mpt3sas_scsih_reset_handler() and mpt3sas_ctl_reset_handler() (bsc#1117108).
- scsi: mpt3sas: Swap I/O memory read value back to cpu endianness (bsc#1117108).
- scsi: mpt3sas: switch to generic DMA API (bsc#1117108).
- scsi: mpt3sas: switch to pci_alloc_irq_vectors (bsc#1117108).
- scsi: mpt3sas: Updated MPI headers to v2.00.48 (bsc#1117108).
- scsi: mpt3sas: Update driver version '25.100.00.00' (bsc#1117108).
- scsi: mpt3sas: Update driver version '26.100.00.00' (bsc#1117108).
- scsi: mpt3sas: Update MPI Headers (bsc#1117108).
- scsi: mpt3sas: Update mpt3sas driver version (bsc#1117108).
- scsi: mpt3sas: Use dma_pool_zalloc (bsc#1117108).
- scsi: mpt3sas: use list_splice_init() (bsc#1117108).
- scsi: mpt3sas: wait for and flush running commands on shutdown/unload (bsc#1117108).
- scsi: Protect SCSI device state changes with a mutex (bsc#1119877).
- scsi: qedi: Add ISCSI_BOOT_SYSFS to Kconfig (bsc#1043083).
- scsi: qla2xxx: Fix crashes in qla2x00_probe_one on probe failure (bsc#1094973).
- scsi: qla2xxx: Fix deadlock between ATIO and HW lock (bsc#1125794).
- scsi: qla2xxx: Fix incorrect port speed being set for FC adapters (bnc#1012382).
- scsi: qla2xxx: Fix small memory leak in qla2x00_probe_one on probe failure (bsc#1094973).
- scsi: Re-export scsi_internal_device_{,un}_block() (bsc#1119877).
- scsi: sd: Fix cache_type_store() (bnc#1012382).
- scsi: Split scsi_internal_device_block() (bsc#1119877).
- scsi: target: add emulate_pr backstore attr to toggle PR support (bsc#1091405).
- scsi: target: drop unused pi_prot_format attribute storage (bsc#1091405).
- scsi: target: make the pi_prot_format ConfigFS path readable (bsc#1123933).
- scsi: target: use consistent left-aligned ASCII INQUIRY data (bnc#1012382).
- scsi: ufs: fix bugs related to null pointer access and array size (bnc#1012382).
- scsi: ufs: fix race between clock gating and devfreq scaling work (bnc#1012382).
- scsi: ufshcd: Fix race between clk scaling and ungate work (bnc#1012382).
- scsi: ufshcd: release resources if probe fails (bnc#1012382).
- scsi: use 'inquiry_mutex' instead of 'state_mutex' (bsc#1119877).
- scsi: vmw_pscsi: Rearrange code to avoid multiple calls to free_irq during unload (bnc#1012382).
- scsi: zfcp: fix posting too many status read buffers leading to adapter shutdown (bnc#1012382).
- sctp: allocate sctp_sockaddr_entry with kzalloc (bnc#1012382).
- sctp: clear the transport of some out_chunk_list chunks in sctp_assoc_rm_peer (bnc#1012382).
- sctp: fix race on sctp_id2asoc (bnc#1012382).
- sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event (bnc#1012382).
- sd: disable logical block provisioning if 'lbpme' is not set (bsc#1086095 bsc#1078355).
- selftests: ftrace: Add synthetic event syntax testcase (bnc#1012382).
- selftests: Move networking/timestamping from Documentation (bnc#1012382).
- selinux: fix GPF on invalid policy (bnc#1012382).
- seq_buf: Make seq_buf_puts() null-terminate the buffer (bnc#1012382).
- seq_file: fix incomplete reset on read from zero offset (Git-fixes).
- ser_gigaset: use container_of() instead of detour (bnc#1012382).
- serial: fsl_lpuart: clear parity enable bit when disable parity (bnc#1012382).
- signal: Always deliver the kernel's SIGKILL and SIGSTOP to a pid namespace init (bnc#1012382).
- signal: Always notice exiting tasks (bnc#1012382).
- signal: Better detection of synchronous signals (bnc#1012382).
- signal/GenWQE: Fix sending of SIGKILL (bnc#1012382).
- signal: Restore the stop PTRACE_EVENT_EXIT (bnc#1012382).
- skge: potential memory corruption in skge_get_regs() (bnc#1012382).
- slab: alien caches must not be initialized if the allocation of the alien cache failed (bnc#1012382).
- smack: fix access permissions for keyring (bnc#1012382).
- smb3: allow stats which track session and share reconnects to be reset (bnc#1012382).
- smb3: do not attempt cifs operation in smb3 query info error path (bnc#1012382).
- smb3: on kerberos mount if server does not specify auth type use krb5 (bnc#1012382).
- smsc75xx: Check for Wake-on-LAN modes (bnc#1012382).
- smsc95xx: Check for Wake-on-LAN modes (bnc#1012382).
- smsc95xx: Use skb_cow_head to deal with cloned skbs (bnc#1012382).
- sock: Make sock->sk_stamp thread-safe (bnc#1012382).
- soc/tegra: Do not leak device tree node reference (bnc#1012382).
- soc/tegra: pmc: Fix child-node lookup (bnc#1012382).
- sparc64: Fix exception handling in UltraSPARC-III memcpy (bnc#1012382).
- sparc64 mm: Fix more TSB sizing issues (bnc#1012382).
- sparc: Fix single-pcr perf event counter management (bnc#1012382).
- sparc/pci: Refactor dev_archdata initialization into pci_init_dev_archdata (bnc#1012382).
- spi: bcm2835: Avoid finishing transfer prematurely in IRQ mode (bnc#1012382).
- spi: bcm2835: Fix book-keeping of DMA termination (bnc#1012382).
- spi: bcm2835: Fix race on DMA termination (bnc#1012382).
- spi: bcm2835: Unbreak the build of esoteric configs (bnc#1012382).
- spi/bcm63xx: fix error return code in bcm63xx_spi_probe() (bnc#1012382).
- spi/bcm63xx-hspi: fix error return code in bcm63xx_hsspi_probe() (bnc#1012382).
- spi: xlp: fix error return code in xlp_spi_probe() (bnc#1012382).
- sr9800: Check for supported Wake-on-LAN modes (bnc#1012382).
- sr: pass down correctly sized SCSI sense buffer (bnc#1012382).
- staging:iio:ad2s90: Make probe handle spi_setup failure (bnc#1012382).
- staging: iio: ad7780: update voltage on read (bnc#1012382).
- staging: iio: adc: ad7280a: handle error from __ad7280_read32() (bnc#1012382).
- staging: lustre: remove two build warnings (bnc#1012382).
- staging: rtl8188eu: Add device code for D-Link DWA-121 rev B1 (bnc#1012382).
- staging: rts5208: fix gcc-8 logic error warning (bnc#1012382).
- staging: speakup: Replace strncpy with memcpy (bnc#1012382).
- sunrpc: correct the computation for page_ptr when truncating (bnc#1012382).
- sunrpc: drop pointless static qualifier in xdr_get_next_encode_buffer() (bnc#1012382).
- sunrpc: Fix a bogus get/put in generic_key_to_expire() (bnc#1012382).
- sunrpc: Fix a potential race in xprt_connect() (git-fixes).
- sunrpc: fix cache_head leak due to queued request (bnc#1012382).
- sunrpc: Fix leak of krb5p encode pages (bnc#1012382).
- sunrpc: handle ENOMEM in rpcb_getport_async (bnc#1012382).
- sunvdc: Do not spin in an infinite loop when vio_ldc_send() returns EAGAIN (bnc#1012382).
- svcrdma: Remove unused variable in rdma_copy_tail() (git-fixes).
- swim: fix cleanup on setup error (bnc#1012382).
- swiotlb: clean up reporting (bnc#1012382).
- sysfs: Disable lockdep for driver bind/unbind files (bnc#1012382).
- sysv: return 'err' instead of 0 in __sysv_write_inode (bnc#1012382).
- target/iscsi: avoid NULL dereference in CHAP auth error path (bsc#1117165).
- target: se_dev_attrib.emulate_pr ABI stability (bsc#1091405).
- tcp: fix NULL ref in tail loss probe (bnc#1012382).
- TC: Set DMA masks for devices (bnc#1012382).
- termios, tty/tty_baudrate.c: fix buffer overrun (bnc#1012382).
- test_hexdump: use memcpy instead of strncpy (bnc#1012382).
- tg3: Add PHY reset for 5717/5719/5720 in change ring and flow control paths (bnc#1012382).
- thermal: allow spear-thermal driver to be a module (bnc#1012382).
- thermal: allow u8500-thermal driver to be a module (bnc#1012382).
- thermal: hwmon: inline helpers when CONFIG_THERMAL_HWMON is not set (bnc#1012382).
- timekeeping: Use proper seqcount initializer (bnc#1012382).
- timer/debug: Change /proc/timer_list from 0444 to 0400 (bnc#1012382).
- tipc: fix uninit-value in tipc_nl_compat_bearer_enable (bnc#1012382).
- tipc: fix uninit-value in tipc_nl_compat_doit (bnc#1012382).
- tipc: fix uninit-value in tipc_nl_compat_link_reset_stats (bnc#1012382).
- tipc: fix uninit-value in tipc_nl_compat_link_set (bnc#1012382).
- tipc: fix uninit-value in tipc_nl_compat_name_table_dump (bnc#1012382).
- tipc: use destination length for copy string (bnc#1012382).
- tmpfs: make lseek(SEEK_DATA/SEK_HOLE) return ENXIO with a negative offset (bnc#1012382).
- tpm: fix response size validation in tpm_get_random() (bsc#1020645, git-fixes).
- tpm: suppress transmit cmd error logs when TPM 1.2 is disabled/deactivated (bnc#1012382).
- tracing: Fix bad use of igrab in trace_uprobe.c (bsc#1120046).
- tracing: Fix memory leak in set_trigger_filter() (bnc#1012382).
- tracing: Fix memory leak of instance function hash filters (bnc#1012382).
- tracing: Skip more functions when doing stack tracing of events (bnc#1012382).
- tracing/uprobes: Fix output for multiple string arguments (bnc#1012382).
- tty: check name length in tty_find_polling_driver() (bnc#1012382).
- tty: Do not block on IO when ldisc change is pending (bnc#1105428).
- tty: Do not hold ldisc lock in tty_reopen() if ldisc present (bnc#1105428).
- tty: fix data race between tty_init_dev and flush of buf (bnc#1105428).
- tty: Handle problem if line discipline does not have receive_buf (bnc#1012382).
- tty: Hold tty_ldisc_lock() during tty_reopen() (bnc#1105428).
- tty/ldsem: Add lockdep asserts for ldisc_sem (bnc#1105428).
- tty/ldsem: Convert to regular lockdep annotations (bnc#1105428).
- tty/ldsem: Decrement wait_readers on timeouted down_read() (bnc#1105428).
- tty/ldsem: Wake up readers after timed out down_write() (bnc#1012382).
- tty/n_hdlc: fix __might_sleep warning (bnc#1012382).
- tty: serial: 8250_mtk: always resume the device in probe (bnc#1012382).
- tty: serial: samsung: Properly set flags in autoCTS mode (bnc#1012382).
- tty: serial: sprd: fix error return code in sprd_probe() (bnc#1012382).
- tty: Simplify tty->count math in tty_reopen() (bnc#1105428).
- tty: wipe buffer (bnc#1012382).
- tty: wipe buffer if not echoing data (bnc#1012382).
- tun: Consistently configure generic netdev params via rtnetlink (bnc#1012382).
- tun: forbid iface creation with rtnl ops (bnc#1012382).
- uapi/if_ether.h: move __UAPI_DEF_ETHHDR libc define (bnc#1012382).
- uapi/if_ether.h: prevent redefinition of struct ethhdr (bnc#1012382).
- ucc_geth: Reset BQL queue when stopping device (bnc#1012382).
- udf: Fix BUG on corrupted inode (bnc#1012382).
- uio: ensure class is registered before devices (bnc#1012382).
- uio: Fix an Oops on load (bnc#1012382).
- uio: make symbol 'uio_class_registered' static (git-fixes).
- um: Avoid longjmp/setjmp symbol clashes with libpthread.a (bnc#1012382).
- um: Avoid marking pages with 'changed protection' (bnc#1012382).
- um: Give start_idle_thread() a return code (bnc#1012382).
- unifdef: use memcpy instead of strncpy (bnc#1012382).
- Update ibmvnic: Fix RX queue buffer cleanup (bsc#1115440, bsc#1115433).
- uprobes: Fix handle_swbp() vs. unregister() + register() race once more (bnc#1012382).
- usb: Add USB_QUIRK_DELAY_CTRL_MSG quirk for Corsair K70 RGB (bnc#1012382).
- usb: appledisplay: Add 27' Apple Cinema Display (bnc#1012382).
- usb: cdc-acm: add entry for Hiro (Conexant) modem (bnc#1012382).
- usb: cdc-acm: send ZLP for Telit 3G Intel based modems (bnc#1012382).
- usb: check usb_get_extra_descriptor for proper size (bnc#1012382).
- usb: chipidea: Prevent unbalanced IRQ disable (bnc#1012382).
- usb: core: Fix hub port connection events lost (bnc#1012382).
- usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series (bnc#1012382).
- usb: dwc2: Remove unnecessary kfree (bnc#1012382).
- usb: dwc3: omap: fix error return code in dwc3_omap_probe() (bnc#1012382).
- usb: ehci-omap: fix error return code in ehci_hcd_omap_probe() (bnc#1012382).
- usb: fix the usbfs flag sanitization for control transfers (bnc#1012382).
- usb: gadget: dummy: fix nonsensical comparisons (bnc#1012382).
- usb: gadget: storage: Fix Spectre v1 vulnerability (bnc#1012382).
- usb: gadget: udc: net2272: Fix bitwise and boolean operations (bnc#1012382).
- usb: hub: delay hub autosuspend if USB3 port is still link training (bnc#1012382).
- usb: imx21-hcd: fix error return code in imx21_probe() (bnc#1012382).
- usb: misc: appledisplay: add 20' Apple Cinema Display (bnc#1012382).
- usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2 (bnc#1012382).
- usb: omap_udc: fix crashes on probe error and module removal (bnc#1012382).
- usb: omap_udc: fix omap_udc_start() on 15xx machines (bnc#1012382).
- usb: omap_udc: fix USB gadget functionality on Palm Tungsten E (bnc#1012382).
- usb: omap_udc: use devm_request_irq() (bnc#1012382).
- usb: phy: am335x: fix race condition in _probe (bnc#1012382).
- usb: quirk: add no-LPM quirk on SanDisk Ultra Flair device (bnc#1012382).
- usb: quirks: Add delay-init quirk for Corsair K70 LUX RGB (bnc#1012382).
- usb: quirks: Add no-lpm quirk for Raydium touchscreens (bnc#1012382).
- usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable() (bnc#1012382).
- usb: serial: option: add Fibocom NL668 series (bnc#1012382).
- usb: serial: option: add Fibocom NL678 series (bnc#1012382).
- usb: serial: option: add GosunCn ZTE WeLink ME3630 (bnc#1012382).
- usb: serial: option: add HP lt4132 (bnc#1012382).
- usb: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode) (bnc#1012382).
- usb: serial: option: add Telit LN940 series (bnc#1012382).
- usb: serial: pl2303: add ids for Hewlett-Packard HP POS pole displays (bnc#1012382).
- usb: serial: pl2303: add new PID to support PL2303TB (bnc#1012382).
- usb: serial: simple: add Motorola Tetra TPG2200 device id (bnc#1012382).
- usb: storage: add quirk for SMI SM3350 (bnc#1012382).
- usb: storage: do not insert sane sense for SPC3+ when bad sense specified (bnc#1012382).
- usb-storage: fix bogus hardware error messages for ATA pass-thru devices (bnc#1012382).
- usb: usb-storage: Add new IDs to ums-realtek (bnc#1012382).
- usb: xhci: fix timeout for transition from RExit to U0 (bnc#1012382).
- usb: xhci: fix uninitialized completion when USB3 port got wrong status (bnc#1012382).
- usb: xhci: Prevent bus suspend if a port connect change or polling state is detected (bnc#1012382).
- v9fs_dir_readdir: fix double-free on p9stat_read error (bnc#1012382).
- vfs: Avoid softlockups in drop_pagecache_sb() (bsc#1118505).
- vhost: Fix Spectre V1 vulnerability (bnc#1012382).
- vhost: make sure used idx is seen before log in vhost_add_used_n() (bnc#1012382).
- vhost/scsi: truncate T10 PI iov_iter to prot_bytes (bnc#1012382).
- video: clps711x-fb: release disp device node in probe() (bnc#1012382).
- video: fbdev: pxa3xx_gcu: fix error return code in pxa3xx_gcu_probe() (bnc#1012382).
- virtio/s390: avoid race on vcdev->config (bnc#1012382).
- virtio/s390: fix race in ccw_io_helper() (bnc#1012382).
- VSOCK: Send reset control packet when socket is partially bound (bnc#1012382).
- vti6: flush x-netns xfrm cache when vti interface is removed (bnc#1012382).
- vt: invoke notifier on screen size change (bnc#1012382).
- w1: omap-hdq: fix missing bus unregister at removal (bnc#1012382).
- writeback: do not decrement wb->refcnt if !wb->bdi (git fixes (writeback)).
- x86/a.out: Clear the dump structure initially (bnc#1012382).
- x86: boot: Fix EFI stub alignment (bnc#1012382).
- x86/boot: #undef memcpy() et al in string.c (bnc#1012382).
- x86/build: Fix stack alignment for CLang (bnc#1012382).
- x86/build: Specify stack alignment for clang (bnc#1012382).
- x86/build: Use __cc-option for boot code compiler options (bnc#1012382).
- x86/build: Use cc-option to validate stack alignment parameter (bnc#1012382).
- x86/corruption-check: Fix panic in memory_corruption_check() when boot option without value is provided (bnc#1012382).
- x86/earlyprintk/efi: Fix infinite loop on some screen widths (bnc#1012382).
- x86/entry: spell EBX register correctly in documentation (bnc#1012382).
- x86/fpu: Add might_fault() to user_insn() (bnc#1012382).
- x86/kaslr: Fix incorrect i8254 outb() parameters (bnc#1012382).
- x86/kbuild: Use cc-option to enable -falign-{jumps/loops} (bnc#1012382).
- x86/kconfig: Fall back to ticket spinlocks (bnc#1012382).
- x86/MCE: Export memory_error() (bsc#1114648).
- x86/MCE: Initialize mce.bank in the case of a fatal error in mce_no_way_out() (bnc#1012382).
- x86/MCE: Make correctable error detection look at the Deferred bit (bsc#1114648).
- x86/mm/kaslr: Use the _ASM_MUL macro for multiplication to work around Clang incompatibility (bnc#1012382).
- x86/mm/pat: Prevent hang during boot when mapping pages (bnc#1012382).
- x86/mtrr: Do not copy uninitialized gentry fields back to userspace (bnc#1012382).
- x86/PCI: Fix Broadcom CNB20LE unintended sign extension (redux) (bnc#1012382).
- x86/pkeys: Properly copy pkey state at fork() (bsc#1106105).
- x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls (bnc#1012382).
- x86: respect memory size limiting via mem= parameter (bsc#1117645).
- x86/speculation/l1tf: Drop the swap storage limit restriction when l1tf=off (bnc#1114871).
- x86/speculation: Use synthetic bits for IBRS/IBPB/STIBP (bnc#1012382).
- x86/xen: dont add memory above max allowed allocation (bsc#1117645).
- xen/balloon: Support xend-based toolstack (bnc#1065600).
- xen/blkfront: avoid NULL blkfront_info dereference on device removal (bsc#1111062).
- xen: fix race in xen_qlock_wait() (bnc#1012382).
- xen: fix xen_qlock_wait() (bnc#1012382).
- xen: make xen_qlock_wait() nestable (bnc#1012382).
- xen/netback: dont overflow meta array (bnc#1099523).
- xen/netfront: tolerate frags with no data (bnc#1012382).
- xen-swiotlb: use actually allocated size on check physical continuous (bnc#1012382).
- xen/x86: add diagnostic printout to xen_mc_flush() in case of error (bnc#1116183).
- xen: xlate_mmu: add missing header to fix 'W=1' warning (bnc#1012382).
- xfrm6: call kfree_skb when skb is toobig (bnc#1012382).
- xfrm6_tunnel: Fix spi check in __xfrm6_tunnel_alloc_spi (bnc#1012382).
- xfrm: Clear sk_dst_cache when applying per-socket policy (bnc#1012382).
- xfrm: Fix bucket count reported to userspace (bnc#1012382).
- xfrm: use complete IPv6 addresses for hash (bsc#1109330).
- xfrm: Validate address prefix lengths in the xfrm selector (bnc#1012382).
- xfrm: validate template mode (bnc#1012382).
- xfs: Align compat attrlist_by_handle with native implementation (git-fixes).
- xfs/dmapi: restore event in xfs_getbmap (bsc#1114763).
- xfs: Fix error code in 'xfs_ioc_getbmap()' (git-fixes).
- xfs: fix quotacheck dquot id overflow infinite loop (bsc#1121621).
- xhci: Add quirk to workaround the errata seen on Cavium Thunder-X2 Soc (bsc#1117162).
- xhci: Do not prevent USB2 bus suspend in state check intended for USB3 only (bnc#1012382).
- xhci: Prevent U1/U2 link pm states if exit latency is too long (bnc#1012382).
- xprtrdma: checking for NULL instead of IS_ERR() (git-fixes).
- xprtrdma: Disable pad optimization by default (git-fixes).
- xprtrdma: Disable RPC/RDMA backchannel debugging messages (git-fixes).
- xprtrdma: Fix additional uses of spin_lock_irqsave(rb_lock) (git-fixes).
- xprtrdma: Fix backchannel allocation of extra rpcrdma_reps (git-fixes).
- xprtrdma: Fix Read chunk padding (git-fixes).
- xprtrdma: Fix receive buffer accounting (git-fixes).
- xprtrdma: Reset credit grant properly after a disconnect (git-fixes).
- xprtrdma: rpcrdma_bc_receive_call() should init rq_private_buf.len (git-fixes).
- xprtrdma: Serialize credit accounting again (git-fixes).
- xprtrdma: xprt_rdma_free() must not release backchannel reqs (git-fixes).
- xtensa: add NOTES section to the linker script (bnc#1012382).
- xtensa: enable coprocessors that are being flushed (bnc#1012382).
- xtensa: fix boot parameters address translation (bnc#1012382).
- xtensa: fix coprocessor context offset definitions (bnc#1012382).
- xtensa: make sure bFLT stack is 16 byte aligned (bnc#1012382).
- yama: Check for pid death before checking ancestry (bnc#1012382).
- zram: close udev startup race condition as default groups (bnc#1012382).
- xfrm: refine validation of template and selector families (bnc#1012382).
ImportantSUSE bug 1012382SUSE bug 1015336SUSE bug 1015337SUSE bug 1015340SUSE bug 1019683SUSE bug 1019695SUSE bug 1020413SUSE bug 1020645SUSE bug 1023175SUSE bug 1027260SUSE bug 1027457SUSE bug 1031492SUSE bug 1042286SUSE bug 1043083SUSE bug 1046264SUSE bug 1047487SUSE bug 1048916SUSE bug 1050549SUSE bug 1065600SUSE bug 1066223SUSE bug 1068032SUSE bug 1070805SUSE bug 1078355SUSE bug 1079935SUSE bug 1086095SUSE bug 1086423SUSE bug 1086652SUSE bug 1091405SUSE bug 1093158SUSE bug 1094244SUSE bug 1094823SUSE bug 1094973SUSE bug 1096242SUSE bug 1096281SUSE bug 1099523SUSE bug 1099810SUSE bug 1100105SUSE bug 1101557SUSE bug 1102439SUSE bug 1102660SUSE bug 1102875SUSE bug 1102877SUSE bug 1102879SUSE bug 1102882SUSE bug 1102896SUSE bug 1103097SUSE bug 1103156SUSE bug 1103257SUSE bug 1103624SUSE bug 1104098SUSE bug 1104731SUSE bug 1105428SUSE bug 1106061SUSE bug 1106105SUSE bug 1106237SUSE bug 1106240SUSE bug 1106929SUSE bug 1107385SUSE bug 1107866SUSE bug 1108145SUSE bug 1108240SUSE bug 1109272SUSE bug 1109330SUSE bug 1109695SUSE bug 1109806SUSE bug 1110286SUSE bug 1111062SUSE bug 1111174SUSE bug 1111809SUSE bug 1112246SUSE bug 1112963SUSE bug 1113412SUSE bug 1113766SUSE bug 1114190SUSE bug 1114417SUSE bug 1114475SUSE bug 1114648SUSE bug 1114763SUSE bug 1114839SUSE bug 1114871SUSE bug 1114893SUSE bug 1115431SUSE bug 1115433SUSE bug 1115440SUSE bug 1115482SUSE bug 1115709SUSE bug 1116027SUSE bug 1116183SUSE bug 1116285SUSE bug 1116336SUSE bug 1116345SUSE bug 1116497SUSE bug 1116653SUSE bug 1116841SUSE bug 1116924SUSE bug 1116950SUSE bug 1116962SUSE bug 1117108SUSE bug 1117162SUSE bug 1117165SUSE bug 1117186SUSE bug 1117562SUSE bug 1117645SUSE bug 1117744SUSE bug 1118152SUSE bug 1118316SUSE bug 1118319SUSE bug 1118505SUSE bug 1118790SUSE bug 1118798SUSE bug 1118915SUSE bug 1118922SUSE bug 1118926SUSE bug 1118930SUSE bug 1118936SUSE bug 1119204SUSE bug 1119680SUSE bug 1119714SUSE bug 1119877SUSE bug 1119946SUSE bug 1119967SUSE bug 1119970SUSE bug 1120017SUSE bug 1120046SUSE bug 1120722SUSE bug 1120743SUSE bug 1120758SUSE bug 1120902SUSE bug 1120950SUSE bug 1121239SUSE bug 1121240SUSE bug 1121241SUSE bug 1121242SUSE bug 1121275SUSE bug 1121621SUSE bug 1121726SUSE bug 1122650SUSE bug 1122651SUSE bug 1122779SUSE bug 1122885SUSE bug 1123321SUSE bug 1123323SUSE bug 1123357SUSE bug 1123933SUSE bug 1124166SUSE bug 1124728SUSE bug 1124732SUSE bug 1124735SUSE bug 1124775SUSE bug 1124777SUSE bug 1124780SUSE bug 1124811SUSE bug 1125000SUSE bug 1125014SUSE bug 1125446SUSE bug 1125794SUSE bug 1125796SUSE bug 1125808SUSE bug 1125809SUSE bug 1125810SUSE bug 1125892SUSE bug 985031CVE-2018-1120 at SUSECVE-2018-1120 at NVDCVE-2018-16862 at SUSECVE-2018-16862 at NVDCVE-2018-16884 at SUSECVE-2018-16884 at NVDCVE-2018-19407 at SUSECVE-2018-19407 at NVDCVE-2018-19824 at SUSECVE-2018-19824 at NVDCVE-2018-19985 at SUSECVE-2018-19985 at NVDCVE-2018-20169 at SUSECVE-2018-20169 at NVDCVE-2018-5391 at SUSECVE-2018-5391 at NVDCVE-2018-9568 at SUSECVE-2018-9568 at NVDCVE-2019-3459 at SUSECVE-2019-3459 at NVDCVE-2019-3460 at SUSECVE-2019-3460 at NVDCVE-2019-6974 at SUSECVE-2019-6974 at NVDCVE-2019-7221 at SUSECVE-2019-7221 at NVDCVE-2019-7222 at SUSECVE-2019-7222 at NVDcpe:/o:suse:sles:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3
This update for java-1_8_0-openjdk to version 8u191 fixes the following issues:
Security issues fixed:
- CVE-2018-3136: Manifest better support (bsc#1112142)
- CVE-2018-3139: Better HTTP Redirection (bsc#1112143)
- CVE-2018-3149: Enhance JNDI lookups (bsc#1112144)
- CVE-2018-3169: Improve field accesses (bsc#1112146)
- CVE-2018-3180: Improve TLS connections stability (bsc#1112147)
- CVE-2018-3214: Better RIFF reading support (bsc#1112152)
- CVE-2018-13785: Upgrade JDK 8u to libpng 1.6.35 (bsc#1112153)
- CVE-2018-3183: Improve script engine support (bsc#1112148)
- CVE-2018-16435: heap-based buffer overflow in SetData function in cmsIT8LoadFromFile
ImportantSUSE bug 1112142SUSE bug 1112143SUSE bug 1112144SUSE bug 1112146SUSE bug 1112147SUSE bug 1112148SUSE bug 1112152SUSE bug 1112153CVE-2018-13785 at SUSECVE-2018-13785 at NVDCVE-2018-16435 at SUSECVE-2018-16435 at NVDCVE-2018-3136 at SUSECVE-2018-3136 at NVDCVE-2018-3139 at SUSECVE-2018-3139 at NVDCVE-2018-3149 at SUSECVE-2018-3149 at NVDCVE-2018-3169 at SUSECVE-2018-3169 at NVDCVE-2018-3180 at SUSECVE-2018-3180 at NVDCVE-2018-3183 at SUSECVE-2018-3183 at NVDCVE-2018-3214 at SUSECVE-2018-3214 at NVDcpe:/o:suse:sles:12:sp3Security update for ovmf (Important)SUSE Linux Enterprise Server 12 SP3
This update for ovmf fixes the following issues:
Security issues fixed:
- CVE-2018-12180: Fixed a buffer overflow in BlockIo service, which could lead
to memory read/write overrun (bsc#1127820).
- CVE-2018-12178: Fixed an improper DNS check upon receiving a new DNS packet (bsc#1127821).
- CVE-2018-3630: Fixed a logic error in FV parsing which could allow a local attacker to
bypass the chain of trust checks (bsc#1127822).
ImportantSUSE bug 1127820SUSE bug 1127821SUSE bug 1127822CVE-2018-12178 at SUSECVE-2018-12178 at NVDCVE-2018-12180 at SUSECVE-2018-12180 at NVDCVE-2018-3630 at SUSECVE-2018-3630 at NVDcpe:/o:suse:sles:12:sp3Security update for qemu (Important)SUSE Linux Enterprise Server 12 SP3
This update for qemu fixes the following issues:
Security vulnerabilities addressed:
- CVE-2019-6778: Fixed an out-of-bounds access in slirp (bsc#1123156)
- CVE-2018-16872: Fixed a host security vulnerability related to handling symlinks in usb-mtp (bsc#1119493)
- CVE-2018-19489: Fixed a Denial-of-Service in virtfs (bsc#1117275)
- CVE-2018-19364: Fixed an use-after-free vulnerability if virtfs interface is deliberately abused (bsc#1116717)
- CVE-2018-18954: Fixed an out-of-bounds access performing PowerNV memory operations (bsc#1114957)
- CVE-2017-13673: Fixed a reachable assert failure during during display update (bsc#1056386)
- CVE-2017-13672: Fixed an out-of-bounds read access during display update (bsc#1056334)
- CVE-2018-7858: Fixed an out-of-bounds access in cirrus when updating vga display allowing for Denial-of-Service (bsc#1084604)
Other bug fixes and changes:
- Fix pwrite64/pread64/write to return 0 over -1 for a zero length NULL buffer in qemu (bsc#1121600)
- Fix bad guest time after migration (bsc#1113231)
ImportantSUSE bug 1056334SUSE bug 1056386SUSE bug 1084604SUSE bug 1113231SUSE bug 1114957SUSE bug 1116717SUSE bug 1117275SUSE bug 1119493SUSE bug 1121600SUSE bug 1123156CVE-2017-13672 at SUSECVE-2017-13672 at NVDCVE-2017-13673 at SUSECVE-2017-13673 at NVDCVE-2018-16872 at SUSECVE-2018-16872 at NVDCVE-2018-18954 at SUSECVE-2018-18954 at NVDCVE-2018-19364 at SUSECVE-2018-19364 at NVDCVE-2018-19489 at SUSECVE-2018-19489 at NVDCVE-2018-7858 at SUSECVE-2018-7858 at NVDCVE-2019-6778 at SUSECVE-2019-6778 at NVDcpe:/o:suse:sles:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3
This update for webkit2gtk3 to version 2.22.4 fixes the following issues:
Security issues fixed:
CVE-2018-4191, CVE-2018-4197, CVE-2018-4299, CVE-2018-4306, CVE-2018-4309, CVE-2018-4392,
CVE-2018-4312, CVE-2018-4314, CVE-2018-4315, CVE-2018-4316, CVE-2018-4317, CVE-2018-4318,
CVE-2018-4319, CVE-2018-4323, CVE-2018-4328, CVE-2018-4358, CVE-2018-4359, CVE-2018-4361,
CVE-2018-4345, CVE-2018-4372, CVE-2018-4373, CVE-2018-4375, CVE-2018-4376, CVE-2018-4416,
CVE-2018-4378, CVE-2018-4382, CVE-2018-4386 (bsc#1110279, bsc#1116998).
ImportantSUSE bug 1110279SUSE bug 1116998CVE-2018-4191 at SUSECVE-2018-4191 at NVDCVE-2018-4197 at SUSECVE-2018-4197 at NVDCVE-2018-4207 at SUSECVE-2018-4207 at NVDCVE-2018-4208 at SUSECVE-2018-4208 at NVDCVE-2018-4209 at SUSECVE-2018-4209 at NVDCVE-2018-4210 at SUSECVE-2018-4210 at NVDCVE-2018-4212 at SUSECVE-2018-4212 at NVDCVE-2018-4213 at SUSECVE-2018-4213 at NVDCVE-2018-4261 at SUSECVE-2018-4261 at NVDCVE-2018-4262 at SUSECVE-2018-4262 at NVDCVE-2018-4263 at SUSECVE-2018-4263 at NVDCVE-2018-4264 at SUSECVE-2018-4264 at NVDCVE-2018-4265 at SUSECVE-2018-4265 at NVDCVE-2018-4266 at SUSECVE-2018-4266 at NVDCVE-2018-4267 at SUSECVE-2018-4267 at NVDCVE-2018-4270 at SUSECVE-2018-4270 at NVDCVE-2018-4272 at SUSECVE-2018-4272 at NVDCVE-2018-4273 at SUSECVE-2018-4273 at NVDCVE-2018-4278 at SUSECVE-2018-4278 at NVDCVE-2018-4284 at SUSECVE-2018-4284 at NVDCVE-2018-4299 at SUSECVE-2018-4299 at NVDCVE-2018-4306 at SUSECVE-2018-4306 at NVDCVE-2018-4309 at SUSECVE-2018-4309 at NVDCVE-2018-4312 at SUSECVE-2018-4312 at NVDCVE-2018-4314 at SUSECVE-2018-4314 at NVDCVE-2018-4315 at SUSECVE-2018-4315 at NVDCVE-2018-4316 at SUSECVE-2018-4316 at NVDCVE-2018-4317 at SUSECVE-2018-4317 at NVDCVE-2018-4318 at SUSECVE-2018-4318 at NVDCVE-2018-4319 at SUSECVE-2018-4319 at NVDCVE-2018-4323 at SUSECVE-2018-4323 at NVDCVE-2018-4328 at SUSECVE-2018-4328 at NVDCVE-2018-4345 at SUSECVE-2018-4345 at NVDCVE-2018-4358 at SUSECVE-2018-4358 at NVDCVE-2018-4359 at SUSECVE-2018-4359 at NVDCVE-2018-4361 at SUSECVE-2018-4361 at NVDCVE-2018-4372 at SUSECVE-2018-4372 at NVDCVE-2018-4373 at SUSECVE-2018-4373 at NVDCVE-2018-4375 at SUSECVE-2018-4375 at NVDCVE-2018-4376 at SUSECVE-2018-4376 at NVDCVE-2018-4378 at SUSECVE-2018-4378 at NVDCVE-2018-4382 at SUSECVE-2018-4382 at NVDCVE-2018-4386 at SUSECVE-2018-4386 at NVDCVE-2018-4392 at SUSECVE-2018-4392 at NVDCVE-2018-4416 at SUSECVE-2018-4416 at NVDcpe:/o:suse:sles:12:sp3Security update for LibVNCServer (Important)SUSE Linux Enterprise Server 12 SP3
This update for LibVNCServer fixes the following issues:
Security issues fixed:
- CVE-2018-15126: Fixed use-after-free in file transfer extension (bsc#1120114)
- CVE-2018-6307: Fixed use-after-free in file transfer extension server code (bsc#1120115)
- CVE-2018-20020: Fixed heap out-of-bound write inside structure in VNC client code (bsc#1120116)
- CVE-2018-15127: Fixed heap out-of-bounds write in rfbserver.c (bsc#1120117)
- CVE-2018-20019: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1120118)
- CVE-2018-20023: Fixed information disclosure through improper initialization in VNC Repeater client code (bsc#1120119)
- CVE-2018-20022: Fixed information disclosure through improper initialization in VNC client code (bsc#1120120)
- CVE-2018-20024: Fixed NULL pointer dereference in VNC client code (bsc#1120121)
- CVE-2018-20021: Fixed infinite loop in VNC client code (bsc#1120122)
ImportantSUSE bug 1120114SUSE bug 1120115SUSE bug 1120116SUSE bug 1120117SUSE bug 1120118SUSE bug 1120119SUSE bug 1120120SUSE bug 1120121SUSE bug 1120122CVE-2018-15126 at SUSECVE-2018-15126 at NVDCVE-2018-15127 at SUSECVE-2018-15127 at NVDCVE-2018-20019 at SUSECVE-2018-20019 at NVDCVE-2018-20020 at SUSECVE-2018-20020 at NVDCVE-2018-20021 at SUSECVE-2018-20021 at NVDCVE-2018-20022 at SUSECVE-2018-20022 at NVDCVE-2018-20023 at SUSECVE-2018-20023 at NVDCVE-2018-20024 at SUSECVE-2018-20024 at NVDCVE-2018-6307 at SUSECVE-2018-6307 at NVDcpe:/o:suse:sles:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3
This update for java-1_7_1-ibm to version 7.1.4.40 fixes the following issues:
Security issues fixed:
- CVE-2019-2422: Fixed a memory disclosure in FileChannelImpl (bsc#1122293).
- CVE-2018-11212: Fixed an issue in alloc_sarray function in jmemmgr.c (bsc#1122299).
More information: https://developer.ibm.com/javasdk/support/security-vulnerabilities/#IBM_Security_Update_February_2019
ImportantSUSE bug 1122293SUSE bug 1122299CVE-2018-11212 at SUSECVE-2018-11212 at NVDCVE-2019-2422 at SUSECVE-2019-2422 at NVDcpe:/o:suse:sles:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3
This update for java-1_8_0-ibm to version 8.0.5.30 fixes the following issues:
Security issues fixed:
- CVE-2019-2422: Fixed a memory disclosure in FileChannelImpl (bsc#1122293).
- CVE-2018-11212: Fixed an issue in alloc_sarray function in jmemmgr.c (bsc#1122299).
- CVE-2018-1890: Fixed a local privilege escalation via RPATHs (bsc#1128158).
- CVE-2019-2449: Fixed a vulnerabilit which could allow remote atackers to delete arbitrary files (bsc#1122292).
More information: https://www-01.ibm.com/support/docview.wss?uid=ibm10873332
ImportantSUSE bug 1122292SUSE bug 1122293SUSE bug 1122299SUSE bug 1128158CVE-2018-11212 at SUSECVE-2018-11212 at NVDCVE-2018-1890 at SUSECVE-2018-1890 at NVDCVE-2019-2422 at SUSECVE-2019-2422 at NVDCVE-2019-2449 at SUSECVE-2019-2449 at NVDcpe:/o:suse:sles:12:sp3Security update for lftp (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for lftp fixes the following issues:
Security issue fixed:
- CVE-2018-10916: Fixed an improper file name sanitization which could lead to loss of integrity of
the local system (bsc#1103367).
Other issue addressed:
- The SSH login handling code detects password prompts more reliably (bsc#1120946).
ModerateSUSE bug 1103367SUSE bug 1120946CVE-2018-10916 at SUSECVE-2018-10916 at NVDcpe:/o:suse:sles:12:sp3Security update for libssh2_org (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for libssh2_org fixes the following issues:
Security issues fixed:
- CVE-2019-3861: Fixed Out-of-bounds reads with specially crafted SSH packets (bsc#1128490).
- CVE-2019-3862: Fixed Out-of-bounds memory comparison with specially crafted message channel request packet (bsc#1128492).
- CVE-2019-3860: Fixed Out-of-bounds reads with specially crafted SFTP packets (bsc#1128481).
- CVE-2019-3863: Fixed an Integer overflow in user authenticate keyboard interactive which could allow out-of-bounds writes
with specially crafted keyboard responses (bsc#1128493).
- CVE-2019-3856: Fixed a potential Integer overflow in keyboard interactive handling which could allow out-of-bounds write
with specially crafted payload (bsc#1128472).
- CVE-2019-3859: Fixed Out-of-bounds reads with specially crafted payloads due to unchecked use of _libssh2_packet_require
and _libssh2_packet_requirev (bsc#1128480).
- CVE-2019-3855: Fixed a potential Integer overflow in transport read which could allow out-of-bounds write with specially
crafted payload (bsc#1128471).
- CVE-2019-3858: Fixed a potential zero-byte allocation which could lead to an out-of-bounds read with a specially crafted
SFTP packet (bsc#1128476).
- CVE-2019-3857: Fixed a potential Integer overflow which could lead to zero-byte allocation and out-of-bounds with specially
crafted message channel request SSH packet (bsc#1128474).
Other issue addressed:
- Libbssh2 will stop using keys unsupported types in the known_hosts file (bsc#1091236).
ModerateSUSE bug 1091236SUSE bug 1128471SUSE bug 1128472SUSE bug 1128474SUSE bug 1128476SUSE bug 1128480SUSE bug 1128481SUSE bug 1128490SUSE bug 1128492SUSE bug 1128493CVE-2019-3855 at SUSECVE-2019-3855 at NVDCVE-2019-3856 at SUSECVE-2019-3856 at NVDCVE-2019-3857 at SUSECVE-2019-3857 at NVDCVE-2019-3858 at SUSECVE-2019-3858 at NVDCVE-2019-3859 at SUSECVE-2019-3859 at NVDCVE-2019-3860 at SUSECVE-2019-3860 at NVDCVE-2019-3861 at SUSECVE-2019-3861 at NVDCVE-2019-3862 at SUSECVE-2019-3862 at NVDCVE-2019-3863 at SUSECVE-2019-3863 at NVDcpe:/o:suse:sles:12:sp3Security update for openwsman (Important)SUSE Linux Enterprise Server 12 SP3
This update for openwsman fixes the following issues:
Security issues fixed:
- CVE-2019-3816: Fixed a vulnerability in openwsmand deamon which could lead to arbitary file disclosure (bsc#1122623).
- CVE-2019-3833: Fixed a vulnerability in process_connection() which could allow an attacker to trigger an infinite
loop which leads to Denial of Service (bsc#1122623).
ImportantSUSE bug 1122623CVE-2019-3816 at SUSECVE-2019-3816 at NVDCVE-2019-3833 at SUSECVE-2019-3833 at NVDcpe:/o:suse:sles:12:sp3Security update for wireshark (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for wireshark to version 2.4.13 fixes the following issues:
Security issues fixed:
- CVE-2019-9214: Avoided a dereference of a null coversation which could make RPCAP
dissector crash (bsc#1127367).
- CVE-2019-9209: Fixed a buffer overflow in time values which could make ASN.1 BER
and related dissectors crash (bsc#1127369).
- CVE-2019-9208: Fixed a null pointer dereference which could make TCAP dissector
crash (bsc#1127370).
Release notes: https://www.wireshark.org/docs/relnotes/wireshark-2.4.13.html
ModerateSUSE bug 1127367SUSE bug 1127369SUSE bug 1127370CVE-2019-9208 at SUSECVE-2019-9208 at NVDCVE-2019-9209 at SUSECVE-2019-9209 at NVDCVE-2019-9214 at SUSECVE-2019-9214 at NVDcpe:/o:suse:sles:12:sp3Security update for ghostscript (Important)SUSE Linux Enterprise Server 12 SP3
This update for ghostscript fixes the following issue:
Security issue fixed:
- CVE-2019-3838: Fixed a vulnerability which made forceput operator in DefineResource to be still accessible
which could allow access to file system outside of the constraints of -dSAFER (bsc#1129186).
ImportantSUSE bug 1129186CVE-2019-3838 at SUSECVE-2019-3838 at NVDcpe:/o:suse:sles:12:sp3Security update for ucode-intel (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ucode-intel fixes the following issues:
Updated to the 20190312 bundle release (bsc#1129231)
New Platforms:
- AML-Y22 H0 6-8e-9/10 0000009e Core Gen8 Mobile
- WHL-U W0 6-8e-b/d0 000000a4 Core Gen8 Mobile
- WHL-U V0 6-8e-d/94 000000b2 Core Gen8 Mobile
- CFL-S P0 6-9e-c/22 000000a2 Core Gen9 Desktop
- CFL-H R0 6-9e-d/22 000000b0 Core Gen9 Mobile
Updated Platforms:
- HSX-E/EP Cx/M1 6-3f-2/6f 0000003d->00000041 Core Gen4 X series; Xeon E5 v3
- HSX-EX E0 6-3f-4/80 00000012->00000013 Xeon E7 v3
- SKX-SP H0/M0/U0 6-55-4/b7 0200004d->0000005a Xeon Scalable
- SKX-D M1 6-55-4/b7 0200004d->0000005a Xeon D-21xx
- BDX-DE V1 6-56-2/10 00000017->00000019 Xeon D-1520/40
- BDX-DE V2/3 6-56-3/10 07000013->07000016 Xeon D-1518/19/21/27/28/31/33/37/41/48, Pentium D1507/08/09/17/19
- BDX-DE Y0 6-56-4/10 0f000012->0f000014 Xeon D-1557/59/67/71/77/81/87
- BDX-NS A0 6-56-5/10 0e00000a->0e00000c Xeon D-1513N/23/33/43/53
- APL D0 6-5c-9/03 00000032->00000036 Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
- APL E0 6-5c-a/03 0000000c->00000010 Atom x5/7-E39xx
- GLK B0 6-7a-1/01 00000028->0000002c Pentium Silver N/J5xxx, Celeron N/J4xxx
- KBL-U/Y H0 6-8e-9/c0 0000008e->0000009a Core Gen7 Mobile
- CFL-U43e D0 6-8e-a/c0 00000096->0000009e Core Gen8 Mobile
- KBL-H/S/E3 B0 6-9e-9/2a 0000008e->0000009a Core Gen7; Xeon E3 v6
- CFL-H/S/E3 U0 6-9e-a/22 00000096->000000aa Core Gen8 Desktop, Mobile, Xeon E
- CFL-S B0 6-9e-b/02 0000008e->000000aa Core Gen8
ModerateSUSE bug 1129231cpe:/o:suse:sles:12:sp3Security update for ovmf (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ovmf fixes the following issue:
Security issue fixed:
- CVE-2018-12181: Fixed a stack buffer overflow in the HII database when a corrupted Bitmap was used (bsc#1128503).
ModerateSUSE bug 1128503CVE-2018-12181 at SUSECVE-2018-12181 at NVDcpe:/o:suse:sles:12:sp3Security update for gd (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for gd fixes the following issues:
Security issues fixed:
- CVE-2019-6977: Fixed a heap-based buffer overflow the GD Graphics Library used in the imagecolormatch function (bsc#1123361).
- CVE-2019-6978: Fixed a double free in the gdImage*Ptr() functions (bsc#1123522).
ModerateSUSE bug 1123361SUSE bug 1123522CVE-2019-6977 at SUSECVE-2019-6977 at NVDCVE-2019-6978 at SUSECVE-2019-6978 at NVDcpe:/o:suse:sles:12:sp3Security update for w3m (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for w3m fixes several issues.
These security issues were fixed:
- CVE-2018-6196: Prevent infinite recursion in HTMLlineproc0 caused by the feed_table_block_tag function which did not prevent a negative indent value (bsc#1077559)
- CVE-2018-6197: Prevent NULL pointer dereference in formUpdateBuffer (bsc#1077568)
- CVE-2018-6198: w3m did not properly handle temporary files when the ~/.w3m directory is unwritable, which allowed a local attacker to craft a symlink attack to overwrite arbitrary files (bsc#1077572)
ModerateSUSE bug 1077559SUSE bug 1077568SUSE bug 1077572CVE-2018-6196 at SUSECVE-2018-6196 at NVDCVE-2018-6197 at SUSECVE-2018-6197 at NVDCVE-2018-6198 at SUSECVE-2018-6198 at NVDcpe:/o:suse:sles:12:sp3Security update for ntp (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for ntp fixes the following issues:
Security issue fixed:
- CVE-2019-8936: Fixed a null pointer exception which could allow an authenticated attcker to cause
segmentation fault to ntpd (bsc#1128525).
Other isses addressed:
- Fixed an issue which caused openSSL mismatch (bsc#1125401)
- Fixed several bugs in the BANCOMM reclock driver.
- Fixed ntp_loopfilter.c snprintf compilation warnings.
- Fixed spurious initgroups() error message.
- Fixed STA_NANO struct timex units.
- Fixed GPS week rollover in libparse.
- Fixed incorrect poll interval in packet.
- Added a missing check for ENABLE_CMAC.
ModerateSUSE bug 1125401SUSE bug 1128525CVE-2019-8936 at SUSECVE-2019-8936 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3
The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.176 to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2019-9213: expand_downwards in mm/mmap.c lacked a check for the mmap minimum address, which made it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task (bnc#1128166).
- CVE-2019-2024: A use-after-free when disconnecting a source was fixed which could lead to crashes. bnc#1129179).
The following non-security bugs were fixed:
- ax25: fix possible use-after-free (bnc#1012382).
- block_dev: fix crash on chained bios with O_DIRECT (bsc#1090435).
- block: do not use bio->bi_vcnt to figure out segment number (bsc#1128893).
- bnxt_re: Fix couple of memory leaks that could lead to IOMMU call traces (bsc#1020413).
- bpf: fix replace_map_fd_with_map_ptr's ldimm64 second imm field (bsc#1012382).
- btrfs: ensure that a DUP or RAID1 block group has exactly two stripes (bsc#1128452).
- ceph: avoid repeatedly adding inode to mdsc->snap_flush_list (bsc#1126773).
- ch: add missing mutex_lock()/mutex_unlock() in ch_release() (bsc#1124235).
- ch: fixup refcounting imbalance for SCSI devices (bsc#1124235).
- copy_mount_string: Limit string length to PATH_MAX (bsc#1082943).
- device property: Fix the length used in PROPERTY_ENTRY_STRING() (bsc#1129770).
- drivers: hv: vmbus: Check for ring when getting debug info (bsc#1126389).
- drm: Fix error handling in drm_legacy_addctx (bsc#1106929)
- drm/nouveau/bios/ramcfg: fix missing parentheses when calculating RON (bsc#1106929)
- drm/nouveau/pmu: do not print reply values if exec is false (bsc#1106929)
- drm/radeon/evergreen_cs: fix missing break in switch statement (bsc#1106929)
- drm/vmwgfx: Do not double-free the mode stored in par->set_mode (bsc#1103429)
- enic: add wq clean up budget (bsc#1075697, bsc#1120691. bsc#1102959).
- enic: do not overwrite error code (bnc#1012382).
- fbdev: chipsfb: remove set but not used variable 'size' (bsc#1106929)
- ibmvnic: Report actual backing device speed and duplex values (bsc#1129923).
- ibmvscsi: Fix empty event pool access during host removal (bsc#1119019).
- input: mms114 - fix license module information (bsc#1087092).
- iommu/dmar: Fix buffer overflow during PCI bus notification (bsc#1129237).
- iommu/io-pgtable-arm-v7s: Only kmemleak_ignore L2 tables (bsc#1129238).
- iommu/vt-d: Check identity map for hot-added devices (bsc#1129239).
- iommu/vt-d: Fix NULL pointer reference in intel_svm_bind_mm() (bsc#1129240).
- ixgbe: fix crash in build_skb Rx code path (git-fixes).
- kabi: protect struct inet_peer (kabi).
- kallsyms: Handle too long symbols in kallsyms.c (bsc#1126805).
- KMPs: obsolete older KMPs of the same flavour (bsc#1127155, bsc#1109137).
- kvm: arm/arm64: vgic-its: Check CBASER/BASER validity before enabling the ITS (bsc#1109248).
- kvm: arm/arm64: vgic-its: Check GITS_BASER Valid bit before saving tables (bsc#1109248).
- kvm: arm/arm64: vgic-its: Fix return value for device table restore (bsc#1109248).
- kvm: arm/arm64: vgic-its: Fix vgic_its_restore_collection_table returned value (bsc#1109248).
- kvm: nVMX: Do not halt vcpu when L1 is injecting events to L2 (bsc#1129413).
- kvm: nVMX: Free the VMREAD/VMWRITE bitmaps if alloc_kvm_area() fails (bsc#1129414).
- kvm: nVMX: NMI-window and interrupt-window exiting should wake L2 from HLT (bsc#1129415).
- kvm: nVMX: Set VM instruction error for VMPTRLD of unbacked page (bsc#1129416).
- kvm: VMX: Do not allow reexecute_instruction() when skipping MMIO instr (bsc#1129417).
- kvm: vmx: Set IA32_TSC_AUX for legacy mode guests (bsc#1129418).
- kvm: x86: Add AMD's EX_CFG to the list of ignored MSRs (bsc#1127082).
- kvm: x86: IA32_ARCH_CAPABILITIES is always supported (bsc#1129419).
- libceph: handle an empty authorize reply (bsc#1126772).
- mdio_bus: Fix use-after-free on device_register fails (git-fixes).
- mfd: as3722: Handle interrupts on suspend (bnc#1012382).
- mfd: as3722: Mark PM functions as __maybe_unused (bnc#1012382).
- mISDN: fix a race in dev_expire_timer() (bnc#1012382).
- mlxsw: pci: Correctly determine if descriptor queue is full (git-fixes).
- mlxsw: reg: Use correct offset in field definiton (git-fixes).
- mm, devm_memremap_pages: mark devm_memremap_pages() EXPORT_SYMBOL_GPL (bnc#1012382).
- mm,memory_hotplug: fix scan_movable_pages() for gigantic hugepages (bsc#1127731).
- net: Add header for usage of fls64() (bnc#1012382).
- net: Do not allocate page fragments that are not skb aligned (bnc#1012382).
- net: dsa: bcm_sf2: Do not assume DSA master supports WoL (git-fixes).
- net: dsa: mv88e6xxx: fix port VLAN maps (git-fixes).
- net: Fix for_each_netdev_feature on Big endian (bnc#1012382).
- net: fix IPv6 prefix route residue (bnc#1012382).
- net/hamradio/6pack: Convert timers to use timer_setup() (git-fixes).
- net/hamradio/6pack: use mod_timer() to rearm timers (git-fixes).
- net: ipv4: use a dedicated counter for icmp_v4 redirect packets (bnc#1012382).
- net: lan78xx: Fix race in tx pending skb size calculation (git-fixes).
- net/mlx4_core: drop useless LIST_HEAD (git-fixes).
- net/mlx4_core: Fix qp mtt size calculation (git-fixes).
- net/mlx4_core: Fix reset flow when in command polling mode (git-fixes).
- net/mlx4: Fix endianness issue in qp context params (git-fixes).
- net/mlx5: Continue driver initialization despite debugfs failure (git-fixes).
- net/mlx5e: Fix TCP checksum in LRO buffers (git-fixes).
- net/mlx5: Fix driver load bad flow when having fw initializing timeout (git-fixes).
- net/mlx5: fix uaccess beyond 'count' in debugfs read/write handlers (git-fixes).
- net/mlx5: Fix use-after-free in self-healing flow (git-fixes).
- net/mlx5: Return success for PAGE_FAULT_RESUME in internal error state (git-fixes).
- net: mv643xx_eth: fix packet corruption with TSO and tiny unaligned packets (git-fixes).
- net: phy: Avoid polling PHY with PHY_IGNORE_INTERRUPTS (git-fixes).
- net: phy: bcm7xxx: Fix shadow mode 2 disabling (git-fixes).
- net: qca_spi: Fix race condition in spi transfers (git-fixes).
- net: stmmac: Fix a race in EEE enable callback (bnc#1012382).
- net: stmmac: Fix a race in EEE enable callback (git-fixes).
- net: thunderx: set tso_hdrs pointer to NULL in nicvf_free_snd_queue (git-fixes).
- net/x25: do not hold the cpu too long in x25_new_lci() (bnc#1012382).
- PCI/PME: Fix hotplug/sysfs remove deadlock in pcie_pme_remove() (bsc#1129241).
- perf/x86: Add sysfs entry to freeze counters on SMI (bsc#1121805).
- perf/x86/intel: Delay memory deallocation until x86_pmu_dead_cpu() (bsc#1121805).
- perf/x86/intel: Do not enable freeze-on-smi for PerfMon V1 (bsc#1121805).
- perf/x86/intel: Fix memory corruption (bsc#1121805).
- perf/x86/intel: Generalize dynamic constraint creation (bsc#1121805).
- perf/x86/intel: Implement support for TSX Force Abort (bsc#1121805).
- perf/x86/intel: Make cpuc allocations consistent (bsc#1121805).
- phy: micrel: Ensure interrupts are reenabled on resume (git-fixes).
- powerpc/pseries: Add CPU dlpar remove functionality (bsc#1128756).
- powerpc/pseries: Consolidate CPU hotplug code to hotplug-cpu.c (bsc#1128756).
- powerpc/pseries: Factor out common cpu hotplug code (bsc#1128756).
- powerpc/pseries: Perform full re-add of CPU for topology update post-migration (bsc#1128756).
- pppoe: fix reception of frames with no mac header (git-fixes).
- pptp: dst_release sk_dst_cache in pptp_sock_destruct (git-fixes).
- pseries/energy: Use OF accessor function to read ibm,drc-indexes (bsc#1129080).
- rdma/bnxt_re: Synchronize destroy_qp with poll_cq (bsc#1125446).
- Revert 'mm, devm_memremap_pages: mark devm_memremap_pages() EXPORT_SYMBOL_GPL' (bnc#1012382).
- Revert 'x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls' (bsc#1128565).
- s390/qeth: cancel close_dev work before removing a card (LTC#175898, bsc#1127561).
- scsi: aacraid: Fix missing break in switch statement (bsc#1128696).
- scsi: ibmvscsi: Fix empty event pool access during host removal (bsc#1119019).
- scsi: lpfc: do not set queue->page_count to 0 if pc_sli4_params.wqpcnt is invalid (bsc#1127725).
- scsi: qla2xxx: Fix early srb free on abort (bsc#1121713).
- scsi: qla2xxx: Fix for double free of SRB structure (bsc#1121713).
- scsi: qla2xxx: Increase abort timeout value (bsc#1121713).
- scsi: qla2xxx: Move {get|rel}_sp to base_qpair struct (bsc#1121713).
- scsi: qla2xxx: Return switch command on a timeout (bsc#1121713).
- scsi: qla2xxx: Turn off IOCB timeout timer on IOCB completion (bsc#1121713).
- scsi: qla2xxx: Use correct qpair for ABTS/CMD (bsc#1121713).
- scsi: sym53c8xx: fix NULL pointer dereference panic in sym_int_sir() (bsc#1125315).
- sky2: Increase D3 delay again (bnc#1012382).
- tcp: clear icsk_backoff in tcp_write_queue_purge() (bnc#1012382).
- tcp: tcp_v4_err() should be more careful (bnc#1012382).
- team: avoid complex list operations in team_nl_cmd_options_set() (bnc#1012382).
- team: Free BPF filter when unregistering netdev (git-fixes).
- tracing: Do not free iter->trace in fail path of tracing_open_pipe() (bsc#1129581).
- vsock: cope with memory allocation failure at socket creation time (bnc#1012382).
- vxlan: test dev->flags & IFF_UP before calling netif_rx() (bnc#1012382).
- wireless: airo: potential buffer overflow in sprintf() (bsc#1120902).
- x86: Add TSX Force Abort CPUID/MSR (bsc#1121805).
- x86: Fix incorrect value for X86_FEATURE_TSX_FORCE_ABORT
- x86: livepatch: Treat R_X86_64_PLT32 as R_X86_64_PC32 (bnc#1012382).
- xen, cpu_hotplug: Prevent an out of bounds access (bsc#1065600).
- xen: remove pre-xen3 fallback handlers (bsc#1065600).
- xfs: remove filestream item xfs_inode reference (bsc#1127961).
ImportantSUSE bug 1012382SUSE bug 1020413SUSE bug 1065600SUSE bug 1070767SUSE bug 1075697SUSE bug 1082943SUSE bug 1087092SUSE bug 1090435SUSE bug 1102959SUSE bug 1103429SUSE bug 1106929SUSE bug 1109137SUSE bug 1109248SUSE bug 1119019SUSE bug 1119843SUSE bug 1120691SUSE bug 1120902SUSE bug 1121713SUSE bug 1121805SUSE bug 1124235SUSE bug 1125315SUSE bug 1125446SUSE bug 1126389SUSE bug 1126772SUSE bug 1126773SUSE bug 1126805SUSE bug 1127082SUSE bug 1127155SUSE bug 1127561SUSE bug 1127725SUSE bug 1127731SUSE bug 1127961SUSE bug 1128166SUSE bug 1128452SUSE bug 1128565SUSE bug 1128696SUSE bug 1128756SUSE bug 1128893SUSE bug 1129080SUSE bug 1129179SUSE bug 1129237SUSE bug 1129238SUSE bug 1129239SUSE bug 1129240SUSE bug 1129241SUSE bug 1129413SUSE bug 1129414SUSE bug 1129415SUSE bug 1129416SUSE bug 1129417SUSE bug 1129418SUSE bug 1129419SUSE bug 1129581SUSE bug 1129770SUSE bug 1129923CVE-2019-2024 at SUSECVE-2019-2024 at NVDCVE-2019-9213 at SUSECVE-2019-9213 at NVDcpe:/o:suse:sles:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for openssl fixes the following issues:
Security issues fixed:
- The 9 Lives of Bleichenbacher's CAT: Cache Attacks on TLS Implementations (bsc#1117951)
- CVE-2019-1559: Fixed OpenSSL 0-byte Record Padding Oracle which under certain circumstances
a TLS server can be forced to respond differently to a client and lead to the decryption of the data (bsc#1127080).
Other issues addressed:
- Fixed IV handling in SHAEXT paths: aes/asm/aesni-sha*-x86_64.pl (bsc#1113975).
- Set TLS version to 0 in msg_callback for record messages to avoid confusing applications (bsc#1100078).
ModerateSUSE bug 1100078SUSE bug 1113975SUSE bug 1117951SUSE bug 1127080CVE-2019-1559 at SUSECVE-2019-1559 at NVDcpe:/o:suse:sles:12:sp3Recommended update for adcli, sssd (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for adcli and sssd provides the following improvement:
Security vulnerability fixed:
- CVE-2019-3811: Fix fallback_homedir returning '/' for empty home directories
(bsc#1121759)
Other fixes:
- Add an option to disable checking for trusted domains in the subdomains provider (bsc#1125617)
- Clear pid file in corner cases (bsc#1127670)
- Fix child unable to write to log file after SIGHUP (bsc#1127670)
- Include adcli in SUSE Linux Enterprise 12 SP3 for sssd-ad. (fate#326619, bsc#1109849)
The adcli enables sssd to do password renewal when using Active Directory.
ModerateSUSE bug 1109849SUSE bug 1110121SUSE bug 1121759SUSE bug 1125617SUSE bug 1127670CVE-2019-3811 at SUSECVE-2019-3811 at NVDcpe:/o:suse:sles:12:sp3Security update for sssd (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for sssd provides the following fixes:
This security issue was fixed:
- CVE-2018-10852: Set stricter permissions on /var/lib/sss/pipes/sudo to prevent the disclosure of sudo rules for arbitrary users (bsc#1098377)
These non-security issues were fixed:
- Fix a segmentation fault in sss_cache command. (bsc#1072728)
- Fix a failure in autofs initialisation sequence upon system boot. (bsc#1010700)
- Fix race condition on boot between SSSD and autofs. (bsc#1010700)
- Fix a bug where file descriptors were not closed (bsc#1080156)
- Fix an issue where sssd logs were not rotated properly (bsc#1080156)
- Remove whitespaces from netgroup entries (bsc#1087320)
- Remove misleading log messages (bsc#1101877)
- exit() the forked process if exec()-ing a child process fails (bsc#1110299)
- Do not schedule the machine renewal task if adcli is not executable (bsc#1110299)
ModerateSUSE bug 1010700SUSE bug 1072728SUSE bug 1080156SUSE bug 1087320SUSE bug 1098377SUSE bug 1101877SUSE bug 1110299CVE-2018-10852 at SUSECVE-2018-10852 at NVDcpe:/o:suse:sles:12:sp3Optional update for php72 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update provides PHP 7.2 and subpackages to the SUSE Linux Enterprise 12 Web and Scripting Module.
It is a replacement of the php7 packages, the packages do not co-exist.
The mcrypt extensions was removed in PHP 7.2.
ModerateSUSE bug 1126314SUSE bug 1129032CVE-2018-20783 at SUSECVE-2018-20783 at NVDCVE-2019-9020 at SUSECVE-2019-9020 at NVDCVE-2019-9021 at SUSECVE-2019-9021 at NVDCVE-2019-9022 at SUSECVE-2019-9022 at NVDCVE-2019-9023 at SUSECVE-2019-9023 at NVDCVE-2019-9024 at SUSECVE-2019-9024 at NVDCVE-2019-9641 at SUSECVE-2019-9641 at NVDcpe:/o:suse:sles:12:sp3Security update for bash (Important)SUSE Linux Enterprise Server 12 SP3
This update for bash fixes the following issues:
Security issue fixed:
- CVE-2019-9924: Fixed a vulnerability in which shell did not prevent user BASH_CMDS
allowing the user to execute any command with the permissions of the shell (bsc#1130324).
ImportantSUSE bug 1130324CVE-2019-9924 at SUSECVE-2019-9924 at NVDcpe:/o:suse:sles:12:sp3Security update for file (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for file fixes the following issues:
The following security vulnerabilities were addressed:
- Fixed an out-of-bounds read in the function do_core_note in readelf.c, which
allowed remote attackers to cause a denial of service (application crash) via
a crafted ELF file (bsc#1096974 CVE-2018-10360).
- CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c
(bsc#1126118)
- CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c
(bsc#1126119)
- CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c
(bsc#1126117)
ModerateSUSE bug 1096974SUSE bug 1096984SUSE bug 1126117SUSE bug 1126118SUSE bug 1126119CVE-2018-10360 at SUSECVE-2018-10360 at NVDCVE-2019-8905 at SUSECVE-2019-8905 at NVDCVE-2019-8906 at SUSECVE-2019-8906 at NVDCVE-2019-8907 at SUSECVE-2019-8907 at NVDcpe:/o:suse:sles:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3
This update for MozillaFirefox fixes the following issues:
Security issuess addressed:
- update to Firefox ESR 60.6.1 (bsc#1130262):
- CVE-2019-9813: Fixed Ionmonkey type confusion with __proto__ mutations
- CVE-2019-9810: Fixed IonMonkey MArraySlice incorrect alias information
- Update to Firefox ESR 60.6 (bsc#1129821):
- CVE-2018-18506: Fixed an issue with Proxy Auto-Configuration file
- CVE-2019-9801: Fixed an issue which could allow Windows programs to be exposed to web content
- CVE-2019-9788: Fixed multiple memory safety bugs
- CVE-2019-9790: Fixed a Use-after-free vulnerability when removing in-use DOM elements
- CVE-2019-9791: Fixed an incorrect Type inference for constructors entered through on-stack replacement
with IonMonkey
- CVE-2019-9792: Fixed an issue where IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
- CVE-2019-9793: Fixed multiple improper bounds checks when Spectre mitigations are disabled
- CVE-2019-9794: Fixed an issue where command line arguments not discarded during execution
- CVE-2019-9795: Fixed a Type-confusion vulnerability in IonMonkey JIT compiler
- CVE-2019-9796: Fixed a Use-after-free vulnerability in SMIL animation controller
- Update to Firefox ESR 60.5.1 (bsc#1125330):
- CVE-2018-18356: Fixed a use-after-free vulnerability in the Skia library which can occur when
creating a path, leading to a potentially exploitable crash.
- CVE-2019-5785: Fixed an integer overflow vulnerability in the Skia library which can occur
after specific transform operations, leading to a potentially exploitable crash.
- CVE-2018-18335: Fixed a buffer overflow vulnerability in the Skia library which can occur with
Canvas 2D acceleration on macOS. This issue was addressed by disabling Canvas 2D acceleration
in Firefox ESR. Note: this does not affect other versions and platforms where Canvas 2D
acceleration is already disabled by default.
Other issue addressed:
- Fixed an issue with MozillaFirefox-translations-common which was causing error on update (bsc#1127987).
Release notes: https://www.mozilla.org/en-US/security/advisories/mfsa2019-12/
Release notes: https://www.mozilla.org/en-US/security/advisories/mfsa2019-08/
Release notes: https://www.mozilla.org/en-US/security/advisories/mfsa2019-05/
ImportantSUSE bug 1125330SUSE bug 1127987SUSE bug 1129821SUSE bug 1130262CVE-2018-18335 at SUSECVE-2018-18335 at NVDCVE-2018-18356 at SUSECVE-2018-18356 at NVDCVE-2018-18506 at SUSECVE-2018-18506 at NVDCVE-2019-5785 at SUSECVE-2019-5785 at NVDCVE-2019-9788 at SUSECVE-2019-9788 at NVDCVE-2019-9790 at SUSECVE-2019-9790 at NVDCVE-2019-9791 at SUSECVE-2019-9791 at NVDCVE-2019-9792 at SUSECVE-2019-9792 at NVDCVE-2019-9793 at SUSECVE-2019-9793 at NVDCVE-2019-9794 at SUSECVE-2019-9794 at NVDCVE-2019-9795 at SUSECVE-2019-9795 at NVDCVE-2019-9796 at SUSECVE-2019-9796 at NVDCVE-2019-9801 at SUSECVE-2019-9801 at NVDCVE-2019-9810 at SUSECVE-2019-9810 at NVDCVE-2019-9813 at SUSECVE-2019-9813 at NVDcpe:/o:suse:sles:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3
This update for apache2 fixes the following issues:
* CVE-2019-0220: The Apache HTTP server did not use a consistent strategy for
URL normalization throughout all of its components. In particular,
consecutive slashes were not always collapsed. Attackers could potentially
abuse these inconsistencies to by-pass access control mechanisms and thus
gain unauthorized access to protected parts of the service. [bsc#1131241]
* CVE-2019-0217: A race condition in Apache's 'mod_auth_digest' when running in
a threaded server could have allowed users with valid credentials to
authenticate using another username, bypassing configured access control
restrictions. [bsc#1131239]
* CVE-2019-0211: A flaw in the Apache HTTP Server allowed less-privileged child
processes or threads to execute arbitrary code with the privileges of the
parent process. Attackers with control over CGI scripts or extension modules
run by the server could have abused this issue to potentially gain super user
privileges. [bsc#1131233]
* CVE-2019-0197: When HTTP/2 support was enabled in the Apache server for a
'http' host or H2Upgrade was enabled for h2 on a 'https' host, an Upgrade
request from http/1.1 to http/2 that was not the first request on a
connection could lead to a misconfiguration and crash. This issue could have
been abused to mount a denial-of-service attack. Servers that never enabled
the h2 protocol or that only enabled it for https: and did not configure the
'H2Upgrade on' are unaffected. [bsc#1131245]
* CVE-2019-0196: Through specially crafted network input the Apache's http/2
request handler could be lead to access previously freed memory while
determining the method of a request. This resulted in the request being
misclassified and thus being processed incorrectly. [bsc#1131237]
ImportantSUSE bug 1131233SUSE bug 1131237SUSE bug 1131239SUSE bug 1131241SUSE bug 1131245CVE-2019-0196 at SUSECVE-2019-0196 at NVDCVE-2019-0197 at SUSECVE-2019-0197 at NVDCVE-2019-0211 at SUSECVE-2019-0211 at NVDCVE-2019-0217 at SUSECVE-2019-0217 at NVDCVE-2019-0220 at SUSECVE-2019-0220 at NVDcpe:/o:suse:sles:12:sp3Security update for clamav (Important)SUSE Linux Enterprise Server 12 SP3
This update for clamav to version 0.100.3 fixes the following issues:
Security issues fixed (bsc#1130721):
- CVE-2019-1787: Fixed an out-of-bounds heap read condition which may occur
when scanning PDF documents.
- CVE-2019-1789: Fixed an out-of-bounds heap read condition which may occur
when scanning PE files (i.e. Windows EXE and DLL files).
- CVE-2019-1788: Fixed an out-of-bounds heap write condition which may occur
when scanning OLE2 files such as Microsoft Office 97-2003 documents.
ImportantSUSE bug 1130721CVE-2019-1787 at SUSECVE-2019-1787 at NVDCVE-2019-1788 at SUSECVE-2019-1788 at NVDCVE-2019-1789 at SUSECVE-2019-1789 at NVDcpe:/o:suse:sles:12:sp3Security update for SDL (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for SDL fixes the following issues:
Security issues fixed:
- CVE-2019-7572: Fixed a buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c.(bsc#1124806).
- CVE-2019-7578: Fixed a heap-based buffer over-read in InitIMA_ADPCM in audio/SDL_wave.c (bsc#1125099).
- CVE-2019-7576: Fixed heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (bsc#1124799).
- CVE-2019-7573: Fixed a heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (bsc#1124805).
- CVE-2019-7635: Fixed a heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c. (bsc#1124827).
- CVE-2019-7636: Fixed a heap-based buffer over-read in SDL_GetRGB in video/SDL_pixels.c (bsc#1124826).
- CVE-2019-7638: Fixed a heap-based buffer over-read in Map1toN in video/SDL_pixels.c (bsc#1124824).
- CVE-2019-7574: Fixed a heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c (bsc#1124803).
- CVE-2019-7575: Fixed a heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c (bsc#1124802).
- CVE-2019-7637: Fixed a heap-based buffer overflow in SDL_FillRect function in SDL_surface.c (bsc#1124825).
- CVE-2019-7577: Fixed a buffer over read in SDL_LoadWAV_RW in audio/SDL_wave.c (bsc#1124800).
ModerateSUSE bug 1124799SUSE bug 1124800SUSE bug 1124802SUSE bug 1124803SUSE bug 1124805SUSE bug 1124806SUSE bug 1124824SUSE bug 1124825SUSE bug 1124826SUSE bug 1124827SUSE bug 1125099CVE-2019-7572 at SUSECVE-2019-7572 at NVDCVE-2019-7573 at SUSECVE-2019-7573 at NVDCVE-2019-7574 at SUSECVE-2019-7574 at NVDCVE-2019-7575 at SUSECVE-2019-7575 at NVDCVE-2019-7576 at SUSECVE-2019-7576 at NVDCVE-2019-7577 at SUSECVE-2019-7577 at NVDCVE-2019-7578 at SUSECVE-2019-7578 at NVDCVE-2019-7635 at SUSECVE-2019-7635 at NVDCVE-2019-7636 at SUSECVE-2019-7636 at NVDCVE-2019-7637 at SUSECVE-2019-7637 at NVDCVE-2019-7638 at SUSECVE-2019-7638 at NVDcpe:/o:suse:sles:12:sp3Security update for dovecot22 (Important)SUSE Linux Enterprise Server 12 SP3
This update for dovecot22 fixes the following issues:
Security issues fixed:
- CVE-2019-7524: Fixed an improper file handling which could result in stack overflow allowing
local root escalation (bsc#1130116).
- CVE-2019-3814: Fixed a vulnerability related to SSL client certificate authentication (bsc#1123022).
Other issue fixed:
- Fixed handling of command continuation(bsc#1111789)
ImportantSUSE bug 1111789SUSE bug 1123022SUSE bug 1130116CVE-2019-3814 at SUSECVE-2019-3814 at NVDCVE-2019-7524 at SUSECVE-2019-7524 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3
The SUSE Linux Enterprise 12 SP3 Azure kernel was updated to 4.4.176 to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2019-2024: A use-after-free when disconnecting a source was fixed which could lead to crashes. bnc#1129179).
- CVE-2019-9213: expand_downwards in mm/mmap.c lacked a check for the mmap minimum address, which made it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task (bnc#1128166).
- CVE-2019-6974: kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandled reference counting because of a race condition, leading to a use-after-free. (bnc#1124728)
- CVE-2019-3459, CVE-2019-3460: The Bluetooth stack suffered from two remote information leak vulnerabilities in the code that handles incoming L2cap configuration packets (bsc#1120758).
- CVE-2019-7221: Fixed a use-after-free vulnerability in the KVM hypervisor related to the emulation of a preemption timer, allowing an guest user/process to crash the host kernel. (bsc#1124732).
- CVE-2019-7222: Fixed an information leakage in the KVM hypervisor related to handling page fault exceptions, which allowed a guest user/process to use this flaw to leak the host's stack memory contents to a guest (bsc#1124735).
- CVE-2017-18249: The add_free_nid function in fs/f2fs/node.c did not properly track an allocated nid, which allowed local users to cause a denial of service (race condition) or possibly have unspecified other impact via concurrent threads (bnc#1087036).
The following non-security bugs were fixed:
- acpi/nfit: Block function zero DSMs (bsc#1123321).
- acpi, nfit: Fix ARS overflow continuation (bsc#1125000).
- acpi/nfit: fix cmd_rc for acpi_nfit_ctl to always return a value (bsc#1124775).
- acpi/nfit: Fix command-supported detection (bsc#1123323).
- acpi: power: Skip duplicate power resource references in _PRx (bnc#1012382).
- acpi / processor: Fix the return value of acpi_processor_ids_walk() (git fixes (acpi)).
- alpha: Fix Eiger NR_IRQS to 128 (bnc#1012382).
- alpha: fix page fault handling for r16-r18 targets (bnc#1012382).
- alsa: bebob: fix model-id of unit for Apogee Ensemble (bnc#1012382).
- alsa: compress: Fix stop handling on compressed capture streams (bnc#1012382).
- alsa: hda - Add quirk for HP EliteBook 840 G5 (bnc#1012382).
- alsa: hda/realtek - Disable headset Mic VREF for headset mode of ALC225 (bnc#1012382).
- alsa: hda - Serialize codec registrations (bnc#1012382).
- alsa: usb-audio: Fix implicit fb endpoint setup by quirk (bnc#1012382).
- ARC: perf: map generic branches to correct hardware condition (bnc#1012382).
- arm64: Do not trap host pointer auth use to EL2 (bnc#1012382).
- arm64: ftrace: do not adjust the LR value (bnc#1012382).
- arm64: hyp-stub: Forbid kprobing of the hyp-stub (bnc#1012382).
- arm64/kvm: consistently handle host HCR_EL2 flags (bnc#1012382).
- arm64: KVM: Skip MMIO insn after emulation (bnc#1012382).
- arm64: perf: set suppress_bind_attrs flag to true (bnc#1012382).
- ARM: 8808/1: kexec:offline panic_smp_self_stop CPU (bnc#1012382).
- ARM: cns3xxx: Fix writing to wrong PCI config registers after alignment (bnc#1012382).
- ARM: dts: da850-evm: Correct the sound card name (bnc#1012382).
- ARM: dts: Fix OMAP4430 SDP Ethernet startup (bnc#1012382).
- ARM: dts: kirkwood: Fix polarity of GPIO fan lines (bnc#1012382).
- ARM: dts: mmp2: fix TWSI2 (bnc#1012382).
- ARM: iop32x/n2100: fix PCI IRQ mapping (bnc#1012382).
- ARM: OMAP2+: hwmod: Fix some section annotations (bnc#1012382).
- ARM: pxa: avoid section mismatch warning (bnc#1012382).
- ASoC: atom: fix a missing check of snd_pcm_lib_malloc_pages (bnc#1012382).
- ASoC: fsl: Fix SND_SOC_EUKREA_TLV320 build error on i.MX8M (bnc#1012382).
- ASoC: Intel: mrfld: fix uninitialized variable access (bnc#1012382).
- ata: Fix racy link clearance (bsc#1107866).
- ax25: fix possible use-after-free (bnc#1012382).
- batman-adv: Avoid WARN on net_device without parent in netns (bnc#1012382).
- batman-adv: Force mac header to start of data on xmit (bnc#1012382).
- block_dev: fix crash on chained bios with O_DIRECT (bsc#1090435).
- block: do not use bio->bi_vcnt to figure out segment number (bsc#1128893).
- block/loop: Use global lock for ioctl() operation (bnc#1012382).
- block/swim3: Fix -EBUSY error when re-opening device after unmount (Git-fixes).
- bluetooth: Fix unnecessary error message for HCI request completion (bnc#1012382).
- bnxt_re: Fix couple of memory leaks that could lead to IOMMU call traces (bsc#1020413).
- bnxt_re: Fix couple of memory leaks that could lead to IOMMU call traces (bsc#1020413).
- bpf: fix replace_map_fd_with_map_ptr's ldimm64 second imm field (bsc#1012382).
- btrfs: ensure that a DUP or RAID1 block group has exactly two stripes (bsc#1128452).
- btrfs: tree-checker: Check level for leaves and nodes (bnc#1012382).
- btrfs: tree-checker: Do not check max block group size as current max chunk size limit is unreliable (fixes for bnc#1012382 bsc#1102875 bsc#1102877 bsc#1102879 bsc#1102882 bsc#1102896).
- btrfs: tree-checker: Fix misleading group system information (bnc#1012382).
- btrfs: tree-check: reduce stack consumption in check_dir_item (bnc#1012382).
- btrfs: validate type when reading a chunk (bnc#1012382).
- btrfs: wait on ordered extents on abort cleanup (bnc#1012382).
- can: bcm: check timer values before ktime conversion (bnc#1012382).
- can: dev: __can_get_echo_skb(): fix bogous check for non-existing skb by removing it (bnc#1012382).
- can: gw: ensure DLC boundaries after CAN frame modification (bnc#1012382).
- ceph: avoid repeatedly adding inode to mdsc->snap_flush_list (bsc#1126773).
- ceph: clear inode pointer when snap realm gets dropped by its inode (bsc#1125809).
- ch: add missing mutex_lock()/mutex_unlock() in ch_release() (bsc#1124235).
- char/mwave: fix potential Spectre v1 vulnerability (bnc#1012382).
- ch: fixup refcounting imbalance for SCSI devices (bsc#1124235).
- cifs: Always resolve hostname before reconnecting (bnc#1012382).
- cifs: check ntwrk_buf_start for NULL before dereferencing it (bnc#1012382).
- cifs: Do not count -ENODATA as failure for query directory (bnc#1012382).
- cifs: Do not hide EINTR after sending network packets (bnc#1012382).
- cifs: Fix possible hang during async MTU reads and writes (bnc#1012382).
- cifs: Fix potential OOB access of lock element array (bnc#1012382).
- cifs: Limit memory used by lock request calls to a page (bnc#1012382).
- clk: imx6q: reset exclusive gates on init (bnc#1012382).
- clk: imx6sl: ensure MMDC CH0 handshake is bypassed (bnc#1012382).
- copy_mount_string: Limit string length to PATH_MAX (bsc#1082943).
- cpufreq: intel_pstate: Fix HWP on boot CPU after system resume (bsc#1120017).
- cpuidle: big.LITTLE: fix refcount leak (bnc#1012382).
- crypto: authencesn - Avoid twice completion call in decrypt path (bnc#1012382).
- crypto: authenc - fix parsing key with misaligned rta_len (bnc#1012382).
- crypto: cts - fix crash on short inputs (bnc#1012382).
- crypto: user - support incremental algorithm dumps (bsc#1120902).
- crypto: ux500 - Use proper enum in cryp_set_dma_transfer (bnc#1012382).
- crypto: ux500 - Use proper enum in hash_set_dma_transfer (bnc#1012382).
- cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan() (bnc#1012382).
- dccp: fool proof ccid_hc_[rt]x_parse_options() (bnc#1012382).
- debugfs: fix debugfs_rename parameter checking (bnc#1012382).
- device property: Fix the length used in PROPERTY_ENTRY_STRING() (bsc#1129770).
- Disable MSI also when pcie-octeon.pcie_disable on (bnc#1012382).
- dlm: Do not swamp the CPU with callbacks queued during recovery (bnc#1012382).
- dmaengine: imx-dma: fix wrong callback invoke (bnc#1012382).
- dm crypt: add cryptographic data integrity protection (authenticated encryption) (Git-fixes).
- dm crypt: factor IV constructor out to separate function (Git-fixes).
- dm crypt: fix crash by adding missing check for auth key size (git-fixes).
- dm crypt: fix error return code in crypt_ctr() (git-fixes).
- dm crypt: fix memory leak in crypt_ctr_cipher_old() (git-fixes).
- dm crypt: introduce new format of cipher with 'capi:' prefix (Git-fixes).
- dm crypt: wipe kernel key copy after IV initialization (Git-fixes).
- dm: do not allow readahead to limit IO size (git fixes (readahead)).
- dm kcopyd: Fix bug causing workqueue stalls (bnc#1012382).
- dm snapshot: Fix excessive memory usage and workqueue stalls (bnc#1012382).
- dm thin: fix bug where bio that overwrites thin block ignores FUA (bnc#1012382).
- Documentation/network: reword kernel version reference (bnc#1012382).
- drbd: Avoid Clang warning about pointless switch statment (bnc#1012382).
- drbd: disconnect, if the wrong UUIDs are attached on a connected peer (bnc#1012382).
- drbd: narrow rcu_read_lock in drbd_sync_handshake (bnc#1012382).
- drbd: skip spurious timeout (ping-timeo) when failing promote (bnc#1012382).
- drivers: core: Remove glue dirs from sysfs earlier (bnc#1012382).
- Drivers: hv: vmbus: Check for ring when getting debug info (bsc#1126389).
- drm/bufs: Fix Spectre v1 vulnerability (bnc#1012382).
- drm: Fix error handling in drm_legacy_addctx (bsc#1106929)
- drm/i915: Block fbdev HPD processing during suspend (bsc#1106929)
- drm/i915: Prevent a race during I915_GEM_MMAP ioctl with WC set (bsc#1106929)
- drm/modes: Prevent division by zero htotal (bnc#1012382).
- drm/nouveau/bios/ramcfg: fix missing parentheses when calculating RON (bsc#1106929)
- drm/nouveau/pmu: do not print reply values if exec is false (bsc#1106929)
- drm/radeon/evergreen_cs: fix missing break in switch statement (bsc#1106929)
- drm/vmwgfx: Do not double-free the mode stored in par->set_mode (bsc#1103429)
- drm/vmwgfx: Fix setting of dma masks (bsc#1106929)
- drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user (bsc#1106929)
- e1000e: allow non-monotonic SYSTIM readings (bnc#1012382).
- EDAC: Raise the maximum number of memory controllers (bsc#1120722).
- efi/libstub/arm64: Use hidden attribute for struct screen_info reference (bsc#1122650).
- enic: add wq clean up budget (bsc#1075697, bsc#1120691. bsc#1102959).
- enic: do not overwrite error code (bnc#1012382).
- enic: fix checksum validation for IPv6 (bnc#1012382).
- exec: load_script: do not blindly truncate shebang string (bnc#1012382).
- ext4: fix a potential fiemap/page fault deadlock w/ inline_data (bnc#1012382).
- ext4: Fix crash during online resizing (bsc#1122779).
- f2fs: Add sanity_check_inode() function (bnc#1012382).
- f2fs: avoid unneeded loop in build_sit_entries (bnc#1012382).
- f2fs: check blkaddr more accuratly before issue a bio (bnc#1012382).
- f2fs: clean up argument of recover_data (bnc#1012382).
- f2fs: clean up with is_valid_blkaddr() (bnc#1012382).
- f2fs: detect wrong layout (bnc#1012382).
- f2fs: enhance sanity_check_raw_super() to avoid potential overflow (bnc#1012382).
- f2fs: factor out fsync inode entry operations (bnc#1012382).
- f2fs: fix inode cache leak (bnc#1012382).
- f2fs: fix invalid memory access (bnc#1012382).
- f2fs: fix missing up_read (bnc#1012382).
- f2fs: fix to avoid reading out encrypted data in page cache (bnc#1012382).
- f2fs: fix to convert inline directory correctly (bnc#1012382).
- f2fs: fix to determine start_cp_addr by sbi->cur_cp_pack (bnc#1012382).
- f2fs: fix to do sanity check with block address in main area (bnc#1012382).
- f2fs: fix to do sanity check with block address in main area v2 (bnc#1012382).
- f2fs: fix to do sanity check with cp_pack_start_sum (bnc#1012382).
- f2fs: fix to do sanity check with node footer and iblocks (bnc#1012382).
- f2fs: fix to do sanity check with reserved blkaddr of inline inode (bnc#1012382).
- f2fs: fix to do sanity check with secs_per_zone (bnc#1012382).
- f2fs: fix to do sanity check with user_block_count (bnc#1012382).
- f2fs: fix validation of the block count in sanity_check_raw_super (bnc#1012382).
- f2fs: fix wrong return value of f2fs_acl_create (bnc#1012382).
- f2fs: free meta pages if sanity check for ckpt is failed (bnc#1012382).
- f2fs: give -EINVAL for norecovery and rw mount (bnc#1012382).
- f2fs: introduce and spread verify_blkaddr (bnc#1012382).
- f2fs: introduce get_checkpoint_version for cleanup (bnc#1012382).
- f2fs: move dir data flush to write checkpoint process (bnc#1012382).
- f2fs: move sanity checking of cp into get_valid_checkpoint (bnc#1012382).
- f2fs: not allow to write illegal blkaddr (bnc#1012382).
- f2fs: put directory inodes before checkpoint in roll-forward recovery (bnc#1012382).
- f2fs: read page index before freeing (bnc#1012382).
- f2fs: remove an obsolete variable (bnc#1012382).
- f2fs: return error during fill_super (bnc#1012382).
- f2fs: sanity check on sit entry (bnc#1012382).
- f2fs: use crc and cp version to determine roll-forward recovery (bnc#1012382).
- fbdev: chipsfb: remove set but not used variable 'size' (bsc#1106929)
- Fix incorrect value for X86_FEATURE_TSX_FORCE_ABORT
- Fix problem with sharetransport= and NFSv4 (bsc#1114893).
- fs: add the fsnotify call to vfs_iter_write (bnc#1012382).
- fs/dcache: Fix incorrect nr_dentry_unused accounting in shrink_dcache_sb() (bnc#1012382).
- fs: do not scan the inode cache before SB_BORN is set (bnc#1012382).
- fs/epoll: drop ovflist branch prediction (bnc#1012382).
- fs: fix lost error code in dio_complete (bsc#1117744).
- fuse: call pipe_buf_release() under pipe lock (bnc#1012382).
- fuse: decrement NR_WRITEBACK_TEMP on the right page (bnc#1012382).
- fuse: handle zero sized retrieve correctly (bnc#1012382).
- futex: Fix (possible) missed wakeup (bsc#1050549).
- gdrom: fix a memory leak bug (bnc#1012382).
- gfs2: Revert 'Fix loop in gfs2_rbm_find' (bnc#1012382).
- gpiolib: Fix return value of gpio_to_desc() stub if !GPIOLIB (Git-fixes).
- gpio: pl061: handle failed allocations (bnc#1012382).
- gpu: ipu-v3: Fix CSI offsets for imx53 (bsc#1106929)
- gpu: ipu-v3: Fix i.MX51 CSI control registers offset (bsc#1106929)
- HID: debug: fix the ring buffer implementation (bnc#1012382).
- HID: lenovo: Add checks to fix of_led_classdev_register (bnc#1012382).
- hwmon: (lm80) fix a missing check of bus read in lm80 probe (bnc#1012382).
- hwmon: (lm80) fix a missing check of the status of SMBus read (bnc#1012382).
- hwmon: (lm80) Fix missing unlock on error in set_fan_div() (git-fixes).
- i2c-axxia: check for error conditions first (bnc#1012382).
- i2c: dev: prevent adapter retries and timeout being set as minus value (bnc#1012382).
- IB/core: type promotion bug in rdma_rw_init_one_mr() ().
- ibmveth: Do not process frames after calling napi_reschedule (bcs#1123357).
- ibmvnic: Add ethtool private flag for driver-defined queue limits (bsc#1121726).
- ibmvnic: Increase maximum queue size limit (bsc#1121726).
- ibmvnic: Introduce driver limits for ring sizes (bsc#1121726).
- ibmvnic: Report actual backing device speed and duplex values (bsc#1129923).
- ibmvscsi: Fix empty event pool access during host removal (bsc#1119019).
- IB/rxe: Fix incorrect cache cleanup in error flow ().
- IB/rxe: replace kvfree with vfree ().
- igb: Fix an issue that PME is not enabled during runtime suspend (bnc#1012382).
- inet: frags: add a pointer to struct netns_frags (bnc#1012382).
- inet: frags: better deal with smp races (bnc#1012382).
- inet: frags: break the 2GB limit for frags storage (bnc#1012382).
- inet: frags: change inet_frags_init_net() return value (bnc#1012382).
- inet: frags: do not clone skb in ip_expire() (bnc#1012382).
- inet: frags: fix ip6frag_low_thresh boundary (bnc#1012382).
- inet: frags: get rid of ipfrag_skb_cb/FRAG_CB (bnc#1012382).
- inet: frags: get rif of inet_frag_evicting() (bnc#1012382).
- inet: frags: refactor ipfrag_init() (bnc#1012382).
- inet: frags: refactor ipv6_frag_init() (bnc#1012382).
- inet: frags: refactor lowpan_net_frag_init() (bnc#1012382).
- inet: frags: remove inet_frag_maybe_warn_overflow() (bnc#1012382).
- inet: frags: remove some helpers (bnc#1012382).
- inet: frags: reorganize struct netns_frags (bnc#1012382).
- inet: frags: use rhashtables for reassembly units (bnc#1012382).
- input: bma150 - register input device after setting private data (bnc#1012382).
- input: elan_i2c - add ACPI ID for touchpad in Lenovo V330-15ISK (bnc#1012382).
- input: elantech - enable 3rd button support on Fujitsu CELSIUS H780 (bnc#1012382).
- input: mms114 - fix license module information (bsc#1087092).
- input: xpad - add support for SteelSeries Stratus Duo (bnc#1012382).
- intel_pstate: Update frequencies of policy->cpus only from ->set_policy() (bsc#1120017).
- iommu/amd: Call free_iova_fast with pfn in map_sg (bsc#1106105).
- iommu/amd: Fix IOMMU page flush when detach device from a domain (bsc#1106105).
- iommu/amd: Unmap all mapped pages in error path of map_sg (bsc#1106105).
- iommu/arm-smmu-v3: Use explicit mb() when moving cons pointer (bnc#1012382).
- iommu/dmar: Fix buffer overflow during PCI bus notification (bsc#1129237).
- iommu/io-pgtable-arm-v7s: Only kmemleak_ignore L2 tables (bsc#1129238).
- iommu/vt-d: Check identity map for hot-added devices (bsc#1129239).
- iommu/vt-d: Fix memory leak in intel_iommu_put_resv_regions() (bsc#1106105).
- iommu/vt-d: Fix NULL pointer reference in intel_svm_bind_mm() (bsc#1129240).
- ip: add helpers to process in-order fragments faster (bnc#1012382).
- ipfrag: really prevent allocation on netns exit (bnc#1012382).
- ip: frags: fix crash in ip_do_fragment() (bnc#1012382).
- ipmi:ssif: Fix handling of multi-part return messages (bnc#1012382).
- ip: on queued skb use skb_header_pointer instead of pskb_may_pull (bnc#1012382).
- ip: process in-order fragments efficiently (bnc#1012382).
- ip: use rb trees for IP frag queue (bnc#1012382).
- ipv4: frags: precedence bug in ip_expire() (bnc#1012382).
- ipv6: Consider sk_bound_dev_if when binding a socket to an address (bnc#1012382).
- ipv6: Consider sk_bound_dev_if when binding a socket to a v4 mapped address (bnc#1012382).
- ipv6: fix kernel-infoleak in ipv6_local_error() (bnc#1012382).
- ipv6: frags: rewrite ip6_expire_frag_queue() (bnc#1012382).
- ipv6: Take rcu_read_lock in __inet6_bind for mapped addresses (bnc#1012382).
- irqchip/gic-v3-its: Align PCI Multi-MSI allocation on their size (bnc#1012382).
- isdn: hisax: hfc_pci: Fix a possible concurrency use-after-free bug in HFCPCI_l1hw() (bnc#1012382).
- ixgbe: fix crash in build_skb Rx code path (git-fixes).
- jffs2: Fix use of uninitialized delayed_work, lockdep breakage (bnc#1012382).
- kABI: protect linux/kfifo.h include in hid-debug (kabi).
- kABI: protect struct hda_bus (kabi).
- kABI: protect struct inet_peer (kabi).
- kabi: reorder new slabinfo fields in struct kmem_cache_node (bnc#1116653).
- kallsyms: Handle too long symbols in kallsyms.c (bsc#1126805).
- kaweth: use skb_cow_head() to deal with cloned skbs (bnc#1012382).
- kconfig: fix file name and line number of warn_ignored_character() (bnc#1012382).
- kconfig: fix memory leak when EOF is encountered in quotation (bnc#1012382).
- kernel/exit.c: release ptraced tasks before zap_pid_ns_processes (bnc#1012382).
- kernel/hung_task.c: break RCU locks based on jiffies (bnc#1012382).
- KMPs: obsolete older KMPs of the same flavour (bsc#1127155, bsc#1109137).
- kvm: arm/arm64: vgic-its: Check CBASER/BASER validity before enabling the ITS (bsc#1109248).
- kvm: arm/arm64: vgic-its: Check GITS_BASER Valid bit before saving tables (bsc#1109248).
- kvm: arm/arm64: vgic-its: Fix return value for device table restore (bsc#1109248).
- kvm: arm/arm64: vgic-its: Fix vgic_its_restore_collection_table returned value (bsc#1109248).
- kvm: nVMX: Do not halt vcpu when L1 is injecting events to L2 (bsc#1129413).
- kvm: nVMX: Free the VMREAD/VMWRITE bitmaps if alloc_kvm_area() fails (bsc#1129414).
- kvm: nVMX: NMI-window and interrupt-window exiting should wake L2 from HLT (bsc#1129415).
- kvm: nVMX: Set VM instruction error for VMPTRLD of unbacked page (bsc#1129416).
- kvm: VMX: Do not allow reexecute_instruction() when skipping MMIO instr (bsc#1129417).
- kvm: VMX: Fix x2apic check in vmx_msr_bitmap_mode() (bsc#1124166).
- kvm: VMX: Missing part of upstream commit 904e14fb7cb9 (bsc#1124166).
- kvm: vmx: Set IA32_TSC_AUX for legacy mode guests (bsc#1129418).
- kvm: x86: Add AMD's EX_CFG to the list of ignored MSRs (bsc#1127082).
- kvm: x86: Fix single-step debugging (bnc#1012382).
- kvm: x86: IA32_ARCH_CAPABILITIES is always supported (bsc#1129419).
- kvm: x86: svm: report MSR_IA32_MCG_EXT_CTL as unsupported (bnc#1012382).
- l2tp: copy 4 more bytes to linear part if necessary (bnc#1012382).
- l2tp: fix reading optional fields of L2TPv3 (bnc#1012382).
- l2tp: remove l2specific_len dependency in l2tp_core (bnc#1012382).
- libceph: avoid KEEPALIVE_PENDING races in ceph_con_keepalive() (bsc#1125810).
- libceph: handle an empty authorize reply (bsc#1126772).
- libnvdimm: fix ars_status output length calculation (bsc#1124777).
- libnvdimm, pfn: Pad pfn namespaces relative to other regions (bsc#1124811).
- libnvdimm: Use max contiguous area for namespace size (bsc#1124780).
- locking/rwsem: Fix (possible) missed wakeup (bsc#1050549).
- loop: Fix double mutex_unlock(&loop_ctl_mutex) in loop_control_ioctl() (bnc#1012382).
- loop: Fold __loop_release into loop_release (bnc#1012382).
- loop: Get rid of loop_index_mutex (bnc#1012382).
- LSM: Check for NULL cred-security on free (bnc#1012382).
- mac80211: ensure that mgmt tx skbs have tailroom for encryption (bnc#1012382).
- mac80211: fix radiotap vendor presence bitmap handling (bnc#1012382).
- md: batch flush requests (bsc#1119680).
- mdio_bus: Fix use-after-free on device_register fails (git-fixes).
- media: DaVinci-VPBE: fix error handling in vpbe_initialize() (bnc#1012382).
- media: em28xx: Fix misplaced reset of dev->v4l::field_count (bnc#1012382).
- media: firewire: Fix app_info parameter type in avc_ca{,_app}_info (bnc#1012382).
- media: vb2: be sure to unlock mutex on errors (bnc#1012382).
- media: vb2: vb2_mmap: move lock up (bnc#1012382).
- media: vivid: fix error handling of kthread_run (bnc#1012382).
- media: vivid: set min width/height to a value > 0 (bnc#1012382).
- memstick: Prevent memstick host from getting runtime suspended during card detection (bnc#1012382).
- mfd: as3722: Handle interrupts on suspend (bnc#1012382).
- mfd: as3722: Mark PM functions as __maybe_unused (bnc#1012382).
- mfd: tps6586x: Handle interrupts on suspend (bnc#1012382).
- misc: vexpress: Off by one in vexpress_syscfg_exec() (bnc#1012382).
- mISDN: fix a race in dev_expire_timer() (bnc#1012382).
- mlxsw: pci: Correctly determine if descriptor queue is full (git-fixes).
- mlxsw: reg: Use correct offset in field definiton (git-fixes).
- mmc: atmel-mci: do not assume idle after atmci_request_end (bnc#1012382).
- mmc: bcm2835: Fix DMA channel leak on probe error (bsc#1120902).
- mmc: sdhci-iproc: handle mmc_of_parse() errors during probe (bnc#1012382).
- mm, devm_memremap_pages: mark devm_memremap_pages() EXPORT_SYMBOL_GPL (bnc#1012382).
- mm,memory_hotplug: fix scan_movable_pages() for gigantic hugepages (bsc#1127731).
- mm: migrate: do not rely on __PageMovable() of newpage after unlocking it (bnc#1012382).
- mm: only report isolation failures when offlining memory (generic hotplug debugability).
- mm, oom: fix use-after-free in oom_kill_process (bnc#1012382).
- mm, page_alloc: drop should_suppress_show_mem (bnc#1125892, bnc#1106061).
- mm/page-writeback.c: do not break integrity writeback on ->writepage() error (bnc#1012382).
- mm, proc: be more verbose about unstable VMA flags in /proc/<pid>/smaps (bnc#1012382).
- mm, slab: faster active and free stats (bsc#116653, VM Performance).
- mm/slab: improve performance of gathering slabinfo stats (bsc#116653, VM Performance).
- mm, slab: maintain total slab count instead of active count (bsc#116653, VM Performance).
- modpost: validate symbol names also in find_elf_symbol (bnc#1012382).
- mtd: rawnand: gpmi: fix MX28 bus master lockup problem (bnc#1012382).
- net: Add header for usage of fls64() (bnc#1012382).
- net: bridge: fix a bug on using a neighbour cache entry without checking its state (bnc#1012382).
- net: bridge: Fix ethernet header pointer before check skb forwardable (bnc#1012382).
- net: call sk_dst_reset when set SO_DONTROUTE (bnc#1012382).
- net: Do not allocate page fragments that are not skb aligned (bnc#1012382).
- net: dp83640: expire old TX-skb (bnc#1012382).
- net: dsa: bcm_sf2: Do not assume DSA master supports WoL (git-fixes).
- net: dsa: mv88e6xxx: fix port VLAN maps (git-fixes).
- net: dsa: slave: Do not propagate flag changes on down slave interfaces (bnc#1012382).
- net: Fix for_each_netdev_feature on Big endian (bnc#1012382).
- net: fix IPv6 prefix route residue (bnc#1012382).
- net: fix pskb_trim_rcsum_slow() with odd trim offset (bnc#1012382).
- net: Fix usage of pskb_trim_rcsum (bnc#1012382).
- net/hamradio/6pack: Convert timers to use timer_setup() (git-fixes).
- net/hamradio/6pack: use mod_timer() to rearm timers (git-fixes).
- net: ieee802154: 6lowpan: fix frag reassembly (bnc#1012382).
- net: ipv4: do not handle duplicate fragments as overlapping (bnc#1012382 bsc#1116345).
- net: ipv4: Fix memory leak in network namespace dismantle (bnc#1012382).
- net: ipv4: use a dedicated counter for icmp_v4 redirect packets (bnc#1012382).
- net: lan78xx: Fix race in tx pending skb size calculation (git-fixes).
- net/mlx4_core: Add masking for a few queries on HCA caps (bnc#1012382).
- net/mlx4_core: drop useless LIST_HEAD (git-fixes).
- net/mlx4_core: Fix qp mtt size calculation (git-fixes).
- net/mlx4_core: Fix reset flow when in command polling mode (git-fixes).
- net/mlx4: Fix endianness issue in qp context params (git-fixes).
- net/mlx5: Continue driver initialization despite debugfs failure (git-fixes).
- net/mlx5e: Fix TCP checksum in LRO buffers (git-fixes).
- net/mlx5: Fix driver load bad flow when having fw initializing timeout (git-fixes).
- net/mlx5: fix uaccess beyond 'count' in debugfs read/write handlers (git-fixes).
- net/mlx5: Fix use-after-free in self-healing flow (git-fixes).
- net/mlx5: Return success for PAGE_FAULT_RESUME in internal error state (git-fixes).
- net: modify skb_rbtree_purge to return the truesize of all purged skbs (bnc#1012382).
- net: mv643xx_eth: fix packet corruption with TSO and tiny unaligned packets (git-fixes).
- net: phy: Avoid polling PHY with PHY_IGNORE_INTERRUPTS (git-fixes).
- net: phy: bcm7xxx: Fix shadow mode 2 disabling (git-fixes).
- net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends (bnc#1012382).
- net: qca_spi: Fix race condition in spi transfers (git-fixes).
- netrom: switch to sock timer API (bnc#1012382).
- net/rose: fix NULL ax25_cb kernel panic (bnc#1012382).
- net_sched: refetch skb protocol for each filter (bnc#1012382).
- net: speed up skb_rbtree_purge() (bnc#1012382).
- net: stmmac: Fix a race in EEE enable callback (bnc#1012382).
- net: stmmac: Fix a race in EEE enable callback (git-fixes).
- net: systemport: Fix WoL with password after deep sleep (bnc#1012382).
- net: thunderx: set tso_hdrs pointer to NULL in nicvf_free_snd_queue (git-fixes).
- net/x25: do not hold the cpu too long in x25_new_lci() (bnc#1012382).
- NFC: nxp-nci: Include unaligned.h instead of access_ok.h (bnc#1012382).
- nfit: fix unchecked dereference in acpi_nfit_ctl (bsc#1125014).
- nfsd4: fix crash on writing v4_end_grace before nfsd startup (bnc#1012382).
- NFS: nfs_compare_mount_options always compare auth flavors (bnc#1012382).
- niu: fix missing checks of niu_pci_eeprom_read (bnc#1012382).
- ocfs2: do not clear bh uptodate for block read (bnc#1012382).
- ocfs2: fix panic due to unrecovered local alloc (bnc#1012382).
- omap2fb: Fix stack memory disclosure (bsc#1106929)
- openvswitch: Avoid OOB read when parsing flow nlattrs (bnc#1012382).
- packet: Do not leak dev refcounts on error exit (bnc#1012382).
- pci: altera: Check link status before retrain link (bnc#1012382).
- pci: altera: Fix altera_pcie_link_is_up() (bnc#1012382).
- pci: altera: Move retrain from fixup to altera_pcie_host_init() (bnc#1012382).
- pci: altera: Poll for link training status after retraining the link (bnc#1012382).
- pci: altera: Poll for link up status after retraining the link (bnc#1012382).
- pci: altera: Reorder read/write functions (bnc#1012382).
- pci: altera: Rework config accessors for use without a struct pci_bus (bnc#1012382).
- pci/PME: Fix hotplug/sysfs remove deadlock in pcie_pme_remove() (bsc#1129241).
- perf/core: Do not WARN() for impossible ring-buffer sizes (bnc#1012382).
- perf/core: Fix impossible ring-buffer sizes warning (bnc#1012382).
- perf intel-pt: Fix error with config term 'pt=0' (bnc#1012382).
- perf parse-events: Fix unchecked usage of strncpy() (bnc#1012382).
- perf svghelper: Fix unchecked usage of strncpy() (bnc#1012382).
- perf tests evsel-tp-sched: Fix bitwise operator (bnc#1012382).
- perf tools: Add Hygon Dhyana support (bnc#1012382).
- perf unwind: Take pgoff into account when reporting elf to libdwfl (bnc#1012382).
- perf unwind: Unwind with libdw does not take symfs into account (bnc#1012382).
- perf/x86: Add sysfs entry to freeze counters on SMI (bsc#1121805).
- perf/x86/intel: Delay memory deallocation until x86_pmu_dead_cpu() (bsc#1121805).
- perf/x86/intel: Do not enable freeze-on-smi for PerfMon V1 (bsc#1121805).
- perf/x86/intel: Fix memory corruption (bsc#1121805).
- perf/x86/intel: Generalize dynamic constraint creation (bsc#1121805).
- perf/x86/intel: Implement support for TSX Force Abort (bsc#1121805).
- perf/x86/intel: Make cpuc allocations consistent (bsc#1121805).
- perf/x86/intel/uncore: Add Node ID mask (bnc#1012382).
- phy: micrel: Ensure interrupts are reenabled on resume (git-fixes).
- pinctrl: msm: fix gpio-hog related boot issues (bnc#1012382).
- platform/x86: asus-nb-wmi: Drop mapping of 0x33 and 0x34 scan codes (bnc#1012382).
- platform/x86: asus-nb-wmi: Map 0x35 to KEY_SCREENLOCK (bnc#1012382).
- platform/x86: asus-wmi: Tell the EC the OS will handle the display off hotkey (bnc#1012382).
- platform/x86: thinkpad_acpi: Proper model/release matching (bsc#1099810).
- powerpc/cacheinfo: Report the correct shared_cpu_map on big-cores (bsc#1109695).
- powerpc: Detect the presence of big-cores via 'ibm, thread-groups' (bsc#1109695).
- powerpc, hotplug: Avoid to touch non-existent cpumasks (bsc#1109695).
- powerpc: make use of for_each_node_by_type() instead of open-coding it (bsc#1109695).
- powerpc/pseries: Add CPU dlpar remove functionality (bsc#1128756).
- powerpc/pseries: add of_node_put() in dlpar_detach_node() (bnc#1012382).
- powerpc/pseries: Consolidate CPU hotplug code to hotplug-cpu.c (bsc#1128756).
- powerpc/pseries/cpuidle: Fix preempt warning (bnc#1012382).
- powerpc/pseries: Factor out common cpu hotplug code (bsc#1128756).
- powerpc/pseries: Perform full re-add of CPU for topology update post-migration (bsc#1128756).
- powerpc/setup: Add cpu_to_phys_id array (bsc#1109695).
- powerpc/smp: Add cpu_l2_cache_map (bsc#1109695).
- powerpc/smp: Add Power9 scheduler topology (bsc#1109695).
- powerpc/smp: Rework CPU topology construction (bsc#1109695).
- powerpc/smp: Use cpu_to_chip_id() to find core siblings (bsc#1109695).
- powerpc/uaccess: fix warning/error with access_ok() (bnc#1012382).
- powerpc: Use cpu_smallcore_sibling_mask at SMT level on bigcores (bsc#1109695).
- powerpc/xmon: Fix invocation inside lock region (bsc#1122885).
- pppoe: fix reception of frames with no mac header (git-fixes).
- pptp: dst_release sk_dst_cache in pptp_sock_destruct (git-fixes).
- proc: Remove empty line in /proc/self/status (bnc#1012382 bsc#1094823).
- pseries/energy: Use OF accessor function to read ibm,drc-indexes (bsc#1129080).
- pstore/ram: Do not treat empty buffers as valid (bnc#1012382).
- ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl (bnc#1012382).
- r8169: Add support for new Realtek Ethernet (bnc#1012382).
- rbd: do not return 0 on unmap if RBD_DEV_FLAG_REMOVING is set (bsc#1125808).
- rcu: Force boolean subscript for expedited stall warnings (bnc#1012382).
- RDMA/bnxt_re: Fix a couple off by one bugs (bsc#1020413, ).
- RDMA/bnxt_re: Synchronize destroy_qp with poll_cq (bsc#1125446).
- Revert 'bs-upload-kernel: do not set %opensuse_bs' This reverts commit e89e2b8cbef05df6c874ba70af3cb4c57f82a821.
- Revert 'cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on legacy (insecure cifs)' (bnc#1012382).
- Revert 'exec: load_script: do not blindly truncate shebang string' (bnc#1012382).
- Revert 'Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G' (bnc#1012382).
- Revert 'loop: Fix double mutex_unlock(&loop_ctl_mutex) in loop_control_ioctl()' (bnc#1012382).
- Revert 'loop: Fold __loop_release into loop_release' (bnc#1012382).
- Revert 'loop: Get rid of loop_index_mutex' (bnc#1012382).
- Revert 'mmc: bcm2835: Fix DMA channel leak on probe error (bsc#1120902).' The backport patch does not built properly.
- Revert 'mm, devm_memremap_pages: mark devm_memremap_pages() EXPORT_SYMBOL_GPL' (bnc#1012382).
- Revert 'net: stmmac: Fix a race in EEE enable callback (git-fixes).' This reverts commit f323fa8d233c1f44aff17e6fae90c2c8be30edf9. The patch was already included in stable 4.4.176.
- Revert 'sd: disable logical block provisioning if 'lbpme' is not set' This reverts commit 96370bd87299c7a6883b3e2bf13818f60c8ba611. Patch not accepted upstream.
- Revert 'x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls' (bsc#1128565).
- rhashtable: Add rhashtable_lookup() (bnc#1012382).
- rhashtable: add rhashtable_lookup_get_insert_key() (bnc#1012382 bsc#1042286).
- rhashtable: add schedule points (bnc#1012382).
- rhashtable: reorganize struct rhashtable layout (bnc#1012382).
- s390/early: improve machine detection (bnc#1012382).
- s390/qeth: cancel close_dev work before removing a card (LTC#175898, bsc#1127561).
- s390/smp: Fix calling smp_call_ipl_cpu() from ipl CPU (bnc#1012382).
- s390/smp: fix CPU hotplug deadlock with CPU rescan (bnc#1012382).
- sata_rcar: fix deferred probing (bnc#1012382).
- sched/wake_q: Document wake_q_add() (bsc#1050549).
- sched/wake_q: Fix wakeup ordering for wake_q (bsc#1050549).
- sched/wake_q: Reduce reference counting for special users (bsc#1050549).
- scripts/decode_stacktrace: only strip base path when a prefix of the path (bnc#1012382).
- scripts/git_sort/git_sort.py: Add mkp/scsi 5.0/scsi-fixes
- scsi: aacraid: Fix missing break in switch statement (bsc#1128696).
- scsi: ibmvscsi: Fix empty event pool access during host removal (bsc#1119019).
- scsi: lpfc: Correct LCB RJT handling (bnc#1012382).
- scsi: lpfc: Correct MDS diag and nvmet configuration (bsc#1125796).
- scsi: lpfc: do not set queue->page_count to 0 if pc_sli4_params.wqpcnt is invalid (bsc#1127725).
- scsi: megaraid: fix out-of-bound array accesses (bnc#1012382).
- scsi: mpt3sas: Add an I/O barrier (bsc#1117108).
- scsi: mpt3sas: Added support for nvme encapsulated request message (bsc#1117108).
- scsi: mpt3sas: Added support for SAS Device Discovery Error Event (bsc#1117108).
- scsi: mpt3sas: Adding support for SAS3616 HBA device (bsc#1117108).
- scsi: mpt3sas: Add ioc_<level> logging macros (bsc#1117108).
- scsi: mpt3sas: Add nvme device support in slave alloc, target alloc and probe (bsc#1117108).
- scsi: mpt3sas: Add PCI device ID for Andromeda (bsc#1117108).
- scsi: mpt3sas: Add-Task-management-debug-info-for-NVMe-drives (bsc#1117108).
- scsi: mpt3sas: Allow processing of events during driver unload (bsc#1117108).
- scsi: mpt3sas: always use first reserved smid for ioctl passthrough (bsc#1117108).
- scsi: mpt3sas: Annotate switch/case fall-through (bsc#1117108).
- scsi: mpt3sas: API's to remove nvme drive from sml (bsc#1117108).
- scsi: mpt3sas: API 's to support NVMe drive addition to SML (bsc#1117108).
- scsi: mpt3sas: As per MPI-spec, use combined reply queue for SAS3.5 controllers when HBA supports more than 16 MSI-x vectors (bsc#1117108).
- scsi: mpt3sas: Bug fix for big endian systems (bsc#1117108).
- scsi: mpt3sas: Bump mpt3sas driver version to v16.100.00.00 (bsc#1117108).
- scsi: mpt3sas: Cache enclosure pages during enclosure add (bsc#1117108).
- scsi: mpt3sas: check command status before attempting abort (bsc#1117108).
- scsi: mpt3sas: clarify mmio pointer types (bsc#1117108).
- scsi: mpt3sas: cleanup _scsih_pcie_enumeration_event() (bsc#1117108).
- scsi: mpt3sas: Configure reply post queue depth, DMA and sgl tablesize (bsc#1117108).
- scsi: mpt3sas: Convert logging uses with MPT3SAS_FMT and reply_q_name to %s: (bsc#1117108).
- scsi: mpt3sas: Convert logging uses with MPT3SAS_FMT without logging levels (bsc#1117108).
- scsi: mpt3sas: Convert mlsleading uses of pr_<level> with MPT3SAS_FMT (bsc#1117108).
- scsi: mpt3sas: Convert uses of pr_<level> with MPT3SAS_FMT to ioc_<level> (bsc#1117108).
- scsi: mpt3sas: Display chassis slot information of the drive (bsc#1117108).
- scsi: mpt3sas: Do not abort I/Os issued to NVMe drives while processing Async Broadcast primitive event (bsc#1117108).
- scsi: mpt3sas: Do not access the structure after decrementing it's instance reference count (bsc#1117108).
- scsi: mpt3sas: Do not use 32-bit atomic request descriptor for Ventura controllers (bsc#1117108).
- scsi: mpt3sas: Enhanced handling of Sense Buffer (bsc#1117108).
- scsi: mpt3sas: fix an out of bound write (bsc#1117108).
- scsi: mpt3sas: Fix a race condition in mpt3sas_base_hard_reset_handler() (bsc#1117108).
- scsi: mpt3sas: Fix calltrace observed while running IO & reset (bsc#1117108).
- scsi: mpt3sas: fix dma_addr_t casts (bsc#1117108).
- scsi: mpt3sas: Fixed memory leaks in driver (bsc#1117108).
- scsi: mpt3sas: Fix, False timeout prints for ioctl and other internal commands during controller reset (bsc#1117108).
- scsi: mpt3sas: fix format overflow warning (bsc#1117108).
- scsi: mpt3sas: Fix indentation (bsc#1117108).
- scsi: mpt3sas: Fix memory allocation failure test in 'mpt3sas_base_attach()' (bsc#1117108).
- scsi: mpt3sas: Fix nvme drives checking for tlr (bsc#1117108).
- scsi: mpt3sas: fix oops in error handlers after shutdown/unload (bsc#1117108).
- scsi: mpt3sas: Fix possibility of using invalid Enclosure Handle for SAS device after host reset (bsc#1117108).
- scsi: mpt3sas: fix possible memory leak (bsc#1117108).
- scsi: mpt3sas: fix pr_info message continuation (bsc#1117108).
- scsi: mpt3sas: Fix removal and addition of vSES device during host reset (bsc#1117108).
- scsi: mpt3sas: Fix sparse warnings (bsc#1117108).
- scsi: mpt3sas: fix spelling mistake: 'disbale' -> 'disable' (bsc#1117108).
- scsi: mpt3sas: For NVME device, issue a protocol level reset (bsc#1117108).
- scsi: mpt3sas: Handle NVMe PCIe device related events generated from firmware (bsc#1117108).
- scsi: mpt3sas: Improve kernel-doc headers (bsc#1117108).
- scsi: mpt3sas: Incorrect command status was set/marked as not used (bsc#1117108).
- scsi: mpt3sas: Increase event log buffer to support 24 port HBA's (bsc#1117108).
- scsi: mpt3sas: Introduce API to get BAR0 mapped buffer address (bsc#1117108).
- scsi: mpt3sas: Introduce Base function for cloning (bsc#1117108).
- scsi: mpt3sas: Introduce function to clone mpi reply (bsc#1117108).
- scsi: mpt3sas: Introduce function to clone mpi request (bsc#1117108).
- scsi: mpt3sas: Introduce mpt3sas_get_st_from_smid() (bsc#1117108).
- scsi: mpt3sas: Introduce struct mpt3sas_nvme_cmd (bsc#1117108).
- scsi: mpt3sas: Lockless access for chain buffers (bsc#1117108).
- scsi: mpt3sas: lockless command submission (bsc#1117108).
- scsi: mpt3sas: make function _get_st_from_smid static (bsc#1117108).
- scsi: mpt3sas: NVMe drive support for BTDHMAPPING ioctl command and log info (bsc#1117108).
- scsi: mpt3sas: open-code _scsih_scsi_lookup_get() (bsc#1117108).
- scsi: mpt3sas: Optimize I/O memory consumption in driver (bsc#1117108).
- scsi: mpt3sas: Pre-allocate RDPQ Array at driver boot time (bsc#1117108).
- scsi: mpt3sas: Processing of Cable Exception events (bsc#1117108).
- scsi: mpt3sas: Reduce memory footprint in kdump kernel (bsc#1117108).
- scsi: mpt3sas: remove a stray KERN_INFO (bsc#1117108).
- scsi: mpt3sas: Remove KERN_WARNING from panic uses (bsc#1117108).
- scsi: mpt3sas: remove redundant copy_from_user in _ctl_getiocinfo (bsc#1117108).
- scsi: mpt3sas: remove redundant wmb (bsc#1117108).
- scsi: mpt3sas: Remove set-but-not-used variables (bsc#1117108).
- scsi: mpt3sas: Remove unnecessary parentheses and simplify null checks (bsc#1117108).
- scsi: mpt3sas: Remove unused macro MPT3SAS_FMT (bsc#1117108).
- scsi: mpt3sas: Remove unused variable requeue_event (bsc#1117108).
- scsi: mpt3sas: Replace PCI pool old API (bsc#1117108).
- scsi: mpt3sas: Replace PCI pool old API (bsc#1117108).
- scsi: mpt3sas: Report Firmware Package Version from HBA Driver (bsc#1117108).
- scsi: mpt3sas: scan and add nvme device after controller reset (bsc#1117108).
- scsi: mpt3sas: separate out _base_recovery_check() (bsc#1117108).
- scsi: mpt3sas: set default value for cb_idx (bsc#1117108).
- scsi: mpt3sas: Set NVMe device queue depth as 128 (bsc#1117108).
- scsi: mpt3sas: SGL to PRP Translation for I/Os to NVMe devices (bsc#1117108).
- scsi: mpt3sas: simplify mpt3sas_scsi_issue_tm() (bsc#1117108).
- scsi: mpt3sas: simplify task management functions (bsc#1117108).
- scsi: mpt3sas: simplify _wait_for_commands_to_complete() (bsc#1117108).
- scsi: mpt3sas: Split _base_reset_handler(), mpt3sas_scsih_reset_handler() and mpt3sas_ctl_reset_handler() (bsc#1117108).
- scsi: mpt3sas: Swap I/O memory read value back to cpu endianness (bsc#1117108).
- scsi: mpt3sas: switch to generic DMA API (bsc#1117108).
- scsi: mpt3sas: switch to pci_alloc_irq_vectors (bsc#1117108).
- scsi: mpt3sas: Updated MPI headers to v2.00.48 (bsc#1117108).
- scsi: mpt3sas: Update driver version '25.100.00.00' (bsc#1117108).
- scsi: mpt3sas: Update driver version '26.100.00.00' (bsc#1117108).
- scsi: mpt3sas: Update MPI Headers (bsc#1117108).
- scsi: mpt3sas: Update mpt3sas driver version (bsc#1117108).
- scsi: mpt3sas: Use dma_pool_zalloc (bsc#1117108).
- scsi: mpt3sas: use list_splice_init() (bsc#1117108).
- scsi: mpt3sas: wait for and flush running commands on shutdown/unload (bsc#1117108).
- scsi: qla2xxx: Fix deadlock between ATIO and HW lock (bsc#1125794).
- scsi: qla2xxx: Fix early srb free on abort (bsc#1121713).
- scsi: qla2xxx: Fix for double free of SRB structure (bsc#1121713).
- scsi: qla2xxx: Increase abort timeout value (bsc#1121713).
- scsi: qla2xxx: Move {get|rel}_sp to base_qpair struct (bsc#1121713).
- scsi: qla2xxx: Return switch command on a timeout (bsc#1121713).
- scsi: qla2xxx: Turn off IOCB timeout timer on IOCB completion (bsc#1121713).
- scsi: qla2xxx: Use correct qpair for ABTS/CMD (bsc#1121713).
- scsi: sd: Fix cache_type_store() (bnc#1012382).
- scsi: sym53c8xx: fix NULL pointer dereference panic in sym_int_sir() (bsc#1125315).
- scsi: target: make the pi_prot_format ConfigFS path readable (bsc#1123933).
- scsi: target: use consistent left-aligned ASCII INQUIRY data (bnc#1012382).
- sctp: allocate sctp_sockaddr_entry with kzalloc (bnc#1012382).
- sd: disable logical block provisioning if 'lbpme' is not set (bsc#1086095 bsc#1078355).
- selinux: fix GPF on invalid policy (bnc#1012382).
- seq_buf: Make seq_buf_puts() null-terminate the buffer (bnc#1012382).
- serial: fsl_lpuart: clear parity enable bit when disable parity (bnc#1012382).
- series.conf: Move 'patches.fixes/aio-hold-an-extra-file-reference-over-AIO-read-write.patch' into sorted section.
- signal: Always notice exiting tasks (bnc#1012382).
- signal: Better detection of synchronous signals (bnc#1012382).
- signal: Restore the stop PTRACE_EVENT_EXIT (bnc#1012382).
- skge: potential memory corruption in skge_get_regs() (bnc#1012382).
- sky2: Increase D3 delay again (bnc#1012382).
- slab: alien caches must not be initialized if the allocation of the alien cache failed (bnc#1012382).
- smack: fix access permissions for keyring (bnc#1012382).
- smsc95xx: Use skb_cow_head to deal with cloned skbs (bnc#1012382).
- soc/tegra: Do not leak device tree node reference (bnc#1012382).
- staging:iio:ad2s90: Make probe handle spi_setup failure (bnc#1012382).
- staging: iio: ad7780: update voltage on read (bnc#1012382).
- staging: iio: adc: ad7280a: handle error from __ad7280_read32() (bnc#1012382).
- staging: rtl8188eu: Add device code for D-Link DWA-121 rev B1 (bnc#1012382).
- sunrpc: handle ENOMEM in rpcb_getport_async (bnc#1012382).
- sunvdc: Do not spin in an infinite loop when vio_ldc_send() returns EAGAIN (bnc#1012382).
- sysfs: Disable lockdep for driver bind/unbind files (bnc#1012382).
- tcp: clear icsk_backoff in tcp_write_queue_purge() (bnc#1012382).
- tcp: tcp_v4_err() should be more careful (bnc#1012382).
- team: avoid complex list operations in team_nl_cmd_options_set() (bnc#1012382).
- team: Free BPF filter when unregistering netdev (git-fixes).
- test_hexdump: use memcpy instead of strncpy (bnc#1012382).
- thermal: hwmon: inline helpers when CONFIG_THERMAL_HWMON is not set (bnc#1012382).
- timekeeping: Use proper seqcount initializer (bnc#1012382).
- tipc: fix uninit-value in tipc_nl_compat_bearer_enable (bnc#1012382).
- tipc: fix uninit-value in tipc_nl_compat_doit (bnc#1012382).
- tipc: fix uninit-value in tipc_nl_compat_link_reset_stats (bnc#1012382).
- tipc: fix uninit-value in tipc_nl_compat_link_set (bnc#1012382).
- tipc: fix uninit-value in tipc_nl_compat_name_table_dump (bnc#1012382).
- tipc: use destination length for copy string (bnc#1012382).
- tracing: Do not free iter->trace in fail path of tracing_open_pipe() (bsc#1129581).
- tracing/uprobes: Fix output for multiple string arguments (bnc#1012382).
- tty: Do not block on IO when ldisc change is pending (bnc#1105428).
- tty: Do not hold ldisc lock in tty_reopen() if ldisc present (bnc#1105428).
- tty: fix data race between tty_init_dev and flush of buf (bnc#1105428).
- tty: Handle problem if line discipline does not have receive_buf (bnc#1012382).
- tty: Hold tty_ldisc_lock() during tty_reopen() (bnc#1105428).
- tty/ldsem: Add lockdep asserts for ldisc_sem (bnc#1105428).
- tty/ldsem: Convert to regular lockdep annotations (bnc#1105428).
- tty/ldsem: Decrement wait_readers on timeouted down_read() (bnc#1105428).
- tty/ldsem: Wake up readers after timed out down_write() (bnc#1012382).
- tty/n_hdlc: fix __might_sleep warning (bnc#1012382).
- tty: serial: samsung: Properly set flags in autoCTS mode (bnc#1012382).
- tty: Simplify tty->count math in tty_reopen() (bnc#1105428).
- uapi/if_ether.h: move __UAPI_DEF_ETHHDR libc define (bnc#1012382).
- uapi/if_ether.h: prevent redefinition of struct ethhdr (bnc#1012382).
- ucc_geth: Reset BQL queue when stopping device (bnc#1012382).
- udf: Fix BUG on corrupted inode (bnc#1012382).
- um: Avoid marking pages with 'changed protection' (bnc#1012382).
- usb: Add USB_QUIRK_DELAY_CTRL_MSG quirk for Corsair K70 RGB (bnc#1012382).
- usb: cdc-acm: send ZLP for Telit 3G Intel based modems (bnc#1012382).
- usb: dwc2: Remove unnecessary kfree (bnc#1012382).
- usb: gadget: udc: net2272: Fix bitwise and boolean operations (bnc#1012382).
- usb: hub: delay hub autosuspend if USB3 port is still link training (bnc#1012382).
- usb: phy: am335x: fix race condition in _probe (bnc#1012382).
- usb: serial: pl2303: add new PID to support PL2303TB (bnc#1012382).
- usb: serial: simple: add Motorola Tetra TPG2200 device id (bnc#1012382).
- usb: storage: add quirk for SMI SM3350 (bnc#1012382).
- usb: storage: do not insert sane sense for SPC3+ when bad sense specified (bnc#1012382).
- video: clps711x-fb: release disp device node in probe() (bnc#1012382).
- vsock: cope with memory allocation failure at socket creation time (bnc#1012382).
- vt: invoke notifier on screen size change (bnc#1012382).
- vxlan: test dev->flags & IFF_UP before calling netif_rx() (bnc#1012382).
- wireless: airo: potential buffer overflow in sprintf() (bsc#1120902).
- writeback: do not decrement wb->refcnt if !wb->bdi (git fixes (writeback)).
- x86: Add TSX Force Abort CPUID/MSR (bsc#1121805).
- x86/a.out: Clear the dump structure initially (bnc#1012382).
- x86/fpu: Add might_fault() to user_insn() (bnc#1012382).
- x86/kaslr: Fix incorrect i8254 outb() parameters (bnc#1012382).
- x86: livepatch: Treat R_X86_64_PLT32 as R_X86_64_PC32 (bnc#1012382).
- x86/MCE: Initialize mce.bank in the case of a fatal error in mce_no_way_out() (bnc#1012382).
- x86/PCI: Fix Broadcom CNB20LE unintended sign extension (redux) (bnc#1012382).
- x86/pkeys: Properly copy pkey state at fork() (bsc#1106105).
- x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls (bnc#1012382).
- x86: respect memory size limiting via mem= parameter (bsc#1117645).
- x86/xen: dont add memory above max allowed allocation (bsc#1117645).
- xen, cpu_hotplug: Prevent an out of bounds access (bsc#1065600).
- xen: remove pre-xen3 fallback handlers (bsc#1065600).
- xfrm6_tunnel: Fix spi check in __xfrm6_tunnel_alloc_spi (bnc#1012382).
- xfrm: refine validation of template and selector families (bnc#1012382).
- Yama: Check for pid death before checking ancestry (bnc#1012382).
- xfs: remove filestream item xfs_inode reference (bsc#1127961).
ImportantSUSE bug 1012382SUSE bug 1020413SUSE bug 1023175SUSE bug 1031492SUSE bug 1042286SUSE bug 1050549SUSE bug 1065600SUSE bug 1070767SUSE bug 1075697SUSE bug 1078355SUSE bug 1082943SUSE bug 1086095SUSE bug 1086652SUSE bug 1087036SUSE bug 1087092SUSE bug 1090435SUSE bug 1094823SUSE bug 1099810SUSE bug 1102875SUSE bug 1102877SUSE bug 1102879SUSE bug 1102882SUSE bug 1102896SUSE bug 1102959SUSE bug 1103429SUSE bug 1105428SUSE bug 1106061SUSE bug 1106105SUSE bug 1106929SUSE bug 1107866SUSE bug 1109137SUSE bug 1109248SUSE bug 1109695SUSE bug 1114893SUSE bug 1116345SUSE bug 1116653SUSE bug 1117108SUSE bug 1117645SUSE bug 1117744SUSE bug 1119019SUSE bug 1119680SUSE bug 1119843SUSE bug 1120017SUSE bug 1120691SUSE bug 1120722SUSE bug 1120758SUSE bug 1120902SUSE bug 1121713SUSE bug 1121726SUSE bug 1121805SUSE bug 1122650SUSE bug 1122651SUSE bug 1122779SUSE bug 1122885SUSE bug 1123321SUSE bug 1123323SUSE bug 1123357SUSE bug 1123933SUSE bug 1124166SUSE bug 1124235SUSE bug 1124728SUSE bug 1124732SUSE bug 1124735SUSE bug 1124775SUSE bug 1124777SUSE bug 1124780SUSE bug 1124811SUSE bug 1125000SUSE bug 1125014SUSE bug 1125315SUSE bug 1125446SUSE bug 1125794SUSE bug 1125796SUSE bug 1125808SUSE bug 1125809SUSE bug 1125810SUSE bug 1125892SUSE bug 1126389SUSE bug 1126772SUSE bug 1126773SUSE bug 1126805SUSE bug 1127082SUSE bug 1127155SUSE bug 1127561SUSE bug 1127725SUSE bug 1127731SUSE bug 1127961SUSE bug 1128166SUSE bug 1128452SUSE bug 1128565SUSE bug 1128696SUSE bug 1128756SUSE bug 1128893SUSE bug 1129080SUSE bug 1129179SUSE bug 1129237SUSE bug 1129238SUSE bug 1129239SUSE bug 1129240SUSE bug 1129241SUSE bug 1129413SUSE bug 1129414SUSE bug 1129415SUSE bug 1129416SUSE bug 1129417SUSE bug 1129418SUSE bug 1129419SUSE bug 1129581SUSE bug 1129770SUSE bug 1129923CVE-2017-18249 at SUSECVE-2017-18249 at NVDCVE-2019-2024 at SUSECVE-2019-2024 at NVDCVE-2019-3459 at SUSECVE-2019-3459 at NVDCVE-2019-3460 at SUSECVE-2019-3460 at NVDCVE-2019-6974 at SUSECVE-2019-6974 at NVDCVE-2019-7221 at SUSECVE-2019-7221 at NVDCVE-2019-7222 at SUSECVE-2019-7222 at NVDCVE-2019-9213 at SUSECVE-2019-9213 at NVDcpe:/o:suse:sles:12:sp3Security update for sqlite3 (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for sqlite3 fixes the following issues:
Security issues fixed:
- CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).
- CVE-2018-20506: Fixed an integer overflow when FTS3 extension is enabled (bsc#1131576).
ModerateSUSE bug 1119687SUSE bug 1131576CVE-2018-20346 at SUSECVE-2018-20346 at NVDCVE-2018-20506 at SUSECVE-2018-20506 at NVDcpe:/o:suse:sles:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3
This update for xen fixes the following issues:
Security issues fixed:
- CVE-2018-19967: Fixed HLE constructs that allowed guests to lock up the host,
resulting in a Denial of Service (DoS). (XSA-282) (bsc#1114988)
- CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() found in slirp (bsc#1123157).
- Fixed an issue which could allow malicious or buggy guests with passed through PCI devices to be able to
escalate their privileges, crash the host, or access data belonging to other guests. Additionally memory
leaks were also possible (bsc#1126140).
- Fixed a race condition issue which could allow malicious PV guests to escalate their privilege to that
of the hypervisor (bsc#1126141).
- Fixed an issue which could allow a malicious unprivileged guest userspace process to escalate its privilege
to that of other userspace processes in the same guest and potentially thereby to that
of the guest operating system (bsc#1126201).
- CVE-2019-9824: Fixed an information leak in SLiRP networking implementation which could allow a user/process
to read uninitialised stack memory contents (bsc#1129623).
- CVE-2018-19961 CVE-2018-19962: Fixed insufficient TLB flushing / improper large page mappings with AMD IOMMUs (XSA-275)(bsc#1115040).
- CVE-2018-19965: Fixed denial of service issue from attempting to use INVPCID with a non-canonical addresses (XSA-279)(bsc#1115045).
- CVE-2018-19966: Fixed issue introduced by XSA-240 that could have caused conflicts with shadow paging (XSA-280)(bsc#1115047).
- Fixed an issue which could allow malicious PV guests may cause a host crash or
gain access to data pertaining to other guests.Additionally, vulnerable configurations
are likely to be unstable even in the absence of an attack (bsc#1126198).
- Fixed multiple access violations introduced by XENMEM_exchange hypercall which could allow
a single PV guest to leak arbitrary amounts of memory, leading to a denial of service (bsc#1126192).
- Fixed an issue which could allow malicious 64bit PV guests to cause a host crash (bsc#1127400).
- Fixed an issue which could allow malicious or buggy x86 PV guest kernels to mount a Denial of Service
attack affecting the whole system (bsc#1126197).
- Fixed an issue which could allow an untrusted PV domain with access to a physical device to DMA into its own
pagetables leading to privilege escalation (bsc#1126195).
- Fixed an issue which could allow a malicious or buggy x86 PV guest kernels can mount a Denial of Service
attack affecting the whole system (bsc#1126196).
Other issues addressed:
- Upstream bug fixes (bsc#1027519)
- Fixed an issue where live migrations were failing when spectre was enabled on xen boot cmdline (bsc#1116380).
- Fixed an issue where setup of grant_tables and other variables may fail (bsc#1126325).
- Fixed a building issue (bsc#1119161).
- Fixed an issue where xpti=no-dom0 was not working as expected (bsc#1105528).
- Packages should no longer use /var/adm/fillup-templates (bsc#1069468).
- Added Xen cmdline option 'suse_vtsc_tolerance' to avoid TSC emulation for HVM domUs (bsc#1026236).
ImportantSUSE bug 1026236SUSE bug 1027519SUSE bug 1069468SUSE bug 1105528SUSE bug 1114988SUSE bug 1115040SUSE bug 1115045SUSE bug 1115047SUSE bug 1116380SUSE bug 1117756SUSE bug 1119161SUSE bug 1123157SUSE bug 1126140SUSE bug 1126141SUSE bug 1126192SUSE bug 1126195SUSE bug 1126196SUSE bug 1126197SUSE bug 1126198SUSE bug 1126201SUSE bug 1126325SUSE bug 1127400SUSE bug 1129623CVE-2018-19665 at SUSECVE-2018-19665 at NVDCVE-2018-19961 at SUSECVE-2018-19961 at NVDCVE-2018-19962 at SUSECVE-2018-19962 at NVDCVE-2018-19965 at SUSECVE-2018-19965 at NVDCVE-2018-19966 at SUSECVE-2018-19966 at NVDCVE-2018-19967 at SUSECVE-2018-19967 at NVDCVE-2019-6778 at SUSECVE-2019-6778 at NVDCVE-2019-9824 at SUSECVE-2019-9824 at NVDcpe:/o:suse:sles:12:sp3Security update for xmltooling (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for xmltooling fixes the following issue:
Security issue fixed:
- CVE-2019-9628: Fixed an improper handling of exception in XMLTooling library which could result in
denial of service against the application using XMLTooling (bsc#1129537).
ModerateSUSE bug 1129537CVE-2019-9628 at SUSECVE-2019-9628 at NVDcpe:/o:suse:sles:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3
The SUSE Linux Enterprise 12 SP3 Azure kernel was updated to 4.4.162 to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2018-18281: The mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. (bnc#1113769).
- CVE-2018-18710: An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751).
- CVE-2018-18690: A local attacker able to set attributes on an xfs filesystem could make this filesystem non-operational until the next mount by triggering an unchecked error condition during an xfs attribute change, because xfs_attr_shortform_addname in fs/xfs/libxfs/xfs_attr.c mishandled ATTR_REPLACE operations with conversion of an attr from short to long form (bnc#1105025).
- CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).
- CVE-2018-9516: In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. (bnc#1108498).
- CVE-2018-14633: A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely. (bnc#1107829).
- CVE-2018-17182: The vmacache_flush_all function in mm/vmacache.c mishandled sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations (bnc#1108399).
- CVE-2018-16597: Incorrect access checking in overlayfs mounts could be used by local attackers to modify or truncate files in the underlying filesystem (bnc#1106512).
- CVE-2018-14613: There is an invalid pointer dereference in io_ctl_map_page() when mounting and operating a crafted btrfs image, because of a lack of block group item validation in check_leaf_item in fs/btrfs/tree-checker.c (bnc#1102896).
- CVE-2018-14617: There is a NULL pointer dereference and panic in hfsplus_lookup() in fs/hfsplus/dir.c when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory (bnc#1102870).
- CVE-2018-16276: Local attackers could use user access read/writes with incorrect bounds checking in the yurex USB driver to crash the kernel or potentially escalate privileges (bnc#1106095 bnc#1115593).
- CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1087209).
- CVE-2018-7480: The blkcg_init_queue function in block/blk-cgroup.c allowed local users to cause a denial of service (double free) or possibly have unspecified other impact by triggering a creation failure (bnc#1082863).
The following non-security bugs were fixed:
- 6lowpan: iphc: reset mac_header after decompress to fix panic (bnc#1012382).
- alsa: bebob: use address returned by kmalloc() instead of kernel stack for streaming DMA mapping (bnc#1012382).
- alsa: emu10k1: fix possible info leak to userspace on SNDRV_EMU10K1_IOCTL_INFO (bnc#1012382).
- alsa: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge (bnc#1012382).
- alsa: hda - Fix cancel_work_sync() stall from jackpoll work (bnc#1012382).
- alsa: hda/realtek - Cannot adjust speaker's volume on Dell XPS 27 7760 (bnc#1012382).
- alsa: msnd: Fix the default sample sizes (bnc#1012382).
- alsa: pcm: Fix snd_interval_refine first/last with open min/max (bnc#1012382).
- alsa: usb-audio: Fix multiple definitions in AU0828_DEVICE() macro (bnc#1012382).
- apparmor: remove no-op permission check in policy_unpack (git-fixes).
- arc: build: Get rid of toolchain check (bnc#1012382).
- arc: clone syscall to setp r25 as thread pointer (bnc#1012382).
- arch/hexagon: fix kernel/dma.c build warning (bnc#1012382).
- arch-symbols: use bash as interpreter since the script uses bashism.
- arc: [plat-axs*]: Enable SWAP (bnc#1012382).
- arm64: bpf: jit JMP_JSET_{X,K} (bsc#1110613).
- arm64: Correct type for PUD macros (bsc#1110600).
- arm64: cpufeature: Track 32bit EL0 support (bnc#1012382).
- arm64: dts: qcom: db410c: Fix Bluetooth LED trigger (bnc#1012382).
- arm64: fix erroneous __raw_read_system_reg() cases (bsc#1110606).
- arm64: Fix potential race with hardware DBM in ptep_set_access_flags() (bsc#1110605).
- arm64: fpsimd: Avoid FPSIMD context leakage for the init task (bsc#1110603).
- arm64: jump_label.h: use asm_volatile_goto macro instead of 'asm goto' (bnc#1012382).
- arm64: kasan: avoid bad virt_to_pfn() (bsc#1110612).
- arm64: kasan: avoid pfn_to_nid() before page array is initialized (bsc#1110619).
- arm64/kasan: do not allocate extra shadow memory (bsc#1110611).
- arm64: kernel: Update kerneldoc for cpu_suspend() rename (bsc#1110602).
- arm64: kgdb: handle read-only text / modules (bsc#1110604).
- arm64: KVM: Sanitize PSTATE.M when being set from userspace (bnc#1012382).
- arm64: KVM: Tighten guest core register access from userspace (bnc#1012382).
- arm64/mm/kasan: do not use vmemmap_populate() to initialize shadow (bsc#1110618).
- arm64: ptrace: Avoid setting compat FP[SC]R to garbage if get_user fails (bsc#1110601).
- arm64: supported.conf: mark armmmci as not supported
- arm64 Update config files. (bsc#1110468) Set MMC_QCOM_DML to build-in and delete driver from supported.conf
- arm64: vdso: fix clock_getres for 4GiB-aligned res (bsc#1110614).
- arm: dts: at91: add new compatibility string for macb on sama5d3 (bnc#1012382).
- arm: dts: dra7: fix DCAN node addresses (bnc#1012382).
- arm: exynos: Clear global variable on init error path (bnc#1012382).
- arm: hisi: check of_iomap and fix missing of_node_put (bnc#1012382).
- arm: hisi: fix error handling and missing of_node_put (bnc#1012382).
- arm: hisi: handle of_iomap and fix missing of_node_put (bnc#1012382).
- arm: mvebu: declare asm symbols as character arrays in pmsu.c (bnc#1012382).
- asm/sections: add helpers to check for section data (bsc#1063026).
- ASoC: cs4265: fix MMTLR Data switch control (bnc#1012382).
- ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs (bnc#1012382).
- ASoC: sigmadsp: safeload should not have lower byte limit (bnc#1012382).
- ASoC: wm8804: Add ACPI support (bnc#1012382).
- ASoC: wm8994: Fix missing break in switch (bnc#1012382).
- ata: libahci: Correct setting of DEVSLP register (bnc#1012382).
- ath10k: disable bundle mgmt tx completion event support (bnc#1012382).
- ath10k: fix scan crash due to incorrect length calculation (bnc#1012382).
- ath10k: fix use-after-free in ath10k_wmi_cmd_send_nowait (bnc#1012382).
- ath10k: prevent active scans on potential unusable channels (bnc#1012382).
- ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock (bnc#1012382).
- audit: fix use-after-free in audit_add_watch (bnc#1012382).
- autofs: fix autofs_sbi() does not check super block type (bnc#1012382).
- binfmt_elf: Respect error return from `regset->active' (bnc#1012382).
- block: bvec_nr_vecs() returns value for wrong slab (bsc#1082979).
- bluetooth: Add a new Realtek 8723DE ID 0bda:b009 (bnc#1012382).
- bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV (bnc#1012382).
- bluetooth: hidp: Fix handling of strncpy for hid->name information (bnc#1012382).
- bnxt_en: Fix TX timeout during netpoll (bnc#1012382).
- bonding: avoid possible dead-lock (bnc#1012382).
- bpf: fix cb access in socket filter programs on tail calls (bsc#1012382).
- bpf: fix map not being uncharged during map creation failure (bsc#1012382).
- bpf: fix overflow in prog accounting (bsc#1012382).
- bpf, s390: fix potential memleak when later bpf_jit_prog fails (git-fixes).
- bpf, s390x: do not reload skb pointers in non-skb context (git-fixes).
- btrfs: add a comp_refs() helper (dependency for bsc#1031392).
- btrfs: Add checker for EXTENT_CSUM (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: add missing initialization in btrfs_check_shared (Git-fixes bsc#1112262).
- btrfs: Add sanity check for EXTENT_DATA when reading out leaf (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: add tracepoints for outstanding extents mods (dependency for bsc#1031392).
- btrfs: add wrapper for counting BTRFS_MAX_EXTENT_SIZE (dependency for bsc#1031392).
- btrfs: Check if item pointer overlaps with the item itself (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: Check that each block group has corresponding chunk at mount time (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: cleanup extent locking sequence (dependency for bsc#1031392).
- btrfs: defrag: use btrfs_mod_outstanding_extents in cluster_pages_for_defrag (Follow up fixes for bsc#1031392).
- btrfs: delayed-inode: Remove wrong qgroup meta reservation calls (bsc#1031392).
- btrfs: delayed-inode: Use new qgroup meta rsv for delayed inode and item (bsc#1031392).
- btrfs: Enhance btrfs_trim_fs function to handle error better (Dependency for bsc#1113667).
- btrfs: Ensure btrfs_trim_fs can trim the whole filesystem (bsc#1113667).
- btrfs: fix error handling in btrfs_dev_replace_start (bsc#1107535).
- btrfs: fix invalid attempt to free reserved space on failure to cow range (dependency for bsc#1031392).
- btrfs: fix missing error return in btrfs_drop_snapshot (Git-fixes bsc#1109919).
- btrfs: Fix race condition between delayed refs and blockgroup removal (Git-fixes bsc#1112263).
- btrfs: Fix wrong btrfs_delalloc_release_extents parameter (bsc#1031392).
- btrfs: Introduce mount time chunk <-> dev extent mapping check (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: kill trans in run_delalloc_nocow and btrfs_cross_ref_exist (dependency for bsc#1031392).
- btrfs: make the delalloc block rsv per inode (dependency for bsc#1031392).
- btrfs: Move leaf and node validation checker to tree-checker.c (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: pass delayed_refs directly to btrfs_find_delayed_ref_head (dependency for bsc#1031392).
- btrfs: qgroup: Add quick exit for non-fs extents (dependency for bsc#1031392).
- btrfs: qgroup: Cleanup btrfs_qgroup_prepare_account_extents function (dependency for bsc#1031392).
- btrfs: qgroup: Cleanup the remaining old reservation counters (bsc#1031392).
- btrfs: qgroup: Commit transaction in advance to reduce early EDQUOT (bsc#1031392).
- btrfs: qgroup: Do not use root->qgroup_meta_rsv for qgroup (bsc#1031392).
- btrfs: qgroup: Fix wrong qgroup reservation update for relationship modification (bsc#1031392).
- btrfs: qgroup: Introduce function to convert META_PREALLOC into META_PERTRANS (bsc#1031392).
- btrfs: qgroup: Introduce helpers to update and access new qgroup rsv (bsc#1031392).
- btrfs: qgroup: Make qgroup_reserve and its callers to use separate reservation type (bsc#1031392).
- btrfs: qgroup: Skeleton to support separate qgroup reservation type (bsc#1031392).
- btrfs: qgroups: opencode qgroup_free helper (dependency for bsc#1031392).
- btrfs: qgroup: Split meta rsv type into meta_prealloc and meta_pertrans (bsc#1031392).
- btrfs: qgroup: Update trace events for metadata reservation (bsc#1031392).
- btrfs: qgroup: Update trace events to use new separate rsv types (bsc#1031392).
- btrfs: qgroup: Use independent and accurate per inode qgroup rsv (bsc#1031392).
- btrfs: qgroup: Use root::qgroup_meta_rsv_* to record qgroup meta reserved space (bsc#1031392).
- btrfs: qgroup: Use separate meta reservation type for delalloc (bsc#1031392).
- btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized (bnc#1012382).
- btrfs: remove type argument from comp_tree_refs (dependency for bsc#1031392).
- btrfs: replace: Reset on-disk dev stats value after replace (bnc#1012382).
- btrfs: rework outstanding_extents (dependency for bsc#1031392).
- btrfs: scrub: Do not use inode page cache in scrub_handle_errored_block() (bsc#1108096).
- btrfs: switch args for comp_*_refs (dependency for bsc#1031392).
- btrfs: Take trans lock before access running trans in check_delayed_ref (Follow up fixes for bsc#1031392).
- btrfs: tree-checker: Add checker for dir item (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: Detect invalid and empty essential trees (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: Enhance btrfs_check_node output (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: Enhance output for btrfs_check_leaf (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: Enhance output for check_csum_item (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: Enhance output for check_extent_data_item (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: Fix false panic for sanity test (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: Replace root parameter with fs_info (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: use %zu format string for size_t (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: use %zu format string for size_t (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: Verify block_group_item (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: use correct compare function of dirty_metadata_bytes (bnc#1012382).
- btrfs: Verify that every chunk has corresponding block group at mount time (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- ceph: avoid a use-after-free in ceph_destroy_options() (bsc#1112007).
- cfg80211: fix a type issue in ieee80211_chandef_to_operating_class() (bnc#1012382).
- cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE (bnc#1012382).
- cfq: Give a chance for arming slice idle timer in case of group_idle (bnc#1012382).
- cgroup: Fix deadlock in cpu hotplug path (bnc#1012382).
- cgroup, netclassid: add a preemption point to write_classid (bnc#1098996).
- cifs: check for STATUS_USER_SESSION_DELETED (bsc#1112902).
- cifs: check if SMB2 PDU size has been padded and suppress the warning (bnc#1012382).
- cifs: connect to servername instead of IP for IPC$ share (bsc#1106359).
- cifs: fix memory leak in SMB2_open() (bsc#1112894).
- cifs: Fix use after free of a mid_q_entry (bsc#1112903).
- cifs: fix wrapping bugs in num_entries() (bnc#1012382).
- cifs: integer overflow in in SMB2_ioctl() (bsc#1012382).
- cifs: prevent integer overflow in nxt_dir_entry() (bnc#1012382).
- cifs: read overflow in is_valid_oplock_break() (bnc#1012382).
- clk: imx6ul: fix missing of_node_put() (bnc#1012382).
- clocksource/drivers/ti-32k: Add CLOCK_SOURCE_SUSPEND_NONSTOP flag for non-am43 SoCs (bnc#1012382).
- coresight: Handle errors in finding input/output ports (bnc#1012382).
- coresight: tpiu: Fix disabling timeouts (bnc#1012382).
- cpu/hotplug: Fix SMT supported evaluation (bsc#1089343).
- crypto: clarify licensing of OpenSSL asm code ().
- crypto: mxs-dcp - Fix wait logic on chan threads (bnc#1012382).
- crypto: sharah - Unregister correct algorithms for SAHARA 3 (bnc#1012382).
- crypto: skcipher - Fix -Wstringop-truncation warnings (bnc#1012382).
- crypto: vmx - Remove overly verbose printk from AES XTS init (git-fixes).
- debugobjects: Make stack check warning more informative (bnc#1012382).
- Define dependencies of in-kernel KMPs statically This allows us to use rpm's internal dependency generator (bsc#981083).
- Define early_radix_enabled() (bsc#1094244).
- dmaengine: pl330: fix irq race with terminate_all (bnc#1012382).
- dm cache: fix resize crash if user does not reload cache table (bnc#1012382).
- dm kcopyd: avoid softlockup in run_complete_job (bnc#1012382).
- dm-mpath: do not try to access NULL rq (bsc#1110337).
- dm-mpath: finally fixup cmd_flags (bsc#1110930).
- dm thin metadata: fix __udivdi3 undefined on 32-bit (bnc#1012382).
- dm thin metadata: try to avoid ever aborting transactions (bnc#1012382).
- Do not ship firmware (bsc#1054239). Pull firmware from kernel-firmware instead.
- drivers: HV: Send one page worth of kmsg dump over Hyper-V during panic (bug#1109038).
- drivers: hv: vmbus: Add comments on ring buffer signaling (bug#1109038).
- drivers: hv: vmbus: add numa_node to sysfs (bug#1109038).
- drivers: hv: vmbus: Cleanup synic memory free path (bug#1109038).
- drivers: hv: vmbus: do not mark HV_PCIE as perf_device (bug#1109038).
- drivers: hv: vmbus: enable VMBus protocol version 5.0 (bug#1109038).
- drivers: hv: vmbus: Expose per-channel interrupts and events counters (bsc#1109038).
- drivers: hv: vmbus: Fix a rescind issue (bsc#1109038).
- drivers: hv: vmbus: Fix bugs in rescind handling (bug#1109038).
- drivers: hv: vmbus: Fix ring buffer signaling (bug#1109038).
- drivers: hv: vmbus: Fix the issue with freeing up hv_ctl_table_hdr (bug#1109038).
- drivers: hv: vmbus: Fix the offer_in_progress in vmbus_process_offer() (bug#1109038).
- drivers: hv: vmbus: Get rid of MSR access from vmbus_drv.c (bug#1109038).
- drivers: hv: vmbus: Make panic reporting to be more useful (bsc#1109038).
- drivers: hv: vmbus: Make TLFS #define names architecture neutral (bug#1109038).
- drivers: hv: vmbus: Removed an unnecessary cast from void * (bug#1109038).
- drivers: hv: vmbus: Remove use of slow_virt_to_phys() (bug#1109038).
- drivers: hv: vmbus: Remove x86-isms from arch independent drivers (bsc#1109038).
- drivers: hv: vmbus: Remove x86 MSR refs in arch independent code (bug#1109038).
- drivers: hv: vmbus: Reset the channel callback in vmbus_onoffer_rescind() (bug#1109038).
- drivers: hv: vmbus: respect what we get from hv_get_synint_state() (bug#1109038).
- drivers: hv: vmbus: Use get/put_cpu() in vmbus_connect() (bug#1109038).
- drivers: hv: vmus: Fix the check for return value from kmsg get dump buffer (bug#1109038).
- drivers: net: cpsw: fix parsing of phy-handle DT property in dual_emac config (bnc#1012382).
- drivers: net: cpsw: fix segfault in case of bad phy-handle (bnc#1012382).
- drivers/tty: add error handling for pcmcia_loop_config (bnc#1012382).
- drm/amdgpu: Fix SDMA HQD destroy error on gfx_v7 (bnc#1012382).
- drm/amdkfd: Fix error codes in kfd_get_process (bnc#1012382).
- drm/hisilicon: hibmc: Do not carry error code in HiBMC framebuffer (bsc#1113766)
- drm/hisilicon: hibmc: Do not overwrite fb helper surface depth (bsc#1113766)
- drm/nouveau/drm/nouveau: Use pm_runtime_get_noresume() in connector_detect() (bnc#1012382).
- drm/nouveau/TBDdevinit: do not fail when PMU/PRE_OS is missing from VBIOS (bnc#1012382).
- drm/nouveau: tegra: Detach from ARM DMA/IOMMU mapping (bnc#1012382).
- drm/virtio: fix bounds check in virtio_gpu_cmd_get_capset() (bsc#1106929)
- Drop dtb-source.spec and move the sources to kernel-source (bsc#1011920)
- e1000: check on netif_running() before calling e1000_up() (bnc#1012382).
- e1000: ensure to free old tx/rx rings in set_ringparam() (bnc#1012382).
- ebtables: arpreply: Add the standard target sanity check (bnc#1012382).
- edac: Fix memleak in module init error path (bsc#1109441).
- edac, i7core: Fix memleaks and use-after-free on probe and remove (1109441).
- edac, thunderx: Fix memory leak in thunderx_l2c_threaded_isr() (bsc#1114648).
- ethernet: ti: davinci_emac: add missing of_node_put after calling of_parse_phandle (bnc#1012382).
- ethtool: Remove trailing semicolon for static inline (bnc#1012382).
- ethtool: restore erroneously removed break in dev_ethtool (bsc#1114229).
- ext4: avoid divide by zero fault when deleting corrupted inline directories (bnc#1012382).
- ext4: do not mark mmp buffer head dirty (bnc#1012382).
- ext4: fix online resize's handling of a too-small final block group (bnc#1012382).
- ext4: fix online resizing for bigalloc file systems with a 1k block size (bnc#1012382).
- ext4: recalucate superblock checksum after updating free blocks/inodes (bnc#1012382).
- f2fs: do not set free of current section (bnc#1012382).
- f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize (bnc#1012382).
- fat: validate ->i_start before using (bnc#1012382).
- fbdev: Distinguish between interlaced and progressive modes (bnc#1012382).
- fbdev: fix broken menu dependencies (bsc#1106929)
- fbdev/omapfb: fix omapfb_memory_read infoleak (bnc#1012382).
- fbdev/via: fix defined but not used warning (bnc#1012382).
- Fixes: Commit cdbf92675fad ('mm: numa: avoid waiting on freed migrated pages') (bnc#1012382).
- fix init of hv_vp_index on SMP
- floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl (bnc#1012382).
- fork: do not copy inconsistent signal handler state to child (bnc#1012382).
- fs/cifs: do not translate SFM_SLASH (U+F026) to backslash (bnc#1012382).
- fs/cifs: suppress a string overflow warning (bnc#1012382).
- fs/dcache.c: fix kmemcheck splat at take_dentry_name_snapshot() (bnc#1012382).
- fs/eventpoll: loosen irq-safety when possible (bsc#1096052).
- genirq: Delay incrementing interrupt count if it's disabled/pending (bnc#1012382).
- gfs2: Special-case rindex for gfs2_grow (bnc#1012382).
- gpio: adp5588: Fix sleep-in-atomic-context bug (bnc#1012382).
- gpiolib: Mark gpio_suffixes array with __maybe_unused (bnc#1012382).
- gpio: ml-ioh: Fix buffer underwrite on probe error path (bnc#1012382).
- gpio: tegra: Move driver registration to subsys_init level (bnc#1012382).
- gso_segment: Reset skb->mac_len after modifying network header (bnc#1012382).
- hexagon: modify ffs() and fls() to return int (bnc#1012382).
- hfsplus: do not return 0 when fill_super() failed (bnc#1012382).
- hfs: prevent crash on exit from failed search (bnc#1012382).
- hid: hid-ntrig: add error handling for sysfs_create_group (bnc#1012382).
- hid: hyperv: pr_err() strings should end with newlines (bug#1109038).
- hid: sony: Support DS4 dongle (bnc#1012382).
- hid: sony: Update device ids (bnc#1012382).
- hv: add SPDX license id to Kconfig (bug#1109038).
- hv: add SPDX license to trace (bug#1109038).
- hv: avoid crash in vmbus sysfs files (bnc#1108377).
- hv_balloon: trace post_status (bug#1109038).
- hv_netvsc: Add handlers for ethtool get/set msg level (bug#1109038).
- hv_netvsc: Add NetVSP v6 and v6.1 into version negotiation (bug#1109038).
- hv_netvsc: Add per-cpu ethtool stats for netvsc (bug#1109038).
- hv_netvsc: Add range checking for rx packet offset and length (bug#1109038).
- hv_netvsc: add trace points (bug#1109038).
- hv_netvsc: avoid retry on send during shutdown (bug#1109038).
- hv_netvsc: avoid unnecessary wakeups on subchannel creation (bug#1109038).
- hv_netvsc: cancel subchannel setup before halting device (bug#1109038).
- hv_netvsc: change GPAD teardown order on older versions (bug#1109038).
- hv_netvsc: Clean up extra parameter from rndis_filter_receive_data() (bug#1109038).
- hv_netvsc: common detach logic (bug#1109038).
- hv_netvsc: disable NAPI before channel close (bug#1109038).
- hv_netvsc: Ensure correct teardown message sequence order (bug#1109038).
- hv_netvsc: Fix a deadlock by getting rtnl lock earlier in netvsc_probe() (bug#1109038).
- hv_netvsc: Fix a network regression after ifdown/ifup (bug#1109038).
- hv_netvsc: fix bogus ifalias on network device (bug#1109038).
- hv_netvsc: fix deadlock on hotplug (bug#1109038).
- hv_netvsc: fix error unwind handling if vmbus_open fails (bug#1109038).
- hv/netvsc: fix handling of fallback to single queue mode (bug#1109038).
- hv_netvsc: Fix napi reschedule while receive completion is busy (bug#1109038).
- hv_netvsc: Fix net device attach on older Windows hosts (bug#1109038).
- hv_netvsc: fix network namespace issues with VF support (bug#1109038).
- hv/netvsc: Fix NULL dereference at single queue mode fallback (bug#1109038).
- hv_netvsc: fix race in napi poll when rescheduling (bug#1109038).
- hv_netvsc: fix schedule in RCU context (bug#1109038).
- hv_netvsc: Fix the return status in RX path (bug#1109038).
- hv_netvsc: Fix the variable sizes in ipsecv2 and rsc offload (bug#1109038).
- hv_netvsc: fix vf serial matching with pci slot info (bug#1109038).
- hv_netvsc: ignore devices that are not PCI (bug#1109038).
- hv_netvsc: move VF to same namespace as netvsc device (bug#1109038).
- hv_netvsc: netvsc_teardown_gpadl() split (bsc#1109038).
- hv_netvsc: only wake transmit queue if link is up (bug#1109038).
- hv_netvsc: pair VF based on serial number (bug#1109038).
- hv_netvsc: Pass net_device parameter to revoke and teardown functions (bug#1109038).
- hv_netvsc: pass netvsc_device to rndis halt (bug#1109038).
- hv_netvsc: preserve hw_features on mtu/channels/ringparam changes (bsc#1109038).
- hv_netvsc: propogate Hyper-V friendly name into interface alias (bug#1109038).
- hv_netvsc: select needed ucs2_string routine (bug#1109038).
- hv_netvsc: set master device (bug#1109038).
- hv_netvsc: Set tx_table to equal weight after subchannels open (bsc#1109038).
- hv_netvsc: Simplify num_chn checking in rndis_filter_device_add() (bug#1109038).
- hv_netvsc: simplify receive side calling arguments (bug#1109038).
- hv_netvsc: Split netvsc_revoke_buf() and netvsc_teardown_gpadl() (bug#1109038).
- hv_netvsc: split sub-channel setup into async and sync (bug#1109038).
- hv_netvsc: typo in NDIS RSS parameters structure (bug#1109038).
- hv_netvsc: use napi_schedule_irqoff (bug#1109038).
- hv_netvsc: use RCU to fix concurrent rx and queue changes (bug#1109038).
- hv_netvsc: use reciprocal divide to speed up percent calculation (bsc#1109038).
- hv_netvsc: Use the num_online_cpus() for channel limit (bsc#1109038).
- hv_netvsc: Use Windows version instead of NVSP version on GPAD teardown (bug#1109038).
- hv: Synthetic typo correction (bug#1109038).
- hv_vmbus: Correct the stale comments regarding cpu affinity (bug#1109038).
- hwmon: (adt7475) Make adt7475_read_word() return errors (bnc#1012382).
- hwmon: (ina2xx) fix sysfs shunt resistor read access (bnc#1012382).
- hwrng: core - document the quality field (git-fixes).
- hyper-v: Globalize vp_index (bug#1109038).
- hyper-v: use GFP_KERNEL for hv_context.hv_numa_map (bug#1109038).
- i2c: i2c-scmi: fix for i2c_smbus_write_block_data (bnc#1012382).
- i2c: i801: Allow ACPI AML access I/O ports not reserved for SMBus (bnc#1012382).
- i2c: i801: fix DNV's SMBCTRL register offset (bnc#1012382).
- i2c: uniphier-f: issue STOP only for last message or I2C_M_STOP (bnc#1012382).
- i2c: uniphier: issue STOP only for last message or I2C_M_STOP (bnc#1012382).
- i2c: xiic: Make the start and the byte count write atomic (bnc#1012382).
- i2c: xlp9xx: Add support for SMBAlert (bsc#1103308).
- i2c: xlp9xx: Fix case where SSIF read transaction completes early (bsc#1103308).
- i2c: xlp9xx: Fix issue seen when updating receive length (bsc#1103308).
- i2c: xlp9xx: Make sure the transfer size is not more than I2C_SMBUS_BLOCK_SIZE (bsc#1103308).
- IB/ipoib: Avoid a race condition between start_xmit and cm_rep_handler (bnc#1012382).
- IB/srp: Avoid that sg_reset -d ${srp_device} triggers an infinite loop (bnc#1012382).
- ib_srp: Remove WARN_ON in srp_terminate_io() (bsc#1094562).
- Input: atakbd - fix Atari CapsLock behaviour (bnc#1012382).
- Input: atakbd - fix Atari keymap (bnc#1012382).
- Input: atmel_mxt_ts - only use first T9 instance (bnc#1012382).
- Input: elantech - enable middle button of touchpad on ThinkPad P72 (bnc#1012382).
- iommu/amd: Return devid as alias for ACPI HID devices (bsc#1106105).
- iommu/arm-smmu-v3: sync the OVACKFLG to PRIQ consumer register (bnc#1012382).
- iommu/ipmmu-vmsa: Fix allocation in atomic context (bnc#1012382).
- ip6_tunnel: be careful when accessing the inner header (bnc#1012382).
- ipmi:ssif: Add support for multi-part transmit messages > 2 parts (bsc#1103308).
- ip_tunnel: be careful when accessing the inner header (bnc#1012382).
- ipv4: fix use-after-free in ip_cmsg_recv_dstaddr() (bnc#1012382).
- ipv6: fix possible use-after-free in ip6_xmit() (bnc#1012382).
- ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest() (bnc#1012382).
- irqchip/bcm7038-l1: Hide cpu offline callback when building for !SMP (bnc#1012382).
- irqchip/gic-v3: Add missing barrier to 32bit version of gic_read_iar() (bnc#1012382).
- iw_cxgb4: only allow 1 flush on user qps (bnc#1012382).
- ixgbe: pci_set_drvdata must be called before register_netdev (Git-fixes bsc#1109923).
- jffs2: return -ERANGE when xattr buffer is too small (bnc#1012382).
- KABI: move the new handler to end of machdep_calls and hide it from genksyms (bsc#1094244).
- kabi.pl: Consider GPL vs. non-GPL exports ()
- kabi protect hnae_ae_ops (bsc#1107924).
- kABI: protect struct hnae_desc_cb (kabi).
- kbuild: add .DELETE_ON_ERROR special target (bnc#1012382).
- kbuild: make missing $DEPMOD a Warning instead of an Error (bnc#1012382).
- kernel-{binary,docs}.spec sort dependencies.
- kernel-binary: pass ARCH= to kernel build Recent kernel does not save CONFIG_64BIT so it has to be specified by arch.
- kernel-binary: pass MAKE_ARGS to install script as well.
- kernel-binary.spec Remove superfluous [].
- kernel-binary undefine unique_debug_names Some tools do not understand names like usr/lib/debug/boot/vmlinux-4.12.14-11.10-default-4.12.14-11.10.ppc64le.debug
- kernel-obs-build.spec.in: add --no-hostonly-cmdline to dracut invocation (boo#1062303). call dracut with --no-hostonly-cmdline to avoid the random rootfs UUID being added into the initrd's /etc/cmdline.d/95root-dev.conf
- kernel-obs-build.spec.in: enable xfs module This allows the public cloud team to build images with XFS as root filesystem
- kernel-obs-build: use pae and lpae kernels where available (bsc#1073579).
- kernel/params.c: downgrade warning for unsafe parameters (bsc#1050549).
- kernel-source.spec: Align source numbering.
- kernel-*.spec: remove remaining occurences of %release from dependencies There is a mix of %release and %source_rel in manually added dependencies and the %release dependencies tend to fail due to rebuild sync issues. So get rid of them.
- kprobes/x86: Release insn_slot in failure path (bsc#1110006).
- kthread: fix boot hang (regression) on MIPS/OpenRISC (bnc#1012382).
- kthread: Fix use-after-free if kthread fork fails (bnc#1012382).
- KVM: nVMX: Do not expose MPX VMX controls when guest MPX disabled (bsc#1106240).
- KVM: nVMX: Do not flush TLB when vmcs12 uses VPID (bsc#1106240).
- KVM: PPC: Book3S HV: Do not truncate HPTE index in xlate function (bnc#1012382).
- KVM: x86: Do not re-{try,execute} after failed emulation in L2 (bsc#1106240).
- KVM: x86: Do not use kvm_x86_ops->mpx_supported() directly (bsc#1106240).
- KVM: x86: fix APIC page invalidation (bsc#1106240).
- KVM: x86: remove eager_fpu field of struct kvm_vcpu_arch (bnc#1012382).
- KVM/x86: remove WARN_ON() for when vm_munmap() fails (bsc#1106240).
- KVM: x86: SVM: Call x86_spec_ctrl_set_guest/host() with interrupts disabled (bsc#1106240).
- l2tp: cast l2tp traffic counter to unsigned (bsc#1099810).
- lib/test_hexdump.c: fix failure on big endian cpu (bsc#1106110).
- Limit kernel-source build to architectures for which we build binaries (bsc#1108281).
- locking/osq_lock: Fix osq_lock queue corruption (bnc#1012382).
- locking/rwsem-xadd: Fix missed wakeup due to reordering of load (bnc#1012382).
- lpfc: fixup crash in lpfc_els_unsol_buffer() (bsc#1107318).
- mac80211: correct use of IEEE80211_VHT_CAP_RXSTBC_X (bnc#1012382).
- mac80211: fix a race between restart and CSA flows (bnc#1012382).
- mac80211: fix setting IEEE80211_KEY_FLAG_RX_MGMT for AP mode keys (bnc#1012382).
- mac80211: Fix station bandwidth setting after channel switch (bnc#1012382).
- mac80211_hwsim: correct use of IEEE80211_VHT_CAP_RXSTBC_X (bnc#1012382).
- mac80211: mesh: fix HWMP sequence numbering to follow standard (bnc#1012382).
- mac80211: restrict delayed tailroom needed decrement (bnc#1012382).
- mac80211: shorten the IBSS debug messages (bnc#1012382).
- mach64: detect the dot clock divider correctly on sparc (bnc#1012382).
- macintosh/via-pmu: Add missing mmio accessors (bnc#1012382).
- macros.kernel-source: define linux_arch for KMPs (boo#1098050). CONFIG_64BIT is no longer defined so KMP spec files need to include %{?linux_make_arch} in any make call to build modules or descent into the kernel directory for any reason.
- macros.kernel-source: Fix building non-x86 KMPs
- macros.kernel-source: ignore errors when using make to print kernel release There is no way to handle the errors anyway and including the error into package version does not give good results.
- macros.kernel-source: pass -b properly in kernel module package (bsc#1107870).
- macros.kernel-source: pass -f properly in module subpackage (boo#1076393).
- md-cluster: clear another node's suspend_area after the copy is finished (bnc#1012382).
- md/raid1: exit sync request if MD_RECOVERY_INTR is set (git-fixes).
- md/raid5: fix data corruption of replacements after originals dropped (bnc#1012382).
- media: af9035: prevent buffer overflow on write (bnc#1012382).
- media: exynos4-is: Prevent NULL pointer dereference in __isp_video_try_fmt() (bnc#1012382).
- media: fsl-viu: fix error handling in viu_of_probe() (bnc#1012382).
- media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial data (bnc#1012382).
- media: omap_vout: Fix a possible null pointer dereference in omap_vout_open() (bsc#1050431).
- media: s3c-camif: ignore -ENOIOCTLCMD from v4l2_subdev_call for s_power (bnc#1012382).
- media: soc_camera: ov772x: correct setting of banding filter (bnc#1012382).
- media: tm6000: add error handling for dvb_register_adapter (bnc#1012382).
- media: uvcvideo: Support realtek's UVC 1.5 device (bnc#1012382).
- media: v4l: event: Prevent freeing event subscriptions while accessed (bnc#1012382).
- media: videobuf2-core: check for q->error in vb2_core_qbuf() (bnc#1012382).
- media: videobuf-dma-sg: Fix dma_{sync,unmap}_sg() calls (bsc#1050431).
- mei: bus: type promotion bug in mei_nfc_if_version() (bnc#1012382).
- mei: me: allow runtime pm for platform with D0i3 (bnc#1012382).
- memory_hotplug: cond_resched in __remove_pages (bnc#1114178).
- mfd: omap-usb-host: Fix dts probe of children (bnc#1012382).
- mfd: sm501: Set coherent_dma_mask when creating subdevices (bnc#1012382).
- mfd: ti_am335x_tscadc: Fix struct clk memory leak (bnc#1012382).
- MIPS: ath79: fix system restart (bnc#1012382).
- MIPS: Fix ISA virt/bus conversion for non-zero PHYS_OFFSET (bnc#1012382).
- MIPS: jz4740: Bump zload address (bnc#1012382).
- MIPS: loongson64: cs5536: Fix PCI_OHCI_INT_REG reads (bnc#1012382).
- MIPS: Octeon: add missing of_node_put() (bnc#1012382).
- MIPS: VDSO: Match data page cache colouring when D$ aliases (bnc#1012382).
- MIPS: WARN_ON invalid DMA cache maintenance, not BUG_ON (bnc#1012382).
- misc: hmc6352: fix potential Spectre v1 (bnc#1012382).
- misc: mic: SCIF Fix scif_get_new_port() error handling (bnc#1012382).
- misc: ti-st: Fix memory leak in the error path of probe() (bnc#1012382).
- mkspec: do not build dtbs for architectures with no kernel.
- mkspec: fix perl warning
- mkspec: only build docs for default variant kernel.
- mmc: mmci: stop building qcom dml as module (bsc#1110468).
- mm/fadvise.c: fix signed overflow UBSAN complaint (bnc#1012382).
- mm: fix devmem_is_allowed() for sub-page System RAM intersections (bsc#1110006).
- mm: get rid of vmacache_flush_all() entirely (bnc#1012382).
- mm: madvise(MADV_DODUMP): allow hugetlbfs pages (bnc#1012382).
- mm: /proc/pid/pagemap: hide swap entries from unprivileged users (Git-fixes bsc#1109907).
- mm: shmem.c: Correctly annotate new inodes for lockdep (bnc#1012382).
- mm/vmstat.c: fix outdated vmstat_text (bnc#1012382).
- mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly (bnc#1012382).
- mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly (git fixes).
- module: exclude SHN_UNDEF symbols from kallsyms api (bnc#1012382).
- move changes without Git-commit out of sorted section
- mtdchar: fix overflows in adjustment of `count` (bnc#1012382).
- mtd/maps: fix solutionengine.c printk format warnings (bnc#1012382).
- neighbour: confirm neigh entries when ARP packet is received (bnc#1012382).
- net/9p: fix error path of p9_virtio_probe (bnc#1012382).
- net/appletalk: fix minor pointer leak to userspace in SIOCFINDIPDDPRT (bnc#1012382).
- net: bcmgenet: use MAC link status for fixed phy (bnc#1012382).
- net: cadence: Fix a sleep-in-atomic-context bug in macb_halt_tx() (bnc#1012382).
- net: dcb: For wild-card lookups, use priority -1, not 0 (bnc#1012382).
- net: ena: Eliminate duplicate barriers on weakly-ordered archs (bsc#1108240).
- net: ena: fix device destruction to gracefully free resources (bsc#1108240).
- net: ena: fix driver when PAGE_SIZE == 64kB (bsc#1108240).
- net: ena: fix incorrect usage of memory barriers (bsc#1108240).
- net: ena: fix missing calls to READ_ONCE (bsc#1108240).
- net: ena: fix missing lock during device destruction (bsc#1108240).
- net: ena: fix potential double ena_destroy_device() (bsc#1108240).
- net: ena: fix surprise unplug NULL dereference kernel crash (bsc#1108240).
- net: ethernet: mvneta: Fix napi structure mixup on armada 3700 (bsc#1110616).
- net: ethernet: ti: cpsw: fix mdio device reference leak (bnc#1012382).
- netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user (bnc#1012382).
- net: hns: add netif_carrier_off before change speed and duplex (bsc#1107924).
- net: hns: add the code for cleaning pkt in chip (bsc#1107924).
- net: hns: fix length and page_offset overflow when CONFIG_ARM64_64K_PAGES (bnc#1012382).
- net: hp100: fix always-true check for link up state (bnc#1012382).
- net: ipv4: update fnhe_pmtu when first hop's MTU changes (bnc#1012382).
- net/ipv6: Display all addresses in output of /proc/net/if_inet6 (bnc#1012382).
- netlabel: check for IPV4MASK in addrinfo_get (bnc#1012382).
- net: macb: disable scatter-gather for macb on sama5d3 (bnc#1012382).
- net/mlx4: Use cpumask_available for eq->affinity_mask (bnc#1012382).
- net: mvneta: fix mtu change on port without link (bnc#1012382).
- net: mvneta: fix mvneta_config_rss on armada 3700 (bsc#1110615).
- net: mvpp2: Extract the correct ethtype from the skb for tx csum offload (bnc#1012382).
- net: systemport: Fix wake-up interrupt race during resume (bnc#1012382).
- net/usb: cancel pending work when unbinding smsc75xx (bnc#1012382).
- netvsc: delay setup of VF device (bug#1109038).
- netvsc: fix race during initialization (bug#1109038).
- netvsc: fix race on sub channel creation (bug#1109038).
- netvsc: remove bonding setup script (bug#1109038).
- NFC: Fix possible memory corruption when handling SHDLC I-Frame commands (bnc#1012382).
- NFC: Fix the number of pipes (bnc#1012382).
- NFS: add nostatflush mount option (bsc#1065726).
- NFS: Avoid quadratic search when freeing delegations (bsc#1084760).
- nfsd: fix corrupted reply to badly ordered compound (bnc#1012382).
- NFS: Use an appropriate work queue for direct-write completion (bsc#1082519).
- NFSv4.0 fix client reference leak in callback (bnc#1012382).
- nvme_fc: add 'nvme_discovery' sysfs attribute to fc transport device (bsc#1044189).
- nvmet: fixup crash on NULL device path (bsc#1082979).
- ocfs2: fix locking for res->tracking and dlm->tracking_list (bnc#1012382).
- ocfs2: fix ocfs2 read block panic (bnc#1012382).
- of: unittest: Disable interrupt node tests for old world MAC systems (bnc#1012382).
- ovl: Copy inode attributes after setting xattr (bsc#1107299).
- ovl: modify ovl_permission() to do checks on two inodes (bsc#1106512)
- ovl: proper cleanup of workdir (bnc#1012382).
- ovl: rename is_merge to is_lowest (bnc#1012382).
- parport: sunbpp: fix error return code (bnc#1012382).
- partitions/aix: append null character to print data from disk (bnc#1012382).
- partitions/aix: fix usage of uninitialized lv_info and lvname structures (bnc#1012382).
- Pass x86 as architecture on x86_64 and i386 (bsc#1093118).
- pci: altera: Fix bool initialization in tlp_read_packet() (bsc#1109806).
- pci: designware: Fix I/O space page leak (bsc#1109806).
- pci: designware: Fix pci_remap_iospace() failure path (bsc#1109806).
- pci: hv: Convert remove_lock to refcount (bug#1109038).
- pci: hv: Do not wait forever on a device that has disappeared (bug#1109038).
- pci: hv: Fix return value check in hv_pci_assign_slots() (bug#1109038).
- pci: hv: Make sure the bus domain is really unique (bug#1109038).
- pci: hv: Remove unused reason for refcount handler (bug#1109038).
- pci: hv: Replace GFP_ATOMIC with GFP_KERNEL in new_pcichild_device() (bug#1109038).
- pci: hv: support reporting serial number as slot information (bug#1109038).
- pci: hv: Use effective affinity mask (bsc#1109038).
- pci: hv: Use effective affinity mask (bsc#1109772).
- pci: hv: Use list_for_each_entry() (bug#1109038).
- pci: mvebu: Fix I/O space end address calculation (bnc#1012382).
- pci: OF: Fix I/O space page leak (bsc#1109806).
- pci: pciehp: Fix unprotected list iteration in IRQ handler (bsc#1109806).
- pci: Reprogram bridge prefetch registers on resume (bnc#1012382).
- pci: shpchp: Fix AMD POGO identification (bsc#1109806).
- pci: Supply CPU physical address (not bus address) to iomem_is_exclusive() (bsc#1109806).
- pci: versatile: Fix I/O space page leak (bsc#1109806).
- pci: versatile: Fix pci_remap_iospace() failure path (bsc#1109806).
- pci: xgene: Fix I/O space page leak (bsc#1109806).
- pci: xilinx: Add missing of_node_put() (bsc#1109806).
- perf powerpc: Fix callchain ip filtering (bnc#1012382).
- perf powerpc: Fix callchain ip filtering when return address is in a register (bnc#1012382).
- perf probe powerpc: Ignore SyS symbols irrespective of endianness (bnc#1012382).
- perf script python: Fix export-to-postgresql.py occasional failure (bnc#1012382).
- perf tools: Allow overriding MAX_NR_CPUS at compile time (bnc#1012382).
- phy: qcom-ufs: add MODULE_LICENSE tag (bsc#1110468).
- pinctrl: qcom: spmi-gpio: Fix pmic_gpio_config_get() to be compliant (bnc#1012382).
- pipe: actually allow root to exceed the pipe buffer limit (git-fixes).
- platform/x86: alienware-wmi: Correct a memory leak (bnc#1012382).
- platform/x86: asus-nb-wmi: Add keymap entry for lid flip action on UX360 (bnc#1012382).
- platform/x86: toshiba_acpi: Fix defined but not used build warnings (bnc#1012382).
- PM / core: Clear the direct_complete flag on errors (bnc#1012382).
- powerpc/64: Do load of PACAKBASE in LOAD_HANDLER (bsc#1094244).
- powerpc/64s: move machine check SLB flushing to mm/slb.c (bsc#1094244).
- powerpc/book3s: Fix MCE console messages for unrecoverable MCE (bsc#1094244).
- powerpc/fadump: cleanup crash memory ranges support (bsc#1103269).
- powerpc/fadump: re-register firmware-assisted dump if already registered (bsc#1108170, bsc#1108823).
- powerpc: Fix size calculation using resource_size() (bnc#1012382).
- powerpc/kdump: Handle crashkernel memory reservation failure (bnc#1012382).
- powerpc/mce: Fix SLB rebolting during MCE recovery path (bsc#1094244).
- powerpc/mce: Move 64-bit machine check code into mce.c (bsc#1094244).
- powerpc/numa: Skip onlining a offline node in kdump path (bsc#1109784).
- powerpc/numa: Use associativity if VPHN hcall is successful (bsc#1110363).
- powerpc/perf/hv-24x7: Fix off-by-one error in request_buffer check (git-fixes).
- powerpc/perf/hv-24x7: Fix passing of catalog version number (bsc#1053043).
- powerpc/powernv/ioda2: Reduce upper limit for DMA window size (bsc#1066223).
- powerpc/powernv: opal_put_chars partial write fix (bnc#1012382).
- powerpc/powernv: Rename machine_check_pSeries_early() to powernv (bsc#1094244).
- powerpc/pseries: Avoid using the size greater than RTAS_ERROR_LOG_MAX (bnc#1012382).
- powerpc/pseries: Defer the logging of rtas error to irq work queue (bsc#1094244).
- powerpc/pseries: Define MCE error event section (bsc#1094244).
- powerpc/pseries: Disable CPU hotplug across migrations (bsc#1066223).
- powerpc/pseries: Display machine check error details (bsc#1094244).
- powerpc/pseries: Dump the SLB contents on SLB MCE errors (bsc#1094244).
- powerpc/pseries: Fix build break for SPLPAR=n and CPU hotplug (bsc#1079524, git-fixes).
- powerpc/pseries: Fix CONFIG_NUMA=n build (bsc#1067906, git-fixes).
- powerpc/pseries: Flush SLB contents on SLB MCE errors (bsc#1094244).
- powerpc/pseries/mm: call H_BLOCK_REMOVE (bsc#1109158).
- powerpc/pseries/mm: factorize PTE slot computation (bsc#1109158).
- powerpc/pseries/mm: Introducing FW_FEATURE_BLOCK_REMOVE (bsc#1109158).
- powerpc/pseries: Remove prrn_work workqueue (bsc#1102495, bsc#1109337).
- powerpc/pseries: Remove unneeded uses of dlpar work queue (bsc#1102495, bsc#1109337).
- powerpc/rtas: Fix a potential race between CPU-Offline & Migration (bsc#1111870).
- powerpc/tm: Avoid possible userspace r1 corruption on reclaim (bsc#1109333).
- powerpc/tm: Fix userspace r13 corruption (bsc#1109333).
- power: vexpress: fix corruption in notifier registration (bnc#1012382).
- printk: do not spin in printk when in nmi (bsc#1094244).
- proc: restrict kernel stack dumps to root (bnc#1012382).
- pstore: Fix incorrect persistent ram buffer mapping (bnc#1012382).
- qlcnic: fix Tx descriptor corruption on 82xx devices (bnc#1012382).
- r8169: Clear RTL_FLAG_TASK_*_PENDING when clearing RTL_FLAG_TASK_ENABLED (bnc#1012382).
- RAID10 BUG_ON in raise_barrier when force is true and conf->barrier is 0 (bnc#1012382).
- rculist: add list_for_each_entry_from_rcu() (bsc#1084760).
- rculist: Improve documentation for list_for_each_entry_from_rcu() (bsc#1084760).
- RDMA/cma: Do not ignore net namespace for unbound cm_id (bnc#1012382).
- RDMA/cma: Protect cma dev list with lock (bnc#1012382).
- RDMA/rw: Fix rdma_rw_ctx_signature_init() kernel-doc header (bsc#1082979).
- RDMA/ucma: check fd type in ucma_migrate_id() (bnc#1012382).
- README: Clean-up trailing whitespace
- reiserfs: add check to detect corrupted directory entry (bsc#1109818).
- reiserfs: change j_timestamp type to time64_t (bnc#1012382).
- reiserfs: do not panic on bad directory entries (bsc#1109818).
- resource: Include resource end in walk_*() interfaces (bsc#1114648).
- Revert 'ARM: imx_v6_v7_defconfig: Select ULPI support' (bnc#1012382).
- Revert 'btrfs: qgroups: Retry after commit on getting EDQUOT' (bsc#1031392).
- Revert 'dma-buf/sync-file: Avoid enable fence signaling if poll(.timeout=0)' (bsc#1111363).
- Revert 'drm: Do not pass negative delta to ktime_sub_ns()' (bsc#1106929)
- Revert 'drm/i915: Initialize HWS page address after GPU reset' (bsc#1106929)
- Revert 'Drop kernel trampoline stack.' This reverts commit 85dead31706c1c1755adff90405ff9861c39c704.
- Revert 'kabi/severities: Ignore missing cpu_tss_tramp (bsc#1099597)' This reverts commit edde1f21880e3bfe244c6f98a3733b05b13533dc.
- Revert 'KVM: x86: remove eager_fpu field of struct kvm_vcpu_arch' (kabi).
- Revert 'media: v4l: event: Prevent freeing event subscriptions while accessed' (kabi).
- Revert 'mm: get rid of vmacache_flush_all() entirely' (kabi).
- Revert 'proc: restrict kernel stack dumps to root' (kabi).
- Revert 'Skip intel_crt_init for Dell XPS 8700' (bsc#1106929)
- Revert 'usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()' (bnc#1012382).
- ring-buffer: Allow for rescheduling when removing pages (bnc#1012382).
- rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication() (bnc#1012382).
- rpm/kernel-binary.spec.in: Check module licenses (bsc#1083215,bsc#1083527)
- rpm/kernel-binary.spec.in: Do not sign modules if CONFIG_MODULE_SIG=n (bsc#1035053)
- rpm/kernel-binary.spec.in: Obsolete ftsteutates KMP (boo#997172)
- rpm/kernel-binary.spec.in: Only kernel-syzkaller needs gcc-devel (boo#1043591).
- rpm/kernel-docs.spec.in: Expand kernel tree directly from sources (bsc#1057199)
- rpm/kernel-docs.spec.in: refresh dependencies for PDF build (bsc#1048129)
- rpm/kernel-module-subpackage: Generate proper supplements in the template ... instead of relying on find-provides.ksyms to do it (bsc#981083).
- rpm/kernel-source.spec.in: Do not list deleted depdendency helpers (bsc#981083).
- rpm/kernel-spec-macros: Try harder to detect Build Service environment (bsc#1078788)
- rpmsg: Correct support for MODULE_DEVICE_TABLE() (git-fixes).
- rtc: bq4802: add error handling for devm_ioremap (bnc#1012382).
- rtnl: limit IFLA_NUM_TX_QUEUES and IFLA_NUM_RX_QUEUES to 4096 (bnc#1012382).
- s390/chsc: Add exception handler for CHSC instruction (git-fixes).
- s390/dasd: fix hanging offline processing due to canceled worker (bnc#1012382).
- s390/extmem: fix gcc 8 stringop-overflow warning (bnc#1012382).
- s390/facilites: use stfle_fac_list array size for MAX_FACILITY_BIT (bnc#1108315, LTC#171326).
- s390/kdump: Fix elfcorehdr size calculation (git-fixes).
- s390/kdump: Make elfcorehdr size calculation ABI compliant (git-fixes).
- s390/lib: use expoline for all bcr instructions (LTC#171029 bnc#1012382 bnc#1106934).
- s390/mm: correct allocate_pgste proc_handler callback (git-fixes).
- s390/qeth: do not dump past end of unknown HW header (bnc#1012382).
- s390/qeth: fix race in used-buffer accounting (bnc#1012382).
- s390/qeth: handle failure on workqueue creation (git-fixes).
- s390/qeth: reset layer2 attribute on layer switch (bnc#1012382).
- s390/qeth: use vzalloc for QUERY OAT buffer (bnc#1108315, LTC#171527).
- s390: revert ELF_ET_DYN_BASE base changes (git-fixes).
- s390/stacktrace: fix address ranges for asynchronous and panic stack (git-fixes).
- sched/fair: Fix bandwidth timer clock drift condition (Git-fixes).
- sched/fair: Fix vruntime_normalized() for remote non-migration wakeup (Git-fixes).
- sched/isolcpus: Fix 'isolcpus=' boot parameter handling when !CONFIG_CPUMASK_OFFSTACK (bug#1109038).
- sch_hhf: fix null pointer dereference on init failure (bnc#1012382).
- sch_htb: fix crash on init failure (bnc#1012382).
- sch_multiq: fix double free on init failure (bnc#1012382).
- sch_netem: avoid null pointer deref on init failure (bnc#1012382).
- sch_tbf: fix two null pointer dereferences on init failure (bnc#1012382).
- scripts: modpost: check memory allocation results (bnc#1012382).
- scsi: 3ware: fix return 0 on the error path of probe (bnc#1012382).
- scsi: aic94xx: fix an error code in aic94xx_init() (bnc#1012382).
- scsi: bnx2i: add error handling for ioremap_nocache (bnc#1012382).
- scsi: ibmvscsi: Improve strings handling (bnc#1012382).
- scsi: ipr: System hung while dlpar adding primary ipr adapter back (bsc#1109336).
- scsi: klist: Make it safe to use klists in atomic context (bnc#1012382).
- scsi: netvsc: Use the vmbus function to calculate ring buffer percentage (bug#1109038).
- scsi: qla2xxx: Add changes for devloss timeout in driver (bsc#1084427).
- scsi: qla2xxx: Add FC-NVMe abort processing (bsc#1084427).
- scsi: qla2xxx: Add longer window for chip reset (bsc#1094555).
- scsi: qla2xxx: Avoid double completion of abort command (bsc#1094555).
- scsi: qla2xxx: Cleanup code to improve FC-NVMe error handling (bsc#1084427).
- scsi: qla2xxx: Cleanup for N2N code (bsc#1094555).
- scsi: qla2xxx: correctly shift host byte (bsc#1094555).
- scsi: qla2xxx: Correct setting of SAM_STAT_CHECK_CONDITION (bsc#1094555).
- scsi: qla2xxx: Delete session for nport id change (bsc#1094555).
- scsi: qla2xxx: Fix Async GPN_FT for FCP and FC-NVMe scan (bsc#1084427).
- scsi: qla2xxx: Fix crash on qla2x00_mailbox_command (bsc#1094555).
- scsi: qla2xxx: Fix double free bug after firmware timeout (bsc#1094555).
- scsi: qla2xxx: Fix driver unload by shutting down chip (bsc#1094555).
- scsi: qla2xxx: fix error message on <qla2400 (bsc#1094555).
- scsi: qla2xxx: Fix FC-NVMe IO abort during driver reset (bsc#1084427).
- scsi: qla2xxx: Fix function argument descriptions (bsc#1094555).
- scsi: qla2xxx: Fix Inquiry command being dropped in Target mode (bsc#1094555).
- scsi: qla2xxx: Fix issue reported by static checker for qla2x00_els_dcmd2_sp_done() (bsc#1094555).
- scsi: qla2xxx: Fix login retry count (bsc#1094555).
- scsi: qla2xxx: Fix Management Server NPort handle reservation logic (bsc#1094555).
- scsi: qla2xxx: Fix memory leak for allocating abort IOCB (bsc#1094555).
- scsi: qla2xxx: Fix n2n_ae flag to prevent dev_loss on PDB change (bsc#1084427).
- scsi: qla2xxx: Fix N2N link re-connect (bsc#1094555).
- scsi: qla2xxx: Fix NPIV deletion by calling wait_for_sess_deletion (bsc#1094555).
- scsi: qla2xxx: Fix race between switch cmd completion and timeout (bsc#1094555).
- scsi: qla2xxx: Fix race condition between iocb timeout and initialisation (bsc#1094555).
- scsi: qla2xxx: Fix redundant fc_rport registration (bsc#1094555).
- scsi: qla2xxx: Fix retry for PRLI RJT with reason of BUSY (bsc#1084427).
- scsi: qla2xxx: Fix Rport and session state getting out of sync (bsc#1094555).
- scsi: qla2xxx: Fix sending ADISC command for login (bsc#1094555).
- scsi: qla2xxx: Fix session state stuck in Get Port DB (bsc#1094555).
- scsi: qla2xxx: Fix stalled relogin (bsc#1094555).
- scsi: qla2xxx: Fix TMF and Multi-Queue config (bsc#1094555).
- scsi: qla2xxx: Fix unintended Logout (bsc#1094555).
- scsi: qla2xxx: Fix unintialized List head crash (bsc#1094555).
- scsi: qla2xxx: Flush mailbox commands on chip reset (bsc#1094555).
- scsi: qla2xxx: fx00 copypaste typo (bsc#1094555).
- scsi: qla2xxx: Migrate NVME N2N handling into state machine (bsc#1094555).
- scsi: qla2xxx: Move GPSC and GFPNID out of session management (bsc#1094555).
- scsi: qla2xxx: Prevent relogin loop by removing stale code (bsc#1094555).
- scsi: qla2xxx: Prevent sysfs access when chip is down (bsc#1094555).
- scsi: qla2xxx: Reduce redundant ADISC command for RSCNs (bsc#1094555).
- scsi: qla2xxx: remove irq save in qla2x00_poll() (bsc#1094555).
- scsi: qla2xxx: Remove nvme_done_list (bsc#1084427).
- scsi: qla2xxx: Remove stale debug value for login_retry flag (bsc#1094555).
- scsi: qla2xxx: Remove unneeded message and minor cleanup for FC-NVMe (bsc#1084427).
- scsi: qla2xxx: Restore ZIO threshold setting (bsc#1084427).
- scsi: qla2xxx: Return busy if rport going away (bsc#1084427).
- scsi: qla2xxx: Save frame payload size from ICB (bsc#1094555).
- scsi: qla2xxx: Set IIDMA and fcport state before qla_nvme_register_remote() (bsc#1084427).
- scsi: qla2xxx: Silent erroneous message (bsc#1094555).
- scsi: qla2xxx: Update driver version to 10.00.00.06-k (bsc#1084427).
- scsi: qla2xxx: Update driver version to 10.00.00.07-k (bsc#1094555).
- scsi: qla2xxx: Update driver version to 10.00.00.08-k (bsc#1094555).
- scsi: qla2xxx: Use dma_pool_zalloc() (bsc#1094555).
- scsi: qla2xxx: Use predefined get_datalen_for_atio() inline function (bsc#1094555).
- scsi: scsi_transport_fc: Add dummy initiator role to rport (bug#1109038).
- scsi: storsvc: do not set a bounce limit (bug#1109038).
- scsi: storvsc: Add support for FC rport (bug#1109038).
- scsi: storvsc: Allow only one remove lun work item to be issued per lun (bsc#1109038).
- scsi: storvsc: Avoid allocating memory for temp cpumasks (bug#1109038).
- scsi: storvsc: Avoid excessive host scan on controller change (bsc#1109038).
- scsi: storvsc: missing error code in storvsc_probe() (bsc#1109038).
- scsi: storvsc: Select channel based on available percentage of ring buffer to write (bug#1109038).
- scsi: storvsc: Set up correct queue depth values for IDE devices (bug#1109038).
- scsi: storvsc: Spread interrupts when picking a channel for I/O requests (bug#1109038).
- scsi: storvsc: use default I/O timeout handler for FC devices (bug#1109038).
- scsi: storvsc: use in place iterator function (bug#1109038).
- scsi: target: fix __transport_register_session locking (bnc#1012382).
- scsi: target/iscsi: Make iscsit_ta_authentication() respect the output buffer size (bnc#1012382).
- scsi: vmbus: Add function to report available ring buffer to write in total ring size percentage (bug#1109038).
- selftests/efivarfs: add required kernel configs (bnc#1012382).
- selftests/powerpc: Kill child processes on SIGINT (bnc#1012382).
- selftest: timers: Tweak raw_skew to SKIP when ADJ_OFFSET/other clock adjustments are in progress (bnc#1012382).
- selinux: use GFP_NOWAIT in the AVC kmem_caches (bnc#1012382).
- serial: cpm_uart: return immediately from console poll (bnc#1012382).
- serial: imx: restore handshaking irq for imx1 (bnc#1012382).
- signal: Properly deliver SIGSEGV from x86 uprobes (bsc#1110006).
- silence build warning in hyperv_init
- silence buildwarnings in hyperv/mmu.c
- slub: make ->cpu_partial unsigned int (bnc#1012382).
- smb2: fix missing files in root share directory listing (bnc#1012382).
- smb3: fill in statfs fsid and correct namelen (bsc#1112905).
- smb3: fix reset of bytes read and written stats (bnc#1012382).
- smb3: Number of requests sent should be displayed for SMB3 not just CIFS (bnc#1012382).
- sound: enable interrupt after dma buffer initialization (bnc#1012382).
- spi: rspi: Fix interrupted DMA transfers (bnc#1012382).
- spi: rspi: Fix invalid SPI use during system suspend (bnc#1012382).
- spi: sh-msiof: Fix handling of write value for SISTR register (bnc#1012382).
- spi: sh-msiof: Fix invalid SPI use during system suspend (bnc#1012382).
- spi: tegra20-slink: explicitly enable/disable clock (bnc#1012382).
- split-modules: use MAKE_ARGS
- srcu: Allow use of Tiny/Tree SRCU from both process and interrupt context (bsc#1050549).
- staging: android: ashmem: Fix mmap size validation (bnc#1012382).
- staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free (bnc#1012382).
- staging: comedi: ni_mio_common: fix subdevice flags for PFI subdevice (bnc#1012382).
- staging: rt5208: Fix a sleep-in-atomic bug in xd_copy_page (bnc#1012382).
- staging: rts5208: fix missing error check on call to rtsx_write_register (bnc#1012382).
- staging/rts5208: Fix read overflow in memcpy (bnc#1012382).
- stmmac: fix valid numbers of unicast filter entries (bnc#1012382).
- stop_machine: Atomically queue and wake stopper threads (git-fixes).
- target: log Data-Out timeouts as errors (bsc#1095805).
- target: log NOP ping timeouts as errors (bsc#1095805).
- target: split out helper for cxn timeout error stashing (bsc#1095805).
- target: stash sess_err_stats on Data-Out timeout (bsc#1095805).
- target: use ISCSI_IQN_LEN in iscsi_target_stat (bsc#1095805).
- tcp: add tcp_ooo_try_coalesce() helper (bnc#1012382).
- tcp: call tcp_drop() from tcp_data_queue_ofo() (bnc#1012382).
- tcp: do not restart timewait timer on rst reception (bnc#1012382).
- tcp: fix a stale ooo_last_skb after a replace (bnc#1012382).
- tcp: free batches of packets in tcp_prune_ofo_queue() (bnc#1012382).
- tcp: increment sk_drops for dropped rx packets (bnc#1012382).
- tcp: use an RB tree for ooo receive queue (bnc#1012382).
- team: Forbid enslaving team device to itself (bnc#1012382).
- thermal: of-thermal: disable passive polling when thermal zone is disabled (bnc#1012382).
- tools: hv: fcopy: set 'error' in case an unknown operation was requested (bug#1109038).
- tools: hv: Fix a bug in the key delete code (bnc#1012382).
- tools: hv: fix compiler warnings about major/target_fname (bug#1109038).
- tools/hv: Fix IP reporting by KVP daemon with SRIOV (bug#1109038).
- tools: hv: fix snprintf warning in kvp_daemon (bug#1109038).
- tools: hv: ignore a NIC if it has been configured (bug#1109038).
- tools: hv: include string.h in hv_fcopy_daemon (bug#1109038).
- tools: hv: update buffer handling in hv_fcopy_daemon (bug#1109038).
- tools: hv: update lsvmbus to be compatible with python3 (bug#1109038).
- tools: hv: vss: fix loop device detection (bug#1109038).
- tools: hv: vss: Skip freezing filesystems backed by loop (bug#1109038).
- tools/vm/page-types.c: fix 'defined but not used' warning (bnc#1012382).
- tools/vm/slabinfo.c: fix sign-compare warning (bnc#1012382).
- tpm: Restore functionality to xen vtpm driver (bsc#1020645, git-fixes).
- tsl2550: fix lux1_input error in low light (bnc#1012382).
- tty: Drop tty->count on tty_reopen() failure (bnc#1105428).
- tty: rocket: Fix possible buffer overwrite on register_PCI (bnc#1012382).
- tty: vt_ioctl: fix potential Spectre v1 (bnc#1012382).
t usb: yurex: Fix buffer over-read in yurex_write() (bnc#1012382).
- ubifs: Check for name being NULL while mounting (bnc#1012382).
- ucma: fix a use-after-free in ucma_resolve_ip() (bnc#1012382).
- uio_hv_generic: add rescind support (bsc#1109038).
- uio_hv_generic: check that host supports monitor page (bsc#1109038).
- uio_hv_generic: create send and receive buffers (bsc#1109038).
- uio_hv_generic: fix configuration comments (bsc#1109038).
- uio_hv_generic: fix new type mismatch warnings (bsc#1109038).
- uio_hv_generic: fix type mismatch warnings (bsc#1109038).
- uio_hv_generic: use ISR callback method (bsc#1109038).
- uio_hv_generic: use standard mmap for resources (bsc#1109038).
- uio: potential double frees if __uio_register_device() fails (bnc#1012382).
- usb: add quirk for WORLDE Controller KS49 or Prodipe MIDI 49C USB controller (bnc#1012382).
- usb: Add quirk to support DJI CineSSD (bnc#1012382).
- usb: Avoid use-after-free by flushing endpoints early in usb_set_interface() (bnc#1012382).
- usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt() (bnc#1012382).
- usb: Do not die twice if PCI xhci host is not responding in resume (bnc#1012382).
- usb: fix error handling in usb_driver_claim_interface() (bnc#1012382).
- usb: gadget: fotg210-udc: Fix memory leak of fotg210->ep[i] (bnc#1012382).
- usb: gadget: serial: fix oops when data rx'd after close (bnc#1012382).
- usb: handle NULL config in usb_find_alt_setting() (bnc#1012382).
- usb: host: u132-hcd: Fix a sleep-in-atomic-context bug in u132_get_frame() (bnc#1012382).
- usbip: vhci_sysfs: fix potential Spectre v1 (bsc#1096547).
- usb: misc: uss720: Fix two sleep-in-atomic-context bugs (bnc#1012382).
- usb: net2280: Fix erroneous synchronization change (bnc#1012382).
- usb: remove LPM management from usb_driver_claim_interface() (bnc#1012382).
- usb: serial: io_ti: fix array underflow in completion handler (bnc#1012382).
- usb: serial: kobil_sct: fix modem-status error handling (bnc#1012382).
- usb: serial: simple: add Motorola Tetra MTP6550 id (bnc#1012382).
- usb: serial: ti_usb_3410_5052: fix array underflow in completion handler (bnc#1012382).
- usb: usbdevfs: restore warning for nonsensical flags (bnc#1012382).
- usb: usbdevfs: sanitize flags more (bnc#1012382).
- usb: wusbcore: security: cast sizeof to int for comparison (bnc#1012382).
- usb: yurex: Check for truncation in yurex_read() (bnc#1012382).
- use the new async probing feature for the hyperv drivers (bug#1109038).
- Use upstream version of pci-hyperv change 35a88a18d7
- uwb: hwa-rc: fix memory leak at probe (bnc#1012382).
- vfs: do not test owner for NFS in set_posix_acl() (bsc#1103405).
- video: goldfishfb: fix memory leak on driver remove (bnc#1012382).
- vmbus: add monitor_id and subchannel_id to sysfs per channel (bsc#1109038).
- vmbus: do not return values for uninitalized channels (bug#1109038).
- vmbus: make channel attributes static (bsc#1109038).
- vmbus: make hv_get_ringbuffer_availbytes local (bsc#1109038).
- vmci: type promotion bug in qp_host_get_user_memory() (bnc#1012382).
- vmw_balloon: include asm/io.h (bnc#1012382).
- vti6: remove !skb->ignore_df check from vti6_xmit() (bnc#1012382).
- watchdog: w83627hf: Added NCT6102D support (bsc#1106434).
- watchdog: w83627hf_wdt: Add quirk for Inves system (bsc#1106434).
- wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout() (bnc#1012382).
- wlcore: Fix memory leak in wlcore_cmd_wait_for_event_or_timeout (git-fixes).
- x86/apic: Fix restoring boot IRQ mode in reboot and kexec/kdump (bsc#1110006).
- x86/apic: Split disable_IO_APIC() into two functions to fix CONFIG_KEXEC_JUMP=y (bsc#1110006).
- x86/apic: Split out restore_boot_irq_mode() from disable_IO_APIC() (bsc#1110006).
- x86/boot: Fix 'run_size' calculation (bsc#1110006).
- x86/cpufeature: deduplicate X86_FEATURE_L1TF_PTEINV (kabi).
- x86/entry/64: Add two more instruction suffixes (bnc#1012382).
- x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface (bsc#1105931).
- x86/entry/64: Remove %ebx handling from error_entry/exit (bnc#1102715).
- x86/entry/64: sanitize extra registers on syscall entry (bsc#1105931).
- x86/fpu: Finish excising 'eagerfpu' (bnc#1012382).
- x86/fpu: Remove second definition of fpu in __fpu__restore_sig() (bsc#1110006).
- x86/fpu: Remove struct fpu::counter (bnc#1012382).
- x86/fpu: Remove use_eager_fpu() (bnc#1012382).
- x86/headers/UAPI: Use __u64 instead of u64 in <uapi/asm/hyperv.h> (bug#1109038).
- x86/hyperv: Add a function to read both TSC and TSC page value simulateneously (bsc#1109038).
- x86/hyperv: Add interrupt handler annotations (bug#1109038).
- x86/hyper-v: allocate and use Virtual Processor Assist Pages (bug#1109038).
- x86/hyper-V: Allocate the IDT entry early in boot (bug#1109038).
- x86/hyper-v: Check cpumask_to_vpset() return value in hyperv_flush_tlb_others_ex() (bug#1109038).
- x86/hyperv: Check for required priviliges in hyperv_init() (bsc#1109038).
- x86/hyper-v: Check for VP_INVAL in hyperv_flush_tlb_others() (bug#1109038).
- x86/hyperv: Clear vCPU banks between calls to avoid flushing unneeded vCPUs (bsc#1109038).
- x86/Hyper-V: Consolidate the allocation of the hypercall input page (bug#1109038).
- x86/hyper-v: define struct hv_enlightened_vmcs and clean field bits (bug#1109038).
- x86/hyper-v: detect nested features (bug#1109038).
- x86/hyperv: Do not use percpu areas for pcpu_flush/pcpu_flush_ex structures (bsc#1109038).
- x86/Hyper-V: Enable IPI enlightenments (bug#1109038).
- x86/Hyper-V: Enhanced IPI enlightenment (bug#1109038).
- x86/Hyper-V: Enlighten APIC access (bug#1109038).
- x86/hyperv: Fix hypercalls with extended CPU ranges for TLB flushing (bsc#1109038).
- x86/hyper-v: Fix the circular dependency in IPI enlightenment (bug#1109038).
- x86/hyper-v: Fix wrong merge conflict resolution (bug#1109038).
- x86/Hyper-V/hv_apic: Build the Hyper-V APIC conditionally (bug#1109038).
- x86/Hyper-V/hv_apic: Include asm/apic.h (bug#1109038).
- x86/hyper-v: Implement hv_do_fast_hypercall16 (bug#1109038).
- x86/hyper-v: Implement rep hypercalls (bug#1109038).
- x86/hyper-v: move definitions from TLFS to hyperv-tlfs.h (bug#1109038).
- x86/hyper-v: move hyperv.h out of uapi (bug#1109038).
- x86/hyper-v: move struct hv_flush_pcpu{,ex} definitions to common header (bug#1109038).
- x86/hyperv: Read TSC frequency from a synthetic MSR (bug#1109038).
- x86/hyperv: Redirect reenlightment notifications on CPU offlining (bug#1109038).
- x86/hyperv: Reenlightenment notifications support (bug#1109038).
- x86/hyper-v: Remove duplicated HV_X64_EX_PROCESSOR_MASKS_RECOMMENDED definition (bug#1109038).
- x86/hyper-v: rename ipi_arg_{ex,non_ex} structures (bug#1109038).
- x86/hyper-v: stash the max number of virtual/logical processor (bug#1109038).
- x86/hyperv: Stop suppressing X86_FEATURE_PCID (bsc#1109038).
- x86/hyper-v: Support extended CPU ranges for TLB flush hypercalls (bug#1109038).
- x86/hyper-v: Use cheaper HVCALL_FLUSH_VIRTUAL_ADDRESS_{LIST,SPACE} hypercalls when possible (bug#1109038).
- x86/hyper-v: Use cheaper HVCALL_SEND_IPI hypercall when possible (bug#1109038).
- x86/hyper-v: Use 'fast' hypercall for HVCALL_SEND_IPI (bug#1109038).
- x86/hyper-v: Use hypercall for remote TLB flush (bug#1109038).
- x86/irq: implement irq_data_get_effective_affinity_mask() for v4.12 (bsc#1109772).
- x86/kaiser: Avoid loosing NMIs when using trampoline stack (bsc#1106293 bsc#1099597).
- x86/kexec: Correct KEXEC_BACKUP_SRC_END off-by-one error (bsc#1114648).
- x86/kvm: rename HV_X64_MSR_APIC_ASSIST_PAGE to HV_X64_MSR_VP_ASSIST_PAGE (bug#1109038).
- x86/mm: Remove in_nmi() warning from vmalloc_fault() (bnc#1012382).
- x86: msr-index.h: Correct SNB_C1/C3_AUTO_UNDEMOTE defines (bsc#1110006).
- x86/numa_emulation: Fix emulated-to-physical node mapping (bnc#1012382).
- x86/pae: use 64 bit atomic xchg function in native_ptep_get_and_clear (bnc#1012382).
- x86/paravirt: Fix some warning messages (bnc#1065600).
- x86/percpu: Fix this_cpu_read() (bsc#1110006).
- x86,sched: Allow topologies where NUMA nodes share an LLC (bsc#1091158, bsc#1101555).
- x86/spec_ctrl: Fix spec_ctrl reporting (bsc#1106913, bsc#1111516).
- x86/speculation: Apply IBPB more strictly to avoid cross-process data leak (bsc#1106913).
- x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation (bsc#1106913).
- x86/speculation/l1tf: Fix up pte->pfn conversion for PAE (bnc#1012382).
- x86/speculation: Propagate information about RSB filling mitigation to sysfs (bsc#1106913).
- x86/time: Correct the attribute on jiffies' definition (bsc#1110006).
- x86/tsc: Add missing header to tsc_msr.c (bnc#1012382).
- x86/vdso: Fix asm constraints on vDSO syscall fallbacks (bsc#1110006).
- x86/vdso: Fix vDSO build if a retpoline is emitted (bsc#1110006).
- x86/vdso: Fix vDSO syscall fallback asm constraint regression (bsc#1110006).
- x86/vdso: Only enable vDSO retpolines when enabled and supported (bsc#1110006).
- xen: avoid crash in disable_hotplug_cpu (bnc#1012382 bsc#1106594 bsc#1042422).
- xen/blkfront: correct purging of persistent grants (bnc#1065600).
- xen: fix GCC warning and remove duplicate EVTCHN_ROW/EVTCHN_COL usage (bnc#1012382).
- xen: issue warning message when out of grant maptrack entries (bsc#1105795).
- xen/manage: do not complain about an empty value in control/sysrq node (bnc#1012382).
- xen/netfront: do not bug in case of too many frags (bnc#1012382).
- xen-netfront: fix queue name setting (bnc#1012382).
- xen/netfront: fix waiting for xenbus state change (bnc#1012382).
- xen-netfront: fix warn message as irq device name has '/' (bnc#1012382).
- xen/x86/vpmu: Zero struct pt_regs before calling into sample handling code (bnc#1012382).
- xfrm: fix 'passing zero to ERR_PTR()' warning (bnc#1012382).
- xfs: add a new xfs_iext_lookup_extent_before helper (bsc#1095344).
- xfs: add asserts for the mmap lock in xfs_{insert,collapse}_file_space (bsc#1095344).
- xfs: add a xfs_bmap_fork_to_state helper (bsc#1095344).
- xfs: add a xfs_iext_update_extent helper (bsc#1095344).
- xfs: add comments documenting the rebalance algorithm (bsc#1095344).
- xfs: add some comments to xfs_iext_insert/xfs_iext_insert_node (bsc#1095344).
- xfs: add xfs_trim_extent (bsc#1095344).
- xfs: allow unaligned extent records in xfs_bmbt_disk_set_all (bsc#1095344).
- xfs: borrow indirect blocks from freed extent when available (bsc#1095344).
- xfs: cleanup xfs_bmap_last_before (bsc#1095344).
- xfs: do not create overlapping extents in xfs_bmap_add_extent_delay_real (bsc#1095344).
- xfs: do not rely on extent indices in xfs_bmap_collapse_extents (bsc#1095344).
- xfs: do not rely on extent indices in xfs_bmap_insert_extents (bsc#1095344).
- xfs: do not set XFS_BTCUR_BPRV_WASDEL in xfs_bunmapi (bsc#1095344).
- xfs: during btree split, save new block key & ptr for future insertion (bsc#1095344).
- xfs: factor out a helper to initialize a local format inode fork (bsc#1095344).
- xfs: fix memory leak in xfs_iext_free_last_leaf (bsc#1095344).
- xfs: fix number of records handling in xfs_iext_split_leaf (bsc#1095344).
- xfs: fix transaction allocation deadlock in IO path (bsc#1090535).
- xfs: handle indlen shortage on delalloc extent merge (bsc#1095344).
- xfs: handle zero entries case in xfs_iext_rebalance_leaf (bsc#1095344).
- xfs: improve kmem_realloc (bsc#1095344).
- xfs: inline xfs_shift_file_space into callers (bsc#1095344).
- xfs: introduce the xfs_iext_cursor abstraction (bsc#1095344).
- xfs: iterate over extents in xfs_bmap_extents_to_btree (bsc#1095344).
- xfs: iterate over extents in xfs_iextents_copy (bsc#1095344).
- xfs: make better use of the 'state' variable in xfs_bmap_del_extent_real (bsc#1095344).
- xfs: merge xfs_bmap_read_extents into xfs_iread_extents (bsc#1095344).
- xfs: move pre/post-bmap tracing into xfs_iext_update_extent (bsc#1095344).
- xfs: move some code around inside xfs_bmap_shift_extents (bsc#1095344).
- xfs: move some more code into xfs_bmap_del_extent_real (bsc#1095344).
- xfs: move xfs_bmbt_irec and xfs_exntst_t to xfs_types.h (bsc#1095344).
- xfs: move xfs_iext_insert tracepoint to report useful information (bsc#1095344).
- xfs: new inode extent list lookup helpers (bsc#1095344).
- xfs: only run torn log write detection on dirty logs (bsc#1095753).
- xfs: pass an on-disk extent to xfs_bmbt_validate_extent (bsc#1095344).
- xfs: pass a struct xfs_bmbt_irec to xfs_bmbt_lookup_eq (bsc#1095344).
- xfs: pass a struct xfs_bmbt_irec to xfs_bmbt_update (bsc#1095344).
- xfs: pass struct xfs_bmbt_irec to xfs_bmbt_validate_extent (bsc#1095344).
- xfs: provide helper for counting extents from if_bytes (bsc#1095344).
- xfs: refactor delalloc accounting in xfs_bmap_add_extent_delay_real (bsc#1095344).
- xfs: refactor delalloc indlen reservation split into helper (bsc#1095344).
- xfs: refactor dir2 leaf readahead shadow buffer cleverness (bsc#1095344).
- xfs: refactor in-core log state update to helper (bsc#1095753).
- xfs: refactor unmount record detection into helper (bsc#1095753).
- xfs: refactor xfs_bmap_add_extent_delay_real (bsc#1095344).
- xfs: refactor xfs_bmap_add_extent_hole_delay (bsc#1095344).
- xfs: refactor xfs_bmap_add_extent_hole_real (bsc#1095344).
- xfs: refactor xfs_bmap_add_extent_unwritten_real (bsc#1095344).
- xfs: refactor xfs_bunmapi_cow (bsc#1095344).
- xfs: refactor xfs_del_extent_real (bsc#1095344).
- xfs: remove a duplicate assignment in xfs_bmap_add_extent_delay_real (bsc#1095344).
- xfs: remove all xfs_bmbt_set_* helpers except for xfs_bmbt_set_all (bsc#1095344).
- xfs: remove a superflous assignment in xfs_iext_remove_node (bsc#1095344).
- xfs: remove if_rdev (bsc#1095344).
- xfs: remove prev argument to xfs_bmapi_reserve_delalloc (bsc#1095344).
- xfs: remove support for inlining data/extents into the inode fork (bsc#1095344).
- xfs: remove the never fully implemented UUID fork format (bsc#1095344).
- xfs: remove the nr_extents argument to xfs_iext_insert (bsc#1095344).
- xfs: remove the nr_extents argument to xfs_iext_remove (bsc#1095344).
- xfs: remove XFS_BMAP_MAX_SHIFT_EXTENTS (bsc#1095344).
- xfs: remove XFS_BMAP_TRACE_EXLIST (bsc#1095344).
- xfs: remove xfs_bmbt_get_state (bsc#1095344).
- xfs: remove xfs_bmse_shift_one (bsc#1095344).
- xfs: rename bno to end in __xfs_bunmapi (bsc#1095344).
- xfs: replace xfs_bmbt_lookup_ge with xfs_bmbt_lookup_first (bsc#1095344).
- xfs: replace xfs_qm_get_rtblks with a direct call to xfs_bmap_count_leaves (bsc#1095344).
- xfs: rewrite getbmap using the xfs_iext_* helpers (bsc#1095344).
- xfs: rewrite xfs_bmap_count_leaves using xfs_iext_get_extent (bsc#1095344).
- xfs: rewrite xfs_bmap_first_unused to make better use of xfs_iext_get_extent (bsc#1095344).
- xfs: separate log head record discovery from verification (bsc#1095753).
- xfs: simplify the xfs_getbmap interface (bsc#1095344).
- xfs: simplify validation of the unwritten extent bit (bsc#1095344).
- xfs: split indlen reservations fairly when under reserved (bsc#1095344).
- xfs: split xfs_bmap_shift_extents (bsc#1095344).
- xfs: switch xfs_bmap_local_to_extents to use xfs_iext_insert (bsc#1095344).
- xfs: treat idx as a cursor in xfs_bmap_add_extent_delay_real (bsc#1095344).
- xfs: treat idx as a cursor in xfs_bmap_add_extent_hole_delay (bsc#1095344).
- xfs: treat idx as a cursor in xfs_bmap_add_extent_hole_real (bsc#1095344).
- xfs: treat idx as a cursor in xfs_bmap_add_extent_unwritten_real (bsc#1095344).
- xfs: treat idx as a cursor in xfs_bmap_collapse_extents (bsc#1095344).
- xfs: treat idx as a cursor in xfs_bmap_del_extent_* (bsc#1095344).
- xfs: update freeblocks counter after extent deletion (bsc#1095344).
- xfs: update got in xfs_bmap_shift_update_extent (bsc#1095344).
- xfs: use a b+tree for the in-core extent list (bsc#1095344).
- xfs: use correct state defines in xfs_bmap_del_extent_{cow,delay} (bsc#1095344).
- xfs: use new extent lookup helpers in xfs_bmapi_read (bsc#1095344).
- xfs: use new extent lookup helpers in xfs_bmapi_write (bsc#1095344).
- xfs: use new extent lookup helpers in __xfs_bunmapi (bsc#1095344).
- xfs: use the state defines in xfs_bmap_del_extent_real (bsc#1095344).
- xfs: use xfs_bmap_del_extent_delay for the data fork as well (bsc#1095344).
- xfs: use xfs_iext_*_extent helpers in xfs_bmap_shift_extents (bsc#1095344).
- xfs: use xfs_iext_*_extent helpers in xfs_bmap_split_extent_at (bsc#1095344).
- xfs: use xfs_iext_get_extent instead of open coding it (bsc#1095344).
- xfs: use xfs_iext_get_extent in xfs_bmap_first_unused (bsc#1095344).
- xhci: Add missing CAS workaround for Intel Sunrise Point xHCI (bnc#1012382).
- xhci: Do not print a warning when setting link state for disabled ports (bnc#1012382).
ImportantSUSE bug 1011920SUSE bug 1012382SUSE bug 1012422SUSE bug 1020645SUSE bug 1031392SUSE bug 1035053SUSE bug 1042422SUSE bug 1043591SUSE bug 1044189SUSE bug 1048129SUSE bug 1050431SUSE bug 1050549SUSE bug 1053043SUSE bug 1054239SUSE bug 1057199SUSE bug 1062303SUSE bug 1063026SUSE bug 1065600SUSE bug 1065726SUSE bug 1066223SUSE bug 1067906SUSE bug 1073579SUSE bug 1076393SUSE bug 1078788SUSE bug 1079524SUSE bug 1082519SUSE bug 1082863SUSE bug 1082979SUSE bug 1083215SUSE bug 1083527SUSE bug 1084427SUSE bug 1084536SUSE bug 1084760SUSE bug 1087209SUSE bug 1088087SUSE bug 1089343SUSE bug 1090535SUSE bug 1091158SUSE bug 1093118SUSE bug 1094244SUSE bug 1094555SUSE bug 1094562SUSE bug 1094825SUSE bug 1095344SUSE bug 1095753SUSE bug 1095805SUSE bug 1096052SUSE bug 1096547SUSE bug 1098050SUSE bug 1098996SUSE bug 1099597SUSE bug 1099810SUSE bug 1101555SUSE bug 1102495SUSE bug 1102715SUSE bug 1102870SUSE bug 1102875SUSE bug 1102877SUSE bug 1102879SUSE bug 1102882SUSE bug 1102896SUSE bug 1103156SUSE bug 1103269SUSE bug 1103308SUSE bug 1103405SUSE bug 1104124SUSE bug 1105025SUSE bug 1105428SUSE bug 1105795SUSE bug 1105931SUSE bug 1106095SUSE bug 1106105SUSE bug 1106110SUSE bug 1106240SUSE bug 1106293SUSE bug 1106359SUSE bug 1106434SUSE bug 1106512SUSE bug 1106594SUSE bug 1106913SUSE bug 1106929SUSE bug 1106934SUSE bug 1107060SUSE bug 1107299SUSE bug 1107318SUSE bug 1107535SUSE bug 1107829SUSE bug 1107870SUSE bug 1107924SUSE bug 1108096SUSE bug 1108170SUSE bug 1108240SUSE bug 1108281SUSE bug 1108315SUSE bug 1108377SUSE bug 1108399SUSE bug 1108498SUSE bug 1108803SUSE bug 1108823SUSE bug 1109038SUSE bug 1109158SUSE bug 1109333SUSE bug 1109336SUSE bug 1109337SUSE bug 1109441SUSE bug 1109772SUSE bug 1109784SUSE bug 1109806SUSE bug 1109818SUSE bug 1109907SUSE bug 1109919SUSE bug 1109923SUSE bug 1110006SUSE bug 1110297SUSE bug 1110337SUSE bug 1110363SUSE bug 1110468SUSE bug 1110600SUSE bug 1110601SUSE bug 1110602SUSE bug 1110603SUSE bug 1110604SUSE bug 1110605SUSE bug 1110606SUSE bug 1110611SUSE bug 1110612SUSE bug 1110613SUSE bug 1110614SUSE bug 1110615SUSE bug 1110616SUSE bug 1110618SUSE bug 1110619SUSE bug 1110930SUSE bug 1111363SUSE bug 1111516SUSE bug 1111870SUSE bug 1112007SUSE bug 1112262SUSE bug 1112263SUSE bug 1112894SUSE bug 1112902SUSE bug 1112903SUSE bug 1112905SUSE bug 1113667SUSE bug 1113751SUSE bug 1113766SUSE bug 1113769SUSE bug 1114178SUSE bug 1114229SUSE bug 1114648SUSE bug 1115593SUSE bug 981083SUSE bug 997172CVE-2018-14613 at SUSECVE-2018-14613 at NVDCVE-2018-14617 at SUSECVE-2018-14617 at NVDCVE-2018-14633 at SUSECVE-2018-14633 at NVDCVE-2018-16276 at SUSECVE-2018-16276 at NVDCVE-2018-16597 at SUSECVE-2018-16597 at NVDCVE-2018-17182 at SUSECVE-2018-17182 at NVDCVE-2018-18281 at SUSECVE-2018-18281 at NVDCVE-2018-18386 at SUSECVE-2018-18386 at NVDCVE-2018-18690 at SUSECVE-2018-18690 at NVDCVE-2018-18710 at SUSECVE-2018-18710 at NVDCVE-2018-7480 at SUSECVE-2018-7480 at NVDCVE-2018-7757 at SUSECVE-2018-7757 at NVDCVE-2018-9516 at SUSECVE-2018-9516 at NVDcpe:/o:suse:sles:12:sp3Security update for wget (Important)SUSE Linux Enterprise Server 12 SP3
This update for wget fixes the following issues:
Security issue fixed:
- CVE-2019-5953: Fixed a buffer overflow vulnerability which might cause code execution (bsc#1131493).
ImportantSUSE bug 1131493CVE-2019-5953 at SUSECVE-2019-5953 at NVDcpe:/o:suse:sles:12:sp3Security update for qemu (Important)SUSE Linux Enterprise Server 12 SP3
This update for qemu fixes the following issues:
Security issues fixed:
- CVE-2019-9824: Fixed information leak in slirp (bsc#1129622).
- CVE-2019-8934: Added method to specify whether or not to expose certain ppc64 hostinformation (bsc#1126455).
- CVE-2019-3812: Fixed Out-of-bounds memory access and information leak in virtual monitor interface (bsc#1125721).
- CVE-2018-20815: Fixed a denial of service possibility in device tree processing (bsc#1130675).
Non-security issue fixed:
- Backported Skylake-Server vcpu model support from qemu v2.11 (FATE#327261 bsc#1131955).
- Added ability to set virtqueue size using virtqueue_size parameter (FATE#327255 bsc#1118900).
ImportantSUSE bug 1118900SUSE bug 1125721SUSE bug 1126455SUSE bug 1129622SUSE bug 1130675SUSE bug 1131955CVE-2018-20815 at SUSECVE-2018-20815 at NVDCVE-2019-3812 at SUSECVE-2019-3812 at NVDCVE-2019-8934 at SUSECVE-2019-8934 at NVDCVE-2019-9824 at SUSECVE-2019-9824 at NVDcpe:/o:suse:sles:12:sp3Security update for soundtouch (Moderate)SUSE Linux Enterprise Server 12 SP3
This update for soundtouch fixes the following issues:
Security issues fixed:
- CVE-2018-17098: Fixed a heap corruption from size inconsistency, which
allowed remote attackers to cause a denial of service or possibly have
other unspecified impact (bsc#1108632)
- CVE-2018-17097: Fixed a double free, which allowed remote attackers to cause
a denial of service or possibly have other unspecified impact (bsc#1108631)
ModerateSUSE bug 1108631SUSE bug 1108632CVE-2018-17097 at SUSECVE-2018-17097 at NVDCVE-2018-17098 at SUSECVE-2018-17098 at NVDcpe:/o:suse:sles:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3
This update for python3 fixes the following issues:
Security issue fixed:
- CVE-2019-9636: Fixed an information disclosure because of incorrect handling of Unicode encoding during NFKC normalization (bsc#1129346).
ImportantSUSE bug 1129346CVE-2019-9636 at SUSECVE-2019-9636 at NVDcpe:/o:suse:sles:12:sp3Security update for curl (Important)SUSE Linux Enterprise Server 12 SP3
This update for curl fixes the following issues:
Security issue fixed:
- CVE-2018-16839: Fixed a buffer overflow in the SASL authentication code (bsc#1112758).
ImportantSUSE bug 1112758SUSE bug 1131886CVE-2018-16839 at SUSECVE-2018-16839 at NVDcpe:/o:suse:sles:12:sp3Security update for freeradius-server (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for freeradius-server fixes the following issues:
- CVE-2019-13456: Fixed a side-channel password leak in EAP-pwd
(bsc#1144524).
- CVE-2019-17185: Fixed a debial of service due to multithreaded
BN_CTX access (bsc#1166847).
- Fixed an issue in TLS-EAP where the OCSP verification, when an
intermediate client certificate was not explicitly trusted
(bsc#1146848).
ModerateSUSE bug 1144524SUSE bug 1146848SUSE bug 1166847CVE-2019-13456 at SUSECVE-2019-13456 at NVDCVE-2019-17185 at SUSECVE-2019-17185 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for cups (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for cups fixes the following issues:
- CVE-2020-3898: Fixed a heap buffer overflow in ppdFindOption() (bsc#1168422).
ImportantSUSE bug 1168422CVE-2020-3898 at SUSECVE-2020-3898 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for pam_radius (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for pam_radius fixes the following issues:
- CVE-2015-9542: Fixed a buffer overflow in password field (bsc#1163933).
- On s390x didn't decrypt passwords correctly (bsc#1141670).
ImportantSUSE bug 1141670SUSE bug 1163933CVE-2015-9542 at SUSECVE-2015-9542 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for webkit2gtk3 to version 2.28.1 fixes the following issues:
Security issues fixed:
- CVE-2020-10018: Fixed a denial of service because the m_deferredFocusedNodeChange data structure was mishandled (bsc#1165528).
- CVE-2020-11793: Fixed a potential arbitrary code execution caused by a use-after-free vulnerability (bsc#1169658).
- CVE-2019-8835: Fixed multiple memory corruption issues (bsc#1161719).
- CVE-2019-8844: Fixed multiple memory corruption issues (bsc#1161719).
- CVE-2019-8846: Fixed a use-after-free issue (bsc#1161719).
- CVE-2020-3862: Fixed a memory handling issue (bsc#1163809).
- CVE-2020-3867: Fixed an XSS issue (bsc#1163809).
- CVE-2020-3868: Fixed multiple memory corruption issues that could have lead to arbitrary code execution (bsc#1163809).
- CVE-2020-3864,CVE-2020-3865: Fixed logic issues in the DOM object context handling (bsc#1163809).
Non-security issues fixed:
- Add API to enable Process Swap on (Cross-site) Navigation.
- Add user messages API for the communication with the web extension.
- Add support for same-site cookies.
- Service workers are enabled by default.
- Add support for Pointer Lock API.
- Add flatpak sandbox support.
- Make ondemand hardware acceleration policy never leave accelerated compositing mode.
- Always use a light theme for rendering form controls.
- Add about:gpu to show information about the graphics stack.
- Fixed issues while trying to play a video on NextCloud.
- Fixed vertical alignment of text containing arabic diacritics.
- Fixed build with icu 65.1.
- Fixed page loading errors with websites using HSTS.
- Fixed web process crash when displaying a KaTeX formula.
- Fixed several crashes and rendering issues.
- Switched to a single web process for Evolution and geary (bsc#1159329).
ImportantSUSE bug 1155321SUSE bug 1156318SUSE bug 1159329SUSE bug 1161719SUSE bug 1163809SUSE bug 1165528SUSE bug 1169658CVE-2019-8625 at SUSECVE-2019-8625 at NVDCVE-2019-8710 at SUSECVE-2019-8710 at NVDCVE-2019-8720 at SUSECVE-2019-8720 at NVDCVE-2019-8743 at SUSECVE-2019-8743 at NVDCVE-2019-8764 at SUSECVE-2019-8764 at NVDCVE-2019-8766 at SUSECVE-2019-8766 at NVDCVE-2019-8769 at SUSECVE-2019-8769 at NVDCVE-2019-8771 at SUSECVE-2019-8771 at NVDCVE-2019-8782 at SUSECVE-2019-8782 at NVDCVE-2019-8783 at SUSECVE-2019-8783 at NVDCVE-2019-8808 at SUSECVE-2019-8808 at NVDCVE-2019-8811 at SUSECVE-2019-8811 at NVDCVE-2019-8812 at SUSECVE-2019-8812 at NVDCVE-2019-8813 at SUSECVE-2019-8813 at NVDCVE-2019-8814 at SUSECVE-2019-8814 at NVDCVE-2019-8815 at SUSECVE-2019-8815 at NVDCVE-2019-8816 at SUSECVE-2019-8816 at NVDCVE-2019-8819 at SUSECVE-2019-8819 at NVDCVE-2019-8820 at SUSECVE-2019-8820 at NVDCVE-2019-8823 at SUSECVE-2019-8823 at NVDCVE-2019-8835 at SUSECVE-2019-8835 at NVDCVE-2019-8844 at SUSECVE-2019-8844 at NVDCVE-2019-8846 at SUSECVE-2019-8846 at NVDCVE-2020-10018 at SUSECVE-2020-10018 at NVDCVE-2020-11793 at SUSECVE-2020-11793 at NVDCVE-2020-3862 at SUSECVE-2020-3862 at NVDCVE-2020-3864 at SUSECVE-2020-3864 at NVDCVE-2020-3865 at SUSECVE-2020-3865 at NVDCVE-2020-3867 at SUSECVE-2020-3867 at NVDCVE-2020-3868 at SUSECVE-2020-3868 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for shibboleth-sp (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for shibboleth-sp fixes the following issues:
Security issue fixed:
- CVE-2019-19191: Fixed escalation to root by fixing ownership of log files (bsc#1157471).
ModerateSUSE bug 1157471CVE-2019-19191 at SUSECVE-2019-19191 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for ceph (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for ceph fixes the following issues:
- CVE-2020-12059: Fixed a denial of service caused by a specially crafted XML payload on POST requests (bsc#1170170).
ImportantSUSE bug 1170170CVE-2020-12059 at SUSECVE-2020-12059 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for LibVNCServer (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for LibVNCServer fixes the following issues:
- CVE-2019-15690: Fixed a heap buffer overflow (bsc#1160471).
- CVE-2019-15681: Fixed a memory leak which could have allowed to a remote attacker to read stack memory (bsc#1155419).
- CVE-2019-20788: Fixed a integer overflow and heap-based buffer overflow via a large height or width value (bsc#1170441).
ImportantSUSE bug 1155419SUSE bug 1160471SUSE bug 1170441CVE-2019-15681 at SUSECVE-2019-15681 at NVDCVE-2019-15690 at SUSECVE-2019-15690 at NVDCVE-2019-20788 at SUSECVE-2019-20788 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for icu (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for icu fixes the following issues:
- CVE-2020-10531: Fixed integer overflow in UnicodeString:doAppend() (bsc#1166844).
ModerateSUSE bug 1166844CVE-2020-10531 at SUSECVE-2020-10531 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for openldap2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for openldap2 fixes the following issues:
- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).
ImportantSUSE bug 1170771CVE-2020-12243 at SUSECVE-2020-12243 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for webkit2gtk3 fixes the following issues:
Security issue fixed:
- CVE-2020-3899: Fixed a memory consumption issue that could have led to remote code execution (bsc#1170643).
Non-security issues fixed:
- Update to version 2.28.2 (bsc#1170643):
+ Fix excessive CPU usage due to GdkFrameClock not being stopped.
+ Fix UI process crash when EGL_WL_bind_wayland_display extension
is not available.
+ Fix position of select popup menus in X11.
+ Fix playing of Youtube 'live stream'/H264 URLs.
+ Fix a crash under X11 when cairo uses xcb.
+ Fix the build in MIPS64.
+ Fix several crashes and rendering issues.
ImportantSUSE bug 1170643CVE-2020-3899 at SUSECVE-2020-3899 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for ghostscript (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for ghostscript to version 9.52 fixes the following issues:
- CVE-2020-12268: Fixed a heap-based buffer overflow in jbig2_image_compose (bsc#1170603).
ImportantSUSE bug 1170603CVE-2020-12268 at SUSECVE-2020-12268 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
Update to version 68.8.0 ESR (bsc#1171186):
- CVE-2020-12387: Use-after-free during worker shutdown
- CVE-2020-12388: Sandbox escape with improperly guarded Access Tokens
- CVE-2020-12389: Sandbox escape with improperly separated process types
- CVE-2020-6831: Buffer overflow in SCTP chunk input validation
- CVE-2020-12392: Arbitrary local file access with 'Copy as cURL'
- CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection
- CVE-2020-12395: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
ImportantSUSE bug 1171186CVE-2020-12387 at SUSECVE-2020-12387 at NVDCVE-2020-12388 at SUSECVE-2020-12388 at NVDCVE-2020-12389 at SUSECVE-2020-12389 at NVDCVE-2020-12392 at SUSECVE-2020-12392 at NVDCVE-2020-12393 at SUSECVE-2020-12393 at NVDCVE-2020-12395 at SUSECVE-2020-12395 at NVDCVE-2020-6831 at SUSECVE-2020-6831 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for squid (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for squid fixes the following issues:
- CVE-2019-12519, CVE-2019-12521: fixes incorrect buffer handling that can
result in cache poisoning, remote execution, and denial of service attacks
when processing ESI responses (bsc#1169659).
- CVE-2020-11945: fixes a potential remote execution vulnerability
when using HTTP Digest Authentication (bsc#1170313).
- CVE-2019-12520, CVE-2019-12524: fixes a potential ACL bypass, cache-bypass
and cross-site scripting attack when processing invalid HTTP
Request messages (bsc#1170423).
ImportantSUSE bug 1169659SUSE bug 1170313SUSE bug 1170423CVE-2019-12519 at SUSECVE-2019-12519 at NVDCVE-2019-12520 at SUSECVE-2019-12520 at NVDCVE-2019-12521 at SUSECVE-2019-12521 at NVDCVE-2019-12524 at SUSECVE-2019-12524 at NVDCVE-2020-11945 at SUSECVE-2020-11945 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for apache2 fixes the following issues:
- CVE-2020-1934: mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server (bsc#1168404).
- CVE-2020-1927: mod_rewrite configurations vulnerable to open redirect (bsc#1168407).
- CVE-2020-1938: mod_proxy_ajp: Add 'secret' parameter to proxy workers to implement legacy AJP13 authentication (bsc#1169066).
ImportantSUSE bug 1168404SUSE bug 1168407SUSE bug 1169066CVE-2020-1927 at SUSECVE-2020-1927 at NVDCVE-2020-1934 at SUSECVE-2020-1934 at NVDCVE-2020-1938 at SUSECVE-2020-1938 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-11494: An issue was discovered in slc_bump in drivers/net/can/slcan.c, which allowed attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL (bnc#1168424).
- CVE-2020-10942: In get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls (bnc#1167629).
- CVE-2020-8647: Fixed a use-after-free vulnerability in the vc_do_resize function in drivers/tty/vt/vt.c (bnc#1162929).
- CVE-2020-8649: Fixed a use-after-free vulnerability in the vgacon_invert_region function in drivers/video/console/vgacon.c (bnc#1162931).
- CVE-2020-9383: Fixed an issue in set_fdc in drivers/block/floppy.c, which leads to a wait_til_ready out-of-bounds read (bnc#1165111).
- CVE-2019-9458: In the video driver there was a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed (bnc#1168295).
- CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bnc#1120386).
- CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bnc#1159285).
- CVE-2020-11609: Fixed a NULL pointer dereference in the stv06xx subsystem caused by mishandling invalid descriptors (bnc#1168854).
- CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).
- CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).
- CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bnc#1170345).
- CVE-2020-11608: Fixed an issue in drivers/media/usb/gspca/ov519.c caused by a NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs when there are zero endpoints (bnc#1168829).
- CVE-2017-18255: The perf_cpu_time_max_percent_handler function in kernel/events/core.c allowed local users to cause a denial of service (integer overflow) or possibly have unspecified other impact via a large value, as demonstrated by an incorrect sample-rate calculation (bnc#1087813).
- CVE-2020-8648: There was a use-after-free vulnerability in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bnc#1162928).
- CVE-2020-2732: A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest (bnc#1163971).
- CVE-2019-5108: Fixed a denial-of-service vulnerability caused by triggering AP to send IAPP location updates for stations before the required authentication process has completed (bnc#1159912).
- CVE-2020-8992: ext4_protect_reserved_inode in fs/ext4/block_validity.c allowed attackers to cause a denial of service (soft lockup) via a crafted journal size (bnc#1164069).
- CVE-2018-21008: Fixed a use-after-free which could be caused by the function rsi_mac80211_detach in the file drivers/net/wireless/rsi/rsi_91x_mac80211.c (bnc#1149591).
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bnc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in Marvell WiFi chip driver. An attacker is able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bnc#1157155).
- CVE-2019-18675: Fixed an integer overflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c because cpia2 has its own mmap implementation. This allowed local users (with /dev/video0 access) to obtain read and write permissions on kernel physical pages, which can possibly result in a privilege escalation (bnc#1157804).
- CVE-2019-14615: Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R) Processor Graphics may have allowed an unauthenticated user to potentially enable information disclosure via local access (bnc#1160195, bsc#1165881).
- CVE-2019-19965: Fixed a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition (bnc#1159911).
- CVE-2019-20054: Fixed a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links (bnc#1159910).
- CVE-2019-20096: Fixed a memory leak in __feat_register_sp() in net/dccp/feat.c, which may cause denial of service (bnc#1159908).
- CVE-2019-19966: Fixed a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that will cause denial of service (bnc#1159841).
- CVE-2019-19447: Fixed an issue with mounting a crafted ext4 filesystem image, performing some operations, and unmounting could lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c (bnc#1158819).
- CVE-2019-19319: Fixed an issue with a setxattr operation, after a mount of a crafted ext4 image, can cause a slab-out-of-bounds write access because of an ext4_xattr_set_entry use-after-free in fs/ext4/xattr.c when a large old_size value is used in a memset call (bnc#1158021).
- CVE-2019-19767: Fixed mishandling of ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c (bnc#1159297).
- CVE-2019-11091,CVE-2018-12126,CVE-2018-12130,CVE-2018-12127: Earlier mitigations for the 'MDS' Microarchitectural Data Sampling attacks were not complete.
An additional fix was added to the x86_64 fast systemcall path to further mitigate these attacks. (bsc#1164846 bsc#1170847)
The following non-security bugs were fixed:
- blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285).
- blktrace: fix dereference after null check (bsc#1159285).
- blktrace: fix trace mutex deadlock (bsc#1159285).
- btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered extents (bsc#1163508).
- btrfs: fix panic during relocation after ENOSPC before writeback happens (bsc#1163508).
- btrfs: qgroup: Fix root item corruption when multiple same source snapshots are created with quota enabled (bsc#1158642)
- btrfs: relocation: fix reloc_root lifespan and access (bsc#1164009).
- enic: prevent waking up stopped tx queues over watchdog reset (bsc#1133147).
- fix PageHeadHuge() race with THP split (VM Functionality, bsc#1165311).
- fs/xfs: fix f_ffree value for statfs when project quota is set (bsc#1165985).
- ibmvnic: Bound waits for device queries (bsc#1155689 ltc#182047).
- ibmvnic: Fix completion structure initialization (bsc#1155689 ltc#182047).
- ibmvnic: Serialize device queries (bsc#1155689 ltc#182047).
- ibmvnic: Terminate waiting device threads after loss of service (bsc#1155689 ltc#182047).
- input: add safety guards to input_set_keycode() (bsc#1168075).
- ipv4: correct gso_size for UFO (bsc#1154844).
- ipv6: fix memory accounting during ipv6 queue expire (bsc#1162227) (bsc#1162227).
- ipvlan: do not add hardware address of master to its unicast filter list (bsc#1137325).
- md: add mddev->pers to avoid potential NULL pointer dereference (bsc#1056134).
- md/bitmap: do not read page from device with Bitmap_sync (bsc#1056134).
- md: change the initialization value for a spare device spot to MD_DISK_ROLE_SPARE (bsc#1056134).
- md: Delete gendisk before cleaning up the request queue (bsc#1056134).
- md: do not call bitmap_create() while array is quiesced (bsc#1056134).
- md: do not set In_sync if array is frozen (bsc#1056134).
- md: fix a potential deadlock of raid5/raid10 reshape (bsc#1056134).
- md: md.c: Return -ENODEV when mddev is NULL in rdev_attr_show (bsc#1056134).
- md: notify about new spare disk in the container (bsc#1056134).
- md/raid0: Fix buffer overflow at debug print (bsc#1164051).
- md/raid10: end bio when the device faulty (bsc#1056134).
- md/raid10: Fix raid10 replace hang when new added disk faulty (bsc#1056134).
- md/raid1,raid10: silence warning about wait-within-wait (bsc#1056134).
- md: return -ENODEV if rdev has no mddev assigned (bsc#1056134).
- media: ov519: add missing endpoint sanity checks (bsc#1168829).
- media: stv06xx: add missing descriptor sanity checks (bsc#1168854).
- net: ena: Add PCI shutdown handler to allow safe kexec (bsc#1167421, bsc#1167423).
- netfilter: conntrack: sctp: use distinct states for new SCTP connections (bsc#1159199).
- net/ibmvnic: Fix typo in retry check (bsc#1155689 ltc#182047).
- rpm/kernel-binary.spec.in: Replace Novell with SUSE
- sched/fair: Scale bandwidth quota and period without losing quota/period ratio precision (bsc#1161586).
- scsi: core: avoid repetitive logging of device offline messages (bsc#1145929).
- scsi: core: kABI fix already_offline (bsc#1145929).
- tcp: clear tp->packets_out when purging write queue (bsc#1154118).
- x86/mitigations: Clear CPU buffers on the SYSCALL fast path (bsc#1164846 bsc#1170847).
- xfs: also remove cached ACLs when removing the underlying attr (bsc#1165873).
- xfs: bulkstat should copy lastip whenever userspace supplies one (bsc#1165984).
ImportantSUSE bug 1056134SUSE bug 1087813SUSE bug 1120386SUSE bug 1133147SUSE bug 1137325SUSE bug 1145929SUSE bug 1149591SUSE bug 1154118SUSE bug 1154844SUSE bug 1155689SUSE bug 1157155SUSE bug 1157157SUSE bug 1157303SUSE bug 1157804SUSE bug 1158021SUSE bug 1158642SUSE bug 1158819SUSE bug 1159199SUSE bug 1159285SUSE bug 1159297SUSE bug 1159841SUSE bug 1159908SUSE bug 1159910SUSE bug 1159911SUSE bug 1159912SUSE bug 1160195SUSE bug 1161586SUSE bug 1162227SUSE bug 1162928SUSE bug 1162929SUSE bug 1162931SUSE bug 1163508SUSE bug 1163971SUSE bug 1164009SUSE bug 1164051SUSE bug 1164069SUSE bug 1164078SUSE bug 1164846SUSE bug 1165111SUSE bug 1165311SUSE bug 1165873SUSE bug 1165881SUSE bug 1165984SUSE bug 1165985SUSE bug 1167421SUSE bug 1167423SUSE bug 1167629SUSE bug 1168075SUSE bug 1168295SUSE bug 1168424SUSE bug 1168829SUSE bug 1168854SUSE bug 1170056SUSE bug 1170345SUSE bug 1170778SUSE bug 1170847CVE-2017-18255 at SUSECVE-2017-18255 at NVDCVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2018-21008 at SUSECVE-2018-21008 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDCVE-2019-14615 at SUSECVE-2019-14615 at NVDCVE-2019-14896 at SUSECVE-2019-14896 at NVDCVE-2019-14897 at SUSECVE-2019-14897 at NVDCVE-2019-18675 at SUSECVE-2019-18675 at NVDCVE-2019-19066 at SUSECVE-2019-19066 at NVDCVE-2019-19319 at SUSECVE-2019-19319 at NVDCVE-2019-19447 at SUSECVE-2019-19447 at NVDCVE-2019-19767 at SUSECVE-2019-19767 at NVDCVE-2019-19768 at SUSECVE-2019-19768 at NVDCVE-2019-19965 at SUSECVE-2019-19965 at NVDCVE-2019-19966 at SUSECVE-2019-19966 at NVDCVE-2019-20054 at SUSECVE-2019-20054 at NVDCVE-2019-20096 at SUSECVE-2019-20096 at NVDCVE-2019-3701 at SUSECVE-2019-3701 at NVDCVE-2019-5108 at SUSECVE-2019-5108 at NVDCVE-2019-9455 at SUSECVE-2019-9455 at NVDCVE-2019-9458 at SUSECVE-2019-9458 at NVDCVE-2020-10690 at SUSECVE-2020-10690 at NVDCVE-2020-10720 at SUSECVE-2020-10720 at NVDCVE-2020-10942 at SUSECVE-2020-10942 at NVDCVE-2020-11494 at SUSECVE-2020-11494 at NVDCVE-2020-11608 at SUSECVE-2020-11608 at NVDCVE-2020-11609 at SUSECVE-2020-11609 at NVDCVE-2020-2732 at SUSECVE-2020-2732 at NVDCVE-2020-8647 at SUSECVE-2020-8647 at NVDCVE-2020-8648 at SUSECVE-2020-8648 at NVDCVE-2020-8649 at SUSECVE-2020-8649 at NVDCVE-2020-8992 at SUSECVE-2020-8992 at NVDCVE-2020-9383 at SUSECVE-2020-9383 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for python-PyYAML (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for python-PyYAML fixes the following issues:
- CVE-2020-1747: Fixed an arbitrary code execution when YAML files are parsed by FullLoader (bsc#1165439).
ImportantSUSE bug 1165439CVE-2020-1747 at SUSECVE-2020-1747 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for git (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for git to 2.26.2 fixes the following issues:
Security issue fixed:
- CVE-2020-11008: Specially crafted URLs may have tricked the credentials helper
to providing credential information that is not appropriate for the protocol
in use and host being contacted (bsc#1169936).
Non-security issue fixed:
- Fixed git-daemon not starting after conversion from sysvinit to systemd service (bsc#1169605).
- Enabled access for git-daemon in firewall configuration (bsc#1170302).
- Fixed problems with recent switch to protocol v2, which caused fetches transferring unreasonable amount of data (bsc#1170741).
ModerateSUSE bug 1149792SUSE bug 1168930SUSE bug 1169605SUSE bug 1169786SUSE bug 1169936SUSE bug 1170302SUSE bug 1170741SUSE bug 1170939CVE-2020-11008 at SUSECVE-2020-11008 at NVDCVE-2020-5260 at SUSECVE-2020-5260 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for mailman (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for mailman fixes the following issues:
Security issue fixed:
- CVE-2020-12108: Fixed a content injection bug (bsc#1171363).
- CVE-2020-12137: Fixed a XSS vulnerability caused by MIME type confusion (bsc#1170558).
Non-security issue fixed:
- Fixed rights and ownership on /var/lib/mailman/archives (bsc#1167068).
- Don't default to invalid hosts for DEFAULT_EMAIL_HOST (bsc#682920).
ImportantSUSE bug 1167068SUSE bug 1170558SUSE bug 1171363SUSE bug 682920CVE-2020-12108 at SUSECVE-2020-12108 at NVDCVE-2020-12137 at SUSECVE-2020-12137 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_113 fixes several issues.
The following security issues were fixed:
- CVE-2020-12653: Fixed a buffer overflow in mwifiex_cmd_append_vsie_tlv() which could have allowed local users to gain privileges or cause a denial of service (bsc#1171254).
- CVE-2020-12654: Fixed a heap-based buffer overflow in mwifiex_ret_wmm_get_status() which could have been triggered by a remote AP to trigger (bsc#1171252).
ImportantSUSE bug 1171252SUSE bug 1171254CVE-2020-12653 at SUSECVE-2020-12653 at NVDCVE-2020-12654 at SUSECVE-2020-12654 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_107 fixes several issues.
The following security issues were fixed:
- CVE-2020-12653: Fixed a buffer overflow in mwifiex_cmd_append_vsie_tlv() which could have allowed local users to gain privileges or cause a denial of service (bsc#1171254).
- CVE-2020-12654: Fixed a heap-based buffer overflow in mwifiex_ret_wmm_get_status() which could have been triggered by a remote AP to trigger (bsc#1171252).
ImportantSUSE bug 1171252SUSE bug 1171254CVE-2020-12653 at SUSECVE-2020-12653 at NVDCVE-2020-12654 at SUSECVE-2020-12654 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 28 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_103 fixes several issues.
The following security issues were fixed:
- CVE-2020-12653: Fixed a buffer overflow in mwifiex_cmd_append_vsie_tlv() which could have allowed local users to gain privileges or cause a denial of service (bsc#1171254).
- CVE-2020-12654: Fixed a heap-based buffer overflow in mwifiex_ret_wmm_get_status() which could have been triggered by a remote AP to trigger (bsc#1171252).
ImportantSUSE bug 1171252SUSE bug 1171254CVE-2020-12653 at SUSECVE-2020-12653 at NVDCVE-2020-12654 at SUSECVE-2020-12654 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 27 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_100 fixes several issues.
The following security issues were fixed:
- CVE-2020-12653: Fixed a buffer overflow in mwifiex_cmd_append_vsie_tlv() which could have allowed local users to gain privileges or cause a denial of service (bsc#1171254).
- CVE-2020-12654: Fixed a heap-based buffer overflow in mwifiex_ret_wmm_get_status() which could have been triggered by a remote AP to trigger (bsc#1171252).
ImportantSUSE bug 1171252SUSE bug 1171254CVE-2020-12653 at SUSECVE-2020-12653 at NVDCVE-2020-12654 at SUSECVE-2020-12654 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 26 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_97 fixes several issues.
The following security issues were fixed:
- CVE-2020-12653: Fixed a buffer overflow in mwifiex_cmd_append_vsie_tlv() which could have allowed local users to gain privileges or cause a denial of service (bsc#1171254).
- CVE-2020-12654: Fixed a heap-based buffer overflow in mwifiex_ret_wmm_get_status() which could have been triggered by a remote AP to trigger (bsc#1171252).
ImportantSUSE bug 1171252SUSE bug 1171254CVE-2020-12653 at SUSECVE-2020-12653 at NVDCVE-2020-12654 at SUSECVE-2020-12654 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 25 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.178-94_91 fixes several issues.
The following security issues were fixed:
- CVE-2020-12653: Fixed a buffer overflow in mwifiex_cmd_append_vsie_tlv() which could have allowed local users to gain privileges or cause a denial of service (bsc#1171254).
- CVE-2020-12654: Fixed a heap-based buffer overflow in mwifiex_ret_wmm_get_status() which could have been triggered by a remote AP to trigger (bsc#1171252).
ImportantSUSE bug 1171252SUSE bug 1171254CVE-2020-12653 at SUSECVE-2020-12653 at NVDCVE-2020-12654 at SUSECVE-2020-12654 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for tomcat (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for tomcat fixes the following issues:
CVE-2020-9484 (bsc#1171928)
Apache Tomcat Remote Code Execution via session persistence
If an attacker was able to control the contents and name of a file on a
server configured to use the PersistenceManager, then the attacker could
have triggered a remote code execution via deserialization of the file under
their control.
CVE-2019-12418 (bsc#1159723)
Local privilege escalation by manipulating the RMI registry and performing a man-in-the-middle attack
When Tomcat is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files was able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface.
The attacker could then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.
CVE-2019-0221 (bsc#1136085)
The SSI printenv command echoed user provided data without escaping, which
made it vulnerable to XSS.
CVE-2019-17563 (bsc#1159729)
When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack.
CVE-2019-17569 (bsc#1164825)
Invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling
if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header.
ImportantSUSE bug 1136085SUSE bug 1159723SUSE bug 1159729SUSE bug 1164825SUSE bug 1171928CVE-2019-0221 at SUSECVE-2019-0221 at NVDCVE-2019-12418 at SUSECVE-2019-12418 at NVDCVE-2019-17563 at SUSECVE-2019-17563 at NVDCVE-2019-17569 at SUSECVE-2019-17569 at NVDCVE-2020-9484 at SUSECVE-2020-9484 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for python (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for python to version 2.7.17 fixes the following issues:
Syncing with lots of upstream bug fixes and security fixes.
Bug fixes:
- CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825).
- CVE-2019-18348: Fixed a CRLF injection via the host part of the url passed to urlopen(). Now an InvalidURL exception is raised (bsc#1155094).
- CVE-2020-8492: Fixed a regular expression in urllib that was prone to denial of service via HTTP (bsc#1162367).
- Fixed mismatches between libpython and python-base versions (bsc#1162224).
- Fixed segfault in libpython2.7.so.1 (bsc#1073748).
- Unified packages among openSUSE:Factory and SLE versions (bsc#1159035).
- Added idle.desktop and idle.appdata.xml to provide IDLE in menus (bsc#1153830).
- Excluded tsl_check files from python-base to prevent file conflict with python-strict-tls-checks package (bsc#945401).
- Changed the name of idle3 icons to idle3.png to avoid collision with Python 2 version (bsc#1165894).
Additionally a new 'shared-python-startup' package is provided containing startup files.
python-rpm-macros was updated to fix:
- Do not write .pyc files for tests (bsc#1171561)
ModerateSUSE bug 1027282SUSE bug 1041090SUSE bug 1042670SUSE bug 1073269SUSE bug 1073748SUSE bug 1078326SUSE bug 1078485SUSE bug 1081750SUSE bug 1084650SUSE bug 1086001SUSE bug 1149792SUSE bug 1153830SUSE bug 1155094SUSE bug 1159035SUSE bug 1162224SUSE bug 1162367SUSE bug 1162825SUSE bug 1165894SUSE bug 1170411SUSE bug 1171561SUSE bug 945401CVE-2019-18348 at SUSECVE-2019-18348 at NVDCVE-2019-9674 at SUSECVE-2019-9674 at NVDCVE-2020-8492 at SUSECVE-2020-8492 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for krb5-appl (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for krb5-appl fixes the following issues:
- CVE-2020-10188: Fixed a remote root execution (bsc#1165787).
ImportantSUSE bug 1165787CVE-2020-10188 at SUSECVE-2020-10188 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libexif (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libexif fixes the following issues:
Security issues fixed:
- CVE-2016-6328: Fixed an integer overflow in parsing MNOTE entry data of the input file (bsc#1055857).
- CVE-2017-7544: Fixed an out-of-bounds heap read vulnerability in exif_data_save_data_entry function in libexif/exif-data.c (bsc#1059893).
- CVE-2018-20030: Fixed a denial of service by endless recursion (bsc#1120943).
- CVE-2019-9278: Fixed an integer overflow (bsc#1160770).
- CVE-2020-0093: Fixed an out-of-bounds read in exif_data_save_data_entry (bsc#1171847).
- CVE-2020-12767: Fixed a divide-by-zero error in exif_entry_get_value (bsc#1171475).
- CVE-2020-13112: Fixed a time consumption DoS when parsing canon array markers (bsc#1172121).
- CVE-2020-13113: Fixed a potential use of uninitialized memory (bsc#1172105).
- CVE-2020-13114: Fixed various buffer overread fixes due to integer overflows in maker notes (bsc#1172116).
Non-security issues fixed:
- libexif was updated to version 0.6.22:
* New translations: ms
* Updated translations for most languages
* Some useful EXIF 2.3 tag added:
* EXIF_TAG_GAMMA
* EXIF_TAG_COMPOSITE_IMAGE
* EXIF_TAG_SOURCE_IMAGE_NUMBER_OF_COMPOSITE_IMAGE
* EXIF_TAG_SOURCE_EXPOSURE_TIMES_OF_COMPOSITE_IMAGE
* EXIF_TAG_GPS_H_POSITIONING_ERROR
* EXIF_TAG_CAMERA_OWNER_NAME
* EXIF_TAG_BODY_SERIAL_NUMBER
* EXIF_TAG_LENS_SPECIFICATION
* EXIF_TAG_LENS_MAKE
* EXIF_TAG_LENS_MODEL
* EXIF_TAG_LENS_SERIAL_NUMBER
ModerateSUSE bug 1055857SUSE bug 1059893SUSE bug 1120943SUSE bug 1160770SUSE bug 1171475SUSE bug 1171847SUSE bug 1172105SUSE bug 1172116SUSE bug 1172121CVE-2016-6328 at SUSECVE-2016-6328 at NVDCVE-2017-7544 at SUSECVE-2017-7544 at NVDCVE-2018-20030 at SUSECVE-2018-20030 at NVDCVE-2019-9278 at SUSECVE-2019-9278 at NVDCVE-2020-0093 at SUSECVE-2020-0093 at NVDCVE-2020-12767 at SUSECVE-2020-12767 at NVDCVE-2020-13112 at SUSECVE-2020-13112 at NVDCVE-2020-13113 at SUSECVE-2020-13113 at NVDCVE-2020-13114 at SUSECVE-2020-13114 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for qemu (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for qemu fixes the following issues:
Security issues fixed:
- CVE-2020-1711: Fixed a potential OOB access in the iSCSI client code (bsc#1166240).
- CVE-2019-12068: Fixed a potential DoS in the LSI SCSI controller emulation (bsc#1146873).
- CVE-2020-1983: Fixed a use-after-free in the ip_reass function of slirp (bsc#1170940).
- CVE-2020-8608: Fixed a potential OOB access in slirp (bsc#1163018).
- CVE-2020-7039: Fixed a potential OOB access in slirp (bsc#1161066).
- CVE-2019-15890: Fixed a use-after-free during packet reassembly in slirp (bsc#1149811).
- Fixed multiple potential DoS issues in SLIRP, similar to CVE-2019-6778 (bsc#1123156).
Non-security issue fixed:
- Make sure that required memory is mapped properly during an incoming migration of a Xen HVM domU (bsc#1160024).
ModerateSUSE bug 1123156SUSE bug 1146873SUSE bug 1149811SUSE bug 1160024SUSE bug 1161066SUSE bug 1163018SUSE bug 1166240SUSE bug 1170940CVE-2019-12068 at SUSECVE-2019-12068 at NVDCVE-2019-15890 at SUSECVE-2019-15890 at NVDCVE-2019-6778 at SUSECVE-2019-6778 at NVDCVE-2020-1711 at SUSECVE-2020-1711 at NVDCVE-2020-1983 at SUSECVE-2020-1983 at NVDCVE-2020-7039 at SUSECVE-2020-7039 at NVDCVE-2020-8608 at SUSECVE-2020-8608 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for vim (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for vim fixes the following issues:
- CVE-2019-20807: Fixed an issue where escaping from the restrictive mode of vim
was possible using interfaces (bsc#1172225 and bsc#1172031).
ModerateSUSE bug 1172031SUSE bug 1172225CVE-2019-20807 at SUSECVE-2019-20807 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
- MozillaFirefox was updated to version 68.9.0 Extended Support Release (bsc#1172402).
- CVE-2020-12405: Fixed a use-after-free in SharedWorkerService.
- CVE-2020-12406: Fixed a JavaScript Type confusion with NativeTypes.
- CVE-2020-12410: Fixed multiple memory safety bugs.
ImportantSUSE bug 1172402CVE-2020-12405 at SUSECVE-2020-12405 at NVDCVE-2020-12406 at SUSECVE-2020-12406 at NVDCVE-2020-12410 at SUSECVE-2020-12410 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for ruby2.1 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for ruby2.1 fixes the following issues:
Security issues fixed:
- CVE-2015-9096: Fixed an SMTP command injection via CRLFsequences in a RCPT TO or MAIL FROM command (bsc#1043983).
- CVE-2016-7798: Fixed an IV Reuse in GCM Mode (bsc#1055265).
- CVE-2017-0898: Fixed a buffer underrun vulnerability in Kernel.sprintf (bsc#1058755).
- CVE-2017-0899: Fixed an issue with malicious gem specifications, insufficient sanitation when printing gem specifications could have included terminal characters (bsc#1056286).
- CVE-2017-0900: Fixed an issue with malicious gem specifications, the query command could have led to a denial of service attack against clients (bsc#1056286).
- CVE-2017-0901: Fixed an issue with malicious gem specifications, potentially overwriting arbitrary files on the client system (bsc#1056286).
- CVE-2017-0902: Fixed an issue with malicious gem specifications, that could have enabled MITM attacks against clients (bsc#1056286).
- CVE-2017-0903: Fixed an unsafe object deserialization vulnerability (bsc#1062452).
- CVE-2017-9228: Fixed a heap out-of-bounds write in bitset_set_range() during regex compilation (bsc#1069607).
- CVE-2017-9229: Fixed an invalid pointer dereference in left_adjust_char_head() in oniguruma (bsc#1069632).
- CVE-2017-10784: Fixed an escape sequence injection vulnerability in the Basic authentication of WEBrick (bsc#1058754).
- CVE-2017-14033: Fixed a buffer underrun vulnerability in OpenSSL ASN1 decode (bsc#1058757).
- CVE-2017-14064: Fixed an arbitrary memory exposure during a JSON.generate call (bsc#1056782).
- CVE-2017-17405: Fixed a command injection vulnerability in Net::FTP (bsc#1073002).
- CVE-2017-17742: Fixed an HTTP response splitting issue in WEBrick (bsc#1087434).
- CVE-2017-17790: Fixed a command injection in lib/resolv.rb:lazy_initialize() (bsc#1078782).
- CVE-2018-6914: Fixed an unintentional file and directory creation with directory traversal in tempfile and tmpdir (bsc#1087441).
- CVE-2018-8777: Fixed a potential DoS caused by large requests in WEBrick (bsc#1087436).
- CVE-2018-8778: Fixed a buffer under-read in String#unpack (bsc#1087433).
- CVE-2018-8779: Fixed an unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket (bsc#1087440).
- CVE-2018-8780: Fixed an unintentional directory traversal by poisoned NUL byte in Dir (bsc#1087437).
- CVE-2018-16395: Fixed an issue with OpenSSL::X509::Name equality checking (bsc#1112530).
- CVE-2018-16396: Fixed an issue with tainted string handling, where the flag was not propagated in Array#pack and String#unpack with some directives (bsc#1112532).
- CVE-2018-1000073: Fixed a path traversal issue (bsc#1082007).
- CVE-2018-1000074: Fixed an unsafe object deserialization vulnerability in gem owner, allowing arbitrary code execution with specially crafted YAML (bsc#1082008).
- CVE-2018-1000075: Fixed an infinite loop vulnerability due to negative size in tar header causes Denial of Service (bsc#1082014).
- CVE-2018-1000076: Fixed an improper verification of signatures in tarballs (bsc#1082009).
- CVE-2018-1000077: Fixed an improper URL validation in the homepage attribute of ruby gems (bsc#1082010).
- CVE-2018-1000078: Fixed a XSS vulnerability in the homepage attribute when displayed via gem server (bsc#1082011).
- CVE-2018-1000079: Fixed a path traversal issue during gem installation allows to write to arbitrary filesystem locations (bsc#1082058).
- CVE-2019-8320: Fixed a directory traversal issue when decompressing tar files (bsc#1130627).
- CVE-2019-8321: Fixed an escape sequence injection vulnerability in verbose (bsc#1130623).
- CVE-2019-8322: Fixed an escape sequence injection vulnerability in gem owner (bsc#1130622).
- CVE-2019-8323: Fixed an escape sequence injection vulnerability in API response handling (bsc#1130620).
- CVE-2019-8324: Fixed an issue with malicious gems that may have led to arbitrary code execution (bsc#1130617).
- CVE-2019-8325: Fixed an escape sequence injection vulnerability in errors (bsc#1130611).
- CVE-2019-15845: Fixed a NUL injection vulnerability in File.fnmatch and File.fnmatch? (bsc#1152994).
- CVE-2019-16201: Fixed a regular expression denial of service vulnerability in WEBrick's digest access authentication (bsc#1152995).
- CVE-2019-16254: Fixed an HTTP response splitting vulnerability in WEBrick (bsc#1152992).
- CVE-2019-16255: Fixed a code injection vulnerability in Shell#[] and Shell#test (bsc#1152990).
- CVE-2020-10663: Fixed an unsafe object creation vulnerability in JSON (bsc#1171517).
Non-security issue fixed:
- Add conflicts to libruby to make sure ruby and ruby-stdlib are also updated when libruby is updated (bsc#1048072).
Also yast2-ruby-bindings on SLES 12 SP2 LTSS was updated to handle the updated ruby interpreter. (bsc#1172275)
ImportantSUSE bug 1043983SUSE bug 1048072SUSE bug 1055265SUSE bug 1056286SUSE bug 1056782SUSE bug 1058754SUSE bug 1058755SUSE bug 1058757SUSE bug 1062452SUSE bug 1069607SUSE bug 1069632SUSE bug 1073002SUSE bug 1078782SUSE bug 1082007SUSE bug 1082008SUSE bug 1082009SUSE bug 1082010SUSE bug 1082011SUSE bug 1082014SUSE bug 1082058SUSE bug 1087433SUSE bug 1087434SUSE bug 1087436SUSE bug 1087437SUSE bug 1087440SUSE bug 1087441SUSE bug 1112530SUSE bug 1112532SUSE bug 1130611SUSE bug 1130617SUSE bug 1130620SUSE bug 1130622SUSE bug 1130623SUSE bug 1130627SUSE bug 1152990SUSE bug 1152992SUSE bug 1152994SUSE bug 1152995SUSE bug 1171517SUSE bug 1172275CVE-2015-9096 at SUSECVE-2015-9096 at NVDCVE-2016-2339 at SUSECVE-2016-2339 at NVDCVE-2016-7798 at SUSECVE-2016-7798 at NVDCVE-2017-0898 at SUSECVE-2017-0898 at NVDCVE-2017-0899 at SUSECVE-2017-0899 at NVDCVE-2017-0900 at SUSECVE-2017-0900 at NVDCVE-2017-0901 at SUSECVE-2017-0901 at NVDCVE-2017-0902 at SUSECVE-2017-0902 at NVDCVE-2017-0903 at SUSECVE-2017-0903 at NVDCVE-2017-10784 at SUSECVE-2017-10784 at NVDCVE-2017-14033 at SUSECVE-2017-14033 at NVDCVE-2017-14064 at SUSECVE-2017-14064 at NVDCVE-2017-17405 at SUSECVE-2017-17405 at NVDCVE-2017-17742 at SUSECVE-2017-17742 at NVDCVE-2017-17790 at SUSECVE-2017-17790 at NVDCVE-2017-9228 at SUSECVE-2017-9228 at NVDCVE-2017-9229 at SUSECVE-2017-9229 at NVDCVE-2018-1000073 at SUSECVE-2018-1000073 at NVDCVE-2018-1000074 at SUSECVE-2018-1000074 at NVDCVE-2018-1000075 at SUSECVE-2018-1000075 at NVDCVE-2018-1000076 at SUSECVE-2018-1000076 at NVDCVE-2018-1000077 at SUSECVE-2018-1000077 at NVDCVE-2018-1000078 at SUSECVE-2018-1000078 at NVDCVE-2018-1000079 at SUSECVE-2018-1000079 at NVDCVE-2018-16395 at SUSECVE-2018-16395 at NVDCVE-2018-16396 at SUSECVE-2018-16396 at NVDCVE-2018-6914 at SUSECVE-2018-6914 at NVDCVE-2018-8777 at SUSECVE-2018-8777 at NVDCVE-2018-8778 at SUSECVE-2018-8778 at NVDCVE-2018-8779 at SUSECVE-2018-8779 at NVDCVE-2018-8780 at SUSECVE-2018-8780 at NVDCVE-2019-15845 at SUSECVE-2019-15845 at NVDCVE-2019-16201 at SUSECVE-2019-16201 at NVDCVE-2019-16254 at SUSECVE-2019-16254 at NVDCVE-2019-16255 at SUSECVE-2019-16255 at NVDCVE-2019-8320 at SUSECVE-2019-8320 at NVDCVE-2019-8321 at SUSECVE-2019-8321 at NVDCVE-2019-8322 at SUSECVE-2019-8322 at NVDCVE-2019-8323 at SUSECVE-2019-8323 at NVDCVE-2019-8324 at SUSECVE-2019-8324 at NVDCVE-2019-8325 at SUSECVE-2019-8325 at NVDCVE-2020-10663 at SUSECVE-2020-10663 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_7_0-openjdk to version 7u261 fixes the following issues:
- CVE-2020-2756: Better mapping of serial ENUMs (bsc#1169511)
- CVE-2020-2757: Less Blocking Array Queues (bsc#1169511)
- CVE-2020-2773: Better signatures in XML (bsc#1169511)
- CVE-2020-2781: Improve TLS session handling (bsc#1169511)
- CVE-2020-2800: Better Headings for HTTP Servers (bsc#1169511)
- CVE-2020-2803: Enhance buffering of byte buffers (bsc#1169511)
- CVE-2020-2805: Enhance typing of methods (bsc#1169511)
- CVE-2020-2830: Better Scanner conversions (bsc#1169511)
ImportantSUSE bug 1169511CVE-2020-2756 at SUSECVE-2020-2756 at NVDCVE-2020-2757 at SUSECVE-2020-2757 at NVDCVE-2020-2773 at SUSECVE-2020-2773 at NVDCVE-2020-2781 at SUSECVE-2020-2781 at NVDCVE-2020-2800 at SUSECVE-2020-2800 at NVDCVE-2020-2803 at SUSECVE-2020-2803 at NVDCVE-2020-2805 at SUSECVE-2020-2805 at NVDCVE-2020-2830 at SUSECVE-2020-2830 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for tigervnc (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for tigervnc fixes the following issues:
- CVE-2019-15691: Fixed a use-after-return due to incorrect usage of stack memory in ZRLEDecoder (bsc#1159856).
- CVE-2019-15692: Fixed a heap-based buffer overflow in CopyRectDecode (bsc#1160250).
- CVE-2019-15693: Fixed a heap-based buffer overflow in TightDecoder::FilterGradient (bsc#1159858).
- CVE-2019-15694: Fixed a heap-based buffer overflow, caused by improper error handling in processing MemOutStream (bsc#1160251).
- CVE-2019-15695: Fixed a stack-based buffer overflow, which could be triggered from CMsgReader::readSetCursor (bsc#1159860).
ImportantSUSE bug 1159856SUSE bug 1159858SUSE bug 1159860SUSE bug 1160250SUSE bug 1160251SUSE bug 1160937CVE-2019-15691 at SUSECVE-2019-15691 at NVDCVE-2019-15692 at SUSECVE-2019-15692 at NVDCVE-2019-15693 at SUSECVE-2019-15693 at NVDCVE-2019-15694 at SUSECVE-2019-15694 at NVDCVE-2019-15695 at SUSECVE-2019-15695 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for ucode-intel (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for ucode-intel fixes the following issues:
Updated Intel CPU Microcode to 20200602 (prerelease) (bsc#1172466)
This update contains security mitigations for:
- CVE-2020-0543: Fixed a side channel attack against special registers
which could have resulted in leaking of read values to cores other
than the one which called it. This attack is known as Special Register
Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).
- CVE-2020-0548,CVE-2020-0549: Additional ucode updates were supplied to
mitigate the Vector Register and L1D Eviction Sampling aka 'CacheOutAttack'
attacks. (bsc#1156353)
Microcode Table:
Processor Identifier Version Products
Model Stepping F-MO-S/PI Old->New
---- new platforms ----------------------------------------
---- updated platforms ------------------------------------
HSW C0 6-3c-3/32 00000027->00000028 Core Gen4
BDW-U/Y E0/F0 6-3d-4/c0 0000002e->0000002f Core Gen5
HSW-U C0/D0 6-45-1/72 00000025->00000026 Core Gen4
HSW-H C0 6-46-1/32 0000001b->0000001c Core Gen4
BDW-H/E3 E0/G0 6-47-1/22 00000021->00000022 Core Gen5
SKL-U/Y D0 6-4e-3/c0 000000d6->000000dc Core Gen6 Mobile
SKL-U23e K1 6-4e-3/c0 000000d6->000000dc Core Gen6 Mobile
SKX-SP B1 6-55-3/97 01000151->01000157 Xeon Scalable
SKX-SP H0/M0/U0 6-55-4/b7 02000065->02006906 Xeon Scalable
SKX-D M1 6-55-4/b7 02000065->02006906 Xeon D-21xx
CLX-SP B0 6-55-6/bf 0400002c->04002f01 Xeon Scalable Gen2
CLX-SP B1 6-55-7/bf 0500002c->04002f01 Xeon Scalable Gen2
SKL-H/S R0/N0 6-5e-3/36 000000d6->000000dc Core Gen6; Xeon E3 v5
AML-Y22 H0 6-8e-9/10 000000ca->000000d6 Core Gen8 Mobile
KBL-U/Y H0 6-8e-9/c0 000000ca->000000d6 Core Gen7 Mobile
CFL-U43e D0 6-8e-a/c0 000000ca->000000d6 Core Gen8 Mobile
WHL-U W0 6-8e-b/d0 000000ca->000000d6 Core Gen8 Mobile
AML-Y42 V0 6-8e-c/94 000000ca->000000d6 Core Gen10 Mobile
CML-Y42 V0 6-8e-c/94 000000ca->000000d6 Core Gen10 Mobile
WHL-U V0 6-8e-c/94 000000ca->000000d6 Core Gen8 Mobile
KBL-G/H/S/E3 B0 6-9e-9/2a 000000ca->000000d6 Core Gen7; Xeon E3 v6
CFL-H/S/E3 U0 6-9e-a/22 000000ca->000000d6 Core Gen8 Desktop, Mobile, Xeon E
CFL-S B0 6-9e-b/02 000000ca->000000d6 Core Gen8
CFL-H/S P0 6-9e-c/22 000000ca->000000d6 Core Gen9
CFL-H R0 6-9e-d/22 000000ca->000000d6 Core Gen9 Mobile
Also contains the Intel CPU Microcode update to 20200520:
Processor Identifier Version Products
Model Stepping F-MO-S/PI Old->New
---- new platforms ----------------------------------------
---- updated platforms ------------------------------------
SNB-E/EN/EP C1/M0 6-2d-6/6d 0000061f->00000621 Xeon E3/E5, Core X
SNB-E/EN/EP C2/M1 6-2d-7/6d 00000718->0000071a Xeon E3/E5, Core X
ModerateSUSE bug 1154824SUSE bug 1156353SUSE bug 1172466CVE-2020-0543 at SUSECVE-2020-0543 at NVDCVE-2020-0548 at SUSECVE-2020-0548 at NVDCVE-2020-0549 at SUSECVE-2020-0549 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it.
This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).
- CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).
- CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).
- CVE-2020-12654: Fixed an issue in he wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).
- CVE-2020-12656: Fixed an improper handling of certain domain_release calls leadingch could have led to a memory leak (bsc#1171219).
- CVE-2020-12114: Fixed A pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).
- CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).
The following non-security bugs were fixed:
- can, slip: Protect tty->disc_data in write_wakeup and close with RCU (bsc#1171698).
- clocksource/drivers/hyper-v: Set TSC clocksource as default w/ InvariantTSC (bsc#1170620).
- Drivers: HV: Send one page worth of kmsg dump over Hyper-V during panic (bsc#1170618).
- Drivers: hv: vmbus: Fix the issue with freeing up hv_ctl_table_hdr (bsc#1170618).
- Drivers: hv: vmbus: Get rid of MSR access from vmbus_drv.c (bsc#1170618).
- Drivers: hv: vmbus: Make panic reporting to be more useful (bsc#1170618).
- Drivers: hv: vmus: Fix the check for return value from kmsg get dump buffer (bsc#1170618).
- EDAC: Convert to new X86 CPU match macros
- ibmvfc: do not send implicit logouts prior to NPIV login (bsc#1169625 ltc#184611).
- ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).
- KEYS: reaching the keys quotas correctly (bsc#1171689).
- NFS: Cleanup if nfs_match_client is interrupted (bsc#1169025).
- NFS: Fix a double unlock from nfs_match,get_client (bsc#1169025).
- NFS: make nfs_match_client killable (bsc#1169025).
- NFS: Unlock requests must never fail (bsc#1172032).
- random: always use batched entropy for get_random_u{32,64} (bsc#1164871).
- Revert 'ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()' (bsc#1172221).
- scsi: ibmvfc: Avoid loss of all paths during SVC node reboot (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).
- x86/dumpstack/64: Handle faults when printing the 'Stack: ' part of an OOPS (bsc#1170383).
- x86/hyperv: Allow guests to enable InvariantTSC (bsc#1170620).
- x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump (bsc#1170618).
- x86/Hyper-V: Report crash data in die() when panic_on_oops is set (bsc#1170618).
- x86/Hyper-V: Report crash register data or kmsg before running crash kernel (bsc#1170618).
- x86/Hyper-V: Report crash register data when sysctl_record_panic_msg is not set (bsc#1170618).
- x86: hyperv: report value of misc_features (git fixes).
- x86/Hyper-V: Trigger crash enlightenment only once during system crash (bsc#1170618).
- x86/Hyper-V: Unload vmbus channel in hv panic callback (bsc#1170618).
ImportantSUSE bug 1154824SUSE bug 1161951SUSE bug 1164871SUSE bug 1169025SUSE bug 1169625SUSE bug 1170383SUSE bug 1170618SUSE bug 1170620SUSE bug 1171098SUSE bug 1171195SUSE bug 1171202SUSE bug 1171218SUSE bug 1171219SUSE bug 1171689SUSE bug 1171698SUSE bug 1172032SUSE bug 1172221SUSE bug 1172317CVE-2020-0543 at SUSECVE-2020-0543 at NVDCVE-2020-10757 at SUSECVE-2020-10757 at NVDCVE-2020-12114 at SUSECVE-2020-12114 at NVDCVE-2020-12652 at SUSECVE-2020-12652 at NVDCVE-2020-12653 at SUSECVE-2020-12653 at NVDCVE-2020-12654 at SUSECVE-2020-12654 at NVDCVE-2020-12656 at SUSECVE-2020-12656 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for virglrenderer (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for virglrenderer fixes the following issues:
- CVE-2019-18388: Fixed a null pointer dereference which could have led
to denial of service (bsc#1159479).
- CVE-2019-18390: Fixed an out of bound read which could have led to
denial of service (bsc#1159478).
- CVE-2019-18389: Fixed a heap buffer overflow which could have led to
guest escape or denial of service (bsc#1159482).
- CVE-2019-18391: Fixed a heap based buffer overflow which could have led to
guest escape or denial of service (bsc#1159486).
ImportantSUSE bug 1159478SUSE bug 1159479SUSE bug 1159482SUSE bug 1159486CVE-2019-18388 at SUSECVE-2019-18388 at NVDCVE-2019-18389 at SUSECVE-2019-18389 at NVDCVE-2019-18390 at SUSECVE-2019-18390 at NVDCVE-2019-18391 at SUSECVE-2019-18391 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for adns (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for adns fixes the following issues:
- CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9109: Fixed an issue in local recursive resolver
which could have led to remote code execution (bsc#1172265).
- CVE-2017-9106: Fixed an issue with upstream DNS data sources which could have led to denial of
service (bsc#1172265).
- CVE-2017-9107: Fixed an issue when quering domain names which could have led to denial of service (bsc#1172265).
- CVE-2017-9108: Fixed an issue which could have led to denial of service (bsc#1172265).
ImportantSUSE bug 1172265CVE-2017-9103 at SUSECVE-2017-9103 at NVDCVE-2017-9104 at SUSECVE-2017-9104 at NVDCVE-2017-9105 at SUSECVE-2017-9105 at NVDCVE-2017-9106 at SUSECVE-2017-9106 at NVDCVE-2017-9107 at SUSECVE-2017-9107 at NVDCVE-2017-9108 at SUSECVE-2017-9108 at NVDCVE-2017-9109 at SUSECVE-2017-9109 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for xen fixes the following issues:
- CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it.
This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1172205).
- CVE-2020-11742: Bad continuation handling in GNTTABOP_copy (bsc#1169392).
- CVE-2020-11740, CVE-2020-11741: xen: XSA-313 multiple xenoprof issues (bsc#1168140).
- CVE-2020-11739: Missing memory barriers in read-write unlock paths (bsc#1168142).
- CVE-2019-19583: Fixed improper checks which could have allowed HVM/PVH guest userspace code to crash the guest, leading to a guest denial of service (bsc#1158004 XSA-308).
- CVE-2019-19581: Fixed a potential out of bounds on 32-bit Arm (bsc#1158003 XSA-307).
- CVE-2019-19580: Fixed a privilege escalation where a malicious PV guest administrator could have been able to escalate their privilege to that of the host (bsc#1158006 XSA-310).
- CVE-2019-19579: Fixed a privilege escalation where an untrusted domain with access to a physical device can DMA into host memory (bsc#1157888 XSA-306).
- CVE-2019-19578: Fixed an issue where a malicious or buggy PV guest could have caused hypervisor crash resulting in denial of service affecting the entire host (bsc#1158005 XSA-309).
- CVE-2019-19577: Fixed an issue where a malicious guest administrator could have caused Xen to access data structures while they are being modified leading to a crash (bsc#1158007 XSA-311).
- Xenstored Crashed during VM install (bsc#1167152)
ImportantSUSE bug 1157888SUSE bug 1158003SUSE bug 1158004SUSE bug 1158005SUSE bug 1158006SUSE bug 1158007SUSE bug 1161181SUSE bug 1167152SUSE bug 1168140SUSE bug 1168142SUSE bug 1169392SUSE bug 1172205CVE-2019-19577 at SUSECVE-2019-19577 at NVDCVE-2019-19578 at SUSECVE-2019-19578 at NVDCVE-2019-19579 at SUSECVE-2019-19579 at NVDCVE-2019-19580 at SUSECVE-2019-19580 at NVDCVE-2019-19581 at SUSECVE-2019-19581 at NVDCVE-2019-19583 at SUSECVE-2019-19583 at NVDCVE-2020-0543 at SUSECVE-2020-0543 at NVDCVE-2020-11739 at SUSECVE-2020-11739 at NVDCVE-2020-11740 at SUSECVE-2020-11740 at NVDCVE-2020-11741 at SUSECVE-2020-11741 at NVDCVE-2020-11742 at SUSECVE-2020-11742 at NVDCVE-2020-7211 at SUSECVE-2020-7211 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for perl (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for perl fixes the following issues:
- CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have
allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of
instructions into the compiled form of Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a
compiled regular expression (bsc#1171866).
- Fixed utf8 handling in perldoc by useing 'term' instead of 'man' (bsc#1170601).
- Some packages make assumptions about the date and time they are built.
This update will solve the issues caused by calling the perl function timelocal
expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039)
ImportantSUSE bug 1102840SUSE bug 1160039SUSE bug 1170601SUSE bug 1171863SUSE bug 1171864SUSE bug 1171866CVE-2020-10543 at SUSECVE-2020-10543 at NVDCVE-2020-10878 at SUSECVE-2020-10878 at NVDCVE-2020-12723 at SUSECVE-2020-12723 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_7_1-ibm fixes the following issues:
java-1_7_1-ibm was updated to Java 7.1 Service Refresh 4 Fix Pack 65 (bsc#1172277 and bsc#1169511)
- CVE-2020-2654: Fixed an issue which could have resulted in unauthorized ability to cause a partial denial of service
- CVE-2020-2756: Improved mapping of serial ENUMs
- CVE-2020-2757: Less Blocking Array Queues
- CVE-2020-2781: Improved TLS session handling
- CVE-2020-2800: Improved Headings for HTTP Servers
- CVE-2020-2803: Enhanced buffering of byte buffers
- CVE-2020-2805: Enhanced typing of methods
- CVE-2020-2830: Improved Scanner conversions
ImportantSUSE bug 1169511SUSE bug 1172277CVE-2020-2654 at SUSECVE-2020-2654 at NVDCVE-2020-2756 at SUSECVE-2020-2756 at NVDCVE-2020-2757 at SUSECVE-2020-2757 at NVDCVE-2020-2781 at SUSECVE-2020-2781 at NVDCVE-2020-2800 at SUSECVE-2020-2800 at NVDCVE-2020-2803 at SUSECVE-2020-2803 at NVDCVE-2020-2805 at SUSECVE-2020-2805 at NVDCVE-2020-2830 at SUSECVE-2020-2830 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_8_0-ibm fixes the following issues:
java-1_8_0-ibm was updated to Java 8.0 Service Refresh 6 Fix Pack 10 (bsc#1172277,bsc#1169511,bsc#1160968)
- CVE-2020-2654: Fixed an issue which could have resulted in unauthorized ability to cause a partial denial of service
- CVE-2020-2754: Forwarded references to Nashorn
- CVE-2020-2755: Improved Nashorn matching
- CVE-2020-2756: Improved mapping of serial ENUMs
- CVE-2020-2757: Less Blocking Array Queues
- CVE-2020-2781: Improved TLS session handling
- CVE-2020-2800: Improved Headings for HTTP Servers
- CVE-2020-2803: Enhanced buffering of byte buffers
- CVE-2020-2805: Enhanced typing of methods
- CVE-2020-2830: Improved Scanner conversions
- CVE-2019-2949: Fixed an issue which could have resulted in unauthorized access to critical data
- Added RSA PSS SUPPORT TO IBMPKCS11IMPL
- The pack200 and unpack200 alternatives should be slaves of java (bsc#1171352).
ImportantSUSE bug 1160968SUSE bug 1169511SUSE bug 1171352SUSE bug 1172277CVE-2019-2949 at SUSECVE-2019-2949 at NVDCVE-2020-2654 at SUSECVE-2020-2654 at NVDCVE-2020-2754 at SUSECVE-2020-2754 at NVDCVE-2020-2755 at SUSECVE-2020-2755 at NVDCVE-2020-2756 at SUSECVE-2020-2756 at NVDCVE-2020-2757 at SUSECVE-2020-2757 at NVDCVE-2020-2781 at SUSECVE-2020-2781 at NVDCVE-2020-2800 at SUSECVE-2020-2800 at NVDCVE-2020-2803 at SUSECVE-2020-2803 at NVDCVE-2020-2805 at SUSECVE-2020-2805 at NVDCVE-2020-2830 at SUSECVE-2020-2830 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_8_0-openjdk to version jdk8u252 fixes the following issues:
- CVE-2020-2754: Forward references to Nashorn (bsc#1169511)
- CVE-2020-2755: Improve Nashorn matching (bsc#1169511)
- CVE-2020-2756: Better mapping of serial ENUMs (bsc#1169511)
- CVE-2020-2757: Less Blocking Array Queues (bsc#1169511)
- CVE-2020-2773: Better signatures in XML (bsc#1169511)
- CVE-2020-2781: Improve TLS session handling (bsc#1169511)
- CVE-2020-2800: Better Headings for HTTP Servers (bsc#1169511)
- CVE-2020-2803: Enhance buffering of byte buffers (bsc#1169511)
- CVE-2020-2805: Enhance typing of methods (bsc#1169511)
- CVE-2020-2830: Better Scanner conversions (bsc#1169511)
ImportantSUSE bug 1160398SUSE bug 1169511CVE-2020-2754 at SUSECVE-2020-2754 at NVDCVE-2020-2755 at SUSECVE-2020-2755 at NVDCVE-2020-2756 at SUSECVE-2020-2756 at NVDCVE-2020-2757 at SUSECVE-2020-2757 at NVDCVE-2020-2773 at SUSECVE-2020-2773 at NVDCVE-2020-2781 at SUSECVE-2020-2781 at NVDCVE-2020-2800 at SUSECVE-2020-2800 at NVDCVE-2020-2803 at SUSECVE-2020-2803 at NVDCVE-2020-2805 at SUSECVE-2020-2805 at NVDCVE-2020-2830 at SUSECVE-2020-2830 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-10768: Fixed an issue with the prctl() function which could have allowed indirect branch speculation even after it has been disabled (bsc#1172783).
- CVE-2020-10767: Fixed an issue where the Indirect Branch Prediction Barrier (IBPB) would have been disabled when STIBP is unavailable or enhanced IBRS is available making the system vulnerable to spectre v2 (bsc#1172782).
- CVE-2020-10766: Fixed an issue with Linux scheduler which could have allowed an attacker to turn off the SSBD protection (bsc#1172781).
- xfs: Fix tail rounding in xfs_alloc_file_space() (bsc#1172049).
ImportantSUSE bug 1172049SUSE bug 1172781SUSE bug 1172782SUSE bug 1172783CVE-2020-10766 at SUSECVE-2020-10766 at NVDCVE-2020-10767 at SUSECVE-2020-10767 at NVDCVE-2020-10768 at SUSECVE-2020-10768 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for curl (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for curl fixes the following issues:
- CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027).
ImportantSUSE bug 1173027CVE-2020-8177 at SUSECVE-2020-8177 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for ceph (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This is a version update for ceph to version 12.2.13:
Security issue fixed:
- CVE-2020-10753: Fixed an HTTP header injection via CORS ExposeHeader tag (bsc#1171921).
- Notable changes in this update for ceph:
* mgr: telemetry: backported and now available on SES5.5. Please
consider enabling via 'ceph telemetry on' (bsc#1171670)
* OSD heartbeat ping time: new health warning, options and admin
commands (bsc#1171960)
* 'osd_calc_pg_upmaps_max_stddev' ceph.conf parameter has been
removed; use 'upmap_max_deviation' instead (bsc#1171961)
* Default maximum concurrent bluestore rocksdb compaction threads
raised from 1 to 2 for improved ability to keep up with rgw
bucket index workloads (bsc#1171963)
- Bug fixes in this ceph update:
* mon: Error message displayed when mon_osd_max_split_count would be
exceeded is not as user-friendly as it could be (bsc#1126230)
* ceph_volume_client: remove ceph mds calls in favor of ceph fs
calls (bsc#1136082)
* rgw: crypt: permit RGW-AUTO/default with SSE-S3 headers
(bsc#1157607)
* mon/AuthMonitor: don't validate fs caps on authorize (bsc#1161096)
- Additional bug fixes:
* ceph-volume: strip _dmcrypt suffix in simple scan json output (bsc#1162553) ImportantSUSE bug 1126230SUSE bug 1136082SUSE bug 1157607SUSE bug 1161096SUSE bug 1162553SUSE bug 1171670SUSE bug 1171921SUSE bug 1171960SUSE bug 1171961SUSE bug 1171963CVE-2020-10753 at SUSECVE-2020-10753 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_116 fixes several issues.
The following security issues were fixed:
- CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172437).
- CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171254).
- CVE-2020-12654: Fixed an issue in he wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171252).
- CVE-2020-1749: Fixed an issue where some ipv6 protocols were not encrypted over ipsec tunnel (bsc#1165631).
ImportantSUSE bug 1165631SUSE bug 1171252SUSE bug 1171254SUSE bug 1172437CVE-2020-10757 at SUSECVE-2020-10757 at NVDCVE-2020-12653 at SUSECVE-2020-12653 at NVDCVE-2020-12654 at SUSECVE-2020-12654 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_113 fixes one issue.
The following security issue was fixed:
- CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172437).
ImportantSUSE bug 1172437CVE-2020-10757 at SUSECVE-2020-10757 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_107 fixes one issue.
The following security issue was fixed:
- CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172437).
ImportantSUSE bug 1172437CVE-2020-10757 at SUSECVE-2020-10757 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 28 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_103 fixes several issues.
The following security issues were fixed:
- CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172437).
- CVE-2019-15666: Fixed an out of bounds read __xfrm_policy_unlink, which could have led to denial of service (bsc#1172140).
ImportantSUSE bug 1172140SUSE bug 1172437CVE-2019-15666 at SUSECVE-2019-15666 at NVDCVE-2020-10757 at SUSECVE-2020-10757 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 27 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_100 fixes several issues.
The following security issues were fixed:
- CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172437).
- CVE-2019-15666: Fixed an out of bounds read __xfrm_policy_unlink, which could have led to denial of service (bsc#1172140).
ImportantSUSE bug 1172140SUSE bug 1172437CVE-2019-15666 at SUSECVE-2019-15666 at NVDCVE-2020-10757 at SUSECVE-2020-10757 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 26 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_97 fixes several issues.
The following security issues were fixed:
- CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172437).
- CVE-2019-15666: Fixed an out of bounds read __xfrm_policy_unlink, which could have led to denial of service (bsc#1172140).
ImportantSUSE bug 1172140SUSE bug 1172437CVE-2019-15666 at SUSECVE-2019-15666 at NVDCVE-2020-10757 at SUSECVE-2020-10757 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for tomcat (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for tomcat fixes the following issues:
- CVE-2020-8022: Fixed a local root exploit due to improper permissions (bsc#1172405)
ImportantSUSE bug 1172405CVE-2020-8022 at SUSECVE-2020-8022 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for python3-requests (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for python3-requests provides the following fix:
python-requests was updated to 2.20.1.
Update to version 2.20.1:
* Fixed bug with unintended Authorization header stripping for
redirects using default ports (http/80, https/443).
Update to version 2.20.0:
* Bugfixes
+ Content-Type header parsing is now case-insensitive
(e.g. charset=utf8 v Charset=utf8).
+ Fixed exception leak where certain redirect urls would raise
uncaught urllib3 exceptions.
+ Requests removes Authorization header from requests redirected
from https to http on the same hostname. (CVE-2018-18074)
+ should_bypass_proxies now handles URIs without hostnames
(e.g. files).
Update to version 2.19.1:
* Fixed issue where status_codes.py’s init function failed trying
to append to a __doc__ value of None.
Update to version 2.19.0:
* Improvements
+ Warn about possible slowdown with cryptography version < 1.3.4
+ Check host in proxy URL, before forwarding request to adapter.
+ Maintain fragments properly across redirects. (RFC7231 7.1.2)
+ Removed use of cgi module to expedite library load time.
+ Added support for SHA-256 and SHA-512 digest auth algorithms.
+ Minor performance improvement to Request.content.
* Bugfixes
+ Parsing empty Link headers with parse_header_links() no longer
return one bogus entry.
+ Fixed issue where loading the default certificate bundle from
a zip archive would raise an IOError.
+ Fixed issue with unexpected ImportError on windows system
which do not support winreg module.
+ DNS resolution in proxy bypass no longer includes the username
and password in the request. This also fixes the issue of DNS
queries failing on macOS.
+ Properly normalize adapter prefixes for url comparison.
+ Passing None as a file pointer to the files param no longer
raises an exception.
+ Calling copy on a RequestsCookieJar will now preserve the
cookie policy correctly.
Update to version 2.18.4:
* Improvements
+ Error messages for invalid headers now include the header name
for easier debugging
Update to version 2.18.3:
* Improvements
+ Running $ python -m requests.help now includes the installed
version of idna.
* Bugfixes
+ Fixed issue where Requests would raise ConnectionError instead
of SSLError when encountering SSL problems when using urllib3
v1.22.
- Add ca-certificates (and ca-certificates-mozilla) to dependencies, otherwise https
connections will fail.
ModerateSUSE bug 1054413SUSE bug 1073879SUSE bug 1111622SUSE bug 1122668SUSE bug 761500SUSE bug 922448SUSE bug 929736SUSE bug 935252SUSE bug 945455SUSE bug 947357SUSE bug 961596SUSE bug 967128CVE-2015-2296 at SUSECVE-2015-2296 at NVDCVE-2018-18074 at SUSECVE-2018-18074 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for mutt (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for mutt fixes the following issues:
- CVE-2020-14954: Fixed a response injection due to a STARTTLS buffering issue which was
affecting IMAP, SMTP, and POP3 (bsc#1173197).
- CVE-2020-14093: Fixed a potential IMAP Man-in-the-Middle attack via a PREAUTH response (bsc#1172906, bsc#1172935).
- CVE-2020-14154: Fixed an issue where Mutt was ignoring an expired certificate and was
proceeding with a connection (bsc#1172906, bsc#1172935).
ImportantSUSE bug 1172906SUSE bug 1172935SUSE bug 1173197CVE-2020-14093 at SUSECVE-2020-14093 at NVDCVE-2020-14154 at SUSECVE-2020-14154 at NVDCVE-2020-14954 at SUSECVE-2020-14954 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for squid (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for squid fixes the following issues:
- CVE-2020-14059: Fixed an issue where a client could potentially deny the service of a server
during TLS Handshake (bsc#1173304).
- CVE-2019-18860: Fixed handling of invalid domain names in cachemgr.cgi (bsc#1167373).
ImportantSUSE bug 1167373SUSE bug 1173304CVE-2019-18860 at SUSECVE-2019-18860 at NVDCVE-2020-14059 at SUSECVE-2020-14059 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for ntp (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for ntp fixes the following issues:
ntp was updated to 4.2.8p15
- CVE-2020-11868: Fixed an issue which a server mode packet with spoofed source address
frequently send to the client ntpd could have caused denial of service (bsc#1169740).
- CVE-2018-8956: Fixed an issue which could have allowed remote attackers to prevent
a broadcast client from synchronizing its clock with a broadcast NTP server via spoofed
mode 3 and mode 5 packets (bsc#1171355).
- CVE-2020-13817: Fixed an issue which an off-path attacker with the ability to query time
from victim's ntpd instance could have modified the victim's clock by a limited amount (bsc#1172651).
- CVE-2020-15025: Fixed an issue which remote attacker could have caused denial of service by consuming
the memory when a CMAC key was used andassociated with a CMAC algorithm in the ntp.keys (bsc#1173334).
ModerateSUSE bug 1169740SUSE bug 1171355SUSE bug 1172651SUSE bug 1173334CVE-2018-8956 at SUSECVE-2018-8956 at NVDCVE-2020-11868 at SUSECVE-2020-11868 at NVDCVE-2020-13817 at SUSECVE-2020-13817 at NVDCVE-2020-15025 at SUSECVE-2020-15025 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 26 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_97 fixes several issues.
The following security issues were fixed:
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in the Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bsc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in the Marvell WiFi chip driver. An attacker was able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bsc#1157155).
ImportantSUSE bug 1160467SUSE bug 1160468CVE-2019-14896 at SUSECVE-2019-14896 at NVDCVE-2019-14897 at SUSECVE-2019-14897 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for mozilla-nspr, mozilla-nss (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to version 3.53.1
- CVE-2020-12402: Fixed a potential side channel attack during RSA key generation (bsc#1173032).
- CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978).
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- Fixed various FIPS issues in libfreebl3 which were causing segfaults in the test suite of chrony (bsc#1168669).
- Fixed an issue where Firefox tab was crashing (bsc#1170908).
Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes
mozilla-nspr to version 4.25
ImportantSUSE bug 1159819SUSE bug 1168669SUSE bug 1169746SUSE bug 1170908SUSE bug 1171978SUSE bug 1173022CVE-2019-17006 at SUSECVE-2019-17006 at NVDCVE-2020-12399 at SUSECVE-2020-12399 at NVDCVE-2020-12402 at SUSECVE-2020-12402 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 25 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.178-94_91 fixes several issues.
The following security issues were fixed:
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in the Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bsc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in the Marvell WiFi chip driver. An attacker was able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bsc#1157155).
ImportantSUSE bug 1160467SUSE bug 1160468CVE-2019-14896 at SUSECVE-2019-14896 at NVDCVE-2019-14897 at SUSECVE-2019-14897 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for openldap2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for openldap2 fixes the following issues:
- CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).
- Changed DB_CONFIG to root:ldap permissions (bsc#1172704).
- Fixed an issue where slapd becomes unresponsive after many failed login/bind attempts(bsc#1170715).
ImportantSUSE bug 1170715SUSE bug 1172698SUSE bug 1172704CVE-2020-8023 at SUSECVE-2020-8023 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 24 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.176-94_88 fixes several issues.
The following security issues were fixed:
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in the Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bsc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in the Marvell WiFi chip driver. An attacker was able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bsc#1157155).
ImportantSUSE bug 1160467SUSE bug 1160468CVE-2019-14896 at SUSECVE-2019-14896 at NVDCVE-2019-14897 at SUSECVE-2019-14897 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for xen fixes the following issues:
- CVE-2020-15563: Fixed inverted code paths in x86 dirty VRAM tracking (bsc#1173377).
- CVE-2020-15565: Fixed insufficient cache write-back under VT-d (bsc#1173378).
- CVE-2020-15567: Fixed non-atomic modification of live EPT PTE (bsc#1173380).
ImportantSUSE bug 1173377SUSE bug 1173378SUSE bug 1173380CVE-2020-15563 at SUSECVE-2020-15563 at NVDCVE-2020-15565 at SUSECVE-2020-15565 at NVDCVE-2020-15567 at SUSECVE-2020-15567 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 23 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.175-94_79 fixes several issues.
The following security issues were fixed:
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in the Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bsc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in the Marvell WiFi chip driver. An attacker was able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bsc#1157155).
ImportantSUSE bug 1160467SUSE bug 1160468CVE-2019-14896 at SUSECVE-2019-14896 at NVDCVE-2019-14897 at SUSECVE-2019-14897 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox to version 78.0.1 ESR fixes the following issues:
Security issues fixed:
- CVE-2020-12415: AppCache manifest poisoning due to url encoded character processing (bsc#1173576).
- CVE-2020-12416: Use-after-free in WebRTC VideoBroadcaster (bsc#1173576).
- CVE-2020-12417: Memory corruption due to missing sign-extension for ValueTags on ARM64 (bsc#1173576).
- CVE-2020-12418: Information disclosure due to manipulated URL object (bsc#1173576).
- CVE-2020-12419: Use-after-free in nsGlobalWindowInner (bsc#1173576).
- CVE-2020-12420: Use-After-Free when trying to connect to a STUN server (bsc#1173576).
- CVE-2020-12402: RSA Key Generation vulnerable to side-channel attack (bsc#1173576).
- CVE-2020-12421: Add-On updates did not respect the same certificate trust rules as software updates (bsc#1173576).
- CVE-2020-12422: Integer overflow in nsJPEGEncoder::emptyOutputBuffer (bsc#1173576).
- CVE-2020-12423: DLL Hijacking due to searching %PATH% for a library (bsc#1173576).
- CVE-2020-12424: WebRTC permission prompt could have been bypassed by a compromised content process (bsc#1173576).
- CVE-2020-12425: Out of bound read in Date.parse() (bsc#1173576).
- CVE-2020-12426: Memory safety bugs fixed in Firefox 78 (bsc#1173576).
- FIPS: MozillaFirefox: allow /proc/sys/crypto/fips_enabled (bsc#1167231).
Non-security issues fixed:
- Fixed interaction with freetype6 (bsc#1173613).
ImportantSUSE bug 1167231SUSE bug 1173576SUSE bug 1173613CVE-2020-12402 at SUSECVE-2020-12402 at NVDCVE-2020-12415 at SUSECVE-2020-12415 at NVDCVE-2020-12416 at SUSECVE-2020-12416 at NVDCVE-2020-12417 at SUSECVE-2020-12417 at NVDCVE-2020-12418 at SUSECVE-2020-12418 at NVDCVE-2020-12419 at SUSECVE-2020-12419 at NVDCVE-2020-12420 at SUSECVE-2020-12420 at NVDCVE-2020-12421 at SUSECVE-2020-12421 at NVDCVE-2020-12422 at SUSECVE-2020-12422 at NVDCVE-2020-12423 at SUSECVE-2020-12423 at NVDCVE-2020-12424 at SUSECVE-2020-12424 at NVDCVE-2020-12425 at SUSECVE-2020-12425 at NVDCVE-2020-12426 at SUSECVE-2020-12426 at NVDCVE-2020-6813 at SUSECVE-2020-6813 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for bind (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for bind fixes the following issues:
- Amended documentation referring to rule types 'krb5-subdomain'
and 'ms-subdomain'. This incorrect documentation could mislead
operators into believing that policies they had configured were
more restrictive than they actually were. [CVE-2018-5741]
- Further limit the number of queries that can be triggered from a
request. Root and TLD servers are no longer exempt from
max-recursion-queries. Fetches for missing name server address
records are limited to 4 for any domain. [CVE-2020-8616]
- Replaying a TSIG BADTIME response as a request could trigger an
assertion failure. [CVE-2020-8617]
[bsc#1109160, bsc#1171740,
CVE-2018-5741, bind-CVE-2018-5741.patch,
CVE-2020-8616, bind-CVE-2020-8616.patch,
CVE-2020-8617, bind-CVE-2020-8617.patch]
- Don't rely on /etc/insserv.conf anymore for proper dependencies
against nss-lookup.target in named.service and lwresd.service
(bsc#1118367 bsc#1118368)
- Using a drop-in file
ImportantSUSE bug 1109160SUSE bug 1118367SUSE bug 1118368SUSE bug 1171740CVE-2018-5741 at SUSECVE-2018-5741 at NVDCVE-2020-8616 at SUSECVE-2020-8616 at NVDCVE-2020-8617 at SUSECVE-2020-8617 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for squid (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for squid fixes the following issues:
- CVE-2020-15049.patch: fixes a Cache Poisoning and Request Smuggling
attack (CVE-2020-15049, bsc#1173455)
ImportantSUSE bug 1173455CVE-2020-15049 at SUSECVE-2020-15049 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for SUSE Manager Client Tools (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update fixes the following issues:
cobbler:
- Calculate relative path for kernel and inited when generating
grub entry (bsc#1170231)
Added: fix-grub2-entry-paths.diff
- Fix os-release version detection for SUSE
Modified: sles15.patch
- Jinja2 template library fix (bsc#1141661)
- Removes string replace for textmode fix (bsc#1134195)
golang-github-prometheus-node_exporter:
- Update to 0.18.1
* [BUGFIX] Fix incorrect sysctl call in BSD meminfo collector, resulting in broken swap metrics on FreeBSD #1345
* [BUGFIX] Fix rollover bug in mountstats collector #1364
* Renamed interface label to device in netclass collector for consistency with
* other network metrics #1224
* The cpufreq metrics now separate the cpufreq and scaling data based on what the driver provides. #1248
* The labels for the network_up metric have changed, see issue #1236
* Bonding collector now uses mii_status instead of operstatus #1124
* Several systemd metrics have been turned off by default to improve performance #1254
* These include unit_tasks_current, unit_tasks_max, service_restart_total, and unit_start_time_seconds
* The systemd collector blacklist now includes automount, device, mount, and slice units by default. #1255
* [CHANGE] Bonding state uses mii_status #1124
* [CHANGE] Add a limit to the number of in-flight requests #1166
* [CHANGE] Renamed interface label to device in netclass collector #1224
* [CHANGE] Add separate cpufreq and scaling metrics #1248
* [CHANGE] Several systemd metrics have been turned off by default to improve performance #1254
* [CHANGE] Expand systemd collector blacklist #1255
* [CHANGE] Split cpufreq metrics into a separate collector #1253
* [FEATURE] Add a flag to disable exporter metrics #1148
* [FEATURE] Add kstat-based Solaris metrics for boottime, cpu and zfs collectors #1197
* [FEATURE] Add uname collector for FreeBSD #1239
* [FEATURE] Add diskstats collector for OpenBSD #1250
* [FEATURE] Add pressure collector exposing pressure stall information for Linux #1174
* [FEATURE] Add perf exporter for Linux #1274
* [ENHANCEMENT] Add Infiniband counters #1120
* [ENHANCEMENT] Add TCPSynRetrans to netstat default filter #1143
* [ENHANCEMENT] Move network_up labels into new metric network_info #1236
* [ENHANCEMENT] Use 64-bit counters for Darwin netstat
* [BUGFIX] Add fallback for missing /proc/1/mounts #1172
* [BUGFIX] Fix node_textfile_mtime_seconds to work properly on symlinks #1326
- Add network-online (Wants and After) dependency to systemd unit bsc#1143913
golang-github-prometheus-prometheus:
- Update change log and spec file
+ Modified spec file: default to golang 1.14 to avoid 'have choice' build issues in OBS.
+ Rebase and update patches for version 2.18.0
+ Changed:
* 0002-Default-settings.patch Changed
- Update to 2.18.0
+ Features
* Tracing: Added experimental Jaeger support #7148
+ Changes
* Federation: Only use local TSDB for federation (ignore remote read). #7096
* Rules: `rule_evaluations_total` and `rule_evaluation_failures_total` have a `rule_group` label now. #7094
+ Enhancements
* TSDB: Significantly reduce WAL size kept around after a block cut. #7098
* Discovery: Add `architecture` meta label for EC2. #7000
+ Bug fixes
* UI: Fixed wrong MinTime reported by /status. #7182
* React UI: Fixed multiselect legend on OSX. #6880
* Remote Write: Fixed blocked resharding edge case. #7122
* Remote Write: Fixed remote write not updating on relabel configs change. #7073
- Changes from 2.17.2
+ Bug fixes
* Federation: Register federation metrics #7081
* PromQL: Fix panic in parser error handling #7132
* Rules: Fix reloads hanging when deleting a rule group that is being evaluated #7138
* TSDB: Fix a memory leak when prometheus starts with an empty TSDB WAL #7135
* TSDB: Make isolation more robust to panics in web handlers #7129 #7136
- Changes from 2.17.1
+ Bug fixes
* TSDB: Fix query performance regression that increased memory and CPU usage #7051
- Changes from 2.17.0
+ Features
* TSDB: Support isolation #6841
* This release implements isolation in TSDB. API queries and recording rules are
guaranteed to only see full scrapes and full recording rules. This comes with a
certain overhead in resource usage. Depending on the situation, there might be
some increase in memory usage, CPU usage, or query latency.
+ Enhancements
* PromQL: Allow more keywords as metric names #6933
* React UI: Add normalization of localhost URLs in targets page #6794
* Remote read: Read from remote storage concurrently #6770
* Rules: Mark deleted rule series as stale after a reload #6745
* Scrape: Log scrape append failures as debug rather than warn #6852
* TSDB: Improve query performance for queries that partially hit the head #6676
* Consul SD: Expose service health as meta label #5313
* EC2 SD: Expose EC2 instance lifecycle as meta label #6914
* Kubernetes SD: Expose service type as meta label for K8s service role #6684
* Kubernetes SD: Expose label_selector and field_selector #6807
* Openstack SD: Expose hypervisor id as meta label #6962
+ Bug fixes
* PromQL: Do not escape HTML-like chars in query log #6834 #6795
* React UI: Fix data table matrix values #6896
* React UI: Fix new targets page not loading when using non-ASCII characters #6892
* Remote read: Fix duplication of metrics read from remote storage with external labels #6967 #7018
* Remote write: Register WAL watcher and live reader metrics for all remotes, not just the first one #6998
* Scrape: Prevent removal of metric names upon relabeling #6891
* Scrape: Fix 'superfluous response.WriteHeader call' errors when scrape fails under some circonstances #6986
* Scrape: Fix crash when reloads are separated by two scrape intervals #7011
- Changes from 2.16.0
+ Features
* React UI: Support local timezone on /graph #6692
* PromQL: add absent_over_time query function #6490
* Adding optional logging of queries to their own file #6520
+ Enhancements
* React UI: Add support for rules page and 'Xs ago' duration displays #6503
* React UI: alerts page, replace filtering togglers tabs with checkboxes #6543
* TSDB: Export metric for WAL write errors #6647
* TSDB: Improve query performance for queries that only touch the most recent 2h of data. #6651
* PromQL: Refactoring in parser errors to improve error messages #6634
* PromQL: Support trailing commas in grouping opts #6480
* Scrape: Reduce memory usage on reloads by reusing scrape cache #6670
* Scrape: Add metrics to track bytes and entries in the metadata cache #6675
* promtool: Add support for line-column numbers for invalid rules output #6533
* Avoid restarting rule groups when it is unnecessary #6450
+ Bug fixes
* React UI: Send cookies on fetch() on older browsers #6553
* React UI: adopt grafana flot fix for stacked graphs #6603
* React UI: broken graph page browser history so that back button works as expected #6659
* TSDB: ensure compactionsSkipped metric is registered, and log proper error if one is returned from head.Init #6616
* TSDB: return an error on ingesting series with duplicate labels #6664
* PromQL: Fix unary operator precedence #6579
* PromQL: Respect query.timeout even when we reach query.max-concurrency #6712
* PromQL: Fix string and parentheses handling in engine, which affected React UI #6612
* PromQL: Remove output labels returned by absent() if they are produced by multiple identical label matchers #6493
* Scrape: Validate that OpenMetrics input ends with `# EOF` #6505
* Remote read: return the correct error if configs can't be marshal'd to JSON #6622
* Remote write: Make remote client `Store` use passed context, which can affect shutdown timing #6673
* Remote write: Improve sharding calculation in cases where we would always be consistently behind by tracking pendingSamples #6511
* Ensure prometheus_rule_group metrics are deleted when a rule group is removed #6693
- Changes from 2.15.2
+ Bug fixes
* TSDB: Fixed support for TSDB blocks built with Prometheus before 2.1.0. #6564
* TSDB: Fixed block compaction issues on Windows. #6547
- Changes from 2.15.1
+ Bug fixes
* TSDB: Fixed race on concurrent queries against same data. #6512
- Changes from 2.15.0
+ Features
* API: Added new endpoint for exposing per metric metadata `/metadata`. #6420 #6442
+ Changes
* Discovery: Removed `prometheus_sd_kubernetes_cache_*` metrics. Additionally `prometheus_sd_kubernetes_workqueue_latency_seconds` and `prometheus_sd_kubernetes_workqueue_work_duration_seconds` metrics now show correct values in seconds. #6393
* Remote write: Changed `query` label on `prometheus_remote_storage_*` metrics to `remote_name` and `url`. #6043
+ Enhancements
* TSDB: Significantly reduced memory footprint of loaded TSDB blocks. #6418 #6461
* TSDB: Significantly optimized what we buffer during compaction which should result in lower memory footprint during compaction. #6422 #6452 #6468 #6475
* TSDB: Improve replay latency. #6230
* TSDB: WAL size is now used for size based retention calculation. #5886
* Remote read: Added query grouping and range hints to the remote read request #6401
* Remote write: Added `prometheus_remote_storage_sent_bytes_total` counter per queue. #6344
* promql: Improved PromQL parser performance. #6356
* React UI: Implemented missing pages like `/targets` #6276, TSDB status page #6281 #6267 and many other fixes and performance improvements.
* promql: Prometheus now accepts spaces between time range and square bracket. e.g `[ 5m]` #6065
+ Bug fixes
* Config: Fixed alertmanager configuration to not miss targets when configurations are similar. #6455
* Remote write: Value of `prometheus_remote_storage_shards_desired` gauge shows raw value of desired shards and it's updated correctly. #6378
* Rules: Prometheus now fails the evaluation of rules and alerts where metric results collide with labels specified in `labels` field. #6469
* API: Targets Metadata API `/targets/metadata` now accepts empty `match_targets` parameter as in the spec. #6303
- Changes from 2.14.0
+ Features
* API: `/api/v1/status/runtimeinfo` and `/api/v1/status/buildinfo` endpoints added for use by the React UI. #6243
* React UI: implement the new experimental React based UI. #5694 and many more
* Can be found by under `/new`.
* Not all pages are implemented yet.
* Status: Cardinality statistics added to the Runtime & Build Information page. #6125
+ Enhancements
* Remote write: fix delays in remote write after a compaction. #6021
* UI: Alerts can be filtered by state. #5758
+ Bug fixes
* Ensure warnings from the API are escaped. #6279
* API: lifecycle endpoints return 403 when not enabled. #6057
* Build: Fix Solaris build. #6149
* Promtool: Remove false duplicate rule warnings when checking rule files with alerts. #6270
* Remote write: restore use of deduplicating logger in remote write. #6113
* Remote write: do not reshard when unable to send samples. #6111
* Service discovery: errors are no longer logged on context cancellation. #6116, #6133
* UI: handle null response from API properly. #6071
- Changes from 2.13.1
+ Bug fixes
* Fix panic in ARM builds of Prometheus. #6110
* promql: fix potential panic in the query logger. #6094
* Multiple errors of http: superfluous response.WriteHeader call in the logs. #6145
- Changes from 2.13.0
+ Enhancements
* Metrics: renamed prometheus_sd_configs_failed_total to prometheus_sd_failed_configs and changed to Gauge #5254
* Include the tsdb tool in builds. #6089
* Service discovery: add new node address types for kubernetes. #5902
* UI: show warnings if query have returned some warnings. #5964
* Remote write: reduce memory usage of the series cache. #5849
* Remote read: use remote read streaming to reduce memory usage. #5703
* Metrics: added metrics for remote write max/min/desired shards to queue manager. #5787
* Promtool: show the warnings during label query. #5924
* Promtool: improve error messages when parsing bad rules. #5965
* Promtool: more promlint rules. #5515
+ Bug fixes
* UI: Fix a Stored DOM XSS vulnerability with query history [CVE-2019-10215](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10215). #6098
* Promtool: fix recording inconsistency due to duplicate labels. #6026
* UI: fixes service-discovery view when accessed from unhealthy targets. #5915
* Metrics format: OpenMetrics parser crashes on short input. #5939
* UI: avoid truncated Y-axis values. #6014
- Changes from 2.12.0
+ Features
* Track currently active PromQL queries in a log file. #5794
* Enable and provide binaries for `mips64` / `mips64le` architectures. #5792
+ Enhancements
* Improve responsiveness of targets web UI and API endpoint. #5740
* Improve remote write desired shards calculation. #5763
* Flush TSDB pages more precisely. tsdb#660
* Add `prometheus_tsdb_retention_limit_bytes` metric. tsdb#667
* Add logging during TSDB WAL replay on startup. tsdb#662
* Improve TSDB memory usage. tsdb#653, tsdb#643, tsdb#654, tsdb#642, tsdb#627
+ Bug fixes
* Check for duplicate label names in remote read. #5829
* Mark deleted rules' series as stale on next evaluation. #5759
* Fix JavaScript error when showing warning about out-of-sync server time. #5833
* Fix `promtool test rules` panic when providing empty `exp_labels`. #5774
* Only check last directory when discovering checkpoint number. #5756
* Fix error propagation in WAL watcher helper functions. #5741
* Correctly handle empty labels from alert templates. #5845
- Update Uyuni/SUSE Manager service discovery patch
+ Modified 0003-Add-Uyuni-service-discovery.patch:
+ Adapt service discovery to the new Uyuni API endpoints
+ Modified spec file: force golang 1.12 to fix build issues in SLE15SP2
- Update to Prometheus 2.11.2
grafana:
- Update to version 7.0.3
* Features / Enhancements
- Stats: include all fields. #24829, @ryantxu
- Variables: change VariableEditorList row action Icon to IconButton. #25217, @hshoff
* Bug fixes
- Cloudwatch: Fix dimensions of DDoSProtection. #25317, @papagian
- Configuration: Fix env var override of sections containing hyphen. #25178, @marefr
- Dashboard: Get panels in collapsed rows. #25079, @peterholmberg
- Do not show alerts tab when alerting is disabled. #25285, @dprokop
- Jaeger: fixes cascader option label duration value. #25129, @Estrax
- Transformations: Fixed Transform tab crash & no update after adding first transform. #25152, @torkelo
- Update to version 7.0.2
* Bug fixes
- Security: Urgent security patch release to fix CVE-2020-13379
- Update to version 7.0.1
* Features / Enhancements
- Datasource/CloudWatch: Makes CloudWatch Logs query history more readable. #24795, @kaydelaney
- Download CSV: Add date and time formatting. #24992, @ryantxu
- Table: Make last cell value visible when right aligned. #24921, @peterholmberg
- TablePanel: Adding sort order persistance. #24705, @torkelo
- Transformations: Display correct field name when using reduce transformation. #25068, @peterholmberg
- Transformations: Allow custom number input for binary operations. #24752, @ryantxu
* Bug fixes
- Dashboard/Links: Fixes dashboard links by tags not working. #24773, @KamalGalrani
- Dashboard/Links: Fixes open in new window for dashboard link. #24772, @KamalGalrani
- Dashboard/Links: Variables are resolved and limits to 100. #25076, @hugohaggmark
- DataLinks: Bring back variables interpolation in title. #24970, @dprokop
- Datasource/CloudWatch: Field suggestions no longer limited to prefix-only. #24855, @kaydelaney
- Explore/Table: Keep existing field types if possible. #24944, @kaydelaney
- Explore: Fix wrap lines toggle for results of queries with filter expression. #24915, @ivanahuckova
- Explore: fix undo in query editor. #24797, @zoltanbedi
- Explore: fix word break in type head info. #25014, @zoltanbedi
- Graph: Legend decimals now work as expected. #24931, @torkelo
- LoginPage: Fix hover color for service buttons. #25009, @tskarhed
- LogsPanel: Fix scrollbar. #24850, @ivanahuckova
- MoveDashboard: Fix for moving dashboard caused all variables to be lost. #25005, @torkelo
- Organize transformer: Use display name in field order comparer. #24984, @dprokop
- Panel: shows correct panel menu items in view mode. #24912, @hugohaggmark
- PanelEditor Fix missing labels and description if there is only single option in category. #24905, @dprokop
- PanelEditor: Overrides name matcher still show all original field names even after Field default display name is specified. #24933, @torkelo
- PanelInspector: Makes sure Data display options are visible. #24902, @hugohaggmark
- PanelInspector: Hides unsupported data display options for Panel type. #24918, @hugohaggmark
- PanelMenu: Make menu disappear on button press. #25015, @tskarhed
- Postgres: Fix add button. #25087, @phemmer
- Prometheus: Fix recording rules expansion. #24977, @ivanahuckova
- Stackdriver: Fix creating Service Level Objectives (SLO) datasource query variable. #25023, @papagian
- Update to version 7.0.0
* Breaking changes
- Removed PhantomJS: PhantomJS was deprecated in Grafana v6.4 and starting from Grafana v7.0.0, all PhantomJS support has been removed. This means that Grafana no longer ships with a built-in image renderer, and we advise you to install the Grafana Image Renderer plugin.
- Dashboard: A global minimum dashboard refresh interval is now enforced and defaults to 5 seconds.
- Interval calculation: There is now a new option Max data points that controls the auto interval $__interval calculation. Interval was previously calculated by dividing the panel width by the time range. With the new max data points option it is now easy to set $__interval to a dynamic value that is time range agnostic. For example if you set Max data points to 10 Grafana will dynamically set $__interval by dividing the current time range by 10.
- Datasource/Loki: Support for deprecated Loki endpoints has been removed.
- Backend plugins: Grafana now requires backend plugins to be signed, otherwise Grafana will not load/start them. This is an additional security measure to make sure backend plugin binaries and files haven't been tampered with. Refer to Upgrade Grafana for more information.
- @grafana/ui: Forms migration notice, see @grafana/ui changelog
- @grafana/ui: Select API change for creating custom values, see @grafana/ui changelog
+ Deprecation warnings
- Scripted dashboards is now deprecated. The feature is not removed but will be in a future release. We hope to address the underlying requirement of dynamic dashboards in a different way. #24059
- The unofficial first version of backend plugins together with usage of grafana/grafana-plugin-model is now deprecated and support for that will be removed in a future release. Please refer to backend plugins documentation for information about the new officially supported backend plugins.
* Features / Enhancements
- Backend plugins: Log deprecation warning when using the unofficial first version of backend plugins. #24675, @marefr
- Editor: New line on Enter, run query on Shift+Enter. #24654, @davkal
- Loki: Allow multiple derived fields with the same name. #24437, @aocenas
- Orgs: Add future deprecation notice. #24502, @torkelo
* Bug Fixes
- @grafana/toolkit: Use process.cwd() instead of PWD to get directory. #24677, @zoltanbedi
- Admin: Makes long settings values line break in settings page. #24559, @hugohaggmark
- Dashboard: Allow editing provisioned dashboard JSON and add confirmation when JSON is copied to dashboard. #24680, @dprokop
- Dashboard: Fix for strange 'dashboard not found' errors when opening links in dashboard settings. #24416, @torkelo
- Dashboard: Fix so default data source is selected when data source can't be found in panel editor. #24526, @mckn
- Dashboard: Fixed issue changing a panel from transparent back to normal in panel editor. #24483, @torkelo
- Dashboard: Make header names reflect the field name when exporting to CSV file from the the panel inspector. #24624, @peterholmberg
- Dashboard: Make sure side pane is displayed with tabs by default in panel editor. #24636, @dprokop
- Data source: Fix query/annotation help content formatting. #24687, @AgnesToulet
- Data source: Fixes async mount errors. #24579, @Estrax
- Data source: Fixes saving a data source without failure when URL doesn't specify a protocol. #24497, @aknuds1
- Explore/Prometheus: Show results of instant queries only in table. #24508, @ivanahuckova
- Explore: Fix rendering of react query editors. #24593, @ivanahuckova
- Explore: Fixes loading more logs in logs context view. #24135, @Estrax
- Graphite: Fix schema and dedupe strategy in rollup indicators for Metrictank queries. #24685, @torkelo
- Graphite: Makes query annotations work again. #24556, @hugohaggmark
- Logs: Clicking 'Load more' from context overlay doesn't expand log row. #24299, @kaydelaney
- Logs: Fix total bytes process calculation. #24691, @davkal
- Org/user/team preferences: Fixes so UI Theme can be set back to Default. #24628, @AgnesToulet
- Plugins: Fix manifest validation. #24573, @aknuds1
- Provisioning: Use proxy as default access mode in provisioning. #24669, @bergquist
- Search: Fix select item when pressing enter and Grafana is served using a sub path. #24634, @tskarhed
- Search: Save folder expanded state. #24496, @Clarity-89
- Security: Tag value sanitization fix in OpenTSDB data source. #24539, @rotemreiss
- Table: Do not include angular options in options when switching from angular panel. #24684, @torkelo
- Table: Fixed persisting column resize for time series fields. #24505, @torkelo
- Table: Fixes Cannot read property subRows of null. #24578, @hugohaggmark
- Time picker: Fixed so you can enter a relative range in the time picker without being converted to absolute range. #24534, @mckn
- Transformations: Make transform dropdowns not cropped. #24615, @dprokop
- Transformations: Sort order should be preserved as entered by user when using the reduce transformation. #24494, @hugohaggmark
- Units: Adds scale symbol for currencies with suffixed symbol. #24678, @hugohaggmark
- Variables: Fixes filtering options with more than 1000 entries. #24614, @hugohaggmark
- Variables: Fixes so Textbox variables read value from url. #24623, @hugohaggmark
- Zipkin: Fix error when span contains remoteEndpoint. #24524, @aocenas
- SAML: Switch from email to login for user login attribute mapping (Enterprise)
- Update Makefile and spec file
* Remove phantomJS patch from Makefile
* Fix multiline strings in Makefile
* Exclude s390 from SLE12 builds, golang 1.14 is not built for s390
- Add instructions for patching the Grafana javascript frontend.
- BuildRequires golang(API) instead of go metapackage version range
* BuildRequires: golang(API) >= 1.14 from
BuildRequires: ( go >= 1.14 with go < 1.15 )
- Update to version 6.7.3
- This version fixes bsc#1170557 and its corresponding CVE-2020-12245
- Admin: Fix Synced via LDAP message for non-LDAP external users. #23477, @alexanderzobnin
- Alerting: Fixes notifications for alerts with empty message in Google Hangouts notifier. #23559, @hugohaggmark
- AuthProxy: Fixes bug where long username could not be cached.. #22926, @jcmcken
- Dashboard: Fix saving dashboard when editing raw dashboard JSON model. #23314, @peterholmberg
- Dashboard: Try to parse 8 and 15 digit numbers as timestamps if parsing of time range as date fails. #21694, @jessetan
- DashboardListPanel: Fixed problem with empty panel after going into edit mode (General folder filter being automatically added) . #23426, @torkelo
- Data source: Handle datasource withCredentials option properly. #23380, @hvtuananh
- Security: Fix annotation popup XSS vulnerability. #23813, @torkelo
- Server: Exit Grafana with status code 0 if no error. #23312, @aknuds1
- TablePanel: Fix XSS issue in header column rename (backport). #23814, @torkelo
- Variables: Fixes error when setting adhoc variable values. #23580, @hugohaggmark
- Update to version 6.7.2:
(see installed changelog for the full list of changes)
- BackendSrv: Adds config to response to fix issue for external plugins that used this property . #23032, @torkelo
- Dashboard: Fixed issue with saving new dashboard after changing title . #23104, @dprokop
- DataLinks: make sure we use the correct datapoint when dataset contains null value.. #22981, @mckn
- Plugins: Fixed issue for plugins that imported dateMath util . #23069, @mckn
- Security: Fix for dashboard snapshot original dashboard link could contain XSS vulnerability in url. #23254, @torkelo
- Variables: Fixes issue with too many queries being issued for nested template variables after value change. #23220, @torkelo
- Plugins: Expose promiseToDigest. #23249, @torkelo
- Reporting (Enterprise): Fixes issue updating a report created by someone else
- Update to 6.7.1:
(see installed changelog for the full list of changes)
Bug Fixes
- Azure: Fixed dropdowns not showing current value. #22914, @torkelo
- BackendSrv: only add content-type on POST, PUT requests. #22910, @hugohaggmark
- Panels: Fixed size issue with panel internal size when exiting panel edit mode. #22912, @torkelo
- Reporting: fixes migrations compatibility with mysql (Enterprise)
- Reporting: Reduce default concurrency limit to 4 (Enterprise)
- Update to 6.7.0:
(see installed changelog for the full list of changes)
Bug Fixes
- AngularPanels: Fixed inner height calculation for angular panels . #22796, @torkelo
- BackendSrv: makes sure provided headers are correctly recognized and set. #22778, @hugohaggmark
- Forms: Fix input suffix position (caret-down in Select) . #22780, @torkelo
- Graphite: Fixed issue with query editor and next select metric now showing after selecting metric node . #22856, @torkelo
- Rich History: UX adjustments and fixes. #22729, @ivanahuckova
- Update to 6.7.0-beta1:
Breaking changes
- Slack: Removed Mention setting and instead introduce Mention Users, Mention Groups, and Mention Channel. The first two settings require user and group IDs, respectively. This change was necessary because the way of mentioning via the Slack API changed and mentions in Slack notifications no longer worked.
- Alerting: Reverts the behavior of diff and percent_diff to not always be absolute. Something we introduced by mistake in 6.1.0. Alerting now support diff(), diff_abs(), percent_diff() and percent_diff_abs(). #21338
- Notice about changes in backendSrv for plugin authors
In our mission to migrate away from AngularJS to React we have removed all AngularJS dependencies in the core data retrieval service backendSrv.
Removing the AngularJS dependencies in backendSrv has the unfortunate side effect of AngularJS digest no longer being triggered for any request made with backendSrv. Because of this, external plugins using backendSrv directly may suffer from strange behaviour in the UI.
To remedy this issue, as a plugin author you need to trigger the digest after a direct call to backendSrv.
Bug Fixes
API: Fix redirect issues. #22285, @papagian
Alerting: Don't include image_url field with Slack message if empty. #22372, @aknuds1
Alerting: Fixed bad background color for default notifications in alert tab . #22660, @krvajal
Annotations: In table panel when setting transform to annotation, they will now show up right away without a manual refresh. #22323, @krvajal
Azure Monitor: Fix app insights source to allow for new __timeFrom and __timeTo. #21879, @ChadNedzlek
BackendSrv: Fixes POST body for form data. gmark
CloudWatch: Credentials cache invalidation fix. #22473, @sunker
CloudWatch: Expand alias variables when query yields no result. #22695, @sunker
Dashboard: Fix bug with NaN in alerting. #22053, @a-melnyk
Explore: Fix display of multiline logs in log panel and explore. #22057, @thomasdraebing
Heatmap: Legend color range is incorrect when using custom min/max. #21748, @sv5d
Security: Fixed XSS issue in dashboard history diff . #22680, @torkelo
StatPanel: Fixes base color is being used for null values .
#22646, @torkelo
- Update to version 6.6.2:
(see installed changelog for the full list of changes)
- Update to version 6.6.1:
(see installed changelog for the full list of changes)
- Update to version 6.6.0:
(see installed changelog for the full list of changes)
- Update to version 6.5.3:
(see installed changelog for the full list of changes)
- Update to version 6.5.2:
(see installed changelog for the full list of changes)
- Update to version 6.5.1:
(see installed changelog for the full list of changes)
- Update to version 6.5.0
(see installed changelog for the full list of changes)
- Update to version 6.4.5:
* Create version 6.4.5
* CloudWatch: Fix high CPU load (#20579)
- Add obs-service-go_modules to download required modules into vendor.tar.gz
- Adjusted spec file to use vendor.tar.gz
- Adjusted Makefile to work with new filenames
- BuildRequire go1.14
- Update to version 6.4.4:
* DataLinks: Fix blur issues. #19883, @aocenas
* Docker: Makes it possible to parse timezones in the docker image. #20081, @xlson
* LDAP: All LDAP servers should be tried even if one of them returns a connection error. #20077, @jongyllen
* LDAP: No longer shows incorrectly matching groups based on role in debug page. #20018, @xlson
* Singlestat: Fix no data / null value mapping . #19951, @ryantxu
- Revert the spec file and make script
- Remove PhantomJS dependency
- Update to 6.4.3
* Bug Fixes
- Alerting: All notification channels should send even if one fails to send. #19807, @jan25
- AzureMonitor: Fix slate interference with dropdowns. #19799, @aocenas
- ContextMenu: make ContextMenu positioning aware of the viewport width. #19699, @krvajal
- DataLinks: Fix context menu not showing in singlestat-ish visualisations. #19809, @dprokop
- DataLinks: Fix url field not releasing focus. #19804, @aocenas
- Datasource: Fixes clicking outside of some query editors required 2 clicks. #19822, @aocenas
- Panels: Fixes default tab for visualizations without Queries Tab. #19803, @hugohaggmark
- Singlestat: Fixed issue with mapping null to text. #19689, @torkelo
- @grafana/toolkit: Don't fail plugin creation when git user.name config is not set. #19821, @dprokop
- @grafana/toolkit: TSLint line number off by 1. #19782, @fredwangwang
- Update to 6.4.2
* Bug Fixes
- CloudWatch: Changes incorrect dimension wmlid to wlmid . #19679, @ATTron
- Grafana Image Renderer: Fixes plugin page. #19664, @hugohaggmark
- Graph: Fixes auto decimals logic for y axis ticks that results in too many decimals for high values. #19618, @torkelo
- Graph: Switching to series mode should re-render graph. #19623, @torkelo
- Loki: Fix autocomplete on label values. #19579, @aocenas
- Loki: Removes live option for logs panel. #19533, @davkal
- Profile: Fix issue with user profile not showing more than sessions sessions in some cases. #19578, @huynhsamha
- Prometheus: Fixes so results in Panel always are sorted by query order. #19597, @hugohaggmark
- sted keys in YAML provisioning caused a server crash, #19547
- ImageRendering: Fixed issue with image rendering in enterprise build (Enterprise)
- Reporting: Fixed issue with reporting service when STMP was disabled (Enterprise).
- Changes from 6.4.0
* Features / Enhancements
- Build: Upgrade go to 1.12.10. #19499, @marefr
- DataLinks: Suggestions menu improvements. #19396, @dprokop
- Explore: Take root_url setting into account when redirecting from dashboard to explore. #19447, @ivanahuckova
- Explore: Update broken link to logql docs. #19510, @ivanahuckova
- Logs: Adds Logs Panel as a visualization. #19504, @davkal
* Bug Fixes
- CLI: Fix version selection for plugin install. #19498, @aocenas
- Graph: Fixes minor issue with series override color picker and custom color . #19516, @torkelo
- Changes from 6.4.0 Beta 2
* Features / Enhancements
- Azure Monitor: Remove support for cross resource queries (#19115)'. #19346, @sunker
- Docker: Upgrade packages to resolve reported vulnerabilities. #19188, @marefr
- Graphite: Time range expansion reduced from 1 minute to 1 second. #19246, @torkelo
- grafana/toolkit: Add plugin creation task. #19207, @dprokop
* Bug Fixes
- Alerting: Prevents creating alerts from unsupported queries. #19250, @hugohaggmark
- Alerting: Truncate PagerDuty summary when greater than 1024 characters. #18730, @nvllsvm
- Cloudwatch: Fix autocomplete for Gamelift dimensions. #19146, @kevinpz
- Dashboard: Fix export for sharing when panels use default data source. #19315, @torkelo
- Database: Rewrite system statistics query to perform better. #19178, @papagian
- Gauge/BarGauge: Fix issue with [object Object] in titles . #19217, @ryantxu
- MSSQL: Revert usage of new connectionstring format introduced by #18384. #19203, @marefr
- Multi-LDAP: Do not fail-fast on invalid credentials. #19261, @gotjosh
- MySQL, Postgres, MSSQL: Fix validating query with template variables in alert . #19237, @marefr
- MySQL, Postgres: Update raw sql when query builder updates. #19209, @marefr
- MySQL: Limit datasource error details returned from the backend. #19373, @marefr
- Changes from 6.4.0 Beta 1
* Features / Enhancements
- API: Readonly datasources should not be created via the API. #19006, @papagian
- Alerting: Include configured AlertRuleTags in Webhooks notifier. #18233, @dominic-miglar
- Annotations: Add annotations support to Loki. #18949, @aocenas
- Annotations: Use a single row to represent a region. #17673, @ryantxu
- Auth: Allow inviting existing users when login form is disabled. #19048, @548017
- Azure Monitor: Add support for cross resource queries. #19115, @sunker
- CLI: Allow installing custom binary plugins. #17551, @aocenas
- Dashboard: Adds Logs Panel (alpha) as visualization option for Dashboards. #18641, @hugohaggmark
- Dashboard: Reuse query results between panels . #16660, @ryantxu
- Dashboard: Set time to to 23:59:59 when setting To time using calendar. #18595, @simPod
- DataLinks: Add DataLinks support to Gauge, BarGauge and SingleStat2 panel. #18605, @ryantxu
- DataLinks: Enable access to labels & field names. #18918, @torkelo
- DataLinks: Enable multiple data links per panel. #18434, @dprokop
- Docker: switch docker image to alpine base with phantomjs support. #18468, @DanCech
- Elasticsearch: allow templating queries to order by doc_count. #18870, @hackery
- Explore: Add throttling when doing live queries. #19085, @aocenas
- Explore: Adds ability to go back to dashboard, optionally with query changes. #17982, @kaydelaney
- Explore: Reduce default time range to last hour. #18212, @davkal
- Gauge/BarGauge: Support decimals for min/max. #18368, @ryantxu
- Graph: New series override transform constant that renders a single point as a line across the whole graph. #19102, @davkal
- Image rendering: Add deprecation warning when PhantomJS is used for rendering images. #18933, @papagian
- InfluxDB: Enable interpolation within ad-hoc filter values. #18077, @kvc-code
- LDAP: Allow an user to be synchronized against LDAP. #18976, @gotjosh
- Ldap: Add ldap debug page. #18759, @peterholmberg
- Loki: Remove prefetching of default label values. #18213, @davkal
- Metrics: Add failed alert notifications metric. #18089, @koorgoo
- OAuth: Support JMES path lookup when retrieving user email. #14683, @bobmshannon
- OAuth: return GitLab groups as a part of user info (enable team sync). #18388, @alexanderzobnin
- Panels: Add unit for electrical charge - ampere-hour. #18950, @anirudh-ramesh
- Plugin: AzureMonitor - Reapply MetricNamespace support. #17282, @raphaelquati
- Plugins: better warning when plugins fail to load. #18671, @ryantxu
- Postgres: Add support for scram sha 256 authentication. #18397, @nonamef
- RemoteCache: Support SSL with Redis. #18511, @kylebrandt
- SingleStat: The gauge option in now disabled/hidden (unless it's an old panel with it already enabled) . #18610, @ryantxu
- Stackdriver: Add extra alignment period options. #18909, @sunker
- Units: Add South African Rand (ZAR) to currencies. #18893, @jeteon
- Units: Adding T,P,E,Z,and Y bytes. #18706, @chiqomar
* Bug Fixes
- Alerting: Notification is sent when state changes from no_data to ok. #18920, @papagian
- Alerting: fix duplicate alert states when the alert fails to save to the database. #18216, @kylebrandt
- Alerting: fix response popover prompt when add notification channels. #18967, @lzdw
- CloudWatch: Fix alerting for queries with Id (using GetMetricData). #17899, @alex-berger
- Explore: Fix auto completion on label values for Loki. #18988, @aocenas
- Explore: Fixes crash using back button with a zoomed in graph. #19122, @hugohaggmark
- Explore: Fixes so queries in Explore are only run if Graph/Table is shown. #19000, @hugohaggmark
- MSSQL: Change connectionstring to URL format to fix using passwords with semicolon. #18384, @Russiancold
- MSSQL: Fix memory leak when debug enabled. #19049, @briangann
- Provisioning: Allow escaping literal '$' with '$$' in configs to avoid interpolation. #18045, @kylebrandt
- TimePicker: Fixes hiding time picker dropdown in FireFox. #19154, @hugohaggmark
* Breaking changes
+ Annotations
There are some breaking changes in the annotations HTTP API for region annotations. Region annotations are now represented
using a single event instead of two seperate events. Check breaking changes in HTTP API below and HTTP API documentation for more details.
+ Docker
Grafana is now using Alpine 3.10 as docker base image.
+ HTTP API
- GET /api/alert-notifications now requires at least editor access.
New /api/alert-notifications/lookup returns less information than /api/alert-notifications and can be access by any authenticated user.
- GET /api/alert-notifiers now requires at least editor access
- GET /api/org/users now requires org admin role.
New /api/org/users/lookup returns less information than /api/org/users and can be access by users that are org admins,
admin in any folder or admin of any team.
- GET /api/annotations no longer returns regionId property.
- POST /api/annotations no longer supports isRegion property.
- PUT /api/annotations/:id no longer supports isRegion property.
- PATCH /api/annotations/:id no longer supports isRegion property.
- DELETE /api/annotations/region/:id has been removed.
* Deprecation notes
+ PhantomJS
- PhantomJS, which is used for rendering images of dashboards and panels,
is deprecated and will be removed in a future Grafana release.
A deprecation warning will from now on be logged when Grafana starts up if PhantomJS is in use.
Please consider migrating from PhantomJS to the Grafana Image Renderer plugin.
- Changes from 6.3.6
* Features / Enhancements
- Metrics: Adds setting for turning off total stats metrics. #19142, @marefr
* Bug Fixes
- Database: Rewrite system statistics query to perform better. #19178, @papagian
- Explore: Fixes error when switching from prometheus to loki data sources. #18599, @kaydelaney
- Rebase package spec. Use mostly from fedora, fix suse specified things and fix some errors.
- Add missing directories provisioning/datasources and provisioning/notifiers
and sample.yaml as described in packaging/rpm/control from upstream.
Missing directories are shown in logfiles.
- Version 6.3.5
* Upgrades
+ Build: Upgrade to go 1.12.9.
* Bug Fixes
+ Dashboard: Fixes dashboards init failed loading error for dashboards with panel links that had missing properties.
+ Editor: Fixes issue where only entire lines were being copied.
+ Explore: Fixes query field layout in splitted view for Safari browsers.
+ LDAP: multildap + ldap integration.
+ Profile/UserAdmin: Fix for user agent parser crashes grafana-server on 32-bit builds.
+ Prometheus: Prevents panel editor crash when switching to Prometheus datasource.
+ Prometheus: Changes brace-insertion behavior to be less annoying.
- Version 6.3.4
* Security: CVE-2019-15043 - Parts of the HTTP API allow unauthenticated use.
- Version 6.3.3
* Bug Fixes
+ Annotations: Fix failing annotation query when time series query is cancelled. #18532 1, @dprokop 1
+ Auth: Do not set SameSite cookie attribute if cookie_samesite is none. #18462 1, @papagian 3
+ DataLinks: Apply scoped variables to data links correctly. #18454 1, @dprokop 1
+ DataLinks: Respect timezone when displaying datapoint’s timestamp in graph context menu. #18461 2, @dprokop 1
+ DataLinks: Use datapoint timestamp correctly when interpolating variables. #18459 1, @dprokop 1
+ Explore: Fix loading error for empty queries. #18488 1, @davkal
+ Graph: Fixes legend issue clicking on series line icon and issue with horizontal scrollbar being visible on windows. #18563 1, @torkelo 2
+ Graphite: Avoid glob of single-value array variables . #18420, @gotjosh
+ Prometheus: Fix queries with label_replace remove the $1 match when loading query editor. #18480 5, @hugohaggmark 3
+ Prometheus: More consistently allows for multi-line queries in editor. #18362 2, @kaydelaney 2
+ TimeSeries: Assume values are all numbers. #18540 4, @ryantxu
- Version 6.3.2
* Bug Fixes
+ Gauge/BarGauge: Fixes issue with losts thresholds and issue loading Gauge with avg stat. #18375 12
- Version 6.3.1
* Bug Fixes
+ PanelLinks: Fix crash issue Gauge & Bar Gauge for panels with panel links (drill down links). #18430 2
- Version 6.3.0
* Features / Enhancements
+ OAuth: Do not set SameSite OAuth cookie if cookie_samesite is None. #18392 4, @papagian 3
+ Auth Proxy: Include additional headers as part of the cache key. #18298 6, @gotjosh
+ Build grafana images consistently. #18224 12, @hassanfarid
+ Docs: SAML. #18069 11, @gotjosh
+ Permissions: Show plugins in nav for non admin users but hide plugin configuration. #18234 1, @aocenas
+ TimePicker: Increase max height of quick range dropdown. #18247 2, @torkelo 2
+ Alerting: Add tags to alert rules. #10989 13, @Thib17 1
+ Alerting: Attempt to send email notifications to all given email addresses. #16881 1, @zhulongcheng
+ Alerting: Improve alert rule testing. #16286 2, @marefr
+ Alerting: Support for configuring content field for Discord alert notifier. #17017 2, @jan25
+ Alertmanager: Replace illegal chars with underscore in label names. #17002 5, @bergquist 1
+ Auth: Allow expiration of API keys. #17678, @papagian 3
+ Auth: Return device, os and browser when listing user auth tokens in HTTP API. #17504, @shavonn 1
+ Auth: Support list and revoke of user auth tokens in UI. #17434 2, @shavonn 1
+ AzureMonitor: change clashing built-in Grafana variables/macro names for Azure Logs. #17140, @shavonn 1
+ CloudWatch: Made region visible for AWS Cloudwatch Expressions. #17243 2, @utkarshcmu
+ Cloudwatch: Add AWS DocDB metrics. #17241, @utkarshcmu
+ Dashboard: Use timezone dashboard setting when exporting to CSV. #18002 1, @dehrax
+ Data links. #17267 11, @torkelo 2
+ Docker: Switch base image to ubuntu:latest from debian:stretch to avoid security issues… #17066 5, @bergquist 1
+ Elasticsearch: Support for visualizing logs in Explore . #17605 7, @marefr
+ Explore: Adds Live option for supported datasources. #17062 1, @hugohaggmark 3
+ Explore: Adds orgId to URL for sharing purposes. #17895 1, @kaydelaney 2
+ Explore: Adds support for new loki ‘start’ and ‘end’ params for labels endpoint. #17512, @kaydelaney 2
+ Explore: Adds support for toggling raw query mode in explore. #17870, @kaydelaney 2
+ Explore: Allow switching between metrics and logs . #16959 2, @marefr
+ Explore: Combines the timestamp and local time columns into one. #17775, @hugohaggmark 3
+ Explore: Display log lines context . #17097, @dprokop 1
+ Explore: Don’t parse log levels if provided by field or label. #17180 1, @marefr
+ Explore: Improves performance of Logs element by limiting re-rendering. #17685, @kaydelaney 2
+ Explore: Support for new LogQL filtering syntax. #16674 4, @davkal
+ Explore: Use new TimePicker from Grafana/UI. #17793, @hugohaggmark 3
+ Explore: handle newlines in LogRow Highlighter. #17425, @rrfeng 1
+ Graph: Added new fill gradient option. #17528 3, @torkelo 2
+ GraphPanel: Don’t sort series when legend table & sort column is not visible . #17095, @shavonn 1
+ InfluxDB: Support for visualizing logs in Explore. #17450 9, @hugohaggmark 3
+ Logging: Login and Logout actions (#17760). #17883 1, @ATTron
+ Logging: Move log package to pkg/infra. #17023, @zhulongcheng
+ Metrics: Expose stats about roles as metrics. #17469 2, @bergquist 1
+ MySQL/Postgres/MSSQL: Add parsing for day, weeks and year intervals in macros. #13086 6, @bernardd
+ MySQL: Add support for periodically reloading client certs. #14892, @tpetr
+ Plugins: replace dataFormats list with skipDataQuery flag in plugin.json. #16984, @ryantxu
+ Prometheus: Take timezone into account for step alignment. #17477, @fxmiii
+ Prometheus: Use overridden panel range for $__range instead of dashboard range. #17352, @patrick246
+ Prometheus: added time range filter to series labels query. #16851 3, @FUSAKLA
+ Provisioning: Support folder that doesn’t exist yet in dashboard provisioning. #17407 1, @Nexucis
+ Refresh picker: Handle empty intervals. #17585 1, @dehrax
+ Singlestat: Add y min/max config to singlestat sparklines. #17527 4, @pitr
+ Snapshot: use given key and deleteKey. #16876, @zhulongcheng
+ Templating: Correctly display __text in multi-value variable after page reload. #17840 1, @EduardSergeev
+ Templating: Support selecting all filtered values of a multi-value variable. #16873 2, @r66ad
+ Tracing: allow propagation with Zipkin headers. #17009 4, @jrockway
+ Users: Disable users removed from LDAP. #16820 2, @alexanderzobnin
* Bug Fixes
+ PanelLinks: Fix render issue when there is no panel description. #18408 3, @dehrax
+ OAuth: Fix “missing saved state” OAuth login failure due to SameSite cookie policy. #18332 1, @papagian 3
+ cli: fix for recognizing when in dev mode… #18334, @xlson
+ DataLinks: Fixes incorrect interpolation of ${__series_name} . #18251 1, @torkelo 2
+ Loki: Display live tailed logs in correct order in Explore. #18031 3, @kaydelaney 2
+ PhantomJS: Fixes rendering on Debian Buster. #18162 2, @xlson
+ TimePicker: Fixed style issue for custom range popover. #18244, @torkelo 2
+ Timerange: Fixes a bug where custom time ranges didn’t respect UTC. #18248 1, @kaydelaney 2
+ remote_cache: Fix redis connstr parsing. #18204 1, @mblaschke
+ AddPanel: Fix issue when removing moved add panel widget . #17659 2, @dehrax
+ CLI: Fix encrypt-datasource-passwords fails with sql error. #18014, @marefr
+ Elasticsearch: Fix default max concurrent shard requests. #17770 4, @marefr
+ Explore: Fix browsing back to dashboard panel. #17061, @jschill
+ Explore: Fix filter by series level in logs graph. #17798, @marefr
+ Explore: Fix issues when loading and both graph/table are collapsed. #17113, @marefr
+ Explore: Fix selection/copy of log lines. #17121, @marefr
+ Fix: Wrap value of multi variable in array when coming from URL. #16992 1, @aocenas
+ Frontend: Fix for Json tree component not working. #17608, @srid12
+ Graphite: Fix for issue with alias function being moved last. #17791, @torkelo 2
+ Graphite: Fixes issue with seriesByTag & function with variable param. #17795, @torkelo 2
+ Graphite: use POST for /metrics/find requests. #17814 2, @papagian 3
+ HTTP Server: Serve Grafana with a custom URL path prefix. #17048 6, @jan25
+ InfluxDB: Fixes single quotes are not escaped in label value filters. #17398 1, @Panzki
+ Prometheus: Correctly escape ‘|’ literals in interpolated PromQL variables. #16932, @Limess
+ Prometheus: Fix when adding label for metrics which contains colons in Explore. #16760, @tolwi
+ SinglestatPanel: Remove background color when value turns null. #17552 1, @druggieri
- Make phantomjs dependency configurable
- Create plugin directory and clean up (create in %install,
add to %files) handling of /var/lib/grafana/* and
mgr-cfg:
- Remove commented code in test files
- Replace spacewalk-usix with uyuni-common-libs
- Bump version to 4.1.0 (bsc#1154940)
- Add mgr manpage links
mgr-custom-info:
- Bump version to 4.1.0 (bsc#1154940)
mgr-daemon:
- Bump version to 4.1.0 (bsc#1154940)
- Fix systemd timer configuration on SLE12 (bsc#1142038)
mgr-osad:
- Separate osa-dispatcher and jabberd so it can be disabled independently
- Replace spacewalk-usix with uyuni-common-libs
- Bump version to 4.1.0 (bsc#1154940)
- Move /usr/share/rhn/config-defaults to uyuni-base-common
- Require uyuni-base-common for /etc/rhn (for osa-dispatcher)
- Ensure bytes type when using hashlib to avoid traceback (bsc#1138822)
mgr-push:
- Replace spacewalk-usix and spacewalk-backend-libs with uyuni-common-libs
- Bump version to 4.1.0 (bsc#1154940)
mgr-virtualization:
- Replace spacewalk-usix with uyuni-common-libs
- Bump version to 4.1.0 (bsc#1154940)
- Fix mgr-virtualization timer
rhnlib:
- Fix building
- Fix malformed XML response when data contains non-ASCII chars (bsc#1154968)
- Bump version to 4.1.0 (bsc#1154940)
- Fix bootstrapping SLE11SP4 trad client with SSL enabled (bsc#1148177)
spacecmd:
- Only report real error, not result (bsc#1171687)
- Use defined return values for spacecmd methods so scripts can
check for failure (bsc#1171687)
- Disable globbing for api subcommand to allow wildcards in filter
settings (bsc#1163871)
- Bugfix: attempt to purge SSM when it is empty (bsc#1155372)
- Bump version to 4.1.0 (bsc#1154940)
- Prevent error when piping stdout in Python 2 (bsc#1153090)
- Java api expects content as encoded string instead of encoded bytes like before (bsc#1153277)
- Enable building and installing for Ubuntu 16.04 and Ubuntu 18.04
- Add unit test for schedule, errata, user, utils, misc, configchannel
and kickstart modules
- Multiple minor bugfixes alongside the unit tests
- Bugfix: referenced variable before assignment.
- Add unit test for report, package, org, repo and group
spacewalk-client-tools:
- Add workaround for uptime overflow to spacewalk-update-status as well (bsc#1165921)
- Spell correctly 'successful' and 'successfully'
- Skip dmidecode data on aarch64 to prevent coredump (bsc#1113160)
- Replace spacewalk-usix with uyuni-common-libs
- Return a non-zero exit status on errors in rhn_check
- Bump version to 4.1.0 (bsc#1154940)
- Make a explicit requirement to systemd for spacewalk-client-tools
when rhnsd timer is installed
spacewalk-koan:
- Bump version to 4.1.0 (bsc#1154940)
- Require commands we use in merge-rd.sh
spacewalk-oscap:
- Bump version to 4.1.0 (bsc#1154940)
spacewalk-remote-utils:
- Update spacewalk-create-channel with RHEL 7.7 channel definitions
- Bump version to 4.1.0 (bsc#1154940)
supportutils-plugin-susemanager-client:
- Bump version to 4.1.0 (bsc#1154940)
suseRegisterInfo:
- SuseRegisterInfo only needs perl-base, not full perl (bsc#1168310)
- Bump version to 4.1.0 (bsc#1154940)
zypp-plugin-spacewalk:
- Prevent issue with non-ASCII characters in Python 2 systems (bsc#1172462)
ModerateSUSE bug 1113160SUSE bug 1134195SUSE bug 1138822SUSE bug 1141661SUSE bug 1142038SUSE bug 1143913SUSE bug 1148177SUSE bug 1153090SUSE bug 1153277SUSE bug 1154940SUSE bug 1154968SUSE bug 1155372SUSE bug 1163871SUSE bug 1165921SUSE bug 1168310SUSE bug 1170231SUSE bug 1170557SUSE bug 1171687SUSE bug 1172462CVE-2019-10215 at SUSECVE-2019-10215 at NVDCVE-2019-15043 at SUSECVE-2019-15043 at NVDCVE-2020-12245 at SUSECVE-2020-12245 at NVDCVE-2020-13379 at SUSECVE-2020-13379 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for xrdp (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for xrdp fixes the following issues:
- Security fixes (bsc#1173580, CVE-2020-4044):
+ Add patches:
* xrdp-cve-2020-4044-fix-0.patch
* xrdp-cve-2020-4044-fix-1.patch
+ Rebase SLE patch:
* xrdp-fate318398-change-expired-password.patch
- Update patch:
+ xrdp-Allow-sessions-with-32-bpp.patch.patch
ImportantSUSE bug 1173580CVE-2020-4044 at SUSECVE-2020-4044 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_113 fixes several issues.
The following security issues were fixed:
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in the Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bsc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in the Marvell WiFi chip driver. An attacker was able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bsc#1157155).
ImportantSUSE bug 1160467SUSE bug 1160468CVE-2019-14896 at SUSECVE-2019-14896 at NVDCVE-2019-14897 at SUSECVE-2019-14897 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for mailman (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for mailman fixes the following issues:
- CVE-2020-15011: Fixed a possible Arbitrary Content Injection via the private archive login page (bsc#1173369).
ImportantSUSE bug 1173369CVE-2020-15011 at SUSECVE-2020-15011 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_107 fixes several issues.
The following security issues were fixed:
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in the Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bsc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in the Marvell WiFi chip driver. An attacker was able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bsc#1157155).
ImportantSUSE bug 1160467SUSE bug 1160468CVE-2019-14896 at SUSECVE-2019-14896 at NVDCVE-2019-14897 at SUSECVE-2019-14897 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for samba (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for samba fixes the following issues:
- CVE-2020-10745: Fixed an issue which parsing and packing of NBT and DNS packets containing dots could potentially have consumed excessive CPU (bsc#1173160).
ModerateSUSE bug 1173160CVE-2020-10745 at SUSECVE-2020-10745 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.28.3 (bsc#1173998):
+ Enable kinetic scrolling with async scrolling.
+ Fix web process hangs on large GitHub pages.
+ Bubblewrap sandbox should not attempt to bind empty paths.
+ Fix threading issues in the media player.
+ Fix several crashes and rendering issues.
+ Security fixes: CVE-2020-9802, CVE-2020-9803, CVE-2020-9805,
CVE-2020-9806, CVE-2020-9807, CVE-2020-9843, CVE-2020-9850,
CVE-2020-13753.
ImportantSUSE bug 1173998CVE-2020-13753 at SUSECVE-2020-13753 at NVDCVE-2020-9802 at SUSECVE-2020-9802 at NVDCVE-2020-9803 at SUSECVE-2020-9803 at NVDCVE-2020-9805 at SUSECVE-2020-9805 at NVDCVE-2020-9806 at SUSECVE-2020-9806 at NVDCVE-2020-9807 at SUSECVE-2020-9807 at NVDCVE-2020-9843 at SUSECVE-2020-9843 at NVDCVE-2020-9850 at SUSECVE-2020-9850 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for grub2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for grub2 fixes the following issues:
- Fix for CVE-2020-10713 (bsc#1168994)
- Fix for CVE-2020-14308 CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
(bsc#1173812)
- Fix for CVE-2020-15706 (bsc#1174463)
- Fix for CVE-2020-15707 (bsc#1174570)
- Use overflow checking primitives where the arithmetic expression for buffer
allocations may include unvalidated data
- Use grub_calloc for overflow check and return NULL when it would occur
- Use gcc-9 compiler for overflow check builtins
- Backport gcc-9 build fixes
- Fix packed-not-aligned error on GCC 8 (bsc#1084632)
ImportantSUSE bug 1084632SUSE bug 1168994SUSE bug 1173812SUSE bug 1174463SUSE bug 1174570CVE-2020-10713 at SUSECVE-2020-10713 at NVDCVE-2020-14308 at SUSECVE-2020-14308 at NVDCVE-2020-14309 at SUSECVE-2020-14309 at NVDCVE-2020-14310 at SUSECVE-2020-14310 at NVDCVE-2020-14311 at SUSECVE-2020-14311 at NVDCVE-2020-15706 at SUSECVE-2020-15706 at NVDCVE-2020-15707 at SUSECVE-2020-15707 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 28 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_103 fixes several issues.
The following security issues were fixed:
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in the Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bsc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in the Marvell WiFi chip driver. An attacker was able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bsc#1157155).
ImportantSUSE bug 1160467SUSE bug 1160468CVE-2019-14896 at SUSECVE-2019-14896 at NVDCVE-2019-14897 at SUSECVE-2019-14897 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for ghostscript (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for ghostscript fixes the following issues:
- fixed CVE-2020-15900 Memory Corruption (SAFER Sandbox Breakout)
cf. https://bugs.ghostscript.com/show_bug.cgi?id=702582
(bsc#1174415)
ImportantSUSE bug 1174415CVE-2020-15900 at SUSECVE-2020-15900 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.1.0 ESR
* Fixed: Various stability, functionality, and security fixes (bsc#1174538)
* CVE-2020-15652: Potential leak of redirect targets when loading scripts in a worker
* CVE-2020-6514: WebRTC data channel leaks internal address to peer
* CVE-2020-15655: Extension APIs could be used to bypass Same-Origin Policy
* CVE-2020-15653: Bypassing iframe sandbox when allowing popups
* CVE-2020-6463: Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
* CVE-2020-15656: Type confusion for special arguments in IonMonkey
* CVE-2020-15658: Overriding file type when saving to disk
* CVE-2020-15657: DLL hijacking due to incorrect loading path
* CVE-2020-15654: Custom cursor can overlay user interface
* CVE-2020-15659: Memory safety bugs fixed in Firefox 79 and Firefox ESR 78.1
ModerateSUSE bug 1173948SUSE bug 1174538CVE-2020-15652 at SUSECVE-2020-15652 at NVDCVE-2020-15653 at SUSECVE-2020-15653 at NVDCVE-2020-15654 at SUSECVE-2020-15654 at NVDCVE-2020-15655 at SUSECVE-2020-15655 at NVDCVE-2020-15656 at SUSECVE-2020-15656 at NVDCVE-2020-15657 at SUSECVE-2020-15657 at NVDCVE-2020-15658 at SUSECVE-2020-15658 at NVDCVE-2020-15659 at SUSECVE-2020-15659 at NVDCVE-2020-6463 at SUSECVE-2020-6463 at NVDCVE-2020-6514 at SUSECVE-2020-6514 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 27 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_100 fixes several issues.
The following security issues were fixed:
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in the Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bsc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in the Marvell WiFi chip driver. An attacker was able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bsc#1157155).
ImportantSUSE bug 1160467SUSE bug 1160468CVE-2019-14896 at SUSECVE-2019-14896 at NVDCVE-2019-14897 at SUSECVE-2019-14897 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libX11 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libX11 fixes the following issues:
- Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628)
ImportantSUSE bug 1174628CVE-2020-14344 at SUSECVE-2020-14344 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-10135: Legacy pairing and secure-connections pairing authentication in Bluetooth may have allowed an unauthenticated user to complete authentication without pairing credentials via adjacent access. An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or slave to pair with a previously paired remote device to successfully complete the authentication procedure without knowing the link key (bnc#1171988).
- CVE-2020-10711: A NULL pointer dereference flaw was found in the SELinux subsystem. This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into the SELinux extensible bitmap via the' ebitmap_netlbl_import' routine. This flaw allowed a remote network user to crash the system kernel, resulting in a denial of service (bnc#1171191).
- CVE-2020-10751: A flaw was found in the SELinux LSM hook implementation, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing (bnc#1171189).
- CVE-2019-20812: An issue was discovered in the prb_calc_retire_blk_tmo() function in net/packet/af_packet.c can result in a denial of service (CPU consumption and soft lockup) in a certain failure case involving TPACKET_V3, aka CID-b43d1f9f7067 (bnc#1172453).
- CVE-2020-10732: A flaw was found in the implementation of userspace core dumps. This flaw allowed an attacker with a local account to crash a trivial program and exfiltrate private kernel data (bnc#1171220).
- CVE-2020-0305: In cdev_get of char_dev.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1174462).
- CVE-2020-12771: btree_gc_coalesce in drivers/md/bcache/btree.c had a deadlock if a coalescing operation fails (bnc#1171732).
- CVE-2020-10773: A kernel stack information leak on s390/s390x was fixed (bnc#1172999).
- CVE-2020-14416: A race condition in tty->disc_data handling in the slip and slcan line discipline could lead to a use-after-free, aka CID-0ace17d56824. This affects drivers/net/slip/slip.c and drivers/net/can/slcan.c (bnc#1162002).
- CVE-2020-13974: drivers/tty/vt/keyboard.c had an integer overflow if k_ascii is called several times in a row, aka CID-b86dab054059. (bnc#1172775).
- CVE-2019-20810: go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux kernel did not call snd_card_free for a failure path, which causes a memory leak, aka CID-9453264ef586 (bnc#1172458).
The following non-security bugs were fixed:
- Drivers: hv: Change flag to write log level in panic msg to false (bsc#1170618).
- ibmvnic: Do not process device remove during device reset (bsc#1065729).
- ibmvnic: Do not process reset during or after device removal (bsc#1149652 ltc#179635).
- ibmvnic: Flush existing work items before device removal (bsc#1065729).
- ibmvnic: Harden device login requests (bsc#1170011 ltc#183538).
- ibmvnic: Skip fatal error reset after passive init (bsc#1171078 ltc#184239).
- ibmvnic: Unmap DMA address of TX descriptor buffers after use (bsc#1146351 ltc#180726).
- ibmvnic: continue to init in CRQ reset returns H_CLOSED (bsc#1173280 ltc#185369).
- intel_idle: Graceful probe failure when MWAIT is disabled (bsc#1174115).
- mm, vmstat: reduce zone->lock holding time by /proc/pagetypeinfo (bsc#1164910).
- net/ibmvnic: Fix missing { in __ibmvnic_reset (bsc#1149652 ltc#179635).
- net/ibmvnic: free reset work of removed device from queue (bsc#1149652 ltc#179635).
- net/ibmvnic: prevent more than one thread from running in reset (bsc#1152457 ltc#174432).
- net/ibmvnic: unlock rtnl_lock in reset so linkwatch_event can run (bsc#1152457 ltc#174432).
- udp: drop corrupt packets earlier to avoid data corruption (bsc#1173658).
ImportantSUSE bug 1065729SUSE bug 1146351SUSE bug 1149652SUSE bug 1152457SUSE bug 1162002SUSE bug 1164910SUSE bug 1170011SUSE bug 1170618SUSE bug 1171078SUSE bug 1171189SUSE bug 1171191SUSE bug 1171220SUSE bug 1171732SUSE bug 1171988SUSE bug 1172453SUSE bug 1172458SUSE bug 1172775SUSE bug 1172999SUSE bug 1173280SUSE bug 1173658SUSE bug 1174115SUSE bug 1174462SUSE bug 1174543CVE-2019-20810 at SUSECVE-2019-20810 at NVDCVE-2019-20812 at SUSECVE-2019-20812 at NVDCVE-2020-0305 at SUSECVE-2020-0305 at NVDCVE-2020-10135 at SUSECVE-2020-10135 at NVDCVE-2020-10711 at SUSECVE-2020-10711 at NVDCVE-2020-10732 at SUSECVE-2020-10732 at NVDCVE-2020-10751 at SUSECVE-2020-10751 at NVDCVE-2020-10773 at SUSECVE-2020-10773 at NVDCVE-2020-12771 at SUSECVE-2020-12771 at NVDCVE-2020-13974 at SUSECVE-2020-13974 at NVDCVE-2020-14416 at SUSECVE-2020-14416 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for python-ipaddress (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for python-ipaddress fixes the following issues:
- Add CVE-2020-14422-ipaddress-hash-collision.patch fixing
CVE-2020-14422 (bsc#1173274, bpo#41004), where hash collisions
in IPv4Interface and IPv6Interface could lead to DOS.
ImportantSUSE bug 1173274CVE-2020-14422 at SUSECVE-2020-14422 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for LibVNCServer (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for LibVNCServer fixes the following issues:
- security update
fix CVE-2018-21247 [bsc#1173874], uninitialized memory contents are vulnerable to Information leak
fix CVE-2019-20839 [bsc#1173875], buffer overflow in ConnectClientToUnixSock()
fix CVE-2019-20840 [bsc#1173876], unaligned accesses in hybiReadAndDecode can lead to denial of service
fix CVE-2020-14398 [bsc#1173880], improperly closed TCP connection causes an infinite loop in libvncclient/sockets.c
fix CVE-2020-14397 [bsc#1173700], NULL pointer dereference in libvncserver/rfbregion.c
fix CVE-2020-14399 [bsc#1173743], Byte-aligned data is accessed through uint32_t pointers in libvncclient/rfbproto.c.
fix CVE-2020-14400 [bsc#1173691], Byte-aligned data is accessed through uint16_t pointers in libvncserver/translate.c.
fix CVE-2020-14401 [bsc#1173694], potential integer overflows in libvncserver/scale.c
fix CVE-2020-14402 [bsc#1173701], out-of-bounds access via encodings.
fix CVE-2020-14403 [bsc#1173701], out-of-bounds access via encodings.
fix CVE-2020-14404 [bsc#1173701], out-of-bounds access via encodings.
fix CVE-2017-18922 [bsc#1173477], preauth buffer overwrite
ImportantSUSE bug 1173477SUSE bug 1173691SUSE bug 1173694SUSE bug 1173700SUSE bug 1173701SUSE bug 1173743SUSE bug 1173874SUSE bug 1173875SUSE bug 1173876SUSE bug 1173880CVE-2017-18922 at SUSECVE-2017-18922 at NVDCVE-2018-21247 at SUSECVE-2018-21247 at NVDCVE-2019-20839 at SUSECVE-2019-20839 at NVDCVE-2019-20840 at SUSECVE-2019-20840 at NVDCVE-2020-14397 at SUSECVE-2020-14397 at NVDCVE-2020-14398 at SUSECVE-2020-14398 at NVDCVE-2020-14399 at SUSECVE-2020-14399 at NVDCVE-2020-14400 at SUSECVE-2020-14400 at NVDCVE-2020-14401 at SUSECVE-2020-14401 at NVDCVE-2020-14402 at SUSECVE-2020-14402 at NVDCVE-2020-14403 at SUSECVE-2020-14403 at NVDCVE-2020-14404 at SUSECVE-2020-14404 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for xen fixes the following issues:
- bsc#1174543 - secure boot related fixes
- bsc#1163019 - CVE-2020-8608: Potential OOB access due to unsafe snprintf() usages
ImportantSUSE bug 1163019SUSE bug 1174543CVE-2020-8608 at SUSECVE-2020-8608 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for dpdk (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for dpdk to version 16.11.9 following issue:
- CVE-2019-14818: Fixed a memory leak vulnerability caused by a malicious container may lead to to denial of service (bsc#1156146).
- CVE-2020-12693: Fixed an authentication bypass via an alternate path or channel (boo#1172004).
- rebuilt with new signing key. (bsc#1174543)
ModerateSUSE bug 1156146SUSE bug 1171477SUSE bug 1171930SUSE bug 1174543CVE-2019-14818 at SUSECVE-2019-14818 at NVDCVE-2020-10722 at SUSECVE-2020-10722 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libX11 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libX11 fixes the following issues:
- Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628).
ImportantSUSE bug 1174628CVE-2020-14344 at SUSECVE-2020-14344 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for xerces-c (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for xerces-c fixes the following issues:
- CVE-2017-12627: Processing of external DTD paths could have resulted in a
null pointer dereference under certain conditions (bsc#1083630)
ModerateSUSE bug 1083630CVE-2017-12627 at SUSECVE-2017-12627 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.28.4 (bsc#1174662):
+ Fix several crashes and rendering issues.
+ Security fixes: CVE-2020-9862, CVE-2020-9893, CVE-2020-9894,
CVE-2020-9895, CVE-2020-9915, CVE-2020-9925.
ImportantSUSE bug 1174662CVE-2020-9862 at SUSECVE-2020-9862 at NVDCVE-2020-9893 at SUSECVE-2020-9893 at NVDCVE-2020-9894 at SUSECVE-2020-9894 at NVDCVE-2020-9895 at SUSECVE-2020-9895 at NVDCVE-2020-9915 at SUSECVE-2020-9915 at NVDCVE-2020-9925 at SUSECVE-2020-9925 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for dovecot22 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for dovecot22 fixes the following issues:
- CVE-2020-12673: improper implementation of NTLM does not check message buffer size (bsc#1174922).
- CVE-2020-12674: improper implementation of RPA mechanism (bsc#1174923).
ImportantSUSE bug 1174922SUSE bug 1174923CVE-2020-12673 at SUSECVE-2020-12673 at NVDCVE-2020-12674 at SUSECVE-2020-12674 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for grub2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for grub2 fixes the following issues:
- CVE-2020-15705: Fail kernel validation without shim protocol (bsc#1174421).
- Add fibre channel device's ofpath support to grub-ofpathname and search hint to speed up root device discovery (bsc#1172745).
ImportantSUSE bug 1172745SUSE bug 1174421CVE-2020-15705 at SUSECVE-2020-15705 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for samba (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for samba fixes the following issues:
- CVE-2019-14907: Fixed a Server-side crash after charset conversion failure during NTLMSSP processing (bsc#1160888).
ModerateSUSE bug 1160888CVE-2019-14907 at SUSECVE-2019-14907 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for xorg-x11-server (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for xorg-x11-server fixes the following issues:
- CVE-2020-14347: Leak of uninitialized heap memory from the X server to clients on pixmap allocation (bsc#1174633, ZDI-CAN-11426).
- CVE-2020-14346: XIChangeHierarchy Integer Underflow Privilege Escalation Vulnerability (bsc#1174638, ZDI-CAN-11429).
- CVE-2020-14345: XKB out-of-bounds access privilege escalation vulnerability (bsc#1174635, ZDI-CAN-11428).
ModerateSUSE bug 1174633SUSE bug 1174635SUSE bug 1174638CVE-2020-14345 at SUSECVE-2020-14345 at NVDCVE-2020-14346 at SUSECVE-2020-14346 at NVDCVE-2020-14347 at SUSECVE-2020-14347 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_8_0-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 6 [bsc#1158442, bsc#1154212]
* Security fixes:
CVE-2019-2933 CVE-2019-2945 CVE-2019-2958
CVE-2019-2962 CVE-2019-2964 CVE-2019-2975
CVE-2019-2978 CVE-2019-2983 CVE-2019-2988
CVE-2019-2989 CVE-2019-2992 CVE-2019-2996
CVE-2019-2999 CVE-2019-2973 CVE-2019-2981
CVE-2019-17631
ModerateSUSE bug 1154212SUSE bug 1158442CVE-2019-17631 at SUSECVE-2019-17631 at NVDCVE-2019-2933 at SUSECVE-2019-2933 at NVDCVE-2019-2945 at SUSECVE-2019-2945 at NVDCVE-2019-2958 at SUSECVE-2019-2958 at NVDCVE-2019-2962 at SUSECVE-2019-2962 at NVDCVE-2019-2964 at SUSECVE-2019-2964 at NVDCVE-2019-2973 at SUSECVE-2019-2973 at NVDCVE-2019-2975 at SUSECVE-2019-2975 at NVDCVE-2019-2978 at SUSECVE-2019-2978 at NVDCVE-2019-2981 at SUSECVE-2019-2981 at NVDCVE-2019-2983 at SUSECVE-2019-2983 at NVDCVE-2019-2988 at SUSECVE-2019-2988 at NVDCVE-2019-2989 at SUSECVE-2019-2989 at NVDCVE-2019-2992 at SUSECVE-2019-2992 at NVDCVE-2019-2996 at SUSECVE-2019-2996 at NVDCVE-2019-2999 at SUSECVE-2019-2999 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for xorg-x11-server fixes the following issues:
- CVE-2020-14361: Fix XkbSelectEvents() integer underflow (bsc#1174910 ZDI-CAN-11573).
- CVE-2020-14362: Fix XRecordRegisterClients() Integer underflow (bsc#1174913 ZDI-CAN-11574).
ImportantSUSE bug 1174910SUSE bug 1174913CVE-2020-14361 at SUSECVE-2020-14361 at NVDCVE-2020-14362 at SUSECVE-2020-14362 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for apache2 (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for apache2 fixes the following issues:
- CVE-2020-9490: Fixed a crash caused by a specially crafted value for the 'Cache-Digest' header in a HTTP/2 request (bsc#1175071).
- CVE-2020-11985: IP address spoofing when proxying using mod_remoteip and mod_rewrite (bsc#1175072).
- CVE-2020-11993: When trace/debug was enabled for the HTTP/2 module logging statements were made on the wrong connection (bsc#1175070).
ModerateSUSE bug 1175070SUSE bug 1175071SUSE bug 1175072CVE-2020-11985 at SUSECVE-2020-11985 at NVDCVE-2020-11993 at SUSECVE-2020-11993 at NVDCVE-2020-9490 at SUSECVE-2020-9490 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_8_0-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 6 Fix Pack 15 [bsc#1175259, bsc#1174157]
CVE-2020-14577 CVE-2020-14578 CVE-2020-14579 CVE-2020-14581
CVE-2020-14556 CVE-2020-14621 CVE-2020-14593 CVE-2020-14583
CVE-2019-17639
* Class Libraries:
- JAVA.UTIL.ZIP.DEFLATER OPERATIONS THROW JAVA.LANG.INTERNALERROR
- JAVA 8 DECODER OBJECTS CONSUME A LARGE AMOUNT OF JAVA HEAP
- TRANSLATION MESSAGES UPDATE FOR JCL
- UPDATE TIMEZONE INFORMATION TO TZDATA2020A
* Java Virtual Machine:
- IBM JAVA REGISTERS A HANDLER BY DEFAULT FOR SIGABRT
- LARGE MEMORY FOOTPRINT HELD BY TRACECONTEXT OBJECT
* JIT Compiler:
- CRASH IN THE INTERPRETER AFTER OSR FROM INLINED SYNCHRONIZED METHOD
IN DEBUGGING MODE
- INTERMITTENT ASSERTION FAILURE REPORTED
- CRASH IN RESOLVECLASSREF() DURING AOT LOAD
- JIT CRASH DURING CLASS UNLOADING IN J9METHOD_HT::ONCLASSUNLOADING()
- SEGMENTATION FAULT WHILE COMPILING A METHOD
- UNEXPECTED CLASSCASTEXCEPTION THROWN IN HIGH LEVEL PARALLEL
APPLICATION ON IBM Z PLATFORM
* Security:
- CERTIFICATEEXCEPTION OCCURS WHEN FILE.ENCODING PROPERTY SET TO
NON DEFAULT VALUE
- CHANGES TO IBMJCE AND IBMJCEPLUS PROVIDERS
- IBMJCEPLUS FAILS, WHEN THE SECURITY MANAGER IS ENABLED, WITH
DEFAULT PERMISSIONS, SPECIFIED IN JAVA.POLICY FILE
- IN CERTAIN INSTANCES, IBMJCEPLUS PROVIDER THROWS EXCEPTION FROM
KEYFACTORY CLASS
ModerateSUSE bug 1174157SUSE bug 1175259CVE-2019-17639 at SUSECVE-2019-17639 at NVDCVE-2020-14556 at SUSECVE-2020-14556 at NVDCVE-2020-14577 at SUSECVE-2020-14577 at NVDCVE-2020-14578 at SUSECVE-2020-14578 at NVDCVE-2020-14579 at SUSECVE-2020-14579 at NVDCVE-2020-14581 at SUSECVE-2020-14581 at NVDCVE-2020-14583 at SUSECVE-2020-14583 at NVDCVE-2020-14593 at SUSECVE-2020-14593 at NVDCVE-2020-14621 at SUSECVE-2020-14621 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for squid (Critical)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for squid fixes the following issues:
- CVE-2020-24606: Fix livelocking in peerDigestHandleReply (bsc#1175671).
- CVE-2020-15811: Improve Transfer-Encoding handling (bsc#1175665).
- CVE-2020-15810: Enforce token characters for field-name (bsc#1175664).
CriticalSUSE bug 1175664SUSE bug 1175665SUSE bug 1175671CVE-2020-15810 at SUSECVE-2020-15810 at NVDCVE-2020-15811 at SUSECVE-2020-15811 at NVDCVE-2020-24606 at SUSECVE-2020-24606 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libX11 (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libX11 fixes the following issues:
- CVE-2020-14363: Fix an integer overflow in init_om() (bsc#1175239).
ModerateSUSE bug 1175239CVE-2020-14363 at SUSECVE-2020-14363 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_7_1-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_7_1-ibm fixes the following issues:
- Update to Java 7.1 Service Refresh 4 Fix Pack 70 [bsc#1175259, bsc#1174157]
CVE-2020-14577 CVE-2020-14578 CVE-2020-14579 CVE-2020-14621
CVE-2020-14593 CVE-2020-14583 CVE-2019-17639
* Class Libraries:
- UPDATE TIMEZONE INFORMATION TO TZDATA2020A
* Security:
- CERTIFICATEEXCEPTION OCCURS WHEN FILE.ENCODING PROPERTY SET TO
NON DEFAULT VALUE
ModerateSUSE bug 1174157SUSE bug 1175259CVE-2019-17639 at SUSECVE-2019-17639 at NVDCVE-2020-14577 at SUSECVE-2020-14577 at NVDCVE-2020-14578 at SUSECVE-2020-14578 at NVDCVE-2020-14579 at SUSECVE-2020-14579 at NVDCVE-2020-14583 at SUSECVE-2020-14583 at NVDCVE-2020-14593 at SUSECVE-2020-14593 at NVDCVE-2020-14621 at SUSECVE-2020-14621 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 28 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_103 fixes several issues.
The following security issues were fixed:
- CVE-2020-14331: Fixed a buffer over-write in vgacon_scroll (bsc#1174247).
- CVE-2019-0155: Fixed a privilege escalation in the i915 graphics driver (bsc#1173663).
- CVE-2019-16746: Fixed a buffer overflow in net/wireless/nl80211.c (bsc#1173659).
- CVE-2019-9458: Fixed a use-after-free in media/v4l (bsc#1173963).
- CVE-2020-11668: Fixed a memory corruption issue in the Xirlink camera USB driver (bsc#1173942).
- CVE-2019-19447: Fixed a use-after-free in ext4_put_super (bsc#1173869).
- CVE-2019-18680: Fixed a NULL pointer dereference in rds_tcp_kill_sock() in net/rds/tcp.c (bsc#1173867).
- CVE-2019-14816: Fixed a heap-based buffer overflow in the Marvell WiFi driver (bsc#1173666).
- CVE-2019-14814: Fixed a heap-based buffer overflow in the Marvell WiFi driver (bsc#1173664).
- CVE-2019-14815: Fixed a heap-based buffer overflow in the Marvell WiFi driver (bsc#1173665).
- CVE-2019-14901: Fixed a heap overflow in the Marvell WiFi driver (bsc#1173661).
- CVE-2019-14895: Fixed a heap-based buffer overflow in the Marvell WiFi driver (bsc#1173100).
ImportantSUSE bug 1173100SUSE bug 1173659SUSE bug 1173661SUSE bug 1173663SUSE bug 1173664SUSE bug 1173665SUSE bug 1173666SUSE bug 1173867SUSE bug 1173869SUSE bug 1173942SUSE bug 1173963SUSE bug 1174247CVE-2019-0155 at SUSECVE-2019-0155 at NVDCVE-2019-14814 at SUSECVE-2019-14814 at NVDCVE-2019-14815 at SUSECVE-2019-14815 at NVDCVE-2019-14816 at SUSECVE-2019-14816 at NVDCVE-2019-14895 at SUSECVE-2019-14895 at NVDCVE-2019-14901 at SUSECVE-2019-14901 at NVDCVE-2019-16746 at SUSECVE-2019-16746 at NVDCVE-2019-18680 at SUSECVE-2019-18680 at NVDCVE-2019-19447 at SUSECVE-2019-19447 at NVDCVE-2019-9458 at SUSECVE-2019-9458 at NVDCVE-2020-11668 at SUSECVE-2020-11668 at NVDCVE-2020-14331 at SUSECVE-2020-14331 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_107 fixes several issues.
The following security issues were fixed:
- CVE-2020-14331: Fixed a buffer over-write in vgacon_scroll (bsc#1174247).
- CVE-2019-0155: Fixed a privilege escalation in the i915 graphics driver (bsc#1173663).
- CVE-2019-16746: Fixed a buffer overflow in net/wireless/nl80211.c (bsc#1173659).
- CVE-2019-9458: Fixed a use-after-free in media/v4l (bsc#1173963).
- CVE-2020-11668: Fixed a memory corruption issue in the Xirlink camera USB driver (bsc#1173942).
- CVE-2019-19447: Fixed a use-after-free in ext4_put_super (bsc#1173869).
- CVE-2019-18680: Fixed a NULL pointer dereference in rds_tcp_kill_sock() in net/rds/tcp.c (bsc#1173867).
- CVE-2019-14901: Fixed a heap overflow in the Marvell WiFi driver (bsc#1173661).
- CVE-2019-14895: Fixed a heap-based buffer overflow in the Marvell WiFi driver (bsc#1173100).
ImportantSUSE bug 1173100SUSE bug 1173659SUSE bug 1173661SUSE bug 1173663SUSE bug 1173867SUSE bug 1173869SUSE bug 1173942SUSE bug 1173963SUSE bug 1174247CVE-2019-0155 at SUSECVE-2019-0155 at NVDCVE-2019-14895 at SUSECVE-2019-14895 at NVDCVE-2019-14901 at SUSECVE-2019-14901 at NVDCVE-2019-16746 at SUSECVE-2019-16746 at NVDCVE-2019-18680 at SUSECVE-2019-18680 at NVDCVE-2019-19447 at SUSECVE-2019-19447 at NVDCVE-2019-9458 at SUSECVE-2019-9458 at NVDCVE-2020-11668 at SUSECVE-2020-11668 at NVDCVE-2020-14331 at SUSECVE-2020-14331 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_113 fixes several issues.
The following security issues were fixed:
- CVE-2020-14331: Fixed a buffer over-write in vgacon_scroll (bsc#1174247).
- CVE-2019-16746: Fixed a buffer overflow in net/wireless/nl80211.c (bsc#1173659).
- CVE-2019-9458: Fixed a use-after-free in media/v4l (bsc#1173963).
- CVE-2020-11668: Fixed a memory corruption issue in the Xirlink camera USB driver (bsc#1173942).
- CVE-2019-19447: Fixed a use-after-free in ext4_put_super (bsc#1173869).
- CVE-2019-14895: Fixed a heap-based buffer overflow in the Marvell WiFi driver (bsc#1173100).
ImportantSUSE bug 1173100SUSE bug 1173659SUSE bug 1173869SUSE bug 1173942SUSE bug 1173963SUSE bug 1174247CVE-2019-14895 at SUSECVE-2019-14895 at NVDCVE-2019-16746 at SUSECVE-2019-16746 at NVDCVE-2019-19447 at SUSECVE-2019-19447 at NVDCVE-2019-9458 at SUSECVE-2019-9458 at NVDCVE-2020-11668 at SUSECVE-2020-11668 at NVDCVE-2020-14331 at SUSECVE-2020-14331 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_116 fixes several issues.
The following security issues were fixed:
- CVE-2020-14331: Fixed a buffer over-write in vgacon_scroll (bsc#1174247).
- CVE-2019-16746: Fixed a buffer overflow in net/wireless/nl80211.c (bsc#1173659).
- CVE-2020-11668: Fixed a memory corruption issue in the Xirlink camera USB driver (bsc#1173942).
ImportantSUSE bug 1173659SUSE bug 1173942SUSE bug 1174247CVE-2019-16746 at SUSECVE-2019-16746 at NVDCVE-2020-11668 at SUSECVE-2020-11668 at NVDCVE-2020-14331 at SUSECVE-2020-14331 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_121 fixes several issues.
The following security issues were fixed:
- CVE-2020-14331: Fixed a buffer over-write in vgacon_scroll (bsc#1174247).
- CVE-2019-16746: Fixed a buffer overflow in net/wireless/nl80211.c (bsc#1173659).
- CVE-2020-11668: Fixed a memory corruption issue in the Xirlink camera USB driver (bsc#1173942).
- CVE-2020-1749: Fixed a flaw in IPsec where some IPv6 protocols were not encrypted (bsc#1165631).
ImportantSUSE bug 1165631SUSE bug 1173659SUSE bug 1173942SUSE bug 1174247CVE-2019-16746 at SUSECVE-2019-16746 at NVDCVE-2020-11668 at SUSECVE-2020-11668 at NVDCVE-2020-14331 at SUSECVE-2020-14331 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_124 fixes several issues.
The following security issues were fixed:
- CVE-2020-14331: Fixed a buffer over-write in vgacon_scroll (bsc#1174247).
- CVE-2019-16746: Fixed a buffer overflow in net/wireless/nl80211.c (bsc#1173659).
- CVE-2020-11668: Fixed a memory corruption issue in the Xirlink camera USB driver (bsc#1173942).
- CVE-2020-1749: Fixed a flaw in IPsec where some IPv6 protocols were not encrypted (bsc#1165631).
ImportantSUSE bug 1165631SUSE bug 1173659SUSE bug 1173942SUSE bug 1174247CVE-2019-16746 at SUSECVE-2019-16746 at NVDCVE-2020-11668 at SUSECVE-2020-11668 at NVDCVE-2020-14331 at SUSECVE-2020-14331 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_127 fixes several issues.
The following security issues were fixed:
- CVE-2020-14331: Fixed a buffer over-write in vgacon_scroll (bsc#1174247).
- CVE-2019-16746: Fixed a buffer overflow in net/wireless/nl80211.c (bsc#1173659).
- CVE-2020-11668: Fixed a memory corruption issue in the Xirlink camera USB driver (bsc#1173942).
- CVE-2020-1749: Fixed a flaw in IPsec where some IPv6 protocols were not encrypted (bsc#1165631).
ImportantSUSE bug 1165631SUSE bug 1173659SUSE bug 1173942SUSE bug 1174247CVE-2019-16746 at SUSECVE-2019-16746 at NVDCVE-2020-11668 at SUSECVE-2020-11668 at NVDCVE-2020-14331 at SUSECVE-2020-14331 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.2.0 ESR
* Fixed: Various stability, functionality, and security fixes
- Mozilla Firefox ESR 78.2
MFSA 2020-38 (bsc#1175686)
* CVE-2020-15663 (bmo#1643199)
Downgrade attack on the Mozilla Maintenance Service could
have resulted in escalation of privilege
* CVE-2020-15664 (bmo#1658214)
Attacker-induced prompt for extension installation
* CVE-2020-15670 (bmo#1651001, bmo#1651449, bmo#1653626,
bmo#1656957)
Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2
- Fixed Firefox tab crash in FIPS mode (bsc#1174284).
- Fix broken translation-loading. (bsc#1173991)
* allow addon sideloading
* mark signatures for langpacks non-mandatory
* do not autodisable user profile scopes
- Google API key is not usable for geolocation service any more
ModerateSUSE bug 1173991SUSE bug 1174284SUSE bug 1175686CVE-2020-15663 at SUSECVE-2020-15663 at NVDCVE-2020-15664 at SUSECVE-2020-15664 at NVDCVE-2020-15670 at SUSECVE-2020-15670 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-14314: Fixed a potential negative array index in do_split() (bsc#1173798).
- CVE-2020-14331: Fixed a missing check in vgacon scrollback handling (bsc#1174205).
- CVE-2020-16166: Fixed a potential issue which could have allowed remote attackers to make observations that help to obtain sensitive information about the internal state of the network RNG (bsc#1174757).
- CVE-2019-16746: Fixed an improper check of the length of variable elements in a beacon head, leading to a buffer overflow (bsc#1152107).
- CVE-2020-14386: Fixed a potential local privilege escalation via memory corruption (bsc#1176069).
The following non-security bugs were fixed:
- bonding: fix active-backup failover for current ARP slave (bsc#1174771).
- Drivers: hv: vmbus: Only notify Hyper-V for die events that are oops (bsc#1175127).
- ibmvnic: Fix IRQ mapping disposal in error path (bsc#1175112 ltc#187459).
- mm, vmstat: reduce zone->lock holding time by /proc/pagetypeinfo (bsc#1175691).
- ocfs2: add trimfs dlm lock resource (bsc#1175228).
- ocfs2: add trimfs lock to avoid duplicated trims in cluster (bsc#1175228).
- ocfs2: fix the application IO timeout when fstrim is running (bsc#1175228).
ImportantSUSE bug 1152107SUSE bug 1173798SUSE bug 1174205SUSE bug 1174757SUSE bug 1174771SUSE bug 1175112SUSE bug 1175127SUSE bug 1175228SUSE bug 1175691SUSE bug 1176069CVE-2019-16746 at SUSECVE-2019-16746 at NVDCVE-2020-14314 at SUSECVE-2020-14314 at NVDCVE-2020-14331 at SUSECVE-2020-14331 at NVDCVE-2020-14386 at SUSECVE-2020-14386 at NVDCVE-2020-16166 at SUSECVE-2020-16166 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_8_0-openjdk fixes the following issues:
Update java-1_8_0-openjdk to version jdk8u242 (icedtea 3.15.0) (January 2020 CPU, bsc#1160968):
- CVE-2020-2583: Unlink Set of LinkedHashSets
- CVE-2020-2590: Improve Kerberos interop capabilities
- CVE-2020-2593: Normalize normalization for all
- CVE-2020-2601: Better Ticket Granting Services
- CVE-2020-2604: Better serial filter handling
- CVE-2020-2659: Enhance datagram socket support
- CVE-2020-2654: Improve Object Identifier Processing
ImportantSUSE bug 1160968CVE-2020-2583 at SUSECVE-2020-2583 at NVDCVE-2020-2590 at SUSECVE-2020-2590 at NVDCVE-2020-2593 at SUSECVE-2020-2593 at NVDCVE-2020-2601 at SUSECVE-2020-2601 at NVDCVE-2020-2604 at SUSECVE-2020-2604 at NVDCVE-2020-2654 at SUSECVE-2020-2654 at NVDCVE-2020-2659 at SUSECVE-2020-2659 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for tomcat (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for tomcat fixes the following issues:
- CVE-2020-1935: Fixed an HTTP request smuggling vulnerability (bsc#1164860).
- CVE-2020-13935: Fixed a WebSocket DoS (bsc#1174117).
ModerateSUSE bug 1164860SUSE bug 1174117CVE-2020-13935 at SUSECVE-2020-13935 at NVDCVE-2020-1935 at SUSECVE-2020-1935 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for shim (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for shim fixes the following issues:
- Update to the unified shim binary from SUSE Linux Enterprise 15-SP1 (bsc#1168994)
This update addresses the 'BootHole' security issue (master CVE CVE-2020-10713), by
disallowing binaries signed by the previous SUSE UEFI signing key from booting.
This update should only be installed after updates of grub2, the Linux kernel and (if used)
Xen from July / August 2020 are applied.
Additional fixes:
+ shim-install: install MokManager to \EFI\boot to process the pending MOK request (bsc#1175626, bsc#1175656)
ModerateSUSE bug 1168994SUSE bug 1175626SUSE bug 1175656CVE-2020-10713 at SUSECVE-2020-10713 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libsolv (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libsolv fixes the following issues:
This is a reissue of an existing libsolv update that also included libsolv-devel for LTSS products.
libsolv was updated to version 0.6.36 fixes the following issues:
Security issues fixed:
- CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
- CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
- CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).
Non-security issues fixed:
- Made cleandeps jobs on patterns work (bsc#1137977).
- Fixed an issue multiversion packages that obsolete their own name (bsc#1127155).
- Keep consistent package name if there are multiple alternatives (bsc#1131823).
ModerateSUSE bug 1120629SUSE bug 1120630SUSE bug 1120631SUSE bug 1127155SUSE bug 1131823SUSE bug 1137977CVE-2018-20532 at SUSECVE-2018-20532 at NVDCVE-2018-20533 at SUSECVE-2018-20533 at NVDCVE-2018-20534 at SUSECVE-2018-20534 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for perl-DBI (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for perl-DBI fixes the following issues:
Security issues fixed:
- CVE-2020-14392: Memory corruption in XS functions when Perl stack is reallocated (bsc#1176412).
- CVE-2020-14393: Fixed a buffer overflow on an overlong DBD class name (bsc#1176409).
ImportantSUSE bug 1176409SUSE bug 1176412CVE-2020-14392 at SUSECVE-2020-14392 at NVDCVE-2020-14393 at SUSECVE-2020-14393 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for python3 fixes the following issues:
- CVE-2019-20907: Fixed denial of service by avoiding possible infinite loop in specifically crafted tarball (bsc#1174091).
- CVE-2020-14422: Fixed an improper computation of hash values in the IPv4Interface and IPv6Interface
could have led to denial of service (bsc#1173274).
- CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238).
- CVE-2019-9947: Fixed an issue in urllib2 which allowed CRLF injection if the attacker controls a url parameter (bsc#1130840).
- If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423).
ImportantSUSE bug 1088004SUSE bug 1088009SUSE bug 1130840SUSE bug 1141853SUSE bug 1149955SUSE bug 1153238SUSE bug 1162423SUSE bug 1173274SUSE bug 1174091SUSE bug 1174701CVE-2018-14647 at SUSECVE-2018-14647 at NVDCVE-2018-20852 at SUSECVE-2018-20852 at NVDCVE-2019-16056 at SUSECVE-2019-16056 at NVDCVE-2019-16935 at SUSECVE-2019-16935 at NVDCVE-2019-20907 at SUSECVE-2019-20907 at NVDCVE-2019-9947 at SUSECVE-2019-9947 at NVDCVE-2020-14422 at SUSECVE-2020-14422 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for samba (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for samba fixes the following issues:
- ZeroLogon: An elevation of privilege was possible with some configurations when an attacker established
a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC)
(CVE-2020-1472, bsc#1176579).
- Fixed an issue where multiple home folders were created(bsc#1174316, bso#13369).
- Fixed an issue where the net command was unable to negotiate SMB2 (bsc#1174120);
ImportantSUSE bug 1174120SUSE bug 1174316SUSE bug 1176579CVE-2020-1472 at SUSECVE-2020-1472 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libqt5-qtbase (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libqt5-qtbase fixes the following issues:
- CVE-2020-17507: Fixed a buffer overflow in XBM parser (bsc#1176315)
- Made handling of XDG_RUNTIME_DIR more secure (bsc#1172515)
ImportantSUSE bug 1172515SUSE bug 1176315CVE-2020-17507 at SUSECVE-2020-17507 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
-Firefox was updated to 78.3.0 ESR (bsc#1176756, MFSA 2020-43)
- CVE-2020-15677: Download origin spoofing via redirect
- CVE-2020-15676: Fixed an XSS when pasting attacker-controlled data into a
contenteditable element
- CVE-2020-15678: When recursing through layers while scrolling, an iterator
may have become invalid, resulting in a potential use-after-free scenario
- CVE-2020-15673: Fixed memory safety bugs
- Enhance fix for wayland-detection (bsc#1174420)
- Attempt to fix langpack-parallelization by introducing separate
obj-dirs for each lang (bsc#1173986, bsc#1167976)
ImportantSUSE bug 1167976SUSE bug 1173986SUSE bug 1174420SUSE bug 1176756CVE-2020-15673 at SUSECVE-2020-15673 at NVDCVE-2020-15676 at SUSECVE-2020-15676 at NVDCVE-2020-15677 at SUSECVE-2020-15677 at NVDCVE-2020-15678 at SUSECVE-2020-15678 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for xen fixes the following issues:
- CVE-2020-25604: Fixed a race condition when migrating timers between x86
HVM vCPU-s (bsc#1176343,XSA-336)
- CVE-2020-25595: Fixed an issue where PCI passthrough code was reading back hardware registers (bsc#1176344,XSA-337)
- CVE-2020-25597: Fixed an issue where a valid event channels may not turn invalid (bsc#1176346,XSA-338)
- CVE-2020-25596: Fixed a potential denial of service in x86 pv guest kernel via SYSENTER (bsc#1176345,XSA-339)
- CVE-2020-25603: Fixed an issue due to missing barriers when accessing/allocating an event channel (bsc#1176347,XSA-340)
- CVE-2020-25600: Fixed out of bounds event channels available to 32-bit x86 domains (bsc#1176348,XSA-342)
- CVE-2020-25599: Fixed race conditions with evtchn_reset() (bsc#1176349,XSA-343)
- CVE-2020-25601: Fixed an issue due to lack of preemption in evtchn_reset() / evtchn_destroy() (bsc#1176350,XSA-344)
- CVE-2020-14364: Fixed an out-of-bounds read/write access while processing usb packets (bsc#1175534).
- Various bug fixes (bsc#1027519)
ImportantSUSE bug 1175534SUSE bug 1176343SUSE bug 1176344SUSE bug 1176345SUSE bug 1176346SUSE bug 1176347SUSE bug 1176348SUSE bug 1176349SUSE bug 1176350CVE-2020-14364 at SUSECVE-2020-14364 at NVDCVE-2020-25595 at SUSECVE-2020-25595 at NVDCVE-2020-25596 at SUSECVE-2020-25596 at NVDCVE-2020-25597 at SUSECVE-2020-25597 at NVDCVE-2020-25599 at SUSECVE-2020-25599 at NVDCVE-2020-25600 at SUSECVE-2020-25600 at NVDCVE-2020-25601 at SUSECVE-2020-25601 at NVDCVE-2020-25603 at SUSECVE-2020-25603 at NVDCVE-2020-25604 at SUSECVE-2020-25604 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for perl-DBI (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for perl-DBI fixes the following issues:
- CVE-2019-20919: Fixed a NULL profile dereference in dbi_profile (bsc#1176764).
- CVE-2013-7490: Fixed memory corruption when using many arguments
to methods for CallbacksUsing (bsc#1176496).
ImportantSUSE bug 1176496SUSE bug 1176764CVE-2013-7490 at SUSECVE-2013-7490 at NVDCVE-2019-20919 at SUSECVE-2019-20919 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_7_0-openjdk fixes the following issues:
- java-1_7_0-openjdk was updated to 2.6.23 (July 2020 CPU, bsc#1174157)
- JDK-8028431, CVE-2020-14579: NullPointerException in
- DerValue.equals(DerValue)
- JDK-8028591, CVE-2020-14578: NegativeArraySizeException in
- sun.security.util.DerInputStream.getUnalignedBitString()
- JDK-8230613: Better ASCII conversions
- JDK-8231800: Better listing of arrays
- JDK-8232014: Expand DTD support
- JDK-8233255: Better Swing Buttons
- JDK-8234032: Improve basic calendar services
- JDK-8234042: Better factory production of certificates
- JDK-8234418: Better parsing with CertificateFactory
- JDK-8234836: Improve serialization handling
- JDK-8236191: Enhance OID processing
- JDK-8237592, CVE-2020-14577: Enhance certificate verification
- JDK-8238002, CVE-2020-14581: Better matrix operations
- JDK-8238804: Enhance key handling process
- JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable
- JDK-8238843: Enhanced font handing
- JDK-8238920, CVE-2020-14583: Better Buffer support
- JDK-8238925: Enhance WAV file playback
- JDK-8240119, CVE-2020-14593: Less Affine Transformations
- JDK-8240482: Improved WAV file playback
- JDK-8241379: Update JCEKS support
- JDK-8241522: Manifest improved jar headers redux
- JDK-8242136, CVE-2020-14621: Better XML namespace handling
- JDK-8040113: File not initialized in src/share/native/sun/awt/giflib/dgif_lib.c
- JDK-8054446: Repeated offer and remove on ConcurrentLinkedQueue lead to an OutOfMemoryError
- JDK-8077982: GIFLIB upgrade
- JDK-8081315: 8077982 giflib upgrade breaks system giflib builds with earlier versions
- JDK-8147087: Race when reusing PerRegionTable bitmaps may result in dropped remembered set entries
- JDK-8151582: (ch) test java/nio/channels/AsyncCloseAndInterrupt.java failing due to 'Connection succeeded'
- JDK-8155691: Update GIFlib library to the latest up-to-date
- JDK-8181841: A TSA server returns timestamp with precision higher than milliseconds
- JDK-8203190: SessionId.hashCode generates too many collisions
- JDK-8217676: Upgrade libpng to 1.6.37
- JDK-8220495: Update GIFlib library to the 5.1.8
- JDK-8226892: ActionListeners on JRadioButtons don't get notified when selection is changed with arrow keys
- JDK-8229899: Make java.io.File.isInvalid() less racy
- JDK-8230597: Update GIFlib library to the 5.2.1
- JDK-8230769: BufImg_SetupICM add ReleasePrimitiveArrayCritical call in early return
- JDK-8243541: (tz) Upgrade time-zone data to tzdata2020a
- JDK-8244548: JDK 8u: sun.misc.Version.jdkUpdateVersion() returns wrong result
ImportantSUSE bug 1174157CVE-2020-14577 at SUSECVE-2020-14577 at NVDCVE-2020-14578 at SUSECVE-2020-14578 at NVDCVE-2020-14579 at SUSECVE-2020-14579 at NVDCVE-2020-14581 at SUSECVE-2020-14581 at NVDCVE-2020-14583 at SUSECVE-2020-14583 at NVDCVE-2020-14593 at SUSECVE-2020-14593 at NVDCVE-2020-14621 at SUSECVE-2020-14621 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for tigervnc (Critical)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for tigervnc fixes the following issues:
- CVE-2020-26117: Server certificates were stored as certiticate
authorities, allowing malicious owners of these certificates
to impersonate any server after a client had added an exception
(bsc#1176733).
CriticalSUSE bug 1176733CVE-2020-26117 at SUSECVE-2020-26117 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libproxy (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libproxy fixes the following issues:
- CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
- CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).
ImportantSUSE bug 1176410SUSE bug 1177143CVE-2020-25219 at SUSECVE-2020-25219 at NVDCVE-2020-26154 at SUSECVE-2020-26154 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for freetype2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for freetype2 fixes the following issues:
- CVE-2020-15999: fixed a heap buffer overflow found in the handling of embedded PNG bitmaps (bsc#1177914).
ImportantSUSE bug 1177914CVE-2020-15999 at SUSECVE-2020-15999 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for glibc (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for glibc fixes the following issues:
- CVE-2020-10029: Fixed a stack corruption from range reduction of pseudo-zero (bsc#1165784)
- Use posix_spawn on popen (bsc#1149332, bsc#1176013)
- Correct locking and cancellation cleanup in syslog functions (bsc#1172085)
- Fixed concurrent changes on nscd aware files (bsc#1171878)
ModerateSUSE bug 1149332SUSE bug 1165784SUSE bug 1171878SUSE bug 1172085SUSE bug 1176013CVE-2020-10029 at SUSECVE-2020-10029 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.4.0 ESR
* Fixed: Various stability, functionality, and security fixes MFSA 2020-46 (bsc#1177872, bsc#1176756)
* CVE-2020-15969 Use-after-free in usersctp
* CVE-2020-15683 Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4
* Fixed: Fixed legacy preferences not being properly applied when set via GPO
ImportantSUSE bug 1176756SUSE bug 1177872CVE-2020-15683 at SUSECVE-2020-15683 at NVDCVE-2020-15969 at SUSECVE-2020-15969 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for spice (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for spice fixes the following issues:
- CVE-2020-14355: Fixed multiple buffer overflow vulnerabilities in QUIC image decoding (bsc#1177158).
ModerateSUSE bug 1177158CVE-2020-14355 at SUSECVE-2020-14355 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for spice-gtk (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for spice-gtk fixes the following issues:
- CVE-2020-14355: Fixed multiple buffer overflow vulnerabilities in QUIC image decoding (bsc#1177158).
ModerateSUSE bug 1177158CVE-2020-14355 at SUSECVE-2020-14355 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for samba (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for samba fixes the following issues:
- CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records (bsc#1177613).
- CVE-2020-14323: Unprivileged user can crash winbind (bsc#1173994).
- CVE-2020-14318: Missing permissions check in SMB1/2/3 ChangeNotify (bsc#1173902).
ImportantSUSE bug 1173902SUSE bug 1173994SUSE bug 1177613CVE-2020-14318 at SUSECVE-2020-14318 at NVDCVE-2020-14323 at SUSECVE-2020-14323 at NVDCVE-2020-14383 at SUSECVE-2020-14383 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libvirt (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libvirt fixes the following issues:
CVE-2020-15708: Added a note to libvirtd.conf about polkit auth in SUSE distros (bsc#1174955).
CVE-2020-25637: Fixed a double free in qemuAgentGetInterfaces() (bsc#1177155).
ImportantSUSE bug 1174955SUSE bug 1177155CVE-2020-15708 at SUSECVE-2020-15708 at NVDCVE-2020-25637 at SUSECVE-2020-25637 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for sane-backends (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for sane-backends fixes the following issues:
- sane-backends version upgrade to 1.0.31:
* sane-backends version upgrade to 1.0.30
fixes memory corruption bugs CVE-2020-12861, CVE-2020-12862,
CVE-2020-12863, CVE-2020-12864, CVE-2020-12865,
CVE-2020-12866, CVE-2020-12867 (bsc#1172524)
* sane-backends version upgrade to 1.0.31
to further improve hardware enablement for scanner devices
(jsc#SLE-15561 and jsc#SLE-15560 with jsc#ECO-2418)
* The new escl backend cannot be provided for SLE12 because
it requires more additional software (avahi-client, libcurl,
and libpoppler-glib-devel) where in particular for libcurl
the one that is in SLE12 (via libcurl-devel-7.37.0) is likely
too old because with that building the escl backend fails with
'escl/escl.c:1267:34: error: 'CURLOPT_UNIX_SOCKET_PATH'
undeclared curl_easy_setopt(handle, CURLOPT_UNIX_SOCKET_PATH'
ImportantSUSE bug 1172524CVE-2017-6318 at SUSECVE-2017-6318 at NVDCVE-2020-12861 at SUSECVE-2020-12861 at NVDCVE-2020-12862 at SUSECVE-2020-12862 at NVDCVE-2020-12863 at SUSECVE-2020-12863 at NVDCVE-2020-12864 at SUSECVE-2020-12864 at NVDCVE-2020-12865 at SUSECVE-2020-12865 at NVDCVE-2020-12866 at SUSECVE-2020-12866 at NVDCVE-2020-12867 at SUSECVE-2020-12867 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for apache-commons-httpclient (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for apache-commons-httpclient fixes the following issues:
- http/conn/ssl/SSLConnectionSocketFactory.java ignores the
http.socket.timeout configuration setting during an SSL handshake,
which allows remote attackers to cause a denial of service (HTTPS
call hang) via unspecified vectors. [bsc#945190, CVE-2015-5262]
- org.apache.http.conn.ssl.AbstractVerifier does not properly
verify that the server hostname matches a domain name in the
subject's Common Name (CN) or subjectAltName field of the X.509
certificate, which allows MITM attackers to spoof SSL servers
via a 'CN=' string in a field in the distinguished name (DN)
of a certificate. [bsc#1178171, CVE-2014-3577]
ImportantSUSE bug 1178171SUSE bug 945190CVE-2014-3577 at SUSECVE-2014-3577 at NVDCVE-2015-5262 at SUSECVE-2015-5262 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libqt5-qtbase (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libqt5-qtbase fixes the following issues:
Security issues fixed:
- CVE-2020-0569: Fixed a potential local code execution by loading plugins from CWD (bsc#1161167).
- CVE-2018-19870: Fixed an improper check in QImage allocation which could allow Denial of Service
when opening crafted gif files (bsc#1118597).
- CVE-2018-19872: Fixed an issue which could allow a division by zero leading to crash (bsc#1130246).
ImportantSUSE bug 1118597SUSE bug 1130246SUSE bug 1161167CVE-2018-19870 at SUSECVE-2018-19870 at NVDCVE-2018-19872 at SUSECVE-2018-19872 at NVDCVE-2020-0569 at SUSECVE-2020-0569 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_8_0-openjdk fixes the following issues:
- Fix regression '8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)',
introduced in October 2020 CPU.
- Update to version jdk8u272 (icedtea 3.17.0) (July 2020 CPU,
bsc#1174157, and October 2020 CPU, bsc#1177943)
* New features
+ JDK-8245468: Add TLSv1.3 implementation classes from 11.0.7
+ PR3796: Allow the number of curves supported to be specified
* Security fixes
+ JDK-8028431, CVE-2020-14579: NullPointerException in
DerValue.equals(DerValue)
+ JDK-8028591, CVE-2020-14578: NegativeArraySizeException in
sun.security.util.DerInputStream.getUnalignedBitString()
+ JDK-8230613: Better ASCII conversions
+ JDK-8231800: Better listing of arrays
+ JDK-8232014: Expand DTD support
+ JDK-8233255: Better Swing Buttons
+ JDK-8233624: Enhance JNI linkage
+ JDK-8234032: Improve basic calendar services
+ JDK-8234042: Better factory production of certificates
+ JDK-8234418: Better parsing with CertificateFactory
+ JDK-8234836: Improve serialization handling
+ JDK-8236191: Enhance OID processing
+ JDK-8236196: Improve string pooling
+ JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
+ JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior
+ JDK-8237592, CVE-2020-14577: Enhance certificate verification
+ JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
+ JDK-8237995, CVE-2020-14782: Enhance certificate processing
+ JDK-8238002, CVE-2020-14581: Better matrix operations
+ JDK-8238804: Enhance key handling process
+ JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable
+ JDK-8238843: Enhanced font handing
+ JDK-8238920, CVE-2020-14583: Better Buffer support
+ JDK-8238925: Enhance WAV file playback
+ JDK-8240119, CVE-2020-14593: Less Affine Transformations
+ JDK-8240124: Better VM Interning
+ JDK-8240482: Improved WAV file playback
+ JDK-8241114, CVE-2020-14792: Better range handling
+ JDK-8241379: Update JCEKS support
+ JDK-8241522: Manifest improved jar headers redux
+ JDK-8242136, CVE-2020-14621: Better XML namespace handling
+ JDK-8242680, CVE-2020-14796: Improved URI Support
+ JDK-8242685, CVE-2020-14797: Better Path Validation
+ JDK-8242695, CVE-2020-14798: Enhanced buffer support
+ JDK-8243302: Advanced class supports
+ JDK-8244136, CVE-2020-14803: Improved Buffer supports
+ JDK-8244479: Further constrain certificates
+ JDK-8244955: Additional Fix for JDK-8240124
+ JDK-8245407: Enhance zoning of times
+ JDK-8245412: Better class definitions
+ JDK-8245417: Improve certificate chain handling
+ JDK-8248574: Improve jpeg processing
+ JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
+ JDK-8253019: Enhanced JPEG decoding
* Import of OpenJDK 8 u262 build 01
+ JDK-4949105: Access Bridge lacks html tags parsing
+ JDK-8003209: JFR events for network utilization
+ JDK-8030680: 292 cleanup from default method code assessment
+ JDK-8035633: TEST_BUG: java/net/NetworkInterface/Equals.java
and some tests failed on windows intermittently
+ JDK-8041626: Shutdown tracing event
+ JDK-8141056: Erroneous assignment in HeapRegionSet.cpp
+ JDK-8149338: JVM Crash caused by Marlin renderer not handling
NaN coordinates
+ JDK-8151582: (ch) test java/nio/channels/
/AsyncCloseAndInterrupt.java failing due to 'Connection
succeeded'
+ JDK-8165675: Trace event for thread park has incorrect unit
for timeout
+ JDK-8176182: 4 security tests are not run
+ JDK-8178910: Problemlist sample tests
+ JDK-8183925: Decouple crash protection from watcher thread
+ JDK-8191393: Random crashes during cfree+0x1c
+ JDK-8195817: JFR.stop should require name of recording
+ JDK-8195818: JFR.start should increase autogenerated name by
one
+ JDK-8195819: Remove recording=x from jcmd JFR.check output
+ JDK-8199712: Flight Recorder
+ JDK-8202578: Revisit location for class unload events
+ JDK-8202835: jfr/event/os/TestSystemProcess.java fails on
missing events
+ JDK-8203287: Zero fails to build after JDK-8199712 (Flight
Recorder)
+ JDK-8203346: JFR: Inconsistent signature of
jfr_add_string_constant
+ JDK-8203664: JFR start failure after AppCDS archive created
with JFR StartFlightRecording
+ JDK-8203921: JFR thread sampling is missing fixes from
JDK-8194552
+ JDK-8203929: Limit amount of data for JFR.dump
+ JDK-8205516: JFR tool
+ JDK-8207392: [PPC64] Implement JFR profiling
+ JDK-8207829: FlightRecorderMXBeanImpl is leaking the first
classloader which calls it
+ JDK-8209960: -Xlog:jfr* doesn't work with the JFR
+ JDK-8210024: JFR calls virtual is_Java_thread from ~Thread()
+ JDK-8210776: Upgrade X Window System 6.8.2 to the latest XWD
1.0.7
+ JDK-8211239: Build fails without JFR: empty JFR events
signatures mismatch
+ JDK-8212232: Wrong metadata for the configuration of the
cutoff for old object sample events
+ JDK-8213015: Inconsistent settings between JFR.configure and
-XX:FlightRecorderOptions
+ JDK-8213421: Line number information for execution samples
always 0
+ JDK-8213617: JFR should record the PID of the recorded process
+ JDK-8213734: SAXParser.parse(File, ..) does not close
resources when Exception occurs.
+ JDK-8213914: [TESTBUG] Several JFR VM events are not covered
by tests
+ JDK-8213917: [TESTBUG] Shutdown JFR event is not covered by
test
+ JDK-8213966: The ZGC JFR events should be marked as
experimental
+ JDK-8214542: JFR: Old Object Sample event slow on a deep heap
in debug builds
+ JDK-8214750: Unnecessary <p> tags in jfr classes
+ JDK-8214896: JFR Tool left files behind
+ JDK-8214906: [TESTBUG] jfr/event/sampling/TestNative.java
fails with UnsatisfiedLinkError
+ JDK-8214925: JFR tool fails to execute
+ JDK-8215175: Inconsistencies in JFR event metadata
+ JDK-8215237: jdk.jfr.Recording javadoc does not compile
+ JDK-8215284: Reduce noise induced by periodic task
getFileSize()
+ JDK-8215355: Object monitor deadlock with no threads holding
the monitor (using jemalloc 5.1)
+ JDK-8215362: JFR GTest JfrTestNetworkUtilization fails
+ JDK-8215771: The jfr tool should pretty print reference chains
+ JDK-8216064: -XX:StartFlightRecording:settings= doesn't work
properly
+ JDK-8216486: Possibility of integer overflow in
JfrThreadSampler::run()
+ JDK-8216528: test/jdk/java/rmi/transport/
/runtimeThreadInheritanceLeak/
/RuntimeThreadInheritanceLeak.java failing with Xcomp
+ JDK-8216559: [JFR] Native libraries not correctly parsed from
/proc/self/maps
+ JDK-8216578: Remove unused/obsolete method in JFR code
+ JDK-8216995: Clean up JFR command line processing
+ JDK-8217744: [TESTBUG] JFR TestShutdownEvent fails on some
systems due to process surviving SIGINT
+ JDK-8217748: [TESTBUG] Exclude TestSig test case from JFR
TestShutdownEvent
+ JDK-8218935: Make jfr strncpy uses GCC 8.x friendly
+ JDK-8223147: JFR Backport
+ JDK-8223689: Add JFR Thread Sampling Support
+ JDK-8223690: Add JFR BiasedLock Event Support
+ JDK-8223691: Add JFR G1 Region Type Change Event Support
+ JDK-8223692: Add JFR G1 Heap Summary Event Support
+ JDK-8224172: assert(jfr_is_event_enabled(id)) failed:
invariant
+ JDK-8224475: JTextPane does not show images in HTML rendering
+ JDK-8226253: JAWS reports wrong number of radio buttons when
buttons are hidden.
+ JDK-8226779: [TESTBUG] Test JFR API from Java agent
+ JDK-8226892: ActionListeners on JRadioButtons don't get
notified when selection is changed with arrow keys
+ JDK-8227011: Starting a JFR recording in response to JVMTI
VMInit and / or Java agent premain corrupts memory
+ JDK-8227605: Kitchensink fails 'assert((((klass)->trace_id()
& (JfrTraceIdEpoch::leakp_in_use_this_epoch_bit())) != 0))
failed: invariant'
+ JDK-8229366: JFR backport allows unchecked writing to memory
+ JDK-8229401: Fix JFR code cache test failures
+ JDK-8229708: JFR backport code does not initialize
+ JDK-8229873: 8229401 broke jdk8u-jfr-incubator
+ JDK-8230448: [test] JFRSecurityTestSuite.java is failing on
Windows
+ JDK-8230707: JFR related tests are failing
+ JDK-8230782: Robot.createScreenCapture() fails if
'awt.robot.gtk' is set to false
+ JDK-8230856: Java_java_net_NetworkInterface_getByName0 on
unix misses ReleaseStringUTFChars in early return
+ JDK-8230947: TestLookForUntestedEvents.java is failing after
JDK-8230707
+ JDK-8231995: two jtreg tests failed after 8229366 is fixed
+ JDK-8233623: Add classpath exception to copyright in
EventHandlerProxyCreator.java file
+ JDK-8236002: CSR for JFR backport suggests not leaving out
the package-info
+ JDK-8236008: Some backup files were accidentally left in the
hotspot tree
+ JDK-8236074: Missed package-info
+ JDK-8236174: Should update javadoc since tags
+ JDK-8238076: Fix OpenJDK 7 Bootstrap Broken by JFR Backport
+ JDK-8238452: Keytool generates wrong expiration date if
validity is set to 2050/01/01
+ JDK-8238555: Allow Initialization of SunPKCS11 with NSS when
there are external FIPS modules in the NSSDB
+ JDK-8238589: Necessary code cleanup in JFR for JDK8u
+ JDK-8238590: Enable JFR by default during compilation in 8u
+ JDK-8239055: Wrong implementation of VMState.hasListener
+ JDK-8239476: JDK-8238589 broke windows build by moving
OrderedPair
+ JDK-8239479: minimal1 and zero builds are failing
+ JDK-8239867: correct over use of INCLUDE_JFR macro
+ JDK-8240375: Disable JFR by default for July 2020 release
+ JDK-8241444: Metaspace::_class_vsm not initialized if
compressed class pointers are disabled
+ JDK-8241902: AIX Build broken after integration of
JDK-8223147 (JFR Backport)
+ JDK-8242788: Non-PCH build is broken after JDK-8191393
* Import of OpenJDK 8 u262 build 02
+ JDK-8130737: AffineTransformOp can't handle child raster with
non-zero x-offset
+ JDK-8172559: [PIT][TEST_BUG] Move @test to be 1st annotation
in java/awt/image/Raster/TestChildRasterOp.java
+ JDK-8230926: [macosx] Two apostrophes are entered instead of
one with 'U.S. International - PC' layout
+ JDK-8240576: JVM crashes after transformation in C2
IdealLoopTree::merge_many_backedges
+ JDK-8242883: Incomplete backport of JDK-8078268: backport
test part
* Import of OpenJDK 8 u262 build 03
+ JDK-8037866: Replace the Fun class in tests with lambdas
+ JDK-8146612: C2: Precedence edges specification violated
+ JDK-8150986: serviceability/sa/jmap-hprof/
/JMapHProfLargeHeapTest.java failing because expects HPROF
JAVA PROFILE 1.0.1 file format
+ JDK-8229888: (zipfs) Updating an existing zip file does not
preserve original permissions
+ JDK-8230597: Update GIFlib library to the 5.2.1
+ JDK-8230769: BufImg_SetupICM add
ReleasePrimitiveArrayCritical call in early return
+ JDK-8233880, PR3798: Support compilers with multi-digit major
version numbers
+ JDK-8239852: java/util/concurrent tests fail with
-XX:+VerifyGraphEdges: assert(!VerifyGraphEdges) failed:
verification should have failed
+ JDK-8241638: launcher time metrics always report 1 on Linux
when _JAVA_LAUNCHER_DEBUG set
+ JDK-8243059: Build fails when --with-vendor-name contains a
comma
+ JDK-8243474: [TESTBUG] removed three tests of 0 bytes
+ JDK-8244461: [JDK 8u] Build fails with glibc 2.32
+ JDK-8244548: JDK 8u: sun.misc.Version.jdkUpdateVersion()
returns wrong result
* Import of OpenJDK 8 u262 build 04
+ JDK-8067796: (process) Process.waitFor(timeout, unit) doesn't
throw NPE if timeout is less than, or equal to zero when unit
== null
+ JDK-8148886: SEGV in sun.java2d.marlin.Renderer._endRendering
+ JDK-8171934:
ObjectSizeCalculator.getEffectiveMemoryLayoutSpecification()
does not recognize OpenJDK's HotSpot VM
+ JDK-8196969: JTreg Failure:
serviceability/sa/ClhsdbJstack.java causes NPE
+ JDK-8243539: Copyright info (Year) should be updated for fix
of 8241638
+ JDK-8244777: ClassLoaderStats VM Op uses constant hash value
* Import of OpenJDK 8 u262 build 05
+ JDK-7147060: com/sun/org/apache/xml/internal/security/
/transforms/ClassLoaderTest.java doesn't run in agentvm mode
+ JDK-8178374: Problematic ByteBuffer handling in
CipherSpi.bufferCrypt method
+ JDK-8181841: A TSA server returns timestamp with precision
higher than milliseconds
+ JDK-8227269: Slow class loading when running with JDWP
+ JDK-8229899: Make java.io.File.isInvalid() less racy
+ JDK-8236996: Incorrect Roboto font rendering on Windows with
subpixel antialiasing
+ JDK-8241750: x86_32 build failure after JDK-8227269
+ JDK-8244407: JVM crashes after transformation in C2
IdealLoopTree::split_fall_in
+ JDK-8244843: JapanEraNameCompatTest fails
* Import of OpenJDK 8 u262 build 06
+ JDK-8246223: Windows build fails after JDK-8227269
* Import of OpenJDK 8 u262 build 07
+ JDK-8233197: Invert JvmtiExport::post_vm_initialized() and
Jfr:on_vm_start() start-up order for correct option parsing
+ JDK-8243541: (tz) Upgrade time-zone data to tzdata2020a
+ JDK-8245167: Top package in method profiling shows null in JMC
+ JDK-8246703: [TESTBUG] Add test for JDK-8233197
* Import of OpenJDK 8 u262 build 08
+ JDK-8220293: Deadlock in JFR string pool
+ JDK-8225068: Remove DocuSign root certificate that is
expiring in May 2020
+ JDK-8225069: Remove Comodo root certificate that is expiring
in May 2020
* Import of OpenJDK 8 u262 build 09
+ JDK-8248399: Build installs jfr binary when JFR is disabled
* Import of OpenJDK 8 u262 build 10
+ JDK-8248715: New JavaTimeSupplementary localisation for 'in'
installed in wrong package
* Import of OpenJDK 8 u265 build 01
+ JDK-8249677: Regression in 8u after JDK-8237117: Better
ForkJoinPool behavior
+ JDK-8250546: Expect changed behaviour reported in JDK-8249846
* Import of OpenJDK 8 u272 build 01
+ JDK-8006205: [TESTBUG] NEED_TEST: please JTREGIFY
test/compiler/7177917/Test7177917.java
+ JDK-8035493: JVMTI PopFrame capability must instruct
compilers not to prune locals
+ JDK-8036088: Replace strtok() with its safe equivalent
strtok_s() in DefaultProxySelector.c
+ JDK-8039082: [TEST_BUG] Test java/awt/dnd/
/BadSerializationTest/BadSerializationTest.java fails
+ JDK-8075774: Small readability and performance improvements
for zipfs
+ JDK-8132206: move ScanTest.java into OpenJDK
+ JDK-8132376: Add @requires os.family to the client tests with
access to internal OS-specific API
+ JDK-8132745: minor cleanup of java/util/Scanner/ScanTest.java
+ JDK-8137087: [TEST_BUG] Cygwin failure of java/awt/
/appletviewer/IOExceptionIfEncodedURLTest/
/IOExceptionIfEncodedURLTest.sh
+ JDK-8145808: java/awt/Graphics2D/MTGraphicsAccessTest/
/MTGraphicsAccessTest.java hangs on Win. 8
+ JDK-8151788: NullPointerException from ntlm.Client.type3
+ JDK-8151834: Test SmallPrimeExponentP.java times out
intermittently
+ JDK-8153430: jdk regression test MletParserLocaleTest,
ParserInfiniteLoopTest reduce default timeout
+ JDK-8153583: Make OutputAnalyzer.reportDiagnosticSummary
public
+ JDK-8156169: Some sound tests rarely hangs because of
incorrect synchronization
+ JDK-8165936: Potential Heap buffer overflow when seaching
timezone info files
+ JDK-8166148: Fix for JDK-8165936 broke solaris builds
+ JDK-8167300: Scheduling failures during gcm should be fatal
+ JDK-8167615: Opensource unit/regression tests for JavaSound
+ JDK-8172012: [TEST_BUG] delays needed in
javax/swing/JTree/4633594/bug4633594.java
+ JDK-8177628: Opensource unit/regression tests for ImageIO
+ JDK-8183341: Better cleanup for javax/imageio/AllowSearch.java
+ JDK-8183351: Better cleanup for jdk/test/javax/imageio/spi/
/AppletContextTest/BadPluginConfigurationTest.sh
+ JDK-8193137: Nashorn crashes when given an empty script file
+ JDK-8194298: Add support for per Socket configuration of TCP
keepalive
+ JDK-8198004: javax/swing/JFileChooser/6868611/bug6868611.java
throws error
+ JDK-8200313: java/awt/Gtk/GtkVersionTest/GtkVersionTest.java
fails
+ JDK-8210147: adjust some WSAGetLastError usages in windows
network coding
+ JDK-8211714: Need to update vm_version.cpp to recognise
VS2017 minor versions
+ JDK-8214862: assert(proj != __null) at compile.cpp:3251
+ JDK-8217606: LdapContext#reconnect always opens a new
connection
+ JDK-8217647: JFR: recordings on 32-bit systems unreadable
+ JDK-8226697: Several tests which need the @key headful
keyword are missing it.
+ JDK-8229378: jdwp library loader in linker_md.c quietly
truncates on buffer overflow
+ JDK-8230303: JDB hangs when running monitor command
+ JDK-8230711: ConnectionGraph::unique_java_object(Node* N)
return NULL if n is not in the CG
+ JDK-8234617: C1: Incorrect result of field load due to
missing narrowing conversion
+ JDK-8235243: handle VS2017 15.9 and VS2019 in
abstract_vm_version
+ JDK-8235325: build failure on Linux after 8235243
+ JDK-8235687: Contents/MacOS/libjli.dylib cannot be a symlink
+ JDK-8237951: CTW: C2 compilation fails with 'malformed
control flow'
+ JDK-8238225: Issues reported after replacing symlink at
Contents/MacOS/libjli.dylib with binary
+ JDK-8239385: KerberosTicket client name refers wrongly to
sAMAccountName in AD
+ JDK-8239819: XToolkit: Misread of screen information memory
+ JDK-8240295: hs_err elapsed time in seconds is not accurate
enough
+ JDK-8241888: Mirror jdk.security.allowNonCaAnchor system
property with a security one
+ JDK-8242498: Invalid 'sun.awt.TimedWindowEvent' object leads
to JVM crash
+ JDK-8243489: Thread CPU Load event may contain wrong data for
CPU time under certain conditions
+ JDK-8244818: Java2D Queue Flusher crash while moving
application window to external monitor
+ JDK-8246310: Clean commented-out code about ModuleEntry
and PackageEntry in JFR
+ JDK-8246384: Enable JFR by default on supported architectures
for October 2020 release
+ JDK-8248643: Remove extra leading space in JDK-8240295 8u
backport
+ JDK-8249610: Make
sun.security.krb5.Config.getBooleanObject(String... keys)
method public
* Import of OpenJDK 8 u272 build 02
+ JDK-8023697: failed class resolution reports different class
name in detail message for the first and subsequent times
+ JDK-8025886: replace [[ and == bash extensions in regtest
+ JDK-8046274: Removing dependency on jakarta-regexp
+ JDK-8048933: -XX:+TraceExceptions output should include the
message
+ JDK-8076151: [TESTBUG] Test java/awt/FontClass/CreateFont/
/fileaccess/FontFile.java fails
+ JDK-8148854: Class names 'SomeClass' and 'LSomeClass;'
treated by JVM as an equivalent
+ JDK-8154313: Generated javadoc scattered all over the place
+ JDK-8163251: Hard coded loop limit prevents reading of smart
card data greater than 8k
+ JDK-8173300: [TESTBUG]compiler/tiered/NonTieredLevelsTest.java
fails with compiler.whitebox.SimpleTestCaseHelper(int) must be
compiled
+ JDK-8183349: Better cleanup for jdk/test/javax/imageio/
/plugins/shared/CanWriteSequence.java and WriteAfterAbort.java
+ JDK-8191678: [TESTBUG] Add keyword headful in java/awt
FocusTransitionTest test.
+ JDK-8201633: Problems with AES-GCM native acceleration
+ JDK-8211049: Second parameter of 'initialize' method is not
used
+ JDK-8219566: JFR did not collect call stacks when
MaxJavaStackTraceDepth is set to zero
+ JDK-8220165: Encryption using GCM results in
RuntimeException- input length out of bound
+ JDK-8220555: JFR tool shows potentially misleading message
when it cannot access a file
+ JDK-8224217: RecordingInfo should use textual representation
of path
+ JDK-8231779: crash
HeapWord*ParallelScavengeHeap::failed_mem_allocate
+ JDK-8238380, PR3798: java.base/unix/native/libjava/childproc.c
'multiple definition' link errors with GCC10
+ JDK-8238386, PR3798: (sctp) jdk.sctp/unix/native/libsctp/
/SctpNet.c 'multiple definition' link errors with GCC10
+ JDK-8238388, PR3798: libj2gss/NativeFunc.o 'multiple
definition' link errors with GCC10
+ JDK-8242556: Cannot load RSASSA-PSS public key with non-null
params from byte array
+ JDK-8250755: Better cleanup for jdk/test/javax/imageio/
/plugins/shared/CanWriteSequence.java
* Import of OpenJDK 8 u272 build 03
+ JDK-6574989: TEST_BUG:
javax/sound/sampled/Clip/bug5070081.java fails sometimes
+ JDK-8148754: C2 loop unrolling fails due to unexpected graph
shape
+ JDK-8192953: sun/management/jmxremote/bootstrap/*.sh tests
fail with error : revokeall.exe: Permission denied
+ JDK-8203357: Container Metrics
+ JDK-8209113: Use WeakReference for lastFontStrike for created
Fonts
+ JDK-8216283: Allow shorter method sampling interval than 10 ms
+ JDK-8221569: JFR tool produces incorrect output when both
--categories and --events are specified
+ JDK-8233097: Fontmetrics for large Fonts has zero width
+ JDK-8248851: CMS: Missing memory fences between free chunk
check and klass read
+ JDK-8250875: Incorrect parameter type for update_number in
JDK_Version::jdk_update
* Import of OpenJDK 8 u272 build 04
+ JDK-8061616: HotspotDiagnosticMXBean.getVMOption() throws
IllegalArgumentException for flags of type double
+ JDK-8177334: Update xmldsig implementation to Apache
Santuario 2.1.1
+ JDK-8217878: ENVELOPING XML signature no longer works in JDK
11
+ JDK-8218629: XML Digital Signature throws NAMESPACE_ERR
exception on OpenJDK 11, works 8/9/10
+ JDK-8243138: Enhance BaseLdapServer to support starttls
extended request
* Import of OpenJDK 8 u272 build 05
+ JDK-8026236: Add PrimeTest for BigInteger
+ JDK-8057003: Large reference arrays cause extremely long
synchronization times
+ JDK-8060721: Test runtime/SharedArchiveFile/
/LimitSharedSizes.java fails in jdk 9 fcs new
platforms/compiler
+ JDK-8152077: (cal) Calendar.roll does not always roll the
hours during daylight savings
+ JDK-8168517: java/lang/ProcessBuilder/Basic.java failed
+ JDK-8211163: UNIX version of Java_java_io_Console_echo does
not return a clean boolean
+ JDK-8220674: [TESTBUG] MetricsMemoryTester failcount test in
docker container only works with debug JVMs
+ JDK-8231213: Migrate SimpleDateFormatConstTest to JDK Repo
+ JDK-8236645: JDK 8u231 introduces a regression with
incompatible handling of XML messages
+ JDK-8240676: Meet not symmetric failure when running lucene
on jdk8
+ JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA
program
+ JDK-8249158: THREAD_START and THREAD_END event posted in
primordial phase
+ JDK-8250627: Use -XX:+/-UseContainerSupport for
enabling/disabling Java container metrics
+ JDK-8251546: 8u backport of JDK-8194298 breaks AIX and
Solaris builds
+ JDK-8252084: Minimal VM fails to bootcycle: undefined symbol:
AgeTableTracer::is_tenuring_distribution_event_enabled
* Import of OpenJDK 8 u272 build 06
+ JDK-8064319: Need to enable -XX:+TraceExceptions in release
builds
+ JDK-8080462, PR3801: Update SunPKCS11 provider with PKCS11
v2.40 support
+ JDK-8160768: Add capability to custom resolve host/domain
names within the default JNDI LDAP provider
+ JDK-8161973: PKIXRevocationChecker.getSoftFailExceptions()
not working
+ JDK-8169925, PR3801: PKCS #11 Cryptographic Token Interface
license
+ JDK-8184762: ZapStackSegments should use optimized memset
+ JDK-8193234: When using -Xcheck:jni an internally allocated
buffer can leak
+ JDK-8219919: RuntimeStub name lost with
PrintFrameConverterAssembly
+ JDK-8220313: [TESTBUG] Update base image for Docker testing
to OL 7.6
+ JDK-8222079: Don't use memset to initialize fields decode_env
constructor in disassembler.cpp
+ JDK-8225695: 32-bit build failures after JDK-8080462 (Update
SunPKCS11 provider with PKCS11 v2.40 support)
+ JDK-8226575: OperatingSystemMXBean should be made container
aware
+ JDK-8226809: Circular reference in printed stack trace is not
correctly indented & ambiguous
+ JDK-8228835: Memory leak in PKCS11 provider when using AES GCM
+ JDK-8233621: Mismatch in jsse.enableMFLNExtension property
name
+ JDK-8238898, PR3801: Missing hash characters for header on
license file
+ JDK-8243320: Add SSL root certificates to Oracle Root CA
program
+ JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest
release 1.8.26
+ JDK-8245467: Remove 8u TLSv1.2 implementation files
+ JDK-8245469: Remove DTLS protocol implementation
+ JDK-8245470: Fix JDK8 compatibility issues
+ JDK-8245471: Revert JDK-8148188
+ JDK-8245472: Backport JDK-8038893 to JDK8
+ JDK-8245473: OCSP stapling support
+ JDK-8245474: Add TLS_KRB5 cipher suites support according to
RFC-2712
+ JDK-8245476: Disable TLSv1.3 protocol in the ClientHello
message by default
+ JDK-8245477: Adjust TLS tests location
+ JDK-8245653: Remove 8u TLS tests
+ JDK-8245681: Add TLSv1.3 regression test from 11.0.7
+ JDK-8251117: Cannot check P11Key size in P11Cipher and
P11AEADCipher
+ JDK-8251120, PR3793: [8u] HotSpot build assumes ENABLE_JFR is
set to either true or false
+ JDK-8251341: Minimal Java specification change
+ JDK-8251478: Backport TLSv1.3 regression tests to JDK8u
* Import of OpenJDK 8 u272 build 07
+ JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ
* Import of OpenJDK 8 u272 build 08
+ JDK-8062947: Fix exception message to correctly represent
LDAP connection failure
+ JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed
due to timeout on DeadServerNoTimeoutTest is incorrect
+ JDK-8252573: 8u: Windows build failed after 8222079 backport
* Import of OpenJDK 8 u272 build 09
+ JDK-8252886: [TESTBUG] sun/security/ec/TestEC.java :
Compilation failed
* Import of OpenJDK 8 u272 build 10
+ JDK-8254673: Call to JvmtiExport::post_vm_start() was removed
by the fix for JDK-8249158
+ JDK-8254937: Revert JDK-8148854 for 8u272
* Backports
+ JDK-8038723, PR3806: Openup some PrinterJob tests
+ JDK-8041480, PR3806: ArrayIndexOutOfBoundsException when
JTable contains certain string
+ JDK-8058779, PR3805: Faster implementation of
String.replace(CharSequence, CharSequence)
+ JDK-8130125, PR3806: [TEST_BUG] add @modules to the several
client tests unaffected by the automated bulk update
+ JDK-8144015, PR3806: [PIT] failures of text layout font tests
+ JDK-8144023, PR3806: [PIT] failure of text measurements in
javax/swing/text/html/parser/Parser/6836089/bug6836089.java
+ JDK-8144240, PR3806: [macosx][PIT] AIOOB in
closed/javax/swing/text/GlyphPainter2/6427244/bug6427244.java
+ JDK-8145542, PR3806: The case failed automatically and thrown
java.lang.ArrayIndexOutOfBoundsException exception
+ JDK-8151725, PR3806: [macosx] ArrayIndexOOB exception when
displaying Devanagari text in JEditorPane
+ JDK-8152358, PR3800: code and comment cleanups found during
the hunt for 8077392
+ JDK-8152545, PR3804: Use preprocessor instead of compiling a
program to generate native nio constants
+ JDK-8152680, PR3806: Regression in
GlyphVector.getGlyphCharIndex behaviour
+ JDK-8158924, PR3806: Incorrect i18n text document layout
+ JDK-8166003, PR3806: [PIT][TEST_BUG] missing helper for
javax/swing/text/GlyphPainter2/6427244/bug6427244.java
+ JDK-8166068, PR3806: test/java/awt/font/GlyphVector/
/GetGlyphCharIndexTest.java does not compile
+ JDK-8169879, PR3806: [TEST_BUG] javax/swing/text/
/GlyphPainter2/6427244/bug6427244.java - compilation failed
+ JDK-8191512, PR3806: T2K font rasterizer code removal
+ JDK-8191522, PR3806: Remove Bigelow&Holmes Lucida fonts from
JDK sources
+ JDK-8236512, PR3801: PKCS11 Connection closed after
Cipher.doFinal and NoPadding
+ JDK-8254177, PR3809: (tz) Upgrade time-zone data to
tzdata2020b
* Bug fixes
+ PR3798: Fix format-overflow error on GCC 10, caused by
passing NULL to a '%s' directive
+ PR3795: ECDSAUtils for XML digital signatures should support
the same curve set as the rest of the JDK
+ PR3799: Adapt elliptic curve patches to JDK-8245468: Add
TLSv1.3 implementation classes from 11.0.7
+ PR3808: IcedTea does not install the JFR *.jfc files
+ PR3810: Enable JFR on x86 (32-bit) now that JDK-8252096 has
fixed its use with Shenandoah
+ PR3811: Don't attempt to install JFR files when JFR is
disabled
* Shenandoah
+ [backport] 8221435: Shenandoah should not mark through weak
roots
+ [backport] 8221629: Shenandoah: Cleanup class unloading logic
+ [backport] 8222992: Shenandoah: Pre-evacuate all roots
+ [backport] 8223215: Shenandoah: Support verifying subset of
roots
+ [backport] 8223774: Shenandoah: Refactor
ShenandoahRootProcessor and family
+ [backport] 8224210: Shenandoah: Refactor
ShenandoahRootScanner to support scanning CSet codecache roots
+ [backport] 8224508: Shenandoah: Need to update thread roots
in final mark for piggyback ref update cycle
+ [backport] 8224579: ResourceMark not declared in
shenandoahRootProcessor.inline.hpp with
--disable-precompiled-headers
+ [backport] 8224679: Shenandoah: Make
ShenandoahParallelCodeCacheIterator noncopyable
+ [backport] 8224751: Shenandoah: Shenandoah Verifier should
select proper roots according to current GC cycle
+ [backport] 8225014: Separate ShenandoahRootScanner method for
object_iterate
+ [backport] 8225216: gc/logging/TestMetaSpaceLog.java doesn't
work for Shenandoah
+ [backport] 8225573: Shenandoah: Enhance ShenandoahVerifier to
ensure roots to-space invariant
+ [backport] 8225590: Shenandoah: Refactor
ShenandoahClassLoaderDataRoots API
+ [backport] 8226413: Shenandoah: Separate root scanner for
SH::object_iterate()
+ [backport] 8230853: Shenandoah: replace leftover
assert(is_in(...)) with rich asserts
+ [backport] 8231198: Shenandoah: heap walking should visit all
roots most of the time
+ [backport] 8231244: Shenandoah: all-roots heap walking misses
some weak roots
+ [backport] 8237632: Shenandoah: accept NULL fwdptr to
cooperate with JVMTI and JFR
+ [backport] 8239786: Shenandoah: print per-cycle statistics
+ [backport] 8239926: Shenandoah: Shenandoah needs to mark
nmethod's metadata
+ [backport] 8240671: Shenandoah: refactor
ShenandoahPhaseTimings
+ [backport] 8240749: Shenandoah: refactor ShenandoahUtils
+ [backport] 8240750: Shenandoah: remove leftover files and
mentions of ShenandoahAllocTracker
+ [backport] 8240868: Shenandoah: remove CM-with-UR
piggybacking cycles
+ [backport] 8240872: Shenandoah: Avoid updating new regions
from start of evacuation
+ [backport] 8240873: Shenandoah: Short-cut arraycopy barriers
+ [backport] 8240915: Shenandoah: Remove unused fields in init
mark tasks
+ [backport] 8240948: Shenandoah: cleanup not-forwarded-objects
paths after JDK-8240868
+ [backport] 8241007: Shenandoah: remove
ShenandoahCriticalControlThreadPriority support
+ [backport] 8241062: Shenandoah: rich asserts trigger 'empty
statement' inspection
+ [backport] 8241081: Shenandoah: Do not modify
update-watermark concurrently
+ [backport] 8241093: Shenandoah: editorial changes in flag
descriptions
+ [backport] 8241139: Shenandoah: distribute mark-compact work
exactly to minimize fragmentation
+ [backport] 8241142: Shenandoah: should not use parallel
reference processing with single GC thread
+ [backport] 8241351: Shenandoah: fragmentation metrics overhaul
+ [backport] 8241435: Shenandoah: avoid disabling pacing with
'aggressive'
+ [backport] 8241520: Shenandoah: simplify region sequence
numbers handling
+ [backport] 8241534: Shenandoah: region status should include
update watermark
+ [backport] 8241574: Shenandoah: remove
ShenandoahAssertToSpaceClosure
+ [backport] 8241583: Shenandoah: turn heap lock asserts into
macros
+ [backport] 8241668: Shenandoah: make ShenandoahHeapRegion not
derive from ContiguousSpace
+ [backport] 8241673: Shenandoah: refactor anti-false-sharing
padding
+ [backport] 8241675: Shenandoah: assert(n->outcnt() > 0) at
shenandoahSupport.cpp:2858 with
java/util/Collections/FindSubList.java
+ [backport] 8241692: Shenandoah: remove
ShenandoahHeapRegion::_reserved
+ [backport] 8241700: Shenandoah: Fold
ShenandoahKeepAliveBarrier flag into ShenandoahSATBBarrier
+ [backport] 8241740: Shenandoah: remove
ShenandoahHeapRegion::_heap
+ [backport] 8241743: Shenandoah: refactor and inline
ShenandoahHeap::heap()
+ [backport] 8241748: Shenandoah: inline MarkingContext TAMS
methods
+ [backport] 8241838: Shenandoah: no need to trash cset during
final mark
+ [backport] 8241841: Shenandoah: ditch one of allocation type
counters in ShenandoahHeapRegion
+ [backport] 8241842: Shenandoah: inline
ShenandoahHeapRegion::region_number
+ [backport] 8241844: Shenandoah: rename
ShenandoahHeapRegion::region_number
+ [backport] 8241845: Shenandoah: align ShenandoahHeapRegions
to cache lines
+ [backport] 8241926: Shenandoah: only print heap changes for
operations that directly affect it
+ [backport] 8241983: Shenandoah: simplify FreeSet logging
+ [backport] 8241985: Shenandoah: simplify collectable garbage
logging
+ [backport] 8242040: Shenandoah: print allocation failure type
+ [backport] 8242041: Shenandoah: adaptive heuristics should
account evac reserve in free target
+ [backport] 8242042: Shenandoah: tune down
ShenandoahGarbageThreshold
+ [backport] 8242054: Shenandoah: New incremental-update mode
+ [backport] 8242075: Shenandoah: rename
ShenandoahHeapRegionSize flag
+ [backport] 8242082: Shenandoah: Purge Traversal mode
+ [backport] 8242083: Shenandoah: split 'Prepare Evacuation'
tracking into cset/freeset counters
+ [backport] 8242089: Shenandoah: per-worker stats should be
summed up, not averaged
+ [backport] 8242101: Shenandoah: coalesce and parallelise heap
region walks during the pauses
+ [backport] 8242114: Shenandoah: remove
ShenandoahHeapRegion::reset_alloc_metadata_to_shared
+ [backport] 8242130: Shenandoah: Simplify arraycopy-barrier
dispatching
+ [backport] 8242211: Shenandoah: remove
ShenandoahHeuristics::RegionData::_seqnum_last_alloc
+ [backport] 8242212: Shenandoah: initialize
ShenandoahHeuristics::_region_data eagerly
+ [backport] 8242213: Shenandoah: remove
ShenandoahHeuristics::_bytes_in_cset
+ [backport] 8242217: Shenandoah: Enable GC mode to be
diagnostic/experimental and have a name
+ [backport] 8242227: Shenandoah: transit regions to cset state
when adding to collection set
+ [backport] 8242228: Shenandoah: remove unused
ShenandoahCollectionSet methods
+ [backport] 8242229: Shenandoah: inline ShenandoahHeapRegion
liveness-related methods
+ [backport] 8242267: Shenandoah: regions space needs to be
aligned by os::vm_allocation_granularity()
+ [backport] 8242271: Shenandoah: add test to verify GC mode
unlock
+ [backport] 8242273: Shenandoah: accept either SATB or IU
barriers, but not both
+ [backport] 8242301: Shenandoah: Inline LRB runtime call
+ [backport] 8242316: Shenandoah: Turn NULL-check into assert
in SATB slow-path entry
+ [backport] 8242353: Shenandoah: micro-optimize region
liveness handling
+ [backport] 8242365: Shenandoah: use uint16_t instead of
jushort for liveness cache
+ [backport] 8242375: Shenandoah: Remove
ShenandoahHeuristic::record_gc_start/end methods
+ [backport] 8242641: Shenandoah: clear live data and update
TAMS optimistically
+ [backport] 8243238: Shenandoah: explicit GC request should
wait for a complete GC cycle
+ [backport] 8243301: Shenandoah: ditch
ShenandoahAllowMixedAllocs
+ [backport] 8243307: Shenandoah: remove
ShCollectionSet::live_data
+ [backport] 8243395: Shenandoah: demote guarantee in
ShenandoahPhaseTimings::record_workers_end
+ [backport] 8243463: Shenandoah: ditch total_pause counters
+ [backport] 8243464: Shenandoah: print statistic counters in
time order
+ [backport] 8243465: Shenandoah: ditch unused pause_other,
conc_other counters
+ [backport] 8243487: Shenandoah: make _num_phases illegal
phase type
+ [backport] 8243494: Shenandoah: set counters once per cycle
+ [backport] 8243573: Shenandoah: rename GCParPhases and
related code
+ [backport] 8243848: Shenandoah: Windows build fails after
JDK-8239786
+ [backport] 8244180: Shenandoah: carry Phase to
ShWorkerTimingsTracker explicitly
+ [backport] 8244200: Shenandoah: build breakages after
JDK-8241743
+ [backport] 8244226: Shenandoah: per-cycle statistics contain
worker data from previous cycles
+ [backport] 8244326: Shenandoah: global statistics should not
accept bogus samples
+ [backport] 8244509: Shenandoah: refactor
ShenandoahBarrierC2Support::test_* methods
+ [backport] 8244551: Shenandoah: Fix racy update of
update_watermark
+ [backport] 8244667: Shenandoah: SBC2Support::test_gc_state
takes loop for wrong control
+ [backport] 8244730: Shenandoah: gc/shenandoah/options/
/TestHeuristicsUnlock.java should only verify the heuristics
+ [backport] 8244732: Shenandoah: move heuristics code to
gc/shenandoah/heuristics
+ [backport] 8244737: Shenandoah: move mode code to
gc/shenandoah/mode
+ [backport] 8244739: Shenandoah: break superclass dependency
on ShenandoahNormalMode
+ [backport] 8244740: Shenandoah: rename ShenandoahNormalMode
to ShenandoahSATBMode
+ [backport] 8245461: Shenandoah: refine mode name()-s
+ [backport] 8245463: Shenandoah: refine ShenandoahPhaseTimings
constructor arguments
+ [backport] 8245464: Shenandoah: allocate collection set
bitmap at lower addresses
+ [backport] 8245465: Shenandoah: test_in_cset can use more
efficient encoding
+ [backport] 8245726: Shenandoah: lift/cleanup
ShenandoahHeuristics names and properties
+ [backport] 8245754: Shenandoah: ditch ShenandoahAlwaysPreTouch
+ [backport] 8245757: Shenandoah: AlwaysPreTouch should not
disable heap resizing or uncommits
+ [backport] 8245773: Shenandoah: Windows assertion failure
after JDK-8245464
+ [backport] 8245812: Shenandoah: compute root phase parallelism
+ [backport] 8245814: Shenandoah: reconsider format specifiers
for stats
+ [backport] 8245825: Shenandoah: Remove diagnostic flag
ShenandoahConcurrentScanCodeRoots
+ [backport] 8246162: Shenandoah: full GC does not mark code
roots when class unloading is off
+ [backport] 8247310: Shenandoah: pacer should not affect
interrupt status
+ [backport] 8247358: Shenandoah: reconsider free budget slice
for marking
+ [backport] 8247367: Shenandoah: pacer should wait on lock
instead of exponential backoff
+ [backport] 8247474: Shenandoah: Windows build warning after
JDK-8247310
+ [backport] 8247560: Shenandoah: heap iteration holds root
locks all the time
+ [backport] 8247593: Shenandoah: should not block pacing
reporters
+ [backport] 8247751: Shenandoah: options tests should run with
smaller heaps
+ [backport] 8247754: Shenandoah: mxbeans tests can be shorter
+ [backport] 8247757: Shenandoah: split heavy tests by
heuristics to improve parallelism
+ [backport] 8247860: Shenandoah: add update watermark line in
rich assert failure message
+ [backport] 8248041: Shenandoah: pre-Full GC root updates may
miss some roots
+ [backport] 8248652: Shenandoah: SATB buffer handling may
assume no forwarded objects
+ [backport] 8249560: Shenandoah: Fix racy GC request handling
+ [backport] 8249649: Shenandoah: provide per-cycle pacing stats
+ [backport] 8249801: Shenandoah: Clear soft-refs on requested
GC cycle
+ [backport] 8249953: Shenandoah: gc/shenandoah/mxbeans tests
should account for corner cases
+ Fix slowdebug build after JDK-8230853 backport
+ JDK-8252096: Shenandoah: adjust SerialPageShiftCount for
x86_32 and JFR
+ JDK-8252366: Shenandoah: revert/cleanup changes in
graphKit.cpp
+ Shenandoah: add JFR roots to root processor after JFR
integration
+ Shenandoah: add root statistics for string dedup table/queues
+ Shenandoah: enable low-frequency STW class unloading
+ Shenandoah: fix build failures after JDK-8244737 backport
+ Shenandoah: Fix build failure with +JFR -PCH
+ Shenandoah: fix forceful pacer claim
+ Shenandoah: fix formats in
ShenandoahStringSymbolTableUnlinkTask
+ Shenandoah: fix runtime linking failure due to non-compiled
shenandoahBarrierSetC1
+ Shenandoah: hook statistics printing to PrintGCDetails, not
PrintGC
+ Shenandoah: JNI weak roots are always cleared before Full GC
mark
+ Shenandoah: missing SystemDictionary roots in
ShenandoahHeapIterationRootScanner
+ Shenandoah: move barrier sets to their proper locations
+ Shenandoah: move parallelCleaning.* to shenandoah/
+ Shenandoah: pacer should use proper Atomics for intptr_t
+ Shenandoah: properly deallocates class loader metadata
+ Shenandoah: specialize String Table scans for better pause
performance
+ Shenandoah: Zero build fails after recent Atomic cleanup in
Pacer
* AArch64 port
+ JDK-8161072, PR3797: AArch64: jtreg
compiler/uncommontrap/TestDeoptOOM failure
+ JDK-8171537, PR3797: aarch64: compiler/c1/Test6849574.java
generates guarantee failure in C1
+ JDK-8183925, PR3797: [AArch64] Decouple crash protection from
watcher thread
+ JDK-8199712, PR3797: [AArch64] Flight Recorder
+ JDK-8203481, PR3797: Incorrect constraint for unextended_sp
in frame:safe_for_sender
+ JDK-8203699, PR3797: java/lang/invoke/SpecialInterfaceCall
fails with SIGILL on aarch64
+ JDK-8209413, PR3797: AArch64: NPE in clhsdb jstack command
+ JDK-8215961, PR3797: jdk/jfr/event/os/TestCPUInformation.java
fails on AArch64
+ JDK-8216989, PR3797:
CardTableBarrierSetAssembler::gen_write_ref_array_post_barrier()
does not check for zero length on AARCH64
+ JDK-8217368, PR3797: AArch64: C2 recursive stack locking
optimisation not triggered
+ JDK-8221658, PR3797: aarch64: add necessary predicate for
ubfx patterns
+ JDK-8237512, PR3797: AArch64: aarch64TestHook leaks a
BufferBlob
+ JDK-8246482, PR3797: Build failures with +JFR -PCH
+ JDK-8247979, PR3797: aarch64: missing side effect of killing
flags for clearArray_reg_reg
+ JDK-8248219, PR3797: aarch64: missing memory barrier in
fast_storefield and fast_accessfield
- Ignore whitespaces after the header or footer in PEM X.509 cert
(bsc#1171352)
ImportantSUSE bug 1171352SUSE bug 1174157SUSE bug 1177943CVE-2020-14556 at SUSECVE-2020-14556 at NVDCVE-2020-14577 at SUSECVE-2020-14577 at NVDCVE-2020-14578 at SUSECVE-2020-14578 at NVDCVE-2020-14579 at SUSECVE-2020-14579 at NVDCVE-2020-14581 at SUSECVE-2020-14581 at NVDCVE-2020-14583 at SUSECVE-2020-14583 at NVDCVE-2020-14593 at SUSECVE-2020-14593 at NVDCVE-2020-14621 at SUSECVE-2020-14621 at NVDCVE-2020-14779 at SUSECVE-2020-14779 at NVDCVE-2020-14781 at SUSECVE-2020-14781 at NVDCVE-2020-14782 at SUSECVE-2020-14782 at NVDCVE-2020-14792 at SUSECVE-2020-14792 at NVDCVE-2020-14796 at SUSECVE-2020-14796 at NVDCVE-2020-14797 at SUSECVE-2020-14797 at NVDCVE-2020-14798 at SUSECVE-2020-14798 at NVDCVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_124 fixes several issues.
The following security issues were fixed:
- CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with system execution privileges needed. User interaction is not needed for exploitation. (bsc#1176724)
- CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011).
- CVE-2020-0431: In kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bsc#1176722)
- CVE-2020-25212: A TOCTOU mismatch in the NFS client code could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c (bsc#1176381).
- CVE-2020-14386: Fixed a memory corruption which could have lead to an attacker gaining root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity (bsc#1176069).
ImportantSUSE bug 1176012SUSE bug 1176072SUSE bug 1176382SUSE bug 1176896SUSE bug 1176931CVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2020-0431 at SUSECVE-2020-0431 at NVDCVE-2020-14381 at SUSECVE-2020-14381 at NVDCVE-2020-14386 at SUSECVE-2020-14386 at NVDCVE-2020-25212 at SUSECVE-2020-25212 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_121 fixes several issues.
The following security issues were fixed:
- CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with system execution privileges needed. User interaction is not needed for exploitation. (bsc#1176724)
- CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011).
- CVE-2020-0431: In kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bsc#1176722)
- CVE-2020-25212: A TOCTOU mismatch in the NFS client code could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c (bsc#1176381).
- CVE-2020-14386: Fixed a memory corruption which could have lead to an attacker gaining root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity (bsc#1176069).
ImportantSUSE bug 1176012SUSE bug 1176072SUSE bug 1176382SUSE bug 1176896SUSE bug 1176931CVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2020-0431 at SUSECVE-2020-0431 at NVDCVE-2020-14381 at SUSECVE-2020-14381 at NVDCVE-2020-14386 at SUSECVE-2020-14386 at NVDCVE-2020-25212 at SUSECVE-2020-25212 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_116 fixes several issues.
The following security issues were fixed:
- CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with system execution privileges needed. User interaction is not needed for exploitation. (bsc#1176724)
- CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011).
- CVE-2020-0431: In kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bsc#1176722)
- CVE-2020-25212: A TOCTOU mismatch in the NFS client code could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c (bsc#1176381).
- CVE-2020-14386: Fixed a memory corruption which could have lead to an attacker gaining root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity (bsc#1176069).
ImportantSUSE bug 1176012SUSE bug 1176072SUSE bug 1176382SUSE bug 1176896SUSE bug 1176931CVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2020-0431 at SUSECVE-2020-0431 at NVDCVE-2020-14381 at SUSECVE-2020-14381 at NVDCVE-2020-14386 at SUSECVE-2020-14386 at NVDCVE-2020-25212 at SUSECVE-2020-25212 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_130 fixes several issues.
The following security issues were fixed:
- CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with system execution privileges needed. User interaction is not needed for exploitation. (bsc#1176724)
- CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011).
- CVE-2020-0431: In kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bsc#1176722)
- CVE-2020-25212: A TOCTOU mismatch in the NFS client code could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c (bsc#1176381).
- CVE-2020-11668: Fixed an out of bounds write to the heap in drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB driver) caused by mishandling invalid descriptors (bsc#1168952).
- CVE-2020-1749: A flaw was found in the implementation of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't correctly routing tunneled data over the encrypted link, rather sending the data unencrypted. This would have allowed anyone in between the two endpoints to read the traffic unencrypted. (bsc#1165629)
ImportantSUSE bug 1165631SUSE bug 1173942SUSE bug 1176012SUSE bug 1176382SUSE bug 1176896SUSE bug 1176931CVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2020-0431 at SUSECVE-2020-0431 at NVDCVE-2020-11668 at SUSECVE-2020-11668 at NVDCVE-2020-14381 at SUSECVE-2020-14381 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDCVE-2020-25212 at SUSECVE-2020-25212 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_113 fixes several issues.
The following security issues were fixed:
- CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with system execution privileges needed. User interaction is not needed for exploitation. (bsc#1176724)
- CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011).
- CVE-2020-0431: In kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bsc#1176722)
- CVE-2020-25212: A TOCTOU mismatch in the NFS client code could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c (bsc#1176381).
- CVE-2020-14386: Fixed a memory corruption which could have lead to an attacker gaining root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity (bsc#1176069).
ImportantSUSE bug 1176012SUSE bug 1176072SUSE bug 1176382SUSE bug 1176896SUSE bug 1176931CVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2020-0431 at SUSECVE-2020-0431 at NVDCVE-2020-14381 at SUSECVE-2020-14381 at NVDCVE-2020-14386 at SUSECVE-2020-14386 at NVDCVE-2020-25212 at SUSECVE-2020-25212 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_127 fixes several issues.
The following security issues were fixed:
- CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with system execution privileges needed. User interaction is not needed for exploitation. (bsc#1176724)
- CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011).
- CVE-2020-0431: In kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bsc#1176722)
- CVE-2020-25212: A TOCTOU mismatch in the NFS client code could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c (bsc#1176381).
- CVE-2020-14386: Fixed a memory corruption which could have lead to an attacker gaining root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity (bsc#1176069).
ImportantSUSE bug 1176012SUSE bug 1176072SUSE bug 1176382SUSE bug 1176896SUSE bug 1176931CVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2020-0431 at SUSECVE-2020-0431 at NVDCVE-2020-14381 at SUSECVE-2020-14381 at NVDCVE-2020-14386 at SUSECVE-2020-14386 at NVDCVE-2020-25212 at SUSECVE-2020-25212 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_107 fixes several issues.
The following security issues were fixed:
- CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with system execution privileges needed. User interaction is not needed for exploitation. (bsc#1176724)
- CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011).
- CVE-2020-0431: In kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bsc#1176722)
- CVE-2020-25212: A TOCTOU mismatch in the NFS client code could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c (bsc#1176381).
- CVE-2020-14386: Fixed a memory corruption which could have lead to an attacker gaining root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity (bsc#1176069).
ImportantSUSE bug 1176012SUSE bug 1176072SUSE bug 1176382SUSE bug 1176896SUSE bug 1176931CVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2020-0431 at SUSECVE-2020-0431 at NVDCVE-2020-14381 at SUSECVE-2020-14381 at NVDCVE-2020-14386 at SUSECVE-2020-14386 at NVDCVE-2020-25212 at SUSECVE-2020-25212 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for gcc10 (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for gcc10 fixes the following issues:
This update provides the GCC10 compiler suite and runtime libraries.
The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by
the gcc10 variants.
The new compiler variants are available with '-10' suffix, you can specify them
via:
CC=gcc-10
CXX=g++-10
or similar commands.
For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html
ModerateSUSE bug 1172798SUSE bug 1172846SUSE bug 1173972SUSE bug 1174753SUSE bug 1174817SUSE bug 1175168CVE-2020-13844 at SUSECVE-2020-13844 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for ucode-intel (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for ucode-intel fixes the following issues:
- Intel CPU Microcode updated to 20201027 prerelease
- CVE-2020-8695: Fixed Intel RAPL sidechannel attack (SGX) (bsc#1170446)
- CVE-2020-8698: Fixed Fast Store Forward Predictor INTEL-SA-00381 (bsc#1173594)
# New Platforms:
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| TGL | B1 | 06-8c-01/80 | | 00000068 | Core Gen11 Mobile
| CPX-SP | A1 | 06-55-0b/bf | | 0700001e | Xeon Scalable Gen3
| CML-H | R1 | 06-a5-02/20 | | 000000e0 | Core Gen10 Mobile
| CML-S62 | G1 | 06-a5-03/22 | | 000000e0 | Core Gen10
| CML-S102 | Q0 | 06-a5-05/22 | | 000000e0 | Core Gen10
| CML-U62 V2 | K0 | 06-a6-01/80 | | 000000e0 | Core Gen10 Mobile
# Updated Platforms:
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| GKL-R | R0 | 06-7a-08/01 | 00000016 | 00000018 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| SKL-U23e | K1 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| APL | D0 | 06-5c-09/03 | 00000038 | 00000040 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
| APL | E0 | 06-5c-0a/03 | 00000016 | 0000001e | Atom x5-E39xx
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000d6 | 000000e2 | Core Gen6; Xeon E3 v5
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3
| SKX-SP | B1 | 06-55-03/97 | 01000157 | 01000159 | Xeon Scalable
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable
| SKX-D | M1 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon D-21xx
| CLX-SP | B0 | 06-55-06/bf | 04002f01 | 04003003 | Xeon Scalable Gen2
| CLX-SP | B1 | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2
| ICL-U/Y | D1 | 06-7e-05/80 | 00000078 | 000000a0 | Core Gen10 Mobile
| AML-Y22 | H0 | 06-8e-09/10 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000d6 | 000000e0 | Core Gen8 Mobile
| WHL-U | W0 | 06-8e-0b/d0 | 000000d6 | 000000de | Core Gen8 Mobile
| AML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| CML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| WHL-U | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000d6 | 000000de | Core Gen7; Xeon E3 v6
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000d6 | 000000de | Core Gen8 Desktop, Mobile, Xeon E
| CFL-S | B0 | 06-9e-0b/02 | 000000d6 | 000000de | Core Gen8
| CFL-H/S | P0 | 06-9e-0c/22 | 000000d6 | 000000de | Core Gen9
| CFL-H | R0 | 06-9e-0d/22 | 000000d6 | 000000de | Core Gen9 Mobile
| CML-U62 | A0 | 06-a6-00/80 | 000000ca | 000000e0 | Core Gen10 Mobile
ModerateSUSE bug 1170446SUSE bug 1173594CVE-2020-8695 at SUSECVE-2020-8695 at NVDCVE-2020-8698 at SUSECVE-2020-8698 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for systemd (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for systemd fixes the following issues:
- CVE-2020-1712 (bsc#bsc#1162108)
Fix a heap use-after-free vulnerability, when asynchronous
Polkit queries were performed while handling Dbus messages. A local
unprivileged attacker could have abused this flaw to crash systemd services or
potentially execute code and elevate their privileges, by sending specially
crafted Dbus messages.
- Unconfirmed fix for prevent hanging of systemctl during restart. (bsc#1139459)
- Fix warnings thrown during package installation. (bsc#1154043)
- Fix for system-udevd prevent crash within OES2018. (bsc#1151506)
- Fragments of masked units ought not be considered for 'NeedDaemonReload'. (bsc#1156482)
- Wait for workers to finish when exiting. (bsc#1106383)
- Improve log message when inotify limit is reached. (bsc#1155574)
- Mention in the man pages that alias names are only effective after command 'systemctl enable'. (bsc#1151377)
- Introduce function for reading virtual files in 'sysfs' and 'procfs'. (bsc#1133495, bsc#1159814)
ImportantSUSE bug 1106383SUSE bug 1133495SUSE bug 1139459SUSE bug 1151377SUSE bug 1151506SUSE bug 1154043SUSE bug 1155574SUSE bug 1156482SUSE bug 1159814SUSE bug 1162108CVE-2020-1712 at SUSECVE-2020-1712 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_7_0-openjdk fixes the following issues:
- Update to 2.6.24 - OpenJDK 7u281 (October 2020 CPU, bsc#1177943)
* Security fixes
+ JDK-8233624: Enhance JNI linkage
+ JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
+ JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
+ JDK-8237995, CVE-2020-14782: Enhance certificate processing
+ JDK-8240124: Better VM Interning
+ JDK-8241114, CVE-2020-14792: Better range handling
+ JDK-8242680, CVE-2020-14796: Improved URI Support
+ JDK-8242685, CVE-2020-14797: Better Path Validation
+ JDK-8242695, CVE-2020-14798: Enhanced buffer support
+ JDK-8243302: Advanced class supports
+ JDK-8244136, CVE-2020-14803: Improved Buffer supports
+ JDK-8244479: Further constrain certificates
+ JDK-8244955: Additional Fix for JDK-8240124
+ JDK-8245407: Enhance zoning of times
+ JDK-8245412: Better class definitions
+ JDK-8245417: Improve certificate chain handling
+ JDK-8248574: Improve jpeg processing
+ JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
+ JDK-8253019: Enhanced JPEG decoding
* Import of OpenJDK 7 u281 build 1
+ JDK-8145096: Undefined behaviour in HotSpot
+ JDK-8215265: C2: range check elimination may allow illegal
out of bound access
* Backports
+ JDK-8250861, PR3812: Crash in MinINode::Ideal(PhaseGVN*, bool)
ImportantSUSE bug 1177943CVE-2020-14779 at SUSECVE-2020-14779 at NVDCVE-2020-14781 at SUSECVE-2020-14781 at NVDCVE-2020-14782 at SUSECVE-2020-14782 at NVDCVE-2020-14792 at SUSECVE-2020-14792 at NVDCVE-2020-14796 at SUSECVE-2020-14796 at NVDCVE-2020-14797 at SUSECVE-2020-14797 at NVDCVE-2020-14798 at SUSECVE-2020-14798 at NVDCVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for openldap2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for openldap2 fixes the following issues:
- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).
ImportantSUSE bug 1178387CVE-2020-25692 at SUSECVE-2020-25692 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.4.1 ESR
* Fixed: Security fix
MFSA 2020-49 (bsc#1178588)
* CVE-2020-26950 (bmo#1675905)
Write side effects in MCallGetProperty opcode not accounted
for
ImportantSUSE bug 1178588CVE-2020-26950 at SUSECVE-2020-26950 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for postgresql, postgresql96, postgresql10 and postgresql12 (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update changes the internal packaging for postgresql, and so contains
all currently maintained postgresql versions across our SUSE Linux Enterprise 12
products.
* postgresql12 is shipped new in version 12.3 (bsc#1171924).
The server and client packages only on SUSE Linux Enterprise Server 12 SP5,
the libraries on SUSE Linux Enterprise Server 12 SP2 LTSS up to 12 SP5.
+ https://www.postgresql.org/about/news/2038/
+ https://www.postgresql.org/docs/12/release-12-3.html
* postgresql10 is updated to 10.13 (bsc#1171924).
On SUSE Linux Enterprise Server 12 SP2 LTSS up to 12 SP5.
+ https://www.postgresql.org/about/news/2038/
+ https://www.postgresql.org/docs/10/release-10-13.html
* postgresql96 is updated to 9.6.18 (bsc#1171924):
+ https://www.postgresql.org/about/news/2038/
+ https://www.postgresql.org/docs/9.6/release-9-6-18.html
On SUSE Linux Enterprise Server 12-SP2 and 12-SP3 LTSS only.
* postgresql 9.4 is updated to 9.4.26:
+ https://www.postgresql.org/about/news/2011/
+ https://www.postgresql.org/docs/9.4/release-9-4-26.html
+ https://www.postgresql.org/about/news/1994/
+ https://www.postgresql.org/docs/9.4/release-9-4-25.html
ModerateSUSE bug 1171924cpe:/o:suse:sles-ltss:12:sp3Security update for raptor (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for raptor fixes the following issues:
- Fixed a heap overflow vulnerability (bsc#1178593, CVE-2017-18926).
- Update raptor to version 2.0.15
* Made several fixes to Turtle / N-Triples family of parsers and serializers
* Added utility functions for re-entrant sorting of objects and sequences.
* Made other fixes and improvements including fixing reported issues:
0000574, 0000575, 0000576, 0000577, 0000579, 0000581 and 0000584.
ImportantSUSE bug 1178593CVE-2017-18926 at SUSECVE-2017-18926 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for kernel-firmware (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for kernel-firmware fixes the following issue:
- CVE-2020-12321: Updated the Intel Bluetooth firmware for buffer overflow security bugs (bsc#1178671).
ImportantSUSE bug 1178671CVE-2020-12321 at SUSECVE-2020-12321 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for krb5 (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for krb5 fixes the following security issue:
- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).
ModerateSUSE bug 1178512CVE-2020-28196 at SUSECVE-2020-28196 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_130 fixes one issue.
The following security issue was fixed:
- CVE-2020-25645: Fixed an an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177513).
ImportantSUSE bug 1177513CVE-2020-25645 at SUSECVE-2020-25645 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_127 fixes one issue.
The following security issue was fixed:
- CVE-2020-25645: Fixed an an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177513).
ImportantSUSE bug 1177513CVE-2020-25645 at SUSECVE-2020-25645 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_124 fixes one issue.
The following security issue was fixed:
- CVE-2020-25645: Fixed an an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177513).
ImportantSUSE bug 1177513CVE-2020-25645 at SUSECVE-2020-25645 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_121 fixes one issue.
The following security issue was fixed:
- CVE-2020-25645: Fixed an an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177513).
ImportantSUSE bug 1177513CVE-2020-25645 at SUSECVE-2020-25645 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_116 fixes one issue.
The following security issue was fixed:
- CVE-2020-25645: Fixed an an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177513).
ImportantSUSE bug 1177513CVE-2020-25645 at SUSECVE-2020-25645 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_113 fixes one issue.
The following security issue was fixed:
- CVE-2020-25645: Fixed an an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177513).
ImportantSUSE bug 1177513CVE-2020-25645 at SUSECVE-2020-25645 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_107 fixes one issue.
The following security issue was fixed:
- CVE-2020-25645: Fixed an an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177513).
ImportantSUSE bug 1177513CVE-2020-25645 at SUSECVE-2020-25645 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for postgresql10 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for postgresql10 fixes the following issues:
Upgrade to version 10.15:
* CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and
materialized view queries.
* CVE-2020-25694, bsc#1178667:
a) Fix usage of complex connection-string parameters in pg_dump,
pg_restore, clusterdb, reindexdb, and vacuumdb.
b) When psql's \connect command re-uses connection parameters,
ensure that all non-overridden parameters from a previous
connection string are re-used.
* CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from
modifying specially-treated variables.
* https://www.postgresql.org/about/news/2111/
* https://www.postgresql.org/docs/10/release-10-15.html
Update to 10.14:
* CVE-2020-14349, bsc#1175193: Set a secure search_path in
logical replication walsenders and apply workers
* CVE-2020-14350, bsc#1175194: Make contrib modules' installation
scripts more secure.
* https://www.postgresql.org/docs/10/release-10-14.html
ImportantSUSE bug 1175193SUSE bug 1175194SUSE bug 1178666SUSE bug 1178667SUSE bug 1178668CVE-2020-14349 at SUSECVE-2020-14349 at NVDCVE-2020-14350 at SUSECVE-2020-14350 at NVDCVE-2020-25694 at SUSECVE-2020-25694 at NVDCVE-2020-25695 at SUSECVE-2020-25695 at NVDCVE-2020-25696 at SUSECVE-2020-25696 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for u-boot (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for u-boot fixes the following issues:
Work around CVE-2019-11059 by disabling 64Bit descritptor size (bsc#1134853)
CVE-2019-11690 (bsc#1134157), CVE-2020-10648 (bsc#1167209), CVE-2019-13103 (bsc#1143463),
CVE-2019-14197 (bsc#1143821), CVE-2019-14200 (bsc#1143825), CVE-2019-14201 (bsc#1143827),
CVE-2019-14202 (bsc#1143828), CVE-2019-14203 (bsc#1143830), CVE-2019-14204 (bsc#1143831),
CVE-2019-14194 (bsc#1143818), CVE-2019-14198 (bsc#1143823), CVE-2019-14195 (bsc#1143819),
CVE-2019-14196 (bsc#1143820), CVE-2019-14299 (bsc#1143824), CVE-2019-14192 (bsc#1143777),
CVE-2019-14193 (bsc#1143817).
ImportantSUSE bug 1134157SUSE bug 1134853SUSE bug 1143463SUSE bug 1143777SUSE bug 1143817SUSE bug 1143818SUSE bug 1143819SUSE bug 1143820SUSE bug 1143821SUSE bug 1143823SUSE bug 1143824SUSE bug 1143825SUSE bug 1143827SUSE bug 1143828SUSE bug 1143830SUSE bug 1143831SUSE bug 1167209CVE-2019-11059 at SUSECVE-2019-11059 at NVDCVE-2019-11690 at SUSECVE-2019-11690 at NVDCVE-2019-13103 at SUSECVE-2019-13103 at NVDCVE-2019-14192 at SUSECVE-2019-14192 at NVDCVE-2019-14193 at SUSECVE-2019-14193 at NVDCVE-2019-14194 at SUSECVE-2019-14194 at NVDCVE-2019-14195 at SUSECVE-2019-14195 at NVDCVE-2019-14196 at SUSECVE-2019-14196 at NVDCVE-2019-14197 at SUSECVE-2019-14197 at NVDCVE-2019-14198 at SUSECVE-2019-14198 at NVDCVE-2019-14200 at SUSECVE-2019-14200 at NVDCVE-2019-14201 at SUSECVE-2019-14201 at NVDCVE-2019-14202 at SUSECVE-2019-14202 at NVDCVE-2019-14203 at SUSECVE-2019-14203 at NVDCVE-2019-14204 at SUSECVE-2019-14204 at NVDCVE-2019-14299 at SUSECVE-2019-14299 at NVDCVE-2020-10648 at SUSECVE-2020-10648 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for postgresql96 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for postgresql96 fixes the following issues:
Upgrade to version 9.6.20:
* CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and
materialized view queries.
* CVE-2020-25694, bsc#1178667:
a) Fix usage of complex connection-string parameters in pg_dump,
pg_restore, clusterdb, reindexdb, and vacuumdb.
b) When psql's \connect command re-uses connection parameters,
ensure that all non-overridden parameters from a previous
connection string are re-used.
* CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from
modifying specially-treated variables.
* https://www.postgresql.org/about/news/2111/
* https://www.postgresql.org/docs/9.6/release-9-6-20.html
Changes from 9.6.19:
* CVE-2020-14350, bsc#1175194: Make contrib modules installation
ImportantSUSE bug 1175194SUSE bug 1178666SUSE bug 1178667SUSE bug 1178668CVE-2020-14350 at SUSECVE-2020-14350 at NVDCVE-2020-25694 at SUSECVE-2020-25694 at NVDCVE-2020-25695 at SUSECVE-2020-25695 at NVDCVE-2020-25696 at SUSECVE-2020-25696 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bug fixes.
The following security bugs were fixed:
- CVE-2020-25705: A flaw in the way reply ICMP packets are limited in was found that allowed to quickly scan open UDP ports. This flaw allowed an off-path remote user to effectively bypassing source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software and services that rely on UDP source port randomization (like DNS) are indirectly affected as well. Kernel versions may be vulnerable to this issue (bsc#1175721, bsc#1178782).
- CVE-2020-25668: Fixed a use-after-free in con_font_op() (bsc#1178123).
- CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).
- CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086).
- CVE-2020-8694: Restricted energy meter to root access (bsc#1170415).
- CVE-2020-12352: Fixed an information leak when processing certain AMP packets aka 'BleedingTooth' (bsc#1177725).
- CVE-2020-25645: Fixed an issue which traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted (bsc#1177511).
- CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011).
- CVE-2020-25212: Fixed A TOCTOU mismatch in the NFS client code which could have been used by local attackers to corrupt memory (bsc#1176381).
- CVE-2020-14390: Fixed an out-of-bounds memory write leading to memory corruption or a denial of service when changing screen size (bnc#1176235).
- CVE-2020-25643: Fixed a memory corruption and a read overflow which could have caused by improper input validation in the ppp_cp_parse_cr function (bsc#1177206).
- CVE-2020-25641: Fixed a zero-length biovec request issued by the block subsystem could have caused the kernel to enter an infinite loop, causing a denial of service (bsc#1177121).
- CVE-2020-26088: Fixed an improper CAP_NET_RAW check in NFC socket creation could have been used by local attackers to create raw sockets, bypassing security mechanisms (bsc#1176990).
- CVE-2020-0432: Fixed an out of bounds write due to an integer overflow (bsc#1176721).
- CVE-2020-0431: Fixed an out of bounds write due to a missing bounds check (bsc#1176722).
- CVE-2020-0427: Fixed an out of bounds read due to a use after free (bsc#1176725).
- CVE-2020-0404: Fixed a linked list corruption due to an unusual root cause (bsc#1176423).
- CVE-2020-25284: Fixed an incomplete permission checking for access to rbd devices, which could have been leveraged by local attackers to map or unmap rbd block devices (bsc#1176482).
- CVE-2019-19063: Fixed two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c, which could have allowed an attacker to cause a denial of service (memory consumption) (bsc#1157298).
- CVE-2019-6133: In PolicyKit (aka polkit), the 'start time' protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions are improperly cached. This is related to lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c (bsc#1121872).
- CVE-2017-18204: Fixed a denial of service in the ocfs2_setattr function of fs/ocfs2/file.c (bnc#1083244).
The following non-security bugs were fixed:
- hv: vmbus: Add timeout to vmbus_wait_for_unload (bsc#1177816).
- hyperv_fb: disable superfluous VERSION_WIN10_V5 case (bsc#1175306).
- hyperv_fb: Update screen_info after removing old framebuffer (bsc#1175306).
- mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa (bsc#1176816).
- net/packet: fix overflow in tpacket_rcv (bsc#1176069).
- ocfs2: give applications more IO opportunities during fstrim (bsc#1175228).
- video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host (bsc#1175306).
- video: hyperv: hyperv_fb: Support deferred IO for Hyper-V frame buffer driver (bsc#1175306).
- video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs (bsc#1175306).
- x86/kexec: Use up-to-dated screen_info copy to fill boot params (bsc#1175306).
- xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen-blkfront: switch kcalloc to kvcalloc for large array allocation (bsc#1160917).
- xen: do not reschedule in preemption off sections (bsc#1175749).
- xen/events: add a new 'late EOI' evtchn framework (XSA-332 bsc#1177411).
- xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411).
- xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410).
- xen/events: block rogue events for some time (XSA-332 bsc#1177411).
- xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411).
- xen/events: do not use chip_data for legacy IRQs (XSA-332 bsc#1065600).
- xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).
- xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411).
- xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411).
- xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information (XSA-332 bsc#1065600).
ImportantSUSE bug 1065600SUSE bug 1083244SUSE bug 1121826SUSE bug 1121872SUSE bug 1157298SUSE bug 1160917SUSE bug 1170415SUSE bug 1175228SUSE bug 1175306SUSE bug 1175721SUSE bug 1175749SUSE bug 1176011SUSE bug 1176069SUSE bug 1176235SUSE bug 1176253SUSE bug 1176278SUSE bug 1176381SUSE bug 1176382SUSE bug 1176423SUSE bug 1176482SUSE bug 1176721SUSE bug 1176722SUSE bug 1176725SUSE bug 1176816SUSE bug 1176896SUSE bug 1176990SUSE bug 1177027SUSE bug 1177086SUSE bug 1177121SUSE bug 1177165SUSE bug 1177206SUSE bug 1177226SUSE bug 1177410SUSE bug 1177411SUSE bug 1177511SUSE bug 1177513SUSE bug 1177725SUSE bug 1177766SUSE bug 1177816SUSE bug 1178123SUSE bug 1178622SUSE bug 1178782CVE-2017-18204 at SUSECVE-2017-18204 at NVDCVE-2019-19063 at SUSECVE-2019-19063 at NVDCVE-2019-6133 at SUSECVE-2019-6133 at NVDCVE-2020-0404 at SUSECVE-2020-0404 at NVDCVE-2020-0427 at SUSECVE-2020-0427 at NVDCVE-2020-0431 at SUSECVE-2020-0431 at NVDCVE-2020-0432 at SUSECVE-2020-0432 at NVDCVE-2020-12352 at SUSECVE-2020-12352 at NVDCVE-2020-14351 at SUSECVE-2020-14351 at NVDCVE-2020-14381 at SUSECVE-2020-14381 at NVDCVE-2020-14390 at SUSECVE-2020-14390 at NVDCVE-2020-25212 at SUSECVE-2020-25212 at NVDCVE-2020-25284 at SUSECVE-2020-25284 at NVDCVE-2020-25641 at SUSECVE-2020-25641 at NVDCVE-2020-25643 at SUSECVE-2020-25643 at NVDCVE-2020-25645 at SUSECVE-2020-25645 at NVDCVE-2020-25656 at SUSECVE-2020-25656 at NVDCVE-2020-25668 at SUSECVE-2020-25668 at NVDCVE-2020-25705 at SUSECVE-2020-25705 at NVDCVE-2020-26088 at SUSECVE-2020-26088 at NVDCVE-2020-8694 at SUSECVE-2020-8694 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for ucode-intel (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for ucode-intel fixes the following issues:
- Updated Intel CPU Microcode to 20201118 official release. (bsc#1178971)
- Removed TGL/06-8c-01/80 due to functional issues with some OEM platforms.
- CVE-2020-8695: Fixed Intel RAPL sidechannel attack (SGX) INTEL-SA-00389 (bsc#1170446)
- CVE-2020-8698: Fixed Fast Store Forward Predictor INTEL-SA-00381 (bsc#1173594)
- CVE-2020-8696: Vector Register Sampling Active INTEL-SA-00381 (bsc#1173592)
- Release notes:
- Security updates for [INTEL-SA-00381](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00381.html).
- Security updates for [INTEL-SA-00389](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html).
- Update for functional issues. Refer to [Second Generation Intel? Xeon? Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/338848) for details.
- Update for functional issues. Refer to [Intel? Xeon? Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/613537) for details.
- Update for functional issues. Refer to [Intel? Xeon? Processor E5 v3 Product Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html?wapkw=processor+spec+update+e5) for details.
- Update for functional issues. Refer to [10th Gen Intel? Core™ Processor Families Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/10th-gen-core-families-specification-update.html) for details.
- Update for functional issues. Refer to [8th and 9th Gen Intel? Core™ Processor Family Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/8th-gen-core-spec-update.html) for details.
- Update for functional issues. Refer to [7th Gen and 8th Gen (U Quad-Core) Intel? Processor Families Specification Update](https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-spec-update.html) for details.
- Update for functional issues. Refer to [6th Gen Intel? Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/332689) for details.
- Update for functional issues. Refer to [Intel? Xeon? E3-1200 v6 Processor Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v6-spec-update.html) for details.
- Update for functional issues. Refer to [Intel? Xeon? E-2100 and E-2200 Processor Family Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-e-2100-specification-update.html) for details.
### New Platforms
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| CPX-SP | A1 | 06-55-0b/bf | | 0700001e | Xeon Scalable Gen3
| LKF | B2/B3 | 06-8a-01/10 | | 00000028 | Core w/Hybrid Technology
| TGL | B1 | 06-8c-01/80 | | 00000068 | Core Gen11 Mobile
| CML-H | R1 | 06-a5-02/20 | | 000000e0 | Core Gen10 Mobile
| CML-S62 | G1 | 06-a5-03/22 | | 000000e0 | Core Gen10
| CML-S102 | Q0 | 06-a5-05/22 | | 000000e0 | Core Gen10
| CML-U62 V2 | K0 | 06-a6-01/80 | | 000000e0 | Core Gen10 Mobile
### Updated Platforms
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| SKL-U23e | K1 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| SKX-SP | B1 | 06-55-03/97 | 01000157 | 01000159 | Xeon Scalable
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable
| SKX-D | M1 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon D-21xx
| CLX-SP | B0 | 06-55-06/bf | 04002f01 | 04003003 | Xeon Scalable Gen2
| CLX-SP | B1 | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2
| APL | D0 | 06-5c-09/03 | 00000038 | 00000040 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
| APL | E0 | 06-5c-0a/03 | 00000016 | 0000001e | Atom x5-E39xx
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000d6 | 000000e2 | Core Gen6; Xeon E3 v5
| GKL-R | R0 | 06-7a-08/01 | 00000016 | 00000018 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| ICL-U/Y | D1 | 06-7e-05/80 | 00000078 | 000000a0 | Core Gen10 Mobile
| AML-Y22 | H0 | 06-8e-09/10 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000d6 | 000000e0 | Core Gen8 Mobile
| WHL-U | W0 | 06-8e-0b/d0 | 000000d6 | 000000de | Core Gen8 Mobile
| AML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| CML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| WHL-U | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000d6 | 000000de | Core Gen7; Xeon E3 v6
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000d6 | 000000de | Core Gen8 Desktop, Mobile, Xeon E
| CFL-S | B0 | 06-9e-0b/02 | 000000d6 | 000000de | Core Gen8
| CFL-H/S | P0 | 06-9e-0c/22 | 000000d6 | 000000de | Core Gen9
| CFL-H | R0 | 06-9e-0d/22 | 000000d6 | 000000de | Core Gen9 Mobile
| CML-U62 | A0 | 06-a6-00/80 | 000000ca | 000000e0 | Core Gen10 Mobile
ModerateSUSE bug 1170446SUSE bug 1173592SUSE bug 1173594SUSE bug 1178971CVE-2020-8695 at SUSECVE-2020-8695 at NVDCVE-2020-8696 at SUSECVE-2020-8696 at NVDCVE-2020-8698 at SUSECVE-2020-8698 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for bluez (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for bluez fixes the following issues:
- CVE-2020-0556: Fixed improper access control which may lead to escalation of privilege and denial of service by an unauthenticated user (bsc#1166751).
ImportantSUSE bug 1166751CVE-2020-0556 at SUSECVE-2020-0556 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.5.0 ESR (bsc#1178824)
* CVE-2020-26951: Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code
* CVE-2020-16012: Variable time processing of cross-origin images during drawImage calls
* CVE-2020-26953: Fullscreen could be enabled without displaying the security UI
* CVE-2020-26956: XSS through paste (manual and clipboard API)
* CVE-2020-26958: Requests intercepted through ServiceWorkers lacked MIME type restrictions
* CVE-2020-26959: Use-after-free in WebRequestService
* CVE-2020-26960: Potential use-after-free in uses of nsTArray
* CVE-2020-15999: Heap buffer overflow in freetype
* CVE-2020-26961: DoH did not filter IPv4 mapped IP Addresses
* CVE-2020-26965: Software keyboards may have remembered typed passwords
* CVE-2020-26966: Single-word search queries were also broadcast to local network
* CVE-2020-26968: Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5
ImportantSUSE bug 1178824CVE-2020-15999 at SUSECVE-2020-15999 at NVDCVE-2020-16012 at SUSECVE-2020-16012 at NVDCVE-2020-26951 at SUSECVE-2020-26951 at NVDCVE-2020-26953 at SUSECVE-2020-26953 at NVDCVE-2020-26956 at SUSECVE-2020-26956 at NVDCVE-2020-26958 at SUSECVE-2020-26958 at NVDCVE-2020-26959 at SUSECVE-2020-26959 at NVDCVE-2020-26960 at SUSECVE-2020-26960 at NVDCVE-2020-26961 at SUSECVE-2020-26961 at NVDCVE-2020-26965 at SUSECVE-2020-26965 at NVDCVE-2020-26966 at SUSECVE-2020-26966 at NVDCVE-2020-26968 at SUSECVE-2020-26968 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for LibVNCServer (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for LibVNCServer fixes the following issues:
- CVE-2020-25708 [bsc#1178682], libvncserver/rfbserver.c has a divide by zero which could result in DoS
ImportantSUSE bug 1178682CVE-2020-25708 at SUSECVE-2020-25708 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for xorg-x11-server fixes the following issues:
- CVE-2020-25712: Fixed a heap-based buffer overflow which could have led to privilege escalation (bsc#1177596).
- CVE-2020-14360: Fixed an out of bounds memory accesses on too short request which could lead to denial of service (bsc#1174908).
ImportantSUSE bug 1174908SUSE bug 1177596CVE-2020-14360 at SUSECVE-2020-14360 at NVDCVE-2020-25712 at SUSECVE-2020-25712 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for python-setuptools (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for python-setuptools fixes the following issues:
- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)
ImportantSUSE bug 1176262CVE-2019-20916 at SUSECVE-2019-20916 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for python3 fixes the following issues:
- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)
ImportantSUSE bug 1176262CVE-2019-20916 at SUSECVE-2019-20916 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for gdm (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for gdm fixes the following issues:
- CVE-2020-16125: Fixed a privilege escalation (bsc#1178150).
ImportantSUSE bug 1178150CVE-2020-16125 at SUSECVE-2020-16125 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for python-cryptography (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for python-cryptography fixes the following issues:
- CVE-2020-25659: Attempted to mitigate Bleichenbacher attacks on RSA decryption (bsc#1178168).
ModerateSUSE bug 1178168CVE-2020-25659 at SUSECVE-2020-25659 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for postgresql12 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for postgresql12 fixes the following issues:
Upgrade to version 12.5:
* CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and
materialized view queries.
* CVE-2020-25694, bsc#1178667:
a) Fix usage of complex connection-string parameters in pg_dump,
pg_restore, clusterdb, reindexdb, and vacuumdb.
b) When psql's \connect command re-uses connection parameters,
ensure that all non-overridden parameters from a previous
connection string are re-used.
* CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from
modifying specially-treated variables.
* Fix recently-added timetz test case so it works when the USA
is not observing daylight savings time.
(obsoletes postgresql-timetz.patch)
* https://www.postgresql.org/about/news/2111/
* https://www.postgresql.org/docs/12/release-12-5.html
The previous postgresql12 update already addressed:
Update to 12.4:
* CVE-2020-14349, bsc#1175193: Set a secure search_path in logical replication walsenders and apply workers
* CVE-2020-14350, bsc#1175194: Make contrib modules' installation scripts more secure.
* https://www.postgresql.org/docs/12/release-12-4.html
ImportantSUSE bug 1175193SUSE bug 1175194SUSE bug 1178666SUSE bug 1178667SUSE bug 1178668CVE-2020-14349 at SUSECVE-2020-14349 at NVDCVE-2020-14350 at SUSECVE-2020-14350 at NVDCVE-2020-25694 at SUSECVE-2020-25694 at NVDCVE-2020-25695 at SUSECVE-2020-25695 at NVDCVE-2020-25696 at SUSECVE-2020-25696 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for xen fixes the following issues:
- bsc#1178963 - stack corruption from XSA-346 change (XSA-355)
- bsc#1177409 - CVE-2020-27674: x86 PV guest INVLPG-like flushes may leave stale TLB entries (XSA-286)
- bsc#1177412 - CVE-2020-27672: Race condition in Xen mapping code (XSA-345)
- bsc#1177413 - CVE-2020-27671: undue deferral of IOMMU TLB flushes (XSA-346)
- bsc#1177414 - CVE-2020-27670: unsafe AMD IOMMU page table updates (XSA-347)
- bsc#1178591 - CVE-2020-28368: Intel RAPL sidechannel attack aka PLATYPUS attack aka XSA-351
ImportantSUSE bug 1177409SUSE bug 1177412SUSE bug 1177413SUSE bug 1177414SUSE bug 1178591SUSE bug 1178963CVE-2020-27670 at SUSECVE-2020-27670 at NVDCVE-2020-27671 at SUSECVE-2020-27671 at NVDCVE-2020-27672 at SUSECVE-2020-27672 at NVDCVE-2020-27674 at SUSECVE-2020-27674 at NVDCVE-2020-28368 at SUSECVE-2020-28368 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for mutt (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for mutt fixes the following issues:
- Find and display the content of messages properly. (bsc#1179461)
- CVE-2020-28896: incomplete connection termination could send credentials over unencrypted connections. (bsc#1179035)
- Avoid that message with a million tiny parts can freeze MUA for several minutes. (bsc#1179113)
ImportantSUSE bug 1179035SUSE bug 1179113SUSE bug 1179461CVE-2020-28896 at SUSECVE-2020-28896 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_113 fixes several issues.
The following security issues were fixed:
- CVE-2020-25668: Fixed a concurrency use-after-free in con_font_op (bsc#1178622).
- CVE-2020-8694: Fixed an insufficient access control in the Linux kernel driver for some Intel(R) Processors which might have allowed an authenticated user to potentially enable information disclosure via local access (bsc#1178700).
- CVE-2020-25705: Fixed a flaw which could have allowed an off-path remote user to effectively bypass source port UDP randomization (bsc#1178783).
ImportantSUSE bug 1178622SUSE bug 1178700SUSE bug 1178783CVE-2020-25668 at SUSECVE-2020-25668 at NVDCVE-2020-25705 at SUSECVE-2020-25705 at NVDCVE-2020-8694 at SUSECVE-2020-8694 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_116 fixes several issues.
The following security issues were fixed:
- CVE-2020-25668: Fixed a concurrency use-after-free in con_font_op (bsc#1178622).
- CVE-2020-8694: Fixed an insufficient access control in the Linux kernel driver for some Intel(R) Processors which might have allowed an authenticated user to potentially enable information disclosure via local access (bsc#1178700).
- CVE-2020-25705: Fixed a flaw which could have allowed an off-path remote user to effectively bypass source port UDP randomization (bsc#1178783).
ImportantSUSE bug 1178622SUSE bug 1178700SUSE bug 1178783CVE-2020-25668 at SUSECVE-2020-25668 at NVDCVE-2020-25705 at SUSECVE-2020-25705 at NVDCVE-2020-8694 at SUSECVE-2020-8694 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_121 fixes several issues.
The following security issues were fixed:
- CVE-2020-25668: Fixed a concurrency use-after-free in con_font_op (bsc#1178622).
- CVE-2020-8694: Fixed an insufficient access control in the Linux kernel driver for some Intel(R) Processors which might have allowed an authenticated user to potentially enable information disclosure via local access (bsc#1178700).
- CVE-2020-25705: Fixed a flaw which could have allowed an off-path remote user to effectively bypass source port UDP randomization (bsc#1178783).
ImportantSUSE bug 1178622SUSE bug 1178700SUSE bug 1178783CVE-2020-25668 at SUSECVE-2020-25668 at NVDCVE-2020-25705 at SUSECVE-2020-25705 at NVDCVE-2020-8694 at SUSECVE-2020-8694 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_124 fixes several issues.
The following security issues were fixed:
- CVE-2020-25668: Fixed a concurrency use-after-free in con_font_op (bsc#1178622).
- CVE-2020-8694: Fixed an insufficient access control in the Linux kernel driver for some Intel(R) Processors which might have allowed an authenticated user to potentially enable information disclosure via local access (bsc#1178700).
- CVE-2020-25705: Fixed a flaw which could have allowed an off-path remote user to effectively bypass source port UDP randomization (bsc#1178783).
ImportantSUSE bug 1178622SUSE bug 1178700SUSE bug 1178783CVE-2020-25668 at SUSECVE-2020-25668 at NVDCVE-2020-25705 at SUSECVE-2020-25705 at NVDCVE-2020-8694 at SUSECVE-2020-8694 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_127 fixes several issues.
The following security issues were fixed:
- CVE-2020-25668: Fixed a concurrency use-after-free in con_font_op (bsc#1178622).
- CVE-2020-8694: Fixed an insufficient access control in the Linux kernel driver for some Intel(R) Processors which might have allowed an authenticated user to potentially enable information disclosure via local access (bsc#1178700).
- CVE-2020-25705: Fixed a flaw which could have allowed an off-path remote user to effectively bypass source port UDP randomization (bsc#1178783).
ImportantSUSE bug 1178622SUSE bug 1178700SUSE bug 1178783CVE-2020-25668 at SUSECVE-2020-25668 at NVDCVE-2020-25705 at SUSECVE-2020-25705 at NVDCVE-2020-8694 at SUSECVE-2020-8694 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_130 fixes several issues.
The following security issues were fixed:
- CVE-2020-25668: Fixed a concurrency use-after-free in con_font_op (bsc#1178622).
- CVE-2020-8694: Fixed an insufficient access control in the Linux kernel driver for some Intel(R) Processors which might have allowed an authenticated user to potentially enable information disclosure via local access (bsc#1178700).
- CVE-2020-25705: Fixed a flaw which could have allowed an off-path remote user to effectively bypass source port UDP randomization (bsc#1178783).
ImportantSUSE bug 1178622SUSE bug 1178700SUSE bug 1178783CVE-2020-25668 at SUSECVE-2020-25668 at NVDCVE-2020-25705 at SUSECVE-2020-25705 at NVDCVE-2020-8694 at SUSECVE-2020-8694 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_135 fixes several issues.
The following security issues were fixed:
- CVE-2020-25645: Fixed an issue which traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted (bsc#1177513).
- CVE-2020-0429: Fixed a memory corruption due to a use after free which could have led to to local privilege escalation (bsc#1176931).
- CVE-2020-11668: Fixed an issue where the Xirlink camera USB driver mishandled invalid descriptors (bsc#1173942).
- CVE-2020-1749: Use ip6_dst_lookup_flow instead of ip6_dst_lookup (bsc#1165631).
ImportantSUSE bug 1165631SUSE bug 1173942SUSE bug 1176931SUSE bug 1177513CVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2020-11668 at SUSECVE-2020-11668 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDCVE-2020-25645 at SUSECVE-2020-25645 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for dbus-1 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for dbus-1 fixes the following issues:
Security issue fixed:
- CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which
could have allowed local attackers to bypass authentication (bsc#1137832).
ImportantSUSE bug 1137832CVE-2019-12749 at SUSECVE-2019-12749 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for openssl (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for openssl fixes the following issues:
- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).
ImportantSUSE bug 1179491CVE-2020-1971 at SUSECVE-2020-1971 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for python (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for python fixes the following issues:
- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)
ImportantSUSE bug 1176262CVE-2019-20916 at SUSECVE-2019-20916 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 68.5.0 ESR
* CVE-2020-6796 (bmo#1610426)
Missing bounds check on shared memory read in the parent
process
* CVE-2020-6797 (bmo#1596668)
Extensions granted downloads.open permission could open
arbitrary applications on Mac OSX
* CVE-2020-6798 (bmo#1602944)
Incorrect parsing of template tag could result in JavaScript
injection
* CVE-2020-6799 (bmo#1606596)
Arbitrary code execution when opening pdf links from other
applications, when Firefox is configured as default pdf
reader
* CVE-2020-6800 (bmo#1595786, bmo#1596706, bmo#1598543,
bmo#1604851, bmo#1605777, bmo#1608580, bmo#1608785)
Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5
* Fixed: Fixed various issues opening files with spaces in
their path (bmo#1601905, bmo#1602726)
ImportantSUSE bug 1161799CVE-2020-6796 at SUSECVE-2020-6796 at NVDCVE-2020-6797 at SUSECVE-2020-6797 at NVDCVE-2020-6798 at SUSECVE-2020-6798 at NVDCVE-2020-6799 at SUSECVE-2020-6799 at NVDCVE-2020-6800 at SUSECVE-2020-6800 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Critical)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.6.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2020-55 (bsc#1180039)
* CVE-2020-16042 (bmo#1679003)
Operations on a BigInt could have caused uninitialized memory
to be exposed
* CVE-2020-26971 (bmo#1663466)
Heap buffer overflow in WebGL
* CVE-2020-26973 (bmo#1680084)
CSS Sanitizer performed incorrect sanitization
* CVE-2020-26974 (bmo#1681022)
Incorrect cast of StyleGenericFlexBasis resulted in a heap
use-after-free
* CVE-2020-26978 (bmo#1677047)
Internal network hosts could have been probed by a malicious
webpage
* CVE-2020-35111 (bmo#1657916)
The proxy.onRequest API did not catch view-source URLs
* CVE-2020-35112 (bmo#1661365)
Opening an extension-less download may have inadvertently
launched an executable instead
* CVE-2020-35113 (bmo#1664831, bmo#1673589)
Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6
CriticalSUSE bug 1180039CVE-2020-16042 at SUSECVE-2020-16042 at NVDCVE-2020-26971 at SUSECVE-2020-26971 at NVDCVE-2020-26973 at SUSECVE-2020-26973 at NVDCVE-2020-26974 at SUSECVE-2020-26974 at NVDCVE-2020-26978 at SUSECVE-2020-26978 at NVDCVE-2020-35111 at SUSECVE-2020-35111 at NVDCVE-2020-35112 at SUSECVE-2020-35112 at NVDCVE-2020-35113 at SUSECVE-2020-35113 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for clamav (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for clamav fixes the following issues:
clamav was updated to 0.103.0 to implement jsc#ECO-3010 and bsc#1118459.
* clamd can now reload the signature database without blocking
scanning. This multi-threaded database reload improvement was made
possible thanks to a community effort.
- Non-blocking database reloads are now the default behavior. Some
systems that are more constrained on RAM may need to disable
non-blocking reloads as it will temporarily consume two times as
much memory. We added a new clamd config option
ConcurrentDatabaseReload, which may be set to no.
* Fix clamav-milter.service (requires clamd.service to run)
* bsc#1119353, clamav-fips.patch: Fix freshclam crash in FIPS mode.
* Partial sync with SLE15.
Update to version 0.102.4
Accumulated security fixes:
* CVE-2020-3350: Fix a vulnerability wherein a malicious user could
replace a scan target's directory with a symlink to another path
to trick clamscan, clamdscan, or clamonacc into removing or moving
a different file (eg. a critical system file). The issue would
affect users that use the --move or --remove options for clamscan,
clamdscan, and clamonacc. (bsc#1174255)
* CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing
module in ClamAV 0.102.3 that could cause a Denial-of-Service
(DoS) condition. Improper bounds checking results in an
out-of-bounds read which could cause a crash. The previous fix for
this CVE in 0.102.3 was incomplete. This fix correctly resolves
the issue.
* CVE-2020-3481: Fix a vulnerability in the EGG archive module in
ClamAV 0.102.0 - 0.102.3 could cause a Denial-of-Service (DoS)
condition. Improper error handling may result in a crash due to a
NULL pointer dereference. This vulnerability is mitigated for
those using the official ClamAV signature databases because the
file type signatures in daily.cvd will not enable the EGG archive
parser in versions affected by the vulnerability. (bsc#1174250)
* CVE-2020-3341: Fix a vulnerability in the PDF parsing module in
ClamAV 0.101 - 0.102.2 that could cause a Denial-of-Service (DoS)
condition. Improper size checking of a buffer used to initialize AES
decryption routines results in an out-of-bounds read which may cause
a crash. (bsc#1171981)
* CVE-2020-3123: A denial-of-service (DoS) condition may occur when
using the optional credit card data-loss-prevention (DLP) feature.
Improper bounds checking of an unsigned variable resulted in an
out-of-bounds read, which causes a crash.
* CVE-2019-15961: A Denial-of-Service (DoS) vulnerability may
occur when scanning a specially crafted email file as a result
of excessively long scan times. The issue is resolved by
implementing several maximums in parsing MIME messages and by
optimizing use of memory allocation. (bsc#1157763).
* CVE-2019-12900: An out of bounds write in the NSIS bzip2
(bsc#1149458)
* CVE-2019-12625: Introduce a configurable time limit to mitigate
zip bomb vulnerability completely. Default is 2 minutes,
configurable useing the clamscan --max-scantime and for clamd
using the MaxScanTime config option (bsc#1144504)
Update to version 0.101.3:
* ZIP bomb causes extreme CPU spikes (bsc#1144504)
Update to version 0.101.2 (bsc#1118459):
* Support for RAR v5 archive extraction.
* Incompatible changes to the arguments of cl_scandesc,
cl_scandesc_callback, and cl_scanmap_callback.
* Scanning options have been converted from a single flag
bit-field into a structure of multiple categorized flag
bit-fields.
* The CL_SCAN_HEURISTIC_ENCRYPTED scan option was replaced by
2 new scan options: CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE, and
CL_SCAN_HEURISTIC_ENCRYPTED_DOC
* Incompatible clamd.conf and command line interface changes.
* Heuristic Alerts' (aka 'Algorithmic Detection') options have
been changed to make the names more consistent. The original
options are deprecated in 0.101, and will be removed in a
future feature release.
* For details, see https://blog.clamav.net/2018/12/clamav-01010-has-been-released.html ImportantSUSE bug 1118459SUSE bug 1119353SUSE bug 1144504SUSE bug 1149458SUSE bug 1157763SUSE bug 1171981SUSE bug 1174250SUSE bug 1174255CVE-2019-12900 at SUSECVE-2019-12900 at NVDCVE-2019-15961 at SUSECVE-2019-15961 at NVDCVE-2020-3123 at SUSECVE-2020-3123 at NVDCVE-2020-3327 at SUSECVE-2020-3327 at NVDCVE-2020-3341 at SUSECVE-2020-3341 at NVDCVE-2020-3350 at SUSECVE-2020-3350 at NVDCVE-2020-3481 at SUSECVE-2020-3481 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for cyrus-sasl (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for cyrus-sasl fixes the following issues:
- CVE-2019-19906: Fixed an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet (bsc#1159635).
ImportantSUSE bug 1159635CVE-2019-19906 at SUSECVE-2019-19906 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for gcc9 (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for gcc9 fixes the following issues:
The GNU Compiler Collection is shipped in version 9.
A detailed changelog on what changed in GCC 9 is available at https://gcc.gnu.org/gcc-9/changes.html
The compilers have been added to the SUSE Linux Enterprise Toolchain Module.
To use these compilers, install e.g. gcc9, gcc9-c++ and build with CC=gcc-9
CXX=g++-9 set.
For SUSE Linux Enterprise base products, the libstdc++6, libgcc_s1 and
other compiler libraries have been switched from their gcc8 variants to
their gcc9 variants.
Security issues fixed:
- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)
Non-security issues fixed:
- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)
ModerateSUSE bug 1114592SUSE bug 1135254SUSE bug 1141897SUSE bug 1142649SUSE bug 1142654SUSE bug 1148517SUSE bug 1149145CVE-2019-14250 at SUSECVE-2019-14250 at NVDCVE-2019-15847 at SUSECVE-2019-15847 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for xen (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for xen fixes the following issues:
- CVE-2020-29480: Fixed an issue which could have allowed leak of non-sensitive data to administrator guests (bsc#117949 XSA-115).
- CVE-2020-29481: Fixed an issue which could have allowd to new domains to inherit existing node permissions (bsc#1179498 XSA-322).
- CVE-2020-29483: Fixed an issue where guests could disturb domain cleanup (bsc#1179502 XSA-325).
- CVE-2020-29484: Fixed an issue where guests could crash xenstored via watchs (bsc#1179501 XSA-324).
- CVE-2020-29566: Fixed an undue recursion in x86 HVM context switch code (bsc#1179506 XSA-348).
- CVE-2020-29570: Fixed an issue where FIFO event channels control block related ordering (bsc#1179514 XSA-358).
- CVE-2020-29571: Fixed an issue where FIFO event channels control structure ordering (bsc#1179516 XSA-359).
- CVE-2020-29130: Fixed an out-of-bounds access while processing ARP packets (bsc#1179477).
- Fixed an issue where dump-core shows missing nr_pages during core (bsc#1176782).
- Multiple other bugs (bsc#1027519)
ModerateSUSE bug 1027519SUSE bug 1176782SUSE bug 1179477SUSE bug 1179496SUSE bug 1179498SUSE bug 1179501SUSE bug 1179502SUSE bug 1179506SUSE bug 1179514SUSE bug 1179516CVE-2020-29130 at SUSECVE-2020-29130 at NVDCVE-2020-29480 at SUSECVE-2020-29480 at NVDCVE-2020-29481 at SUSECVE-2020-29481 at NVDCVE-2020-29483 at SUSECVE-2020-29483 at NVDCVE-2020-29484 at SUSECVE-2020-29484 at NVDCVE-2020-29566 at SUSECVE-2020-29566 at NVDCVE-2020-29570 at SUSECVE-2020-29570 at NVDCVE-2020-29571 at SUSECVE-2020-29571 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for sudo (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for sudo fixes the following issues:
Security issue fixed:
- CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202).
Non-security issue fixed:
- Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675).
ImportantSUSE bug 1162202SUSE bug 1162675CVE-2019-18634 at SUSECVE-2019-18634 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_7_1-ibm fixes the following issues:
Java was updated to 7.1 Service Refresh 4 Fix Pack 60 [bsc#1162972, bsc#1160968].
Security issues fixed:
- CVE-2020-2583: Fixed a serialization vulnerability in BeanContextSupport (bsc#1162972).
- CVE-2020-2593: Fixed an incorrect check in isBuiltinStreamHandler, causing URL normalization issues (bsc#1162972).
- CVE-2020-2604: Fixed a serialization issue in jdk.serialFilter (bsc#1162972).
- CVE-2020-2659: Fixed the incomplete enforcement of the maxDatagramSockets limit in DatagramChannelImpl (bsc#1162972).
Non-security issues fixed:
* Class Libraries:
IJ22333 HANG IN JAVA_JAVA_NET_SOCKETINPUTSTREAM_SOCKETREAD0 EVEN
WHEN TIMEOUT IS SET
IJ22350 JAVA 7 AND JAVA 8 NOT WORKING WELL WITH TRADITIONAL/SIMPLIFIED
CHINESE EDITION OF WINDOWS CLIENT SYSTEM
IJ22337 THE NAME OF THE REPUBLIC OF BELARUS IN THE RUSSIAN LOCALE
INCONSISTENT WITH CLDR
IJ22349 UPDATE TIMEZONE INFORMATION TO TZDATA2019C
* JIT Compiler:
IJ11368 JAVA JIT PPC: CRASH IN JIT COMPILED CODE ON PPC MACHINES
ImportantSUSE bug 1160968SUSE bug 1162972CVE-2020-2583 at SUSECVE-2020-2583 at NVDCVE-2020-2593 at SUSECVE-2020-2593 at NVDCVE-2020-2604 at SUSECVE-2020-2604 at NVDCVE-2020-2659 at SUSECVE-2020-2659 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libexif (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libexif fixes the following issues:
- CVE-2019-9278: Fixed an integer overflow (bsc#1160770).
- CVE-2018-20030: Fixed a denial of service by endless recursion (bsc#1120943).
ModerateSUSE bug 1120943SUSE bug 1160770CVE-2018-20030 at SUSECVE-2018-20030 at NVDCVE-2019-9278 at SUSECVE-2019-9278 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for openssl fixes the following issues:
Security issue fixed:
- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).
Non-security issue fixed:
- Fixed a crash in BN_copy (bsc#1160163).
ModerateSUSE bug 1117951SUSE bug 1158809SUSE bug 1160163CVE-2019-1551 at SUSECVE-2019-1551 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for ppp (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for ppp fixes the following security issue:
- CVE-2020-8597: Fixed a buffer overflow in the eap_request and eap_response functions (bsc#1162610).
ImportantSUSE bug 1162610CVE-2020-8597 at SUSECVE-2020-8597 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for python3 (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for python3 fixes the following issues:
Update to 3.4.10 (jsc#SLE-9427, bsc#1159208) from 3.4.6:
Security issues fixed:
- Update expat copy from 2.1.1 to 2.2.0 to fix the following issues:
CVE-2012-0876, CVE-2016-0718, CVE-2016-4472, CVE-2017-9233, CVE-2016-9063
- CVE-2017-1000158: Fix an integer overflow in thePyString_DecodeEscape function in stringobject.c, resulting in heap-based bufferoverflow (bsc#1068664).
ModerateSUSE bug 1068664SUSE bug 1159208SUSE bug 1159623CVE-2012-0876 at SUSECVE-2012-0876 at NVDCVE-2016-0718 at SUSECVE-2016-0718 at NVDCVE-2016-4472 at SUSECVE-2016-4472 at NVDCVE-2016-9063 at SUSECVE-2016-9063 at NVDCVE-2017-1000158 at SUSECVE-2017-1000158 at NVDCVE-2017-9233 at SUSECVE-2017-9233 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for mariadb (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for mariadb fixes the following issues:
Security issue fixed:
- CVE-2019-2974: Fixed Server Optimizer (bsc#1154162).
ModerateSUSE bug 1154162CVE-2019-2974 at SUSECVE-2019-2974 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_7_1-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_7_1-ibm fixes the following issues:
- Update to 7.1 Service Refresh 4 Fix Pack 55 [bsc#1158442, bsc#1154212]
* Security fixes:
CVE-2019-2933 CVE-2019-2945 CVE-2019-2962 CVE-2019-2964
CVE-2019-2978 CVE-2019-2983 CVE-2019-2989 CVE-2019-2992
CVE-2019-2999 CVE-2019-2973 CVE-2019-2981
ModerateSUSE bug 1154212SUSE bug 1158442CVE-2019-2933 at SUSECVE-2019-2933 at NVDCVE-2019-2945 at SUSECVE-2019-2945 at NVDCVE-2019-2962 at SUSECVE-2019-2962 at NVDCVE-2019-2964 at SUSECVE-2019-2964 at NVDCVE-2019-2973 at SUSECVE-2019-2973 at NVDCVE-2019-2978 at SUSECVE-2019-2978 at NVDCVE-2019-2981 at SUSECVE-2019-2981 at NVDCVE-2019-2983 at SUSECVE-2019-2983 at NVDCVE-2019-2989 at SUSECVE-2019-2989 at NVDCVE-2019-2992 at SUSECVE-2019-2992 at NVDCVE-2019-2999 at SUSECVE-2019-2999 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_8_0-ibm fixes the following issues:
Java 8.0 was updated to Service Refresh 6 Fix Pack 5 (bsc#1162972, bsc#1160968)
- CVE-2020-2583: Unlink Set of LinkedHashSets
- CVE-2019-4732: Untrusted DLL search path vulnerability
- CVE-2020-2593: Normalize normalization for all
- CVE-2020-2604: Better serial filter handling
- CVE-2020-2659: Enhance datagram socket support
ImportantSUSE bug 1160968SUSE bug 1162972CVE-2019-4732 at SUSECVE-2019-4732 at NVDCVE-2020-2583 at SUSECVE-2020-2583 at NVDCVE-2020-2593 at SUSECVE-2020-2593 at NVDCVE-2020-2604 at SUSECVE-2020-2604 at NVDCVE-2020-2659 at SUSECVE-2020-2659 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for log4j (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for log4j fixes the following issues:
- CVE-2019-17571: Fixed a remote code execution by deserialization of untrusted data in SocketServer (bsc#1159646).
ImportantSUSE bug 1159646CVE-2019-17571 at SUSECVE-2019-17571 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for permissions (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for permissions fixes the following issues:
Security issues fixed:
- CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922).
Non-security issues fixed:
- Fixed a regression where chkstat broke when /proc was not available (bsc#1160764, bsc#1160594).
- Fixed capability handling when doing multiple permission changes at once (bsc#1161779).
ModerateSUSE bug 1123886SUSE bug 1160594SUSE bug 1160764SUSE bug 1161779SUSE bug 1163922CVE-2020-8013 at SUSECVE-2020-8013 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer, python-jsonpatch, python-jsonpointer, python-scandir, python-PyYAML fixes the following issues:
python-cfn-lint was included as a new package in 0.21.4.
python-aws-sam-translator was updated to 1.11.0:
* Add ReservedConcurrentExecutions to globals
* Fix ElasticsearchHttpPostPolicy resource reference
* Support using AWS::Region in Ref and Sub
* Documentation and examples updates
* Add VersionDescription property to Serverless::Function
* Update ServerlessRepoReadWriteAccessPolicy
* Add additional template validation
Upgrade to 1.10.0:
* Add GSIs to DynamoDBReadPolicy and DynamoDBCrudPolicy
* Add DynamoDBReconfigurePolicy
* Add CostExplorerReadOnlyPolicy and OrganizationsListAccountsPolicy
* Add EKSDescribePolicy
* Add SESBulkTemplatedCrudPolicy
* Add FilterLogEventsPolicy
* Add SSMParameterReadPolicy
* Add SESEmailTemplateCrudPolicy
* Add s3:PutObjectAcl to S3CrudPolicy
* Add allow_credentials CORS option
* Add support for AccessLogSetting and CanarySetting Serverless::Api properties
* Add support for X-Ray in Serverless::Api
* Add support for MinimumCompressionSize in Serverless::Api
* Add Auth to Serverless::Api globals
* Remove trailing slashes from APIGW permissions
* Add SNS FilterPolicy and an example application
* Add Enabled property to Serverless::Function event sources
* Add support for PermissionsBoundary in Serverless::Function
* Fix boto3 client initialization
* Add PublicAccessBlockConfiguration property to S3 bucket resource
* Make PAY_PER_REQUEST default mode for Serverless::SimpleTable
* Add limited support for resolving intrinsics in Serverless::LayerVersion
* SAM now uses Flake8
* Add example application for S3 Events written in Go
* Updated several example applications
- Initial build
+ Version 1.9.0
- Add patch to drop compatible releases operator from setup.py,
required for SLES12 as the setuptools version is too old
+ ast_drop-compatible-releases-operator.patch
python-jsonschema was updated to 2.6.0:
* Improved performance on CPython by adding caching around ref resolution
Update to version 2.5.0:
* Improved performance on CPython by adding caching around ref
resolution (#203)
Update to version 2.4.0:
* Added a CLI (#134)
* Added absolute path and absolute schema path to errors (#120)
* Added ``relevance``
* Meta-schemas are now loaded via ``pkgutil``
* Added ``by_relevance`` and ``best_match`` (#91)
* Fixed ``format`` to allow adding formats for non-strings (#125)
* Fixed the ``uri`` format to reject URI references (#131)
- Install /usr/bin/jsonschema with update-alternatives support
python-nose2 was updated to 0.9.1:
* the prof plugin now uses cProfile instead of hotshot for profiling
* skipped tests now include the user's reason in junit XML's message field
* the prettyassert plugin mishandled multi-line function definitions
* Using a plugin's CLI flag when the plugin is already enabled via config
no longer errors
* nose2.plugins.prettyassert, enabled with --pretty-assert
* Cleanup code for EOLed python versions
* Dropped support for distutils.
* Result reporter respects failure status set by other plugins
* JUnit XML plugin now includes the skip reason in its output
Upgrade to 0.8.0:
List of changes is too long to show here, see
https://github.com/nose-devs/nose2/blob/master/docs/changelog.rst
changes between 0.6.5 and 0.8.0
Update to 0.7.0:
* Added parameterized_class feature, for parameterizing entire test
classes (many thanks to @TobyLL for their suggestions and help testing!)
* Fix DeprecationWarning on `inspect.getargs` (thanks @brettdh;
https://github.com/wolever/parameterized/issues/67)
* Make sure that `setUp` and `tearDown` methods work correctly (#40)
* Raise a ValueError when input is empty (thanks @danielbradburn;
https://github.com/wolever/parameterized/pull/48)
* Fix the order when number of cases exceeds 10 (thanks @ntflc;
https://github.com/wolever/parameterized/pull/49)
python-scandir was included in version 2.3.2.
python-requests was updated to version 2.20.1 (bsc#1111622)
* Fixed bug with unintended Authorization header stripping for
redirects using default ports (http/80, https/443).
* remove restriction for urllib3 < 1.24
Update to version 2.20.0:
* Bugfixes
+ Content-Type header parsing is now case-insensitive
(e.g. charset=utf8 v Charset=utf8).
+ Fixed exception leak where certain redirect urls would raise
uncaught urllib3 exceptions.
+ Requests removes Authorization header from requests redirected
from https to http on the same hostname. (CVE-2018-18074)
+ should_bypass_proxies now handles URIs without hostnames
(e.g. files).
* Dependencies
+ Requests now supports urllib3 v1.24.
* Deprecations
+ Requests has officially stopped support for Python 2.6.
Update to version 2.19.1:
* Fixed issue where status_codes.py’s init function failed trying
to append to a __doc__ value of None.
Update to version 2.19.0:
* Improvements
+ Warn about possible slowdown with cryptography version < 1.3.4
+ Check host in proxy URL, before forwarding request to adapter.
+ Maintain fragments properly across redirects. (RFC7231 7.1.2)
+ Removed use of cgi module to expedite library load time.
+ Added support for SHA-256 and SHA-512 digest auth algorithms.
+ Minor performance improvement to Request.content.
+ Migrate to using collections.abc for 3.7 compatibility.
* Bugfixes
+ Parsing empty Link headers with parse_header_links() no longer
return one bogus entry.
+ Fixed issue where loading the default certificate bundle from
a zip archive would raise an IOError.
+ Fixed issue with unexpected ImportError on windows system
which do not support winreg module.
+ DNS resolution in proxy bypass no longer includes the username
and password in the request. This also fixes the issue of DNS
queries failing on macOS.
+ Properly normalize adapter prefixes for url comparison.
+ Passing None as a file pointer to the files param no longer
raises an exception.
+ Calling copy on a RequestsCookieJar will now preserve the
cookie policy correctly.
* We now support idna v2.7 and urllib3 v1.23.
update to version 2.18.4:
* Improvements
+ Error messages for invalid headers now include the header name
for easier debugging
* Dependencies
+ We now support idna v2.6.
update to version 2.18.3:
* Improvements
+ Running $ python -m requests.help now includes the installed
version of idna.
* Bugfixes
+ Fixed issue where Requests would raise ConnectionError instead
of SSLError when encountering SSL problems when using urllib3
v1.22.
ModerateSUSE bug 1111622SUSE bug 1122668CVE-2018-18074 at SUSECVE-2018-18074 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libpng16 (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libpng16 fixes the following issues:
Security issues fixed:
- CVE-2019-7317: Fixed a use-after-free vulnerability, triggered when
png_image_free() was called under png_safe_execute (bsc#1124211).
- CVE-2017-12652: Fixed an Input Validation Error related to the length of chunks (bsc#1141493).
ModerateSUSE bug 1124211SUSE bug 1141493CVE-2017-12652 at SUSECVE-2017-12652 at NVDCVE-2019-7317 at SUSECVE-2019-7317 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for postgresql96 (Low)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for postgresql96 fixes the following issues:
PostgreSQL was updated to version 9.6.17.
Security issue fixed:
- CVE-2020-1720: Fixed a missing authorization check in the ALTER ... DEPENDS ON extension (bsc#1163985).
LowSUSE bug 1163985CVE-2020-1720 at SUSECVE-2020-1720 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_7_0-openjdk fixes the following issues:
Update java-1_7_0-openjdk to version jdk7u251 (January 2020 CPU, bsc#1160968):
- CVE-2020-2583: Unlink Set of LinkedHashSets
- CVE-2020-2590: Improve Kerberos interop capabilities
- CVE-2020-2593: Normalize normalization for all
- CVE-2020-2601: Better Ticket Granting Services
- CVE-2020-2604: Better serial filter handling
- CVE-2020-2659: Enhance datagram socket support
- CVE-2020-2654: Improve Object Identifier Processing
ImportantSUSE bug 1160968CVE-2020-2583 at SUSECVE-2020-2583 at NVDCVE-2020-2590 at SUSECVE-2020-2590 at NVDCVE-2020-2593 at SUSECVE-2020-2593 at NVDCVE-2020-2601 at SUSECVE-2020-2601 at NVDCVE-2020-2604 at SUSECVE-2020-2604 at NVDCVE-2020-2654 at SUSECVE-2020-2654 at NVDCVE-2020-2659 at SUSECVE-2020-2659 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for ipmitool (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for ipmitool fixes the following issues:
- CVE-2020-5208: Fixed multiple remote code executtion vulnerabilities (bsc#1163026).
- picmg discover messages are now DEBUG and not INFO messages (bsc#1085469).
ImportantSUSE bug 1085469SUSE bug 1163026CVE-2020-5208 at SUSECVE-2020-5208 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for squid (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for squid fixes the following issues:
- CVE-2019-12528: Fixed an information disclosure flaw in the FTP gateway (bsc#1162689).
- CVE-2019-12526: Fixed potential remote code execution during URN processing (bsc#1156326).
- CVE-2019-12523,CVE-2019-18676: Fixed multiple improper validations in URI processing (bsc#1156329).
- CVE-2019-18677: Fixed Cross-Site Request Forgery in HTTP Request processing (bsc#1156328).
- CVE-2019-18678: Fixed incorrect message parsing which could have led to HTTP request splitting issue (bsc#1156323).
- CVE-2019-18679: Fixed information disclosure when processing HTTP Digest Authentication (bsc#1156324).
- CVE-2020-8449: Fixed a buffer overflow when squid is acting as reverse-proxy (bsc#1162687).
- CVE-2020-8450: Fixed a buffer overflow when squid is acting as reverse-proxy (bsc#1162687).
- CVE-2020-8517: Fixed a buffer overflow in ext_lm_group_acl when processing NTLM Authentication credentials (bsc#1162691).
ImportantSUSE bug 1156323SUSE bug 1156324SUSE bug 1156326SUSE bug 1156328SUSE bug 1156329SUSE bug 1162687SUSE bug 1162689SUSE bug 1162691CVE-2019-12523 at SUSECVE-2019-12523 at NVDCVE-2019-12526 at SUSECVE-2019-12526 at NVDCVE-2019-12528 at SUSECVE-2019-12528 at NVDCVE-2019-18676 at SUSECVE-2019-18676 at NVDCVE-2019-18677 at SUSECVE-2019-18677 at NVDCVE-2019-18678 at SUSECVE-2019-18678 at NVDCVE-2019-18679 at SUSECVE-2019-18679 at NVDCVE-2020-8449 at SUSECVE-2020-8449 at NVDCVE-2020-8450 at SUSECVE-2020-8450 at NVDCVE-2020-8517 at SUSECVE-2020-8517 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 68.4.1 ESR
* Fixed: Security fix
MFSA 2020-03 (bsc#1160498)
* CVE-2019-17026 (bmo#1607443)
IonMonkey type confusion with StoreElementHole and
FallibleStoreElement
- Firefox Extended Support Release 68.4.0 ESR
* Fixed: Various security fixes
MFSA 2020-02 (bsc#1160305)
* CVE-2019-17015 (bmo#1599005)
Memory corruption in parent process during new content
process initialization on Windows
* CVE-2019-17016 (bmo#1599181)
Bypass of @namespace CSS sanitization during pasting
* CVE-2019-17017 (bmo#1603055)
Type Confusion in XPCVariant.cpp
* CVE-2019-17021 (bmo#1599008)
Heap address disclosure in parent process during content
process initialization on Windows
* CVE-2019-17022 (bmo#1602843)
CSS sanitization does not escape HTML tags
* CVE-2019-17024 (bmo#1507180, bmo#1595470, bmo#1598605,
bmo#1601826)
Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4
ImportantSUSE bug 1160305SUSE bug 1160498CVE-2019-17015 at SUSECVE-2019-17015 at NVDCVE-2019-17016 at SUSECVE-2019-17016 at NVDCVE-2019-17017 at SUSECVE-2019-17017 at NVDCVE-2019-17021 at SUSECVE-2019-17021 at NVDCVE-2019-17022 at SUSECVE-2019-17022 at NVDCVE-2019-17024 at SUSECVE-2019-17024 at NVDCVE-2019-17026 at SUSECVE-2019-17026 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for postgresql10 (Low)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for postgresql10 fixes the following issues:
PostgreSQL was updated to version 10.12.
Security issue fixed:
- CVE-2020-1720: Fixed a missing authorization check in the ALTER ... DEPENDS ON extension (bsc#1163985).
LowSUSE bug 1163985CVE-2020-1720 at SUSECVE-2020-1720 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
MozillaFirefox was updated to 68.6.0 ESR (MFSA 2020-09 bsc#1132665 bsc#1166238)
- CVE-2020-6805: Fixed a use-after-free when removing data about origins
- CVE-2020-6806: Fixed improper protections against state confusion
- CVE-2020-6807: Fixed a use-after-free in cubeb during stream destruction
- CVE-2020-6811: Fixed an issue where copy as cURL' feature did not fully
escape website-controlled data potentially leading to command injection
- CVE-2019-20503: Fixed out of bounds reads in sctp_load_addresses_from_init
- CVE-2020-6812: Fixed an issue where the names of AirPods with personally
identifiable information were exposed to websites with camera or microphone
permission
- CVE-2020-6814: Fixed multiple memory safety bugs
- Fixed an issue with minimizing a window (bsc#1132665).
ImportantSUSE bug 1132665SUSE bug 1166238CVE-2019-20503 at SUSECVE-2019-20503 at NVDCVE-2020-6805 at SUSECVE-2020-6805 at NVDCVE-2020-6806 at SUSECVE-2020-6806 at NVDCVE-2020-6807 at SUSECVE-2020-6807 at NVDCVE-2020-6811 at SUSECVE-2020-6811 at NVDCVE-2020-6812 at SUSECVE-2020-6812 at NVDCVE-2020-6814 at SUSECVE-2020-6814 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for tomcat (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for tomcat fixes the following issues:
- CVE-2020-1938: Fixed a file contents disclosure vulnerability (bsc#1164692).
ImportantSUSE bug 1164692CVE-2020-1938 at SUSECVE-2020-1938 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libzypp (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libzypp fixes the following issues:
Security issue fixed:
- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).
ModerateSUSE bug 1158763CVE-2019-18900 at SUSECVE-2019-18900 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for python-cffi, python-cryptography (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for python-cffi, python-cryptography fixes the following issues:
Security issue fixed:
- CVE-2018-10903: Fixed GCM tag forgery via truncated tag in finalize_with_tag API (bsc#1101820).
Non-security issues fixed:
python-cffi was updated to 1.11.2 (bsc#1138748, jsc#ECO-1256, jsc#PM-1598):
- fixed a build failure on i586 (bsc#1111657)
- Salt was unable to highstate in snapshot 20171129 (bsc#1070737)
- Update pytest in spec to add c directory tests in addition to
testing directory.
- update to version 1.11.2:
* Fix Windows issue with managing the thread-state on CPython 3.0 to
3.5
- Update pytest in spec to add c directory tests in addition to
testing directory.
- Omit test_init_once_multithread tests as they rely on multiple
threads finishing in a given time. Returns sporadic pass/fail
within build.
- Update to 1.11.1:
* Fix tests, remove deprecated C API usage
* Fix (hack) for 3.6.0/3.6.1/3.6.2 giving incompatible binary
extensions (cpython issue #29943)
* Fix for 3.7.0a1+
- Update to 1.11.0:
* Support the modern standard types char16_t and char32_t. These
work like wchar_t: they represent one unicode character, or when
used as charN_t * or charN_t[] they represent a unicode string.
The difference with wchar_t is that they have a known, fixed
size. They should work at all places that used to work with
wchar_t (please report an issue if I missed something). Note
that with set_source(), you need to make sure that these types
are actually defined by the C source you provide (if used in
cdef()).
* Support the C99 types float _Complex and double _Complex. Note
that libffi doesn't support them, which means that in the ABI
mode you still cannot call C functions that take complex
numbers directly as arguments or return type.
* Fixed a rare race condition when creating multiple FFI instances
from multiple threads. (Note that you aren't meant to create
many FFI instances: in inline mode, you should write
ffi = cffi.FFI() at module level just after import cffi; and in
out-of-line mode you don't instantiate FFI explicitly at all.)
* Windows: using callbacks can be messy because the CFFI internal
error messages show up to stderr-but stderr goes nowhere in many
applications. This makes it particularly hard to get started
with the embedding mode. (Once you get started, you can at least
use @ffi.def_extern(onerror=...) and send the error logs where
it makes sense for your application, or record them in log
files, and so on.) So what is new in CFFI is that now, on
Windows CFFI will try to open a non-modal MessageBox (in addition
to sending raw messages to stderr). The MessageBox is only
visible if the process stays alive: typically, console
applications that crash close immediately, but that is also the
situation where stderr should be visible anyway.
* Progress on support for callbacks in NetBSD.
* Functions returning booleans would in some case still return 0
or 1 instead of False or True. Fixed.
* ffi.gc() now takes an optional third parameter, which gives an
estimate of the size (in bytes) of the object. So far, this is
only used by PyPy, to make the next GC occur more quickly
(issue #320). In the future, this might have an effect on
CPython too (provided the CPython issue 31105 is addressed).
* Add a note to the documentation: the ABI mode gives function
objects that are slower to call than the API mode does. For
some reason it is often thought to be faster. It is not!
- Update to 1.10.1:
* Fixed the line numbers reported in case of cdef() errors. Also,
I just noticed, but pycparser always supported the preprocessor
directive # 42 'foo.h' to mean 'from the next line, we're in
file foo.h starting from line 42';, which it puts in the error
messages.
- update to 1.10.0:
* Issue #295: use calloc() directly instead of PyObject_Malloc()+memset()
to handle ffi.new() with a default allocator. Speeds up ffi.new(large-array)
where most of the time you never touch most of the array.
* Some OS/X build fixes ('only with Xcode but without CLT';).
* Improve a couple of error messages: when getting mismatched versions of
cffi and its backend; and when calling functions which cannot be called with
libffi because an argument is a struct that is 'too complicated'; (and not
a struct pointer, which always works).
* Add support for some unusual compilers (non-msvc, non-gcc, non-icc, non-clang)
* Implemented the remaining cases for ffi.from_buffer. Now all
buffer/memoryview objects can be passed. The one remaining check is against
passing unicode strings in Python 2. (They support the buffer interface, but
that gives the raw bytes behind the UTF16/UCS4 storage, which is most of the
times not what you expect. In Python 3 this has been fixed and the unicode
strings don't support the memoryview interface any more.)
* The C type _Bool or bool now converts to a Python boolean when reading,
instead of the content of the byte as an integer. The potential
incompatibility here is what occurs if the byte contains a value different
from 0 and 1. Previously, it would just return it; with this change, CFFI
raises an exception in this case. But this case means 'undefined behavior';
in C; if you really have to interface with a library relying on this,
don't use bool in the CFFI side. Also, it is still valid to use a byte
string as initializer for a bool[], but now it must only contain \x00 or
\x01. As an aside, ffi.string() no longer works on bool[] (but it never made
much sense, as this function stops at the first zero).
* ffi.buffer is now the name of cffi's buffer type, and ffi.buffer() works
like before but is the constructor of that type.
* ffi.addressof(lib, 'name') now works also in in-line mode, not only in
out-of-line mode. This is useful for taking the address of global variables.
* Issue #255: cdata objects of a primitive type (integers, floats, char) are
now compared and ordered by value. For example, <cdata 'int' 42> compares
equal to 42 and <cdata 'char' b'A'> compares equal to b'A'. Unlike C,
<cdata 'int' -1> does not compare equal to ffi.cast('unsigned int', -1): it
compares smaller, because -1 < 4294967295.
* PyPy: ffi.new() and ffi.new_allocator()() did not record 'memory pressure';,
causing the GC to run too infrequently if you call ffi.new() very often
and/or with large arrays. Fixed in PyPy 5.7.
* Support in ffi.cdef() for numeric expressions with + or -. Assumes that
there is no overflow; it should be fixed first before we add more general
support for arbitrary arithmetic on constants.
- do not generate HTML documentation for packages that are indirect
dependencies of Sphinx
(see docs at https://cffi.readthedocs.org/ )
- update to 1.9.1
- Structs with variable-sized arrays as their last field: now we track the
length of the array after ffi.new() is called, just like we always tracked
the length of ffi.new('int[]', 42). This lets us detect out-of-range
accesses to array items. This also lets us display a better repr(), and
have the total size returned by ffi.sizeof() and ffi.buffer(). Previously
both functions would return a result based on the size of the declared
structure type, with an assumed empty array. (Thanks andrew for starting
this refactoring.)
- Add support in cdef()/set_source() for unspecified-length arrays in
typedefs: typedef int foo_t[...];. It was already supported for global
variables or structure fields.
- I turned in v1.8 a warning from cffi/model.py into an error: 'enum xxx' has
no values explicitly defined: refusing to guess which integer type it is
meant to be (unsigned/signed, int/long). Now I'm turning it back to a
warning again; it seems that guessing that the enum has size int is a
99%-safe bet. (But not 100%, so it stays as a warning.)
- Fix leaks in the code handling FILE * arguments. In CPython 3 there is a
remaining issue that is hard to fix: if you pass a Python file object to a
FILE * argument, then os.dup() is used and the new file descriptor is only
closed when the GC reclaims the Python file object-and not at the earlier
time when you call close(), which only closes the original file descriptor.
If this is an issue, you should avoid this automatic convertion of Python
file objects: instead, explicitly manipulate file descriptors and call
fdopen() from C (...via cffi).
- When passing a void * argument to a function with a different pointer type,
or vice-versa, the cast occurs automatically, like in C. The same occurs
for initialization with ffi.new() and a few other places. However, I
thought that char * had the same property-but I was mistaken. In C you get
the usual warning if you try to give a char * to a char ** argument, for
example. Sorry about the confusion. This has been fixed in CFFI by giving
for now a warning, too. It will turn into an error in a future version.
- Issue #283: fixed ffi.new() on structures/unions with nested anonymous
structures/unions, when there is at least one union in the mix. When
initialized with a list or a dict, it should now behave more closely like
the { } syntax does in GCC.
- CPython 3.x: experimental: the generated C extension modules now use the
'limited API';, which means that, as a compiled .so/.dll, it should work
directly on any version of CPython >= 3.2. The name produced by distutils
is still version-specific. To get the version-independent name, you can
rename it manually to NAME.abi3.so, or use the very recent setuptools 26.
- Added ffi.compile(debug=...), similar to python setup.py build --debug but
defaulting to True if we are running a debugging version of Python itself.
- Removed the restriction that ffi.from_buffer() cannot be used on byte
strings. Now you can get a char * out of a byte string, which is valid as
long as the string object is kept alive. (But don't use it to modify the
string object! If you need this, use bytearray or other official
techniques.)
- PyPy 5.4 can now pass a byte string directly to a char * argument (in older
versions, a copy would be made). This used to be a CPython-only
optimization.
- ffi.gc(p, None) removes the destructor on an object previously created by
another call to ffi.gc()
- bool(ffi.cast('primitive type', x)) now returns False if the value is zero
(including -0.0), and True otherwise. Previously this would only return
False for cdata objects of a pointer type when the pointer is NULL.
- bytearrays: ffi.from_buffer(bytearray-object) is now supported. (The reason
it was not supported was that it was hard to do in PyPy, but it works since
PyPy 5.3.) To call a C function with a char * argument from a buffer
object-now including bytearrays-you write lib.foo(ffi.from_buffer(x)).
Additionally, this is now supported: p[0:length] = bytearray-object. The
problem with this was that a iterating over bytearrays gives numbers
instead of characters. (Now it is implemented with just a memcpy, of
course, not actually iterating over the characters.)
- C++: compiling the generated C code with C++ was supposed to work, but
failed if you make use the bool type (because that is rendered as the C
_Bool type, which doesn't exist in C++).
- help(lib) and help(lib.myfunc) now give useful information, as well as
dir(p) where p is a struct or pointer-to-struct.
- update for multipython build
- disable 'negative left shift' warning in test suite to prevent
failures with gcc6, until upstream fixes the undefined code
in question (bsc#981848)
- Update to version 1.6.0:
* ffi.list_types()
* ffi.unpack()
* extern 'Python+C';
* in API mode, lib.foo.__doc__ contains the C signature now.
* Yet another attempt at robustness of ffi.def_extern() against
CPython's interpreter shutdown logic.
- Update in SLE-12 (bsc#1138748, jsc#ECO-1256, jsc#PM-1598)
- Make this version of the package compatible with OpenSSL 1.1.1d, thus fixing bsc#1149792.
- bsc#1101820 CVE-2018-10903 GCM tag forgery via truncated tag in
finalize_with_tag API
- Add proper conditional for the python2, the ifpython works only
for the requires/etc
- add missing dependency on python ssl
- update to version 2.1.4:
* Added X509_up_ref for an upcoming pyOpenSSL release.
- update to version 2.1.3:
* Updated Windows, macOS, and manylinux1 wheels to be compiled with
OpenSSL 1.1.0g.
- update to version 2.1.2:
* Corrected a bug with the manylinux1 wheels where OpenSSL's stack
was marked executable.
- fix BuildRequires conditions for python3
- update to 2.1.1
- Fix cffi version requirement.
- Disable memleak tests to fix build with OpenSSL 1.1 (bsc#1055478)
- update to 2.0.3
- update to 2.0.2
- update to 2.0
- update to 1.9
- add python-packaging to requirements explicitly instead of relying
on setuptools to pull it in
- Switch to singlespec approach
- update to 1.8.1
- Adust Requires and BuildRequires ModerateSUSE bug 1055478SUSE bug 1070737SUSE bug 1101820SUSE bug 1111657SUSE bug 1138748SUSE bug 1149792SUSE bug 981848CVE-2018-10903 at SUSECVE-2018-10903 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for spamassassin (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for spamassassin fixes the following issues:
- CVE-2018-11805: Fixed an issue with delimiter handling in rule files
related to is_regexp_valid() (bsc#1118987).
- CVE-2020-1930: Fixed an issue with rule configuration (.cf) files which
can be configured to run system commands (bsc#1162197).
- CVE-2020-1931: Fixed an issue with rule configuration (.cf) files which
can be configured to run system commands with warnings (bsc#1162200).
ImportantSUSE bug 1118987SUSE bug 1162197SUSE bug 1162200CVE-2018-11805 at SUSECVE-2018-11805 at NVDCVE-2020-1930 at SUSECVE-2020-1930 at NVDCVE-2020-1931 at SUSECVE-2020-1931 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for python3 (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for python3 fixes the following issue:
- CVE-2019-18348: Fixed a CRLF injection via the host part
of the url passed to urlopen(). Now an InvalidURL exception
is raised (bsc#1155094).
- CVE-2019-9674: Improved the documentation to reflect the
dangers of zip-bombs (bsc#1162825).
- CVE-2020-8492: Fixed a regular expression in urllib that
was prone to denial of service via HTTP (bsc#1162367).
- Fixed an issue with version missmatch (bsc#1162224).
- Rename idle icons to idle3 in order to not conflict with python2
variant of the package. (bsc#1165894)
ModerateSUSE bug 1155094SUSE bug 1162224SUSE bug 1162367SUSE bug 1162825SUSE bug 1165894CVE-2019-18348 at SUSECVE-2019-18348 at NVDCVE-2019-9674 at SUSECVE-2019-9674 at NVDCVE-2020-8492 at SUSECVE-2020-8492 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 24 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.176-94_88 fixes several issues.
The following security issues were fixed:
- CVE-2020-1749: Fixed an issue in the networking protocols in encrypted IPsec tunnel (bsc#1165631)
- CVE-2019-5108: Fixed an issue where by triggering AP to send IAPP location updates for stations before the required authentication process has completed could have led to denial-of-service (bsc#1159913).
ImportantSUSE bug 1159913SUSE bug 1165631CVE-2019-5108 at SUSECVE-2019-5108 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for mozilla-nspr, mozilla-nss (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.47.1:
Security issues fixed:
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527).
- CVE-2019-11727: Fixed vulnerability sign CertificateVerify with PKCS#1 v1.5 signatures issue (bsc#1141322).
mozilla-nspr was updated to version 4.23:
- Whitespace in C files was cleaned up and no longer uses tab characters for indenting.
ModerateSUSE bug 1141322SUSE bug 1158527SUSE bug 1159819CVE-2019-11745 at SUSECVE-2019-11745 at NVDCVE-2019-17006 at SUSECVE-2019-17006 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_113 fixes several issues.
The following security issues were fixed:
- CVE-2020-1749: Fixed an issue in the networking protocols in encrypted IPsec tunnel (bsc#1165631)
- CVE-2019-5108: Fixed an issue where by triggering AP to send IAPP location updates for stations before the required authentication process has completed could have led to denial-of-service (bsc#1159913).
ImportantSUSE bug 1159913SUSE bug 1165631CVE-2019-5108 at SUSECVE-2019-5108 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_107 fixes several issues.
The following security issues were fixed:
- CVE-2020-1749: Fixed an issue in the networking protocols in encrypted IPsec tunnel (bsc#1165631)
- CVE-2019-5108: Fixed an issue where by triggering AP to send IAPP location updates for stations before the required authentication process has completed could have led to denial-of-service (bsc#1159913).
ImportantSUSE bug 1159913SUSE bug 1165631CVE-2019-5108 at SUSECVE-2019-5108 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 28 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_103 fixes several issues.
The following security issues were fixed:
- CVE-2020-1749: Fixed an issue in the networking protocols in encrypted IPsec tunnel (bsc#1165631)
- CVE-2019-5108: Fixed an issue where by triggering AP to send IAPP location updates for stations before the required authentication process has completed could have led to denial-of-service (bsc#1159913).
ImportantSUSE bug 1159913SUSE bug 1165631CVE-2019-5108 at SUSECVE-2019-5108 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 27 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_100 fixes several issues.
The following security issues were fixed:
- CVE-2020-1749: Fixed an issue in the networking protocols in encrypted IPsec tunnel (bsc#1165631)
- CVE-2019-5108: Fixed an issue where by triggering AP to send IAPP location updates for stations before the required authentication process has completed could have led to denial-of-service (bsc#1159913).
ImportantSUSE bug 1159913SUSE bug 1165631CVE-2019-5108 at SUSECVE-2019-5108 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 26 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_97 fixes several issues.
The following security issues were fixed:
- CVE-2020-1749: Fixed an issue in the networking protocols in encrypted IPsec tunnel (bsc#1165631)
- CVE-2019-5108: Fixed an issue where by triggering AP to send IAPP location updates for stations before the required authentication process has completed could have led to denial-of-service (bsc#1159913).
ImportantSUSE bug 1159913SUSE bug 1165631CVE-2019-5108 at SUSECVE-2019-5108 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 25 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.178-94_91 fixes several issues.
The following security issues were fixed:
- CVE-2020-1749: Fixed an issue in the networking protocols in encrypted IPsec tunnel (bsc#1165631)
- CVE-2019-5108: Fixed an issue where by triggering AP to send IAPP location updates for stations before the required authentication process has completed could have led to denial-of-service (bsc#1159913).
ImportantSUSE bug 1159913SUSE bug 1165631CVE-2019-5108 at SUSECVE-2019-5108 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libxslt (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libxslt fixes the following issue:
- CVE-2019-18197: Fixed a dangling pointer in xsltCopyText which may have led to information disclosure (bsc#1154609).
ModerateSUSE bug 1154609CVE-2019-18197 at SUSECVE-2019-18197 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
- Mozilla Firefox 68.6.1esr
MFSA 2020-11 (bsc#1168630)
* CVE-2020-6819 (bmo#1620818)
Use-after-free while running the nsDocShell destructor
* CVE-2020-6820 (bmo#1626728)
Use-after-free when handling a ReadableStream
ImportantSUSE bug 1168630CVE-2020-6819 at SUSECVE-2020-6819 at NVDCVE-2020-6820 at SUSECVE-2020-6820 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox to version 68.7.0 ESR fixes the following issues:
- CVE-2020-6821: Uninitialized memory could be read when using the WebGL copyTexSubImage method (bsc#1168874).
- CVE-2020-6822: Fixed out of bounds write in GMPDecodeData when processing large images (bsc#1168874).
- CVE-2020-6825: Fixed Memory safety bugs (bsc#1168874).
- CVE-2020-6827: Custom Tabs could have the URI spoofed (bsc#1168874).
- CVE-2020-6828: Preference overwrite via crafted Intent (bsc#1168874).
ImportantSUSE bug 1168874CVE-2020-6821 at SUSECVE-2020-6821 at NVDCVE-2020-6822 at SUSECVE-2020-6822 at NVDCVE-2020-6825 at SUSECVE-2020-6825 at NVDCVE-2020-6827 at SUSECVE-2020-6827 at NVDCVE-2020-6828 at SUSECVE-2020-6828 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for git (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for git fixes the following issues:
Security issue fixed:
- CVE-2020-5260: With a crafted URL that contains a newline in it, the credential
helper machinery can be fooled to give credential information for a wrong host (bsc#1168930).
Non-security issue fixed:
git was updated to 2.26.0 for SHA256 support (bsc#1167890, jsc#SLE-11608):
- the xinetd snippet was removed
- the System V init script for the git-daemon was replaced by a systemd
service file of the same name.
git 2.26.0:
* 'git rebase' now uses a different backend that is based on the
'merge' machinery by default. The 'rebase.backend' configuration
variable reverts to old behaviour when set to 'apply'
* Improved handling of sparse checkouts
* Improvements to many commands and internal features
git 2.25.1:
* 'git commit' now honors advise.statusHints
* various updates, bug fixes and documentation updates
git 2.25.0:
* The branch description ('git branch --edit-description') has been
used to fill the body of the cover letters by the format-patch
command; this has been enhanced so that the subject can also be
filled.
* A few commands learned to take the pathspec from the standard input
or a named file, instead of taking it as the command line
arguments, with the '--pathspec-from-file' option.
* Test updates to prepare for SHA-2 transition continues.
* Redo 'git name-rev' to avoid recursive calls.
* When all files from some subdirectory were renamed to the root
directory, the directory rename heuristics would fail to detect that
as a rename/merge of the subdirectory to the root directory, which has
been corrected.
* HTTP transport had possible allocator/deallocator mismatch, which
has been corrected.
git 2.24.1:
* CVE-2019-1348: The --export-marks option of fast-import is
exposed also via the in-stream command feature export-marks=...
and it allows overwriting arbitrary paths (bsc#1158785)
* CVE-2019-1349: on Windows, when submodules are cloned
recursively, under certain circumstances Git could be fooled
into using the same Git directory twice (bsc#1158787)
* CVE-2019-1350: Incorrect quoting of command-line arguments
allowed remote code execution during a recursive clone in
conjunction with SSH URLs (bsc#1158788)
* CVE-2019-1351: on Windows mistakes drive letters outside of
the US-English alphabet as relative paths (bsc#1158789)
* CVE-2019-1352: on Windows was unaware of NTFS Alternate Data
Streams (bsc#1158790)
* CVE-2019-1353: when run in the Windows Subsystem for Linux
while accessing a working directory on a regular Windows
drive, none of the NTFS protections were active (bsc#1158791)
* CVE-2019-1354: on Windows refuses to write tracked files with
filenames that contain backslashes (bsc#1158792)
* CVE-2019-1387: Recursive clones vulnerability that is caused
by too-lax validation of submodule names, allowing very
targeted attacks via remote code execution in recursive
clones (bsc#1158793)
* CVE-2019-19604: a recursive clone followed by a submodule
update could execute code contained within the repository
without the user explicitly having asked for that (bsc#1158795)
- Fix building with asciidoctor and without DocBook4 stylesheets.
git 2.24.0
* The command line parser learned '--end-of-options' notation.
* A mechanism to affect the default setting for a (related) group of
configuration variables is introduced.
* 'git fetch' learned '--set-upstream' option to help those who first
clone from their private fork they intend to push to, add the true
upstream via 'git remote add' and then 'git fetch' from it.
* fixes and improvements to UI, workflow and features, bash completion fixes
* part of it merged upstream
* the Makefile attempted to download some documentation, banned
git 2.23.0:
* The '--base' option of 'format-patch' computed the patch-ids for
prerequisite patches in an unstable way, which has been updated
to compute in a way that is compatible with 'git patch-id
--stable'.
* The 'git log' command by default behaves as if the --mailmap
option was given.
* fixes and improvements to UI, workflow and features
git 2.22.1:
* A relative pathname given to 'git init --template=<path> <repo>'
ought to be relative to the directory 'git init' gets invoked in,
but it instead was made relative to the repository, which has been
corrected.
* 'git worktree add' used to fail when another worktree connected to
the same repository was corrupt, which has been corrected.
* 'git am -i --resolved' segfaulted after trying to see a commit as
if it were a tree, which has been corrected.
* 'git merge --squash' is designed to update the working tree and the
index without creating the commit, and this cannot be countermanded
by adding the '--commit' option; the command now refuses to work
when both options are given.
* Update to Unicode 12.1 width table.
* 'git request-pull' learned to warn when the ref we ask them to pull
from in the local repository and in the published repository are
different.
* 'git fetch' into a lazy clone forgot to fetch base objects that are
necessary to complete delta in a thin packfile, which has been
corrected.
* The URL decoding code has been updated to avoid going past the end
of the string while parsing %-<hex>-<hex> sequence.
* 'git clean' silently skipped a path when it cannot lstat() it; now
it gives a warning.
* 'git rm' to resolve a conflicted path leaked an internal message
'needs merge' before actually removing the path, which was
confusing. This has been corrected.
* Many more bugfixes and code cleanups.
- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
firewalld, see [1].
[1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html
git 2.22.0:
* The filter specification '--filter=sparse:path=<path>' used to
create a lazy/partial clone has been removed. Using a blob that is
part of the project as sparse specification is still supported with
the '--filter=sparse:oid=<blob>' option
* 'git checkout --no-overlay' can be used to trigger a new mode of
checking out paths out of the tree-ish, that allows paths that
match the pathspec that are in the current index and working tree
and are not in the tree-ish.
* Four new configuration variables {author,committer}.{name,email}
have been introduced to override user.{name,email} in more specific
cases.
* 'git branch' learned a new subcommand '--show-current'.
* The command line completion (in contrib/) has been taught to
complete more subcommand parameters.
* The completion helper code now pays attention to repository-local
configuration (when available), which allows --list-cmds to honour
a repository specific setting of completion.commands, for example.
* The list of conflicted paths shown in the editor while concluding a
conflicted merge was shown above the scissors line when the
clean-up mode is set to 'scissors', even though it was commented
out just like the list of updated paths and other information to
help the user explain the merge better.
* 'git rebase' that was reimplemented in C did not set ORIG_HEAD
correctly, which has been corrected.
* 'git worktree add' used to do a 'find an available name with stat
and then mkdir', which is race-prone. This has been fixed by using
mkdir and reacting to EEXIST in a loop.
- update git-web AppArmor profile for bash and tar usrMerge (bsc#1132350)
git 2.21.0:
* Historically, the '-m' (mainline) option can only be used for 'git
cherry-pick' and 'git revert' when working with a merge commit.
This version of Git no longer warns or errors out when working with
a single-parent commit, as long as the argument to the '-m' option
is 1 (i.e. it has only one parent, and the request is to pick or
revert relative to that first parent). Scripts that relied on the
behaviour may get broken with this change.
* Small fixes and features for fast-export and fast-import.
* The 'http.version' configuration variable can be used with recent
enough versions of cURL library to force the version of HTTP used
to talk when fetching and pushing.
* 'git push $there $src:$dst' rejects when $dst is not a fully
qualified refname and it is not clear what the end user meant.
* Update 'git multimail' from the upstream.
* A new date format '--date=human' that morphs its output depending
on how far the time is from the current time has been introduced.
'--date=auto:human' can be used to use this new format (or any
existing format) when the output is going to the pager or to the
terminal, and otherwise the default format.
- Fix worktree creation race (bsc#1114225).
git 2.20.1:
* portability fixes
* 'git help -a' did not work well when an overly long alias was
defined
* no longer squelched an error message when the run_command API
failed to run a missing command
git 2.20.0:
* 'git help -a' now gives verbose output (same as 'git help -av').
Those who want the old output may say 'git help --no-verbose -a'..
* 'git send-email' learned to grab address-looking string on any
trailer whose name ends with '-by'.
* 'git format-patch' learned new '--interdiff' and '--range-diff'
options to explain the difference between this version and the
previous attempt in the cover letter (or after the three-dashes as
a comment).
* Developer builds now use -Wunused-function compilation option.
* Fix a bug in which the same path could be registered under multiple
worktree entries if the path was missing (for instance, was removed
manually). Also, as a convenience, expand the number of cases in
which --force is applicable.
* The overly large Documentation/config.txt file have been split into
million little pieces. This potentially allows each individual piece
to be included into the manual page of the command it affects more easily.
* Malformed or crafted data in packstream can make our code attempt
to read or write past the allocated buffer and abort, instead of
reporting an error, which has been fixed.
* Fix for a long-standing bug that leaves the index file corrupt when
it shrinks during a partial commit.
* 'git merge' and 'git pull' that merges into an unborn branch used
to completely ignore '--verify-signatures', which has been
corrected.
* ...and much more features and fixes
- fix CVE-2018-19486 (bsc#1117257)
git 2.19.2:
* various bug fixes for multiple subcommands and operations
git 2.19.1:
* CVE-2018-17456: Specially crafted .gitmodules files may have
allowed arbitrary code execution when the repository is cloned
with --recurse-submodules (bsc#1110949)
git 2.19.0:
* 'git diff' compares the index and the working tree. For paths
added with intent-to-add bit, the command shows the full contents
of them as added, but the paths themselves were not marked as new
files. They are now shown as new by default.
* 'git apply' learned the '--intent-to-add' option so that an
otherwise working-tree-only application of a patch will add new
paths to the index marked with the 'intent-to-add' bit.
* 'git grep' learned the '--column' option that gives not just the
line number but the column number of the hit.
* The '-l' option in 'git branch -l' is an unfortunate short-hand for
'--create-reflog', but many users, both old and new, somehow expect
it to be something else, perhaps '--list'. This step warns when '-l'
is used as a short-hand for '--create-reflog' and warns about the
future repurposing of the it when it is used.
* The userdiff pattern for .php has been updated.
* The content-transfer-encoding of the message 'git send-email' sends
out by default was 8bit, which can cause trouble when there is an
overlong line to bust RFC 5322/2822 limit. A new option 'auto' to
automatically switch to quoted-printable when there is such a line
in the payload has been introduced and is made the default.
* 'git checkout' and 'git worktree add' learned to honor
checkout.defaultRemote when auto-vivifying a local branch out of a
remote tracking branch in a repository with multiple remotes that
have tracking branches that share the same names.
(merge 8d7b558bae ab/checkout-default-remote later to maint).
* 'git grep' learned the '--only-matching' option.
* 'git rebase --rebase-merges' mode now handles octopus merges as
well.
* Add a server-side knob to skip commits in exponential/fibbonacci
stride in an attempt to cover wider swath of history with a smaller
number of iterations, potentially accepting a larger packfile
transfer, instead of going back one commit a time during common
ancestor discovery during the 'git fetch' transaction.
(merge 42cc7485a2 jt/fetch-negotiator-skipping later to maint).
* A new configuration variable core.usereplacerefs has been added,
primarily to help server installations that want to ignore the
replace mechanism altogether.
* Teach 'git tag -s' etc. a few configuration variables (gpg.format
that can be set to 'openpgp' or 'x509', and gpg.<format>.program
that is used to specify what program to use to deal with the format)
to allow x.509 certs with CMS via 'gpgsm' to be used instead of
openpgp via 'gnupg'.
* Many more strings are prepared for l10n.
* 'git p4 submit' learns to ask its own pre-submit hook if it should
continue with submitting.
* The test performed at the receiving end of 'git push' to prevent
bad objects from entering repository can be customized via
receive.fsck.* configuration variables; we now have gained a
counterpart to do the same on the 'git fetch' side, with
fetch.fsck.* configuration variables.
* 'git pull --rebase=interactive' learned 'i' as a short-hand for
'interactive'.
* 'git instaweb' has been adjusted to run better with newer Apache on
RedHat based distros.
* 'git range-diff' is a reimplementation of 'git tbdiff' that lets us
compare individual patches in two iterations of a topic.
* The sideband code learned to optionally paint selected keywords at
the beginning of incoming lines on the receiving end.
* 'git branch --list' learned to take the default sort order from the
'branch.sort' configuration variable, just like 'git tag --list'
pays attention to 'tag.sort'.
* 'git worktree' command learned '--quiet' option to make it less
verbose.
git 2.18.0:
* improvements to rename detection logic
* When built with more recent cURL, GIT_SSL_VERSION can now
specify 'tlsv1.3' as its value.
* 'git mergetools' learned talking to guiffy.
* various other workflow improvements and fixes
* performance improvements and other developer visible fixes
Update to git 2.16.4: security fix release
git 2.17.1:
* Submodule 'names' come from the untrusted .gitmodules file, but
we blindly append them to $GIT_DIR/modules to create our on-disk
repo paths. This means you can do bad things by putting '../'
into the name. We now enforce some rules for submodule names
which will cause Git to ignore these malicious names
(CVE-2018-11235, bsc#1095219)
* It was possible to trick the code that sanity-checks paths on
NTFS into reading random piece of memory
(CVE-2018-11233, bsc#1095218)
* Support on the server side to reject pushes to repositories
that attempt to create such problematic .gitmodules file etc.
as tracked contents, to help hosting sites protect their
customers by preventing malicious contents from spreading.
git 2.17.0:
* 'diff' family of commands learned '--find-object=<object-id>' option
to limit the findings to changes that involve the named object.
* 'git format-patch' learned to give 72-cols to diffstat, which is
consistent with other line length limits the subcommand uses for
its output meant for e-mails.
* The log from 'git daemon' can be redirected with a new option; one
relevant use case is to send the log to standard error (instead of
syslog) when running it from inetd.
* 'git rebase' learned to take '--allow-empty-message' option.
* 'git am' has learned the '--quit' option, in addition to the
existing '--abort' option; having the pair mirrors a few other
commands like 'rebase' and 'cherry-pick'.
* 'git worktree add' learned to run the post-checkout hook, just like
'git clone' runs it upon the initial checkout.
* 'git tag' learned an explicit '--edit' option that allows the
message given via '-m' and '-F' to be further edited.
* 'git fetch --prune-tags' may be used as a handy short-hand for
getting rid of stale tags that are locally held.
* The new '--show-current-patch' option gives an end-user facing way
to get the diff being applied when 'git rebase' (and 'git am')
stops with a conflict.
* 'git add -p' used to offer '/' (look for a matching hunk) as a
choice, even there was only one hunk, which has been corrected.
Also the single-key help is now given only for keys that are
enabled (e.g. help for '/' won't be shown when there is only one
hunk).
* Since Git 1.7.9, 'git merge' defaulted to --no-ff (i.e. even when
the side branch being merged is a descendant of the current commit,
create a merge commit instead of fast-forwarding) when merging a
tag object. This was appropriate default for integrators who pull
signed tags from their downstream contributors, but caused an
unnecessary merges when used by downstream contributors who
habitually 'catch up' their topic branches with tagged releases
from the upstream. Update 'git merge' to default to --no-ff only
when merging a tag object that does *not* sit at its usual place in
refs/tags/ hierarchy, and allow fast-forwarding otherwise, to
mitigate the problem.
* 'git status' can spend a lot of cycles to compute the relation
between the current branch and its upstream, which can now be
disabled with '--no-ahead-behind' option.
* 'git diff' and friends learned funcname patterns for Go language
source files.
* 'git send-email' learned '--reply-to=<address>' option.
* Funcname pattern used for C# now recognizes 'async' keyword.
* In a way similar to how 'git tag' learned to honor the pager
setting only in the list mode, 'git config' learned to ignore the
pager setting when it is used for setting values (i.e. when the
purpose of the operation is not to 'show').
- Use %license instead of %doc [bsc#1082318]
git 2.16.3:
* 'git status' after moving a path in the working tree (hence
making it appear 'removed') and then adding with the -N option
(hence making that appear 'added') detected it as a rename, but
did not report the old and new pathnames correctly.
* 'git commit --fixup' did not allow '-m<message>' option to be
used at the same time; allow it to annotate resulting commit
with more text.
* When resetting the working tree files recursively, the working
tree of submodules are now also reset to match.
* Fix for a commented-out code to adjust it to a rather old API
change around object ID.
* When there are too many changed paths, 'git diff' showed a
warning message but in the middle of a line.
* The http tracing code, often used to debug connection issues,
learned to redact potentially sensitive information from its
output so that it can be more safely sharable.
* Crash fix for a corner case where an error codepath tried to
unlock what it did not acquire lock on.
* The split-index mode had a few corner case bugs fixed.
* Assorted fixes to 'git daemon'.
* Completion of 'git merge -s<strategy>' (in contrib/) did not
work well in non-C locale.
* Workaround for segfault with more recent versions of SVN.
* Recently introduced leaks in fsck have been plugged.
* Travis CI integration now builds the executable in 'script'
phase to follow the established practice, rather than during
'before_script' phase. This allows the CI categorize the
failures better ('failed' is project's fault, 'errored' is
build environment's).
- Drop superfluous xinetd snippet, no longer used (bsc#1084460)
- Build with asciidoctor for the recent distros (bsc#1075764)
- Move %{?systemd_requires} to daemon subpackage
- Create subpackage for libsecret credential helper.
git 2.16.2:
* An old regression in 'git describe --all $annotated_tag^0' has
been fixed.
* 'git svn dcommit' did not take into account the fact that a
svn+ssh:// URL with a username@ (typically used for pushing)
refers to the same SVN repository without the username@ and
failed when svn.pushmergeinfo option is set.
* 'git merge -Xours/-Xtheirs' learned to use our/their version
when resolving a conflicting updates to a symbolic link.
* 'git clone $there $here' is allowed even when here directory
exists as long as it is an empty directory, but the command
incorrectly removed it upon a failure of the operation.
* 'git stash -- <pathspec>' incorrectly blew away untracked files
in the directory that matched the pathspec, which has been
corrected.
* 'git add -p' was taught to ignore local changes to submodules
as they do not interfere with the partial addition of regular
changes anyway.
git 2.16.1:
* 'git clone' segfaulted when cloning a project that happens to
track two paths that differ only in case on a case insensitive
filesystem
git 2.16.0 (CVE-2017-15298, bsc#1063412):
* See https://raw.github.com/git/git/master/Documentation/RelNotes/2.16.0.txt
git 2.15.1:
* fix 'auto' column output
* fixes to moved lines diffing
* documentation updates
* fix use of repositories immediately under the root directory
* improve usage of libsecret
* fixes to various error conditions in git commands
- Rewrite from sysv init to systemd unit file for git-daemon
(bsc#1069803)
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (bsc#1069468)
- split off p4 to a subpackage (bsc#1067502)
- Build with the external libsha1detectcoll (bsc#1042644)
git 2.15.0:
* Use of an empty string as a pathspec element that is used for
'everything matches' is still warned and Git asks users to use a
more explicit '.' for that instead. Removal scheduled for 2.16
* Git now avoids blindly falling back to '.git' when the setup
sequence said we are _not_ in Git repository (another corner
case removed)
* 'branch --set-upstream' was retired, deprecated since 1.8
* many other improvements and updates
git 2.14.3:
* git send-email understands more cc: formats
* fixes so gitk --bisect
* git commit-tree fixed to handle -F file alike
* Prevent segfault in 'git cat-file --textconv'
* Fix function header parsing for HTML
* Various small fixes to user commands and and internal functions
git 2.14.2:
* fixes to color output
* http.{sslkey,sslCert} now interpret '~[username]/' prefix
* fixes to walking of reflogs via 'log -g' and friends
* various fixes to output correctness
* 'git push --recurse-submodules $there HEAD:$target' is now
propagated down to the submodules
* 'git clone --recurse-submodules --quiet' c$how propagates quiet
option down to submodules.
* 'git svn --localtime' correctness fixes
* 'git grep -L' and 'git grep --quiet -L' now report same exit code
* fixes to 'git apply' when converting line endings
* Various Perl scripts did not use safe_pipe_capture() instead
of backticks, leaving them susceptible to end-user input.
CVE-2017-14867 bsc#1061041
* 'git cvsserver' no longer is invoked by 'git daemon' by
default
git 2.14.1 (bsc#1052481):
* Security fix for CVE-2017-1000117: A malicious third-party can
give a crafted 'ssh://...' URL to an unsuspecting victim, and
an attempt to visit the URL can result in any program that
exists on the victim's machine being executed. Such a URL could
be placed in the .gitmodules file of a malicious project, and
an unsuspecting victim could be tricked into running
'git clone --recurse-submodules' to trigger the vulnerability.
* A 'ssh://...' URL can result in a 'ssh' command line with a
hostname that begins with a dash '-', which would cause the
'ssh' command to instead (mis)treat it as an option. This is
now prevented by forbidding such a hostname (which should not
impact any real-world usage).
* Similarly, when GIT_PROXY_COMMAND is configured, the command
is run with host and port that are parsed out from 'ssh://...'
URL; a poorly written GIT_PROXY_COMMAND could be tricked into
treating a string that begins with a dash '-' as an option.
This is now prevented by forbidding such a hostname and port
number (again, which should not impact any real-world usage).
* In the same spirit, a repository name that begins with a dash
'-' is also forbidden now.
git 2.14.0:
* Use of an empty string as a pathspec element that is used for
'everything matches' is deprecated, use '.'
* Avoid blindly falling back to '.git' when the setup sequence
indicates operation not on a Git repository
* 'indent heuristics' are now the default.
* Builds with pcre2
* Many bug fixes, improvements and updates
git 2.13.4:
* Update the character width tables.
* Fix an alias that contained an uppercase letter
* Progress meter fixes
* git gc concurrency fixes
git 2.13.3:
* various internal bug fixes
* Fix a regression to 'git rebase -i'
* Correct unaligned 32-bit access in pack-bitmap code
* Tighten error checks for invalid 'git apply' input
* The split index code did not honor core.sharedrepository setting
correctly
* Fix 'git branch --list' handling of color.branch.local
git 2.13.2:
* 'collision detecting' SHA-1 update for platform fixes
* 'git checkout --recurse-submodules' did not quite work with a
submodule that itself has submodules.
* The 'run-command' API implementation has been made more robust
against dead-locking in a threaded environment.
* 'git clean -d' now only cleans ignored files with '-x'
* 'git status --ignored' did not list ignored and untracked files
without '-uall'
* 'git pull --rebase --autostash' didn't auto-stash when the local
history fast-forwards to the upstream.
* 'git describe --contains' gives as much weight to lightweight
tags as annotated tags
* Fix 'git stash push <pathspec>' from a subdirectory
git 2.13.1:
* Setting 'log.decorate=false' in the configuration file did not
take effect in v2.13, which has been corrected.
* corrections to documentation and command help output
* garbage collection fixes
* memory leaks fixed
* receive-pack now makes sure that the push certificate records
the same set of push options used for pushing
* shell completion corrections for git stash
* fix 'git clone --config var=val' with empty strings
* internal efficiency improvements
* Update sha1 collision detection code for big-endian platforms
and platforms not supporting unaligned fetches
- Fix packaging of documentation
git 2.13.0:
* empty string as a pathspec element for 'everything matches'
is still warned, for future removal.
* deprecated argument order 'git merge <msg> HEAD <commit>...'
was removed
* default location '~/.git-credential-cache/socket' for the
socket used to communicate with the credential-cache daemon
moved to '~/.cache/git/credential/socket'.
* now avoid blindly falling back to '.git' when the setup
sequence indicated otherwise
* many workflow features, improvements and bug fixes
* add a hardened implementation of SHA1 in response to practical
collision attacks (CVE-2005-4900, bsc#1042640)
* CVE-2017-8386: On a server running git-shell as login shell to
restrict user to git commands, remote users may have been able
to have git service programs spawn an interactive pager
and thus escape the shell restrictions. (bsc#1038395)
Changes in pcre2:
- Include the libraries, development and tools packages.
git uses only libpcre2-8 so far, but this allows further
application usage of pcre2.
ImportantSUSE bug 1167890SUSE bug 1168930CVE-2020-5260 at SUSECVE-2020-5260 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_116 fixes several issues.
The following security issues were fixed:
- CVE-2021-27365: Fixed an issue where data structures did not have appropriate length constraints or checks, and could exceed the PAGE_SIZE value (bsc#1183491).
- CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1183120).
- CVE-2021-27364: Fixed an issue where an unprivileged user could craft Netlink messages (bsc#1182717).
ImportantSUSE bug 1182717SUSE bug 1183120SUSE bug 1183491CVE-2021-27363 at SUSECVE-2021-27363 at NVDCVE-2021-27364 at SUSECVE-2021-27364 at NVDCVE-2021-27365 at SUSECVE-2021-27365 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_121 fixes several issues.
The following security issues were fixed:
- CVE-2021-27365: Fixed an issue where data structures did not have appropriate length constraints or checks, and could exceed the PAGE_SIZE value (bsc#1183491).
- CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1183120).
- CVE-2021-27364: Fixed an issue where an unprivileged user could craft Netlink messages (bsc#1182717).
ImportantSUSE bug 1182717SUSE bug 1183120SUSE bug 1183491CVE-2021-27363 at SUSECVE-2021-27363 at NVDCVE-2021-27364 at SUSECVE-2021-27364 at NVDCVE-2021-27365 at SUSECVE-2021-27365 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_124 fixes several issues.
The following security issues were fixed:
- CVE-2021-27365: Fixed an issue where data structures did not have appropriate length constraints or checks, and could exceed the PAGE_SIZE value (bsc#1183491).
- CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1183120).
- CVE-2021-27364: Fixed an issue where an unprivileged user could craft Netlink messages (bsc#1182717).
ImportantSUSE bug 1182717SUSE bug 1183120SUSE bug 1183491CVE-2021-27363 at SUSECVE-2021-27363 at NVDCVE-2021-27364 at SUSECVE-2021-27364 at NVDCVE-2021-27365 at SUSECVE-2021-27365 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_127 fixes several issues.
The following security issues were fixed:
- CVE-2021-27365: Fixed an issue where data structures did not have appropriate length constraints or checks, and could exceed the PAGE_SIZE value (bsc#1183491).
- CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1183120).
- CVE-2021-27364: Fixed an issue where an unprivileged user could craft Netlink messages (bsc#1182717).
ImportantSUSE bug 1182717SUSE bug 1183120SUSE bug 1183491CVE-2021-27363 at SUSECVE-2021-27363 at NVDCVE-2021-27364 at SUSECVE-2021-27364 at NVDCVE-2021-27365 at SUSECVE-2021-27365 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_130 fixes several issues.
The following security issues were fixed:
- CVE-2021-27365: Fixed an issue where data structures did not have appropriate length constraints or checks, and could exceed the PAGE_SIZE value (bsc#1183491).
- CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1183120).
- CVE-2021-27364: Fixed an issue where an unprivileged user could craft Netlink messages (bsc#1182717).
ImportantSUSE bug 1182717SUSE bug 1183120SUSE bug 1183491CVE-2021-27363 at SUSECVE-2021-27363 at NVDCVE-2021-27364 at SUSECVE-2021-27364 at NVDCVE-2021-27365 at SUSECVE-2021-27365 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_135 fixes several issues.
The following security issues were fixed:
- CVE-2021-27365: Fixed an issue where data structures did not have appropriate length constraints or checks, and could exceed the PAGE_SIZE value (bsc#1183491).
- CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1183120).
- CVE-2021-27364: Fixed an issue where an unprivileged user could craft Netlink messages (bsc#1182717).
ImportantSUSE bug 1182717SUSE bug 1183120SUSE bug 1183491CVE-2021-27363 at SUSECVE-2021-27363 at NVDCVE-2021-27364 at SUSECVE-2021-27364 at NVDCVE-2021-27365 at SUSECVE-2021-27365 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_138 fixes several issues.
The following security issues were fixed:
- CVE-2021-27365: Fixed an issue where data structures did not have appropriate length constraints or checks, and could exceed the PAGE_SIZE value (bsc#1183491).
- CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1183120).
- CVE-2021-27364: Fixed an issue where an unprivileged user could craft Netlink messages (bsc#1182717).
ImportantSUSE bug 1182717SUSE bug 1183120SUSE bug 1183491CVE-2021-27363 at SUSECVE-2021-27363 at NVDCVE-2021-27364 at SUSECVE-2021-27364 at NVDCVE-2021-27365 at SUSECVE-2021-27365 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_141 fixes several issues.
The following security issues were fixed:
- CVE-2021-27365: Fixed an issue where data structures did not have appropriate length constraints or checks, and could exceed the PAGE_SIZE value (bsc#1183491).
- CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1183120).
- CVE-2021-27364: Fixed an issue where an unprivileged user could craft Netlink messages (bsc#1182717).
- CVE-2020-25645: Fixed an an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bsc#1177513).
- CVE-2020-0429: Fixed a memory corruption due to a use after free which could have led to local escalation of privilege with System execution privileges needed (bsc#1176931).
- CVE-2020-1749: Use ip6_dst_lookup_flow instead of ip6_dst_lookup (bsc#1165631).
ImportantSUSE bug 1165631SUSE bug 1176931SUSE bug 1177513SUSE bug 1182717SUSE bug 1183120SUSE bug 1183491CVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDCVE-2020-25645 at SUSECVE-2020-25645 at NVDCVE-2021-27363 at SUSECVE-2021-27363 at NVDCVE-2021-27364 at SUSECVE-2021-27364 at NVDCVE-2021-27365 at SUSECVE-2021-27365 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for fwupdate (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for fwupdate fixes the following issues:
- Add SBAT section to EFI images (bsc#1182057)
ImportantSUSE bug 1182057cpe:/o:suse:sles-ltss:12:sp3Security update for spamassassin (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for spamassassin fixes the following issues:
- spamassassin was updated to version 3.4.5
- CVE-2019-12420: memory leak via crafted messages (bsc#1159133)
- CVE-2020-1946: security update (bsc#1184221)
ImportantSUSE bug 1159133SUSE bug 1184221CVE-2019-12420 at SUSECVE-2019-12420 at NVDCVE-2020-1946 at SUSECVE-2020-1946 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for xorg-x11-server fixes the following issues:
- CVE-2021-3472: XChangeFeedbackControl Integer Underflow Privilege Escalation (bsc#1180128)
ImportantSUSE bug 1180128CVE-2021-3472 at SUSECVE-2021-3472 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for clamav (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for clamav fixes the following issues:
- CVE-2021-1252: Fix for Excel XLM parser infinite loop. (bsc#1184532)
- CVE-2021-1404: Fix for PDF parser buffer over-read; possible crash. (bsc#1184533)
- CVE-2021-1405: Fix for mail parser NULL-dereference crash. (bsc#1184534)
- Fix errors when scanning files > 4G (bsc#1181256)
- Update clamav.keyring
- Update to 0.103.2
ImportantSUSE bug 1181256SUSE bug 1184532SUSE bug 1184533SUSE bug 1184534CVE-2021-1252 at SUSECVE-2021-1252 at NVDCVE-2021-1404 at SUSECVE-2021-1404 at NVDCVE-2021-1405 at SUSECVE-2021-1405 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for qemu (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for qemu fixes the following issues:
- Fix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)
- Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383)
- Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)
- Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)
- Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)
- Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)
- Fix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174)
- Fix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916, bsc#1179468)
- Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)
- Fix null pointer deref. (DoS) in mmio ops (CVE-2020-15469, bsc#1173612)
- Fix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577)
- Fix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968)
- Fix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416)
- Fix OOB access in SLIRP ARP packet processing (CVE-2020-29130, bsc#1179467)
- Fix null pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386
- Fix OOB access in iscsi (CVE-2020-11947 bsc#1180523)
- Fix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)
- Fix buffer overflow in the XGMAC device (CVE-2020-15863, bsc#1174386)
- Fix DoS in packet processing of various emulated NICs (CVE-2020-16092 bsc#1174641)
- Fix OOB access while processing USB packets (CVE-2020-14364 bsc#1175441)
- Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425)
- Fix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137)
- Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384)
- Fix OOB access in ROM loading (CVE-2020-13765 bsc#1172478)
ImportantSUSE bug 1172383SUSE bug 1172384SUSE bug 1172385SUSE bug 1172386SUSE bug 1172478SUSE bug 1173612SUSE bug 1174386SUSE bug 1174641SUSE bug 1175441SUSE bug 1176673SUSE bug 1176682SUSE bug 1176684SUSE bug 1178174SUSE bug 1178934SUSE bug 1179467SUSE bug 1179468SUSE bug 1180523SUSE bug 1181108SUSE bug 1181639SUSE bug 1182137SUSE bug 1182425SUSE bug 1182577SUSE bug 1182968CVE-2020-11947 at SUSECVE-2020-11947 at NVDCVE-2020-12829 at SUSECVE-2020-12829 at NVDCVE-2020-13361 at SUSECVE-2020-13361 at NVDCVE-2020-13362 at SUSECVE-2020-13362 at NVDCVE-2020-13659 at SUSECVE-2020-13659 at NVDCVE-2020-13765 at SUSECVE-2020-13765 at NVDCVE-2020-14364 at SUSECVE-2020-14364 at NVDCVE-2020-15469 at SUSECVE-2020-15469 at NVDCVE-2020-15863 at SUSECVE-2020-15863 at NVDCVE-2020-16092 at SUSECVE-2020-16092 at NVDCVE-2020-25084 at SUSECVE-2020-25084 at NVDCVE-2020-25624 at SUSECVE-2020-25624 at NVDCVE-2020-25625 at SUSECVE-2020-25625 at NVDCVE-2020-25723 at SUSECVE-2020-25723 at NVDCVE-2020-27617 at SUSECVE-2020-27617 at NVDCVE-2020-28916 at SUSECVE-2020-28916 at NVDCVE-2020-29130 at SUSECVE-2020-29130 at NVDCVE-2020-29443 at SUSECVE-2020-29443 at NVDCVE-2021-20181 at SUSECVE-2021-20181 at NVDCVE-2021-20203 at SUSECVE-2021-20203 at NVDCVE-2021-20257 at SUSECVE-2021-20257 at NVDCVE-2021-3416 at SUSECVE-2021-3416 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for xen fixes the following issues:
- CVE-2021-20257: xen: infinite loop issue in the e1000 NIC emulator (bsc#1182846).
- CVE-2021-27379: Fixed an issue where entries in the IOMMU were not being updated
under certain circumstances due to improper backport of XSA-321 (XSA-366, bsc#1182431).
ImportantSUSE bug 1182431SUSE bug 1182846CVE-2021-20257 at SUSECVE-2021-20257 at NVDCVE-2021-27379 at SUSECVE-2021-27379 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for sudo (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for sudo fixes the following issues:
- L3: Tenable Scan reports sudo is vulnerable to CVE-2021-3156 (bsc#1183936)
ImportantSUSE bug 1183936CVE-2021-3156 at SUSECVE-2021-3156 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
- Firefox was updated to 78.10.0 ESR (bsc#1184960)
* CVE-2021-23994: Out of bound write due to lazy initialization
* CVE-2021-23995: Use-after-free in Responsive Design Mode
* CVE-2021-23998: Secure Lock icon could have been spoofed
* CVE-2021-23961: More internal network hosts could have been probed by a malicious webpage
* CVE-2021-23999: Blob URLs may have been granted additional privileges
* CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an encoded URL
* CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead to null-reads
* CVE-2021-29946: Port blocking could be bypassed
ImportantSUSE bug 1184960CVE-2021-23961 at SUSECVE-2021-23961 at NVDCVE-2021-23994 at SUSECVE-2021-23994 at NVDCVE-2021-23995 at SUSECVE-2021-23995 at NVDCVE-2021-23998 at SUSECVE-2021-23998 at NVDCVE-2021-23999 at SUSECVE-2021-23999 at NVDCVE-2021-24002 at SUSECVE-2021-24002 at NVDCVE-2021-29945 at SUSECVE-2021-29945 at NVDCVE-2021-29946 at SUSECVE-2021-29946 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_124 fixes one issue.
The following security issues were fixed:
- CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc##1182294, bsc#1183646).
- CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1182294).
- CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1183022).
ImportantSUSE bug 1182294CVE-2021-26930 at SUSECVE-2021-26930 at NVDCVE-2021-26931 at SUSECVE-2021-26931 at NVDCVE-2021-28688 at SUSECVE-2021-28688 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_127 fixes one issue.
The following security issues were fixed:
- CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc##1182294, bsc#1183646).
- CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1182294).
- CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1183022).
ImportantSUSE bug 1182294CVE-2021-26930 at SUSECVE-2021-26930 at NVDCVE-2021-26931 at SUSECVE-2021-26931 at NVDCVE-2021-28688 at SUSECVE-2021-28688 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_130 fixes one issue.
The following security issues were fixed:
- CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc##1182294, bsc#1183646).
- CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1182294).
- CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1183022).
ImportantSUSE bug 1182294CVE-2021-26930 at SUSECVE-2021-26930 at NVDCVE-2021-26931 at SUSECVE-2021-26931 at NVDCVE-2021-28688 at SUSECVE-2021-28688 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_138 fixes one issue.
The following security issues were fixed:
- CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc##1182294, bsc#1183646).
- CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1182294).
- CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1183022).
ImportantSUSE bug 1182294CVE-2021-26930 at SUSECVE-2021-26930 at NVDCVE-2021-26931 at SUSECVE-2021-26931 at NVDCVE-2021-28688 at SUSECVE-2021-28688 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_141 fixes one issue.
The following security issue was fixed:
- CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc##1182294, bsc#1183646).
ImportantSUSE bug 1182294CVE-2021-28688 at SUSECVE-2021-28688 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_116 fixes one issue.
The following security issues were fixed:
- CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc##1182294, bsc#1183646).
- CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1182294).
- CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1183022).
ImportantSUSE bug 1182294CVE-2021-26930 at SUSECVE-2021-26930 at NVDCVE-2021-26931 at SUSECVE-2021-26931 at NVDCVE-2021-28688 at SUSECVE-2021-28688 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_121 fixes one issue.
The following security issues were fixed:
- CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc##1182294, bsc#1183646).
- CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1182294).
- CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1183022).
ImportantSUSE bug 1182294CVE-2021-26930 at SUSECVE-2021-26930 at NVDCVE-2021-26931 at SUSECVE-2021-26931 at NVDCVE-2021-28688 at SUSECVE-2021-28688 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_135 fixes one issue.
The following security issues were fixed:
- CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc##1182294, bsc#1183646).
- CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1182294).
- CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1183022).
ImportantSUSE bug 1182294CVE-2021-26930 at SUSECVE-2021-26930 at NVDCVE-2021-26931 at SUSECVE-2021-26931 at NVDCVE-2021-28688 at SUSECVE-2021-28688 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libnettle (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libnettle fixes the following issues:
- CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401, bsc#1183835).
ImportantSUSE bug 1183835SUSE bug 1184401CVE-2021-20305 at SUSECVE-2021-20305 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for gdm (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for gdm fixes the following issues:
- Avoid the signal SIGTRAP when gdm exits (bsc#1184456).
ImportantSUSE bug 1184456cpe:/o:suse:sles-ltss:12:sp3Security update for tomcat (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for tomcat fixes the following issues:
- CVE-2021-25329: Complete fix for CVE-2020-9484 (bsc#1182909)
ImportantSUSE bug 1182909CVE-2021-25329 at SUSECVE-2021-25329 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_7_0-openjdk (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_7_0-openjdk fixes the following issues:
- Update to 2.6.25 - OpenJDK 7u291 (January 2021 CPU, bsc#1181239)
* Security fixes
+ JDK-8247619: Improve Direct Buffering of Characters
* Import of OpenJDK 7 u291 build 1
+ JDK-8254177: (tz) Upgrade time-zone data to tzdata2020b
+ JDK-8254982: (tz) Upgrade time-zone data to tzdata2020c
+ JDK-8255226: (tz) Upgrade time-zone data to tzdata2020d
ModerateSUSE bug 1181239cpe:/o:suse:sles-ltss:12:sp3Security update for cups (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for cups fixes the following issues:
- CVE-2021-25317: ownership of /var/log/cups could allow privilege escalation from lp user to root via symlink attacks (bsc#1184161)
ImportantSUSE bug 1184161CVE-2021-25317 at SUSECVE-2021-25317 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for bind (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for bind fixes the following issues:
- CVE-2021-25214: Fixed a broken inbound incremental zone update (IXFR) which could have caused named to terminate unexpectedly (bsc#1185345).
- CVE-2021-25215: Fixed an assertion check which could have failed while answering queries for DNAME records that required the DNAME to be processed to resolve itself (bsc#1185345).
- CVE-2021-25216: Fixed an issue where policy negotiation can be targeted by a buffer overflow attack (bsc#1185345).
- MD5 warning message using host, dig, nslookup (bind-utils) with FIPS enabled (bsc#1181495).
ImportantSUSE bug 1181495SUSE bug 1185345CVE-2021-25214 at SUSECVE-2021-25214 at NVDCVE-2021-25215 at SUSECVE-2021-25215 at NVDCVE-2021-25216 at SUSECVE-2021-25216 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for samba (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for samba fixes the following issues:
- CVE-2021-20254: Fixed a buffer overrun in sids_to_unixids() (bsc#1184677).
- Avoid free'ing our own pointer in memcache when memcache_trim attempts to reduce cache size (bsc#1179156).
- Adjust smbcacls '--propagate-inheritance' feature to align with upstream (bsc#1178469).
ImportantSUSE bug 1178469SUSE bug 1179156SUSE bug 1184677CVE-2021-20254 at SUSECVE-2021-20254 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for avahi (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for avahi fixes the following issues:
- CVE-2021-3468: avoid infinite loop by handling HUP event in client_work (bsc#1184521).
ImportantSUSE bug 1184521CVE-2021-3468 at SUSECVE-2021-3468 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for python3 fixes the following issues:
Security issues fixed:
- CVE-2020-27619: where Lib/test/multibytecodec_support calls eval() on content retrieved via HTTP. (bsc#1178009)
Other fixes:
- Make sure to close the 'import_failed.map' file after the exception
has been raised in order to avoid ResourceWarnings when the
failing import is part of a try...except block
ImportantCVE-2020-27619 at SUSECVE-2020-27619 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
The SUSE Linux Enterprise 12 SP2 LTSS kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-36312: Fixed an issue in virt/kvm/kvm_main.c that had a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure (bnc#1184509).
- CVE-2021-29650: Fixed an issue inside the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).
- CVE-2020-27673: Fixed an issue in Xen where a guest OS users could have caused a denial of service (host OS hang) via a high rate of events to dom0 (bnc#1177411, bnc#1184583).
- CVE-2021-29154: Fixed BPF JIT compilers that allowed to execute arbitrary code within the kernel context (bnc#1184391).
- CVE-2020-25673: Fixed NFC endless loops caused by repeated llcp_sock_connect() (bsc#1178181).
- CVE-2020-25672: Fixed NFC memory leak in llcp_sock_connect() (bsc#1178181).
- CVE-2020-25671: Fixed NFC refcount leak in llcp_sock_connect() (bsc#1178181).
- CVE-2020-25670: Fixed NFC refcount leak in llcp_sock_bind() (bsc#1178181).
- CVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h where a 'stall on CPU' could have occured because a retry loop continually finds the same bad inode (bnc#1184194, bnc#1184211).
- CVE-2020-36322: Fixed an issue inside the FUSE filesystem implementation where fuse_do_getattr() calls make_bad_inode() in inappropriate situations, could have caused a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bnc#1184211).
- CVE-2021-30002: Fixed a memory leak issue when a webcam device exists (bnc#1184120).
- CVE-2021-3483: Fixed a use-after-free bug in nosy_ioctl() (bsc#1184393).
- CVE-2021-20219: Fixed a denial of service vulnerability in drivers/tty/n_tty.c of the Linux kernel. In this flaw a local attacker with a normal user privilege could have delayed the loop and cause a threat to the system availability (bnc#1184397).
- CVE-2021-29265: Fixed an issue in usbip_sockfd_store in drivers/usb/usbip/stub_dev.c that allowed attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status (bnc#1184167).
- CVE-2021-29264: Fixed an issue in drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver that allowed attackers to cause a system crash because a negative fragment size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is enabled (bnc#1184168).
- CVE-2021-28972: Fixed an issue in drivers/pci/hotplug/rpadlpar_sysfs.c where the RPA PCI Hotplug driver had a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and remove_slot_store mishandle drc_name '\0' termination (bnc#1184198).
- CVE-2021-28660: Fixed rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c that allowed writing beyond the end of the ssid array (bnc#1183593).
- CVE-2020-0433: Fixed blk_mq_queue_tag_busy_iter of blk-mq-tag.c, where a possible use after free due to improper locking could have happened. This could have led to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bnc#1176720).
- CVE-2021-28038: Fixed an issue with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931 (bnc#1183022, bnc#1183069).
- CVE-2021-27365: Fixed an issue inside the iSCSI data structures that does not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bnc#1182715).
- CVE-2021-27363: Fixed an issue with a kernel pointer leak that could have been used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables (bnc#1182716).
- CVE-2021-27364: Fixed an issue in drivers/scsi/scsi_transport_iscsi.c where an unprivileged user can craft Netlink messages (bnc#1182717).
- CVE-2020-1749: Fixed a flaw inside of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality (bnc#1165629).
The following non-security bugs were fixed:
- bluetooth: eliminate the potential race condition when removing the HCI controller (bsc#1184611).
- Btrfs: add missing extents release on file extent cluster relocation error (bsc#1159483).
- btrfs: change timing for qgroup reserved space for ordered extents to fix reserved space leak (bsc#1172247).
- btrfs: Cleanup try_flush_qgroup (bsc#1182047).
- btrfs: Do not flush from btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: drop unused parameter qgroup_reserved (bsc#1182261).
- btrfs: fix qgroup data rsv leak caused by falloc failure (bsc#1182261).
- btrfs: fix qgroup_free wrong num_bytes in btrfs_subvolume_reserve_metadata (bsc#1182261).
- btrfs: Free correct amount of space in btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: inode: move qgroup reserved space release to the callers of insert_reserved_file_extent() (bsc#1172247).
- btrfs: inode: refactor the parameters of insert_reserved_file_extent() (bsc#1172247).
- btrfs: make btrfs_ordered_extent naming consistent with btrfs_file_extent_item (bsc#1172247).
- btrfs: qgroup: allow to unreserve range without releasing other ranges (bsc#1120163).
- btrfs: qgroup: Always free PREALLOC META reserve in btrfs_delalloc_release_extents() (bsc#1155179).
- btrfs: qgroup: do not commit transaction when we already hold the handle (bsc#1178634).
- btrfs: qgroup: Do not hold qgroup_ioctl_lock in btrfs_qgroup_inherit() (bsc#1165823).
- btrfs: qgroup: do not try to wait flushing if we're already holding a transaction (bsc#1179575).
- btrfs: qgroup: Fix a bug that prevents qgroup to be re-enabled after disable (bsc#1172247).
- btrfs: qgroup: fix data leak caused by race between writeback and truncate (bsc#1172247).
- btrfs: qgroup: fix qgroup meta rsv leak for subvolume operations (bsc#1177856).
- btrfs: qgroup: Fix reserved data space leak if we have multiple reserve calls (bsc#1152975).
- btrfs: qgroup: Fix the wrong target io_tree when freeing reserved data space (bsc#1152974).
- btrfs: qgroup: fix wrong qgroup metadata reserve for delayed inode (bsc#1177855).
- btrfs: qgroup: mark qgroup inconsistent if we're inherting snapshot to a new qgroup (bsc#1165823).
- btrfs: qgroup: remove ASYNC_COMMIT mechanism in favor of reserve retry-after-EDQUOT (bsc#1120163).
- btrfs: qgroup: try to flush qgroup space when we get -EDQUOT (bsc#1120163).
- btrfs: remove unused parameter from btrfs_subvolume_release_metadata (bsc#1182261).
- btrfs: tracepoints: Fix bad entry members of qgroup events (bsc#1155186).
- btrfs: tracepoints: Fix wrong parameter order for qgroup events (bsc#1155184).
- ext4: check journal inode extents more carefully (bsc#1173485).
- ext4: do not allow overlapping system zones (bsc#1173485).
- ext4: handle error of ext4_setup_system_zone() on remount (bsc#1173485).
- hv_netvsc: remove ndo_poll_controller (bsc#1185248).
- KVM: Add proper lockdep assertion in I/O bus unregister (bsc#1185555).
- KVM: Destroy I/O bus devices on unregister failure _after_ sync'ing SRCU (bsc#1185556).
- KVM: Stop looking for coalesced MMIO zones if the bus is destroyed (bsc#1185557).
- xen-netback: respect gnttab_map_refs()'s return value (bsc#1183022 XSA-367).
- Xen/gnttab: handle p2m update errors on a per-slot basis (bsc#1183022 XSA-367).
ImportantSUSE bug 1120163SUSE bug 1152974SUSE bug 1152975SUSE bug 1155179SUSE bug 1155184SUSE bug 1155186SUSE bug 1159483SUSE bug 1165629SUSE bug 1165823SUSE bug 1172247SUSE bug 1173485SUSE bug 1176720SUSE bug 1177411SUSE bug 1177855SUSE bug 1177856SUSE bug 1178181SUSE bug 1178634SUSE bug 1179575SUSE bug 1182047SUSE bug 1182261SUSE bug 1182715SUSE bug 1182716SUSE bug 1182717SUSE bug 1183022SUSE bug 1183069SUSE bug 1183593SUSE bug 1184120SUSE bug 1184167SUSE bug 1184168SUSE bug 1184194SUSE bug 1184198SUSE bug 1184208SUSE bug 1184211SUSE bug 1184391SUSE bug 1184393SUSE bug 1184397SUSE bug 1184509SUSE bug 1184583SUSE bug 1184611SUSE bug 1185248SUSE bug 1185555SUSE bug 1185556SUSE bug 1185557CVE-2020-0433 at SUSECVE-2020-0433 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDCVE-2020-25670 at SUSECVE-2020-25670 at NVDCVE-2020-25671 at SUSECVE-2020-25671 at NVDCVE-2020-25672 at SUSECVE-2020-25672 at NVDCVE-2020-25673 at SUSECVE-2020-25673 at NVDCVE-2020-27673 at SUSECVE-2020-27673 at NVDCVE-2020-36312 at SUSECVE-2020-36312 at NVDCVE-2020-36322 at SUSECVE-2020-36322 at NVDCVE-2021-20219 at SUSECVE-2021-20219 at NVDCVE-2021-27363 at SUSECVE-2021-27363 at NVDCVE-2021-27364 at SUSECVE-2021-27364 at NVDCVE-2021-27365 at SUSECVE-2021-27365 at NVDCVE-2021-28038 at SUSECVE-2021-28038 at NVDCVE-2021-28660 at SUSECVE-2021-28660 at NVDCVE-2021-28950 at SUSECVE-2021-28950 at NVDCVE-2021-28972 at SUSECVE-2021-28972 at NVDCVE-2021-29154 at SUSECVE-2021-29154 at NVDCVE-2021-29264 at SUSECVE-2021-29264 at NVDCVE-2021-29265 at SUSECVE-2021-29265 at NVDCVE-2021-29650 at SUSECVE-2021-29650 at NVDCVE-2021-30002 at SUSECVE-2021-30002 at NVDCVE-2021-3483 at SUSECVE-2021-3483 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for djvulibre (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for djvulibre fixes the following issues:
Security issues fixed:
- CVE-2021-32491 [bsc#1185900]: Integer overflow in function render() in tools/ddjvu via crafted djvu file
- CVE-2021-32492 [bsc#1185904]: Out of bounds read in function DJVU:DataPool:has_data() via crafted djvu file
- CVE-2021-32493 [bsc#1185905]: Heap buffer overflow in function DJVU:GBitmap:decode() via crafted djvu file
ImportantSUSE bug 1185900SUSE bug 1185904SUSE bug 1185905CVE-2019-18804 at SUSECVE-2019-18804 at NVDCVE-2021-32491 at SUSECVE-2021-32491 at NVDCVE-2021-32492 at SUSECVE-2021-32492 at NVDCVE-2021-32493 at SUSECVE-2021-32493 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for graphviz (Critical)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for graphviz fixes the following issues:
- CVE-2020-18032: Fixed possible remote code execution via buffer overflow (bsc#1185833).
CriticalSUSE bug 1185833CVE-2020-18032 at SUSECVE-2020-18032 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libxml2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libxml2 fixes the following issues:
Security issues fixed:
CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698)
- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).
ImportantSUSE bug 1185408SUSE bug 1185409SUSE bug 1185410SUSE bug 1185698CVE-2021-3516 at SUSECVE-2021-3516 at NVDCVE-2021-3517 at SUSECVE-2021-3517 at NVDCVE-2021-3518 at SUSECVE-2021-3518 at NVDCVE-2021-3537 at SUSECVE-2021-3537 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for dnsmasq (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for dnsmasq fixes the following issues:
- bsc#1177077: Fixed DNSpooq vulnerabilities
- CVE-2020-25684, CVE-2020-25685, CVE-2020-25686:
Fixed multiple Cache Poisoning attacks.
- CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687:
Fixed multiple potential Heap-based overflows when DNSSEC is
enabled.
- Retry query to other servers on receipt of SERVFAIL rcode
(bsc#1176076)
ImportantSUSE bug 1176076SUSE bug 1177077CVE-2020-25681 at SUSECVE-2020-25681 at NVDCVE-2020-25682 at SUSECVE-2020-25682 at NVDCVE-2020-25683 at SUSECVE-2020-25683 at NVDCVE-2020-25684 at SUSECVE-2020-25684 at NVDCVE-2020-25685 at SUSECVE-2020-25685 at NVDCVE-2020-25686 at SUSECVE-2020-25686 at NVDCVE-2020-25687 at SUSECVE-2020-25687 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for flac (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for flac fixes the following issues:
- CVE-2020-0499: Fixed an out-of-bounds access (bsc#1180099).
ModerateSUSE bug 1180099CVE-2020-0499 at SUSECVE-2020-0499 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for dovecot22 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for dovecot22 fixes the following issues:
- CVE-2020-24386: Fixed an issue with IMAP hibernation that allowed users to access other users' emails (bsc#1180405).
ImportantSUSE bug 1180405CVE-2020-24386 at SUSECVE-2020-24386 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for djvulibre (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for djvulibre fixes the following issues:
- CVE-2021-3500: Stack overflow in function DJVU:DjVuDocument:get_djvu_file() via crafted djvu file (bsc#1186253)
ImportantSUSE bug 1186253CVE-2021-3500 at SUSECVE-2021-3500 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for dhcp (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for dhcp fixes the following issues:
- CVE-2021-25217: A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient (bsc#1186382)
ImportantSUSE bug 1186382CVE-2021-25217 at SUSECVE-2021-25217 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libwebp (Critical)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libwebp fixes the following issues:
- CVE-2018-25010: Fixed heap-based buffer overflow in ApplyFilter() (bsc#1185685).
- CVE-2020-36330: Fixed heap-based buffer overflow in ChunkVerifyAndAssign() (bsc#1185691).
- CVE-2020-36332: Fixed extreme memory allocation when reading a file (bsc#1185674).
- CVE-2020-36329: Fixed use-after-free in EmitFancyRGB() (bsc#1185652).
- CVE-2018-25012: Fixed heap-based buffer overflow in GetLE24() (bsc#1185690).
- CVE-2018-25013: Fixed heap-based buffer overflow in ShiftBytes() (bsc#1185654).
- CVE-2020-36331: Fixed heap-based buffer overflow in ChunkAssignData() (bsc#1185686).
- CVE-2018-25009: Fixed heap-based buffer overflow in GetLE16() (bsc#1185673).
- CVE-2018-25011: Fixed fail on multiple image chunks (bsc#1186247).
CriticalSUSE bug 1185652SUSE bug 1185654SUSE bug 1185673SUSE bug 1185674SUSE bug 1185685SUSE bug 1185686SUSE bug 1185690SUSE bug 1185691SUSE bug 1186247CVE-2018-25009 at SUSECVE-2018-25009 at NVDCVE-2018-25010 at SUSECVE-2018-25010 at NVDCVE-2018-25011 at SUSECVE-2018-25011 at NVDCVE-2018-25012 at SUSECVE-2018-25012 at NVDCVE-2018-25013 at SUSECVE-2018-25013 at NVDCVE-2020-36329 at SUSECVE-2020-36329 at NVDCVE-2020-36330 at SUSECVE-2020-36330 at NVDCVE-2020-36331 at SUSECVE-2020-36331 at NVDCVE-2020-36332 at SUSECVE-2020-36332 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for polkit (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for polkit fixes the following issues:
- CVE-2021-3560: Fixed a local privilege escalation using polkit_system_bus_name_get_creds_sync() (bsc#1186497).
ImportantSUSE bug 1186497CVE-2021-3560 at SUSECVE-2021-3560 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_135 fixes several issues.
The following security issues were fixed:
- Fix a kernel warning during sysfs read (bsc#1186235)
- CVE-2020-36322: An issue was discovered in the FUSE filesystem implementation in the Linux kernel aka CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bsc#1184952).
- CVE-2021-29154: BPF JIT compilers in the Linux kernel have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c (bsc#1184710)
ImportantSUSE bug 1184710SUSE bug 1184952SUSE bug 1186235CVE-2020-36322 at SUSECVE-2020-36322 at NVDCVE-2021-29154 at SUSECVE-2021-29154 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_130 fixes several issues.
The following security issues were fixed:
- Fix a kernel warning during sysfs read (bsc#1186235)
- CVE-2020-36322: An issue was discovered in the FUSE filesystem implementation in the Linux kernel aka CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bsc#1184952).
- CVE-2021-29154: BPF JIT compilers in the Linux kernel have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c (bsc#1184710)
ImportantSUSE bug 1184710SUSE bug 1184952SUSE bug 1186235CVE-2020-36322 at SUSECVE-2020-36322 at NVDCVE-2021-29154 at SUSECVE-2021-29154 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_127 fixes several issues.
The following security issues were fixed:
- Fix a kernel warning during sysfs read (bsc#1186235)
- CVE-2020-36322: An issue was discovered in the FUSE filesystem implementation in the Linux kernel aka CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bsc#1184952).
- CVE-2021-29154: BPF JIT compilers in the Linux kernel have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c (bsc#1184710)
ImportantSUSE bug 1184710SUSE bug 1184952SUSE bug 1186235CVE-2020-36322 at SUSECVE-2020-36322 at NVDCVE-2021-29154 at SUSECVE-2021-29154 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_124 fixes several issues.
The following security issues were fixed:
- Fix a kernel warning during sysfs read (bsc#1186235)
- CVE-2020-36322: An issue was discovered in the FUSE filesystem implementation in the Linux kernel aka CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bsc#1184952).
- CVE-2021-29154: BPF JIT compilers in the Linux kernel have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c (bsc#1184710)
ImportantSUSE bug 1184710SUSE bug 1184952SUSE bug 1186235CVE-2020-36322 at SUSECVE-2020-36322 at NVDCVE-2021-29154 at SUSECVE-2021-29154 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_121 fixes several issues.
The following security issues were fixed:
- Fix a kernel warning during sysfs read (bsc#1186235)
- CVE-2020-36322: An issue was discovered in the FUSE filesystem implementation in the Linux kernel aka CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bsc#1184952).
- CVE-2021-29154: BPF JIT compilers in the Linux kernel have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c (bsc#1184710)
ImportantSUSE bug 1184710SUSE bug 1184952SUSE bug 1186235CVE-2020-36322 at SUSECVE-2020-36322 at NVDCVE-2021-29154 at SUSECVE-2021-29154 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_141 fixes several issues.
The following security issues were fixed:
- CVE-2020-36322: Fixed an issue inside the FUSE filesystem implementation where fuse_do_getattr() calls make_bad_inode() in inappropriate situations, could have caused a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bsc#1184952).
- CVE-2021-29154: Fixed BPF JIT compilers that allowed to execute arbitrary code within the kernel context (bsc#1184710)
ImportantSUSE bug 1184710SUSE bug 1184952CVE-2020-36322 at SUSECVE-2020-36322 at NVDCVE-2021-29154 at SUSECVE-2021-29154 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_138 fixes several issues.
The following security issues were fixed:
- CVE-2020-36322: Fixed an issue inside the FUSE filesystem implementation where fuse_do_getattr() calls make_bad_inode() in inappropriate situations, could have caused a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bsc#1184952).
- CVE-2021-29154: Fixed BPF JIT compilers that allowed to execute arbitrary code within the kernel context (bsc#1184710)
ImportantSUSE bug 1184710SUSE bug 1184952CVE-2020-36322 at SUSECVE-2020-36322 at NVDCVE-2021-29154 at SUSECVE-2021-29154 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for gstreamer-plugins-bad (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for gstreamer-plugins-bad fixes the following issues:
- CVE-2021-3185: Fixed buffer overflow in gst_h264_slice_parse_dec_ref_pic_marking (bsc#1181255).
ImportantSUSE bug 1181255CVE-2021-3185 at SUSECVE-2021-3185 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 78.11.0 ESR (bsc#1186696)
* CVE-2021-29964: Out of bounds-read when parsing a `WM_COPYDATA` message
* CVE-2021-29967: Memory safety bugs fixed in Firefox
ImportantSUSE bug 1185633SUSE bug 1186696CVE-2021-29951 at SUSECVE-2021-29951 at NVDCVE-2021-29964 at SUSECVE-2021-29964 at NVDCVE-2021-29967 at SUSECVE-2021-29967 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libX11 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libX11 fixes the following issues:
- Regression in the fix for CVE-2021-31535, causing segfaults for xforms applications like fdesign (bsc#1186643)
ImportantSUSE bug 1186643CVE-2021-31535 at SUSECVE-2021-31535 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for qemu (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for qemu fixes the following issues:
- Fix OOB access during mmio operations (CVE-2020-13754, bsc#1172382)
- Fix out-of-bounds read information disclosure in icmp6_send_echoreply (CVE-2020-10756, bsc#1172380)
- Fix out-of-bound heap buffer access via an interrupt ID field (CVE-2021-20221, bsc#1181933)
- For the record, these issues are fixed in this package already.
Most are alternate references to previously mentioned issues:
(CVE-2019-15890, bsc#1149813, CVE-2020-8608, bsc#1163019,
CVE-2020-14364, bsc#1175534, CVE-2020-25707, bsc#1178683,
CVE-2020-25723, bsc#1178935, CVE-2020-29130, bsc#1179477,
CVE-2021-20257, bsc#1182846, CVE-2021-3419, bsc#1182975,
bsc#1094725)
ImportantSUSE bug 1094725SUSE bug 1149813SUSE bug 1163019SUSE bug 1172380SUSE bug 1172382SUSE bug 1175534SUSE bug 1178683SUSE bug 1178935SUSE bug 1179477SUSE bug 1181933SUSE bug 1182846SUSE bug 1182975CVE-2019-15890 at SUSECVE-2019-15890 at NVDCVE-2020-10756 at SUSECVE-2020-10756 at NVDCVE-2020-13754 at SUSECVE-2020-13754 at NVDCVE-2020-14364 at SUSECVE-2020-14364 at NVDCVE-2020-25707 at SUSECVE-2020-25707 at NVDCVE-2020-25723 at SUSECVE-2020-25723 at NVDCVE-2020-29130 at SUSECVE-2020-29130 at NVDCVE-2020-8608 at SUSECVE-2020-8608 at NVDCVE-2021-20221 at SUSECVE-2021-20221 at NVDCVE-2021-20257 at SUSECVE-2021-20257 at NVDCVE-2021-3419 at SUSECVE-2021-3419 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_7_1-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_7_1-ibm fixes the following issues:
- Update to Java 7.1 Service Refresh 4 Fix Pack 75 [bsc#1180063, bsc#1177943]
CVE-2020-14792 CVE-2020-14797 CVE-2020-14782 CVE-2020-14781
CVE-2020-14779 CVE-2020-14798 CVE-2020-14796 CVE-2020-14803
* Class Libraries:
- Z/OS specific C function send_file is changing the file pointer position
* Security:
- Add the new oracle signer certificate
- Certificate parsing error
- JVM memory growth can be caused by the IBMPKCS11IMPL crypto provider
- Remove check for websphere signed jars
- sessionid.hashcode generates too many collisions
- The Java 8 IBM certpath provider does not honor the user
specified system property for CLR connect timeout
ModerateSUSE bug 1177943SUSE bug 1180063CVE-2020-14779 at SUSECVE-2020-14779 at NVDCVE-2020-14781 at SUSECVE-2020-14781 at NVDCVE-2020-14782 at SUSECVE-2020-14782 at NVDCVE-2020-14792 at SUSECVE-2020-14792 at NVDCVE-2020-14796 at SUSECVE-2020-14796 at NVDCVE-2020-14797 at SUSECVE-2020-14797 at NVDCVE-2020-14798 at SUSECVE-2020-14798 at NVDCVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for spice (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for spice fixes the following issues:
- CVE-2021-20201: client initiated renegotiation causing denial of service (bsc#1181686)
ImportantSUSE bug 1181686CVE-2021-20201 at SUSECVE-2021-20201 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for ucode-intel fixes the following issues:
Updated to Intel CPU Microcode 20210608 release.
- CVE-2020-24513: A domain bypass transient execution vulnerability was discovered on some Intel Atom processors that use a micro-architectural incident channel. (INTEL-SA-00465 bsc#1179833)
See also: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00465.html
- CVE-2020-24511: The IBRS feature to mitigate Spectre variant 2 transient execution side channel vulnerabilities may not fully prevent non-root (guest) branches from controlling the branch predictions of the root (host) (INTEL-SA-00464 bsc#1179836)
See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html)
- CVE-2020-24512: Fixed trivial data value cache-lines such as all-zero value cache-lines may lead to changes in cache-allocation or write-back behavior for such cache-lines (bsc#1179837 INTEL-SA-00464)
See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html)
- CVE-2020-24489: Fixed Intel VT-d device pass through potential local privilege escalation (INTEL-SA-00442 bsc#1179839)
See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00442.html
Other fixes:
- Update for functional issues. Refer to [Third Generation Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/637780)for details.
- Update for functional issues. Refer to [Second Generation Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/338848) for details.
- Update for functional issues. Refer to [Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/613537) for details.
- Update for functional issues. Refer to [Intel Xeon Processor D-1500, D-1500 NS and D-1600 NS Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-d-1500-specification-update.html) for details.
- Update for functional issues. Refer to [Intel Xeon E7-8800 and E7-4800 v3 Processor Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e7-v3-spec-update.html) for details.
- Update for functional issues. Refer to [Intel Xeon Processor E5 v3 Product Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html?wapkw=processor+spec+update+e5) for details.
- Update for functional issues. Refer to [10th Gen Intel Core Processor Families Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/10th-gen-core-families-specification-update.html) for details.
- Update for functional issues. Refer to [8th and 9th Gen Intel Core Processor Family Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/8th-gen-core-spec-update.html) for details.
- Update for functional issues. Refer to [7th Gen and 8th Gen (U Quad-Core) Intel Processor Families Specification Update](https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-spec-update.html) for details.
- Update for functional issues. Refer to [6th Gen Intel Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/332689) for details.
- Update for functional issues. Refer to [Intel Xeon E3-1200 v6 Processor Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v6-spec-update.html) for details.
- Update for functional issues. Refer to [Intel Xeon E-2100 and E-2200 Processor Family Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-e-2100-specification-update.html) for details.
- New platforms:
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| CLX-SP | A0 | 06-55-05/b7 | | 03000010 | Xeon Scalable Gen2
| ICX-SP | C0 | 06-6a-05/87 | | 0c0002f0 | Xeon Scalable Gen3
| ICX-SP | D0 | 06-6a-06/87 | | 0d0002a0 | Xeon Scalable Gen3
| SNR | B0 | 06-86-04/01 | | 0b00000f | Atom P59xxB
| SNR | B1 | 06-86-05/01 | | 0b00000f | Atom P59xxB
| TGL | B1 | 06-8c-01/80 | | 00000088 | Core Gen11 Mobile
| TGL-R | C0 | 06-8c-02/c2 | | 00000016 | Core Gen11 Mobile
| TGL-H | R0 | 06-8d-01/c2 | | 0000002c | Core Gen11 Mobile
| EHL | B1 | 06-96-01/01 | | 00000011 | Pentium J6426/N6415, Celeron J6412/J6413/N6210/N6211, Atom x6000E
| JSL | A0/A1 | 06-9c-00/01 | | 0000001d | Pentium N6000/N6005, Celeron N4500/N4505/N5100/N5105
| RKL-S | B0 | 06-a7-01/02 | | 00000040 | Core Gen11
- Updated platforms:
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000044 | 00000046 | Core Gen4 X series; Xeon E5 v3
| HSX-EX | E0 | 06-3f-04/80 | 00000016 | 00000019 | Xeon E7 v3
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000e2 | 000000ea | Core Gen6 Mobile
| SKL-U23e | K1 | 06-4e-03/c0 | 000000e2 | 000000ea | Core Gen6 Mobile
| BDX-ML | B0/M0/R0 | 06-4f-01/ef | 0b000038 | 0b00003e | Xeon E5/E7 v4; Core i7-69xx/68xx
| SKX-SP | B1 | 06-55-03/97 | 01000159 | 0100015b | Xeon Scalable
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006a0a | 02006b06 | Xeon Scalable
| SKX-D | M1 | 06-55-04/b7 | 02006a0a | 02006b06 | Xeon D-21xx
| CLX-SP | B0 | 06-55-06/bf | 04003006 | 04003102 | Xeon Scalable Gen2
| CLX-SP | B1 | 06-55-07/bf | 05003006 | 05003102 | Xeon Scalable Gen2
| CPX-SP | A1 | 06-55-0b/bf | 0700001e | 07002302 | Xeon Scalable Gen3
| BDX-DE | V2/V3 | 06-56-03/10 | 07000019 | 0700001b | Xeon D-1518/19/21/27/28/31/33/37/41/48, Pentium D1507/08/09/17/19
| BDX-DE | Y0 | 06-56-04/10 | 0f000017 | 0f000019 | Xeon D-1557/59/67/71/77/81/87
| BDX-NS | A0 | 06-56-05/10 | 0e00000f | 0e000012 | Xeon D-1513N/23/33/43/53
| APL | D0 | 06-5c-09/03 | 00000040 | 00000044 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
| APL | E0 | 06-5c-0a/03 | 0000001e | 00000020 | Atom x5-E39xx
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000e2 | 000000ea | Core Gen6; Xeon E3 v5
| DNV | B0 | 06-5f-01/01 | 0000002e | 00000034 | Atom C Series
| GLK | B0 | 06-7a-01/01 | 00000034 | 00000036 | Pentium Silver N/J5xxx, Celeron N/J4xxx
| GKL-R | R0 | 06-7a-08/01 | 00000018 | 0000001a | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| ICL-U/Y | D1 | 06-7e-05/80 | 000000a0 | 000000a6 | Core Gen10 Mobile
| LKF | B2/B3 | 06-8a-01/10 | 00000028 | 0000002a | Core w/Hybrid Technology
| AML-Y22 | H0 | 06-8e-09/10 | 000000de | 000000ea | Core Gen8 Mobile
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000de | 000000ea | Core Gen7 Mobile
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000e0 | 000000ea | Core Gen8 Mobile
| WHL-U | W0 | 06-8e-0b/d0 | 000000de | 000000ea | Core Gen8 Mobile
| AML-Y42 | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen10 Mobile
| CML-Y42 | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen10 Mobile
| WHL-U | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen8 Mobile
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000de | 000000ea | Core Gen7; Xeon E3 v6
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000de | 000000ea | Core Gen8 Desktop, Mobile, Xeon E
| CFL-S | B0 | 06-9e-0b/02 | 000000de | 000000ea | Core Gen8
| CFL-H/S | P0 | 06-9e-0c/22 | 000000de | 000000ea | Core Gen9
| CFL-H | R0 | 06-9e-0d/22 | 000000de | 000000ea | Core Gen9 Mobile
| CML-H | R1 | 06-a5-02/20 | 000000e0 | 000000ea | Core Gen10 Mobile
| CML-S62 | G1 | 06-a5-03/22 | 000000e0 | 000000ea | Core Gen10
| CML-S102 | Q0 | 06-a5-05/22 | 000000e0 | 000000ec | Core Gen10
| CML-U62 | A0 | 06-a6-00/80 | 000000e0 | 000000e8 | Core Gen10 Mobile
| CML-U62 V2 | K0 | 06-a6-01/80 | 000000e0 | 000000ea | Core Gen10 Mobile
ImportantSUSE bug 1179833SUSE bug 1179836SUSE bug 1179837SUSE bug 1179839CVE-2020-24489 at SUSECVE-2020-24489 at NVDCVE-2020-24511 at SUSECVE-2020-24511 at NVDCVE-2020-24512 at SUSECVE-2020-24512 at NVDCVE-2020-24513 at SUSECVE-2020-24513 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for caribou (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for caribou fixes the following issues:
Security issue fixed:
- CVE-2021-3567: Fixed a segfault when attempting to use shifted characters (bsc#1186617).
ImportantSUSE bug 1186617CVE-2021-3567 at SUSECVE-2021-3567 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for freeradius-server (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for freeradius-server fixes the following issues:
- Do not log passwords in logfiles (bsc#1184016)
ModerateSUSE bug 1184016cpe:/o:suse:sles-ltss:12:sp3Security update for java-1_8_0-openjdk (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_8_0-openjdk fixes the following issues:
- Update to version jdk8u292 (icedtea 3.19.0).
- CVE-2021-2161: Fixed incomplete enforcement of JAR signing disabled algorithms (bsc#1185055).
ModerateSUSE bug 1185055CVE-2021-2163 at SUSECVE-2021-2163 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for ImageMagick (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for ImageMagick fixes the following issues:
- CVE-2020-19667: Fixed a stack buffer overflow in XPM coder could result in a crash (bsc#1179103).
- CVE-2020-25664: Fixed a heap-based buffer overflow in PopShortPixel (bsc#1179202).
- CVE-2020-25665: Fixed a heap-based buffer overflow in WritePALMImage (bsc#1179208).
- CVE-2020-25666: Fixed an outside the range of representable values of type 'int' and signed integer overflow (bsc#1179212).
- CVE-2020-25674: Fixed a heap-based buffer overflow in WriteOnePNGImage (bsc#1179223).
- CVE-2020-25675: Fixed an outside the range of representable values of type 'long' and integer overflow (bsc#1179240).
- CVE-2020-25676: Fixed an outside the range of representable values of type 'long' and integer overflow at MagickCore/pixel.c (bsc#1179244).
- CVE-2020-27750: Fixed an division by zero in MagickCore/colorspace-private.h (bsc#1179260).
- CVE-2020-27751: Fixed an integer overflow in MagickCore/quantum-export.c (bsc#1179269).
- CVE-2020-27752: Fixed a heap-based buffer overflow in PopShortPixel in MagickCore/quantum-private.h (bsc#1179346).
- CVE-2020-27753: Fixed memory leaks in AcquireMagickMemory function (bsc#1179397).
- CVE-2020-27754: Fixed an outside the range of representable values of type 'long' and signed integer overflow at MagickCore/quantize.c (bsc#1179336).
- CVE-2020-27755: Fixed memory leaks in ResizeMagickMemory function in ImageMagick/MagickCore/memory.c (bsc#1179345).
- CVE-2020-27757: Fixed an outside the range of representable values of type 'unsigned long long' at MagickCore/quantum-private.h (bsc#1179268).
- CVE-2020-27759: Fixed an outside the range of representable values of type 'int' at MagickCore/quantize.c (bsc#1179313).
- CVE-2020-27760: Fixed a division by zero at MagickCore/enhance.c (bsc#1179281).
- CVE-2020-27761: Fixed an outside the range of representable values of type 'unsigned long' at coders/palm.c (bsc#1179315).
- CVE-2020-27762: Fixed an outside the range of representable values of type 'unsigned char' (bsc#1179278).
- CVE-2020-27763: Fixed a division by zero at MagickCore/resize.c (bsc#1179312).
- CVE-2020-27764: Fixed an outside the range of representable values of type 'unsigned long' at MagickCore/statistic.c (bsc#1179317).
- CVE-2020-27765: Fixed a division by zero at MagickCore/segment.c (bsc#1179311).
- CVE-2020-27766: Fixed an outside the range of representable values of type 'unsigned long' at MagickCore/statistic.c (bsc#1179361).
- CVE-2020-27767: Fixed an outside the range of representable values of type 'float' at MagickCore/quantum.h (bsc#1179322).
- CVE-2020-27768: Fixed an outside the range of representable values of type 'unsigned int' at MagickCore/quantum-private.h (bsc#1179339).
- CVE-2020-27769: Fixed an outside the range of representable values of type 'float' at MagickCore/quantize.c (bsc#1179321).
- CVE-2020-27770: Fixed an unsigned offset overflowed at MagickCore/string.c (bsc#1179343).
- CVE-2020-27771: Fixed an outside the range of representable values of type 'unsigned char' at coders/pdf.c (bsc#1179327).
- CVE-2020-27772: Fixed an outside the range of representable values of type 'unsigned int' at coders/bmp.c (bsc#1179347).
- CVE-2020-27773: Fixed a division by zero at MagickCore/gem-private.h (bsc#1179285).
- CVE-2020-27774: Fixed an integer overflow at MagickCore/statistic.c (bsc#1179333).
- CVE-2020-27775: Fixed an outside the range of representable values of type 'unsigned char' at MagickCore/quantum.h (bsc#1179338).
- CVE-2020-27776: Fixed an outside the range of representable values of type 'unsigned long' at MagickCore/statistic.c (bsc#1179362).
ImportantSUSE bug 1179103SUSE bug 1179202SUSE bug 1179208SUSE bug 1179212SUSE bug 1179223SUSE bug 1179240SUSE bug 1179244SUSE bug 1179260SUSE bug 1179268SUSE bug 1179269SUSE bug 1179278SUSE bug 1179281SUSE bug 1179285SUSE bug 1179311SUSE bug 1179312SUSE bug 1179313SUSE bug 1179315SUSE bug 1179317SUSE bug 1179321SUSE bug 1179322SUSE bug 1179327SUSE bug 1179333SUSE bug 1179336SUSE bug 1179338SUSE bug 1179339SUSE bug 1179343SUSE bug 1179345SUSE bug 1179346SUSE bug 1179347SUSE bug 1179361SUSE bug 1179362SUSE bug 1179397CVE-2020-19667 at SUSECVE-2020-19667 at NVDCVE-2020-25664 at SUSECVE-2020-25664 at NVDCVE-2020-25665 at SUSECVE-2020-25665 at NVDCVE-2020-25666 at SUSECVE-2020-25666 at NVDCVE-2020-25674 at SUSECVE-2020-25674 at NVDCVE-2020-25675 at SUSECVE-2020-25675 at NVDCVE-2020-25676 at SUSECVE-2020-25676 at NVDCVE-2020-27750 at SUSECVE-2020-27750 at NVDCVE-2020-27751 at SUSECVE-2020-27751 at NVDCVE-2020-27752 at SUSECVE-2020-27752 at NVDCVE-2020-27753 at SUSECVE-2020-27753 at NVDCVE-2020-27754 at SUSECVE-2020-27754 at NVDCVE-2020-27755 at SUSECVE-2020-27755 at NVDCVE-2020-27757 at SUSECVE-2020-27757 at NVDCVE-2020-27759 at SUSECVE-2020-27759 at NVDCVE-2020-27760 at SUSECVE-2020-27760 at NVDCVE-2020-27761 at SUSECVE-2020-27761 at NVDCVE-2020-27762 at SUSECVE-2020-27762 at NVDCVE-2020-27763 at SUSECVE-2020-27763 at NVDCVE-2020-27764 at SUSECVE-2020-27764 at NVDCVE-2020-27765 at SUSECVE-2020-27765 at NVDCVE-2020-27766 at SUSECVE-2020-27766 at NVDCVE-2020-27767 at SUSECVE-2020-27767 at NVDCVE-2020-27768 at SUSECVE-2020-27768 at NVDCVE-2020-27769 at SUSECVE-2020-27769 at NVDCVE-2020-27770 at SUSECVE-2020-27770 at NVDCVE-2020-27771 at SUSECVE-2020-27771 at NVDCVE-2020-27772 at SUSECVE-2020-27772 at NVDCVE-2020-27773 at SUSECVE-2020-27773 at NVDCVE-2020-27774 at SUSECVE-2020-27774 at NVDCVE-2020-27775 at SUSECVE-2020-27775 at NVDCVE-2020-27776 at SUSECVE-2020-27776 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.32.1:
+ Improve handling of Media Capture devices.
+ Improve WebAudio playback.
+ Improve video orientation handling.
+ Improve seeking support for MSE playback.
+ Improve flush support in EME decryptors.
+ Fix HTTP status codes for requests done through a custom URI handler.
+ Fix the Bubblewrap sandbox in certain 32-bit systems.
+ Fix inconsistencies between the WebKitWebView.is-muted property
state and values returned by
webkit_web_view_is_playing_audio().
+ Fix the build with ENABLE_VIDEO=OFF.
+ Fix wrong timestamps for long-lived cookies.
+ Fix UI process crash when failing to load favicons.
+ Fix several crashes and rendering issues.
- Including Security fixes for: CVE-2021-1788, CVE-2021-1844, CVE-2021-1871,
CVE-2020-27918, CVE-2020-29623, CVE-2021-1765, CVE-2021-1789, CVE-2021-1799,
CVE-2021-1801, CVE-2021-1870, CVE-2020-13558, CVE-2020-13584, CVE-2020-9983,
CVE-2020-13543, CVE-2020-9947, CVE-2020-9948, CVE-2020-9951.
ImportantSUSE bug 1177087SUSE bug 1179122SUSE bug 1179451SUSE bug 1182286SUSE bug 1184155SUSE bug 1184262CVE-2020-13543 at SUSECVE-2020-13543 at NVDCVE-2020-13558 at SUSECVE-2020-13558 at NVDCVE-2020-13584 at SUSECVE-2020-13584 at NVDCVE-2020-27918 at SUSECVE-2020-27918 at NVDCVE-2020-29623 at SUSECVE-2020-29623 at NVDCVE-2020-9947 at SUSECVE-2020-9947 at NVDCVE-2020-9948 at SUSECVE-2020-9948 at NVDCVE-2020-9951 at SUSECVE-2020-9951 at NVDCVE-2020-9983 at SUSECVE-2020-9983 at NVDCVE-2021-1765 at SUSECVE-2021-1765 at NVDCVE-2021-1788 at SUSECVE-2021-1788 at NVDCVE-2021-1789 at SUSECVE-2021-1789 at NVDCVE-2021-1799 at SUSECVE-2021-1799 at NVDCVE-2021-1801 at SUSECVE-2021-1801 at NVDCVE-2021-1844 at SUSECVE-2021-1844 at NVDCVE-2021-1870 at SUSECVE-2021-1870 at NVDCVE-2021-1871 at SUSECVE-2021-1871 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for apache2 fixes the following issues:
- fixed CVE-2021-30641 [bsc#1187174]: MergeSlashes regression
- fixed CVE-2021-31618 [bsc#1186924]: NULL pointer dereference on specially crafted HTTP/2 request
- fixed CVE-2020-35452 [bsc#1186922]: Single zero byte stack overflow in mod_auth_digest
- fixed CVE-2021-26690 [bsc#1186923]: mod_session NULL pointer dereference in parser
- fixed CVE-2021-26691 [bsc#1187017]: Heap overflow in mod_session
ImportantSUSE bug 1186922SUSE bug 1186923SUSE bug 1186924SUSE bug 1187017SUSE bug 1187174CVE-2020-35452 at SUSECVE-2020-35452 at NVDCVE-2021-26690 at SUSECVE-2021-26690 at NVDCVE-2021-26691 at SUSECVE-2021-26691 at NVDCVE-2021-30641 at SUSECVE-2021-30641 at NVDCVE-2021-31618 at SUSECVE-2021-31618 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for xterm (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for xterm fixes the following issues:
- CVE-2021-27135: Fixed buffer-overflow when clicking on selected utf8 text. (bsc#1182091)
ImportantSUSE bug 1182091CVE-2021-27135 at SUSECVE-2021-27135 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_144 fixes several issues.
The following issues were fixed:
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing an arbitrary values (bsc#1186111).
- CVE-2021-28688: Fixed an issue introduced by XSA-365, leaving around zombie domains after xen guest has died (bsc#1183646).
- CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with system execution privileges needed. (bsc#1176724).
- Fixed a regression with the last livepatch which caused a kernel warning during sysfs read (bsc#1186235).
ImportantSUSE bug 1176931SUSE bug 1182294SUSE bug 1186235SUSE bug 1186285CVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2021-28688 at SUSECVE-2021-28688 at NVDCVE-2021-33034 at SUSECVE-2021-33034 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_141 fixes several issues.
The following issues were fixed:
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing an arbitrary values (bsc#1186111).
- CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
- Fixed a regression with the last livepatch which caused a kernel warning during sysfs read (bsc#1186235).
ImportantSUSE bug 1185899SUSE bug 1186235SUSE bug 1186285CVE-2021-32399 at SUSECVE-2021-32399 at NVDCVE-2021-33034 at SUSECVE-2021-33034 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_138 fixes several issues.
The following issues were fixed:
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing an arbitrary values (bsc#1186111).
- CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
- Fixed a regression with the last livepatch which caused a kernel warning during sysfs read (bsc#1186235).
ImportantSUSE bug 1185899SUSE bug 1186235SUSE bug 1186285CVE-2021-32399 at SUSECVE-2021-32399 at NVDCVE-2021-33034 at SUSECVE-2021-33034 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_135 fixes several issues.
The following security issues were fixed:
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing an arbitrary values (bsc#1186111).
- CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
ImportantSUSE bug 1185899SUSE bug 1186285CVE-2021-32399 at SUSECVE-2021-32399 at NVDCVE-2021-33034 at SUSECVE-2021-33034 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_130 fixes several issues.
The following security issues were fixed:
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing an arbitrary values (bsc#1186111).
- CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
ImportantSUSE bug 1185899SUSE bug 1186285CVE-2021-32399 at SUSECVE-2021-32399 at NVDCVE-2021-33034 at SUSECVE-2021-33034 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_127 fixes several issues.
The following security issues were fixed:
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing an arbitrary values (bsc#1186111).
- CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
ImportantSUSE bug 1185899SUSE bug 1186285CVE-2021-32399 at SUSECVE-2021-32399 at NVDCVE-2021-33034 at SUSECVE-2021-33034 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_124 fixes several issues.
The following security issues were fixed:
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing an arbitrary values (bsc#1186111).
- CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
ImportantSUSE bug 1185899SUSE bug 1186285CVE-2021-32399 at SUSECVE-2021-32399 at NVDCVE-2021-33034 at SUSECVE-2021-33034 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for ovmf (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for ovmf fixes the following issues:
- Fixed a possible buffer overflow in IScsiDxe (bsc#1186151)
ImportantSUSE bug 1186151cpe:/o:suse:sles-ltss:12:sp3Security update for libnettle (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libnettle fixes the following issues:
- CVE-2021-3580: Fixed a remote denial of service in the RSA decryption via manipulated ciphertext (bsc#1187060).
ImportantSUSE bug 1187060CVE-2021-3580 at SUSECVE-2021-3580 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libgcrypt (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libgcrypt fixes the following issues:
- CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212).
ImportantSUSE bug 1187212CVE-2021-33560 at SUSECVE-2021-33560 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for openexr (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for openexr fixes the following issues:
- Fixed CVE-2021-3479 [bsc#1184354]: Out-of-memory caused by allocation of a very large buffer
- Fixed CVE-2021-3605 [bsc#1187395]: Heap buffer overflow in the rleUncompress function
- Fixed CVE-2021-3598 [bsc#1187310]: Heap buffer overflow in Imf_3_1:CharPtrIO:readChars
ImportantSUSE bug 1184354SUSE bug 1187310SUSE bug 1187395CVE-2021-3479 at SUSECVE-2021-3479 at NVDCVE-2021-3598 at SUSECVE-2021-3598 at NVDCVE-2021-3605 at SUSECVE-2021-3605 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for postgresql, postgresql12, postgresql13 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for postgresql, postgresql12, postgresql13 fixes the following issues:
Initial packaging of PostgreSQL 13:
* https://www.postgresql.org/about/news/2077/
* https://www.postgresql.org/docs/13/release-13.html
Changes in postgresql:
- Bump postgresql major version to 13.
Changes in postgresql12:
- %ghost the symlinks to pg_config and ecpg. (bsc#1178961)
- BuildRequire libpq5 and libecpg6 when not building them to avoid dangling symlinks in the devel package. (bsc#1179765)
- Fix a DST problem in the test suite.
Changes in postgresql13:
- Add postgresql-icu68.patch: fix build with ICU 68
- %ghost the symlinks to pg_config and ecpg. (bsc#1178961)
- BuildRequire libpq5 and libecpg6 when not building them to avoid dangling symlinks in the devel package. (bsc#1179765)
Upgrade to version 13.1:
* CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and
materialized view queries.
* CVE-2020-25694, bsc#1178667:
a) Fix usage of complex connection-string parameters in pg_dump,
pg_restore, clusterdb, reindexdb, and vacuumdb.
b) When psql's \connect command re-uses connection parameters,
ensure that all non-overridden parameters from a previous
connection string are re-used.
* CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from
modifying specially-treated variables.
* Fix recently-added timetz test case so it works when the USA
is not observing daylight savings time.
(obsoletes postgresql-timetz.patch)
* https://www.postgresql.org/about/news/2111/
* https://www.postgresql.org/docs/13/release-13-1.html
- Fix a DST problem in the test suite.
ImportantSUSE bug 1178666SUSE bug 1178667SUSE bug 1178668SUSE bug 1178961SUSE bug 1179765CVE-2020-25694 at SUSECVE-2020-25694 at NVDCVE-2020-25695 at SUSECVE-2020-25695 at NVDCVE-2020-25696 at SUSECVE-2020-25696 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for arpwatch (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for arpwatch fixes the following issues:
- CVE-2021-25321: Fixed local privilege escalation from runtime user to root (bsc#1186240).
ImportantSUSE bug 1186240CVE-2021-25321 at SUSECVE-2021-25321 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libsolv (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libsolv fixes the following issues:
Security issues fixed:
- CVE-2019-20387: Fixed heap-buffer-overflow in repodata_schema2id (bsc#1161510)
- CVE-2021-3200: testcase_read: error out if repos are added or the system is changed too late (bsc#1186229)
Other issues fixed:
- backport support for blacklisted packages to support ptf packages and retracted patches
- fix ruleinfo of complex dependencies returning the wrong origin
- fix SOLVER_FLAG_FOCUS_BEST updateing packages without reason
- fix add_complex_recommends() selecting conflicted packages in rare cases
- fix potential segfault in resolve_jobrules
- fix solv_zchunk decoding error if large chunks are used
ImportantSUSE bug 1161510SUSE bug 1186229CVE-2019-20387 at SUSECVE-2019-20387 at NVDCVE-2021-3200 at SUSECVE-2021-3200 at NVDcpe:/o:suse:sles-ltss:12:sp3Recommended update for the Azure and AWS SDKs (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the SLE Public Cloud module provides the following fixes:
Azure SDK update:
This update for the Azure SDK and CLI adds support for the AHB (Azure Hybrid Benefit).
(bsc#1176784, jsc#ECO-3105)
AWS SDK update:
This update for the AWS SDK updates python-boto3 to version 1.17.9 and aws-cli to 1.19.9.
(bsc#1182421, jsc#ECO-3352)
Security fix for python-urllib3:
- Improve performance of sub-authority splitting in URL. (bsc#1187045, CVE-2021-33503)
ImportantSUSE bug 1125671SUSE bug 1154393SUSE bug 1175289SUSE bug 1176784SUSE bug 1176785SUSE bug 1182421SUSE bug 1187045CVE-2021-33503 at SUSECVE-2021-33503 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for openssh (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for openssh fixes the following issues:
- CVE-2020-14145: Fixed a potential information leak during host key exchange (bsc#1173513).
ModerateSUSE bug 1173513CVE-2020-14145 at SUSECVE-2020-14145 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for sudo (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for sudo fixes the following issues:
- A Heap-based buffer overflow in sudo could be exploited to allow a user to gain root privileges
[bsc#1181090,CVE-2021-3156]
- It was possible for a user to test for the existence of a directory due to a Race Condition in `sudoedit`
[bsc#1180684,CVE-2021-23239]
- A Possible Symlink Attack vector existed in `sudoedit` if SELinux was running in permissive mode [bsc#1180685,
CVE-2021-23240]
- It was possible for a User to enable Debug Settings not Intended for them [bsc#1180687]
ImportantSUSE bug 1180684SUSE bug 1180685SUSE bug 1180687SUSE bug 1181090CVE-2021-23239 at SUSECVE-2021-23239 at NVDCVE-2021-23240 at SUSECVE-2021-23240 at NVDCVE-2021-3156 at SUSECVE-2021-3156 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 78.12.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-29 (bsc#1188275)
* CVE-2021-29970: Use-after-free in accessibility features of a document
* CVE-2021-30547: Out of bounds write in ANGLE
* CVE-2021-29976: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12
ImportantSUSE bug 1188275CVE-2021-29970 at SUSECVE-2021-29970 at NVDCVE-2021-29976 at SUSECVE-2021-29976 at NVDCVE-2021-30547 at SUSECVE-2021-30547 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.7.0 ESR (MFSA 2021-04, bsc#1181414)
* CVE-2021-23953: Fixed a Cross-origin information leakage via redirected PDF requests
* CVE-2021-23954: Fixed a type confusion when using logical assignment operators in JavaScript switch statements
* CVE-2020-26976: Fixed an issue where HTTPS pages could have been intercepted by a registered service worker when they should not have been
* CVE-2021-23960: Fixed a use-after-poison for incorrectly redeclared JavaScript variables during GC
* CVE-2021-23964: Fixed Memory safety bugs
ImportantSUSE bug 1181414CVE-2020-26976 at SUSECVE-2020-26976 at NVDCVE-2021-23953 at SUSECVE-2021-23953 at NVDCVE-2021-23954 at SUSECVE-2021-23954 at NVDCVE-2021-23960 at SUSECVE-2021-23960 at NVDCVE-2021-23964 at SUSECVE-2021-23964 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for systemd (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for systemd fixes the following issues:
Security issues fixed:
- CVE-2021-33910: Fixed a denial of service (stack exhaustion) in systemd (PID 1) (bsc#1188063)
Other fixes:
- mount-util: shorten the loop a bit (#7545)
- mount-util: do not use the official MAX_HANDLE_SZ (#7523)
- mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761)
- mount-util: fix bad indenting
- mount-util: EOVERFLOW might have other causes than buffer size issues
- mount-util: fix error propagation in fd_fdinfo_mnt_id()
- mount-util: drop exponential buffer growing in name_to_handle_at_loop()
- udev: port udev_has_devtmpfs() to use path_get_mnt_id()
- mount-util: add new path_get_mnt_id() call that queries the mnt ID of a path
- mount-util: add name_to_handle_at_loop() wrapper around name_to_handle_at()
- mount-util: accept that name_to_handle_at() might fail with EPERM (#5499)
- basic: fallback to the fstat if we don't have access to the /proc/self/fdinfo
- sysusers: use the usual comment style
- test/TEST-21-SYSUSERS: add tests for new functionality
- sysusers: allow admin/runtime overrides to command-line config
- basic/strv: add function to insert items at position
- sysusers: allow the shell to be specified
- sysusers: move various user credential validity checks to src/basic/
- man: reformat table in sysusers.d(5)
- sysusers: take configuration as positional arguments
- sysusers: emit a bit more info at debug level when locking fails
- sysusers: allow force reusing existing user/group IDs (#8037)
- sysusers: ensure GID in uid:gid syntax exists
- sysusers: make ADD_GROUP always create a group
- test: add TEST-21-SYSUSERS test
- sysuser: use OrderedHashmap
- sysusers: allow uid:gid in sysusers.conf files
- sysusers: fix memleak (#4430)
- These commits implement the option '--replace' for systemd-sysusers
so %sysusers_create_package can be introduced in SLE and packages
can rely on this rpm macro without wondering whether the macro is
available on the different target the package is submitted to.
- Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807)
- systemctl: add --value option
- execute: make sure to call into PAM after initializing resource limits (bsc#1184967)
- rlimit-util: introduce setrlimit_closest_all()
- system-conf: drop reference to ShutdownWatchdogUsec=
- core: rename ShutdownWatchdogSec to RebootWatchdogSec (bsc#1185331)
- Return -EAGAIN instead of -EALREADY from unit_reload (bsc#1185046)
- rules: don't ignore Xen virtual interfaces anymore (bsc#1178561)
- write_net_rules: set execute bits (bsc#1178561)
- udev: rework network device renaming
- Revert 'Revert 'udev: network device renaming - immediately give up if the target name isn't available''
ImportantSUSE bug 1178561SUSE bug 1184761SUSE bug 1184967SUSE bug 1185046SUSE bug 1185331SUSE bug 1185807SUSE bug 1188063CVE-2021-33910 at SUSECVE-2021-33910 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_144 fixes several issues.
The following security issues were fixed:
- CVE-2021-0605: Fixed an out-of-bounds read which could lead to local information disclosure in the kernel with System execution privileges needed. (bsc#1187687)
- CVE-2021-0512: Fixed a possible out-of-bounds write which could lead to local escalation of privilege with no additional execution privileges needed. (bsc#1187597)
ImportantSUSE bug 1187597SUSE bug 1187687CVE-2021-0512 at SUSECVE-2021-0512 at NVDCVE-2021-0605 at SUSECVE-2021-0605 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_141 fixes several issues.
The following security issues were fixed:
- CVE-2021-0605: Fixed an out-of-bounds read which could lead to local information disclosure in the kernel with System execution privileges needed. (bsc#1187687)
- CVE-2021-0512: Fixed a possible out-of-bounds write which could lead to local escalation of privilege with no additional execution privileges needed. (bsc#1187597)
ImportantSUSE bug 1187597SUSE bug 1187687CVE-2021-0512 at SUSECVE-2021-0512 at NVDCVE-2021-0605 at SUSECVE-2021-0605 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_138 fixes several issues.
The following security issues were fixed:
- CVE-2021-0605: Fixed an out-of-bounds read which could lead to local information disclosure in the kernel with System execution privileges needed. (bsc#1187687)
- CVE-2021-0512: Fixed a possible out-of-bounds write which could lead to local escalation of privilege with no additional execution privileges needed. (bsc#1187597)
ImportantSUSE bug 1187597SUSE bug 1187687CVE-2021-0512 at SUSECVE-2021-0512 at NVDCVE-2021-0605 at SUSECVE-2021-0605 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_135 fixes several issues.
The following security issues were fixed:
- CVE-2021-0605: Fixed an out-of-bounds read which could lead to local information disclosure in the kernel with System execution privileges needed. (bsc#1187687)
- CVE-2021-0512: Fixed a possible out-of-bounds write which could lead to local escalation of privilege with no additional execution privileges needed. (bsc#1187597)
ImportantSUSE bug 1187597SUSE bug 1187687CVE-2021-0512 at SUSECVE-2021-0512 at NVDCVE-2021-0605 at SUSECVE-2021-0605 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_130 fixes several issues.
The following security issues were fixed:
- CVE-2021-0605: Fixed an out-of-bounds read which could lead to local information disclosure in the kernel with System execution privileges needed. (bsc#1187687)
- CVE-2021-0512: Fixed a possible out-of-bounds write which could lead to local escalation of privilege with no additional execution privileges needed. (bsc#1187597)
ImportantSUSE bug 1187597SUSE bug 1187687CVE-2021-0512 at SUSECVE-2021-0512 at NVDCVE-2021-0605 at SUSECVE-2021-0605 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_127 fixes several issues.
The following security issues were fixed:
- CVE-2021-0605: Fixed an out-of-bounds read which could lead to local information disclosure in the kernel with System execution privileges needed. (bsc#1187687)
- CVE-2021-0512: Fixed a possible out-of-bounds write which could lead to local escalation of privilege with no additional execution privileges needed. (bsc#1187597)
ImportantSUSE bug 1187597SUSE bug 1187687CVE-2021-0512 at SUSECVE-2021-0512 at NVDCVE-2021-0605 at SUSECVE-2021-0605 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for linuxptp (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for linuxptp fixes the following issues:
- CVE-2021-3570: Validate the messageLength field of incoming messages. (bsc#1187646)
ImportantSUSE bug 1187646CVE-2021-3570 at SUSECVE-2021-3570 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2021-22555: Fixed an heap out-of-bounds write in net/netfilter/x_tables.c that could allow local provilege escalation. (bsc#1188116)
- CVE-2021-33909: Fixed an out-of-bounds write in the filesystem layer that allows to obtain full root privileges. (bsc#1188062)
- CVE-2021-3609: Fixed a race condition in the CAN BCM networking protocol which allows for local privilege escalation. (bsc#1187215)
- CVE-2021-0605: Fixed an out-of-bounds read which could lead to local information disclosure in the kernel with System execution privileges needed. (bsc#1187601)
- CVE-2021-0512: Fixed a possible out-of-bounds write which could lead to local escalation of privilege with no additional execution privileges needed. (bsc#1187595)
- CVE-2021-34693: Fixed a bug in net/can/bcm.c which could allow local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized. (bsc#1187452)
- CVE-2020-36385: Fixed a use-after-free flaw in ucma.c which allows for local privilege escalation. (bsc#1187050)
- CVE-2021-0129: Fixed an improper access control in BlueZ that may have allowed an authenticated user to potentially enable information disclosure via adjacent access. (bsc#1186463)
- CVE-2020-26558: Fixed a flaw in the Bluetooth LE and BR/EDR secure pairing that could permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing. (bsc#1179610)
- CVE-2020-36386: Fixed an out-of-bounds read in hci_extended_inquiry_result_evt. (bsc#1187038)
- CVE-2020-24588: Fixed a bug that could allow an adversary to abuse devices that support receiving non-SSP A-MSDU frames to inject arbitrary network packets. (bsc#1185861)
- CVE-2021-32399: Fixed a race condition in net/bluetooth/hci_request.c for removal of the HCI controller. (bsc#1184611)
- CVE-2021-33034: Fixed an issue in net/bluetooth/hci_event.c where a use-after-free leads to writing an arbitrary value. (bsc#1186111)
- CVE-2020-26139: Fixed a bug that allows an Access Point (AP) to forward EAPOL frames to other clients even though the sender has not yet successfully authenticated. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and made it easier to exploit other vulnerabilities in connected clients. (bsc#1186062)
- CVE-2021-23134: Fixed a use After Free vulnerability in nfc sockets which allows local attackers to elevate their privileges. (bsc#1186060)
- CVE-2020-24586: Fixed a bug that, under the right circumstances, allows to inject arbitrary network packets and/or exfiltrate user data when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP. (bsc#1185859)
- CVE-2020-26141: Fixed a flaw that could allows an adversary to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (bsc#1185987)
- CVE-2020-26145: Fixed a bug in the WEP, WPA, WPA2, and WPA3 implementations that could allows an adversary to inject arbitrary network packets. (bsc#1185860)
- CVE-2020-24587: Fixed a bug that allows an adversary to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (bsc#1185862)
- CVE-2020-26147: Fixed a bug in the WEP, WPA, WPA2, and WPA3 implementations that could allows an adversary to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames. (bsc#1185987)
The following non-security bugs were fixed:
- Bluetooth: SMP: Fail if remote and local public keys are identical (git-fixes).
- Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185724).
- Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185724).
- hv_netvsc: Add handlers for ethtool get/set msg level (bsc#1175462).
- hv_netvsc: avoid retry on send during shutdown (bsc#1175462).
- hv_netvsc: avoid unnecessary wakeups on subchannel creation (bsc#1175462).
- hv_netvsc: cancel subchannel setup before halting device (bsc#1175462).
- hv_netvsc: change GPAD teardown order on older versions (bsc#1175462).
- hv_netvsc: common detach logic (bsc#1175462).
- hv_netvsc: delay setup of VF device (bsc#1175462).
- hv_netvsc: disable NAPI before channel close (bsc#1175462).
- hv_netvsc: Ensure correct teardown message sequence order (bsc#1175462).
- hv_netvsc: Fix a deadlock by getting rtnl lock earlier in netvsc_probe() (bsc#1175462).
- hv_netvsc: Fix a network regression after ifdown/ifup (bsc#1175462).
- hv_netvsc: fix deadlock on hotplug (bsc#1175462).
- hv_netvsc: Fix error handling in netvsc_attach() (bsc#1175462).
- hv_netvsc: fix error unwind handling if vmbus_open fails (bsc#1175462).
- hv_netvsc: Fix extra rcu_read_unlock in netvsc_recv_callback() (bsc#1175462).
- hv_netvsc: fix handling of fallback to single queue mode (bsc#1175462).
- hv_netvsc: Fix hash key value reset after other ops (bsc#1175462).
- hv_netvsc: Fix IP header checksum for coalesced packets (bsc#1175462).
- hv_netvsc: Fix net device attach on older Windows hosts (bsc#1175462).
- hv_netvsc: fix network namespace issues with VF support (bsc#1175462).
- hv_netvsc: Fix NULL dereference at single queue mode fallback (bsc#1175462).
- hv_netvsc: fix race during initialization (bsc#1175462).
- hv_netvsc: fix race on sub channel creation (bsc#1175462).
- hv_netvsc: fix race that may miss tx queue wakeup (bsc#1175462).
- hv_netvsc: fix schedule in RCU context (bsc#1175462).
- hv_netvsc: Fix the variable sizes in ipsecv2 and rsc offload (bsc#1175462).
- hv_netvsc: Fix tx_table init in rndis_set_subchannel() (bsc#1175462).
- hv_netvsc: Fix unwanted wakeup after tx_disable (bsc#1175462).
- hv_netvsc: Fix unwanted wakeup in netvsc_attach() (bsc#1175462).
- hv_netvsc: flag software created hash value (bsc#1175462).
- hv_netvsc: netvsc_teardown_gpadl() split (bsc#1175462).
- hv_netvsc: only wake transmit queue if link is up (bsc#1175462).
- hv_netvsc: pass netvsc_device to rndis halt (bsc#1175462).
- hv_netvsc: preserve hw_features on mtu/channels/ringparam changes (bsc#1175462).
- hv_netvsc: Refactor assignments of struct netvsc_device_info (bsc#1175462).
- hv_netvsc: set master device (bsc#1175462).
- hv_netvsc: Set tx_table to equal weight after subchannels open (bsc#1175462).
- hv_netvsc: Simplify num_chn checking in rndis_filter_device_add() (bsc#1175462).
- hv_netvsc: Split netvsc_revoke_buf() and netvsc_teardown_gpadl() (bsc#1175462).
- hv_netvsc: split sub-channel setup into async and sync (bsc#1175462).
- hv_netvsc: typo in NDIS RSS parameters structure (bsc#1175462).
- hv_netvsc: use RCU to fix concurrent rx and queue changes (bsc#1175462).
- hv_netvsc: use reciprocal divide to speed up percent calculation (bsc#1175462).
- hv_netvsc: Use Windows version instead of NVSP version on GPAD teardown (bsc#1175462).
- kgraft: truncate the output from state_show() sysfs attr (bsc#1186235).
- mm, memory_hotplug: do not clear numa_node association after hot_remove (bsc#1115026).
- mm: consider __HW_POISON pages when allocating from pcp lists (bsc#1187388).
- scsi: storvsc: Enable scatterlist entry lengths > 4Kbytes (bsc#1187193).
- video: hyperv_fb: Add ratelimit on error message (bsc#1185724).
ImportantSUSE bug 1115026SUSE bug 1175462SUSE bug 1179610SUSE bug 1184611SUSE bug 1185724SUSE bug 1185859SUSE bug 1185860SUSE bug 1185861SUSE bug 1185862SUSE bug 1185863SUSE bug 1185898SUSE bug 1185987SUSE bug 1186060SUSE bug 1186062SUSE bug 1186111SUSE bug 1186235SUSE bug 1186390SUSE bug 1186463SUSE bug 1187038SUSE bug 1187050SUSE bug 1187193SUSE bug 1187215SUSE bug 1187388SUSE bug 1187452SUSE bug 1187595SUSE bug 1187601SUSE bug 1187934SUSE bug 1188062SUSE bug 1188063SUSE bug 1188116CVE-2020-24586 at SUSECVE-2020-24586 at NVDCVE-2020-24587 at SUSECVE-2020-24587 at NVDCVE-2020-24588 at SUSECVE-2020-24588 at NVDCVE-2020-26139 at SUSECVE-2020-26139 at NVDCVE-2020-26141 at SUSECVE-2020-26141 at NVDCVE-2020-26145 at SUSECVE-2020-26145 at NVDCVE-2020-26147 at SUSECVE-2020-26147 at NVDCVE-2020-26558 at SUSECVE-2020-26558 at NVDCVE-2020-36385 at SUSECVE-2020-36385 at NVDCVE-2020-36386 at SUSECVE-2020-36386 at NVDCVE-2021-0129 at SUSECVE-2021-0129 at NVDCVE-2021-0512 at SUSECVE-2021-0512 at NVDCVE-2021-0605 at SUSECVE-2021-0605 at NVDCVE-2021-22555 at SUSECVE-2021-22555 at NVDCVE-2021-23134 at SUSECVE-2021-23134 at NVDCVE-2021-32399 at SUSECVE-2021-32399 at NVDCVE-2021-33034 at SUSECVE-2021-33034 at NVDCVE-2021-33909 at SUSECVE-2021-33909 at NVDCVE-2021-34693 at SUSECVE-2021-34693 at NVDCVE-2021-3609 at SUSECVE-2021-3609 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_144 fixes several issues.
The following security issues were fixed:
- CVE-2021-33909: Fixed an out-of-bounds write in the filesystem layer that allows to andobtain full root privileges. (bsc#1188062)
- CVE-2021-22555: Fixed an heap out-of-bounds write in net/netfilter/x_tables.c that could allow local provilege escalation. (bsc#1188116)
- CVE-2020-36385: Fixed a use-after-free vulnerability reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called. (bnc#1187050)
ImportantSUSE bug 1187052SUSE bug 1188117SUSE bug 1188257CVE-2020-36385 at SUSECVE-2020-36385 at NVDCVE-2021-22555 at SUSECVE-2021-22555 at NVDCVE-2021-33909 at SUSECVE-2021-33909 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_141 fixes several issues.
The following security issues were fixed:
- CVE-2021-33909: Fixed an out-of-bounds write in the filesystem layer that allows to andobtain full root privileges. (bsc#1188062)
- CVE-2021-22555: Fixed an heap out-of-bounds write in net/netfilter/x_tables.c that could allow local provilege escalation. (bsc#1188116)
- CVE-2020-36385: Fixed a use-after-free vulnerability reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called. (bnc#1187050)
ImportantSUSE bug 1187052SUSE bug 1188117SUSE bug 1188257CVE-2020-36385 at SUSECVE-2020-36385 at NVDCVE-2021-22555 at SUSECVE-2021-22555 at NVDCVE-2021-33909 at SUSECVE-2021-33909 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_138 fixes several issues.
The following security issues were fixed:
- CVE-2021-33909: Fixed an out-of-bounds write in the filesystem layer that allows to andobtain full root privileges. (bsc#1188062)
- CVE-2021-22555: Fixed an heap out-of-bounds write in net/netfilter/x_tables.c that could allow local provilege escalation. (bsc#1188116)
- CVE-2020-36385: Fixed a use-after-free vulnerability reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called. (bnc#1187050)
ImportantSUSE bug 1187052SUSE bug 1188117SUSE bug 1188257CVE-2020-36385 at SUSECVE-2020-36385 at NVDCVE-2021-22555 at SUSECVE-2021-22555 at NVDCVE-2021-33909 at SUSECVE-2021-33909 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_135 fixes several issues.
The following security issues were fixed:
- CVE-2021-33909: Fixed an out-of-bounds write in the filesystem layer that allows to andobtain full root privileges. (bsc#1188062)
- CVE-2021-22555: Fixed an heap out-of-bounds write in net/netfilter/x_tables.c that could allow local provilege escalation. (bsc#1188116)
- CVE-2020-36385: Fixed a use-after-free vulnerability reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called. (bnc#1187050)
ImportantSUSE bug 1187052SUSE bug 1188117SUSE bug 1188257CVE-2020-36385 at SUSECVE-2020-36385 at NVDCVE-2021-22555 at SUSECVE-2021-22555 at NVDCVE-2021-33909 at SUSECVE-2021-33909 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_130 fixes several issues.
The following security issues were fixed:
- CVE-2021-33909: Fixed an out-of-bounds write in the filesystem layer that allows to andobtain full root privileges. (bsc#1188062)
- CVE-2021-22555: Fixed an heap out-of-bounds write in net/netfilter/x_tables.c that could allow local provilege escalation. (bsc#1188116)
- CVE-2020-36385: Fixed a use-after-free vulnerability reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called. (bnc#1187050)
ImportantSUSE bug 1187052SUSE bug 1188117SUSE bug 1188257CVE-2020-36385 at SUSECVE-2020-36385 at NVDCVE-2021-22555 at SUSECVE-2021-22555 at NVDCVE-2021-33909 at SUSECVE-2021-33909 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_127 fixes several issues.
The following security issues were fixed:
- CVE-2021-33909: Fixed an out-of-bounds write in the filesystem layer that allows to andobtain full root privileges. (bsc#1188062)
- CVE-2021-22555: Fixed an heap out-of-bounds write in net/netfilter/x_tables.c that could allow local provilege escalation. (bsc#1188116)
- CVE-2020-36385: Fixed a use-after-free vulnerability reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called. (bnc#1187050)
ImportantSUSE bug 1187052SUSE bug 1188117SUSE bug 1188257CVE-2020-36385 at SUSECVE-2020-36385 at NVDCVE-2021-22555 at SUSECVE-2021-22555 at NVDCVE-2021-33909 at SUSECVE-2021-33909 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for qemu (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for qemu fixes the following issues:
Security issues fixed:
- CVE-2021-3595: Fixed slirp: invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366)
- CVE-2021-3592: Fix for slirp: invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364)
- CVE-2021-3594: Fix for slirp: invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367)
- CVE-2021-3593: Fix for slirp: invalid pointer initialization may lead to information disclosure (udp6) (bsc#1187365)
- CVE-2021-3611: Fix intel-hda segmentation fault due to stack overflow (bsc#1187529)
ImportantSUSE bug 1187364SUSE bug 1187365SUSE bug 1187366SUSE bug 1187367SUSE bug 1187529CVE-2021-3592 at SUSECVE-2021-3592 at NVDCVE-2021-3593 at SUSECVE-2021-3593 at NVDCVE-2021-3594 at SUSECVE-2021-3594 at NVDCVE-2021-3595 at SUSECVE-2021-3595 at NVDCVE-2021-3611 at SUSECVE-2021-3611 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for dbus-1 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for dbus-1 fixes the following issues:
- CVE-2020-35512: Fixed a bug where users with the same numeric UID could lead to use-after-free and undefined behaviour. (bsc#1187105)
- CVE-2020-12049: Fixed a bug where a truncated messages lead to resource exhaustion. (bsc#1172505)
ImportantSUSE bug 1172505SUSE bug 1187105CVE-2020-12049 at SUSECVE-2020-12049 at NVDCVE-2020-35512 at SUSECVE-2020-35512 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for webkit2gtk3 fixes the following issues:
Update to version 2.32.3:
- CVE-2021-21775: Fixed a use-after-free vulnerability in the way certain events are processed for ImageLoader objects. A specially crafted web page can lead to a potential information leak and further memory corruption. A victim must be tricked into visiting a malicious web page to trigger this vulnerability. (bsc#1188697)
- CVE-2021-21779: Fixed a use-after-free vulnerability in the way that WebKit GraphicsContext handles certain events. A specially crafted web page can lead to a potential information leak and further memory corruption. A victim must be tricked into visiting a malicious web page to trigger this vulnerability. (bsc#1188697)
- CVE-2021-30663: An integer overflow was addressed with improved input validation. (bsc#1188697)
- CVE-2021-30665: A memory corruption issue was addressed with improved state management. (bsc#1188697)
- CVE-2021-30689: A logic issue was addressed with improved state management. (bsc#1188697)
- CVE-2021-30720: A logic issue was addressed with improved restrictions. (bsc#1188697)
- CVE-2021-30734: Multiple memory corruption issues were addressed with improved memory handling. (bsc#1188697)
- CVE-2021-30744: A cross-origin issue with iframe elements was addressed with improved tracking of security origins. (bsc#1188697)
- CVE-2021-30749: Multiple memory corruption issues were addressed with improved memory handling. (bsc#1188697)
- CVE-2021-30758: A type confusion issue was addressed with improved state handling. (bsc#1188697)
- CVE-2021-30795: A use after free issue was addressed with improved memory management. (bsc#1188697)
- CVE-2021-30797: This issue was addressed with improved checks. (bsc#1188697)
- CVE-2021-30799: Multiple memory corruption issues were addressed with improved memory handling. (bsc#1188697)
ImportantSUSE bug 1188697CVE-2021-21775 at SUSECVE-2021-21775 at NVDCVE-2021-21779 at SUSECVE-2021-21779 at NVDCVE-2021-30663 at SUSECVE-2021-30663 at NVDCVE-2021-30665 at SUSECVE-2021-30665 at NVDCVE-2021-30689 at SUSECVE-2021-30689 at NVDCVE-2021-30720 at SUSECVE-2021-30720 at NVDCVE-2021-30734 at SUSECVE-2021-30734 at NVDCVE-2021-30744 at SUSECVE-2021-30744 at NVDCVE-2021-30749 at SUSECVE-2021-30749 at NVDCVE-2021-30758 at SUSECVE-2021-30758 at NVDCVE-2021-30795 at SUSECVE-2021-30795 at NVDCVE-2021-30797 at SUSECVE-2021-30797 at NVDCVE-2021-30799 at SUSECVE-2021-30799 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libsndfile (Critical)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libsndfile fixes the following issues:
- CVE-2018-13139: Fixed a stack-based buffer overflow in psf_memset in common.c in libsndfile 1.0.28allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact. (bsc#1100167)
- CVE-2018-19432: Fixed a NULL pointer dereference in the function sf_write_int in sndfile.c, which will lead to a denial of service. (bsc#1116993)
- CVE-2021-3246: Fixed a heap buffer overflow vulnerability in msadpcm_decode_block. (bsc#1188540)
- CVE-2018-19758: Fixed a heap-based buffer over-read at wav.c in wav_write_header in libsndfile 1.0.28 that will cause a denial of service. (bsc#1117954)
CriticalSUSE bug 1100167SUSE bug 1116993SUSE bug 1117954SUSE bug 1188540CVE-2018-13139 at SUSECVE-2018-13139 at NVDCVE-2018-19432 at SUSECVE-2018-19432 at NVDCVE-2018-19758 at SUSECVE-2018-19758 at NVDCVE-2021-3246 at SUSECVE-2021-3246 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for djvulibre (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for djvulibre fixes the following issues:
- CVE-2021-3630: out-of-bounds write in DJVU:DjVuTXT:decode() in DjVuText.cpp (bsc#1187869)
ImportantSUSE bug 1187869CVE-2021-3630 at SUSECVE-2021-3630 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for cpio (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for cpio fixes the following issues:
It was possible to trigger Remote code execution due to a integer overflow (CVE-2021-38185, bsc#1189206)
ImportantSUSE bug 1189206CVE-2021-38185 at SUSECVE-2021-38185 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libcares2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libcares2 fixes the following issues:
- CVE-2021-3672: Fixed input validation on hostnames (bsc#1188881).
ImportantSUSE bug 1188881CVE-2021-3672 at SUSECVE-2021-3672 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 78.13.0 ESR (MFSA 2021-34, bsc#1188891):
- CVE-2021-29986: Race condition when resolving DNS names could have led to memory corruption
- CVE-2021-29988: Memory corruption as a result of incorrect style treatment
- CVE-2021-29984: Incorrect instruction reordering during JIT optimization
- CVE-2021-29980: Uninitialized memory in a canvas object could have led to memory corruption
- CVE-2021-29985: Use-after-free media channels
- CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
ImportantSUSE bug 1188891CVE-2021-29980 at SUSECVE-2021-29980 at NVDCVE-2021-29984 at SUSECVE-2021-29984 at NVDCVE-2021-29985 at SUSECVE-2021-29985 at NVDCVE-2021-29986 at SUSECVE-2021-29986 at NVDCVE-2021-29988 at SUSECVE-2021-29988 at NVDCVE-2021-29989 at SUSECVE-2021-29989 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for fetchmail (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for fetchmail fixes the following issues:
- CVE-2021-36386: DoS or information disclosure in some configurations (bsc#1188875)
- Change PASSWORDLEN from 64 to 256 [bsc#1188034]
- Set the hostname for SNI when using TLS [bsc#1182807]
- Allow --syslog option in daemon mode. (bsc#1033081)
- Set the hostname for SNI when using TLS. (bsc#1182807)
- Change PASSWORDLEN from 64 to 256 (bsc#1188034)
ModerateSUSE bug 1033081SUSE bug 1182807SUSE bug 1188034SUSE bug 1188875CVE-2021-36386 at SUSECVE-2021-36386 at NVDcpe:/o:suse:sles-ltss:12:sp3Recommended update for cpio (Critical)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for cpio fixes the following issues:
- A regression in the previous update could lead to crashes (bsc#1189465)
CriticalSUSE bug 1189465CVE-2021-38185 at SUSECVE-2021-38185 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_8_0-openjdk fixes the following issues:
- Update to version jdk8u302 (icedtea 3.20.0)
- CVE-2021-2341: Improve file transfers. (bsc#1188564)
- CVE-2021-2369: Better jar file validation. (bsc#1188565)
- CVE-2021-2388: Enhance compiler validation. (bsc#1188566)
- CVE-2021-2161: Less ambiguous processing. (bsc#1185056)
ImportantSUSE bug 1185056SUSE bug 1188564SUSE bug 1188565SUSE bug 1188566CVE-2021-2161 at SUSECVE-2021-2161 at NVDCVE-2021-2341 at SUSECVE-2021-2341 at NVDCVE-2021-2369 at SUSECVE-2021-2369 at NVDCVE-2021-2388 at SUSECVE-2021-2388 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for cpio (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for cpio fixes the following issues:
- A patch previously applied to remedy CVE-2021-38185 introduced a regression
that had the potential to cause a segmentation fault in cpio. [bsc#1189465]
ImportantSUSE bug 1189465CVE-2021-38185 at SUSECVE-2021-38185 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for python-PyYAML (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for python-PyYAML fixes the following issues:
- Update to 5.3.1.
- CVE-2020-14343: A vulnerability was discovered in the PyYAML library,
where it was susceptible to arbitrary code execution when it processes
untrusted YAML files through the full_load method or with the FullLoader
loader. Applications that use the library to process untrusted input
may be vulnerable to this flaw. This flaw allows an attacker to
execute arbitrary code on the system by abusing the python/object/new
constructor. This flaw is due to an incomplete fix for CVE-2020-1747.
ImportantSUSE bug 1174514CVE-2020-14343 at SUSECVE-2020-14343 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for openssl (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for openssl fixes the following security issue:
- CVE-2021-3712: a bug in the code for printing certificate details could lead
to a buffer overrun that a malicious actor could exploit to crash the
application, causing a denial-of-service attack. [bsc#1189521]
ImportantSUSE bug 1189521CVE-2021-3712 at SUSECVE-2021-3712 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for unrar (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for unrar to version 5.6.1 fixes several issues.
These security issues were fixed:
- CVE-2017-12938: Prevent remote attackers to bypass a directory-traversal
protection mechanism via vectors involving a symlink to the . directory, a
symlink to the .. directory, and a regular file (bsc#1054038).
- CVE-2017-12940: Prevent out-of-bounds read in the EncodeFileName::Decode call
within the Archive::ReadHeader15 function (bsc#1054038).
- CVE-2017-12941: Prevent an out-of-bounds read in the Unpack::Unpack20
function (bsc#1054038).
- CVE-2017-12942: Prevent a buffer overflow in the Unpack::LongLZ function
(bsc#1054038).
- CVE-2017-20006: Fixed heap-based buffer overflow in Unpack:CopyString (bsc#1187974).
These non-security issues were fixed:
- Added extraction support for .LZ archives created by Lzip compressor
- Enable unpacking of files in ZIP archives compressed with XZ algorithm and
encrypted with AES
- Added support for PAX extended headers inside of TAR archive
- If RAR recovery volumes (.rev files) are present in the same folder as usual
RAR volumes, archive test command verifies .rev contents after completing
testing .rar files
- By default unrar skips symbolic links with absolute paths in link target when
extracting unless -ola command line switch is specified
- Added support for AES-NI CPU instructions
- Support for a new RAR 5.0 archiving format
- Wildcard exclusion mask for folders
- Prevent conditional jumps depending on uninitialised values (bsc#1046882)
ModerateSUSE bug 1046882SUSE bug 1054038SUSE bug 1187974CVE-2012-6706 at SUSECVE-2012-6706 at NVDCVE-2017-12938 at SUSECVE-2017-12938 at NVDCVE-2017-12940 at SUSECVE-2017-12940 at NVDCVE-2017-12941 at SUSECVE-2017-12941 at NVDCVE-2017-12942 at SUSECVE-2017-12942 at NVDCVE-2017-20006 at SUSECVE-2017-20006 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for openvswitch (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for openvswitch fixes the following issues:
- openvswitch was updated to 2.7.12
- CVE-2020-27827: Fixed a memory leak when parsing lldp packets (bsc#1181345)
A lot more minor bugs have been fixed with this openvswitch version. Please refer to the changelog of
the openvswitch.rpm file in order to obtain a list of all changes.
ImportantSUSE bug 1117483SUSE bug 1181345CVE-2020-27827 at SUSECVE-2020-27827 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_127 fixes several issues.
The following security issues were fixed:
- CVE-2021-37576: On the powerpc platform KVM guest OS users could cause host OS memory corruption via rtas_args.nargs (bsc#1188838).
- CVE-2021-3609: Fixed a local privilege escalation via a race condition in net/can/bcm.c (bsc#1187215).
ImportantSUSE bug 1188323SUSE bug 1188842CVE-2021-3609 at SUSECVE-2021-3609 at NVDCVE-2021-37576 at SUSECVE-2021-37576 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_130 fixes several issues.
The following security issues were fixed:
- CVE-2021-37576: On the powerpc platform KVM guest OS users could cause host OS memory corruption via rtas_args.nargs (bsc#1188838).
- CVE-2021-3609: Fixed a local privilege escalation via a race condition in net/can/bcm.c (bsc#1187215).
ImportantSUSE bug 1188323SUSE bug 1188842CVE-2021-3609 at SUSECVE-2021-3609 at NVDCVE-2021-37576 at SUSECVE-2021-37576 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_135 fixes several issues.
The following security issues were fixed:
- CVE-2021-37576: On the powerpc platform KVM guest OS users could cause host OS memory corruption via rtas_args.nargs (bsc#1188838).
- CVE-2021-3609: Fixed a local privilege escalation via a race condition in net/can/bcm.c (bsc#1187215).
ImportantSUSE bug 1188323SUSE bug 1188842CVE-2021-3609 at SUSECVE-2021-3609 at NVDCVE-2021-37576 at SUSECVE-2021-37576 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_138 fixes several issues.
The following security issues were fixed:
- CVE-2021-37576: On the powerpc platform KVM guest OS users could cause host OS memory corruption via rtas_args.nargs (bsc#1188838).
- CVE-2021-3609: Fixed a local privilege escalation via a race condition in net/can/bcm.c (bsc#1187215).
ImportantSUSE bug 1188323SUSE bug 1188842CVE-2021-3609 at SUSECVE-2021-3609 at NVDCVE-2021-37576 at SUSECVE-2021-37576 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_141 fixes several issues.
The following security issues were fixed:
- CVE-2021-37576: On the powerpc platform KVM guest OS users could cause host OS memory corruption via rtas_args.nargs (bsc#1188838).
- CVE-2021-3609: Fixed a local privilege escalation via a race condition in net/can/bcm.c (bsc#1187215).
ImportantSUSE bug 1188323SUSE bug 1188842CVE-2021-3609 at SUSECVE-2021-3609 at NVDCVE-2021-37576 at SUSECVE-2021-37576 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_144 fixes several issues.
The following security issues were fixed:
- CVE-2021-37576: On the powerpc platform KVM guest OS users could cause host OS memory corruption via rtas_args.nargs (bsc#1188838).
- CVE-2021-3609: Fixed a local privilege escalation via a race condition in net/can/bcm.c (bsc#1187215).
ImportantSUSE bug 1188323SUSE bug 1188842CVE-2021-3609 at SUSECVE-2021-3609 at NVDCVE-2021-37576 at SUSECVE-2021-37576 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_147 fixes several issues.
The following security issues were fixed:
- CVE-2021-37576: On the powerpc platform KVM guest OS users could cause host OS memory corruption via rtas_args.nargs (bsc#1188838).
- CVE-2021-28688: The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. (bsc#1183646)
- CVE-2020-0429: Fixed a potential local privilege escalation in l2tp_session_delete and related functions of l2tp_core.c (bsc#1176724).
ImportantSUSE bug 1176931SUSE bug 1182294SUSE bug 1188842CVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2021-28688 at SUSECVE-2021-28688 at NVDCVE-2021-37576 at SUSECVE-2021-37576 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for aspell (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for aspell fixes the following issues:
- CVE-2019-25051: Fixed heap-buffer-overflow in acommon:ObjStack:dup_top (bsc#1188576).
ImportantSUSE bug 1188576CVE-2019-25051 at SUSECVE-2019-25051 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for bind (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for bind fixes the following issues:
- CVE-2020-8622: A truncated TSIG response can lead to an assertion failure (bsc#1175443).
ModerateSUSE bug 1175443SUSE bug 1188888CVE-2020-8622 at SUSECVE-2020-8622 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for openexr (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for openexr fixes the following issues:
- CVE-2021-20298 [bsc#1188460]: Fixed Out-of-memory in B44Compressor
- CVE-2021-20299 [bsc#1188459]: Fixed Null-dereference READ in Imf_2_5:Header:operator
- CVE-2021-20300 [bsc#1188458]: Fixed Integer-overflow in Imf_2_5:hufUncompress
- CVE-2021-20302 [bsc#1188462]: Fixed Floating-point-exception in Imf_2_5:precalculateTileInfot
- CVE-2021-20303 [bsc#1188457]: Fixed Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer
- CVE-2021-20304 [bsc#1188461]: Fixed Undefined-shift in Imf_2_5:hufDecode
ImportantSUSE bug 1188457SUSE bug 1188458SUSE bug 1188459SUSE bug 1188460SUSE bug 1188461SUSE bug 1188462CVE-2021-20298 at SUSECVE-2021-20298 at NVDCVE-2021-20299 at SUSECVE-2021-20299 at NVDCVE-2021-20300 at SUSECVE-2021-20300 at NVDCVE-2021-20302 at SUSECVE-2021-20302 at NVDCVE-2021-20303 at SUSECVE-2021-20303 at NVDCVE-2021-20304 at SUSECVE-2021-20304 at NVDCVE-2021-3476 at SUSECVE-2021-3476 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libesmtp (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libesmtp fixes the following issues:
- CVE-2019-19977: Fix stack-based buffer over-read in ntlm/ntlmstruct.c (bsc#1160462).
ImportantSUSE bug 1160462SUSE bug 1189097CVE-2019-19977 at SUSECVE-2019-19977 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for file (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for file fixes the following issues:
- CVE-2019-18218: Fixed heap-based buffer overflow in cdf_read_property_info in cdf.c (bsc#1154661).
ImportantSUSE bug 1154661CVE-2019-18218 at SUSECVE-2019-18218 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for xen fixes the following issues:
- CVE-2021-3594: slirp: invalid pointer initialization may lead to information disclosure (udp)(bsc#1187378).
- CVE-2021-3595: slirp: invalid pointer initialization may lead to information disclosure (tftp)(bsc#1187376).
- CVE-2021-28698: long running loops in grant table handling (XSA-380)(bsc#1189378).
- CVE-2021-28699: inadequate grant-v2 status frames array bounds check (XSA-382)(bsc#1189380).
- CVE-2021-20255: Fixed stack overflow via infinite recursion in eepro100 (bsc#1182654)
- CVE-2021-28690: xen: x86: TSX Async Abort protections not restored after S3 (bsc#1186434)
- CVE-2021-28692: xen: inappropriate x86 IOMMU timeout detection / handling (bsc#1186429)
- CVE-2021-28694,CVE-2021-28695,CVE-2021-28696: IOMMU page mapping issues on x86 (XSA-378)(bsc#1189373).
- CVE-2021-0089: xen: Speculative Code Store Bypass (bsc#1186433)
- CVE-2021-28697: grant table v2 status pages may remain accessible after de-allocation (XSA-379)(bsc#1189376).
- CVE-2021-3592: slirp: invalid pointer initialization may lead to information disclosure (bootp)(bsc#1187369).
- Prevent superpage allocation in the LAPIC and ACPI_INFO range (bsc#1189882).
ImportantSUSE bug 1182654SUSE bug 1186429SUSE bug 1186433SUSE bug 1186434SUSE bug 1187369SUSE bug 1187376SUSE bug 1187378SUSE bug 1189373SUSE bug 1189376SUSE bug 1189378SUSE bug 1189380SUSE bug 1189882CVE-2021-0089 at SUSECVE-2021-0089 at NVDCVE-2021-20255 at SUSECVE-2021-20255 at NVDCVE-2021-28690 at SUSECVE-2021-28690 at NVDCVE-2021-28692 at SUSECVE-2021-28692 at NVDCVE-2021-28694 at SUSECVE-2021-28694 at NVDCVE-2021-28695 at SUSECVE-2021-28695 at NVDCVE-2021-28696 at SUSECVE-2021-28696 at NVDCVE-2021-28697 at SUSECVE-2021-28697 at NVDCVE-2021-28698 at SUSECVE-2021-28698 at NVDCVE-2021-28699 at SUSECVE-2021-28699 at NVDCVE-2021-3592 at SUSECVE-2021-3592 at NVDCVE-2021-3594 at SUSECVE-2021-3594 at NVDCVE-2021-3595 at SUSECVE-2021-3595 at NVDcpe:/o:suse:sles-ltss:12:sp3Recommended update for mozilla-nspr, mozilla-nss (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for mozilla-nspr fixes the following issues:
mozilla-nspr was updated to version 4.32:
* implement new socket option PR_SockOpt_DontFrag
* support larger DNS records by increasing the default buffer
size for DNS queries
* Lock access to PRCallOnceType members in PR_CallOnce* for
thread safety bmo#1686138
* PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get
information about the operating system build version.
Mozilla NSS was updated to version 3.68:
* bmo#1713562 - Fix test leak.
* bmo#1717452 - NSS 3.68 should depend on NSPR 4.32.
* bmo#1693206 - Implement PKCS8 export of ECDSA keys.
* bmo#1712883 - DTLS 1.3 draft-43.
* bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
* bmo#1713562 - Validate ECH public names.
* bmo#1717610 - Add function to get seconds from epoch from pkix::Time.
update to NSS 3.67
* bmo#1683710 - Add a means to disable ALPN.
* bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66).
* bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja.
* bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c.
* bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte.
update to NSS 3.66
* bmo#1710716 - Remove Expired Sonera Class2 CA from NSS.
* bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority.
* bmo#1708307 - Remove Trustis FPS Root CA from NSS.
* bmo#1707097 - Add Certum Trusted Root CA to NSS.
* bmo#1707097 - Add Certum EC-384 CA to NSS.
* bmo#1703942 - Add ANF Secure Server Root CA to NSS.
* bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS.
* bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database.
* bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler.
* bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h.
* bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators.
* bmo#1709291 - Add VerifyCodeSigningCertificateChain.
update to NSS 3.65
* bmo#1709654 - Update for NetBSD configuration.
* bmo#1709750 - Disable HPKE test when fuzzing.
* bmo#1566124 - Optimize AES-GCM for ppc64le.
* bmo#1699021 - Add AES-256-GCM to HPKE.
* bmo#1698419 - ECH -10 updates.
* bmo#1692930 - Update HPKE to final version.
* bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default.
* bmo#1703936 - New coverity/cpp scanner errors.
* bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards.
* bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
* bmo#1705119 - Deadlock when using GCM and non-thread safe tokens.
update to NSS 3.64
* bmo#1705286 - Properly detect mips64.
* bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and
disable_crypto_vsx.
* bmo#1698320 - replace __builtin_cpu_supports('vsx') with
ppc_crypto_support() for clang.
* bmo#1613235 - Add POWER ChaCha20 stream cipher vector
acceleration.
Fixed in 3.63
* bmo#1697380 - Make a clang-format run on top of helpful contributions.
* bmo#1683520 - ECCKiila P384, change syntax of nested structs
initialization to prevent build isses with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual
scalar multiplication.
* bmo#1683520 - ECCKiila P521, change syntax of nested structs
initialization to prevent build isses with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual
scalar multiplication.
* bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683.
* bmo#1694214 - tstclnt can't enable middlebox compat mode.
* bmo#1694392 - NSS does not work with PKCS #11 modules not supporting
profiles.
* bmo#1685880 - Minor fix to prevent unused variable on early return.
* bmo#1685880 - Fix for the gcc compiler version 7 to support setenv
with nss build.
* bmo#1693217 - Increase nssckbi.h version number for March 2021 batch
of root CA changes, CA list version 2.48.
* bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's
'Chambers of Commerce' and 'Global Chambersign' roots.
* bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER.
* bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS.
* bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS.
* bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs
from NSS.
* bmo#1687822 - Turn off Websites trust bit for the “Staat der
Nederlanden Root CA - G3” root cert in NSS.
* bmo#1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce
Root - 2008' and 'Global Chambersign Root - 2008’.
* bmo#1694291 - Tracing fixes for ECH.
update to NSS 3.62
* bmo#1688374 - Fix parallel build NSS-3.61 with make
* bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add()
can corrupt 'cachedCertTable'
* bmo#1690583 - Fix CH padding extension size calculation
* bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail
* bmo#1690421 - Install packaged libabigail in docker-builds image
* bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing
* bmo#1674819 - Fixup a51fae403328, enum type may be signed
* bmo#1681585 - Add ECH support to selfserv
* bmo#1681585 - Update ECH to Draft-09
* bmo#1678398 - Add Export/Import functions for HPKE context
* bmo#1678398 - Update HPKE to draft-07
update to NSS 3.61
* bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key
values under certain conditions.
* bmo#1684300 - Fix default PBE iteration count when NSS is compiled
with NSS_DISABLE_DBM.
* bmo#1651411 - Improve constant-timeness in RSA operations.
* bmo#1677207 - Upgrade Google Test version to latest release.
* bmo#1654332 - Add aarch64-make target to nss-try.
Update to NSS 3.60.1:
Notable changes in NSS 3.60:
* TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support
has been added, replacing the previous ESNI (draft-ietf-tls-esni-01)
implementation. See bmo#1654332 for more information.
* December 2020 batch of Root CA changes, builtins library updated
to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769
for more information.
Update to NSS 3.59.1:
* bmo#1679290 - Fix potential deadlock with certain third-party
PKCS11 modules
Update to NSS 3.59:
Notable changes:
* Exported two existing functions from libnss:
CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData
Bugfixes
* bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
* bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
* bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
* bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
* bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed
root certs when SHA1 signatures are disabled.
* bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to
solve some test intermittents
* bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in
our CVE-2020-25648 fix that broke purple-discord
(boo#1179382)
* bmo#1666891 - Support key wrap/unwrap with RSA-OAEP
* bmo#1667989 - Fix gyp linking on Solaris
* bmo#1668123 - Export CERT_AddCertToListHeadWithData and
CERT_AddCertToListTailWithData from libnss
* bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
* bmo#1663091 - Remove unnecessary assertions in the streaming
ASN.1 decoder that affected decoding certain PKCS8
private keys when using NSS debug builds
* bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.
update to NSS 3.58
Bugs fixed:
* bmo#1641480 (CVE-2020-25648)
Tighten CCS handling for middlebox compatibility mode.
* bmo#1631890 - Add support for Hybrid Public Key Encryption
(draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello
(draft-ietf-tls-esni).
* bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto
extensions.
* bmo#1668328 - Handle spaces in the Python path name when using
gyp on Windows.
* bmo#1667153 - Add PK11_ImportDataKey for data object import.
* bmo#1665715 - Pass the embedded SCT list extension (if present)
to TrustDomain::CheckRevocation instead of the notBefore value.
update to NSS 3.57
* The following CA certificates were Added:
bmo#1663049 - CN=Trustwave Global Certification Authority
SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority
SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority
SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
* The following CA certificates were Removed:
bmo#1651211 - CN=EE Certification Centre Root CA
SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76
bmo#1656077 - O=Government Root Certification Authority; C=TW
SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
* Trust settings for the following CA certificates were Modified:
bmo#1653092 - CN=OISTE WISeKey Global Root GA CA
Websites (server authentication) trust bit removed.
* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes
update to NSS 3.56
Notable changes
* bmo#1650702 - Support SHA-1 HW acceleration on ARMv8
* bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS.
* bmo#1654142 - Add CPU feature detection for Intel SHA extension.
* bmo#1648822 - Add stricter validation of DH keys in FIPS mode.
* bmo#1656986 - Properly detect arm64 during GYP build architecture
detection.
* bmo#1652729 - Add build flag to disable RC2 and relocate to
lib/freebl/deprecated.
* bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay.
* bmo#1588941 - Send empty certificate message when scheme selection
fails.
* bmo#1652032 - Fix failure to build in Windows arm64 makefile
cross-compilation.
* bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent.
* bmo#1653975 - Fix 3.53 regression by setting 'all' as the default
makefile target.
* bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert.
* bmo#1659814 - Fix interop.sh failures with newer tls-interop
commit and dependencies.
* bmo#1656519 - NSPR dependency updated to 4.28
update to NSS 3.55
Notable changes
* P384 and P521 elliptic curve implementations are replaced with
verifiable implementations from Fiat-Crypto [0] and ECCKiila [1].
* PK11_FindCertInSlot is added. With this function, a given slot
can be queried with a DER-Encoded certificate, providing performance
and usability improvements over other mechanisms. (bmo#1649633)
* DTLS 1.3 implementation is updated to draft-38. (bmo#1647752)
Relevant Bugfixes
* bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and
P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila.
* bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature.
* bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding.
* bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part
ChaCha20 (which was not functioning correctly) and more strictly
enforce tag length.
* bmo#1649648 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649316 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649322 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1653202 - Fix initialization bug in blapitest when compiled
with NSS_DISABLE_DEPRECATED_SEED.
* bmo#1646594 - Fix AVX2 detection in makefile builds.
* bmo#1649633 - Add PK11_FindCertInSlot to search a given slot
for a DER-encoded certificate.
* bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo.
* bmo#1647752 - Update DTLS 1.3 implementation to draft-38.
* bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI.
* bmo#1649226 - Add Wycheproof ECDSA tests.
* bmo#1637222 - Consistently enforce IV requirements for DES and 3DES.
* bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in
RSA_CheckSignRecover.
* bmo#1646324 - Advertise PKCS#1 schemes for certificates in the
signature_algorithms extension.
update to NSS 3.54
Notable changes
* Support for TLS 1.3 external pre-shared keys (bmo#1603042).
* Use ARM Cryptography Extension for SHA256, when available
(bmo#1528113)
* The following CA certificates were Added:
bmo#1645186 - certSIGN Root CA G2.
bmo#1645174 - e-Szigno Root CA 2017.
bmo#1641716 - Microsoft ECC Root Certificate Authority 2017.
bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
* The following CA certificates were Removed:
bmo#1645199 - AddTrust Class 1 CA Root.
bmo#1645199 - AddTrust External CA Root.
bmo#1641718 - LuxTrust Global Root 2.
bmo#1639987 - Staat der Nederlanden Root CA - G2.
bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4.
bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4.
bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.
* A number of certificates had their Email trust bit disabled.
See bmo#1618402 for a complete list.
Bugs fixed
* bmo#1528113 - Use ARM Cryptography Extension for SHA256.
* bmo#1603042 - Add TLS 1.3 external PSK support.
* bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
* bmo#1645186 - Add 'certSIGN Root CA G2' root certificate.
* bmo#1645174 - Add Microsec's 'e-Szigno Root CA 2017' root certificate.
* bmo#1641716 - Add Microsoft's non-EV root certificates.
* bmo1621151 - Disable email trust bit for 'O=Government
Root Certification Authority; C=TW' root.
* bmo#1645199 - Remove AddTrust root certificates.
* bmo#1641718 - Remove 'LuxTrust Global Root 2' root certificate.
* bmo#1639987 - Remove 'Staat der Nederlanden Root CA - G2' root
certificate.
* bmo#1618402 - Remove Symantec root certificates and disable email trust
bit.
* bmo#1640516 - NSS 3.54 should depend on NSPR 4.26.
* bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c.
* bmo#1642153 - Fix infinite recursion building NSS.
* bmo#1642638 - Fix fuzzing assertion crash.
* bmo#1642871 - Enable SSL_SendSessionTicket after resumption.
* bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs.
* bmo#1643557 - Fix numerous compile warnings in NSS.
* bmo#1644774 - SSL gtests to use ClearServerCache when resetting
self-encrypt keys.
* bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c.
* bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding.
ModerateSUSE bug 1029961SUSE bug 1174697SUSE bug 1176206SUSE bug 1176934SUSE bug 1179382SUSE bug 1188891CVE-2020-12400 at SUSECVE-2020-12400 at NVDCVE-2020-12401 at SUSECVE-2020-12401 at NVDCVE-2020-12403 at SUSECVE-2020-12403 at NVDCVE-2020-25648 at SUSECVE-2020-25648 at NVDCVE-2020-6829 at SUSECVE-2020-6829 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for transfig (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for transfig fixes the following issues:
Update to version 3.2.8, including fixes for
- CVE-2021-3561: overflow in fig2dev/read.c in function read_colordef() (bsc#1186329).
- CVE-2020-21683: Fixed buffer overflow in the shade_or_tint_name_after_declare_color in genpstricks.c (bsc#1189325).
- CVE-2020-21682: Fixed buffer overflow in the set_fill component in genge.c (bsc#1189346).
- CVE-2020-21681: Fixed buffer overflow in the set_color component in genge.c (bsc#1189345).
- CVE-2020-21680: Fixed stack-based buffer overflow in the put_arrow() component in genpict2e.c (bsc#1189343).
- CVE-2019-19797: out-of-bounds write in read_colordef in read.c (bsc#1159293).
- CVE-2019-19555: stack-based buffer overflow because of an incorrect sscanf (bsc#1161698).
- CVE-2019-19746: segmentation fault and out-of-bounds write because of an integer overflow via a large arrow type (bsc#1159130).
ModerateSUSE bug 1136882SUSE bug 1159130SUSE bug 1159293SUSE bug 1161698SUSE bug 1186329SUSE bug 1189325SUSE bug 1189343SUSE bug 1189345SUSE bug 1189346CVE-2019-19555 at SUSECVE-2019-19555 at NVDCVE-2019-19746 at SUSECVE-2019-19746 at NVDCVE-2019-19797 at SUSECVE-2019-19797 at NVDCVE-2020-21680 at SUSECVE-2020-21680 at NVDCVE-2020-21681 at SUSECVE-2020-21681 at NVDCVE-2020-21682 at SUSECVE-2020-21682 at NVDCVE-2020-21683 at SUSECVE-2020-21683 at NVDCVE-2021-3561 at SUSECVE-2021-3561 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for gtk-vnc (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for gtk-vnc fixes the following issues:
- CVE-2017-5885: Correctly validate color map range indexes (bsc#1024268).
- CVE-2017-5884: Fix bounds checking for RRE, hextile & copyrect encodings (bsc#1024266).
- Fix crash when opening connection from a GSocketAddress (bsc#1046782).
- Fix possible crash on connection failure (bsc#1188292).
ModerateSUSE bug 1024266SUSE bug 1024268SUSE bug 1046782SUSE bug 1188292CVE-2017-5884 at SUSECVE-2017-5884 at NVDCVE-2017-5885 at SUSECVE-2017-5885 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for openssl (Low)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for openssl fixes the following issues:
- CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712.
Read buffer overruns processing ASN.1 strings (bsc#1189521).
LowSUSE bug 1189521CVE-2021-3712 at SUSECVE-2021-3712 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for ghostscript (Critical)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for ghostscript fixes the following issues:
- CVE-2021-3781: Fixed a trivial -dSAFER bypass command injection (bsc#1190381)
CriticalSUSE bug 1190381CVE-2021-3781 at SUSECVE-2021-3781 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
This update contains the Firefox Extended Support Release 91.1.0 ESR.
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-40 (bsc#1190269, bsc#1190274):
* CVE-2021-38492: Navigating to `mk:` URL scheme could load Internet Explorer
* CVE-2021-38495: Memory safety bugs fixed in Firefox 92 and Firefox ESR 91.1
Firefox 91.0.1esr ESR
* Fixed: Fixed an issue causing buttons on the tab bar to be
resized when loading certain websites (bug 1704404)
* Fixed: Fixed an issue which caused tabs from private windows
to be visible in non-private windows when viewing switch-to-
tab results in the address bar panel (bug 1720369)
* Fixed: Various stability fixes
* Fixed: Security fix MFSA 2021-37 (bsc#1189547)
* CVE-2021-29991 (bmo#1724896)
Header Splitting possible with HTTP/3 Responses
Firefox Extended Support Release 91.0 ESR
* New: Some of the highlights of the new Extended Support Release are:
- A number of user interface changes. For more information,
see the Firefox 89 release notes.
- Firefox now supports logging into Microsoft, work, and
school accounts using Windows single sign-on. Learn more
- On Windows, updates can now be applied in the background
while Firefox is not running.
- Firefox for Windows now offers a new page about:third-party
to help identify compatibility issues caused by third-party
applications
- Version 2 of Firefox's SmartBlock feature further improves
private browsing. Third party Facebook scripts are blocked to
prevent you from being tracked, but are now automatically
loaded 'just in time' if you decide to 'Log in with Facebook'
on any website.
- Enhanced the privacy of the Firefox Browser's Private
Browsing mode with Total Cookie Protection, which confines
cookies to the site where they were created, preventing
companis from using cookies to track your browsing across
sites. This feature was originally launched in Firefox's ETP
Strict mode.
- PDF forms now support JavaScript embedded in PDF files.
Some PDF forms use JavaScript for validation and other
interactive features.
- You'll encounter less website breakage in Private Browsing
and Strict Enhanced Tracking Protection with SmartBlock,
which provides stand-in scripts so that websites load
properly.
- Improved Print functionality with a cleaner design and
better integration with your computer's printer settings.
- Firefox now protects you from supercookies, a type of
tracker that can stay hidden in your browser and track you
online, even after you clear cookies. By isolating
supercookies, Firefox prevents them from tracking your web
browsing from one site to the next.
- Firefox now remembers your preferred location for saved
bookmarks, displays the bookmarks toolbar by default on new
tabs, and gives you easy access to all of your bookmarks via
a toolbar folder.
- Native support for macOS devices built with Apple Silicon
CPUs brings dramatic performance improvements over the non-
native build that was shipped in Firefox 83: Firefox launches
over 2.5 times faster and web apps are now twice as
responsive (per the SpeedoMeter 2.0 test). If you are on a
new Apple device, follow these steps to upgrade to the latest
Firefox.
- Pinch zooming will now be supported for our users with
Windows touchscreen devices and touchpads on Mac devices.
Firefox users may now use pinch to zoom on touch-capable
devices to zoom in and out of webpages.
- We’ve improved functionality and design for a number of
Firefox search features:
* Selecting a search engine at the bottom of the search
panel now enters search mode for that engine, allowing you to
see suggestions (if available) for your search terms. The old
behavior (immediately performing a search) is available with
a shift-click.
* When Firefox autocompletes the URL of one of your search
engines, you can now search with that engine directly in the
address bar by selecting the shortcut in the address bar
results.
* We’ve added buttons at the bottom of the search panel to
allow you to search your bookmarks, open tabs, and history.
- Firefox supports AcroForm, which will allow you to fill in,
print, and save supported PDF forms and the PDF viewer also
has a new fresh look.
- For our users in the US and Canada, Firefox can now save,
manage, and auto-fill credit card information for you, making
shopping on Firefox ever more convenient.
- In addition to our default, dark and light themes, with
this release, Firefox introduces the Alpenglow theme: a
colorful appearance for buttons, menus, and windows. You can
update your Firefox themes under settings or preferences.
* Changed: Firefox no longer supports Adobe Flash. There is no
setting available to re-enable Flash support.
* Enterprise: Various bug fixes and new policies have been
implemented in the latest version of Firefox. See more
details in the Firefox for Enterprise 91 Release Notes.
MFSA 2021-33 (bsc#1188891):
* CVE-2021-29986: Race condition when resolving DNS names could have led to
memory corruption
* CVE-2021-29981: Live range splitting could have led to conflicting
assignments in the JIT
* CVE-2021-29988: Memory corruption as a result of incorrect style treatment
* CVE-2021-29983: Firefox for Android could get stuck in fullscreen mode
* CVE-2021-29984: Incorrect instruction reordering during JIT optimization
* CVE-2021-29980: Uninitialized memory in a canvas object could have led to
memory corruption
* CVE-2021-29987: Users could have been tricked into accepting unwanted
permissions on Linux
* CVE-2021-29985: Use-after-free media channels
* CVE-2021-29982: Single bit data leak due to incorrect JIT optimization and
type confusion
* CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
* CVE-2021-29990: Memory safety bugs fixed in Firefox 91
ImportantSUSE bug 1188891SUSE bug 1189547SUSE bug 1190269SUSE bug 1190274CVE-2021-29980 at SUSECVE-2021-29980 at NVDCVE-2021-29981 at SUSECVE-2021-29981 at NVDCVE-2021-29982 at SUSECVE-2021-29982 at NVDCVE-2021-29983 at SUSECVE-2021-29983 at NVDCVE-2021-29984 at SUSECVE-2021-29984 at NVDCVE-2021-29985 at SUSECVE-2021-29985 at NVDCVE-2021-29986 at SUSECVE-2021-29986 at NVDCVE-2021-29987 at SUSECVE-2021-29987 at NVDCVE-2021-29988 at SUSECVE-2021-29988 at NVDCVE-2021-29989 at SUSECVE-2021-29989 at NVDCVE-2021-29990 at SUSECVE-2021-29990 at NVDCVE-2021-29991 at SUSECVE-2021-29991 at NVDCVE-2021-38492 at SUSECVE-2021-38492 at NVDCVE-2021-38495 at SUSECVE-2021-38495 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_135 fixes several issues.
The following security issues were fixed:
- CVE-2021-3653: Fixed missing validation of the KVM `int_ctl` VMCB field that would have allowed a malicious L1 guest to enable AVIC support for the L2 guest (bsc#1189420).
- CVE-2021-38198: Fixed KVM MMU to use the correct inherited permissions to get shadow page (bsc#1189278).
ImportantSUSE bug 1189278SUSE bug 1189420CVE-2021-3653 at SUSECVE-2021-3653 at NVDCVE-2021-38198 at SUSECVE-2021-38198 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_147 fixes several issues.
The following security issues were fixed:
- CVE-2021-3653: Fixed missing validation of the KVM `int_ctl` VMCB field that would have allowed a malicious L1 guest to enable AVIC support for the L2 guest (bsc#1189420).
- CVE-2021-38198: Fixed KVM MMU to use the correct inherited permissions to get shadow page (bsc#1189278).
ImportantSUSE bug 1189278SUSE bug 1189420CVE-2021-3653 at SUSECVE-2021-3653 at NVDCVE-2021-38198 at SUSECVE-2021-38198 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_144 fixes several issues.
The following security issues were fixed:
- CVE-2021-3653: Fixed missing validation of the KVM `int_ctl` VMCB field that would have allowed a malicious L1 guest to enable AVIC support for the L2 guest (bsc#1189420).
- CVE-2021-38198: Fixed KVM MMU to use the correct inherited permissions to get shadow page (bsc#1189278).
ImportantSUSE bug 1189278SUSE bug 1189420CVE-2021-3653 at SUSECVE-2021-3653 at NVDCVE-2021-38198 at SUSECVE-2021-38198 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_141 fixes several issues.
The following security issues were fixed:
- CVE-2021-3653: Fixed missing validation of the KVM `int_ctl` VMCB field that would have allowed a malicious L1 guest to enable AVIC support for the L2 guest (bsc#1189420).
- CVE-2021-38198: Fixed KVM MMU to use the correct inherited permissions to get shadow page (bsc#1189278).
ImportantSUSE bug 1189278SUSE bug 1189420CVE-2021-3653 at SUSECVE-2021-3653 at NVDCVE-2021-38198 at SUSECVE-2021-38198 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_138 fixes several issues.
The following security issues were fixed:
- CVE-2021-3653: Fixed missing validation of the KVM `int_ctl` VMCB field that would have allowed a malicious L1 guest to enable AVIC support for the L2 guest (bsc#1189420).
- CVE-2021-38198: Fixed KVM MMU to use the correct inherited permissions to get shadow page (bsc#1189278).
ImportantSUSE bug 1189278SUSE bug 1189420CVE-2021-3653 at SUSECVE-2021-3653 at NVDCVE-2021-38198 at SUSECVE-2021-38198 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_8_0-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 6 Fix Pack 20 [bsc#1180063,bsc#1177943]
CVE-2020-14792 CVE-2020-14797 CVE-2020-14781 CVE-2020-14779
CVE-2020-14798 CVE-2020-14796 CVE-2020-14803
* Class libraries:
- SOCKETADAPTOR$SOCKETINPUTSTREAM.READ is blocking for more time
that the set timeout
- Z/OS specific C function send_file is changing the file pointer
position
* Java Virtual Machine:
- Crash on iterate java stack
- Java process hang on SIGTERM
* JIT Compiler:
- JMS performance regression from JDK8 SR5 FP40 TO FP41
* Class Libraries:
- z15 high utilization following Z/VM and Linux migration from
z14 To z15
* Java Virtual Machine:
- Assertion failed when trying to write a class file
- Assertion failure at modronapi.cpp
- Improve the performance of defining and finding classes
* JIT Compiler:
- An assert in ppcbinaryencoding.cpp may trigger when running
with traps disabled on power
- AOT field offset off by n bytes
- Segmentation fault in jit module on ibm z platform ModerateSUSE bug 1177943SUSE bug 1180063CVE-2020-14779 at SUSECVE-2020-14779 at NVDCVE-2020-14781 at SUSECVE-2020-14781 at NVDCVE-2020-14792 at SUSECVE-2020-14792 at NVDCVE-2020-14796 at SUSECVE-2020-14796 at NVDCVE-2020-14797 at SUSECVE-2020-14797 at NVDCVE-2020-14798 at SUSECVE-2020-14798 at NVDCVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_130 fixes several issues.
The following security issues were fixed:
- CVE-2021-3653: Fixed missing validation of the KVM `int_ctl` VMCB field that would have allowed a malicious L1 guest to enable AVIC support for the L2 guest (bsc#1189420).
- CVE-2021-38198: Fixed KVM MMU to use the correct inherited permissions to get shadow page (bsc#1189278).
ImportantSUSE bug 1189278SUSE bug 1189420CVE-2021-3653 at SUSECVE-2021-3653 at NVDCVE-2021-38198 at SUSECVE-2021-38198 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for xen fixes the following issues:
- CVE-2021-28701: Fixed race condition in XENMAPSPACE_grant_table handling (XSA-384) (bsc#1189632).
- Integrate bugfixes (bsc#1189373, bsc#1189378).
ImportantSUSE bug 1189373SUSE bug 1189378SUSE bug 1189632CVE-2021-28701 at SUSECVE-2021-28701 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for sqlite3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for sqlite3 fixes the following issues:
sqlite3 is sync version 3.36.0 from Factory (jsc#SLE-16032).
The following CVEs have been fixed in upstream releases up to
this point, but were not mentioned in the change log so far:
* bsc#1173641, CVE-2020-15358: heap-based buffer overflow in
multiSelectOrderBy due to mishandling of query-flattener
optimization
* bsc#1164719, CVE-2020-9327: NULL pointer dereference and
segmentation fault because of generated column optimizations in
isAuxiliaryVtabOperator
* bsc#1160439, CVE-2019-20218: selectExpander in select.c proceeds
with WITH stack unwinding even after a parsing error
* bsc#1160438, CVE-2019-19959: memory-management error via
ext/misc/zipfile.c involving embedded '\0' input
* bsc#1160309, CVE-2019-19923: improper handling of certain uses
of SELECT DISTINCT in flattenSubquery may lead to null pointer
dereference
* bsc#1159850, CVE-2019-19924: improper error handling in
sqlite3WindowRewrite()
* bsc#1159847, CVE-2019-19925: improper handling of NULL pathname
during an update of a ZIP archive
* bsc#1159715, CVE-2019-19926: improper handling of certain
errors during parsing multiSelect in select.c
* bsc#1159491, CVE-2019-19880: exprListAppendList in window.c
allows attackers to trigger an invalid pointer dereference
* bsc#1158960, CVE-2019-19603: during handling of CREATE TABLE
and CREATE VIEW statements, does not consider confusion with
a shadow table name
* bsc#1158959, CVE-2019-19646: pragma.c mishandles NOT NULL in an
integrity_check PRAGMA command in certain cases of generated
columns
* bsc#1158958, CVE-2019-19645: alter.c allows attackers to trigger
infinite recursion via certain types of self-referential views
in conjunction with ALTER TABLE statements
* bsc#1158812, CVE-2019-19317: lookupName in resolve.c omits bits
from the colUsed bitmask in the case of a generated column,
which allows attackers to cause a denial of service
* bsc#1157818, CVE-2019-19244: sqlite3,sqlite2,sqlite: The
function sqlite3Select in select.c allows a crash if a
sub-select uses both DISTINCT and window functions, and also
has certain ORDER BY usage
* bsc#928701, CVE-2015-3415: sqlite3VdbeExec comparison operator
vulnerability
* bsc#928700, CVE-2015-3414: sqlite3,sqlite2: dequoting of
collation-sequence names
* CVE-2020-13434 bsc#1172115: integer overflow in
sqlite3_str_vappendf
* CVE-2020-13630 bsc#1172234: use-after-free in fts3EvalNextRow
* CVE-2020-13631 bsc#1172236: virtual table allowed to be renamed
to one of its shadow tables
* CVE-2020-13632 bsc#1172240: NULL pointer dereference via
crafted matchinfo() query
* CVE-2020-13435: Malicious SQL statements could have crashed the
process that is running SQLite (bsc#1172091)
ImportantSUSE bug 1157818SUSE bug 1158812SUSE bug 1158958SUSE bug 1158959SUSE bug 1158960SUSE bug 1159491SUSE bug 1159715SUSE bug 1159847SUSE bug 1159850SUSE bug 1160309SUSE bug 1160438SUSE bug 1160439SUSE bug 1164719SUSE bug 1172091SUSE bug 1172115SUSE bug 1172234SUSE bug 1172236SUSE bug 1172240SUSE bug 1173641SUSE bug 928700SUSE bug 928701CVE-2015-3414 at SUSECVE-2015-3414 at NVDCVE-2015-3415 at SUSECVE-2015-3415 at NVDCVE-2016-6153 at SUSECVE-2016-6153 at NVDCVE-2017-10989 at SUSECVE-2017-10989 at NVDCVE-2017-2518 at SUSECVE-2017-2518 at NVDCVE-2018-20346 at SUSECVE-2018-20346 at NVDCVE-2018-8740 at SUSECVE-2018-8740 at NVDCVE-2019-16168 at SUSECVE-2019-16168 at NVDCVE-2019-19244 at SUSECVE-2019-19244 at NVDCVE-2019-19317 at SUSECVE-2019-19317 at NVDCVE-2019-19603 at SUSECVE-2019-19603 at NVDCVE-2019-19645 at SUSECVE-2019-19645 at NVDCVE-2019-19646 at SUSECVE-2019-19646 at NVDCVE-2019-19880 at SUSECVE-2019-19880 at NVDCVE-2019-19923 at SUSECVE-2019-19923 at NVDCVE-2019-19924 at SUSECVE-2019-19924 at NVDCVE-2019-19925 at SUSECVE-2019-19925 at NVDCVE-2019-19926 at SUSECVE-2019-19926 at NVDCVE-2019-19959 at SUSECVE-2019-19959 at NVDCVE-2019-20218 at SUSECVE-2019-20218 at NVDCVE-2019-8457 at SUSECVE-2019-8457 at NVDCVE-2020-13434 at SUSECVE-2020-13434 at NVDCVE-2020-13435 at SUSECVE-2020-13435 at NVDCVE-2020-13630 at SUSECVE-2020-13630 at NVDCVE-2020-13631 at SUSECVE-2020-13631 at NVDCVE-2020-13632 at SUSECVE-2020-13632 at NVDCVE-2020-15358 at SUSECVE-2020-15358 at NVDCVE-2020-9327 at SUSECVE-2020-9327 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for python-urllib3 (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for python-urllib3 fixes the following security issue:
- CVE-2020-26137: A CRLF injection via HTTP request method was fixed (bsc#1177120)
Note that this was fixed in a previous version update to 1.25.9, this update just complements the tracking.
ModerateSUSE bug 1177120CVE-2020-26137 at SUSECVE-2020-26137 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for glibc (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for glibc fixes the following issues:
Security issues fixed:
- CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911)
- CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489)
Also the following bug was fixed:
- Avoid concurrency problem in ldconfig (bsc#1117993)
ModerateSUSE bug 1117993SUSE bug 1186489SUSE bug 1187911CVE-2021-33574 at SUSECVE-2021-33574 at NVDCVE-2021-35942 at SUSECVE-2021-35942 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.32.4
- CVE-2021-30858: Fixed a security bug that could allow maliciously crafted web content to achieve arbitrary code execution. (bsc#1190701)
- CVE-2021-21806: Fixed an exploitable use-after-free vulnerability via specially crafted HTML web page. (bsc#1188697)
ImportantSUSE bug 1188697SUSE bug 1190701CVE-2021-21806 at SUSECVE-2021-21806 at NVDCVE-2021-30858 at SUSECVE-2021-30858 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for apache2 fixes the following issues:
- CVE-2021-40438: Fixed a SRF via a crafted request uri-path. (bsc#1190703)
- CVE-2021-39275: Fixed an out-of-bounds write in ap_escape_quotes() via malicious input. (bsc#1190666)
- CVE-2021-34798: Fixed a NULL pointer dereference via malformed requests. (bsc#1190669)
ImportantSUSE bug 1190666SUSE bug 1190669SUSE bug 1190703CVE-2021-34798 at SUSECVE-2021-34798 at NVDCVE-2021-39275 at SUSECVE-2021-39275 at NVDCVE-2021-40438 at SUSECVE-2021-40438 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for python3 fixes the following issues:
- Provide the newest setuptools wheel (bsc#1176262,
CVE-2019-20916) in their correct form (bsc#1180686).
ImportantSUSE bug 1176262SUSE bug 1180686CVE-2019-20916 at SUSECVE-2019-20916 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.2.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-45 (bsc#1191332)
* CVE-2021-38496: Use-after-free in MessageTask
* CVE-2021-38497: Validation message could have been overlaid on another origin
* CVE-2021-38498: Use-after-free of nsLanguageAtomService object
* CVE-2021-32810: Fixed Data race in crossbeam-deque
* CVE-2021-38500: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2
* CVE-2021-38501: Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2
- Fixed crash in FIPS mode (bsc#1190710)
ImportantSUSE bug 1190710SUSE bug 1191332CVE-2021-32810 at SUSECVE-2021-32810 at NVDCVE-2021-38496 at SUSECVE-2021-38496 at NVDCVE-2021-38497 at SUSECVE-2021-38497 at NVDCVE-2021-38498 at SUSECVE-2021-38498 at NVDCVE-2021-38500 at SUSECVE-2021-38500 at NVDCVE-2021-38501 at SUSECVE-2021-38501 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_144 fixes several issues.
The following security issues were fixed:
- CVE-2021-3715: Fixed a user-after-free in the Linux kernel's Traffic Control networking subsystem which could lead to local privilege escalation. (bsc#1190350).
- CVE-2021-38160: Fixed a bug that could lead to a data corruption or loss. This can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190118)
- CVE-2021-3640: Fixed a user-after-free bug in the function sco_sock_sendmsg which could lead to local privilege escalation. (bsc#1188613)
- CVE-2021-3573: Fixed a user-after-free bug in the function hci_sock_bound_ioctl which could lead to local privilege escalation. (bsc#1187054).
ImportantSUSE bug 1187054SUSE bug 1188613SUSE bug 1190118SUSE bug 1190350CVE-2021-3573 at SUSECVE-2021-3573 at NVDCVE-2021-3640 at SUSECVE-2021-3640 at NVDCVE-2021-3715 at SUSECVE-2021-3715 at NVDCVE-2021-38160 at SUSECVE-2021-38160 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_147 fixes several issues.
The following security issues were fixed:
- CVE-2021-3715: Fixed a user-after-free in the Linux kernel's Traffic Control networking subsystem which could lead to local privilege escalation. (bsc#1190350).
- CVE-2021-38160: Fixed a bug that could lead to a data corruption or loss. This can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190118)
- CVE-2021-3640: Fixed a user-after-free bug in the function sco_sock_sendmsg which could lead to local privilege escalation. (bsc#1188613)
- CVE-2021-3573: Fixed a user-after-free bug in the function hci_sock_bound_ioctl which could lead to local privilege escalation. (bsc#1187054).
ImportantSUSE bug 1187054SUSE bug 1188613SUSE bug 1190118SUSE bug 1190350CVE-2021-3573 at SUSECVE-2021-3573 at NVDCVE-2021-3640 at SUSECVE-2021-3640 at NVDCVE-2021-3715 at SUSECVE-2021-3715 at NVDCVE-2021-38160 at SUSECVE-2021-38160 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_135 fixes several issues.
The following security issues were fixed:
- CVE-2021-3715: Fixed a user-after-free in the Linux kernel's Traffic Control networking subsystem which could lead to local privilege escalation. (bsc#1190350).
- CVE-2021-38160: Fixed a bug that could lead to a data corruption or loss. This can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190118)
- CVE-2021-3640: Fixed a user-after-free bug in the function sco_sock_sendmsg which could lead to local privilege escalation. (bsc#1188613)
- CVE-2021-3573: Fixed a user-after-free bug in the function hci_sock_bound_ioctl which could lead to local privilege escalation. (bsc#1187054).
ImportantSUSE bug 1187054SUSE bug 1188613SUSE bug 1190118SUSE bug 1190350CVE-2021-3573 at SUSECVE-2021-3573 at NVDCVE-2021-3640 at SUSECVE-2021-3640 at NVDCVE-2021-3715 at SUSECVE-2021-3715 at NVDCVE-2021-38160 at SUSECVE-2021-38160 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_138 fixes several issues.
The following security issues were fixed:
- CVE-2021-3715: Fixed a user-after-free in the Linux kernel's Traffic Control networking subsystem which could lead to local privilege escalation. (bsc#1190350).
- CVE-2021-38160: Fixed a bug that could lead to a data corruption or loss. This can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190118)
- CVE-2021-3640: Fixed a user-after-free bug in the function sco_sock_sendmsg which could lead to local privilege escalation. (bsc#1188613)
- CVE-2021-3573: Fixed a user-after-free bug in the function hci_sock_bound_ioctl which could lead to local privilege escalation. (bsc#1187054).
ImportantSUSE bug 1187054SUSE bug 1188613SUSE bug 1190118SUSE bug 1190350CVE-2021-3573 at SUSECVE-2021-3573 at NVDCVE-2021-3640 at SUSECVE-2021-3640 at NVDCVE-2021-3715 at SUSECVE-2021-3715 at NVDCVE-2021-38160 at SUSECVE-2021-38160 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_141 fixes several issues.
The following security issues were fixed:
- CVE-2021-3715: Fixed a user-after-free in the Linux kernel's Traffic Control networking subsystem which could lead to local privilege escalation. (bsc#1190350).
- CVE-2021-38160: Fixed a bug that could lead to a data corruption or loss. This can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190118)
- CVE-2021-3640: Fixed a user-after-free bug in the function sco_sock_sendmsg which could lead to local privilege escalation. (bsc#1188613)
- CVE-2021-3573: Fixed a user-after-free bug in the function hci_sock_bound_ioctl which could lead to local privilege escalation. (bsc#1187054).
ImportantSUSE bug 1187054SUSE bug 1188613SUSE bug 1190118SUSE bug 1190350CVE-2021-3573 at SUSECVE-2021-3573 at NVDCVE-2021-3640 at SUSECVE-2021-3640 at NVDCVE-2021-3715 at SUSECVE-2021-3715 at NVDCVE-2021-38160 at SUSECVE-2021-38160 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for util-linux (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for util-linux fixes the following issues:
- CVE-2021-37600: Fixed an integer overflow which could lead to buffer overflow in get_sem_elements. (bsc#1188921)
- Prevent outdated pam files (bsc#1082293, bsc#1081947#c68).
- Do not trim read-only volumes (bsc#1106214).
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Reload issue only if it is really needed (bsc#1085196)
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- blockdev: Do not fail --report on kpartx-style partitions on multipath. (bsc#1168235)
- nologin: Add support for -c to prevent error from su -c. (bsc#1151708)
- Avoid triggering autofs in lookup_umount_fs_by_statfs. (bsc#1168389)
- libblkid: Do not trigger CDROM autoclose. (bsc#1084671)
- Avoid sulogin failing on not existing or not functional console devices. (bsc#1175514)
- Build with libudev support to support non-root users. (bsc#1169006)
- lscpu: avoid segfault on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
- Fix for warning on mounts to CIFS with mount. (SG#57988, bsc#1174942)
ModerateSUSE bug 1081947SUSE bug 1082293SUSE bug 1084671SUSE bug 1085196SUSE bug 1106214SUSE bug 1122417SUSE bug 1125886SUSE bug 1135534SUSE bug 1135708SUSE bug 1151708SUSE bug 1168235SUSE bug 1168389SUSE bug 1169006SUSE bug 1174942SUSE bug 1175514SUSE bug 1175623SUSE bug 1178236SUSE bug 1178554SUSE bug 1178825SUSE bug 1188921CVE-2021-37600 at SUSECVE-2021-37600 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for strongswan (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for strongswan fixes the following issues:
- CVE-2021-41991: Fixed an integer overflow when replacing certificates in cache. (bsc#1191435)
ImportantSUSE bug 1191435CVE-2021-41991 at SUSECVE-2021-41991 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for postgresql10 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for postgresql10 fixes the following issues:
- Fix for build with llvm12 on s390x. (bsc#1185952)
- Re-enable 'icu' for PostgreSQL 10. (bsc#1179945)
- Add postgresqlXX-server-devel as a dependency for postgresql13-server-devel. (bsc#1187751)
- Upgrade to version 10.18. (bsc#1190177)
Upgrade to version 10.17 (already released for SUSE Linux Enterprise 12 SP5):
- CVE-2021-32027: Fixed integer overflows in array subscripting calculations (bsc#1185924).
- CVE-2021-32028: Fixed mishandling of junk columns in INSERT ... ON CONFLICT ... UPDATE target lists (bsc#1185925).
- Don't use %_stop_on_removal, because it was meant to be private and got removed from openSUSE. %_restart_on_update is also private, but still supported and needed for now (bsc#1183168).
- Re-enable build of the llvmjit subpackage on SLE, but it will only be delivered on PackageHub for now (bsc#1183118).
- Disable icu for PostgreSQL 10 (and older) on TW (bsc#1179945).
- Fixed an issue droping irregular warning messages by removing the package. (bsc#1178961)
- Fixed an issue when build does not build the requiements to avoid dangling symlinks in the devel package. (bsc#1179765)
- Fix recently-added timetz test case so it works when the USA is not observing daylight savings time.
ImportantSUSE bug 1178961SUSE bug 1179765SUSE bug 1179945SUSE bug 1183118SUSE bug 1183168SUSE bug 1185924SUSE bug 1185925SUSE bug 1185952SUSE bug 1187751SUSE bug 1190177CVE-2021-32027 at SUSECVE-2021-32027 at NVDCVE-2021-32028 at SUSECVE-2021-32028 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for opensc (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for opensc fixes the following issues:
- CVE-2021-42780: Fixed use after return in insert_pin() (bsc#1192005).
- CVE-2021-42779: Fixed use after free in sc_file_valid() (bsc#1191992).
- CVE-2021-42781: Fixed multiple heap buffer overflows in pkcs15-oberthur.c (bsc#1192000).
- CVE-2021-42782: Stack buffer overflow issues in various places (bsc#1191957).
ImportantSUSE bug 1191957SUSE bug 1191992SUSE bug 1192000SUSE bug 1192005CVE-2021-42779 at SUSECVE-2021-42779 at NVDCVE-2021-42780 at SUSECVE-2021-42780 at NVDCVE-2021-42781 at SUSECVE-2021-42781 at NVDCVE-2021-42782 at SUSECVE-2021-42782 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for transfig (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for transfig fixes the following issues:
Update to fig2dev version 3.2.8 Patchlevel 8b (Aug 2021)
- bsc#1190618, CVE-2020-21529: stack buffer overflow in the bezier_spline function in genepic.c.
- bsc#1190615, CVE-2020-21530: segmentation fault in the read_objects function in read.c.
- bsc#1190617, CVE-2020-21531: global buffer overflow in the conv_pattern_index function in gencgm.c.
- bsc#1190616, CVE-2020-21532: global buffer overflow in the setfigfont function in genepic.c.
- bsc#1190612, CVE-2020-21533: stack buffer overflow in the read_textobject function in read.c.
- bsc#1190611, CVE-2020-21534: global buffer overflow in the get_line function in read.c.
- bsc#1190607, CVE-2020-21535: segmentation fault in the gencgm_start function in gencgm.c.
- bsc#1192019, CVE-2021-32280: NULL pointer dereference in compute_closed_spline() in trans_spline.c
ImportantSUSE bug 1190607SUSE bug 1190611SUSE bug 1190612SUSE bug 1190615SUSE bug 1190616SUSE bug 1190617SUSE bug 1190618SUSE bug 1192019CVE-2020-21529 at SUSECVE-2020-21529 at NVDCVE-2020-21530 at SUSECVE-2020-21530 at NVDCVE-2020-21531 at SUSECVE-2020-21531 at NVDCVE-2020-21532 at SUSECVE-2020-21532 at NVDCVE-2020-21533 at SUSECVE-2020-21533 at NVDCVE-2020-21534 at SUSECVE-2020-21534 at NVDCVE-2020-21535 at SUSECVE-2020-21535 at NVDCVE-2021-32280 at SUSECVE-2021-32280 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for binutils (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for binutils fixes the following issues:
Update to binutils 2.37:
* The GNU Binutils sources now requires a C99 compiler and library to
build.
* Support for the arm-symbianelf format has been removed.
* Support for Realm Management Extension (RME) for AArch64 has been
added.
* A new linker option '-z report-relative-reloc' for x86 ELF targets
has been added to report dynamic relative relocations.
* A new linker option '-z start-stop-gc' has been added to disable
special treatment of __start_*/__stop_* references when
--gc-sections.
* A new linker options '-Bno-symbolic' has been added which will
cancel the '-Bsymbolic' and '-Bsymbolic-functions' options.
* The readelf tool has a new command line option which can be used to
specify how the numeric values of symbols are reported.
--sym-base=0|8|10|16 tells readelf to display the values in base 8,
base 10 or base 16. A sym base of 0 represents the default action
of displaying values under 10000 in base 10 and values above that in
base 16.
* A new format has been added to the nm program. Specifying
'--format=just-symbols' (or just using -j) will tell the program to
only display symbol names and nothing else.
* A new command line option '--keep-section-symbols' has been added to
objcopy and strip. This stops the removal of unused section symbols
when the file is copied. Removing these symbols saves space, but
sometimes they are needed by other tools.
* The '--weaken', '--weaken-symbol' and '--weaken-symbols' options
supported by objcopy now make undefined symbols weak on targets that
support weak symbols.
* Readelf and objdump can now display and use the contents of .debug_sup
sections.
* Readelf and objdump will now follow links to separate debug info
files by default. This behaviour can be stopped via the use of the
new '-wN' or '--debug-dump=no-follow-links' options for readelf and
the '-WN' or '--dwarf=no-follow-links' options for objdump. Also
the old behaviour can be restored by the use of the
'--enable-follow-debug-links=no' configure time option.
The semantics of the =follow-links option have also been slightly
changed. When enabled, the option allows for the loading of symbol
tables and string tables from the separate files which can be used
to enhance the information displayed when dumping other sections,
but it does not automatically imply that information from the
separate files should be displayed.
If other debug section display options are also enabled (eg
'--debug-dump=info') then the contents of matching sections in both
the main file and the separate debuginfo file *will* be displayed.
This is because in most cases the debug section will only be present
in one of the files.
If however non-debug section display options are enabled (eg
'--sections') then the contents of matching parts of the separate
debuginfo file will *not* be displayed. This is because in most
cases the user probably only wanted to load the symbol information
from the separate debuginfo file. In order to change this behaviour
a new command line option --process-links can be used. This will
allow di0pslay options to applied to both the main file and any
separate debuginfo files.
* Nm has a new command line option: '--quiet'. This suppresses 'no
symbols' diagnostic.
Update to binutils 2.36:
New features in the Assembler:
General:
* When setting the link order attribute of ELF sections, it is now
possible to use a numeric section index instead of symbol name.
* Added a .nop directive to generate a single no-op instruction in
a target neutral manner. This instruction does have an effect on
DWARF line number generation, if that is active.
* Removed --reduce-memory-overheads and --hash-size as gas now
uses hash tables that can be expand and shrink automatically.
X86/x86_64:
* Add support for AVX VNNI, HRESET, UINTR, TDX, AMX and Key
Locker instructions.
* Support non-absolute segment values for lcall and ljmp.
* Add {disp16} pseudo prefix to x86 assembler.
* Configure with --enable-x86-used-note by default for Linux/x86.
ARM/AArch64:
* Add support for Cortex-A78, Cortex-A78AE and Cortex-X1,
Cortex-R82, Neoverse V1, and Neoverse N2 cores.
* Add support for ETMv4 (Embedded Trace Macrocell), ETE (Embedded
Trace Extension), TRBE (Trace Buffer Extension), CSRE (Call
Stack Recorder Extension) and BRBE (Branch Record Buffer
Extension) system registers.
* Add support for Armv8-R and Armv8.7-A ISA extensions.
* Add support for DSB memory nXS barrier, WFET and WFIT
instruction for Armv8.7.
* Add support for +csre feature for -march. Add CSR PDEC
instruction for CSRE feature in AArch64.
* Add support for +flagm feature for -march in Armv8.4 AArch64.
* Add support for +ls64 feature for -march in Armv8.7
AArch64. Add atomic 64-byte load/store instructions for this
feature.
* Add support for +pauth (Pointer Authentication) feature for
-march in AArch64.
New features in the Linker:
* Add --error-handling-script=<NAME> command line option to allow
a helper script to be invoked when an undefined symbol or a
missing library is encountered. This option can be suppressed
via the configure time switch: --enable-error-handling-script=no.
* Add -z x86-64-{baseline|v[234]} to the x86 ELF linker to mark
x86-64-{baseline|v[234]} ISA level as needed.
* Add -z unique-symbol to avoid duplicated local symbol names.
* The creation of PE format DLLs now defaults to using a more
secure set of DLL characteristics.
* The linker now deduplicates the types in .ctf sections. The new
command-line option --ctf-share-types describes how to do this:
its default value, share-unconflicted, produces the most compact
output.
* The linker now omits the 'variable section' from .ctf sections
by default, saving space. This is almost certainly what you
want unless you are working on a project that has its own
analogue of symbol tables that are not reflected in the ELF
symtabs.
New features in other binary tools:
* The ar tool's previously unused l modifier is now used for
specifying dependencies of a static library. The arguments of
this option (or --record-libdeps long form option) will be
stored verbatim in the __.LIBDEP member of the archive, which
the linker may read at link time.
* Readelf can now display the contents of LTO symbol table
sections when asked to do so via the --lto-syms command line
option.
* Readelf now accepts the -C command line option to enable the
demangling of symbol names. In addition the --demangle=<style>,
--no-demangle, --recurse-limit and --no-recurse-limit options
are also now availale.
Update to binutils 2.35.1:
* This is a point release over the previous 2.35 version, containing bug
fixes, and as an exception to the usual rule, one new feature. The
new feature is the support for a new directive in the assembler:
'.nop'. This directive creates a single no-op instruction in whatever
encoding is correct for the target architecture. Unlike the .space or
.fill this is a real instruction, and it does affect the generation of
DWARF line number tables, should they be enabled.
Update to binutils 2.35:
* The assembler can now produce DWARF-5 format line number tables.
* Readelf now has a 'lint' mode to enable extra checks of the files it is processing.
* Readelf will now display '[...]' when it has to truncate a symbol name.
The old behaviour - of displaying as many characters as possible, up to
the 80 column limit - can be restored by the use of the --silent-truncation
option.
* The linker can now produce a dependency file listing the inputs that it
has processed, much like the -M -MP option supported by the compiler.
Update to binutils 2.34:
* The disassembler (objdump --disassemble) now has an option to
generate ascii art thats show the arcs between that start and end
points of control flow instructions.
* The binutils tools now have support for debuginfod. Debuginfod is a
HTTP service for distributing ELF/DWARF debugging information as
well as source code. The tools can now connect to debuginfod
servers in order to download debug information about the files that
they are processing.
* The assembler and linker now support the generation of ELF format
files for the Z80 architecture.
Update to binutils 2.33.1:
* Adds support for the Arm Scalable Vector Extension version 2
(SVE2) instructions, the Arm Transactional Memory Extension (TME)
instructions and the Armv8.1-M Mainline and M-profile Vector
Extension (MVE) instructions.
* Adds support for the Arm Cortex-A76AE, Cortex-A77 and Cortex-M35P
processors and the AArch64 Cortex-A34, Cortex-A65, Cortex-A65AE,
Cortex-A76AE, and Cortex-A77 processors.
* Adds a .float16 directive for both Arm and AArch64 to allow
encoding of 16-bit floating point literals.
* For MIPS, Add -m[no-]fix-loongson3-llsc option to fix (or not)
Loongson3 LLSC Errata. Add a --enable-mips-fix-loongson3-llsc=[yes|no]
configure time option to set the default behavior. Set the default
if the configure option is not used to 'no'.
* The Cortex-A53 Erratum 843419 workaround now supports a choice of
which workaround to use. The option --fix-cortex-a53-843419 now
takes an optional argument --fix-cortex-a53-843419[=full|adr|adrp]
which can be used to force a particular workaround to be used.
See --help for AArch64 for more details.
* Add support for GNU_PROPERTY_AARCH64_FEATURE_1_BTI and
GNU_PROPERTY_AARCH64_FEATURE_1_PAC in ELF GNU program properties
in the AArch64 ELF linker.
* Add -z force-bti for AArch64 to enable GNU_PROPERTY_AARCH64_FEATURE_1_BTI
on output while warning about missing GNU_PROPERTY_AARCH64_FEATURE_1_BTI
on inputs and use PLTs protected with BTI.
* Add -z pac-plt for AArch64 to pick PAC enabled PLTs.
* Add --source-comment[=<txt>] option to objdump which if present,
provides a prefix to source code lines displayed in a disassembly.
* Add --set-section-alignment <section-name>=<power-of-2-align>
option to objcopy to allow the changing of section alignments.
* Add --verilog-data-width option to objcopy for verilog targets to
control width of data elements in verilog hex format.
* The separate debug info file options of readelf (--debug-dump=links
and --debug-dump=follow) and objdump (--dwarf=links and
--dwarf=follow-links) will now display and/or follow multiple
links if more than one are present in a file. (This usually
happens when gcc's -gsplit-dwarf option is used).
In addition objdump's --dwarf=follow-links now also affects its
other display options, so that for example, when combined with
--syms it will cause the symbol tables in any linked debug info
files to also be displayed. In addition when combined with
--disassemble the --dwarf= follow-links option will ensure that
any symbol tables in the linked files are read and used when
disassembling code in the main file.
* Add support for dumping types encoded in the Compact Type Format
to objdump and readelf.
The following security fixes are addressed by the update:
- CVE-2021-20197: Fixed a race condition which allows users to own arbitrary files (bsc#1181452).
- CVE-2021-20284: Fixed a heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c (bsc#1183511).
- CVE-2021-3487: Fixed a denial of service via excessive debug section size causing excessive memory consumption in bfd's dwarf2.c read_section() (bsc#1184620).
- CVE-2020-35448: Fixed a heap-based buffer over-read in bfd_getl_signed_32() in libbfd.c (bsc#1184794).
- CVE-2020-16590: Fixed a double free vulnerability in process_symbol_table() (bsc#1179898).
- CVE-2020-16591: Fixed an invalid read in process_symbol_table() (bsc#1179899).
- CVE-2020-16592: Fixed an use-after-free in bfd_hash_lookup() (bsc#1179900).
- CVE-2020-16593: Fixed a null pointer dereference in scan_unit_for_symbols() (bsc#1179901).
- CVE-2020-16598: Fixed a null pointer dereference in debug_get_real_type() (bsc#1179902).
- CVE-2020-16599: Fixed a null pointer dereference in _bfd_elf_get_symbol_version_string() (bsc#1179903)
- CVE-2020-35493: Fixed heap-based buffer overflow in bfd_pef_parse_function_stubs function in bfd/pef.c via crafted PEF file (bsc#1180451).
- CVE-2020-35496: Fixed multiple null pointer dereferences in bfd module due to not checking return value of bfd_malloc (bsc#1180454).
- CVE-2020-35507: Fixed a null pointer dereference in bfd_pef_parse_function_stubs() (bsc#1180461).
- CVE-2019-17451: Fixed an integer overflow leading to a SEGV in _bfd_dwarf2_find_nearest_line() in dwarf2.c (bsc#1153768).
- CVE-2019-17450: Fixed a potential denial of service in find_abstract_instance() in dwarf2.c (bsc#1153770).
- CVE-2019-9077: Fixed a heap-based buffer overflow in process_mips_specific() in readelf.c via a malformed MIPS option section (bsc#1126826).
- CVE-2019-9075: Fixed a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap() in archive64.c (bsc#1126829).
- CVE-2019-9074: Fixed a out-of-bounds read leading to a SEGV in bfd_getl32() in libbfd.c (bsc#1126831).
- CVE-2019-12972: Fixed a heap-based buffer over-read in _bfd_doprnt() in bfd.c (bsc#1140126).
- CVE-2019-14444: Fixed an integer overflow apply_relocations() in readelf.c (bsc#1143609).
- CVE-2019-14250: Fixed an integer overflow in simple_object_elf_match() in simple-object-elf.c (bsc#1142649).
ModerateSUSE bug 1126826SUSE bug 1126829SUSE bug 1126831SUSE bug 1140126SUSE bug 1142649SUSE bug 1143609SUSE bug 1153768SUSE bug 1153770SUSE bug 1157755SUSE bug 1160254SUSE bug 1160590SUSE bug 1163333SUSE bug 1163744SUSE bug 1179036SUSE bug 1179341SUSE bug 1179898SUSE bug 1179899SUSE bug 1179900SUSE bug 1179901SUSE bug 1179902SUSE bug 1179903SUSE bug 1180451SUSE bug 1180454SUSE bug 1180461SUSE bug 1181452SUSE bug 1182252SUSE bug 1183511SUSE bug 1184620SUSE bug 1184794CVE-2019-12972 at SUSECVE-2019-12972 at NVDCVE-2019-14250 at SUSECVE-2019-14250 at NVDCVE-2019-14444 at SUSECVE-2019-14444 at NVDCVE-2019-17450 at SUSECVE-2019-17450 at NVDCVE-2019-17451 at SUSECVE-2019-17451 at NVDCVE-2019-9074 at SUSECVE-2019-9074 at NVDCVE-2019-9075 at SUSECVE-2019-9075 at NVDCVE-2019-9077 at SUSECVE-2019-9077 at NVDCVE-2020-16590 at SUSECVE-2020-16590 at NVDCVE-2020-16591 at SUSECVE-2020-16591 at NVDCVE-2020-16592 at SUSECVE-2020-16592 at NVDCVE-2020-16593 at SUSECVE-2020-16593 at NVDCVE-2020-16598 at SUSECVE-2020-16598 at NVDCVE-2020-16599 at SUSECVE-2020-16599 at NVDCVE-2020-35448 at SUSECVE-2020-35448 at NVDCVE-2020-35493 at SUSECVE-2020-35493 at NVDCVE-2020-35496 at SUSECVE-2020-35496 at NVDCVE-2020-35507 at SUSECVE-2020-35507 at NVDCVE-2021-20197 at SUSECVE-2021-20197 at NVDCVE-2021-20284 at SUSECVE-2021-20284 at NVDCVE-2021-3487 at SUSECVE-2021-3487 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for binutils (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for binutils fixes the following issues:
- For compatibility on old code stream that expect 'brcl 0,label' to
not be disassembled as 'jgnop label' on s390x. (bsc#1192267)
This reverts IBM zSeries HLASM support for now.
- Fixed that ppc64 optflags did not enable LTO (bsc#1188941).
- Fix empty man-pages from broken release tarball
- Fixed a memory corruption with rpath option (bsc#1191473).
- Fixed slow performance of stripping some binaries (bsc#1183909).
Security issue fixed:
- CVE-2021-20294: Fixed out-of-bounds write in print_dynamic_symbol in readelf (bnc#1184519)
ModerateSUSE bug 1183909SUSE bug 1184519SUSE bug 1188941SUSE bug 1191473SUSE bug 1192267CVE-2021-20294 at SUSECVE-2021-20294 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for pcre (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for pcre fixes the following issues:
Update pcre to version 8.45:
- CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
- CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973).
- CVE-2017-7244: Fixed invalid read in _pcre32_xclass() (bsc#1030807).
- CVE-2017-7245: Fixed buffer overflow in the pcre32_copy_substring (bsc#1030805).
- CVE-2017-7246: Fixed another buffer overflow in the pcre32_copy_substring (bsc#1030803).
- CVE-2017-7186: Fixed denial of service caused by an invalid Unicode property lookup (bsc#1030066).
- CVE-2017-6004: Fixed denial of service via crafted regular expression (bsc#1025709).
ModerateSUSE bug 1025709SUSE bug 1030066SUSE bug 1030803SUSE bug 1030805SUSE bug 1030807SUSE bug 1172973SUSE bug 1172974CVE-2017-6004 at SUSECVE-2017-6004 at NVDCVE-2017-7186 at SUSECVE-2017-7186 at NVDCVE-2017-7244 at SUSECVE-2017-7244 at NVDCVE-2017-7245 at SUSECVE-2017-7245 at NVDCVE-2017-7246 at SUSECVE-2017-7246 at NVDCVE-2019-20838 at SUSECVE-2019-20838 at NVDCVE-2020-14155 at SUSECVE-2020-14155 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for qemu (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for qemu fixes the following issues:
Security issues fixed:
- Fix out-of-bounds write in UAS (USB Attached SCSI) device emulation (bsc#1189702, CVE-2021-3713)
- Fix heap use-after-free in virtio_net_receive_rcu (bsc#1189938, CVE-2021-3748)
ImportantSUSE bug 1189702SUSE bug 1189938CVE-2021-3713 at SUSECVE-2021-3713 at NVDCVE-2021-3748 at SUSECVE-2021-3748 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
MozillaFirefox was updated to Extended Support Release 91.3.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-49 (bsc#1192250)
* CVE-2021-38503: iframe sandbox rules did not apply to XSLT stylesheets
* CVE-2021-38504: Use-after-free in file picker dialog
* CVE-2021-38505: Windows 10 Cloud Clipboard may have recorded sensitive user data
* CVE-2021-38506: Firefox could be coaxed into going into fullscreen mode without notification or warning
* CVE-2021-38507: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports
* CVE-2021-38508: Permission Prompt could be overlaid, resulting in user confusion and potential spoofing
* CVE-2021-38509: Javascript alert box could have been spoofed onto an arbitrary domain
* CVE-2021-38510: Download Protections were bypassed by .inetloc files on Mac OS
* MOZ-2021-0008: Use-after-free in HTTP2 Session object
* MOZ-2021-0007: Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3
ImportantSUSE bug 1192250CVE-2021-38503 at SUSECVE-2021-38503 at NVDCVE-2021-38504 at SUSECVE-2021-38504 at NVDCVE-2021-38505 at SUSECVE-2021-38505 at NVDCVE-2021-38506 at SUSECVE-2021-38506 at NVDCVE-2021-38507 at SUSECVE-2021-38507 at NVDCVE-2021-38508 at SUSECVE-2021-38508 at NVDCVE-2021-38509 at SUSECVE-2021-38509 at NVDCVE-2021-38510 at SUSECVE-2021-38510 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for samba (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for samba fixes the following issues:
- CVE-2016-2124: Fixed not to fallback to non spnego authentication if we require kerberos (bsc#1014440).
- CVE-2020-25717: Fixed privilege escalation inside an AD Domain where a user could become root on domain members (bsc#1192284).
ImportantSUSE bug 1014440SUSE bug 1192284CVE-2016-2124 at SUSECVE-2016-2124 at NVDCVE-2020-25717 at SUSECVE-2020-25717 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_135 fixes several issues.
The following security issues were fixed:
- CVE-2021-0935: Fixed use after free that could lead to local escalation of privilege in ip6_xmit of ip6_output.c (bsc#1192042).
- CVE-2021-3752: Fixed vulnerability in the linux kernel Bluetooth uaf module (bsc#1190432).
ImportantSUSE bug 1190432SUSE bug 1192042CVE-2021-0935 at SUSECVE-2021-0935 at NVDCVE-2021-3752 at SUSECVE-2021-3752 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_138 fixes several issues.
The following security issues were fixed:
- CVE-2021-0935: Fixed use after free that could lead to local escalation of privilege in ip6_xmit of ip6_output.c (bsc#1192042).
- CVE-2021-3752: Fixed vulnerability in the linux kernel Bluetooth uaf module (bsc#1190432).
ImportantSUSE bug 1190432SUSE bug 1192042CVE-2021-0935 at SUSECVE-2021-0935 at NVDCVE-2021-3752 at SUSECVE-2021-3752 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_141 fixes several issues.
The following security issues were fixed:
- CVE-2021-0935: Fixed use after free that could lead to local escalation of privilege in ip6_xmit of ip6_output.c (bsc#1192042).
- CVE-2021-3752: Fixed vulnerability in the linux kernel Bluetooth uaf module (bsc#1190432).
ImportantSUSE bug 1190432SUSE bug 1192042CVE-2021-0935 at SUSECVE-2021-0935 at NVDCVE-2021-3752 at SUSECVE-2021-3752 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_144 fixes several issues.
The following security issues were fixed:
- CVE-2021-0935: Fixed use after free that could lead to local escalation of privilege in ip6_xmit of ip6_output.c (bsc#1192042).
- CVE-2021-3752: Fixed vulnerability in the linux kernel Bluetooth uaf module (bsc#1190432).
ImportantSUSE bug 1190432SUSE bug 1192042CVE-2021-0935 at SUSECVE-2021-0935 at NVDCVE-2021-3752 at SUSECVE-2021-3752 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_147 fixes several issues.
The following security issues were fixed:
- CVE-2021-0935: Fixed use after free that could lead to local escalation of privilege in ip6_xmit of ip6_output.c (bsc#1192042).
- CVE-2021-3752: Fixed vulnerability in the linux kernel Bluetooth uaf module (bsc#1190432).
ImportantSUSE bug 1190432SUSE bug 1192042CVE-2021-0935 at SUSECVE-2021-0935 at NVDCVE-2021-3752 at SUSECVE-2021-3752 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for postgresql, postgresql13, postgresql14 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for postgresql, postgresql13 and postgresql14 fixes the following issues:
Security issues fixed:
- CVE-2021-23214: Make the server reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
- CVE-2021-23222: Make libpq reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
This update also ships postgresql14 to SUSE Linux Enterprise 12 SP5. (jsc#SLE-22673)
On older service packs only libpq5 and libecpg6 are being replaced by the postgresql14 variants.
Feature changes in postgresql14:
- https://www.postgresql.org/about/news/postgresql-14-released-2318/
- https://www.postgresql.org/docs/14/release-14.html
ImportantSUSE bug 1192516CVE-2021-23214 at SUSECVE-2021-23214 at NVDCVE-2021-23222 at SUSECVE-2021-23222 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for postgresql96 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for postgresql96 fixes the following issues:
- CVE-2021-23214: Make the server reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
- CVE-2021-23222: Make libpq reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
ImportantSUSE bug 1192516CVE-2021-23214 at SUSECVE-2021-23214 at NVDCVE-2021-23222 at SUSECVE-2021-23222 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for postgresql10 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for postgresql10 fixes the following issues:
- CVE-2021-23214: Make the server reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
- CVE-2021-23222: Make libpq reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
ImportantSUSE bug 1192516CVE-2021-23214 at SUSECVE-2021-23214 at NVDCVE-2021-23222 at SUSECVE-2021-23222 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for webkit2gtk3 fixes the following issues:
- CVE-2021-42762: Updated seccomp rules with latest changes from flatpak (bsc#1191937).
ImportantSUSE bug 1191937CVE-2021-42762 at SUSECVE-2021-42762 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_8_0-openjdk fixes the following issues:
Update to version OpenJDK 8u312 (October 2021 CPU):
- CVE-2021-35550: Fixed weak ciphers preferred over stronger ones for TLS (bsc#1191901).
- CVE-2021-35556: Fixed excessive memory allocation in RTFParser (bsc#1191910).
- CVE-2021-35559: Fixed excessive memory allocation in RTFReader (bsc#1191911).
- CVE-2021-35561: Fixed excessive memory allocation in HashMap and HashSet (bsc#1191912).
- CVE-2021-35564: Fixed certificates with end dates too far in the future can corrupt keystore (bsc#1191913).
- CVE-2021-35565: Fixed loop in HttpsServer triggered during TLS session close (bsc#1191909).
- CVE-2021-35567: Fixed incorrect principal selection when using Kerberos Constrained Delegation (bsc#1191903).
- CVE-2021-35578: Fixed unexpected exception raised during TLS handshake (bsc#1191904).
- CVE-2021-35586: Fixed excessive memory allocation in BMPImageReader (bsc#1191914).
- CVE-2021-35588: Fixed incomplete validation of inner class references in ClassFileParser (bsc#1191905)
- CVE-2021-35603: Fixed non-constant comparison during TLS handshakes (bsc#1191906).
ImportantSUSE bug 1191901SUSE bug 1191903SUSE bug 1191904SUSE bug 1191905SUSE bug 1191906SUSE bug 1191909SUSE bug 1191910SUSE bug 1191911SUSE bug 1191912SUSE bug 1191913SUSE bug 1191914CVE-2021-35550 at SUSECVE-2021-35550 at NVDCVE-2021-35556 at SUSECVE-2021-35556 at NVDCVE-2021-35559 at SUSECVE-2021-35559 at NVDCVE-2021-35561 at SUSECVE-2021-35561 at NVDCVE-2021-35564 at SUSECVE-2021-35564 at NVDCVE-2021-35565 at SUSECVE-2021-35565 at NVDCVE-2021-35567 at SUSECVE-2021-35567 at NVDCVE-2021-35578 at SUSECVE-2021-35578 at NVDCVE-2021-35586 at SUSECVE-2021-35586 at NVDCVE-2021-35588 at SUSECVE-2021-35588 at NVDCVE-2021-35603 at SUSECVE-2021-35603 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_7_0-openjdk fixes the following issues:
Update to OpenJDK 7u321 (October 2021 CPU):
- CVE-2021-35550: Fixed weak ciphers preferred over stronger ones for TLS (bsc#1191901).
- CVE-2021-35556: Fixed excessive memory allocation in RTFParser (bsc#1191910).
- CVE-2021-35559: Fixed excessive memory allocation in RTFReader (bsc#1191911).
- CVE-2021-35561: Fixed excessive memory allocation in HashMap and HashSet (bsc#1191912).
- CVE-2021-35564: Fixed certificates with end dates too far in the future can corrupt keystore (bsc#1191913).
- CVE-2021-35565: Fixed loop in HttpsServer triggered during TLS session close (bsc#1191909).
- CVE-2021-35586: Fixed excessive memory allocation in BMPImageReader (bsc#1191914).
- CVE-2021-35588: Fixed incomplete validation of inner class references in ClassFileParser (bsc#1191905)
- CVE-2021-35603: Fixed non-constant comparison during TLS handshakes (bsc#1191906).
ImportantSUSE bug 1191901SUSE bug 1191905SUSE bug 1191906SUSE bug 1191909SUSE bug 1191910SUSE bug 1191911SUSE bug 1191912SUSE bug 1191913SUSE bug 1191914CVE-2021-35550 at SUSECVE-2021-35550 at NVDCVE-2021-35556 at SUSECVE-2021-35556 at NVDCVE-2021-35559 at SUSECVE-2021-35559 at NVDCVE-2021-35561 at SUSECVE-2021-35561 at NVDCVE-2021-35564 at SUSECVE-2021-35564 at NVDCVE-2021-35565 at SUSECVE-2021-35565 at NVDCVE-2021-35586 at SUSECVE-2021-35586 at NVDCVE-2021-35588 at SUSECVE-2021-35588 at NVDCVE-2021-35603 at SUSECVE-2021-35603 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for ruby2.1 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for ruby2.1 fixes the following issues:
- CVE-2020-25613: Fixed potential HTTP request smuggling in WEBrick (bsc#1177125).
- CVE-2021-31799: Fixed Command injection vulnerability in RDoc (bsc#1190375).
- CVE-2021-31810: Fixed trusting FTP PASV responses vulnerability in Net:FTP (bsc#1188161).
- CVE-2021-32066: Fixed StartTLS stripping vulnerability in Net:IMAP (bsc#1188160).
ImportantSUSE bug 1177125SUSE bug 1188160SUSE bug 1188161SUSE bug 1190375CVE-2020-25613 at SUSECVE-2020-25613 at NVDCVE-2021-31799 at SUSECVE-2021-31799 at NVDCVE-2021-31810 at SUSECVE-2021-31810 at NVDCVE-2021-32066 at SUSECVE-2021-32066 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for xen (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for xen fixes the following issues:
- CVE-2021-28704, CVE-2021-28707, CVE-2021-28708: Fixed PoD operations on misaligned GFNs (XSA-388) (bsc#1192557).
- CVE-2021-28705, CVE-2021-28709: Fixed issues with partially successful P2M updates on x86 (XSA-389) (bsc#1192559).
- CVE-2021-28706: Fixed guests may exceed their designated memory limit (XSA-385) (bsc#1192554).
ModerateSUSE bug 1192554SUSE bug 1192557SUSE bug 1192559CVE-2021-28704 at SUSECVE-2021-28704 at NVDCVE-2021-28705 at SUSECVE-2021-28705 at NVDCVE-2021-28706 at SUSECVE-2021-28706 at NVDCVE-2021-28707 at SUSECVE-2021-28707 at NVDCVE-2021-28708 at SUSECVE-2021-28708 at NVDCVE-2021-28709 at SUSECVE-2021-28709 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for clamav (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for clamav fixes the following issues:
- CVE-2018-14679: Fixed off-by-one issue in embedded libmspack that could lead to denial of service (bsc#1103032).
- Update to 0.103.4 (bsc#1192346).
- Update to 0.103.3 (bsc#1188284).
ModerateSUSE bug 1103032SUSE bug 1188284SUSE bug 1192346CVE-2018-14679 at SUSECVE-2018-14679 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for webkit2gtk3 fixes the following issues:
- CVE-2021-30846: Fixed memory corruption issue that could lead to arbitrary code execution when processing maliciously crafted web content (bsc#1192063).
- CVE-2021-30851: Fixed memory corruption vulnerability that could lead to arbitrary code execution when processing maliciously crafted web content (bsc#1192063).
ImportantSUSE bug 1192063CVE-2021-30846 at SUSECVE-2021-30846 at NVDCVE-2021-30851 at SUSECVE-2021-30851 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
The SUSE Linux Enterprise 12 SP3 LTSS kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- Unprivileged BPF has been disabled by default to reduce attack surface as too many security issues have happened in the past (jsc#SLE-22573)
You can reenable via systemctl setting /proc/sys/kernel/unprivileged_bpf_disabled to 0. (kernel.unprivileged_bpf_disabled = 0)
- CVE-2021-31916: An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel A bound check failure allowed an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability (bnc#1192781).
- CVE-2021-20322: Make the ipv4 and ipv6 ICMP exception caches less predictive to avoid information leaks about UDP ports in use. (bsc#1191790)
- CVE-2021-34981: Fixed file refcounting in cmtp when cmtp_attach_device fails (bsc#1191961).
- CVE-2020-12655: An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c. Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka CID-d0c7feaf8767 (bnc#1171217).
- CVE-2021-43389: There was an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c (bnc#1191958).
- CVE-2021-37159: hso_free_net_device in drivers/net/usb/hso.c called unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free (bnc#1188601).
- CVE-2021-34556: An unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects the possibility of uninitialized memory locations on the BPF stack (bnc#1188983).
- CVE-2021-35477: An unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store operation did not necessarily occur before a store operation that has an attacker-controlled value (bnc#1188985).
- CVE-2017-17862: kernel/bpf/verifier.c in the Linux kernel ignores unreachable code, even though it would still be processed by JIT compilers. This behavior, also considered an improper branch-pruning logic issue, could possibly be used by local users for denial of service (bnc#1073928).
- CVE-2017-17864: kernel/bpf/verifier.c in the Linux kernel mishandled states_equal comparisons between the pointer data type and the UNKNOWN_VALUE data type, which allowed local users to obtain potentially sensitive address information, aka a 'pointer leak (bnc#1073928).
- CVE-2021-20265: A flaw was found in the way memory resources were freed in the unix_stream_recvmsg function in the Linux kernel when a signal was pending. This flaw allowed an unprivileged local user to crash the system by exhausting available memory. The highest threat from this vulnerability is to system availability (bnc#1183089).
- CVE-2021-3772: Fixed sctp vtag check in sctp_sf_ootb (bsc#1190351).
- CVE-2021-3655: Missing size validations on inbound SCTP packets may have allowed the kernel to read uninitialized memory (bnc#1188563).
- CVE-2018-13405: The inode_init_owner function in fs/inode.c in the Linux kernel allowed local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID (bnc#1100416 bnc#1129735).
- CVE-2021-3760: Fixed a use-after-free vulnerability with the ndev->rf_conn_info object (bsc#1190067).
- CVE-2021-42739: The firewire subsystem in the Linux kernel has a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandled bounds checking (bnc#1184673).
- CVE-2021-3542: Fixed heap buffer overflow in firedtv driver (bsc#1186063).
- CVE-2021-33033: The Linux kernel has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value (bnc#1186109 bnc#1186390 bnc#1188876).
- CVE-2020-14305: An out-of-bounds memory write flaw was found in how the Linux kernel’s Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allowed an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability (bnc#1173346).
- CVE-2021-3715: Fixed a use-after-free in route4_change() in net/sched/cls_route.c (bsc#1190349).
- CVE-2021-3896: Fixed a array-index-out-bounds in detach_capi_ctr in drivers/isdn/capi/kcapi.c (bsc#1191958).
- CVE-2021-42008: The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access (bnc#1191315).
- CVE-2020-3702: Specifically timed and handcrafted traffic can cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic (bnc#1191193).
- CVE-2021-3752: Fixed a use after free vulnerability in the Linux kernel's bluetooth module. (bsc#1190023)
- CVE-2021-40490: A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel (bnc#1190159 bnc#1192775)
- CVE-2021-3640: Fixed a Use-After-Free vulnerability in function sco_sock_sendmsg() in the bluetooth stack (bsc#1188172).
- CVE-2021-38160: Data corruption or loss could be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190117)
- CVE-2021-3753: Fixed race out-of-bounds in virtual terminal handling (bsc#1190025).
- CVE-2021-3732: Mounting overlayfs inside an unprivileged user namespace can reveal files (bsc#1189706).
- CVE-2021-3653: A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the 'int_ctl' field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7 (bnc#1189399 bnc#1189420).
- CVE-2021-38198: arch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault (bnc#1189262 bnc#1189278).
- CVE-2021-38204: drivers/usb/host/max3421-hcd.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain situations (bnc#1189291).
- CVE-2021-3679: A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service (bnc#1189057).
- CVE-2018-16882: A use-after-free issue was found in the way the Linux kernel's KVM hypervisor processed posted interrupts when nested(=1) virtualization is enabled. In nested_get_vmcs12_pages(), in case of an error while processing posted interrupt address, it unmaps the 'pi_desc_page' without resetting 'pi_desc' descriptor address, which is later used in pi_test_and_clear_on(). A guest user/process could use this flaw to crash the host kernel resulting in DoS or potentially gain privileged access to a system. Kernel versions and are vulnerable (bnc#1119934).
- CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1176724).
- CVE-2020-4788: IBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors could allow a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances. IBM X-Force ID: 189296 (bnc#1177666 bnc#1181158).
- CVE-2021-3659: Fixed a NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (bsc#1188876).
- CVE-2021-37576: arch/powerpc/kvm/book3s_rtas.c in the Linux kernel on the powerpc platform allowed KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e (bnc#1188838).
The following non-security bugs were fixed:
- PCI: hv: Use expected affinity when unmasking IRQ (bsc#1185973).
- SUNRPC: improve error response to over-size gss credential (bsc#1190022).
- Update config files: Add CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
- blacklist.conf: Drop a line that was added by mistake
- bpf: Add kconfig knob for disabling unpriv bpf by default (jsc#SLE-22918)
- bpf: Disallow unprivileged bpf by default (jsc#SLE-22918).
- bpf: properly enforce index mask to prevent out-of-bounds speculation (bsc#1098425).
- config: disable unprivileged BPF by default (jsc#SLE-22918)
- cpufreq: intel_pstate: Add Icelake servers support in no-HWP mode (bsc#1185758,bsc#1192400).
- ftrace: Fix scripts/recordmcount.pl due to new binutils (bsc#1192267).
- hv: mana: adjust mana_select_queue to old API (jsc#SLE-18779, bsc#1185727).
- hv: mana: declare vzalloc (jsc#SLE-18779, bsc#1185726).
- hv: mana: fake bitmap API (jsc#SLE-18779, bsc#1185726).
- hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185727).
- kABI: protect struct bpf_map (kabi).
- mm: replace open coded page to virt conversion with page_to_virt() (jsc#SLE-18779, bsc#1185727).
- net/mlx4_en: Avoid scheduling restart task if it is already running (bsc#1181854 bsc#1181855).
- net/mlx4_en: Handle TX error CQE (bsc#1181854 bsc#1181855).
- net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185727).
- net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185727).
- net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185727).
- net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185727).
- net: mana: Fix error handling in mana_create_rxq() (git-fixes, bsc#1191801).
- net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185727).
- net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185727).
- net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185727).
- net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185727).
- net: sched: sch_teql: fix null-pointer dereference (bsc#1190717).
- s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant (bsc#1190601).
- s390/bpf: Fix branch shortening during codegen pass (bsc#1190601).
- s390/bpf: Fix optimizing out zero-extensions (bsc#1190601).
- s390/bpf: Wrap JIT macro parameter usages in parentheses (bsc#1190601).
- s390: bpf: implement jitting of BPF_ALU | BPF_ARSH | BPF_* (bsc#1190601).
- scsi: sg: add sg_remove_request in sg_write (bsc#1171420 CVE2020-12770).
- sctp: check asoc peer.asconf_capable before processing asconf (bsc#1190351).
- sctp: fully initialize v4 addr in some functions (bsc#1188563).
- sctp: simplify addr copy (bsc#1188563).
- x86/CPU: Add more Icelake model numbers (bsc#1185758,bsc#1192400).
- x86/tlb: Flush global mappings when KAISER is disabled (bsc#1190194).
ImportantSUSE bug 1073928SUSE bug 1098425SUSE bug 1100416SUSE bug 1119934SUSE bug 1129735SUSE bug 1171217SUSE bug 1171420SUSE bug 1173346SUSE bug 1176724SUSE bug 1177666SUSE bug 1181158SUSE bug 1181854SUSE bug 1181855SUSE bug 1183089SUSE bug 1184673SUSE bug 1185726SUSE bug 1185727SUSE bug 1185758SUSE bug 1185973SUSE bug 1186109SUSE bug 1186390SUSE bug 1188172SUSE bug 1188563SUSE bug 1188601SUSE bug 1188838SUSE bug 1188876SUSE bug 1188983SUSE bug 1188985SUSE bug 1189057SUSE bug 1189262SUSE bug 1189278SUSE bug 1189291SUSE bug 1189399SUSE bug 1189420SUSE bug 1189706SUSE bug 1190022SUSE bug 1190023SUSE bug 1190025SUSE bug 1190067SUSE bug 1190117SUSE bug 1190159SUSE bug 1190194SUSE bug 1190349SUSE bug 1190351SUSE bug 1190601SUSE bug 1190717SUSE bug 1191193SUSE bug 1191315SUSE bug 1191790SUSE bug 1191801SUSE bug 1191958SUSE bug 1191961SUSE bug 1192267SUSE bug 1192400SUSE bug 1192775SUSE bug 1192781CVE-2017-17862 at SUSECVE-2017-17862 at NVDCVE-2017-17864 at SUSECVE-2017-17864 at NVDCVE-2018-13405 at SUSECVE-2018-13405 at NVDCVE-2018-16882 at SUSECVE-2018-16882 at NVDCVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2020-12655 at SUSECVE-2020-12655 at NVDCVE-2020-14305 at SUSECVE-2020-14305 at NVDCVE-2020-3702 at SUSECVE-2020-3702 at NVDCVE-2020-4788 at SUSECVE-2020-4788 at NVDCVE-2021-20265 at SUSECVE-2021-20265 at NVDCVE-2021-20322 at SUSECVE-2021-20322 at NVDCVE-2021-31916 at SUSECVE-2021-31916 at NVDCVE-2021-33033 at SUSECVE-2021-33033 at NVDCVE-2021-34556 at SUSECVE-2021-34556 at NVDCVE-2021-34981 at SUSECVE-2021-34981 at NVDCVE-2021-3542 at SUSECVE-2021-3542 at NVDCVE-2021-35477 at SUSECVE-2021-35477 at NVDCVE-2021-3640 at SUSECVE-2021-3640 at NVDCVE-2021-3653 at SUSECVE-2021-3653 at NVDCVE-2021-3655 at SUSECVE-2021-3655 at NVDCVE-2021-3659 at SUSECVE-2021-3659 at NVDCVE-2021-3679 at SUSECVE-2021-3679 at NVDCVE-2021-3715 at SUSECVE-2021-3715 at NVDCVE-2021-37159 at SUSECVE-2021-37159 at NVDCVE-2021-3732 at SUSECVE-2021-3732 at NVDCVE-2021-3752 at SUSECVE-2021-3752 at NVDCVE-2021-3753 at SUSECVE-2021-3753 at NVDCVE-2021-37576 at SUSECVE-2021-37576 at NVDCVE-2021-3760 at SUSECVE-2021-3760 at NVDCVE-2021-3772 at SUSECVE-2021-3772 at NVDCVE-2021-38160 at SUSECVE-2021-38160 at NVDCVE-2021-38198 at SUSECVE-2021-38198 at NVDCVE-2021-38204 at SUSECVE-2021-38204 at NVDCVE-2021-3896 at SUSECVE-2021-3896 at NVDCVE-2021-40490 at SUSECVE-2021-40490 at NVDCVE-2021-42008 at SUSECVE-2021-42008 at NVDCVE-2021-42739 at SUSECVE-2021-42739 at NVDCVE-2021-43389 at SUSECVE-2021-43389 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for mozilla-nss (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for mozilla-nss fixes the following issues:
Update to version 3.68.1:
- CVE-2021-43527: Fixed a Heap overflow in NSS when verifying DER-encoded DSA or RSA-PSS signatures (bsc#1193170).
ImportantSUSE bug 1193170CVE-2021-43527 at SUSECVE-2021-43527 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for openssh (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for openssh fixes the following issues:
- CVE-2021-41617: Fixed privilege escalation when AuthorizedKeysCommand/AuthorizedPrincipalsCommand are configured (bsc#1190975).
ImportantSUSE bug 1190975CVE-2021-41617 at SUSECVE-2021-41617 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
Update to Extended Support Release 91.4.0 (bsc#1193485):
- CVE-2021-43536: URL leakage when navigating while executing asynchronous function
- CVE-2021-43537: Heap buffer overflow when using structured clone
- CVE-2021-43538: Missing fullscreen and pointer lock notification when requesting both
- CVE-2021-43539: GC rooting failure when calling wasm instance methods
- CVE-2021-43541: External protocol handler parameters were unescaped
- CVE-2021-43542: XMLHttpRequest error codes could have leaked the existence of an external protocol handler
- CVE-2021-43543: Bypass of CSP sandbox directive when embedding
- CVE-2021-43545: Denial of Service when using the Location API in a loop
- CVE-2021-43546: Cursor spoofing could overlay user interface when native cursor is zoomed
- Memory safety bugs fixed in Firefox 95 and Firefox ESR 91.4
- Removed x-scheme-handler/ftp from MozillaFirefox.desktop (bsc#1193321)
ImportantSUSE bug 1193321SUSE bug 1193485CVE-2021-43536 at SUSECVE-2021-43536 at NVDCVE-2021-43537 at SUSECVE-2021-43537 at NVDCVE-2021-43538 at SUSECVE-2021-43538 at NVDCVE-2021-43539 at SUSECVE-2021-43539 at NVDCVE-2021-43541 at SUSECVE-2021-43541 at NVDCVE-2021-43542 at SUSECVE-2021-43542 at NVDCVE-2021-43543 at SUSECVE-2021-43543 at NVDCVE-2021-43545 at SUSECVE-2021-43545 at NVDCVE-2021-43546 at SUSECVE-2021-43546 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for glib-networking (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for glib-networking fixes the following issues:
- CVE-2020-13645: Fixed a connection failure when the server identity is unset (bsc#1172460).
ImportantSUSE bug 1172460CVE-2020-13645 at SUSECVE-2020-13645 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_135 fixes several issues.
The following security issues were fixed:
- CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180562).
- CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180030).
- CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180032.
- CVE-2020-29569: Fixed a use after free due to a logic error (bsc#1180008).
- CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bsc#1179877).
- CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179877).
ImportantSUSE bug 1179877SUSE bug 1180008SUSE bug 1180030SUSE bug 1180032SUSE bug 1180562CVE-2020-0465 at SUSECVE-2020-0465 at NVDCVE-2020-0466 at SUSECVE-2020-0466 at NVDCVE-2020-29569 at SUSECVE-2020-29569 at NVDCVE-2020-29660 at SUSECVE-2020-29660 at NVDCVE-2020-29661 at SUSECVE-2020-29661 at NVDCVE-2020-36158 at SUSECVE-2020-36158 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_130 fixes several issues.
The following security issues were fixed:
- CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180562).
- CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180030).
- CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180032.
- CVE-2020-29569: Fixed a use after free due to a logic error (bsc#1180008).
- CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bsc#1179877).
- CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179877).
ImportantSUSE bug 1179877SUSE bug 1180008SUSE bug 1180030SUSE bug 1180032SUSE bug 1180562CVE-2020-0465 at SUSECVE-2020-0465 at NVDCVE-2020-0466 at SUSECVE-2020-0466 at NVDCVE-2020-29569 at SUSECVE-2020-29569 at NVDCVE-2020-29660 at SUSECVE-2020-29660 at NVDCVE-2020-29661 at SUSECVE-2020-29661 at NVDCVE-2020-36158 at SUSECVE-2020-36158 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 41 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_150 fixes several issues.
The following security issues were fixed:
- CVE-2021-0935: In ip6_xmit of ip6_output.c, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. (bsc#1192032)
- CVE-2021-28688: The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains. (bsc#1183646)
ImportantSUSE bug 1182294SUSE bug 1192042CVE-2021-0935 at SUSECVE-2021-0935 at NVDCVE-2021-28688 at SUSECVE-2021-28688 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_147 fixes one issue.
The following security issue was fixed:
- CVE-2021-20322: Make the ipv4 and ipv6 ICMP exception caches less predictive to avoid information leaks about UDP ports in use. (bsc#1191790)
ImportantSUSE bug 1191813CVE-2021-20322 at SUSECVE-2021-20322 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_144 fixes one issue.
The following security issue was fixed:
- CVE-2021-20322: Make the ipv4 and ipv6 ICMP exception caches less predictive to avoid information leaks about UDP ports in use. (bsc#1191790)
ImportantSUSE bug 1191813CVE-2021-20322 at SUSECVE-2021-20322 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_141 fixes one issue.
The following security issue was fixed:
- CVE-2021-20322: Make the ipv4 and ipv6 ICMP exception caches less predictive to avoid information leaks about UDP ports in use. (bsc#1191790)
ImportantSUSE bug 1191813CVE-2021-20322 at SUSECVE-2021-20322 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_138 fixes one issue.
The following security issue was fixed:
- CVE-2021-20322: Make the ipv4 and ipv6 ICMP exception caches less predictive to avoid information leaks about UDP ports in use. (bsc#1191790)
ImportantSUSE bug 1191813CVE-2021-20322 at SUSECVE-2021-20322 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_127 fixes several issues.
The following security issues were fixed:
- CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180562).
- CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180030).
- CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180032.
- CVE-2020-29569: Fixed a use after free due to a logic error (bsc#1180008).
- CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bsc#1179877).
- CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179877).
ImportantSUSE bug 1179877SUSE bug 1180008SUSE bug 1180030SUSE bug 1180032SUSE bug 1180562CVE-2020-0465 at SUSECVE-2020-0465 at NVDCVE-2020-0466 at SUSECVE-2020-0466 at NVDCVE-2020-29569 at SUSECVE-2020-29569 at NVDCVE-2020-29660 at SUSECVE-2020-29660 at NVDCVE-2020-29661 at SUSECVE-2020-29661 at NVDCVE-2020-36158 at SUSECVE-2020-36158 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for xorg-x11-server fixes the following issues:
- CVE-2021-4008: Fixed Privilege Escalation Vulnerability via Out-Of-Bounds Access in SProcRenderCompositeGlyphs (bsc#1193030).
ImportantSUSE bug 1193030CVE-2021-4008 at SUSECVE-2021-4008 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_124 fixes several issues.
The following security issues were fixed:
- CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180562).
- CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180030).
- CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180032.
- CVE-2020-29569: Fixed a use after free due to a logic error (bsc#1180008).
- CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bsc#1179877).
- CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179877).
ImportantSUSE bug 1179877SUSE bug 1180008SUSE bug 1180030SUSE bug 1180032SUSE bug 1180562CVE-2020-0465 at SUSECVE-2020-0465 at NVDCVE-2020-0466 at SUSECVE-2020-0466 at NVDCVE-2020-29569 at SUSECVE-2020-29569 at NVDCVE-2020-29660 at SUSECVE-2020-29660 at NVDCVE-2020-29661 at SUSECVE-2020-29661 at NVDCVE-2020-36158 at SUSECVE-2020-36158 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_121 fixes several issues.
The following security issues were fixed:
- CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180562).
- CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180030).
- CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180032.
- CVE-2020-29569: Fixed a use after free due to a logic error (bsc#1180008).
- CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bsc#1179877).
- CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179877).
ImportantSUSE bug 1179877SUSE bug 1180008SUSE bug 1180030SUSE bug 1180032SUSE bug 1180562CVE-2020-0465 at SUSECVE-2020-0465 at NVDCVE-2020-0466 at SUSECVE-2020-0466 at NVDCVE-2020-29569 at SUSECVE-2020-29569 at NVDCVE-2020-29660 at SUSECVE-2020-29660 at NVDCVE-2020-29661 at SUSECVE-2020-29661 at NVDCVE-2020-36158 at SUSECVE-2020-36158 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_116 fixes several issues.
The following security issues were fixed:
- CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180562).
- CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180030).
- CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180032.
- CVE-2020-29569: Fixed a use after free due to a logic error (bsc#1180008).
- CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bsc#1179877).
- CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179877).
ImportantSUSE bug 1179877SUSE bug 1180008SUSE bug 1180030SUSE bug 1180032SUSE bug 1180562CVE-2020-0465 at SUSECVE-2020-0465 at NVDCVE-2020-0466 at SUSECVE-2020-0466 at NVDCVE-2020-29569 at SUSECVE-2020-29569 at NVDCVE-2020-29660 at SUSECVE-2020-29660 at NVDCVE-2020-29661 at SUSECVE-2020-29661 at NVDCVE-2020-36158 at SUSECVE-2020-36158 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for log4j (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for log4j fixes the following issue:
- CVE-2021-4104: Disable the JMSAppender class from log4j to protect against
the log4jshell vulnerability. [bsc#1193662]
ImportantSUSE bug 1193662CVE-2021-4104 at SUSECVE-2021-4104 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for xorg-x11-server fixes the following issues:
- CVE-2021-4009: The handler for the CreatePointerBarrier request of the XFixes
extension does not properly validate the request length leading to out of
bounds memory write. (bsc#1190487)
- CVE-2021-4011: The handlers for the RecordCreateContext and RecordRegisterClients
requests of the Record extension do not properly validate the request
length leading to out of bounds memory write. (bsc#1190489)
ImportantSUSE bug 1190487SUSE bug 1190489CVE-2021-4009 at SUSECVE-2021-4009 at NVDCVE-2021-4011 at SUSECVE-2021-4011 at NVDcpe:/o:suse:sles-ltss:12:sp3Recommended update for samba (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for samba fixes the following issues:
The username map advice from the CVE-2020-25717 advisory
note has undesired side effects for the local nt token. Fallback
to a SID/UID based mapping if the name based lookup fails (bsc#1192849).
ImportantSUSE bug 1192849CVE-2020-25717 at SUSECVE-2020-25717 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for chrony (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for chrony fixes the following issues:
Chrony was updated to 4.1:
* Add support for NTS servers specified by IP address (matching
Subject Alternative Name in server certificate)
* Add source-specific configuration of trusted certificates
* Allow multiple files and directories with trusted certificates
* Allow multiple pairs of server keys and certificates
* Add copy option to server/pool directive
* Increase PPS lock limit to 40% of pulse interval
* Perform source selection immediately after loading dump files
* Reload dump files for addresses negotiated by NTS-KE server
* Update seccomp filter and add less restrictive level
* Restart ongoing name resolution on online command
* Fix dump files to not include uncorrected offset
* Fix initstepslew to accept time from own NTP clients
* Reset NTP address and port when no longer negotiated by NTS-KE
server
- Update clknetsim to snapshot f89702d.
- Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689).
- Enable syscallfilter unconditionally (bsc#1181826).
Chrony was updated to 4.0:
Enhancements
- Add support for Network Time Security (NTS) authentication
- Add support for AES-CMAC keys (AES128, AES256) with Nettle
- Add authselectmode directive to control selection of
unauthenticated sources
- Add binddevice, bindacqdevice, bindcmddevice directives
- Add confdir directive to better support fragmented
configuration
- Add sourcedir directive and 'reload sources' command to
support dynamic NTP sources specified in files
- Add clockprecision directive
- Add dscp directive to set Differentiated Services Code Point
(DSCP)
- Add -L option to limit log messages by severity
- Add -p option to print whole configuration with included
files
- Add -U option to allow start under non-root user
- Allow maxsamples to be set to 1 for faster update with -q/-Q
option
- Avoid replacing NTP sources with sources that have
unreachable address
- Improve pools to repeat name resolution to get 'maxsources'
sources
- Improve source selection with trusted sources
- Improve NTP loop test to prevent synchronisation to itself
- Repeat iburst when NTP source is switched from offline state
to online
- Update clock synchronisation status and leap status more
frequently
- Update seccomp filter
- Add 'add pool' command
- Add 'reset sources' command to drop all measurements
- Add authdata command to print details about NTP
authentication
- Add selectdata command to print details about source
selection
- Add -N option and sourcename command to print original names
of sources
- Add -a option to some commands to print also unresolved
sources
- Add -k, -p, -r options to clients command to select, limit,
reset data
- Bug fixes
- Don’t set interface for NTP responses to allow asymmetric
routing
- Handle RTCs that don’t support interrupts
- Respond to command requests with correct address on
multihomed hosts
- Removed features
- Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
- Drop support for long (non-standard) MACs in NTPv4 packets
(chrony 2.x clients using non-MD5/SHA1 keys need to use
option 'version 3')
- By default we don't write log files but log to journald, so
only recommend logrotate.
- Adjust and rename the sysconfig file, so that it matches the
expectations of chronyd.service (bsc#1173277).
Chrony was updated to 3.5.1:
* Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)
- Add chrony-pool-suse and chrony-pool-openSUSE subpackages that
preconfigure chrony to use NTP servers from the respective
pools for SUSE and openSUSE (bsc#1156884, SLE-11424).
- Add chrony-pool-empty to still allow installing chrony without
preconfigured servers.
- Use iburst in the default pool statements to speed up initial
synchronisation (bsc#1172113).
- Update clknetsim to version 79ffe44 (fixes bsc#1162964).
Update to 3.5:
+ Add support for more accurate reading of PHC on Linux 5.0
+ Add support for hardware timestamping on interfaces with read-only timestamping configuration
+ Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
+ Update seccomp filter to work on more architectures
+ Validate refclock driver options
+ Fix bindaddress directive on FreeBSD
+ Fix transposition of hardware RX timestamp on Linux 4.13 and later
+ Fix building on non-glibc systems
- Fix location of helper script in chrony-dnssrv@.service (bsc#1128846).
- Read runtime servers from /var/run/netconfig/chrony.servers (bsc#1099272)
- Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share.
- Remove discrepancies between spec file and chrony-tmpfiles (bsc#1115529)
Update to version 3.4
* Enhancements
+ Add filter option to server/pool/peer directive
+ Add minsamples and maxsamples options to hwtimestamp directive
+ Add support for faster frequency adjustments in Linux 4.19
+ Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd
without root privileges to remove it on exit
+ Disable sub-second polling intervals for distant NTP sources
+ Extend range of supported sub-second polling intervals
+ Get/set IPv4 destination/source address of NTP packets on FreeBSD
+ Make burst options and command useful with short polling intervals
+ Modify auto_offline option to activate when sending request failed
+ Respond from interface that received NTP request if possible
+ Add onoffline command to switch between online and offline state
according to current system network configuration
+ Improve example NetworkManager dispatcher script
* Bug fixes
+ Avoid waiting in Linux getrandom system call
+ Fix PPS support on FreeBSD and NetBSD
Update to version 3.3
* Enhancements:
+ Add burst option to server/pool directive
+ Add stratum and tai options to refclock directive
+ Add support for Nettle crypto library
+ Add workaround for missing kernel receive timestamps on Linux
+ Wait for late hardware transmit timestamps
+ Improve source selection with unreachable sources
+ Improve protection against replay attacks on symmetric mode
+ Allow PHC refclock to use socket in /var/run/chrony
+ Add shutdown command to stop chronyd
+ Simplify format of response to manual list command
+ Improve handling of unknown responses in chronyc
* Bug fixes:
+ Respond to NTPv1 client requests with zero mode
+ Fix -x option to not require CAP_SYS_TIME under non-root user
+ Fix acquisitionport directive to work with privilege separation
+ Fix handling of socket errors on Linux to avoid high CPU usage
+ Fix chronyc to not get stuck in infinite loop after clock step
- Added /etc/chrony.d/ directory to the package (bsc#1083597) Modifed default chrony.conf to add 'include /etc/chrony.d/*'
- Enable pps support
Upgraded to version 3.2:
Enhancements
* Improve stability with NTP sources and reference clocks
* Improve stability with hardware timestamping
* Improve support for NTP interleaved modes
* Control frequency of system clock on macOS 10.13 and later
* Set TAI-UTC offset of system clock with leapsectz directive
* Minimise data in client requests to improve privacy
* Allow transmit-only hardware timestamping
* Add support for new timestamping options introduced in Linux 4.13
* Add root delay, root dispersion and maximum error to tracking log
* Add mindelay and asymmetry options to server/peer/pool directive
* Add extpps option to PHC refclock to timestamp external PPS signal
* Add pps option to refclock directive to treat any refclock as PPS
* Add width option to refclock directive to filter wrong pulse edges
* Add rxfilter option to hwtimestamp directive
* Add -x option to disable control of system clock
* Add -l option to log to specified file instead of syslog
* Allow multiple command-line options to be specified together
* Allow starting without root privileges with -Q option
* Update seccomp filter for new glibc versions
* Dump history on exit by default with dumpdir directive
* Use hardening compiler options by default
Bug fixes
* Don't drop PHC samples with low-resolution system clock
* Ignore outliers in PHC tracking, RTC tracking, manual input
* Increase polling interval when peer is not responding
* Exit with error message when include directive fails
* Don't allow slash after hostname in allow/deny directive/command
* Try to connect to all addresses in chronyc before giving up
Upgraded to version 3.1:
- Enhancements
- Add support for precise cross timestamping of PHC on Linux
- Add minpoll, precision, nocrossts options to hwtimestamp directive
- Add rawmeasurements option to log directive and modify measurements
option to log only valid measurements from synchronised sources
- Allow sub-second polling interval with NTP sources
- Bug fixes
- Fix time smoothing in interleaved mode
Upgraded to version 3.0:
- Enhancements
- Add support for software and hardware timestamping on Linux
- Add support for client/server and symmetric interleaved modes
- Add support for MS-SNTP authentication in Samba
- Add support for truncated MACs in NTPv4 packets
- Estimate and correct for asymmetric network jitter
- Increase default minsamples and polltarget to improve stability with very low jitter
- Add maxjitter directive to limit source selection by jitter
- Add offset option to server/pool/peer directive
- Add maxlockage option to refclock directive
- Add -t option to chronyd to exit after specified time
- Add partial protection against replay attacks on symmetric mode
- Don't reset polling interval when switching sources to online state
- Allow rate limiting with very short intervals
- Improve maximum server throughput on Linux and NetBSD
- Remove dump files after start
- Add tab-completion to chronyc with libedit/readline
- Add ntpdata command to print details about NTP measurements
- Allow all source options to be set in add server/peer command
- Indicate truncated addresses/hostnames in chronyc output
- Print reference IDs as hexadecimal numbers to avoid confusion with IPv4 addresses
- Bug fixes
- Fix crash with disabled asynchronous name resolving
Upgraded to version 2.4.1:
- Bug fixes
- Fix processing of kernel timestamps on non-Linux systems
- Fix crash with smoothtime directive
- Fix validation of refclock sample times
- Fix parsing of refclock directive
update to 2.4:
- Enhancements
- Add orphan option to local directive for orphan mode
compatible with ntpd
- Add distance option to local directive to set activation
threshold (1 second by default)
- Add maxdrift directive to set maximum allowed drift of system
clock
- Try to replace NTP sources exceeding maximum distance
- Randomise source replacement to avoid getting stuck with bad
sources
- Randomise selection of sources from pools on start
- Ignore reference timestamp as ntpd doesn't always set it
correctly
- Modify tracking report to use same values as seen by NTP
clients
- Add -c option to chronyc to write reports in CSV format
- Provide detailed manual pages
- Bug fixes
- Fix SOCK refclock to work correctly when not specified as
last refclock
- Fix initstepslew and -q/-Q options to accept time from own
NTP clients
- Fix authentication with keys using 512-bit hash functions
- Fix crash on exit when multiple signals are received
- Fix conversion of very small floating-point numbers in
command packets
ModerateSUSE bug 1063704SUSE bug 1069468SUSE bug 1082318SUSE bug 1083597SUSE bug 1099272SUSE bug 1115529SUSE bug 1128846SUSE bug 1156884SUSE bug 1159840SUSE bug 1161119SUSE bug 1162964SUSE bug 1171806SUSE bug 1172113SUSE bug 1173277SUSE bug 1173760SUSE bug 1174075SUSE bug 1174911SUSE bug 1180689SUSE bug 1181826SUSE bug 1183783SUSE bug 1184400SUSE bug 1187906SUSE bug 1190926CVE-2020-14367 at SUSECVE-2020-14367 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for python (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for python fixes the following issues:
- buffer overflow in PyCArg_repr in _ctypes/callproc.c,
which may lead to remote code execution (bsc#1181126, CVE-2021-3177).
- Provide the newest setuptools wheel (bsc#1176262,
CVE-2019-20916) in their correct form (bsc#1180686).
ImportantSUSE bug 1176262SUSE bug 1180686SUSE bug 1181126CVE-2019-20916 at SUSECVE-2019-20916 at NVDCVE-2021-3177 at SUSECVE-2021-3177 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for openvswitch (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for openvswitch fixes the following issues:
- CVE-2020-35498: Fixed a denial of service related to the handling of Ethernet padding (bsc#1181742).
ImportantSUSE bug 1181742CVE-2020-35498 at SUSECVE-2020-35498 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).
- CVE-2020-25211: Fixed a buffer overflow in ctnetlink_parse_tuple_filter() which could be triggered by a local attackers by injecting conntrack netlink configuration (bnc#1176395).
- CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).
- CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).
- CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).
- CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).
- CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).
- CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).
- CVE-2020-4788: Fixed an issue with IBM Power9 processors could have allowed a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances (bsc#1177666).
- CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c which could have allowed local users to gain privileges or cause a denial of service (bsc#1179141).
- CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).
- CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).
- CVE-2020-27786: Fixed an out-of-bounds write in the MIDI implementation (bnc#1179601).
- CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).
- CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).
- CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).
- CVE-2020-28974: Fixed a slab-out-of-bounds read in fbcon which could have been used by local attackers to read privileged information or potentially crash the kernel (bsc#1178589).
- CVE-2020-28915: Fixed a buffer over-read in the fbcon code which could have been used by local attackers to read kernel memory (bsc#1178886).
- CVE-2020-25669: Fixed a use-after-free read in sunkbd_reinit() (bsc#1178182).
- CVE-2020-15437: Fixed a null pointer dereference which could have allowed local users to cause a denial of service(bsc#1179140).
- CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).
- CVE-2020-11668: Fixed the mishandling of invalid descriptors in the Xirlink camera USB driver (bnc#1168952).
- CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485).
- CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed (bsc#1179663).
- CVE-2018-10902: It was found that the raw midi kernel driver did not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation (bnc#1105322).
The following non-security bugs were fixed:
- cifs: do not revalidate mountpoint dentries (bsc#1177440).
- cifs: fix potential use-after-free in cifs_echo_request() (bsc#1139944).
- cifs: ignore revalidate failures in case of process gets signaled (bsc#1177440).
- epoll: Keep a reference on files added to the check list (bsc#1180031).
- fix regression in 'epoll: Keep a reference on files added to the check list' (bsc#1180031, git-fixes).
- futex: Avoid freeing an active timer (bsc#969755).
- futex: Avoid violating the 10th rule of futex (bsc#969755).
- futex: Change locking rules (bsc#969755).
- futex: Do not enable IRQs unconditionally in put_pi_state() (bsc#969755).
- futex: Drop hb->lock before enqueueing on the rtmutex (bsc#969755).
- futex: Fix incorrect should_fail_futex() handling (bsc#969755).
- futex: Fix more put_pi_state() vs. exit_pi_state_list() races (bsc#969755).
- futex: Fix OWNER_DEAD fixup (bsc#969755).
- futex: Fix pi_state->owner serialization (bsc#969755).
- futex: Fix small (and harmless looking) inconsistencies (bsc#969755).
- futex: Futex_unlock_pi() determinism (bsc#969755).
- futex: Handle early deadlock return correctly (bsc#969755).
- futex: Handle transient 'ownerless' rtmutex state correctly (bsc#969755).
- futex: Pull rt_mutex_futex_unlock() out from under hb->lock (bsc#969755).
- futex: Rework futex_lock_pi() to use rt_mutex_*_proxy_lock() (bsc#969755).
- futex: Rework inconsistent rt_mutex/futex_q state (bsc#969755).
- futex,rt_mutex: Fix rt_mutex_cleanup_proxy_lock() (bsc#969755).
- futex,rt_mutex: Introduce rt_mutex_init_waiter() (bsc#969755).
- futex,rt_mutex: Provide futex specific rt_mutex API (bsc#969755).
- futex,rt_mutex: Restructure rt_mutex_finish_proxy_lock() (bsc#969755).
- HID: Fix slab-out-of-bounds read in hid_field_extract (bsc#1180052).
- IB/hfi1: Clean up hfi1_user_exp_rcv_setup function (bsc#1179878).
- IB/hfi1: Clean up pin_vector_pages() function (bsc#1179878).
- IB/hfi1: Fix the bail out code in pin_vector_pages() function (bsc#1179878).
- IB/hfi1: Move structure definitions from user_exp_rcv.c to user_exp_rcv.h (bsc#1179878).
- IB/hfi1: Name function prototype parameters (bsc#1179878).
- IB/hfi1: Use filedata rather than filepointer (bsc#1179878).
- locking/futex: Allow low-level atomic operations to return -EAGAIN (bsc#969755).
- mm/userfaultfd: do not access vma->vm_mm after calling handle_userfault() (bsc#1179204).
- scsi: iscsi: Fix a potential deadlock in the timeout handler (bsc#1178272).
- Use r3 instead of r13 for l1d fallback flush in do_uaccess_fush (bsc#1181096 ltc#190883).
- video: hyperv_fb: include vmalloc.h (bsc#1175306).
ImportantSUSE bug 1105322SUSE bug 1105323SUSE bug 1139944SUSE bug 1168952SUSE bug 1173942SUSE bug 1175306SUSE bug 1176395SUSE bug 1176485SUSE bug 1177440SUSE bug 1177666SUSE bug 1178182SUSE bug 1178272SUSE bug 1178589SUSE bug 1178886SUSE bug 1179107SUSE bug 1179140SUSE bug 1179141SUSE bug 1179204SUSE bug 1179419SUSE bug 1179508SUSE bug 1179509SUSE bug 1179601SUSE bug 1179616SUSE bug 1179663SUSE bug 1179666SUSE bug 1179745SUSE bug 1179877SUSE bug 1179878SUSE bug 1179960SUSE bug 1179961SUSE bug 1180008SUSE bug 1180027SUSE bug 1180028SUSE bug 1180029SUSE bug 1180030SUSE bug 1180031SUSE bug 1180032SUSE bug 1180052SUSE bug 1180086SUSE bug 1180559SUSE bug 1180562SUSE bug 1180815SUSE bug 1181096SUSE bug 1181158SUSE bug 1181349SUSE bug 1181553SUSE bug 969755CVE-2018-10902 at SUSECVE-2018-10902 at NVDCVE-2019-20934 at SUSECVE-2019-20934 at NVDCVE-2020-0444 at SUSECVE-2020-0444 at NVDCVE-2020-0465 at SUSECVE-2020-0465 at NVDCVE-2020-0466 at SUSECVE-2020-0466 at NVDCVE-2020-11668 at SUSECVE-2020-11668 at NVDCVE-2020-15436 at SUSECVE-2020-15436 at NVDCVE-2020-15437 at SUSECVE-2020-15437 at NVDCVE-2020-25211 at SUSECVE-2020-25211 at NVDCVE-2020-25285 at SUSECVE-2020-25285 at NVDCVE-2020-25669 at SUSECVE-2020-25669 at NVDCVE-2020-27068 at SUSECVE-2020-27068 at NVDCVE-2020-27777 at SUSECVE-2020-27777 at NVDCVE-2020-27786 at SUSECVE-2020-27786 at NVDCVE-2020-27825 at SUSECVE-2020-27825 at NVDCVE-2020-27835 at SUSECVE-2020-27835 at NVDCVE-2020-28915 at SUSECVE-2020-28915 at NVDCVE-2020-28974 at SUSECVE-2020-28974 at NVDCVE-2020-29568 at SUSECVE-2020-29568 at NVDCVE-2020-29569 at SUSECVE-2020-29569 at NVDCVE-2020-29660 at SUSECVE-2020-29660 at NVDCVE-2020-29661 at SUSECVE-2020-29661 at NVDCVE-2020-36158 at SUSECVE-2020-36158 at NVDCVE-2020-4788 at SUSECVE-2020-4788 at NVDCVE-2021-3347 at SUSECVE-2021-3347 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for wpa_supplicant (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for wpa_supplicant fixes the following issues:
- CVE-2021-0326: P2P group information processing vulnerability (bsc#1181777).
- CVE-2019-16275: AP mode PMF disconnection protection bypass (bsc#1150934)
ImportantSUSE bug 1150934SUSE bug 1181777CVE-2019-16275 at SUSECVE-2019-16275 at NVDCVE-2021-0326 at SUSECVE-2021-0326 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for jasper (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for jasper fixes the following issues:
- bsc#1179748 CVE-2020-27828: Fix heap overflow by checking maxrlvls
- bsc#1181483 CVE-2021-3272: Fix buffer over-read in jp2_decode
ImportantSUSE bug 1179748SUSE bug 1181483CVE-2020-27828 at SUSECVE-2020-27828 at NVDCVE-2021-3272 at SUSECVE-2021-3272 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for screen (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for screen fixes the following issues:
- CVE-2021-26937: Fixed double width combining char handling that could lead to a denial of service or code execution (bsc#1182092).
ImportantSUSE bug 1182092CVE-2021-26937 at SUSECVE-2021-26937 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for bind (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for bind fixes the following issues:
- CVE-2020-8625: A vulnerability in BIND's GSSAPI security policy
negotiation can be targeted by a buffer overflow attack [bsc#1182246, CVE-2020-8625]
ImportantSUSE bug 1182246CVE-2020-8625 at SUSECVE-2020-8625 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_7_1-ibm fixes the following issues:
- Update to Java 7.1 Service Refresh 4 Fix Pack 80
[bsc#1182186, bsc#1181239, CVE-2020-27221, CVE-2020-14803]
* CVE-2020-27221: Potential for a stack-based buffer overflow
when the virtual machine or JNI natives are converting from
UTF-8 characters to platform encoding.
* CVE-2020-14803: Unauthenticated attacker with network access
via multiple protocols allows to compromise Java SE.
ImportantSUSE bug 1181239SUSE bug 1182186CVE-2020-14803 at SUSECVE-2020-14803 at NVDCVE-2020-27221 at SUSECVE-2020-27221 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for krb5-appl (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for krb5-appl fixes the following issues:
- CVE-2019-25017: Check the filenames sent by the server match those requested by the client (bsc#1131109).
- CVE-2019-25018: Disallow empty incoming filename or ones that refer to the current directory (bsc#1131109).
ImportantSUSE bug 1131109CVE-2019-25017 at SUSECVE-2019-25017 at NVDCVE-2019-25018 at SUSECVE-2019-25018 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_8_0-openjdk (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_8_0-openjdk fixes the following issues:
- Update to version jdk8u282 (icedtea 3.18.0)
* January 2021 CPU (bsc#1181239)
* Security fixes
+ JDK-8247619: Improve Direct Buffering of Characters (CVE-2020-14803)
* Import of OpenJDK 8 u282 build 01
+ JDK-6962725: Regtest javax/swing/JFileChooser/6738668/
/bug6738668.java fails under Linux
+ JDK-8025936: Windows .pdb and .map files does not have proper
dependencies setup
+ JDK-8030350: Enable additional compiler warnings for GCC
+ JDK-8031423: Test java/awt/dnd/DisposeFrameOnDragCrash/
/DisposeFrameOnDragTest.java fails by Timeout on Windows
+ JDK-8036122: Fix warning 'format not a string literal'
+ JDK-8051853: new
URI('x/').resolve('..').getSchemeSpecificPart() returns null!
+ JDK-8132664: closed/javax/swing/DataTransfer/DefaultNoDrop/
/DefaultNoDrop.java locks on Windows
+ JDK-8134632: Mark javax/sound/midi/Devices/
/InitializationHang.java as headful
+ JDK-8148854: Class names 'SomeClass' and 'LSomeClass;'
treated by JVM as an equivalent
+ JDK-8148916: Mark bug6400879.java as intermittently failing
+ JDK-8148983: Fix extra comma in changes for JDK-8148916
+ JDK-8160438: javax/swing/plaf/nimbus/8057791/bug8057791.java
fails
+ JDK-8165808: Add release barriers when allocating objects
with concurrent collection
+ JDK-8185003: JMX: Add a version of
ThreadMXBean.dumpAllThreads with a maxDepth argument
+ JDK-8202076: test/jdk/java/io/File/WinSpecialFiles.java on
windows with VS2017
+ JDK-8207766: [testbug] Adapt tests for Aix.
+ JDK-8212070: Introduce diagnostic flag to abort VM on failed
JIT compilation
+ JDK-8213448: [TESTBUG] enhance jfr/jvm/TestDumpOnCrash
+ JDK-8215727: Restore JFR thread sampler loop to old /
previous behavior
+ JDK-8220657: JFR.dump does not work when filename is set
+ JDK-8221342: [TESTBUG] Generate Dockerfile for docker testing
+ JDK-8224502: [TESTBUG] JDK docker test TestSystemMetrics.java
fails with access issues and OOM
+ JDK-8231209: [REDO] ThreadMXBean::getThreadAllocatedBytes()
can be quicker for self thread
+ JDK-8231968: getCurrentThreadAllocatedBytes default
implementation s/b getThreadAllocatedBytes
+ JDK-8232114: JVM crashed at imjpapi.dll in native code
+ JDK-8234270: [REDO] JDK-8204128 NMT might report incorrect
numbers for Compiler area
+ JDK-8234339: replace JLI_StrTok in java_md_solinux.c
+ JDK-8238448: RSASSA-PSS signature verification fail when
using certain odd key sizes
+ JDK-8242335: Additional Tests for RSASSA-PSS
+ JDK-8244225: stringop-overflow warning on strncpy call from
compile_the_world_in
+ JDK-8245400: Upgrade to LittleCMS 2.11
+ JDK-8248214: Add paddings for TaskQueueSuper to reduce
false-sharing cache contention
+ JDK-8249176: Update GlobalSignR6CA test certificates
+ JDK-8250665: Wrong translation for the month name of May in
ar_JO,LB,SY
+ JDK-8250928: JFR: Improve hash algorithm for stack traces
+ JDK-8251469: Better cleanup for
test/jdk/javax/imageio/SetOutput.java
+ JDK-8251840: Java_sun_awt_X11_XToolkit_getDefaultScreenData
should not be in make/mapfiles/libawt_xawt/mapfile-vers
+ JDK-8252384: [TESTBUG] Some tests refer to COMPAT provider
rather than JRE
+ JDK-8252395: [8u] --with-native-debug-symbols=external
doesn't include debuginfo files for binaries
+ JDK-8252497: Incorrect numeric currency code for ROL
+ JDK-8252754: Hash code calculation of JfrStackTrace is
inconsistent
+ JDK-8252904: VM crashes when JFR is used and JFR event class
is transformed
+ JDK-8252975: [8u] JDK-8252395 breaks the build for
--with-native-debug-symbols=internal
+ JDK-8253284: Zero OrderAccess barrier mappings are incorrect
+ JDK-8253550: [8u] JDK-8252395 breaks the build for make
STRIP_POLICY=no_strip
+ JDK-8253752: test/sun/management/jmxremote/bootstrap/
/RmiBootstrapTest.java fails randomly
+ JDK-8254081: java/security/cert/PolicyNode/
/GetPolicyQualifiers.java fails due to an expired certificate
+ JDK-8254144: Non-x86 Zero builds fail with return-type
warning in os_linux_zero.cpp
+ JDK-8254166: Zero: return-type warning in
zeroInterpreter_zero.cpp
+ JDK-8254683: [TEST_BUG] jdk/test/sun/tools/jconsole/
/WorkerDeadlockTest.java fails
+ JDK-8255003: Build failures on Solaris
ModerateSUSE bug 1181239CVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 6 Fix Pack 25
[bsc#1182186, bsc#1181239, CVE-2020-27221, CVE-2020-14803]
* CVE-2020-27221: Potential for a stack-based buffer overflow
when the virtual machine or JNI natives are converting from
UTF-8 characters to platform encoding.
* CVE-2020-14803: Unauthenticated attacker with network access
via multiple protocols allows to compromise Java SE.
ImportantSUSE bug 1181239SUSE bug 1182186CVE-2020-14803 at SUSECVE-2020-14803 at NVDCVE-2020-27221 at SUSECVE-2020-27221 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for perl-XML-Twig (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for perl-XML-Twig fixes the following issues:
- Security fix [bsc#1008644, CVE-2016-9180]
* Added: the no_xxe option to XML::Twig::new, which causes the
parse to fail if external entities are used (to prevent
malicious XML to access the filesystem).
* Setting expand_external_ents to 0 or -1 currently doesn't work
as expected; To completely turn off expanding external entities
use no_xxe.
* Update documentation for XML::Twig to mention problems with
expand_external_ents and add information about new no_xxe argument
ModerateSUSE bug 1008644CVE-2016-9180 at SUSECVE-2016-9180 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.8.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-08 (bsc#1182614)
* CVE-2021-23969: Content Security Policy violation report could have contained the destination of a redirect
* CVE-2021-23968: Content Security Policy violation report could have contained the destination of a redirect
* CVE-2021-23973: MediaError message property could have leaked information about cross-origin resources
* CVE-2021-23978: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8
ImportantSUSE bug 1182357SUSE bug 1182614CVE-2021-23968 at SUSECVE-2021-23968 at NVDCVE-2021-23969 at SUSECVE-2021-23969 at NVDCVE-2021-23973 at SUSECVE-2021-23973 at NVDCVE-2021-23978 at SUSECVE-2021-23978 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for python-cryptography (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for python-cryptography fixes the following issues:
- CVE-2020-36242: Using the Fernet class to symmetrically encrypt multi gigabyte
values could result in an integer overflow and buffer overflow (bsc#1182066).
ImportantSUSE bug 1182066CVE-2020-36242 at SUSECVE-2020-36242 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for grub2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for grub2 fixes the following issues:
grub2 now implements the new 'SBAT' method for SHIM based secure boot revocation. (bsc#1182057)
Following security issues are fixed that can violate secure boot constraints:
- CVE-2020-25632: Fixed a use-after-free in rmmod command (bsc#1176711)
- CVE-2020-25647: Fixed an out-of-bound write in grub_usb_device_initialize() (bsc#1177883)
- CVE-2020-27749: Fixed a stack buffer overflow in grub_parser_split_cmdline (bsc#1179264)
- CVE-2020-27779, CVE-2020-14372: Disallow cutmem and acpi commands in secure boot mode (bsc#1179265 bsc#1175970)
- CVE-2021-20225: Fixed a heap out-of-bounds write in short form option parser (bsc#1182262)
- CVE-2021-20233: Fixed a heap out-of-bound write due to mis-calculation of space required for quoting (bsc#1182263)
ImportantSUSE bug 1175970SUSE bug 1176711SUSE bug 1177883SUSE bug 1179264SUSE bug 1179265SUSE bug 1182057SUSE bug 1182262SUSE bug 1182263CVE-2020-14372 at SUSECVE-2020-14372 at NVDCVE-2020-25632 at SUSECVE-2020-25632 at NVDCVE-2020-25647 at SUSECVE-2020-25647 at NVDCVE-2020-27749 at SUSECVE-2020-27749 at NVDCVE-2020-27779 at SUSECVE-2020-27779 at NVDCVE-2021-20225 at SUSECVE-2021-20225 at NVDCVE-2021-20233 at SUSECVE-2021-20233 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for openldap2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for openldap2 fixes the following issues:
- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the
X.509 DN parsing in decode.c ber_next_element, resulting in denial
of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN
parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash
in the Certificate List Exact Assertion processing, resulting in
denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the
cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the
saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash
in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd
crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the
saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact
Assertion processing, resulting in denial of service (schema_init.c
serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter
control handling, resulting in denial of service (double free and
out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur
in the issuerAndThisUpdateCheck function via a crafted packet,
resulting in a denial of service (daemon exit) via a short timestamp.
This is related to schema_init.c and checkTime.
ImportantSUSE bug 1182279SUSE bug 1182408SUSE bug 1182411SUSE bug 1182412SUSE bug 1182413SUSE bug 1182415SUSE bug 1182416SUSE bug 1182417SUSE bug 1182418SUSE bug 1182419SUSE bug 1182420CVE-2020-36221 at SUSECVE-2020-36221 at NVDCVE-2020-36222 at SUSECVE-2020-36222 at NVDCVE-2020-36223 at SUSECVE-2020-36223 at NVDCVE-2020-36224 at SUSECVE-2020-36224 at NVDCVE-2020-36225 at SUSECVE-2020-36225 at NVDCVE-2020-36226 at SUSECVE-2020-36226 at NVDCVE-2020-36227 at SUSECVE-2020-36227 at NVDCVE-2020-36228 at SUSECVE-2020-36228 at NVDCVE-2020-36229 at SUSECVE-2020-36229 at NVDCVE-2020-36230 at SUSECVE-2020-36230 at NVDCVE-2021-27212 at SUSECVE-2021-27212 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1181843).
- CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753).
- CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747).
- CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI target code which could have been used
by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#178372).
The following non-security bugs were fixed:
- cifs: report error instead of invalid when revalidating a dentry fails (bsc#1177440).
- xen/netback: fix spurious event detection for common event case (bsc#1182175).
ImportantSUSE bug 1177440SUSE bug 1178372SUSE bug 1181747SUSE bug 1181753SUSE bug 1181843SUSE bug 1182175CVE-2020-28374 at SUSECVE-2020-28374 at NVDCVE-2021-26930 at SUSECVE-2021-26930 at NVDCVE-2021-26931 at SUSECVE-2021-26931 at NVDCVE-2021-26932 at SUSECVE-2021-26932 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for wpa_supplicant (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for wpa_supplicant fixes the following issues:
- CVE-2021-27803: P2P provision discovery processing vulnerability (bsc#1182805)
ImportantSUSE bug 1182805CVE-2021-27803 at SUSECVE-2021-27803 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for git (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for git fixes the following issues:
- On case-insensitive filesystems, with support for symbolic links,
if Git is configured globally to apply delay-capable clean/smudge
filters (such as Git LFS), Git could be fooled into running
remote code during a clone. (bsc#1183026, CVE-2021-21300)
ImportantSUSE bug 1183026CVE-2021-21300 at SUSECVE-2021-21300 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for python (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for python fixes the following issues:
- python27 was upgraded to 2.7.18
- CVE-2021-23336: Fixed a potential web cache poisoning by using a semicolon in query parameters use of semicolon as a query string separator (bsc#1182379).
ModerateSUSE bug 1182379CVE-2019-18348 at SUSECVE-2019-18348 at NVDCVE-2021-23336 at SUSECVE-2021-23336 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.6.1 ESR
* Fixed: Critical security issue MFSA 2021-01 (bsc#1180623)
* CVE-2020-16044
Use-after-free write when handling a malicious COOKIE-ECHO SCTP chunk
ImportantSUSE bug 1180623CVE-2020-16044 at SUSECVE-2020-16044 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for glib2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for glib2 fixes the following issues:
- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362)
ImportantSUSE bug 1182328SUSE bug 1182362CVE-2021-27218 at SUSECVE-2021-27218 at NVDCVE-2021-27219 at SUSECVE-2021-27219 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_138 fixes several issues.
The following security issues were fixed:
- CVE-2020-27786: Fixed a potential user after free which could have led to memory corruption or privilege escalation (bsc#1179616).
- CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI target code which could have been used by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#1178684).
- CVE-2020-25645: Fixed an issue where the traffic between two Geneve endpoints may have been unencrypted when IPsec was configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted (bsc#1177513).
- CVE-2020-0429: Fixed a potential memory corruption due to a use after free which could have led local escalation of privilege with System execution privileges needed (bsc#1176931).
- CVE-2020-1749: Fixed an issue in some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6 where the kernel was not correctly routing tunneled data over the encrypted link rather sending the data unencrypted (bsc#1165631).
ImportantSUSE bug 1165631SUSE bug 1176931SUSE bug 1177513SUSE bug 1178684SUSE bug 1179616CVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDCVE-2020-25645 at SUSECVE-2020-25645 at NVDCVE-2020-27786 at SUSECVE-2020-27786 at NVDCVE-2020-28374 at SUSECVE-2020-28374 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_135 fixes several issues.
The following security issues were fixed:
- CVE-2021-3347: Fixed a use-after-free in the PI futexes during fault handling, allowing local users to execute code in the kernel (bsc#1181553).
- CVE-2020-27786: Fixed a potential user after free which could have led to memory corruption or privilege escalation (bsc#1179616).
- CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI target code which could have been used by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#1178684).
ImportantSUSE bug 1178684SUSE bug 1179616SUSE bug 1181553CVE-2020-27786 at SUSECVE-2020-27786 at NVDCVE-2020-28374 at SUSECVE-2020-28374 at NVDCVE-2021-3347 at SUSECVE-2021-3347 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_130 fixes several issues.
The following security issues were fixed:
- CVE-2021-3347: Fixed a use-after-free in the PI futexes during fault handling, allowing local users to execute code in the kernel (bsc#1181553).
- CVE-2020-27786: Fixed a potential user after free which could have led to memory corruption or privilege escalation (bsc#1179616).
- CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI target code which could have been used by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#1178684).
ImportantSUSE bug 1178684SUSE bug 1179616SUSE bug 1181553CVE-2020-27786 at SUSECVE-2020-27786 at NVDCVE-2020-28374 at SUSECVE-2020-28374 at NVDCVE-2021-3347 at SUSECVE-2021-3347 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_127 fixes several issues.
The following security issues were fixed:
- CVE-2021-3347: Fixed a use-after-free in the PI futexes during fault handling, allowing local users to execute code in the kernel (bsc#1181553).
- CVE-2020-27786: Fixed a potential user after free which could have led to memory corruption or privilege escalation (bsc#1179616).
- CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI target code which could have been used by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#1178684).
ImportantSUSE bug 1178684SUSE bug 1179616SUSE bug 1181553CVE-2020-27786 at SUSECVE-2020-27786 at NVDCVE-2020-28374 at SUSECVE-2020-28374 at NVDCVE-2021-3347 at SUSECVE-2021-3347 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_124 fixes several issues.
The following security issues were fixed:
- CVE-2021-3347: Fixed a use-after-free in the PI futexes during fault handling, allowing local users to execute code in the kernel (bsc#1181553).
- CVE-2020-27786: Fixed a potential user after free which could have led to memory corruption or privilege escalation (bsc#1179616).
- CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI target code which could have been used by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#1178684).
ImportantSUSE bug 1178684SUSE bug 1179616SUSE bug 1181553CVE-2020-27786 at SUSECVE-2020-27786 at NVDCVE-2020-28374 at SUSECVE-2020-28374 at NVDCVE-2021-3347 at SUSECVE-2021-3347 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_121 fixes several issues.
The following security issues were fixed:
- CVE-2021-3347: Fixed a use-after-free in the PI futexes during fault handling, allowing local users to execute code in the kernel (bsc#1181553).
- CVE-2020-27786: Fixed a potential user after free which could have led to memory corruption or privilege escalation (bsc#1179616).
- CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI target code which could have been used by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#1178684).
ImportantSUSE bug 1178684SUSE bug 1179616SUSE bug 1181553CVE-2020-27786 at SUSECVE-2020-27786 at NVDCVE-2020-28374 at SUSECVE-2020-28374 at NVDCVE-2021-3347 at SUSECVE-2021-3347 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_116 fixes several issues.
The following security issues were fixed:
- CVE-2021-3347: Fixed a use-after-free in the PI futexes during fault handling, allowing local users to execute code in the kernel (bsc#1181553).
- CVE-2020-27786: Fixed a potential user after free which could have led to memory corruption or privilege escalation (bsc#1179616).
- CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI target code which could have been used by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#1178684).
ImportantSUSE bug 1178684SUSE bug 1179616SUSE bug 1181553CVE-2020-27786 at SUSECVE-2020-27786 at NVDCVE-2020-28374 at SUSECVE-2020-28374 at NVDCVE-2021-3347 at SUSECVE-2021-3347 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for wavpack (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for wavpack fixes the following issues:
- CVE-2020-35738: Fixed an out-of-bounds write in WavpackPackSamples (bsc#1180414).
ImportantSUSE bug 1180414CVE-2020-35738 at SUSECVE-2020-35738 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for nghttp2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for nghttp2 fixes the following issues:
Security issues fixed:
- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358).
- CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184).
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#1146182).
- CVE-2018-1000168: Fixed ALTSVC frame client side denial of service (bsc#1088639).
- CVE-2016-1544: Fixed out of memory due to unlimited incoming HTTP header fields (bsc#966514).
Bug fixes and enhancements:
- Packages must not mark license files as %doc (bsc#1082318)
- Typo in description of libnghttp2_asio1 (bsc#962914)
- Fixed mistake in spec file (bsc#1125689)
- Fixed build issue with boost 1.70.0 (bsc#1134616)
- Fixed build issue with GCC 6 (bsc#964140)
- Feature: Add W&S module (FATE#326776, bsc#1112438)
ImportantSUSE bug 1082318SUSE bug 1088639SUSE bug 1112438SUSE bug 1125689SUSE bug 1134616SUSE bug 1146182SUSE bug 1146184SUSE bug 1181358SUSE bug 962914SUSE bug 964140SUSE bug 966514CVE-2016-1544 at SUSECVE-2016-1544 at NVDCVE-2018-1000168 at SUSECVE-2018-1000168 at NVDCVE-2019-9511 at SUSECVE-2019-9511 at NVDCVE-2019-9513 at SUSECVE-2019-9513 at NVDCVE-2020-11080 at SUSECVE-2020-11080 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for openssl fixes the following issues:
- CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)
ModerateSUSE bug 1182331SUSE bug 1182333CVE-2021-23840 at SUSECVE-2021-23840 at NVDCVE-2021-23841 at SUSECVE-2021-23841 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
- Firefox was updated to 78.9.0 ESR (MFSA 2021-11, bsc#1183942)
* CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read
* CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage
* CVE-2021-23984: Malicious extensions could have spoofed popup information
* CVE-2021-23987: Memory safety bugs
ImportantSUSE bug 1183942CVE-2021-23981 at SUSECVE-2021-23981 at NVDCVE-2021-23982 at SUSECVE-2021-23982 at NVDCVE-2021-23984 at SUSECVE-2021-23984 at NVDCVE-2021-23987 at SUSECVE-2021-23987 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_144 fixes several issues.
The following security issues were fixed:
- CVE-2022-0487: A use-after-free vulnerability was found in rtsx_usb_ms_drv_remove() in drivers/memstick/host/rtsx_usb_ms.c (bsc#1194516).
- CVE-2022-0492: Fixed a privilege escalation related to cgroups v1 release_agent feature, which allowed bypassing namespace isolation unexpectedly (bsc#1195543).
ImportantSUSE bug 1195908SUSE bug 1195949CVE-2022-0487 at SUSECVE-2022-0487 at NVDCVE-2022-0492 at SUSECVE-2022-0492 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_147 fixes several issues.
The following security issues were fixed:
- CVE-2022-0487: A use-after-free vulnerability was found in rtsx_usb_ms_drv_remove() in drivers/memstick/host/rtsx_usb_ms.c (bsc#1194516).
- CVE-2022-0492: Fixed a privilege escalation related to cgroups v1 release_agent feature, which allowed bypassing namespace isolation unexpectedly (bsc#1195543).
ImportantSUSE bug 1195908SUSE bug 1195949CVE-2022-0487 at SUSECVE-2022-0487 at NVDCVE-2022-0492 at SUSECVE-2022-0492 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 41 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_150 fixes several issues.
The following security issues were fixed:
- CVE-2022-0487: A use-after-free vulnerability was found in rtsx_usb_ms_drv_remove() in drivers/memstick/host/rtsx_usb_ms.c (bsc#1194516).
- CVE-2022-0492: Fixed a privilege escalation related to cgroups v1 release_agent feature, which allowed bypassing namespace isolation unexpectedly (bsc#1195543).
ImportantSUSE bug 1195908SUSE bug 1195949CVE-2022-0487 at SUSECVE-2022-0487 at NVDCVE-2022-0492 at SUSECVE-2022-0492 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 43 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_156 fixes one issue.
The following security issue was fixed:
- CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc#1183646).
ImportantSUSE bug 1182294CVE-2021-28688 at SUSECVE-2021-28688 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for openvpn (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for openvpn fixes the following issues:
- CVE-2022-0547: Fixed possible authentication bypass in external authentication plug-in (bsc#1197341).
ImportantSUSE bug 1197341CVE-2022-0547 at SUSECVE-2022-0547 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_7_1-ibm fixes the following issues:
Update Java 7.1 to Service Refresh 7 Fix Pack 5 (bsc#1197126).
Including fixes for the following vulnerabilities:
CVE-2022-21366, CVE-2022-21365, CVE-2022-21360, CVE-2022-21349,
CVE-2022-21341, CVE-2022-21340, CVE-2022-21305, CVE-2022-21277,
CVE-2022-21299, CVE-2022-21296, CVE-2022-21282, CVE-2022-21294,
CVE-2022-21293, CVE-2022-21291, CVE-2022-21283, CVE-2022-21248,
CVE-2022-21271.
ImportantSUSE bug 1194925SUSE bug 1194926SUSE bug 1194927SUSE bug 1194928SUSE bug 1194929SUSE bug 1194930SUSE bug 1194931SUSE bug 1194932SUSE bug 1194933SUSE bug 1194934SUSE bug 1194935SUSE bug 1194937SUSE bug 1194939SUSE bug 1194940SUSE bug 1194941SUSE bug 1196500SUSE bug 1197126CVE-2022-21248 at SUSECVE-2022-21248 at NVDCVE-2022-21271 at SUSECVE-2022-21271 at NVDCVE-2022-21277 at SUSECVE-2022-21277 at NVDCVE-2022-21282 at SUSECVE-2022-21282 at NVDCVE-2022-21283 at SUSECVE-2022-21283 at NVDCVE-2022-21291 at SUSECVE-2022-21291 at NVDCVE-2022-21293 at SUSECVE-2022-21293 at NVDCVE-2022-21294 at SUSECVE-2022-21294 at NVDCVE-2022-21296 at SUSECVE-2022-21296 at NVDCVE-2022-21299 at SUSECVE-2022-21299 at NVDCVE-2022-21305 at SUSECVE-2022-21305 at NVDCVE-2022-21340 at SUSECVE-2022-21340 at NVDCVE-2022-21341 at SUSECVE-2022-21341 at NVDCVE-2022-21349 at SUSECVE-2022-21349 at NVDCVE-2022-21360 at SUSECVE-2022-21360 at NVDCVE-2022-21365 at SUSECVE-2022-21365 at NVDCVE-2022-21366 at SUSECVE-2022-21366 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_8_0-ibm fixes the following issues:
Update Java 8.0 to Service Refresh 7 Fix Pack 5 (bsc#1197126).
Including fixes for the following vulnerabilities:
CVE-2022-21366, CVE-2022-21365, CVE-2022-21360, CVE-2022-21349,
CVE-2022-21341, CVE-2022-21340, CVE-2022-21305, CVE-2022-21277,
CVE-2022-21299, CVE-2022-21296, CVE-2022-21282, CVE-2022-21294,
CVE-2022-21293, CVE-2022-21291, CVE-2022-21283, CVE-2022-21248,
CVE-2022-21271.
Non-securtiy fix:
- Fixed a broken symlink for javaws (bsc#1195146).
ImportantSUSE bug 1194925SUSE bug 1194926SUSE bug 1194927SUSE bug 1194928SUSE bug 1194929SUSE bug 1194930SUSE bug 1194931SUSE bug 1194932SUSE bug 1194933SUSE bug 1194934SUSE bug 1194935SUSE bug 1194937SUSE bug 1194939SUSE bug 1194940SUSE bug 1194941SUSE bug 1195146SUSE bug 1196500SUSE bug 1197126CVE-2022-21248 at SUSECVE-2022-21248 at NVDCVE-2022-21271 at SUSECVE-2022-21271 at NVDCVE-2022-21277 at SUSECVE-2022-21277 at NVDCVE-2022-21282 at SUSECVE-2022-21282 at NVDCVE-2022-21283 at SUSECVE-2022-21283 at NVDCVE-2022-21291 at SUSECVE-2022-21291 at NVDCVE-2022-21293 at SUSECVE-2022-21293 at NVDCVE-2022-21294 at SUSECVE-2022-21294 at NVDCVE-2022-21296 at SUSECVE-2022-21296 at NVDCVE-2022-21299 at SUSECVE-2022-21299 at NVDCVE-2022-21305 at SUSECVE-2022-21305 at NVDCVE-2022-21340 at SUSECVE-2022-21340 at NVDCVE-2022-21341 at SUSECVE-2022-21341 at NVDCVE-2022-21349 at SUSECVE-2022-21349 at NVDCVE-2022-21360 at SUSECVE-2022-21360 at NVDCVE-2022-21365 at SUSECVE-2022-21365 at NVDCVE-2022-21366 at SUSECVE-2022-21366 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 42 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_153 fixes one issue.
The following security issue was fixed:
- CVE-2022-0492: Fixed a privilege escalation related to cgroups v1 release_agent feature, which allowed bypassing namespace isolation unexpectedly (bsc#1195543).
ImportantSUSE bug 1195908CVE-2022-0492 at SUSECVE-2022-0492 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for zlib (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for zlib fixes the following issues:
- CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).
ImportantSUSE bug 1197459CVE-2018-25032 at SUSECVE-2018-25032 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 7 Fix Pack 0
- CVE-2021-41035: before version 0.29.0, the openj9 JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods. (bsc#1194198, bsc#1192052)
- CVE-2021-35586: Excessive memory allocation in BMPImageReader. (bsc#1191914)
- CVE-2021-35564: Certificates with end dates too far in the future can corrupt keystore. (bsc#1191913)
- CVE-2021-35559: Excessive memory allocation in RTFReader. (bsc#1191911)
- CVE-2021-35556: Excessive memory allocation in RTFParser. (bsc#1191910)
- CVE-2021-35565: Loop in HttpsServer triggered during TLS session close. (bsc#1191909)
- CVE-2021-35588: Incomplete validation of inner class references in ClassFileParser. (bsc#1191905)
- CVE-2021-2341: Fixed a flaw inside the FtpClient. (bsc#1188564)
- CVE-2021-2369: JAR file handling problem containing multiple MANIFEST.MF files. (bsc#1188565)
- CVE-2021-2163: Incomplete enforcement of JAR signing disabled algorithms. (bsc#1185055)
- CVE-2021-35560: Fixed a vulnerability in the component Deployment. (bsc#1191902)
- CVE-2021-35578: Fixed unexpected exception raised during TLS handshake. (bsc#1191904)
ImportantSUSE bug 1185055SUSE bug 1188564SUSE bug 1188565SUSE bug 1191902SUSE bug 1191904SUSE bug 1191905SUSE bug 1191909SUSE bug 1191910SUSE bug 1191911SUSE bug 1191913SUSE bug 1191914SUSE bug 1192052SUSE bug 1194198SUSE bug 1194232CVE-2021-2163 at SUSECVE-2021-2163 at NVDCVE-2021-2341 at SUSECVE-2021-2341 at NVDCVE-2021-2369 at SUSECVE-2021-2369 at NVDCVE-2021-35556 at SUSECVE-2021-35556 at NVDCVE-2021-35559 at SUSECVE-2021-35559 at NVDCVE-2021-35560 at SUSECVE-2021-35560 at NVDCVE-2021-35564 at SUSECVE-2021-35564 at NVDCVE-2021-35565 at SUSECVE-2021-35565 at NVDCVE-2021-35578 at SUSECVE-2021-35578 at NVDCVE-2021-35586 at SUSECVE-2021-35586 at NVDCVE-2021-35588 at SUSECVE-2021-35588 at NVDCVE-2021-41035 at SUSECVE-2021-41035 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for mozilla-nss (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for mozilla-nss fixes the following issues:
Mozilla NSS 3.68.3 (bsc#1197903):
- CVE-2022-1097: Fixed memory safety violations that could occur when PKCS#11
tokens are removed while in use.
ImportantSUSE bug 1197903CVE-2022-1097 at SUSECVE-2022-1097 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.8.0 ESR (bsc#1197903):
MFSA 2022-14 (bsc#1197903)
* CVE-2022-1097: Fixed memory safety violations that could occur when PKCS#11 tokens are removed while in use
* CVE-2022-28281: Fixed an out of bounds write due to unexpected WebAuthN Extensions
* CVE-2022-1196: Fixed a use-after-free after VR Process destruction
* CVE-2022-28282: Fixed a use-after-free in DocumentL10n::TranslateDocument
* CVE-2022-28285: Fixed incorrect AliasSet used in JIT Codegen
* CVE-2022-28286: Fixed that iframe contents could be rendered outside the border
* CVE-2022-24713: Fixed a denial of service via complex regular expressions
* CVE-2022-28289: Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8
ImportantSUSE bug 1197903CVE-2022-1097 at SUSECVE-2022-1097 at NVDCVE-2022-1196 at SUSECVE-2022-1196 at NVDCVE-2022-24713 at SUSECVE-2022-24713 at NVDCVE-2022-28281 at SUSECVE-2022-28281 at NVDCVE-2022-28282 at SUSECVE-2022-28282 at NVDCVE-2022-28285 at SUSECVE-2022-28285 at NVDCVE-2022-28286 at SUSECVE-2022-28286 at NVDCVE-2022-28289 at SUSECVE-2022-28289 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for glibc (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for glibc fixes the following issues:
- CVE-2020-1752: Fix use-after-free in glob when expanding ~user (bsc#1167631)
ImportantSUSE bug 1167631CVE-2020-1752 at SUSECVE-2020-1752 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for openjpeg2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for openjpeg2 fixes the following issues:
- CVE-2016-1924: Fixed heap buffer overflow (bsc#980504).
- CVE-2016-3183: Fixed out-of-bounds read in sycc422_to_rgb function (bsc#971617).
- CVE-2016-4797: Fixed heap buffer overflow (bsc#980504).
- CVE-2018-14423: Fixed division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_next_cprl,and pi_next_rpcl in lib/openjp3d/pi.c (bsc#1102016).
- CVE-2018-16375: Fixed missing checks for header_info.height and header_info.width in the function pnmtoimage in bin/jpwl/convert.c (bsc#1106882).
- CVE-2018-16376: Fixed heap-based buffer overflow function t2_encode_packet in lib/openmj2/t2.c (bsc#1106881).
- CVE-2018-20845: Fixed division-by-zero in the functions pi_next_pcrl, pi_next_cprl, and pi_next_rpcl in openmj2/pi.c (bsc#1140130).
- CVE-2018-20846: Fixed out-of-bounds accesses in pi_next_lrcp, pi_next_rlcp, pi_next_rpcl, pi_next_pcrl, pi_next_rpcl, and pi_next_cprl in openmj2/pi.c (bsc#1140205).
- CVE-2020-8112: Fixed heap-based buffer overflow in opj_t1_clbl_decode_processor in openjp2/t1.c (bsc#1162090).
- CVE-2020-15389: Fixed use-after-free if t a mix of valid and invalid files in a directory operated on by the decompressor (bsc#1173578).
- CVE-2020-27823: Fixed heap buffer over-write in opj_tcd_dc_level_shift_encode() (bsc#1180457).
- CVE-2021-29338: Fixed integer overflow that allows remote attackers to crash the application (bsc#1184774).
- CVE-2022-1122: Fixed segmentation fault in opj2_decompress due to uninitialized pointer (bsc#1197738).
ImportantSUSE bug 1102016SUSE bug 1106881SUSE bug 1106882SUSE bug 1140130SUSE bug 1140205SUSE bug 1162090SUSE bug 1173578SUSE bug 1180457SUSE bug 1184774SUSE bug 1197738SUSE bug 971617SUSE bug 980504CVE-2016-1924 at SUSECVE-2016-1924 at NVDCVE-2016-3183 at SUSECVE-2016-3183 at NVDCVE-2016-4797 at SUSECVE-2016-4797 at NVDCVE-2018-14423 at SUSECVE-2018-14423 at NVDCVE-2018-16375 at SUSECVE-2018-16375 at NVDCVE-2018-16376 at SUSECVE-2018-16376 at NVDCVE-2018-20845 at SUSECVE-2018-20845 at NVDCVE-2018-20846 at SUSECVE-2018-20846 at NVDCVE-2020-15389 at SUSECVE-2020-15389 at NVDCVE-2020-27823 at SUSECVE-2020-27823 at NVDCVE-2020-8112 at SUSECVE-2020-8112 at NVDCVE-2021-29338 at SUSECVE-2021-29338 at NVDCVE-2022-1122 at SUSECVE-2022-1122 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
- CVE-2021-4140: Fixed iframe sandbox bypass with XSLT (bsc#1194547).
- CVE-2022-22737: Fixed race condition when playing audio files (bsc#1194547).
- CVE-2022-22738: Fixed heap-buffer-overflow in blendGaussianBlur (bsc#1194547).
- CVE-2022-22739: Fixed missing throttling on external protocol launch dialog (bsc#1194547).
- CVE-2022-22740: Fixed use-after-free of ChannelEventQueue::mOwner (bsc#1194547).
- CVE-2022-22741: Fixed browser window spoof using fullscreen mode (bsc#1194547).
- CVE-2022-22742: Fixed out-of-bounds memory access when inserting text in edit mode (bsc#1194547).
- CVE-2022-22743: Fixed browser window spoof using fullscreen mode (bsc#1194547).
- CVE-2022-22744: Fixed possible command injection via the 'Copy as curl' feature in DevTools (bsc#1194547).
- CVE-2022-22745: Fixed leaking cross-origin URLs through securitypolicyviolation event (bsc#1194547).
- CVE-2022-22746: Fixed calling into reportValidity could have lead to fullscreen window spoof (bsc#1194547).
- CVE-2022-22747: Fixed crash when handling empty pkcs7 sequence(bsc#1194547).
- CVE-2022-22748: Fixed spoofed origin on external protocol launch dialog (bsc#1194547).
- CVE-2022-22751: Fixed memory safety bugs (bsc#1194547).
ImportantSUSE bug 1194547CVE-2021-4140 at SUSECVE-2021-4140 at NVDCVE-2022-22737 at SUSECVE-2022-22737 at NVDCVE-2022-22738 at SUSECVE-2022-22738 at NVDCVE-2022-22739 at SUSECVE-2022-22739 at NVDCVE-2022-22740 at SUSECVE-2022-22740 at NVDCVE-2022-22741 at SUSECVE-2022-22741 at NVDCVE-2022-22742 at SUSECVE-2022-22742 at NVDCVE-2022-22743 at SUSECVE-2022-22743 at NVDCVE-2022-22744 at SUSECVE-2022-22744 at NVDCVE-2022-22745 at SUSECVE-2022-22745 at NVDCVE-2022-22746 at SUSECVE-2022-22746 at NVDCVE-2022-22747 at SUSECVE-2022-22747 at NVDCVE-2022-22748 at SUSECVE-2022-22748 at NVDCVE-2022-22751 at SUSECVE-2022-22751 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for xz (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for xz fixes the following issues:
- CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)
ImportantSUSE bug 1198062CVE-2022-1271 at SUSECVE-2022-1271 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libexif (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libexif fixes the following issues:
- CVE-2020-0181: Fixed an integer overflow that could lead to denial of service
(bsc#1172802).
- CVE-2020-0198: Fixed and unsigned integer overflow that could lead to denial
of service (bsc#1172768).
- CVE-2020-0452: Fixed a buffer overflow check that could be optimized away
by the compiler (bsc#1178479).
ImportantSUSE bug 1172768SUSE bug 1172802SUSE bug 1178479CVE-2020-0181 at SUSECVE-2020-0181 at NVDCVE-2020-0198 at SUSECVE-2020-0198 at NVDCVE-2020-0452 at SUSECVE-2020-0452 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
The SUSE Linux Enterprise 12 SP3 kernel was updated.
The following security bugs were fixed:
- CVE-2022-1016: Fixed a vulnerability in the nf_tables component of the netfilter subsystem. This vulnerability gives an attacker a powerful primitive that can be used to both read from and write to relative stack data, which can lead to arbitrary code execution. (bsc#1197227)
- CVE-2022-1048: Fixed a race Condition in snd_pcm_hw_free leading to use-after-free due to the AB/BA lock with buffer_mutex and mmap_lock. (bsc#1197331)
- CVE-2022-0850: Fixed a kernel information leak vulnerability in iov_iter.c. (bsc#1196761)
- CVE-2021-45868: Fixed a wrong validation check in fs/quota/quota_tree.c which could lead to an use-after-free if there is a corrupted quota file. (bnc#1197366)
- CVE-2022-26966: Fixed an issue in drivers/net/usb/sr9700.c, which allowed attackers to obtain sensitive information from the memory via crafted frame lengths from a USB device. (bsc#1196836)
- CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042: Fixed multiple issues which could have lead to read/write access to memory pages or denial of service. These issues are related to the Xen PV device frontend drivers. (bsc#1196488)
- CVE-2022-26490: Fixed a buffer overflow in the st21nfca driver. An attacker with adjacent NFC access could crash the system or corrupt the system memory. (bsc#1196830)
The following non-security bugs were fixed:
- ax88179_178a: Merge memcpy + le32_to_cpus to get_unaligned_le32 (bsc#1196018).
- clocksource: Initialize cs->wd_list (git-fixes)
- llc: fix netdevice reference leaks in llc_ui_bind() (git-fixes).
- net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup (bsc#1196018).
- net: usb: ax88179_178a: fix packet alignment padding (bsc#1196018).
- sched/autogroup: Fix possible Spectre-v1 indexing for (git-fixes)
- sr9700: sanity check for packet length (bsc#1196836).
- usb: host: xen-hcd: add missing unlock in error path (git-fixes).
- xen/usb: do not use gnttab_end_foreign_access() in xenhcd_gnttab_done() (bsc#1196488, XSA-396).
ImportantSUSE bug 1189562SUSE bug 1196018SUSE bug 1196488SUSE bug 1196761SUSE bug 1196830SUSE bug 1196836SUSE bug 1197227SUSE bug 1197331SUSE bug 1197366CVE-2021-45868 at SUSECVE-2021-45868 at NVDCVE-2022-0850 at SUSECVE-2022-0850 at NVDCVE-2022-1016 at SUSECVE-2022-1016 at NVDCVE-2022-1048 at SUSECVE-2022-1048 at NVDCVE-2022-23036 at SUSECVE-2022-23036 at NVDCVE-2022-23037 at SUSECVE-2022-23037 at NVDCVE-2022-23038 at SUSECVE-2022-23038 at NVDCVE-2022-23039 at SUSECVE-2022-23039 at NVDCVE-2022-23040 at SUSECVE-2022-23040 at NVDCVE-2022-23041 at SUSECVE-2022-23041 at NVDCVE-2022-23042 at SUSECVE-2022-23042 at NVDCVE-2022-26490 at SUSECVE-2022-26490 at NVDCVE-2022-26966 at SUSECVE-2022-26966 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for gzip (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for gzip fixes the following issues:
- CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)
ImportantSUSE bug 1198062CVE-2022-1271 at SUSECVE-2022-1271 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for dnsmasq (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for dnsmasq fixes the following issues:
- CVE-2021-3448: Fixed a potential DNS cache poisoning issue due to a constant
outgoing port being used when for certain use cases of the --server option
(bsc#1183709).
- CVE-2022-0934: Fixed an invalid memory access that could lead to remote denial
of service via crafted packet (bsc#1197872).
ImportantSUSE bug 1183709SUSE bug 1197872CVE-2021-3448 at SUSECVE-2021-3448 at NVDCVE-2022-0934 at SUSECVE-2022-0934 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for tomcat (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for tomcat fixes the following issues:
- Remove the log4j dependency as it is not used by the tomcat package (bsc#1196137)
Security hardening, related to Spring Framework vulnerabilities:
- Deprecate getResources() and always return null (bsc#1198136).
ImportantSUSE bug 1196137SUSE bug 1198136cpe:/o:suse:sles-ltss:12:sp3Security update for git (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for git fixes the following issues:
- CVE-2022-24765: Fixed a potential command injection via git worktree (bsc#1198234).
ImportantSUSE bug 1198234CVE-2022-24765 at SUSECVE-2022-24765 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libxml2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libxml2 fixes the following issues:
- CVE-2022-23308: Fixed use-after-free of ID and IDREF attributes. (bsc#1196490)
ImportantSUSE bug 1196490CVE-2022-23308 at SUSECVE-2022-23308 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for SDL (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for SDL fixes the following issues:
- CVE-2020-14409: Fixed an integer overflow (and resultant SDL_memcpy heap corruption) in SDL_BlitCopy in video/SDL_blit_copy.c. (bsc#1181202)
- CVE-2020-14410: Fixed a heap-based buffer over-read in Blit_3or4_to_3or4__inversed_rgb in video/SDL_blit_N.c. (bsc#1181201)
- CVE-2021-33657: Fixed a Heap overflow problem in video/SDL_pixels.c. (bsc#1198001)
ImportantSUSE bug 1181201SUSE bug 1181202SUSE bug 1198001CVE-2020-14409 at SUSECVE-2020-14409 at NVDCVE-2020-14410 at SUSECVE-2020-14410 at NVDCVE-2021-33657 at SUSECVE-2021-33657 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for xen fixes the following issues:
- CVE-2022-26356: Fixed potential race conditions in dirty memory tracking that
could cause a denial of service in the host (bsc#1197423).
- CVE-2022-26357: Fixed a potential race condition in memory cleanup for hosts
using VT-d IOMMU hardware, which could lead to a denial of service in the host
(bsc#1197425).
- CVE-2022-26358,CVE-2022-26359,CVE-2022-26360,CVE-2022-26361: Fixed various memory
corruption issues for hosts using VT-d or AMD-Vi IOMMU hardware. These could be
leveraged by an attacker to cause a denial of service in the host (bsc#1197426).
- CVE-2022-0001, CVE-2022-0002, CVE-2021-26401: Added BHB speculation issue
mitigations (bsc#1196915).
ImportantSUSE bug 1196915SUSE bug 1197423SUSE bug 1197425SUSE bug 1197426CVE-2021-26401 at SUSECVE-2021-26401 at NVDCVE-2022-0001 at SUSECVE-2022-0001 at NVDCVE-2022-0002 at SUSECVE-2022-0002 at NVDCVE-2022-26356 at SUSECVE-2022-26356 at NVDCVE-2022-26357 at SUSECVE-2022-26357 at NVDCVE-2022-26358 at SUSECVE-2022-26358 at NVDCVE-2022-26359 at SUSECVE-2022-26359 at NVDCVE-2022-26360 at SUSECVE-2022-26360 at NVDCVE-2022-26361 at SUSECVE-2022-26361 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.34.3 (bsc#1194019).
- CVE-2021-30887: Fixed logic issue allowing unexpectedly unenforced Content Security Policy when processing maliciously crafted web content.
- CVE-2021-30890: Fixed logic issue allowing universal cross site scripting when processing maliciously crafted web content.
ImportantSUSE bug 1194019CVE-2018-8518 at SUSECVE-2018-8518 at NVDCVE-2018-8523 at SUSECVE-2018-8523 at NVDCVE-2019-8551 at SUSECVE-2019-8551 at NVDCVE-2019-8558 at SUSECVE-2019-8558 at NVDCVE-2019-8559 at SUSECVE-2019-8559 at NVDCVE-2019-8563 at SUSECVE-2019-8563 at NVDCVE-2019-8674 at SUSECVE-2019-8674 at NVDCVE-2019-8681 at SUSECVE-2019-8681 at NVDCVE-2019-8684 at SUSECVE-2019-8684 at NVDCVE-2019-8687 at SUSECVE-2019-8687 at NVDCVE-2019-8688 at SUSECVE-2019-8688 at NVDCVE-2019-8689 at SUSECVE-2019-8689 at NVDCVE-2019-8690 at SUSECVE-2019-8690 at NVDCVE-2019-8707 at SUSECVE-2019-8707 at NVDCVE-2019-8719 at SUSECVE-2019-8719 at NVDCVE-2019-8726 at SUSECVE-2019-8726 at NVDCVE-2019-8733 at SUSECVE-2019-8733 at NVDCVE-2019-8763 at SUSECVE-2019-8763 at NVDCVE-2019-8765 at SUSECVE-2019-8765 at NVDCVE-2019-8766 at SUSECVE-2019-8766 at NVDCVE-2019-8768 at SUSECVE-2019-8768 at NVDCVE-2019-8782 at SUSECVE-2019-8782 at NVDCVE-2019-8808 at SUSECVE-2019-8808 at NVDCVE-2019-8815 at SUSECVE-2019-8815 at NVDCVE-2019-8821 at SUSECVE-2019-8821 at NVDCVE-2019-8822 at SUSECVE-2019-8822 at NVDCVE-2020-10018 at SUSECVE-2020-10018 at NVDCVE-2020-13753 at SUSECVE-2020-13753 at NVDCVE-2020-27918 at SUSECVE-2020-27918 at NVDCVE-2020-29623 at SUSECVE-2020-29623 at NVDCVE-2020-3885 at SUSECVE-2020-3885 at NVDCVE-2020-3894 at SUSECVE-2020-3894 at NVDCVE-2020-3895 at SUSECVE-2020-3895 at NVDCVE-2020-3897 at SUSECVE-2020-3897 at NVDCVE-2020-3900 at SUSECVE-2020-3900 at NVDCVE-2020-3901 at SUSECVE-2020-3901 at NVDCVE-2020-3902 at SUSECVE-2020-3902 at NVDCVE-2020-9802 at SUSECVE-2020-9802 at NVDCVE-2020-9803 at SUSECVE-2020-9803 at NVDCVE-2020-9805 at SUSECVE-2020-9805 at NVDCVE-2020-9947 at SUSECVE-2020-9947 at NVDCVE-2020-9948 at SUSECVE-2020-9948 at NVDCVE-2020-9951 at SUSECVE-2020-9951 at NVDCVE-2020-9952 at SUSECVE-2020-9952 at NVDCVE-2021-1765 at SUSECVE-2021-1765 at NVDCVE-2021-1788 at SUSECVE-2021-1788 at NVDCVE-2021-1817 at SUSECVE-2021-1817 at NVDCVE-2021-1820 at SUSECVE-2021-1820 at NVDCVE-2021-1825 at SUSECVE-2021-1825 at NVDCVE-2021-1826 at SUSECVE-2021-1826 at NVDCVE-2021-1844 at SUSECVE-2021-1844 at NVDCVE-2021-1871 at SUSECVE-2021-1871 at NVDCVE-2021-30661 at SUSECVE-2021-30661 at NVDCVE-2021-30666 at SUSECVE-2021-30666 at NVDCVE-2021-30682 at SUSECVE-2021-30682 at NVDCVE-2021-30761 at SUSECVE-2021-30761 at NVDCVE-2021-30762 at SUSECVE-2021-30762 at NVDCVE-2021-30809 at SUSECVE-2021-30809 at NVDCVE-2021-30818 at SUSECVE-2021-30818 at NVDCVE-2021-30823 at SUSECVE-2021-30823 at NVDCVE-2021-30836 at SUSECVE-2021-30836 at NVDCVE-2021-30846 at SUSECVE-2021-30846 at NVDCVE-2021-30848 at SUSECVE-2021-30848 at NVDCVE-2021-30849 at SUSECVE-2021-30849 at NVDCVE-2021-30851 at SUSECVE-2021-30851 at NVDCVE-2021-30858 at SUSECVE-2021-30858 at NVDCVE-2021-30884 at SUSECVE-2021-30884 at NVDCVE-2021-30887 at SUSECVE-2021-30887 at NVDCVE-2021-30888 at SUSECVE-2021-30888 at NVDCVE-2021-30889 at SUSECVE-2021-30889 at NVDCVE-2021-30890 at SUSECVE-2021-30890 at NVDCVE-2021-30897 at SUSECVE-2021-30897 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for cifs-utils (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for cifs-utils fixes the following issues:
- CVE-2022-27239: Fixed a buffer overflow in the command line ip option (bsc#1197216).
ImportantSUSE bug 1197216CVE-2022-27239 at SUSECVE-2022-27239 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 43 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_156 fixes several issues.
The following security issues were fixed:
- CVE-2022-1016: Fixed a vulnerability in the nf_tables component of the netfilter subsystem. This vulnerability gives an attacker a powerful primitive that can be used to both read from and write to relative stack data, which can lead to arbitrary code execution. (bsc#1197335)
- CVE-2022-1011: Fixed an use-after-free vulnerability which could allow a local attacker to retireve (partial) /etc/shadow hashes or any other data from filesystem when he can mount a FUSE filesystems. (bsc#1197344)
- CVE-2021-39713: Fixed a race condition in the network scheduling subsystem which could lead to a use-after-free (bsc#1197211).
ImportantSUSE bug 1197211SUSE bug 1197335SUSE bug 1197344CVE-2021-39713 at SUSECVE-2021-39713 at NVDCVE-2022-1011 at SUSECVE-2022-1011 at NVDCVE-2022-1016 at SUSECVE-2022-1016 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 42 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_153 fixes several issues.
The following security issues were fixed:
- CVE-2022-1016: Fixed a vulnerability in the nf_tables component of the netfilter subsystem. This vulnerability gives an attacker a powerful primitive that can be used to both read from and write to relative stack data, which can lead to arbitrary code execution. (bsc#1197335)
- CVE-2022-1011: Fixed an use-after-free vulnerability which could allow a local attacker to retireve (partial) /etc/shadow hashes or any other data from filesystem when he can mount a FUSE filesystems. (bsc#1197344)
- CVE-2021-39713: Fixed a race condition in the network scheduling subsystem which could lead to a use-after-free (bsc#1197211).
ImportantSUSE bug 1197211SUSE bug 1197335SUSE bug 1197344CVE-2021-39713 at SUSECVE-2021-39713 at NVDCVE-2022-1011 at SUSECVE-2022-1011 at NVDCVE-2022-1016 at SUSECVE-2022-1016 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 41 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_150 fixes several issues.
The following security issues were fixed:
- CVE-2022-1016: Fixed a vulnerability in the nf_tables component of the netfilter subsystem. This vulnerability gives an attacker a powerful primitive that can be used to both read from and write to relative stack data, which can lead to arbitrary code execution. (bsc#1197335)
- CVE-2022-1011: Fixed an use-after-free vulnerability which could allow a local attacker to retireve (partial) /etc/shadow hashes or any other data from filesystem when he can mount a FUSE filesystems. (bsc#1197344)
- CVE-2021-39713: Fixed a race condition in the network scheduling subsystem which could lead to a use-after-free (bsc#1197211).
ImportantSUSE bug 1197211SUSE bug 1197335SUSE bug 1197344CVE-2021-39713 at SUSECVE-2021-39713 at NVDCVE-2022-1011 at SUSECVE-2022-1011 at NVDCVE-2022-1016 at SUSECVE-2022-1016 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_147 fixes several issues.
The following security issues were fixed:
- CVE-2022-1016: Fixed a vulnerability in the nf_tables component of the netfilter subsystem. This vulnerability gives an attacker a powerful primitive that can be used to both read from and write to relative stack data, which can lead to arbitrary code execution. (bsc#1197335)
- CVE-2022-1011: Fixed an use-after-free vulnerability which could allow a local attacker to retireve (partial) /etc/shadow hashes or any other data from filesystem when he can mount a FUSE filesystems. (bsc#1197344)
- CVE-2021-39713: Fixed a race condition in the network scheduling subsystem which could lead to a use-after-free (bsc#1197211).
ImportantSUSE bug 1197211SUSE bug 1197335SUSE bug 1197344CVE-2021-39713 at SUSECVE-2021-39713 at NVDCVE-2022-1011 at SUSECVE-2022-1011 at NVDCVE-2022-1016 at SUSECVE-2022-1016 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_144 fixes several issues.
The following security issues were fixed:
- CVE-2022-1016: Fixed a vulnerability in the nf_tables component of the netfilter subsystem. This vulnerability gives an attacker a powerful primitive that can be used to both read from and write to relative stack data, which can lead to arbitrary code execution. (bsc#1197335)
- CVE-2022-1011: Fixed an use-after-free vulnerability which could allow a local attacker to retireve (partial) /etc/shadow hashes or any other data from filesystem when he can mount a FUSE filesystems. (bsc#1197344)
- CVE-2021-39713: Fixed a race condition in the network scheduling subsystem which could lead to a use-after-free (bsc#1197211).
ImportantSUSE bug 1197211SUSE bug 1197335SUSE bug 1197344CVE-2021-39713 at SUSECVE-2021-39713 at NVDCVE-2022-1011 at SUSECVE-2022-1011 at NVDCVE-2022-1016 at SUSECVE-2022-1016 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for aide (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for aide fixes the following issues:
- CVE-2021-45417: Fix a bufferoverflow in base64 functions (bsc#1194735)
ImportantSUSE bug 1194735CVE-2021-45417 at SUSECVE-2021-45417 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
This update contains the Firefox Extended Support Release 91.1.0 ESR.
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-40 (bsc#1190269, bsc#1190274):
* CVE-2021-38492: Navigating to `mk:` URL scheme could load Internet Explorer
* CVE-2021-38495: Memory safety bugs fixed in Firefox 92 and Firefox ESR 91.1
Firefox 91.0.1esr ESR
* Fixed: Fixed an issue causing buttons on the tab bar to be
resized when loading certain websites (bug 1704404)
* Fixed: Fixed an issue which caused tabs from private windows
to be visible in non-private windows when viewing switch-to-
tab results in the address bar panel (bug 1720369)
* Fixed: Various stability fixes
* Fixed: Security fix MFSA 2021-37 (bsc#1189547)
* CVE-2021-29991 (bmo#1724896)
Header Splitting possible with HTTP/3 Responses
Firefox Extended Support Release 91.0 ESR
* New: Some of the highlights of the new Extended Support Release are:
- A number of user interface changes. For more information,
see the Firefox 89 release notes.
- Firefox now supports logging into Microsoft, work, and
school accounts using Windows single sign-on. Learn more
- On Windows, updates can now be applied in the background
while Firefox is not running.
- Firefox for Windows now offers a new page about:third-party
to help identify compatibility issues caused by third-party
applications
- Version 2 of Firefox's SmartBlock feature further improves
private browsing. Third party Facebook scripts are blocked to
prevent you from being tracked, but are now automatically
loaded 'just in time' if you decide to 'Log in with Facebook'
on any website.
- Enhanced the privacy of the Firefox Browser's Private
Browsing mode with Total Cookie Protection, which confines
cookies to the site where they were created, preventing
companis from using cookies to track your browsing across
sites. This feature was originally launched in Firefox's ETP
Strict mode.
- PDF forms now support JavaScript embedded in PDF files.
Some PDF forms use JavaScript for validation and other
interactive features.
- You'll encounter less website breakage in Private Browsing
and Strict Enhanced Tracking Protection with SmartBlock,
which provides stand-in scripts so that websites load
properly.
- Improved Print functionality with a cleaner design and
better integration with your computer's printer settings.
- Firefox now protects you from supercookies, a type of
tracker that can stay hidden in your browser and track you
online, even after you clear cookies. By isolating
supercookies, Firefox prevents them from tracking your web
browsing from one site to the next.
- Firefox now remembers your preferred location for saved
bookmarks, displays the bookmarks toolbar by default on new
tabs, and gives you easy access to all of your bookmarks via
a toolbar folder.
- Native support for macOS devices built with Apple Silicon
CPUs brings dramatic performance improvements over the non-
native build that was shipped in Firefox 83: Firefox launches
over 2.5 times faster and web apps are now twice as
responsive (per the SpeedoMeter 2.0 test). If you are on a
new Apple device, follow these steps to upgrade to the latest
Firefox.
- Pinch zooming will now be supported for our users with
Windows touchscreen devices and touchpads on Mac devices.
Firefox users may now use pinch to zoom on touch-capable
devices to zoom in and out of webpages.
- We’ve improved functionality and design for a number of
Firefox search features:
* Selecting a search engine at the bottom of the search
panel now enters search mode for that engine, allowing you to
see suggestions (if available) for your search terms. The old
behavior (immediately performing a search) is available with
a shift-click.
* When Firefox autocompletes the URL of one of your search
engines, you can now search with that engine directly in the
address bar by selecting the shortcut in the address bar
results.
* We’ve added buttons at the bottom of the search panel to
allow you to search your bookmarks, open tabs, and history.
- Firefox supports AcroForm, which will allow you to fill in,
print, and save supported PDF forms and the PDF viewer also
has a new fresh look.
- For our users in the US and Canada, Firefox can now save,
manage, and auto-fill credit card information for you, making
shopping on Firefox ever more convenient.
- In addition to our default, dark and light themes, with
this release, Firefox introduces the Alpenglow theme: a
colorful appearance for buttons, menus, and windows. You can
update your Firefox themes under settings or preferences.
* Changed: Firefox no longer supports Adobe Flash. There is no
setting available to re-enable Flash support.
* Enterprise: Various bug fixes and new policies have been
implemented in the latest version of Firefox. See more
details in the Firefox for Enterprise 91 Release Notes.
MFSA 2021-33 (bsc#1188891):
* CVE-2021-29986: Race condition when resolving DNS names could have led to
memory corruption
* CVE-2021-29981: Live range splitting could have led to conflicting
assignments in the JIT
* CVE-2021-29988: Memory corruption as a result of incorrect style treatment
* CVE-2021-29983: Firefox for Android could get stuck in fullscreen mode
* CVE-2021-29984: Incorrect instruction reordering during JIT optimization
* CVE-2021-29980: Uninitialized memory in a canvas object could have led to
memory corruption
* CVE-2021-29987: Users could have been tricked into accepting unwanted
permissions on Linux
* CVE-2021-29985: Use-after-free media channels
* CVE-2021-29982: Single bit data leak due to incorrect JIT optimization and
type confusion
* CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
* CVE-2021-29990: Memory safety bugs fixed in Firefox 91
ImportantSUSE bug 1188891SUSE bug 1189547SUSE bug 1190269SUSE bug 1190274CVE-2021-29980 at SUSECVE-2021-29980 at NVDCVE-2021-29981 at SUSECVE-2021-29981 at NVDCVE-2021-29982 at SUSECVE-2021-29982 at NVDCVE-2021-29983 at SUSECVE-2021-29983 at NVDCVE-2021-29984 at SUSECVE-2021-29984 at NVDCVE-2021-29985 at SUSECVE-2021-29985 at NVDCVE-2021-29986 at SUSECVE-2021-29986 at NVDCVE-2021-29987 at SUSECVE-2021-29987 at NVDCVE-2021-29988 at SUSECVE-2021-29988 at NVDCVE-2021-29989 at SUSECVE-2021-29989 at NVDCVE-2021-29990 at SUSECVE-2021-29990 at NVDCVE-2021-29991 at SUSECVE-2021-29991 at NVDCVE-2021-38492 at SUSECVE-2021-38492 at NVDCVE-2021-38495 at SUSECVE-2021-38495 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for zsh (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for zsh fixes the following issues:
- CVE-2018-0502: Fixed execve call vulnerability to program named on the second line when the beginning of a #! script file was mishandled. (bsc#1107296, bsc#1107294)
- CVE-2018-13259: Fixed execve call vulnerability to program name that is a substring of the intended one. (bsc#1107296, bsc#1107294)
ImportantSUSE bug 1107294SUSE bug 1107296CVE-2018-0502 at SUSECVE-2018-0502 at NVDCVE-2018-13259 at SUSECVE-2018-13259 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for bind (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for bind fixes the following issues:
- CVE-2021-25220: Fixed potentially incorrect answers by cached forwarders (bsc#1197135).
ModerateSUSE bug 1197135CVE-2021-25220 at SUSECVE-2021-25220 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_144 fixes one issue.
The following security issue was fixed:
- CVE-2022-0330: A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allowed a local user to crash the system or escalate their privileges on the system. (bsc#1195950)
ImportantSUSE bug 1195950CVE-2022-0330 at SUSECVE-2022-0330 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_147 fixes one issue.
The following security issue was fixed:
- CVE-2022-0330: A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allowed a local user to crash the system or escalate their privileges on the system. (bsc#1195950)
ImportantSUSE bug 1195950CVE-2022-0330 at SUSECVE-2022-0330 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 41 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_150 fixes one issue.
The following security issue was fixed:
- CVE-2022-0330: A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allowed a local user to crash the system or escalate their privileges on the system. (bsc#1195950)
ImportantSUSE bug 1195950CVE-2022-0330 at SUSECVE-2022-0330 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 44 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_161 fixes several issues.
The following security issues were fixed:
- CVE-2022-1011: A use-after-free flaw was found in the FUSE filesystem in the way a user triggers write(). This flaw allowed a local user to gain unauthorized access to data from the FUSE filesystem, resulting in privilege escalation. (bsc#1197344)
- CVE-2021-39713: Fixed a race condition in the network scheduling subsystem which could lead to a use-after-free. (bsc#1197211)
- CVE-2021-28688: The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains. All Linux versions having the fix for XSA-365 applied are vulnerable. XSA-365 was classified to affect versions back to at least 3.11 (bsc#1182294)
ImportantSUSE bug 1182294SUSE bug 1197211SUSE bug 1197344CVE-2021-28688 at SUSECVE-2021-28688 at NVDCVE-2021-39713 at SUSECVE-2021-39713 at NVDCVE-2022-1011 at SUSECVE-2022-1011 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for e2fsprogs (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for e2fsprogs fixes the following issues:
- CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault
and possibly arbitrary code execution. (bsc#1198446)
ImportantSUSE bug 1198446CVE-2022-1304 at SUSECVE-2022-1304 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_7_1-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_7_1-ibm fixes the following issues:
- Update to Java 7.1 Service Refresh 5 Fix Pack 0
- CVE-2021-41035: before version 0.29.0, the openj9 JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods. (bsc#1194198, bsc#1192052)
- CVE-2021-35586: Excessive memory allocation in BMPImageReader. (bsc#1191914)
- CVE-2021-35564: Certificates with end dates too far in the future can corrupt keystore. (bsc#1191913)
- CVE-2021-35559: Excessive memory allocation in RTFReader. (bsc#1191911)
- CVE-2021-35556: Excessive memory allocation in RTFParser. (bsc#1191910)
- CVE-2021-35565: Loop in HttpsServer triggered during TLS session close. (bsc#1191909)
- CVE-2021-35588: Incomplete validation of inner class references in ClassFileParser. (bsc#1191905)
- CVE-2021-2341: Fixed a flaw inside the FtpClient. (bsc#1188564)
- CVE-2021-2369: JAR file handling problem containing multiple MANIFEST.MF files. (bsc#1188565)
- CVE-2021-2432: Fixed a vulnerability in the omponent JNDI. (bsc#1188568)
- CVE-2021-2163: Incomplete enforcement of JAR signing disabled algorithms. (bsc#1185055)
ModerateSUSE bug 1185055SUSE bug 1188564SUSE bug 1188565SUSE bug 1188568SUSE bug 1191905SUSE bug 1191909SUSE bug 1191910SUSE bug 1191911SUSE bug 1191913SUSE bug 1191914SUSE bug 1192052SUSE bug 1194198SUSE bug 1194232CVE-2021-2163 at SUSECVE-2021-2163 at NVDCVE-2021-2341 at SUSECVE-2021-2341 at NVDCVE-2021-2369 at SUSECVE-2021-2369 at NVDCVE-2021-2432 at SUSECVE-2021-2432 at NVDCVE-2021-35556 at SUSECVE-2021-35556 at NVDCVE-2021-35559 at SUSECVE-2021-35559 at NVDCVE-2021-35564 at SUSECVE-2021-35564 at NVDCVE-2021-35565 at SUSECVE-2021-35565 at NVDCVE-2021-35586 at SUSECVE-2021-35586 at NVDCVE-2021-35588 at SUSECVE-2021-35588 at NVDCVE-2021-41035 at SUSECVE-2021-41035 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for openldap2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for openldap2 fixes the following issues:
- CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).
- Fixed issue with SASL init that crashed slapd at startup under certain conditions (bsc#1198383).
ImportantSUSE bug 1198383SUSE bug 1199240CVE-2022-29155 at SUSECVE-2022-29155 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for gzip (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for gzip fixes the following issues:
- CVE-2022-1271: Add hardening for zgrep. (bsc#1198062)
ImportantCVE-2022-1271 at SUSECVE-2022-1271 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for webkit2gtk3 fixes the following issues:
Update to version 2.36.0 (bsc#1198290):
- CVE-2022-22624: Fixed use after free that may lead to arbitrary code execution.
- CVE-2022-22628: Fixed use after free that may lead to arbitrary code execution.
- CVE-2022-22629: Fixed a buffer overflow that may lead to arbitrary code execution.
- CVE-2022-22637: Fixed an unexpected cross-origin behavior due to a logic error.
Missing CVE reference for the update to 2.34.6 (bsc#1196133):
- CVE-2022-22594: Fixed a cross-origin issue in the IndexDB API.
ImportantSUSE bug 1196133SUSE bug 1198290CVE-2022-22594 at SUSECVE-2022-22594 at NVDCVE-2022-22624 at SUSECVE-2022-22624 at NVDCVE-2022-22628 at SUSECVE-2022-22628 at NVDCVE-2022-22629 at SUSECVE-2022-22629 at NVDCVE-2022-22637 at SUSECVE-2022-22637 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for curl (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for curl fixes the following issues:
- CVE-2022-27781: Fixed CERTINFO never-ending busy-loop (bsc#1199223)
- CVE-2022-27782: Fixed TLS and SSH connection too eager reuse (bsc#1199224)
ImportantSUSE bug 1199223SUSE bug 1199224CVE-2022-27781 at SUSECVE-2022-27781 at NVDCVE-2022-27782 at SUSECVE-2022-27782 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for ucode-intel (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for ucode-intel fixes the following issues:
Updated to Intel CPU Microcode 20220510 release. (bsc#1199423)
Updated to Intel CPU Microcode 20220419 release. (bsc#1198717)
- CVE-2022-21151: Processor optimization removal or modification of security-critical code for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access (bsc#1199423).
ModerateSUSE bug 1198717SUSE bug 1199423CVE-2022-21151 at SUSECVE-2022-21151 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.9.0 ESR (MFSA 2022-17)(bsc#1198970):
- CVE-2022-29914: Fullscreen notification bypass using popups
- CVE-2022-29909: Bypassing permission prompt in nested browsing contexts
- CVE-2022-29916: Leaking browser history with CSS variables
- CVE-2022-29911: iframe Sandbox bypass
- CVE-2022-29912: Reader mode bypassed SameSite cookies
- CVE-2022-29917: Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9
ImportantSUSE bug 1198970CVE-2022-29909 at SUSECVE-2022-29909 at NVDCVE-2022-29911 at SUSECVE-2022-29911 at NVDCVE-2022-29912 at SUSECVE-2022-29912 at NVDCVE-2022-29914 at SUSECVE-2022-29914 at NVDCVE-2022-29916 at SUSECVE-2022-29916 at NVDCVE-2022-29917 at SUSECVE-2022-29917 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for expat (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for expat fixes the following issues:
- CVE-2021-45960: Fixed left shift in the storeAtts function in xmlparse.c that can lead to realloc misbehavior (bsc#1194251).
- CVE-2021-46143: Fixed integer overflow in m_groupSize in doProlog (bsc#1194362).
- CVE-2022-22822: Fixed integer overflow in addBinding in xmlparse.c (bsc#1194474).
- CVE-2022-22823: Fixed integer overflow in build_model in xmlparse.c (bsc#1194476).
- CVE-2022-22824: Fixed integer overflow in defineAttribute in xmlparse.c (bsc#1194477).
- CVE-2022-22825: Fixed integer overflow in lookup in xmlparse.c (bsc#1194478).
- CVE-2022-22826: Fixed integer overflow in nextScaffoldPart in xmlparse.c (bsc#1194479).
- CVE-2022-22827: Fixed integer overflow in storeAtts in xmlparse.c (bsc#1194480).
ImportantSUSE bug 1194251SUSE bug 1194362SUSE bug 1194474SUSE bug 1194476SUSE bug 1194477SUSE bug 1194478SUSE bug 1194479SUSE bug 1194480CVE-2021-45960 at SUSECVE-2021-45960 at NVDCVE-2021-46143 at SUSECVE-2021-46143 at NVDCVE-2022-22822 at SUSECVE-2022-22822 at NVDCVE-2022-22823 at SUSECVE-2022-22823 at NVDCVE-2022-22824 at SUSECVE-2022-22824 at NVDCVE-2022-22825 at SUSECVE-2022-22825 at NVDCVE-2022-22826 at SUSECVE-2022-22826 at NVDCVE-2022-22827 at SUSECVE-2022-22827 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for postgresql10 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for postgresql10 fixes the following issues:
- CVE-2022-1552: Confine additional operations within 'security restricted operation' sandboxes (bsc#1199475).
ImportantSUSE bug 1199475CVE-2022-1552 at SUSECVE-2022-1552 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.9.1 ESR - MFSA 2022-19 (bsc#1199768):
- CVE-2022-1802: Prototype pollution in Top-Level Await implementation
- CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading to prototype pollution
ImportantSUSE bug 1199768CVE-2022-1529 at SUSECVE-2022-1529 at NVDCVE-2022-1802 at SUSECVE-2022-1802 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for python-requests (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for python-requests fixes the following issues:
- CVE-2018-18074: Fixed to prevent the package to send an HTTP Authorization header to an http URI
upon receiving a same-hostname https-to-http redirect. (bsc#1111622)
ModerateSUSE bug 1111622CVE-2018-18074 at SUSECVE-2018-18074 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libxml2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libxml2 fixes the following issues:
- CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c and tree.c (bsc#1199132).
- CVE-2017-16932: Prevent infinite recursion in parameter entities (bsc#1069689).
ImportantSUSE bug 1069689SUSE bug 1199132CVE-2017-16932 at SUSECVE-2017-16932 at NVDCVE-2022-29824 at SUSECVE-2022-29824 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for pcre2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for pcre2 fixes the following issues:
- CVE-2022-1586: Fixed out-of-bounds read via missing Unicode property matching issue in JIT compiled regular expressions (bsc#1199232).
ImportantSUSE bug 1199232CVE-2022-1586 at SUSECVE-2022-1586 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for wpa_supplicant (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for wpa_supplicant fixes the following issues:
- CVE-2022-23303, CVE-2022-23304: Fixed SAE/EAP-pwd side-channel attacks (bsc#1194732, bsc#1194733)
- CVE-2021-0326: Fixed P2P group information processing vulnerability (bsc#1181777)
- Fix systemd device ready dependencies in wpa_supplicant@.service file. (bsc#1182805)
- Limit P2P_DEVICE name to appropriate ifname size
- Enable SAE support(jsc#SLE-14992).
- Fix wicked wlan (bsc#1156920)
- Change wpa_supplicant.service to ensure wpa_supplicant gets started before
network. Fix WLAN config on boot with wicked. (bsc#1166933)
- Adjust the service to start after network.target wrt bsc#1165266
Update to 2.9 release:
* SAE changes
- disable use of groups using Brainpool curves
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* EAP-pwd changes
- disable use of groups using Brainpool curves
- allow the set of groups to be configured (eap_pwd_groups)
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* fixed FT-EAP initial mobility domain association using PMKSA caching
(disabled by default for backwards compatibility; can be enabled
with ft_eap_pmksa_caching=1)
* fixed a regression in OpenSSL 1.1+ engine loading
* added validation of RSNE in (Re)Association Response frames
* fixed DPP bootstrapping URI parser of channel list
* extended EAP-SIM/AKA fast re-authentication to allow use with FILS
* extended ca_cert_blob to support PEM format
* improved robustness of P2P Action frame scheduling
* added support for EAP-SIM/AKA using anonymous@realm identity
* fixed Hotspot 2.0 credential selection based on roaming consortium
to ignore credentials without a specific EAP method
* added experimental support for EAP-TEAP peer (RFC 7170)
* added experimental support for EAP-TLS peer with TLS v1.3
* fixed a regression in WMM parameter configuration for a TDLS peer
* fixed a regression in operation with drivers that offload 802.1X
4-way handshake
* fixed an ECDH operation corner case with OpenSSL
* SAE changes
- added support for SAE Password Identifier
- changed default configuration to enable only groups 19, 20, 21
(i.e., disable groups 25 and 26) and disable all unsuitable groups
completely based on REVmd changes
- do not regenerate PWE unnecessarily when the AP uses the
anti-clogging token mechanisms
- fixed some association cases where both SAE and FT-SAE were enabled
on both the station and the selected AP
- started to prefer FT-SAE over SAE AKM if both are enabled
- started to prefer FT-SAE over FT-PSK if both are enabled
- fixed FT-SAE when SAE PMKSA caching is used
- reject use of unsuitable groups based on new implementation guidance
in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
groups with prime >= 256)
- minimize timing and memory use differences in PWE derivation
[https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868)
* EAP-pwd changes
- minimize timing and memory use differences in PWE derivation
[https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870)
- verify server scalar/element
[https://w1.fi/security/2019-4/] (CVE-2019-9497, CVE-2019-9498,
CVE-2019-9499, bsc#1131874, bsc#1131872, bsc#1131871, bsc#1131644)
- fix message reassembly issue with unexpected fragment
[https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640)
- enforce rand,mask generation rules more strictly
- fix a memory leak in PWE derivation
- disallow ECC groups with a prime under 256 bits (groups 25, 26, and
27)
- SAE/EAP-pwd side-channel attack update
[https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443)
* fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y
* Hotspot 2.0 changes
- do not indicate release number that is higher than the one
AP supports
- added support for release number 3
- enable PMF automatically for network profiles created from
credentials
* fixed OWE network profile saving
* fixed DPP network profile saving
* added support for RSN operating channel validation
(CONFIG_OCV=y and network profile parameter ocv=1)
* added Multi-AP backhaul STA support
* fixed build with LibreSSL
* number of MKA/MACsec fixes and extensions
* extended domain_match and domain_suffix_match to allow list of values
* fixed dNSName matching in domain_match and domain_suffix_match when
using wolfSSL
* started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both
are enabled
* extended nl80211 Connect and external authentication to support
SAE, FT-SAE, FT-EAP-SHA384
* fixed KEK2 derivation for FILS+FT
* extended client_cert file to allow loading of a chain of PEM
encoded certificates
* extended beacon reporting functionality
* extended D-Bus interface with number of new properties
* fixed a regression in FT-over-DS with mac80211-based drivers
* OpenSSL: allow systemwide policies to be overridden
* extended driver flags indication for separate 802.1X and PSK
4-way handshake offload capability
* added support for random P2P Device/Interface Address use
* extended PEAP to derive EMSK to enable use with ERP/FILS
* extended WPS to allow SAE configuration to be added automatically
for PSK (wps_cred_add_sae=1)
* removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS)
* extended domain_match and domain_suffix_match to allow list of values
* added a RSN workaround for misbehaving PMF APs that advertise
IGTK/BIP KeyID using incorrect byte order
* fixed PTK rekeying with FILS and FT
* fixed WPA packet number reuse with replayed messages and key
reinstallation
[https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078,
CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
* fixed unauthenticated EAPOL-Key decryption in wpa_supplicant
[https://w1.fi/security/2018-1/] (CVE-2018-14526)
* added support for FILS (IEEE 802.11ai) shared key authentication
* added support for OWE (Opportunistic Wireless Encryption, RFC 8110;
and transition mode defined by WFA)
* added support for DPP (Wi-Fi Device Provisioning Protocol)
* added support for RSA 3k key case with Suite B 192-bit level
* fixed Suite B PMKSA caching not to update PMKID during each 4-way
handshake
* fixed EAP-pwd pre-processing with PasswordHashHash
* added EAP-pwd client support for salted passwords
* fixed a regression in TDLS prohibited bit validation
* started to use estimated throughput to avoid undesired signal
strength based roaming decision
* MACsec/MKA:
- new macsec_linux driver interface support for the Linux
kernel macsec module
- number of fixes and extensions
* added support for external persistent storage of PMKSA cache
(PMKSA_GET/PMKSA_ADD control interface commands; and
MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case)
* fixed mesh channel configuration pri/sec switch case
* added support for beacon report
* large number of other fixes, cleanup, and extensions
* added support for randomizing local address for GAS queries
(gas_rand_mac_addr parameter)
* fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel
* added option for using random WPS UUID (auto_uuid=1)
* added SHA256-hash support for OCSP certificate matching
* fixed EAP-AKA' to add AT_KDF into Synchronization-Failure
* fixed a regression in RSN pre-authentication candidate selection
* added option to configure allowed group management cipher suites
(group_mgmt network profile parameter)
* removed all PeerKey functionality
* fixed nl80211 AP and mesh mode configuration regression with
Linux 4.15 and newer
* added ap_isolate configuration option for AP mode
* added support for nl80211 to offload 4-way handshake into the driver
* added support for using wolfSSL cryptographic library
* SAE
- added support for configuring SAE password separately of the
WPA2 PSK/passphrase
- fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection
for SAE;
note: this is not backwards compatible, i.e., both the AP and
station side implementations will need to be update at the same
time to maintain interoperability
- added support for Password Identifier
- fixed FT-SAE PMKID matching
* Hotspot 2.0
- added support for fetching of Operator Icon Metadata ANQP-element
- added support for Roaming Consortium Selection element
- added support for Terms and Conditions
- added support for OSEN connection in a shared RSN BSS
- added support for fetching Venue URL information
* added support for using OpenSSL 1.1.1
* FT
- disabled PMKSA caching with FT since it is not fully functional
- added support for SHA384 based AKM
- added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128,
BIP-GMAC-256 in addition to previously supported BIP-CMAC-128
- fixed additional IE inclusion in Reassociation Request frame when
using FT protocol
- CVE-2015-8041: Using O_WRONLY flag [http://w1.fi/security/2015-5/] ImportantSUSE bug 1131644SUSE bug 1131868SUSE bug 1131870SUSE bug 1131871SUSE bug 1131872SUSE bug 1131874SUSE bug 1133640SUSE bug 1144443SUSE bug 1156920SUSE bug 1165266SUSE bug 1166933SUSE bug 1167331SUSE bug 1182805SUSE bug 1194732SUSE bug 1194733CVE-2015-8041 at SUSECVE-2015-8041 at NVDCVE-2017-13077 at SUSECVE-2017-13077 at NVDCVE-2017-13078 at SUSECVE-2017-13078 at NVDCVE-2017-13079 at SUSECVE-2017-13079 at NVDCVE-2017-13080 at SUSECVE-2017-13080 at NVDCVE-2017-13081 at SUSECVE-2017-13081 at NVDCVE-2017-13082 at SUSECVE-2017-13082 at NVDCVE-2017-13086 at SUSECVE-2017-13086 at NVDCVE-2017-13087 at SUSECVE-2017-13087 at NVDCVE-2017-13088 at SUSECVE-2017-13088 at NVDCVE-2018-14526 at SUSECVE-2018-14526 at NVDCVE-2019-11555 at SUSECVE-2019-11555 at NVDCVE-2019-13377 at SUSECVE-2019-13377 at NVDCVE-2019-9494 at SUSECVE-2019-9494 at NVDCVE-2019-9495 at SUSECVE-2019-9495 at NVDCVE-2019-9497 at SUSECVE-2019-9497 at NVDCVE-2019-9498 at SUSECVE-2019-9498 at NVDCVE-2019-9499 at SUSECVE-2019-9499 at NVDCVE-2022-23303 at SUSECVE-2022-23303 at NVDCVE-2022-23304 at SUSECVE-2022-23304 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for postgresql14 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for postgresql14 fixes the following issues:
- CVE-2022-1552: Confine additional operations within 'security restricted operation' sandboxes (bsc#1199475).
ImportantSUSE bug 1199475CVE-2022-1552 at SUSECVE-2022-1552 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for ImageMagick (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for ImageMagick fixes the following issues:
- CVE-2022-1270: Fixed a memory corruption issue when parsing MIFF files (bsc#1198351).
- CVE-2022-28463: Fixed buffer overflow in coders/cin.c (bsc#1199350).
ImportantSUSE bug 1198351SUSE bug 1199350CVE-2022-1270 at SUSECVE-2022-1270 at NVDCVE-2022-28463 at SUSECVE-2022-28463 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for mailman (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for mailman fixes the following issues:
- CVE-2021-44227: Preventing list moderator or list member accessing the admin UI (bsc#1193316).
- CVE-2021-43332: Preventing list moderator from cracking the list admin password encrypted in a CSRF token (bsc#1192741).
- CVE-2021-43331: Fixed XSS in Cgi/options.py (bsc#1192735).
- CVE-2021-42096: Add protection against remote privilege escalation via csrf_token derived from admin password (bsc#1191959).
ImportantSUSE bug 1191959SUSE bug 1192735SUSE bug 1192741SUSE bug 1193316CVE-2021-42096 at SUSECVE-2021-42096 at NVDCVE-2021-43331 at SUSECVE-2021-43331 at NVDCVE-2021-43332 at SUSECVE-2021-43332 at NVDCVE-2021-44227 at SUSECVE-2021-44227 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for polkit (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for polkit fixes the following issues:
- CVE-2021-4034: Fixed a local privilege escalation in pkexec (bsc#1194568).
ImportantSUSE bug 1194568CVE-2021-4034 at SUSECVE-2021-4034 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for librelp (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for librelp fixes the following issues:
- CVE-2018-1000140: Fixed remote attack via specially crafted x509 certificates when connecting to rsyslog to trigger a stack buffer overflow and run arbitrary code (bsc#1086730).
ModerateSUSE bug 1086730CVE-2018-1000140 at SUSECVE-2018-1000140 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.10.0 ESR (MFSA 2022-21)(bsc#1200027)
- CVE-2022-31736: Cross-Origin resource's length leaked
- CVE-2022-31737: Heap buffer overflow in WebGL
- CVE-2022-31738: Browser window spoof using fullscreen mode
- CVE-2022-31739: Attacker-influenced path traversal when saving downloaded files
- CVE-2022-31740: Register allocation problem in WASM on arm64
- CVE-2022-31741: Uninitialized variable leads to invalid memory read
- CVE-2022-31742: Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information
- CVE-2022-31747: Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10
ImportantSUSE bug 1200027CVE-2022-31736 at SUSECVE-2022-31736 at NVDCVE-2022-31737 at SUSECVE-2022-31737 at NVDCVE-2022-31738 at SUSECVE-2022-31738 at NVDCVE-2022-31739 at SUSECVE-2022-31739 at NVDCVE-2022-31740 at SUSECVE-2022-31740 at NVDCVE-2022-31741 at SUSECVE-2022-31741 at NVDCVE-2022-31742 at SUSECVE-2022-31742 at NVDCVE-2022-31747 at SUSECVE-2022-31747 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_147 fixes several issues.
The following security issues were fixed:
- CVE-2022-1048: Fixed a race Condition in snd_pcm_hw_free leading to use-after-free due to the AB/BA lock with buffer_mutex and mmap_lock (bsc#1197597).
- CVE-2022-30594: Fixed restriction bypass on setting the PT_SUSPEND_SECCOMP flag (bnc#1199602).
- Add missing module_mutex lock to module notifier for previous live patches (bsc#1199834).
ImportantSUSE bug 1197597SUSE bug 1199602SUSE bug 1199834CVE-2022-1048 at SUSECVE-2022-1048 at NVDCVE-2022-30594 at SUSECVE-2022-30594 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 41 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_150 fixes several issues.
The following security issues were fixed:
- CVE-2022-1048: Fixed a race Condition in snd_pcm_hw_free leading to use-after-free due to the AB/BA lock with buffer_mutex and mmap_lock (bsc#1197597).
- CVE-2022-30594: Fixed restriction bypass on setting the PT_SUSPEND_SECCOMP flag (bnc#1199602).
- Add missing module_mutex lock to module notifier for previous live patches (bsc#1199834).
ImportantSUSE bug 1197597SUSE bug 1199602SUSE bug 1199834CVE-2022-1048 at SUSECVE-2022-1048 at NVDCVE-2022-30594 at SUSECVE-2022-30594 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 42 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_153 fixes several issues.
The following security issues were fixed:
- CVE-2022-1048: Fixed a race Condition in snd_pcm_hw_free leading to use-after-free due to the AB/BA lock with buffer_mutex and mmap_lock (bsc#1197597).
- CVE-2022-30594: Fixed restriction bypass on setting the PT_SUSPEND_SECCOMP flag (bnc#1199602).
- Add missing module_mutex lock to module notifier for previous live patches (bsc#1199834).
ImportantSUSE bug 1197597SUSE bug 1199602SUSE bug 1199834CVE-2022-1048 at SUSECVE-2022-1048 at NVDCVE-2022-30594 at SUSECVE-2022-30594 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 43 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_156 fixes several issues.
The following security issues were fixed:
- CVE-2022-1048: Fixed a race Condition in snd_pcm_hw_free leading to use-after-free due to the AB/BA lock with buffer_mutex and mmap_lock (bsc#1197597).
- CVE-2022-30594: Fixed restriction bypass on setting the PT_SUSPEND_SECCOMP flag (bnc#1199602).
- Add missing module_mutex lock to module notifier for previous live patches (bsc#1199834).
ImportantSUSE bug 1197597SUSE bug 1199602SUSE bug 1199834CVE-2022-1048 at SUSECVE-2022-1048 at NVDCVE-2022-30594 at SUSECVE-2022-30594 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 44 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_161 fixes several issues.
The following security issue was fixed:
- CVE-2022-30594: Fixed restriction bypass on setting the PT_SUSPEND_SECCOMP flag (bnc#1199602).
- Add missing module_mutex lock to module notifier for previous live patches (bsc#1199834).
ImportantSUSE bug 1199602SUSE bug 1199834CVE-2022-30594 at SUSECVE-2022-30594 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for strongswan (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for strongswan fixes the following issues:
- CVE-2021-45079: Fixed authentication bypass in EAP authentication. (bsc#1194471)
ImportantSUSE bug 1194471CVE-2021-45079 at SUSECVE-2021-45079 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for mozilla-nss (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for mozilla-nss fixes the following issues:
Mozilla NSS 3.68.4 (bsc#1200027)
* CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. (bmo#1767590)
ImportantSUSE bug 1200027CVE-2022-31741 at SUSECVE-2022-31741 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for grub2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for grub2 fixes the following issues:
Security fixes and hardenings for boothole 3 / boothole 2022 (bsc#1198581)
- CVE-2021-3695: Fixed that a crafted PNG grayscale image could lead to out-of-bounds write in heap (bsc#1191184)
- CVE-2021-3696: Fixed that a crafted PNG image could lead to out-of-bound write during huffman table handling (bsc#1191185)
- CVE-2021-3697: Fixed that a crafted JPEG image could lead to buffer underflow write in the heap (bsc#1191186)
- CVE-2022-28733: Fixed fragmentation math in net/ip (bsc#1198460)
- CVE-2022-28734: Fixed an out-of-bound write for split http headers (bsc#1198493)
- CVE-2022-28736: Fixed a use-after-free in chainloader command (bsc#1198496)
- Update SBAT security contact (bsc#1193282)
- Bump grub's SBAT generation to 2
- Use boot disks in OpenFirmware, fixing regression caused when the root LV is completely in the boot LUN (bsc#1197948)
ImportantSUSE bug 1191184SUSE bug 1191185SUSE bug 1191186SUSE bug 1193282SUSE bug 1197948SUSE bug 1198460SUSE bug 1198493SUSE bug 1198496SUSE bug 1198581CVE-2021-3695 at SUSECVE-2021-3695 at NVDCVE-2021-3696 at SUSECVE-2021-3696 at NVDCVE-2021-3697 at SUSECVE-2021-3697 at NVDCVE-2022-28733 at SUSECVE-2022-28733 at NVDCVE-2022-28734 at SUSECVE-2022-28734 at NVDCVE-2022-28736 at SUSECVE-2022-28736 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for u-boot (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for u-boot fixes the following issues:
- A large buffer overflow could have lead to a denial of service in the IP Packet deframentation code.
(CVE-2022-30552, bsc#1200363)
- A Hole Descriptor Overwrite could have lead to an arbitrary out of bounds write primitive.
(CVE-2022-30790, bsc#1200364)
ImportantSUSE bug 1200363SUSE bug 1200364CVE-2022-30552 at SUSECVE-2022-30552 at NVDCVE-2022-30790 at SUSECVE-2022-30790 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
The SUSE Linux Enterprise 12 SP3 kernel was updated to 3.12.31 to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2022-21127: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-21123: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-21125: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-21180: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-21166: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-1975: Fixed a bug that allows an attacker to crash the linux kernel by simulating nfc device from user-space. (bsc#1200143)
- CVE-2022-1974: Fixed an use-after-free that could causes kernel crash by simulating an nfc device from user-space. (bsc#1200144)
- CVE-2019-19377: Fixed an user-after-free that could be triggered when an attacker mounts a crafted btrfs filesystem image. (bnc#1158266)
- CVE-2022-1729: Fixed a sys_perf_event_open() race condition against self (bsc#1199507).
- CVE-2022-1184: Fixed an use-after-free and memory errors in ext4 when mounting and operating on a corrupted image. (bsc#1198577)
- CVE-2022-21499: Reinforce the kernel lockdown feature, until now it's been trivial to break out of it with kgdb or kdb. (bsc#1199426)
- CVE-2017-13695: Fixed a bug that caused a stack dump allowing local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted ACPI table. (bnc#1055710)
- CVE-2022-1652: Fixed a statically allocated error counter inside the floppy kernel module (bsc#1199063).
- CVE-2022-1734: Fixed a r/w use-after-free when non synchronized between cleanup routine and firmware download routine. (bnc#1199605)
- CVE-2022-30594: Fixed restriction bypass on setting the PT_SUSPEND_SECCOMP flag (bnc#1199505).
- CVE-2021-28688: Fixed XSA-365 that includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains (bnc#1183646).
- CVE-2020-10769: Fixed a buffer over-read flaw in the IPsec Cryptographic algorithm's module. This flaw allowed a local attacker with user privileges to cause a denial of service. (bnc#1173265)
- CVE-2021-33061: Fixed insufficient control flow management for the Intel(R) 82599 Ethernet Controllers and Adapters that may have allowed an authenticated user to potentially enable denial of service via local access (bnc#1196426).
- CVE-2022-1516: Fixed null-ptr-deref caused by x25_disconnect (bsc#1199012).
- CVE-2021-20321: Fixed a race condition accessing file object in the OverlayFS subsystem in the way users do rename in specific way with OverlayFS. A local user could have used this flaw to crash the system (bnc#1191647).
- CVE-2018-7755: Fixed an issue in the fd_locked_ioctl function in drivers/block/floppy.c. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR (bnc#1084513).
- CVE-2022-1419: Fixed a concurrency use-after-free in vgem_gem_dumb_create (bsc#1198742).
- CVE-2021-38208: Fixed a denial of service (NULL pointer dereference and BUG) by making a getsockname call after a certain type of failure of a bind call (bnc#1187055).
- CVE-2022-1353: Fixed access controll to kernel memory in the pfkey_register function in net/key/af_key.c. (bnc#1198516)
- CVE-2018-20784: Fixed a denial of service (infinite loop in update_blocked_averages) by mishandled leaf cfs_rq in kernel/sched/fair.c (bnc#1126703).
- CVE-2021-20292: Fixed object validation prior to performing operations on the object in nouveau_sgdma_create_ttm in Nouveau DRM subsystem (bnc#1183723).
- CVE-2022-28390: Fixed a double free in drivers/net/can/usb/ems_usb.c vulnerability in the Linux kernel (bnc#1198031).
- CVE-2022-28388: Fixed a double free in drivers/net/can/usb/usb_8dev.c vulnerability in the Linux kernel (bnc#1198032).
- CVE-2022-1011: Fixed an use-after-free vulnerability which could allow a local attacker to retireve (partial) /etc/shadow hashes or any other data from filesystem when he can mount a FUSE filesystems. (bnc#1197343)
The following non-security bugs were fixed:
- btrfs: tree-checker: fix incorrect printk format (bsc#1200249).
- net: mana: Add handling of CQE_RX_TRUNCATED (bsc#1195651).
- net: mana: Remove unnecessary check of cqe_type in mana_process_rx_cqe() (bsc#1195651).
- PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time (bsc#1199314).
- powerpc/pseries: extract host bridge from pci_bus prior to bus removal (bsc#1182171 ltc#190900 bsc#1198660 ltc#197803).
- powerpc/pseries: Fix use after free in remove_phb_dynamic() (bsc#1065729 bsc#1198660 ltc#197803).
- vmbus: do not return values for uninitalized channels (bsc#1051510 bsc#1198997).
- vt: vt_ioctl: fix race in VT_RESIZEX (bsc#1199785).
- x86/hyperv: Read TSC frequency from a synthetic MSR (bsc#1198962).
- x86/speculation: Fix redundant MDS mitigation message (bsc#1199650).
ImportantSUSE bug 1051510SUSE bug 1055710SUSE bug 1065729SUSE bug 1084513SUSE bug 1087082SUSE bug 1126703SUSE bug 1158266SUSE bug 1173265SUSE bug 1182171SUSE bug 1183646SUSE bug 1183723SUSE bug 1187055SUSE bug 1191647SUSE bug 1195651SUSE bug 1196426SUSE bug 1197343SUSE bug 1198031SUSE bug 1198032SUSE bug 1198516SUSE bug 1198577SUSE bug 1198660SUSE bug 1198687SUSE bug 1198742SUSE bug 1198962SUSE bug 1198997SUSE bug 1199012SUSE bug 1199063SUSE bug 1199314SUSE bug 1199426SUSE bug 1199505SUSE bug 1199507SUSE bug 1199605SUSE bug 1199650SUSE bug 1199785SUSE bug 1200143SUSE bug 1200144SUSE bug 1200249CVE-2017-13695 at SUSECVE-2017-13695 at NVDCVE-2018-20784 at SUSECVE-2018-20784 at NVDCVE-2018-7755 at SUSECVE-2018-7755 at NVDCVE-2019-19377 at SUSECVE-2019-19377 at NVDCVE-2020-10769 at SUSECVE-2020-10769 at NVDCVE-2021-20292 at SUSECVE-2021-20292 at NVDCVE-2021-20321 at SUSECVE-2021-20321 at NVDCVE-2021-28688 at SUSECVE-2021-28688 at NVDCVE-2021-33061 at SUSECVE-2021-33061 at NVDCVE-2021-38208 at SUSECVE-2021-38208 at NVDCVE-2022-1011 at SUSECVE-2022-1011 at NVDCVE-2022-1184 at SUSECVE-2022-1184 at NVDCVE-2022-1353 at SUSECVE-2022-1353 at NVDCVE-2022-1419 at SUSECVE-2022-1419 at NVDCVE-2022-1516 at SUSECVE-2022-1516 at NVDCVE-2022-1652 at SUSECVE-2022-1652 at NVDCVE-2022-1729 at SUSECVE-2022-1729 at NVDCVE-2022-1734 at SUSECVE-2022-1734 at NVDCVE-2022-1974 at SUSECVE-2022-1974 at NVDCVE-2022-1975 at SUSECVE-2022-1975 at NVDCVE-2022-21123 at SUSECVE-2022-21123 at NVDCVE-2022-21125 at SUSECVE-2022-21125 at NVDCVE-2022-21127 at SUSECVE-2022-21127 at NVDCVE-2022-21166 at SUSECVE-2022-21166 at NVDCVE-2022-21180 at SUSECVE-2022-21180 at NVDCVE-2022-21499 at SUSECVE-2022-21499 at NVDCVE-2022-28388 at SUSECVE-2022-28388 at NVDCVE-2022-28390 at SUSECVE-2022-28390 at NVDCVE-2022-30594 at SUSECVE-2022-30594 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for webkit2gtk3 fixes the following issues:
Update to version 2.36.3 (bsc#1200106)
- CVE-2022-30293: Fixed heap-based buffer overflow in WebCore::TextureMapperLayer::setContentsLayer (bsc#1199287).
- CVE-2022-26700: Fixed memory corruption issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
- CVE-2022-26709: Fixed use after free issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
- CVE-2022-26716: Fixed use after free issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
- CVE-2022-26717: Fixed memory corruption issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
- CVE-2022-26719: Fixed memory corruption issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
ImportantSUSE bug 1199287SUSE bug 1200106CVE-2022-26700 at SUSECVE-2022-26700 at NVDCVE-2022-26709 at SUSECVE-2022-26709 at NVDCVE-2022-26716 at SUSECVE-2022-26716 at NVDCVE-2022-26717 at SUSECVE-2022-26717 at NVDCVE-2022-26719 at SUSECVE-2022-26719 at NVDCVE-2022-30293 at SUSECVE-2022-30293 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for openssl (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for openssl fixes the following issues:
- CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).
ImportantSUSE bug 1199166CVE-2022-1292 at SUSECVE-2022-1292 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for apache2 fixes the following issues:
- CVE-2022-26377: Fixed possible request smuggling in mod_proxy_ajp (bsc#1200338)
- CVE-2022-28614: Fixed read beyond bounds via ap_rwrite() (bsc#1200340)
- CVE-2022-28615: Fixed read beyond bounds in ap_strcmp_match() (bsc#1200341)
- CVE-2022-29404: Fixed denial of service in mod_lua r:parsebody (bsc#1200345)
- CVE-2022-30556: Fixed information disclosure in mod_lua with websockets (bsc#1200350)
- CVE-2022-30522: Fixed mod_sed denial of service (bsc#1200352)
- CVE-2022-31813: Fixed mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism (bsc#1200348)
ImportantSUSE bug 1200338SUSE bug 1200340SUSE bug 1200341SUSE bug 1200345SUSE bug 1200348SUSE bug 1200350SUSE bug 1200352CVE-2022-26377 at SUSECVE-2022-26377 at NVDCVE-2022-28614 at SUSECVE-2022-28614 at NVDCVE-2022-28615 at SUSECVE-2022-28615 at NVDCVE-2022-29404 at SUSECVE-2022-29404 at NVDCVE-2022-30522 at SUSECVE-2022-30522 at NVDCVE-2022-30556 at SUSECVE-2022-30556 at NVDCVE-2022-31813 at SUSECVE-2022-31813 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for log4j (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for log4j fixes the following issues:
- CVE-2022-23307: Fix deserialization issue by removing the chainsaw sub-package. (bsc#1194844)
- CVE-2022-23305: Fix SQL injection by removing src/main/java/org/apache/log4j/jdbc/JDBCAppender.java. (bsc#1194843)
- CVE-2022-23302: Fix remote code execution by removing src/main/java/org/apache/log4j/net/JMSSink.java. (bsc#1194842)
ImportantSUSE bug 1194842SUSE bug 1194843SUSE bug 1194844CVE-2022-23302 at SUSECVE-2022-23302 at NVDCVE-2022-23305 at SUSECVE-2022-23305 at NVDCVE-2022-23307 at SUSECVE-2022-23307 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for SUSE Manager Client Tools (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update fixes the following issues:
golang-github-QubitProducts-exporter_exporter:
- Adapted to build on Enterprise Linux.
- Fix build for RedHat 7
- Require Go >= 1.14 also for CentOS
- Add support for CentOS
- Replace %{?systemd_requires} with %{?systemd_ordering}
golang-github-prometheus-alertmanager:
- CVE-2022-21698: Denial of service using InstrumentHandlerCounter.
* Update vendor tarball with prometheus/client_golang 1.11.1 (bsc#1196338, jsc#SLE-24077)
- Update required Go version to 1.16
- Update to version 0.23.0:
* amtool: Detect version drift and warn users (#2672)
* Add ability to skip TLS verification for amtool (#2663)
* Fix empty isEqual in amtool. (#2668)
* Fix main tests (#2670)
* cli: add new template render command (#2538)
* OpsGenie: refer to alert instead of incident (#2609)
* Docs: target_match and source_match are DEPRECATED (#2665)
* Fix test not waiting for cluster member to be ready
- Added hardening to systemd service(s) (bsc#1181400)
golang-github-prometheus-node_exporter:
- CVE-2022-21698: Denial of service using InstrumentHandlerCounter.
* Update vendor tarball with prometheus/client_golang 1.11.1
(bsc#1196338, jsc#SLE-24238, jsc#SLE-24239)
- Update to 1.3.0
* [CHANGE] Add path label to rapl collector #2146
* [CHANGE] Exclude filesystems under /run/credentials #2157
* [CHANGE] Add TCPTimeouts to netstat default filter #2189
* [FEATURE] Add lnstat collector for metrics from /proc/net/stat/ #1771
* [FEATURE] Add darwin powersupply collector #1777
* [FEATURE] Add support for monitoring GPUs on Linux #1998
* [FEATURE] Add Darwin thermal collector #2032
* [FEATURE] Add os release collector #2094
* [FEATURE] Add netdev.address-info collector #2105
* [FEATURE] Add clocksource metrics to time collector #2197
* [ENHANCEMENT] Support glob textfile collector directories #1985
* [ENHANCEMENT] ethtool: Expose node_ethtool_info metric #2080
* [ENHANCEMENT] Use include/exclude flags for ethtool filtering #2165
* [ENHANCEMENT] Add flag to disable guest CPU metrics #2123
* [ENHANCEMENT] Add DMI collector #2131
* [ENHANCEMENT] Add threads metrics to processes collector #2164
* [ENHANCMMENT] Reduce timer GC delays in the Linux filesystem collector #2169
* [ENHANCMMENT] Add TCPTimeouts to netstat default filter #2189
* [ENHANCMMENT] Use SysctlTimeval for boottime collector on BSD #2208
* [BUGFIX] ethtool: Sanitize metric names #2093
* [BUGFIX] Fix ethtool collector for multiple interfaces #2126
* [BUGFIX] Fix possible panic on macOS #2133
* [BUGFIX] Collect flag_info and bug_info only for one core #2156
* [BUGFIX] Prevent duplicate ethtool metric names #2187
- Update to 1.2.2
* Bug fixes
Fix processes collector long int parsing #2112
- Update to 1.2.1
* Removed
Remove obsolete capture permission denied error patch that is already included upstream
Fix zoneinfo parsing prometheus/procfs#386
Fix nvme collector log noise #2091
Fix rapl collector log noise #2092
- Update to 1.2.0
* Changes
Rename filesystem collector flags to match other collectors #2012
Make node_exporter print usage to STDOUT #203
* Features
Add conntrack statistics metrics #1155
Add ethtool stats collector #1832
Add flag to ignore network speed if it is unknown #1989
Add tapestats collector for Linux #2044
Add nvme collector #2062
* Enhancements
Add ErrorLog plumbing to promhttp #1887
Add more Infiniband counters #2019
netclass: retrieve interface names and filter before parsing #2033
Add time zone offset metric #2060
Handle errors from disabled PSI subsystem #1983
Fix panic when using backwards compatible flags #2000
Fix wrong value for OpenBSD memory buffer cache #2015
Only initiate collectors once #2048
Handle small backwards jumps in CPU idle #2067
- Apply patch to capture permission denied error for 'energy_uj' file (bsc#1190535)
grafana:
- Update to version 8.3.5 (jsc#SLE-23439, jsc#SLE-23422)
+ Security:
* Fixes XSS vulnerability in handling data sources
(bsc#1195726, CVE-2022-21702)
* Fixes cross-origin request forgery vulnerability
(bsc#1195727, CVE-2022-21703)
* Fixes Insecure Direct Object Reference vulnerability in Teams
API (bsc#1195728, CVE-2022-21713)
- Update to Go 1.17.
- Add build-time dependency on `wire`.
- Update license to GNU Affero General Public License v3.0.
- Update to version 8.3.4
* GetUserInfo: return an error if no user was found
(bsc#1194873, CVE-2022-21673)
+ Features and enhancements:
* Alerting: Allow configuration of non-ready alertmanagers.
* Alerting: Allow customization of Google chat message.
* AppPlugins: Support app plugins with only default nav.
* InfluxDB: query editor: skip fields in metadata queries.
* Postgres/MySQL/MSSQL: Cancel in-flight SQL query if user
cancels query in grafana.
* Prometheus: Forward oauth tokens after prometheus datasource
migration.
+ Bug fixes:
* Azure Monitor: Bug fix for variable interpolations in metrics
dropdowns.
* Azure Monitor: Improved error messages for variable queries.
* CloudMonitoring: Fixes broken variable queries that use group
bys.
* Configuration: You can now see your expired API keys if you
have no active ones.
* Elasticsearch: Fix handling multiple datalinks for a single
field.
* Export: Fix error being thrown when exporting dashboards
using query variables that reference the default datasource.
* ImportDashboard: Fixes issue with importing dashboard and
name ending up in uid.
* Login: Page no longer overflows on mobile.
* Plugins: Set backend metadata property for core plugins.
* Prometheus: Fill missing steps with null values.
* Prometheus: Fix interpolation of $__rate_interval variable.
* Prometheus: Interpolate variables with curly brackets syntax.
* Prometheus: Respect the http-method data source setting.
* Table: Fixes issue with field config applied to wrong fields
when hiding columns.
* Toolkit: Fix bug with rootUrls not being properly parsed when
signing a private plugin.
* Variables: Fix so data source variables are added to adhoc
configuration.
+ Plugin development fixes & changes:
* Toolkit: Revert build config so tslib is bundled with plugins
to prevent plugins from crashing.
- Update to version 8.3.3:
* BarChart: Use new data error view component to show actions
in panel edit.
* CloudMonitor: Iterate over pageToken for resources.
* Macaron: Prevent WriteHeader invalid HTTP status code panic.
* AnnoListPanel: Fix interpolation of variables in tags.
* CloudWatch: Allow queries to have no dimensions specified.
* CloudWatch: Fix broken queries for users migrating from
8.2.4/8.2.5 to 8.3.0.
* CloudWatch: Make sure MatchExact flag gets the right value.
* Dashboards: Fix so that empty folders can be deleted from the
manage dashboards/folders page.
* InfluxDB: Improve handling of metadata query errors in
InfluxQL.
* Loki: Fix adding of ad hoc filters for queries with parser
and line_format expressions.
* Prometheus: Fix running of exemplar queries for non-histogram
metrics.
* Prometheus: Interpolate template variables in interval.
* StateTimeline: Fix toolitp not showing when for frames with
multiple fields.
* TraceView: Fix virtualized scrolling when trace view is
opened in right pane in Explore.
* Variables: Fix repeating panels for on time range changed
variables.
* Variables: Fix so queryparam option works for scoped
- Update to version 8.3.2
+ Security: Fixes CVE-2021-43813 and CVE-2021-43815.
- Update to version 8.3.1
+ Security: Fixes CVE-2021-43798.
- Update to version 8.3.0
* Alerting: Prevent folders from being deleted when they
contain alerts.
* Alerting: Show full preview value in tooltip.
* BarGauge: Limit title width when name is really long.
* CloudMonitoring: Avoid to escape regexps in filters.
* CloudWatch: Add support for AWS Metric Insights.
* TooltipPlugin: Remove other panels' shared tooltip in edit
panel.
* Visualizations: Limit y label width to 40% of visualization
width.
* Alerting: Clear alerting rule evaluation errors after
intermittent failures.
* Alerting: Fix refresh on legacy Alert List panel.
* Dashboard: Fix queries for panels with non-integer widths.
* Explore: Fix url update inconsistency.
* Prometheus: Fix range variables interpolation for time ranges
smaller than 1 second.
* ValueMappings: Fixes issue with regex value mapping that only
sets color.
- Update to version 8.3.0-beta2
+ Breaking changes:
* Grafana 8 Alerting enabled by default for installations that
do not use legacy alerting.
* Keep Last State for 'If execution error or timeout' when
upgrading to Grafana 8 alerting.
* Alerting: Create DatasourceError alert if evaluation returns
error.
* Alerting: Make Unified Alerting enabled by default for those
who do not use legacy alerting.
* Alerting: Support mute timings configuration through the api
for the embedded alert manager.
* CloudWatch: Add missing AWS/Events metrics.
* Docs: Add easier to find deprecation notices to certain data
sources and to the changelog.
* Plugins Catalog: Enable install controls based on the
pluginAdminEnabled flag.
* Table: Add space between values for the DefaultCell and
JSONViewCell.
* Tracing: Make query editors available in dashboard for Tempo
and Zipkin.
* AccessControl: Renamed orgs roles, removed fixed:orgs:reader
introduced in beta1.
* Azure Monitor: Add trap focus for modals in grafana/ui and
other small a11y fixes for Azure Monitor.
* CodeEditor: Prevent suggestions from being clipped.
* Dashboard: Fix cache timeout persistence.
* Datasource: Fix stable sort order of query responses.
* Explore: Fix error in query history when removing last item.
* Logs: Fix requesting of older logs when flipped order.
* Prometheus: Fix running of health check query based on access
mode.
* TextPanel: Fix suggestions for existing panels.
* Tracing: Fix incorrect indentations due to reoccurring
spanIDs.
* Tracing: Show start time of trace with milliseconds
precision.
* Variables: Make renamed or missing variable section
expandable.
* Select: Select menus now properly scroll during keyboard
navigation.
- Update to version 8.3.0-beta1
* Alerting: Add UI for contact point testing with custom
annotations and labels.
* Alerting: Make alert state indicator in panel header work
with Grafana 8 alerts.
* Alerting: Option for Discord notifier to use webhook name.
* Annotations: Deprecate AnnotationsSrv.
* Auth: Omit all base64 paddings in JWT tokens for the JWT
auth.
* Azure Monitor: Clean up fields when editing Metrics.
* AzureMonitor: Add new starter dashboards.
* AzureMonitor: Add starter dashboard for app monitoring with
Application Insights.
* Barchart/Time series: Allow x axis label.
* CLI: Improve error handling for installing plugins.
* CloudMonitoring: Migrate to use backend plugin SDK contracts.
* CloudWatch Logs: Add retry strategy for hitting max
concurrent queries.
* CloudWatch: Add AWS RoboMaker metrics and dimension.
* CloudWatch: Add AWS Transfer metrics and dimension.
* Dashboard: replace datasource name with a reference object.
* Dashboards: Show logs on time series when hovering.
* Elasticsearch: Add support for Elasticsearch 8.0 (Beta).
* Elasticsearch: Add time zone setting to Date Histogram
aggregation.
* Elasticsearch: Enable full range log volume histogram.
* Elasticsearch: Full range logs volume.
* Explore: Allow changing the graph type.
* Explore: Show ANSI colors when highlighting matched words in
the logs panel.
* Graph(old) panel: Listen to events from Time series panel.
* Import: Load gcom dashboards from URL.
* LibraryPanels: Improves export and import of library panels
between orgs.
* OAuth: Support PKCE.
* Panel edit: Overrides now highlight correctly when searching.
* PanelEdit: Display drag indicators on draggable sections.
* Plugins: Refactor Plugin Management.
* Prometheus: Add custom query parameters when creating
PromLink url.
* Prometheus: Remove limits on metrics, labels, and values in
Metrics Browser.
* StateTimeline: Share cursor with rest of the panels.
* Tempo: Add error details when json upload fails.
* Tempo: Add filtering for service graph query.
* Tempo: Add links to nodes in Service Graph pointing to
Prometheus metrics.
* Time series/Bar chart panel: Add ability to sort series via
legend.
* TimeSeries: Allow multiple axes for the same unit.
* TraceView: Allow span links defined on dataFrame.
* Transformations: Support a rows mode in labels to fields.
* ValueMappings: Don't apply field config defaults to time
fields.
* Variables: Only update panels that are impacted by variable
change.
* API: Fix dashboard quota limit for imports.
* Alerting: Fix rule editor issues with Azure Monitor data
source.
* Azure monitor: Make sure alert rule editor is not enabled
when template variables are being used.
* CloudMonitoring: Fix annotation queries.
* CodeEditor: Trigger the latest getSuggestions() passed to
CodeEditor.
* Dashboard: Remove the current panel from the list of options
in the Dashboard datasource.
* Encryption: Fix decrypting secrets in alerting migration.
* InfluxDB: Fix corner case where index is too large in ALIAS
* NavBar: Order App plugins alphabetically.
* NodeGraph: Fix zooming sensitivity on touchpads.
* Plugins: Add OAuth pass-through logic to api/ds/query
endpoint.
* Snapshots: Fix panel inspector for snapshot data.
* Tempo: Fix basic auth password reset on adding tag.
* ValueMapping: Fixes issue with regex mappings.
* grafana/ui: Enable slider marks display.
- Update to version 8.2.7
- Update to version 8.2.6
* Security: Upgrade Docker base image to Alpine 3.14.3.
* Security: Upgrade Go to 1.17.2.
* TimeSeries: Fix fillBelowTo wrongly affecting fills of
unrelated series.
- Update to version 8.2.5
* Fix No Data behaviour in Legacy Alerting.
* Alerting: Fix a bug where the metric in the evaluation string
was not correctly populated.
* Alerting: Fix no data behaviour in Legacy Alerting for alert
rules using the AND operator.
* CloudMonitoring: Ignore min and max aggregation in MQL
queries.
* Dashboards: 'Copy' is no longer added to new dashboard
titles.
* DataProxy: Fix overriding response body when response is a
WebSocket upgrade.
* Elasticsearch: Use field configured in query editor as field
for date_histogram aggregations.
* Explore: Fix running queries without a datasource property
set.
* InfluxDB: Fix numeric aliases in queries.
* Plugins: Ensure consistent plugin settings list response.
* Tempo: Fix validation of float durations.
* Tracing: Correct tags for each span are shown.
- Update to version 8.2.4
+ Security: Fixes CVE-2021-41244.
- Update to version 8.2.3
+ Security: Fixes CVE-2021-41174.
- Update to version 8.2.2
* Annotations: We have improved tag search performance.
* Application: You can now configure an error-template title.
* AzureMonitor: We removed a restriction from the resource
filter query.
* Packaging: We removed the ProcSubset option in systemd. This
option prevented Grafana from starting in LXC environments.
* Prometheus: We removed the autocomplete limit for metrics.
* Table: We improved the styling of the type icons to make them
more distinct from column / field name.
* ValueMappings: You can now use value mapping in stat, gauge,
bar gauge, and pie chart visualizations.
* Alerting: Fix panic when Slack's API sends unexpected
response.
* Alerting: The Create Alert button now appears on the
dashboard panel when you are working with a default
datasource.
* Explore: We fixed the problem where the Explore log panel
disappears when an Elasticsearch logs query returns no
results.
* Graph: You can now see annotation descriptions on hover.
* Logs: The system now uses the JSON parser only if the line is
parsed to an object.
* Prometheus: We fixed the issue where the system did not reuse
TCP connections when querying from Grafana alerting.
* Prometheus: We fixed the problem that resulted in an error
when a user created a query with a $__interval min step.
* RowsToFields: We fixed the issue where the system was not
properly interpreting number values.
* Scale: We fixed how the system handles NaN percent when data
min = data max.
* Table panel: You can now create a filter that includes
special characters.
- Update to version 8.2.1
* Dashboard: Fix rendering of repeating panels.
* Datasources: Fix deletion of data source if plugin is not
found.
* Packaging: Remove systemcallfilters sections from systemd
unit files.
* Prometheus: Add Headers to HTTP client options.
- Update to version 8.2.0
* AWS: Updated AWS authentication documentation.
* Alerting: Added support Alertmanager data source for upstream
Prometheus AM implementation.
* Alerting: Allows more characters in label names so
notifications are sent.
* Alerting: Get alert rules for a dashboard or a panel using
/api/v1/rules endpoints.
* Annotations: Improved rendering performance of event markers.
* CloudWatch Logs: Skip caching for log queries.
* Explore: Added an opt-in configuration for Node Graph in
Jaeger, Zipkin, and Tempo.
* Packaging: Add stricter systemd unit options.
* Prometheus: Metrics browser can now handle label values with
* CodeEditor: Ensure that we trigger the latest onSave callback
provided to the component.
* DashboardList/AlertList: Fix for missing All folder value.
* Plugins: Create a mock icon component to prevent console
errors.
- Update to version 8.2.0-beta2
* AccessControl: Document new permissions restricting data
source access.
* TimePicker: Add fiscal years and search to time picker.
* Alerting: Added support for Unified Alerting with Grafana HA.
* Alerting: Added support for tune rule evaluation using
configuration options.
* Alerting: Cleanups alertmanager namespace from key-value
store when disabling Grafana 8 alerts.
* Alerting: Remove ngalert feature toggle and introduce two new
settings for enabling Grafana 8 alerts and disabling them for
specific organisations.
* CloudWatch: Introduced new math expression where it is
necessary to specify the period field.
* InfluxDB: Added support for $__interval and $__interval_ms in
Flux queries for alerting.
* InfluxDB: Flux queries can use more precise start and end
timestamps with nanosecond-precision.
* Plugins Catalog: Make the catalog the default way to interact
with plugins.
* Prometheus: Removed autocomplete limit for metrics.
* Alerting: Fixed an issue where the edit page crashes if you
tried to preview an alert without a condition set.
* Alerting: Fixed rules migration to keep existing Grafana 8
alert rules.
* Alerting: Fixed the silence file content generated during
* Analytics: Fixed an issue related to interaction event
propagation in Azure Application Insights.
* BarGauge: Fixed an issue where the cell color was lit even
though there was no data.
* BarGauge: Improved handling of streaming data.
* CloudMonitoring: Fixed INT64 label unmarshal error.
* ConfirmModal: Fixes confirm button focus on modal open.
* Dashboard: Add option to generate short URL for variables
with values containing spaces.
* Explore: No longer hides errors containing refId property.
* Fixed an issue that produced State timeline panel tooltip
error when data was not in sync.
* InfluxDB: InfluxQL query editor is set to always use
resultFormat.
* Loki: Fixed creating context query for logs with parsed
labels.
* PageToolbar: Fixed alignment of titles.
* Plugins Catalog: Update to the list of available panels after
an install, update or uninstall.
* TimeSeries: Fixed an issue where the shared cursor was not
showing when hovering over in old Graph panel.
* Variables: Fixed issues related to change of focus or refresh
pages when pressing enter in a text box variable input.
* Variables: Panel no longer crash when using the adhoc
variable in data links.
- Update to version 8.2.0-beta1
* AccessControl: Introduce new permissions to restrict access
for reloading provisioning configuration.
* Alerting: Add UI to edit Cortex/Loki namespace, group names,
and group evaluation interval.
* Alerting: Add a Test button to test contact point.
* Alerting: Allow creating/editing recording rules for Loki and
Cortex.
* Alerting: Metrics should have the label org instead of user.
* Alerting: Sort notification channels by name to make them
easier to locate.
* Alerting: Support org level isolation of notification
* AzureMonitor: Add data links to deep link to Azure Portal
Azure Resource Graph.
* AzureMonitor: Add support for annotations from Azure Monitor
Metrics and Azure Resource Graph services.
* AzureMonitor: Show error message when subscriptions request
fails in ConfigEditor.
* Chore: Update to Golang 1.16.7.
* CloudWatch Logs: Add link to X-Ray data source for trace IDs
in logs.
* CloudWatch Logs: Disable query path using websockets (Live)
feature.
* CloudWatch/Logs: Don't group dataframes for non time series
* Cloudwatch: Migrate queries that use multiple stats to one
query per stat.
* Dashboard: Keep live timeseries moving left (v2).
* Datasources: Introduce response_limit for datasource
responses.
* Explore: Add filter by trace or span ID to trace to logs
* Explore: Download traces as JSON in Explore Inspector.
* Explore: Reuse Dashboard's QueryRows component.
* Explore: Support custom display label for derived fields
buttons for Loki datasource.
* Grafana UI: Update monaco-related dependencies.
* Graphite: Deprecate browser access mode.
* InfluxDB: Improve handling of intervals in alerting.
* InfluxDB: InfluxQL query editor: Handle unusual characters in
tag values better.
* Jaeger: Add ability to upload JSON file for trace data.
* LibraryElements: Enable specifying UID for new and existing
library elements.
* LibraryPanels: Remove library panel icon from the panel
header so you can no longer tell that a panel is a library
panel from the dashboard view.
* Logs panel: Scroll to the bottom on page refresh when sorting
in ascending order.
* Loki: Add fuzzy search to label browser.
* Navigation: Implement active state for items in the Sidemenu.
* Packaging: Update PID file location from /var/run to /run.
* Plugins: Add Hide OAuth Forward config option.
* Postgres/MySQL/MSSQL: Add setting to limit the maximum number
of rows processed.
* Prometheus: Add browser access mode deprecation warning.
* Prometheus: Add interpolation for built-in-time variables to
backend.
* Tempo: Add ability to upload trace data in JSON format.
* TimeSeries/XYChart: Allow grid lines visibility control in
XYChart and TimeSeries panels.
* Transformations: Convert field types to time string number or
boolean.
* Value mappings: Add regular-expression based value mapping.
* Zipkin: Add ability to upload trace JSON.
* Admin: Prevent user from deleting user's current/active
organization.
* LibraryPanels: Fix library panel getting saved in the
dashboard's folder.
* OAuth: Make generic teams URL and JMES path configurable.
* QueryEditor: Fix broken copy-paste for mouse middle-click
* Thresholds: Fix undefined color in 'Add threshold'.
* Timeseries: Add wide-to-long, and fix multi-frame output.
* TooltipPlugin: Fix behavior of Shared Crosshair when Tooltip
is set to All.
* Grafana UI: Fix TS error property css is missing in type.
- Update to version 8.1.8
- Update to version 8.1.7
* Alerting: Fix alerts with evaluation interval more than 30
seconds resolving before notification.
* Elasticsearch/Prometheus: Fix usage of proper SigV4 service
namespace.
- Update to version 8.1.6
+ Security: Fixes CVE-2021-39226.
- Update to version 8.1.5
* BarChart: Fixes panel error that happens on second refresh.
- Update to version 8.1.4
+ Features and enhancements
* Explore: Ensure logs volume bar colors match legend colors.
* LDAP: Search all DNs for users.
* Alerting: Fix notification channel migration.
* Annotations: Fix blank panels for queries with unknown data
sources.
* BarChart: Fix stale values and x axis labels.
* Graph: Make old graph panel thresholds work even if ngalert
is enabled.
* InfluxDB: Fix regex to identify / as separator.
* LibraryPanels: Fix update issues related to library panels in
rows.
* Variables: Fix variables not updating inside a Panel when the
preceding Row uses 'Repeat For'.
- Update to version 8.1.3
+ Bug fixes
* Alerting: Fix alert flapping in the internal alertmanager.
* Alerting: Fix request handler failed to convert dataframe
'results' to plugins.DataTimeSeriesSlice: input frame is not
recognized as a time series.
* Dashboard: Fix UIDs are not preserved when importing/creating
dashboards thru importing .json file.
* Dashboard: Forces panel re-render when exiting panel edit.
* Dashboard: Prevent folder from changing when navigating to
general settings.
* Docker: Force use of libcrypto1.1 and libssl1.1 versions to
fix CVE-2021-3711.
* Elasticsearch: Fix metric names for alert queries.
* Elasticsearch: Limit Histogram field parameter to numeric
values.
* Elasticsearch: Prevent pipeline aggregations to show up in
terms order by options.
* LibraryPanels: Prevent duplicate repeated panels from being
created.
* Loki: Fix ad-hoc filter in dashboard when used with parser.
* Plugins: Track signed files + add warn log for plugin assets
which are not signed.
* Postgres/MySQL/MSSQL: Fix region annotations not displayed
correctly.
* Prometheus: Fix validate selector in metrics browser.
* Security: Fix stylesheet injection vulnerability.
* Security: Fix short URL vulnerability.
- Update to version 8.1.2
* AzureMonitor: Add support for PostgreSQL and MySQL Flexible
Servers.
* Datasource: Change HTTP status code for failed datasource
health check to 400.
* Explore: Add span duration to left panel in trace viewer.
* Plugins: Use file extension allowlist when serving plugin
assets instead of checking for UNIX executable.
* Profiling: Add support for binding pprof server to custom
network interfaces.
* Search: Make search icon keyboard navigable.
* Template variables: Keyboard navigation improvements.
* Tooltip: Display ms within minute time range.
* Alerting: Fix saving LINE contact point.
* Annotations: Fix alerting annotation coloring.
* Annotations: Alert annotations are now visible in the correct
Panel.
* Auth: Hide SigV4 config UI and disable middleware when its
config flag is disabled.
* Dashboard: Prevent incorrect panel layout by comparing window
width against theme breakpoints.
* Explore: Fix showing of full log context.
* PanelEdit: Fix 'Actual' size by passing the correct panel
size to Dashboard.
* Plugins: Fix TLS datasource settings.
* Variables: Fix issue with empty drop downs on navigation.
* Variables: Fix URL util converting false into true.
* Toolkit: Fix matchMedia not found error.
- Update to version 8.1.1
* CloudWatch Logs: Fix crash when no region is selected.
- Update to version 8.1.0
* Alerting: Deduplicate receivers during migration.
* ColorPicker: Display colors as RGBA.
* Select: Make portalling the menu opt-in, but opt-in
everywhere.
* TimeRangePicker: Improve accessibility.
* Annotations: Correct annotations that are displayed upon page
refresh.
* Annotations: Fix Enabled button that disappeared from Grafana
v8.0.6.
* Annotations: Fix data source template variable that was not
available for annotations.
* AzureMonitor: Fix annotations query editor that does not
load.
* Geomap: Fix scale calculations.
* GraphNG: Fix y-axis autosizing.
* Live: Display stream rate and fix duplicate channels in list
* Loki: Update labels in log browser when time range changes in
dashboard.
* NGAlert: Send resolve signal to alertmanager on alerting ->
Normal.
* PasswordField: Prevent a password from being displayed when
you click the Enter button.
* Renderer: Remove debug.log file when Grafana is stopped.
* Security: Update dependencies to fix CVE-2021-36222.
- Update to version 8.1.0-beta3
* Alerting: Support label matcher syntax in alert rule list
filter.
* IconButton: Put tooltip text as aria-label.
* Live: Experimental HA with Redis.
* UI: FileDropzone component.
* CloudWatch: Add AWS LookoutMetrics.
* Docker: Fix builds by delaying go mod verify until all
required files are copied over.
* Exemplars: Fix disable exemplars only on the query that
failed.
* SQL: Fix SQL dataframe resampling (fill mode + time
intervals).
- Update to version 8.1.0-beta2
* Alerting: Expand the value string in alert annotations and
* Auth: Add Azure HTTP authentication middleware.
* Auth: Auth: Pass user role when using the authentication
proxy.
* Gazetteer: Update countries.json file to allow for linking to
3-letter country codes.
* Config: Fix Docker builds by correcting formatting in
sample.ini.
* Explore: Fix encoding of internal URLs.
- Update to version 8.1.0-beta1
* Alerting: Add Alertmanager notifications tab.
* Alerting: Add button to deactivate current Alertmanager
* Alerting: Add toggle in Loki/Prometheus data source
configuration to opt out of alerting UI.
* Alerting: Allow any 'evaluate for' value >=0 in the alert
rule form.
* Alerting: Load default configuration from status endpoint, if
Cortex Alertmanager returns empty user configuration.
* Alerting: view to display alert rule and its underlying data.
* Annotation panel: Release the annotation panel.
* Annotations: Add typeahead support for tags in built-in
annotations.
* AzureMonitor: Add curated dashboards for Azure services.
* AzureMonitor: Add support for deep links to Microsoft Azure
portal for Metrics.
* AzureMonitor: Remove support for different credentials for
Azure Monitor Logs.
* AzureMonitor: Support querying any Resource for Logs queries.
* Elasticsearch: Add frozen indices search support.
* Elasticsearch: Name fields after template variables values
instead of their name.
* Elasticsearch: add rate aggregation.
* Email: Allow configuration of content types for email
notifications.
* Explore: Add more meta information when line limit is hit.
* Explore: UI improvements to trace view.
* FieldOverrides: Added support to change display name in an
override field and have it be matched by a later rule.
* HTTP Client: Introduce dataproxy_max_idle_connections config
variable.
* InfluxDB: InfluxQL: adds tags to timeseries data.
* InfluxDB: InfluxQL: make measurement search case insensitive.
Legacy Alerting: Replace simplejson with a struct in webhook
notification channel.
* Legend: Updates display name for Last (not null) to just
Last*.
* Logs panel: Add option to show common labels.
* Loki: Add $__range variable.
* Loki: Add support for 'label_values(log stream selector,
label)' in templating.
* Loki: Add support for ad-hoc filtering in dashboard.
* MySQL Datasource: Add timezone parameter.
* NodeGraph: Show gradient fields in legend.
* PanelOptions: Don't mutate panel options/field config object
when updating.
* PieChart: Make pie gradient more subtle to match other
charts.
* Prometheus: Update PromQL typeahead and highlighting.
* Prometheus: interpolate variable for step field.
* Provisioning: Improve validation by validating across all
dashboard providers.
* SQL Datasources: Allow multiple string/labels columns with
time series.
* Select: Portal select menu to document.body.
* Team Sync: Add group mapping to support team sync in the
Generic OAuth provider.
* Tooltip: Make active series more noticeable.
* Tracing: Add support to configure trace to logs start and end
time.
* Transformations: Skip merge when there is only a single data
frame.
* ValueMapping: Added support for mapping text to color,
boolean values, NaN and Null. Improved UI for value mapping.
* Visualizations: Dynamically set any config (min, max, unit,
color, thresholds) from query results.
* live: Add support to handle origin without a value for the
port when matching with root_url.
* Alerting: Handle marshaling Inf values.
* AzureMonitor: Fix macro resolution for template variables.
* AzureMonitor: Fix queries with Microsoft.NetApp/../../volumes
resources.
* AzureMonitor: Request and concat subsequent resource pages.
* Bug: Fix parse duration for day.
* Datasources: Improve error handling for error messages.
* Explore: Correct the functionality of shift-enter shortcut
across all uses.
* Explore: Show all dataFrames in data tab in Inspector.
* GraphNG: Fix Tooltip mode 'All' for XYChart.
* Loki: Fix highlight of logs when using filter expressions
with backticks.
* Modal: Force modal content to overflow with scroll.
* Plugins: Ignore symlinked folders when verifying plugin
signature.
* Toolkit: Improve error messages when tasks fail.
- Update to version 8.0.7
- Update to version 8.0.6
* Alerting: Add annotation upon alert state change.
* Alerting: Allow space in label and annotation names.
* InfluxDB: Improve legend labels for InfluxDB query results.
* Alerting: Fix improper alert by changing the handling of
empty labels.
* CloudWatch/Logs: Reestablish Cloud Watch alert behavior.
* Dashboard: Avoid migration breaking on fieldConfig without
defaults field in folded panel.
* DashboardList: Fix issue not re-fetching dashboard list after
variable change.
* Database: Fix incorrect format of isolation level
configuration parameter for MySQL.
* InfluxDB: Correct tag filtering on InfluxDB data.
* Links: Fix links that caused a full page reload.
* Live: Fix HTTP error when InfluxDB metrics have an incomplete
or asymmetrical field set.
* Postgres/MySQL/MSSQL: Change time field to 'Time' for time
series queries.
* Postgres: Fix the handling of a null return value in query
* Tempo: Show hex strings instead of uints for IDs.
* TimeSeries: Improve tooltip positioning when tooltip
overflows.
* Transformations: Add 'prepare time series' transformer.
- Update to version 8.0.5
* Cloudwatch Logs: Send error down to client.
* Folders: Return 409 Conflict status when folder already
exists.
* TimeSeries: Do not show series in tooltip if it's hidden in
the viz.
* AzureMonitor: Fix issue where resource group name is missing
on the resource picker button.
* Chore: Fix AWS auth assuming role with workspace IAM.
* DashboardQueryRunner: Fixes unrestrained subscriptions being
* DateFormats: Fix reading correct setting key for
use_browser_locale.
* Links: Fix links to other apps outside Grafana when under sub
path.
* Snapshots: Fix snapshot absolute time range issue.
* Table: Fix data link color.
* Time Series: Fix X-axis time format when tick increment is
larger than a year.
* Tooltip Plugin: Prevent tooltip render if field is undefined.
- Update to version 8.0.4
* Live: Rely on app url for origin check.
* PieChart: Sort legend descending, update placeholder.
* TimeSeries panel: Do not reinitialize plot when thresholds
mode change.
* Elasticsearch: Allow case sensitive custom options in
date_histogram interval.
* Elasticsearch: Restore previous field naming strategy when
using variables.
* Explore: Fix import of queries between SQL data sources.
* InfluxDB: InfluxQL query editor: fix retention policy
handling.
* Loki: Send correct time range in template variable queries.
* TimeSeries: Preserve RegExp series overrides when migrating
from old graph panel.
- Update to version 8.0.3
* Alerting: Increase alertmanager_conf column if MySQL.
* Time series/Bar chart panel: Handle infinite numbers as nulls
when converting to plot array.
* TimeSeries: Ensure series overrides that contain color are
migrated, and migrate the previous fieldConfig when changing
the panel type.
* ValueMappings: Improve singlestat value mappings migration.
* Annotations: Fix annotation line and marker colors.
* AzureMonitor: Fix KQL template variable queries without
default workspace.
* CloudWatch/Logs: Fix missing response data for log queries.
* LibraryPanels: Fix crash in library panels list when panel
plugin is not found.
* LogsPanel: Fix performance drop when moving logs panel in
* Loki: Parse log levels when ANSI coloring is enabled.
* MSSQL: Fix issue with hidden queries still being executed.
* PanelEdit: Display the VisualizationPicker that was not
displayed if a panel has an unknown panel plugin.
* Plugins: Fix loading symbolically linked plugins.
* Prometheus: Fix issue where legend name was replaced with
name Value in stat and gauge panels.
* State Timeline: Fix crash when hovering over panel.
- Update to version 8.0.2
* Datasource: Add support for max_conns_per_host in dataproxy
settings.
* Configuration: Fix changing org preferences in FireFox.
* PieChart: Fix legend dimension limits.
* Postgres/MySQL/MSSQL: Fix panic in concurrent map writes.
* Variables: Hide default data source if missing from regex.
- Update to version 8.0.1
* Alerting/SSE: Fix 'count_non_null' reducer validation.
* Cloudwatch: Fix duplicated time series.
* Cloudwatch: Fix missing defaultRegion.
* Dashboard: Fix Dashboard init failed error on dashboards with
old singlestat panels in collapsed rows.
* Datasource: Fix storing timeout option as numeric.
* Postgres/MySQL/MSSQL: Fix annotation parsing for empty
* Postgres/MySQL/MSSQL: Numeric/non-string values are now
returned from query variables.
* Postgres: Fix an error that was thrown when the annotation
query did not return any results.
* StatPanel: Fix an issue with the appearance of the graph when
switching color mode.
* Visualizations: Fix an issue in the
Stat/BarGauge/Gauge/PieChart panels where all values mode
were showing the same name if they had the same value.
* Toolkit: Resolve external fonts when Grafana is served from a
sub path.
- Update to version 8.0.0
* The following endpoints were deprecated for Grafana v5.0 and
support for them has now been removed:
GET /dashboards/db/:slug
GET /dashboard-solo/db/:slug
GET /api/dashboard/db/:slug
DELETE /api/dashboards/db/:slug
* AzureMonitor: Require default subscription for workspaces()
template variable query.
* AzureMonitor: Use resource type display names in the UI.
* Dashboard: Remove support for loading and deleting dashboard
by slug.
* InfluxDB: Deprecate direct browser access in data source.
* VizLegend: Add a read-only property.
* AzureMonitor: Fix Azure Resource Graph queries in Azure
China.
* Checkbox: Fix vertical layout issue with checkboxes due to
fixed height.
* Dashboard: Fix Table view when editing causes the panel data
to not update.
* Dashboard: Fix issues where unsaved-changes warning is not
displayed.
* Login: Fixes Unauthorized message showing when on login page
or snapshot page.
* NodeGraph: Fix sorting markers in grid view.
* Short URL: Include orgId in generated short URLs.
* Variables: Support raw values of boolean type.
- Update to version 8.0.0-beta3
* The default HTTP method for Prometheus data source is now
POST.
* API: Support folder UID in dashboards API.
* Alerting: Add support for configuring avatar URL for the
Discord notifier.
* Alerting: Clarify that Threema Gateway Alerts support only
Basic IDs.
* Azure: Expose Azure settings to external plugins.
* AzureMonitor: Deprecate using separate credentials for Azure
Monitor Logs.
* AzureMonitor: Display variables in resource picker for Azure
* AzureMonitor: Hide application insights for data sources not
using it.
* AzureMonitor: Support querying subscriptions and resource
groups in Azure Monitor Logs.
* AzureMonitor: remove requirement for default subscription.
* CloudWatch: Add Lambda@Edge Amazon CloudFront metrics.
* CloudWatch: Add missing AWS AppSync metrics.
* ConfirmModal: Auto focus delete button.
* Explore: Add caching for queries that are run from logs
* Loki: Add formatting for annotations.
* Loki: Bring back processed bytes as meta information.
* NodeGraph: Display node graph collapsed by default with trace
view.
* Overrides: Include a manual override option to hide something
from visualization.
* PieChart: Support row data in pie charts.
* Prometheus: Update default HTTP method to POST for existing
data sources.
* Time series panel: Position tooltip correctly when window is
scrolled or resized.
* Admin: Fix infinite loading edit on the profile page.
* Color: Fix issues with random colors in string and date
* Dashboard: Fix issue with title or folder change has no
effect after exiting settings view.
* DataLinks: Fix an issue __series.name is not working in data
link.
* Datasource: Fix dataproxy timeout should always be applied
for outgoing data source HTTP requests.
* Elasticsearch: Fix NewClient not passing httpClientProvider
to client impl.
* Explore: Fix Browser title not updated on Navigation to
Explore.
* GraphNG: Remove fieldName and hideInLegend properties from
UPlotSeriesBuilder.
* OAuth: Fix fallback to auto_assign_org_role setting for Azure
AD OAuth when no role claims exists.
* PanelChrome: Fix issue with empty panel after adding a non
data panel and coming back from panel edit.
* StatPanel: Fix data link tooltip not showing for single
value.
* Table: Fix sorting for number fields.
* Table: Have text underline for datalink, and add support for
image datalink.
* Transformations: Prevent FilterByValue transform from
crashing panel edit.
- Update to version 8.0.0-beta2
* AppPlugins: Expose react-router to apps.
* AzureMonitor: Add Azure Resource Graph.
* AzureMonitor: Managed Identity configuration UI.
* AzureMonitor: Token provider with support for Managed
Identities.
* AzureMonitor: Update Logs workspace() template variable query
to return resource URIs.
* BarChart: Value label sizing.
* CloudMonitoring: Add support for preprocessing.
* CloudWatch: Add AWS/EFS StorageBytes metric.
* CloudWatch: Allow use of missing AWS namespaces using custom
* Datasource: Shared HTTP client provider for core backend data
sources and any data source using the data source proxy.
* InfluxDB: InfluxQL: allow empty tag values in the query
editor.
* Instrumentation: Instrument incoming HTTP request with
histograms by default.
* Library Panels: Add name endpoint & unique name validation to
AddLibraryPanelModal.
* Logs panel: Support details view.
* PieChart: Always show the calculation options dropdown in the
* PieChart: Remove beta flag.
* Plugins: Enforce signing for all plugins.
* Plugins: Remove support for deprecated backend plugin
protocol version.
* Tempo/Jaeger: Add better display name to legend.
* Timeline: Add time range zoom.
* Timeline: Adds opacity & line width option.
* Timeline: Value text alignment option.
* ValueMappings: Add duplicate action, and disable dismiss on
backdrop click.
* Zipkin: Add node graph view to trace response.
* Annotations panel: Remove subpath from dashboard links.
* Content Security Policy: Allow all image sources by default.
* Content Security Policy: Relax default template wrt. loading
of scripts, due to nonces not working.
* Datasource: Fix tracing propagation for alert execution by
introducing HTTP client outgoing tracing middleware.
* InfluxDB: InfluxQL always apply time interval end.
* Library Panels: Fixes 'error while loading library panels'.
* NewsPanel: Fixes rendering issue in Safari.
* PanelChrome: Fix queries being issued again when scrolling in
and out of view.
* Plugins: Fix Azure token provider cache panic and auth param
nil value.
* Snapshots: Fix key and deleteKey being ignored when creating
an external snapshot.
* Table: Fix issue with cell border not showing with colored
background cells.
* Table: Makes tooltip scrollable for long JSON values.
* TimeSeries: Fix for Connected null values threshold toggle
during panel editing.
* Variables: Fixes inconsistent selected states on dashboard
* Variables: Refreshes all panels even if panel is full screen.
* QueryField: Remove carriage return character from pasted text.
- Update to version 8.0.0-beta1
+ License update:
* AGPL License: Update license from Apache 2.0 to the GNU
Affero General Public License (AGPL).
* Removes the never refresh option for Query variables.
* Removes the experimental Tags feature for Variables.
+ Deprecations:
* The InfoBox & FeatureInfoBox are now deprecated please use
the Alert component instead with severity info.
* API: Add org users with pagination.
* API: Return 404 when deleting nonexistent API key.
* API: Return query results as JSON rather than base64 encoded
Arrow.
* Alerting: Allow sending notification tags to Opsgenie as
extra properties.
* Alerts: Replaces all uses of InfoBox & FeatureInfoBox with
Alert.
* Auth: Add support for JWT Authentication.
* AzureMonitor: Add support for
Microsoft.SignalRService/SignalR metrics.
* AzureMonitor: Azure settings in Grafana server config.
* AzureMonitor: Migrate Metrics query editor to React.
* BarChart panel: enable series toggling via legend.
* BarChart panel: Adds support for Tooltip in BarChartPanel.
* PieChart panel: Change look of highlighted pie slices.
* CloudMonitoring: Migrate config editor from angular to react.
* CloudWatch: Add Amplify Console metrics and dimensions.
* CloudWatch: Add missing Redshift metrics to CloudWatch data
* CloudWatch: Add metrics for managed RabbitMQ service.
* DashboardList: Enable templating on search tag input.
* Datasource config: correctly remove single custom http
header.
* Elasticsearch: Add generic support for template variables.
* Elasticsearch: Allow omitting field when metric supports
inline script.
* Elasticsearch: Allow setting a custom limit for log queries.
* Elasticsearch: Guess field type from first non-empty value.
* Elasticsearch: Use application/x-ndjson content type for
multisearch requests.
* Elasticsearch: Use semver strings to identify ES version.
* Explore: Add logs navigation to request more logs.
* Explore: Map Graphite queries to Loki.
* Explore: Scroll split panes in Explore independently.
* Explore: Wrap each panel in separate error boundary.
* FieldDisplay: Smarter naming of stat values when visualising
row values (all values) in stat panels.
* Graphite: Expand metric names for variables.
* Graphite: Handle unknown Graphite functions without breaking
the visual editor.
* Graphite: Show graphite functions descriptions.
* Graphite: Support request cancellation properly (Uses new
backendSrv.fetch Observable request API).
* InfluxDB: Flux: Improve handling of complex
response-structures.
* InfluxDB: Support region annotations.
* Inspector: Download logs for manual processing.
* Jaeger: Add node graph view for trace.
* Jaeger: Search traces.
* Loki: Use data source settings for alerting queries.
* NodeGraph: Exploration mode.
* OAuth: Add support for empty scopes.
* PanelChrome: New logic-less emotion based component with no
dependency on PanelModel or DashboardModel.
* PanelEdit: Adds a table view toggle to quickly view data in
table form.
* PanelEdit: Highlight matched words when searching options.
* PanelEdit: UX improvements.
* Plugins: PanelRenderer and simplified QueryRunner to be used
from plugins.
* Plugins: AuthType in route configuration and params
interpolation.
* Plugins: Enable plugin runtime install/uninstall
capabilities.
* Plugins: Support set body content in plugin routes.
* Plugins: Introduce marketplace app.
* Plugins: Moving the DataSourcePicker to grafana/runtime so it
can be reused in plugins.
* Prometheus: Add custom query params for alert and exemplars
* Prometheus: Use fuzzy string matching to autocomplete metric
names and label.
* Routing: Replace Angular routing with react-router.
* Slack: Use chat.postMessage API by default.
* Tempo: Search for Traces by querying Loki directly from
Tempo.
* Tempo: Show graph view of the trace.
* Themes: Switch theme without reload using global shortcut.
* TimeSeries panel: Add support for shared cursor.
* TimeSeries panel: Do not crash the panel if there is no time
series data in the response.
* Variables: Do not save repeated panels, rows and scopedVars.
* Variables: Removes experimental Tags feature.
* Variables: Removes the never refresh option.
* Visualizations: Unify tooltip options across visualizations.
* Visualizations: Refactor and unify option creation between
new visualizations.
* Visualizations: Remove singlestat panel.
* APIKeys: Fixes issue with adding first api key.
* Alerting: Add checks for non supported units - disable
defaulting to seconds.
* Alerting: Fix issue where Slack notifications won't link to
user IDs.
* Alerting: Omit empty message in PagerDuty notifier.
* AzureMonitor: Fix migration error from older versions of App
Insights queries.
* CloudWatch: Fix AWS/Connect dimensions.
* CloudWatch: Fix broken AWS/MediaTailor dimension name.
* Dashboards: Allow string manipulation as advanced variable
format option.
* DataLinks: Includes harmless extended characters like
Cyrillic characters.
* Drawer: Fixes title overflowing its container.
* Explore: Fix issue when some query errors were not shown.
* Generic OAuth: Prevent adding duplicated users.
* Graphite: Handle invalid annotations.
* Graphite: Fix autocomplete when tags are not available.
* InfluxDB: Fix Cannot read property 'length' of undefined in
when parsing response.
* Instrumentation: Enable tracing when Jaeger host and port are
* Instrumentation: Prefix metrics with grafana.
* MSSQL: By default let driver choose port.
* OAuth: Add optional strict parsing of role_attribute_path.
* Panel: Fixes description markdown with inline code being
rendered on newlines and full width.
* PanelChrome: Ignore data updates & errors for non data
panels.
* Permissions: Fix inherited folder permissions can prevent new
permissions being added to a dashboard.
* Plugins: Remove pre-existing plugin installs when installing
with grafana-cli.
* Plugins: Support installing to folders with whitespace and
fix pluginUrl trailing and leading whitespace failures.
* Postgres/MySQL/MSSQL: Don't return connection failure details
to the client.
* Postgres: Fix ms precision of interval in time group macro
when TimescaleDB is enabled.
* Provisioning: Use dashboard checksum field as change
indicator.
* SQL: Fix so that all captured errors are returned from sql
engine.
* Shortcuts: Fixes panel shortcuts so they always work.
* Table: Fixes so border is visible for cells with links.
* Variables: Clear query when data source type changes.
* Variables: Filters out builtin variables from unknown list.
* Button: Introduce buttonStyle prop.
* DataQueryRequest: Remove deprecated props showingGraph and
showingTabel and exploreMode.
* grafana/ui: Update React Hook Form to v7.
* IconButton: Introduce variant for red and blue icon buttons.
* Plugins: Expose the getTimeZone function to be able to get
the current selected timeZone.
* TagsInput: Add className to TagsInput.
* VizLegend: Move onSeriesColorChanged to PanelContext
(breaking change).
- Update to version 7.5.13
* Alerting: Fix NoDataFound for alert rules using AND operator.
mgr-cfg:
- Version 4.3.6-1
* Corrected source URL in spec file
* Fix installation problem for SLE15SP4 due missing python-selinux
* Fix python selinux package name depending on build target (bsc#1193600)
* Do not build python 2 package for SLE15SP4 and higher
* Remove unused legacy code
mgr-custom-info:
- Version 4.3.3-1
* Remove unused legacy code
mgr-daemon:
- Version 4.3.4-1
* Corrected source URLs in spec file
* Update translation strings
mgr-osad:
- Version 4.3.6-1
* Corrected source URL in spec file.
* Do not build python 2 package for SLE15SP4 and higher
* Removed spacewalk-selinux dependencies.
* Updated source url.
mgr-push:
- Version 4.3.4-1
* Corrected source URLs in spec file
mgr-virtualization:
- Version 4.3.5-1
* Corrected source URLs in spec file.
* Do not build python 2 package for SLE15SP4 and higher
prometheus-blackbox_exporter:
- Enhanced to build on Enterprise Linux 8
prometheus-postgres_exporter:
- Updated for RHEL8.
python-hwdata:
- Require python macros for building
rhnlib:
- Version 4.3.4-1
* Reorganize python files
spacecmd:
- Version 4.3.11-1
* on full system update call schedulePackageUpdate API (bsc#1197507)
* parse boolean paramaters correctly (bsc#1197689)
* Add parameter to set containerized proxy SSH port
* Add proxy config generation subcommand
* Option 'org_createfirst' added to perform initial organization and user creation
* Added gettext build requirement for RHEL.
* Removed RHEL 5 references.
* Include group formulas configuration in spacecmd group_backup and
spacecmd group_restore. This changes backup format to json,
previously used plain text is still supported for reading (bsc#1190462)
* Update translation strings
* Improved event history listing and added new system_eventdetails
command to retrieve the details of an event
* Make schedule_deletearchived to get all actions without display limit
* Allow passing a date limit for schedule_deletearchived on spacecmd (bsc#1181223)
spacewalk-client-tools:
- Version 4.3.9-1
* Corrected source URLs in spec file.
* do not build python 2 package for SLE15
* Remove unused legacy code
* Update translation strings
spacewalk-koan:
- Version 4.3.5-1
* Corrected source URLs in spec file.
spacewalk-oscap:
- Version 4.3.5-1
* Corrected source URLs in spec file.
* Do not build python 2 package for SLE15SP4 and higher
spacewalk-remote-utils:
- Version 4.3.3-1
* Adapt the package for changes in rhnlib
supportutils-plugin-susemanager-client:
- Version 4.3.2-1
* Add proxy containers config and logs
suseRegisterInfo:
- Version 4.3.3-1
* Bump version to 4.3.0
supportutils-plugin-salt:
- Add support for Salt Bundle
uyuni-common-libs:
- Version 4.3.4-1
* implement more decompression algorithms for reposync (bsc#1196704)
* Reorganize python files
* Add decompression of zck files to fileutils
ImportantSUSE bug 1181223SUSE bug 1181400SUSE bug 1190462SUSE bug 1190535SUSE bug 1193600SUSE bug 1194873SUSE bug 1195726SUSE bug 1195727SUSE bug 1195728SUSE bug 1196338SUSE bug 1196704SUSE bug 1197507SUSE bug 1197689CVE-2021-36222 at SUSECVE-2021-36222 at NVDCVE-2021-3711 at SUSECVE-2021-3711 at NVDCVE-2021-39226 at SUSECVE-2021-39226 at NVDCVE-2021-41174 at SUSECVE-2021-41174 at NVDCVE-2021-41244 at SUSECVE-2021-41244 at NVDCVE-2021-43798 at SUSECVE-2021-43798 at NVDCVE-2021-43813 at SUSECVE-2021-43813 at NVDCVE-2021-43815 at SUSECVE-2021-43815 at NVDCVE-2022-21673 at SUSECVE-2022-21673 at NVDCVE-2022-21698 at SUSECVE-2022-21698 at NVDCVE-2022-21702 at SUSECVE-2022-21702 at NVDCVE-2022-21703 at SUSECVE-2022-21703 at NVDCVE-2022-21713 at SUSECVE-2022-21713 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for fwupdate (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update of fwupdate fixes the following issue:
- rebuild with new secure boot key due to grub2 boothole 3 issues (bsc#1198581)
ImportantSUSE bug 1198581cpe:/o:suse:sles-ltss:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for python3 fixes the following issues:
- CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511).
ImportantSUSE bug 1070738SUSE bug 1198511SUSE bug 1199441CVE-2015-20107 at SUSECVE-2015-20107 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for openssl fixes the following issues:
- CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)
ModerateSUSE bug 1200550CVE-2022-2068 at SUSECVE-2022-2068 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for oracleasm (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update of oracleasm fixes the following issue:
- rebuild with new secure boot key due to grub2 boothole 3 issues (bsc#1198581)
ImportantSUSE bug 1198581cpe:/o:suse:sles-ltss:12:sp3Security update for python (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for python fixes the following issues:
- CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511).
ImportantSUSE bug 1198511CVE-2015-20107 at SUSECVE-2015-20107 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for sysstat (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for sysstat fixes the following issues:
Security issue fixed:
- CVE-2019-19725: Fixed double free in check_file_actlst in sa_common.c (bsc#1159104).
Bug fixes:
- Enable log information of starting/stoping services. (bsc#1144923, jsc#SLE-5958)
ModerateSUSE bug 1144923SUSE bug 1159104CVE-2019-19725 at SUSECVE-2019-19725 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for dpdk (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update of dpdk fixes the following issue:
- rebuild with new secure boot key due to grub2 boothole 3 issues (bsc#1198581)
ImportantSUSE bug 1198581cpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_147 fixes one issue.
The following security issue was fixed:
- CVE-2022-1734: Fixed a r/w use-after-free when non synchronized between cleanup routine and firmware download routine. (bnc#1199605)
ImportantSUSE bug 1199606CVE-2022-1734 at SUSECVE-2022-1734 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 41 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_150 fixes one issue.
The following security issue was fixed:
- CVE-2022-1734: Fixed a r/w use-after-free when non synchronized between cleanup routine and firmware download routine. (bnc#1199605)
ImportantSUSE bug 1199606CVE-2022-1734 at SUSECVE-2022-1734 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 42 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_153 fixes one issue.
The following security issue was fixed:
- CVE-2022-1734: Fixed a r/w use-after-free when non synchronized between cleanup routine and firmware download routine. (bnc#1199605)
ImportantSUSE bug 1199606CVE-2022-1734 at SUSECVE-2022-1734 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 43 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_156 fixes one issue.
The following security issue was fixed:
- CVE-2022-1734: Fixed a r/w use-after-free when non synchronized between cleanup routine and firmware download routine. (bnc#1199605)
ImportantSUSE bug 1199606CVE-2022-1734 at SUSECVE-2022-1734 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 44 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_161 fixes one issue.
The following security issue was fixed:
- CVE-2022-1734: Fixed a r/w use-after-free when non synchronized between cleanup routine and firmware download routine. (bnc#1199605)
ImportantSUSE bug 1199606CVE-2022-1734 at SUSECVE-2022-1734 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 45 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_164 fixes one issue.
The following security issue was fixed:
- CVE-2021-39713: Fixed a race condition in the network scheduling subsystem which could lead to a use-after-free. (bnc#1196973)
ImportantSUSE bug 1197211CVE-2021-39713 at SUSECVE-2021-39713 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
Update to Firefox Extended Support Release 91.11.0 ESR (MFSA 2022-25) (bsc#1200793):
- CVE-2022-2200: Undesired attributes could be set as part of prototype pollution (bmo#1771381)
- CVE-2022-31744: CSP bypass enabling stylesheet injection (bmo#1757604)
- CVE-2022-34468: CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI (bmo#1768537)
- CVE-2022-34470: Use-after-free in nsSHistory (bmo#1765951)
- CVE-2022-34472: Unavailable PAC file resulted in OCSP requests being blocked (bmo#1770123)
- CVE-2022-34478: Microsoft protocols can be attacked if a user accepts a prompt (bmo#1773717)
- CVE-2022-34479: A popup window could be resized in a way to overlay the address bar with web content (bmo#1745595)
- CVE-2022-34481: Potential integer overflow in ReplaceElementsAt (bmo#1497246)
- CVE-2022-34484: Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11 (bmo#1763634, bmo#1772651)
ImportantSUSE bug 1200793CVE-2022-2200 at SUSECVE-2022-2200 at NVDCVE-2022-31744 at SUSECVE-2022-31744 at NVDCVE-2022-34468 at SUSECVE-2022-34468 at NVDCVE-2022-34470 at SUSECVE-2022-34470 at NVDCVE-2022-34472 at SUSECVE-2022-34472 at NVDCVE-2022-34478 at SUSECVE-2022-34478 at NVDCVE-2022-34479 at SUSECVE-2022-34479 at NVDCVE-2022-34481 at SUSECVE-2022-34481 at NVDCVE-2022-34484 at SUSECVE-2022-34484 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for rsyslog (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for rsyslog fixes the following issues:
- CVE-2022-24903: fix potential heap buffer overflow in modules for TCP syslog reception (bsc#1199061)
ImportantSUSE bug 1199061CVE-2022-24903 at SUSECVE-2022-24903 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for pcre (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for pcre fixes the following issues:
- CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)
ImportantSUSE bug 1199232CVE-2022-1586 at SUSECVE-2022-1586 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for samba (Critical)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for samba fixes the following issues:
- CVE-2021-44142: Fixed out-of-Bound Read/Write on Samba vfs_fruit module. (bsc#1194859)
CriticalSUSE bug 1194859CVE-2021-44142 at SUSECVE-2021-44142 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for net-snmp (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for net-snmp fixes the following issues:
- CVE-2020-15862: Make extended MIB read-only (bsc#1174961)
ImportantSUSE bug 1100146SUSE bug 1145864SUSE bug 1152968SUSE bug 1174961SUSE bug 1178021SUSE bug 1178351SUSE bug 1179009SUSE bug 1179699SUSE bug 1184839CVE-2020-15862 at SUSECVE-2020-15862 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_138 fixes several issues.
The following security issues were fixed:
- CVE-2018-25020: Fixed an issue in the BPF subsystem in the Linux kernel mishandled situations with a long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions, leading to an overflow. (bsc#1193575)
- CVE-2020-3702: Fixed a bug which could be triggered with specifically timed and handcrafted traffic and cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure. (bsc#1191193)
- CVE-2020-25670, CVE-2020-25671, CVE-2020-25672, CVE-2020-25673, CVE-2021-23134: Fixed multiple bugs in NFC subsytem (bsc#1178181, bsc#1186060).
- CVE-2019-0136: Fixed an insufficient access control which allow an unauthenticated user to execute a denial of service. (bsc#1193157)
- CVE-2021-42739: The firewire subsystem had a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandled bounds checking (bsc#1184673).
ImportantSUSE bug 1186061SUSE bug 1191529SUSE bug 1192036SUSE bug 1193161SUSE bug 1193863SUSE bug 1194680CVE-2018-25020 at SUSECVE-2018-25020 at NVDCVE-2019-0136 at SUSECVE-2019-0136 at NVDCVE-2020-25670 at SUSECVE-2020-25670 at NVDCVE-2020-25671 at SUSECVE-2020-25671 at NVDCVE-2020-25672 at SUSECVE-2020-25672 at NVDCVE-2020-25673 at SUSECVE-2020-25673 at NVDCVE-2020-3702 at SUSECVE-2020-3702 at NVDCVE-2021-23134 at SUSECVE-2021-23134 at NVDCVE-2021-42739 at SUSECVE-2021-42739 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_141 fixes several issues.
The following security issues were fixed:
- CVE-2018-25020: Fixed an issue in the BPF subsystem in the Linux kernel mishandled situations with a long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions, leading to an overflow. (bsc#1193575)
- CVE-2020-3702: Fixed a bug which could be triggered with specifically timed and handcrafted traffic and cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure. (bsc#1191193)
- CVE-2020-25670, CVE-2020-25671, CVE-2020-25672, CVE-2020-25673, CVE-2021-23134: Fixed multiple bugs in NFC subsytem (bsc#1178181, bsc#1186060).
- CVE-2019-0136: Fixed an insufficient access control which allow an unauthenticated user to execute a denial of service. (bsc#1193157)
- CVE-2021-42739: The firewire subsystem had a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandled bounds checking (bsc#1184673).
ImportantSUSE bug 1186061SUSE bug 1191529SUSE bug 1192036SUSE bug 1193161SUSE bug 1193863SUSE bug 1194680CVE-2018-25020 at SUSECVE-2018-25020 at NVDCVE-2019-0136 at SUSECVE-2019-0136 at NVDCVE-2020-25670 at SUSECVE-2020-25670 at NVDCVE-2020-25671 at SUSECVE-2020-25671 at NVDCVE-2020-25672 at SUSECVE-2020-25672 at NVDCVE-2020-25673 at SUSECVE-2020-25673 at NVDCVE-2020-3702 at SUSECVE-2020-3702 at NVDCVE-2021-23134 at SUSECVE-2021-23134 at NVDCVE-2021-42739 at SUSECVE-2021-42739 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_144 fixes several issues.
The following security issues were fixed:
- CVE-2018-25020: Fixed an issue in the BPF subsystem in the Linux kernel mishandled situations with a long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions, leading to an overflow. (bsc#1193575)
- CVE-2020-3702: Fixed a bug which could be triggered with specifically timed and handcrafted traffic and cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure. (bsc#1191193)
- CVE-2021-23134: Fixed a use After Free vulnerability in nfc sockets which allows local attackers to elevate their privileges. (bsc#1186060)
- CVE-2019-0136: Fixed an insufficient access control which allow an unauthenticated user to execute a denial of service. (bsc#1193157)
- CVE-2021-42739: The firewire subsystem had a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandled bounds checking (bsc#1184673).
ImportantSUSE bug 1186061SUSE bug 1191529SUSE bug 1192036SUSE bug 1193161SUSE bug 1193863CVE-2018-25020 at SUSECVE-2018-25020 at NVDCVE-2019-0136 at SUSECVE-2019-0136 at NVDCVE-2020-3702 at SUSECVE-2020-3702 at NVDCVE-2021-23134 at SUSECVE-2021-23134 at NVDCVE-2021-42739 at SUSECVE-2021-42739 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_147 fixes several issues.
The following security issues were fixed:
- CVE-2018-25020: Fixed an issue in the BPF subsystem in the Linux kernel mishandled situations with a long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions, leading to an overflow. (bsc#1193575)
- CVE-2020-3702: Fixed a bug which could be triggered with specifically timed and handcrafted traffic and cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure. (bsc#1191193)
- CVE-2019-0136: Fixed an insufficient access control which allow an unauthenticated user to execute a denial of service. (bsc#1193157)
- CVE-2021-42739: The firewire subsystem had a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandled bounds checking (bsc#1184673).
ImportantSUSE bug 1191529SUSE bug 1192036SUSE bug 1193161SUSE bug 1193863CVE-2018-25020 at SUSECVE-2018-25020 at NVDCVE-2019-0136 at SUSECVE-2019-0136 at NVDCVE-2020-3702 at SUSECVE-2020-3702 at NVDCVE-2021-42739 at SUSECVE-2021-42739 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 41 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_150 fixes several issues.
The following security issues were fixed:
- CVE-2018-25020: Fixed an issue in the BPF subsystem in the Linux kernel mishandled situations with a long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions, leading to an overflow. (bsc#1193575)
- CVE-2019-0136: Fixed an insufficient access control which allow an unauthenticated user to execute a denial of service. (bsc#1193157)
ImportantSUSE bug 1193161SUSE bug 1193863CVE-2018-25020 at SUSECVE-2018-25020 at NVDCVE-2019-0136 at SUSECVE-2019-0136 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libsndfile (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libsndfile fixes the following issues:
- CVE-2021-4156: Fixed heap buffer overflow in flac_buffer_copy that
could potentially lead to heap exploitation (bsc#1194006).
ImportantSUSE bug 1194006CVE-2021-4156 at SUSECVE-2021-4156 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for clamav (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for clamav fixes the following issues:
- CVE-2022-20698: Fixed invalid pointer read allowing denial of service crash. (bsc#1194731)
ImportantSUSE bug 1194731CVE-2022-20698 at SUSECVE-2022-20698 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for xen fixes the following issues:
- CVE-2022-23034: Fixed possible DoS by a PV guest Xen while unmapping a grant. (XSA-394) (bsc#1194581)
- CVE-2022-23035: Fixed insufficient cleanup of passed-through device IRQs. (XSA-395) (bsc#1194588)
ImportantSUSE bug 1194581SUSE bug 1194588CVE-2022-23034 at SUSECVE-2022-23034 at NVDCVE-2022-23035 at SUSECVE-2022-23035 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
The SUSE Linux Enterprise 12 SP3 LTSS kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2018-25020: Fixed an overflow in the BPF subsystem due to a mishandling of a long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions. This affects kernel/bpf/core.c and net/core/filter.c (bnc#1193575).
- CVE-2019-0136: Fixed insufficient access control in the Intel(R) PROSet/Wireless WiFi Software driver that may have allowed an unauthenticated user to potentially enable denial of service via adjacent access (bnc#1193157).
- CVE-2020-35519: Fixed out-of-bounds memory access in x25_bind in net/x25/af_x25.c. A bounds check failure allowed a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information (bnc#1183696).
- CVE-2021-0935: Fixed possible out of bounds write in ip6_xmit of ip6_output.c due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1192032).
- CVE-2021-28711: Fixed issue with xen/blkfront to harden blkfront against event channel storms (XSA-391) (bsc#1193440).
- CVE-2021-28712: Fixed issue with xen/netfront to harden netfront against event channel storms (XSA-391) (bsc#1193440).
- CVE-2021-28713: Fixed issue with xen/console to harden hvc_xen against event channel storms (XSA-391) (bsc#1193440).
- CVE-2021-28715: Fixed issue with xen/netback to do not queue unlimited number of packages (XSA-392) (bsc#1193442).
- CVE-2021-33098: Fixed improper input validation in the Intel(R) Ethernet ixgbe driver that may have allowed an authenticated user to potentially cause denial of service via local access (bnc#1192877).
- CVE-2021-3564: Fixed double-free memory corruption in the Linux kernel HCI device initialization subsystem that could have been used by attaching malicious HCI TTY Bluetooth devices. A local user could use this flaw to crash the system (bnc#1186207).
- CVE-2021-39648: Fixed possible disclosure of kernel heap memory due to a race condition in gadget_dev_desc_UDC_show of configfs.c. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation (bnc#1193861).
- CVE-2021-39657: Fixed out of bounds read due to a missing bounds check in ufshcd_eh_device_reset_handler of ufshcd.c. This could lead to local information disclosure with System execution privileges needed (bnc#1193864).
- CVE-2021-4002: Fixed incorrect TLBs flush in hugetlbfs after huge_pmd_unshare (bsc#1192946).
- CVE-2021-4083: Fixed a read-after-free memory flaw inside the garbage collection for Unix domain socket file handlers when users call close() and fget() simultaneouslyand can potentially trigger a race condition (bnc#1193727).
- CVE-2021-4149: Fixed btrfs unlock newly allocated extent buffer after error (bsc#1194001).
- CVE-2021-4155: Fixed XFS map issue when unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like fallocate (bsc#1194272).
- CVE-2021-4197: Use cgroup open-time credentials for process migraton perm checks (bsc#1194302).
- CVE-2021-4202: Fixed NFC race condition by adding NCI_UNREG flag (bsc#1194529).
- CVE-2021-43976: Fixed insufficient access control in drivers/net/wireless/marvell/mwifiex/usb.c that allowed an attacker who connect a crafted USB device to cause denial of service (bnc#1192847).
- CVE-2021-45095: Fixed refcount leak in pep_sock_accept in net/phonet/pep.c (bnc#1193867).
- CVE-2021-45485: Fixed information leak in the IPv6 implementation in net/ipv6/output_core.c (bnc#1194094).
- CVE-2021-45486: Fixed information leak inside the IPv4 implementation caused by very small hash table (bnc#1194087).
- CVE-2022-0330: Fixed flush TLBs before releasing backing store (bsc#1194880).
The following non-security bugs were fixed:
- fget: clarify and improve __fget_files() implementation (bsc#1193727).
- hv_netvsc: Fix the queue_mapping in netvsc_vf_xmit() (bsc#1193507).
- hv_netvsc: Set needed_headroom according to VF (bsc#1193507).
- kprobes: Limit max data_size of the kretprobe instances (bsc#1193669).
- memstick: rtsx_usb_ms: fix UAF
- moxart: fix potential use-after-free on remove path (bsc1194516).
- net/x25: fix a race in x25_bind() (networking-stable-19_03_15).
- net: mana: Add RX fencing (bsc#1193507).
- net: mana: Allow setting the number of queues while the NIC is down (bsc#1193507).
- net: mana: Fix spelling mistake 'calledd' -> 'called' (bsc#1193507).
- net: mana: Fix the netdev_err()'s vPort argument in mana_init_port() (bsc#1193507).
- net: mana: Improve the HWC error handling (bsc#1193507).
- net: mana: Support hibernation and kexec (bsc#1193507).
- net: mana: Use kcalloc() instead of kzalloc() (bsc#1193507).
- recordmcount.pl: fix typo in s390 mcount regex (bsc#1192267).
- recordmcount.pl: look for jgnop instruction as well as bcrl on s390 (bsc#1192267).
- ring-buffer: Protect ring_buffer_reset() from reentrancy (bsc#1179960).
- tty: hvc: replace BUG_ON() with negative return value (git-fixes).
- xen-netfront: do not assume sk_buff_head list is empty in error handling (git-fixes).
- xen-netfront: do not use ~0U as error return value for xennet_fill_frags() (git-fixes).
- xen/blkfront: do not take local copy of a request from the ring page (git-fixes).
- xen/blkfront: do not trust the backend response data blindly (git-fixes).
- xen/blkfront: read response from backend only once (git-fixes).
- xen/netfront: disentangle tx_skb_freelist (git-fixes).
- xen/netfront: do not bug in case of too many frags (bnc#1012382).
- xen/netfront: do not cache skb_shinfo() (bnc#1012382).
- xen/netfront: do not read data from request on the ring page (git-fixes).
- xen/netfront: do not trust the backend response data blindly (git-fixes).
- xen/netfront: read response from backend only once (git-fixes).
- xen: sync include/xen/interface/io/ring.h with Xen's newest version (git-fixes).
ImportantSUSE bug 1012382SUSE bug 1179960SUSE bug 1183696SUSE bug 1186207SUSE bug 1192032SUSE bug 1192267SUSE bug 1192847SUSE bug 1192877SUSE bug 1192946SUSE bug 1193157SUSE bug 1193440SUSE bug 1193442SUSE bug 1193507SUSE bug 1193575SUSE bug 1193669SUSE bug 1193727SUSE bug 1193861SUSE bug 1193864SUSE bug 1193867SUSE bug 1194001SUSE bug 1194087SUSE bug 1194094SUSE bug 1194272SUSE bug 1194302SUSE bug 1194516SUSE bug 1194529SUSE bug 1194880CVE-2018-25020 at SUSECVE-2018-25020 at NVDCVE-2019-0136 at SUSECVE-2019-0136 at NVDCVE-2020-35519 at SUSECVE-2020-35519 at NVDCVE-2021-0935 at SUSECVE-2021-0935 at NVDCVE-2021-28711 at SUSECVE-2021-28711 at NVDCVE-2021-28712 at SUSECVE-2021-28712 at NVDCVE-2021-28713 at SUSECVE-2021-28713 at NVDCVE-2021-28715 at SUSECVE-2021-28715 at NVDCVE-2021-33098 at SUSECVE-2021-33098 at NVDCVE-2021-3564 at SUSECVE-2021-3564 at NVDCVE-2021-39648 at SUSECVE-2021-39648 at NVDCVE-2021-39657 at SUSECVE-2021-39657 at NVDCVE-2021-4002 at SUSECVE-2021-4002 at NVDCVE-2021-4083 at SUSECVE-2021-4083 at NVDCVE-2021-4149 at SUSECVE-2021-4149 at NVDCVE-2021-4155 at SUSECVE-2021-4155 at NVDCVE-2021-4197 at SUSECVE-2021-4197 at NVDCVE-2021-4202 at SUSECVE-2021-4202 at NVDCVE-2021-43976 at SUSECVE-2021-43976 at NVDCVE-2021-45095 at SUSECVE-2021-45095 at NVDCVE-2021-45485 at SUSECVE-2021-45485 at NVDCVE-2021-45486 at SUSECVE-2021-45486 at NVDCVE-2022-0330 at SUSECVE-2022-0330 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libvirt (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libvirt fixes the following issues:
- CVE-2021-4147: libxl: Fix libvirtd deadlocks and segfaults. (bsc#1194041)
- CVE-2021-3975: Add missing lock in qemuProcessHandleMonitorEOF. (bsc#1192876)
ImportantSUSE bug 1192876SUSE bug 1193981SUSE bug 1194041CVE-2021-3975 at SUSECVE-2021-3975 at NVDCVE-2021-4147 at SUSECVE-2021-4147 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for virglrenderer (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for virglrenderer fixes the following issues:
- CVE-2022-0135: Fixed out-of-bonds write in read_transfer_data() (bsc#1195389).
ImportantSUSE bug 1195389CVE-2022-0135 at SUSECVE-2022-0135 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for expat (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for expat fixes the following issues:
- CVE-2022-23852: Fixed signed integer overflow in XML_GetBuffer (bsc#1195054).
- CVE-2022-23990: Fixed integer overflow in the doProlog function (bsc#1195217).
ImportantSUSE bug 1195054SUSE bug 1195217CVE-2022-23852 at SUSECVE-2022-23852 at NVDCVE-2022-23990 at SUSECVE-2022-23990 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for tiff (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for tiff fixes the following issues:
- CVE-2017-17095: Fixed DoS in tools/pal2rgb.c in pal2rgb (bsc#1071031).
- CVE-2019-17546: Fixed integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image (bsc#1154365).
- CVE-2020-19131: Fixed buffer overflow in tiffcrop that may cause DoS via the invertImage() function (bsc#1190312).
- CVE-2020-35521: Fixed memory allocation failure in tif_read.c (bsc#1182808).
- CVE-2020-35522: Fixed memory allocation failure in tif_pixarlog.c (bsc#1182809).
- CVE-2020-35523: Fixed integer overflow in tif_getimage.c (bsc#1182811).
- CVE-2020-35524: Fixed heap-based buffer overflow in TIFF2PDF tool (bsc#1182812).
- CVE-2022-22844: Fixed out-of-bounds read in _TIFFmemcpy in tif_unix.c (bsc#1194539).
ImportantSUSE bug 1071031SUSE bug 1154365SUSE bug 1182808SUSE bug 1182809SUSE bug 1182811SUSE bug 1182812SUSE bug 1190312SUSE bug 1194539CVE-2017-17095 at SUSECVE-2017-17095 at NVDCVE-2019-17546 at SUSECVE-2019-17546 at NVDCVE-2020-19131 at SUSECVE-2020-19131 at NVDCVE-2020-35521 at SUSECVE-2020-35521 at NVDCVE-2020-35522 at SUSECVE-2020-35522 at NVDCVE-2020-35523 at SUSECVE-2020-35523 at NVDCVE-2020-35524 at SUSECVE-2020-35524 at NVDCVE-2022-22844 at SUSECVE-2022-22844 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for tcpdump (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for tcpdump fixes the following issues:
- CVE-2018-16301: Fixed segfault when handling large files (bsc#1195825).
ModerateSUSE bug 1195825CVE-2018-16301 at SUSECVE-2018-16301 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for xerces-j2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for xerces-j2 fixes the following issues:
- CVE-2022-23437: Fixed infinite loop within Apache XercesJ xml parser (bsc#1195108).
ImportantSUSE bug 1195108CVE-2022-23437 at SUSECVE-2022-23437 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Critical)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_141 fixes several issues.
The following security issues were fixed:
- CVE-2021-4202: Fixed NFC race condition by adding NCI_UNREG flag (bsc#1194533).
- CVE-2021-4083: Fixed a read-after-free memory flaw inside the garbage collection for Unix domain socket file handlers when users call close() and fget() simultaneouslyand can potentially trigger a race condition (bnc#1194460).
CriticalSUSE bug 1194460SUSE bug 1194533CVE-2021-4083 at SUSECVE-2021-4083 at NVDCVE-2021-4202 at SUSECVE-2021-4202 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Critical)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_144 fixes several issues.
The following security issues were fixed:
- CVE-2021-4202: Fixed NFC race condition by adding NCI_UNREG flag (bsc#1194533).
- CVE-2021-4083: Fixed a read-after-free memory flaw inside the garbage collection for Unix domain socket file handlers when users call close() and fget() simultaneouslyand can potentially trigger a race condition (bnc#1194460).
CriticalSUSE bug 1194460SUSE bug 1194533CVE-2021-4083 at SUSECVE-2021-4083 at NVDCVE-2021-4202 at SUSECVE-2021-4202 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) (Critical)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_147 fixes several issues.
The following security issues were fixed:
- CVE-2021-4202: Fixed NFC race condition by adding NCI_UNREG flag (bsc#1194533).
- CVE-2021-4083: Fixed a read-after-free memory flaw inside the garbage collection for Unix domain socket file handlers when users call close() and fget() simultaneouslyand can potentially trigger a race condition (bnc#1194460).
CriticalSUSE bug 1194460SUSE bug 1194533CVE-2021-4083 at SUSECVE-2021-4083 at NVDCVE-2021-4202 at SUSECVE-2021-4202 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 41 for SLE 12 SP3) (Critical)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_150 fixes several issues.
The following security issues were fixed:
- CVE-2021-4202: Fixed NFC race condition by adding NCI_UNREG flag (bsc#1194533).
- CVE-2021-4083: Fixed a read-after-free memory flaw inside the garbage collection for Unix domain socket file handlers when users call close() and fget() simultaneouslyand can potentially trigger a race condition (bnc#1194460).
CriticalSUSE bug 1194460SUSE bug 1194533CVE-2021-4083 at SUSECVE-2021-4083 at NVDCVE-2021-4202 at SUSECVE-2021-4202 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Critical)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_138 fixes several issues.
The following security issues were fixed:
- CVE-2021-4202: Fixed NFC race condition by adding NCI_UNREG flag (bsc#1194533).
- CVE-2021-4083: Fixed a read-after-free memory flaw inside the garbage collection for Unix domain socket file handlers when users call close() and fget() simultaneouslyand can potentially trigger a race condition (bnc#1194460).
CriticalSUSE bug 1194460SUSE bug 1194533CVE-2021-4083 at SUSECVE-2021-4083 at NVDCVE-2021-4202 at SUSECVE-2021-4202 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.6.0 ESR / MFSA 2022-05 (bsc#1195682)
- CVE-2022-22753: Privilege Escalation to SYSTEM on Windows via Maintenance Service
- CVE-2022-22754: Extensions could have bypassed permission confirmation during update
- CVE-2022-22756: Drag and dropping an image could have resulted in the dropped object being an executable
- CVE-2022-22759: Sandboxed iframes could have executed script if the parent appended elements
- CVE-2022-22760: Cross-Origin responses could be distinguished between script and non-script content-types
- CVE-2022-22761: frame-ancestors Content Security Policy directive was not enforced for framed extension pages
- CVE-2022-22763: Script Execution during invalid object state
- CVE-2022-22764: Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6
Firefox Extended Support Release 91.5.1 ESR (bsc#1195230)
- Fixed an issue that allowed unexpected data to be submitted in some of our search telemetry
ImportantSUSE bug 1195230SUSE bug 1195682CVE-2022-22753 at SUSECVE-2022-22753 at NVDCVE-2022-22754 at SUSECVE-2022-22754 at NVDCVE-2022-22756 at SUSECVE-2022-22756 at NVDCVE-2022-22759 at SUSECVE-2022-22759 at NVDCVE-2022-22760 at SUSECVE-2022-22760 at NVDCVE-2022-22761 at SUSECVE-2022-22761 at NVDCVE-2022-22763 at SUSECVE-2022-22763 at NVDCVE-2022-22764 at SUSECVE-2022-22764 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for ucode-intel fixes the following issues:
Updated to Intel CPU Microcode 20220207 release.
- CVE-2021-0146: Fixed a potential security vulnerability in some Intel Processors may allow escalation of privilege (bsc#1192615)
- CVE-2021-0127: Intel Processor Breakpoint Control Flow (bsc#1195779)
- CVE-2021-0145: Fast store forward predictor - Cross Domain Training (bsc#1195780)
- CVE-2021-33120: Out of bounds read for some Intel Atom processors (bsc#1195781)
- Security updates for [INTEL-SA-00528](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00528.html)
- Security updates for [INTEL-SA-00532](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00532.html)
ImportantSUSE bug 1192615SUSE bug 1195779SUSE bug 1195780SUSE bug 1195781CVE-2021-0127 at SUSECVE-2021-0127 at NVDCVE-2021-0145 at SUSECVE-2021-0145 at NVDCVE-2021-0146 at SUSECVE-2021-0146 at NVDCVE-2021-33120 at SUSECVE-2021-33120 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for apache2 fixes the following issues:
- CVE-2021-44224: Fixed NULL dereference or SSRF in forward proxy configurations. (bsc#1193943)
- CVE-2021-44790: Fixed buffer overflow when parsing multipart content in mod_lua. (bsc#1193942)
ImportantSUSE bug 1193942SUSE bug 1193943CVE-2021-44224 at SUSECVE-2021-44224 at NVDCVE-2021-44790 at SUSECVE-2021-44790 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for cyrus-sasl (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for cyrus-sasl fixes the following issues:
- CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).
ImportantSUSE bug 1196036CVE-2022-24407 at SUSECVE-2022-24407 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 42 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_153 fixes several issues.
The following security issues were fixed:
- CVE-2021-0920: Fixed a local privilege escalation due to an use after free bug in unix_gc (bsc#1194463).
- CVE-2021-28688: Fixed XSA-365 that includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains (bsc#1182294).
ImportantSUSE bug 1182294SUSE bug 1194463CVE-2021-0920 at SUSECVE-2021-0920 at NVDCVE-2021-28688 at SUSECVE-2021-28688 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 41 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_150 fixes one issue.
The following security issue was fixed:
- CVE-2021-0920: Fixed a local privilege escalation due to an use after free bug in unix_gc (bsc#1194463).
ImportantSUSE bug 1194463CVE-2021-0920 at SUSECVE-2021-0920 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_147 fixes one issue.
The following security issue was fixed:
- CVE-2021-0920: Fixed a local privilege escalation due to an use after free bug in unix_gc (bsc#1194463).
ImportantSUSE bug 1194463CVE-2021-0920 at SUSECVE-2021-0920 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_144 fixes one issue.
The following security issue was fixed:
- CVE-2021-0920: Fixed a local privilege escalation due to an use after free bug in unix_gc (bsc#1194463).
ImportantSUSE bug 1194463CVE-2021-0920 at SUSECVE-2021-0920 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for the Linux Kernel 4.4.180-94_141 fixes one issue.
The following security issue was fixed:
- CVE-2021-0920: Fixed a local privilege escalation due to an use after free bug in unix_gc (bsc#1194463).
ImportantSUSE bug 1194463CVE-2021-0920 at SUSECVE-2021-0920 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for webkit2gtk3 fixes the following issues:
Update to version 2.34.5 (bsc#1195735):
- CVE-2022-22589: A validation issue was addressed with improved input sanitization.
- CVE-2022-22590: A use after free issue was addressed with improved memory management.
- CVE-2022-22592: A logic issue was addressed with improved state management.
Update to version 2.34.4 (bsc#1195064):
- CVE-2021-30934: A buffer overflow issue was addressed with improved memory handling.
- CVE-2021-30936: A use after free issue was addressed with improved memory management.
- CVE-2021-30951: A use after free issue was addressed with improved memory management.
- CVE-2021-30952: An integer overflow was addressed with improved input validation.
- CVE-2021-30953: An out-of-bounds read was addressed with improved bounds checking.
- CVE-2021-30954: A type confusion issue was addressed with improved memory handling.
- CVE-2021-30984: A race condition was addressed with improved state handling.
- CVE-2022-22594: A cross-origin issue in the IndexDB API was addressed with improved input validation.
The following CVEs were addressed in a previous update:
- CVE-2021-45481: Incorrect memory allocation in WebCore::ImageBufferCairoImageSurfaceBackend::create.
- CVE-2021-45482: A use-after-free in WebCore::ContainerNode::firstChild.
- CVE-2021-45483: A use-after-free in WebCore::Frame::page.
ImportantSUSE bug 1195064SUSE bug 1195735CVE-2021-30934 at SUSECVE-2021-30934 at NVDCVE-2021-30936 at SUSECVE-2021-30936 at NVDCVE-2021-30951 at SUSECVE-2021-30951 at NVDCVE-2021-30952 at SUSECVE-2021-30952 at NVDCVE-2021-30953 at SUSECVE-2021-30953 at NVDCVE-2021-30954 at SUSECVE-2021-30954 at NVDCVE-2021-30984 at SUSECVE-2021-30984 at NVDCVE-2021-45481 at SUSECVE-2021-45481 at NVDCVE-2021-45482 at SUSECVE-2021-45482 at NVDCVE-2021-45483 at SUSECVE-2021-45483 at NVDCVE-2022-22589 at SUSECVE-2022-22589 at NVDCVE-2022-22590 at SUSECVE-2022-22590 at NVDCVE-2022-22592 at SUSECVE-2022-22592 at NVDCVE-2022-22594 at SUSECVE-2022-22594 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for expat (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for expat fixes the following issues:
- CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
- CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
- CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
- CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
- CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).
ImportantSUSE bug 1196025SUSE bug 1196026SUSE bug 1196168SUSE bug 1196169SUSE bug 1196171CVE-2022-25235 at SUSECVE-2022-25235 at NVDCVE-2022-25236 at SUSECVE-2022-25236 at NVDCVE-2022-25313 at SUSECVE-2022-25313 at NVDCVE-2022-25314 at SUSECVE-2022-25314 at NVDCVE-2022-25315 at SUSECVE-2022-25315 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for zsh (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for zsh fixes the following issues:
- CVE-2021-45444: Fixed a vulnerability where arbitrary shell commands could be
executed related to prompt expansion (bsc#1196435).
- CVE-2019-20044: Fixed a vulnerability where shell privileges would not be
properly dropped when unsetting the PRIVILEGED option (bsc#1163882).
- CVE-2018-1100: Fixed a potential code execution via a stack-based buffer
overflow in utils.c:checkmailpath() (bsc#1089030).
ImportantSUSE bug 1089030SUSE bug 1163882SUSE bug 1196435CVE-2018-1100 at SUSECVE-2018-1100 at NVDCVE-2019-20044 at SUSECVE-2019-20044 at NVDCVE-2021-45444 at SUSECVE-2021-45444 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
Transient execution side-channel attacks attacking the Branch History Buffer (BHB),
named 'Branch Target Injection' and 'Intra-Mode Branch History Injection' are now mitigated.
The following security bugs were fixed:
- CVE-2022-0001: Fixed Branch History Injection vulnerability (bsc#1191580).
- CVE-2022-0002: Fixed Intra-Mode Branch Target Injection vulnerability (bsc#1191580).
- CVE-2022-0617: Fixed a null pointer dereference in UDF file system functionality. A local user could crash the system by triggering udf_file_write_iter() via a malicious UDF image. (bsc#1196079)
- CVE-2022-0492: Fixed a privilege escalation related to cgroups v1 release_agent feature, which allowed bypassing namespace isolation unexpectedly (bsc#1195543).
- CVE-2022-24448: Fixed an issue in fs/nfs/dir.c. If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should have occured, but the server instead returned uninitialized data in the file descriptor (bsc#1195612).
- CVE-2021-0920: Fixed a local privilege escalation due to a use-after-free bug in unix_gc (bsc#1193731).
- CVE-2016-10905: Fixed a use-after-free is gfs2_clear_rgrpd() and read_rindex_entry() (bsc#1146312).
ImportantSUSE bug 1146312SUSE bug 1185973SUSE bug 1191580SUSE bug 1193731SUSE bug 1194463SUSE bug 1195536SUSE bug 1195543SUSE bug 1195612SUSE bug 1195908SUSE bug 1195939SUSE bug 1196079SUSE bug 1196612CVE-2016-10905 at SUSECVE-2016-10905 at NVDCVE-2021-0920 at SUSECVE-2021-0920 at NVDCVE-2022-0001 at SUSECVE-2022-0001 at NVDCVE-2022-0002 at SUSECVE-2022-0002 at NVDCVE-2022-0492 at SUSECVE-2022-0492 at NVDCVE-2022-0617 at SUSECVE-2022-0617 at NVDCVE-2022-24448 at SUSECVE-2022-24448 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.6.1 ESR (bsc#1196809):
- CVE-2022-26485: Use-after-free in XSLT parameter processing
- CVE-2022-26486: Use-after-free in WebGPU IPC Framework
ImportantSUSE bug 1196809CVE-2022-26485 at SUSECVE-2022-26485 at NVDCVE-2022-26486 at SUSECVE-2022-26486 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for webkit2gtk3 fixes the following issues:
Update to version 2.34.6 (bsc#1196133):
- CVE-2022-22620: Processing maliciously crafted web content may have lead to arbitrary code execution.
ImportantSUSE bug 1196133CVE-2022-22620 at SUSECVE-2022-22620 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libcaca (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for libcaca fixes the following issues:
- CVE-2021-30498, CVE-2021-30499: If an image has a size of 0x0, when exporting, no
data is written and space is allocated for the header only, not taking into
account that sprintf appends a NUL byte (bsc#1184751, bsc#1184752).
ImportantSUSE bug 1184751SUSE bug 1184752CVE-2021-30498 at SUSECVE-2021-30498 at NVDCVE-2021-30499 at SUSECVE-2021-30499 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.7.0 ESR (bsc#1196900):
- CVE-2022-26383: Browser window spoof using fullscreen mode
- CVE-2022-26384: iframe allow-scripts sandbox bypass
- CVE-2022-26387: Time-of-check time-of-use bug when verifying add-on signatures
- CVE-2022-26381: Use-after-free in text reflows
- CVE-2022-26386: Temporary files downloaded to /tmp and accessible by other local users
ImportantSUSE bug 1196900CVE-2022-26381 at SUSECVE-2022-26381 at NVDCVE-2022-26383 at SUSECVE-2022-26383 at NVDCVE-2022-26384 at SUSECVE-2022-26384 at NVDCVE-2022-26386 at SUSECVE-2022-26386 at NVDCVE-2022-26387 at SUSECVE-2022-26387 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for expat (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for expat fixes the following issues:
- Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).
ImportantSUSE bug 1196025SUSE bug 1196784CVE-2022-25236 at SUSECVE-2022-25236 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for openssl (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for openssl fixes the following issues:
- CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (bsc#1196877).
ImportantSUSE bug 1196877CVE-2022-0778 at SUSECVE-2022-0778 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for java-1_8_0-openjdk fixes the following issues:
Update to version jdk8u322 (icedtea-3.22.0)
Including the following security fixes:
- CVE-2022-21248, bsc#1194926: Enhance cross VM serialization
- CVE-2022-21283, bsc#1194937: Better String matching
- CVE-2022-21293, bsc#1194935: Improve String constructions
- CVE-2022-21294, bsc#1194934: Enhance construction of Identity maps
- CVE-2022-21282, bsc#1194933: Better resolution of URIs
- CVE-2022-21296, bsc#1194932: Improve SAX Parser configuration management
- CVE-2022-21299, bsc#1194931: Improved scanning of XML entities
- CVE-2022-21305, bsc#1194939: Better array indexing
- CVE-2022-21340, bsc#1194940: Verify Jar Verification
- CVE-2022-21341, bsc#1194941: Improve serial forms for transport
- CVE-2022-21349: Improve Solaris font rendering
- CVE-2022-21360, bsc#1194929: Enhance BMP image support
- CVE-2022-21365, bsc#1194928: Enhanced BMP processing
ImportantSUSE bug 1193314SUSE bug 1193444SUSE bug 1193491SUSE bug 1194926SUSE bug 1194928SUSE bug 1194929SUSE bug 1194931SUSE bug 1194932SUSE bug 1194933SUSE bug 1194934SUSE bug 1194935SUSE bug 1194937SUSE bug 1194939SUSE bug 1194940SUSE bug 1194941SUSE bug 1195163CVE-2022-21248 at SUSECVE-2022-21248 at NVDCVE-2022-21282 at SUSECVE-2022-21282 at NVDCVE-2022-21283 at SUSECVE-2022-21283 at NVDCVE-2022-21293 at SUSECVE-2022-21293 at NVDCVE-2022-21294 at SUSECVE-2022-21294 at NVDCVE-2022-21296 at SUSECVE-2022-21296 at NVDCVE-2022-21299 at SUSECVE-2022-21299 at NVDCVE-2022-21305 at SUSECVE-2022-21305 at NVDCVE-2022-21340 at SUSECVE-2022-21340 at NVDCVE-2022-21341 at SUSECVE-2022-21341 at NVDCVE-2022-21349 at SUSECVE-2022-21349 at NVDCVE-2022-21360 at SUSECVE-2022-21360 at NVDCVE-2022-21365 at SUSECVE-2022-21365 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for glibc (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for glibc fixes the following issues:
- CVE-2022-23219: Fixed buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)
- CVE-2022-23218: Fixed buffer overflow in sunrpc svcunix_create (bsc#1194770)
- CVE-2021-3999: Fixed getcwd to set errno to ERANGE for size == 1 (bsc#1194640)
ImportantSUSE bug 1194640SUSE bug 1194768SUSE bug 1194770CVE-2021-3999 at SUSECVE-2021-3999 at NVDCVE-2022-23218 at SUSECVE-2022-23218 at NVDCVE-2022-23219 at SUSECVE-2022-23219 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS
This update for apache2 fixes the following issues:
- CVE-2022-23943: heap out-of-bounds write in mod_sed (bsc#1197098).
- CVE-2022-22720: HTTP request smuggling due to incorrect error handling (bsc#1197095).
- CVE-2022-22719: use of uninitialized value of in r:parsebody in mod_lua (bsc#1197091).
- CVE-2022-22721: possible buffer overflow with very large or unlimited LimitXMLRequestBody (bsc#1197096).
ImportantSUSE bug 1197091SUSE bug 1197095SUSE bug 1197096SUSE bug 1197098CVE-2022-22719 at SUSECVE-2022-22719 at NVDCVE-2022-22720 at SUSECVE-2022-22720 at NVDCVE-2022-22721 at SUSECVE-2022-22721 at NVDCVE-2022-23943 at SUSECVE-2022-23943 at NVDcpe:/o:suse:sles-ltss:12:sp3Security update for libssh2_org (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libssh2_org fixes the following issues:
- Fix the previous fix for CVE-2019-3860 (bsc#1136570, bsc#1128481)
(Out-of-bounds reads with specially crafted SFTP packets)
ModerateSUSE bug 1128481SUSE bug 1136570CVE-2019-3860 at SUSECVE-2019-3860 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for postgresql10 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for postgresql10 to version 10.9 fixes the following issue:
Security issue fixed:
- CVE-2019-10164: Fixed buffer-overflow vulnerabilities in SCRAM verifier parsing (bsc#1138034).
More information at https://www.postgresql.org/docs/10/release-10-9.html
ImportantSUSE bug 1138034CVE-2019-10164 at SUSECVE-2019-10164 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for glib2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for glib2 fixes the following issues:
Security issue fixed:
- CVE-2019-13012: Fixed improper restriction of file permissions when creating directories (bsc#1139959).
Non-security issue fixed:
- Added explicit requires between libglib2 and libgio2 (bsc#1140122).
ImportantSUSE bug 1139959SUSE bug 1140122CVE-2019-13012 at SUSECVE-2019-13012 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox, mozilla-nss fixes the following issues:
MozillaFirefox to version ESR 60.8:
- CVE-2019-9811: Sandbox escape via installation of malicious language pack (bsc#1140868).
- CVE-2019-11711: Script injection within domain through inner window reuse (bsc#1140868).
- CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects (bsc#1140868).
- CVE-2019-11713: Use-after-free with HTTP/2 cached stream (bsc#1140868).
- CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (bsc#1140868).
- CVE-2019-11715: HTML parsing error can contribute to content XSS (bsc#1140868).
- CVE-2019-11717: Caret character improperly escaped in origins (bsc#1140868).
- CVE-2019-11719: Out-of-bounds read when importing curve25519 private key (bsc#1140868).
- CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin (bsc#1140868).
- CVE-2019-11709: Multiple Memory safety bugs fixed (bsc#1140868).
mozilla-nss to version 3.44.1:
* Added IPSEC IKE support to softoken
* Many new FIPS test cases
ImportantSUSE bug 1140868CVE-2019-11709 at SUSECVE-2019-11709 at NVDCVE-2019-11711 at SUSECVE-2019-11711 at NVDCVE-2019-11712 at SUSECVE-2019-11712 at NVDCVE-2019-11713 at SUSECVE-2019-11713 at NVDCVE-2019-11715 at SUSECVE-2019-11715 at NVDCVE-2019-11717 at SUSECVE-2019-11717 at NVDCVE-2019-11719 at SUSECVE-2019-11719 at NVDCVE-2019-11729 at SUSECVE-2019-11729 at NVDCVE-2019-11730 at SUSECVE-2019-11730 at NVDCVE-2019-9811 at SUSECVE-2019-9811 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for ucode-intel fixes the following issues:
This update contains the Intel QSR 2019.1 Microcode release (bsc#1111331)
Four new speculative execution information leak issues have been identified in Intel CPUs. (bsc#1111331)
- CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
- CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)
- CVE-2018-12130: Microarchitectural Load Port Data Samling (MLPDS)
- CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
These updates contain the CPU Microcode adjustments for the software mitigations.
For more information on this set of vulnerabilities, check out https://www.suse.com/support/kb/doc/?id=7023736
Release notes:
---- updated platforms ------------------------------------
SNB-E/EN/EP C1/M0 6-2d-6/6d 0000061d->0000061f Xeon E3/E5, Core X
SNB-E/EN/EP C2/M1 6-2d-7/6d 00000714->00000718 Xeon E3/E5, Core X
ImportantSUSE bug 1111331CVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for glibc (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for glibc fixes the following issues:
Security issues fixed:
- CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308).
- CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223).
Non-security issues fixed:
- Added cfi information for start routines in order to stop unwinding on S390 (bsc#1128574).
ModerateSUSE bug 1127223SUSE bug 1127308SUSE bug 1128574CVE-2009-5155 at SUSECVE-2009-5155 at NVDCVE-2019-9169 at SUSECVE-2019-9169 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for bzip2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for bzip2 fixes the following issues:
- Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities
with files that used many selectors (bsc#1139083).
ImportantSUSE bug 1139083CVE-2019-12900 at SUSECVE-2019-12900 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for polkit (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for polkit fixes the following issues:
Security issue fixed:
- CVE-2019-6133: Fixed improper caching of auth decisions, which could bypass
uid checking in the interactive backend (bsc#1121826).
ImportantSUSE bug 1121826CVE-2019-6133 at SUSECVE-2019-6133 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_8_0-openjdk to version 8u222 fixes the following issues:
Security issues fixed:
- CVE-2019-2745: Improved ECC Implementation (bsc#1141784).
- CVE-2019-2762: Exceptional throw cases (bsc#1141782).
- CVE-2019-2766: Improve file protocol handling (bsc#1141789).
- CVE-2019-2769: Better copies of CopiesList (bsc#1141783).
- CVE-2019-2786: More limited privilege usage (bsc#1141787).
- CVE-2019-2816: Normalize normalization (bsc#1141785).
- CVE-2019-2842: Extended AES support (bsc#1141786).
- CVE-2019-7317: Improve PNG support (bsc#1141780).
- Certificate validation improvements
Non-security issue fixed:
- Fixed an issue where the installation failed when the manpages are not present (bsc#1115375)
ImportantSUSE bug 1115375SUSE bug 1141780SUSE bug 1141782SUSE bug 1141783SUSE bug 1141784SUSE bug 1141785SUSE bug 1141786SUSE bug 1141787SUSE bug 1141789CVE-2019-2745 at SUSECVE-2019-2745 at NVDCVE-2019-2762 at SUSECVE-2019-2762 at NVDCVE-2019-2766 at SUSECVE-2019-2766 at NVDCVE-2019-2769 at SUSECVE-2019-2769 at NVDCVE-2019-2786 at SUSECVE-2019-2786 at NVDCVE-2019-2816 at SUSECVE-2019-2816 at NVDCVE-2019-2842 at SUSECVE-2019-2842 at NVDCVE-2019-7317 at SUSECVE-2019-7317 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python3 fixes the following issues:
- CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).
- CVE-2018-14647: Fixed a denial of service vulnerability caused by a crafted XML document (bsc#1109847).
- CVE-2018-1000802: Fixed a command injection in the shutil module (bsc#1109663).
ImportantSUSE bug 1109663SUSE bug 1109847SUSE bug 1138459CVE-2018-1000802 at SUSECVE-2018-1000802 at NVDCVE-2018-14647 at SUSECVE-2018-14647 at NVDCVE-2019-10160 at SUSECVE-2019-10160 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for evince (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for evince fixes the following issues:
Security issues fixed:
- CVE-2019-11459: Fixed an improper error handling in which could have led to use of uninitialized use of memory (bsc#1133037).
- CVE-2019-1010006: Fixed a buffer overflow in backend/tiff/tiff-document.c (bsc#1141619).
ImportantSUSE bug 1133037SUSE bug 1141619CVE-2019-1010006 at SUSECVE-2019-1010006 at NVDCVE-2019-11459 at SUSECVE-2019-11459 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for squid (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for squid fixes the following issues:
Security issue fixed:
- CVE-2019-12529: Fixed a potential denial of service associated with HTTP Basic Authentication credentials (bsc#1141329).
- CVE-2019-12525: Fixed a denial of service during processing of HTTP Digest Authentication credentials (bsc#1141332).
- CVE-2019-13345: Fixed a cross site scripting vulnerability via user_name or auth parameter in cachemgr.cgi (bsc#1140738).
ModerateSUSE bug 1140738SUSE bug 1141329SUSE bug 1141332CVE-2019-12525 at SUSECVE-2019-12525 at NVDCVE-2019-12529 at SUSECVE-2019-12529 at NVDCVE-2019-13345 at SUSECVE-2019-13345 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for python (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python fixes the following issues:
- CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).
- CVE-2018-20852: Fixed an information leak where cookies could be send to the wrong server because of incorrect domain validation (bsc#1141853).
ImportantSUSE bug 1138459SUSE bug 1141853CVE-2018-20852 at SUSECVE-2018-20852 at NVDCVE-2019-10160 at SUSECVE-2019-10160 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for postgresql96 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for postgresql96 fixes the following issues:
Security issue fixed:
- CVE-2019-10208: Fixed arbitrary SQL execution via suitable SECURITY DEFINER function under the identity of the function owner (bsc#1145092).
ImportantSUSE bug 1145092CVE-2019-10208 at SUSECVE-2019-10208 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libvirt (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libvirt fixes the following issues:
Security issues fixed:
- CVE-2019-10161: Fixed virDomainSaveImageGetXMLDesc API which could accept a path
parameter pointing anywhere on the system and potentially leading to execution
of a malicious file with root privileges by libvirtd (bsc#1138301).
- CVE-2019-10167: Fixed an issue with virConnectGetDomainCapabilities API which
could have been used to execute arbitrary emulators (bsc#1138303).
Non-security issues fixed:
- Fixed an issue with short bitmaps when setting vcpu affinity using the vcpupin (bsc#1138734).
- Added support for overriding max threads per process limit (bsc#1133719)
ImportantSUSE bug 1133719SUSE bug 1138301SUSE bug 1138303SUSE bug 1138734CVE-2019-10161 at SUSECVE-2019-10161 at NVDCVE-2019-10167 at SUSECVE-2019-10167 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-BCL
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2019-1125: Enable Spectre v1 swapgs mitigations (bsc#1139358).
- CVE-2018-20855: An issue was discovered in create_qp_common in drivers/infiniband/hw/mlx5/qp.c, mlx5_ib_create_qp_resp was never initialized, resulting in a leak of stack memory to userspace (bsc#1143045).
- CVE-2019-14284: The drivers/block/floppy.c allowed a denial of service by setup_format_params division-by-zero. Two consecutive ioctls can trigger the bug: the first one should set the drive geometry with .sect and .rate values that make F_SECT_PER_TRACK be zero. Next, the floppy format operation should be called. It can be triggered by an unprivileged local user even when a floppy disk has not been inserted. NOTE: QEMU creates the floppy device by default (bsc#1143189).
- CVE-2019-14283: The function set_geometry in drivers/block/floppy.c did not validate the sect and head fields, as demonstrated by an integer overflow and out-of-bounds read. It can be triggered by an unprivileged local user when a floppy disk has been inserted. NOTE: QEMU creates the floppy device by default (bsc#1143191).
- CVE-2019-11810: A NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c. This causes a Denial of Service, related to a use-after-free (bsc#1134399).
- CVE-2019-13648: In the Linux kernel on the powerpc platform, when hardware transactional memory is disabled, a local user can cause a denial of service (TM Bad Thing exception and system crash) via a sigreturn() system call that sends a crafted signal frame. This affects arch/powerpc/kernel/signal_32.c and arch/powerpc/kernel/signal_64.c (bnc#1142254).
- CVE-2019-13631: In parse_hid_report_descriptor in drivers/input/tablet/gtco.c, a malicious USB device can send an HID report that triggers an out-of-bounds write during generation of debugging messages (bsc#1142023).
- CVE-2019-15118: Fixed kernel stack exhaustion in check_input_term in sound/usb/mixer.c via mishandled recursion (bnc#1145922).
- CVE-2019-15117: Fixed out-of-bounds memory access in parse_audio_mixer_unit in sound/usb/mixer.c via mishandled short descriptor (bnc#1145920).
- CVE-2019-3819: A flaw was fixed in the function hid_debug_events_read() in drivers/hid/hid-debug.c file which may have enter an infinite loop with certain parameters passed from a userspace. A local privileged user ('root') could have caused a system lock up and a denial of service (bnc#1123161).
- CVE-2019-10207: Check for missing tty operations in bluetooth/hci_uart (bsc#1142857).
- CVE-2018-20856: Fixed a use-after-free issue in block/blk-core.c, where certain error case are mishandled (bnc#1143048).
The following non-security bugs were fixed:
- cifs: do not log STATUS_NOT_FOUND errors for DFS (bsc#1125674).
- dlm: Fix saving of NULL callbacks (bsc#1135365).
- bcache: Revert 'bcache: fix high CPU occupancy during journal' (bsc#1140652, bsc#1144288).
- bcache: Revert 'bcache: free heap cache_set->flush_btree in bch_journal_free' (bsc#1140652, bsc#1144288).
- bcache: add reclaimed_journal_buckets to struct cache_set (bsc#1140652, bsc#1144288).
- bcache: fix race in btree_flush_write() (bsc#1140652, bsc#1144288).
- bcache: fix stack corruption by PRECEDING_KEY() (bsc#1130972, bsc#1144257).
- bcache: only set BCACHE_DEV_WB_RUNNING when cached device attached (bsc#1130972, bsc#1144273).
- bcache: performance improvement for btree_flush_write() (bsc#1140652, bsc#1144288).
- bcache: remove retry_flush_write from struct cache_set (bsc#1140652, bsc#1144288).
- bonding: Force slave speed check after link state recovery for 802.3ad (bsc#1137584).
- clocksource: Defer override invalidation unless clock is unstable (bsc#1139826).
- kvm: mmu: Fix overflow on kvm mmu page limit calculation (bsc#1135335).
- kvmclock: fix TSC calibration for nested guests (bsc#1133860, jsc#PM-1211).
- mm, page_alloc: fix has_unmovable_pages for HugePages (bsc#1127034).
- powerpc/watchpoint: Restore NV GPRs while returning from exception (bsc#1140945, bsc#1141401, bsc#1141402, bsc#1141452, bsc#1141453, bsc#1141454).
- qla2xxx: performance degradation when enabling blk-mq (bsc#1128977).
- qlge: Deduplicate lbq_buf_size (bsc#1106061).
- qlge: Deduplicate rx buffer queue management (bsc#1106061).
- qlge: Factor out duplicated expression (bsc#1106061).
- qlge: Fix dma_sync_single calls (bsc#1106061).
- qlge: Fix irq masking in INTx mode (bsc#1106061).
- qlge: Refill empty buffer queues from wq (bsc#1106061).
- qlge: Refill rx buffers up to multiple of 16 (bsc#1106061).
- qlge: Remove bq_desc.maplen (bsc#1106061).
- qlge: Remove irq_cnt (bsc#1106061).
- qlge: Remove page_chunk.last_flag (bsc#1106061).
- qlge: Remove qlge_bq.len size (bsc#1106061).
- qlge: Remove rx_ring.sbq_buf_size (bsc#1106061).
- qlge: Remove rx_ring.type (bsc#1106061).
- qlge: Remove useless dma synchronization calls (bsc#1106061).
- qlge: Remove useless memset (bsc#1106061).
- qlge: Replace memset with assignment (bsc#1106061).
- qlge: Update buffer queue prod index despite oom (bsc#1106061).
- rbd: flush rbd_dev->watch_dwork after watch is unregistered (bsc#1143333).
- rbd: retry watch re-registration periodically (bsc#1143333).
- sched/fair: Do not free p->numa_faults with concurrent readers (bsc#1144920).
- sched/fair: Use RCU accessors consistently for ->numa_group (bsc#1144920).
- scsi: virtio_scsi: let host do exception handling (bsc#1141181).
- x86: mm: fix fast GUP with hyper-based TLB flushing (VM Functionality, bsc#1140903).
- x86: tsc: Add X86_FEATURE_TSC_KNOWN_FREQ flag (bsc#1133860, jsc#PM-1211).
- xen: let alloc_xenballooned_pages() fail if not enough memory free (XSA-300).
ImportantSUSE bug 1106061SUSE bug 1123161SUSE bug 1125674SUSE bug 1127034SUSE bug 1128977SUSE bug 1130972SUSE bug 1133860SUSE bug 1134399SUSE bug 1135335SUSE bug 1135365SUSE bug 1137584SUSE bug 1139358SUSE bug 1139826SUSE bug 1140652SUSE bug 1140903SUSE bug 1140945SUSE bug 1141181SUSE bug 1141401SUSE bug 1141402SUSE bug 1141452SUSE bug 1141453SUSE bug 1141454SUSE bug 1142023SUSE bug 1142254SUSE bug 1142857SUSE bug 1143045SUSE bug 1143048SUSE bug 1143189SUSE bug 1143191SUSE bug 1143333SUSE bug 1144257SUSE bug 1144273SUSE bug 1144288SUSE bug 1144920SUSE bug 1145920SUSE bug 1145922CVE-2018-20855 at SUSECVE-2018-20855 at NVDCVE-2018-20856 at SUSECVE-2018-20856 at NVDCVE-2019-10207 at SUSECVE-2019-10207 at NVDCVE-2019-1125 at SUSECVE-2019-1125 at NVDCVE-2019-11810 at SUSECVE-2019-11810 at NVDCVE-2019-13631 at SUSECVE-2019-13631 at NVDCVE-2019-13648 at SUSECVE-2019-13648 at NVDCVE-2019-14283 at SUSECVE-2019-14283 at NVDCVE-2019-14284 at SUSECVE-2019-14284 at NVDCVE-2019-15117 at SUSECVE-2019-15117 at NVDCVE-2019-15118 at SUSECVE-2019-15118 at NVDCVE-2019-3819 at SUSECVE-2019-3819 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for perl (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for perl fixes the following issues:
Security issue fixed:
- CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674).
ImportantSUSE bug 1114674CVE-2018-18311 at SUSECVE-2018-18311 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libsolv, libzypp, zypper (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libsolv, libzypp and zypper fixes the following issues:
libsolv was updated to version 0.6.36 and fixes the following issues:
Security issues fixed:
- CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
- CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
- CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).
Non-security issues fixed:
- Made cleandeps jobs on patterns work (bsc#1137977).
- Fixed an issue multiversion packages that obsolete their own name (bsc#1127155).
- Keep consistent package name if there are multiple alternatives (bsc#1131823).
Fixes for libzypp:
- Fixes a bug where locking the kernel was not possible (bsc#1113296)
- Fixes a file descriptor leak (bsc#1116995)
- Will now run file conflict check on dry-run (best with download-only) (bsc#1140039)
Fixes for zypper:
- Fixes a bug where the wrong exit code was set when refreshing repos if --root was used (bsc#1134226)
- Improved the displaying of locks (bsc#1112911)
- Fixes an issue where `https` repository urls caused an error prompt to appear twice (bsc#1110542)
- zypper will now always warn when no repositories are defined (bsc#1109893)
- Fixes bash completion option detection (bsc#1049825)
ModerateSUSE bug 1049825SUSE bug 1109893SUSE bug 1110542SUSE bug 1111319SUSE bug 1112911SUSE bug 1113296SUSE bug 1116995SUSE bug 1120629SUSE bug 1120630SUSE bug 1120631SUSE bug 1127155SUSE bug 1131823SUSE bug 1134226SUSE bug 1137977SUSE bug 1140039SUSE bug 1145521CVE-2018-20532 at SUSECVE-2018-20532 at NVDCVE-2018-20533 at SUSECVE-2018-20533 at NVDCVE-2018-20534 at SUSECVE-2018-20534 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_7_1-ibm fixes the following issues:
Update to Java 7.1 Service Refresh 4 Fix Pack 50.
Security issues fixed:
- CVE-2019-11771: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-11775: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-4473: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-7317: Fixed issue inside Component AWT (libpng)(bsc#1141780).
- CVE-2019-2769: Fixed issue inside Component Utilities (bsc#1141783).
- CVE-2019-2762: Fixed issue inside Component Utilities (bsc#1141782).
- CVE-2019-2816: Fixed issue inside Component Networking (bsc#1141785).
- CVE-2019-2766: Fixed issue inside Component Networking (bsc#1141789).
ImportantSUSE bug 1141780SUSE bug 1141782SUSE bug 1141783SUSE bug 1141785SUSE bug 1141789SUSE bug 1147021CVE-2019-11771 at SUSECVE-2019-11771 at NVDCVE-2019-11775 at SUSECVE-2019-11775 at NVDCVE-2019-2762 at SUSECVE-2019-2762 at NVDCVE-2019-2766 at SUSECVE-2019-2766 at NVDCVE-2019-2769 at SUSECVE-2019-2769 at NVDCVE-2019-2816 at SUSECVE-2019-2816 at NVDCVE-2019-4473 at SUSECVE-2019-4473 at NVDCVE-2019-7317 at SUSECVE-2019-7317 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for curl (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for curl fixes the following issues:
Security issue fixed:
- CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496).
ImportantSUSE bug 1149496CVE-2019-5482 at SUSECVE-2019-5482 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for webkit2gtk3 fixes the following issues:
Updated to version 2.24.4 (bsc#1148931).
Security issues fixed:
- CVE-2019-8644, CVE-2019-8649, CVE-2019-8658, CVE-2019-8669, CVE-2019-8678,
CVE-2019-8680, CVE-2019-8683, CVE-2019-8684, CVE-2019-8688, CVE-2019-8595,
CVE-2019-8607, CVE-2019-8615, CVE-2019-8644, CVE-2019-8649, CVE-2019-8658,
CVE-2019-8666, CVE-2019-8669, CVE-2019-8671, CVE-2019-8672, CVE-2019-8673,
CVE-2019-8676, CVE-2019-8677, CVE-2019-8678, CVE-2019-8679, CVE-2019-8680,
CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8686, CVE-2019-8687,
CVE-2019-8688, CVE-2019-8689, CVE-2019-8690
Non-security issues fixed:
- Improved loading of multimedia streams to avoid memory exhaustion due to excessive caching.
- Updated the user agent string to make happy certain websites which would claim that the browser being used was unsupported.
ImportantSUSE bug 1135715SUSE bug 1148931CVE-2019-8595 at SUSECVE-2019-8595 at NVDCVE-2019-8607 at SUSECVE-2019-8607 at NVDCVE-2019-8615 at SUSECVE-2019-8615 at NVDCVE-2019-8644 at SUSECVE-2019-8644 at NVDCVE-2019-8649 at SUSECVE-2019-8649 at NVDCVE-2019-8658 at SUSECVE-2019-8658 at NVDCVE-2019-8666 at SUSECVE-2019-8666 at NVDCVE-2019-8669 at SUSECVE-2019-8669 at NVDCVE-2019-8671 at SUSECVE-2019-8671 at NVDCVE-2019-8672 at SUSECVE-2019-8672 at NVDCVE-2019-8673 at SUSECVE-2019-8673 at NVDCVE-2019-8676 at SUSECVE-2019-8676 at NVDCVE-2019-8677 at SUSECVE-2019-8677 at NVDCVE-2019-8678 at SUSECVE-2019-8678 at NVDCVE-2019-8679 at SUSECVE-2019-8679 at NVDCVE-2019-8680 at SUSECVE-2019-8680 at NVDCVE-2019-8681 at SUSECVE-2019-8681 at NVDCVE-2019-8683 at SUSECVE-2019-8683 at NVDCVE-2019-8684 at SUSECVE-2019-8684 at NVDCVE-2019-8686 at SUSECVE-2019-8686 at NVDCVE-2019-8687 at SUSECVE-2019-8687 at NVDCVE-2019-8688 at SUSECVE-2019-8688 at NVDCVE-2019-8689 at SUSECVE-2019-8689 at NVDCVE-2019-8690 at SUSECVE-2019-8690 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_8_0-ibm fixes the following issues:
Update to Java 8.0 Service Refresh 5 Fix Pack 40.
Security issues fixed:
- CVE-2019-11771: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-11772: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-11775: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-4473: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-7317: Fixed issue inside Component AWT (libpng)(bsc#1141780).
- CVE-2019-2769: Fixed issue inside Component Utilities (bsc#1141783).
- CVE-2019-2762: Fixed issue inside Component Utilities (bsc#1141782).
- CVE-2019-2816: Fixed issue inside Component Networking (bsc#1141785).
- CVE-2019-2766: Fixed issue inside Component Networking (bsc#1141789).
- CVE-2019-2786: Fixed issue inside Component Security (bsc#1141787).
ImportantSUSE bug 1122292SUSE bug 1122299SUSE bug 1141780SUSE bug 1141782SUSE bug 1141783SUSE bug 1141785SUSE bug 1141787SUSE bug 1141789SUSE bug 1147021CVE-2018-11212 at SUSECVE-2018-11212 at NVDCVE-2019-11771 at SUSECVE-2019-11771 at NVDCVE-2019-11772 at SUSECVE-2019-11772 at NVDCVE-2019-11775 at SUSECVE-2019-11775 at NVDCVE-2019-2449 at SUSECVE-2019-2449 at NVDCVE-2019-2762 at SUSECVE-2019-2762 at NVDCVE-2019-2766 at SUSECVE-2019-2766 at NVDCVE-2019-2769 at SUSECVE-2019-2769 at NVDCVE-2019-2786 at SUSECVE-2019-2786 at NVDCVE-2019-2816 at SUSECVE-2019-2816 at NVDCVE-2019-4473 at SUSECVE-2019-4473 at NVDCVE-2019-7317 at SUSECVE-2019-7317 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for ibus (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for ibus fixes the following issues:
Security issue fixed:
- CVE-2019-14822: Fixed a misconfiguration of the DBus server that allowed an unprivileged user to monitor and send method calls to the ibus bus of another user. (bsc#1150011)
ImportantSUSE bug 1150011CVE-2019-14822 at SUSECVE-2019-14822 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for openssl fixes the following issues:
OpenSSL Security Advisory [10 September 2019]
- CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance (bsc#1150003).
- CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250).
ModerateSUSE bug 1150003SUSE bug 1150250CVE-2019-1547 at SUSECVE-2019-1547 at NVDCVE-2019-1563 at SUSECVE-2019-1563 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox to ESR 60.9 fixes the following issues:
Security issues fixed:
- CVE-2019-11742: Fixed a same-origin policy violation involving SVG filters and canvas to steal cross-origin images. (bsc#1149303)
- CVE-2019-11746: Fixed a use-after-free while manipulating video. (bsc#1149297)
- CVE-2019-11744: Fixed an XSS caused by breaking out of title and textarea elements using innerHTML. (bsc#1149304)
- CVE-2019-11753: Fixed a privilege escalation with Mozilla Maintenance Service in custom Firefox installation location. (bsc#1149295)
- CVE-2019-11752: Fixed a use-after-free while extracting a key value in IndexedDB. (bsc#1149296)
- CVE-2019-11743: Fixed a timing side-channel attack on cross-origin information, utilizing unload event attributes. (bsc#1149298)
- CVE-2019-11740: Fixed several memory safety bugs. (bsc#1149299)
ImportantSUSE bug 1149294SUSE bug 1149295SUSE bug 1149296SUSE bug 1149297SUSE bug 1149298SUSE bug 1149299SUSE bug 1149303SUSE bug 1149304SUSE bug 1149324CVE-2019-11740 at SUSECVE-2019-11740 at NVDCVE-2019-11742 at SUSECVE-2019-11742 at NVDCVE-2019-11743 at SUSECVE-2019-11743 at NVDCVE-2019-11744 at SUSECVE-2019-11744 at NVDCVE-2019-11746 at SUSECVE-2019-11746 at NVDCVE-2019-11752 at SUSECVE-2019-11752 at NVDCVE-2019-11753 at SUSECVE-2019-11753 at NVDCVE-2019-9812 at SUSECVE-2019-9812 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for dovecot22 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for dovecot22 fixes the following issues:
- CVE-2019-11500: Fixed a potential remote code execution in the IMAP and ManageSieve protocol parsers (bsc#1145559).
ImportantSUSE bug 1145559CVE-2019-11500 at SUSECVE-2019-11500 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for ghostscript (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for ghostscript to 9.27 fixes the following issues:
Security issues fixed:
- CVE-2019-3835: Fixed an unauthorized file system access caused by an available superexec operator. (bsc#1129180)
- CVE-2019-3839: Fixed an unauthorized file system access caused by available privileged operators. (bsc#1134156)
- CVE-2019-12973: Fixed a denial-of-service vulnerability in the OpenJPEG function opj_t1_encode_cblks. (bsc#1140359)
- CVE-2019-14811: Fixed a safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator. (bsc#1146882)
- CVE-2019-14812: Fixed a safer mode bypass by .forceput exposure in setuserparams. (bsc#1146882)
- CVE-2019-14813: Fixed a safer mode bypass by .forceput exposure in setsystemparams. (bsc#1146882)
- CVE-2019-14817: Fixed a safer mode bypass by .forceput exposure in .pdfexectoken and other procedures. (bsc#1146884)
ImportantSUSE bug 1129180SUSE bug 1131863SUSE bug 1134156SUSE bug 1140359SUSE bug 1146882SUSE bug 1146884CVE-2019-12973 at SUSECVE-2019-12973 at NVDCVE-2019-14811 at SUSECVE-2019-14811 at NVDCVE-2019-14812 at SUSECVE-2019-14812 at NVDCVE-2019-14813 at SUSECVE-2019-14813 at NVDCVE-2019-14817 at SUSECVE-2019-14817 at NVDCVE-2019-3835 at SUSECVE-2019-3835 at NVDCVE-2019-3839 at SUSECVE-2019-3839 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libgcrypt (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libgcrypt fixes the following issues:
Security issues fixed:
- CVE-2019-13627: Mitigated ECDSA timing attack. (bsc#1148987)
ModerateSUSE bug 1148987CVE-2019-13627 at SUSECVE-2019-13627 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
Updated to new ESR version 68.1 (bsc#1149323).
In addition to the already fixed vulnerabilities released in previous ESR updates,
the following were also fixed:
CVE-2019-11751, CVE-2019-11736, CVE-2019-9812, CVE-2019-11748, CVE-2019-11749,
CVE-2019-11750, CVE-2019-11738, CVE-2019-11747, CVE-2019-11735.
Several run-time issues were also resolved (bsc#1117473, bsc#1124525, bsc#1133810).
The version displayed in Help > About is now correct (bsc#1087200).
ImportantSUSE bug 1087200SUSE bug 1109465SUSE bug 1117473SUSE bug 1123482SUSE bug 1124525SUSE bug 1133810SUSE bug 1140868SUSE bug 1145665SUSE bug 1149323CVE-2019-11709 at SUSECVE-2019-11709 at NVDCVE-2019-11710 at SUSECVE-2019-11710 at NVDCVE-2019-11711 at SUSECVE-2019-11711 at NVDCVE-2019-11712 at SUSECVE-2019-11712 at NVDCVE-2019-11713 at SUSECVE-2019-11713 at NVDCVE-2019-11714 at SUSECVE-2019-11714 at NVDCVE-2019-11715 at SUSECVE-2019-11715 at NVDCVE-2019-11716 at SUSECVE-2019-11716 at NVDCVE-2019-11717 at SUSECVE-2019-11717 at NVDCVE-2019-11718 at SUSECVE-2019-11718 at NVDCVE-2019-11719 at SUSECVE-2019-11719 at NVDCVE-2019-11720 at SUSECVE-2019-11720 at NVDCVE-2019-11721 at SUSECVE-2019-11721 at NVDCVE-2019-11723 at SUSECVE-2019-11723 at NVDCVE-2019-11724 at SUSECVE-2019-11724 at NVDCVE-2019-11725 at SUSECVE-2019-11725 at NVDCVE-2019-11727 at SUSECVE-2019-11727 at NVDCVE-2019-11728 at SUSECVE-2019-11728 at NVDCVE-2019-11729 at SUSECVE-2019-11729 at NVDCVE-2019-11730 at SUSECVE-2019-11730 at NVDCVE-2019-11733 at SUSECVE-2019-11733 at NVDCVE-2019-11735 at SUSECVE-2019-11735 at NVDCVE-2019-11736 at SUSECVE-2019-11736 at NVDCVE-2019-11738 at SUSECVE-2019-11738 at NVDCVE-2019-11740 at SUSECVE-2019-11740 at NVDCVE-2019-11742 at SUSECVE-2019-11742 at NVDCVE-2019-11743 at SUSECVE-2019-11743 at NVDCVE-2019-11744 at SUSECVE-2019-11744 at NVDCVE-2019-11746 at SUSECVE-2019-11746 at NVDCVE-2019-11747 at SUSECVE-2019-11747 at NVDCVE-2019-11748 at SUSECVE-2019-11748 at NVDCVE-2019-11749 at SUSECVE-2019-11749 at NVDCVE-2019-11750 at SUSECVE-2019-11750 at NVDCVE-2019-11751 at SUSECVE-2019-11751 at NVDCVE-2019-11752 at SUSECVE-2019-11752 at NVDCVE-2019-11753 at SUSECVE-2019-11753 at NVDCVE-2019-9811 at SUSECVE-2019-9811 at NVDCVE-2019-9812 at SUSECVE-2019-9812 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for binutils (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for binutils fixes the following issues:
binutils was updated to current 2.32 branch @7b468db3 [jsc#ECO-368]:
Includes the following security fixes:
- CVE-2018-17358: Fixed invalid memory access in _bfd_stab_section_find_nearest_line in syms.c (bsc#1109412)
- CVE-2018-17359: Fixed invalid memory access exists in bfd_zalloc in opncls.c (bsc#1109413)
- CVE-2018-17360: Fixed heap-based buffer over-read in bfd_getl32 in libbfd.c (bsc#1109414)
- CVE-2018-17985: Fixed a stack consumption problem caused by the cplus_demangle_type (bsc#1116827)
- CVE-2018-18309: Fixed an invalid memory address dereference was discovered in read_reloc in reloc.c (bsc#1111996)
- CVE-2018-18483: Fixed get_count function provided by libiberty that allowed attackers to cause a denial of service or other unspecified impact (bsc#1112535)
- CVE-2018-18484: Fixed stack exhaustion in the C++ demangling functions provided by libiberty, caused by recursive stack frames (bsc#1112534)
- CVE-2018-18605: Fixed a heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup causing a denial of service (bsc#1113255)
- CVE-2018-18606: Fixed a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments, causing denial of service (bsc#1113252)
- CVE-2018-18607: Fixed a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section, causing denial of service (bsc#1113247)
- CVE-2018-19931: Fixed a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h (bsc#1118831)
- CVE-2018-19932: Fixed an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA (bsc#1118830)
- CVE-2018-20623: Fixed a use-after-free in the error function in elfcomm.c (bsc#1121035)
- CVE-2018-20651: Fixed a denial of service via a NULL pointer dereference in elf_link_add_object_symbols in elflink.c (bsc#1121034)
- CVE-2018-20671: Fixed an integer overflow that can trigger a heap-based buffer overflow in load_specific_debug_section in objdump.c (bsc#1121056)
- CVE-2018-1000876: Fixed integer overflow in bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc in objdump (bsc#1120640)
- CVE-2019-1010180: Fixed an out of bound memory access that could lead to crashes (bsc#1142772)
- Enable xtensa architecture (Tensilica lc6 and related)
- Use -ffat-lto-objects in order to provide assembly for static libs
(bsc#1141913).
- Fixed some LTO problems (bsc#1133131 bsc#1133232).
- riscv: Don't check ABI flags if no code section
Update to binutils 2.32:
* The binutils now support for the C-SKY processor series.
* The x86 assembler now supports a -mvexwig=[0|1] option to control
encoding of VEX.W-ignored (WIG) VEX instructions.
It also has a new -mx86-used-note=[yes|no] option to generate (or
not) x86 GNU property notes.
* The MIPS assembler now supports the Loongson EXTensions R2 (EXT2),
the Loongson EXTensions (EXT) instructions, the Loongson Content
Address Memory (CAM) ASE and the Loongson MultiMedia extensions
Instructions (MMI) ASE.
* The addr2line, c++filt, nm and objdump tools now have a default
limit on the maximum amount of recursion that is allowed whilst
demangling strings. This limit can be disabled if necessary.
* Objdump's --disassemble option can now take a parameter,
specifying the starting symbol for disassembly. Disassembly will
continue from this symbol up to the next symbol or the end of the
function.
* The BFD linker will now report property change in linker map file
when merging GNU properties.
* The BFD linker's -t option now doesn't report members within
archives, unless -t is given twice. This makes it more useful
when generating a list of files that should be packaged for a
linker bug report.
* The GOLD linker has improved warning messages for relocations that
refer to discarded sections.
- Improve relro support on s390 [fate#326356]
- Handle ELF compressed header alignment correctly.
ModerateSUSE bug 1109412SUSE bug 1109413SUSE bug 1109414SUSE bug 1111996SUSE bug 1112534SUSE bug 1112535SUSE bug 1113247SUSE bug 1113252SUSE bug 1113255SUSE bug 1116827SUSE bug 1118830SUSE bug 1118831SUSE bug 1120640SUSE bug 1121034SUSE bug 1121035SUSE bug 1121056SUSE bug 1133131SUSE bug 1133232SUSE bug 1141913SUSE bug 1142772CVE-2018-1000876 at SUSECVE-2018-1000876 at NVDCVE-2018-17358 at SUSECVE-2018-17358 at NVDCVE-2018-17359 at SUSECVE-2018-17359 at NVDCVE-2018-17360 at SUSECVE-2018-17360 at NVDCVE-2018-17985 at SUSECVE-2018-17985 at NVDCVE-2018-18309 at SUSECVE-2018-18309 at NVDCVE-2018-18483 at SUSECVE-2018-18483 at NVDCVE-2018-18484 at SUSECVE-2018-18484 at NVDCVE-2018-18605 at SUSECVE-2018-18605 at NVDCVE-2018-18606 at SUSECVE-2018-18606 at NVDCVE-2018-18607 at SUSECVE-2018-18607 at NVDCVE-2018-19931 at SUSECVE-2018-19931 at NVDCVE-2018-19932 at SUSECVE-2018-19932 at NVDCVE-2018-20623 at SUSECVE-2018-20623 at NVDCVE-2018-20651 at SUSECVE-2018-20651 at NVDCVE-2018-20671 at SUSECVE-2018-20671 at NVDCVE-2019-1010180 at SUSECVE-2019-1010180 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for sudo (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for sudo fixes the following issues:
Security issue fixed:
- CVE-2019-14287: Fixed an issue where a user with sudo privileges
that allowed them to run commands with an arbitrary uid, could
run commands as root, despite being forbidden to do so in sudoers
(bsc#1153674).
ImportantSUSE bug 1153674CVE-2019-14287 at SUSECVE-2019-14287 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libpcap (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libpcap fixes the following issues:
- CVE-2019-15165: Added sanity checks for PHB header length before allocating memory (bsc#1153332).
- CVE-2018-16301: Fixed a buffer overflow (bsc#1153332).
ImportantSUSE bug 1153332CVE-2018-16301 at SUSECVE-2018-16301 at NVDCVE-2019-15165 at SUSECVE-2019-15165 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xen fixes the following issues:
Security issues fixed:
- CVE-2019-15890: Fixed a use-after-free in SLiRP networking implementation of QEMU emulator
which could have led to Denial of Service (bsc#1149813).
- CVE-2019-12068: Fixed an issue in lsi which could lead to an infinite loop and denial of
service (bsc#1146874).
- CVE-2019-14378: Fixed a heap buffer overflow in SLiRp networking implementation of QEMU
emulator which could have led to execution of arbitrary code with privileges of the
QEMU process (bsc#1143797).
Other issue fixed:
- Fixed an issue where libxenlight could not restore domain vsa6535522 on live migration (bsc#1133818).
ImportantSUSE bug 1126140SUSE bug 1126141SUSE bug 1126192SUSE bug 1126195SUSE bug 1126196SUSE bug 1126197SUSE bug 1126198SUSE bug 1126201SUSE bug 1127400SUSE bug 1133818SUSE bug 1143797SUSE bug 1146874SUSE bug 1149813CVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDCVE-2019-12068 at SUSECVE-2019-12068 at NVDCVE-2019-14378 at SUSECVE-2019-14378 at NVDCVE-2019-15890 at SUSECVE-2019-15890 at NVDCVE-2019-17340 at SUSECVE-2019-17340 at NVDCVE-2019-17341 at SUSECVE-2019-17341 at NVDCVE-2019-17342 at SUSECVE-2019-17342 at NVDCVE-2019-17343 at SUSECVE-2019-17343 at NVDCVE-2019-17344 at SUSECVE-2019-17344 at NVDCVE-2019-17345 at SUSECVE-2019-17345 at NVDCVE-2019-17346 at SUSECVE-2019-17346 at NVDCVE-2019-17347 at SUSECVE-2019-17347 at NVDCVE-2019-17348 at SUSECVE-2019-17348 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for nfs-utils (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for nfs-utils fixes the following issues:
- CVE-2019-3689: Fixed root-owned files stored in insecure /var/lib/nfs. (bsc#1150733)
ModerateSUSE bug 1150733CVE-2019-3689 at SUSECVE-2019-3689 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox to 68.2.0 ESR fixes the following issues:
Mozilla Firefox was updated to version 68.2.0 ESR (bsc#1154738).
Security issues fixed:
- CVE-2019-15903: Fixed a heap overflow in the expat library (bsc#1149429).
- CVE-2019-11757: Fixed a use-after-free when creating index updates in IndexedDB (bsc#1154738).
- CVE-2019-11758: Fixed a potentially exploitable crash due to 360 Total Security (bsc#1154738).
- CVE-2019-11759: Fixed a stack buffer overflow in HKDF output (bsc#1154738).
- CVE-2019-11760: Fixed a stack buffer overflow in WebRTC networking (bsc#1154738).
- CVE-2019-11761: Fixed an unintended access to a privileged JSONView object (bsc#1154738).
- CVE-2019-11762: Fixed a same-origin-property violation (bsc#1154738).
- CVE-2019-11763: Fixed an XSS bypass (bsc#1154738).
- CVE-2019-11764: Fixed several memory safety bugs (bsc#1154738).
Non-security issues fixed:
- Firefox 60.7 ESR changed the user interface language (bsc#1137990).
- Wrong Firefox GUI Language (bsc#1120374).
- Fixed an inadvertent crash report transmission without user opt-in (bsc#1074235).
- Firefox hangs randomly when browsing and scrolling (bsc#1043008).
- Firefox stops loading page until mouse is moved (bsc#1025108).
ImportantSUSE bug 1010399SUSE bug 1010405SUSE bug 1010406SUSE bug 1010408SUSE bug 1010409SUSE bug 1010421SUSE bug 1010423SUSE bug 1010424SUSE bug 1010425SUSE bug 1010426SUSE bug 1025108SUSE bug 1043008SUSE bug 1047281SUSE bug 1074235SUSE bug 1092611SUSE bug 1120374SUSE bug 1137990SUSE bug 1149429SUSE bug 1154738SUSE bug 959933SUSE bug 983922CVE-2016-2830 at SUSECVE-2016-2830 at NVDCVE-2016-5289 at SUSECVE-2016-5289 at NVDCVE-2016-5292 at SUSECVE-2016-5292 at NVDCVE-2016-9063 at SUSECVE-2016-9063 at NVDCVE-2016-9067 at SUSECVE-2016-9067 at NVDCVE-2016-9068 at SUSECVE-2016-9068 at NVDCVE-2016-9069 at SUSECVE-2016-9069 at NVDCVE-2016-9071 at SUSECVE-2016-9071 at NVDCVE-2016-9073 at SUSECVE-2016-9073 at NVDCVE-2016-9075 at SUSECVE-2016-9075 at NVDCVE-2016-9076 at SUSECVE-2016-9076 at NVDCVE-2016-9077 at SUSECVE-2016-9077 at NVDCVE-2017-7789 at SUSECVE-2017-7789 at NVDCVE-2018-5150 at SUSECVE-2018-5150 at NVDCVE-2018-5151 at SUSECVE-2018-5151 at NVDCVE-2018-5152 at SUSECVE-2018-5152 at NVDCVE-2018-5153 at SUSECVE-2018-5153 at NVDCVE-2018-5154 at SUSECVE-2018-5154 at NVDCVE-2018-5155 at SUSECVE-2018-5155 at NVDCVE-2018-5157 at SUSECVE-2018-5157 at NVDCVE-2018-5158 at SUSECVE-2018-5158 at NVDCVE-2018-5159 at SUSECVE-2018-5159 at NVDCVE-2018-5160 at SUSECVE-2018-5160 at NVDCVE-2018-5163 at SUSECVE-2018-5163 at NVDCVE-2018-5164 at SUSECVE-2018-5164 at NVDCVE-2018-5165 at SUSECVE-2018-5165 at NVDCVE-2018-5166 at SUSECVE-2018-5166 at NVDCVE-2018-5167 at SUSECVE-2018-5167 at NVDCVE-2018-5168 at SUSECVE-2018-5168 at NVDCVE-2018-5169 at SUSECVE-2018-5169 at NVDCVE-2018-5172 at SUSECVE-2018-5172 at NVDCVE-2018-5173 at SUSECVE-2018-5173 at NVDCVE-2018-5174 at SUSECVE-2018-5174 at NVDCVE-2018-5175 at SUSECVE-2018-5175 at NVDCVE-2018-5176 at SUSECVE-2018-5176 at NVDCVE-2018-5177 at SUSECVE-2018-5177 at NVDCVE-2018-5178 at SUSECVE-2018-5178 at NVDCVE-2018-5179 at SUSECVE-2018-5179 at NVDCVE-2018-5180 at SUSECVE-2018-5180 at NVDCVE-2018-5181 at SUSECVE-2018-5181 at NVDCVE-2018-5182 at SUSECVE-2018-5182 at NVDCVE-2018-5183 at SUSECVE-2018-5183 at NVDCVE-2019-11757 at SUSECVE-2019-11757 at NVDCVE-2019-11758 at SUSECVE-2019-11758 at NVDCVE-2019-11759 at SUSECVE-2019-11759 at NVDCVE-2019-11760 at SUSECVE-2019-11760 at NVDCVE-2019-11761 at SUSECVE-2019-11761 at NVDCVE-2019-11762 at SUSECVE-2019-11762 at NVDCVE-2019-11763 at SUSECVE-2019-11763 at NVDCVE-2019-11764 at SUSECVE-2019-11764 at NVDCVE-2019-15903 at SUSECVE-2019-15903 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for samba (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for samba fixes the following issues:
- CVE-2019-10218: Client code can return filenames containing path separators (bsc#1144902).
ImportantSUSE bug 1144902CVE-2019-10218 at SUSECVE-2019-10218 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for gdb (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for gdb fixes the following issues:
Update to gdb 8.3.1: (jsc#ECO-368)
Security issues fixed:
- CVE-2019-1010180: Fixed a potential buffer overflow when loading ELF sections larger than the file. (bsc#1142772)
Upgrade libipt from v2.0 to v2.0.1.
- Enable librpm for version > librpm.so.3 [bsc#1145692]:
* Allow any librpm.so.x
* Add %build test to check for 'zypper install <rpm-packagename>'
message
- Copy gdbinit from fedora master @ 25caf28. Add
gdbinit.without-python, and use it for --without=python.
Rebase to 8.3 release (as in fedora 30 @ 1e222a3).
* DWARF index cache: GDB can now automatically save indices of DWARF
symbols on disk to speed up further loading of the same binaries.
* Ada task switching is now supported on aarch64-elf targets when
debugging a program using the Ravenscar Profile.
* Terminal styling is now available for the CLI and the TUI.
* Removed support for old demangling styles arm, edg, gnu, hp and
lucid.
* Support for new native configuration RISC-V GNU/Linux (riscv*-*-linux*).
- Implemented access to more POWER8 registers. [fate#326120, fate#325178]
- Also handle most new s390 arch13 instructions. [fate#327369, jsc#ECO-368]
ModerateSUSE bug 1115034SUSE bug 1142772SUSE bug 1145692CVE-2019-1010180 at SUSECVE-2019-1010180 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libssh2_org (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libssh2_org fixes the following issue:
- CVE-2019-17498: Fixed an integer overflow in a bounds check that might have led to the disclosure of sensitive information or a denial of service (bsc#1154862).
ModerateSUSE bug 1154862CVE-2019-17498 at SUSECVE-2019-17498 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libseccomp (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libseccomp fixes the following issues:
Update to new upstream release 2.4.1:
* Fix a BPF generation bug where the optimizer mistakenly
identified duplicate BPF code blocks.
Updated to 2.4.0 (bsc#1128828 CVE-2019-9893):
* Update the syscall table for Linux v5.0-rc5
* Added support for the SCMP_ACT_KILL_PROCESS action
* Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute
* Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension
* Added support for the parisc and parisc64 architectures
* Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3)
* Return -EDOM on an endian mismatch when adding an architecture to a filter
* Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run()
* Fix PFC generation when a syscall is prioritized, but no rule exists
* Numerous fixes to the seccomp-bpf filter generation code
* Switch our internal hashing function to jhash/Lookup3 to MurmurHash3
* Numerous tests added to the included test suite, coverage now at ~92%
* Update our Travis CI configuration to use Ubuntu 16.04
* Numerous documentation fixes and updates
Update to release 2.3.3:
* Updated the syscall table for Linux v4.15-rc7
Update to release 2.3.2:
* Achieved full compliance with the CII Best Practices program
* Added Travis CI builds to the GitHub repository
* Added code coverage reporting with the '--enable-code-coverage' configure
flag and added Coveralls to the GitHub repository
* Updated the syscall tables to match Linux v4.10-rc6+
* Support for building with Python v3.x
* Allow rules with the -1 syscall if the SCMP\_FLTATR\_API\_TSKIP attribute is
set to true
* Several small documentation fixes
- ignore make check error for ppc64/ppc64le, bypass bsc#1142614
ModerateSUSE bug 1082318SUSE bug 1128828SUSE bug 1142614CVE-2019-9893 at SUSECVE-2019-9893 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-BCL
The SUSE Linux Enterprise 12-SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race
condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine
Exception during Page Size Change, causing the CPU core to be non-functional.
The Linux Kernel kvm hypervisor was adjusted to avoid page size changes in
executable pages by splitting / merging huge pages into small pages as
needed. More information can be found on https://www.suse.com/support/kb/doc/?id=7023735
- CVE-2019-16995: Fix a memory leak in hsr_dev_finalize() if hsr_add_port
failed to add a port, which may have caused denial of service (bsc#1152685).
- CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with
Transactional Memory support could be used to facilitate sidechannel
information leaks out of microarchitectural buffers, similar to the
previously described 'Microarchitectural Data Sampling' attack.
The Linux kernel was supplemented with the option to disable TSX operation
altogether (requiring CPU Microcode updates on older systems) and better
flushing of microarchitectural buffers (VERW).
The set of options available is described in our TID at https://www.suse.com/support/kb/doc/?id=7024251
- CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c did not check the
alloc_workqueue return value, leading to a NULL pointer dereference.
(bsc#1150457).
- CVE-2019-10220: Added sanity checks on the pathnames passed to the user
space. (bsc#1144903).
- CVE-2019-17666: rtlwifi: Fix potential overflow in P2P code (bsc#1154372).
- CVE-2019-17133: cfg80211 wireless extension did not reject a long SSID IE,
leading to a Buffer Overflow (bsc#1153158).
- CVE-2019-16232: Fix a potential NULL pointer dereference in the Marwell
libertas driver (bsc#1150465).
- CVE-2019-16234: iwlwifi pcie driver did not check the alloc_workqueue return
value, leading to a NULL pointer dereference. (bsc#1150452).
- CVE-2019-17055: The AF_ISDN network module in the Linux kernel did not
enforce CAP_NET_RAW, which meant that unprivileged users could create a raw
socket (bnc#1152782).
- CVE-2019-17056: The AF_NFC network module did not enforce CAP_NET_RAW, which
meant that unprivileged users could create a raw socket (bsc#1152788).
- CVE-2019-16413: The 9p filesystem did not protect i_size_write() properly,
which caused an i_size_read() infinite loop and denial of service on SMP
systems (bnc#1151347).
- CVE-2019-15902: A backporting issue was discovered that re-introduced the
Spectre vulnerability it had aimed to eliminate. This occurred because the
backport process depends on cherry picking specific commits, and because two
(correctly ordered) code lines were swapped (bnc#1149376).
- CVE-2019-15291: Fixed a NULL pointer dereference issue that could be caused
by a malicious USB device (bnc#1146519).
- CVE-2019-15807: Fixed a memory leak in the SCSI module that could be abused
to cause denial of service (bnc#1148938).
- CVE-2019-13272: Fixed a mishandled the recording of the credentials of a
process that wants to create a ptrace relationship, which allowed local users
to obtain root access by leveraging certain scenarios with a parent-child
process relationship, where a parent drops privileges and calls execve
(potentially allowing control by an attacker). (bnc#1140671).
- CVE-2019-14821: An out-of-bounds access issue was fixed in the kernel's KVM
hypervisor. An unprivileged host user or process with access to '/dev/kvm'
device could use this flaw to crash the host kernel, resulting in a denial of
service or potentially escalating privileges on the system (bnc#1151350).
- CVE-2019-15505: An out-of-bounds issue had been fixed that could be caused by
crafted USB device traffic (bnc#1147122).
- CVE-2017-18595: A double free in allocate_trace_buffer was fixed
(bnc#1149555).
- CVE-2019-14835: A buffer overflow flaw was found in the kernel's vhost
functionality that translates virtqueue buffers to IOVs. A privileged guest
user able to pass descriptors with invalid length to the host could use this
flaw to increase their privileges on the host (bnc#1150112).
- CVE-2019-15216: A NULL pointer dereference was fixed that could be malicious
USB device (bnc#1146361).
- CVE-2019-15924: A a NULL pointer dereference has been fixed in the
drivers/net/ethernet/intel/fm10k module (bnc#1149612).
- CVE-2019-9456: An out-of-bounds write in the USB monitor driver has been
fixed. This issue could lead to local escalation of privilege with System
execution privileges needed. (bnc#1150025).
- CVE-2019-15926: An out-of-bounds access was fixed in the
drivers/net/wireless/ath/ath6kl module. (bnc#1149527).
- CVE-2019-15927: An out-of-bounds access was fixed in the sound/usb/mixer
module (bnc#1149522).
- CVE-2019-15666: There was an out-of-bounds array access in the net/xfrm
module that could cause denial of service (bnc#1148394).
- CVE-2017-18379: An out-of-boundary access was fixed in the
drivers/nvme/target module (bnc#1143187).
- CVE-2019-15219: A NULL pointer dereference was fixed that could be abused by
a malicious USB device (bnc#1146519 1146524).
- CVE-2019-15220: A use-after-free issue was fixed that could be caused by a
malicious USB device (bnc#1146519 1146526).
- CVE-2019-15221: A NULL pointer dereference was fixed that could be caused by
a malicious USB device (bnc#1146519 1146529).
- CVE-2019-14814: A heap-based buffer overflow was fixed in the marvell wifi
chip driver. That issue allowed local users to cause a denial of service
(system crash) or possibly execute arbitrary code (bnc#1146512).
- CVE-2019-14815: A missing length check while parsing WMM IEs was fixed
(bsc#1146512, bsc#1146514, bsc#1146516).
- CVE-2019-14816: A heap-based buffer overflow in the marvell wifi chip driver
was fixed. Local users would have abused this issue to cause a denial of
service (system crash) or possibly execute arbitrary code (bnc#1146516).
- CVE-2017-18509: An issue in net/ipv6 as fixed. By setting a specific socket
option, an attacker could control a pointer in kernel land and cause an
inet_csk_listen_stop general protection fault, or potentially execute
arbitrary code under certain circumstances. The issue can be triggered as
root (e.g., inside a default LXC container or with the CAP_NET_ADMIN
capability) or after namespace unsharing. (bnc#1145477)
- CVE-2019-9506: The Bluetooth BR/EDR specification used to permit sufficiently
low encryption key length and did not prevent an attacker from influencing
the key length negotiation. This allowed practical brute-force attacks (aka
'KNOB') that could decrypt traffic and inject arbitrary ciphertext without
the victim noticing (bnc#1137865).
- CVE-2019-15098: A NULL pointer dereference in drivers/net/wireless/ath was
fixed (bnc#1146378).
- CVE-2019-15290: A NULL pointer dereference in ath6kl_usb_alloc_urb_from_pipe
was fixed (bsc#1146378).
- CVE-2019-15239: A incorrect patch to net/ipv4 was fixed. By adding to a write
queue between disconnection and re-connection, a local attacker could trigger
multiple use-after-free conditions. This could result in kernel crashes or
potentially in privilege escalation. (bnc#1146589)
- CVE-2019-15212: A double-free issue was fixed in drivers/usb driver
(bnc#1146391).
- CVE-2016-10906: A use-after-free issue was fixed in drivers/net/ethernet/arc
(bnc#1146584).
- CVE-2019-15211: A use-after-free issue caused by a malicious USB device was
fixed in the drivers/media/v4l2-core driver (bnc#1146519).
- CVE-2019-15217: A a NULL pointer dereference issue caused by a malicious USB
device was fixed in the drivers/media/usb/zr364xx driver (bnc#1146519).
- CVE-2019-15214: An a use-after-free issue in the sound subsystem was fixed
(bnc#1146519).
- CVE-2019-15218: A NULL pointer dereference caused by a malicious USB device
was fixed in the drivers/media/usb/siano driver (bnc#1146413).
- CVE-2019-15215: A use-after-free issue caused by a malicious USB device was
fixed in the drivers/media/usb/cpia2 driver (bnc#1146425).
- CVE-2018-20976: A use-after-free issue was fixed in the fs/xfs driver
(bnc#1146285).
- CVE-2017-18551: An out-of-bounds write was fixed in the drivers/i2c driver
(bnc#1146163).
- CVE-2019-0154: An unprotected read access to i915 registers has been fixed
that could have been abused to facilitate a local denial-of-service attack.
(bsc#1135966)
- CVE-2019-0155: A privilege escalation vulnerability has been fixed in the
i915 module that allowed batch buffers from user mode to gain super user
privileges. (bsc#1135967)
The following non-security bugs were fixed:
- array_index_nospec: Sanitize speculative array (bsc#1155671)
- bonding/802.3ad: fix link_failure_count tracking (bsc#1141013).
- bonding/802.3ad: fix slave link initialization transition states (bsc#1141013).
- bonding: correctly update link status during mii-commit phase (bsc#1141013).
- bonding: fix active-backup transition (bsc#1141013).
- bonding: make speed, duplex setting consistent with link state (bsc#1141013).
- bonding: ratelimit failed speed/duplex update warning (bsc#1141013).
- bonding: require speed/duplex only for 802.3ad, alb and tlb (bsc#1141013).
- bonding: set default miimon value for non-arp modes if not set (bsc#1141013).
- bonding: speed/duplex update at NETDEV_UP event (bsc#1141013).
- cifs: fix panic in smb2_reconnect (bsc#1142458).
- cifs: handle netapp error codes (bsc#1136261).
- cpu/speculation: Uninline and export CPU mitigations helpers (bnc#1117665).
- ib/core, ipoib: Do not overreact to SM LID change event (bsc#1154103)
- ib/core: Add mitigation for Spectre V1 (bsc#1155671)
- ixgbe: sync the first fragment unconditionally (bsc#1133140).
- kvm: Convert kvm_lock to a mutex (bsc#1117665).
- kvm: lapic: cap __delay at lapic_timer_advance_ns (bsc#1149083).
- kvm: mmu: drop vcpu param in gpte_access (bsc#1117665).
- kvm: mmu: introduce kvm_mmu_gfn_{allow,disallow}_lpage (bsc#1117665).
- kvm: mmu: rename has_wrprotected_page to mmu_gfn_lpage_is_disallowed (bsc#1117665).
- kvm: vmx, svm: always run with EFER.NXE=1 when shadow paging is active (bsc#1117665).
- kvm: x86, powerpc: do not allow clearing largepages debugfs entry (bsc#1117665).
- kvm: x86: Do not release the page inside mmu_set_spte() (bsc#1117665).
- kvm: x86: MMU: Consolidate quickly_check_mmio_pf() and is_mmio_page_fault() (bsc#1117665).
- kvm: x86: MMU: Encapsulate the type of rmap-chain head in a new struct (bsc#1117665).
- kvm: x86: MMU: Move handle_mmio_page_fault() call to kvm_mmu_page_fault() (bsc#1117665).
- kvm: x86: MMU: Move initialization of parent_ptes out from kvm_mmu_alloc_page() (bsc#1117665).
- kvm: x86: MMU: Move parent_pte handling from kvm_mmu_get_page() to link_shadow_page() (bsc#1117665).
- kvm: x86: MMU: Remove unused parameter parent_pte from kvm_mmu_get_page() (bsc#1117665).
- kvm: x86: MMU: always set accessed bit in shadow PTEs (bsc#1117665).
- kvm: x86: Reduce the overhead when lapic_timer_advance is disabled (bsc#1149083).
- kvm: x86: add tracepoints around __direct_map and FNAME(fetch) (bsc#1117665).
- kvm: x86: adjust kvm_mmu_page member to save 8 bytes (bsc#1117665).
- kvm: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON (bsc#1117665).
- kvm: x86: extend usage of RET_MMIO_PF_* constants (bsc#1117665).
- kvm: x86: make FNAME(fetch) and __direct_map more similar (bsc#1117665).
- kvm: x86: mmu: Apply global mitigations knob to ITLB_MULTIHIT (bnc#1117665).
- kvm: x86: move nsec_to_cycles from x86.c to x86.h (bsc#1149083).
- kvm: x86: remove now unneeded hugepage gfn adjustment (bsc#1117665).
- kvm: x86: simplify ept_misconfig (bsc#1117665).
- media: smsusb: better handle optional alignment (bsc#1146413).
- pci: hv: Use bytes 4 and 5 from instance ID as the PCI domain numbers (bsc#1153263).
- powerpc/64s: support nospectre_v2 cmdline option (bsc#1131107).
- powerpc/pseries: correctly track irq state in default idle (bsc#1150727 bsc#1150942 ltc#178925 ltc#181484).
- powerpc/rtas: use device model APIs and serialization during LPM (bsc#1144123 ltc#178840).
- powerpc/security: Show powerpc_security_features in debugfs (bsc#1131107).
- scsi: scsi_transport_fc: Drop double list_del() (bsc#1084878) During the backport of 260f4aeddb48 ('scsi: scsi_transport_fc: return -EBUSY for deleted vport') an additional list_del() was introduced. The list entry will be freed in fc_vport_terminate(). Do not free it premature in fc_remove_host().
- swiotlb: Add support for DMA_ATTR_SKIP_CPU_SYNC in Xen-swiotlb unmap path (bsc#1133140).
- vmci: Release resource if the work is already queued (bsc#1051510).
- x86/cpu: Add Atom Tremont (Jacobsville) (bsc#1117665).
ImportantSUSE bug 1051510SUSE bug 1084878SUSE bug 1117665SUSE bug 1131107SUSE bug 1133140SUSE bug 1135966SUSE bug 1135967SUSE bug 1136261SUSE bug 1137865SUSE bug 1139073SUSE bug 1140671SUSE bug 1141013SUSE bug 1141054SUSE bug 1142458SUSE bug 1143187SUSE bug 1144123SUSE bug 1144903SUSE bug 1145477SUSE bug 1146042SUSE bug 1146163SUSE bug 1146285SUSE bug 1146361SUSE bug 1146378SUSE bug 1146391SUSE bug 1146413SUSE bug 1146425SUSE bug 1146512SUSE bug 1146514SUSE bug 1146516SUSE bug 1146519SUSE bug 1146524SUSE bug 1146526SUSE bug 1146529SUSE bug 1146540SUSE bug 1146543SUSE bug 1146547SUSE bug 1146550SUSE bug 1146584SUSE bug 1146589SUSE bug 1147022SUSE bug 1147122SUSE bug 1148394SUSE bug 1148938SUSE bug 1149083SUSE bug 1149376SUSE bug 1149522SUSE bug 1149527SUSE bug 1149555SUSE bug 1149612SUSE bug 1150025SUSE bug 1150112SUSE bug 1150452SUSE bug 1150457SUSE bug 1150465SUSE bug 1150727SUSE bug 1150942SUSE bug 1151347SUSE bug 1151350SUSE bug 1152685SUSE bug 1152782SUSE bug 1152788SUSE bug 1153158SUSE bug 1153263SUSE bug 1154103SUSE bug 1154372SUSE bug 1155131SUSE bug 1155671CVE-2016-10906 at SUSECVE-2016-10906 at NVDCVE-2017-18379 at SUSECVE-2017-18379 at NVDCVE-2017-18509 at SUSECVE-2017-18509 at NVDCVE-2017-18551 at SUSECVE-2017-18551 at NVDCVE-2017-18595 at SUSECVE-2017-18595 at NVDCVE-2018-12207 at SUSECVE-2018-12207 at NVDCVE-2018-20976 at SUSECVE-2018-20976 at NVDCVE-2019-0154 at SUSECVE-2019-0154 at NVDCVE-2019-0155 at SUSECVE-2019-0155 at NVDCVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-11135 at SUSECVE-2019-11135 at NVDCVE-2019-13272 at SUSECVE-2019-13272 at NVDCVE-2019-14814 at SUSECVE-2019-14814 at NVDCVE-2019-14815 at SUSECVE-2019-14815 at NVDCVE-2019-14816 at SUSECVE-2019-14816 at NVDCVE-2019-14821 at SUSECVE-2019-14821 at NVDCVE-2019-14835 at SUSECVE-2019-14835 at NVDCVE-2019-15098 at SUSECVE-2019-15098 at NVDCVE-2019-15211 at SUSECVE-2019-15211 at NVDCVE-2019-15212 at SUSECVE-2019-15212 at NVDCVE-2019-15214 at SUSECVE-2019-15214 at NVDCVE-2019-15215 at SUSECVE-2019-15215 at NVDCVE-2019-15216 at SUSECVE-2019-15216 at NVDCVE-2019-15217 at SUSECVE-2019-15217 at NVDCVE-2019-15218 at SUSECVE-2019-15218 at NVDCVE-2019-15219 at SUSECVE-2019-15219 at NVDCVE-2019-15220 at SUSECVE-2019-15220 at NVDCVE-2019-15221 at SUSECVE-2019-15221 at NVDCVE-2019-15239 at SUSECVE-2019-15239 at NVDCVE-2019-15290 at SUSECVE-2019-15290 at NVDCVE-2019-15291 at SUSECVE-2019-15291 at NVDCVE-2019-15505 at SUSECVE-2019-15505 at NVDCVE-2019-15666 at SUSECVE-2019-15666 at NVDCVE-2019-15807 at SUSECVE-2019-15807 at NVDCVE-2019-15902 at SUSECVE-2019-15902 at NVDCVE-2019-15924 at SUSECVE-2019-15924 at NVDCVE-2019-15926 at SUSECVE-2019-15926 at NVDCVE-2019-15927 at SUSECVE-2019-15927 at NVDCVE-2019-16232 at SUSECVE-2019-16232 at NVDCVE-2019-16233 at SUSECVE-2019-16233 at NVDCVE-2019-16234 at SUSECVE-2019-16234 at NVDCVE-2019-16413 at SUSECVE-2019-16413 at NVDCVE-2019-16995 at SUSECVE-2019-16995 at NVDCVE-2019-17055 at SUSECVE-2019-17055 at NVDCVE-2019-17056 at SUSECVE-2019-17056 at NVDCVE-2019-17133 at SUSECVE-2019-17133 at NVDCVE-2019-17666 at SUSECVE-2019-17666 at NVDCVE-2019-9456 at SUSECVE-2019-9456 at NVDCVE-2019-9506 at SUSECVE-2019-9506 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for ucode-intel fixes the following issues:
- Updated to 20191112 security release (bsc#1155988)
- Processor Identifier Version Products
- Model Stepping F-MO-S/PI Old->New
- ---- new platforms ----------------------------------------
- CML-U62 A0 6-a6-0/80 000000c6 Core Gen10 Mobile
- CNL-U D0 6-66-3/80 0000002a Core Gen8 Mobile
- SKX-SP B1 6-55-3/97 01000150 Xeon Scalable
- ICL U/Y D1 6-7e-5/80 00000046 Core Gen10 Mobile
- ---- updated platforms ------------------------------------
- SKL U/Y D0 6-4e-3/c0 000000cc->000000d4 Core Gen6 Mobile
- SKL H/S/E3 R0/N0 6-5e-3/36 000000cc->000000d4 Core Gen6
- AML-Y22 H0 6-8e-9/10 000000b4->000000c6 Core Gen8 Mobile
- KBL-U/Y H0 6-8e-9/c0 000000b4->000000c6 Core Gen7 Mobile
- CFL-U43e D0 6-8e-a/c0 000000b4->000000c6 Core Gen8 Mobile
- WHL-U W0 6-8e-b/d0 000000b8->000000c6 Core Gen8 Mobile
- AML-Y V0 6-8e-c/94 000000b8->000000c6 Core Gen10 Mobile
- CML-U42 V0 6-8e-c/94 000000b8->000000c6 Core Gen10 Mobile
- WHL-U V0 6-8e-c/94 000000b8->000000c6 Core Gen8 Mobile
- KBL-G/X H0 6-9e-9/2a 000000b4->000000c6 Core Gen7/Gen8
- KBL-H/S/E3 B0 6-9e-9/2a 000000b4->000000c6 Core Gen7; Xeon E3 v6
- CFL-H/S/E3 U0 6-9e-a/22 000000b4->000000c6 Core Gen8 Desktop, Mobile, Xeon E
- CFL-S B0 6-9e-b/02 000000b4->000000c6 Core Gen8
- CFL-H R0 6-9e-d/22 000000b8->000000c6 Core Gen9 Mobile
- Includes security fixes for:
- CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073)
- CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035)
- requires coreutils for the %post script (bsc#1154043)
ImportantSUSE bug 1139073SUSE bug 1141035SUSE bug 1154043SUSE bug 1155988CVE-2019-11135 at SUSECVE-2019-11135 at NVDCVE-2019-11139 at SUSECVE-2019-11139 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libjpeg-turbo (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libjpeg-turbo fixes the following issues:
- CVE-2019-2201: Several integer overflow issues and subsequent segfaults occurred in libjpeg-turbo,
when attempting to compress or decompress gigapixel images. [bsc#1156402]
ImportantSUSE bug 1156402CVE-2019-2201 at SUSECVE-2019-2201 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for ghostscript (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for ghostscript fixes the following issue:
- CVE-2019-14869: Fixed a possible dSAFER escape which could have allowed
an attacker to gain high privileges by a specially crafted Postscript
code (bsc#1156275).
ImportantSUSE bug 1156275CVE-2019-14869 at SUSECVE-2019-14869 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for ucode-intel fixes the following issues:
- Updated to 20191112 official security release (bsc#1155988)
- Includes security fixes for:
- CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073)
- CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035)
ImportantSUSE bug 1139073SUSE bug 1141035SUSE bug 1155988CVE-2019-11135 at SUSECVE-2019-11135 at NVDCVE-2019-11139 at SUSECVE-2019-11139 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for sqlite3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for sqlite3 fixes the following issues:
- CVE-2017-2518: Fixed a use-after-free vulnerability which could have
led to buffer overflow via a crafted SQL statement (bsc#1155787).
ImportantSUSE bug 1155787CVE-2017-2518 at SUSECVE-2017-2518 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for cups (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for cups fixes the following issues:
- CVE-2019-8675: Fixed a stack buffer overflow in libcups's asn1_get_type function(bsc#1146358).
- CVE-2019-8696: Fixed a stack buffer overflow in libcups's asn1_get_packed function (bsc#1146359).
ImportantSUSE bug 1146358SUSE bug 1146359CVE-2019-8675 at SUSECVE-2019-8675 at NVDCVE-2019-8696 at SUSECVE-2019-8696 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for clamav (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for clamav fixes the following issues:
Security issue fixed:
- CVE-2019-12625: Fixed a ZIP bomb issue by adding detection and heuristics for zips with overlapping files (bsc#1144504).
- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1149458).
Non-security issues fixed:
- Added the --max-scantime clamscan option and MaxScanTime clamd configuration option (bsc#1144504).
- Increased the startup timeout of clamd to 5 minutes to cater for the grown virus database as a workaround until clamd has learned to talk to systemd to extend the timeout as long as needed (bsc#1151839).
ModerateSUSE bug 1144504SUSE bug 1149458SUSE bug 1151839CVE-2019-12625 at SUSECVE-2019-12625 at NVDCVE-2019-12900 at SUSECVE-2019-12900 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for mailman (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for mailman fixes the following issues:
- CVE-2019-3693: Fixed a local privilege escalation from wwwrun to root (bsc#1154328).
ImportantSUSE bug 1154328CVE-2019-3693 at SUSECVE-2019-3693 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_7_0-openjdk fixes the following issues:
Security issues fixed (October 2019 CPU bsc#1154212):
- CVE-2019-2933: Windows file handling redux
- CVE-2019-2945: Better socket support
- CVE-2019-2949: Better Kerberos ccache handling
- CVE-2019-2958: Build Better Processes
- CVE-2019-2964: Better support for patterns
- CVE-2019-2962: Better Glyph Images
- CVE-2019-2973: Better pattern compilation
- CVE-2019-2978: Improved handling of jar files
- CVE-2019-2981: Better Path supports
- CVE-2019-2983: Better serial attributes
- CVE-2019-2987: Better rendering of native glyphs
- CVE-2019-2988: Better Graphics2D drawing
- CVE-2019-2989: Improve TLS connection support
- CVE-2019-2992: Enhance font glyph mapping
- CVE-2019-2999: Commentary on Javadoc comments
- CVE-2019-2894: Enhance ECDSA operations (bsc#1152856).
ImportantSUSE bug 1152856SUSE bug 1154212CVE-2019-2894 at SUSECVE-2019-2894 at NVDCVE-2019-2933 at SUSECVE-2019-2933 at NVDCVE-2019-2945 at SUSECVE-2019-2945 at NVDCVE-2019-2949 at SUSECVE-2019-2949 at NVDCVE-2019-2958 at SUSECVE-2019-2958 at NVDCVE-2019-2962 at SUSECVE-2019-2962 at NVDCVE-2019-2964 at SUSECVE-2019-2964 at NVDCVE-2019-2973 at SUSECVE-2019-2973 at NVDCVE-2019-2978 at SUSECVE-2019-2978 at NVDCVE-2019-2981 at SUSECVE-2019-2981 at NVDCVE-2019-2983 at SUSECVE-2019-2983 at NVDCVE-2019-2987 at SUSECVE-2019-2987 at NVDCVE-2019-2988 at SUSECVE-2019-2988 at NVDCVE-2019-2989 at SUSECVE-2019-2989 at NVDCVE-2019-2992 at SUSECVE-2019-2992 at NVDCVE-2019-2999 at SUSECVE-2019-2999 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for clamav (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for clamav fixes the following issues:
- CVE-2019-15961: Fixed a denial of service which might occur when
scanning a specially crafted email file as (bsc#1157763).
ImportantSUSE bug 1157763CVE-2019-15961 at SUSECVE-2019-15961 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for permissions (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for permissions fixes the following issues:
- CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid
which could have allowed a squid user to gain persistence by changing the
binary (bsc#1093414).
- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic
links (bsc#1150734).
- Fixed a regression which caused segmentation fault (bsc#1157198).
ModerateSUSE bug 1093414SUSE bug 1150734SUSE bug 1157198CVE-2019-3688 at SUSECVE-2019-3688 at NVDCVE-2019-3690 at SUSECVE-2019-3690 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for strongswan (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for strongswan provides the following fixes:
Security issues fixed:
- CVE-2018-5388: Fixed a buffer underflow which may allow to a remote attacker
with local user credentials to resource exhaustion and denial of service while
reading from the socket (bsc#1094462).
- CVE-2018-10811: Fixed a denial of service during the IKEv2 key derivation if
the openssl plugin is used in FIPS mode and HMAC-MD5 is negotiated as PRF
(bsc#1093536).
- CVE-2018-16151,CVE-2018-16152: Fixed multiple flaws in the gmp plugin which
might lead to authorization bypass (bsc#1107874).
- CVE-2018-17540: Fixed an improper input validation in gmp plugin (bsc#1109845).
Other issues addressed:
- Fixed some client fails when the scep server URL is used with HTTPS protocol (bsc#1071853).
- Reject Diffie-Hellman key exchanges using primes smaller than 1024 bit.
- Handle unexpected informational message from SonicWall. (bsc#1009254)
ImportantSUSE bug 1009254SUSE bug 1071853SUSE bug 1093536SUSE bug 1094462SUSE bug 1107874SUSE bug 1109845CVE-2018-10811 at SUSECVE-2018-10811 at NVDCVE-2018-16151 at SUSECVE-2018-16151 at NVDCVE-2018-16152 at SUSECVE-2018-16152 at NVDCVE-2018-17540 at SUSECVE-2018-17540 at NVDCVE-2018-5388 at SUSECVE-2018-5388 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xen fixes the following issues:
- CVE-2019-19581: Fixed a potential out of bounds on 32-bit Arm (bsc#1158003 XSA-307).
- CVE-2019-19582: Fixed a potential infinite loop when x86 accesses to bitmaps with
a compile time known size of 64 (bsc#1158003 XSA-307).
- CVE-2019-19583: Fixed improper checks which could have allowed HVM/PVH guest userspace
code to crash the guest,leading to a guest denial of service (bsc#1158004 XSA-308).
- CVE-2019-19578: Fixed an issue where a malicious or buggy PV guest could have caused
hypervisor crash resulting in denial of service affecting the entire host (bsc#1158005 XSA-309).
- CVE-2019-19580: Fixed a privilege escalation where a malicious PV guest administrator
could have been able to escalate their privilege to that of the host (bsc#1158006 XSA-310).
- CVE-2019-19577: Fixed an issue where a malicious guest administrator could have caused Xen
to access data structures while they are being modified leading to a crash (bsc#1158007 XSA-311).
- CVE-2019-19579: Fixed a privilege escaltion where an untrusted domain with access
to a physical device can DMA into host memory (bsc#1157888 XSA-306).
- CVE-2019-18420: Malicious x86 PV guests may have caused a hypervisor crash,
resulting in a denial of service (bsc#1154448 XSA-296)
- CVE-2019-18425: 32-bit PV guest user mode could elevate its privileges to that
of the guest kernel. (bsc#1154456 XSA-298).
- CVE-2019-18421: A malicious PV guest administrator may have been able to
escalate their privilege to that of the host. (bsc#1154458 XSA-299).
- CVE-2019-18423: A malicious guest administrator may cause a hypervisor crash,
resulting in a denial of service (bsc#1154460 XSA-301).
- CVE-2019-18422: A malicious ARM guest might contrive to arrange for critical
Xen code to run with interrupts erroneously enabled. This could lead to data
corruption, denial of service, or possibly even privilege escalation. However
a precise attack technique has not been identified. (bsc#1154464 XSA-303)
- CVE-2019-18424: An untrusted domain with access to a physical device can DMA
into host memory, leading to privilege escalation. (bsc#1154461 XSA-302).
- CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race
condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine
Exception during Page Size Change, causing the CPU core to be non-functional.
(bsc#1155945 XSA-304)
- CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with
Transactional Memory support could be used to facilitate sidechannel
information leaks out of microarchitectural buffers, similar to the
previously described 'Microarchitectural Data Sampling' attack. (bsc#1152497 XSA-305).
ImportantSUSE bug 1152497SUSE bug 1154448SUSE bug 1154456SUSE bug 1154458SUSE bug 1154460SUSE bug 1154461SUSE bug 1154464SUSE bug 1155945SUSE bug 1157888SUSE bug 1158003SUSE bug 1158004SUSE bug 1158005SUSE bug 1158006SUSE bug 1158007CVE-2018-12207 at SUSECVE-2018-12207 at NVDCVE-2019-11135 at SUSECVE-2019-11135 at NVDCVE-2019-18420 at SUSECVE-2019-18420 at NVDCVE-2019-18421 at SUSECVE-2019-18421 at NVDCVE-2019-18422 at SUSECVE-2019-18422 at NVDCVE-2019-18423 at SUSECVE-2019-18423 at NVDCVE-2019-18424 at SUSECVE-2019-18424 at NVDCVE-2019-18425 at SUSECVE-2019-18425 at NVDCVE-2019-19577 at SUSECVE-2019-19577 at NVDCVE-2019-19578 at SUSECVE-2019-19578 at NVDCVE-2019-19579 at SUSECVE-2019-19579 at NVDCVE-2019-19580 at SUSECVE-2019-19580 at NVDCVE-2019-19581 at SUSECVE-2019-19581 at NVDCVE-2019-19582 at SUSECVE-2019-19582 at NVDCVE-2019-19583 at SUSECVE-2019-19583 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for git (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for git fixes the following issues:
Security issues fixed:
- CVE-2019-1349: Fixed issue on Windows, when submodules are cloned recursively, under certain circumstances Git could be fooled into using the same Git directory twice (bsc#1158787).
- CVE-2019-19604: Fixed a recursive clone followed by a submodule update could execute code contained within the repository without the user explicitly having asked for that (bsc#1158795).
- CVE-2019-1387: Fixed recursive clones that are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones (bsc#1158793).
- CVE-2019-1354: Fixed issue on Windows that refuses to write tracked files with filenames that contain backslashes (bsc#1158792).
- CVE-2019-1353: Fixed issue when run in the Windows Subsystem for Linux while accessing a working directory on a regular Windows drive, none of the NTFS protections were active (bsc#1158791).
- CVE-2019-1352: Fixed issue on Windows was unaware of NTFS Alternate Data Streams (bsc#1158790).
- CVE-2019-1351: Fixed issue on Windows mistakes drive letters outside of the US-English alphabet as relative paths (bsc#1158789).
- CVE-2019-1350: Fixed incorrect quoting of command-line arguments allowed remote code execution during a recursive clone in conjunction with SSH URLs (bsc#1158788).
- CVE-2019-1348: Fixed the --export-marks option of fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths (bsc#1158785).
- Fixed an issue where git send-email fails to authenticate with SMTP server (bsc#1082023)
ImportantSUSE bug 1082023SUSE bug 1158785SUSE bug 1158787SUSE bug 1158788SUSE bug 1158789SUSE bug 1158790SUSE bug 1158791SUSE bug 1158792SUSE bug 1158793SUSE bug 1158795CVE-2019-1348 at SUSECVE-2019-1348 at NVDCVE-2019-1349 at SUSECVE-2019-1349 at NVDCVE-2019-1350 at SUSECVE-2019-1350 at NVDCVE-2019-1351 at SUSECVE-2019-1351 at NVDCVE-2019-1352 at SUSECVE-2019-1352 at NVDCVE-2019-1353 at SUSECVE-2019-1353 at NVDCVE-2019-1354 at SUSECVE-2019-1354 at NVDCVE-2019-1387 at SUSECVE-2019-1387 at NVDCVE-2019-19604 at SUSECVE-2019-19604 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
Mozilla Firefox was updated to 68.3esr (MFSA 2019-37 bsc#1158328)
Security issues fixed:
- CVE-2019-17008: Fixed a use-after-free in worker destruction (bmo#1546331)
- CVE-2019-13722: Fixed a stack corruption due to incorrect number of arguments
in WebRTC code (bmo#1580156)
- CVE-2019-11745: Fixed an out of bounds write in NSS when encrypting with a
block cipher (bmo#1586176)
- CVE-2019-17009: Fixed an issue where updater temporary files accessible to
unprivileged processes (bmo#1510494)
- CVE-2019-17010: Fixed a use-after-free when performing device orientation
checks (bmo#1581084)
- CVE-2019-17005: Fixed a buffer overflow in plain text serializer (bmo#1584170)
- CVE-2019-17011: Fixed a use-after-free when retrieving a document
in antitracking (bmo#1591334)
- CVE-2019-17012: Fixed multiple memmory issues
(bmo#1449736, bmo#1533957, bmo#1560667,bmo#1567209, bmo#1580288, bmo#1585760,
bmo#1592502)
ImportantSUSE bug 1158328CVE-2019-11745 at SUSECVE-2019-11745 at NVDCVE-2019-13722 at SUSECVE-2019-13722 at NVDCVE-2019-17005 at SUSECVE-2019-17005 at NVDCVE-2019-17008 at SUSECVE-2019-17008 at NVDCVE-2019-17009 at SUSECVE-2019-17009 at NVDCVE-2019-17010 at SUSECVE-2019-17010 at NVDCVE-2019-17011 at SUSECVE-2019-17011 at NVDCVE-2019-17012 at SUSECVE-2019-17012 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-BCL
The SUSE Linux Enterprise 12 SP 3 LTSS kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2019-14895: A heap-based buffer overflow was discovered in the Linux kernel in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could have allowed the remote device to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1157158).
- CVE-2019-18660: The Linux kernel on powerpc allowed Information Exposure because the Spectre-RSB mitigation is not in place for all applicable CPUs. This is related to arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c (bnc#1157038).
- CVE-2019-18683: An issue was discovered in drivers/media/platform/vivid in the Linux kernel. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free (bnc#1155897).
- CVE-2019-19062: A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures (bnc#1157333).
- CVE-2019-19065: A memory leak in the sdma_init() function in drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering rhashtable_init() failures (bnc#1157191).
- CVE-2019-19052: A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_usb.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures (bnc#1157324).
- CVE-2019-19074: A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157143).
- CVE-2019-19073: Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the htc_connect_service() function (bnc#1157070).
- CVE-2019-16231: drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 did not check the alloc_workqueue return value, leading to a NULL pointer dereference (bnc#1150466).
- CVE-2019-18805: An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Linux kernel There was a net/ipv4/tcp_input.c signed integer overflow in tcp_ack_update_rtt() when userspace writes a very large integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading to a denial of service or possibly unspecified other impact (bnc#1156187).
- CVE-2019-18680: An issue was discovered in the Linux kernel. There was a NULL pointer dereference in rds_tcp_kill_sock() in net/rds/tcp.c that will cause denial of service (bnc#1155898).
- CVE-2019-15213: An use-after-free was fixed caused by malicious USB device in drivers/media/usb/dvb-usb/dvb-usb-init.c (bsc#1146544).
- CVE-2019-19536: An uninitialized Kernel memory can leak to USB devices in drivers/net/can/usb/peak_usb/pcan_usb_pro.c (bsc#1158394).
- CVE-2019-19534: An uninitialized Kernel memory can leak to USB devices in drivers/net/can/usb/peak_usb/pcan_usb_core.c (bsc#1158398).
- CVE-2019-19530: An use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver (bsc#1158410).
- CVE-2019-19524: An use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver (bsc#1158413).
- CVE-2019-19525: An use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver (bsc#1158417).
- CVE-2019-19531: An use-after-free in yurex_delete may lead to denial of service (bsc#1158445).
- CVE-2019-19523: An use-after-free on disconnect in USB adutux (bsc#1158823).
- CVE-2019-19532: An out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers (bsc#1158824).
- CVE-2019-19332: An out-of-bounds memory write via kvm_dev_ioctl_get_cpuid (bsc#1158827).
- CVE-2019-19533: An info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver (bsc#1158834).
- CVE-2019-19527: An use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver (bsc#1158900).
- CVE-2019-19535: An info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver (bsc#1158903).
- CVE-2019-19537: Two races in the USB character device registration and deregistration routines (bsc#1158904).
- CVE-2019-19338: An incomplete fix for Transaction Asynchronous Abort (TAA) (bsc#1158954).
The following non-security bugs were fixed:
- hyperv: set nvme msi interrupts to unmanaged (jsc#SLE-8953, jsc#SLE-9221, jsc#SLE-4941, bsc#1119461, bsc#1119465, bsc#1138190, bsc#1154905).
- ibmvnic: Bound waits for device queries (bsc#1155689 ltc#182047).
- ibmvnic: Fix completion structure initialization (bsc#1155689 ltc#182047).
- ibmvnic: Serialize device queries (bsc#1155689 ltc#182047).
- ibmvnic: Terminate waiting device threads after loss of service (bsc#1155689 ltc#182047).
- netfilter: nf_nat: do not bug when mapping already exists (bsc#1146612).
- powerpc/security/book3s64: Report L1TF status in sysfs (bsc#1091041).
- powerpc/security: Fix wrong message when RFI Flush is disable (bsc#1131107).
- sched/fair: WARN() and refuse to set buddy when !se->on_rq (bsc#1158132).
- x86/alternatives: Add int3_emulate_call() selftest (bsc#1153811).
- x86/alternatives: Fix int3_emulate_call() selftest stack corruption (bsc#1153811).
- xen/pv: Fix a boot up hang revealed by int3 self test (bsc#1153811).
- arp: Fix cache issue during Life Partition Migration (bsc#1152631).
- futexes: Fix speed on 4.12 kernel (bsc#1157464).
ImportantSUSE bug 1091041SUSE bug 1119461SUSE bug 1119465SUSE bug 1131107SUSE bug 1138190SUSE bug 1146544SUSE bug 1146612SUSE bug 1150466SUSE bug 1150483SUSE bug 1152631SUSE bug 1153811SUSE bug 1154905SUSE bug 1155689SUSE bug 1155897SUSE bug 1155898SUSE bug 1156187SUSE bug 1157038SUSE bug 1157042SUSE bug 1157070SUSE bug 1157143SUSE bug 1157158SUSE bug 1157191SUSE bug 1157324SUSE bug 1157333SUSE bug 1157464SUSE bug 1158132SUSE bug 1158394SUSE bug 1158398SUSE bug 1158410SUSE bug 1158413SUSE bug 1158417SUSE bug 1158445SUSE bug 1158823SUSE bug 1158824SUSE bug 1158827SUSE bug 1158834SUSE bug 1158900SUSE bug 1158903SUSE bug 1158904SUSE bug 1158954CVE-2019-14895 at SUSECVE-2019-14895 at NVDCVE-2019-15213 at SUSECVE-2019-15213 at NVDCVE-2019-16231 at SUSECVE-2019-16231 at NVDCVE-2019-18660 at SUSECVE-2019-18660 at NVDCVE-2019-18680 at SUSECVE-2019-18680 at NVDCVE-2019-18683 at SUSECVE-2019-18683 at NVDCVE-2019-18805 at SUSECVE-2019-18805 at NVDCVE-2019-19052 at SUSECVE-2019-19052 at NVDCVE-2019-19062 at SUSECVE-2019-19062 at NVDCVE-2019-19065 at SUSECVE-2019-19065 at NVDCVE-2019-19073 at SUSECVE-2019-19073 at NVDCVE-2019-19074 at SUSECVE-2019-19074 at NVDCVE-2019-19332 at SUSECVE-2019-19332 at NVDCVE-2019-19338 at SUSECVE-2019-19338 at NVDCVE-2019-19523 at SUSECVE-2019-19523 at NVDCVE-2019-19524 at SUSECVE-2019-19524 at NVDCVE-2019-19525 at SUSECVE-2019-19525 at NVDCVE-2019-19527 at SUSECVE-2019-19527 at NVDCVE-2019-19530 at SUSECVE-2019-19530 at NVDCVE-2019-19531 at SUSECVE-2019-19531 at NVDCVE-2019-19532 at SUSECVE-2019-19532 at NVDCVE-2019-19533 at SUSECVE-2019-19533 at NVDCVE-2019-19534 at SUSECVE-2019-19534 at NVDCVE-2019-19535 at SUSECVE-2019-19535 at NVDCVE-2019-19536 at SUSECVE-2019-19536 at NVDCVE-2019-19537 at SUSECVE-2019-19537 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for freeradius-server (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for freeradius-server fixes the following issues:
- CVE-2019-13456: Fixed a side-channel password leak in EAP-pwd
(bsc#1144524).
- CVE-2019-17185: Fixed a debial of service due to multithreaded
BN_CTX access (bsc#1166847).
- Fixed an issue in TLS-EAP where the OCSP verification, when an
intermediate client certificate was not explicitly trusted
(bsc#1146848).
ModerateSUSE bug 1144524SUSE bug 1146848SUSE bug 1166847CVE-2019-13456 at SUSECVE-2019-13456 at NVDCVE-2019-17185 at SUSECVE-2019-17185 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for cups (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for cups fixes the following issues:
- CVE-2020-3898: Fixed a heap buffer overflow in ppdFindOption() (bsc#1168422).
ImportantSUSE bug 1168422CVE-2020-3898 at SUSECVE-2020-3898 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for pam_radius (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for pam_radius fixes the following issues:
- CVE-2015-9542: Fixed a buffer overflow in password field (bsc#1163933).
- On s390x didn't decrypt passwords correctly (bsc#1141670).
ImportantSUSE bug 1141670SUSE bug 1163933CVE-2015-9542 at SUSECVE-2015-9542 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for webkit2gtk3 to version 2.28.1 fixes the following issues:
Security issues fixed:
- CVE-2020-10018: Fixed a denial of service because the m_deferredFocusedNodeChange data structure was mishandled (bsc#1165528).
- CVE-2020-11793: Fixed a potential arbitrary code execution caused by a use-after-free vulnerability (bsc#1169658).
- CVE-2019-8835: Fixed multiple memory corruption issues (bsc#1161719).
- CVE-2019-8844: Fixed multiple memory corruption issues (bsc#1161719).
- CVE-2019-8846: Fixed a use-after-free issue (bsc#1161719).
- CVE-2020-3862: Fixed a memory handling issue (bsc#1163809).
- CVE-2020-3867: Fixed an XSS issue (bsc#1163809).
- CVE-2020-3868: Fixed multiple memory corruption issues that could have lead to arbitrary code execution (bsc#1163809).
- CVE-2020-3864,CVE-2020-3865: Fixed logic issues in the DOM object context handling (bsc#1163809).
Non-security issues fixed:
- Add API to enable Process Swap on (Cross-site) Navigation.
- Add user messages API for the communication with the web extension.
- Add support for same-site cookies.
- Service workers are enabled by default.
- Add support for Pointer Lock API.
- Add flatpak sandbox support.
- Make ondemand hardware acceleration policy never leave accelerated compositing mode.
- Always use a light theme for rendering form controls.
- Add about:gpu to show information about the graphics stack.
- Fixed issues while trying to play a video on NextCloud.
- Fixed vertical alignment of text containing arabic diacritics.
- Fixed build with icu 65.1.
- Fixed page loading errors with websites using HSTS.
- Fixed web process crash when displaying a KaTeX formula.
- Fixed several crashes and rendering issues.
- Switched to a single web process for Evolution and geary (bsc#1159329).
ImportantSUSE bug 1155321SUSE bug 1156318SUSE bug 1159329SUSE bug 1161719SUSE bug 1163809SUSE bug 1165528SUSE bug 1169658CVE-2019-8625 at SUSECVE-2019-8625 at NVDCVE-2019-8710 at SUSECVE-2019-8710 at NVDCVE-2019-8720 at SUSECVE-2019-8720 at NVDCVE-2019-8743 at SUSECVE-2019-8743 at NVDCVE-2019-8764 at SUSECVE-2019-8764 at NVDCVE-2019-8766 at SUSECVE-2019-8766 at NVDCVE-2019-8769 at SUSECVE-2019-8769 at NVDCVE-2019-8771 at SUSECVE-2019-8771 at NVDCVE-2019-8782 at SUSECVE-2019-8782 at NVDCVE-2019-8783 at SUSECVE-2019-8783 at NVDCVE-2019-8808 at SUSECVE-2019-8808 at NVDCVE-2019-8811 at SUSECVE-2019-8811 at NVDCVE-2019-8812 at SUSECVE-2019-8812 at NVDCVE-2019-8813 at SUSECVE-2019-8813 at NVDCVE-2019-8814 at SUSECVE-2019-8814 at NVDCVE-2019-8815 at SUSECVE-2019-8815 at NVDCVE-2019-8816 at SUSECVE-2019-8816 at NVDCVE-2019-8819 at SUSECVE-2019-8819 at NVDCVE-2019-8820 at SUSECVE-2019-8820 at NVDCVE-2019-8823 at SUSECVE-2019-8823 at NVDCVE-2019-8835 at SUSECVE-2019-8835 at NVDCVE-2019-8844 at SUSECVE-2019-8844 at NVDCVE-2019-8846 at SUSECVE-2019-8846 at NVDCVE-2020-10018 at SUSECVE-2020-10018 at NVDCVE-2020-11793 at SUSECVE-2020-11793 at NVDCVE-2020-3862 at SUSECVE-2020-3862 at NVDCVE-2020-3864 at SUSECVE-2020-3864 at NVDCVE-2020-3865 at SUSECVE-2020-3865 at NVDCVE-2020-3867 at SUSECVE-2020-3867 at NVDCVE-2020-3868 at SUSECVE-2020-3868 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for shibboleth-sp (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for shibboleth-sp fixes the following issues:
Security issue fixed:
- CVE-2019-19191: Fixed escalation to root by fixing ownership of log files (bsc#1157471).
ModerateSUSE bug 1157471CVE-2019-19191 at SUSECVE-2019-19191 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for ceph (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for ceph fixes the following issues:
- CVE-2020-12059: Fixed a denial of service caused by a specially crafted XML payload on POST requests (bsc#1170170).
ImportantSUSE bug 1170170CVE-2020-12059 at SUSECVE-2020-12059 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for LibVNCServer (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for LibVNCServer fixes the following issues:
- CVE-2019-15690: Fixed a heap buffer overflow (bsc#1160471).
- CVE-2019-15681: Fixed a memory leak which could have allowed to a remote attacker to read stack memory (bsc#1155419).
- CVE-2019-20788: Fixed a integer overflow and heap-based buffer overflow via a large height or width value (bsc#1170441).
ImportantSUSE bug 1155419SUSE bug 1160471SUSE bug 1170441CVE-2019-15681 at SUSECVE-2019-15681 at NVDCVE-2019-15690 at SUSECVE-2019-15690 at NVDCVE-2019-20788 at SUSECVE-2019-20788 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for icu (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for icu fixes the following issues:
- CVE-2020-10531: Fixed integer overflow in UnicodeString:doAppend() (bsc#1166844).
ModerateSUSE bug 1166844CVE-2020-10531 at SUSECVE-2020-10531 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for openldap2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for openldap2 fixes the following issues:
- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).
ImportantSUSE bug 1170771CVE-2020-12243 at SUSECVE-2020-12243 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for webkit2gtk3 fixes the following issues:
Security issue fixed:
- CVE-2020-3899: Fixed a memory consumption issue that could have led to remote code execution (bsc#1170643).
Non-security issues fixed:
- Update to version 2.28.2 (bsc#1170643):
+ Fix excessive CPU usage due to GdkFrameClock not being stopped.
+ Fix UI process crash when EGL_WL_bind_wayland_display extension
is not available.
+ Fix position of select popup menus in X11.
+ Fix playing of Youtube 'live stream'/H264 URLs.
+ Fix a crash under X11 when cairo uses xcb.
+ Fix the build in MIPS64.
+ Fix several crashes and rendering issues.
ImportantSUSE bug 1170643CVE-2020-3899 at SUSECVE-2020-3899 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for ghostscript (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for ghostscript to version 9.52 fixes the following issues:
- CVE-2020-12268: Fixed a heap-based buffer overflow in jbig2_image_compose (bsc#1170603).
ImportantSUSE bug 1170603CVE-2020-12268 at SUSECVE-2020-12268 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
Update to version 68.8.0 ESR (bsc#1171186):
- CVE-2020-12387: Use-after-free during worker shutdown
- CVE-2020-12388: Sandbox escape with improperly guarded Access Tokens
- CVE-2020-12389: Sandbox escape with improperly separated process types
- CVE-2020-6831: Buffer overflow in SCTP chunk input validation
- CVE-2020-12392: Arbitrary local file access with 'Copy as cURL'
- CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection
- CVE-2020-12395: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
ImportantSUSE bug 1171186CVE-2020-12387 at SUSECVE-2020-12387 at NVDCVE-2020-12388 at SUSECVE-2020-12388 at NVDCVE-2020-12389 at SUSECVE-2020-12389 at NVDCVE-2020-12392 at SUSECVE-2020-12392 at NVDCVE-2020-12393 at SUSECVE-2020-12393 at NVDCVE-2020-12395 at SUSECVE-2020-12395 at NVDCVE-2020-6831 at SUSECVE-2020-6831 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for squid (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for squid fixes the following issues:
- CVE-2019-12519, CVE-2019-12521: fixes incorrect buffer handling that can
result in cache poisoning, remote execution, and denial of service attacks
when processing ESI responses (bsc#1169659).
- CVE-2020-11945: fixes a potential remote execution vulnerability
when using HTTP Digest Authentication (bsc#1170313).
- CVE-2019-12520, CVE-2019-12524: fixes a potential ACL bypass, cache-bypass
and cross-site scripting attack when processing invalid HTTP
Request messages (bsc#1170423).
ImportantSUSE bug 1169659SUSE bug 1170313SUSE bug 1170423CVE-2019-12519 at SUSECVE-2019-12519 at NVDCVE-2019-12520 at SUSECVE-2019-12520 at NVDCVE-2019-12521 at SUSECVE-2019-12521 at NVDCVE-2019-12524 at SUSECVE-2019-12524 at NVDCVE-2020-11945 at SUSECVE-2020-11945 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for apache2 fixes the following issues:
- CVE-2020-1934: mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server (bsc#1168404).
- CVE-2020-1927: mod_rewrite configurations vulnerable to open redirect (bsc#1168407).
- CVE-2020-1938: mod_proxy_ajp: Add 'secret' parameter to proxy workers to implement legacy AJP13 authentication (bsc#1169066).
ImportantSUSE bug 1168404SUSE bug 1168407SUSE bug 1169066CVE-2020-1927 at SUSECVE-2020-1927 at NVDCVE-2020-1934 at SUSECVE-2020-1934 at NVDCVE-2020-1938 at SUSECVE-2020-1938 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-BCL
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-11494: An issue was discovered in slc_bump in drivers/net/can/slcan.c, which allowed attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL (bnc#1168424).
- CVE-2020-10942: In get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls (bnc#1167629).
- CVE-2020-8647: Fixed a use-after-free vulnerability in the vc_do_resize function in drivers/tty/vt/vt.c (bnc#1162929).
- CVE-2020-8649: Fixed a use-after-free vulnerability in the vgacon_invert_region function in drivers/video/console/vgacon.c (bnc#1162931).
- CVE-2020-9383: Fixed an issue in set_fdc in drivers/block/floppy.c, which leads to a wait_til_ready out-of-bounds read (bnc#1165111).
- CVE-2019-9458: In the video driver there was a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed (bnc#1168295).
- CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bnc#1120386).
- CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bnc#1159285).
- CVE-2020-11609: Fixed a NULL pointer dereference in the stv06xx subsystem caused by mishandling invalid descriptors (bnc#1168854).
- CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).
- CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).
- CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bnc#1170345).
- CVE-2020-11608: Fixed an issue in drivers/media/usb/gspca/ov519.c caused by a NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs when there are zero endpoints (bnc#1168829).
- CVE-2017-18255: The perf_cpu_time_max_percent_handler function in kernel/events/core.c allowed local users to cause a denial of service (integer overflow) or possibly have unspecified other impact via a large value, as demonstrated by an incorrect sample-rate calculation (bnc#1087813).
- CVE-2020-8648: There was a use-after-free vulnerability in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bnc#1162928).
- CVE-2020-2732: A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest (bnc#1163971).
- CVE-2019-5108: Fixed a denial-of-service vulnerability caused by triggering AP to send IAPP location updates for stations before the required authentication process has completed (bnc#1159912).
- CVE-2020-8992: ext4_protect_reserved_inode in fs/ext4/block_validity.c allowed attackers to cause a denial of service (soft lockup) via a crafted journal size (bnc#1164069).
- CVE-2018-21008: Fixed a use-after-free which could be caused by the function rsi_mac80211_detach in the file drivers/net/wireless/rsi/rsi_91x_mac80211.c (bnc#1149591).
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bnc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in Marvell WiFi chip driver. An attacker is able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bnc#1157155).
- CVE-2019-18675: Fixed an integer overflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c because cpia2 has its own mmap implementation. This allowed local users (with /dev/video0 access) to obtain read and write permissions on kernel physical pages, which can possibly result in a privilege escalation (bnc#1157804).
- CVE-2019-14615: Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R) Processor Graphics may have allowed an unauthenticated user to potentially enable information disclosure via local access (bnc#1160195, bsc#1165881).
- CVE-2019-19965: Fixed a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition (bnc#1159911).
- CVE-2019-20054: Fixed a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links (bnc#1159910).
- CVE-2019-20096: Fixed a memory leak in __feat_register_sp() in net/dccp/feat.c, which may cause denial of service (bnc#1159908).
- CVE-2019-19966: Fixed a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that will cause denial of service (bnc#1159841).
- CVE-2019-19447: Fixed an issue with mounting a crafted ext4 filesystem image, performing some operations, and unmounting could lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c (bnc#1158819).
- CVE-2019-19319: Fixed an issue with a setxattr operation, after a mount of a crafted ext4 image, can cause a slab-out-of-bounds write access because of an ext4_xattr_set_entry use-after-free in fs/ext4/xattr.c when a large old_size value is used in a memset call (bnc#1158021).
- CVE-2019-19767: Fixed mishandling of ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c (bnc#1159297).
- CVE-2019-11091,CVE-2018-12126,CVE-2018-12130,CVE-2018-12127: Earlier mitigations for the 'MDS' Microarchitectural Data Sampling attacks were not complete.
An additional fix was added to the x86_64 fast systemcall path to further mitigate these attacks. (bsc#1164846 bsc#1170847)
The following non-security bugs were fixed:
- blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285).
- blktrace: fix dereference after null check (bsc#1159285).
- blktrace: fix trace mutex deadlock (bsc#1159285).
- btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered extents (bsc#1163508).
- btrfs: fix panic during relocation after ENOSPC before writeback happens (bsc#1163508).
- btrfs: qgroup: Fix root item corruption when multiple same source snapshots are created with quota enabled (bsc#1158642)
- btrfs: relocation: fix reloc_root lifespan and access (bsc#1164009).
- enic: prevent waking up stopped tx queues over watchdog reset (bsc#1133147).
- fix PageHeadHuge() race with THP split (VM Functionality, bsc#1165311).
- fs/xfs: fix f_ffree value for statfs when project quota is set (bsc#1165985).
- ibmvnic: Bound waits for device queries (bsc#1155689 ltc#182047).
- ibmvnic: Fix completion structure initialization (bsc#1155689 ltc#182047).
- ibmvnic: Serialize device queries (bsc#1155689 ltc#182047).
- ibmvnic: Terminate waiting device threads after loss of service (bsc#1155689 ltc#182047).
- input: add safety guards to input_set_keycode() (bsc#1168075).
- ipv4: correct gso_size for UFO (bsc#1154844).
- ipv6: fix memory accounting during ipv6 queue expire (bsc#1162227) (bsc#1162227).
- ipvlan: do not add hardware address of master to its unicast filter list (bsc#1137325).
- md: add mddev->pers to avoid potential NULL pointer dereference (bsc#1056134).
- md/bitmap: do not read page from device with Bitmap_sync (bsc#1056134).
- md: change the initialization value for a spare device spot to MD_DISK_ROLE_SPARE (bsc#1056134).
- md: Delete gendisk before cleaning up the request queue (bsc#1056134).
- md: do not call bitmap_create() while array is quiesced (bsc#1056134).
- md: do not set In_sync if array is frozen (bsc#1056134).
- md: fix a potential deadlock of raid5/raid10 reshape (bsc#1056134).
- md: md.c: Return -ENODEV when mddev is NULL in rdev_attr_show (bsc#1056134).
- md: notify about new spare disk in the container (bsc#1056134).
- md/raid0: Fix buffer overflow at debug print (bsc#1164051).
- md/raid10: end bio when the device faulty (bsc#1056134).
- md/raid10: Fix raid10 replace hang when new added disk faulty (bsc#1056134).
- md/raid1,raid10: silence warning about wait-within-wait (bsc#1056134).
- md: return -ENODEV if rdev has no mddev assigned (bsc#1056134).
- media: ov519: add missing endpoint sanity checks (bsc#1168829).
- media: stv06xx: add missing descriptor sanity checks (bsc#1168854).
- net: ena: Add PCI shutdown handler to allow safe kexec (bsc#1167421, bsc#1167423).
- netfilter: conntrack: sctp: use distinct states for new SCTP connections (bsc#1159199).
- net/ibmvnic: Fix typo in retry check (bsc#1155689 ltc#182047).
- rpm/kernel-binary.spec.in: Replace Novell with SUSE
- sched/fair: Scale bandwidth quota and period without losing quota/period ratio precision (bsc#1161586).
- scsi: core: avoid repetitive logging of device offline messages (bsc#1145929).
- scsi: core: kABI fix already_offline (bsc#1145929).
- tcp: clear tp->packets_out when purging write queue (bsc#1154118).
- x86/mitigations: Clear CPU buffers on the SYSCALL fast path (bsc#1164846 bsc#1170847).
- xfs: also remove cached ACLs when removing the underlying attr (bsc#1165873).
- xfs: bulkstat should copy lastip whenever userspace supplies one (bsc#1165984).
ImportantSUSE bug 1056134SUSE bug 1087813SUSE bug 1120386SUSE bug 1133147SUSE bug 1137325SUSE bug 1145929SUSE bug 1149591SUSE bug 1154118SUSE bug 1154844SUSE bug 1155689SUSE bug 1157155SUSE bug 1157157SUSE bug 1157303SUSE bug 1157804SUSE bug 1158021SUSE bug 1158642SUSE bug 1158819SUSE bug 1159199SUSE bug 1159285SUSE bug 1159297SUSE bug 1159841SUSE bug 1159908SUSE bug 1159910SUSE bug 1159911SUSE bug 1159912SUSE bug 1160195SUSE bug 1161586SUSE bug 1162227SUSE bug 1162928SUSE bug 1162929SUSE bug 1162931SUSE bug 1163508SUSE bug 1163971SUSE bug 1164009SUSE bug 1164051SUSE bug 1164069SUSE bug 1164078SUSE bug 1164846SUSE bug 1165111SUSE bug 1165311SUSE bug 1165873SUSE bug 1165881SUSE bug 1165984SUSE bug 1165985SUSE bug 1167421SUSE bug 1167423SUSE bug 1167629SUSE bug 1168075SUSE bug 1168295SUSE bug 1168424SUSE bug 1168829SUSE bug 1168854SUSE bug 1170056SUSE bug 1170345SUSE bug 1170778SUSE bug 1170847CVE-2017-18255 at SUSECVE-2017-18255 at NVDCVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2018-21008 at SUSECVE-2018-21008 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDCVE-2019-14615 at SUSECVE-2019-14615 at NVDCVE-2019-14896 at SUSECVE-2019-14896 at NVDCVE-2019-14897 at SUSECVE-2019-14897 at NVDCVE-2019-18675 at SUSECVE-2019-18675 at NVDCVE-2019-19066 at SUSECVE-2019-19066 at NVDCVE-2019-19319 at SUSECVE-2019-19319 at NVDCVE-2019-19447 at SUSECVE-2019-19447 at NVDCVE-2019-19767 at SUSECVE-2019-19767 at NVDCVE-2019-19768 at SUSECVE-2019-19768 at NVDCVE-2019-19965 at SUSECVE-2019-19965 at NVDCVE-2019-19966 at SUSECVE-2019-19966 at NVDCVE-2019-20054 at SUSECVE-2019-20054 at NVDCVE-2019-20096 at SUSECVE-2019-20096 at NVDCVE-2019-3701 at SUSECVE-2019-3701 at NVDCVE-2019-5108 at SUSECVE-2019-5108 at NVDCVE-2019-9455 at SUSECVE-2019-9455 at NVDCVE-2019-9458 at SUSECVE-2019-9458 at NVDCVE-2020-10690 at SUSECVE-2020-10690 at NVDCVE-2020-10720 at SUSECVE-2020-10720 at NVDCVE-2020-10942 at SUSECVE-2020-10942 at NVDCVE-2020-11494 at SUSECVE-2020-11494 at NVDCVE-2020-11608 at SUSECVE-2020-11608 at NVDCVE-2020-11609 at SUSECVE-2020-11609 at NVDCVE-2020-2732 at SUSECVE-2020-2732 at NVDCVE-2020-8647 at SUSECVE-2020-8647 at NVDCVE-2020-8648 at SUSECVE-2020-8648 at NVDCVE-2020-8649 at SUSECVE-2020-8649 at NVDCVE-2020-8992 at SUSECVE-2020-8992 at NVDCVE-2020-9383 at SUSECVE-2020-9383 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for python-PyYAML (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python-PyYAML fixes the following issues:
- CVE-2020-1747: Fixed an arbitrary code execution when YAML files are parsed by FullLoader (bsc#1165439).
ImportantSUSE bug 1165439CVE-2020-1747 at SUSECVE-2020-1747 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for git (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for git to 2.26.2 fixes the following issues:
Security issue fixed:
- CVE-2020-11008: Specially crafted URLs may have tricked the credentials helper
to providing credential information that is not appropriate for the protocol
in use and host being contacted (bsc#1169936).
Non-security issue fixed:
- Fixed git-daemon not starting after conversion from sysvinit to systemd service (bsc#1169605).
- Enabled access for git-daemon in firewall configuration (bsc#1170302).
- Fixed problems with recent switch to protocol v2, which caused fetches transferring unreasonable amount of data (bsc#1170741).
ModerateSUSE bug 1149792SUSE bug 1168930SUSE bug 1169605SUSE bug 1169786SUSE bug 1169936SUSE bug 1170302SUSE bug 1170741SUSE bug 1170939CVE-2020-11008 at SUSECVE-2020-11008 at NVDCVE-2020-5260 at SUSECVE-2020-5260 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for mailman (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for mailman fixes the following issues:
Security issue fixed:
- CVE-2020-12108: Fixed a content injection bug (bsc#1171363).
- CVE-2020-12137: Fixed a XSS vulnerability caused by MIME type confusion (bsc#1170558).
Non-security issue fixed:
- Fixed rights and ownership on /var/lib/mailman/archives (bsc#1167068).
- Don't default to invalid hosts for DEFAULT_EMAIL_HOST (bsc#682920).
ImportantSUSE bug 1167068SUSE bug 1170558SUSE bug 1171363SUSE bug 682920CVE-2020-12108 at SUSECVE-2020-12108 at NVDCVE-2020-12137 at SUSECVE-2020-12137 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for tomcat (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for tomcat fixes the following issues:
CVE-2020-9484 (bsc#1171928)
Apache Tomcat Remote Code Execution via session persistence
If an attacker was able to control the contents and name of a file on a
server configured to use the PersistenceManager, then the attacker could
have triggered a remote code execution via deserialization of the file under
their control.
CVE-2019-12418 (bsc#1159723)
Local privilege escalation by manipulating the RMI registry and performing a man-in-the-middle attack
When Tomcat is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files was able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface.
The attacker could then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.
CVE-2019-0221 (bsc#1136085)
The SSI printenv command echoed user provided data without escaping, which
made it vulnerable to XSS.
CVE-2019-17563 (bsc#1159729)
When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack.
CVE-2019-17569 (bsc#1164825)
Invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling
if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header.
ImportantSUSE bug 1136085SUSE bug 1159723SUSE bug 1159729SUSE bug 1164825SUSE bug 1171928CVE-2019-0221 at SUSECVE-2019-0221 at NVDCVE-2019-12418 at SUSECVE-2019-12418 at NVDCVE-2019-17563 at SUSECVE-2019-17563 at NVDCVE-2019-17569 at SUSECVE-2019-17569 at NVDCVE-2020-9484 at SUSECVE-2020-9484 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for python (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python to version 2.7.17 fixes the following issues:
Syncing with lots of upstream bug fixes and security fixes.
Bug fixes:
- CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825).
- CVE-2019-18348: Fixed a CRLF injection via the host part of the url passed to urlopen(). Now an InvalidURL exception is raised (bsc#1155094).
- CVE-2020-8492: Fixed a regular expression in urllib that was prone to denial of service via HTTP (bsc#1162367).
- Fixed mismatches between libpython and python-base versions (bsc#1162224).
- Fixed segfault in libpython2.7.so.1 (bsc#1073748).
- Unified packages among openSUSE:Factory and SLE versions (bsc#1159035).
- Added idle.desktop and idle.appdata.xml to provide IDLE in menus (bsc#1153830).
- Excluded tsl_check files from python-base to prevent file conflict with python-strict-tls-checks package (bsc#945401).
- Changed the name of idle3 icons to idle3.png to avoid collision with Python 2 version (bsc#1165894).
Additionally a new 'shared-python-startup' package is provided containing startup files.
python-rpm-macros was updated to fix:
- Do not write .pyc files for tests (bsc#1171561)
ModerateSUSE bug 1027282SUSE bug 1041090SUSE bug 1042670SUSE bug 1073269SUSE bug 1073748SUSE bug 1078326SUSE bug 1078485SUSE bug 1081750SUSE bug 1084650SUSE bug 1086001SUSE bug 1149792SUSE bug 1153830SUSE bug 1155094SUSE bug 1159035SUSE bug 1162224SUSE bug 1162367SUSE bug 1162825SUSE bug 1165894SUSE bug 1170411SUSE bug 1171561SUSE bug 945401CVE-2019-18348 at SUSECVE-2019-18348 at NVDCVE-2019-9674 at SUSECVE-2019-9674 at NVDCVE-2020-8492 at SUSECVE-2020-8492 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for krb5-appl (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for krb5-appl fixes the following issues:
- CVE-2020-10188: Fixed a remote root execution (bsc#1165787).
ImportantSUSE bug 1165787CVE-2020-10188 at SUSECVE-2020-10188 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libexif (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libexif fixes the following issues:
Security issues fixed:
- CVE-2016-6328: Fixed an integer overflow in parsing MNOTE entry data of the input file (bsc#1055857).
- CVE-2017-7544: Fixed an out-of-bounds heap read vulnerability in exif_data_save_data_entry function in libexif/exif-data.c (bsc#1059893).
- CVE-2018-20030: Fixed a denial of service by endless recursion (bsc#1120943).
- CVE-2019-9278: Fixed an integer overflow (bsc#1160770).
- CVE-2020-0093: Fixed an out-of-bounds read in exif_data_save_data_entry (bsc#1171847).
- CVE-2020-12767: Fixed a divide-by-zero error in exif_entry_get_value (bsc#1171475).
- CVE-2020-13112: Fixed a time consumption DoS when parsing canon array markers (bsc#1172121).
- CVE-2020-13113: Fixed a potential use of uninitialized memory (bsc#1172105).
- CVE-2020-13114: Fixed various buffer overread fixes due to integer overflows in maker notes (bsc#1172116).
Non-security issues fixed:
- libexif was updated to version 0.6.22:
* New translations: ms
* Updated translations for most languages
* Some useful EXIF 2.3 tag added:
* EXIF_TAG_GAMMA
* EXIF_TAG_COMPOSITE_IMAGE
* EXIF_TAG_SOURCE_IMAGE_NUMBER_OF_COMPOSITE_IMAGE
* EXIF_TAG_SOURCE_EXPOSURE_TIMES_OF_COMPOSITE_IMAGE
* EXIF_TAG_GPS_H_POSITIONING_ERROR
* EXIF_TAG_CAMERA_OWNER_NAME
* EXIF_TAG_BODY_SERIAL_NUMBER
* EXIF_TAG_LENS_SPECIFICATION
* EXIF_TAG_LENS_MAKE
* EXIF_TAG_LENS_MODEL
* EXIF_TAG_LENS_SERIAL_NUMBER
ModerateSUSE bug 1055857SUSE bug 1059893SUSE bug 1120943SUSE bug 1160770SUSE bug 1171475SUSE bug 1171847SUSE bug 1172105SUSE bug 1172116SUSE bug 1172121CVE-2016-6328 at SUSECVE-2016-6328 at NVDCVE-2017-7544 at SUSECVE-2017-7544 at NVDCVE-2018-20030 at SUSECVE-2018-20030 at NVDCVE-2019-9278 at SUSECVE-2019-9278 at NVDCVE-2020-0093 at SUSECVE-2020-0093 at NVDCVE-2020-12767 at SUSECVE-2020-12767 at NVDCVE-2020-13112 at SUSECVE-2020-13112 at NVDCVE-2020-13113 at SUSECVE-2020-13113 at NVDCVE-2020-13114 at SUSECVE-2020-13114 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for qemu (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for qemu fixes the following issues:
Security issues fixed:
- CVE-2020-1711: Fixed a potential OOB access in the iSCSI client code (bsc#1166240).
- CVE-2019-12068: Fixed a potential DoS in the LSI SCSI controller emulation (bsc#1146873).
- CVE-2020-1983: Fixed a use-after-free in the ip_reass function of slirp (bsc#1170940).
- CVE-2020-8608: Fixed a potential OOB access in slirp (bsc#1163018).
- CVE-2020-7039: Fixed a potential OOB access in slirp (bsc#1161066).
- CVE-2019-15890: Fixed a use-after-free during packet reassembly in slirp (bsc#1149811).
- Fixed multiple potential DoS issues in SLIRP, similar to CVE-2019-6778 (bsc#1123156).
Non-security issue fixed:
- Make sure that required memory is mapped properly during an incoming migration of a Xen HVM domU (bsc#1160024).
ModerateSUSE bug 1123156SUSE bug 1146873SUSE bug 1149811SUSE bug 1160024SUSE bug 1161066SUSE bug 1163018SUSE bug 1166240SUSE bug 1170940CVE-2019-12068 at SUSECVE-2019-12068 at NVDCVE-2019-15890 at SUSECVE-2019-15890 at NVDCVE-2019-6778 at SUSECVE-2019-6778 at NVDCVE-2020-1711 at SUSECVE-2020-1711 at NVDCVE-2020-1983 at SUSECVE-2020-1983 at NVDCVE-2020-7039 at SUSECVE-2020-7039 at NVDCVE-2020-8608 at SUSECVE-2020-8608 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for vim (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for vim fixes the following issues:
- CVE-2019-20807: Fixed an issue where escaping from the restrictive mode of vim
was possible using interfaces (bsc#1172225 and bsc#1172031).
ModerateSUSE bug 1172031SUSE bug 1172225CVE-2019-20807 at SUSECVE-2019-20807 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
- MozillaFirefox was updated to version 68.9.0 Extended Support Release (bsc#1172402).
- CVE-2020-12405: Fixed a use-after-free in SharedWorkerService.
- CVE-2020-12406: Fixed a JavaScript Type confusion with NativeTypes.
- CVE-2020-12410: Fixed multiple memory safety bugs.
ImportantSUSE bug 1172402CVE-2020-12405 at SUSECVE-2020-12405 at NVDCVE-2020-12406 at SUSECVE-2020-12406 at NVDCVE-2020-12410 at SUSECVE-2020-12410 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for ruby2.1 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for ruby2.1 fixes the following issues:
Security issues fixed:
- CVE-2015-9096: Fixed an SMTP command injection via CRLFsequences in a RCPT TO or MAIL FROM command (bsc#1043983).
- CVE-2016-7798: Fixed an IV Reuse in GCM Mode (bsc#1055265).
- CVE-2017-0898: Fixed a buffer underrun vulnerability in Kernel.sprintf (bsc#1058755).
- CVE-2017-0899: Fixed an issue with malicious gem specifications, insufficient sanitation when printing gem specifications could have included terminal characters (bsc#1056286).
- CVE-2017-0900: Fixed an issue with malicious gem specifications, the query command could have led to a denial of service attack against clients (bsc#1056286).
- CVE-2017-0901: Fixed an issue with malicious gem specifications, potentially overwriting arbitrary files on the client system (bsc#1056286).
- CVE-2017-0902: Fixed an issue with malicious gem specifications, that could have enabled MITM attacks against clients (bsc#1056286).
- CVE-2017-0903: Fixed an unsafe object deserialization vulnerability (bsc#1062452).
- CVE-2017-9228: Fixed a heap out-of-bounds write in bitset_set_range() during regex compilation (bsc#1069607).
- CVE-2017-9229: Fixed an invalid pointer dereference in left_adjust_char_head() in oniguruma (bsc#1069632).
- CVE-2017-10784: Fixed an escape sequence injection vulnerability in the Basic authentication of WEBrick (bsc#1058754).
- CVE-2017-14033: Fixed a buffer underrun vulnerability in OpenSSL ASN1 decode (bsc#1058757).
- CVE-2017-14064: Fixed an arbitrary memory exposure during a JSON.generate call (bsc#1056782).
- CVE-2017-17405: Fixed a command injection vulnerability in Net::FTP (bsc#1073002).
- CVE-2017-17742: Fixed an HTTP response splitting issue in WEBrick (bsc#1087434).
- CVE-2017-17790: Fixed a command injection in lib/resolv.rb:lazy_initialize() (bsc#1078782).
- CVE-2018-6914: Fixed an unintentional file and directory creation with directory traversal in tempfile and tmpdir (bsc#1087441).
- CVE-2018-8777: Fixed a potential DoS caused by large requests in WEBrick (bsc#1087436).
- CVE-2018-8778: Fixed a buffer under-read in String#unpack (bsc#1087433).
- CVE-2018-8779: Fixed an unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket (bsc#1087440).
- CVE-2018-8780: Fixed an unintentional directory traversal by poisoned NUL byte in Dir (bsc#1087437).
- CVE-2018-16395: Fixed an issue with OpenSSL::X509::Name equality checking (bsc#1112530).
- CVE-2018-16396: Fixed an issue with tainted string handling, where the flag was not propagated in Array#pack and String#unpack with some directives (bsc#1112532).
- CVE-2018-1000073: Fixed a path traversal issue (bsc#1082007).
- CVE-2018-1000074: Fixed an unsafe object deserialization vulnerability in gem owner, allowing arbitrary code execution with specially crafted YAML (bsc#1082008).
- CVE-2018-1000075: Fixed an infinite loop vulnerability due to negative size in tar header causes Denial of Service (bsc#1082014).
- CVE-2018-1000076: Fixed an improper verification of signatures in tarballs (bsc#1082009).
- CVE-2018-1000077: Fixed an improper URL validation in the homepage attribute of ruby gems (bsc#1082010).
- CVE-2018-1000078: Fixed a XSS vulnerability in the homepage attribute when displayed via gem server (bsc#1082011).
- CVE-2018-1000079: Fixed a path traversal issue during gem installation allows to write to arbitrary filesystem locations (bsc#1082058).
- CVE-2019-8320: Fixed a directory traversal issue when decompressing tar files (bsc#1130627).
- CVE-2019-8321: Fixed an escape sequence injection vulnerability in verbose (bsc#1130623).
- CVE-2019-8322: Fixed an escape sequence injection vulnerability in gem owner (bsc#1130622).
- CVE-2019-8323: Fixed an escape sequence injection vulnerability in API response handling (bsc#1130620).
- CVE-2019-8324: Fixed an issue with malicious gems that may have led to arbitrary code execution (bsc#1130617).
- CVE-2019-8325: Fixed an escape sequence injection vulnerability in errors (bsc#1130611).
- CVE-2019-15845: Fixed a NUL injection vulnerability in File.fnmatch and File.fnmatch? (bsc#1152994).
- CVE-2019-16201: Fixed a regular expression denial of service vulnerability in WEBrick's digest access authentication (bsc#1152995).
- CVE-2019-16254: Fixed an HTTP response splitting vulnerability in WEBrick (bsc#1152992).
- CVE-2019-16255: Fixed a code injection vulnerability in Shell#[] and Shell#test (bsc#1152990).
- CVE-2020-10663: Fixed an unsafe object creation vulnerability in JSON (bsc#1171517).
Non-security issue fixed:
- Add conflicts to libruby to make sure ruby and ruby-stdlib are also updated when libruby is updated (bsc#1048072).
Also yast2-ruby-bindings on SLES 12 SP2 LTSS was updated to handle the updated ruby interpreter. (bsc#1172275)
ImportantSUSE bug 1043983SUSE bug 1048072SUSE bug 1055265SUSE bug 1056286SUSE bug 1056782SUSE bug 1058754SUSE bug 1058755SUSE bug 1058757SUSE bug 1062452SUSE bug 1069607SUSE bug 1069632SUSE bug 1073002SUSE bug 1078782SUSE bug 1082007SUSE bug 1082008SUSE bug 1082009SUSE bug 1082010SUSE bug 1082011SUSE bug 1082014SUSE bug 1082058SUSE bug 1087433SUSE bug 1087434SUSE bug 1087436SUSE bug 1087437SUSE bug 1087440SUSE bug 1087441SUSE bug 1112530SUSE bug 1112532SUSE bug 1130611SUSE bug 1130617SUSE bug 1130620SUSE bug 1130622SUSE bug 1130623SUSE bug 1130627SUSE bug 1152990SUSE bug 1152992SUSE bug 1152994SUSE bug 1152995SUSE bug 1171517SUSE bug 1172275CVE-2015-9096 at SUSECVE-2015-9096 at NVDCVE-2016-2339 at SUSECVE-2016-2339 at NVDCVE-2016-7798 at SUSECVE-2016-7798 at NVDCVE-2017-0898 at SUSECVE-2017-0898 at NVDCVE-2017-0899 at SUSECVE-2017-0899 at NVDCVE-2017-0900 at SUSECVE-2017-0900 at NVDCVE-2017-0901 at SUSECVE-2017-0901 at NVDCVE-2017-0902 at SUSECVE-2017-0902 at NVDCVE-2017-0903 at SUSECVE-2017-0903 at NVDCVE-2017-10784 at SUSECVE-2017-10784 at NVDCVE-2017-14033 at SUSECVE-2017-14033 at NVDCVE-2017-14064 at SUSECVE-2017-14064 at NVDCVE-2017-17405 at SUSECVE-2017-17405 at NVDCVE-2017-17742 at SUSECVE-2017-17742 at NVDCVE-2017-17790 at SUSECVE-2017-17790 at NVDCVE-2017-9228 at SUSECVE-2017-9228 at NVDCVE-2017-9229 at SUSECVE-2017-9229 at NVDCVE-2018-1000073 at SUSECVE-2018-1000073 at NVDCVE-2018-1000074 at SUSECVE-2018-1000074 at NVDCVE-2018-1000075 at SUSECVE-2018-1000075 at NVDCVE-2018-1000076 at SUSECVE-2018-1000076 at NVDCVE-2018-1000077 at SUSECVE-2018-1000077 at NVDCVE-2018-1000078 at SUSECVE-2018-1000078 at NVDCVE-2018-1000079 at SUSECVE-2018-1000079 at NVDCVE-2018-16395 at SUSECVE-2018-16395 at NVDCVE-2018-16396 at SUSECVE-2018-16396 at NVDCVE-2018-6914 at SUSECVE-2018-6914 at NVDCVE-2018-8777 at SUSECVE-2018-8777 at NVDCVE-2018-8778 at SUSECVE-2018-8778 at NVDCVE-2018-8779 at SUSECVE-2018-8779 at NVDCVE-2018-8780 at SUSECVE-2018-8780 at NVDCVE-2019-15845 at SUSECVE-2019-15845 at NVDCVE-2019-16201 at SUSECVE-2019-16201 at NVDCVE-2019-16254 at SUSECVE-2019-16254 at NVDCVE-2019-16255 at SUSECVE-2019-16255 at NVDCVE-2019-8320 at SUSECVE-2019-8320 at NVDCVE-2019-8321 at SUSECVE-2019-8321 at NVDCVE-2019-8322 at SUSECVE-2019-8322 at NVDCVE-2019-8323 at SUSECVE-2019-8323 at NVDCVE-2019-8324 at SUSECVE-2019-8324 at NVDCVE-2019-8325 at SUSECVE-2019-8325 at NVDCVE-2020-10663 at SUSECVE-2020-10663 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_7_0-openjdk to version 7u261 fixes the following issues:
- CVE-2020-2756: Better mapping of serial ENUMs (bsc#1169511)
- CVE-2020-2757: Less Blocking Array Queues (bsc#1169511)
- CVE-2020-2773: Better signatures in XML (bsc#1169511)
- CVE-2020-2781: Improve TLS session handling (bsc#1169511)
- CVE-2020-2800: Better Headings for HTTP Servers (bsc#1169511)
- CVE-2020-2803: Enhance buffering of byte buffers (bsc#1169511)
- CVE-2020-2805: Enhance typing of methods (bsc#1169511)
- CVE-2020-2830: Better Scanner conversions (bsc#1169511)
ImportantSUSE bug 1169511CVE-2020-2756 at SUSECVE-2020-2756 at NVDCVE-2020-2757 at SUSECVE-2020-2757 at NVDCVE-2020-2773 at SUSECVE-2020-2773 at NVDCVE-2020-2781 at SUSECVE-2020-2781 at NVDCVE-2020-2800 at SUSECVE-2020-2800 at NVDCVE-2020-2803 at SUSECVE-2020-2803 at NVDCVE-2020-2805 at SUSECVE-2020-2805 at NVDCVE-2020-2830 at SUSECVE-2020-2830 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for tigervnc (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for tigervnc fixes the following issues:
- CVE-2019-15691: Fixed a use-after-return due to incorrect usage of stack memory in ZRLEDecoder (bsc#1159856).
- CVE-2019-15692: Fixed a heap-based buffer overflow in CopyRectDecode (bsc#1160250).
- CVE-2019-15693: Fixed a heap-based buffer overflow in TightDecoder::FilterGradient (bsc#1159858).
- CVE-2019-15694: Fixed a heap-based buffer overflow, caused by improper error handling in processing MemOutStream (bsc#1160251).
- CVE-2019-15695: Fixed a stack-based buffer overflow, which could be triggered from CMsgReader::readSetCursor (bsc#1159860).
ImportantSUSE bug 1159856SUSE bug 1159858SUSE bug 1159860SUSE bug 1160250SUSE bug 1160251SUSE bug 1160937CVE-2019-15691 at SUSECVE-2019-15691 at NVDCVE-2019-15692 at SUSECVE-2019-15692 at NVDCVE-2019-15693 at SUSECVE-2019-15693 at NVDCVE-2019-15694 at SUSECVE-2019-15694 at NVDCVE-2019-15695 at SUSECVE-2019-15695 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for ucode-intel (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for ucode-intel fixes the following issues:
Updated Intel CPU Microcode to 20200602 (prerelease) (bsc#1172466)
This update contains security mitigations for:
- CVE-2020-0543: Fixed a side channel attack against special registers
which could have resulted in leaking of read values to cores other
than the one which called it. This attack is known as Special Register
Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).
- CVE-2020-0548,CVE-2020-0549: Additional ucode updates were supplied to
mitigate the Vector Register and L1D Eviction Sampling aka 'CacheOutAttack'
attacks. (bsc#1156353)
Microcode Table:
Processor Identifier Version Products
Model Stepping F-MO-S/PI Old->New
---- new platforms ----------------------------------------
---- updated platforms ------------------------------------
HSW C0 6-3c-3/32 00000027->00000028 Core Gen4
BDW-U/Y E0/F0 6-3d-4/c0 0000002e->0000002f Core Gen5
HSW-U C0/D0 6-45-1/72 00000025->00000026 Core Gen4
HSW-H C0 6-46-1/32 0000001b->0000001c Core Gen4
BDW-H/E3 E0/G0 6-47-1/22 00000021->00000022 Core Gen5
SKL-U/Y D0 6-4e-3/c0 000000d6->000000dc Core Gen6 Mobile
SKL-U23e K1 6-4e-3/c0 000000d6->000000dc Core Gen6 Mobile
SKX-SP B1 6-55-3/97 01000151->01000157 Xeon Scalable
SKX-SP H0/M0/U0 6-55-4/b7 02000065->02006906 Xeon Scalable
SKX-D M1 6-55-4/b7 02000065->02006906 Xeon D-21xx
CLX-SP B0 6-55-6/bf 0400002c->04002f01 Xeon Scalable Gen2
CLX-SP B1 6-55-7/bf 0500002c->04002f01 Xeon Scalable Gen2
SKL-H/S R0/N0 6-5e-3/36 000000d6->000000dc Core Gen6; Xeon E3 v5
AML-Y22 H0 6-8e-9/10 000000ca->000000d6 Core Gen8 Mobile
KBL-U/Y H0 6-8e-9/c0 000000ca->000000d6 Core Gen7 Mobile
CFL-U43e D0 6-8e-a/c0 000000ca->000000d6 Core Gen8 Mobile
WHL-U W0 6-8e-b/d0 000000ca->000000d6 Core Gen8 Mobile
AML-Y42 V0 6-8e-c/94 000000ca->000000d6 Core Gen10 Mobile
CML-Y42 V0 6-8e-c/94 000000ca->000000d6 Core Gen10 Mobile
WHL-U V0 6-8e-c/94 000000ca->000000d6 Core Gen8 Mobile
KBL-G/H/S/E3 B0 6-9e-9/2a 000000ca->000000d6 Core Gen7; Xeon E3 v6
CFL-H/S/E3 U0 6-9e-a/22 000000ca->000000d6 Core Gen8 Desktop, Mobile, Xeon E
CFL-S B0 6-9e-b/02 000000ca->000000d6 Core Gen8
CFL-H/S P0 6-9e-c/22 000000ca->000000d6 Core Gen9
CFL-H R0 6-9e-d/22 000000ca->000000d6 Core Gen9 Mobile
Also contains the Intel CPU Microcode update to 20200520:
Processor Identifier Version Products
Model Stepping F-MO-S/PI Old->New
---- new platforms ----------------------------------------
---- updated platforms ------------------------------------
SNB-E/EN/EP C1/M0 6-2d-6/6d 0000061f->00000621 Xeon E3/E5, Core X
SNB-E/EN/EP C2/M1 6-2d-7/6d 00000718->0000071a Xeon E3/E5, Core X
ModerateSUSE bug 1154824SUSE bug 1156353SUSE bug 1172466CVE-2020-0543 at SUSECVE-2020-0543 at NVDCVE-2020-0548 at SUSECVE-2020-0548 at NVDCVE-2020-0549 at SUSECVE-2020-0549 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-BCL
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it.
This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).
- CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).
- CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).
- CVE-2020-12654: Fixed an issue in he wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).
- CVE-2020-12656: Fixed an improper handling of certain domain_release calls leadingch could have led to a memory leak (bsc#1171219).
- CVE-2020-12114: Fixed A pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).
- CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).
The following non-security bugs were fixed:
- can, slip: Protect tty->disc_data in write_wakeup and close with RCU (bsc#1171698).
- clocksource/drivers/hyper-v: Set TSC clocksource as default w/ InvariantTSC (bsc#1170620).
- Drivers: HV: Send one page worth of kmsg dump over Hyper-V during panic (bsc#1170618).
- Drivers: hv: vmbus: Fix the issue with freeing up hv_ctl_table_hdr (bsc#1170618).
- Drivers: hv: vmbus: Get rid of MSR access from vmbus_drv.c (bsc#1170618).
- Drivers: hv: vmbus: Make panic reporting to be more useful (bsc#1170618).
- Drivers: hv: vmus: Fix the check for return value from kmsg get dump buffer (bsc#1170618).
- EDAC: Convert to new X86 CPU match macros
- ibmvfc: do not send implicit logouts prior to NPIV login (bsc#1169625 ltc#184611).
- ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).
- KEYS: reaching the keys quotas correctly (bsc#1171689).
- NFS: Cleanup if nfs_match_client is interrupted (bsc#1169025).
- NFS: Fix a double unlock from nfs_match,get_client (bsc#1169025).
- NFS: make nfs_match_client killable (bsc#1169025).
- NFS: Unlock requests must never fail (bsc#1172032).
- random: always use batched entropy for get_random_u{32,64} (bsc#1164871).
- Revert 'ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()' (bsc#1172221).
- scsi: ibmvfc: Avoid loss of all paths during SVC node reboot (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).
- x86/dumpstack/64: Handle faults when printing the 'Stack: ' part of an OOPS (bsc#1170383).
- x86/hyperv: Allow guests to enable InvariantTSC (bsc#1170620).
- x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump (bsc#1170618).
- x86/Hyper-V: Report crash data in die() when panic_on_oops is set (bsc#1170618).
- x86/Hyper-V: Report crash register data or kmsg before running crash kernel (bsc#1170618).
- x86/Hyper-V: Report crash register data when sysctl_record_panic_msg is not set (bsc#1170618).
- x86: hyperv: report value of misc_features (git fixes).
- x86/Hyper-V: Trigger crash enlightenment only once during system crash (bsc#1170618).
- x86/Hyper-V: Unload vmbus channel in hv panic callback (bsc#1170618).
ImportantSUSE bug 1154824SUSE bug 1161951SUSE bug 1164871SUSE bug 1169025SUSE bug 1169625SUSE bug 1170383SUSE bug 1170618SUSE bug 1170620SUSE bug 1171098SUSE bug 1171195SUSE bug 1171202SUSE bug 1171218SUSE bug 1171219SUSE bug 1171689SUSE bug 1171698SUSE bug 1172032SUSE bug 1172221SUSE bug 1172317CVE-2020-0543 at SUSECVE-2020-0543 at NVDCVE-2020-10757 at SUSECVE-2020-10757 at NVDCVE-2020-12114 at SUSECVE-2020-12114 at NVDCVE-2020-12652 at SUSECVE-2020-12652 at NVDCVE-2020-12653 at SUSECVE-2020-12653 at NVDCVE-2020-12654 at SUSECVE-2020-12654 at NVDCVE-2020-12656 at SUSECVE-2020-12656 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for virglrenderer (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for virglrenderer fixes the following issues:
- CVE-2019-18388: Fixed a null pointer dereference which could have led
to denial of service (bsc#1159479).
- CVE-2019-18390: Fixed an out of bound read which could have led to
denial of service (bsc#1159478).
- CVE-2019-18389: Fixed a heap buffer overflow which could have led to
guest escape or denial of service (bsc#1159482).
- CVE-2019-18391: Fixed a heap based buffer overflow which could have led to
guest escape or denial of service (bsc#1159486).
ImportantSUSE bug 1159478SUSE bug 1159479SUSE bug 1159482SUSE bug 1159486CVE-2019-18388 at SUSECVE-2019-18388 at NVDCVE-2019-18389 at SUSECVE-2019-18389 at NVDCVE-2019-18390 at SUSECVE-2019-18390 at NVDCVE-2019-18391 at SUSECVE-2019-18391 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for adns (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for adns fixes the following issues:
- CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9109: Fixed an issue in local recursive resolver
which could have led to remote code execution (bsc#1172265).
- CVE-2017-9106: Fixed an issue with upstream DNS data sources which could have led to denial of
service (bsc#1172265).
- CVE-2017-9107: Fixed an issue when quering domain names which could have led to denial of service (bsc#1172265).
- CVE-2017-9108: Fixed an issue which could have led to denial of service (bsc#1172265).
ImportantSUSE bug 1172265CVE-2017-9103 at SUSECVE-2017-9103 at NVDCVE-2017-9104 at SUSECVE-2017-9104 at NVDCVE-2017-9105 at SUSECVE-2017-9105 at NVDCVE-2017-9106 at SUSECVE-2017-9106 at NVDCVE-2017-9107 at SUSECVE-2017-9107 at NVDCVE-2017-9108 at SUSECVE-2017-9108 at NVDCVE-2017-9109 at SUSECVE-2017-9109 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xen fixes the following issues:
- CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it.
This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1172205).
- CVE-2020-11742: Bad continuation handling in GNTTABOP_copy (bsc#1169392).
- CVE-2020-11740, CVE-2020-11741: xen: XSA-313 multiple xenoprof issues (bsc#1168140).
- CVE-2020-11739: Missing memory barriers in read-write unlock paths (bsc#1168142).
- CVE-2019-19583: Fixed improper checks which could have allowed HVM/PVH guest userspace code to crash the guest, leading to a guest denial of service (bsc#1158004 XSA-308).
- CVE-2019-19581: Fixed a potential out of bounds on 32-bit Arm (bsc#1158003 XSA-307).
- CVE-2019-19580: Fixed a privilege escalation where a malicious PV guest administrator could have been able to escalate their privilege to that of the host (bsc#1158006 XSA-310).
- CVE-2019-19579: Fixed a privilege escalation where an untrusted domain with access to a physical device can DMA into host memory (bsc#1157888 XSA-306).
- CVE-2019-19578: Fixed an issue where a malicious or buggy PV guest could have caused hypervisor crash resulting in denial of service affecting the entire host (bsc#1158005 XSA-309).
- CVE-2019-19577: Fixed an issue where a malicious guest administrator could have caused Xen to access data structures while they are being modified leading to a crash (bsc#1158007 XSA-311).
- Xenstored Crashed during VM install (bsc#1167152)
ImportantSUSE bug 1157888SUSE bug 1158003SUSE bug 1158004SUSE bug 1158005SUSE bug 1158006SUSE bug 1158007SUSE bug 1161181SUSE bug 1167152SUSE bug 1168140SUSE bug 1168142SUSE bug 1169392SUSE bug 1172205CVE-2019-19577 at SUSECVE-2019-19577 at NVDCVE-2019-19578 at SUSECVE-2019-19578 at NVDCVE-2019-19579 at SUSECVE-2019-19579 at NVDCVE-2019-19580 at SUSECVE-2019-19580 at NVDCVE-2019-19581 at SUSECVE-2019-19581 at NVDCVE-2019-19583 at SUSECVE-2019-19583 at NVDCVE-2020-0543 at SUSECVE-2020-0543 at NVDCVE-2020-11739 at SUSECVE-2020-11739 at NVDCVE-2020-11740 at SUSECVE-2020-11740 at NVDCVE-2020-11741 at SUSECVE-2020-11741 at NVDCVE-2020-11742 at SUSECVE-2020-11742 at NVDCVE-2020-7211 at SUSECVE-2020-7211 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for perl (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for perl fixes the following issues:
- CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have
allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of
instructions into the compiled form of Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a
compiled regular expression (bsc#1171866).
- Fixed utf8 handling in perldoc by useing 'term' instead of 'man' (bsc#1170601).
- Some packages make assumptions about the date and time they are built.
This update will solve the issues caused by calling the perl function timelocal
expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039)
ImportantSUSE bug 1102840SUSE bug 1160039SUSE bug 1170601SUSE bug 1171863SUSE bug 1171864SUSE bug 1171866CVE-2020-10543 at SUSECVE-2020-10543 at NVDCVE-2020-10878 at SUSECVE-2020-10878 at NVDCVE-2020-12723 at SUSECVE-2020-12723 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_7_1-ibm fixes the following issues:
java-1_7_1-ibm was updated to Java 7.1 Service Refresh 4 Fix Pack 65 (bsc#1172277 and bsc#1169511)
- CVE-2020-2654: Fixed an issue which could have resulted in unauthorized ability to cause a partial denial of service
- CVE-2020-2756: Improved mapping of serial ENUMs
- CVE-2020-2757: Less Blocking Array Queues
- CVE-2020-2781: Improved TLS session handling
- CVE-2020-2800: Improved Headings for HTTP Servers
- CVE-2020-2803: Enhanced buffering of byte buffers
- CVE-2020-2805: Enhanced typing of methods
- CVE-2020-2830: Improved Scanner conversions
ImportantSUSE bug 1169511SUSE bug 1172277CVE-2020-2654 at SUSECVE-2020-2654 at NVDCVE-2020-2756 at SUSECVE-2020-2756 at NVDCVE-2020-2757 at SUSECVE-2020-2757 at NVDCVE-2020-2781 at SUSECVE-2020-2781 at NVDCVE-2020-2800 at SUSECVE-2020-2800 at NVDCVE-2020-2803 at SUSECVE-2020-2803 at NVDCVE-2020-2805 at SUSECVE-2020-2805 at NVDCVE-2020-2830 at SUSECVE-2020-2830 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_8_0-ibm fixes the following issues:
java-1_8_0-ibm was updated to Java 8.0 Service Refresh 6 Fix Pack 10 (bsc#1172277,bsc#1169511,bsc#1160968)
- CVE-2020-2654: Fixed an issue which could have resulted in unauthorized ability to cause a partial denial of service
- CVE-2020-2754: Forwarded references to Nashorn
- CVE-2020-2755: Improved Nashorn matching
- CVE-2020-2756: Improved mapping of serial ENUMs
- CVE-2020-2757: Less Blocking Array Queues
- CVE-2020-2781: Improved TLS session handling
- CVE-2020-2800: Improved Headings for HTTP Servers
- CVE-2020-2803: Enhanced buffering of byte buffers
- CVE-2020-2805: Enhanced typing of methods
- CVE-2020-2830: Improved Scanner conversions
- CVE-2019-2949: Fixed an issue which could have resulted in unauthorized access to critical data
- Added RSA PSS SUPPORT TO IBMPKCS11IMPL
- The pack200 and unpack200 alternatives should be slaves of java (bsc#1171352).
ImportantSUSE bug 1160968SUSE bug 1169511SUSE bug 1171352SUSE bug 1172277CVE-2019-2949 at SUSECVE-2019-2949 at NVDCVE-2020-2654 at SUSECVE-2020-2654 at NVDCVE-2020-2754 at SUSECVE-2020-2754 at NVDCVE-2020-2755 at SUSECVE-2020-2755 at NVDCVE-2020-2756 at SUSECVE-2020-2756 at NVDCVE-2020-2757 at SUSECVE-2020-2757 at NVDCVE-2020-2781 at SUSECVE-2020-2781 at NVDCVE-2020-2800 at SUSECVE-2020-2800 at NVDCVE-2020-2803 at SUSECVE-2020-2803 at NVDCVE-2020-2805 at SUSECVE-2020-2805 at NVDCVE-2020-2830 at SUSECVE-2020-2830 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_8_0-openjdk to version jdk8u252 fixes the following issues:
- CVE-2020-2754: Forward references to Nashorn (bsc#1169511)
- CVE-2020-2755: Improve Nashorn matching (bsc#1169511)
- CVE-2020-2756: Better mapping of serial ENUMs (bsc#1169511)
- CVE-2020-2757: Less Blocking Array Queues (bsc#1169511)
- CVE-2020-2773: Better signatures in XML (bsc#1169511)
- CVE-2020-2781: Improve TLS session handling (bsc#1169511)
- CVE-2020-2800: Better Headings for HTTP Servers (bsc#1169511)
- CVE-2020-2803: Enhance buffering of byte buffers (bsc#1169511)
- CVE-2020-2805: Enhance typing of methods (bsc#1169511)
- CVE-2020-2830: Better Scanner conversions (bsc#1169511)
ImportantSUSE bug 1160398SUSE bug 1169511CVE-2020-2754 at SUSECVE-2020-2754 at NVDCVE-2020-2755 at SUSECVE-2020-2755 at NVDCVE-2020-2756 at SUSECVE-2020-2756 at NVDCVE-2020-2757 at SUSECVE-2020-2757 at NVDCVE-2020-2773 at SUSECVE-2020-2773 at NVDCVE-2020-2781 at SUSECVE-2020-2781 at NVDCVE-2020-2800 at SUSECVE-2020-2800 at NVDCVE-2020-2803 at SUSECVE-2020-2803 at NVDCVE-2020-2805 at SUSECVE-2020-2805 at NVDCVE-2020-2830 at SUSECVE-2020-2830 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-BCL
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-10768: Fixed an issue with the prctl() function which could have allowed indirect branch speculation even after it has been disabled (bsc#1172783).
- CVE-2020-10767: Fixed an issue where the Indirect Branch Prediction Barrier (IBPB) would have been disabled when STIBP is unavailable or enhanced IBRS is available making the system vulnerable to spectre v2 (bsc#1172782).
- CVE-2020-10766: Fixed an issue with Linux scheduler which could have allowed an attacker to turn off the SSBD protection (bsc#1172781).
- xfs: Fix tail rounding in xfs_alloc_file_space() (bsc#1172049).
ImportantSUSE bug 1172049SUSE bug 1172781SUSE bug 1172782SUSE bug 1172783CVE-2020-10766 at SUSECVE-2020-10766 at NVDCVE-2020-10767 at SUSECVE-2020-10767 at NVDCVE-2020-10768 at SUSECVE-2020-10768 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for curl (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for curl fixes the following issues:
- CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027).
ImportantSUSE bug 1173027CVE-2020-8177 at SUSECVE-2020-8177 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for ceph (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This is a version update for ceph to version 12.2.13:
Security issue fixed:
- CVE-2020-10753: Fixed an HTTP header injection via CORS ExposeHeader tag (bsc#1171921).
- Notable changes in this update for ceph:
* mgr: telemetry: backported and now available on SES5.5. Please
consider enabling via 'ceph telemetry on' (bsc#1171670)
* OSD heartbeat ping time: new health warning, options and admin
commands (bsc#1171960)
* 'osd_calc_pg_upmaps_max_stddev' ceph.conf parameter has been
removed; use 'upmap_max_deviation' instead (bsc#1171961)
* Default maximum concurrent bluestore rocksdb compaction threads
raised from 1 to 2 for improved ability to keep up with rgw
bucket index workloads (bsc#1171963)
- Bug fixes in this ceph update:
* mon: Error message displayed when mon_osd_max_split_count would be
exceeded is not as user-friendly as it could be (bsc#1126230)
* ceph_volume_client: remove ceph mds calls in favor of ceph fs
calls (bsc#1136082)
* rgw: crypt: permit RGW-AUTO/default with SSE-S3 headers
(bsc#1157607)
* mon/AuthMonitor: don't validate fs caps on authorize (bsc#1161096)
- Additional bug fixes:
* ceph-volume: strip _dmcrypt suffix in simple scan json output (bsc#1162553) ImportantSUSE bug 1126230SUSE bug 1136082SUSE bug 1157607SUSE bug 1161096SUSE bug 1162553SUSE bug 1171670SUSE bug 1171921SUSE bug 1171960SUSE bug 1171961SUSE bug 1171963CVE-2020-10753 at SUSECVE-2020-10753 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for tomcat (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for tomcat fixes the following issues:
- CVE-2020-8022: Fixed a local root exploit due to improper permissions (bsc#1172405)
ImportantSUSE bug 1172405CVE-2020-8022 at SUSECVE-2020-8022 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for python3-requests (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python3-requests provides the following fix:
python-requests was updated to 2.20.1.
Update to version 2.20.1:
* Fixed bug with unintended Authorization header stripping for
redirects using default ports (http/80, https/443).
Update to version 2.20.0:
* Bugfixes
+ Content-Type header parsing is now case-insensitive
(e.g. charset=utf8 v Charset=utf8).
+ Fixed exception leak where certain redirect urls would raise
uncaught urllib3 exceptions.
+ Requests removes Authorization header from requests redirected
from https to http on the same hostname. (CVE-2018-18074)
+ should_bypass_proxies now handles URIs without hostnames
(e.g. files).
Update to version 2.19.1:
* Fixed issue where status_codes.py’s init function failed trying
to append to a __doc__ value of None.
Update to version 2.19.0:
* Improvements
+ Warn about possible slowdown with cryptography version < 1.3.4
+ Check host in proxy URL, before forwarding request to adapter.
+ Maintain fragments properly across redirects. (RFC7231 7.1.2)
+ Removed use of cgi module to expedite library load time.
+ Added support for SHA-256 and SHA-512 digest auth algorithms.
+ Minor performance improvement to Request.content.
* Bugfixes
+ Parsing empty Link headers with parse_header_links() no longer
return one bogus entry.
+ Fixed issue where loading the default certificate bundle from
a zip archive would raise an IOError.
+ Fixed issue with unexpected ImportError on windows system
which do not support winreg module.
+ DNS resolution in proxy bypass no longer includes the username
and password in the request. This also fixes the issue of DNS
queries failing on macOS.
+ Properly normalize adapter prefixes for url comparison.
+ Passing None as a file pointer to the files param no longer
raises an exception.
+ Calling copy on a RequestsCookieJar will now preserve the
cookie policy correctly.
Update to version 2.18.4:
* Improvements
+ Error messages for invalid headers now include the header name
for easier debugging
Update to version 2.18.3:
* Improvements
+ Running $ python -m requests.help now includes the installed
version of idna.
* Bugfixes
+ Fixed issue where Requests would raise ConnectionError instead
of SSLError when encountering SSL problems when using urllib3
v1.22.
- Add ca-certificates (and ca-certificates-mozilla) to dependencies, otherwise https
connections will fail.
ModerateSUSE bug 1054413SUSE bug 1073879SUSE bug 1111622SUSE bug 1122668SUSE bug 761500SUSE bug 922448SUSE bug 929736SUSE bug 935252SUSE bug 945455SUSE bug 947357SUSE bug 961596SUSE bug 967128CVE-2015-2296 at SUSECVE-2015-2296 at NVDCVE-2018-18074 at SUSECVE-2018-18074 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for mutt (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for mutt fixes the following issues:
- CVE-2020-14954: Fixed a response injection due to a STARTTLS buffering issue which was
affecting IMAP, SMTP, and POP3 (bsc#1173197).
- CVE-2020-14093: Fixed a potential IMAP Man-in-the-Middle attack via a PREAUTH response (bsc#1172906, bsc#1172935).
- CVE-2020-14154: Fixed an issue where Mutt was ignoring an expired certificate and was
proceeding with a connection (bsc#1172906, bsc#1172935).
ImportantSUSE bug 1172906SUSE bug 1172935SUSE bug 1173197CVE-2020-14093 at SUSECVE-2020-14093 at NVDCVE-2020-14154 at SUSECVE-2020-14154 at NVDCVE-2020-14954 at SUSECVE-2020-14954 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for squid (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for squid fixes the following issues:
- CVE-2020-14059: Fixed an issue where a client could potentially deny the service of a server
during TLS Handshake (bsc#1173304).
- CVE-2019-18860: Fixed handling of invalid domain names in cachemgr.cgi (bsc#1167373).
ImportantSUSE bug 1167373SUSE bug 1173304CVE-2019-18860 at SUSECVE-2019-18860 at NVDCVE-2020-14059 at SUSECVE-2020-14059 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for ntp (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for ntp fixes the following issues:
ntp was updated to 4.2.8p15
- CVE-2020-11868: Fixed an issue which a server mode packet with spoofed source address
frequently send to the client ntpd could have caused denial of service (bsc#1169740).
- CVE-2018-8956: Fixed an issue which could have allowed remote attackers to prevent
a broadcast client from synchronizing its clock with a broadcast NTP server via spoofed
mode 3 and mode 5 packets (bsc#1171355).
- CVE-2020-13817: Fixed an issue which an off-path attacker with the ability to query time
from victim's ntpd instance could have modified the victim's clock by a limited amount (bsc#1172651).
- CVE-2020-15025: Fixed an issue which remote attacker could have caused denial of service by consuming
the memory when a CMAC key was used andassociated with a CMAC algorithm in the ntp.keys (bsc#1173334).
ModerateSUSE bug 1169740SUSE bug 1171355SUSE bug 1172651SUSE bug 1173334CVE-2018-8956 at SUSECVE-2018-8956 at NVDCVE-2020-11868 at SUSECVE-2020-11868 at NVDCVE-2020-13817 at SUSECVE-2020-13817 at NVDCVE-2020-15025 at SUSECVE-2020-15025 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for mozilla-nspr, mozilla-nss (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to version 3.53.1
- CVE-2020-12402: Fixed a potential side channel attack during RSA key generation (bsc#1173032).
- CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978).
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- Fixed various FIPS issues in libfreebl3 which were causing segfaults in the test suite of chrony (bsc#1168669).
- Fixed an issue where Firefox tab was crashing (bsc#1170908).
Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes
mozilla-nspr to version 4.25
ImportantSUSE bug 1159819SUSE bug 1168669SUSE bug 1169746SUSE bug 1170908SUSE bug 1171978SUSE bug 1173022CVE-2019-17006 at SUSECVE-2019-17006 at NVDCVE-2020-12399 at SUSECVE-2020-12399 at NVDCVE-2020-12402 at SUSECVE-2020-12402 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for openldap2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for openldap2 fixes the following issues:
- CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).
- Changed DB_CONFIG to root:ldap permissions (bsc#1172704).
- Fixed an issue where slapd becomes unresponsive after many failed login/bind attempts(bsc#1170715).
ImportantSUSE bug 1170715SUSE bug 1172698SUSE bug 1172704CVE-2020-8023 at SUSECVE-2020-8023 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xen fixes the following issues:
- CVE-2020-15563: Fixed inverted code paths in x86 dirty VRAM tracking (bsc#1173377).
- CVE-2020-15565: Fixed insufficient cache write-back under VT-d (bsc#1173378).
- CVE-2020-15567: Fixed non-atomic modification of live EPT PTE (bsc#1173380).
ImportantSUSE bug 1173377SUSE bug 1173378SUSE bug 1173380CVE-2020-15563 at SUSECVE-2020-15563 at NVDCVE-2020-15565 at SUSECVE-2020-15565 at NVDCVE-2020-15567 at SUSECVE-2020-15567 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox to version 78.0.1 ESR fixes the following issues:
Security issues fixed:
- CVE-2020-12415: AppCache manifest poisoning due to url encoded character processing (bsc#1173576).
- CVE-2020-12416: Use-after-free in WebRTC VideoBroadcaster (bsc#1173576).
- CVE-2020-12417: Memory corruption due to missing sign-extension for ValueTags on ARM64 (bsc#1173576).
- CVE-2020-12418: Information disclosure due to manipulated URL object (bsc#1173576).
- CVE-2020-12419: Use-after-free in nsGlobalWindowInner (bsc#1173576).
- CVE-2020-12420: Use-After-Free when trying to connect to a STUN server (bsc#1173576).
- CVE-2020-12402: RSA Key Generation vulnerable to side-channel attack (bsc#1173576).
- CVE-2020-12421: Add-On updates did not respect the same certificate trust rules as software updates (bsc#1173576).
- CVE-2020-12422: Integer overflow in nsJPEGEncoder::emptyOutputBuffer (bsc#1173576).
- CVE-2020-12423: DLL Hijacking due to searching %PATH% for a library (bsc#1173576).
- CVE-2020-12424: WebRTC permission prompt could have been bypassed by a compromised content process (bsc#1173576).
- CVE-2020-12425: Out of bound read in Date.parse() (bsc#1173576).
- CVE-2020-12426: Memory safety bugs fixed in Firefox 78 (bsc#1173576).
- FIPS: MozillaFirefox: allow /proc/sys/crypto/fips_enabled (bsc#1167231).
Non-security issues fixed:
- Fixed interaction with freetype6 (bsc#1173613).
ImportantSUSE bug 1167231SUSE bug 1173576SUSE bug 1173613CVE-2020-12402 at SUSECVE-2020-12402 at NVDCVE-2020-12415 at SUSECVE-2020-12415 at NVDCVE-2020-12416 at SUSECVE-2020-12416 at NVDCVE-2020-12417 at SUSECVE-2020-12417 at NVDCVE-2020-12418 at SUSECVE-2020-12418 at NVDCVE-2020-12419 at SUSECVE-2020-12419 at NVDCVE-2020-12420 at SUSECVE-2020-12420 at NVDCVE-2020-12421 at SUSECVE-2020-12421 at NVDCVE-2020-12422 at SUSECVE-2020-12422 at NVDCVE-2020-12423 at SUSECVE-2020-12423 at NVDCVE-2020-12424 at SUSECVE-2020-12424 at NVDCVE-2020-12425 at SUSECVE-2020-12425 at NVDCVE-2020-12426 at SUSECVE-2020-12426 at NVDCVE-2020-6813 at SUSECVE-2020-6813 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for bind (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for bind fixes the following issues:
- Amended documentation referring to rule types 'krb5-subdomain'
and 'ms-subdomain'. This incorrect documentation could mislead
operators into believing that policies they had configured were
more restrictive than they actually were. [CVE-2018-5741]
- Further limit the number of queries that can be triggered from a
request. Root and TLD servers are no longer exempt from
max-recursion-queries. Fetches for missing name server address
records are limited to 4 for any domain. [CVE-2020-8616]
- Replaying a TSIG BADTIME response as a request could trigger an
assertion failure. [CVE-2020-8617]
[bsc#1109160, bsc#1171740,
CVE-2018-5741, bind-CVE-2018-5741.patch,
CVE-2020-8616, bind-CVE-2020-8616.patch,
CVE-2020-8617, bind-CVE-2020-8617.patch]
- Don't rely on /etc/insserv.conf anymore for proper dependencies
against nss-lookup.target in named.service and lwresd.service
(bsc#1118367 bsc#1118368)
- Using a drop-in file
ImportantSUSE bug 1109160SUSE bug 1118367SUSE bug 1118368SUSE bug 1171740CVE-2018-5741 at SUSECVE-2018-5741 at NVDCVE-2020-8616 at SUSECVE-2020-8616 at NVDCVE-2020-8617 at SUSECVE-2020-8617 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for squid (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for squid fixes the following issues:
- CVE-2020-15049.patch: fixes a Cache Poisoning and Request Smuggling
attack (CVE-2020-15049, bsc#1173455)
ImportantSUSE bug 1173455CVE-2020-15049 at SUSECVE-2020-15049 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for SUSE Manager Client Tools (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update fixes the following issues:
cobbler:
- Calculate relative path for kernel and inited when generating
grub entry (bsc#1170231)
Added: fix-grub2-entry-paths.diff
- Fix os-release version detection for SUSE
Modified: sles15.patch
- Jinja2 template library fix (bsc#1141661)
- Removes string replace for textmode fix (bsc#1134195)
golang-github-prometheus-node_exporter:
- Update to 0.18.1
* [BUGFIX] Fix incorrect sysctl call in BSD meminfo collector, resulting in broken swap metrics on FreeBSD #1345
* [BUGFIX] Fix rollover bug in mountstats collector #1364
* Renamed interface label to device in netclass collector for consistency with
* other network metrics #1224
* The cpufreq metrics now separate the cpufreq and scaling data based on what the driver provides. #1248
* The labels for the network_up metric have changed, see issue #1236
* Bonding collector now uses mii_status instead of operstatus #1124
* Several systemd metrics have been turned off by default to improve performance #1254
* These include unit_tasks_current, unit_tasks_max, service_restart_total, and unit_start_time_seconds
* The systemd collector blacklist now includes automount, device, mount, and slice units by default. #1255
* [CHANGE] Bonding state uses mii_status #1124
* [CHANGE] Add a limit to the number of in-flight requests #1166
* [CHANGE] Renamed interface label to device in netclass collector #1224
* [CHANGE] Add separate cpufreq and scaling metrics #1248
* [CHANGE] Several systemd metrics have been turned off by default to improve performance #1254
* [CHANGE] Expand systemd collector blacklist #1255
* [CHANGE] Split cpufreq metrics into a separate collector #1253
* [FEATURE] Add a flag to disable exporter metrics #1148
* [FEATURE] Add kstat-based Solaris metrics for boottime, cpu and zfs collectors #1197
* [FEATURE] Add uname collector for FreeBSD #1239
* [FEATURE] Add diskstats collector for OpenBSD #1250
* [FEATURE] Add pressure collector exposing pressure stall information for Linux #1174
* [FEATURE] Add perf exporter for Linux #1274
* [ENHANCEMENT] Add Infiniband counters #1120
* [ENHANCEMENT] Add TCPSynRetrans to netstat default filter #1143
* [ENHANCEMENT] Move network_up labels into new metric network_info #1236
* [ENHANCEMENT] Use 64-bit counters for Darwin netstat
* [BUGFIX] Add fallback for missing /proc/1/mounts #1172
* [BUGFIX] Fix node_textfile_mtime_seconds to work properly on symlinks #1326
- Add network-online (Wants and After) dependency to systemd unit bsc#1143913
golang-github-prometheus-prometheus:
- Update change log and spec file
+ Modified spec file: default to golang 1.14 to avoid 'have choice' build issues in OBS.
+ Rebase and update patches for version 2.18.0
+ Changed:
* 0002-Default-settings.patch Changed
- Update to 2.18.0
+ Features
* Tracing: Added experimental Jaeger support #7148
+ Changes
* Federation: Only use local TSDB for federation (ignore remote read). #7096
* Rules: `rule_evaluations_total` and `rule_evaluation_failures_total` have a `rule_group` label now. #7094
+ Enhancements
* TSDB: Significantly reduce WAL size kept around after a block cut. #7098
* Discovery: Add `architecture` meta label for EC2. #7000
+ Bug fixes
* UI: Fixed wrong MinTime reported by /status. #7182
* React UI: Fixed multiselect legend on OSX. #6880
* Remote Write: Fixed blocked resharding edge case. #7122
* Remote Write: Fixed remote write not updating on relabel configs change. #7073
- Changes from 2.17.2
+ Bug fixes
* Federation: Register federation metrics #7081
* PromQL: Fix panic in parser error handling #7132
* Rules: Fix reloads hanging when deleting a rule group that is being evaluated #7138
* TSDB: Fix a memory leak when prometheus starts with an empty TSDB WAL #7135
* TSDB: Make isolation more robust to panics in web handlers #7129 #7136
- Changes from 2.17.1
+ Bug fixes
* TSDB: Fix query performance regression that increased memory and CPU usage #7051
- Changes from 2.17.0
+ Features
* TSDB: Support isolation #6841
* This release implements isolation in TSDB. API queries and recording rules are
guaranteed to only see full scrapes and full recording rules. This comes with a
certain overhead in resource usage. Depending on the situation, there might be
some increase in memory usage, CPU usage, or query latency.
+ Enhancements
* PromQL: Allow more keywords as metric names #6933
* React UI: Add normalization of localhost URLs in targets page #6794
* Remote read: Read from remote storage concurrently #6770
* Rules: Mark deleted rule series as stale after a reload #6745
* Scrape: Log scrape append failures as debug rather than warn #6852
* TSDB: Improve query performance for queries that partially hit the head #6676
* Consul SD: Expose service health as meta label #5313
* EC2 SD: Expose EC2 instance lifecycle as meta label #6914
* Kubernetes SD: Expose service type as meta label for K8s service role #6684
* Kubernetes SD: Expose label_selector and field_selector #6807
* Openstack SD: Expose hypervisor id as meta label #6962
+ Bug fixes
* PromQL: Do not escape HTML-like chars in query log #6834 #6795
* React UI: Fix data table matrix values #6896
* React UI: Fix new targets page not loading when using non-ASCII characters #6892
* Remote read: Fix duplication of metrics read from remote storage with external labels #6967 #7018
* Remote write: Register WAL watcher and live reader metrics for all remotes, not just the first one #6998
* Scrape: Prevent removal of metric names upon relabeling #6891
* Scrape: Fix 'superfluous response.WriteHeader call' errors when scrape fails under some circonstances #6986
* Scrape: Fix crash when reloads are separated by two scrape intervals #7011
- Changes from 2.16.0
+ Features
* React UI: Support local timezone on /graph #6692
* PromQL: add absent_over_time query function #6490
* Adding optional logging of queries to their own file #6520
+ Enhancements
* React UI: Add support for rules page and 'Xs ago' duration displays #6503
* React UI: alerts page, replace filtering togglers tabs with checkboxes #6543
* TSDB: Export metric for WAL write errors #6647
* TSDB: Improve query performance for queries that only touch the most recent 2h of data. #6651
* PromQL: Refactoring in parser errors to improve error messages #6634
* PromQL: Support trailing commas in grouping opts #6480
* Scrape: Reduce memory usage on reloads by reusing scrape cache #6670
* Scrape: Add metrics to track bytes and entries in the metadata cache #6675
* promtool: Add support for line-column numbers for invalid rules output #6533
* Avoid restarting rule groups when it is unnecessary #6450
+ Bug fixes
* React UI: Send cookies on fetch() on older browsers #6553
* React UI: adopt grafana flot fix for stacked graphs #6603
* React UI: broken graph page browser history so that back button works as expected #6659
* TSDB: ensure compactionsSkipped metric is registered, and log proper error if one is returned from head.Init #6616
* TSDB: return an error on ingesting series with duplicate labels #6664
* PromQL: Fix unary operator precedence #6579
* PromQL: Respect query.timeout even when we reach query.max-concurrency #6712
* PromQL: Fix string and parentheses handling in engine, which affected React UI #6612
* PromQL: Remove output labels returned by absent() if they are produced by multiple identical label matchers #6493
* Scrape: Validate that OpenMetrics input ends with `# EOF` #6505
* Remote read: return the correct error if configs can't be marshal'd to JSON #6622
* Remote write: Make remote client `Store` use passed context, which can affect shutdown timing #6673
* Remote write: Improve sharding calculation in cases where we would always be consistently behind by tracking pendingSamples #6511
* Ensure prometheus_rule_group metrics are deleted when a rule group is removed #6693
- Changes from 2.15.2
+ Bug fixes
* TSDB: Fixed support for TSDB blocks built with Prometheus before 2.1.0. #6564
* TSDB: Fixed block compaction issues on Windows. #6547
- Changes from 2.15.1
+ Bug fixes
* TSDB: Fixed race on concurrent queries against same data. #6512
- Changes from 2.15.0
+ Features
* API: Added new endpoint for exposing per metric metadata `/metadata`. #6420 #6442
+ Changes
* Discovery: Removed `prometheus_sd_kubernetes_cache_*` metrics. Additionally `prometheus_sd_kubernetes_workqueue_latency_seconds` and `prometheus_sd_kubernetes_workqueue_work_duration_seconds` metrics now show correct values in seconds. #6393
* Remote write: Changed `query` label on `prometheus_remote_storage_*` metrics to `remote_name` and `url`. #6043
+ Enhancements
* TSDB: Significantly reduced memory footprint of loaded TSDB blocks. #6418 #6461
* TSDB: Significantly optimized what we buffer during compaction which should result in lower memory footprint during compaction. #6422 #6452 #6468 #6475
* TSDB: Improve replay latency. #6230
* TSDB: WAL size is now used for size based retention calculation. #5886
* Remote read: Added query grouping and range hints to the remote read request #6401
* Remote write: Added `prometheus_remote_storage_sent_bytes_total` counter per queue. #6344
* promql: Improved PromQL parser performance. #6356
* React UI: Implemented missing pages like `/targets` #6276, TSDB status page #6281 #6267 and many other fixes and performance improvements.
* promql: Prometheus now accepts spaces between time range and square bracket. e.g `[ 5m]` #6065
+ Bug fixes
* Config: Fixed alertmanager configuration to not miss targets when configurations are similar. #6455
* Remote write: Value of `prometheus_remote_storage_shards_desired` gauge shows raw value of desired shards and it's updated correctly. #6378
* Rules: Prometheus now fails the evaluation of rules and alerts where metric results collide with labels specified in `labels` field. #6469
* API: Targets Metadata API `/targets/metadata` now accepts empty `match_targets` parameter as in the spec. #6303
- Changes from 2.14.0
+ Features
* API: `/api/v1/status/runtimeinfo` and `/api/v1/status/buildinfo` endpoints added for use by the React UI. #6243
* React UI: implement the new experimental React based UI. #5694 and many more
* Can be found by under `/new`.
* Not all pages are implemented yet.
* Status: Cardinality statistics added to the Runtime & Build Information page. #6125
+ Enhancements
* Remote write: fix delays in remote write after a compaction. #6021
* UI: Alerts can be filtered by state. #5758
+ Bug fixes
* Ensure warnings from the API are escaped. #6279
* API: lifecycle endpoints return 403 when not enabled. #6057
* Build: Fix Solaris build. #6149
* Promtool: Remove false duplicate rule warnings when checking rule files with alerts. #6270
* Remote write: restore use of deduplicating logger in remote write. #6113
* Remote write: do not reshard when unable to send samples. #6111
* Service discovery: errors are no longer logged on context cancellation. #6116, #6133
* UI: handle null response from API properly. #6071
- Changes from 2.13.1
+ Bug fixes
* Fix panic in ARM builds of Prometheus. #6110
* promql: fix potential panic in the query logger. #6094
* Multiple errors of http: superfluous response.WriteHeader call in the logs. #6145
- Changes from 2.13.0
+ Enhancements
* Metrics: renamed prometheus_sd_configs_failed_total to prometheus_sd_failed_configs and changed to Gauge #5254
* Include the tsdb tool in builds. #6089
* Service discovery: add new node address types for kubernetes. #5902
* UI: show warnings if query have returned some warnings. #5964
* Remote write: reduce memory usage of the series cache. #5849
* Remote read: use remote read streaming to reduce memory usage. #5703
* Metrics: added metrics for remote write max/min/desired shards to queue manager. #5787
* Promtool: show the warnings during label query. #5924
* Promtool: improve error messages when parsing bad rules. #5965
* Promtool: more promlint rules. #5515
+ Bug fixes
* UI: Fix a Stored DOM XSS vulnerability with query history [CVE-2019-10215](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10215). #6098
* Promtool: fix recording inconsistency due to duplicate labels. #6026
* UI: fixes service-discovery view when accessed from unhealthy targets. #5915
* Metrics format: OpenMetrics parser crashes on short input. #5939
* UI: avoid truncated Y-axis values. #6014
- Changes from 2.12.0
+ Features
* Track currently active PromQL queries in a log file. #5794
* Enable and provide binaries for `mips64` / `mips64le` architectures. #5792
+ Enhancements
* Improve responsiveness of targets web UI and API endpoint. #5740
* Improve remote write desired shards calculation. #5763
* Flush TSDB pages more precisely. tsdb#660
* Add `prometheus_tsdb_retention_limit_bytes` metric. tsdb#667
* Add logging during TSDB WAL replay on startup. tsdb#662
* Improve TSDB memory usage. tsdb#653, tsdb#643, tsdb#654, tsdb#642, tsdb#627
+ Bug fixes
* Check for duplicate label names in remote read. #5829
* Mark deleted rules' series as stale on next evaluation. #5759
* Fix JavaScript error when showing warning about out-of-sync server time. #5833
* Fix `promtool test rules` panic when providing empty `exp_labels`. #5774
* Only check last directory when discovering checkpoint number. #5756
* Fix error propagation in WAL watcher helper functions. #5741
* Correctly handle empty labels from alert templates. #5845
- Update Uyuni/SUSE Manager service discovery patch
+ Modified 0003-Add-Uyuni-service-discovery.patch:
+ Adapt service discovery to the new Uyuni API endpoints
+ Modified spec file: force golang 1.12 to fix build issues in SLE15SP2
- Update to Prometheus 2.11.2
grafana:
- Update to version 7.0.3
* Features / Enhancements
- Stats: include all fields. #24829, @ryantxu
- Variables: change VariableEditorList row action Icon to IconButton. #25217, @hshoff
* Bug fixes
- Cloudwatch: Fix dimensions of DDoSProtection. #25317, @papagian
- Configuration: Fix env var override of sections containing hyphen. #25178, @marefr
- Dashboard: Get panels in collapsed rows. #25079, @peterholmberg
- Do not show alerts tab when alerting is disabled. #25285, @dprokop
- Jaeger: fixes cascader option label duration value. #25129, @Estrax
- Transformations: Fixed Transform tab crash & no update after adding first transform. #25152, @torkelo
- Update to version 7.0.2
* Bug fixes
- Security: Urgent security patch release to fix CVE-2020-13379
- Update to version 7.0.1
* Features / Enhancements
- Datasource/CloudWatch: Makes CloudWatch Logs query history more readable. #24795, @kaydelaney
- Download CSV: Add date and time formatting. #24992, @ryantxu
- Table: Make last cell value visible when right aligned. #24921, @peterholmberg
- TablePanel: Adding sort order persistance. #24705, @torkelo
- Transformations: Display correct field name when using reduce transformation. #25068, @peterholmberg
- Transformations: Allow custom number input for binary operations. #24752, @ryantxu
* Bug fixes
- Dashboard/Links: Fixes dashboard links by tags not working. #24773, @KamalGalrani
- Dashboard/Links: Fixes open in new window for dashboard link. #24772, @KamalGalrani
- Dashboard/Links: Variables are resolved and limits to 100. #25076, @hugohaggmark
- DataLinks: Bring back variables interpolation in title. #24970, @dprokop
- Datasource/CloudWatch: Field suggestions no longer limited to prefix-only. #24855, @kaydelaney
- Explore/Table: Keep existing field types if possible. #24944, @kaydelaney
- Explore: Fix wrap lines toggle for results of queries with filter expression. #24915, @ivanahuckova
- Explore: fix undo in query editor. #24797, @zoltanbedi
- Explore: fix word break in type head info. #25014, @zoltanbedi
- Graph: Legend decimals now work as expected. #24931, @torkelo
- LoginPage: Fix hover color for service buttons. #25009, @tskarhed
- LogsPanel: Fix scrollbar. #24850, @ivanahuckova
- MoveDashboard: Fix for moving dashboard caused all variables to be lost. #25005, @torkelo
- Organize transformer: Use display name in field order comparer. #24984, @dprokop
- Panel: shows correct panel menu items in view mode. #24912, @hugohaggmark
- PanelEditor Fix missing labels and description if there is only single option in category. #24905, @dprokop
- PanelEditor: Overrides name matcher still show all original field names even after Field default display name is specified. #24933, @torkelo
- PanelInspector: Makes sure Data display options are visible. #24902, @hugohaggmark
- PanelInspector: Hides unsupported data display options for Panel type. #24918, @hugohaggmark
- PanelMenu: Make menu disappear on button press. #25015, @tskarhed
- Postgres: Fix add button. #25087, @phemmer
- Prometheus: Fix recording rules expansion. #24977, @ivanahuckova
- Stackdriver: Fix creating Service Level Objectives (SLO) datasource query variable. #25023, @papagian
- Update to version 7.0.0
* Breaking changes
- Removed PhantomJS: PhantomJS was deprecated in Grafana v6.4 and starting from Grafana v7.0.0, all PhantomJS support has been removed. This means that Grafana no longer ships with a built-in image renderer, and we advise you to install the Grafana Image Renderer plugin.
- Dashboard: A global minimum dashboard refresh interval is now enforced and defaults to 5 seconds.
- Interval calculation: There is now a new option Max data points that controls the auto interval $__interval calculation. Interval was previously calculated by dividing the panel width by the time range. With the new max data points option it is now easy to set $__interval to a dynamic value that is time range agnostic. For example if you set Max data points to 10 Grafana will dynamically set $__interval by dividing the current time range by 10.
- Datasource/Loki: Support for deprecated Loki endpoints has been removed.
- Backend plugins: Grafana now requires backend plugins to be signed, otherwise Grafana will not load/start them. This is an additional security measure to make sure backend plugin binaries and files haven't been tampered with. Refer to Upgrade Grafana for more information.
- @grafana/ui: Forms migration notice, see @grafana/ui changelog
- @grafana/ui: Select API change for creating custom values, see @grafana/ui changelog
+ Deprecation warnings
- Scripted dashboards is now deprecated. The feature is not removed but will be in a future release. We hope to address the underlying requirement of dynamic dashboards in a different way. #24059
- The unofficial first version of backend plugins together with usage of grafana/grafana-plugin-model is now deprecated and support for that will be removed in a future release. Please refer to backend plugins documentation for information about the new officially supported backend plugins.
* Features / Enhancements
- Backend plugins: Log deprecation warning when using the unofficial first version of backend plugins. #24675, @marefr
- Editor: New line on Enter, run query on Shift+Enter. #24654, @davkal
- Loki: Allow multiple derived fields with the same name. #24437, @aocenas
- Orgs: Add future deprecation notice. #24502, @torkelo
* Bug Fixes
- @grafana/toolkit: Use process.cwd() instead of PWD to get directory. #24677, @zoltanbedi
- Admin: Makes long settings values line break in settings page. #24559, @hugohaggmark
- Dashboard: Allow editing provisioned dashboard JSON and add confirmation when JSON is copied to dashboard. #24680, @dprokop
- Dashboard: Fix for strange 'dashboard not found' errors when opening links in dashboard settings. #24416, @torkelo
- Dashboard: Fix so default data source is selected when data source can't be found in panel editor. #24526, @mckn
- Dashboard: Fixed issue changing a panel from transparent back to normal in panel editor. #24483, @torkelo
- Dashboard: Make header names reflect the field name when exporting to CSV file from the the panel inspector. #24624, @peterholmberg
- Dashboard: Make sure side pane is displayed with tabs by default in panel editor. #24636, @dprokop
- Data source: Fix query/annotation help content formatting. #24687, @AgnesToulet
- Data source: Fixes async mount errors. #24579, @Estrax
- Data source: Fixes saving a data source without failure when URL doesn't specify a protocol. #24497, @aknuds1
- Explore/Prometheus: Show results of instant queries only in table. #24508, @ivanahuckova
- Explore: Fix rendering of react query editors. #24593, @ivanahuckova
- Explore: Fixes loading more logs in logs context view. #24135, @Estrax
- Graphite: Fix schema and dedupe strategy in rollup indicators for Metrictank queries. #24685, @torkelo
- Graphite: Makes query annotations work again. #24556, @hugohaggmark
- Logs: Clicking 'Load more' from context overlay doesn't expand log row. #24299, @kaydelaney
- Logs: Fix total bytes process calculation. #24691, @davkal
- Org/user/team preferences: Fixes so UI Theme can be set back to Default. #24628, @AgnesToulet
- Plugins: Fix manifest validation. #24573, @aknuds1
- Provisioning: Use proxy as default access mode in provisioning. #24669, @bergquist
- Search: Fix select item when pressing enter and Grafana is served using a sub path. #24634, @tskarhed
- Search: Save folder expanded state. #24496, @Clarity-89
- Security: Tag value sanitization fix in OpenTSDB data source. #24539, @rotemreiss
- Table: Do not include angular options in options when switching from angular panel. #24684, @torkelo
- Table: Fixed persisting column resize for time series fields. #24505, @torkelo
- Table: Fixes Cannot read property subRows of null. #24578, @hugohaggmark
- Time picker: Fixed so you can enter a relative range in the time picker without being converted to absolute range. #24534, @mckn
- Transformations: Make transform dropdowns not cropped. #24615, @dprokop
- Transformations: Sort order should be preserved as entered by user when using the reduce transformation. #24494, @hugohaggmark
- Units: Adds scale symbol for currencies with suffixed symbol. #24678, @hugohaggmark
- Variables: Fixes filtering options with more than 1000 entries. #24614, @hugohaggmark
- Variables: Fixes so Textbox variables read value from url. #24623, @hugohaggmark
- Zipkin: Fix error when span contains remoteEndpoint. #24524, @aocenas
- SAML: Switch from email to login for user login attribute mapping (Enterprise)
- Update Makefile and spec file
* Remove phantomJS patch from Makefile
* Fix multiline strings in Makefile
* Exclude s390 from SLE12 builds, golang 1.14 is not built for s390
- Add instructions for patching the Grafana javascript frontend.
- BuildRequires golang(API) instead of go metapackage version range
* BuildRequires: golang(API) >= 1.14 from
BuildRequires: ( go >= 1.14 with go < 1.15 )
- Update to version 6.7.3
- This version fixes bsc#1170557 and its corresponding CVE-2020-12245
- Admin: Fix Synced via LDAP message for non-LDAP external users. #23477, @alexanderzobnin
- Alerting: Fixes notifications for alerts with empty message in Google Hangouts notifier. #23559, @hugohaggmark
- AuthProxy: Fixes bug where long username could not be cached.. #22926, @jcmcken
- Dashboard: Fix saving dashboard when editing raw dashboard JSON model. #23314, @peterholmberg
- Dashboard: Try to parse 8 and 15 digit numbers as timestamps if parsing of time range as date fails. #21694, @jessetan
- DashboardListPanel: Fixed problem with empty panel after going into edit mode (General folder filter being automatically added) . #23426, @torkelo
- Data source: Handle datasource withCredentials option properly. #23380, @hvtuananh
- Security: Fix annotation popup XSS vulnerability. #23813, @torkelo
- Server: Exit Grafana with status code 0 if no error. #23312, @aknuds1
- TablePanel: Fix XSS issue in header column rename (backport). #23814, @torkelo
- Variables: Fixes error when setting adhoc variable values. #23580, @hugohaggmark
- Update to version 6.7.2:
(see installed changelog for the full list of changes)
- BackendSrv: Adds config to response to fix issue for external plugins that used this property . #23032, @torkelo
- Dashboard: Fixed issue with saving new dashboard after changing title . #23104, @dprokop
- DataLinks: make sure we use the correct datapoint when dataset contains null value.. #22981, @mckn
- Plugins: Fixed issue for plugins that imported dateMath util . #23069, @mckn
- Security: Fix for dashboard snapshot original dashboard link could contain XSS vulnerability in url. #23254, @torkelo
- Variables: Fixes issue with too many queries being issued for nested template variables after value change. #23220, @torkelo
- Plugins: Expose promiseToDigest. #23249, @torkelo
- Reporting (Enterprise): Fixes issue updating a report created by someone else
- Update to 6.7.1:
(see installed changelog for the full list of changes)
Bug Fixes
- Azure: Fixed dropdowns not showing current value. #22914, @torkelo
- BackendSrv: only add content-type on POST, PUT requests. #22910, @hugohaggmark
- Panels: Fixed size issue with panel internal size when exiting panel edit mode. #22912, @torkelo
- Reporting: fixes migrations compatibility with mysql (Enterprise)
- Reporting: Reduce default concurrency limit to 4 (Enterprise)
- Update to 6.7.0:
(see installed changelog for the full list of changes)
Bug Fixes
- AngularPanels: Fixed inner height calculation for angular panels . #22796, @torkelo
- BackendSrv: makes sure provided headers are correctly recognized and set. #22778, @hugohaggmark
- Forms: Fix input suffix position (caret-down in Select) . #22780, @torkelo
- Graphite: Fixed issue with query editor and next select metric now showing after selecting metric node . #22856, @torkelo
- Rich History: UX adjustments and fixes. #22729, @ivanahuckova
- Update to 6.7.0-beta1:
Breaking changes
- Slack: Removed Mention setting and instead introduce Mention Users, Mention Groups, and Mention Channel. The first two settings require user and group IDs, respectively. This change was necessary because the way of mentioning via the Slack API changed and mentions in Slack notifications no longer worked.
- Alerting: Reverts the behavior of diff and percent_diff to not always be absolute. Something we introduced by mistake in 6.1.0. Alerting now support diff(), diff_abs(), percent_diff() and percent_diff_abs(). #21338
- Notice about changes in backendSrv for plugin authors
In our mission to migrate away from AngularJS to React we have removed all AngularJS dependencies in the core data retrieval service backendSrv.
Removing the AngularJS dependencies in backendSrv has the unfortunate side effect of AngularJS digest no longer being triggered for any request made with backendSrv. Because of this, external plugins using backendSrv directly may suffer from strange behaviour in the UI.
To remedy this issue, as a plugin author you need to trigger the digest after a direct call to backendSrv.
Bug Fixes
API: Fix redirect issues. #22285, @papagian
Alerting: Don't include image_url field with Slack message if empty. #22372, @aknuds1
Alerting: Fixed bad background color for default notifications in alert tab . #22660, @krvajal
Annotations: In table panel when setting transform to annotation, they will now show up right away without a manual refresh. #22323, @krvajal
Azure Monitor: Fix app insights source to allow for new __timeFrom and __timeTo. #21879, @ChadNedzlek
BackendSrv: Fixes POST body for form data. gmark
CloudWatch: Credentials cache invalidation fix. #22473, @sunker
CloudWatch: Expand alias variables when query yields no result. #22695, @sunker
Dashboard: Fix bug with NaN in alerting. #22053, @a-melnyk
Explore: Fix display of multiline logs in log panel and explore. #22057, @thomasdraebing
Heatmap: Legend color range is incorrect when using custom min/max. #21748, @sv5d
Security: Fixed XSS issue in dashboard history diff . #22680, @torkelo
StatPanel: Fixes base color is being used for null values .
#22646, @torkelo
- Update to version 6.6.2:
(see installed changelog for the full list of changes)
- Update to version 6.6.1:
(see installed changelog for the full list of changes)
- Update to version 6.6.0:
(see installed changelog for the full list of changes)
- Update to version 6.5.3:
(see installed changelog for the full list of changes)
- Update to version 6.5.2:
(see installed changelog for the full list of changes)
- Update to version 6.5.1:
(see installed changelog for the full list of changes)
- Update to version 6.5.0
(see installed changelog for the full list of changes)
- Update to version 6.4.5:
* Create version 6.4.5
* CloudWatch: Fix high CPU load (#20579)
- Add obs-service-go_modules to download required modules into vendor.tar.gz
- Adjusted spec file to use vendor.tar.gz
- Adjusted Makefile to work with new filenames
- BuildRequire go1.14
- Update to version 6.4.4:
* DataLinks: Fix blur issues. #19883, @aocenas
* Docker: Makes it possible to parse timezones in the docker image. #20081, @xlson
* LDAP: All LDAP servers should be tried even if one of them returns a connection error. #20077, @jongyllen
* LDAP: No longer shows incorrectly matching groups based on role in debug page. #20018, @xlson
* Singlestat: Fix no data / null value mapping . #19951, @ryantxu
- Revert the spec file and make script
- Remove PhantomJS dependency
- Update to 6.4.3
* Bug Fixes
- Alerting: All notification channels should send even if one fails to send. #19807, @jan25
- AzureMonitor: Fix slate interference with dropdowns. #19799, @aocenas
- ContextMenu: make ContextMenu positioning aware of the viewport width. #19699, @krvajal
- DataLinks: Fix context menu not showing in singlestat-ish visualisations. #19809, @dprokop
- DataLinks: Fix url field not releasing focus. #19804, @aocenas
- Datasource: Fixes clicking outside of some query editors required 2 clicks. #19822, @aocenas
- Panels: Fixes default tab for visualizations without Queries Tab. #19803, @hugohaggmark
- Singlestat: Fixed issue with mapping null to text. #19689, @torkelo
- @grafana/toolkit: Don't fail plugin creation when git user.name config is not set. #19821, @dprokop
- @grafana/toolkit: TSLint line number off by 1. #19782, @fredwangwang
- Update to 6.4.2
* Bug Fixes
- CloudWatch: Changes incorrect dimension wmlid to wlmid . #19679, @ATTron
- Grafana Image Renderer: Fixes plugin page. #19664, @hugohaggmark
- Graph: Fixes auto decimals logic for y axis ticks that results in too many decimals for high values. #19618, @torkelo
- Graph: Switching to series mode should re-render graph. #19623, @torkelo
- Loki: Fix autocomplete on label values. #19579, @aocenas
- Loki: Removes live option for logs panel. #19533, @davkal
- Profile: Fix issue with user profile not showing more than sessions sessions in some cases. #19578, @huynhsamha
- Prometheus: Fixes so results in Panel always are sorted by query order. #19597, @hugohaggmark
- sted keys in YAML provisioning caused a server crash, #19547
- ImageRendering: Fixed issue with image rendering in enterprise build (Enterprise)
- Reporting: Fixed issue with reporting service when STMP was disabled (Enterprise).
- Changes from 6.4.0
* Features / Enhancements
- Build: Upgrade go to 1.12.10. #19499, @marefr
- DataLinks: Suggestions menu improvements. #19396, @dprokop
- Explore: Take root_url setting into account when redirecting from dashboard to explore. #19447, @ivanahuckova
- Explore: Update broken link to logql docs. #19510, @ivanahuckova
- Logs: Adds Logs Panel as a visualization. #19504, @davkal
* Bug Fixes
- CLI: Fix version selection for plugin install. #19498, @aocenas
- Graph: Fixes minor issue with series override color picker and custom color . #19516, @torkelo
- Changes from 6.4.0 Beta 2
* Features / Enhancements
- Azure Monitor: Remove support for cross resource queries (#19115)'. #19346, @sunker
- Docker: Upgrade packages to resolve reported vulnerabilities. #19188, @marefr
- Graphite: Time range expansion reduced from 1 minute to 1 second. #19246, @torkelo
- grafana/toolkit: Add plugin creation task. #19207, @dprokop
* Bug Fixes
- Alerting: Prevents creating alerts from unsupported queries. #19250, @hugohaggmark
- Alerting: Truncate PagerDuty summary when greater than 1024 characters. #18730, @nvllsvm
- Cloudwatch: Fix autocomplete for Gamelift dimensions. #19146, @kevinpz
- Dashboard: Fix export for sharing when panels use default data source. #19315, @torkelo
- Database: Rewrite system statistics query to perform better. #19178, @papagian
- Gauge/BarGauge: Fix issue with [object Object] in titles . #19217, @ryantxu
- MSSQL: Revert usage of new connectionstring format introduced by #18384. #19203, @marefr
- Multi-LDAP: Do not fail-fast on invalid credentials. #19261, @gotjosh
- MySQL, Postgres, MSSQL: Fix validating query with template variables in alert . #19237, @marefr
- MySQL, Postgres: Update raw sql when query builder updates. #19209, @marefr
- MySQL: Limit datasource error details returned from the backend. #19373, @marefr
- Changes from 6.4.0 Beta 1
* Features / Enhancements
- API: Readonly datasources should not be created via the API. #19006, @papagian
- Alerting: Include configured AlertRuleTags in Webhooks notifier. #18233, @dominic-miglar
- Annotations: Add annotations support to Loki. #18949, @aocenas
- Annotations: Use a single row to represent a region. #17673, @ryantxu
- Auth: Allow inviting existing users when login form is disabled. #19048, @548017
- Azure Monitor: Add support for cross resource queries. #19115, @sunker
- CLI: Allow installing custom binary plugins. #17551, @aocenas
- Dashboard: Adds Logs Panel (alpha) as visualization option for Dashboards. #18641, @hugohaggmark
- Dashboard: Reuse query results between panels . #16660, @ryantxu
- Dashboard: Set time to to 23:59:59 when setting To time using calendar. #18595, @simPod
- DataLinks: Add DataLinks support to Gauge, BarGauge and SingleStat2 panel. #18605, @ryantxu
- DataLinks: Enable access to labels & field names. #18918, @torkelo
- DataLinks: Enable multiple data links per panel. #18434, @dprokop
- Docker: switch docker image to alpine base with phantomjs support. #18468, @DanCech
- Elasticsearch: allow templating queries to order by doc_count. #18870, @hackery
- Explore: Add throttling when doing live queries. #19085, @aocenas
- Explore: Adds ability to go back to dashboard, optionally with query changes. #17982, @kaydelaney
- Explore: Reduce default time range to last hour. #18212, @davkal
- Gauge/BarGauge: Support decimals for min/max. #18368, @ryantxu
- Graph: New series override transform constant that renders a single point as a line across the whole graph. #19102, @davkal
- Image rendering: Add deprecation warning when PhantomJS is used for rendering images. #18933, @papagian
- InfluxDB: Enable interpolation within ad-hoc filter values. #18077, @kvc-code
- LDAP: Allow an user to be synchronized against LDAP. #18976, @gotjosh
- Ldap: Add ldap debug page. #18759, @peterholmberg
- Loki: Remove prefetching of default label values. #18213, @davkal
- Metrics: Add failed alert notifications metric. #18089, @koorgoo
- OAuth: Support JMES path lookup when retrieving user email. #14683, @bobmshannon
- OAuth: return GitLab groups as a part of user info (enable team sync). #18388, @alexanderzobnin
- Panels: Add unit for electrical charge - ampere-hour. #18950, @anirudh-ramesh
- Plugin: AzureMonitor - Reapply MetricNamespace support. #17282, @raphaelquati
- Plugins: better warning when plugins fail to load. #18671, @ryantxu
- Postgres: Add support for scram sha 256 authentication. #18397, @nonamef
- RemoteCache: Support SSL with Redis. #18511, @kylebrandt
- SingleStat: The gauge option in now disabled/hidden (unless it's an old panel with it already enabled) . #18610, @ryantxu
- Stackdriver: Add extra alignment period options. #18909, @sunker
- Units: Add South African Rand (ZAR) to currencies. #18893, @jeteon
- Units: Adding T,P,E,Z,and Y bytes. #18706, @chiqomar
* Bug Fixes
- Alerting: Notification is sent when state changes from no_data to ok. #18920, @papagian
- Alerting: fix duplicate alert states when the alert fails to save to the database. #18216, @kylebrandt
- Alerting: fix response popover prompt when add notification channels. #18967, @lzdw
- CloudWatch: Fix alerting for queries with Id (using GetMetricData). #17899, @alex-berger
- Explore: Fix auto completion on label values for Loki. #18988, @aocenas
- Explore: Fixes crash using back button with a zoomed in graph. #19122, @hugohaggmark
- Explore: Fixes so queries in Explore are only run if Graph/Table is shown. #19000, @hugohaggmark
- MSSQL: Change connectionstring to URL format to fix using passwords with semicolon. #18384, @Russiancold
- MSSQL: Fix memory leak when debug enabled. #19049, @briangann
- Provisioning: Allow escaping literal '$' with '$$' in configs to avoid interpolation. #18045, @kylebrandt
- TimePicker: Fixes hiding time picker dropdown in FireFox. #19154, @hugohaggmark
* Breaking changes
+ Annotations
There are some breaking changes in the annotations HTTP API for region annotations. Region annotations are now represented
using a single event instead of two seperate events. Check breaking changes in HTTP API below and HTTP API documentation for more details.
+ Docker
Grafana is now using Alpine 3.10 as docker base image.
+ HTTP API
- GET /api/alert-notifications now requires at least editor access.
New /api/alert-notifications/lookup returns less information than /api/alert-notifications and can be access by any authenticated user.
- GET /api/alert-notifiers now requires at least editor access
- GET /api/org/users now requires org admin role.
New /api/org/users/lookup returns less information than /api/org/users and can be access by users that are org admins,
admin in any folder or admin of any team.
- GET /api/annotations no longer returns regionId property.
- POST /api/annotations no longer supports isRegion property.
- PUT /api/annotations/:id no longer supports isRegion property.
- PATCH /api/annotations/:id no longer supports isRegion property.
- DELETE /api/annotations/region/:id has been removed.
* Deprecation notes
+ PhantomJS
- PhantomJS, which is used for rendering images of dashboards and panels,
is deprecated and will be removed in a future Grafana release.
A deprecation warning will from now on be logged when Grafana starts up if PhantomJS is in use.
Please consider migrating from PhantomJS to the Grafana Image Renderer plugin.
- Changes from 6.3.6
* Features / Enhancements
- Metrics: Adds setting for turning off total stats metrics. #19142, @marefr
* Bug Fixes
- Database: Rewrite system statistics query to perform better. #19178, @papagian
- Explore: Fixes error when switching from prometheus to loki data sources. #18599, @kaydelaney
- Rebase package spec. Use mostly from fedora, fix suse specified things and fix some errors.
- Add missing directories provisioning/datasources and provisioning/notifiers
and sample.yaml as described in packaging/rpm/control from upstream.
Missing directories are shown in logfiles.
- Version 6.3.5
* Upgrades
+ Build: Upgrade to go 1.12.9.
* Bug Fixes
+ Dashboard: Fixes dashboards init failed loading error for dashboards with panel links that had missing properties.
+ Editor: Fixes issue where only entire lines were being copied.
+ Explore: Fixes query field layout in splitted view for Safari browsers.
+ LDAP: multildap + ldap integration.
+ Profile/UserAdmin: Fix for user agent parser crashes grafana-server on 32-bit builds.
+ Prometheus: Prevents panel editor crash when switching to Prometheus datasource.
+ Prometheus: Changes brace-insertion behavior to be less annoying.
- Version 6.3.4
* Security: CVE-2019-15043 - Parts of the HTTP API allow unauthenticated use.
- Version 6.3.3
* Bug Fixes
+ Annotations: Fix failing annotation query when time series query is cancelled. #18532 1, @dprokop 1
+ Auth: Do not set SameSite cookie attribute if cookie_samesite is none. #18462 1, @papagian 3
+ DataLinks: Apply scoped variables to data links correctly. #18454 1, @dprokop 1
+ DataLinks: Respect timezone when displaying datapoint’s timestamp in graph context menu. #18461 2, @dprokop 1
+ DataLinks: Use datapoint timestamp correctly when interpolating variables. #18459 1, @dprokop 1
+ Explore: Fix loading error for empty queries. #18488 1, @davkal
+ Graph: Fixes legend issue clicking on series line icon and issue with horizontal scrollbar being visible on windows. #18563 1, @torkelo 2
+ Graphite: Avoid glob of single-value array variables . #18420, @gotjosh
+ Prometheus: Fix queries with label_replace remove the $1 match when loading query editor. #18480 5, @hugohaggmark 3
+ Prometheus: More consistently allows for multi-line queries in editor. #18362 2, @kaydelaney 2
+ TimeSeries: Assume values are all numbers. #18540 4, @ryantxu
- Version 6.3.2
* Bug Fixes
+ Gauge/BarGauge: Fixes issue with losts thresholds and issue loading Gauge with avg stat. #18375 12
- Version 6.3.1
* Bug Fixes
+ PanelLinks: Fix crash issue Gauge & Bar Gauge for panels with panel links (drill down links). #18430 2
- Version 6.3.0
* Features / Enhancements
+ OAuth: Do not set SameSite OAuth cookie if cookie_samesite is None. #18392 4, @papagian 3
+ Auth Proxy: Include additional headers as part of the cache key. #18298 6, @gotjosh
+ Build grafana images consistently. #18224 12, @hassanfarid
+ Docs: SAML. #18069 11, @gotjosh
+ Permissions: Show plugins in nav for non admin users but hide plugin configuration. #18234 1, @aocenas
+ TimePicker: Increase max height of quick range dropdown. #18247 2, @torkelo 2
+ Alerting: Add tags to alert rules. #10989 13, @Thib17 1
+ Alerting: Attempt to send email notifications to all given email addresses. #16881 1, @zhulongcheng
+ Alerting: Improve alert rule testing. #16286 2, @marefr
+ Alerting: Support for configuring content field for Discord alert notifier. #17017 2, @jan25
+ Alertmanager: Replace illegal chars with underscore in label names. #17002 5, @bergquist 1
+ Auth: Allow expiration of API keys. #17678, @papagian 3
+ Auth: Return device, os and browser when listing user auth tokens in HTTP API. #17504, @shavonn 1
+ Auth: Support list and revoke of user auth tokens in UI. #17434 2, @shavonn 1
+ AzureMonitor: change clashing built-in Grafana variables/macro names for Azure Logs. #17140, @shavonn 1
+ CloudWatch: Made region visible for AWS Cloudwatch Expressions. #17243 2, @utkarshcmu
+ Cloudwatch: Add AWS DocDB metrics. #17241, @utkarshcmu
+ Dashboard: Use timezone dashboard setting when exporting to CSV. #18002 1, @dehrax
+ Data links. #17267 11, @torkelo 2
+ Docker: Switch base image to ubuntu:latest from debian:stretch to avoid security issues… #17066 5, @bergquist 1
+ Elasticsearch: Support for visualizing logs in Explore . #17605 7, @marefr
+ Explore: Adds Live option for supported datasources. #17062 1, @hugohaggmark 3
+ Explore: Adds orgId to URL for sharing purposes. #17895 1, @kaydelaney 2
+ Explore: Adds support for new loki ‘start’ and ‘end’ params for labels endpoint. #17512, @kaydelaney 2
+ Explore: Adds support for toggling raw query mode in explore. #17870, @kaydelaney 2
+ Explore: Allow switching between metrics and logs . #16959 2, @marefr
+ Explore: Combines the timestamp and local time columns into one. #17775, @hugohaggmark 3
+ Explore: Display log lines context . #17097, @dprokop 1
+ Explore: Don’t parse log levels if provided by field or label. #17180 1, @marefr
+ Explore: Improves performance of Logs element by limiting re-rendering. #17685, @kaydelaney 2
+ Explore: Support for new LogQL filtering syntax. #16674 4, @davkal
+ Explore: Use new TimePicker from Grafana/UI. #17793, @hugohaggmark 3
+ Explore: handle newlines in LogRow Highlighter. #17425, @rrfeng 1
+ Graph: Added new fill gradient option. #17528 3, @torkelo 2
+ GraphPanel: Don’t sort series when legend table & sort column is not visible . #17095, @shavonn 1
+ InfluxDB: Support for visualizing logs in Explore. #17450 9, @hugohaggmark 3
+ Logging: Login and Logout actions (#17760). #17883 1, @ATTron
+ Logging: Move log package to pkg/infra. #17023, @zhulongcheng
+ Metrics: Expose stats about roles as metrics. #17469 2, @bergquist 1
+ MySQL/Postgres/MSSQL: Add parsing for day, weeks and year intervals in macros. #13086 6, @bernardd
+ MySQL: Add support for periodically reloading client certs. #14892, @tpetr
+ Plugins: replace dataFormats list with skipDataQuery flag in plugin.json. #16984, @ryantxu
+ Prometheus: Take timezone into account for step alignment. #17477, @fxmiii
+ Prometheus: Use overridden panel range for $__range instead of dashboard range. #17352, @patrick246
+ Prometheus: added time range filter to series labels query. #16851 3, @FUSAKLA
+ Provisioning: Support folder that doesn’t exist yet in dashboard provisioning. #17407 1, @Nexucis
+ Refresh picker: Handle empty intervals. #17585 1, @dehrax
+ Singlestat: Add y min/max config to singlestat sparklines. #17527 4, @pitr
+ Snapshot: use given key and deleteKey. #16876, @zhulongcheng
+ Templating: Correctly display __text in multi-value variable after page reload. #17840 1, @EduardSergeev
+ Templating: Support selecting all filtered values of a multi-value variable. #16873 2, @r66ad
+ Tracing: allow propagation with Zipkin headers. #17009 4, @jrockway
+ Users: Disable users removed from LDAP. #16820 2, @alexanderzobnin
* Bug Fixes
+ PanelLinks: Fix render issue when there is no panel description. #18408 3, @dehrax
+ OAuth: Fix “missing saved state” OAuth login failure due to SameSite cookie policy. #18332 1, @papagian 3
+ cli: fix for recognizing when in dev mode… #18334, @xlson
+ DataLinks: Fixes incorrect interpolation of ${__series_name} . #18251 1, @torkelo 2
+ Loki: Display live tailed logs in correct order in Explore. #18031 3, @kaydelaney 2
+ PhantomJS: Fixes rendering on Debian Buster. #18162 2, @xlson
+ TimePicker: Fixed style issue for custom range popover. #18244, @torkelo 2
+ Timerange: Fixes a bug where custom time ranges didn’t respect UTC. #18248 1, @kaydelaney 2
+ remote_cache: Fix redis connstr parsing. #18204 1, @mblaschke
+ AddPanel: Fix issue when removing moved add panel widget . #17659 2, @dehrax
+ CLI: Fix encrypt-datasource-passwords fails with sql error. #18014, @marefr
+ Elasticsearch: Fix default max concurrent shard requests. #17770 4, @marefr
+ Explore: Fix browsing back to dashboard panel. #17061, @jschill
+ Explore: Fix filter by series level in logs graph. #17798, @marefr
+ Explore: Fix issues when loading and both graph/table are collapsed. #17113, @marefr
+ Explore: Fix selection/copy of log lines. #17121, @marefr
+ Fix: Wrap value of multi variable in array when coming from URL. #16992 1, @aocenas
+ Frontend: Fix for Json tree component not working. #17608, @srid12
+ Graphite: Fix for issue with alias function being moved last. #17791, @torkelo 2
+ Graphite: Fixes issue with seriesByTag & function with variable param. #17795, @torkelo 2
+ Graphite: use POST for /metrics/find requests. #17814 2, @papagian 3
+ HTTP Server: Serve Grafana with a custom URL path prefix. #17048 6, @jan25
+ InfluxDB: Fixes single quotes are not escaped in label value filters. #17398 1, @Panzki
+ Prometheus: Correctly escape ‘|’ literals in interpolated PromQL variables. #16932, @Limess
+ Prometheus: Fix when adding label for metrics which contains colons in Explore. #16760, @tolwi
+ SinglestatPanel: Remove background color when value turns null. #17552 1, @druggieri
- Make phantomjs dependency configurable
- Create plugin directory and clean up (create in %install,
add to %files) handling of /var/lib/grafana/* and
mgr-cfg:
- Remove commented code in test files
- Replace spacewalk-usix with uyuni-common-libs
- Bump version to 4.1.0 (bsc#1154940)
- Add mgr manpage links
mgr-custom-info:
- Bump version to 4.1.0 (bsc#1154940)
mgr-daemon:
- Bump version to 4.1.0 (bsc#1154940)
- Fix systemd timer configuration on SLE12 (bsc#1142038)
mgr-osad:
- Separate osa-dispatcher and jabberd so it can be disabled independently
- Replace spacewalk-usix with uyuni-common-libs
- Bump version to 4.1.0 (bsc#1154940)
- Move /usr/share/rhn/config-defaults to uyuni-base-common
- Require uyuni-base-common for /etc/rhn (for osa-dispatcher)
- Ensure bytes type when using hashlib to avoid traceback (bsc#1138822)
mgr-push:
- Replace spacewalk-usix and spacewalk-backend-libs with uyuni-common-libs
- Bump version to 4.1.0 (bsc#1154940)
mgr-virtualization:
- Replace spacewalk-usix with uyuni-common-libs
- Bump version to 4.1.0 (bsc#1154940)
- Fix mgr-virtualization timer
rhnlib:
- Fix building
- Fix malformed XML response when data contains non-ASCII chars (bsc#1154968)
- Bump version to 4.1.0 (bsc#1154940)
- Fix bootstrapping SLE11SP4 trad client with SSL enabled (bsc#1148177)
spacecmd:
- Only report real error, not result (bsc#1171687)
- Use defined return values for spacecmd methods so scripts can
check for failure (bsc#1171687)
- Disable globbing for api subcommand to allow wildcards in filter
settings (bsc#1163871)
- Bugfix: attempt to purge SSM when it is empty (bsc#1155372)
- Bump version to 4.1.0 (bsc#1154940)
- Prevent error when piping stdout in Python 2 (bsc#1153090)
- Java api expects content as encoded string instead of encoded bytes like before (bsc#1153277)
- Enable building and installing for Ubuntu 16.04 and Ubuntu 18.04
- Add unit test for schedule, errata, user, utils, misc, configchannel
and kickstart modules
- Multiple minor bugfixes alongside the unit tests
- Bugfix: referenced variable before assignment.
- Add unit test for report, package, org, repo and group
spacewalk-client-tools:
- Add workaround for uptime overflow to spacewalk-update-status as well (bsc#1165921)
- Spell correctly 'successful' and 'successfully'
- Skip dmidecode data on aarch64 to prevent coredump (bsc#1113160)
- Replace spacewalk-usix with uyuni-common-libs
- Return a non-zero exit status on errors in rhn_check
- Bump version to 4.1.0 (bsc#1154940)
- Make a explicit requirement to systemd for spacewalk-client-tools
when rhnsd timer is installed
spacewalk-koan:
- Bump version to 4.1.0 (bsc#1154940)
- Require commands we use in merge-rd.sh
spacewalk-oscap:
- Bump version to 4.1.0 (bsc#1154940)
spacewalk-remote-utils:
- Update spacewalk-create-channel with RHEL 7.7 channel definitions
- Bump version to 4.1.0 (bsc#1154940)
supportutils-plugin-susemanager-client:
- Bump version to 4.1.0 (bsc#1154940)
suseRegisterInfo:
- SuseRegisterInfo only needs perl-base, not full perl (bsc#1168310)
- Bump version to 4.1.0 (bsc#1154940)
zypp-plugin-spacewalk:
- Prevent issue with non-ASCII characters in Python 2 systems (bsc#1172462)
ModerateSUSE bug 1113160SUSE bug 1134195SUSE bug 1138822SUSE bug 1141661SUSE bug 1142038SUSE bug 1143913SUSE bug 1148177SUSE bug 1153090SUSE bug 1153277SUSE bug 1154940SUSE bug 1154968SUSE bug 1155372SUSE bug 1163871SUSE bug 1165921SUSE bug 1168310SUSE bug 1170231SUSE bug 1170557SUSE bug 1171687SUSE bug 1172462CVE-2019-10215 at SUSECVE-2019-10215 at NVDCVE-2019-15043 at SUSECVE-2019-15043 at NVDCVE-2020-12245 at SUSECVE-2020-12245 at NVDCVE-2020-13379 at SUSECVE-2020-13379 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xrdp (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xrdp fixes the following issues:
- Security fixes (bsc#1173580, CVE-2020-4044):
+ Add patches:
* xrdp-cve-2020-4044-fix-0.patch
* xrdp-cve-2020-4044-fix-1.patch
+ Rebase SLE patch:
* xrdp-fate318398-change-expired-password.patch
- Update patch:
+ xrdp-Allow-sessions-with-32-bpp.patch.patch
ImportantSUSE bug 1173580CVE-2020-4044 at SUSECVE-2020-4044 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for mailman (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for mailman fixes the following issues:
- CVE-2020-15011: Fixed a possible Arbitrary Content Injection via the private archive login page (bsc#1173369).
ImportantSUSE bug 1173369CVE-2020-15011 at SUSECVE-2020-15011 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for samba (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for samba fixes the following issues:
- CVE-2020-10745: Fixed an issue which parsing and packing of NBT and DNS packets containing dots could potentially have consumed excessive CPU (bsc#1173160).
ModerateSUSE bug 1173160CVE-2020-10745 at SUSECVE-2020-10745 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.28.3 (bsc#1173998):
+ Enable kinetic scrolling with async scrolling.
+ Fix web process hangs on large GitHub pages.
+ Bubblewrap sandbox should not attempt to bind empty paths.
+ Fix threading issues in the media player.
+ Fix several crashes and rendering issues.
+ Security fixes: CVE-2020-9802, CVE-2020-9803, CVE-2020-9805,
CVE-2020-9806, CVE-2020-9807, CVE-2020-9843, CVE-2020-9850,
CVE-2020-13753.
ImportantSUSE bug 1173998CVE-2020-13753 at SUSECVE-2020-13753 at NVDCVE-2020-9802 at SUSECVE-2020-9802 at NVDCVE-2020-9803 at SUSECVE-2020-9803 at NVDCVE-2020-9805 at SUSECVE-2020-9805 at NVDCVE-2020-9806 at SUSECVE-2020-9806 at NVDCVE-2020-9807 at SUSECVE-2020-9807 at NVDCVE-2020-9843 at SUSECVE-2020-9843 at NVDCVE-2020-9850 at SUSECVE-2020-9850 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for grub2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for grub2 fixes the following issues:
- Fix for CVE-2020-10713 (bsc#1168994)
- Fix for CVE-2020-14308 CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
(bsc#1173812)
- Fix for CVE-2020-15706 (bsc#1174463)
- Fix for CVE-2020-15707 (bsc#1174570)
- Use overflow checking primitives where the arithmetic expression for buffer
allocations may include unvalidated data
- Use grub_calloc for overflow check and return NULL when it would occur
- Use gcc-9 compiler for overflow check builtins
- Backport gcc-9 build fixes
- Fix packed-not-aligned error on GCC 8 (bsc#1084632)
ImportantSUSE bug 1084632SUSE bug 1168994SUSE bug 1173812SUSE bug 1174463SUSE bug 1174570CVE-2020-10713 at SUSECVE-2020-10713 at NVDCVE-2020-14308 at SUSECVE-2020-14308 at NVDCVE-2020-14309 at SUSECVE-2020-14309 at NVDCVE-2020-14310 at SUSECVE-2020-14310 at NVDCVE-2020-14311 at SUSECVE-2020-14311 at NVDCVE-2020-15706 at SUSECVE-2020-15706 at NVDCVE-2020-15707 at SUSECVE-2020-15707 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for ghostscript (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for ghostscript fixes the following issues:
- fixed CVE-2020-15900 Memory Corruption (SAFER Sandbox Breakout)
cf. https://bugs.ghostscript.com/show_bug.cgi?id=702582
(bsc#1174415)
ImportantSUSE bug 1174415CVE-2020-15900 at SUSECVE-2020-15900 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.1.0 ESR
* Fixed: Various stability, functionality, and security fixes (bsc#1174538)
* CVE-2020-15652: Potential leak of redirect targets when loading scripts in a worker
* CVE-2020-6514: WebRTC data channel leaks internal address to peer
* CVE-2020-15655: Extension APIs could be used to bypass Same-Origin Policy
* CVE-2020-15653: Bypassing iframe sandbox when allowing popups
* CVE-2020-6463: Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
* CVE-2020-15656: Type confusion for special arguments in IonMonkey
* CVE-2020-15658: Overriding file type when saving to disk
* CVE-2020-15657: DLL hijacking due to incorrect loading path
* CVE-2020-15654: Custom cursor can overlay user interface
* CVE-2020-15659: Memory safety bugs fixed in Firefox 79 and Firefox ESR 78.1
ModerateSUSE bug 1173948SUSE bug 1174538CVE-2020-15652 at SUSECVE-2020-15652 at NVDCVE-2020-15653 at SUSECVE-2020-15653 at NVDCVE-2020-15654 at SUSECVE-2020-15654 at NVDCVE-2020-15655 at SUSECVE-2020-15655 at NVDCVE-2020-15656 at SUSECVE-2020-15656 at NVDCVE-2020-15657 at SUSECVE-2020-15657 at NVDCVE-2020-15658 at SUSECVE-2020-15658 at NVDCVE-2020-15659 at SUSECVE-2020-15659 at NVDCVE-2020-6463 at SUSECVE-2020-6463 at NVDCVE-2020-6514 at SUSECVE-2020-6514 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libX11 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libX11 fixes the following issues:
- Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628)
ImportantSUSE bug 1174628CVE-2020-14344 at SUSECVE-2020-14344 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-BCL
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-10135: Legacy pairing and secure-connections pairing authentication in Bluetooth may have allowed an unauthenticated user to complete authentication without pairing credentials via adjacent access. An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or slave to pair with a previously paired remote device to successfully complete the authentication procedure without knowing the link key (bnc#1171988).
- CVE-2020-10711: A NULL pointer dereference flaw was found in the SELinux subsystem. This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into the SELinux extensible bitmap via the' ebitmap_netlbl_import' routine. This flaw allowed a remote network user to crash the system kernel, resulting in a denial of service (bnc#1171191).
- CVE-2020-10751: A flaw was found in the SELinux LSM hook implementation, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing (bnc#1171189).
- CVE-2019-20812: An issue was discovered in the prb_calc_retire_blk_tmo() function in net/packet/af_packet.c can result in a denial of service (CPU consumption and soft lockup) in a certain failure case involving TPACKET_V3, aka CID-b43d1f9f7067 (bnc#1172453).
- CVE-2020-10732: A flaw was found in the implementation of userspace core dumps. This flaw allowed an attacker with a local account to crash a trivial program and exfiltrate private kernel data (bnc#1171220).
- CVE-2020-0305: In cdev_get of char_dev.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1174462).
- CVE-2020-12771: btree_gc_coalesce in drivers/md/bcache/btree.c had a deadlock if a coalescing operation fails (bnc#1171732).
- CVE-2020-10773: A kernel stack information leak on s390/s390x was fixed (bnc#1172999).
- CVE-2020-14416: A race condition in tty->disc_data handling in the slip and slcan line discipline could lead to a use-after-free, aka CID-0ace17d56824. This affects drivers/net/slip/slip.c and drivers/net/can/slcan.c (bnc#1162002).
- CVE-2020-13974: drivers/tty/vt/keyboard.c had an integer overflow if k_ascii is called several times in a row, aka CID-b86dab054059. (bnc#1172775).
- CVE-2019-20810: go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux kernel did not call snd_card_free for a failure path, which causes a memory leak, aka CID-9453264ef586 (bnc#1172458).
The following non-security bugs were fixed:
- Drivers: hv: Change flag to write log level in panic msg to false (bsc#1170618).
- ibmvnic: Do not process device remove during device reset (bsc#1065729).
- ibmvnic: Do not process reset during or after device removal (bsc#1149652 ltc#179635).
- ibmvnic: Flush existing work items before device removal (bsc#1065729).
- ibmvnic: Harden device login requests (bsc#1170011 ltc#183538).
- ibmvnic: Skip fatal error reset after passive init (bsc#1171078 ltc#184239).
- ibmvnic: Unmap DMA address of TX descriptor buffers after use (bsc#1146351 ltc#180726).
- ibmvnic: continue to init in CRQ reset returns H_CLOSED (bsc#1173280 ltc#185369).
- intel_idle: Graceful probe failure when MWAIT is disabled (bsc#1174115).
- mm, vmstat: reduce zone->lock holding time by /proc/pagetypeinfo (bsc#1164910).
- net/ibmvnic: Fix missing { in __ibmvnic_reset (bsc#1149652 ltc#179635).
- net/ibmvnic: free reset work of removed device from queue (bsc#1149652 ltc#179635).
- net/ibmvnic: prevent more than one thread from running in reset (bsc#1152457 ltc#174432).
- net/ibmvnic: unlock rtnl_lock in reset so linkwatch_event can run (bsc#1152457 ltc#174432).
- udp: drop corrupt packets earlier to avoid data corruption (bsc#1173658).
ImportantSUSE bug 1065729SUSE bug 1146351SUSE bug 1149652SUSE bug 1152457SUSE bug 1162002SUSE bug 1164910SUSE bug 1170011SUSE bug 1170618SUSE bug 1171078SUSE bug 1171189SUSE bug 1171191SUSE bug 1171220SUSE bug 1171732SUSE bug 1171988SUSE bug 1172453SUSE bug 1172458SUSE bug 1172775SUSE bug 1172999SUSE bug 1173280SUSE bug 1173658SUSE bug 1174115SUSE bug 1174462SUSE bug 1174543CVE-2019-20810 at SUSECVE-2019-20810 at NVDCVE-2019-20812 at SUSECVE-2019-20812 at NVDCVE-2020-0305 at SUSECVE-2020-0305 at NVDCVE-2020-10135 at SUSECVE-2020-10135 at NVDCVE-2020-10711 at SUSECVE-2020-10711 at NVDCVE-2020-10732 at SUSECVE-2020-10732 at NVDCVE-2020-10751 at SUSECVE-2020-10751 at NVDCVE-2020-10773 at SUSECVE-2020-10773 at NVDCVE-2020-12771 at SUSECVE-2020-12771 at NVDCVE-2020-13974 at SUSECVE-2020-13974 at NVDCVE-2020-14416 at SUSECVE-2020-14416 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for python-ipaddress (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python-ipaddress fixes the following issues:
- Add CVE-2020-14422-ipaddress-hash-collision.patch fixing
CVE-2020-14422 (bsc#1173274, bpo#41004), where hash collisions
in IPv4Interface and IPv6Interface could lead to DOS.
ImportantSUSE bug 1173274CVE-2020-14422 at SUSECVE-2020-14422 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for LibVNCServer (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for LibVNCServer fixes the following issues:
- security update
fix CVE-2018-21247 [bsc#1173874], uninitialized memory contents are vulnerable to Information leak
fix CVE-2019-20839 [bsc#1173875], buffer overflow in ConnectClientToUnixSock()
fix CVE-2019-20840 [bsc#1173876], unaligned accesses in hybiReadAndDecode can lead to denial of service
fix CVE-2020-14398 [bsc#1173880], improperly closed TCP connection causes an infinite loop in libvncclient/sockets.c
fix CVE-2020-14397 [bsc#1173700], NULL pointer dereference in libvncserver/rfbregion.c
fix CVE-2020-14399 [bsc#1173743], Byte-aligned data is accessed through uint32_t pointers in libvncclient/rfbproto.c.
fix CVE-2020-14400 [bsc#1173691], Byte-aligned data is accessed through uint16_t pointers in libvncserver/translate.c.
fix CVE-2020-14401 [bsc#1173694], potential integer overflows in libvncserver/scale.c
fix CVE-2020-14402 [bsc#1173701], out-of-bounds access via encodings.
fix CVE-2020-14403 [bsc#1173701], out-of-bounds access via encodings.
fix CVE-2020-14404 [bsc#1173701], out-of-bounds access via encodings.
fix CVE-2017-18922 [bsc#1173477], preauth buffer overwrite
ImportantSUSE bug 1173477SUSE bug 1173691SUSE bug 1173694SUSE bug 1173700SUSE bug 1173701SUSE bug 1173743SUSE bug 1173874SUSE bug 1173875SUSE bug 1173876SUSE bug 1173880CVE-2017-18922 at SUSECVE-2017-18922 at NVDCVE-2018-21247 at SUSECVE-2018-21247 at NVDCVE-2019-20839 at SUSECVE-2019-20839 at NVDCVE-2019-20840 at SUSECVE-2019-20840 at NVDCVE-2020-14397 at SUSECVE-2020-14397 at NVDCVE-2020-14398 at SUSECVE-2020-14398 at NVDCVE-2020-14399 at SUSECVE-2020-14399 at NVDCVE-2020-14400 at SUSECVE-2020-14400 at NVDCVE-2020-14401 at SUSECVE-2020-14401 at NVDCVE-2020-14402 at SUSECVE-2020-14402 at NVDCVE-2020-14403 at SUSECVE-2020-14403 at NVDCVE-2020-14404 at SUSECVE-2020-14404 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xen fixes the following issues:
- bsc#1174543 - secure boot related fixes
- bsc#1163019 - CVE-2020-8608: Potential OOB access due to unsafe snprintf() usages
ImportantSUSE bug 1163019SUSE bug 1174543CVE-2020-8608 at SUSECVE-2020-8608 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for dpdk (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for dpdk to version 16.11.9 following issue:
- CVE-2019-14818: Fixed a memory leak vulnerability caused by a malicious container may lead to to denial of service (bsc#1156146).
- CVE-2020-12693: Fixed an authentication bypass via an alternate path or channel (boo#1172004).
- rebuilt with new signing key. (bsc#1174543)
ModerateSUSE bug 1156146SUSE bug 1171477SUSE bug 1171930SUSE bug 1174543CVE-2019-14818 at SUSECVE-2019-14818 at NVDCVE-2020-10722 at SUSECVE-2020-10722 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libX11 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libX11 fixes the following issues:
- Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628).
ImportantSUSE bug 1174628CVE-2020-14344 at SUSECVE-2020-14344 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xerces-c (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xerces-c fixes the following issues:
- CVE-2017-12627: Processing of external DTD paths could have resulted in a
null pointer dereference under certain conditions (bsc#1083630)
ModerateSUSE bug 1083630CVE-2017-12627 at SUSECVE-2017-12627 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.28.4 (bsc#1174662):
+ Fix several crashes and rendering issues.
+ Security fixes: CVE-2020-9862, CVE-2020-9893, CVE-2020-9894,
CVE-2020-9895, CVE-2020-9915, CVE-2020-9925.
ImportantSUSE bug 1174662CVE-2020-9862 at SUSECVE-2020-9862 at NVDCVE-2020-9893 at SUSECVE-2020-9893 at NVDCVE-2020-9894 at SUSECVE-2020-9894 at NVDCVE-2020-9895 at SUSECVE-2020-9895 at NVDCVE-2020-9915 at SUSECVE-2020-9915 at NVDCVE-2020-9925 at SUSECVE-2020-9925 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for dovecot22 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for dovecot22 fixes the following issues:
- CVE-2020-12673: improper implementation of NTLM does not check message buffer size (bsc#1174922).
- CVE-2020-12674: improper implementation of RPA mechanism (bsc#1174923).
ImportantSUSE bug 1174922SUSE bug 1174923CVE-2020-12673 at SUSECVE-2020-12673 at NVDCVE-2020-12674 at SUSECVE-2020-12674 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for grub2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for grub2 fixes the following issues:
- CVE-2020-15705: Fail kernel validation without shim protocol (bsc#1174421).
- Add fibre channel device's ofpath support to grub-ofpathname and search hint to speed up root device discovery (bsc#1172745).
ImportantSUSE bug 1172745SUSE bug 1174421CVE-2020-15705 at SUSECVE-2020-15705 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for samba (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for samba fixes the following issues:
- CVE-2019-14907: Fixed a Server-side crash after charset conversion failure during NTLMSSP processing (bsc#1160888).
ModerateSUSE bug 1160888CVE-2019-14907 at SUSECVE-2019-14907 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xorg-x11-server (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xorg-x11-server fixes the following issues:
- CVE-2020-14347: Leak of uninitialized heap memory from the X server to clients on pixmap allocation (bsc#1174633, ZDI-CAN-11426).
- CVE-2020-14346: XIChangeHierarchy Integer Underflow Privilege Escalation Vulnerability (bsc#1174638, ZDI-CAN-11429).
- CVE-2020-14345: XKB out-of-bounds access privilege escalation vulnerability (bsc#1174635, ZDI-CAN-11428).
ModerateSUSE bug 1174633SUSE bug 1174635SUSE bug 1174638CVE-2020-14345 at SUSECVE-2020-14345 at NVDCVE-2020-14346 at SUSECVE-2020-14346 at NVDCVE-2020-14347 at SUSECVE-2020-14347 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_8_0-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 6 [bsc#1158442, bsc#1154212]
* Security fixes:
CVE-2019-2933 CVE-2019-2945 CVE-2019-2958
CVE-2019-2962 CVE-2019-2964 CVE-2019-2975
CVE-2019-2978 CVE-2019-2983 CVE-2019-2988
CVE-2019-2989 CVE-2019-2992 CVE-2019-2996
CVE-2019-2999 CVE-2019-2973 CVE-2019-2981
CVE-2019-17631
ModerateSUSE bug 1154212SUSE bug 1158442CVE-2019-17631 at SUSECVE-2019-17631 at NVDCVE-2019-2933 at SUSECVE-2019-2933 at NVDCVE-2019-2945 at SUSECVE-2019-2945 at NVDCVE-2019-2958 at SUSECVE-2019-2958 at NVDCVE-2019-2962 at SUSECVE-2019-2962 at NVDCVE-2019-2964 at SUSECVE-2019-2964 at NVDCVE-2019-2973 at SUSECVE-2019-2973 at NVDCVE-2019-2975 at SUSECVE-2019-2975 at NVDCVE-2019-2978 at SUSECVE-2019-2978 at NVDCVE-2019-2981 at SUSECVE-2019-2981 at NVDCVE-2019-2983 at SUSECVE-2019-2983 at NVDCVE-2019-2988 at SUSECVE-2019-2988 at NVDCVE-2019-2989 at SUSECVE-2019-2989 at NVDCVE-2019-2992 at SUSECVE-2019-2992 at NVDCVE-2019-2996 at SUSECVE-2019-2996 at NVDCVE-2019-2999 at SUSECVE-2019-2999 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xorg-x11-server fixes the following issues:
- CVE-2020-14361: Fix XkbSelectEvents() integer underflow (bsc#1174910 ZDI-CAN-11573).
- CVE-2020-14362: Fix XRecordRegisterClients() Integer underflow (bsc#1174913 ZDI-CAN-11574).
ImportantSUSE bug 1174910SUSE bug 1174913CVE-2020-14361 at SUSECVE-2020-14361 at NVDCVE-2020-14362 at SUSECVE-2020-14362 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for apache2 (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for apache2 fixes the following issues:
- CVE-2020-9490: Fixed a crash caused by a specially crafted value for the 'Cache-Digest' header in a HTTP/2 request (bsc#1175071).
- CVE-2020-11985: IP address spoofing when proxying using mod_remoteip and mod_rewrite (bsc#1175072).
- CVE-2020-11993: When trace/debug was enabled for the HTTP/2 module logging statements were made on the wrong connection (bsc#1175070).
ModerateSUSE bug 1175070SUSE bug 1175071SUSE bug 1175072CVE-2020-11985 at SUSECVE-2020-11985 at NVDCVE-2020-11993 at SUSECVE-2020-11993 at NVDCVE-2020-9490 at SUSECVE-2020-9490 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_8_0-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 6 Fix Pack 15 [bsc#1175259, bsc#1174157]
CVE-2020-14577 CVE-2020-14578 CVE-2020-14579 CVE-2020-14581
CVE-2020-14556 CVE-2020-14621 CVE-2020-14593 CVE-2020-14583
CVE-2019-17639
* Class Libraries:
- JAVA.UTIL.ZIP.DEFLATER OPERATIONS THROW JAVA.LANG.INTERNALERROR
- JAVA 8 DECODER OBJECTS CONSUME A LARGE AMOUNT OF JAVA HEAP
- TRANSLATION MESSAGES UPDATE FOR JCL
- UPDATE TIMEZONE INFORMATION TO TZDATA2020A
* Java Virtual Machine:
- IBM JAVA REGISTERS A HANDLER BY DEFAULT FOR SIGABRT
- LARGE MEMORY FOOTPRINT HELD BY TRACECONTEXT OBJECT
* JIT Compiler:
- CRASH IN THE INTERPRETER AFTER OSR FROM INLINED SYNCHRONIZED METHOD
IN DEBUGGING MODE
- INTERMITTENT ASSERTION FAILURE REPORTED
- CRASH IN RESOLVECLASSREF() DURING AOT LOAD
- JIT CRASH DURING CLASS UNLOADING IN J9METHOD_HT::ONCLASSUNLOADING()
- SEGMENTATION FAULT WHILE COMPILING A METHOD
- UNEXPECTED CLASSCASTEXCEPTION THROWN IN HIGH LEVEL PARALLEL
APPLICATION ON IBM Z PLATFORM
* Security:
- CERTIFICATEEXCEPTION OCCURS WHEN FILE.ENCODING PROPERTY SET TO
NON DEFAULT VALUE
- CHANGES TO IBMJCE AND IBMJCEPLUS PROVIDERS
- IBMJCEPLUS FAILS, WHEN THE SECURITY MANAGER IS ENABLED, WITH
DEFAULT PERMISSIONS, SPECIFIED IN JAVA.POLICY FILE
- IN CERTAIN INSTANCES, IBMJCEPLUS PROVIDER THROWS EXCEPTION FROM
KEYFACTORY CLASS
ModerateSUSE bug 1174157SUSE bug 1175259CVE-2019-17639 at SUSECVE-2019-17639 at NVDCVE-2020-14556 at SUSECVE-2020-14556 at NVDCVE-2020-14577 at SUSECVE-2020-14577 at NVDCVE-2020-14578 at SUSECVE-2020-14578 at NVDCVE-2020-14579 at SUSECVE-2020-14579 at NVDCVE-2020-14581 at SUSECVE-2020-14581 at NVDCVE-2020-14583 at SUSECVE-2020-14583 at NVDCVE-2020-14593 at SUSECVE-2020-14593 at NVDCVE-2020-14621 at SUSECVE-2020-14621 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for squid (Critical)SUSE Linux Enterprise Server 12 SP3-BCL
This update for squid fixes the following issues:
- CVE-2020-24606: Fix livelocking in peerDigestHandleReply (bsc#1175671).
- CVE-2020-15811: Improve Transfer-Encoding handling (bsc#1175665).
- CVE-2020-15810: Enforce token characters for field-name (bsc#1175664).
CriticalSUSE bug 1175664SUSE bug 1175665SUSE bug 1175671CVE-2020-15810 at SUSECVE-2020-15810 at NVDCVE-2020-15811 at SUSECVE-2020-15811 at NVDCVE-2020-24606 at SUSECVE-2020-24606 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libX11 (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libX11 fixes the following issues:
- CVE-2020-14363: Fix an integer overflow in init_om() (bsc#1175239).
ModerateSUSE bug 1175239CVE-2020-14363 at SUSECVE-2020-14363 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_7_1-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_7_1-ibm fixes the following issues:
- Update to Java 7.1 Service Refresh 4 Fix Pack 70 [bsc#1175259, bsc#1174157]
CVE-2020-14577 CVE-2020-14578 CVE-2020-14579 CVE-2020-14621
CVE-2020-14593 CVE-2020-14583 CVE-2019-17639
* Class Libraries:
- UPDATE TIMEZONE INFORMATION TO TZDATA2020A
* Security:
- CERTIFICATEEXCEPTION OCCURS WHEN FILE.ENCODING PROPERTY SET TO
NON DEFAULT VALUE
ModerateSUSE bug 1174157SUSE bug 1175259CVE-2019-17639 at SUSECVE-2019-17639 at NVDCVE-2020-14577 at SUSECVE-2020-14577 at NVDCVE-2020-14578 at SUSECVE-2020-14578 at NVDCVE-2020-14579 at SUSECVE-2020-14579 at NVDCVE-2020-14583 at SUSECVE-2020-14583 at NVDCVE-2020-14593 at SUSECVE-2020-14593 at NVDCVE-2020-14621 at SUSECVE-2020-14621 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.2.0 ESR
* Fixed: Various stability, functionality, and security fixes
- Mozilla Firefox ESR 78.2
MFSA 2020-38 (bsc#1175686)
* CVE-2020-15663 (bmo#1643199)
Downgrade attack on the Mozilla Maintenance Service could
have resulted in escalation of privilege
* CVE-2020-15664 (bmo#1658214)
Attacker-induced prompt for extension installation
* CVE-2020-15670 (bmo#1651001, bmo#1651449, bmo#1653626,
bmo#1656957)
Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2
- Fixed Firefox tab crash in FIPS mode (bsc#1174284).
- Fix broken translation-loading. (bsc#1173991)
* allow addon sideloading
* mark signatures for langpacks non-mandatory
* do not autodisable user profile scopes
- Google API key is not usable for geolocation service any more
ModerateSUSE bug 1173991SUSE bug 1174284SUSE bug 1175686CVE-2020-15663 at SUSECVE-2020-15663 at NVDCVE-2020-15664 at SUSECVE-2020-15664 at NVDCVE-2020-15670 at SUSECVE-2020-15670 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-BCL
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-14314: Fixed a potential negative array index in do_split() (bsc#1173798).
- CVE-2020-14331: Fixed a missing check in vgacon scrollback handling (bsc#1174205).
- CVE-2020-16166: Fixed a potential issue which could have allowed remote attackers to make observations that help to obtain sensitive information about the internal state of the network RNG (bsc#1174757).
- CVE-2019-16746: Fixed an improper check of the length of variable elements in a beacon head, leading to a buffer overflow (bsc#1152107).
- CVE-2020-14386: Fixed a potential local privilege escalation via memory corruption (bsc#1176069).
The following non-security bugs were fixed:
- bonding: fix active-backup failover for current ARP slave (bsc#1174771).
- Drivers: hv: vmbus: Only notify Hyper-V for die events that are oops (bsc#1175127).
- ibmvnic: Fix IRQ mapping disposal in error path (bsc#1175112 ltc#187459).
- mm, vmstat: reduce zone->lock holding time by /proc/pagetypeinfo (bsc#1175691).
- ocfs2: add trimfs dlm lock resource (bsc#1175228).
- ocfs2: add trimfs lock to avoid duplicated trims in cluster (bsc#1175228).
- ocfs2: fix the application IO timeout when fstrim is running (bsc#1175228).
ImportantSUSE bug 1152107SUSE bug 1173798SUSE bug 1174205SUSE bug 1174757SUSE bug 1174771SUSE bug 1175112SUSE bug 1175127SUSE bug 1175228SUSE bug 1175691SUSE bug 1176069CVE-2019-16746 at SUSECVE-2019-16746 at NVDCVE-2020-14314 at SUSECVE-2020-14314 at NVDCVE-2020-14331 at SUSECVE-2020-14331 at NVDCVE-2020-14386 at SUSECVE-2020-14386 at NVDCVE-2020-16166 at SUSECVE-2020-16166 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_8_0-openjdk fixes the following issues:
Update java-1_8_0-openjdk to version jdk8u242 (icedtea 3.15.0) (January 2020 CPU, bsc#1160968):
- CVE-2020-2583: Unlink Set of LinkedHashSets
- CVE-2020-2590: Improve Kerberos interop capabilities
- CVE-2020-2593: Normalize normalization for all
- CVE-2020-2601: Better Ticket Granting Services
- CVE-2020-2604: Better serial filter handling
- CVE-2020-2659: Enhance datagram socket support
- CVE-2020-2654: Improve Object Identifier Processing
ImportantSUSE bug 1160968CVE-2020-2583 at SUSECVE-2020-2583 at NVDCVE-2020-2590 at SUSECVE-2020-2590 at NVDCVE-2020-2593 at SUSECVE-2020-2593 at NVDCVE-2020-2601 at SUSECVE-2020-2601 at NVDCVE-2020-2604 at SUSECVE-2020-2604 at NVDCVE-2020-2654 at SUSECVE-2020-2654 at NVDCVE-2020-2659 at SUSECVE-2020-2659 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for tomcat (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for tomcat fixes the following issues:
- CVE-2020-1935: Fixed an HTTP request smuggling vulnerability (bsc#1164860).
- CVE-2020-13935: Fixed a WebSocket DoS (bsc#1174117).
ModerateSUSE bug 1164860SUSE bug 1174117CVE-2020-13935 at SUSECVE-2020-13935 at NVDCVE-2020-1935 at SUSECVE-2020-1935 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for shim (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for shim fixes the following issues:
- Update to the unified shim binary from SUSE Linux Enterprise 15-SP1 (bsc#1168994)
This update addresses the 'BootHole' security issue (master CVE CVE-2020-10713), by
disallowing binaries signed by the previous SUSE UEFI signing key from booting.
This update should only be installed after updates of grub2, the Linux kernel and (if used)
Xen from July / August 2020 are applied.
Additional fixes:
+ shim-install: install MokManager to \EFI\boot to process the pending MOK request (bsc#1175626, bsc#1175656)
ModerateSUSE bug 1168994SUSE bug 1175626SUSE bug 1175656CVE-2020-10713 at SUSECVE-2020-10713 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libsolv (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libsolv fixes the following issues:
This is a reissue of an existing libsolv update that also included libsolv-devel for LTSS products.
libsolv was updated to version 0.6.36 fixes the following issues:
Security issues fixed:
- CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
- CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
- CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).
Non-security issues fixed:
- Made cleandeps jobs on patterns work (bsc#1137977).
- Fixed an issue multiversion packages that obsolete their own name (bsc#1127155).
- Keep consistent package name if there are multiple alternatives (bsc#1131823).
ModerateSUSE bug 1120629SUSE bug 1120630SUSE bug 1120631SUSE bug 1127155SUSE bug 1131823SUSE bug 1137977CVE-2018-20532 at SUSECVE-2018-20532 at NVDCVE-2018-20533 at SUSECVE-2018-20533 at NVDCVE-2018-20534 at SUSECVE-2018-20534 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for perl-DBI (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for perl-DBI fixes the following issues:
Security issues fixed:
- CVE-2020-14392: Memory corruption in XS functions when Perl stack is reallocated (bsc#1176412).
- CVE-2020-14393: Fixed a buffer overflow on an overlong DBD class name (bsc#1176409).
ImportantSUSE bug 1176409SUSE bug 1176412CVE-2020-14392 at SUSECVE-2020-14392 at NVDCVE-2020-14393 at SUSECVE-2020-14393 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python3 fixes the following issues:
- CVE-2019-20907: Fixed denial of service by avoiding possible infinite loop in specifically crafted tarball (bsc#1174091).
- CVE-2020-14422: Fixed an improper computation of hash values in the IPv4Interface and IPv6Interface
could have led to denial of service (bsc#1173274).
- CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238).
- CVE-2019-9947: Fixed an issue in urllib2 which allowed CRLF injection if the attacker controls a url parameter (bsc#1130840).
- If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423).
ImportantSUSE bug 1088004SUSE bug 1088009SUSE bug 1130840SUSE bug 1141853SUSE bug 1149955SUSE bug 1153238SUSE bug 1162423SUSE bug 1173274SUSE bug 1174091SUSE bug 1174701CVE-2018-14647 at SUSECVE-2018-14647 at NVDCVE-2018-20852 at SUSECVE-2018-20852 at NVDCVE-2019-16056 at SUSECVE-2019-16056 at NVDCVE-2019-16935 at SUSECVE-2019-16935 at NVDCVE-2019-20907 at SUSECVE-2019-20907 at NVDCVE-2019-9947 at SUSECVE-2019-9947 at NVDCVE-2020-14422 at SUSECVE-2020-14422 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for samba (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for samba fixes the following issues:
- ZeroLogon: An elevation of privilege was possible with some configurations when an attacker established
a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC)
(CVE-2020-1472, bsc#1176579).
- Fixed an issue where multiple home folders were created(bsc#1174316, bso#13369).
- Fixed an issue where the net command was unable to negotiate SMB2 (bsc#1174120);
ImportantSUSE bug 1174120SUSE bug 1174316SUSE bug 1176579CVE-2020-1472 at SUSECVE-2020-1472 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libqt5-qtbase (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libqt5-qtbase fixes the following issues:
- CVE-2020-17507: Fixed a buffer overflow in XBM parser (bsc#1176315)
- Made handling of XDG_RUNTIME_DIR more secure (bsc#1172515)
ImportantSUSE bug 1172515SUSE bug 1176315CVE-2020-17507 at SUSECVE-2020-17507 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
-Firefox was updated to 78.3.0 ESR (bsc#1176756, MFSA 2020-43)
- CVE-2020-15677: Download origin spoofing via redirect
- CVE-2020-15676: Fixed an XSS when pasting attacker-controlled data into a
contenteditable element
- CVE-2020-15678: When recursing through layers while scrolling, an iterator
may have become invalid, resulting in a potential use-after-free scenario
- CVE-2020-15673: Fixed memory safety bugs
- Enhance fix for wayland-detection (bsc#1174420)
- Attempt to fix langpack-parallelization by introducing separate
obj-dirs for each lang (bsc#1173986, bsc#1167976)
ImportantSUSE bug 1167976SUSE bug 1173986SUSE bug 1174420SUSE bug 1176756CVE-2020-15673 at SUSECVE-2020-15673 at NVDCVE-2020-15676 at SUSECVE-2020-15676 at NVDCVE-2020-15677 at SUSECVE-2020-15677 at NVDCVE-2020-15678 at SUSECVE-2020-15678 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xen fixes the following issues:
- CVE-2020-25604: Fixed a race condition when migrating timers between x86
HVM vCPU-s (bsc#1176343,XSA-336)
- CVE-2020-25595: Fixed an issue where PCI passthrough code was reading back hardware registers (bsc#1176344,XSA-337)
- CVE-2020-25597: Fixed an issue where a valid event channels may not turn invalid (bsc#1176346,XSA-338)
- CVE-2020-25596: Fixed a potential denial of service in x86 pv guest kernel via SYSENTER (bsc#1176345,XSA-339)
- CVE-2020-25603: Fixed an issue due to missing barriers when accessing/allocating an event channel (bsc#1176347,XSA-340)
- CVE-2020-25600: Fixed out of bounds event channels available to 32-bit x86 domains (bsc#1176348,XSA-342)
- CVE-2020-25599: Fixed race conditions with evtchn_reset() (bsc#1176349,XSA-343)
- CVE-2020-25601: Fixed an issue due to lack of preemption in evtchn_reset() / evtchn_destroy() (bsc#1176350,XSA-344)
- CVE-2020-14364: Fixed an out-of-bounds read/write access while processing usb packets (bsc#1175534).
- Various bug fixes (bsc#1027519)
ImportantSUSE bug 1175534SUSE bug 1176343SUSE bug 1176344SUSE bug 1176345SUSE bug 1176346SUSE bug 1176347SUSE bug 1176348SUSE bug 1176349SUSE bug 1176350CVE-2020-14364 at SUSECVE-2020-14364 at NVDCVE-2020-25595 at SUSECVE-2020-25595 at NVDCVE-2020-25596 at SUSECVE-2020-25596 at NVDCVE-2020-25597 at SUSECVE-2020-25597 at NVDCVE-2020-25599 at SUSECVE-2020-25599 at NVDCVE-2020-25600 at SUSECVE-2020-25600 at NVDCVE-2020-25601 at SUSECVE-2020-25601 at NVDCVE-2020-25603 at SUSECVE-2020-25603 at NVDCVE-2020-25604 at SUSECVE-2020-25604 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for perl-DBI (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for perl-DBI fixes the following issues:
- CVE-2019-20919: Fixed a NULL profile dereference in dbi_profile (bsc#1176764).
- CVE-2013-7490: Fixed memory corruption when using many arguments
to methods for CallbacksUsing (bsc#1176496).
ImportantSUSE bug 1176496SUSE bug 1176764CVE-2013-7490 at SUSECVE-2013-7490 at NVDCVE-2019-20919 at SUSECVE-2019-20919 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_7_0-openjdk fixes the following issues:
- java-1_7_0-openjdk was updated to 2.6.23 (July 2020 CPU, bsc#1174157)
- JDK-8028431, CVE-2020-14579: NullPointerException in
- DerValue.equals(DerValue)
- JDK-8028591, CVE-2020-14578: NegativeArraySizeException in
- sun.security.util.DerInputStream.getUnalignedBitString()
- JDK-8230613: Better ASCII conversions
- JDK-8231800: Better listing of arrays
- JDK-8232014: Expand DTD support
- JDK-8233255: Better Swing Buttons
- JDK-8234032: Improve basic calendar services
- JDK-8234042: Better factory production of certificates
- JDK-8234418: Better parsing with CertificateFactory
- JDK-8234836: Improve serialization handling
- JDK-8236191: Enhance OID processing
- JDK-8237592, CVE-2020-14577: Enhance certificate verification
- JDK-8238002, CVE-2020-14581: Better matrix operations
- JDK-8238804: Enhance key handling process
- JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable
- JDK-8238843: Enhanced font handing
- JDK-8238920, CVE-2020-14583: Better Buffer support
- JDK-8238925: Enhance WAV file playback
- JDK-8240119, CVE-2020-14593: Less Affine Transformations
- JDK-8240482: Improved WAV file playback
- JDK-8241379: Update JCEKS support
- JDK-8241522: Manifest improved jar headers redux
- JDK-8242136, CVE-2020-14621: Better XML namespace handling
- JDK-8040113: File not initialized in src/share/native/sun/awt/giflib/dgif_lib.c
- JDK-8054446: Repeated offer and remove on ConcurrentLinkedQueue lead to an OutOfMemoryError
- JDK-8077982: GIFLIB upgrade
- JDK-8081315: 8077982 giflib upgrade breaks system giflib builds with earlier versions
- JDK-8147087: Race when reusing PerRegionTable bitmaps may result in dropped remembered set entries
- JDK-8151582: (ch) test java/nio/channels/AsyncCloseAndInterrupt.java failing due to 'Connection succeeded'
- JDK-8155691: Update GIFlib library to the latest up-to-date
- JDK-8181841: A TSA server returns timestamp with precision higher than milliseconds
- JDK-8203190: SessionId.hashCode generates too many collisions
- JDK-8217676: Upgrade libpng to 1.6.37
- JDK-8220495: Update GIFlib library to the 5.1.8
- JDK-8226892: ActionListeners on JRadioButtons don't get notified when selection is changed with arrow keys
- JDK-8229899: Make java.io.File.isInvalid() less racy
- JDK-8230597: Update GIFlib library to the 5.2.1
- JDK-8230769: BufImg_SetupICM add ReleasePrimitiveArrayCritical call in early return
- JDK-8243541: (tz) Upgrade time-zone data to tzdata2020a
- JDK-8244548: JDK 8u: sun.misc.Version.jdkUpdateVersion() returns wrong result
ImportantSUSE bug 1174157CVE-2020-14577 at SUSECVE-2020-14577 at NVDCVE-2020-14578 at SUSECVE-2020-14578 at NVDCVE-2020-14579 at SUSECVE-2020-14579 at NVDCVE-2020-14581 at SUSECVE-2020-14581 at NVDCVE-2020-14583 at SUSECVE-2020-14583 at NVDCVE-2020-14593 at SUSECVE-2020-14593 at NVDCVE-2020-14621 at SUSECVE-2020-14621 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for tigervnc (Critical)SUSE Linux Enterprise Server 12 SP3-BCL
This update for tigervnc fixes the following issues:
- CVE-2020-26117: Server certificates were stored as certiticate
authorities, allowing malicious owners of these certificates
to impersonate any server after a client had added an exception
(bsc#1176733).
CriticalSUSE bug 1176733CVE-2020-26117 at SUSECVE-2020-26117 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libproxy (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libproxy fixes the following issues:
- CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
- CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).
ImportantSUSE bug 1176410SUSE bug 1177143CVE-2020-25219 at SUSECVE-2020-25219 at NVDCVE-2020-26154 at SUSECVE-2020-26154 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for freetype2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for freetype2 fixes the following issues:
- CVE-2020-15999: fixed a heap buffer overflow found in the handling of embedded PNG bitmaps (bsc#1177914).
ImportantSUSE bug 1177914CVE-2020-15999 at SUSECVE-2020-15999 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for glibc (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for glibc fixes the following issues:
- CVE-2020-10029: Fixed a stack corruption from range reduction of pseudo-zero (bsc#1165784)
- Use posix_spawn on popen (bsc#1149332, bsc#1176013)
- Correct locking and cancellation cleanup in syslog functions (bsc#1172085)
- Fixed concurrent changes on nscd aware files (bsc#1171878)
ModerateSUSE bug 1149332SUSE bug 1165784SUSE bug 1171878SUSE bug 1172085SUSE bug 1176013CVE-2020-10029 at SUSECVE-2020-10029 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.4.0 ESR
* Fixed: Various stability, functionality, and security fixes MFSA 2020-46 (bsc#1177872, bsc#1176756)
* CVE-2020-15969 Use-after-free in usersctp
* CVE-2020-15683 Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4
* Fixed: Fixed legacy preferences not being properly applied when set via GPO
ImportantSUSE bug 1176756SUSE bug 1177872CVE-2020-15683 at SUSECVE-2020-15683 at NVDCVE-2020-15969 at SUSECVE-2020-15969 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for spice (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for spice fixes the following issues:
- CVE-2020-14355: Fixed multiple buffer overflow vulnerabilities in QUIC image decoding (bsc#1177158).
ModerateSUSE bug 1177158CVE-2020-14355 at SUSECVE-2020-14355 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for spice-gtk (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for spice-gtk fixes the following issues:
- CVE-2020-14355: Fixed multiple buffer overflow vulnerabilities in QUIC image decoding (bsc#1177158).
ModerateSUSE bug 1177158CVE-2020-14355 at SUSECVE-2020-14355 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for samba (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for samba fixes the following issues:
- CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records (bsc#1177613).
- CVE-2020-14323: Unprivileged user can crash winbind (bsc#1173994).
- CVE-2020-14318: Missing permissions check in SMB1/2/3 ChangeNotify (bsc#1173902).
ImportantSUSE bug 1173902SUSE bug 1173994SUSE bug 1177613CVE-2020-14318 at SUSECVE-2020-14318 at NVDCVE-2020-14323 at SUSECVE-2020-14323 at NVDCVE-2020-14383 at SUSECVE-2020-14383 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libvirt (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libvirt fixes the following issues:
CVE-2020-15708: Added a note to libvirtd.conf about polkit auth in SUSE distros (bsc#1174955).
CVE-2020-25637: Fixed a double free in qemuAgentGetInterfaces() (bsc#1177155).
ImportantSUSE bug 1174955SUSE bug 1177155CVE-2020-15708 at SUSECVE-2020-15708 at NVDCVE-2020-25637 at SUSECVE-2020-25637 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for sane-backends (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for sane-backends fixes the following issues:
- sane-backends version upgrade to 1.0.31:
* sane-backends version upgrade to 1.0.30
fixes memory corruption bugs CVE-2020-12861, CVE-2020-12862,
CVE-2020-12863, CVE-2020-12864, CVE-2020-12865,
CVE-2020-12866, CVE-2020-12867 (bsc#1172524)
* sane-backends version upgrade to 1.0.31
to further improve hardware enablement for scanner devices
(jsc#SLE-15561 and jsc#SLE-15560 with jsc#ECO-2418)
* The new escl backend cannot be provided for SLE12 because
it requires more additional software (avahi-client, libcurl,
and libpoppler-glib-devel) where in particular for libcurl
the one that is in SLE12 (via libcurl-devel-7.37.0) is likely
too old because with that building the escl backend fails with
'escl/escl.c:1267:34: error: 'CURLOPT_UNIX_SOCKET_PATH'
undeclared curl_easy_setopt(handle, CURLOPT_UNIX_SOCKET_PATH'
ImportantSUSE bug 1172524CVE-2017-6318 at SUSECVE-2017-6318 at NVDCVE-2020-12861 at SUSECVE-2020-12861 at NVDCVE-2020-12862 at SUSECVE-2020-12862 at NVDCVE-2020-12863 at SUSECVE-2020-12863 at NVDCVE-2020-12864 at SUSECVE-2020-12864 at NVDCVE-2020-12865 at SUSECVE-2020-12865 at NVDCVE-2020-12866 at SUSECVE-2020-12866 at NVDCVE-2020-12867 at SUSECVE-2020-12867 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for apache-commons-httpclient (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for apache-commons-httpclient fixes the following issues:
- http/conn/ssl/SSLConnectionSocketFactory.java ignores the
http.socket.timeout configuration setting during an SSL handshake,
which allows remote attackers to cause a denial of service (HTTPS
call hang) via unspecified vectors. [bsc#945190, CVE-2015-5262]
- org.apache.http.conn.ssl.AbstractVerifier does not properly
verify that the server hostname matches a domain name in the
subject's Common Name (CN) or subjectAltName field of the X.509
certificate, which allows MITM attackers to spoof SSL servers
via a 'CN=' string in a field in the distinguished name (DN)
of a certificate. [bsc#1178171, CVE-2014-3577]
ImportantSUSE bug 1178171SUSE bug 945190CVE-2014-3577 at SUSECVE-2014-3577 at NVDCVE-2015-5262 at SUSECVE-2015-5262 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libqt5-qtbase (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libqt5-qtbase fixes the following issues:
Security issues fixed:
- CVE-2020-0569: Fixed a potential local code execution by loading plugins from CWD (bsc#1161167).
- CVE-2018-19870: Fixed an improper check in QImage allocation which could allow Denial of Service
when opening crafted gif files (bsc#1118597).
- CVE-2018-19872: Fixed an issue which could allow a division by zero leading to crash (bsc#1130246).
ImportantSUSE bug 1118597SUSE bug 1130246SUSE bug 1161167CVE-2018-19870 at SUSECVE-2018-19870 at NVDCVE-2018-19872 at SUSECVE-2018-19872 at NVDCVE-2020-0569 at SUSECVE-2020-0569 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_8_0-openjdk fixes the following issues:
- Fix regression '8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)',
introduced in October 2020 CPU.
- Update to version jdk8u272 (icedtea 3.17.0) (July 2020 CPU,
bsc#1174157, and October 2020 CPU, bsc#1177943)
* New features
+ JDK-8245468: Add TLSv1.3 implementation classes from 11.0.7
+ PR3796: Allow the number of curves supported to be specified
* Security fixes
+ JDK-8028431, CVE-2020-14579: NullPointerException in
DerValue.equals(DerValue)
+ JDK-8028591, CVE-2020-14578: NegativeArraySizeException in
sun.security.util.DerInputStream.getUnalignedBitString()
+ JDK-8230613: Better ASCII conversions
+ JDK-8231800: Better listing of arrays
+ JDK-8232014: Expand DTD support
+ JDK-8233255: Better Swing Buttons
+ JDK-8233624: Enhance JNI linkage
+ JDK-8234032: Improve basic calendar services
+ JDK-8234042: Better factory production of certificates
+ JDK-8234418: Better parsing with CertificateFactory
+ JDK-8234836: Improve serialization handling
+ JDK-8236191: Enhance OID processing
+ JDK-8236196: Improve string pooling
+ JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
+ JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior
+ JDK-8237592, CVE-2020-14577: Enhance certificate verification
+ JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
+ JDK-8237995, CVE-2020-14782: Enhance certificate processing
+ JDK-8238002, CVE-2020-14581: Better matrix operations
+ JDK-8238804: Enhance key handling process
+ JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable
+ JDK-8238843: Enhanced font handing
+ JDK-8238920, CVE-2020-14583: Better Buffer support
+ JDK-8238925: Enhance WAV file playback
+ JDK-8240119, CVE-2020-14593: Less Affine Transformations
+ JDK-8240124: Better VM Interning
+ JDK-8240482: Improved WAV file playback
+ JDK-8241114, CVE-2020-14792: Better range handling
+ JDK-8241379: Update JCEKS support
+ JDK-8241522: Manifest improved jar headers redux
+ JDK-8242136, CVE-2020-14621: Better XML namespace handling
+ JDK-8242680, CVE-2020-14796: Improved URI Support
+ JDK-8242685, CVE-2020-14797: Better Path Validation
+ JDK-8242695, CVE-2020-14798: Enhanced buffer support
+ JDK-8243302: Advanced class supports
+ JDK-8244136, CVE-2020-14803: Improved Buffer supports
+ JDK-8244479: Further constrain certificates
+ JDK-8244955: Additional Fix for JDK-8240124
+ JDK-8245407: Enhance zoning of times
+ JDK-8245412: Better class definitions
+ JDK-8245417: Improve certificate chain handling
+ JDK-8248574: Improve jpeg processing
+ JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
+ JDK-8253019: Enhanced JPEG decoding
* Import of OpenJDK 8 u262 build 01
+ JDK-4949105: Access Bridge lacks html tags parsing
+ JDK-8003209: JFR events for network utilization
+ JDK-8030680: 292 cleanup from default method code assessment
+ JDK-8035633: TEST_BUG: java/net/NetworkInterface/Equals.java
and some tests failed on windows intermittently
+ JDK-8041626: Shutdown tracing event
+ JDK-8141056: Erroneous assignment in HeapRegionSet.cpp
+ JDK-8149338: JVM Crash caused by Marlin renderer not handling
NaN coordinates
+ JDK-8151582: (ch) test java/nio/channels/
/AsyncCloseAndInterrupt.java failing due to 'Connection
succeeded'
+ JDK-8165675: Trace event for thread park has incorrect unit
for timeout
+ JDK-8176182: 4 security tests are not run
+ JDK-8178910: Problemlist sample tests
+ JDK-8183925: Decouple crash protection from watcher thread
+ JDK-8191393: Random crashes during cfree+0x1c
+ JDK-8195817: JFR.stop should require name of recording
+ JDK-8195818: JFR.start should increase autogenerated name by
one
+ JDK-8195819: Remove recording=x from jcmd JFR.check output
+ JDK-8199712: Flight Recorder
+ JDK-8202578: Revisit location for class unload events
+ JDK-8202835: jfr/event/os/TestSystemProcess.java fails on
missing events
+ JDK-8203287: Zero fails to build after JDK-8199712 (Flight
Recorder)
+ JDK-8203346: JFR: Inconsistent signature of
jfr_add_string_constant
+ JDK-8203664: JFR start failure after AppCDS archive created
with JFR StartFlightRecording
+ JDK-8203921: JFR thread sampling is missing fixes from
JDK-8194552
+ JDK-8203929: Limit amount of data for JFR.dump
+ JDK-8205516: JFR tool
+ JDK-8207392: [PPC64] Implement JFR profiling
+ JDK-8207829: FlightRecorderMXBeanImpl is leaking the first
classloader which calls it
+ JDK-8209960: -Xlog:jfr* doesn't work with the JFR
+ JDK-8210024: JFR calls virtual is_Java_thread from ~Thread()
+ JDK-8210776: Upgrade X Window System 6.8.2 to the latest XWD
1.0.7
+ JDK-8211239: Build fails without JFR: empty JFR events
signatures mismatch
+ JDK-8212232: Wrong metadata for the configuration of the
cutoff for old object sample events
+ JDK-8213015: Inconsistent settings between JFR.configure and
-XX:FlightRecorderOptions
+ JDK-8213421: Line number information for execution samples
always 0
+ JDK-8213617: JFR should record the PID of the recorded process
+ JDK-8213734: SAXParser.parse(File, ..) does not close
resources when Exception occurs.
+ JDK-8213914: [TESTBUG] Several JFR VM events are not covered
by tests
+ JDK-8213917: [TESTBUG] Shutdown JFR event is not covered by
test
+ JDK-8213966: The ZGC JFR events should be marked as
experimental
+ JDK-8214542: JFR: Old Object Sample event slow on a deep heap
in debug builds
+ JDK-8214750: Unnecessary <p> tags in jfr classes
+ JDK-8214896: JFR Tool left files behind
+ JDK-8214906: [TESTBUG] jfr/event/sampling/TestNative.java
fails with UnsatisfiedLinkError
+ JDK-8214925: JFR tool fails to execute
+ JDK-8215175: Inconsistencies in JFR event metadata
+ JDK-8215237: jdk.jfr.Recording javadoc does not compile
+ JDK-8215284: Reduce noise induced by periodic task
getFileSize()
+ JDK-8215355: Object monitor deadlock with no threads holding
the monitor (using jemalloc 5.1)
+ JDK-8215362: JFR GTest JfrTestNetworkUtilization fails
+ JDK-8215771: The jfr tool should pretty print reference chains
+ JDK-8216064: -XX:StartFlightRecording:settings= doesn't work
properly
+ JDK-8216486: Possibility of integer overflow in
JfrThreadSampler::run()
+ JDK-8216528: test/jdk/java/rmi/transport/
/runtimeThreadInheritanceLeak/
/RuntimeThreadInheritanceLeak.java failing with Xcomp
+ JDK-8216559: [JFR] Native libraries not correctly parsed from
/proc/self/maps
+ JDK-8216578: Remove unused/obsolete method in JFR code
+ JDK-8216995: Clean up JFR command line processing
+ JDK-8217744: [TESTBUG] JFR TestShutdownEvent fails on some
systems due to process surviving SIGINT
+ JDK-8217748: [TESTBUG] Exclude TestSig test case from JFR
TestShutdownEvent
+ JDK-8218935: Make jfr strncpy uses GCC 8.x friendly
+ JDK-8223147: JFR Backport
+ JDK-8223689: Add JFR Thread Sampling Support
+ JDK-8223690: Add JFR BiasedLock Event Support
+ JDK-8223691: Add JFR G1 Region Type Change Event Support
+ JDK-8223692: Add JFR G1 Heap Summary Event Support
+ JDK-8224172: assert(jfr_is_event_enabled(id)) failed:
invariant
+ JDK-8224475: JTextPane does not show images in HTML rendering
+ JDK-8226253: JAWS reports wrong number of radio buttons when
buttons are hidden.
+ JDK-8226779: [TESTBUG] Test JFR API from Java agent
+ JDK-8226892: ActionListeners on JRadioButtons don't get
notified when selection is changed with arrow keys
+ JDK-8227011: Starting a JFR recording in response to JVMTI
VMInit and / or Java agent premain corrupts memory
+ JDK-8227605: Kitchensink fails 'assert((((klass)->trace_id()
& (JfrTraceIdEpoch::leakp_in_use_this_epoch_bit())) != 0))
failed: invariant'
+ JDK-8229366: JFR backport allows unchecked writing to memory
+ JDK-8229401: Fix JFR code cache test failures
+ JDK-8229708: JFR backport code does not initialize
+ JDK-8229873: 8229401 broke jdk8u-jfr-incubator
+ JDK-8230448: [test] JFRSecurityTestSuite.java is failing on
Windows
+ JDK-8230707: JFR related tests are failing
+ JDK-8230782: Robot.createScreenCapture() fails if
'awt.robot.gtk' is set to false
+ JDK-8230856: Java_java_net_NetworkInterface_getByName0 on
unix misses ReleaseStringUTFChars in early return
+ JDK-8230947: TestLookForUntestedEvents.java is failing after
JDK-8230707
+ JDK-8231995: two jtreg tests failed after 8229366 is fixed
+ JDK-8233623: Add classpath exception to copyright in
EventHandlerProxyCreator.java file
+ JDK-8236002: CSR for JFR backport suggests not leaving out
the package-info
+ JDK-8236008: Some backup files were accidentally left in the
hotspot tree
+ JDK-8236074: Missed package-info
+ JDK-8236174: Should update javadoc since tags
+ JDK-8238076: Fix OpenJDK 7 Bootstrap Broken by JFR Backport
+ JDK-8238452: Keytool generates wrong expiration date if
validity is set to 2050/01/01
+ JDK-8238555: Allow Initialization of SunPKCS11 with NSS when
there are external FIPS modules in the NSSDB
+ JDK-8238589: Necessary code cleanup in JFR for JDK8u
+ JDK-8238590: Enable JFR by default during compilation in 8u
+ JDK-8239055: Wrong implementation of VMState.hasListener
+ JDK-8239476: JDK-8238589 broke windows build by moving
OrderedPair
+ JDK-8239479: minimal1 and zero builds are failing
+ JDK-8239867: correct over use of INCLUDE_JFR macro
+ JDK-8240375: Disable JFR by default for July 2020 release
+ JDK-8241444: Metaspace::_class_vsm not initialized if
compressed class pointers are disabled
+ JDK-8241902: AIX Build broken after integration of
JDK-8223147 (JFR Backport)
+ JDK-8242788: Non-PCH build is broken after JDK-8191393
* Import of OpenJDK 8 u262 build 02
+ JDK-8130737: AffineTransformOp can't handle child raster with
non-zero x-offset
+ JDK-8172559: [PIT][TEST_BUG] Move @test to be 1st annotation
in java/awt/image/Raster/TestChildRasterOp.java
+ JDK-8230926: [macosx] Two apostrophes are entered instead of
one with 'U.S. International - PC' layout
+ JDK-8240576: JVM crashes after transformation in C2
IdealLoopTree::merge_many_backedges
+ JDK-8242883: Incomplete backport of JDK-8078268: backport
test part
* Import of OpenJDK 8 u262 build 03
+ JDK-8037866: Replace the Fun class in tests with lambdas
+ JDK-8146612: C2: Precedence edges specification violated
+ JDK-8150986: serviceability/sa/jmap-hprof/
/JMapHProfLargeHeapTest.java failing because expects HPROF
JAVA PROFILE 1.0.1 file format
+ JDK-8229888: (zipfs) Updating an existing zip file does not
preserve original permissions
+ JDK-8230597: Update GIFlib library to the 5.2.1
+ JDK-8230769: BufImg_SetupICM add
ReleasePrimitiveArrayCritical call in early return
+ JDK-8233880, PR3798: Support compilers with multi-digit major
version numbers
+ JDK-8239852: java/util/concurrent tests fail with
-XX:+VerifyGraphEdges: assert(!VerifyGraphEdges) failed:
verification should have failed
+ JDK-8241638: launcher time metrics always report 1 on Linux
when _JAVA_LAUNCHER_DEBUG set
+ JDK-8243059: Build fails when --with-vendor-name contains a
comma
+ JDK-8243474: [TESTBUG] removed three tests of 0 bytes
+ JDK-8244461: [JDK 8u] Build fails with glibc 2.32
+ JDK-8244548: JDK 8u: sun.misc.Version.jdkUpdateVersion()
returns wrong result
* Import of OpenJDK 8 u262 build 04
+ JDK-8067796: (process) Process.waitFor(timeout, unit) doesn't
throw NPE if timeout is less than, or equal to zero when unit
== null
+ JDK-8148886: SEGV in sun.java2d.marlin.Renderer._endRendering
+ JDK-8171934:
ObjectSizeCalculator.getEffectiveMemoryLayoutSpecification()
does not recognize OpenJDK's HotSpot VM
+ JDK-8196969: JTreg Failure:
serviceability/sa/ClhsdbJstack.java causes NPE
+ JDK-8243539: Copyright info (Year) should be updated for fix
of 8241638
+ JDK-8244777: ClassLoaderStats VM Op uses constant hash value
* Import of OpenJDK 8 u262 build 05
+ JDK-7147060: com/sun/org/apache/xml/internal/security/
/transforms/ClassLoaderTest.java doesn't run in agentvm mode
+ JDK-8178374: Problematic ByteBuffer handling in
CipherSpi.bufferCrypt method
+ JDK-8181841: A TSA server returns timestamp with precision
higher than milliseconds
+ JDK-8227269: Slow class loading when running with JDWP
+ JDK-8229899: Make java.io.File.isInvalid() less racy
+ JDK-8236996: Incorrect Roboto font rendering on Windows with
subpixel antialiasing
+ JDK-8241750: x86_32 build failure after JDK-8227269
+ JDK-8244407: JVM crashes after transformation in C2
IdealLoopTree::split_fall_in
+ JDK-8244843: JapanEraNameCompatTest fails
* Import of OpenJDK 8 u262 build 06
+ JDK-8246223: Windows build fails after JDK-8227269
* Import of OpenJDK 8 u262 build 07
+ JDK-8233197: Invert JvmtiExport::post_vm_initialized() and
Jfr:on_vm_start() start-up order for correct option parsing
+ JDK-8243541: (tz) Upgrade time-zone data to tzdata2020a
+ JDK-8245167: Top package in method profiling shows null in JMC
+ JDK-8246703: [TESTBUG] Add test for JDK-8233197
* Import of OpenJDK 8 u262 build 08
+ JDK-8220293: Deadlock in JFR string pool
+ JDK-8225068: Remove DocuSign root certificate that is
expiring in May 2020
+ JDK-8225069: Remove Comodo root certificate that is expiring
in May 2020
* Import of OpenJDK 8 u262 build 09
+ JDK-8248399: Build installs jfr binary when JFR is disabled
* Import of OpenJDK 8 u262 build 10
+ JDK-8248715: New JavaTimeSupplementary localisation for 'in'
installed in wrong package
* Import of OpenJDK 8 u265 build 01
+ JDK-8249677: Regression in 8u after JDK-8237117: Better
ForkJoinPool behavior
+ JDK-8250546: Expect changed behaviour reported in JDK-8249846
* Import of OpenJDK 8 u272 build 01
+ JDK-8006205: [TESTBUG] NEED_TEST: please JTREGIFY
test/compiler/7177917/Test7177917.java
+ JDK-8035493: JVMTI PopFrame capability must instruct
compilers not to prune locals
+ JDK-8036088: Replace strtok() with its safe equivalent
strtok_s() in DefaultProxySelector.c
+ JDK-8039082: [TEST_BUG] Test java/awt/dnd/
/BadSerializationTest/BadSerializationTest.java fails
+ JDK-8075774: Small readability and performance improvements
for zipfs
+ JDK-8132206: move ScanTest.java into OpenJDK
+ JDK-8132376: Add @requires os.family to the client tests with
access to internal OS-specific API
+ JDK-8132745: minor cleanup of java/util/Scanner/ScanTest.java
+ JDK-8137087: [TEST_BUG] Cygwin failure of java/awt/
/appletviewer/IOExceptionIfEncodedURLTest/
/IOExceptionIfEncodedURLTest.sh
+ JDK-8145808: java/awt/Graphics2D/MTGraphicsAccessTest/
/MTGraphicsAccessTest.java hangs on Win. 8
+ JDK-8151788: NullPointerException from ntlm.Client.type3
+ JDK-8151834: Test SmallPrimeExponentP.java times out
intermittently
+ JDK-8153430: jdk regression test MletParserLocaleTest,
ParserInfiniteLoopTest reduce default timeout
+ JDK-8153583: Make OutputAnalyzer.reportDiagnosticSummary
public
+ JDK-8156169: Some sound tests rarely hangs because of
incorrect synchronization
+ JDK-8165936: Potential Heap buffer overflow when seaching
timezone info files
+ JDK-8166148: Fix for JDK-8165936 broke solaris builds
+ JDK-8167300: Scheduling failures during gcm should be fatal
+ JDK-8167615: Opensource unit/regression tests for JavaSound
+ JDK-8172012: [TEST_BUG] delays needed in
javax/swing/JTree/4633594/bug4633594.java
+ JDK-8177628: Opensource unit/regression tests for ImageIO
+ JDK-8183341: Better cleanup for javax/imageio/AllowSearch.java
+ JDK-8183351: Better cleanup for jdk/test/javax/imageio/spi/
/AppletContextTest/BadPluginConfigurationTest.sh
+ JDK-8193137: Nashorn crashes when given an empty script file
+ JDK-8194298: Add support for per Socket configuration of TCP
keepalive
+ JDK-8198004: javax/swing/JFileChooser/6868611/bug6868611.java
throws error
+ JDK-8200313: java/awt/Gtk/GtkVersionTest/GtkVersionTest.java
fails
+ JDK-8210147: adjust some WSAGetLastError usages in windows
network coding
+ JDK-8211714: Need to update vm_version.cpp to recognise
VS2017 minor versions
+ JDK-8214862: assert(proj != __null) at compile.cpp:3251
+ JDK-8217606: LdapContext#reconnect always opens a new
connection
+ JDK-8217647: JFR: recordings on 32-bit systems unreadable
+ JDK-8226697: Several tests which need the @key headful
keyword are missing it.
+ JDK-8229378: jdwp library loader in linker_md.c quietly
truncates on buffer overflow
+ JDK-8230303: JDB hangs when running monitor command
+ JDK-8230711: ConnectionGraph::unique_java_object(Node* N)
return NULL if n is not in the CG
+ JDK-8234617: C1: Incorrect result of field load due to
missing narrowing conversion
+ JDK-8235243: handle VS2017 15.9 and VS2019 in
abstract_vm_version
+ JDK-8235325: build failure on Linux after 8235243
+ JDK-8235687: Contents/MacOS/libjli.dylib cannot be a symlink
+ JDK-8237951: CTW: C2 compilation fails with 'malformed
control flow'
+ JDK-8238225: Issues reported after replacing symlink at
Contents/MacOS/libjli.dylib with binary
+ JDK-8239385: KerberosTicket client name refers wrongly to
sAMAccountName in AD
+ JDK-8239819: XToolkit: Misread of screen information memory
+ JDK-8240295: hs_err elapsed time in seconds is not accurate
enough
+ JDK-8241888: Mirror jdk.security.allowNonCaAnchor system
property with a security one
+ JDK-8242498: Invalid 'sun.awt.TimedWindowEvent' object leads
to JVM crash
+ JDK-8243489: Thread CPU Load event may contain wrong data for
CPU time under certain conditions
+ JDK-8244818: Java2D Queue Flusher crash while moving
application window to external monitor
+ JDK-8246310: Clean commented-out code about ModuleEntry
and PackageEntry in JFR
+ JDK-8246384: Enable JFR by default on supported architectures
for October 2020 release
+ JDK-8248643: Remove extra leading space in JDK-8240295 8u
backport
+ JDK-8249610: Make
sun.security.krb5.Config.getBooleanObject(String... keys)
method public
* Import of OpenJDK 8 u272 build 02
+ JDK-8023697: failed class resolution reports different class
name in detail message for the first and subsequent times
+ JDK-8025886: replace [[ and == bash extensions in regtest
+ JDK-8046274: Removing dependency on jakarta-regexp
+ JDK-8048933: -XX:+TraceExceptions output should include the
message
+ JDK-8076151: [TESTBUG] Test java/awt/FontClass/CreateFont/
/fileaccess/FontFile.java fails
+ JDK-8148854: Class names 'SomeClass' and 'LSomeClass;'
treated by JVM as an equivalent
+ JDK-8154313: Generated javadoc scattered all over the place
+ JDK-8163251: Hard coded loop limit prevents reading of smart
card data greater than 8k
+ JDK-8173300: [TESTBUG]compiler/tiered/NonTieredLevelsTest.java
fails with compiler.whitebox.SimpleTestCaseHelper(int) must be
compiled
+ JDK-8183349: Better cleanup for jdk/test/javax/imageio/
/plugins/shared/CanWriteSequence.java and WriteAfterAbort.java
+ JDK-8191678: [TESTBUG] Add keyword headful in java/awt
FocusTransitionTest test.
+ JDK-8201633: Problems with AES-GCM native acceleration
+ JDK-8211049: Second parameter of 'initialize' method is not
used
+ JDK-8219566: JFR did not collect call stacks when
MaxJavaStackTraceDepth is set to zero
+ JDK-8220165: Encryption using GCM results in
RuntimeException- input length out of bound
+ JDK-8220555: JFR tool shows potentially misleading message
when it cannot access a file
+ JDK-8224217: RecordingInfo should use textual representation
of path
+ JDK-8231779: crash
HeapWord*ParallelScavengeHeap::failed_mem_allocate
+ JDK-8238380, PR3798: java.base/unix/native/libjava/childproc.c
'multiple definition' link errors with GCC10
+ JDK-8238386, PR3798: (sctp) jdk.sctp/unix/native/libsctp/
/SctpNet.c 'multiple definition' link errors with GCC10
+ JDK-8238388, PR3798: libj2gss/NativeFunc.o 'multiple
definition' link errors with GCC10
+ JDK-8242556: Cannot load RSASSA-PSS public key with non-null
params from byte array
+ JDK-8250755: Better cleanup for jdk/test/javax/imageio/
/plugins/shared/CanWriteSequence.java
* Import of OpenJDK 8 u272 build 03
+ JDK-6574989: TEST_BUG:
javax/sound/sampled/Clip/bug5070081.java fails sometimes
+ JDK-8148754: C2 loop unrolling fails due to unexpected graph
shape
+ JDK-8192953: sun/management/jmxremote/bootstrap/*.sh tests
fail with error : revokeall.exe: Permission denied
+ JDK-8203357: Container Metrics
+ JDK-8209113: Use WeakReference for lastFontStrike for created
Fonts
+ JDK-8216283: Allow shorter method sampling interval than 10 ms
+ JDK-8221569: JFR tool produces incorrect output when both
--categories and --events are specified
+ JDK-8233097: Fontmetrics for large Fonts has zero width
+ JDK-8248851: CMS: Missing memory fences between free chunk
check and klass read
+ JDK-8250875: Incorrect parameter type for update_number in
JDK_Version::jdk_update
* Import of OpenJDK 8 u272 build 04
+ JDK-8061616: HotspotDiagnosticMXBean.getVMOption() throws
IllegalArgumentException for flags of type double
+ JDK-8177334: Update xmldsig implementation to Apache
Santuario 2.1.1
+ JDK-8217878: ENVELOPING XML signature no longer works in JDK
11
+ JDK-8218629: XML Digital Signature throws NAMESPACE_ERR
exception on OpenJDK 11, works 8/9/10
+ JDK-8243138: Enhance BaseLdapServer to support starttls
extended request
* Import of OpenJDK 8 u272 build 05
+ JDK-8026236: Add PrimeTest for BigInteger
+ JDK-8057003: Large reference arrays cause extremely long
synchronization times
+ JDK-8060721: Test runtime/SharedArchiveFile/
/LimitSharedSizes.java fails in jdk 9 fcs new
platforms/compiler
+ JDK-8152077: (cal) Calendar.roll does not always roll the
hours during daylight savings
+ JDK-8168517: java/lang/ProcessBuilder/Basic.java failed
+ JDK-8211163: UNIX version of Java_java_io_Console_echo does
not return a clean boolean
+ JDK-8220674: [TESTBUG] MetricsMemoryTester failcount test in
docker container only works with debug JVMs
+ JDK-8231213: Migrate SimpleDateFormatConstTest to JDK Repo
+ JDK-8236645: JDK 8u231 introduces a regression with
incompatible handling of XML messages
+ JDK-8240676: Meet not symmetric failure when running lucene
on jdk8
+ JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA
program
+ JDK-8249158: THREAD_START and THREAD_END event posted in
primordial phase
+ JDK-8250627: Use -XX:+/-UseContainerSupport for
enabling/disabling Java container metrics
+ JDK-8251546: 8u backport of JDK-8194298 breaks AIX and
Solaris builds
+ JDK-8252084: Minimal VM fails to bootcycle: undefined symbol:
AgeTableTracer::is_tenuring_distribution_event_enabled
* Import of OpenJDK 8 u272 build 06
+ JDK-8064319: Need to enable -XX:+TraceExceptions in release
builds
+ JDK-8080462, PR3801: Update SunPKCS11 provider with PKCS11
v2.40 support
+ JDK-8160768: Add capability to custom resolve host/domain
names within the default JNDI LDAP provider
+ JDK-8161973: PKIXRevocationChecker.getSoftFailExceptions()
not working
+ JDK-8169925, PR3801: PKCS #11 Cryptographic Token Interface
license
+ JDK-8184762: ZapStackSegments should use optimized memset
+ JDK-8193234: When using -Xcheck:jni an internally allocated
buffer can leak
+ JDK-8219919: RuntimeStub name lost with
PrintFrameConverterAssembly
+ JDK-8220313: [TESTBUG] Update base image for Docker testing
to OL 7.6
+ JDK-8222079: Don't use memset to initialize fields decode_env
constructor in disassembler.cpp
+ JDK-8225695: 32-bit build failures after JDK-8080462 (Update
SunPKCS11 provider with PKCS11 v2.40 support)
+ JDK-8226575: OperatingSystemMXBean should be made container
aware
+ JDK-8226809: Circular reference in printed stack trace is not
correctly indented & ambiguous
+ JDK-8228835: Memory leak in PKCS11 provider when using AES GCM
+ JDK-8233621: Mismatch in jsse.enableMFLNExtension property
name
+ JDK-8238898, PR3801: Missing hash characters for header on
license file
+ JDK-8243320: Add SSL root certificates to Oracle Root CA
program
+ JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest
release 1.8.26
+ JDK-8245467: Remove 8u TLSv1.2 implementation files
+ JDK-8245469: Remove DTLS protocol implementation
+ JDK-8245470: Fix JDK8 compatibility issues
+ JDK-8245471: Revert JDK-8148188
+ JDK-8245472: Backport JDK-8038893 to JDK8
+ JDK-8245473: OCSP stapling support
+ JDK-8245474: Add TLS_KRB5 cipher suites support according to
RFC-2712
+ JDK-8245476: Disable TLSv1.3 protocol in the ClientHello
message by default
+ JDK-8245477: Adjust TLS tests location
+ JDK-8245653: Remove 8u TLS tests
+ JDK-8245681: Add TLSv1.3 regression test from 11.0.7
+ JDK-8251117: Cannot check P11Key size in P11Cipher and
P11AEADCipher
+ JDK-8251120, PR3793: [8u] HotSpot build assumes ENABLE_JFR is
set to either true or false
+ JDK-8251341: Minimal Java specification change
+ JDK-8251478: Backport TLSv1.3 regression tests to JDK8u
* Import of OpenJDK 8 u272 build 07
+ JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ
* Import of OpenJDK 8 u272 build 08
+ JDK-8062947: Fix exception message to correctly represent
LDAP connection failure
+ JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed
due to timeout on DeadServerNoTimeoutTest is incorrect
+ JDK-8252573: 8u: Windows build failed after 8222079 backport
* Import of OpenJDK 8 u272 build 09
+ JDK-8252886: [TESTBUG] sun/security/ec/TestEC.java :
Compilation failed
* Import of OpenJDK 8 u272 build 10
+ JDK-8254673: Call to JvmtiExport::post_vm_start() was removed
by the fix for JDK-8249158
+ JDK-8254937: Revert JDK-8148854 for 8u272
* Backports
+ JDK-8038723, PR3806: Openup some PrinterJob tests
+ JDK-8041480, PR3806: ArrayIndexOutOfBoundsException when
JTable contains certain string
+ JDK-8058779, PR3805: Faster implementation of
String.replace(CharSequence, CharSequence)
+ JDK-8130125, PR3806: [TEST_BUG] add @modules to the several
client tests unaffected by the automated bulk update
+ JDK-8144015, PR3806: [PIT] failures of text layout font tests
+ JDK-8144023, PR3806: [PIT] failure of text measurements in
javax/swing/text/html/parser/Parser/6836089/bug6836089.java
+ JDK-8144240, PR3806: [macosx][PIT] AIOOB in
closed/javax/swing/text/GlyphPainter2/6427244/bug6427244.java
+ JDK-8145542, PR3806: The case failed automatically and thrown
java.lang.ArrayIndexOutOfBoundsException exception
+ JDK-8151725, PR3806: [macosx] ArrayIndexOOB exception when
displaying Devanagari text in JEditorPane
+ JDK-8152358, PR3800: code and comment cleanups found during
the hunt for 8077392
+ JDK-8152545, PR3804: Use preprocessor instead of compiling a
program to generate native nio constants
+ JDK-8152680, PR3806: Regression in
GlyphVector.getGlyphCharIndex behaviour
+ JDK-8158924, PR3806: Incorrect i18n text document layout
+ JDK-8166003, PR3806: [PIT][TEST_BUG] missing helper for
javax/swing/text/GlyphPainter2/6427244/bug6427244.java
+ JDK-8166068, PR3806: test/java/awt/font/GlyphVector/
/GetGlyphCharIndexTest.java does not compile
+ JDK-8169879, PR3806: [TEST_BUG] javax/swing/text/
/GlyphPainter2/6427244/bug6427244.java - compilation failed
+ JDK-8191512, PR3806: T2K font rasterizer code removal
+ JDK-8191522, PR3806: Remove Bigelow&Holmes Lucida fonts from
JDK sources
+ JDK-8236512, PR3801: PKCS11 Connection closed after
Cipher.doFinal and NoPadding
+ JDK-8254177, PR3809: (tz) Upgrade time-zone data to
tzdata2020b
* Bug fixes
+ PR3798: Fix format-overflow error on GCC 10, caused by
passing NULL to a '%s' directive
+ PR3795: ECDSAUtils for XML digital signatures should support
the same curve set as the rest of the JDK
+ PR3799: Adapt elliptic curve patches to JDK-8245468: Add
TLSv1.3 implementation classes from 11.0.7
+ PR3808: IcedTea does not install the JFR *.jfc files
+ PR3810: Enable JFR on x86 (32-bit) now that JDK-8252096 has
fixed its use with Shenandoah
+ PR3811: Don't attempt to install JFR files when JFR is
disabled
* Shenandoah
+ [backport] 8221435: Shenandoah should not mark through weak
roots
+ [backport] 8221629: Shenandoah: Cleanup class unloading logic
+ [backport] 8222992: Shenandoah: Pre-evacuate all roots
+ [backport] 8223215: Shenandoah: Support verifying subset of
roots
+ [backport] 8223774: Shenandoah: Refactor
ShenandoahRootProcessor and family
+ [backport] 8224210: Shenandoah: Refactor
ShenandoahRootScanner to support scanning CSet codecache roots
+ [backport] 8224508: Shenandoah: Need to update thread roots
in final mark for piggyback ref update cycle
+ [backport] 8224579: ResourceMark not declared in
shenandoahRootProcessor.inline.hpp with
--disable-precompiled-headers
+ [backport] 8224679: Shenandoah: Make
ShenandoahParallelCodeCacheIterator noncopyable
+ [backport] 8224751: Shenandoah: Shenandoah Verifier should
select proper roots according to current GC cycle
+ [backport] 8225014: Separate ShenandoahRootScanner method for
object_iterate
+ [backport] 8225216: gc/logging/TestMetaSpaceLog.java doesn't
work for Shenandoah
+ [backport] 8225573: Shenandoah: Enhance ShenandoahVerifier to
ensure roots to-space invariant
+ [backport] 8225590: Shenandoah: Refactor
ShenandoahClassLoaderDataRoots API
+ [backport] 8226413: Shenandoah: Separate root scanner for
SH::object_iterate()
+ [backport] 8230853: Shenandoah: replace leftover
assert(is_in(...)) with rich asserts
+ [backport] 8231198: Shenandoah: heap walking should visit all
roots most of the time
+ [backport] 8231244: Shenandoah: all-roots heap walking misses
some weak roots
+ [backport] 8237632: Shenandoah: accept NULL fwdptr to
cooperate with JVMTI and JFR
+ [backport] 8239786: Shenandoah: print per-cycle statistics
+ [backport] 8239926: Shenandoah: Shenandoah needs to mark
nmethod's metadata
+ [backport] 8240671: Shenandoah: refactor
ShenandoahPhaseTimings
+ [backport] 8240749: Shenandoah: refactor ShenandoahUtils
+ [backport] 8240750: Shenandoah: remove leftover files and
mentions of ShenandoahAllocTracker
+ [backport] 8240868: Shenandoah: remove CM-with-UR
piggybacking cycles
+ [backport] 8240872: Shenandoah: Avoid updating new regions
from start of evacuation
+ [backport] 8240873: Shenandoah: Short-cut arraycopy barriers
+ [backport] 8240915: Shenandoah: Remove unused fields in init
mark tasks
+ [backport] 8240948: Shenandoah: cleanup not-forwarded-objects
paths after JDK-8240868
+ [backport] 8241007: Shenandoah: remove
ShenandoahCriticalControlThreadPriority support
+ [backport] 8241062: Shenandoah: rich asserts trigger 'empty
statement' inspection
+ [backport] 8241081: Shenandoah: Do not modify
update-watermark concurrently
+ [backport] 8241093: Shenandoah: editorial changes in flag
descriptions
+ [backport] 8241139: Shenandoah: distribute mark-compact work
exactly to minimize fragmentation
+ [backport] 8241142: Shenandoah: should not use parallel
reference processing with single GC thread
+ [backport] 8241351: Shenandoah: fragmentation metrics overhaul
+ [backport] 8241435: Shenandoah: avoid disabling pacing with
'aggressive'
+ [backport] 8241520: Shenandoah: simplify region sequence
numbers handling
+ [backport] 8241534: Shenandoah: region status should include
update watermark
+ [backport] 8241574: Shenandoah: remove
ShenandoahAssertToSpaceClosure
+ [backport] 8241583: Shenandoah: turn heap lock asserts into
macros
+ [backport] 8241668: Shenandoah: make ShenandoahHeapRegion not
derive from ContiguousSpace
+ [backport] 8241673: Shenandoah: refactor anti-false-sharing
padding
+ [backport] 8241675: Shenandoah: assert(n->outcnt() > 0) at
shenandoahSupport.cpp:2858 with
java/util/Collections/FindSubList.java
+ [backport] 8241692: Shenandoah: remove
ShenandoahHeapRegion::_reserved
+ [backport] 8241700: Shenandoah: Fold
ShenandoahKeepAliveBarrier flag into ShenandoahSATBBarrier
+ [backport] 8241740: Shenandoah: remove
ShenandoahHeapRegion::_heap
+ [backport] 8241743: Shenandoah: refactor and inline
ShenandoahHeap::heap()
+ [backport] 8241748: Shenandoah: inline MarkingContext TAMS
methods
+ [backport] 8241838: Shenandoah: no need to trash cset during
final mark
+ [backport] 8241841: Shenandoah: ditch one of allocation type
counters in ShenandoahHeapRegion
+ [backport] 8241842: Shenandoah: inline
ShenandoahHeapRegion::region_number
+ [backport] 8241844: Shenandoah: rename
ShenandoahHeapRegion::region_number
+ [backport] 8241845: Shenandoah: align ShenandoahHeapRegions
to cache lines
+ [backport] 8241926: Shenandoah: only print heap changes for
operations that directly affect it
+ [backport] 8241983: Shenandoah: simplify FreeSet logging
+ [backport] 8241985: Shenandoah: simplify collectable garbage
logging
+ [backport] 8242040: Shenandoah: print allocation failure type
+ [backport] 8242041: Shenandoah: adaptive heuristics should
account evac reserve in free target
+ [backport] 8242042: Shenandoah: tune down
ShenandoahGarbageThreshold
+ [backport] 8242054: Shenandoah: New incremental-update mode
+ [backport] 8242075: Shenandoah: rename
ShenandoahHeapRegionSize flag
+ [backport] 8242082: Shenandoah: Purge Traversal mode
+ [backport] 8242083: Shenandoah: split 'Prepare Evacuation'
tracking into cset/freeset counters
+ [backport] 8242089: Shenandoah: per-worker stats should be
summed up, not averaged
+ [backport] 8242101: Shenandoah: coalesce and parallelise heap
region walks during the pauses
+ [backport] 8242114: Shenandoah: remove
ShenandoahHeapRegion::reset_alloc_metadata_to_shared
+ [backport] 8242130: Shenandoah: Simplify arraycopy-barrier
dispatching
+ [backport] 8242211: Shenandoah: remove
ShenandoahHeuristics::RegionData::_seqnum_last_alloc
+ [backport] 8242212: Shenandoah: initialize
ShenandoahHeuristics::_region_data eagerly
+ [backport] 8242213: Shenandoah: remove
ShenandoahHeuristics::_bytes_in_cset
+ [backport] 8242217: Shenandoah: Enable GC mode to be
diagnostic/experimental and have a name
+ [backport] 8242227: Shenandoah: transit regions to cset state
when adding to collection set
+ [backport] 8242228: Shenandoah: remove unused
ShenandoahCollectionSet methods
+ [backport] 8242229: Shenandoah: inline ShenandoahHeapRegion
liveness-related methods
+ [backport] 8242267: Shenandoah: regions space needs to be
aligned by os::vm_allocation_granularity()
+ [backport] 8242271: Shenandoah: add test to verify GC mode
unlock
+ [backport] 8242273: Shenandoah: accept either SATB or IU
barriers, but not both
+ [backport] 8242301: Shenandoah: Inline LRB runtime call
+ [backport] 8242316: Shenandoah: Turn NULL-check into assert
in SATB slow-path entry
+ [backport] 8242353: Shenandoah: micro-optimize region
liveness handling
+ [backport] 8242365: Shenandoah: use uint16_t instead of
jushort for liveness cache
+ [backport] 8242375: Shenandoah: Remove
ShenandoahHeuristic::record_gc_start/end methods
+ [backport] 8242641: Shenandoah: clear live data and update
TAMS optimistically
+ [backport] 8243238: Shenandoah: explicit GC request should
wait for a complete GC cycle
+ [backport] 8243301: Shenandoah: ditch
ShenandoahAllowMixedAllocs
+ [backport] 8243307: Shenandoah: remove
ShCollectionSet::live_data
+ [backport] 8243395: Shenandoah: demote guarantee in
ShenandoahPhaseTimings::record_workers_end
+ [backport] 8243463: Shenandoah: ditch total_pause counters
+ [backport] 8243464: Shenandoah: print statistic counters in
time order
+ [backport] 8243465: Shenandoah: ditch unused pause_other,
conc_other counters
+ [backport] 8243487: Shenandoah: make _num_phases illegal
phase type
+ [backport] 8243494: Shenandoah: set counters once per cycle
+ [backport] 8243573: Shenandoah: rename GCParPhases and
related code
+ [backport] 8243848: Shenandoah: Windows build fails after
JDK-8239786
+ [backport] 8244180: Shenandoah: carry Phase to
ShWorkerTimingsTracker explicitly
+ [backport] 8244200: Shenandoah: build breakages after
JDK-8241743
+ [backport] 8244226: Shenandoah: per-cycle statistics contain
worker data from previous cycles
+ [backport] 8244326: Shenandoah: global statistics should not
accept bogus samples
+ [backport] 8244509: Shenandoah: refactor
ShenandoahBarrierC2Support::test_* methods
+ [backport] 8244551: Shenandoah: Fix racy update of
update_watermark
+ [backport] 8244667: Shenandoah: SBC2Support::test_gc_state
takes loop for wrong control
+ [backport] 8244730: Shenandoah: gc/shenandoah/options/
/TestHeuristicsUnlock.java should only verify the heuristics
+ [backport] 8244732: Shenandoah: move heuristics code to
gc/shenandoah/heuristics
+ [backport] 8244737: Shenandoah: move mode code to
gc/shenandoah/mode
+ [backport] 8244739: Shenandoah: break superclass dependency
on ShenandoahNormalMode
+ [backport] 8244740: Shenandoah: rename ShenandoahNormalMode
to ShenandoahSATBMode
+ [backport] 8245461: Shenandoah: refine mode name()-s
+ [backport] 8245463: Shenandoah: refine ShenandoahPhaseTimings
constructor arguments
+ [backport] 8245464: Shenandoah: allocate collection set
bitmap at lower addresses
+ [backport] 8245465: Shenandoah: test_in_cset can use more
efficient encoding
+ [backport] 8245726: Shenandoah: lift/cleanup
ShenandoahHeuristics names and properties
+ [backport] 8245754: Shenandoah: ditch ShenandoahAlwaysPreTouch
+ [backport] 8245757: Shenandoah: AlwaysPreTouch should not
disable heap resizing or uncommits
+ [backport] 8245773: Shenandoah: Windows assertion failure
after JDK-8245464
+ [backport] 8245812: Shenandoah: compute root phase parallelism
+ [backport] 8245814: Shenandoah: reconsider format specifiers
for stats
+ [backport] 8245825: Shenandoah: Remove diagnostic flag
ShenandoahConcurrentScanCodeRoots
+ [backport] 8246162: Shenandoah: full GC does not mark code
roots when class unloading is off
+ [backport] 8247310: Shenandoah: pacer should not affect
interrupt status
+ [backport] 8247358: Shenandoah: reconsider free budget slice
for marking
+ [backport] 8247367: Shenandoah: pacer should wait on lock
instead of exponential backoff
+ [backport] 8247474: Shenandoah: Windows build warning after
JDK-8247310
+ [backport] 8247560: Shenandoah: heap iteration holds root
locks all the time
+ [backport] 8247593: Shenandoah: should not block pacing
reporters
+ [backport] 8247751: Shenandoah: options tests should run with
smaller heaps
+ [backport] 8247754: Shenandoah: mxbeans tests can be shorter
+ [backport] 8247757: Shenandoah: split heavy tests by
heuristics to improve parallelism
+ [backport] 8247860: Shenandoah: add update watermark line in
rich assert failure message
+ [backport] 8248041: Shenandoah: pre-Full GC root updates may
miss some roots
+ [backport] 8248652: Shenandoah: SATB buffer handling may
assume no forwarded objects
+ [backport] 8249560: Shenandoah: Fix racy GC request handling
+ [backport] 8249649: Shenandoah: provide per-cycle pacing stats
+ [backport] 8249801: Shenandoah: Clear soft-refs on requested
GC cycle
+ [backport] 8249953: Shenandoah: gc/shenandoah/mxbeans tests
should account for corner cases
+ Fix slowdebug build after JDK-8230853 backport
+ JDK-8252096: Shenandoah: adjust SerialPageShiftCount for
x86_32 and JFR
+ JDK-8252366: Shenandoah: revert/cleanup changes in
graphKit.cpp
+ Shenandoah: add JFR roots to root processor after JFR
integration
+ Shenandoah: add root statistics for string dedup table/queues
+ Shenandoah: enable low-frequency STW class unloading
+ Shenandoah: fix build failures after JDK-8244737 backport
+ Shenandoah: Fix build failure with +JFR -PCH
+ Shenandoah: fix forceful pacer claim
+ Shenandoah: fix formats in
ShenandoahStringSymbolTableUnlinkTask
+ Shenandoah: fix runtime linking failure due to non-compiled
shenandoahBarrierSetC1
+ Shenandoah: hook statistics printing to PrintGCDetails, not
PrintGC
+ Shenandoah: JNI weak roots are always cleared before Full GC
mark
+ Shenandoah: missing SystemDictionary roots in
ShenandoahHeapIterationRootScanner
+ Shenandoah: move barrier sets to their proper locations
+ Shenandoah: move parallelCleaning.* to shenandoah/
+ Shenandoah: pacer should use proper Atomics for intptr_t
+ Shenandoah: properly deallocates class loader metadata
+ Shenandoah: specialize String Table scans for better pause
performance
+ Shenandoah: Zero build fails after recent Atomic cleanup in
Pacer
* AArch64 port
+ JDK-8161072, PR3797: AArch64: jtreg
compiler/uncommontrap/TestDeoptOOM failure
+ JDK-8171537, PR3797: aarch64: compiler/c1/Test6849574.java
generates guarantee failure in C1
+ JDK-8183925, PR3797: [AArch64] Decouple crash protection from
watcher thread
+ JDK-8199712, PR3797: [AArch64] Flight Recorder
+ JDK-8203481, PR3797: Incorrect constraint for unextended_sp
in frame:safe_for_sender
+ JDK-8203699, PR3797: java/lang/invoke/SpecialInterfaceCall
fails with SIGILL on aarch64
+ JDK-8209413, PR3797: AArch64: NPE in clhsdb jstack command
+ JDK-8215961, PR3797: jdk/jfr/event/os/TestCPUInformation.java
fails on AArch64
+ JDK-8216989, PR3797:
CardTableBarrierSetAssembler::gen_write_ref_array_post_barrier()
does not check for zero length on AARCH64
+ JDK-8217368, PR3797: AArch64: C2 recursive stack locking
optimisation not triggered
+ JDK-8221658, PR3797: aarch64: add necessary predicate for
ubfx patterns
+ JDK-8237512, PR3797: AArch64: aarch64TestHook leaks a
BufferBlob
+ JDK-8246482, PR3797: Build failures with +JFR -PCH
+ JDK-8247979, PR3797: aarch64: missing side effect of killing
flags for clearArray_reg_reg
+ JDK-8248219, PR3797: aarch64: missing memory barrier in
fast_storefield and fast_accessfield
- Ignore whitespaces after the header or footer in PEM X.509 cert
(bsc#1171352)
ImportantSUSE bug 1171352SUSE bug 1174157SUSE bug 1177943CVE-2020-14556 at SUSECVE-2020-14556 at NVDCVE-2020-14577 at SUSECVE-2020-14577 at NVDCVE-2020-14578 at SUSECVE-2020-14578 at NVDCVE-2020-14579 at SUSECVE-2020-14579 at NVDCVE-2020-14581 at SUSECVE-2020-14581 at NVDCVE-2020-14583 at SUSECVE-2020-14583 at NVDCVE-2020-14593 at SUSECVE-2020-14593 at NVDCVE-2020-14621 at SUSECVE-2020-14621 at NVDCVE-2020-14779 at SUSECVE-2020-14779 at NVDCVE-2020-14781 at SUSECVE-2020-14781 at NVDCVE-2020-14782 at SUSECVE-2020-14782 at NVDCVE-2020-14792 at SUSECVE-2020-14792 at NVDCVE-2020-14796 at SUSECVE-2020-14796 at NVDCVE-2020-14797 at SUSECVE-2020-14797 at NVDCVE-2020-14798 at SUSECVE-2020-14798 at NVDCVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for gcc10 (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for gcc10 fixes the following issues:
This update provides the GCC10 compiler suite and runtime libraries.
The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by
the gcc10 variants.
The new compiler variants are available with '-10' suffix, you can specify them
via:
CC=gcc-10
CXX=g++-10
or similar commands.
For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html
ModerateSUSE bug 1172798SUSE bug 1172846SUSE bug 1173972SUSE bug 1174753SUSE bug 1174817SUSE bug 1175168CVE-2020-13844 at SUSECVE-2020-13844 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for ucode-intel (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for ucode-intel fixes the following issues:
- Intel CPU Microcode updated to 20201027 prerelease
- CVE-2020-8695: Fixed Intel RAPL sidechannel attack (SGX) (bsc#1170446)
- CVE-2020-8698: Fixed Fast Store Forward Predictor INTEL-SA-00381 (bsc#1173594)
# New Platforms:
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| TGL | B1 | 06-8c-01/80 | | 00000068 | Core Gen11 Mobile
| CPX-SP | A1 | 06-55-0b/bf | | 0700001e | Xeon Scalable Gen3
| CML-H | R1 | 06-a5-02/20 | | 000000e0 | Core Gen10 Mobile
| CML-S62 | G1 | 06-a5-03/22 | | 000000e0 | Core Gen10
| CML-S102 | Q0 | 06-a5-05/22 | | 000000e0 | Core Gen10
| CML-U62 V2 | K0 | 06-a6-01/80 | | 000000e0 | Core Gen10 Mobile
# Updated Platforms:
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| GKL-R | R0 | 06-7a-08/01 | 00000016 | 00000018 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| SKL-U23e | K1 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| APL | D0 | 06-5c-09/03 | 00000038 | 00000040 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
| APL | E0 | 06-5c-0a/03 | 00000016 | 0000001e | Atom x5-E39xx
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000d6 | 000000e2 | Core Gen6; Xeon E3 v5
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3
| SKX-SP | B1 | 06-55-03/97 | 01000157 | 01000159 | Xeon Scalable
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable
| SKX-D | M1 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon D-21xx
| CLX-SP | B0 | 06-55-06/bf | 04002f01 | 04003003 | Xeon Scalable Gen2
| CLX-SP | B1 | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2
| ICL-U/Y | D1 | 06-7e-05/80 | 00000078 | 000000a0 | Core Gen10 Mobile
| AML-Y22 | H0 | 06-8e-09/10 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000d6 | 000000e0 | Core Gen8 Mobile
| WHL-U | W0 | 06-8e-0b/d0 | 000000d6 | 000000de | Core Gen8 Mobile
| AML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| CML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| WHL-U | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000d6 | 000000de | Core Gen7; Xeon E3 v6
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000d6 | 000000de | Core Gen8 Desktop, Mobile, Xeon E
| CFL-S | B0 | 06-9e-0b/02 | 000000d6 | 000000de | Core Gen8
| CFL-H/S | P0 | 06-9e-0c/22 | 000000d6 | 000000de | Core Gen9
| CFL-H | R0 | 06-9e-0d/22 | 000000d6 | 000000de | Core Gen9 Mobile
| CML-U62 | A0 | 06-a6-00/80 | 000000ca | 000000e0 | Core Gen10 Mobile
ModerateSUSE bug 1170446SUSE bug 1173594CVE-2020-8695 at SUSECVE-2020-8695 at NVDCVE-2020-8698 at SUSECVE-2020-8698 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for systemd (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for systemd fixes the following issues:
- CVE-2020-1712 (bsc#bsc#1162108)
Fix a heap use-after-free vulnerability, when asynchronous
Polkit queries were performed while handling Dbus messages. A local
unprivileged attacker could have abused this flaw to crash systemd services or
potentially execute code and elevate their privileges, by sending specially
crafted Dbus messages.
- Unconfirmed fix for prevent hanging of systemctl during restart. (bsc#1139459)
- Fix warnings thrown during package installation. (bsc#1154043)
- Fix for system-udevd prevent crash within OES2018. (bsc#1151506)
- Fragments of masked units ought not be considered for 'NeedDaemonReload'. (bsc#1156482)
- Wait for workers to finish when exiting. (bsc#1106383)
- Improve log message when inotify limit is reached. (bsc#1155574)
- Mention in the man pages that alias names are only effective after command 'systemctl enable'. (bsc#1151377)
- Introduce function for reading virtual files in 'sysfs' and 'procfs'. (bsc#1133495, bsc#1159814)
ImportantSUSE bug 1106383SUSE bug 1133495SUSE bug 1139459SUSE bug 1151377SUSE bug 1151506SUSE bug 1154043SUSE bug 1155574SUSE bug 1156482SUSE bug 1159814SUSE bug 1162108CVE-2020-1712 at SUSECVE-2020-1712 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_7_0-openjdk fixes the following issues:
- Update to 2.6.24 - OpenJDK 7u281 (October 2020 CPU, bsc#1177943)
* Security fixes
+ JDK-8233624: Enhance JNI linkage
+ JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
+ JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
+ JDK-8237995, CVE-2020-14782: Enhance certificate processing
+ JDK-8240124: Better VM Interning
+ JDK-8241114, CVE-2020-14792: Better range handling
+ JDK-8242680, CVE-2020-14796: Improved URI Support
+ JDK-8242685, CVE-2020-14797: Better Path Validation
+ JDK-8242695, CVE-2020-14798: Enhanced buffer support
+ JDK-8243302: Advanced class supports
+ JDK-8244136, CVE-2020-14803: Improved Buffer supports
+ JDK-8244479: Further constrain certificates
+ JDK-8244955: Additional Fix for JDK-8240124
+ JDK-8245407: Enhance zoning of times
+ JDK-8245412: Better class definitions
+ JDK-8245417: Improve certificate chain handling
+ JDK-8248574: Improve jpeg processing
+ JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
+ JDK-8253019: Enhanced JPEG decoding
* Import of OpenJDK 7 u281 build 1
+ JDK-8145096: Undefined behaviour in HotSpot
+ JDK-8215265: C2: range check elimination may allow illegal
out of bound access
* Backports
+ JDK-8250861, PR3812: Crash in MinINode::Ideal(PhaseGVN*, bool)
ImportantSUSE bug 1177943CVE-2020-14779 at SUSECVE-2020-14779 at NVDCVE-2020-14781 at SUSECVE-2020-14781 at NVDCVE-2020-14782 at SUSECVE-2020-14782 at NVDCVE-2020-14792 at SUSECVE-2020-14792 at NVDCVE-2020-14796 at SUSECVE-2020-14796 at NVDCVE-2020-14797 at SUSECVE-2020-14797 at NVDCVE-2020-14798 at SUSECVE-2020-14798 at NVDCVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for openldap2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for openldap2 fixes the following issues:
- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).
ImportantSUSE bug 1178387CVE-2020-25692 at SUSECVE-2020-25692 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.4.1 ESR
* Fixed: Security fix
MFSA 2020-49 (bsc#1178588)
* CVE-2020-26950 (bmo#1675905)
Write side effects in MCallGetProperty opcode not accounted
for
ImportantSUSE bug 1178588CVE-2020-26950 at SUSECVE-2020-26950 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for postgresql, postgresql96, postgresql10 and postgresql12 (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update changes the internal packaging for postgresql, and so contains
all currently maintained postgresql versions across our SUSE Linux Enterprise 12
products.
* postgresql12 is shipped new in version 12.3 (bsc#1171924).
The server and client packages only on SUSE Linux Enterprise Server 12 SP5,
the libraries on SUSE Linux Enterprise Server 12 SP2 LTSS up to 12 SP5.
+ https://www.postgresql.org/about/news/2038/
+ https://www.postgresql.org/docs/12/release-12-3.html
* postgresql10 is updated to 10.13 (bsc#1171924).
On SUSE Linux Enterprise Server 12 SP2 LTSS up to 12 SP5.
+ https://www.postgresql.org/about/news/2038/
+ https://www.postgresql.org/docs/10/release-10-13.html
* postgresql96 is updated to 9.6.18 (bsc#1171924):
+ https://www.postgresql.org/about/news/2038/
+ https://www.postgresql.org/docs/9.6/release-9-6-18.html
On SUSE Linux Enterprise Server 12-SP2 and 12-SP3 LTSS only.
* postgresql 9.4 is updated to 9.4.26:
+ https://www.postgresql.org/about/news/2011/
+ https://www.postgresql.org/docs/9.4/release-9-4-26.html
+ https://www.postgresql.org/about/news/1994/
+ https://www.postgresql.org/docs/9.4/release-9-4-25.html
ModerateSUSE bug 1171924cpe:/o:suse:sles-bcl:12:sp3Security update for raptor (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for raptor fixes the following issues:
- Fixed a heap overflow vulnerability (bsc#1178593, CVE-2017-18926).
- Update raptor to version 2.0.15
* Made several fixes to Turtle / N-Triples family of parsers and serializers
* Added utility functions for re-entrant sorting of objects and sequences.
* Made other fixes and improvements including fixing reported issues:
0000574, 0000575, 0000576, 0000577, 0000579, 0000581 and 0000584.
ImportantSUSE bug 1178593CVE-2017-18926 at SUSECVE-2017-18926 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for kernel-firmware (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for kernel-firmware fixes the following issue:
- CVE-2020-12321: Updated the Intel Bluetooth firmware for buffer overflow security bugs (bsc#1178671).
ImportantSUSE bug 1178671CVE-2020-12321 at SUSECVE-2020-12321 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for krb5 (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for krb5 fixes the following security issue:
- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).
ModerateSUSE bug 1178512CVE-2020-28196 at SUSECVE-2020-28196 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for postgresql10 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for postgresql10 fixes the following issues:
Upgrade to version 10.15:
* CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and
materialized view queries.
* CVE-2020-25694, bsc#1178667:
a) Fix usage of complex connection-string parameters in pg_dump,
pg_restore, clusterdb, reindexdb, and vacuumdb.
b) When psql's \connect command re-uses connection parameters,
ensure that all non-overridden parameters from a previous
connection string are re-used.
* CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from
modifying specially-treated variables.
* https://www.postgresql.org/about/news/2111/
* https://www.postgresql.org/docs/10/release-10-15.html
Update to 10.14:
* CVE-2020-14349, bsc#1175193: Set a secure search_path in
logical replication walsenders and apply workers
* CVE-2020-14350, bsc#1175194: Make contrib modules' installation
scripts more secure.
* https://www.postgresql.org/docs/10/release-10-14.html
ImportantSUSE bug 1175193SUSE bug 1175194SUSE bug 1178666SUSE bug 1178667SUSE bug 1178668CVE-2020-14349 at SUSECVE-2020-14349 at NVDCVE-2020-14350 at SUSECVE-2020-14350 at NVDCVE-2020-25694 at SUSECVE-2020-25694 at NVDCVE-2020-25695 at SUSECVE-2020-25695 at NVDCVE-2020-25696 at SUSECVE-2020-25696 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for postgresql96 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for postgresql96 fixes the following issues:
Upgrade to version 9.6.20:
* CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and
materialized view queries.
* CVE-2020-25694, bsc#1178667:
a) Fix usage of complex connection-string parameters in pg_dump,
pg_restore, clusterdb, reindexdb, and vacuumdb.
b) When psql's \connect command re-uses connection parameters,
ensure that all non-overridden parameters from a previous
connection string are re-used.
* CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from
modifying specially-treated variables.
* https://www.postgresql.org/about/news/2111/
* https://www.postgresql.org/docs/9.6/release-9-6-20.html
Changes from 9.6.19:
* CVE-2020-14350, bsc#1175194: Make contrib modules installation
ImportantSUSE bug 1175194SUSE bug 1178666SUSE bug 1178667SUSE bug 1178668CVE-2020-14350 at SUSECVE-2020-14350 at NVDCVE-2020-25694 at SUSECVE-2020-25694 at NVDCVE-2020-25695 at SUSECVE-2020-25695 at NVDCVE-2020-25696 at SUSECVE-2020-25696 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-BCL
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bug fixes.
The following security bugs were fixed:
- CVE-2020-25705: A flaw in the way reply ICMP packets are limited in was found that allowed to quickly scan open UDP ports. This flaw allowed an off-path remote user to effectively bypassing source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software and services that rely on UDP source port randomization (like DNS) are indirectly affected as well. Kernel versions may be vulnerable to this issue (bsc#1175721, bsc#1178782).
- CVE-2020-25668: Fixed a use-after-free in con_font_op() (bsc#1178123).
- CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).
- CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086).
- CVE-2020-8694: Restricted energy meter to root access (bsc#1170415).
- CVE-2020-12352: Fixed an information leak when processing certain AMP packets aka 'BleedingTooth' (bsc#1177725).
- CVE-2020-25645: Fixed an issue which traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted (bsc#1177511).
- CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011).
- CVE-2020-25212: Fixed A TOCTOU mismatch in the NFS client code which could have been used by local attackers to corrupt memory (bsc#1176381).
- CVE-2020-14390: Fixed an out-of-bounds memory write leading to memory corruption or a denial of service when changing screen size (bnc#1176235).
- CVE-2020-25643: Fixed a memory corruption and a read overflow which could have caused by improper input validation in the ppp_cp_parse_cr function (bsc#1177206).
- CVE-2020-25641: Fixed a zero-length biovec request issued by the block subsystem could have caused the kernel to enter an infinite loop, causing a denial of service (bsc#1177121).
- CVE-2020-26088: Fixed an improper CAP_NET_RAW check in NFC socket creation could have been used by local attackers to create raw sockets, bypassing security mechanisms (bsc#1176990).
- CVE-2020-0432: Fixed an out of bounds write due to an integer overflow (bsc#1176721).
- CVE-2020-0431: Fixed an out of bounds write due to a missing bounds check (bsc#1176722).
- CVE-2020-0427: Fixed an out of bounds read due to a use after free (bsc#1176725).
- CVE-2020-0404: Fixed a linked list corruption due to an unusual root cause (bsc#1176423).
- CVE-2020-25284: Fixed an incomplete permission checking for access to rbd devices, which could have been leveraged by local attackers to map or unmap rbd block devices (bsc#1176482).
- CVE-2019-19063: Fixed two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c, which could have allowed an attacker to cause a denial of service (memory consumption) (bsc#1157298).
- CVE-2019-6133: In PolicyKit (aka polkit), the 'start time' protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions are improperly cached. This is related to lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c (bsc#1121872).
- CVE-2017-18204: Fixed a denial of service in the ocfs2_setattr function of fs/ocfs2/file.c (bnc#1083244).
The following non-security bugs were fixed:
- hv: vmbus: Add timeout to vmbus_wait_for_unload (bsc#1177816).
- hyperv_fb: disable superfluous VERSION_WIN10_V5 case (bsc#1175306).
- hyperv_fb: Update screen_info after removing old framebuffer (bsc#1175306).
- mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa (bsc#1176816).
- net/packet: fix overflow in tpacket_rcv (bsc#1176069).
- ocfs2: give applications more IO opportunities during fstrim (bsc#1175228).
- video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host (bsc#1175306).
- video: hyperv: hyperv_fb: Support deferred IO for Hyper-V frame buffer driver (bsc#1175306).
- video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs (bsc#1175306).
- x86/kexec: Use up-to-dated screen_info copy to fill boot params (bsc#1175306).
- xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen-blkfront: switch kcalloc to kvcalloc for large array allocation (bsc#1160917).
- xen: do not reschedule in preemption off sections (bsc#1175749).
- xen/events: add a new 'late EOI' evtchn framework (XSA-332 bsc#1177411).
- xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411).
- xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410).
- xen/events: block rogue events for some time (XSA-332 bsc#1177411).
- xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411).
- xen/events: do not use chip_data for legacy IRQs (XSA-332 bsc#1065600).
- xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).
- xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411).
- xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411).
- xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information (XSA-332 bsc#1065600).
ImportantSUSE bug 1065600SUSE bug 1083244SUSE bug 1121826SUSE bug 1121872SUSE bug 1157298SUSE bug 1160917SUSE bug 1170415SUSE bug 1175228SUSE bug 1175306SUSE bug 1175721SUSE bug 1175749SUSE bug 1176011SUSE bug 1176069SUSE bug 1176235SUSE bug 1176253SUSE bug 1176278SUSE bug 1176381SUSE bug 1176382SUSE bug 1176423SUSE bug 1176482SUSE bug 1176721SUSE bug 1176722SUSE bug 1176725SUSE bug 1176816SUSE bug 1176896SUSE bug 1176990SUSE bug 1177027SUSE bug 1177086SUSE bug 1177121SUSE bug 1177165SUSE bug 1177206SUSE bug 1177226SUSE bug 1177410SUSE bug 1177411SUSE bug 1177511SUSE bug 1177513SUSE bug 1177725SUSE bug 1177766SUSE bug 1177816SUSE bug 1178123SUSE bug 1178622SUSE bug 1178782CVE-2017-18204 at SUSECVE-2017-18204 at NVDCVE-2019-19063 at SUSECVE-2019-19063 at NVDCVE-2019-6133 at SUSECVE-2019-6133 at NVDCVE-2020-0404 at SUSECVE-2020-0404 at NVDCVE-2020-0427 at SUSECVE-2020-0427 at NVDCVE-2020-0431 at SUSECVE-2020-0431 at NVDCVE-2020-0432 at SUSECVE-2020-0432 at NVDCVE-2020-12352 at SUSECVE-2020-12352 at NVDCVE-2020-14351 at SUSECVE-2020-14351 at NVDCVE-2020-14381 at SUSECVE-2020-14381 at NVDCVE-2020-14390 at SUSECVE-2020-14390 at NVDCVE-2020-25212 at SUSECVE-2020-25212 at NVDCVE-2020-25284 at SUSECVE-2020-25284 at NVDCVE-2020-25641 at SUSECVE-2020-25641 at NVDCVE-2020-25643 at SUSECVE-2020-25643 at NVDCVE-2020-25645 at SUSECVE-2020-25645 at NVDCVE-2020-25656 at SUSECVE-2020-25656 at NVDCVE-2020-25668 at SUSECVE-2020-25668 at NVDCVE-2020-25705 at SUSECVE-2020-25705 at NVDCVE-2020-26088 at SUSECVE-2020-26088 at NVDCVE-2020-8694 at SUSECVE-2020-8694 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for ucode-intel (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for ucode-intel fixes the following issues:
- Updated Intel CPU Microcode to 20201118 official release. (bsc#1178971)
- Removed TGL/06-8c-01/80 due to functional issues with some OEM platforms.
- CVE-2020-8695: Fixed Intel RAPL sidechannel attack (SGX) INTEL-SA-00389 (bsc#1170446)
- CVE-2020-8698: Fixed Fast Store Forward Predictor INTEL-SA-00381 (bsc#1173594)
- CVE-2020-8696: Vector Register Sampling Active INTEL-SA-00381 (bsc#1173592)
- Release notes:
- Security updates for [INTEL-SA-00381](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00381.html).
- Security updates for [INTEL-SA-00389](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html).
- Update for functional issues. Refer to [Second Generation Intel? Xeon? Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/338848) for details.
- Update for functional issues. Refer to [Intel? Xeon? Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/613537) for details.
- Update for functional issues. Refer to [Intel? Xeon? Processor E5 v3 Product Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html?wapkw=processor+spec+update+e5) for details.
- Update for functional issues. Refer to [10th Gen Intel? Core™ Processor Families Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/10th-gen-core-families-specification-update.html) for details.
- Update for functional issues. Refer to [8th and 9th Gen Intel? Core™ Processor Family Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/8th-gen-core-spec-update.html) for details.
- Update for functional issues. Refer to [7th Gen and 8th Gen (U Quad-Core) Intel? Processor Families Specification Update](https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-spec-update.html) for details.
- Update for functional issues. Refer to [6th Gen Intel? Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/332689) for details.
- Update for functional issues. Refer to [Intel? Xeon? E3-1200 v6 Processor Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v6-spec-update.html) for details.
- Update for functional issues. Refer to [Intel? Xeon? E-2100 and E-2200 Processor Family Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-e-2100-specification-update.html) for details.
### New Platforms
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| CPX-SP | A1 | 06-55-0b/bf | | 0700001e | Xeon Scalable Gen3
| LKF | B2/B3 | 06-8a-01/10 | | 00000028 | Core w/Hybrid Technology
| TGL | B1 | 06-8c-01/80 | | 00000068 | Core Gen11 Mobile
| CML-H | R1 | 06-a5-02/20 | | 000000e0 | Core Gen10 Mobile
| CML-S62 | G1 | 06-a5-03/22 | | 000000e0 | Core Gen10
| CML-S102 | Q0 | 06-a5-05/22 | | 000000e0 | Core Gen10
| CML-U62 V2 | K0 | 06-a6-01/80 | | 000000e0 | Core Gen10 Mobile
### Updated Platforms
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| SKL-U23e | K1 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| SKX-SP | B1 | 06-55-03/97 | 01000157 | 01000159 | Xeon Scalable
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable
| SKX-D | M1 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon D-21xx
| CLX-SP | B0 | 06-55-06/bf | 04002f01 | 04003003 | Xeon Scalable Gen2
| CLX-SP | B1 | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2
| APL | D0 | 06-5c-09/03 | 00000038 | 00000040 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
| APL | E0 | 06-5c-0a/03 | 00000016 | 0000001e | Atom x5-E39xx
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000d6 | 000000e2 | Core Gen6; Xeon E3 v5
| GKL-R | R0 | 06-7a-08/01 | 00000016 | 00000018 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| ICL-U/Y | D1 | 06-7e-05/80 | 00000078 | 000000a0 | Core Gen10 Mobile
| AML-Y22 | H0 | 06-8e-09/10 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000d6 | 000000e0 | Core Gen8 Mobile
| WHL-U | W0 | 06-8e-0b/d0 | 000000d6 | 000000de | Core Gen8 Mobile
| AML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| CML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| WHL-U | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000d6 | 000000de | Core Gen7; Xeon E3 v6
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000d6 | 000000de | Core Gen8 Desktop, Mobile, Xeon E
| CFL-S | B0 | 06-9e-0b/02 | 000000d6 | 000000de | Core Gen8
| CFL-H/S | P0 | 06-9e-0c/22 | 000000d6 | 000000de | Core Gen9
| CFL-H | R0 | 06-9e-0d/22 | 000000d6 | 000000de | Core Gen9 Mobile
| CML-U62 | A0 | 06-a6-00/80 | 000000ca | 000000e0 | Core Gen10 Mobile
ModerateSUSE bug 1170446SUSE bug 1173592SUSE bug 1173594SUSE bug 1178971CVE-2020-8695 at SUSECVE-2020-8695 at NVDCVE-2020-8696 at SUSECVE-2020-8696 at NVDCVE-2020-8698 at SUSECVE-2020-8698 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for bluez (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for bluez fixes the following issues:
- CVE-2020-0556: Fixed improper access control which may lead to escalation of privilege and denial of service by an unauthenticated user (bsc#1166751).
ImportantSUSE bug 1166751CVE-2020-0556 at SUSECVE-2020-0556 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.5.0 ESR (bsc#1178824)
* CVE-2020-26951: Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code
* CVE-2020-16012: Variable time processing of cross-origin images during drawImage calls
* CVE-2020-26953: Fullscreen could be enabled without displaying the security UI
* CVE-2020-26956: XSS through paste (manual and clipboard API)
* CVE-2020-26958: Requests intercepted through ServiceWorkers lacked MIME type restrictions
* CVE-2020-26959: Use-after-free in WebRequestService
* CVE-2020-26960: Potential use-after-free in uses of nsTArray
* CVE-2020-15999: Heap buffer overflow in freetype
* CVE-2020-26961: DoH did not filter IPv4 mapped IP Addresses
* CVE-2020-26965: Software keyboards may have remembered typed passwords
* CVE-2020-26966: Single-word search queries were also broadcast to local network
* CVE-2020-26968: Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5
ImportantSUSE bug 1178824CVE-2020-15999 at SUSECVE-2020-15999 at NVDCVE-2020-16012 at SUSECVE-2020-16012 at NVDCVE-2020-26951 at SUSECVE-2020-26951 at NVDCVE-2020-26953 at SUSECVE-2020-26953 at NVDCVE-2020-26956 at SUSECVE-2020-26956 at NVDCVE-2020-26958 at SUSECVE-2020-26958 at NVDCVE-2020-26959 at SUSECVE-2020-26959 at NVDCVE-2020-26960 at SUSECVE-2020-26960 at NVDCVE-2020-26961 at SUSECVE-2020-26961 at NVDCVE-2020-26965 at SUSECVE-2020-26965 at NVDCVE-2020-26966 at SUSECVE-2020-26966 at NVDCVE-2020-26968 at SUSECVE-2020-26968 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for LibVNCServer (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for LibVNCServer fixes the following issues:
- CVE-2020-25708 [bsc#1178682], libvncserver/rfbserver.c has a divide by zero which could result in DoS
ImportantSUSE bug 1178682CVE-2020-25708 at SUSECVE-2020-25708 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xorg-x11-server fixes the following issues:
- CVE-2020-25712: Fixed a heap-based buffer overflow which could have led to privilege escalation (bsc#1177596).
- CVE-2020-14360: Fixed an out of bounds memory accesses on too short request which could lead to denial of service (bsc#1174908).
ImportantSUSE bug 1174908SUSE bug 1177596CVE-2020-14360 at SUSECVE-2020-14360 at NVDCVE-2020-25712 at SUSECVE-2020-25712 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for python-setuptools (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python-setuptools fixes the following issues:
- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)
ImportantSUSE bug 1176262CVE-2019-20916 at SUSECVE-2019-20916 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python3 fixes the following issues:
- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)
ImportantSUSE bug 1176262CVE-2019-20916 at SUSECVE-2019-20916 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for gdm (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for gdm fixes the following issues:
- CVE-2020-16125: Fixed a privilege escalation (bsc#1178150).
ImportantSUSE bug 1178150CVE-2020-16125 at SUSECVE-2020-16125 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for python-cryptography (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python-cryptography fixes the following issues:
- CVE-2020-25659: Attempted to mitigate Bleichenbacher attacks on RSA decryption (bsc#1178168).
ModerateSUSE bug 1178168CVE-2020-25659 at SUSECVE-2020-25659 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for postgresql12 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for postgresql12 fixes the following issues:
Upgrade to version 12.5:
* CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and
materialized view queries.
* CVE-2020-25694, bsc#1178667:
a) Fix usage of complex connection-string parameters in pg_dump,
pg_restore, clusterdb, reindexdb, and vacuumdb.
b) When psql's \connect command re-uses connection parameters,
ensure that all non-overridden parameters from a previous
connection string are re-used.
* CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from
modifying specially-treated variables.
* Fix recently-added timetz test case so it works when the USA
is not observing daylight savings time.
(obsoletes postgresql-timetz.patch)
* https://www.postgresql.org/about/news/2111/
* https://www.postgresql.org/docs/12/release-12-5.html
The previous postgresql12 update already addressed:
Update to 12.4:
* CVE-2020-14349, bsc#1175193: Set a secure search_path in logical replication walsenders and apply workers
* CVE-2020-14350, bsc#1175194: Make contrib modules' installation scripts more secure.
* https://www.postgresql.org/docs/12/release-12-4.html
ImportantSUSE bug 1175193SUSE bug 1175194SUSE bug 1178666SUSE bug 1178667SUSE bug 1178668CVE-2020-14349 at SUSECVE-2020-14349 at NVDCVE-2020-14350 at SUSECVE-2020-14350 at NVDCVE-2020-25694 at SUSECVE-2020-25694 at NVDCVE-2020-25695 at SUSECVE-2020-25695 at NVDCVE-2020-25696 at SUSECVE-2020-25696 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xen fixes the following issues:
- bsc#1178963 - stack corruption from XSA-346 change (XSA-355)
- bsc#1177409 - CVE-2020-27674: x86 PV guest INVLPG-like flushes may leave stale TLB entries (XSA-286)
- bsc#1177412 - CVE-2020-27672: Race condition in Xen mapping code (XSA-345)
- bsc#1177413 - CVE-2020-27671: undue deferral of IOMMU TLB flushes (XSA-346)
- bsc#1177414 - CVE-2020-27670: unsafe AMD IOMMU page table updates (XSA-347)
- bsc#1178591 - CVE-2020-28368: Intel RAPL sidechannel attack aka PLATYPUS attack aka XSA-351
ImportantSUSE bug 1177409SUSE bug 1177412SUSE bug 1177413SUSE bug 1177414SUSE bug 1178591SUSE bug 1178963CVE-2020-27670 at SUSECVE-2020-27670 at NVDCVE-2020-27671 at SUSECVE-2020-27671 at NVDCVE-2020-27672 at SUSECVE-2020-27672 at NVDCVE-2020-27674 at SUSECVE-2020-27674 at NVDCVE-2020-28368 at SUSECVE-2020-28368 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for mutt (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for mutt fixes the following issues:
- Find and display the content of messages properly. (bsc#1179461)
- CVE-2020-28896: incomplete connection termination could send credentials over unencrypted connections. (bsc#1179035)
- Avoid that message with a million tiny parts can freeze MUA for several minutes. (bsc#1179113)
ImportantSUSE bug 1179035SUSE bug 1179113SUSE bug 1179461CVE-2020-28896 at SUSECVE-2020-28896 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for dbus-1 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for dbus-1 fixes the following issues:
Security issue fixed:
- CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which
could have allowed local attackers to bypass authentication (bsc#1137832).
ImportantSUSE bug 1137832CVE-2019-12749 at SUSECVE-2019-12749 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for openssl (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for openssl fixes the following issues:
- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).
ImportantSUSE bug 1179491CVE-2020-1971 at SUSECVE-2020-1971 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for python (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python fixes the following issues:
- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)
ImportantSUSE bug 1176262CVE-2019-20916 at SUSECVE-2019-20916 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 68.5.0 ESR
* CVE-2020-6796 (bmo#1610426)
Missing bounds check on shared memory read in the parent
process
* CVE-2020-6797 (bmo#1596668)
Extensions granted downloads.open permission could open
arbitrary applications on Mac OSX
* CVE-2020-6798 (bmo#1602944)
Incorrect parsing of template tag could result in JavaScript
injection
* CVE-2020-6799 (bmo#1606596)
Arbitrary code execution when opening pdf links from other
applications, when Firefox is configured as default pdf
reader
* CVE-2020-6800 (bmo#1595786, bmo#1596706, bmo#1598543,
bmo#1604851, bmo#1605777, bmo#1608580, bmo#1608785)
Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5
* Fixed: Fixed various issues opening files with spaces in
their path (bmo#1601905, bmo#1602726)
ImportantSUSE bug 1161799CVE-2020-6796 at SUSECVE-2020-6796 at NVDCVE-2020-6797 at SUSECVE-2020-6797 at NVDCVE-2020-6798 at SUSECVE-2020-6798 at NVDCVE-2020-6799 at SUSECVE-2020-6799 at NVDCVE-2020-6800 at SUSECVE-2020-6800 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Critical)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.6.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2020-55 (bsc#1180039)
* CVE-2020-16042 (bmo#1679003)
Operations on a BigInt could have caused uninitialized memory
to be exposed
* CVE-2020-26971 (bmo#1663466)
Heap buffer overflow in WebGL
* CVE-2020-26973 (bmo#1680084)
CSS Sanitizer performed incorrect sanitization
* CVE-2020-26974 (bmo#1681022)
Incorrect cast of StyleGenericFlexBasis resulted in a heap
use-after-free
* CVE-2020-26978 (bmo#1677047)
Internal network hosts could have been probed by a malicious
webpage
* CVE-2020-35111 (bmo#1657916)
The proxy.onRequest API did not catch view-source URLs
* CVE-2020-35112 (bmo#1661365)
Opening an extension-less download may have inadvertently
launched an executable instead
* CVE-2020-35113 (bmo#1664831, bmo#1673589)
Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6
CriticalSUSE bug 1180039CVE-2020-16042 at SUSECVE-2020-16042 at NVDCVE-2020-26971 at SUSECVE-2020-26971 at NVDCVE-2020-26973 at SUSECVE-2020-26973 at NVDCVE-2020-26974 at SUSECVE-2020-26974 at NVDCVE-2020-26978 at SUSECVE-2020-26978 at NVDCVE-2020-35111 at SUSECVE-2020-35111 at NVDCVE-2020-35112 at SUSECVE-2020-35112 at NVDCVE-2020-35113 at SUSECVE-2020-35113 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for clamav (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for clamav fixes the following issues:
clamav was updated to 0.103.0 to implement jsc#ECO-3010 and bsc#1118459.
* clamd can now reload the signature database without blocking
scanning. This multi-threaded database reload improvement was made
possible thanks to a community effort.
- Non-blocking database reloads are now the default behavior. Some
systems that are more constrained on RAM may need to disable
non-blocking reloads as it will temporarily consume two times as
much memory. We added a new clamd config option
ConcurrentDatabaseReload, which may be set to no.
* Fix clamav-milter.service (requires clamd.service to run)
* bsc#1119353, clamav-fips.patch: Fix freshclam crash in FIPS mode.
* Partial sync with SLE15.
Update to version 0.102.4
Accumulated security fixes:
* CVE-2020-3350: Fix a vulnerability wherein a malicious user could
replace a scan target's directory with a symlink to another path
to trick clamscan, clamdscan, or clamonacc into removing or moving
a different file (eg. a critical system file). The issue would
affect users that use the --move or --remove options for clamscan,
clamdscan, and clamonacc. (bsc#1174255)
* CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing
module in ClamAV 0.102.3 that could cause a Denial-of-Service
(DoS) condition. Improper bounds checking results in an
out-of-bounds read which could cause a crash. The previous fix for
this CVE in 0.102.3 was incomplete. This fix correctly resolves
the issue.
* CVE-2020-3481: Fix a vulnerability in the EGG archive module in
ClamAV 0.102.0 - 0.102.3 could cause a Denial-of-Service (DoS)
condition. Improper error handling may result in a crash due to a
NULL pointer dereference. This vulnerability is mitigated for
those using the official ClamAV signature databases because the
file type signatures in daily.cvd will not enable the EGG archive
parser in versions affected by the vulnerability. (bsc#1174250)
* CVE-2020-3341: Fix a vulnerability in the PDF parsing module in
ClamAV 0.101 - 0.102.2 that could cause a Denial-of-Service (DoS)
condition. Improper size checking of a buffer used to initialize AES
decryption routines results in an out-of-bounds read which may cause
a crash. (bsc#1171981)
* CVE-2020-3123: A denial-of-service (DoS) condition may occur when
using the optional credit card data-loss-prevention (DLP) feature.
Improper bounds checking of an unsigned variable resulted in an
out-of-bounds read, which causes a crash.
* CVE-2019-15961: A Denial-of-Service (DoS) vulnerability may
occur when scanning a specially crafted email file as a result
of excessively long scan times. The issue is resolved by
implementing several maximums in parsing MIME messages and by
optimizing use of memory allocation. (bsc#1157763).
* CVE-2019-12900: An out of bounds write in the NSIS bzip2
(bsc#1149458)
* CVE-2019-12625: Introduce a configurable time limit to mitigate
zip bomb vulnerability completely. Default is 2 minutes,
configurable useing the clamscan --max-scantime and for clamd
using the MaxScanTime config option (bsc#1144504)
Update to version 0.101.3:
* ZIP bomb causes extreme CPU spikes (bsc#1144504)
Update to version 0.101.2 (bsc#1118459):
* Support for RAR v5 archive extraction.
* Incompatible changes to the arguments of cl_scandesc,
cl_scandesc_callback, and cl_scanmap_callback.
* Scanning options have been converted from a single flag
bit-field into a structure of multiple categorized flag
bit-fields.
* The CL_SCAN_HEURISTIC_ENCRYPTED scan option was replaced by
2 new scan options: CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE, and
CL_SCAN_HEURISTIC_ENCRYPTED_DOC
* Incompatible clamd.conf and command line interface changes.
* Heuristic Alerts' (aka 'Algorithmic Detection') options have
been changed to make the names more consistent. The original
options are deprecated in 0.101, and will be removed in a
future feature release.
* For details, see https://blog.clamav.net/2018/12/clamav-01010-has-been-released.html ImportantSUSE bug 1118459SUSE bug 1119353SUSE bug 1144504SUSE bug 1149458SUSE bug 1157763SUSE bug 1171981SUSE bug 1174250SUSE bug 1174255CVE-2019-12900 at SUSECVE-2019-12900 at NVDCVE-2019-15961 at SUSECVE-2019-15961 at NVDCVE-2020-3123 at SUSECVE-2020-3123 at NVDCVE-2020-3327 at SUSECVE-2020-3327 at NVDCVE-2020-3341 at SUSECVE-2020-3341 at NVDCVE-2020-3350 at SUSECVE-2020-3350 at NVDCVE-2020-3481 at SUSECVE-2020-3481 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for cyrus-sasl (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for cyrus-sasl fixes the following issues:
- CVE-2019-19906: Fixed an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet (bsc#1159635).
ImportantSUSE bug 1159635CVE-2019-19906 at SUSECVE-2019-19906 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for gcc9 (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for gcc9 fixes the following issues:
The GNU Compiler Collection is shipped in version 9.
A detailed changelog on what changed in GCC 9 is available at https://gcc.gnu.org/gcc-9/changes.html
The compilers have been added to the SUSE Linux Enterprise Toolchain Module.
To use these compilers, install e.g. gcc9, gcc9-c++ and build with CC=gcc-9
CXX=g++-9 set.
For SUSE Linux Enterprise base products, the libstdc++6, libgcc_s1 and
other compiler libraries have been switched from their gcc8 variants to
their gcc9 variants.
Security issues fixed:
- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)
Non-security issues fixed:
- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)
ModerateSUSE bug 1114592SUSE bug 1135254SUSE bug 1141897SUSE bug 1142649SUSE bug 1142654SUSE bug 1148517SUSE bug 1149145CVE-2019-14250 at SUSECVE-2019-14250 at NVDCVE-2019-15847 at SUSECVE-2019-15847 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xen (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xen fixes the following issues:
- CVE-2020-29480: Fixed an issue which could have allowed leak of non-sensitive data to administrator guests (bsc#117949 XSA-115).
- CVE-2020-29481: Fixed an issue which could have allowd to new domains to inherit existing node permissions (bsc#1179498 XSA-322).
- CVE-2020-29483: Fixed an issue where guests could disturb domain cleanup (bsc#1179502 XSA-325).
- CVE-2020-29484: Fixed an issue where guests could crash xenstored via watchs (bsc#1179501 XSA-324).
- CVE-2020-29566: Fixed an undue recursion in x86 HVM context switch code (bsc#1179506 XSA-348).
- CVE-2020-29570: Fixed an issue where FIFO event channels control block related ordering (bsc#1179514 XSA-358).
- CVE-2020-29571: Fixed an issue where FIFO event channels control structure ordering (bsc#1179516 XSA-359).
- CVE-2020-29130: Fixed an out-of-bounds access while processing ARP packets (bsc#1179477).
- Fixed an issue where dump-core shows missing nr_pages during core (bsc#1176782).
- Multiple other bugs (bsc#1027519)
ModerateSUSE bug 1027519SUSE bug 1176782SUSE bug 1179477SUSE bug 1179496SUSE bug 1179498SUSE bug 1179501SUSE bug 1179502SUSE bug 1179506SUSE bug 1179514SUSE bug 1179516CVE-2020-29130 at SUSECVE-2020-29130 at NVDCVE-2020-29480 at SUSECVE-2020-29480 at NVDCVE-2020-29481 at SUSECVE-2020-29481 at NVDCVE-2020-29483 at SUSECVE-2020-29483 at NVDCVE-2020-29484 at SUSECVE-2020-29484 at NVDCVE-2020-29566 at SUSECVE-2020-29566 at NVDCVE-2020-29570 at SUSECVE-2020-29570 at NVDCVE-2020-29571 at SUSECVE-2020-29571 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for sudo (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for sudo fixes the following issues:
Security issue fixed:
- CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202).
Non-security issue fixed:
- Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675).
ImportantSUSE bug 1162202SUSE bug 1162675CVE-2019-18634 at SUSECVE-2019-18634 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_7_1-ibm fixes the following issues:
Java was updated to 7.1 Service Refresh 4 Fix Pack 60 [bsc#1162972, bsc#1160968].
Security issues fixed:
- CVE-2020-2583: Fixed a serialization vulnerability in BeanContextSupport (bsc#1162972).
- CVE-2020-2593: Fixed an incorrect check in isBuiltinStreamHandler, causing URL normalization issues (bsc#1162972).
- CVE-2020-2604: Fixed a serialization issue in jdk.serialFilter (bsc#1162972).
- CVE-2020-2659: Fixed the incomplete enforcement of the maxDatagramSockets limit in DatagramChannelImpl (bsc#1162972).
Non-security issues fixed:
* Class Libraries:
IJ22333 HANG IN JAVA_JAVA_NET_SOCKETINPUTSTREAM_SOCKETREAD0 EVEN
WHEN TIMEOUT IS SET
IJ22350 JAVA 7 AND JAVA 8 NOT WORKING WELL WITH TRADITIONAL/SIMPLIFIED
CHINESE EDITION OF WINDOWS CLIENT SYSTEM
IJ22337 THE NAME OF THE REPUBLIC OF BELARUS IN THE RUSSIAN LOCALE
INCONSISTENT WITH CLDR
IJ22349 UPDATE TIMEZONE INFORMATION TO TZDATA2019C
* JIT Compiler:
IJ11368 JAVA JIT PPC: CRASH IN JIT COMPILED CODE ON PPC MACHINES
ImportantSUSE bug 1160968SUSE bug 1162972CVE-2020-2583 at SUSECVE-2020-2583 at NVDCVE-2020-2593 at SUSECVE-2020-2593 at NVDCVE-2020-2604 at SUSECVE-2020-2604 at NVDCVE-2020-2659 at SUSECVE-2020-2659 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libexif (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libexif fixes the following issues:
- CVE-2019-9278: Fixed an integer overflow (bsc#1160770).
- CVE-2018-20030: Fixed a denial of service by endless recursion (bsc#1120943).
ModerateSUSE bug 1120943SUSE bug 1160770CVE-2018-20030 at SUSECVE-2018-20030 at NVDCVE-2019-9278 at SUSECVE-2019-9278 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for openssl fixes the following issues:
Security issue fixed:
- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).
Non-security issue fixed:
- Fixed a crash in BN_copy (bsc#1160163).
ModerateSUSE bug 1117951SUSE bug 1158809SUSE bug 1160163CVE-2019-1551 at SUSECVE-2019-1551 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for ppp (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for ppp fixes the following security issue:
- CVE-2020-8597: Fixed a buffer overflow in the eap_request and eap_response functions (bsc#1162610).
ImportantSUSE bug 1162610CVE-2020-8597 at SUSECVE-2020-8597 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for python3 (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python3 fixes the following issues:
Update to 3.4.10 (jsc#SLE-9427, bsc#1159208) from 3.4.6:
Security issues fixed:
- Update expat copy from 2.1.1 to 2.2.0 to fix the following issues:
CVE-2012-0876, CVE-2016-0718, CVE-2016-4472, CVE-2017-9233, CVE-2016-9063
- CVE-2017-1000158: Fix an integer overflow in thePyString_DecodeEscape function in stringobject.c, resulting in heap-based bufferoverflow (bsc#1068664).
ModerateSUSE bug 1068664SUSE bug 1159208SUSE bug 1159623CVE-2012-0876 at SUSECVE-2012-0876 at NVDCVE-2016-0718 at SUSECVE-2016-0718 at NVDCVE-2016-4472 at SUSECVE-2016-4472 at NVDCVE-2016-9063 at SUSECVE-2016-9063 at NVDCVE-2017-1000158 at SUSECVE-2017-1000158 at NVDCVE-2017-9233 at SUSECVE-2017-9233 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for mariadb (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for mariadb fixes the following issues:
Security issue fixed:
- CVE-2019-2974: Fixed Server Optimizer (bsc#1154162).
ModerateSUSE bug 1154162CVE-2019-2974 at SUSECVE-2019-2974 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_7_1-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_7_1-ibm fixes the following issues:
- Update to 7.1 Service Refresh 4 Fix Pack 55 [bsc#1158442, bsc#1154212]
* Security fixes:
CVE-2019-2933 CVE-2019-2945 CVE-2019-2962 CVE-2019-2964
CVE-2019-2978 CVE-2019-2983 CVE-2019-2989 CVE-2019-2992
CVE-2019-2999 CVE-2019-2973 CVE-2019-2981
ModerateSUSE bug 1154212SUSE bug 1158442CVE-2019-2933 at SUSECVE-2019-2933 at NVDCVE-2019-2945 at SUSECVE-2019-2945 at NVDCVE-2019-2962 at SUSECVE-2019-2962 at NVDCVE-2019-2964 at SUSECVE-2019-2964 at NVDCVE-2019-2973 at SUSECVE-2019-2973 at NVDCVE-2019-2978 at SUSECVE-2019-2978 at NVDCVE-2019-2981 at SUSECVE-2019-2981 at NVDCVE-2019-2983 at SUSECVE-2019-2983 at NVDCVE-2019-2989 at SUSECVE-2019-2989 at NVDCVE-2019-2992 at SUSECVE-2019-2992 at NVDCVE-2019-2999 at SUSECVE-2019-2999 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_8_0-ibm fixes the following issues:
Java 8.0 was updated to Service Refresh 6 Fix Pack 5 (bsc#1162972, bsc#1160968)
- CVE-2020-2583: Unlink Set of LinkedHashSets
- CVE-2019-4732: Untrusted DLL search path vulnerability
- CVE-2020-2593: Normalize normalization for all
- CVE-2020-2604: Better serial filter handling
- CVE-2020-2659: Enhance datagram socket support
ImportantSUSE bug 1160968SUSE bug 1162972CVE-2019-4732 at SUSECVE-2019-4732 at NVDCVE-2020-2583 at SUSECVE-2020-2583 at NVDCVE-2020-2593 at SUSECVE-2020-2593 at NVDCVE-2020-2604 at SUSECVE-2020-2604 at NVDCVE-2020-2659 at SUSECVE-2020-2659 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for log4j (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for log4j fixes the following issues:
- CVE-2019-17571: Fixed a remote code execution by deserialization of untrusted data in SocketServer (bsc#1159646).
ImportantSUSE bug 1159646CVE-2019-17571 at SUSECVE-2019-17571 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for permissions (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for permissions fixes the following issues:
Security issues fixed:
- CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922).
Non-security issues fixed:
- Fixed a regression where chkstat broke when /proc was not available (bsc#1160764, bsc#1160594).
- Fixed capability handling when doing multiple permission changes at once (bsc#1161779).
ModerateSUSE bug 1123886SUSE bug 1160594SUSE bug 1160764SUSE bug 1161779SUSE bug 1163922CVE-2020-8013 at SUSECVE-2020-8013 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer, python-jsonpatch, python-jsonpointer, python-scandir, python-PyYAML fixes the following issues:
python-cfn-lint was included as a new package in 0.21.4.
python-aws-sam-translator was updated to 1.11.0:
* Add ReservedConcurrentExecutions to globals
* Fix ElasticsearchHttpPostPolicy resource reference
* Support using AWS::Region in Ref and Sub
* Documentation and examples updates
* Add VersionDescription property to Serverless::Function
* Update ServerlessRepoReadWriteAccessPolicy
* Add additional template validation
Upgrade to 1.10.0:
* Add GSIs to DynamoDBReadPolicy and DynamoDBCrudPolicy
* Add DynamoDBReconfigurePolicy
* Add CostExplorerReadOnlyPolicy and OrganizationsListAccountsPolicy
* Add EKSDescribePolicy
* Add SESBulkTemplatedCrudPolicy
* Add FilterLogEventsPolicy
* Add SSMParameterReadPolicy
* Add SESEmailTemplateCrudPolicy
* Add s3:PutObjectAcl to S3CrudPolicy
* Add allow_credentials CORS option
* Add support for AccessLogSetting and CanarySetting Serverless::Api properties
* Add support for X-Ray in Serverless::Api
* Add support for MinimumCompressionSize in Serverless::Api
* Add Auth to Serverless::Api globals
* Remove trailing slashes from APIGW permissions
* Add SNS FilterPolicy and an example application
* Add Enabled property to Serverless::Function event sources
* Add support for PermissionsBoundary in Serverless::Function
* Fix boto3 client initialization
* Add PublicAccessBlockConfiguration property to S3 bucket resource
* Make PAY_PER_REQUEST default mode for Serverless::SimpleTable
* Add limited support for resolving intrinsics in Serverless::LayerVersion
* SAM now uses Flake8
* Add example application for S3 Events written in Go
* Updated several example applications
- Initial build
+ Version 1.9.0
- Add patch to drop compatible releases operator from setup.py,
required for SLES12 as the setuptools version is too old
+ ast_drop-compatible-releases-operator.patch
python-jsonschema was updated to 2.6.0:
* Improved performance on CPython by adding caching around ref resolution
Update to version 2.5.0:
* Improved performance on CPython by adding caching around ref
resolution (#203)
Update to version 2.4.0:
* Added a CLI (#134)
* Added absolute path and absolute schema path to errors (#120)
* Added ``relevance``
* Meta-schemas are now loaded via ``pkgutil``
* Added ``by_relevance`` and ``best_match`` (#91)
* Fixed ``format`` to allow adding formats for non-strings (#125)
* Fixed the ``uri`` format to reject URI references (#131)
- Install /usr/bin/jsonschema with update-alternatives support
python-nose2 was updated to 0.9.1:
* the prof plugin now uses cProfile instead of hotshot for profiling
* skipped tests now include the user's reason in junit XML's message field
* the prettyassert plugin mishandled multi-line function definitions
* Using a plugin's CLI flag when the plugin is already enabled via config
no longer errors
* nose2.plugins.prettyassert, enabled with --pretty-assert
* Cleanup code for EOLed python versions
* Dropped support for distutils.
* Result reporter respects failure status set by other plugins
* JUnit XML plugin now includes the skip reason in its output
Upgrade to 0.8.0:
List of changes is too long to show here, see
https://github.com/nose-devs/nose2/blob/master/docs/changelog.rst
changes between 0.6.5 and 0.8.0
Update to 0.7.0:
* Added parameterized_class feature, for parameterizing entire test
classes (many thanks to @TobyLL for their suggestions and help testing!)
* Fix DeprecationWarning on `inspect.getargs` (thanks @brettdh;
https://github.com/wolever/parameterized/issues/67)
* Make sure that `setUp` and `tearDown` methods work correctly (#40)
* Raise a ValueError when input is empty (thanks @danielbradburn;
https://github.com/wolever/parameterized/pull/48)
* Fix the order when number of cases exceeds 10 (thanks @ntflc;
https://github.com/wolever/parameterized/pull/49)
python-scandir was included in version 2.3.2.
python-requests was updated to version 2.20.1 (bsc#1111622)
* Fixed bug with unintended Authorization header stripping for
redirects using default ports (http/80, https/443).
* remove restriction for urllib3 < 1.24
Update to version 2.20.0:
* Bugfixes
+ Content-Type header parsing is now case-insensitive
(e.g. charset=utf8 v Charset=utf8).
+ Fixed exception leak where certain redirect urls would raise
uncaught urllib3 exceptions.
+ Requests removes Authorization header from requests redirected
from https to http on the same hostname. (CVE-2018-18074)
+ should_bypass_proxies now handles URIs without hostnames
(e.g. files).
* Dependencies
+ Requests now supports urllib3 v1.24.
* Deprecations
+ Requests has officially stopped support for Python 2.6.
Update to version 2.19.1:
* Fixed issue where status_codes.py’s init function failed trying
to append to a __doc__ value of None.
Update to version 2.19.0:
* Improvements
+ Warn about possible slowdown with cryptography version < 1.3.4
+ Check host in proxy URL, before forwarding request to adapter.
+ Maintain fragments properly across redirects. (RFC7231 7.1.2)
+ Removed use of cgi module to expedite library load time.
+ Added support for SHA-256 and SHA-512 digest auth algorithms.
+ Minor performance improvement to Request.content.
+ Migrate to using collections.abc for 3.7 compatibility.
* Bugfixes
+ Parsing empty Link headers with parse_header_links() no longer
return one bogus entry.
+ Fixed issue where loading the default certificate bundle from
a zip archive would raise an IOError.
+ Fixed issue with unexpected ImportError on windows system
which do not support winreg module.
+ DNS resolution in proxy bypass no longer includes the username
and password in the request. This also fixes the issue of DNS
queries failing on macOS.
+ Properly normalize adapter prefixes for url comparison.
+ Passing None as a file pointer to the files param no longer
raises an exception.
+ Calling copy on a RequestsCookieJar will now preserve the
cookie policy correctly.
* We now support idna v2.7 and urllib3 v1.23.
update to version 2.18.4:
* Improvements
+ Error messages for invalid headers now include the header name
for easier debugging
* Dependencies
+ We now support idna v2.6.
update to version 2.18.3:
* Improvements
+ Running $ python -m requests.help now includes the installed
version of idna.
* Bugfixes
+ Fixed issue where Requests would raise ConnectionError instead
of SSLError when encountering SSL problems when using urllib3
v1.22.
ModerateSUSE bug 1111622SUSE bug 1122668CVE-2018-18074 at SUSECVE-2018-18074 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libpng16 (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libpng16 fixes the following issues:
Security issues fixed:
- CVE-2019-7317: Fixed a use-after-free vulnerability, triggered when
png_image_free() was called under png_safe_execute (bsc#1124211).
- CVE-2017-12652: Fixed an Input Validation Error related to the length of chunks (bsc#1141493).
ModerateSUSE bug 1124211SUSE bug 1141493CVE-2017-12652 at SUSECVE-2017-12652 at NVDCVE-2019-7317 at SUSECVE-2019-7317 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for postgresql96 (Low)SUSE Linux Enterprise Server 12 SP3-BCL
This update for postgresql96 fixes the following issues:
PostgreSQL was updated to version 9.6.17.
Security issue fixed:
- CVE-2020-1720: Fixed a missing authorization check in the ALTER ... DEPENDS ON extension (bsc#1163985).
LowSUSE bug 1163985CVE-2020-1720 at SUSECVE-2020-1720 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_7_0-openjdk fixes the following issues:
Update java-1_7_0-openjdk to version jdk7u251 (January 2020 CPU, bsc#1160968):
- CVE-2020-2583: Unlink Set of LinkedHashSets
- CVE-2020-2590: Improve Kerberos interop capabilities
- CVE-2020-2593: Normalize normalization for all
- CVE-2020-2601: Better Ticket Granting Services
- CVE-2020-2604: Better serial filter handling
- CVE-2020-2659: Enhance datagram socket support
- CVE-2020-2654: Improve Object Identifier Processing
ImportantSUSE bug 1160968CVE-2020-2583 at SUSECVE-2020-2583 at NVDCVE-2020-2590 at SUSECVE-2020-2590 at NVDCVE-2020-2593 at SUSECVE-2020-2593 at NVDCVE-2020-2601 at SUSECVE-2020-2601 at NVDCVE-2020-2604 at SUSECVE-2020-2604 at NVDCVE-2020-2654 at SUSECVE-2020-2654 at NVDCVE-2020-2659 at SUSECVE-2020-2659 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for ipmitool (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for ipmitool fixes the following issues:
- CVE-2020-5208: Fixed multiple remote code executtion vulnerabilities (bsc#1163026).
- picmg discover messages are now DEBUG and not INFO messages (bsc#1085469).
ImportantSUSE bug 1085469SUSE bug 1163026CVE-2020-5208 at SUSECVE-2020-5208 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for squid (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for squid fixes the following issues:
- CVE-2019-12528: Fixed an information disclosure flaw in the FTP gateway (bsc#1162689).
- CVE-2019-12526: Fixed potential remote code execution during URN processing (bsc#1156326).
- CVE-2019-12523,CVE-2019-18676: Fixed multiple improper validations in URI processing (bsc#1156329).
- CVE-2019-18677: Fixed Cross-Site Request Forgery in HTTP Request processing (bsc#1156328).
- CVE-2019-18678: Fixed incorrect message parsing which could have led to HTTP request splitting issue (bsc#1156323).
- CVE-2019-18679: Fixed information disclosure when processing HTTP Digest Authentication (bsc#1156324).
- CVE-2020-8449: Fixed a buffer overflow when squid is acting as reverse-proxy (bsc#1162687).
- CVE-2020-8450: Fixed a buffer overflow when squid is acting as reverse-proxy (bsc#1162687).
- CVE-2020-8517: Fixed a buffer overflow in ext_lm_group_acl when processing NTLM Authentication credentials (bsc#1162691).
ImportantSUSE bug 1156323SUSE bug 1156324SUSE bug 1156326SUSE bug 1156328SUSE bug 1156329SUSE bug 1162687SUSE bug 1162689SUSE bug 1162691CVE-2019-12523 at SUSECVE-2019-12523 at NVDCVE-2019-12526 at SUSECVE-2019-12526 at NVDCVE-2019-12528 at SUSECVE-2019-12528 at NVDCVE-2019-18676 at SUSECVE-2019-18676 at NVDCVE-2019-18677 at SUSECVE-2019-18677 at NVDCVE-2019-18678 at SUSECVE-2019-18678 at NVDCVE-2019-18679 at SUSECVE-2019-18679 at NVDCVE-2020-8449 at SUSECVE-2020-8449 at NVDCVE-2020-8450 at SUSECVE-2020-8450 at NVDCVE-2020-8517 at SUSECVE-2020-8517 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 68.4.1 ESR
* Fixed: Security fix
MFSA 2020-03 (bsc#1160498)
* CVE-2019-17026 (bmo#1607443)
IonMonkey type confusion with StoreElementHole and
FallibleStoreElement
- Firefox Extended Support Release 68.4.0 ESR
* Fixed: Various security fixes
MFSA 2020-02 (bsc#1160305)
* CVE-2019-17015 (bmo#1599005)
Memory corruption in parent process during new content
process initialization on Windows
* CVE-2019-17016 (bmo#1599181)
Bypass of @namespace CSS sanitization during pasting
* CVE-2019-17017 (bmo#1603055)
Type Confusion in XPCVariant.cpp
* CVE-2019-17021 (bmo#1599008)
Heap address disclosure in parent process during content
process initialization on Windows
* CVE-2019-17022 (bmo#1602843)
CSS sanitization does not escape HTML tags
* CVE-2019-17024 (bmo#1507180, bmo#1595470, bmo#1598605,
bmo#1601826)
Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4
ImportantSUSE bug 1160305SUSE bug 1160498CVE-2019-17015 at SUSECVE-2019-17015 at NVDCVE-2019-17016 at SUSECVE-2019-17016 at NVDCVE-2019-17017 at SUSECVE-2019-17017 at NVDCVE-2019-17021 at SUSECVE-2019-17021 at NVDCVE-2019-17022 at SUSECVE-2019-17022 at NVDCVE-2019-17024 at SUSECVE-2019-17024 at NVDCVE-2019-17026 at SUSECVE-2019-17026 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for postgresql10 (Low)SUSE Linux Enterprise Server 12 SP3-BCL
This update for postgresql10 fixes the following issues:
PostgreSQL was updated to version 10.12.
Security issue fixed:
- CVE-2020-1720: Fixed a missing authorization check in the ALTER ... DEPENDS ON extension (bsc#1163985).
LowSUSE bug 1163985CVE-2020-1720 at SUSECVE-2020-1720 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
MozillaFirefox was updated to 68.6.0 ESR (MFSA 2020-09 bsc#1132665 bsc#1166238)
- CVE-2020-6805: Fixed a use-after-free when removing data about origins
- CVE-2020-6806: Fixed improper protections against state confusion
- CVE-2020-6807: Fixed a use-after-free in cubeb during stream destruction
- CVE-2020-6811: Fixed an issue where copy as cURL' feature did not fully
escape website-controlled data potentially leading to command injection
- CVE-2019-20503: Fixed out of bounds reads in sctp_load_addresses_from_init
- CVE-2020-6812: Fixed an issue where the names of AirPods with personally
identifiable information were exposed to websites with camera or microphone
permission
- CVE-2020-6814: Fixed multiple memory safety bugs
- Fixed an issue with minimizing a window (bsc#1132665).
ImportantSUSE bug 1132665SUSE bug 1166238CVE-2019-20503 at SUSECVE-2019-20503 at NVDCVE-2020-6805 at SUSECVE-2020-6805 at NVDCVE-2020-6806 at SUSECVE-2020-6806 at NVDCVE-2020-6807 at SUSECVE-2020-6807 at NVDCVE-2020-6811 at SUSECVE-2020-6811 at NVDCVE-2020-6812 at SUSECVE-2020-6812 at NVDCVE-2020-6814 at SUSECVE-2020-6814 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for tomcat (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for tomcat fixes the following issues:
- CVE-2020-1938: Fixed a file contents disclosure vulnerability (bsc#1164692).
ImportantSUSE bug 1164692CVE-2020-1938 at SUSECVE-2020-1938 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libzypp (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libzypp fixes the following issues:
Security issue fixed:
- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).
ModerateSUSE bug 1158763CVE-2019-18900 at SUSECVE-2019-18900 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for python-cffi, python-cryptography (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python-cffi, python-cryptography fixes the following issues:
Security issue fixed:
- CVE-2018-10903: Fixed GCM tag forgery via truncated tag in finalize_with_tag API (bsc#1101820).
Non-security issues fixed:
python-cffi was updated to 1.11.2 (bsc#1138748, jsc#ECO-1256, jsc#PM-1598):
- fixed a build failure on i586 (bsc#1111657)
- Salt was unable to highstate in snapshot 20171129 (bsc#1070737)
- Update pytest in spec to add c directory tests in addition to
testing directory.
- update to version 1.11.2:
* Fix Windows issue with managing the thread-state on CPython 3.0 to
3.5
- Update pytest in spec to add c directory tests in addition to
testing directory.
- Omit test_init_once_multithread tests as they rely on multiple
threads finishing in a given time. Returns sporadic pass/fail
within build.
- Update to 1.11.1:
* Fix tests, remove deprecated C API usage
* Fix (hack) for 3.6.0/3.6.1/3.6.2 giving incompatible binary
extensions (cpython issue #29943)
* Fix for 3.7.0a1+
- Update to 1.11.0:
* Support the modern standard types char16_t and char32_t. These
work like wchar_t: they represent one unicode character, or when
used as charN_t * or charN_t[] they represent a unicode string.
The difference with wchar_t is that they have a known, fixed
size. They should work at all places that used to work with
wchar_t (please report an issue if I missed something). Note
that with set_source(), you need to make sure that these types
are actually defined by the C source you provide (if used in
cdef()).
* Support the C99 types float _Complex and double _Complex. Note
that libffi doesn't support them, which means that in the ABI
mode you still cannot call C functions that take complex
numbers directly as arguments or return type.
* Fixed a rare race condition when creating multiple FFI instances
from multiple threads. (Note that you aren't meant to create
many FFI instances: in inline mode, you should write
ffi = cffi.FFI() at module level just after import cffi; and in
out-of-line mode you don't instantiate FFI explicitly at all.)
* Windows: using callbacks can be messy because the CFFI internal
error messages show up to stderr-but stderr goes nowhere in many
applications. This makes it particularly hard to get started
with the embedding mode. (Once you get started, you can at least
use @ffi.def_extern(onerror=...) and send the error logs where
it makes sense for your application, or record them in log
files, and so on.) So what is new in CFFI is that now, on
Windows CFFI will try to open a non-modal MessageBox (in addition
to sending raw messages to stderr). The MessageBox is only
visible if the process stays alive: typically, console
applications that crash close immediately, but that is also the
situation where stderr should be visible anyway.
* Progress on support for callbacks in NetBSD.
* Functions returning booleans would in some case still return 0
or 1 instead of False or True. Fixed.
* ffi.gc() now takes an optional third parameter, which gives an
estimate of the size (in bytes) of the object. So far, this is
only used by PyPy, to make the next GC occur more quickly
(issue #320). In the future, this might have an effect on
CPython too (provided the CPython issue 31105 is addressed).
* Add a note to the documentation: the ABI mode gives function
objects that are slower to call than the API mode does. For
some reason it is often thought to be faster. It is not!
- Update to 1.10.1:
* Fixed the line numbers reported in case of cdef() errors. Also,
I just noticed, but pycparser always supported the preprocessor
directive # 42 'foo.h' to mean 'from the next line, we're in
file foo.h starting from line 42';, which it puts in the error
messages.
- update to 1.10.0:
* Issue #295: use calloc() directly instead of PyObject_Malloc()+memset()
to handle ffi.new() with a default allocator. Speeds up ffi.new(large-array)
where most of the time you never touch most of the array.
* Some OS/X build fixes ('only with Xcode but without CLT';).
* Improve a couple of error messages: when getting mismatched versions of
cffi and its backend; and when calling functions which cannot be called with
libffi because an argument is a struct that is 'too complicated'; (and not
a struct pointer, which always works).
* Add support for some unusual compilers (non-msvc, non-gcc, non-icc, non-clang)
* Implemented the remaining cases for ffi.from_buffer. Now all
buffer/memoryview objects can be passed. The one remaining check is against
passing unicode strings in Python 2. (They support the buffer interface, but
that gives the raw bytes behind the UTF16/UCS4 storage, which is most of the
times not what you expect. In Python 3 this has been fixed and the unicode
strings don't support the memoryview interface any more.)
* The C type _Bool or bool now converts to a Python boolean when reading,
instead of the content of the byte as an integer. The potential
incompatibility here is what occurs if the byte contains a value different
from 0 and 1. Previously, it would just return it; with this change, CFFI
raises an exception in this case. But this case means 'undefined behavior';
in C; if you really have to interface with a library relying on this,
don't use bool in the CFFI side. Also, it is still valid to use a byte
string as initializer for a bool[], but now it must only contain \x00 or
\x01. As an aside, ffi.string() no longer works on bool[] (but it never made
much sense, as this function stops at the first zero).
* ffi.buffer is now the name of cffi's buffer type, and ffi.buffer() works
like before but is the constructor of that type.
* ffi.addressof(lib, 'name') now works also in in-line mode, not only in
out-of-line mode. This is useful for taking the address of global variables.
* Issue #255: cdata objects of a primitive type (integers, floats, char) are
now compared and ordered by value. For example, <cdata 'int' 42> compares
equal to 42 and <cdata 'char' b'A'> compares equal to b'A'. Unlike C,
<cdata 'int' -1> does not compare equal to ffi.cast('unsigned int', -1): it
compares smaller, because -1 < 4294967295.
* PyPy: ffi.new() and ffi.new_allocator()() did not record 'memory pressure';,
causing the GC to run too infrequently if you call ffi.new() very often
and/or with large arrays. Fixed in PyPy 5.7.
* Support in ffi.cdef() for numeric expressions with + or -. Assumes that
there is no overflow; it should be fixed first before we add more general
support for arbitrary arithmetic on constants.
- do not generate HTML documentation for packages that are indirect
dependencies of Sphinx
(see docs at https://cffi.readthedocs.org/ )
- update to 1.9.1
- Structs with variable-sized arrays as their last field: now we track the
length of the array after ffi.new() is called, just like we always tracked
the length of ffi.new('int[]', 42). This lets us detect out-of-range
accesses to array items. This also lets us display a better repr(), and
have the total size returned by ffi.sizeof() and ffi.buffer(). Previously
both functions would return a result based on the size of the declared
structure type, with an assumed empty array. (Thanks andrew for starting
this refactoring.)
- Add support in cdef()/set_source() for unspecified-length arrays in
typedefs: typedef int foo_t[...];. It was already supported for global
variables or structure fields.
- I turned in v1.8 a warning from cffi/model.py into an error: 'enum xxx' has
no values explicitly defined: refusing to guess which integer type it is
meant to be (unsigned/signed, int/long). Now I'm turning it back to a
warning again; it seems that guessing that the enum has size int is a
99%-safe bet. (But not 100%, so it stays as a warning.)
- Fix leaks in the code handling FILE * arguments. In CPython 3 there is a
remaining issue that is hard to fix: if you pass a Python file object to a
FILE * argument, then os.dup() is used and the new file descriptor is only
closed when the GC reclaims the Python file object-and not at the earlier
time when you call close(), which only closes the original file descriptor.
If this is an issue, you should avoid this automatic convertion of Python
file objects: instead, explicitly manipulate file descriptors and call
fdopen() from C (...via cffi).
- When passing a void * argument to a function with a different pointer type,
or vice-versa, the cast occurs automatically, like in C. The same occurs
for initialization with ffi.new() and a few other places. However, I
thought that char * had the same property-but I was mistaken. In C you get
the usual warning if you try to give a char * to a char ** argument, for
example. Sorry about the confusion. This has been fixed in CFFI by giving
for now a warning, too. It will turn into an error in a future version.
- Issue #283: fixed ffi.new() on structures/unions with nested anonymous
structures/unions, when there is at least one union in the mix. When
initialized with a list or a dict, it should now behave more closely like
the { } syntax does in GCC.
- CPython 3.x: experimental: the generated C extension modules now use the
'limited API';, which means that, as a compiled .so/.dll, it should work
directly on any version of CPython >= 3.2. The name produced by distutils
is still version-specific. To get the version-independent name, you can
rename it manually to NAME.abi3.so, or use the very recent setuptools 26.
- Added ffi.compile(debug=...), similar to python setup.py build --debug but
defaulting to True if we are running a debugging version of Python itself.
- Removed the restriction that ffi.from_buffer() cannot be used on byte
strings. Now you can get a char * out of a byte string, which is valid as
long as the string object is kept alive. (But don't use it to modify the
string object! If you need this, use bytearray or other official
techniques.)
- PyPy 5.4 can now pass a byte string directly to a char * argument (in older
versions, a copy would be made). This used to be a CPython-only
optimization.
- ffi.gc(p, None) removes the destructor on an object previously created by
another call to ffi.gc()
- bool(ffi.cast('primitive type', x)) now returns False if the value is zero
(including -0.0), and True otherwise. Previously this would only return
False for cdata objects of a pointer type when the pointer is NULL.
- bytearrays: ffi.from_buffer(bytearray-object) is now supported. (The reason
it was not supported was that it was hard to do in PyPy, but it works since
PyPy 5.3.) To call a C function with a char * argument from a buffer
object-now including bytearrays-you write lib.foo(ffi.from_buffer(x)).
Additionally, this is now supported: p[0:length] = bytearray-object. The
problem with this was that a iterating over bytearrays gives numbers
instead of characters. (Now it is implemented with just a memcpy, of
course, not actually iterating over the characters.)
- C++: compiling the generated C code with C++ was supposed to work, but
failed if you make use the bool type (because that is rendered as the C
_Bool type, which doesn't exist in C++).
- help(lib) and help(lib.myfunc) now give useful information, as well as
dir(p) where p is a struct or pointer-to-struct.
- update for multipython build
- disable 'negative left shift' warning in test suite to prevent
failures with gcc6, until upstream fixes the undefined code
in question (bsc#981848)
- Update to version 1.6.0:
* ffi.list_types()
* ffi.unpack()
* extern 'Python+C';
* in API mode, lib.foo.__doc__ contains the C signature now.
* Yet another attempt at robustness of ffi.def_extern() against
CPython's interpreter shutdown logic.
- Update in SLE-12 (bsc#1138748, jsc#ECO-1256, jsc#PM-1598)
- Make this version of the package compatible with OpenSSL 1.1.1d, thus fixing bsc#1149792.
- bsc#1101820 CVE-2018-10903 GCM tag forgery via truncated tag in
finalize_with_tag API
- Add proper conditional for the python2, the ifpython works only
for the requires/etc
- add missing dependency on python ssl
- update to version 2.1.4:
* Added X509_up_ref for an upcoming pyOpenSSL release.
- update to version 2.1.3:
* Updated Windows, macOS, and manylinux1 wheels to be compiled with
OpenSSL 1.1.0g.
- update to version 2.1.2:
* Corrected a bug with the manylinux1 wheels where OpenSSL's stack
was marked executable.
- fix BuildRequires conditions for python3
- update to 2.1.1
- Fix cffi version requirement.
- Disable memleak tests to fix build with OpenSSL 1.1 (bsc#1055478)
- update to 2.0.3
- update to 2.0.2
- update to 2.0
- update to 1.9
- add python-packaging to requirements explicitly instead of relying
on setuptools to pull it in
- Switch to singlespec approach
- update to 1.8.1
- Adust Requires and BuildRequires ModerateSUSE bug 1055478SUSE bug 1070737SUSE bug 1101820SUSE bug 1111657SUSE bug 1138748SUSE bug 1149792SUSE bug 981848CVE-2018-10903 at SUSECVE-2018-10903 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for spamassassin (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for spamassassin fixes the following issues:
- CVE-2018-11805: Fixed an issue with delimiter handling in rule files
related to is_regexp_valid() (bsc#1118987).
- CVE-2020-1930: Fixed an issue with rule configuration (.cf) files which
can be configured to run system commands (bsc#1162197).
- CVE-2020-1931: Fixed an issue with rule configuration (.cf) files which
can be configured to run system commands with warnings (bsc#1162200).
ImportantSUSE bug 1118987SUSE bug 1162197SUSE bug 1162200CVE-2018-11805 at SUSECVE-2018-11805 at NVDCVE-2020-1930 at SUSECVE-2020-1930 at NVDCVE-2020-1931 at SUSECVE-2020-1931 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for python3 (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python3 fixes the following issue:
- CVE-2019-18348: Fixed a CRLF injection via the host part
of the url passed to urlopen(). Now an InvalidURL exception
is raised (bsc#1155094).
- CVE-2019-9674: Improved the documentation to reflect the
dangers of zip-bombs (bsc#1162825).
- CVE-2020-8492: Fixed a regular expression in urllib that
was prone to denial of service via HTTP (bsc#1162367).
- Fixed an issue with version missmatch (bsc#1162224).
- Rename idle icons to idle3 in order to not conflict with python2
variant of the package. (bsc#1165894)
ModerateSUSE bug 1155094SUSE bug 1162224SUSE bug 1162367SUSE bug 1162825SUSE bug 1165894CVE-2019-18348 at SUSECVE-2019-18348 at NVDCVE-2019-9674 at SUSECVE-2019-9674 at NVDCVE-2020-8492 at SUSECVE-2020-8492 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for mozilla-nspr, mozilla-nss (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.47.1:
Security issues fixed:
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527).
- CVE-2019-11727: Fixed vulnerability sign CertificateVerify with PKCS#1 v1.5 signatures issue (bsc#1141322).
mozilla-nspr was updated to version 4.23:
- Whitespace in C files was cleaned up and no longer uses tab characters for indenting.
ModerateSUSE bug 1141322SUSE bug 1158527SUSE bug 1159819CVE-2019-11745 at SUSECVE-2019-11745 at NVDCVE-2019-17006 at SUSECVE-2019-17006 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libxslt (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libxslt fixes the following issue:
- CVE-2019-18197: Fixed a dangling pointer in xsltCopyText which may have led to information disclosure (bsc#1154609).
ModerateSUSE bug 1154609CVE-2019-18197 at SUSECVE-2019-18197 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
- Mozilla Firefox 68.6.1esr
MFSA 2020-11 (bsc#1168630)
* CVE-2020-6819 (bmo#1620818)
Use-after-free while running the nsDocShell destructor
* CVE-2020-6820 (bmo#1626728)
Use-after-free when handling a ReadableStream
ImportantSUSE bug 1168630CVE-2020-6819 at SUSECVE-2020-6819 at NVDCVE-2020-6820 at SUSECVE-2020-6820 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox to version 68.7.0 ESR fixes the following issues:
- CVE-2020-6821: Uninitialized memory could be read when using the WebGL copyTexSubImage method (bsc#1168874).
- CVE-2020-6822: Fixed out of bounds write in GMPDecodeData when processing large images (bsc#1168874).
- CVE-2020-6825: Fixed Memory safety bugs (bsc#1168874).
- CVE-2020-6827: Custom Tabs could have the URI spoofed (bsc#1168874).
- CVE-2020-6828: Preference overwrite via crafted Intent (bsc#1168874).
ImportantSUSE bug 1168874CVE-2020-6821 at SUSECVE-2020-6821 at NVDCVE-2020-6822 at SUSECVE-2020-6822 at NVDCVE-2020-6825 at SUSECVE-2020-6825 at NVDCVE-2020-6827 at SUSECVE-2020-6827 at NVDCVE-2020-6828 at SUSECVE-2020-6828 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for git (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for git fixes the following issues:
Security issue fixed:
- CVE-2020-5260: With a crafted URL that contains a newline in it, the credential
helper machinery can be fooled to give credential information for a wrong host (bsc#1168930).
Non-security issue fixed:
git was updated to 2.26.0 for SHA256 support (bsc#1167890, jsc#SLE-11608):
- the xinetd snippet was removed
- the System V init script for the git-daemon was replaced by a systemd
service file of the same name.
git 2.26.0:
* 'git rebase' now uses a different backend that is based on the
'merge' machinery by default. The 'rebase.backend' configuration
variable reverts to old behaviour when set to 'apply'
* Improved handling of sparse checkouts
* Improvements to many commands and internal features
git 2.25.1:
* 'git commit' now honors advise.statusHints
* various updates, bug fixes and documentation updates
git 2.25.0:
* The branch description ('git branch --edit-description') has been
used to fill the body of the cover letters by the format-patch
command; this has been enhanced so that the subject can also be
filled.
* A few commands learned to take the pathspec from the standard input
or a named file, instead of taking it as the command line
arguments, with the '--pathspec-from-file' option.
* Test updates to prepare for SHA-2 transition continues.
* Redo 'git name-rev' to avoid recursive calls.
* When all files from some subdirectory were renamed to the root
directory, the directory rename heuristics would fail to detect that
as a rename/merge of the subdirectory to the root directory, which has
been corrected.
* HTTP transport had possible allocator/deallocator mismatch, which
has been corrected.
git 2.24.1:
* CVE-2019-1348: The --export-marks option of fast-import is
exposed also via the in-stream command feature export-marks=...
and it allows overwriting arbitrary paths (bsc#1158785)
* CVE-2019-1349: on Windows, when submodules are cloned
recursively, under certain circumstances Git could be fooled
into using the same Git directory twice (bsc#1158787)
* CVE-2019-1350: Incorrect quoting of command-line arguments
allowed remote code execution during a recursive clone in
conjunction with SSH URLs (bsc#1158788)
* CVE-2019-1351: on Windows mistakes drive letters outside of
the US-English alphabet as relative paths (bsc#1158789)
* CVE-2019-1352: on Windows was unaware of NTFS Alternate Data
Streams (bsc#1158790)
* CVE-2019-1353: when run in the Windows Subsystem for Linux
while accessing a working directory on a regular Windows
drive, none of the NTFS protections were active (bsc#1158791)
* CVE-2019-1354: on Windows refuses to write tracked files with
filenames that contain backslashes (bsc#1158792)
* CVE-2019-1387: Recursive clones vulnerability that is caused
by too-lax validation of submodule names, allowing very
targeted attacks via remote code execution in recursive
clones (bsc#1158793)
* CVE-2019-19604: a recursive clone followed by a submodule
update could execute code contained within the repository
without the user explicitly having asked for that (bsc#1158795)
- Fix building with asciidoctor and without DocBook4 stylesheets.
git 2.24.0
* The command line parser learned '--end-of-options' notation.
* A mechanism to affect the default setting for a (related) group of
configuration variables is introduced.
* 'git fetch' learned '--set-upstream' option to help those who first
clone from their private fork they intend to push to, add the true
upstream via 'git remote add' and then 'git fetch' from it.
* fixes and improvements to UI, workflow and features, bash completion fixes
* part of it merged upstream
* the Makefile attempted to download some documentation, banned
git 2.23.0:
* The '--base' option of 'format-patch' computed the patch-ids for
prerequisite patches in an unstable way, which has been updated
to compute in a way that is compatible with 'git patch-id
--stable'.
* The 'git log' command by default behaves as if the --mailmap
option was given.
* fixes and improvements to UI, workflow and features
git 2.22.1:
* A relative pathname given to 'git init --template=<path> <repo>'
ought to be relative to the directory 'git init' gets invoked in,
but it instead was made relative to the repository, which has been
corrected.
* 'git worktree add' used to fail when another worktree connected to
the same repository was corrupt, which has been corrected.
* 'git am -i --resolved' segfaulted after trying to see a commit as
if it were a tree, which has been corrected.
* 'git merge --squash' is designed to update the working tree and the
index without creating the commit, and this cannot be countermanded
by adding the '--commit' option; the command now refuses to work
when both options are given.
* Update to Unicode 12.1 width table.
* 'git request-pull' learned to warn when the ref we ask them to pull
from in the local repository and in the published repository are
different.
* 'git fetch' into a lazy clone forgot to fetch base objects that are
necessary to complete delta in a thin packfile, which has been
corrected.
* The URL decoding code has been updated to avoid going past the end
of the string while parsing %-<hex>-<hex> sequence.
* 'git clean' silently skipped a path when it cannot lstat() it; now
it gives a warning.
* 'git rm' to resolve a conflicted path leaked an internal message
'needs merge' before actually removing the path, which was
confusing. This has been corrected.
* Many more bugfixes and code cleanups.
- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
firewalld, see [1].
[1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html
git 2.22.0:
* The filter specification '--filter=sparse:path=<path>' used to
create a lazy/partial clone has been removed. Using a blob that is
part of the project as sparse specification is still supported with
the '--filter=sparse:oid=<blob>' option
* 'git checkout --no-overlay' can be used to trigger a new mode of
checking out paths out of the tree-ish, that allows paths that
match the pathspec that are in the current index and working tree
and are not in the tree-ish.
* Four new configuration variables {author,committer}.{name,email}
have been introduced to override user.{name,email} in more specific
cases.
* 'git branch' learned a new subcommand '--show-current'.
* The command line completion (in contrib/) has been taught to
complete more subcommand parameters.
* The completion helper code now pays attention to repository-local
configuration (when available), which allows --list-cmds to honour
a repository specific setting of completion.commands, for example.
* The list of conflicted paths shown in the editor while concluding a
conflicted merge was shown above the scissors line when the
clean-up mode is set to 'scissors', even though it was commented
out just like the list of updated paths and other information to
help the user explain the merge better.
* 'git rebase' that was reimplemented in C did not set ORIG_HEAD
correctly, which has been corrected.
* 'git worktree add' used to do a 'find an available name with stat
and then mkdir', which is race-prone. This has been fixed by using
mkdir and reacting to EEXIST in a loop.
- update git-web AppArmor profile for bash and tar usrMerge (bsc#1132350)
git 2.21.0:
* Historically, the '-m' (mainline) option can only be used for 'git
cherry-pick' and 'git revert' when working with a merge commit.
This version of Git no longer warns or errors out when working with
a single-parent commit, as long as the argument to the '-m' option
is 1 (i.e. it has only one parent, and the request is to pick or
revert relative to that first parent). Scripts that relied on the
behaviour may get broken with this change.
* Small fixes and features for fast-export and fast-import.
* The 'http.version' configuration variable can be used with recent
enough versions of cURL library to force the version of HTTP used
to talk when fetching and pushing.
* 'git push $there $src:$dst' rejects when $dst is not a fully
qualified refname and it is not clear what the end user meant.
* Update 'git multimail' from the upstream.
* A new date format '--date=human' that morphs its output depending
on how far the time is from the current time has been introduced.
'--date=auto:human' can be used to use this new format (or any
existing format) when the output is going to the pager or to the
terminal, and otherwise the default format.
- Fix worktree creation race (bsc#1114225).
git 2.20.1:
* portability fixes
* 'git help -a' did not work well when an overly long alias was
defined
* no longer squelched an error message when the run_command API
failed to run a missing command
git 2.20.0:
* 'git help -a' now gives verbose output (same as 'git help -av').
Those who want the old output may say 'git help --no-verbose -a'..
* 'git send-email' learned to grab address-looking string on any
trailer whose name ends with '-by'.
* 'git format-patch' learned new '--interdiff' and '--range-diff'
options to explain the difference between this version and the
previous attempt in the cover letter (or after the three-dashes as
a comment).
* Developer builds now use -Wunused-function compilation option.
* Fix a bug in which the same path could be registered under multiple
worktree entries if the path was missing (for instance, was removed
manually). Also, as a convenience, expand the number of cases in
which --force is applicable.
* The overly large Documentation/config.txt file have been split into
million little pieces. This potentially allows each individual piece
to be included into the manual page of the command it affects more easily.
* Malformed or crafted data in packstream can make our code attempt
to read or write past the allocated buffer and abort, instead of
reporting an error, which has been fixed.
* Fix for a long-standing bug that leaves the index file corrupt when
it shrinks during a partial commit.
* 'git merge' and 'git pull' that merges into an unborn branch used
to completely ignore '--verify-signatures', which has been
corrected.
* ...and much more features and fixes
- fix CVE-2018-19486 (bsc#1117257)
git 2.19.2:
* various bug fixes for multiple subcommands and operations
git 2.19.1:
* CVE-2018-17456: Specially crafted .gitmodules files may have
allowed arbitrary code execution when the repository is cloned
with --recurse-submodules (bsc#1110949)
git 2.19.0:
* 'git diff' compares the index and the working tree. For paths
added with intent-to-add bit, the command shows the full contents
of them as added, but the paths themselves were not marked as new
files. They are now shown as new by default.
* 'git apply' learned the '--intent-to-add' option so that an
otherwise working-tree-only application of a patch will add new
paths to the index marked with the 'intent-to-add' bit.
* 'git grep' learned the '--column' option that gives not just the
line number but the column number of the hit.
* The '-l' option in 'git branch -l' is an unfortunate short-hand for
'--create-reflog', but many users, both old and new, somehow expect
it to be something else, perhaps '--list'. This step warns when '-l'
is used as a short-hand for '--create-reflog' and warns about the
future repurposing of the it when it is used.
* The userdiff pattern for .php has been updated.
* The content-transfer-encoding of the message 'git send-email' sends
out by default was 8bit, which can cause trouble when there is an
overlong line to bust RFC 5322/2822 limit. A new option 'auto' to
automatically switch to quoted-printable when there is such a line
in the payload has been introduced and is made the default.
* 'git checkout' and 'git worktree add' learned to honor
checkout.defaultRemote when auto-vivifying a local branch out of a
remote tracking branch in a repository with multiple remotes that
have tracking branches that share the same names.
(merge 8d7b558bae ab/checkout-default-remote later to maint).
* 'git grep' learned the '--only-matching' option.
* 'git rebase --rebase-merges' mode now handles octopus merges as
well.
* Add a server-side knob to skip commits in exponential/fibbonacci
stride in an attempt to cover wider swath of history with a smaller
number of iterations, potentially accepting a larger packfile
transfer, instead of going back one commit a time during common
ancestor discovery during the 'git fetch' transaction.
(merge 42cc7485a2 jt/fetch-negotiator-skipping later to maint).
* A new configuration variable core.usereplacerefs has been added,
primarily to help server installations that want to ignore the
replace mechanism altogether.
* Teach 'git tag -s' etc. a few configuration variables (gpg.format
that can be set to 'openpgp' or 'x509', and gpg.<format>.program
that is used to specify what program to use to deal with the format)
to allow x.509 certs with CMS via 'gpgsm' to be used instead of
openpgp via 'gnupg'.
* Many more strings are prepared for l10n.
* 'git p4 submit' learns to ask its own pre-submit hook if it should
continue with submitting.
* The test performed at the receiving end of 'git push' to prevent
bad objects from entering repository can be customized via
receive.fsck.* configuration variables; we now have gained a
counterpart to do the same on the 'git fetch' side, with
fetch.fsck.* configuration variables.
* 'git pull --rebase=interactive' learned 'i' as a short-hand for
'interactive'.
* 'git instaweb' has been adjusted to run better with newer Apache on
RedHat based distros.
* 'git range-diff' is a reimplementation of 'git tbdiff' that lets us
compare individual patches in two iterations of a topic.
* The sideband code learned to optionally paint selected keywords at
the beginning of incoming lines on the receiving end.
* 'git branch --list' learned to take the default sort order from the
'branch.sort' configuration variable, just like 'git tag --list'
pays attention to 'tag.sort'.
* 'git worktree' command learned '--quiet' option to make it less
verbose.
git 2.18.0:
* improvements to rename detection logic
* When built with more recent cURL, GIT_SSL_VERSION can now
specify 'tlsv1.3' as its value.
* 'git mergetools' learned talking to guiffy.
* various other workflow improvements and fixes
* performance improvements and other developer visible fixes
Update to git 2.16.4: security fix release
git 2.17.1:
* Submodule 'names' come from the untrusted .gitmodules file, but
we blindly append them to $GIT_DIR/modules to create our on-disk
repo paths. This means you can do bad things by putting '../'
into the name. We now enforce some rules for submodule names
which will cause Git to ignore these malicious names
(CVE-2018-11235, bsc#1095219)
* It was possible to trick the code that sanity-checks paths on
NTFS into reading random piece of memory
(CVE-2018-11233, bsc#1095218)
* Support on the server side to reject pushes to repositories
that attempt to create such problematic .gitmodules file etc.
as tracked contents, to help hosting sites protect their
customers by preventing malicious contents from spreading.
git 2.17.0:
* 'diff' family of commands learned '--find-object=<object-id>' option
to limit the findings to changes that involve the named object.
* 'git format-patch' learned to give 72-cols to diffstat, which is
consistent with other line length limits the subcommand uses for
its output meant for e-mails.
* The log from 'git daemon' can be redirected with a new option; one
relevant use case is to send the log to standard error (instead of
syslog) when running it from inetd.
* 'git rebase' learned to take '--allow-empty-message' option.
* 'git am' has learned the '--quit' option, in addition to the
existing '--abort' option; having the pair mirrors a few other
commands like 'rebase' and 'cherry-pick'.
* 'git worktree add' learned to run the post-checkout hook, just like
'git clone' runs it upon the initial checkout.
* 'git tag' learned an explicit '--edit' option that allows the
message given via '-m' and '-F' to be further edited.
* 'git fetch --prune-tags' may be used as a handy short-hand for
getting rid of stale tags that are locally held.
* The new '--show-current-patch' option gives an end-user facing way
to get the diff being applied when 'git rebase' (and 'git am')
stops with a conflict.
* 'git add -p' used to offer '/' (look for a matching hunk) as a
choice, even there was only one hunk, which has been corrected.
Also the single-key help is now given only for keys that are
enabled (e.g. help for '/' won't be shown when there is only one
hunk).
* Since Git 1.7.9, 'git merge' defaulted to --no-ff (i.e. even when
the side branch being merged is a descendant of the current commit,
create a merge commit instead of fast-forwarding) when merging a
tag object. This was appropriate default for integrators who pull
signed tags from their downstream contributors, but caused an
unnecessary merges when used by downstream contributors who
habitually 'catch up' their topic branches with tagged releases
from the upstream. Update 'git merge' to default to --no-ff only
when merging a tag object that does *not* sit at its usual place in
refs/tags/ hierarchy, and allow fast-forwarding otherwise, to
mitigate the problem.
* 'git status' can spend a lot of cycles to compute the relation
between the current branch and its upstream, which can now be
disabled with '--no-ahead-behind' option.
* 'git diff' and friends learned funcname patterns for Go language
source files.
* 'git send-email' learned '--reply-to=<address>' option.
* Funcname pattern used for C# now recognizes 'async' keyword.
* In a way similar to how 'git tag' learned to honor the pager
setting only in the list mode, 'git config' learned to ignore the
pager setting when it is used for setting values (i.e. when the
purpose of the operation is not to 'show').
- Use %license instead of %doc [bsc#1082318]
git 2.16.3:
* 'git status' after moving a path in the working tree (hence
making it appear 'removed') and then adding with the -N option
(hence making that appear 'added') detected it as a rename, but
did not report the old and new pathnames correctly.
* 'git commit --fixup' did not allow '-m<message>' option to be
used at the same time; allow it to annotate resulting commit
with more text.
* When resetting the working tree files recursively, the working
tree of submodules are now also reset to match.
* Fix for a commented-out code to adjust it to a rather old API
change around object ID.
* When there are too many changed paths, 'git diff' showed a
warning message but in the middle of a line.
* The http tracing code, often used to debug connection issues,
learned to redact potentially sensitive information from its
output so that it can be more safely sharable.
* Crash fix for a corner case where an error codepath tried to
unlock what it did not acquire lock on.
* The split-index mode had a few corner case bugs fixed.
* Assorted fixes to 'git daemon'.
* Completion of 'git merge -s<strategy>' (in contrib/) did not
work well in non-C locale.
* Workaround for segfault with more recent versions of SVN.
* Recently introduced leaks in fsck have been plugged.
* Travis CI integration now builds the executable in 'script'
phase to follow the established practice, rather than during
'before_script' phase. This allows the CI categorize the
failures better ('failed' is project's fault, 'errored' is
build environment's).
- Drop superfluous xinetd snippet, no longer used (bsc#1084460)
- Build with asciidoctor for the recent distros (bsc#1075764)
- Move %{?systemd_requires} to daemon subpackage
- Create subpackage for libsecret credential helper.
git 2.16.2:
* An old regression in 'git describe --all $annotated_tag^0' has
been fixed.
* 'git svn dcommit' did not take into account the fact that a
svn+ssh:// URL with a username@ (typically used for pushing)
refers to the same SVN repository without the username@ and
failed when svn.pushmergeinfo option is set.
* 'git merge -Xours/-Xtheirs' learned to use our/their version
when resolving a conflicting updates to a symbolic link.
* 'git clone $there $here' is allowed even when here directory
exists as long as it is an empty directory, but the command
incorrectly removed it upon a failure of the operation.
* 'git stash -- <pathspec>' incorrectly blew away untracked files
in the directory that matched the pathspec, which has been
corrected.
* 'git add -p' was taught to ignore local changes to submodules
as they do not interfere with the partial addition of regular
changes anyway.
git 2.16.1:
* 'git clone' segfaulted when cloning a project that happens to
track two paths that differ only in case on a case insensitive
filesystem
git 2.16.0 (CVE-2017-15298, bsc#1063412):
* See https://raw.github.com/git/git/master/Documentation/RelNotes/2.16.0.txt
git 2.15.1:
* fix 'auto' column output
* fixes to moved lines diffing
* documentation updates
* fix use of repositories immediately under the root directory
* improve usage of libsecret
* fixes to various error conditions in git commands
- Rewrite from sysv init to systemd unit file for git-daemon
(bsc#1069803)
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (bsc#1069468)
- split off p4 to a subpackage (bsc#1067502)
- Build with the external libsha1detectcoll (bsc#1042644)
git 2.15.0:
* Use of an empty string as a pathspec element that is used for
'everything matches' is still warned and Git asks users to use a
more explicit '.' for that instead. Removal scheduled for 2.16
* Git now avoids blindly falling back to '.git' when the setup
sequence said we are _not_ in Git repository (another corner
case removed)
* 'branch --set-upstream' was retired, deprecated since 1.8
* many other improvements and updates
git 2.14.3:
* git send-email understands more cc: formats
* fixes so gitk --bisect
* git commit-tree fixed to handle -F file alike
* Prevent segfault in 'git cat-file --textconv'
* Fix function header parsing for HTML
* Various small fixes to user commands and and internal functions
git 2.14.2:
* fixes to color output
* http.{sslkey,sslCert} now interpret '~[username]/' prefix
* fixes to walking of reflogs via 'log -g' and friends
* various fixes to output correctness
* 'git push --recurse-submodules $there HEAD:$target' is now
propagated down to the submodules
* 'git clone --recurse-submodules --quiet' c$how propagates quiet
option down to submodules.
* 'git svn --localtime' correctness fixes
* 'git grep -L' and 'git grep --quiet -L' now report same exit code
* fixes to 'git apply' when converting line endings
* Various Perl scripts did not use safe_pipe_capture() instead
of backticks, leaving them susceptible to end-user input.
CVE-2017-14867 bsc#1061041
* 'git cvsserver' no longer is invoked by 'git daemon' by
default
git 2.14.1 (bsc#1052481):
* Security fix for CVE-2017-1000117: A malicious third-party can
give a crafted 'ssh://...' URL to an unsuspecting victim, and
an attempt to visit the URL can result in any program that
exists on the victim's machine being executed. Such a URL could
be placed in the .gitmodules file of a malicious project, and
an unsuspecting victim could be tricked into running
'git clone --recurse-submodules' to trigger the vulnerability.
* A 'ssh://...' URL can result in a 'ssh' command line with a
hostname that begins with a dash '-', which would cause the
'ssh' command to instead (mis)treat it as an option. This is
now prevented by forbidding such a hostname (which should not
impact any real-world usage).
* Similarly, when GIT_PROXY_COMMAND is configured, the command
is run with host and port that are parsed out from 'ssh://...'
URL; a poorly written GIT_PROXY_COMMAND could be tricked into
treating a string that begins with a dash '-' as an option.
This is now prevented by forbidding such a hostname and port
number (again, which should not impact any real-world usage).
* In the same spirit, a repository name that begins with a dash
'-' is also forbidden now.
git 2.14.0:
* Use of an empty string as a pathspec element that is used for
'everything matches' is deprecated, use '.'
* Avoid blindly falling back to '.git' when the setup sequence
indicates operation not on a Git repository
* 'indent heuristics' are now the default.
* Builds with pcre2
* Many bug fixes, improvements and updates
git 2.13.4:
* Update the character width tables.
* Fix an alias that contained an uppercase letter
* Progress meter fixes
* git gc concurrency fixes
git 2.13.3:
* various internal bug fixes
* Fix a regression to 'git rebase -i'
* Correct unaligned 32-bit access in pack-bitmap code
* Tighten error checks for invalid 'git apply' input
* The split index code did not honor core.sharedrepository setting
correctly
* Fix 'git branch --list' handling of color.branch.local
git 2.13.2:
* 'collision detecting' SHA-1 update for platform fixes
* 'git checkout --recurse-submodules' did not quite work with a
submodule that itself has submodules.
* The 'run-command' API implementation has been made more robust
against dead-locking in a threaded environment.
* 'git clean -d' now only cleans ignored files with '-x'
* 'git status --ignored' did not list ignored and untracked files
without '-uall'
* 'git pull --rebase --autostash' didn't auto-stash when the local
history fast-forwards to the upstream.
* 'git describe --contains' gives as much weight to lightweight
tags as annotated tags
* Fix 'git stash push <pathspec>' from a subdirectory
git 2.13.1:
* Setting 'log.decorate=false' in the configuration file did not
take effect in v2.13, which has been corrected.
* corrections to documentation and command help output
* garbage collection fixes
* memory leaks fixed
* receive-pack now makes sure that the push certificate records
the same set of push options used for pushing
* shell completion corrections for git stash
* fix 'git clone --config var=val' with empty strings
* internal efficiency improvements
* Update sha1 collision detection code for big-endian platforms
and platforms not supporting unaligned fetches
- Fix packaging of documentation
git 2.13.0:
* empty string as a pathspec element for 'everything matches'
is still warned, for future removal.
* deprecated argument order 'git merge <msg> HEAD <commit>...'
was removed
* default location '~/.git-credential-cache/socket' for the
socket used to communicate with the credential-cache daemon
moved to '~/.cache/git/credential/socket'.
* now avoid blindly falling back to '.git' when the setup
sequence indicated otherwise
* many workflow features, improvements and bug fixes
* add a hardened implementation of SHA1 in response to practical
collision attacks (CVE-2005-4900, bsc#1042640)
* CVE-2017-8386: On a server running git-shell as login shell to
restrict user to git commands, remote users may have been able
to have git service programs spawn an interactive pager
and thus escape the shell restrictions. (bsc#1038395)
Changes in pcre2:
- Include the libraries, development and tools packages.
git uses only libpcre2-8 so far, but this allows further
application usage of pcre2.
ImportantSUSE bug 1167890SUSE bug 1168930CVE-2020-5260 at SUSECVE-2020-5260 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for fwupdate (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for fwupdate fixes the following issues:
- Add SBAT section to EFI images (bsc#1182057)
ImportantSUSE bug 1182057cpe:/o:suse:sles-bcl:12:sp3Security update for spamassassin (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for spamassassin fixes the following issues:
- spamassassin was updated to version 3.4.5
- CVE-2019-12420: memory leak via crafted messages (bsc#1159133)
- CVE-2020-1946: security update (bsc#1184221)
ImportantSUSE bug 1159133SUSE bug 1184221CVE-2019-12420 at SUSECVE-2019-12420 at NVDCVE-2020-1946 at SUSECVE-2020-1946 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xorg-x11-server fixes the following issues:
- CVE-2021-3472: XChangeFeedbackControl Integer Underflow Privilege Escalation (bsc#1180128)
ImportantSUSE bug 1180128CVE-2021-3472 at SUSECVE-2021-3472 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for clamav (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for clamav fixes the following issues:
- CVE-2021-1252: Fix for Excel XLM parser infinite loop. (bsc#1184532)
- CVE-2021-1404: Fix for PDF parser buffer over-read; possible crash. (bsc#1184533)
- CVE-2021-1405: Fix for mail parser NULL-dereference crash. (bsc#1184534)
- Fix errors when scanning files > 4G (bsc#1181256)
- Update clamav.keyring
- Update to 0.103.2
ImportantSUSE bug 1181256SUSE bug 1184532SUSE bug 1184533SUSE bug 1184534CVE-2021-1252 at SUSECVE-2021-1252 at NVDCVE-2021-1404 at SUSECVE-2021-1404 at NVDCVE-2021-1405 at SUSECVE-2021-1405 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for qemu (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for qemu fixes the following issues:
- Fix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)
- Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383)
- Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)
- Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)
- Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)
- Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)
- Fix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174)
- Fix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916, bsc#1179468)
- Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)
- Fix null pointer deref. (DoS) in mmio ops (CVE-2020-15469, bsc#1173612)
- Fix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577)
- Fix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968)
- Fix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416)
- Fix OOB access in SLIRP ARP packet processing (CVE-2020-29130, bsc#1179467)
- Fix null pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386
- Fix OOB access in iscsi (CVE-2020-11947 bsc#1180523)
- Fix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)
- Fix buffer overflow in the XGMAC device (CVE-2020-15863, bsc#1174386)
- Fix DoS in packet processing of various emulated NICs (CVE-2020-16092 bsc#1174641)
- Fix OOB access while processing USB packets (CVE-2020-14364 bsc#1175441)
- Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425)
- Fix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137)
- Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384)
- Fix OOB access in ROM loading (CVE-2020-13765 bsc#1172478)
ImportantSUSE bug 1172383SUSE bug 1172384SUSE bug 1172385SUSE bug 1172386SUSE bug 1172478SUSE bug 1173612SUSE bug 1174386SUSE bug 1174641SUSE bug 1175441SUSE bug 1176673SUSE bug 1176682SUSE bug 1176684SUSE bug 1178174SUSE bug 1178934SUSE bug 1179467SUSE bug 1179468SUSE bug 1180523SUSE bug 1181108SUSE bug 1181639SUSE bug 1182137SUSE bug 1182425SUSE bug 1182577SUSE bug 1182968CVE-2020-11947 at SUSECVE-2020-11947 at NVDCVE-2020-12829 at SUSECVE-2020-12829 at NVDCVE-2020-13361 at SUSECVE-2020-13361 at NVDCVE-2020-13362 at SUSECVE-2020-13362 at NVDCVE-2020-13659 at SUSECVE-2020-13659 at NVDCVE-2020-13765 at SUSECVE-2020-13765 at NVDCVE-2020-14364 at SUSECVE-2020-14364 at NVDCVE-2020-15469 at SUSECVE-2020-15469 at NVDCVE-2020-15863 at SUSECVE-2020-15863 at NVDCVE-2020-16092 at SUSECVE-2020-16092 at NVDCVE-2020-25084 at SUSECVE-2020-25084 at NVDCVE-2020-25624 at SUSECVE-2020-25624 at NVDCVE-2020-25625 at SUSECVE-2020-25625 at NVDCVE-2020-25723 at SUSECVE-2020-25723 at NVDCVE-2020-27617 at SUSECVE-2020-27617 at NVDCVE-2020-28916 at SUSECVE-2020-28916 at NVDCVE-2020-29130 at SUSECVE-2020-29130 at NVDCVE-2020-29443 at SUSECVE-2020-29443 at NVDCVE-2021-20181 at SUSECVE-2021-20181 at NVDCVE-2021-20203 at SUSECVE-2021-20203 at NVDCVE-2021-20257 at SUSECVE-2021-20257 at NVDCVE-2021-3416 at SUSECVE-2021-3416 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xen fixes the following issues:
- CVE-2021-20257: xen: infinite loop issue in the e1000 NIC emulator (bsc#1182846).
- CVE-2021-27379: Fixed an issue where entries in the IOMMU were not being updated
under certain circumstances due to improper backport of XSA-321 (XSA-366, bsc#1182431).
ImportantSUSE bug 1182431SUSE bug 1182846CVE-2021-20257 at SUSECVE-2021-20257 at NVDCVE-2021-27379 at SUSECVE-2021-27379 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for sudo (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for sudo fixes the following issues:
- L3: Tenable Scan reports sudo is vulnerable to CVE-2021-3156 (bsc#1183936)
ImportantSUSE bug 1183936CVE-2021-3156 at SUSECVE-2021-3156 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
- Firefox was updated to 78.10.0 ESR (bsc#1184960)
* CVE-2021-23994: Out of bound write due to lazy initialization
* CVE-2021-23995: Use-after-free in Responsive Design Mode
* CVE-2021-23998: Secure Lock icon could have been spoofed
* CVE-2021-23961: More internal network hosts could have been probed by a malicious webpage
* CVE-2021-23999: Blob URLs may have been granted additional privileges
* CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an encoded URL
* CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead to null-reads
* CVE-2021-29946: Port blocking could be bypassed
ImportantSUSE bug 1184960CVE-2021-23961 at SUSECVE-2021-23961 at NVDCVE-2021-23994 at SUSECVE-2021-23994 at NVDCVE-2021-23995 at SUSECVE-2021-23995 at NVDCVE-2021-23998 at SUSECVE-2021-23998 at NVDCVE-2021-23999 at SUSECVE-2021-23999 at NVDCVE-2021-24002 at SUSECVE-2021-24002 at NVDCVE-2021-29945 at SUSECVE-2021-29945 at NVDCVE-2021-29946 at SUSECVE-2021-29946 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libnettle (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libnettle fixes the following issues:
- CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401, bsc#1183835).
ImportantSUSE bug 1183835SUSE bug 1184401CVE-2021-20305 at SUSECVE-2021-20305 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for gdm (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for gdm fixes the following issues:
- Avoid the signal SIGTRAP when gdm exits (bsc#1184456).
ImportantSUSE bug 1184456cpe:/o:suse:sles-bcl:12:sp3Security update for tomcat (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for tomcat fixes the following issues:
- CVE-2021-25329: Complete fix for CVE-2020-9484 (bsc#1182909)
ImportantSUSE bug 1182909CVE-2021-25329 at SUSECVE-2021-25329 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_7_0-openjdk (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_7_0-openjdk fixes the following issues:
- Update to 2.6.25 - OpenJDK 7u291 (January 2021 CPU, bsc#1181239)
* Security fixes
+ JDK-8247619: Improve Direct Buffering of Characters
* Import of OpenJDK 7 u291 build 1
+ JDK-8254177: (tz) Upgrade time-zone data to tzdata2020b
+ JDK-8254982: (tz) Upgrade time-zone data to tzdata2020c
+ JDK-8255226: (tz) Upgrade time-zone data to tzdata2020d
ModerateSUSE bug 1181239cpe:/o:suse:sles-bcl:12:sp3Security update for cups (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for cups fixes the following issues:
- CVE-2021-25317: ownership of /var/log/cups could allow privilege escalation from lp user to root via symlink attacks (bsc#1184161)
ImportantSUSE bug 1184161CVE-2021-25317 at SUSECVE-2021-25317 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for bind (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for bind fixes the following issues:
- CVE-2021-25214: Fixed a broken inbound incremental zone update (IXFR) which could have caused named to terminate unexpectedly (bsc#1185345).
- CVE-2021-25215: Fixed an assertion check which could have failed while answering queries for DNAME records that required the DNAME to be processed to resolve itself (bsc#1185345).
- CVE-2021-25216: Fixed an issue where policy negotiation can be targeted by a buffer overflow attack (bsc#1185345).
- MD5 warning message using host, dig, nslookup (bind-utils) with FIPS enabled (bsc#1181495).
ImportantSUSE bug 1181495SUSE bug 1185345CVE-2021-25214 at SUSECVE-2021-25214 at NVDCVE-2021-25215 at SUSECVE-2021-25215 at NVDCVE-2021-25216 at SUSECVE-2021-25216 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for samba (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for samba fixes the following issues:
- CVE-2021-20254: Fixed a buffer overrun in sids_to_unixids() (bsc#1184677).
- Avoid free'ing our own pointer in memcache when memcache_trim attempts to reduce cache size (bsc#1179156).
- Adjust smbcacls '--propagate-inheritance' feature to align with upstream (bsc#1178469).
ImportantSUSE bug 1178469SUSE bug 1179156SUSE bug 1184677CVE-2021-20254 at SUSECVE-2021-20254 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for avahi (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for avahi fixes the following issues:
- CVE-2021-3468: avoid infinite loop by handling HUP event in client_work (bsc#1184521).
ImportantSUSE bug 1184521CVE-2021-3468 at SUSECVE-2021-3468 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python3 fixes the following issues:
Security issues fixed:
- CVE-2020-27619: where Lib/test/multibytecodec_support calls eval() on content retrieved via HTTP. (bsc#1178009)
Other fixes:
- Make sure to close the 'import_failed.map' file after the exception
has been raised in order to avoid ResourceWarnings when the
failing import is part of a try...except block
ImportantCVE-2020-27619 at SUSECVE-2020-27619 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-BCL
The SUSE Linux Enterprise 12 SP2 LTSS kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-36312: Fixed an issue in virt/kvm/kvm_main.c that had a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure (bnc#1184509).
- CVE-2021-29650: Fixed an issue inside the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).
- CVE-2020-27673: Fixed an issue in Xen where a guest OS users could have caused a denial of service (host OS hang) via a high rate of events to dom0 (bnc#1177411, bnc#1184583).
- CVE-2021-29154: Fixed BPF JIT compilers that allowed to execute arbitrary code within the kernel context (bnc#1184391).
- CVE-2020-25673: Fixed NFC endless loops caused by repeated llcp_sock_connect() (bsc#1178181).
- CVE-2020-25672: Fixed NFC memory leak in llcp_sock_connect() (bsc#1178181).
- CVE-2020-25671: Fixed NFC refcount leak in llcp_sock_connect() (bsc#1178181).
- CVE-2020-25670: Fixed NFC refcount leak in llcp_sock_bind() (bsc#1178181).
- CVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h where a 'stall on CPU' could have occured because a retry loop continually finds the same bad inode (bnc#1184194, bnc#1184211).
- CVE-2020-36322: Fixed an issue inside the FUSE filesystem implementation where fuse_do_getattr() calls make_bad_inode() in inappropriate situations, could have caused a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bnc#1184211).
- CVE-2021-30002: Fixed a memory leak issue when a webcam device exists (bnc#1184120).
- CVE-2021-3483: Fixed a use-after-free bug in nosy_ioctl() (bsc#1184393).
- CVE-2021-20219: Fixed a denial of service vulnerability in drivers/tty/n_tty.c of the Linux kernel. In this flaw a local attacker with a normal user privilege could have delayed the loop and cause a threat to the system availability (bnc#1184397).
- CVE-2021-29265: Fixed an issue in usbip_sockfd_store in drivers/usb/usbip/stub_dev.c that allowed attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status (bnc#1184167).
- CVE-2021-29264: Fixed an issue in drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver that allowed attackers to cause a system crash because a negative fragment size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is enabled (bnc#1184168).
- CVE-2021-28972: Fixed an issue in drivers/pci/hotplug/rpadlpar_sysfs.c where the RPA PCI Hotplug driver had a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and remove_slot_store mishandle drc_name '\0' termination (bnc#1184198).
- CVE-2021-28660: Fixed rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c that allowed writing beyond the end of the ssid array (bnc#1183593).
- CVE-2020-0433: Fixed blk_mq_queue_tag_busy_iter of blk-mq-tag.c, where a possible use after free due to improper locking could have happened. This could have led to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bnc#1176720).
- CVE-2021-28038: Fixed an issue with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931 (bnc#1183022, bnc#1183069).
- CVE-2021-27365: Fixed an issue inside the iSCSI data structures that does not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bnc#1182715).
- CVE-2021-27363: Fixed an issue with a kernel pointer leak that could have been used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables (bnc#1182716).
- CVE-2021-27364: Fixed an issue in drivers/scsi/scsi_transport_iscsi.c where an unprivileged user can craft Netlink messages (bnc#1182717).
- CVE-2020-1749: Fixed a flaw inside of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality (bnc#1165629).
The following non-security bugs were fixed:
- bluetooth: eliminate the potential race condition when removing the HCI controller (bsc#1184611).
- Btrfs: add missing extents release on file extent cluster relocation error (bsc#1159483).
- btrfs: change timing for qgroup reserved space for ordered extents to fix reserved space leak (bsc#1172247).
- btrfs: Cleanup try_flush_qgroup (bsc#1182047).
- btrfs: Do not flush from btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: drop unused parameter qgroup_reserved (bsc#1182261).
- btrfs: fix qgroup data rsv leak caused by falloc failure (bsc#1182261).
- btrfs: fix qgroup_free wrong num_bytes in btrfs_subvolume_reserve_metadata (bsc#1182261).
- btrfs: Free correct amount of space in btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: inode: move qgroup reserved space release to the callers of insert_reserved_file_extent() (bsc#1172247).
- btrfs: inode: refactor the parameters of insert_reserved_file_extent() (bsc#1172247).
- btrfs: make btrfs_ordered_extent naming consistent with btrfs_file_extent_item (bsc#1172247).
- btrfs: qgroup: allow to unreserve range without releasing other ranges (bsc#1120163).
- btrfs: qgroup: Always free PREALLOC META reserve in btrfs_delalloc_release_extents() (bsc#1155179).
- btrfs: qgroup: do not commit transaction when we already hold the handle (bsc#1178634).
- btrfs: qgroup: Do not hold qgroup_ioctl_lock in btrfs_qgroup_inherit() (bsc#1165823).
- btrfs: qgroup: do not try to wait flushing if we're already holding a transaction (bsc#1179575).
- btrfs: qgroup: Fix a bug that prevents qgroup to be re-enabled after disable (bsc#1172247).
- btrfs: qgroup: fix data leak caused by race between writeback and truncate (bsc#1172247).
- btrfs: qgroup: fix qgroup meta rsv leak for subvolume operations (bsc#1177856).
- btrfs: qgroup: Fix reserved data space leak if we have multiple reserve calls (bsc#1152975).
- btrfs: qgroup: Fix the wrong target io_tree when freeing reserved data space (bsc#1152974).
- btrfs: qgroup: fix wrong qgroup metadata reserve for delayed inode (bsc#1177855).
- btrfs: qgroup: mark qgroup inconsistent if we're inherting snapshot to a new qgroup (bsc#1165823).
- btrfs: qgroup: remove ASYNC_COMMIT mechanism in favor of reserve retry-after-EDQUOT (bsc#1120163).
- btrfs: qgroup: try to flush qgroup space when we get -EDQUOT (bsc#1120163).
- btrfs: remove unused parameter from btrfs_subvolume_release_metadata (bsc#1182261).
- btrfs: tracepoints: Fix bad entry members of qgroup events (bsc#1155186).
- btrfs: tracepoints: Fix wrong parameter order for qgroup events (bsc#1155184).
- ext4: check journal inode extents more carefully (bsc#1173485).
- ext4: do not allow overlapping system zones (bsc#1173485).
- ext4: handle error of ext4_setup_system_zone() on remount (bsc#1173485).
- hv_netvsc: remove ndo_poll_controller (bsc#1185248).
- KVM: Add proper lockdep assertion in I/O bus unregister (bsc#1185555).
- KVM: Destroy I/O bus devices on unregister failure _after_ sync'ing SRCU (bsc#1185556).
- KVM: Stop looking for coalesced MMIO zones if the bus is destroyed (bsc#1185557).
- xen-netback: respect gnttab_map_refs()'s return value (bsc#1183022 XSA-367).
- Xen/gnttab: handle p2m update errors on a per-slot basis (bsc#1183022 XSA-367).
ImportantSUSE bug 1120163SUSE bug 1152974SUSE bug 1152975SUSE bug 1155179SUSE bug 1155184SUSE bug 1155186SUSE bug 1159483SUSE bug 1165629SUSE bug 1165823SUSE bug 1172247SUSE bug 1173485SUSE bug 1176720SUSE bug 1177411SUSE bug 1177855SUSE bug 1177856SUSE bug 1178181SUSE bug 1178634SUSE bug 1179575SUSE bug 1182047SUSE bug 1182261SUSE bug 1182715SUSE bug 1182716SUSE bug 1182717SUSE bug 1183022SUSE bug 1183069SUSE bug 1183593SUSE bug 1184120SUSE bug 1184167SUSE bug 1184168SUSE bug 1184194SUSE bug 1184198SUSE bug 1184208SUSE bug 1184211SUSE bug 1184391SUSE bug 1184393SUSE bug 1184397SUSE bug 1184509SUSE bug 1184583SUSE bug 1184611SUSE bug 1185248SUSE bug 1185555SUSE bug 1185556SUSE bug 1185557CVE-2020-0433 at SUSECVE-2020-0433 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDCVE-2020-25670 at SUSECVE-2020-25670 at NVDCVE-2020-25671 at SUSECVE-2020-25671 at NVDCVE-2020-25672 at SUSECVE-2020-25672 at NVDCVE-2020-25673 at SUSECVE-2020-25673 at NVDCVE-2020-27673 at SUSECVE-2020-27673 at NVDCVE-2020-36312 at SUSECVE-2020-36312 at NVDCVE-2020-36322 at SUSECVE-2020-36322 at NVDCVE-2021-20219 at SUSECVE-2021-20219 at NVDCVE-2021-27363 at SUSECVE-2021-27363 at NVDCVE-2021-27364 at SUSECVE-2021-27364 at NVDCVE-2021-27365 at SUSECVE-2021-27365 at NVDCVE-2021-28038 at SUSECVE-2021-28038 at NVDCVE-2021-28660 at SUSECVE-2021-28660 at NVDCVE-2021-28950 at SUSECVE-2021-28950 at NVDCVE-2021-28972 at SUSECVE-2021-28972 at NVDCVE-2021-29154 at SUSECVE-2021-29154 at NVDCVE-2021-29264 at SUSECVE-2021-29264 at NVDCVE-2021-29265 at SUSECVE-2021-29265 at NVDCVE-2021-29650 at SUSECVE-2021-29650 at NVDCVE-2021-30002 at SUSECVE-2021-30002 at NVDCVE-2021-3483 at SUSECVE-2021-3483 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for djvulibre (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for djvulibre fixes the following issues:
Security issues fixed:
- CVE-2021-32491 [bsc#1185900]: Integer overflow in function render() in tools/ddjvu via crafted djvu file
- CVE-2021-32492 [bsc#1185904]: Out of bounds read in function DJVU:DataPool:has_data() via crafted djvu file
- CVE-2021-32493 [bsc#1185905]: Heap buffer overflow in function DJVU:GBitmap:decode() via crafted djvu file
ImportantSUSE bug 1185900SUSE bug 1185904SUSE bug 1185905CVE-2019-18804 at SUSECVE-2019-18804 at NVDCVE-2021-32491 at SUSECVE-2021-32491 at NVDCVE-2021-32492 at SUSECVE-2021-32492 at NVDCVE-2021-32493 at SUSECVE-2021-32493 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for graphviz (Critical)SUSE Linux Enterprise Server 12 SP3-BCL
This update for graphviz fixes the following issues:
- CVE-2020-18032: Fixed possible remote code execution via buffer overflow (bsc#1185833).
CriticalSUSE bug 1185833CVE-2020-18032 at SUSECVE-2020-18032 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libxml2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libxml2 fixes the following issues:
Security issues fixed:
CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698)
- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).
ImportantSUSE bug 1185408SUSE bug 1185409SUSE bug 1185410SUSE bug 1185698CVE-2021-3516 at SUSECVE-2021-3516 at NVDCVE-2021-3517 at SUSECVE-2021-3517 at NVDCVE-2021-3518 at SUSECVE-2021-3518 at NVDCVE-2021-3537 at SUSECVE-2021-3537 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for dnsmasq (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for dnsmasq fixes the following issues:
- bsc#1177077: Fixed DNSpooq vulnerabilities
- CVE-2020-25684, CVE-2020-25685, CVE-2020-25686:
Fixed multiple Cache Poisoning attacks.
- CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687:
Fixed multiple potential Heap-based overflows when DNSSEC is
enabled.
- Retry query to other servers on receipt of SERVFAIL rcode
(bsc#1176076)
ImportantSUSE bug 1176076SUSE bug 1177077CVE-2020-25681 at SUSECVE-2020-25681 at NVDCVE-2020-25682 at SUSECVE-2020-25682 at NVDCVE-2020-25683 at SUSECVE-2020-25683 at NVDCVE-2020-25684 at SUSECVE-2020-25684 at NVDCVE-2020-25685 at SUSECVE-2020-25685 at NVDCVE-2020-25686 at SUSECVE-2020-25686 at NVDCVE-2020-25687 at SUSECVE-2020-25687 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for flac (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for flac fixes the following issues:
- CVE-2020-0499: Fixed an out-of-bounds access (bsc#1180099).
ModerateSUSE bug 1180099CVE-2020-0499 at SUSECVE-2020-0499 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for dovecot22 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for dovecot22 fixes the following issues:
- CVE-2020-24386: Fixed an issue with IMAP hibernation that allowed users to access other users' emails (bsc#1180405).
ImportantSUSE bug 1180405CVE-2020-24386 at SUSECVE-2020-24386 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for djvulibre (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for djvulibre fixes the following issues:
- CVE-2021-3500: Stack overflow in function DJVU:DjVuDocument:get_djvu_file() via crafted djvu file (bsc#1186253)
ImportantSUSE bug 1186253CVE-2021-3500 at SUSECVE-2021-3500 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for dhcp (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for dhcp fixes the following issues:
- CVE-2021-25217: A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient (bsc#1186382)
ImportantSUSE bug 1186382CVE-2021-25217 at SUSECVE-2021-25217 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libwebp (Critical)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libwebp fixes the following issues:
- CVE-2018-25010: Fixed heap-based buffer overflow in ApplyFilter() (bsc#1185685).
- CVE-2020-36330: Fixed heap-based buffer overflow in ChunkVerifyAndAssign() (bsc#1185691).
- CVE-2020-36332: Fixed extreme memory allocation when reading a file (bsc#1185674).
- CVE-2020-36329: Fixed use-after-free in EmitFancyRGB() (bsc#1185652).
- CVE-2018-25012: Fixed heap-based buffer overflow in GetLE24() (bsc#1185690).
- CVE-2018-25013: Fixed heap-based buffer overflow in ShiftBytes() (bsc#1185654).
- CVE-2020-36331: Fixed heap-based buffer overflow in ChunkAssignData() (bsc#1185686).
- CVE-2018-25009: Fixed heap-based buffer overflow in GetLE16() (bsc#1185673).
- CVE-2018-25011: Fixed fail on multiple image chunks (bsc#1186247).
CriticalSUSE bug 1185652SUSE bug 1185654SUSE bug 1185673SUSE bug 1185674SUSE bug 1185685SUSE bug 1185686SUSE bug 1185690SUSE bug 1185691SUSE bug 1186247CVE-2018-25009 at SUSECVE-2018-25009 at NVDCVE-2018-25010 at SUSECVE-2018-25010 at NVDCVE-2018-25011 at SUSECVE-2018-25011 at NVDCVE-2018-25012 at SUSECVE-2018-25012 at NVDCVE-2018-25013 at SUSECVE-2018-25013 at NVDCVE-2020-36329 at SUSECVE-2020-36329 at NVDCVE-2020-36330 at SUSECVE-2020-36330 at NVDCVE-2020-36331 at SUSECVE-2020-36331 at NVDCVE-2020-36332 at SUSECVE-2020-36332 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for polkit (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for polkit fixes the following issues:
- CVE-2021-3560: Fixed a local privilege escalation using polkit_system_bus_name_get_creds_sync() (bsc#1186497).
ImportantSUSE bug 1186497CVE-2021-3560 at SUSECVE-2021-3560 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for gstreamer-plugins-bad (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for gstreamer-plugins-bad fixes the following issues:
- CVE-2021-3185: Fixed buffer overflow in gst_h264_slice_parse_dec_ref_pic_marking (bsc#1181255).
ImportantSUSE bug 1181255CVE-2021-3185 at SUSECVE-2021-3185 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 78.11.0 ESR (bsc#1186696)
* CVE-2021-29964: Out of bounds-read when parsing a `WM_COPYDATA` message
* CVE-2021-29967: Memory safety bugs fixed in Firefox
ImportantSUSE bug 1185633SUSE bug 1186696CVE-2021-29951 at SUSECVE-2021-29951 at NVDCVE-2021-29964 at SUSECVE-2021-29964 at NVDCVE-2021-29967 at SUSECVE-2021-29967 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libX11 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libX11 fixes the following issues:
- Regression in the fix for CVE-2021-31535, causing segfaults for xforms applications like fdesign (bsc#1186643)
ImportantSUSE bug 1186643CVE-2021-31535 at SUSECVE-2021-31535 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for qemu (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for qemu fixes the following issues:
- Fix OOB access during mmio operations (CVE-2020-13754, bsc#1172382)
- Fix out-of-bounds read information disclosure in icmp6_send_echoreply (CVE-2020-10756, bsc#1172380)
- Fix out-of-bound heap buffer access via an interrupt ID field (CVE-2021-20221, bsc#1181933)
- For the record, these issues are fixed in this package already.
Most are alternate references to previously mentioned issues:
(CVE-2019-15890, bsc#1149813, CVE-2020-8608, bsc#1163019,
CVE-2020-14364, bsc#1175534, CVE-2020-25707, bsc#1178683,
CVE-2020-25723, bsc#1178935, CVE-2020-29130, bsc#1179477,
CVE-2021-20257, bsc#1182846, CVE-2021-3419, bsc#1182975,
bsc#1094725)
ImportantSUSE bug 1094725SUSE bug 1149813SUSE bug 1163019SUSE bug 1172380SUSE bug 1172382SUSE bug 1175534SUSE bug 1178683SUSE bug 1178935SUSE bug 1179477SUSE bug 1181933SUSE bug 1182846SUSE bug 1182975CVE-2019-15890 at SUSECVE-2019-15890 at NVDCVE-2020-10756 at SUSECVE-2020-10756 at NVDCVE-2020-13754 at SUSECVE-2020-13754 at NVDCVE-2020-14364 at SUSECVE-2020-14364 at NVDCVE-2020-25707 at SUSECVE-2020-25707 at NVDCVE-2020-25723 at SUSECVE-2020-25723 at NVDCVE-2020-29130 at SUSECVE-2020-29130 at NVDCVE-2020-8608 at SUSECVE-2020-8608 at NVDCVE-2021-20221 at SUSECVE-2021-20221 at NVDCVE-2021-20257 at SUSECVE-2021-20257 at NVDCVE-2021-3419 at SUSECVE-2021-3419 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_7_1-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_7_1-ibm fixes the following issues:
- Update to Java 7.1 Service Refresh 4 Fix Pack 75 [bsc#1180063, bsc#1177943]
CVE-2020-14792 CVE-2020-14797 CVE-2020-14782 CVE-2020-14781
CVE-2020-14779 CVE-2020-14798 CVE-2020-14796 CVE-2020-14803
* Class Libraries:
- Z/OS specific C function send_file is changing the file pointer position
* Security:
- Add the new oracle signer certificate
- Certificate parsing error
- JVM memory growth can be caused by the IBMPKCS11IMPL crypto provider
- Remove check for websphere signed jars
- sessionid.hashcode generates too many collisions
- The Java 8 IBM certpath provider does not honor the user
specified system property for CLR connect timeout
ModerateSUSE bug 1177943SUSE bug 1180063CVE-2020-14779 at SUSECVE-2020-14779 at NVDCVE-2020-14781 at SUSECVE-2020-14781 at NVDCVE-2020-14782 at SUSECVE-2020-14782 at NVDCVE-2020-14792 at SUSECVE-2020-14792 at NVDCVE-2020-14796 at SUSECVE-2020-14796 at NVDCVE-2020-14797 at SUSECVE-2020-14797 at NVDCVE-2020-14798 at SUSECVE-2020-14798 at NVDCVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for spice (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for spice fixes the following issues:
- CVE-2021-20201: client initiated renegotiation causing denial of service (bsc#1181686)
ImportantSUSE bug 1181686CVE-2021-20201 at SUSECVE-2021-20201 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for ucode-intel fixes the following issues:
Updated to Intel CPU Microcode 20210608 release.
- CVE-2020-24513: A domain bypass transient execution vulnerability was discovered on some Intel Atom processors that use a micro-architectural incident channel. (INTEL-SA-00465 bsc#1179833)
See also: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00465.html
- CVE-2020-24511: The IBRS feature to mitigate Spectre variant 2 transient execution side channel vulnerabilities may not fully prevent non-root (guest) branches from controlling the branch predictions of the root (host) (INTEL-SA-00464 bsc#1179836)
See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html)
- CVE-2020-24512: Fixed trivial data value cache-lines such as all-zero value cache-lines may lead to changes in cache-allocation or write-back behavior for such cache-lines (bsc#1179837 INTEL-SA-00464)
See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html)
- CVE-2020-24489: Fixed Intel VT-d device pass through potential local privilege escalation (INTEL-SA-00442 bsc#1179839)
See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00442.html
Other fixes:
- Update for functional issues. Refer to [Third Generation Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/637780)for details.
- Update for functional issues. Refer to [Second Generation Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/338848) for details.
- Update for functional issues. Refer to [Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/613537) for details.
- Update for functional issues. Refer to [Intel Xeon Processor D-1500, D-1500 NS and D-1600 NS Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-d-1500-specification-update.html) for details.
- Update for functional issues. Refer to [Intel Xeon E7-8800 and E7-4800 v3 Processor Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e7-v3-spec-update.html) for details.
- Update for functional issues. Refer to [Intel Xeon Processor E5 v3 Product Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html?wapkw=processor+spec+update+e5) for details.
- Update for functional issues. Refer to [10th Gen Intel Core Processor Families Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/10th-gen-core-families-specification-update.html) for details.
- Update for functional issues. Refer to [8th and 9th Gen Intel Core Processor Family Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/8th-gen-core-spec-update.html) for details.
- Update for functional issues. Refer to [7th Gen and 8th Gen (U Quad-Core) Intel Processor Families Specification Update](https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-spec-update.html) for details.
- Update for functional issues. Refer to [6th Gen Intel Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/332689) for details.
- Update for functional issues. Refer to [Intel Xeon E3-1200 v6 Processor Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v6-spec-update.html) for details.
- Update for functional issues. Refer to [Intel Xeon E-2100 and E-2200 Processor Family Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-e-2100-specification-update.html) for details.
- New platforms:
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| CLX-SP | A0 | 06-55-05/b7 | | 03000010 | Xeon Scalable Gen2
| ICX-SP | C0 | 06-6a-05/87 | | 0c0002f0 | Xeon Scalable Gen3
| ICX-SP | D0 | 06-6a-06/87 | | 0d0002a0 | Xeon Scalable Gen3
| SNR | B0 | 06-86-04/01 | | 0b00000f | Atom P59xxB
| SNR | B1 | 06-86-05/01 | | 0b00000f | Atom P59xxB
| TGL | B1 | 06-8c-01/80 | | 00000088 | Core Gen11 Mobile
| TGL-R | C0 | 06-8c-02/c2 | | 00000016 | Core Gen11 Mobile
| TGL-H | R0 | 06-8d-01/c2 | | 0000002c | Core Gen11 Mobile
| EHL | B1 | 06-96-01/01 | | 00000011 | Pentium J6426/N6415, Celeron J6412/J6413/N6210/N6211, Atom x6000E
| JSL | A0/A1 | 06-9c-00/01 | | 0000001d | Pentium N6000/N6005, Celeron N4500/N4505/N5100/N5105
| RKL-S | B0 | 06-a7-01/02 | | 00000040 | Core Gen11
- Updated platforms:
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000044 | 00000046 | Core Gen4 X series; Xeon E5 v3
| HSX-EX | E0 | 06-3f-04/80 | 00000016 | 00000019 | Xeon E7 v3
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000e2 | 000000ea | Core Gen6 Mobile
| SKL-U23e | K1 | 06-4e-03/c0 | 000000e2 | 000000ea | Core Gen6 Mobile
| BDX-ML | B0/M0/R0 | 06-4f-01/ef | 0b000038 | 0b00003e | Xeon E5/E7 v4; Core i7-69xx/68xx
| SKX-SP | B1 | 06-55-03/97 | 01000159 | 0100015b | Xeon Scalable
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006a0a | 02006b06 | Xeon Scalable
| SKX-D | M1 | 06-55-04/b7 | 02006a0a | 02006b06 | Xeon D-21xx
| CLX-SP | B0 | 06-55-06/bf | 04003006 | 04003102 | Xeon Scalable Gen2
| CLX-SP | B1 | 06-55-07/bf | 05003006 | 05003102 | Xeon Scalable Gen2
| CPX-SP | A1 | 06-55-0b/bf | 0700001e | 07002302 | Xeon Scalable Gen3
| BDX-DE | V2/V3 | 06-56-03/10 | 07000019 | 0700001b | Xeon D-1518/19/21/27/28/31/33/37/41/48, Pentium D1507/08/09/17/19
| BDX-DE | Y0 | 06-56-04/10 | 0f000017 | 0f000019 | Xeon D-1557/59/67/71/77/81/87
| BDX-NS | A0 | 06-56-05/10 | 0e00000f | 0e000012 | Xeon D-1513N/23/33/43/53
| APL | D0 | 06-5c-09/03 | 00000040 | 00000044 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
| APL | E0 | 06-5c-0a/03 | 0000001e | 00000020 | Atom x5-E39xx
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000e2 | 000000ea | Core Gen6; Xeon E3 v5
| DNV | B0 | 06-5f-01/01 | 0000002e | 00000034 | Atom C Series
| GLK | B0 | 06-7a-01/01 | 00000034 | 00000036 | Pentium Silver N/J5xxx, Celeron N/J4xxx
| GKL-R | R0 | 06-7a-08/01 | 00000018 | 0000001a | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| ICL-U/Y | D1 | 06-7e-05/80 | 000000a0 | 000000a6 | Core Gen10 Mobile
| LKF | B2/B3 | 06-8a-01/10 | 00000028 | 0000002a | Core w/Hybrid Technology
| AML-Y22 | H0 | 06-8e-09/10 | 000000de | 000000ea | Core Gen8 Mobile
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000de | 000000ea | Core Gen7 Mobile
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000e0 | 000000ea | Core Gen8 Mobile
| WHL-U | W0 | 06-8e-0b/d0 | 000000de | 000000ea | Core Gen8 Mobile
| AML-Y42 | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen10 Mobile
| CML-Y42 | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen10 Mobile
| WHL-U | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen8 Mobile
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000de | 000000ea | Core Gen7; Xeon E3 v6
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000de | 000000ea | Core Gen8 Desktop, Mobile, Xeon E
| CFL-S | B0 | 06-9e-0b/02 | 000000de | 000000ea | Core Gen8
| CFL-H/S | P0 | 06-9e-0c/22 | 000000de | 000000ea | Core Gen9
| CFL-H | R0 | 06-9e-0d/22 | 000000de | 000000ea | Core Gen9 Mobile
| CML-H | R1 | 06-a5-02/20 | 000000e0 | 000000ea | Core Gen10 Mobile
| CML-S62 | G1 | 06-a5-03/22 | 000000e0 | 000000ea | Core Gen10
| CML-S102 | Q0 | 06-a5-05/22 | 000000e0 | 000000ec | Core Gen10
| CML-U62 | A0 | 06-a6-00/80 | 000000e0 | 000000e8 | Core Gen10 Mobile
| CML-U62 V2 | K0 | 06-a6-01/80 | 000000e0 | 000000ea | Core Gen10 Mobile
ImportantSUSE bug 1179833SUSE bug 1179836SUSE bug 1179837SUSE bug 1179839CVE-2020-24489 at SUSECVE-2020-24489 at NVDCVE-2020-24511 at SUSECVE-2020-24511 at NVDCVE-2020-24512 at SUSECVE-2020-24512 at NVDCVE-2020-24513 at SUSECVE-2020-24513 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for caribou (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for caribou fixes the following issues:
Security issue fixed:
- CVE-2021-3567: Fixed a segfault when attempting to use shifted characters (bsc#1186617).
ImportantSUSE bug 1186617CVE-2021-3567 at SUSECVE-2021-3567 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for freeradius-server (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for freeradius-server fixes the following issues:
- Do not log passwords in logfiles (bsc#1184016)
ModerateSUSE bug 1184016cpe:/o:suse:sles-bcl:12:sp3Security update for java-1_8_0-openjdk (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_8_0-openjdk fixes the following issues:
- Update to version jdk8u292 (icedtea 3.19.0).
- CVE-2021-2161: Fixed incomplete enforcement of JAR signing disabled algorithms (bsc#1185055).
ModerateSUSE bug 1185055CVE-2021-2163 at SUSECVE-2021-2163 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for ImageMagick (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for ImageMagick fixes the following issues:
- CVE-2020-19667: Fixed a stack buffer overflow in XPM coder could result in a crash (bsc#1179103).
- CVE-2020-25664: Fixed a heap-based buffer overflow in PopShortPixel (bsc#1179202).
- CVE-2020-25665: Fixed a heap-based buffer overflow in WritePALMImage (bsc#1179208).
- CVE-2020-25666: Fixed an outside the range of representable values of type 'int' and signed integer overflow (bsc#1179212).
- CVE-2020-25674: Fixed a heap-based buffer overflow in WriteOnePNGImage (bsc#1179223).
- CVE-2020-25675: Fixed an outside the range of representable values of type 'long' and integer overflow (bsc#1179240).
- CVE-2020-25676: Fixed an outside the range of representable values of type 'long' and integer overflow at MagickCore/pixel.c (bsc#1179244).
- CVE-2020-27750: Fixed an division by zero in MagickCore/colorspace-private.h (bsc#1179260).
- CVE-2020-27751: Fixed an integer overflow in MagickCore/quantum-export.c (bsc#1179269).
- CVE-2020-27752: Fixed a heap-based buffer overflow in PopShortPixel in MagickCore/quantum-private.h (bsc#1179346).
- CVE-2020-27753: Fixed memory leaks in AcquireMagickMemory function (bsc#1179397).
- CVE-2020-27754: Fixed an outside the range of representable values of type 'long' and signed integer overflow at MagickCore/quantize.c (bsc#1179336).
- CVE-2020-27755: Fixed memory leaks in ResizeMagickMemory function in ImageMagick/MagickCore/memory.c (bsc#1179345).
- CVE-2020-27757: Fixed an outside the range of representable values of type 'unsigned long long' at MagickCore/quantum-private.h (bsc#1179268).
- CVE-2020-27759: Fixed an outside the range of representable values of type 'int' at MagickCore/quantize.c (bsc#1179313).
- CVE-2020-27760: Fixed a division by zero at MagickCore/enhance.c (bsc#1179281).
- CVE-2020-27761: Fixed an outside the range of representable values of type 'unsigned long' at coders/palm.c (bsc#1179315).
- CVE-2020-27762: Fixed an outside the range of representable values of type 'unsigned char' (bsc#1179278).
- CVE-2020-27763: Fixed a division by zero at MagickCore/resize.c (bsc#1179312).
- CVE-2020-27764: Fixed an outside the range of representable values of type 'unsigned long' at MagickCore/statistic.c (bsc#1179317).
- CVE-2020-27765: Fixed a division by zero at MagickCore/segment.c (bsc#1179311).
- CVE-2020-27766: Fixed an outside the range of representable values of type 'unsigned long' at MagickCore/statistic.c (bsc#1179361).
- CVE-2020-27767: Fixed an outside the range of representable values of type 'float' at MagickCore/quantum.h (bsc#1179322).
- CVE-2020-27768: Fixed an outside the range of representable values of type 'unsigned int' at MagickCore/quantum-private.h (bsc#1179339).
- CVE-2020-27769: Fixed an outside the range of representable values of type 'float' at MagickCore/quantize.c (bsc#1179321).
- CVE-2020-27770: Fixed an unsigned offset overflowed at MagickCore/string.c (bsc#1179343).
- CVE-2020-27771: Fixed an outside the range of representable values of type 'unsigned char' at coders/pdf.c (bsc#1179327).
- CVE-2020-27772: Fixed an outside the range of representable values of type 'unsigned int' at coders/bmp.c (bsc#1179347).
- CVE-2020-27773: Fixed a division by zero at MagickCore/gem-private.h (bsc#1179285).
- CVE-2020-27774: Fixed an integer overflow at MagickCore/statistic.c (bsc#1179333).
- CVE-2020-27775: Fixed an outside the range of representable values of type 'unsigned char' at MagickCore/quantum.h (bsc#1179338).
- CVE-2020-27776: Fixed an outside the range of representable values of type 'unsigned long' at MagickCore/statistic.c (bsc#1179362).
ImportantSUSE bug 1179103SUSE bug 1179202SUSE bug 1179208SUSE bug 1179212SUSE bug 1179223SUSE bug 1179240SUSE bug 1179244SUSE bug 1179260SUSE bug 1179268SUSE bug 1179269SUSE bug 1179278SUSE bug 1179281SUSE bug 1179285SUSE bug 1179311SUSE bug 1179312SUSE bug 1179313SUSE bug 1179315SUSE bug 1179317SUSE bug 1179321SUSE bug 1179322SUSE bug 1179327SUSE bug 1179333SUSE bug 1179336SUSE bug 1179338SUSE bug 1179339SUSE bug 1179343SUSE bug 1179345SUSE bug 1179346SUSE bug 1179347SUSE bug 1179361SUSE bug 1179362SUSE bug 1179397CVE-2020-19667 at SUSECVE-2020-19667 at NVDCVE-2020-25664 at SUSECVE-2020-25664 at NVDCVE-2020-25665 at SUSECVE-2020-25665 at NVDCVE-2020-25666 at SUSECVE-2020-25666 at NVDCVE-2020-25674 at SUSECVE-2020-25674 at NVDCVE-2020-25675 at SUSECVE-2020-25675 at NVDCVE-2020-25676 at SUSECVE-2020-25676 at NVDCVE-2020-27750 at SUSECVE-2020-27750 at NVDCVE-2020-27751 at SUSECVE-2020-27751 at NVDCVE-2020-27752 at SUSECVE-2020-27752 at NVDCVE-2020-27753 at SUSECVE-2020-27753 at NVDCVE-2020-27754 at SUSECVE-2020-27754 at NVDCVE-2020-27755 at SUSECVE-2020-27755 at NVDCVE-2020-27757 at SUSECVE-2020-27757 at NVDCVE-2020-27759 at SUSECVE-2020-27759 at NVDCVE-2020-27760 at SUSECVE-2020-27760 at NVDCVE-2020-27761 at SUSECVE-2020-27761 at NVDCVE-2020-27762 at SUSECVE-2020-27762 at NVDCVE-2020-27763 at SUSECVE-2020-27763 at NVDCVE-2020-27764 at SUSECVE-2020-27764 at NVDCVE-2020-27765 at SUSECVE-2020-27765 at NVDCVE-2020-27766 at SUSECVE-2020-27766 at NVDCVE-2020-27767 at SUSECVE-2020-27767 at NVDCVE-2020-27768 at SUSECVE-2020-27768 at NVDCVE-2020-27769 at SUSECVE-2020-27769 at NVDCVE-2020-27770 at SUSECVE-2020-27770 at NVDCVE-2020-27771 at SUSECVE-2020-27771 at NVDCVE-2020-27772 at SUSECVE-2020-27772 at NVDCVE-2020-27773 at SUSECVE-2020-27773 at NVDCVE-2020-27774 at SUSECVE-2020-27774 at NVDCVE-2020-27775 at SUSECVE-2020-27775 at NVDCVE-2020-27776 at SUSECVE-2020-27776 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.32.1:
+ Improve handling of Media Capture devices.
+ Improve WebAudio playback.
+ Improve video orientation handling.
+ Improve seeking support for MSE playback.
+ Improve flush support in EME decryptors.
+ Fix HTTP status codes for requests done through a custom URI handler.
+ Fix the Bubblewrap sandbox in certain 32-bit systems.
+ Fix inconsistencies between the WebKitWebView.is-muted property
state and values returned by
webkit_web_view_is_playing_audio().
+ Fix the build with ENABLE_VIDEO=OFF.
+ Fix wrong timestamps for long-lived cookies.
+ Fix UI process crash when failing to load favicons.
+ Fix several crashes and rendering issues.
- Including Security fixes for: CVE-2021-1788, CVE-2021-1844, CVE-2021-1871,
CVE-2020-27918, CVE-2020-29623, CVE-2021-1765, CVE-2021-1789, CVE-2021-1799,
CVE-2021-1801, CVE-2021-1870, CVE-2020-13558, CVE-2020-13584, CVE-2020-9983,
CVE-2020-13543, CVE-2020-9947, CVE-2020-9948, CVE-2020-9951.
ImportantSUSE bug 1177087SUSE bug 1179122SUSE bug 1179451SUSE bug 1182286SUSE bug 1184155SUSE bug 1184262CVE-2020-13543 at SUSECVE-2020-13543 at NVDCVE-2020-13558 at SUSECVE-2020-13558 at NVDCVE-2020-13584 at SUSECVE-2020-13584 at NVDCVE-2020-27918 at SUSECVE-2020-27918 at NVDCVE-2020-29623 at SUSECVE-2020-29623 at NVDCVE-2020-9947 at SUSECVE-2020-9947 at NVDCVE-2020-9948 at SUSECVE-2020-9948 at NVDCVE-2020-9951 at SUSECVE-2020-9951 at NVDCVE-2020-9983 at SUSECVE-2020-9983 at NVDCVE-2021-1765 at SUSECVE-2021-1765 at NVDCVE-2021-1788 at SUSECVE-2021-1788 at NVDCVE-2021-1789 at SUSECVE-2021-1789 at NVDCVE-2021-1799 at SUSECVE-2021-1799 at NVDCVE-2021-1801 at SUSECVE-2021-1801 at NVDCVE-2021-1844 at SUSECVE-2021-1844 at NVDCVE-2021-1870 at SUSECVE-2021-1870 at NVDCVE-2021-1871 at SUSECVE-2021-1871 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for apache2 fixes the following issues:
- fixed CVE-2021-30641 [bsc#1187174]: MergeSlashes regression
- fixed CVE-2021-31618 [bsc#1186924]: NULL pointer dereference on specially crafted HTTP/2 request
- fixed CVE-2020-35452 [bsc#1186922]: Single zero byte stack overflow in mod_auth_digest
- fixed CVE-2021-26690 [bsc#1186923]: mod_session NULL pointer dereference in parser
- fixed CVE-2021-26691 [bsc#1187017]: Heap overflow in mod_session
ImportantSUSE bug 1186922SUSE bug 1186923SUSE bug 1186924SUSE bug 1187017SUSE bug 1187174CVE-2020-35452 at SUSECVE-2020-35452 at NVDCVE-2021-26690 at SUSECVE-2021-26690 at NVDCVE-2021-26691 at SUSECVE-2021-26691 at NVDCVE-2021-30641 at SUSECVE-2021-30641 at NVDCVE-2021-31618 at SUSECVE-2021-31618 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xterm (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xterm fixes the following issues:
- CVE-2021-27135: Fixed buffer-overflow when clicking on selected utf8 text. (bsc#1182091)
ImportantSUSE bug 1182091CVE-2021-27135 at SUSECVE-2021-27135 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for ovmf (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for ovmf fixes the following issues:
- Fixed a possible buffer overflow in IScsiDxe (bsc#1186151)
ImportantSUSE bug 1186151cpe:/o:suse:sles-bcl:12:sp3Security update for libnettle (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libnettle fixes the following issues:
- CVE-2021-3580: Fixed a remote denial of service in the RSA decryption via manipulated ciphertext (bsc#1187060).
ImportantSUSE bug 1187060CVE-2021-3580 at SUSECVE-2021-3580 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libgcrypt (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libgcrypt fixes the following issues:
- CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212).
ImportantSUSE bug 1187212CVE-2021-33560 at SUSECVE-2021-33560 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for openexr (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for openexr fixes the following issues:
- Fixed CVE-2021-3479 [bsc#1184354]: Out-of-memory caused by allocation of a very large buffer
- Fixed CVE-2021-3605 [bsc#1187395]: Heap buffer overflow in the rleUncompress function
- Fixed CVE-2021-3598 [bsc#1187310]: Heap buffer overflow in Imf_3_1:CharPtrIO:readChars
ImportantSUSE bug 1184354SUSE bug 1187310SUSE bug 1187395CVE-2021-3479 at SUSECVE-2021-3479 at NVDCVE-2021-3598 at SUSECVE-2021-3598 at NVDCVE-2021-3605 at SUSECVE-2021-3605 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for postgresql, postgresql12, postgresql13 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for postgresql, postgresql12, postgresql13 fixes the following issues:
Initial packaging of PostgreSQL 13:
* https://www.postgresql.org/about/news/2077/
* https://www.postgresql.org/docs/13/release-13.html
Changes in postgresql:
- Bump postgresql major version to 13.
Changes in postgresql12:
- %ghost the symlinks to pg_config and ecpg. (bsc#1178961)
- BuildRequire libpq5 and libecpg6 when not building them to avoid dangling symlinks in the devel package. (bsc#1179765)
- Fix a DST problem in the test suite.
Changes in postgresql13:
- Add postgresql-icu68.patch: fix build with ICU 68
- %ghost the symlinks to pg_config and ecpg. (bsc#1178961)
- BuildRequire libpq5 and libecpg6 when not building them to avoid dangling symlinks in the devel package. (bsc#1179765)
Upgrade to version 13.1:
* CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and
materialized view queries.
* CVE-2020-25694, bsc#1178667:
a) Fix usage of complex connection-string parameters in pg_dump,
pg_restore, clusterdb, reindexdb, and vacuumdb.
b) When psql's \connect command re-uses connection parameters,
ensure that all non-overridden parameters from a previous
connection string are re-used.
* CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from
modifying specially-treated variables.
* Fix recently-added timetz test case so it works when the USA
is not observing daylight savings time.
(obsoletes postgresql-timetz.patch)
* https://www.postgresql.org/about/news/2111/
* https://www.postgresql.org/docs/13/release-13-1.html
- Fix a DST problem in the test suite.
ImportantSUSE bug 1178666SUSE bug 1178667SUSE bug 1178668SUSE bug 1178961SUSE bug 1179765CVE-2020-25694 at SUSECVE-2020-25694 at NVDCVE-2020-25695 at SUSECVE-2020-25695 at NVDCVE-2020-25696 at SUSECVE-2020-25696 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for arpwatch (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for arpwatch fixes the following issues:
- CVE-2021-25321: Fixed local privilege escalation from runtime user to root (bsc#1186240).
ImportantSUSE bug 1186240CVE-2021-25321 at SUSECVE-2021-25321 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libsolv (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libsolv fixes the following issues:
Security issues fixed:
- CVE-2019-20387: Fixed heap-buffer-overflow in repodata_schema2id (bsc#1161510)
- CVE-2021-3200: testcase_read: error out if repos are added or the system is changed too late (bsc#1186229)
Other issues fixed:
- backport support for blacklisted packages to support ptf packages and retracted patches
- fix ruleinfo of complex dependencies returning the wrong origin
- fix SOLVER_FLAG_FOCUS_BEST updateing packages without reason
- fix add_complex_recommends() selecting conflicted packages in rare cases
- fix potential segfault in resolve_jobrules
- fix solv_zchunk decoding error if large chunks are used
ImportantSUSE bug 1161510SUSE bug 1186229CVE-2019-20387 at SUSECVE-2019-20387 at NVDCVE-2021-3200 at SUSECVE-2021-3200 at NVDcpe:/o:suse:sles-bcl:12:sp3Recommended update for the Azure and AWS SDKs (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for the SLE Public Cloud module provides the following fixes:
Azure SDK update:
This update for the Azure SDK and CLI adds support for the AHB (Azure Hybrid Benefit).
(bsc#1176784, jsc#ECO-3105)
AWS SDK update:
This update for the AWS SDK updates python-boto3 to version 1.17.9 and aws-cli to 1.19.9.
(bsc#1182421, jsc#ECO-3352)
Security fix for python-urllib3:
- Improve performance of sub-authority splitting in URL. (bsc#1187045, CVE-2021-33503)
ImportantSUSE bug 1125671SUSE bug 1154393SUSE bug 1175289SUSE bug 1176784SUSE bug 1176785SUSE bug 1182421SUSE bug 1187045CVE-2021-33503 at SUSECVE-2021-33503 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for openssh (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for openssh fixes the following issues:
- CVE-2020-14145: Fixed a potential information leak during host key exchange (bsc#1173513).
ModerateSUSE bug 1173513CVE-2020-14145 at SUSECVE-2020-14145 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for sudo (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for sudo fixes the following issues:
- A Heap-based buffer overflow in sudo could be exploited to allow a user to gain root privileges
[bsc#1181090,CVE-2021-3156]
- It was possible for a user to test for the existence of a directory due to a Race Condition in `sudoedit`
[bsc#1180684,CVE-2021-23239]
- A Possible Symlink Attack vector existed in `sudoedit` if SELinux was running in permissive mode [bsc#1180685,
CVE-2021-23240]
- It was possible for a User to enable Debug Settings not Intended for them [bsc#1180687]
ImportantSUSE bug 1180684SUSE bug 1180685SUSE bug 1180687SUSE bug 1181090CVE-2021-23239 at SUSECVE-2021-23239 at NVDCVE-2021-23240 at SUSECVE-2021-23240 at NVDCVE-2021-3156 at SUSECVE-2021-3156 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 78.12.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-29 (bsc#1188275)
* CVE-2021-29970: Use-after-free in accessibility features of a document
* CVE-2021-30547: Out of bounds write in ANGLE
* CVE-2021-29976: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12
ImportantSUSE bug 1188275CVE-2021-29970 at SUSECVE-2021-29970 at NVDCVE-2021-29976 at SUSECVE-2021-29976 at NVDCVE-2021-30547 at SUSECVE-2021-30547 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.7.0 ESR (MFSA 2021-04, bsc#1181414)
* CVE-2021-23953: Fixed a Cross-origin information leakage via redirected PDF requests
* CVE-2021-23954: Fixed a type confusion when using logical assignment operators in JavaScript switch statements
* CVE-2020-26976: Fixed an issue where HTTPS pages could have been intercepted by a registered service worker when they should not have been
* CVE-2021-23960: Fixed a use-after-poison for incorrectly redeclared JavaScript variables during GC
* CVE-2021-23964: Fixed Memory safety bugs
ImportantSUSE bug 1181414CVE-2020-26976 at SUSECVE-2020-26976 at NVDCVE-2021-23953 at SUSECVE-2021-23953 at NVDCVE-2021-23954 at SUSECVE-2021-23954 at NVDCVE-2021-23960 at SUSECVE-2021-23960 at NVDCVE-2021-23964 at SUSECVE-2021-23964 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for systemd (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for systemd fixes the following issues:
Security issues fixed:
- CVE-2021-33910: Fixed a denial of service (stack exhaustion) in systemd (PID 1) (bsc#1188063)
Other fixes:
- mount-util: shorten the loop a bit (#7545)
- mount-util: do not use the official MAX_HANDLE_SZ (#7523)
- mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761)
- mount-util: fix bad indenting
- mount-util: EOVERFLOW might have other causes than buffer size issues
- mount-util: fix error propagation in fd_fdinfo_mnt_id()
- mount-util: drop exponential buffer growing in name_to_handle_at_loop()
- udev: port udev_has_devtmpfs() to use path_get_mnt_id()
- mount-util: add new path_get_mnt_id() call that queries the mnt ID of a path
- mount-util: add name_to_handle_at_loop() wrapper around name_to_handle_at()
- mount-util: accept that name_to_handle_at() might fail with EPERM (#5499)
- basic: fallback to the fstat if we don't have access to the /proc/self/fdinfo
- sysusers: use the usual comment style
- test/TEST-21-SYSUSERS: add tests for new functionality
- sysusers: allow admin/runtime overrides to command-line config
- basic/strv: add function to insert items at position
- sysusers: allow the shell to be specified
- sysusers: move various user credential validity checks to src/basic/
- man: reformat table in sysusers.d(5)
- sysusers: take configuration as positional arguments
- sysusers: emit a bit more info at debug level when locking fails
- sysusers: allow force reusing existing user/group IDs (#8037)
- sysusers: ensure GID in uid:gid syntax exists
- sysusers: make ADD_GROUP always create a group
- test: add TEST-21-SYSUSERS test
- sysuser: use OrderedHashmap
- sysusers: allow uid:gid in sysusers.conf files
- sysusers: fix memleak (#4430)
- These commits implement the option '--replace' for systemd-sysusers
so %sysusers_create_package can be introduced in SLE and packages
can rely on this rpm macro without wondering whether the macro is
available on the different target the package is submitted to.
- Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807)
- systemctl: add --value option
- execute: make sure to call into PAM after initializing resource limits (bsc#1184967)
- rlimit-util: introduce setrlimit_closest_all()
- system-conf: drop reference to ShutdownWatchdogUsec=
- core: rename ShutdownWatchdogSec to RebootWatchdogSec (bsc#1185331)
- Return -EAGAIN instead of -EALREADY from unit_reload (bsc#1185046)
- rules: don't ignore Xen virtual interfaces anymore (bsc#1178561)
- write_net_rules: set execute bits (bsc#1178561)
- udev: rework network device renaming
- Revert 'Revert 'udev: network device renaming - immediately give up if the target name isn't available''
ImportantSUSE bug 1178561SUSE bug 1184761SUSE bug 1184967SUSE bug 1185046SUSE bug 1185331SUSE bug 1185807SUSE bug 1188063CVE-2021-33910 at SUSECVE-2021-33910 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for linuxptp (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for linuxptp fixes the following issues:
- CVE-2021-3570: Validate the messageLength field of incoming messages. (bsc#1187646)
ImportantSUSE bug 1187646CVE-2021-3570 at SUSECVE-2021-3570 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-BCL
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2021-22555: Fixed an heap out-of-bounds write in net/netfilter/x_tables.c that could allow local provilege escalation. (bsc#1188116)
- CVE-2021-33909: Fixed an out-of-bounds write in the filesystem layer that allows to obtain full root privileges. (bsc#1188062)
- CVE-2021-3609: Fixed a race condition in the CAN BCM networking protocol which allows for local privilege escalation. (bsc#1187215)
- CVE-2021-0605: Fixed an out-of-bounds read which could lead to local information disclosure in the kernel with System execution privileges needed. (bsc#1187601)
- CVE-2021-0512: Fixed a possible out-of-bounds write which could lead to local escalation of privilege with no additional execution privileges needed. (bsc#1187595)
- CVE-2021-34693: Fixed a bug in net/can/bcm.c which could allow local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized. (bsc#1187452)
- CVE-2020-36385: Fixed a use-after-free flaw in ucma.c which allows for local privilege escalation. (bsc#1187050)
- CVE-2021-0129: Fixed an improper access control in BlueZ that may have allowed an authenticated user to potentially enable information disclosure via adjacent access. (bsc#1186463)
- CVE-2020-26558: Fixed a flaw in the Bluetooth LE and BR/EDR secure pairing that could permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing. (bsc#1179610)
- CVE-2020-36386: Fixed an out-of-bounds read in hci_extended_inquiry_result_evt. (bsc#1187038)
- CVE-2020-24588: Fixed a bug that could allow an adversary to abuse devices that support receiving non-SSP A-MSDU frames to inject arbitrary network packets. (bsc#1185861)
- CVE-2021-32399: Fixed a race condition in net/bluetooth/hci_request.c for removal of the HCI controller. (bsc#1184611)
- CVE-2021-33034: Fixed an issue in net/bluetooth/hci_event.c where a use-after-free leads to writing an arbitrary value. (bsc#1186111)
- CVE-2020-26139: Fixed a bug that allows an Access Point (AP) to forward EAPOL frames to other clients even though the sender has not yet successfully authenticated. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and made it easier to exploit other vulnerabilities in connected clients. (bsc#1186062)
- CVE-2021-23134: Fixed a use After Free vulnerability in nfc sockets which allows local attackers to elevate their privileges. (bsc#1186060)
- CVE-2020-24586: Fixed a bug that, under the right circumstances, allows to inject arbitrary network packets and/or exfiltrate user data when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP. (bsc#1185859)
- CVE-2020-26141: Fixed a flaw that could allows an adversary to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (bsc#1185987)
- CVE-2020-26145: Fixed a bug in the WEP, WPA, WPA2, and WPA3 implementations that could allows an adversary to inject arbitrary network packets. (bsc#1185860)
- CVE-2020-24587: Fixed a bug that allows an adversary to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (bsc#1185862)
- CVE-2020-26147: Fixed a bug in the WEP, WPA, WPA2, and WPA3 implementations that could allows an adversary to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames. (bsc#1185987)
The following non-security bugs were fixed:
- Bluetooth: SMP: Fail if remote and local public keys are identical (git-fixes).
- Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185724).
- Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185724).
- hv_netvsc: Add handlers for ethtool get/set msg level (bsc#1175462).
- hv_netvsc: avoid retry on send during shutdown (bsc#1175462).
- hv_netvsc: avoid unnecessary wakeups on subchannel creation (bsc#1175462).
- hv_netvsc: cancel subchannel setup before halting device (bsc#1175462).
- hv_netvsc: change GPAD teardown order on older versions (bsc#1175462).
- hv_netvsc: common detach logic (bsc#1175462).
- hv_netvsc: delay setup of VF device (bsc#1175462).
- hv_netvsc: disable NAPI before channel close (bsc#1175462).
- hv_netvsc: Ensure correct teardown message sequence order (bsc#1175462).
- hv_netvsc: Fix a deadlock by getting rtnl lock earlier in netvsc_probe() (bsc#1175462).
- hv_netvsc: Fix a network regression after ifdown/ifup (bsc#1175462).
- hv_netvsc: fix deadlock on hotplug (bsc#1175462).
- hv_netvsc: Fix error handling in netvsc_attach() (bsc#1175462).
- hv_netvsc: fix error unwind handling if vmbus_open fails (bsc#1175462).
- hv_netvsc: Fix extra rcu_read_unlock in netvsc_recv_callback() (bsc#1175462).
- hv_netvsc: fix handling of fallback to single queue mode (bsc#1175462).
- hv_netvsc: Fix hash key value reset after other ops (bsc#1175462).
- hv_netvsc: Fix IP header checksum for coalesced packets (bsc#1175462).
- hv_netvsc: Fix net device attach on older Windows hosts (bsc#1175462).
- hv_netvsc: fix network namespace issues with VF support (bsc#1175462).
- hv_netvsc: Fix NULL dereference at single queue mode fallback (bsc#1175462).
- hv_netvsc: fix race during initialization (bsc#1175462).
- hv_netvsc: fix race on sub channel creation (bsc#1175462).
- hv_netvsc: fix race that may miss tx queue wakeup (bsc#1175462).
- hv_netvsc: fix schedule in RCU context (bsc#1175462).
- hv_netvsc: Fix the variable sizes in ipsecv2 and rsc offload (bsc#1175462).
- hv_netvsc: Fix tx_table init in rndis_set_subchannel() (bsc#1175462).
- hv_netvsc: Fix unwanted wakeup after tx_disable (bsc#1175462).
- hv_netvsc: Fix unwanted wakeup in netvsc_attach() (bsc#1175462).
- hv_netvsc: flag software created hash value (bsc#1175462).
- hv_netvsc: netvsc_teardown_gpadl() split (bsc#1175462).
- hv_netvsc: only wake transmit queue if link is up (bsc#1175462).
- hv_netvsc: pass netvsc_device to rndis halt (bsc#1175462).
- hv_netvsc: preserve hw_features on mtu/channels/ringparam changes (bsc#1175462).
- hv_netvsc: Refactor assignments of struct netvsc_device_info (bsc#1175462).
- hv_netvsc: set master device (bsc#1175462).
- hv_netvsc: Set tx_table to equal weight after subchannels open (bsc#1175462).
- hv_netvsc: Simplify num_chn checking in rndis_filter_device_add() (bsc#1175462).
- hv_netvsc: Split netvsc_revoke_buf() and netvsc_teardown_gpadl() (bsc#1175462).
- hv_netvsc: split sub-channel setup into async and sync (bsc#1175462).
- hv_netvsc: typo in NDIS RSS parameters structure (bsc#1175462).
- hv_netvsc: use RCU to fix concurrent rx and queue changes (bsc#1175462).
- hv_netvsc: use reciprocal divide to speed up percent calculation (bsc#1175462).
- hv_netvsc: Use Windows version instead of NVSP version on GPAD teardown (bsc#1175462).
- kgraft: truncate the output from state_show() sysfs attr (bsc#1186235).
- mm, memory_hotplug: do not clear numa_node association after hot_remove (bsc#1115026).
- mm: consider __HW_POISON pages when allocating from pcp lists (bsc#1187388).
- scsi: storvsc: Enable scatterlist entry lengths > 4Kbytes (bsc#1187193).
- video: hyperv_fb: Add ratelimit on error message (bsc#1185724).
ImportantSUSE bug 1115026SUSE bug 1175462SUSE bug 1179610SUSE bug 1184611SUSE bug 1185724SUSE bug 1185859SUSE bug 1185860SUSE bug 1185861SUSE bug 1185862SUSE bug 1185863SUSE bug 1185898SUSE bug 1185987SUSE bug 1186060SUSE bug 1186062SUSE bug 1186111SUSE bug 1186235SUSE bug 1186390SUSE bug 1186463SUSE bug 1187038SUSE bug 1187050SUSE bug 1187193SUSE bug 1187215SUSE bug 1187388SUSE bug 1187452SUSE bug 1187595SUSE bug 1187601SUSE bug 1187934SUSE bug 1188062SUSE bug 1188063SUSE bug 1188116CVE-2020-24586 at SUSECVE-2020-24586 at NVDCVE-2020-24587 at SUSECVE-2020-24587 at NVDCVE-2020-24588 at SUSECVE-2020-24588 at NVDCVE-2020-26139 at SUSECVE-2020-26139 at NVDCVE-2020-26141 at SUSECVE-2020-26141 at NVDCVE-2020-26145 at SUSECVE-2020-26145 at NVDCVE-2020-26147 at SUSECVE-2020-26147 at NVDCVE-2020-26558 at SUSECVE-2020-26558 at NVDCVE-2020-36385 at SUSECVE-2020-36385 at NVDCVE-2020-36386 at SUSECVE-2020-36386 at NVDCVE-2021-0129 at SUSECVE-2021-0129 at NVDCVE-2021-0512 at SUSECVE-2021-0512 at NVDCVE-2021-0605 at SUSECVE-2021-0605 at NVDCVE-2021-22555 at SUSECVE-2021-22555 at NVDCVE-2021-23134 at SUSECVE-2021-23134 at NVDCVE-2021-32399 at SUSECVE-2021-32399 at NVDCVE-2021-33034 at SUSECVE-2021-33034 at NVDCVE-2021-33909 at SUSECVE-2021-33909 at NVDCVE-2021-34693 at SUSECVE-2021-34693 at NVDCVE-2021-3609 at SUSECVE-2021-3609 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for qemu (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for qemu fixes the following issues:
Security issues fixed:
- CVE-2021-3595: Fixed slirp: invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366)
- CVE-2021-3592: Fix for slirp: invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364)
- CVE-2021-3594: Fix for slirp: invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367)
- CVE-2021-3593: Fix for slirp: invalid pointer initialization may lead to information disclosure (udp6) (bsc#1187365)
- CVE-2021-3611: Fix intel-hda segmentation fault due to stack overflow (bsc#1187529)
ImportantSUSE bug 1187364SUSE bug 1187365SUSE bug 1187366SUSE bug 1187367SUSE bug 1187529CVE-2021-3592 at SUSECVE-2021-3592 at NVDCVE-2021-3593 at SUSECVE-2021-3593 at NVDCVE-2021-3594 at SUSECVE-2021-3594 at NVDCVE-2021-3595 at SUSECVE-2021-3595 at NVDCVE-2021-3611 at SUSECVE-2021-3611 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for dbus-1 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for dbus-1 fixes the following issues:
- CVE-2020-35512: Fixed a bug where users with the same numeric UID could lead to use-after-free and undefined behaviour. (bsc#1187105)
- CVE-2020-12049: Fixed a bug where a truncated messages lead to resource exhaustion. (bsc#1172505)
ImportantSUSE bug 1172505SUSE bug 1187105CVE-2020-12049 at SUSECVE-2020-12049 at NVDCVE-2020-35512 at SUSECVE-2020-35512 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for webkit2gtk3 fixes the following issues:
Update to version 2.32.3:
- CVE-2021-21775: Fixed a use-after-free vulnerability in the way certain events are processed for ImageLoader objects. A specially crafted web page can lead to a potential information leak and further memory corruption. A victim must be tricked into visiting a malicious web page to trigger this vulnerability. (bsc#1188697)
- CVE-2021-21779: Fixed a use-after-free vulnerability in the way that WebKit GraphicsContext handles certain events. A specially crafted web page can lead to a potential information leak and further memory corruption. A victim must be tricked into visiting a malicious web page to trigger this vulnerability. (bsc#1188697)
- CVE-2021-30663: An integer overflow was addressed with improved input validation. (bsc#1188697)
- CVE-2021-30665: A memory corruption issue was addressed with improved state management. (bsc#1188697)
- CVE-2021-30689: A logic issue was addressed with improved state management. (bsc#1188697)
- CVE-2021-30720: A logic issue was addressed with improved restrictions. (bsc#1188697)
- CVE-2021-30734: Multiple memory corruption issues were addressed with improved memory handling. (bsc#1188697)
- CVE-2021-30744: A cross-origin issue with iframe elements was addressed with improved tracking of security origins. (bsc#1188697)
- CVE-2021-30749: Multiple memory corruption issues were addressed with improved memory handling. (bsc#1188697)
- CVE-2021-30758: A type confusion issue was addressed with improved state handling. (bsc#1188697)
- CVE-2021-30795: A use after free issue was addressed with improved memory management. (bsc#1188697)
- CVE-2021-30797: This issue was addressed with improved checks. (bsc#1188697)
- CVE-2021-30799: Multiple memory corruption issues were addressed with improved memory handling. (bsc#1188697)
ImportantSUSE bug 1188697CVE-2021-21775 at SUSECVE-2021-21775 at NVDCVE-2021-21779 at SUSECVE-2021-21779 at NVDCVE-2021-30663 at SUSECVE-2021-30663 at NVDCVE-2021-30665 at SUSECVE-2021-30665 at NVDCVE-2021-30689 at SUSECVE-2021-30689 at NVDCVE-2021-30720 at SUSECVE-2021-30720 at NVDCVE-2021-30734 at SUSECVE-2021-30734 at NVDCVE-2021-30744 at SUSECVE-2021-30744 at NVDCVE-2021-30749 at SUSECVE-2021-30749 at NVDCVE-2021-30758 at SUSECVE-2021-30758 at NVDCVE-2021-30795 at SUSECVE-2021-30795 at NVDCVE-2021-30797 at SUSECVE-2021-30797 at NVDCVE-2021-30799 at SUSECVE-2021-30799 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libsndfile (Critical)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libsndfile fixes the following issues:
- CVE-2018-13139: Fixed a stack-based buffer overflow in psf_memset in common.c in libsndfile 1.0.28allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact. (bsc#1100167)
- CVE-2018-19432: Fixed a NULL pointer dereference in the function sf_write_int in sndfile.c, which will lead to a denial of service. (bsc#1116993)
- CVE-2021-3246: Fixed a heap buffer overflow vulnerability in msadpcm_decode_block. (bsc#1188540)
- CVE-2018-19758: Fixed a heap-based buffer over-read at wav.c in wav_write_header in libsndfile 1.0.28 that will cause a denial of service. (bsc#1117954)
CriticalSUSE bug 1100167SUSE bug 1116993SUSE bug 1117954SUSE bug 1188540CVE-2018-13139 at SUSECVE-2018-13139 at NVDCVE-2018-19432 at SUSECVE-2018-19432 at NVDCVE-2018-19758 at SUSECVE-2018-19758 at NVDCVE-2021-3246 at SUSECVE-2021-3246 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for djvulibre (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for djvulibre fixes the following issues:
- CVE-2021-3630: out-of-bounds write in DJVU:DjVuTXT:decode() in DjVuText.cpp (bsc#1187869)
ImportantSUSE bug 1187869CVE-2021-3630 at SUSECVE-2021-3630 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for cpio (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for cpio fixes the following issues:
It was possible to trigger Remote code execution due to a integer overflow (CVE-2021-38185, bsc#1189206)
ImportantSUSE bug 1189206CVE-2021-38185 at SUSECVE-2021-38185 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libcares2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libcares2 fixes the following issues:
- CVE-2021-3672: Fixed input validation on hostnames (bsc#1188881).
ImportantSUSE bug 1188881CVE-2021-3672 at SUSECVE-2021-3672 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 78.13.0 ESR (MFSA 2021-34, bsc#1188891):
- CVE-2021-29986: Race condition when resolving DNS names could have led to memory corruption
- CVE-2021-29988: Memory corruption as a result of incorrect style treatment
- CVE-2021-29984: Incorrect instruction reordering during JIT optimization
- CVE-2021-29980: Uninitialized memory in a canvas object could have led to memory corruption
- CVE-2021-29985: Use-after-free media channels
- CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
ImportantSUSE bug 1188891CVE-2021-29980 at SUSECVE-2021-29980 at NVDCVE-2021-29984 at SUSECVE-2021-29984 at NVDCVE-2021-29985 at SUSECVE-2021-29985 at NVDCVE-2021-29986 at SUSECVE-2021-29986 at NVDCVE-2021-29988 at SUSECVE-2021-29988 at NVDCVE-2021-29989 at SUSECVE-2021-29989 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for fetchmail (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for fetchmail fixes the following issues:
- CVE-2021-36386: DoS or information disclosure in some configurations (bsc#1188875)
- Change PASSWORDLEN from 64 to 256 [bsc#1188034]
- Set the hostname for SNI when using TLS [bsc#1182807]
- Allow --syslog option in daemon mode. (bsc#1033081)
- Set the hostname for SNI when using TLS. (bsc#1182807)
- Change PASSWORDLEN from 64 to 256 (bsc#1188034)
ModerateSUSE bug 1033081SUSE bug 1182807SUSE bug 1188034SUSE bug 1188875CVE-2021-36386 at SUSECVE-2021-36386 at NVDcpe:/o:suse:sles-bcl:12:sp3Recommended update for cpio (Critical)SUSE Linux Enterprise Server 12 SP3-BCL
This update for cpio fixes the following issues:
- A regression in the previous update could lead to crashes (bsc#1189465)
CriticalSUSE bug 1189465CVE-2021-38185 at SUSECVE-2021-38185 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_8_0-openjdk fixes the following issues:
- Update to version jdk8u302 (icedtea 3.20.0)
- CVE-2021-2341: Improve file transfers. (bsc#1188564)
- CVE-2021-2369: Better jar file validation. (bsc#1188565)
- CVE-2021-2388: Enhance compiler validation. (bsc#1188566)
- CVE-2021-2161: Less ambiguous processing. (bsc#1185056)
ImportantSUSE bug 1185056SUSE bug 1188564SUSE bug 1188565SUSE bug 1188566CVE-2021-2161 at SUSECVE-2021-2161 at NVDCVE-2021-2341 at SUSECVE-2021-2341 at NVDCVE-2021-2369 at SUSECVE-2021-2369 at NVDCVE-2021-2388 at SUSECVE-2021-2388 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for cpio (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for cpio fixes the following issues:
- A patch previously applied to remedy CVE-2021-38185 introduced a regression
that had the potential to cause a segmentation fault in cpio. [bsc#1189465]
ImportantSUSE bug 1189465CVE-2021-38185 at SUSECVE-2021-38185 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for python-PyYAML (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python-PyYAML fixes the following issues:
- Update to 5.3.1.
- CVE-2020-14343: A vulnerability was discovered in the PyYAML library,
where it was susceptible to arbitrary code execution when it processes
untrusted YAML files through the full_load method or with the FullLoader
loader. Applications that use the library to process untrusted input
may be vulnerable to this flaw. This flaw allows an attacker to
execute arbitrary code on the system by abusing the python/object/new
constructor. This flaw is due to an incomplete fix for CVE-2020-1747.
ImportantSUSE bug 1174514CVE-2020-14343 at SUSECVE-2020-14343 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for openssl (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for openssl fixes the following security issue:
- CVE-2021-3712: a bug in the code for printing certificate details could lead
to a buffer overrun that a malicious actor could exploit to crash the
application, causing a denial-of-service attack. [bsc#1189521]
ImportantSUSE bug 1189521CVE-2021-3712 at SUSECVE-2021-3712 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for unrar (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for unrar to version 5.6.1 fixes several issues.
These security issues were fixed:
- CVE-2017-12938: Prevent remote attackers to bypass a directory-traversal
protection mechanism via vectors involving a symlink to the . directory, a
symlink to the .. directory, and a regular file (bsc#1054038).
- CVE-2017-12940: Prevent out-of-bounds read in the EncodeFileName::Decode call
within the Archive::ReadHeader15 function (bsc#1054038).
- CVE-2017-12941: Prevent an out-of-bounds read in the Unpack::Unpack20
function (bsc#1054038).
- CVE-2017-12942: Prevent a buffer overflow in the Unpack::LongLZ function
(bsc#1054038).
- CVE-2017-20006: Fixed heap-based buffer overflow in Unpack:CopyString (bsc#1187974).
These non-security issues were fixed:
- Added extraction support for .LZ archives created by Lzip compressor
- Enable unpacking of files in ZIP archives compressed with XZ algorithm and
encrypted with AES
- Added support for PAX extended headers inside of TAR archive
- If RAR recovery volumes (.rev files) are present in the same folder as usual
RAR volumes, archive test command verifies .rev contents after completing
testing .rar files
- By default unrar skips symbolic links with absolute paths in link target when
extracting unless -ola command line switch is specified
- Added support for AES-NI CPU instructions
- Support for a new RAR 5.0 archiving format
- Wildcard exclusion mask for folders
- Prevent conditional jumps depending on uninitialised values (bsc#1046882)
ModerateSUSE bug 1046882SUSE bug 1054038SUSE bug 1187974CVE-2012-6706 at SUSECVE-2012-6706 at NVDCVE-2017-12938 at SUSECVE-2017-12938 at NVDCVE-2017-12940 at SUSECVE-2017-12940 at NVDCVE-2017-12941 at SUSECVE-2017-12941 at NVDCVE-2017-12942 at SUSECVE-2017-12942 at NVDCVE-2017-20006 at SUSECVE-2017-20006 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for openvswitch (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for openvswitch fixes the following issues:
- openvswitch was updated to 2.7.12
- CVE-2020-27827: Fixed a memory leak when parsing lldp packets (bsc#1181345)
A lot more minor bugs have been fixed with this openvswitch version. Please refer to the changelog of
the openvswitch.rpm file in order to obtain a list of all changes.
ImportantSUSE bug 1117483SUSE bug 1181345CVE-2020-27827 at SUSECVE-2020-27827 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for aspell (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for aspell fixes the following issues:
- CVE-2019-25051: Fixed heap-buffer-overflow in acommon:ObjStack:dup_top (bsc#1188576).
ImportantSUSE bug 1188576CVE-2019-25051 at SUSECVE-2019-25051 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for bind (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for bind fixes the following issues:
- CVE-2020-8622: A truncated TSIG response can lead to an assertion failure (bsc#1175443).
ModerateSUSE bug 1175443SUSE bug 1188888CVE-2020-8622 at SUSECVE-2020-8622 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for openexr (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for openexr fixes the following issues:
- CVE-2021-20298 [bsc#1188460]: Fixed Out-of-memory in B44Compressor
- CVE-2021-20299 [bsc#1188459]: Fixed Null-dereference READ in Imf_2_5:Header:operator
- CVE-2021-20300 [bsc#1188458]: Fixed Integer-overflow in Imf_2_5:hufUncompress
- CVE-2021-20302 [bsc#1188462]: Fixed Floating-point-exception in Imf_2_5:precalculateTileInfot
- CVE-2021-20303 [bsc#1188457]: Fixed Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer
- CVE-2021-20304 [bsc#1188461]: Fixed Undefined-shift in Imf_2_5:hufDecode
ImportantSUSE bug 1188457SUSE bug 1188458SUSE bug 1188459SUSE bug 1188460SUSE bug 1188461SUSE bug 1188462CVE-2021-20298 at SUSECVE-2021-20298 at NVDCVE-2021-20299 at SUSECVE-2021-20299 at NVDCVE-2021-20300 at SUSECVE-2021-20300 at NVDCVE-2021-20302 at SUSECVE-2021-20302 at NVDCVE-2021-20303 at SUSECVE-2021-20303 at NVDCVE-2021-20304 at SUSECVE-2021-20304 at NVDCVE-2021-3476 at SUSECVE-2021-3476 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libesmtp (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libesmtp fixes the following issues:
- CVE-2019-19977: Fix stack-based buffer over-read in ntlm/ntlmstruct.c (bsc#1160462).
ImportantSUSE bug 1160462SUSE bug 1189097CVE-2019-19977 at SUSECVE-2019-19977 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for file (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for file fixes the following issues:
- CVE-2019-18218: Fixed heap-based buffer overflow in cdf_read_property_info in cdf.c (bsc#1154661).
ImportantSUSE bug 1154661CVE-2019-18218 at SUSECVE-2019-18218 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xen fixes the following issues:
- CVE-2021-3594: slirp: invalid pointer initialization may lead to information disclosure (udp)(bsc#1187378).
- CVE-2021-3595: slirp: invalid pointer initialization may lead to information disclosure (tftp)(bsc#1187376).
- CVE-2021-28698: long running loops in grant table handling (XSA-380)(bsc#1189378).
- CVE-2021-28699: inadequate grant-v2 status frames array bounds check (XSA-382)(bsc#1189380).
- CVE-2021-20255: Fixed stack overflow via infinite recursion in eepro100 (bsc#1182654)
- CVE-2021-28690: xen: x86: TSX Async Abort protections not restored after S3 (bsc#1186434)
- CVE-2021-28692: xen: inappropriate x86 IOMMU timeout detection / handling (bsc#1186429)
- CVE-2021-28694,CVE-2021-28695,CVE-2021-28696: IOMMU page mapping issues on x86 (XSA-378)(bsc#1189373).
- CVE-2021-0089: xen: Speculative Code Store Bypass (bsc#1186433)
- CVE-2021-28697: grant table v2 status pages may remain accessible after de-allocation (XSA-379)(bsc#1189376).
- CVE-2021-3592: slirp: invalid pointer initialization may lead to information disclosure (bootp)(bsc#1187369).
- Prevent superpage allocation in the LAPIC and ACPI_INFO range (bsc#1189882).
ImportantSUSE bug 1182654SUSE bug 1186429SUSE bug 1186433SUSE bug 1186434SUSE bug 1187369SUSE bug 1187376SUSE bug 1187378SUSE bug 1189373SUSE bug 1189376SUSE bug 1189378SUSE bug 1189380SUSE bug 1189882CVE-2021-0089 at SUSECVE-2021-0089 at NVDCVE-2021-20255 at SUSECVE-2021-20255 at NVDCVE-2021-28690 at SUSECVE-2021-28690 at NVDCVE-2021-28692 at SUSECVE-2021-28692 at NVDCVE-2021-28694 at SUSECVE-2021-28694 at NVDCVE-2021-28695 at SUSECVE-2021-28695 at NVDCVE-2021-28696 at SUSECVE-2021-28696 at NVDCVE-2021-28697 at SUSECVE-2021-28697 at NVDCVE-2021-28698 at SUSECVE-2021-28698 at NVDCVE-2021-28699 at SUSECVE-2021-28699 at NVDCVE-2021-3592 at SUSECVE-2021-3592 at NVDCVE-2021-3594 at SUSECVE-2021-3594 at NVDCVE-2021-3595 at SUSECVE-2021-3595 at NVDcpe:/o:suse:sles-bcl:12:sp3Recommended update for mozilla-nspr, mozilla-nss (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for mozilla-nspr fixes the following issues:
mozilla-nspr was updated to version 4.32:
* implement new socket option PR_SockOpt_DontFrag
* support larger DNS records by increasing the default buffer
size for DNS queries
* Lock access to PRCallOnceType members in PR_CallOnce* for
thread safety bmo#1686138
* PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get
information about the operating system build version.
Mozilla NSS was updated to version 3.68:
* bmo#1713562 - Fix test leak.
* bmo#1717452 - NSS 3.68 should depend on NSPR 4.32.
* bmo#1693206 - Implement PKCS8 export of ECDSA keys.
* bmo#1712883 - DTLS 1.3 draft-43.
* bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
* bmo#1713562 - Validate ECH public names.
* bmo#1717610 - Add function to get seconds from epoch from pkix::Time.
update to NSS 3.67
* bmo#1683710 - Add a means to disable ALPN.
* bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66).
* bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja.
* bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c.
* bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte.
update to NSS 3.66
* bmo#1710716 - Remove Expired Sonera Class2 CA from NSS.
* bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority.
* bmo#1708307 - Remove Trustis FPS Root CA from NSS.
* bmo#1707097 - Add Certum Trusted Root CA to NSS.
* bmo#1707097 - Add Certum EC-384 CA to NSS.
* bmo#1703942 - Add ANF Secure Server Root CA to NSS.
* bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS.
* bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database.
* bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler.
* bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h.
* bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators.
* bmo#1709291 - Add VerifyCodeSigningCertificateChain.
update to NSS 3.65
* bmo#1709654 - Update for NetBSD configuration.
* bmo#1709750 - Disable HPKE test when fuzzing.
* bmo#1566124 - Optimize AES-GCM for ppc64le.
* bmo#1699021 - Add AES-256-GCM to HPKE.
* bmo#1698419 - ECH -10 updates.
* bmo#1692930 - Update HPKE to final version.
* bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default.
* bmo#1703936 - New coverity/cpp scanner errors.
* bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards.
* bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
* bmo#1705119 - Deadlock when using GCM and non-thread safe tokens.
update to NSS 3.64
* bmo#1705286 - Properly detect mips64.
* bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and
disable_crypto_vsx.
* bmo#1698320 - replace __builtin_cpu_supports('vsx') with
ppc_crypto_support() for clang.
* bmo#1613235 - Add POWER ChaCha20 stream cipher vector
acceleration.
Fixed in 3.63
* bmo#1697380 - Make a clang-format run on top of helpful contributions.
* bmo#1683520 - ECCKiila P384, change syntax of nested structs
initialization to prevent build isses with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual
scalar multiplication.
* bmo#1683520 - ECCKiila P521, change syntax of nested structs
initialization to prevent build isses with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual
scalar multiplication.
* bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683.
* bmo#1694214 - tstclnt can't enable middlebox compat mode.
* bmo#1694392 - NSS does not work with PKCS #11 modules not supporting
profiles.
* bmo#1685880 - Minor fix to prevent unused variable on early return.
* bmo#1685880 - Fix for the gcc compiler version 7 to support setenv
with nss build.
* bmo#1693217 - Increase nssckbi.h version number for March 2021 batch
of root CA changes, CA list version 2.48.
* bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's
'Chambers of Commerce' and 'Global Chambersign' roots.
* bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER.
* bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS.
* bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS.
* bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs
from NSS.
* bmo#1687822 - Turn off Websites trust bit for the “Staat der
Nederlanden Root CA - G3” root cert in NSS.
* bmo#1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce
Root - 2008' and 'Global Chambersign Root - 2008’.
* bmo#1694291 - Tracing fixes for ECH.
update to NSS 3.62
* bmo#1688374 - Fix parallel build NSS-3.61 with make
* bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add()
can corrupt 'cachedCertTable'
* bmo#1690583 - Fix CH padding extension size calculation
* bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail
* bmo#1690421 - Install packaged libabigail in docker-builds image
* bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing
* bmo#1674819 - Fixup a51fae403328, enum type may be signed
* bmo#1681585 - Add ECH support to selfserv
* bmo#1681585 - Update ECH to Draft-09
* bmo#1678398 - Add Export/Import functions for HPKE context
* bmo#1678398 - Update HPKE to draft-07
update to NSS 3.61
* bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key
values under certain conditions.
* bmo#1684300 - Fix default PBE iteration count when NSS is compiled
with NSS_DISABLE_DBM.
* bmo#1651411 - Improve constant-timeness in RSA operations.
* bmo#1677207 - Upgrade Google Test version to latest release.
* bmo#1654332 - Add aarch64-make target to nss-try.
Update to NSS 3.60.1:
Notable changes in NSS 3.60:
* TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support
has been added, replacing the previous ESNI (draft-ietf-tls-esni-01)
implementation. See bmo#1654332 for more information.
* December 2020 batch of Root CA changes, builtins library updated
to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769
for more information.
Update to NSS 3.59.1:
* bmo#1679290 - Fix potential deadlock with certain third-party
PKCS11 modules
Update to NSS 3.59:
Notable changes:
* Exported two existing functions from libnss:
CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData
Bugfixes
* bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
* bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
* bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
* bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
* bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed
root certs when SHA1 signatures are disabled.
* bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to
solve some test intermittents
* bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in
our CVE-2020-25648 fix that broke purple-discord
(boo#1179382)
* bmo#1666891 - Support key wrap/unwrap with RSA-OAEP
* bmo#1667989 - Fix gyp linking on Solaris
* bmo#1668123 - Export CERT_AddCertToListHeadWithData and
CERT_AddCertToListTailWithData from libnss
* bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
* bmo#1663091 - Remove unnecessary assertions in the streaming
ASN.1 decoder that affected decoding certain PKCS8
private keys when using NSS debug builds
* bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.
update to NSS 3.58
Bugs fixed:
* bmo#1641480 (CVE-2020-25648)
Tighten CCS handling for middlebox compatibility mode.
* bmo#1631890 - Add support for Hybrid Public Key Encryption
(draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello
(draft-ietf-tls-esni).
* bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto
extensions.
* bmo#1668328 - Handle spaces in the Python path name when using
gyp on Windows.
* bmo#1667153 - Add PK11_ImportDataKey for data object import.
* bmo#1665715 - Pass the embedded SCT list extension (if present)
to TrustDomain::CheckRevocation instead of the notBefore value.
update to NSS 3.57
* The following CA certificates were Added:
bmo#1663049 - CN=Trustwave Global Certification Authority
SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority
SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority
SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
* The following CA certificates were Removed:
bmo#1651211 - CN=EE Certification Centre Root CA
SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76
bmo#1656077 - O=Government Root Certification Authority; C=TW
SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
* Trust settings for the following CA certificates were Modified:
bmo#1653092 - CN=OISTE WISeKey Global Root GA CA
Websites (server authentication) trust bit removed.
* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes
update to NSS 3.56
Notable changes
* bmo#1650702 - Support SHA-1 HW acceleration on ARMv8
* bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS.
* bmo#1654142 - Add CPU feature detection for Intel SHA extension.
* bmo#1648822 - Add stricter validation of DH keys in FIPS mode.
* bmo#1656986 - Properly detect arm64 during GYP build architecture
detection.
* bmo#1652729 - Add build flag to disable RC2 and relocate to
lib/freebl/deprecated.
* bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay.
* bmo#1588941 - Send empty certificate message when scheme selection
fails.
* bmo#1652032 - Fix failure to build in Windows arm64 makefile
cross-compilation.
* bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent.
* bmo#1653975 - Fix 3.53 regression by setting 'all' as the default
makefile target.
* bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert.
* bmo#1659814 - Fix interop.sh failures with newer tls-interop
commit and dependencies.
* bmo#1656519 - NSPR dependency updated to 4.28
update to NSS 3.55
Notable changes
* P384 and P521 elliptic curve implementations are replaced with
verifiable implementations from Fiat-Crypto [0] and ECCKiila [1].
* PK11_FindCertInSlot is added. With this function, a given slot
can be queried with a DER-Encoded certificate, providing performance
and usability improvements over other mechanisms. (bmo#1649633)
* DTLS 1.3 implementation is updated to draft-38. (bmo#1647752)
Relevant Bugfixes
* bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and
P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila.
* bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature.
* bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding.
* bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part
ChaCha20 (which was not functioning correctly) and more strictly
enforce tag length.
* bmo#1649648 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649316 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649322 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1653202 - Fix initialization bug in blapitest when compiled
with NSS_DISABLE_DEPRECATED_SEED.
* bmo#1646594 - Fix AVX2 detection in makefile builds.
* bmo#1649633 - Add PK11_FindCertInSlot to search a given slot
for a DER-encoded certificate.
* bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo.
* bmo#1647752 - Update DTLS 1.3 implementation to draft-38.
* bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI.
* bmo#1649226 - Add Wycheproof ECDSA tests.
* bmo#1637222 - Consistently enforce IV requirements for DES and 3DES.
* bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in
RSA_CheckSignRecover.
* bmo#1646324 - Advertise PKCS#1 schemes for certificates in the
signature_algorithms extension.
update to NSS 3.54
Notable changes
* Support for TLS 1.3 external pre-shared keys (bmo#1603042).
* Use ARM Cryptography Extension for SHA256, when available
(bmo#1528113)
* The following CA certificates were Added:
bmo#1645186 - certSIGN Root CA G2.
bmo#1645174 - e-Szigno Root CA 2017.
bmo#1641716 - Microsoft ECC Root Certificate Authority 2017.
bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
* The following CA certificates were Removed:
bmo#1645199 - AddTrust Class 1 CA Root.
bmo#1645199 - AddTrust External CA Root.
bmo#1641718 - LuxTrust Global Root 2.
bmo#1639987 - Staat der Nederlanden Root CA - G2.
bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4.
bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4.
bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.
* A number of certificates had their Email trust bit disabled.
See bmo#1618402 for a complete list.
Bugs fixed
* bmo#1528113 - Use ARM Cryptography Extension for SHA256.
* bmo#1603042 - Add TLS 1.3 external PSK support.
* bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
* bmo#1645186 - Add 'certSIGN Root CA G2' root certificate.
* bmo#1645174 - Add Microsec's 'e-Szigno Root CA 2017' root certificate.
* bmo#1641716 - Add Microsoft's non-EV root certificates.
* bmo1621151 - Disable email trust bit for 'O=Government
Root Certification Authority; C=TW' root.
* bmo#1645199 - Remove AddTrust root certificates.
* bmo#1641718 - Remove 'LuxTrust Global Root 2' root certificate.
* bmo#1639987 - Remove 'Staat der Nederlanden Root CA - G2' root
certificate.
* bmo#1618402 - Remove Symantec root certificates and disable email trust
bit.
* bmo#1640516 - NSS 3.54 should depend on NSPR 4.26.
* bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c.
* bmo#1642153 - Fix infinite recursion building NSS.
* bmo#1642638 - Fix fuzzing assertion crash.
* bmo#1642871 - Enable SSL_SendSessionTicket after resumption.
* bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs.
* bmo#1643557 - Fix numerous compile warnings in NSS.
* bmo#1644774 - SSL gtests to use ClearServerCache when resetting
self-encrypt keys.
* bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c.
* bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding.
ModerateSUSE bug 1029961SUSE bug 1174697SUSE bug 1176206SUSE bug 1176934SUSE bug 1179382SUSE bug 1188891CVE-2020-12400 at SUSECVE-2020-12400 at NVDCVE-2020-12401 at SUSECVE-2020-12401 at NVDCVE-2020-12403 at SUSECVE-2020-12403 at NVDCVE-2020-25648 at SUSECVE-2020-25648 at NVDCVE-2020-6829 at SUSECVE-2020-6829 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for transfig (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for transfig fixes the following issues:
Update to version 3.2.8, including fixes for
- CVE-2021-3561: overflow in fig2dev/read.c in function read_colordef() (bsc#1186329).
- CVE-2020-21683: Fixed buffer overflow in the shade_or_tint_name_after_declare_color in genpstricks.c (bsc#1189325).
- CVE-2020-21682: Fixed buffer overflow in the set_fill component in genge.c (bsc#1189346).
- CVE-2020-21681: Fixed buffer overflow in the set_color component in genge.c (bsc#1189345).
- CVE-2020-21680: Fixed stack-based buffer overflow in the put_arrow() component in genpict2e.c (bsc#1189343).
- CVE-2019-19797: out-of-bounds write in read_colordef in read.c (bsc#1159293).
- CVE-2019-19555: stack-based buffer overflow because of an incorrect sscanf (bsc#1161698).
- CVE-2019-19746: segmentation fault and out-of-bounds write because of an integer overflow via a large arrow type (bsc#1159130).
ModerateSUSE bug 1136882SUSE bug 1159130SUSE bug 1159293SUSE bug 1161698SUSE bug 1186329SUSE bug 1189325SUSE bug 1189343SUSE bug 1189345SUSE bug 1189346CVE-2019-19555 at SUSECVE-2019-19555 at NVDCVE-2019-19746 at SUSECVE-2019-19746 at NVDCVE-2019-19797 at SUSECVE-2019-19797 at NVDCVE-2020-21680 at SUSECVE-2020-21680 at NVDCVE-2020-21681 at SUSECVE-2020-21681 at NVDCVE-2020-21682 at SUSECVE-2020-21682 at NVDCVE-2020-21683 at SUSECVE-2020-21683 at NVDCVE-2021-3561 at SUSECVE-2021-3561 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for gtk-vnc (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for gtk-vnc fixes the following issues:
- CVE-2017-5885: Correctly validate color map range indexes (bsc#1024268).
- CVE-2017-5884: Fix bounds checking for RRE, hextile & copyrect encodings (bsc#1024266).
- Fix crash when opening connection from a GSocketAddress (bsc#1046782).
- Fix possible crash on connection failure (bsc#1188292).
ModerateSUSE bug 1024266SUSE bug 1024268SUSE bug 1046782SUSE bug 1188292CVE-2017-5884 at SUSECVE-2017-5884 at NVDCVE-2017-5885 at SUSECVE-2017-5885 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for openssl (Low)SUSE Linux Enterprise Server 12 SP3-BCL
This update for openssl fixes the following issues:
- CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712.
Read buffer overruns processing ASN.1 strings (bsc#1189521).
LowSUSE bug 1189521CVE-2021-3712 at SUSECVE-2021-3712 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for ghostscript (Critical)SUSE Linux Enterprise Server 12 SP3-BCL
This update for ghostscript fixes the following issues:
- CVE-2021-3781: Fixed a trivial -dSAFER bypass command injection (bsc#1190381)
CriticalSUSE bug 1190381CVE-2021-3781 at SUSECVE-2021-3781 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
This update contains the Firefox Extended Support Release 91.1.0 ESR.
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-40 (bsc#1190269, bsc#1190274):
* CVE-2021-38492: Navigating to `mk:` URL scheme could load Internet Explorer
* CVE-2021-38495: Memory safety bugs fixed in Firefox 92 and Firefox ESR 91.1
Firefox 91.0.1esr ESR
* Fixed: Fixed an issue causing buttons on the tab bar to be
resized when loading certain websites (bug 1704404)
* Fixed: Fixed an issue which caused tabs from private windows
to be visible in non-private windows when viewing switch-to-
tab results in the address bar panel (bug 1720369)
* Fixed: Various stability fixes
* Fixed: Security fix MFSA 2021-37 (bsc#1189547)
* CVE-2021-29991 (bmo#1724896)
Header Splitting possible with HTTP/3 Responses
Firefox Extended Support Release 91.0 ESR
* New: Some of the highlights of the new Extended Support Release are:
- A number of user interface changes. For more information,
see the Firefox 89 release notes.
- Firefox now supports logging into Microsoft, work, and
school accounts using Windows single sign-on. Learn more
- On Windows, updates can now be applied in the background
while Firefox is not running.
- Firefox for Windows now offers a new page about:third-party
to help identify compatibility issues caused by third-party
applications
- Version 2 of Firefox's SmartBlock feature further improves
private browsing. Third party Facebook scripts are blocked to
prevent you from being tracked, but are now automatically
loaded 'just in time' if you decide to 'Log in with Facebook'
on any website.
- Enhanced the privacy of the Firefox Browser's Private
Browsing mode with Total Cookie Protection, which confines
cookies to the site where they were created, preventing
companis from using cookies to track your browsing across
sites. This feature was originally launched in Firefox's ETP
Strict mode.
- PDF forms now support JavaScript embedded in PDF files.
Some PDF forms use JavaScript for validation and other
interactive features.
- You'll encounter less website breakage in Private Browsing
and Strict Enhanced Tracking Protection with SmartBlock,
which provides stand-in scripts so that websites load
properly.
- Improved Print functionality with a cleaner design and
better integration with your computer's printer settings.
- Firefox now protects you from supercookies, a type of
tracker that can stay hidden in your browser and track you
online, even after you clear cookies. By isolating
supercookies, Firefox prevents them from tracking your web
browsing from one site to the next.
- Firefox now remembers your preferred location for saved
bookmarks, displays the bookmarks toolbar by default on new
tabs, and gives you easy access to all of your bookmarks via
a toolbar folder.
- Native support for macOS devices built with Apple Silicon
CPUs brings dramatic performance improvements over the non-
native build that was shipped in Firefox 83: Firefox launches
over 2.5 times faster and web apps are now twice as
responsive (per the SpeedoMeter 2.0 test). If you are on a
new Apple device, follow these steps to upgrade to the latest
Firefox.
- Pinch zooming will now be supported for our users with
Windows touchscreen devices and touchpads on Mac devices.
Firefox users may now use pinch to zoom on touch-capable
devices to zoom in and out of webpages.
- We’ve improved functionality and design for a number of
Firefox search features:
* Selecting a search engine at the bottom of the search
panel now enters search mode for that engine, allowing you to
see suggestions (if available) for your search terms. The old
behavior (immediately performing a search) is available with
a shift-click.
* When Firefox autocompletes the URL of one of your search
engines, you can now search with that engine directly in the
address bar by selecting the shortcut in the address bar
results.
* We’ve added buttons at the bottom of the search panel to
allow you to search your bookmarks, open tabs, and history.
- Firefox supports AcroForm, which will allow you to fill in,
print, and save supported PDF forms and the PDF viewer also
has a new fresh look.
- For our users in the US and Canada, Firefox can now save,
manage, and auto-fill credit card information for you, making
shopping on Firefox ever more convenient.
- In addition to our default, dark and light themes, with
this release, Firefox introduces the Alpenglow theme: a
colorful appearance for buttons, menus, and windows. You can
update your Firefox themes under settings or preferences.
* Changed: Firefox no longer supports Adobe Flash. There is no
setting available to re-enable Flash support.
* Enterprise: Various bug fixes and new policies have been
implemented in the latest version of Firefox. See more
details in the Firefox for Enterprise 91 Release Notes.
MFSA 2021-33 (bsc#1188891):
* CVE-2021-29986: Race condition when resolving DNS names could have led to
memory corruption
* CVE-2021-29981: Live range splitting could have led to conflicting
assignments in the JIT
* CVE-2021-29988: Memory corruption as a result of incorrect style treatment
* CVE-2021-29983: Firefox for Android could get stuck in fullscreen mode
* CVE-2021-29984: Incorrect instruction reordering during JIT optimization
* CVE-2021-29980: Uninitialized memory in a canvas object could have led to
memory corruption
* CVE-2021-29987: Users could have been tricked into accepting unwanted
permissions on Linux
* CVE-2021-29985: Use-after-free media channels
* CVE-2021-29982: Single bit data leak due to incorrect JIT optimization and
type confusion
* CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
* CVE-2021-29990: Memory safety bugs fixed in Firefox 91
ImportantSUSE bug 1188891SUSE bug 1189547SUSE bug 1190269SUSE bug 1190274CVE-2021-29980 at SUSECVE-2021-29980 at NVDCVE-2021-29981 at SUSECVE-2021-29981 at NVDCVE-2021-29982 at SUSECVE-2021-29982 at NVDCVE-2021-29983 at SUSECVE-2021-29983 at NVDCVE-2021-29984 at SUSECVE-2021-29984 at NVDCVE-2021-29985 at SUSECVE-2021-29985 at NVDCVE-2021-29986 at SUSECVE-2021-29986 at NVDCVE-2021-29987 at SUSECVE-2021-29987 at NVDCVE-2021-29988 at SUSECVE-2021-29988 at NVDCVE-2021-29989 at SUSECVE-2021-29989 at NVDCVE-2021-29990 at SUSECVE-2021-29990 at NVDCVE-2021-29991 at SUSECVE-2021-29991 at NVDCVE-2021-38492 at SUSECVE-2021-38492 at NVDCVE-2021-38495 at SUSECVE-2021-38495 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_8_0-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 6 Fix Pack 20 [bsc#1180063,bsc#1177943]
CVE-2020-14792 CVE-2020-14797 CVE-2020-14781 CVE-2020-14779
CVE-2020-14798 CVE-2020-14796 CVE-2020-14803
* Class libraries:
- SOCKETADAPTOR$SOCKETINPUTSTREAM.READ is blocking for more time
that the set timeout
- Z/OS specific C function send_file is changing the file pointer
position
* Java Virtual Machine:
- Crash on iterate java stack
- Java process hang on SIGTERM
* JIT Compiler:
- JMS performance regression from JDK8 SR5 FP40 TO FP41
* Class Libraries:
- z15 high utilization following Z/VM and Linux migration from
z14 To z15
* Java Virtual Machine:
- Assertion failed when trying to write a class file
- Assertion failure at modronapi.cpp
- Improve the performance of defining and finding classes
* JIT Compiler:
- An assert in ppcbinaryencoding.cpp may trigger when running
with traps disabled on power
- AOT field offset off by n bytes
- Segmentation fault in jit module on ibm z platform ModerateSUSE bug 1177943SUSE bug 1180063CVE-2020-14779 at SUSECVE-2020-14779 at NVDCVE-2020-14781 at SUSECVE-2020-14781 at NVDCVE-2020-14792 at SUSECVE-2020-14792 at NVDCVE-2020-14796 at SUSECVE-2020-14796 at NVDCVE-2020-14797 at SUSECVE-2020-14797 at NVDCVE-2020-14798 at SUSECVE-2020-14798 at NVDCVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xen fixes the following issues:
- CVE-2021-28701: Fixed race condition in XENMAPSPACE_grant_table handling (XSA-384) (bsc#1189632).
- Integrate bugfixes (bsc#1189373, bsc#1189378).
ImportantSUSE bug 1189373SUSE bug 1189378SUSE bug 1189632CVE-2021-28701 at SUSECVE-2021-28701 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for sqlite3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for sqlite3 fixes the following issues:
sqlite3 is sync version 3.36.0 from Factory (jsc#SLE-16032).
The following CVEs have been fixed in upstream releases up to
this point, but were not mentioned in the change log so far:
* bsc#1173641, CVE-2020-15358: heap-based buffer overflow in
multiSelectOrderBy due to mishandling of query-flattener
optimization
* bsc#1164719, CVE-2020-9327: NULL pointer dereference and
segmentation fault because of generated column optimizations in
isAuxiliaryVtabOperator
* bsc#1160439, CVE-2019-20218: selectExpander in select.c proceeds
with WITH stack unwinding even after a parsing error
* bsc#1160438, CVE-2019-19959: memory-management error via
ext/misc/zipfile.c involving embedded '\0' input
* bsc#1160309, CVE-2019-19923: improper handling of certain uses
of SELECT DISTINCT in flattenSubquery may lead to null pointer
dereference
* bsc#1159850, CVE-2019-19924: improper error handling in
sqlite3WindowRewrite()
* bsc#1159847, CVE-2019-19925: improper handling of NULL pathname
during an update of a ZIP archive
* bsc#1159715, CVE-2019-19926: improper handling of certain
errors during parsing multiSelect in select.c
* bsc#1159491, CVE-2019-19880: exprListAppendList in window.c
allows attackers to trigger an invalid pointer dereference
* bsc#1158960, CVE-2019-19603: during handling of CREATE TABLE
and CREATE VIEW statements, does not consider confusion with
a shadow table name
* bsc#1158959, CVE-2019-19646: pragma.c mishandles NOT NULL in an
integrity_check PRAGMA command in certain cases of generated
columns
* bsc#1158958, CVE-2019-19645: alter.c allows attackers to trigger
infinite recursion via certain types of self-referential views
in conjunction with ALTER TABLE statements
* bsc#1158812, CVE-2019-19317: lookupName in resolve.c omits bits
from the colUsed bitmask in the case of a generated column,
which allows attackers to cause a denial of service
* bsc#1157818, CVE-2019-19244: sqlite3,sqlite2,sqlite: The
function sqlite3Select in select.c allows a crash if a
sub-select uses both DISTINCT and window functions, and also
has certain ORDER BY usage
* bsc#928701, CVE-2015-3415: sqlite3VdbeExec comparison operator
vulnerability
* bsc#928700, CVE-2015-3414: sqlite3,sqlite2: dequoting of
collation-sequence names
* CVE-2020-13434 bsc#1172115: integer overflow in
sqlite3_str_vappendf
* CVE-2020-13630 bsc#1172234: use-after-free in fts3EvalNextRow
* CVE-2020-13631 bsc#1172236: virtual table allowed to be renamed
to one of its shadow tables
* CVE-2020-13632 bsc#1172240: NULL pointer dereference via
crafted matchinfo() query
* CVE-2020-13435: Malicious SQL statements could have crashed the
process that is running SQLite (bsc#1172091)
ImportantSUSE bug 1157818SUSE bug 1158812SUSE bug 1158958SUSE bug 1158959SUSE bug 1158960SUSE bug 1159491SUSE bug 1159715SUSE bug 1159847SUSE bug 1159850SUSE bug 1160309SUSE bug 1160438SUSE bug 1160439SUSE bug 1164719SUSE bug 1172091SUSE bug 1172115SUSE bug 1172234SUSE bug 1172236SUSE bug 1172240SUSE bug 1173641SUSE bug 928700SUSE bug 928701CVE-2015-3414 at SUSECVE-2015-3414 at NVDCVE-2015-3415 at SUSECVE-2015-3415 at NVDCVE-2016-6153 at SUSECVE-2016-6153 at NVDCVE-2017-10989 at SUSECVE-2017-10989 at NVDCVE-2017-2518 at SUSECVE-2017-2518 at NVDCVE-2018-20346 at SUSECVE-2018-20346 at NVDCVE-2018-8740 at SUSECVE-2018-8740 at NVDCVE-2019-16168 at SUSECVE-2019-16168 at NVDCVE-2019-19244 at SUSECVE-2019-19244 at NVDCVE-2019-19317 at SUSECVE-2019-19317 at NVDCVE-2019-19603 at SUSECVE-2019-19603 at NVDCVE-2019-19645 at SUSECVE-2019-19645 at NVDCVE-2019-19646 at SUSECVE-2019-19646 at NVDCVE-2019-19880 at SUSECVE-2019-19880 at NVDCVE-2019-19923 at SUSECVE-2019-19923 at NVDCVE-2019-19924 at SUSECVE-2019-19924 at NVDCVE-2019-19925 at SUSECVE-2019-19925 at NVDCVE-2019-19926 at SUSECVE-2019-19926 at NVDCVE-2019-19959 at SUSECVE-2019-19959 at NVDCVE-2019-20218 at SUSECVE-2019-20218 at NVDCVE-2019-8457 at SUSECVE-2019-8457 at NVDCVE-2020-13434 at SUSECVE-2020-13434 at NVDCVE-2020-13435 at SUSECVE-2020-13435 at NVDCVE-2020-13630 at SUSECVE-2020-13630 at NVDCVE-2020-13631 at SUSECVE-2020-13631 at NVDCVE-2020-13632 at SUSECVE-2020-13632 at NVDCVE-2020-15358 at SUSECVE-2020-15358 at NVDCVE-2020-9327 at SUSECVE-2020-9327 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for python-urllib3 (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python-urllib3 fixes the following security issue:
- CVE-2020-26137: A CRLF injection via HTTP request method was fixed (bsc#1177120)
Note that this was fixed in a previous version update to 1.25.9, this update just complements the tracking.
ModerateSUSE bug 1177120CVE-2020-26137 at SUSECVE-2020-26137 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for glibc (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for glibc fixes the following issues:
Security issues fixed:
- CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911)
- CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489)
Also the following bug was fixed:
- Avoid concurrency problem in ldconfig (bsc#1117993)
ModerateSUSE bug 1117993SUSE bug 1186489SUSE bug 1187911CVE-2021-33574 at SUSECVE-2021-33574 at NVDCVE-2021-35942 at SUSECVE-2021-35942 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.32.4
- CVE-2021-30858: Fixed a security bug that could allow maliciously crafted web content to achieve arbitrary code execution. (bsc#1190701)
- CVE-2021-21806: Fixed an exploitable use-after-free vulnerability via specially crafted HTML web page. (bsc#1188697)
ImportantSUSE bug 1188697SUSE bug 1190701CVE-2021-21806 at SUSECVE-2021-21806 at NVDCVE-2021-30858 at SUSECVE-2021-30858 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for apache2 fixes the following issues:
- CVE-2021-40438: Fixed a SRF via a crafted request uri-path. (bsc#1190703)
- CVE-2021-39275: Fixed an out-of-bounds write in ap_escape_quotes() via malicious input. (bsc#1190666)
- CVE-2021-34798: Fixed a NULL pointer dereference via malformed requests. (bsc#1190669)
ImportantSUSE bug 1190666SUSE bug 1190669SUSE bug 1190703CVE-2021-34798 at SUSECVE-2021-34798 at NVDCVE-2021-39275 at SUSECVE-2021-39275 at NVDCVE-2021-40438 at SUSECVE-2021-40438 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python3 fixes the following issues:
- Provide the newest setuptools wheel (bsc#1176262,
CVE-2019-20916) in their correct form (bsc#1180686).
ImportantSUSE bug 1176262SUSE bug 1180686CVE-2019-20916 at SUSECVE-2019-20916 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.2.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-45 (bsc#1191332)
* CVE-2021-38496: Use-after-free in MessageTask
* CVE-2021-38497: Validation message could have been overlaid on another origin
* CVE-2021-38498: Use-after-free of nsLanguageAtomService object
* CVE-2021-32810: Fixed Data race in crossbeam-deque
* CVE-2021-38500: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2
* CVE-2021-38501: Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2
- Fixed crash in FIPS mode (bsc#1190710)
ImportantSUSE bug 1190710SUSE bug 1191332CVE-2021-32810 at SUSECVE-2021-32810 at NVDCVE-2021-38496 at SUSECVE-2021-38496 at NVDCVE-2021-38497 at SUSECVE-2021-38497 at NVDCVE-2021-38498 at SUSECVE-2021-38498 at NVDCVE-2021-38500 at SUSECVE-2021-38500 at NVDCVE-2021-38501 at SUSECVE-2021-38501 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for util-linux (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for util-linux fixes the following issues:
- CVE-2021-37600: Fixed an integer overflow which could lead to buffer overflow in get_sem_elements. (bsc#1188921)
- Prevent outdated pam files (bsc#1082293, bsc#1081947#c68).
- Do not trim read-only volumes (bsc#1106214).
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Reload issue only if it is really needed (bsc#1085196)
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- blockdev: Do not fail --report on kpartx-style partitions on multipath. (bsc#1168235)
- nologin: Add support for -c to prevent error from su -c. (bsc#1151708)
- Avoid triggering autofs in lookup_umount_fs_by_statfs. (bsc#1168389)
- libblkid: Do not trigger CDROM autoclose. (bsc#1084671)
- Avoid sulogin failing on not existing or not functional console devices. (bsc#1175514)
- Build with libudev support to support non-root users. (bsc#1169006)
- lscpu: avoid segfault on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
- Fix for warning on mounts to CIFS with mount. (SG#57988, bsc#1174942)
ModerateSUSE bug 1081947SUSE bug 1082293SUSE bug 1084671SUSE bug 1085196SUSE bug 1106214SUSE bug 1122417SUSE bug 1125886SUSE bug 1135534SUSE bug 1135708SUSE bug 1151708SUSE bug 1168235SUSE bug 1168389SUSE bug 1169006SUSE bug 1174942SUSE bug 1175514SUSE bug 1175623SUSE bug 1178236SUSE bug 1178554SUSE bug 1178825SUSE bug 1188921CVE-2021-37600 at SUSECVE-2021-37600 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for strongswan (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for strongswan fixes the following issues:
- CVE-2021-41991: Fixed an integer overflow when replacing certificates in cache. (bsc#1191435)
ImportantSUSE bug 1191435CVE-2021-41991 at SUSECVE-2021-41991 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for postgresql10 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for postgresql10 fixes the following issues:
- Fix for build with llvm12 on s390x. (bsc#1185952)
- Re-enable 'icu' for PostgreSQL 10. (bsc#1179945)
- Add postgresqlXX-server-devel as a dependency for postgresql13-server-devel. (bsc#1187751)
- Upgrade to version 10.18. (bsc#1190177)
Upgrade to version 10.17 (already released for SUSE Linux Enterprise 12 SP5):
- CVE-2021-32027: Fixed integer overflows in array subscripting calculations (bsc#1185924).
- CVE-2021-32028: Fixed mishandling of junk columns in INSERT ... ON CONFLICT ... UPDATE target lists (bsc#1185925).
- Don't use %_stop_on_removal, because it was meant to be private and got removed from openSUSE. %_restart_on_update is also private, but still supported and needed for now (bsc#1183168).
- Re-enable build of the llvmjit subpackage on SLE, but it will only be delivered on PackageHub for now (bsc#1183118).
- Disable icu for PostgreSQL 10 (and older) on TW (bsc#1179945).
- Fixed an issue droping irregular warning messages by removing the package. (bsc#1178961)
- Fixed an issue when build does not build the requiements to avoid dangling symlinks in the devel package. (bsc#1179765)
- Fix recently-added timetz test case so it works when the USA is not observing daylight savings time.
ImportantSUSE bug 1178961SUSE bug 1179765SUSE bug 1179945SUSE bug 1183118SUSE bug 1183168SUSE bug 1185924SUSE bug 1185925SUSE bug 1185952SUSE bug 1187751SUSE bug 1190177CVE-2021-32027 at SUSECVE-2021-32027 at NVDCVE-2021-32028 at SUSECVE-2021-32028 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for opensc (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for opensc fixes the following issues:
- CVE-2021-42780: Fixed use after return in insert_pin() (bsc#1192005).
- CVE-2021-42779: Fixed use after free in sc_file_valid() (bsc#1191992).
- CVE-2021-42781: Fixed multiple heap buffer overflows in pkcs15-oberthur.c (bsc#1192000).
- CVE-2021-42782: Stack buffer overflow issues in various places (bsc#1191957).
ImportantSUSE bug 1191957SUSE bug 1191992SUSE bug 1192000SUSE bug 1192005CVE-2021-42779 at SUSECVE-2021-42779 at NVDCVE-2021-42780 at SUSECVE-2021-42780 at NVDCVE-2021-42781 at SUSECVE-2021-42781 at NVDCVE-2021-42782 at SUSECVE-2021-42782 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for transfig (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for transfig fixes the following issues:
Update to fig2dev version 3.2.8 Patchlevel 8b (Aug 2021)
- bsc#1190618, CVE-2020-21529: stack buffer overflow in the bezier_spline function in genepic.c.
- bsc#1190615, CVE-2020-21530: segmentation fault in the read_objects function in read.c.
- bsc#1190617, CVE-2020-21531: global buffer overflow in the conv_pattern_index function in gencgm.c.
- bsc#1190616, CVE-2020-21532: global buffer overflow in the setfigfont function in genepic.c.
- bsc#1190612, CVE-2020-21533: stack buffer overflow in the read_textobject function in read.c.
- bsc#1190611, CVE-2020-21534: global buffer overflow in the get_line function in read.c.
- bsc#1190607, CVE-2020-21535: segmentation fault in the gencgm_start function in gencgm.c.
- bsc#1192019, CVE-2021-32280: NULL pointer dereference in compute_closed_spline() in trans_spline.c
ImportantSUSE bug 1190607SUSE bug 1190611SUSE bug 1190612SUSE bug 1190615SUSE bug 1190616SUSE bug 1190617SUSE bug 1190618SUSE bug 1192019CVE-2020-21529 at SUSECVE-2020-21529 at NVDCVE-2020-21530 at SUSECVE-2020-21530 at NVDCVE-2020-21531 at SUSECVE-2020-21531 at NVDCVE-2020-21532 at SUSECVE-2020-21532 at NVDCVE-2020-21533 at SUSECVE-2020-21533 at NVDCVE-2020-21534 at SUSECVE-2020-21534 at NVDCVE-2020-21535 at SUSECVE-2020-21535 at NVDCVE-2021-32280 at SUSECVE-2021-32280 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for binutils (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for binutils fixes the following issues:
Update to binutils 2.37:
* The GNU Binutils sources now requires a C99 compiler and library to
build.
* Support for the arm-symbianelf format has been removed.
* Support for Realm Management Extension (RME) for AArch64 has been
added.
* A new linker option '-z report-relative-reloc' for x86 ELF targets
has been added to report dynamic relative relocations.
* A new linker option '-z start-stop-gc' has been added to disable
special treatment of __start_*/__stop_* references when
--gc-sections.
* A new linker options '-Bno-symbolic' has been added which will
cancel the '-Bsymbolic' and '-Bsymbolic-functions' options.
* The readelf tool has a new command line option which can be used to
specify how the numeric values of symbols are reported.
--sym-base=0|8|10|16 tells readelf to display the values in base 8,
base 10 or base 16. A sym base of 0 represents the default action
of displaying values under 10000 in base 10 and values above that in
base 16.
* A new format has been added to the nm program. Specifying
'--format=just-symbols' (or just using -j) will tell the program to
only display symbol names and nothing else.
* A new command line option '--keep-section-symbols' has been added to
objcopy and strip. This stops the removal of unused section symbols
when the file is copied. Removing these symbols saves space, but
sometimes they are needed by other tools.
* The '--weaken', '--weaken-symbol' and '--weaken-symbols' options
supported by objcopy now make undefined symbols weak on targets that
support weak symbols.
* Readelf and objdump can now display and use the contents of .debug_sup
sections.
* Readelf and objdump will now follow links to separate debug info
files by default. This behaviour can be stopped via the use of the
new '-wN' or '--debug-dump=no-follow-links' options for readelf and
the '-WN' or '--dwarf=no-follow-links' options for objdump. Also
the old behaviour can be restored by the use of the
'--enable-follow-debug-links=no' configure time option.
The semantics of the =follow-links option have also been slightly
changed. When enabled, the option allows for the loading of symbol
tables and string tables from the separate files which can be used
to enhance the information displayed when dumping other sections,
but it does not automatically imply that information from the
separate files should be displayed.
If other debug section display options are also enabled (eg
'--debug-dump=info') then the contents of matching sections in both
the main file and the separate debuginfo file *will* be displayed.
This is because in most cases the debug section will only be present
in one of the files.
If however non-debug section display options are enabled (eg
'--sections') then the contents of matching parts of the separate
debuginfo file will *not* be displayed. This is because in most
cases the user probably only wanted to load the symbol information
from the separate debuginfo file. In order to change this behaviour
a new command line option --process-links can be used. This will
allow di0pslay options to applied to both the main file and any
separate debuginfo files.
* Nm has a new command line option: '--quiet'. This suppresses 'no
symbols' diagnostic.
Update to binutils 2.36:
New features in the Assembler:
General:
* When setting the link order attribute of ELF sections, it is now
possible to use a numeric section index instead of symbol name.
* Added a .nop directive to generate a single no-op instruction in
a target neutral manner. This instruction does have an effect on
DWARF line number generation, if that is active.
* Removed --reduce-memory-overheads and --hash-size as gas now
uses hash tables that can be expand and shrink automatically.
X86/x86_64:
* Add support for AVX VNNI, HRESET, UINTR, TDX, AMX and Key
Locker instructions.
* Support non-absolute segment values for lcall and ljmp.
* Add {disp16} pseudo prefix to x86 assembler.
* Configure with --enable-x86-used-note by default for Linux/x86.
ARM/AArch64:
* Add support for Cortex-A78, Cortex-A78AE and Cortex-X1,
Cortex-R82, Neoverse V1, and Neoverse N2 cores.
* Add support for ETMv4 (Embedded Trace Macrocell), ETE (Embedded
Trace Extension), TRBE (Trace Buffer Extension), CSRE (Call
Stack Recorder Extension) and BRBE (Branch Record Buffer
Extension) system registers.
* Add support for Armv8-R and Armv8.7-A ISA extensions.
* Add support for DSB memory nXS barrier, WFET and WFIT
instruction for Armv8.7.
* Add support for +csre feature for -march. Add CSR PDEC
instruction for CSRE feature in AArch64.
* Add support for +flagm feature for -march in Armv8.4 AArch64.
* Add support for +ls64 feature for -march in Armv8.7
AArch64. Add atomic 64-byte load/store instructions for this
feature.
* Add support for +pauth (Pointer Authentication) feature for
-march in AArch64.
New features in the Linker:
* Add --error-handling-script=<NAME> command line option to allow
a helper script to be invoked when an undefined symbol or a
missing library is encountered. This option can be suppressed
via the configure time switch: --enable-error-handling-script=no.
* Add -z x86-64-{baseline|v[234]} to the x86 ELF linker to mark
x86-64-{baseline|v[234]} ISA level as needed.
* Add -z unique-symbol to avoid duplicated local symbol names.
* The creation of PE format DLLs now defaults to using a more
secure set of DLL characteristics.
* The linker now deduplicates the types in .ctf sections. The new
command-line option --ctf-share-types describes how to do this:
its default value, share-unconflicted, produces the most compact
output.
* The linker now omits the 'variable section' from .ctf sections
by default, saving space. This is almost certainly what you
want unless you are working on a project that has its own
analogue of symbol tables that are not reflected in the ELF
symtabs.
New features in other binary tools:
* The ar tool's previously unused l modifier is now used for
specifying dependencies of a static library. The arguments of
this option (or --record-libdeps long form option) will be
stored verbatim in the __.LIBDEP member of the archive, which
the linker may read at link time.
* Readelf can now display the contents of LTO symbol table
sections when asked to do so via the --lto-syms command line
option.
* Readelf now accepts the -C command line option to enable the
demangling of symbol names. In addition the --demangle=<style>,
--no-demangle, --recurse-limit and --no-recurse-limit options
are also now availale.
Update to binutils 2.35.1:
* This is a point release over the previous 2.35 version, containing bug
fixes, and as an exception to the usual rule, one new feature. The
new feature is the support for a new directive in the assembler:
'.nop'. This directive creates a single no-op instruction in whatever
encoding is correct for the target architecture. Unlike the .space or
.fill this is a real instruction, and it does affect the generation of
DWARF line number tables, should they be enabled.
Update to binutils 2.35:
* The assembler can now produce DWARF-5 format line number tables.
* Readelf now has a 'lint' mode to enable extra checks of the files it is processing.
* Readelf will now display '[...]' when it has to truncate a symbol name.
The old behaviour - of displaying as many characters as possible, up to
the 80 column limit - can be restored by the use of the --silent-truncation
option.
* The linker can now produce a dependency file listing the inputs that it
has processed, much like the -M -MP option supported by the compiler.
Update to binutils 2.34:
* The disassembler (objdump --disassemble) now has an option to
generate ascii art thats show the arcs between that start and end
points of control flow instructions.
* The binutils tools now have support for debuginfod. Debuginfod is a
HTTP service for distributing ELF/DWARF debugging information as
well as source code. The tools can now connect to debuginfod
servers in order to download debug information about the files that
they are processing.
* The assembler and linker now support the generation of ELF format
files for the Z80 architecture.
Update to binutils 2.33.1:
* Adds support for the Arm Scalable Vector Extension version 2
(SVE2) instructions, the Arm Transactional Memory Extension (TME)
instructions and the Armv8.1-M Mainline and M-profile Vector
Extension (MVE) instructions.
* Adds support for the Arm Cortex-A76AE, Cortex-A77 and Cortex-M35P
processors and the AArch64 Cortex-A34, Cortex-A65, Cortex-A65AE,
Cortex-A76AE, and Cortex-A77 processors.
* Adds a .float16 directive for both Arm and AArch64 to allow
encoding of 16-bit floating point literals.
* For MIPS, Add -m[no-]fix-loongson3-llsc option to fix (or not)
Loongson3 LLSC Errata. Add a --enable-mips-fix-loongson3-llsc=[yes|no]
configure time option to set the default behavior. Set the default
if the configure option is not used to 'no'.
* The Cortex-A53 Erratum 843419 workaround now supports a choice of
which workaround to use. The option --fix-cortex-a53-843419 now
takes an optional argument --fix-cortex-a53-843419[=full|adr|adrp]
which can be used to force a particular workaround to be used.
See --help for AArch64 for more details.
* Add support for GNU_PROPERTY_AARCH64_FEATURE_1_BTI and
GNU_PROPERTY_AARCH64_FEATURE_1_PAC in ELF GNU program properties
in the AArch64 ELF linker.
* Add -z force-bti for AArch64 to enable GNU_PROPERTY_AARCH64_FEATURE_1_BTI
on output while warning about missing GNU_PROPERTY_AARCH64_FEATURE_1_BTI
on inputs and use PLTs protected with BTI.
* Add -z pac-plt for AArch64 to pick PAC enabled PLTs.
* Add --source-comment[=<txt>] option to objdump which if present,
provides a prefix to source code lines displayed in a disassembly.
* Add --set-section-alignment <section-name>=<power-of-2-align>
option to objcopy to allow the changing of section alignments.
* Add --verilog-data-width option to objcopy for verilog targets to
control width of data elements in verilog hex format.
* The separate debug info file options of readelf (--debug-dump=links
and --debug-dump=follow) and objdump (--dwarf=links and
--dwarf=follow-links) will now display and/or follow multiple
links if more than one are present in a file. (This usually
happens when gcc's -gsplit-dwarf option is used).
In addition objdump's --dwarf=follow-links now also affects its
other display options, so that for example, when combined with
--syms it will cause the symbol tables in any linked debug info
files to also be displayed. In addition when combined with
--disassemble the --dwarf= follow-links option will ensure that
any symbol tables in the linked files are read and used when
disassembling code in the main file.
* Add support for dumping types encoded in the Compact Type Format
to objdump and readelf.
The following security fixes are addressed by the update:
- CVE-2021-20197: Fixed a race condition which allows users to own arbitrary files (bsc#1181452).
- CVE-2021-20284: Fixed a heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c (bsc#1183511).
- CVE-2021-3487: Fixed a denial of service via excessive debug section size causing excessive memory consumption in bfd's dwarf2.c read_section() (bsc#1184620).
- CVE-2020-35448: Fixed a heap-based buffer over-read in bfd_getl_signed_32() in libbfd.c (bsc#1184794).
- CVE-2020-16590: Fixed a double free vulnerability in process_symbol_table() (bsc#1179898).
- CVE-2020-16591: Fixed an invalid read in process_symbol_table() (bsc#1179899).
- CVE-2020-16592: Fixed an use-after-free in bfd_hash_lookup() (bsc#1179900).
- CVE-2020-16593: Fixed a null pointer dereference in scan_unit_for_symbols() (bsc#1179901).
- CVE-2020-16598: Fixed a null pointer dereference in debug_get_real_type() (bsc#1179902).
- CVE-2020-16599: Fixed a null pointer dereference in _bfd_elf_get_symbol_version_string() (bsc#1179903)
- CVE-2020-35493: Fixed heap-based buffer overflow in bfd_pef_parse_function_stubs function in bfd/pef.c via crafted PEF file (bsc#1180451).
- CVE-2020-35496: Fixed multiple null pointer dereferences in bfd module due to not checking return value of bfd_malloc (bsc#1180454).
- CVE-2020-35507: Fixed a null pointer dereference in bfd_pef_parse_function_stubs() (bsc#1180461).
- CVE-2019-17451: Fixed an integer overflow leading to a SEGV in _bfd_dwarf2_find_nearest_line() in dwarf2.c (bsc#1153768).
- CVE-2019-17450: Fixed a potential denial of service in find_abstract_instance() in dwarf2.c (bsc#1153770).
- CVE-2019-9077: Fixed a heap-based buffer overflow in process_mips_specific() in readelf.c via a malformed MIPS option section (bsc#1126826).
- CVE-2019-9075: Fixed a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap() in archive64.c (bsc#1126829).
- CVE-2019-9074: Fixed a out-of-bounds read leading to a SEGV in bfd_getl32() in libbfd.c (bsc#1126831).
- CVE-2019-12972: Fixed a heap-based buffer over-read in _bfd_doprnt() in bfd.c (bsc#1140126).
- CVE-2019-14444: Fixed an integer overflow apply_relocations() in readelf.c (bsc#1143609).
- CVE-2019-14250: Fixed an integer overflow in simple_object_elf_match() in simple-object-elf.c (bsc#1142649).
ModerateSUSE bug 1126826SUSE bug 1126829SUSE bug 1126831SUSE bug 1140126SUSE bug 1142649SUSE bug 1143609SUSE bug 1153768SUSE bug 1153770SUSE bug 1157755SUSE bug 1160254SUSE bug 1160590SUSE bug 1163333SUSE bug 1163744SUSE bug 1179036SUSE bug 1179341SUSE bug 1179898SUSE bug 1179899SUSE bug 1179900SUSE bug 1179901SUSE bug 1179902SUSE bug 1179903SUSE bug 1180451SUSE bug 1180454SUSE bug 1180461SUSE bug 1181452SUSE bug 1182252SUSE bug 1183511SUSE bug 1184620SUSE bug 1184794CVE-2019-12972 at SUSECVE-2019-12972 at NVDCVE-2019-14250 at SUSECVE-2019-14250 at NVDCVE-2019-14444 at SUSECVE-2019-14444 at NVDCVE-2019-17450 at SUSECVE-2019-17450 at NVDCVE-2019-17451 at SUSECVE-2019-17451 at NVDCVE-2019-9074 at SUSECVE-2019-9074 at NVDCVE-2019-9075 at SUSECVE-2019-9075 at NVDCVE-2019-9077 at SUSECVE-2019-9077 at NVDCVE-2020-16590 at SUSECVE-2020-16590 at NVDCVE-2020-16591 at SUSECVE-2020-16591 at NVDCVE-2020-16592 at SUSECVE-2020-16592 at NVDCVE-2020-16593 at SUSECVE-2020-16593 at NVDCVE-2020-16598 at SUSECVE-2020-16598 at NVDCVE-2020-16599 at SUSECVE-2020-16599 at NVDCVE-2020-35448 at SUSECVE-2020-35448 at NVDCVE-2020-35493 at SUSECVE-2020-35493 at NVDCVE-2020-35496 at SUSECVE-2020-35496 at NVDCVE-2020-35507 at SUSECVE-2020-35507 at NVDCVE-2021-20197 at SUSECVE-2021-20197 at NVDCVE-2021-20284 at SUSECVE-2021-20284 at NVDCVE-2021-3487 at SUSECVE-2021-3487 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for binutils (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for binutils fixes the following issues:
- For compatibility on old code stream that expect 'brcl 0,label' to
not be disassembled as 'jgnop label' on s390x. (bsc#1192267)
This reverts IBM zSeries HLASM support for now.
- Fixed that ppc64 optflags did not enable LTO (bsc#1188941).
- Fix empty man-pages from broken release tarball
- Fixed a memory corruption with rpath option (bsc#1191473).
- Fixed slow performance of stripping some binaries (bsc#1183909).
Security issue fixed:
- CVE-2021-20294: Fixed out-of-bounds write in print_dynamic_symbol in readelf (bnc#1184519)
ModerateSUSE bug 1183909SUSE bug 1184519SUSE bug 1188941SUSE bug 1191473SUSE bug 1192267CVE-2021-20294 at SUSECVE-2021-20294 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for pcre (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for pcre fixes the following issues:
Update pcre to version 8.45:
- CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
- CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973).
- CVE-2017-7244: Fixed invalid read in _pcre32_xclass() (bsc#1030807).
- CVE-2017-7245: Fixed buffer overflow in the pcre32_copy_substring (bsc#1030805).
- CVE-2017-7246: Fixed another buffer overflow in the pcre32_copy_substring (bsc#1030803).
- CVE-2017-7186: Fixed denial of service caused by an invalid Unicode property lookup (bsc#1030066).
- CVE-2017-6004: Fixed denial of service via crafted regular expression (bsc#1025709).
ModerateSUSE bug 1025709SUSE bug 1030066SUSE bug 1030803SUSE bug 1030805SUSE bug 1030807SUSE bug 1172973SUSE bug 1172974CVE-2017-6004 at SUSECVE-2017-6004 at NVDCVE-2017-7186 at SUSECVE-2017-7186 at NVDCVE-2017-7244 at SUSECVE-2017-7244 at NVDCVE-2017-7245 at SUSECVE-2017-7245 at NVDCVE-2017-7246 at SUSECVE-2017-7246 at NVDCVE-2019-20838 at SUSECVE-2019-20838 at NVDCVE-2020-14155 at SUSECVE-2020-14155 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for qemu (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for qemu fixes the following issues:
Security issues fixed:
- Fix out-of-bounds write in UAS (USB Attached SCSI) device emulation (bsc#1189702, CVE-2021-3713)
- Fix heap use-after-free in virtio_net_receive_rcu (bsc#1189938, CVE-2021-3748)
ImportantSUSE bug 1189702SUSE bug 1189938CVE-2021-3713 at SUSECVE-2021-3713 at NVDCVE-2021-3748 at SUSECVE-2021-3748 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
MozillaFirefox was updated to Extended Support Release 91.3.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-49 (bsc#1192250)
* CVE-2021-38503: iframe sandbox rules did not apply to XSLT stylesheets
* CVE-2021-38504: Use-after-free in file picker dialog
* CVE-2021-38505: Windows 10 Cloud Clipboard may have recorded sensitive user data
* CVE-2021-38506: Firefox could be coaxed into going into fullscreen mode without notification or warning
* CVE-2021-38507: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports
* CVE-2021-38508: Permission Prompt could be overlaid, resulting in user confusion and potential spoofing
* CVE-2021-38509: Javascript alert box could have been spoofed onto an arbitrary domain
* CVE-2021-38510: Download Protections were bypassed by .inetloc files on Mac OS
* MOZ-2021-0008: Use-after-free in HTTP2 Session object
* MOZ-2021-0007: Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3
ImportantSUSE bug 1192250CVE-2021-38503 at SUSECVE-2021-38503 at NVDCVE-2021-38504 at SUSECVE-2021-38504 at NVDCVE-2021-38505 at SUSECVE-2021-38505 at NVDCVE-2021-38506 at SUSECVE-2021-38506 at NVDCVE-2021-38507 at SUSECVE-2021-38507 at NVDCVE-2021-38508 at SUSECVE-2021-38508 at NVDCVE-2021-38509 at SUSECVE-2021-38509 at NVDCVE-2021-38510 at SUSECVE-2021-38510 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for samba (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for samba fixes the following issues:
- CVE-2016-2124: Fixed not to fallback to non spnego authentication if we require kerberos (bsc#1014440).
- CVE-2020-25717: Fixed privilege escalation inside an AD Domain where a user could become root on domain members (bsc#1192284).
ImportantSUSE bug 1014440SUSE bug 1192284CVE-2016-2124 at SUSECVE-2016-2124 at NVDCVE-2020-25717 at SUSECVE-2020-25717 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for postgresql, postgresql13, postgresql14 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for postgresql, postgresql13 and postgresql14 fixes the following issues:
Security issues fixed:
- CVE-2021-23214: Make the server reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
- CVE-2021-23222: Make libpq reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
This update also ships postgresql14 to SUSE Linux Enterprise 12 SP5. (jsc#SLE-22673)
On older service packs only libpq5 and libecpg6 are being replaced by the postgresql14 variants.
Feature changes in postgresql14:
- https://www.postgresql.org/about/news/postgresql-14-released-2318/
- https://www.postgresql.org/docs/14/release-14.html
ImportantSUSE bug 1192516CVE-2021-23214 at SUSECVE-2021-23214 at NVDCVE-2021-23222 at SUSECVE-2021-23222 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for postgresql96 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for postgresql96 fixes the following issues:
- CVE-2021-23214: Make the server reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
- CVE-2021-23222: Make libpq reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
ImportantSUSE bug 1192516CVE-2021-23214 at SUSECVE-2021-23214 at NVDCVE-2021-23222 at SUSECVE-2021-23222 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for postgresql10 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for postgresql10 fixes the following issues:
- CVE-2021-23214: Make the server reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
- CVE-2021-23222: Make libpq reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
ImportantSUSE bug 1192516CVE-2021-23214 at SUSECVE-2021-23214 at NVDCVE-2021-23222 at SUSECVE-2021-23222 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for webkit2gtk3 fixes the following issues:
- CVE-2021-42762: Updated seccomp rules with latest changes from flatpak (bsc#1191937).
ImportantSUSE bug 1191937CVE-2021-42762 at SUSECVE-2021-42762 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_8_0-openjdk fixes the following issues:
Update to version OpenJDK 8u312 (October 2021 CPU):
- CVE-2021-35550: Fixed weak ciphers preferred over stronger ones for TLS (bsc#1191901).
- CVE-2021-35556: Fixed excessive memory allocation in RTFParser (bsc#1191910).
- CVE-2021-35559: Fixed excessive memory allocation in RTFReader (bsc#1191911).
- CVE-2021-35561: Fixed excessive memory allocation in HashMap and HashSet (bsc#1191912).
- CVE-2021-35564: Fixed certificates with end dates too far in the future can corrupt keystore (bsc#1191913).
- CVE-2021-35565: Fixed loop in HttpsServer triggered during TLS session close (bsc#1191909).
- CVE-2021-35567: Fixed incorrect principal selection when using Kerberos Constrained Delegation (bsc#1191903).
- CVE-2021-35578: Fixed unexpected exception raised during TLS handshake (bsc#1191904).
- CVE-2021-35586: Fixed excessive memory allocation in BMPImageReader (bsc#1191914).
- CVE-2021-35588: Fixed incomplete validation of inner class references in ClassFileParser (bsc#1191905)
- CVE-2021-35603: Fixed non-constant comparison during TLS handshakes (bsc#1191906).
ImportantSUSE bug 1191901SUSE bug 1191903SUSE bug 1191904SUSE bug 1191905SUSE bug 1191906SUSE bug 1191909SUSE bug 1191910SUSE bug 1191911SUSE bug 1191912SUSE bug 1191913SUSE bug 1191914CVE-2021-35550 at SUSECVE-2021-35550 at NVDCVE-2021-35556 at SUSECVE-2021-35556 at NVDCVE-2021-35559 at SUSECVE-2021-35559 at NVDCVE-2021-35561 at SUSECVE-2021-35561 at NVDCVE-2021-35564 at SUSECVE-2021-35564 at NVDCVE-2021-35565 at SUSECVE-2021-35565 at NVDCVE-2021-35567 at SUSECVE-2021-35567 at NVDCVE-2021-35578 at SUSECVE-2021-35578 at NVDCVE-2021-35586 at SUSECVE-2021-35586 at NVDCVE-2021-35588 at SUSECVE-2021-35588 at NVDCVE-2021-35603 at SUSECVE-2021-35603 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_7_0-openjdk fixes the following issues:
Update to OpenJDK 7u321 (October 2021 CPU):
- CVE-2021-35550: Fixed weak ciphers preferred over stronger ones for TLS (bsc#1191901).
- CVE-2021-35556: Fixed excessive memory allocation in RTFParser (bsc#1191910).
- CVE-2021-35559: Fixed excessive memory allocation in RTFReader (bsc#1191911).
- CVE-2021-35561: Fixed excessive memory allocation in HashMap and HashSet (bsc#1191912).
- CVE-2021-35564: Fixed certificates with end dates too far in the future can corrupt keystore (bsc#1191913).
- CVE-2021-35565: Fixed loop in HttpsServer triggered during TLS session close (bsc#1191909).
- CVE-2021-35586: Fixed excessive memory allocation in BMPImageReader (bsc#1191914).
- CVE-2021-35588: Fixed incomplete validation of inner class references in ClassFileParser (bsc#1191905)
- CVE-2021-35603: Fixed non-constant comparison during TLS handshakes (bsc#1191906).
ImportantSUSE bug 1191901SUSE bug 1191905SUSE bug 1191906SUSE bug 1191909SUSE bug 1191910SUSE bug 1191911SUSE bug 1191912SUSE bug 1191913SUSE bug 1191914CVE-2021-35550 at SUSECVE-2021-35550 at NVDCVE-2021-35556 at SUSECVE-2021-35556 at NVDCVE-2021-35559 at SUSECVE-2021-35559 at NVDCVE-2021-35561 at SUSECVE-2021-35561 at NVDCVE-2021-35564 at SUSECVE-2021-35564 at NVDCVE-2021-35565 at SUSECVE-2021-35565 at NVDCVE-2021-35586 at SUSECVE-2021-35586 at NVDCVE-2021-35588 at SUSECVE-2021-35588 at NVDCVE-2021-35603 at SUSECVE-2021-35603 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for ruby2.1 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for ruby2.1 fixes the following issues:
- CVE-2020-25613: Fixed potential HTTP request smuggling in WEBrick (bsc#1177125).
- CVE-2021-31799: Fixed Command injection vulnerability in RDoc (bsc#1190375).
- CVE-2021-31810: Fixed trusting FTP PASV responses vulnerability in Net:FTP (bsc#1188161).
- CVE-2021-32066: Fixed StartTLS stripping vulnerability in Net:IMAP (bsc#1188160).
ImportantSUSE bug 1177125SUSE bug 1188160SUSE bug 1188161SUSE bug 1190375CVE-2020-25613 at SUSECVE-2020-25613 at NVDCVE-2021-31799 at SUSECVE-2021-31799 at NVDCVE-2021-31810 at SUSECVE-2021-31810 at NVDCVE-2021-32066 at SUSECVE-2021-32066 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xen (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xen fixes the following issues:
- CVE-2021-28704, CVE-2021-28707, CVE-2021-28708: Fixed PoD operations on misaligned GFNs (XSA-388) (bsc#1192557).
- CVE-2021-28705, CVE-2021-28709: Fixed issues with partially successful P2M updates on x86 (XSA-389) (bsc#1192559).
- CVE-2021-28706: Fixed guests may exceed their designated memory limit (XSA-385) (bsc#1192554).
ModerateSUSE bug 1192554SUSE bug 1192557SUSE bug 1192559CVE-2021-28704 at SUSECVE-2021-28704 at NVDCVE-2021-28705 at SUSECVE-2021-28705 at NVDCVE-2021-28706 at SUSECVE-2021-28706 at NVDCVE-2021-28707 at SUSECVE-2021-28707 at NVDCVE-2021-28708 at SUSECVE-2021-28708 at NVDCVE-2021-28709 at SUSECVE-2021-28709 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for clamav (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for clamav fixes the following issues:
- CVE-2018-14679: Fixed off-by-one issue in embedded libmspack that could lead to denial of service (bsc#1103032).
- Update to 0.103.4 (bsc#1192346).
- Update to 0.103.3 (bsc#1188284).
ModerateSUSE bug 1103032SUSE bug 1188284SUSE bug 1192346CVE-2018-14679 at SUSECVE-2018-14679 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for webkit2gtk3 fixes the following issues:
- CVE-2021-30846: Fixed memory corruption issue that could lead to arbitrary code execution when processing maliciously crafted web content (bsc#1192063).
- CVE-2021-30851: Fixed memory corruption vulnerability that could lead to arbitrary code execution when processing maliciously crafted web content (bsc#1192063).
ImportantSUSE bug 1192063CVE-2021-30846 at SUSECVE-2021-30846 at NVDCVE-2021-30851 at SUSECVE-2021-30851 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-BCL
The SUSE Linux Enterprise 12 SP3 LTSS kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- Unprivileged BPF has been disabled by default to reduce attack surface as too many security issues have happened in the past (jsc#SLE-22573)
You can reenable via systemctl setting /proc/sys/kernel/unprivileged_bpf_disabled to 0. (kernel.unprivileged_bpf_disabled = 0)
- CVE-2021-31916: An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel A bound check failure allowed an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability (bnc#1192781).
- CVE-2021-20322: Make the ipv4 and ipv6 ICMP exception caches less predictive to avoid information leaks about UDP ports in use. (bsc#1191790)
- CVE-2021-34981: Fixed file refcounting in cmtp when cmtp_attach_device fails (bsc#1191961).
- CVE-2020-12655: An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c. Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka CID-d0c7feaf8767 (bnc#1171217).
- CVE-2021-43389: There was an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c (bnc#1191958).
- CVE-2021-37159: hso_free_net_device in drivers/net/usb/hso.c called unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free (bnc#1188601).
- CVE-2021-34556: An unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects the possibility of uninitialized memory locations on the BPF stack (bnc#1188983).
- CVE-2021-35477: An unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store operation did not necessarily occur before a store operation that has an attacker-controlled value (bnc#1188985).
- CVE-2017-17862: kernel/bpf/verifier.c in the Linux kernel ignores unreachable code, even though it would still be processed by JIT compilers. This behavior, also considered an improper branch-pruning logic issue, could possibly be used by local users for denial of service (bnc#1073928).
- CVE-2017-17864: kernel/bpf/verifier.c in the Linux kernel mishandled states_equal comparisons between the pointer data type and the UNKNOWN_VALUE data type, which allowed local users to obtain potentially sensitive address information, aka a 'pointer leak (bnc#1073928).
- CVE-2021-20265: A flaw was found in the way memory resources were freed in the unix_stream_recvmsg function in the Linux kernel when a signal was pending. This flaw allowed an unprivileged local user to crash the system by exhausting available memory. The highest threat from this vulnerability is to system availability (bnc#1183089).
- CVE-2021-3772: Fixed sctp vtag check in sctp_sf_ootb (bsc#1190351).
- CVE-2021-3655: Missing size validations on inbound SCTP packets may have allowed the kernel to read uninitialized memory (bnc#1188563).
- CVE-2018-13405: The inode_init_owner function in fs/inode.c in the Linux kernel allowed local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID (bnc#1100416 bnc#1129735).
- CVE-2021-3760: Fixed a use-after-free vulnerability with the ndev->rf_conn_info object (bsc#1190067).
- CVE-2021-42739: The firewire subsystem in the Linux kernel has a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandled bounds checking (bnc#1184673).
- CVE-2021-3542: Fixed heap buffer overflow in firedtv driver (bsc#1186063).
- CVE-2021-33033: The Linux kernel has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value (bnc#1186109 bnc#1186390 bnc#1188876).
- CVE-2020-14305: An out-of-bounds memory write flaw was found in how the Linux kernel’s Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allowed an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability (bnc#1173346).
- CVE-2021-3715: Fixed a use-after-free in route4_change() in net/sched/cls_route.c (bsc#1190349).
- CVE-2021-3896: Fixed a array-index-out-bounds in detach_capi_ctr in drivers/isdn/capi/kcapi.c (bsc#1191958).
- CVE-2021-42008: The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access (bnc#1191315).
- CVE-2020-3702: Specifically timed and handcrafted traffic can cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic (bnc#1191193).
- CVE-2021-3752: Fixed a use after free vulnerability in the Linux kernel's bluetooth module. (bsc#1190023)
- CVE-2021-40490: A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel (bnc#1190159 bnc#1192775)
- CVE-2021-3640: Fixed a Use-After-Free vulnerability in function sco_sock_sendmsg() in the bluetooth stack (bsc#1188172).
- CVE-2021-38160: Data corruption or loss could be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190117)
- CVE-2021-3753: Fixed race out-of-bounds in virtual terminal handling (bsc#1190025).
- CVE-2021-3732: Mounting overlayfs inside an unprivileged user namespace can reveal files (bsc#1189706).
- CVE-2021-3653: A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the 'int_ctl' field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7 (bnc#1189399 bnc#1189420).
- CVE-2021-38198: arch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault (bnc#1189262 bnc#1189278).
- CVE-2021-38204: drivers/usb/host/max3421-hcd.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain situations (bnc#1189291).
- CVE-2021-3679: A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service (bnc#1189057).
- CVE-2018-16882: A use-after-free issue was found in the way the Linux kernel's KVM hypervisor processed posted interrupts when nested(=1) virtualization is enabled. In nested_get_vmcs12_pages(), in case of an error while processing posted interrupt address, it unmaps the 'pi_desc_page' without resetting 'pi_desc' descriptor address, which is later used in pi_test_and_clear_on(). A guest user/process could use this flaw to crash the host kernel resulting in DoS or potentially gain privileged access to a system. Kernel versions and are vulnerable (bnc#1119934).
- CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1176724).
- CVE-2020-4788: IBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors could allow a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances. IBM X-Force ID: 189296 (bnc#1177666 bnc#1181158).
- CVE-2021-3659: Fixed a NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (bsc#1188876).
- CVE-2021-37576: arch/powerpc/kvm/book3s_rtas.c in the Linux kernel on the powerpc platform allowed KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e (bnc#1188838).
The following non-security bugs were fixed:
- PCI: hv: Use expected affinity when unmasking IRQ (bsc#1185973).
- SUNRPC: improve error response to over-size gss credential (bsc#1190022).
- Update config files: Add CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
- blacklist.conf: Drop a line that was added by mistake
- bpf: Add kconfig knob for disabling unpriv bpf by default (jsc#SLE-22918)
- bpf: Disallow unprivileged bpf by default (jsc#SLE-22918).
- bpf: properly enforce index mask to prevent out-of-bounds speculation (bsc#1098425).
- config: disable unprivileged BPF by default (jsc#SLE-22918)
- cpufreq: intel_pstate: Add Icelake servers support in no-HWP mode (bsc#1185758,bsc#1192400).
- ftrace: Fix scripts/recordmcount.pl due to new binutils (bsc#1192267).
- hv: mana: adjust mana_select_queue to old API (jsc#SLE-18779, bsc#1185727).
- hv: mana: declare vzalloc (jsc#SLE-18779, bsc#1185726).
- hv: mana: fake bitmap API (jsc#SLE-18779, bsc#1185726).
- hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185727).
- kABI: protect struct bpf_map (kabi).
- mm: replace open coded page to virt conversion with page_to_virt() (jsc#SLE-18779, bsc#1185727).
- net/mlx4_en: Avoid scheduling restart task if it is already running (bsc#1181854 bsc#1181855).
- net/mlx4_en: Handle TX error CQE (bsc#1181854 bsc#1181855).
- net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185727).
- net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185727).
- net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185727).
- net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185727).
- net: mana: Fix error handling in mana_create_rxq() (git-fixes, bsc#1191801).
- net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185727).
- net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185727).
- net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185727).
- net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185727).
- net: sched: sch_teql: fix null-pointer dereference (bsc#1190717).
- s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant (bsc#1190601).
- s390/bpf: Fix branch shortening during codegen pass (bsc#1190601).
- s390/bpf: Fix optimizing out zero-extensions (bsc#1190601).
- s390/bpf: Wrap JIT macro parameter usages in parentheses (bsc#1190601).
- s390: bpf: implement jitting of BPF_ALU | BPF_ARSH | BPF_* (bsc#1190601).
- scsi: sg: add sg_remove_request in sg_write (bsc#1171420 CVE2020-12770).
- sctp: check asoc peer.asconf_capable before processing asconf (bsc#1190351).
- sctp: fully initialize v4 addr in some functions (bsc#1188563).
- sctp: simplify addr copy (bsc#1188563).
- x86/CPU: Add more Icelake model numbers (bsc#1185758,bsc#1192400).
- x86/tlb: Flush global mappings when KAISER is disabled (bsc#1190194).
ImportantSUSE bug 1073928SUSE bug 1098425SUSE bug 1100416SUSE bug 1119934SUSE bug 1129735SUSE bug 1171217SUSE bug 1171420SUSE bug 1173346SUSE bug 1176724SUSE bug 1177666SUSE bug 1181158SUSE bug 1181854SUSE bug 1181855SUSE bug 1183089SUSE bug 1184673SUSE bug 1185726SUSE bug 1185727SUSE bug 1185758SUSE bug 1185973SUSE bug 1186109SUSE bug 1186390SUSE bug 1188172SUSE bug 1188563SUSE bug 1188601SUSE bug 1188838SUSE bug 1188876SUSE bug 1188983SUSE bug 1188985SUSE bug 1189057SUSE bug 1189262SUSE bug 1189278SUSE bug 1189291SUSE bug 1189399SUSE bug 1189420SUSE bug 1189706SUSE bug 1190022SUSE bug 1190023SUSE bug 1190025SUSE bug 1190067SUSE bug 1190117SUSE bug 1190159SUSE bug 1190194SUSE bug 1190349SUSE bug 1190351SUSE bug 1190601SUSE bug 1190717SUSE bug 1191193SUSE bug 1191315SUSE bug 1191790SUSE bug 1191801SUSE bug 1191958SUSE bug 1191961SUSE bug 1192267SUSE bug 1192400SUSE bug 1192775SUSE bug 1192781CVE-2017-17862 at SUSECVE-2017-17862 at NVDCVE-2017-17864 at SUSECVE-2017-17864 at NVDCVE-2018-13405 at SUSECVE-2018-13405 at NVDCVE-2018-16882 at SUSECVE-2018-16882 at NVDCVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2020-12655 at SUSECVE-2020-12655 at NVDCVE-2020-14305 at SUSECVE-2020-14305 at NVDCVE-2020-3702 at SUSECVE-2020-3702 at NVDCVE-2020-4788 at SUSECVE-2020-4788 at NVDCVE-2021-20265 at SUSECVE-2021-20265 at NVDCVE-2021-20322 at SUSECVE-2021-20322 at NVDCVE-2021-31916 at SUSECVE-2021-31916 at NVDCVE-2021-33033 at SUSECVE-2021-33033 at NVDCVE-2021-34556 at SUSECVE-2021-34556 at NVDCVE-2021-34981 at SUSECVE-2021-34981 at NVDCVE-2021-3542 at SUSECVE-2021-3542 at NVDCVE-2021-35477 at SUSECVE-2021-35477 at NVDCVE-2021-3640 at SUSECVE-2021-3640 at NVDCVE-2021-3653 at SUSECVE-2021-3653 at NVDCVE-2021-3655 at SUSECVE-2021-3655 at NVDCVE-2021-3659 at SUSECVE-2021-3659 at NVDCVE-2021-3679 at SUSECVE-2021-3679 at NVDCVE-2021-3715 at SUSECVE-2021-3715 at NVDCVE-2021-37159 at SUSECVE-2021-37159 at NVDCVE-2021-3732 at SUSECVE-2021-3732 at NVDCVE-2021-3752 at SUSECVE-2021-3752 at NVDCVE-2021-3753 at SUSECVE-2021-3753 at NVDCVE-2021-37576 at SUSECVE-2021-37576 at NVDCVE-2021-3760 at SUSECVE-2021-3760 at NVDCVE-2021-3772 at SUSECVE-2021-3772 at NVDCVE-2021-38160 at SUSECVE-2021-38160 at NVDCVE-2021-38198 at SUSECVE-2021-38198 at NVDCVE-2021-38204 at SUSECVE-2021-38204 at NVDCVE-2021-3896 at SUSECVE-2021-3896 at NVDCVE-2021-40490 at SUSECVE-2021-40490 at NVDCVE-2021-42008 at SUSECVE-2021-42008 at NVDCVE-2021-42739 at SUSECVE-2021-42739 at NVDCVE-2021-43389 at SUSECVE-2021-43389 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for mozilla-nss (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for mozilla-nss fixes the following issues:
Update to version 3.68.1:
- CVE-2021-43527: Fixed a Heap overflow in NSS when verifying DER-encoded DSA or RSA-PSS signatures (bsc#1193170).
ImportantSUSE bug 1193170CVE-2021-43527 at SUSECVE-2021-43527 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for openssh (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for openssh fixes the following issues:
- CVE-2021-41617: Fixed privilege escalation when AuthorizedKeysCommand/AuthorizedPrincipalsCommand are configured (bsc#1190975).
ImportantSUSE bug 1190975CVE-2021-41617 at SUSECVE-2021-41617 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
Update to Extended Support Release 91.4.0 (bsc#1193485):
- CVE-2021-43536: URL leakage when navigating while executing asynchronous function
- CVE-2021-43537: Heap buffer overflow when using structured clone
- CVE-2021-43538: Missing fullscreen and pointer lock notification when requesting both
- CVE-2021-43539: GC rooting failure when calling wasm instance methods
- CVE-2021-43541: External protocol handler parameters were unescaped
- CVE-2021-43542: XMLHttpRequest error codes could have leaked the existence of an external protocol handler
- CVE-2021-43543: Bypass of CSP sandbox directive when embedding
- CVE-2021-43545: Denial of Service when using the Location API in a loop
- CVE-2021-43546: Cursor spoofing could overlay user interface when native cursor is zoomed
- Memory safety bugs fixed in Firefox 95 and Firefox ESR 91.4
- Removed x-scheme-handler/ftp from MozillaFirefox.desktop (bsc#1193321)
ImportantSUSE bug 1193321SUSE bug 1193485CVE-2021-43536 at SUSECVE-2021-43536 at NVDCVE-2021-43537 at SUSECVE-2021-43537 at NVDCVE-2021-43538 at SUSECVE-2021-43538 at NVDCVE-2021-43539 at SUSECVE-2021-43539 at NVDCVE-2021-43541 at SUSECVE-2021-43541 at NVDCVE-2021-43542 at SUSECVE-2021-43542 at NVDCVE-2021-43543 at SUSECVE-2021-43543 at NVDCVE-2021-43545 at SUSECVE-2021-43545 at NVDCVE-2021-43546 at SUSECVE-2021-43546 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for glib-networking (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for glib-networking fixes the following issues:
- CVE-2020-13645: Fixed a connection failure when the server identity is unset (bsc#1172460).
ImportantSUSE bug 1172460CVE-2020-13645 at SUSECVE-2020-13645 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xorg-x11-server fixes the following issues:
- CVE-2021-4008: Fixed Privilege Escalation Vulnerability via Out-Of-Bounds Access in SProcRenderCompositeGlyphs (bsc#1193030).
ImportantSUSE bug 1193030CVE-2021-4008 at SUSECVE-2021-4008 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for log4j (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for log4j fixes the following issue:
- CVE-2021-4104: Disable the JMSAppender class from log4j to protect against
the log4jshell vulnerability. [bsc#1193662]
ImportantSUSE bug 1193662CVE-2021-4104 at SUSECVE-2021-4104 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xorg-x11-server fixes the following issues:
- CVE-2021-4009: The handler for the CreatePointerBarrier request of the XFixes
extension does not properly validate the request length leading to out of
bounds memory write. (bsc#1190487)
- CVE-2021-4011: The handlers for the RecordCreateContext and RecordRegisterClients
requests of the Record extension do not properly validate the request
length leading to out of bounds memory write. (bsc#1190489)
ImportantSUSE bug 1190487SUSE bug 1190489CVE-2021-4009 at SUSECVE-2021-4009 at NVDCVE-2021-4011 at SUSECVE-2021-4011 at NVDcpe:/o:suse:sles-bcl:12:sp3Recommended update for samba (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for samba fixes the following issues:
The username map advice from the CVE-2020-25717 advisory
note has undesired side effects for the local nt token. Fallback
to a SID/UID based mapping if the name based lookup fails (bsc#1192849).
ImportantSUSE bug 1192849CVE-2020-25717 at SUSECVE-2020-25717 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for chrony (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for chrony fixes the following issues:
Chrony was updated to 4.1:
* Add support for NTS servers specified by IP address (matching
Subject Alternative Name in server certificate)
* Add source-specific configuration of trusted certificates
* Allow multiple files and directories with trusted certificates
* Allow multiple pairs of server keys and certificates
* Add copy option to server/pool directive
* Increase PPS lock limit to 40% of pulse interval
* Perform source selection immediately after loading dump files
* Reload dump files for addresses negotiated by NTS-KE server
* Update seccomp filter and add less restrictive level
* Restart ongoing name resolution on online command
* Fix dump files to not include uncorrected offset
* Fix initstepslew to accept time from own NTP clients
* Reset NTP address and port when no longer negotiated by NTS-KE
server
- Update clknetsim to snapshot f89702d.
- Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689).
- Enable syscallfilter unconditionally (bsc#1181826).
Chrony was updated to 4.0:
Enhancements
- Add support for Network Time Security (NTS) authentication
- Add support for AES-CMAC keys (AES128, AES256) with Nettle
- Add authselectmode directive to control selection of
unauthenticated sources
- Add binddevice, bindacqdevice, bindcmddevice directives
- Add confdir directive to better support fragmented
configuration
- Add sourcedir directive and 'reload sources' command to
support dynamic NTP sources specified in files
- Add clockprecision directive
- Add dscp directive to set Differentiated Services Code Point
(DSCP)
- Add -L option to limit log messages by severity
- Add -p option to print whole configuration with included
files
- Add -U option to allow start under non-root user
- Allow maxsamples to be set to 1 for faster update with -q/-Q
option
- Avoid replacing NTP sources with sources that have
unreachable address
- Improve pools to repeat name resolution to get 'maxsources'
sources
- Improve source selection with trusted sources
- Improve NTP loop test to prevent synchronisation to itself
- Repeat iburst when NTP source is switched from offline state
to online
- Update clock synchronisation status and leap status more
frequently
- Update seccomp filter
- Add 'add pool' command
- Add 'reset sources' command to drop all measurements
- Add authdata command to print details about NTP
authentication
- Add selectdata command to print details about source
selection
- Add -N option and sourcename command to print original names
of sources
- Add -a option to some commands to print also unresolved
sources
- Add -k, -p, -r options to clients command to select, limit,
reset data
- Bug fixes
- Don’t set interface for NTP responses to allow asymmetric
routing
- Handle RTCs that don’t support interrupts
- Respond to command requests with correct address on
multihomed hosts
- Removed features
- Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
- Drop support for long (non-standard) MACs in NTPv4 packets
(chrony 2.x clients using non-MD5/SHA1 keys need to use
option 'version 3')
- By default we don't write log files but log to journald, so
only recommend logrotate.
- Adjust and rename the sysconfig file, so that it matches the
expectations of chronyd.service (bsc#1173277).
Chrony was updated to 3.5.1:
* Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)
- Add chrony-pool-suse and chrony-pool-openSUSE subpackages that
preconfigure chrony to use NTP servers from the respective
pools for SUSE and openSUSE (bsc#1156884, SLE-11424).
- Add chrony-pool-empty to still allow installing chrony without
preconfigured servers.
- Use iburst in the default pool statements to speed up initial
synchronisation (bsc#1172113).
- Update clknetsim to version 79ffe44 (fixes bsc#1162964).
Update to 3.5:
+ Add support for more accurate reading of PHC on Linux 5.0
+ Add support for hardware timestamping on interfaces with read-only timestamping configuration
+ Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
+ Update seccomp filter to work on more architectures
+ Validate refclock driver options
+ Fix bindaddress directive on FreeBSD
+ Fix transposition of hardware RX timestamp on Linux 4.13 and later
+ Fix building on non-glibc systems
- Fix location of helper script in chrony-dnssrv@.service (bsc#1128846).
- Read runtime servers from /var/run/netconfig/chrony.servers (bsc#1099272)
- Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share.
- Remove discrepancies between spec file and chrony-tmpfiles (bsc#1115529)
Update to version 3.4
* Enhancements
+ Add filter option to server/pool/peer directive
+ Add minsamples and maxsamples options to hwtimestamp directive
+ Add support for faster frequency adjustments in Linux 4.19
+ Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd
without root privileges to remove it on exit
+ Disable sub-second polling intervals for distant NTP sources
+ Extend range of supported sub-second polling intervals
+ Get/set IPv4 destination/source address of NTP packets on FreeBSD
+ Make burst options and command useful with short polling intervals
+ Modify auto_offline option to activate when sending request failed
+ Respond from interface that received NTP request if possible
+ Add onoffline command to switch between online and offline state
according to current system network configuration
+ Improve example NetworkManager dispatcher script
* Bug fixes
+ Avoid waiting in Linux getrandom system call
+ Fix PPS support on FreeBSD and NetBSD
Update to version 3.3
* Enhancements:
+ Add burst option to server/pool directive
+ Add stratum and tai options to refclock directive
+ Add support for Nettle crypto library
+ Add workaround for missing kernel receive timestamps on Linux
+ Wait for late hardware transmit timestamps
+ Improve source selection with unreachable sources
+ Improve protection against replay attacks on symmetric mode
+ Allow PHC refclock to use socket in /var/run/chrony
+ Add shutdown command to stop chronyd
+ Simplify format of response to manual list command
+ Improve handling of unknown responses in chronyc
* Bug fixes:
+ Respond to NTPv1 client requests with zero mode
+ Fix -x option to not require CAP_SYS_TIME under non-root user
+ Fix acquisitionport directive to work with privilege separation
+ Fix handling of socket errors on Linux to avoid high CPU usage
+ Fix chronyc to not get stuck in infinite loop after clock step
- Added /etc/chrony.d/ directory to the package (bsc#1083597) Modifed default chrony.conf to add 'include /etc/chrony.d/*'
- Enable pps support
Upgraded to version 3.2:
Enhancements
* Improve stability with NTP sources and reference clocks
* Improve stability with hardware timestamping
* Improve support for NTP interleaved modes
* Control frequency of system clock on macOS 10.13 and later
* Set TAI-UTC offset of system clock with leapsectz directive
* Minimise data in client requests to improve privacy
* Allow transmit-only hardware timestamping
* Add support for new timestamping options introduced in Linux 4.13
* Add root delay, root dispersion and maximum error to tracking log
* Add mindelay and asymmetry options to server/peer/pool directive
* Add extpps option to PHC refclock to timestamp external PPS signal
* Add pps option to refclock directive to treat any refclock as PPS
* Add width option to refclock directive to filter wrong pulse edges
* Add rxfilter option to hwtimestamp directive
* Add -x option to disable control of system clock
* Add -l option to log to specified file instead of syslog
* Allow multiple command-line options to be specified together
* Allow starting without root privileges with -Q option
* Update seccomp filter for new glibc versions
* Dump history on exit by default with dumpdir directive
* Use hardening compiler options by default
Bug fixes
* Don't drop PHC samples with low-resolution system clock
* Ignore outliers in PHC tracking, RTC tracking, manual input
* Increase polling interval when peer is not responding
* Exit with error message when include directive fails
* Don't allow slash after hostname in allow/deny directive/command
* Try to connect to all addresses in chronyc before giving up
Upgraded to version 3.1:
- Enhancements
- Add support for precise cross timestamping of PHC on Linux
- Add minpoll, precision, nocrossts options to hwtimestamp directive
- Add rawmeasurements option to log directive and modify measurements
option to log only valid measurements from synchronised sources
- Allow sub-second polling interval with NTP sources
- Bug fixes
- Fix time smoothing in interleaved mode
Upgraded to version 3.0:
- Enhancements
- Add support for software and hardware timestamping on Linux
- Add support for client/server and symmetric interleaved modes
- Add support for MS-SNTP authentication in Samba
- Add support for truncated MACs in NTPv4 packets
- Estimate and correct for asymmetric network jitter
- Increase default minsamples and polltarget to improve stability with very low jitter
- Add maxjitter directive to limit source selection by jitter
- Add offset option to server/pool/peer directive
- Add maxlockage option to refclock directive
- Add -t option to chronyd to exit after specified time
- Add partial protection against replay attacks on symmetric mode
- Don't reset polling interval when switching sources to online state
- Allow rate limiting with very short intervals
- Improve maximum server throughput on Linux and NetBSD
- Remove dump files after start
- Add tab-completion to chronyc with libedit/readline
- Add ntpdata command to print details about NTP measurements
- Allow all source options to be set in add server/peer command
- Indicate truncated addresses/hostnames in chronyc output
- Print reference IDs as hexadecimal numbers to avoid confusion with IPv4 addresses
- Bug fixes
- Fix crash with disabled asynchronous name resolving
Upgraded to version 2.4.1:
- Bug fixes
- Fix processing of kernel timestamps on non-Linux systems
- Fix crash with smoothtime directive
- Fix validation of refclock sample times
- Fix parsing of refclock directive
update to 2.4:
- Enhancements
- Add orphan option to local directive for orphan mode
compatible with ntpd
- Add distance option to local directive to set activation
threshold (1 second by default)
- Add maxdrift directive to set maximum allowed drift of system
clock
- Try to replace NTP sources exceeding maximum distance
- Randomise source replacement to avoid getting stuck with bad
sources
- Randomise selection of sources from pools on start
- Ignore reference timestamp as ntpd doesn't always set it
correctly
- Modify tracking report to use same values as seen by NTP
clients
- Add -c option to chronyc to write reports in CSV format
- Provide detailed manual pages
- Bug fixes
- Fix SOCK refclock to work correctly when not specified as
last refclock
- Fix initstepslew and -q/-Q options to accept time from own
NTP clients
- Fix authentication with keys using 512-bit hash functions
- Fix crash on exit when multiple signals are received
- Fix conversion of very small floating-point numbers in
command packets
ModerateSUSE bug 1063704SUSE bug 1069468SUSE bug 1082318SUSE bug 1083597SUSE bug 1099272SUSE bug 1115529SUSE bug 1128846SUSE bug 1156884SUSE bug 1159840SUSE bug 1161119SUSE bug 1162964SUSE bug 1171806SUSE bug 1172113SUSE bug 1173277SUSE bug 1173760SUSE bug 1174075SUSE bug 1174911SUSE bug 1180689SUSE bug 1181826SUSE bug 1183783SUSE bug 1184400SUSE bug 1187906SUSE bug 1190926CVE-2020-14367 at SUSECVE-2020-14367 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for python (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python fixes the following issues:
- buffer overflow in PyCArg_repr in _ctypes/callproc.c,
which may lead to remote code execution (bsc#1181126, CVE-2021-3177).
- Provide the newest setuptools wheel (bsc#1176262,
CVE-2019-20916) in their correct form (bsc#1180686).
ImportantSUSE bug 1176262SUSE bug 1180686SUSE bug 1181126CVE-2019-20916 at SUSECVE-2019-20916 at NVDCVE-2021-3177 at SUSECVE-2021-3177 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for openvswitch (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for openvswitch fixes the following issues:
- CVE-2020-35498: Fixed a denial of service related to the handling of Ethernet padding (bsc#1181742).
ImportantSUSE bug 1181742CVE-2020-35498 at SUSECVE-2020-35498 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-BCL
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).
- CVE-2020-25211: Fixed a buffer overflow in ctnetlink_parse_tuple_filter() which could be triggered by a local attackers by injecting conntrack netlink configuration (bnc#1176395).
- CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).
- CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).
- CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).
- CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).
- CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).
- CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).
- CVE-2020-4788: Fixed an issue with IBM Power9 processors could have allowed a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances (bsc#1177666).
- CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c which could have allowed local users to gain privileges or cause a denial of service (bsc#1179141).
- CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).
- CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).
- CVE-2020-27786: Fixed an out-of-bounds write in the MIDI implementation (bnc#1179601).
- CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).
- CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).
- CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).
- CVE-2020-28974: Fixed a slab-out-of-bounds read in fbcon which could have been used by local attackers to read privileged information or potentially crash the kernel (bsc#1178589).
- CVE-2020-28915: Fixed a buffer over-read in the fbcon code which could have been used by local attackers to read kernel memory (bsc#1178886).
- CVE-2020-25669: Fixed a use-after-free read in sunkbd_reinit() (bsc#1178182).
- CVE-2020-15437: Fixed a null pointer dereference which could have allowed local users to cause a denial of service(bsc#1179140).
- CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).
- CVE-2020-11668: Fixed the mishandling of invalid descriptors in the Xirlink camera USB driver (bnc#1168952).
- CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485).
- CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed (bsc#1179663).
- CVE-2018-10902: It was found that the raw midi kernel driver did not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation (bnc#1105322).
The following non-security bugs were fixed:
- cifs: do not revalidate mountpoint dentries (bsc#1177440).
- cifs: fix potential use-after-free in cifs_echo_request() (bsc#1139944).
- cifs: ignore revalidate failures in case of process gets signaled (bsc#1177440).
- epoll: Keep a reference on files added to the check list (bsc#1180031).
- fix regression in 'epoll: Keep a reference on files added to the check list' (bsc#1180031, git-fixes).
- futex: Avoid freeing an active timer (bsc#969755).
- futex: Avoid violating the 10th rule of futex (bsc#969755).
- futex: Change locking rules (bsc#969755).
- futex: Do not enable IRQs unconditionally in put_pi_state() (bsc#969755).
- futex: Drop hb->lock before enqueueing on the rtmutex (bsc#969755).
- futex: Fix incorrect should_fail_futex() handling (bsc#969755).
- futex: Fix more put_pi_state() vs. exit_pi_state_list() races (bsc#969755).
- futex: Fix OWNER_DEAD fixup (bsc#969755).
- futex: Fix pi_state->owner serialization (bsc#969755).
- futex: Fix small (and harmless looking) inconsistencies (bsc#969755).
- futex: Futex_unlock_pi() determinism (bsc#969755).
- futex: Handle early deadlock return correctly (bsc#969755).
- futex: Handle transient 'ownerless' rtmutex state correctly (bsc#969755).
- futex: Pull rt_mutex_futex_unlock() out from under hb->lock (bsc#969755).
- futex: Rework futex_lock_pi() to use rt_mutex_*_proxy_lock() (bsc#969755).
- futex: Rework inconsistent rt_mutex/futex_q state (bsc#969755).
- futex,rt_mutex: Fix rt_mutex_cleanup_proxy_lock() (bsc#969755).
- futex,rt_mutex: Introduce rt_mutex_init_waiter() (bsc#969755).
- futex,rt_mutex: Provide futex specific rt_mutex API (bsc#969755).
- futex,rt_mutex: Restructure rt_mutex_finish_proxy_lock() (bsc#969755).
- HID: Fix slab-out-of-bounds read in hid_field_extract (bsc#1180052).
- IB/hfi1: Clean up hfi1_user_exp_rcv_setup function (bsc#1179878).
- IB/hfi1: Clean up pin_vector_pages() function (bsc#1179878).
- IB/hfi1: Fix the bail out code in pin_vector_pages() function (bsc#1179878).
- IB/hfi1: Move structure definitions from user_exp_rcv.c to user_exp_rcv.h (bsc#1179878).
- IB/hfi1: Name function prototype parameters (bsc#1179878).
- IB/hfi1: Use filedata rather than filepointer (bsc#1179878).
- locking/futex: Allow low-level atomic operations to return -EAGAIN (bsc#969755).
- mm/userfaultfd: do not access vma->vm_mm after calling handle_userfault() (bsc#1179204).
- scsi: iscsi: Fix a potential deadlock in the timeout handler (bsc#1178272).
- Use r3 instead of r13 for l1d fallback flush in do_uaccess_fush (bsc#1181096 ltc#190883).
- video: hyperv_fb: include vmalloc.h (bsc#1175306).
ImportantSUSE bug 1105322SUSE bug 1105323SUSE bug 1139944SUSE bug 1168952SUSE bug 1173942SUSE bug 1175306SUSE bug 1176395SUSE bug 1176485SUSE bug 1177440SUSE bug 1177666SUSE bug 1178182SUSE bug 1178272SUSE bug 1178589SUSE bug 1178886SUSE bug 1179107SUSE bug 1179140SUSE bug 1179141SUSE bug 1179204SUSE bug 1179419SUSE bug 1179508SUSE bug 1179509SUSE bug 1179601SUSE bug 1179616SUSE bug 1179663SUSE bug 1179666SUSE bug 1179745SUSE bug 1179877SUSE bug 1179878SUSE bug 1179960SUSE bug 1179961SUSE bug 1180008SUSE bug 1180027SUSE bug 1180028SUSE bug 1180029SUSE bug 1180030SUSE bug 1180031SUSE bug 1180032SUSE bug 1180052SUSE bug 1180086SUSE bug 1180559SUSE bug 1180562SUSE bug 1180815SUSE bug 1181096SUSE bug 1181158SUSE bug 1181349SUSE bug 1181553SUSE bug 969755CVE-2018-10902 at SUSECVE-2018-10902 at NVDCVE-2019-20934 at SUSECVE-2019-20934 at NVDCVE-2020-0444 at SUSECVE-2020-0444 at NVDCVE-2020-0465 at SUSECVE-2020-0465 at NVDCVE-2020-0466 at SUSECVE-2020-0466 at NVDCVE-2020-11668 at SUSECVE-2020-11668 at NVDCVE-2020-15436 at SUSECVE-2020-15436 at NVDCVE-2020-15437 at SUSECVE-2020-15437 at NVDCVE-2020-25211 at SUSECVE-2020-25211 at NVDCVE-2020-25285 at SUSECVE-2020-25285 at NVDCVE-2020-25669 at SUSECVE-2020-25669 at NVDCVE-2020-27068 at SUSECVE-2020-27068 at NVDCVE-2020-27777 at SUSECVE-2020-27777 at NVDCVE-2020-27786 at SUSECVE-2020-27786 at NVDCVE-2020-27825 at SUSECVE-2020-27825 at NVDCVE-2020-27835 at SUSECVE-2020-27835 at NVDCVE-2020-28915 at SUSECVE-2020-28915 at NVDCVE-2020-28974 at SUSECVE-2020-28974 at NVDCVE-2020-29568 at SUSECVE-2020-29568 at NVDCVE-2020-29569 at SUSECVE-2020-29569 at NVDCVE-2020-29660 at SUSECVE-2020-29660 at NVDCVE-2020-29661 at SUSECVE-2020-29661 at NVDCVE-2020-36158 at SUSECVE-2020-36158 at NVDCVE-2020-4788 at SUSECVE-2020-4788 at NVDCVE-2021-3347 at SUSECVE-2021-3347 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for wpa_supplicant (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for wpa_supplicant fixes the following issues:
- CVE-2021-0326: P2P group information processing vulnerability (bsc#1181777).
- CVE-2019-16275: AP mode PMF disconnection protection bypass (bsc#1150934)
ImportantSUSE bug 1150934SUSE bug 1181777CVE-2019-16275 at SUSECVE-2019-16275 at NVDCVE-2021-0326 at SUSECVE-2021-0326 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for jasper (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for jasper fixes the following issues:
- bsc#1179748 CVE-2020-27828: Fix heap overflow by checking maxrlvls
- bsc#1181483 CVE-2021-3272: Fix buffer over-read in jp2_decode
ImportantSUSE bug 1179748SUSE bug 1181483CVE-2020-27828 at SUSECVE-2020-27828 at NVDCVE-2021-3272 at SUSECVE-2021-3272 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for screen (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for screen fixes the following issues:
- CVE-2021-26937: Fixed double width combining char handling that could lead to a denial of service or code execution (bsc#1182092).
ImportantSUSE bug 1182092CVE-2021-26937 at SUSECVE-2021-26937 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for bind (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for bind fixes the following issues:
- CVE-2020-8625: A vulnerability in BIND's GSSAPI security policy
negotiation can be targeted by a buffer overflow attack [bsc#1182246, CVE-2020-8625]
ImportantSUSE bug 1182246CVE-2020-8625 at SUSECVE-2020-8625 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_7_1-ibm fixes the following issues:
- Update to Java 7.1 Service Refresh 4 Fix Pack 80
[bsc#1182186, bsc#1181239, CVE-2020-27221, CVE-2020-14803]
* CVE-2020-27221: Potential for a stack-based buffer overflow
when the virtual machine or JNI natives are converting from
UTF-8 characters to platform encoding.
* CVE-2020-14803: Unauthenticated attacker with network access
via multiple protocols allows to compromise Java SE.
ImportantSUSE bug 1181239SUSE bug 1182186CVE-2020-14803 at SUSECVE-2020-14803 at NVDCVE-2020-27221 at SUSECVE-2020-27221 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for krb5-appl (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for krb5-appl fixes the following issues:
- CVE-2019-25017: Check the filenames sent by the server match those requested by the client (bsc#1131109).
- CVE-2019-25018: Disallow empty incoming filename or ones that refer to the current directory (bsc#1131109).
ImportantSUSE bug 1131109CVE-2019-25017 at SUSECVE-2019-25017 at NVDCVE-2019-25018 at SUSECVE-2019-25018 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_8_0-openjdk (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_8_0-openjdk fixes the following issues:
- Update to version jdk8u282 (icedtea 3.18.0)
* January 2021 CPU (bsc#1181239)
* Security fixes
+ JDK-8247619: Improve Direct Buffering of Characters (CVE-2020-14803)
* Import of OpenJDK 8 u282 build 01
+ JDK-6962725: Regtest javax/swing/JFileChooser/6738668/
/bug6738668.java fails under Linux
+ JDK-8025936: Windows .pdb and .map files does not have proper
dependencies setup
+ JDK-8030350: Enable additional compiler warnings for GCC
+ JDK-8031423: Test java/awt/dnd/DisposeFrameOnDragCrash/
/DisposeFrameOnDragTest.java fails by Timeout on Windows
+ JDK-8036122: Fix warning 'format not a string literal'
+ JDK-8051853: new
URI('x/').resolve('..').getSchemeSpecificPart() returns null!
+ JDK-8132664: closed/javax/swing/DataTransfer/DefaultNoDrop/
/DefaultNoDrop.java locks on Windows
+ JDK-8134632: Mark javax/sound/midi/Devices/
/InitializationHang.java as headful
+ JDK-8148854: Class names 'SomeClass' and 'LSomeClass;'
treated by JVM as an equivalent
+ JDK-8148916: Mark bug6400879.java as intermittently failing
+ JDK-8148983: Fix extra comma in changes for JDK-8148916
+ JDK-8160438: javax/swing/plaf/nimbus/8057791/bug8057791.java
fails
+ JDK-8165808: Add release barriers when allocating objects
with concurrent collection
+ JDK-8185003: JMX: Add a version of
ThreadMXBean.dumpAllThreads with a maxDepth argument
+ JDK-8202076: test/jdk/java/io/File/WinSpecialFiles.java on
windows with VS2017
+ JDK-8207766: [testbug] Adapt tests for Aix.
+ JDK-8212070: Introduce diagnostic flag to abort VM on failed
JIT compilation
+ JDK-8213448: [TESTBUG] enhance jfr/jvm/TestDumpOnCrash
+ JDK-8215727: Restore JFR thread sampler loop to old /
previous behavior
+ JDK-8220657: JFR.dump does not work when filename is set
+ JDK-8221342: [TESTBUG] Generate Dockerfile for docker testing
+ JDK-8224502: [TESTBUG] JDK docker test TestSystemMetrics.java
fails with access issues and OOM
+ JDK-8231209: [REDO] ThreadMXBean::getThreadAllocatedBytes()
can be quicker for self thread
+ JDK-8231968: getCurrentThreadAllocatedBytes default
implementation s/b getThreadAllocatedBytes
+ JDK-8232114: JVM crashed at imjpapi.dll in native code
+ JDK-8234270: [REDO] JDK-8204128 NMT might report incorrect
numbers for Compiler area
+ JDK-8234339: replace JLI_StrTok in java_md_solinux.c
+ JDK-8238448: RSASSA-PSS signature verification fail when
using certain odd key sizes
+ JDK-8242335: Additional Tests for RSASSA-PSS
+ JDK-8244225: stringop-overflow warning on strncpy call from
compile_the_world_in
+ JDK-8245400: Upgrade to LittleCMS 2.11
+ JDK-8248214: Add paddings for TaskQueueSuper to reduce
false-sharing cache contention
+ JDK-8249176: Update GlobalSignR6CA test certificates
+ JDK-8250665: Wrong translation for the month name of May in
ar_JO,LB,SY
+ JDK-8250928: JFR: Improve hash algorithm for stack traces
+ JDK-8251469: Better cleanup for
test/jdk/javax/imageio/SetOutput.java
+ JDK-8251840: Java_sun_awt_X11_XToolkit_getDefaultScreenData
should not be in make/mapfiles/libawt_xawt/mapfile-vers
+ JDK-8252384: [TESTBUG] Some tests refer to COMPAT provider
rather than JRE
+ JDK-8252395: [8u] --with-native-debug-symbols=external
doesn't include debuginfo files for binaries
+ JDK-8252497: Incorrect numeric currency code for ROL
+ JDK-8252754: Hash code calculation of JfrStackTrace is
inconsistent
+ JDK-8252904: VM crashes when JFR is used and JFR event class
is transformed
+ JDK-8252975: [8u] JDK-8252395 breaks the build for
--with-native-debug-symbols=internal
+ JDK-8253284: Zero OrderAccess barrier mappings are incorrect
+ JDK-8253550: [8u] JDK-8252395 breaks the build for make
STRIP_POLICY=no_strip
+ JDK-8253752: test/sun/management/jmxremote/bootstrap/
/RmiBootstrapTest.java fails randomly
+ JDK-8254081: java/security/cert/PolicyNode/
/GetPolicyQualifiers.java fails due to an expired certificate
+ JDK-8254144: Non-x86 Zero builds fail with return-type
warning in os_linux_zero.cpp
+ JDK-8254166: Zero: return-type warning in
zeroInterpreter_zero.cpp
+ JDK-8254683: [TEST_BUG] jdk/test/sun/tools/jconsole/
/WorkerDeadlockTest.java fails
+ JDK-8255003: Build failures on Solaris
ModerateSUSE bug 1181239CVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 6 Fix Pack 25
[bsc#1182186, bsc#1181239, CVE-2020-27221, CVE-2020-14803]
* CVE-2020-27221: Potential for a stack-based buffer overflow
when the virtual machine or JNI natives are converting from
UTF-8 characters to platform encoding.
* CVE-2020-14803: Unauthenticated attacker with network access
via multiple protocols allows to compromise Java SE.
ImportantSUSE bug 1181239SUSE bug 1182186CVE-2020-14803 at SUSECVE-2020-14803 at NVDCVE-2020-27221 at SUSECVE-2020-27221 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for perl-XML-Twig (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for perl-XML-Twig fixes the following issues:
- Security fix [bsc#1008644, CVE-2016-9180]
* Added: the no_xxe option to XML::Twig::new, which causes the
parse to fail if external entities are used (to prevent
malicious XML to access the filesystem).
* Setting expand_external_ents to 0 or -1 currently doesn't work
as expected; To completely turn off expanding external entities
use no_xxe.
* Update documentation for XML::Twig to mention problems with
expand_external_ents and add information about new no_xxe argument
ModerateSUSE bug 1008644CVE-2016-9180 at SUSECVE-2016-9180 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.8.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-08 (bsc#1182614)
* CVE-2021-23969: Content Security Policy violation report could have contained the destination of a redirect
* CVE-2021-23968: Content Security Policy violation report could have contained the destination of a redirect
* CVE-2021-23973: MediaError message property could have leaked information about cross-origin resources
* CVE-2021-23978: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8
ImportantSUSE bug 1182357SUSE bug 1182614CVE-2021-23968 at SUSECVE-2021-23968 at NVDCVE-2021-23969 at SUSECVE-2021-23969 at NVDCVE-2021-23973 at SUSECVE-2021-23973 at NVDCVE-2021-23978 at SUSECVE-2021-23978 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for python-cryptography (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python-cryptography fixes the following issues:
- CVE-2020-36242: Using the Fernet class to symmetrically encrypt multi gigabyte
values could result in an integer overflow and buffer overflow (bsc#1182066).
ImportantSUSE bug 1182066CVE-2020-36242 at SUSECVE-2020-36242 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for grub2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for grub2 fixes the following issues:
grub2 now implements the new 'SBAT' method for SHIM based secure boot revocation. (bsc#1182057)
Following security issues are fixed that can violate secure boot constraints:
- CVE-2020-25632: Fixed a use-after-free in rmmod command (bsc#1176711)
- CVE-2020-25647: Fixed an out-of-bound write in grub_usb_device_initialize() (bsc#1177883)
- CVE-2020-27749: Fixed a stack buffer overflow in grub_parser_split_cmdline (bsc#1179264)
- CVE-2020-27779, CVE-2020-14372: Disallow cutmem and acpi commands in secure boot mode (bsc#1179265 bsc#1175970)
- CVE-2021-20225: Fixed a heap out-of-bounds write in short form option parser (bsc#1182262)
- CVE-2021-20233: Fixed a heap out-of-bound write due to mis-calculation of space required for quoting (bsc#1182263)
ImportantSUSE bug 1175970SUSE bug 1176711SUSE bug 1177883SUSE bug 1179264SUSE bug 1179265SUSE bug 1182057SUSE bug 1182262SUSE bug 1182263CVE-2020-14372 at SUSECVE-2020-14372 at NVDCVE-2020-25632 at SUSECVE-2020-25632 at NVDCVE-2020-25647 at SUSECVE-2020-25647 at NVDCVE-2020-27749 at SUSECVE-2020-27749 at NVDCVE-2020-27779 at SUSECVE-2020-27779 at NVDCVE-2021-20225 at SUSECVE-2021-20225 at NVDCVE-2021-20233 at SUSECVE-2021-20233 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for openldap2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for openldap2 fixes the following issues:
- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the
X.509 DN parsing in decode.c ber_next_element, resulting in denial
of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN
parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash
in the Certificate List Exact Assertion processing, resulting in
denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the
cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the
saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash
in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd
crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the
saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact
Assertion processing, resulting in denial of service (schema_init.c
serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter
control handling, resulting in denial of service (double free and
out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur
in the issuerAndThisUpdateCheck function via a crafted packet,
resulting in a denial of service (daemon exit) via a short timestamp.
This is related to schema_init.c and checkTime.
ImportantSUSE bug 1182279SUSE bug 1182408SUSE bug 1182411SUSE bug 1182412SUSE bug 1182413SUSE bug 1182415SUSE bug 1182416SUSE bug 1182417SUSE bug 1182418SUSE bug 1182419SUSE bug 1182420CVE-2020-36221 at SUSECVE-2020-36221 at NVDCVE-2020-36222 at SUSECVE-2020-36222 at NVDCVE-2020-36223 at SUSECVE-2020-36223 at NVDCVE-2020-36224 at SUSECVE-2020-36224 at NVDCVE-2020-36225 at SUSECVE-2020-36225 at NVDCVE-2020-36226 at SUSECVE-2020-36226 at NVDCVE-2020-36227 at SUSECVE-2020-36227 at NVDCVE-2020-36228 at SUSECVE-2020-36228 at NVDCVE-2020-36229 at SUSECVE-2020-36229 at NVDCVE-2020-36230 at SUSECVE-2020-36230 at NVDCVE-2021-27212 at SUSECVE-2021-27212 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-BCL
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1181843).
- CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753).
- CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747).
- CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI target code which could have been used
by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#178372).
The following non-security bugs were fixed:
- cifs: report error instead of invalid when revalidating a dentry fails (bsc#1177440).
- xen/netback: fix spurious event detection for common event case (bsc#1182175).
ImportantSUSE bug 1177440SUSE bug 1178372SUSE bug 1181747SUSE bug 1181753SUSE bug 1181843SUSE bug 1182175CVE-2020-28374 at SUSECVE-2020-28374 at NVDCVE-2021-26930 at SUSECVE-2021-26930 at NVDCVE-2021-26931 at SUSECVE-2021-26931 at NVDCVE-2021-26932 at SUSECVE-2021-26932 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for wpa_supplicant (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for wpa_supplicant fixes the following issues:
- CVE-2021-27803: P2P provision discovery processing vulnerability (bsc#1182805)
ImportantSUSE bug 1182805CVE-2021-27803 at SUSECVE-2021-27803 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for git (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for git fixes the following issues:
- On case-insensitive filesystems, with support for symbolic links,
if Git is configured globally to apply delay-capable clean/smudge
filters (such as Git LFS), Git could be fooled into running
remote code during a clone. (bsc#1183026, CVE-2021-21300)
ImportantSUSE bug 1183026CVE-2021-21300 at SUSECVE-2021-21300 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for python (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python fixes the following issues:
- python27 was upgraded to 2.7.18
- CVE-2021-23336: Fixed a potential web cache poisoning by using a semicolon in query parameters use of semicolon as a query string separator (bsc#1182379).
ModerateSUSE bug 1182379CVE-2019-18348 at SUSECVE-2019-18348 at NVDCVE-2021-23336 at SUSECVE-2021-23336 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.6.1 ESR
* Fixed: Critical security issue MFSA 2021-01 (bsc#1180623)
* CVE-2020-16044
Use-after-free write when handling a malicious COOKIE-ECHO SCTP chunk
ImportantSUSE bug 1180623CVE-2020-16044 at SUSECVE-2020-16044 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for glib2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for glib2 fixes the following issues:
- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362)
ImportantSUSE bug 1182328SUSE bug 1182362CVE-2021-27218 at SUSECVE-2021-27218 at NVDCVE-2021-27219 at SUSECVE-2021-27219 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for wavpack (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for wavpack fixes the following issues:
- CVE-2020-35738: Fixed an out-of-bounds write in WavpackPackSamples (bsc#1180414).
ImportantSUSE bug 1180414CVE-2020-35738 at SUSECVE-2020-35738 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for nghttp2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for nghttp2 fixes the following issues:
Security issues fixed:
- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358).
- CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184).
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#1146182).
- CVE-2018-1000168: Fixed ALTSVC frame client side denial of service (bsc#1088639).
- CVE-2016-1544: Fixed out of memory due to unlimited incoming HTTP header fields (bsc#966514).
Bug fixes and enhancements:
- Packages must not mark license files as %doc (bsc#1082318)
- Typo in description of libnghttp2_asio1 (bsc#962914)
- Fixed mistake in spec file (bsc#1125689)
- Fixed build issue with boost 1.70.0 (bsc#1134616)
- Fixed build issue with GCC 6 (bsc#964140)
- Feature: Add W&S module (FATE#326776, bsc#1112438)
ImportantSUSE bug 1082318SUSE bug 1088639SUSE bug 1112438SUSE bug 1125689SUSE bug 1134616SUSE bug 1146182SUSE bug 1146184SUSE bug 1181358SUSE bug 962914SUSE bug 964140SUSE bug 966514CVE-2016-1544 at SUSECVE-2016-1544 at NVDCVE-2018-1000168 at SUSECVE-2018-1000168 at NVDCVE-2019-9511 at SUSECVE-2019-9511 at NVDCVE-2019-9513 at SUSECVE-2019-9513 at NVDCVE-2020-11080 at SUSECVE-2020-11080 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for openssl fixes the following issues:
- CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)
ModerateSUSE bug 1182331SUSE bug 1182333CVE-2021-23840 at SUSECVE-2021-23840 at NVDCVE-2021-23841 at SUSECVE-2021-23841 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
- Firefox was updated to 78.9.0 ESR (MFSA 2021-11, bsc#1183942)
* CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read
* CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage
* CVE-2021-23984: Malicious extensions could have spoofed popup information
* CVE-2021-23987: Memory safety bugs
ImportantSUSE bug 1183942CVE-2021-23981 at SUSECVE-2021-23981 at NVDCVE-2021-23982 at SUSECVE-2021-23982 at NVDCVE-2021-23984 at SUSECVE-2021-23984 at NVDCVE-2021-23987 at SUSECVE-2021-23987 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for openvpn (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for openvpn fixes the following issues:
- CVE-2022-0547: Fixed possible authentication bypass in external authentication plug-in (bsc#1197341).
ImportantSUSE bug 1197341CVE-2022-0547 at SUSECVE-2022-0547 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_7_1-ibm fixes the following issues:
Update Java 7.1 to Service Refresh 7 Fix Pack 5 (bsc#1197126).
Including fixes for the following vulnerabilities:
CVE-2022-21366, CVE-2022-21365, CVE-2022-21360, CVE-2022-21349,
CVE-2022-21341, CVE-2022-21340, CVE-2022-21305, CVE-2022-21277,
CVE-2022-21299, CVE-2022-21296, CVE-2022-21282, CVE-2022-21294,
CVE-2022-21293, CVE-2022-21291, CVE-2022-21283, CVE-2022-21248,
CVE-2022-21271.
ImportantSUSE bug 1194925SUSE bug 1194926SUSE bug 1194927SUSE bug 1194928SUSE bug 1194929SUSE bug 1194930SUSE bug 1194931SUSE bug 1194932SUSE bug 1194933SUSE bug 1194934SUSE bug 1194935SUSE bug 1194937SUSE bug 1194939SUSE bug 1194940SUSE bug 1194941SUSE bug 1196500SUSE bug 1197126CVE-2022-21248 at SUSECVE-2022-21248 at NVDCVE-2022-21271 at SUSECVE-2022-21271 at NVDCVE-2022-21277 at SUSECVE-2022-21277 at NVDCVE-2022-21282 at SUSECVE-2022-21282 at NVDCVE-2022-21283 at SUSECVE-2022-21283 at NVDCVE-2022-21291 at SUSECVE-2022-21291 at NVDCVE-2022-21293 at SUSECVE-2022-21293 at NVDCVE-2022-21294 at SUSECVE-2022-21294 at NVDCVE-2022-21296 at SUSECVE-2022-21296 at NVDCVE-2022-21299 at SUSECVE-2022-21299 at NVDCVE-2022-21305 at SUSECVE-2022-21305 at NVDCVE-2022-21340 at SUSECVE-2022-21340 at NVDCVE-2022-21341 at SUSECVE-2022-21341 at NVDCVE-2022-21349 at SUSECVE-2022-21349 at NVDCVE-2022-21360 at SUSECVE-2022-21360 at NVDCVE-2022-21365 at SUSECVE-2022-21365 at NVDCVE-2022-21366 at SUSECVE-2022-21366 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_8_0-ibm fixes the following issues:
Update Java 8.0 to Service Refresh 7 Fix Pack 5 (bsc#1197126).
Including fixes for the following vulnerabilities:
CVE-2022-21366, CVE-2022-21365, CVE-2022-21360, CVE-2022-21349,
CVE-2022-21341, CVE-2022-21340, CVE-2022-21305, CVE-2022-21277,
CVE-2022-21299, CVE-2022-21296, CVE-2022-21282, CVE-2022-21294,
CVE-2022-21293, CVE-2022-21291, CVE-2022-21283, CVE-2022-21248,
CVE-2022-21271.
Non-securtiy fix:
- Fixed a broken symlink for javaws (bsc#1195146).
ImportantSUSE bug 1194925SUSE bug 1194926SUSE bug 1194927SUSE bug 1194928SUSE bug 1194929SUSE bug 1194930SUSE bug 1194931SUSE bug 1194932SUSE bug 1194933SUSE bug 1194934SUSE bug 1194935SUSE bug 1194937SUSE bug 1194939SUSE bug 1194940SUSE bug 1194941SUSE bug 1195146SUSE bug 1196500SUSE bug 1197126CVE-2022-21248 at SUSECVE-2022-21248 at NVDCVE-2022-21271 at SUSECVE-2022-21271 at NVDCVE-2022-21277 at SUSECVE-2022-21277 at NVDCVE-2022-21282 at SUSECVE-2022-21282 at NVDCVE-2022-21283 at SUSECVE-2022-21283 at NVDCVE-2022-21291 at SUSECVE-2022-21291 at NVDCVE-2022-21293 at SUSECVE-2022-21293 at NVDCVE-2022-21294 at SUSECVE-2022-21294 at NVDCVE-2022-21296 at SUSECVE-2022-21296 at NVDCVE-2022-21299 at SUSECVE-2022-21299 at NVDCVE-2022-21305 at SUSECVE-2022-21305 at NVDCVE-2022-21340 at SUSECVE-2022-21340 at NVDCVE-2022-21341 at SUSECVE-2022-21341 at NVDCVE-2022-21349 at SUSECVE-2022-21349 at NVDCVE-2022-21360 at SUSECVE-2022-21360 at NVDCVE-2022-21365 at SUSECVE-2022-21365 at NVDCVE-2022-21366 at SUSECVE-2022-21366 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for zlib (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for zlib fixes the following issues:
- CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).
ImportantSUSE bug 1197459CVE-2018-25032 at SUSECVE-2018-25032 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 7 Fix Pack 0
- CVE-2021-41035: before version 0.29.0, the openj9 JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods. (bsc#1194198, bsc#1192052)
- CVE-2021-35586: Excessive memory allocation in BMPImageReader. (bsc#1191914)
- CVE-2021-35564: Certificates with end dates too far in the future can corrupt keystore. (bsc#1191913)
- CVE-2021-35559: Excessive memory allocation in RTFReader. (bsc#1191911)
- CVE-2021-35556: Excessive memory allocation in RTFParser. (bsc#1191910)
- CVE-2021-35565: Loop in HttpsServer triggered during TLS session close. (bsc#1191909)
- CVE-2021-35588: Incomplete validation of inner class references in ClassFileParser. (bsc#1191905)
- CVE-2021-2341: Fixed a flaw inside the FtpClient. (bsc#1188564)
- CVE-2021-2369: JAR file handling problem containing multiple MANIFEST.MF files. (bsc#1188565)
- CVE-2021-2163: Incomplete enforcement of JAR signing disabled algorithms. (bsc#1185055)
- CVE-2021-35560: Fixed a vulnerability in the component Deployment. (bsc#1191902)
- CVE-2021-35578: Fixed unexpected exception raised during TLS handshake. (bsc#1191904)
ImportantSUSE bug 1185055SUSE bug 1188564SUSE bug 1188565SUSE bug 1191902SUSE bug 1191904SUSE bug 1191905SUSE bug 1191909SUSE bug 1191910SUSE bug 1191911SUSE bug 1191913SUSE bug 1191914SUSE bug 1192052SUSE bug 1194198SUSE bug 1194232CVE-2021-2163 at SUSECVE-2021-2163 at NVDCVE-2021-2341 at SUSECVE-2021-2341 at NVDCVE-2021-2369 at SUSECVE-2021-2369 at NVDCVE-2021-35556 at SUSECVE-2021-35556 at NVDCVE-2021-35559 at SUSECVE-2021-35559 at NVDCVE-2021-35560 at SUSECVE-2021-35560 at NVDCVE-2021-35564 at SUSECVE-2021-35564 at NVDCVE-2021-35565 at SUSECVE-2021-35565 at NVDCVE-2021-35578 at SUSECVE-2021-35578 at NVDCVE-2021-35586 at SUSECVE-2021-35586 at NVDCVE-2021-35588 at SUSECVE-2021-35588 at NVDCVE-2021-41035 at SUSECVE-2021-41035 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for mozilla-nss (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for mozilla-nss fixes the following issues:
Mozilla NSS 3.68.3 (bsc#1197903):
- CVE-2022-1097: Fixed memory safety violations that could occur when PKCS#11
tokens are removed while in use.
ImportantSUSE bug 1197903CVE-2022-1097 at SUSECVE-2022-1097 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.8.0 ESR (bsc#1197903):
MFSA 2022-14 (bsc#1197903)
* CVE-2022-1097: Fixed memory safety violations that could occur when PKCS#11 tokens are removed while in use
* CVE-2022-28281: Fixed an out of bounds write due to unexpected WebAuthN Extensions
* CVE-2022-1196: Fixed a use-after-free after VR Process destruction
* CVE-2022-28282: Fixed a use-after-free in DocumentL10n::TranslateDocument
* CVE-2022-28285: Fixed incorrect AliasSet used in JIT Codegen
* CVE-2022-28286: Fixed that iframe contents could be rendered outside the border
* CVE-2022-24713: Fixed a denial of service via complex regular expressions
* CVE-2022-28289: Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8
ImportantSUSE bug 1197903CVE-2022-1097 at SUSECVE-2022-1097 at NVDCVE-2022-1196 at SUSECVE-2022-1196 at NVDCVE-2022-24713 at SUSECVE-2022-24713 at NVDCVE-2022-28281 at SUSECVE-2022-28281 at NVDCVE-2022-28282 at SUSECVE-2022-28282 at NVDCVE-2022-28285 at SUSECVE-2022-28285 at NVDCVE-2022-28286 at SUSECVE-2022-28286 at NVDCVE-2022-28289 at SUSECVE-2022-28289 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for glibc (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for glibc fixes the following issues:
- CVE-2020-1752: Fix use-after-free in glob when expanding ~user (bsc#1167631)
ImportantSUSE bug 1167631CVE-2020-1752 at SUSECVE-2020-1752 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for openjpeg2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for openjpeg2 fixes the following issues:
- CVE-2016-1924: Fixed heap buffer overflow (bsc#980504).
- CVE-2016-3183: Fixed out-of-bounds read in sycc422_to_rgb function (bsc#971617).
- CVE-2016-4797: Fixed heap buffer overflow (bsc#980504).
- CVE-2018-14423: Fixed division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_next_cprl,and pi_next_rpcl in lib/openjp3d/pi.c (bsc#1102016).
- CVE-2018-16375: Fixed missing checks for header_info.height and header_info.width in the function pnmtoimage in bin/jpwl/convert.c (bsc#1106882).
- CVE-2018-16376: Fixed heap-based buffer overflow function t2_encode_packet in lib/openmj2/t2.c (bsc#1106881).
- CVE-2018-20845: Fixed division-by-zero in the functions pi_next_pcrl, pi_next_cprl, and pi_next_rpcl in openmj2/pi.c (bsc#1140130).
- CVE-2018-20846: Fixed out-of-bounds accesses in pi_next_lrcp, pi_next_rlcp, pi_next_rpcl, pi_next_pcrl, pi_next_rpcl, and pi_next_cprl in openmj2/pi.c (bsc#1140205).
- CVE-2020-8112: Fixed heap-based buffer overflow in opj_t1_clbl_decode_processor in openjp2/t1.c (bsc#1162090).
- CVE-2020-15389: Fixed use-after-free if t a mix of valid and invalid files in a directory operated on by the decompressor (bsc#1173578).
- CVE-2020-27823: Fixed heap buffer over-write in opj_tcd_dc_level_shift_encode() (bsc#1180457).
- CVE-2021-29338: Fixed integer overflow that allows remote attackers to crash the application (bsc#1184774).
- CVE-2022-1122: Fixed segmentation fault in opj2_decompress due to uninitialized pointer (bsc#1197738).
ImportantSUSE bug 1102016SUSE bug 1106881SUSE bug 1106882SUSE bug 1140130SUSE bug 1140205SUSE bug 1162090SUSE bug 1173578SUSE bug 1180457SUSE bug 1184774SUSE bug 1197738SUSE bug 971617SUSE bug 980504CVE-2016-1924 at SUSECVE-2016-1924 at NVDCVE-2016-3183 at SUSECVE-2016-3183 at NVDCVE-2016-4797 at SUSECVE-2016-4797 at NVDCVE-2018-14423 at SUSECVE-2018-14423 at NVDCVE-2018-16375 at SUSECVE-2018-16375 at NVDCVE-2018-16376 at SUSECVE-2018-16376 at NVDCVE-2018-20845 at SUSECVE-2018-20845 at NVDCVE-2018-20846 at SUSECVE-2018-20846 at NVDCVE-2020-15389 at SUSECVE-2020-15389 at NVDCVE-2020-27823 at SUSECVE-2020-27823 at NVDCVE-2020-8112 at SUSECVE-2020-8112 at NVDCVE-2021-29338 at SUSECVE-2021-29338 at NVDCVE-2022-1122 at SUSECVE-2022-1122 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
- CVE-2021-4140: Fixed iframe sandbox bypass with XSLT (bsc#1194547).
- CVE-2022-22737: Fixed race condition when playing audio files (bsc#1194547).
- CVE-2022-22738: Fixed heap-buffer-overflow in blendGaussianBlur (bsc#1194547).
- CVE-2022-22739: Fixed missing throttling on external protocol launch dialog (bsc#1194547).
- CVE-2022-22740: Fixed use-after-free of ChannelEventQueue::mOwner (bsc#1194547).
- CVE-2022-22741: Fixed browser window spoof using fullscreen mode (bsc#1194547).
- CVE-2022-22742: Fixed out-of-bounds memory access when inserting text in edit mode (bsc#1194547).
- CVE-2022-22743: Fixed browser window spoof using fullscreen mode (bsc#1194547).
- CVE-2022-22744: Fixed possible command injection via the 'Copy as curl' feature in DevTools (bsc#1194547).
- CVE-2022-22745: Fixed leaking cross-origin URLs through securitypolicyviolation event (bsc#1194547).
- CVE-2022-22746: Fixed calling into reportValidity could have lead to fullscreen window spoof (bsc#1194547).
- CVE-2022-22747: Fixed crash when handling empty pkcs7 sequence(bsc#1194547).
- CVE-2022-22748: Fixed spoofed origin on external protocol launch dialog (bsc#1194547).
- CVE-2022-22751: Fixed memory safety bugs (bsc#1194547).
ImportantSUSE bug 1194547CVE-2021-4140 at SUSECVE-2021-4140 at NVDCVE-2022-22737 at SUSECVE-2022-22737 at NVDCVE-2022-22738 at SUSECVE-2022-22738 at NVDCVE-2022-22739 at SUSECVE-2022-22739 at NVDCVE-2022-22740 at SUSECVE-2022-22740 at NVDCVE-2022-22741 at SUSECVE-2022-22741 at NVDCVE-2022-22742 at SUSECVE-2022-22742 at NVDCVE-2022-22743 at SUSECVE-2022-22743 at NVDCVE-2022-22744 at SUSECVE-2022-22744 at NVDCVE-2022-22745 at SUSECVE-2022-22745 at NVDCVE-2022-22746 at SUSECVE-2022-22746 at NVDCVE-2022-22747 at SUSECVE-2022-22747 at NVDCVE-2022-22748 at SUSECVE-2022-22748 at NVDCVE-2022-22751 at SUSECVE-2022-22751 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xz (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xz fixes the following issues:
- CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)
ImportantSUSE bug 1198062CVE-2022-1271 at SUSECVE-2022-1271 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libexif (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libexif fixes the following issues:
- CVE-2020-0181: Fixed an integer overflow that could lead to denial of service
(bsc#1172802).
- CVE-2020-0198: Fixed and unsigned integer overflow that could lead to denial
of service (bsc#1172768).
- CVE-2020-0452: Fixed a buffer overflow check that could be optimized away
by the compiler (bsc#1178479).
ImportantSUSE bug 1172768SUSE bug 1172802SUSE bug 1178479CVE-2020-0181 at SUSECVE-2020-0181 at NVDCVE-2020-0198 at SUSECVE-2020-0198 at NVDCVE-2020-0452 at SUSECVE-2020-0452 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-BCL
The SUSE Linux Enterprise 12 SP3 kernel was updated.
The following security bugs were fixed:
- CVE-2022-1016: Fixed a vulnerability in the nf_tables component of the netfilter subsystem. This vulnerability gives an attacker a powerful primitive that can be used to both read from and write to relative stack data, which can lead to arbitrary code execution. (bsc#1197227)
- CVE-2022-1048: Fixed a race Condition in snd_pcm_hw_free leading to use-after-free due to the AB/BA lock with buffer_mutex and mmap_lock. (bsc#1197331)
- CVE-2022-0850: Fixed a kernel information leak vulnerability in iov_iter.c. (bsc#1196761)
- CVE-2021-45868: Fixed a wrong validation check in fs/quota/quota_tree.c which could lead to an use-after-free if there is a corrupted quota file. (bnc#1197366)
- CVE-2022-26966: Fixed an issue in drivers/net/usb/sr9700.c, which allowed attackers to obtain sensitive information from the memory via crafted frame lengths from a USB device. (bsc#1196836)
- CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042: Fixed multiple issues which could have lead to read/write access to memory pages or denial of service. These issues are related to the Xen PV device frontend drivers. (bsc#1196488)
- CVE-2022-26490: Fixed a buffer overflow in the st21nfca driver. An attacker with adjacent NFC access could crash the system or corrupt the system memory. (bsc#1196830)
The following non-security bugs were fixed:
- ax88179_178a: Merge memcpy + le32_to_cpus to get_unaligned_le32 (bsc#1196018).
- clocksource: Initialize cs->wd_list (git-fixes)
- llc: fix netdevice reference leaks in llc_ui_bind() (git-fixes).
- net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup (bsc#1196018).
- net: usb: ax88179_178a: fix packet alignment padding (bsc#1196018).
- sched/autogroup: Fix possible Spectre-v1 indexing for (git-fixes)
- sr9700: sanity check for packet length (bsc#1196836).
- usb: host: xen-hcd: add missing unlock in error path (git-fixes).
- xen/usb: do not use gnttab_end_foreign_access() in xenhcd_gnttab_done() (bsc#1196488, XSA-396).
ImportantSUSE bug 1189562SUSE bug 1196018SUSE bug 1196488SUSE bug 1196761SUSE bug 1196830SUSE bug 1196836SUSE bug 1197227SUSE bug 1197331SUSE bug 1197366CVE-2021-45868 at SUSECVE-2021-45868 at NVDCVE-2022-0850 at SUSECVE-2022-0850 at NVDCVE-2022-1016 at SUSECVE-2022-1016 at NVDCVE-2022-1048 at SUSECVE-2022-1048 at NVDCVE-2022-23036 at SUSECVE-2022-23036 at NVDCVE-2022-23037 at SUSECVE-2022-23037 at NVDCVE-2022-23038 at SUSECVE-2022-23038 at NVDCVE-2022-23039 at SUSECVE-2022-23039 at NVDCVE-2022-23040 at SUSECVE-2022-23040 at NVDCVE-2022-23041 at SUSECVE-2022-23041 at NVDCVE-2022-23042 at SUSECVE-2022-23042 at NVDCVE-2022-26490 at SUSECVE-2022-26490 at NVDCVE-2022-26966 at SUSECVE-2022-26966 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for gzip (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for gzip fixes the following issues:
- CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)
ImportantSUSE bug 1198062CVE-2022-1271 at SUSECVE-2022-1271 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for dnsmasq (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for dnsmasq fixes the following issues:
- CVE-2021-3448: Fixed a potential DNS cache poisoning issue due to a constant
outgoing port being used when for certain use cases of the --server option
(bsc#1183709).
- CVE-2022-0934: Fixed an invalid memory access that could lead to remote denial
of service via crafted packet (bsc#1197872).
ImportantSUSE bug 1183709SUSE bug 1197872CVE-2021-3448 at SUSECVE-2021-3448 at NVDCVE-2022-0934 at SUSECVE-2022-0934 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for tomcat (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for tomcat fixes the following issues:
- Remove the log4j dependency as it is not used by the tomcat package (bsc#1196137)
Security hardening, related to Spring Framework vulnerabilities:
- Deprecate getResources() and always return null (bsc#1198136).
ImportantSUSE bug 1196137SUSE bug 1198136cpe:/o:suse:sles-bcl:12:sp3Security update for git (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for git fixes the following issues:
- CVE-2022-24765: Fixed a potential command injection via git worktree (bsc#1198234).
ImportantSUSE bug 1198234CVE-2022-24765 at SUSECVE-2022-24765 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libxml2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libxml2 fixes the following issues:
- CVE-2022-23308: Fixed use-after-free of ID and IDREF attributes. (bsc#1196490)
ImportantSUSE bug 1196490CVE-2022-23308 at SUSECVE-2022-23308 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for SDL (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for SDL fixes the following issues:
- CVE-2020-14409: Fixed an integer overflow (and resultant SDL_memcpy heap corruption) in SDL_BlitCopy in video/SDL_blit_copy.c. (bsc#1181202)
- CVE-2020-14410: Fixed a heap-based buffer over-read in Blit_3or4_to_3or4__inversed_rgb in video/SDL_blit_N.c. (bsc#1181201)
- CVE-2021-33657: Fixed a Heap overflow problem in video/SDL_pixels.c. (bsc#1198001)
ImportantSUSE bug 1181201SUSE bug 1181202SUSE bug 1198001CVE-2020-14409 at SUSECVE-2020-14409 at NVDCVE-2020-14410 at SUSECVE-2020-14410 at NVDCVE-2021-33657 at SUSECVE-2021-33657 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xen fixes the following issues:
- CVE-2022-26356: Fixed potential race conditions in dirty memory tracking that
could cause a denial of service in the host (bsc#1197423).
- CVE-2022-26357: Fixed a potential race condition in memory cleanup for hosts
using VT-d IOMMU hardware, which could lead to a denial of service in the host
(bsc#1197425).
- CVE-2022-26358,CVE-2022-26359,CVE-2022-26360,CVE-2022-26361: Fixed various memory
corruption issues for hosts using VT-d or AMD-Vi IOMMU hardware. These could be
leveraged by an attacker to cause a denial of service in the host (bsc#1197426).
- CVE-2022-0001, CVE-2022-0002, CVE-2021-26401: Added BHB speculation issue
mitigations (bsc#1196915).
ImportantSUSE bug 1196915SUSE bug 1197423SUSE bug 1197425SUSE bug 1197426CVE-2021-26401 at SUSECVE-2021-26401 at NVDCVE-2022-0001 at SUSECVE-2022-0001 at NVDCVE-2022-0002 at SUSECVE-2022-0002 at NVDCVE-2022-26356 at SUSECVE-2022-26356 at NVDCVE-2022-26357 at SUSECVE-2022-26357 at NVDCVE-2022-26358 at SUSECVE-2022-26358 at NVDCVE-2022-26359 at SUSECVE-2022-26359 at NVDCVE-2022-26360 at SUSECVE-2022-26360 at NVDCVE-2022-26361 at SUSECVE-2022-26361 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.34.3 (bsc#1194019).
- CVE-2021-30887: Fixed logic issue allowing unexpectedly unenforced Content Security Policy when processing maliciously crafted web content.
- CVE-2021-30890: Fixed logic issue allowing universal cross site scripting when processing maliciously crafted web content.
ImportantSUSE bug 1194019CVE-2018-8518 at SUSECVE-2018-8518 at NVDCVE-2018-8523 at SUSECVE-2018-8523 at NVDCVE-2019-8551 at SUSECVE-2019-8551 at NVDCVE-2019-8558 at SUSECVE-2019-8558 at NVDCVE-2019-8559 at SUSECVE-2019-8559 at NVDCVE-2019-8563 at SUSECVE-2019-8563 at NVDCVE-2019-8674 at SUSECVE-2019-8674 at NVDCVE-2019-8681 at SUSECVE-2019-8681 at NVDCVE-2019-8684 at SUSECVE-2019-8684 at NVDCVE-2019-8687 at SUSECVE-2019-8687 at NVDCVE-2019-8688 at SUSECVE-2019-8688 at NVDCVE-2019-8689 at SUSECVE-2019-8689 at NVDCVE-2019-8690 at SUSECVE-2019-8690 at NVDCVE-2019-8707 at SUSECVE-2019-8707 at NVDCVE-2019-8719 at SUSECVE-2019-8719 at NVDCVE-2019-8726 at SUSECVE-2019-8726 at NVDCVE-2019-8733 at SUSECVE-2019-8733 at NVDCVE-2019-8763 at SUSECVE-2019-8763 at NVDCVE-2019-8765 at SUSECVE-2019-8765 at NVDCVE-2019-8766 at SUSECVE-2019-8766 at NVDCVE-2019-8768 at SUSECVE-2019-8768 at NVDCVE-2019-8782 at SUSECVE-2019-8782 at NVDCVE-2019-8808 at SUSECVE-2019-8808 at NVDCVE-2019-8815 at SUSECVE-2019-8815 at NVDCVE-2019-8821 at SUSECVE-2019-8821 at NVDCVE-2019-8822 at SUSECVE-2019-8822 at NVDCVE-2020-10018 at SUSECVE-2020-10018 at NVDCVE-2020-13753 at SUSECVE-2020-13753 at NVDCVE-2020-27918 at SUSECVE-2020-27918 at NVDCVE-2020-29623 at SUSECVE-2020-29623 at NVDCVE-2020-3885 at SUSECVE-2020-3885 at NVDCVE-2020-3894 at SUSECVE-2020-3894 at NVDCVE-2020-3895 at SUSECVE-2020-3895 at NVDCVE-2020-3897 at SUSECVE-2020-3897 at NVDCVE-2020-3900 at SUSECVE-2020-3900 at NVDCVE-2020-3901 at SUSECVE-2020-3901 at NVDCVE-2020-3902 at SUSECVE-2020-3902 at NVDCVE-2020-9802 at SUSECVE-2020-9802 at NVDCVE-2020-9803 at SUSECVE-2020-9803 at NVDCVE-2020-9805 at SUSECVE-2020-9805 at NVDCVE-2020-9947 at SUSECVE-2020-9947 at NVDCVE-2020-9948 at SUSECVE-2020-9948 at NVDCVE-2020-9951 at SUSECVE-2020-9951 at NVDCVE-2020-9952 at SUSECVE-2020-9952 at NVDCVE-2021-1765 at SUSECVE-2021-1765 at NVDCVE-2021-1788 at SUSECVE-2021-1788 at NVDCVE-2021-1817 at SUSECVE-2021-1817 at NVDCVE-2021-1820 at SUSECVE-2021-1820 at NVDCVE-2021-1825 at SUSECVE-2021-1825 at NVDCVE-2021-1826 at SUSECVE-2021-1826 at NVDCVE-2021-1844 at SUSECVE-2021-1844 at NVDCVE-2021-1871 at SUSECVE-2021-1871 at NVDCVE-2021-30661 at SUSECVE-2021-30661 at NVDCVE-2021-30666 at SUSECVE-2021-30666 at NVDCVE-2021-30682 at SUSECVE-2021-30682 at NVDCVE-2021-30761 at SUSECVE-2021-30761 at NVDCVE-2021-30762 at SUSECVE-2021-30762 at NVDCVE-2021-30809 at SUSECVE-2021-30809 at NVDCVE-2021-30818 at SUSECVE-2021-30818 at NVDCVE-2021-30823 at SUSECVE-2021-30823 at NVDCVE-2021-30836 at SUSECVE-2021-30836 at NVDCVE-2021-30846 at SUSECVE-2021-30846 at NVDCVE-2021-30848 at SUSECVE-2021-30848 at NVDCVE-2021-30849 at SUSECVE-2021-30849 at NVDCVE-2021-30851 at SUSECVE-2021-30851 at NVDCVE-2021-30858 at SUSECVE-2021-30858 at NVDCVE-2021-30884 at SUSECVE-2021-30884 at NVDCVE-2021-30887 at SUSECVE-2021-30887 at NVDCVE-2021-30888 at SUSECVE-2021-30888 at NVDCVE-2021-30889 at SUSECVE-2021-30889 at NVDCVE-2021-30890 at SUSECVE-2021-30890 at NVDCVE-2021-30897 at SUSECVE-2021-30897 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for cifs-utils (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for cifs-utils fixes the following issues:
- CVE-2022-27239: Fixed a buffer overflow in the command line ip option (bsc#1197216).
ImportantSUSE bug 1197216CVE-2022-27239 at SUSECVE-2022-27239 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for aide (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for aide fixes the following issues:
- CVE-2021-45417: Fix a bufferoverflow in base64 functions (bsc#1194735)
ImportantSUSE bug 1194735CVE-2021-45417 at SUSECVE-2021-45417 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
This update contains the Firefox Extended Support Release 91.1.0 ESR.
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-40 (bsc#1190269, bsc#1190274):
* CVE-2021-38492: Navigating to `mk:` URL scheme could load Internet Explorer
* CVE-2021-38495: Memory safety bugs fixed in Firefox 92 and Firefox ESR 91.1
Firefox 91.0.1esr ESR
* Fixed: Fixed an issue causing buttons on the tab bar to be
resized when loading certain websites (bug 1704404)
* Fixed: Fixed an issue which caused tabs from private windows
to be visible in non-private windows when viewing switch-to-
tab results in the address bar panel (bug 1720369)
* Fixed: Various stability fixes
* Fixed: Security fix MFSA 2021-37 (bsc#1189547)
* CVE-2021-29991 (bmo#1724896)
Header Splitting possible with HTTP/3 Responses
Firefox Extended Support Release 91.0 ESR
* New: Some of the highlights of the new Extended Support Release are:
- A number of user interface changes. For more information,
see the Firefox 89 release notes.
- Firefox now supports logging into Microsoft, work, and
school accounts using Windows single sign-on. Learn more
- On Windows, updates can now be applied in the background
while Firefox is not running.
- Firefox for Windows now offers a new page about:third-party
to help identify compatibility issues caused by third-party
applications
- Version 2 of Firefox's SmartBlock feature further improves
private browsing. Third party Facebook scripts are blocked to
prevent you from being tracked, but are now automatically
loaded 'just in time' if you decide to 'Log in with Facebook'
on any website.
- Enhanced the privacy of the Firefox Browser's Private
Browsing mode with Total Cookie Protection, which confines
cookies to the site where they were created, preventing
companis from using cookies to track your browsing across
sites. This feature was originally launched in Firefox's ETP
Strict mode.
- PDF forms now support JavaScript embedded in PDF files.
Some PDF forms use JavaScript for validation and other
interactive features.
- You'll encounter less website breakage in Private Browsing
and Strict Enhanced Tracking Protection with SmartBlock,
which provides stand-in scripts so that websites load
properly.
- Improved Print functionality with a cleaner design and
better integration with your computer's printer settings.
- Firefox now protects you from supercookies, a type of
tracker that can stay hidden in your browser and track you
online, even after you clear cookies. By isolating
supercookies, Firefox prevents them from tracking your web
browsing from one site to the next.
- Firefox now remembers your preferred location for saved
bookmarks, displays the bookmarks toolbar by default on new
tabs, and gives you easy access to all of your bookmarks via
a toolbar folder.
- Native support for macOS devices built with Apple Silicon
CPUs brings dramatic performance improvements over the non-
native build that was shipped in Firefox 83: Firefox launches
over 2.5 times faster and web apps are now twice as
responsive (per the SpeedoMeter 2.0 test). If you are on a
new Apple device, follow these steps to upgrade to the latest
Firefox.
- Pinch zooming will now be supported for our users with
Windows touchscreen devices and touchpads on Mac devices.
Firefox users may now use pinch to zoom on touch-capable
devices to zoom in and out of webpages.
- We’ve improved functionality and design for a number of
Firefox search features:
* Selecting a search engine at the bottom of the search
panel now enters search mode for that engine, allowing you to
see suggestions (if available) for your search terms. The old
behavior (immediately performing a search) is available with
a shift-click.
* When Firefox autocompletes the URL of one of your search
engines, you can now search with that engine directly in the
address bar by selecting the shortcut in the address bar
results.
* We’ve added buttons at the bottom of the search panel to
allow you to search your bookmarks, open tabs, and history.
- Firefox supports AcroForm, which will allow you to fill in,
print, and save supported PDF forms and the PDF viewer also
has a new fresh look.
- For our users in the US and Canada, Firefox can now save,
manage, and auto-fill credit card information for you, making
shopping on Firefox ever more convenient.
- In addition to our default, dark and light themes, with
this release, Firefox introduces the Alpenglow theme: a
colorful appearance for buttons, menus, and windows. You can
update your Firefox themes under settings or preferences.
* Changed: Firefox no longer supports Adobe Flash. There is no
setting available to re-enable Flash support.
* Enterprise: Various bug fixes and new policies have been
implemented in the latest version of Firefox. See more
details in the Firefox for Enterprise 91 Release Notes.
MFSA 2021-33 (bsc#1188891):
* CVE-2021-29986: Race condition when resolving DNS names could have led to
memory corruption
* CVE-2021-29981: Live range splitting could have led to conflicting
assignments in the JIT
* CVE-2021-29988: Memory corruption as a result of incorrect style treatment
* CVE-2021-29983: Firefox for Android could get stuck in fullscreen mode
* CVE-2021-29984: Incorrect instruction reordering during JIT optimization
* CVE-2021-29980: Uninitialized memory in a canvas object could have led to
memory corruption
* CVE-2021-29987: Users could have been tricked into accepting unwanted
permissions on Linux
* CVE-2021-29985: Use-after-free media channels
* CVE-2021-29982: Single bit data leak due to incorrect JIT optimization and
type confusion
* CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
* CVE-2021-29990: Memory safety bugs fixed in Firefox 91
ImportantSUSE bug 1188891SUSE bug 1189547SUSE bug 1190269SUSE bug 1190274CVE-2021-29980 at SUSECVE-2021-29980 at NVDCVE-2021-29981 at SUSECVE-2021-29981 at NVDCVE-2021-29982 at SUSECVE-2021-29982 at NVDCVE-2021-29983 at SUSECVE-2021-29983 at NVDCVE-2021-29984 at SUSECVE-2021-29984 at NVDCVE-2021-29985 at SUSECVE-2021-29985 at NVDCVE-2021-29986 at SUSECVE-2021-29986 at NVDCVE-2021-29987 at SUSECVE-2021-29987 at NVDCVE-2021-29988 at SUSECVE-2021-29988 at NVDCVE-2021-29989 at SUSECVE-2021-29989 at NVDCVE-2021-29990 at SUSECVE-2021-29990 at NVDCVE-2021-29991 at SUSECVE-2021-29991 at NVDCVE-2021-38492 at SUSECVE-2021-38492 at NVDCVE-2021-38495 at SUSECVE-2021-38495 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for zsh (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for zsh fixes the following issues:
- CVE-2018-0502: Fixed execve call vulnerability to program named on the second line when the beginning of a #! script file was mishandled. (bsc#1107296, bsc#1107294)
- CVE-2018-13259: Fixed execve call vulnerability to program name that is a substring of the intended one. (bsc#1107296, bsc#1107294)
ImportantSUSE bug 1107294SUSE bug 1107296CVE-2018-0502 at SUSECVE-2018-0502 at NVDCVE-2018-13259 at SUSECVE-2018-13259 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for bind (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for bind fixes the following issues:
- CVE-2021-25220: Fixed potentially incorrect answers by cached forwarders (bsc#1197135).
ModerateSUSE bug 1197135CVE-2021-25220 at SUSECVE-2021-25220 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for e2fsprogs (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for e2fsprogs fixes the following issues:
- CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault
and possibly arbitrary code execution. (bsc#1198446)
ImportantSUSE bug 1198446CVE-2022-1304 at SUSECVE-2022-1304 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_7_1-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_7_1-ibm fixes the following issues:
- Update to Java 7.1 Service Refresh 5 Fix Pack 0
- CVE-2021-41035: before version 0.29.0, the openj9 JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods. (bsc#1194198, bsc#1192052)
- CVE-2021-35586: Excessive memory allocation in BMPImageReader. (bsc#1191914)
- CVE-2021-35564: Certificates with end dates too far in the future can corrupt keystore. (bsc#1191913)
- CVE-2021-35559: Excessive memory allocation in RTFReader. (bsc#1191911)
- CVE-2021-35556: Excessive memory allocation in RTFParser. (bsc#1191910)
- CVE-2021-35565: Loop in HttpsServer triggered during TLS session close. (bsc#1191909)
- CVE-2021-35588: Incomplete validation of inner class references in ClassFileParser. (bsc#1191905)
- CVE-2021-2341: Fixed a flaw inside the FtpClient. (bsc#1188564)
- CVE-2021-2369: JAR file handling problem containing multiple MANIFEST.MF files. (bsc#1188565)
- CVE-2021-2432: Fixed a vulnerability in the omponent JNDI. (bsc#1188568)
- CVE-2021-2163: Incomplete enforcement of JAR signing disabled algorithms. (bsc#1185055)
ModerateSUSE bug 1185055SUSE bug 1188564SUSE bug 1188565SUSE bug 1188568SUSE bug 1191905SUSE bug 1191909SUSE bug 1191910SUSE bug 1191911SUSE bug 1191913SUSE bug 1191914SUSE bug 1192052SUSE bug 1194198SUSE bug 1194232CVE-2021-2163 at SUSECVE-2021-2163 at NVDCVE-2021-2341 at SUSECVE-2021-2341 at NVDCVE-2021-2369 at SUSECVE-2021-2369 at NVDCVE-2021-2432 at SUSECVE-2021-2432 at NVDCVE-2021-35556 at SUSECVE-2021-35556 at NVDCVE-2021-35559 at SUSECVE-2021-35559 at NVDCVE-2021-35564 at SUSECVE-2021-35564 at NVDCVE-2021-35565 at SUSECVE-2021-35565 at NVDCVE-2021-35586 at SUSECVE-2021-35586 at NVDCVE-2021-35588 at SUSECVE-2021-35588 at NVDCVE-2021-41035 at SUSECVE-2021-41035 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for openldap2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for openldap2 fixes the following issues:
- CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).
- Fixed issue with SASL init that crashed slapd at startup under certain conditions (bsc#1198383).
ImportantSUSE bug 1198383SUSE bug 1199240CVE-2022-29155 at SUSECVE-2022-29155 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for gzip (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for gzip fixes the following issues:
- CVE-2022-1271: Add hardening for zgrep. (bsc#1198062)
ImportantCVE-2022-1271 at SUSECVE-2022-1271 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for webkit2gtk3 fixes the following issues:
Update to version 2.36.0 (bsc#1198290):
- CVE-2022-22624: Fixed use after free that may lead to arbitrary code execution.
- CVE-2022-22628: Fixed use after free that may lead to arbitrary code execution.
- CVE-2022-22629: Fixed a buffer overflow that may lead to arbitrary code execution.
- CVE-2022-22637: Fixed an unexpected cross-origin behavior due to a logic error.
Missing CVE reference for the update to 2.34.6 (bsc#1196133):
- CVE-2022-22594: Fixed a cross-origin issue in the IndexDB API.
ImportantSUSE bug 1196133SUSE bug 1198290CVE-2022-22594 at SUSECVE-2022-22594 at NVDCVE-2022-22624 at SUSECVE-2022-22624 at NVDCVE-2022-22628 at SUSECVE-2022-22628 at NVDCVE-2022-22629 at SUSECVE-2022-22629 at NVDCVE-2022-22637 at SUSECVE-2022-22637 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for curl (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for curl fixes the following issues:
- CVE-2022-27781: Fixed CERTINFO never-ending busy-loop (bsc#1199223)
- CVE-2022-27782: Fixed TLS and SSH connection too eager reuse (bsc#1199224)
ImportantSUSE bug 1199223SUSE bug 1199224CVE-2022-27781 at SUSECVE-2022-27781 at NVDCVE-2022-27782 at SUSECVE-2022-27782 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for ucode-intel (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for ucode-intel fixes the following issues:
Updated to Intel CPU Microcode 20220510 release. (bsc#1199423)
Updated to Intel CPU Microcode 20220419 release. (bsc#1198717)
- CVE-2022-21151: Processor optimization removal or modification of security-critical code for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access (bsc#1199423).
ModerateSUSE bug 1198717SUSE bug 1199423CVE-2022-21151 at SUSECVE-2022-21151 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.9.0 ESR (MFSA 2022-17)(bsc#1198970):
- CVE-2022-29914: Fullscreen notification bypass using popups
- CVE-2022-29909: Bypassing permission prompt in nested browsing contexts
- CVE-2022-29916: Leaking browser history with CSS variables
- CVE-2022-29911: iframe Sandbox bypass
- CVE-2022-29912: Reader mode bypassed SameSite cookies
- CVE-2022-29917: Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9
ImportantSUSE bug 1198970CVE-2022-29909 at SUSECVE-2022-29909 at NVDCVE-2022-29911 at SUSECVE-2022-29911 at NVDCVE-2022-29912 at SUSECVE-2022-29912 at NVDCVE-2022-29914 at SUSECVE-2022-29914 at NVDCVE-2022-29916 at SUSECVE-2022-29916 at NVDCVE-2022-29917 at SUSECVE-2022-29917 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for expat (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for expat fixes the following issues:
- CVE-2021-45960: Fixed left shift in the storeAtts function in xmlparse.c that can lead to realloc misbehavior (bsc#1194251).
- CVE-2021-46143: Fixed integer overflow in m_groupSize in doProlog (bsc#1194362).
- CVE-2022-22822: Fixed integer overflow in addBinding in xmlparse.c (bsc#1194474).
- CVE-2022-22823: Fixed integer overflow in build_model in xmlparse.c (bsc#1194476).
- CVE-2022-22824: Fixed integer overflow in defineAttribute in xmlparse.c (bsc#1194477).
- CVE-2022-22825: Fixed integer overflow in lookup in xmlparse.c (bsc#1194478).
- CVE-2022-22826: Fixed integer overflow in nextScaffoldPart in xmlparse.c (bsc#1194479).
- CVE-2022-22827: Fixed integer overflow in storeAtts in xmlparse.c (bsc#1194480).
ImportantSUSE bug 1194251SUSE bug 1194362SUSE bug 1194474SUSE bug 1194476SUSE bug 1194477SUSE bug 1194478SUSE bug 1194479SUSE bug 1194480CVE-2021-45960 at SUSECVE-2021-45960 at NVDCVE-2021-46143 at SUSECVE-2021-46143 at NVDCVE-2022-22822 at SUSECVE-2022-22822 at NVDCVE-2022-22823 at SUSECVE-2022-22823 at NVDCVE-2022-22824 at SUSECVE-2022-22824 at NVDCVE-2022-22825 at SUSECVE-2022-22825 at NVDCVE-2022-22826 at SUSECVE-2022-22826 at NVDCVE-2022-22827 at SUSECVE-2022-22827 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for postgresql10 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for postgresql10 fixes the following issues:
- CVE-2022-1552: Confine additional operations within 'security restricted operation' sandboxes (bsc#1199475).
ImportantSUSE bug 1199475CVE-2022-1552 at SUSECVE-2022-1552 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.9.1 ESR - MFSA 2022-19 (bsc#1199768):
- CVE-2022-1802: Prototype pollution in Top-Level Await implementation
- CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading to prototype pollution
ImportantSUSE bug 1199768CVE-2022-1529 at SUSECVE-2022-1529 at NVDCVE-2022-1802 at SUSECVE-2022-1802 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for python-requests (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python-requests fixes the following issues:
- CVE-2018-18074: Fixed to prevent the package to send an HTTP Authorization header to an http URI
upon receiving a same-hostname https-to-http redirect. (bsc#1111622)
ModerateSUSE bug 1111622CVE-2018-18074 at SUSECVE-2018-18074 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libxml2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libxml2 fixes the following issues:
- CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c and tree.c (bsc#1199132).
- CVE-2017-16932: Prevent infinite recursion in parameter entities (bsc#1069689).
ImportantSUSE bug 1069689SUSE bug 1199132CVE-2017-16932 at SUSECVE-2017-16932 at NVDCVE-2022-29824 at SUSECVE-2022-29824 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for pcre2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for pcre2 fixes the following issues:
- CVE-2022-1586: Fixed out-of-bounds read via missing Unicode property matching issue in JIT compiled regular expressions (bsc#1199232).
ImportantSUSE bug 1199232CVE-2022-1586 at SUSECVE-2022-1586 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for wpa_supplicant (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for wpa_supplicant fixes the following issues:
- CVE-2022-23303, CVE-2022-23304: Fixed SAE/EAP-pwd side-channel attacks (bsc#1194732, bsc#1194733)
- CVE-2021-0326: Fixed P2P group information processing vulnerability (bsc#1181777)
- Fix systemd device ready dependencies in wpa_supplicant@.service file. (bsc#1182805)
- Limit P2P_DEVICE name to appropriate ifname size
- Enable SAE support(jsc#SLE-14992).
- Fix wicked wlan (bsc#1156920)
- Change wpa_supplicant.service to ensure wpa_supplicant gets started before
network. Fix WLAN config on boot with wicked. (bsc#1166933)
- Adjust the service to start after network.target wrt bsc#1165266
Update to 2.9 release:
* SAE changes
- disable use of groups using Brainpool curves
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* EAP-pwd changes
- disable use of groups using Brainpool curves
- allow the set of groups to be configured (eap_pwd_groups)
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* fixed FT-EAP initial mobility domain association using PMKSA caching
(disabled by default for backwards compatibility; can be enabled
with ft_eap_pmksa_caching=1)
* fixed a regression in OpenSSL 1.1+ engine loading
* added validation of RSNE in (Re)Association Response frames
* fixed DPP bootstrapping URI parser of channel list
* extended EAP-SIM/AKA fast re-authentication to allow use with FILS
* extended ca_cert_blob to support PEM format
* improved robustness of P2P Action frame scheduling
* added support for EAP-SIM/AKA using anonymous@realm identity
* fixed Hotspot 2.0 credential selection based on roaming consortium
to ignore credentials without a specific EAP method
* added experimental support for EAP-TEAP peer (RFC 7170)
* added experimental support for EAP-TLS peer with TLS v1.3
* fixed a regression in WMM parameter configuration for a TDLS peer
* fixed a regression in operation with drivers that offload 802.1X
4-way handshake
* fixed an ECDH operation corner case with OpenSSL
* SAE changes
- added support for SAE Password Identifier
- changed default configuration to enable only groups 19, 20, 21
(i.e., disable groups 25 and 26) and disable all unsuitable groups
completely based on REVmd changes
- do not regenerate PWE unnecessarily when the AP uses the
anti-clogging token mechanisms
- fixed some association cases where both SAE and FT-SAE were enabled
on both the station and the selected AP
- started to prefer FT-SAE over SAE AKM if both are enabled
- started to prefer FT-SAE over FT-PSK if both are enabled
- fixed FT-SAE when SAE PMKSA caching is used
- reject use of unsuitable groups based on new implementation guidance
in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
groups with prime >= 256)
- minimize timing and memory use differences in PWE derivation
[https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868)
* EAP-pwd changes
- minimize timing and memory use differences in PWE derivation
[https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870)
- verify server scalar/element
[https://w1.fi/security/2019-4/] (CVE-2019-9497, CVE-2019-9498,
CVE-2019-9499, bsc#1131874, bsc#1131872, bsc#1131871, bsc#1131644)
- fix message reassembly issue with unexpected fragment
[https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640)
- enforce rand,mask generation rules more strictly
- fix a memory leak in PWE derivation
- disallow ECC groups with a prime under 256 bits (groups 25, 26, and
27)
- SAE/EAP-pwd side-channel attack update
[https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443)
* fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y
* Hotspot 2.0 changes
- do not indicate release number that is higher than the one
AP supports
- added support for release number 3
- enable PMF automatically for network profiles created from
credentials
* fixed OWE network profile saving
* fixed DPP network profile saving
* added support for RSN operating channel validation
(CONFIG_OCV=y and network profile parameter ocv=1)
* added Multi-AP backhaul STA support
* fixed build with LibreSSL
* number of MKA/MACsec fixes and extensions
* extended domain_match and domain_suffix_match to allow list of values
* fixed dNSName matching in domain_match and domain_suffix_match when
using wolfSSL
* started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both
are enabled
* extended nl80211 Connect and external authentication to support
SAE, FT-SAE, FT-EAP-SHA384
* fixed KEK2 derivation for FILS+FT
* extended client_cert file to allow loading of a chain of PEM
encoded certificates
* extended beacon reporting functionality
* extended D-Bus interface with number of new properties
* fixed a regression in FT-over-DS with mac80211-based drivers
* OpenSSL: allow systemwide policies to be overridden
* extended driver flags indication for separate 802.1X and PSK
4-way handshake offload capability
* added support for random P2P Device/Interface Address use
* extended PEAP to derive EMSK to enable use with ERP/FILS
* extended WPS to allow SAE configuration to be added automatically
for PSK (wps_cred_add_sae=1)
* removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS)
* extended domain_match and domain_suffix_match to allow list of values
* added a RSN workaround for misbehaving PMF APs that advertise
IGTK/BIP KeyID using incorrect byte order
* fixed PTK rekeying with FILS and FT
* fixed WPA packet number reuse with replayed messages and key
reinstallation
[https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078,
CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
* fixed unauthenticated EAPOL-Key decryption in wpa_supplicant
[https://w1.fi/security/2018-1/] (CVE-2018-14526)
* added support for FILS (IEEE 802.11ai) shared key authentication
* added support for OWE (Opportunistic Wireless Encryption, RFC 8110;
and transition mode defined by WFA)
* added support for DPP (Wi-Fi Device Provisioning Protocol)
* added support for RSA 3k key case with Suite B 192-bit level
* fixed Suite B PMKSA caching not to update PMKID during each 4-way
handshake
* fixed EAP-pwd pre-processing with PasswordHashHash
* added EAP-pwd client support for salted passwords
* fixed a regression in TDLS prohibited bit validation
* started to use estimated throughput to avoid undesired signal
strength based roaming decision
* MACsec/MKA:
- new macsec_linux driver interface support for the Linux
kernel macsec module
- number of fixes and extensions
* added support for external persistent storage of PMKSA cache
(PMKSA_GET/PMKSA_ADD control interface commands; and
MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case)
* fixed mesh channel configuration pri/sec switch case
* added support for beacon report
* large number of other fixes, cleanup, and extensions
* added support for randomizing local address for GAS queries
(gas_rand_mac_addr parameter)
* fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel
* added option for using random WPS UUID (auto_uuid=1)
* added SHA256-hash support for OCSP certificate matching
* fixed EAP-AKA' to add AT_KDF into Synchronization-Failure
* fixed a regression in RSN pre-authentication candidate selection
* added option to configure allowed group management cipher suites
(group_mgmt network profile parameter)
* removed all PeerKey functionality
* fixed nl80211 AP and mesh mode configuration regression with
Linux 4.15 and newer
* added ap_isolate configuration option for AP mode
* added support for nl80211 to offload 4-way handshake into the driver
* added support for using wolfSSL cryptographic library
* SAE
- added support for configuring SAE password separately of the
WPA2 PSK/passphrase
- fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection
for SAE;
note: this is not backwards compatible, i.e., both the AP and
station side implementations will need to be update at the same
time to maintain interoperability
- added support for Password Identifier
- fixed FT-SAE PMKID matching
* Hotspot 2.0
- added support for fetching of Operator Icon Metadata ANQP-element
- added support for Roaming Consortium Selection element
- added support for Terms and Conditions
- added support for OSEN connection in a shared RSN BSS
- added support for fetching Venue URL information
* added support for using OpenSSL 1.1.1
* FT
- disabled PMKSA caching with FT since it is not fully functional
- added support for SHA384 based AKM
- added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128,
BIP-GMAC-256 in addition to previously supported BIP-CMAC-128
- fixed additional IE inclusion in Reassociation Request frame when
using FT protocol
- CVE-2015-8041: Using O_WRONLY flag [http://w1.fi/security/2015-5/] ImportantSUSE bug 1131644SUSE bug 1131868SUSE bug 1131870SUSE bug 1131871SUSE bug 1131872SUSE bug 1131874SUSE bug 1133640SUSE bug 1144443SUSE bug 1156920SUSE bug 1165266SUSE bug 1166933SUSE bug 1167331SUSE bug 1182805SUSE bug 1194732SUSE bug 1194733CVE-2015-8041 at SUSECVE-2015-8041 at NVDCVE-2017-13077 at SUSECVE-2017-13077 at NVDCVE-2017-13078 at SUSECVE-2017-13078 at NVDCVE-2017-13079 at SUSECVE-2017-13079 at NVDCVE-2017-13080 at SUSECVE-2017-13080 at NVDCVE-2017-13081 at SUSECVE-2017-13081 at NVDCVE-2017-13082 at SUSECVE-2017-13082 at NVDCVE-2017-13086 at SUSECVE-2017-13086 at NVDCVE-2017-13087 at SUSECVE-2017-13087 at NVDCVE-2017-13088 at SUSECVE-2017-13088 at NVDCVE-2018-14526 at SUSECVE-2018-14526 at NVDCVE-2019-11555 at SUSECVE-2019-11555 at NVDCVE-2019-13377 at SUSECVE-2019-13377 at NVDCVE-2019-9494 at SUSECVE-2019-9494 at NVDCVE-2019-9495 at SUSECVE-2019-9495 at NVDCVE-2019-9497 at SUSECVE-2019-9497 at NVDCVE-2019-9498 at SUSECVE-2019-9498 at NVDCVE-2019-9499 at SUSECVE-2019-9499 at NVDCVE-2022-23303 at SUSECVE-2022-23303 at NVDCVE-2022-23304 at SUSECVE-2022-23304 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for postgresql14 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for postgresql14 fixes the following issues:
- CVE-2022-1552: Confine additional operations within 'security restricted operation' sandboxes (bsc#1199475).
ImportantSUSE bug 1199475CVE-2022-1552 at SUSECVE-2022-1552 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for ImageMagick (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for ImageMagick fixes the following issues:
- CVE-2022-1270: Fixed a memory corruption issue when parsing MIFF files (bsc#1198351).
- CVE-2022-28463: Fixed buffer overflow in coders/cin.c (bsc#1199350).
ImportantSUSE bug 1198351SUSE bug 1199350CVE-2022-1270 at SUSECVE-2022-1270 at NVDCVE-2022-28463 at SUSECVE-2022-28463 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for mailman (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for mailman fixes the following issues:
- CVE-2021-44227: Preventing list moderator or list member accessing the admin UI (bsc#1193316).
- CVE-2021-43332: Preventing list moderator from cracking the list admin password encrypted in a CSRF token (bsc#1192741).
- CVE-2021-43331: Fixed XSS in Cgi/options.py (bsc#1192735).
- CVE-2021-42096: Add protection against remote privilege escalation via csrf_token derived from admin password (bsc#1191959).
ImportantSUSE bug 1191959SUSE bug 1192735SUSE bug 1192741SUSE bug 1193316CVE-2021-42096 at SUSECVE-2021-42096 at NVDCVE-2021-43331 at SUSECVE-2021-43331 at NVDCVE-2021-43332 at SUSECVE-2021-43332 at NVDCVE-2021-44227 at SUSECVE-2021-44227 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for polkit (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for polkit fixes the following issues:
- CVE-2021-4034: Fixed a local privilege escalation in pkexec (bsc#1194568).
ImportantSUSE bug 1194568CVE-2021-4034 at SUSECVE-2021-4034 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for librelp (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for librelp fixes the following issues:
- CVE-2018-1000140: Fixed remote attack via specially crafted x509 certificates when connecting to rsyslog to trigger a stack buffer overflow and run arbitrary code (bsc#1086730).
ModerateSUSE bug 1086730CVE-2018-1000140 at SUSECVE-2018-1000140 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.10.0 ESR (MFSA 2022-21)(bsc#1200027)
- CVE-2022-31736: Cross-Origin resource's length leaked
- CVE-2022-31737: Heap buffer overflow in WebGL
- CVE-2022-31738: Browser window spoof using fullscreen mode
- CVE-2022-31739: Attacker-influenced path traversal when saving downloaded files
- CVE-2022-31740: Register allocation problem in WASM on arm64
- CVE-2022-31741: Uninitialized variable leads to invalid memory read
- CVE-2022-31742: Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information
- CVE-2022-31747: Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10
ImportantSUSE bug 1200027CVE-2022-31736 at SUSECVE-2022-31736 at NVDCVE-2022-31737 at SUSECVE-2022-31737 at NVDCVE-2022-31738 at SUSECVE-2022-31738 at NVDCVE-2022-31739 at SUSECVE-2022-31739 at NVDCVE-2022-31740 at SUSECVE-2022-31740 at NVDCVE-2022-31741 at SUSECVE-2022-31741 at NVDCVE-2022-31742 at SUSECVE-2022-31742 at NVDCVE-2022-31747 at SUSECVE-2022-31747 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for strongswan (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for strongswan fixes the following issues:
- CVE-2021-45079: Fixed authentication bypass in EAP authentication. (bsc#1194471)
ImportantSUSE bug 1194471CVE-2021-45079 at SUSECVE-2021-45079 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for mozilla-nss (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for mozilla-nss fixes the following issues:
Mozilla NSS 3.68.4 (bsc#1200027)
* CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. (bmo#1767590)
ImportantSUSE bug 1200027CVE-2022-31741 at SUSECVE-2022-31741 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for grub2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for grub2 fixes the following issues:
Security fixes and hardenings for boothole 3 / boothole 2022 (bsc#1198581)
- CVE-2021-3695: Fixed that a crafted PNG grayscale image could lead to out-of-bounds write in heap (bsc#1191184)
- CVE-2021-3696: Fixed that a crafted PNG image could lead to out-of-bound write during huffman table handling (bsc#1191185)
- CVE-2021-3697: Fixed that a crafted JPEG image could lead to buffer underflow write in the heap (bsc#1191186)
- CVE-2022-28733: Fixed fragmentation math in net/ip (bsc#1198460)
- CVE-2022-28734: Fixed an out-of-bound write for split http headers (bsc#1198493)
- CVE-2022-28736: Fixed a use-after-free in chainloader command (bsc#1198496)
- Update SBAT security contact (bsc#1193282)
- Bump grub's SBAT generation to 2
- Use boot disks in OpenFirmware, fixing regression caused when the root LV is completely in the boot LUN (bsc#1197948)
ImportantSUSE bug 1191184SUSE bug 1191185SUSE bug 1191186SUSE bug 1193282SUSE bug 1197948SUSE bug 1198460SUSE bug 1198493SUSE bug 1198496SUSE bug 1198581CVE-2021-3695 at SUSECVE-2021-3695 at NVDCVE-2021-3696 at SUSECVE-2021-3696 at NVDCVE-2021-3697 at SUSECVE-2021-3697 at NVDCVE-2022-28733 at SUSECVE-2022-28733 at NVDCVE-2022-28734 at SUSECVE-2022-28734 at NVDCVE-2022-28736 at SUSECVE-2022-28736 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-BCL
The SUSE Linux Enterprise 12 SP3 kernel was updated to 3.12.31 to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2022-21127: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-21123: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-21125: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-21180: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-21166: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-1975: Fixed a bug that allows an attacker to crash the linux kernel by simulating nfc device from user-space. (bsc#1200143)
- CVE-2022-1974: Fixed an use-after-free that could causes kernel crash by simulating an nfc device from user-space. (bsc#1200144)
- CVE-2019-19377: Fixed an user-after-free that could be triggered when an attacker mounts a crafted btrfs filesystem image. (bnc#1158266)
- CVE-2022-1729: Fixed a sys_perf_event_open() race condition against self (bsc#1199507).
- CVE-2022-1184: Fixed an use-after-free and memory errors in ext4 when mounting and operating on a corrupted image. (bsc#1198577)
- CVE-2022-21499: Reinforce the kernel lockdown feature, until now it's been trivial to break out of it with kgdb or kdb. (bsc#1199426)
- CVE-2017-13695: Fixed a bug that caused a stack dump allowing local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted ACPI table. (bnc#1055710)
- CVE-2022-1652: Fixed a statically allocated error counter inside the floppy kernel module (bsc#1199063).
- CVE-2022-1734: Fixed a r/w use-after-free when non synchronized between cleanup routine and firmware download routine. (bnc#1199605)
- CVE-2022-30594: Fixed restriction bypass on setting the PT_SUSPEND_SECCOMP flag (bnc#1199505).
- CVE-2021-28688: Fixed XSA-365 that includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains (bnc#1183646).
- CVE-2020-10769: Fixed a buffer over-read flaw in the IPsec Cryptographic algorithm's module. This flaw allowed a local attacker with user privileges to cause a denial of service. (bnc#1173265)
- CVE-2021-33061: Fixed insufficient control flow management for the Intel(R) 82599 Ethernet Controllers and Adapters that may have allowed an authenticated user to potentially enable denial of service via local access (bnc#1196426).
- CVE-2022-1516: Fixed null-ptr-deref caused by x25_disconnect (bsc#1199012).
- CVE-2021-20321: Fixed a race condition accessing file object in the OverlayFS subsystem in the way users do rename in specific way with OverlayFS. A local user could have used this flaw to crash the system (bnc#1191647).
- CVE-2018-7755: Fixed an issue in the fd_locked_ioctl function in drivers/block/floppy.c. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR (bnc#1084513).
- CVE-2022-1419: Fixed a concurrency use-after-free in vgem_gem_dumb_create (bsc#1198742).
- CVE-2021-38208: Fixed a denial of service (NULL pointer dereference and BUG) by making a getsockname call after a certain type of failure of a bind call (bnc#1187055).
- CVE-2022-1353: Fixed access controll to kernel memory in the pfkey_register function in net/key/af_key.c. (bnc#1198516)
- CVE-2018-20784: Fixed a denial of service (infinite loop in update_blocked_averages) by mishandled leaf cfs_rq in kernel/sched/fair.c (bnc#1126703).
- CVE-2021-20292: Fixed object validation prior to performing operations on the object in nouveau_sgdma_create_ttm in Nouveau DRM subsystem (bnc#1183723).
- CVE-2022-28390: Fixed a double free in drivers/net/can/usb/ems_usb.c vulnerability in the Linux kernel (bnc#1198031).
- CVE-2022-28388: Fixed a double free in drivers/net/can/usb/usb_8dev.c vulnerability in the Linux kernel (bnc#1198032).
- CVE-2022-1011: Fixed an use-after-free vulnerability which could allow a local attacker to retireve (partial) /etc/shadow hashes or any other data from filesystem when he can mount a FUSE filesystems. (bnc#1197343)
The following non-security bugs were fixed:
- btrfs: tree-checker: fix incorrect printk format (bsc#1200249).
- net: mana: Add handling of CQE_RX_TRUNCATED (bsc#1195651).
- net: mana: Remove unnecessary check of cqe_type in mana_process_rx_cqe() (bsc#1195651).
- PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time (bsc#1199314).
- powerpc/pseries: extract host bridge from pci_bus prior to bus removal (bsc#1182171 ltc#190900 bsc#1198660 ltc#197803).
- powerpc/pseries: Fix use after free in remove_phb_dynamic() (bsc#1065729 bsc#1198660 ltc#197803).
- vmbus: do not return values for uninitalized channels (bsc#1051510 bsc#1198997).
- vt: vt_ioctl: fix race in VT_RESIZEX (bsc#1199785).
- x86/hyperv: Read TSC frequency from a synthetic MSR (bsc#1198962).
- x86/speculation: Fix redundant MDS mitigation message (bsc#1199650).
ImportantSUSE bug 1051510SUSE bug 1055710SUSE bug 1065729SUSE bug 1084513SUSE bug 1087082SUSE bug 1126703SUSE bug 1158266SUSE bug 1173265SUSE bug 1182171SUSE bug 1183646SUSE bug 1183723SUSE bug 1187055SUSE bug 1191647SUSE bug 1195651SUSE bug 1196426SUSE bug 1197343SUSE bug 1198031SUSE bug 1198032SUSE bug 1198516SUSE bug 1198577SUSE bug 1198660SUSE bug 1198687SUSE bug 1198742SUSE bug 1198962SUSE bug 1198997SUSE bug 1199012SUSE bug 1199063SUSE bug 1199314SUSE bug 1199426SUSE bug 1199505SUSE bug 1199507SUSE bug 1199605SUSE bug 1199650SUSE bug 1199785SUSE bug 1200143SUSE bug 1200144SUSE bug 1200249CVE-2017-13695 at SUSECVE-2017-13695 at NVDCVE-2018-20784 at SUSECVE-2018-20784 at NVDCVE-2018-7755 at SUSECVE-2018-7755 at NVDCVE-2019-19377 at SUSECVE-2019-19377 at NVDCVE-2020-10769 at SUSECVE-2020-10769 at NVDCVE-2021-20292 at SUSECVE-2021-20292 at NVDCVE-2021-20321 at SUSECVE-2021-20321 at NVDCVE-2021-28688 at SUSECVE-2021-28688 at NVDCVE-2021-33061 at SUSECVE-2021-33061 at NVDCVE-2021-38208 at SUSECVE-2021-38208 at NVDCVE-2022-1011 at SUSECVE-2022-1011 at NVDCVE-2022-1184 at SUSECVE-2022-1184 at NVDCVE-2022-1353 at SUSECVE-2022-1353 at NVDCVE-2022-1419 at SUSECVE-2022-1419 at NVDCVE-2022-1516 at SUSECVE-2022-1516 at NVDCVE-2022-1652 at SUSECVE-2022-1652 at NVDCVE-2022-1729 at SUSECVE-2022-1729 at NVDCVE-2022-1734 at SUSECVE-2022-1734 at NVDCVE-2022-1974 at SUSECVE-2022-1974 at NVDCVE-2022-1975 at SUSECVE-2022-1975 at NVDCVE-2022-21123 at SUSECVE-2022-21123 at NVDCVE-2022-21125 at SUSECVE-2022-21125 at NVDCVE-2022-21127 at SUSECVE-2022-21127 at NVDCVE-2022-21166 at SUSECVE-2022-21166 at NVDCVE-2022-21180 at SUSECVE-2022-21180 at NVDCVE-2022-21499 at SUSECVE-2022-21499 at NVDCVE-2022-28388 at SUSECVE-2022-28388 at NVDCVE-2022-28390 at SUSECVE-2022-28390 at NVDCVE-2022-30594 at SUSECVE-2022-30594 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for webkit2gtk3 fixes the following issues:
Update to version 2.36.3 (bsc#1200106)
- CVE-2022-30293: Fixed heap-based buffer overflow in WebCore::TextureMapperLayer::setContentsLayer (bsc#1199287).
- CVE-2022-26700: Fixed memory corruption issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
- CVE-2022-26709: Fixed use after free issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
- CVE-2022-26716: Fixed use after free issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
- CVE-2022-26717: Fixed memory corruption issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
- CVE-2022-26719: Fixed memory corruption issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
ImportantSUSE bug 1199287SUSE bug 1200106CVE-2022-26700 at SUSECVE-2022-26700 at NVDCVE-2022-26709 at SUSECVE-2022-26709 at NVDCVE-2022-26716 at SUSECVE-2022-26716 at NVDCVE-2022-26717 at SUSECVE-2022-26717 at NVDCVE-2022-26719 at SUSECVE-2022-26719 at NVDCVE-2022-30293 at SUSECVE-2022-30293 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for openssl (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for openssl fixes the following issues:
- CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).
ImportantSUSE bug 1199166CVE-2022-1292 at SUSECVE-2022-1292 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for apache2 fixes the following issues:
- CVE-2022-26377: Fixed possible request smuggling in mod_proxy_ajp (bsc#1200338)
- CVE-2022-28614: Fixed read beyond bounds via ap_rwrite() (bsc#1200340)
- CVE-2022-28615: Fixed read beyond bounds in ap_strcmp_match() (bsc#1200341)
- CVE-2022-29404: Fixed denial of service in mod_lua r:parsebody (bsc#1200345)
- CVE-2022-30556: Fixed information disclosure in mod_lua with websockets (bsc#1200350)
- CVE-2022-30522: Fixed mod_sed denial of service (bsc#1200352)
- CVE-2022-31813: Fixed mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism (bsc#1200348)
ImportantSUSE bug 1200338SUSE bug 1200340SUSE bug 1200341SUSE bug 1200345SUSE bug 1200348SUSE bug 1200350SUSE bug 1200352CVE-2022-26377 at SUSECVE-2022-26377 at NVDCVE-2022-28614 at SUSECVE-2022-28614 at NVDCVE-2022-28615 at SUSECVE-2022-28615 at NVDCVE-2022-29404 at SUSECVE-2022-29404 at NVDCVE-2022-30522 at SUSECVE-2022-30522 at NVDCVE-2022-30556 at SUSECVE-2022-30556 at NVDCVE-2022-31813 at SUSECVE-2022-31813 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for log4j (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for log4j fixes the following issues:
- CVE-2022-23307: Fix deserialization issue by removing the chainsaw sub-package. (bsc#1194844)
- CVE-2022-23305: Fix SQL injection by removing src/main/java/org/apache/log4j/jdbc/JDBCAppender.java. (bsc#1194843)
- CVE-2022-23302: Fix remote code execution by removing src/main/java/org/apache/log4j/net/JMSSink.java. (bsc#1194842)
ImportantSUSE bug 1194842SUSE bug 1194843SUSE bug 1194844CVE-2022-23302 at SUSECVE-2022-23302 at NVDCVE-2022-23305 at SUSECVE-2022-23305 at NVDCVE-2022-23307 at SUSECVE-2022-23307 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for SUSE Manager Client Tools (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update fixes the following issues:
golang-github-QubitProducts-exporter_exporter:
- Adapted to build on Enterprise Linux.
- Fix build for RedHat 7
- Require Go >= 1.14 also for CentOS
- Add support for CentOS
- Replace %{?systemd_requires} with %{?systemd_ordering}
golang-github-prometheus-alertmanager:
- CVE-2022-21698: Denial of service using InstrumentHandlerCounter.
* Update vendor tarball with prometheus/client_golang 1.11.1 (bsc#1196338, jsc#SLE-24077)
- Update required Go version to 1.16
- Update to version 0.23.0:
* amtool: Detect version drift and warn users (#2672)
* Add ability to skip TLS verification for amtool (#2663)
* Fix empty isEqual in amtool. (#2668)
* Fix main tests (#2670)
* cli: add new template render command (#2538)
* OpsGenie: refer to alert instead of incident (#2609)
* Docs: target_match and source_match are DEPRECATED (#2665)
* Fix test not waiting for cluster member to be ready
- Added hardening to systemd service(s) (bsc#1181400)
golang-github-prometheus-node_exporter:
- CVE-2022-21698: Denial of service using InstrumentHandlerCounter.
* Update vendor tarball with prometheus/client_golang 1.11.1
(bsc#1196338, jsc#SLE-24238, jsc#SLE-24239)
- Update to 1.3.0
* [CHANGE] Add path label to rapl collector #2146
* [CHANGE] Exclude filesystems under /run/credentials #2157
* [CHANGE] Add TCPTimeouts to netstat default filter #2189
* [FEATURE] Add lnstat collector for metrics from /proc/net/stat/ #1771
* [FEATURE] Add darwin powersupply collector #1777
* [FEATURE] Add support for monitoring GPUs on Linux #1998
* [FEATURE] Add Darwin thermal collector #2032
* [FEATURE] Add os release collector #2094
* [FEATURE] Add netdev.address-info collector #2105
* [FEATURE] Add clocksource metrics to time collector #2197
* [ENHANCEMENT] Support glob textfile collector directories #1985
* [ENHANCEMENT] ethtool: Expose node_ethtool_info metric #2080
* [ENHANCEMENT] Use include/exclude flags for ethtool filtering #2165
* [ENHANCEMENT] Add flag to disable guest CPU metrics #2123
* [ENHANCEMENT] Add DMI collector #2131
* [ENHANCEMENT] Add threads metrics to processes collector #2164
* [ENHANCMMENT] Reduce timer GC delays in the Linux filesystem collector #2169
* [ENHANCMMENT] Add TCPTimeouts to netstat default filter #2189
* [ENHANCMMENT] Use SysctlTimeval for boottime collector on BSD #2208
* [BUGFIX] ethtool: Sanitize metric names #2093
* [BUGFIX] Fix ethtool collector for multiple interfaces #2126
* [BUGFIX] Fix possible panic on macOS #2133
* [BUGFIX] Collect flag_info and bug_info only for one core #2156
* [BUGFIX] Prevent duplicate ethtool metric names #2187
- Update to 1.2.2
* Bug fixes
Fix processes collector long int parsing #2112
- Update to 1.2.1
* Removed
Remove obsolete capture permission denied error patch that is already included upstream
Fix zoneinfo parsing prometheus/procfs#386
Fix nvme collector log noise #2091
Fix rapl collector log noise #2092
- Update to 1.2.0
* Changes
Rename filesystem collector flags to match other collectors #2012
Make node_exporter print usage to STDOUT #203
* Features
Add conntrack statistics metrics #1155
Add ethtool stats collector #1832
Add flag to ignore network speed if it is unknown #1989
Add tapestats collector for Linux #2044
Add nvme collector #2062
* Enhancements
Add ErrorLog plumbing to promhttp #1887
Add more Infiniband counters #2019
netclass: retrieve interface names and filter before parsing #2033
Add time zone offset metric #2060
Handle errors from disabled PSI subsystem #1983
Fix panic when using backwards compatible flags #2000
Fix wrong value for OpenBSD memory buffer cache #2015
Only initiate collectors once #2048
Handle small backwards jumps in CPU idle #2067
- Apply patch to capture permission denied error for 'energy_uj' file (bsc#1190535)
grafana:
- Update to version 8.3.5 (jsc#SLE-23439, jsc#SLE-23422)
+ Security:
* Fixes XSS vulnerability in handling data sources
(bsc#1195726, CVE-2022-21702)
* Fixes cross-origin request forgery vulnerability
(bsc#1195727, CVE-2022-21703)
* Fixes Insecure Direct Object Reference vulnerability in Teams
API (bsc#1195728, CVE-2022-21713)
- Update to Go 1.17.
- Add build-time dependency on `wire`.
- Update license to GNU Affero General Public License v3.0.
- Update to version 8.3.4
* GetUserInfo: return an error if no user was found
(bsc#1194873, CVE-2022-21673)
+ Features and enhancements:
* Alerting: Allow configuration of non-ready alertmanagers.
* Alerting: Allow customization of Google chat message.
* AppPlugins: Support app plugins with only default nav.
* InfluxDB: query editor: skip fields in metadata queries.
* Postgres/MySQL/MSSQL: Cancel in-flight SQL query if user
cancels query in grafana.
* Prometheus: Forward oauth tokens after prometheus datasource
migration.
+ Bug fixes:
* Azure Monitor: Bug fix for variable interpolations in metrics
dropdowns.
* Azure Monitor: Improved error messages for variable queries.
* CloudMonitoring: Fixes broken variable queries that use group
bys.
* Configuration: You can now see your expired API keys if you
have no active ones.
* Elasticsearch: Fix handling multiple datalinks for a single
field.
* Export: Fix error being thrown when exporting dashboards
using query variables that reference the default datasource.
* ImportDashboard: Fixes issue with importing dashboard and
name ending up in uid.
* Login: Page no longer overflows on mobile.
* Plugins: Set backend metadata property for core plugins.
* Prometheus: Fill missing steps with null values.
* Prometheus: Fix interpolation of $__rate_interval variable.
* Prometheus: Interpolate variables with curly brackets syntax.
* Prometheus: Respect the http-method data source setting.
* Table: Fixes issue with field config applied to wrong fields
when hiding columns.
* Toolkit: Fix bug with rootUrls not being properly parsed when
signing a private plugin.
* Variables: Fix so data source variables are added to adhoc
configuration.
+ Plugin development fixes & changes:
* Toolkit: Revert build config so tslib is bundled with plugins
to prevent plugins from crashing.
- Update to version 8.3.3:
* BarChart: Use new data error view component to show actions
in panel edit.
* CloudMonitor: Iterate over pageToken for resources.
* Macaron: Prevent WriteHeader invalid HTTP status code panic.
* AnnoListPanel: Fix interpolation of variables in tags.
* CloudWatch: Allow queries to have no dimensions specified.
* CloudWatch: Fix broken queries for users migrating from
8.2.4/8.2.5 to 8.3.0.
* CloudWatch: Make sure MatchExact flag gets the right value.
* Dashboards: Fix so that empty folders can be deleted from the
manage dashboards/folders page.
* InfluxDB: Improve handling of metadata query errors in
InfluxQL.
* Loki: Fix adding of ad hoc filters for queries with parser
and line_format expressions.
* Prometheus: Fix running of exemplar queries for non-histogram
metrics.
* Prometheus: Interpolate template variables in interval.
* StateTimeline: Fix toolitp not showing when for frames with
multiple fields.
* TraceView: Fix virtualized scrolling when trace view is
opened in right pane in Explore.
* Variables: Fix repeating panels for on time range changed
variables.
* Variables: Fix so queryparam option works for scoped
- Update to version 8.3.2
+ Security: Fixes CVE-2021-43813 and CVE-2021-43815.
- Update to version 8.3.1
+ Security: Fixes CVE-2021-43798.
- Update to version 8.3.0
* Alerting: Prevent folders from being deleted when they
contain alerts.
* Alerting: Show full preview value in tooltip.
* BarGauge: Limit title width when name is really long.
* CloudMonitoring: Avoid to escape regexps in filters.
* CloudWatch: Add support for AWS Metric Insights.
* TooltipPlugin: Remove other panels' shared tooltip in edit
panel.
* Visualizations: Limit y label width to 40% of visualization
width.
* Alerting: Clear alerting rule evaluation errors after
intermittent failures.
* Alerting: Fix refresh on legacy Alert List panel.
* Dashboard: Fix queries for panels with non-integer widths.
* Explore: Fix url update inconsistency.
* Prometheus: Fix range variables interpolation for time ranges
smaller than 1 second.
* ValueMappings: Fixes issue with regex value mapping that only
sets color.
- Update to version 8.3.0-beta2
+ Breaking changes:
* Grafana 8 Alerting enabled by default for installations that
do not use legacy alerting.
* Keep Last State for 'If execution error or timeout' when
upgrading to Grafana 8 alerting.
* Alerting: Create DatasourceError alert if evaluation returns
error.
* Alerting: Make Unified Alerting enabled by default for those
who do not use legacy alerting.
* Alerting: Support mute timings configuration through the api
for the embedded alert manager.
* CloudWatch: Add missing AWS/Events metrics.
* Docs: Add easier to find deprecation notices to certain data
sources and to the changelog.
* Plugins Catalog: Enable install controls based on the
pluginAdminEnabled flag.
* Table: Add space between values for the DefaultCell and
JSONViewCell.
* Tracing: Make query editors available in dashboard for Tempo
and Zipkin.
* AccessControl: Renamed orgs roles, removed fixed:orgs:reader
introduced in beta1.
* Azure Monitor: Add trap focus for modals in grafana/ui and
other small a11y fixes for Azure Monitor.
* CodeEditor: Prevent suggestions from being clipped.
* Dashboard: Fix cache timeout persistence.
* Datasource: Fix stable sort order of query responses.
* Explore: Fix error in query history when removing last item.
* Logs: Fix requesting of older logs when flipped order.
* Prometheus: Fix running of health check query based on access
mode.
* TextPanel: Fix suggestions for existing panels.
* Tracing: Fix incorrect indentations due to reoccurring
spanIDs.
* Tracing: Show start time of trace with milliseconds
precision.
* Variables: Make renamed or missing variable section
expandable.
* Select: Select menus now properly scroll during keyboard
navigation.
- Update to version 8.3.0-beta1
* Alerting: Add UI for contact point testing with custom
annotations and labels.
* Alerting: Make alert state indicator in panel header work
with Grafana 8 alerts.
* Alerting: Option for Discord notifier to use webhook name.
* Annotations: Deprecate AnnotationsSrv.
* Auth: Omit all base64 paddings in JWT tokens for the JWT
auth.
* Azure Monitor: Clean up fields when editing Metrics.
* AzureMonitor: Add new starter dashboards.
* AzureMonitor: Add starter dashboard for app monitoring with
Application Insights.
* Barchart/Time series: Allow x axis label.
* CLI: Improve error handling for installing plugins.
* CloudMonitoring: Migrate to use backend plugin SDK contracts.
* CloudWatch Logs: Add retry strategy for hitting max
concurrent queries.
* CloudWatch: Add AWS RoboMaker metrics and dimension.
* CloudWatch: Add AWS Transfer metrics and dimension.
* Dashboard: replace datasource name with a reference object.
* Dashboards: Show logs on time series when hovering.
* Elasticsearch: Add support for Elasticsearch 8.0 (Beta).
* Elasticsearch: Add time zone setting to Date Histogram
aggregation.
* Elasticsearch: Enable full range log volume histogram.
* Elasticsearch: Full range logs volume.
* Explore: Allow changing the graph type.
* Explore: Show ANSI colors when highlighting matched words in
the logs panel.
* Graph(old) panel: Listen to events from Time series panel.
* Import: Load gcom dashboards from URL.
* LibraryPanels: Improves export and import of library panels
between orgs.
* OAuth: Support PKCE.
* Panel edit: Overrides now highlight correctly when searching.
* PanelEdit: Display drag indicators on draggable sections.
* Plugins: Refactor Plugin Management.
* Prometheus: Add custom query parameters when creating
PromLink url.
* Prometheus: Remove limits on metrics, labels, and values in
Metrics Browser.
* StateTimeline: Share cursor with rest of the panels.
* Tempo: Add error details when json upload fails.
* Tempo: Add filtering for service graph query.
* Tempo: Add links to nodes in Service Graph pointing to
Prometheus metrics.
* Time series/Bar chart panel: Add ability to sort series via
legend.
* TimeSeries: Allow multiple axes for the same unit.
* TraceView: Allow span links defined on dataFrame.
* Transformations: Support a rows mode in labels to fields.
* ValueMappings: Don't apply field config defaults to time
fields.
* Variables: Only update panels that are impacted by variable
change.
* API: Fix dashboard quota limit for imports.
* Alerting: Fix rule editor issues with Azure Monitor data
source.
* Azure monitor: Make sure alert rule editor is not enabled
when template variables are being used.
* CloudMonitoring: Fix annotation queries.
* CodeEditor: Trigger the latest getSuggestions() passed to
CodeEditor.
* Dashboard: Remove the current panel from the list of options
in the Dashboard datasource.
* Encryption: Fix decrypting secrets in alerting migration.
* InfluxDB: Fix corner case where index is too large in ALIAS
* NavBar: Order App plugins alphabetically.
* NodeGraph: Fix zooming sensitivity on touchpads.
* Plugins: Add OAuth pass-through logic to api/ds/query
endpoint.
* Snapshots: Fix panel inspector for snapshot data.
* Tempo: Fix basic auth password reset on adding tag.
* ValueMapping: Fixes issue with regex mappings.
* grafana/ui: Enable slider marks display.
- Update to version 8.2.7
- Update to version 8.2.6
* Security: Upgrade Docker base image to Alpine 3.14.3.
* Security: Upgrade Go to 1.17.2.
* TimeSeries: Fix fillBelowTo wrongly affecting fills of
unrelated series.
- Update to version 8.2.5
* Fix No Data behaviour in Legacy Alerting.
* Alerting: Fix a bug where the metric in the evaluation string
was not correctly populated.
* Alerting: Fix no data behaviour in Legacy Alerting for alert
rules using the AND operator.
* CloudMonitoring: Ignore min and max aggregation in MQL
queries.
* Dashboards: 'Copy' is no longer added to new dashboard
titles.
* DataProxy: Fix overriding response body when response is a
WebSocket upgrade.
* Elasticsearch: Use field configured in query editor as field
for date_histogram aggregations.
* Explore: Fix running queries without a datasource property
set.
* InfluxDB: Fix numeric aliases in queries.
* Plugins: Ensure consistent plugin settings list response.
* Tempo: Fix validation of float durations.
* Tracing: Correct tags for each span are shown.
- Update to version 8.2.4
+ Security: Fixes CVE-2021-41244.
- Update to version 8.2.3
+ Security: Fixes CVE-2021-41174.
- Update to version 8.2.2
* Annotations: We have improved tag search performance.
* Application: You can now configure an error-template title.
* AzureMonitor: We removed a restriction from the resource
filter query.
* Packaging: We removed the ProcSubset option in systemd. This
option prevented Grafana from starting in LXC environments.
* Prometheus: We removed the autocomplete limit for metrics.
* Table: We improved the styling of the type icons to make them
more distinct from column / field name.
* ValueMappings: You can now use value mapping in stat, gauge,
bar gauge, and pie chart visualizations.
* Alerting: Fix panic when Slack's API sends unexpected
response.
* Alerting: The Create Alert button now appears on the
dashboard panel when you are working with a default
datasource.
* Explore: We fixed the problem where the Explore log panel
disappears when an Elasticsearch logs query returns no
results.
* Graph: You can now see annotation descriptions on hover.
* Logs: The system now uses the JSON parser only if the line is
parsed to an object.
* Prometheus: We fixed the issue where the system did not reuse
TCP connections when querying from Grafana alerting.
* Prometheus: We fixed the problem that resulted in an error
when a user created a query with a $__interval min step.
* RowsToFields: We fixed the issue where the system was not
properly interpreting number values.
* Scale: We fixed how the system handles NaN percent when data
min = data max.
* Table panel: You can now create a filter that includes
special characters.
- Update to version 8.2.1
* Dashboard: Fix rendering of repeating panels.
* Datasources: Fix deletion of data source if plugin is not
found.
* Packaging: Remove systemcallfilters sections from systemd
unit files.
* Prometheus: Add Headers to HTTP client options.
- Update to version 8.2.0
* AWS: Updated AWS authentication documentation.
* Alerting: Added support Alertmanager data source for upstream
Prometheus AM implementation.
* Alerting: Allows more characters in label names so
notifications are sent.
* Alerting: Get alert rules for a dashboard or a panel using
/api/v1/rules endpoints.
* Annotations: Improved rendering performance of event markers.
* CloudWatch Logs: Skip caching for log queries.
* Explore: Added an opt-in configuration for Node Graph in
Jaeger, Zipkin, and Tempo.
* Packaging: Add stricter systemd unit options.
* Prometheus: Metrics browser can now handle label values with
* CodeEditor: Ensure that we trigger the latest onSave callback
provided to the component.
* DashboardList/AlertList: Fix for missing All folder value.
* Plugins: Create a mock icon component to prevent console
errors.
- Update to version 8.2.0-beta2
* AccessControl: Document new permissions restricting data
source access.
* TimePicker: Add fiscal years and search to time picker.
* Alerting: Added support for Unified Alerting with Grafana HA.
* Alerting: Added support for tune rule evaluation using
configuration options.
* Alerting: Cleanups alertmanager namespace from key-value
store when disabling Grafana 8 alerts.
* Alerting: Remove ngalert feature toggle and introduce two new
settings for enabling Grafana 8 alerts and disabling them for
specific organisations.
* CloudWatch: Introduced new math expression where it is
necessary to specify the period field.
* InfluxDB: Added support for $__interval and $__interval_ms in
Flux queries for alerting.
* InfluxDB: Flux queries can use more precise start and end
timestamps with nanosecond-precision.
* Plugins Catalog: Make the catalog the default way to interact
with plugins.
* Prometheus: Removed autocomplete limit for metrics.
* Alerting: Fixed an issue where the edit page crashes if you
tried to preview an alert without a condition set.
* Alerting: Fixed rules migration to keep existing Grafana 8
alert rules.
* Alerting: Fixed the silence file content generated during
* Analytics: Fixed an issue related to interaction event
propagation in Azure Application Insights.
* BarGauge: Fixed an issue where the cell color was lit even
though there was no data.
* BarGauge: Improved handling of streaming data.
* CloudMonitoring: Fixed INT64 label unmarshal error.
* ConfirmModal: Fixes confirm button focus on modal open.
* Dashboard: Add option to generate short URL for variables
with values containing spaces.
* Explore: No longer hides errors containing refId property.
* Fixed an issue that produced State timeline panel tooltip
error when data was not in sync.
* InfluxDB: InfluxQL query editor is set to always use
resultFormat.
* Loki: Fixed creating context query for logs with parsed
labels.
* PageToolbar: Fixed alignment of titles.
* Plugins Catalog: Update to the list of available panels after
an install, update or uninstall.
* TimeSeries: Fixed an issue where the shared cursor was not
showing when hovering over in old Graph panel.
* Variables: Fixed issues related to change of focus or refresh
pages when pressing enter in a text box variable input.
* Variables: Panel no longer crash when using the adhoc
variable in data links.
- Update to version 8.2.0-beta1
* AccessControl: Introduce new permissions to restrict access
for reloading provisioning configuration.
* Alerting: Add UI to edit Cortex/Loki namespace, group names,
and group evaluation interval.
* Alerting: Add a Test button to test contact point.
* Alerting: Allow creating/editing recording rules for Loki and
Cortex.
* Alerting: Metrics should have the label org instead of user.
* Alerting: Sort notification channels by name to make them
easier to locate.
* Alerting: Support org level isolation of notification
* AzureMonitor: Add data links to deep link to Azure Portal
Azure Resource Graph.
* AzureMonitor: Add support for annotations from Azure Monitor
Metrics and Azure Resource Graph services.
* AzureMonitor: Show error message when subscriptions request
fails in ConfigEditor.
* Chore: Update to Golang 1.16.7.
* CloudWatch Logs: Add link to X-Ray data source for trace IDs
in logs.
* CloudWatch Logs: Disable query path using websockets (Live)
feature.
* CloudWatch/Logs: Don't group dataframes for non time series
* Cloudwatch: Migrate queries that use multiple stats to one
query per stat.
* Dashboard: Keep live timeseries moving left (v2).
* Datasources: Introduce response_limit for datasource
responses.
* Explore: Add filter by trace or span ID to trace to logs
* Explore: Download traces as JSON in Explore Inspector.
* Explore: Reuse Dashboard's QueryRows component.
* Explore: Support custom display label for derived fields
buttons for Loki datasource.
* Grafana UI: Update monaco-related dependencies.
* Graphite: Deprecate browser access mode.
* InfluxDB: Improve handling of intervals in alerting.
* InfluxDB: InfluxQL query editor: Handle unusual characters in
tag values better.
* Jaeger: Add ability to upload JSON file for trace data.
* LibraryElements: Enable specifying UID for new and existing
library elements.
* LibraryPanels: Remove library panel icon from the panel
header so you can no longer tell that a panel is a library
panel from the dashboard view.
* Logs panel: Scroll to the bottom on page refresh when sorting
in ascending order.
* Loki: Add fuzzy search to label browser.
* Navigation: Implement active state for items in the Sidemenu.
* Packaging: Update PID file location from /var/run to /run.
* Plugins: Add Hide OAuth Forward config option.
* Postgres/MySQL/MSSQL: Add setting to limit the maximum number
of rows processed.
* Prometheus: Add browser access mode deprecation warning.
* Prometheus: Add interpolation for built-in-time variables to
backend.
* Tempo: Add ability to upload trace data in JSON format.
* TimeSeries/XYChart: Allow grid lines visibility control in
XYChart and TimeSeries panels.
* Transformations: Convert field types to time string number or
boolean.
* Value mappings: Add regular-expression based value mapping.
* Zipkin: Add ability to upload trace JSON.
* Admin: Prevent user from deleting user's current/active
organization.
* LibraryPanels: Fix library panel getting saved in the
dashboard's folder.
* OAuth: Make generic teams URL and JMES path configurable.
* QueryEditor: Fix broken copy-paste for mouse middle-click
* Thresholds: Fix undefined color in 'Add threshold'.
* Timeseries: Add wide-to-long, and fix multi-frame output.
* TooltipPlugin: Fix behavior of Shared Crosshair when Tooltip
is set to All.
* Grafana UI: Fix TS error property css is missing in type.
- Update to version 8.1.8
- Update to version 8.1.7
* Alerting: Fix alerts with evaluation interval more than 30
seconds resolving before notification.
* Elasticsearch/Prometheus: Fix usage of proper SigV4 service
namespace.
- Update to version 8.1.6
+ Security: Fixes CVE-2021-39226.
- Update to version 8.1.5
* BarChart: Fixes panel error that happens on second refresh.
- Update to version 8.1.4
+ Features and enhancements
* Explore: Ensure logs volume bar colors match legend colors.
* LDAP: Search all DNs for users.
* Alerting: Fix notification channel migration.
* Annotations: Fix blank panels for queries with unknown data
sources.
* BarChart: Fix stale values and x axis labels.
* Graph: Make old graph panel thresholds work even if ngalert
is enabled.
* InfluxDB: Fix regex to identify / as separator.
* LibraryPanels: Fix update issues related to library panels in
rows.
* Variables: Fix variables not updating inside a Panel when the
preceding Row uses 'Repeat For'.
- Update to version 8.1.3
+ Bug fixes
* Alerting: Fix alert flapping in the internal alertmanager.
* Alerting: Fix request handler failed to convert dataframe
'results' to plugins.DataTimeSeriesSlice: input frame is not
recognized as a time series.
* Dashboard: Fix UIDs are not preserved when importing/creating
dashboards thru importing .json file.
* Dashboard: Forces panel re-render when exiting panel edit.
* Dashboard: Prevent folder from changing when navigating to
general settings.
* Docker: Force use of libcrypto1.1 and libssl1.1 versions to
fix CVE-2021-3711.
* Elasticsearch: Fix metric names for alert queries.
* Elasticsearch: Limit Histogram field parameter to numeric
values.
* Elasticsearch: Prevent pipeline aggregations to show up in
terms order by options.
* LibraryPanels: Prevent duplicate repeated panels from being
created.
* Loki: Fix ad-hoc filter in dashboard when used with parser.
* Plugins: Track signed files + add warn log for plugin assets
which are not signed.
* Postgres/MySQL/MSSQL: Fix region annotations not displayed
correctly.
* Prometheus: Fix validate selector in metrics browser.
* Security: Fix stylesheet injection vulnerability.
* Security: Fix short URL vulnerability.
- Update to version 8.1.2
* AzureMonitor: Add support for PostgreSQL and MySQL Flexible
Servers.
* Datasource: Change HTTP status code for failed datasource
health check to 400.
* Explore: Add span duration to left panel in trace viewer.
* Plugins: Use file extension allowlist when serving plugin
assets instead of checking for UNIX executable.
* Profiling: Add support for binding pprof server to custom
network interfaces.
* Search: Make search icon keyboard navigable.
* Template variables: Keyboard navigation improvements.
* Tooltip: Display ms within minute time range.
* Alerting: Fix saving LINE contact point.
* Annotations: Fix alerting annotation coloring.
* Annotations: Alert annotations are now visible in the correct
Panel.
* Auth: Hide SigV4 config UI and disable middleware when its
config flag is disabled.
* Dashboard: Prevent incorrect panel layout by comparing window
width against theme breakpoints.
* Explore: Fix showing of full log context.
* PanelEdit: Fix 'Actual' size by passing the correct panel
size to Dashboard.
* Plugins: Fix TLS datasource settings.
* Variables: Fix issue with empty drop downs on navigation.
* Variables: Fix URL util converting false into true.
* Toolkit: Fix matchMedia not found error.
- Update to version 8.1.1
* CloudWatch Logs: Fix crash when no region is selected.
- Update to version 8.1.0
* Alerting: Deduplicate receivers during migration.
* ColorPicker: Display colors as RGBA.
* Select: Make portalling the menu opt-in, but opt-in
everywhere.
* TimeRangePicker: Improve accessibility.
* Annotations: Correct annotations that are displayed upon page
refresh.
* Annotations: Fix Enabled button that disappeared from Grafana
v8.0.6.
* Annotations: Fix data source template variable that was not
available for annotations.
* AzureMonitor: Fix annotations query editor that does not
load.
* Geomap: Fix scale calculations.
* GraphNG: Fix y-axis autosizing.
* Live: Display stream rate and fix duplicate channels in list
* Loki: Update labels in log browser when time range changes in
dashboard.
* NGAlert: Send resolve signal to alertmanager on alerting ->
Normal.
* PasswordField: Prevent a password from being displayed when
you click the Enter button.
* Renderer: Remove debug.log file when Grafana is stopped.
* Security: Update dependencies to fix CVE-2021-36222.
- Update to version 8.1.0-beta3
* Alerting: Support label matcher syntax in alert rule list
filter.
* IconButton: Put tooltip text as aria-label.
* Live: Experimental HA with Redis.
* UI: FileDropzone component.
* CloudWatch: Add AWS LookoutMetrics.
* Docker: Fix builds by delaying go mod verify until all
required files are copied over.
* Exemplars: Fix disable exemplars only on the query that
failed.
* SQL: Fix SQL dataframe resampling (fill mode + time
intervals).
- Update to version 8.1.0-beta2
* Alerting: Expand the value string in alert annotations and
* Auth: Add Azure HTTP authentication middleware.
* Auth: Auth: Pass user role when using the authentication
proxy.
* Gazetteer: Update countries.json file to allow for linking to
3-letter country codes.
* Config: Fix Docker builds by correcting formatting in
sample.ini.
* Explore: Fix encoding of internal URLs.
- Update to version 8.1.0-beta1
* Alerting: Add Alertmanager notifications tab.
* Alerting: Add button to deactivate current Alertmanager
* Alerting: Add toggle in Loki/Prometheus data source
configuration to opt out of alerting UI.
* Alerting: Allow any 'evaluate for' value >=0 in the alert
rule form.
* Alerting: Load default configuration from status endpoint, if
Cortex Alertmanager returns empty user configuration.
* Alerting: view to display alert rule and its underlying data.
* Annotation panel: Release the annotation panel.
* Annotations: Add typeahead support for tags in built-in
annotations.
* AzureMonitor: Add curated dashboards for Azure services.
* AzureMonitor: Add support for deep links to Microsoft Azure
portal for Metrics.
* AzureMonitor: Remove support for different credentials for
Azure Monitor Logs.
* AzureMonitor: Support querying any Resource for Logs queries.
* Elasticsearch: Add frozen indices search support.
* Elasticsearch: Name fields after template variables values
instead of their name.
* Elasticsearch: add rate aggregation.
* Email: Allow configuration of content types for email
notifications.
* Explore: Add more meta information when line limit is hit.
* Explore: UI improvements to trace view.
* FieldOverrides: Added support to change display name in an
override field and have it be matched by a later rule.
* HTTP Client: Introduce dataproxy_max_idle_connections config
variable.
* InfluxDB: InfluxQL: adds tags to timeseries data.
* InfluxDB: InfluxQL: make measurement search case insensitive.
Legacy Alerting: Replace simplejson with a struct in webhook
notification channel.
* Legend: Updates display name for Last (not null) to just
Last*.
* Logs panel: Add option to show common labels.
* Loki: Add $__range variable.
* Loki: Add support for 'label_values(log stream selector,
label)' in templating.
* Loki: Add support for ad-hoc filtering in dashboard.
* MySQL Datasource: Add timezone parameter.
* NodeGraph: Show gradient fields in legend.
* PanelOptions: Don't mutate panel options/field config object
when updating.
* PieChart: Make pie gradient more subtle to match other
charts.
* Prometheus: Update PromQL typeahead and highlighting.
* Prometheus: interpolate variable for step field.
* Provisioning: Improve validation by validating across all
dashboard providers.
* SQL Datasources: Allow multiple string/labels columns with
time series.
* Select: Portal select menu to document.body.
* Team Sync: Add group mapping to support team sync in the
Generic OAuth provider.
* Tooltip: Make active series more noticeable.
* Tracing: Add support to configure trace to logs start and end
time.
* Transformations: Skip merge when there is only a single data
frame.
* ValueMapping: Added support for mapping text to color,
boolean values, NaN and Null. Improved UI for value mapping.
* Visualizations: Dynamically set any config (min, max, unit,
color, thresholds) from query results.
* live: Add support to handle origin without a value for the
port when matching with root_url.
* Alerting: Handle marshaling Inf values.
* AzureMonitor: Fix macro resolution for template variables.
* AzureMonitor: Fix queries with Microsoft.NetApp/../../volumes
resources.
* AzureMonitor: Request and concat subsequent resource pages.
* Bug: Fix parse duration for day.
* Datasources: Improve error handling for error messages.
* Explore: Correct the functionality of shift-enter shortcut
across all uses.
* Explore: Show all dataFrames in data tab in Inspector.
* GraphNG: Fix Tooltip mode 'All' for XYChart.
* Loki: Fix highlight of logs when using filter expressions
with backticks.
* Modal: Force modal content to overflow with scroll.
* Plugins: Ignore symlinked folders when verifying plugin
signature.
* Toolkit: Improve error messages when tasks fail.
- Update to version 8.0.7
- Update to version 8.0.6
* Alerting: Add annotation upon alert state change.
* Alerting: Allow space in label and annotation names.
* InfluxDB: Improve legend labels for InfluxDB query results.
* Alerting: Fix improper alert by changing the handling of
empty labels.
* CloudWatch/Logs: Reestablish Cloud Watch alert behavior.
* Dashboard: Avoid migration breaking on fieldConfig without
defaults field in folded panel.
* DashboardList: Fix issue not re-fetching dashboard list after
variable change.
* Database: Fix incorrect format of isolation level
configuration parameter for MySQL.
* InfluxDB: Correct tag filtering on InfluxDB data.
* Links: Fix links that caused a full page reload.
* Live: Fix HTTP error when InfluxDB metrics have an incomplete
or asymmetrical field set.
* Postgres/MySQL/MSSQL: Change time field to 'Time' for time
series queries.
* Postgres: Fix the handling of a null return value in query
* Tempo: Show hex strings instead of uints for IDs.
* TimeSeries: Improve tooltip positioning when tooltip
overflows.
* Transformations: Add 'prepare time series' transformer.
- Update to version 8.0.5
* Cloudwatch Logs: Send error down to client.
* Folders: Return 409 Conflict status when folder already
exists.
* TimeSeries: Do not show series in tooltip if it's hidden in
the viz.
* AzureMonitor: Fix issue where resource group name is missing
on the resource picker button.
* Chore: Fix AWS auth assuming role with workspace IAM.
* DashboardQueryRunner: Fixes unrestrained subscriptions being
* DateFormats: Fix reading correct setting key for
use_browser_locale.
* Links: Fix links to other apps outside Grafana when under sub
path.
* Snapshots: Fix snapshot absolute time range issue.
* Table: Fix data link color.
* Time Series: Fix X-axis time format when tick increment is
larger than a year.
* Tooltip Plugin: Prevent tooltip render if field is undefined.
- Update to version 8.0.4
* Live: Rely on app url for origin check.
* PieChart: Sort legend descending, update placeholder.
* TimeSeries panel: Do not reinitialize plot when thresholds
mode change.
* Elasticsearch: Allow case sensitive custom options in
date_histogram interval.
* Elasticsearch: Restore previous field naming strategy when
using variables.
* Explore: Fix import of queries between SQL data sources.
* InfluxDB: InfluxQL query editor: fix retention policy
handling.
* Loki: Send correct time range in template variable queries.
* TimeSeries: Preserve RegExp series overrides when migrating
from old graph panel.
- Update to version 8.0.3
* Alerting: Increase alertmanager_conf column if MySQL.
* Time series/Bar chart panel: Handle infinite numbers as nulls
when converting to plot array.
* TimeSeries: Ensure series overrides that contain color are
migrated, and migrate the previous fieldConfig when changing
the panel type.
* ValueMappings: Improve singlestat value mappings migration.
* Annotations: Fix annotation line and marker colors.
* AzureMonitor: Fix KQL template variable queries without
default workspace.
* CloudWatch/Logs: Fix missing response data for log queries.
* LibraryPanels: Fix crash in library panels list when panel
plugin is not found.
* LogsPanel: Fix performance drop when moving logs panel in
* Loki: Parse log levels when ANSI coloring is enabled.
* MSSQL: Fix issue with hidden queries still being executed.
* PanelEdit: Display the VisualizationPicker that was not
displayed if a panel has an unknown panel plugin.
* Plugins: Fix loading symbolically linked plugins.
* Prometheus: Fix issue where legend name was replaced with
name Value in stat and gauge panels.
* State Timeline: Fix crash when hovering over panel.
- Update to version 8.0.2
* Datasource: Add support for max_conns_per_host in dataproxy
settings.
* Configuration: Fix changing org preferences in FireFox.
* PieChart: Fix legend dimension limits.
* Postgres/MySQL/MSSQL: Fix panic in concurrent map writes.
* Variables: Hide default data source if missing from regex.
- Update to version 8.0.1
* Alerting/SSE: Fix 'count_non_null' reducer validation.
* Cloudwatch: Fix duplicated time series.
* Cloudwatch: Fix missing defaultRegion.
* Dashboard: Fix Dashboard init failed error on dashboards with
old singlestat panels in collapsed rows.
* Datasource: Fix storing timeout option as numeric.
* Postgres/MySQL/MSSQL: Fix annotation parsing for empty
* Postgres/MySQL/MSSQL: Numeric/non-string values are now
returned from query variables.
* Postgres: Fix an error that was thrown when the annotation
query did not return any results.
* StatPanel: Fix an issue with the appearance of the graph when
switching color mode.
* Visualizations: Fix an issue in the
Stat/BarGauge/Gauge/PieChart panels where all values mode
were showing the same name if they had the same value.
* Toolkit: Resolve external fonts when Grafana is served from a
sub path.
- Update to version 8.0.0
* The following endpoints were deprecated for Grafana v5.0 and
support for them has now been removed:
GET /dashboards/db/:slug
GET /dashboard-solo/db/:slug
GET /api/dashboard/db/:slug
DELETE /api/dashboards/db/:slug
* AzureMonitor: Require default subscription for workspaces()
template variable query.
* AzureMonitor: Use resource type display names in the UI.
* Dashboard: Remove support for loading and deleting dashboard
by slug.
* InfluxDB: Deprecate direct browser access in data source.
* VizLegend: Add a read-only property.
* AzureMonitor: Fix Azure Resource Graph queries in Azure
China.
* Checkbox: Fix vertical layout issue with checkboxes due to
fixed height.
* Dashboard: Fix Table view when editing causes the panel data
to not update.
* Dashboard: Fix issues where unsaved-changes warning is not
displayed.
* Login: Fixes Unauthorized message showing when on login page
or snapshot page.
* NodeGraph: Fix sorting markers in grid view.
* Short URL: Include orgId in generated short URLs.
* Variables: Support raw values of boolean type.
- Update to version 8.0.0-beta3
* The default HTTP method for Prometheus data source is now
POST.
* API: Support folder UID in dashboards API.
* Alerting: Add support for configuring avatar URL for the
Discord notifier.
* Alerting: Clarify that Threema Gateway Alerts support only
Basic IDs.
* Azure: Expose Azure settings to external plugins.
* AzureMonitor: Deprecate using separate credentials for Azure
Monitor Logs.
* AzureMonitor: Display variables in resource picker for Azure
* AzureMonitor: Hide application insights for data sources not
using it.
* AzureMonitor: Support querying subscriptions and resource
groups in Azure Monitor Logs.
* AzureMonitor: remove requirement for default subscription.
* CloudWatch: Add Lambda@Edge Amazon CloudFront metrics.
* CloudWatch: Add missing AWS AppSync metrics.
* ConfirmModal: Auto focus delete button.
* Explore: Add caching for queries that are run from logs
* Loki: Add formatting for annotations.
* Loki: Bring back processed bytes as meta information.
* NodeGraph: Display node graph collapsed by default with trace
view.
* Overrides: Include a manual override option to hide something
from visualization.
* PieChart: Support row data in pie charts.
* Prometheus: Update default HTTP method to POST for existing
data sources.
* Time series panel: Position tooltip correctly when window is
scrolled or resized.
* Admin: Fix infinite loading edit on the profile page.
* Color: Fix issues with random colors in string and date
* Dashboard: Fix issue with title or folder change has no
effect after exiting settings view.
* DataLinks: Fix an issue __series.name is not working in data
link.
* Datasource: Fix dataproxy timeout should always be applied
for outgoing data source HTTP requests.
* Elasticsearch: Fix NewClient not passing httpClientProvider
to client impl.
* Explore: Fix Browser title not updated on Navigation to
Explore.
* GraphNG: Remove fieldName and hideInLegend properties from
UPlotSeriesBuilder.
* OAuth: Fix fallback to auto_assign_org_role setting for Azure
AD OAuth when no role claims exists.
* PanelChrome: Fix issue with empty panel after adding a non
data panel and coming back from panel edit.
* StatPanel: Fix data link tooltip not showing for single
value.
* Table: Fix sorting for number fields.
* Table: Have text underline for datalink, and add support for
image datalink.
* Transformations: Prevent FilterByValue transform from
crashing panel edit.
- Update to version 8.0.0-beta2
* AppPlugins: Expose react-router to apps.
* AzureMonitor: Add Azure Resource Graph.
* AzureMonitor: Managed Identity configuration UI.
* AzureMonitor: Token provider with support for Managed
Identities.
* AzureMonitor: Update Logs workspace() template variable query
to return resource URIs.
* BarChart: Value label sizing.
* CloudMonitoring: Add support for preprocessing.
* CloudWatch: Add AWS/EFS StorageBytes metric.
* CloudWatch: Allow use of missing AWS namespaces using custom
* Datasource: Shared HTTP client provider for core backend data
sources and any data source using the data source proxy.
* InfluxDB: InfluxQL: allow empty tag values in the query
editor.
* Instrumentation: Instrument incoming HTTP request with
histograms by default.
* Library Panels: Add name endpoint & unique name validation to
AddLibraryPanelModal.
* Logs panel: Support details view.
* PieChart: Always show the calculation options dropdown in the
* PieChart: Remove beta flag.
* Plugins: Enforce signing for all plugins.
* Plugins: Remove support for deprecated backend plugin
protocol version.
* Tempo/Jaeger: Add better display name to legend.
* Timeline: Add time range zoom.
* Timeline: Adds opacity & line width option.
* Timeline: Value text alignment option.
* ValueMappings: Add duplicate action, and disable dismiss on
backdrop click.
* Zipkin: Add node graph view to trace response.
* Annotations panel: Remove subpath from dashboard links.
* Content Security Policy: Allow all image sources by default.
* Content Security Policy: Relax default template wrt. loading
of scripts, due to nonces not working.
* Datasource: Fix tracing propagation for alert execution by
introducing HTTP client outgoing tracing middleware.
* InfluxDB: InfluxQL always apply time interval end.
* Library Panels: Fixes 'error while loading library panels'.
* NewsPanel: Fixes rendering issue in Safari.
* PanelChrome: Fix queries being issued again when scrolling in
and out of view.
* Plugins: Fix Azure token provider cache panic and auth param
nil value.
* Snapshots: Fix key and deleteKey being ignored when creating
an external snapshot.
* Table: Fix issue with cell border not showing with colored
background cells.
* Table: Makes tooltip scrollable for long JSON values.
* TimeSeries: Fix for Connected null values threshold toggle
during panel editing.
* Variables: Fixes inconsistent selected states on dashboard
* Variables: Refreshes all panels even if panel is full screen.
* QueryField: Remove carriage return character from pasted text.
- Update to version 8.0.0-beta1
+ License update:
* AGPL License: Update license from Apache 2.0 to the GNU
Affero General Public License (AGPL).
* Removes the never refresh option for Query variables.
* Removes the experimental Tags feature for Variables.
+ Deprecations:
* The InfoBox & FeatureInfoBox are now deprecated please use
the Alert component instead with severity info.
* API: Add org users with pagination.
* API: Return 404 when deleting nonexistent API key.
* API: Return query results as JSON rather than base64 encoded
Arrow.
* Alerting: Allow sending notification tags to Opsgenie as
extra properties.
* Alerts: Replaces all uses of InfoBox & FeatureInfoBox with
Alert.
* Auth: Add support for JWT Authentication.
* AzureMonitor: Add support for
Microsoft.SignalRService/SignalR metrics.
* AzureMonitor: Azure settings in Grafana server config.
* AzureMonitor: Migrate Metrics query editor to React.
* BarChart panel: enable series toggling via legend.
* BarChart panel: Adds support for Tooltip in BarChartPanel.
* PieChart panel: Change look of highlighted pie slices.
* CloudMonitoring: Migrate config editor from angular to react.
* CloudWatch: Add Amplify Console metrics and dimensions.
* CloudWatch: Add missing Redshift metrics to CloudWatch data
* CloudWatch: Add metrics for managed RabbitMQ service.
* DashboardList: Enable templating on search tag input.
* Datasource config: correctly remove single custom http
header.
* Elasticsearch: Add generic support for template variables.
* Elasticsearch: Allow omitting field when metric supports
inline script.
* Elasticsearch: Allow setting a custom limit for log queries.
* Elasticsearch: Guess field type from first non-empty value.
* Elasticsearch: Use application/x-ndjson content type for
multisearch requests.
* Elasticsearch: Use semver strings to identify ES version.
* Explore: Add logs navigation to request more logs.
* Explore: Map Graphite queries to Loki.
* Explore: Scroll split panes in Explore independently.
* Explore: Wrap each panel in separate error boundary.
* FieldDisplay: Smarter naming of stat values when visualising
row values (all values) in stat panels.
* Graphite: Expand metric names for variables.
* Graphite: Handle unknown Graphite functions without breaking
the visual editor.
* Graphite: Show graphite functions descriptions.
* Graphite: Support request cancellation properly (Uses new
backendSrv.fetch Observable request API).
* InfluxDB: Flux: Improve handling of complex
response-structures.
* InfluxDB: Support region annotations.
* Inspector: Download logs for manual processing.
* Jaeger: Add node graph view for trace.
* Jaeger: Search traces.
* Loki: Use data source settings for alerting queries.
* NodeGraph: Exploration mode.
* OAuth: Add support for empty scopes.
* PanelChrome: New logic-less emotion based component with no
dependency on PanelModel or DashboardModel.
* PanelEdit: Adds a table view toggle to quickly view data in
table form.
* PanelEdit: Highlight matched words when searching options.
* PanelEdit: UX improvements.
* Plugins: PanelRenderer and simplified QueryRunner to be used
from plugins.
* Plugins: AuthType in route configuration and params
interpolation.
* Plugins: Enable plugin runtime install/uninstall
capabilities.
* Plugins: Support set body content in plugin routes.
* Plugins: Introduce marketplace app.
* Plugins: Moving the DataSourcePicker to grafana/runtime so it
can be reused in plugins.
* Prometheus: Add custom query params for alert and exemplars
* Prometheus: Use fuzzy string matching to autocomplete metric
names and label.
* Routing: Replace Angular routing with react-router.
* Slack: Use chat.postMessage API by default.
* Tempo: Search for Traces by querying Loki directly from
Tempo.
* Tempo: Show graph view of the trace.
* Themes: Switch theme without reload using global shortcut.
* TimeSeries panel: Add support for shared cursor.
* TimeSeries panel: Do not crash the panel if there is no time
series data in the response.
* Variables: Do not save repeated panels, rows and scopedVars.
* Variables: Removes experimental Tags feature.
* Variables: Removes the never refresh option.
* Visualizations: Unify tooltip options across visualizations.
* Visualizations: Refactor and unify option creation between
new visualizations.
* Visualizations: Remove singlestat panel.
* APIKeys: Fixes issue with adding first api key.
* Alerting: Add checks for non supported units - disable
defaulting to seconds.
* Alerting: Fix issue where Slack notifications won't link to
user IDs.
* Alerting: Omit empty message in PagerDuty notifier.
* AzureMonitor: Fix migration error from older versions of App
Insights queries.
* CloudWatch: Fix AWS/Connect dimensions.
* CloudWatch: Fix broken AWS/MediaTailor dimension name.
* Dashboards: Allow string manipulation as advanced variable
format option.
* DataLinks: Includes harmless extended characters like
Cyrillic characters.
* Drawer: Fixes title overflowing its container.
* Explore: Fix issue when some query errors were not shown.
* Generic OAuth: Prevent adding duplicated users.
* Graphite: Handle invalid annotations.
* Graphite: Fix autocomplete when tags are not available.
* InfluxDB: Fix Cannot read property 'length' of undefined in
when parsing response.
* Instrumentation: Enable tracing when Jaeger host and port are
* Instrumentation: Prefix metrics with grafana.
* MSSQL: By default let driver choose port.
* OAuth: Add optional strict parsing of role_attribute_path.
* Panel: Fixes description markdown with inline code being
rendered on newlines and full width.
* PanelChrome: Ignore data updates & errors for non data
panels.
* Permissions: Fix inherited folder permissions can prevent new
permissions being added to a dashboard.
* Plugins: Remove pre-existing plugin installs when installing
with grafana-cli.
* Plugins: Support installing to folders with whitespace and
fix pluginUrl trailing and leading whitespace failures.
* Postgres/MySQL/MSSQL: Don't return connection failure details
to the client.
* Postgres: Fix ms precision of interval in time group macro
when TimescaleDB is enabled.
* Provisioning: Use dashboard checksum field as change
indicator.
* SQL: Fix so that all captured errors are returned from sql
engine.
* Shortcuts: Fixes panel shortcuts so they always work.
* Table: Fixes so border is visible for cells with links.
* Variables: Clear query when data source type changes.
* Variables: Filters out builtin variables from unknown list.
* Button: Introduce buttonStyle prop.
* DataQueryRequest: Remove deprecated props showingGraph and
showingTabel and exploreMode.
* grafana/ui: Update React Hook Form to v7.
* IconButton: Introduce variant for red and blue icon buttons.
* Plugins: Expose the getTimeZone function to be able to get
the current selected timeZone.
* TagsInput: Add className to TagsInput.
* VizLegend: Move onSeriesColorChanged to PanelContext
(breaking change).
- Update to version 7.5.13
* Alerting: Fix NoDataFound for alert rules using AND operator.
mgr-cfg:
- Version 4.3.6-1
* Corrected source URL in spec file
* Fix installation problem for SLE15SP4 due missing python-selinux
* Fix python selinux package name depending on build target (bsc#1193600)
* Do not build python 2 package for SLE15SP4 and higher
* Remove unused legacy code
mgr-custom-info:
- Version 4.3.3-1
* Remove unused legacy code
mgr-daemon:
- Version 4.3.4-1
* Corrected source URLs in spec file
* Update translation strings
mgr-osad:
- Version 4.3.6-1
* Corrected source URL in spec file.
* Do not build python 2 package for SLE15SP4 and higher
* Removed spacewalk-selinux dependencies.
* Updated source url.
mgr-push:
- Version 4.3.4-1
* Corrected source URLs in spec file
mgr-virtualization:
- Version 4.3.5-1
* Corrected source URLs in spec file.
* Do not build python 2 package for SLE15SP4 and higher
prometheus-blackbox_exporter:
- Enhanced to build on Enterprise Linux 8
prometheus-postgres_exporter:
- Updated for RHEL8.
python-hwdata:
- Require python macros for building
rhnlib:
- Version 4.3.4-1
* Reorganize python files
spacecmd:
- Version 4.3.11-1
* on full system update call schedulePackageUpdate API (bsc#1197507)
* parse boolean paramaters correctly (bsc#1197689)
* Add parameter to set containerized proxy SSH port
* Add proxy config generation subcommand
* Option 'org_createfirst' added to perform initial organization and user creation
* Added gettext build requirement for RHEL.
* Removed RHEL 5 references.
* Include group formulas configuration in spacecmd group_backup and
spacecmd group_restore. This changes backup format to json,
previously used plain text is still supported for reading (bsc#1190462)
* Update translation strings
* Improved event history listing and added new system_eventdetails
command to retrieve the details of an event
* Make schedule_deletearchived to get all actions without display limit
* Allow passing a date limit for schedule_deletearchived on spacecmd (bsc#1181223)
spacewalk-client-tools:
- Version 4.3.9-1
* Corrected source URLs in spec file.
* do not build python 2 package for SLE15
* Remove unused legacy code
* Update translation strings
spacewalk-koan:
- Version 4.3.5-1
* Corrected source URLs in spec file.
spacewalk-oscap:
- Version 4.3.5-1
* Corrected source URLs in spec file.
* Do not build python 2 package for SLE15SP4 and higher
spacewalk-remote-utils:
- Version 4.3.3-1
* Adapt the package for changes in rhnlib
supportutils-plugin-susemanager-client:
- Version 4.3.2-1
* Add proxy containers config and logs
suseRegisterInfo:
- Version 4.3.3-1
* Bump version to 4.3.0
supportutils-plugin-salt:
- Add support for Salt Bundle
uyuni-common-libs:
- Version 4.3.4-1
* implement more decompression algorithms for reposync (bsc#1196704)
* Reorganize python files
* Add decompression of zck files to fileutils
ImportantSUSE bug 1181223SUSE bug 1181400SUSE bug 1190462SUSE bug 1190535SUSE bug 1193600SUSE bug 1194873SUSE bug 1195726SUSE bug 1195727SUSE bug 1195728SUSE bug 1196338SUSE bug 1196704SUSE bug 1197507SUSE bug 1197689CVE-2021-36222 at SUSECVE-2021-36222 at NVDCVE-2021-3711 at SUSECVE-2021-3711 at NVDCVE-2021-39226 at SUSECVE-2021-39226 at NVDCVE-2021-41174 at SUSECVE-2021-41174 at NVDCVE-2021-41244 at SUSECVE-2021-41244 at NVDCVE-2021-43798 at SUSECVE-2021-43798 at NVDCVE-2021-43813 at SUSECVE-2021-43813 at NVDCVE-2021-43815 at SUSECVE-2021-43815 at NVDCVE-2022-21673 at SUSECVE-2022-21673 at NVDCVE-2022-21698 at SUSECVE-2022-21698 at NVDCVE-2022-21702 at SUSECVE-2022-21702 at NVDCVE-2022-21703 at SUSECVE-2022-21703 at NVDCVE-2022-21713 at SUSECVE-2022-21713 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for fwupdate (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update of fwupdate fixes the following issue:
- rebuild with new secure boot key due to grub2 boothole 3 issues (bsc#1198581)
ImportantSUSE bug 1198581cpe:/o:suse:sles-bcl:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python3 fixes the following issues:
- CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511).
ImportantSUSE bug 1070738SUSE bug 1198511SUSE bug 1199441CVE-2015-20107 at SUSECVE-2015-20107 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for openssl fixes the following issues:
- CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)
ModerateSUSE bug 1200550CVE-2022-2068 at SUSECVE-2022-2068 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for oracleasm (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update of oracleasm fixes the following issue:
- rebuild with new secure boot key due to grub2 boothole 3 issues (bsc#1198581)
ImportantSUSE bug 1198581cpe:/o:suse:sles-bcl:12:sp3Security update for python (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python fixes the following issues:
- CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511).
ImportantSUSE bug 1198511CVE-2015-20107 at SUSECVE-2015-20107 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for sysstat (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for sysstat fixes the following issues:
Security issue fixed:
- CVE-2019-19725: Fixed double free in check_file_actlst in sa_common.c (bsc#1159104).
Bug fixes:
- Enable log information of starting/stoping services. (bsc#1144923, jsc#SLE-5958)
ModerateSUSE bug 1144923SUSE bug 1159104CVE-2019-19725 at SUSECVE-2019-19725 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for dpdk (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update of dpdk fixes the following issue:
- rebuild with new secure boot key due to grub2 boothole 3 issues (bsc#1198581)
ImportantSUSE bug 1198581cpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
Update to Firefox Extended Support Release 91.11.0 ESR (MFSA 2022-25) (bsc#1200793):
- CVE-2022-2200: Undesired attributes could be set as part of prototype pollution (bmo#1771381)
- CVE-2022-31744: CSP bypass enabling stylesheet injection (bmo#1757604)
- CVE-2022-34468: CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI (bmo#1768537)
- CVE-2022-34470: Use-after-free in nsSHistory (bmo#1765951)
- CVE-2022-34472: Unavailable PAC file resulted in OCSP requests being blocked (bmo#1770123)
- CVE-2022-34478: Microsoft protocols can be attacked if a user accepts a prompt (bmo#1773717)
- CVE-2022-34479: A popup window could be resized in a way to overlay the address bar with web content (bmo#1745595)
- CVE-2022-34481: Potential integer overflow in ReplaceElementsAt (bmo#1497246)
- CVE-2022-34484: Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11 (bmo#1763634, bmo#1772651)
ImportantSUSE bug 1200793CVE-2022-2200 at SUSECVE-2022-2200 at NVDCVE-2022-31744 at SUSECVE-2022-31744 at NVDCVE-2022-34468 at SUSECVE-2022-34468 at NVDCVE-2022-34470 at SUSECVE-2022-34470 at NVDCVE-2022-34472 at SUSECVE-2022-34472 at NVDCVE-2022-34478 at SUSECVE-2022-34478 at NVDCVE-2022-34479 at SUSECVE-2022-34479 at NVDCVE-2022-34481 at SUSECVE-2022-34481 at NVDCVE-2022-34484 at SUSECVE-2022-34484 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for rsyslog (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for rsyslog fixes the following issues:
- CVE-2022-24903: fix potential heap buffer overflow in modules for TCP syslog reception (bsc#1199061)
ImportantSUSE bug 1199061CVE-2022-24903 at SUSECVE-2022-24903 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for pcre (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for pcre fixes the following issues:
- CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)
ImportantSUSE bug 1199232CVE-2022-1586 at SUSECVE-2022-1586 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for curl (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for curl fixes the following issues:
- CVE-2022-32208: FTP-KRB bad message verification (bsc#1200737)
ImportantSUSE bug 1200737CVE-2022-32208 at SUSECVE-2022-32208 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xorg-x11-server fixes the following issues:
- CVE-2022-2319: Fixed out-of-bounds access in _CheckSetSections() (ZDI-CAN-16062) (bsc#1194179).
- CVE-2022-2320: Fixed out-of-bounds access in CheckSetDeviceIndicators() (ZDI-CAN-16070) (bsc#1194181).
ImportantSUSE bug 1194179SUSE bug 1194181CVE-2022-2319 at SUSECVE-2022-2319 at NVDCVE-2022-2320 at SUSECVE-2022-2320 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for squid (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for squid fixes the following issues:
- CVE-2020-25097: Fixed HTTP Request Smuggling (bsc#1183436)
- CVE-2021-28651: Fixed DoS in URN processing (bsc#1185921)
- CVE-2021-46784: Fixed DoS when processing gopher server responses (bsc#1200907)
ImportantSUSE bug 1183436SUSE bug 1185921SUSE bug 1200907CVE-2020-25097 at SUSECVE-2020-25097 at NVDCVE-2021-28651 at SUSECVE-2021-28651 at NVDCVE-2021-46784 at SUSECVE-2021-46784 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-BCL
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2022-29900, CVE-2022-29901: Fixed the RETBLEED attack, a new Spectre like Branch Target Buffer attack, that can leak arbitrary kernel information (bsc#1199657).
- CVE-2022-1679: Fixed a use-after-free in the Atheros wireless driver in the way a user forces the ath9k_htc_wait_for_target function to fail with some input messages (bsc#1199487).
- CVE-2022-20132: Fixed out of bounds read due to improper input validation in lg_probe and related functions of hid-lg.c (bsc#1200619).
- CVE-2022-33981: Fixed use-after-free in floppy driver (bsc#1200692)
- CVE-2022-20141: Fixed a possible use after free due to improper locking in ip_check_mc_rcu() (bsc#1200604).
- CVE-2021-4157: Fixed an out of memory bounds write flaw in the NFS subsystem, related to the replication of files with NFS. A user could potentially crash the system or escalate privileges on the system (bsc#1194013).
- CVE-2021-26341: Some AMD CPUs may transiently execute beyond unconditional direct branches, which may potentially result in data leakage (bsc#1201050).
- CVE-2017-16525: Fixed a use-after-free after failed setup in usb/serial/console (bsc#1066618).
The following non-security bugs were fixed:
- exec: Force single empty string when argv is empty (bsc#1200571).
ImportantSUSE bug 1066618SUSE bug 1146519SUSE bug 1194013SUSE bug 1196901SUSE bug 1199487SUSE bug 1199657SUSE bug 1200571SUSE bug 1200604SUSE bug 1200605SUSE bug 1200619SUSE bug 1200692SUSE bug 1201050SUSE bug 1201080CVE-2017-16525 at SUSECVE-2017-16525 at NVDCVE-2021-26341 at SUSECVE-2021-26341 at NVDCVE-2021-4157 at SUSECVE-2021-4157 at NVDCVE-2022-1679 at SUSECVE-2022-1679 at NVDCVE-2022-20132 at SUSECVE-2022-20132 at NVDCVE-2022-20141 at SUSECVE-2022-20141 at NVDCVE-2022-29900 at SUSECVE-2022-29900 at NVDCVE-2022-29901 at SUSECVE-2022-29901 at NVDCVE-2022-33981 at SUSECVE-2022-33981 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for webkit2gtk3 fixes the following issues:
Update to version 2.36.4 (bsc#1201221):
- CVE-2022-22662: Processing maliciously crafted web content may disclose sensitive user information.
- CVE-2022-22677: The video in a webRTC call may be interrupted if the audio capture gets interrupted.
- CVE-2022-26710: Processing maliciously crafted web content may lead to arbitrary code execution.
ImportantSUSE bug 1201221CVE-2022-22662 at SUSECVE-2022-22662 at NVDCVE-2022-22677 at SUSECVE-2022-22677 at NVDCVE-2022-26710 at SUSECVE-2022-26710 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for python-M2Crypto (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python-M2Crypto fixes the following issues:
- CVE-2020-25657: Fixed Bleichenbacher timing attacks in the RSA decryption API (bsc#1178829).
ImportantSUSE bug 1178829CVE-2020-25657 at SUSECVE-2020-25657 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for gpg2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for gpg2 fixes the following issues:
- CVE-2022-34903: Fixed a status injection vulnerability (bsc#1201225).
ImportantSUSE bug 1201225CVE-2022-34903 at SUSECVE-2022-34903 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_8_0-openjdk fixes the following issues:
Update to version jdk8u332 - April 2022 CPU (icedtea-3.23.0)
- CVE-2022-21426: Better XPath expression handling (bsc#1198672)
- CVE-2022-21443: Improved Object Identification (bsc#1198675)
- CVE-2022-21434: Better invocation handler handling (bsc#1198674)
- CVE-2022-21476: Improve Santuario processing (bsc#1198671)
- CVE-2022-21496: Improve URL supports (bsc#1198673)
And further Security fixes, Import of OpenJDK 8 u332, Backports and Bug fixes.
ImportantSUSE bug 1198671SUSE bug 1198672SUSE bug 1198673SUSE bug 1198674SUSE bug 1198675CVE-2022-21426 at SUSECVE-2022-21426 at NVDCVE-2022-21434 at SUSECVE-2022-21434 at NVDCVE-2022-21443 at SUSECVE-2022-21443 at NVDCVE-2022-21476 at SUSECVE-2022-21476 at NVDCVE-2022-21496 at SUSECVE-2022-21496 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for mozilla-nspr, mozilla-nss (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to fix various issues:
FIPS 140-3 enablement patches were backported from SUSE Linux Enterprise 15.
- FIPS: add on-demand integrity tests through sftk_FIPSRepeatIntegrityCheck() (bsc#1198980).
- FIPS: mark algorithms as approved/non-approved according to security policy (bsc#1191546, bsc#1201298).
- FISP: remove hard disabling of unapproved algorithms. This requirement is now
fulfilled by the service level indicator (bsc#1200325).
Version update to NSS 3.79
- Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
- Update mercurial in clang-format docker image.
- Use of uninitialized pointer in lg_init after alloc fail.
- selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
- Add SECMOD_LockedModuleHasRemovableSlots.
- Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
- Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.
- TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.
- Correct invalid record inner and outer content type alerts.
- NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
- improve error handling after nssCKFWInstance_CreateObjectHandle.
- Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
- NSS 3.79 should depend on NSPR 4.34
Update to NSS 3.78.1
- Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple
update to NSS 3.78
- Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests.
- Reworked overlong record size checks and added TLS1.3 specific boundaries.
- Add ECH Grease Support to tstclnt
- Add a strict variant of moz::pkix::CheckCertHostname.
- Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
- Make SEC_PKCS12EnableCipher succeed
- Update zlib in NSS to 1.2.12.
Update to NSS 3.77:
- resolve mpitests build failure on Windows.
- Fix link to TLS page on wireshark wiki
- Add two D-TRUST 2020 root certificates.
- Add Telia Root CA v2 root certificate.
- Remove expired explicitly distrusted certificates from certdata.txt.
- support specific RSA-PSS parameters in mozilla::pkix
- Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
- Remove token member from NSSSlot struct.
- Provide secure variants of mpp_pprime and mpp_make_prime.
- Support UTF-8 library path in the module spec string.
- Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
- Add a CI Target for gcc-11.
- Change to makefiles for gcc-4.8.
- Update googletest to 1.11.0
- Add SetTls13GreaseEchSize to experimental API.
- TLS 1.3 Illegal legacy_version handling/alerts.
- Fix calculation of ECH HRR Transcript.
- Allow ld path to be set as environment variable.
- Ensure we don't read uninitialized memory in ssl gtests.
- Fix DataBuffer Move Assignment.
- internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3
- rework signature verification in mozilla::pkix
update to NSS 3.76.1
- Remove token member from NSSSlot struct.
NSS 3.76
- Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots.
- Check return value of PK11Slot_GetNSSToken.
- Use Wycheproof JSON for RSASSA-PSS
- Add SHA256 fingerprint comments to old certdata.txt entries.
- Avoid truncating files in nss-release-helper.py.
- Throw illegal_parameter alert for illegal extensions in handshake message.
update to NSS 3.75
- Make DottedOIDToCode.py compatible with python3.
- Avoid undefined shift in SSL_CERT_IS while fuzzing.
- Remove redundant key type check.
- Update ABI expectations to match ECH changes.
- Enable CKM_CHACHA20.
- check return on NSS_NoDB_Init and NSS_Shutdown.
- real move assignment operator.
- Run ECDSA test vectors from bltest as part of the CI tests.
- Add ECDSA test vectors to the bltest command line tool.
- Allow to build using clang's integrated assembler.
- Allow to override python for the build.
- test HKDF output rather than input.
- Use ASSERT macros to end failed tests early.
- move assignment operator for DataBuffer.
- Add test cases for ECH compression and unexpected extensions in SH.
- Update tests for ECH-13.
- Tidy up error handling.
- Add tests for ECH HRR Changes.
- Server only sends GREASE HRR extension if enabled by preference.
- Update generation of the Associated Data for ECH-13.
- When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello.
- Allow for compressed, non-contiguous, extensions.
- Scramble the PSK extension in CHOuter.
- Split custom extension handling for ECH.
- Add ECH-13 HRR Handling.
- Client side ECH padding.
- Stricter ClientHelloInner Decompression.
- Remove ECH_inner extension, use new enum format.
- Update the version number for ECH-13 and adjust the ECHConfig size.
Update to NSS 3.74:
- mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses
- Ensure clients offer consistent ciphersuites after HRR
- NSS does not properly restrict server keys based on policy
- Set nssckbi version number to 2.54
- Replace Google Trust Services LLC (GTS) R4 root certificate
- Replace Google Trust Services LLC (GTS) R3 root certificate
- Replace Google Trust Services LLC (GTS) R2 root certificate
- Replace Google Trust Services LLC (GTS) R1 root certificate
- Replace GlobalSign ECC Root CA R4
- Remove Expired Root Certificates - DST Root CA X3
- Remove Expiring Cybertrust Global Root and GlobalSign root certificates
- Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate
- Add iTrusChina ECC root certificate
- Add iTrusChina RSA root certificate
- Add ISRG Root X2 root certificate
- Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
- Avoid a clang 13 unused variable warning in opt build
- Check for missing signedData field
- Ensure DER encoded signatures are within size limits
- enable key logging option (bsc#1195040)
Update to NSS 3.73.1:
- Add SHA-2 support to mozilla::pkix's OSCP implementation
Update to NSS 3.73
- check for missing signedData field.
- Ensure DER encoded signatures are within size limits.
- NSS needs FiPS 140-3 version indicators.
- pkix_CacheCert_Lookup doesn't return cached certs
- sunset Coverity from NSS
MFSA 2021-51 (bsc#1193170) CVE-2021-43527: Memory corruption via DER-encoded DSA and RSA-PSS signatures
Update to NSS 3.72
- Fix nsinstall parallel failure.
- Increase KDF cache size to mitigate perf regression in about:logins
Update to NSS 3.71
- Set nssckbi version number to 2.52.
- Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
- Import of PKCS#12 files with Camellia encryption is not supported
- Add HARICA Client ECC Root CA 2021.
- Add HARICA Client RSA Root CA 2021.
- Add HARICA TLS ECC Root CA 2021.
- Add HARICA TLS RSA Root CA 2021.
- Add TunTrust Root CA certificate to NSS.
update to NSS 3.70
- Update test case to verify fix.
- Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
- Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
- Avoid using a lookup table in nssb64d.
- Use HW accelerated SHA2 on AArch64 Big Endian.
- Change default value of enableHelloDowngradeCheck to true.
- Cache additional PBE entries.
- Read HPKE vectors from official JSON.
Update to NSS 3.69.1
- Disable DTLS 1.0 and 1.1 by default
- integrity checks in key4.db not happening on private components with AES_CBC
NSS 3.69
- Disable DTLS 1.0 and 1.1 by default (backed out again)
- integrity checks in key4.db not happening on private components with AES_CBC (backed out again)
- SSL handling of signature algorithms ignores environmental invalid algorithms.
- sqlite 3.34 changed it's open semantics, causing nss failures.
- Gtest update changed the gtest reports, losing gtest details in all.sh reports.
- NSS incorrectly accepting 1536 bit DH primes in FIPS mode
- SQLite calls could timeout in starvation situations.
- Coverity/cpp scanner errors found in nss 3.67
- Import the NSS documentation from MDN in nss/doc.
- NSS using a tempdir to measure sql performance not active
- FIPS: scan LD_LIBRARY_PATH for external libraries to be checksummed.
- Run test suite at build time, and make it pass (bsc#1198486).
- Enable FIPS during test certificate creation and disables the library checksum
validation during same.
- FIPS: allow checksumming to be disabled, but only if we entered FIPS mode
due to NSS_FIPS being set, not if it came from /proc.
- FIPS: This makes the PBKDF known answer test compliant with NIST SP800-132.
- FIPS: update validation string to version-release format. (bsc#1192079).
- FIPS: remove XCBC MAC from list of FIPS approved algorithms.
- Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID
for build.
- FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080).
- FIPS: allow testing of unapproved algorithms (bsc#1192228).
- FIPS: adds FIPS version indicators. (bmo#1729550, bsc#1192086).
- FIPS: Add CSP clearing (bmo#1697303, bsc#1192087).
mozilla-nspr was updated to version 4.34:
* add an API that returns a preferred loopback IP on hosts that
have two IP stacks available.
update to 4.33:
* fixes to build system and export of private symbols
ModerateSUSE bug 1191546SUSE bug 1192079SUSE bug 1192080SUSE bug 1192086SUSE bug 1192087SUSE bug 1192228SUSE bug 1193170SUSE bug 1195040SUSE bug 1198486SUSE bug 1198980SUSE bug 1200325SUSE bug 1201298CVE-2021-43527 at SUSECVE-2021-43527 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for git (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for git fixes the following issues:
- CVE-2022-29187: Incomplete fix for CVE-2022-24765: potential command injection via git worktree (bsc#1201431).
- Allow to opt-out from the check added in the security fix for CVE-2022-24765 (bsc#1200119)
ImportantSUSE bug 1200119SUSE bug 1201431CVE-2022-29187 at SUSECVE-2022-29187 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_7_1-ibm fixes the following issues:
Update to Java 7.1 Service Refresh 5 Fix Pack 10 (bsc#1201643), including fixes for:
- CVE-2022-21476 (bsc#1198671), CVE-2022-21449 (bsc#1198670),
CVE-2022-21496 (bsc#1198673), CVE-2022-21434 (bsc#1198674),
CVE-2022-21426 (bsc#1198672), CVE-2022-21443 (bsc#1198675),
CVE-2021-35561 (bsc#1191912), CVE-2022-21299 (bsc#1194931).
ImportantSUSE bug 1191912SUSE bug 1194931SUSE bug 1198670SUSE bug 1198671SUSE bug 1198672SUSE bug 1198673SUSE bug 1198674SUSE bug 1198675SUSE bug 1201643CVE-2021-35561 at SUSECVE-2021-35561 at NVDCVE-2022-21299 at SUSECVE-2022-21299 at NVDCVE-2022-21426 at SUSECVE-2022-21426 at NVDCVE-2022-21434 at SUSECVE-2022-21434 at NVDCVE-2022-21443 at SUSECVE-2022-21443 at NVDCVE-2022-21449 at SUSECVE-2022-21449 at NVDCVE-2022-21476 at SUSECVE-2022-21476 at NVDCVE-2022-21496 at SUSECVE-2022-21496 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_8_0-ibm fixes the following issues:
Update to Java 8.0 Service Refresh 7 Fix Pack 10 (bsc#1201643), including fixes for:
- CVE-2022-21476 (bsc#1198671), CVE-2022-21449 (bsc#1198670),
CVE-2022-21496 (bsc#1198673), CVE-2022-21434 (bsc#1198674),
CVE-2022-21426 (bsc#1198672), CVE-2022-21443 (bsc#1198675),
CVE-2021-35561 (bsc#1191912), CVE-2022-21299 (bsc#1194931).
ImportantSUSE bug 1191912SUSE bug 1194931SUSE bug 1198670SUSE bug 1198671SUSE bug 1198672SUSE bug 1198673SUSE bug 1198674SUSE bug 1198675SUSE bug 1201643CVE-2021-35561 at SUSECVE-2021-35561 at NVDCVE-2022-21299 at SUSECVE-2022-21299 at NVDCVE-2022-21426 at SUSECVE-2022-21426 at NVDCVE-2022-21434 at SUSECVE-2022-21434 at NVDCVE-2022-21443 at SUSECVE-2022-21443 at NVDCVE-2022-21449 at SUSECVE-2022-21449 at NVDCVE-2022-21476 at SUSECVE-2022-21476 at NVDCVE-2022-21496 at SUSECVE-2022-21496 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for pcre2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for pcre2 fixes the following issues:
- CVE-2022-1587: Fixed out-of-bounds read due to bug in recursions (bsc#1199235).
ImportantSUSE bug 1199235CVE-2022-1587 at SUSECVE-2022-1587 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xen fixes the following issues:
- CVE-2022-26363, CVE-2022-26364: Fixed insufficient care with non-coherent mappings (XSA-402) (bsc#1199966).
- CVE-2022-21123, CVE-2022-21125, CVE-2022-21166: Fixed MMIO stale data vulnerabilities on x86 (XSA-404) (bsc#1200549).
- CVE-2022-26362: Fixed a race condition in typeref acquisition (XSA-401) (bsc#1199965).
- CVE-2022-33745: Fixed insufficient TLB flush for x86 PV guests in shadow mode (XSA-408) (bsc#1201394).
- CVE-2022-23816, CVE-2022-23825, CVE-2022-29900: Fixed RETBLEED vulnerability, arbitrary speculative code execution with return instructions (XSA-407) (bsc#1201469).
ImportantSUSE bug 1199965SUSE bug 1199966SUSE bug 1200549SUSE bug 1201394SUSE bug 1201469CVE-2022-21123 at SUSECVE-2022-21123 at NVDCVE-2022-21125 at SUSECVE-2022-21125 at NVDCVE-2022-21166 at SUSECVE-2022-21166 at NVDCVE-2022-23816 at SUSECVE-2022-23816 at NVDCVE-2022-23825 at SUSECVE-2022-23825 at NVDCVE-2022-26362 at SUSECVE-2022-26362 at NVDCVE-2022-26363 at SUSECVE-2022-26363 at NVDCVE-2022-26364 at SUSECVE-2022-26364 at NVDCVE-2022-29900 at SUSECVE-2022-29900 at NVDCVE-2022-33745 at SUSECVE-2022-33745 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for crash (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update of crash fixes the following issue:
- rebuild with new secure boot key due to grub2 boothole 3 issues (bsc#1198581)
ImportantSUSE bug 1198581cpe:/o:suse:sles-bcl:12:sp3Security update for samba (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for samba fixes the following issues:
- CVE-2022-32742: Fixed incorrect length check in SMB1write, SMB1write_and_close, SMB1write_and_unlock (bsc#1201496).
ModerateSUSE bug 1201496CVE-2022-32742 at SUSECVE-2022-32742 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.12.0 ESR (bsc#1201758):
- CVE-2022-36319: Mouse Position spoofing with CSS transforms
- CVE-2022-36318: Directory indexes for bundled resources reflected URL parameters
ImportantSUSE bug 1201758CVE-2022-36318 at SUSECVE-2022-36318 at NVDCVE-2022-36319 at SUSECVE-2022-36319 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for dovecot22 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for dovecot22 fixes the following issues:
- CVE-2022-30550: Fixed privilege escalation in dovecot when similar master and non-master passdbs are used (bsc#1201267).
ImportantSUSE bug 1201267CVE-2022-30550 at SUSECVE-2022-30550 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for qpdf (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for qpdf fixes the following issues:
- CVE-2022-34503: Fixed a heap buffer overflow via the function QPDF::processXRefStream (bsc#1201830).
- CVE-2021-36978: Fixed heap-based buffer overflow in Pl_ASCII85Decoder::write (bsc#1188514).
ImportantSUSE bug 1188514SUSE bug 1201830CVE-2021-36978 at SUSECVE-2021-36978 at NVDCVE-2022-34503 at SUSECVE-2022-34503 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for samba (Critical)SUSE Linux Enterprise Server 12 SP3-BCL
This update for samba fixes the following issues:
- CVE-2021-44142: Fixed out-of-Bound Read/Write on Samba vfs_fruit module. (bsc#1194859)
CriticalSUSE bug 1194859CVE-2021-44142 at SUSECVE-2021-44142 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for mokutil (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for mokutil fixes the following issues:
- Adds SBAT revocation support to mokutil. (bsc#1198458)
New options added (see manpage):
- mokutil --sbat
List all entries in SBAT.
- mokutil --set-sbat-policy (latest | previous | delete)
To set the SBAT acceptance policy.
- mokutil --list-sbat-revocations
To list the current SBAT revocations.
ModerateSUSE bug 1198458cpe:/o:suse:sles-bcl:12:sp3Security update for open-iscsi (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for open-iscsi fixes the following issues:
Fixed various vulnerabilities in the embedded TCP/IP stack (bsc#1179908):
- CVE-2020-13987: Fixed an out of bounds memory access when
calculating the checksums for IP packets.
- CVE-2020-13988: Fixed an integer overflow when parsing TCP MSS
options of IPv4 network packets.
- CVE-2020-17437: Fixed an out of bounds memory access when the TCP
urgent flag is set.
ImportantSUSE bug 1179908CVE-2020-13987 at SUSECVE-2020-13987 at NVDCVE-2020-13988 at SUSECVE-2020-13988 at NVDCVE-2020-17437 at SUSECVE-2020-17437 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_8_0-openjdk fixes the following issues:
- Updated to version jdk8u345 (icedtea-3.24.0)
- CVE-2022-21540: Fixed a potential Java sandbox bypass (bsc#1201694).
- CVE-2022-21541: Fixed a potential Java sandbox bypass (bsc#1201692).
- CVE-2022-34169: Fixed an issue where arbitrary bytecode could
be executed via a malicious stylesheet (bsc#1201684).
- Non-security fixes:
- Allowed for customization of PKCS12 keystores (bsc#1195163).
ImportantSUSE bug 1195163SUSE bug 1201684SUSE bug 1201692SUSE bug 1201694CVE-2022-21540 at SUSECVE-2022-21540 at NVDCVE-2022-21541 at SUSECVE-2022-21541 at NVDCVE-2022-34169 at SUSECVE-2022-34169 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for ucode-intel (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for ucode-intel fixes the following issues:
Updated to Intel CPU Microcode 20220809 release (bsc#1201727):
- CVE-2022-21233: Fixed an issue where stale data may have been leaked from the legacy xAPIC MMIO region, which could be used to compromise an SGX enclave (INTEL-SA-00657).
See also: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00657.html
Other fixes:
- Update for functional issues.
See also: https://www.intel.com/content/www/us/en/processors/xeon/scalable/xeon-scalable-spec-update.html?wapkw=processor+specification+update
- Updated Platforms:
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| SKX-SP | B1 | 06-55-03/97 | 0100015d | 0100015e | Xeon Scalable
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006d05 | 02006e05 | Xeon Scalable
| SKX-D | M1 | 06-55-04/b7 | 02006d05 | 02006e05 | Xeon D-21xx
| ICX-SP | D0 | 06-6a-06/87 | 0d000363 | 0d000375 | Xeon Scalable Gen3
| GLK | B0 | 06-7a-01/01 | 0000003a | 0000003c | Pentium Silver N/J5xxx, Celeron N/J4xxx
| GLK-R | R0 | 06-7a-08/01 | 0000001e | 00000020 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| ICL-U/Y | D1 | 06-7e-05/80 | 000000b0 | 000000b2 | Core Gen10 Mobile
| TGL-R | C0 | 06-8c-02/c2 | 00000026 | 00000028 | Core Gen11 Mobile
| TGL-H | R0 | 06-8d-01/c2 | 0000003e | 00000040 | Core Gen11 Mobile
| RKL-S | B0 | 06-a7-01/02 | 00000053 | 00000054 | Core Gen11
| ADL | C0 | 06-97-02/03 | 0000001f | 00000022 | Core Gen12
| ADL | C0 | 06-97-05/03 | 0000001f | 00000022 | Core Gen12
| ADL | L0 | 06-9a-03/80 | 0000041c | 00000421 | Core Gen12
| ADL | L0 | 06-9a-04/80 | 0000041c | 00000421 | Core Gen12
| ADL | C0 | 06-bf-02/03 | 0000001f | 00000022 | Core Gen12
| ADL | C0 | 06-bf-05/03 | 0000001f | 00000022 | Core Gen12
------------------------------------------------------------------
ModerateSUSE bug 1201727CVE-2022-21233 at SUSECVE-2022-21233 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-BCL
The SUSE Linux Enterprise 12 SP3 LTSS kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-15393: CVE-2020-15393: Fixed a memory leak in usbtest_disconnect (bnc#1173514).
- CVE-2020-36557: Fixed race condition between the VT_DISALLOCATE ioctl and closing/opening of ttys that could lead to a use-after-free (bnc#1201429).
- CVE-2020-36558: Fixed race condition involving VT_RESIZEX that could lead to a NULL pointer dereference and general protection fault (bnc#1200910).
- CVE-2021-33655: Fixed out of bounds write with ioctl FBIOPUT_VSCREENINFO (bnc#1201635).
- CVE-2021-33656: Fixed out of bounds write with ioctl PIO_FONT (bnc#1201636).
- CVE-2021-39713: Fixed a race condition in the network scheduling subsystem which could lead to a use-after-free. (bnc#1196973)
- CVE-2022-1462: Fixed an out-of-bounds read flaw in the TeleTYpe subsystem (bnc#1198829).
- CVE-2022-20166: Fixed possible out of bounds write due to sprintf unsafety that could cause local escalation of privilege (bnc#1200598).
- CVE-2022-2318: Fixed a use-after-free vulnerabilities in the timer handler in net/rose/rose_timer.c that allow attackers to crash the system without any privileges (bsc#1201251).
- CVE-2022-26365, CVE-2022-33740, CVE-2022-33741, CVE-2022-33742: Fixed multiple potential data leaks with Block and Network devices when using untrusted backends (bsc#1200762).
- CVE-2022-36946: Fixed incorrect packet truncation in nfqnl_mangle() that could lead to remote DoS (bnc#1201940).
The following non-security bugs were fixed:
- kvm: emulate: do not adjust size of fastop and setcc subroutines (bsc#1201930).
- kvm: emulate: Fix SETcc emulation function offsets with SLS (bsc#1201930).
ImportantSUSE bug 1173514SUSE bug 1196973SUSE bug 1198829SUSE bug 1200598SUSE bug 1200762SUSE bug 1200910SUSE bug 1201251SUSE bug 1201429SUSE bug 1201635SUSE bug 1201636SUSE bug 1201930SUSE bug 1201940CVE-2020-15393 at SUSECVE-2020-15393 at NVDCVE-2020-36557 at SUSECVE-2020-36557 at NVDCVE-2020-36558 at SUSECVE-2020-36558 at NVDCVE-2021-33655 at SUSECVE-2021-33655 at NVDCVE-2021-33656 at SUSECVE-2021-33656 at NVDCVE-2021-39713 at SUSECVE-2021-39713 at NVDCVE-2022-1462 at SUSECVE-2022-1462 at NVDCVE-2022-20166 at SUSECVE-2022-20166 at NVDCVE-2022-2318 at SUSECVE-2022-2318 at NVDCVE-2022-26365 at SUSECVE-2022-26365 at NVDCVE-2022-33740 at SUSECVE-2022-33740 at NVDCVE-2022-33741 at SUSECVE-2022-33741 at NVDCVE-2022-33742 at SUSECVE-2022-33742 at NVDCVE-2022-36946 at SUSECVE-2022-36946 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for zlib (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for zlib fixes the following issues:
- CVE-2022-37434: Fixed heap-based buffer over-read or buffer overflow via large gzip header extra field (bsc#1202175).
ImportantSUSE bug 1202175CVE-2022-37434 at SUSECVE-2022-37434 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for rsync (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for rsync fixes the following issues:
- CVE-2022-29154: Fixed an arbitrary file write issue that could be
triggered by a malicious remote server (bsc#1201840).
ImportantSUSE bug 1201840CVE-2022-29154 at SUSECVE-2022-29154 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for glibc (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for glibc fixes the following issues:
Security issues fixed:
- CVE-2015-5180: Fix crash with internal QTYPE in resolv (bsc#941234, BZ #18784)
- CVE-2016-10228: Rewrite iconv option parsing (bsc#1027496, BZ #19519)
- CVE-2019-25013: Fix buffer overrun in EUC-KR conversion module (bsc#1182117, BZ #24973)
- CVE-2020-27618: Accept redundant shift sequences in IBM1364 iconv module (bsc#1178386, BZ #26224)
- CVE-2020-29562: Fix incorrect UCS4 inner loop bounds in iconv (bsc#1179694, BZ #26923)
- CVE-2020-29573: Hardened printf against non-normal long double values (bsc#1179721, BZ #26649)
- CVE-2021-3326: Fix assertion failure in ISO-2022-JP-3 gconv module (bsc#1181505, BZ #27256)
- Recognize ppc64p7 arch to build for power7
ImportantSUSE bug 1027496SUSE bug 1178386SUSE bug 1179694SUSE bug 1179721SUSE bug 1181505SUSE bug 1182117SUSE bug 941234CVE-2015-5180 at SUSECVE-2015-5180 at NVDCVE-2016-10228 at SUSECVE-2016-10228 at NVDCVE-2019-25013 at SUSECVE-2019-25013 at NVDCVE-2020-27618 at SUSECVE-2020-27618 at NVDCVE-2020-29562 at SUSECVE-2020-29562 at NVDCVE-2020-29573 at SUSECVE-2020-29573 at NVDCVE-2021-3326 at SUSECVE-2021-3326 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_7_1-ibm fixes the following issues:
- Updated to Java 7.1 Service Refresh 5 Fix Pack 15 (bsc#1202427):
- CVE-2022-34169: Fixed an integer truncation issue in the Xalan
Java XSLT library that occurred when processing malicious
stylesheets (bsc#1201684).
- CVE-2022-21549: Fixed an issue that could lead to computing
negative random exponentials (bsc#1201685).
- CVE-2022-21541: Fixed a potential bypass of sandbox restrictions
in the Hotspot component (bsc#1201692).
- CVE-2022-21540: Fixed a potential bypass of sandbox restrictions
in the Hotspot component (bsc#1201694).
ImportantSUSE bug 1201684SUSE bug 1201685SUSE bug 1201692SUSE bug 1201694SUSE bug 1202427CVE-2022-21540 at SUSECVE-2022-21540 at NVDCVE-2022-21541 at SUSECVE-2022-21541 at NVDCVE-2022-21549 at SUSECVE-2022-21549 at NVDCVE-2022-34169 at SUSECVE-2022-34169 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 7 Fix Pack 11 (bsc#1202427):
- CVE-2022-34169: Fixed an integer truncation issue in the Xalan
Java XSLT library that occurred when processing malicious
stylesheets (bsc#1201684).
- CVE-2022-21549: Fixed an issue that could lead to computing
negative random exponentials (bsc#1201685).
- CVE-2022-21541: Fixed a potential bypass of sandbox restrictions
in the Hotspot component (bsc#1201692).
- CVE-2022-21540: Fixed a potential bypass of sandbox restrictions
in the Hotspot component (bsc#1201694).
ImportantSUSE bug 1201684SUSE bug 1201685SUSE bug 1201692SUSE bug 1201694SUSE bug 1202427CVE-2022-21540 at SUSECVE-2022-21540 at NVDCVE-2022-21541 at SUSECVE-2022-21541 at NVDCVE-2022-21549 at SUSECVE-2022-21549 at NVDCVE-2022-34169 at SUSECVE-2022-34169 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for bluez (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for bluez fixes the following issues:
- CVE-2019-8922: Fixed a buffer overflow in the implementation of the
Service Discovery Protocol (bsc#1193227).
ImportantSUSE bug 1193227CVE-2019-8922 at SUSECVE-2019-8922 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libcroco (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libcroco fixes the following issues:
- CVE-2020-12825: Fixed an uncontrolled recursion issue (bsc#1171685).
ImportantSUSE bug 1171685CVE-2020-12825 at SUSECVE-2020-12825 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for gstreamer-plugins-good (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for gstreamer-plugins-good fixes the following issues:
- CVE-2022-1920: Fixed integer overflow in WavPack header handling code (bsc#1201688).
- CVE-2022-1921: Fixed integer overflow resulting in heap corruption in avidemux element (bsc#1201693).
- CVE-2022-1922: Fixed integer overflows in mkv demuxing (bsc#1201702).
- CVE-2022-1923: Fixed integer overflows in mkv demuxing using bzip (bsc#1201704).
- CVE-2022-1924: Fixed integer overflows in mkv demuxing using lzo (bsc#1201706).
- CVE-2022-1925: Fixed integer overflows in mkv demuxing using HEADERSTRIP (bsc#1201707).
- CVE-2022-2122: Fixed integer overflows in qtdemux using zlib (bsc#1201708).
ImportantSUSE bug 1201688SUSE bug 1201693SUSE bug 1201702SUSE bug 1201704SUSE bug 1201706SUSE bug 1201707SUSE bug 1201708CVE-2022-1920 at SUSECVE-2022-1920 at NVDCVE-2022-1921 at SUSECVE-2022-1921 at NVDCVE-2022-1922 at SUSECVE-2022-1922 at NVDCVE-2022-1923 at SUSECVE-2022-1923 at NVDCVE-2022-1924 at SUSECVE-2022-1924 at NVDCVE-2022-1925 at SUSECVE-2022-1925 at NVDCVE-2022-2122 at SUSECVE-2022-2122 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for postgresql10 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for postgresql10 fixes the following issues:
- Upgrade to 10.22:
- CVE-2022-2625: Fixed an issue where extension scripts would replace objects not belonging to that extension (bsc#1202368).
ImportantSUSE bug 1202368CVE-2022-2625 at SUSECVE-2022-2625 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.36.5 (bsc#1201980):
- Add support for PAC proxy in the WebDriver implementation.
- Fix video playback when loaded through custom URIs, this fixes
video playback in the Yelp documentation browser.
- Fix WebKitWebView::context-menu when using GTK4.
- Fix LTO builds with GCC.
- Fix several crashes and rendering issues.
- Security fixes:
- CVE-2022-32792: Fixed processing maliciously crafted web content may lead to
arbitrary code execution.
- CVE-2022-32816: Fixed visiting a website that frames malicious content may lead to
UI spoofing.
ImportantSUSE bug 1201980CVE-2022-32792 at SUSECVE-2022-32792 at NVDCVE-2022-32816 at SUSECVE-2022-32816 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for open-vm-tools (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for open-vm-tools fixes the following issues:
- CVE-2022-31676: Fixed an issue that could allow unprivileged users
inside a virtual machine to escalate privileges (bsc#1202657).
ImportantSUSE bug 1202657CVE-2022-31676 at SUSECVE-2022-31676 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for net-snmp (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for net-snmp fixes the following issues:
- CVE-2020-15862: Make extended MIB read-only (bsc#1174961)
ImportantSUSE bug 1100146SUSE bug 1145864SUSE bug 1152968SUSE bug 1174961SUSE bug 1178021SUSE bug 1178351SUSE bug 1179009SUSE bug 1179699SUSE bug 1184839CVE-2020-15862 at SUSECVE-2020-15862 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for json-c (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for json-c fixes the following issues:
- CVE-2020-12762: Fixed an integer overflow that could lead to memory
corruption via a large JSON file (bsc#1171479).
Non-security fixes:
- Updated to version 0.12.1 (jsc#PED-1778).
ImportantSUSE bug 1171479CVE-2020-12762 at SUSECVE-2020-12762 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.13.0 ESR (bsc#1202645):
- CVE-2022-38472: Fixed a potential address bar spoofing via XSLT error handling.
- CVE-2022-38473: Fixed an issue where cross-origin XSLT documents could inherit the parent's permissions.
- CVE-2022-38478: Fixed various memory safety issues.
ImportantSUSE bug 1202645CVE-2022-38472 at SUSECVE-2022-38472 at NVDCVE-2022-38473 at SUSECVE-2022-38473 at NVDCVE-2022-38478 at SUSECVE-2022-38478 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libgda (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libgda fixes the following issues:
- CVE-2021-39359: Enabled TLS certificate verification (bsc#1189849).
ImportantSUSE bug 1189849CVE-2021-39359 at SUSECVE-2021-39359 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for webkit2gtk3 fixes the following issues:
- Updated to version 2.36.7 (bsc#1202807):
- CVE-2022-32893: Fixed an issue that would be triggered when
processing malicious web content and that could lead to arbitrary
code execution.
- Fixed several crashes and rendering issues.
- Updated to version 2.36.6:
- Fixed handling of touchpad scrolling on GTK4 builds
- Fixed WebKitGTK not allowing to be used from non-main threads
(bsc#1202169).
- Fixed several crashes and rendering issues
ImportantSUSE bug 1202169SUSE bug 1202807CVE-2022-32893 at SUSECVE-2022-32893 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for clamav (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for clamav fixes the following issues:
clamav was updated to 0.103.7 (bsc#1202986)
* Upgrade the vendored UnRAR library to version 6.1.7.
* Fix logical signature 'Intermediates' feature.
* Relax constraints on slightly malformed zip archives that
contain overlapping file entries.
ImportantSUSE bug 1202986cpe:/o:suse:sles-bcl:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_8_0-ibm fixes the following issues:
Note: the issues listed below were NOT fixed with the previous update (8.0-7.11).
- Update to Java 8.0 Service Refresh 7 Fix Pack 15 (bsc#1202427):
- CVE-2022-34169: Fixed an integer truncation issue in the Xalan
Java XSLT library that occurred when processing malicious
stylesheets (bsc#1201684).
- CVE-2022-21549: Fixed an issue that could lead to computing
negative random exponentials (bsc#1201685).
- CVE-2022-21541: Fixed a potential bypass of sandbox restrictions
in the Hotspot component (bsc#1201692).
- CVE-2022-21540: Fixed a potential bypass of sandbox restrictions
in the Hotspot component (bsc#1201694)..
ImportantSUSE bug 1201684SUSE bug 1201685SUSE bug 1201692SUSE bug 1201694SUSE bug 1202427CVE-2022-21540 at SUSECVE-2022-21540 at NVDCVE-2022-21541 at SUSECVE-2022-21541 at NVDCVE-2022-21549 at SUSECVE-2022-21549 at NVDCVE-2022-34169 at SUSECVE-2022-34169 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for udisks2 (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for udisks2 fixes the following issues:
- CVE-2021-3802: Fixed insecure defaults in user-accessible mount helpers (bsc#1190606).
- Fixed vulnerability that allowed mounting ext4 devices over existing entries in fstab (bsc#1098797).
ModerateSUSE bug 1098797SUSE bug 1190606CVE-2021-3802 at SUSECVE-2021-3802 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for postgresql12 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for postgresql12 fixes the following issues:
- Update to 12.12:
- CVE-2022-2625: Fixed an issue where extension scripts would replace objects not belonging to that extension (bsc#1202368).
ImportantSUSE bug 1198166SUSE bug 1202368CVE-2022-2625 at SUSECVE-2022-2625 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-BCL
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2022-39188: Fixed race condition in include/asm-generic/tlb.h where a device driver can free a page while it still has stale TLB entries (bnc#1203107).
- CVE-2022-36879: Fixed an issue in xfrm_expand_policies in net/xfrm/xfrm_policy.c where a refcount could be dropped twice (bnc#1201948).
- CVE-2022-3028: Fixed race condition that was found in the IP framework for transforming packets (XFRM subsystem) (bnc#1202898).
- CVE-2022-2991: Fixed an heap-based overflow in the lightnvm implemenation (bsc#1201420).
- CVE-2022-26373: Fixed non-transparent sharing of return predictor targets between contexts in some Intel Processors (bnc#1201726).
- CVE-2022-2588: Fixed use-after-free in cls_route (bsc#1202096).
- CVE-2022-21385: Fixed a flaw in net_rds_alloc_sgs() that allowed unprivileged local users to crash the machine (bnc#1202897).
- CVE-2022-20369: Fixed out of bounds write in v4l2_m2m_querybuf of v4l2-mem2mem.c (bnc#1202347).
- CVE-2022-20368: Fixed slab-out-of-bounds access in packet_recvmsg() (bsc#1202346).
- CVE-2020-36516: Fixed an issue in the mixed IPID assignment method where an attacker was able to inject data into or terminate a victim's TCP session (bnc#1196616).
- CVE-2019-3900: Fixed infinite loop the vhost_net kernel module that could result in a DoS scenario (bnc#1133374).
The following non-security bugs were fixed:
- net_sched: cls_route: Disallowed handle of 0 (bsc#1202393).
- mm, rmap: Fixed anon_vma->degree ambiguity leading to double-reuse (bsc#1203098).
- lightnvm: Removed lightnvm implemenation (bsc#1191881).
ImportantSUSE bug 1133374SUSE bug 1191881SUSE bug 1196616SUSE bug 1201420SUSE bug 1201726SUSE bug 1201948SUSE bug 1202096SUSE bug 1202346SUSE bug 1202347SUSE bug 1202393SUSE bug 1202897SUSE bug 1202898SUSE bug 1203098SUSE bug 1203107CVE-2019-3900 at SUSECVE-2019-3900 at NVDCVE-2020-36516 at SUSECVE-2020-36516 at NVDCVE-2022-20368 at SUSECVE-2022-20368 at NVDCVE-2022-20369 at SUSECVE-2022-20369 at NVDCVE-2022-21385 at SUSECVE-2022-21385 at NVDCVE-2022-2588 at SUSECVE-2022-2588 at NVDCVE-2022-26373 at SUSECVE-2022-26373 at NVDCVE-2022-2991 at SUSECVE-2022-2991 at NVDCVE-2022-3028 at SUSECVE-2022-3028 at NVDCVE-2022-36879 at SUSECVE-2022-36879 at NVDCVE-2022-39188 at SUSECVE-2022-39188 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for postgresql14 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for postgresql14 fixes the following issues:
- Upgrade to version 14.5:
- CVE-2022-2625: Fixed an issue where extension scripts would replace objects not belonging to that extension (bsc#1202368).
- Upgrade to version 14.4 (bsc#1200437)
- Release notes: https://www.postgresql.org/docs/release/14.4/
- Release announcement: https://www.postgresql.org/about/news/p-2470/
- Prevent possible corruption of indexes created or rebuilt with the CONCURRENTLY option (bsc#1200437)
- Pin to llvm13 until the next patchlevel update (bsc#1198166)
ImportantSUSE bug 1198166SUSE bug 1200437SUSE bug 1202368CVE-2022-2625 at SUSECVE-2022-2625 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
Mozilla Firefox was updated to 102.2.0esr ESR:
* Fixed: Various stability, functionality, and security fixes.
- MFSA 2022-34 (bsc#1202645)
* CVE-2022-38472 (bmo#1769155)
Address bar spoofing via XSLT error handling
* CVE-2022-38473 (bmo#1771685)
Cross-origin XSLT Documents would have inherited the parent's
permissions
* CVE-2022-38476 (bmo#1760998)
Data race and potential use-after-free in PK11_ChangePW
* CVE-2022-38477 (bmo#1760611, bmo#1770219, bmo#1771159,
bmo#1773363)
Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2
* CVE-2022-38478 (bmo#1770630, bmo#1776658)
Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2,
and Firefox ESR 91.13
Firefox Extended Support Release 102.1 ESR
* Fixed: Various stability, functionality, and security fixes.
- MFSA 2022-30 (bsc#1201758)
* CVE-2022-36319 (bmo#1737722)
Mouse Position spoofing with CSS transforms
* CVE-2022-36318 (bmo#1771774)
Directory indexes for bundled resources reflected URL
parameters
* CVE-2022-36314 (bmo#1773894)
Opening local <code>.lnk</code> files could cause unexpected
network loads
* CVE-2022-2505 (bmo#1769739, bmo#1772824)
Memory safety bugs fixed in Firefox 103 and 102.1
- Firefox Extended Support Release 102.0.1 ESR
* Fixed: Fixed bookmark shortcut creation by dragging to
Windows File Explorer and dropping partially broken
(bmo#1774683)
* Fixed: Fixed bookmarks sidebar flashing white when opened in
dark mode (bmo#1776157)
* Fixed: Fixed multilingual spell checking not working with
content in both English and a non-Latin alphabet
(bmo#1773802)
* Fixed: Developer tools: Fixed an issue where the console
output keep getting scrolled to the bottom when the last
visible message is an evaluation result (bmo#1776262)
* Fixed: Fixed *Delete cookies and site data when Firefox is
closed* checkbox getting disabled on startup (bmo#1777419)
* Fixed: Various stability fixes
Firefox 102.0 ESR:
* New:
- We now provide more secure connections: Firefox can
now automatically upgrade to HTTPS using HTTPS RR as Alt-Svc
headers.
- For added viewing pleasure, full-range color levels are now
supported for video playback on many systems.
- Find it easier now! Mac users can now access the macOS
share options from the Firefox File menu.
- Voil?! Support for images containing ICC v4 profiles is
enabled on macOS.
- Firefox now supports the new AVIF image format, which is
based on the modern and royalty-free AV1 video codec. It
offers significant bandwidth savings for sites compared to
existing image formats. It also supports transparency and
other advanced features.
- Firefox PDF viewer now supports filling more forms (e.g.,
XFA-based forms, used by multiple governments and banks).
Learn more.
- When available system memory is critically low, Firefox on
Windows will automatically unload tabs based on their last
access time, memory usage, and other attributes. This helps
to reduce Firefox out-of-memory crashes. Forgot something?
Switching to an unloaded tab automatically reloads it.
- To prevent session loss for macOS users who are running
Firefox from a mounted .dmg file, they’ll now be prompted to
finish installation. Bear in mind, this permission prompt
only appears the first time these users run Firefox on their
computer.
- For your safety, Firefox now blocks downloads that rely on
insecure connections, protecting against potentially
malicious or unsafe downloads. Learn more and see where to
find downloads in Firefox.
- Improved web compatibility for privacy protections with
SmartBlock 3.0: In Private Browsing and Strict Tracking
Protection, Firefox goes to great lengths to protect your web
browsing activity from trackers. As part of this, the built-
in content blocking will automatically block third-party
scripts, images, and other content from being loaded from
cross-site tracking companies reported by Disconnect. Learn
more.
- Introducing a new referrer tracking protection in Strict
Tracking Protection and Private Browsing. This feature
prevents sites from unknowingly leaking private information
to trackers. Learn more.
- Introducing Firefox Suggest, a feature that provides
website suggestions as you type into the address bar. Learn
more about this faster way to navigate the web and locale-
specific features.
- Firefox macOS now uses Apple's low-power mode for
fullscreen video on sites such as YouTube and Twitch. This
meaningfully extends battery life in long viewing sessions.
Now your kids can find out what the fox says on a loop
without you ever missing a beat…
- With this release, power users can use about:unloads to
release system resources by manually unloading tabs without
closing them.
- On Windows, there will now be fewer interruptions because
Firefox won’t prompt you for updates. Instead, a background
agent will download and install updates even if Firefox is
closed.
- On Linux, we’ve improved WebGL performance and reduced
power consumption for many users.
- To better protect all Firefox users against side-channel
attacks, such as Spectre, we introduced Site Isolation.
- Firefox no longer warns you by default when you exit the
browser or close a window using a menu, button, or three-key
command. This should cut back on unwelcome notifications,
which is always nice—however, if you prefer a bit of notice,
you’ll still have full control over the quit/close modal
behavior. All warnings can be managed within Firefox
Settings. No worries! More details here.
- Firefox supports the new Snap Layouts menus when running on
Windows 11.
- RLBox—a new technology that hardens Firefox against
potential security vulnerabilities in third-party
libraries—is now enabled on all platforms.
- We’ve reduced CPU usage on macOS in Firefox and
WindowServer during event processing.
- We’ve also reduced the power usage of software decoded
video on macOS, especially in fullscreen. This includes
streaming sites such as Netflix and Amazon Prime Video.
- You can now move the Picture-in-Picture toggle button to
the opposite side of the video. Simply look for the new
context menu option Move Picture-in-Picture Toggle to Left
(Right) Side.
- We’ve made significant improvements in noise suppression
and auto-gain-control, as well as slight improvements in
echo-cancellation to provide you with a better overall
experience.
- We’ve also significantly reduced main-thread load.
- When printing, you can now choose to print only the
odd/even pages.
- Firefox now supports and displays the new style of
scrollbars on Windows 11.
- Firefox has a new optimized download flow. Instead of
prompting every time, files will download automatically.
However, they can still be opened from the downloads panel
with just one click. Easy! More information
- Firefox no longer asks what to do for each file by default.
You won’t be prompted to choose a helper application or save
to disk before downloading a file unless you have changed
your download action setting for that type of file.
- Any files you download will be immediately saved on your
disk. Depending on the current configuration, they’ll be
saved in your preferred download folder, or you’ll be asked
to select a location for each download. Windows and Linux
users will find their downloaded files in the destination
folder. They’ll no longer be put in the Temp folder.
- Firefox allows users to choose from a number of built-in
search engines to set as their default. In this release, some
users who had previously configured a default engine might
notice their default search engine has changed since Mozilla
was unable to secure formal permission to continue including
certain search engines in Firefox.
- You can now toggle Narrate in ReaderMode with the keyboard
shortcut 'n.'
- You can find added support for search—with or without
diacritics—in the PDF viewer.
- The Linux sandbox has been strengthened: processes exposed
to web content no longer have access to the X Window system
(X11).
- Firefox now supports credit card autofill and capture in
Germany, France, and the United Kingdom.
- We now support captions/subtitles display on YouTube, Prime
Video, and Netflix videos you watch in Picture-in-Picture.
Just turn on the subtitles on the in-page video player, and
they will appear in PiP.
- Picture-in-Picture now also supports video captions on
websites that use Web Video Text Track (WebVTT) format (e.g.,
Coursera.org, Canadian Broadcasting Corporation, and many
more).
- On the first run after install, Firefox detects when its
language does not match the operating system language and
offers the user a choice between the two languages.
- Firefox spell checking now checks spelling in multiple
languages. To enable additional languages, select them in the
text field’s context menu.
- HDR video is now supported in Firefox on Mac—starting with
YouTube! Firefox users on macOS 11+ (with HDR-compatible
screens) can enjoy higher-fidelity video content. No need to
manually flip any preferences to turn HDR video support
on—just make sure battery preferences are NOT set to
“optimize video streaming while on battery”.
- Hardware-accelerated AV1 video decoding is enabled on
Windows with supported GPUs (Intel Gen 11+, AMD RDNA 2
Excluding Navi 24, GeForce 30). Installing the AV1 Video
Extension from the Microsoft Store may also be required.
- Video overlay is enabled on Windows for Intel GPUs,
reducing power usage during video playback.
- Improved fairness between painting and handling other
events. This noticeably improves the performance of the
volume slider on Twitch.
- Scrollbars on Linux and Windows 11 won't take space by
default. On Linux, users can change this in Settings. On
Windows, Firefox follows the system setting (System Settings
> Accessibility > Visual Effects > Always show scrollbars).
- Firefox now ignores less restricted referrer
policies—including unsafe-url, no-referrer-when-downgrade,
and origin-when-cross-origin—for cross-site
subresource/iframe requests to prevent privacy leaks from the
referrer.
- Reading is now easier with the prefers-contrast media
query, which allows sites to detect if the user has requested
that web content is presented with a higher (or lower)
contrast.
- All non-configured MIME types can now be assigned a custom
action upon download completion.
- Firefox now allows users to use as many microphones as they
want, at the same time, during video conferencing. The most
exciting benefit is that you can easily switch your
microphones at any time (if your conferencing service
provider enables this flexibility).
- Print preview has been updated.
* Fixed: Various security fixes.
- MFSA 2022-24 (bsc#1200793)
* CVE-2022-34479 (bmo#1745595)
A popup window could be resized in a way to overlay the
address bar with web content
* CVE-2022-34470 (bmo#1765951)
Use-after-free in nsSHistory
* CVE-2022-34468 (bmo#1768537)
CSP sandbox header without `allow-scripts` can be bypassed
via retargeted javascript: URI
* CVE-2022-34482 (bmo#845880)
Drag and drop of malicious image could have led to malicious
executable and potential code execution
* CVE-2022-34483 (bmo#1335845)
Drag and drop of malicious image could have led to malicious
executable and potential code execution
* CVE-2022-34476 (bmo#1387919)
ASN.1 parser could have been tricked into accepting malformed
ASN.1
* CVE-2022-34481 (bmo#1483699, bmo#1497246)
Potential integer overflow in ReplaceElementsAt
* CVE-2022-34474 (bmo#1677138)
Sandboxed iframes could redirect to external schemes
* CVE-2022-34469 (bmo#1721220)
TLS certificate errors on HSTS-protected domains could be
bypassed by the user on Firefox for Android
* CVE-2022-34471 (bmo#1766047)
Compromised server could trick a browser into an addon
downgrade
* CVE-2022-34472 (bmo#1770123)
Unavailable PAC file resulted in OCSP requests being blocked
* CVE-2022-34478 (bmo#1773717)
Microsoft protocols can be attacked if a user accepts a
prompt
* CVE-2022-2200 (bmo#1771381)
Undesired attributes could be set as part of prototype
pollution
* CVE-2022-34480 (bmo#1454072)
Free of uninitialized pointer in lg_init
* CVE-2022-34477 (bmo#1731614)
MediaError message property leaked information on cross-
origin same-site pages
* CVE-2022-34475 (bmo#1757210)
HTML Sanitizer could have been bypassed via same-origin
script via use tags
* CVE-2022-34473 (bmo#1770888)
HTML Sanitizer could have been bypassed via use tags
* CVE-2022-34484 (bmo#1763634, bmo#1772651)
Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11
* CVE-2022-34485 (bmo#1768409, bmo#1768578)
Memory safety bugs fixed in Firefox 102
ImportantSUSE bug 1200793SUSE bug 1201758SUSE bug 1202645CVE-2022-2200 at SUSECVE-2022-2200 at NVDCVE-2022-2505 at SUSECVE-2022-2505 at NVDCVE-2022-34468 at SUSECVE-2022-34468 at NVDCVE-2022-34469 at SUSECVE-2022-34469 at NVDCVE-2022-34470 at SUSECVE-2022-34470 at NVDCVE-2022-34471 at SUSECVE-2022-34471 at NVDCVE-2022-34472 at SUSECVE-2022-34472 at NVDCVE-2022-34473 at SUSECVE-2022-34473 at NVDCVE-2022-34474 at SUSECVE-2022-34474 at NVDCVE-2022-34475 at SUSECVE-2022-34475 at NVDCVE-2022-34476 at SUSECVE-2022-34476 at NVDCVE-2022-34477 at SUSECVE-2022-34477 at NVDCVE-2022-34478 at SUSECVE-2022-34478 at NVDCVE-2022-34479 at SUSECVE-2022-34479 at NVDCVE-2022-34480 at SUSECVE-2022-34480 at NVDCVE-2022-34481 at SUSECVE-2022-34481 at NVDCVE-2022-34482 at SUSECVE-2022-34482 at NVDCVE-2022-34483 at SUSECVE-2022-34483 at NVDCVE-2022-34484 at SUSECVE-2022-34484 at NVDCVE-2022-34485 at SUSECVE-2022-34485 at NVDCVE-2022-36314 at SUSECVE-2022-36314 at NVDCVE-2022-36318 at SUSECVE-2022-36318 at NVDCVE-2022-36319 at SUSECVE-2022-36319 at NVDCVE-2022-38472 at SUSECVE-2022-38472 at NVDCVE-2022-38473 at SUSECVE-2022-38473 at NVDCVE-2022-38476 at SUSECVE-2022-38476 at NVDCVE-2022-38477 at SUSECVE-2022-38477 at NVDCVE-2022-38478 at SUSECVE-2022-38478 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libsndfile (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libsndfile fixes the following issues:
- CVE-2021-4156: Fixed heap buffer overflow in flac_buffer_copy that
could potentially lead to heap exploitation (bsc#1194006).
ImportantSUSE bug 1194006CVE-2021-4156 at SUSECVE-2021-4156 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for sqlite3 (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for sqlite3 fixes the following issues:
Security issues fixed:
- CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783).
- CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802).
- Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773).
sqlite3 was update to 3.39.3:
* Use a statement journal on DML statement affecting two or more
database rows if the statement makes use of a SQL functions
that might abort.
* Use a mutex to protect the PRAGMA temp_store_directory and
PRAGMA data_store_directory statements, even though they are
decremented and documented as not being threadsafe.
Update to 3.39.2:
* Fix a performance regression in the query planner associated
with rearranging the order of FROM clause terms in the
presences of a LEFT JOIN.
* Apply fixes for CVE-2022-35737, Chromium bugs 1343348 and
1345947, forum post 3607259d3c, and other minor problems
discovered by internal testing. [boo#1201783]
Update to 3.39.1:
* Fix an incorrect result from a query that uses a view that
contains a compound SELECT in which only one arm contains a
RIGHT JOIN and where the view is not the first FROM clause term
of the query that contains the view
* Fix a long-standing problem with ALTER TABLE RENAME that can
only arise if the sqlite3_limit(SQLITE_LIMIT_SQL_LENGTH) is set
to a very small value.
* Fix a long-standing problem in FTS3 that can only arise when
compiled with the SQLITE_ENABLE_FTS3_PARENTHESIS compile-time
option.
* Fix the initial-prefix optimization for the REGEXP extension so
that it works correctly even if the prefix contains characters
that require a 3-byte UTF8 encoding.
* Enhance the sqlite_stmt virtual table so that it buffers all of
its output.
Update to 3.39.0:
* Add (long overdue) support for RIGHT and FULL OUTER JOIN
* Add new binary comparison operators IS NOT DISTINCT FROM and
IS DISTINCT FROM that are equivalent to IS and IS NOT,
respective, for compatibility with PostgreSQL and SQL standards
* Add a new return code (value '3') from the sqlite3_vtab_distinct()
interface that indicates a query that has both DISTINCT and
ORDER BY clauses
* Added the sqlite3_db_name() interface
* The unix os interface resolves all symbolic links in database
filenames to create a canonical name for the database before
the file is opened
* Defer materializing views until the materialization is actually
needed, thus avoiding unnecessary work if the materialization
turns out to never be used
* The HAVING clause of a SELECT statement is now allowed on any
aggregate query, even queries that do not have a GROUP BY
clause
* Many microoptimizations collectively reduce CPU cycles by about
2.3%.
Update to 3.38.5:
* Fix a blunder in the CLI of the 3.38.4 release
Update to 3.38.4:
* fix a byte-code problem in the Bloom filter pull-down
optimization added by release 3.38.0 in which an error in the
byte code causes the byte code engine to enter an infinite loop
when the pull-down optimization encounters a NULL key
Update to 3.38.3:
* Fix a case of the query planner be overly aggressive with
optimizing automatic-index and Bloom-filter construction,
using inappropriate ON clause terms to restrict the size of the
automatic-index or Bloom filter, and resulting in missing rows
in the output.
* Other minor patches. See the timeline for details.
Update to 3.38.2:
* Fix a problem with the Bloom filter optimization that might
cause an incorrect answer when doing a LEFT JOIN with a WHERE
clause constraint that says that one of the columns on the
right table of the LEFT JOIN is NULL.
* Other minor patches.
- Package the Tcl bindings here again so that we only ship one copy
of SQLite (bsc#1195773).
Update to 3.38.1:
* Fix problems with the new Bloom filter optimization that might
cause some obscure queries to get an incorrect answer.
* Fix the localtime modifier of the date and time functions so
that it preserves fractional seconds.
* Fix the sqlite_offset SQL function so that it works correctly
even in corner cases such as when the argument is a virtual
column or the column of a view.
* Fix row value IN operator constraints on virtual tables so that
they work correctly even if the virtual table implementation
relies on bytecode to filter rows that do not satisfy the
constraint.
* Other minor fixes to assert() statements, test cases, and
documentation. See the source code timeline for details.
Update to 3.38.0
* Add the -> and ->> operators for easier processing of JSON
* The JSON functions are now built-ins
* Enhancements to date and time functions
* Rename the printf() SQL function to format() for better
compatibility, with alias for backwards compatibility.
* Add the sqlite3_error_offset() interface for helping localize
an SQL error to a specific character in the input SQL text
* Enhance the interface to virtual tables
* CLI columnar output modes are enhanced to correctly handle tabs
and newlines embedded in text, and add options like '--wrap N',
'--wordwrap on', and '--quote' to the columnar output modes.
* Query planner enhancements using a Bloom filter to speed up
large analytic queries, and a balanced merge tree to evaluate
UNION or UNION ALL compound SELECT statements that have an
ORDER BY clause.
* The ALTER TABLE statement is changed to silently ignores
entries in the sqlite_schema table that do not parse when
PRAGMA writable_schema=ON
Update to 3.37.2:
* Fix a bug introduced in version 3.35.0 (2021-03-12) that can
cause database corruption if a SAVEPOINT is rolled back while
in PRAGMA temp_store=MEMORY mode, and other changes are made,
and then the outer transaction commits
* Fix a long-standing problem with ON DELETE CASCADE and ON
UPDATE CASCADE in which a cache of the bytecode used to
implement the cascading change was not being reset following a
local DDL change
Update to 3.37.1:
* Fix a bug introduced by the UPSERT enhancements of version
3.35.0 that can cause incorrect byte-code to be generated for
some obscure but valid SQL, possibly resulting in a NULL-
pointer dereference.
* Fix an OOB read that can occur in FTS5 when reading corrupt
database files.
* Improved robustness of the --safe option in the CLI.
* Other minor fixes to assert() statements and test cases.
Update to 3.37.0:
* STRICT tables provide a prescriptive style of data type
management, for developers who prefer that kind of thing.
* When adding columns that contain a CHECK constraint or a
generated column containing a NOT NULL constraint, the
ALTER TABLE ADD COLUMN now checks new constraints against
preexisting rows in the database and will only proceed if no
constraints are violated.
* Added the PRAGMA table_list statement.
* Add the .connection command, allowing the CLI to keep multiple
database connections open at the same time.
* Add the --safe command-line option that disables dot-commands
and SQL statements that might cause side-effects that extend
beyond the single database file named on the command-line.
* CLI: Performance improvements when reading SQL statements that
span many lines.
* Added the sqlite3_autovacuum_pages() interface.
* The sqlite3_deserialize() does not and has never worked
for the TEMP database. That limitation is now noted in the
documentation.
* The query planner now omits ORDER BY clauses on subqueries and
views if removing those clauses does not change the semantics
of the query.
* The generate_series table-valued function extension is modified
so that the first parameter ('START') is now required. This is
done as a way to demonstrate how to write table-valued
functions with required parameters. The legacy behavior is
available using the -DZERO_ARGUMENT_GENERATE_SERIES
compile-time option.
* Added new sqlite3_changes64() and sqlite3_total_changes64()
interfaces.
* Added the SQLITE_OPEN_EXRESCODE flag option to sqlite3_open_v2().
* Use less memory to hold the database schema.
* bsc#1189802, CVE-2021-36690: Fix an issue with the SQLite Expert
extension when a column has no collating sequence.
ModerateSUSE bug 1189802SUSE bug 1195773SUSE bug 1201783CVE-2021-36690 at SUSECVE-2021-36690 at NVDCVE-2022-35737 at SUSECVE-2022-35737 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
Mozilla Firefox was updated from 102.2.0esr to 102.3.0esr (bsc#1203477):
- CVE-2022-40959: Fixed bypassing FeaturePolicy restrictions on transient pages.
- CVE-2022-40960: Fixed data-race when parsing non-UTF-8 URLs in threads.
- CVE-2022-40958: Fixed bypassing secure context restriction for cookies with __Host and __Secure prefix.
- CVE-2022-40956: Fixed content-security-policy base-uri bypass.
- CVE-2022-40957: Fixed incoherent instruction cache when building WASM on ARM64.
- CVE-2022-40962: Fixed memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3.
ImportantSUSE bug 1203477CVE-2022-40956 at SUSECVE-2022-40956 at NVDCVE-2022-40957 at SUSECVE-2022-40957 at NVDCVE-2022-40958 at SUSECVE-2022-40958 at NVDCVE-2022-40959 at SUSECVE-2022-40959 at NVDCVE-2022-40960 at SUSECVE-2022-40960 at NVDCVE-2022-40962 at SUSECVE-2022-40962 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for expat (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for expat fixes the following issues:
- CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438).
ImportantSUSE bug 1203438CVE-2022-40674 at SUSECVE-2022-40674 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for krb5-appl (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for krb5-appl fixes the following issues:
- CVE-2022-39028: Fixed NULL pointer dereference in krb5-appl telnetd (bsc#1203759).
ImportantSUSE bug 1203759CVE-2022-39028 at SUSECVE-2022-39028 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for webkit2gtk3 fixes the following issues:
Updated to version 2.36.8 (bsc#1203530):
- CVE-2022-32886: Fixed a buffer overflow issue that could potentially lead to code execution.
- CVE-2022-32912: Fixed an out-of-bounds read that could potentially lead to code execution.
ImportantSUSE bug 1203530CVE-2022-32886 at SUSECVE-2022-32886 at NVDCVE-2022-32912 at SUSECVE-2022-32912 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for bind (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for bind fixes the following issues:
- CVE-2022-2795: Fixed potential performance degredation due to missing database lookup limits when processing large delegations (bsc#1203614).
- CVE-2022-38177: Fixed a memory leak that could be externally triggered in the DNSSEC verification code for the ECDSA algorithm (bsc#1203619).
ImportantSUSE bug 1203614SUSE bug 1203619CVE-2022-2795 at SUSECVE-2022-2795 at NVDCVE-2022-38177 at SUSECVE-2022-38177 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python3 fixes the following issues:
- CVE-2021-28861: Fixed an open redirection vulnerability in the HTTP server when an URI path starts with // (bsc#1202624).
ImportantSUSE bug 1202624CVE-2021-28861 at SUSECVE-2021-28861 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for squid (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for squid fixes the following issues:
- CVE-2022-41317: Fixed exposure of sensitive information in cache manager (bsc#1203677).
- CVE-2022-41318: Fixed buffer overread in SSPI and SMB Authentication (bsc#1203680).
ImportantSUSE bug 1203677SUSE bug 1203680CVE-2022-41317 at SUSECVE-2022-41317 at NVDCVE-2022-41318 at SUSECVE-2022-41318 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for postgresql-jdbc (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for postgresql-jdbc fixes the following issues:
- CVE-2022-31197: Fixed SQL injection vulnerability (bsc#1202170).
ImportantSUSE bug 1202170CVE-2022-31197 at SUSECVE-2022-31197 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for clamav (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for clamav fixes the following issues:
- CVE-2022-20698: Fixed invalid pointer read allowing denial of service crash. (bsc#1194731)
ImportantSUSE bug 1194731CVE-2022-20698 at SUSECVE-2022-20698 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xen fixes the following issues:
- CVE-2022-23034: Fixed possible DoS by a PV guest Xen while unmapping a grant. (XSA-394) (bsc#1194581)
- CVE-2022-23035: Fixed insufficient cleanup of passed-through device IRQs. (XSA-395) (bsc#1194588)
ImportantSUSE bug 1194581SUSE bug 1194588CVE-2022-23034 at SUSECVE-2022-23034 at NVDCVE-2022-23035 at SUSECVE-2022-23035 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-BCL
The SUSE Linux Enterprise 12 SP3 kernel was updated.
The following security bugs were fixed:
- CVE-2022-3303: Fixed a race condition in the sound subsystem due to improper locking (bnc#1203769).
- CVE-2022-41218: Fixed an use-after-free caused by refcount races in drivers/media/dvb-core/dmxdev.c (bnc#1202960).
- CVE-2022-3239: Fixed an use-after-free in the video4linux driver that could lead a local user to able to crash the system or escalate their privileges (bnc#1203552).
- CVE-2022-2503: Fixed a vulnerability that allowed root to bypass LoadPin and load untrusted and unverified kernel modules and firmware (bnc#1202677).
The following non-security bugs were fixed:
- x86/bugs: Reenable retbleed=off While for older kernels the return thunks are statically built in and cannot be dynamically patched out, retbleed=off should still be possible to do so that the mitigation can still be disabled on Intel who do not use the return thunks but IBRS.
ImportantSUSE bug 1202677SUSE bug 1202960SUSE bug 1203552SUSE bug 1203769CVE-2022-2503 at SUSECVE-2022-2503 at NVDCVE-2022-3239 at SUSECVE-2022-3239 at NVDCVE-2022-3303 at SUSECVE-2022-3303 at NVDCVE-2022-41218 at SUSECVE-2022-41218 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-BCL
The SUSE Linux Enterprise 12 SP3 LTSS kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2018-25020: Fixed an overflow in the BPF subsystem due to a mishandling of a long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions. This affects kernel/bpf/core.c and net/core/filter.c (bnc#1193575).
- CVE-2019-0136: Fixed insufficient access control in the Intel(R) PROSet/Wireless WiFi Software driver that may have allowed an unauthenticated user to potentially enable denial of service via adjacent access (bnc#1193157).
- CVE-2020-35519: Fixed out-of-bounds memory access in x25_bind in net/x25/af_x25.c. A bounds check failure allowed a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information (bnc#1183696).
- CVE-2021-0935: Fixed possible out of bounds write in ip6_xmit of ip6_output.c due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1192032).
- CVE-2021-28711: Fixed issue with xen/blkfront to harden blkfront against event channel storms (XSA-391) (bsc#1193440).
- CVE-2021-28712: Fixed issue with xen/netfront to harden netfront against event channel storms (XSA-391) (bsc#1193440).
- CVE-2021-28713: Fixed issue with xen/console to harden hvc_xen against event channel storms (XSA-391) (bsc#1193440).
- CVE-2021-28715: Fixed issue with xen/netback to do not queue unlimited number of packages (XSA-392) (bsc#1193442).
- CVE-2021-33098: Fixed improper input validation in the Intel(R) Ethernet ixgbe driver that may have allowed an authenticated user to potentially cause denial of service via local access (bnc#1192877).
- CVE-2021-3564: Fixed double-free memory corruption in the Linux kernel HCI device initialization subsystem that could have been used by attaching malicious HCI TTY Bluetooth devices. A local user could use this flaw to crash the system (bnc#1186207).
- CVE-2021-39648: Fixed possible disclosure of kernel heap memory due to a race condition in gadget_dev_desc_UDC_show of configfs.c. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation (bnc#1193861).
- CVE-2021-39657: Fixed out of bounds read due to a missing bounds check in ufshcd_eh_device_reset_handler of ufshcd.c. This could lead to local information disclosure with System execution privileges needed (bnc#1193864).
- CVE-2021-4002: Fixed incorrect TLBs flush in hugetlbfs after huge_pmd_unshare (bsc#1192946).
- CVE-2021-4083: Fixed a read-after-free memory flaw inside the garbage collection for Unix domain socket file handlers when users call close() and fget() simultaneouslyand can potentially trigger a race condition (bnc#1193727).
- CVE-2021-4149: Fixed btrfs unlock newly allocated extent buffer after error (bsc#1194001).
- CVE-2021-4155: Fixed XFS map issue when unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like fallocate (bsc#1194272).
- CVE-2021-4197: Use cgroup open-time credentials for process migraton perm checks (bsc#1194302).
- CVE-2021-4202: Fixed NFC race condition by adding NCI_UNREG flag (bsc#1194529).
- CVE-2021-43976: Fixed insufficient access control in drivers/net/wireless/marvell/mwifiex/usb.c that allowed an attacker who connect a crafted USB device to cause denial of service (bnc#1192847).
- CVE-2021-45095: Fixed refcount leak in pep_sock_accept in net/phonet/pep.c (bnc#1193867).
- CVE-2021-45485: Fixed information leak in the IPv6 implementation in net/ipv6/output_core.c (bnc#1194094).
- CVE-2021-45486: Fixed information leak inside the IPv4 implementation caused by very small hash table (bnc#1194087).
- CVE-2022-0330: Fixed flush TLBs before releasing backing store (bsc#1194880).
The following non-security bugs were fixed:
- fget: clarify and improve __fget_files() implementation (bsc#1193727).
- hv_netvsc: Fix the queue_mapping in netvsc_vf_xmit() (bsc#1193507).
- hv_netvsc: Set needed_headroom according to VF (bsc#1193507).
- kprobes: Limit max data_size of the kretprobe instances (bsc#1193669).
- memstick: rtsx_usb_ms: fix UAF
- moxart: fix potential use-after-free on remove path (bsc1194516).
- net/x25: fix a race in x25_bind() (networking-stable-19_03_15).
- net: mana: Add RX fencing (bsc#1193507).
- net: mana: Allow setting the number of queues while the NIC is down (bsc#1193507).
- net: mana: Fix spelling mistake 'calledd' -> 'called' (bsc#1193507).
- net: mana: Fix the netdev_err()'s vPort argument in mana_init_port() (bsc#1193507).
- net: mana: Improve the HWC error handling (bsc#1193507).
- net: mana: Support hibernation and kexec (bsc#1193507).
- net: mana: Use kcalloc() instead of kzalloc() (bsc#1193507).
- recordmcount.pl: fix typo in s390 mcount regex (bsc#1192267).
- recordmcount.pl: look for jgnop instruction as well as bcrl on s390 (bsc#1192267).
- ring-buffer: Protect ring_buffer_reset() from reentrancy (bsc#1179960).
- tty: hvc: replace BUG_ON() with negative return value (git-fixes).
- xen-netfront: do not assume sk_buff_head list is empty in error handling (git-fixes).
- xen-netfront: do not use ~0U as error return value for xennet_fill_frags() (git-fixes).
- xen/blkfront: do not take local copy of a request from the ring page (git-fixes).
- xen/blkfront: do not trust the backend response data blindly (git-fixes).
- xen/blkfront: read response from backend only once (git-fixes).
- xen/netfront: disentangle tx_skb_freelist (git-fixes).
- xen/netfront: do not bug in case of too many frags (bnc#1012382).
- xen/netfront: do not cache skb_shinfo() (bnc#1012382).
- xen/netfront: do not read data from request on the ring page (git-fixes).
- xen/netfront: do not trust the backend response data blindly (git-fixes).
- xen/netfront: read response from backend only once (git-fixes).
- xen: sync include/xen/interface/io/ring.h with Xen's newest version (git-fixes).
ImportantSUSE bug 1012382SUSE bug 1179960SUSE bug 1183696SUSE bug 1186207SUSE bug 1192032SUSE bug 1192267SUSE bug 1192847SUSE bug 1192877SUSE bug 1192946SUSE bug 1193157SUSE bug 1193440SUSE bug 1193442SUSE bug 1193507SUSE bug 1193575SUSE bug 1193669SUSE bug 1193727SUSE bug 1193861SUSE bug 1193864SUSE bug 1193867SUSE bug 1194001SUSE bug 1194087SUSE bug 1194094SUSE bug 1194272SUSE bug 1194302SUSE bug 1194516SUSE bug 1194529SUSE bug 1194880CVE-2018-25020 at SUSECVE-2018-25020 at NVDCVE-2019-0136 at SUSECVE-2019-0136 at NVDCVE-2020-35519 at SUSECVE-2020-35519 at NVDCVE-2021-0935 at SUSECVE-2021-0935 at NVDCVE-2021-28711 at SUSECVE-2021-28711 at NVDCVE-2021-28712 at SUSECVE-2021-28712 at NVDCVE-2021-28713 at SUSECVE-2021-28713 at NVDCVE-2021-28715 at SUSECVE-2021-28715 at NVDCVE-2021-33098 at SUSECVE-2021-33098 at NVDCVE-2021-3564 at SUSECVE-2021-3564 at NVDCVE-2021-39648 at SUSECVE-2021-39648 at NVDCVE-2021-39657 at SUSECVE-2021-39657 at NVDCVE-2021-4002 at SUSECVE-2021-4002 at NVDCVE-2021-4083 at SUSECVE-2021-4083 at NVDCVE-2021-4149 at SUSECVE-2021-4149 at NVDCVE-2021-4155 at SUSECVE-2021-4155 at NVDCVE-2021-4197 at SUSECVE-2021-4197 at NVDCVE-2021-4202 at SUSECVE-2021-4202 at NVDCVE-2021-43976 at SUSECVE-2021-43976 at NVDCVE-2021-45095 at SUSECVE-2021-45095 at NVDCVE-2021-45485 at SUSECVE-2021-45485 at NVDCVE-2021-45486 at SUSECVE-2021-45486 at NVDCVE-2022-0330 at SUSECVE-2022-0330 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for tiff (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for tiff fixes the following issues:
- CVE-2022-2519: Fixed a double free in rotateImage() (bsc#1202968).
- CVE-2022-2520: Fixed a assertion failure in rotateImage() (bsc#1202973).
- CVE-2022-2521: Fixed invalid free in TIFFClose() (bsc#1202971).
- CVE-2022-2867: Fixed out of bounds read and write in tiffcrop.c (bsc#1202466).
- CVE-2022-2868: Fixed out of bounds read in reverseSamples16bits() (bsc#1202467).
- CVE-2022-2869: Fixed out of bounds read and write in extractContigSamples8bits() (bsc#1202468).
- CVE-2022-34526: Fixed stack overflow in the _TIFFVGetField function of Tiffsplit (bsc#1202026).
ImportantSUSE bug 1201723SUSE bug 1201971SUSE bug 1202026SUSE bug 1202466SUSE bug 1202467SUSE bug 1202468SUSE bug 1202968SUSE bug 1202971SUSE bug 1202973CVE-2022-0561 at SUSECVE-2022-0561 at NVDCVE-2022-2519 at SUSECVE-2022-2519 at NVDCVE-2022-2520 at SUSECVE-2022-2520 at NVDCVE-2022-2521 at SUSECVE-2022-2521 at NVDCVE-2022-2867 at SUSECVE-2022-2867 at NVDCVE-2022-2868 at SUSECVE-2022-2868 at NVDCVE-2022-2869 at SUSECVE-2022-2869 at NVDCVE-2022-34266 at SUSECVE-2022-34266 at NVDCVE-2022-34526 at SUSECVE-2022-34526 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libksba (Critical)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libksba fixes the following issues:
- CVE-2022-3515: Fixed a possible overflow in the TLV parser (bsc#1204357).
CriticalSUSE bug 1204357CVE-2022-3515 at SUSECVE-2022-3515 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for multipath-tools (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for multipath-tools fixes the following issues:
- CVE-2022-41974: Fixed an authorization bypass issue in multipathd. (bsc#1202739)
- Avoid linking to libreadline to avoid licensing issue (bsc#1202616)
- Avoid device IO in 'multipath -u' (bsc#1125145, bsc#1131789)
- mpathpersist: optimize for setups with many LUNs (bsc#1134648)
- mpathpersist: add option -f/--batch-file (bsc#1134648)
- libmultipath: get_prio(): really don't reset prio for inaccessible paths (bsc#1118495)
- Upstream bug fixes from dm-devel (bsc#1139369):
multipath: call store_pathinfo with DI_BLACKLIST
- hwtable: add Lenovo DE series (bsc#1125507)
ImportantSUSE bug 1118495SUSE bug 1125145SUSE bug 1125507SUSE bug 1131789SUSE bug 1134648SUSE bug 1139369SUSE bug 1202616SUSE bug 1202739SUSE bug 1204325CVE-2022-41974 at SUSECVE-2022-41974 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libxml2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libxml2 fixes the following issues:
- CVE-2016-3709: Fixed possible XSS vulnerability (bsc#1201978).
- CVE-2022-40303: Fixed integer overflows with XML_PARSE_HUGE (bsc#1204366).
- CVE-2022-40304: Fixed dict corruption caused by entity reference cycles (bsc#1204367).
ImportantSUSE bug 1201978SUSE bug 1204366SUSE bug 1204367CVE-2016-3709 at SUSECVE-2016-3709 at NVDCVE-2022-40303 at SUSECVE-2022-40303 at NVDCVE-2022-40304 at SUSECVE-2022-40304 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for bluez (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for bluez fixes the following issues:
- CVE-2019-8921: Fixed heap-based buffer overflow via crafted request (bsc#1193237).
- CVE-2016-9803: Fixed memory leak (bsc#1013885).
ImportantSUSE bug 1013885SUSE bug 1193237CVE-2016-9803 at SUSECVE-2016-9803 at NVDCVE-2019-8921 at SUSECVE-2019-8921 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
Updated to version 102.4.0 ESR (bsc#1204421):
- CVE-2022-42927: Fixed same-origin policy violation that could have leaked cross-origin URLs.
- CVE-2022-42928: Fixed memory Corruption in JS Engine.
- CVE-2022-42929: Fixed denial of Service via window.print.
- CVE-2022-42932: Fixed memory safety bugs.
ImportantSUSE bug 1204421CVE-2022-42927 at SUSECVE-2022-42927 at NVDCVE-2022-42928 at SUSECVE-2022-42928 at NVDCVE-2022-42929 at SUSECVE-2022-42929 at NVDCVE-2022-42932 at SUSECVE-2022-42932 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for telnet (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for telnet fixes the following issues:
- CVE-2022-39028: Fixed NULL pointer dereference in telnetd (bsc#1203759).
ImportantSUSE bug 1203759CVE-2022-39028 at SUSECVE-2022-39028 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for SUSE Manager Client Tools (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update fixes the following issues:
golang-github-lusitaniae-apache_exporter:
- Update to upstream release 0.11.0 (jsc#SLE-24791)
* Add TLS support
* Switch to logger, please check --log.level and --log.format flags
- Update to version 0.10.1
* Bugfix: Reset ProxyBalancer metrics on each scrape to remove stale data
- Update to version 0.10.0
* Add Apache Proxy and other metrics
- Update to version 0.8.0
* Change commandline flags
* Add metrics: Apache version, request duration total
- Adapted to build on Enterprise Linux 8
- Require building with Go 1.15
- Add %license macro for LICENSE file
golang-github-prometheus-alertmanager:
- Do not include sources (bsc#1200725)
golang-github-prometheus-node_exporter:
- CVE-2022-21698: Denial of service using InstrumentHandlerCounter. (bsc#1196338, jsc#SLE-24243, jsc#SUMA-114)
grafana:
- Update to version 8.3.10
+ Security:
* CVE-2022-31097: Cross Site Scripting vulnerability in the Unified Alerting (bsc#1201535)
* CVE-2022-31107: OAuth account takeover vulnerability (bsc#1201539)
- Update to version 8.3.9
+ Bug fixes:
* Geomap: Display legend
* Prometheus: Fix timestamp truncation
- Update to version 8.3.7
+ Bug fix:
* Provisioning: Ensure that the default value for orgID is set when provisioning datasources to be deleted.
- Update to version 8.3.6
+ Features and enhancements:
* Cloud Monitoring: Reduce request size when listing labels.
* Explore: Show scalar data result in a table instead of graph.
* Snapshots: Updates the default external snapshot server URL.
* Table: Makes footer not overlap table content.
* Tempo: Add request histogram to service graph datalink.
* Tempo: Add time range to tempo search query behind a feature flag.
* Tempo: Auto-clear results when changing query type.
* Tempo: Display start time in search results as relative time.
* CloudMonitoring: Fix resource labels in query editor.
* Cursor sync: Apply the settings without saving the dashboard.
* LibraryPanels: Fix for Error while cleaning library panels.
* Logs Panel: Fix timestamp parsing for string dates without timezone.
* Prometheus: Fix some of the alerting queries that use reduce/math operation.
* TablePanel: Fix ad-hoc variables not working on default datasources.
* Text Panel: Fix alignment of elements.
* Variables: Fix for constant variables in self referencing links.
- Update to version 8.3.5 (jsc#SLE-23439, jsc#SLE-23422, jsc#SLE-24565)
kiwi-desc-saltboot:
- Update to version 0.1.1661440542.6cbe0da
* Use standard susemanager.conf
* Use salt bundle
* Add support fo VirtIO disks
mgr-daemon:
- Version 4.3.6-1
* Update translation strings
spacecmd:
- Version 4.3.15-1
* Process date values in spacecmd api calls (bsc#1198903)
spacewalk-client-tools:
- Version 4.3.12-1
* Update translation strings
uyuni-common-libs:
- Version 4.3.6-1
* Do not allow creating path if nonexistent user or group in fileutils.
ModerateSUSE bug 1196338SUSE bug 1198903SUSE bug 1200725SUSE bug 1201535SUSE bug 1201539CVE-2022-21698 at SUSECVE-2022-21698 at NVDCVE-2022-31097 at SUSECVE-2022-31097 at NVDCVE-2022-31107 at SUSECVE-2022-31107 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for curl (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for curl fixes the following issues:
- CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).
ImportantSUSE bug 1204383CVE-2022-32221 at SUSECVE-2022-32221 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libtirpc (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libtirpc fixes the following issues:
- CVE-2021-46828: Fixed denial of service vulnerability with lots of connections (bsc#1201680).
- Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800)
ImportantSUSE bug 1200800SUSE bug 1201680CVE-2021-46828 at SUSECVE-2021-46828 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for openjpeg2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for openjpeg2 fixes the following issues:
- CVE-2018-21010: Fixed heap buffer overflow in color_apply_icc_profile in bin/common/color.c (bsc#1149789).
- CVE-2020-27824: Fixed OOB read in opj_dwt_calc_explicit_stepsizes() (bsc#1179821).
- CVE-2020-27842: Fixed null pointer dereference in opj_tgt_reset function in lib/openjp2/tgt.c (bsc#1180043).
- CVE-2020-27843: Fixed out-of-bounds read in opj_t2_encode_packet function in openjp2/t2.c (bsc#1180044).
- CVE-2020-27845: Fixed heap-based buffer over-read in functions opj_pi_next_rlcp, opj_pi_next_rpcl and opj_pi_next_lrcp in openjp2/pi.c (bsc#1180046).
ImportantSUSE bug 1149789SUSE bug 1179821SUSE bug 1180043SUSE bug 1180044SUSE bug 1180046CVE-2018-21010 at SUSECVE-2018-21010 at NVDCVE-2020-27824 at SUSECVE-2020-27824 at NVDCVE-2020-27842 at SUSECVE-2020-27842 at NVDCVE-2020-27843 at SUSECVE-2020-27843 at NVDCVE-2020-27845 at SUSECVE-2020-27845 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for dbus-1 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for dbus-1 fixes the following issues:
- CVE-2022-42010: Fixed potential crash that could be triggered by an invalid signature (bsc#1204111).
- CVE-2022-42011: Fixed an out of bounds read caused by a fixed length array (bsc#1204112).
- CVE-2022-42012: Fixed a use-after-free that could be trigged by a message in non-native endianness with out-of-band Unix file descriptor (bsc#1204113).
Bugfixes:
- Disable asserts (bsc#1087072).
ImportantSUSE bug 1087072SUSE bug 1204111SUSE bug 1204112SUSE bug 1204113CVE-2022-42010 at SUSECVE-2022-42010 at NVDCVE-2022-42011 at SUSECVE-2022-42011 at NVDCVE-2022-42012 at SUSECVE-2022-42012 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libtasn1 (Critical)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libtasn1 fixes the following issues:
- CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690).
CriticalSUSE bug 1204690CVE-2021-46848 at SUSECVE-2021-46848 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xorg-x11-server fixes the following issues:
- CVE-2022-3550: Fixed out of bounds read/write in _GetCountedString() (bsc#1204412).
- CVE-2022-3551: Fixed various leaks of the return value of GetComponentSpec() (bsc#1204416).
ImportantSUSE bug 1204412SUSE bug 1204416CVE-2022-3550 at SUSECVE-2022-3550 at NVDCVE-2022-3551 at SUSECVE-2022-3551 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for expat (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for expat fixes the following issues:
- CVE-2022-43680: Fixed use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708).
ImportantSUSE bug 1204708CVE-2022-43680 at SUSECVE-2022-43680 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for python (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python fixes the following issues:
- CVE-2021-28861: Fixed an open redirection vulnerability in the HTTP server when an URI path starts with // BaseHTTPServer (bsc#1202624).
ImportantSUSE bug 1202624CVE-2021-28861 at SUSECVE-2021-28861 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xen fixes the following issues:
- CVE-2022-42311, CVE-2022-42312, CVE-2022-42313, CVE-2022-42314, CVE-2022-42315, CVE-2022-42316, CVE-2022-42317, CVE-2022-42318: xen: Xenstore: Guests can let xenstored run out of memory (bsc#1204482)
- CVE-2022-42309: xen: Xenstore: Guests can crash xenstored (bsc#1204485)
- CVE-2022-42310: xen: Xenstore: Guests can create orphaned Xenstore nodes (bsc#1204487)
- CVE-2022-42319: xen: Xenstore: Guests can cause Xenstore to not free temporary memory (bsc#1204488)
- CVE-2022-42320: xen: Xenstore: Guests can get access to Xenstore nodes of deleted domains (bsc#1204489)
- CVE-2022-42321: xen: Xenstore: Guests can crash xenstored via exhausting the stack (bsc#1204490)
- CVE-2022-42322,CVE-2022-42323: xen: Xenstore: cooperating guests can create arbitrary numbers of nodes (bsc#1204494)
- CVE-2022-42325,CVE-2022-42326: xen: Xenstore: Guests can create arbitrary number of nodes via transactions (bsc#1204496)
ImportantSUSE bug 1204482SUSE bug 1204485SUSE bug 1204487SUSE bug 1204488SUSE bug 1204489SUSE bug 1204490SUSE bug 1204494SUSE bug 1204496CVE-2022-42309 at SUSECVE-2022-42309 at NVDCVE-2022-42310 at SUSECVE-2022-42310 at NVDCVE-2022-42311 at SUSECVE-2022-42311 at NVDCVE-2022-42312 at SUSECVE-2022-42312 at NVDCVE-2022-42313 at SUSECVE-2022-42313 at NVDCVE-2022-42314 at SUSECVE-2022-42314 at NVDCVE-2022-42315 at SUSECVE-2022-42315 at NVDCVE-2022-42316 at SUSECVE-2022-42316 at NVDCVE-2022-42317 at SUSECVE-2022-42317 at NVDCVE-2022-42318 at SUSECVE-2022-42318 at NVDCVE-2022-42319 at SUSECVE-2022-42319 at NVDCVE-2022-42320 at SUSECVE-2022-42320 at NVDCVE-2022-42321 at SUSECVE-2022-42321 at NVDCVE-2022-42322 at SUSECVE-2022-42322 at NVDCVE-2022-42323 at SUSECVE-2022-42323 at NVDCVE-2022-42325 at SUSECVE-2022-42325 at NVDCVE-2022-42326 at SUSECVE-2022-42326 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libvirt (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libvirt fixes the following issues:
- CVE-2021-4147: libxl: Fix libvirtd deadlocks and segfaults. (bsc#1194041)
- CVE-2021-3975: Add missing lock in qemuProcessHandleMonitorEOF. (bsc#1192876)
ImportantSUSE bug 1192876SUSE bug 1193981SUSE bug 1194041CVE-2021-3975 at SUSECVE-2021-3975 at NVDCVE-2021-4147 at SUSECVE-2021-4147 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for grub2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for grub2 fixes the following issues:
Security Fixes:
- CVE-2022-2601: Fixed buffer overflow in grub_font_construct_glyph (bsc#1205178).
- CVE-2022-3775: Fixed integer underflow in blit_comb() (bsc#1205182).
Other:
- Bump upstream SBAT generation to 3
ImportantSUSE bug 1205178SUSE bug 1205182CVE-2022-2601 at SUSECVE-2022-2601 at NVDCVE-2022-3775 at SUSECVE-2022-3775 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for tomcat (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for tomcat fixes the following issues:
- CVE-2022-42252: Fixed a request smuggling (bsc#1204918).
ImportantSUSE bug 1204918CVE-2022-42252 at SUSECVE-2022-42252 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for sudo (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for sudo fixes the following issues:
Security fixes:
- CVE-2022-43995: Fixed a potential heap-based buffer over-read when entering a password of seven characters or fewer and using the crypt() password backend (bsc#1204986).
Other:
- Make sure SIGCHLD is not ignored when sudo is executed; fixes race condition (bsc#1203201).
- Change sudo-ldap schema from ASCII to UTF8 (bsc#1197998).
ImportantSUSE bug 1197998SUSE bug 1203201SUSE bug 1204986CVE-2022-43995 at SUSECVE-2022-43995 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
Update to Firefox Extended Support Release 102.5.0 ESR (MFSA 2022-48, bsc#1205270):
- CVE-2022-45403: Service Workers might have learned size of cross-origin media files
- CVE-2022-45404: Fullscreen notification bypass
- CVE-2022-45405: Use-after-free in InputStream implementation
- CVE-2022-45406: Use-after-free of a JavaScript Realm
- CVE-2022-45408: Fullscreen notification bypass via windowName
- CVE-2022-45409: Use-after-free in Garbage Collection
- CVE-2022-45410: ServiceWorker-intercepted requests bypassed SameSite cookie policy
- CVE-2022-45411: Cross-Site Tracing was possible via non-standard override headers
- CVE-2022-45412: Symlinks may resolve to partially uninitialized buffers
- CVE-2022-45416: Keystroke Side-Channel Leakage
- CVE-2022-45418: Custom mouse cursor could have been drawn over browser UI
- CVE-2022-45420: Iframe contents could be rendered outside the iframe
- CVE-2022-45421: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5
ImportantSUSE bug 1205270CVE-2022-45403 at SUSECVE-2022-45403 at NVDCVE-2022-45404 at SUSECVE-2022-45404 at NVDCVE-2022-45405 at SUSECVE-2022-45405 at NVDCVE-2022-45406 at SUSECVE-2022-45406 at NVDCVE-2022-45408 at SUSECVE-2022-45408 at NVDCVE-2022-45409 at SUSECVE-2022-45409 at NVDCVE-2022-45410 at SUSECVE-2022-45410 at NVDCVE-2022-45411 at SUSECVE-2022-45411 at NVDCVE-2022-45412 at SUSECVE-2022-45412 at NVDCVE-2022-45416 at SUSECVE-2022-45416 at NVDCVE-2022-45418 at SUSECVE-2022-45418 at NVDCVE-2022-45420 at SUSECVE-2022-45420 at NVDCVE-2022-45421 at SUSECVE-2022-45421 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for tiff (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for tiff fixes the following issues:
- CVE-2022-3597: Fixed out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c (bnc#1204641).
- CVE-2022-3599: Fixed out-of-bounds read in writeSingleSection in tools/tiffcrop.c (bnc#1204643).
- CVE-2022-3626: Fixed out-of-bounds write in _TIFFmemset in libtiff/tif_unix.c (bnc#1204644)
- CVE-2022-3627: Fixed out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c (bnc#1204645).
- CVE-2022-3970: Fixed unsigned integer overflow in TIFFReadRGBATileExt() (bnc#1205392).
ImportantSUSE bug 1204641SUSE bug 1204643SUSE bug 1204644SUSE bug 1204645SUSE bug 1205392CVE-2022-3597 at SUSECVE-2022-3597 at NVDCVE-2022-3599 at SUSECVE-2022-3599 at NVDCVE-2022-3626 at SUSECVE-2022-3626 at NVDCVE-2022-3627 at SUSECVE-2022-3627 at NVDCVE-2022-3970 at SUSECVE-2022-3970 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for pixman (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for pixman fixes the following issues:
- CVE-2022-44638: Fixed an integer overflow in pixman_sample_floor_y leading to heap out-of-bounds write (bsc#1205033).
ImportantSUSE bug 1205033CVE-2022-44638 at SUSECVE-2022-44638 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for python3 fixes the following issues:
- CVE-2020-10735: Fixed possible DoS when converting text to int and vice versa (bsc#1203125).
- CVE-2022-45061: Fixed possible DoS when IDNA decoding extremely long domain names (bsc#1205244).
ImportantSUSE bug 1203125SUSE bug 1205244CVE-2020-10735 at SUSECVE-2020-10735 at NVDCVE-2022-45061 at SUSECVE-2022-45061 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for exiv2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for exiv2 fixes the following issues:
- CVE-2019-13112: Fixed an uncontrolled memory allocation in PngChunk:parseChunkContent causing denial of service. (bsc#1142681)
- CVE-2021-37620: Fixed out-of-bounds read in XmpTextValue:read(). (bsc#1189332)
- CVE-2021-34334: Fixed a DoS due to integer overflow in loop counter. (bsc#1189338)
- CVE-2021-31291: Fixed a heap-based buffer overflow vulnerability in jp2image.cpp may lead to a denial of service via crafted metadata (bsc#1188733).
- CVE-2021-32815: Fixed a deny-of-service due to assertion failure in crwimage_int.cpp (bsc#1189337).
- CVE-2018-20097: Fixed SEGV in Exiv2::Internal::TiffParserWorker::findPrimaryGroupsu (bsc#1119562).
- CVE-2021-29457: Fixed a heap buffer overflow when write metadata into a crafted image file (bsc#1185002).
- CVE-2021-29473: Fixed out-of-bounds read in Exiv2::Jp2Image:doWriteMetadata (bsc#1186231).
ImportantSUSE bug 1119562SUSE bug 1142681SUSE bug 1185002SUSE bug 1186231SUSE bug 1188733SUSE bug 1189332SUSE bug 1189337SUSE bug 1189338CVE-2018-20097 at SUSECVE-2018-20097 at NVDCVE-2019-13112 at SUSECVE-2019-13112 at NVDCVE-2021-29457 at SUSECVE-2021-29457 at NVDCVE-2021-29473 at SUSECVE-2021-29473 at NVDCVE-2021-31291 at SUSECVE-2021-31291 at NVDCVE-2021-32815 at SUSECVE-2021-32815 at NVDCVE-2021-34334 at SUSECVE-2021-34334 at NVDCVE-2021-37620 at SUSECVE-2021-37620 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for busybox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for busybox fixes the following issues:
- CVE-2014-9645: Fixed loading of unwanted modules with / (bsc#914660).
- CVE-2017-16544: Fixed insufficient sanitization of filenames when autocompleting (bsc#1069412).
- CVE-2015-9261: Fixed huft_build misuses a pointer, causing segfaults (bsc#1102912).
- CVE-2016-2147: Fixed out of bounds write (heap) due to integer underflow in udhcpc (bsc#970663).
- CVE-2016-2148: Fixed heap-based buffer overflow in OPTION_6RD parsing (bsc#970662).
- CVE-2016-6301: Fixed NTP server denial of service flaw (bsc#991940).
- CVE-2017-15873: Fixed integer overflow in get_next_block function in archival/libarchive/decompress_bunzip2.c (bsc#1064976).
- CVE-2017-15874: Fixed integer overflow in archival/libarchive/decompress_unlzma (bsc#1064978).
- CVE-2019-5747: Fixed out of bounds read in udhcp components (bsc#1121428).
- CVE-2021-42373, CVE-2021-42374, CVE-2021-42375, CVE-2021-42376, CVE-2021-42377, CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381, CVE-2021-42382, CVE-2021-42383, CVE-2021-42384, CVE-2021-42385, CVE-2021-42386: v1.34.0 bugfixes (bsc#1192869).
- CVE-2021-28831: Fixed invalid free or segmentation fault via malformed gzip data (bsc#1184522).
- CVE-2018-20679: Fixed out of bounds read in udhcp (bsc#1121426).
- CVE-2018-1000517: Fixed heap-based buffer overflow in the retrieve_file_data() (bsc#1099260).
- CVE-2011-5325: Fixed tar directory traversal (bsc#951562).
- CVE-2018-1000500: Fixed missing SSL certificate validation in wget (bsc#1099263).
- Update to 1.35.0
- awk: fix printf %%, fix read beyond end of buffer
- chrt: silence analyzer warning
- libarchive: remove duplicate forward declaration
- mount: 'mount -o rw ....' should not fall back to RO mount
- ps: fix -o pid=PID,args interpreting entire 'PID,args' as header
- tar: prevent malicious archives with long name sizes causing OOM
- udhcpc6: fix udhcp_find_option to actually find DHCP6 options
- xxd: fix -p -r
- support for new optoins added to basename, cpio, date, find,
mktemp, wget and others
- Enable fdisk (jsc#CAR-16)
- Update to 1.34.1:
* build system: use SOURCE_DATE_EPOCH for timestamp if available
* many bug fixes and new features
* touch: make FEATURE_TOUCH_NODEREF unconditional
- update to 1.33.1:
* httpd: fix sendfile
* ash: fix HISTFILE corruptio
* ash: fix unset variable pattern expansion
* traceroute: fix option parsing
* gunzip: fix for archive corruption
- Update to version 1.33.0
- many bug fixes and new features
- Update to version 1.32.1
- fixes a case where in ash, 'wait' never finishes.
- prepare usrmerge (bsc#1029961)
- Enable testsuite and package it for later rerun (for QA, jsc#CAR-15)
- Update to version 1.31.1:
+ Bug fix release. 1.30.1 has fixes for dc, ash (PS1 expansion
fix), hush, dpkg-deb, telnet and wget.
- Changes from version 1.31.0:
+ many bugfixes and new features.
- Add busybox-no-stime.patch: stime() has been deprecated in glibc
2.31 and replaced with clock_settime().
- update to 1.25.1:
* fixes for hush, gunzip, ip route, ntpd
- includes changes from 1.25.0:
* many added and expanded implementations of command options
- includes changes from 1.24.2:
* fixes for build system (static build with glibc fixed),
truncate, gunzip and unzip.
- Update to version 1.24.1
* for a full list of changes see http://www.busybox.net/news.html
- Refresh busybox.install.patch
- Update to 1.23.2
* for a full list of changes see http://www.busybox.net/news.html
- Cleaned up spec file with spec-cleaner
- Refreshed patches
- update to 1.22.1:
Many updates and fixes for most included tools, see
see http://www.busybox.net/news.html
ImportantSUSE bug 1029961SUSE bug 1064976SUSE bug 1064978SUSE bug 1069412SUSE bug 1099260SUSE bug 1099263SUSE bug 1102912SUSE bug 1121426SUSE bug 1121428SUSE bug 1184522SUSE bug 1191514SUSE bug 1192869SUSE bug 914660SUSE bug 951562SUSE bug 970662SUSE bug 970663SUSE bug 991940CVE-2011-5325 at SUSECVE-2011-5325 at NVDCVE-2014-9645 at SUSECVE-2014-9645 at NVDCVE-2015-9261 at SUSECVE-2015-9261 at NVDCVE-2016-2147 at SUSECVE-2016-2147 at NVDCVE-2016-2148 at SUSECVE-2016-2148 at NVDCVE-2016-6301 at SUSECVE-2016-6301 at NVDCVE-2017-15873 at SUSECVE-2017-15873 at NVDCVE-2017-15874 at SUSECVE-2017-15874 at NVDCVE-2017-16544 at SUSECVE-2017-16544 at NVDCVE-2018-1000500 at SUSECVE-2018-1000500 at NVDCVE-2018-1000517 at SUSECVE-2018-1000517 at NVDCVE-2018-20679 at SUSECVE-2018-20679 at NVDCVE-2019-5747 at SUSECVE-2019-5747 at NVDCVE-2021-28831 at SUSECVE-2021-28831 at NVDCVE-2021-42373 at SUSECVE-2021-42373 at NVDCVE-2021-42374 at SUSECVE-2021-42374 at NVDCVE-2021-42375 at SUSECVE-2021-42375 at NVDCVE-2021-42376 at SUSECVE-2021-42376 at NVDCVE-2021-42377 at SUSECVE-2021-42377 at NVDCVE-2021-42378 at SUSECVE-2021-42378 at NVDCVE-2021-42379 at SUSECVE-2021-42379 at NVDCVE-2021-42380 at SUSECVE-2021-42380 at NVDCVE-2021-42381 at SUSECVE-2021-42381 at NVDCVE-2021-42382 at SUSECVE-2021-42382 at NVDCVE-2021-42383 at SUSECVE-2021-42383 at NVDCVE-2021-42384 at SUSECVE-2021-42384 at NVDCVE-2021-42385 at SUSECVE-2021-42385 at NVDCVE-2021-42386 at SUSECVE-2021-42386 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for binutils (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for binutils fixes the following issues:
The following security bugs were fixed:
- CVE-2019-1010204: Fixed out-of-bounds read in elfcpp/elfcpp_file.h (bsc#1142579).
- CVE-2021-3530: Fixed stack-based buffer overflow in demangle_path() in rust-demangle.c (bsc#1185597).
- CVE-2021-3648: Fixed infinite loop while demangling rust symbols (bsc#1188374).
- CVE-2021-3826: Fixed heap/stack buffer overflow in the dlang_lname function in d-demangle.c (bsc#1202969).
- CVE-2021-45078: Fixed out-of-bounds write in stab_xcoff_builtin_type() in stabs.c (bsc#1193929).
- CVE-2021-46195: Fixed uncontrolled recursion in libiberty/rust-demangle.c (bsc#1194783).
- CVE-2022-27943: Fixed stack exhaustion in demangle_const in (bsc#1197592).
- CVE-2022-38126: Fixed assertion fail in the display_debug_names() function in binutils/dwarf.c (bsc#1202966).
- CVE-2022-38127: Fixed NULL pointer dereference in the read_and_display_attr_value() function in binutils/dwarf.c (bsc#1202967).
- CVE-2022-38533: Fixed heap out-of-bounds read in bfd_getl32 (bsc#1202816).
The following non-security bugs were fixed:
- SLE toolchain update of binutils, update to 2.39 from 2.37.
- Update to 2.39:
* The ELF linker will now generate a warning message if the stack is made
executable. Similarly it will warn if the output binary contains a
segment with all three of the read, write and execute permission
bits set. These warnings are intended to help developers identify
programs which might be vulnerable to attack via these executable
memory regions.
The warnings are enabled by default but can be disabled via a command
line option. It is also possible to build a linker with the warnings
disabled, should that be necessary.
* The ELF linker now supports a --package-metadata option that allows
embedding a JSON payload in accordance to the Package Metadata
specification.
* In linker scripts it is now possible to use TYPE=<type> in an output
section description to set the section type value.
* The objdump program now supports coloured/colored syntax
highlighting of its disassembler output for some architectures.
(Currently: AVR, RiscV, s390, x86, x86_64).
* The nm program now supports a --no-weak/-W option to make it ignore
weak symbols.
* The readelf and objdump programs now support a -wE option to prevent
them from attempting to access debuginfod servers when following
links.
* The objcopy program's --weaken, --weaken-symbol, and
--weaken-symbols options now works with unique symbols as well.
- Update to 2.38:
* elfedit: Add --output-abiversion option to update ABIVERSION.
* Add support for the LoongArch instruction set.
* Tools which display symbols or strings (readelf, strings, nm, objdump)
have a new command line option which controls how unicode characters are
handled. By default they are treated as normal for the tool. Using
--unicode=locale will display them according to the current locale.
Using --unicode=hex will display them as hex byte values, whilst
--unicode=escape will display them as escape sequences. In addition
using --unicode=highlight will display them as unicode escape sequences
highlighted in red (if supported by the output device).
* readelf -r dumps RELR relative relocations now.
* Support for efi-app-aarch64, efi-rtdrv-aarch64 and efi-bsdrv-aarch64 has been
added to objcopy in order to enable UEFI development using binutils (bsc#1198458).
* ar: Add --thin for creating thin archives. -T is a deprecated alias without
diagnostics. In many ar implementations -T has a different meaning, as
specified by X/Open System Interface.
* Add support for AArch64 system registers that were missing in previous
releases.
* Add support for the LoongArch instruction set.
* Add a command-line option, -muse-unaligned-vector-move, for x86 target
to encode aligned vector move as unaligned vector move.
* Add support for Cortex-R52+ for Arm.
* Add support for Cortex-A510, Cortex-A710, Cortex-X2 for AArch64.
* Add support for Cortex-A710 for Arm.
* Add support for Scalable Matrix Extension (SME) for AArch64.
* The --multibyte-handling=[allow|warn|warn-sym-only] option tells the
assembler what to when it encoutners multibyte characters in the input. The
default is to allow them. Setting the option to 'warn' will generate a
warning message whenever any multibyte character is encountered. Using the
option to 'warn-sym-only' will make the assembler generate a warning whenever a
symbol is defined containing multibyte characters. (References to undefined
symbols will not generate warnings).
* Outputs of .ds.x directive and .tfloat directive with hex input from
x86 assembler have been reduced from 12 bytes to 10 bytes to match the
output of .tfloat directive.
* Add support for 'armv8.8-a', 'armv9-a', 'armv9.1-a', 'armv9.2-a' and
'armv9.3-a' for -march in AArch64 GAS.
* Add support for 'armv8.7-a', 'armv8.8-a', 'armv9-a', 'armv9.1-a',
'armv9.2-a' and 'armv9.3-a' for -march in Arm GAS.
* Add support for Intel AVX512_FP16 instructions.
* Add -z pack-relative-relocs/-z no pack-relative-relocs to x86 ELF
linker to pack relative relocations in the DT_RELR section.
* Add support for the LoongArch architecture.
* Add -z indirect-extern-access/-z noindirect-extern-access to x86 ELF
linker to control canonical function pointers and copy relocation.
* Add --max-cache-size=SIZE to set the the maximum cache size to SIZE
bytes.
- Fixed regression that prevented .ko.debug to be loaded in crash tool (bsc#1191908).
- Explicitly enable --enable-warn-execstack=yes and --enable-warn-rwx-segments=yes.
- Add gprofng subpackage.
- Include recognition of 'z16' name for 'arch14' on s390. (bsc#1198237).
- Add back fix for bsc#1191473, which got lost in the update to 2.38.
- Install symlinks for all target specific tools on arm-eabi-none (bsc#1185712).
- Enable PRU architecture for AM335x CPU (Beagle Bone Black board)
ImportantSUSE bug 1142579SUSE bug 1185597SUSE bug 1185712SUSE bug 1188374SUSE bug 1191473SUSE bug 1191908SUSE bug 1193929SUSE bug 1194783SUSE bug 1197592SUSE bug 1198237SUSE bug 1198458SUSE bug 1202816SUSE bug 1202966SUSE bug 1202967SUSE bug 1202969CVE-2019-1010204 at SUSECVE-2019-1010204 at NVDCVE-2021-3530 at SUSECVE-2021-3530 at NVDCVE-2021-3648 at SUSECVE-2021-3648 at NVDCVE-2021-3826 at SUSECVE-2021-3826 at NVDCVE-2021-45078 at SUSECVE-2021-45078 at NVDCVE-2021-46195 at SUSECVE-2021-46195 at NVDCVE-2022-27943 at SUSECVE-2022-27943 at NVDCVE-2022-38126 at SUSECVE-2022-38126 at NVDCVE-2022-38127 at SUSECVE-2022-38127 at NVDCVE-2022-38533 at SUSECVE-2022-38533 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
Security fixes:
- CVE-2022-32888: Fixed possible arbitrary code execution via maliciously crafted web content (bsc#1205121).
- CVE-2022-32923: Fixed possible information leak via maliciously crafted web content (bsc#1205122).
- CVE-2022-42799: Fixed user interface spoofing when visiting a malicious website (bsc#1205123).
- CVE-2022-42823: Fixed possible arbitrary code execution via maliciously crafted web content (bsc#1205120).
- CVE-2022-42824: Fixed possible sensitive user information leak via maliciously crafted web content (bsc#1205124).
Update to version 2.38.2:
- Fix scrolling issues in some sites having fixed background.
- Fix prolonged buffering during progressive live playback.
- Fix the build with accessibility disabled.
- Fix several crashes and rendering issues.
Update to version 2.38.1:
- Make xdg-dbus-proxy work if host session bus address is an
abstract socket.
- Use a single xdg-dbus-proxy process when sandbox is enabled.
- Fix high resolution video playback due to unimplemented
changeType operation.
- Ensure GSubprocess uses posix_spawn() again and inherit file
descriptors.
- Fix player stucking in buffering (paused) state for progressive
streaming.
- Do not try to preconnect on link click when link preconnect
setting is disabled.
- Fix close status code returned when the client closes a
WebSocket in some cases.
- Fix media player duration calculation.
- Fix several crashes and rendering issues.
Update to version 2.38.0:
- New media controls UI style.
- Add new API to set WebView's Content-Security-Policy for web
extensions support.
- Make it possible to use the remote inspector from other
browsers using WEBKIT_INSPECTOR_HTTP_SERVER env var.
- MediaSession is enabled by default, allowing remote media
control using MPRIS.
- Add support for PDF documents using PDF.js.
ImportantSUSE bug 1205120SUSE bug 1205121SUSE bug 1205122SUSE bug 1205123SUSE bug 1205124CVE-2022-32888 at SUSECVE-2022-32888 at NVDCVE-2022-32923 at SUSECVE-2022-32923 at NVDCVE-2022-42799 at SUSECVE-2022-42799 at NVDCVE-2022-42823 at SUSECVE-2022-42823 at NVDCVE-2022-42824 at SUSECVE-2022-42824 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_8_0-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_8_0-ibm fixes the following issues:
- CVE-2022-21626: An unauthenticated attacker with network access via HTTPS can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition (bsc#1204471).
- CVE-2022-21618: An unauthenticated attacker with network access via Kerberos can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition (bsc#1204468).
- CVE-2022-21619: An unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE (bsc#1204473).
- CVE-2022-21628: An unauthenticated attacker with network access via HTTP can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition (bsc#1204472).
- CVE-2022-21624: An unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise (bsc#1204475).
- CVE-2022-39399: An unauthenticated attacker with network access via HTTP can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition (bsc#1204480).
- Update to Java 8.0 Service Refresh 7 Fix Pack 20 [bsc#1205302]
* Security:
- The IBM ORB Does Not Support Object-Serialisation Data Filtering
- Large Allocation In CipherSuite
- Avoid Evaluating Sslalgorithmconstraints Twice
- Cache The Results Of Constraint Checks
- An incorrect ShortBufferException is thrown by IBMJCEPlus,
IBMJCEPlusFIPS during cipher update operation
- Disable SHA-1 Signed Jars For Ea
- JSSE Performance Improvement
- Oracle Road Map Kerberos Deprecation Of 3DES And RC4 Encryption
* Java 8/Orb:
- Upgrade ibmcfw.jar To Version o2228.02
* Class Libraries:
- Crash In Libjsor.So During An Rdma Failover
- High CPU Consumption Observed In ZosEventPort$EventHandlerTask.run
- Update Timezone Information To The Latest tzdata2022c
* Jit Compiler:
- Crash During JIT Compilation
- Incorrect JIT Optimization Of Java Code
- Incorrect Return From Class.isArray()
- Unexpected ClassCastException
- Performance Regression When Calling VM Helper Code On X86
* X/Os Extentions:
- Add RSA-OAEP Cipher Function To IBMJCECCA
- Update to Java 8.0 Service Refresh 7 Fix Pack 16
* Java Virtual Machine
- Assertion failure at ClassLoaderRememberedSet.cpp
- Assertion failure at StandardAccessBarrier.cpp when
-Xgc:concurrentScavenge is set.
- GC can have unflushed ownable synchronizer objects which
can eventually lead to heap corruption and failure when
-Xgc:concurrentScavenge is set.
* JIT Compiler:
- Incorrect JIT optimization of Java code
- JAVA JIT Power: JIT compile time assert on AIX or LINUXPPC
* Reliability and Serviceability:
- javacore with 'kill -3' SIGQUIT signal freezes Java process
ModerateSUSE bug 1204468SUSE bug 1204471SUSE bug 1204472SUSE bug 1204473SUSE bug 1204475SUSE bug 1204480SUSE bug 1205302CVE-2022-21618 at SUSECVE-2022-21618 at NVDCVE-2022-21619 at SUSECVE-2022-21619 at NVDCVE-2022-21624 at SUSECVE-2022-21624 at NVDCVE-2022-21626 at SUSECVE-2022-21626 at NVDCVE-2022-21628 at SUSECVE-2022-21628 at NVDCVE-2022-39399 at SUSECVE-2022-39399 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for supportutils (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for supportutils fixes the following issues:
Security issues fixed:
- Passwords correctly removed from email.txt, updates.txt and fs-iscsi.txt (bsc#1203818)
ModerateSUSE bug 1203818cpe:/o:suse:sles-bcl:12:sp3Security update for emacs (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for emacs fixes the following issues:
- CVE-2022-45939: Fixed shell command injection via source code files when using ctags (bsc#1205822).
ImportantSUSE bug 1205822CVE-2022-45939 at SUSECVE-2022-45939 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for krb5 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for krb5 fixes the following issues:
- CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126).
ImportantSUSE bug 1205126CVE-2022-42898 at SUSECVE-2022-42898 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_8_0-openjdk (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_8_0-openjdk fixes the following issues:
Update to version jdk8u352 (icedtea-3.25.0):
- CVE-2022-21619,CVE-2022-21624: Fixed difficult to exploit vulnerability allows unauthenticated attacker with network access and can cause unauthorized update, insert or delete access via multiple protocols (bsc#1204473,bsc#1204475).
- CVE-2022-21626: Fixed easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to cause partial denial of service (bsc#1204471).
- CVE-2022-21628: Fixed easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to cause partial denial of service (bsc#1204472).
ModerateSUSE bug 1204471SUSE bug 1204472SUSE bug 1204473SUSE bug 1204475CVE-2022-21619 at SUSECVE-2022-21619 at NVDCVE-2022-21624 at SUSECVE-2022-21624 at NVDCVE-2022-21626 at SUSECVE-2022-21626 at NVDCVE-2022-21628 at SUSECVE-2022-21628 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 102.6.0 ESR (bsc#1206242):
- CVE-2022-46880: Use-after-free in WebGL
- CVE-2022-46872: Arbitrary file read from a compromised content process
- CVE-2022-46881: Memory corruption in WebGL
- CVE-2022-46874: Drag and Dropped Filenames could have been truncated to malicious extensions
- CVE-2022-46875: Download Protections were bypassed by .atloc and .ftploc files on Mac OS
- CVE-2022-46882: Use-after-free in WebGL
- CVE-2022-46878: Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6
ImportantSUSE bug 1206242CVE-2022-46872 at SUSECVE-2022-46872 at NVDCVE-2022-46874 at SUSECVE-2022-46874 at NVDCVE-2022-46875 at SUSECVE-2022-46875 at NVDCVE-2022-46878 at SUSECVE-2022-46878 at NVDCVE-2022-46880 at SUSECVE-2022-46880 at NVDCVE-2022-46881 at SUSECVE-2022-46881 at NVDCVE-2022-46882 at SUSECVE-2022-46882 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for zabbix (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for zabbix fixes the following issues:
- CVE-2022-43515: X-Forwarded-For header is active by default causes access to Zabbix sites in maintenance mode (bsc#1206083).
ModerateSUSE bug 1206083CVE-2022-43515 at SUSECVE-2022-43515 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xorg-x11-server fixes the following issues:
- CVE-2022-46340: Server XTestSwapFakeInput stack overflow (bsc#1205874)
- CVE-2022-46341: Server XIPassiveUngrabDevice out-of-bounds access (bsc#1205877)
- CVE-2022-46342: Server XvdiSelectVideoNotify use-after-free (bsc#1205879)
- CVE-2022-46343: Server ScreenSaverSetAttributes use-after-free (bsc#1205878)
- CVE-2022-46344: Server XIChangeProperty out-of-bounds access (bsc#1205876)
- CVE-2022-4283: Reset the radio_groups pointer to NULL after freeing it (bsc#1206017)
- Xi: return an error from XI property changes if verification failed (bsc#1205875)
ImportantSUSE bug 1205874SUSE bug 1205875SUSE bug 1205876SUSE bug 1205877SUSE bug 1205878SUSE bug 1205879SUSE bug 1206017CVE-2022-4283 at SUSECVE-2022-4283 at NVDCVE-2022-46340 at SUSECVE-2022-46340 at NVDCVE-2022-46341 at SUSECVE-2022-46341 at NVDCVE-2022-46342 at SUSECVE-2022-46342 at NVDCVE-2022-46343 at SUSECVE-2022-46343 at NVDCVE-2022-46344 at SUSECVE-2022-46344 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-BCL
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2022-3635: Fixed a use-after-free in the tst_timer() of the file drivers/atm/idt77252.c (bsc#1204631).
- CVE-2022-3424: Fixed use-after-free in gru_set_context_option(), gru_fault() and gru_handle_user_call_os() that could lead to kernel panic (bsc#1204166).
- CVE-2022-41850: Fixed a race condition in roccat_report_event() in drivers/hid/hid-roccat.c (bsc#1203960).
- CVE-2022-45934: Fixed a integer wraparound via L2CAP_CONF_REQ packets in l2cap_config_req in net/bluetooth/l2cap_core.c (bsc#1205796).
- CVE-2022-3628: Fixed potential buffer overflow in brcmf_fweh_event_worker() in wifi/brcmfmac (bsc#1204868).
- CVE-2022-3567: Fixed a to race condition in inet6_stream_ops()/inet6_dgram_ops() (bsc#1204414).
- CVE-2022-41858: Fixed a denial of service in sl_tx_timeout() in drivers/net/slip (bsc#1205671).
- CVE-2022-43945: Fixed a buffer overflow in the NFSD implementation (bsc#1205128).
- CVE-2022-4095: Fixed a use-after-free in rtl8712 driver (bsc#1205514).
- CVE-2022-3903: Fixed a denial of service with the Infrared Transceiver USB driver (bsc#1205220).
- CVE-2022-2964: Fixed memory corruption issues in ax88179_178a devices (bsc#1202686).
- CVE-2021-4037: Fixed function logic vulnerability that allowed local users to create files for the XFS file-system with an unintended group ownership and with group execution and SGID permission bits set (bsc#1198702).
- CVE-2022-43750: Fixed vulnerability in usbmon that allowed a user-space client to corrupt the monitor's internal memory (bsc#1204653).
- CVE-2020-26541: Enforce the secure boot forbidden signature database (aka dbx) protection mechanism (bsc#1177282).
- CVE-2022-3542: Fixed memory leak in bnx2x_tpa_stop() in drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c (bsc#1204402).
- CVE-2022-3629: Fixed memory leak in vsock_connect() in net/vmw_vsock/af_vsock.c (bsc#1204635).
- CVE-2022-3646: Fixed memory leak in nilfs_attach_log_writer() in fs/nilfs2/segment.c (bsc#1204646).
- CVE-2022-3649: Fixed use-after-free in nilfs_new_inode() in fs/nilfs2/inode.c (bsc#1204647).
- CVE-2022-3621: Fixed null pointer dereference in nilfs_bmap_lookup_at_level() in fs/nilfs2/inode.c (bsc#1204574).
- CVE-2022-3594: Fixed excessive data logging in intr_callback() in drivers/net/usb/r8152.c (bsc#1204479).
- CVE-2022-3586: Fixed use-after-free in socket buffer (SKB) that could allow a local unprivileged user to cause a denial of service (bsc#1204439).
- CVE-2022-3565: Fixed use-after-free in del_timer() in drivers/isdn/mISDN/l1oip_core.c (bsc#1204431).
- CVE-2022-3524: Fixed memory leak in ipv6_renew_options() in the IPv6 handler (bsc#1204354).
- CVE-2022-2663: Fixed an issue which allowed a firewall to be bypassed when users are using unencrypted IRC with nf_conntrack_irc configured (bsc#1202097).
- CVE-2022-40768: Fixed information leak in the scsi driver which allowed local users to obtain sensitive information from kernel memory (bsc#1203514).
- CVE-2022-42703: Fixed use-after-free in mm/rmap.c related to leaf anon_vma double reuse (bsc#1204168).
- CVE-2022-3169: Fixed an denial of service though request to NVME_IOCTL_RESET and NVME_IOCTL_SUBSYS_RESET (bsc#1203290).
- CVE-2022-40307: Fixed a race condition that could had been exploited to trigger a use-after-free in the efi firmware capsule-loader.c (bsc#1203322).
- CVE-2022-41848: Fixed a race condition in drivers/char/pcmcia/synclink_cs.c mgslpc_ioctl and mgslpc_detach (bsc#1203987).
The following non-security bugs were fixed:
- net: mana: Add rmb after checking owner bits (git-fixes).
- net: mana: Add the Linux MANA PF driver (bug#1201309, jsc#PED-529).
- x86/hyperv: Output host build info as normal Windows version number (git-fixes).
- x86/hyperv: Set pv_info.name to 'Hyper-V' (git-fixes).
ImportantSUSE bug 1129898SUSE bug 1177282SUSE bug 1196018SUSE bug 1198702SUSE bug 1201309SUSE bug 1202097SUSE bug 1202686SUSE bug 1203008SUSE bug 1203290SUSE bug 1203322SUSE bug 1203514SUSE bug 1203960SUSE bug 1203987SUSE bug 1204166SUSE bug 1204168SUSE bug 1204170SUSE bug 1204354SUSE bug 1204402SUSE bug 1204414SUSE bug 1204431SUSE bug 1204432SUSE bug 1204439SUSE bug 1204479SUSE bug 1204574SUSE bug 1204576SUSE bug 1204631SUSE bug 1204635SUSE bug 1204636SUSE bug 1204646SUSE bug 1204647SUSE bug 1204653SUSE bug 1204868SUSE bug 1205128SUSE bug 1205130SUSE bug 1205220SUSE bug 1205514SUSE bug 1205671SUSE bug 1205796SUSE bug 1206164CVE-2019-3874 at SUSECVE-2019-3874 at NVDCVE-2020-26541 at SUSECVE-2020-26541 at NVDCVE-2021-4037 at SUSECVE-2021-4037 at NVDCVE-2022-2663 at SUSECVE-2022-2663 at NVDCVE-2022-28748 at SUSECVE-2022-28748 at NVDCVE-2022-2964 at SUSECVE-2022-2964 at NVDCVE-2022-3169 at SUSECVE-2022-3169 at NVDCVE-2022-3424 at SUSECVE-2022-3424 at NVDCVE-2022-3524 at SUSECVE-2022-3524 at NVDCVE-2022-3542 at SUSECVE-2022-3542 at NVDCVE-2022-3565 at SUSECVE-2022-3565 at NVDCVE-2022-3567 at SUSECVE-2022-3567 at NVDCVE-2022-3586 at SUSECVE-2022-3586 at NVDCVE-2022-3594 at SUSECVE-2022-3594 at NVDCVE-2022-3621 at SUSECVE-2022-3621 at NVDCVE-2022-3628 at SUSECVE-2022-3628 at NVDCVE-2022-3629 at SUSECVE-2022-3629 at NVDCVE-2022-3635 at SUSECVE-2022-3635 at NVDCVE-2022-3646 at SUSECVE-2022-3646 at NVDCVE-2022-3649 at SUSECVE-2022-3649 at NVDCVE-2022-3903 at SUSECVE-2022-3903 at NVDCVE-2022-40307 at SUSECVE-2022-40307 at NVDCVE-2022-40768 at SUSECVE-2022-40768 at NVDCVE-2022-4095 at SUSECVE-2022-4095 at NVDCVE-2022-41848 at SUSECVE-2022-41848 at NVDCVE-2022-41850 at SUSECVE-2022-41850 at NVDCVE-2022-41858 at SUSECVE-2022-41858 at NVDCVE-2022-42703 at SUSECVE-2022-42703 at NVDCVE-2022-43750 at SUSECVE-2022-43750 at NVDCVE-2022-43945 at SUSECVE-2022-43945 at NVDCVE-2022-45934 at SUSECVE-2022-45934 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for vim (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for vim fixes the following issues:
Updated to version 9.0.0814:
* Fixing bsc#1192478 VUL-1: CVE-2021-3928: vim: vim is vulnerable to Stack-based Buffer Overflow
* Fixing bsc#1203508 VUL-0: CVE-2022-3234: vim: Heap-based Buffer Overflow prior to 9.0.0483.
* Fixing bsc#1203509 VUL-1: CVE-2022-3235: vim: Use After Free in GitHub prior to 9.0.0490.
* Fixing bsc#1203820 VUL-0: CVE-2022-3324: vim: Stack-based Buffer Overflow in prior to 9.0.0598.
* Fixing bsc#1204779 VUL-0: CVE-2022-3705: vim: use after free in function qf_update_buffer of the file quickfix.c
* Fixing bsc#1203152 VUL-1: CVE-2022-2982: vim: use after free in qf_fill_buffer()
* Fixing bsc#1203796 VUL-1: CVE-2022-3296: vim: stack out of bounds read in ex_finally() in ex_eval.c
* Fixing bsc#1203797 VUL-1: CVE-2022-3297: vim: use-after-free in process_next_cpt_value() at insexpand.c
* Fixing bsc#1203110 VUL-1: CVE-2022-3099: vim: Use After Free in ex_docmd.c
* Fixing bsc#1203194 VUL-1: CVE-2022-3134: vim: use after free in do_tag()
* Fixing bsc#1203272 VUL-1: CVE-2022-3153: vim: NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0404.
* Fixing bsc#1203799 VUL-1: CVE-2022-3278: vim: NULL pointer dereference in eval_next_non_blank() in eval.c
* Fixing bsc#1203924 VUL-1: CVE-2022-3352: vim: vim: use after free
* Fixing bsc#1203155 VUL-1: CVE-2022-2980: vim: null pointer dereference in do_mouse()
* Fixing bsc#1202962 VUL-1: CVE-2022-3037: vim: Use After Free in vim prior to 9.0.0321
* Fixing bsc#1200884 Vim: Error on startup
* Fixing bsc#1200902 VUL-0: CVE-2022-2183: vim: Out-of-bounds Read through get_lisp_indent() Mon 13:32
* Fixing bsc#1200903 VUL-0: CVE-2022-2182: vim: Heap-based Buffer Overflow through parse_cmd_address() Tue 08:37
* Fixing bsc#1200904 VUL-0: CVE-2022-2175: vim: Buffer Over-read through cmdline_insert_reg() Tue 08:37
* Fixing bsc#1201249 VUL-0: CVE-2022-2304: vim: stack buffer overflow in spell_dump_compl()
* Fixing bsc#1201356 VUL-1: CVE-2022-2343: vim: Heap-based Buffer Overflow in GitHub repository vim prior to 9.0.0044
* Fixing bsc#1201359 VUL-1: CVE-2022-2344: vim: Another Heap-based Buffer Overflow vim prior to 9.0.0045
* Fixing bsc#1201363 VUL-1: CVE-2022-2345: vim: Use After Free in GitHub repository vim prior to 9.0.0046.
* Fixing bsc#1201620 vim: SLE-15-SP4-Full-x86_64-GM-Media1 and vim-plugin-tlib-1.27-bp154.2.18.noarch issue
* Fixing bsc#1202414 VUL-1: CVE-2022-2819: vim: Heap-based Buffer Overflow in compile_lock_unlock()
* Fixing bsc#1202552 VUL-1: CVE-2022-2874: vim: NULL Pointer Dereference in generate_loadvar()
* Fixing bsc#1200270 VUL-1: CVE-2022-1968: vim: use after free in utf_ptr2char
* Fixing bsc#1200697 VUL-1: CVE-2022-2124: vim: out of bounds read in current_quote()
* Fixing bsc#1200698 VUL-1: CVE-2022-2125: vim: out of bounds read in get_lisp_indent()
* Fixing bsc#1200700 VUL-1: CVE-2022-2126: vim: out of bounds read in suggest_trie_walk()
* Fixing bsc#1200701 VUL-1: CVE-2022-2129: vim: out of bounds write in vim_regsub_both()
* Fixing bsc#1200732 VUL-1: CVE-2022-1720: vim: out of bounds read in grab_file_name()
* Fixing bsc#1201132 VUL-1: CVE-2022-2264: vim: out of bounds read in inc()
* Fixing bsc#1201133 VUL-1: CVE-2022-2284: vim: out of bounds read in utfc_ptr2len()
* Fixing bsc#1201134 VUL-1: CVE-2022-2285: vim: negative size passed to memmove() due to integer overflow
* Fixing bsc#1201135 VUL-1: CVE-2022-2286: vim: out of bounds read in ins_bytes()
* Fixing bsc#1201136 VUL-1: CVE-2022-2287: vim: out of bounds read in suggest_trie_walk()
* Fixing bsc#1201150 VUL-1: CVE-2022-2231: vim: null pointer dereference skipwhite()
* Fixing bsc#1201151 VUL-1: CVE-2022-2210: vim: out of bounds read in ml_append_int()
* Fixing bsc#1201152 VUL-1: CVE-2022-2208: vim: null pointer dereference in diff_check()
* Fixing bsc#1201153 VUL-1: CVE-2022-2207: vim: out of bounds read in ins_bs()
* Fixing bsc#1201154 VUL-1: CVE-2022-2257: vim: out of bounds read in msg_outtrans_special()
* Fixing bsc#1201155 VUL-1: CVE-2022-2206: vim: out of bounds read in msg_outtrans_attr()
* Fixing bsc#1201863 VUL-1: CVE-2022-2522: vim: out of bounds read via nested autocommand
* Fixing bsc#1202046 VUL-1: CVE-2022-2571: vim: Heap-based Buffer Overflow related to ins_comp_get_next_word_or_line()
* Fixing bsc#1202049 VUL-1: CVE-2022-2580: vim: Heap-based Buffer Overflow related to eval_string()
* Fixing bsc#1202050 VUL-1: CVE-2022-2581: vim: Out-of-bounds Read related to cstrchr()
* Fixing bsc#1202051 VUL-1: CVE-2022-2598: vim: Undefined Behavior for Input to API related to diff_mark_adjust_tp() and ex_diffgetput()
* Fixing bsc#1202420 VUL-1: CVE-2022-2817: vim: Use After Free in f_assert_fails()
* Fixing bsc#1202421 VUL-1: CVE-2022-2816: vim: Out-of-bounds Read in check_vim9_unlet()
* Fixing bsc#1202511 VUL-1: CVE-2022-2862: vim: use-after-free in compile_nested_function()
* Fixing bsc#1202512 VUL-1: CVE-2022-2849: vim: Invalid memory access related to mb_ptr2len()
* Fixing bsc#1202515 VUL-1: CVE-2022-2845: vim: Buffer Over-read related to display_dollar()
* Fixing bsc#1202599 VUL-1: CVE-2022-2889: vim: use-after-free in find_var_also_in_script() in evalvars.c
* Fixing bsc#1202687 VUL-1: CVE-2022-2923: vim: NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0240
* Fixing bsc#1202689 VUL-1: CVE-2022-2946: vim: use after free in function vim_vsnprintf_typval
* Fixing bsc#1202862 VUL-1: CVE-2022-3016: vim: Use After Free in vim prior to 9.0.0285 Mon 12:00
* Fixing bsc#1191770 VUL-0: CVE-2021-3875: vim: heap-based buffer overflow
* Fixing bsc#1192167 VUL-0: CVE-2021-3903: vim: heap-based buffer overflow
* Fixing bsc#1192902 VUL-0: CVE-2021-3968: vim: vim is vulnerable to
Heap-based Buffer Overflow
* Fixing bsc#1192903 VUL-0: CVE-2021-3973: vim: vim is vulnerable to
Heap-based Buffer Overflow
* Fixing bsc#1192904 VUL-0: CVE-2021-3974: vim: vim is vulnerable to Use
After Free
* Fixing bsc#1193466 VUL-1: CVE-2021-4069: vim: use-after-free in ex_open()
in src/ex_docmd.c
* Fixing bsc#1193905 VUL-0: CVE-2021-4136: vim: vim is vulnerable to
Heap-based Buffer Overflow
* Fixing bsc#1194093 VUL-1: CVE-2021-4166: vim: vim is vulnerable to
Out-of-bounds Read
* Fixing bsc#1194216 VUL-1: CVE-2021-4193: vim: vulnerable to
Out-of-bounds Read
* Fixing bsc#1194217 VUL-0: CVE-2021-4192: vim: vulnerable to Use After Free
* Fixing bsc#1194872 VUL-0: CVE-2022-0261: vim: Heap-based Buffer Overflow
in vim prior to 8.2.
* Fixing bsc#1194885 VUL-0: CVE-2022-0213: vim: vim is vulnerable to
Heap-based Buffer Overflow
* Fixing bsc#1195004 VUL-0: CVE-2022-0318: vim: Heap-based Buffer Overflow in
vim prior to 8.2.
* Fixing bsc#1195203 VUL-0: CVE-2022-0359: vim: heap-based buffer overflow in
init_ccline() in ex_getln.c
* Fixing bsc#1195354 VUL-0: CVE-2022-0407: vim: Heap-based Buffer Overflow in
Conda vim prior to 8.2.
* Fixing bsc#1198596 VUL-0: CVE-2022-1381: vim: global heap buffer overflow
in skip_range
* Fixing bsc#1199331 VUL-0: CVE-2022-1616: vim: Use after free in
append_command
* Fixing bsc#1199333 VUL-0: CVE-2022-1619: vim: Heap-based Buffer Overflow in
function cmdline_erase_chars
* Fixing bsc#1199334 VUL-0: CVE-2022-1620: vim: NULL Pointer Dereference in
function vim_regexec_string
* Fixing bsc#1199747 VUL-0: CVE-2022-1796: vim: Use After in
find_pattern_in_path
* Fixing bsc#1200010 VUL-0: CVE-2022-1897: vim: Out-of-bounds Write in vim
* Fixing bsc#1200011 VUL-0: CVE-2022-1898: vim: Use After Free in vim prior
to 8.2
* Fixing bsc#1200012 VUL-0: CVE-2022-1927: vim: Buffer Over-read in vim prior
to 8.2
* Fixing bsc#1070955 VUL-1: CVE-2017-17087: vim: Sets the group ownership of a
.swp file to the editor's primary group, which allows local users to obtain
sensitive information
* Fixing bsc#1194388 VUL-1: CVE-2022-0128: vim: vim is vulnerable to
Out-of-bounds Read
* Fixing bsc#1195332 VUL-1: CVE-2022-0392: vim: Heap-based Buffer Overflow
in vim prior to 8.2
* Fixing bsc#1196361 VUL-1: CVE-2022-0696: vim: NULL Pointer Dereference in
vim prior to 8.2
* Fixing bsc#1198748 VUL-1: CVE-2022-1420: vim: Out-of-range Pointer Offset
* Fixing bsc#1199651 VUL-1: CVE-2022-1735: vim: heap buffer overflow
* Fixing bsc#1199655 VUL-1: CVE-2022-1733: vim: Heap-based Buffer Overflow in
cindent.c
* Fixing bsc#1199693 VUL-1: CVE-2022-1771: vim: stack exhaustion in vim prior
to 8.2.
* Fixing bsc#1199745 VUL-1: CVE-2022-1785: vim: Out-of-bounds Write
* Fixing bsc#1199936 VUL-1: CVE-2022-1851: vim: out of bounds read
* Fixing bsc#1195004 - (CVE-2022-0318) VUL-0: CVE-2022-0318: vim: Heap-based Buffer Overflow in vim prior to 8.2.
* Fixing bsc#1190570 CVE-2021-3796: vim: use-after-free in nv_replace() in normal.c
* Fixing bsc#1191893 CVE-2021-3872: vim: heap-based buffer overflow in win_redr_status() drawscreen.c
* Fixing bsc#1192481 CVE-2021-3927: vim: vim is vulnerable to Heap-based Buffer Overflow
* Fixing bsc#1192478 CVE-2021-3928: vim: vim is vulnerable to Stack-based Buffer Overflow
* Fixing bsc#1193294 CVE-2021-4019: vim: vim is vulnerable to Heap-based Buffer Overflow
* Fixing bsc#1193298 CVE-2021-3984: vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow
* Fixing bsc#1190533 CVE-2021-3778: vim: Heap-based Buffer Overflow in regexp_nfa.c
* Fixing bsc#1194216 CVE-2021-4193: vim: vulnerable to Out-of-bounds Read
* Fixing bsc#1194556 CVE-2021-46059: vim: A Pointer Dereference vulnerability
exists in Vim 8.2.3883 via the vim_regexec_multi function at regexp.c, which causes a denial of service.
* Fixing bsc#1195066 CVE-2022-0319: vim: Out-of-bounds Read in vim/vim prior to 8.2.
* Fixing bsc#1195126 CVE-2022-0351: vim: uncontrolled recursion in eval7()
* Fixing bsc#1195202 CVE-2022-0361: vim: Heap-based Buffer Overflow in vim prior to 8.2.
* Fixing bsc#1195356 CVE-2022-0413: vim: use after free in src/ex_cmds.c
ModerateSUSE bug 1070955SUSE bug 1173256SUSE bug 1174564SUSE bug 1176549SUSE bug 1182324SUSE bug 1190533SUSE bug 1190570SUSE bug 1191770SUSE bug 1191893SUSE bug 1192167SUSE bug 1192478SUSE bug 1192481SUSE bug 1192902SUSE bug 1192903SUSE bug 1192904SUSE bug 1193294SUSE bug 1193298SUSE bug 1193466SUSE bug 1193905SUSE bug 1194093SUSE bug 1194216SUSE bug 1194217SUSE bug 1194388SUSE bug 1194556SUSE bug 1194872SUSE bug 1194885SUSE bug 1195004SUSE bug 1195066SUSE bug 1195126SUSE bug 1195202SUSE bug 1195203SUSE bug 1195332SUSE bug 1195354SUSE bug 1195356SUSE bug 1196361SUSE bug 1198596SUSE bug 1198748SUSE bug 1199331SUSE bug 1199333SUSE bug 1199334SUSE bug 1199651SUSE bug 1199655SUSE bug 1199693SUSE bug 1199745SUSE bug 1199747SUSE bug 1199936SUSE bug 1200010SUSE bug 1200011SUSE bug 1200012SUSE bug 1200270SUSE bug 1200697SUSE bug 1200698SUSE bug 1200700SUSE bug 1200701SUSE bug 1200732SUSE bug 1200884SUSE bug 1200902SUSE bug 1200903SUSE bug 1200904SUSE bug 1201132SUSE bug 1201133SUSE bug 1201134SUSE bug 1201135SUSE bug 1201136SUSE bug 1201150SUSE bug 1201151SUSE bug 1201152SUSE bug 1201153SUSE bug 1201154SUSE bug 1201155SUSE bug 1201249SUSE bug 1201356SUSE bug 1201359SUSE bug 1201363SUSE bug 1201620SUSE bug 1201863SUSE bug 1202046SUSE bug 1202049SUSE bug 1202050SUSE bug 1202051SUSE bug 1202414SUSE bug 1202420SUSE bug 1202421SUSE bug 1202511SUSE bug 1202512SUSE bug 1202515SUSE bug 1202552SUSE bug 1202599SUSE bug 1202687SUSE bug 1202689SUSE bug 1202862SUSE bug 1202962SUSE bug 1203110SUSE bug 1203152SUSE bug 1203155SUSE bug 1203194SUSE bug 1203272SUSE bug 1203508SUSE bug 1203509SUSE bug 1203796SUSE bug 1203797SUSE bug 1203799SUSE bug 1203820SUSE bug 1203924SUSE bug 1204779CVE-2009-0316 at SUSECVE-2009-0316 at NVDCVE-2016-1248 at SUSECVE-2016-1248 at NVDCVE-2017-17087 at SUSECVE-2017-17087 at NVDCVE-2017-5953 at SUSECVE-2017-5953 at NVDCVE-2017-6349 at SUSECVE-2017-6349 at NVDCVE-2017-6350 at SUSECVE-2017-6350 at NVDCVE-2021-3778 at SUSECVE-2021-3778 at NVDCVE-2021-3796 at SUSECVE-2021-3796 at NVDCVE-2021-3872 at SUSECVE-2021-3872 at NVDCVE-2021-3875 at SUSECVE-2021-3875 at NVDCVE-2021-3903 at SUSECVE-2021-3903 at NVDCVE-2021-3927 at SUSECVE-2021-3927 at NVDCVE-2021-3928 at SUSECVE-2021-3928 at NVDCVE-2021-3968 at SUSECVE-2021-3968 at NVDCVE-2021-3973 at SUSECVE-2021-3973 at NVDCVE-2021-3974 at SUSECVE-2021-3974 at NVDCVE-2021-3984 at SUSECVE-2021-3984 at NVDCVE-2021-4019 at SUSECVE-2021-4019 at NVDCVE-2021-4069 at SUSECVE-2021-4069 at NVDCVE-2021-4136 at SUSECVE-2021-4136 at NVDCVE-2021-4166 at SUSECVE-2021-4166 at NVDCVE-2021-4192 at SUSECVE-2021-4192 at NVDCVE-2021-4193 at SUSECVE-2021-4193 at NVDCVE-2021-46059 at SUSECVE-2021-46059 at NVDCVE-2022-0128 at SUSECVE-2022-0128 at NVDCVE-2022-0213 at SUSECVE-2022-0213 at NVDCVE-2022-0261 at SUSECVE-2022-0261 at NVDCVE-2022-0318 at SUSECVE-2022-0318 at NVDCVE-2022-0319 at SUSECVE-2022-0319 at NVDCVE-2022-0351 at SUSECVE-2022-0351 at NVDCVE-2022-0359 at SUSECVE-2022-0359 at NVDCVE-2022-0361 at SUSECVE-2022-0361 at NVDCVE-2022-0392 at SUSECVE-2022-0392 at NVDCVE-2022-0407 at SUSECVE-2022-0407 at NVDCVE-2022-0413 at SUSECVE-2022-0413 at NVDCVE-2022-0696 at SUSECVE-2022-0696 at NVDCVE-2022-1381 at SUSECVE-2022-1381 at NVDCVE-2022-1420 at SUSECVE-2022-1420 at NVDCVE-2022-1616 at SUSECVE-2022-1616 at NVDCVE-2022-1619 at SUSECVE-2022-1619 at NVDCVE-2022-1620 at SUSECVE-2022-1620 at NVDCVE-2022-1720 at SUSECVE-2022-1720 at NVDCVE-2022-1733 at SUSECVE-2022-1733 at NVDCVE-2022-1735 at SUSECVE-2022-1735 at NVDCVE-2022-1771 at SUSECVE-2022-1771 at NVDCVE-2022-1785 at SUSECVE-2022-1785 at NVDCVE-2022-1796 at SUSECVE-2022-1796 at NVDCVE-2022-1851 at SUSECVE-2022-1851 at NVDCVE-2022-1897 at SUSECVE-2022-1897 at NVDCVE-2022-1898 at SUSECVE-2022-1898 at NVDCVE-2022-1927 at SUSECVE-2022-1927 at NVDCVE-2022-1968 at SUSECVE-2022-1968 at NVDCVE-2022-2124 at SUSECVE-2022-2124 at NVDCVE-2022-2125 at SUSECVE-2022-2125 at NVDCVE-2022-2126 at SUSECVE-2022-2126 at NVDCVE-2022-2129 at SUSECVE-2022-2129 at NVDCVE-2022-2175 at SUSECVE-2022-2175 at NVDCVE-2022-2182 at SUSECVE-2022-2182 at NVDCVE-2022-2183 at SUSECVE-2022-2183 at NVDCVE-2022-2206 at SUSECVE-2022-2206 at NVDCVE-2022-2207 at SUSECVE-2022-2207 at NVDCVE-2022-2208 at SUSECVE-2022-2208 at NVDCVE-2022-2210 at SUSECVE-2022-2210 at NVDCVE-2022-2231 at SUSECVE-2022-2231 at NVDCVE-2022-2257 at SUSECVE-2022-2257 at NVDCVE-2022-2264 at SUSECVE-2022-2264 at NVDCVE-2022-2284 at SUSECVE-2022-2284 at NVDCVE-2022-2285 at SUSECVE-2022-2285 at NVDCVE-2022-2286 at SUSECVE-2022-2286 at NVDCVE-2022-2287 at SUSECVE-2022-2287 at NVDCVE-2022-2304 at SUSECVE-2022-2304 at NVDCVE-2022-2343 at SUSECVE-2022-2343 at NVDCVE-2022-2344 at SUSECVE-2022-2344 at NVDCVE-2022-2345 at SUSECVE-2022-2345 at NVDCVE-2022-2522 at SUSECVE-2022-2522 at NVDCVE-2022-2571 at SUSECVE-2022-2571 at NVDCVE-2022-2580 at SUSECVE-2022-2580 at NVDCVE-2022-2581 at SUSECVE-2022-2581 at NVDCVE-2022-2598 at SUSECVE-2022-2598 at NVDCVE-2022-2816 at SUSECVE-2022-2816 at NVDCVE-2022-2817 at SUSECVE-2022-2817 at NVDCVE-2022-2819 at SUSECVE-2022-2819 at NVDCVE-2022-2845 at SUSECVE-2022-2845 at NVDCVE-2022-2849 at SUSECVE-2022-2849 at NVDCVE-2022-2862 at SUSECVE-2022-2862 at NVDCVE-2022-2874 at SUSECVE-2022-2874 at NVDCVE-2022-2889 at SUSECVE-2022-2889 at NVDCVE-2022-2923 at SUSECVE-2022-2923 at NVDCVE-2022-2946 at SUSECVE-2022-2946 at NVDCVE-2022-2980 at SUSECVE-2022-2980 at NVDCVE-2022-2982 at SUSECVE-2022-2982 at NVDCVE-2022-3016 at SUSECVE-2022-3016 at NVDCVE-2022-3037 at SUSECVE-2022-3037 at NVDCVE-2022-3099 at SUSECVE-2022-3099 at NVDCVE-2022-3134 at SUSECVE-2022-3134 at NVDCVE-2022-3153 at SUSECVE-2022-3153 at NVDCVE-2022-3234 at SUSECVE-2022-3234 at NVDCVE-2022-3235 at SUSECVE-2022-3235 at NVDCVE-2022-3278 at SUSECVE-2022-3278 at NVDCVE-2022-3296 at SUSECVE-2022-3296 at NVDCVE-2022-3297 at SUSECVE-2022-3297 at NVDCVE-2022-3324 at SUSECVE-2022-3324 at NVDCVE-2022-3352 at SUSECVE-2022-3352 at NVDCVE-2022-3705 at SUSECVE-2022-3705 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for virglrenderer (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for virglrenderer fixes the following issues:
- CVE-2022-0135: Fixed out-of-bonds write in read_transfer_data() (bsc#1195389).
ImportantSUSE bug 1195389CVE-2022-0135 at SUSECVE-2022-0135 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for expat (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for expat fixes the following issues:
- CVE-2022-23852: Fixed signed integer overflow in XML_GetBuffer (bsc#1195054).
- CVE-2022-23990: Fixed integer overflow in the doProlog function (bsc#1195217).
ImportantSUSE bug 1195054SUSE bug 1195217CVE-2022-23852 at SUSECVE-2022-23852 at NVDCVE-2022-23990 at SUSECVE-2022-23990 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for tiff (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for tiff fixes the following issues:
- CVE-2017-17095: Fixed DoS in tools/pal2rgb.c in pal2rgb (bsc#1071031).
- CVE-2019-17546: Fixed integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image (bsc#1154365).
- CVE-2020-19131: Fixed buffer overflow in tiffcrop that may cause DoS via the invertImage() function (bsc#1190312).
- CVE-2020-35521: Fixed memory allocation failure in tif_read.c (bsc#1182808).
- CVE-2020-35522: Fixed memory allocation failure in tif_pixarlog.c (bsc#1182809).
- CVE-2020-35523: Fixed integer overflow in tif_getimage.c (bsc#1182811).
- CVE-2020-35524: Fixed heap-based buffer overflow in TIFF2PDF tool (bsc#1182812).
- CVE-2022-22844: Fixed out-of-bounds read in _TIFFmemcpy in tif_unix.c (bsc#1194539).
ImportantSUSE bug 1071031SUSE bug 1154365SUSE bug 1182808SUSE bug 1182809SUSE bug 1182811SUSE bug 1182812SUSE bug 1190312SUSE bug 1194539CVE-2017-17095 at SUSECVE-2017-17095 at NVDCVE-2019-17546 at SUSECVE-2019-17546 at NVDCVE-2020-19131 at SUSECVE-2020-19131 at NVDCVE-2020-35521 at SUSECVE-2020-35521 at NVDCVE-2020-35522 at SUSECVE-2020-35522 at NVDCVE-2020-35523 at SUSECVE-2020-35523 at NVDCVE-2020-35524 at SUSECVE-2020-35524 at NVDCVE-2022-22844 at SUSECVE-2022-22844 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for tcpdump (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for tcpdump fixes the following issues:
- CVE-2018-16301: Fixed segfault when handling large files (bsc#1195825).
ModerateSUSE bug 1195825CVE-2018-16301 at SUSECVE-2018-16301 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for xerces-j2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for xerces-j2 fixes the following issues:
- CVE-2022-23437: Fixed infinite loop within Apache XercesJ xml parser (bsc#1195108).
ImportantSUSE bug 1195108CVE-2022-23437 at SUSECVE-2022-23437 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.6.0 ESR / MFSA 2022-05 (bsc#1195682)
- CVE-2022-22753: Privilege Escalation to SYSTEM on Windows via Maintenance Service
- CVE-2022-22754: Extensions could have bypassed permission confirmation during update
- CVE-2022-22756: Drag and dropping an image could have resulted in the dropped object being an executable
- CVE-2022-22759: Sandboxed iframes could have executed script if the parent appended elements
- CVE-2022-22760: Cross-Origin responses could be distinguished between script and non-script content-types
- CVE-2022-22761: frame-ancestors Content Security Policy directive was not enforced for framed extension pages
- CVE-2022-22763: Script Execution during invalid object state
- CVE-2022-22764: Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6
Firefox Extended Support Release 91.5.1 ESR (bsc#1195230)
- Fixed an issue that allowed unexpected data to be submitted in some of our search telemetry
ImportantSUSE bug 1195230SUSE bug 1195682CVE-2022-22753 at SUSECVE-2022-22753 at NVDCVE-2022-22754 at SUSECVE-2022-22754 at NVDCVE-2022-22756 at SUSECVE-2022-22756 at NVDCVE-2022-22759 at SUSECVE-2022-22759 at NVDCVE-2022-22760 at SUSECVE-2022-22760 at NVDCVE-2022-22761 at SUSECVE-2022-22761 at NVDCVE-2022-22763 at SUSECVE-2022-22763 at NVDCVE-2022-22764 at SUSECVE-2022-22764 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for ucode-intel fixes the following issues:
Updated to Intel CPU Microcode 20220207 release.
- CVE-2021-0146: Fixed a potential security vulnerability in some Intel Processors may allow escalation of privilege (bsc#1192615)
- CVE-2021-0127: Intel Processor Breakpoint Control Flow (bsc#1195779)
- CVE-2021-0145: Fast store forward predictor - Cross Domain Training (bsc#1195780)
- CVE-2021-33120: Out of bounds read for some Intel Atom processors (bsc#1195781)
- Security updates for [INTEL-SA-00528](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00528.html)
- Security updates for [INTEL-SA-00532](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00532.html)
ImportantSUSE bug 1192615SUSE bug 1195779SUSE bug 1195780SUSE bug 1195781CVE-2021-0127 at SUSECVE-2021-0127 at NVDCVE-2021-0145 at SUSECVE-2021-0145 at NVDCVE-2021-0146 at SUSECVE-2021-0146 at NVDCVE-2021-33120 at SUSECVE-2021-33120 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for apache2 fixes the following issues:
- CVE-2021-44224: Fixed NULL dereference or SSRF in forward proxy configurations. (bsc#1193943)
- CVE-2021-44790: Fixed buffer overflow when parsing multipart content in mod_lua. (bsc#1193942)
ImportantSUSE bug 1193942SUSE bug 1193943CVE-2021-44224 at SUSECVE-2021-44224 at NVDCVE-2021-44790 at SUSECVE-2021-44790 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for cyrus-sasl (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for cyrus-sasl fixes the following issues:
- CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).
ImportantSUSE bug 1196036CVE-2022-24407 at SUSECVE-2022-24407 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for webkit2gtk3 fixes the following issues:
Update to version 2.34.5 (bsc#1195735):
- CVE-2022-22589: A validation issue was addressed with improved input sanitization.
- CVE-2022-22590: A use after free issue was addressed with improved memory management.
- CVE-2022-22592: A logic issue was addressed with improved state management.
Update to version 2.34.4 (bsc#1195064):
- CVE-2021-30934: A buffer overflow issue was addressed with improved memory handling.
- CVE-2021-30936: A use after free issue was addressed with improved memory management.
- CVE-2021-30951: A use after free issue was addressed with improved memory management.
- CVE-2021-30952: An integer overflow was addressed with improved input validation.
- CVE-2021-30953: An out-of-bounds read was addressed with improved bounds checking.
- CVE-2021-30954: A type confusion issue was addressed with improved memory handling.
- CVE-2021-30984: A race condition was addressed with improved state handling.
- CVE-2022-22594: A cross-origin issue in the IndexDB API was addressed with improved input validation.
The following CVEs were addressed in a previous update:
- CVE-2021-45481: Incorrect memory allocation in WebCore::ImageBufferCairoImageSurfaceBackend::create.
- CVE-2021-45482: A use-after-free in WebCore::ContainerNode::firstChild.
- CVE-2021-45483: A use-after-free in WebCore::Frame::page.
ImportantSUSE bug 1195064SUSE bug 1195735CVE-2021-30934 at SUSECVE-2021-30934 at NVDCVE-2021-30936 at SUSECVE-2021-30936 at NVDCVE-2021-30951 at SUSECVE-2021-30951 at NVDCVE-2021-30952 at SUSECVE-2021-30952 at NVDCVE-2021-30953 at SUSECVE-2021-30953 at NVDCVE-2021-30954 at SUSECVE-2021-30954 at NVDCVE-2021-30984 at SUSECVE-2021-30984 at NVDCVE-2021-45481 at SUSECVE-2021-45481 at NVDCVE-2021-45482 at SUSECVE-2021-45482 at NVDCVE-2021-45483 at SUSECVE-2021-45483 at NVDCVE-2022-22589 at SUSECVE-2022-22589 at NVDCVE-2022-22590 at SUSECVE-2022-22590 at NVDCVE-2022-22592 at SUSECVE-2022-22592 at NVDCVE-2022-22594 at SUSECVE-2022-22594 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for expat (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for expat fixes the following issues:
- CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
- CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
- CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
- CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
- CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).
ImportantSUSE bug 1196025SUSE bug 1196026SUSE bug 1196168SUSE bug 1196169SUSE bug 1196171CVE-2022-25235 at SUSECVE-2022-25235 at NVDCVE-2022-25236 at SUSECVE-2022-25236 at NVDCVE-2022-25313 at SUSECVE-2022-25313 at NVDCVE-2022-25314 at SUSECVE-2022-25314 at NVDCVE-2022-25315 at SUSECVE-2022-25315 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for zsh (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for zsh fixes the following issues:
- CVE-2021-45444: Fixed a vulnerability where arbitrary shell commands could be
executed related to prompt expansion (bsc#1196435).
- CVE-2019-20044: Fixed a vulnerability where shell privileges would not be
properly dropped when unsetting the PRIVILEGED option (bsc#1163882).
- CVE-2018-1100: Fixed a potential code execution via a stack-based buffer
overflow in utils.c:checkmailpath() (bsc#1089030).
ImportantSUSE bug 1089030SUSE bug 1163882SUSE bug 1196435CVE-2018-1100 at SUSECVE-2018-1100 at NVDCVE-2019-20044 at SUSECVE-2019-20044 at NVDCVE-2021-45444 at SUSECVE-2021-45444 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-BCL
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
Transient execution side-channel attacks attacking the Branch History Buffer (BHB),
named 'Branch Target Injection' and 'Intra-Mode Branch History Injection' are now mitigated.
The following security bugs were fixed:
- CVE-2022-0001: Fixed Branch History Injection vulnerability (bsc#1191580).
- CVE-2022-0002: Fixed Intra-Mode Branch Target Injection vulnerability (bsc#1191580).
- CVE-2022-0617: Fixed a null pointer dereference in UDF file system functionality. A local user could crash the system by triggering udf_file_write_iter() via a malicious UDF image. (bsc#1196079)
- CVE-2022-0492: Fixed a privilege escalation related to cgroups v1 release_agent feature, which allowed bypassing namespace isolation unexpectedly (bsc#1195543).
- CVE-2022-24448: Fixed an issue in fs/nfs/dir.c. If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should have occured, but the server instead returned uninitialized data in the file descriptor (bsc#1195612).
- CVE-2021-0920: Fixed a local privilege escalation due to a use-after-free bug in unix_gc (bsc#1193731).
- CVE-2016-10905: Fixed a use-after-free is gfs2_clear_rgrpd() and read_rindex_entry() (bsc#1146312).
ImportantSUSE bug 1146312SUSE bug 1185973SUSE bug 1191580SUSE bug 1193731SUSE bug 1194463SUSE bug 1195536SUSE bug 1195543SUSE bug 1195612SUSE bug 1195908SUSE bug 1195939SUSE bug 1196079SUSE bug 1196612CVE-2016-10905 at SUSECVE-2016-10905 at NVDCVE-2021-0920 at SUSECVE-2021-0920 at NVDCVE-2022-0001 at SUSECVE-2022-0001 at NVDCVE-2022-0002 at SUSECVE-2022-0002 at NVDCVE-2022-0492 at SUSECVE-2022-0492 at NVDCVE-2022-0617 at SUSECVE-2022-0617 at NVDCVE-2022-24448 at SUSECVE-2022-24448 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.6.1 ESR (bsc#1196809):
- CVE-2022-26485: Use-after-free in XSLT parameter processing
- CVE-2022-26486: Use-after-free in WebGPU IPC Framework
ImportantSUSE bug 1196809CVE-2022-26485 at SUSECVE-2022-26485 at NVDCVE-2022-26486 at SUSECVE-2022-26486 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for webkit2gtk3 fixes the following issues:
Update to version 2.34.6 (bsc#1196133):
- CVE-2022-22620: Processing maliciously crafted web content may have lead to arbitrary code execution.
ImportantSUSE bug 1196133CVE-2022-22620 at SUSECVE-2022-22620 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libcaca (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for libcaca fixes the following issues:
- CVE-2021-30498, CVE-2021-30499: If an image has a size of 0x0, when exporting, no
data is written and space is allocated for the header only, not taking into
account that sprintf appends a NUL byte (bsc#1184751, bsc#1184752).
ImportantSUSE bug 1184751SUSE bug 1184752CVE-2021-30498 at SUSECVE-2021-30498 at NVDCVE-2021-30499 at SUSECVE-2021-30499 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.7.0 ESR (bsc#1196900):
- CVE-2022-26383: Browser window spoof using fullscreen mode
- CVE-2022-26384: iframe allow-scripts sandbox bypass
- CVE-2022-26387: Time-of-check time-of-use bug when verifying add-on signatures
- CVE-2022-26381: Use-after-free in text reflows
- CVE-2022-26386: Temporary files downloaded to /tmp and accessible by other local users
ImportantSUSE bug 1196900CVE-2022-26381 at SUSECVE-2022-26381 at NVDCVE-2022-26383 at SUSECVE-2022-26383 at NVDCVE-2022-26384 at SUSECVE-2022-26384 at NVDCVE-2022-26386 at SUSECVE-2022-26386 at NVDCVE-2022-26387 at SUSECVE-2022-26387 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for expat (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for expat fixes the following issues:
- Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).
ImportantSUSE bug 1196025SUSE bug 1196784CVE-2022-25236 at SUSECVE-2022-25236 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for openssl (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for openssl fixes the following issues:
- CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (bsc#1196877).
ImportantSUSE bug 1196877CVE-2022-0778 at SUSECVE-2022-0778 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for java-1_8_0-openjdk fixes the following issues:
Update to version jdk8u322 (icedtea-3.22.0)
Including the following security fixes:
- CVE-2022-21248, bsc#1194926: Enhance cross VM serialization
- CVE-2022-21283, bsc#1194937: Better String matching
- CVE-2022-21293, bsc#1194935: Improve String constructions
- CVE-2022-21294, bsc#1194934: Enhance construction of Identity maps
- CVE-2022-21282, bsc#1194933: Better resolution of URIs
- CVE-2022-21296, bsc#1194932: Improve SAX Parser configuration management
- CVE-2022-21299, bsc#1194931: Improved scanning of XML entities
- CVE-2022-21305, bsc#1194939: Better array indexing
- CVE-2022-21340, bsc#1194940: Verify Jar Verification
- CVE-2022-21341, bsc#1194941: Improve serial forms for transport
- CVE-2022-21349: Improve Solaris font rendering
- CVE-2022-21360, bsc#1194929: Enhance BMP image support
- CVE-2022-21365, bsc#1194928: Enhanced BMP processing
ImportantSUSE bug 1193314SUSE bug 1193444SUSE bug 1193491SUSE bug 1194926SUSE bug 1194928SUSE bug 1194929SUSE bug 1194931SUSE bug 1194932SUSE bug 1194933SUSE bug 1194934SUSE bug 1194935SUSE bug 1194937SUSE bug 1194939SUSE bug 1194940SUSE bug 1194941SUSE bug 1195163CVE-2022-21248 at SUSECVE-2022-21248 at NVDCVE-2022-21282 at SUSECVE-2022-21282 at NVDCVE-2022-21283 at SUSECVE-2022-21283 at NVDCVE-2022-21293 at SUSECVE-2022-21293 at NVDCVE-2022-21294 at SUSECVE-2022-21294 at NVDCVE-2022-21296 at SUSECVE-2022-21296 at NVDCVE-2022-21299 at SUSECVE-2022-21299 at NVDCVE-2022-21305 at SUSECVE-2022-21305 at NVDCVE-2022-21340 at SUSECVE-2022-21340 at NVDCVE-2022-21341 at SUSECVE-2022-21341 at NVDCVE-2022-21349 at SUSECVE-2022-21349 at NVDCVE-2022-21360 at SUSECVE-2022-21360 at NVDCVE-2022-21365 at SUSECVE-2022-21365 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for glibc (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for glibc fixes the following issues:
- CVE-2022-23219: Fixed buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)
- CVE-2022-23218: Fixed buffer overflow in sunrpc svcunix_create (bsc#1194770)
- CVE-2021-3999: Fixed getcwd to set errno to ERANGE for size == 1 (bsc#1194640)
ImportantSUSE bug 1194640SUSE bug 1194768SUSE bug 1194770CVE-2021-3999 at SUSECVE-2021-3999 at NVDCVE-2022-23218 at SUSECVE-2022-23218 at NVDCVE-2022-23219 at SUSECVE-2022-23219 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-BCL
This update for apache2 fixes the following issues:
- CVE-2022-23943: heap out-of-bounds write in mod_sed (bsc#1197098).
- CVE-2022-22720: HTTP request smuggling due to incorrect error handling (bsc#1197095).
- CVE-2022-22719: use of uninitialized value of in r:parsebody in mod_lua (bsc#1197091).
- CVE-2022-22721: possible buffer overflow with very large or unlimited LimitXMLRequestBody (bsc#1197096).
ImportantSUSE bug 1197091SUSE bug 1197095SUSE bug 1197096SUSE bug 1197098CVE-2022-22719 at SUSECVE-2022-22719 at NVDCVE-2022-22720 at SUSECVE-2022-22720 at NVDCVE-2022-22721 at SUSECVE-2022-22721 at NVDCVE-2022-23943 at SUSECVE-2022-23943 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for glibc (Moderate)SUSE Linux Enterprise Server 12 SP3-BCL
This update for glibc fixes the following issues:
- CVE-2016-10739: getaddrinfo: Fully parse IPv4 address strings (bsc#1122729)
ModerateSUSE bug 1122729CVE-2016-10739 at SUSECVE-2016-10739 at NVDcpe:/o:suse:sles-bcl:12:sp3Security update for libssh2_org (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libssh2_org fixes the following issues:
- Fix the previous fix for CVE-2019-3860 (bsc#1136570, bsc#1128481)
(Out-of-bounds reads with specially crafted SFTP packets)
ModerateSUSE bug 1128481SUSE bug 1136570CVE-2019-3860 at SUSECVE-2019-3860 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for postgresql10 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for postgresql10 to version 10.9 fixes the following issue:
Security issue fixed:
- CVE-2019-10164: Fixed buffer-overflow vulnerabilities in SCRAM verifier parsing (bsc#1138034).
More information at https://www.postgresql.org/docs/10/release-10-9.html
ImportantSUSE bug 1138034CVE-2019-10164 at SUSECVE-2019-10164 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for glib2 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for glib2 fixes the following issues:
Security issue fixed:
- CVE-2019-13012: Fixed improper restriction of file permissions when creating directories (bsc#1139959).
Non-security issue fixed:
- Added explicit requires between libglib2 and libgio2 (bsc#1140122).
ImportantSUSE bug 1139959SUSE bug 1140122CVE-2019-13012 at SUSECVE-2019-13012 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox, mozilla-nss fixes the following issues:
MozillaFirefox to version ESR 60.8:
- CVE-2019-9811: Sandbox escape via installation of malicious language pack (bsc#1140868).
- CVE-2019-11711: Script injection within domain through inner window reuse (bsc#1140868).
- CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects (bsc#1140868).
- CVE-2019-11713: Use-after-free with HTTP/2 cached stream (bsc#1140868).
- CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (bsc#1140868).
- CVE-2019-11715: HTML parsing error can contribute to content XSS (bsc#1140868).
- CVE-2019-11717: Caret character improperly escaped in origins (bsc#1140868).
- CVE-2019-11719: Out-of-bounds read when importing curve25519 private key (bsc#1140868).
- CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin (bsc#1140868).
- CVE-2019-11709: Multiple Memory safety bugs fixed (bsc#1140868).
mozilla-nss to version 3.44.1:
* Added IPSEC IKE support to softoken
* Many new FIPS test cases
ImportantSUSE bug 1140868CVE-2019-11709 at SUSECVE-2019-11709 at NVDCVE-2019-11711 at SUSECVE-2019-11711 at NVDCVE-2019-11712 at SUSECVE-2019-11712 at NVDCVE-2019-11713 at SUSECVE-2019-11713 at NVDCVE-2019-11715 at SUSECVE-2019-11715 at NVDCVE-2019-11717 at SUSECVE-2019-11717 at NVDCVE-2019-11719 at SUSECVE-2019-11719 at NVDCVE-2019-11729 at SUSECVE-2019-11729 at NVDCVE-2019-11730 at SUSECVE-2019-11730 at NVDCVE-2019-9811 at SUSECVE-2019-9811 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for ucode-intel fixes the following issues:
This update contains the Intel QSR 2019.1 Microcode release (bsc#1111331)
Four new speculative execution information leak issues have been identified in Intel CPUs. (bsc#1111331)
- CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
- CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)
- CVE-2018-12130: Microarchitectural Load Port Data Samling (MLPDS)
- CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
These updates contain the CPU Microcode adjustments for the software mitigations.
For more information on this set of vulnerabilities, check out https://www.suse.com/support/kb/doc/?id=7023736
Release notes:
---- updated platforms ------------------------------------
SNB-E/EN/EP C1/M0 6-2d-6/6d 0000061d->0000061f Xeon E3/E5, Core X
SNB-E/EN/EP C2/M1 6-2d-7/6d 00000714->00000718 Xeon E3/E5, Core X
ImportantSUSE bug 1111331CVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for glibc (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for glibc fixes the following issues:
Security issues fixed:
- CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308).
- CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223).
Non-security issues fixed:
- Added cfi information for start routines in order to stop unwinding on S390 (bsc#1128574).
ModerateSUSE bug 1127223SUSE bug 1127308SUSE bug 1128574CVE-2009-5155 at SUSECVE-2009-5155 at NVDCVE-2019-9169 at SUSECVE-2019-9169 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for bzip2 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for bzip2 fixes the following issues:
- Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities
with files that used many selectors (bsc#1139083).
ImportantSUSE bug 1139083CVE-2019-12900 at SUSECVE-2019-12900 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for polkit (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for polkit fixes the following issues:
Security issue fixed:
- CVE-2019-6133: Fixed improper caching of auth decisions, which could bypass
uid checking in the interactive backend (bsc#1121826).
ImportantSUSE bug 1121826CVE-2019-6133 at SUSECVE-2019-6133 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_8_0-openjdk to version 8u222 fixes the following issues:
Security issues fixed:
- CVE-2019-2745: Improved ECC Implementation (bsc#1141784).
- CVE-2019-2762: Exceptional throw cases (bsc#1141782).
- CVE-2019-2766: Improve file protocol handling (bsc#1141789).
- CVE-2019-2769: Better copies of CopiesList (bsc#1141783).
- CVE-2019-2786: More limited privilege usage (bsc#1141787).
- CVE-2019-2816: Normalize normalization (bsc#1141785).
- CVE-2019-2842: Extended AES support (bsc#1141786).
- CVE-2019-7317: Improve PNG support (bsc#1141780).
- Certificate validation improvements
Non-security issue fixed:
- Fixed an issue where the installation failed when the manpages are not present (bsc#1115375)
ImportantSUSE bug 1115375SUSE bug 1141780SUSE bug 1141782SUSE bug 1141783SUSE bug 1141784SUSE bug 1141785SUSE bug 1141786SUSE bug 1141787SUSE bug 1141789CVE-2019-2745 at SUSECVE-2019-2745 at NVDCVE-2019-2762 at SUSECVE-2019-2762 at NVDCVE-2019-2766 at SUSECVE-2019-2766 at NVDCVE-2019-2769 at SUSECVE-2019-2769 at NVDCVE-2019-2786 at SUSECVE-2019-2786 at NVDCVE-2019-2816 at SUSECVE-2019-2816 at NVDCVE-2019-2842 at SUSECVE-2019-2842 at NVDCVE-2019-7317 at SUSECVE-2019-7317 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for python3 fixes the following issues:
- CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).
- CVE-2018-14647: Fixed a denial of service vulnerability caused by a crafted XML document (bsc#1109847).
- CVE-2018-1000802: Fixed a command injection in the shutil module (bsc#1109663).
ImportantSUSE bug 1109663SUSE bug 1109847SUSE bug 1138459CVE-2018-1000802 at SUSECVE-2018-1000802 at NVDCVE-2018-14647 at SUSECVE-2018-14647 at NVDCVE-2019-10160 at SUSECVE-2019-10160 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for evince (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for evince fixes the following issues:
Security issues fixed:
- CVE-2019-11459: Fixed an improper error handling in which could have led to use of uninitialized use of memory (bsc#1133037).
- CVE-2019-1010006: Fixed a buffer overflow in backend/tiff/tiff-document.c (bsc#1141619).
ImportantSUSE bug 1133037SUSE bug 1141619CVE-2019-1010006 at SUSECVE-2019-1010006 at NVDCVE-2019-11459 at SUSECVE-2019-11459 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for squid (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for squid fixes the following issues:
Security issue fixed:
- CVE-2019-12529: Fixed a potential denial of service associated with HTTP Basic Authentication credentials (bsc#1141329).
- CVE-2019-12525: Fixed a denial of service during processing of HTTP Digest Authentication credentials (bsc#1141332).
- CVE-2019-13345: Fixed a cross site scripting vulnerability via user_name or auth parameter in cachemgr.cgi (bsc#1140738).
ModerateSUSE bug 1140738SUSE bug 1141329SUSE bug 1141332CVE-2019-12525 at SUSECVE-2019-12525 at NVDCVE-2019-12529 at SUSECVE-2019-12529 at NVDCVE-2019-13345 at SUSECVE-2019-13345 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for python (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for python fixes the following issues:
- CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).
- CVE-2018-20852: Fixed an information leak where cookies could be send to the wrong server because of incorrect domain validation (bsc#1141853).
ImportantSUSE bug 1138459SUSE bug 1141853CVE-2018-20852 at SUSECVE-2018-20852 at NVDCVE-2019-10160 at SUSECVE-2019-10160 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for postgresql96 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for postgresql96 fixes the following issues:
Security issue fixed:
- CVE-2019-10208: Fixed arbitrary SQL execution via suitable SECURITY DEFINER function under the identity of the function owner (bsc#1145092).
ImportantSUSE bug 1145092CVE-2019-10208 at SUSECVE-2019-10208 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libvirt (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libvirt fixes the following issues:
Security issues fixed:
- CVE-2019-10161: Fixed virDomainSaveImageGetXMLDesc API which could accept a path
parameter pointing anywhere on the system and potentially leading to execution
of a malicious file with root privileges by libvirtd (bsc#1138301).
- CVE-2019-10167: Fixed an issue with virConnectGetDomainCapabilities API which
could have been used to execute arbitrary emulators (bsc#1138303).
Non-security issues fixed:
- Fixed an issue with short bitmaps when setting vcpu affinity using the vcpupin (bsc#1138734).
- Added support for overriding max threads per process limit (bsc#1133719)
ImportantSUSE bug 1133719SUSE bug 1138301SUSE bug 1138303SUSE bug 1138734CVE-2019-10161 at SUSECVE-2019-10161 at NVDCVE-2019-10167 at SUSECVE-2019-10167 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2019-1125: Enable Spectre v1 swapgs mitigations (bsc#1139358).
- CVE-2018-20855: An issue was discovered in create_qp_common in drivers/infiniband/hw/mlx5/qp.c, mlx5_ib_create_qp_resp was never initialized, resulting in a leak of stack memory to userspace (bsc#1143045).
- CVE-2019-14284: The drivers/block/floppy.c allowed a denial of service by setup_format_params division-by-zero. Two consecutive ioctls can trigger the bug: the first one should set the drive geometry with .sect and .rate values that make F_SECT_PER_TRACK be zero. Next, the floppy format operation should be called. It can be triggered by an unprivileged local user even when a floppy disk has not been inserted. NOTE: QEMU creates the floppy device by default (bsc#1143189).
- CVE-2019-14283: The function set_geometry in drivers/block/floppy.c did not validate the sect and head fields, as demonstrated by an integer overflow and out-of-bounds read. It can be triggered by an unprivileged local user when a floppy disk has been inserted. NOTE: QEMU creates the floppy device by default (bsc#1143191).
- CVE-2019-11810: A NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c. This causes a Denial of Service, related to a use-after-free (bsc#1134399).
- CVE-2019-13648: In the Linux kernel on the powerpc platform, when hardware transactional memory is disabled, a local user can cause a denial of service (TM Bad Thing exception and system crash) via a sigreturn() system call that sends a crafted signal frame. This affects arch/powerpc/kernel/signal_32.c and arch/powerpc/kernel/signal_64.c (bnc#1142254).
- CVE-2019-13631: In parse_hid_report_descriptor in drivers/input/tablet/gtco.c, a malicious USB device can send an HID report that triggers an out-of-bounds write during generation of debugging messages (bsc#1142023).
- CVE-2019-15118: Fixed kernel stack exhaustion in check_input_term in sound/usb/mixer.c via mishandled recursion (bnc#1145922).
- CVE-2019-15117: Fixed out-of-bounds memory access in parse_audio_mixer_unit in sound/usb/mixer.c via mishandled short descriptor (bnc#1145920).
- CVE-2019-3819: A flaw was fixed in the function hid_debug_events_read() in drivers/hid/hid-debug.c file which may have enter an infinite loop with certain parameters passed from a userspace. A local privileged user ('root') could have caused a system lock up and a denial of service (bnc#1123161).
- CVE-2019-10207: Check for missing tty operations in bluetooth/hci_uart (bsc#1142857).
- CVE-2018-20856: Fixed a use-after-free issue in block/blk-core.c, where certain error case are mishandled (bnc#1143048).
The following non-security bugs were fixed:
- cifs: do not log STATUS_NOT_FOUND errors for DFS (bsc#1125674).
- dlm: Fix saving of NULL callbacks (bsc#1135365).
- bcache: Revert 'bcache: fix high CPU occupancy during journal' (bsc#1140652, bsc#1144288).
- bcache: Revert 'bcache: free heap cache_set->flush_btree in bch_journal_free' (bsc#1140652, bsc#1144288).
- bcache: add reclaimed_journal_buckets to struct cache_set (bsc#1140652, bsc#1144288).
- bcache: fix race in btree_flush_write() (bsc#1140652, bsc#1144288).
- bcache: fix stack corruption by PRECEDING_KEY() (bsc#1130972, bsc#1144257).
- bcache: only set BCACHE_DEV_WB_RUNNING when cached device attached (bsc#1130972, bsc#1144273).
- bcache: performance improvement for btree_flush_write() (bsc#1140652, bsc#1144288).
- bcache: remove retry_flush_write from struct cache_set (bsc#1140652, bsc#1144288).
- bonding: Force slave speed check after link state recovery for 802.3ad (bsc#1137584).
- clocksource: Defer override invalidation unless clock is unstable (bsc#1139826).
- kvm: mmu: Fix overflow on kvm mmu page limit calculation (bsc#1135335).
- kvmclock: fix TSC calibration for nested guests (bsc#1133860, jsc#PM-1211).
- mm, page_alloc: fix has_unmovable_pages for HugePages (bsc#1127034).
- powerpc/watchpoint: Restore NV GPRs while returning from exception (bsc#1140945, bsc#1141401, bsc#1141402, bsc#1141452, bsc#1141453, bsc#1141454).
- qla2xxx: performance degradation when enabling blk-mq (bsc#1128977).
- qlge: Deduplicate lbq_buf_size (bsc#1106061).
- qlge: Deduplicate rx buffer queue management (bsc#1106061).
- qlge: Factor out duplicated expression (bsc#1106061).
- qlge: Fix dma_sync_single calls (bsc#1106061).
- qlge: Fix irq masking in INTx mode (bsc#1106061).
- qlge: Refill empty buffer queues from wq (bsc#1106061).
- qlge: Refill rx buffers up to multiple of 16 (bsc#1106061).
- qlge: Remove bq_desc.maplen (bsc#1106061).
- qlge: Remove irq_cnt (bsc#1106061).
- qlge: Remove page_chunk.last_flag (bsc#1106061).
- qlge: Remove qlge_bq.len size (bsc#1106061).
- qlge: Remove rx_ring.sbq_buf_size (bsc#1106061).
- qlge: Remove rx_ring.type (bsc#1106061).
- qlge: Remove useless dma synchronization calls (bsc#1106061).
- qlge: Remove useless memset (bsc#1106061).
- qlge: Replace memset with assignment (bsc#1106061).
- qlge: Update buffer queue prod index despite oom (bsc#1106061).
- rbd: flush rbd_dev->watch_dwork after watch is unregistered (bsc#1143333).
- rbd: retry watch re-registration periodically (bsc#1143333).
- sched/fair: Do not free p->numa_faults with concurrent readers (bsc#1144920).
- sched/fair: Use RCU accessors consistently for ->numa_group (bsc#1144920).
- scsi: virtio_scsi: let host do exception handling (bsc#1141181).
- x86: mm: fix fast GUP with hyper-based TLB flushing (VM Functionality, bsc#1140903).
- x86: tsc: Add X86_FEATURE_TSC_KNOWN_FREQ flag (bsc#1133860, jsc#PM-1211).
- xen: let alloc_xenballooned_pages() fail if not enough memory free (XSA-300).
ImportantSUSE bug 1106061SUSE bug 1123161SUSE bug 1125674SUSE bug 1127034SUSE bug 1128977SUSE bug 1130972SUSE bug 1133860SUSE bug 1134399SUSE bug 1135335SUSE bug 1135365SUSE bug 1137584SUSE bug 1139358SUSE bug 1139826SUSE bug 1140652SUSE bug 1140903SUSE bug 1140945SUSE bug 1141181SUSE bug 1141401SUSE bug 1141402SUSE bug 1141452SUSE bug 1141453SUSE bug 1141454SUSE bug 1142023SUSE bug 1142254SUSE bug 1142857SUSE bug 1143045SUSE bug 1143048SUSE bug 1143189SUSE bug 1143191SUSE bug 1143333SUSE bug 1144257SUSE bug 1144273SUSE bug 1144288SUSE bug 1144920SUSE bug 1145920SUSE bug 1145922CVE-2018-20855 at SUSECVE-2018-20855 at NVDCVE-2018-20856 at SUSECVE-2018-20856 at NVDCVE-2019-10207 at SUSECVE-2019-10207 at NVDCVE-2019-1125 at SUSECVE-2019-1125 at NVDCVE-2019-11810 at SUSECVE-2019-11810 at NVDCVE-2019-13631 at SUSECVE-2019-13631 at NVDCVE-2019-13648 at SUSECVE-2019-13648 at NVDCVE-2019-14283 at SUSECVE-2019-14283 at NVDCVE-2019-14284 at SUSECVE-2019-14284 at NVDCVE-2019-15117 at SUSECVE-2019-15117 at NVDCVE-2019-15118 at SUSECVE-2019-15118 at NVDCVE-2019-3819 at SUSECVE-2019-3819 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for perl (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for perl fixes the following issues:
Security issue fixed:
- CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674).
ImportantSUSE bug 1114674CVE-2018-18311 at SUSECVE-2018-18311 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libsolv, libzypp, zypper (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libsolv, libzypp and zypper fixes the following issues:
libsolv was updated to version 0.6.36 and fixes the following issues:
Security issues fixed:
- CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
- CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
- CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).
Non-security issues fixed:
- Made cleandeps jobs on patterns work (bsc#1137977).
- Fixed an issue multiversion packages that obsolete their own name (bsc#1127155).
- Keep consistent package name if there are multiple alternatives (bsc#1131823).
Fixes for libzypp:
- Fixes a bug where locking the kernel was not possible (bsc#1113296)
- Fixes a file descriptor leak (bsc#1116995)
- Will now run file conflict check on dry-run (best with download-only) (bsc#1140039)
Fixes for zypper:
- Fixes a bug where the wrong exit code was set when refreshing repos if --root was used (bsc#1134226)
- Improved the displaying of locks (bsc#1112911)
- Fixes an issue where `https` repository urls caused an error prompt to appear twice (bsc#1110542)
- zypper will now always warn when no repositories are defined (bsc#1109893)
- Fixes bash completion option detection (bsc#1049825)
ModerateSUSE bug 1049825SUSE bug 1109893SUSE bug 1110542SUSE bug 1111319SUSE bug 1112911SUSE bug 1113296SUSE bug 1116995SUSE bug 1120629SUSE bug 1120630SUSE bug 1120631SUSE bug 1127155SUSE bug 1131823SUSE bug 1134226SUSE bug 1137977SUSE bug 1140039SUSE bug 1145521CVE-2018-20532 at SUSECVE-2018-20532 at NVDCVE-2018-20533 at SUSECVE-2018-20533 at NVDCVE-2018-20534 at SUSECVE-2018-20534 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_7_1-ibm fixes the following issues:
Update to Java 7.1 Service Refresh 4 Fix Pack 50.
Security issues fixed:
- CVE-2019-11771: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-11775: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-4473: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-7317: Fixed issue inside Component AWT (libpng)(bsc#1141780).
- CVE-2019-2769: Fixed issue inside Component Utilities (bsc#1141783).
- CVE-2019-2762: Fixed issue inside Component Utilities (bsc#1141782).
- CVE-2019-2816: Fixed issue inside Component Networking (bsc#1141785).
- CVE-2019-2766: Fixed issue inside Component Networking (bsc#1141789).
ImportantSUSE bug 1141780SUSE bug 1141782SUSE bug 1141783SUSE bug 1141785SUSE bug 1141789SUSE bug 1147021CVE-2019-11771 at SUSECVE-2019-11771 at NVDCVE-2019-11775 at SUSECVE-2019-11775 at NVDCVE-2019-2762 at SUSECVE-2019-2762 at NVDCVE-2019-2766 at SUSECVE-2019-2766 at NVDCVE-2019-2769 at SUSECVE-2019-2769 at NVDCVE-2019-2816 at SUSECVE-2019-2816 at NVDCVE-2019-4473 at SUSECVE-2019-4473 at NVDCVE-2019-7317 at SUSECVE-2019-7317 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for curl (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for curl fixes the following issues:
Security issue fixed:
- CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496).
ImportantSUSE bug 1149496CVE-2019-5482 at SUSECVE-2019-5482 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for webkit2gtk3 fixes the following issues:
Updated to version 2.24.4 (bsc#1148931).
Security issues fixed:
- CVE-2019-8644, CVE-2019-8649, CVE-2019-8658, CVE-2019-8669, CVE-2019-8678,
CVE-2019-8680, CVE-2019-8683, CVE-2019-8684, CVE-2019-8688, CVE-2019-8595,
CVE-2019-8607, CVE-2019-8615, CVE-2019-8644, CVE-2019-8649, CVE-2019-8658,
CVE-2019-8666, CVE-2019-8669, CVE-2019-8671, CVE-2019-8672, CVE-2019-8673,
CVE-2019-8676, CVE-2019-8677, CVE-2019-8678, CVE-2019-8679, CVE-2019-8680,
CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8686, CVE-2019-8687,
CVE-2019-8688, CVE-2019-8689, CVE-2019-8690
Non-security issues fixed:
- Improved loading of multimedia streams to avoid memory exhaustion due to excessive caching.
- Updated the user agent string to make happy certain websites which would claim that the browser being used was unsupported.
ImportantSUSE bug 1135715SUSE bug 1148931CVE-2019-8595 at SUSECVE-2019-8595 at NVDCVE-2019-8607 at SUSECVE-2019-8607 at NVDCVE-2019-8615 at SUSECVE-2019-8615 at NVDCVE-2019-8644 at SUSECVE-2019-8644 at NVDCVE-2019-8649 at SUSECVE-2019-8649 at NVDCVE-2019-8658 at SUSECVE-2019-8658 at NVDCVE-2019-8666 at SUSECVE-2019-8666 at NVDCVE-2019-8669 at SUSECVE-2019-8669 at NVDCVE-2019-8671 at SUSECVE-2019-8671 at NVDCVE-2019-8672 at SUSECVE-2019-8672 at NVDCVE-2019-8673 at SUSECVE-2019-8673 at NVDCVE-2019-8676 at SUSECVE-2019-8676 at NVDCVE-2019-8677 at SUSECVE-2019-8677 at NVDCVE-2019-8678 at SUSECVE-2019-8678 at NVDCVE-2019-8679 at SUSECVE-2019-8679 at NVDCVE-2019-8680 at SUSECVE-2019-8680 at NVDCVE-2019-8681 at SUSECVE-2019-8681 at NVDCVE-2019-8683 at SUSECVE-2019-8683 at NVDCVE-2019-8684 at SUSECVE-2019-8684 at NVDCVE-2019-8686 at SUSECVE-2019-8686 at NVDCVE-2019-8687 at SUSECVE-2019-8687 at NVDCVE-2019-8688 at SUSECVE-2019-8688 at NVDCVE-2019-8689 at SUSECVE-2019-8689 at NVDCVE-2019-8690 at SUSECVE-2019-8690 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_8_0-ibm fixes the following issues:
Update to Java 8.0 Service Refresh 5 Fix Pack 40.
Security issues fixed:
- CVE-2019-11771: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-11772: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-11775: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-4473: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-7317: Fixed issue inside Component AWT (libpng)(bsc#1141780).
- CVE-2019-2769: Fixed issue inside Component Utilities (bsc#1141783).
- CVE-2019-2762: Fixed issue inside Component Utilities (bsc#1141782).
- CVE-2019-2816: Fixed issue inside Component Networking (bsc#1141785).
- CVE-2019-2766: Fixed issue inside Component Networking (bsc#1141789).
- CVE-2019-2786: Fixed issue inside Component Security (bsc#1141787).
ImportantSUSE bug 1122292SUSE bug 1122299SUSE bug 1141780SUSE bug 1141782SUSE bug 1141783SUSE bug 1141785SUSE bug 1141787SUSE bug 1141789SUSE bug 1147021CVE-2018-11212 at SUSECVE-2018-11212 at NVDCVE-2019-11771 at SUSECVE-2019-11771 at NVDCVE-2019-11772 at SUSECVE-2019-11772 at NVDCVE-2019-11775 at SUSECVE-2019-11775 at NVDCVE-2019-2449 at SUSECVE-2019-2449 at NVDCVE-2019-2762 at SUSECVE-2019-2762 at NVDCVE-2019-2766 at SUSECVE-2019-2766 at NVDCVE-2019-2769 at SUSECVE-2019-2769 at NVDCVE-2019-2786 at SUSECVE-2019-2786 at NVDCVE-2019-2816 at SUSECVE-2019-2816 at NVDCVE-2019-4473 at SUSECVE-2019-4473 at NVDCVE-2019-7317 at SUSECVE-2019-7317 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for ibus (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for ibus fixes the following issues:
Security issue fixed:
- CVE-2019-14822: Fixed a misconfiguration of the DBus server that allowed an unprivileged user to monitor and send method calls to the ibus bus of another user. (bsc#1150011)
ImportantSUSE bug 1150011CVE-2019-14822 at SUSECVE-2019-14822 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for openssl fixes the following issues:
OpenSSL Security Advisory [10 September 2019]
- CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance (bsc#1150003).
- CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250).
ModerateSUSE bug 1150003SUSE bug 1150250CVE-2019-1547 at SUSECVE-2019-1547 at NVDCVE-2019-1563 at SUSECVE-2019-1563 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox to ESR 60.9 fixes the following issues:
Security issues fixed:
- CVE-2019-11742: Fixed a same-origin policy violation involving SVG filters and canvas to steal cross-origin images. (bsc#1149303)
- CVE-2019-11746: Fixed a use-after-free while manipulating video. (bsc#1149297)
- CVE-2019-11744: Fixed an XSS caused by breaking out of title and textarea elements using innerHTML. (bsc#1149304)
- CVE-2019-11753: Fixed a privilege escalation with Mozilla Maintenance Service in custom Firefox installation location. (bsc#1149295)
- CVE-2019-11752: Fixed a use-after-free while extracting a key value in IndexedDB. (bsc#1149296)
- CVE-2019-11743: Fixed a timing side-channel attack on cross-origin information, utilizing unload event attributes. (bsc#1149298)
- CVE-2019-11740: Fixed several memory safety bugs. (bsc#1149299)
ImportantSUSE bug 1149294SUSE bug 1149295SUSE bug 1149296SUSE bug 1149297SUSE bug 1149298SUSE bug 1149299SUSE bug 1149303SUSE bug 1149304SUSE bug 1149324CVE-2019-11740 at SUSECVE-2019-11740 at NVDCVE-2019-11742 at SUSECVE-2019-11742 at NVDCVE-2019-11743 at SUSECVE-2019-11743 at NVDCVE-2019-11744 at SUSECVE-2019-11744 at NVDCVE-2019-11746 at SUSECVE-2019-11746 at NVDCVE-2019-11752 at SUSECVE-2019-11752 at NVDCVE-2019-11753 at SUSECVE-2019-11753 at NVDCVE-2019-9812 at SUSECVE-2019-9812 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for dovecot22 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for dovecot22 fixes the following issues:
- CVE-2019-11500: Fixed a potential remote code execution in the IMAP and ManageSieve protocol parsers (bsc#1145559).
ImportantSUSE bug 1145559CVE-2019-11500 at SUSECVE-2019-11500 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for ghostscript (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for ghostscript to 9.27 fixes the following issues:
Security issues fixed:
- CVE-2019-3835: Fixed an unauthorized file system access caused by an available superexec operator. (bsc#1129180)
- CVE-2019-3839: Fixed an unauthorized file system access caused by available privileged operators. (bsc#1134156)
- CVE-2019-12973: Fixed a denial-of-service vulnerability in the OpenJPEG function opj_t1_encode_cblks. (bsc#1140359)
- CVE-2019-14811: Fixed a safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator. (bsc#1146882)
- CVE-2019-14812: Fixed a safer mode bypass by .forceput exposure in setuserparams. (bsc#1146882)
- CVE-2019-14813: Fixed a safer mode bypass by .forceput exposure in setsystemparams. (bsc#1146882)
- CVE-2019-14817: Fixed a safer mode bypass by .forceput exposure in .pdfexectoken and other procedures. (bsc#1146884)
ImportantSUSE bug 1129180SUSE bug 1131863SUSE bug 1134156SUSE bug 1140359SUSE bug 1146882SUSE bug 1146884CVE-2019-12973 at SUSECVE-2019-12973 at NVDCVE-2019-14811 at SUSECVE-2019-14811 at NVDCVE-2019-14812 at SUSECVE-2019-14812 at NVDCVE-2019-14813 at SUSECVE-2019-14813 at NVDCVE-2019-14817 at SUSECVE-2019-14817 at NVDCVE-2019-3835 at SUSECVE-2019-3835 at NVDCVE-2019-3839 at SUSECVE-2019-3839 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libgcrypt (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libgcrypt fixes the following issues:
Security issues fixed:
- CVE-2019-13627: Mitigated ECDSA timing attack. (bsc#1148987)
ModerateSUSE bug 1148987CVE-2019-13627 at SUSECVE-2019-13627 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 19 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.156-94_61 fixes several issues.
The following security issues were fixed:
- CVE-2019-14835: A buffer overflow flaw was found in the way vhost functionality, that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host (bsc#1151021).
- CVE-2017-18379: Fixed an out of boundary access that happened in drivers/nvme/target/fc.c (bsc#1145604).
ImportantSUSE bug 1145604SUSE bug 1151021CVE-2017-18379 at SUSECVE-2017-18379 at NVDCVE-2019-14835 at SUSECVE-2019-14835 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 18 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.156-94_57 fixes several issues.
The following security issues were fixed:
- CVE-2019-14835: A buffer overflow flaw was found in the way vhost functionality, that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host (bsc#1151021).
- CVE-2017-18379: Fixed an out of boundary access that happened in drivers/nvme/target/fc.c (bsc#1145604).
ImportantSUSE bug 1145604SUSE bug 1151021CVE-2017-18379 at SUSECVE-2017-18379 at NVDCVE-2019-14835 at SUSECVE-2019-14835 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 22 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.162-94_72 fixes several issues.
The following security issues were fixed:
- CVE-2019-14835: A buffer overflow flaw was found in the way vhost functionality, that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host (bsc#1151021).
- CVE-2017-18379: Fixed an out of boundary access that happened in drivers/nvme/target/fc.c (bsc#1145604).
ImportantSUSE bug 1145604SUSE bug 1151021CVE-2017-18379 at SUSECVE-2017-18379 at NVDCVE-2019-14835 at SUSECVE-2019-14835 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 21 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.162-94_69 fixes several issues.
The following security issues were fixed:
- CVE-2019-14835: A buffer overflow flaw was found in the way vhost functionality, that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host (bsc#1151021).
- CVE-2017-18379: Fixed an out of boundary access that happened in drivers/nvme/target/fc.c (bsc#1145604).
ImportantSUSE bug 1145604SUSE bug 1151021CVE-2017-18379 at SUSECVE-2017-18379 at NVDCVE-2019-14835 at SUSECVE-2019-14835 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 20 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.156-94_64 fixes several issues.
The following security issues were fixed:
- CVE-2019-14835: A buffer overflow flaw was found in the way vhost functionality, that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host (bsc#1151021).
- CVE-2017-18379: Fixed an out of boundary access that happened in drivers/nvme/target/fc.c (bsc#1145604).
ImportantSUSE bug 1145604SUSE bug 1151021CVE-2017-18379 at SUSECVE-2017-18379 at NVDCVE-2019-14835 at SUSECVE-2019-14835 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 24 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.176-94_88 fixes several issues.
The following security issues were fixed:
- CVE-2019-14835: A buffer overflow flaw was found in the way vhost functionality, that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host (bsc#1151021).
- CVE-2017-18379: Fixed an out of boundary access that happened in drivers/nvme/target/fc.c (bsc#1145604).
ImportantSUSE bug 1145604SUSE bug 1151021CVE-2017-18379 at SUSECVE-2017-18379 at NVDCVE-2019-14835 at SUSECVE-2019-14835 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 23 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.175-94_79 fixes several issues.
The following security issues were fixed:
- CVE-2019-14835: A buffer overflow flaw was found in the way vhost functionality, that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host (bsc#1151021).
- CVE-2017-18379: Fixed an out of boundary access that happened in drivers/nvme/target/fc.c (bsc#1145604).
ImportantSUSE bug 1145604SUSE bug 1151021CVE-2017-18379 at SUSECVE-2017-18379 at NVDCVE-2019-14835 at SUSECVE-2019-14835 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 28 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_103 fixes several issues.
The following security issues were fixed:
- CVE-2019-14835: A buffer overflow flaw was found in the way vhost functionality, that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host (bsc#1151021).
- CVE-2017-18379: Fixed an out of boundary access that happened in drivers/nvme/target/fc.c (bsc#1145604).
ImportantSUSE bug 1145604SUSE bug 1151021CVE-2017-18379 at SUSECVE-2017-18379 at NVDCVE-2019-14835 at SUSECVE-2019-14835 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 27 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_100 fixes several issues.
The following security issues were fixed:
- CVE-2019-14835: A buffer overflow flaw was found in the way vhost functionality, that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host (bsc#1151021).
- CVE-2017-18379: Fixed an out of boundary access that happened in drivers/nvme/target/fc.c (bsc#1145604).
ImportantSUSE bug 1145604SUSE bug 1151021CVE-2017-18379 at SUSECVE-2017-18379 at NVDCVE-2019-14835 at SUSECVE-2019-14835 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 26 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_97 fixes several issues.
The following security issues were fixed:
- CVE-2019-14835: A buffer overflow flaw was found in the way vhost functionality, that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host (bsc#1151021).
- CVE-2017-18379: Fixed an out of boundary access that happened in drivers/nvme/target/fc.c (bsc#1145604).
ImportantSUSE bug 1145604SUSE bug 1151021CVE-2017-18379 at SUSECVE-2017-18379 at NVDCVE-2019-14835 at SUSECVE-2019-14835 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 25 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.178-94_91 fixes several issues.
The following security issues were fixed:
- CVE-2019-14835: A buffer overflow flaw was found in the way vhost functionality, that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host (bsc#1151021).
- CVE-2017-18379: Fixed an out of boundary access that happened in drivers/nvme/target/fc.c (bsc#1145604).
ImportantSUSE bug 1145604SUSE bug 1151021CVE-2017-18379 at SUSECVE-2017-18379 at NVDCVE-2019-14835 at SUSECVE-2019-14835 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
Updated to new ESR version 68.1 (bsc#1149323).
In addition to the already fixed vulnerabilities released in previous ESR updates,
the following were also fixed:
CVE-2019-11751, CVE-2019-11736, CVE-2019-9812, CVE-2019-11748, CVE-2019-11749,
CVE-2019-11750, CVE-2019-11738, CVE-2019-11747, CVE-2019-11735.
Several run-time issues were also resolved (bsc#1117473, bsc#1124525, bsc#1133810).
The version displayed in Help > About is now correct (bsc#1087200).
ImportantSUSE bug 1087200SUSE bug 1109465SUSE bug 1117473SUSE bug 1123482SUSE bug 1124525SUSE bug 1133810SUSE bug 1140868SUSE bug 1145665SUSE bug 1149323CVE-2019-11709 at SUSECVE-2019-11709 at NVDCVE-2019-11710 at SUSECVE-2019-11710 at NVDCVE-2019-11711 at SUSECVE-2019-11711 at NVDCVE-2019-11712 at SUSECVE-2019-11712 at NVDCVE-2019-11713 at SUSECVE-2019-11713 at NVDCVE-2019-11714 at SUSECVE-2019-11714 at NVDCVE-2019-11715 at SUSECVE-2019-11715 at NVDCVE-2019-11716 at SUSECVE-2019-11716 at NVDCVE-2019-11717 at SUSECVE-2019-11717 at NVDCVE-2019-11718 at SUSECVE-2019-11718 at NVDCVE-2019-11719 at SUSECVE-2019-11719 at NVDCVE-2019-11720 at SUSECVE-2019-11720 at NVDCVE-2019-11721 at SUSECVE-2019-11721 at NVDCVE-2019-11723 at SUSECVE-2019-11723 at NVDCVE-2019-11724 at SUSECVE-2019-11724 at NVDCVE-2019-11725 at SUSECVE-2019-11725 at NVDCVE-2019-11727 at SUSECVE-2019-11727 at NVDCVE-2019-11728 at SUSECVE-2019-11728 at NVDCVE-2019-11729 at SUSECVE-2019-11729 at NVDCVE-2019-11730 at SUSECVE-2019-11730 at NVDCVE-2019-11733 at SUSECVE-2019-11733 at NVDCVE-2019-11735 at SUSECVE-2019-11735 at NVDCVE-2019-11736 at SUSECVE-2019-11736 at NVDCVE-2019-11738 at SUSECVE-2019-11738 at NVDCVE-2019-11740 at SUSECVE-2019-11740 at NVDCVE-2019-11742 at SUSECVE-2019-11742 at NVDCVE-2019-11743 at SUSECVE-2019-11743 at NVDCVE-2019-11744 at SUSECVE-2019-11744 at NVDCVE-2019-11746 at SUSECVE-2019-11746 at NVDCVE-2019-11747 at SUSECVE-2019-11747 at NVDCVE-2019-11748 at SUSECVE-2019-11748 at NVDCVE-2019-11749 at SUSECVE-2019-11749 at NVDCVE-2019-11750 at SUSECVE-2019-11750 at NVDCVE-2019-11751 at SUSECVE-2019-11751 at NVDCVE-2019-11752 at SUSECVE-2019-11752 at NVDCVE-2019-11753 at SUSECVE-2019-11753 at NVDCVE-2019-9811 at SUSECVE-2019-9811 at NVDCVE-2019-9812 at SUSECVE-2019-9812 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for binutils (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for binutils fixes the following issues:
binutils was updated to current 2.32 branch @7b468db3 [jsc#ECO-368]:
Includes the following security fixes:
- CVE-2018-17358: Fixed invalid memory access in _bfd_stab_section_find_nearest_line in syms.c (bsc#1109412)
- CVE-2018-17359: Fixed invalid memory access exists in bfd_zalloc in opncls.c (bsc#1109413)
- CVE-2018-17360: Fixed heap-based buffer over-read in bfd_getl32 in libbfd.c (bsc#1109414)
- CVE-2018-17985: Fixed a stack consumption problem caused by the cplus_demangle_type (bsc#1116827)
- CVE-2018-18309: Fixed an invalid memory address dereference was discovered in read_reloc in reloc.c (bsc#1111996)
- CVE-2018-18483: Fixed get_count function provided by libiberty that allowed attackers to cause a denial of service or other unspecified impact (bsc#1112535)
- CVE-2018-18484: Fixed stack exhaustion in the C++ demangling functions provided by libiberty, caused by recursive stack frames (bsc#1112534)
- CVE-2018-18605: Fixed a heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup causing a denial of service (bsc#1113255)
- CVE-2018-18606: Fixed a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments, causing denial of service (bsc#1113252)
- CVE-2018-18607: Fixed a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section, causing denial of service (bsc#1113247)
- CVE-2018-19931: Fixed a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h (bsc#1118831)
- CVE-2018-19932: Fixed an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA (bsc#1118830)
- CVE-2018-20623: Fixed a use-after-free in the error function in elfcomm.c (bsc#1121035)
- CVE-2018-20651: Fixed a denial of service via a NULL pointer dereference in elf_link_add_object_symbols in elflink.c (bsc#1121034)
- CVE-2018-20671: Fixed an integer overflow that can trigger a heap-based buffer overflow in load_specific_debug_section in objdump.c (bsc#1121056)
- CVE-2018-1000876: Fixed integer overflow in bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc in objdump (bsc#1120640)
- CVE-2019-1010180: Fixed an out of bound memory access that could lead to crashes (bsc#1142772)
- Enable xtensa architecture (Tensilica lc6 and related)
- Use -ffat-lto-objects in order to provide assembly for static libs
(bsc#1141913).
- Fixed some LTO problems (bsc#1133131 bsc#1133232).
- riscv: Don't check ABI flags if no code section
Update to binutils 2.32:
* The binutils now support for the C-SKY processor series.
* The x86 assembler now supports a -mvexwig=[0|1] option to control
encoding of VEX.W-ignored (WIG) VEX instructions.
It also has a new -mx86-used-note=[yes|no] option to generate (or
not) x86 GNU property notes.
* The MIPS assembler now supports the Loongson EXTensions R2 (EXT2),
the Loongson EXTensions (EXT) instructions, the Loongson Content
Address Memory (CAM) ASE and the Loongson MultiMedia extensions
Instructions (MMI) ASE.
* The addr2line, c++filt, nm and objdump tools now have a default
limit on the maximum amount of recursion that is allowed whilst
demangling strings. This limit can be disabled if necessary.
* Objdump's --disassemble option can now take a parameter,
specifying the starting symbol for disassembly. Disassembly will
continue from this symbol up to the next symbol or the end of the
function.
* The BFD linker will now report property change in linker map file
when merging GNU properties.
* The BFD linker's -t option now doesn't report members within
archives, unless -t is given twice. This makes it more useful
when generating a list of files that should be packaged for a
linker bug report.
* The GOLD linker has improved warning messages for relocations that
refer to discarded sections.
- Improve relro support on s390 [fate#326356]
- Handle ELF compressed header alignment correctly.
ModerateSUSE bug 1109412SUSE bug 1109413SUSE bug 1109414SUSE bug 1111996SUSE bug 1112534SUSE bug 1112535SUSE bug 1113247SUSE bug 1113252SUSE bug 1113255SUSE bug 1116827SUSE bug 1118830SUSE bug 1118831SUSE bug 1120640SUSE bug 1121034SUSE bug 1121035SUSE bug 1121056SUSE bug 1133131SUSE bug 1133232SUSE bug 1141913SUSE bug 1142772CVE-2018-1000876 at SUSECVE-2018-1000876 at NVDCVE-2018-17358 at SUSECVE-2018-17358 at NVDCVE-2018-17359 at SUSECVE-2018-17359 at NVDCVE-2018-17360 at SUSECVE-2018-17360 at NVDCVE-2018-17985 at SUSECVE-2018-17985 at NVDCVE-2018-18309 at SUSECVE-2018-18309 at NVDCVE-2018-18483 at SUSECVE-2018-18483 at NVDCVE-2018-18484 at SUSECVE-2018-18484 at NVDCVE-2018-18605 at SUSECVE-2018-18605 at NVDCVE-2018-18606 at SUSECVE-2018-18606 at NVDCVE-2018-18607 at SUSECVE-2018-18607 at NVDCVE-2018-19931 at SUSECVE-2018-19931 at NVDCVE-2018-19932 at SUSECVE-2018-19932 at NVDCVE-2018-20623 at SUSECVE-2018-20623 at NVDCVE-2018-20651 at SUSECVE-2018-20651 at NVDCVE-2018-20671 at SUSECVE-2018-20671 at NVDCVE-2019-1010180 at SUSECVE-2019-1010180 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for sudo (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for sudo fixes the following issues:
Security issue fixed:
- CVE-2019-14287: Fixed an issue where a user with sudo privileges
that allowed them to run commands with an arbitrary uid, could
run commands as root, despite being forbidden to do so in sudoers
(bsc#1153674).
ImportantSUSE bug 1153674CVE-2019-14287 at SUSECVE-2019-14287 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libpcap (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libpcap fixes the following issues:
- CVE-2019-15165: Added sanity checks for PHB header length before allocating memory (bsc#1153332).
- CVE-2018-16301: Fixed a buffer overflow (bsc#1153332).
ImportantSUSE bug 1153332CVE-2018-16301 at SUSECVE-2018-16301 at NVDCVE-2019-15165 at SUSECVE-2019-15165 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for xen fixes the following issues:
Security issues fixed:
- CVE-2019-15890: Fixed a use-after-free in SLiRP networking implementation of QEMU emulator
which could have led to Denial of Service (bsc#1149813).
- CVE-2019-12068: Fixed an issue in lsi which could lead to an infinite loop and denial of
service (bsc#1146874).
- CVE-2019-14378: Fixed a heap buffer overflow in SLiRp networking implementation of QEMU
emulator which could have led to execution of arbitrary code with privileges of the
QEMU process (bsc#1143797).
Other issue fixed:
- Fixed an issue where libxenlight could not restore domain vsa6535522 on live migration (bsc#1133818).
ImportantSUSE bug 1126140SUSE bug 1126141SUSE bug 1126192SUSE bug 1126195SUSE bug 1126196SUSE bug 1126197SUSE bug 1126198SUSE bug 1126201SUSE bug 1127400SUSE bug 1133818SUSE bug 1143797SUSE bug 1146874SUSE bug 1149813CVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDCVE-2019-12068 at SUSECVE-2019-12068 at NVDCVE-2019-14378 at SUSECVE-2019-14378 at NVDCVE-2019-15890 at SUSECVE-2019-15890 at NVDCVE-2019-17340 at SUSECVE-2019-17340 at NVDCVE-2019-17341 at SUSECVE-2019-17341 at NVDCVE-2019-17342 at SUSECVE-2019-17342 at NVDCVE-2019-17343 at SUSECVE-2019-17343 at NVDCVE-2019-17344 at SUSECVE-2019-17344 at NVDCVE-2019-17345 at SUSECVE-2019-17345 at NVDCVE-2019-17346 at SUSECVE-2019-17346 at NVDCVE-2019-17347 at SUSECVE-2019-17347 at NVDCVE-2019-17348 at SUSECVE-2019-17348 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for nfs-utils (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for nfs-utils fixes the following issues:
- CVE-2019-3689: Fixed root-owned files stored in insecure /var/lib/nfs. (bsc#1150733)
ModerateSUSE bug 1150733CVE-2019-3689 at SUSECVE-2019-3689 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 20 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.156-94_64 fixes several issues.
The following security issues were fixed:
- CVE-2019-10220: Fixed a relative path escape in the Samba client module (bsc#1144903, bsc#1153108).
- CVE-2019-17133: Fixed a buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c caused by long SSID IEs (bsc#1153158).
ImportantSUSE bug 1144903SUSE bug 1153108SUSE bug 1153158SUSE bug 1153161CVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-17133 at SUSECVE-2019-17133 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 21 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.162-94_69 fixes several issues.
The following security issues were fixed:
- CVE-2019-10220: Fixed a relative path escape in the Samba client module (bsc#1144903, bsc#1153108).
- CVE-2019-17133: Fixed a buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c caused by long SSID IEs (bsc#1153158).
ImportantSUSE bug 1144903SUSE bug 1153108SUSE bug 1153158SUSE bug 1153161CVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-17133 at SUSECVE-2019-17133 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 22 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.162-94_72 fixes several issues.
The following security issues were fixed:
- CVE-2019-10220: Fixed a relative path escape in the Samba client module (bsc#1144903, bsc#1153108).
- CVE-2019-17133: Fixed a buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c caused by long SSID IEs (bsc#1153158).
ImportantSUSE bug 1144903SUSE bug 1153108SUSE bug 1153158SUSE bug 1153161CVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-17133 at SUSECVE-2019-17133 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 23 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.175-94_79 fixes several issues.
The following security issues were fixed:
- CVE-2019-10220: Fixed a relative path escape in the Samba client module (bsc#1144903, bsc#1153108).
- CVE-2019-17133: Fixed a buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c caused by long SSID IEs (bsc#1153158).
ImportantSUSE bug 1144903SUSE bug 1153108SUSE bug 1153158SUSE bug 1153161CVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-17133 at SUSECVE-2019-17133 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 24 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.176-94_88 fixes several issues.
The following security issues were fixed:
- CVE-2019-10220: Fixed a relative path escape in the Samba client module (bsc#1144903, bsc#1153108).
- CVE-2019-17133: Fixed a buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c caused by long SSID IEs (bsc#1153158).
ImportantSUSE bug 1144903SUSE bug 1153108SUSE bug 1153158SUSE bug 1153161CVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-17133 at SUSECVE-2019-17133 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 25 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.178-94_91 fixes several issues.
The following security issues were fixed:
- CVE-2019-10220: Fixed a relative path escape in the Samba client module (bsc#1144903, bsc#1153108).
- CVE-2019-17133: Fixed a buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c caused by long SSID IEs (bsc#1153158).
ImportantSUSE bug 1144903SUSE bug 1153108SUSE bug 1153158SUSE bug 1153161CVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-17133 at SUSECVE-2019-17133 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 26 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_97 fixes several issues.
The following security issues were fixed:
- CVE-2019-10220: Fixed a relative path escape in the Samba client module (bsc#1144903, bsc#1153108).
- CVE-2019-17133: Fixed a buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c caused by long SSID IEs (bsc#1153158).
ImportantSUSE bug 1144903SUSE bug 1153108SUSE bug 1153158SUSE bug 1153161CVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-17133 at SUSECVE-2019-17133 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 27 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_100 fixes several issues.
The following security issues were fixed:
- CVE-2019-10220: Fixed a relative path escape in the Samba client module (bsc#1144903, bsc#1153108).
- CVE-2019-17133: Fixed a buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c caused by long SSID IEs (bsc#1153158).
ImportantSUSE bug 1144903SUSE bug 1153108SUSE bug 1153158SUSE bug 1153161CVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-17133 at SUSECVE-2019-17133 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 28 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_103 fixes several issues.
The following security issues were fixed:
- CVE-2019-10220: Fixed a relative path escape in the Samba client module (bsc#1144903, bsc#1153108).
- CVE-2019-17133: Fixed a buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c caused by long SSID IEs (bsc#1153158).
ImportantSUSE bug 1144903SUSE bug 1153108SUSE bug 1153158SUSE bug 1153161CVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-17133 at SUSECVE-2019-17133 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox to 68.2.0 ESR fixes the following issues:
Mozilla Firefox was updated to version 68.2.0 ESR (bsc#1154738).
Security issues fixed:
- CVE-2019-15903: Fixed a heap overflow in the expat library (bsc#1149429).
- CVE-2019-11757: Fixed a use-after-free when creating index updates in IndexedDB (bsc#1154738).
- CVE-2019-11758: Fixed a potentially exploitable crash due to 360 Total Security (bsc#1154738).
- CVE-2019-11759: Fixed a stack buffer overflow in HKDF output (bsc#1154738).
- CVE-2019-11760: Fixed a stack buffer overflow in WebRTC networking (bsc#1154738).
- CVE-2019-11761: Fixed an unintended access to a privileged JSONView object (bsc#1154738).
- CVE-2019-11762: Fixed a same-origin-property violation (bsc#1154738).
- CVE-2019-11763: Fixed an XSS bypass (bsc#1154738).
- CVE-2019-11764: Fixed several memory safety bugs (bsc#1154738).
Non-security issues fixed:
- Firefox 60.7 ESR changed the user interface language (bsc#1137990).
- Wrong Firefox GUI Language (bsc#1120374).
- Fixed an inadvertent crash report transmission without user opt-in (bsc#1074235).
- Firefox hangs randomly when browsing and scrolling (bsc#1043008).
- Firefox stops loading page until mouse is moved (bsc#1025108).
ImportantSUSE bug 1010399SUSE bug 1010405SUSE bug 1010406SUSE bug 1010408SUSE bug 1010409SUSE bug 1010421SUSE bug 1010423SUSE bug 1010424SUSE bug 1010425SUSE bug 1010426SUSE bug 1025108SUSE bug 1043008SUSE bug 1047281SUSE bug 1074235SUSE bug 1092611SUSE bug 1120374SUSE bug 1137990SUSE bug 1149429SUSE bug 1154738SUSE bug 959933SUSE bug 983922CVE-2016-2830 at SUSECVE-2016-2830 at NVDCVE-2016-5289 at SUSECVE-2016-5289 at NVDCVE-2016-5292 at SUSECVE-2016-5292 at NVDCVE-2016-9063 at SUSECVE-2016-9063 at NVDCVE-2016-9067 at SUSECVE-2016-9067 at NVDCVE-2016-9068 at SUSECVE-2016-9068 at NVDCVE-2016-9069 at SUSECVE-2016-9069 at NVDCVE-2016-9071 at SUSECVE-2016-9071 at NVDCVE-2016-9073 at SUSECVE-2016-9073 at NVDCVE-2016-9075 at SUSECVE-2016-9075 at NVDCVE-2016-9076 at SUSECVE-2016-9076 at NVDCVE-2016-9077 at SUSECVE-2016-9077 at NVDCVE-2017-7789 at SUSECVE-2017-7789 at NVDCVE-2018-5150 at SUSECVE-2018-5150 at NVDCVE-2018-5151 at SUSECVE-2018-5151 at NVDCVE-2018-5152 at SUSECVE-2018-5152 at NVDCVE-2018-5153 at SUSECVE-2018-5153 at NVDCVE-2018-5154 at SUSECVE-2018-5154 at NVDCVE-2018-5155 at SUSECVE-2018-5155 at NVDCVE-2018-5157 at SUSECVE-2018-5157 at NVDCVE-2018-5158 at SUSECVE-2018-5158 at NVDCVE-2018-5159 at SUSECVE-2018-5159 at NVDCVE-2018-5160 at SUSECVE-2018-5160 at NVDCVE-2018-5163 at SUSECVE-2018-5163 at NVDCVE-2018-5164 at SUSECVE-2018-5164 at NVDCVE-2018-5165 at SUSECVE-2018-5165 at NVDCVE-2018-5166 at SUSECVE-2018-5166 at NVDCVE-2018-5167 at SUSECVE-2018-5167 at NVDCVE-2018-5168 at SUSECVE-2018-5168 at NVDCVE-2018-5169 at SUSECVE-2018-5169 at NVDCVE-2018-5172 at SUSECVE-2018-5172 at NVDCVE-2018-5173 at SUSECVE-2018-5173 at NVDCVE-2018-5174 at SUSECVE-2018-5174 at NVDCVE-2018-5175 at SUSECVE-2018-5175 at NVDCVE-2018-5176 at SUSECVE-2018-5176 at NVDCVE-2018-5177 at SUSECVE-2018-5177 at NVDCVE-2018-5178 at SUSECVE-2018-5178 at NVDCVE-2018-5179 at SUSECVE-2018-5179 at NVDCVE-2018-5180 at SUSECVE-2018-5180 at NVDCVE-2018-5181 at SUSECVE-2018-5181 at NVDCVE-2018-5182 at SUSECVE-2018-5182 at NVDCVE-2018-5183 at SUSECVE-2018-5183 at NVDCVE-2019-11757 at SUSECVE-2019-11757 at NVDCVE-2019-11758 at SUSECVE-2019-11758 at NVDCVE-2019-11759 at SUSECVE-2019-11759 at NVDCVE-2019-11760 at SUSECVE-2019-11760 at NVDCVE-2019-11761 at SUSECVE-2019-11761 at NVDCVE-2019-11762 at SUSECVE-2019-11762 at NVDCVE-2019-11763 at SUSECVE-2019-11763 at NVDCVE-2019-11764 at SUSECVE-2019-11764 at NVDCVE-2019-15903 at SUSECVE-2019-15903 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for samba (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for samba fixes the following issues:
- CVE-2019-10218: Client code can return filenames containing path separators (bsc#1144902).
ImportantSUSE bug 1144902CVE-2019-10218 at SUSECVE-2019-10218 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for gdb (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for gdb fixes the following issues:
Update to gdb 8.3.1: (jsc#ECO-368)
Security issues fixed:
- CVE-2019-1010180: Fixed a potential buffer overflow when loading ELF sections larger than the file. (bsc#1142772)
Upgrade libipt from v2.0 to v2.0.1.
- Enable librpm for version > librpm.so.3 [bsc#1145692]:
* Allow any librpm.so.x
* Add %build test to check for 'zypper install <rpm-packagename>'
message
- Copy gdbinit from fedora master @ 25caf28. Add
gdbinit.without-python, and use it for --without=python.
Rebase to 8.3 release (as in fedora 30 @ 1e222a3).
* DWARF index cache: GDB can now automatically save indices of DWARF
symbols on disk to speed up further loading of the same binaries.
* Ada task switching is now supported on aarch64-elf targets when
debugging a program using the Ravenscar Profile.
* Terminal styling is now available for the CLI and the TUI.
* Removed support for old demangling styles arm, edg, gnu, hp and
lucid.
* Support for new native configuration RISC-V GNU/Linux (riscv*-*-linux*).
- Implemented access to more POWER8 registers. [fate#326120, fate#325178]
- Also handle most new s390 arch13 instructions. [fate#327369, jsc#ECO-368]
ModerateSUSE bug 1115034SUSE bug 1142772SUSE bug 1145692CVE-2019-1010180 at SUSECVE-2019-1010180 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libssh2_org (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libssh2_org fixes the following issue:
- CVE-2019-17498: Fixed an integer overflow in a bounds check that might have led to the disclosure of sensitive information or a denial of service (bsc#1154862).
ModerateSUSE bug 1154862CVE-2019-17498 at SUSECVE-2019-17498 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libseccomp (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libseccomp fixes the following issues:
Update to new upstream release 2.4.1:
* Fix a BPF generation bug where the optimizer mistakenly
identified duplicate BPF code blocks.
Updated to 2.4.0 (bsc#1128828 CVE-2019-9893):
* Update the syscall table for Linux v5.0-rc5
* Added support for the SCMP_ACT_KILL_PROCESS action
* Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute
* Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension
* Added support for the parisc and parisc64 architectures
* Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3)
* Return -EDOM on an endian mismatch when adding an architecture to a filter
* Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run()
* Fix PFC generation when a syscall is prioritized, but no rule exists
* Numerous fixes to the seccomp-bpf filter generation code
* Switch our internal hashing function to jhash/Lookup3 to MurmurHash3
* Numerous tests added to the included test suite, coverage now at ~92%
* Update our Travis CI configuration to use Ubuntu 16.04
* Numerous documentation fixes and updates
Update to release 2.3.3:
* Updated the syscall table for Linux v4.15-rc7
Update to release 2.3.2:
* Achieved full compliance with the CII Best Practices program
* Added Travis CI builds to the GitHub repository
* Added code coverage reporting with the '--enable-code-coverage' configure
flag and added Coveralls to the GitHub repository
* Updated the syscall tables to match Linux v4.10-rc6+
* Support for building with Python v3.x
* Allow rules with the -1 syscall if the SCMP\_FLTATR\_API\_TSKIP attribute is
set to true
* Several small documentation fixes
- ignore make check error for ppc64/ppc64le, bypass bsc#1142614
ModerateSUSE bug 1082318SUSE bug 1128828SUSE bug 1142614CVE-2019-9893 at SUSECVE-2019-9893 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
The SUSE Linux Enterprise 12-SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race
condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine
Exception during Page Size Change, causing the CPU core to be non-functional.
The Linux Kernel kvm hypervisor was adjusted to avoid page size changes in
executable pages by splitting / merging huge pages into small pages as
needed. More information can be found on https://www.suse.com/support/kb/doc/?id=7023735
- CVE-2019-16995: Fix a memory leak in hsr_dev_finalize() if hsr_add_port
failed to add a port, which may have caused denial of service (bsc#1152685).
- CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with
Transactional Memory support could be used to facilitate sidechannel
information leaks out of microarchitectural buffers, similar to the
previously described 'Microarchitectural Data Sampling' attack.
The Linux kernel was supplemented with the option to disable TSX operation
altogether (requiring CPU Microcode updates on older systems) and better
flushing of microarchitectural buffers (VERW).
The set of options available is described in our TID at https://www.suse.com/support/kb/doc/?id=7024251
- CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c did not check the
alloc_workqueue return value, leading to a NULL pointer dereference.
(bsc#1150457).
- CVE-2019-10220: Added sanity checks on the pathnames passed to the user
space. (bsc#1144903).
- CVE-2019-17666: rtlwifi: Fix potential overflow in P2P code (bsc#1154372).
- CVE-2019-17133: cfg80211 wireless extension did not reject a long SSID IE,
leading to a Buffer Overflow (bsc#1153158).
- CVE-2019-16232: Fix a potential NULL pointer dereference in the Marwell
libertas driver (bsc#1150465).
- CVE-2019-16234: iwlwifi pcie driver did not check the alloc_workqueue return
value, leading to a NULL pointer dereference. (bsc#1150452).
- CVE-2019-17055: The AF_ISDN network module in the Linux kernel did not
enforce CAP_NET_RAW, which meant that unprivileged users could create a raw
socket (bnc#1152782).
- CVE-2019-17056: The AF_NFC network module did not enforce CAP_NET_RAW, which
meant that unprivileged users could create a raw socket (bsc#1152788).
- CVE-2019-16413: The 9p filesystem did not protect i_size_write() properly,
which caused an i_size_read() infinite loop and denial of service on SMP
systems (bnc#1151347).
- CVE-2019-15902: A backporting issue was discovered that re-introduced the
Spectre vulnerability it had aimed to eliminate. This occurred because the
backport process depends on cherry picking specific commits, and because two
(correctly ordered) code lines were swapped (bnc#1149376).
- CVE-2019-15291: Fixed a NULL pointer dereference issue that could be caused
by a malicious USB device (bnc#1146519).
- CVE-2019-15807: Fixed a memory leak in the SCSI module that could be abused
to cause denial of service (bnc#1148938).
- CVE-2019-13272: Fixed a mishandled the recording of the credentials of a
process that wants to create a ptrace relationship, which allowed local users
to obtain root access by leveraging certain scenarios with a parent-child
process relationship, where a parent drops privileges and calls execve
(potentially allowing control by an attacker). (bnc#1140671).
- CVE-2019-14821: An out-of-bounds access issue was fixed in the kernel's KVM
hypervisor. An unprivileged host user or process with access to '/dev/kvm'
device could use this flaw to crash the host kernel, resulting in a denial of
service or potentially escalating privileges on the system (bnc#1151350).
- CVE-2019-15505: An out-of-bounds issue had been fixed that could be caused by
crafted USB device traffic (bnc#1147122).
- CVE-2017-18595: A double free in allocate_trace_buffer was fixed
(bnc#1149555).
- CVE-2019-14835: A buffer overflow flaw was found in the kernel's vhost
functionality that translates virtqueue buffers to IOVs. A privileged guest
user able to pass descriptors with invalid length to the host could use this
flaw to increase their privileges on the host (bnc#1150112).
- CVE-2019-15216: A NULL pointer dereference was fixed that could be malicious
USB device (bnc#1146361).
- CVE-2019-15924: A a NULL pointer dereference has been fixed in the
drivers/net/ethernet/intel/fm10k module (bnc#1149612).
- CVE-2019-9456: An out-of-bounds write in the USB monitor driver has been
fixed. This issue could lead to local escalation of privilege with System
execution privileges needed. (bnc#1150025).
- CVE-2019-15926: An out-of-bounds access was fixed in the
drivers/net/wireless/ath/ath6kl module. (bnc#1149527).
- CVE-2019-15927: An out-of-bounds access was fixed in the sound/usb/mixer
module (bnc#1149522).
- CVE-2019-15666: There was an out-of-bounds array access in the net/xfrm
module that could cause denial of service (bnc#1148394).
- CVE-2017-18379: An out-of-boundary access was fixed in the
drivers/nvme/target module (bnc#1143187).
- CVE-2019-15219: A NULL pointer dereference was fixed that could be abused by
a malicious USB device (bnc#1146519 1146524).
- CVE-2019-15220: A use-after-free issue was fixed that could be caused by a
malicious USB device (bnc#1146519 1146526).
- CVE-2019-15221: A NULL pointer dereference was fixed that could be caused by
a malicious USB device (bnc#1146519 1146529).
- CVE-2019-14814: A heap-based buffer overflow was fixed in the marvell wifi
chip driver. That issue allowed local users to cause a denial of service
(system crash) or possibly execute arbitrary code (bnc#1146512).
- CVE-2019-14815: A missing length check while parsing WMM IEs was fixed
(bsc#1146512, bsc#1146514, bsc#1146516).
- CVE-2019-14816: A heap-based buffer overflow in the marvell wifi chip driver
was fixed. Local users would have abused this issue to cause a denial of
service (system crash) or possibly execute arbitrary code (bnc#1146516).
- CVE-2017-18509: An issue in net/ipv6 as fixed. By setting a specific socket
option, an attacker could control a pointer in kernel land and cause an
inet_csk_listen_stop general protection fault, or potentially execute
arbitrary code under certain circumstances. The issue can be triggered as
root (e.g., inside a default LXC container or with the CAP_NET_ADMIN
capability) or after namespace unsharing. (bnc#1145477)
- CVE-2019-9506: The Bluetooth BR/EDR specification used to permit sufficiently
low encryption key length and did not prevent an attacker from influencing
the key length negotiation. This allowed practical brute-force attacks (aka
'KNOB') that could decrypt traffic and inject arbitrary ciphertext without
the victim noticing (bnc#1137865).
- CVE-2019-15098: A NULL pointer dereference in drivers/net/wireless/ath was
fixed (bnc#1146378).
- CVE-2019-15290: A NULL pointer dereference in ath6kl_usb_alloc_urb_from_pipe
was fixed (bsc#1146378).
- CVE-2019-15239: A incorrect patch to net/ipv4 was fixed. By adding to a write
queue between disconnection and re-connection, a local attacker could trigger
multiple use-after-free conditions. This could result in kernel crashes or
potentially in privilege escalation. (bnc#1146589)
- CVE-2019-15212: A double-free issue was fixed in drivers/usb driver
(bnc#1146391).
- CVE-2016-10906: A use-after-free issue was fixed in drivers/net/ethernet/arc
(bnc#1146584).
- CVE-2019-15211: A use-after-free issue caused by a malicious USB device was
fixed in the drivers/media/v4l2-core driver (bnc#1146519).
- CVE-2019-15217: A a NULL pointer dereference issue caused by a malicious USB
device was fixed in the drivers/media/usb/zr364xx driver (bnc#1146519).
- CVE-2019-15214: An a use-after-free issue in the sound subsystem was fixed
(bnc#1146519).
- CVE-2019-15218: A NULL pointer dereference caused by a malicious USB device
was fixed in the drivers/media/usb/siano driver (bnc#1146413).
- CVE-2019-15215: A use-after-free issue caused by a malicious USB device was
fixed in the drivers/media/usb/cpia2 driver (bnc#1146425).
- CVE-2018-20976: A use-after-free issue was fixed in the fs/xfs driver
(bnc#1146285).
- CVE-2017-18551: An out-of-bounds write was fixed in the drivers/i2c driver
(bnc#1146163).
- CVE-2019-0154: An unprotected read access to i915 registers has been fixed
that could have been abused to facilitate a local denial-of-service attack.
(bsc#1135966)
- CVE-2019-0155: A privilege escalation vulnerability has been fixed in the
i915 module that allowed batch buffers from user mode to gain super user
privileges. (bsc#1135967)
The following non-security bugs were fixed:
- array_index_nospec: Sanitize speculative array (bsc#1155671)
- bonding/802.3ad: fix link_failure_count tracking (bsc#1141013).
- bonding/802.3ad: fix slave link initialization transition states (bsc#1141013).
- bonding: correctly update link status during mii-commit phase (bsc#1141013).
- bonding: fix active-backup transition (bsc#1141013).
- bonding: make speed, duplex setting consistent with link state (bsc#1141013).
- bonding: ratelimit failed speed/duplex update warning (bsc#1141013).
- bonding: require speed/duplex only for 802.3ad, alb and tlb (bsc#1141013).
- bonding: set default miimon value for non-arp modes if not set (bsc#1141013).
- bonding: speed/duplex update at NETDEV_UP event (bsc#1141013).
- cifs: fix panic in smb2_reconnect (bsc#1142458).
- cifs: handle netapp error codes (bsc#1136261).
- cpu/speculation: Uninline and export CPU mitigations helpers (bnc#1117665).
- ib/core, ipoib: Do not overreact to SM LID change event (bsc#1154103)
- ib/core: Add mitigation for Spectre V1 (bsc#1155671)
- ixgbe: sync the first fragment unconditionally (bsc#1133140).
- kvm: Convert kvm_lock to a mutex (bsc#1117665).
- kvm: lapic: cap __delay at lapic_timer_advance_ns (bsc#1149083).
- kvm: mmu: drop vcpu param in gpte_access (bsc#1117665).
- kvm: mmu: introduce kvm_mmu_gfn_{allow,disallow}_lpage (bsc#1117665).
- kvm: mmu: rename has_wrprotected_page to mmu_gfn_lpage_is_disallowed (bsc#1117665).
- kvm: vmx, svm: always run with EFER.NXE=1 when shadow paging is active (bsc#1117665).
- kvm: x86, powerpc: do not allow clearing largepages debugfs entry (bsc#1117665).
- kvm: x86: Do not release the page inside mmu_set_spte() (bsc#1117665).
- kvm: x86: MMU: Consolidate quickly_check_mmio_pf() and is_mmio_page_fault() (bsc#1117665).
- kvm: x86: MMU: Encapsulate the type of rmap-chain head in a new struct (bsc#1117665).
- kvm: x86: MMU: Move handle_mmio_page_fault() call to kvm_mmu_page_fault() (bsc#1117665).
- kvm: x86: MMU: Move initialization of parent_ptes out from kvm_mmu_alloc_page() (bsc#1117665).
- kvm: x86: MMU: Move parent_pte handling from kvm_mmu_get_page() to link_shadow_page() (bsc#1117665).
- kvm: x86: MMU: Remove unused parameter parent_pte from kvm_mmu_get_page() (bsc#1117665).
- kvm: x86: MMU: always set accessed bit in shadow PTEs (bsc#1117665).
- kvm: x86: Reduce the overhead when lapic_timer_advance is disabled (bsc#1149083).
- kvm: x86: add tracepoints around __direct_map and FNAME(fetch) (bsc#1117665).
- kvm: x86: adjust kvm_mmu_page member to save 8 bytes (bsc#1117665).
- kvm: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON (bsc#1117665).
- kvm: x86: extend usage of RET_MMIO_PF_* constants (bsc#1117665).
- kvm: x86: make FNAME(fetch) and __direct_map more similar (bsc#1117665).
- kvm: x86: mmu: Apply global mitigations knob to ITLB_MULTIHIT (bnc#1117665).
- kvm: x86: move nsec_to_cycles from x86.c to x86.h (bsc#1149083).
- kvm: x86: remove now unneeded hugepage gfn adjustment (bsc#1117665).
- kvm: x86: simplify ept_misconfig (bsc#1117665).
- media: smsusb: better handle optional alignment (bsc#1146413).
- pci: hv: Use bytes 4 and 5 from instance ID as the PCI domain numbers (bsc#1153263).
- powerpc/64s: support nospectre_v2 cmdline option (bsc#1131107).
- powerpc/pseries: correctly track irq state in default idle (bsc#1150727 bsc#1150942 ltc#178925 ltc#181484).
- powerpc/rtas: use device model APIs and serialization during LPM (bsc#1144123 ltc#178840).
- powerpc/security: Show powerpc_security_features in debugfs (bsc#1131107).
- scsi: scsi_transport_fc: Drop double list_del() (bsc#1084878) During the backport of 260f4aeddb48 ('scsi: scsi_transport_fc: return -EBUSY for deleted vport') an additional list_del() was introduced. The list entry will be freed in fc_vport_terminate(). Do not free it premature in fc_remove_host().
- swiotlb: Add support for DMA_ATTR_SKIP_CPU_SYNC in Xen-swiotlb unmap path (bsc#1133140).
- vmci: Release resource if the work is already queued (bsc#1051510).
- x86/cpu: Add Atom Tremont (Jacobsville) (bsc#1117665).
ImportantSUSE bug 1051510SUSE bug 1084878SUSE bug 1117665SUSE bug 1131107SUSE bug 1133140SUSE bug 1135966SUSE bug 1135967SUSE bug 1136261SUSE bug 1137865SUSE bug 1139073SUSE bug 1140671SUSE bug 1141013SUSE bug 1141054SUSE bug 1142458SUSE bug 1143187SUSE bug 1144123SUSE bug 1144903SUSE bug 1145477SUSE bug 1146042SUSE bug 1146163SUSE bug 1146285SUSE bug 1146361SUSE bug 1146378SUSE bug 1146391SUSE bug 1146413SUSE bug 1146425SUSE bug 1146512SUSE bug 1146514SUSE bug 1146516SUSE bug 1146519SUSE bug 1146524SUSE bug 1146526SUSE bug 1146529SUSE bug 1146540SUSE bug 1146543SUSE bug 1146547SUSE bug 1146550SUSE bug 1146584SUSE bug 1146589SUSE bug 1147022SUSE bug 1147122SUSE bug 1148394SUSE bug 1148938SUSE bug 1149083SUSE bug 1149376SUSE bug 1149522SUSE bug 1149527SUSE bug 1149555SUSE bug 1149612SUSE bug 1150025SUSE bug 1150112SUSE bug 1150452SUSE bug 1150457SUSE bug 1150465SUSE bug 1150727SUSE bug 1150942SUSE bug 1151347SUSE bug 1151350SUSE bug 1152685SUSE bug 1152782SUSE bug 1152788SUSE bug 1153158SUSE bug 1153263SUSE bug 1154103SUSE bug 1154372SUSE bug 1155131SUSE bug 1155671CVE-2016-10906 at SUSECVE-2016-10906 at NVDCVE-2017-18379 at SUSECVE-2017-18379 at NVDCVE-2017-18509 at SUSECVE-2017-18509 at NVDCVE-2017-18551 at SUSECVE-2017-18551 at NVDCVE-2017-18595 at SUSECVE-2017-18595 at NVDCVE-2018-12207 at SUSECVE-2018-12207 at NVDCVE-2018-20976 at SUSECVE-2018-20976 at NVDCVE-2019-0154 at SUSECVE-2019-0154 at NVDCVE-2019-0155 at SUSECVE-2019-0155 at NVDCVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-11135 at SUSECVE-2019-11135 at NVDCVE-2019-13272 at SUSECVE-2019-13272 at NVDCVE-2019-14814 at SUSECVE-2019-14814 at NVDCVE-2019-14815 at SUSECVE-2019-14815 at NVDCVE-2019-14816 at SUSECVE-2019-14816 at NVDCVE-2019-14821 at SUSECVE-2019-14821 at NVDCVE-2019-14835 at SUSECVE-2019-14835 at NVDCVE-2019-15098 at SUSECVE-2019-15098 at NVDCVE-2019-15211 at SUSECVE-2019-15211 at NVDCVE-2019-15212 at SUSECVE-2019-15212 at NVDCVE-2019-15214 at SUSECVE-2019-15214 at NVDCVE-2019-15215 at SUSECVE-2019-15215 at NVDCVE-2019-15216 at SUSECVE-2019-15216 at NVDCVE-2019-15217 at SUSECVE-2019-15217 at NVDCVE-2019-15218 at SUSECVE-2019-15218 at NVDCVE-2019-15219 at SUSECVE-2019-15219 at NVDCVE-2019-15220 at SUSECVE-2019-15220 at NVDCVE-2019-15221 at SUSECVE-2019-15221 at NVDCVE-2019-15239 at SUSECVE-2019-15239 at NVDCVE-2019-15290 at SUSECVE-2019-15290 at NVDCVE-2019-15291 at SUSECVE-2019-15291 at NVDCVE-2019-15505 at SUSECVE-2019-15505 at NVDCVE-2019-15666 at SUSECVE-2019-15666 at NVDCVE-2019-15807 at SUSECVE-2019-15807 at NVDCVE-2019-15902 at SUSECVE-2019-15902 at NVDCVE-2019-15924 at SUSECVE-2019-15924 at NVDCVE-2019-15926 at SUSECVE-2019-15926 at NVDCVE-2019-15927 at SUSECVE-2019-15927 at NVDCVE-2019-16232 at SUSECVE-2019-16232 at NVDCVE-2019-16233 at SUSECVE-2019-16233 at NVDCVE-2019-16234 at SUSECVE-2019-16234 at NVDCVE-2019-16413 at SUSECVE-2019-16413 at NVDCVE-2019-16995 at SUSECVE-2019-16995 at NVDCVE-2019-17055 at SUSECVE-2019-17055 at NVDCVE-2019-17056 at SUSECVE-2019-17056 at NVDCVE-2019-17133 at SUSECVE-2019-17133 at NVDCVE-2019-17666 at SUSECVE-2019-17666 at NVDCVE-2019-9456 at SUSECVE-2019-9456 at NVDCVE-2019-9506 at SUSECVE-2019-9506 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for ucode-intel fixes the following issues:
- Updated to 20191112 security release (bsc#1155988)
- Processor Identifier Version Products
- Model Stepping F-MO-S/PI Old->New
- ---- new platforms ----------------------------------------
- CML-U62 A0 6-a6-0/80 000000c6 Core Gen10 Mobile
- CNL-U D0 6-66-3/80 0000002a Core Gen8 Mobile
- SKX-SP B1 6-55-3/97 01000150 Xeon Scalable
- ICL U/Y D1 6-7e-5/80 00000046 Core Gen10 Mobile
- ---- updated platforms ------------------------------------
- SKL U/Y D0 6-4e-3/c0 000000cc->000000d4 Core Gen6 Mobile
- SKL H/S/E3 R0/N0 6-5e-3/36 000000cc->000000d4 Core Gen6
- AML-Y22 H0 6-8e-9/10 000000b4->000000c6 Core Gen8 Mobile
- KBL-U/Y H0 6-8e-9/c0 000000b4->000000c6 Core Gen7 Mobile
- CFL-U43e D0 6-8e-a/c0 000000b4->000000c6 Core Gen8 Mobile
- WHL-U W0 6-8e-b/d0 000000b8->000000c6 Core Gen8 Mobile
- AML-Y V0 6-8e-c/94 000000b8->000000c6 Core Gen10 Mobile
- CML-U42 V0 6-8e-c/94 000000b8->000000c6 Core Gen10 Mobile
- WHL-U V0 6-8e-c/94 000000b8->000000c6 Core Gen8 Mobile
- KBL-G/X H0 6-9e-9/2a 000000b4->000000c6 Core Gen7/Gen8
- KBL-H/S/E3 B0 6-9e-9/2a 000000b4->000000c6 Core Gen7; Xeon E3 v6
- CFL-H/S/E3 U0 6-9e-a/22 000000b4->000000c6 Core Gen8 Desktop, Mobile, Xeon E
- CFL-S B0 6-9e-b/02 000000b4->000000c6 Core Gen8
- CFL-H R0 6-9e-d/22 000000b8->000000c6 Core Gen9 Mobile
- Includes security fixes for:
- CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073)
- CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035)
- requires coreutils for the %post script (bsc#1154043)
ImportantSUSE bug 1139073SUSE bug 1141035SUSE bug 1154043SUSE bug 1155988CVE-2019-11135 at SUSECVE-2019-11135 at NVDCVE-2019-11139 at SUSECVE-2019-11139 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libjpeg-turbo (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libjpeg-turbo fixes the following issues:
- CVE-2019-2201: Several integer overflow issues and subsequent segfaults occurred in libjpeg-turbo,
when attempting to compress or decompress gigapixel images. [bsc#1156402]
ImportantSUSE bug 1156402CVE-2019-2201 at SUSECVE-2019-2201 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for ghostscript (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for ghostscript fixes the following issue:
- CVE-2019-14869: Fixed a possible dSAFER escape which could have allowed
an attacker to gain high privileges by a specially crafted Postscript
code (bsc#1156275).
ImportantSUSE bug 1156275CVE-2019-14869 at SUSECVE-2019-14869 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for ucode-intel fixes the following issues:
- Updated to 20191112 official security release (bsc#1155988)
- Includes security fixes for:
- CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073)
- CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035)
ImportantSUSE bug 1139073SUSE bug 1141035SUSE bug 1155988CVE-2019-11135 at SUSECVE-2019-11135 at NVDCVE-2019-11139 at SUSECVE-2019-11139 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for sqlite3 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for sqlite3 fixes the following issues:
- CVE-2017-2518: Fixed a use-after-free vulnerability which could have
led to buffer overflow via a crafted SQL statement (bsc#1155787).
ImportantSUSE bug 1155787CVE-2017-2518 at SUSECVE-2017-2518 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for cups (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for cups fixes the following issues:
- CVE-2019-8675: Fixed a stack buffer overflow in libcups's asn1_get_type function(bsc#1146358).
- CVE-2019-8696: Fixed a stack buffer overflow in libcups's asn1_get_packed function (bsc#1146359).
ImportantSUSE bug 1146358SUSE bug 1146359CVE-2019-8675 at SUSECVE-2019-8675 at NVDCVE-2019-8696 at SUSECVE-2019-8696 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for clamav (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for clamav fixes the following issues:
Security issue fixed:
- CVE-2019-12625: Fixed a ZIP bomb issue by adding detection and heuristics for zips with overlapping files (bsc#1144504).
- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1149458).
Non-security issues fixed:
- Added the --max-scantime clamscan option and MaxScanTime clamd configuration option (bsc#1144504).
- Increased the startup timeout of clamd to 5 minutes to cater for the grown virus database as a workaround until clamd has learned to talk to systemd to extend the timeout as long as needed (bsc#1151839).
ModerateSUSE bug 1144504SUSE bug 1149458SUSE bug 1151839CVE-2019-12625 at SUSECVE-2019-12625 at NVDCVE-2019-12900 at SUSECVE-2019-12900 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for mailman (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for mailman fixes the following issues:
- CVE-2019-3693: Fixed a local privilege escalation from wwwrun to root (bsc#1154328).
ImportantSUSE bug 1154328CVE-2019-3693 at SUSECVE-2019-3693 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_7_0-openjdk fixes the following issues:
Security issues fixed (October 2019 CPU bsc#1154212):
- CVE-2019-2933: Windows file handling redux
- CVE-2019-2945: Better socket support
- CVE-2019-2949: Better Kerberos ccache handling
- CVE-2019-2958: Build Better Processes
- CVE-2019-2964: Better support for patterns
- CVE-2019-2962: Better Glyph Images
- CVE-2019-2973: Better pattern compilation
- CVE-2019-2978: Improved handling of jar files
- CVE-2019-2981: Better Path supports
- CVE-2019-2983: Better serial attributes
- CVE-2019-2987: Better rendering of native glyphs
- CVE-2019-2988: Better Graphics2D drawing
- CVE-2019-2989: Improve TLS connection support
- CVE-2019-2992: Enhance font glyph mapping
- CVE-2019-2999: Commentary on Javadoc comments
- CVE-2019-2894: Enhance ECDSA operations (bsc#1152856).
ImportantSUSE bug 1152856SUSE bug 1154212CVE-2019-2894 at SUSECVE-2019-2894 at NVDCVE-2019-2933 at SUSECVE-2019-2933 at NVDCVE-2019-2945 at SUSECVE-2019-2945 at NVDCVE-2019-2949 at SUSECVE-2019-2949 at NVDCVE-2019-2958 at SUSECVE-2019-2958 at NVDCVE-2019-2962 at SUSECVE-2019-2962 at NVDCVE-2019-2964 at SUSECVE-2019-2964 at NVDCVE-2019-2973 at SUSECVE-2019-2973 at NVDCVE-2019-2978 at SUSECVE-2019-2978 at NVDCVE-2019-2981 at SUSECVE-2019-2981 at NVDCVE-2019-2983 at SUSECVE-2019-2983 at NVDCVE-2019-2987 at SUSECVE-2019-2987 at NVDCVE-2019-2988 at SUSECVE-2019-2988 at NVDCVE-2019-2989 at SUSECVE-2019-2989 at NVDCVE-2019-2992 at SUSECVE-2019-2992 at NVDCVE-2019-2999 at SUSECVE-2019-2999 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for clamav (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for clamav fixes the following issues:
- CVE-2019-15961: Fixed a denial of service which might occur when
scanning a specially crafted email file as (bsc#1157763).
ImportantSUSE bug 1157763CVE-2019-15961 at SUSECVE-2019-15961 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for permissions (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for permissions fixes the following issues:
- CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid
which could have allowed a squid user to gain persistence by changing the
binary (bsc#1093414).
- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic
links (bsc#1150734).
- Fixed a regression which caused segmentation fault (bsc#1157198).
ModerateSUSE bug 1093414SUSE bug 1150734SUSE bug 1157198CVE-2019-3688 at SUSECVE-2019-3688 at NVDCVE-2019-3690 at SUSECVE-2019-3690 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 26 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_97 fixes several issues.
The following security issues were fixed:
- CVE-2018-20856: Fixed a use-after-free in __blk_drain_queue() due to an improper error handling (bsc#1156331).
- CVE-2019-13272: Fixed a privilege escalation from user to root due to improper handling of credentials by leveraging certain scenarios with a parent-child process relationship (bsc#1156321).
- CVE-2019-15239: Fixed a vulnerability where a local attacker could have triggered multiple use-after-free conditions resulted in privilege escalation (bsc#1156317).
- CVE-2019-10220: Fixed an issue where samba servers could inject relative paths in directory entry lists (bsc#1153108).
The following bugs were fixed:
- Fixed boot up hang revealed by int3 self test (bsc#1157770).
ImportantSUSE bug 1153108SUSE bug 1156317SUSE bug 1156321SUSE bug 1156331SUSE bug 1157770CVE-2018-20856 at SUSECVE-2018-20856 at NVDCVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-13272 at SUSECVE-2019-13272 at NVDCVE-2019-15239 at SUSECVE-2019-15239 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 27 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_100 fixes several issues.
The following security issues were fixed:
- CVE-2018-20856: Fixed a use-after-free in __blk_drain_queue() due to an improper error handling (bsc#1156331).
- CVE-2019-13272: Fixed a privilege escalation from user to root due to improper handling of credentials by leveraging certain scenarios with a parent-child process relationship (bsc#1156321).
- CVE-2019-15239: Fixed a vulnerability where a local attacker could have triggered multiple use-after-free conditions resulted in privilege escalation (bsc#1156317).
- CVE-2019-10220: Fixed an issue where samba servers could inject relative paths in directory entry lists (bsc#1153108).
The following bugs were fixed:
- Fixed boot up hang revealed by int3 self test (bsc#1157770).
ImportantSUSE bug 1153108SUSE bug 1156317SUSE bug 1156321SUSE bug 1156331SUSE bug 1157770CVE-2018-20856 at SUSECVE-2018-20856 at NVDCVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-13272 at SUSECVE-2019-13272 at NVDCVE-2019-15239 at SUSECVE-2019-15239 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 28 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_103 fixes several issues.
The following security issues were fixed:
- CVE-2019-13272: Fixed a privilege escalation from user to root due to improper handling of credentials by leveraging certain scenarios with a parent-child process relationship (bsc#1156321).
- CVE-2019-15239: Fixed a vulnerability where a local attacker could have triggered multiple use-after-free conditions resulted in privilege escalation (bsc#1156317).
- CVE-2019-10220: Fixed an issue where samba servers could inject relative paths in directory entry lists (bsc#1153108).
The following bugs were fixed:
- Fixed boot up hang revealed by int3 self test (bsc#1157770).
ImportantSUSE bug 1153108SUSE bug 1156317SUSE bug 1156321SUSE bug 1157770CVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-13272 at SUSECVE-2019-13272 at NVDCVE-2019-15239 at SUSECVE-2019-15239 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 23 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.175-94_79 fixes several issues.
The following security issues were fixed:
- CVE-2018-20856: Fixed a use-after-free in block/blk-core.c due to improper error handling (bsc#1156331).
- CVE-2019-13272: Fixed a privilege escalation from user to root due to improper handling of credentials by leveraging
certain scenarios with a parent-child process relationship (bsc#1156321).
- CVE-2019-15239: Fixed a vulnerability where a local attacker could have triggered multiple use-after-free conditions
resulted in privilege escalation (bsc#1156317).
- CVE-2019-10220: Fixed an issue where samba servers could inject relative paths in directory entry lists (bsc#1153108).
ImportantSUSE bug 1153108SUSE bug 1156317SUSE bug 1156321SUSE bug 1156331CVE-2018-20856 at SUSECVE-2018-20856 at NVDCVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-13272 at SUSECVE-2019-13272 at NVDCVE-2019-15239 at SUSECVE-2019-15239 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 24 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.176-94_88 fixes several issues.
The following security issues were fixed:
- CVE-2018-20856: Fixed a use-after-free in block/blk-core.c due to improper error handling (bsc#1156331).
- CVE-2019-13272: Fixed a privilege escalation from user to root due to improper handling of credentials by leveraging
certain scenarios with a parent-child process relationship (bsc#1156321).
- CVE-2019-15239: Fixed a vulnerability where a local attacker could have triggered multiple use-after-free conditions
resulted in privilege escalation (bsc#1156317).
- CVE-2019-10220: Fixed an issue where samba servers could inject relative paths in directory entry lists (bsc#1153108).
ImportantSUSE bug 1153108SUSE bug 1156317SUSE bug 1156321SUSE bug 1156331CVE-2018-20856 at SUSECVE-2018-20856 at NVDCVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-13272 at SUSECVE-2019-13272 at NVDCVE-2019-15239 at SUSECVE-2019-15239 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 25 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.178-94_91 fixes several issues.
The following security issues were fixed:
- CVE-2018-20856: Fixed a use-after-free in block/blk-core.c due to improper error handling (bsc#1156331).
- CVE-2019-13272: Fixed a privilege escalation from user to root due to improper handling of credentials by leveraging
certain scenarios with a parent-child process relationship (bsc#1156321).
- CVE-2019-15239: Fixed a vulnerability where a local attacker could have triggered multiple use-after-free conditions
resulted in privilege escalation (bsc#1156317).
- CVE-2019-10220: Fixed an issue where samba servers could inject relative paths in directory entry lists (bsc#1153108).
ImportantSUSE bug 1153108SUSE bug 1156317SUSE bug 1156321SUSE bug 1156331CVE-2018-20856 at SUSECVE-2018-20856 at NVDCVE-2019-10220 at SUSECVE-2019-10220 at NVDCVE-2019-13272 at SUSECVE-2019-13272 at NVDCVE-2019-15239 at SUSECVE-2019-15239 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for xen fixes the following issues:
- CVE-2019-19581: Fixed a potential out of bounds on 32-bit Arm (bsc#1158003 XSA-307).
- CVE-2019-19582: Fixed a potential infinite loop when x86 accesses to bitmaps with
a compile time known size of 64 (bsc#1158003 XSA-307).
- CVE-2019-19583: Fixed improper checks which could have allowed HVM/PVH guest userspace
code to crash the guest,leading to a guest denial of service (bsc#1158004 XSA-308).
- CVE-2019-19578: Fixed an issue where a malicious or buggy PV guest could have caused
hypervisor crash resulting in denial of service affecting the entire host (bsc#1158005 XSA-309).
- CVE-2019-19580: Fixed a privilege escalation where a malicious PV guest administrator
could have been able to escalate their privilege to that of the host (bsc#1158006 XSA-310).
- CVE-2019-19577: Fixed an issue where a malicious guest administrator could have caused Xen
to access data structures while they are being modified leading to a crash (bsc#1158007 XSA-311).
- CVE-2019-19579: Fixed a privilege escaltion where an untrusted domain with access
to a physical device can DMA into host memory (bsc#1157888 XSA-306).
- CVE-2019-18420: Malicious x86 PV guests may have caused a hypervisor crash,
resulting in a denial of service (bsc#1154448 XSA-296)
- CVE-2019-18425: 32-bit PV guest user mode could elevate its privileges to that
of the guest kernel. (bsc#1154456 XSA-298).
- CVE-2019-18421: A malicious PV guest administrator may have been able to
escalate their privilege to that of the host. (bsc#1154458 XSA-299).
- CVE-2019-18423: A malicious guest administrator may cause a hypervisor crash,
resulting in a denial of service (bsc#1154460 XSA-301).
- CVE-2019-18422: A malicious ARM guest might contrive to arrange for critical
Xen code to run with interrupts erroneously enabled. This could lead to data
corruption, denial of service, or possibly even privilege escalation. However
a precise attack technique has not been identified. (bsc#1154464 XSA-303)
- CVE-2019-18424: An untrusted domain with access to a physical device can DMA
into host memory, leading to privilege escalation. (bsc#1154461 XSA-302).
- CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race
condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine
Exception during Page Size Change, causing the CPU core to be non-functional.
(bsc#1155945 XSA-304)
- CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with
Transactional Memory support could be used to facilitate sidechannel
information leaks out of microarchitectural buffers, similar to the
previously described 'Microarchitectural Data Sampling' attack. (bsc#1152497 XSA-305).
ImportantSUSE bug 1152497SUSE bug 1154448SUSE bug 1154456SUSE bug 1154458SUSE bug 1154460SUSE bug 1154461SUSE bug 1154464SUSE bug 1155945SUSE bug 1157888SUSE bug 1158003SUSE bug 1158004SUSE bug 1158005SUSE bug 1158006SUSE bug 1158007CVE-2018-12207 at SUSECVE-2018-12207 at NVDCVE-2019-11135 at SUSECVE-2019-11135 at NVDCVE-2019-18420 at SUSECVE-2019-18420 at NVDCVE-2019-18421 at SUSECVE-2019-18421 at NVDCVE-2019-18422 at SUSECVE-2019-18422 at NVDCVE-2019-18423 at SUSECVE-2019-18423 at NVDCVE-2019-18424 at SUSECVE-2019-18424 at NVDCVE-2019-18425 at SUSECVE-2019-18425 at NVDCVE-2019-19577 at SUSECVE-2019-19577 at NVDCVE-2019-19578 at SUSECVE-2019-19578 at NVDCVE-2019-19579 at SUSECVE-2019-19579 at NVDCVE-2019-19580 at SUSECVE-2019-19580 at NVDCVE-2019-19581 at SUSECVE-2019-19581 at NVDCVE-2019-19582 at SUSECVE-2019-19582 at NVDCVE-2019-19583 at SUSECVE-2019-19583 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
Mozilla Firefox was updated to 68.3esr (MFSA 2019-37 bsc#1158328)
Security issues fixed:
- CVE-2019-17008: Fixed a use-after-free in worker destruction (bmo#1546331)
- CVE-2019-13722: Fixed a stack corruption due to incorrect number of arguments
in WebRTC code (bmo#1580156)
- CVE-2019-11745: Fixed an out of bounds write in NSS when encrypting with a
block cipher (bmo#1586176)
- CVE-2019-17009: Fixed an issue where updater temporary files accessible to
unprivileged processes (bmo#1510494)
- CVE-2019-17010: Fixed a use-after-free when performing device orientation
checks (bmo#1581084)
- CVE-2019-17005: Fixed a buffer overflow in plain text serializer (bmo#1584170)
- CVE-2019-17011: Fixed a use-after-free when retrieving a document
in antitracking (bmo#1591334)
- CVE-2019-17012: Fixed multiple memmory issues
(bmo#1449736, bmo#1533957, bmo#1560667,bmo#1567209, bmo#1580288, bmo#1585760,
bmo#1592502)
ImportantSUSE bug 1158328CVE-2019-11745 at SUSECVE-2019-11745 at NVDCVE-2019-13722 at SUSECVE-2019-13722 at NVDCVE-2019-17005 at SUSECVE-2019-17005 at NVDCVE-2019-17008 at SUSECVE-2019-17008 at NVDCVE-2019-17009 at SUSECVE-2019-17009 at NVDCVE-2019-17010 at SUSECVE-2019-17010 at NVDCVE-2019-17011 at SUSECVE-2019-17011 at NVDCVE-2019-17012 at SUSECVE-2019-17012 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
The SUSE Linux Enterprise 12 SP 3 LTSS kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2019-14895: A heap-based buffer overflow was discovered in the Linux kernel in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could have allowed the remote device to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1157158).
- CVE-2019-18660: The Linux kernel on powerpc allowed Information Exposure because the Spectre-RSB mitigation is not in place for all applicable CPUs. This is related to arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c (bnc#1157038).
- CVE-2019-18683: An issue was discovered in drivers/media/platform/vivid in the Linux kernel. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free (bnc#1155897).
- CVE-2019-19062: A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures (bnc#1157333).
- CVE-2019-19065: A memory leak in the sdma_init() function in drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering rhashtable_init() failures (bnc#1157191).
- CVE-2019-19052: A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_usb.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures (bnc#1157324).
- CVE-2019-19074: A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157143).
- CVE-2019-19073: Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the htc_connect_service() function (bnc#1157070).
- CVE-2019-16231: drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 did not check the alloc_workqueue return value, leading to a NULL pointer dereference (bnc#1150466).
- CVE-2019-18805: An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Linux kernel There was a net/ipv4/tcp_input.c signed integer overflow in tcp_ack_update_rtt() when userspace writes a very large integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading to a denial of service or possibly unspecified other impact (bnc#1156187).
- CVE-2019-18680: An issue was discovered in the Linux kernel. There was a NULL pointer dereference in rds_tcp_kill_sock() in net/rds/tcp.c that will cause denial of service (bnc#1155898).
- CVE-2019-15213: An use-after-free was fixed caused by malicious USB device in drivers/media/usb/dvb-usb/dvb-usb-init.c (bsc#1146544).
- CVE-2019-19536: An uninitialized Kernel memory can leak to USB devices in drivers/net/can/usb/peak_usb/pcan_usb_pro.c (bsc#1158394).
- CVE-2019-19534: An uninitialized Kernel memory can leak to USB devices in drivers/net/can/usb/peak_usb/pcan_usb_core.c (bsc#1158398).
- CVE-2019-19530: An use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver (bsc#1158410).
- CVE-2019-19524: An use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver (bsc#1158413).
- CVE-2019-19525: An use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver (bsc#1158417).
- CVE-2019-19531: An use-after-free in yurex_delete may lead to denial of service (bsc#1158445).
- CVE-2019-19523: An use-after-free on disconnect in USB adutux (bsc#1158823).
- CVE-2019-19532: An out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers (bsc#1158824).
- CVE-2019-19332: An out-of-bounds memory write via kvm_dev_ioctl_get_cpuid (bsc#1158827).
- CVE-2019-19533: An info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver (bsc#1158834).
- CVE-2019-19527: An use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver (bsc#1158900).
- CVE-2019-19535: An info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver (bsc#1158903).
- CVE-2019-19537: Two races in the USB character device registration and deregistration routines (bsc#1158904).
- CVE-2019-19338: An incomplete fix for Transaction Asynchronous Abort (TAA) (bsc#1158954).
The following non-security bugs were fixed:
- hyperv: set nvme msi interrupts to unmanaged (jsc#SLE-8953, jsc#SLE-9221, jsc#SLE-4941, bsc#1119461, bsc#1119465, bsc#1138190, bsc#1154905).
- ibmvnic: Bound waits for device queries (bsc#1155689 ltc#182047).
- ibmvnic: Fix completion structure initialization (bsc#1155689 ltc#182047).
- ibmvnic: Serialize device queries (bsc#1155689 ltc#182047).
- ibmvnic: Terminate waiting device threads after loss of service (bsc#1155689 ltc#182047).
- netfilter: nf_nat: do not bug when mapping already exists (bsc#1146612).
- powerpc/security/book3s64: Report L1TF status in sysfs (bsc#1091041).
- powerpc/security: Fix wrong message when RFI Flush is disable (bsc#1131107).
- sched/fair: WARN() and refuse to set buddy when !se->on_rq (bsc#1158132).
- x86/alternatives: Add int3_emulate_call() selftest (bsc#1153811).
- x86/alternatives: Fix int3_emulate_call() selftest stack corruption (bsc#1153811).
- xen/pv: Fix a boot up hang revealed by int3 self test (bsc#1153811).
- arp: Fix cache issue during Life Partition Migration (bsc#1152631).
- futexes: Fix speed on 4.12 kernel (bsc#1157464).
ImportantSUSE bug 1091041SUSE bug 1119461SUSE bug 1119465SUSE bug 1131107SUSE bug 1138190SUSE bug 1146544SUSE bug 1146612SUSE bug 1150466SUSE bug 1150483SUSE bug 1152631SUSE bug 1153811SUSE bug 1154905SUSE bug 1155689SUSE bug 1155897SUSE bug 1155898SUSE bug 1156187SUSE bug 1157038SUSE bug 1157042SUSE bug 1157070SUSE bug 1157143SUSE bug 1157158SUSE bug 1157191SUSE bug 1157324SUSE bug 1157333SUSE bug 1157464SUSE bug 1158132SUSE bug 1158394SUSE bug 1158398SUSE bug 1158410SUSE bug 1158413SUSE bug 1158417SUSE bug 1158445SUSE bug 1158823SUSE bug 1158824SUSE bug 1158827SUSE bug 1158834SUSE bug 1158900SUSE bug 1158903SUSE bug 1158904SUSE bug 1158954CVE-2019-14895 at SUSECVE-2019-14895 at NVDCVE-2019-15213 at SUSECVE-2019-15213 at NVDCVE-2019-16231 at SUSECVE-2019-16231 at NVDCVE-2019-18660 at SUSECVE-2019-18660 at NVDCVE-2019-18680 at SUSECVE-2019-18680 at NVDCVE-2019-18683 at SUSECVE-2019-18683 at NVDCVE-2019-18805 at SUSECVE-2019-18805 at NVDCVE-2019-19052 at SUSECVE-2019-19052 at NVDCVE-2019-19062 at SUSECVE-2019-19062 at NVDCVE-2019-19065 at SUSECVE-2019-19065 at NVDCVE-2019-19073 at SUSECVE-2019-19073 at NVDCVE-2019-19074 at SUSECVE-2019-19074 at NVDCVE-2019-19332 at SUSECVE-2019-19332 at NVDCVE-2019-19338 at SUSECVE-2019-19338 at NVDCVE-2019-19523 at SUSECVE-2019-19523 at NVDCVE-2019-19524 at SUSECVE-2019-19524 at NVDCVE-2019-19525 at SUSECVE-2019-19525 at NVDCVE-2019-19527 at SUSECVE-2019-19527 at NVDCVE-2019-19530 at SUSECVE-2019-19530 at NVDCVE-2019-19531 at SUSECVE-2019-19531 at NVDCVE-2019-19532 at SUSECVE-2019-19532 at NVDCVE-2019-19533 at SUSECVE-2019-19533 at NVDCVE-2019-19534 at SUSECVE-2019-19534 at NVDCVE-2019-19535 at SUSECVE-2019-19535 at NVDCVE-2019-19536 at SUSECVE-2019-19536 at NVDCVE-2019-19537 at SUSECVE-2019-19537 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for freeradius-server (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for freeradius-server fixes the following issues:
- CVE-2019-13456: Fixed a side-channel password leak in EAP-pwd
(bsc#1144524).
- CVE-2019-17185: Fixed a debial of service due to multithreaded
BN_CTX access (bsc#1166847).
- Fixed an issue in TLS-EAP where the OCSP verification, when an
intermediate client certificate was not explicitly trusted
(bsc#1146848).
ModerateSUSE bug 1144524SUSE bug 1146848SUSE bug 1166847CVE-2019-13456 at SUSECVE-2019-13456 at NVDCVE-2019-17185 at SUSECVE-2019-17185 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for cups (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for cups fixes the following issues:
- CVE-2020-3898: Fixed a heap buffer overflow in ppdFindOption() (bsc#1168422).
ImportantSUSE bug 1168422CVE-2020-3898 at SUSECVE-2020-3898 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for pam_radius (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for pam_radius fixes the following issues:
- CVE-2015-9542: Fixed a buffer overflow in password field (bsc#1163933).
- On s390x didn't decrypt passwords correctly (bsc#1141670).
ImportantSUSE bug 1141670SUSE bug 1163933CVE-2015-9542 at SUSECVE-2015-9542 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for webkit2gtk3 to version 2.28.1 fixes the following issues:
Security issues fixed:
- CVE-2020-10018: Fixed a denial of service because the m_deferredFocusedNodeChange data structure was mishandled (bsc#1165528).
- CVE-2020-11793: Fixed a potential arbitrary code execution caused by a use-after-free vulnerability (bsc#1169658).
- CVE-2019-8835: Fixed multiple memory corruption issues (bsc#1161719).
- CVE-2019-8844: Fixed multiple memory corruption issues (bsc#1161719).
- CVE-2019-8846: Fixed a use-after-free issue (bsc#1161719).
- CVE-2020-3862: Fixed a memory handling issue (bsc#1163809).
- CVE-2020-3867: Fixed an XSS issue (bsc#1163809).
- CVE-2020-3868: Fixed multiple memory corruption issues that could have lead to arbitrary code execution (bsc#1163809).
- CVE-2020-3864,CVE-2020-3865: Fixed logic issues in the DOM object context handling (bsc#1163809).
Non-security issues fixed:
- Add API to enable Process Swap on (Cross-site) Navigation.
- Add user messages API for the communication with the web extension.
- Add support for same-site cookies.
- Service workers are enabled by default.
- Add support for Pointer Lock API.
- Add flatpak sandbox support.
- Make ondemand hardware acceleration policy never leave accelerated compositing mode.
- Always use a light theme for rendering form controls.
- Add about:gpu to show information about the graphics stack.
- Fixed issues while trying to play a video on NextCloud.
- Fixed vertical alignment of text containing arabic diacritics.
- Fixed build with icu 65.1.
- Fixed page loading errors with websites using HSTS.
- Fixed web process crash when displaying a KaTeX formula.
- Fixed several crashes and rendering issues.
- Switched to a single web process for Evolution and geary (bsc#1159329).
ImportantSUSE bug 1155321SUSE bug 1156318SUSE bug 1159329SUSE bug 1161719SUSE bug 1163809SUSE bug 1165528SUSE bug 1169658CVE-2019-8625 at SUSECVE-2019-8625 at NVDCVE-2019-8710 at SUSECVE-2019-8710 at NVDCVE-2019-8720 at SUSECVE-2019-8720 at NVDCVE-2019-8743 at SUSECVE-2019-8743 at NVDCVE-2019-8764 at SUSECVE-2019-8764 at NVDCVE-2019-8766 at SUSECVE-2019-8766 at NVDCVE-2019-8769 at SUSECVE-2019-8769 at NVDCVE-2019-8771 at SUSECVE-2019-8771 at NVDCVE-2019-8782 at SUSECVE-2019-8782 at NVDCVE-2019-8783 at SUSECVE-2019-8783 at NVDCVE-2019-8808 at SUSECVE-2019-8808 at NVDCVE-2019-8811 at SUSECVE-2019-8811 at NVDCVE-2019-8812 at SUSECVE-2019-8812 at NVDCVE-2019-8813 at SUSECVE-2019-8813 at NVDCVE-2019-8814 at SUSECVE-2019-8814 at NVDCVE-2019-8815 at SUSECVE-2019-8815 at NVDCVE-2019-8816 at SUSECVE-2019-8816 at NVDCVE-2019-8819 at SUSECVE-2019-8819 at NVDCVE-2019-8820 at SUSECVE-2019-8820 at NVDCVE-2019-8823 at SUSECVE-2019-8823 at NVDCVE-2019-8835 at SUSECVE-2019-8835 at NVDCVE-2019-8844 at SUSECVE-2019-8844 at NVDCVE-2019-8846 at SUSECVE-2019-8846 at NVDCVE-2020-10018 at SUSECVE-2020-10018 at NVDCVE-2020-11793 at SUSECVE-2020-11793 at NVDCVE-2020-3862 at SUSECVE-2020-3862 at NVDCVE-2020-3864 at SUSECVE-2020-3864 at NVDCVE-2020-3865 at SUSECVE-2020-3865 at NVDCVE-2020-3867 at SUSECVE-2020-3867 at NVDCVE-2020-3868 at SUSECVE-2020-3868 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for shibboleth-sp (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for shibboleth-sp fixes the following issues:
Security issue fixed:
- CVE-2019-19191: Fixed escalation to root by fixing ownership of log files (bsc#1157471).
ModerateSUSE bug 1157471CVE-2019-19191 at SUSECVE-2019-19191 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for ceph (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for ceph fixes the following issues:
- CVE-2020-12059: Fixed a denial of service caused by a specially crafted XML payload on POST requests (bsc#1170170).
ImportantSUSE bug 1170170CVE-2020-12059 at SUSECVE-2020-12059 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for LibVNCServer (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for LibVNCServer fixes the following issues:
- CVE-2019-15690: Fixed a heap buffer overflow (bsc#1160471).
- CVE-2019-15681: Fixed a memory leak which could have allowed to a remote attacker to read stack memory (bsc#1155419).
- CVE-2019-20788: Fixed a integer overflow and heap-based buffer overflow via a large height or width value (bsc#1170441).
ImportantSUSE bug 1155419SUSE bug 1160471SUSE bug 1170441CVE-2019-15681 at SUSECVE-2019-15681 at NVDCVE-2019-15690 at SUSECVE-2019-15690 at NVDCVE-2019-20788 at SUSECVE-2019-20788 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for icu (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for icu fixes the following issues:
- CVE-2020-10531: Fixed integer overflow in UnicodeString:doAppend() (bsc#1166844).
ModerateSUSE bug 1166844CVE-2020-10531 at SUSECVE-2020-10531 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for openldap2 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for openldap2 fixes the following issues:
- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).
ImportantSUSE bug 1170771CVE-2020-12243 at SUSECVE-2020-12243 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for webkit2gtk3 fixes the following issues:
Security issue fixed:
- CVE-2020-3899: Fixed a memory consumption issue that could have led to remote code execution (bsc#1170643).
Non-security issues fixed:
- Update to version 2.28.2 (bsc#1170643):
+ Fix excessive CPU usage due to GdkFrameClock not being stopped.
+ Fix UI process crash when EGL_WL_bind_wayland_display extension
is not available.
+ Fix position of select popup menus in X11.
+ Fix playing of Youtube 'live stream'/H264 URLs.
+ Fix a crash under X11 when cairo uses xcb.
+ Fix the build in MIPS64.
+ Fix several crashes and rendering issues.
ImportantSUSE bug 1170643CVE-2020-3899 at SUSECVE-2020-3899 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for ghostscript (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for ghostscript to version 9.52 fixes the following issues:
- CVE-2020-12268: Fixed a heap-based buffer overflow in jbig2_image_compose (bsc#1170603).
ImportantSUSE bug 1170603CVE-2020-12268 at SUSECVE-2020-12268 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
Update to version 68.8.0 ESR (bsc#1171186):
- CVE-2020-12387: Use-after-free during worker shutdown
- CVE-2020-12388: Sandbox escape with improperly guarded Access Tokens
- CVE-2020-12389: Sandbox escape with improperly separated process types
- CVE-2020-6831: Buffer overflow in SCTP chunk input validation
- CVE-2020-12392: Arbitrary local file access with 'Copy as cURL'
- CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection
- CVE-2020-12395: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
ImportantSUSE bug 1171186CVE-2020-12387 at SUSECVE-2020-12387 at NVDCVE-2020-12388 at SUSECVE-2020-12388 at NVDCVE-2020-12389 at SUSECVE-2020-12389 at NVDCVE-2020-12392 at SUSECVE-2020-12392 at NVDCVE-2020-12393 at SUSECVE-2020-12393 at NVDCVE-2020-12395 at SUSECVE-2020-12395 at NVDCVE-2020-6831 at SUSECVE-2020-6831 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for squid (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for squid fixes the following issues:
- CVE-2019-12519, CVE-2019-12521: fixes incorrect buffer handling that can
result in cache poisoning, remote execution, and denial of service attacks
when processing ESI responses (bsc#1169659).
- CVE-2020-11945: fixes a potential remote execution vulnerability
when using HTTP Digest Authentication (bsc#1170313).
- CVE-2019-12520, CVE-2019-12524: fixes a potential ACL bypass, cache-bypass
and cross-site scripting attack when processing invalid HTTP
Request messages (bsc#1170423).
ImportantSUSE bug 1169659SUSE bug 1170313SUSE bug 1170423CVE-2019-12519 at SUSECVE-2019-12519 at NVDCVE-2019-12520 at SUSECVE-2019-12520 at NVDCVE-2019-12521 at SUSECVE-2019-12521 at NVDCVE-2019-12524 at SUSECVE-2019-12524 at NVDCVE-2020-11945 at SUSECVE-2020-11945 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for apache2 fixes the following issues:
- CVE-2020-1934: mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server (bsc#1168404).
- CVE-2020-1927: mod_rewrite configurations vulnerable to open redirect (bsc#1168407).
- CVE-2020-1938: mod_proxy_ajp: Add 'secret' parameter to proxy workers to implement legacy AJP13 authentication (bsc#1169066).
ImportantSUSE bug 1168404SUSE bug 1168407SUSE bug 1169066CVE-2020-1927 at SUSECVE-2020-1927 at NVDCVE-2020-1934 at SUSECVE-2020-1934 at NVDCVE-2020-1938 at SUSECVE-2020-1938 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-11494: An issue was discovered in slc_bump in drivers/net/can/slcan.c, which allowed attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL (bnc#1168424).
- CVE-2020-10942: In get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls (bnc#1167629).
- CVE-2020-8647: Fixed a use-after-free vulnerability in the vc_do_resize function in drivers/tty/vt/vt.c (bnc#1162929).
- CVE-2020-8649: Fixed a use-after-free vulnerability in the vgacon_invert_region function in drivers/video/console/vgacon.c (bnc#1162931).
- CVE-2020-9383: Fixed an issue in set_fdc in drivers/block/floppy.c, which leads to a wait_til_ready out-of-bounds read (bnc#1165111).
- CVE-2019-9458: In the video driver there was a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed (bnc#1168295).
- CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bnc#1120386).
- CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bnc#1159285).
- CVE-2020-11609: Fixed a NULL pointer dereference in the stv06xx subsystem caused by mishandling invalid descriptors (bnc#1168854).
- CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).
- CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).
- CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bnc#1170345).
- CVE-2020-11608: Fixed an issue in drivers/media/usb/gspca/ov519.c caused by a NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs when there are zero endpoints (bnc#1168829).
- CVE-2017-18255: The perf_cpu_time_max_percent_handler function in kernel/events/core.c allowed local users to cause a denial of service (integer overflow) or possibly have unspecified other impact via a large value, as demonstrated by an incorrect sample-rate calculation (bnc#1087813).
- CVE-2020-8648: There was a use-after-free vulnerability in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bnc#1162928).
- CVE-2020-2732: A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest (bnc#1163971).
- CVE-2019-5108: Fixed a denial-of-service vulnerability caused by triggering AP to send IAPP location updates for stations before the required authentication process has completed (bnc#1159912).
- CVE-2020-8992: ext4_protect_reserved_inode in fs/ext4/block_validity.c allowed attackers to cause a denial of service (soft lockup) via a crafted journal size (bnc#1164069).
- CVE-2018-21008: Fixed a use-after-free which could be caused by the function rsi_mac80211_detach in the file drivers/net/wireless/rsi/rsi_91x_mac80211.c (bnc#1149591).
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bnc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in Marvell WiFi chip driver. An attacker is able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bnc#1157155).
- CVE-2019-18675: Fixed an integer overflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c because cpia2 has its own mmap implementation. This allowed local users (with /dev/video0 access) to obtain read and write permissions on kernel physical pages, which can possibly result in a privilege escalation (bnc#1157804).
- CVE-2019-14615: Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R) Processor Graphics may have allowed an unauthenticated user to potentially enable information disclosure via local access (bnc#1160195, bsc#1165881).
- CVE-2019-19965: Fixed a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition (bnc#1159911).
- CVE-2019-20054: Fixed a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links (bnc#1159910).
- CVE-2019-20096: Fixed a memory leak in __feat_register_sp() in net/dccp/feat.c, which may cause denial of service (bnc#1159908).
- CVE-2019-19966: Fixed a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that will cause denial of service (bnc#1159841).
- CVE-2019-19447: Fixed an issue with mounting a crafted ext4 filesystem image, performing some operations, and unmounting could lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c (bnc#1158819).
- CVE-2019-19319: Fixed an issue with a setxattr operation, after a mount of a crafted ext4 image, can cause a slab-out-of-bounds write access because of an ext4_xattr_set_entry use-after-free in fs/ext4/xattr.c when a large old_size value is used in a memset call (bnc#1158021).
- CVE-2019-19767: Fixed mishandling of ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c (bnc#1159297).
- CVE-2019-11091,CVE-2018-12126,CVE-2018-12130,CVE-2018-12127: Earlier mitigations for the 'MDS' Microarchitectural Data Sampling attacks were not complete.
An additional fix was added to the x86_64 fast systemcall path to further mitigate these attacks. (bsc#1164846 bsc#1170847)
The following non-security bugs were fixed:
- blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285).
- blktrace: fix dereference after null check (bsc#1159285).
- blktrace: fix trace mutex deadlock (bsc#1159285).
- btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered extents (bsc#1163508).
- btrfs: fix panic during relocation after ENOSPC before writeback happens (bsc#1163508).
- btrfs: qgroup: Fix root item corruption when multiple same source snapshots are created with quota enabled (bsc#1158642)
- btrfs: relocation: fix reloc_root lifespan and access (bsc#1164009).
- enic: prevent waking up stopped tx queues over watchdog reset (bsc#1133147).
- fix PageHeadHuge() race with THP split (VM Functionality, bsc#1165311).
- fs/xfs: fix f_ffree value for statfs when project quota is set (bsc#1165985).
- ibmvnic: Bound waits for device queries (bsc#1155689 ltc#182047).
- ibmvnic: Fix completion structure initialization (bsc#1155689 ltc#182047).
- ibmvnic: Serialize device queries (bsc#1155689 ltc#182047).
- ibmvnic: Terminate waiting device threads after loss of service (bsc#1155689 ltc#182047).
- input: add safety guards to input_set_keycode() (bsc#1168075).
- ipv4: correct gso_size for UFO (bsc#1154844).
- ipv6: fix memory accounting during ipv6 queue expire (bsc#1162227) (bsc#1162227).
- ipvlan: do not add hardware address of master to its unicast filter list (bsc#1137325).
- md: add mddev->pers to avoid potential NULL pointer dereference (bsc#1056134).
- md/bitmap: do not read page from device with Bitmap_sync (bsc#1056134).
- md: change the initialization value for a spare device spot to MD_DISK_ROLE_SPARE (bsc#1056134).
- md: Delete gendisk before cleaning up the request queue (bsc#1056134).
- md: do not call bitmap_create() while array is quiesced (bsc#1056134).
- md: do not set In_sync if array is frozen (bsc#1056134).
- md: fix a potential deadlock of raid5/raid10 reshape (bsc#1056134).
- md: md.c: Return -ENODEV when mddev is NULL in rdev_attr_show (bsc#1056134).
- md: notify about new spare disk in the container (bsc#1056134).
- md/raid0: Fix buffer overflow at debug print (bsc#1164051).
- md/raid10: end bio when the device faulty (bsc#1056134).
- md/raid10: Fix raid10 replace hang when new added disk faulty (bsc#1056134).
- md/raid1,raid10: silence warning about wait-within-wait (bsc#1056134).
- md: return -ENODEV if rdev has no mddev assigned (bsc#1056134).
- media: ov519: add missing endpoint sanity checks (bsc#1168829).
- media: stv06xx: add missing descriptor sanity checks (bsc#1168854).
- net: ena: Add PCI shutdown handler to allow safe kexec (bsc#1167421, bsc#1167423).
- netfilter: conntrack: sctp: use distinct states for new SCTP connections (bsc#1159199).
- net/ibmvnic: Fix typo in retry check (bsc#1155689 ltc#182047).
- rpm/kernel-binary.spec.in: Replace Novell with SUSE
- sched/fair: Scale bandwidth quota and period without losing quota/period ratio precision (bsc#1161586).
- scsi: core: avoid repetitive logging of device offline messages (bsc#1145929).
- scsi: core: kABI fix already_offline (bsc#1145929).
- tcp: clear tp->packets_out when purging write queue (bsc#1154118).
- x86/mitigations: Clear CPU buffers on the SYSCALL fast path (bsc#1164846 bsc#1170847).
- xfs: also remove cached ACLs when removing the underlying attr (bsc#1165873).
- xfs: bulkstat should copy lastip whenever userspace supplies one (bsc#1165984).
ImportantSUSE bug 1056134SUSE bug 1087813SUSE bug 1120386SUSE bug 1133147SUSE bug 1137325SUSE bug 1145929SUSE bug 1149591SUSE bug 1154118SUSE bug 1154844SUSE bug 1155689SUSE bug 1157155SUSE bug 1157157SUSE bug 1157303SUSE bug 1157804SUSE bug 1158021SUSE bug 1158642SUSE bug 1158819SUSE bug 1159199SUSE bug 1159285SUSE bug 1159297SUSE bug 1159841SUSE bug 1159908SUSE bug 1159910SUSE bug 1159911SUSE bug 1159912SUSE bug 1160195SUSE bug 1161586SUSE bug 1162227SUSE bug 1162928SUSE bug 1162929SUSE bug 1162931SUSE bug 1163508SUSE bug 1163971SUSE bug 1164009SUSE bug 1164051SUSE bug 1164069SUSE bug 1164078SUSE bug 1164846SUSE bug 1165111SUSE bug 1165311SUSE bug 1165873SUSE bug 1165881SUSE bug 1165984SUSE bug 1165985SUSE bug 1167421SUSE bug 1167423SUSE bug 1167629SUSE bug 1168075SUSE bug 1168295SUSE bug 1168424SUSE bug 1168829SUSE bug 1168854SUSE bug 1170056SUSE bug 1170345SUSE bug 1170778SUSE bug 1170847CVE-2017-18255 at SUSECVE-2017-18255 at NVDCVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2018-21008 at SUSECVE-2018-21008 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDCVE-2019-14615 at SUSECVE-2019-14615 at NVDCVE-2019-14896 at SUSECVE-2019-14896 at NVDCVE-2019-14897 at SUSECVE-2019-14897 at NVDCVE-2019-18675 at SUSECVE-2019-18675 at NVDCVE-2019-19066 at SUSECVE-2019-19066 at NVDCVE-2019-19319 at SUSECVE-2019-19319 at NVDCVE-2019-19447 at SUSECVE-2019-19447 at NVDCVE-2019-19767 at SUSECVE-2019-19767 at NVDCVE-2019-19768 at SUSECVE-2019-19768 at NVDCVE-2019-19965 at SUSECVE-2019-19965 at NVDCVE-2019-19966 at SUSECVE-2019-19966 at NVDCVE-2019-20054 at SUSECVE-2019-20054 at NVDCVE-2019-20096 at SUSECVE-2019-20096 at NVDCVE-2019-3701 at SUSECVE-2019-3701 at NVDCVE-2019-5108 at SUSECVE-2019-5108 at NVDCVE-2019-9455 at SUSECVE-2019-9455 at NVDCVE-2019-9458 at SUSECVE-2019-9458 at NVDCVE-2020-10690 at SUSECVE-2020-10690 at NVDCVE-2020-10720 at SUSECVE-2020-10720 at NVDCVE-2020-10942 at SUSECVE-2020-10942 at NVDCVE-2020-11494 at SUSECVE-2020-11494 at NVDCVE-2020-11608 at SUSECVE-2020-11608 at NVDCVE-2020-11609 at SUSECVE-2020-11609 at NVDCVE-2020-2732 at SUSECVE-2020-2732 at NVDCVE-2020-8647 at SUSECVE-2020-8647 at NVDCVE-2020-8648 at SUSECVE-2020-8648 at NVDCVE-2020-8649 at SUSECVE-2020-8649 at NVDCVE-2020-8992 at SUSECVE-2020-8992 at NVDCVE-2020-9383 at SUSECVE-2020-9383 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for python-PyYAML (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for python-PyYAML fixes the following issues:
- CVE-2020-1747: Fixed an arbitrary code execution when YAML files are parsed by FullLoader (bsc#1165439).
ImportantSUSE bug 1165439CVE-2020-1747 at SUSECVE-2020-1747 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for git (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for git to 2.26.2 fixes the following issues:
Security issue fixed:
- CVE-2020-11008: Specially crafted URLs may have tricked the credentials helper
to providing credential information that is not appropriate for the protocol
in use and host being contacted (bsc#1169936).
Non-security issue fixed:
- Fixed git-daemon not starting after conversion from sysvinit to systemd service (bsc#1169605).
- Enabled access for git-daemon in firewall configuration (bsc#1170302).
- Fixed problems with recent switch to protocol v2, which caused fetches transferring unreasonable amount of data (bsc#1170741).
ModerateSUSE bug 1149792SUSE bug 1168930SUSE bug 1169605SUSE bug 1169786SUSE bug 1169936SUSE bug 1170302SUSE bug 1170741SUSE bug 1170939CVE-2020-11008 at SUSECVE-2020-11008 at NVDCVE-2020-5260 at SUSECVE-2020-5260 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for mailman (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for mailman fixes the following issues:
Security issue fixed:
- CVE-2020-12108: Fixed a content injection bug (bsc#1171363).
- CVE-2020-12137: Fixed a XSS vulnerability caused by MIME type confusion (bsc#1170558).
Non-security issue fixed:
- Fixed rights and ownership on /var/lib/mailman/archives (bsc#1167068).
- Don't default to invalid hosts for DEFAULT_EMAIL_HOST (bsc#682920).
ImportantSUSE bug 1167068SUSE bug 1170558SUSE bug 1171363SUSE bug 682920CVE-2020-12108 at SUSECVE-2020-12108 at NVDCVE-2020-12137 at SUSECVE-2020-12137 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_113 fixes several issues.
The following security issues were fixed:
- CVE-2020-12653: Fixed a buffer overflow in mwifiex_cmd_append_vsie_tlv() which could have allowed local users to gain privileges or cause a denial of service (bsc#1171254).
- CVE-2020-12654: Fixed a heap-based buffer overflow in mwifiex_ret_wmm_get_status() which could have been triggered by a remote AP to trigger (bsc#1171252).
ImportantSUSE bug 1171252SUSE bug 1171254CVE-2020-12653 at SUSECVE-2020-12653 at NVDCVE-2020-12654 at SUSECVE-2020-12654 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_107 fixes several issues.
The following security issues were fixed:
- CVE-2020-12653: Fixed a buffer overflow in mwifiex_cmd_append_vsie_tlv() which could have allowed local users to gain privileges or cause a denial of service (bsc#1171254).
- CVE-2020-12654: Fixed a heap-based buffer overflow in mwifiex_ret_wmm_get_status() which could have been triggered by a remote AP to trigger (bsc#1171252).
ImportantSUSE bug 1171252SUSE bug 1171254CVE-2020-12653 at SUSECVE-2020-12653 at NVDCVE-2020-12654 at SUSECVE-2020-12654 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 28 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_103 fixes several issues.
The following security issues were fixed:
- CVE-2020-12653: Fixed a buffer overflow in mwifiex_cmd_append_vsie_tlv() which could have allowed local users to gain privileges or cause a denial of service (bsc#1171254).
- CVE-2020-12654: Fixed a heap-based buffer overflow in mwifiex_ret_wmm_get_status() which could have been triggered by a remote AP to trigger (bsc#1171252).
ImportantSUSE bug 1171252SUSE bug 1171254CVE-2020-12653 at SUSECVE-2020-12653 at NVDCVE-2020-12654 at SUSECVE-2020-12654 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 27 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_100 fixes several issues.
The following security issues were fixed:
- CVE-2020-12653: Fixed a buffer overflow in mwifiex_cmd_append_vsie_tlv() which could have allowed local users to gain privileges or cause a denial of service (bsc#1171254).
- CVE-2020-12654: Fixed a heap-based buffer overflow in mwifiex_ret_wmm_get_status() which could have been triggered by a remote AP to trigger (bsc#1171252).
ImportantSUSE bug 1171252SUSE bug 1171254CVE-2020-12653 at SUSECVE-2020-12653 at NVDCVE-2020-12654 at SUSECVE-2020-12654 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 26 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_97 fixes several issues.
The following security issues were fixed:
- CVE-2020-12653: Fixed a buffer overflow in mwifiex_cmd_append_vsie_tlv() which could have allowed local users to gain privileges or cause a denial of service (bsc#1171254).
- CVE-2020-12654: Fixed a heap-based buffer overflow in mwifiex_ret_wmm_get_status() which could have been triggered by a remote AP to trigger (bsc#1171252).
ImportantSUSE bug 1171252SUSE bug 1171254CVE-2020-12653 at SUSECVE-2020-12653 at NVDCVE-2020-12654 at SUSECVE-2020-12654 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 25 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.178-94_91 fixes several issues.
The following security issues were fixed:
- CVE-2020-12653: Fixed a buffer overflow in mwifiex_cmd_append_vsie_tlv() which could have allowed local users to gain privileges or cause a denial of service (bsc#1171254).
- CVE-2020-12654: Fixed a heap-based buffer overflow in mwifiex_ret_wmm_get_status() which could have been triggered by a remote AP to trigger (bsc#1171252).
ImportantSUSE bug 1171252SUSE bug 1171254CVE-2020-12653 at SUSECVE-2020-12653 at NVDCVE-2020-12654 at SUSECVE-2020-12654 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for tomcat (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for tomcat fixes the following issues:
CVE-2020-9484 (bsc#1171928)
Apache Tomcat Remote Code Execution via session persistence
If an attacker was able to control the contents and name of a file on a
server configured to use the PersistenceManager, then the attacker could
have triggered a remote code execution via deserialization of the file under
their control.
CVE-2019-12418 (bsc#1159723)
Local privilege escalation by manipulating the RMI registry and performing a man-in-the-middle attack
When Tomcat is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files was able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface.
The attacker could then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.
CVE-2019-0221 (bsc#1136085)
The SSI printenv command echoed user provided data without escaping, which
made it vulnerable to XSS.
CVE-2019-17563 (bsc#1159729)
When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack.
CVE-2019-17569 (bsc#1164825)
Invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling
if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header.
ImportantSUSE bug 1136085SUSE bug 1159723SUSE bug 1159729SUSE bug 1164825SUSE bug 1171928CVE-2019-0221 at SUSECVE-2019-0221 at NVDCVE-2019-12418 at SUSECVE-2019-12418 at NVDCVE-2019-17563 at SUSECVE-2019-17563 at NVDCVE-2019-17569 at SUSECVE-2019-17569 at NVDCVE-2020-9484 at SUSECVE-2020-9484 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for python (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for python to version 2.7.17 fixes the following issues:
Syncing with lots of upstream bug fixes and security fixes.
Bug fixes:
- CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825).
- CVE-2019-18348: Fixed a CRLF injection via the host part of the url passed to urlopen(). Now an InvalidURL exception is raised (bsc#1155094).
- CVE-2020-8492: Fixed a regular expression in urllib that was prone to denial of service via HTTP (bsc#1162367).
- Fixed mismatches between libpython and python-base versions (bsc#1162224).
- Fixed segfault in libpython2.7.so.1 (bsc#1073748).
- Unified packages among openSUSE:Factory and SLE versions (bsc#1159035).
- Added idle.desktop and idle.appdata.xml to provide IDLE in menus (bsc#1153830).
- Excluded tsl_check files from python-base to prevent file conflict with python-strict-tls-checks package (bsc#945401).
- Changed the name of idle3 icons to idle3.png to avoid collision with Python 2 version (bsc#1165894).
Additionally a new 'shared-python-startup' package is provided containing startup files.
python-rpm-macros was updated to fix:
- Do not write .pyc files for tests (bsc#1171561)
ModerateSUSE bug 1027282SUSE bug 1041090SUSE bug 1042670SUSE bug 1073269SUSE bug 1073748SUSE bug 1078326SUSE bug 1078485SUSE bug 1081750SUSE bug 1084650SUSE bug 1086001SUSE bug 1149792SUSE bug 1153830SUSE bug 1155094SUSE bug 1159035SUSE bug 1162224SUSE bug 1162367SUSE bug 1162825SUSE bug 1165894SUSE bug 1170411SUSE bug 1171561SUSE bug 945401CVE-2019-18348 at SUSECVE-2019-18348 at NVDCVE-2019-9674 at SUSECVE-2019-9674 at NVDCVE-2020-8492 at SUSECVE-2020-8492 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for krb5-appl (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for krb5-appl fixes the following issues:
- CVE-2020-10188: Fixed a remote root execution (bsc#1165787).
ImportantSUSE bug 1165787CVE-2020-10188 at SUSECVE-2020-10188 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libexif (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libexif fixes the following issues:
Security issues fixed:
- CVE-2016-6328: Fixed an integer overflow in parsing MNOTE entry data of the input file (bsc#1055857).
- CVE-2017-7544: Fixed an out-of-bounds heap read vulnerability in exif_data_save_data_entry function in libexif/exif-data.c (bsc#1059893).
- CVE-2018-20030: Fixed a denial of service by endless recursion (bsc#1120943).
- CVE-2019-9278: Fixed an integer overflow (bsc#1160770).
- CVE-2020-0093: Fixed an out-of-bounds read in exif_data_save_data_entry (bsc#1171847).
- CVE-2020-12767: Fixed a divide-by-zero error in exif_entry_get_value (bsc#1171475).
- CVE-2020-13112: Fixed a time consumption DoS when parsing canon array markers (bsc#1172121).
- CVE-2020-13113: Fixed a potential use of uninitialized memory (bsc#1172105).
- CVE-2020-13114: Fixed various buffer overread fixes due to integer overflows in maker notes (bsc#1172116).
Non-security issues fixed:
- libexif was updated to version 0.6.22:
* New translations: ms
* Updated translations for most languages
* Some useful EXIF 2.3 tag added:
* EXIF_TAG_GAMMA
* EXIF_TAG_COMPOSITE_IMAGE
* EXIF_TAG_SOURCE_IMAGE_NUMBER_OF_COMPOSITE_IMAGE
* EXIF_TAG_SOURCE_EXPOSURE_TIMES_OF_COMPOSITE_IMAGE
* EXIF_TAG_GPS_H_POSITIONING_ERROR
* EXIF_TAG_CAMERA_OWNER_NAME
* EXIF_TAG_BODY_SERIAL_NUMBER
* EXIF_TAG_LENS_SPECIFICATION
* EXIF_TAG_LENS_MAKE
* EXIF_TAG_LENS_MODEL
* EXIF_TAG_LENS_SERIAL_NUMBER
ModerateSUSE bug 1055857SUSE bug 1059893SUSE bug 1120943SUSE bug 1160770SUSE bug 1171475SUSE bug 1171847SUSE bug 1172105SUSE bug 1172116SUSE bug 1172121CVE-2016-6328 at SUSECVE-2016-6328 at NVDCVE-2017-7544 at SUSECVE-2017-7544 at NVDCVE-2018-20030 at SUSECVE-2018-20030 at NVDCVE-2019-9278 at SUSECVE-2019-9278 at NVDCVE-2020-0093 at SUSECVE-2020-0093 at NVDCVE-2020-12767 at SUSECVE-2020-12767 at NVDCVE-2020-13112 at SUSECVE-2020-13112 at NVDCVE-2020-13113 at SUSECVE-2020-13113 at NVDCVE-2020-13114 at SUSECVE-2020-13114 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for qemu (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for qemu fixes the following issues:
Security issues fixed:
- CVE-2020-1711: Fixed a potential OOB access in the iSCSI client code (bsc#1166240).
- CVE-2019-12068: Fixed a potential DoS in the LSI SCSI controller emulation (bsc#1146873).
- CVE-2020-1983: Fixed a use-after-free in the ip_reass function of slirp (bsc#1170940).
- CVE-2020-8608: Fixed a potential OOB access in slirp (bsc#1163018).
- CVE-2020-7039: Fixed a potential OOB access in slirp (bsc#1161066).
- CVE-2019-15890: Fixed a use-after-free during packet reassembly in slirp (bsc#1149811).
- Fixed multiple potential DoS issues in SLIRP, similar to CVE-2019-6778 (bsc#1123156).
Non-security issue fixed:
- Make sure that required memory is mapped properly during an incoming migration of a Xen HVM domU (bsc#1160024).
ModerateSUSE bug 1123156SUSE bug 1146873SUSE bug 1149811SUSE bug 1160024SUSE bug 1161066SUSE bug 1163018SUSE bug 1166240SUSE bug 1170940CVE-2019-12068 at SUSECVE-2019-12068 at NVDCVE-2019-15890 at SUSECVE-2019-15890 at NVDCVE-2019-6778 at SUSECVE-2019-6778 at NVDCVE-2020-1711 at SUSECVE-2020-1711 at NVDCVE-2020-1983 at SUSECVE-2020-1983 at NVDCVE-2020-7039 at SUSECVE-2020-7039 at NVDCVE-2020-8608 at SUSECVE-2020-8608 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for vim (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for vim fixes the following issues:
- CVE-2019-20807: Fixed an issue where escaping from the restrictive mode of vim
was possible using interfaces (bsc#1172225 and bsc#1172031).
ModerateSUSE bug 1172031SUSE bug 1172225CVE-2019-20807 at SUSECVE-2019-20807 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
- MozillaFirefox was updated to version 68.9.0 Extended Support Release (bsc#1172402).
- CVE-2020-12405: Fixed a use-after-free in SharedWorkerService.
- CVE-2020-12406: Fixed a JavaScript Type confusion with NativeTypes.
- CVE-2020-12410: Fixed multiple memory safety bugs.
ImportantSUSE bug 1172402CVE-2020-12405 at SUSECVE-2020-12405 at NVDCVE-2020-12406 at SUSECVE-2020-12406 at NVDCVE-2020-12410 at SUSECVE-2020-12410 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for ruby2.1 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for ruby2.1 fixes the following issues:
Security issues fixed:
- CVE-2015-9096: Fixed an SMTP command injection via CRLFsequences in a RCPT TO or MAIL FROM command (bsc#1043983).
- CVE-2016-7798: Fixed an IV Reuse in GCM Mode (bsc#1055265).
- CVE-2017-0898: Fixed a buffer underrun vulnerability in Kernel.sprintf (bsc#1058755).
- CVE-2017-0899: Fixed an issue with malicious gem specifications, insufficient sanitation when printing gem specifications could have included terminal characters (bsc#1056286).
- CVE-2017-0900: Fixed an issue with malicious gem specifications, the query command could have led to a denial of service attack against clients (bsc#1056286).
- CVE-2017-0901: Fixed an issue with malicious gem specifications, potentially overwriting arbitrary files on the client system (bsc#1056286).
- CVE-2017-0902: Fixed an issue with malicious gem specifications, that could have enabled MITM attacks against clients (bsc#1056286).
- CVE-2017-0903: Fixed an unsafe object deserialization vulnerability (bsc#1062452).
- CVE-2017-9228: Fixed a heap out-of-bounds write in bitset_set_range() during regex compilation (bsc#1069607).
- CVE-2017-9229: Fixed an invalid pointer dereference in left_adjust_char_head() in oniguruma (bsc#1069632).
- CVE-2017-10784: Fixed an escape sequence injection vulnerability in the Basic authentication of WEBrick (bsc#1058754).
- CVE-2017-14033: Fixed a buffer underrun vulnerability in OpenSSL ASN1 decode (bsc#1058757).
- CVE-2017-14064: Fixed an arbitrary memory exposure during a JSON.generate call (bsc#1056782).
- CVE-2017-17405: Fixed a command injection vulnerability in Net::FTP (bsc#1073002).
- CVE-2017-17742: Fixed an HTTP response splitting issue in WEBrick (bsc#1087434).
- CVE-2017-17790: Fixed a command injection in lib/resolv.rb:lazy_initialize() (bsc#1078782).
- CVE-2018-6914: Fixed an unintentional file and directory creation with directory traversal in tempfile and tmpdir (bsc#1087441).
- CVE-2018-8777: Fixed a potential DoS caused by large requests in WEBrick (bsc#1087436).
- CVE-2018-8778: Fixed a buffer under-read in String#unpack (bsc#1087433).
- CVE-2018-8779: Fixed an unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket (bsc#1087440).
- CVE-2018-8780: Fixed an unintentional directory traversal by poisoned NUL byte in Dir (bsc#1087437).
- CVE-2018-16395: Fixed an issue with OpenSSL::X509::Name equality checking (bsc#1112530).
- CVE-2018-16396: Fixed an issue with tainted string handling, where the flag was not propagated in Array#pack and String#unpack with some directives (bsc#1112532).
- CVE-2018-1000073: Fixed a path traversal issue (bsc#1082007).
- CVE-2018-1000074: Fixed an unsafe object deserialization vulnerability in gem owner, allowing arbitrary code execution with specially crafted YAML (bsc#1082008).
- CVE-2018-1000075: Fixed an infinite loop vulnerability due to negative size in tar header causes Denial of Service (bsc#1082014).
- CVE-2018-1000076: Fixed an improper verification of signatures in tarballs (bsc#1082009).
- CVE-2018-1000077: Fixed an improper URL validation in the homepage attribute of ruby gems (bsc#1082010).
- CVE-2018-1000078: Fixed a XSS vulnerability in the homepage attribute when displayed via gem server (bsc#1082011).
- CVE-2018-1000079: Fixed a path traversal issue during gem installation allows to write to arbitrary filesystem locations (bsc#1082058).
- CVE-2019-8320: Fixed a directory traversal issue when decompressing tar files (bsc#1130627).
- CVE-2019-8321: Fixed an escape sequence injection vulnerability in verbose (bsc#1130623).
- CVE-2019-8322: Fixed an escape sequence injection vulnerability in gem owner (bsc#1130622).
- CVE-2019-8323: Fixed an escape sequence injection vulnerability in API response handling (bsc#1130620).
- CVE-2019-8324: Fixed an issue with malicious gems that may have led to arbitrary code execution (bsc#1130617).
- CVE-2019-8325: Fixed an escape sequence injection vulnerability in errors (bsc#1130611).
- CVE-2019-15845: Fixed a NUL injection vulnerability in File.fnmatch and File.fnmatch? (bsc#1152994).
- CVE-2019-16201: Fixed a regular expression denial of service vulnerability in WEBrick's digest access authentication (bsc#1152995).
- CVE-2019-16254: Fixed an HTTP response splitting vulnerability in WEBrick (bsc#1152992).
- CVE-2019-16255: Fixed a code injection vulnerability in Shell#[] and Shell#test (bsc#1152990).
- CVE-2020-10663: Fixed an unsafe object creation vulnerability in JSON (bsc#1171517).
Non-security issue fixed:
- Add conflicts to libruby to make sure ruby and ruby-stdlib are also updated when libruby is updated (bsc#1048072).
Also yast2-ruby-bindings on SLES 12 SP2 LTSS was updated to handle the updated ruby interpreter. (bsc#1172275)
ImportantSUSE bug 1043983SUSE bug 1048072SUSE bug 1055265SUSE bug 1056286SUSE bug 1056782SUSE bug 1058754SUSE bug 1058755SUSE bug 1058757SUSE bug 1062452SUSE bug 1069607SUSE bug 1069632SUSE bug 1073002SUSE bug 1078782SUSE bug 1082007SUSE bug 1082008SUSE bug 1082009SUSE bug 1082010SUSE bug 1082011SUSE bug 1082014SUSE bug 1082058SUSE bug 1087433SUSE bug 1087434SUSE bug 1087436SUSE bug 1087437SUSE bug 1087440SUSE bug 1087441SUSE bug 1112530SUSE bug 1112532SUSE bug 1130611SUSE bug 1130617SUSE bug 1130620SUSE bug 1130622SUSE bug 1130623SUSE bug 1130627SUSE bug 1152990SUSE bug 1152992SUSE bug 1152994SUSE bug 1152995SUSE bug 1171517SUSE bug 1172275CVE-2015-9096 at SUSECVE-2015-9096 at NVDCVE-2016-2339 at SUSECVE-2016-2339 at NVDCVE-2016-7798 at SUSECVE-2016-7798 at NVDCVE-2017-0898 at SUSECVE-2017-0898 at NVDCVE-2017-0899 at SUSECVE-2017-0899 at NVDCVE-2017-0900 at SUSECVE-2017-0900 at NVDCVE-2017-0901 at SUSECVE-2017-0901 at NVDCVE-2017-0902 at SUSECVE-2017-0902 at NVDCVE-2017-0903 at SUSECVE-2017-0903 at NVDCVE-2017-10784 at SUSECVE-2017-10784 at NVDCVE-2017-14033 at SUSECVE-2017-14033 at NVDCVE-2017-14064 at SUSECVE-2017-14064 at NVDCVE-2017-17405 at SUSECVE-2017-17405 at NVDCVE-2017-17742 at SUSECVE-2017-17742 at NVDCVE-2017-17790 at SUSECVE-2017-17790 at NVDCVE-2017-9228 at SUSECVE-2017-9228 at NVDCVE-2017-9229 at SUSECVE-2017-9229 at NVDCVE-2018-1000073 at SUSECVE-2018-1000073 at NVDCVE-2018-1000074 at SUSECVE-2018-1000074 at NVDCVE-2018-1000075 at SUSECVE-2018-1000075 at NVDCVE-2018-1000076 at SUSECVE-2018-1000076 at NVDCVE-2018-1000077 at SUSECVE-2018-1000077 at NVDCVE-2018-1000078 at SUSECVE-2018-1000078 at NVDCVE-2018-1000079 at SUSECVE-2018-1000079 at NVDCVE-2018-16395 at SUSECVE-2018-16395 at NVDCVE-2018-16396 at SUSECVE-2018-16396 at NVDCVE-2018-6914 at SUSECVE-2018-6914 at NVDCVE-2018-8777 at SUSECVE-2018-8777 at NVDCVE-2018-8778 at SUSECVE-2018-8778 at NVDCVE-2018-8779 at SUSECVE-2018-8779 at NVDCVE-2018-8780 at SUSECVE-2018-8780 at NVDCVE-2019-15845 at SUSECVE-2019-15845 at NVDCVE-2019-16201 at SUSECVE-2019-16201 at NVDCVE-2019-16254 at SUSECVE-2019-16254 at NVDCVE-2019-16255 at SUSECVE-2019-16255 at NVDCVE-2019-8320 at SUSECVE-2019-8320 at NVDCVE-2019-8321 at SUSECVE-2019-8321 at NVDCVE-2019-8322 at SUSECVE-2019-8322 at NVDCVE-2019-8323 at SUSECVE-2019-8323 at NVDCVE-2019-8324 at SUSECVE-2019-8324 at NVDCVE-2019-8325 at SUSECVE-2019-8325 at NVDCVE-2020-10663 at SUSECVE-2020-10663 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_7_0-openjdk to version 7u261 fixes the following issues:
- CVE-2020-2756: Better mapping of serial ENUMs (bsc#1169511)
- CVE-2020-2757: Less Blocking Array Queues (bsc#1169511)
- CVE-2020-2773: Better signatures in XML (bsc#1169511)
- CVE-2020-2781: Improve TLS session handling (bsc#1169511)
- CVE-2020-2800: Better Headings for HTTP Servers (bsc#1169511)
- CVE-2020-2803: Enhance buffering of byte buffers (bsc#1169511)
- CVE-2020-2805: Enhance typing of methods (bsc#1169511)
- CVE-2020-2830: Better Scanner conversions (bsc#1169511)
ImportantSUSE bug 1169511CVE-2020-2756 at SUSECVE-2020-2756 at NVDCVE-2020-2757 at SUSECVE-2020-2757 at NVDCVE-2020-2773 at SUSECVE-2020-2773 at NVDCVE-2020-2781 at SUSECVE-2020-2781 at NVDCVE-2020-2800 at SUSECVE-2020-2800 at NVDCVE-2020-2803 at SUSECVE-2020-2803 at NVDCVE-2020-2805 at SUSECVE-2020-2805 at NVDCVE-2020-2830 at SUSECVE-2020-2830 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for tigervnc (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for tigervnc fixes the following issues:
- CVE-2019-15691: Fixed a use-after-return due to incorrect usage of stack memory in ZRLEDecoder (bsc#1159856).
- CVE-2019-15692: Fixed a heap-based buffer overflow in CopyRectDecode (bsc#1160250).
- CVE-2019-15693: Fixed a heap-based buffer overflow in TightDecoder::FilterGradient (bsc#1159858).
- CVE-2019-15694: Fixed a heap-based buffer overflow, caused by improper error handling in processing MemOutStream (bsc#1160251).
- CVE-2019-15695: Fixed a stack-based buffer overflow, which could be triggered from CMsgReader::readSetCursor (bsc#1159860).
ImportantSUSE bug 1159856SUSE bug 1159858SUSE bug 1159860SUSE bug 1160250SUSE bug 1160251SUSE bug 1160937CVE-2019-15691 at SUSECVE-2019-15691 at NVDCVE-2019-15692 at SUSECVE-2019-15692 at NVDCVE-2019-15693 at SUSECVE-2019-15693 at NVDCVE-2019-15694 at SUSECVE-2019-15694 at NVDCVE-2019-15695 at SUSECVE-2019-15695 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for ucode-intel (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for ucode-intel fixes the following issues:
Updated Intel CPU Microcode to 20200602 (prerelease) (bsc#1172466)
This update contains security mitigations for:
- CVE-2020-0543: Fixed a side channel attack against special registers
which could have resulted in leaking of read values to cores other
than the one which called it. This attack is known as Special Register
Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).
- CVE-2020-0548,CVE-2020-0549: Additional ucode updates were supplied to
mitigate the Vector Register and L1D Eviction Sampling aka 'CacheOutAttack'
attacks. (bsc#1156353)
Microcode Table:
Processor Identifier Version Products
Model Stepping F-MO-S/PI Old->New
---- new platforms ----------------------------------------
---- updated platforms ------------------------------------
HSW C0 6-3c-3/32 00000027->00000028 Core Gen4
BDW-U/Y E0/F0 6-3d-4/c0 0000002e->0000002f Core Gen5
HSW-U C0/D0 6-45-1/72 00000025->00000026 Core Gen4
HSW-H C0 6-46-1/32 0000001b->0000001c Core Gen4
BDW-H/E3 E0/G0 6-47-1/22 00000021->00000022 Core Gen5
SKL-U/Y D0 6-4e-3/c0 000000d6->000000dc Core Gen6 Mobile
SKL-U23e K1 6-4e-3/c0 000000d6->000000dc Core Gen6 Mobile
SKX-SP B1 6-55-3/97 01000151->01000157 Xeon Scalable
SKX-SP H0/M0/U0 6-55-4/b7 02000065->02006906 Xeon Scalable
SKX-D M1 6-55-4/b7 02000065->02006906 Xeon D-21xx
CLX-SP B0 6-55-6/bf 0400002c->04002f01 Xeon Scalable Gen2
CLX-SP B1 6-55-7/bf 0500002c->04002f01 Xeon Scalable Gen2
SKL-H/S R0/N0 6-5e-3/36 000000d6->000000dc Core Gen6; Xeon E3 v5
AML-Y22 H0 6-8e-9/10 000000ca->000000d6 Core Gen8 Mobile
KBL-U/Y H0 6-8e-9/c0 000000ca->000000d6 Core Gen7 Mobile
CFL-U43e D0 6-8e-a/c0 000000ca->000000d6 Core Gen8 Mobile
WHL-U W0 6-8e-b/d0 000000ca->000000d6 Core Gen8 Mobile
AML-Y42 V0 6-8e-c/94 000000ca->000000d6 Core Gen10 Mobile
CML-Y42 V0 6-8e-c/94 000000ca->000000d6 Core Gen10 Mobile
WHL-U V0 6-8e-c/94 000000ca->000000d6 Core Gen8 Mobile
KBL-G/H/S/E3 B0 6-9e-9/2a 000000ca->000000d6 Core Gen7; Xeon E3 v6
CFL-H/S/E3 U0 6-9e-a/22 000000ca->000000d6 Core Gen8 Desktop, Mobile, Xeon E
CFL-S B0 6-9e-b/02 000000ca->000000d6 Core Gen8
CFL-H/S P0 6-9e-c/22 000000ca->000000d6 Core Gen9
CFL-H R0 6-9e-d/22 000000ca->000000d6 Core Gen9 Mobile
Also contains the Intel CPU Microcode update to 20200520:
Processor Identifier Version Products
Model Stepping F-MO-S/PI Old->New
---- new platforms ----------------------------------------
---- updated platforms ------------------------------------
SNB-E/EN/EP C1/M0 6-2d-6/6d 0000061f->00000621 Xeon E3/E5, Core X
SNB-E/EN/EP C2/M1 6-2d-7/6d 00000718->0000071a Xeon E3/E5, Core X
ModerateSUSE bug 1154824SUSE bug 1156353SUSE bug 1172466CVE-2020-0543 at SUSECVE-2020-0543 at NVDCVE-2020-0548 at SUSECVE-2020-0548 at NVDCVE-2020-0549 at SUSECVE-2020-0549 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it.
This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).
- CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).
- CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).
- CVE-2020-12654: Fixed an issue in he wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).
- CVE-2020-12656: Fixed an improper handling of certain domain_release calls leadingch could have led to a memory leak (bsc#1171219).
- CVE-2020-12114: Fixed A pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).
- CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).
The following non-security bugs were fixed:
- can, slip: Protect tty->disc_data in write_wakeup and close with RCU (bsc#1171698).
- clocksource/drivers/hyper-v: Set TSC clocksource as default w/ InvariantTSC (bsc#1170620).
- Drivers: HV: Send one page worth of kmsg dump over Hyper-V during panic (bsc#1170618).
- Drivers: hv: vmbus: Fix the issue with freeing up hv_ctl_table_hdr (bsc#1170618).
- Drivers: hv: vmbus: Get rid of MSR access from vmbus_drv.c (bsc#1170618).
- Drivers: hv: vmbus: Make panic reporting to be more useful (bsc#1170618).
- Drivers: hv: vmus: Fix the check for return value from kmsg get dump buffer (bsc#1170618).
- EDAC: Convert to new X86 CPU match macros
- ibmvfc: do not send implicit logouts prior to NPIV login (bsc#1169625 ltc#184611).
- ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).
- KEYS: reaching the keys quotas correctly (bsc#1171689).
- NFS: Cleanup if nfs_match_client is interrupted (bsc#1169025).
- NFS: Fix a double unlock from nfs_match,get_client (bsc#1169025).
- NFS: make nfs_match_client killable (bsc#1169025).
- NFS: Unlock requests must never fail (bsc#1172032).
- random: always use batched entropy for get_random_u{32,64} (bsc#1164871).
- Revert 'ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()' (bsc#1172221).
- scsi: ibmvfc: Avoid loss of all paths during SVC node reboot (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).
- x86/dumpstack/64: Handle faults when printing the 'Stack: ' part of an OOPS (bsc#1170383).
- x86/hyperv: Allow guests to enable InvariantTSC (bsc#1170620).
- x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump (bsc#1170618).
- x86/Hyper-V: Report crash data in die() when panic_on_oops is set (bsc#1170618).
- x86/Hyper-V: Report crash register data or kmsg before running crash kernel (bsc#1170618).
- x86/Hyper-V: Report crash register data when sysctl_record_panic_msg is not set (bsc#1170618).
- x86: hyperv: report value of misc_features (git fixes).
- x86/Hyper-V: Trigger crash enlightenment only once during system crash (bsc#1170618).
- x86/Hyper-V: Unload vmbus channel in hv panic callback (bsc#1170618).
ImportantSUSE bug 1154824SUSE bug 1161951SUSE bug 1164871SUSE bug 1169025SUSE bug 1169625SUSE bug 1170383SUSE bug 1170618SUSE bug 1170620SUSE bug 1171098SUSE bug 1171195SUSE bug 1171202SUSE bug 1171218SUSE bug 1171219SUSE bug 1171689SUSE bug 1171698SUSE bug 1172032SUSE bug 1172221SUSE bug 1172317CVE-2020-0543 at SUSECVE-2020-0543 at NVDCVE-2020-10757 at SUSECVE-2020-10757 at NVDCVE-2020-12114 at SUSECVE-2020-12114 at NVDCVE-2020-12652 at SUSECVE-2020-12652 at NVDCVE-2020-12653 at SUSECVE-2020-12653 at NVDCVE-2020-12654 at SUSECVE-2020-12654 at NVDCVE-2020-12656 at SUSECVE-2020-12656 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for virglrenderer (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for virglrenderer fixes the following issues:
- CVE-2019-18388: Fixed a null pointer dereference which could have led
to denial of service (bsc#1159479).
- CVE-2019-18390: Fixed an out of bound read which could have led to
denial of service (bsc#1159478).
- CVE-2019-18389: Fixed a heap buffer overflow which could have led to
guest escape or denial of service (bsc#1159482).
- CVE-2019-18391: Fixed a heap based buffer overflow which could have led to
guest escape or denial of service (bsc#1159486).
ImportantSUSE bug 1159478SUSE bug 1159479SUSE bug 1159482SUSE bug 1159486CVE-2019-18388 at SUSECVE-2019-18388 at NVDCVE-2019-18389 at SUSECVE-2019-18389 at NVDCVE-2019-18390 at SUSECVE-2019-18390 at NVDCVE-2019-18391 at SUSECVE-2019-18391 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for adns (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for adns fixes the following issues:
- CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9109: Fixed an issue in local recursive resolver
which could have led to remote code execution (bsc#1172265).
- CVE-2017-9106: Fixed an issue with upstream DNS data sources which could have led to denial of
service (bsc#1172265).
- CVE-2017-9107: Fixed an issue when quering domain names which could have led to denial of service (bsc#1172265).
- CVE-2017-9108: Fixed an issue which could have led to denial of service (bsc#1172265).
ImportantSUSE bug 1172265CVE-2017-9103 at SUSECVE-2017-9103 at NVDCVE-2017-9104 at SUSECVE-2017-9104 at NVDCVE-2017-9105 at SUSECVE-2017-9105 at NVDCVE-2017-9106 at SUSECVE-2017-9106 at NVDCVE-2017-9107 at SUSECVE-2017-9107 at NVDCVE-2017-9108 at SUSECVE-2017-9108 at NVDCVE-2017-9109 at SUSECVE-2017-9109 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for xen fixes the following issues:
- CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it.
This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1172205).
- CVE-2020-11742: Bad continuation handling in GNTTABOP_copy (bsc#1169392).
- CVE-2020-11740, CVE-2020-11741: xen: XSA-313 multiple xenoprof issues (bsc#1168140).
- CVE-2020-11739: Missing memory barriers in read-write unlock paths (bsc#1168142).
- CVE-2019-19583: Fixed improper checks which could have allowed HVM/PVH guest userspace code to crash the guest, leading to a guest denial of service (bsc#1158004 XSA-308).
- CVE-2019-19581: Fixed a potential out of bounds on 32-bit Arm (bsc#1158003 XSA-307).
- CVE-2019-19580: Fixed a privilege escalation where a malicious PV guest administrator could have been able to escalate their privilege to that of the host (bsc#1158006 XSA-310).
- CVE-2019-19579: Fixed a privilege escalation where an untrusted domain with access to a physical device can DMA into host memory (bsc#1157888 XSA-306).
- CVE-2019-19578: Fixed an issue where a malicious or buggy PV guest could have caused hypervisor crash resulting in denial of service affecting the entire host (bsc#1158005 XSA-309).
- CVE-2019-19577: Fixed an issue where a malicious guest administrator could have caused Xen to access data structures while they are being modified leading to a crash (bsc#1158007 XSA-311).
- Xenstored Crashed during VM install (bsc#1167152)
ImportantSUSE bug 1157888SUSE bug 1158003SUSE bug 1158004SUSE bug 1158005SUSE bug 1158006SUSE bug 1158007SUSE bug 1161181SUSE bug 1167152SUSE bug 1168140SUSE bug 1168142SUSE bug 1169392SUSE bug 1172205CVE-2019-19577 at SUSECVE-2019-19577 at NVDCVE-2019-19578 at SUSECVE-2019-19578 at NVDCVE-2019-19579 at SUSECVE-2019-19579 at NVDCVE-2019-19580 at SUSECVE-2019-19580 at NVDCVE-2019-19581 at SUSECVE-2019-19581 at NVDCVE-2019-19583 at SUSECVE-2019-19583 at NVDCVE-2020-0543 at SUSECVE-2020-0543 at NVDCVE-2020-11739 at SUSECVE-2020-11739 at NVDCVE-2020-11740 at SUSECVE-2020-11740 at NVDCVE-2020-11741 at SUSECVE-2020-11741 at NVDCVE-2020-11742 at SUSECVE-2020-11742 at NVDCVE-2020-7211 at SUSECVE-2020-7211 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for perl (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for perl fixes the following issues:
- CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have
allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of
instructions into the compiled form of Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a
compiled regular expression (bsc#1171866).
- Fixed utf8 handling in perldoc by useing 'term' instead of 'man' (bsc#1170601).
- Some packages make assumptions about the date and time they are built.
This update will solve the issues caused by calling the perl function timelocal
expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039)
ImportantSUSE bug 1102840SUSE bug 1160039SUSE bug 1170601SUSE bug 1171863SUSE bug 1171864SUSE bug 1171866CVE-2020-10543 at SUSECVE-2020-10543 at NVDCVE-2020-10878 at SUSECVE-2020-10878 at NVDCVE-2020-12723 at SUSECVE-2020-12723 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_7_1-ibm fixes the following issues:
java-1_7_1-ibm was updated to Java 7.1 Service Refresh 4 Fix Pack 65 (bsc#1172277 and bsc#1169511)
- CVE-2020-2654: Fixed an issue which could have resulted in unauthorized ability to cause a partial denial of service
- CVE-2020-2756: Improved mapping of serial ENUMs
- CVE-2020-2757: Less Blocking Array Queues
- CVE-2020-2781: Improved TLS session handling
- CVE-2020-2800: Improved Headings for HTTP Servers
- CVE-2020-2803: Enhanced buffering of byte buffers
- CVE-2020-2805: Enhanced typing of methods
- CVE-2020-2830: Improved Scanner conversions
ImportantSUSE bug 1169511SUSE bug 1172277CVE-2020-2654 at SUSECVE-2020-2654 at NVDCVE-2020-2756 at SUSECVE-2020-2756 at NVDCVE-2020-2757 at SUSECVE-2020-2757 at NVDCVE-2020-2781 at SUSECVE-2020-2781 at NVDCVE-2020-2800 at SUSECVE-2020-2800 at NVDCVE-2020-2803 at SUSECVE-2020-2803 at NVDCVE-2020-2805 at SUSECVE-2020-2805 at NVDCVE-2020-2830 at SUSECVE-2020-2830 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_8_0-ibm fixes the following issues:
java-1_8_0-ibm was updated to Java 8.0 Service Refresh 6 Fix Pack 10 (bsc#1172277,bsc#1169511,bsc#1160968)
- CVE-2020-2654: Fixed an issue which could have resulted in unauthorized ability to cause a partial denial of service
- CVE-2020-2754: Forwarded references to Nashorn
- CVE-2020-2755: Improved Nashorn matching
- CVE-2020-2756: Improved mapping of serial ENUMs
- CVE-2020-2757: Less Blocking Array Queues
- CVE-2020-2781: Improved TLS session handling
- CVE-2020-2800: Improved Headings for HTTP Servers
- CVE-2020-2803: Enhanced buffering of byte buffers
- CVE-2020-2805: Enhanced typing of methods
- CVE-2020-2830: Improved Scanner conversions
- CVE-2019-2949: Fixed an issue which could have resulted in unauthorized access to critical data
- Added RSA PSS SUPPORT TO IBMPKCS11IMPL
- The pack200 and unpack200 alternatives should be slaves of java (bsc#1171352).
ImportantSUSE bug 1160968SUSE bug 1169511SUSE bug 1171352SUSE bug 1172277CVE-2019-2949 at SUSECVE-2019-2949 at NVDCVE-2020-2654 at SUSECVE-2020-2654 at NVDCVE-2020-2754 at SUSECVE-2020-2754 at NVDCVE-2020-2755 at SUSECVE-2020-2755 at NVDCVE-2020-2756 at SUSECVE-2020-2756 at NVDCVE-2020-2757 at SUSECVE-2020-2757 at NVDCVE-2020-2781 at SUSECVE-2020-2781 at NVDCVE-2020-2800 at SUSECVE-2020-2800 at NVDCVE-2020-2803 at SUSECVE-2020-2803 at NVDCVE-2020-2805 at SUSECVE-2020-2805 at NVDCVE-2020-2830 at SUSECVE-2020-2830 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_8_0-openjdk to version jdk8u252 fixes the following issues:
- CVE-2020-2754: Forward references to Nashorn (bsc#1169511)
- CVE-2020-2755: Improve Nashorn matching (bsc#1169511)
- CVE-2020-2756: Better mapping of serial ENUMs (bsc#1169511)
- CVE-2020-2757: Less Blocking Array Queues (bsc#1169511)
- CVE-2020-2773: Better signatures in XML (bsc#1169511)
- CVE-2020-2781: Improve TLS session handling (bsc#1169511)
- CVE-2020-2800: Better Headings for HTTP Servers (bsc#1169511)
- CVE-2020-2803: Enhance buffering of byte buffers (bsc#1169511)
- CVE-2020-2805: Enhance typing of methods (bsc#1169511)
- CVE-2020-2830: Better Scanner conversions (bsc#1169511)
ImportantSUSE bug 1160398SUSE bug 1169511CVE-2020-2754 at SUSECVE-2020-2754 at NVDCVE-2020-2755 at SUSECVE-2020-2755 at NVDCVE-2020-2756 at SUSECVE-2020-2756 at NVDCVE-2020-2757 at SUSECVE-2020-2757 at NVDCVE-2020-2773 at SUSECVE-2020-2773 at NVDCVE-2020-2781 at SUSECVE-2020-2781 at NVDCVE-2020-2800 at SUSECVE-2020-2800 at NVDCVE-2020-2803 at SUSECVE-2020-2803 at NVDCVE-2020-2805 at SUSECVE-2020-2805 at NVDCVE-2020-2830 at SUSECVE-2020-2830 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-10768: Fixed an issue with the prctl() function which could have allowed indirect branch speculation even after it has been disabled (bsc#1172783).
- CVE-2020-10767: Fixed an issue where the Indirect Branch Prediction Barrier (IBPB) would have been disabled when STIBP is unavailable or enhanced IBRS is available making the system vulnerable to spectre v2 (bsc#1172782).
- CVE-2020-10766: Fixed an issue with Linux scheduler which could have allowed an attacker to turn off the SSBD protection (bsc#1172781).
- xfs: Fix tail rounding in xfs_alloc_file_space() (bsc#1172049).
ImportantSUSE bug 1172049SUSE bug 1172781SUSE bug 1172782SUSE bug 1172783CVE-2020-10766 at SUSECVE-2020-10766 at NVDCVE-2020-10767 at SUSECVE-2020-10767 at NVDCVE-2020-10768 at SUSECVE-2020-10768 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for curl (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for curl fixes the following issues:
- CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027).
ImportantSUSE bug 1173027CVE-2020-8177 at SUSECVE-2020-8177 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for ceph (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This is a version update for ceph to version 12.2.13:
Security issue fixed:
- CVE-2020-10753: Fixed an HTTP header injection via CORS ExposeHeader tag (bsc#1171921).
- Notable changes in this update for ceph:
* mgr: telemetry: backported and now available on SES5.5. Please
consider enabling via 'ceph telemetry on' (bsc#1171670)
* OSD heartbeat ping time: new health warning, options and admin
commands (bsc#1171960)
* 'osd_calc_pg_upmaps_max_stddev' ceph.conf parameter has been
removed; use 'upmap_max_deviation' instead (bsc#1171961)
* Default maximum concurrent bluestore rocksdb compaction threads
raised from 1 to 2 for improved ability to keep up with rgw
bucket index workloads (bsc#1171963)
- Bug fixes in this ceph update:
* mon: Error message displayed when mon_osd_max_split_count would be
exceeded is not as user-friendly as it could be (bsc#1126230)
* ceph_volume_client: remove ceph mds calls in favor of ceph fs
calls (bsc#1136082)
* rgw: crypt: permit RGW-AUTO/default with SSE-S3 headers
(bsc#1157607)
* mon/AuthMonitor: don't validate fs caps on authorize (bsc#1161096)
- Additional bug fixes:
* ceph-volume: strip _dmcrypt suffix in simple scan json output (bsc#1162553) ImportantSUSE bug 1126230SUSE bug 1136082SUSE bug 1157607SUSE bug 1161096SUSE bug 1162553SUSE bug 1171670SUSE bug 1171921SUSE bug 1171960SUSE bug 1171961SUSE bug 1171963CVE-2020-10753 at SUSECVE-2020-10753 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_116 fixes several issues.
The following security issues were fixed:
- CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172437).
- CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171254).
- CVE-2020-12654: Fixed an issue in he wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171252).
- CVE-2020-1749: Fixed an issue where some ipv6 protocols were not encrypted over ipsec tunnel (bsc#1165631).
ImportantSUSE bug 1165631SUSE bug 1171252SUSE bug 1171254SUSE bug 1172437CVE-2020-10757 at SUSECVE-2020-10757 at NVDCVE-2020-12653 at SUSECVE-2020-12653 at NVDCVE-2020-12654 at SUSECVE-2020-12654 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_113 fixes one issue.
The following security issue was fixed:
- CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172437).
ImportantSUSE bug 1172437CVE-2020-10757 at SUSECVE-2020-10757 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_107 fixes one issue.
The following security issue was fixed:
- CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172437).
ImportantSUSE bug 1172437CVE-2020-10757 at SUSECVE-2020-10757 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 28 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_103 fixes several issues.
The following security issues were fixed:
- CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172437).
- CVE-2019-15666: Fixed an out of bounds read __xfrm_policy_unlink, which could have led to denial of service (bsc#1172140).
ImportantSUSE bug 1172140SUSE bug 1172437CVE-2019-15666 at SUSECVE-2019-15666 at NVDCVE-2020-10757 at SUSECVE-2020-10757 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 27 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_100 fixes several issues.
The following security issues were fixed:
- CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172437).
- CVE-2019-15666: Fixed an out of bounds read __xfrm_policy_unlink, which could have led to denial of service (bsc#1172140).
ImportantSUSE bug 1172140SUSE bug 1172437CVE-2019-15666 at SUSECVE-2019-15666 at NVDCVE-2020-10757 at SUSECVE-2020-10757 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 26 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_97 fixes several issues.
The following security issues were fixed:
- CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172437).
- CVE-2019-15666: Fixed an out of bounds read __xfrm_policy_unlink, which could have led to denial of service (bsc#1172140).
ImportantSUSE bug 1172140SUSE bug 1172437CVE-2019-15666 at SUSECVE-2019-15666 at NVDCVE-2020-10757 at SUSECVE-2020-10757 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for tomcat (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for tomcat fixes the following issues:
- CVE-2020-8022: Fixed a local root exploit due to improper permissions (bsc#1172405)
ImportantSUSE bug 1172405CVE-2020-8022 at SUSECVE-2020-8022 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for python3-requests (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for python3-requests provides the following fix:
python-requests was updated to 2.20.1.
Update to version 2.20.1:
* Fixed bug with unintended Authorization header stripping for
redirects using default ports (http/80, https/443).
Update to version 2.20.0:
* Bugfixes
+ Content-Type header parsing is now case-insensitive
(e.g. charset=utf8 v Charset=utf8).
+ Fixed exception leak where certain redirect urls would raise
uncaught urllib3 exceptions.
+ Requests removes Authorization header from requests redirected
from https to http on the same hostname. (CVE-2018-18074)
+ should_bypass_proxies now handles URIs without hostnames
(e.g. files).
Update to version 2.19.1:
* Fixed issue where status_codes.py’s init function failed trying
to append to a __doc__ value of None.
Update to version 2.19.0:
* Improvements
+ Warn about possible slowdown with cryptography version < 1.3.4
+ Check host in proxy URL, before forwarding request to adapter.
+ Maintain fragments properly across redirects. (RFC7231 7.1.2)
+ Removed use of cgi module to expedite library load time.
+ Added support for SHA-256 and SHA-512 digest auth algorithms.
+ Minor performance improvement to Request.content.
* Bugfixes
+ Parsing empty Link headers with parse_header_links() no longer
return one bogus entry.
+ Fixed issue where loading the default certificate bundle from
a zip archive would raise an IOError.
+ Fixed issue with unexpected ImportError on windows system
which do not support winreg module.
+ DNS resolution in proxy bypass no longer includes the username
and password in the request. This also fixes the issue of DNS
queries failing on macOS.
+ Properly normalize adapter prefixes for url comparison.
+ Passing None as a file pointer to the files param no longer
raises an exception.
+ Calling copy on a RequestsCookieJar will now preserve the
cookie policy correctly.
Update to version 2.18.4:
* Improvements
+ Error messages for invalid headers now include the header name
for easier debugging
Update to version 2.18.3:
* Improvements
+ Running $ python -m requests.help now includes the installed
version of idna.
* Bugfixes
+ Fixed issue where Requests would raise ConnectionError instead
of SSLError when encountering SSL problems when using urllib3
v1.22.
- Add ca-certificates (and ca-certificates-mozilla) to dependencies, otherwise https
connections will fail.
ModerateSUSE bug 1054413SUSE bug 1073879SUSE bug 1111622SUSE bug 1122668SUSE bug 761500SUSE bug 922448SUSE bug 929736SUSE bug 935252SUSE bug 945455SUSE bug 947357SUSE bug 961596SUSE bug 967128CVE-2015-2296 at SUSECVE-2015-2296 at NVDCVE-2018-18074 at SUSECVE-2018-18074 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for mutt (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for mutt fixes the following issues:
- CVE-2020-14954: Fixed a response injection due to a STARTTLS buffering issue which was
affecting IMAP, SMTP, and POP3 (bsc#1173197).
- CVE-2020-14093: Fixed a potential IMAP Man-in-the-Middle attack via a PREAUTH response (bsc#1172906, bsc#1172935).
- CVE-2020-14154: Fixed an issue where Mutt was ignoring an expired certificate and was
proceeding with a connection (bsc#1172906, bsc#1172935).
ImportantSUSE bug 1172906SUSE bug 1172935SUSE bug 1173197CVE-2020-14093 at SUSECVE-2020-14093 at NVDCVE-2020-14154 at SUSECVE-2020-14154 at NVDCVE-2020-14954 at SUSECVE-2020-14954 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for squid (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for squid fixes the following issues:
- CVE-2020-14059: Fixed an issue where a client could potentially deny the service of a server
during TLS Handshake (bsc#1173304).
- CVE-2019-18860: Fixed handling of invalid domain names in cachemgr.cgi (bsc#1167373).
ImportantSUSE bug 1167373SUSE bug 1173304CVE-2019-18860 at SUSECVE-2019-18860 at NVDCVE-2020-14059 at SUSECVE-2020-14059 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for ntp (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for ntp fixes the following issues:
ntp was updated to 4.2.8p15
- CVE-2020-11868: Fixed an issue which a server mode packet with spoofed source address
frequently send to the client ntpd could have caused denial of service (bsc#1169740).
- CVE-2018-8956: Fixed an issue which could have allowed remote attackers to prevent
a broadcast client from synchronizing its clock with a broadcast NTP server via spoofed
mode 3 and mode 5 packets (bsc#1171355).
- CVE-2020-13817: Fixed an issue which an off-path attacker with the ability to query time
from victim's ntpd instance could have modified the victim's clock by a limited amount (bsc#1172651).
- CVE-2020-15025: Fixed an issue which remote attacker could have caused denial of service by consuming
the memory when a CMAC key was used andassociated with a CMAC algorithm in the ntp.keys (bsc#1173334).
ModerateSUSE bug 1169740SUSE bug 1171355SUSE bug 1172651SUSE bug 1173334CVE-2018-8956 at SUSECVE-2018-8956 at NVDCVE-2020-11868 at SUSECVE-2020-11868 at NVDCVE-2020-13817 at SUSECVE-2020-13817 at NVDCVE-2020-15025 at SUSECVE-2020-15025 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 26 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_97 fixes several issues.
The following security issues were fixed:
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in the Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bsc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in the Marvell WiFi chip driver. An attacker was able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bsc#1157155).
ImportantSUSE bug 1160467SUSE bug 1160468CVE-2019-14896 at SUSECVE-2019-14896 at NVDCVE-2019-14897 at SUSECVE-2019-14897 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for mozilla-nspr, mozilla-nss (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to version 3.53.1
- CVE-2020-12402: Fixed a potential side channel attack during RSA key generation (bsc#1173032).
- CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978).
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- Fixed various FIPS issues in libfreebl3 which were causing segfaults in the test suite of chrony (bsc#1168669).
- Fixed an issue where Firefox tab was crashing (bsc#1170908).
Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes
mozilla-nspr to version 4.25
ImportantSUSE bug 1159819SUSE bug 1168669SUSE bug 1169746SUSE bug 1170908SUSE bug 1171978SUSE bug 1173022CVE-2019-17006 at SUSECVE-2019-17006 at NVDCVE-2020-12399 at SUSECVE-2020-12399 at NVDCVE-2020-12402 at SUSECVE-2020-12402 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 25 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.178-94_91 fixes several issues.
The following security issues were fixed:
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in the Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bsc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in the Marvell WiFi chip driver. An attacker was able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bsc#1157155).
ImportantSUSE bug 1160467SUSE bug 1160468CVE-2019-14896 at SUSECVE-2019-14896 at NVDCVE-2019-14897 at SUSECVE-2019-14897 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for openldap2 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for openldap2 fixes the following issues:
- CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).
- Changed DB_CONFIG to root:ldap permissions (bsc#1172704).
- Fixed an issue where slapd becomes unresponsive after many failed login/bind attempts(bsc#1170715).
ImportantSUSE bug 1170715SUSE bug 1172698SUSE bug 1172704CVE-2020-8023 at SUSECVE-2020-8023 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 24 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.176-94_88 fixes several issues.
The following security issues were fixed:
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in the Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bsc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in the Marvell WiFi chip driver. An attacker was able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bsc#1157155).
ImportantSUSE bug 1160467SUSE bug 1160468CVE-2019-14896 at SUSECVE-2019-14896 at NVDCVE-2019-14897 at SUSECVE-2019-14897 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for xen fixes the following issues:
- CVE-2020-15563: Fixed inverted code paths in x86 dirty VRAM tracking (bsc#1173377).
- CVE-2020-15565: Fixed insufficient cache write-back under VT-d (bsc#1173378).
- CVE-2020-15567: Fixed non-atomic modification of live EPT PTE (bsc#1173380).
ImportantSUSE bug 1173377SUSE bug 1173378SUSE bug 1173380CVE-2020-15563 at SUSECVE-2020-15563 at NVDCVE-2020-15565 at SUSECVE-2020-15565 at NVDCVE-2020-15567 at SUSECVE-2020-15567 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 23 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.175-94_79 fixes several issues.
The following security issues were fixed:
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in the Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bsc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in the Marvell WiFi chip driver. An attacker was able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bsc#1157155).
ImportantSUSE bug 1160467SUSE bug 1160468CVE-2019-14896 at SUSECVE-2019-14896 at NVDCVE-2019-14897 at SUSECVE-2019-14897 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox to version 78.0.1 ESR fixes the following issues:
Security issues fixed:
- CVE-2020-12415: AppCache manifest poisoning due to url encoded character processing (bsc#1173576).
- CVE-2020-12416: Use-after-free in WebRTC VideoBroadcaster (bsc#1173576).
- CVE-2020-12417: Memory corruption due to missing sign-extension for ValueTags on ARM64 (bsc#1173576).
- CVE-2020-12418: Information disclosure due to manipulated URL object (bsc#1173576).
- CVE-2020-12419: Use-after-free in nsGlobalWindowInner (bsc#1173576).
- CVE-2020-12420: Use-After-Free when trying to connect to a STUN server (bsc#1173576).
- CVE-2020-12402: RSA Key Generation vulnerable to side-channel attack (bsc#1173576).
- CVE-2020-12421: Add-On updates did not respect the same certificate trust rules as software updates (bsc#1173576).
- CVE-2020-12422: Integer overflow in nsJPEGEncoder::emptyOutputBuffer (bsc#1173576).
- CVE-2020-12423: DLL Hijacking due to searching %PATH% for a library (bsc#1173576).
- CVE-2020-12424: WebRTC permission prompt could have been bypassed by a compromised content process (bsc#1173576).
- CVE-2020-12425: Out of bound read in Date.parse() (bsc#1173576).
- CVE-2020-12426: Memory safety bugs fixed in Firefox 78 (bsc#1173576).
- FIPS: MozillaFirefox: allow /proc/sys/crypto/fips_enabled (bsc#1167231).
Non-security issues fixed:
- Fixed interaction with freetype6 (bsc#1173613).
ImportantSUSE bug 1167231SUSE bug 1173576SUSE bug 1173613CVE-2020-12402 at SUSECVE-2020-12402 at NVDCVE-2020-12415 at SUSECVE-2020-12415 at NVDCVE-2020-12416 at SUSECVE-2020-12416 at NVDCVE-2020-12417 at SUSECVE-2020-12417 at NVDCVE-2020-12418 at SUSECVE-2020-12418 at NVDCVE-2020-12419 at SUSECVE-2020-12419 at NVDCVE-2020-12420 at SUSECVE-2020-12420 at NVDCVE-2020-12421 at SUSECVE-2020-12421 at NVDCVE-2020-12422 at SUSECVE-2020-12422 at NVDCVE-2020-12423 at SUSECVE-2020-12423 at NVDCVE-2020-12424 at SUSECVE-2020-12424 at NVDCVE-2020-12425 at SUSECVE-2020-12425 at NVDCVE-2020-12426 at SUSECVE-2020-12426 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for squid (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for squid fixes the following issues:
- CVE-2020-15049.patch: fixes a Cache Poisoning and Request Smuggling
attack (CVE-2020-15049, bsc#1173455)
ImportantSUSE bug 1173455CVE-2020-15049 at SUSECVE-2020-15049 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for SUSE Manager Client Tools (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update fixes the following issues:
cobbler:
- Calculate relative path for kernel and inited when generating
grub entry (bsc#1170231)
Added: fix-grub2-entry-paths.diff
- Fix os-release version detection for SUSE
Modified: sles15.patch
- Jinja2 template library fix (bsc#1141661)
- Removes string replace for textmode fix (bsc#1134195)
golang-github-prometheus-node_exporter:
- Update to 0.18.1
* [BUGFIX] Fix incorrect sysctl call in BSD meminfo collector, resulting in broken swap metrics on FreeBSD #1345
* [BUGFIX] Fix rollover bug in mountstats collector #1364
* Renamed interface label to device in netclass collector for consistency with
* other network metrics #1224
* The cpufreq metrics now separate the cpufreq and scaling data based on what the driver provides. #1248
* The labels for the network_up metric have changed, see issue #1236
* Bonding collector now uses mii_status instead of operstatus #1124
* Several systemd metrics have been turned off by default to improve performance #1254
* These include unit_tasks_current, unit_tasks_max, service_restart_total, and unit_start_time_seconds
* The systemd collector blacklist now includes automount, device, mount, and slice units by default. #1255
* [CHANGE] Bonding state uses mii_status #1124
* [CHANGE] Add a limit to the number of in-flight requests #1166
* [CHANGE] Renamed interface label to device in netclass collector #1224
* [CHANGE] Add separate cpufreq and scaling metrics #1248
* [CHANGE] Several systemd metrics have been turned off by default to improve performance #1254
* [CHANGE] Expand systemd collector blacklist #1255
* [CHANGE] Split cpufreq metrics into a separate collector #1253
* [FEATURE] Add a flag to disable exporter metrics #1148
* [FEATURE] Add kstat-based Solaris metrics for boottime, cpu and zfs collectors #1197
* [FEATURE] Add uname collector for FreeBSD #1239
* [FEATURE] Add diskstats collector for OpenBSD #1250
* [FEATURE] Add pressure collector exposing pressure stall information for Linux #1174
* [FEATURE] Add perf exporter for Linux #1274
* [ENHANCEMENT] Add Infiniband counters #1120
* [ENHANCEMENT] Add TCPSynRetrans to netstat default filter #1143
* [ENHANCEMENT] Move network_up labels into new metric network_info #1236
* [ENHANCEMENT] Use 64-bit counters for Darwin netstat
* [BUGFIX] Add fallback for missing /proc/1/mounts #1172
* [BUGFIX] Fix node_textfile_mtime_seconds to work properly on symlinks #1326
- Add network-online (Wants and After) dependency to systemd unit bsc#1143913
golang-github-prometheus-prometheus:
- Update change log and spec file
+ Modified spec file: default to golang 1.14 to avoid 'have choice' build issues in OBS.
+ Rebase and update patches for version 2.18.0
+ Changed:
* 0002-Default-settings.patch Changed
- Update to 2.18.0
+ Features
* Tracing: Added experimental Jaeger support #7148
+ Changes
* Federation: Only use local TSDB for federation (ignore remote read). #7096
* Rules: `rule_evaluations_total` and `rule_evaluation_failures_total` have a `rule_group` label now. #7094
+ Enhancements
* TSDB: Significantly reduce WAL size kept around after a block cut. #7098
* Discovery: Add `architecture` meta label for EC2. #7000
+ Bug fixes
* UI: Fixed wrong MinTime reported by /status. #7182
* React UI: Fixed multiselect legend on OSX. #6880
* Remote Write: Fixed blocked resharding edge case. #7122
* Remote Write: Fixed remote write not updating on relabel configs change. #7073
- Changes from 2.17.2
+ Bug fixes
* Federation: Register federation metrics #7081
* PromQL: Fix panic in parser error handling #7132
* Rules: Fix reloads hanging when deleting a rule group that is being evaluated #7138
* TSDB: Fix a memory leak when prometheus starts with an empty TSDB WAL #7135
* TSDB: Make isolation more robust to panics in web handlers #7129 #7136
- Changes from 2.17.1
+ Bug fixes
* TSDB: Fix query performance regression that increased memory and CPU usage #7051
- Changes from 2.17.0
+ Features
* TSDB: Support isolation #6841
* This release implements isolation in TSDB. API queries and recording rules are
guaranteed to only see full scrapes and full recording rules. This comes with a
certain overhead in resource usage. Depending on the situation, there might be
some increase in memory usage, CPU usage, or query latency.
+ Enhancements
* PromQL: Allow more keywords as metric names #6933
* React UI: Add normalization of localhost URLs in targets page #6794
* Remote read: Read from remote storage concurrently #6770
* Rules: Mark deleted rule series as stale after a reload #6745
* Scrape: Log scrape append failures as debug rather than warn #6852
* TSDB: Improve query performance for queries that partially hit the head #6676
* Consul SD: Expose service health as meta label #5313
* EC2 SD: Expose EC2 instance lifecycle as meta label #6914
* Kubernetes SD: Expose service type as meta label for K8s service role #6684
* Kubernetes SD: Expose label_selector and field_selector #6807
* Openstack SD: Expose hypervisor id as meta label #6962
+ Bug fixes
* PromQL: Do not escape HTML-like chars in query log #6834 #6795
* React UI: Fix data table matrix values #6896
* React UI: Fix new targets page not loading when using non-ASCII characters #6892
* Remote read: Fix duplication of metrics read from remote storage with external labels #6967 #7018
* Remote write: Register WAL watcher and live reader metrics for all remotes, not just the first one #6998
* Scrape: Prevent removal of metric names upon relabeling #6891
* Scrape: Fix 'superfluous response.WriteHeader call' errors when scrape fails under some circonstances #6986
* Scrape: Fix crash when reloads are separated by two scrape intervals #7011
- Changes from 2.16.0
+ Features
* React UI: Support local timezone on /graph #6692
* PromQL: add absent_over_time query function #6490
* Adding optional logging of queries to their own file #6520
+ Enhancements
* React UI: Add support for rules page and 'Xs ago' duration displays #6503
* React UI: alerts page, replace filtering togglers tabs with checkboxes #6543
* TSDB: Export metric for WAL write errors #6647
* TSDB: Improve query performance for queries that only touch the most recent 2h of data. #6651
* PromQL: Refactoring in parser errors to improve error messages #6634
* PromQL: Support trailing commas in grouping opts #6480
* Scrape: Reduce memory usage on reloads by reusing scrape cache #6670
* Scrape: Add metrics to track bytes and entries in the metadata cache #6675
* promtool: Add support for line-column numbers for invalid rules output #6533
* Avoid restarting rule groups when it is unnecessary #6450
+ Bug fixes
* React UI: Send cookies on fetch() on older browsers #6553
* React UI: adopt grafana flot fix for stacked graphs #6603
* React UI: broken graph page browser history so that back button works as expected #6659
* TSDB: ensure compactionsSkipped metric is registered, and log proper error if one is returned from head.Init #6616
* TSDB: return an error on ingesting series with duplicate labels #6664
* PromQL: Fix unary operator precedence #6579
* PromQL: Respect query.timeout even when we reach query.max-concurrency #6712
* PromQL: Fix string and parentheses handling in engine, which affected React UI #6612
* PromQL: Remove output labels returned by absent() if they are produced by multiple identical label matchers #6493
* Scrape: Validate that OpenMetrics input ends with `# EOF` #6505
* Remote read: return the correct error if configs can't be marshal'd to JSON #6622
* Remote write: Make remote client `Store` use passed context, which can affect shutdown timing #6673
* Remote write: Improve sharding calculation in cases where we would always be consistently behind by tracking pendingSamples #6511
* Ensure prometheus_rule_group metrics are deleted when a rule group is removed #6693
- Changes from 2.15.2
+ Bug fixes
* TSDB: Fixed support for TSDB blocks built with Prometheus before 2.1.0. #6564
* TSDB: Fixed block compaction issues on Windows. #6547
- Changes from 2.15.1
+ Bug fixes
* TSDB: Fixed race on concurrent queries against same data. #6512
- Changes from 2.15.0
+ Features
* API: Added new endpoint for exposing per metric metadata `/metadata`. #6420 #6442
+ Changes
* Discovery: Removed `prometheus_sd_kubernetes_cache_*` metrics. Additionally `prometheus_sd_kubernetes_workqueue_latency_seconds` and `prometheus_sd_kubernetes_workqueue_work_duration_seconds` metrics now show correct values in seconds. #6393
* Remote write: Changed `query` label on `prometheus_remote_storage_*` metrics to `remote_name` and `url`. #6043
+ Enhancements
* TSDB: Significantly reduced memory footprint of loaded TSDB blocks. #6418 #6461
* TSDB: Significantly optimized what we buffer during compaction which should result in lower memory footprint during compaction. #6422 #6452 #6468 #6475
* TSDB: Improve replay latency. #6230
* TSDB: WAL size is now used for size based retention calculation. #5886
* Remote read: Added query grouping and range hints to the remote read request #6401
* Remote write: Added `prometheus_remote_storage_sent_bytes_total` counter per queue. #6344
* promql: Improved PromQL parser performance. #6356
* React UI: Implemented missing pages like `/targets` #6276, TSDB status page #6281 #6267 and many other fixes and performance improvements.
* promql: Prometheus now accepts spaces between time range and square bracket. e.g `[ 5m]` #6065
+ Bug fixes
* Config: Fixed alertmanager configuration to not miss targets when configurations are similar. #6455
* Remote write: Value of `prometheus_remote_storage_shards_desired` gauge shows raw value of desired shards and it's updated correctly. #6378
* Rules: Prometheus now fails the evaluation of rules and alerts where metric results collide with labels specified in `labels` field. #6469
* API: Targets Metadata API `/targets/metadata` now accepts empty `match_targets` parameter as in the spec. #6303
- Changes from 2.14.0
+ Features
* API: `/api/v1/status/runtimeinfo` and `/api/v1/status/buildinfo` endpoints added for use by the React UI. #6243
* React UI: implement the new experimental React based UI. #5694 and many more
* Can be found by under `/new`.
* Not all pages are implemented yet.
* Status: Cardinality statistics added to the Runtime & Build Information page. #6125
+ Enhancements
* Remote write: fix delays in remote write after a compaction. #6021
* UI: Alerts can be filtered by state. #5758
+ Bug fixes
* Ensure warnings from the API are escaped. #6279
* API: lifecycle endpoints return 403 when not enabled. #6057
* Build: Fix Solaris build. #6149
* Promtool: Remove false duplicate rule warnings when checking rule files with alerts. #6270
* Remote write: restore use of deduplicating logger in remote write. #6113
* Remote write: do not reshard when unable to send samples. #6111
* Service discovery: errors are no longer logged on context cancellation. #6116, #6133
* UI: handle null response from API properly. #6071
- Changes from 2.13.1
+ Bug fixes
* Fix panic in ARM builds of Prometheus. #6110
* promql: fix potential panic in the query logger. #6094
* Multiple errors of http: superfluous response.WriteHeader call in the logs. #6145
- Changes from 2.13.0
+ Enhancements
* Metrics: renamed prometheus_sd_configs_failed_total to prometheus_sd_failed_configs and changed to Gauge #5254
* Include the tsdb tool in builds. #6089
* Service discovery: add new node address types for kubernetes. #5902
* UI: show warnings if query have returned some warnings. #5964
* Remote write: reduce memory usage of the series cache. #5849
* Remote read: use remote read streaming to reduce memory usage. #5703
* Metrics: added metrics for remote write max/min/desired shards to queue manager. #5787
* Promtool: show the warnings during label query. #5924
* Promtool: improve error messages when parsing bad rules. #5965
* Promtool: more promlint rules. #5515
+ Bug fixes
* UI: Fix a Stored DOM XSS vulnerability with query history [CVE-2019-10215](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10215). #6098
* Promtool: fix recording inconsistency due to duplicate labels. #6026
* UI: fixes service-discovery view when accessed from unhealthy targets. #5915
* Metrics format: OpenMetrics parser crashes on short input. #5939
* UI: avoid truncated Y-axis values. #6014
- Changes from 2.12.0
+ Features
* Track currently active PromQL queries in a log file. #5794
* Enable and provide binaries for `mips64` / `mips64le` architectures. #5792
+ Enhancements
* Improve responsiveness of targets web UI and API endpoint. #5740
* Improve remote write desired shards calculation. #5763
* Flush TSDB pages more precisely. tsdb#660
* Add `prometheus_tsdb_retention_limit_bytes` metric. tsdb#667
* Add logging during TSDB WAL replay on startup. tsdb#662
* Improve TSDB memory usage. tsdb#653, tsdb#643, tsdb#654, tsdb#642, tsdb#627
+ Bug fixes
* Check for duplicate label names in remote read. #5829
* Mark deleted rules' series as stale on next evaluation. #5759
* Fix JavaScript error when showing warning about out-of-sync server time. #5833
* Fix `promtool test rules` panic when providing empty `exp_labels`. #5774
* Only check last directory when discovering checkpoint number. #5756
* Fix error propagation in WAL watcher helper functions. #5741
* Correctly handle empty labels from alert templates. #5845
- Update Uyuni/SUSE Manager service discovery patch
+ Modified 0003-Add-Uyuni-service-discovery.patch:
+ Adapt service discovery to the new Uyuni API endpoints
+ Modified spec file: force golang 1.12 to fix build issues in SLE15SP2
- Update to Prometheus 2.11.2
grafana:
- Update to version 7.0.3
* Features / Enhancements
- Stats: include all fields. #24829, @ryantxu
- Variables: change VariableEditorList row action Icon to IconButton. #25217, @hshoff
* Bug fixes
- Cloudwatch: Fix dimensions of DDoSProtection. #25317, @papagian
- Configuration: Fix env var override of sections containing hyphen. #25178, @marefr
- Dashboard: Get panels in collapsed rows. #25079, @peterholmberg
- Do not show alerts tab when alerting is disabled. #25285, @dprokop
- Jaeger: fixes cascader option label duration value. #25129, @Estrax
- Transformations: Fixed Transform tab crash & no update after adding first transform. #25152, @torkelo
- Update to version 7.0.2
* Bug fixes
- Security: Urgent security patch release to fix CVE-2020-13379
- Update to version 7.0.1
* Features / Enhancements
- Datasource/CloudWatch: Makes CloudWatch Logs query history more readable. #24795, @kaydelaney
- Download CSV: Add date and time formatting. #24992, @ryantxu
- Table: Make last cell value visible when right aligned. #24921, @peterholmberg
- TablePanel: Adding sort order persistance. #24705, @torkelo
- Transformations: Display correct field name when using reduce transformation. #25068, @peterholmberg
- Transformations: Allow custom number input for binary operations. #24752, @ryantxu
* Bug fixes
- Dashboard/Links: Fixes dashboard links by tags not working. #24773, @KamalGalrani
- Dashboard/Links: Fixes open in new window for dashboard link. #24772, @KamalGalrani
- Dashboard/Links: Variables are resolved and limits to 100. #25076, @hugohaggmark
- DataLinks: Bring back variables interpolation in title. #24970, @dprokop
- Datasource/CloudWatch: Field suggestions no longer limited to prefix-only. #24855, @kaydelaney
- Explore/Table: Keep existing field types if possible. #24944, @kaydelaney
- Explore: Fix wrap lines toggle for results of queries with filter expression. #24915, @ivanahuckova
- Explore: fix undo in query editor. #24797, @zoltanbedi
- Explore: fix word break in type head info. #25014, @zoltanbedi
- Graph: Legend decimals now work as expected. #24931, @torkelo
- LoginPage: Fix hover color for service buttons. #25009, @tskarhed
- LogsPanel: Fix scrollbar. #24850, @ivanahuckova
- MoveDashboard: Fix for moving dashboard caused all variables to be lost. #25005, @torkelo
- Organize transformer: Use display name in field order comparer. #24984, @dprokop
- Panel: shows correct panel menu items in view mode. #24912, @hugohaggmark
- PanelEditor Fix missing labels and description if there is only single option in category. #24905, @dprokop
- PanelEditor: Overrides name matcher still show all original field names even after Field default display name is specified. #24933, @torkelo
- PanelInspector: Makes sure Data display options are visible. #24902, @hugohaggmark
- PanelInspector: Hides unsupported data display options for Panel type. #24918, @hugohaggmark
- PanelMenu: Make menu disappear on button press. #25015, @tskarhed
- Postgres: Fix add button. #25087, @phemmer
- Prometheus: Fix recording rules expansion. #24977, @ivanahuckova
- Stackdriver: Fix creating Service Level Objectives (SLO) datasource query variable. #25023, @papagian
- Update to version 7.0.0
* Breaking changes
- Removed PhantomJS: PhantomJS was deprecated in Grafana v6.4 and starting from Grafana v7.0.0, all PhantomJS support has been removed. This means that Grafana no longer ships with a built-in image renderer, and we advise you to install the Grafana Image Renderer plugin.
- Dashboard: A global minimum dashboard refresh interval is now enforced and defaults to 5 seconds.
- Interval calculation: There is now a new option Max data points that controls the auto interval $__interval calculation. Interval was previously calculated by dividing the panel width by the time range. With the new max data points option it is now easy to set $__interval to a dynamic value that is time range agnostic. For example if you set Max data points to 10 Grafana will dynamically set $__interval by dividing the current time range by 10.
- Datasource/Loki: Support for deprecated Loki endpoints has been removed.
- Backend plugins: Grafana now requires backend plugins to be signed, otherwise Grafana will not load/start them. This is an additional security measure to make sure backend plugin binaries and files haven't been tampered with. Refer to Upgrade Grafana for more information.
- @grafana/ui: Forms migration notice, see @grafana/ui changelog
- @grafana/ui: Select API change for creating custom values, see @grafana/ui changelog
+ Deprecation warnings
- Scripted dashboards is now deprecated. The feature is not removed but will be in a future release. We hope to address the underlying requirement of dynamic dashboards in a different way. #24059
- The unofficial first version of backend plugins together with usage of grafana/grafana-plugin-model is now deprecated and support for that will be removed in a future release. Please refer to backend plugins documentation for information about the new officially supported backend plugins.
* Features / Enhancements
- Backend plugins: Log deprecation warning when using the unofficial first version of backend plugins. #24675, @marefr
- Editor: New line on Enter, run query on Shift+Enter. #24654, @davkal
- Loki: Allow multiple derived fields with the same name. #24437, @aocenas
- Orgs: Add future deprecation notice. #24502, @torkelo
* Bug Fixes
- @grafana/toolkit: Use process.cwd() instead of PWD to get directory. #24677, @zoltanbedi
- Admin: Makes long settings values line break in settings page. #24559, @hugohaggmark
- Dashboard: Allow editing provisioned dashboard JSON and add confirmation when JSON is copied to dashboard. #24680, @dprokop
- Dashboard: Fix for strange 'dashboard not found' errors when opening links in dashboard settings. #24416, @torkelo
- Dashboard: Fix so default data source is selected when data source can't be found in panel editor. #24526, @mckn
- Dashboard: Fixed issue changing a panel from transparent back to normal in panel editor. #24483, @torkelo
- Dashboard: Make header names reflect the field name when exporting to CSV file from the the panel inspector. #24624, @peterholmberg
- Dashboard: Make sure side pane is displayed with tabs by default in panel editor. #24636, @dprokop
- Data source: Fix query/annotation help content formatting. #24687, @AgnesToulet
- Data source: Fixes async mount errors. #24579, @Estrax
- Data source: Fixes saving a data source without failure when URL doesn't specify a protocol. #24497, @aknuds1
- Explore/Prometheus: Show results of instant queries only in table. #24508, @ivanahuckova
- Explore: Fix rendering of react query editors. #24593, @ivanahuckova
- Explore: Fixes loading more logs in logs context view. #24135, @Estrax
- Graphite: Fix schema and dedupe strategy in rollup indicators for Metrictank queries. #24685, @torkelo
- Graphite: Makes query annotations work again. #24556, @hugohaggmark
- Logs: Clicking 'Load more' from context overlay doesn't expand log row. #24299, @kaydelaney
- Logs: Fix total bytes process calculation. #24691, @davkal
- Org/user/team preferences: Fixes so UI Theme can be set back to Default. #24628, @AgnesToulet
- Plugins: Fix manifest validation. #24573, @aknuds1
- Provisioning: Use proxy as default access mode in provisioning. #24669, @bergquist
- Search: Fix select item when pressing enter and Grafana is served using a sub path. #24634, @tskarhed
- Search: Save folder expanded state. #24496, @Clarity-89
- Security: Tag value sanitization fix in OpenTSDB data source. #24539, @rotemreiss
- Table: Do not include angular options in options when switching from angular panel. #24684, @torkelo
- Table: Fixed persisting column resize for time series fields. #24505, @torkelo
- Table: Fixes Cannot read property subRows of null. #24578, @hugohaggmark
- Time picker: Fixed so you can enter a relative range in the time picker without being converted to absolute range. #24534, @mckn
- Transformations: Make transform dropdowns not cropped. #24615, @dprokop
- Transformations: Sort order should be preserved as entered by user when using the reduce transformation. #24494, @hugohaggmark
- Units: Adds scale symbol for currencies with suffixed symbol. #24678, @hugohaggmark
- Variables: Fixes filtering options with more than 1000 entries. #24614, @hugohaggmark
- Variables: Fixes so Textbox variables read value from url. #24623, @hugohaggmark
- Zipkin: Fix error when span contains remoteEndpoint. #24524, @aocenas
- SAML: Switch from email to login for user login attribute mapping (Enterprise)
- Update Makefile and spec file
* Remove phantomJS patch from Makefile
* Fix multiline strings in Makefile
* Exclude s390 from SLE12 builds, golang 1.14 is not built for s390
- Add instructions for patching the Grafana javascript frontend.
- BuildRequires golang(API) instead of go metapackage version range
* BuildRequires: golang(API) >= 1.14 from
BuildRequires: ( go >= 1.14 with go < 1.15 )
- Update to version 6.7.3
- This version fixes bsc#1170557 and its corresponding CVE-2020-12245
- Admin: Fix Synced via LDAP message for non-LDAP external users. #23477, @alexanderzobnin
- Alerting: Fixes notifications for alerts with empty message in Google Hangouts notifier. #23559, @hugohaggmark
- AuthProxy: Fixes bug where long username could not be cached.. #22926, @jcmcken
- Dashboard: Fix saving dashboard when editing raw dashboard JSON model. #23314, @peterholmberg
- Dashboard: Try to parse 8 and 15 digit numbers as timestamps if parsing of time range as date fails. #21694, @jessetan
- DashboardListPanel: Fixed problem with empty panel after going into edit mode (General folder filter being automatically added) . #23426, @torkelo
- Data source: Handle datasource withCredentials option properly. #23380, @hvtuananh
- Security: Fix annotation popup XSS vulnerability. #23813, @torkelo
- Server: Exit Grafana with status code 0 if no error. #23312, @aknuds1
- TablePanel: Fix XSS issue in header column rename (backport). #23814, @torkelo
- Variables: Fixes error when setting adhoc variable values. #23580, @hugohaggmark
- Update to version 6.7.2:
(see installed changelog for the full list of changes)
- BackendSrv: Adds config to response to fix issue for external plugins that used this property . #23032, @torkelo
- Dashboard: Fixed issue with saving new dashboard after changing title . #23104, @dprokop
- DataLinks: make sure we use the correct datapoint when dataset contains null value.. #22981, @mckn
- Plugins: Fixed issue for plugins that imported dateMath util . #23069, @mckn
- Security: Fix for dashboard snapshot original dashboard link could contain XSS vulnerability in url. #23254, @torkelo
- Variables: Fixes issue with too many queries being issued for nested template variables after value change. #23220, @torkelo
- Plugins: Expose promiseToDigest. #23249, @torkelo
- Reporting (Enterprise): Fixes issue updating a report created by someone else
- Update to 6.7.1:
(see installed changelog for the full list of changes)
Bug Fixes
- Azure: Fixed dropdowns not showing current value. #22914, @torkelo
- BackendSrv: only add content-type on POST, PUT requests. #22910, @hugohaggmark
- Panels: Fixed size issue with panel internal size when exiting panel edit mode. #22912, @torkelo
- Reporting: fixes migrations compatibility with mysql (Enterprise)
- Reporting: Reduce default concurrency limit to 4 (Enterprise)
- Update to 6.7.0:
(see installed changelog for the full list of changes)
Bug Fixes
- AngularPanels: Fixed inner height calculation for angular panels . #22796, @torkelo
- BackendSrv: makes sure provided headers are correctly recognized and set. #22778, @hugohaggmark
- Forms: Fix input suffix position (caret-down in Select) . #22780, @torkelo
- Graphite: Fixed issue with query editor and next select metric now showing after selecting metric node . #22856, @torkelo
- Rich History: UX adjustments and fixes. #22729, @ivanahuckova
- Update to 6.7.0-beta1:
Breaking changes
- Slack: Removed Mention setting and instead introduce Mention Users, Mention Groups, and Mention Channel. The first two settings require user and group IDs, respectively. This change was necessary because the way of mentioning via the Slack API changed and mentions in Slack notifications no longer worked.
- Alerting: Reverts the behavior of diff and percent_diff to not always be absolute. Something we introduced by mistake in 6.1.0. Alerting now support diff(), diff_abs(), percent_diff() and percent_diff_abs(). #21338
- Notice about changes in backendSrv for plugin authors
In our mission to migrate away from AngularJS to React we have removed all AngularJS dependencies in the core data retrieval service backendSrv.
Removing the AngularJS dependencies in backendSrv has the unfortunate side effect of AngularJS digest no longer being triggered for any request made with backendSrv. Because of this, external plugins using backendSrv directly may suffer from strange behaviour in the UI.
To remedy this issue, as a plugin author you need to trigger the digest after a direct call to backendSrv.
Bug Fixes
API: Fix redirect issues. #22285, @papagian
Alerting: Don't include image_url field with Slack message if empty. #22372, @aknuds1
Alerting: Fixed bad background color for default notifications in alert tab . #22660, @krvajal
Annotations: In table panel when setting transform to annotation, they will now show up right away without a manual refresh. #22323, @krvajal
Azure Monitor: Fix app insights source to allow for new __timeFrom and __timeTo. #21879, @ChadNedzlek
BackendSrv: Fixes POST body for form data. gmark
CloudWatch: Credentials cache invalidation fix. #22473, @sunker
CloudWatch: Expand alias variables when query yields no result. #22695, @sunker
Dashboard: Fix bug with NaN in alerting. #22053, @a-melnyk
Explore: Fix display of multiline logs in log panel and explore. #22057, @thomasdraebing
Heatmap: Legend color range is incorrect when using custom min/max. #21748, @sv5d
Security: Fixed XSS issue in dashboard history diff . #22680, @torkelo
StatPanel: Fixes base color is being used for null values .
#22646, @torkelo
- Update to version 6.6.2:
(see installed changelog for the full list of changes)
- Update to version 6.6.1:
(see installed changelog for the full list of changes)
- Update to version 6.6.0:
(see installed changelog for the full list of changes)
- Update to version 6.5.3:
(see installed changelog for the full list of changes)
- Update to version 6.5.2:
(see installed changelog for the full list of changes)
- Update to version 6.5.1:
(see installed changelog for the full list of changes)
- Update to version 6.5.0
(see installed changelog for the full list of changes)
- Update to version 6.4.5:
* Create version 6.4.5
* CloudWatch: Fix high CPU load (#20579)
- Add obs-service-go_modules to download required modules into vendor.tar.gz
- Adjusted spec file to use vendor.tar.gz
- Adjusted Makefile to work with new filenames
- BuildRequire go1.14
- Update to version 6.4.4:
* DataLinks: Fix blur issues. #19883, @aocenas
* Docker: Makes it possible to parse timezones in the docker image. #20081, @xlson
* LDAP: All LDAP servers should be tried even if one of them returns a connection error. #20077, @jongyllen
* LDAP: No longer shows incorrectly matching groups based on role in debug page. #20018, @xlson
* Singlestat: Fix no data / null value mapping . #19951, @ryantxu
- Revert the spec file and make script
- Remove PhantomJS dependency
- Update to 6.4.3
* Bug Fixes
- Alerting: All notification channels should send even if one fails to send. #19807, @jan25
- AzureMonitor: Fix slate interference with dropdowns. #19799, @aocenas
- ContextMenu: make ContextMenu positioning aware of the viewport width. #19699, @krvajal
- DataLinks: Fix context menu not showing in singlestat-ish visualisations. #19809, @dprokop
- DataLinks: Fix url field not releasing focus. #19804, @aocenas
- Datasource: Fixes clicking outside of some query editors required 2 clicks. #19822, @aocenas
- Panels: Fixes default tab for visualizations without Queries Tab. #19803, @hugohaggmark
- Singlestat: Fixed issue with mapping null to text. #19689, @torkelo
- @grafana/toolkit: Don't fail plugin creation when git user.name config is not set. #19821, @dprokop
- @grafana/toolkit: TSLint line number off by 1. #19782, @fredwangwang
- Update to 6.4.2
* Bug Fixes
- CloudWatch: Changes incorrect dimension wmlid to wlmid . #19679, @ATTron
- Grafana Image Renderer: Fixes plugin page. #19664, @hugohaggmark
- Graph: Fixes auto decimals logic for y axis ticks that results in too many decimals for high values. #19618, @torkelo
- Graph: Switching to series mode should re-render graph. #19623, @torkelo
- Loki: Fix autocomplete on label values. #19579, @aocenas
- Loki: Removes live option for logs panel. #19533, @davkal
- Profile: Fix issue with user profile not showing more than sessions sessions in some cases. #19578, @huynhsamha
- Prometheus: Fixes so results in Panel always are sorted by query order. #19597, @hugohaggmark
- sted keys in YAML provisioning caused a server crash, #19547
- ImageRendering: Fixed issue with image rendering in enterprise build (Enterprise)
- Reporting: Fixed issue with reporting service when STMP was disabled (Enterprise).
- Changes from 6.4.0
* Features / Enhancements
- Build: Upgrade go to 1.12.10. #19499, @marefr
- DataLinks: Suggestions menu improvements. #19396, @dprokop
- Explore: Take root_url setting into account when redirecting from dashboard to explore. #19447, @ivanahuckova
- Explore: Update broken link to logql docs. #19510, @ivanahuckova
- Logs: Adds Logs Panel as a visualization. #19504, @davkal
* Bug Fixes
- CLI: Fix version selection for plugin install. #19498, @aocenas
- Graph: Fixes minor issue with series override color picker and custom color . #19516, @torkelo
- Changes from 6.4.0 Beta 2
* Features / Enhancements
- Azure Monitor: Remove support for cross resource queries (#19115)'. #19346, @sunker
- Docker: Upgrade packages to resolve reported vulnerabilities. #19188, @marefr
- Graphite: Time range expansion reduced from 1 minute to 1 second. #19246, @torkelo
- grafana/toolkit: Add plugin creation task. #19207, @dprokop
* Bug Fixes
- Alerting: Prevents creating alerts from unsupported queries. #19250, @hugohaggmark
- Alerting: Truncate PagerDuty summary when greater than 1024 characters. #18730, @nvllsvm
- Cloudwatch: Fix autocomplete for Gamelift dimensions. #19146, @kevinpz
- Dashboard: Fix export for sharing when panels use default data source. #19315, @torkelo
- Database: Rewrite system statistics query to perform better. #19178, @papagian
- Gauge/BarGauge: Fix issue with [object Object] in titles . #19217, @ryantxu
- MSSQL: Revert usage of new connectionstring format introduced by #18384. #19203, @marefr
- Multi-LDAP: Do not fail-fast on invalid credentials. #19261, @gotjosh
- MySQL, Postgres, MSSQL: Fix validating query with template variables in alert . #19237, @marefr
- MySQL, Postgres: Update raw sql when query builder updates. #19209, @marefr
- MySQL: Limit datasource error details returned from the backend. #19373, @marefr
- Changes from 6.4.0 Beta 1
* Features / Enhancements
- API: Readonly datasources should not be created via the API. #19006, @papagian
- Alerting: Include configured AlertRuleTags in Webhooks notifier. #18233, @dominic-miglar
- Annotations: Add annotations support to Loki. #18949, @aocenas
- Annotations: Use a single row to represent a region. #17673, @ryantxu
- Auth: Allow inviting existing users when login form is disabled. #19048, @548017
- Azure Monitor: Add support for cross resource queries. #19115, @sunker
- CLI: Allow installing custom binary plugins. #17551, @aocenas
- Dashboard: Adds Logs Panel (alpha) as visualization option for Dashboards. #18641, @hugohaggmark
- Dashboard: Reuse query results between panels . #16660, @ryantxu
- Dashboard: Set time to to 23:59:59 when setting To time using calendar. #18595, @simPod
- DataLinks: Add DataLinks support to Gauge, BarGauge and SingleStat2 panel. #18605, @ryantxu
- DataLinks: Enable access to labels & field names. #18918, @torkelo
- DataLinks: Enable multiple data links per panel. #18434, @dprokop
- Docker: switch docker image to alpine base with phantomjs support. #18468, @DanCech
- Elasticsearch: allow templating queries to order by doc_count. #18870, @hackery
- Explore: Add throttling when doing live queries. #19085, @aocenas
- Explore: Adds ability to go back to dashboard, optionally with query changes. #17982, @kaydelaney
- Explore: Reduce default time range to last hour. #18212, @davkal
- Gauge/BarGauge: Support decimals for min/max. #18368, @ryantxu
- Graph: New series override transform constant that renders a single point as a line across the whole graph. #19102, @davkal
- Image rendering: Add deprecation warning when PhantomJS is used for rendering images. #18933, @papagian
- InfluxDB: Enable interpolation within ad-hoc filter values. #18077, @kvc-code
- LDAP: Allow an user to be synchronized against LDAP. #18976, @gotjosh
- Ldap: Add ldap debug page. #18759, @peterholmberg
- Loki: Remove prefetching of default label values. #18213, @davkal
- Metrics: Add failed alert notifications metric. #18089, @koorgoo
- OAuth: Support JMES path lookup when retrieving user email. #14683, @bobmshannon
- OAuth: return GitLab groups as a part of user info (enable team sync). #18388, @alexanderzobnin
- Panels: Add unit for electrical charge - ampere-hour. #18950, @anirudh-ramesh
- Plugin: AzureMonitor - Reapply MetricNamespace support. #17282, @raphaelquati
- Plugins: better warning when plugins fail to load. #18671, @ryantxu
- Postgres: Add support for scram sha 256 authentication. #18397, @nonamef
- RemoteCache: Support SSL with Redis. #18511, @kylebrandt
- SingleStat: The gauge option in now disabled/hidden (unless it's an old panel with it already enabled) . #18610, @ryantxu
- Stackdriver: Add extra alignment period options. #18909, @sunker
- Units: Add South African Rand (ZAR) to currencies. #18893, @jeteon
- Units: Adding T,P,E,Z,and Y bytes. #18706, @chiqomar
* Bug Fixes
- Alerting: Notification is sent when state changes from no_data to ok. #18920, @papagian
- Alerting: fix duplicate alert states when the alert fails to save to the database. #18216, @kylebrandt
- Alerting: fix response popover prompt when add notification channels. #18967, @lzdw
- CloudWatch: Fix alerting for queries with Id (using GetMetricData). #17899, @alex-berger
- Explore: Fix auto completion on label values for Loki. #18988, @aocenas
- Explore: Fixes crash using back button with a zoomed in graph. #19122, @hugohaggmark
- Explore: Fixes so queries in Explore are only run if Graph/Table is shown. #19000, @hugohaggmark
- MSSQL: Change connectionstring to URL format to fix using passwords with semicolon. #18384, @Russiancold
- MSSQL: Fix memory leak when debug enabled. #19049, @briangann
- Provisioning: Allow escaping literal '$' with '$$' in configs to avoid interpolation. #18045, @kylebrandt
- TimePicker: Fixes hiding time picker dropdown in FireFox. #19154, @hugohaggmark
* Breaking changes
+ Annotations
There are some breaking changes in the annotations HTTP API for region annotations. Region annotations are now represented
using a single event instead of two seperate events. Check breaking changes in HTTP API below and HTTP API documentation for more details.
+ Docker
Grafana is now using Alpine 3.10 as docker base image.
+ HTTP API
- GET /api/alert-notifications now requires at least editor access.
New /api/alert-notifications/lookup returns less information than /api/alert-notifications and can be access by any authenticated user.
- GET /api/alert-notifiers now requires at least editor access
- GET /api/org/users now requires org admin role.
New /api/org/users/lookup returns less information than /api/org/users and can be access by users that are org admins,
admin in any folder or admin of any team.
- GET /api/annotations no longer returns regionId property.
- POST /api/annotations no longer supports isRegion property.
- PUT /api/annotations/:id no longer supports isRegion property.
- PATCH /api/annotations/:id no longer supports isRegion property.
- DELETE /api/annotations/region/:id has been removed.
* Deprecation notes
+ PhantomJS
- PhantomJS, which is used for rendering images of dashboards and panels,
is deprecated and will be removed in a future Grafana release.
A deprecation warning will from now on be logged when Grafana starts up if PhantomJS is in use.
Please consider migrating from PhantomJS to the Grafana Image Renderer plugin.
- Changes from 6.3.6
* Features / Enhancements
- Metrics: Adds setting for turning off total stats metrics. #19142, @marefr
* Bug Fixes
- Database: Rewrite system statistics query to perform better. #19178, @papagian
- Explore: Fixes error when switching from prometheus to loki data sources. #18599, @kaydelaney
- Rebase package spec. Use mostly from fedora, fix suse specified things and fix some errors.
- Add missing directories provisioning/datasources and provisioning/notifiers
and sample.yaml as described in packaging/rpm/control from upstream.
Missing directories are shown in logfiles.
- Version 6.3.5
* Upgrades
+ Build: Upgrade to go 1.12.9.
* Bug Fixes
+ Dashboard: Fixes dashboards init failed loading error for dashboards with panel links that had missing properties.
+ Editor: Fixes issue where only entire lines were being copied.
+ Explore: Fixes query field layout in splitted view for Safari browsers.
+ LDAP: multildap + ldap integration.
+ Profile/UserAdmin: Fix for user agent parser crashes grafana-server on 32-bit builds.
+ Prometheus: Prevents panel editor crash when switching to Prometheus datasource.
+ Prometheus: Changes brace-insertion behavior to be less annoying.
- Version 6.3.4
* Security: CVE-2019-15043 - Parts of the HTTP API allow unauthenticated use.
- Version 6.3.3
* Bug Fixes
+ Annotations: Fix failing annotation query when time series query is cancelled. #18532 1, @dprokop 1
+ Auth: Do not set SameSite cookie attribute if cookie_samesite is none. #18462 1, @papagian 3
+ DataLinks: Apply scoped variables to data links correctly. #18454 1, @dprokop 1
+ DataLinks: Respect timezone when displaying datapoint’s timestamp in graph context menu. #18461 2, @dprokop 1
+ DataLinks: Use datapoint timestamp correctly when interpolating variables. #18459 1, @dprokop 1
+ Explore: Fix loading error for empty queries. #18488 1, @davkal
+ Graph: Fixes legend issue clicking on series line icon and issue with horizontal scrollbar being visible on windows. #18563 1, @torkelo 2
+ Graphite: Avoid glob of single-value array variables . #18420, @gotjosh
+ Prometheus: Fix queries with label_replace remove the $1 match when loading query editor. #18480 5, @hugohaggmark 3
+ Prometheus: More consistently allows for multi-line queries in editor. #18362 2, @kaydelaney 2
+ TimeSeries: Assume values are all numbers. #18540 4, @ryantxu
- Version 6.3.2
* Bug Fixes
+ Gauge/BarGauge: Fixes issue with losts thresholds and issue loading Gauge with avg stat. #18375 12
- Version 6.3.1
* Bug Fixes
+ PanelLinks: Fix crash issue Gauge & Bar Gauge for panels with panel links (drill down links). #18430 2
- Version 6.3.0
* Features / Enhancements
+ OAuth: Do not set SameSite OAuth cookie if cookie_samesite is None. #18392 4, @papagian 3
+ Auth Proxy: Include additional headers as part of the cache key. #18298 6, @gotjosh
+ Build grafana images consistently. #18224 12, @hassanfarid
+ Docs: SAML. #18069 11, @gotjosh
+ Permissions: Show plugins in nav for non admin users but hide plugin configuration. #18234 1, @aocenas
+ TimePicker: Increase max height of quick range dropdown. #18247 2, @torkelo 2
+ Alerting: Add tags to alert rules. #10989 13, @Thib17 1
+ Alerting: Attempt to send email notifications to all given email addresses. #16881 1, @zhulongcheng
+ Alerting: Improve alert rule testing. #16286 2, @marefr
+ Alerting: Support for configuring content field for Discord alert notifier. #17017 2, @jan25
+ Alertmanager: Replace illegal chars with underscore in label names. #17002 5, @bergquist 1
+ Auth: Allow expiration of API keys. #17678, @papagian 3
+ Auth: Return device, os and browser when listing user auth tokens in HTTP API. #17504, @shavonn 1
+ Auth: Support list and revoke of user auth tokens in UI. #17434 2, @shavonn 1
+ AzureMonitor: change clashing built-in Grafana variables/macro names for Azure Logs. #17140, @shavonn 1
+ CloudWatch: Made region visible for AWS Cloudwatch Expressions. #17243 2, @utkarshcmu
+ Cloudwatch: Add AWS DocDB metrics. #17241, @utkarshcmu
+ Dashboard: Use timezone dashboard setting when exporting to CSV. #18002 1, @dehrax
+ Data links. #17267 11, @torkelo 2
+ Docker: Switch base image to ubuntu:latest from debian:stretch to avoid security issues… #17066 5, @bergquist 1
+ Elasticsearch: Support for visualizing logs in Explore . #17605 7, @marefr
+ Explore: Adds Live option for supported datasources. #17062 1, @hugohaggmark 3
+ Explore: Adds orgId to URL for sharing purposes. #17895 1, @kaydelaney 2
+ Explore: Adds support for new loki ‘start’ and ‘end’ params for labels endpoint. #17512, @kaydelaney 2
+ Explore: Adds support for toggling raw query mode in explore. #17870, @kaydelaney 2
+ Explore: Allow switching between metrics and logs . #16959 2, @marefr
+ Explore: Combines the timestamp and local time columns into one. #17775, @hugohaggmark 3
+ Explore: Display log lines context . #17097, @dprokop 1
+ Explore: Don’t parse log levels if provided by field or label. #17180 1, @marefr
+ Explore: Improves performance of Logs element by limiting re-rendering. #17685, @kaydelaney 2
+ Explore: Support for new LogQL filtering syntax. #16674 4, @davkal
+ Explore: Use new TimePicker from Grafana/UI. #17793, @hugohaggmark 3
+ Explore: handle newlines in LogRow Highlighter. #17425, @rrfeng 1
+ Graph: Added new fill gradient option. #17528 3, @torkelo 2
+ GraphPanel: Don’t sort series when legend table & sort column is not visible . #17095, @shavonn 1
+ InfluxDB: Support for visualizing logs in Explore. #17450 9, @hugohaggmark 3
+ Logging: Login and Logout actions (#17760). #17883 1, @ATTron
+ Logging: Move log package to pkg/infra. #17023, @zhulongcheng
+ Metrics: Expose stats about roles as metrics. #17469 2, @bergquist 1
+ MySQL/Postgres/MSSQL: Add parsing for day, weeks and year intervals in macros. #13086 6, @bernardd
+ MySQL: Add support for periodically reloading client certs. #14892, @tpetr
+ Plugins: replace dataFormats list with skipDataQuery flag in plugin.json. #16984, @ryantxu
+ Prometheus: Take timezone into account for step alignment. #17477, @fxmiii
+ Prometheus: Use overridden panel range for $__range instead of dashboard range. #17352, @patrick246
+ Prometheus: added time range filter to series labels query. #16851 3, @FUSAKLA
+ Provisioning: Support folder that doesn’t exist yet in dashboard provisioning. #17407 1, @Nexucis
+ Refresh picker: Handle empty intervals. #17585 1, @dehrax
+ Singlestat: Add y min/max config to singlestat sparklines. #17527 4, @pitr
+ Snapshot: use given key and deleteKey. #16876, @zhulongcheng
+ Templating: Correctly display __text in multi-value variable after page reload. #17840 1, @EduardSergeev
+ Templating: Support selecting all filtered values of a multi-value variable. #16873 2, @r66ad
+ Tracing: allow propagation with Zipkin headers. #17009 4, @jrockway
+ Users: Disable users removed from LDAP. #16820 2, @alexanderzobnin
* Bug Fixes
+ PanelLinks: Fix render issue when there is no panel description. #18408 3, @dehrax
+ OAuth: Fix “missing saved state” OAuth login failure due to SameSite cookie policy. #18332 1, @papagian 3
+ cli: fix for recognizing when in dev mode… #18334, @xlson
+ DataLinks: Fixes incorrect interpolation of ${__series_name} . #18251 1, @torkelo 2
+ Loki: Display live tailed logs in correct order in Explore. #18031 3, @kaydelaney 2
+ PhantomJS: Fixes rendering on Debian Buster. #18162 2, @xlson
+ TimePicker: Fixed style issue for custom range popover. #18244, @torkelo 2
+ Timerange: Fixes a bug where custom time ranges didn’t respect UTC. #18248 1, @kaydelaney 2
+ remote_cache: Fix redis connstr parsing. #18204 1, @mblaschke
+ AddPanel: Fix issue when removing moved add panel widget . #17659 2, @dehrax
+ CLI: Fix encrypt-datasource-passwords fails with sql error. #18014, @marefr
+ Elasticsearch: Fix default max concurrent shard requests. #17770 4, @marefr
+ Explore: Fix browsing back to dashboard panel. #17061, @jschill
+ Explore: Fix filter by series level in logs graph. #17798, @marefr
+ Explore: Fix issues when loading and both graph/table are collapsed. #17113, @marefr
+ Explore: Fix selection/copy of log lines. #17121, @marefr
+ Fix: Wrap value of multi variable in array when coming from URL. #16992 1, @aocenas
+ Frontend: Fix for Json tree component not working. #17608, @srid12
+ Graphite: Fix for issue with alias function being moved last. #17791, @torkelo 2
+ Graphite: Fixes issue with seriesByTag & function with variable param. #17795, @torkelo 2
+ Graphite: use POST for /metrics/find requests. #17814 2, @papagian 3
+ HTTP Server: Serve Grafana with a custom URL path prefix. #17048 6, @jan25
+ InfluxDB: Fixes single quotes are not escaped in label value filters. #17398 1, @Panzki
+ Prometheus: Correctly escape ‘|’ literals in interpolated PromQL variables. #16932, @Limess
+ Prometheus: Fix when adding label for metrics which contains colons in Explore. #16760, @tolwi
+ SinglestatPanel: Remove background color when value turns null. #17552 1, @druggieri
- Make phantomjs dependency configurable
- Create plugin directory and clean up (create in %install,
add to %files) handling of /var/lib/grafana/* and
mgr-cfg:
- Remove commented code in test files
- Replace spacewalk-usix with uyuni-common-libs
- Bump version to 4.1.0 (bsc#1154940)
- Add mgr manpage links
mgr-custom-info:
- Bump version to 4.1.0 (bsc#1154940)
mgr-daemon:
- Bump version to 4.1.0 (bsc#1154940)
- Fix systemd timer configuration on SLE12 (bsc#1142038)
mgr-osad:
- Separate osa-dispatcher and jabberd so it can be disabled independently
- Replace spacewalk-usix with uyuni-common-libs
- Bump version to 4.1.0 (bsc#1154940)
- Move /usr/share/rhn/config-defaults to uyuni-base-common
- Require uyuni-base-common for /etc/rhn (for osa-dispatcher)
- Ensure bytes type when using hashlib to avoid traceback (bsc#1138822)
mgr-push:
- Replace spacewalk-usix and spacewalk-backend-libs with uyuni-common-libs
- Bump version to 4.1.0 (bsc#1154940)
mgr-virtualization:
- Replace spacewalk-usix with uyuni-common-libs
- Bump version to 4.1.0 (bsc#1154940)
- Fix mgr-virtualization timer
rhnlib:
- Fix building
- Fix malformed XML response when data contains non-ASCII chars (bsc#1154968)
- Bump version to 4.1.0 (bsc#1154940)
- Fix bootstrapping SLE11SP4 trad client with SSL enabled (bsc#1148177)
spacecmd:
- Only report real error, not result (bsc#1171687)
- Use defined return values for spacecmd methods so scripts can
check for failure (bsc#1171687)
- Disable globbing for api subcommand to allow wildcards in filter
settings (bsc#1163871)
- Bugfix: attempt to purge SSM when it is empty (bsc#1155372)
- Bump version to 4.1.0 (bsc#1154940)
- Prevent error when piping stdout in Python 2 (bsc#1153090)
- Java api expects content as encoded string instead of encoded bytes like before (bsc#1153277)
- Enable building and installing for Ubuntu 16.04 and Ubuntu 18.04
- Add unit test for schedule, errata, user, utils, misc, configchannel
and kickstart modules
- Multiple minor bugfixes alongside the unit tests
- Bugfix: referenced variable before assignment.
- Add unit test for report, package, org, repo and group
spacewalk-client-tools:
- Add workaround for uptime overflow to spacewalk-update-status as well (bsc#1165921)
- Spell correctly 'successful' and 'successfully'
- Skip dmidecode data on aarch64 to prevent coredump (bsc#1113160)
- Replace spacewalk-usix with uyuni-common-libs
- Return a non-zero exit status on errors in rhn_check
- Bump version to 4.1.0 (bsc#1154940)
- Make a explicit requirement to systemd for spacewalk-client-tools
when rhnsd timer is installed
spacewalk-koan:
- Bump version to 4.1.0 (bsc#1154940)
- Require commands we use in merge-rd.sh
spacewalk-oscap:
- Bump version to 4.1.0 (bsc#1154940)
spacewalk-remote-utils:
- Update spacewalk-create-channel with RHEL 7.7 channel definitions
- Bump version to 4.1.0 (bsc#1154940)
supportutils-plugin-susemanager-client:
- Bump version to 4.1.0 (bsc#1154940)
suseRegisterInfo:
- SuseRegisterInfo only needs perl-base, not full perl (bsc#1168310)
- Bump version to 4.1.0 (bsc#1154940)
zypp-plugin-spacewalk:
- Prevent issue with non-ASCII characters in Python 2 systems (bsc#1172462)
ModerateSUSE bug 1113160SUSE bug 1134195SUSE bug 1138822SUSE bug 1141661SUSE bug 1142038SUSE bug 1143913SUSE bug 1148177SUSE bug 1153090SUSE bug 1153277SUSE bug 1154940SUSE bug 1154968SUSE bug 1155372SUSE bug 1163871SUSE bug 1165921SUSE bug 1168310SUSE bug 1170231SUSE bug 1170557SUSE bug 1171687SUSE bug 1172462CVE-2019-10215 at SUSECVE-2019-10215 at NVDCVE-2019-15043 at SUSECVE-2019-15043 at NVDCVE-2020-12245 at SUSECVE-2020-12245 at NVDCVE-2020-13379 at SUSECVE-2020-13379 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for xrdp (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for xrdp fixes the following issues:
- Security fixes (bsc#1173580, CVE-2020-4044):
+ Add patches:
* xrdp-cve-2020-4044-fix-0.patch
* xrdp-cve-2020-4044-fix-1.patch
+ Rebase SLE patch:
* xrdp-fate318398-change-expired-password.patch
- Update patch:
+ xrdp-Allow-sessions-with-32-bpp.patch.patch
ImportantSUSE bug 1173580CVE-2020-4044 at SUSECVE-2020-4044 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_113 fixes several issues.
The following security issues were fixed:
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in the Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bsc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in the Marvell WiFi chip driver. An attacker was able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bsc#1157155).
ImportantSUSE bug 1160467SUSE bug 1160468CVE-2019-14896 at SUSECVE-2019-14896 at NVDCVE-2019-14897 at SUSECVE-2019-14897 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for mailman (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for mailman fixes the following issues:
- CVE-2020-15011: Fixed a possible Arbitrary Content Injection via the private archive login page (bsc#1173369).
ImportantSUSE bug 1173369CVE-2020-15011 at SUSECVE-2020-15011 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_107 fixes several issues.
The following security issues were fixed:
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in the Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bsc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in the Marvell WiFi chip driver. An attacker was able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bsc#1157155).
ImportantSUSE bug 1160467SUSE bug 1160468CVE-2019-14896 at SUSECVE-2019-14896 at NVDCVE-2019-14897 at SUSECVE-2019-14897 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for samba (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for samba fixes the following issues:
- CVE-2020-10745: Fixed an issue which parsing and packing of NBT and DNS packets containing dots could potentially have consumed excessive CPU (bsc#1173160).
ModerateSUSE bug 1173160CVE-2020-10745 at SUSECVE-2020-10745 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.28.3 (bsc#1173998):
+ Enable kinetic scrolling with async scrolling.
+ Fix web process hangs on large GitHub pages.
+ Bubblewrap sandbox should not attempt to bind empty paths.
+ Fix threading issues in the media player.
+ Fix several crashes and rendering issues.
+ Security fixes: CVE-2020-9802, CVE-2020-9803, CVE-2020-9805,
CVE-2020-9806, CVE-2020-9807, CVE-2020-9843, CVE-2020-9850,
CVE-2020-13753.
ImportantSUSE bug 1173998CVE-2020-13753 at SUSECVE-2020-13753 at NVDCVE-2020-9802 at SUSECVE-2020-9802 at NVDCVE-2020-9803 at SUSECVE-2020-9803 at NVDCVE-2020-9805 at SUSECVE-2020-9805 at NVDCVE-2020-9806 at SUSECVE-2020-9806 at NVDCVE-2020-9807 at SUSECVE-2020-9807 at NVDCVE-2020-9843 at SUSECVE-2020-9843 at NVDCVE-2020-9850 at SUSECVE-2020-9850 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for grub2 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for grub2 fixes the following issues:
- Fix for CVE-2020-10713 (bsc#1168994)
- Fix for CVE-2020-14308 CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
(bsc#1173812)
- Fix for CVE-2020-15706 (bsc#1174463)
- Fix for CVE-2020-15707 (bsc#1174570)
- Use overflow checking primitives where the arithmetic expression for buffer
allocations may include unvalidated data
- Use grub_calloc for overflow check and return NULL when it would occur
- Use gcc-9 compiler for overflow check builtins
- Backport gcc-9 build fixes
- Fix packed-not-aligned error on GCC 8 (bsc#1084632)
ImportantSUSE bug 1084632SUSE bug 1168994SUSE bug 1173812SUSE bug 1174463SUSE bug 1174570CVE-2020-10713 at SUSECVE-2020-10713 at NVDCVE-2020-14308 at SUSECVE-2020-14308 at NVDCVE-2020-14309 at SUSECVE-2020-14309 at NVDCVE-2020-14310 at SUSECVE-2020-14310 at NVDCVE-2020-14311 at SUSECVE-2020-14311 at NVDCVE-2020-15706 at SUSECVE-2020-15706 at NVDCVE-2020-15707 at SUSECVE-2020-15707 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 28 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_103 fixes several issues.
The following security issues were fixed:
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in the Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bsc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in the Marvell WiFi chip driver. An attacker was able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bsc#1157155).
ImportantSUSE bug 1160467SUSE bug 1160468CVE-2019-14896 at SUSECVE-2019-14896 at NVDCVE-2019-14897 at SUSECVE-2019-14897 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for ghostscript (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for ghostscript fixes the following issues:
- fixed CVE-2020-15900 Memory Corruption (SAFER Sandbox Breakout)
cf. https://bugs.ghostscript.com/show_bug.cgi?id=702582
(bsc#1174415)
ImportantSUSE bug 1174415CVE-2020-15900 at SUSECVE-2020-15900 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.1.0 ESR
* Fixed: Various stability, functionality, and security fixes (bsc#1174538)
* CVE-2020-15652: Potential leak of redirect targets when loading scripts in a worker
* CVE-2020-6514: WebRTC data channel leaks internal address to peer
* CVE-2020-15655: Extension APIs could be used to bypass Same-Origin Policy
* CVE-2020-15653: Bypassing iframe sandbox when allowing popups
* CVE-2020-6463: Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
* CVE-2020-15656: Type confusion for special arguments in IonMonkey
* CVE-2020-15658: Overriding file type when saving to disk
* CVE-2020-15657: DLL hijacking due to incorrect loading path
* CVE-2020-15654: Custom cursor can overlay user interface
* CVE-2020-15659: Memory safety bugs fixed in Firefox 79 and Firefox ESR 78.1
ModerateSUSE bug 1173948SUSE bug 1174538CVE-2020-15652 at SUSECVE-2020-15652 at NVDCVE-2020-15653 at SUSECVE-2020-15653 at NVDCVE-2020-15654 at SUSECVE-2020-15654 at NVDCVE-2020-15655 at SUSECVE-2020-15655 at NVDCVE-2020-15656 at SUSECVE-2020-15656 at NVDCVE-2020-15657 at SUSECVE-2020-15657 at NVDCVE-2020-15658 at SUSECVE-2020-15658 at NVDCVE-2020-15659 at SUSECVE-2020-15659 at NVDCVE-2020-6463 at SUSECVE-2020-6463 at NVDCVE-2020-6514 at SUSECVE-2020-6514 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 27 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_100 fixes several issues.
The following security issues were fixed:
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in the Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bsc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in the Marvell WiFi chip driver. An attacker was able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bsc#1157155).
ImportantSUSE bug 1160467SUSE bug 1160468CVE-2019-14896 at SUSECVE-2019-14896 at NVDCVE-2019-14897 at SUSECVE-2019-14897 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libX11 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libX11 fixes the following issues:
- Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628)
ImportantSUSE bug 1174628CVE-2020-14344 at SUSECVE-2020-14344 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-10135: Legacy pairing and secure-connections pairing authentication in Bluetooth may have allowed an unauthenticated user to complete authentication without pairing credentials via adjacent access. An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or slave to pair with a previously paired remote device to successfully complete the authentication procedure without knowing the link key (bnc#1171988).
- CVE-2020-10711: A NULL pointer dereference flaw was found in the SELinux subsystem. This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into the SELinux extensible bitmap via the' ebitmap_netlbl_import' routine. This flaw allowed a remote network user to crash the system kernel, resulting in a denial of service (bnc#1171191).
- CVE-2020-10751: A flaw was found in the SELinux LSM hook implementation, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing (bnc#1171189).
- CVE-2019-20812: An issue was discovered in the prb_calc_retire_blk_tmo() function in net/packet/af_packet.c can result in a denial of service (CPU consumption and soft lockup) in a certain failure case involving TPACKET_V3, aka CID-b43d1f9f7067 (bnc#1172453).
- CVE-2020-10732: A flaw was found in the implementation of userspace core dumps. This flaw allowed an attacker with a local account to crash a trivial program and exfiltrate private kernel data (bnc#1171220).
- CVE-2020-0305: In cdev_get of char_dev.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1174462).
- CVE-2020-12771: btree_gc_coalesce in drivers/md/bcache/btree.c had a deadlock if a coalescing operation fails (bnc#1171732).
- CVE-2020-10773: A kernel stack information leak on s390/s390x was fixed (bnc#1172999).
- CVE-2020-14416: A race condition in tty->disc_data handling in the slip and slcan line discipline could lead to a use-after-free, aka CID-0ace17d56824. This affects drivers/net/slip/slip.c and drivers/net/can/slcan.c (bnc#1162002).
- CVE-2020-13974: drivers/tty/vt/keyboard.c had an integer overflow if k_ascii is called several times in a row, aka CID-b86dab054059. (bnc#1172775).
- CVE-2019-20810: go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux kernel did not call snd_card_free for a failure path, which causes a memory leak, aka CID-9453264ef586 (bnc#1172458).
The following non-security bugs were fixed:
- Drivers: hv: Change flag to write log level in panic msg to false (bsc#1170618).
- ibmvnic: Do not process device remove during device reset (bsc#1065729).
- ibmvnic: Do not process reset during or after device removal (bsc#1149652 ltc#179635).
- ibmvnic: Flush existing work items before device removal (bsc#1065729).
- ibmvnic: Harden device login requests (bsc#1170011 ltc#183538).
- ibmvnic: Skip fatal error reset after passive init (bsc#1171078 ltc#184239).
- ibmvnic: Unmap DMA address of TX descriptor buffers after use (bsc#1146351 ltc#180726).
- ibmvnic: continue to init in CRQ reset returns H_CLOSED (bsc#1173280 ltc#185369).
- intel_idle: Graceful probe failure when MWAIT is disabled (bsc#1174115).
- mm, vmstat: reduce zone->lock holding time by /proc/pagetypeinfo (bsc#1164910).
- net/ibmvnic: Fix missing { in __ibmvnic_reset (bsc#1149652 ltc#179635).
- net/ibmvnic: free reset work of removed device from queue (bsc#1149652 ltc#179635).
- net/ibmvnic: prevent more than one thread from running in reset (bsc#1152457 ltc#174432).
- net/ibmvnic: unlock rtnl_lock in reset so linkwatch_event can run (bsc#1152457 ltc#174432).
- udp: drop corrupt packets earlier to avoid data corruption (bsc#1173658).
ImportantSUSE bug 1065729SUSE bug 1146351SUSE bug 1149652SUSE bug 1152457SUSE bug 1162002SUSE bug 1164910SUSE bug 1170011SUSE bug 1170618SUSE bug 1171078SUSE bug 1171189SUSE bug 1171191SUSE bug 1171220SUSE bug 1171732SUSE bug 1171988SUSE bug 1172453SUSE bug 1172458SUSE bug 1172775SUSE bug 1172999SUSE bug 1173280SUSE bug 1173658SUSE bug 1174115SUSE bug 1174462SUSE bug 1174543CVE-2019-20810 at SUSECVE-2019-20810 at NVDCVE-2019-20812 at SUSECVE-2019-20812 at NVDCVE-2020-0305 at SUSECVE-2020-0305 at NVDCVE-2020-10135 at SUSECVE-2020-10135 at NVDCVE-2020-10711 at SUSECVE-2020-10711 at NVDCVE-2020-10732 at SUSECVE-2020-10732 at NVDCVE-2020-10751 at SUSECVE-2020-10751 at NVDCVE-2020-10773 at SUSECVE-2020-10773 at NVDCVE-2020-12771 at SUSECVE-2020-12771 at NVDCVE-2020-13974 at SUSECVE-2020-13974 at NVDCVE-2020-14416 at SUSECVE-2020-14416 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for python-ipaddress (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for python-ipaddress fixes the following issues:
- Add CVE-2020-14422-ipaddress-hash-collision.patch fixing
CVE-2020-14422 (bsc#1173274, bpo#41004), where hash collisions
in IPv4Interface and IPv6Interface could lead to DOS.
ImportantSUSE bug 1173274CVE-2020-14422 at SUSECVE-2020-14422 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for LibVNCServer (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for LibVNCServer fixes the following issues:
- security update
fix CVE-2018-21247 [bsc#1173874], uninitialized memory contents are vulnerable to Information leak
fix CVE-2019-20839 [bsc#1173875], buffer overflow in ConnectClientToUnixSock()
fix CVE-2019-20840 [bsc#1173876], unaligned accesses in hybiReadAndDecode can lead to denial of service
fix CVE-2020-14398 [bsc#1173880], improperly closed TCP connection causes an infinite loop in libvncclient/sockets.c
fix CVE-2020-14397 [bsc#1173700], NULL pointer dereference in libvncserver/rfbregion.c
fix CVE-2020-14399 [bsc#1173743], Byte-aligned data is accessed through uint32_t pointers in libvncclient/rfbproto.c.
fix CVE-2020-14400 [bsc#1173691], Byte-aligned data is accessed through uint16_t pointers in libvncserver/translate.c.
fix CVE-2020-14401 [bsc#1173694], potential integer overflows in libvncserver/scale.c
fix CVE-2020-14402 [bsc#1173701], out-of-bounds access via encodings.
fix CVE-2020-14403 [bsc#1173701], out-of-bounds access via encodings.
fix CVE-2020-14404 [bsc#1173701], out-of-bounds access via encodings.
fix CVE-2017-18922 [bsc#1173477], preauth buffer overwrite
ImportantSUSE bug 1173477SUSE bug 1173691SUSE bug 1173694SUSE bug 1173700SUSE bug 1173701SUSE bug 1173743SUSE bug 1173874SUSE bug 1173875SUSE bug 1173876SUSE bug 1173880CVE-2017-18922 at SUSECVE-2017-18922 at NVDCVE-2018-21247 at SUSECVE-2018-21247 at NVDCVE-2019-20839 at SUSECVE-2019-20839 at NVDCVE-2019-20840 at SUSECVE-2019-20840 at NVDCVE-2020-14397 at SUSECVE-2020-14397 at NVDCVE-2020-14398 at SUSECVE-2020-14398 at NVDCVE-2020-14399 at SUSECVE-2020-14399 at NVDCVE-2020-14400 at SUSECVE-2020-14400 at NVDCVE-2020-14401 at SUSECVE-2020-14401 at NVDCVE-2020-14402 at SUSECVE-2020-14402 at NVDCVE-2020-14403 at SUSECVE-2020-14403 at NVDCVE-2020-14404 at SUSECVE-2020-14404 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for xen fixes the following issues:
- bsc#1174543 - secure boot related fixes
- bsc#1163019 - CVE-2020-8608: Potential OOB access due to unsafe snprintf() usages
ImportantSUSE bug 1163019SUSE bug 1174543CVE-2020-8608 at SUSECVE-2020-8608 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for dpdk (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for dpdk to version 16.11.9 following issue:
- CVE-2019-14818: Fixed a memory leak vulnerability caused by a malicious container may lead to to denial of service (bsc#1156146).
- CVE-2020-12693: Fixed an authentication bypass via an alternate path or channel (boo#1172004).
- rebuilt with new signing key. (bsc#1174543)
ModerateSUSE bug 1156146SUSE bug 1171477SUSE bug 1171930SUSE bug 1174543CVE-2019-14818 at SUSECVE-2019-14818 at NVDCVE-2020-10722 at SUSECVE-2020-10722 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libX11 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libX11 fixes the following issues:
- Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628).
ImportantSUSE bug 1174628CVE-2020-14344 at SUSECVE-2020-14344 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.28.4 (bsc#1174662):
+ Fix several crashes and rendering issues.
+ Security fixes: CVE-2020-9862, CVE-2020-9893, CVE-2020-9894,
CVE-2020-9895, CVE-2020-9915, CVE-2020-9925.
ImportantSUSE bug 1174662CVE-2020-9862 at SUSECVE-2020-9862 at NVDCVE-2020-9893 at SUSECVE-2020-9893 at NVDCVE-2020-9894 at SUSECVE-2020-9894 at NVDCVE-2020-9895 at SUSECVE-2020-9895 at NVDCVE-2020-9915 at SUSECVE-2020-9915 at NVDCVE-2020-9925 at SUSECVE-2020-9925 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for dovecot22 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for dovecot22 fixes the following issues:
- CVE-2020-12673: improper implementation of NTLM does not check message buffer size (bsc#1174922).
- CVE-2020-12674: improper implementation of RPA mechanism (bsc#1174923).
ImportantSUSE bug 1174922SUSE bug 1174923CVE-2020-12673 at SUSECVE-2020-12673 at NVDCVE-2020-12674 at SUSECVE-2020-12674 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for grub2 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for grub2 fixes the following issues:
- CVE-2020-15705: Fail kernel validation without shim protocol (bsc#1174421).
- Add fibre channel device's ofpath support to grub-ofpathname and search hint to speed up root device discovery (bsc#1172745).
ImportantSUSE bug 1172745SUSE bug 1174421CVE-2020-15705 at SUSECVE-2020-15705 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for samba (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for samba fixes the following issues:
- CVE-2019-14907: Fixed a Server-side crash after charset conversion failure during NTLMSSP processing (bsc#1160888).
ModerateSUSE bug 1160888CVE-2019-14907 at SUSECVE-2019-14907 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for xorg-x11-server (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for xorg-x11-server fixes the following issues:
- CVE-2020-14347: Leak of uninitialized heap memory from the X server to clients on pixmap allocation (bsc#1174633, ZDI-CAN-11426).
- CVE-2020-14346: XIChangeHierarchy Integer Underflow Privilege Escalation Vulnerability (bsc#1174638, ZDI-CAN-11429).
- CVE-2020-14345: XKB out-of-bounds access privilege escalation vulnerability (bsc#1174635, ZDI-CAN-11428).
ModerateSUSE bug 1174633SUSE bug 1174635SUSE bug 1174638CVE-2020-14345 at SUSECVE-2020-14345 at NVDCVE-2020-14346 at SUSECVE-2020-14346 at NVDCVE-2020-14347 at SUSECVE-2020-14347 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_8_0-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 6 [bsc#1158442, bsc#1154212]
* Security fixes:
CVE-2019-2933 CVE-2019-2945 CVE-2019-2958
CVE-2019-2962 CVE-2019-2964 CVE-2019-2975
CVE-2019-2978 CVE-2019-2983 CVE-2019-2988
CVE-2019-2989 CVE-2019-2992 CVE-2019-2996
CVE-2019-2999 CVE-2019-2973 CVE-2019-2981
CVE-2019-17631
ModerateSUSE bug 1154212SUSE bug 1158442CVE-2019-17631 at SUSECVE-2019-17631 at NVDCVE-2019-2933 at SUSECVE-2019-2933 at NVDCVE-2019-2945 at SUSECVE-2019-2945 at NVDCVE-2019-2958 at SUSECVE-2019-2958 at NVDCVE-2019-2962 at SUSECVE-2019-2962 at NVDCVE-2019-2964 at SUSECVE-2019-2964 at NVDCVE-2019-2973 at SUSECVE-2019-2973 at NVDCVE-2019-2975 at SUSECVE-2019-2975 at NVDCVE-2019-2978 at SUSECVE-2019-2978 at NVDCVE-2019-2981 at SUSECVE-2019-2981 at NVDCVE-2019-2983 at SUSECVE-2019-2983 at NVDCVE-2019-2988 at SUSECVE-2019-2988 at NVDCVE-2019-2989 at SUSECVE-2019-2989 at NVDCVE-2019-2992 at SUSECVE-2019-2992 at NVDCVE-2019-2996 at SUSECVE-2019-2996 at NVDCVE-2019-2999 at SUSECVE-2019-2999 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for xorg-x11-server fixes the following issues:
- CVE-2020-14361: Fix XkbSelectEvents() integer underflow (bsc#1174910 ZDI-CAN-11573).
- CVE-2020-14362: Fix XRecordRegisterClients() Integer underflow (bsc#1174913 ZDI-CAN-11574).
ImportantSUSE bug 1174910SUSE bug 1174913CVE-2020-14361 at SUSECVE-2020-14361 at NVDCVE-2020-14362 at SUSECVE-2020-14362 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for apache2 (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for apache2 fixes the following issues:
- CVE-2020-9490: Fixed a crash caused by a specially crafted value for the 'Cache-Digest' header in a HTTP/2 request (bsc#1175071).
- CVE-2020-11985: IP address spoofing when proxying using mod_remoteip and mod_rewrite (bsc#1175072).
- CVE-2020-11993: When trace/debug was enabled for the HTTP/2 module logging statements were made on the wrong connection (bsc#1175070).
ModerateSUSE bug 1175070SUSE bug 1175071SUSE bug 1175072CVE-2020-11985 at SUSECVE-2020-11985 at NVDCVE-2020-11993 at SUSECVE-2020-11993 at NVDCVE-2020-9490 at SUSECVE-2020-9490 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_8_0-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 6 Fix Pack 15 [bsc#1175259, bsc#1174157]
CVE-2020-14577 CVE-2020-14578 CVE-2020-14579 CVE-2020-14581
CVE-2020-14556 CVE-2020-14621 CVE-2020-14593 CVE-2020-14583
CVE-2019-17639
* Class Libraries:
- JAVA.UTIL.ZIP.DEFLATER OPERATIONS THROW JAVA.LANG.INTERNALERROR
- JAVA 8 DECODER OBJECTS CONSUME A LARGE AMOUNT OF JAVA HEAP
- TRANSLATION MESSAGES UPDATE FOR JCL
- UPDATE TIMEZONE INFORMATION TO TZDATA2020A
* Java Virtual Machine:
- IBM JAVA REGISTERS A HANDLER BY DEFAULT FOR SIGABRT
- LARGE MEMORY FOOTPRINT HELD BY TRACECONTEXT OBJECT
* JIT Compiler:
- CRASH IN THE INTERPRETER AFTER OSR FROM INLINED SYNCHRONIZED METHOD
IN DEBUGGING MODE
- INTERMITTENT ASSERTION FAILURE REPORTED
- CRASH IN RESOLVECLASSREF() DURING AOT LOAD
- JIT CRASH DURING CLASS UNLOADING IN J9METHOD_HT::ONCLASSUNLOADING()
- SEGMENTATION FAULT WHILE COMPILING A METHOD
- UNEXPECTED CLASSCASTEXCEPTION THROWN IN HIGH LEVEL PARALLEL
APPLICATION ON IBM Z PLATFORM
* Security:
- CERTIFICATEEXCEPTION OCCURS WHEN FILE.ENCODING PROPERTY SET TO
NON DEFAULT VALUE
- CHANGES TO IBMJCE AND IBMJCEPLUS PROVIDERS
- IBMJCEPLUS FAILS, WHEN THE SECURITY MANAGER IS ENABLED, WITH
DEFAULT PERMISSIONS, SPECIFIED IN JAVA.POLICY FILE
- IN CERTAIN INSTANCES, IBMJCEPLUS PROVIDER THROWS EXCEPTION FROM
KEYFACTORY CLASS
ModerateSUSE bug 1174157SUSE bug 1175259CVE-2019-17639 at SUSECVE-2019-17639 at NVDCVE-2020-14556 at SUSECVE-2020-14556 at NVDCVE-2020-14577 at SUSECVE-2020-14577 at NVDCVE-2020-14578 at SUSECVE-2020-14578 at NVDCVE-2020-14579 at SUSECVE-2020-14579 at NVDCVE-2020-14581 at SUSECVE-2020-14581 at NVDCVE-2020-14583 at SUSECVE-2020-14583 at NVDCVE-2020-14593 at SUSECVE-2020-14593 at NVDCVE-2020-14621 at SUSECVE-2020-14621 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for squid (Critical)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for squid fixes the following issues:
- CVE-2020-24606: Fix livelocking in peerDigestHandleReply (bsc#1175671).
- CVE-2020-15811: Improve Transfer-Encoding handling (bsc#1175665).
- CVE-2020-15810: Enforce token characters for field-name (bsc#1175664).
CriticalSUSE bug 1175664SUSE bug 1175665SUSE bug 1175671CVE-2020-15810 at SUSECVE-2020-15810 at NVDCVE-2020-15811 at SUSECVE-2020-15811 at NVDCVE-2020-24606 at SUSECVE-2020-24606 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libX11 (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libX11 fixes the following issues:
- CVE-2020-14363: Fix an integer overflow in init_om() (bsc#1175239).
ModerateSUSE bug 1175239CVE-2020-14363 at SUSECVE-2020-14363 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_7_1-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_7_1-ibm fixes the following issues:
- Update to Java 7.1 Service Refresh 4 Fix Pack 70 [bsc#1175259, bsc#1174157]
CVE-2020-14577 CVE-2020-14578 CVE-2020-14579 CVE-2020-14621
CVE-2020-14593 CVE-2020-14583 CVE-2019-17639
* Class Libraries:
- UPDATE TIMEZONE INFORMATION TO TZDATA2020A
* Security:
- CERTIFICATEEXCEPTION OCCURS WHEN FILE.ENCODING PROPERTY SET TO
NON DEFAULT VALUE
ModerateSUSE bug 1174157SUSE bug 1175259CVE-2019-17639 at SUSECVE-2019-17639 at NVDCVE-2020-14577 at SUSECVE-2020-14577 at NVDCVE-2020-14578 at SUSECVE-2020-14578 at NVDCVE-2020-14579 at SUSECVE-2020-14579 at NVDCVE-2020-14583 at SUSECVE-2020-14583 at NVDCVE-2020-14593 at SUSECVE-2020-14593 at NVDCVE-2020-14621 at SUSECVE-2020-14621 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 28 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_103 fixes several issues.
The following security issues were fixed:
- CVE-2020-14331: Fixed a buffer over-write in vgacon_scroll (bsc#1174247).
- CVE-2019-0155: Fixed a privilege escalation in the i915 graphics driver (bsc#1173663).
- CVE-2019-16746: Fixed a buffer overflow in net/wireless/nl80211.c (bsc#1173659).
- CVE-2019-9458: Fixed a use-after-free in media/v4l (bsc#1173963).
- CVE-2020-11668: Fixed a memory corruption issue in the Xirlink camera USB driver (bsc#1173942).
- CVE-2019-19447: Fixed a use-after-free in ext4_put_super (bsc#1173869).
- CVE-2019-18680: Fixed a NULL pointer dereference in rds_tcp_kill_sock() in net/rds/tcp.c (bsc#1173867).
- CVE-2019-14816: Fixed a heap-based buffer overflow in the Marvell WiFi driver (bsc#1173666).
- CVE-2019-14814: Fixed a heap-based buffer overflow in the Marvell WiFi driver (bsc#1173664).
- CVE-2019-14815: Fixed a heap-based buffer overflow in the Marvell WiFi driver (bsc#1173665).
- CVE-2019-14901: Fixed a heap overflow in the Marvell WiFi driver (bsc#1173661).
- CVE-2019-14895: Fixed a heap-based buffer overflow in the Marvell WiFi driver (bsc#1173100).
ImportantSUSE bug 1173100SUSE bug 1173659SUSE bug 1173661SUSE bug 1173663SUSE bug 1173664SUSE bug 1173665SUSE bug 1173666SUSE bug 1173867SUSE bug 1173869SUSE bug 1173942SUSE bug 1173963SUSE bug 1174247CVE-2019-0155 at SUSECVE-2019-0155 at NVDCVE-2019-14814 at SUSECVE-2019-14814 at NVDCVE-2019-14815 at SUSECVE-2019-14815 at NVDCVE-2019-14816 at SUSECVE-2019-14816 at NVDCVE-2019-14895 at SUSECVE-2019-14895 at NVDCVE-2019-14901 at SUSECVE-2019-14901 at NVDCVE-2019-16746 at SUSECVE-2019-16746 at NVDCVE-2019-18680 at SUSECVE-2019-18680 at NVDCVE-2019-19447 at SUSECVE-2019-19447 at NVDCVE-2019-9458 at SUSECVE-2019-9458 at NVDCVE-2020-11668 at SUSECVE-2020-11668 at NVDCVE-2020-14331 at SUSECVE-2020-14331 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_107 fixes several issues.
The following security issues were fixed:
- CVE-2020-14331: Fixed a buffer over-write in vgacon_scroll (bsc#1174247).
- CVE-2019-0155: Fixed a privilege escalation in the i915 graphics driver (bsc#1173663).
- CVE-2019-16746: Fixed a buffer overflow in net/wireless/nl80211.c (bsc#1173659).
- CVE-2019-9458: Fixed a use-after-free in media/v4l (bsc#1173963).
- CVE-2020-11668: Fixed a memory corruption issue in the Xirlink camera USB driver (bsc#1173942).
- CVE-2019-19447: Fixed a use-after-free in ext4_put_super (bsc#1173869).
- CVE-2019-18680: Fixed a NULL pointer dereference in rds_tcp_kill_sock() in net/rds/tcp.c (bsc#1173867).
- CVE-2019-14901: Fixed a heap overflow in the Marvell WiFi driver (bsc#1173661).
- CVE-2019-14895: Fixed a heap-based buffer overflow in the Marvell WiFi driver (bsc#1173100).
ImportantSUSE bug 1173100SUSE bug 1173659SUSE bug 1173661SUSE bug 1173663SUSE bug 1173867SUSE bug 1173869SUSE bug 1173942SUSE bug 1173963SUSE bug 1174247CVE-2019-0155 at SUSECVE-2019-0155 at NVDCVE-2019-14895 at SUSECVE-2019-14895 at NVDCVE-2019-14901 at SUSECVE-2019-14901 at NVDCVE-2019-16746 at SUSECVE-2019-16746 at NVDCVE-2019-18680 at SUSECVE-2019-18680 at NVDCVE-2019-19447 at SUSECVE-2019-19447 at NVDCVE-2019-9458 at SUSECVE-2019-9458 at NVDCVE-2020-11668 at SUSECVE-2020-11668 at NVDCVE-2020-14331 at SUSECVE-2020-14331 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_113 fixes several issues.
The following security issues were fixed:
- CVE-2020-14331: Fixed a buffer over-write in vgacon_scroll (bsc#1174247).
- CVE-2019-16746: Fixed a buffer overflow in net/wireless/nl80211.c (bsc#1173659).
- CVE-2019-9458: Fixed a use-after-free in media/v4l (bsc#1173963).
- CVE-2020-11668: Fixed a memory corruption issue in the Xirlink camera USB driver (bsc#1173942).
- CVE-2019-19447: Fixed a use-after-free in ext4_put_super (bsc#1173869).
- CVE-2019-14895: Fixed a heap-based buffer overflow in the Marvell WiFi driver (bsc#1173100).
ImportantSUSE bug 1173100SUSE bug 1173659SUSE bug 1173869SUSE bug 1173942SUSE bug 1173963SUSE bug 1174247CVE-2019-14895 at SUSECVE-2019-14895 at NVDCVE-2019-16746 at SUSECVE-2019-16746 at NVDCVE-2019-19447 at SUSECVE-2019-19447 at NVDCVE-2019-9458 at SUSECVE-2019-9458 at NVDCVE-2020-11668 at SUSECVE-2020-11668 at NVDCVE-2020-14331 at SUSECVE-2020-14331 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_116 fixes several issues.
The following security issues were fixed:
- CVE-2020-14331: Fixed a buffer over-write in vgacon_scroll (bsc#1174247).
- CVE-2019-16746: Fixed a buffer overflow in net/wireless/nl80211.c (bsc#1173659).
- CVE-2020-11668: Fixed a memory corruption issue in the Xirlink camera USB driver (bsc#1173942).
ImportantSUSE bug 1173659SUSE bug 1173942SUSE bug 1174247CVE-2019-16746 at SUSECVE-2019-16746 at NVDCVE-2020-11668 at SUSECVE-2020-11668 at NVDCVE-2020-14331 at SUSECVE-2020-14331 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_121 fixes several issues.
The following security issues were fixed:
- CVE-2020-14331: Fixed a buffer over-write in vgacon_scroll (bsc#1174247).
- CVE-2019-16746: Fixed a buffer overflow in net/wireless/nl80211.c (bsc#1173659).
- CVE-2020-11668: Fixed a memory corruption issue in the Xirlink camera USB driver (bsc#1173942).
- CVE-2020-1749: Fixed a flaw in IPsec where some IPv6 protocols were not encrypted (bsc#1165631).
ImportantSUSE bug 1165631SUSE bug 1173659SUSE bug 1173942SUSE bug 1174247CVE-2019-16746 at SUSECVE-2019-16746 at NVDCVE-2020-11668 at SUSECVE-2020-11668 at NVDCVE-2020-14331 at SUSECVE-2020-14331 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_124 fixes several issues.
The following security issues were fixed:
- CVE-2020-14331: Fixed a buffer over-write in vgacon_scroll (bsc#1174247).
- CVE-2019-16746: Fixed a buffer overflow in net/wireless/nl80211.c (bsc#1173659).
- CVE-2020-11668: Fixed a memory corruption issue in the Xirlink camera USB driver (bsc#1173942).
- CVE-2020-1749: Fixed a flaw in IPsec where some IPv6 protocols were not encrypted (bsc#1165631).
ImportantSUSE bug 1165631SUSE bug 1173659SUSE bug 1173942SUSE bug 1174247CVE-2019-16746 at SUSECVE-2019-16746 at NVDCVE-2020-11668 at SUSECVE-2020-11668 at NVDCVE-2020-14331 at SUSECVE-2020-14331 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_127 fixes several issues.
The following security issues were fixed:
- CVE-2020-14331: Fixed a buffer over-write in vgacon_scroll (bsc#1174247).
- CVE-2019-16746: Fixed a buffer overflow in net/wireless/nl80211.c (bsc#1173659).
- CVE-2020-11668: Fixed a memory corruption issue in the Xirlink camera USB driver (bsc#1173942).
- CVE-2020-1749: Fixed a flaw in IPsec where some IPv6 protocols were not encrypted (bsc#1165631).
ImportantSUSE bug 1165631SUSE bug 1173659SUSE bug 1173942SUSE bug 1174247CVE-2019-16746 at SUSECVE-2019-16746 at NVDCVE-2020-11668 at SUSECVE-2020-11668 at NVDCVE-2020-14331 at SUSECVE-2020-14331 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.2.0 ESR
* Fixed: Various stability, functionality, and security fixes
- Mozilla Firefox ESR 78.2
MFSA 2020-38 (bsc#1175686)
* CVE-2020-15663 (bmo#1643199)
Downgrade attack on the Mozilla Maintenance Service could
have resulted in escalation of privilege
* CVE-2020-15664 (bmo#1658214)
Attacker-induced prompt for extension installation
* CVE-2020-15670 (bmo#1651001, bmo#1651449, bmo#1653626,
bmo#1656957)
Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2
- Fixed Firefox tab crash in FIPS mode (bsc#1174284).
- Fix broken translation-loading. (bsc#1173991)
* allow addon sideloading
* mark signatures for langpacks non-mandatory
* do not autodisable user profile scopes
- Google API key is not usable for geolocation service any more
ModerateSUSE bug 1173991SUSE bug 1174284SUSE bug 1175686CVE-2020-15663 at SUSECVE-2020-15663 at NVDCVE-2020-15664 at SUSECVE-2020-15664 at NVDCVE-2020-15670 at SUSECVE-2020-15670 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-14314: Fixed a potential negative array index in do_split() (bsc#1173798).
- CVE-2020-14331: Fixed a missing check in vgacon scrollback handling (bsc#1174205).
- CVE-2020-16166: Fixed a potential issue which could have allowed remote attackers to make observations that help to obtain sensitive information about the internal state of the network RNG (bsc#1174757).
- CVE-2019-16746: Fixed an improper check of the length of variable elements in a beacon head, leading to a buffer overflow (bsc#1152107).
- CVE-2020-14386: Fixed a potential local privilege escalation via memory corruption (bsc#1176069).
The following non-security bugs were fixed:
- bonding: fix active-backup failover for current ARP slave (bsc#1174771).
- Drivers: hv: vmbus: Only notify Hyper-V for die events that are oops (bsc#1175127).
- ibmvnic: Fix IRQ mapping disposal in error path (bsc#1175112 ltc#187459).
- mm, vmstat: reduce zone->lock holding time by /proc/pagetypeinfo (bsc#1175691).
- ocfs2: add trimfs dlm lock resource (bsc#1175228).
- ocfs2: add trimfs lock to avoid duplicated trims in cluster (bsc#1175228).
- ocfs2: fix the application IO timeout when fstrim is running (bsc#1175228).
ImportantSUSE bug 1152107SUSE bug 1173798SUSE bug 1174205SUSE bug 1174757SUSE bug 1174771SUSE bug 1175112SUSE bug 1175127SUSE bug 1175228SUSE bug 1175691SUSE bug 1176069CVE-2019-16746 at SUSECVE-2019-16746 at NVDCVE-2020-14314 at SUSECVE-2020-14314 at NVDCVE-2020-14331 at SUSECVE-2020-14331 at NVDCVE-2020-14386 at SUSECVE-2020-14386 at NVDCVE-2020-16166 at SUSECVE-2020-16166 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_8_0-openjdk fixes the following issues:
Update java-1_8_0-openjdk to version jdk8u242 (icedtea 3.15.0) (January 2020 CPU, bsc#1160968):
- CVE-2020-2583: Unlink Set of LinkedHashSets
- CVE-2020-2590: Improve Kerberos interop capabilities
- CVE-2020-2593: Normalize normalization for all
- CVE-2020-2601: Better Ticket Granting Services
- CVE-2020-2604: Better serial filter handling
- CVE-2020-2659: Enhance datagram socket support
- CVE-2020-2654: Improve Object Identifier Processing
ImportantSUSE bug 1160968CVE-2020-2583 at SUSECVE-2020-2583 at NVDCVE-2020-2590 at SUSECVE-2020-2590 at NVDCVE-2020-2593 at SUSECVE-2020-2593 at NVDCVE-2020-2601 at SUSECVE-2020-2601 at NVDCVE-2020-2604 at SUSECVE-2020-2604 at NVDCVE-2020-2654 at SUSECVE-2020-2654 at NVDCVE-2020-2659 at SUSECVE-2020-2659 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for tomcat (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for tomcat fixes the following issues:
- CVE-2020-1935: Fixed an HTTP request smuggling vulnerability (bsc#1164860).
- CVE-2020-13935: Fixed a WebSocket DoS (bsc#1174117).
ModerateSUSE bug 1164860SUSE bug 1174117CVE-2020-13935 at SUSECVE-2020-13935 at NVDCVE-2020-1935 at SUSECVE-2020-1935 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for shim (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for shim fixes the following issues:
- Update to the unified shim binary from SUSE Linux Enterprise 15-SP1 (bsc#1168994)
This update addresses the 'BootHole' security issue (master CVE CVE-2020-10713), by
disallowing binaries signed by the previous SUSE UEFI signing key from booting.
This update should only be installed after updates of grub2, the Linux kernel and (if used)
Xen from July / August 2020 are applied.
Additional fixes:
+ shim-install: install MokManager to \EFI\boot to process the pending MOK request (bsc#1175626, bsc#1175656)
ModerateSUSE bug 1168994SUSE bug 1175626SUSE bug 1175656CVE-2020-10713 at SUSECVE-2020-10713 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libsolv (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libsolv fixes the following issues:
This is a reissue of an existing libsolv update that also included libsolv-devel for LTSS products.
libsolv was updated to version 0.6.36 fixes the following issues:
Security issues fixed:
- CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
- CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
- CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).
Non-security issues fixed:
- Made cleandeps jobs on patterns work (bsc#1137977).
- Fixed an issue multiversion packages that obsolete their own name (bsc#1127155).
- Keep consistent package name if there are multiple alternatives (bsc#1131823).
ModerateSUSE bug 1120629SUSE bug 1120630SUSE bug 1120631SUSE bug 1127155SUSE bug 1131823SUSE bug 1137977CVE-2018-20532 at SUSECVE-2018-20532 at NVDCVE-2018-20533 at SUSECVE-2018-20533 at NVDCVE-2018-20534 at SUSECVE-2018-20534 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for perl-DBI (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for perl-DBI fixes the following issues:
Security issues fixed:
- CVE-2020-14392: Memory corruption in XS functions when Perl stack is reallocated (bsc#1176412).
- CVE-2020-14393: Fixed a buffer overflow on an overlong DBD class name (bsc#1176409).
ImportantSUSE bug 1176409SUSE bug 1176412CVE-2020-14392 at SUSECVE-2020-14392 at NVDCVE-2020-14393 at SUSECVE-2020-14393 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for python3 fixes the following issues:
- CVE-2019-20907: Fixed denial of service by avoiding possible infinite loop in specifically crafted tarball (bsc#1174091).
- CVE-2020-14422: Fixed an improper computation of hash values in the IPv4Interface and IPv6Interface
could have led to denial of service (bsc#1173274).
- CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238).
- CVE-2019-9947: Fixed an issue in urllib2 which allowed CRLF injection if the attacker controls a url parameter (bsc#1130840).
- If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423).
ImportantSUSE bug 1088004SUSE bug 1088009SUSE bug 1130840SUSE bug 1141853SUSE bug 1149955SUSE bug 1153238SUSE bug 1162423SUSE bug 1173274SUSE bug 1174091SUSE bug 1174701CVE-2018-14647 at SUSECVE-2018-14647 at NVDCVE-2018-20852 at SUSECVE-2018-20852 at NVDCVE-2019-16056 at SUSECVE-2019-16056 at NVDCVE-2019-16935 at SUSECVE-2019-16935 at NVDCVE-2019-20907 at SUSECVE-2019-20907 at NVDCVE-2019-9947 at SUSECVE-2019-9947 at NVDCVE-2020-14422 at SUSECVE-2020-14422 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for samba (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for samba fixes the following issues:
- ZeroLogon: An elevation of privilege was possible with some configurations when an attacker established
a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC)
(CVE-2020-1472, bsc#1176579).
- Fixed an issue where multiple home folders were created(bsc#1174316, bso#13369).
- Fixed an issue where the net command was unable to negotiate SMB2 (bsc#1174120);
ImportantSUSE bug 1174120SUSE bug 1174316SUSE bug 1176579CVE-2020-1472 at SUSECVE-2020-1472 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libqt5-qtbase (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libqt5-qtbase fixes the following issues:
- CVE-2020-17507: Fixed a buffer overflow in XBM parser (bsc#1176315)
- Made handling of XDG_RUNTIME_DIR more secure (bsc#1172515)
ImportantSUSE bug 1172515SUSE bug 1176315CVE-2020-17507 at SUSECVE-2020-17507 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
-Firefox was updated to 78.3.0 ESR (bsc#1176756, MFSA 2020-43)
- CVE-2020-15677: Download origin spoofing via redirect
- CVE-2020-15676: Fixed an XSS when pasting attacker-controlled data into a
contenteditable element
- CVE-2020-15678: When recursing through layers while scrolling, an iterator
may have become invalid, resulting in a potential use-after-free scenario
- CVE-2020-15673: Fixed memory safety bugs
- Enhance fix for wayland-detection (bsc#1174420)
- Attempt to fix langpack-parallelization by introducing separate
obj-dirs for each lang (bsc#1173986, bsc#1167976)
ImportantSUSE bug 1167976SUSE bug 1173986SUSE bug 1174420SUSE bug 1176756CVE-2020-15673 at SUSECVE-2020-15673 at NVDCVE-2020-15676 at SUSECVE-2020-15676 at NVDCVE-2020-15677 at SUSECVE-2020-15677 at NVDCVE-2020-15678 at SUSECVE-2020-15678 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for xen fixes the following issues:
- CVE-2020-25604: Fixed a race condition when migrating timers between x86
HVM vCPU-s (bsc#1176343,XSA-336)
- CVE-2020-25595: Fixed an issue where PCI passthrough code was reading back hardware registers (bsc#1176344,XSA-337)
- CVE-2020-25597: Fixed an issue where a valid event channels may not turn invalid (bsc#1176346,XSA-338)
- CVE-2020-25596: Fixed a potential denial of service in x86 pv guest kernel via SYSENTER (bsc#1176345,XSA-339)
- CVE-2020-25603: Fixed an issue due to missing barriers when accessing/allocating an event channel (bsc#1176347,XSA-340)
- CVE-2020-25600: Fixed out of bounds event channels available to 32-bit x86 domains (bsc#1176348,XSA-342)
- CVE-2020-25599: Fixed race conditions with evtchn_reset() (bsc#1176349,XSA-343)
- CVE-2020-25601: Fixed an issue due to lack of preemption in evtchn_reset() / evtchn_destroy() (bsc#1176350,XSA-344)
- CVE-2020-14364: Fixed an out-of-bounds read/write access while processing usb packets (bsc#1175534).
- Various bug fixes (bsc#1027519)
ImportantSUSE bug 1175534SUSE bug 1176343SUSE bug 1176344SUSE bug 1176345SUSE bug 1176346SUSE bug 1176347SUSE bug 1176348SUSE bug 1176349SUSE bug 1176350CVE-2020-14364 at SUSECVE-2020-14364 at NVDCVE-2020-25595 at SUSECVE-2020-25595 at NVDCVE-2020-25596 at SUSECVE-2020-25596 at NVDCVE-2020-25597 at SUSECVE-2020-25597 at NVDCVE-2020-25599 at SUSECVE-2020-25599 at NVDCVE-2020-25600 at SUSECVE-2020-25600 at NVDCVE-2020-25601 at SUSECVE-2020-25601 at NVDCVE-2020-25603 at SUSECVE-2020-25603 at NVDCVE-2020-25604 at SUSECVE-2020-25604 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for perl-DBI (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for perl-DBI fixes the following issues:
- CVE-2019-20919: Fixed a NULL profile dereference in dbi_profile (bsc#1176764).
- CVE-2013-7490: Fixed memory corruption when using many arguments
to methods for CallbacksUsing (bsc#1176496).
ImportantSUSE bug 1176496SUSE bug 1176764CVE-2013-7490 at SUSECVE-2013-7490 at NVDCVE-2019-20919 at SUSECVE-2019-20919 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_7_0-openjdk fixes the following issues:
- java-1_7_0-openjdk was updated to 2.6.23 (July 2020 CPU, bsc#1174157)
- JDK-8028431, CVE-2020-14579: NullPointerException in
- DerValue.equals(DerValue)
- JDK-8028591, CVE-2020-14578: NegativeArraySizeException in
- sun.security.util.DerInputStream.getUnalignedBitString()
- JDK-8230613: Better ASCII conversions
- JDK-8231800: Better listing of arrays
- JDK-8232014: Expand DTD support
- JDK-8233255: Better Swing Buttons
- JDK-8234032: Improve basic calendar services
- JDK-8234042: Better factory production of certificates
- JDK-8234418: Better parsing with CertificateFactory
- JDK-8234836: Improve serialization handling
- JDK-8236191: Enhance OID processing
- JDK-8237592, CVE-2020-14577: Enhance certificate verification
- JDK-8238002, CVE-2020-14581: Better matrix operations
- JDK-8238804: Enhance key handling process
- JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable
- JDK-8238843: Enhanced font handing
- JDK-8238920, CVE-2020-14583: Better Buffer support
- JDK-8238925: Enhance WAV file playback
- JDK-8240119, CVE-2020-14593: Less Affine Transformations
- JDK-8240482: Improved WAV file playback
- JDK-8241379: Update JCEKS support
- JDK-8241522: Manifest improved jar headers redux
- JDK-8242136, CVE-2020-14621: Better XML namespace handling
- JDK-8040113: File not initialized in src/share/native/sun/awt/giflib/dgif_lib.c
- JDK-8054446: Repeated offer and remove on ConcurrentLinkedQueue lead to an OutOfMemoryError
- JDK-8077982: GIFLIB upgrade
- JDK-8081315: 8077982 giflib upgrade breaks system giflib builds with earlier versions
- JDK-8147087: Race when reusing PerRegionTable bitmaps may result in dropped remembered set entries
- JDK-8151582: (ch) test java/nio/channels/AsyncCloseAndInterrupt.java failing due to 'Connection succeeded'
- JDK-8155691: Update GIFlib library to the latest up-to-date
- JDK-8181841: A TSA server returns timestamp with precision higher than milliseconds
- JDK-8203190: SessionId.hashCode generates too many collisions
- JDK-8217676: Upgrade libpng to 1.6.37
- JDK-8220495: Update GIFlib library to the 5.1.8
- JDK-8226892: ActionListeners on JRadioButtons don't get notified when selection is changed with arrow keys
- JDK-8229899: Make java.io.File.isInvalid() less racy
- JDK-8230597: Update GIFlib library to the 5.2.1
- JDK-8230769: BufImg_SetupICM add ReleasePrimitiveArrayCritical call in early return
- JDK-8243541: (tz) Upgrade time-zone data to tzdata2020a
- JDK-8244548: JDK 8u: sun.misc.Version.jdkUpdateVersion() returns wrong result
ImportantSUSE bug 1174157CVE-2020-14577 at SUSECVE-2020-14577 at NVDCVE-2020-14578 at SUSECVE-2020-14578 at NVDCVE-2020-14579 at SUSECVE-2020-14579 at NVDCVE-2020-14581 at SUSECVE-2020-14581 at NVDCVE-2020-14583 at SUSECVE-2020-14583 at NVDCVE-2020-14593 at SUSECVE-2020-14593 at NVDCVE-2020-14621 at SUSECVE-2020-14621 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for tigervnc (Critical)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for tigervnc fixes the following issues:
- CVE-2020-26117: Server certificates were stored as certiticate
authorities, allowing malicious owners of these certificates
to impersonate any server after a client had added an exception
(bsc#1176733).
CriticalSUSE bug 1176733CVE-2020-26117 at SUSECVE-2020-26117 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libproxy (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libproxy fixes the following issues:
- CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
- CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).
ImportantSUSE bug 1176410SUSE bug 1177143CVE-2020-25219 at SUSECVE-2020-25219 at NVDCVE-2020-26154 at SUSECVE-2020-26154 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for freetype2 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for freetype2 fixes the following issues:
- CVE-2020-15999: fixed a heap buffer overflow found in the handling of embedded PNG bitmaps (bsc#1177914).
ImportantSUSE bug 1177914CVE-2020-15999 at SUSECVE-2020-15999 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for glibc (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for glibc fixes the following issues:
- CVE-2020-10029: Fixed a stack corruption from range reduction of pseudo-zero (bsc#1165784)
- Use posix_spawn on popen (bsc#1149332, bsc#1176013)
- Correct locking and cancellation cleanup in syslog functions (bsc#1172085)
- Fixed concurrent changes on nscd aware files (bsc#1171878)
ModerateSUSE bug 1149332SUSE bug 1165784SUSE bug 1171878SUSE bug 1172085SUSE bug 1176013CVE-2020-10029 at SUSECVE-2020-10029 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.4.0 ESR
* Fixed: Various stability, functionality, and security fixes MFSA 2020-46 (bsc#1177872, bsc#1176756)
* CVE-2020-15969 Use-after-free in usersctp
* CVE-2020-15683 Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4
* Fixed: Fixed legacy preferences not being properly applied when set via GPO
ImportantSUSE bug 1176756SUSE bug 1177872CVE-2020-15683 at SUSECVE-2020-15683 at NVDCVE-2020-15969 at SUSECVE-2020-15969 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for spice (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for spice fixes the following issues:
- CVE-2020-14355: Fixed multiple buffer overflow vulnerabilities in QUIC image decoding (bsc#1177158).
ModerateSUSE bug 1177158CVE-2020-14355 at SUSECVE-2020-14355 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for spice-gtk (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for spice-gtk fixes the following issues:
- CVE-2020-14355: Fixed multiple buffer overflow vulnerabilities in QUIC image decoding (bsc#1177158).
ModerateSUSE bug 1177158CVE-2020-14355 at SUSECVE-2020-14355 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for samba (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for samba fixes the following issues:
- CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records (bsc#1177613).
- CVE-2020-14323: Unprivileged user can crash winbind (bsc#1173994).
- CVE-2020-14318: Missing permissions check in SMB1/2/3 ChangeNotify (bsc#1173902).
ImportantSUSE bug 1173902SUSE bug 1173994SUSE bug 1177613CVE-2020-14318 at SUSECVE-2020-14318 at NVDCVE-2020-14323 at SUSECVE-2020-14323 at NVDCVE-2020-14383 at SUSECVE-2020-14383 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libvirt (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libvirt fixes the following issues:
CVE-2020-15708: Added a note to libvirtd.conf about polkit auth in SUSE distros (bsc#1174955).
CVE-2020-25637: Fixed a double free in qemuAgentGetInterfaces() (bsc#1177155).
ImportantSUSE bug 1174955SUSE bug 1177155CVE-2020-15708 at SUSECVE-2020-15708 at NVDCVE-2020-25637 at SUSECVE-2020-25637 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for sane-backends (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for sane-backends fixes the following issues:
- sane-backends version upgrade to 1.0.31:
* sane-backends version upgrade to 1.0.30
fixes memory corruption bugs CVE-2020-12861, CVE-2020-12862,
CVE-2020-12863, CVE-2020-12864, CVE-2020-12865,
CVE-2020-12866, CVE-2020-12867 (bsc#1172524)
* sane-backends version upgrade to 1.0.31
to further improve hardware enablement for scanner devices
(jsc#SLE-15561 and jsc#SLE-15560 with jsc#ECO-2418)
* The new escl backend cannot be provided for SLE12 because
it requires more additional software (avahi-client, libcurl,
and libpoppler-glib-devel) where in particular for libcurl
the one that is in SLE12 (via libcurl-devel-7.37.0) is likely
too old because with that building the escl backend fails with
'escl/escl.c:1267:34: error: 'CURLOPT_UNIX_SOCKET_PATH'
undeclared curl_easy_setopt(handle, CURLOPT_UNIX_SOCKET_PATH'
ImportantSUSE bug 1172524CVE-2017-6318 at SUSECVE-2017-6318 at NVDCVE-2020-12861 at SUSECVE-2020-12861 at NVDCVE-2020-12862 at SUSECVE-2020-12862 at NVDCVE-2020-12863 at SUSECVE-2020-12863 at NVDCVE-2020-12864 at SUSECVE-2020-12864 at NVDCVE-2020-12865 at SUSECVE-2020-12865 at NVDCVE-2020-12866 at SUSECVE-2020-12866 at NVDCVE-2020-12867 at SUSECVE-2020-12867 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for apache-commons-httpclient (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for apache-commons-httpclient fixes the following issues:
- http/conn/ssl/SSLConnectionSocketFactory.java ignores the
http.socket.timeout configuration setting during an SSL handshake,
which allows remote attackers to cause a denial of service (HTTPS
call hang) via unspecified vectors. [bsc#945190, CVE-2015-5262]
- org.apache.http.conn.ssl.AbstractVerifier does not properly
verify that the server hostname matches a domain name in the
subject's Common Name (CN) or subjectAltName field of the X.509
certificate, which allows MITM attackers to spoof SSL servers
via a 'CN=' string in a field in the distinguished name (DN)
of a certificate. [bsc#1178171, CVE-2014-3577]
ImportantSUSE bug 1178171SUSE bug 945190CVE-2014-3577 at SUSECVE-2014-3577 at NVDCVE-2015-5262 at SUSECVE-2015-5262 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_8_0-openjdk fixes the following issues:
- Fix regression '8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)',
introduced in October 2020 CPU.
- Update to version jdk8u272 (icedtea 3.17.0) (July 2020 CPU,
bsc#1174157, and October 2020 CPU, bsc#1177943)
* New features
+ JDK-8245468: Add TLSv1.3 implementation classes from 11.0.7
+ PR3796: Allow the number of curves supported to be specified
* Security fixes
+ JDK-8028431, CVE-2020-14579: NullPointerException in
DerValue.equals(DerValue)
+ JDK-8028591, CVE-2020-14578: NegativeArraySizeException in
sun.security.util.DerInputStream.getUnalignedBitString()
+ JDK-8230613: Better ASCII conversions
+ JDK-8231800: Better listing of arrays
+ JDK-8232014: Expand DTD support
+ JDK-8233255: Better Swing Buttons
+ JDK-8233624: Enhance JNI linkage
+ JDK-8234032: Improve basic calendar services
+ JDK-8234042: Better factory production of certificates
+ JDK-8234418: Better parsing with CertificateFactory
+ JDK-8234836: Improve serialization handling
+ JDK-8236191: Enhance OID processing
+ JDK-8236196: Improve string pooling
+ JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
+ JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior
+ JDK-8237592, CVE-2020-14577: Enhance certificate verification
+ JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
+ JDK-8237995, CVE-2020-14782: Enhance certificate processing
+ JDK-8238002, CVE-2020-14581: Better matrix operations
+ JDK-8238804: Enhance key handling process
+ JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable
+ JDK-8238843: Enhanced font handing
+ JDK-8238920, CVE-2020-14583: Better Buffer support
+ JDK-8238925: Enhance WAV file playback
+ JDK-8240119, CVE-2020-14593: Less Affine Transformations
+ JDK-8240124: Better VM Interning
+ JDK-8240482: Improved WAV file playback
+ JDK-8241114, CVE-2020-14792: Better range handling
+ JDK-8241379: Update JCEKS support
+ JDK-8241522: Manifest improved jar headers redux
+ JDK-8242136, CVE-2020-14621: Better XML namespace handling
+ JDK-8242680, CVE-2020-14796: Improved URI Support
+ JDK-8242685, CVE-2020-14797: Better Path Validation
+ JDK-8242695, CVE-2020-14798: Enhanced buffer support
+ JDK-8243302: Advanced class supports
+ JDK-8244136, CVE-2020-14803: Improved Buffer supports
+ JDK-8244479: Further constrain certificates
+ JDK-8244955: Additional Fix for JDK-8240124
+ JDK-8245407: Enhance zoning of times
+ JDK-8245412: Better class definitions
+ JDK-8245417: Improve certificate chain handling
+ JDK-8248574: Improve jpeg processing
+ JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
+ JDK-8253019: Enhanced JPEG decoding
* Import of OpenJDK 8 u262 build 01
+ JDK-4949105: Access Bridge lacks html tags parsing
+ JDK-8003209: JFR events for network utilization
+ JDK-8030680: 292 cleanup from default method code assessment
+ JDK-8035633: TEST_BUG: java/net/NetworkInterface/Equals.java
and some tests failed on windows intermittently
+ JDK-8041626: Shutdown tracing event
+ JDK-8141056: Erroneous assignment in HeapRegionSet.cpp
+ JDK-8149338: JVM Crash caused by Marlin renderer not handling
NaN coordinates
+ JDK-8151582: (ch) test java/nio/channels/
/AsyncCloseAndInterrupt.java failing due to 'Connection
succeeded'
+ JDK-8165675: Trace event for thread park has incorrect unit
for timeout
+ JDK-8176182: 4 security tests are not run
+ JDK-8178910: Problemlist sample tests
+ JDK-8183925: Decouple crash protection from watcher thread
+ JDK-8191393: Random crashes during cfree+0x1c
+ JDK-8195817: JFR.stop should require name of recording
+ JDK-8195818: JFR.start should increase autogenerated name by
one
+ JDK-8195819: Remove recording=x from jcmd JFR.check output
+ JDK-8199712: Flight Recorder
+ JDK-8202578: Revisit location for class unload events
+ JDK-8202835: jfr/event/os/TestSystemProcess.java fails on
missing events
+ JDK-8203287: Zero fails to build after JDK-8199712 (Flight
Recorder)
+ JDK-8203346: JFR: Inconsistent signature of
jfr_add_string_constant
+ JDK-8203664: JFR start failure after AppCDS archive created
with JFR StartFlightRecording
+ JDK-8203921: JFR thread sampling is missing fixes from
JDK-8194552
+ JDK-8203929: Limit amount of data for JFR.dump
+ JDK-8205516: JFR tool
+ JDK-8207392: [PPC64] Implement JFR profiling
+ JDK-8207829: FlightRecorderMXBeanImpl is leaking the first
classloader which calls it
+ JDK-8209960: -Xlog:jfr* doesn't work with the JFR
+ JDK-8210024: JFR calls virtual is_Java_thread from ~Thread()
+ JDK-8210776: Upgrade X Window System 6.8.2 to the latest XWD
1.0.7
+ JDK-8211239: Build fails without JFR: empty JFR events
signatures mismatch
+ JDK-8212232: Wrong metadata for the configuration of the
cutoff for old object sample events
+ JDK-8213015: Inconsistent settings between JFR.configure and
-XX:FlightRecorderOptions
+ JDK-8213421: Line number information for execution samples
always 0
+ JDK-8213617: JFR should record the PID of the recorded process
+ JDK-8213734: SAXParser.parse(File, ..) does not close
resources when Exception occurs.
+ JDK-8213914: [TESTBUG] Several JFR VM events are not covered
by tests
+ JDK-8213917: [TESTBUG] Shutdown JFR event is not covered by
test
+ JDK-8213966: The ZGC JFR events should be marked as
experimental
+ JDK-8214542: JFR: Old Object Sample event slow on a deep heap
in debug builds
+ JDK-8214750: Unnecessary <p> tags in jfr classes
+ JDK-8214896: JFR Tool left files behind
+ JDK-8214906: [TESTBUG] jfr/event/sampling/TestNative.java
fails with UnsatisfiedLinkError
+ JDK-8214925: JFR tool fails to execute
+ JDK-8215175: Inconsistencies in JFR event metadata
+ JDK-8215237: jdk.jfr.Recording javadoc does not compile
+ JDK-8215284: Reduce noise induced by periodic task
getFileSize()
+ JDK-8215355: Object monitor deadlock with no threads holding
the monitor (using jemalloc 5.1)
+ JDK-8215362: JFR GTest JfrTestNetworkUtilization fails
+ JDK-8215771: The jfr tool should pretty print reference chains
+ JDK-8216064: -XX:StartFlightRecording:settings= doesn't work
properly
+ JDK-8216486: Possibility of integer overflow in
JfrThreadSampler::run()
+ JDK-8216528: test/jdk/java/rmi/transport/
/runtimeThreadInheritanceLeak/
/RuntimeThreadInheritanceLeak.java failing with Xcomp
+ JDK-8216559: [JFR] Native libraries not correctly parsed from
/proc/self/maps
+ JDK-8216578: Remove unused/obsolete method in JFR code
+ JDK-8216995: Clean up JFR command line processing
+ JDK-8217744: [TESTBUG] JFR TestShutdownEvent fails on some
systems due to process surviving SIGINT
+ JDK-8217748: [TESTBUG] Exclude TestSig test case from JFR
TestShutdownEvent
+ JDK-8218935: Make jfr strncpy uses GCC 8.x friendly
+ JDK-8223147: JFR Backport
+ JDK-8223689: Add JFR Thread Sampling Support
+ JDK-8223690: Add JFR BiasedLock Event Support
+ JDK-8223691: Add JFR G1 Region Type Change Event Support
+ JDK-8223692: Add JFR G1 Heap Summary Event Support
+ JDK-8224172: assert(jfr_is_event_enabled(id)) failed:
invariant
+ JDK-8224475: JTextPane does not show images in HTML rendering
+ JDK-8226253: JAWS reports wrong number of radio buttons when
buttons are hidden.
+ JDK-8226779: [TESTBUG] Test JFR API from Java agent
+ JDK-8226892: ActionListeners on JRadioButtons don't get
notified when selection is changed with arrow keys
+ JDK-8227011: Starting a JFR recording in response to JVMTI
VMInit and / or Java agent premain corrupts memory
+ JDK-8227605: Kitchensink fails 'assert((((klass)->trace_id()
& (JfrTraceIdEpoch::leakp_in_use_this_epoch_bit())) != 0))
failed: invariant'
+ JDK-8229366: JFR backport allows unchecked writing to memory
+ JDK-8229401: Fix JFR code cache test failures
+ JDK-8229708: JFR backport code does not initialize
+ JDK-8229873: 8229401 broke jdk8u-jfr-incubator
+ JDK-8230448: [test] JFRSecurityTestSuite.java is failing on
Windows
+ JDK-8230707: JFR related tests are failing
+ JDK-8230782: Robot.createScreenCapture() fails if
'awt.robot.gtk' is set to false
+ JDK-8230856: Java_java_net_NetworkInterface_getByName0 on
unix misses ReleaseStringUTFChars in early return
+ JDK-8230947: TestLookForUntestedEvents.java is failing after
JDK-8230707
+ JDK-8231995: two jtreg tests failed after 8229366 is fixed
+ JDK-8233623: Add classpath exception to copyright in
EventHandlerProxyCreator.java file
+ JDK-8236002: CSR for JFR backport suggests not leaving out
the package-info
+ JDK-8236008: Some backup files were accidentally left in the
hotspot tree
+ JDK-8236074: Missed package-info
+ JDK-8236174: Should update javadoc since tags
+ JDK-8238076: Fix OpenJDK 7 Bootstrap Broken by JFR Backport
+ JDK-8238452: Keytool generates wrong expiration date if
validity is set to 2050/01/01
+ JDK-8238555: Allow Initialization of SunPKCS11 with NSS when
there are external FIPS modules in the NSSDB
+ JDK-8238589: Necessary code cleanup in JFR for JDK8u
+ JDK-8238590: Enable JFR by default during compilation in 8u
+ JDK-8239055: Wrong implementation of VMState.hasListener
+ JDK-8239476: JDK-8238589 broke windows build by moving
OrderedPair
+ JDK-8239479: minimal1 and zero builds are failing
+ JDK-8239867: correct over use of INCLUDE_JFR macro
+ JDK-8240375: Disable JFR by default for July 2020 release
+ JDK-8241444: Metaspace::_class_vsm not initialized if
compressed class pointers are disabled
+ JDK-8241902: AIX Build broken after integration of
JDK-8223147 (JFR Backport)
+ JDK-8242788: Non-PCH build is broken after JDK-8191393
* Import of OpenJDK 8 u262 build 02
+ JDK-8130737: AffineTransformOp can't handle child raster with
non-zero x-offset
+ JDK-8172559: [PIT][TEST_BUG] Move @test to be 1st annotation
in java/awt/image/Raster/TestChildRasterOp.java
+ JDK-8230926: [macosx] Two apostrophes are entered instead of
one with 'U.S. International - PC' layout
+ JDK-8240576: JVM crashes after transformation in C2
IdealLoopTree::merge_many_backedges
+ JDK-8242883: Incomplete backport of JDK-8078268: backport
test part
* Import of OpenJDK 8 u262 build 03
+ JDK-8037866: Replace the Fun class in tests with lambdas
+ JDK-8146612: C2: Precedence edges specification violated
+ JDK-8150986: serviceability/sa/jmap-hprof/
/JMapHProfLargeHeapTest.java failing because expects HPROF
JAVA PROFILE 1.0.1 file format
+ JDK-8229888: (zipfs) Updating an existing zip file does not
preserve original permissions
+ JDK-8230597: Update GIFlib library to the 5.2.1
+ JDK-8230769: BufImg_SetupICM add
ReleasePrimitiveArrayCritical call in early return
+ JDK-8233880, PR3798: Support compilers with multi-digit major
version numbers
+ JDK-8239852: java/util/concurrent tests fail with
-XX:+VerifyGraphEdges: assert(!VerifyGraphEdges) failed:
verification should have failed
+ JDK-8241638: launcher time metrics always report 1 on Linux
when _JAVA_LAUNCHER_DEBUG set
+ JDK-8243059: Build fails when --with-vendor-name contains a
comma
+ JDK-8243474: [TESTBUG] removed three tests of 0 bytes
+ JDK-8244461: [JDK 8u] Build fails with glibc 2.32
+ JDK-8244548: JDK 8u: sun.misc.Version.jdkUpdateVersion()
returns wrong result
* Import of OpenJDK 8 u262 build 04
+ JDK-8067796: (process) Process.waitFor(timeout, unit) doesn't
throw NPE if timeout is less than, or equal to zero when unit
== null
+ JDK-8148886: SEGV in sun.java2d.marlin.Renderer._endRendering
+ JDK-8171934:
ObjectSizeCalculator.getEffectiveMemoryLayoutSpecification()
does not recognize OpenJDK's HotSpot VM
+ JDK-8196969: JTreg Failure:
serviceability/sa/ClhsdbJstack.java causes NPE
+ JDK-8243539: Copyright info (Year) should be updated for fix
of 8241638
+ JDK-8244777: ClassLoaderStats VM Op uses constant hash value
* Import of OpenJDK 8 u262 build 05
+ JDK-7147060: com/sun/org/apache/xml/internal/security/
/transforms/ClassLoaderTest.java doesn't run in agentvm mode
+ JDK-8178374: Problematic ByteBuffer handling in
CipherSpi.bufferCrypt method
+ JDK-8181841: A TSA server returns timestamp with precision
higher than milliseconds
+ JDK-8227269: Slow class loading when running with JDWP
+ JDK-8229899: Make java.io.File.isInvalid() less racy
+ JDK-8236996: Incorrect Roboto font rendering on Windows with
subpixel antialiasing
+ JDK-8241750: x86_32 build failure after JDK-8227269
+ JDK-8244407: JVM crashes after transformation in C2
IdealLoopTree::split_fall_in
+ JDK-8244843: JapanEraNameCompatTest fails
* Import of OpenJDK 8 u262 build 06
+ JDK-8246223: Windows build fails after JDK-8227269
* Import of OpenJDK 8 u262 build 07
+ JDK-8233197: Invert JvmtiExport::post_vm_initialized() and
Jfr:on_vm_start() start-up order for correct option parsing
+ JDK-8243541: (tz) Upgrade time-zone data to tzdata2020a
+ JDK-8245167: Top package in method profiling shows null in JMC
+ JDK-8246703: [TESTBUG] Add test for JDK-8233197
* Import of OpenJDK 8 u262 build 08
+ JDK-8220293: Deadlock in JFR string pool
+ JDK-8225068: Remove DocuSign root certificate that is
expiring in May 2020
+ JDK-8225069: Remove Comodo root certificate that is expiring
in May 2020
* Import of OpenJDK 8 u262 build 09
+ JDK-8248399: Build installs jfr binary when JFR is disabled
* Import of OpenJDK 8 u262 build 10
+ JDK-8248715: New JavaTimeSupplementary localisation for 'in'
installed in wrong package
* Import of OpenJDK 8 u265 build 01
+ JDK-8249677: Regression in 8u after JDK-8237117: Better
ForkJoinPool behavior
+ JDK-8250546: Expect changed behaviour reported in JDK-8249846
* Import of OpenJDK 8 u272 build 01
+ JDK-8006205: [TESTBUG] NEED_TEST: please JTREGIFY
test/compiler/7177917/Test7177917.java
+ JDK-8035493: JVMTI PopFrame capability must instruct
compilers not to prune locals
+ JDK-8036088: Replace strtok() with its safe equivalent
strtok_s() in DefaultProxySelector.c
+ JDK-8039082: [TEST_BUG] Test java/awt/dnd/
/BadSerializationTest/BadSerializationTest.java fails
+ JDK-8075774: Small readability and performance improvements
for zipfs
+ JDK-8132206: move ScanTest.java into OpenJDK
+ JDK-8132376: Add @requires os.family to the client tests with
access to internal OS-specific API
+ JDK-8132745: minor cleanup of java/util/Scanner/ScanTest.java
+ JDK-8137087: [TEST_BUG] Cygwin failure of java/awt/
/appletviewer/IOExceptionIfEncodedURLTest/
/IOExceptionIfEncodedURLTest.sh
+ JDK-8145808: java/awt/Graphics2D/MTGraphicsAccessTest/
/MTGraphicsAccessTest.java hangs on Win. 8
+ JDK-8151788: NullPointerException from ntlm.Client.type3
+ JDK-8151834: Test SmallPrimeExponentP.java times out
intermittently
+ JDK-8153430: jdk regression test MletParserLocaleTest,
ParserInfiniteLoopTest reduce default timeout
+ JDK-8153583: Make OutputAnalyzer.reportDiagnosticSummary
public
+ JDK-8156169: Some sound tests rarely hangs because of
incorrect synchronization
+ JDK-8165936: Potential Heap buffer overflow when seaching
timezone info files
+ JDK-8166148: Fix for JDK-8165936 broke solaris builds
+ JDK-8167300: Scheduling failures during gcm should be fatal
+ JDK-8167615: Opensource unit/regression tests for JavaSound
+ JDK-8172012: [TEST_BUG] delays needed in
javax/swing/JTree/4633594/bug4633594.java
+ JDK-8177628: Opensource unit/regression tests for ImageIO
+ JDK-8183341: Better cleanup for javax/imageio/AllowSearch.java
+ JDK-8183351: Better cleanup for jdk/test/javax/imageio/spi/
/AppletContextTest/BadPluginConfigurationTest.sh
+ JDK-8193137: Nashorn crashes when given an empty script file
+ JDK-8194298: Add support for per Socket configuration of TCP
keepalive
+ JDK-8198004: javax/swing/JFileChooser/6868611/bug6868611.java
throws error
+ JDK-8200313: java/awt/Gtk/GtkVersionTest/GtkVersionTest.java
fails
+ JDK-8210147: adjust some WSAGetLastError usages in windows
network coding
+ JDK-8211714: Need to update vm_version.cpp to recognise
VS2017 minor versions
+ JDK-8214862: assert(proj != __null) at compile.cpp:3251
+ JDK-8217606: LdapContext#reconnect always opens a new
connection
+ JDK-8217647: JFR: recordings on 32-bit systems unreadable
+ JDK-8226697: Several tests which need the @key headful
keyword are missing it.
+ JDK-8229378: jdwp library loader in linker_md.c quietly
truncates on buffer overflow
+ JDK-8230303: JDB hangs when running monitor command
+ JDK-8230711: ConnectionGraph::unique_java_object(Node* N)
return NULL if n is not in the CG
+ JDK-8234617: C1: Incorrect result of field load due to
missing narrowing conversion
+ JDK-8235243: handle VS2017 15.9 and VS2019 in
abstract_vm_version
+ JDK-8235325: build failure on Linux after 8235243
+ JDK-8235687: Contents/MacOS/libjli.dylib cannot be a symlink
+ JDK-8237951: CTW: C2 compilation fails with 'malformed
control flow'
+ JDK-8238225: Issues reported after replacing symlink at
Contents/MacOS/libjli.dylib with binary
+ JDK-8239385: KerberosTicket client name refers wrongly to
sAMAccountName in AD
+ JDK-8239819: XToolkit: Misread of screen information memory
+ JDK-8240295: hs_err elapsed time in seconds is not accurate
enough
+ JDK-8241888: Mirror jdk.security.allowNonCaAnchor system
property with a security one
+ JDK-8242498: Invalid 'sun.awt.TimedWindowEvent' object leads
to JVM crash
+ JDK-8243489: Thread CPU Load event may contain wrong data for
CPU time under certain conditions
+ JDK-8244818: Java2D Queue Flusher crash while moving
application window to external monitor
+ JDK-8246310: Clean commented-out code about ModuleEntry
and PackageEntry in JFR
+ JDK-8246384: Enable JFR by default on supported architectures
for October 2020 release
+ JDK-8248643: Remove extra leading space in JDK-8240295 8u
backport
+ JDK-8249610: Make
sun.security.krb5.Config.getBooleanObject(String... keys)
method public
* Import of OpenJDK 8 u272 build 02
+ JDK-8023697: failed class resolution reports different class
name in detail message for the first and subsequent times
+ JDK-8025886: replace [[ and == bash extensions in regtest
+ JDK-8046274: Removing dependency on jakarta-regexp
+ JDK-8048933: -XX:+TraceExceptions output should include the
message
+ JDK-8076151: [TESTBUG] Test java/awt/FontClass/CreateFont/
/fileaccess/FontFile.java fails
+ JDK-8148854: Class names 'SomeClass' and 'LSomeClass;'
treated by JVM as an equivalent
+ JDK-8154313: Generated javadoc scattered all over the place
+ JDK-8163251: Hard coded loop limit prevents reading of smart
card data greater than 8k
+ JDK-8173300: [TESTBUG]compiler/tiered/NonTieredLevelsTest.java
fails with compiler.whitebox.SimpleTestCaseHelper(int) must be
compiled
+ JDK-8183349: Better cleanup for jdk/test/javax/imageio/
/plugins/shared/CanWriteSequence.java and WriteAfterAbort.java
+ JDK-8191678: [TESTBUG] Add keyword headful in java/awt
FocusTransitionTest test.
+ JDK-8201633: Problems with AES-GCM native acceleration
+ JDK-8211049: Second parameter of 'initialize' method is not
used
+ JDK-8219566: JFR did not collect call stacks when
MaxJavaStackTraceDepth is set to zero
+ JDK-8220165: Encryption using GCM results in
RuntimeException- input length out of bound
+ JDK-8220555: JFR tool shows potentially misleading message
when it cannot access a file
+ JDK-8224217: RecordingInfo should use textual representation
of path
+ JDK-8231779: crash
HeapWord*ParallelScavengeHeap::failed_mem_allocate
+ JDK-8238380, PR3798: java.base/unix/native/libjava/childproc.c
'multiple definition' link errors with GCC10
+ JDK-8238386, PR3798: (sctp) jdk.sctp/unix/native/libsctp/
/SctpNet.c 'multiple definition' link errors with GCC10
+ JDK-8238388, PR3798: libj2gss/NativeFunc.o 'multiple
definition' link errors with GCC10
+ JDK-8242556: Cannot load RSASSA-PSS public key with non-null
params from byte array
+ JDK-8250755: Better cleanup for jdk/test/javax/imageio/
/plugins/shared/CanWriteSequence.java
* Import of OpenJDK 8 u272 build 03
+ JDK-6574989: TEST_BUG:
javax/sound/sampled/Clip/bug5070081.java fails sometimes
+ JDK-8148754: C2 loop unrolling fails due to unexpected graph
shape
+ JDK-8192953: sun/management/jmxremote/bootstrap/*.sh tests
fail with error : revokeall.exe: Permission denied
+ JDK-8203357: Container Metrics
+ JDK-8209113: Use WeakReference for lastFontStrike for created
Fonts
+ JDK-8216283: Allow shorter method sampling interval than 10 ms
+ JDK-8221569: JFR tool produces incorrect output when both
--categories and --events are specified
+ JDK-8233097: Fontmetrics for large Fonts has zero width
+ JDK-8248851: CMS: Missing memory fences between free chunk
check and klass read
+ JDK-8250875: Incorrect parameter type for update_number in
JDK_Version::jdk_update
* Import of OpenJDK 8 u272 build 04
+ JDK-8061616: HotspotDiagnosticMXBean.getVMOption() throws
IllegalArgumentException for flags of type double
+ JDK-8177334: Update xmldsig implementation to Apache
Santuario 2.1.1
+ JDK-8217878: ENVELOPING XML signature no longer works in JDK
11
+ JDK-8218629: XML Digital Signature throws NAMESPACE_ERR
exception on OpenJDK 11, works 8/9/10
+ JDK-8243138: Enhance BaseLdapServer to support starttls
extended request
* Import of OpenJDK 8 u272 build 05
+ JDK-8026236: Add PrimeTest for BigInteger
+ JDK-8057003: Large reference arrays cause extremely long
synchronization times
+ JDK-8060721: Test runtime/SharedArchiveFile/
/LimitSharedSizes.java fails in jdk 9 fcs new
platforms/compiler
+ JDK-8152077: (cal) Calendar.roll does not always roll the
hours during daylight savings
+ JDK-8168517: java/lang/ProcessBuilder/Basic.java failed
+ JDK-8211163: UNIX version of Java_java_io_Console_echo does
not return a clean boolean
+ JDK-8220674: [TESTBUG] MetricsMemoryTester failcount test in
docker container only works with debug JVMs
+ JDK-8231213: Migrate SimpleDateFormatConstTest to JDK Repo
+ JDK-8236645: JDK 8u231 introduces a regression with
incompatible handling of XML messages
+ JDK-8240676: Meet not symmetric failure when running lucene
on jdk8
+ JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA
program
+ JDK-8249158: THREAD_START and THREAD_END event posted in
primordial phase
+ JDK-8250627: Use -XX:+/-UseContainerSupport for
enabling/disabling Java container metrics
+ JDK-8251546: 8u backport of JDK-8194298 breaks AIX and
Solaris builds
+ JDK-8252084: Minimal VM fails to bootcycle: undefined symbol:
AgeTableTracer::is_tenuring_distribution_event_enabled
* Import of OpenJDK 8 u272 build 06
+ JDK-8064319: Need to enable -XX:+TraceExceptions in release
builds
+ JDK-8080462, PR3801: Update SunPKCS11 provider with PKCS11
v2.40 support
+ JDK-8160768: Add capability to custom resolve host/domain
names within the default JNDI LDAP provider
+ JDK-8161973: PKIXRevocationChecker.getSoftFailExceptions()
not working
+ JDK-8169925, PR3801: PKCS #11 Cryptographic Token Interface
license
+ JDK-8184762: ZapStackSegments should use optimized memset
+ JDK-8193234: When using -Xcheck:jni an internally allocated
buffer can leak
+ JDK-8219919: RuntimeStub name lost with
PrintFrameConverterAssembly
+ JDK-8220313: [TESTBUG] Update base image for Docker testing
to OL 7.6
+ JDK-8222079: Don't use memset to initialize fields decode_env
constructor in disassembler.cpp
+ JDK-8225695: 32-bit build failures after JDK-8080462 (Update
SunPKCS11 provider with PKCS11 v2.40 support)
+ JDK-8226575: OperatingSystemMXBean should be made container
aware
+ JDK-8226809: Circular reference in printed stack trace is not
correctly indented & ambiguous
+ JDK-8228835: Memory leak in PKCS11 provider when using AES GCM
+ JDK-8233621: Mismatch in jsse.enableMFLNExtension property
name
+ JDK-8238898, PR3801: Missing hash characters for header on
license file
+ JDK-8243320: Add SSL root certificates to Oracle Root CA
program
+ JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest
release 1.8.26
+ JDK-8245467: Remove 8u TLSv1.2 implementation files
+ JDK-8245469: Remove DTLS protocol implementation
+ JDK-8245470: Fix JDK8 compatibility issues
+ JDK-8245471: Revert JDK-8148188
+ JDK-8245472: Backport JDK-8038893 to JDK8
+ JDK-8245473: OCSP stapling support
+ JDK-8245474: Add TLS_KRB5 cipher suites support according to
RFC-2712
+ JDK-8245476: Disable TLSv1.3 protocol in the ClientHello
message by default
+ JDK-8245477: Adjust TLS tests location
+ JDK-8245653: Remove 8u TLS tests
+ JDK-8245681: Add TLSv1.3 regression test from 11.0.7
+ JDK-8251117: Cannot check P11Key size in P11Cipher and
P11AEADCipher
+ JDK-8251120, PR3793: [8u] HotSpot build assumes ENABLE_JFR is
set to either true or false
+ JDK-8251341: Minimal Java specification change
+ JDK-8251478: Backport TLSv1.3 regression tests to JDK8u
* Import of OpenJDK 8 u272 build 07
+ JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ
* Import of OpenJDK 8 u272 build 08
+ JDK-8062947: Fix exception message to correctly represent
LDAP connection failure
+ JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed
due to timeout on DeadServerNoTimeoutTest is incorrect
+ JDK-8252573: 8u: Windows build failed after 8222079 backport
* Import of OpenJDK 8 u272 build 09
+ JDK-8252886: [TESTBUG] sun/security/ec/TestEC.java :
Compilation failed
* Import of OpenJDK 8 u272 build 10
+ JDK-8254673: Call to JvmtiExport::post_vm_start() was removed
by the fix for JDK-8249158
+ JDK-8254937: Revert JDK-8148854 for 8u272
* Backports
+ JDK-8038723, PR3806: Openup some PrinterJob tests
+ JDK-8041480, PR3806: ArrayIndexOutOfBoundsException when
JTable contains certain string
+ JDK-8058779, PR3805: Faster implementation of
String.replace(CharSequence, CharSequence)
+ JDK-8130125, PR3806: [TEST_BUG] add @modules to the several
client tests unaffected by the automated bulk update
+ JDK-8144015, PR3806: [PIT] failures of text layout font tests
+ JDK-8144023, PR3806: [PIT] failure of text measurements in
javax/swing/text/html/parser/Parser/6836089/bug6836089.java
+ JDK-8144240, PR3806: [macosx][PIT] AIOOB in
closed/javax/swing/text/GlyphPainter2/6427244/bug6427244.java
+ JDK-8145542, PR3806: The case failed automatically and thrown
java.lang.ArrayIndexOutOfBoundsException exception
+ JDK-8151725, PR3806: [macosx] ArrayIndexOOB exception when
displaying Devanagari text in JEditorPane
+ JDK-8152358, PR3800: code and comment cleanups found during
the hunt for 8077392
+ JDK-8152545, PR3804: Use preprocessor instead of compiling a
program to generate native nio constants
+ JDK-8152680, PR3806: Regression in
GlyphVector.getGlyphCharIndex behaviour
+ JDK-8158924, PR3806: Incorrect i18n text document layout
+ JDK-8166003, PR3806: [PIT][TEST_BUG] missing helper for
javax/swing/text/GlyphPainter2/6427244/bug6427244.java
+ JDK-8166068, PR3806: test/java/awt/font/GlyphVector/
/GetGlyphCharIndexTest.java does not compile
+ JDK-8169879, PR3806: [TEST_BUG] javax/swing/text/
/GlyphPainter2/6427244/bug6427244.java - compilation failed
+ JDK-8191512, PR3806: T2K font rasterizer code removal
+ JDK-8191522, PR3806: Remove Bigelow&Holmes Lucida fonts from
JDK sources
+ JDK-8236512, PR3801: PKCS11 Connection closed after
Cipher.doFinal and NoPadding
+ JDK-8254177, PR3809: (tz) Upgrade time-zone data to
tzdata2020b
* Bug fixes
+ PR3798: Fix format-overflow error on GCC 10, caused by
passing NULL to a '%s' directive
+ PR3795: ECDSAUtils for XML digital signatures should support
the same curve set as the rest of the JDK
+ PR3799: Adapt elliptic curve patches to JDK-8245468: Add
TLSv1.3 implementation classes from 11.0.7
+ PR3808: IcedTea does not install the JFR *.jfc files
+ PR3810: Enable JFR on x86 (32-bit) now that JDK-8252096 has
fixed its use with Shenandoah
+ PR3811: Don't attempt to install JFR files when JFR is
disabled
* Shenandoah
+ [backport] 8221435: Shenandoah should not mark through weak
roots
+ [backport] 8221629: Shenandoah: Cleanup class unloading logic
+ [backport] 8222992: Shenandoah: Pre-evacuate all roots
+ [backport] 8223215: Shenandoah: Support verifying subset of
roots
+ [backport] 8223774: Shenandoah: Refactor
ShenandoahRootProcessor and family
+ [backport] 8224210: Shenandoah: Refactor
ShenandoahRootScanner to support scanning CSet codecache roots
+ [backport] 8224508: Shenandoah: Need to update thread roots
in final mark for piggyback ref update cycle
+ [backport] 8224579: ResourceMark not declared in
shenandoahRootProcessor.inline.hpp with
--disable-precompiled-headers
+ [backport] 8224679: Shenandoah: Make
ShenandoahParallelCodeCacheIterator noncopyable
+ [backport] 8224751: Shenandoah: Shenandoah Verifier should
select proper roots according to current GC cycle
+ [backport] 8225014: Separate ShenandoahRootScanner method for
object_iterate
+ [backport] 8225216: gc/logging/TestMetaSpaceLog.java doesn't
work for Shenandoah
+ [backport] 8225573: Shenandoah: Enhance ShenandoahVerifier to
ensure roots to-space invariant
+ [backport] 8225590: Shenandoah: Refactor
ShenandoahClassLoaderDataRoots API
+ [backport] 8226413: Shenandoah: Separate root scanner for
SH::object_iterate()
+ [backport] 8230853: Shenandoah: replace leftover
assert(is_in(...)) with rich asserts
+ [backport] 8231198: Shenandoah: heap walking should visit all
roots most of the time
+ [backport] 8231244: Shenandoah: all-roots heap walking misses
some weak roots
+ [backport] 8237632: Shenandoah: accept NULL fwdptr to
cooperate with JVMTI and JFR
+ [backport] 8239786: Shenandoah: print per-cycle statistics
+ [backport] 8239926: Shenandoah: Shenandoah needs to mark
nmethod's metadata
+ [backport] 8240671: Shenandoah: refactor
ShenandoahPhaseTimings
+ [backport] 8240749: Shenandoah: refactor ShenandoahUtils
+ [backport] 8240750: Shenandoah: remove leftover files and
mentions of ShenandoahAllocTracker
+ [backport] 8240868: Shenandoah: remove CM-with-UR
piggybacking cycles
+ [backport] 8240872: Shenandoah: Avoid updating new regions
from start of evacuation
+ [backport] 8240873: Shenandoah: Short-cut arraycopy barriers
+ [backport] 8240915: Shenandoah: Remove unused fields in init
mark tasks
+ [backport] 8240948: Shenandoah: cleanup not-forwarded-objects
paths after JDK-8240868
+ [backport] 8241007: Shenandoah: remove
ShenandoahCriticalControlThreadPriority support
+ [backport] 8241062: Shenandoah: rich asserts trigger 'empty
statement' inspection
+ [backport] 8241081: Shenandoah: Do not modify
update-watermark concurrently
+ [backport] 8241093: Shenandoah: editorial changes in flag
descriptions
+ [backport] 8241139: Shenandoah: distribute mark-compact work
exactly to minimize fragmentation
+ [backport] 8241142: Shenandoah: should not use parallel
reference processing with single GC thread
+ [backport] 8241351: Shenandoah: fragmentation metrics overhaul
+ [backport] 8241435: Shenandoah: avoid disabling pacing with
'aggressive'
+ [backport] 8241520: Shenandoah: simplify region sequence
numbers handling
+ [backport] 8241534: Shenandoah: region status should include
update watermark
+ [backport] 8241574: Shenandoah: remove
ShenandoahAssertToSpaceClosure
+ [backport] 8241583: Shenandoah: turn heap lock asserts into
macros
+ [backport] 8241668: Shenandoah: make ShenandoahHeapRegion not
derive from ContiguousSpace
+ [backport] 8241673: Shenandoah: refactor anti-false-sharing
padding
+ [backport] 8241675: Shenandoah: assert(n->outcnt() > 0) at
shenandoahSupport.cpp:2858 with
java/util/Collections/FindSubList.java
+ [backport] 8241692: Shenandoah: remove
ShenandoahHeapRegion::_reserved
+ [backport] 8241700: Shenandoah: Fold
ShenandoahKeepAliveBarrier flag into ShenandoahSATBBarrier
+ [backport] 8241740: Shenandoah: remove
ShenandoahHeapRegion::_heap
+ [backport] 8241743: Shenandoah: refactor and inline
ShenandoahHeap::heap()
+ [backport] 8241748: Shenandoah: inline MarkingContext TAMS
methods
+ [backport] 8241838: Shenandoah: no need to trash cset during
final mark
+ [backport] 8241841: Shenandoah: ditch one of allocation type
counters in ShenandoahHeapRegion
+ [backport] 8241842: Shenandoah: inline
ShenandoahHeapRegion::region_number
+ [backport] 8241844: Shenandoah: rename
ShenandoahHeapRegion::region_number
+ [backport] 8241845: Shenandoah: align ShenandoahHeapRegions
to cache lines
+ [backport] 8241926: Shenandoah: only print heap changes for
operations that directly affect it
+ [backport] 8241983: Shenandoah: simplify FreeSet logging
+ [backport] 8241985: Shenandoah: simplify collectable garbage
logging
+ [backport] 8242040: Shenandoah: print allocation failure type
+ [backport] 8242041: Shenandoah: adaptive heuristics should
account evac reserve in free target
+ [backport] 8242042: Shenandoah: tune down
ShenandoahGarbageThreshold
+ [backport] 8242054: Shenandoah: New incremental-update mode
+ [backport] 8242075: Shenandoah: rename
ShenandoahHeapRegionSize flag
+ [backport] 8242082: Shenandoah: Purge Traversal mode
+ [backport] 8242083: Shenandoah: split 'Prepare Evacuation'
tracking into cset/freeset counters
+ [backport] 8242089: Shenandoah: per-worker stats should be
summed up, not averaged
+ [backport] 8242101: Shenandoah: coalesce and parallelise heap
region walks during the pauses
+ [backport] 8242114: Shenandoah: remove
ShenandoahHeapRegion::reset_alloc_metadata_to_shared
+ [backport] 8242130: Shenandoah: Simplify arraycopy-barrier
dispatching
+ [backport] 8242211: Shenandoah: remove
ShenandoahHeuristics::RegionData::_seqnum_last_alloc
+ [backport] 8242212: Shenandoah: initialize
ShenandoahHeuristics::_region_data eagerly
+ [backport] 8242213: Shenandoah: remove
ShenandoahHeuristics::_bytes_in_cset
+ [backport] 8242217: Shenandoah: Enable GC mode to be
diagnostic/experimental and have a name
+ [backport] 8242227: Shenandoah: transit regions to cset state
when adding to collection set
+ [backport] 8242228: Shenandoah: remove unused
ShenandoahCollectionSet methods
+ [backport] 8242229: Shenandoah: inline ShenandoahHeapRegion
liveness-related methods
+ [backport] 8242267: Shenandoah: regions space needs to be
aligned by os::vm_allocation_granularity()
+ [backport] 8242271: Shenandoah: add test to verify GC mode
unlock
+ [backport] 8242273: Shenandoah: accept either SATB or IU
barriers, but not both
+ [backport] 8242301: Shenandoah: Inline LRB runtime call
+ [backport] 8242316: Shenandoah: Turn NULL-check into assert
in SATB slow-path entry
+ [backport] 8242353: Shenandoah: micro-optimize region
liveness handling
+ [backport] 8242365: Shenandoah: use uint16_t instead of
jushort for liveness cache
+ [backport] 8242375: Shenandoah: Remove
ShenandoahHeuristic::record_gc_start/end methods
+ [backport] 8242641: Shenandoah: clear live data and update
TAMS optimistically
+ [backport] 8243238: Shenandoah: explicit GC request should
wait for a complete GC cycle
+ [backport] 8243301: Shenandoah: ditch
ShenandoahAllowMixedAllocs
+ [backport] 8243307: Shenandoah: remove
ShCollectionSet::live_data
+ [backport] 8243395: Shenandoah: demote guarantee in
ShenandoahPhaseTimings::record_workers_end
+ [backport] 8243463: Shenandoah: ditch total_pause counters
+ [backport] 8243464: Shenandoah: print statistic counters in
time order
+ [backport] 8243465: Shenandoah: ditch unused pause_other,
conc_other counters
+ [backport] 8243487: Shenandoah: make _num_phases illegal
phase type
+ [backport] 8243494: Shenandoah: set counters once per cycle
+ [backport] 8243573: Shenandoah: rename GCParPhases and
related code
+ [backport] 8243848: Shenandoah: Windows build fails after
JDK-8239786
+ [backport] 8244180: Shenandoah: carry Phase to
ShWorkerTimingsTracker explicitly
+ [backport] 8244200: Shenandoah: build breakages after
JDK-8241743
+ [backport] 8244226: Shenandoah: per-cycle statistics contain
worker data from previous cycles
+ [backport] 8244326: Shenandoah: global statistics should not
accept bogus samples
+ [backport] 8244509: Shenandoah: refactor
ShenandoahBarrierC2Support::test_* methods
+ [backport] 8244551: Shenandoah: Fix racy update of
update_watermark
+ [backport] 8244667: Shenandoah: SBC2Support::test_gc_state
takes loop for wrong control
+ [backport] 8244730: Shenandoah: gc/shenandoah/options/
/TestHeuristicsUnlock.java should only verify the heuristics
+ [backport] 8244732: Shenandoah: move heuristics code to
gc/shenandoah/heuristics
+ [backport] 8244737: Shenandoah: move mode code to
gc/shenandoah/mode
+ [backport] 8244739: Shenandoah: break superclass dependency
on ShenandoahNormalMode
+ [backport] 8244740: Shenandoah: rename ShenandoahNormalMode
to ShenandoahSATBMode
+ [backport] 8245461: Shenandoah: refine mode name()-s
+ [backport] 8245463: Shenandoah: refine ShenandoahPhaseTimings
constructor arguments
+ [backport] 8245464: Shenandoah: allocate collection set
bitmap at lower addresses
+ [backport] 8245465: Shenandoah: test_in_cset can use more
efficient encoding
+ [backport] 8245726: Shenandoah: lift/cleanup
ShenandoahHeuristics names and properties
+ [backport] 8245754: Shenandoah: ditch ShenandoahAlwaysPreTouch
+ [backport] 8245757: Shenandoah: AlwaysPreTouch should not
disable heap resizing or uncommits
+ [backport] 8245773: Shenandoah: Windows assertion failure
after JDK-8245464
+ [backport] 8245812: Shenandoah: compute root phase parallelism
+ [backport] 8245814: Shenandoah: reconsider format specifiers
for stats
+ [backport] 8245825: Shenandoah: Remove diagnostic flag
ShenandoahConcurrentScanCodeRoots
+ [backport] 8246162: Shenandoah: full GC does not mark code
roots when class unloading is off
+ [backport] 8247310: Shenandoah: pacer should not affect
interrupt status
+ [backport] 8247358: Shenandoah: reconsider free budget slice
for marking
+ [backport] 8247367: Shenandoah: pacer should wait on lock
instead of exponential backoff
+ [backport] 8247474: Shenandoah: Windows build warning after
JDK-8247310
+ [backport] 8247560: Shenandoah: heap iteration holds root
locks all the time
+ [backport] 8247593: Shenandoah: should not block pacing
reporters
+ [backport] 8247751: Shenandoah: options tests should run with
smaller heaps
+ [backport] 8247754: Shenandoah: mxbeans tests can be shorter
+ [backport] 8247757: Shenandoah: split heavy tests by
heuristics to improve parallelism
+ [backport] 8247860: Shenandoah: add update watermark line in
rich assert failure message
+ [backport] 8248041: Shenandoah: pre-Full GC root updates may
miss some roots
+ [backport] 8248652: Shenandoah: SATB buffer handling may
assume no forwarded objects
+ [backport] 8249560: Shenandoah: Fix racy GC request handling
+ [backport] 8249649: Shenandoah: provide per-cycle pacing stats
+ [backport] 8249801: Shenandoah: Clear soft-refs on requested
GC cycle
+ [backport] 8249953: Shenandoah: gc/shenandoah/mxbeans tests
should account for corner cases
+ Fix slowdebug build after JDK-8230853 backport
+ JDK-8252096: Shenandoah: adjust SerialPageShiftCount for
x86_32 and JFR
+ JDK-8252366: Shenandoah: revert/cleanup changes in
graphKit.cpp
+ Shenandoah: add JFR roots to root processor after JFR
integration
+ Shenandoah: add root statistics for string dedup table/queues
+ Shenandoah: enable low-frequency STW class unloading
+ Shenandoah: fix build failures after JDK-8244737 backport
+ Shenandoah: Fix build failure with +JFR -PCH
+ Shenandoah: fix forceful pacer claim
+ Shenandoah: fix formats in
ShenandoahStringSymbolTableUnlinkTask
+ Shenandoah: fix runtime linking failure due to non-compiled
shenandoahBarrierSetC1
+ Shenandoah: hook statistics printing to PrintGCDetails, not
PrintGC
+ Shenandoah: JNI weak roots are always cleared before Full GC
mark
+ Shenandoah: missing SystemDictionary roots in
ShenandoahHeapIterationRootScanner
+ Shenandoah: move barrier sets to their proper locations
+ Shenandoah: move parallelCleaning.* to shenandoah/
+ Shenandoah: pacer should use proper Atomics for intptr_t
+ Shenandoah: properly deallocates class loader metadata
+ Shenandoah: specialize String Table scans for better pause
performance
+ Shenandoah: Zero build fails after recent Atomic cleanup in
Pacer
* AArch64 port
+ JDK-8161072, PR3797: AArch64: jtreg
compiler/uncommontrap/TestDeoptOOM failure
+ JDK-8171537, PR3797: aarch64: compiler/c1/Test6849574.java
generates guarantee failure in C1
+ JDK-8183925, PR3797: [AArch64] Decouple crash protection from
watcher thread
+ JDK-8199712, PR3797: [AArch64] Flight Recorder
+ JDK-8203481, PR3797: Incorrect constraint for unextended_sp
in frame:safe_for_sender
+ JDK-8203699, PR3797: java/lang/invoke/SpecialInterfaceCall
fails with SIGILL on aarch64
+ JDK-8209413, PR3797: AArch64: NPE in clhsdb jstack command
+ JDK-8215961, PR3797: jdk/jfr/event/os/TestCPUInformation.java
fails on AArch64
+ JDK-8216989, PR3797:
CardTableBarrierSetAssembler::gen_write_ref_array_post_barrier()
does not check for zero length on AARCH64
+ JDK-8217368, PR3797: AArch64: C2 recursive stack locking
optimisation not triggered
+ JDK-8221658, PR3797: aarch64: add necessary predicate for
ubfx patterns
+ JDK-8237512, PR3797: AArch64: aarch64TestHook leaks a
BufferBlob
+ JDK-8246482, PR3797: Build failures with +JFR -PCH
+ JDK-8247979, PR3797: aarch64: missing side effect of killing
flags for clearArray_reg_reg
+ JDK-8248219, PR3797: aarch64: missing memory barrier in
fast_storefield and fast_accessfield
- Ignore whitespaces after the header or footer in PEM X.509 cert
(bsc#1171352)
ImportantSUSE bug 1171352SUSE bug 1174157SUSE bug 1177943CVE-2020-14556 at SUSECVE-2020-14556 at NVDCVE-2020-14577 at SUSECVE-2020-14577 at NVDCVE-2020-14578 at SUSECVE-2020-14578 at NVDCVE-2020-14579 at SUSECVE-2020-14579 at NVDCVE-2020-14581 at SUSECVE-2020-14581 at NVDCVE-2020-14583 at SUSECVE-2020-14583 at NVDCVE-2020-14593 at SUSECVE-2020-14593 at NVDCVE-2020-14621 at SUSECVE-2020-14621 at NVDCVE-2020-14779 at SUSECVE-2020-14779 at NVDCVE-2020-14781 at SUSECVE-2020-14781 at NVDCVE-2020-14782 at SUSECVE-2020-14782 at NVDCVE-2020-14792 at SUSECVE-2020-14792 at NVDCVE-2020-14796 at SUSECVE-2020-14796 at NVDCVE-2020-14797 at SUSECVE-2020-14797 at NVDCVE-2020-14798 at SUSECVE-2020-14798 at NVDCVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_124 fixes several issues.
The following security issues were fixed:
- CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with system execution privileges needed. User interaction is not needed for exploitation. (bsc#1176724)
- CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011).
- CVE-2020-0431: In kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bsc#1176722)
- CVE-2020-25212: A TOCTOU mismatch in the NFS client code could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c (bsc#1176381).
- CVE-2020-14386: Fixed a memory corruption which could have lead to an attacker gaining root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity (bsc#1176069).
ImportantSUSE bug 1176012SUSE bug 1176072SUSE bug 1176382SUSE bug 1176896SUSE bug 1176931CVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2020-0431 at SUSECVE-2020-0431 at NVDCVE-2020-14381 at SUSECVE-2020-14381 at NVDCVE-2020-14386 at SUSECVE-2020-14386 at NVDCVE-2020-25212 at SUSECVE-2020-25212 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_121 fixes several issues.
The following security issues were fixed:
- CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with system execution privileges needed. User interaction is not needed for exploitation. (bsc#1176724)
- CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011).
- CVE-2020-0431: In kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bsc#1176722)
- CVE-2020-25212: A TOCTOU mismatch in the NFS client code could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c (bsc#1176381).
- CVE-2020-14386: Fixed a memory corruption which could have lead to an attacker gaining root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity (bsc#1176069).
ImportantSUSE bug 1176012SUSE bug 1176072SUSE bug 1176382SUSE bug 1176896SUSE bug 1176931CVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2020-0431 at SUSECVE-2020-0431 at NVDCVE-2020-14381 at SUSECVE-2020-14381 at NVDCVE-2020-14386 at SUSECVE-2020-14386 at NVDCVE-2020-25212 at SUSECVE-2020-25212 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_116 fixes several issues.
The following security issues were fixed:
- CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with system execution privileges needed. User interaction is not needed for exploitation. (bsc#1176724)
- CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011).
- CVE-2020-0431: In kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bsc#1176722)
- CVE-2020-25212: A TOCTOU mismatch in the NFS client code could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c (bsc#1176381).
- CVE-2020-14386: Fixed a memory corruption which could have lead to an attacker gaining root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity (bsc#1176069).
ImportantSUSE bug 1176012SUSE bug 1176072SUSE bug 1176382SUSE bug 1176896SUSE bug 1176931CVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2020-0431 at SUSECVE-2020-0431 at NVDCVE-2020-14381 at SUSECVE-2020-14381 at NVDCVE-2020-14386 at SUSECVE-2020-14386 at NVDCVE-2020-25212 at SUSECVE-2020-25212 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_130 fixes several issues.
The following security issues were fixed:
- CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with system execution privileges needed. User interaction is not needed for exploitation. (bsc#1176724)
- CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011).
- CVE-2020-0431: In kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bsc#1176722)
- CVE-2020-25212: A TOCTOU mismatch in the NFS client code could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c (bsc#1176381).
- CVE-2020-11668: Fixed an out of bounds write to the heap in drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB driver) caused by mishandling invalid descriptors (bsc#1168952).
- CVE-2020-1749: A flaw was found in the implementation of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't correctly routing tunneled data over the encrypted link, rather sending the data unencrypted. This would have allowed anyone in between the two endpoints to read the traffic unencrypted. (bsc#1165629)
ImportantSUSE bug 1165631SUSE bug 1173942SUSE bug 1176012SUSE bug 1176382SUSE bug 1176896SUSE bug 1176931CVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2020-0431 at SUSECVE-2020-0431 at NVDCVE-2020-11668 at SUSECVE-2020-11668 at NVDCVE-2020-14381 at SUSECVE-2020-14381 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDCVE-2020-25212 at SUSECVE-2020-25212 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_113 fixes several issues.
The following security issues were fixed:
- CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with system execution privileges needed. User interaction is not needed for exploitation. (bsc#1176724)
- CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011).
- CVE-2020-0431: In kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bsc#1176722)
- CVE-2020-25212: A TOCTOU mismatch in the NFS client code could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c (bsc#1176381).
- CVE-2020-14386: Fixed a memory corruption which could have lead to an attacker gaining root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity (bsc#1176069).
ImportantSUSE bug 1176012SUSE bug 1176072SUSE bug 1176382SUSE bug 1176896SUSE bug 1176931CVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2020-0431 at SUSECVE-2020-0431 at NVDCVE-2020-14381 at SUSECVE-2020-14381 at NVDCVE-2020-14386 at SUSECVE-2020-14386 at NVDCVE-2020-25212 at SUSECVE-2020-25212 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_127 fixes several issues.
The following security issues were fixed:
- CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with system execution privileges needed. User interaction is not needed for exploitation. (bsc#1176724)
- CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011).
- CVE-2020-0431: In kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bsc#1176722)
- CVE-2020-25212: A TOCTOU mismatch in the NFS client code could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c (bsc#1176381).
- CVE-2020-14386: Fixed a memory corruption which could have lead to an attacker gaining root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity (bsc#1176069).
ImportantSUSE bug 1176012SUSE bug 1176072SUSE bug 1176382SUSE bug 1176896SUSE bug 1176931CVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2020-0431 at SUSECVE-2020-0431 at NVDCVE-2020-14381 at SUSECVE-2020-14381 at NVDCVE-2020-14386 at SUSECVE-2020-14386 at NVDCVE-2020-25212 at SUSECVE-2020-25212 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_107 fixes several issues.
The following security issues were fixed:
- CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with system execution privileges needed. User interaction is not needed for exploitation. (bsc#1176724)
- CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011).
- CVE-2020-0431: In kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bsc#1176722)
- CVE-2020-25212: A TOCTOU mismatch in the NFS client code could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c (bsc#1176381).
- CVE-2020-14386: Fixed a memory corruption which could have lead to an attacker gaining root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity (bsc#1176069).
ImportantSUSE bug 1176012SUSE bug 1176072SUSE bug 1176382SUSE bug 1176896SUSE bug 1176931CVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2020-0431 at SUSECVE-2020-0431 at NVDCVE-2020-14381 at SUSECVE-2020-14381 at NVDCVE-2020-14386 at SUSECVE-2020-14386 at NVDCVE-2020-25212 at SUSECVE-2020-25212 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for gcc10 (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for gcc10 fixes the following issues:
This update provides the GCC10 compiler suite and runtime libraries.
The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by
the gcc10 variants.
The new compiler variants are available with '-10' suffix, you can specify them
via:
CC=gcc-10
CXX=g++-10
or similar commands.
For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html
ModerateSUSE bug 1172798SUSE bug 1172846SUSE bug 1173972SUSE bug 1174753SUSE bug 1174817SUSE bug 1175168CVE-2020-13844 at SUSECVE-2020-13844 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for ucode-intel (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for ucode-intel fixes the following issues:
- Intel CPU Microcode updated to 20201027 prerelease
- CVE-2020-8695: Fixed Intel RAPL sidechannel attack (SGX) (bsc#1170446)
- CVE-2020-8698: Fixed Fast Store Forward Predictor INTEL-SA-00381 (bsc#1173594)
# New Platforms:
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| TGL | B1 | 06-8c-01/80 | | 00000068 | Core Gen11 Mobile
| CPX-SP | A1 | 06-55-0b/bf | | 0700001e | Xeon Scalable Gen3
| CML-H | R1 | 06-a5-02/20 | | 000000e0 | Core Gen10 Mobile
| CML-S62 | G1 | 06-a5-03/22 | | 000000e0 | Core Gen10
| CML-S102 | Q0 | 06-a5-05/22 | | 000000e0 | Core Gen10
| CML-U62 V2 | K0 | 06-a6-01/80 | | 000000e0 | Core Gen10 Mobile
# Updated Platforms:
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| GKL-R | R0 | 06-7a-08/01 | 00000016 | 00000018 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| SKL-U23e | K1 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| APL | D0 | 06-5c-09/03 | 00000038 | 00000040 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
| APL | E0 | 06-5c-0a/03 | 00000016 | 0000001e | Atom x5-E39xx
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000d6 | 000000e2 | Core Gen6; Xeon E3 v5
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3
| SKX-SP | B1 | 06-55-03/97 | 01000157 | 01000159 | Xeon Scalable
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable
| SKX-D | M1 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon D-21xx
| CLX-SP | B0 | 06-55-06/bf | 04002f01 | 04003003 | Xeon Scalable Gen2
| CLX-SP | B1 | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2
| ICL-U/Y | D1 | 06-7e-05/80 | 00000078 | 000000a0 | Core Gen10 Mobile
| AML-Y22 | H0 | 06-8e-09/10 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000d6 | 000000e0 | Core Gen8 Mobile
| WHL-U | W0 | 06-8e-0b/d0 | 000000d6 | 000000de | Core Gen8 Mobile
| AML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| CML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| WHL-U | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000d6 | 000000de | Core Gen7; Xeon E3 v6
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000d6 | 000000de | Core Gen8 Desktop, Mobile, Xeon E
| CFL-S | B0 | 06-9e-0b/02 | 000000d6 | 000000de | Core Gen8
| CFL-H/S | P0 | 06-9e-0c/22 | 000000d6 | 000000de | Core Gen9
| CFL-H | R0 | 06-9e-0d/22 | 000000d6 | 000000de | Core Gen9 Mobile
| CML-U62 | A0 | 06-a6-00/80 | 000000ca | 000000e0 | Core Gen10 Mobile
ModerateSUSE bug 1170446SUSE bug 1173594CVE-2020-8695 at SUSECVE-2020-8695 at NVDCVE-2020-8698 at SUSECVE-2020-8698 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for systemd (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for systemd fixes the following issues:
- CVE-2020-1712 (bsc#bsc#1162108)
Fix a heap use-after-free vulnerability, when asynchronous
Polkit queries were performed while handling Dbus messages. A local
unprivileged attacker could have abused this flaw to crash systemd services or
potentially execute code and elevate their privileges, by sending specially
crafted Dbus messages.
- Unconfirmed fix for prevent hanging of systemctl during restart. (bsc#1139459)
- Fix warnings thrown during package installation. (bsc#1154043)
- Fix for system-udevd prevent crash within OES2018. (bsc#1151506)
- Fragments of masked units ought not be considered for 'NeedDaemonReload'. (bsc#1156482)
- Wait for workers to finish when exiting. (bsc#1106383)
- Improve log message when inotify limit is reached. (bsc#1155574)
- Mention in the man pages that alias names are only effective after command 'systemctl enable'. (bsc#1151377)
- Introduce function for reading virtual files in 'sysfs' and 'procfs'. (bsc#1133495, bsc#1159814)
ImportantSUSE bug 1106383SUSE bug 1133495SUSE bug 1139459SUSE bug 1151377SUSE bug 1151506SUSE bug 1154043SUSE bug 1155574SUSE bug 1156482SUSE bug 1159814SUSE bug 1162108CVE-2020-1712 at SUSECVE-2020-1712 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_7_0-openjdk fixes the following issues:
- Update to 2.6.24 - OpenJDK 7u281 (October 2020 CPU, bsc#1177943)
* Security fixes
+ JDK-8233624: Enhance JNI linkage
+ JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
+ JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
+ JDK-8237995, CVE-2020-14782: Enhance certificate processing
+ JDK-8240124: Better VM Interning
+ JDK-8241114, CVE-2020-14792: Better range handling
+ JDK-8242680, CVE-2020-14796: Improved URI Support
+ JDK-8242685, CVE-2020-14797: Better Path Validation
+ JDK-8242695, CVE-2020-14798: Enhanced buffer support
+ JDK-8243302: Advanced class supports
+ JDK-8244136, CVE-2020-14803: Improved Buffer supports
+ JDK-8244479: Further constrain certificates
+ JDK-8244955: Additional Fix for JDK-8240124
+ JDK-8245407: Enhance zoning of times
+ JDK-8245412: Better class definitions
+ JDK-8245417: Improve certificate chain handling
+ JDK-8248574: Improve jpeg processing
+ JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
+ JDK-8253019: Enhanced JPEG decoding
* Import of OpenJDK 7 u281 build 1
+ JDK-8145096: Undefined behaviour in HotSpot
+ JDK-8215265: C2: range check elimination may allow illegal
out of bound access
* Backports
+ JDK-8250861, PR3812: Crash in MinINode::Ideal(PhaseGVN*, bool)
ImportantSUSE bug 1177943CVE-2020-14779 at SUSECVE-2020-14779 at NVDCVE-2020-14781 at SUSECVE-2020-14781 at NVDCVE-2020-14782 at SUSECVE-2020-14782 at NVDCVE-2020-14792 at SUSECVE-2020-14792 at NVDCVE-2020-14796 at SUSECVE-2020-14796 at NVDCVE-2020-14797 at SUSECVE-2020-14797 at NVDCVE-2020-14798 at SUSECVE-2020-14798 at NVDCVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for openldap2 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for openldap2 fixes the following issues:
- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).
ImportantSUSE bug 1178387CVE-2020-25692 at SUSECVE-2020-25692 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.4.1 ESR
* Fixed: Security fix
MFSA 2020-49 (bsc#1178588)
* CVE-2020-26950 (bmo#1675905)
Write side effects in MCallGetProperty opcode not accounted
for
ImportantSUSE bug 1178588CVE-2020-26950 at SUSECVE-2020-26950 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for postgresql, postgresql96, postgresql10 and postgresql12 (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update changes the internal packaging for postgresql, and so contains
all currently maintained postgresql versions across our SUSE Linux Enterprise 12
products.
* postgresql12 is shipped new in version 12.3 (bsc#1171924).
The server and client packages only on SUSE Linux Enterprise Server 12 SP5,
the libraries on SUSE Linux Enterprise Server 12 SP2 LTSS up to 12 SP5.
+ https://www.postgresql.org/about/news/2038/
+ https://www.postgresql.org/docs/12/release-12-3.html
* postgresql10 is updated to 10.13 (bsc#1171924).
On SUSE Linux Enterprise Server 12 SP2 LTSS up to 12 SP5.
+ https://www.postgresql.org/about/news/2038/
+ https://www.postgresql.org/docs/10/release-10-13.html
* postgresql96 is updated to 9.6.18 (bsc#1171924):
+ https://www.postgresql.org/about/news/2038/
+ https://www.postgresql.org/docs/9.6/release-9-6-18.html
On SUSE Linux Enterprise Server 12-SP2 and 12-SP3 LTSS only.
* postgresql 9.4 is updated to 9.4.26:
+ https://www.postgresql.org/about/news/2011/
+ https://www.postgresql.org/docs/9.4/release-9-4-26.html
+ https://www.postgresql.org/about/news/1994/
+ https://www.postgresql.org/docs/9.4/release-9-4-25.html
ModerateSUSE bug 1171924cpe:/o:suse:sles-espos:12:sp3Security update for raptor (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for raptor fixes the following issues:
- Fixed a heap overflow vulnerability (bsc#1178593, CVE-2017-18926).
- Update raptor to version 2.0.15
* Made several fixes to Turtle / N-Triples family of parsers and serializers
* Added utility functions for re-entrant sorting of objects and sequences.
* Made other fixes and improvements including fixing reported issues:
0000574, 0000575, 0000576, 0000577, 0000579, 0000581 and 0000584.
ImportantSUSE bug 1178593CVE-2017-18926 at SUSECVE-2017-18926 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for kernel-firmware (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for kernel-firmware fixes the following issue:
- CVE-2020-12321: Updated the Intel Bluetooth firmware for buffer overflow security bugs (bsc#1178671).
ImportantSUSE bug 1178671CVE-2020-12321 at SUSECVE-2020-12321 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for krb5 (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for krb5 fixes the following security issue:
- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).
ModerateSUSE bug 1178512CVE-2020-28196 at SUSECVE-2020-28196 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_130 fixes one issue.
The following security issue was fixed:
- CVE-2020-25645: Fixed an an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177513).
ImportantSUSE bug 1177513CVE-2020-25645 at SUSECVE-2020-25645 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_127 fixes one issue.
The following security issue was fixed:
- CVE-2020-25645: Fixed an an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177513).
ImportantSUSE bug 1177513CVE-2020-25645 at SUSECVE-2020-25645 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_124 fixes one issue.
The following security issue was fixed:
- CVE-2020-25645: Fixed an an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177513).
ImportantSUSE bug 1177513CVE-2020-25645 at SUSECVE-2020-25645 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_121 fixes one issue.
The following security issue was fixed:
- CVE-2020-25645: Fixed an an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177513).
ImportantSUSE bug 1177513CVE-2020-25645 at SUSECVE-2020-25645 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_116 fixes one issue.
The following security issue was fixed:
- CVE-2020-25645: Fixed an an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177513).
ImportantSUSE bug 1177513CVE-2020-25645 at SUSECVE-2020-25645 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_113 fixes one issue.
The following security issue was fixed:
- CVE-2020-25645: Fixed an an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177513).
ImportantSUSE bug 1177513CVE-2020-25645 at SUSECVE-2020-25645 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_107 fixes one issue.
The following security issue was fixed:
- CVE-2020-25645: Fixed an an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177513).
ImportantSUSE bug 1177513CVE-2020-25645 at SUSECVE-2020-25645 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for postgresql10 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for postgresql10 fixes the following issues:
Upgrade to version 10.15:
* CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and
materialized view queries.
* CVE-2020-25694, bsc#1178667:
a) Fix usage of complex connection-string parameters in pg_dump,
pg_restore, clusterdb, reindexdb, and vacuumdb.
b) When psql's \connect command re-uses connection parameters,
ensure that all non-overridden parameters from a previous
connection string are re-used.
* CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from
modifying specially-treated variables.
* https://www.postgresql.org/about/news/2111/
* https://www.postgresql.org/docs/10/release-10-15.html
Update to 10.14:
* CVE-2020-14349, bsc#1175193: Set a secure search_path in
logical replication walsenders and apply workers
* CVE-2020-14350, bsc#1175194: Make contrib modules' installation
scripts more secure.
* https://www.postgresql.org/docs/10/release-10-14.html
ImportantSUSE bug 1175193SUSE bug 1175194SUSE bug 1178666SUSE bug 1178667SUSE bug 1178668CVE-2020-14349 at SUSECVE-2020-14349 at NVDCVE-2020-14350 at SUSECVE-2020-14350 at NVDCVE-2020-25694 at SUSECVE-2020-25694 at NVDCVE-2020-25695 at SUSECVE-2020-25695 at NVDCVE-2020-25696 at SUSECVE-2020-25696 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for u-boot (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for u-boot fixes the following issues:
Work around CVE-2019-11059 by disabling 64Bit descritptor size (bsc#1134853)
CVE-2019-11690 (bsc#1134157), CVE-2020-10648 (bsc#1167209), CVE-2019-13103 (bsc#1143463),
CVE-2019-14197 (bsc#1143821), CVE-2019-14200 (bsc#1143825), CVE-2019-14201 (bsc#1143827),
CVE-2019-14202 (bsc#1143828), CVE-2019-14203 (bsc#1143830), CVE-2019-14204 (bsc#1143831),
CVE-2019-14194 (bsc#1143818), CVE-2019-14198 (bsc#1143823), CVE-2019-14195 (bsc#1143819),
CVE-2019-14196 (bsc#1143820), CVE-2019-14299 (bsc#1143824), CVE-2019-14192 (bsc#1143777),
CVE-2019-14193 (bsc#1143817).
ImportantSUSE bug 1134157SUSE bug 1134853SUSE bug 1143463SUSE bug 1143777SUSE bug 1143817SUSE bug 1143818SUSE bug 1143819SUSE bug 1143820SUSE bug 1143821SUSE bug 1143823SUSE bug 1143824SUSE bug 1143825SUSE bug 1143827SUSE bug 1143828SUSE bug 1143830SUSE bug 1143831SUSE bug 1167209CVE-2019-11059 at SUSECVE-2019-11059 at NVDCVE-2019-11690 at SUSECVE-2019-11690 at NVDCVE-2019-13103 at SUSECVE-2019-13103 at NVDCVE-2019-14192 at SUSECVE-2019-14192 at NVDCVE-2019-14193 at SUSECVE-2019-14193 at NVDCVE-2019-14194 at SUSECVE-2019-14194 at NVDCVE-2019-14195 at SUSECVE-2019-14195 at NVDCVE-2019-14196 at SUSECVE-2019-14196 at NVDCVE-2019-14197 at SUSECVE-2019-14197 at NVDCVE-2019-14198 at SUSECVE-2019-14198 at NVDCVE-2019-14200 at SUSECVE-2019-14200 at NVDCVE-2019-14201 at SUSECVE-2019-14201 at NVDCVE-2019-14202 at SUSECVE-2019-14202 at NVDCVE-2019-14203 at SUSECVE-2019-14203 at NVDCVE-2019-14204 at SUSECVE-2019-14204 at NVDCVE-2019-14299 at SUSECVE-2019-14299 at NVDCVE-2020-10648 at SUSECVE-2020-10648 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for postgresql96 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for postgresql96 fixes the following issues:
Upgrade to version 9.6.20:
* CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and
materialized view queries.
* CVE-2020-25694, bsc#1178667:
a) Fix usage of complex connection-string parameters in pg_dump,
pg_restore, clusterdb, reindexdb, and vacuumdb.
b) When psql's \connect command re-uses connection parameters,
ensure that all non-overridden parameters from a previous
connection string are re-used.
* CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from
modifying specially-treated variables.
* https://www.postgresql.org/about/news/2111/
* https://www.postgresql.org/docs/9.6/release-9-6-20.html
Changes from 9.6.19:
* CVE-2020-14350, bsc#1175194: Make contrib modules installation
ImportantSUSE bug 1175194SUSE bug 1178666SUSE bug 1178667SUSE bug 1178668CVE-2020-14350 at SUSECVE-2020-14350 at NVDCVE-2020-25694 at SUSECVE-2020-25694 at NVDCVE-2020-25695 at SUSECVE-2020-25695 at NVDCVE-2020-25696 at SUSECVE-2020-25696 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bug fixes.
The following security bugs were fixed:
- CVE-2020-25705: A flaw in the way reply ICMP packets are limited in was found that allowed to quickly scan open UDP ports. This flaw allowed an off-path remote user to effectively bypassing source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software and services that rely on UDP source port randomization (like DNS) are indirectly affected as well. Kernel versions may be vulnerable to this issue (bsc#1175721, bsc#1178782).
- CVE-2020-25668: Fixed a use-after-free in con_font_op() (bsc#1178123).
- CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).
- CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086).
- CVE-2020-8694: Restricted energy meter to root access (bsc#1170415).
- CVE-2020-12352: Fixed an information leak when processing certain AMP packets aka 'BleedingTooth' (bsc#1177725).
- CVE-2020-25645: Fixed an issue which traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted (bsc#1177511).
- CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011).
- CVE-2020-25212: Fixed A TOCTOU mismatch in the NFS client code which could have been used by local attackers to corrupt memory (bsc#1176381).
- CVE-2020-14390: Fixed an out-of-bounds memory write leading to memory corruption or a denial of service when changing screen size (bnc#1176235).
- CVE-2020-25643: Fixed a memory corruption and a read overflow which could have caused by improper input validation in the ppp_cp_parse_cr function (bsc#1177206).
- CVE-2020-25641: Fixed a zero-length biovec request issued by the block subsystem could have caused the kernel to enter an infinite loop, causing a denial of service (bsc#1177121).
- CVE-2020-26088: Fixed an improper CAP_NET_RAW check in NFC socket creation could have been used by local attackers to create raw sockets, bypassing security mechanisms (bsc#1176990).
- CVE-2020-0432: Fixed an out of bounds write due to an integer overflow (bsc#1176721).
- CVE-2020-0431: Fixed an out of bounds write due to a missing bounds check (bsc#1176722).
- CVE-2020-0427: Fixed an out of bounds read due to a use after free (bsc#1176725).
- CVE-2020-0404: Fixed a linked list corruption due to an unusual root cause (bsc#1176423).
- CVE-2020-25284: Fixed an incomplete permission checking for access to rbd devices, which could have been leveraged by local attackers to map or unmap rbd block devices (bsc#1176482).
- CVE-2019-19063: Fixed two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c, which could have allowed an attacker to cause a denial of service (memory consumption) (bsc#1157298).
- CVE-2019-6133: In PolicyKit (aka polkit), the 'start time' protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions are improperly cached. This is related to lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c (bsc#1121872).
- CVE-2017-18204: Fixed a denial of service in the ocfs2_setattr function of fs/ocfs2/file.c (bnc#1083244).
The following non-security bugs were fixed:
- hv: vmbus: Add timeout to vmbus_wait_for_unload (bsc#1177816).
- hyperv_fb: disable superfluous VERSION_WIN10_V5 case (bsc#1175306).
- hyperv_fb: Update screen_info after removing old framebuffer (bsc#1175306).
- mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa (bsc#1176816).
- net/packet: fix overflow in tpacket_rcv (bsc#1176069).
- ocfs2: give applications more IO opportunities during fstrim (bsc#1175228).
- video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host (bsc#1175306).
- video: hyperv: hyperv_fb: Support deferred IO for Hyper-V frame buffer driver (bsc#1175306).
- video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs (bsc#1175306).
- x86/kexec: Use up-to-dated screen_info copy to fill boot params (bsc#1175306).
- xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen-blkfront: switch kcalloc to kvcalloc for large array allocation (bsc#1160917).
- xen: do not reschedule in preemption off sections (bsc#1175749).
- xen/events: add a new 'late EOI' evtchn framework (XSA-332 bsc#1177411).
- xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411).
- xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410).
- xen/events: block rogue events for some time (XSA-332 bsc#1177411).
- xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411).
- xen/events: do not use chip_data for legacy IRQs (XSA-332 bsc#1065600).
- xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).
- xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411).
- xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411).
- xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information (XSA-332 bsc#1065600).
ImportantSUSE bug 1065600SUSE bug 1083244SUSE bug 1121826SUSE bug 1121872SUSE bug 1157298SUSE bug 1160917SUSE bug 1170415SUSE bug 1175228SUSE bug 1175306SUSE bug 1175721SUSE bug 1175749SUSE bug 1176011SUSE bug 1176069SUSE bug 1176235SUSE bug 1176253SUSE bug 1176278SUSE bug 1176381SUSE bug 1176382SUSE bug 1176423SUSE bug 1176482SUSE bug 1176721SUSE bug 1176722SUSE bug 1176725SUSE bug 1176816SUSE bug 1176896SUSE bug 1176990SUSE bug 1177027SUSE bug 1177086SUSE bug 1177121SUSE bug 1177165SUSE bug 1177206SUSE bug 1177226SUSE bug 1177410SUSE bug 1177411SUSE bug 1177511SUSE bug 1177513SUSE bug 1177725SUSE bug 1177766SUSE bug 1177816SUSE bug 1178123SUSE bug 1178622SUSE bug 1178782CVE-2017-18204 at SUSECVE-2017-18204 at NVDCVE-2019-19063 at SUSECVE-2019-19063 at NVDCVE-2019-6133 at SUSECVE-2019-6133 at NVDCVE-2020-0404 at SUSECVE-2020-0404 at NVDCVE-2020-0427 at SUSECVE-2020-0427 at NVDCVE-2020-0431 at SUSECVE-2020-0431 at NVDCVE-2020-0432 at SUSECVE-2020-0432 at NVDCVE-2020-12352 at SUSECVE-2020-12352 at NVDCVE-2020-14351 at SUSECVE-2020-14351 at NVDCVE-2020-14381 at SUSECVE-2020-14381 at NVDCVE-2020-14390 at SUSECVE-2020-14390 at NVDCVE-2020-25212 at SUSECVE-2020-25212 at NVDCVE-2020-25284 at SUSECVE-2020-25284 at NVDCVE-2020-25641 at SUSECVE-2020-25641 at NVDCVE-2020-25643 at SUSECVE-2020-25643 at NVDCVE-2020-25645 at SUSECVE-2020-25645 at NVDCVE-2020-25656 at SUSECVE-2020-25656 at NVDCVE-2020-25668 at SUSECVE-2020-25668 at NVDCVE-2020-25705 at SUSECVE-2020-25705 at NVDCVE-2020-26088 at SUSECVE-2020-26088 at NVDCVE-2020-8694 at SUSECVE-2020-8694 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for ucode-intel (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for ucode-intel fixes the following issues:
- Updated Intel CPU Microcode to 20201118 official release. (bsc#1178971)
- Removed TGL/06-8c-01/80 due to functional issues with some OEM platforms.
- CVE-2020-8695: Fixed Intel RAPL sidechannel attack (SGX) INTEL-SA-00389 (bsc#1170446)
- CVE-2020-8698: Fixed Fast Store Forward Predictor INTEL-SA-00381 (bsc#1173594)
- CVE-2020-8696: Vector Register Sampling Active INTEL-SA-00381 (bsc#1173592)
- Release notes:
- Security updates for [INTEL-SA-00381](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00381.html).
- Security updates for [INTEL-SA-00389](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html).
- Update for functional issues. Refer to [Second Generation Intel? Xeon? Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/338848) for details.
- Update for functional issues. Refer to [Intel? Xeon? Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/613537) for details.
- Update for functional issues. Refer to [Intel? Xeon? Processor E5 v3 Product Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html?wapkw=processor+spec+update+e5) for details.
- Update for functional issues. Refer to [10th Gen Intel? Core™ Processor Families Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/10th-gen-core-families-specification-update.html) for details.
- Update for functional issues. Refer to [8th and 9th Gen Intel? Core™ Processor Family Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/8th-gen-core-spec-update.html) for details.
- Update for functional issues. Refer to [7th Gen and 8th Gen (U Quad-Core) Intel? Processor Families Specification Update](https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-spec-update.html) for details.
- Update for functional issues. Refer to [6th Gen Intel? Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/332689) for details.
- Update for functional issues. Refer to [Intel? Xeon? E3-1200 v6 Processor Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v6-spec-update.html) for details.
- Update for functional issues. Refer to [Intel? Xeon? E-2100 and E-2200 Processor Family Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-e-2100-specification-update.html) for details.
### New Platforms
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| CPX-SP | A1 | 06-55-0b/bf | | 0700001e | Xeon Scalable Gen3
| LKF | B2/B3 | 06-8a-01/10 | | 00000028 | Core w/Hybrid Technology
| TGL | B1 | 06-8c-01/80 | | 00000068 | Core Gen11 Mobile
| CML-H | R1 | 06-a5-02/20 | | 000000e0 | Core Gen10 Mobile
| CML-S62 | G1 | 06-a5-03/22 | | 000000e0 | Core Gen10
| CML-S102 | Q0 | 06-a5-05/22 | | 000000e0 | Core Gen10
| CML-U62 V2 | K0 | 06-a6-01/80 | | 000000e0 | Core Gen10 Mobile
### Updated Platforms
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| SKL-U23e | K1 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| SKX-SP | B1 | 06-55-03/97 | 01000157 | 01000159 | Xeon Scalable
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable
| SKX-D | M1 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon D-21xx
| CLX-SP | B0 | 06-55-06/bf | 04002f01 | 04003003 | Xeon Scalable Gen2
| CLX-SP | B1 | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2
| APL | D0 | 06-5c-09/03 | 00000038 | 00000040 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
| APL | E0 | 06-5c-0a/03 | 00000016 | 0000001e | Atom x5-E39xx
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000d6 | 000000e2 | Core Gen6; Xeon E3 v5
| GKL-R | R0 | 06-7a-08/01 | 00000016 | 00000018 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| ICL-U/Y | D1 | 06-7e-05/80 | 00000078 | 000000a0 | Core Gen10 Mobile
| AML-Y22 | H0 | 06-8e-09/10 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000d6 | 000000e0 | Core Gen8 Mobile
| WHL-U | W0 | 06-8e-0b/d0 | 000000d6 | 000000de | Core Gen8 Mobile
| AML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| CML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| WHL-U | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000d6 | 000000de | Core Gen7; Xeon E3 v6
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000d6 | 000000de | Core Gen8 Desktop, Mobile, Xeon E
| CFL-S | B0 | 06-9e-0b/02 | 000000d6 | 000000de | Core Gen8
| CFL-H/S | P0 | 06-9e-0c/22 | 000000d6 | 000000de | Core Gen9
| CFL-H | R0 | 06-9e-0d/22 | 000000d6 | 000000de | Core Gen9 Mobile
| CML-U62 | A0 | 06-a6-00/80 | 000000ca | 000000e0 | Core Gen10 Mobile
ModerateSUSE bug 1170446SUSE bug 1173592SUSE bug 1173594SUSE bug 1178971CVE-2020-8695 at SUSECVE-2020-8695 at NVDCVE-2020-8696 at SUSECVE-2020-8696 at NVDCVE-2020-8698 at SUSECVE-2020-8698 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for bluez (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for bluez fixes the following issues:
- CVE-2020-0556: Fixed improper access control which may lead to escalation of privilege and denial of service by an unauthenticated user (bsc#1166751).
ImportantSUSE bug 1166751CVE-2020-0556 at SUSECVE-2020-0556 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.5.0 ESR (bsc#1178824)
* CVE-2020-26951: Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code
* CVE-2020-16012: Variable time processing of cross-origin images during drawImage calls
* CVE-2020-26953: Fullscreen could be enabled without displaying the security UI
* CVE-2020-26956: XSS through paste (manual and clipboard API)
* CVE-2020-26958: Requests intercepted through ServiceWorkers lacked MIME type restrictions
* CVE-2020-26959: Use-after-free in WebRequestService
* CVE-2020-26960: Potential use-after-free in uses of nsTArray
* CVE-2020-15999: Heap buffer overflow in freetype
* CVE-2020-26961: DoH did not filter IPv4 mapped IP Addresses
* CVE-2020-26965: Software keyboards may have remembered typed passwords
* CVE-2020-26966: Single-word search queries were also broadcast to local network
* CVE-2020-26968: Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5
ImportantSUSE bug 1178824CVE-2020-15999 at SUSECVE-2020-15999 at NVDCVE-2020-16012 at SUSECVE-2020-16012 at NVDCVE-2020-26951 at SUSECVE-2020-26951 at NVDCVE-2020-26953 at SUSECVE-2020-26953 at NVDCVE-2020-26956 at SUSECVE-2020-26956 at NVDCVE-2020-26958 at SUSECVE-2020-26958 at NVDCVE-2020-26959 at SUSECVE-2020-26959 at NVDCVE-2020-26960 at SUSECVE-2020-26960 at NVDCVE-2020-26961 at SUSECVE-2020-26961 at NVDCVE-2020-26965 at SUSECVE-2020-26965 at NVDCVE-2020-26966 at SUSECVE-2020-26966 at NVDCVE-2020-26968 at SUSECVE-2020-26968 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for LibVNCServer (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for LibVNCServer fixes the following issues:
- CVE-2020-25708 [bsc#1178682], libvncserver/rfbserver.c has a divide by zero which could result in DoS
ImportantSUSE bug 1178682CVE-2020-25708 at SUSECVE-2020-25708 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for xorg-x11-server fixes the following issues:
- CVE-2020-25712: Fixed a heap-based buffer overflow which could have led to privilege escalation (bsc#1177596).
- CVE-2020-14360: Fixed an out of bounds memory accesses on too short request which could lead to denial of service (bsc#1174908).
ImportantSUSE bug 1174908SUSE bug 1177596CVE-2020-14360 at SUSECVE-2020-14360 at NVDCVE-2020-25712 at SUSECVE-2020-25712 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for python-setuptools (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for python-setuptools fixes the following issues:
- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)
ImportantSUSE bug 1176262CVE-2019-20916 at SUSECVE-2019-20916 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for python3 fixes the following issues:
- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)
ImportantSUSE bug 1176262CVE-2019-20916 at SUSECVE-2019-20916 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for gdm (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for gdm fixes the following issues:
- CVE-2020-16125: Fixed a privilege escalation (bsc#1178150).
ImportantSUSE bug 1178150CVE-2020-16125 at SUSECVE-2020-16125 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for python-cryptography (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for python-cryptography fixes the following issues:
- CVE-2020-25659: Attempted to mitigate Bleichenbacher attacks on RSA decryption (bsc#1178168).
ModerateSUSE bug 1178168CVE-2020-25659 at SUSECVE-2020-25659 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for postgresql12 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for postgresql12 fixes the following issues:
Upgrade to version 12.5:
* CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and
materialized view queries.
* CVE-2020-25694, bsc#1178667:
a) Fix usage of complex connection-string parameters in pg_dump,
pg_restore, clusterdb, reindexdb, and vacuumdb.
b) When psql's \connect command re-uses connection parameters,
ensure that all non-overridden parameters from a previous
connection string are re-used.
* CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from
modifying specially-treated variables.
* Fix recently-added timetz test case so it works when the USA
is not observing daylight savings time.
(obsoletes postgresql-timetz.patch)
* https://www.postgresql.org/about/news/2111/
* https://www.postgresql.org/docs/12/release-12-5.html
The previous postgresql12 update already addressed:
Update to 12.4:
* CVE-2020-14349, bsc#1175193: Set a secure search_path in logical replication walsenders and apply workers
* CVE-2020-14350, bsc#1175194: Make contrib modules' installation scripts more secure.
* https://www.postgresql.org/docs/12/release-12-4.html
ImportantSUSE bug 1175193SUSE bug 1175194SUSE bug 1178666SUSE bug 1178667SUSE bug 1178668CVE-2020-14349 at SUSECVE-2020-14349 at NVDCVE-2020-14350 at SUSECVE-2020-14350 at NVDCVE-2020-25694 at SUSECVE-2020-25694 at NVDCVE-2020-25695 at SUSECVE-2020-25695 at NVDCVE-2020-25696 at SUSECVE-2020-25696 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for xen fixes the following issues:
- bsc#1178963 - stack corruption from XSA-346 change (XSA-355)
- bsc#1177409 - CVE-2020-27674: x86 PV guest INVLPG-like flushes may leave stale TLB entries (XSA-286)
- bsc#1177412 - CVE-2020-27672: Race condition in Xen mapping code (XSA-345)
- bsc#1177413 - CVE-2020-27671: undue deferral of IOMMU TLB flushes (XSA-346)
- bsc#1177414 - CVE-2020-27670: unsafe AMD IOMMU page table updates (XSA-347)
- bsc#1178591 - CVE-2020-28368: Intel RAPL sidechannel attack aka PLATYPUS attack aka XSA-351
ImportantSUSE bug 1177409SUSE bug 1177412SUSE bug 1177413SUSE bug 1177414SUSE bug 1178591SUSE bug 1178963CVE-2020-27670 at SUSECVE-2020-27670 at NVDCVE-2020-27671 at SUSECVE-2020-27671 at NVDCVE-2020-27672 at SUSECVE-2020-27672 at NVDCVE-2020-27674 at SUSECVE-2020-27674 at NVDCVE-2020-28368 at SUSECVE-2020-28368 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for mutt (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for mutt fixes the following issues:
- Find and display the content of messages properly. (bsc#1179461)
- CVE-2020-28896: incomplete connection termination could send credentials over unencrypted connections. (bsc#1179035)
- Avoid that message with a million tiny parts can freeze MUA for several minutes. (bsc#1179113)
ImportantSUSE bug 1179035SUSE bug 1179113SUSE bug 1179461CVE-2020-28896 at SUSECVE-2020-28896 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_113 fixes several issues.
The following security issues were fixed:
- CVE-2020-25668: Fixed a concurrency use-after-free in con_font_op (bsc#1178622).
- CVE-2020-8694: Fixed an insufficient access control in the Linux kernel driver for some Intel(R) Processors which might have allowed an authenticated user to potentially enable information disclosure via local access (bsc#1178700).
- CVE-2020-25705: Fixed a flaw which could have allowed an off-path remote user to effectively bypass source port UDP randomization (bsc#1178783).
ImportantSUSE bug 1178622SUSE bug 1178700SUSE bug 1178783CVE-2020-25668 at SUSECVE-2020-25668 at NVDCVE-2020-25705 at SUSECVE-2020-25705 at NVDCVE-2020-8694 at SUSECVE-2020-8694 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_116 fixes several issues.
The following security issues were fixed:
- CVE-2020-25668: Fixed a concurrency use-after-free in con_font_op (bsc#1178622).
- CVE-2020-8694: Fixed an insufficient access control in the Linux kernel driver for some Intel(R) Processors which might have allowed an authenticated user to potentially enable information disclosure via local access (bsc#1178700).
- CVE-2020-25705: Fixed a flaw which could have allowed an off-path remote user to effectively bypass source port UDP randomization (bsc#1178783).
ImportantSUSE bug 1178622SUSE bug 1178700SUSE bug 1178783CVE-2020-25668 at SUSECVE-2020-25668 at NVDCVE-2020-25705 at SUSECVE-2020-25705 at NVDCVE-2020-8694 at SUSECVE-2020-8694 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_121 fixes several issues.
The following security issues were fixed:
- CVE-2020-25668: Fixed a concurrency use-after-free in con_font_op (bsc#1178622).
- CVE-2020-8694: Fixed an insufficient access control in the Linux kernel driver for some Intel(R) Processors which might have allowed an authenticated user to potentially enable information disclosure via local access (bsc#1178700).
- CVE-2020-25705: Fixed a flaw which could have allowed an off-path remote user to effectively bypass source port UDP randomization (bsc#1178783).
ImportantSUSE bug 1178622SUSE bug 1178700SUSE bug 1178783CVE-2020-25668 at SUSECVE-2020-25668 at NVDCVE-2020-25705 at SUSECVE-2020-25705 at NVDCVE-2020-8694 at SUSECVE-2020-8694 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_124 fixes several issues.
The following security issues were fixed:
- CVE-2020-25668: Fixed a concurrency use-after-free in con_font_op (bsc#1178622).
- CVE-2020-8694: Fixed an insufficient access control in the Linux kernel driver for some Intel(R) Processors which might have allowed an authenticated user to potentially enable information disclosure via local access (bsc#1178700).
- CVE-2020-25705: Fixed a flaw which could have allowed an off-path remote user to effectively bypass source port UDP randomization (bsc#1178783).
ImportantSUSE bug 1178622SUSE bug 1178700SUSE bug 1178783CVE-2020-25668 at SUSECVE-2020-25668 at NVDCVE-2020-25705 at SUSECVE-2020-25705 at NVDCVE-2020-8694 at SUSECVE-2020-8694 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_127 fixes several issues.
The following security issues were fixed:
- CVE-2020-25668: Fixed a concurrency use-after-free in con_font_op (bsc#1178622).
- CVE-2020-8694: Fixed an insufficient access control in the Linux kernel driver for some Intel(R) Processors which might have allowed an authenticated user to potentially enable information disclosure via local access (bsc#1178700).
- CVE-2020-25705: Fixed a flaw which could have allowed an off-path remote user to effectively bypass source port UDP randomization (bsc#1178783).
ImportantSUSE bug 1178622SUSE bug 1178700SUSE bug 1178783CVE-2020-25668 at SUSECVE-2020-25668 at NVDCVE-2020-25705 at SUSECVE-2020-25705 at NVDCVE-2020-8694 at SUSECVE-2020-8694 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_130 fixes several issues.
The following security issues were fixed:
- CVE-2020-25668: Fixed a concurrency use-after-free in con_font_op (bsc#1178622).
- CVE-2020-8694: Fixed an insufficient access control in the Linux kernel driver for some Intel(R) Processors which might have allowed an authenticated user to potentially enable information disclosure via local access (bsc#1178700).
- CVE-2020-25705: Fixed a flaw which could have allowed an off-path remote user to effectively bypass source port UDP randomization (bsc#1178783).
ImportantSUSE bug 1178622SUSE bug 1178700SUSE bug 1178783CVE-2020-25668 at SUSECVE-2020-25668 at NVDCVE-2020-25705 at SUSECVE-2020-25705 at NVDCVE-2020-8694 at SUSECVE-2020-8694 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_135 fixes several issues.
The following security issues were fixed:
- CVE-2020-25645: Fixed an issue which traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted (bsc#1177513).
- CVE-2020-0429: Fixed a memory corruption due to a use after free which could have led to to local privilege escalation (bsc#1176931).
- CVE-2020-11668: Fixed an issue where the Xirlink camera USB driver mishandled invalid descriptors (bsc#1173942).
- CVE-2020-1749: Use ip6_dst_lookup_flow instead of ip6_dst_lookup (bsc#1165631).
ImportantSUSE bug 1165631SUSE bug 1173942SUSE bug 1176931SUSE bug 1177513CVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2020-11668 at SUSECVE-2020-11668 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDCVE-2020-25645 at SUSECVE-2020-25645 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for dbus-1 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for dbus-1 fixes the following issues:
Security issue fixed:
- CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which
could have allowed local attackers to bypass authentication (bsc#1137832).
ImportantSUSE bug 1137832CVE-2019-12749 at SUSECVE-2019-12749 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for openssl (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for openssl fixes the following issues:
- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).
ImportantSUSE bug 1179491CVE-2020-1971 at SUSECVE-2020-1971 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for python (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for python fixes the following issues:
- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)
ImportantSUSE bug 1176262CVE-2019-20916 at SUSECVE-2019-20916 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 68.5.0 ESR
* CVE-2020-6796 (bmo#1610426)
Missing bounds check on shared memory read in the parent
process
* CVE-2020-6797 (bmo#1596668)
Extensions granted downloads.open permission could open
arbitrary applications on Mac OSX
* CVE-2020-6798 (bmo#1602944)
Incorrect parsing of template tag could result in JavaScript
injection
* CVE-2020-6799 (bmo#1606596)
Arbitrary code execution when opening pdf links from other
applications, when Firefox is configured as default pdf
reader
* CVE-2020-6800 (bmo#1595786, bmo#1596706, bmo#1598543,
bmo#1604851, bmo#1605777, bmo#1608580, bmo#1608785)
Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5
* Fixed: Fixed various issues opening files with spaces in
their path (bmo#1601905, bmo#1602726)
ImportantSUSE bug 1161799CVE-2020-6796 at SUSECVE-2020-6796 at NVDCVE-2020-6797 at SUSECVE-2020-6797 at NVDCVE-2020-6798 at SUSECVE-2020-6798 at NVDCVE-2020-6799 at SUSECVE-2020-6799 at NVDCVE-2020-6800 at SUSECVE-2020-6800 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Critical)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.6.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2020-55 (bsc#1180039)
* CVE-2020-16042 (bmo#1679003)
Operations on a BigInt could have caused uninitialized memory
to be exposed
* CVE-2020-26971 (bmo#1663466)
Heap buffer overflow in WebGL
* CVE-2020-26973 (bmo#1680084)
CSS Sanitizer performed incorrect sanitization
* CVE-2020-26974 (bmo#1681022)
Incorrect cast of StyleGenericFlexBasis resulted in a heap
use-after-free
* CVE-2020-26978 (bmo#1677047)
Internal network hosts could have been probed by a malicious
webpage
* CVE-2020-35111 (bmo#1657916)
The proxy.onRequest API did not catch view-source URLs
* CVE-2020-35112 (bmo#1661365)
Opening an extension-less download may have inadvertently
launched an executable instead
* CVE-2020-35113 (bmo#1664831, bmo#1673589)
Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6
CriticalSUSE bug 1180039CVE-2020-16042 at SUSECVE-2020-16042 at NVDCVE-2020-26971 at SUSECVE-2020-26971 at NVDCVE-2020-26973 at SUSECVE-2020-26973 at NVDCVE-2020-26974 at SUSECVE-2020-26974 at NVDCVE-2020-26978 at SUSECVE-2020-26978 at NVDCVE-2020-35111 at SUSECVE-2020-35111 at NVDCVE-2020-35112 at SUSECVE-2020-35112 at NVDCVE-2020-35113 at SUSECVE-2020-35113 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for clamav (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for clamav fixes the following issues:
clamav was updated to 0.103.0 to implement jsc#ECO-3010 and bsc#1118459.
* clamd can now reload the signature database without blocking
scanning. This multi-threaded database reload improvement was made
possible thanks to a community effort.
- Non-blocking database reloads are now the default behavior. Some
systems that are more constrained on RAM may need to disable
non-blocking reloads as it will temporarily consume two times as
much memory. We added a new clamd config option
ConcurrentDatabaseReload, which may be set to no.
* Fix clamav-milter.service (requires clamd.service to run)
* bsc#1119353, clamav-fips.patch: Fix freshclam crash in FIPS mode.
* Partial sync with SLE15.
Update to version 0.102.4
Accumulated security fixes:
* CVE-2020-3350: Fix a vulnerability wherein a malicious user could
replace a scan target's directory with a symlink to another path
to trick clamscan, clamdscan, or clamonacc into removing or moving
a different file (eg. a critical system file). The issue would
affect users that use the --move or --remove options for clamscan,
clamdscan, and clamonacc. (bsc#1174255)
* CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing
module in ClamAV 0.102.3 that could cause a Denial-of-Service
(DoS) condition. Improper bounds checking results in an
out-of-bounds read which could cause a crash. The previous fix for
this CVE in 0.102.3 was incomplete. This fix correctly resolves
the issue.
* CVE-2020-3481: Fix a vulnerability in the EGG archive module in
ClamAV 0.102.0 - 0.102.3 could cause a Denial-of-Service (DoS)
condition. Improper error handling may result in a crash due to a
NULL pointer dereference. This vulnerability is mitigated for
those using the official ClamAV signature databases because the
file type signatures in daily.cvd will not enable the EGG archive
parser in versions affected by the vulnerability. (bsc#1174250)
* CVE-2020-3341: Fix a vulnerability in the PDF parsing module in
ClamAV 0.101 - 0.102.2 that could cause a Denial-of-Service (DoS)
condition. Improper size checking of a buffer used to initialize AES
decryption routines results in an out-of-bounds read which may cause
a crash. (bsc#1171981)
* CVE-2020-3123: A denial-of-service (DoS) condition may occur when
using the optional credit card data-loss-prevention (DLP) feature.
Improper bounds checking of an unsigned variable resulted in an
out-of-bounds read, which causes a crash.
* CVE-2019-15961: A Denial-of-Service (DoS) vulnerability may
occur when scanning a specially crafted email file as a result
of excessively long scan times. The issue is resolved by
implementing several maximums in parsing MIME messages and by
optimizing use of memory allocation. (bsc#1157763).
* CVE-2019-12900: An out of bounds write in the NSIS bzip2
(bsc#1149458)
* CVE-2019-12625: Introduce a configurable time limit to mitigate
zip bomb vulnerability completely. Default is 2 minutes,
configurable useing the clamscan --max-scantime and for clamd
using the MaxScanTime config option (bsc#1144504)
Update to version 0.101.3:
* ZIP bomb causes extreme CPU spikes (bsc#1144504)
Update to version 0.101.2 (bsc#1118459):
* Support for RAR v5 archive extraction.
* Incompatible changes to the arguments of cl_scandesc,
cl_scandesc_callback, and cl_scanmap_callback.
* Scanning options have been converted from a single flag
bit-field into a structure of multiple categorized flag
bit-fields.
* The CL_SCAN_HEURISTIC_ENCRYPTED scan option was replaced by
2 new scan options: CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE, and
CL_SCAN_HEURISTIC_ENCRYPTED_DOC
* Incompatible clamd.conf and command line interface changes.
* Heuristic Alerts' (aka 'Algorithmic Detection') options have
been changed to make the names more consistent. The original
options are deprecated in 0.101, and will be removed in a
future feature release.
* For details, see https://blog.clamav.net/2018/12/clamav-01010-has-been-released.html ImportantSUSE bug 1118459SUSE bug 1119353SUSE bug 1144504SUSE bug 1149458SUSE bug 1157763SUSE bug 1171981SUSE bug 1174250SUSE bug 1174255CVE-2019-12900 at SUSECVE-2019-12900 at NVDCVE-2019-15961 at SUSECVE-2019-15961 at NVDCVE-2020-3123 at SUSECVE-2020-3123 at NVDCVE-2020-3327 at SUSECVE-2020-3327 at NVDCVE-2020-3341 at SUSECVE-2020-3341 at NVDCVE-2020-3350 at SUSECVE-2020-3350 at NVDCVE-2020-3481 at SUSECVE-2020-3481 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for cyrus-sasl (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for cyrus-sasl fixes the following issues:
- CVE-2019-19906: Fixed an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet (bsc#1159635).
ImportantSUSE bug 1159635CVE-2019-19906 at SUSECVE-2019-19906 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for gcc9 (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for gcc9 fixes the following issues:
The GNU Compiler Collection is shipped in version 9.
A detailed changelog on what changed in GCC 9 is available at https://gcc.gnu.org/gcc-9/changes.html
The compilers have been added to the SUSE Linux Enterprise Toolchain Module.
To use these compilers, install e.g. gcc9, gcc9-c++ and build with CC=gcc-9
CXX=g++-9 set.
For SUSE Linux Enterprise base products, the libstdc++6, libgcc_s1 and
other compiler libraries have been switched from their gcc8 variants to
their gcc9 variants.
Security issues fixed:
- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)
Non-security issues fixed:
- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)
ModerateSUSE bug 1114592SUSE bug 1135254SUSE bug 1141897SUSE bug 1142649SUSE bug 1142654SUSE bug 1148517SUSE bug 1149145CVE-2019-14250 at SUSECVE-2019-14250 at NVDCVE-2019-15847 at SUSECVE-2019-15847 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for xen (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for xen fixes the following issues:
- CVE-2020-29480: Fixed an issue which could have allowed leak of non-sensitive data to administrator guests (bsc#117949 XSA-115).
- CVE-2020-29481: Fixed an issue which could have allowd to new domains to inherit existing node permissions (bsc#1179498 XSA-322).
- CVE-2020-29483: Fixed an issue where guests could disturb domain cleanup (bsc#1179502 XSA-325).
- CVE-2020-29484: Fixed an issue where guests could crash xenstored via watchs (bsc#1179501 XSA-324).
- CVE-2020-29566: Fixed an undue recursion in x86 HVM context switch code (bsc#1179506 XSA-348).
- CVE-2020-29570: Fixed an issue where FIFO event channels control block related ordering (bsc#1179514 XSA-358).
- CVE-2020-29571: Fixed an issue where FIFO event channels control structure ordering (bsc#1179516 XSA-359).
- CVE-2020-29130: Fixed an out-of-bounds access while processing ARP packets (bsc#1179477).
- Fixed an issue where dump-core shows missing nr_pages during core (bsc#1176782).
- Multiple other bugs (bsc#1027519)
ModerateSUSE bug 1027519SUSE bug 1176782SUSE bug 1179477SUSE bug 1179496SUSE bug 1179498SUSE bug 1179501SUSE bug 1179502SUSE bug 1179506SUSE bug 1179514SUSE bug 1179516CVE-2020-29130 at SUSECVE-2020-29130 at NVDCVE-2020-29480 at SUSECVE-2020-29480 at NVDCVE-2020-29481 at SUSECVE-2020-29481 at NVDCVE-2020-29483 at SUSECVE-2020-29483 at NVDCVE-2020-29484 at SUSECVE-2020-29484 at NVDCVE-2020-29566 at SUSECVE-2020-29566 at NVDCVE-2020-29570 at SUSECVE-2020-29570 at NVDCVE-2020-29571 at SUSECVE-2020-29571 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for sudo (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for sudo fixes the following issues:
Security issue fixed:
- CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202).
Non-security issue fixed:
- Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675).
ImportantSUSE bug 1162202SUSE bug 1162675CVE-2019-18634 at SUSECVE-2019-18634 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_7_1-ibm fixes the following issues:
Java was updated to 7.1 Service Refresh 4 Fix Pack 60 [bsc#1162972, bsc#1160968].
Security issues fixed:
- CVE-2020-2583: Fixed a serialization vulnerability in BeanContextSupport (bsc#1162972).
- CVE-2020-2593: Fixed an incorrect check in isBuiltinStreamHandler, causing URL normalization issues (bsc#1162972).
- CVE-2020-2604: Fixed a serialization issue in jdk.serialFilter (bsc#1162972).
- CVE-2020-2659: Fixed the incomplete enforcement of the maxDatagramSockets limit in DatagramChannelImpl (bsc#1162972).
Non-security issues fixed:
* Class Libraries:
IJ22333 HANG IN JAVA_JAVA_NET_SOCKETINPUTSTREAM_SOCKETREAD0 EVEN
WHEN TIMEOUT IS SET
IJ22350 JAVA 7 AND JAVA 8 NOT WORKING WELL WITH TRADITIONAL/SIMPLIFIED
CHINESE EDITION OF WINDOWS CLIENT SYSTEM
IJ22337 THE NAME OF THE REPUBLIC OF BELARUS IN THE RUSSIAN LOCALE
INCONSISTENT WITH CLDR
IJ22349 UPDATE TIMEZONE INFORMATION TO TZDATA2019C
* JIT Compiler:
IJ11368 JAVA JIT PPC: CRASH IN JIT COMPILED CODE ON PPC MACHINES
ImportantSUSE bug 1160968SUSE bug 1162972CVE-2020-2583 at SUSECVE-2020-2583 at NVDCVE-2020-2593 at SUSECVE-2020-2593 at NVDCVE-2020-2604 at SUSECVE-2020-2604 at NVDCVE-2020-2659 at SUSECVE-2020-2659 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libexif (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libexif fixes the following issues:
- CVE-2019-9278: Fixed an integer overflow (bsc#1160770).
- CVE-2018-20030: Fixed a denial of service by endless recursion (bsc#1120943).
ModerateSUSE bug 1120943SUSE bug 1160770CVE-2018-20030 at SUSECVE-2018-20030 at NVDCVE-2019-9278 at SUSECVE-2019-9278 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for openssl fixes the following issues:
Security issue fixed:
- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).
Non-security issue fixed:
- Fixed a crash in BN_copy (bsc#1160163).
ModerateSUSE bug 1117951SUSE bug 1158809SUSE bug 1160163CVE-2019-1551 at SUSECVE-2019-1551 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for ppp (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for ppp fixes the following security issue:
- CVE-2020-8597: Fixed a buffer overflow in the eap_request and eap_response functions (bsc#1162610).
ImportantSUSE bug 1162610CVE-2020-8597 at SUSECVE-2020-8597 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for python3 (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for python3 fixes the following issues:
Update to 3.4.10 (jsc#SLE-9427, bsc#1159208) from 3.4.6:
Security issues fixed:
- Update expat copy from 2.1.1 to 2.2.0 to fix the following issues:
CVE-2012-0876, CVE-2016-0718, CVE-2016-4472, CVE-2017-9233, CVE-2016-9063
- CVE-2017-1000158: Fix an integer overflow in thePyString_DecodeEscape function in stringobject.c, resulting in heap-based bufferoverflow (bsc#1068664).
ModerateSUSE bug 1068664SUSE bug 1159208SUSE bug 1159623CVE-2012-0876 at SUSECVE-2012-0876 at NVDCVE-2016-0718 at SUSECVE-2016-0718 at NVDCVE-2016-4472 at SUSECVE-2016-4472 at NVDCVE-2016-9063 at SUSECVE-2016-9063 at NVDCVE-2017-1000158 at SUSECVE-2017-1000158 at NVDCVE-2017-9233 at SUSECVE-2017-9233 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for mariadb (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for mariadb fixes the following issues:
Security issue fixed:
- CVE-2019-2974: Fixed Server Optimizer (bsc#1154162).
ModerateSUSE bug 1154162CVE-2019-2974 at SUSECVE-2019-2974 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_7_1-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_7_1-ibm fixes the following issues:
- Update to 7.1 Service Refresh 4 Fix Pack 55 [bsc#1158442, bsc#1154212]
* Security fixes:
CVE-2019-2933 CVE-2019-2945 CVE-2019-2962 CVE-2019-2964
CVE-2019-2978 CVE-2019-2983 CVE-2019-2989 CVE-2019-2992
CVE-2019-2999 CVE-2019-2973 CVE-2019-2981
ModerateSUSE bug 1154212SUSE bug 1158442CVE-2019-2933 at SUSECVE-2019-2933 at NVDCVE-2019-2945 at SUSECVE-2019-2945 at NVDCVE-2019-2962 at SUSECVE-2019-2962 at NVDCVE-2019-2964 at SUSECVE-2019-2964 at NVDCVE-2019-2973 at SUSECVE-2019-2973 at NVDCVE-2019-2978 at SUSECVE-2019-2978 at NVDCVE-2019-2981 at SUSECVE-2019-2981 at NVDCVE-2019-2983 at SUSECVE-2019-2983 at NVDCVE-2019-2989 at SUSECVE-2019-2989 at NVDCVE-2019-2992 at SUSECVE-2019-2992 at NVDCVE-2019-2999 at SUSECVE-2019-2999 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_8_0-ibm fixes the following issues:
Java 8.0 was updated to Service Refresh 6 Fix Pack 5 (bsc#1162972, bsc#1160968)
- CVE-2020-2583: Unlink Set of LinkedHashSets
- CVE-2019-4732: Untrusted DLL search path vulnerability
- CVE-2020-2593: Normalize normalization for all
- CVE-2020-2604: Better serial filter handling
- CVE-2020-2659: Enhance datagram socket support
ImportantSUSE bug 1160968SUSE bug 1162972CVE-2019-4732 at SUSECVE-2019-4732 at NVDCVE-2020-2583 at SUSECVE-2020-2583 at NVDCVE-2020-2593 at SUSECVE-2020-2593 at NVDCVE-2020-2604 at SUSECVE-2020-2604 at NVDCVE-2020-2659 at SUSECVE-2020-2659 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for log4j (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for log4j fixes the following issues:
- CVE-2019-17571: Fixed a remote code execution by deserialization of untrusted data in SocketServer (bsc#1159646).
ImportantSUSE bug 1159646CVE-2019-17571 at SUSECVE-2019-17571 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for permissions (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for permissions fixes the following issues:
Security issues fixed:
- CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922).
Non-security issues fixed:
- Fixed a regression where chkstat broke when /proc was not available (bsc#1160764, bsc#1160594).
- Fixed capability handling when doing multiple permission changes at once (bsc#1161779).
ModerateSUSE bug 1123886SUSE bug 1160594SUSE bug 1160764SUSE bug 1161779SUSE bug 1163922CVE-2020-8013 at SUSECVE-2020-8013 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer, python-jsonpatch, python-jsonpointer, python-scandir, python-PyYAML fixes the following issues:
python-cfn-lint was included as a new package in 0.21.4.
python-aws-sam-translator was updated to 1.11.0:
* Add ReservedConcurrentExecutions to globals
* Fix ElasticsearchHttpPostPolicy resource reference
* Support using AWS::Region in Ref and Sub
* Documentation and examples updates
* Add VersionDescription property to Serverless::Function
* Update ServerlessRepoReadWriteAccessPolicy
* Add additional template validation
Upgrade to 1.10.0:
* Add GSIs to DynamoDBReadPolicy and DynamoDBCrudPolicy
* Add DynamoDBReconfigurePolicy
* Add CostExplorerReadOnlyPolicy and OrganizationsListAccountsPolicy
* Add EKSDescribePolicy
* Add SESBulkTemplatedCrudPolicy
* Add FilterLogEventsPolicy
* Add SSMParameterReadPolicy
* Add SESEmailTemplateCrudPolicy
* Add s3:PutObjectAcl to S3CrudPolicy
* Add allow_credentials CORS option
* Add support for AccessLogSetting and CanarySetting Serverless::Api properties
* Add support for X-Ray in Serverless::Api
* Add support for MinimumCompressionSize in Serverless::Api
* Add Auth to Serverless::Api globals
* Remove trailing slashes from APIGW permissions
* Add SNS FilterPolicy and an example application
* Add Enabled property to Serverless::Function event sources
* Add support for PermissionsBoundary in Serverless::Function
* Fix boto3 client initialization
* Add PublicAccessBlockConfiguration property to S3 bucket resource
* Make PAY_PER_REQUEST default mode for Serverless::SimpleTable
* Add limited support for resolving intrinsics in Serverless::LayerVersion
* SAM now uses Flake8
* Add example application for S3 Events written in Go
* Updated several example applications
- Initial build
+ Version 1.9.0
- Add patch to drop compatible releases operator from setup.py,
required for SLES12 as the setuptools version is too old
+ ast_drop-compatible-releases-operator.patch
python-jsonschema was updated to 2.6.0:
* Improved performance on CPython by adding caching around ref resolution
Update to version 2.5.0:
* Improved performance on CPython by adding caching around ref
resolution (#203)
Update to version 2.4.0:
* Added a CLI (#134)
* Added absolute path and absolute schema path to errors (#120)
* Added ``relevance``
* Meta-schemas are now loaded via ``pkgutil``
* Added ``by_relevance`` and ``best_match`` (#91)
* Fixed ``format`` to allow adding formats for non-strings (#125)
* Fixed the ``uri`` format to reject URI references (#131)
- Install /usr/bin/jsonschema with update-alternatives support
python-nose2 was updated to 0.9.1:
* the prof plugin now uses cProfile instead of hotshot for profiling
* skipped tests now include the user's reason in junit XML's message field
* the prettyassert plugin mishandled multi-line function definitions
* Using a plugin's CLI flag when the plugin is already enabled via config
no longer errors
* nose2.plugins.prettyassert, enabled with --pretty-assert
* Cleanup code for EOLed python versions
* Dropped support for distutils.
* Result reporter respects failure status set by other plugins
* JUnit XML plugin now includes the skip reason in its output
Upgrade to 0.8.0:
List of changes is too long to show here, see
https://github.com/nose-devs/nose2/blob/master/docs/changelog.rst
changes between 0.6.5 and 0.8.0
Update to 0.7.0:
* Added parameterized_class feature, for parameterizing entire test
classes (many thanks to @TobyLL for their suggestions and help testing!)
* Fix DeprecationWarning on `inspect.getargs` (thanks @brettdh;
https://github.com/wolever/parameterized/issues/67)
* Make sure that `setUp` and `tearDown` methods work correctly (#40)
* Raise a ValueError when input is empty (thanks @danielbradburn;
https://github.com/wolever/parameterized/pull/48)
* Fix the order when number of cases exceeds 10 (thanks @ntflc;
https://github.com/wolever/parameterized/pull/49)
python-scandir was included in version 2.3.2.
python-requests was updated to version 2.20.1 (bsc#1111622)
* Fixed bug with unintended Authorization header stripping for
redirects using default ports (http/80, https/443).
* remove restriction for urllib3 < 1.24
Update to version 2.20.0:
* Bugfixes
+ Content-Type header parsing is now case-insensitive
(e.g. charset=utf8 v Charset=utf8).
+ Fixed exception leak where certain redirect urls would raise
uncaught urllib3 exceptions.
+ Requests removes Authorization header from requests redirected
from https to http on the same hostname. (CVE-2018-18074)
+ should_bypass_proxies now handles URIs without hostnames
(e.g. files).
* Dependencies
+ Requests now supports urllib3 v1.24.
* Deprecations
+ Requests has officially stopped support for Python 2.6.
Update to version 2.19.1:
* Fixed issue where status_codes.py’s init function failed trying
to append to a __doc__ value of None.
Update to version 2.19.0:
* Improvements
+ Warn about possible slowdown with cryptography version < 1.3.4
+ Check host in proxy URL, before forwarding request to adapter.
+ Maintain fragments properly across redirects. (RFC7231 7.1.2)
+ Removed use of cgi module to expedite library load time.
+ Added support for SHA-256 and SHA-512 digest auth algorithms.
+ Minor performance improvement to Request.content.
+ Migrate to using collections.abc for 3.7 compatibility.
* Bugfixes
+ Parsing empty Link headers with parse_header_links() no longer
return one bogus entry.
+ Fixed issue where loading the default certificate bundle from
a zip archive would raise an IOError.
+ Fixed issue with unexpected ImportError on windows system
which do not support winreg module.
+ DNS resolution in proxy bypass no longer includes the username
and password in the request. This also fixes the issue of DNS
queries failing on macOS.
+ Properly normalize adapter prefixes for url comparison.
+ Passing None as a file pointer to the files param no longer
raises an exception.
+ Calling copy on a RequestsCookieJar will now preserve the
cookie policy correctly.
* We now support idna v2.7 and urllib3 v1.23.
update to version 2.18.4:
* Improvements
+ Error messages for invalid headers now include the header name
for easier debugging
* Dependencies
+ We now support idna v2.6.
update to version 2.18.3:
* Improvements
+ Running $ python -m requests.help now includes the installed
version of idna.
* Bugfixes
+ Fixed issue where Requests would raise ConnectionError instead
of SSLError when encountering SSL problems when using urllib3
v1.22.
ModerateSUSE bug 1111622SUSE bug 1122668CVE-2018-18074 at SUSECVE-2018-18074 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for postgresql96 (Low)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for postgresql96 fixes the following issues:
PostgreSQL was updated to version 9.6.17.
Security issue fixed:
- CVE-2020-1720: Fixed a missing authorization check in the ALTER ... DEPENDS ON extension (bsc#1163985).
LowSUSE bug 1163985CVE-2020-1720 at SUSECVE-2020-1720 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_7_0-openjdk fixes the following issues:
Update java-1_7_0-openjdk to version jdk7u251 (January 2020 CPU, bsc#1160968):
- CVE-2020-2583: Unlink Set of LinkedHashSets
- CVE-2020-2590: Improve Kerberos interop capabilities
- CVE-2020-2593: Normalize normalization for all
- CVE-2020-2601: Better Ticket Granting Services
- CVE-2020-2604: Better serial filter handling
- CVE-2020-2659: Enhance datagram socket support
- CVE-2020-2654: Improve Object Identifier Processing
ImportantSUSE bug 1160968CVE-2020-2583 at SUSECVE-2020-2583 at NVDCVE-2020-2590 at SUSECVE-2020-2590 at NVDCVE-2020-2593 at SUSECVE-2020-2593 at NVDCVE-2020-2601 at SUSECVE-2020-2601 at NVDCVE-2020-2604 at SUSECVE-2020-2604 at NVDCVE-2020-2654 at SUSECVE-2020-2654 at NVDCVE-2020-2659 at SUSECVE-2020-2659 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for ipmitool (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for ipmitool fixes the following issues:
- CVE-2020-5208: Fixed multiple remote code executtion vulnerabilities (bsc#1163026).
- picmg discover messages are now DEBUG and not INFO messages (bsc#1085469).
ImportantSUSE bug 1085469SUSE bug 1163026CVE-2020-5208 at SUSECVE-2020-5208 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for squid (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for squid fixes the following issues:
- CVE-2019-12528: Fixed an information disclosure flaw in the FTP gateway (bsc#1162689).
- CVE-2019-12526: Fixed potential remote code execution during URN processing (bsc#1156326).
- CVE-2019-12523,CVE-2019-18676: Fixed multiple improper validations in URI processing (bsc#1156329).
- CVE-2019-18677: Fixed Cross-Site Request Forgery in HTTP Request processing (bsc#1156328).
- CVE-2019-18678: Fixed incorrect message parsing which could have led to HTTP request splitting issue (bsc#1156323).
- CVE-2019-18679: Fixed information disclosure when processing HTTP Digest Authentication (bsc#1156324).
- CVE-2020-8449: Fixed a buffer overflow when squid is acting as reverse-proxy (bsc#1162687).
- CVE-2020-8450: Fixed a buffer overflow when squid is acting as reverse-proxy (bsc#1162687).
- CVE-2020-8517: Fixed a buffer overflow in ext_lm_group_acl when processing NTLM Authentication credentials (bsc#1162691).
ImportantSUSE bug 1156323SUSE bug 1156324SUSE bug 1156326SUSE bug 1156328SUSE bug 1156329SUSE bug 1162687SUSE bug 1162689SUSE bug 1162691CVE-2019-12523 at SUSECVE-2019-12523 at NVDCVE-2019-12526 at SUSECVE-2019-12526 at NVDCVE-2019-12528 at SUSECVE-2019-12528 at NVDCVE-2019-18676 at SUSECVE-2019-18676 at NVDCVE-2019-18677 at SUSECVE-2019-18677 at NVDCVE-2019-18678 at SUSECVE-2019-18678 at NVDCVE-2019-18679 at SUSECVE-2019-18679 at NVDCVE-2020-8449 at SUSECVE-2020-8449 at NVDCVE-2020-8450 at SUSECVE-2020-8450 at NVDCVE-2020-8517 at SUSECVE-2020-8517 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 68.4.1 ESR
* Fixed: Security fix
MFSA 2020-03 (bsc#1160498)
* CVE-2019-17026 (bmo#1607443)
IonMonkey type confusion with StoreElementHole and
FallibleStoreElement
- Firefox Extended Support Release 68.4.0 ESR
* Fixed: Various security fixes
MFSA 2020-02 (bsc#1160305)
* CVE-2019-17015 (bmo#1599005)
Memory corruption in parent process during new content
process initialization on Windows
* CVE-2019-17016 (bmo#1599181)
Bypass of @namespace CSS sanitization during pasting
* CVE-2019-17017 (bmo#1603055)
Type Confusion in XPCVariant.cpp
* CVE-2019-17021 (bmo#1599008)
Heap address disclosure in parent process during content
process initialization on Windows
* CVE-2019-17022 (bmo#1602843)
CSS sanitization does not escape HTML tags
* CVE-2019-17024 (bmo#1507180, bmo#1595470, bmo#1598605,
bmo#1601826)
Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4
ImportantSUSE bug 1160305SUSE bug 1160498CVE-2019-17015 at SUSECVE-2019-17015 at NVDCVE-2019-17016 at SUSECVE-2019-17016 at NVDCVE-2019-17017 at SUSECVE-2019-17017 at NVDCVE-2019-17021 at SUSECVE-2019-17021 at NVDCVE-2019-17022 at SUSECVE-2019-17022 at NVDCVE-2019-17024 at SUSECVE-2019-17024 at NVDCVE-2019-17026 at SUSECVE-2019-17026 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for postgresql10 (Low)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for postgresql10 fixes the following issues:
PostgreSQL was updated to version 10.12.
Security issue fixed:
- CVE-2020-1720: Fixed a missing authorization check in the ALTER ... DEPENDS ON extension (bsc#1163985).
LowSUSE bug 1163985CVE-2020-1720 at SUSECVE-2020-1720 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
MozillaFirefox was updated to 68.6.0 ESR (MFSA 2020-09 bsc#1132665 bsc#1166238)
- CVE-2020-6805: Fixed a use-after-free when removing data about origins
- CVE-2020-6806: Fixed improper protections against state confusion
- CVE-2020-6807: Fixed a use-after-free in cubeb during stream destruction
- CVE-2020-6811: Fixed an issue where copy as cURL' feature did not fully
escape website-controlled data potentially leading to command injection
- CVE-2019-20503: Fixed out of bounds reads in sctp_load_addresses_from_init
- CVE-2020-6812: Fixed an issue where the names of AirPods with personally
identifiable information were exposed to websites with camera or microphone
permission
- CVE-2020-6814: Fixed multiple memory safety bugs
- Fixed an issue with minimizing a window (bsc#1132665).
ImportantSUSE bug 1132665SUSE bug 1166238CVE-2019-20503 at SUSECVE-2019-20503 at NVDCVE-2020-6805 at SUSECVE-2020-6805 at NVDCVE-2020-6806 at SUSECVE-2020-6806 at NVDCVE-2020-6807 at SUSECVE-2020-6807 at NVDCVE-2020-6811 at SUSECVE-2020-6811 at NVDCVE-2020-6812 at SUSECVE-2020-6812 at NVDCVE-2020-6814 at SUSECVE-2020-6814 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for tomcat (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for tomcat fixes the following issues:
- CVE-2020-1938: Fixed a file contents disclosure vulnerability (bsc#1164692).
ImportantSUSE bug 1164692CVE-2020-1938 at SUSECVE-2020-1938 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libzypp (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libzypp fixes the following issues:
Security issue fixed:
- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).
ModerateSUSE bug 1158763CVE-2019-18900 at SUSECVE-2019-18900 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for python-cffi, python-cryptography (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for python-cffi, python-cryptography fixes the following issues:
Security issue fixed:
- CVE-2018-10903: Fixed GCM tag forgery via truncated tag in finalize_with_tag API (bsc#1101820).
Non-security issues fixed:
python-cffi was updated to 1.11.2 (bsc#1138748, jsc#ECO-1256, jsc#PM-1598):
- fixed a build failure on i586 (bsc#1111657)
- Salt was unable to highstate in snapshot 20171129 (bsc#1070737)
- Update pytest in spec to add c directory tests in addition to
testing directory.
- update to version 1.11.2:
* Fix Windows issue with managing the thread-state on CPython 3.0 to
3.5
- Update pytest in spec to add c directory tests in addition to
testing directory.
- Omit test_init_once_multithread tests as they rely on multiple
threads finishing in a given time. Returns sporadic pass/fail
within build.
- Update to 1.11.1:
* Fix tests, remove deprecated C API usage
* Fix (hack) for 3.6.0/3.6.1/3.6.2 giving incompatible binary
extensions (cpython issue #29943)
* Fix for 3.7.0a1+
- Update to 1.11.0:
* Support the modern standard types char16_t and char32_t. These
work like wchar_t: they represent one unicode character, or when
used as charN_t * or charN_t[] they represent a unicode string.
The difference with wchar_t is that they have a known, fixed
size. They should work at all places that used to work with
wchar_t (please report an issue if I missed something). Note
that with set_source(), you need to make sure that these types
are actually defined by the C source you provide (if used in
cdef()).
* Support the C99 types float _Complex and double _Complex. Note
that libffi doesn't support them, which means that in the ABI
mode you still cannot call C functions that take complex
numbers directly as arguments or return type.
* Fixed a rare race condition when creating multiple FFI instances
from multiple threads. (Note that you aren't meant to create
many FFI instances: in inline mode, you should write
ffi = cffi.FFI() at module level just after import cffi; and in
out-of-line mode you don't instantiate FFI explicitly at all.)
* Windows: using callbacks can be messy because the CFFI internal
error messages show up to stderr-but stderr goes nowhere in many
applications. This makes it particularly hard to get started
with the embedding mode. (Once you get started, you can at least
use @ffi.def_extern(onerror=...) and send the error logs where
it makes sense for your application, or record them in log
files, and so on.) So what is new in CFFI is that now, on
Windows CFFI will try to open a non-modal MessageBox (in addition
to sending raw messages to stderr). The MessageBox is only
visible if the process stays alive: typically, console
applications that crash close immediately, but that is also the
situation where stderr should be visible anyway.
* Progress on support for callbacks in NetBSD.
* Functions returning booleans would in some case still return 0
or 1 instead of False or True. Fixed.
* ffi.gc() now takes an optional third parameter, which gives an
estimate of the size (in bytes) of the object. So far, this is
only used by PyPy, to make the next GC occur more quickly
(issue #320). In the future, this might have an effect on
CPython too (provided the CPython issue 31105 is addressed).
* Add a note to the documentation: the ABI mode gives function
objects that are slower to call than the API mode does. For
some reason it is often thought to be faster. It is not!
- Update to 1.10.1:
* Fixed the line numbers reported in case of cdef() errors. Also,
I just noticed, but pycparser always supported the preprocessor
directive # 42 'foo.h' to mean 'from the next line, we're in
file foo.h starting from line 42';, which it puts in the error
messages.
- update to 1.10.0:
* Issue #295: use calloc() directly instead of PyObject_Malloc()+memset()
to handle ffi.new() with a default allocator. Speeds up ffi.new(large-array)
where most of the time you never touch most of the array.
* Some OS/X build fixes ('only with Xcode but without CLT';).
* Improve a couple of error messages: when getting mismatched versions of
cffi and its backend; and when calling functions which cannot be called with
libffi because an argument is a struct that is 'too complicated'; (and not
a struct pointer, which always works).
* Add support for some unusual compilers (non-msvc, non-gcc, non-icc, non-clang)
* Implemented the remaining cases for ffi.from_buffer. Now all
buffer/memoryview objects can be passed. The one remaining check is against
passing unicode strings in Python 2. (They support the buffer interface, but
that gives the raw bytes behind the UTF16/UCS4 storage, which is most of the
times not what you expect. In Python 3 this has been fixed and the unicode
strings don't support the memoryview interface any more.)
* The C type _Bool or bool now converts to a Python boolean when reading,
instead of the content of the byte as an integer. The potential
incompatibility here is what occurs if the byte contains a value different
from 0 and 1. Previously, it would just return it; with this change, CFFI
raises an exception in this case. But this case means 'undefined behavior';
in C; if you really have to interface with a library relying on this,
don't use bool in the CFFI side. Also, it is still valid to use a byte
string as initializer for a bool[], but now it must only contain \x00 or
\x01. As an aside, ffi.string() no longer works on bool[] (but it never made
much sense, as this function stops at the first zero).
* ffi.buffer is now the name of cffi's buffer type, and ffi.buffer() works
like before but is the constructor of that type.
* ffi.addressof(lib, 'name') now works also in in-line mode, not only in
out-of-line mode. This is useful for taking the address of global variables.
* Issue #255: cdata objects of a primitive type (integers, floats, char) are
now compared and ordered by value. For example, <cdata 'int' 42> compares
equal to 42 and <cdata 'char' b'A'> compares equal to b'A'. Unlike C,
<cdata 'int' -1> does not compare equal to ffi.cast('unsigned int', -1): it
compares smaller, because -1 < 4294967295.
* PyPy: ffi.new() and ffi.new_allocator()() did not record 'memory pressure';,
causing the GC to run too infrequently if you call ffi.new() very often
and/or with large arrays. Fixed in PyPy 5.7.
* Support in ffi.cdef() for numeric expressions with + or -. Assumes that
there is no overflow; it should be fixed first before we add more general
support for arbitrary arithmetic on constants.
- do not generate HTML documentation for packages that are indirect
dependencies of Sphinx
(see docs at https://cffi.readthedocs.org/ )
- update to 1.9.1
- Structs with variable-sized arrays as their last field: now we track the
length of the array after ffi.new() is called, just like we always tracked
the length of ffi.new('int[]', 42). This lets us detect out-of-range
accesses to array items. This also lets us display a better repr(), and
have the total size returned by ffi.sizeof() and ffi.buffer(). Previously
both functions would return a result based on the size of the declared
structure type, with an assumed empty array. (Thanks andrew for starting
this refactoring.)
- Add support in cdef()/set_source() for unspecified-length arrays in
typedefs: typedef int foo_t[...];. It was already supported for global
variables or structure fields.
- I turned in v1.8 a warning from cffi/model.py into an error: 'enum xxx' has
no values explicitly defined: refusing to guess which integer type it is
meant to be (unsigned/signed, int/long). Now I'm turning it back to a
warning again; it seems that guessing that the enum has size int is a
99%-safe bet. (But not 100%, so it stays as a warning.)
- Fix leaks in the code handling FILE * arguments. In CPython 3 there is a
remaining issue that is hard to fix: if you pass a Python file object to a
FILE * argument, then os.dup() is used and the new file descriptor is only
closed when the GC reclaims the Python file object-and not at the earlier
time when you call close(), which only closes the original file descriptor.
If this is an issue, you should avoid this automatic convertion of Python
file objects: instead, explicitly manipulate file descriptors and call
fdopen() from C (...via cffi).
- When passing a void * argument to a function with a different pointer type,
or vice-versa, the cast occurs automatically, like in C. The same occurs
for initialization with ffi.new() and a few other places. However, I
thought that char * had the same property-but I was mistaken. In C you get
the usual warning if you try to give a char * to a char ** argument, for
example. Sorry about the confusion. This has been fixed in CFFI by giving
for now a warning, too. It will turn into an error in a future version.
- Issue #283: fixed ffi.new() on structures/unions with nested anonymous
structures/unions, when there is at least one union in the mix. When
initialized with a list or a dict, it should now behave more closely like
the { } syntax does in GCC.
- CPython 3.x: experimental: the generated C extension modules now use the
'limited API';, which means that, as a compiled .so/.dll, it should work
directly on any version of CPython >= 3.2. The name produced by distutils
is still version-specific. To get the version-independent name, you can
rename it manually to NAME.abi3.so, or use the very recent setuptools 26.
- Added ffi.compile(debug=...), similar to python setup.py build --debug but
defaulting to True if we are running a debugging version of Python itself.
- Removed the restriction that ffi.from_buffer() cannot be used on byte
strings. Now you can get a char * out of a byte string, which is valid as
long as the string object is kept alive. (But don't use it to modify the
string object! If you need this, use bytearray or other official
techniques.)
- PyPy 5.4 can now pass a byte string directly to a char * argument (in older
versions, a copy would be made). This used to be a CPython-only
optimization.
- ffi.gc(p, None) removes the destructor on an object previously created by
another call to ffi.gc()
- bool(ffi.cast('primitive type', x)) now returns False if the value is zero
(including -0.0), and True otherwise. Previously this would only return
False for cdata objects of a pointer type when the pointer is NULL.
- bytearrays: ffi.from_buffer(bytearray-object) is now supported. (The reason
it was not supported was that it was hard to do in PyPy, but it works since
PyPy 5.3.) To call a C function with a char * argument from a buffer
object-now including bytearrays-you write lib.foo(ffi.from_buffer(x)).
Additionally, this is now supported: p[0:length] = bytearray-object. The
problem with this was that a iterating over bytearrays gives numbers
instead of characters. (Now it is implemented with just a memcpy, of
course, not actually iterating over the characters.)
- C++: compiling the generated C code with C++ was supposed to work, but
failed if you make use the bool type (because that is rendered as the C
_Bool type, which doesn't exist in C++).
- help(lib) and help(lib.myfunc) now give useful information, as well as
dir(p) where p is a struct or pointer-to-struct.
- update for multipython build
- disable 'negative left shift' warning in test suite to prevent
failures with gcc6, until upstream fixes the undefined code
in question (bsc#981848)
- Update to version 1.6.0:
* ffi.list_types()
* ffi.unpack()
* extern 'Python+C';
* in API mode, lib.foo.__doc__ contains the C signature now.
* Yet another attempt at robustness of ffi.def_extern() against
CPython's interpreter shutdown logic.
- Update in SLE-12 (bsc#1138748, jsc#ECO-1256, jsc#PM-1598)
- Make this version of the package compatible with OpenSSL 1.1.1d, thus fixing bsc#1149792.
- bsc#1101820 CVE-2018-10903 GCM tag forgery via truncated tag in
finalize_with_tag API
- Add proper conditional for the python2, the ifpython works only
for the requires/etc
- add missing dependency on python ssl
- update to version 2.1.4:
* Added X509_up_ref for an upcoming pyOpenSSL release.
- update to version 2.1.3:
* Updated Windows, macOS, and manylinux1 wheels to be compiled with
OpenSSL 1.1.0g.
- update to version 2.1.2:
* Corrected a bug with the manylinux1 wheels where OpenSSL's stack
was marked executable.
- fix BuildRequires conditions for python3
- update to 2.1.1
- Fix cffi version requirement.
- Disable memleak tests to fix build with OpenSSL 1.1 (bsc#1055478)
- update to 2.0.3
- update to 2.0.2
- update to 2.0
- update to 1.9
- add python-packaging to requirements explicitly instead of relying
on setuptools to pull it in
- Switch to singlespec approach
- update to 1.8.1
- Adust Requires and BuildRequires ModerateSUSE bug 1055478SUSE bug 1070737SUSE bug 1101820SUSE bug 1111657SUSE bug 1138748SUSE bug 1149792SUSE bug 981848CVE-2018-10903 at SUSECVE-2018-10903 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for spamassassin (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for spamassassin fixes the following issues:
- CVE-2018-11805: Fixed an issue with delimiter handling in rule files
related to is_regexp_valid() (bsc#1118987).
- CVE-2020-1930: Fixed an issue with rule configuration (.cf) files which
can be configured to run system commands (bsc#1162197).
- CVE-2020-1931: Fixed an issue with rule configuration (.cf) files which
can be configured to run system commands with warnings (bsc#1162200).
ImportantSUSE bug 1118987SUSE bug 1162197SUSE bug 1162200CVE-2018-11805 at SUSECVE-2018-11805 at NVDCVE-2020-1930 at SUSECVE-2020-1930 at NVDCVE-2020-1931 at SUSECVE-2020-1931 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for python3 (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for python3 fixes the following issue:
- CVE-2019-18348: Fixed a CRLF injection via the host part
of the url passed to urlopen(). Now an InvalidURL exception
is raised (bsc#1155094).
- CVE-2019-9674: Improved the documentation to reflect the
dangers of zip-bombs (bsc#1162825).
- CVE-2020-8492: Fixed a regular expression in urllib that
was prone to denial of service via HTTP (bsc#1162367).
- Fixed an issue with version missmatch (bsc#1162224).
- Rename idle icons to idle3 in order to not conflict with python2
variant of the package. (bsc#1165894)
ModerateSUSE bug 1155094SUSE bug 1162224SUSE bug 1162367SUSE bug 1162825SUSE bug 1165894CVE-2019-18348 at SUSECVE-2019-18348 at NVDCVE-2019-9674 at SUSECVE-2019-9674 at NVDCVE-2020-8492 at SUSECVE-2020-8492 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 24 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.176-94_88 fixes several issues.
The following security issues were fixed:
- CVE-2020-1749: Fixed an issue in the networking protocols in encrypted IPsec tunnel (bsc#1165631)
- CVE-2019-5108: Fixed an issue where by triggering AP to send IAPP location updates for stations before the required authentication process has completed could have led to denial-of-service (bsc#1159913).
ImportantSUSE bug 1159913SUSE bug 1165631CVE-2019-5108 at SUSECVE-2019-5108 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for mozilla-nspr, mozilla-nss (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.47.1:
Security issues fixed:
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527).
- CVE-2019-11727: Fixed vulnerability sign CertificateVerify with PKCS#1 v1.5 signatures issue (bsc#1141322).
mozilla-nspr was updated to version 4.23:
- Whitespace in C files was cleaned up and no longer uses tab characters for indenting.
ModerateSUSE bug 1141322SUSE bug 1158527SUSE bug 1159819CVE-2019-11745 at SUSECVE-2019-11745 at NVDCVE-2019-17006 at SUSECVE-2019-17006 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_113 fixes several issues.
The following security issues were fixed:
- CVE-2020-1749: Fixed an issue in the networking protocols in encrypted IPsec tunnel (bsc#1165631)
- CVE-2019-5108: Fixed an issue where by triggering AP to send IAPP location updates for stations before the required authentication process has completed could have led to denial-of-service (bsc#1159913).
ImportantSUSE bug 1159913SUSE bug 1165631CVE-2019-5108 at SUSECVE-2019-5108 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_107 fixes several issues.
The following security issues were fixed:
- CVE-2020-1749: Fixed an issue in the networking protocols in encrypted IPsec tunnel (bsc#1165631)
- CVE-2019-5108: Fixed an issue where by triggering AP to send IAPP location updates for stations before the required authentication process has completed could have led to denial-of-service (bsc#1159913).
ImportantSUSE bug 1159913SUSE bug 1165631CVE-2019-5108 at SUSECVE-2019-5108 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 28 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_103 fixes several issues.
The following security issues were fixed:
- CVE-2020-1749: Fixed an issue in the networking protocols in encrypted IPsec tunnel (bsc#1165631)
- CVE-2019-5108: Fixed an issue where by triggering AP to send IAPP location updates for stations before the required authentication process has completed could have led to denial-of-service (bsc#1159913).
ImportantSUSE bug 1159913SUSE bug 1165631CVE-2019-5108 at SUSECVE-2019-5108 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 27 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_100 fixes several issues.
The following security issues were fixed:
- CVE-2020-1749: Fixed an issue in the networking protocols in encrypted IPsec tunnel (bsc#1165631)
- CVE-2019-5108: Fixed an issue where by triggering AP to send IAPP location updates for stations before the required authentication process has completed could have led to denial-of-service (bsc#1159913).
ImportantSUSE bug 1159913SUSE bug 1165631CVE-2019-5108 at SUSECVE-2019-5108 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 26 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_97 fixes several issues.
The following security issues were fixed:
- CVE-2020-1749: Fixed an issue in the networking protocols in encrypted IPsec tunnel (bsc#1165631)
- CVE-2019-5108: Fixed an issue where by triggering AP to send IAPP location updates for stations before the required authentication process has completed could have led to denial-of-service (bsc#1159913).
ImportantSUSE bug 1159913SUSE bug 1165631CVE-2019-5108 at SUSECVE-2019-5108 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 25 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.178-94_91 fixes several issues.
The following security issues were fixed:
- CVE-2020-1749: Fixed an issue in the networking protocols in encrypted IPsec tunnel (bsc#1165631)
- CVE-2019-5108: Fixed an issue where by triggering AP to send IAPP location updates for stations before the required authentication process has completed could have led to denial-of-service (bsc#1159913).
ImportantSUSE bug 1159913SUSE bug 1165631CVE-2019-5108 at SUSECVE-2019-5108 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libxslt (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libxslt fixes the following issue:
- CVE-2019-18197: Fixed a dangling pointer in xsltCopyText which may have led to information disclosure (bsc#1154609).
ModerateSUSE bug 1154609CVE-2019-18197 at SUSECVE-2019-18197 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
- Mozilla Firefox 68.6.1esr
MFSA 2020-11 (bsc#1168630)
* CVE-2020-6819 (bmo#1620818)
Use-after-free while running the nsDocShell destructor
* CVE-2020-6820 (bmo#1626728)
Use-after-free when handling a ReadableStream
ImportantSUSE bug 1168630CVE-2020-6819 at SUSECVE-2020-6819 at NVDCVE-2020-6820 at SUSECVE-2020-6820 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox to version 68.7.0 ESR fixes the following issues:
- CVE-2020-6821: Uninitialized memory could be read when using the WebGL copyTexSubImage method (bsc#1168874).
- CVE-2020-6822: Fixed out of bounds write in GMPDecodeData when processing large images (bsc#1168874).
- CVE-2020-6825: Fixed Memory safety bugs (bsc#1168874).
- CVE-2020-6827: Custom Tabs could have the URI spoofed (bsc#1168874).
- CVE-2020-6828: Preference overwrite via crafted Intent (bsc#1168874).
ImportantSUSE bug 1168874CVE-2020-6821 at SUSECVE-2020-6821 at NVDCVE-2020-6822 at SUSECVE-2020-6822 at NVDCVE-2020-6825 at SUSECVE-2020-6825 at NVDCVE-2020-6827 at SUSECVE-2020-6827 at NVDCVE-2020-6828 at SUSECVE-2020-6828 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for git (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for git fixes the following issues:
Security issue fixed:
- CVE-2020-5260: With a crafted URL that contains a newline in it, the credential
helper machinery can be fooled to give credential information for a wrong host (bsc#1168930).
Non-security issue fixed:
git was updated to 2.26.0 for SHA256 support (bsc#1167890, jsc#SLE-11608):
- the xinetd snippet was removed
- the System V init script for the git-daemon was replaced by a systemd
service file of the same name.
git 2.26.0:
* 'git rebase' now uses a different backend that is based on the
'merge' machinery by default. The 'rebase.backend' configuration
variable reverts to old behaviour when set to 'apply'
* Improved handling of sparse checkouts
* Improvements to many commands and internal features
git 2.25.1:
* 'git commit' now honors advise.statusHints
* various updates, bug fixes and documentation updates
git 2.25.0:
* The branch description ('git branch --edit-description') has been
used to fill the body of the cover letters by the format-patch
command; this has been enhanced so that the subject can also be
filled.
* A few commands learned to take the pathspec from the standard input
or a named file, instead of taking it as the command line
arguments, with the '--pathspec-from-file' option.
* Test updates to prepare for SHA-2 transition continues.
* Redo 'git name-rev' to avoid recursive calls.
* When all files from some subdirectory were renamed to the root
directory, the directory rename heuristics would fail to detect that
as a rename/merge of the subdirectory to the root directory, which has
been corrected.
* HTTP transport had possible allocator/deallocator mismatch, which
has been corrected.
git 2.24.1:
* CVE-2019-1348: The --export-marks option of fast-import is
exposed also via the in-stream command feature export-marks=...
and it allows overwriting arbitrary paths (bsc#1158785)
* CVE-2019-1349: on Windows, when submodules are cloned
recursively, under certain circumstances Git could be fooled
into using the same Git directory twice (bsc#1158787)
* CVE-2019-1350: Incorrect quoting of command-line arguments
allowed remote code execution during a recursive clone in
conjunction with SSH URLs (bsc#1158788)
* CVE-2019-1351: on Windows mistakes drive letters outside of
the US-English alphabet as relative paths (bsc#1158789)
* CVE-2019-1352: on Windows was unaware of NTFS Alternate Data
Streams (bsc#1158790)
* CVE-2019-1353: when run in the Windows Subsystem for Linux
while accessing a working directory on a regular Windows
drive, none of the NTFS protections were active (bsc#1158791)
* CVE-2019-1354: on Windows refuses to write tracked files with
filenames that contain backslashes (bsc#1158792)
* CVE-2019-1387: Recursive clones vulnerability that is caused
by too-lax validation of submodule names, allowing very
targeted attacks via remote code execution in recursive
clones (bsc#1158793)
* CVE-2019-19604: a recursive clone followed by a submodule
update could execute code contained within the repository
without the user explicitly having asked for that (bsc#1158795)
- Fix building with asciidoctor and without DocBook4 stylesheets.
git 2.24.0
* The command line parser learned '--end-of-options' notation.
* A mechanism to affect the default setting for a (related) group of
configuration variables is introduced.
* 'git fetch' learned '--set-upstream' option to help those who first
clone from their private fork they intend to push to, add the true
upstream via 'git remote add' and then 'git fetch' from it.
* fixes and improvements to UI, workflow and features, bash completion fixes
* part of it merged upstream
* the Makefile attempted to download some documentation, banned
git 2.23.0:
* The '--base' option of 'format-patch' computed the patch-ids for
prerequisite patches in an unstable way, which has been updated
to compute in a way that is compatible with 'git patch-id
--stable'.
* The 'git log' command by default behaves as if the --mailmap
option was given.
* fixes and improvements to UI, workflow and features
git 2.22.1:
* A relative pathname given to 'git init --template=<path> <repo>'
ought to be relative to the directory 'git init' gets invoked in,
but it instead was made relative to the repository, which has been
corrected.
* 'git worktree add' used to fail when another worktree connected to
the same repository was corrupt, which has been corrected.
* 'git am -i --resolved' segfaulted after trying to see a commit as
if it were a tree, which has been corrected.
* 'git merge --squash' is designed to update the working tree and the
index without creating the commit, and this cannot be countermanded
by adding the '--commit' option; the command now refuses to work
when both options are given.
* Update to Unicode 12.1 width table.
* 'git request-pull' learned to warn when the ref we ask them to pull
from in the local repository and in the published repository are
different.
* 'git fetch' into a lazy clone forgot to fetch base objects that are
necessary to complete delta in a thin packfile, which has been
corrected.
* The URL decoding code has been updated to avoid going past the end
of the string while parsing %-<hex>-<hex> sequence.
* 'git clean' silently skipped a path when it cannot lstat() it; now
it gives a warning.
* 'git rm' to resolve a conflicted path leaked an internal message
'needs merge' before actually removing the path, which was
confusing. This has been corrected.
* Many more bugfixes and code cleanups.
- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
firewalld, see [1].
[1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html
git 2.22.0:
* The filter specification '--filter=sparse:path=<path>' used to
create a lazy/partial clone has been removed. Using a blob that is
part of the project as sparse specification is still supported with
the '--filter=sparse:oid=<blob>' option
* 'git checkout --no-overlay' can be used to trigger a new mode of
checking out paths out of the tree-ish, that allows paths that
match the pathspec that are in the current index and working tree
and are not in the tree-ish.
* Four new configuration variables {author,committer}.{name,email}
have been introduced to override user.{name,email} in more specific
cases.
* 'git branch' learned a new subcommand '--show-current'.
* The command line completion (in contrib/) has been taught to
complete more subcommand parameters.
* The completion helper code now pays attention to repository-local
configuration (when available), which allows --list-cmds to honour
a repository specific setting of completion.commands, for example.
* The list of conflicted paths shown in the editor while concluding a
conflicted merge was shown above the scissors line when the
clean-up mode is set to 'scissors', even though it was commented
out just like the list of updated paths and other information to
help the user explain the merge better.
* 'git rebase' that was reimplemented in C did not set ORIG_HEAD
correctly, which has been corrected.
* 'git worktree add' used to do a 'find an available name with stat
and then mkdir', which is race-prone. This has been fixed by using
mkdir and reacting to EEXIST in a loop.
- update git-web AppArmor profile for bash and tar usrMerge (bsc#1132350)
git 2.21.0:
* Historically, the '-m' (mainline) option can only be used for 'git
cherry-pick' and 'git revert' when working with a merge commit.
This version of Git no longer warns or errors out when working with
a single-parent commit, as long as the argument to the '-m' option
is 1 (i.e. it has only one parent, and the request is to pick or
revert relative to that first parent). Scripts that relied on the
behaviour may get broken with this change.
* Small fixes and features for fast-export and fast-import.
* The 'http.version' configuration variable can be used with recent
enough versions of cURL library to force the version of HTTP used
to talk when fetching and pushing.
* 'git push $there $src:$dst' rejects when $dst is not a fully
qualified refname and it is not clear what the end user meant.
* Update 'git multimail' from the upstream.
* A new date format '--date=human' that morphs its output depending
on how far the time is from the current time has been introduced.
'--date=auto:human' can be used to use this new format (or any
existing format) when the output is going to the pager or to the
terminal, and otherwise the default format.
- Fix worktree creation race (bsc#1114225).
git 2.20.1:
* portability fixes
* 'git help -a' did not work well when an overly long alias was
defined
* no longer squelched an error message when the run_command API
failed to run a missing command
git 2.20.0:
* 'git help -a' now gives verbose output (same as 'git help -av').
Those who want the old output may say 'git help --no-verbose -a'..
* 'git send-email' learned to grab address-looking string on any
trailer whose name ends with '-by'.
* 'git format-patch' learned new '--interdiff' and '--range-diff'
options to explain the difference between this version and the
previous attempt in the cover letter (or after the three-dashes as
a comment).
* Developer builds now use -Wunused-function compilation option.
* Fix a bug in which the same path could be registered under multiple
worktree entries if the path was missing (for instance, was removed
manually). Also, as a convenience, expand the number of cases in
which --force is applicable.
* The overly large Documentation/config.txt file have been split into
million little pieces. This potentially allows each individual piece
to be included into the manual page of the command it affects more easily.
* Malformed or crafted data in packstream can make our code attempt
to read or write past the allocated buffer and abort, instead of
reporting an error, which has been fixed.
* Fix for a long-standing bug that leaves the index file corrupt when
it shrinks during a partial commit.
* 'git merge' and 'git pull' that merges into an unborn branch used
to completely ignore '--verify-signatures', which has been
corrected.
* ...and much more features and fixes
- fix CVE-2018-19486 (bsc#1117257)
git 2.19.2:
* various bug fixes for multiple subcommands and operations
git 2.19.1:
* CVE-2018-17456: Specially crafted .gitmodules files may have
allowed arbitrary code execution when the repository is cloned
with --recurse-submodules (bsc#1110949)
git 2.19.0:
* 'git diff' compares the index and the working tree. For paths
added with intent-to-add bit, the command shows the full contents
of them as added, but the paths themselves were not marked as new
files. They are now shown as new by default.
* 'git apply' learned the '--intent-to-add' option so that an
otherwise working-tree-only application of a patch will add new
paths to the index marked with the 'intent-to-add' bit.
* 'git grep' learned the '--column' option that gives not just the
line number but the column number of the hit.
* The '-l' option in 'git branch -l' is an unfortunate short-hand for
'--create-reflog', but many users, both old and new, somehow expect
it to be something else, perhaps '--list'. This step warns when '-l'
is used as a short-hand for '--create-reflog' and warns about the
future repurposing of the it when it is used.
* The userdiff pattern for .php has been updated.
* The content-transfer-encoding of the message 'git send-email' sends
out by default was 8bit, which can cause trouble when there is an
overlong line to bust RFC 5322/2822 limit. A new option 'auto' to
automatically switch to quoted-printable when there is such a line
in the payload has been introduced and is made the default.
* 'git checkout' and 'git worktree add' learned to honor
checkout.defaultRemote when auto-vivifying a local branch out of a
remote tracking branch in a repository with multiple remotes that
have tracking branches that share the same names.
(merge 8d7b558bae ab/checkout-default-remote later to maint).
* 'git grep' learned the '--only-matching' option.
* 'git rebase --rebase-merges' mode now handles octopus merges as
well.
* Add a server-side knob to skip commits in exponential/fibbonacci
stride in an attempt to cover wider swath of history with a smaller
number of iterations, potentially accepting a larger packfile
transfer, instead of going back one commit a time during common
ancestor discovery during the 'git fetch' transaction.
(merge 42cc7485a2 jt/fetch-negotiator-skipping later to maint).
* A new configuration variable core.usereplacerefs has been added,
primarily to help server installations that want to ignore the
replace mechanism altogether.
* Teach 'git tag -s' etc. a few configuration variables (gpg.format
that can be set to 'openpgp' or 'x509', and gpg.<format>.program
that is used to specify what program to use to deal with the format)
to allow x.509 certs with CMS via 'gpgsm' to be used instead of
openpgp via 'gnupg'.
* Many more strings are prepared for l10n.
* 'git p4 submit' learns to ask its own pre-submit hook if it should
continue with submitting.
* The test performed at the receiving end of 'git push' to prevent
bad objects from entering repository can be customized via
receive.fsck.* configuration variables; we now have gained a
counterpart to do the same on the 'git fetch' side, with
fetch.fsck.* configuration variables.
* 'git pull --rebase=interactive' learned 'i' as a short-hand for
'interactive'.
* 'git instaweb' has been adjusted to run better with newer Apache on
RedHat based distros.
* 'git range-diff' is a reimplementation of 'git tbdiff' that lets us
compare individual patches in two iterations of a topic.
* The sideband code learned to optionally paint selected keywords at
the beginning of incoming lines on the receiving end.
* 'git branch --list' learned to take the default sort order from the
'branch.sort' configuration variable, just like 'git tag --list'
pays attention to 'tag.sort'.
* 'git worktree' command learned '--quiet' option to make it less
verbose.
git 2.18.0:
* improvements to rename detection logic
* When built with more recent cURL, GIT_SSL_VERSION can now
specify 'tlsv1.3' as its value.
* 'git mergetools' learned talking to guiffy.
* various other workflow improvements and fixes
* performance improvements and other developer visible fixes
Update to git 2.16.4: security fix release
git 2.17.1:
* Submodule 'names' come from the untrusted .gitmodules file, but
we blindly append them to $GIT_DIR/modules to create our on-disk
repo paths. This means you can do bad things by putting '../'
into the name. We now enforce some rules for submodule names
which will cause Git to ignore these malicious names
(CVE-2018-11235, bsc#1095219)
* It was possible to trick the code that sanity-checks paths on
NTFS into reading random piece of memory
(CVE-2018-11233, bsc#1095218)
* Support on the server side to reject pushes to repositories
that attempt to create such problematic .gitmodules file etc.
as tracked contents, to help hosting sites protect their
customers by preventing malicious contents from spreading.
git 2.17.0:
* 'diff' family of commands learned '--find-object=<object-id>' option
to limit the findings to changes that involve the named object.
* 'git format-patch' learned to give 72-cols to diffstat, which is
consistent with other line length limits the subcommand uses for
its output meant for e-mails.
* The log from 'git daemon' can be redirected with a new option; one
relevant use case is to send the log to standard error (instead of
syslog) when running it from inetd.
* 'git rebase' learned to take '--allow-empty-message' option.
* 'git am' has learned the '--quit' option, in addition to the
existing '--abort' option; having the pair mirrors a few other
commands like 'rebase' and 'cherry-pick'.
* 'git worktree add' learned to run the post-checkout hook, just like
'git clone' runs it upon the initial checkout.
* 'git tag' learned an explicit '--edit' option that allows the
message given via '-m' and '-F' to be further edited.
* 'git fetch --prune-tags' may be used as a handy short-hand for
getting rid of stale tags that are locally held.
* The new '--show-current-patch' option gives an end-user facing way
to get the diff being applied when 'git rebase' (and 'git am')
stops with a conflict.
* 'git add -p' used to offer '/' (look for a matching hunk) as a
choice, even there was only one hunk, which has been corrected.
Also the single-key help is now given only for keys that are
enabled (e.g. help for '/' won't be shown when there is only one
hunk).
* Since Git 1.7.9, 'git merge' defaulted to --no-ff (i.e. even when
the side branch being merged is a descendant of the current commit,
create a merge commit instead of fast-forwarding) when merging a
tag object. This was appropriate default for integrators who pull
signed tags from their downstream contributors, but caused an
unnecessary merges when used by downstream contributors who
habitually 'catch up' their topic branches with tagged releases
from the upstream. Update 'git merge' to default to --no-ff only
when merging a tag object that does *not* sit at its usual place in
refs/tags/ hierarchy, and allow fast-forwarding otherwise, to
mitigate the problem.
* 'git status' can spend a lot of cycles to compute the relation
between the current branch and its upstream, which can now be
disabled with '--no-ahead-behind' option.
* 'git diff' and friends learned funcname patterns for Go language
source files.
* 'git send-email' learned '--reply-to=<address>' option.
* Funcname pattern used for C# now recognizes 'async' keyword.
* In a way similar to how 'git tag' learned to honor the pager
setting only in the list mode, 'git config' learned to ignore the
pager setting when it is used for setting values (i.e. when the
purpose of the operation is not to 'show').
- Use %license instead of %doc [bsc#1082318]
git 2.16.3:
* 'git status' after moving a path in the working tree (hence
making it appear 'removed') and then adding with the -N option
(hence making that appear 'added') detected it as a rename, but
did not report the old and new pathnames correctly.
* 'git commit --fixup' did not allow '-m<message>' option to be
used at the same time; allow it to annotate resulting commit
with more text.
* When resetting the working tree files recursively, the working
tree of submodules are now also reset to match.
* Fix for a commented-out code to adjust it to a rather old API
change around object ID.
* When there are too many changed paths, 'git diff' showed a
warning message but in the middle of a line.
* The http tracing code, often used to debug connection issues,
learned to redact potentially sensitive information from its
output so that it can be more safely sharable.
* Crash fix for a corner case where an error codepath tried to
unlock what it did not acquire lock on.
* The split-index mode had a few corner case bugs fixed.
* Assorted fixes to 'git daemon'.
* Completion of 'git merge -s<strategy>' (in contrib/) did not
work well in non-C locale.
* Workaround for segfault with more recent versions of SVN.
* Recently introduced leaks in fsck have been plugged.
* Travis CI integration now builds the executable in 'script'
phase to follow the established practice, rather than during
'before_script' phase. This allows the CI categorize the
failures better ('failed' is project's fault, 'errored' is
build environment's).
- Drop superfluous xinetd snippet, no longer used (bsc#1084460)
- Build with asciidoctor for the recent distros (bsc#1075764)
- Move %{?systemd_requires} to daemon subpackage
- Create subpackage for libsecret credential helper.
git 2.16.2:
* An old regression in 'git describe --all $annotated_tag^0' has
been fixed.
* 'git svn dcommit' did not take into account the fact that a
svn+ssh:// URL with a username@ (typically used for pushing)
refers to the same SVN repository without the username@ and
failed when svn.pushmergeinfo option is set.
* 'git merge -Xours/-Xtheirs' learned to use our/their version
when resolving a conflicting updates to a symbolic link.
* 'git clone $there $here' is allowed even when here directory
exists as long as it is an empty directory, but the command
incorrectly removed it upon a failure of the operation.
* 'git stash -- <pathspec>' incorrectly blew away untracked files
in the directory that matched the pathspec, which has been
corrected.
* 'git add -p' was taught to ignore local changes to submodules
as they do not interfere with the partial addition of regular
changes anyway.
git 2.16.1:
* 'git clone' segfaulted when cloning a project that happens to
track two paths that differ only in case on a case insensitive
filesystem
git 2.16.0 (CVE-2017-15298, bsc#1063412):
* See https://raw.github.com/git/git/master/Documentation/RelNotes/2.16.0.txt
git 2.15.1:
* fix 'auto' column output
* fixes to moved lines diffing
* documentation updates
* fix use of repositories immediately under the root directory
* improve usage of libsecret
* fixes to various error conditions in git commands
- Rewrite from sysv init to systemd unit file for git-daemon
(bsc#1069803)
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (bsc#1069468)
- split off p4 to a subpackage (bsc#1067502)
- Build with the external libsha1detectcoll (bsc#1042644)
git 2.15.0:
* Use of an empty string as a pathspec element that is used for
'everything matches' is still warned and Git asks users to use a
more explicit '.' for that instead. Removal scheduled for 2.16
* Git now avoids blindly falling back to '.git' when the setup
sequence said we are _not_ in Git repository (another corner
case removed)
* 'branch --set-upstream' was retired, deprecated since 1.8
* many other improvements and updates
git 2.14.3:
* git send-email understands more cc: formats
* fixes so gitk --bisect
* git commit-tree fixed to handle -F file alike
* Prevent segfault in 'git cat-file --textconv'
* Fix function header parsing for HTML
* Various small fixes to user commands and and internal functions
git 2.14.2:
* fixes to color output
* http.{sslkey,sslCert} now interpret '~[username]/' prefix
* fixes to walking of reflogs via 'log -g' and friends
* various fixes to output correctness
* 'git push --recurse-submodules $there HEAD:$target' is now
propagated down to the submodules
* 'git clone --recurse-submodules --quiet' c$how propagates quiet
option down to submodules.
* 'git svn --localtime' correctness fixes
* 'git grep -L' and 'git grep --quiet -L' now report same exit code
* fixes to 'git apply' when converting line endings
* Various Perl scripts did not use safe_pipe_capture() instead
of backticks, leaving them susceptible to end-user input.
CVE-2017-14867 bsc#1061041
* 'git cvsserver' no longer is invoked by 'git daemon' by
default
git 2.14.1 (bsc#1052481):
* Security fix for CVE-2017-1000117: A malicious third-party can
give a crafted 'ssh://...' URL to an unsuspecting victim, and
an attempt to visit the URL can result in any program that
exists on the victim's machine being executed. Such a URL could
be placed in the .gitmodules file of a malicious project, and
an unsuspecting victim could be tricked into running
'git clone --recurse-submodules' to trigger the vulnerability.
* A 'ssh://...' URL can result in a 'ssh' command line with a
hostname that begins with a dash '-', which would cause the
'ssh' command to instead (mis)treat it as an option. This is
now prevented by forbidding such a hostname (which should not
impact any real-world usage).
* Similarly, when GIT_PROXY_COMMAND is configured, the command
is run with host and port that are parsed out from 'ssh://...'
URL; a poorly written GIT_PROXY_COMMAND could be tricked into
treating a string that begins with a dash '-' as an option.
This is now prevented by forbidding such a hostname and port
number (again, which should not impact any real-world usage).
* In the same spirit, a repository name that begins with a dash
'-' is also forbidden now.
git 2.14.0:
* Use of an empty string as a pathspec element that is used for
'everything matches' is deprecated, use '.'
* Avoid blindly falling back to '.git' when the setup sequence
indicates operation not on a Git repository
* 'indent heuristics' are now the default.
* Builds with pcre2
* Many bug fixes, improvements and updates
git 2.13.4:
* Update the character width tables.
* Fix an alias that contained an uppercase letter
* Progress meter fixes
* git gc concurrency fixes
git 2.13.3:
* various internal bug fixes
* Fix a regression to 'git rebase -i'
* Correct unaligned 32-bit access in pack-bitmap code
* Tighten error checks for invalid 'git apply' input
* The split index code did not honor core.sharedrepository setting
correctly
* Fix 'git branch --list' handling of color.branch.local
git 2.13.2:
* 'collision detecting' SHA-1 update for platform fixes
* 'git checkout --recurse-submodules' did not quite work with a
submodule that itself has submodules.
* The 'run-command' API implementation has been made more robust
against dead-locking in a threaded environment.
* 'git clean -d' now only cleans ignored files with '-x'
* 'git status --ignored' did not list ignored and untracked files
without '-uall'
* 'git pull --rebase --autostash' didn't auto-stash when the local
history fast-forwards to the upstream.
* 'git describe --contains' gives as much weight to lightweight
tags as annotated tags
* Fix 'git stash push <pathspec>' from a subdirectory
git 2.13.1:
* Setting 'log.decorate=false' in the configuration file did not
take effect in v2.13, which has been corrected.
* corrections to documentation and command help output
* garbage collection fixes
* memory leaks fixed
* receive-pack now makes sure that the push certificate records
the same set of push options used for pushing
* shell completion corrections for git stash
* fix 'git clone --config var=val' with empty strings
* internal efficiency improvements
* Update sha1 collision detection code for big-endian platforms
and platforms not supporting unaligned fetches
- Fix packaging of documentation
git 2.13.0:
* empty string as a pathspec element for 'everything matches'
is still warned, for future removal.
* deprecated argument order 'git merge <msg> HEAD <commit>...'
was removed
* default location '~/.git-credential-cache/socket' for the
socket used to communicate with the credential-cache daemon
moved to '~/.cache/git/credential/socket'.
* now avoid blindly falling back to '.git' when the setup
sequence indicated otherwise
* many workflow features, improvements and bug fixes
* add a hardened implementation of SHA1 in response to practical
collision attacks (CVE-2005-4900, bsc#1042640)
* CVE-2017-8386: On a server running git-shell as login shell to
restrict user to git commands, remote users may have been able
to have git service programs spawn an interactive pager
and thus escape the shell restrictions. (bsc#1038395)
Changes in pcre2:
- Include the libraries, development and tools packages.
git uses only libpcre2-8 so far, but this allows further
application usage of pcre2.
ImportantSUSE bug 1167890SUSE bug 1168930CVE-2020-5260 at SUSECVE-2020-5260 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_116 fixes several issues.
The following security issues were fixed:
- CVE-2021-27365: Fixed an issue where data structures did not have appropriate length constraints or checks, and could exceed the PAGE_SIZE value (bsc#1183491).
- CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1183120).
- CVE-2021-27364: Fixed an issue where an unprivileged user could craft Netlink messages (bsc#1182717).
ImportantSUSE bug 1182717SUSE bug 1183120SUSE bug 1183491CVE-2021-27363 at SUSECVE-2021-27363 at NVDCVE-2021-27364 at SUSECVE-2021-27364 at NVDCVE-2021-27365 at SUSECVE-2021-27365 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_121 fixes several issues.
The following security issues were fixed:
- CVE-2021-27365: Fixed an issue where data structures did not have appropriate length constraints or checks, and could exceed the PAGE_SIZE value (bsc#1183491).
- CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1183120).
- CVE-2021-27364: Fixed an issue where an unprivileged user could craft Netlink messages (bsc#1182717).
ImportantSUSE bug 1182717SUSE bug 1183120SUSE bug 1183491CVE-2021-27363 at SUSECVE-2021-27363 at NVDCVE-2021-27364 at SUSECVE-2021-27364 at NVDCVE-2021-27365 at SUSECVE-2021-27365 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_124 fixes several issues.
The following security issues were fixed:
- CVE-2021-27365: Fixed an issue where data structures did not have appropriate length constraints or checks, and could exceed the PAGE_SIZE value (bsc#1183491).
- CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1183120).
- CVE-2021-27364: Fixed an issue where an unprivileged user could craft Netlink messages (bsc#1182717).
ImportantSUSE bug 1182717SUSE bug 1183120SUSE bug 1183491CVE-2021-27363 at SUSECVE-2021-27363 at NVDCVE-2021-27364 at SUSECVE-2021-27364 at NVDCVE-2021-27365 at SUSECVE-2021-27365 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_127 fixes several issues.
The following security issues were fixed:
- CVE-2021-27365: Fixed an issue where data structures did not have appropriate length constraints or checks, and could exceed the PAGE_SIZE value (bsc#1183491).
- CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1183120).
- CVE-2021-27364: Fixed an issue where an unprivileged user could craft Netlink messages (bsc#1182717).
ImportantSUSE bug 1182717SUSE bug 1183120SUSE bug 1183491CVE-2021-27363 at SUSECVE-2021-27363 at NVDCVE-2021-27364 at SUSECVE-2021-27364 at NVDCVE-2021-27365 at SUSECVE-2021-27365 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_130 fixes several issues.
The following security issues were fixed:
- CVE-2021-27365: Fixed an issue where data structures did not have appropriate length constraints or checks, and could exceed the PAGE_SIZE value (bsc#1183491).
- CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1183120).
- CVE-2021-27364: Fixed an issue where an unprivileged user could craft Netlink messages (bsc#1182717).
ImportantSUSE bug 1182717SUSE bug 1183120SUSE bug 1183491CVE-2021-27363 at SUSECVE-2021-27363 at NVDCVE-2021-27364 at SUSECVE-2021-27364 at NVDCVE-2021-27365 at SUSECVE-2021-27365 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_135 fixes several issues.
The following security issues were fixed:
- CVE-2021-27365: Fixed an issue where data structures did not have appropriate length constraints or checks, and could exceed the PAGE_SIZE value (bsc#1183491).
- CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1183120).
- CVE-2021-27364: Fixed an issue where an unprivileged user could craft Netlink messages (bsc#1182717).
ImportantSUSE bug 1182717SUSE bug 1183120SUSE bug 1183491CVE-2021-27363 at SUSECVE-2021-27363 at NVDCVE-2021-27364 at SUSECVE-2021-27364 at NVDCVE-2021-27365 at SUSECVE-2021-27365 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_138 fixes several issues.
The following security issues were fixed:
- CVE-2021-27365: Fixed an issue where data structures did not have appropriate length constraints or checks, and could exceed the PAGE_SIZE value (bsc#1183491).
- CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1183120).
- CVE-2021-27364: Fixed an issue where an unprivileged user could craft Netlink messages (bsc#1182717).
ImportantSUSE bug 1182717SUSE bug 1183120SUSE bug 1183491CVE-2021-27363 at SUSECVE-2021-27363 at NVDCVE-2021-27364 at SUSECVE-2021-27364 at NVDCVE-2021-27365 at SUSECVE-2021-27365 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_141 fixes several issues.
The following security issues were fixed:
- CVE-2021-27365: Fixed an issue where data structures did not have appropriate length constraints or checks, and could exceed the PAGE_SIZE value (bsc#1183491).
- CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1183120).
- CVE-2021-27364: Fixed an issue where an unprivileged user could craft Netlink messages (bsc#1182717).
- CVE-2020-25645: Fixed an an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bsc#1177513).
- CVE-2020-0429: Fixed a memory corruption due to a use after free which could have led to local escalation of privilege with System execution privileges needed (bsc#1176931).
- CVE-2020-1749: Use ip6_dst_lookup_flow instead of ip6_dst_lookup (bsc#1165631).
ImportantSUSE bug 1165631SUSE bug 1176931SUSE bug 1177513SUSE bug 1182717SUSE bug 1183120SUSE bug 1183491CVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDCVE-2020-25645 at SUSECVE-2020-25645 at NVDCVE-2021-27363 at SUSECVE-2021-27363 at NVDCVE-2021-27364 at SUSECVE-2021-27364 at NVDCVE-2021-27365 at SUSECVE-2021-27365 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for fwupdate (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for fwupdate fixes the following issues:
- Add SBAT section to EFI images (bsc#1182057)
ImportantSUSE bug 1182057cpe:/o:suse:sles-espos:12:sp3Security update for spamassassin (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for spamassassin fixes the following issues:
- spamassassin was updated to version 3.4.5
- CVE-2019-12420: memory leak via crafted messages (bsc#1159133)
- CVE-2020-1946: security update (bsc#1184221)
ImportantSUSE bug 1159133SUSE bug 1184221CVE-2019-12420 at SUSECVE-2019-12420 at NVDCVE-2020-1946 at SUSECVE-2020-1946 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for xorg-x11-server fixes the following issues:
- CVE-2021-3472: XChangeFeedbackControl Integer Underflow Privilege Escalation (bsc#1180128)
ImportantSUSE bug 1180128CVE-2021-3472 at SUSECVE-2021-3472 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for clamav (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for clamav fixes the following issues:
- CVE-2021-1252: Fix for Excel XLM parser infinite loop. (bsc#1184532)
- CVE-2021-1404: Fix for PDF parser buffer over-read; possible crash. (bsc#1184533)
- CVE-2021-1405: Fix for mail parser NULL-dereference crash. (bsc#1184534)
- Fix errors when scanning files > 4G (bsc#1181256)
- Update clamav.keyring
- Update to 0.103.2
ImportantSUSE bug 1181256SUSE bug 1184532SUSE bug 1184533SUSE bug 1184534CVE-2021-1252 at SUSECVE-2021-1252 at NVDCVE-2021-1404 at SUSECVE-2021-1404 at NVDCVE-2021-1405 at SUSECVE-2021-1405 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for qemu (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for qemu fixes the following issues:
- Fix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)
- Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383)
- Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)
- Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)
- Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)
- Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)
- Fix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174)
- Fix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916, bsc#1179468)
- Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)
- Fix null pointer deref. (DoS) in mmio ops (CVE-2020-15469, bsc#1173612)
- Fix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577)
- Fix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968)
- Fix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416)
- Fix OOB access in SLIRP ARP packet processing (CVE-2020-29130, bsc#1179467)
- Fix null pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386
- Fix OOB access in iscsi (CVE-2020-11947 bsc#1180523)
- Fix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)
- Fix buffer overflow in the XGMAC device (CVE-2020-15863, bsc#1174386)
- Fix DoS in packet processing of various emulated NICs (CVE-2020-16092 bsc#1174641)
- Fix OOB access while processing USB packets (CVE-2020-14364 bsc#1175441)
- Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425)
- Fix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137)
- Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384)
- Fix OOB access in ROM loading (CVE-2020-13765 bsc#1172478)
ImportantSUSE bug 1172383SUSE bug 1172384SUSE bug 1172385SUSE bug 1172386SUSE bug 1172478SUSE bug 1173612SUSE bug 1174386SUSE bug 1174641SUSE bug 1175441SUSE bug 1176673SUSE bug 1176682SUSE bug 1176684SUSE bug 1178174SUSE bug 1178934SUSE bug 1179467SUSE bug 1179468SUSE bug 1180523SUSE bug 1181108SUSE bug 1181639SUSE bug 1182137SUSE bug 1182425SUSE bug 1182577SUSE bug 1182968CVE-2020-11947 at SUSECVE-2020-11947 at NVDCVE-2020-12829 at SUSECVE-2020-12829 at NVDCVE-2020-13361 at SUSECVE-2020-13361 at NVDCVE-2020-13362 at SUSECVE-2020-13362 at NVDCVE-2020-13659 at SUSECVE-2020-13659 at NVDCVE-2020-13765 at SUSECVE-2020-13765 at NVDCVE-2020-14364 at SUSECVE-2020-14364 at NVDCVE-2020-15469 at SUSECVE-2020-15469 at NVDCVE-2020-15863 at SUSECVE-2020-15863 at NVDCVE-2020-16092 at SUSECVE-2020-16092 at NVDCVE-2020-25084 at SUSECVE-2020-25084 at NVDCVE-2020-25624 at SUSECVE-2020-25624 at NVDCVE-2020-25625 at SUSECVE-2020-25625 at NVDCVE-2020-25723 at SUSECVE-2020-25723 at NVDCVE-2020-27617 at SUSECVE-2020-27617 at NVDCVE-2020-28916 at SUSECVE-2020-28916 at NVDCVE-2020-29130 at SUSECVE-2020-29130 at NVDCVE-2020-29443 at SUSECVE-2020-29443 at NVDCVE-2021-20181 at SUSECVE-2021-20181 at NVDCVE-2021-20203 at SUSECVE-2021-20203 at NVDCVE-2021-20257 at SUSECVE-2021-20257 at NVDCVE-2021-3416 at SUSECVE-2021-3416 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for xen fixes the following issues:
- CVE-2021-20257: xen: infinite loop issue in the e1000 NIC emulator (bsc#1182846).
- CVE-2021-27379: Fixed an issue where entries in the IOMMU were not being updated
under certain circumstances due to improper backport of XSA-321 (XSA-366, bsc#1182431).
ImportantSUSE bug 1182431SUSE bug 1182846CVE-2021-20257 at SUSECVE-2021-20257 at NVDCVE-2021-27379 at SUSECVE-2021-27379 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for sudo (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for sudo fixes the following issues:
- L3: Tenable Scan reports sudo is vulnerable to CVE-2021-3156 (bsc#1183936)
ImportantSUSE bug 1183936CVE-2021-3156 at SUSECVE-2021-3156 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
- Firefox was updated to 78.10.0 ESR (bsc#1184960)
* CVE-2021-23994: Out of bound write due to lazy initialization
* CVE-2021-23995: Use-after-free in Responsive Design Mode
* CVE-2021-23998: Secure Lock icon could have been spoofed
* CVE-2021-23961: More internal network hosts could have been probed by a malicious webpage
* CVE-2021-23999: Blob URLs may have been granted additional privileges
* CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an encoded URL
* CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead to null-reads
* CVE-2021-29946: Port blocking could be bypassed
ImportantSUSE bug 1184960CVE-2021-23961 at SUSECVE-2021-23961 at NVDCVE-2021-23994 at SUSECVE-2021-23994 at NVDCVE-2021-23995 at SUSECVE-2021-23995 at NVDCVE-2021-23998 at SUSECVE-2021-23998 at NVDCVE-2021-23999 at SUSECVE-2021-23999 at NVDCVE-2021-24002 at SUSECVE-2021-24002 at NVDCVE-2021-29945 at SUSECVE-2021-29945 at NVDCVE-2021-29946 at SUSECVE-2021-29946 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_124 fixes one issue.
The following security issues were fixed:
- CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc##1182294, bsc#1183646).
- CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1182294).
- CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1183022).
ImportantSUSE bug 1182294CVE-2021-26930 at SUSECVE-2021-26930 at NVDCVE-2021-26931 at SUSECVE-2021-26931 at NVDCVE-2021-28688 at SUSECVE-2021-28688 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_127 fixes one issue.
The following security issues were fixed:
- CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc##1182294, bsc#1183646).
- CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1182294).
- CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1183022).
ImportantSUSE bug 1182294CVE-2021-26930 at SUSECVE-2021-26930 at NVDCVE-2021-26931 at SUSECVE-2021-26931 at NVDCVE-2021-28688 at SUSECVE-2021-28688 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_130 fixes one issue.
The following security issues were fixed:
- CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc##1182294, bsc#1183646).
- CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1182294).
- CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1183022).
ImportantSUSE bug 1182294CVE-2021-26930 at SUSECVE-2021-26930 at NVDCVE-2021-26931 at SUSECVE-2021-26931 at NVDCVE-2021-28688 at SUSECVE-2021-28688 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_138 fixes one issue.
The following security issues were fixed:
- CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc##1182294, bsc#1183646).
- CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1182294).
- CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1183022).
ImportantSUSE bug 1182294CVE-2021-26930 at SUSECVE-2021-26930 at NVDCVE-2021-26931 at SUSECVE-2021-26931 at NVDCVE-2021-28688 at SUSECVE-2021-28688 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_141 fixes one issue.
The following security issue was fixed:
- CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc##1182294, bsc#1183646).
ImportantSUSE bug 1182294CVE-2021-28688 at SUSECVE-2021-28688 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_116 fixes one issue.
The following security issues were fixed:
- CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc##1182294, bsc#1183646).
- CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1182294).
- CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1183022).
ImportantSUSE bug 1182294CVE-2021-26930 at SUSECVE-2021-26930 at NVDCVE-2021-26931 at SUSECVE-2021-26931 at NVDCVE-2021-28688 at SUSECVE-2021-28688 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_121 fixes one issue.
The following security issues were fixed:
- CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc##1182294, bsc#1183646).
- CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1182294).
- CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1183022).
ImportantSUSE bug 1182294CVE-2021-26930 at SUSECVE-2021-26930 at NVDCVE-2021-26931 at SUSECVE-2021-26931 at NVDCVE-2021-28688 at SUSECVE-2021-28688 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_135 fixes one issue.
The following security issues were fixed:
- CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc##1182294, bsc#1183646).
- CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1182294).
- CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1183022).
ImportantSUSE bug 1182294CVE-2021-26930 at SUSECVE-2021-26930 at NVDCVE-2021-26931 at SUSECVE-2021-26931 at NVDCVE-2021-28688 at SUSECVE-2021-28688 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libnettle (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libnettle fixes the following issues:
- CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401, bsc#1183835).
ImportantSUSE bug 1183835SUSE bug 1184401CVE-2021-20305 at SUSECVE-2021-20305 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for gdm (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for gdm fixes the following issues:
- Avoid the signal SIGTRAP when gdm exits (bsc#1184456).
ImportantSUSE bug 1184456cpe:/o:suse:sles-espos:12:sp3Security update for tomcat (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for tomcat fixes the following issues:
- CVE-2021-25329: Complete fix for CVE-2020-9484 (bsc#1182909)
ImportantSUSE bug 1182909CVE-2021-25329 at SUSECVE-2021-25329 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_7_0-openjdk (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_7_0-openjdk fixes the following issues:
- Update to 2.6.25 - OpenJDK 7u291 (January 2021 CPU, bsc#1181239)
* Security fixes
+ JDK-8247619: Improve Direct Buffering of Characters
* Import of OpenJDK 7 u291 build 1
+ JDK-8254177: (tz) Upgrade time-zone data to tzdata2020b
+ JDK-8254982: (tz) Upgrade time-zone data to tzdata2020c
+ JDK-8255226: (tz) Upgrade time-zone data to tzdata2020d
ModerateSUSE bug 1181239cpe:/o:suse:sles-espos:12:sp3Security update for cups (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for cups fixes the following issues:
- CVE-2021-25317: ownership of /var/log/cups could allow privilege escalation from lp user to root via symlink attacks (bsc#1184161)
ImportantSUSE bug 1184161CVE-2021-25317 at SUSECVE-2021-25317 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for bind (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for bind fixes the following issues:
- CVE-2021-25214: Fixed a broken inbound incremental zone update (IXFR) which could have caused named to terminate unexpectedly (bsc#1185345).
- CVE-2021-25215: Fixed an assertion check which could have failed while answering queries for DNAME records that required the DNAME to be processed to resolve itself (bsc#1185345).
- CVE-2021-25216: Fixed an issue where policy negotiation can be targeted by a buffer overflow attack (bsc#1185345).
- MD5 warning message using host, dig, nslookup (bind-utils) with FIPS enabled (bsc#1181495).
ImportantSUSE bug 1181495SUSE bug 1185345CVE-2021-25214 at SUSECVE-2021-25214 at NVDCVE-2021-25215 at SUSECVE-2021-25215 at NVDCVE-2021-25216 at SUSECVE-2021-25216 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for samba (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for samba fixes the following issues:
- CVE-2021-20254: Fixed a buffer overrun in sids_to_unixids() (bsc#1184677).
- Avoid free'ing our own pointer in memcache when memcache_trim attempts to reduce cache size (bsc#1179156).
- Adjust smbcacls '--propagate-inheritance' feature to align with upstream (bsc#1178469).
ImportantSUSE bug 1178469SUSE bug 1179156SUSE bug 1184677CVE-2021-20254 at SUSECVE-2021-20254 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for avahi (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for avahi fixes the following issues:
- CVE-2021-3468: avoid infinite loop by handling HUP event in client_work (bsc#1184521).
ImportantSUSE bug 1184521CVE-2021-3468 at SUSECVE-2021-3468 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for python3 fixes the following issues:
Security issues fixed:
- CVE-2020-27619: where Lib/test/multibytecodec_support calls eval() on content retrieved via HTTP. (bsc#1178009)
Other fixes:
- Make sure to close the 'import_failed.map' file after the exception
has been raised in order to avoid ResourceWarnings when the
failing import is part of a try...except block
ImportantCVE-2020-27619 at SUSECVE-2020-27619 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
The SUSE Linux Enterprise 12 SP2 LTSS kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-36312: Fixed an issue in virt/kvm/kvm_main.c that had a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure (bnc#1184509).
- CVE-2021-29650: Fixed an issue inside the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).
- CVE-2020-27673: Fixed an issue in Xen where a guest OS users could have caused a denial of service (host OS hang) via a high rate of events to dom0 (bnc#1177411, bnc#1184583).
- CVE-2021-29154: Fixed BPF JIT compilers that allowed to execute arbitrary code within the kernel context (bnc#1184391).
- CVE-2020-25673: Fixed NFC endless loops caused by repeated llcp_sock_connect() (bsc#1178181).
- CVE-2020-25672: Fixed NFC memory leak in llcp_sock_connect() (bsc#1178181).
- CVE-2020-25671: Fixed NFC refcount leak in llcp_sock_connect() (bsc#1178181).
- CVE-2020-25670: Fixed NFC refcount leak in llcp_sock_bind() (bsc#1178181).
- CVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h where a 'stall on CPU' could have occured because a retry loop continually finds the same bad inode (bnc#1184194, bnc#1184211).
- CVE-2020-36322: Fixed an issue inside the FUSE filesystem implementation where fuse_do_getattr() calls make_bad_inode() in inappropriate situations, could have caused a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bnc#1184211).
- CVE-2021-30002: Fixed a memory leak issue when a webcam device exists (bnc#1184120).
- CVE-2021-3483: Fixed a use-after-free bug in nosy_ioctl() (bsc#1184393).
- CVE-2021-20219: Fixed a denial of service vulnerability in drivers/tty/n_tty.c of the Linux kernel. In this flaw a local attacker with a normal user privilege could have delayed the loop and cause a threat to the system availability (bnc#1184397).
- CVE-2021-29265: Fixed an issue in usbip_sockfd_store in drivers/usb/usbip/stub_dev.c that allowed attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status (bnc#1184167).
- CVE-2021-29264: Fixed an issue in drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver that allowed attackers to cause a system crash because a negative fragment size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is enabled (bnc#1184168).
- CVE-2021-28972: Fixed an issue in drivers/pci/hotplug/rpadlpar_sysfs.c where the RPA PCI Hotplug driver had a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and remove_slot_store mishandle drc_name '\0' termination (bnc#1184198).
- CVE-2021-28660: Fixed rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c that allowed writing beyond the end of the ssid array (bnc#1183593).
- CVE-2020-0433: Fixed blk_mq_queue_tag_busy_iter of blk-mq-tag.c, where a possible use after free due to improper locking could have happened. This could have led to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bnc#1176720).
- CVE-2021-28038: Fixed an issue with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931 (bnc#1183022, bnc#1183069).
- CVE-2021-27365: Fixed an issue inside the iSCSI data structures that does not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bnc#1182715).
- CVE-2021-27363: Fixed an issue with a kernel pointer leak that could have been used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables (bnc#1182716).
- CVE-2021-27364: Fixed an issue in drivers/scsi/scsi_transport_iscsi.c where an unprivileged user can craft Netlink messages (bnc#1182717).
- CVE-2020-1749: Fixed a flaw inside of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality (bnc#1165629).
The following non-security bugs were fixed:
- bluetooth: eliminate the potential race condition when removing the HCI controller (bsc#1184611).
- Btrfs: add missing extents release on file extent cluster relocation error (bsc#1159483).
- btrfs: change timing for qgroup reserved space for ordered extents to fix reserved space leak (bsc#1172247).
- btrfs: Cleanup try_flush_qgroup (bsc#1182047).
- btrfs: Do not flush from btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: drop unused parameter qgroup_reserved (bsc#1182261).
- btrfs: fix qgroup data rsv leak caused by falloc failure (bsc#1182261).
- btrfs: fix qgroup_free wrong num_bytes in btrfs_subvolume_reserve_metadata (bsc#1182261).
- btrfs: Free correct amount of space in btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: inode: move qgroup reserved space release to the callers of insert_reserved_file_extent() (bsc#1172247).
- btrfs: inode: refactor the parameters of insert_reserved_file_extent() (bsc#1172247).
- btrfs: make btrfs_ordered_extent naming consistent with btrfs_file_extent_item (bsc#1172247).
- btrfs: qgroup: allow to unreserve range without releasing other ranges (bsc#1120163).
- btrfs: qgroup: Always free PREALLOC META reserve in btrfs_delalloc_release_extents() (bsc#1155179).
- btrfs: qgroup: do not commit transaction when we already hold the handle (bsc#1178634).
- btrfs: qgroup: Do not hold qgroup_ioctl_lock in btrfs_qgroup_inherit() (bsc#1165823).
- btrfs: qgroup: do not try to wait flushing if we're already holding a transaction (bsc#1179575).
- btrfs: qgroup: Fix a bug that prevents qgroup to be re-enabled after disable (bsc#1172247).
- btrfs: qgroup: fix data leak caused by race between writeback and truncate (bsc#1172247).
- btrfs: qgroup: fix qgroup meta rsv leak for subvolume operations (bsc#1177856).
- btrfs: qgroup: Fix reserved data space leak if we have multiple reserve calls (bsc#1152975).
- btrfs: qgroup: Fix the wrong target io_tree when freeing reserved data space (bsc#1152974).
- btrfs: qgroup: fix wrong qgroup metadata reserve for delayed inode (bsc#1177855).
- btrfs: qgroup: mark qgroup inconsistent if we're inherting snapshot to a new qgroup (bsc#1165823).
- btrfs: qgroup: remove ASYNC_COMMIT mechanism in favor of reserve retry-after-EDQUOT (bsc#1120163).
- btrfs: qgroup: try to flush qgroup space when we get -EDQUOT (bsc#1120163).
- btrfs: remove unused parameter from btrfs_subvolume_release_metadata (bsc#1182261).
- btrfs: tracepoints: Fix bad entry members of qgroup events (bsc#1155186).
- btrfs: tracepoints: Fix wrong parameter order for qgroup events (bsc#1155184).
- ext4: check journal inode extents more carefully (bsc#1173485).
- ext4: do not allow overlapping system zones (bsc#1173485).
- ext4: handle error of ext4_setup_system_zone() on remount (bsc#1173485).
- hv_netvsc: remove ndo_poll_controller (bsc#1185248).
- KVM: Add proper lockdep assertion in I/O bus unregister (bsc#1185555).
- KVM: Destroy I/O bus devices on unregister failure _after_ sync'ing SRCU (bsc#1185556).
- KVM: Stop looking for coalesced MMIO zones if the bus is destroyed (bsc#1185557).
- xen-netback: respect gnttab_map_refs()'s return value (bsc#1183022 XSA-367).
- Xen/gnttab: handle p2m update errors on a per-slot basis (bsc#1183022 XSA-367).
ImportantSUSE bug 1120163SUSE bug 1152974SUSE bug 1152975SUSE bug 1155179SUSE bug 1155184SUSE bug 1155186SUSE bug 1159483SUSE bug 1165629SUSE bug 1165823SUSE bug 1172247SUSE bug 1173485SUSE bug 1176720SUSE bug 1177411SUSE bug 1177855SUSE bug 1177856SUSE bug 1178181SUSE bug 1178634SUSE bug 1179575SUSE bug 1182047SUSE bug 1182261SUSE bug 1182715SUSE bug 1182716SUSE bug 1182717SUSE bug 1183022SUSE bug 1183069SUSE bug 1183593SUSE bug 1184120SUSE bug 1184167SUSE bug 1184168SUSE bug 1184194SUSE bug 1184198SUSE bug 1184208SUSE bug 1184211SUSE bug 1184391SUSE bug 1184393SUSE bug 1184397SUSE bug 1184509SUSE bug 1184583SUSE bug 1184611SUSE bug 1185248SUSE bug 1185555SUSE bug 1185556SUSE bug 1185557CVE-2020-0433 at SUSECVE-2020-0433 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDCVE-2020-25670 at SUSECVE-2020-25670 at NVDCVE-2020-25671 at SUSECVE-2020-25671 at NVDCVE-2020-25672 at SUSECVE-2020-25672 at NVDCVE-2020-25673 at SUSECVE-2020-25673 at NVDCVE-2020-27673 at SUSECVE-2020-27673 at NVDCVE-2020-36312 at SUSECVE-2020-36312 at NVDCVE-2020-36322 at SUSECVE-2020-36322 at NVDCVE-2021-20219 at SUSECVE-2021-20219 at NVDCVE-2021-27363 at SUSECVE-2021-27363 at NVDCVE-2021-27364 at SUSECVE-2021-27364 at NVDCVE-2021-27365 at SUSECVE-2021-27365 at NVDCVE-2021-28038 at SUSECVE-2021-28038 at NVDCVE-2021-28660 at SUSECVE-2021-28660 at NVDCVE-2021-28950 at SUSECVE-2021-28950 at NVDCVE-2021-28972 at SUSECVE-2021-28972 at NVDCVE-2021-29154 at SUSECVE-2021-29154 at NVDCVE-2021-29264 at SUSECVE-2021-29264 at NVDCVE-2021-29265 at SUSECVE-2021-29265 at NVDCVE-2021-29650 at SUSECVE-2021-29650 at NVDCVE-2021-30002 at SUSECVE-2021-30002 at NVDCVE-2021-3483 at SUSECVE-2021-3483 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for djvulibre (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for djvulibre fixes the following issues:
Security issues fixed:
- CVE-2021-32491 [bsc#1185900]: Integer overflow in function render() in tools/ddjvu via crafted djvu file
- CVE-2021-32492 [bsc#1185904]: Out of bounds read in function DJVU:DataPool:has_data() via crafted djvu file
- CVE-2021-32493 [bsc#1185905]: Heap buffer overflow in function DJVU:GBitmap:decode() via crafted djvu file
ImportantSUSE bug 1185900SUSE bug 1185904SUSE bug 1185905CVE-2019-18804 at SUSECVE-2019-18804 at NVDCVE-2021-32491 at SUSECVE-2021-32491 at NVDCVE-2021-32492 at SUSECVE-2021-32492 at NVDCVE-2021-32493 at SUSECVE-2021-32493 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for graphviz (Critical)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for graphviz fixes the following issues:
- CVE-2020-18032: Fixed possible remote code execution via buffer overflow (bsc#1185833).
CriticalSUSE bug 1185833CVE-2020-18032 at SUSECVE-2020-18032 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libxml2 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libxml2 fixes the following issues:
Security issues fixed:
CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698)
- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).
ImportantSUSE bug 1185408SUSE bug 1185409SUSE bug 1185410SUSE bug 1185698CVE-2021-3516 at SUSECVE-2021-3516 at NVDCVE-2021-3517 at SUSECVE-2021-3517 at NVDCVE-2021-3518 at SUSECVE-2021-3518 at NVDCVE-2021-3537 at SUSECVE-2021-3537 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for dnsmasq (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for dnsmasq fixes the following issues:
- bsc#1177077: Fixed DNSpooq vulnerabilities
- CVE-2020-25684, CVE-2020-25685, CVE-2020-25686:
Fixed multiple Cache Poisoning attacks.
- CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687:
Fixed multiple potential Heap-based overflows when DNSSEC is
enabled.
- Retry query to other servers on receipt of SERVFAIL rcode
(bsc#1176076)
ImportantSUSE bug 1176076SUSE bug 1177077CVE-2020-25681 at SUSECVE-2020-25681 at NVDCVE-2020-25682 at SUSECVE-2020-25682 at NVDCVE-2020-25683 at SUSECVE-2020-25683 at NVDCVE-2020-25684 at SUSECVE-2020-25684 at NVDCVE-2020-25685 at SUSECVE-2020-25685 at NVDCVE-2020-25686 at SUSECVE-2020-25686 at NVDCVE-2020-25687 at SUSECVE-2020-25687 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for flac (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for flac fixes the following issues:
- CVE-2020-0499: Fixed an out-of-bounds access (bsc#1180099).
ModerateSUSE bug 1180099CVE-2020-0499 at SUSECVE-2020-0499 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for dovecot22 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for dovecot22 fixes the following issues:
- CVE-2020-24386: Fixed an issue with IMAP hibernation that allowed users to access other users' emails (bsc#1180405).
ImportantSUSE bug 1180405CVE-2020-24386 at SUSECVE-2020-24386 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for djvulibre (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for djvulibre fixes the following issues:
- CVE-2021-3500: Stack overflow in function DJVU:DjVuDocument:get_djvu_file() via crafted djvu file (bsc#1186253)
ImportantSUSE bug 1186253CVE-2021-3500 at SUSECVE-2021-3500 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for dhcp (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for dhcp fixes the following issues:
- CVE-2021-25217: A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient (bsc#1186382)
ImportantSUSE bug 1186382CVE-2021-25217 at SUSECVE-2021-25217 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libwebp (Critical)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libwebp fixes the following issues:
- CVE-2018-25010: Fixed heap-based buffer overflow in ApplyFilter() (bsc#1185685).
- CVE-2020-36330: Fixed heap-based buffer overflow in ChunkVerifyAndAssign() (bsc#1185691).
- CVE-2020-36332: Fixed extreme memory allocation when reading a file (bsc#1185674).
- CVE-2020-36329: Fixed use-after-free in EmitFancyRGB() (bsc#1185652).
- CVE-2018-25012: Fixed heap-based buffer overflow in GetLE24() (bsc#1185690).
- CVE-2018-25013: Fixed heap-based buffer overflow in ShiftBytes() (bsc#1185654).
- CVE-2020-36331: Fixed heap-based buffer overflow in ChunkAssignData() (bsc#1185686).
- CVE-2018-25009: Fixed heap-based buffer overflow in GetLE16() (bsc#1185673).
- CVE-2018-25011: Fixed fail on multiple image chunks (bsc#1186247).
CriticalSUSE bug 1185652SUSE bug 1185654SUSE bug 1185673SUSE bug 1185674SUSE bug 1185685SUSE bug 1185686SUSE bug 1185690SUSE bug 1185691SUSE bug 1186247CVE-2018-25009 at SUSECVE-2018-25009 at NVDCVE-2018-25010 at SUSECVE-2018-25010 at NVDCVE-2018-25011 at SUSECVE-2018-25011 at NVDCVE-2018-25012 at SUSECVE-2018-25012 at NVDCVE-2018-25013 at SUSECVE-2018-25013 at NVDCVE-2020-36329 at SUSECVE-2020-36329 at NVDCVE-2020-36330 at SUSECVE-2020-36330 at NVDCVE-2020-36331 at SUSECVE-2020-36331 at NVDCVE-2020-36332 at SUSECVE-2020-36332 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for polkit (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for polkit fixes the following issues:
- CVE-2021-3560: Fixed a local privilege escalation using polkit_system_bus_name_get_creds_sync() (bsc#1186497).
ImportantSUSE bug 1186497CVE-2021-3560 at SUSECVE-2021-3560 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_135 fixes several issues.
The following security issues were fixed:
- Fix a kernel warning during sysfs read (bsc#1186235)
- CVE-2020-36322: An issue was discovered in the FUSE filesystem implementation in the Linux kernel aka CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bsc#1184952).
- CVE-2021-29154: BPF JIT compilers in the Linux kernel have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c (bsc#1184710)
ImportantSUSE bug 1184710SUSE bug 1184952SUSE bug 1186235CVE-2020-36322 at SUSECVE-2020-36322 at NVDCVE-2021-29154 at SUSECVE-2021-29154 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_130 fixes several issues.
The following security issues were fixed:
- Fix a kernel warning during sysfs read (bsc#1186235)
- CVE-2020-36322: An issue was discovered in the FUSE filesystem implementation in the Linux kernel aka CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bsc#1184952).
- CVE-2021-29154: BPF JIT compilers in the Linux kernel have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c (bsc#1184710)
ImportantSUSE bug 1184710SUSE bug 1184952SUSE bug 1186235CVE-2020-36322 at SUSECVE-2020-36322 at NVDCVE-2021-29154 at SUSECVE-2021-29154 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_127 fixes several issues.
The following security issues were fixed:
- Fix a kernel warning during sysfs read (bsc#1186235)
- CVE-2020-36322: An issue was discovered in the FUSE filesystem implementation in the Linux kernel aka CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bsc#1184952).
- CVE-2021-29154: BPF JIT compilers in the Linux kernel have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c (bsc#1184710)
ImportantSUSE bug 1184710SUSE bug 1184952SUSE bug 1186235CVE-2020-36322 at SUSECVE-2020-36322 at NVDCVE-2021-29154 at SUSECVE-2021-29154 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_124 fixes several issues.
The following security issues were fixed:
- Fix a kernel warning during sysfs read (bsc#1186235)
- CVE-2020-36322: An issue was discovered in the FUSE filesystem implementation in the Linux kernel aka CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bsc#1184952).
- CVE-2021-29154: BPF JIT compilers in the Linux kernel have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c (bsc#1184710)
ImportantSUSE bug 1184710SUSE bug 1184952SUSE bug 1186235CVE-2020-36322 at SUSECVE-2020-36322 at NVDCVE-2021-29154 at SUSECVE-2021-29154 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_121 fixes several issues.
The following security issues were fixed:
- Fix a kernel warning during sysfs read (bsc#1186235)
- CVE-2020-36322: An issue was discovered in the FUSE filesystem implementation in the Linux kernel aka CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bsc#1184952).
- CVE-2021-29154: BPF JIT compilers in the Linux kernel have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c (bsc#1184710)
ImportantSUSE bug 1184710SUSE bug 1184952SUSE bug 1186235CVE-2020-36322 at SUSECVE-2020-36322 at NVDCVE-2021-29154 at SUSECVE-2021-29154 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_141 fixes several issues.
The following security issues were fixed:
- CVE-2020-36322: Fixed an issue inside the FUSE filesystem implementation where fuse_do_getattr() calls make_bad_inode() in inappropriate situations, could have caused a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bsc#1184952).
- CVE-2021-29154: Fixed BPF JIT compilers that allowed to execute arbitrary code within the kernel context (bsc#1184710)
ImportantSUSE bug 1184710SUSE bug 1184952CVE-2020-36322 at SUSECVE-2020-36322 at NVDCVE-2021-29154 at SUSECVE-2021-29154 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_138 fixes several issues.
The following security issues were fixed:
- CVE-2020-36322: Fixed an issue inside the FUSE filesystem implementation where fuse_do_getattr() calls make_bad_inode() in inappropriate situations, could have caused a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bsc#1184952).
- CVE-2021-29154: Fixed BPF JIT compilers that allowed to execute arbitrary code within the kernel context (bsc#1184710)
ImportantSUSE bug 1184710SUSE bug 1184952CVE-2020-36322 at SUSECVE-2020-36322 at NVDCVE-2021-29154 at SUSECVE-2021-29154 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for gstreamer-plugins-bad (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for gstreamer-plugins-bad fixes the following issues:
- CVE-2021-3185: Fixed buffer overflow in gst_h264_slice_parse_dec_ref_pic_marking (bsc#1181255).
ImportantSUSE bug 1181255CVE-2021-3185 at SUSECVE-2021-3185 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 78.11.0 ESR (bsc#1186696)
* CVE-2021-29964: Out of bounds-read when parsing a `WM_COPYDATA` message
* CVE-2021-29967: Memory safety bugs fixed in Firefox
ImportantSUSE bug 1185633SUSE bug 1186696CVE-2021-29951 at SUSECVE-2021-29951 at NVDCVE-2021-29964 at SUSECVE-2021-29964 at NVDCVE-2021-29967 at SUSECVE-2021-29967 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libX11 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libX11 fixes the following issues:
- Regression in the fix for CVE-2021-31535, causing segfaults for xforms applications like fdesign (bsc#1186643)
ImportantSUSE bug 1186643CVE-2021-31535 at SUSECVE-2021-31535 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for qemu (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for qemu fixes the following issues:
- Fix OOB access during mmio operations (CVE-2020-13754, bsc#1172382)
- Fix out-of-bounds read information disclosure in icmp6_send_echoreply (CVE-2020-10756, bsc#1172380)
- Fix out-of-bound heap buffer access via an interrupt ID field (CVE-2021-20221, bsc#1181933)
- For the record, these issues are fixed in this package already.
Most are alternate references to previously mentioned issues:
(CVE-2019-15890, bsc#1149813, CVE-2020-8608, bsc#1163019,
CVE-2020-14364, bsc#1175534, CVE-2020-25707, bsc#1178683,
CVE-2020-25723, bsc#1178935, CVE-2020-29130, bsc#1179477,
CVE-2021-20257, bsc#1182846, CVE-2021-3419, bsc#1182975,
bsc#1094725)
ImportantSUSE bug 1094725SUSE bug 1149813SUSE bug 1163019SUSE bug 1172380SUSE bug 1172382SUSE bug 1175534SUSE bug 1178683SUSE bug 1178935SUSE bug 1179477SUSE bug 1181933SUSE bug 1182846SUSE bug 1182975CVE-2019-15890 at SUSECVE-2019-15890 at NVDCVE-2020-10756 at SUSECVE-2020-10756 at NVDCVE-2020-13754 at SUSECVE-2020-13754 at NVDCVE-2020-14364 at SUSECVE-2020-14364 at NVDCVE-2020-25707 at SUSECVE-2020-25707 at NVDCVE-2020-25723 at SUSECVE-2020-25723 at NVDCVE-2020-29130 at SUSECVE-2020-29130 at NVDCVE-2020-8608 at SUSECVE-2020-8608 at NVDCVE-2021-20221 at SUSECVE-2021-20221 at NVDCVE-2021-20257 at SUSECVE-2021-20257 at NVDCVE-2021-3419 at SUSECVE-2021-3419 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_7_1-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_7_1-ibm fixes the following issues:
- Update to Java 7.1 Service Refresh 4 Fix Pack 75 [bsc#1180063, bsc#1177943]
CVE-2020-14792 CVE-2020-14797 CVE-2020-14782 CVE-2020-14781
CVE-2020-14779 CVE-2020-14798 CVE-2020-14796 CVE-2020-14803
* Class Libraries:
- Z/OS specific C function send_file is changing the file pointer position
* Security:
- Add the new oracle signer certificate
- Certificate parsing error
- JVM memory growth can be caused by the IBMPKCS11IMPL crypto provider
- Remove check for websphere signed jars
- sessionid.hashcode generates too many collisions
- The Java 8 IBM certpath provider does not honor the user
specified system property for CLR connect timeout
ModerateSUSE bug 1177943SUSE bug 1180063CVE-2020-14779 at SUSECVE-2020-14779 at NVDCVE-2020-14781 at SUSECVE-2020-14781 at NVDCVE-2020-14782 at SUSECVE-2020-14782 at NVDCVE-2020-14792 at SUSECVE-2020-14792 at NVDCVE-2020-14796 at SUSECVE-2020-14796 at NVDCVE-2020-14797 at SUSECVE-2020-14797 at NVDCVE-2020-14798 at SUSECVE-2020-14798 at NVDCVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for spice (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for spice fixes the following issues:
- CVE-2021-20201: client initiated renegotiation causing denial of service (bsc#1181686)
ImportantSUSE bug 1181686CVE-2021-20201 at SUSECVE-2021-20201 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for ucode-intel fixes the following issues:
Updated to Intel CPU Microcode 20210608 release.
- CVE-2020-24513: A domain bypass transient execution vulnerability was discovered on some Intel Atom processors that use a micro-architectural incident channel. (INTEL-SA-00465 bsc#1179833)
See also: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00465.html
- CVE-2020-24511: The IBRS feature to mitigate Spectre variant 2 transient execution side channel vulnerabilities may not fully prevent non-root (guest) branches from controlling the branch predictions of the root (host) (INTEL-SA-00464 bsc#1179836)
See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html)
- CVE-2020-24512: Fixed trivial data value cache-lines such as all-zero value cache-lines may lead to changes in cache-allocation or write-back behavior for such cache-lines (bsc#1179837 INTEL-SA-00464)
See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html)
- CVE-2020-24489: Fixed Intel VT-d device pass through potential local privilege escalation (INTEL-SA-00442 bsc#1179839)
See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00442.html
Other fixes:
- Update for functional issues. Refer to [Third Generation Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/637780)for details.
- Update for functional issues. Refer to [Second Generation Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/338848) for details.
- Update for functional issues. Refer to [Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/613537) for details.
- Update for functional issues. Refer to [Intel Xeon Processor D-1500, D-1500 NS and D-1600 NS Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-d-1500-specification-update.html) for details.
- Update for functional issues. Refer to [Intel Xeon E7-8800 and E7-4800 v3 Processor Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e7-v3-spec-update.html) for details.
- Update for functional issues. Refer to [Intel Xeon Processor E5 v3 Product Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html?wapkw=processor+spec+update+e5) for details.
- Update for functional issues. Refer to [10th Gen Intel Core Processor Families Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/10th-gen-core-families-specification-update.html) for details.
- Update for functional issues. Refer to [8th and 9th Gen Intel Core Processor Family Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/8th-gen-core-spec-update.html) for details.
- Update for functional issues. Refer to [7th Gen and 8th Gen (U Quad-Core) Intel Processor Families Specification Update](https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-spec-update.html) for details.
- Update for functional issues. Refer to [6th Gen Intel Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/332689) for details.
- Update for functional issues. Refer to [Intel Xeon E3-1200 v6 Processor Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v6-spec-update.html) for details.
- Update for functional issues. Refer to [Intel Xeon E-2100 and E-2200 Processor Family Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-e-2100-specification-update.html) for details.
- New platforms:
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| CLX-SP | A0 | 06-55-05/b7 | | 03000010 | Xeon Scalable Gen2
| ICX-SP | C0 | 06-6a-05/87 | | 0c0002f0 | Xeon Scalable Gen3
| ICX-SP | D0 | 06-6a-06/87 | | 0d0002a0 | Xeon Scalable Gen3
| SNR | B0 | 06-86-04/01 | | 0b00000f | Atom P59xxB
| SNR | B1 | 06-86-05/01 | | 0b00000f | Atom P59xxB
| TGL | B1 | 06-8c-01/80 | | 00000088 | Core Gen11 Mobile
| TGL-R | C0 | 06-8c-02/c2 | | 00000016 | Core Gen11 Mobile
| TGL-H | R0 | 06-8d-01/c2 | | 0000002c | Core Gen11 Mobile
| EHL | B1 | 06-96-01/01 | | 00000011 | Pentium J6426/N6415, Celeron J6412/J6413/N6210/N6211, Atom x6000E
| JSL | A0/A1 | 06-9c-00/01 | | 0000001d | Pentium N6000/N6005, Celeron N4500/N4505/N5100/N5105
| RKL-S | B0 | 06-a7-01/02 | | 00000040 | Core Gen11
- Updated platforms:
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000044 | 00000046 | Core Gen4 X series; Xeon E5 v3
| HSX-EX | E0 | 06-3f-04/80 | 00000016 | 00000019 | Xeon E7 v3
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000e2 | 000000ea | Core Gen6 Mobile
| SKL-U23e | K1 | 06-4e-03/c0 | 000000e2 | 000000ea | Core Gen6 Mobile
| BDX-ML | B0/M0/R0 | 06-4f-01/ef | 0b000038 | 0b00003e | Xeon E5/E7 v4; Core i7-69xx/68xx
| SKX-SP | B1 | 06-55-03/97 | 01000159 | 0100015b | Xeon Scalable
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006a0a | 02006b06 | Xeon Scalable
| SKX-D | M1 | 06-55-04/b7 | 02006a0a | 02006b06 | Xeon D-21xx
| CLX-SP | B0 | 06-55-06/bf | 04003006 | 04003102 | Xeon Scalable Gen2
| CLX-SP | B1 | 06-55-07/bf | 05003006 | 05003102 | Xeon Scalable Gen2
| CPX-SP | A1 | 06-55-0b/bf | 0700001e | 07002302 | Xeon Scalable Gen3
| BDX-DE | V2/V3 | 06-56-03/10 | 07000019 | 0700001b | Xeon D-1518/19/21/27/28/31/33/37/41/48, Pentium D1507/08/09/17/19
| BDX-DE | Y0 | 06-56-04/10 | 0f000017 | 0f000019 | Xeon D-1557/59/67/71/77/81/87
| BDX-NS | A0 | 06-56-05/10 | 0e00000f | 0e000012 | Xeon D-1513N/23/33/43/53
| APL | D0 | 06-5c-09/03 | 00000040 | 00000044 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
| APL | E0 | 06-5c-0a/03 | 0000001e | 00000020 | Atom x5-E39xx
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000e2 | 000000ea | Core Gen6; Xeon E3 v5
| DNV | B0 | 06-5f-01/01 | 0000002e | 00000034 | Atom C Series
| GLK | B0 | 06-7a-01/01 | 00000034 | 00000036 | Pentium Silver N/J5xxx, Celeron N/J4xxx
| GKL-R | R0 | 06-7a-08/01 | 00000018 | 0000001a | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| ICL-U/Y | D1 | 06-7e-05/80 | 000000a0 | 000000a6 | Core Gen10 Mobile
| LKF | B2/B3 | 06-8a-01/10 | 00000028 | 0000002a | Core w/Hybrid Technology
| AML-Y22 | H0 | 06-8e-09/10 | 000000de | 000000ea | Core Gen8 Mobile
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000de | 000000ea | Core Gen7 Mobile
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000e0 | 000000ea | Core Gen8 Mobile
| WHL-U | W0 | 06-8e-0b/d0 | 000000de | 000000ea | Core Gen8 Mobile
| AML-Y42 | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen10 Mobile
| CML-Y42 | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen10 Mobile
| WHL-U | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen8 Mobile
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000de | 000000ea | Core Gen7; Xeon E3 v6
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000de | 000000ea | Core Gen8 Desktop, Mobile, Xeon E
| CFL-S | B0 | 06-9e-0b/02 | 000000de | 000000ea | Core Gen8
| CFL-H/S | P0 | 06-9e-0c/22 | 000000de | 000000ea | Core Gen9
| CFL-H | R0 | 06-9e-0d/22 | 000000de | 000000ea | Core Gen9 Mobile
| CML-H | R1 | 06-a5-02/20 | 000000e0 | 000000ea | Core Gen10 Mobile
| CML-S62 | G1 | 06-a5-03/22 | 000000e0 | 000000ea | Core Gen10
| CML-S102 | Q0 | 06-a5-05/22 | 000000e0 | 000000ec | Core Gen10
| CML-U62 | A0 | 06-a6-00/80 | 000000e0 | 000000e8 | Core Gen10 Mobile
| CML-U62 V2 | K0 | 06-a6-01/80 | 000000e0 | 000000ea | Core Gen10 Mobile
ImportantSUSE bug 1179833SUSE bug 1179836SUSE bug 1179837SUSE bug 1179839CVE-2020-24489 at SUSECVE-2020-24489 at NVDCVE-2020-24511 at SUSECVE-2020-24511 at NVDCVE-2020-24512 at SUSECVE-2020-24512 at NVDCVE-2020-24513 at SUSECVE-2020-24513 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for caribou (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for caribou fixes the following issues:
Security issue fixed:
- CVE-2021-3567: Fixed a segfault when attempting to use shifted characters (bsc#1186617).
ImportantSUSE bug 1186617CVE-2021-3567 at SUSECVE-2021-3567 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for freeradius-server (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for freeradius-server fixes the following issues:
- Do not log passwords in logfiles (bsc#1184016)
ModerateSUSE bug 1184016cpe:/o:suse:sles-espos:12:sp3Security update for java-1_8_0-openjdk (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_8_0-openjdk fixes the following issues:
- Update to version jdk8u292 (icedtea 3.19.0).
- CVE-2021-2161: Fixed incomplete enforcement of JAR signing disabled algorithms (bsc#1185055).
ModerateSUSE bug 1185055CVE-2021-2163 at SUSECVE-2021-2163 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for ImageMagick (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for ImageMagick fixes the following issues:
- CVE-2020-19667: Fixed a stack buffer overflow in XPM coder could result in a crash (bsc#1179103).
- CVE-2020-25664: Fixed a heap-based buffer overflow in PopShortPixel (bsc#1179202).
- CVE-2020-25665: Fixed a heap-based buffer overflow in WritePALMImage (bsc#1179208).
- CVE-2020-25666: Fixed an outside the range of representable values of type 'int' and signed integer overflow (bsc#1179212).
- CVE-2020-25674: Fixed a heap-based buffer overflow in WriteOnePNGImage (bsc#1179223).
- CVE-2020-25675: Fixed an outside the range of representable values of type 'long' and integer overflow (bsc#1179240).
- CVE-2020-25676: Fixed an outside the range of representable values of type 'long' and integer overflow at MagickCore/pixel.c (bsc#1179244).
- CVE-2020-27750: Fixed an division by zero in MagickCore/colorspace-private.h (bsc#1179260).
- CVE-2020-27751: Fixed an integer overflow in MagickCore/quantum-export.c (bsc#1179269).
- CVE-2020-27752: Fixed a heap-based buffer overflow in PopShortPixel in MagickCore/quantum-private.h (bsc#1179346).
- CVE-2020-27753: Fixed memory leaks in AcquireMagickMemory function (bsc#1179397).
- CVE-2020-27754: Fixed an outside the range of representable values of type 'long' and signed integer overflow at MagickCore/quantize.c (bsc#1179336).
- CVE-2020-27755: Fixed memory leaks in ResizeMagickMemory function in ImageMagick/MagickCore/memory.c (bsc#1179345).
- CVE-2020-27757: Fixed an outside the range of representable values of type 'unsigned long long' at MagickCore/quantum-private.h (bsc#1179268).
- CVE-2020-27759: Fixed an outside the range of representable values of type 'int' at MagickCore/quantize.c (bsc#1179313).
- CVE-2020-27760: Fixed a division by zero at MagickCore/enhance.c (bsc#1179281).
- CVE-2020-27761: Fixed an outside the range of representable values of type 'unsigned long' at coders/palm.c (bsc#1179315).
- CVE-2020-27762: Fixed an outside the range of representable values of type 'unsigned char' (bsc#1179278).
- CVE-2020-27763: Fixed a division by zero at MagickCore/resize.c (bsc#1179312).
- CVE-2020-27764: Fixed an outside the range of representable values of type 'unsigned long' at MagickCore/statistic.c (bsc#1179317).
- CVE-2020-27765: Fixed a division by zero at MagickCore/segment.c (bsc#1179311).
- CVE-2020-27766: Fixed an outside the range of representable values of type 'unsigned long' at MagickCore/statistic.c (bsc#1179361).
- CVE-2020-27767: Fixed an outside the range of representable values of type 'float' at MagickCore/quantum.h (bsc#1179322).
- CVE-2020-27768: Fixed an outside the range of representable values of type 'unsigned int' at MagickCore/quantum-private.h (bsc#1179339).
- CVE-2020-27769: Fixed an outside the range of representable values of type 'float' at MagickCore/quantize.c (bsc#1179321).
- CVE-2020-27770: Fixed an unsigned offset overflowed at MagickCore/string.c (bsc#1179343).
- CVE-2020-27771: Fixed an outside the range of representable values of type 'unsigned char' at coders/pdf.c (bsc#1179327).
- CVE-2020-27772: Fixed an outside the range of representable values of type 'unsigned int' at coders/bmp.c (bsc#1179347).
- CVE-2020-27773: Fixed a division by zero at MagickCore/gem-private.h (bsc#1179285).
- CVE-2020-27774: Fixed an integer overflow at MagickCore/statistic.c (bsc#1179333).
- CVE-2020-27775: Fixed an outside the range of representable values of type 'unsigned char' at MagickCore/quantum.h (bsc#1179338).
- CVE-2020-27776: Fixed an outside the range of representable values of type 'unsigned long' at MagickCore/statistic.c (bsc#1179362).
ImportantSUSE bug 1179103SUSE bug 1179202SUSE bug 1179208SUSE bug 1179212SUSE bug 1179223SUSE bug 1179240SUSE bug 1179244SUSE bug 1179260SUSE bug 1179268SUSE bug 1179269SUSE bug 1179278SUSE bug 1179281SUSE bug 1179285SUSE bug 1179311SUSE bug 1179312SUSE bug 1179313SUSE bug 1179315SUSE bug 1179317SUSE bug 1179321SUSE bug 1179322SUSE bug 1179327SUSE bug 1179333SUSE bug 1179336SUSE bug 1179338SUSE bug 1179339SUSE bug 1179343SUSE bug 1179345SUSE bug 1179346SUSE bug 1179347SUSE bug 1179361SUSE bug 1179362SUSE bug 1179397CVE-2020-19667 at SUSECVE-2020-19667 at NVDCVE-2020-25664 at SUSECVE-2020-25664 at NVDCVE-2020-25665 at SUSECVE-2020-25665 at NVDCVE-2020-25666 at SUSECVE-2020-25666 at NVDCVE-2020-25674 at SUSECVE-2020-25674 at NVDCVE-2020-25675 at SUSECVE-2020-25675 at NVDCVE-2020-25676 at SUSECVE-2020-25676 at NVDCVE-2020-27750 at SUSECVE-2020-27750 at NVDCVE-2020-27751 at SUSECVE-2020-27751 at NVDCVE-2020-27752 at SUSECVE-2020-27752 at NVDCVE-2020-27753 at SUSECVE-2020-27753 at NVDCVE-2020-27754 at SUSECVE-2020-27754 at NVDCVE-2020-27755 at SUSECVE-2020-27755 at NVDCVE-2020-27757 at SUSECVE-2020-27757 at NVDCVE-2020-27759 at SUSECVE-2020-27759 at NVDCVE-2020-27760 at SUSECVE-2020-27760 at NVDCVE-2020-27761 at SUSECVE-2020-27761 at NVDCVE-2020-27762 at SUSECVE-2020-27762 at NVDCVE-2020-27763 at SUSECVE-2020-27763 at NVDCVE-2020-27764 at SUSECVE-2020-27764 at NVDCVE-2020-27765 at SUSECVE-2020-27765 at NVDCVE-2020-27766 at SUSECVE-2020-27766 at NVDCVE-2020-27767 at SUSECVE-2020-27767 at NVDCVE-2020-27768 at SUSECVE-2020-27768 at NVDCVE-2020-27769 at SUSECVE-2020-27769 at NVDCVE-2020-27770 at SUSECVE-2020-27770 at NVDCVE-2020-27771 at SUSECVE-2020-27771 at NVDCVE-2020-27772 at SUSECVE-2020-27772 at NVDCVE-2020-27773 at SUSECVE-2020-27773 at NVDCVE-2020-27774 at SUSECVE-2020-27774 at NVDCVE-2020-27775 at SUSECVE-2020-27775 at NVDCVE-2020-27776 at SUSECVE-2020-27776 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.32.1:
+ Improve handling of Media Capture devices.
+ Improve WebAudio playback.
+ Improve video orientation handling.
+ Improve seeking support for MSE playback.
+ Improve flush support in EME decryptors.
+ Fix HTTP status codes for requests done through a custom URI handler.
+ Fix the Bubblewrap sandbox in certain 32-bit systems.
+ Fix inconsistencies between the WebKitWebView.is-muted property
state and values returned by
webkit_web_view_is_playing_audio().
+ Fix the build with ENABLE_VIDEO=OFF.
+ Fix wrong timestamps for long-lived cookies.
+ Fix UI process crash when failing to load favicons.
+ Fix several crashes and rendering issues.
- Including Security fixes for: CVE-2021-1788, CVE-2021-1844, CVE-2021-1871,
CVE-2020-27918, CVE-2020-29623, CVE-2021-1765, CVE-2021-1789, CVE-2021-1799,
CVE-2021-1801, CVE-2021-1870, CVE-2020-13558, CVE-2020-13584, CVE-2020-9983,
CVE-2020-13543, CVE-2020-9947, CVE-2020-9948, CVE-2020-9951.
ImportantSUSE bug 1177087SUSE bug 1179122SUSE bug 1179451SUSE bug 1182286SUSE bug 1184155SUSE bug 1184262CVE-2020-13543 at SUSECVE-2020-13543 at NVDCVE-2020-13558 at SUSECVE-2020-13558 at NVDCVE-2020-13584 at SUSECVE-2020-13584 at NVDCVE-2020-27918 at SUSECVE-2020-27918 at NVDCVE-2020-29623 at SUSECVE-2020-29623 at NVDCVE-2020-9947 at SUSECVE-2020-9947 at NVDCVE-2020-9948 at SUSECVE-2020-9948 at NVDCVE-2020-9951 at SUSECVE-2020-9951 at NVDCVE-2020-9983 at SUSECVE-2020-9983 at NVDCVE-2021-1765 at SUSECVE-2021-1765 at NVDCVE-2021-1788 at SUSECVE-2021-1788 at NVDCVE-2021-1789 at SUSECVE-2021-1789 at NVDCVE-2021-1799 at SUSECVE-2021-1799 at NVDCVE-2021-1801 at SUSECVE-2021-1801 at NVDCVE-2021-1844 at SUSECVE-2021-1844 at NVDCVE-2021-1870 at SUSECVE-2021-1870 at NVDCVE-2021-1871 at SUSECVE-2021-1871 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for apache2 fixes the following issues:
- fixed CVE-2021-30641 [bsc#1187174]: MergeSlashes regression
- fixed CVE-2021-31618 [bsc#1186924]: NULL pointer dereference on specially crafted HTTP/2 request
- fixed CVE-2020-35452 [bsc#1186922]: Single zero byte stack overflow in mod_auth_digest
- fixed CVE-2021-26690 [bsc#1186923]: mod_session NULL pointer dereference in parser
- fixed CVE-2021-26691 [bsc#1187017]: Heap overflow in mod_session
ImportantSUSE bug 1186922SUSE bug 1186923SUSE bug 1186924SUSE bug 1187017SUSE bug 1187174CVE-2020-35452 at SUSECVE-2020-35452 at NVDCVE-2021-26690 at SUSECVE-2021-26690 at NVDCVE-2021-26691 at SUSECVE-2021-26691 at NVDCVE-2021-30641 at SUSECVE-2021-30641 at NVDCVE-2021-31618 at SUSECVE-2021-31618 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for xterm (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for xterm fixes the following issues:
- CVE-2021-27135: Fixed buffer-overflow when clicking on selected utf8 text. (bsc#1182091)
ImportantSUSE bug 1182091CVE-2021-27135 at SUSECVE-2021-27135 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_144 fixes several issues.
The following issues were fixed:
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing an arbitrary values (bsc#1186111).
- CVE-2021-28688: Fixed an issue introduced by XSA-365, leaving around zombie domains after xen guest has died (bsc#1183646).
- CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with system execution privileges needed. (bsc#1176724).
- Fixed a regression with the last livepatch which caused a kernel warning during sysfs read (bsc#1186235).
ImportantSUSE bug 1176931SUSE bug 1182294SUSE bug 1186235SUSE bug 1186285CVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2021-28688 at SUSECVE-2021-28688 at NVDCVE-2021-33034 at SUSECVE-2021-33034 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_141 fixes several issues.
The following issues were fixed:
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing an arbitrary values (bsc#1186111).
- CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
- Fixed a regression with the last livepatch which caused a kernel warning during sysfs read (bsc#1186235).
ImportantSUSE bug 1185899SUSE bug 1186235SUSE bug 1186285CVE-2021-32399 at SUSECVE-2021-32399 at NVDCVE-2021-33034 at SUSECVE-2021-33034 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_138 fixes several issues.
The following issues were fixed:
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing an arbitrary values (bsc#1186111).
- CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
- Fixed a regression with the last livepatch which caused a kernel warning during sysfs read (bsc#1186235).
ImportantSUSE bug 1185899SUSE bug 1186235SUSE bug 1186285CVE-2021-32399 at SUSECVE-2021-32399 at NVDCVE-2021-33034 at SUSECVE-2021-33034 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_135 fixes several issues.
The following security issues were fixed:
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing an arbitrary values (bsc#1186111).
- CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
ImportantSUSE bug 1185899SUSE bug 1186285CVE-2021-32399 at SUSECVE-2021-32399 at NVDCVE-2021-33034 at SUSECVE-2021-33034 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_130 fixes several issues.
The following security issues were fixed:
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing an arbitrary values (bsc#1186111).
- CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
ImportantSUSE bug 1185899SUSE bug 1186285CVE-2021-32399 at SUSECVE-2021-32399 at NVDCVE-2021-33034 at SUSECVE-2021-33034 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_127 fixes several issues.
The following security issues were fixed:
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing an arbitrary values (bsc#1186111).
- CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
ImportantSUSE bug 1185899SUSE bug 1186285CVE-2021-32399 at SUSECVE-2021-32399 at NVDCVE-2021-33034 at SUSECVE-2021-33034 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_124 fixes several issues.
The following security issues were fixed:
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing an arbitrary values (bsc#1186111).
- CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
ImportantSUSE bug 1185899SUSE bug 1186285CVE-2021-32399 at SUSECVE-2021-32399 at NVDCVE-2021-33034 at SUSECVE-2021-33034 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for ovmf (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for ovmf fixes the following issues:
- Fixed a possible buffer overflow in IScsiDxe (bsc#1186151)
ImportantSUSE bug 1186151cpe:/o:suse:sles-espos:12:sp3Security update for libnettle (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libnettle fixes the following issues:
- CVE-2021-3580: Fixed a remote denial of service in the RSA decryption via manipulated ciphertext (bsc#1187060).
ImportantSUSE bug 1187060CVE-2021-3580 at SUSECVE-2021-3580 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libgcrypt (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libgcrypt fixes the following issues:
- CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212).
ImportantSUSE bug 1187212CVE-2021-33560 at SUSECVE-2021-33560 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for openexr (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for openexr fixes the following issues:
- Fixed CVE-2021-3479 [bsc#1184354]: Out-of-memory caused by allocation of a very large buffer
- Fixed CVE-2021-3605 [bsc#1187395]: Heap buffer overflow in the rleUncompress function
- Fixed CVE-2021-3598 [bsc#1187310]: Heap buffer overflow in Imf_3_1:CharPtrIO:readChars
ImportantSUSE bug 1184354SUSE bug 1187310SUSE bug 1187395CVE-2021-3479 at SUSECVE-2021-3479 at NVDCVE-2021-3598 at SUSECVE-2021-3598 at NVDCVE-2021-3605 at SUSECVE-2021-3605 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for postgresql, postgresql12, postgresql13 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for postgresql, postgresql12, postgresql13 fixes the following issues:
Initial packaging of PostgreSQL 13:
* https://www.postgresql.org/about/news/2077/
* https://www.postgresql.org/docs/13/release-13.html
Changes in postgresql:
- Bump postgresql major version to 13.
Changes in postgresql12:
- %ghost the symlinks to pg_config and ecpg. (bsc#1178961)
- BuildRequire libpq5 and libecpg6 when not building them to avoid dangling symlinks in the devel package. (bsc#1179765)
- Fix a DST problem in the test suite.
Changes in postgresql13:
- Add postgresql-icu68.patch: fix build with ICU 68
- %ghost the symlinks to pg_config and ecpg. (bsc#1178961)
- BuildRequire libpq5 and libecpg6 when not building them to avoid dangling symlinks in the devel package. (bsc#1179765)
Upgrade to version 13.1:
* CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and
materialized view queries.
* CVE-2020-25694, bsc#1178667:
a) Fix usage of complex connection-string parameters in pg_dump,
pg_restore, clusterdb, reindexdb, and vacuumdb.
b) When psql's \connect command re-uses connection parameters,
ensure that all non-overridden parameters from a previous
connection string are re-used.
* CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from
modifying specially-treated variables.
* Fix recently-added timetz test case so it works when the USA
is not observing daylight savings time.
(obsoletes postgresql-timetz.patch)
* https://www.postgresql.org/about/news/2111/
* https://www.postgresql.org/docs/13/release-13-1.html
- Fix a DST problem in the test suite.
ImportantSUSE bug 1178666SUSE bug 1178667SUSE bug 1178668SUSE bug 1178961SUSE bug 1179765CVE-2020-25694 at SUSECVE-2020-25694 at NVDCVE-2020-25695 at SUSECVE-2020-25695 at NVDCVE-2020-25696 at SUSECVE-2020-25696 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for arpwatch (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for arpwatch fixes the following issues:
- CVE-2021-25321: Fixed local privilege escalation from runtime user to root (bsc#1186240).
ImportantSUSE bug 1186240CVE-2021-25321 at SUSECVE-2021-25321 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libsolv (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libsolv fixes the following issues:
Security issues fixed:
- CVE-2019-20387: Fixed heap-buffer-overflow in repodata_schema2id (bsc#1161510)
- CVE-2021-3200: testcase_read: error out if repos are added or the system is changed too late (bsc#1186229)
Other issues fixed:
- backport support for blacklisted packages to support ptf packages and retracted patches
- fix ruleinfo of complex dependencies returning the wrong origin
- fix SOLVER_FLAG_FOCUS_BEST updateing packages without reason
- fix add_complex_recommends() selecting conflicted packages in rare cases
- fix potential segfault in resolve_jobrules
- fix solv_zchunk decoding error if large chunks are used
ImportantSUSE bug 1161510SUSE bug 1186229CVE-2019-20387 at SUSECVE-2019-20387 at NVDCVE-2021-3200 at SUSECVE-2021-3200 at NVDcpe:/o:suse:sles-espos:12:sp3Recommended update for the Azure and AWS SDKs (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the SLE Public Cloud module provides the following fixes:
Azure SDK update:
This update for the Azure SDK and CLI adds support for the AHB (Azure Hybrid Benefit).
(bsc#1176784, jsc#ECO-3105)
AWS SDK update:
This update for the AWS SDK updates python-boto3 to version 1.17.9 and aws-cli to 1.19.9.
(bsc#1182421, jsc#ECO-3352)
Security fix for python-urllib3:
- Improve performance of sub-authority splitting in URL. (bsc#1187045, CVE-2021-33503)
ImportantSUSE bug 1125671SUSE bug 1154393SUSE bug 1175289SUSE bug 1176784SUSE bug 1176785SUSE bug 1182421SUSE bug 1187045CVE-2021-33503 at SUSECVE-2021-33503 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for openssh (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for openssh fixes the following issues:
- CVE-2020-14145: Fixed a potential information leak during host key exchange (bsc#1173513).
ModerateSUSE bug 1173513CVE-2020-14145 at SUSECVE-2020-14145 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for sudo (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for sudo fixes the following issues:
- A Heap-based buffer overflow in sudo could be exploited to allow a user to gain root privileges
[bsc#1181090,CVE-2021-3156]
- It was possible for a user to test for the existence of a directory due to a Race Condition in `sudoedit`
[bsc#1180684,CVE-2021-23239]
- A Possible Symlink Attack vector existed in `sudoedit` if SELinux was running in permissive mode [bsc#1180685,
CVE-2021-23240]
- It was possible for a User to enable Debug Settings not Intended for them [bsc#1180687]
ImportantSUSE bug 1180684SUSE bug 1180685SUSE bug 1180687SUSE bug 1181090CVE-2021-23239 at SUSECVE-2021-23239 at NVDCVE-2021-23240 at SUSECVE-2021-23240 at NVDCVE-2021-3156 at SUSECVE-2021-3156 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 78.12.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-29 (bsc#1188275)
* CVE-2021-29970: Use-after-free in accessibility features of a document
* CVE-2021-30547: Out of bounds write in ANGLE
* CVE-2021-29976: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12
ImportantSUSE bug 1188275CVE-2021-29970 at SUSECVE-2021-29970 at NVDCVE-2021-29976 at SUSECVE-2021-29976 at NVDCVE-2021-30547 at SUSECVE-2021-30547 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.7.0 ESR (MFSA 2021-04, bsc#1181414)
* CVE-2021-23953: Fixed a Cross-origin information leakage via redirected PDF requests
* CVE-2021-23954: Fixed a type confusion when using logical assignment operators in JavaScript switch statements
* CVE-2020-26976: Fixed an issue where HTTPS pages could have been intercepted by a registered service worker when they should not have been
* CVE-2021-23960: Fixed a use-after-poison for incorrectly redeclared JavaScript variables during GC
* CVE-2021-23964: Fixed Memory safety bugs
ImportantSUSE bug 1181414CVE-2020-26976 at SUSECVE-2020-26976 at NVDCVE-2021-23953 at SUSECVE-2021-23953 at NVDCVE-2021-23954 at SUSECVE-2021-23954 at NVDCVE-2021-23960 at SUSECVE-2021-23960 at NVDCVE-2021-23964 at SUSECVE-2021-23964 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for systemd (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for systemd fixes the following issues:
Security issues fixed:
- CVE-2021-33910: Fixed a denial of service (stack exhaustion) in systemd (PID 1) (bsc#1188063)
Other fixes:
- mount-util: shorten the loop a bit (#7545)
- mount-util: do not use the official MAX_HANDLE_SZ (#7523)
- mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761)
- mount-util: fix bad indenting
- mount-util: EOVERFLOW might have other causes than buffer size issues
- mount-util: fix error propagation in fd_fdinfo_mnt_id()
- mount-util: drop exponential buffer growing in name_to_handle_at_loop()
- udev: port udev_has_devtmpfs() to use path_get_mnt_id()
- mount-util: add new path_get_mnt_id() call that queries the mnt ID of a path
- mount-util: add name_to_handle_at_loop() wrapper around name_to_handle_at()
- mount-util: accept that name_to_handle_at() might fail with EPERM (#5499)
- basic: fallback to the fstat if we don't have access to the /proc/self/fdinfo
- sysusers: use the usual comment style
- test/TEST-21-SYSUSERS: add tests for new functionality
- sysusers: allow admin/runtime overrides to command-line config
- basic/strv: add function to insert items at position
- sysusers: allow the shell to be specified
- sysusers: move various user credential validity checks to src/basic/
- man: reformat table in sysusers.d(5)
- sysusers: take configuration as positional arguments
- sysusers: emit a bit more info at debug level when locking fails
- sysusers: allow force reusing existing user/group IDs (#8037)
- sysusers: ensure GID in uid:gid syntax exists
- sysusers: make ADD_GROUP always create a group
- test: add TEST-21-SYSUSERS test
- sysuser: use OrderedHashmap
- sysusers: allow uid:gid in sysusers.conf files
- sysusers: fix memleak (#4430)
- These commits implement the option '--replace' for systemd-sysusers
so %sysusers_create_package can be introduced in SLE and packages
can rely on this rpm macro without wondering whether the macro is
available on the different target the package is submitted to.
- Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807)
- systemctl: add --value option
- execute: make sure to call into PAM after initializing resource limits (bsc#1184967)
- rlimit-util: introduce setrlimit_closest_all()
- system-conf: drop reference to ShutdownWatchdogUsec=
- core: rename ShutdownWatchdogSec to RebootWatchdogSec (bsc#1185331)
- Return -EAGAIN instead of -EALREADY from unit_reload (bsc#1185046)
- rules: don't ignore Xen virtual interfaces anymore (bsc#1178561)
- write_net_rules: set execute bits (bsc#1178561)
- udev: rework network device renaming
- Revert 'Revert 'udev: network device renaming - immediately give up if the target name isn't available''
ImportantSUSE bug 1178561SUSE bug 1184761SUSE bug 1184967SUSE bug 1185046SUSE bug 1185331SUSE bug 1185807SUSE bug 1188063CVE-2021-33910 at SUSECVE-2021-33910 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_144 fixes several issues.
The following security issues were fixed:
- CVE-2021-0605: Fixed an out-of-bounds read which could lead to local information disclosure in the kernel with System execution privileges needed. (bsc#1187687)
- CVE-2021-0512: Fixed a possible out-of-bounds write which could lead to local escalation of privilege with no additional execution privileges needed. (bsc#1187597)
ImportantSUSE bug 1187597SUSE bug 1187687CVE-2021-0512 at SUSECVE-2021-0512 at NVDCVE-2021-0605 at SUSECVE-2021-0605 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_141 fixes several issues.
The following security issues were fixed:
- CVE-2021-0605: Fixed an out-of-bounds read which could lead to local information disclosure in the kernel with System execution privileges needed. (bsc#1187687)
- CVE-2021-0512: Fixed a possible out-of-bounds write which could lead to local escalation of privilege with no additional execution privileges needed. (bsc#1187597)
ImportantSUSE bug 1187597SUSE bug 1187687CVE-2021-0512 at SUSECVE-2021-0512 at NVDCVE-2021-0605 at SUSECVE-2021-0605 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_138 fixes several issues.
The following security issues were fixed:
- CVE-2021-0605: Fixed an out-of-bounds read which could lead to local information disclosure in the kernel with System execution privileges needed. (bsc#1187687)
- CVE-2021-0512: Fixed a possible out-of-bounds write which could lead to local escalation of privilege with no additional execution privileges needed. (bsc#1187597)
ImportantSUSE bug 1187597SUSE bug 1187687CVE-2021-0512 at SUSECVE-2021-0512 at NVDCVE-2021-0605 at SUSECVE-2021-0605 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_135 fixes several issues.
The following security issues were fixed:
- CVE-2021-0605: Fixed an out-of-bounds read which could lead to local information disclosure in the kernel with System execution privileges needed. (bsc#1187687)
- CVE-2021-0512: Fixed a possible out-of-bounds write which could lead to local escalation of privilege with no additional execution privileges needed. (bsc#1187597)
ImportantSUSE bug 1187597SUSE bug 1187687CVE-2021-0512 at SUSECVE-2021-0512 at NVDCVE-2021-0605 at SUSECVE-2021-0605 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_130 fixes several issues.
The following security issues were fixed:
- CVE-2021-0605: Fixed an out-of-bounds read which could lead to local information disclosure in the kernel with System execution privileges needed. (bsc#1187687)
- CVE-2021-0512: Fixed a possible out-of-bounds write which could lead to local escalation of privilege with no additional execution privileges needed. (bsc#1187597)
ImportantSUSE bug 1187597SUSE bug 1187687CVE-2021-0512 at SUSECVE-2021-0512 at NVDCVE-2021-0605 at SUSECVE-2021-0605 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_127 fixes several issues.
The following security issues were fixed:
- CVE-2021-0605: Fixed an out-of-bounds read which could lead to local information disclosure in the kernel with System execution privileges needed. (bsc#1187687)
- CVE-2021-0512: Fixed a possible out-of-bounds write which could lead to local escalation of privilege with no additional execution privileges needed. (bsc#1187597)
ImportantSUSE bug 1187597SUSE bug 1187687CVE-2021-0512 at SUSECVE-2021-0512 at NVDCVE-2021-0605 at SUSECVE-2021-0605 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for linuxptp (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for linuxptp fixes the following issues:
- CVE-2021-3570: Validate the messageLength field of incoming messages. (bsc#1187646)
ImportantSUSE bug 1187646CVE-2021-3570 at SUSECVE-2021-3570 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2021-22555: Fixed an heap out-of-bounds write in net/netfilter/x_tables.c that could allow local provilege escalation. (bsc#1188116)
- CVE-2021-33909: Fixed an out-of-bounds write in the filesystem layer that allows to obtain full root privileges. (bsc#1188062)
- CVE-2021-3609: Fixed a race condition in the CAN BCM networking protocol which allows for local privilege escalation. (bsc#1187215)
- CVE-2021-0605: Fixed an out-of-bounds read which could lead to local information disclosure in the kernel with System execution privileges needed. (bsc#1187601)
- CVE-2021-0512: Fixed a possible out-of-bounds write which could lead to local escalation of privilege with no additional execution privileges needed. (bsc#1187595)
- CVE-2021-34693: Fixed a bug in net/can/bcm.c which could allow local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized. (bsc#1187452)
- CVE-2020-36385: Fixed a use-after-free flaw in ucma.c which allows for local privilege escalation. (bsc#1187050)
- CVE-2021-0129: Fixed an improper access control in BlueZ that may have allowed an authenticated user to potentially enable information disclosure via adjacent access. (bsc#1186463)
- CVE-2020-26558: Fixed a flaw in the Bluetooth LE and BR/EDR secure pairing that could permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing. (bsc#1179610)
- CVE-2020-36386: Fixed an out-of-bounds read in hci_extended_inquiry_result_evt. (bsc#1187038)
- CVE-2020-24588: Fixed a bug that could allow an adversary to abuse devices that support receiving non-SSP A-MSDU frames to inject arbitrary network packets. (bsc#1185861)
- CVE-2021-32399: Fixed a race condition in net/bluetooth/hci_request.c for removal of the HCI controller. (bsc#1184611)
- CVE-2021-33034: Fixed an issue in net/bluetooth/hci_event.c where a use-after-free leads to writing an arbitrary value. (bsc#1186111)
- CVE-2020-26139: Fixed a bug that allows an Access Point (AP) to forward EAPOL frames to other clients even though the sender has not yet successfully authenticated. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and made it easier to exploit other vulnerabilities in connected clients. (bsc#1186062)
- CVE-2021-23134: Fixed a use After Free vulnerability in nfc sockets which allows local attackers to elevate their privileges. (bsc#1186060)
- CVE-2020-24586: Fixed a bug that, under the right circumstances, allows to inject arbitrary network packets and/or exfiltrate user data when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP. (bsc#1185859)
- CVE-2020-26141: Fixed a flaw that could allows an adversary to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (bsc#1185987)
- CVE-2020-26145: Fixed a bug in the WEP, WPA, WPA2, and WPA3 implementations that could allows an adversary to inject arbitrary network packets. (bsc#1185860)
- CVE-2020-24587: Fixed a bug that allows an adversary to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. (bsc#1185862)
- CVE-2020-26147: Fixed a bug in the WEP, WPA, WPA2, and WPA3 implementations that could allows an adversary to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames. (bsc#1185987)
The following non-security bugs were fixed:
- Bluetooth: SMP: Fail if remote and local public keys are identical (git-fixes).
- Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185724).
- Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185724).
- hv_netvsc: Add handlers for ethtool get/set msg level (bsc#1175462).
- hv_netvsc: avoid retry on send during shutdown (bsc#1175462).
- hv_netvsc: avoid unnecessary wakeups on subchannel creation (bsc#1175462).
- hv_netvsc: cancel subchannel setup before halting device (bsc#1175462).
- hv_netvsc: change GPAD teardown order on older versions (bsc#1175462).
- hv_netvsc: common detach logic (bsc#1175462).
- hv_netvsc: delay setup of VF device (bsc#1175462).
- hv_netvsc: disable NAPI before channel close (bsc#1175462).
- hv_netvsc: Ensure correct teardown message sequence order (bsc#1175462).
- hv_netvsc: Fix a deadlock by getting rtnl lock earlier in netvsc_probe() (bsc#1175462).
- hv_netvsc: Fix a network regression after ifdown/ifup (bsc#1175462).
- hv_netvsc: fix deadlock on hotplug (bsc#1175462).
- hv_netvsc: Fix error handling in netvsc_attach() (bsc#1175462).
- hv_netvsc: fix error unwind handling if vmbus_open fails (bsc#1175462).
- hv_netvsc: Fix extra rcu_read_unlock in netvsc_recv_callback() (bsc#1175462).
- hv_netvsc: fix handling of fallback to single queue mode (bsc#1175462).
- hv_netvsc: Fix hash key value reset after other ops (bsc#1175462).
- hv_netvsc: Fix IP header checksum for coalesced packets (bsc#1175462).
- hv_netvsc: Fix net device attach on older Windows hosts (bsc#1175462).
- hv_netvsc: fix network namespace issues with VF support (bsc#1175462).
- hv_netvsc: Fix NULL dereference at single queue mode fallback (bsc#1175462).
- hv_netvsc: fix race during initialization (bsc#1175462).
- hv_netvsc: fix race on sub channel creation (bsc#1175462).
- hv_netvsc: fix race that may miss tx queue wakeup (bsc#1175462).
- hv_netvsc: fix schedule in RCU context (bsc#1175462).
- hv_netvsc: Fix the variable sizes in ipsecv2 and rsc offload (bsc#1175462).
- hv_netvsc: Fix tx_table init in rndis_set_subchannel() (bsc#1175462).
- hv_netvsc: Fix unwanted wakeup after tx_disable (bsc#1175462).
- hv_netvsc: Fix unwanted wakeup in netvsc_attach() (bsc#1175462).
- hv_netvsc: flag software created hash value (bsc#1175462).
- hv_netvsc: netvsc_teardown_gpadl() split (bsc#1175462).
- hv_netvsc: only wake transmit queue if link is up (bsc#1175462).
- hv_netvsc: pass netvsc_device to rndis halt (bsc#1175462).
- hv_netvsc: preserve hw_features on mtu/channels/ringparam changes (bsc#1175462).
- hv_netvsc: Refactor assignments of struct netvsc_device_info (bsc#1175462).
- hv_netvsc: set master device (bsc#1175462).
- hv_netvsc: Set tx_table to equal weight after subchannels open (bsc#1175462).
- hv_netvsc: Simplify num_chn checking in rndis_filter_device_add() (bsc#1175462).
- hv_netvsc: Split netvsc_revoke_buf() and netvsc_teardown_gpadl() (bsc#1175462).
- hv_netvsc: split sub-channel setup into async and sync (bsc#1175462).
- hv_netvsc: typo in NDIS RSS parameters structure (bsc#1175462).
- hv_netvsc: use RCU to fix concurrent rx and queue changes (bsc#1175462).
- hv_netvsc: use reciprocal divide to speed up percent calculation (bsc#1175462).
- hv_netvsc: Use Windows version instead of NVSP version on GPAD teardown (bsc#1175462).
- kgraft: truncate the output from state_show() sysfs attr (bsc#1186235).
- mm, memory_hotplug: do not clear numa_node association after hot_remove (bsc#1115026).
- mm: consider __HW_POISON pages when allocating from pcp lists (bsc#1187388).
- scsi: storvsc: Enable scatterlist entry lengths > 4Kbytes (bsc#1187193).
- video: hyperv_fb: Add ratelimit on error message (bsc#1185724).
ImportantSUSE bug 1115026SUSE bug 1175462SUSE bug 1179610SUSE bug 1184611SUSE bug 1185724SUSE bug 1185859SUSE bug 1185860SUSE bug 1185861SUSE bug 1185862SUSE bug 1185863SUSE bug 1185898SUSE bug 1185987SUSE bug 1186060SUSE bug 1186062SUSE bug 1186111SUSE bug 1186235SUSE bug 1186390SUSE bug 1186463SUSE bug 1187038SUSE bug 1187050SUSE bug 1187193SUSE bug 1187215SUSE bug 1187388SUSE bug 1187452SUSE bug 1187595SUSE bug 1187601SUSE bug 1187934SUSE bug 1188062SUSE bug 1188063SUSE bug 1188116CVE-2020-24586 at SUSECVE-2020-24586 at NVDCVE-2020-24587 at SUSECVE-2020-24587 at NVDCVE-2020-24588 at SUSECVE-2020-24588 at NVDCVE-2020-26139 at SUSECVE-2020-26139 at NVDCVE-2020-26141 at SUSECVE-2020-26141 at NVDCVE-2020-26145 at SUSECVE-2020-26145 at NVDCVE-2020-26147 at SUSECVE-2020-26147 at NVDCVE-2020-26558 at SUSECVE-2020-26558 at NVDCVE-2020-36385 at SUSECVE-2020-36385 at NVDCVE-2020-36386 at SUSECVE-2020-36386 at NVDCVE-2021-0129 at SUSECVE-2021-0129 at NVDCVE-2021-0512 at SUSECVE-2021-0512 at NVDCVE-2021-0605 at SUSECVE-2021-0605 at NVDCVE-2021-22555 at SUSECVE-2021-22555 at NVDCVE-2021-23134 at SUSECVE-2021-23134 at NVDCVE-2021-32399 at SUSECVE-2021-32399 at NVDCVE-2021-33034 at SUSECVE-2021-33034 at NVDCVE-2021-33909 at SUSECVE-2021-33909 at NVDCVE-2021-34693 at SUSECVE-2021-34693 at NVDCVE-2021-3609 at SUSECVE-2021-3609 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_144 fixes several issues.
The following security issues were fixed:
- CVE-2021-33909: Fixed an out-of-bounds write in the filesystem layer that allows to andobtain full root privileges. (bsc#1188062)
- CVE-2021-22555: Fixed an heap out-of-bounds write in net/netfilter/x_tables.c that could allow local provilege escalation. (bsc#1188116)
- CVE-2020-36385: Fixed a use-after-free vulnerability reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called. (bnc#1187050)
ImportantSUSE bug 1187052SUSE bug 1188117SUSE bug 1188257CVE-2020-36385 at SUSECVE-2020-36385 at NVDCVE-2021-22555 at SUSECVE-2021-22555 at NVDCVE-2021-33909 at SUSECVE-2021-33909 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_141 fixes several issues.
The following security issues were fixed:
- CVE-2021-33909: Fixed an out-of-bounds write in the filesystem layer that allows to andobtain full root privileges. (bsc#1188062)
- CVE-2021-22555: Fixed an heap out-of-bounds write in net/netfilter/x_tables.c that could allow local provilege escalation. (bsc#1188116)
- CVE-2020-36385: Fixed a use-after-free vulnerability reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called. (bnc#1187050)
ImportantSUSE bug 1187052SUSE bug 1188117SUSE bug 1188257CVE-2020-36385 at SUSECVE-2020-36385 at NVDCVE-2021-22555 at SUSECVE-2021-22555 at NVDCVE-2021-33909 at SUSECVE-2021-33909 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_138 fixes several issues.
The following security issues were fixed:
- CVE-2021-33909: Fixed an out-of-bounds write in the filesystem layer that allows to andobtain full root privileges. (bsc#1188062)
- CVE-2021-22555: Fixed an heap out-of-bounds write in net/netfilter/x_tables.c that could allow local provilege escalation. (bsc#1188116)
- CVE-2020-36385: Fixed a use-after-free vulnerability reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called. (bnc#1187050)
ImportantSUSE bug 1187052SUSE bug 1188117SUSE bug 1188257CVE-2020-36385 at SUSECVE-2020-36385 at NVDCVE-2021-22555 at SUSECVE-2021-22555 at NVDCVE-2021-33909 at SUSECVE-2021-33909 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_135 fixes several issues.
The following security issues were fixed:
- CVE-2021-33909: Fixed an out-of-bounds write in the filesystem layer that allows to andobtain full root privileges. (bsc#1188062)
- CVE-2021-22555: Fixed an heap out-of-bounds write in net/netfilter/x_tables.c that could allow local provilege escalation. (bsc#1188116)
- CVE-2020-36385: Fixed a use-after-free vulnerability reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called. (bnc#1187050)
ImportantSUSE bug 1187052SUSE bug 1188117SUSE bug 1188257CVE-2020-36385 at SUSECVE-2020-36385 at NVDCVE-2021-22555 at SUSECVE-2021-22555 at NVDCVE-2021-33909 at SUSECVE-2021-33909 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_130 fixes several issues.
The following security issues were fixed:
- CVE-2021-33909: Fixed an out-of-bounds write in the filesystem layer that allows to andobtain full root privileges. (bsc#1188062)
- CVE-2021-22555: Fixed an heap out-of-bounds write in net/netfilter/x_tables.c that could allow local provilege escalation. (bsc#1188116)
- CVE-2020-36385: Fixed a use-after-free vulnerability reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called. (bnc#1187050)
ImportantSUSE bug 1187052SUSE bug 1188117SUSE bug 1188257CVE-2020-36385 at SUSECVE-2020-36385 at NVDCVE-2021-22555 at SUSECVE-2021-22555 at NVDCVE-2021-33909 at SUSECVE-2021-33909 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_127 fixes several issues.
The following security issues were fixed:
- CVE-2021-33909: Fixed an out-of-bounds write in the filesystem layer that allows to andobtain full root privileges. (bsc#1188062)
- CVE-2021-22555: Fixed an heap out-of-bounds write in net/netfilter/x_tables.c that could allow local provilege escalation. (bsc#1188116)
- CVE-2020-36385: Fixed a use-after-free vulnerability reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called. (bnc#1187050)
ImportantSUSE bug 1187052SUSE bug 1188117SUSE bug 1188257CVE-2020-36385 at SUSECVE-2020-36385 at NVDCVE-2021-22555 at SUSECVE-2021-22555 at NVDCVE-2021-33909 at SUSECVE-2021-33909 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for qemu (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for qemu fixes the following issues:
Security issues fixed:
- CVE-2021-3595: Fixed slirp: invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366)
- CVE-2021-3592: Fix for slirp: invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364)
- CVE-2021-3594: Fix for slirp: invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367)
- CVE-2021-3593: Fix for slirp: invalid pointer initialization may lead to information disclosure (udp6) (bsc#1187365)
- CVE-2021-3611: Fix intel-hda segmentation fault due to stack overflow (bsc#1187529)
ImportantSUSE bug 1187364SUSE bug 1187365SUSE bug 1187366SUSE bug 1187367SUSE bug 1187529CVE-2021-3592 at SUSECVE-2021-3592 at NVDCVE-2021-3593 at SUSECVE-2021-3593 at NVDCVE-2021-3594 at SUSECVE-2021-3594 at NVDCVE-2021-3595 at SUSECVE-2021-3595 at NVDCVE-2021-3611 at SUSECVE-2021-3611 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for dbus-1 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for dbus-1 fixes the following issues:
- CVE-2020-35512: Fixed a bug where users with the same numeric UID could lead to use-after-free and undefined behaviour. (bsc#1187105)
- CVE-2020-12049: Fixed a bug where a truncated messages lead to resource exhaustion. (bsc#1172505)
ImportantSUSE bug 1172505SUSE bug 1187105CVE-2020-12049 at SUSECVE-2020-12049 at NVDCVE-2020-35512 at SUSECVE-2020-35512 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for webkit2gtk3 fixes the following issues:
Update to version 2.32.3:
- CVE-2021-21775: Fixed a use-after-free vulnerability in the way certain events are processed for ImageLoader objects. A specially crafted web page can lead to a potential information leak and further memory corruption. A victim must be tricked into visiting a malicious web page to trigger this vulnerability. (bsc#1188697)
- CVE-2021-21779: Fixed a use-after-free vulnerability in the way that WebKit GraphicsContext handles certain events. A specially crafted web page can lead to a potential information leak and further memory corruption. A victim must be tricked into visiting a malicious web page to trigger this vulnerability. (bsc#1188697)
- CVE-2021-30663: An integer overflow was addressed with improved input validation. (bsc#1188697)
- CVE-2021-30665: A memory corruption issue was addressed with improved state management. (bsc#1188697)
- CVE-2021-30689: A logic issue was addressed with improved state management. (bsc#1188697)
- CVE-2021-30720: A logic issue was addressed with improved restrictions. (bsc#1188697)
- CVE-2021-30734: Multiple memory corruption issues were addressed with improved memory handling. (bsc#1188697)
- CVE-2021-30744: A cross-origin issue with iframe elements was addressed with improved tracking of security origins. (bsc#1188697)
- CVE-2021-30749: Multiple memory corruption issues were addressed with improved memory handling. (bsc#1188697)
- CVE-2021-30758: A type confusion issue was addressed with improved state handling. (bsc#1188697)
- CVE-2021-30795: A use after free issue was addressed with improved memory management. (bsc#1188697)
- CVE-2021-30797: This issue was addressed with improved checks. (bsc#1188697)
- CVE-2021-30799: Multiple memory corruption issues were addressed with improved memory handling. (bsc#1188697)
ImportantSUSE bug 1188697CVE-2021-21775 at SUSECVE-2021-21775 at NVDCVE-2021-21779 at SUSECVE-2021-21779 at NVDCVE-2021-30663 at SUSECVE-2021-30663 at NVDCVE-2021-30665 at SUSECVE-2021-30665 at NVDCVE-2021-30689 at SUSECVE-2021-30689 at NVDCVE-2021-30720 at SUSECVE-2021-30720 at NVDCVE-2021-30734 at SUSECVE-2021-30734 at NVDCVE-2021-30744 at SUSECVE-2021-30744 at NVDCVE-2021-30749 at SUSECVE-2021-30749 at NVDCVE-2021-30758 at SUSECVE-2021-30758 at NVDCVE-2021-30795 at SUSECVE-2021-30795 at NVDCVE-2021-30797 at SUSECVE-2021-30797 at NVDCVE-2021-30799 at SUSECVE-2021-30799 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for djvulibre (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for djvulibre fixes the following issues:
- CVE-2021-3630: out-of-bounds write in DJVU:DjVuTXT:decode() in DjVuText.cpp (bsc#1187869)
ImportantSUSE bug 1187869CVE-2021-3630 at SUSECVE-2021-3630 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for cpio (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for cpio fixes the following issues:
It was possible to trigger Remote code execution due to a integer overflow (CVE-2021-38185, bsc#1189206)
ImportantSUSE bug 1189206CVE-2021-38185 at SUSECVE-2021-38185 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libcares2 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libcares2 fixes the following issues:
- CVE-2021-3672: Fixed input validation on hostnames (bsc#1188881).
ImportantSUSE bug 1188881CVE-2021-3672 at SUSECVE-2021-3672 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 78.13.0 ESR (MFSA 2021-34, bsc#1188891):
- CVE-2021-29986: Race condition when resolving DNS names could have led to memory corruption
- CVE-2021-29988: Memory corruption as a result of incorrect style treatment
- CVE-2021-29984: Incorrect instruction reordering during JIT optimization
- CVE-2021-29980: Uninitialized memory in a canvas object could have led to memory corruption
- CVE-2021-29985: Use-after-free media channels
- CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
ImportantSUSE bug 1188891CVE-2021-29980 at SUSECVE-2021-29980 at NVDCVE-2021-29984 at SUSECVE-2021-29984 at NVDCVE-2021-29985 at SUSECVE-2021-29985 at NVDCVE-2021-29986 at SUSECVE-2021-29986 at NVDCVE-2021-29988 at SUSECVE-2021-29988 at NVDCVE-2021-29989 at SUSECVE-2021-29989 at NVDcpe:/o:suse:sles-espos:12:sp3Recommended update for cpio (Critical)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for cpio fixes the following issues:
- A regression in the previous update could lead to crashes (bsc#1189465)
CriticalSUSE bug 1189465CVE-2021-38185 at SUSECVE-2021-38185 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_8_0-openjdk fixes the following issues:
- Update to version jdk8u302 (icedtea 3.20.0)
- CVE-2021-2341: Improve file transfers. (bsc#1188564)
- CVE-2021-2369: Better jar file validation. (bsc#1188565)
- CVE-2021-2388: Enhance compiler validation. (bsc#1188566)
- CVE-2021-2161: Less ambiguous processing. (bsc#1185056)
ImportantSUSE bug 1185056SUSE bug 1188564SUSE bug 1188565SUSE bug 1188566CVE-2021-2161 at SUSECVE-2021-2161 at NVDCVE-2021-2341 at SUSECVE-2021-2341 at NVDCVE-2021-2369 at SUSECVE-2021-2369 at NVDCVE-2021-2388 at SUSECVE-2021-2388 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for cpio (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for cpio fixes the following issues:
- A patch previously applied to remedy CVE-2021-38185 introduced a regression
that had the potential to cause a segmentation fault in cpio. [bsc#1189465]
ImportantSUSE bug 1189465CVE-2021-38185 at SUSECVE-2021-38185 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for python-PyYAML (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for python-PyYAML fixes the following issues:
- Update to 5.3.1.
- CVE-2020-14343: A vulnerability was discovered in the PyYAML library,
where it was susceptible to arbitrary code execution when it processes
untrusted YAML files through the full_load method or with the FullLoader
loader. Applications that use the library to process untrusted input
may be vulnerable to this flaw. This flaw allows an attacker to
execute arbitrary code on the system by abusing the python/object/new
constructor. This flaw is due to an incomplete fix for CVE-2020-1747.
ImportantSUSE bug 1174514CVE-2020-14343 at SUSECVE-2020-14343 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for openssl (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for openssl fixes the following security issue:
- CVE-2021-3712: a bug in the code for printing certificate details could lead
to a buffer overrun that a malicious actor could exploit to crash the
application, causing a denial-of-service attack. [bsc#1189521]
ImportantSUSE bug 1189521CVE-2021-3712 at SUSECVE-2021-3712 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for openvswitch (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for openvswitch fixes the following issues:
- openvswitch was updated to 2.7.12
- CVE-2020-27827: Fixed a memory leak when parsing lldp packets (bsc#1181345)
A lot more minor bugs have been fixed with this openvswitch version. Please refer to the changelog of
the openvswitch.rpm file in order to obtain a list of all changes.
ImportantSUSE bug 1117483SUSE bug 1181345CVE-2020-27827 at SUSECVE-2020-27827 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_127 fixes several issues.
The following security issues were fixed:
- CVE-2021-37576: On the powerpc platform KVM guest OS users could cause host OS memory corruption via rtas_args.nargs (bsc#1188838).
- CVE-2021-3609: Fixed a local privilege escalation via a race condition in net/can/bcm.c (bsc#1187215).
ImportantSUSE bug 1188323SUSE bug 1188842CVE-2021-3609 at SUSECVE-2021-3609 at NVDCVE-2021-37576 at SUSECVE-2021-37576 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_130 fixes several issues.
The following security issues were fixed:
- CVE-2021-37576: On the powerpc platform KVM guest OS users could cause host OS memory corruption via rtas_args.nargs (bsc#1188838).
- CVE-2021-3609: Fixed a local privilege escalation via a race condition in net/can/bcm.c (bsc#1187215).
ImportantSUSE bug 1188323SUSE bug 1188842CVE-2021-3609 at SUSECVE-2021-3609 at NVDCVE-2021-37576 at SUSECVE-2021-37576 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_135 fixes several issues.
The following security issues were fixed:
- CVE-2021-37576: On the powerpc platform KVM guest OS users could cause host OS memory corruption via rtas_args.nargs (bsc#1188838).
- CVE-2021-3609: Fixed a local privilege escalation via a race condition in net/can/bcm.c (bsc#1187215).
ImportantSUSE bug 1188323SUSE bug 1188842CVE-2021-3609 at SUSECVE-2021-3609 at NVDCVE-2021-37576 at SUSECVE-2021-37576 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_138 fixes several issues.
The following security issues were fixed:
- CVE-2021-37576: On the powerpc platform KVM guest OS users could cause host OS memory corruption via rtas_args.nargs (bsc#1188838).
- CVE-2021-3609: Fixed a local privilege escalation via a race condition in net/can/bcm.c (bsc#1187215).
ImportantSUSE bug 1188323SUSE bug 1188842CVE-2021-3609 at SUSECVE-2021-3609 at NVDCVE-2021-37576 at SUSECVE-2021-37576 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_141 fixes several issues.
The following security issues were fixed:
- CVE-2021-37576: On the powerpc platform KVM guest OS users could cause host OS memory corruption via rtas_args.nargs (bsc#1188838).
- CVE-2021-3609: Fixed a local privilege escalation via a race condition in net/can/bcm.c (bsc#1187215).
ImportantSUSE bug 1188323SUSE bug 1188842CVE-2021-3609 at SUSECVE-2021-3609 at NVDCVE-2021-37576 at SUSECVE-2021-37576 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_144 fixes several issues.
The following security issues were fixed:
- CVE-2021-37576: On the powerpc platform KVM guest OS users could cause host OS memory corruption via rtas_args.nargs (bsc#1188838).
- CVE-2021-3609: Fixed a local privilege escalation via a race condition in net/can/bcm.c (bsc#1187215).
ImportantSUSE bug 1188323SUSE bug 1188842CVE-2021-3609 at SUSECVE-2021-3609 at NVDCVE-2021-37576 at SUSECVE-2021-37576 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_147 fixes several issues.
The following security issues were fixed:
- CVE-2021-37576: On the powerpc platform KVM guest OS users could cause host OS memory corruption via rtas_args.nargs (bsc#1188838).
- CVE-2021-28688: The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. (bsc#1183646)
- CVE-2020-0429: Fixed a potential local privilege escalation in l2tp_session_delete and related functions of l2tp_core.c (bsc#1176724).
ImportantSUSE bug 1176931SUSE bug 1182294SUSE bug 1188842CVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2021-28688 at SUSECVE-2021-28688 at NVDCVE-2021-37576 at SUSECVE-2021-37576 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for aspell (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for aspell fixes the following issues:
- CVE-2019-25051: Fixed heap-buffer-overflow in acommon:ObjStack:dup_top (bsc#1188576).
ImportantSUSE bug 1188576CVE-2019-25051 at SUSECVE-2019-25051 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for bind (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for bind fixes the following issues:
- CVE-2020-8622: A truncated TSIG response can lead to an assertion failure (bsc#1175443).
ModerateSUSE bug 1175443SUSE bug 1188888CVE-2020-8622 at SUSECVE-2020-8622 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for openexr (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for openexr fixes the following issues:
- CVE-2021-20298 [bsc#1188460]: Fixed Out-of-memory in B44Compressor
- CVE-2021-20299 [bsc#1188459]: Fixed Null-dereference READ in Imf_2_5:Header:operator
- CVE-2021-20300 [bsc#1188458]: Fixed Integer-overflow in Imf_2_5:hufUncompress
- CVE-2021-20302 [bsc#1188462]: Fixed Floating-point-exception in Imf_2_5:precalculateTileInfot
- CVE-2021-20303 [bsc#1188457]: Fixed Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer
- CVE-2021-20304 [bsc#1188461]: Fixed Undefined-shift in Imf_2_5:hufDecode
ImportantSUSE bug 1188457SUSE bug 1188458SUSE bug 1188459SUSE bug 1188460SUSE bug 1188461SUSE bug 1188462CVE-2021-20298 at SUSECVE-2021-20298 at NVDCVE-2021-20299 at SUSECVE-2021-20299 at NVDCVE-2021-20300 at SUSECVE-2021-20300 at NVDCVE-2021-20302 at SUSECVE-2021-20302 at NVDCVE-2021-20303 at SUSECVE-2021-20303 at NVDCVE-2021-20304 at SUSECVE-2021-20304 at NVDCVE-2021-3476 at SUSECVE-2021-3476 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libesmtp (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libesmtp fixes the following issues:
- CVE-2019-19977: Fix stack-based buffer over-read in ntlm/ntlmstruct.c (bsc#1160462).
ImportantSUSE bug 1160462SUSE bug 1189097CVE-2019-19977 at SUSECVE-2019-19977 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for file (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for file fixes the following issues:
- CVE-2019-18218: Fixed heap-based buffer overflow in cdf_read_property_info in cdf.c (bsc#1154661).
ImportantSUSE bug 1154661CVE-2019-18218 at SUSECVE-2019-18218 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for xen fixes the following issues:
- CVE-2021-3594: slirp: invalid pointer initialization may lead to information disclosure (udp)(bsc#1187378).
- CVE-2021-3595: slirp: invalid pointer initialization may lead to information disclosure (tftp)(bsc#1187376).
- CVE-2021-28698: long running loops in grant table handling (XSA-380)(bsc#1189378).
- CVE-2021-28699: inadequate grant-v2 status frames array bounds check (XSA-382)(bsc#1189380).
- CVE-2021-20255: Fixed stack overflow via infinite recursion in eepro100 (bsc#1182654)
- CVE-2021-28690: xen: x86: TSX Async Abort protections not restored after S3 (bsc#1186434)
- CVE-2021-28692: xen: inappropriate x86 IOMMU timeout detection / handling (bsc#1186429)
- CVE-2021-28694,CVE-2021-28695,CVE-2021-28696: IOMMU page mapping issues on x86 (XSA-378)(bsc#1189373).
- CVE-2021-0089: xen: Speculative Code Store Bypass (bsc#1186433)
- CVE-2021-28697: grant table v2 status pages may remain accessible after de-allocation (XSA-379)(bsc#1189376).
- CVE-2021-3592: slirp: invalid pointer initialization may lead to information disclosure (bootp)(bsc#1187369).
- Prevent superpage allocation in the LAPIC and ACPI_INFO range (bsc#1189882).
ImportantSUSE bug 1182654SUSE bug 1186429SUSE bug 1186433SUSE bug 1186434SUSE bug 1187369SUSE bug 1187376SUSE bug 1187378SUSE bug 1189373SUSE bug 1189376SUSE bug 1189378SUSE bug 1189380SUSE bug 1189882CVE-2021-0089 at SUSECVE-2021-0089 at NVDCVE-2021-20255 at SUSECVE-2021-20255 at NVDCVE-2021-28690 at SUSECVE-2021-28690 at NVDCVE-2021-28692 at SUSECVE-2021-28692 at NVDCVE-2021-28694 at SUSECVE-2021-28694 at NVDCVE-2021-28695 at SUSECVE-2021-28695 at NVDCVE-2021-28696 at SUSECVE-2021-28696 at NVDCVE-2021-28697 at SUSECVE-2021-28697 at NVDCVE-2021-28698 at SUSECVE-2021-28698 at NVDCVE-2021-28699 at SUSECVE-2021-28699 at NVDCVE-2021-3592 at SUSECVE-2021-3592 at NVDCVE-2021-3594 at SUSECVE-2021-3594 at NVDCVE-2021-3595 at SUSECVE-2021-3595 at NVDcpe:/o:suse:sles-espos:12:sp3Recommended update for mozilla-nspr, mozilla-nss (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for mozilla-nspr fixes the following issues:
mozilla-nspr was updated to version 4.32:
* implement new socket option PR_SockOpt_DontFrag
* support larger DNS records by increasing the default buffer
size for DNS queries
* Lock access to PRCallOnceType members in PR_CallOnce* for
thread safety bmo#1686138
* PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get
information about the operating system build version.
Mozilla NSS was updated to version 3.68:
* bmo#1713562 - Fix test leak.
* bmo#1717452 - NSS 3.68 should depend on NSPR 4.32.
* bmo#1693206 - Implement PKCS8 export of ECDSA keys.
* bmo#1712883 - DTLS 1.3 draft-43.
* bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
* bmo#1713562 - Validate ECH public names.
* bmo#1717610 - Add function to get seconds from epoch from pkix::Time.
update to NSS 3.67
* bmo#1683710 - Add a means to disable ALPN.
* bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66).
* bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja.
* bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c.
* bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte.
update to NSS 3.66
* bmo#1710716 - Remove Expired Sonera Class2 CA from NSS.
* bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority.
* bmo#1708307 - Remove Trustis FPS Root CA from NSS.
* bmo#1707097 - Add Certum Trusted Root CA to NSS.
* bmo#1707097 - Add Certum EC-384 CA to NSS.
* bmo#1703942 - Add ANF Secure Server Root CA to NSS.
* bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS.
* bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database.
* bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler.
* bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h.
* bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators.
* bmo#1709291 - Add VerifyCodeSigningCertificateChain.
update to NSS 3.65
* bmo#1709654 - Update for NetBSD configuration.
* bmo#1709750 - Disable HPKE test when fuzzing.
* bmo#1566124 - Optimize AES-GCM for ppc64le.
* bmo#1699021 - Add AES-256-GCM to HPKE.
* bmo#1698419 - ECH -10 updates.
* bmo#1692930 - Update HPKE to final version.
* bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default.
* bmo#1703936 - New coverity/cpp scanner errors.
* bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards.
* bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
* bmo#1705119 - Deadlock when using GCM and non-thread safe tokens.
update to NSS 3.64
* bmo#1705286 - Properly detect mips64.
* bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and
disable_crypto_vsx.
* bmo#1698320 - replace __builtin_cpu_supports('vsx') with
ppc_crypto_support() for clang.
* bmo#1613235 - Add POWER ChaCha20 stream cipher vector
acceleration.
Fixed in 3.63
* bmo#1697380 - Make a clang-format run on top of helpful contributions.
* bmo#1683520 - ECCKiila P384, change syntax of nested structs
initialization to prevent build isses with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual
scalar multiplication.
* bmo#1683520 - ECCKiila P521, change syntax of nested structs
initialization to prevent build isses with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual
scalar multiplication.
* bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683.
* bmo#1694214 - tstclnt can't enable middlebox compat mode.
* bmo#1694392 - NSS does not work with PKCS #11 modules not supporting
profiles.
* bmo#1685880 - Minor fix to prevent unused variable on early return.
* bmo#1685880 - Fix for the gcc compiler version 7 to support setenv
with nss build.
* bmo#1693217 - Increase nssckbi.h version number for March 2021 batch
of root CA changes, CA list version 2.48.
* bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's
'Chambers of Commerce' and 'Global Chambersign' roots.
* bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER.
* bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS.
* bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS.
* bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs
from NSS.
* bmo#1687822 - Turn off Websites trust bit for the “Staat der
Nederlanden Root CA - G3” root cert in NSS.
* bmo#1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce
Root - 2008' and 'Global Chambersign Root - 2008’.
* bmo#1694291 - Tracing fixes for ECH.
update to NSS 3.62
* bmo#1688374 - Fix parallel build NSS-3.61 with make
* bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add()
can corrupt 'cachedCertTable'
* bmo#1690583 - Fix CH padding extension size calculation
* bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail
* bmo#1690421 - Install packaged libabigail in docker-builds image
* bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing
* bmo#1674819 - Fixup a51fae403328, enum type may be signed
* bmo#1681585 - Add ECH support to selfserv
* bmo#1681585 - Update ECH to Draft-09
* bmo#1678398 - Add Export/Import functions for HPKE context
* bmo#1678398 - Update HPKE to draft-07
update to NSS 3.61
* bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key
values under certain conditions.
* bmo#1684300 - Fix default PBE iteration count when NSS is compiled
with NSS_DISABLE_DBM.
* bmo#1651411 - Improve constant-timeness in RSA operations.
* bmo#1677207 - Upgrade Google Test version to latest release.
* bmo#1654332 - Add aarch64-make target to nss-try.
Update to NSS 3.60.1:
Notable changes in NSS 3.60:
* TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support
has been added, replacing the previous ESNI (draft-ietf-tls-esni-01)
implementation. See bmo#1654332 for more information.
* December 2020 batch of Root CA changes, builtins library updated
to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769
for more information.
Update to NSS 3.59.1:
* bmo#1679290 - Fix potential deadlock with certain third-party
PKCS11 modules
Update to NSS 3.59:
Notable changes:
* Exported two existing functions from libnss:
CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData
Bugfixes
* bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
* bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
* bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
* bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
* bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed
root certs when SHA1 signatures are disabled.
* bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to
solve some test intermittents
* bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in
our CVE-2020-25648 fix that broke purple-discord
(boo#1179382)
* bmo#1666891 - Support key wrap/unwrap with RSA-OAEP
* bmo#1667989 - Fix gyp linking on Solaris
* bmo#1668123 - Export CERT_AddCertToListHeadWithData and
CERT_AddCertToListTailWithData from libnss
* bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
* bmo#1663091 - Remove unnecessary assertions in the streaming
ASN.1 decoder that affected decoding certain PKCS8
private keys when using NSS debug builds
* bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.
update to NSS 3.58
Bugs fixed:
* bmo#1641480 (CVE-2020-25648)
Tighten CCS handling for middlebox compatibility mode.
* bmo#1631890 - Add support for Hybrid Public Key Encryption
(draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello
(draft-ietf-tls-esni).
* bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto
extensions.
* bmo#1668328 - Handle spaces in the Python path name when using
gyp on Windows.
* bmo#1667153 - Add PK11_ImportDataKey for data object import.
* bmo#1665715 - Pass the embedded SCT list extension (if present)
to TrustDomain::CheckRevocation instead of the notBefore value.
update to NSS 3.57
* The following CA certificates were Added:
bmo#1663049 - CN=Trustwave Global Certification Authority
SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority
SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority
SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
* The following CA certificates were Removed:
bmo#1651211 - CN=EE Certification Centre Root CA
SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76
bmo#1656077 - O=Government Root Certification Authority; C=TW
SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
* Trust settings for the following CA certificates were Modified:
bmo#1653092 - CN=OISTE WISeKey Global Root GA CA
Websites (server authentication) trust bit removed.
* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes
update to NSS 3.56
Notable changes
* bmo#1650702 - Support SHA-1 HW acceleration on ARMv8
* bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS.
* bmo#1654142 - Add CPU feature detection for Intel SHA extension.
* bmo#1648822 - Add stricter validation of DH keys in FIPS mode.
* bmo#1656986 - Properly detect arm64 during GYP build architecture
detection.
* bmo#1652729 - Add build flag to disable RC2 and relocate to
lib/freebl/deprecated.
* bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay.
* bmo#1588941 - Send empty certificate message when scheme selection
fails.
* bmo#1652032 - Fix failure to build in Windows arm64 makefile
cross-compilation.
* bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent.
* bmo#1653975 - Fix 3.53 regression by setting 'all' as the default
makefile target.
* bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert.
* bmo#1659814 - Fix interop.sh failures with newer tls-interop
commit and dependencies.
* bmo#1656519 - NSPR dependency updated to 4.28
update to NSS 3.55
Notable changes
* P384 and P521 elliptic curve implementations are replaced with
verifiable implementations from Fiat-Crypto [0] and ECCKiila [1].
* PK11_FindCertInSlot is added. With this function, a given slot
can be queried with a DER-Encoded certificate, providing performance
and usability improvements over other mechanisms. (bmo#1649633)
* DTLS 1.3 implementation is updated to draft-38. (bmo#1647752)
Relevant Bugfixes
* bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and
P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila.
* bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature.
* bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding.
* bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part
ChaCha20 (which was not functioning correctly) and more strictly
enforce tag length.
* bmo#1649648 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649316 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649322 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1653202 - Fix initialization bug in blapitest when compiled
with NSS_DISABLE_DEPRECATED_SEED.
* bmo#1646594 - Fix AVX2 detection in makefile builds.
* bmo#1649633 - Add PK11_FindCertInSlot to search a given slot
for a DER-encoded certificate.
* bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo.
* bmo#1647752 - Update DTLS 1.3 implementation to draft-38.
* bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI.
* bmo#1649226 - Add Wycheproof ECDSA tests.
* bmo#1637222 - Consistently enforce IV requirements for DES and 3DES.
* bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in
RSA_CheckSignRecover.
* bmo#1646324 - Advertise PKCS#1 schemes for certificates in the
signature_algorithms extension.
update to NSS 3.54
Notable changes
* Support for TLS 1.3 external pre-shared keys (bmo#1603042).
* Use ARM Cryptography Extension for SHA256, when available
(bmo#1528113)
* The following CA certificates were Added:
bmo#1645186 - certSIGN Root CA G2.
bmo#1645174 - e-Szigno Root CA 2017.
bmo#1641716 - Microsoft ECC Root Certificate Authority 2017.
bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
* The following CA certificates were Removed:
bmo#1645199 - AddTrust Class 1 CA Root.
bmo#1645199 - AddTrust External CA Root.
bmo#1641718 - LuxTrust Global Root 2.
bmo#1639987 - Staat der Nederlanden Root CA - G2.
bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4.
bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4.
bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.
* A number of certificates had their Email trust bit disabled.
See bmo#1618402 for a complete list.
Bugs fixed
* bmo#1528113 - Use ARM Cryptography Extension for SHA256.
* bmo#1603042 - Add TLS 1.3 external PSK support.
* bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
* bmo#1645186 - Add 'certSIGN Root CA G2' root certificate.
* bmo#1645174 - Add Microsec's 'e-Szigno Root CA 2017' root certificate.
* bmo#1641716 - Add Microsoft's non-EV root certificates.
* bmo1621151 - Disable email trust bit for 'O=Government
Root Certification Authority; C=TW' root.
* bmo#1645199 - Remove AddTrust root certificates.
* bmo#1641718 - Remove 'LuxTrust Global Root 2' root certificate.
* bmo#1639987 - Remove 'Staat der Nederlanden Root CA - G2' root
certificate.
* bmo#1618402 - Remove Symantec root certificates and disable email trust
bit.
* bmo#1640516 - NSS 3.54 should depend on NSPR 4.26.
* bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c.
* bmo#1642153 - Fix infinite recursion building NSS.
* bmo#1642638 - Fix fuzzing assertion crash.
* bmo#1642871 - Enable SSL_SendSessionTicket after resumption.
* bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs.
* bmo#1643557 - Fix numerous compile warnings in NSS.
* bmo#1644774 - SSL gtests to use ClearServerCache when resetting
self-encrypt keys.
* bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c.
* bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding.
ModerateSUSE bug 1029961SUSE bug 1174697SUSE bug 1176206SUSE bug 1176934SUSE bug 1179382SUSE bug 1188891CVE-2020-12400 at SUSECVE-2020-12400 at NVDCVE-2020-12401 at SUSECVE-2020-12401 at NVDCVE-2020-12403 at SUSECVE-2020-12403 at NVDCVE-2020-25648 at SUSECVE-2020-25648 at NVDCVE-2020-6829 at SUSECVE-2020-6829 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for transfig (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for transfig fixes the following issues:
Update to version 3.2.8, including fixes for
- CVE-2021-3561: overflow in fig2dev/read.c in function read_colordef() (bsc#1186329).
- CVE-2020-21683: Fixed buffer overflow in the shade_or_tint_name_after_declare_color in genpstricks.c (bsc#1189325).
- CVE-2020-21682: Fixed buffer overflow in the set_fill component in genge.c (bsc#1189346).
- CVE-2020-21681: Fixed buffer overflow in the set_color component in genge.c (bsc#1189345).
- CVE-2020-21680: Fixed stack-based buffer overflow in the put_arrow() component in genpict2e.c (bsc#1189343).
- CVE-2019-19797: out-of-bounds write in read_colordef in read.c (bsc#1159293).
- CVE-2019-19555: stack-based buffer overflow because of an incorrect sscanf (bsc#1161698).
- CVE-2019-19746: segmentation fault and out-of-bounds write because of an integer overflow via a large arrow type (bsc#1159130).
ModerateSUSE bug 1136882SUSE bug 1159130SUSE bug 1159293SUSE bug 1161698SUSE bug 1186329SUSE bug 1189325SUSE bug 1189343SUSE bug 1189345SUSE bug 1189346CVE-2019-19555 at SUSECVE-2019-19555 at NVDCVE-2019-19746 at SUSECVE-2019-19746 at NVDCVE-2019-19797 at SUSECVE-2019-19797 at NVDCVE-2020-21680 at SUSECVE-2020-21680 at NVDCVE-2020-21681 at SUSECVE-2020-21681 at NVDCVE-2020-21682 at SUSECVE-2020-21682 at NVDCVE-2020-21683 at SUSECVE-2020-21683 at NVDCVE-2021-3561 at SUSECVE-2021-3561 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for gtk-vnc (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for gtk-vnc fixes the following issues:
- CVE-2017-5885: Correctly validate color map range indexes (bsc#1024268).
- CVE-2017-5884: Fix bounds checking for RRE, hextile & copyrect encodings (bsc#1024266).
- Fix crash when opening connection from a GSocketAddress (bsc#1046782).
- Fix possible crash on connection failure (bsc#1188292).
ModerateSUSE bug 1024266SUSE bug 1024268SUSE bug 1046782SUSE bug 1188292CVE-2017-5884 at SUSECVE-2017-5884 at NVDCVE-2017-5885 at SUSECVE-2017-5885 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for openssl (Low)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for openssl fixes the following issues:
- CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712.
Read buffer overruns processing ASN.1 strings (bsc#1189521).
LowSUSE bug 1189521CVE-2021-3712 at SUSECVE-2021-3712 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for ghostscript (Critical)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for ghostscript fixes the following issues:
- CVE-2021-3781: Fixed a trivial -dSAFER bypass command injection (bsc#1190381)
CriticalSUSE bug 1190381CVE-2021-3781 at SUSECVE-2021-3781 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
This update contains the Firefox Extended Support Release 91.1.0 ESR.
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-40 (bsc#1190269, bsc#1190274):
* CVE-2021-38492: Navigating to `mk:` URL scheme could load Internet Explorer
* CVE-2021-38495: Memory safety bugs fixed in Firefox 92 and Firefox ESR 91.1
Firefox 91.0.1esr ESR
* Fixed: Fixed an issue causing buttons on the tab bar to be
resized when loading certain websites (bug 1704404)
* Fixed: Fixed an issue which caused tabs from private windows
to be visible in non-private windows when viewing switch-to-
tab results in the address bar panel (bug 1720369)
* Fixed: Various stability fixes
* Fixed: Security fix MFSA 2021-37 (bsc#1189547)
* CVE-2021-29991 (bmo#1724896)
Header Splitting possible with HTTP/3 Responses
Firefox Extended Support Release 91.0 ESR
* New: Some of the highlights of the new Extended Support Release are:
- A number of user interface changes. For more information,
see the Firefox 89 release notes.
- Firefox now supports logging into Microsoft, work, and
school accounts using Windows single sign-on. Learn more
- On Windows, updates can now be applied in the background
while Firefox is not running.
- Firefox for Windows now offers a new page about:third-party
to help identify compatibility issues caused by third-party
applications
- Version 2 of Firefox's SmartBlock feature further improves
private browsing. Third party Facebook scripts are blocked to
prevent you from being tracked, but are now automatically
loaded 'just in time' if you decide to 'Log in with Facebook'
on any website.
- Enhanced the privacy of the Firefox Browser's Private
Browsing mode with Total Cookie Protection, which confines
cookies to the site where they were created, preventing
companis from using cookies to track your browsing across
sites. This feature was originally launched in Firefox's ETP
Strict mode.
- PDF forms now support JavaScript embedded in PDF files.
Some PDF forms use JavaScript for validation and other
interactive features.
- You'll encounter less website breakage in Private Browsing
and Strict Enhanced Tracking Protection with SmartBlock,
which provides stand-in scripts so that websites load
properly.
- Improved Print functionality with a cleaner design and
better integration with your computer's printer settings.
- Firefox now protects you from supercookies, a type of
tracker that can stay hidden in your browser and track you
online, even after you clear cookies. By isolating
supercookies, Firefox prevents them from tracking your web
browsing from one site to the next.
- Firefox now remembers your preferred location for saved
bookmarks, displays the bookmarks toolbar by default on new
tabs, and gives you easy access to all of your bookmarks via
a toolbar folder.
- Native support for macOS devices built with Apple Silicon
CPUs brings dramatic performance improvements over the non-
native build that was shipped in Firefox 83: Firefox launches
over 2.5 times faster and web apps are now twice as
responsive (per the SpeedoMeter 2.0 test). If you are on a
new Apple device, follow these steps to upgrade to the latest
Firefox.
- Pinch zooming will now be supported for our users with
Windows touchscreen devices and touchpads on Mac devices.
Firefox users may now use pinch to zoom on touch-capable
devices to zoom in and out of webpages.
- We’ve improved functionality and design for a number of
Firefox search features:
* Selecting a search engine at the bottom of the search
panel now enters search mode for that engine, allowing you to
see suggestions (if available) for your search terms. The old
behavior (immediately performing a search) is available with
a shift-click.
* When Firefox autocompletes the URL of one of your search
engines, you can now search with that engine directly in the
address bar by selecting the shortcut in the address bar
results.
* We’ve added buttons at the bottom of the search panel to
allow you to search your bookmarks, open tabs, and history.
- Firefox supports AcroForm, which will allow you to fill in,
print, and save supported PDF forms and the PDF viewer also
has a new fresh look.
- For our users in the US and Canada, Firefox can now save,
manage, and auto-fill credit card information for you, making
shopping on Firefox ever more convenient.
- In addition to our default, dark and light themes, with
this release, Firefox introduces the Alpenglow theme: a
colorful appearance for buttons, menus, and windows. You can
update your Firefox themes under settings or preferences.
* Changed: Firefox no longer supports Adobe Flash. There is no
setting available to re-enable Flash support.
* Enterprise: Various bug fixes and new policies have been
implemented in the latest version of Firefox. See more
details in the Firefox for Enterprise 91 Release Notes.
MFSA 2021-33 (bsc#1188891):
* CVE-2021-29986: Race condition when resolving DNS names could have led to
memory corruption
* CVE-2021-29981: Live range splitting could have led to conflicting
assignments in the JIT
* CVE-2021-29988: Memory corruption as a result of incorrect style treatment
* CVE-2021-29983: Firefox for Android could get stuck in fullscreen mode
* CVE-2021-29984: Incorrect instruction reordering during JIT optimization
* CVE-2021-29980: Uninitialized memory in a canvas object could have led to
memory corruption
* CVE-2021-29987: Users could have been tricked into accepting unwanted
permissions on Linux
* CVE-2021-29985: Use-after-free media channels
* CVE-2021-29982: Single bit data leak due to incorrect JIT optimization and
type confusion
* CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
* CVE-2021-29990: Memory safety bugs fixed in Firefox 91
ImportantSUSE bug 1188891SUSE bug 1189547SUSE bug 1190269SUSE bug 1190274CVE-2021-29980 at SUSECVE-2021-29980 at NVDCVE-2021-29981 at SUSECVE-2021-29981 at NVDCVE-2021-29982 at SUSECVE-2021-29982 at NVDCVE-2021-29983 at SUSECVE-2021-29983 at NVDCVE-2021-29984 at SUSECVE-2021-29984 at NVDCVE-2021-29985 at SUSECVE-2021-29985 at NVDCVE-2021-29986 at SUSECVE-2021-29986 at NVDCVE-2021-29987 at SUSECVE-2021-29987 at NVDCVE-2021-29988 at SUSECVE-2021-29988 at NVDCVE-2021-29989 at SUSECVE-2021-29989 at NVDCVE-2021-29990 at SUSECVE-2021-29990 at NVDCVE-2021-29991 at SUSECVE-2021-29991 at NVDCVE-2021-38492 at SUSECVE-2021-38492 at NVDCVE-2021-38495 at SUSECVE-2021-38495 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_135 fixes several issues.
The following security issues were fixed:
- CVE-2021-3653: Fixed missing validation of the KVM `int_ctl` VMCB field that would have allowed a malicious L1 guest to enable AVIC support for the L2 guest (bsc#1189420).
- CVE-2021-38198: Fixed KVM MMU to use the correct inherited permissions to get shadow page (bsc#1189278).
ImportantSUSE bug 1189278SUSE bug 1189420CVE-2021-3653 at SUSECVE-2021-3653 at NVDCVE-2021-38198 at SUSECVE-2021-38198 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_147 fixes several issues.
The following security issues were fixed:
- CVE-2021-3653: Fixed missing validation of the KVM `int_ctl` VMCB field that would have allowed a malicious L1 guest to enable AVIC support for the L2 guest (bsc#1189420).
- CVE-2021-38198: Fixed KVM MMU to use the correct inherited permissions to get shadow page (bsc#1189278).
ImportantSUSE bug 1189278SUSE bug 1189420CVE-2021-3653 at SUSECVE-2021-3653 at NVDCVE-2021-38198 at SUSECVE-2021-38198 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_144 fixes several issues.
The following security issues were fixed:
- CVE-2021-3653: Fixed missing validation of the KVM `int_ctl` VMCB field that would have allowed a malicious L1 guest to enable AVIC support for the L2 guest (bsc#1189420).
- CVE-2021-38198: Fixed KVM MMU to use the correct inherited permissions to get shadow page (bsc#1189278).
ImportantSUSE bug 1189278SUSE bug 1189420CVE-2021-3653 at SUSECVE-2021-3653 at NVDCVE-2021-38198 at SUSECVE-2021-38198 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_141 fixes several issues.
The following security issues were fixed:
- CVE-2021-3653: Fixed missing validation of the KVM `int_ctl` VMCB field that would have allowed a malicious L1 guest to enable AVIC support for the L2 guest (bsc#1189420).
- CVE-2021-38198: Fixed KVM MMU to use the correct inherited permissions to get shadow page (bsc#1189278).
ImportantSUSE bug 1189278SUSE bug 1189420CVE-2021-3653 at SUSECVE-2021-3653 at NVDCVE-2021-38198 at SUSECVE-2021-38198 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_138 fixes several issues.
The following security issues were fixed:
- CVE-2021-3653: Fixed missing validation of the KVM `int_ctl` VMCB field that would have allowed a malicious L1 guest to enable AVIC support for the L2 guest (bsc#1189420).
- CVE-2021-38198: Fixed KVM MMU to use the correct inherited permissions to get shadow page (bsc#1189278).
ImportantSUSE bug 1189278SUSE bug 1189420CVE-2021-3653 at SUSECVE-2021-3653 at NVDCVE-2021-38198 at SUSECVE-2021-38198 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_8_0-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 6 Fix Pack 20 [bsc#1180063,bsc#1177943]
CVE-2020-14792 CVE-2020-14797 CVE-2020-14781 CVE-2020-14779
CVE-2020-14798 CVE-2020-14796 CVE-2020-14803
* Class libraries:
- SOCKETADAPTOR$SOCKETINPUTSTREAM.READ is blocking for more time
that the set timeout
- Z/OS specific C function send_file is changing the file pointer
position
* Java Virtual Machine:
- Crash on iterate java stack
- Java process hang on SIGTERM
* JIT Compiler:
- JMS performance regression from JDK8 SR5 FP40 TO FP41
* Class Libraries:
- z15 high utilization following Z/VM and Linux migration from
z14 To z15
* Java Virtual Machine:
- Assertion failed when trying to write a class file
- Assertion failure at modronapi.cpp
- Improve the performance of defining and finding classes
* JIT Compiler:
- An assert in ppcbinaryencoding.cpp may trigger when running
with traps disabled on power
- AOT field offset off by n bytes
- Segmentation fault in jit module on ibm z platform ModerateSUSE bug 1177943SUSE bug 1180063CVE-2020-14779 at SUSECVE-2020-14779 at NVDCVE-2020-14781 at SUSECVE-2020-14781 at NVDCVE-2020-14792 at SUSECVE-2020-14792 at NVDCVE-2020-14796 at SUSECVE-2020-14796 at NVDCVE-2020-14797 at SUSECVE-2020-14797 at NVDCVE-2020-14798 at SUSECVE-2020-14798 at NVDCVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_130 fixes several issues.
The following security issues were fixed:
- CVE-2021-3653: Fixed missing validation of the KVM `int_ctl` VMCB field that would have allowed a malicious L1 guest to enable AVIC support for the L2 guest (bsc#1189420).
- CVE-2021-38198: Fixed KVM MMU to use the correct inherited permissions to get shadow page (bsc#1189278).
ImportantSUSE bug 1189278SUSE bug 1189420CVE-2021-3653 at SUSECVE-2021-3653 at NVDCVE-2021-38198 at SUSECVE-2021-38198 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for xen fixes the following issues:
- CVE-2021-28701: Fixed race condition in XENMAPSPACE_grant_table handling (XSA-384) (bsc#1189632).
- Integrate bugfixes (bsc#1189373, bsc#1189378).
ImportantSUSE bug 1189373SUSE bug 1189378SUSE bug 1189632CVE-2021-28701 at SUSECVE-2021-28701 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for sqlite3 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for sqlite3 fixes the following issues:
sqlite3 is sync version 3.36.0 from Factory (jsc#SLE-16032).
The following CVEs have been fixed in upstream releases up to
this point, but were not mentioned in the change log so far:
* bsc#1173641, CVE-2020-15358: heap-based buffer overflow in
multiSelectOrderBy due to mishandling of query-flattener
optimization
* bsc#1164719, CVE-2020-9327: NULL pointer dereference and
segmentation fault because of generated column optimizations in
isAuxiliaryVtabOperator
* bsc#1160439, CVE-2019-20218: selectExpander in select.c proceeds
with WITH stack unwinding even after a parsing error
* bsc#1160438, CVE-2019-19959: memory-management error via
ext/misc/zipfile.c involving embedded '\0' input
* bsc#1160309, CVE-2019-19923: improper handling of certain uses
of SELECT DISTINCT in flattenSubquery may lead to null pointer
dereference
* bsc#1159850, CVE-2019-19924: improper error handling in
sqlite3WindowRewrite()
* bsc#1159847, CVE-2019-19925: improper handling of NULL pathname
during an update of a ZIP archive
* bsc#1159715, CVE-2019-19926: improper handling of certain
errors during parsing multiSelect in select.c
* bsc#1159491, CVE-2019-19880: exprListAppendList in window.c
allows attackers to trigger an invalid pointer dereference
* bsc#1158960, CVE-2019-19603: during handling of CREATE TABLE
and CREATE VIEW statements, does not consider confusion with
a shadow table name
* bsc#1158959, CVE-2019-19646: pragma.c mishandles NOT NULL in an
integrity_check PRAGMA command in certain cases of generated
columns
* bsc#1158958, CVE-2019-19645: alter.c allows attackers to trigger
infinite recursion via certain types of self-referential views
in conjunction with ALTER TABLE statements
* bsc#1158812, CVE-2019-19317: lookupName in resolve.c omits bits
from the colUsed bitmask in the case of a generated column,
which allows attackers to cause a denial of service
* bsc#1157818, CVE-2019-19244: sqlite3,sqlite2,sqlite: The
function sqlite3Select in select.c allows a crash if a
sub-select uses both DISTINCT and window functions, and also
has certain ORDER BY usage
* bsc#928701, CVE-2015-3415: sqlite3VdbeExec comparison operator
vulnerability
* bsc#928700, CVE-2015-3414: sqlite3,sqlite2: dequoting of
collation-sequence names
* CVE-2020-13434 bsc#1172115: integer overflow in
sqlite3_str_vappendf
* CVE-2020-13630 bsc#1172234: use-after-free in fts3EvalNextRow
* CVE-2020-13631 bsc#1172236: virtual table allowed to be renamed
to one of its shadow tables
* CVE-2020-13632 bsc#1172240: NULL pointer dereference via
crafted matchinfo() query
* CVE-2020-13435: Malicious SQL statements could have crashed the
process that is running SQLite (bsc#1172091)
ImportantSUSE bug 1157818SUSE bug 1158812SUSE bug 1158958SUSE bug 1158959SUSE bug 1158960SUSE bug 1159491SUSE bug 1159715SUSE bug 1159847SUSE bug 1159850SUSE bug 1160309SUSE bug 1160438SUSE bug 1160439SUSE bug 1164719SUSE bug 1172091SUSE bug 1172115SUSE bug 1172234SUSE bug 1172236SUSE bug 1172240SUSE bug 1173641SUSE bug 928700SUSE bug 928701CVE-2015-3414 at SUSECVE-2015-3414 at NVDCVE-2015-3415 at SUSECVE-2015-3415 at NVDCVE-2016-6153 at SUSECVE-2016-6153 at NVDCVE-2017-10989 at SUSECVE-2017-10989 at NVDCVE-2017-2518 at SUSECVE-2017-2518 at NVDCVE-2018-20346 at SUSECVE-2018-20346 at NVDCVE-2018-8740 at SUSECVE-2018-8740 at NVDCVE-2019-16168 at SUSECVE-2019-16168 at NVDCVE-2019-19244 at SUSECVE-2019-19244 at NVDCVE-2019-19317 at SUSECVE-2019-19317 at NVDCVE-2019-19603 at SUSECVE-2019-19603 at NVDCVE-2019-19645 at SUSECVE-2019-19645 at NVDCVE-2019-19646 at SUSECVE-2019-19646 at NVDCVE-2019-19880 at SUSECVE-2019-19880 at NVDCVE-2019-19923 at SUSECVE-2019-19923 at NVDCVE-2019-19924 at SUSECVE-2019-19924 at NVDCVE-2019-19925 at SUSECVE-2019-19925 at NVDCVE-2019-19926 at SUSECVE-2019-19926 at NVDCVE-2019-19959 at SUSECVE-2019-19959 at NVDCVE-2019-20218 at SUSECVE-2019-20218 at NVDCVE-2019-8457 at SUSECVE-2019-8457 at NVDCVE-2020-13434 at SUSECVE-2020-13434 at NVDCVE-2020-13435 at SUSECVE-2020-13435 at NVDCVE-2020-13630 at SUSECVE-2020-13630 at NVDCVE-2020-13631 at SUSECVE-2020-13631 at NVDCVE-2020-13632 at SUSECVE-2020-13632 at NVDCVE-2020-15358 at SUSECVE-2020-15358 at NVDCVE-2020-9327 at SUSECVE-2020-9327 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for python-urllib3 (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for python-urllib3 fixes the following security issue:
- CVE-2020-26137: A CRLF injection via HTTP request method was fixed (bsc#1177120)
Note that this was fixed in a previous version update to 1.25.9, this update just complements the tracking.
ModerateSUSE bug 1177120CVE-2020-26137 at SUSECVE-2020-26137 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for glibc (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for glibc fixes the following issues:
Security issues fixed:
- CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911)
- CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489)
Also the following bug was fixed:
- Avoid concurrency problem in ldconfig (bsc#1117993)
ModerateSUSE bug 1117993SUSE bug 1186489SUSE bug 1187911CVE-2021-33574 at SUSECVE-2021-33574 at NVDCVE-2021-35942 at SUSECVE-2021-35942 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.32.4
- CVE-2021-30858: Fixed a security bug that could allow maliciously crafted web content to achieve arbitrary code execution. (bsc#1190701)
- CVE-2021-21806: Fixed an exploitable use-after-free vulnerability via specially crafted HTML web page. (bsc#1188697)
ImportantSUSE bug 1188697SUSE bug 1190701CVE-2021-21806 at SUSECVE-2021-21806 at NVDCVE-2021-30858 at SUSECVE-2021-30858 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for apache2 fixes the following issues:
- CVE-2021-40438: Fixed a SRF via a crafted request uri-path. (bsc#1190703)
- CVE-2021-39275: Fixed an out-of-bounds write in ap_escape_quotes() via malicious input. (bsc#1190666)
- CVE-2021-34798: Fixed a NULL pointer dereference via malformed requests. (bsc#1190669)
ImportantSUSE bug 1190666SUSE bug 1190669SUSE bug 1190703CVE-2021-34798 at SUSECVE-2021-34798 at NVDCVE-2021-39275 at SUSECVE-2021-39275 at NVDCVE-2021-40438 at SUSECVE-2021-40438 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for python3 fixes the following issues:
- Provide the newest setuptools wheel (bsc#1176262,
CVE-2019-20916) in their correct form (bsc#1180686).
ImportantSUSE bug 1176262SUSE bug 1180686CVE-2019-20916 at SUSECVE-2019-20916 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.2.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-45 (bsc#1191332)
* CVE-2021-38496: Use-after-free in MessageTask
* CVE-2021-38497: Validation message could have been overlaid on another origin
* CVE-2021-38498: Use-after-free of nsLanguageAtomService object
* CVE-2021-32810: Fixed Data race in crossbeam-deque
* CVE-2021-38500: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2
* CVE-2021-38501: Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2
- Fixed crash in FIPS mode (bsc#1190710)
ImportantSUSE bug 1190710SUSE bug 1191332CVE-2021-32810 at SUSECVE-2021-32810 at NVDCVE-2021-38496 at SUSECVE-2021-38496 at NVDCVE-2021-38497 at SUSECVE-2021-38497 at NVDCVE-2021-38498 at SUSECVE-2021-38498 at NVDCVE-2021-38500 at SUSECVE-2021-38500 at NVDCVE-2021-38501 at SUSECVE-2021-38501 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_144 fixes several issues.
The following security issues were fixed:
- CVE-2021-3715: Fixed a user-after-free in the Linux kernel's Traffic Control networking subsystem which could lead to local privilege escalation. (bsc#1190350).
- CVE-2021-38160: Fixed a bug that could lead to a data corruption or loss. This can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190118)
- CVE-2021-3640: Fixed a user-after-free bug in the function sco_sock_sendmsg which could lead to local privilege escalation. (bsc#1188613)
- CVE-2021-3573: Fixed a user-after-free bug in the function hci_sock_bound_ioctl which could lead to local privilege escalation. (bsc#1187054).
ImportantSUSE bug 1187054SUSE bug 1188613SUSE bug 1190118SUSE bug 1190350CVE-2021-3573 at SUSECVE-2021-3573 at NVDCVE-2021-3640 at SUSECVE-2021-3640 at NVDCVE-2021-3715 at SUSECVE-2021-3715 at NVDCVE-2021-38160 at SUSECVE-2021-38160 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_147 fixes several issues.
The following security issues were fixed:
- CVE-2021-3715: Fixed a user-after-free in the Linux kernel's Traffic Control networking subsystem which could lead to local privilege escalation. (bsc#1190350).
- CVE-2021-38160: Fixed a bug that could lead to a data corruption or loss. This can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190118)
- CVE-2021-3640: Fixed a user-after-free bug in the function sco_sock_sendmsg which could lead to local privilege escalation. (bsc#1188613)
- CVE-2021-3573: Fixed a user-after-free bug in the function hci_sock_bound_ioctl which could lead to local privilege escalation. (bsc#1187054).
ImportantSUSE bug 1187054SUSE bug 1188613SUSE bug 1190118SUSE bug 1190350CVE-2021-3573 at SUSECVE-2021-3573 at NVDCVE-2021-3640 at SUSECVE-2021-3640 at NVDCVE-2021-3715 at SUSECVE-2021-3715 at NVDCVE-2021-38160 at SUSECVE-2021-38160 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_135 fixes several issues.
The following security issues were fixed:
- CVE-2021-3715: Fixed a user-after-free in the Linux kernel's Traffic Control networking subsystem which could lead to local privilege escalation. (bsc#1190350).
- CVE-2021-38160: Fixed a bug that could lead to a data corruption or loss. This can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190118)
- CVE-2021-3640: Fixed a user-after-free bug in the function sco_sock_sendmsg which could lead to local privilege escalation. (bsc#1188613)
- CVE-2021-3573: Fixed a user-after-free bug in the function hci_sock_bound_ioctl which could lead to local privilege escalation. (bsc#1187054).
ImportantSUSE bug 1187054SUSE bug 1188613SUSE bug 1190118SUSE bug 1190350CVE-2021-3573 at SUSECVE-2021-3573 at NVDCVE-2021-3640 at SUSECVE-2021-3640 at NVDCVE-2021-3715 at SUSECVE-2021-3715 at NVDCVE-2021-38160 at SUSECVE-2021-38160 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_138 fixes several issues.
The following security issues were fixed:
- CVE-2021-3715: Fixed a user-after-free in the Linux kernel's Traffic Control networking subsystem which could lead to local privilege escalation. (bsc#1190350).
- CVE-2021-38160: Fixed a bug that could lead to a data corruption or loss. This can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190118)
- CVE-2021-3640: Fixed a user-after-free bug in the function sco_sock_sendmsg which could lead to local privilege escalation. (bsc#1188613)
- CVE-2021-3573: Fixed a user-after-free bug in the function hci_sock_bound_ioctl which could lead to local privilege escalation. (bsc#1187054).
ImportantSUSE bug 1187054SUSE bug 1188613SUSE bug 1190118SUSE bug 1190350CVE-2021-3573 at SUSECVE-2021-3573 at NVDCVE-2021-3640 at SUSECVE-2021-3640 at NVDCVE-2021-3715 at SUSECVE-2021-3715 at NVDCVE-2021-38160 at SUSECVE-2021-38160 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_141 fixes several issues.
The following security issues were fixed:
- CVE-2021-3715: Fixed a user-after-free in the Linux kernel's Traffic Control networking subsystem which could lead to local privilege escalation. (bsc#1190350).
- CVE-2021-38160: Fixed a bug that could lead to a data corruption or loss. This can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190118)
- CVE-2021-3640: Fixed a user-after-free bug in the function sco_sock_sendmsg which could lead to local privilege escalation. (bsc#1188613)
- CVE-2021-3573: Fixed a user-after-free bug in the function hci_sock_bound_ioctl which could lead to local privilege escalation. (bsc#1187054).
ImportantSUSE bug 1187054SUSE bug 1188613SUSE bug 1190118SUSE bug 1190350CVE-2021-3573 at SUSECVE-2021-3573 at NVDCVE-2021-3640 at SUSECVE-2021-3640 at NVDCVE-2021-3715 at SUSECVE-2021-3715 at NVDCVE-2021-38160 at SUSECVE-2021-38160 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for util-linux (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for util-linux fixes the following issues:
- CVE-2021-37600: Fixed an integer overflow which could lead to buffer overflow in get_sem_elements. (bsc#1188921)
- Prevent outdated pam files (bsc#1082293, bsc#1081947#c68).
- Do not trim read-only volumes (bsc#1106214).
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Reload issue only if it is really needed (bsc#1085196)
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- blockdev: Do not fail --report on kpartx-style partitions on multipath. (bsc#1168235)
- nologin: Add support for -c to prevent error from su -c. (bsc#1151708)
- Avoid triggering autofs in lookup_umount_fs_by_statfs. (bsc#1168389)
- libblkid: Do not trigger CDROM autoclose. (bsc#1084671)
- Avoid sulogin failing on not existing or not functional console devices. (bsc#1175514)
- Build with libudev support to support non-root users. (bsc#1169006)
- lscpu: avoid segfault on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
- Fix for warning on mounts to CIFS with mount. (SG#57988, bsc#1174942)
ModerateSUSE bug 1081947SUSE bug 1082293SUSE bug 1084671SUSE bug 1085196SUSE bug 1106214SUSE bug 1122417SUSE bug 1125886SUSE bug 1135534SUSE bug 1135708SUSE bug 1151708SUSE bug 1168235SUSE bug 1168389SUSE bug 1169006SUSE bug 1174942SUSE bug 1175514SUSE bug 1175623SUSE bug 1178236SUSE bug 1178554SUSE bug 1178825SUSE bug 1188921CVE-2021-37600 at SUSECVE-2021-37600 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for strongswan (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for strongswan fixes the following issues:
- CVE-2021-41991: Fixed an integer overflow when replacing certificates in cache. (bsc#1191435)
ImportantSUSE bug 1191435CVE-2021-41991 at SUSECVE-2021-41991 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for postgresql10 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for postgresql10 fixes the following issues:
- Fix for build with llvm12 on s390x. (bsc#1185952)
- Re-enable 'icu' for PostgreSQL 10. (bsc#1179945)
- Add postgresqlXX-server-devel as a dependency for postgresql13-server-devel. (bsc#1187751)
- Upgrade to version 10.18. (bsc#1190177)
Upgrade to version 10.17 (already released for SUSE Linux Enterprise 12 SP5):
- CVE-2021-32027: Fixed integer overflows in array subscripting calculations (bsc#1185924).
- CVE-2021-32028: Fixed mishandling of junk columns in INSERT ... ON CONFLICT ... UPDATE target lists (bsc#1185925).
- Don't use %_stop_on_removal, because it was meant to be private and got removed from openSUSE. %_restart_on_update is also private, but still supported and needed for now (bsc#1183168).
- Re-enable build of the llvmjit subpackage on SLE, but it will only be delivered on PackageHub for now (bsc#1183118).
- Disable icu for PostgreSQL 10 (and older) on TW (bsc#1179945).
- Fixed an issue droping irregular warning messages by removing the package. (bsc#1178961)
- Fixed an issue when build does not build the requiements to avoid dangling symlinks in the devel package. (bsc#1179765)
- Fix recently-added timetz test case so it works when the USA is not observing daylight savings time.
ImportantSUSE bug 1178961SUSE bug 1179765SUSE bug 1179945SUSE bug 1183118SUSE bug 1183168SUSE bug 1185924SUSE bug 1185925SUSE bug 1185952SUSE bug 1187751SUSE bug 1190177CVE-2021-32027 at SUSECVE-2021-32027 at NVDCVE-2021-32028 at SUSECVE-2021-32028 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for opensc (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for opensc fixes the following issues:
- CVE-2021-42780: Fixed use after return in insert_pin() (bsc#1192005).
- CVE-2021-42779: Fixed use after free in sc_file_valid() (bsc#1191992).
- CVE-2021-42781: Fixed multiple heap buffer overflows in pkcs15-oberthur.c (bsc#1192000).
- CVE-2021-42782: Stack buffer overflow issues in various places (bsc#1191957).
ImportantSUSE bug 1191957SUSE bug 1191992SUSE bug 1192000SUSE bug 1192005CVE-2021-42779 at SUSECVE-2021-42779 at NVDCVE-2021-42780 at SUSECVE-2021-42780 at NVDCVE-2021-42781 at SUSECVE-2021-42781 at NVDCVE-2021-42782 at SUSECVE-2021-42782 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for transfig (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for transfig fixes the following issues:
Update to fig2dev version 3.2.8 Patchlevel 8b (Aug 2021)
- bsc#1190618, CVE-2020-21529: stack buffer overflow in the bezier_spline function in genepic.c.
- bsc#1190615, CVE-2020-21530: segmentation fault in the read_objects function in read.c.
- bsc#1190617, CVE-2020-21531: global buffer overflow in the conv_pattern_index function in gencgm.c.
- bsc#1190616, CVE-2020-21532: global buffer overflow in the setfigfont function in genepic.c.
- bsc#1190612, CVE-2020-21533: stack buffer overflow in the read_textobject function in read.c.
- bsc#1190611, CVE-2020-21534: global buffer overflow in the get_line function in read.c.
- bsc#1190607, CVE-2020-21535: segmentation fault in the gencgm_start function in gencgm.c.
- bsc#1192019, CVE-2021-32280: NULL pointer dereference in compute_closed_spline() in trans_spline.c
ImportantSUSE bug 1190607SUSE bug 1190611SUSE bug 1190612SUSE bug 1190615SUSE bug 1190616SUSE bug 1190617SUSE bug 1190618SUSE bug 1192019CVE-2020-21529 at SUSECVE-2020-21529 at NVDCVE-2020-21530 at SUSECVE-2020-21530 at NVDCVE-2020-21531 at SUSECVE-2020-21531 at NVDCVE-2020-21532 at SUSECVE-2020-21532 at NVDCVE-2020-21533 at SUSECVE-2020-21533 at NVDCVE-2020-21534 at SUSECVE-2020-21534 at NVDCVE-2020-21535 at SUSECVE-2020-21535 at NVDCVE-2021-32280 at SUSECVE-2021-32280 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for binutils (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for binutils fixes the following issues:
Update to binutils 2.37:
* The GNU Binutils sources now requires a C99 compiler and library to
build.
* Support for the arm-symbianelf format has been removed.
* Support for Realm Management Extension (RME) for AArch64 has been
added.
* A new linker option '-z report-relative-reloc' for x86 ELF targets
has been added to report dynamic relative relocations.
* A new linker option '-z start-stop-gc' has been added to disable
special treatment of __start_*/__stop_* references when
--gc-sections.
* A new linker options '-Bno-symbolic' has been added which will
cancel the '-Bsymbolic' and '-Bsymbolic-functions' options.
* The readelf tool has a new command line option which can be used to
specify how the numeric values of symbols are reported.
--sym-base=0|8|10|16 tells readelf to display the values in base 8,
base 10 or base 16. A sym base of 0 represents the default action
of displaying values under 10000 in base 10 and values above that in
base 16.
* A new format has been added to the nm program. Specifying
'--format=just-symbols' (or just using -j) will tell the program to
only display symbol names and nothing else.
* A new command line option '--keep-section-symbols' has been added to
objcopy and strip. This stops the removal of unused section symbols
when the file is copied. Removing these symbols saves space, but
sometimes they are needed by other tools.
* The '--weaken', '--weaken-symbol' and '--weaken-symbols' options
supported by objcopy now make undefined symbols weak on targets that
support weak symbols.
* Readelf and objdump can now display and use the contents of .debug_sup
sections.
* Readelf and objdump will now follow links to separate debug info
files by default. This behaviour can be stopped via the use of the
new '-wN' or '--debug-dump=no-follow-links' options for readelf and
the '-WN' or '--dwarf=no-follow-links' options for objdump. Also
the old behaviour can be restored by the use of the
'--enable-follow-debug-links=no' configure time option.
The semantics of the =follow-links option have also been slightly
changed. When enabled, the option allows for the loading of symbol
tables and string tables from the separate files which can be used
to enhance the information displayed when dumping other sections,
but it does not automatically imply that information from the
separate files should be displayed.
If other debug section display options are also enabled (eg
'--debug-dump=info') then the contents of matching sections in both
the main file and the separate debuginfo file *will* be displayed.
This is because in most cases the debug section will only be present
in one of the files.
If however non-debug section display options are enabled (eg
'--sections') then the contents of matching parts of the separate
debuginfo file will *not* be displayed. This is because in most
cases the user probably only wanted to load the symbol information
from the separate debuginfo file. In order to change this behaviour
a new command line option --process-links can be used. This will
allow di0pslay options to applied to both the main file and any
separate debuginfo files.
* Nm has a new command line option: '--quiet'. This suppresses 'no
symbols' diagnostic.
Update to binutils 2.36:
New features in the Assembler:
General:
* When setting the link order attribute of ELF sections, it is now
possible to use a numeric section index instead of symbol name.
* Added a .nop directive to generate a single no-op instruction in
a target neutral manner. This instruction does have an effect on
DWARF line number generation, if that is active.
* Removed --reduce-memory-overheads and --hash-size as gas now
uses hash tables that can be expand and shrink automatically.
X86/x86_64:
* Add support for AVX VNNI, HRESET, UINTR, TDX, AMX and Key
Locker instructions.
* Support non-absolute segment values for lcall and ljmp.
* Add {disp16} pseudo prefix to x86 assembler.
* Configure with --enable-x86-used-note by default for Linux/x86.
ARM/AArch64:
* Add support for Cortex-A78, Cortex-A78AE and Cortex-X1,
Cortex-R82, Neoverse V1, and Neoverse N2 cores.
* Add support for ETMv4 (Embedded Trace Macrocell), ETE (Embedded
Trace Extension), TRBE (Trace Buffer Extension), CSRE (Call
Stack Recorder Extension) and BRBE (Branch Record Buffer
Extension) system registers.
* Add support for Armv8-R and Armv8.7-A ISA extensions.
* Add support for DSB memory nXS barrier, WFET and WFIT
instruction for Armv8.7.
* Add support for +csre feature for -march. Add CSR PDEC
instruction for CSRE feature in AArch64.
* Add support for +flagm feature for -march in Armv8.4 AArch64.
* Add support for +ls64 feature for -march in Armv8.7
AArch64. Add atomic 64-byte load/store instructions for this
feature.
* Add support for +pauth (Pointer Authentication) feature for
-march in AArch64.
New features in the Linker:
* Add --error-handling-script=<NAME> command line option to allow
a helper script to be invoked when an undefined symbol or a
missing library is encountered. This option can be suppressed
via the configure time switch: --enable-error-handling-script=no.
* Add -z x86-64-{baseline|v[234]} to the x86 ELF linker to mark
x86-64-{baseline|v[234]} ISA level as needed.
* Add -z unique-symbol to avoid duplicated local symbol names.
* The creation of PE format DLLs now defaults to using a more
secure set of DLL characteristics.
* The linker now deduplicates the types in .ctf sections. The new
command-line option --ctf-share-types describes how to do this:
its default value, share-unconflicted, produces the most compact
output.
* The linker now omits the 'variable section' from .ctf sections
by default, saving space. This is almost certainly what you
want unless you are working on a project that has its own
analogue of symbol tables that are not reflected in the ELF
symtabs.
New features in other binary tools:
* The ar tool's previously unused l modifier is now used for
specifying dependencies of a static library. The arguments of
this option (or --record-libdeps long form option) will be
stored verbatim in the __.LIBDEP member of the archive, which
the linker may read at link time.
* Readelf can now display the contents of LTO symbol table
sections when asked to do so via the --lto-syms command line
option.
* Readelf now accepts the -C command line option to enable the
demangling of symbol names. In addition the --demangle=<style>,
--no-demangle, --recurse-limit and --no-recurse-limit options
are also now availale.
Update to binutils 2.35.1:
* This is a point release over the previous 2.35 version, containing bug
fixes, and as an exception to the usual rule, one new feature. The
new feature is the support for a new directive in the assembler:
'.nop'. This directive creates a single no-op instruction in whatever
encoding is correct for the target architecture. Unlike the .space or
.fill this is a real instruction, and it does affect the generation of
DWARF line number tables, should they be enabled.
Update to binutils 2.35:
* The assembler can now produce DWARF-5 format line number tables.
* Readelf now has a 'lint' mode to enable extra checks of the files it is processing.
* Readelf will now display '[...]' when it has to truncate a symbol name.
The old behaviour - of displaying as many characters as possible, up to
the 80 column limit - can be restored by the use of the --silent-truncation
option.
* The linker can now produce a dependency file listing the inputs that it
has processed, much like the -M -MP option supported by the compiler.
Update to binutils 2.34:
* The disassembler (objdump --disassemble) now has an option to
generate ascii art thats show the arcs between that start and end
points of control flow instructions.
* The binutils tools now have support for debuginfod. Debuginfod is a
HTTP service for distributing ELF/DWARF debugging information as
well as source code. The tools can now connect to debuginfod
servers in order to download debug information about the files that
they are processing.
* The assembler and linker now support the generation of ELF format
files for the Z80 architecture.
Update to binutils 2.33.1:
* Adds support for the Arm Scalable Vector Extension version 2
(SVE2) instructions, the Arm Transactional Memory Extension (TME)
instructions and the Armv8.1-M Mainline and M-profile Vector
Extension (MVE) instructions.
* Adds support for the Arm Cortex-A76AE, Cortex-A77 and Cortex-M35P
processors and the AArch64 Cortex-A34, Cortex-A65, Cortex-A65AE,
Cortex-A76AE, and Cortex-A77 processors.
* Adds a .float16 directive for both Arm and AArch64 to allow
encoding of 16-bit floating point literals.
* For MIPS, Add -m[no-]fix-loongson3-llsc option to fix (or not)
Loongson3 LLSC Errata. Add a --enable-mips-fix-loongson3-llsc=[yes|no]
configure time option to set the default behavior. Set the default
if the configure option is not used to 'no'.
* The Cortex-A53 Erratum 843419 workaround now supports a choice of
which workaround to use. The option --fix-cortex-a53-843419 now
takes an optional argument --fix-cortex-a53-843419[=full|adr|adrp]
which can be used to force a particular workaround to be used.
See --help for AArch64 for more details.
* Add support for GNU_PROPERTY_AARCH64_FEATURE_1_BTI and
GNU_PROPERTY_AARCH64_FEATURE_1_PAC in ELF GNU program properties
in the AArch64 ELF linker.
* Add -z force-bti for AArch64 to enable GNU_PROPERTY_AARCH64_FEATURE_1_BTI
on output while warning about missing GNU_PROPERTY_AARCH64_FEATURE_1_BTI
on inputs and use PLTs protected with BTI.
* Add -z pac-plt for AArch64 to pick PAC enabled PLTs.
* Add --source-comment[=<txt>] option to objdump which if present,
provides a prefix to source code lines displayed in a disassembly.
* Add --set-section-alignment <section-name>=<power-of-2-align>
option to objcopy to allow the changing of section alignments.
* Add --verilog-data-width option to objcopy for verilog targets to
control width of data elements in verilog hex format.
* The separate debug info file options of readelf (--debug-dump=links
and --debug-dump=follow) and objdump (--dwarf=links and
--dwarf=follow-links) will now display and/or follow multiple
links if more than one are present in a file. (This usually
happens when gcc's -gsplit-dwarf option is used).
In addition objdump's --dwarf=follow-links now also affects its
other display options, so that for example, when combined with
--syms it will cause the symbol tables in any linked debug info
files to also be displayed. In addition when combined with
--disassemble the --dwarf= follow-links option will ensure that
any symbol tables in the linked files are read and used when
disassembling code in the main file.
* Add support for dumping types encoded in the Compact Type Format
to objdump and readelf.
The following security fixes are addressed by the update:
- CVE-2021-20197: Fixed a race condition which allows users to own arbitrary files (bsc#1181452).
- CVE-2021-20284: Fixed a heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c (bsc#1183511).
- CVE-2021-3487: Fixed a denial of service via excessive debug section size causing excessive memory consumption in bfd's dwarf2.c read_section() (bsc#1184620).
- CVE-2020-35448: Fixed a heap-based buffer over-read in bfd_getl_signed_32() in libbfd.c (bsc#1184794).
- CVE-2020-16590: Fixed a double free vulnerability in process_symbol_table() (bsc#1179898).
- CVE-2020-16591: Fixed an invalid read in process_symbol_table() (bsc#1179899).
- CVE-2020-16592: Fixed an use-after-free in bfd_hash_lookup() (bsc#1179900).
- CVE-2020-16593: Fixed a null pointer dereference in scan_unit_for_symbols() (bsc#1179901).
- CVE-2020-16598: Fixed a null pointer dereference in debug_get_real_type() (bsc#1179902).
- CVE-2020-16599: Fixed a null pointer dereference in _bfd_elf_get_symbol_version_string() (bsc#1179903)
- CVE-2020-35493: Fixed heap-based buffer overflow in bfd_pef_parse_function_stubs function in bfd/pef.c via crafted PEF file (bsc#1180451).
- CVE-2020-35496: Fixed multiple null pointer dereferences in bfd module due to not checking return value of bfd_malloc (bsc#1180454).
- CVE-2020-35507: Fixed a null pointer dereference in bfd_pef_parse_function_stubs() (bsc#1180461).
- CVE-2019-17451: Fixed an integer overflow leading to a SEGV in _bfd_dwarf2_find_nearest_line() in dwarf2.c (bsc#1153768).
- CVE-2019-17450: Fixed a potential denial of service in find_abstract_instance() in dwarf2.c (bsc#1153770).
- CVE-2019-9077: Fixed a heap-based buffer overflow in process_mips_specific() in readelf.c via a malformed MIPS option section (bsc#1126826).
- CVE-2019-9075: Fixed a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap() in archive64.c (bsc#1126829).
- CVE-2019-9074: Fixed a out-of-bounds read leading to a SEGV in bfd_getl32() in libbfd.c (bsc#1126831).
- CVE-2019-12972: Fixed a heap-based buffer over-read in _bfd_doprnt() in bfd.c (bsc#1140126).
- CVE-2019-14444: Fixed an integer overflow apply_relocations() in readelf.c (bsc#1143609).
- CVE-2019-14250: Fixed an integer overflow in simple_object_elf_match() in simple-object-elf.c (bsc#1142649).
ModerateSUSE bug 1126826SUSE bug 1126829SUSE bug 1126831SUSE bug 1140126SUSE bug 1142649SUSE bug 1143609SUSE bug 1153768SUSE bug 1153770SUSE bug 1157755SUSE bug 1160254SUSE bug 1160590SUSE bug 1163333SUSE bug 1163744SUSE bug 1179036SUSE bug 1179341SUSE bug 1179898SUSE bug 1179899SUSE bug 1179900SUSE bug 1179901SUSE bug 1179902SUSE bug 1179903SUSE bug 1180451SUSE bug 1180454SUSE bug 1180461SUSE bug 1181452SUSE bug 1182252SUSE bug 1183511SUSE bug 1184620SUSE bug 1184794CVE-2019-12972 at SUSECVE-2019-12972 at NVDCVE-2019-14250 at SUSECVE-2019-14250 at NVDCVE-2019-14444 at SUSECVE-2019-14444 at NVDCVE-2019-17450 at SUSECVE-2019-17450 at NVDCVE-2019-17451 at SUSECVE-2019-17451 at NVDCVE-2019-9074 at SUSECVE-2019-9074 at NVDCVE-2019-9075 at SUSECVE-2019-9075 at NVDCVE-2019-9077 at SUSECVE-2019-9077 at NVDCVE-2020-16590 at SUSECVE-2020-16590 at NVDCVE-2020-16591 at SUSECVE-2020-16591 at NVDCVE-2020-16592 at SUSECVE-2020-16592 at NVDCVE-2020-16593 at SUSECVE-2020-16593 at NVDCVE-2020-16598 at SUSECVE-2020-16598 at NVDCVE-2020-16599 at SUSECVE-2020-16599 at NVDCVE-2020-35448 at SUSECVE-2020-35448 at NVDCVE-2020-35493 at SUSECVE-2020-35493 at NVDCVE-2020-35496 at SUSECVE-2020-35496 at NVDCVE-2020-35507 at SUSECVE-2020-35507 at NVDCVE-2021-20197 at SUSECVE-2021-20197 at NVDCVE-2021-20284 at SUSECVE-2021-20284 at NVDCVE-2021-3487 at SUSECVE-2021-3487 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for binutils (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for binutils fixes the following issues:
- For compatibility on old code stream that expect 'brcl 0,label' to
not be disassembled as 'jgnop label' on s390x. (bsc#1192267)
This reverts IBM zSeries HLASM support for now.
- Fixed that ppc64 optflags did not enable LTO (bsc#1188941).
- Fix empty man-pages from broken release tarball
- Fixed a memory corruption with rpath option (bsc#1191473).
- Fixed slow performance of stripping some binaries (bsc#1183909).
Security issue fixed:
- CVE-2021-20294: Fixed out-of-bounds write in print_dynamic_symbol in readelf (bnc#1184519)
ModerateSUSE bug 1183909SUSE bug 1184519SUSE bug 1188941SUSE bug 1191473SUSE bug 1192267CVE-2021-20294 at SUSECVE-2021-20294 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for pcre (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for pcre fixes the following issues:
Update pcre to version 8.45:
- CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
- CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973).
- CVE-2017-7244: Fixed invalid read in _pcre32_xclass() (bsc#1030807).
- CVE-2017-7245: Fixed buffer overflow in the pcre32_copy_substring (bsc#1030805).
- CVE-2017-7246: Fixed another buffer overflow in the pcre32_copy_substring (bsc#1030803).
- CVE-2017-7186: Fixed denial of service caused by an invalid Unicode property lookup (bsc#1030066).
- CVE-2017-6004: Fixed denial of service via crafted regular expression (bsc#1025709).
ModerateSUSE bug 1025709SUSE bug 1030066SUSE bug 1030803SUSE bug 1030805SUSE bug 1030807SUSE bug 1172973SUSE bug 1172974CVE-2017-6004 at SUSECVE-2017-6004 at NVDCVE-2017-7186 at SUSECVE-2017-7186 at NVDCVE-2017-7244 at SUSECVE-2017-7244 at NVDCVE-2017-7245 at SUSECVE-2017-7245 at NVDCVE-2017-7246 at SUSECVE-2017-7246 at NVDCVE-2019-20838 at SUSECVE-2019-20838 at NVDCVE-2020-14155 at SUSECVE-2020-14155 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for qemu (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for qemu fixes the following issues:
Security issues fixed:
- Fix out-of-bounds write in UAS (USB Attached SCSI) device emulation (bsc#1189702, CVE-2021-3713)
- Fix heap use-after-free in virtio_net_receive_rcu (bsc#1189938, CVE-2021-3748)
ImportantSUSE bug 1189702SUSE bug 1189938CVE-2021-3713 at SUSECVE-2021-3713 at NVDCVE-2021-3748 at SUSECVE-2021-3748 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
MozillaFirefox was updated to Extended Support Release 91.3.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-49 (bsc#1192250)
* CVE-2021-38503: iframe sandbox rules did not apply to XSLT stylesheets
* CVE-2021-38504: Use-after-free in file picker dialog
* CVE-2021-38505: Windows 10 Cloud Clipboard may have recorded sensitive user data
* CVE-2021-38506: Firefox could be coaxed into going into fullscreen mode without notification or warning
* CVE-2021-38507: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports
* CVE-2021-38508: Permission Prompt could be overlaid, resulting in user confusion and potential spoofing
* CVE-2021-38509: Javascript alert box could have been spoofed onto an arbitrary domain
* CVE-2021-38510: Download Protections were bypassed by .inetloc files on Mac OS
* MOZ-2021-0008: Use-after-free in HTTP2 Session object
* MOZ-2021-0007: Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3
ImportantSUSE bug 1192250CVE-2021-38503 at SUSECVE-2021-38503 at NVDCVE-2021-38504 at SUSECVE-2021-38504 at NVDCVE-2021-38505 at SUSECVE-2021-38505 at NVDCVE-2021-38506 at SUSECVE-2021-38506 at NVDCVE-2021-38507 at SUSECVE-2021-38507 at NVDCVE-2021-38508 at SUSECVE-2021-38508 at NVDCVE-2021-38509 at SUSECVE-2021-38509 at NVDCVE-2021-38510 at SUSECVE-2021-38510 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for samba (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for samba fixes the following issues:
- CVE-2016-2124: Fixed not to fallback to non spnego authentication if we require kerberos (bsc#1014440).
- CVE-2020-25717: Fixed privilege escalation inside an AD Domain where a user could become root on domain members (bsc#1192284).
ImportantSUSE bug 1014440SUSE bug 1192284CVE-2016-2124 at SUSECVE-2016-2124 at NVDCVE-2020-25717 at SUSECVE-2020-25717 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_135 fixes several issues.
The following security issues were fixed:
- CVE-2021-0935: Fixed use after free that could lead to local escalation of privilege in ip6_xmit of ip6_output.c (bsc#1192042).
- CVE-2021-3752: Fixed vulnerability in the linux kernel Bluetooth uaf module (bsc#1190432).
ImportantSUSE bug 1190432SUSE bug 1192042CVE-2021-0935 at SUSECVE-2021-0935 at NVDCVE-2021-3752 at SUSECVE-2021-3752 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_138 fixes several issues.
The following security issues were fixed:
- CVE-2021-0935: Fixed use after free that could lead to local escalation of privilege in ip6_xmit of ip6_output.c (bsc#1192042).
- CVE-2021-3752: Fixed vulnerability in the linux kernel Bluetooth uaf module (bsc#1190432).
ImportantSUSE bug 1190432SUSE bug 1192042CVE-2021-0935 at SUSECVE-2021-0935 at NVDCVE-2021-3752 at SUSECVE-2021-3752 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_141 fixes several issues.
The following security issues were fixed:
- CVE-2021-0935: Fixed use after free that could lead to local escalation of privilege in ip6_xmit of ip6_output.c (bsc#1192042).
- CVE-2021-3752: Fixed vulnerability in the linux kernel Bluetooth uaf module (bsc#1190432).
ImportantSUSE bug 1190432SUSE bug 1192042CVE-2021-0935 at SUSECVE-2021-0935 at NVDCVE-2021-3752 at SUSECVE-2021-3752 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_144 fixes several issues.
The following security issues were fixed:
- CVE-2021-0935: Fixed use after free that could lead to local escalation of privilege in ip6_xmit of ip6_output.c (bsc#1192042).
- CVE-2021-3752: Fixed vulnerability in the linux kernel Bluetooth uaf module (bsc#1190432).
ImportantSUSE bug 1190432SUSE bug 1192042CVE-2021-0935 at SUSECVE-2021-0935 at NVDCVE-2021-3752 at SUSECVE-2021-3752 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_147 fixes several issues.
The following security issues were fixed:
- CVE-2021-0935: Fixed use after free that could lead to local escalation of privilege in ip6_xmit of ip6_output.c (bsc#1192042).
- CVE-2021-3752: Fixed vulnerability in the linux kernel Bluetooth uaf module (bsc#1190432).
ImportantSUSE bug 1190432SUSE bug 1192042CVE-2021-0935 at SUSECVE-2021-0935 at NVDCVE-2021-3752 at SUSECVE-2021-3752 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for postgresql, postgresql13, postgresql14 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for postgresql, postgresql13 and postgresql14 fixes the following issues:
Security issues fixed:
- CVE-2021-23214: Make the server reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
- CVE-2021-23222: Make libpq reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
This update also ships postgresql14 to SUSE Linux Enterprise 12 SP5. (jsc#SLE-22673)
On older service packs only libpq5 and libecpg6 are being replaced by the postgresql14 variants.
Feature changes in postgresql14:
- https://www.postgresql.org/about/news/postgresql-14-released-2318/
- https://www.postgresql.org/docs/14/release-14.html
ImportantSUSE bug 1192516CVE-2021-23214 at SUSECVE-2021-23214 at NVDCVE-2021-23222 at SUSECVE-2021-23222 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for postgresql96 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for postgresql96 fixes the following issues:
- CVE-2021-23214: Make the server reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
- CVE-2021-23222: Make libpq reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
ImportantSUSE bug 1192516CVE-2021-23214 at SUSECVE-2021-23214 at NVDCVE-2021-23222 at SUSECVE-2021-23222 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for postgresql10 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for postgresql10 fixes the following issues:
- CVE-2021-23214: Make the server reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
- CVE-2021-23222: Make libpq reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
ImportantSUSE bug 1192516CVE-2021-23214 at SUSECVE-2021-23214 at NVDCVE-2021-23222 at SUSECVE-2021-23222 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for webkit2gtk3 fixes the following issues:
- CVE-2021-42762: Updated seccomp rules with latest changes from flatpak (bsc#1191937).
ImportantSUSE bug 1191937CVE-2021-42762 at SUSECVE-2021-42762 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_8_0-openjdk fixes the following issues:
Update to version OpenJDK 8u312 (October 2021 CPU):
- CVE-2021-35550: Fixed weak ciphers preferred over stronger ones for TLS (bsc#1191901).
- CVE-2021-35556: Fixed excessive memory allocation in RTFParser (bsc#1191910).
- CVE-2021-35559: Fixed excessive memory allocation in RTFReader (bsc#1191911).
- CVE-2021-35561: Fixed excessive memory allocation in HashMap and HashSet (bsc#1191912).
- CVE-2021-35564: Fixed certificates with end dates too far in the future can corrupt keystore (bsc#1191913).
- CVE-2021-35565: Fixed loop in HttpsServer triggered during TLS session close (bsc#1191909).
- CVE-2021-35567: Fixed incorrect principal selection when using Kerberos Constrained Delegation (bsc#1191903).
- CVE-2021-35578: Fixed unexpected exception raised during TLS handshake (bsc#1191904).
- CVE-2021-35586: Fixed excessive memory allocation in BMPImageReader (bsc#1191914).
- CVE-2021-35588: Fixed incomplete validation of inner class references in ClassFileParser (bsc#1191905)
- CVE-2021-35603: Fixed non-constant comparison during TLS handshakes (bsc#1191906).
ImportantSUSE bug 1191901SUSE bug 1191903SUSE bug 1191904SUSE bug 1191905SUSE bug 1191906SUSE bug 1191909SUSE bug 1191910SUSE bug 1191911SUSE bug 1191912SUSE bug 1191913SUSE bug 1191914CVE-2021-35550 at SUSECVE-2021-35550 at NVDCVE-2021-35556 at SUSECVE-2021-35556 at NVDCVE-2021-35559 at SUSECVE-2021-35559 at NVDCVE-2021-35561 at SUSECVE-2021-35561 at NVDCVE-2021-35564 at SUSECVE-2021-35564 at NVDCVE-2021-35565 at SUSECVE-2021-35565 at NVDCVE-2021-35567 at SUSECVE-2021-35567 at NVDCVE-2021-35578 at SUSECVE-2021-35578 at NVDCVE-2021-35586 at SUSECVE-2021-35586 at NVDCVE-2021-35588 at SUSECVE-2021-35588 at NVDCVE-2021-35603 at SUSECVE-2021-35603 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_7_0-openjdk fixes the following issues:
Update to OpenJDK 7u321 (October 2021 CPU):
- CVE-2021-35550: Fixed weak ciphers preferred over stronger ones for TLS (bsc#1191901).
- CVE-2021-35556: Fixed excessive memory allocation in RTFParser (bsc#1191910).
- CVE-2021-35559: Fixed excessive memory allocation in RTFReader (bsc#1191911).
- CVE-2021-35561: Fixed excessive memory allocation in HashMap and HashSet (bsc#1191912).
- CVE-2021-35564: Fixed certificates with end dates too far in the future can corrupt keystore (bsc#1191913).
- CVE-2021-35565: Fixed loop in HttpsServer triggered during TLS session close (bsc#1191909).
- CVE-2021-35586: Fixed excessive memory allocation in BMPImageReader (bsc#1191914).
- CVE-2021-35588: Fixed incomplete validation of inner class references in ClassFileParser (bsc#1191905)
- CVE-2021-35603: Fixed non-constant comparison during TLS handshakes (bsc#1191906).
ImportantSUSE bug 1191901SUSE bug 1191905SUSE bug 1191906SUSE bug 1191909SUSE bug 1191910SUSE bug 1191911SUSE bug 1191912SUSE bug 1191913SUSE bug 1191914CVE-2021-35550 at SUSECVE-2021-35550 at NVDCVE-2021-35556 at SUSECVE-2021-35556 at NVDCVE-2021-35559 at SUSECVE-2021-35559 at NVDCVE-2021-35561 at SUSECVE-2021-35561 at NVDCVE-2021-35564 at SUSECVE-2021-35564 at NVDCVE-2021-35565 at SUSECVE-2021-35565 at NVDCVE-2021-35586 at SUSECVE-2021-35586 at NVDCVE-2021-35588 at SUSECVE-2021-35588 at NVDCVE-2021-35603 at SUSECVE-2021-35603 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for ruby2.1 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for ruby2.1 fixes the following issues:
- CVE-2020-25613: Fixed potential HTTP request smuggling in WEBrick (bsc#1177125).
- CVE-2021-31799: Fixed Command injection vulnerability in RDoc (bsc#1190375).
- CVE-2021-31810: Fixed trusting FTP PASV responses vulnerability in Net:FTP (bsc#1188161).
- CVE-2021-32066: Fixed StartTLS stripping vulnerability in Net:IMAP (bsc#1188160).
ImportantSUSE bug 1177125SUSE bug 1188160SUSE bug 1188161SUSE bug 1190375CVE-2020-25613 at SUSECVE-2020-25613 at NVDCVE-2021-31799 at SUSECVE-2021-31799 at NVDCVE-2021-31810 at SUSECVE-2021-31810 at NVDCVE-2021-32066 at SUSECVE-2021-32066 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for xen (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for xen fixes the following issues:
- CVE-2021-28704, CVE-2021-28707, CVE-2021-28708: Fixed PoD operations on misaligned GFNs (XSA-388) (bsc#1192557).
- CVE-2021-28705, CVE-2021-28709: Fixed issues with partially successful P2M updates on x86 (XSA-389) (bsc#1192559).
- CVE-2021-28706: Fixed guests may exceed their designated memory limit (XSA-385) (bsc#1192554).
ModerateSUSE bug 1192554SUSE bug 1192557SUSE bug 1192559CVE-2021-28704 at SUSECVE-2021-28704 at NVDCVE-2021-28705 at SUSECVE-2021-28705 at NVDCVE-2021-28706 at SUSECVE-2021-28706 at NVDCVE-2021-28707 at SUSECVE-2021-28707 at NVDCVE-2021-28708 at SUSECVE-2021-28708 at NVDCVE-2021-28709 at SUSECVE-2021-28709 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for clamav (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for clamav fixes the following issues:
- CVE-2018-14679: Fixed off-by-one issue in embedded libmspack that could lead to denial of service (bsc#1103032).
- Update to 0.103.4 (bsc#1192346).
- Update to 0.103.3 (bsc#1188284).
ModerateSUSE bug 1103032SUSE bug 1188284SUSE bug 1192346CVE-2018-14679 at SUSECVE-2018-14679 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for webkit2gtk3 fixes the following issues:
- CVE-2021-30846: Fixed memory corruption issue that could lead to arbitrary code execution when processing maliciously crafted web content (bsc#1192063).
- CVE-2021-30851: Fixed memory corruption vulnerability that could lead to arbitrary code execution when processing maliciously crafted web content (bsc#1192063).
ImportantSUSE bug 1192063CVE-2021-30846 at SUSECVE-2021-30846 at NVDCVE-2021-30851 at SUSECVE-2021-30851 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
The SUSE Linux Enterprise 12 SP3 LTSS kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- Unprivileged BPF has been disabled by default to reduce attack surface as too many security issues have happened in the past (jsc#SLE-22573)
You can reenable via systemctl setting /proc/sys/kernel/unprivileged_bpf_disabled to 0. (kernel.unprivileged_bpf_disabled = 0)
- CVE-2021-31916: An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel A bound check failure allowed an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability (bnc#1192781).
- CVE-2021-20322: Make the ipv4 and ipv6 ICMP exception caches less predictive to avoid information leaks about UDP ports in use. (bsc#1191790)
- CVE-2021-34981: Fixed file refcounting in cmtp when cmtp_attach_device fails (bsc#1191961).
- CVE-2020-12655: An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c. Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka CID-d0c7feaf8767 (bnc#1171217).
- CVE-2021-43389: There was an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c (bnc#1191958).
- CVE-2021-37159: hso_free_net_device in drivers/net/usb/hso.c called unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free (bnc#1188601).
- CVE-2021-34556: An unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects the possibility of uninitialized memory locations on the BPF stack (bnc#1188983).
- CVE-2021-35477: An unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store operation did not necessarily occur before a store operation that has an attacker-controlled value (bnc#1188985).
- CVE-2017-17862: kernel/bpf/verifier.c in the Linux kernel ignores unreachable code, even though it would still be processed by JIT compilers. This behavior, also considered an improper branch-pruning logic issue, could possibly be used by local users for denial of service (bnc#1073928).
- CVE-2017-17864: kernel/bpf/verifier.c in the Linux kernel mishandled states_equal comparisons between the pointer data type and the UNKNOWN_VALUE data type, which allowed local users to obtain potentially sensitive address information, aka a 'pointer leak (bnc#1073928).
- CVE-2021-20265: A flaw was found in the way memory resources were freed in the unix_stream_recvmsg function in the Linux kernel when a signal was pending. This flaw allowed an unprivileged local user to crash the system by exhausting available memory. The highest threat from this vulnerability is to system availability (bnc#1183089).
- CVE-2021-3772: Fixed sctp vtag check in sctp_sf_ootb (bsc#1190351).
- CVE-2021-3655: Missing size validations on inbound SCTP packets may have allowed the kernel to read uninitialized memory (bnc#1188563).
- CVE-2018-13405: The inode_init_owner function in fs/inode.c in the Linux kernel allowed local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID (bnc#1100416 bnc#1129735).
- CVE-2021-3760: Fixed a use-after-free vulnerability with the ndev->rf_conn_info object (bsc#1190067).
- CVE-2021-42739: The firewire subsystem in the Linux kernel has a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandled bounds checking (bnc#1184673).
- CVE-2021-3542: Fixed heap buffer overflow in firedtv driver (bsc#1186063).
- CVE-2021-33033: The Linux kernel has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value (bnc#1186109 bnc#1186390 bnc#1188876).
- CVE-2020-14305: An out-of-bounds memory write flaw was found in how the Linux kernel’s Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allowed an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability (bnc#1173346).
- CVE-2021-3715: Fixed a use-after-free in route4_change() in net/sched/cls_route.c (bsc#1190349).
- CVE-2021-3896: Fixed a array-index-out-bounds in detach_capi_ctr in drivers/isdn/capi/kcapi.c (bsc#1191958).
- CVE-2021-42008: The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access (bnc#1191315).
- CVE-2020-3702: Specifically timed and handcrafted traffic can cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic (bnc#1191193).
- CVE-2021-3752: Fixed a use after free vulnerability in the Linux kernel's bluetooth module. (bsc#1190023)
- CVE-2021-40490: A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel (bnc#1190159 bnc#1192775)
- CVE-2021-3640: Fixed a Use-After-Free vulnerability in function sco_sock_sendmsg() in the bluetooth stack (bsc#1188172).
- CVE-2021-38160: Data corruption or loss could be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190117)
- CVE-2021-3753: Fixed race out-of-bounds in virtual terminal handling (bsc#1190025).
- CVE-2021-3732: Mounting overlayfs inside an unprivileged user namespace can reveal files (bsc#1189706).
- CVE-2021-3653: A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the 'int_ctl' field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7 (bnc#1189399 bnc#1189420).
- CVE-2021-38198: arch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault (bnc#1189262 bnc#1189278).
- CVE-2021-38204: drivers/usb/host/max3421-hcd.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain situations (bnc#1189291).
- CVE-2021-3679: A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service (bnc#1189057).
- CVE-2018-16882: A use-after-free issue was found in the way the Linux kernel's KVM hypervisor processed posted interrupts when nested(=1) virtualization is enabled. In nested_get_vmcs12_pages(), in case of an error while processing posted interrupt address, it unmaps the 'pi_desc_page' without resetting 'pi_desc' descriptor address, which is later used in pi_test_and_clear_on(). A guest user/process could use this flaw to crash the host kernel resulting in DoS or potentially gain privileged access to a system. Kernel versions and are vulnerable (bnc#1119934).
- CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1176724).
- CVE-2020-4788: IBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors could allow a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances. IBM X-Force ID: 189296 (bnc#1177666 bnc#1181158).
- CVE-2021-3659: Fixed a NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (bsc#1188876).
- CVE-2021-37576: arch/powerpc/kvm/book3s_rtas.c in the Linux kernel on the powerpc platform allowed KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e (bnc#1188838).
The following non-security bugs were fixed:
- PCI: hv: Use expected affinity when unmasking IRQ (bsc#1185973).
- SUNRPC: improve error response to over-size gss credential (bsc#1190022).
- Update config files: Add CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
- blacklist.conf: Drop a line that was added by mistake
- bpf: Add kconfig knob for disabling unpriv bpf by default (jsc#SLE-22918)
- bpf: Disallow unprivileged bpf by default (jsc#SLE-22918).
- bpf: properly enforce index mask to prevent out-of-bounds speculation (bsc#1098425).
- config: disable unprivileged BPF by default (jsc#SLE-22918)
- cpufreq: intel_pstate: Add Icelake servers support in no-HWP mode (bsc#1185758,bsc#1192400).
- ftrace: Fix scripts/recordmcount.pl due to new binutils (bsc#1192267).
- hv: mana: adjust mana_select_queue to old API (jsc#SLE-18779, bsc#1185727).
- hv: mana: declare vzalloc (jsc#SLE-18779, bsc#1185726).
- hv: mana: fake bitmap API (jsc#SLE-18779, bsc#1185726).
- hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185727).
- kABI: protect struct bpf_map (kabi).
- mm: replace open coded page to virt conversion with page_to_virt() (jsc#SLE-18779, bsc#1185727).
- net/mlx4_en: Avoid scheduling restart task if it is already running (bsc#1181854 bsc#1181855).
- net/mlx4_en: Handle TX error CQE (bsc#1181854 bsc#1181855).
- net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185727).
- net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185727).
- net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185727).
- net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185727).
- net: mana: Fix error handling in mana_create_rxq() (git-fixes, bsc#1191801).
- net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185727).
- net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185727).
- net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185727).
- net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185727).
- net: sched: sch_teql: fix null-pointer dereference (bsc#1190717).
- s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant (bsc#1190601).
- s390/bpf: Fix branch shortening during codegen pass (bsc#1190601).
- s390/bpf: Fix optimizing out zero-extensions (bsc#1190601).
- s390/bpf: Wrap JIT macro parameter usages in parentheses (bsc#1190601).
- s390: bpf: implement jitting of BPF_ALU | BPF_ARSH | BPF_* (bsc#1190601).
- scsi: sg: add sg_remove_request in sg_write (bsc#1171420 CVE2020-12770).
- sctp: check asoc peer.asconf_capable before processing asconf (bsc#1190351).
- sctp: fully initialize v4 addr in some functions (bsc#1188563).
- sctp: simplify addr copy (bsc#1188563).
- x86/CPU: Add more Icelake model numbers (bsc#1185758,bsc#1192400).
- x86/tlb: Flush global mappings when KAISER is disabled (bsc#1190194).
ImportantSUSE bug 1073928SUSE bug 1098425SUSE bug 1100416SUSE bug 1119934SUSE bug 1129735SUSE bug 1171217SUSE bug 1171420SUSE bug 1173346SUSE bug 1176724SUSE bug 1177666SUSE bug 1181158SUSE bug 1181854SUSE bug 1181855SUSE bug 1183089SUSE bug 1184673SUSE bug 1185726SUSE bug 1185727SUSE bug 1185758SUSE bug 1185973SUSE bug 1186109SUSE bug 1186390SUSE bug 1188172SUSE bug 1188563SUSE bug 1188601SUSE bug 1188838SUSE bug 1188876SUSE bug 1188983SUSE bug 1188985SUSE bug 1189057SUSE bug 1189262SUSE bug 1189278SUSE bug 1189291SUSE bug 1189399SUSE bug 1189420SUSE bug 1189706SUSE bug 1190022SUSE bug 1190023SUSE bug 1190025SUSE bug 1190067SUSE bug 1190117SUSE bug 1190159SUSE bug 1190194SUSE bug 1190349SUSE bug 1190351SUSE bug 1190601SUSE bug 1190717SUSE bug 1191193SUSE bug 1191315SUSE bug 1191790SUSE bug 1191801SUSE bug 1191958SUSE bug 1191961SUSE bug 1192267SUSE bug 1192400SUSE bug 1192775SUSE bug 1192781CVE-2017-17862 at SUSECVE-2017-17862 at NVDCVE-2017-17864 at SUSECVE-2017-17864 at NVDCVE-2018-13405 at SUSECVE-2018-13405 at NVDCVE-2018-16882 at SUSECVE-2018-16882 at NVDCVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2020-12655 at SUSECVE-2020-12655 at NVDCVE-2020-14305 at SUSECVE-2020-14305 at NVDCVE-2020-3702 at SUSECVE-2020-3702 at NVDCVE-2020-4788 at SUSECVE-2020-4788 at NVDCVE-2021-20265 at SUSECVE-2021-20265 at NVDCVE-2021-20322 at SUSECVE-2021-20322 at NVDCVE-2021-31916 at SUSECVE-2021-31916 at NVDCVE-2021-33033 at SUSECVE-2021-33033 at NVDCVE-2021-34556 at SUSECVE-2021-34556 at NVDCVE-2021-34981 at SUSECVE-2021-34981 at NVDCVE-2021-3542 at SUSECVE-2021-3542 at NVDCVE-2021-35477 at SUSECVE-2021-35477 at NVDCVE-2021-3640 at SUSECVE-2021-3640 at NVDCVE-2021-3653 at SUSECVE-2021-3653 at NVDCVE-2021-3655 at SUSECVE-2021-3655 at NVDCVE-2021-3659 at SUSECVE-2021-3659 at NVDCVE-2021-3679 at SUSECVE-2021-3679 at NVDCVE-2021-3715 at SUSECVE-2021-3715 at NVDCVE-2021-37159 at SUSECVE-2021-37159 at NVDCVE-2021-3732 at SUSECVE-2021-3732 at NVDCVE-2021-3752 at SUSECVE-2021-3752 at NVDCVE-2021-3753 at SUSECVE-2021-3753 at NVDCVE-2021-37576 at SUSECVE-2021-37576 at NVDCVE-2021-3760 at SUSECVE-2021-3760 at NVDCVE-2021-3772 at SUSECVE-2021-3772 at NVDCVE-2021-38160 at SUSECVE-2021-38160 at NVDCVE-2021-38198 at SUSECVE-2021-38198 at NVDCVE-2021-38204 at SUSECVE-2021-38204 at NVDCVE-2021-3896 at SUSECVE-2021-3896 at NVDCVE-2021-40490 at SUSECVE-2021-40490 at NVDCVE-2021-42008 at SUSECVE-2021-42008 at NVDCVE-2021-42739 at SUSECVE-2021-42739 at NVDCVE-2021-43389 at SUSECVE-2021-43389 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for mozilla-nss (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for mozilla-nss fixes the following issues:
Update to version 3.68.1:
- CVE-2021-43527: Fixed a Heap overflow in NSS when verifying DER-encoded DSA or RSA-PSS signatures (bsc#1193170).
ImportantSUSE bug 1193170CVE-2021-43527 at SUSECVE-2021-43527 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for openssh (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for openssh fixes the following issues:
- CVE-2021-41617: Fixed privilege escalation when AuthorizedKeysCommand/AuthorizedPrincipalsCommand are configured (bsc#1190975).
ImportantSUSE bug 1190975CVE-2021-41617 at SUSECVE-2021-41617 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
Update to Extended Support Release 91.4.0 (bsc#1193485):
- CVE-2021-43536: URL leakage when navigating while executing asynchronous function
- CVE-2021-43537: Heap buffer overflow when using structured clone
- CVE-2021-43538: Missing fullscreen and pointer lock notification when requesting both
- CVE-2021-43539: GC rooting failure when calling wasm instance methods
- CVE-2021-43541: External protocol handler parameters were unescaped
- CVE-2021-43542: XMLHttpRequest error codes could have leaked the existence of an external protocol handler
- CVE-2021-43543: Bypass of CSP sandbox directive when embedding
- CVE-2021-43545: Denial of Service when using the Location API in a loop
- CVE-2021-43546: Cursor spoofing could overlay user interface when native cursor is zoomed
- Memory safety bugs fixed in Firefox 95 and Firefox ESR 91.4
- Removed x-scheme-handler/ftp from MozillaFirefox.desktop (bsc#1193321)
ImportantSUSE bug 1193321SUSE bug 1193485CVE-2021-43536 at SUSECVE-2021-43536 at NVDCVE-2021-43537 at SUSECVE-2021-43537 at NVDCVE-2021-43538 at SUSECVE-2021-43538 at NVDCVE-2021-43539 at SUSECVE-2021-43539 at NVDCVE-2021-43541 at SUSECVE-2021-43541 at NVDCVE-2021-43542 at SUSECVE-2021-43542 at NVDCVE-2021-43543 at SUSECVE-2021-43543 at NVDCVE-2021-43545 at SUSECVE-2021-43545 at NVDCVE-2021-43546 at SUSECVE-2021-43546 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for glib-networking (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for glib-networking fixes the following issues:
- CVE-2020-13645: Fixed a connection failure when the server identity is unset (bsc#1172460).
ImportantSUSE bug 1172460CVE-2020-13645 at SUSECVE-2020-13645 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_135 fixes several issues.
The following security issues were fixed:
- CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180562).
- CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180030).
- CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180032.
- CVE-2020-29569: Fixed a use after free due to a logic error (bsc#1180008).
- CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bsc#1179877).
- CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179877).
ImportantSUSE bug 1179877SUSE bug 1180008SUSE bug 1180030SUSE bug 1180032SUSE bug 1180562CVE-2020-0465 at SUSECVE-2020-0465 at NVDCVE-2020-0466 at SUSECVE-2020-0466 at NVDCVE-2020-29569 at SUSECVE-2020-29569 at NVDCVE-2020-29660 at SUSECVE-2020-29660 at NVDCVE-2020-29661 at SUSECVE-2020-29661 at NVDCVE-2020-36158 at SUSECVE-2020-36158 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_130 fixes several issues.
The following security issues were fixed:
- CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180562).
- CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180030).
- CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180032.
- CVE-2020-29569: Fixed a use after free due to a logic error (bsc#1180008).
- CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bsc#1179877).
- CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179877).
ImportantSUSE bug 1179877SUSE bug 1180008SUSE bug 1180030SUSE bug 1180032SUSE bug 1180562CVE-2020-0465 at SUSECVE-2020-0465 at NVDCVE-2020-0466 at SUSECVE-2020-0466 at NVDCVE-2020-29569 at SUSECVE-2020-29569 at NVDCVE-2020-29660 at SUSECVE-2020-29660 at NVDCVE-2020-29661 at SUSECVE-2020-29661 at NVDCVE-2020-36158 at SUSECVE-2020-36158 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 41 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_150 fixes several issues.
The following security issues were fixed:
- CVE-2021-0935: In ip6_xmit of ip6_output.c, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. (bsc#1192032)
- CVE-2021-28688: The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains. (bsc#1183646)
ImportantSUSE bug 1182294SUSE bug 1192042CVE-2021-0935 at SUSECVE-2021-0935 at NVDCVE-2021-28688 at SUSECVE-2021-28688 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_147 fixes one issue.
The following security issue was fixed:
- CVE-2021-20322: Make the ipv4 and ipv6 ICMP exception caches less predictive to avoid information leaks about UDP ports in use. (bsc#1191790)
ImportantSUSE bug 1191813CVE-2021-20322 at SUSECVE-2021-20322 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_144 fixes one issue.
The following security issue was fixed:
- CVE-2021-20322: Make the ipv4 and ipv6 ICMP exception caches less predictive to avoid information leaks about UDP ports in use. (bsc#1191790)
ImportantSUSE bug 1191813CVE-2021-20322 at SUSECVE-2021-20322 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_141 fixes one issue.
The following security issue was fixed:
- CVE-2021-20322: Make the ipv4 and ipv6 ICMP exception caches less predictive to avoid information leaks about UDP ports in use. (bsc#1191790)
ImportantSUSE bug 1191813CVE-2021-20322 at SUSECVE-2021-20322 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_138 fixes one issue.
The following security issue was fixed:
- CVE-2021-20322: Make the ipv4 and ipv6 ICMP exception caches less predictive to avoid information leaks about UDP ports in use. (bsc#1191790)
ImportantSUSE bug 1191813CVE-2021-20322 at SUSECVE-2021-20322 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_127 fixes several issues.
The following security issues were fixed:
- CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180562).
- CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180030).
- CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180032.
- CVE-2020-29569: Fixed a use after free due to a logic error (bsc#1180008).
- CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bsc#1179877).
- CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179877).
ImportantSUSE bug 1179877SUSE bug 1180008SUSE bug 1180030SUSE bug 1180032SUSE bug 1180562CVE-2020-0465 at SUSECVE-2020-0465 at NVDCVE-2020-0466 at SUSECVE-2020-0466 at NVDCVE-2020-29569 at SUSECVE-2020-29569 at NVDCVE-2020-29660 at SUSECVE-2020-29660 at NVDCVE-2020-29661 at SUSECVE-2020-29661 at NVDCVE-2020-36158 at SUSECVE-2020-36158 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for xorg-x11-server fixes the following issues:
- CVE-2021-4008: Fixed Privilege Escalation Vulnerability via Out-Of-Bounds Access in SProcRenderCompositeGlyphs (bsc#1193030).
ImportantSUSE bug 1193030CVE-2021-4008 at SUSECVE-2021-4008 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_124 fixes several issues.
The following security issues were fixed:
- CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180562).
- CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180030).
- CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180032.
- CVE-2020-29569: Fixed a use after free due to a logic error (bsc#1180008).
- CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bsc#1179877).
- CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179877).
ImportantSUSE bug 1179877SUSE bug 1180008SUSE bug 1180030SUSE bug 1180032SUSE bug 1180562CVE-2020-0465 at SUSECVE-2020-0465 at NVDCVE-2020-0466 at SUSECVE-2020-0466 at NVDCVE-2020-29569 at SUSECVE-2020-29569 at NVDCVE-2020-29660 at SUSECVE-2020-29660 at NVDCVE-2020-29661 at SUSECVE-2020-29661 at NVDCVE-2020-36158 at SUSECVE-2020-36158 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_121 fixes several issues.
The following security issues were fixed:
- CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180562).
- CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180030).
- CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180032.
- CVE-2020-29569: Fixed a use after free due to a logic error (bsc#1180008).
- CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bsc#1179877).
- CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179877).
ImportantSUSE bug 1179877SUSE bug 1180008SUSE bug 1180030SUSE bug 1180032SUSE bug 1180562CVE-2020-0465 at SUSECVE-2020-0465 at NVDCVE-2020-0466 at SUSECVE-2020-0466 at NVDCVE-2020-29569 at SUSECVE-2020-29569 at NVDCVE-2020-29660 at SUSECVE-2020-29660 at NVDCVE-2020-29661 at SUSECVE-2020-29661 at NVDCVE-2020-36158 at SUSECVE-2020-36158 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_116 fixes several issues.
The following security issues were fixed:
- CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180562).
- CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180030).
- CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180032.
- CVE-2020-29569: Fixed a use after free due to a logic error (bsc#1180008).
- CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bsc#1179877).
- CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179877).
ImportantSUSE bug 1179877SUSE bug 1180008SUSE bug 1180030SUSE bug 1180032SUSE bug 1180562CVE-2020-0465 at SUSECVE-2020-0465 at NVDCVE-2020-0466 at SUSECVE-2020-0466 at NVDCVE-2020-29569 at SUSECVE-2020-29569 at NVDCVE-2020-29660 at SUSECVE-2020-29660 at NVDCVE-2020-29661 at SUSECVE-2020-29661 at NVDCVE-2020-36158 at SUSECVE-2020-36158 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for log4j (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for log4j fixes the following issue:
- CVE-2021-4104: Disable the JMSAppender class from log4j to protect against
the log4jshell vulnerability. [bsc#1193662]
ImportantSUSE bug 1193662CVE-2021-4104 at SUSECVE-2021-4104 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for xorg-x11-server fixes the following issues:
- CVE-2021-4009: The handler for the CreatePointerBarrier request of the XFixes
extension does not properly validate the request length leading to out of
bounds memory write. (bsc#1190487)
- CVE-2021-4011: The handlers for the RecordCreateContext and RecordRegisterClients
requests of the Record extension do not properly validate the request
length leading to out of bounds memory write. (bsc#1190489)
ImportantSUSE bug 1190487SUSE bug 1190489CVE-2021-4009 at SUSECVE-2021-4009 at NVDCVE-2021-4011 at SUSECVE-2021-4011 at NVDcpe:/o:suse:sles-espos:12:sp3Recommended update for samba (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for samba fixes the following issues:
The username map advice from the CVE-2020-25717 advisory
note has undesired side effects for the local nt token. Fallback
to a SID/UID based mapping if the name based lookup fails (bsc#1192849).
ImportantSUSE bug 1192849CVE-2020-25717 at SUSECVE-2020-25717 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for chrony (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for chrony fixes the following issues:
Chrony was updated to 4.1:
* Add support for NTS servers specified by IP address (matching
Subject Alternative Name in server certificate)
* Add source-specific configuration of trusted certificates
* Allow multiple files and directories with trusted certificates
* Allow multiple pairs of server keys and certificates
* Add copy option to server/pool directive
* Increase PPS lock limit to 40% of pulse interval
* Perform source selection immediately after loading dump files
* Reload dump files for addresses negotiated by NTS-KE server
* Update seccomp filter and add less restrictive level
* Restart ongoing name resolution on online command
* Fix dump files to not include uncorrected offset
* Fix initstepslew to accept time from own NTP clients
* Reset NTP address and port when no longer negotiated by NTS-KE
server
- Update clknetsim to snapshot f89702d.
- Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689).
- Enable syscallfilter unconditionally (bsc#1181826).
Chrony was updated to 4.0:
Enhancements
- Add support for Network Time Security (NTS) authentication
- Add support for AES-CMAC keys (AES128, AES256) with Nettle
- Add authselectmode directive to control selection of
unauthenticated sources
- Add binddevice, bindacqdevice, bindcmddevice directives
- Add confdir directive to better support fragmented
configuration
- Add sourcedir directive and 'reload sources' command to
support dynamic NTP sources specified in files
- Add clockprecision directive
- Add dscp directive to set Differentiated Services Code Point
(DSCP)
- Add -L option to limit log messages by severity
- Add -p option to print whole configuration with included
files
- Add -U option to allow start under non-root user
- Allow maxsamples to be set to 1 for faster update with -q/-Q
option
- Avoid replacing NTP sources with sources that have
unreachable address
- Improve pools to repeat name resolution to get 'maxsources'
sources
- Improve source selection with trusted sources
- Improve NTP loop test to prevent synchronisation to itself
- Repeat iburst when NTP source is switched from offline state
to online
- Update clock synchronisation status and leap status more
frequently
- Update seccomp filter
- Add 'add pool' command
- Add 'reset sources' command to drop all measurements
- Add authdata command to print details about NTP
authentication
- Add selectdata command to print details about source
selection
- Add -N option and sourcename command to print original names
of sources
- Add -a option to some commands to print also unresolved
sources
- Add -k, -p, -r options to clients command to select, limit,
reset data
- Bug fixes
- Don’t set interface for NTP responses to allow asymmetric
routing
- Handle RTCs that don’t support interrupts
- Respond to command requests with correct address on
multihomed hosts
- Removed features
- Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
- Drop support for long (non-standard) MACs in NTPv4 packets
(chrony 2.x clients using non-MD5/SHA1 keys need to use
option 'version 3')
- By default we don't write log files but log to journald, so
only recommend logrotate.
- Adjust and rename the sysconfig file, so that it matches the
expectations of chronyd.service (bsc#1173277).
Chrony was updated to 3.5.1:
* Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)
- Add chrony-pool-suse and chrony-pool-openSUSE subpackages that
preconfigure chrony to use NTP servers from the respective
pools for SUSE and openSUSE (bsc#1156884, SLE-11424).
- Add chrony-pool-empty to still allow installing chrony without
preconfigured servers.
- Use iburst in the default pool statements to speed up initial
synchronisation (bsc#1172113).
- Update clknetsim to version 79ffe44 (fixes bsc#1162964).
Update to 3.5:
+ Add support for more accurate reading of PHC on Linux 5.0
+ Add support for hardware timestamping on interfaces with read-only timestamping configuration
+ Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
+ Update seccomp filter to work on more architectures
+ Validate refclock driver options
+ Fix bindaddress directive on FreeBSD
+ Fix transposition of hardware RX timestamp on Linux 4.13 and later
+ Fix building on non-glibc systems
- Fix location of helper script in chrony-dnssrv@.service (bsc#1128846).
- Read runtime servers from /var/run/netconfig/chrony.servers (bsc#1099272)
- Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share.
- Remove discrepancies between spec file and chrony-tmpfiles (bsc#1115529)
Update to version 3.4
* Enhancements
+ Add filter option to server/pool/peer directive
+ Add minsamples and maxsamples options to hwtimestamp directive
+ Add support for faster frequency adjustments in Linux 4.19
+ Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd
without root privileges to remove it on exit
+ Disable sub-second polling intervals for distant NTP sources
+ Extend range of supported sub-second polling intervals
+ Get/set IPv4 destination/source address of NTP packets on FreeBSD
+ Make burst options and command useful with short polling intervals
+ Modify auto_offline option to activate when sending request failed
+ Respond from interface that received NTP request if possible
+ Add onoffline command to switch between online and offline state
according to current system network configuration
+ Improve example NetworkManager dispatcher script
* Bug fixes
+ Avoid waiting in Linux getrandom system call
+ Fix PPS support on FreeBSD and NetBSD
Update to version 3.3
* Enhancements:
+ Add burst option to server/pool directive
+ Add stratum and tai options to refclock directive
+ Add support for Nettle crypto library
+ Add workaround for missing kernel receive timestamps on Linux
+ Wait for late hardware transmit timestamps
+ Improve source selection with unreachable sources
+ Improve protection against replay attacks on symmetric mode
+ Allow PHC refclock to use socket in /var/run/chrony
+ Add shutdown command to stop chronyd
+ Simplify format of response to manual list command
+ Improve handling of unknown responses in chronyc
* Bug fixes:
+ Respond to NTPv1 client requests with zero mode
+ Fix -x option to not require CAP_SYS_TIME under non-root user
+ Fix acquisitionport directive to work with privilege separation
+ Fix handling of socket errors on Linux to avoid high CPU usage
+ Fix chronyc to not get stuck in infinite loop after clock step
- Added /etc/chrony.d/ directory to the package (bsc#1083597) Modifed default chrony.conf to add 'include /etc/chrony.d/*'
- Enable pps support
Upgraded to version 3.2:
Enhancements
* Improve stability with NTP sources and reference clocks
* Improve stability with hardware timestamping
* Improve support for NTP interleaved modes
* Control frequency of system clock on macOS 10.13 and later
* Set TAI-UTC offset of system clock with leapsectz directive
* Minimise data in client requests to improve privacy
* Allow transmit-only hardware timestamping
* Add support for new timestamping options introduced in Linux 4.13
* Add root delay, root dispersion and maximum error to tracking log
* Add mindelay and asymmetry options to server/peer/pool directive
* Add extpps option to PHC refclock to timestamp external PPS signal
* Add pps option to refclock directive to treat any refclock as PPS
* Add width option to refclock directive to filter wrong pulse edges
* Add rxfilter option to hwtimestamp directive
* Add -x option to disable control of system clock
* Add -l option to log to specified file instead of syslog
* Allow multiple command-line options to be specified together
* Allow starting without root privileges with -Q option
* Update seccomp filter for new glibc versions
* Dump history on exit by default with dumpdir directive
* Use hardening compiler options by default
Bug fixes
* Don't drop PHC samples with low-resolution system clock
* Ignore outliers in PHC tracking, RTC tracking, manual input
* Increase polling interval when peer is not responding
* Exit with error message when include directive fails
* Don't allow slash after hostname in allow/deny directive/command
* Try to connect to all addresses in chronyc before giving up
Upgraded to version 3.1:
- Enhancements
- Add support for precise cross timestamping of PHC on Linux
- Add minpoll, precision, nocrossts options to hwtimestamp directive
- Add rawmeasurements option to log directive and modify measurements
option to log only valid measurements from synchronised sources
- Allow sub-second polling interval with NTP sources
- Bug fixes
- Fix time smoothing in interleaved mode
Upgraded to version 3.0:
- Enhancements
- Add support for software and hardware timestamping on Linux
- Add support for client/server and symmetric interleaved modes
- Add support for MS-SNTP authentication in Samba
- Add support for truncated MACs in NTPv4 packets
- Estimate and correct for asymmetric network jitter
- Increase default minsamples and polltarget to improve stability with very low jitter
- Add maxjitter directive to limit source selection by jitter
- Add offset option to server/pool/peer directive
- Add maxlockage option to refclock directive
- Add -t option to chronyd to exit after specified time
- Add partial protection against replay attacks on symmetric mode
- Don't reset polling interval when switching sources to online state
- Allow rate limiting with very short intervals
- Improve maximum server throughput on Linux and NetBSD
- Remove dump files after start
- Add tab-completion to chronyc with libedit/readline
- Add ntpdata command to print details about NTP measurements
- Allow all source options to be set in add server/peer command
- Indicate truncated addresses/hostnames in chronyc output
- Print reference IDs as hexadecimal numbers to avoid confusion with IPv4 addresses
- Bug fixes
- Fix crash with disabled asynchronous name resolving
Upgraded to version 2.4.1:
- Bug fixes
- Fix processing of kernel timestamps on non-Linux systems
- Fix crash with smoothtime directive
- Fix validation of refclock sample times
- Fix parsing of refclock directive
update to 2.4:
- Enhancements
- Add orphan option to local directive for orphan mode
compatible with ntpd
- Add distance option to local directive to set activation
threshold (1 second by default)
- Add maxdrift directive to set maximum allowed drift of system
clock
- Try to replace NTP sources exceeding maximum distance
- Randomise source replacement to avoid getting stuck with bad
sources
- Randomise selection of sources from pools on start
- Ignore reference timestamp as ntpd doesn't always set it
correctly
- Modify tracking report to use same values as seen by NTP
clients
- Add -c option to chronyc to write reports in CSV format
- Provide detailed manual pages
- Bug fixes
- Fix SOCK refclock to work correctly when not specified as
last refclock
- Fix initstepslew and -q/-Q options to accept time from own
NTP clients
- Fix authentication with keys using 512-bit hash functions
- Fix crash on exit when multiple signals are received
- Fix conversion of very small floating-point numbers in
command packets
ModerateSUSE bug 1063704SUSE bug 1069468SUSE bug 1082318SUSE bug 1083597SUSE bug 1099272SUSE bug 1115529SUSE bug 1128846SUSE bug 1156884SUSE bug 1159840SUSE bug 1161119SUSE bug 1162964SUSE bug 1171806SUSE bug 1172113SUSE bug 1173277SUSE bug 1173760SUSE bug 1174075SUSE bug 1174911SUSE bug 1180689SUSE bug 1181826SUSE bug 1183783SUSE bug 1184400SUSE bug 1187906SUSE bug 1190926CVE-2020-14367 at SUSECVE-2020-14367 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for python (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for python fixes the following issues:
- buffer overflow in PyCArg_repr in _ctypes/callproc.c,
which may lead to remote code execution (bsc#1181126, CVE-2021-3177).
- Provide the newest setuptools wheel (bsc#1176262,
CVE-2019-20916) in their correct form (bsc#1180686).
ImportantSUSE bug 1176262SUSE bug 1180686SUSE bug 1181126CVE-2019-20916 at SUSECVE-2019-20916 at NVDCVE-2021-3177 at SUSECVE-2021-3177 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for openvswitch (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for openvswitch fixes the following issues:
- CVE-2020-35498: Fixed a denial of service related to the handling of Ethernet padding (bsc#1181742).
ImportantSUSE bug 1181742CVE-2020-35498 at SUSECVE-2020-35498 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).
- CVE-2020-25211: Fixed a buffer overflow in ctnetlink_parse_tuple_filter() which could be triggered by a local attackers by injecting conntrack netlink configuration (bnc#1176395).
- CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).
- CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).
- CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).
- CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).
- CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).
- CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).
- CVE-2020-4788: Fixed an issue with IBM Power9 processors could have allowed a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances (bsc#1177666).
- CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c which could have allowed local users to gain privileges or cause a denial of service (bsc#1179141).
- CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).
- CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).
- CVE-2020-27786: Fixed an out-of-bounds write in the MIDI implementation (bnc#1179601).
- CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).
- CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).
- CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).
- CVE-2020-28974: Fixed a slab-out-of-bounds read in fbcon which could have been used by local attackers to read privileged information or potentially crash the kernel (bsc#1178589).
- CVE-2020-28915: Fixed a buffer over-read in the fbcon code which could have been used by local attackers to read kernel memory (bsc#1178886).
- CVE-2020-25669: Fixed a use-after-free read in sunkbd_reinit() (bsc#1178182).
- CVE-2020-15437: Fixed a null pointer dereference which could have allowed local users to cause a denial of service(bsc#1179140).
- CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).
- CVE-2020-11668: Fixed the mishandling of invalid descriptors in the Xirlink camera USB driver (bnc#1168952).
- CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485).
- CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed (bsc#1179663).
- CVE-2018-10902: It was found that the raw midi kernel driver did not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation (bnc#1105322).
The following non-security bugs were fixed:
- cifs: do not revalidate mountpoint dentries (bsc#1177440).
- cifs: fix potential use-after-free in cifs_echo_request() (bsc#1139944).
- cifs: ignore revalidate failures in case of process gets signaled (bsc#1177440).
- epoll: Keep a reference on files added to the check list (bsc#1180031).
- fix regression in 'epoll: Keep a reference on files added to the check list' (bsc#1180031, git-fixes).
- futex: Avoid freeing an active timer (bsc#969755).
- futex: Avoid violating the 10th rule of futex (bsc#969755).
- futex: Change locking rules (bsc#969755).
- futex: Do not enable IRQs unconditionally in put_pi_state() (bsc#969755).
- futex: Drop hb->lock before enqueueing on the rtmutex (bsc#969755).
- futex: Fix incorrect should_fail_futex() handling (bsc#969755).
- futex: Fix more put_pi_state() vs. exit_pi_state_list() races (bsc#969755).
- futex: Fix OWNER_DEAD fixup (bsc#969755).
- futex: Fix pi_state->owner serialization (bsc#969755).
- futex: Fix small (and harmless looking) inconsistencies (bsc#969755).
- futex: Futex_unlock_pi() determinism (bsc#969755).
- futex: Handle early deadlock return correctly (bsc#969755).
- futex: Handle transient 'ownerless' rtmutex state correctly (bsc#969755).
- futex: Pull rt_mutex_futex_unlock() out from under hb->lock (bsc#969755).
- futex: Rework futex_lock_pi() to use rt_mutex_*_proxy_lock() (bsc#969755).
- futex: Rework inconsistent rt_mutex/futex_q state (bsc#969755).
- futex,rt_mutex: Fix rt_mutex_cleanup_proxy_lock() (bsc#969755).
- futex,rt_mutex: Introduce rt_mutex_init_waiter() (bsc#969755).
- futex,rt_mutex: Provide futex specific rt_mutex API (bsc#969755).
- futex,rt_mutex: Restructure rt_mutex_finish_proxy_lock() (bsc#969755).
- HID: Fix slab-out-of-bounds read in hid_field_extract (bsc#1180052).
- IB/hfi1: Clean up hfi1_user_exp_rcv_setup function (bsc#1179878).
- IB/hfi1: Clean up pin_vector_pages() function (bsc#1179878).
- IB/hfi1: Fix the bail out code in pin_vector_pages() function (bsc#1179878).
- IB/hfi1: Move structure definitions from user_exp_rcv.c to user_exp_rcv.h (bsc#1179878).
- IB/hfi1: Name function prototype parameters (bsc#1179878).
- IB/hfi1: Use filedata rather than filepointer (bsc#1179878).
- locking/futex: Allow low-level atomic operations to return -EAGAIN (bsc#969755).
- mm/userfaultfd: do not access vma->vm_mm after calling handle_userfault() (bsc#1179204).
- scsi: iscsi: Fix a potential deadlock in the timeout handler (bsc#1178272).
- Use r3 instead of r13 for l1d fallback flush in do_uaccess_fush (bsc#1181096 ltc#190883).
- video: hyperv_fb: include vmalloc.h (bsc#1175306).
ImportantSUSE bug 1105322SUSE bug 1105323SUSE bug 1139944SUSE bug 1168952SUSE bug 1173942SUSE bug 1175306SUSE bug 1176395SUSE bug 1176485SUSE bug 1177440SUSE bug 1177666SUSE bug 1178182SUSE bug 1178272SUSE bug 1178589SUSE bug 1178886SUSE bug 1179107SUSE bug 1179140SUSE bug 1179141SUSE bug 1179204SUSE bug 1179419SUSE bug 1179508SUSE bug 1179509SUSE bug 1179601SUSE bug 1179616SUSE bug 1179663SUSE bug 1179666SUSE bug 1179745SUSE bug 1179877SUSE bug 1179878SUSE bug 1179960SUSE bug 1179961SUSE bug 1180008SUSE bug 1180027SUSE bug 1180028SUSE bug 1180029SUSE bug 1180030SUSE bug 1180031SUSE bug 1180032SUSE bug 1180052SUSE bug 1180086SUSE bug 1180559SUSE bug 1180562SUSE bug 1180815SUSE bug 1181096SUSE bug 1181158SUSE bug 1181349SUSE bug 1181553SUSE bug 969755CVE-2018-10902 at SUSECVE-2018-10902 at NVDCVE-2019-20934 at SUSECVE-2019-20934 at NVDCVE-2020-0444 at SUSECVE-2020-0444 at NVDCVE-2020-0465 at SUSECVE-2020-0465 at NVDCVE-2020-0466 at SUSECVE-2020-0466 at NVDCVE-2020-11668 at SUSECVE-2020-11668 at NVDCVE-2020-15436 at SUSECVE-2020-15436 at NVDCVE-2020-15437 at SUSECVE-2020-15437 at NVDCVE-2020-25211 at SUSECVE-2020-25211 at NVDCVE-2020-25285 at SUSECVE-2020-25285 at NVDCVE-2020-25669 at SUSECVE-2020-25669 at NVDCVE-2020-27068 at SUSECVE-2020-27068 at NVDCVE-2020-27777 at SUSECVE-2020-27777 at NVDCVE-2020-27786 at SUSECVE-2020-27786 at NVDCVE-2020-27825 at SUSECVE-2020-27825 at NVDCVE-2020-27835 at SUSECVE-2020-27835 at NVDCVE-2020-28915 at SUSECVE-2020-28915 at NVDCVE-2020-28974 at SUSECVE-2020-28974 at NVDCVE-2020-29568 at SUSECVE-2020-29568 at NVDCVE-2020-29569 at SUSECVE-2020-29569 at NVDCVE-2020-29660 at SUSECVE-2020-29660 at NVDCVE-2020-29661 at SUSECVE-2020-29661 at NVDCVE-2020-36158 at SUSECVE-2020-36158 at NVDCVE-2020-4788 at SUSECVE-2020-4788 at NVDCVE-2021-3347 at SUSECVE-2021-3347 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for wpa_supplicant (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for wpa_supplicant fixes the following issues:
- CVE-2021-0326: P2P group information processing vulnerability (bsc#1181777).
- CVE-2019-16275: AP mode PMF disconnection protection bypass (bsc#1150934)
ImportantSUSE bug 1150934SUSE bug 1181777CVE-2019-16275 at SUSECVE-2019-16275 at NVDCVE-2021-0326 at SUSECVE-2021-0326 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for jasper (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for jasper fixes the following issues:
- bsc#1179748 CVE-2020-27828: Fix heap overflow by checking maxrlvls
- bsc#1181483 CVE-2021-3272: Fix buffer over-read in jp2_decode
ImportantSUSE bug 1179748SUSE bug 1181483CVE-2020-27828 at SUSECVE-2020-27828 at NVDCVE-2021-3272 at SUSECVE-2021-3272 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for screen (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for screen fixes the following issues:
- CVE-2021-26937: Fixed double width combining char handling that could lead to a denial of service or code execution (bsc#1182092).
ImportantSUSE bug 1182092CVE-2021-26937 at SUSECVE-2021-26937 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for bind (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for bind fixes the following issues:
- CVE-2020-8625: A vulnerability in BIND's GSSAPI security policy
negotiation can be targeted by a buffer overflow attack [bsc#1182246, CVE-2020-8625]
ImportantSUSE bug 1182246CVE-2020-8625 at SUSECVE-2020-8625 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_7_1-ibm fixes the following issues:
- Update to Java 7.1 Service Refresh 4 Fix Pack 80
[bsc#1182186, bsc#1181239, CVE-2020-27221, CVE-2020-14803]
* CVE-2020-27221: Potential for a stack-based buffer overflow
when the virtual machine or JNI natives are converting from
UTF-8 characters to platform encoding.
* CVE-2020-14803: Unauthenticated attacker with network access
via multiple protocols allows to compromise Java SE.
ImportantSUSE bug 1181239SUSE bug 1182186CVE-2020-14803 at SUSECVE-2020-14803 at NVDCVE-2020-27221 at SUSECVE-2020-27221 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for krb5-appl (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for krb5-appl fixes the following issues:
- CVE-2019-25017: Check the filenames sent by the server match those requested by the client (bsc#1131109).
- CVE-2019-25018: Disallow empty incoming filename or ones that refer to the current directory (bsc#1131109).
ImportantSUSE bug 1131109CVE-2019-25017 at SUSECVE-2019-25017 at NVDCVE-2019-25018 at SUSECVE-2019-25018 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_8_0-openjdk (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_8_0-openjdk fixes the following issues:
- Update to version jdk8u282 (icedtea 3.18.0)
* January 2021 CPU (bsc#1181239)
* Security fixes
+ JDK-8247619: Improve Direct Buffering of Characters (CVE-2020-14803)
* Import of OpenJDK 8 u282 build 01
+ JDK-6962725: Regtest javax/swing/JFileChooser/6738668/
/bug6738668.java fails under Linux
+ JDK-8025936: Windows .pdb and .map files does not have proper
dependencies setup
+ JDK-8030350: Enable additional compiler warnings for GCC
+ JDK-8031423: Test java/awt/dnd/DisposeFrameOnDragCrash/
/DisposeFrameOnDragTest.java fails by Timeout on Windows
+ JDK-8036122: Fix warning 'format not a string literal'
+ JDK-8051853: new
URI('x/').resolve('..').getSchemeSpecificPart() returns null!
+ JDK-8132664: closed/javax/swing/DataTransfer/DefaultNoDrop/
/DefaultNoDrop.java locks on Windows
+ JDK-8134632: Mark javax/sound/midi/Devices/
/InitializationHang.java as headful
+ JDK-8148854: Class names 'SomeClass' and 'LSomeClass;'
treated by JVM as an equivalent
+ JDK-8148916: Mark bug6400879.java as intermittently failing
+ JDK-8148983: Fix extra comma in changes for JDK-8148916
+ JDK-8160438: javax/swing/plaf/nimbus/8057791/bug8057791.java
fails
+ JDK-8165808: Add release barriers when allocating objects
with concurrent collection
+ JDK-8185003: JMX: Add a version of
ThreadMXBean.dumpAllThreads with a maxDepth argument
+ JDK-8202076: test/jdk/java/io/File/WinSpecialFiles.java on
windows with VS2017
+ JDK-8207766: [testbug] Adapt tests for Aix.
+ JDK-8212070: Introduce diagnostic flag to abort VM on failed
JIT compilation
+ JDK-8213448: [TESTBUG] enhance jfr/jvm/TestDumpOnCrash
+ JDK-8215727: Restore JFR thread sampler loop to old /
previous behavior
+ JDK-8220657: JFR.dump does not work when filename is set
+ JDK-8221342: [TESTBUG] Generate Dockerfile for docker testing
+ JDK-8224502: [TESTBUG] JDK docker test TestSystemMetrics.java
fails with access issues and OOM
+ JDK-8231209: [REDO] ThreadMXBean::getThreadAllocatedBytes()
can be quicker for self thread
+ JDK-8231968: getCurrentThreadAllocatedBytes default
implementation s/b getThreadAllocatedBytes
+ JDK-8232114: JVM crashed at imjpapi.dll in native code
+ JDK-8234270: [REDO] JDK-8204128 NMT might report incorrect
numbers for Compiler area
+ JDK-8234339: replace JLI_StrTok in java_md_solinux.c
+ JDK-8238448: RSASSA-PSS signature verification fail when
using certain odd key sizes
+ JDK-8242335: Additional Tests for RSASSA-PSS
+ JDK-8244225: stringop-overflow warning on strncpy call from
compile_the_world_in
+ JDK-8245400: Upgrade to LittleCMS 2.11
+ JDK-8248214: Add paddings for TaskQueueSuper to reduce
false-sharing cache contention
+ JDK-8249176: Update GlobalSignR6CA test certificates
+ JDK-8250665: Wrong translation for the month name of May in
ar_JO,LB,SY
+ JDK-8250928: JFR: Improve hash algorithm for stack traces
+ JDK-8251469: Better cleanup for
test/jdk/javax/imageio/SetOutput.java
+ JDK-8251840: Java_sun_awt_X11_XToolkit_getDefaultScreenData
should not be in make/mapfiles/libawt_xawt/mapfile-vers
+ JDK-8252384: [TESTBUG] Some tests refer to COMPAT provider
rather than JRE
+ JDK-8252395: [8u] --with-native-debug-symbols=external
doesn't include debuginfo files for binaries
+ JDK-8252497: Incorrect numeric currency code for ROL
+ JDK-8252754: Hash code calculation of JfrStackTrace is
inconsistent
+ JDK-8252904: VM crashes when JFR is used and JFR event class
is transformed
+ JDK-8252975: [8u] JDK-8252395 breaks the build for
--with-native-debug-symbols=internal
+ JDK-8253284: Zero OrderAccess barrier mappings are incorrect
+ JDK-8253550: [8u] JDK-8252395 breaks the build for make
STRIP_POLICY=no_strip
+ JDK-8253752: test/sun/management/jmxremote/bootstrap/
/RmiBootstrapTest.java fails randomly
+ JDK-8254081: java/security/cert/PolicyNode/
/GetPolicyQualifiers.java fails due to an expired certificate
+ JDK-8254144: Non-x86 Zero builds fail with return-type
warning in os_linux_zero.cpp
+ JDK-8254166: Zero: return-type warning in
zeroInterpreter_zero.cpp
+ JDK-8254683: [TEST_BUG] jdk/test/sun/tools/jconsole/
/WorkerDeadlockTest.java fails
+ JDK-8255003: Build failures on Solaris
ModerateSUSE bug 1181239CVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 6 Fix Pack 25
[bsc#1182186, bsc#1181239, CVE-2020-27221, CVE-2020-14803]
* CVE-2020-27221: Potential for a stack-based buffer overflow
when the virtual machine or JNI natives are converting from
UTF-8 characters to platform encoding.
* CVE-2020-14803: Unauthenticated attacker with network access
via multiple protocols allows to compromise Java SE.
ImportantSUSE bug 1181239SUSE bug 1182186CVE-2020-14803 at SUSECVE-2020-14803 at NVDCVE-2020-27221 at SUSECVE-2020-27221 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for perl-XML-Twig (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for perl-XML-Twig fixes the following issues:
- Security fix [bsc#1008644, CVE-2016-9180]
* Added: the no_xxe option to XML::Twig::new, which causes the
parse to fail if external entities are used (to prevent
malicious XML to access the filesystem).
* Setting expand_external_ents to 0 or -1 currently doesn't work
as expected; To completely turn off expanding external entities
use no_xxe.
* Update documentation for XML::Twig to mention problems with
expand_external_ents and add information about new no_xxe argument
ModerateSUSE bug 1008644CVE-2016-9180 at SUSECVE-2016-9180 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.8.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-08 (bsc#1182614)
* CVE-2021-23969: Content Security Policy violation report could have contained the destination of a redirect
* CVE-2021-23968: Content Security Policy violation report could have contained the destination of a redirect
* CVE-2021-23973: MediaError message property could have leaked information about cross-origin resources
* CVE-2021-23978: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8
ImportantSUSE bug 1182357SUSE bug 1182614CVE-2021-23968 at SUSECVE-2021-23968 at NVDCVE-2021-23969 at SUSECVE-2021-23969 at NVDCVE-2021-23973 at SUSECVE-2021-23973 at NVDCVE-2021-23978 at SUSECVE-2021-23978 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for python-cryptography (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for python-cryptography fixes the following issues:
- CVE-2020-36242: Using the Fernet class to symmetrically encrypt multi gigabyte
values could result in an integer overflow and buffer overflow (bsc#1182066).
ImportantSUSE bug 1182066CVE-2020-36242 at SUSECVE-2020-36242 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for grub2 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for grub2 fixes the following issues:
grub2 now implements the new 'SBAT' method for SHIM based secure boot revocation. (bsc#1182057)
Following security issues are fixed that can violate secure boot constraints:
- CVE-2020-25632: Fixed a use-after-free in rmmod command (bsc#1176711)
- CVE-2020-25647: Fixed an out-of-bound write in grub_usb_device_initialize() (bsc#1177883)
- CVE-2020-27749: Fixed a stack buffer overflow in grub_parser_split_cmdline (bsc#1179264)
- CVE-2020-27779, CVE-2020-14372: Disallow cutmem and acpi commands in secure boot mode (bsc#1179265 bsc#1175970)
- CVE-2021-20225: Fixed a heap out-of-bounds write in short form option parser (bsc#1182262)
- CVE-2021-20233: Fixed a heap out-of-bound write due to mis-calculation of space required for quoting (bsc#1182263)
ImportantSUSE bug 1175970SUSE bug 1176711SUSE bug 1177883SUSE bug 1179264SUSE bug 1179265SUSE bug 1182057SUSE bug 1182262SUSE bug 1182263CVE-2020-14372 at SUSECVE-2020-14372 at NVDCVE-2020-25632 at SUSECVE-2020-25632 at NVDCVE-2020-25647 at SUSECVE-2020-25647 at NVDCVE-2020-27749 at SUSECVE-2020-27749 at NVDCVE-2020-27779 at SUSECVE-2020-27779 at NVDCVE-2021-20225 at SUSECVE-2021-20225 at NVDCVE-2021-20233 at SUSECVE-2021-20233 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for openldap2 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for openldap2 fixes the following issues:
- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the
X.509 DN parsing in decode.c ber_next_element, resulting in denial
of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN
parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash
in the Certificate List Exact Assertion processing, resulting in
denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the
cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the
saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash
in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd
crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the
saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact
Assertion processing, resulting in denial of service (schema_init.c
serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter
control handling, resulting in denial of service (double free and
out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur
in the issuerAndThisUpdateCheck function via a crafted packet,
resulting in a denial of service (daemon exit) via a short timestamp.
This is related to schema_init.c and checkTime.
ImportantSUSE bug 1182279SUSE bug 1182408SUSE bug 1182411SUSE bug 1182412SUSE bug 1182413SUSE bug 1182415SUSE bug 1182416SUSE bug 1182417SUSE bug 1182418SUSE bug 1182419SUSE bug 1182420CVE-2020-36221 at SUSECVE-2020-36221 at NVDCVE-2020-36222 at SUSECVE-2020-36222 at NVDCVE-2020-36223 at SUSECVE-2020-36223 at NVDCVE-2020-36224 at SUSECVE-2020-36224 at NVDCVE-2020-36225 at SUSECVE-2020-36225 at NVDCVE-2020-36226 at SUSECVE-2020-36226 at NVDCVE-2020-36227 at SUSECVE-2020-36227 at NVDCVE-2020-36228 at SUSECVE-2020-36228 at NVDCVE-2020-36229 at SUSECVE-2020-36229 at NVDCVE-2020-36230 at SUSECVE-2020-36230 at NVDCVE-2021-27212 at SUSECVE-2021-27212 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1181843).
- CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753).
- CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747).
- CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI target code which could have been used
by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#178372).
The following non-security bugs were fixed:
- cifs: report error instead of invalid when revalidating a dentry fails (bsc#1177440).
- xen/netback: fix spurious event detection for common event case (bsc#1182175).
ImportantSUSE bug 1177440SUSE bug 1178372SUSE bug 1181747SUSE bug 1181753SUSE bug 1181843SUSE bug 1182175CVE-2020-28374 at SUSECVE-2020-28374 at NVDCVE-2021-26930 at SUSECVE-2021-26930 at NVDCVE-2021-26931 at SUSECVE-2021-26931 at NVDCVE-2021-26932 at SUSECVE-2021-26932 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for wpa_supplicant (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for wpa_supplicant fixes the following issues:
- CVE-2021-27803: P2P provision discovery processing vulnerability (bsc#1182805)
ImportantSUSE bug 1182805CVE-2021-27803 at SUSECVE-2021-27803 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for git (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for git fixes the following issues:
- On case-insensitive filesystems, with support for symbolic links,
if Git is configured globally to apply delay-capable clean/smudge
filters (such as Git LFS), Git could be fooled into running
remote code during a clone. (bsc#1183026, CVE-2021-21300)
ImportantSUSE bug 1183026CVE-2021-21300 at SUSECVE-2021-21300 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for python (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for python fixes the following issues:
- python27 was upgraded to 2.7.18
- CVE-2021-23336: Fixed a potential web cache poisoning by using a semicolon in query parameters use of semicolon as a query string separator (bsc#1182379).
ModerateSUSE bug 1182379CVE-2019-18348 at SUSECVE-2019-18348 at NVDCVE-2021-23336 at SUSECVE-2021-23336 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.6.1 ESR
* Fixed: Critical security issue MFSA 2021-01 (bsc#1180623)
* CVE-2020-16044
Use-after-free write when handling a malicious COOKIE-ECHO SCTP chunk
ImportantSUSE bug 1180623CVE-2020-16044 at SUSECVE-2020-16044 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for glib2 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for glib2 fixes the following issues:
- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362)
ImportantSUSE bug 1182328SUSE bug 1182362CVE-2021-27218 at SUSECVE-2021-27218 at NVDCVE-2021-27219 at SUSECVE-2021-27219 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_138 fixes several issues.
The following security issues were fixed:
- CVE-2020-27786: Fixed a potential user after free which could have led to memory corruption or privilege escalation (bsc#1179616).
- CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI target code which could have been used by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#1178684).
- CVE-2020-25645: Fixed an issue where the traffic between two Geneve endpoints may have been unencrypted when IPsec was configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted (bsc#1177513).
- CVE-2020-0429: Fixed a potential memory corruption due to a use after free which could have led local escalation of privilege with System execution privileges needed (bsc#1176931).
- CVE-2020-1749: Fixed an issue in some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6 where the kernel was not correctly routing tunneled data over the encrypted link rather sending the data unencrypted (bsc#1165631).
ImportantSUSE bug 1165631SUSE bug 1176931SUSE bug 1177513SUSE bug 1178684SUSE bug 1179616CVE-2020-0429 at SUSECVE-2020-0429 at NVDCVE-2020-1749 at SUSECVE-2020-1749 at NVDCVE-2020-25645 at SUSECVE-2020-25645 at NVDCVE-2020-27786 at SUSECVE-2020-27786 at NVDCVE-2020-28374 at SUSECVE-2020-28374 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_135 fixes several issues.
The following security issues were fixed:
- CVE-2021-3347: Fixed a use-after-free in the PI futexes during fault handling, allowing local users to execute code in the kernel (bsc#1181553).
- CVE-2020-27786: Fixed a potential user after free which could have led to memory corruption or privilege escalation (bsc#1179616).
- CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI target code which could have been used by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#1178684).
ImportantSUSE bug 1178684SUSE bug 1179616SUSE bug 1181553CVE-2020-27786 at SUSECVE-2020-27786 at NVDCVE-2020-28374 at SUSECVE-2020-28374 at NVDCVE-2021-3347 at SUSECVE-2021-3347 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_130 fixes several issues.
The following security issues were fixed:
- CVE-2021-3347: Fixed a use-after-free in the PI futexes during fault handling, allowing local users to execute code in the kernel (bsc#1181553).
- CVE-2020-27786: Fixed a potential user after free which could have led to memory corruption or privilege escalation (bsc#1179616).
- CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI target code which could have been used by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#1178684).
ImportantSUSE bug 1178684SUSE bug 1179616SUSE bug 1181553CVE-2020-27786 at SUSECVE-2020-27786 at NVDCVE-2020-28374 at SUSECVE-2020-28374 at NVDCVE-2021-3347 at SUSECVE-2021-3347 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_127 fixes several issues.
The following security issues were fixed:
- CVE-2021-3347: Fixed a use-after-free in the PI futexes during fault handling, allowing local users to execute code in the kernel (bsc#1181553).
- CVE-2020-27786: Fixed a potential user after free which could have led to memory corruption or privilege escalation (bsc#1179616).
- CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI target code which could have been used by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#1178684).
ImportantSUSE bug 1178684SUSE bug 1179616SUSE bug 1181553CVE-2020-27786 at SUSECVE-2020-27786 at NVDCVE-2020-28374 at SUSECVE-2020-28374 at NVDCVE-2021-3347 at SUSECVE-2021-3347 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_124 fixes several issues.
The following security issues were fixed:
- CVE-2021-3347: Fixed a use-after-free in the PI futexes during fault handling, allowing local users to execute code in the kernel (bsc#1181553).
- CVE-2020-27786: Fixed a potential user after free which could have led to memory corruption or privilege escalation (bsc#1179616).
- CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI target code which could have been used by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#1178684).
ImportantSUSE bug 1178684SUSE bug 1179616SUSE bug 1181553CVE-2020-27786 at SUSECVE-2020-27786 at NVDCVE-2020-28374 at SUSECVE-2020-28374 at NVDCVE-2021-3347 at SUSECVE-2021-3347 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_121 fixes several issues.
The following security issues were fixed:
- CVE-2021-3347: Fixed a use-after-free in the PI futexes during fault handling, allowing local users to execute code in the kernel (bsc#1181553).
- CVE-2020-27786: Fixed a potential user after free which could have led to memory corruption or privilege escalation (bsc#1179616).
- CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI target code which could have been used by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#1178684).
ImportantSUSE bug 1178684SUSE bug 1179616SUSE bug 1181553CVE-2020-27786 at SUSECVE-2020-27786 at NVDCVE-2020-28374 at SUSECVE-2020-28374 at NVDCVE-2021-3347 at SUSECVE-2021-3347 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_116 fixes several issues.
The following security issues were fixed:
- CVE-2021-3347: Fixed a use-after-free in the PI futexes during fault handling, allowing local users to execute code in the kernel (bsc#1181553).
- CVE-2020-27786: Fixed a potential user after free which could have led to memory corruption or privilege escalation (bsc#1179616).
- CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI target code which could have been used by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#1178684).
ImportantSUSE bug 1178684SUSE bug 1179616SUSE bug 1181553CVE-2020-27786 at SUSECVE-2020-27786 at NVDCVE-2020-28374 at SUSECVE-2020-28374 at NVDCVE-2021-3347 at SUSECVE-2021-3347 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for wavpack (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for wavpack fixes the following issues:
- CVE-2020-35738: Fixed an out-of-bounds write in WavpackPackSamples (bsc#1180414).
ImportantSUSE bug 1180414CVE-2020-35738 at SUSECVE-2020-35738 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for nghttp2 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for nghttp2 fixes the following issues:
Security issues fixed:
- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358).
- CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184).
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#1146182).
- CVE-2018-1000168: Fixed ALTSVC frame client side denial of service (bsc#1088639).
- CVE-2016-1544: Fixed out of memory due to unlimited incoming HTTP header fields (bsc#966514).
Bug fixes and enhancements:
- Packages must not mark license files as %doc (bsc#1082318)
- Typo in description of libnghttp2_asio1 (bsc#962914)
- Fixed mistake in spec file (bsc#1125689)
- Fixed build issue with boost 1.70.0 (bsc#1134616)
- Fixed build issue with GCC 6 (bsc#964140)
- Feature: Add W&S module (FATE#326776, bsc#1112438)
ImportantSUSE bug 1082318SUSE bug 1088639SUSE bug 1112438SUSE bug 1125689SUSE bug 1134616SUSE bug 1146182SUSE bug 1146184SUSE bug 1181358SUSE bug 962914SUSE bug 964140SUSE bug 966514CVE-2016-1544 at SUSECVE-2016-1544 at NVDCVE-2018-1000168 at SUSECVE-2018-1000168 at NVDCVE-2019-9511 at SUSECVE-2019-9511 at NVDCVE-2019-9513 at SUSECVE-2019-9513 at NVDCVE-2020-11080 at SUSECVE-2020-11080 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for openssl fixes the following issues:
- CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)
ModerateSUSE bug 1182331SUSE bug 1182333CVE-2021-23840 at SUSECVE-2021-23840 at NVDCVE-2021-23841 at SUSECVE-2021-23841 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
- Firefox was updated to 78.9.0 ESR (MFSA 2021-11, bsc#1183942)
* CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read
* CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage
* CVE-2021-23984: Malicious extensions could have spoofed popup information
* CVE-2021-23987: Memory safety bugs
ImportantSUSE bug 1183942CVE-2021-23981 at SUSECVE-2021-23981 at NVDCVE-2021-23982 at SUSECVE-2021-23982 at NVDCVE-2021-23984 at SUSECVE-2021-23984 at NVDCVE-2021-23987 at SUSECVE-2021-23987 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_144 fixes several issues.
The following security issues were fixed:
- CVE-2022-0487: A use-after-free vulnerability was found in rtsx_usb_ms_drv_remove() in drivers/memstick/host/rtsx_usb_ms.c (bsc#1194516).
- CVE-2022-0492: Fixed a privilege escalation related to cgroups v1 release_agent feature, which allowed bypassing namespace isolation unexpectedly (bsc#1195543).
ImportantSUSE bug 1195908SUSE bug 1195949CVE-2022-0487 at SUSECVE-2022-0487 at NVDCVE-2022-0492 at SUSECVE-2022-0492 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_147 fixes several issues.
The following security issues were fixed:
- CVE-2022-0487: A use-after-free vulnerability was found in rtsx_usb_ms_drv_remove() in drivers/memstick/host/rtsx_usb_ms.c (bsc#1194516).
- CVE-2022-0492: Fixed a privilege escalation related to cgroups v1 release_agent feature, which allowed bypassing namespace isolation unexpectedly (bsc#1195543).
ImportantSUSE bug 1195908SUSE bug 1195949CVE-2022-0487 at SUSECVE-2022-0487 at NVDCVE-2022-0492 at SUSECVE-2022-0492 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 41 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_150 fixes several issues.
The following security issues were fixed:
- CVE-2022-0487: A use-after-free vulnerability was found in rtsx_usb_ms_drv_remove() in drivers/memstick/host/rtsx_usb_ms.c (bsc#1194516).
- CVE-2022-0492: Fixed a privilege escalation related to cgroups v1 release_agent feature, which allowed bypassing namespace isolation unexpectedly (bsc#1195543).
ImportantSUSE bug 1195908SUSE bug 1195949CVE-2022-0487 at SUSECVE-2022-0487 at NVDCVE-2022-0492 at SUSECVE-2022-0492 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 43 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_156 fixes one issue.
The following security issue was fixed:
- CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc#1183646).
ImportantSUSE bug 1182294CVE-2021-28688 at SUSECVE-2021-28688 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for openvpn (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for openvpn fixes the following issues:
- CVE-2022-0547: Fixed possible authentication bypass in external authentication plug-in (bsc#1197341).
ImportantSUSE bug 1197341CVE-2022-0547 at SUSECVE-2022-0547 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_7_1-ibm fixes the following issues:
Update Java 7.1 to Service Refresh 7 Fix Pack 5 (bsc#1197126).
Including fixes for the following vulnerabilities:
CVE-2022-21366, CVE-2022-21365, CVE-2022-21360, CVE-2022-21349,
CVE-2022-21341, CVE-2022-21340, CVE-2022-21305, CVE-2022-21277,
CVE-2022-21299, CVE-2022-21296, CVE-2022-21282, CVE-2022-21294,
CVE-2022-21293, CVE-2022-21291, CVE-2022-21283, CVE-2022-21248,
CVE-2022-21271.
ImportantSUSE bug 1194925SUSE bug 1194926SUSE bug 1194927SUSE bug 1194928SUSE bug 1194929SUSE bug 1194930SUSE bug 1194931SUSE bug 1194932SUSE bug 1194933SUSE bug 1194934SUSE bug 1194935SUSE bug 1194937SUSE bug 1194939SUSE bug 1194940SUSE bug 1194941SUSE bug 1196500SUSE bug 1197126CVE-2022-21248 at SUSECVE-2022-21248 at NVDCVE-2022-21271 at SUSECVE-2022-21271 at NVDCVE-2022-21277 at SUSECVE-2022-21277 at NVDCVE-2022-21282 at SUSECVE-2022-21282 at NVDCVE-2022-21283 at SUSECVE-2022-21283 at NVDCVE-2022-21291 at SUSECVE-2022-21291 at NVDCVE-2022-21293 at SUSECVE-2022-21293 at NVDCVE-2022-21294 at SUSECVE-2022-21294 at NVDCVE-2022-21296 at SUSECVE-2022-21296 at NVDCVE-2022-21299 at SUSECVE-2022-21299 at NVDCVE-2022-21305 at SUSECVE-2022-21305 at NVDCVE-2022-21340 at SUSECVE-2022-21340 at NVDCVE-2022-21341 at SUSECVE-2022-21341 at NVDCVE-2022-21349 at SUSECVE-2022-21349 at NVDCVE-2022-21360 at SUSECVE-2022-21360 at NVDCVE-2022-21365 at SUSECVE-2022-21365 at NVDCVE-2022-21366 at SUSECVE-2022-21366 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_8_0-ibm fixes the following issues:
Update Java 8.0 to Service Refresh 7 Fix Pack 5 (bsc#1197126).
Including fixes for the following vulnerabilities:
CVE-2022-21366, CVE-2022-21365, CVE-2022-21360, CVE-2022-21349,
CVE-2022-21341, CVE-2022-21340, CVE-2022-21305, CVE-2022-21277,
CVE-2022-21299, CVE-2022-21296, CVE-2022-21282, CVE-2022-21294,
CVE-2022-21293, CVE-2022-21291, CVE-2022-21283, CVE-2022-21248,
CVE-2022-21271.
Non-securtiy fix:
- Fixed a broken symlink for javaws (bsc#1195146).
ImportantSUSE bug 1194925SUSE bug 1194926SUSE bug 1194927SUSE bug 1194928SUSE bug 1194929SUSE bug 1194930SUSE bug 1194931SUSE bug 1194932SUSE bug 1194933SUSE bug 1194934SUSE bug 1194935SUSE bug 1194937SUSE bug 1194939SUSE bug 1194940SUSE bug 1194941SUSE bug 1195146SUSE bug 1196500SUSE bug 1197126CVE-2022-21248 at SUSECVE-2022-21248 at NVDCVE-2022-21271 at SUSECVE-2022-21271 at NVDCVE-2022-21277 at SUSECVE-2022-21277 at NVDCVE-2022-21282 at SUSECVE-2022-21282 at NVDCVE-2022-21283 at SUSECVE-2022-21283 at NVDCVE-2022-21291 at SUSECVE-2022-21291 at NVDCVE-2022-21293 at SUSECVE-2022-21293 at NVDCVE-2022-21294 at SUSECVE-2022-21294 at NVDCVE-2022-21296 at SUSECVE-2022-21296 at NVDCVE-2022-21299 at SUSECVE-2022-21299 at NVDCVE-2022-21305 at SUSECVE-2022-21305 at NVDCVE-2022-21340 at SUSECVE-2022-21340 at NVDCVE-2022-21341 at SUSECVE-2022-21341 at NVDCVE-2022-21349 at SUSECVE-2022-21349 at NVDCVE-2022-21360 at SUSECVE-2022-21360 at NVDCVE-2022-21365 at SUSECVE-2022-21365 at NVDCVE-2022-21366 at SUSECVE-2022-21366 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 42 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_153 fixes one issue.
The following security issue was fixed:
- CVE-2022-0492: Fixed a privilege escalation related to cgroups v1 release_agent feature, which allowed bypassing namespace isolation unexpectedly (bsc#1195543).
ImportantSUSE bug 1195908CVE-2022-0492 at SUSECVE-2022-0492 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for zlib (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for zlib fixes the following issues:
- CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).
ImportantSUSE bug 1197459CVE-2018-25032 at SUSECVE-2018-25032 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 7 Fix Pack 0
- CVE-2021-41035: before version 0.29.0, the openj9 JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods. (bsc#1194198, bsc#1192052)
- CVE-2021-35586: Excessive memory allocation in BMPImageReader. (bsc#1191914)
- CVE-2021-35564: Certificates with end dates too far in the future can corrupt keystore. (bsc#1191913)
- CVE-2021-35559: Excessive memory allocation in RTFReader. (bsc#1191911)
- CVE-2021-35556: Excessive memory allocation in RTFParser. (bsc#1191910)
- CVE-2021-35565: Loop in HttpsServer triggered during TLS session close. (bsc#1191909)
- CVE-2021-35588: Incomplete validation of inner class references in ClassFileParser. (bsc#1191905)
- CVE-2021-2341: Fixed a flaw inside the FtpClient. (bsc#1188564)
- CVE-2021-2369: JAR file handling problem containing multiple MANIFEST.MF files. (bsc#1188565)
- CVE-2021-2163: Incomplete enforcement of JAR signing disabled algorithms. (bsc#1185055)
- CVE-2021-35560: Fixed a vulnerability in the component Deployment. (bsc#1191902)
- CVE-2021-35578: Fixed unexpected exception raised during TLS handshake. (bsc#1191904)
ImportantSUSE bug 1185055SUSE bug 1188564SUSE bug 1188565SUSE bug 1191902SUSE bug 1191904SUSE bug 1191905SUSE bug 1191909SUSE bug 1191910SUSE bug 1191911SUSE bug 1191913SUSE bug 1191914SUSE bug 1192052SUSE bug 1194198SUSE bug 1194232CVE-2021-2163 at SUSECVE-2021-2163 at NVDCVE-2021-2341 at SUSECVE-2021-2341 at NVDCVE-2021-2369 at SUSECVE-2021-2369 at NVDCVE-2021-35556 at SUSECVE-2021-35556 at NVDCVE-2021-35559 at SUSECVE-2021-35559 at NVDCVE-2021-35560 at SUSECVE-2021-35560 at NVDCVE-2021-35564 at SUSECVE-2021-35564 at NVDCVE-2021-35565 at SUSECVE-2021-35565 at NVDCVE-2021-35578 at SUSECVE-2021-35578 at NVDCVE-2021-35586 at SUSECVE-2021-35586 at NVDCVE-2021-35588 at SUSECVE-2021-35588 at NVDCVE-2021-41035 at SUSECVE-2021-41035 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for mozilla-nss (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for mozilla-nss fixes the following issues:
Mozilla NSS 3.68.3 (bsc#1197903):
- CVE-2022-1097: Fixed memory safety violations that could occur when PKCS#11
tokens are removed while in use.
ImportantSUSE bug 1197903CVE-2022-1097 at SUSECVE-2022-1097 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.8.0 ESR (bsc#1197903):
MFSA 2022-14 (bsc#1197903)
* CVE-2022-1097: Fixed memory safety violations that could occur when PKCS#11 tokens are removed while in use
* CVE-2022-28281: Fixed an out of bounds write due to unexpected WebAuthN Extensions
* CVE-2022-1196: Fixed a use-after-free after VR Process destruction
* CVE-2022-28282: Fixed a use-after-free in DocumentL10n::TranslateDocument
* CVE-2022-28285: Fixed incorrect AliasSet used in JIT Codegen
* CVE-2022-28286: Fixed that iframe contents could be rendered outside the border
* CVE-2022-24713: Fixed a denial of service via complex regular expressions
* CVE-2022-28289: Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8
ImportantSUSE bug 1197903CVE-2022-1097 at SUSECVE-2022-1097 at NVDCVE-2022-1196 at SUSECVE-2022-1196 at NVDCVE-2022-24713 at SUSECVE-2022-24713 at NVDCVE-2022-28281 at SUSECVE-2022-28281 at NVDCVE-2022-28282 at SUSECVE-2022-28282 at NVDCVE-2022-28285 at SUSECVE-2022-28285 at NVDCVE-2022-28286 at SUSECVE-2022-28286 at NVDCVE-2022-28289 at SUSECVE-2022-28289 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for glibc (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for glibc fixes the following issues:
- CVE-2020-1752: Fix use-after-free in glob when expanding ~user (bsc#1167631)
ImportantSUSE bug 1167631CVE-2020-1752 at SUSECVE-2020-1752 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for openjpeg2 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for openjpeg2 fixes the following issues:
- CVE-2016-1924: Fixed heap buffer overflow (bsc#980504).
- CVE-2016-3183: Fixed out-of-bounds read in sycc422_to_rgb function (bsc#971617).
- CVE-2016-4797: Fixed heap buffer overflow (bsc#980504).
- CVE-2018-14423: Fixed division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_next_cprl,and pi_next_rpcl in lib/openjp3d/pi.c (bsc#1102016).
- CVE-2018-16375: Fixed missing checks for header_info.height and header_info.width in the function pnmtoimage in bin/jpwl/convert.c (bsc#1106882).
- CVE-2018-16376: Fixed heap-based buffer overflow function t2_encode_packet in lib/openmj2/t2.c (bsc#1106881).
- CVE-2018-20845: Fixed division-by-zero in the functions pi_next_pcrl, pi_next_cprl, and pi_next_rpcl in openmj2/pi.c (bsc#1140130).
- CVE-2018-20846: Fixed out-of-bounds accesses in pi_next_lrcp, pi_next_rlcp, pi_next_rpcl, pi_next_pcrl, pi_next_rpcl, and pi_next_cprl in openmj2/pi.c (bsc#1140205).
- CVE-2020-8112: Fixed heap-based buffer overflow in opj_t1_clbl_decode_processor in openjp2/t1.c (bsc#1162090).
- CVE-2020-15389: Fixed use-after-free if t a mix of valid and invalid files in a directory operated on by the decompressor (bsc#1173578).
- CVE-2020-27823: Fixed heap buffer over-write in opj_tcd_dc_level_shift_encode() (bsc#1180457).
- CVE-2021-29338: Fixed integer overflow that allows remote attackers to crash the application (bsc#1184774).
- CVE-2022-1122: Fixed segmentation fault in opj2_decompress due to uninitialized pointer (bsc#1197738).
ImportantSUSE bug 1102016SUSE bug 1106881SUSE bug 1106882SUSE bug 1140130SUSE bug 1140205SUSE bug 1162090SUSE bug 1173578SUSE bug 1180457SUSE bug 1184774SUSE bug 1197738SUSE bug 971617SUSE bug 980504CVE-2016-1924 at SUSECVE-2016-1924 at NVDCVE-2016-3183 at SUSECVE-2016-3183 at NVDCVE-2016-4797 at SUSECVE-2016-4797 at NVDCVE-2018-14423 at SUSECVE-2018-14423 at NVDCVE-2018-16375 at SUSECVE-2018-16375 at NVDCVE-2018-16376 at SUSECVE-2018-16376 at NVDCVE-2018-20845 at SUSECVE-2018-20845 at NVDCVE-2018-20846 at SUSECVE-2018-20846 at NVDCVE-2020-15389 at SUSECVE-2020-15389 at NVDCVE-2020-27823 at SUSECVE-2020-27823 at NVDCVE-2020-8112 at SUSECVE-2020-8112 at NVDCVE-2021-29338 at SUSECVE-2021-29338 at NVDCVE-2022-1122 at SUSECVE-2022-1122 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
- CVE-2021-4140: Fixed iframe sandbox bypass with XSLT (bsc#1194547).
- CVE-2022-22737: Fixed race condition when playing audio files (bsc#1194547).
- CVE-2022-22738: Fixed heap-buffer-overflow in blendGaussianBlur (bsc#1194547).
- CVE-2022-22739: Fixed missing throttling on external protocol launch dialog (bsc#1194547).
- CVE-2022-22740: Fixed use-after-free of ChannelEventQueue::mOwner (bsc#1194547).
- CVE-2022-22741: Fixed browser window spoof using fullscreen mode (bsc#1194547).
- CVE-2022-22742: Fixed out-of-bounds memory access when inserting text in edit mode (bsc#1194547).
- CVE-2022-22743: Fixed browser window spoof using fullscreen mode (bsc#1194547).
- CVE-2022-22744: Fixed possible command injection via the 'Copy as curl' feature in DevTools (bsc#1194547).
- CVE-2022-22745: Fixed leaking cross-origin URLs through securitypolicyviolation event (bsc#1194547).
- CVE-2022-22746: Fixed calling into reportValidity could have lead to fullscreen window spoof (bsc#1194547).
- CVE-2022-22747: Fixed crash when handling empty pkcs7 sequence(bsc#1194547).
- CVE-2022-22748: Fixed spoofed origin on external protocol launch dialog (bsc#1194547).
- CVE-2022-22751: Fixed memory safety bugs (bsc#1194547).
ImportantSUSE bug 1194547CVE-2021-4140 at SUSECVE-2021-4140 at NVDCVE-2022-22737 at SUSECVE-2022-22737 at NVDCVE-2022-22738 at SUSECVE-2022-22738 at NVDCVE-2022-22739 at SUSECVE-2022-22739 at NVDCVE-2022-22740 at SUSECVE-2022-22740 at NVDCVE-2022-22741 at SUSECVE-2022-22741 at NVDCVE-2022-22742 at SUSECVE-2022-22742 at NVDCVE-2022-22743 at SUSECVE-2022-22743 at NVDCVE-2022-22744 at SUSECVE-2022-22744 at NVDCVE-2022-22745 at SUSECVE-2022-22745 at NVDCVE-2022-22746 at SUSECVE-2022-22746 at NVDCVE-2022-22747 at SUSECVE-2022-22747 at NVDCVE-2022-22748 at SUSECVE-2022-22748 at NVDCVE-2022-22751 at SUSECVE-2022-22751 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for xz (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for xz fixes the following issues:
- CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)
ImportantSUSE bug 1198062CVE-2022-1271 at SUSECVE-2022-1271 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libexif (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libexif fixes the following issues:
- CVE-2020-0181: Fixed an integer overflow that could lead to denial of service
(bsc#1172802).
- CVE-2020-0198: Fixed and unsigned integer overflow that could lead to denial
of service (bsc#1172768).
- CVE-2020-0452: Fixed a buffer overflow check that could be optimized away
by the compiler (bsc#1178479).
ImportantSUSE bug 1172768SUSE bug 1172802SUSE bug 1178479CVE-2020-0181 at SUSECVE-2020-0181 at NVDCVE-2020-0198 at SUSECVE-2020-0198 at NVDCVE-2020-0452 at SUSECVE-2020-0452 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
The SUSE Linux Enterprise 12 SP3 kernel was updated.
The following security bugs were fixed:
- CVE-2022-1016: Fixed a vulnerability in the nf_tables component of the netfilter subsystem. This vulnerability gives an attacker a powerful primitive that can be used to both read from and write to relative stack data, which can lead to arbitrary code execution. (bsc#1197227)
- CVE-2022-1048: Fixed a race Condition in snd_pcm_hw_free leading to use-after-free due to the AB/BA lock with buffer_mutex and mmap_lock. (bsc#1197331)
- CVE-2022-0850: Fixed a kernel information leak vulnerability in iov_iter.c. (bsc#1196761)
- CVE-2021-45868: Fixed a wrong validation check in fs/quota/quota_tree.c which could lead to an use-after-free if there is a corrupted quota file. (bnc#1197366)
- CVE-2022-26966: Fixed an issue in drivers/net/usb/sr9700.c, which allowed attackers to obtain sensitive information from the memory via crafted frame lengths from a USB device. (bsc#1196836)
- CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042: Fixed multiple issues which could have lead to read/write access to memory pages or denial of service. These issues are related to the Xen PV device frontend drivers. (bsc#1196488)
- CVE-2022-26490: Fixed a buffer overflow in the st21nfca driver. An attacker with adjacent NFC access could crash the system or corrupt the system memory. (bsc#1196830)
The following non-security bugs were fixed:
- ax88179_178a: Merge memcpy + le32_to_cpus to get_unaligned_le32 (bsc#1196018).
- clocksource: Initialize cs->wd_list (git-fixes)
- llc: fix netdevice reference leaks in llc_ui_bind() (git-fixes).
- net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup (bsc#1196018).
- net: usb: ax88179_178a: fix packet alignment padding (bsc#1196018).
- sched/autogroup: Fix possible Spectre-v1 indexing for (git-fixes)
- sr9700: sanity check for packet length (bsc#1196836).
- usb: host: xen-hcd: add missing unlock in error path (git-fixes).
- xen/usb: do not use gnttab_end_foreign_access() in xenhcd_gnttab_done() (bsc#1196488, XSA-396).
ImportantSUSE bug 1189562SUSE bug 1196018SUSE bug 1196488SUSE bug 1196761SUSE bug 1196830SUSE bug 1196836SUSE bug 1197227SUSE bug 1197331SUSE bug 1197366CVE-2021-45868 at SUSECVE-2021-45868 at NVDCVE-2022-0850 at SUSECVE-2022-0850 at NVDCVE-2022-1016 at SUSECVE-2022-1016 at NVDCVE-2022-1048 at SUSECVE-2022-1048 at NVDCVE-2022-23036 at SUSECVE-2022-23036 at NVDCVE-2022-23037 at SUSECVE-2022-23037 at NVDCVE-2022-23038 at SUSECVE-2022-23038 at NVDCVE-2022-23039 at SUSECVE-2022-23039 at NVDCVE-2022-23040 at SUSECVE-2022-23040 at NVDCVE-2022-23041 at SUSECVE-2022-23041 at NVDCVE-2022-23042 at SUSECVE-2022-23042 at NVDCVE-2022-26490 at SUSECVE-2022-26490 at NVDCVE-2022-26966 at SUSECVE-2022-26966 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for gzip (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for gzip fixes the following issues:
- CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)
ImportantSUSE bug 1198062CVE-2022-1271 at SUSECVE-2022-1271 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for dnsmasq (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for dnsmasq fixes the following issues:
- CVE-2021-3448: Fixed a potential DNS cache poisoning issue due to a constant
outgoing port being used when for certain use cases of the --server option
(bsc#1183709).
- CVE-2022-0934: Fixed an invalid memory access that could lead to remote denial
of service via crafted packet (bsc#1197872).
ImportantSUSE bug 1183709SUSE bug 1197872CVE-2021-3448 at SUSECVE-2021-3448 at NVDCVE-2022-0934 at SUSECVE-2022-0934 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for tomcat (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for tomcat fixes the following issues:
- Remove the log4j dependency as it is not used by the tomcat package (bsc#1196137)
Security hardening, related to Spring Framework vulnerabilities:
- Deprecate getResources() and always return null (bsc#1198136).
ImportantSUSE bug 1196137SUSE bug 1198136cpe:/o:suse:sles-espos:12:sp3Security update for git (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for git fixes the following issues:
- CVE-2022-24765: Fixed a potential command injection via git worktree (bsc#1198234).
ImportantSUSE bug 1198234CVE-2022-24765 at SUSECVE-2022-24765 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libxml2 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libxml2 fixes the following issues:
- CVE-2022-23308: Fixed use-after-free of ID and IDREF attributes. (bsc#1196490)
ImportantSUSE bug 1196490CVE-2022-23308 at SUSECVE-2022-23308 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for SDL (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for SDL fixes the following issues:
- CVE-2020-14409: Fixed an integer overflow (and resultant SDL_memcpy heap corruption) in SDL_BlitCopy in video/SDL_blit_copy.c. (bsc#1181202)
- CVE-2020-14410: Fixed a heap-based buffer over-read in Blit_3or4_to_3or4__inversed_rgb in video/SDL_blit_N.c. (bsc#1181201)
- CVE-2021-33657: Fixed a Heap overflow problem in video/SDL_pixels.c. (bsc#1198001)
ImportantSUSE bug 1181201SUSE bug 1181202SUSE bug 1198001CVE-2020-14409 at SUSECVE-2020-14409 at NVDCVE-2020-14410 at SUSECVE-2020-14410 at NVDCVE-2021-33657 at SUSECVE-2021-33657 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for xen fixes the following issues:
- CVE-2022-26356: Fixed potential race conditions in dirty memory tracking that
could cause a denial of service in the host (bsc#1197423).
- CVE-2022-26357: Fixed a potential race condition in memory cleanup for hosts
using VT-d IOMMU hardware, which could lead to a denial of service in the host
(bsc#1197425).
- CVE-2022-26358,CVE-2022-26359,CVE-2022-26360,CVE-2022-26361: Fixed various memory
corruption issues for hosts using VT-d or AMD-Vi IOMMU hardware. These could be
leveraged by an attacker to cause a denial of service in the host (bsc#1197426).
- CVE-2022-0001, CVE-2022-0002, CVE-2021-26401: Added BHB speculation issue
mitigations (bsc#1196915).
ImportantSUSE bug 1196915SUSE bug 1197423SUSE bug 1197425SUSE bug 1197426CVE-2021-26401 at SUSECVE-2021-26401 at NVDCVE-2022-0001 at SUSECVE-2022-0001 at NVDCVE-2022-0002 at SUSECVE-2022-0002 at NVDCVE-2022-26356 at SUSECVE-2022-26356 at NVDCVE-2022-26357 at SUSECVE-2022-26357 at NVDCVE-2022-26358 at SUSECVE-2022-26358 at NVDCVE-2022-26359 at SUSECVE-2022-26359 at NVDCVE-2022-26360 at SUSECVE-2022-26360 at NVDCVE-2022-26361 at SUSECVE-2022-26361 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.34.3 (bsc#1194019).
- CVE-2021-30887: Fixed logic issue allowing unexpectedly unenforced Content Security Policy when processing maliciously crafted web content.
- CVE-2021-30890: Fixed logic issue allowing universal cross site scripting when processing maliciously crafted web content.
ImportantSUSE bug 1194019CVE-2018-8518 at SUSECVE-2018-8518 at NVDCVE-2018-8523 at SUSECVE-2018-8523 at NVDCVE-2019-8551 at SUSECVE-2019-8551 at NVDCVE-2019-8558 at SUSECVE-2019-8558 at NVDCVE-2019-8559 at SUSECVE-2019-8559 at NVDCVE-2019-8563 at SUSECVE-2019-8563 at NVDCVE-2019-8674 at SUSECVE-2019-8674 at NVDCVE-2019-8681 at SUSECVE-2019-8681 at NVDCVE-2019-8684 at SUSECVE-2019-8684 at NVDCVE-2019-8687 at SUSECVE-2019-8687 at NVDCVE-2019-8688 at SUSECVE-2019-8688 at NVDCVE-2019-8689 at SUSECVE-2019-8689 at NVDCVE-2019-8690 at SUSECVE-2019-8690 at NVDCVE-2019-8707 at SUSECVE-2019-8707 at NVDCVE-2019-8719 at SUSECVE-2019-8719 at NVDCVE-2019-8726 at SUSECVE-2019-8726 at NVDCVE-2019-8733 at SUSECVE-2019-8733 at NVDCVE-2019-8763 at SUSECVE-2019-8763 at NVDCVE-2019-8765 at SUSECVE-2019-8765 at NVDCVE-2019-8766 at SUSECVE-2019-8766 at NVDCVE-2019-8768 at SUSECVE-2019-8768 at NVDCVE-2019-8782 at SUSECVE-2019-8782 at NVDCVE-2019-8808 at SUSECVE-2019-8808 at NVDCVE-2019-8815 at SUSECVE-2019-8815 at NVDCVE-2019-8821 at SUSECVE-2019-8821 at NVDCVE-2019-8822 at SUSECVE-2019-8822 at NVDCVE-2020-10018 at SUSECVE-2020-10018 at NVDCVE-2020-13753 at SUSECVE-2020-13753 at NVDCVE-2020-27918 at SUSECVE-2020-27918 at NVDCVE-2020-29623 at SUSECVE-2020-29623 at NVDCVE-2020-3885 at SUSECVE-2020-3885 at NVDCVE-2020-3894 at SUSECVE-2020-3894 at NVDCVE-2020-3895 at SUSECVE-2020-3895 at NVDCVE-2020-3897 at SUSECVE-2020-3897 at NVDCVE-2020-3900 at SUSECVE-2020-3900 at NVDCVE-2020-3901 at SUSECVE-2020-3901 at NVDCVE-2020-3902 at SUSECVE-2020-3902 at NVDCVE-2020-9802 at SUSECVE-2020-9802 at NVDCVE-2020-9803 at SUSECVE-2020-9803 at NVDCVE-2020-9805 at SUSECVE-2020-9805 at NVDCVE-2020-9947 at SUSECVE-2020-9947 at NVDCVE-2020-9948 at SUSECVE-2020-9948 at NVDCVE-2020-9951 at SUSECVE-2020-9951 at NVDCVE-2020-9952 at SUSECVE-2020-9952 at NVDCVE-2021-1765 at SUSECVE-2021-1765 at NVDCVE-2021-1788 at SUSECVE-2021-1788 at NVDCVE-2021-1817 at SUSECVE-2021-1817 at NVDCVE-2021-1820 at SUSECVE-2021-1820 at NVDCVE-2021-1825 at SUSECVE-2021-1825 at NVDCVE-2021-1826 at SUSECVE-2021-1826 at NVDCVE-2021-1844 at SUSECVE-2021-1844 at NVDCVE-2021-1871 at SUSECVE-2021-1871 at NVDCVE-2021-30661 at SUSECVE-2021-30661 at NVDCVE-2021-30666 at SUSECVE-2021-30666 at NVDCVE-2021-30682 at SUSECVE-2021-30682 at NVDCVE-2021-30761 at SUSECVE-2021-30761 at NVDCVE-2021-30762 at SUSECVE-2021-30762 at NVDCVE-2021-30809 at SUSECVE-2021-30809 at NVDCVE-2021-30818 at SUSECVE-2021-30818 at NVDCVE-2021-30823 at SUSECVE-2021-30823 at NVDCVE-2021-30836 at SUSECVE-2021-30836 at NVDCVE-2021-30846 at SUSECVE-2021-30846 at NVDCVE-2021-30848 at SUSECVE-2021-30848 at NVDCVE-2021-30849 at SUSECVE-2021-30849 at NVDCVE-2021-30851 at SUSECVE-2021-30851 at NVDCVE-2021-30858 at SUSECVE-2021-30858 at NVDCVE-2021-30884 at SUSECVE-2021-30884 at NVDCVE-2021-30887 at SUSECVE-2021-30887 at NVDCVE-2021-30888 at SUSECVE-2021-30888 at NVDCVE-2021-30889 at SUSECVE-2021-30889 at NVDCVE-2021-30890 at SUSECVE-2021-30890 at NVDCVE-2021-30897 at SUSECVE-2021-30897 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for cifs-utils (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for cifs-utils fixes the following issues:
- CVE-2022-27239: Fixed a buffer overflow in the command line ip option (bsc#1197216).
ImportantSUSE bug 1197216CVE-2022-27239 at SUSECVE-2022-27239 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 43 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_156 fixes several issues.
The following security issues were fixed:
- CVE-2022-1016: Fixed a vulnerability in the nf_tables component of the netfilter subsystem. This vulnerability gives an attacker a powerful primitive that can be used to both read from and write to relative stack data, which can lead to arbitrary code execution. (bsc#1197335)
- CVE-2022-1011: Fixed an use-after-free vulnerability which could allow a local attacker to retireve (partial) /etc/shadow hashes or any other data from filesystem when he can mount a FUSE filesystems. (bsc#1197344)
- CVE-2021-39713: Fixed a race condition in the network scheduling subsystem which could lead to a use-after-free (bsc#1197211).
ImportantSUSE bug 1197211SUSE bug 1197335SUSE bug 1197344CVE-2021-39713 at SUSECVE-2021-39713 at NVDCVE-2022-1011 at SUSECVE-2022-1011 at NVDCVE-2022-1016 at SUSECVE-2022-1016 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 42 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_153 fixes several issues.
The following security issues were fixed:
- CVE-2022-1016: Fixed a vulnerability in the nf_tables component of the netfilter subsystem. This vulnerability gives an attacker a powerful primitive that can be used to both read from and write to relative stack data, which can lead to arbitrary code execution. (bsc#1197335)
- CVE-2022-1011: Fixed an use-after-free vulnerability which could allow a local attacker to retireve (partial) /etc/shadow hashes or any other data from filesystem when he can mount a FUSE filesystems. (bsc#1197344)
- CVE-2021-39713: Fixed a race condition in the network scheduling subsystem which could lead to a use-after-free (bsc#1197211).
ImportantSUSE bug 1197211SUSE bug 1197335SUSE bug 1197344CVE-2021-39713 at SUSECVE-2021-39713 at NVDCVE-2022-1011 at SUSECVE-2022-1011 at NVDCVE-2022-1016 at SUSECVE-2022-1016 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 41 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_150 fixes several issues.
The following security issues were fixed:
- CVE-2022-1016: Fixed a vulnerability in the nf_tables component of the netfilter subsystem. This vulnerability gives an attacker a powerful primitive that can be used to both read from and write to relative stack data, which can lead to arbitrary code execution. (bsc#1197335)
- CVE-2022-1011: Fixed an use-after-free vulnerability which could allow a local attacker to retireve (partial) /etc/shadow hashes or any other data from filesystem when he can mount a FUSE filesystems. (bsc#1197344)
- CVE-2021-39713: Fixed a race condition in the network scheduling subsystem which could lead to a use-after-free (bsc#1197211).
ImportantSUSE bug 1197211SUSE bug 1197335SUSE bug 1197344CVE-2021-39713 at SUSECVE-2021-39713 at NVDCVE-2022-1011 at SUSECVE-2022-1011 at NVDCVE-2022-1016 at SUSECVE-2022-1016 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_147 fixes several issues.
The following security issues were fixed:
- CVE-2022-1016: Fixed a vulnerability in the nf_tables component of the netfilter subsystem. This vulnerability gives an attacker a powerful primitive that can be used to both read from and write to relative stack data, which can lead to arbitrary code execution. (bsc#1197335)
- CVE-2022-1011: Fixed an use-after-free vulnerability which could allow a local attacker to retireve (partial) /etc/shadow hashes or any other data from filesystem when he can mount a FUSE filesystems. (bsc#1197344)
- CVE-2021-39713: Fixed a race condition in the network scheduling subsystem which could lead to a use-after-free (bsc#1197211).
ImportantSUSE bug 1197211SUSE bug 1197335SUSE bug 1197344CVE-2021-39713 at SUSECVE-2021-39713 at NVDCVE-2022-1011 at SUSECVE-2022-1011 at NVDCVE-2022-1016 at SUSECVE-2022-1016 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_144 fixes several issues.
The following security issues were fixed:
- CVE-2022-1016: Fixed a vulnerability in the nf_tables component of the netfilter subsystem. This vulnerability gives an attacker a powerful primitive that can be used to both read from and write to relative stack data, which can lead to arbitrary code execution. (bsc#1197335)
- CVE-2022-1011: Fixed an use-after-free vulnerability which could allow a local attacker to retireve (partial) /etc/shadow hashes or any other data from filesystem when he can mount a FUSE filesystems. (bsc#1197344)
- CVE-2021-39713: Fixed a race condition in the network scheduling subsystem which could lead to a use-after-free (bsc#1197211).
ImportantSUSE bug 1197211SUSE bug 1197335SUSE bug 1197344CVE-2021-39713 at SUSECVE-2021-39713 at NVDCVE-2022-1011 at SUSECVE-2022-1011 at NVDCVE-2022-1016 at SUSECVE-2022-1016 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for aide (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for aide fixes the following issues:
- CVE-2021-45417: Fix a bufferoverflow in base64 functions (bsc#1194735)
ImportantSUSE bug 1194735CVE-2021-45417 at SUSECVE-2021-45417 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
This update contains the Firefox Extended Support Release 91.1.0 ESR.
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-40 (bsc#1190269, bsc#1190274):
* CVE-2021-38492: Navigating to `mk:` URL scheme could load Internet Explorer
* CVE-2021-38495: Memory safety bugs fixed in Firefox 92 and Firefox ESR 91.1
Firefox 91.0.1esr ESR
* Fixed: Fixed an issue causing buttons on the tab bar to be
resized when loading certain websites (bug 1704404)
* Fixed: Fixed an issue which caused tabs from private windows
to be visible in non-private windows when viewing switch-to-
tab results in the address bar panel (bug 1720369)
* Fixed: Various stability fixes
* Fixed: Security fix MFSA 2021-37 (bsc#1189547)
* CVE-2021-29991 (bmo#1724896)
Header Splitting possible with HTTP/3 Responses
Firefox Extended Support Release 91.0 ESR
* New: Some of the highlights of the new Extended Support Release are:
- A number of user interface changes. For more information,
see the Firefox 89 release notes.
- Firefox now supports logging into Microsoft, work, and
school accounts using Windows single sign-on. Learn more
- On Windows, updates can now be applied in the background
while Firefox is not running.
- Firefox for Windows now offers a new page about:third-party
to help identify compatibility issues caused by third-party
applications
- Version 2 of Firefox's SmartBlock feature further improves
private browsing. Third party Facebook scripts are blocked to
prevent you from being tracked, but are now automatically
loaded 'just in time' if you decide to 'Log in with Facebook'
on any website.
- Enhanced the privacy of the Firefox Browser's Private
Browsing mode with Total Cookie Protection, which confines
cookies to the site where they were created, preventing
companis from using cookies to track your browsing across
sites. This feature was originally launched in Firefox's ETP
Strict mode.
- PDF forms now support JavaScript embedded in PDF files.
Some PDF forms use JavaScript for validation and other
interactive features.
- You'll encounter less website breakage in Private Browsing
and Strict Enhanced Tracking Protection with SmartBlock,
which provides stand-in scripts so that websites load
properly.
- Improved Print functionality with a cleaner design and
better integration with your computer's printer settings.
- Firefox now protects you from supercookies, a type of
tracker that can stay hidden in your browser and track you
online, even after you clear cookies. By isolating
supercookies, Firefox prevents them from tracking your web
browsing from one site to the next.
- Firefox now remembers your preferred location for saved
bookmarks, displays the bookmarks toolbar by default on new
tabs, and gives you easy access to all of your bookmarks via
a toolbar folder.
- Native support for macOS devices built with Apple Silicon
CPUs brings dramatic performance improvements over the non-
native build that was shipped in Firefox 83: Firefox launches
over 2.5 times faster and web apps are now twice as
responsive (per the SpeedoMeter 2.0 test). If you are on a
new Apple device, follow these steps to upgrade to the latest
Firefox.
- Pinch zooming will now be supported for our users with
Windows touchscreen devices and touchpads on Mac devices.
Firefox users may now use pinch to zoom on touch-capable
devices to zoom in and out of webpages.
- We’ve improved functionality and design for a number of
Firefox search features:
* Selecting a search engine at the bottom of the search
panel now enters search mode for that engine, allowing you to
see suggestions (if available) for your search terms. The old
behavior (immediately performing a search) is available with
a shift-click.
* When Firefox autocompletes the URL of one of your search
engines, you can now search with that engine directly in the
address bar by selecting the shortcut in the address bar
results.
* We’ve added buttons at the bottom of the search panel to
allow you to search your bookmarks, open tabs, and history.
- Firefox supports AcroForm, which will allow you to fill in,
print, and save supported PDF forms and the PDF viewer also
has a new fresh look.
- For our users in the US and Canada, Firefox can now save,
manage, and auto-fill credit card information for you, making
shopping on Firefox ever more convenient.
- In addition to our default, dark and light themes, with
this release, Firefox introduces the Alpenglow theme: a
colorful appearance for buttons, menus, and windows. You can
update your Firefox themes under settings or preferences.
* Changed: Firefox no longer supports Adobe Flash. There is no
setting available to re-enable Flash support.
* Enterprise: Various bug fixes and new policies have been
implemented in the latest version of Firefox. See more
details in the Firefox for Enterprise 91 Release Notes.
MFSA 2021-33 (bsc#1188891):
* CVE-2021-29986: Race condition when resolving DNS names could have led to
memory corruption
* CVE-2021-29981: Live range splitting could have led to conflicting
assignments in the JIT
* CVE-2021-29988: Memory corruption as a result of incorrect style treatment
* CVE-2021-29983: Firefox for Android could get stuck in fullscreen mode
* CVE-2021-29984: Incorrect instruction reordering during JIT optimization
* CVE-2021-29980: Uninitialized memory in a canvas object could have led to
memory corruption
* CVE-2021-29987: Users could have been tricked into accepting unwanted
permissions on Linux
* CVE-2021-29985: Use-after-free media channels
* CVE-2021-29982: Single bit data leak due to incorrect JIT optimization and
type confusion
* CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
* CVE-2021-29990: Memory safety bugs fixed in Firefox 91
ImportantSUSE bug 1188891SUSE bug 1189547SUSE bug 1190269SUSE bug 1190274CVE-2021-29980 at SUSECVE-2021-29980 at NVDCVE-2021-29981 at SUSECVE-2021-29981 at NVDCVE-2021-29982 at SUSECVE-2021-29982 at NVDCVE-2021-29983 at SUSECVE-2021-29983 at NVDCVE-2021-29984 at SUSECVE-2021-29984 at NVDCVE-2021-29985 at SUSECVE-2021-29985 at NVDCVE-2021-29986 at SUSECVE-2021-29986 at NVDCVE-2021-29987 at SUSECVE-2021-29987 at NVDCVE-2021-29988 at SUSECVE-2021-29988 at NVDCVE-2021-29989 at SUSECVE-2021-29989 at NVDCVE-2021-29990 at SUSECVE-2021-29990 at NVDCVE-2021-29991 at SUSECVE-2021-29991 at NVDCVE-2021-38492 at SUSECVE-2021-38492 at NVDCVE-2021-38495 at SUSECVE-2021-38495 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for zsh (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for zsh fixes the following issues:
- CVE-2018-0502: Fixed execve call vulnerability to program named on the second line when the beginning of a #! script file was mishandled. (bsc#1107296, bsc#1107294)
- CVE-2018-13259: Fixed execve call vulnerability to program name that is a substring of the intended one. (bsc#1107296, bsc#1107294)
ImportantSUSE bug 1107294SUSE bug 1107296CVE-2018-0502 at SUSECVE-2018-0502 at NVDCVE-2018-13259 at SUSECVE-2018-13259 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for bind (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for bind fixes the following issues:
- CVE-2021-25220: Fixed potentially incorrect answers by cached forwarders (bsc#1197135).
ModerateSUSE bug 1197135CVE-2021-25220 at SUSECVE-2021-25220 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_144 fixes one issue.
The following security issue was fixed:
- CVE-2022-0330: A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allowed a local user to crash the system or escalate their privileges on the system. (bsc#1195950)
ImportantSUSE bug 1195950CVE-2022-0330 at SUSECVE-2022-0330 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_147 fixes one issue.
The following security issue was fixed:
- CVE-2022-0330: A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allowed a local user to crash the system or escalate their privileges on the system. (bsc#1195950)
ImportantSUSE bug 1195950CVE-2022-0330 at SUSECVE-2022-0330 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 41 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_150 fixes one issue.
The following security issue was fixed:
- CVE-2022-0330: A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allowed a local user to crash the system or escalate their privileges on the system. (bsc#1195950)
ImportantSUSE bug 1195950CVE-2022-0330 at SUSECVE-2022-0330 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 44 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_161 fixes several issues.
The following security issues were fixed:
- CVE-2022-1011: A use-after-free flaw was found in the FUSE filesystem in the way a user triggers write(). This flaw allowed a local user to gain unauthorized access to data from the FUSE filesystem, resulting in privilege escalation. (bsc#1197344)
- CVE-2021-39713: Fixed a race condition in the network scheduling subsystem which could lead to a use-after-free. (bsc#1197211)
- CVE-2021-28688: The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains. All Linux versions having the fix for XSA-365 applied are vulnerable. XSA-365 was classified to affect versions back to at least 3.11 (bsc#1182294)
ImportantSUSE bug 1182294SUSE bug 1197211SUSE bug 1197344CVE-2021-28688 at SUSECVE-2021-28688 at NVDCVE-2021-39713 at SUSECVE-2021-39713 at NVDCVE-2022-1011 at SUSECVE-2022-1011 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for e2fsprogs (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for e2fsprogs fixes the following issues:
- CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault
and possibly arbitrary code execution. (bsc#1198446)
ImportantSUSE bug 1198446CVE-2022-1304 at SUSECVE-2022-1304 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_7_1-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_7_1-ibm fixes the following issues:
- Update to Java 7.1 Service Refresh 5 Fix Pack 0
- CVE-2021-41035: before version 0.29.0, the openj9 JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods. (bsc#1194198, bsc#1192052)
- CVE-2021-35586: Excessive memory allocation in BMPImageReader. (bsc#1191914)
- CVE-2021-35564: Certificates with end dates too far in the future can corrupt keystore. (bsc#1191913)
- CVE-2021-35559: Excessive memory allocation in RTFReader. (bsc#1191911)
- CVE-2021-35556: Excessive memory allocation in RTFParser. (bsc#1191910)
- CVE-2021-35565: Loop in HttpsServer triggered during TLS session close. (bsc#1191909)
- CVE-2021-35588: Incomplete validation of inner class references in ClassFileParser. (bsc#1191905)
- CVE-2021-2341: Fixed a flaw inside the FtpClient. (bsc#1188564)
- CVE-2021-2369: JAR file handling problem containing multiple MANIFEST.MF files. (bsc#1188565)
- CVE-2021-2432: Fixed a vulnerability in the omponent JNDI. (bsc#1188568)
- CVE-2021-2163: Incomplete enforcement of JAR signing disabled algorithms. (bsc#1185055)
ModerateSUSE bug 1185055SUSE bug 1188564SUSE bug 1188565SUSE bug 1188568SUSE bug 1191905SUSE bug 1191909SUSE bug 1191910SUSE bug 1191911SUSE bug 1191913SUSE bug 1191914SUSE bug 1192052SUSE bug 1194198SUSE bug 1194232CVE-2021-2163 at SUSECVE-2021-2163 at NVDCVE-2021-2341 at SUSECVE-2021-2341 at NVDCVE-2021-2369 at SUSECVE-2021-2369 at NVDCVE-2021-2432 at SUSECVE-2021-2432 at NVDCVE-2021-35556 at SUSECVE-2021-35556 at NVDCVE-2021-35559 at SUSECVE-2021-35559 at NVDCVE-2021-35564 at SUSECVE-2021-35564 at NVDCVE-2021-35565 at SUSECVE-2021-35565 at NVDCVE-2021-35586 at SUSECVE-2021-35586 at NVDCVE-2021-35588 at SUSECVE-2021-35588 at NVDCVE-2021-41035 at SUSECVE-2021-41035 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for openldap2 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for openldap2 fixes the following issues:
- CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).
- Fixed issue with SASL init that crashed slapd at startup under certain conditions (bsc#1198383).
ImportantSUSE bug 1198383SUSE bug 1199240CVE-2022-29155 at SUSECVE-2022-29155 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for gzip (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for gzip fixes the following issues:
- CVE-2022-1271: Add hardening for zgrep. (bsc#1198062)
ImportantCVE-2022-1271 at SUSECVE-2022-1271 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for webkit2gtk3 fixes the following issues:
Update to version 2.36.0 (bsc#1198290):
- CVE-2022-22624: Fixed use after free that may lead to arbitrary code execution.
- CVE-2022-22628: Fixed use after free that may lead to arbitrary code execution.
- CVE-2022-22629: Fixed a buffer overflow that may lead to arbitrary code execution.
- CVE-2022-22637: Fixed an unexpected cross-origin behavior due to a logic error.
Missing CVE reference for the update to 2.34.6 (bsc#1196133):
- CVE-2022-22594: Fixed a cross-origin issue in the IndexDB API.
ImportantSUSE bug 1196133SUSE bug 1198290CVE-2022-22594 at SUSECVE-2022-22594 at NVDCVE-2022-22624 at SUSECVE-2022-22624 at NVDCVE-2022-22628 at SUSECVE-2022-22628 at NVDCVE-2022-22629 at SUSECVE-2022-22629 at NVDCVE-2022-22637 at SUSECVE-2022-22637 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for curl (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for curl fixes the following issues:
- CVE-2022-27781: Fixed CERTINFO never-ending busy-loop (bsc#1199223)
- CVE-2022-27782: Fixed TLS and SSH connection too eager reuse (bsc#1199224)
ImportantSUSE bug 1199223SUSE bug 1199224CVE-2022-27781 at SUSECVE-2022-27781 at NVDCVE-2022-27782 at SUSECVE-2022-27782 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for ucode-intel (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for ucode-intel fixes the following issues:
Updated to Intel CPU Microcode 20220510 release. (bsc#1199423)
Updated to Intel CPU Microcode 20220419 release. (bsc#1198717)
- CVE-2022-21151: Processor optimization removal or modification of security-critical code for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access (bsc#1199423).
ModerateSUSE bug 1198717SUSE bug 1199423CVE-2022-21151 at SUSECVE-2022-21151 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.9.0 ESR (MFSA 2022-17)(bsc#1198970):
- CVE-2022-29914: Fullscreen notification bypass using popups
- CVE-2022-29909: Bypassing permission prompt in nested browsing contexts
- CVE-2022-29916: Leaking browser history with CSS variables
- CVE-2022-29911: iframe Sandbox bypass
- CVE-2022-29912: Reader mode bypassed SameSite cookies
- CVE-2022-29917: Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9
ImportantSUSE bug 1198970CVE-2022-29909 at SUSECVE-2022-29909 at NVDCVE-2022-29911 at SUSECVE-2022-29911 at NVDCVE-2022-29912 at SUSECVE-2022-29912 at NVDCVE-2022-29914 at SUSECVE-2022-29914 at NVDCVE-2022-29916 at SUSECVE-2022-29916 at NVDCVE-2022-29917 at SUSECVE-2022-29917 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for expat (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for expat fixes the following issues:
- CVE-2021-45960: Fixed left shift in the storeAtts function in xmlparse.c that can lead to realloc misbehavior (bsc#1194251).
- CVE-2021-46143: Fixed integer overflow in m_groupSize in doProlog (bsc#1194362).
- CVE-2022-22822: Fixed integer overflow in addBinding in xmlparse.c (bsc#1194474).
- CVE-2022-22823: Fixed integer overflow in build_model in xmlparse.c (bsc#1194476).
- CVE-2022-22824: Fixed integer overflow in defineAttribute in xmlparse.c (bsc#1194477).
- CVE-2022-22825: Fixed integer overflow in lookup in xmlparse.c (bsc#1194478).
- CVE-2022-22826: Fixed integer overflow in nextScaffoldPart in xmlparse.c (bsc#1194479).
- CVE-2022-22827: Fixed integer overflow in storeAtts in xmlparse.c (bsc#1194480).
ImportantSUSE bug 1194251SUSE bug 1194362SUSE bug 1194474SUSE bug 1194476SUSE bug 1194477SUSE bug 1194478SUSE bug 1194479SUSE bug 1194480CVE-2021-45960 at SUSECVE-2021-45960 at NVDCVE-2021-46143 at SUSECVE-2021-46143 at NVDCVE-2022-22822 at SUSECVE-2022-22822 at NVDCVE-2022-22823 at SUSECVE-2022-22823 at NVDCVE-2022-22824 at SUSECVE-2022-22824 at NVDCVE-2022-22825 at SUSECVE-2022-22825 at NVDCVE-2022-22826 at SUSECVE-2022-22826 at NVDCVE-2022-22827 at SUSECVE-2022-22827 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for postgresql10 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for postgresql10 fixes the following issues:
- CVE-2022-1552: Confine additional operations within 'security restricted operation' sandboxes (bsc#1199475).
ImportantSUSE bug 1199475CVE-2022-1552 at SUSECVE-2022-1552 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.9.1 ESR - MFSA 2022-19 (bsc#1199768):
- CVE-2022-1802: Prototype pollution in Top-Level Await implementation
- CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading to prototype pollution
ImportantSUSE bug 1199768CVE-2022-1529 at SUSECVE-2022-1529 at NVDCVE-2022-1802 at SUSECVE-2022-1802 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for python-requests (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for python-requests fixes the following issues:
- CVE-2018-18074: Fixed to prevent the package to send an HTTP Authorization header to an http URI
upon receiving a same-hostname https-to-http redirect. (bsc#1111622)
ModerateSUSE bug 1111622CVE-2018-18074 at SUSECVE-2018-18074 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libxml2 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libxml2 fixes the following issues:
- CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c and tree.c (bsc#1199132).
- CVE-2017-16932: Prevent infinite recursion in parameter entities (bsc#1069689).
ImportantSUSE bug 1069689SUSE bug 1199132CVE-2017-16932 at SUSECVE-2017-16932 at NVDCVE-2022-29824 at SUSECVE-2022-29824 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for pcre2 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for pcre2 fixes the following issues:
- CVE-2022-1586: Fixed out-of-bounds read via missing Unicode property matching issue in JIT compiled regular expressions (bsc#1199232).
ImportantSUSE bug 1199232CVE-2022-1586 at SUSECVE-2022-1586 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for wpa_supplicant (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for wpa_supplicant fixes the following issues:
- CVE-2022-23303, CVE-2022-23304: Fixed SAE/EAP-pwd side-channel attacks (bsc#1194732, bsc#1194733)
- CVE-2021-0326: Fixed P2P group information processing vulnerability (bsc#1181777)
- Fix systemd device ready dependencies in wpa_supplicant@.service file. (bsc#1182805)
- Limit P2P_DEVICE name to appropriate ifname size
- Enable SAE support(jsc#SLE-14992).
- Fix wicked wlan (bsc#1156920)
- Change wpa_supplicant.service to ensure wpa_supplicant gets started before
network. Fix WLAN config on boot with wicked. (bsc#1166933)
- Adjust the service to start after network.target wrt bsc#1165266
Update to 2.9 release:
* SAE changes
- disable use of groups using Brainpool curves
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* EAP-pwd changes
- disable use of groups using Brainpool curves
- allow the set of groups to be configured (eap_pwd_groups)
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* fixed FT-EAP initial mobility domain association using PMKSA caching
(disabled by default for backwards compatibility; can be enabled
with ft_eap_pmksa_caching=1)
* fixed a regression in OpenSSL 1.1+ engine loading
* added validation of RSNE in (Re)Association Response frames
* fixed DPP bootstrapping URI parser of channel list
* extended EAP-SIM/AKA fast re-authentication to allow use with FILS
* extended ca_cert_blob to support PEM format
* improved robustness of P2P Action frame scheduling
* added support for EAP-SIM/AKA using anonymous@realm identity
* fixed Hotspot 2.0 credential selection based on roaming consortium
to ignore credentials without a specific EAP method
* added experimental support for EAP-TEAP peer (RFC 7170)
* added experimental support for EAP-TLS peer with TLS v1.3
* fixed a regression in WMM parameter configuration for a TDLS peer
* fixed a regression in operation with drivers that offload 802.1X
4-way handshake
* fixed an ECDH operation corner case with OpenSSL
* SAE changes
- added support for SAE Password Identifier
- changed default configuration to enable only groups 19, 20, 21
(i.e., disable groups 25 and 26) and disable all unsuitable groups
completely based on REVmd changes
- do not regenerate PWE unnecessarily when the AP uses the
anti-clogging token mechanisms
- fixed some association cases where both SAE and FT-SAE were enabled
on both the station and the selected AP
- started to prefer FT-SAE over SAE AKM if both are enabled
- started to prefer FT-SAE over FT-PSK if both are enabled
- fixed FT-SAE when SAE PMKSA caching is used
- reject use of unsuitable groups based on new implementation guidance
in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
groups with prime >= 256)
- minimize timing and memory use differences in PWE derivation
[https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868)
* EAP-pwd changes
- minimize timing and memory use differences in PWE derivation
[https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870)
- verify server scalar/element
[https://w1.fi/security/2019-4/] (CVE-2019-9497, CVE-2019-9498,
CVE-2019-9499, bsc#1131874, bsc#1131872, bsc#1131871, bsc#1131644)
- fix message reassembly issue with unexpected fragment
[https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640)
- enforce rand,mask generation rules more strictly
- fix a memory leak in PWE derivation
- disallow ECC groups with a prime under 256 bits (groups 25, 26, and
27)
- SAE/EAP-pwd side-channel attack update
[https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443)
* fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y
* Hotspot 2.0 changes
- do not indicate release number that is higher than the one
AP supports
- added support for release number 3
- enable PMF automatically for network profiles created from
credentials
* fixed OWE network profile saving
* fixed DPP network profile saving
* added support for RSN operating channel validation
(CONFIG_OCV=y and network profile parameter ocv=1)
* added Multi-AP backhaul STA support
* fixed build with LibreSSL
* number of MKA/MACsec fixes and extensions
* extended domain_match and domain_suffix_match to allow list of values
* fixed dNSName matching in domain_match and domain_suffix_match when
using wolfSSL
* started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both
are enabled
* extended nl80211 Connect and external authentication to support
SAE, FT-SAE, FT-EAP-SHA384
* fixed KEK2 derivation for FILS+FT
* extended client_cert file to allow loading of a chain of PEM
encoded certificates
* extended beacon reporting functionality
* extended D-Bus interface with number of new properties
* fixed a regression in FT-over-DS with mac80211-based drivers
* OpenSSL: allow systemwide policies to be overridden
* extended driver flags indication for separate 802.1X and PSK
4-way handshake offload capability
* added support for random P2P Device/Interface Address use
* extended PEAP to derive EMSK to enable use with ERP/FILS
* extended WPS to allow SAE configuration to be added automatically
for PSK (wps_cred_add_sae=1)
* removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS)
* extended domain_match and domain_suffix_match to allow list of values
* added a RSN workaround for misbehaving PMF APs that advertise
IGTK/BIP KeyID using incorrect byte order
* fixed PTK rekeying with FILS and FT
* fixed WPA packet number reuse with replayed messages and key
reinstallation
[https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078,
CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
* fixed unauthenticated EAPOL-Key decryption in wpa_supplicant
[https://w1.fi/security/2018-1/] (CVE-2018-14526)
* added support for FILS (IEEE 802.11ai) shared key authentication
* added support for OWE (Opportunistic Wireless Encryption, RFC 8110;
and transition mode defined by WFA)
* added support for DPP (Wi-Fi Device Provisioning Protocol)
* added support for RSA 3k key case with Suite B 192-bit level
* fixed Suite B PMKSA caching not to update PMKID during each 4-way
handshake
* fixed EAP-pwd pre-processing with PasswordHashHash
* added EAP-pwd client support for salted passwords
* fixed a regression in TDLS prohibited bit validation
* started to use estimated throughput to avoid undesired signal
strength based roaming decision
* MACsec/MKA:
- new macsec_linux driver interface support for the Linux
kernel macsec module
- number of fixes and extensions
* added support for external persistent storage of PMKSA cache
(PMKSA_GET/PMKSA_ADD control interface commands; and
MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case)
* fixed mesh channel configuration pri/sec switch case
* added support for beacon report
* large number of other fixes, cleanup, and extensions
* added support for randomizing local address for GAS queries
(gas_rand_mac_addr parameter)
* fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel
* added option for using random WPS UUID (auto_uuid=1)
* added SHA256-hash support for OCSP certificate matching
* fixed EAP-AKA' to add AT_KDF into Synchronization-Failure
* fixed a regression in RSN pre-authentication candidate selection
* added option to configure allowed group management cipher suites
(group_mgmt network profile parameter)
* removed all PeerKey functionality
* fixed nl80211 AP and mesh mode configuration regression with
Linux 4.15 and newer
* added ap_isolate configuration option for AP mode
* added support for nl80211 to offload 4-way handshake into the driver
* added support for using wolfSSL cryptographic library
* SAE
- added support for configuring SAE password separately of the
WPA2 PSK/passphrase
- fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection
for SAE;
note: this is not backwards compatible, i.e., both the AP and
station side implementations will need to be update at the same
time to maintain interoperability
- added support for Password Identifier
- fixed FT-SAE PMKID matching
* Hotspot 2.0
- added support for fetching of Operator Icon Metadata ANQP-element
- added support for Roaming Consortium Selection element
- added support for Terms and Conditions
- added support for OSEN connection in a shared RSN BSS
- added support for fetching Venue URL information
* added support for using OpenSSL 1.1.1
* FT
- disabled PMKSA caching with FT since it is not fully functional
- added support for SHA384 based AKM
- added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128,
BIP-GMAC-256 in addition to previously supported BIP-CMAC-128
- fixed additional IE inclusion in Reassociation Request frame when
using FT protocol
- CVE-2015-8041: Using O_WRONLY flag [http://w1.fi/security/2015-5/] ImportantSUSE bug 1131644SUSE bug 1131868SUSE bug 1131870SUSE bug 1131871SUSE bug 1131872SUSE bug 1131874SUSE bug 1133640SUSE bug 1144443SUSE bug 1156920SUSE bug 1165266SUSE bug 1166933SUSE bug 1167331SUSE bug 1182805SUSE bug 1194732SUSE bug 1194733CVE-2015-8041 at SUSECVE-2015-8041 at NVDCVE-2017-13077 at SUSECVE-2017-13077 at NVDCVE-2017-13078 at SUSECVE-2017-13078 at NVDCVE-2017-13079 at SUSECVE-2017-13079 at NVDCVE-2017-13080 at SUSECVE-2017-13080 at NVDCVE-2017-13081 at SUSECVE-2017-13081 at NVDCVE-2017-13082 at SUSECVE-2017-13082 at NVDCVE-2017-13086 at SUSECVE-2017-13086 at NVDCVE-2017-13087 at SUSECVE-2017-13087 at NVDCVE-2017-13088 at SUSECVE-2017-13088 at NVDCVE-2018-14526 at SUSECVE-2018-14526 at NVDCVE-2019-11555 at SUSECVE-2019-11555 at NVDCVE-2019-13377 at SUSECVE-2019-13377 at NVDCVE-2019-9494 at SUSECVE-2019-9494 at NVDCVE-2019-9495 at SUSECVE-2019-9495 at NVDCVE-2019-9497 at SUSECVE-2019-9497 at NVDCVE-2019-9498 at SUSECVE-2019-9498 at NVDCVE-2019-9499 at SUSECVE-2019-9499 at NVDCVE-2022-23303 at SUSECVE-2022-23303 at NVDCVE-2022-23304 at SUSECVE-2022-23304 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for postgresql14 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for postgresql14 fixes the following issues:
- CVE-2022-1552: Confine additional operations within 'security restricted operation' sandboxes (bsc#1199475).
ImportantSUSE bug 1199475CVE-2022-1552 at SUSECVE-2022-1552 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for ImageMagick (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for ImageMagick fixes the following issues:
- CVE-2022-1270: Fixed a memory corruption issue when parsing MIFF files (bsc#1198351).
- CVE-2022-28463: Fixed buffer overflow in coders/cin.c (bsc#1199350).
ImportantSUSE bug 1198351SUSE bug 1199350CVE-2022-1270 at SUSECVE-2022-1270 at NVDCVE-2022-28463 at SUSECVE-2022-28463 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for mailman (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for mailman fixes the following issues:
- CVE-2021-44227: Preventing list moderator or list member accessing the admin UI (bsc#1193316).
- CVE-2021-43332: Preventing list moderator from cracking the list admin password encrypted in a CSRF token (bsc#1192741).
- CVE-2021-43331: Fixed XSS in Cgi/options.py (bsc#1192735).
- CVE-2021-42096: Add protection against remote privilege escalation via csrf_token derived from admin password (bsc#1191959).
ImportantSUSE bug 1191959SUSE bug 1192735SUSE bug 1192741SUSE bug 1193316CVE-2021-42096 at SUSECVE-2021-42096 at NVDCVE-2021-43331 at SUSECVE-2021-43331 at NVDCVE-2021-43332 at SUSECVE-2021-43332 at NVDCVE-2021-44227 at SUSECVE-2021-44227 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for polkit (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for polkit fixes the following issues:
- CVE-2021-4034: Fixed a local privilege escalation in pkexec (bsc#1194568).
ImportantSUSE bug 1194568CVE-2021-4034 at SUSECVE-2021-4034 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for librelp (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for librelp fixes the following issues:
- CVE-2018-1000140: Fixed remote attack via specially crafted x509 certificates when connecting to rsyslog to trigger a stack buffer overflow and run arbitrary code (bsc#1086730).
ModerateSUSE bug 1086730CVE-2018-1000140 at SUSECVE-2018-1000140 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.10.0 ESR (MFSA 2022-21)(bsc#1200027)
- CVE-2022-31736: Cross-Origin resource's length leaked
- CVE-2022-31737: Heap buffer overflow in WebGL
- CVE-2022-31738: Browser window spoof using fullscreen mode
- CVE-2022-31739: Attacker-influenced path traversal when saving downloaded files
- CVE-2022-31740: Register allocation problem in WASM on arm64
- CVE-2022-31741: Uninitialized variable leads to invalid memory read
- CVE-2022-31742: Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information
- CVE-2022-31747: Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10
ImportantSUSE bug 1200027CVE-2022-31736 at SUSECVE-2022-31736 at NVDCVE-2022-31737 at SUSECVE-2022-31737 at NVDCVE-2022-31738 at SUSECVE-2022-31738 at NVDCVE-2022-31739 at SUSECVE-2022-31739 at NVDCVE-2022-31740 at SUSECVE-2022-31740 at NVDCVE-2022-31741 at SUSECVE-2022-31741 at NVDCVE-2022-31742 at SUSECVE-2022-31742 at NVDCVE-2022-31747 at SUSECVE-2022-31747 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_147 fixes several issues.
The following security issues were fixed:
- CVE-2022-1048: Fixed a race Condition in snd_pcm_hw_free leading to use-after-free due to the AB/BA lock with buffer_mutex and mmap_lock (bsc#1197597).
- CVE-2022-30594: Fixed restriction bypass on setting the PT_SUSPEND_SECCOMP flag (bnc#1199602).
- Add missing module_mutex lock to module notifier for previous live patches (bsc#1199834).
ImportantSUSE bug 1197597SUSE bug 1199602SUSE bug 1199834CVE-2022-1048 at SUSECVE-2022-1048 at NVDCVE-2022-30594 at SUSECVE-2022-30594 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 41 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_150 fixes several issues.
The following security issues were fixed:
- CVE-2022-1048: Fixed a race Condition in snd_pcm_hw_free leading to use-after-free due to the AB/BA lock with buffer_mutex and mmap_lock (bsc#1197597).
- CVE-2022-30594: Fixed restriction bypass on setting the PT_SUSPEND_SECCOMP flag (bnc#1199602).
- Add missing module_mutex lock to module notifier for previous live patches (bsc#1199834).
ImportantSUSE bug 1197597SUSE bug 1199602SUSE bug 1199834CVE-2022-1048 at SUSECVE-2022-1048 at NVDCVE-2022-30594 at SUSECVE-2022-30594 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 42 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_153 fixes several issues.
The following security issues were fixed:
- CVE-2022-1048: Fixed a race Condition in snd_pcm_hw_free leading to use-after-free due to the AB/BA lock with buffer_mutex and mmap_lock (bsc#1197597).
- CVE-2022-30594: Fixed restriction bypass on setting the PT_SUSPEND_SECCOMP flag (bnc#1199602).
- Add missing module_mutex lock to module notifier for previous live patches (bsc#1199834).
ImportantSUSE bug 1197597SUSE bug 1199602SUSE bug 1199834CVE-2022-1048 at SUSECVE-2022-1048 at NVDCVE-2022-30594 at SUSECVE-2022-30594 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 43 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_156 fixes several issues.
The following security issues were fixed:
- CVE-2022-1048: Fixed a race Condition in snd_pcm_hw_free leading to use-after-free due to the AB/BA lock with buffer_mutex and mmap_lock (bsc#1197597).
- CVE-2022-30594: Fixed restriction bypass on setting the PT_SUSPEND_SECCOMP flag (bnc#1199602).
- Add missing module_mutex lock to module notifier for previous live patches (bsc#1199834).
ImportantSUSE bug 1197597SUSE bug 1199602SUSE bug 1199834CVE-2022-1048 at SUSECVE-2022-1048 at NVDCVE-2022-30594 at SUSECVE-2022-30594 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 44 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_161 fixes several issues.
The following security issue was fixed:
- CVE-2022-30594: Fixed restriction bypass on setting the PT_SUSPEND_SECCOMP flag (bnc#1199602).
- Add missing module_mutex lock to module notifier for previous live patches (bsc#1199834).
ImportantSUSE bug 1199602SUSE bug 1199834CVE-2022-30594 at SUSECVE-2022-30594 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for strongswan (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for strongswan fixes the following issues:
- CVE-2021-45079: Fixed authentication bypass in EAP authentication. (bsc#1194471)
ImportantSUSE bug 1194471CVE-2021-45079 at SUSECVE-2021-45079 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for mozilla-nss (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for mozilla-nss fixes the following issues:
Mozilla NSS 3.68.4 (bsc#1200027)
* CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. (bmo#1767590)
ImportantSUSE bug 1200027CVE-2022-31741 at SUSECVE-2022-31741 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for grub2 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for grub2 fixes the following issues:
Security fixes and hardenings for boothole 3 / boothole 2022 (bsc#1198581)
- CVE-2021-3695: Fixed that a crafted PNG grayscale image could lead to out-of-bounds write in heap (bsc#1191184)
- CVE-2021-3696: Fixed that a crafted PNG image could lead to out-of-bound write during huffman table handling (bsc#1191185)
- CVE-2021-3697: Fixed that a crafted JPEG image could lead to buffer underflow write in the heap (bsc#1191186)
- CVE-2022-28733: Fixed fragmentation math in net/ip (bsc#1198460)
- CVE-2022-28734: Fixed an out-of-bound write for split http headers (bsc#1198493)
- CVE-2022-28736: Fixed a use-after-free in chainloader command (bsc#1198496)
- Update SBAT security contact (bsc#1193282)
- Bump grub's SBAT generation to 2
- Use boot disks in OpenFirmware, fixing regression caused when the root LV is completely in the boot LUN (bsc#1197948)
ImportantSUSE bug 1191184SUSE bug 1191185SUSE bug 1191186SUSE bug 1193282SUSE bug 1197948SUSE bug 1198460SUSE bug 1198493SUSE bug 1198496SUSE bug 1198581CVE-2021-3695 at SUSECVE-2021-3695 at NVDCVE-2021-3696 at SUSECVE-2021-3696 at NVDCVE-2021-3697 at SUSECVE-2021-3697 at NVDCVE-2022-28733 at SUSECVE-2022-28733 at NVDCVE-2022-28734 at SUSECVE-2022-28734 at NVDCVE-2022-28736 at SUSECVE-2022-28736 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for u-boot (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for u-boot fixes the following issues:
- A large buffer overflow could have lead to a denial of service in the IP Packet deframentation code.
(CVE-2022-30552, bsc#1200363)
- A Hole Descriptor Overwrite could have lead to an arbitrary out of bounds write primitive.
(CVE-2022-30790, bsc#1200364)
ImportantSUSE bug 1200363SUSE bug 1200364CVE-2022-30552 at SUSECVE-2022-30552 at NVDCVE-2022-30790 at SUSECVE-2022-30790 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
The SUSE Linux Enterprise 12 SP3 kernel was updated to 3.12.31 to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2022-21127: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-21123: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-21125: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-21180: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-21166: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-1975: Fixed a bug that allows an attacker to crash the linux kernel by simulating nfc device from user-space. (bsc#1200143)
- CVE-2022-1974: Fixed an use-after-free that could causes kernel crash by simulating an nfc device from user-space. (bsc#1200144)
- CVE-2019-19377: Fixed an user-after-free that could be triggered when an attacker mounts a crafted btrfs filesystem image. (bnc#1158266)
- CVE-2022-1729: Fixed a sys_perf_event_open() race condition against self (bsc#1199507).
- CVE-2022-1184: Fixed an use-after-free and memory errors in ext4 when mounting and operating on a corrupted image. (bsc#1198577)
- CVE-2022-21499: Reinforce the kernel lockdown feature, until now it's been trivial to break out of it with kgdb or kdb. (bsc#1199426)
- CVE-2017-13695: Fixed a bug that caused a stack dump allowing local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted ACPI table. (bnc#1055710)
- CVE-2022-1652: Fixed a statically allocated error counter inside the floppy kernel module (bsc#1199063).
- CVE-2022-1734: Fixed a r/w use-after-free when non synchronized between cleanup routine and firmware download routine. (bnc#1199605)
- CVE-2022-30594: Fixed restriction bypass on setting the PT_SUSPEND_SECCOMP flag (bnc#1199505).
- CVE-2021-28688: Fixed XSA-365 that includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains (bnc#1183646).
- CVE-2020-10769: Fixed a buffer over-read flaw in the IPsec Cryptographic algorithm's module. This flaw allowed a local attacker with user privileges to cause a denial of service. (bnc#1173265)
- CVE-2021-33061: Fixed insufficient control flow management for the Intel(R) 82599 Ethernet Controllers and Adapters that may have allowed an authenticated user to potentially enable denial of service via local access (bnc#1196426).
- CVE-2022-1516: Fixed null-ptr-deref caused by x25_disconnect (bsc#1199012).
- CVE-2021-20321: Fixed a race condition accessing file object in the OverlayFS subsystem in the way users do rename in specific way with OverlayFS. A local user could have used this flaw to crash the system (bnc#1191647).
- CVE-2018-7755: Fixed an issue in the fd_locked_ioctl function in drivers/block/floppy.c. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR (bnc#1084513).
- CVE-2022-1419: Fixed a concurrency use-after-free in vgem_gem_dumb_create (bsc#1198742).
- CVE-2021-38208: Fixed a denial of service (NULL pointer dereference and BUG) by making a getsockname call after a certain type of failure of a bind call (bnc#1187055).
- CVE-2022-1353: Fixed access controll to kernel memory in the pfkey_register function in net/key/af_key.c. (bnc#1198516)
- CVE-2018-20784: Fixed a denial of service (infinite loop in update_blocked_averages) by mishandled leaf cfs_rq in kernel/sched/fair.c (bnc#1126703).
- CVE-2021-20292: Fixed object validation prior to performing operations on the object in nouveau_sgdma_create_ttm in Nouveau DRM subsystem (bnc#1183723).
- CVE-2022-28390: Fixed a double free in drivers/net/can/usb/ems_usb.c vulnerability in the Linux kernel (bnc#1198031).
- CVE-2022-28388: Fixed a double free in drivers/net/can/usb/usb_8dev.c vulnerability in the Linux kernel (bnc#1198032).
- CVE-2022-1011: Fixed an use-after-free vulnerability which could allow a local attacker to retireve (partial) /etc/shadow hashes or any other data from filesystem when he can mount a FUSE filesystems. (bnc#1197343)
The following non-security bugs were fixed:
- btrfs: tree-checker: fix incorrect printk format (bsc#1200249).
- net: mana: Add handling of CQE_RX_TRUNCATED (bsc#1195651).
- net: mana: Remove unnecessary check of cqe_type in mana_process_rx_cqe() (bsc#1195651).
- PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time (bsc#1199314).
- powerpc/pseries: extract host bridge from pci_bus prior to bus removal (bsc#1182171 ltc#190900 bsc#1198660 ltc#197803).
- powerpc/pseries: Fix use after free in remove_phb_dynamic() (bsc#1065729 bsc#1198660 ltc#197803).
- vmbus: do not return values for uninitalized channels (bsc#1051510 bsc#1198997).
- vt: vt_ioctl: fix race in VT_RESIZEX (bsc#1199785).
- x86/hyperv: Read TSC frequency from a synthetic MSR (bsc#1198962).
- x86/speculation: Fix redundant MDS mitigation message (bsc#1199650).
ImportantSUSE bug 1051510SUSE bug 1055710SUSE bug 1065729SUSE bug 1084513SUSE bug 1087082SUSE bug 1126703SUSE bug 1158266SUSE bug 1173265SUSE bug 1182171SUSE bug 1183646SUSE bug 1183723SUSE bug 1187055SUSE bug 1191647SUSE bug 1195651SUSE bug 1196426SUSE bug 1197343SUSE bug 1198031SUSE bug 1198032SUSE bug 1198516SUSE bug 1198577SUSE bug 1198660SUSE bug 1198687SUSE bug 1198742SUSE bug 1198962SUSE bug 1198997SUSE bug 1199012SUSE bug 1199063SUSE bug 1199314SUSE bug 1199426SUSE bug 1199505SUSE bug 1199507SUSE bug 1199605SUSE bug 1199650SUSE bug 1199785SUSE bug 1200143SUSE bug 1200144SUSE bug 1200249CVE-2017-13695 at SUSECVE-2017-13695 at NVDCVE-2018-20784 at SUSECVE-2018-20784 at NVDCVE-2018-7755 at SUSECVE-2018-7755 at NVDCVE-2019-19377 at SUSECVE-2019-19377 at NVDCVE-2020-10769 at SUSECVE-2020-10769 at NVDCVE-2021-20292 at SUSECVE-2021-20292 at NVDCVE-2021-20321 at SUSECVE-2021-20321 at NVDCVE-2021-28688 at SUSECVE-2021-28688 at NVDCVE-2021-33061 at SUSECVE-2021-33061 at NVDCVE-2021-38208 at SUSECVE-2021-38208 at NVDCVE-2022-1011 at SUSECVE-2022-1011 at NVDCVE-2022-1184 at SUSECVE-2022-1184 at NVDCVE-2022-1353 at SUSECVE-2022-1353 at NVDCVE-2022-1419 at SUSECVE-2022-1419 at NVDCVE-2022-1516 at SUSECVE-2022-1516 at NVDCVE-2022-1652 at SUSECVE-2022-1652 at NVDCVE-2022-1729 at SUSECVE-2022-1729 at NVDCVE-2022-1734 at SUSECVE-2022-1734 at NVDCVE-2022-1974 at SUSECVE-2022-1974 at NVDCVE-2022-1975 at SUSECVE-2022-1975 at NVDCVE-2022-21123 at SUSECVE-2022-21123 at NVDCVE-2022-21125 at SUSECVE-2022-21125 at NVDCVE-2022-21127 at SUSECVE-2022-21127 at NVDCVE-2022-21166 at SUSECVE-2022-21166 at NVDCVE-2022-21180 at SUSECVE-2022-21180 at NVDCVE-2022-21499 at SUSECVE-2022-21499 at NVDCVE-2022-28388 at SUSECVE-2022-28388 at NVDCVE-2022-28390 at SUSECVE-2022-28390 at NVDCVE-2022-30594 at SUSECVE-2022-30594 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for webkit2gtk3 fixes the following issues:
Update to version 2.36.3 (bsc#1200106)
- CVE-2022-30293: Fixed heap-based buffer overflow in WebCore::TextureMapperLayer::setContentsLayer (bsc#1199287).
- CVE-2022-26700: Fixed memory corruption issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
- CVE-2022-26709: Fixed use after free issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
- CVE-2022-26716: Fixed use after free issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
- CVE-2022-26717: Fixed memory corruption issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
- CVE-2022-26719: Fixed memory corruption issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
ImportantSUSE bug 1199287SUSE bug 1200106CVE-2022-26700 at SUSECVE-2022-26700 at NVDCVE-2022-26709 at SUSECVE-2022-26709 at NVDCVE-2022-26716 at SUSECVE-2022-26716 at NVDCVE-2022-26717 at SUSECVE-2022-26717 at NVDCVE-2022-26719 at SUSECVE-2022-26719 at NVDCVE-2022-30293 at SUSECVE-2022-30293 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for openssl (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for openssl fixes the following issues:
- CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).
ImportantSUSE bug 1199166CVE-2022-1292 at SUSECVE-2022-1292 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for apache2 fixes the following issues:
- CVE-2022-26377: Fixed possible request smuggling in mod_proxy_ajp (bsc#1200338)
- CVE-2022-28614: Fixed read beyond bounds via ap_rwrite() (bsc#1200340)
- CVE-2022-28615: Fixed read beyond bounds in ap_strcmp_match() (bsc#1200341)
- CVE-2022-29404: Fixed denial of service in mod_lua r:parsebody (bsc#1200345)
- CVE-2022-30556: Fixed information disclosure in mod_lua with websockets (bsc#1200350)
- CVE-2022-30522: Fixed mod_sed denial of service (bsc#1200352)
- CVE-2022-31813: Fixed mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism (bsc#1200348)
ImportantSUSE bug 1200338SUSE bug 1200340SUSE bug 1200341SUSE bug 1200345SUSE bug 1200348SUSE bug 1200350SUSE bug 1200352CVE-2022-26377 at SUSECVE-2022-26377 at NVDCVE-2022-28614 at SUSECVE-2022-28614 at NVDCVE-2022-28615 at SUSECVE-2022-28615 at NVDCVE-2022-29404 at SUSECVE-2022-29404 at NVDCVE-2022-30522 at SUSECVE-2022-30522 at NVDCVE-2022-30556 at SUSECVE-2022-30556 at NVDCVE-2022-31813 at SUSECVE-2022-31813 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for log4j (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for log4j fixes the following issues:
- CVE-2022-23307: Fix deserialization issue by removing the chainsaw sub-package. (bsc#1194844)
- CVE-2022-23305: Fix SQL injection by removing src/main/java/org/apache/log4j/jdbc/JDBCAppender.java. (bsc#1194843)
- CVE-2022-23302: Fix remote code execution by removing src/main/java/org/apache/log4j/net/JMSSink.java. (bsc#1194842)
ImportantSUSE bug 1194842SUSE bug 1194843SUSE bug 1194844CVE-2022-23302 at SUSECVE-2022-23302 at NVDCVE-2022-23305 at SUSECVE-2022-23305 at NVDCVE-2022-23307 at SUSECVE-2022-23307 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for SUSE Manager Client Tools (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update fixes the following issues:
golang-github-QubitProducts-exporter_exporter:
- Adapted to build on Enterprise Linux.
- Fix build for RedHat 7
- Require Go >= 1.14 also for CentOS
- Add support for CentOS
- Replace %{?systemd_requires} with %{?systemd_ordering}
golang-github-prometheus-alertmanager:
- CVE-2022-21698: Denial of service using InstrumentHandlerCounter.
* Update vendor tarball with prometheus/client_golang 1.11.1 (bsc#1196338, jsc#SLE-24077)
- Update required Go version to 1.16
- Update to version 0.23.0:
* amtool: Detect version drift and warn users (#2672)
* Add ability to skip TLS verification for amtool (#2663)
* Fix empty isEqual in amtool. (#2668)
* Fix main tests (#2670)
* cli: add new template render command (#2538)
* OpsGenie: refer to alert instead of incident (#2609)
* Docs: target_match and source_match are DEPRECATED (#2665)
* Fix test not waiting for cluster member to be ready
- Added hardening to systemd service(s) (bsc#1181400)
golang-github-prometheus-node_exporter:
- CVE-2022-21698: Denial of service using InstrumentHandlerCounter.
* Update vendor tarball with prometheus/client_golang 1.11.1
(bsc#1196338, jsc#SLE-24238, jsc#SLE-24239)
- Update to 1.3.0
* [CHANGE] Add path label to rapl collector #2146
* [CHANGE] Exclude filesystems under /run/credentials #2157
* [CHANGE] Add TCPTimeouts to netstat default filter #2189
* [FEATURE] Add lnstat collector for metrics from /proc/net/stat/ #1771
* [FEATURE] Add darwin powersupply collector #1777
* [FEATURE] Add support for monitoring GPUs on Linux #1998
* [FEATURE] Add Darwin thermal collector #2032
* [FEATURE] Add os release collector #2094
* [FEATURE] Add netdev.address-info collector #2105
* [FEATURE] Add clocksource metrics to time collector #2197
* [ENHANCEMENT] Support glob textfile collector directories #1985
* [ENHANCEMENT] ethtool: Expose node_ethtool_info metric #2080
* [ENHANCEMENT] Use include/exclude flags for ethtool filtering #2165
* [ENHANCEMENT] Add flag to disable guest CPU metrics #2123
* [ENHANCEMENT] Add DMI collector #2131
* [ENHANCEMENT] Add threads metrics to processes collector #2164
* [ENHANCMMENT] Reduce timer GC delays in the Linux filesystem collector #2169
* [ENHANCMMENT] Add TCPTimeouts to netstat default filter #2189
* [ENHANCMMENT] Use SysctlTimeval for boottime collector on BSD #2208
* [BUGFIX] ethtool: Sanitize metric names #2093
* [BUGFIX] Fix ethtool collector for multiple interfaces #2126
* [BUGFIX] Fix possible panic on macOS #2133
* [BUGFIX] Collect flag_info and bug_info only for one core #2156
* [BUGFIX] Prevent duplicate ethtool metric names #2187
- Update to 1.2.2
* Bug fixes
Fix processes collector long int parsing #2112
- Update to 1.2.1
* Removed
Remove obsolete capture permission denied error patch that is already included upstream
Fix zoneinfo parsing prometheus/procfs#386
Fix nvme collector log noise #2091
Fix rapl collector log noise #2092
- Update to 1.2.0
* Changes
Rename filesystem collector flags to match other collectors #2012
Make node_exporter print usage to STDOUT #203
* Features
Add conntrack statistics metrics #1155
Add ethtool stats collector #1832
Add flag to ignore network speed if it is unknown #1989
Add tapestats collector for Linux #2044
Add nvme collector #2062
* Enhancements
Add ErrorLog plumbing to promhttp #1887
Add more Infiniband counters #2019
netclass: retrieve interface names and filter before parsing #2033
Add time zone offset metric #2060
Handle errors from disabled PSI subsystem #1983
Fix panic when using backwards compatible flags #2000
Fix wrong value for OpenBSD memory buffer cache #2015
Only initiate collectors once #2048
Handle small backwards jumps in CPU idle #2067
- Apply patch to capture permission denied error for 'energy_uj' file (bsc#1190535)
grafana:
- Update to version 8.3.5 (jsc#SLE-23439, jsc#SLE-23422)
+ Security:
* Fixes XSS vulnerability in handling data sources
(bsc#1195726, CVE-2022-21702)
* Fixes cross-origin request forgery vulnerability
(bsc#1195727, CVE-2022-21703)
* Fixes Insecure Direct Object Reference vulnerability in Teams
API (bsc#1195728, CVE-2022-21713)
- Update to Go 1.17.
- Add build-time dependency on `wire`.
- Update license to GNU Affero General Public License v3.0.
- Update to version 8.3.4
* GetUserInfo: return an error if no user was found
(bsc#1194873, CVE-2022-21673)
+ Features and enhancements:
* Alerting: Allow configuration of non-ready alertmanagers.
* Alerting: Allow customization of Google chat message.
* AppPlugins: Support app plugins with only default nav.
* InfluxDB: query editor: skip fields in metadata queries.
* Postgres/MySQL/MSSQL: Cancel in-flight SQL query if user
cancels query in grafana.
* Prometheus: Forward oauth tokens after prometheus datasource
migration.
+ Bug fixes:
* Azure Monitor: Bug fix for variable interpolations in metrics
dropdowns.
* Azure Monitor: Improved error messages for variable queries.
* CloudMonitoring: Fixes broken variable queries that use group
bys.
* Configuration: You can now see your expired API keys if you
have no active ones.
* Elasticsearch: Fix handling multiple datalinks for a single
field.
* Export: Fix error being thrown when exporting dashboards
using query variables that reference the default datasource.
* ImportDashboard: Fixes issue with importing dashboard and
name ending up in uid.
* Login: Page no longer overflows on mobile.
* Plugins: Set backend metadata property for core plugins.
* Prometheus: Fill missing steps with null values.
* Prometheus: Fix interpolation of $__rate_interval variable.
* Prometheus: Interpolate variables with curly brackets syntax.
* Prometheus: Respect the http-method data source setting.
* Table: Fixes issue with field config applied to wrong fields
when hiding columns.
* Toolkit: Fix bug with rootUrls not being properly parsed when
signing a private plugin.
* Variables: Fix so data source variables are added to adhoc
configuration.
+ Plugin development fixes & changes:
* Toolkit: Revert build config so tslib is bundled with plugins
to prevent plugins from crashing.
- Update to version 8.3.3:
* BarChart: Use new data error view component to show actions
in panel edit.
* CloudMonitor: Iterate over pageToken for resources.
* Macaron: Prevent WriteHeader invalid HTTP status code panic.
* AnnoListPanel: Fix interpolation of variables in tags.
* CloudWatch: Allow queries to have no dimensions specified.
* CloudWatch: Fix broken queries for users migrating from
8.2.4/8.2.5 to 8.3.0.
* CloudWatch: Make sure MatchExact flag gets the right value.
* Dashboards: Fix so that empty folders can be deleted from the
manage dashboards/folders page.
* InfluxDB: Improve handling of metadata query errors in
InfluxQL.
* Loki: Fix adding of ad hoc filters for queries with parser
and line_format expressions.
* Prometheus: Fix running of exemplar queries for non-histogram
metrics.
* Prometheus: Interpolate template variables in interval.
* StateTimeline: Fix toolitp not showing when for frames with
multiple fields.
* TraceView: Fix virtualized scrolling when trace view is
opened in right pane in Explore.
* Variables: Fix repeating panels for on time range changed
variables.
* Variables: Fix so queryparam option works for scoped
- Update to version 8.3.2
+ Security: Fixes CVE-2021-43813 and CVE-2021-43815.
- Update to version 8.3.1
+ Security: Fixes CVE-2021-43798.
- Update to version 8.3.0
* Alerting: Prevent folders from being deleted when they
contain alerts.
* Alerting: Show full preview value in tooltip.
* BarGauge: Limit title width when name is really long.
* CloudMonitoring: Avoid to escape regexps in filters.
* CloudWatch: Add support for AWS Metric Insights.
* TooltipPlugin: Remove other panels' shared tooltip in edit
panel.
* Visualizations: Limit y label width to 40% of visualization
width.
* Alerting: Clear alerting rule evaluation errors after
intermittent failures.
* Alerting: Fix refresh on legacy Alert List panel.
* Dashboard: Fix queries for panels with non-integer widths.
* Explore: Fix url update inconsistency.
* Prometheus: Fix range variables interpolation for time ranges
smaller than 1 second.
* ValueMappings: Fixes issue with regex value mapping that only
sets color.
- Update to version 8.3.0-beta2
+ Breaking changes:
* Grafana 8 Alerting enabled by default for installations that
do not use legacy alerting.
* Keep Last State for 'If execution error or timeout' when
upgrading to Grafana 8 alerting.
* Alerting: Create DatasourceError alert if evaluation returns
error.
* Alerting: Make Unified Alerting enabled by default for those
who do not use legacy alerting.
* Alerting: Support mute timings configuration through the api
for the embedded alert manager.
* CloudWatch: Add missing AWS/Events metrics.
* Docs: Add easier to find deprecation notices to certain data
sources and to the changelog.
* Plugins Catalog: Enable install controls based on the
pluginAdminEnabled flag.
* Table: Add space between values for the DefaultCell and
JSONViewCell.
* Tracing: Make query editors available in dashboard for Tempo
and Zipkin.
* AccessControl: Renamed orgs roles, removed fixed:orgs:reader
introduced in beta1.
* Azure Monitor: Add trap focus for modals in grafana/ui and
other small a11y fixes for Azure Monitor.
* CodeEditor: Prevent suggestions from being clipped.
* Dashboard: Fix cache timeout persistence.
* Datasource: Fix stable sort order of query responses.
* Explore: Fix error in query history when removing last item.
* Logs: Fix requesting of older logs when flipped order.
* Prometheus: Fix running of health check query based on access
mode.
* TextPanel: Fix suggestions for existing panels.
* Tracing: Fix incorrect indentations due to reoccurring
spanIDs.
* Tracing: Show start time of trace with milliseconds
precision.
* Variables: Make renamed or missing variable section
expandable.
* Select: Select menus now properly scroll during keyboard
navigation.
- Update to version 8.3.0-beta1
* Alerting: Add UI for contact point testing with custom
annotations and labels.
* Alerting: Make alert state indicator in panel header work
with Grafana 8 alerts.
* Alerting: Option for Discord notifier to use webhook name.
* Annotations: Deprecate AnnotationsSrv.
* Auth: Omit all base64 paddings in JWT tokens for the JWT
auth.
* Azure Monitor: Clean up fields when editing Metrics.
* AzureMonitor: Add new starter dashboards.
* AzureMonitor: Add starter dashboard for app monitoring with
Application Insights.
* Barchart/Time series: Allow x axis label.
* CLI: Improve error handling for installing plugins.
* CloudMonitoring: Migrate to use backend plugin SDK contracts.
* CloudWatch Logs: Add retry strategy for hitting max
concurrent queries.
* CloudWatch: Add AWS RoboMaker metrics and dimension.
* CloudWatch: Add AWS Transfer metrics and dimension.
* Dashboard: replace datasource name with a reference object.
* Dashboards: Show logs on time series when hovering.
* Elasticsearch: Add support for Elasticsearch 8.0 (Beta).
* Elasticsearch: Add time zone setting to Date Histogram
aggregation.
* Elasticsearch: Enable full range log volume histogram.
* Elasticsearch: Full range logs volume.
* Explore: Allow changing the graph type.
* Explore: Show ANSI colors when highlighting matched words in
the logs panel.
* Graph(old) panel: Listen to events from Time series panel.
* Import: Load gcom dashboards from URL.
* LibraryPanels: Improves export and import of library panels
between orgs.
* OAuth: Support PKCE.
* Panel edit: Overrides now highlight correctly when searching.
* PanelEdit: Display drag indicators on draggable sections.
* Plugins: Refactor Plugin Management.
* Prometheus: Add custom query parameters when creating
PromLink url.
* Prometheus: Remove limits on metrics, labels, and values in
Metrics Browser.
* StateTimeline: Share cursor with rest of the panels.
* Tempo: Add error details when json upload fails.
* Tempo: Add filtering for service graph query.
* Tempo: Add links to nodes in Service Graph pointing to
Prometheus metrics.
* Time series/Bar chart panel: Add ability to sort series via
legend.
* TimeSeries: Allow multiple axes for the same unit.
* TraceView: Allow span links defined on dataFrame.
* Transformations: Support a rows mode in labels to fields.
* ValueMappings: Don't apply field config defaults to time
fields.
* Variables: Only update panels that are impacted by variable
change.
* API: Fix dashboard quota limit for imports.
* Alerting: Fix rule editor issues with Azure Monitor data
source.
* Azure monitor: Make sure alert rule editor is not enabled
when template variables are being used.
* CloudMonitoring: Fix annotation queries.
* CodeEditor: Trigger the latest getSuggestions() passed to
CodeEditor.
* Dashboard: Remove the current panel from the list of options
in the Dashboard datasource.
* Encryption: Fix decrypting secrets in alerting migration.
* InfluxDB: Fix corner case where index is too large in ALIAS
* NavBar: Order App plugins alphabetically.
* NodeGraph: Fix zooming sensitivity on touchpads.
* Plugins: Add OAuth pass-through logic to api/ds/query
endpoint.
* Snapshots: Fix panel inspector for snapshot data.
* Tempo: Fix basic auth password reset on adding tag.
* ValueMapping: Fixes issue with regex mappings.
* grafana/ui: Enable slider marks display.
- Update to version 8.2.7
- Update to version 8.2.6
* Security: Upgrade Docker base image to Alpine 3.14.3.
* Security: Upgrade Go to 1.17.2.
* TimeSeries: Fix fillBelowTo wrongly affecting fills of
unrelated series.
- Update to version 8.2.5
* Fix No Data behaviour in Legacy Alerting.
* Alerting: Fix a bug where the metric in the evaluation string
was not correctly populated.
* Alerting: Fix no data behaviour in Legacy Alerting for alert
rules using the AND operator.
* CloudMonitoring: Ignore min and max aggregation in MQL
queries.
* Dashboards: 'Copy' is no longer added to new dashboard
titles.
* DataProxy: Fix overriding response body when response is a
WebSocket upgrade.
* Elasticsearch: Use field configured in query editor as field
for date_histogram aggregations.
* Explore: Fix running queries without a datasource property
set.
* InfluxDB: Fix numeric aliases in queries.
* Plugins: Ensure consistent plugin settings list response.
* Tempo: Fix validation of float durations.
* Tracing: Correct tags for each span are shown.
- Update to version 8.2.4
+ Security: Fixes CVE-2021-41244.
- Update to version 8.2.3
+ Security: Fixes CVE-2021-41174.
- Update to version 8.2.2
* Annotations: We have improved tag search performance.
* Application: You can now configure an error-template title.
* AzureMonitor: We removed a restriction from the resource
filter query.
* Packaging: We removed the ProcSubset option in systemd. This
option prevented Grafana from starting in LXC environments.
* Prometheus: We removed the autocomplete limit for metrics.
* Table: We improved the styling of the type icons to make them
more distinct from column / field name.
* ValueMappings: You can now use value mapping in stat, gauge,
bar gauge, and pie chart visualizations.
* Alerting: Fix panic when Slack's API sends unexpected
response.
* Alerting: The Create Alert button now appears on the
dashboard panel when you are working with a default
datasource.
* Explore: We fixed the problem where the Explore log panel
disappears when an Elasticsearch logs query returns no
results.
* Graph: You can now see annotation descriptions on hover.
* Logs: The system now uses the JSON parser only if the line is
parsed to an object.
* Prometheus: We fixed the issue where the system did not reuse
TCP connections when querying from Grafana alerting.
* Prometheus: We fixed the problem that resulted in an error
when a user created a query with a $__interval min step.
* RowsToFields: We fixed the issue where the system was not
properly interpreting number values.
* Scale: We fixed how the system handles NaN percent when data
min = data max.
* Table panel: You can now create a filter that includes
special characters.
- Update to version 8.2.1
* Dashboard: Fix rendering of repeating panels.
* Datasources: Fix deletion of data source if plugin is not
found.
* Packaging: Remove systemcallfilters sections from systemd
unit files.
* Prometheus: Add Headers to HTTP client options.
- Update to version 8.2.0
* AWS: Updated AWS authentication documentation.
* Alerting: Added support Alertmanager data source for upstream
Prometheus AM implementation.
* Alerting: Allows more characters in label names so
notifications are sent.
* Alerting: Get alert rules for a dashboard or a panel using
/api/v1/rules endpoints.
* Annotations: Improved rendering performance of event markers.
* CloudWatch Logs: Skip caching for log queries.
* Explore: Added an opt-in configuration for Node Graph in
Jaeger, Zipkin, and Tempo.
* Packaging: Add stricter systemd unit options.
* Prometheus: Metrics browser can now handle label values with
* CodeEditor: Ensure that we trigger the latest onSave callback
provided to the component.
* DashboardList/AlertList: Fix for missing All folder value.
* Plugins: Create a mock icon component to prevent console
errors.
- Update to version 8.2.0-beta2
* AccessControl: Document new permissions restricting data
source access.
* TimePicker: Add fiscal years and search to time picker.
* Alerting: Added support for Unified Alerting with Grafana HA.
* Alerting: Added support for tune rule evaluation using
configuration options.
* Alerting: Cleanups alertmanager namespace from key-value
store when disabling Grafana 8 alerts.
* Alerting: Remove ngalert feature toggle and introduce two new
settings for enabling Grafana 8 alerts and disabling them for
specific organisations.
* CloudWatch: Introduced new math expression where it is
necessary to specify the period field.
* InfluxDB: Added support for $__interval and $__interval_ms in
Flux queries for alerting.
* InfluxDB: Flux queries can use more precise start and end
timestamps with nanosecond-precision.
* Plugins Catalog: Make the catalog the default way to interact
with plugins.
* Prometheus: Removed autocomplete limit for metrics.
* Alerting: Fixed an issue where the edit page crashes if you
tried to preview an alert without a condition set.
* Alerting: Fixed rules migration to keep existing Grafana 8
alert rules.
* Alerting: Fixed the silence file content generated during
* Analytics: Fixed an issue related to interaction event
propagation in Azure Application Insights.
* BarGauge: Fixed an issue where the cell color was lit even
though there was no data.
* BarGauge: Improved handling of streaming data.
* CloudMonitoring: Fixed INT64 label unmarshal error.
* ConfirmModal: Fixes confirm button focus on modal open.
* Dashboard: Add option to generate short URL for variables
with values containing spaces.
* Explore: No longer hides errors containing refId property.
* Fixed an issue that produced State timeline panel tooltip
error when data was not in sync.
* InfluxDB: InfluxQL query editor is set to always use
resultFormat.
* Loki: Fixed creating context query for logs with parsed
labels.
* PageToolbar: Fixed alignment of titles.
* Plugins Catalog: Update to the list of available panels after
an install, update or uninstall.
* TimeSeries: Fixed an issue where the shared cursor was not
showing when hovering over in old Graph panel.
* Variables: Fixed issues related to change of focus or refresh
pages when pressing enter in a text box variable input.
* Variables: Panel no longer crash when using the adhoc
variable in data links.
- Update to version 8.2.0-beta1
* AccessControl: Introduce new permissions to restrict access
for reloading provisioning configuration.
* Alerting: Add UI to edit Cortex/Loki namespace, group names,
and group evaluation interval.
* Alerting: Add a Test button to test contact point.
* Alerting: Allow creating/editing recording rules for Loki and
Cortex.
* Alerting: Metrics should have the label org instead of user.
* Alerting: Sort notification channels by name to make them
easier to locate.
* Alerting: Support org level isolation of notification
* AzureMonitor: Add data links to deep link to Azure Portal
Azure Resource Graph.
* AzureMonitor: Add support for annotations from Azure Monitor
Metrics and Azure Resource Graph services.
* AzureMonitor: Show error message when subscriptions request
fails in ConfigEditor.
* Chore: Update to Golang 1.16.7.
* CloudWatch Logs: Add link to X-Ray data source for trace IDs
in logs.
* CloudWatch Logs: Disable query path using websockets (Live)
feature.
* CloudWatch/Logs: Don't group dataframes for non time series
* Cloudwatch: Migrate queries that use multiple stats to one
query per stat.
* Dashboard: Keep live timeseries moving left (v2).
* Datasources: Introduce response_limit for datasource
responses.
* Explore: Add filter by trace or span ID to trace to logs
* Explore: Download traces as JSON in Explore Inspector.
* Explore: Reuse Dashboard's QueryRows component.
* Explore: Support custom display label for derived fields
buttons for Loki datasource.
* Grafana UI: Update monaco-related dependencies.
* Graphite: Deprecate browser access mode.
* InfluxDB: Improve handling of intervals in alerting.
* InfluxDB: InfluxQL query editor: Handle unusual characters in
tag values better.
* Jaeger: Add ability to upload JSON file for trace data.
* LibraryElements: Enable specifying UID for new and existing
library elements.
* LibraryPanels: Remove library panel icon from the panel
header so you can no longer tell that a panel is a library
panel from the dashboard view.
* Logs panel: Scroll to the bottom on page refresh when sorting
in ascending order.
* Loki: Add fuzzy search to label browser.
* Navigation: Implement active state for items in the Sidemenu.
* Packaging: Update PID file location from /var/run to /run.
* Plugins: Add Hide OAuth Forward config option.
* Postgres/MySQL/MSSQL: Add setting to limit the maximum number
of rows processed.
* Prometheus: Add browser access mode deprecation warning.
* Prometheus: Add interpolation for built-in-time variables to
backend.
* Tempo: Add ability to upload trace data in JSON format.
* TimeSeries/XYChart: Allow grid lines visibility control in
XYChart and TimeSeries panels.
* Transformations: Convert field types to time string number or
boolean.
* Value mappings: Add regular-expression based value mapping.
* Zipkin: Add ability to upload trace JSON.
* Admin: Prevent user from deleting user's current/active
organization.
* LibraryPanels: Fix library panel getting saved in the
dashboard's folder.
* OAuth: Make generic teams URL and JMES path configurable.
* QueryEditor: Fix broken copy-paste for mouse middle-click
* Thresholds: Fix undefined color in 'Add threshold'.
* Timeseries: Add wide-to-long, and fix multi-frame output.
* TooltipPlugin: Fix behavior of Shared Crosshair when Tooltip
is set to All.
* Grafana UI: Fix TS error property css is missing in type.
- Update to version 8.1.8
- Update to version 8.1.7
* Alerting: Fix alerts with evaluation interval more than 30
seconds resolving before notification.
* Elasticsearch/Prometheus: Fix usage of proper SigV4 service
namespace.
- Update to version 8.1.6
+ Security: Fixes CVE-2021-39226.
- Update to version 8.1.5
* BarChart: Fixes panel error that happens on second refresh.
- Update to version 8.1.4
+ Features and enhancements
* Explore: Ensure logs volume bar colors match legend colors.
* LDAP: Search all DNs for users.
* Alerting: Fix notification channel migration.
* Annotations: Fix blank panels for queries with unknown data
sources.
* BarChart: Fix stale values and x axis labels.
* Graph: Make old graph panel thresholds work even if ngalert
is enabled.
* InfluxDB: Fix regex to identify / as separator.
* LibraryPanels: Fix update issues related to library panels in
rows.
* Variables: Fix variables not updating inside a Panel when the
preceding Row uses 'Repeat For'.
- Update to version 8.1.3
+ Bug fixes
* Alerting: Fix alert flapping in the internal alertmanager.
* Alerting: Fix request handler failed to convert dataframe
'results' to plugins.DataTimeSeriesSlice: input frame is not
recognized as a time series.
* Dashboard: Fix UIDs are not preserved when importing/creating
dashboards thru importing .json file.
* Dashboard: Forces panel re-render when exiting panel edit.
* Dashboard: Prevent folder from changing when navigating to
general settings.
* Docker: Force use of libcrypto1.1 and libssl1.1 versions to
fix CVE-2021-3711.
* Elasticsearch: Fix metric names for alert queries.
* Elasticsearch: Limit Histogram field parameter to numeric
values.
* Elasticsearch: Prevent pipeline aggregations to show up in
terms order by options.
* LibraryPanels: Prevent duplicate repeated panels from being
created.
* Loki: Fix ad-hoc filter in dashboard when used with parser.
* Plugins: Track signed files + add warn log for plugin assets
which are not signed.
* Postgres/MySQL/MSSQL: Fix region annotations not displayed
correctly.
* Prometheus: Fix validate selector in metrics browser.
* Security: Fix stylesheet injection vulnerability.
* Security: Fix short URL vulnerability.
- Update to version 8.1.2
* AzureMonitor: Add support for PostgreSQL and MySQL Flexible
Servers.
* Datasource: Change HTTP status code for failed datasource
health check to 400.
* Explore: Add span duration to left panel in trace viewer.
* Plugins: Use file extension allowlist when serving plugin
assets instead of checking for UNIX executable.
* Profiling: Add support for binding pprof server to custom
network interfaces.
* Search: Make search icon keyboard navigable.
* Template variables: Keyboard navigation improvements.
* Tooltip: Display ms within minute time range.
* Alerting: Fix saving LINE contact point.
* Annotations: Fix alerting annotation coloring.
* Annotations: Alert annotations are now visible in the correct
Panel.
* Auth: Hide SigV4 config UI and disable middleware when its
config flag is disabled.
* Dashboard: Prevent incorrect panel layout by comparing window
width against theme breakpoints.
* Explore: Fix showing of full log context.
* PanelEdit: Fix 'Actual' size by passing the correct panel
size to Dashboard.
* Plugins: Fix TLS datasource settings.
* Variables: Fix issue with empty drop downs on navigation.
* Variables: Fix URL util converting false into true.
* Toolkit: Fix matchMedia not found error.
- Update to version 8.1.1
* CloudWatch Logs: Fix crash when no region is selected.
- Update to version 8.1.0
* Alerting: Deduplicate receivers during migration.
* ColorPicker: Display colors as RGBA.
* Select: Make portalling the menu opt-in, but opt-in
everywhere.
* TimeRangePicker: Improve accessibility.
* Annotations: Correct annotations that are displayed upon page
refresh.
* Annotations: Fix Enabled button that disappeared from Grafana
v8.0.6.
* Annotations: Fix data source template variable that was not
available for annotations.
* AzureMonitor: Fix annotations query editor that does not
load.
* Geomap: Fix scale calculations.
* GraphNG: Fix y-axis autosizing.
* Live: Display stream rate and fix duplicate channels in list
* Loki: Update labels in log browser when time range changes in
dashboard.
* NGAlert: Send resolve signal to alertmanager on alerting ->
Normal.
* PasswordField: Prevent a password from being displayed when
you click the Enter button.
* Renderer: Remove debug.log file when Grafana is stopped.
* Security: Update dependencies to fix CVE-2021-36222.
- Update to version 8.1.0-beta3
* Alerting: Support label matcher syntax in alert rule list
filter.
* IconButton: Put tooltip text as aria-label.
* Live: Experimental HA with Redis.
* UI: FileDropzone component.
* CloudWatch: Add AWS LookoutMetrics.
* Docker: Fix builds by delaying go mod verify until all
required files are copied over.
* Exemplars: Fix disable exemplars only on the query that
failed.
* SQL: Fix SQL dataframe resampling (fill mode + time
intervals).
- Update to version 8.1.0-beta2
* Alerting: Expand the value string in alert annotations and
* Auth: Add Azure HTTP authentication middleware.
* Auth: Auth: Pass user role when using the authentication
proxy.
* Gazetteer: Update countries.json file to allow for linking to
3-letter country codes.
* Config: Fix Docker builds by correcting formatting in
sample.ini.
* Explore: Fix encoding of internal URLs.
- Update to version 8.1.0-beta1
* Alerting: Add Alertmanager notifications tab.
* Alerting: Add button to deactivate current Alertmanager
* Alerting: Add toggle in Loki/Prometheus data source
configuration to opt out of alerting UI.
* Alerting: Allow any 'evaluate for' value >=0 in the alert
rule form.
* Alerting: Load default configuration from status endpoint, if
Cortex Alertmanager returns empty user configuration.
* Alerting: view to display alert rule and its underlying data.
* Annotation panel: Release the annotation panel.
* Annotations: Add typeahead support for tags in built-in
annotations.
* AzureMonitor: Add curated dashboards for Azure services.
* AzureMonitor: Add support for deep links to Microsoft Azure
portal for Metrics.
* AzureMonitor: Remove support for different credentials for
Azure Monitor Logs.
* AzureMonitor: Support querying any Resource for Logs queries.
* Elasticsearch: Add frozen indices search support.
* Elasticsearch: Name fields after template variables values
instead of their name.
* Elasticsearch: add rate aggregation.
* Email: Allow configuration of content types for email
notifications.
* Explore: Add more meta information when line limit is hit.
* Explore: UI improvements to trace view.
* FieldOverrides: Added support to change display name in an
override field and have it be matched by a later rule.
* HTTP Client: Introduce dataproxy_max_idle_connections config
variable.
* InfluxDB: InfluxQL: adds tags to timeseries data.
* InfluxDB: InfluxQL: make measurement search case insensitive.
Legacy Alerting: Replace simplejson with a struct in webhook
notification channel.
* Legend: Updates display name for Last (not null) to just
Last*.
* Logs panel: Add option to show common labels.
* Loki: Add $__range variable.
* Loki: Add support for 'label_values(log stream selector,
label)' in templating.
* Loki: Add support for ad-hoc filtering in dashboard.
* MySQL Datasource: Add timezone parameter.
* NodeGraph: Show gradient fields in legend.
* PanelOptions: Don't mutate panel options/field config object
when updating.
* PieChart: Make pie gradient more subtle to match other
charts.
* Prometheus: Update PromQL typeahead and highlighting.
* Prometheus: interpolate variable for step field.
* Provisioning: Improve validation by validating across all
dashboard providers.
* SQL Datasources: Allow multiple string/labels columns with
time series.
* Select: Portal select menu to document.body.
* Team Sync: Add group mapping to support team sync in the
Generic OAuth provider.
* Tooltip: Make active series more noticeable.
* Tracing: Add support to configure trace to logs start and end
time.
* Transformations: Skip merge when there is only a single data
frame.
* ValueMapping: Added support for mapping text to color,
boolean values, NaN and Null. Improved UI for value mapping.
* Visualizations: Dynamically set any config (min, max, unit,
color, thresholds) from query results.
* live: Add support to handle origin without a value for the
port when matching with root_url.
* Alerting: Handle marshaling Inf values.
* AzureMonitor: Fix macro resolution for template variables.
* AzureMonitor: Fix queries with Microsoft.NetApp/../../volumes
resources.
* AzureMonitor: Request and concat subsequent resource pages.
* Bug: Fix parse duration for day.
* Datasources: Improve error handling for error messages.
* Explore: Correct the functionality of shift-enter shortcut
across all uses.
* Explore: Show all dataFrames in data tab in Inspector.
* GraphNG: Fix Tooltip mode 'All' for XYChart.
* Loki: Fix highlight of logs when using filter expressions
with backticks.
* Modal: Force modal content to overflow with scroll.
* Plugins: Ignore symlinked folders when verifying plugin
signature.
* Toolkit: Improve error messages when tasks fail.
- Update to version 8.0.7
- Update to version 8.0.6
* Alerting: Add annotation upon alert state change.
* Alerting: Allow space in label and annotation names.
* InfluxDB: Improve legend labels for InfluxDB query results.
* Alerting: Fix improper alert by changing the handling of
empty labels.
* CloudWatch/Logs: Reestablish Cloud Watch alert behavior.
* Dashboard: Avoid migration breaking on fieldConfig without
defaults field in folded panel.
* DashboardList: Fix issue not re-fetching dashboard list after
variable change.
* Database: Fix incorrect format of isolation level
configuration parameter for MySQL.
* InfluxDB: Correct tag filtering on InfluxDB data.
* Links: Fix links that caused a full page reload.
* Live: Fix HTTP error when InfluxDB metrics have an incomplete
or asymmetrical field set.
* Postgres/MySQL/MSSQL: Change time field to 'Time' for time
series queries.
* Postgres: Fix the handling of a null return value in query
* Tempo: Show hex strings instead of uints for IDs.
* TimeSeries: Improve tooltip positioning when tooltip
overflows.
* Transformations: Add 'prepare time series' transformer.
- Update to version 8.0.5
* Cloudwatch Logs: Send error down to client.
* Folders: Return 409 Conflict status when folder already
exists.
* TimeSeries: Do not show series in tooltip if it's hidden in
the viz.
* AzureMonitor: Fix issue where resource group name is missing
on the resource picker button.
* Chore: Fix AWS auth assuming role with workspace IAM.
* DashboardQueryRunner: Fixes unrestrained subscriptions being
* DateFormats: Fix reading correct setting key for
use_browser_locale.
* Links: Fix links to other apps outside Grafana when under sub
path.
* Snapshots: Fix snapshot absolute time range issue.
* Table: Fix data link color.
* Time Series: Fix X-axis time format when tick increment is
larger than a year.
* Tooltip Plugin: Prevent tooltip render if field is undefined.
- Update to version 8.0.4
* Live: Rely on app url for origin check.
* PieChart: Sort legend descending, update placeholder.
* TimeSeries panel: Do not reinitialize plot when thresholds
mode change.
* Elasticsearch: Allow case sensitive custom options in
date_histogram interval.
* Elasticsearch: Restore previous field naming strategy when
using variables.
* Explore: Fix import of queries between SQL data sources.
* InfluxDB: InfluxQL query editor: fix retention policy
handling.
* Loki: Send correct time range in template variable queries.
* TimeSeries: Preserve RegExp series overrides when migrating
from old graph panel.
- Update to version 8.0.3
* Alerting: Increase alertmanager_conf column if MySQL.
* Time series/Bar chart panel: Handle infinite numbers as nulls
when converting to plot array.
* TimeSeries: Ensure series overrides that contain color are
migrated, and migrate the previous fieldConfig when changing
the panel type.
* ValueMappings: Improve singlestat value mappings migration.
* Annotations: Fix annotation line and marker colors.
* AzureMonitor: Fix KQL template variable queries without
default workspace.
* CloudWatch/Logs: Fix missing response data for log queries.
* LibraryPanels: Fix crash in library panels list when panel
plugin is not found.
* LogsPanel: Fix performance drop when moving logs panel in
* Loki: Parse log levels when ANSI coloring is enabled.
* MSSQL: Fix issue with hidden queries still being executed.
* PanelEdit: Display the VisualizationPicker that was not
displayed if a panel has an unknown panel plugin.
* Plugins: Fix loading symbolically linked plugins.
* Prometheus: Fix issue where legend name was replaced with
name Value in stat and gauge panels.
* State Timeline: Fix crash when hovering over panel.
- Update to version 8.0.2
* Datasource: Add support for max_conns_per_host in dataproxy
settings.
* Configuration: Fix changing org preferences in FireFox.
* PieChart: Fix legend dimension limits.
* Postgres/MySQL/MSSQL: Fix panic in concurrent map writes.
* Variables: Hide default data source if missing from regex.
- Update to version 8.0.1
* Alerting/SSE: Fix 'count_non_null' reducer validation.
* Cloudwatch: Fix duplicated time series.
* Cloudwatch: Fix missing defaultRegion.
* Dashboard: Fix Dashboard init failed error on dashboards with
old singlestat panels in collapsed rows.
* Datasource: Fix storing timeout option as numeric.
* Postgres/MySQL/MSSQL: Fix annotation parsing for empty
* Postgres/MySQL/MSSQL: Numeric/non-string values are now
returned from query variables.
* Postgres: Fix an error that was thrown when the annotation
query did not return any results.
* StatPanel: Fix an issue with the appearance of the graph when
switching color mode.
* Visualizations: Fix an issue in the
Stat/BarGauge/Gauge/PieChart panels where all values mode
were showing the same name if they had the same value.
* Toolkit: Resolve external fonts when Grafana is served from a
sub path.
- Update to version 8.0.0
* The following endpoints were deprecated for Grafana v5.0 and
support for them has now been removed:
GET /dashboards/db/:slug
GET /dashboard-solo/db/:slug
GET /api/dashboard/db/:slug
DELETE /api/dashboards/db/:slug
* AzureMonitor: Require default subscription for workspaces()
template variable query.
* AzureMonitor: Use resource type display names in the UI.
* Dashboard: Remove support for loading and deleting dashboard
by slug.
* InfluxDB: Deprecate direct browser access in data source.
* VizLegend: Add a read-only property.
* AzureMonitor: Fix Azure Resource Graph queries in Azure
China.
* Checkbox: Fix vertical layout issue with checkboxes due to
fixed height.
* Dashboard: Fix Table view when editing causes the panel data
to not update.
* Dashboard: Fix issues where unsaved-changes warning is not
displayed.
* Login: Fixes Unauthorized message showing when on login page
or snapshot page.
* NodeGraph: Fix sorting markers in grid view.
* Short URL: Include orgId in generated short URLs.
* Variables: Support raw values of boolean type.
- Update to version 8.0.0-beta3
* The default HTTP method for Prometheus data source is now
POST.
* API: Support folder UID in dashboards API.
* Alerting: Add support for configuring avatar URL for the
Discord notifier.
* Alerting: Clarify that Threema Gateway Alerts support only
Basic IDs.
* Azure: Expose Azure settings to external plugins.
* AzureMonitor: Deprecate using separate credentials for Azure
Monitor Logs.
* AzureMonitor: Display variables in resource picker for Azure
* AzureMonitor: Hide application insights for data sources not
using it.
* AzureMonitor: Support querying subscriptions and resource
groups in Azure Monitor Logs.
* AzureMonitor: remove requirement for default subscription.
* CloudWatch: Add Lambda@Edge Amazon CloudFront metrics.
* CloudWatch: Add missing AWS AppSync metrics.
* ConfirmModal: Auto focus delete button.
* Explore: Add caching for queries that are run from logs
* Loki: Add formatting for annotations.
* Loki: Bring back processed bytes as meta information.
* NodeGraph: Display node graph collapsed by default with trace
view.
* Overrides: Include a manual override option to hide something
from visualization.
* PieChart: Support row data in pie charts.
* Prometheus: Update default HTTP method to POST for existing
data sources.
* Time series panel: Position tooltip correctly when window is
scrolled or resized.
* Admin: Fix infinite loading edit on the profile page.
* Color: Fix issues with random colors in string and date
* Dashboard: Fix issue with title or folder change has no
effect after exiting settings view.
* DataLinks: Fix an issue __series.name is not working in data
link.
* Datasource: Fix dataproxy timeout should always be applied
for outgoing data source HTTP requests.
* Elasticsearch: Fix NewClient not passing httpClientProvider
to client impl.
* Explore: Fix Browser title not updated on Navigation to
Explore.
* GraphNG: Remove fieldName and hideInLegend properties from
UPlotSeriesBuilder.
* OAuth: Fix fallback to auto_assign_org_role setting for Azure
AD OAuth when no role claims exists.
* PanelChrome: Fix issue with empty panel after adding a non
data panel and coming back from panel edit.
* StatPanel: Fix data link tooltip not showing for single
value.
* Table: Fix sorting for number fields.
* Table: Have text underline for datalink, and add support for
image datalink.
* Transformations: Prevent FilterByValue transform from
crashing panel edit.
- Update to version 8.0.0-beta2
* AppPlugins: Expose react-router to apps.
* AzureMonitor: Add Azure Resource Graph.
* AzureMonitor: Managed Identity configuration UI.
* AzureMonitor: Token provider with support for Managed
Identities.
* AzureMonitor: Update Logs workspace() template variable query
to return resource URIs.
* BarChart: Value label sizing.
* CloudMonitoring: Add support for preprocessing.
* CloudWatch: Add AWS/EFS StorageBytes metric.
* CloudWatch: Allow use of missing AWS namespaces using custom
* Datasource: Shared HTTP client provider for core backend data
sources and any data source using the data source proxy.
* InfluxDB: InfluxQL: allow empty tag values in the query
editor.
* Instrumentation: Instrument incoming HTTP request with
histograms by default.
* Library Panels: Add name endpoint & unique name validation to
AddLibraryPanelModal.
* Logs panel: Support details view.
* PieChart: Always show the calculation options dropdown in the
* PieChart: Remove beta flag.
* Plugins: Enforce signing for all plugins.
* Plugins: Remove support for deprecated backend plugin
protocol version.
* Tempo/Jaeger: Add better display name to legend.
* Timeline: Add time range zoom.
* Timeline: Adds opacity & line width option.
* Timeline: Value text alignment option.
* ValueMappings: Add duplicate action, and disable dismiss on
backdrop click.
* Zipkin: Add node graph view to trace response.
* Annotations panel: Remove subpath from dashboard links.
* Content Security Policy: Allow all image sources by default.
* Content Security Policy: Relax default template wrt. loading
of scripts, due to nonces not working.
* Datasource: Fix tracing propagation for alert execution by
introducing HTTP client outgoing tracing middleware.
* InfluxDB: InfluxQL always apply time interval end.
* Library Panels: Fixes 'error while loading library panels'.
* NewsPanel: Fixes rendering issue in Safari.
* PanelChrome: Fix queries being issued again when scrolling in
and out of view.
* Plugins: Fix Azure token provider cache panic and auth param
nil value.
* Snapshots: Fix key and deleteKey being ignored when creating
an external snapshot.
* Table: Fix issue with cell border not showing with colored
background cells.
* Table: Makes tooltip scrollable for long JSON values.
* TimeSeries: Fix for Connected null values threshold toggle
during panel editing.
* Variables: Fixes inconsistent selected states on dashboard
* Variables: Refreshes all panels even if panel is full screen.
* QueryField: Remove carriage return character from pasted text.
- Update to version 8.0.0-beta1
+ License update:
* AGPL License: Update license from Apache 2.0 to the GNU
Affero General Public License (AGPL).
* Removes the never refresh option for Query variables.
* Removes the experimental Tags feature for Variables.
+ Deprecations:
* The InfoBox & FeatureInfoBox are now deprecated please use
the Alert component instead with severity info.
* API: Add org users with pagination.
* API: Return 404 when deleting nonexistent API key.
* API: Return query results as JSON rather than base64 encoded
Arrow.
* Alerting: Allow sending notification tags to Opsgenie as
extra properties.
* Alerts: Replaces all uses of InfoBox & FeatureInfoBox with
Alert.
* Auth: Add support for JWT Authentication.
* AzureMonitor: Add support for
Microsoft.SignalRService/SignalR metrics.
* AzureMonitor: Azure settings in Grafana server config.
* AzureMonitor: Migrate Metrics query editor to React.
* BarChart panel: enable series toggling via legend.
* BarChart panel: Adds support for Tooltip in BarChartPanel.
* PieChart panel: Change look of highlighted pie slices.
* CloudMonitoring: Migrate config editor from angular to react.
* CloudWatch: Add Amplify Console metrics and dimensions.
* CloudWatch: Add missing Redshift metrics to CloudWatch data
* CloudWatch: Add metrics for managed RabbitMQ service.
* DashboardList: Enable templating on search tag input.
* Datasource config: correctly remove single custom http
header.
* Elasticsearch: Add generic support for template variables.
* Elasticsearch: Allow omitting field when metric supports
inline script.
* Elasticsearch: Allow setting a custom limit for log queries.
* Elasticsearch: Guess field type from first non-empty value.
* Elasticsearch: Use application/x-ndjson content type for
multisearch requests.
* Elasticsearch: Use semver strings to identify ES version.
* Explore: Add logs navigation to request more logs.
* Explore: Map Graphite queries to Loki.
* Explore: Scroll split panes in Explore independently.
* Explore: Wrap each panel in separate error boundary.
* FieldDisplay: Smarter naming of stat values when visualising
row values (all values) in stat panels.
* Graphite: Expand metric names for variables.
* Graphite: Handle unknown Graphite functions without breaking
the visual editor.
* Graphite: Show graphite functions descriptions.
* Graphite: Support request cancellation properly (Uses new
backendSrv.fetch Observable request API).
* InfluxDB: Flux: Improve handling of complex
response-structures.
* InfluxDB: Support region annotations.
* Inspector: Download logs for manual processing.
* Jaeger: Add node graph view for trace.
* Jaeger: Search traces.
* Loki: Use data source settings for alerting queries.
* NodeGraph: Exploration mode.
* OAuth: Add support for empty scopes.
* PanelChrome: New logic-less emotion based component with no
dependency on PanelModel or DashboardModel.
* PanelEdit: Adds a table view toggle to quickly view data in
table form.
* PanelEdit: Highlight matched words when searching options.
* PanelEdit: UX improvements.
* Plugins: PanelRenderer and simplified QueryRunner to be used
from plugins.
* Plugins: AuthType in route configuration and params
interpolation.
* Plugins: Enable plugin runtime install/uninstall
capabilities.
* Plugins: Support set body content in plugin routes.
* Plugins: Introduce marketplace app.
* Plugins: Moving the DataSourcePicker to grafana/runtime so it
can be reused in plugins.
* Prometheus: Add custom query params for alert and exemplars
* Prometheus: Use fuzzy string matching to autocomplete metric
names and label.
* Routing: Replace Angular routing with react-router.
* Slack: Use chat.postMessage API by default.
* Tempo: Search for Traces by querying Loki directly from
Tempo.
* Tempo: Show graph view of the trace.
* Themes: Switch theme without reload using global shortcut.
* TimeSeries panel: Add support for shared cursor.
* TimeSeries panel: Do not crash the panel if there is no time
series data in the response.
* Variables: Do not save repeated panels, rows and scopedVars.
* Variables: Removes experimental Tags feature.
* Variables: Removes the never refresh option.
* Visualizations: Unify tooltip options across visualizations.
* Visualizations: Refactor and unify option creation between
new visualizations.
* Visualizations: Remove singlestat panel.
* APIKeys: Fixes issue with adding first api key.
* Alerting: Add checks for non supported units - disable
defaulting to seconds.
* Alerting: Fix issue where Slack notifications won't link to
user IDs.
* Alerting: Omit empty message in PagerDuty notifier.
* AzureMonitor: Fix migration error from older versions of App
Insights queries.
* CloudWatch: Fix AWS/Connect dimensions.
* CloudWatch: Fix broken AWS/MediaTailor dimension name.
* Dashboards: Allow string manipulation as advanced variable
format option.
* DataLinks: Includes harmless extended characters like
Cyrillic characters.
* Drawer: Fixes title overflowing its container.
* Explore: Fix issue when some query errors were not shown.
* Generic OAuth: Prevent adding duplicated users.
* Graphite: Handle invalid annotations.
* Graphite: Fix autocomplete when tags are not available.
* InfluxDB: Fix Cannot read property 'length' of undefined in
when parsing response.
* Instrumentation: Enable tracing when Jaeger host and port are
* Instrumentation: Prefix metrics with grafana.
* MSSQL: By default let driver choose port.
* OAuth: Add optional strict parsing of role_attribute_path.
* Panel: Fixes description markdown with inline code being
rendered on newlines and full width.
* PanelChrome: Ignore data updates & errors for non data
panels.
* Permissions: Fix inherited folder permissions can prevent new
permissions being added to a dashboard.
* Plugins: Remove pre-existing plugin installs when installing
with grafana-cli.
* Plugins: Support installing to folders with whitespace and
fix pluginUrl trailing and leading whitespace failures.
* Postgres/MySQL/MSSQL: Don't return connection failure details
to the client.
* Postgres: Fix ms precision of interval in time group macro
when TimescaleDB is enabled.
* Provisioning: Use dashboard checksum field as change
indicator.
* SQL: Fix so that all captured errors are returned from sql
engine.
* Shortcuts: Fixes panel shortcuts so they always work.
* Table: Fixes so border is visible for cells with links.
* Variables: Clear query when data source type changes.
* Variables: Filters out builtin variables from unknown list.
* Button: Introduce buttonStyle prop.
* DataQueryRequest: Remove deprecated props showingGraph and
showingTabel and exploreMode.
* grafana/ui: Update React Hook Form to v7.
* IconButton: Introduce variant for red and blue icon buttons.
* Plugins: Expose the getTimeZone function to be able to get
the current selected timeZone.
* TagsInput: Add className to TagsInput.
* VizLegend: Move onSeriesColorChanged to PanelContext
(breaking change).
- Update to version 7.5.13
* Alerting: Fix NoDataFound for alert rules using AND operator.
mgr-cfg:
- Version 4.3.6-1
* Corrected source URL in spec file
* Fix installation problem for SLE15SP4 due missing python-selinux
* Fix python selinux package name depending on build target (bsc#1193600)
* Do not build python 2 package for SLE15SP4 and higher
* Remove unused legacy code
mgr-custom-info:
- Version 4.3.3-1
* Remove unused legacy code
mgr-daemon:
- Version 4.3.4-1
* Corrected source URLs in spec file
* Update translation strings
mgr-osad:
- Version 4.3.6-1
* Corrected source URL in spec file.
* Do not build python 2 package for SLE15SP4 and higher
* Removed spacewalk-selinux dependencies.
* Updated source url.
mgr-push:
- Version 4.3.4-1
* Corrected source URLs in spec file
mgr-virtualization:
- Version 4.3.5-1
* Corrected source URLs in spec file.
* Do not build python 2 package for SLE15SP4 and higher
prometheus-blackbox_exporter:
- Enhanced to build on Enterprise Linux 8
prometheus-postgres_exporter:
- Updated for RHEL8.
python-hwdata:
- Require python macros for building
rhnlib:
- Version 4.3.4-1
* Reorganize python files
spacecmd:
- Version 4.3.11-1
* on full system update call schedulePackageUpdate API (bsc#1197507)
* parse boolean paramaters correctly (bsc#1197689)
* Add parameter to set containerized proxy SSH port
* Add proxy config generation subcommand
* Option 'org_createfirst' added to perform initial organization and user creation
* Added gettext build requirement for RHEL.
* Removed RHEL 5 references.
* Include group formulas configuration in spacecmd group_backup and
spacecmd group_restore. This changes backup format to json,
previously used plain text is still supported for reading (bsc#1190462)
* Update translation strings
* Improved event history listing and added new system_eventdetails
command to retrieve the details of an event
* Make schedule_deletearchived to get all actions without display limit
* Allow passing a date limit for schedule_deletearchived on spacecmd (bsc#1181223)
spacewalk-client-tools:
- Version 4.3.9-1
* Corrected source URLs in spec file.
* do not build python 2 package for SLE15
* Remove unused legacy code
* Update translation strings
spacewalk-koan:
- Version 4.3.5-1
* Corrected source URLs in spec file.
spacewalk-oscap:
- Version 4.3.5-1
* Corrected source URLs in spec file.
* Do not build python 2 package for SLE15SP4 and higher
spacewalk-remote-utils:
- Version 4.3.3-1
* Adapt the package for changes in rhnlib
supportutils-plugin-susemanager-client:
- Version 4.3.2-1
* Add proxy containers config and logs
suseRegisterInfo:
- Version 4.3.3-1
* Bump version to 4.3.0
supportutils-plugin-salt:
- Add support for Salt Bundle
uyuni-common-libs:
- Version 4.3.4-1
* implement more decompression algorithms for reposync (bsc#1196704)
* Reorganize python files
* Add decompression of zck files to fileutils
ImportantSUSE bug 1181223SUSE bug 1181400SUSE bug 1190462SUSE bug 1190535SUSE bug 1193600SUSE bug 1194873SUSE bug 1195726SUSE bug 1195727SUSE bug 1195728SUSE bug 1196338SUSE bug 1196704SUSE bug 1197507SUSE bug 1197689CVE-2021-36222 at SUSECVE-2021-36222 at NVDCVE-2021-3711 at SUSECVE-2021-3711 at NVDCVE-2021-39226 at SUSECVE-2021-39226 at NVDCVE-2021-41174 at SUSECVE-2021-41174 at NVDCVE-2021-41244 at SUSECVE-2021-41244 at NVDCVE-2021-43798 at SUSECVE-2021-43798 at NVDCVE-2021-43813 at SUSECVE-2021-43813 at NVDCVE-2021-43815 at SUSECVE-2021-43815 at NVDCVE-2022-21673 at SUSECVE-2022-21673 at NVDCVE-2022-21698 at SUSECVE-2022-21698 at NVDCVE-2022-21702 at SUSECVE-2022-21702 at NVDCVE-2022-21703 at SUSECVE-2022-21703 at NVDCVE-2022-21713 at SUSECVE-2022-21713 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for fwupdate (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update of fwupdate fixes the following issue:
- rebuild with new secure boot key due to grub2 boothole 3 issues (bsc#1198581)
ImportantSUSE bug 1198581cpe:/o:suse:sles-espos:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for python3 fixes the following issues:
- CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511).
ImportantSUSE bug 1070738SUSE bug 1198511SUSE bug 1199441CVE-2015-20107 at SUSECVE-2015-20107 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for openssl fixes the following issues:
- CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)
ModerateSUSE bug 1200550CVE-2022-2068 at SUSECVE-2022-2068 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for oracleasm (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update of oracleasm fixes the following issue:
- rebuild with new secure boot key due to grub2 boothole 3 issues (bsc#1198581)
ImportantSUSE bug 1198581cpe:/o:suse:sles-espos:12:sp3Security update for python (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for python fixes the following issues:
- CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511).
ImportantSUSE bug 1198511CVE-2015-20107 at SUSECVE-2015-20107 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for sysstat (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for sysstat fixes the following issues:
Security issue fixed:
- CVE-2019-19725: Fixed double free in check_file_actlst in sa_common.c (bsc#1159104).
Bug fixes:
- Enable log information of starting/stoping services. (bsc#1144923, jsc#SLE-5958)
ModerateSUSE bug 1144923SUSE bug 1159104CVE-2019-19725 at SUSECVE-2019-19725 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for dpdk (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update of dpdk fixes the following issue:
- rebuild with new secure boot key due to grub2 boothole 3 issues (bsc#1198581)
ImportantSUSE bug 1198581cpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_147 fixes one issue.
The following security issue was fixed:
- CVE-2022-1734: Fixed a r/w use-after-free when non synchronized between cleanup routine and firmware download routine. (bnc#1199605)
ImportantSUSE bug 1199606CVE-2022-1734 at SUSECVE-2022-1734 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 41 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_150 fixes one issue.
The following security issue was fixed:
- CVE-2022-1734: Fixed a r/w use-after-free when non synchronized between cleanup routine and firmware download routine. (bnc#1199605)
ImportantSUSE bug 1199606CVE-2022-1734 at SUSECVE-2022-1734 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 42 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_153 fixes one issue.
The following security issue was fixed:
- CVE-2022-1734: Fixed a r/w use-after-free when non synchronized between cleanup routine and firmware download routine. (bnc#1199605)
ImportantSUSE bug 1199606CVE-2022-1734 at SUSECVE-2022-1734 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 43 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_156 fixes one issue.
The following security issue was fixed:
- CVE-2022-1734: Fixed a r/w use-after-free when non synchronized between cleanup routine and firmware download routine. (bnc#1199605)
ImportantSUSE bug 1199606CVE-2022-1734 at SUSECVE-2022-1734 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 44 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_161 fixes one issue.
The following security issue was fixed:
- CVE-2022-1734: Fixed a r/w use-after-free when non synchronized between cleanup routine and firmware download routine. (bnc#1199605)
ImportantSUSE bug 1199606CVE-2022-1734 at SUSECVE-2022-1734 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 45 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_164 fixes one issue.
The following security issue was fixed:
- CVE-2021-39713: Fixed a race condition in the network scheduling subsystem which could lead to a use-after-free. (bnc#1196973)
ImportantSUSE bug 1197211CVE-2021-39713 at SUSECVE-2021-39713 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
Update to Firefox Extended Support Release 91.11.0 ESR (MFSA 2022-25) (bsc#1200793):
- CVE-2022-2200: Undesired attributes could be set as part of prototype pollution (bmo#1771381)
- CVE-2022-31744: CSP bypass enabling stylesheet injection (bmo#1757604)
- CVE-2022-34468: CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI (bmo#1768537)
- CVE-2022-34470: Use-after-free in nsSHistory (bmo#1765951)
- CVE-2022-34472: Unavailable PAC file resulted in OCSP requests being blocked (bmo#1770123)
- CVE-2022-34478: Microsoft protocols can be attacked if a user accepts a prompt (bmo#1773717)
- CVE-2022-34479: A popup window could be resized in a way to overlay the address bar with web content (bmo#1745595)
- CVE-2022-34481: Potential integer overflow in ReplaceElementsAt (bmo#1497246)
- CVE-2022-34484: Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11 (bmo#1763634, bmo#1772651)
ImportantSUSE bug 1200793CVE-2022-2200 at SUSECVE-2022-2200 at NVDCVE-2022-31744 at SUSECVE-2022-31744 at NVDCVE-2022-34468 at SUSECVE-2022-34468 at NVDCVE-2022-34470 at SUSECVE-2022-34470 at NVDCVE-2022-34472 at SUSECVE-2022-34472 at NVDCVE-2022-34478 at SUSECVE-2022-34478 at NVDCVE-2022-34479 at SUSECVE-2022-34479 at NVDCVE-2022-34481 at SUSECVE-2022-34481 at NVDCVE-2022-34484 at SUSECVE-2022-34484 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for rsyslog (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for rsyslog fixes the following issues:
- CVE-2022-24903: fix potential heap buffer overflow in modules for TCP syslog reception (bsc#1199061)
ImportantSUSE bug 1199061CVE-2022-24903 at SUSECVE-2022-24903 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for pcre (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for pcre fixes the following issues:
- CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)
ImportantSUSE bug 1199232CVE-2022-1586 at SUSECVE-2022-1586 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for samba (Critical)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for samba fixes the following issues:
- CVE-2021-44142: Fixed out-of-Bound Read/Write on Samba vfs_fruit module. (bsc#1194859)
CriticalSUSE bug 1194859CVE-2021-44142 at SUSECVE-2021-44142 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for net-snmp (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for net-snmp fixes the following issues:
- CVE-2020-15862: Make extended MIB read-only (bsc#1174961)
ImportantSUSE bug 1100146SUSE bug 1145864SUSE bug 1152968SUSE bug 1174961SUSE bug 1178021SUSE bug 1178351SUSE bug 1179009SUSE bug 1179699SUSE bug 1184839CVE-2020-15862 at SUSECVE-2020-15862 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_138 fixes several issues.
The following security issues were fixed:
- CVE-2018-25020: Fixed an issue in the BPF subsystem in the Linux kernel mishandled situations with a long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions, leading to an overflow. (bsc#1193575)
- CVE-2020-3702: Fixed a bug which could be triggered with specifically timed and handcrafted traffic and cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure. (bsc#1191193)
- CVE-2020-25670, CVE-2020-25671, CVE-2020-25672, CVE-2020-25673, CVE-2021-23134: Fixed multiple bugs in NFC subsytem (bsc#1178181, bsc#1186060).
- CVE-2019-0136: Fixed an insufficient access control which allow an unauthenticated user to execute a denial of service. (bsc#1193157)
- CVE-2021-42739: The firewire subsystem had a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandled bounds checking (bsc#1184673).
ImportantSUSE bug 1186061SUSE bug 1191529SUSE bug 1192036SUSE bug 1193161SUSE bug 1193863SUSE bug 1194680CVE-2018-25020 at SUSECVE-2018-25020 at NVDCVE-2019-0136 at SUSECVE-2019-0136 at NVDCVE-2020-25670 at SUSECVE-2020-25670 at NVDCVE-2020-25671 at SUSECVE-2020-25671 at NVDCVE-2020-25672 at SUSECVE-2020-25672 at NVDCVE-2020-25673 at SUSECVE-2020-25673 at NVDCVE-2020-3702 at SUSECVE-2020-3702 at NVDCVE-2021-23134 at SUSECVE-2021-23134 at NVDCVE-2021-42739 at SUSECVE-2021-42739 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_141 fixes several issues.
The following security issues were fixed:
- CVE-2018-25020: Fixed an issue in the BPF subsystem in the Linux kernel mishandled situations with a long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions, leading to an overflow. (bsc#1193575)
- CVE-2020-3702: Fixed a bug which could be triggered with specifically timed and handcrafted traffic and cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure. (bsc#1191193)
- CVE-2020-25670, CVE-2020-25671, CVE-2020-25672, CVE-2020-25673, CVE-2021-23134: Fixed multiple bugs in NFC subsytem (bsc#1178181, bsc#1186060).
- CVE-2019-0136: Fixed an insufficient access control which allow an unauthenticated user to execute a denial of service. (bsc#1193157)
- CVE-2021-42739: The firewire subsystem had a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandled bounds checking (bsc#1184673).
ImportantSUSE bug 1186061SUSE bug 1191529SUSE bug 1192036SUSE bug 1193161SUSE bug 1193863SUSE bug 1194680CVE-2018-25020 at SUSECVE-2018-25020 at NVDCVE-2019-0136 at SUSECVE-2019-0136 at NVDCVE-2020-25670 at SUSECVE-2020-25670 at NVDCVE-2020-25671 at SUSECVE-2020-25671 at NVDCVE-2020-25672 at SUSECVE-2020-25672 at NVDCVE-2020-25673 at SUSECVE-2020-25673 at NVDCVE-2020-3702 at SUSECVE-2020-3702 at NVDCVE-2021-23134 at SUSECVE-2021-23134 at NVDCVE-2021-42739 at SUSECVE-2021-42739 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_144 fixes several issues.
The following security issues were fixed:
- CVE-2018-25020: Fixed an issue in the BPF subsystem in the Linux kernel mishandled situations with a long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions, leading to an overflow. (bsc#1193575)
- CVE-2020-3702: Fixed a bug which could be triggered with specifically timed and handcrafted traffic and cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure. (bsc#1191193)
- CVE-2021-23134: Fixed a use After Free vulnerability in nfc sockets which allows local attackers to elevate their privileges. (bsc#1186060)
- CVE-2019-0136: Fixed an insufficient access control which allow an unauthenticated user to execute a denial of service. (bsc#1193157)
- CVE-2021-42739: The firewire subsystem had a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandled bounds checking (bsc#1184673).
ImportantSUSE bug 1186061SUSE bug 1191529SUSE bug 1192036SUSE bug 1193161SUSE bug 1193863CVE-2018-25020 at SUSECVE-2018-25020 at NVDCVE-2019-0136 at SUSECVE-2019-0136 at NVDCVE-2020-3702 at SUSECVE-2020-3702 at NVDCVE-2021-23134 at SUSECVE-2021-23134 at NVDCVE-2021-42739 at SUSECVE-2021-42739 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_147 fixes several issues.
The following security issues were fixed:
- CVE-2018-25020: Fixed an issue in the BPF subsystem in the Linux kernel mishandled situations with a long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions, leading to an overflow. (bsc#1193575)
- CVE-2020-3702: Fixed a bug which could be triggered with specifically timed and handcrafted traffic and cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure. (bsc#1191193)
- CVE-2019-0136: Fixed an insufficient access control which allow an unauthenticated user to execute a denial of service. (bsc#1193157)
- CVE-2021-42739: The firewire subsystem had a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandled bounds checking (bsc#1184673).
ImportantSUSE bug 1191529SUSE bug 1192036SUSE bug 1193161SUSE bug 1193863CVE-2018-25020 at SUSECVE-2018-25020 at NVDCVE-2019-0136 at SUSECVE-2019-0136 at NVDCVE-2020-3702 at SUSECVE-2020-3702 at NVDCVE-2021-42739 at SUSECVE-2021-42739 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 41 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_150 fixes several issues.
The following security issues were fixed:
- CVE-2018-25020: Fixed an issue in the BPF subsystem in the Linux kernel mishandled situations with a long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions, leading to an overflow. (bsc#1193575)
- CVE-2019-0136: Fixed an insufficient access control which allow an unauthenticated user to execute a denial of service. (bsc#1193157)
ImportantSUSE bug 1193161SUSE bug 1193863CVE-2018-25020 at SUSECVE-2018-25020 at NVDCVE-2019-0136 at SUSECVE-2019-0136 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libsndfile (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libsndfile fixes the following issues:
- CVE-2021-4156: Fixed heap buffer overflow in flac_buffer_copy that
could potentially lead to heap exploitation (bsc#1194006).
ImportantSUSE bug 1194006CVE-2021-4156 at SUSECVE-2021-4156 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for clamav (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for clamav fixes the following issues:
- CVE-2022-20698: Fixed invalid pointer read allowing denial of service crash. (bsc#1194731)
ImportantSUSE bug 1194731CVE-2022-20698 at SUSECVE-2022-20698 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for xen fixes the following issues:
- CVE-2022-23034: Fixed possible DoS by a PV guest Xen while unmapping a grant. (XSA-394) (bsc#1194581)
- CVE-2022-23035: Fixed insufficient cleanup of passed-through device IRQs. (XSA-395) (bsc#1194588)
ImportantSUSE bug 1194581SUSE bug 1194588CVE-2022-23034 at SUSECVE-2022-23034 at NVDCVE-2022-23035 at SUSECVE-2022-23035 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
The SUSE Linux Enterprise 12 SP3 LTSS kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2018-25020: Fixed an overflow in the BPF subsystem due to a mishandling of a long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions. This affects kernel/bpf/core.c and net/core/filter.c (bnc#1193575).
- CVE-2019-0136: Fixed insufficient access control in the Intel(R) PROSet/Wireless WiFi Software driver that may have allowed an unauthenticated user to potentially enable denial of service via adjacent access (bnc#1193157).
- CVE-2020-35519: Fixed out-of-bounds memory access in x25_bind in net/x25/af_x25.c. A bounds check failure allowed a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information (bnc#1183696).
- CVE-2021-0935: Fixed possible out of bounds write in ip6_xmit of ip6_output.c due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1192032).
- CVE-2021-28711: Fixed issue with xen/blkfront to harden blkfront against event channel storms (XSA-391) (bsc#1193440).
- CVE-2021-28712: Fixed issue with xen/netfront to harden netfront against event channel storms (XSA-391) (bsc#1193440).
- CVE-2021-28713: Fixed issue with xen/console to harden hvc_xen against event channel storms (XSA-391) (bsc#1193440).
- CVE-2021-28715: Fixed issue with xen/netback to do not queue unlimited number of packages (XSA-392) (bsc#1193442).
- CVE-2021-33098: Fixed improper input validation in the Intel(R) Ethernet ixgbe driver that may have allowed an authenticated user to potentially cause denial of service via local access (bnc#1192877).
- CVE-2021-3564: Fixed double-free memory corruption in the Linux kernel HCI device initialization subsystem that could have been used by attaching malicious HCI TTY Bluetooth devices. A local user could use this flaw to crash the system (bnc#1186207).
- CVE-2021-39648: Fixed possible disclosure of kernel heap memory due to a race condition in gadget_dev_desc_UDC_show of configfs.c. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation (bnc#1193861).
- CVE-2021-39657: Fixed out of bounds read due to a missing bounds check in ufshcd_eh_device_reset_handler of ufshcd.c. This could lead to local information disclosure with System execution privileges needed (bnc#1193864).
- CVE-2021-4002: Fixed incorrect TLBs flush in hugetlbfs after huge_pmd_unshare (bsc#1192946).
- CVE-2021-4083: Fixed a read-after-free memory flaw inside the garbage collection for Unix domain socket file handlers when users call close() and fget() simultaneouslyand can potentially trigger a race condition (bnc#1193727).
- CVE-2021-4149: Fixed btrfs unlock newly allocated extent buffer after error (bsc#1194001).
- CVE-2021-4155: Fixed XFS map issue when unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like fallocate (bsc#1194272).
- CVE-2021-4197: Use cgroup open-time credentials for process migraton perm checks (bsc#1194302).
- CVE-2021-4202: Fixed NFC race condition by adding NCI_UNREG flag (bsc#1194529).
- CVE-2021-43976: Fixed insufficient access control in drivers/net/wireless/marvell/mwifiex/usb.c that allowed an attacker who connect a crafted USB device to cause denial of service (bnc#1192847).
- CVE-2021-45095: Fixed refcount leak in pep_sock_accept in net/phonet/pep.c (bnc#1193867).
- CVE-2021-45485: Fixed information leak in the IPv6 implementation in net/ipv6/output_core.c (bnc#1194094).
- CVE-2021-45486: Fixed information leak inside the IPv4 implementation caused by very small hash table (bnc#1194087).
- CVE-2022-0330: Fixed flush TLBs before releasing backing store (bsc#1194880).
The following non-security bugs were fixed:
- fget: clarify and improve __fget_files() implementation (bsc#1193727).
- hv_netvsc: Fix the queue_mapping in netvsc_vf_xmit() (bsc#1193507).
- hv_netvsc: Set needed_headroom according to VF (bsc#1193507).
- kprobes: Limit max data_size of the kretprobe instances (bsc#1193669).
- memstick: rtsx_usb_ms: fix UAF
- moxart: fix potential use-after-free on remove path (bsc1194516).
- net/x25: fix a race in x25_bind() (networking-stable-19_03_15).
- net: mana: Add RX fencing (bsc#1193507).
- net: mana: Allow setting the number of queues while the NIC is down (bsc#1193507).
- net: mana: Fix spelling mistake 'calledd' -> 'called' (bsc#1193507).
- net: mana: Fix the netdev_err()'s vPort argument in mana_init_port() (bsc#1193507).
- net: mana: Improve the HWC error handling (bsc#1193507).
- net: mana: Support hibernation and kexec (bsc#1193507).
- net: mana: Use kcalloc() instead of kzalloc() (bsc#1193507).
- recordmcount.pl: fix typo in s390 mcount regex (bsc#1192267).
- recordmcount.pl: look for jgnop instruction as well as bcrl on s390 (bsc#1192267).
- ring-buffer: Protect ring_buffer_reset() from reentrancy (bsc#1179960).
- tty: hvc: replace BUG_ON() with negative return value (git-fixes).
- xen-netfront: do not assume sk_buff_head list is empty in error handling (git-fixes).
- xen-netfront: do not use ~0U as error return value for xennet_fill_frags() (git-fixes).
- xen/blkfront: do not take local copy of a request from the ring page (git-fixes).
- xen/blkfront: do not trust the backend response data blindly (git-fixes).
- xen/blkfront: read response from backend only once (git-fixes).
- xen/netfront: disentangle tx_skb_freelist (git-fixes).
- xen/netfront: do not bug in case of too many frags (bnc#1012382).
- xen/netfront: do not cache skb_shinfo() (bnc#1012382).
- xen/netfront: do not read data from request on the ring page (git-fixes).
- xen/netfront: do not trust the backend response data blindly (git-fixes).
- xen/netfront: read response from backend only once (git-fixes).
- xen: sync include/xen/interface/io/ring.h with Xen's newest version (git-fixes).
ImportantSUSE bug 1012382SUSE bug 1179960SUSE bug 1183696SUSE bug 1186207SUSE bug 1192032SUSE bug 1192267SUSE bug 1192847SUSE bug 1192877SUSE bug 1192946SUSE bug 1193157SUSE bug 1193440SUSE bug 1193442SUSE bug 1193507SUSE bug 1193575SUSE bug 1193669SUSE bug 1193727SUSE bug 1193861SUSE bug 1193864SUSE bug 1193867SUSE bug 1194001SUSE bug 1194087SUSE bug 1194094SUSE bug 1194272SUSE bug 1194302SUSE bug 1194516SUSE bug 1194529SUSE bug 1194880CVE-2018-25020 at SUSECVE-2018-25020 at NVDCVE-2019-0136 at SUSECVE-2019-0136 at NVDCVE-2020-35519 at SUSECVE-2020-35519 at NVDCVE-2021-0935 at SUSECVE-2021-0935 at NVDCVE-2021-28711 at SUSECVE-2021-28711 at NVDCVE-2021-28712 at SUSECVE-2021-28712 at NVDCVE-2021-28713 at SUSECVE-2021-28713 at NVDCVE-2021-28715 at SUSECVE-2021-28715 at NVDCVE-2021-33098 at SUSECVE-2021-33098 at NVDCVE-2021-3564 at SUSECVE-2021-3564 at NVDCVE-2021-39648 at SUSECVE-2021-39648 at NVDCVE-2021-39657 at SUSECVE-2021-39657 at NVDCVE-2021-4002 at SUSECVE-2021-4002 at NVDCVE-2021-4083 at SUSECVE-2021-4083 at NVDCVE-2021-4149 at SUSECVE-2021-4149 at NVDCVE-2021-4155 at SUSECVE-2021-4155 at NVDCVE-2021-4197 at SUSECVE-2021-4197 at NVDCVE-2021-4202 at SUSECVE-2021-4202 at NVDCVE-2021-43976 at SUSECVE-2021-43976 at NVDCVE-2021-45095 at SUSECVE-2021-45095 at NVDCVE-2021-45485 at SUSECVE-2021-45485 at NVDCVE-2021-45486 at SUSECVE-2021-45486 at NVDCVE-2022-0330 at SUSECVE-2022-0330 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libvirt (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libvirt fixes the following issues:
- CVE-2021-4147: libxl: Fix libvirtd deadlocks and segfaults. (bsc#1194041)
- CVE-2021-3975: Add missing lock in qemuProcessHandleMonitorEOF. (bsc#1192876)
ImportantSUSE bug 1192876SUSE bug 1193981SUSE bug 1194041CVE-2021-3975 at SUSECVE-2021-3975 at NVDCVE-2021-4147 at SUSECVE-2021-4147 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for virglrenderer (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for virglrenderer fixes the following issues:
- CVE-2022-0135: Fixed out-of-bonds write in read_transfer_data() (bsc#1195389).
ImportantSUSE bug 1195389CVE-2022-0135 at SUSECVE-2022-0135 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for expat (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for expat fixes the following issues:
- CVE-2022-23852: Fixed signed integer overflow in XML_GetBuffer (bsc#1195054).
- CVE-2022-23990: Fixed integer overflow in the doProlog function (bsc#1195217).
ImportantSUSE bug 1195054SUSE bug 1195217CVE-2022-23852 at SUSECVE-2022-23852 at NVDCVE-2022-23990 at SUSECVE-2022-23990 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for tiff (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for tiff fixes the following issues:
- CVE-2017-17095: Fixed DoS in tools/pal2rgb.c in pal2rgb (bsc#1071031).
- CVE-2019-17546: Fixed integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image (bsc#1154365).
- CVE-2020-19131: Fixed buffer overflow in tiffcrop that may cause DoS via the invertImage() function (bsc#1190312).
- CVE-2020-35521: Fixed memory allocation failure in tif_read.c (bsc#1182808).
- CVE-2020-35522: Fixed memory allocation failure in tif_pixarlog.c (bsc#1182809).
- CVE-2020-35523: Fixed integer overflow in tif_getimage.c (bsc#1182811).
- CVE-2020-35524: Fixed heap-based buffer overflow in TIFF2PDF tool (bsc#1182812).
- CVE-2022-22844: Fixed out-of-bounds read in _TIFFmemcpy in tif_unix.c (bsc#1194539).
ImportantSUSE bug 1071031SUSE bug 1154365SUSE bug 1182808SUSE bug 1182809SUSE bug 1182811SUSE bug 1182812SUSE bug 1190312SUSE bug 1194539CVE-2017-17095 at SUSECVE-2017-17095 at NVDCVE-2019-17546 at SUSECVE-2019-17546 at NVDCVE-2020-19131 at SUSECVE-2020-19131 at NVDCVE-2020-35521 at SUSECVE-2020-35521 at NVDCVE-2020-35522 at SUSECVE-2020-35522 at NVDCVE-2020-35523 at SUSECVE-2020-35523 at NVDCVE-2020-35524 at SUSECVE-2020-35524 at NVDCVE-2022-22844 at SUSECVE-2022-22844 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for tcpdump (Moderate)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for tcpdump fixes the following issues:
- CVE-2018-16301: Fixed segfault when handling large files (bsc#1195825).
ModerateSUSE bug 1195825CVE-2018-16301 at SUSECVE-2018-16301 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for xerces-j2 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for xerces-j2 fixes the following issues:
- CVE-2022-23437: Fixed infinite loop within Apache XercesJ xml parser (bsc#1195108).
ImportantSUSE bug 1195108CVE-2022-23437 at SUSECVE-2022-23437 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Critical)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_141 fixes several issues.
The following security issues were fixed:
- CVE-2021-4202: Fixed NFC race condition by adding NCI_UNREG flag (bsc#1194533).
- CVE-2021-4083: Fixed a read-after-free memory flaw inside the garbage collection for Unix domain socket file handlers when users call close() and fget() simultaneouslyand can potentially trigger a race condition (bnc#1194460).
CriticalSUSE bug 1194460SUSE bug 1194533CVE-2021-4083 at SUSECVE-2021-4083 at NVDCVE-2021-4202 at SUSECVE-2021-4202 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Critical)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_144 fixes several issues.
The following security issues were fixed:
- CVE-2021-4202: Fixed NFC race condition by adding NCI_UNREG flag (bsc#1194533).
- CVE-2021-4083: Fixed a read-after-free memory flaw inside the garbage collection for Unix domain socket file handlers when users call close() and fget() simultaneouslyand can potentially trigger a race condition (bnc#1194460).
CriticalSUSE bug 1194460SUSE bug 1194533CVE-2021-4083 at SUSECVE-2021-4083 at NVDCVE-2021-4202 at SUSECVE-2021-4202 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) (Critical)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_147 fixes several issues.
The following security issues were fixed:
- CVE-2021-4202: Fixed NFC race condition by adding NCI_UNREG flag (bsc#1194533).
- CVE-2021-4083: Fixed a read-after-free memory flaw inside the garbage collection for Unix domain socket file handlers when users call close() and fget() simultaneouslyand can potentially trigger a race condition (bnc#1194460).
CriticalSUSE bug 1194460SUSE bug 1194533CVE-2021-4083 at SUSECVE-2021-4083 at NVDCVE-2021-4202 at SUSECVE-2021-4202 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 41 for SLE 12 SP3) (Critical)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_150 fixes several issues.
The following security issues were fixed:
- CVE-2021-4202: Fixed NFC race condition by adding NCI_UNREG flag (bsc#1194533).
- CVE-2021-4083: Fixed a read-after-free memory flaw inside the garbage collection for Unix domain socket file handlers when users call close() and fget() simultaneouslyand can potentially trigger a race condition (bnc#1194460).
CriticalSUSE bug 1194460SUSE bug 1194533CVE-2021-4083 at SUSECVE-2021-4083 at NVDCVE-2021-4202 at SUSECVE-2021-4202 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Critical)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_138 fixes several issues.
The following security issues were fixed:
- CVE-2021-4202: Fixed NFC race condition by adding NCI_UNREG flag (bsc#1194533).
- CVE-2021-4083: Fixed a read-after-free memory flaw inside the garbage collection for Unix domain socket file handlers when users call close() and fget() simultaneouslyand can potentially trigger a race condition (bnc#1194460).
CriticalSUSE bug 1194460SUSE bug 1194533CVE-2021-4083 at SUSECVE-2021-4083 at NVDCVE-2021-4202 at SUSECVE-2021-4202 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.6.0 ESR / MFSA 2022-05 (bsc#1195682)
- CVE-2022-22753: Privilege Escalation to SYSTEM on Windows via Maintenance Service
- CVE-2022-22754: Extensions could have bypassed permission confirmation during update
- CVE-2022-22756: Drag and dropping an image could have resulted in the dropped object being an executable
- CVE-2022-22759: Sandboxed iframes could have executed script if the parent appended elements
- CVE-2022-22760: Cross-Origin responses could be distinguished between script and non-script content-types
- CVE-2022-22761: frame-ancestors Content Security Policy directive was not enforced for framed extension pages
- CVE-2022-22763: Script Execution during invalid object state
- CVE-2022-22764: Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6
Firefox Extended Support Release 91.5.1 ESR (bsc#1195230)
- Fixed an issue that allowed unexpected data to be submitted in some of our search telemetry
ImportantSUSE bug 1195230SUSE bug 1195682CVE-2022-22753 at SUSECVE-2022-22753 at NVDCVE-2022-22754 at SUSECVE-2022-22754 at NVDCVE-2022-22756 at SUSECVE-2022-22756 at NVDCVE-2022-22759 at SUSECVE-2022-22759 at NVDCVE-2022-22760 at SUSECVE-2022-22760 at NVDCVE-2022-22761 at SUSECVE-2022-22761 at NVDCVE-2022-22763 at SUSECVE-2022-22763 at NVDCVE-2022-22764 at SUSECVE-2022-22764 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for ucode-intel fixes the following issues:
Updated to Intel CPU Microcode 20220207 release.
- CVE-2021-0146: Fixed a potential security vulnerability in some Intel Processors may allow escalation of privilege (bsc#1192615)
- CVE-2021-0127: Intel Processor Breakpoint Control Flow (bsc#1195779)
- CVE-2021-0145: Fast store forward predictor - Cross Domain Training (bsc#1195780)
- CVE-2021-33120: Out of bounds read for some Intel Atom processors (bsc#1195781)
- Security updates for [INTEL-SA-00528](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00528.html)
- Security updates for [INTEL-SA-00532](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00532.html)
ImportantSUSE bug 1192615SUSE bug 1195779SUSE bug 1195780SUSE bug 1195781CVE-2021-0127 at SUSECVE-2021-0127 at NVDCVE-2021-0145 at SUSECVE-2021-0145 at NVDCVE-2021-0146 at SUSECVE-2021-0146 at NVDCVE-2021-33120 at SUSECVE-2021-33120 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for apache2 fixes the following issues:
- CVE-2021-44224: Fixed NULL dereference or SSRF in forward proxy configurations. (bsc#1193943)
- CVE-2021-44790: Fixed buffer overflow when parsing multipart content in mod_lua. (bsc#1193942)
ImportantSUSE bug 1193942SUSE bug 1193943CVE-2021-44224 at SUSECVE-2021-44224 at NVDCVE-2021-44790 at SUSECVE-2021-44790 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for cyrus-sasl (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for cyrus-sasl fixes the following issues:
- CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).
ImportantSUSE bug 1196036CVE-2022-24407 at SUSECVE-2022-24407 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 42 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_153 fixes several issues.
The following security issues were fixed:
- CVE-2021-0920: Fixed a local privilege escalation due to an use after free bug in unix_gc (bsc#1194463).
- CVE-2021-28688: Fixed XSA-365 that includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains (bsc#1182294).
ImportantSUSE bug 1182294SUSE bug 1194463CVE-2021-0920 at SUSECVE-2021-0920 at NVDCVE-2021-28688 at SUSECVE-2021-28688 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 41 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_150 fixes one issue.
The following security issue was fixed:
- CVE-2021-0920: Fixed a local privilege escalation due to an use after free bug in unix_gc (bsc#1194463).
ImportantSUSE bug 1194463CVE-2021-0920 at SUSECVE-2021-0920 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_147 fixes one issue.
The following security issue was fixed:
- CVE-2021-0920: Fixed a local privilege escalation due to an use after free bug in unix_gc (bsc#1194463).
ImportantSUSE bug 1194463CVE-2021-0920 at SUSECVE-2021-0920 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_144 fixes one issue.
The following security issue was fixed:
- CVE-2021-0920: Fixed a local privilege escalation due to an use after free bug in unix_gc (bsc#1194463).
ImportantSUSE bug 1194463CVE-2021-0920 at SUSECVE-2021-0920 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for the Linux Kernel 4.4.180-94_141 fixes one issue.
The following security issue was fixed:
- CVE-2021-0920: Fixed a local privilege escalation due to an use after free bug in unix_gc (bsc#1194463).
ImportantSUSE bug 1194463CVE-2021-0920 at SUSECVE-2021-0920 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for webkit2gtk3 fixes the following issues:
Update to version 2.34.5 (bsc#1195735):
- CVE-2022-22589: A validation issue was addressed with improved input sanitization.
- CVE-2022-22590: A use after free issue was addressed with improved memory management.
- CVE-2022-22592: A logic issue was addressed with improved state management.
Update to version 2.34.4 (bsc#1195064):
- CVE-2021-30934: A buffer overflow issue was addressed with improved memory handling.
- CVE-2021-30936: A use after free issue was addressed with improved memory management.
- CVE-2021-30951: A use after free issue was addressed with improved memory management.
- CVE-2021-30952: An integer overflow was addressed with improved input validation.
- CVE-2021-30953: An out-of-bounds read was addressed with improved bounds checking.
- CVE-2021-30954: A type confusion issue was addressed with improved memory handling.
- CVE-2021-30984: A race condition was addressed with improved state handling.
- CVE-2022-22594: A cross-origin issue in the IndexDB API was addressed with improved input validation.
The following CVEs were addressed in a previous update:
- CVE-2021-45481: Incorrect memory allocation in WebCore::ImageBufferCairoImageSurfaceBackend::create.
- CVE-2021-45482: A use-after-free in WebCore::ContainerNode::firstChild.
- CVE-2021-45483: A use-after-free in WebCore::Frame::page.
ImportantSUSE bug 1195064SUSE bug 1195735CVE-2021-30934 at SUSECVE-2021-30934 at NVDCVE-2021-30936 at SUSECVE-2021-30936 at NVDCVE-2021-30951 at SUSECVE-2021-30951 at NVDCVE-2021-30952 at SUSECVE-2021-30952 at NVDCVE-2021-30953 at SUSECVE-2021-30953 at NVDCVE-2021-30954 at SUSECVE-2021-30954 at NVDCVE-2021-30984 at SUSECVE-2021-30984 at NVDCVE-2021-45481 at SUSECVE-2021-45481 at NVDCVE-2021-45482 at SUSECVE-2021-45482 at NVDCVE-2021-45483 at SUSECVE-2021-45483 at NVDCVE-2022-22589 at SUSECVE-2022-22589 at NVDCVE-2022-22590 at SUSECVE-2022-22590 at NVDCVE-2022-22592 at SUSECVE-2022-22592 at NVDCVE-2022-22594 at SUSECVE-2022-22594 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for expat (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for expat fixes the following issues:
- CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
- CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
- CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
- CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
- CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).
ImportantSUSE bug 1196025SUSE bug 1196026SUSE bug 1196168SUSE bug 1196169SUSE bug 1196171CVE-2022-25235 at SUSECVE-2022-25235 at NVDCVE-2022-25236 at SUSECVE-2022-25236 at NVDCVE-2022-25313 at SUSECVE-2022-25313 at NVDCVE-2022-25314 at SUSECVE-2022-25314 at NVDCVE-2022-25315 at SUSECVE-2022-25315 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for zsh (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for zsh fixes the following issues:
- CVE-2021-45444: Fixed a vulnerability where arbitrary shell commands could be
executed related to prompt expansion (bsc#1196435).
- CVE-2019-20044: Fixed a vulnerability where shell privileges would not be
properly dropped when unsetting the PRIVILEGED option (bsc#1163882).
- CVE-2018-1100: Fixed a potential code execution via a stack-based buffer
overflow in utils.c:checkmailpath() (bsc#1089030).
ImportantSUSE bug 1089030SUSE bug 1163882SUSE bug 1196435CVE-2018-1100 at SUSECVE-2018-1100 at NVDCVE-2019-20044 at SUSECVE-2019-20044 at NVDCVE-2021-45444 at SUSECVE-2021-45444 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for the Linux Kernel (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.
Transient execution side-channel attacks attacking the Branch History Buffer (BHB),
named 'Branch Target Injection' and 'Intra-Mode Branch History Injection' are now mitigated.
The following security bugs were fixed:
- CVE-2022-0001: Fixed Branch History Injection vulnerability (bsc#1191580).
- CVE-2022-0002: Fixed Intra-Mode Branch Target Injection vulnerability (bsc#1191580).
- CVE-2022-0617: Fixed a null pointer dereference in UDF file system functionality. A local user could crash the system by triggering udf_file_write_iter() via a malicious UDF image. (bsc#1196079)
- CVE-2022-0492: Fixed a privilege escalation related to cgroups v1 release_agent feature, which allowed bypassing namespace isolation unexpectedly (bsc#1195543).
- CVE-2022-24448: Fixed an issue in fs/nfs/dir.c. If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should have occured, but the server instead returned uninitialized data in the file descriptor (bsc#1195612).
- CVE-2021-0920: Fixed a local privilege escalation due to a use-after-free bug in unix_gc (bsc#1193731).
- CVE-2016-10905: Fixed a use-after-free is gfs2_clear_rgrpd() and read_rindex_entry() (bsc#1146312).
ImportantSUSE bug 1146312SUSE bug 1185973SUSE bug 1191580SUSE bug 1193731SUSE bug 1194463SUSE bug 1195536SUSE bug 1195543SUSE bug 1195612SUSE bug 1195908SUSE bug 1195939SUSE bug 1196079SUSE bug 1196612CVE-2016-10905 at SUSECVE-2016-10905 at NVDCVE-2021-0920 at SUSECVE-2021-0920 at NVDCVE-2022-0001 at SUSECVE-2022-0001 at NVDCVE-2022-0002 at SUSECVE-2022-0002 at NVDCVE-2022-0492 at SUSECVE-2022-0492 at NVDCVE-2022-0617 at SUSECVE-2022-0617 at NVDCVE-2022-24448 at SUSECVE-2022-24448 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.6.1 ESR (bsc#1196809):
- CVE-2022-26485: Use-after-free in XSLT parameter processing
- CVE-2022-26486: Use-after-free in WebGPU IPC Framework
ImportantSUSE bug 1196809CVE-2022-26485 at SUSECVE-2022-26485 at NVDCVE-2022-26486 at SUSECVE-2022-26486 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for webkit2gtk3 fixes the following issues:
Update to version 2.34.6 (bsc#1196133):
- CVE-2022-22620: Processing maliciously crafted web content may have lead to arbitrary code execution.
ImportantSUSE bug 1196133CVE-2022-22620 at SUSECVE-2022-22620 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for libcaca (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for libcaca fixes the following issues:
- CVE-2021-30498, CVE-2021-30499: If an image has a size of 0x0, when exporting, no
data is written and space is allocated for the header only, not taking into
account that sprintf appends a NUL byte (bsc#1184751, bsc#1184752).
ImportantSUSE bug 1184751SUSE bug 1184752CVE-2021-30498 at SUSECVE-2021-30498 at NVDCVE-2021-30499 at SUSECVE-2021-30499 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.7.0 ESR (bsc#1196900):
- CVE-2022-26383: Browser window spoof using fullscreen mode
- CVE-2022-26384: iframe allow-scripts sandbox bypass
- CVE-2022-26387: Time-of-check time-of-use bug when verifying add-on signatures
- CVE-2022-26381: Use-after-free in text reflows
- CVE-2022-26386: Temporary files downloaded to /tmp and accessible by other local users
ImportantSUSE bug 1196900CVE-2022-26381 at SUSECVE-2022-26381 at NVDCVE-2022-26383 at SUSECVE-2022-26383 at NVDCVE-2022-26384 at SUSECVE-2022-26384 at NVDCVE-2022-26386 at SUSECVE-2022-26386 at NVDCVE-2022-26387 at SUSECVE-2022-26387 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for expat (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for expat fixes the following issues:
- Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).
ImportantSUSE bug 1196025SUSE bug 1196784CVE-2022-25236 at SUSECVE-2022-25236 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for openssl (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for openssl fixes the following issues:
- CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (bsc#1196877).
ImportantSUSE bug 1196877CVE-2022-0778 at SUSECVE-2022-0778 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for java-1_8_0-openjdk fixes the following issues:
Update to version jdk8u322 (icedtea-3.22.0)
Including the following security fixes:
- CVE-2022-21248, bsc#1194926: Enhance cross VM serialization
- CVE-2022-21283, bsc#1194937: Better String matching
- CVE-2022-21293, bsc#1194935: Improve String constructions
- CVE-2022-21294, bsc#1194934: Enhance construction of Identity maps
- CVE-2022-21282, bsc#1194933: Better resolution of URIs
- CVE-2022-21296, bsc#1194932: Improve SAX Parser configuration management
- CVE-2022-21299, bsc#1194931: Improved scanning of XML entities
- CVE-2022-21305, bsc#1194939: Better array indexing
- CVE-2022-21340, bsc#1194940: Verify Jar Verification
- CVE-2022-21341, bsc#1194941: Improve serial forms for transport
- CVE-2022-21349: Improve Solaris font rendering
- CVE-2022-21360, bsc#1194929: Enhance BMP image support
- CVE-2022-21365, bsc#1194928: Enhanced BMP processing
ImportantSUSE bug 1193314SUSE bug 1193444SUSE bug 1193491SUSE bug 1194926SUSE bug 1194928SUSE bug 1194929SUSE bug 1194931SUSE bug 1194932SUSE bug 1194933SUSE bug 1194934SUSE bug 1194935SUSE bug 1194937SUSE bug 1194939SUSE bug 1194940SUSE bug 1194941SUSE bug 1195163CVE-2022-21248 at SUSECVE-2022-21248 at NVDCVE-2022-21282 at SUSECVE-2022-21282 at NVDCVE-2022-21283 at SUSECVE-2022-21283 at NVDCVE-2022-21293 at SUSECVE-2022-21293 at NVDCVE-2022-21294 at SUSECVE-2022-21294 at NVDCVE-2022-21296 at SUSECVE-2022-21296 at NVDCVE-2022-21299 at SUSECVE-2022-21299 at NVDCVE-2022-21305 at SUSECVE-2022-21305 at NVDCVE-2022-21340 at SUSECVE-2022-21340 at NVDCVE-2022-21341 at SUSECVE-2022-21341 at NVDCVE-2022-21349 at SUSECVE-2022-21349 at NVDCVE-2022-21360 at SUSECVE-2022-21360 at NVDCVE-2022-21365 at SUSECVE-2022-21365 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for glibc (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for glibc fixes the following issues:
- CVE-2022-23219: Fixed buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)
- CVE-2022-23218: Fixed buffer overflow in sunrpc svcunix_create (bsc#1194770)
- CVE-2021-3999: Fixed getcwd to set errno to ERANGE for size == 1 (bsc#1194640)
ImportantSUSE bug 1194640SUSE bug 1194768SUSE bug 1194770CVE-2021-3999 at SUSECVE-2021-3999 at NVDCVE-2022-23218 at SUSECVE-2022-23218 at NVDCVE-2022-23219 at SUSECVE-2022-23219 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-ESPOS
This update for apache2 fixes the following issues:
- CVE-2022-23943: heap out-of-bounds write in mod_sed (bsc#1197098).
- CVE-2022-22720: HTTP request smuggling due to incorrect error handling (bsc#1197095).
- CVE-2022-22719: use of uninitialized value of in r:parsebody in mod_lua (bsc#1197091).
- CVE-2022-22721: possible buffer overflow with very large or unlimited LimitXMLRequestBody (bsc#1197096).
ImportantSUSE bug 1197091SUSE bug 1197095SUSE bug 1197096SUSE bug 1197098CVE-2022-22719 at SUSECVE-2022-22719 at NVDCVE-2022-22720 at SUSECVE-2022-22720 at NVDCVE-2022-22721 at SUSECVE-2022-22721 at NVDCVE-2022-23943 at SUSECVE-2022-23943 at NVDcpe:/o:suse:sles-espos:12:sp3Security update for ceph (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ceph fixes the following issues:
- Update to version 12.2.7-420-gc0ef85b854:
* https://ceph.com/releases/12-2-7-luminous-released/
* luminous: osd: eternal stuck PG in 'unfound_recovery' (bsc#1094932)
* bluestore: db.slow used when db is not full (bsc#1092874)
* CVE-2018-10861: Ensure that ceph-mon does perform authorization on all OSD pool ops (bsc#1099162).
* CVE-2018-1129: cephx signature check bypass (bsc#1096748).
* CVE-2018-1128: cephx protocol was vulnerable to replay attack (bsc#1096748).
ImportantSUSE bug 1092874SUSE bug 1094932SUSE bug 1096748SUSE bug 1099162CVE-2018-10861 at SUSECVE-2018-10861 at NVDCVE-2018-1128 at SUSECVE-2018-1128 at NVDCVE-2018-1129 at SUSECVE-2018-1129 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libsoup (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libsoup fixes the following issues:
Security issue fixed:
- CVE-2018-12910: Fix crash when handling empty hostnames (bsc#1100097).
- CVE-2017-2885: Fix chunk decoding buffer overrun that could be exploited against either clients or servers (bsc#1052916).
Bug fixes:
- bsc#1086036: translation-update-upstream commented out for Leap
ModerateSUSE bug 1052916SUSE bug 1086036SUSE bug 1100097CVE-2017-2885 at SUSECVE-2017-2885 at NVDCVE-2018-12910 at SUSECVE-2018-12910 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for samba (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for samba fixes the following issues:
The following security vulnerability was fixed:
- CVE-2018-10858: Fixed insufficient input validation on client directory
listing in libsmbclient; (bsc#1103411);
The following other change was made:
- s3: winbind: Fix 'winbind normalize names' in wb_getpwsid();
- winbind: honor 'winbind use default domain' with empty domain (bsc#1087303)
- winbind: do not modify credentials in NTLM passthru (bsc#1068059)
- net: fix net ads keytab handling (bsc#1067700)
- fix vfs_ceph flock stub
ImportantSUSE bug 1067700SUSE bug 1068059SUSE bug 1087303SUSE bug 1103411CVE-2018-10858 at SUSECVE-2018-10858 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox to version ESR 52.9 fixes the following issues:
- CVE-2018-5188: Various memory safety bugs (bsc#1098998)
- CVE-2018-12368: No warning when opening executable SettingContent-ms files
- CVE-2018-12366: Invalid data handling during QCMS transformations
- CVE-2018-12365: Compromised IPC child process can list local filenames
- CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
- CVE-2018-12363: Use-after-free when appending DOM nodes
- CVE-2018-12362: Integer overflow in SSSE3 scaler
- CVE-2018-12360: Use-after-free when using focus()
- CVE-2018-5156: Media recorder segmentation fault when track type is changed during capture
- CVE-2018-12359: Buffer overflow using computed size of canvas element
ImportantSUSE bug 1098998CVE-2018-12359 at SUSECVE-2018-12359 at NVDCVE-2018-12360 at SUSECVE-2018-12360 at NVDCVE-2018-12362 at SUSECVE-2018-12362 at NVDCVE-2018-12363 at SUSECVE-2018-12363 at NVDCVE-2018-12364 at SUSECVE-2018-12364 at NVDCVE-2018-12365 at SUSECVE-2018-12365 at NVDCVE-2018-12366 at SUSECVE-2018-12366 at NVDCVE-2018-12368 at SUSECVE-2018-12368 at NVDCVE-2018-5156 at SUSECVE-2018-5156 at NVDCVE-2018-5188 at SUSECVE-2018-5188 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for clamav (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for clamav to version 0.100.1 fixes the following issues:
The following security vulnerabilities were addressed:
- CVE-2018-0360: HWP integer overflow, infinite loop vulnerability (bsc#1101410)
- CVE-2018-0361: PDF object length check, unreasonably long time to parse relatively small file (bsc#1101412)
- CVE-2018-1000085: Fixed a out-of-bounds heap read in XAR parser (bsc#1082858)
- CVE-2018-14679: Libmspack heap buffer over-read in CHM parser (bsc#1103040)
- Buffer over-read in unRAR code due to missing max value checks in table initialization
- PDF parser bugs
The following other changes were made:
- Disable YARA support for licensing reasons (bsc#1101654).
- Add HTTPS support for clamsubmit
- Fix for DNS resolution for users on IPv4-only machines where IPv6 is not
available or is link-local only
ModerateSUSE bug 1082858SUSE bug 1101410SUSE bug 1101412SUSE bug 1101654SUSE bug 1103040CVE-2018-0360 at SUSECVE-2018-0360 at NVDCVE-2018-0361 at SUSECVE-2018-0361 at NVDCVE-2018-1000085 at SUSECVE-2018-1000085 at NVDCVE-2018-14679 at SUSECVE-2018-14679 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update to ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
ucode-intel was updated to the 20180807 release.
For the listed CPU chipsets this fixes CVE-2018-3640 (Spectre v3a) and is
part of the mitigations for CVE-2018-3639 (Spectre v4) and CVE-2018-3646
(L1 Terminal fault).
(bsc#1104134 bsc#1087082 bsc#1087083 bsc#1089343)
Processor Identifier Version Products
Model Stepping F-MO-S/PI Old->New
---- new platforms ----------------------------------------
WSM-EP/WS U1 6-2c-2/03 0000001f Xeon E/L/X56xx, W36xx
NHM-EX D0 6-2e-6/04 0000000d Xeon E/L/X65xx/75xx
BXT C0 6-5c-2/01 00000014 Atom T5500/5700
APL E0 6-5c-a/03 0000000c Atom x5-E39xx
DVN B0 6-5f-1/01 00000024 Atom C3xxx
---- updated platforms ------------------------------------
NHM-EP/WS D0 6-1a-5/03 00000019->0000001d Xeon E/L/X/W55xx
NHM B1 6-1e-5/13 00000007->0000000a Core i7-8xx, i5-7xx; Xeon L3426, X24xx
WSM B1 6-25-2/12 0000000e->00000011 Core i7-6xx, i5-6xx/4xxM, i3-5xx/3xxM, Pentium G69xx, Celeon P45xx; Xeon L3406
WSM K0 6-25-5/92 00000004->00000007 Core i7-6xx, i5-6xx/5xx/4xx, i3-5xx/3xx, Pentium G69xx/P6xxx/U5xxx, Celeron P4xxx/U3xxx
SNB D2 6-2a-7/12 0000002d->0000002e Core Gen2; Xeon E3
WSM-EX A2 6-2f-2/05 00000037->0000003b Xeon E7
IVB E2 6-3a-9/12 0000001f->00000020 Core Gen3 Mobile
HSW-H/S/E3 Cx/Dx 6-3c-3/32 00000024->00000025 Core Gen4 Desktop; Xeon E3 v3
BDW-U/Y E/F 6-3d-4/c0 0000002a->0000002b Core Gen5 Mobile
HSW-ULT Cx/Dx 6-45-1/72 00000023->00000024 Core Gen4 Mobile and derived Pentium/Celeron
HSW-H Cx 6-46-1/32 00000019->0000001a Core Extreme i7-5xxxX
BDW-H/E3 E/G 6-47-1/22 0000001d->0000001e Core i5-5xxxR/C, i7-5xxxHQ/EQ; Xeon E3 v4
SKL-U/Y D0 6-4e-3/c0 000000c2->000000c6 Core Gen6 Mobile
BDX-DE V1 6-56-2/10 00000015->00000017 Xeon D-1520/40
BDX-DE V2/3 6-56-3/10 07000012->07000013 Xeon D-1518/19/21/27/28/31/33/37/41/48, Pentium D1507/08/09/17/19
BDX-DE Y0 6-56-4/10 0f000011->0f000012 Xeon D-1557/59/67/71/77/81/87
APL D0 6-5c-9/03 0000002c->00000032 Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
SKL-H/S/E3 R0 6-5e-3/36 000000c2->000000c6 Core Gen6; Xeon E3 v5
ImportantSUSE bug 1087082SUSE bug 1087083SUSE bug 1089343SUSE bug 1104134CVE-2018-3639 at SUSECVE-2018-3639 at NVDCVE-2018-3640 at SUSECVE-2018-3640 at NVDCVE-2018-3646 at SUSECVE-2018-3646 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for apache2 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for apache2 fixes the following issues:
The following security vulnerability were fixed:
- CVE-2018-1333: Fixed a worker exhaustion that could have lead to a denial
of service via specially crafted HTTP/2 requests (bsc#1101689).
ModerateSUSE bug 1101689CVE-2018-1333 at SUSECVE-2018-1333 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libqt4 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libqt4 fixes the following issues:
LibQt4 was updated to 4.8.7 (bsc#1039291, CVE-2016-10040):
See
http://download.qt.io/official_releases/qt/4.8/4.8.7/changes-4.8.7
for more details.
Also libQtWebkit4 was updated to 2.3.4 to match libqt4.
Also following bugs were fixed:
- Enable libqt4-devel-32bit (bsc#982826)
- Fixed bolder font in Qt4 apps (boo#956357)
ModerateSUSE bug 1039291SUSE bug 1042657SUSE bug 956357SUSE bug 964458SUSE bug 982826CVE-2016-10040 at SUSECVE-2016-10040 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ovmf (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ovmf provide the following fix:
Security issues fixed:
- CVE-2018-0739: Update openssl to 1.0.2o to limit ASN.1 constructed types
recursive definition depth (bsc#1094290, bsc#1094291).
Bug fixes:
- Only use SLES-UEFI-CA-Certificate-2048.crt for the SUSE flavor to provide the
better compatibility. (bsc#1077330)
ModerateSUSE bug 1077330SUSE bug 1094290SUSE bug 1094291CVE-2018-0739 at SUSECVE-2018-0739 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for cups (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for cups fixes the following issues:
The following security vulnerabilities were fixed:
- CVE-2017-18248: Handle invalid characters properly in printing jobs. This fixes a problem that
was causing the DBUS library to abort the calling process. (bsc#1061066 bsc#1087018)
- Fixed a local privilege escalation to root and sandbox bypasses in the
scheduler
- CVE-2018-4180: Fixed a local privilege escalation to root in dnssd backend
(bsc#1096405)
- CVE-2018-4181: Limited local file reads as root via cupsd.conf include
directive (bsc#1096406)
- CVE-2018-4182: Fixed a sandbox bypass due to insecure error handling
(bsc#1096407)
- CVE-2018-4183: Fixed a sandbox bypass due to profile misconfiguration
(bsc#1096408)
The following other issue was fixed:
- Fixed authorization check for clients (like samba) connected through the
local socket when Kerberos authentication is enabled (bsc#1050082)
ModerateSUSE bug 1050082SUSE bug 1061066SUSE bug 1087018SUSE bug 1096405SUSE bug 1096406SUSE bug 1096407SUSE bug 1096408CVE-2017-18248 at SUSECVE-2017-18248 at NVDCVE-2018-4180 at SUSECVE-2018-4180 at NVDCVE-2018-4181 at SUSECVE-2018-4181 at NVDCVE-2018-4182 at SUSECVE-2018-4182 at NVDCVE-2018-4183 at SUSECVE-2018-4183 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libgcrypt (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libgcrypt fixes the following issues:
The following security vulnerability was addressed:
- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for
ECDSA signatures (bsc#1097410).
The following other issues were fixed:
- Extended the fipsdrv dsa-sign and dsa-verify commands with the
--algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)
ModerateSUSE bug 1064455SUSE bug 1090766SUSE bug 1097410CVE-2018-0495 at SUSECVE-2018-0495 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for nautilus (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for nautilus fixes the following issues:
Security issue fixed:
- CVE-2017-14604: Add a metadata::trusted metadata to the file once the user
acknowledges the file as trusted, and also remove the 'trusted' content in the
desktop file (bsc#1060031).
LowSUSE bug 1060031CVE-2017-14604 at SUSECVE-2017-14604 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python fixes the following issues:
The following security vulnerabilities were addressed:
- Add a check to Lib/wave.py that verifies that at least one channel is
provided. Prior to this, attackers could cause a denial of service via a
crafted wav format audio file. [bsc#1083507, CVE-2017-18207]
ModerateSUSE bug 1083507CVE-2017-18207 at SUSECVE-2017-18207 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libsndfile (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libsndfile fixes the following issues:
Security issues fixed:
- CVE-2018-13139: Fix a stack-based buffer overflow in psf_memset in common.c that allows remote attackers to cause a denial of service (bsc#1100167).
- CVE-2017-17456: Prevent segmentation fault in the function d2alaw_array() that may have lead to a remote DoS (bsc#1071777)
- CVE-2017-17457: Prevent segmentation fault in the function d2ulaw_array() that may have lead to a remote DoS, a different vulnerability than CVE-2017-14246 (bsc#1071767)
ModerateSUSE bug 1071767SUSE bug 1071777SUSE bug 1100167CVE-2017-17456 at SUSECVE-2017-17456 at NVDCVE-2017-17457 at SUSECVE-2017-17457 at NVDCVE-2018-13139 at SUSECVE-2018-13139 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for rsyslog (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for rsyslog fixes the following issues:
The following security vulnerability was addressed:
CVE-2015-3243: Make sure that log files are not created world-readable (bsc#935393)
ModerateSUSE bug 935393CVE-2015-3243 at SUSECVE-2015-3243 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for util-linux (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for util-linux fixes the following issues:
This non-security issue was fixed:
- CVE-2018-7738: bash-completion/umount allowed local users to gain privileges
by embedding shell commands in a mountpoint name, which was mishandled during a
umount command by a different user (bsc#1084300).
These non-security issues were fixed:
- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).
ModerateSUSE bug 1072947SUSE bug 1078662SUSE bug 1080740SUSE bug 1084300CVE-2018-7738 at SUSECVE-2018-7738 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openssh (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssh fixes the following issues:
Security issue fixed:
- CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957).
ModerateSUSE bug 1076957CVE-2016-10708 at SUSECVE-2016-10708 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for shadow (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for shadow fixes the following issues:
- CVE-2016-6252: Incorrect integer handling could results in local privilege escalation (bsc#1099310)
ImportantSUSE bug 1099310CVE-2016-6252 at SUSECVE-2016-6252 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for polkit (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for polkit fixes the following issues:
Security issue fixed:
- CVE-2018-1116: Fix uid comparison lacking in polkit_backend_interactive_authority_check_authorization (bsc#1099031).
ModerateSUSE bug 1099031CVE-2018-1116 at SUSECVE-2018-1116 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libtirpc (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libtirpc fixes the following issues:
Security issue fixed:
- bsc#968175: Fix remote crash of RPC services.
Bug fixes:
- bsc#1072183: Send RPC getport call as specified via parameter.
ImportantSUSE bug 1072183SUSE bug 968175cpe:/o:suse:sles_teradata:12:sp3Security update for mutt (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mutt fixes the following issues:
Security issues fixed:
- bsc#1101428: Mutt 1.10.1 security release update.
- CVE-2018-14351: Fix imap/command.c that mishandles long IMAP status mailbox literal count size (bsc#1101583).
- CVE-2018-14353: Fix imap_quote_string in imap/util.c that has an integer underflow (bsc#1101581).
- CVE-2018-14362: Fix pop.c that does not forbid characters that may have unsafe interaction with message-cache pathnames (bsc#1101567).
- CVE-2018-14354: Fix arbitrary command execution from remote IMAP servers via backquote characters (bsc#1101578).
- CVE-2018-14352: Fix imap_quote_string in imap/util.c that does not leave room for quote characters (bsc#1101582).
- CVE-2018-14356: Fix pop.c that mishandles a zero-length UID (bsc#1101576).
- CVE-2018-14355: Fix imap/util.c that mishandles '..' directory traversal in a mailbox name (bsc#1101577).
- CVE-2018-14349: Fix imap/command.c that mishandles a NO response without a message (bsc#1101589).
- CVE-2018-14350: Fix imap/message.c that has a stack-based buffer overflow for a FETCH response with along INTERNALDATE field (bsc#1101588).
- CVE-2018-14363: Fix newsrc.c that does not properlyrestrict '/' characters that may have unsafe interaction with cache pathnames (bsc#1101566).
- CVE-2018-14359: Fix buffer overflow via base64 data (bsc#1101570).
- CVE-2018-14358: Fix imap/message.c that has a stack-based buffer overflow for a FETCH response with along RFC822.SIZE field (bsc#1101571).
- CVE-2018-14360: Fix nntp_add_group in newsrc.c that has a stack-based buffer overflow because of incorrect sscanf usage (bsc#1101569).
- CVE-2018-14357: Fix that remote IMAP servers are allowed to execute arbitrary commands via backquote characters (bsc#1101573).
- CVE-2018-14361: Fix that nntp.c proceeds even if memory allocation fails for messages data (bsc#1101568).
Bug fixes:
- mutt reports as neomutt and incorrect version (bsc#1094717)
- No sidebar available in mutt 1.6.1 from Tumbleweed snapshot 20160517 (bsc#980830)
- mutt-1.6.1 unusable when built with --enable-sidebar (bsc#982129)
- (neo)mutt displaying times in Zulu time (bsc#1061343)
- mutt unconditionally segfaults when displaying a message (bsc#986534)
ImportantSUSE bug 1061343SUSE bug 1094717SUSE bug 1101428SUSE bug 1101566SUSE bug 1101567SUSE bug 1101568SUSE bug 1101569SUSE bug 1101570SUSE bug 1101571SUSE bug 1101573SUSE bug 1101576SUSE bug 1101577SUSE bug 1101578SUSE bug 1101581SUSE bug 1101582SUSE bug 1101583SUSE bug 1101588SUSE bug 1101589SUSE bug 980830SUSE bug 982129SUSE bug 986534CVE-2014-9116 at SUSECVE-2014-9116 at NVDCVE-2018-14349 at SUSECVE-2018-14349 at NVDCVE-2018-14350 at SUSECVE-2018-14350 at NVDCVE-2018-14351 at SUSECVE-2018-14351 at NVDCVE-2018-14352 at SUSECVE-2018-14352 at NVDCVE-2018-14353 at SUSECVE-2018-14353 at NVDCVE-2018-14354 at SUSECVE-2018-14354 at NVDCVE-2018-14355 at SUSECVE-2018-14355 at NVDCVE-2018-14356 at SUSECVE-2018-14356 at NVDCVE-2018-14357 at SUSECVE-2018-14357 at NVDCVE-2018-14358 at SUSECVE-2018-14358 at NVDCVE-2018-14359 at SUSECVE-2018-14359 at NVDCVE-2018-14360 at SUSECVE-2018-14360 at NVDCVE-2018-14361 at SUSECVE-2018-14361 at NVDCVE-2018-14362 at SUSECVE-2018-14362 at NVDCVE-2018-14363 at SUSECVE-2018-14363 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for perl-Archive-Zip (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for perl-Archive-Zip fixes the following security issue:
- CVE-2018-10860: Prevent directory traversal caused by not properly sanitizing
paths while extracting zip files. An attacker able to provide a specially
crafted archive for processing could have used this flaw to write or overwrite
arbitrary files in the context of the perl interpreter (bsc#1099497)
ModerateSUSE bug 1099497CVE-2018-10860 at SUSECVE-2018-10860 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following security issues:
- CVE-2018-3646: Systems with microprocessors utilizing speculative execution
and address translations may have allowed unauthorized disclosure of
information residing in the L1 data cache to an attacker with local user access
with guest OS privilege via a terminal page fault and a side-channel analysis
(bsc#1091107, bsc#1027519).
- Incorrect MSR_DEBUGCTL handling let guests enable BTS allowing a malicious or
buggy guest administrator can lock up the entire host (bsc#1103276)
ImportantSUSE bug 1027519SUSE bug 1091107SUSE bug 1103276CVE-2018-3646 at SUSECVE-2018-3646 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libcares2 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libcares2 fixes the following issues:
- CVE-2017-1000381: A NAPTR parser out of bounds access was fixed that could lead to crashes. (bsc#1044946)
ModerateSUSE bug 1044946CVE-2017-1000381 at SUSECVE-2017-1000381 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gdk-pixbuf (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gdk-pixbuf fixes the following issues:
Security issue fixed:
- CVE-2015-4491: Fix integer multiplication overflow that allows for DoS or potentially RCE (bsc#1053417).
ModerateSUSE bug 1053417CVE-2015-4491 at SUSECVE-2015-4491 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for procps (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for procps fixes the following security issues:
- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top
with HOME unset in an attacker-controlled directory, the attacker could have
achieved privilege escalation by exploiting one of several vulnerabilities in
the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow.
Inbuilt protection in ps maped a guard page at the end of the overflowed
buffer, ensuring that the impact of this flaw is limited to a crash (temporary
denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap
corruption in file2strvec function. This allowed a privilege escalation for a
local attacker who can create entries in procfs by starting processes, which
could result in crashes or arbitrary code execution in proc utilities run by
other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was
mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent
truncation/integer overflow issues (bsc#1092100).
ModerateSUSE bug 1092100CVE-2018-1122 at SUSECVE-2018-1122 at NVDCVE-2018-1123 at SUSECVE-2018-1123 at NVDCVE-2018-1124 at SUSECVE-2018-1124 at NVDCVE-2018-1125 at SUSECVE-2018-1125 at NVDCVE-2018-1126 at SUSECVE-2018-1126 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libgcrypt (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libgcrypt fixes the following issues:
The following security vulnerability was addressed:
- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for
ECDSA signatures (bsc#1097410).
The following other issues were fixed:
- Extended the fipsdrv dsa-sign and dsa-verify commands with the
--algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)
ModerateSUSE bug 1064455SUSE bug 1090766SUSE bug 1097410CVE-2018-0495 at SUSECVE-2018-0495 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libcgroup (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libcgroup fixes the following issues:
Security issue fixed:
- CVE-2018-14348: Fix daemon that creates /var/log/cgred with mode 0666 (bsc#1100365).
This updates also sets the permissions of already existing log files to proper values.
ModerateSUSE bug 1100365CVE-2018-14348 at SUSECVE-2018-14348 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gdm (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gdm fixes the following security issue:
- CVE-2018-14424: The daemon in GDM did not properly unexport display objects
from its D-Bus interface when they are destroyed, which allowed a local
attacker to trigger a use-after-free via a specially crafted sequence of D-Bus
method calls, resulting in a denial of service or potential code execution
(bsc#1103737).
ModerateSUSE bug 1103737CVE-2018-14424 at SUSECVE-2018-14424 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for spice-gtk (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for spice-gtk fixes the following issues:
Security issues fixed:
- CVE-2018-10873: Fix potential heap corruption when demarshalling (bsc#1104448)
- CVE-2018-10893: Avoid buffer overflow on image lz checks (bsc#1101295)
ImportantSUSE bug 1101295SUSE bug 1104448CVE-2018-10873 at SUSECVE-2018-10873 at NVDCVE-2018-10893 at SUSECVE-2018-10893 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for spice (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for spice fixes the following issues:
Security issues fixed:
- CVE-2018-10873: Fix potential heap corruption when demarshalling (bsc#1104448)
- CVE-2018-10893: Avoid buffer overflow on image lz checks (bsc#1101295)
ImportantSUSE bug 1101295SUSE bug 1104448CVE-2018-10873 at SUSECVE-2018-10873 at NVDCVE-2018-10893 at SUSECVE-2018-10893 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for dovecot22 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for dovecot22 fixes the following issues:
Security issue fixed:
- CVE-2017-15130: Fixed a potential denial of service via TLS SNI config
lookups, which would slow the process down and could have led to exhaustive
memory allocation and/or process restarts (bsc#1082828)
ImportantSUSE bug 1082828CVE-2017-15130 at SUSECVE-2017-15130 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_7_1-ibm fixes the following issues:
Security issues fixed:
- CVE-2018-1517: Fixed a flaw in the java.math component in IBM SDK, which may
allow an attacker to inflict a denial-of-service attack with specially
crafted String data.
- CVE-2018-1656: Protect against path traversal attacks when extracting
compressed dump files.
- CVE-2018-2940: Fixed an easily exploitable vulnerability in the libraries
subcomponent, which allowed unauthenticated attackers with network access
via multiple protocols to compromise the Java SE, leading to
unauthorized read access.
- CVE-2018-2952: Fixed an easily exploitable vulnerability in the concurrency
subcomponent, which allowed unauthenticated attackers with network access
via multiple protocols to compromise the Java SE, leading to denial of
service.
- CVE-2018-2973: Fixed a difficult to exploit vulnerability in the JSSE
subcomponent, which allowed unauthenticated attackers with network access
via SSL/TLS to compromise the Java SE, leading to unauthorized creation,
deletion or modification access to critical data.
- CVE-2018-12539: Fixed a vulnerability in which users other than the process
owner may be able to use Java Attach API to connect to the IBM JVM on the
same machine and use Attach API operations, including the ability to execute
untrusted arbitrary code.
Other changes made:
- Various JIT/JVM crash fixes
- Version update to 7.1.4.30 (bsc#1104668)
You can find detailed information about this update [here](https://developer.ibm.com/javasdk/support/security-vulnerabilities/#IBM_Security_Update_August_2018).
ImportantSUSE bug 1104668CVE-2018-12539 at SUSECVE-2018-12539 at NVDCVE-2018-1517 at SUSECVE-2018-1517 at NVDCVE-2018-1656 at SUSECVE-2018-1656 at NVDCVE-2018-2940 at SUSECVE-2018-2940 at NVDCVE-2018-2952 at SUSECVE-2018-2952 at NVDCVE-2018-2973 at SUSECVE-2018-2973 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3 provides the following fixes:
These security issues were fixed:
- CVE-2018-1061: Prevent catastrophic backtracking in the difflib.IS_LINE_JUNK
method. An attacker could have used this flaw to cause denial of service
(bsc#1088004).
- CVE-2018-1060: Prevent catastrophic backtracking in pop3lib's apop() method.
An attacker could have used this flaw to cause denial of service (bsc#1088009).
These non-security issues were fixed:
- Sort files and directories when creating tarfile archives so that they are created in a
more predictable way. (bsc#1086001)
- Add -fwrapv to OPTS (bsc#1107030)
ModerateSUSE bug 1086001SUSE bug 1088004SUSE bug 1088009SUSE bug 1107030CVE-2018-1060 at SUSECVE-2018-1060 at NVDCVE-2018-1061 at SUSECVE-2018-1061 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tomcat (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tomcat to 8.0.53 fixes the following issues:
Security issue fixed:
- CVE-2018-1336: An improper handing of overflow in the UTF-8 decoder with
supplementary characters could have lead to an infinite loop in the decoder
causing a Denial of Service (bsc#1102400).
- CVE-2018-8034: The host name verification when using TLS with the WebSocket
client was missing. It is now enabled by default (bsc#1102379).
- CVE-2018-8037: If an async request was completed by the application at the
same time as the container triggered the async timeout, a race condition
existed that could have resulted in a user seeing a response intended for a
different user. An additional issue was present in the NIO and NIO2 connectors
that did not correctly track the closure of the connection when an async
request was completed by the application and timed out by the container at the
same time. This could also have resulted in a user seeing a response intended
for another user (bsc#1102410).
- CVE-2018-8014: Fix insecure default CORS filter settings (bsc#1093697).
Bug fixes:
- bsc#1067720: Avoid overwriting of customer's configuration during update.
- bsc#1095472: Add Obsoletes for tomcat6 packages.
ModerateSUSE bug 1067720SUSE bug 1093697SUSE bug 1095472SUSE bug 1102379SUSE bug 1102400SUSE bug 1102410CVE-2018-1336 at SUSECVE-2018-1336 at NVDCVE-2018-8014 at SUSECVE-2018-8014 at NVDCVE-2018-8034 at SUSECVE-2018-8034 at NVDCVE-2018-8037 at SUSECVE-2018-8037 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for curl (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for curl fixes the following issues:
This security issue was fixed:
- CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019)
This non-security issue was fixed:
- Fixed erroneous debug message when paired with OpenSSL (bsc#1089533)
ModerateSUSE bug 1089533SUSE bug 1106019CVE-2018-14618 at SUSECVE-2018-14618 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openslp (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openslp fixes the following issues:
- CVE-2017-17833: Prevent heap-related memory corruption issue which may have
manifested itself as a denial-of-service or a remote code-execution
vulnerability (bsc#1090638)
- Prevent out of bounds reads in message parsing
ImportantSUSE bug 1090638CVE-2017-17833 at SUSECVE-2017-17833 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ImageMagick fixes the following issues:
The following security vulnerabilities were fixed:
- CVE-2018-16329: Prevent NULL pointer dereference in the GetMagickProperty
function leading to DoS (bsc#1106858)
- CVE-2018-16323: ReadXBMImage left data uninitialized when processing an XBM
file that has a negative pixel value. If the affected code was used as a
library loaded into a process that includes sensitive information, that
information sometimes can be leaked via the image data (bsc#1106855)
- CVE-2018-14434: Fixed a memory leak for a colormap in WriteMPCImage
(bsc#1102003)
- CVE-2018-14435: Fixed a memory leak in DecodeImage in coders/pcd.c
(bsc#1102007)
- CVE-2018-14436: Fixed a memory leak in ReadMIFFImage in coders/miff.c
(bsc#1102005)
- CVE-2018-14437: Fixed a memory leak in parse8BIM in coders/meta.c
(bsc#1102004)
- Disable PS, PS2, PS3, XPS and PDF coders in default policy.xml (bsc#1105592)
ModerateSUSE bug 1102003SUSE bug 1102004SUSE bug 1102005SUSE bug 1102007SUSE bug 1105592SUSE bug 1106855SUSE bug 1106858CVE-2018-14434 at SUSECVE-2018-14434 at NVDCVE-2018-14435 at SUSECVE-2018-14435 at NVDCVE-2018-14436 at SUSECVE-2018-14436 at NVDCVE-2018-14437 at SUSECVE-2018-14437 at NVDCVE-2018-16323 at SUSECVE-2018-16323 at NVDCVE-2018-16329 at SUSECVE-2018-16329 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for liblouis (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for liblouis, python-louis, python3-louis fixes the
following issues:
Security issues fixed:
- CVE-2018-11440: Fixed a stack-based buffer overflow in the function
parseChars() in compileTranslationTable.c (bsc#1095189)
- CVE-2018-11577: Fixed a segmentation fault in lou_logPrint in logging.c
(bsc#1095945)
- CVE-2018-11683: Fixed a stack-based buffer overflow in the function
parseChars() in compileTranslationTable.c (different vulnerability than
CVE-2018-11440) (bsc#1095827)
- CVE-2018-11684: Fixed stack-based buffer overflow in the function
includeFile() in compileTranslationTable.c (bsc#1095826)
- CVE-2018-11685: Fixed a stack-based buffer overflow in the function
compileHyphenation() in compileTranslationTable.c (bsc#1095825)
- CVE-2018-12085: Fixed a stack-based buffer overflow in the function
parseChars() in compileTranslationTable.c (different vulnerability than
CVE-2018-11440) (bsc#1097103)
ModerateSUSE bug 1095189SUSE bug 1095825SUSE bug 1095826SUSE bug 1095827SUSE bug 1095945SUSE bug 1097103CVE-2018-11440 at SUSECVE-2018-11440 at NVDCVE-2018-11577 at SUSECVE-2018-11577 at NVDCVE-2018-11683 at SUSECVE-2018-11683 at NVDCVE-2018-11684 at SUSECVE-2018-11684 at NVDCVE-2018-11685 at SUSECVE-2018-11685 at NVDCVE-2018-12085 at SUSECVE-2018-12085 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libzypp, zypper (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libzypp, zypper fixes the following issues:
Update libzypp to version 16.17.20:
Security issues fixed:
- PackageProvider: Validate deta rpms before caching (bsc#1091624,
bsc#1088705, CVE-2018-7685)
- PackageProvider: Validate downloaded rpm package signatures before
caching (bsc#1091624, bsc#1088705, CVE-2018-7685)
Other bugs fixed:
- lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304)
- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
- RepoManager: Explicitly request repo2solv to generate application
pseudo packages.
- libzypp-devel should not require cmake (bsc#1101349)
- HardLocksFile: Prevent against empty commit without Target having
been been loaded (bsc#1096803)
- Avoid zombie tar processes (bsc#1076192)
Update to zypper to version 1.13.45:
Security issues fixed:
- Improve signature check callback messages (bsc#1045735, CVE-2017-9269)
- add/modify repo: Add options to tune the GPG check settings
(bsc#1045735, CVE-2017-9269)
Other bugs fixed:
- XML <install-summary> attribute `packages-to-change` added (bsc#1102429)
- man: Strengthen that `--config FILE' affects zypper.conf,
not zypp.conf (bsc#1100028)
- Prevent nested calls to exit() if aborted by a signal (bsc#1092413)
- ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413)
- Fix: zypper bash completion expands non-existing options (bsc#1049825)
- Improve signature check callback messages (bsc#1045735)
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735)
ImportantSUSE bug 1036304SUSE bug 1045735SUSE bug 1049825SUSE bug 1070851SUSE bug 1076192SUSE bug 1088705SUSE bug 1091624SUSE bug 1092413SUSE bug 1096803SUSE bug 1099847SUSE bug 1100028SUSE bug 1101349SUSE bug 1102429CVE-2017-9269 at SUSECVE-2017-9269 at NVDCVE-2018-7685 at SUSECVE-2018-7685 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for apache2 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for apache2 fixes the following issues:
Security issues fixed:
- CVE-2016-8743: Fixed liberal whitespace interpretation accepted from requests
and sent in response lines and headers. Accepting these different behaviors
represented a security concern when httpd participates in any chain of
proxies or interacts with back-end application servers, either through
mod_proxy or using conventional CGI mechanisms, and may result in request
smuggling, response splitting and cache pollution. (bsc#1016715)
- CVE-2016-4975: Fixed possible CRLF injection allowing HTTP response splitting
attacks for sites which use mod_userdir. This issue was mitigated by changes
which prohibit CR or LF injection into the 'Location' or other outbound
header key or value. (bsc#1104826)
ModerateSUSE bug 1016715SUSE bug 1104826CVE-2016-4975 at SUSECVE-2016-4975 at NVDCVE-2016-8743 at SUSECVE-2016-8743 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libXcursor (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libXcursor fixes the following security issue:
- CVE-2015-9262: _XcursorThemeInherits allowed remote attackers to cause denial
of service or potentially code execution via a one-byte heap overflow
(bsc#1103511).
ModerateSUSE bug 1103511CVE-2015-9262 at SUSECVE-2015-9262 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-ibm to 8.0.5.20 fixes the following security issues:
- CVE-2018-2952: Vulnerability in subcomponent: Concurrency. Difficult to
exploit vulnerability allowed unauthenticated attacker with network access via
multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful
attacks of this vulnerability can result in unauthorized ability to cause a
partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit
(bsc#1104668)
- CVE-2018-2940: Vulnerability in subcomponent: Libraries. Easily exploitable
vulnerability allowed unauthenticated attacker with network access via multiple
protocols to compromise Java SE, Java SE Embedded. Successful attacks require
human interaction from a person other than the attacker. Successful attacks of
this vulnerability can result in unauthorized read access to a subset of Java
SE, Java SE Embedded accessible data (bsc#1104668)
- CVE-2018-2973: Vulnerability in subcomponent: JSSE. Difficult to exploit
vulnerability allowed unauthenticated attacker with network access via SSL/TLS
to compromise Java SE, Java SE Embedded. Successful attacks of this
vulnerability can result in unauthorized creation, deletion or modification
access to critical data or all Java SE, Java SE Embedded accessible data
(bsc#1104668)
- CVE-2018-2964: Vulnerability in subcomponent: Deployment. Difficult to
exploit vulnerability allowed unauthenticated attacker with network access via
multiple protocols to compromise Java SE. Successful attacks require human
interaction from a person other than the attacker. Successful attacks of this
vulnerability can result in takeover of Java SE. (bsc#1104668)
- CVE-2016-0705: Prevent double free in the dsa_priv_decode function that
allowed remote attackers to cause a denial of service (memory corruption) or
possibly have unspecified other impact via a malformed DSA private key
(bsc#1104668)
- CVE-2017-3732: Prevent carry propagating bug in the x86_64 Montgomery
squaring procedure (bsc#1104668)
- CVE-2017-3736: Prevent carry propagating bug in the x86_64 Montgomery
squaring procedure (bsc#1104668)
- CVE-2018-1517: Unspecified vulnerability (bsc#1104668)
- CVE-2018-1656: Unspecified vulnerability (bsc#1104668)
- CVE-2018-12539: Users other than the process owner might have been able to
use Java Attach API to connect to an IBM JVM on the same machine and use Attach
API operations, which includes the ability to execute untrusted native code
(bsc#1104668)
ModerateSUSE bug 1104668CVE-2016-0705 at SUSECVE-2016-0705 at NVDCVE-2017-3732 at SUSECVE-2017-3732 at NVDCVE-2017-3736 at SUSECVE-2017-3736 at NVDCVE-2018-12539 at SUSECVE-2018-12539 at NVDCVE-2018-1517 at SUSECVE-2018-1517 at NVDCVE-2018-1656 at SUSECVE-2018-1656 at NVDCVE-2018-2940 at SUSECVE-2018-2940 at NVDCVE-2018-2952 at SUSECVE-2018-2952 at NVDCVE-2018-2964 at SUSECVE-2018-2964 at NVDCVE-2018-2973 at SUSECVE-2018-2973 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ant (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ant fixes the following issues:
Security issue fixed:
- CVE-2018-10886: Fixed a path traversal vulnerability in malformed zip file
paths, which allowed arbitrary file writes and could potentially lead to
code execution (bsc#1100053)
ModerateSUSE bug 1100053CVE-2018-10886 at SUSECVE-2018-10886 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tiff (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tiff fixes the following issues:
Security issues fixed:
- CVE-2018-10779: Fixed a heap-based buffer overflow in TIFFWriteScanline()
in tif_write.c (bsc#1092480)
- CVE-2017-17942: Fixed a heap-based buffer overflow in the function
PackBitsEncode in tif_packbits.c. (bsc#1074186)
- CVE-2016-5319: Fixed a beap-based buffer overflow in bmp2tiff (bsc#983440)
ModerateSUSE bug 1074186SUSE bug 1092480SUSE bug 983440CVE-2016-5319 at SUSECVE-2016-5319 at NVDCVE-2017-17942 at SUSECVE-2017-17942 at NVDCVE-2018-10779 at SUSECVE-2018-10779 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gnutls (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gnutls fixes the following issues:
Security issues fixed:
- Improved mitigations against Lucky 13 class of attacks
- 'Just in Time' PRIME + PROBE cache-based side channel attack can lead to plaintext recovery (CVE-2018-10846, bsc#1105460)
- HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of wrong constant (CVE-2018-10845, bsc#1105459)
- HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not enough dummy function calls (CVE-2018-10844, bsc#1105437)
- The _asn1_check_identifier function in Libtasn1 caused a NULL pointer dereference and crash (CVE-2017-10790, bsc#1047002)
ModerateSUSE bug 1047002SUSE bug 1105437SUSE bug 1105459SUSE bug 1105460CVE-2017-10790 at SUSECVE-2017-10790 at NVDCVE-2018-10844 at SUSECVE-2018-10844 at NVDCVE-2018-10845 at SUSECVE-2018-10845 at NVDCVE-2018-10846 at SUSECVE-2018-10846 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gd (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gd fixes the following issues:
Security issue fixed:
- CVE-2018-1000222: Fixed a double free vulnerability in gdImageBmpPtr() that
could result in remote code execution. This could have been exploited via a
specially crafted JPEG image files. (bsc#1105434)
ModerateSUSE bug 1105434CVE-2018-1000222 at SUSECVE-2018-1000222 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for shadow (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for shadow fixes the following security issue:
- Prevent useradd from creating intermediate directories with mode 0777 (bsc#1106914)
ModerateSUSE bug 1106914cpe:/o:suse:sles_teradata:12:sp3Security update for wireshark (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for wireshark to version 2.4.9 fixes the following issues:
Wireshark was updated to 2.4.9 (bsc#1094301, bsc#1106514).
Security issues fixed:
- CVE-2018-16058: Bluetooth AVDTP dissector crash (wnpa-sec-2018-44)
- CVE-2018-16056: Bluetooth Attribute Protocol dissector crash (wnpa-sec-2018-45)
- CVE-2018-16057: Radiotap dissector crash (wnpa-sec-2018-46)
- CVE-2018-11355: Fix RTCP dissector crash (bsc#1094301).
- CVE-2018-14370: IEEE 802.11 dissector crash (wnpa-sec-2018-43, bsc#1101802)
- CVE-2018-14368: Bazaar dissector infinite loop (wnpa-sec-2018-40, bsc#1101794)
- CVE-2018-11362: Fix LDSS dissector crash (bsc#1094301).
- CVE-2018-11361: Fix IEEE 802.11 dissector crash (bsc#1094301).
- CVE-2018-11360: Fix GSM A DTAP dissector crash (bsc#1094301).
- CVE-2018-14342: BGP dissector large loop (wnpa-sec-2018-34, bsc#1101777)
- CVE-2018-14343: ASN.1 BER dissector crash (wnpa-sec-2018-37, bsc#1101786)
- CVE-2018-14340: Multiple dissectors could crash (wnpa-sec-2018-36, bsc#1101804)
- CVE-2018-14341: DICOM dissector crash (wnpa-sec-2018-39, bsc#1101776)
- CVE-2018-11358: Fix Q.931 dissector crash (bsc#1094301).
- CVE-2018-14344: ISMP dissector crash (wnpa-sec-2018-35, bsc#1101788)
- CVE-2018-11359: Fix multiple dissectors crashs (bsc#1094301).
- CVE-2018-11356: Fix DNS dissector crash (bsc#1094301).
- CVE-2018-14339: MMSE dissector infinite loop (wnpa-sec-2018-38, bsc#1101810)
- CVE-2018-11357: Fix multiple dissectors that could consume excessive memory (bsc#1094301).
- CVE-2018-14367: CoAP dissector crash (wnpa-sec-2018-42, bsc#1101791)
- CVE-2018-11354: Fix IEEE 1905.1a dissector crash (bsc#1094301).
- CVE-2018-14369: HTTP2 dissector crash (wnpa-sec-2018-41, bsc#1101800)
Further bug fixes and updated protocol support as listed in:
https://www.wireshark.org/docs/relnotes/wireshark-2.4.9.html
ModerateSUSE bug 1094301SUSE bug 1101776SUSE bug 1101777SUSE bug 1101786SUSE bug 1101788SUSE bug 1101791SUSE bug 1101794SUSE bug 1101800SUSE bug 1101802SUSE bug 1101804SUSE bug 1101810SUSE bug 1106514CVE-2018-11354 at SUSECVE-2018-11354 at NVDCVE-2018-11355 at SUSECVE-2018-11355 at NVDCVE-2018-11356 at SUSECVE-2018-11356 at NVDCVE-2018-11357 at SUSECVE-2018-11357 at NVDCVE-2018-11358 at SUSECVE-2018-11358 at NVDCVE-2018-11359 at SUSECVE-2018-11359 at NVDCVE-2018-11360 at SUSECVE-2018-11360 at NVDCVE-2018-11361 at SUSECVE-2018-11361 at NVDCVE-2018-11362 at SUSECVE-2018-11362 at NVDCVE-2018-14339 at SUSECVE-2018-14339 at NVDCVE-2018-14340 at SUSECVE-2018-14340 at NVDCVE-2018-14341 at SUSECVE-2018-14341 at NVDCVE-2018-14342 at SUSECVE-2018-14342 at NVDCVE-2018-14343 at SUSECVE-2018-14343 at NVDCVE-2018-14344 at SUSECVE-2018-14344 at NVDCVE-2018-14367 at SUSECVE-2018-14367 at NVDCVE-2018-14368 at SUSECVE-2018-14368 at NVDCVE-2018-14369 at SUSECVE-2018-14369 at NVDCVE-2018-14370 at SUSECVE-2018-14370 at NVDCVE-2018-16056 at SUSECVE-2018-16056 at NVDCVE-2018-16057 at SUSECVE-2018-16057 at NVDCVE-2018-16058 at SUSECVE-2018-16058 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for smt, yast2-smt (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for yast2-smt to 3.0.14 and smt to 3.0.37 fixes the following issues:
These security issues were fixed in SMT:
- CVE-2018-12471: Xml External Entity processing in the RegistrationSharing
modules allowed to read arbitrary file read (bsc#1103809).
- CVE-2018-12470: SQL injection in RegistrationSharing module allows remote
attackers to run arbitrary SQL statements (bsc#1103810).
- CVE-2018-12472: Authentication bypass in sibling check facilitated further
attacks on SMT (bsc#1104076).
SUSE would like to thank Jake Miller for reporting these issues to us.
These non-security issues were fixed in SMT:
- Fix cron jobs randomization (bsc#1097560)
- Fix duplicate migration paths (bsc#1097824)
This non-security issue was fixed in yast2-smt:
- Remove cron job rescheduling (bsc#1097560)
- Added missing translation marks (bsc#1037811)
- Explicitly mention 'Organization Credentials' (fate#321759)
- Rearrange the SMT set-up dialog (bsc#977043)
- Make the Filter button default (bsc#1006984)
- Prevent exiting the repo selection dialog via hitting Enter in
the repository filter (bsc#1006984)
- report when error occurs during repo mirroring (bsc#1006989)
- Use TextEntry-based filter for repos (fate#319777)
ImportantSUSE bug 1006984SUSE bug 1006989SUSE bug 1037811SUSE bug 1097560SUSE bug 1097824SUSE bug 1103809SUSE bug 1103810SUSE bug 1104076SUSE bug 977043CVE-2018-12470 at SUSECVE-2018-12470 at NVDCVE-2018-12471 at SUSECVE-2018-12471 at NVDCVE-2018-12472 at SUSECVE-2018-12472 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for yast2-smt (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update fixes the following issue in yast2-smt:
- Remove cron job rescheduling (bsc#1097560)
This update is a requirement for the security update for SMT. Because of that it is
tagged as security to ensure that all users, even those that only install security updates,
install it.
ImportantSUSE bug 1097560cpe:/o:suse:sles_teradata:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssl fixes the following issues:
These security issues were fixed:
- Prevent One&Done side-channel attack on RSA that allowed physically near
attackers to use EM emanations to recover information (bsc#1104789)
- CVE-2018-0737: The RSA Key generation algorithm has been shown to be
vulnerable to a cache timing side channel attack. An attacker with sufficient
access to mount cache timing attacks during the RSA key generation process
could have recovered the private key (bsc#1089039)
These non-security issues were fixed:
- Add openssl(cli) Provide so the packages that require the openssl
binary can require this instead of the new openssl meta package
(bsc#1101470)
- Fixed path to the engines which are under /lib64 on SLE-12 (bsc#1101246,
bsc#997043)
ModerateSUSE bug 1089039SUSE bug 1101246SUSE bug 1101470SUSE bug 1104789SUSE bug 1106197SUSE bug 997043CVE-2018-0737 at SUSECVE-2018-0737 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for unzip (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for unzip fixes the following security issues:
- CVE-2014-9913: Specially crafted zip files could trigger invalid memory
writes possibly resulting in DoS or corruption (bsc#1013993)
- CVE-2015-7696: Specially crafted zip files with password protection could
trigger a crash and lead to denial of service (bsc#950110)
- CVE-2015-7697: Specially crafted zip files could trigger an endless loop and
lead to denial of service (bsc#950111)
- CVE-2016-9844: Specially crafted zip files could trigger invalid memory
writes possibly resulting in DoS or corruption (bsc#1013992)
- CVE-2018-1000035: Prevent heap-based buffer overflow in the processing of
password-protected archives that allowed an attacker to perform a denial of
service or to possibly achieve code execution (bsc#1080074).
- CVE-2014-9636: Prevent denial of service (out-of-bounds read or write and
crash) via an extra field with an uncompressed size smaller than the compressed
field size in a zip archive that advertises STORED method compression
(bsc#914442).
This non-security issue was fixed:
+- Allow processing of Windows zip64 archives (Windows archivers set
total_disks field to 0 but per standard, valid values are 1 and higher)
(bnc#910683)
ModerateSUSE bug 1013992SUSE bug 1013993SUSE bug 1080074SUSE bug 910683SUSE bug 914442SUSE bug 950110SUSE bug 950111CVE-2014-9636 at SUSECVE-2014-9636 at NVDCVE-2014-9913 at SUSECVE-2014-9913 at NVDCVE-2015-7696 at SUSECVE-2015-7696 at NVDCVE-2015-7697 at SUSECVE-2015-7697 at NVDCVE-2016-9844 at SUSECVE-2016-9844 at NVDCVE-2018-1000035 at SUSECVE-2018-1000035 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ghostscript (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ghostscript to version 9.25 fixes the following issues:
These security issues were fixed:
- CVE-2018-17183: Remote attackers were be able to supply crafted PostScript to
potentially overwrite or replace error handlers to inject code (bsc#1109105)
- CVE-2018-15909: Prevent type confusion using the .shfill operator that could
have been used by attackers able to supply crafted PostScript files to crash
the interpreter or potentially execute code (bsc#1106172).
- CVE-2018-15908: Prevent attackers that are able to supply malicious
PostScript files to bypass .tempfile restrictions and write files
(bsc#1106171).
- CVE-2018-15910: Prevent a type confusion in the LockDistillerParams parameter
that could have been used to crash the interpreter or execute code
(bsc#1106173).
- CVE-2018-15911: Prevent use uninitialized memory access in the aesdecode
operator that could have been used to crash the interpreter or potentially
execute code (bsc#1106195).
- CVE-2018-16513: Prevent a type confusion in the setcolor function that could
have been used to crash the interpreter or possibly have unspecified other
impact (bsc#1107412).
- CVE-2018-16509: Incorrect 'restoration of privilege' checking during handling
of /invalidaccess exceptions could be have been used by attackers able to
supply crafted PostScript to execute code using the 'pipe' instruction
(bsc#1107410).
- CVE-2018-16510: Incorrect exec stack handling in the 'CS' and 'SC' PDF
primitives could have been used by remote attackers able to supply crafted PDFs
to crash the interpreter or possibly have unspecified other impact
(bsc#1107411).
- CVE-2018-16542: Prevent attackers able to supply crafted PostScript files
from using insufficient interpreter stack-size checking during error handling
to crash the interpreter (bsc#1107413).
- CVE-2018-16541: Prevent attackers able to supply crafted PostScript files
from using incorrect free logic in pagedevice replacement to crash the
interpreter (bsc#1107421).
- CVE-2018-16540: Prevent use-after-free in copydevice handling that could have
been used to crash the interpreter or possibly have unspecified other impact
(bsc#1107420).
- CVE-2018-16539: Prevent attackers able to supply crafted PostScript files
from using incorrect access checking in temp file handling to disclose contents
of files on the system otherwise not readable (bsc#1107422).
- CVE-2018-16543: gssetresolution and gsgetresolution allowed attackers to have
an unspecified impact (bsc#1107423).
- CVE-2018-16511: A type confusion in 'ztype' could have been used by remote
attackers able to supply crafted PostScript to crash the interpreter or
possibly have unspecified other impact (bsc#1107426).
- CVE-2018-16585: The .setdistillerkeys PostScript command was accepted even
though it is not intended for use during document processing (e.g., after the
startup phase). This lead to memory corruption, allowing remote attackers able
to supply crafted PostScript to crash the interpreter or possibly have
unspecified other impact (bsc#1107581).
- CVE-2018-16802: Incorrect 'restoration of privilege' checking when running
out of stack during exception handling could have been used by attackers able
to supply crafted PostScript to execute code using the 'pipe' instruction. This
is due to an incomplete fix for CVE-2018-16509 (bsc#1108027).
These non-security issues were fixed:
* Fixes problems with argument handling, some unintended results of the
security fixes to the SAFER file access restrictions (specifically accessing
ICC profile files).
* Avoid that ps2epsi fails with 'Error: /undefined in --setpagedevice--'
For additional changes please check http://www.ghostscript.com/doc/9.25/News.htm
and the changes file of the package.
ImportantSUSE bug 1106171SUSE bug 1106172SUSE bug 1106173SUSE bug 1106195SUSE bug 1107410SUSE bug 1107411SUSE bug 1107412SUSE bug 1107413SUSE bug 1107420SUSE bug 1107421SUSE bug 1107422SUSE bug 1107423SUSE bug 1107426SUSE bug 1107581SUSE bug 1108027SUSE bug 1109105CVE-2018-15908 at SUSECVE-2018-15908 at NVDCVE-2018-15909 at SUSECVE-2018-15909 at NVDCVE-2018-15910 at SUSECVE-2018-15910 at NVDCVE-2018-15911 at SUSECVE-2018-15911 at NVDCVE-2018-16509 at SUSECVE-2018-16509 at NVDCVE-2018-16510 at SUSECVE-2018-16510 at NVDCVE-2018-16511 at SUSECVE-2018-16511 at NVDCVE-2018-16513 at SUSECVE-2018-16513 at NVDCVE-2018-16539 at SUSECVE-2018-16539 at NVDCVE-2018-16540 at SUSECVE-2018-16540 at NVDCVE-2018-16541 at SUSECVE-2018-16541 at NVDCVE-2018-16542 at SUSECVE-2018-16542 at NVDCVE-2018-16543 at SUSECVE-2018-16543 at NVDCVE-2018-16585 at SUSECVE-2018-16585 at NVDCVE-2018-16802 at SUSECVE-2018-16802 at NVDCVE-2018-17183 at SUSECVE-2018-17183 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for mgetty (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mgetty fixes the following security issues:
- CVE-2018-16741: The function do_activate() did not properly sanitize shell
metacharacters to prevent command injection (bsc#1108752)
- CVE-2018-16745: The mail_to parameter was not sanitized, leading to a buffer
overflow if long untrusted input reached it (bsc#1108756)
- CVE-2018-16744: The mail_to parameter was not sanitized, leading to command
injection if untrusted input reached reach it (bsc#1108757)
- CVE-2018-16742: Prevent stack-based buffer overflow that could have been
triggered via a command-line parameter (bsc#1108762)
- CVE-2018-16743: The command-line parameter username wsa passed unsanitized to
strcpy(), which could have caused a stack-based buffer overflow (bsc#1108761)
ImportantSUSE bug 1108752SUSE bug 1108756SUSE bug 1108757SUSE bug 1108761SUSE bug 1108762CVE-2018-16741 at SUSECVE-2018-16741 at NVDCVE-2018-16742 at SUSECVE-2018-16742 at NVDCVE-2018-16743 at SUSECVE-2018-16743 at NVDCVE-2018-16744 at SUSECVE-2018-16744 at NVDCVE-2018-16745 at SUSECVE-2018-16745 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openslp (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openslp fixes the following issues:
- CVE-2017-17833: Prevent heap-related memory corruption issue which may have
manifested itself as a denial-of-service or a remote code-execution
vulnerability (bsc#1090638)
- Prevent out of bounds reads in message parsing
ImportantSUSE bug 1090638CVE-2017-17833 at SUSECVE-2017-17833 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for texlive (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for texlive fixes the following issue:
- CVE-2018-17407: Prevent buffer overflow when handling of Type 1 fonts allowed
arbitrary code execution when a malicious font was loaded by one of the
vulnerable tools: pdflatex, pdftex, dvips, or luatex (bsc#1109673)
ImportantSUSE bug 1109673CVE-2018-17407 at SUSECVE-2018-17407 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-openjdk to the jdk8u181 (icedtea 3.9.0) release fixes the following issues:
These security issues were fixed:
- CVE-2018-2938: Difficult to exploit vulnerability allowed unauthenticated
attacker with network access via multiple protocols to compromise Java SE.
Successful attacks of this vulnerability can result in takeover of Java SE
(bsc#1101644).
- CVE-2018-2940: Vulnerability in subcomponent: Libraries. Easily exploitable
vulnerability allowed unauthenticated attacker with network access via multiple
protocols to compromise Java SE, Java SE Embedded. Successful attacks require
human interaction from a person other than the attacker. Successful attacks of
this vulnerability can result in unauthorized read access to a subset of Java
SE, Java SE Embedded accessible data (bsc#1101645)
- CVE-2018-2952: Vulnerability in subcomponent: Concurrency. Difficult to
exploit vulnerability allowed unauthenticated attacker with network access via
multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful
attacks of this vulnerability can result in unauthorized ability to cause a
partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit
(bsc#1101651)
- CVE-2018-2973: Vulnerability in subcomponent: JSSE. Difficult to exploit
vulnerability allowed unauthenticated attacker with network access via SSL/TLS
to compromise Java SE, Java SE Embedded. Successful attacks of this
vulnerability can result in unauthorized creation, deletion or modification
access to critical data or all Java SE, Java SE Embedded accessible data
(bsc#1101656)
These non-security issues were fixed:
- Improve desktop file usage
- Better Internet address support
- speculative traps break when classes are redefined
- sun/security/pkcs11/ec/ReadCertificates.java fails intermittently
- Clean up code that saves the previous versions of redefined classes
- Prevent SIGSEGV in ReceiverTypeData::clean_weak_klass_links
- RedefineClasses() tests fail assert(((Metadata*)obj)->is_valid()) failed: obj is valid
- NMT is not enabled if NMT option is specified after class path specifiers
- EndEntityChecker should not process custom extensions after PKIX validation
- SupportedDSAParamGen.java failed with timeout
- Montgomery multiply intrinsic should use correct name
- When determining the ciphersuite lists, there is no debug output for disabled suites.
- sun/security/mscapi/SignedObjectChain.java fails on Windows
- On Windows Swing changes keyboard layout on a window activation
- IfNode::range_check_trap_proj() should handler dying subgraph with single if proj
- Even better Internet address support
- Newlines in JAXB string values of SOAP-requests are escaped to '
'
- TestFlushableGZIPOutputStream failing with IndexOutOfBoundsException
- Unable to use JDWP API in JDK 8 to debug JDK 9 VM
- Hotspot crash on Cassandra 3.11.1 startup with libnuma 2.0.3
- Performance drop with Java JDK 1.8.0_162-b32
- Upgrade time-zone data to tzdata2018d
- Fix potential crash in BufImg_SetupICM
- JDK 8u181 l10n resource file update
- Remove debug print statements from RMI fix
- (tz) Upgrade time-zone data to tzdata2018e
- ObjectInputStream filterCheck method throws NullPointerException
- adjust reflective access checks
ImportantSUSE bug 1101644SUSE bug 1101645SUSE bug 1101651SUSE bug 1101656SUSE bug 1106812CVE-2018-2938 at SUSECVE-2018-2938 at NVDCVE-2018-2940 at SUSECVE-2018-2940 at NVDCVE-2018-2952 at SUSECVE-2018-2952 at NVDCVE-2018-2973 at SUSECVE-2018-2973 at NVDCVE-2018-3639 at SUSECVE-2018-3639 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for qpdf (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for qpdf fixes the following issues:
qpdf was updated to 7.1.1.
Security issues fixed:
- CVE-2017-11627: A stack-consumption vulnerability which allows attackers to cause DoS (bsc#1050577).
- CVE-2017-11625: A stack-consumption vulnerability which allows attackers to cause DoS (bsc#1050579).
- CVE-2017-11626: A stack-consumption vulnerability which allows attackers to cause DoS (bsc#1050578).
- CVE-2017-11624: A stack-consumption vulnerability which allows attackers to cause DoS (bsc#1050581).
- CVE-2017-12595: Stack overflow when processing deeply nested arrays and dictionaries (bsc#1055960).
- CVE-2017-9209: Remote attackers can cause a denial of service (infinite recursion and stack consumption) via a crafted PDF document (bsc#1040312).
- CVE-2017-9210: Remote attackers can cause a denial of service (infinite recursion and stack consumption) via a crafted PDF document (bsc#1040313).
- CVE-2017-9208: Remote attackers can cause a denial of service (infinite recursion and stack consumption) via a crafted PDF document (bsc#1040311).
* Check release notes for detailed bug fixes.
* http://qpdf.sourceforge.net/files/qpdf-manual.html#ref.release-notes
ModerateSUSE bug 1040311SUSE bug 1040312SUSE bug 1040313SUSE bug 1050577SUSE bug 1050578SUSE bug 1050579SUSE bug 1050581SUSE bug 1055960CVE-2017-11624 at SUSECVE-2017-11624 at NVDCVE-2017-11625 at SUSECVE-2017-11625 at NVDCVE-2017-11626 at SUSECVE-2017-11626 at NVDCVE-2017-11627 at SUSECVE-2017-11627 at NVDCVE-2017-12595 at SUSECVE-2017-12595 at NVDCVE-2017-9208 at SUSECVE-2017-9208 at NVDCVE-2017-9209 at SUSECVE-2017-9209 at NVDCVE-2017-9210 at SUSECVE-2017-9210 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for soundtouch (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for soundtouch fixes the following security issue:
- CVE-2018-1000223: Prevent buffer overflow in WavInFile::readHeaderBlock()
that could have resulted in arbitrary code execution when opening maliocius
file in soundstretch utility (bsc#1103676)
ModerateSUSE bug 1103676CVE-2018-1000223 at SUSECVE-2018-1000223 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql10 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for brings postgresql10 version 10.5 to SUSE Linux Enterprise 12 SP3. (FATE#325659 bnc#1108308)
This release marks the change of the versioning scheme for PostgreSQL
to a 'x.y' format. This means the next minor releases of PostgreSQL
will be 10.1, 10.2, ... and the next major release will be 11.
* Logical Replication
Logical replication extends the current replication features of
PostgreSQL with the ability to send modifications on a per-database
and per-table level to different PostgreSQL databases. Users can now
fine-tune the data replicated to various database clusters and will
have the ability to perform zero-downtime upgrades to future major
PostgreSQL versions.
* Declarative Table Partitioning
Table partitioning has existed for years in PostgreSQL but required a
user to maintain a nontrivial set of rules and triggers for the
partitioning to work. PostgreSQL 10 introduces a table partitioning
syntax that lets users easily create and maintain range and list
partitioned tables.
* Improved Query Parallelism
PostgreSQL 10 provides better support for parallelized queries by
allowing more parts of the query execution process to be
parallelized. Improvements include additional types of data scans that
are parallelized as well as optimizations when the data is recombined,
such as pre-sorting. These enhancements allow results to be returned
more quickly.
* Quorum Commit for Synchronous Replication
PostgreSQL 10 introduces quorum commit for synchronous replication,
which allows for flexibility in how a primary database receives
acknowledgement that changes were successfully written to remote
replicas.
ModerateSUSE bug 1108308cpe:/o:suse:sles_teradata:12:sp3Security update for libxml2 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libxml2 fixes the following security issues:
- CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a
denial of service (infinite loop) via a crafted XML file that triggers
LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279).
- CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML
file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint
(bsc#1105166).
- CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval()
function when parsing an invalid XPath expression in the XPATH_OP_AND or
XPATH_OP_OR case leading to a denial of service attack (bsc#1102046).
- CVE-2017-18258: The xz_head function allowed remote attackers to cause a
denial of service (memory consumption) via a crafted LZMA file, because the
decoder functionality did not restrict memory usage to what is required for a
legitimate file (bsc#1088601).
ModerateSUSE bug 1088279SUSE bug 1088601SUSE bug 1102046SUSE bug 1105166CVE-2017-18258 at SUSECVE-2017-18258 at NVDCVE-2018-14404 at SUSECVE-2018-14404 at NVDCVE-2018-14567 at SUSECVE-2018-14567 at NVDCVE-2018-9251 at SUSECVE-2018-9251 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ImageMagick fixes the following security issues:
- CVE-2017-11532: Prevent a memory leak vulnerability in the WriteMPCImage()
function in coders/mpc.c via a crafted file allowing for DoS (bsc#1050129)
- CVE-2018-16750: Prevent memory leak in the formatIPTCfromBuffer function
(bsc#1108283)
- CVE-2018-16749: Added missing NULL check in ReadOneJNGImage that allowed an
attacker to cause a denial of service (WriteBlob assertion failure and
application exit) via a crafted file (bsc#1108282)
- CVE-2018-16642: The function InsertRow allowed remote attackers to cause a
denial of service via a crafted image file due to an out-of-bounds write
(bsc#1107616)
- CVE-2018-16640: Prevent memory leak in the function ReadOneJNGImage
(bsc#1107619)
- CVE-2018-16643: The functions ReadDCMImage, ReadPWPImage, ReadCALSImage, and
ReadPICTImage did check the return value of the fputc function, which allowed
remote attackers to cause a denial of service via a crafted image file
(bsc#1107612)
- CVE-2018-16644: Added missing check for length in the functions ReadDCMImage
and ReadPICTImage, which allowed remote attackers to cause a denial of service
via a crafted image (bsc#1107609)
- CVE-2018-16645: Prevent excessive memory allocation issue in the functions
ReadBMPImage and ReadDIBImage, which allowed remote attackers to cause a denial
of service via a crafted image file (bsc#1107604)
- CVE-2018-16413: Prevent heap-based buffer over-read in the PushShortPixel
function leading to DoS (bsc#1106989)
This update also relaxes the restrictions of use of Postscript like formats to
'write' only. (bsc#1105592)
ModerateSUSE bug 1050129SUSE bug 1105592SUSE bug 1106989SUSE bug 1107604SUSE bug 1107609SUSE bug 1107612SUSE bug 1107616SUSE bug 1107619SUSE bug 1108282SUSE bug 1108283CVE-2017-11532 at SUSECVE-2017-11532 at NVDCVE-2018-16413 at SUSECVE-2018-16413 at NVDCVE-2018-16640 at SUSECVE-2018-16640 at NVDCVE-2018-16642 at SUSECVE-2018-16642 at NVDCVE-2018-16643 at SUSECVE-2018-16643 at NVDCVE-2018-16644 at SUSECVE-2018-16644 at NVDCVE-2018-16645 at SUSECVE-2018-16645 at NVDCVE-2018-16749 at SUSECVE-2018-16749 at NVDCVE-2018-16750 at SUSECVE-2018-16750 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libX11 and libxcb (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libX11 and libxcb fixes the following issue:
libX11:
These security issues were fixed:
- CVE-2018-14599: The function XListExtensions was vulnerable to an off-by-one
error caused by malicious server responses, leading to DoS or possibly
unspecified other impact (bsc#1102062).
- CVE-2018-14600: The function XListExtensions interpreted a variable as signed
instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes),
leading to DoS or remote code execution (bsc#1102068).
- CVE-2018-14598: A malicious server could have sent a reply in which the first
string overflows, causing a variable to be set to NULL that will be freed later
on, leading to DoS (segmentation fault) (bsc#1102073).
This non-security issue was fixed:
- Make use of the new 64-bit sequence number API in XCB 1.11.1 to avoid the 32-bit
sequence number wrap in libX11 (bsc#1094327).
libxcb:
- Expose 64-bit sequence number from XCB API so that Xlib and others can use it even
on 32-bit environment. (bsc#1094327)
ModerateSUSE bug 1094327SUSE bug 1102062SUSE bug 1102068SUSE bug 1102073CVE-2018-14598 at SUSECVE-2018-14598 at NVDCVE-2018-14599 at SUSECVE-2018-14599 at NVDCVE-2018-14600 at SUSECVE-2018-14600 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for axis (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for axis fixes the following security issue:
- CVE-2018-8032: Prevent cross-site scripting (XSS) attack in the default
servlet/services (bsc#1103658).
ModerateSUSE bug 1103658CVE-2018-8032 at SUSECVE-2018-8032 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for samba (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
Samba was updated to 4.6.15, bringing bug and security fixes. (bsc#1110943)
Following security issues were fixed:
- CVE-2018-10919: Fix unauthorized attribute access via searches. (bsc#1095057);
Non-security bugs fixed:
- Fix ctdb_mutex_ceph_rados_helper deadlock (bsc#1102230).
- Allow idmap_rid to have primary group other than 'Domain Users' (bsc#1087931).
- winbind: avoid using fstrcpy in _dual_init_connection.
- Fix ntlm authentications with 'winbind use default domain = yes' (bsc#1068059).
ModerateSUSE bug 1068059SUSE bug 1087931SUSE bug 1095057SUSE bug 1102230SUSE bug 1110943CVE-2018-10919 at SUSECVE-2018-10919 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ImageMagick fixes the following issues:
Security issues fixed:
- CVE-2018-18024: Fixed an infinite loop in the ReadBMPImage function of
the coders/bmp.c file. Remote attackers could leverage this vulnerability
to cause a denial of service via a crafted bmp file. (bsc#1111069)
- CVE-2018-18016: Fixed a memory leak in WritePCXImage (bsc#1111072).
- CVE-2018-17965: Fixed a memory leak in WriteSGIImage (bsc#1110747).
- CVE-2018-17966: Fixed a memory leak in WritePDBImage (bsc#1110746).
- CVE-2018-12600: ReadDIBImage and WriteDIBImage allowed attackers to
cause an out of bounds write via a crafted file. (bsc#1098545)
- CVE-2018-12599: ReadBMPImage and WriteBMPImage allowed attackers to
cause an out of bounds write via a crafted file. (bsc#1098546)
ModerateSUSE bug 1098545SUSE bug 1098546SUSE bug 1110746SUSE bug 1110747SUSE bug 1111069SUSE bug 1111072CVE-2017-13058 at SUSECVE-2017-13058 at NVDCVE-2018-12599 at SUSECVE-2018-12599 at NVDCVE-2018-12600 at SUSECVE-2018-12600 at NVDCVE-2018-17965 at SUSECVE-2018-17965 at NVDCVE-2018-17966 at SUSECVE-2018-17966 at NVDCVE-2018-18016 at SUSECVE-2018-18016 at NVDCVE-2018-18024 at SUSECVE-2018-18024 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for binutils (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for binutils to 2.31 fixes the following issues:
These security issues were fixed:
- CVE-2017-15996: readelf allowed remote attackers to cause a denial of service
(excessive memory allocation) or possibly have unspecified other impact via a
crafted ELF file that triggered a buffer overflow on fuzzed archive header
(bsc#1065643).
- CVE-2017-15939: Binary File Descriptor (BFD) library (aka libbfd) mishandled
NULL files in a .debug_line file table, which allowed remote attackers to cause
a denial of service (NULL pointer dereference and application crash) via a
crafted ELF file, related to concat_filename (bsc#1065689).
- CVE-2017-15938: the Binary File Descriptor (BFD) library (aka libbfd)
miscalculated DW_FORM_ref_addr die refs in the case of a relocatable object
file, which allowed remote attackers to cause a denial of service
(find_abstract_instance_name invalid memory read, segmentation fault, and
application crash) (bsc#1065693).
- CVE-2017-16826: The coff_slurp_line_table function the Binary File Descriptor
(BFD) library (aka libbfd) allowed remote attackers to cause a denial of
service (invalid memory access and application crash) or possibly have
unspecified other impact via a crafted PE file (bsc#1068640).
- CVE-2017-16832: The pe_bfd_read_buildid function in the Binary File
Descriptor (BFD) library (aka libbfd) did not validate size and offset values
in the data dictionary, which allowed remote attackers to cause a denial of
service (segmentation violation and application crash) or possibly have
unspecified other impact via a crafted PE file (bsc#1068643).
- CVE-2017-16831: Binary File Descriptor (BFD) library (aka libbfd) did not
validate the symbol count, which allowed remote attackers to cause a denial of
service (integer overflow and application crash, or excessive memory
allocation) or possibly have unspecified other impact via a crafted PE file
(bsc#1068887).
- CVE-2017-16830: The print_gnu_property_note function did not have
integer-overflow protection on 32-bit platforms, which allowed remote attackers
to cause a denial of service (segmentation violation and application crash) or
possibly have unspecified other impact via a crafted ELF file (bsc#1068888).
- CVE-2017-16829: The _bfd_elf_parse_gnu_properties function in the Binary File
Descriptor (BFD) library (aka libbfd) did not prevent negative pointers, which
allowed remote attackers to cause a denial of service (out-of-bounds read and
application crash) or possibly have unspecified other impact via a crafted ELF
file (bsc#1068950).
- CVE-2017-16828: The display_debug_frames function allowed remote attackers to
cause a denial of service (integer overflow and heap-based buffer over-read,
and application crash) or possibly have unspecified other impact via a crafted
ELF file (bsc#1069176).
- CVE-2017-16827: The aout_get_external_symbols function in the Binary File
Descriptor (BFD) library (aka libbfd) allowed remote attackers to cause a
denial of service (slurp_symtab invalid free and application crash) or possibly
have unspecified other impact via a crafted ELF file (bsc#1069202).
- CVE-2018-6323: The elf_object_p function in the Binary File Descriptor (BFD)
library (aka libbfd) had an unsigned integer overflow because bfd_size_type
multiplication is not used. A crafted ELF file allowed remote attackers to
cause a denial of service (application crash) or possibly have unspecified
other impact (bsc#1077745).
- CVE-2018-6543: Prevent integer overflow in the function
load_specific_debug_section() which resulted in `malloc()` with 0 size. A
crafted ELF file allowed remote attackers to cause a denial of service
(application crash) or possibly have unspecified other impact (bsc#1079103).
- CVE-2018-6759: The bfd_get_debug_link_info_1 function in the Binary File
Descriptor (BFD) library (aka libbfd) had an unchecked strnlen operation.
Remote attackers could have leveraged this vulnerability to cause a denial of
service (segmentation fault) via a crafted ELF file (bsc#1079741).
- CVE-2018-6872: The elf_parse_notes function in the Binary File Descriptor
(BFD) library (aka libbfd) allowed remote attackers to cause a denial of
service (out-of-bounds read and segmentation violation) via a note with a large
alignment (bsc#1080556).
- CVE-2018-7208: In the coff_pointerize_aux function in the Binary File
Descriptor (BFD) library (aka libbfd) an index was not validated, which allowed
remote attackers to cause a denial of service (segmentation fault) or possibly
have unspecified other impact via a crafted file, as demonstrated by objcopy of
a COFF object (bsc#1081527).
- CVE-2018-7570: The assign_file_positions_for_non_load_sections function in
the Binary File Descriptor (BFD) library (aka libbfd) allowed remote attackers
to cause a denial of service (NULL pointer dereference and application crash)
via an ELF file with a RELRO segment that lacks a matching LOAD segment, as
demonstrated by objcopy (bsc#1083528).
- CVE-2018-7569: The Binary File Descriptor (BFD) library (aka libbfd) allowed
remote attackers to cause a denial of service (integer underflow or overflow,
and application crash) via an ELF file with a corrupt DWARF FORM block, as
demonstrated by nm (bsc#1083532).
- CVE-2018-8945: The bfd_section_from_shdr function in the Binary File
Descriptor (BFD) library (aka libbfd) allowed remote attackers to cause a
denial of service (segmentation fault) via a large attribute section
(bsc#1086608).
- CVE-2018-7643: The display_debug_ranges function allowed remote attackers to
cause a denial of service (integer overflow and application crash) or possibly
have unspecified other impact via a crafted ELF file, as demonstrated by
objdump (bsc#1086784).
- CVE-2018-7642: The swap_std_reloc_in function in the Binary File Descriptor
(BFD) library (aka libbfd) allowed remote attackers to cause a denial of
service (aout_32_swap_std_reloc_out NULL pointer dereference and application
crash) via a crafted ELF file, as demonstrated by objcopy (bsc#1086786).
- CVE-2018-7568: The parse_die function in the Binary File Descriptor (BFD)
library (aka libbfd) allowed remote attackers to cause a denial of service
(integer overflow and application crash) via an ELF file with corrupt dwarf1
debug information, as demonstrated by nm (bsc#1086788).
- CVE-2018-10373: concat_filename in the Binary File Descriptor (BFD) library
(aka libbfd) allowed remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via a crafted binary file, as
demonstrated by nm-new (bsc#1090997).
- CVE-2018-10372: process_cu_tu_index allowed remote attackers to cause a
denial of service (heap-based buffer over-read and application crash) via a
crafted binary file, as demonstrated by readelf (bsc#1091015).
- CVE-2018-10535: The ignore_section_sym function in the Binary File Descriptor
(BFD) library (aka libbfd) did not validate the output_section pointer in the
case of a symtab entry with a 'SECTION' type that has a '0' value, which
allowed remote attackers to cause a denial of service (NULL pointer dereference
and application crash) via a crafted file, as demonstrated by objcopy
(bsc#1091365).
- CVE-2018-10534: The _bfd_XX_bfd_copy_private_bfd_data_common function in the
Binary File Descriptor (BFD) library (aka libbfd) processesed a negative Data
Directory size with an unbounded loop that increased the value of
(external_IMAGE_DEBUG_DIRECTORY) *edd so that the address exceeded its own
memory region, resulting in an out-of-bounds memory write, as demonstrated by
objcopy copying private info with _bfd_pex64_bfd_copy_private_bfd_data_common
in pex64igen.c (bsc#1091368).
These non-security issues were fixed:
- The AArch64 port now supports showing disassembly notes which are emitted
when inconsistencies are found with the instruction that may result in the
instruction being invalid. These can be turned on with the option -M notes
to objdump.
- The AArch64 port now emits warnings when a combination of an instruction and
a named register could be invalid.
- Added O modifier to ar to display member offsets inside an archive
- The ADR and ADRL pseudo-instructions supported by the ARM assembler
now only set the bottom bit of the address of thumb function symbols
if the -mthumb-interwork command line option is active.
- Add --generate-missing-build-notes=[yes|no] option to create (or not) GNU
Build Attribute notes if none are present in the input sources. Add a
--enable-generate-build-notes=[yes|no] configure time option to set the
default behaviour. Set the default if the configure option is not used
to 'no'.
- Remove -mold-gcc command-line option for x86 targets.
- Add -O[2|s] command-line options to x86 assembler to enable alternate
shorter instruction encoding.
- Add support for .nops directive. It is currently supported only for
x86 targets.
- Speed up direct linking with DLLs for Cygwin and Mingw targets.
- Add a configure option --enable-separate-code to decide whether
-z separate-code should be enabled in ELF linker by default. Default
to yes for Linux/x86 targets. Note that -z separate-code can increase
disk and memory size.
- RISC-V: Fix symbol address problem with versioned symbols
- Restore riscv64-elf cross prefix via symlinks
- RISC-V: Don't enable relaxation in relocatable link
- Prevent linking faiures on i386 with assertion (bsc#1085784)
- Fix symbol size bug when relaxation deletes bytes
- Add --debug-dump=links option to readelf and --dwarf=links option to objdump
which displays the contents of any .gnu_debuglink or .gnu_debugaltlink
sections.
Add a --debug-dump=follow-links option to readelf and a --dwarf=follow-links
option to objdump which causes indirect links into separate debug info files
to be followed when dumping other DWARF sections.
- Add support for loaction views in DWARF debug line information.
- Add -z separate-code to generate separate code PT_LOAD segment.
- Add '-z undefs' command line option as the inverse of the '-z defs' option.
- Add -z globalaudit command line option to force audit libraries to be run
for every dynamic object loaded by an executable - provided that the loader
supports this functionality.
- Tighten linker script grammar around file name specifiers to prevent the use
of SORT_BY_ALIGNMENT and SORT_BY_INIT_PRIORITY on filenames. These would
previously be accepted but had no effect.
- The EXCLUDE_FILE directive can now be placed within any SORT_* directive
within input section lists.
- Fix linker relaxation with --wrap
- Add arm-none-eabi symlinks (bsc#1074741)
Former updates of binutils also fixed the following security issues, for which
there was not CVE assigned at the time the update was released or no mapping
between code change and CVE existed:
- CVE-2014-9939: Prevent stack buffer overflow when printing bad bytes in Intel
Hex objects (bsc#1030296).
- CVE-2017-7225: The find_nearest_line function in addr2line did not handle the
case where the main file name and the directory name are both empty, triggering
a NULL pointer dereference and an invalid write, and leading to a program crash
(bsc#1030585).
- CVE-2017-7224: The find_nearest_line function in objdump was vulnerable to an
invalid write (of size 1) while disassembling a corrupt binary that contains an
empty function name, leading to a program crash (bsc#1030588).
- CVE-2017-7223: GNU assembler in was vulnerable to a global buffer overflow
(of size 1) while attempting to unget an EOF character from the input stream,
potentially leading to a program crash (bsc#1030589).
- CVE-2017-7226: The pe_ILF_object_p function in the Binary File Descriptor
(BFD) library (aka libbfd) was vulnerable to a heap-based buffer over-read of
size 4049 because it used the strlen function instead of strnlen, leading to
program crashes in several utilities such as addr2line, size, and strings. It
could lead to information disclosure as well (bsc#1030584).
- CVE-2017-7299: The Binary File Descriptor (BFD) library (aka libbfd) had an
invalid read (of size 8) because the code to emit relocs (bfd_elf_final_link
function in bfd/elflink.c) did not check the format of the input file trying to
read the ELF reloc section header. The vulnerability leads to a GNU linker (ld)
program crash (bsc#1031644).
- CVE-2017-7300: The Binary File Descriptor (BFD) library (aka libbfd) had an
aout_link_add_symbols function in bfd/aoutx.h that is vulnerable to a
heap-based buffer over-read (off-by-one) because of an incomplete check for
invalid string offsets while loading symbols, leading to a GNU linker (ld)
program crash (bsc#1031656).
- CVE-2017-7302: The Binary File Descriptor (BFD) library (aka libbfd) had a
swap_std_reloc_out function in bfd/aoutx.h that is vulnerable to an invalid
read (of size 4) because of missing checks for relocs that could not be
recognised. This vulnerability caused Binutils utilities like strip to crash
(bsc#1031595).
- CVE-2017-7303: The Binary File Descriptor (BFD) library (aka libbfd) was
vulnerable to an invalid read (of size 4) because of missing a check (in the
find_link function) for null headers attempting to match them. This
vulnerability caused Binutils utilities like strip to crash (bsc#1031593).
- CVE-2017-7301: The Binary File Descriptor (BFD) library (aka libbfd) had an
aout_link_add_symbols function in bfd/aoutx.h that has an off-by-one
vulnerability because it did not carefully check the string offset. The
vulnerability could lead to a GNU linker (ld) program crash (bsc#1031638).
- CVE-2017-7304: The Binary File Descriptor (BFD) library (aka libbfd) was
vulnerable to an invalid read (of size 8) because of missing a check (in the
copy_special_section_fields function) for an invalid sh_link field attempting
to follow it. This vulnerability caused Binutils utilities like strip to crash
(bsc#1031590).
- CVE-2017-8392: The Binary File Descriptor (BFD) library (aka libbfd) was
vulnerable to an invalid read of size 8 because of missing a check to determine
whether symbols are NULL in the _bfd_dwarf2_find_nearest_line function. This
vulnerability caused programs that conduct an analysis of binary programs using
the libbfd library, such as objdump, to crash (bsc#1037052).
- CVE-2017-8393: The Binary File Descriptor (BFD) library (aka libbfd) was
vulnerable to a global buffer over-read error because of an assumption made by
code that runs for objcopy and strip, that SHT_REL/SHR_RELA sections are always
named starting with a .rel/.rela prefix. This vulnerability caused programs
that conduct an analysis of binary programs using the libbfd library, such as
objcopy and strip, to crash (bsc#1037057).
- CVE-2017-8394: The Binary File Descriptor (BFD) library (aka libbfd) was
vulnerable to an invalid read of size 4 due to NULL pointer dereferencing of
_bfd_elf_large_com_section. This vulnerability caused programs that conduct an
analysis of binary programs using the libbfd library, such as objcopy, to crash
(bsc#1037061).
- CVE-2017-8396: The Binary File Descriptor (BFD) library (aka libbfd) was
vulnerable to an invalid read of size 1 because the existing reloc offset range
tests didn't catch small negative offsets less than the size of the reloc
field. This vulnerability caused programs that conduct an analysis of binary
programs using the libbfd library, such as objdump, to crash (bsc#1037066).
- CVE-2017-8421: The function coff_set_alignment_hook in Binary File Descriptor
(BFD) library (aka libbfd) had a memory leak vulnerability which can cause
memory exhaustion in objdump via a crafted PE file (bsc#1037273).
- CVE-2017-9746: The disassemble_bytes function in objdump.c allowed remote
attackers to cause a denial of service (buffer overflow and application crash)
or possibly have unspecified other impact via a crafted binary file, as
demonstrated by mishandling of rae insns printing for this file during 'objdump
-D' execution (bsc#1044891).
- CVE-2017-9747: The ieee_archive_p function in the Binary File Descriptor
(BFD) library (aka libbfd) might have allowed remote attackers to cause a
denial of service (buffer overflow and application crash) or possibly have
unspecified other impact via a crafted binary file, as demonstrated by
mishandling of this file during 'objdump -D' execution (bsc#1044897).
- CVE-2017-9748: The ieee_object_p function in the Binary File Descriptor (BFD)
library (aka libbfd) might have allowed remote attackers to cause a denial of
service (buffer overflow and application crash) or possibly have unspecified
other impact via a crafted binary file, as demonstrated by mishandling of this
file during 'objdump -D' execution (bsc#1044901).
- CVE-2017-9750: opcodes/rx-decode.opc lacked bounds checks for certain scale
arrays, which allowed remote attackers to cause a denial of service (buffer
overflow and application crash) or possibly have unspecified other impact via a
crafted binary file, as demonstrated by mishandling of this file during
'objdump -D' execution (bsc#1044909).
- CVE-2017-9755: Not considering the the number of registers for bnd mode
allowed remote attackers to cause a denial of service (buffer overflow and
application crash) or possibly have unspecified other impact via a crafted
binary file, as demonstrated by mishandling of this file during 'objdump -D'
execution (bsc#1044925).
- CVE-2017-9756: The aarch64_ext_ldst_reglist function allowed remote attackers
to cause a denial of service (buffer overflow and application crash) or
possibly have unspecified other impact via a crafted binary file, as
demonstrated by mishandling of this file during 'objdump -D' execution
(bsc#1044927).
- CVE-2017-7209: The dump_section_as_bytes function in readelf accessed a NULL
pointer while reading section contents in a corrupt binary, leading to a
program crash (bsc#1030298).
- CVE-2017-6965: readelf wrote to illegal addresses while processing corrupt
input files containing symbol-difference relocations, leading to a heap-based
buffer overflow (bsc#1029909).
- CVE-2017-6966: readelf had a use-after-free (specifically read-after-free)
error while processing multiple, relocated sections in an MSP430 binary. This
is caused by mishandling of an invalid symbol index, and mishandling of state
across invocations (bsc#1029908).
- CVE-2017-6969: readelf was vulnerable to a heap-based buffer over-read while
processing corrupt RL78 binaries. The vulnerability can trigger program
crashes. It may lead to an information leak as well (bsc#1029907).
- CVE-2017-7210: objdump was vulnerable to multiple heap-based buffer
over-reads (of size 1 and size 8) while handling corrupt STABS enum type
strings in a crafted object file, leading to program crash (bsc#1030297).
ModerateSUSE bug 1029907SUSE bug 1029908SUSE bug 1029909SUSE bug 1030296SUSE bug 1030297SUSE bug 1030298SUSE bug 1030584SUSE bug 1030585SUSE bug 1030588SUSE bug 1030589SUSE bug 1031590SUSE bug 1031593SUSE bug 1031595SUSE bug 1031638SUSE bug 1031644SUSE bug 1031656SUSE bug 1037052SUSE bug 1037057SUSE bug 1037061SUSE bug 1037066SUSE bug 1037273SUSE bug 1044891SUSE bug 1044897SUSE bug 1044901SUSE bug 1044909SUSE bug 1044925SUSE bug 1044927SUSE bug 1065643SUSE bug 1065689SUSE bug 1065693SUSE bug 1068640SUSE bug 1068643SUSE bug 1068887SUSE bug 1068888SUSE bug 1068950SUSE bug 1069176SUSE bug 1069202SUSE bug 1074741SUSE bug 1077745SUSE bug 1079103SUSE bug 1079741SUSE bug 1080556SUSE bug 1081527SUSE bug 1083528SUSE bug 1083532SUSE bug 1085784SUSE bug 1086608SUSE bug 1086784SUSE bug 1086786SUSE bug 1086788SUSE bug 1090997SUSE bug 1091015SUSE bug 1091365SUSE bug 1091368CVE-2014-9939 at SUSECVE-2014-9939 at NVDCVE-2017-15938 at SUSECVE-2017-15938 at NVDCVE-2017-15939 at SUSECVE-2017-15939 at NVDCVE-2017-15996 at SUSECVE-2017-15996 at NVDCVE-2017-16826 at SUSECVE-2017-16826 at NVDCVE-2017-16827 at SUSECVE-2017-16827 at NVDCVE-2017-16828 at SUSECVE-2017-16828 at NVDCVE-2017-16829 at SUSECVE-2017-16829 at NVDCVE-2017-16830 at SUSECVE-2017-16830 at NVDCVE-2017-16831 at SUSECVE-2017-16831 at NVDCVE-2017-16832 at SUSECVE-2017-16832 at NVDCVE-2017-6965 at SUSECVE-2017-6965 at NVDCVE-2017-6966 at SUSECVE-2017-6966 at NVDCVE-2017-6969 at SUSECVE-2017-6969 at NVDCVE-2017-7209 at SUSECVE-2017-7209 at NVDCVE-2017-7210 at SUSECVE-2017-7210 at NVDCVE-2017-7223 at SUSECVE-2017-7223 at NVDCVE-2017-7224 at SUSECVE-2017-7224 at NVDCVE-2017-7225 at SUSECVE-2017-7225 at NVDCVE-2017-7226 at SUSECVE-2017-7226 at NVDCVE-2017-7299 at SUSECVE-2017-7299 at NVDCVE-2017-7300 at SUSECVE-2017-7300 at NVDCVE-2017-7301 at SUSECVE-2017-7301 at NVDCVE-2017-7302 at SUSECVE-2017-7302 at NVDCVE-2017-7303 at SUSECVE-2017-7303 at NVDCVE-2017-7304 at SUSECVE-2017-7304 at NVDCVE-2017-8392 at SUSECVE-2017-8392 at NVDCVE-2017-8393 at SUSECVE-2017-8393 at NVDCVE-2017-8394 at SUSECVE-2017-8394 at NVDCVE-2017-8396 at SUSECVE-2017-8396 at NVDCVE-2017-8421 at SUSECVE-2017-8421 at NVDCVE-2017-9746 at SUSECVE-2017-9746 at NVDCVE-2017-9747 at SUSECVE-2017-9747 at NVDCVE-2017-9748 at SUSECVE-2017-9748 at NVDCVE-2017-9750 at SUSECVE-2017-9750 at NVDCVE-2017-9755 at SUSECVE-2017-9755 at NVDCVE-2017-9756 at SUSECVE-2017-9756 at NVDCVE-2018-10372 at SUSECVE-2018-10372 at NVDCVE-2018-10373 at SUSECVE-2018-10373 at NVDCVE-2018-10534 at SUSECVE-2018-10534 at NVDCVE-2018-10535 at SUSECVE-2018-10535 at NVDCVE-2018-6323 at SUSECVE-2018-6323 at NVDCVE-2018-6543 at SUSECVE-2018-6543 at NVDCVE-2018-6759 at SUSECVE-2018-6759 at NVDCVE-2018-6872 at SUSECVE-2018-6872 at NVDCVE-2018-7208 at SUSECVE-2018-7208 at NVDCVE-2018-7568 at SUSECVE-2018-7568 at NVDCVE-2018-7569 at SUSECVE-2018-7569 at NVDCVE-2018-7570 at SUSECVE-2018-7570 at NVDCVE-2018-7642 at SUSECVE-2018-7642 at NVDCVE-2018-7643 at SUSECVE-2018-7643 at NVDCVE-2018-8945 at SUSECVE-2018-8945 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for fuse (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for fuse fixes the following security issue:
- CVE-2018-10906: fusermount was vulnerable to a restriction bypass when
SELinux is active. This allowed non-root users to mount a FUSE file system with
the 'allow_other' mount option regardless of whether 'user_allow_other' is set
in the fuse configuration. An attacker may use this flaw to mount a FUSE file
system, accessible by other users, and trick them into accessing files on that
file system, possibly causing Denial of Service or other unspecified effects
(bsc#1101797)
ModerateSUSE bug 1101797CVE-2018-10906 at SUSECVE-2018-10906 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for rpm (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for rpm fixes the following issues:
These security issues were fixed:
- CVE-2017-7500: rpm did not properly handle RPM installations when a
destination path was a symbolic link to a directory, possibly changing
ownership and permissions of an arbitrary directory, and RPM files being placed
in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when
installing an RPM. An attacker with ability to write in a directory where files
will be installed could create symbolic links to an arbitrary location and
modify content, and possibly permissions to arbitrary files, which could be
used for denial of service or possibly privilege escalation (bsc#943457)
This non-security issue was fixed:
- Use ksym-provides tool [bsc#1077692]
ModerateSUSE bug 1077692SUSE bug 943457CVE-2017-7500 at SUSECVE-2017-7500 at NVDCVE-2017-7501 at SUSECVE-2017-7501 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tiff (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tiff fixes the following issues:
- CVE-2018-17100: There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108637)
- CVE-2018-17101: There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108627)
- CVE-2018-17795: The function t2p_write_pdf in tiff2pdf.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935. (bsc#1110358)
- CVE-2018-16335: newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf. This is a different vulnerability than CVE-2018-15209. (bsc#1106853)
ModerateSUSE bug 1106853SUSE bug 1108627SUSE bug 1108637SUSE bug 1110358CVE-2017-11613 at SUSECVE-2017-11613 at NVDCVE-2017-9935 at SUSECVE-2017-9935 at NVDCVE-2018-16335 at SUSECVE-2018-16335 at NVDCVE-2018-17100 at SUSECVE-2018-17100 at NVDCVE-2018-17101 at SUSECVE-2018-17101 at NVDCVE-2018-17795 at SUSECVE-2018-17795 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for pam_pkcs11 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for pam_pkcs11 provides the following fixes:
Security issues fixed (bsc#1105012):
- Fixed a logic bug in pampkcs11.c, leading to an authentication replay vulnerability
- Fixed a stack-based buffer overflow in opensshmapper.c
- Make sure memory is properly cleaned before invoking free()
Other changes:
- Add a systemd service file. (bsc#1049219)
ModerateSUSE bug 1049219SUSE bug 1105012cpe:/o:suse:sles_teradata:12:sp3Security update for ntp (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
NTP was updated to 4.2.8p12 (bsc#1111853):
- CVE-2018-12327: Fixed stack buffer overflow in the openhost() command-line call of NTPQ/NTPDC. (bsc#1098531)
- CVE-2018-7170: Add further tweaks to improve the fix for the ephemeral association time spoofing additional protection (bsc#1083424)
Please also see https://www.nwtime.org/network-time-foundation-publishes-ntp-4-2-8p12/ for more information.
ModerateSUSE bug 1083424SUSE bug 1098531SUSE bug 1111853CVE-2018-12327 at SUSECVE-2018-12327 at NVDCVE-2018-7170 at SUSECVE-2018-7170 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql96 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql96 to 9.6.10 fixes the following issues:
These security issues were fixed:
- CVE-2018-10915: libpq failed to properly reset its internal state between
connections. If an affected version of libpq was used with 'host' or 'hostaddr'
connection parameters from untrusted input, attackers could have bypassed
client-side connection security features, obtain access to higher privileged
connections or potentially cause other impact SQL injection, by causing the
PQescape() functions to malfunction (bsc#1104199)
- CVE-2018-10925: Add missing authorization check on certain statements
involved with 'INSERT ... ON CONFLICT DO UPDATE'. An attacker with 'CREATE
TABLE' privileges could have exploited this to read arbitrary bytes server
memory. If the attacker also had certain 'INSERT' and limited 'UPDATE'
privileges to a particular table, they could have exploited this to update
other columns in the same table (bsc#1104202)
For addition details please see
https://www.postgresql.org/docs/current/static/release-9-6-10.html
ImportantSUSE bug 1104199SUSE bug 1104202CVE-2018-10915 at SUSECVE-2018-10915 at NVDCVE-2018-10925 at SUSECVE-2018-10925 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tomcat (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tomcat fixes the following issues:
- CVE-2018-11784: When the default servlet in Apache Tomcat returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. (bsc#1110850)
ModerateSUSE bug 1110850CVE-2018-11784 at SUSECVE-2018-11784 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 to version 2.20.3 fixes the issues:
The following security vulnerabilities were addressed:
- CVE-2018-12911: Fixed an off-by-one error in xdg_mime_get_simple_globs
(boo#1101999)
- CVE-2017-13884: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1075775).
- CVE-2017-13885: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1075775).
- CVE-2017-7153: An unspecified issue allowed remote attackers to spoof
user-interface information (about whether the entire content is derived from a
valid TLS session) via a crafted web site that sends a 401 Unauthorized
redirect (bsc#1077535).
- CVE-2017-7160: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1075775).
- CVE-2017-7161: An unspecified issue allowed remote attackers to execute
arbitrary code via special characters that trigger command injection
(bsc#1075775, bsc#1077535).
- CVE-2017-7165: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1075775).
- CVE-2018-4088: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1075775).
- CVE-2018-4096: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1075775).
- CVE-2018-4200: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site that triggers a
WebCore::jsElementScrollHeightGetter use-after-free (bsc#1092280).
- CVE-2018-4204: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1092279).
- CVE-2018-4101: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1088182).
- CVE-2018-4113: An issue in the JavaScriptCore function in the 'WebKit'
component allowed attackers to trigger an assertion failure by leveraging
improper array indexing (bsc#1088182)
- CVE-2018-4114: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1088182)
- CVE-2018-4117: An unspecified issue allowed remote attackers to bypass the
Same Origin Policy and obtain sensitive information via a crafted web site
(bsc#1088182, bsc#1102530).
- CVE-2018-4118: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1088182)
- CVE-2018-4119: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1088182)
- CVE-2018-4120: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1088182).
- CVE-2018-4121: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1092278).
- CVE-2018-4122: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1088182).
- CVE-2018-4125: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1088182).
- CVE-2018-4127: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1088182).
- CVE-2018-4128: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1088182).
- CVE-2018-4129: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1088182).
- CVE-2018-4146: An unspecified issue allowed attackers to cause a denial of
service (memory corruption) via a crafted web site (bsc#1088182).
- CVE-2018-4161: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1088182).
- CVE-2018-4162: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1088182).
- CVE-2018-4163: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1088182).
- CVE-2018-4165: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1088182).
- CVE-2018-4190: An unspecified issue allowed remote attackers to obtain
sensitive credential information that is transmitted during a CSS mask-image
fetch (bsc#1097693)
- CVE-2018-4199: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (buffer overflow and application
crash) via a crafted web site (bsc#1097693)
- CVE-2018-4218: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site that triggers an @generatorState use-after-free
(bsc#1097693)
- CVE-2018-4222: An unspecified issue allowed remote attackers to execute
arbitrary code via a crafted web site that leverages a getWasmBufferFromValue
out-of-bounds read during WebAssembly compilation (bsc#1097693)
- CVE-2018-4232: An unspecified issue allowed remote attackers to overwrite
cookies via a crafted web site (bsc#1097693)
- CVE-2018-4233: An unspecified issue allowed remote attackers to execute
arbitrary code or cause a denial of service (memory corruption and application
crash) via a crafted web site (bsc#1097693)
- CVE-2018-4246: An unspecified issue allowed remote attackers to execute
arbitrary code via a crafted web site that leverages type confusion
(bsc#1104169)
- CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL and
webkitFaviconDatabaseSetIconURLForPageURL mishandled an unset pageURL, leading
to an application crash (bsc#1095611)
- CVE-2018-4133: A Safari cross-site scripting (XSS) vulnerability allowed
remote attackers to inject arbitrary web script or HTML via a crafted URL
(bsc#1088182).
- CVE-2018-11713: The libsoup network backend of WebKit unexpectedly failed to
use system proxy settings for WebSocket connections. As a result, users could
be deanonymized by crafted web sites via a WebSocket connection (bsc#1096060).
- CVE-2018-11712: The libsoup network backend of WebKit failed to perform TLS
certificate verification for WebSocket connections (bsc#1096061).
This update for webkit2gtk3 fixes the following issues:
- Fixed a crash when atk_object_ref_state_set is called on an AtkObject that's
being destroyed (bsc#1088932).
- Fixed crash when using Wayland with QXL/virtio (bsc#1079512)
- Disable Gigacage if mmap fails to allocate in Linux.
- Add user agent quirk for paypal website.
- Properly detect compiler flags, needed libs, and fallbacks for
usage of 64-bit atomic operations.
- Fix a network process crash when trying to get cookies of
about:blank page.
- Fix UI process crash when closing the window under Wayland.
- Fix several crashes and rendering issues.
- Do TLS error checking on GTlsConnection::accept-certificate to
finish the load earlier in case of errors.
- Properly close the connection to the nested wayland compositor
in the Web Process.
- Avoid painting backing stores for zero-opacity layers.
- Fix downloads started by context menu failing in some websites
due to missing user agent HTTP header.
- Fix video unpause when GStreamerGL is disabled.
- Fix several GObject introspection annotations.
- Update user agent quiks to fix Outlook.com and Chase.com.
- Fix several crashes and rendering issues.
- Improve error message when Gigacage cannot allocate virtual memory.
- Add missing WebKitWebProcessEnumTypes.h to webkit-web-extension.h.
- Improve web process memory monitor thresholds.
- Fix a web process crash when the web view is created and destroyed quickly.
- Fix a network process crash when load is cancelled while searching for
stored HTTP auth credentials.
- Fix the build when ENABLE_VIDEO, ENABLE_WEB_AUDIO and
ENABLE_XSLT are disabled.
- New API to retrieve and delete cookies with WebKitCookieManager.
- New web process API to detect when form is submitted via JavaScript.
- Several improvements and fixes in the touch/gestures support.
- Support for the “system” CSS font family.
- Complex text rendering improvements and fixes.
- More complete and spec compliant WebDriver implementation.
- Ensure DNS prefetching cannot be re-enabled if disabled by settings.
- Fix seek sometimes not working.
- Fix rendering of emojis that were using the wrong scale factor
in some cases.
- Fix rendering of combining enclosed keycap.
- Fix rendering scale of some layers in HiDPI.
- Fix a crash in Wayland when closing the web view.
- Fix crashes upower crashes when running inside a chroot or on
systems with broken dbus/upower.
- Fix memory leaks in GStreamer media backend when using
GStreamer 1.14.
- Fix several crashes and rendering issues.
- Add ENABLE_ADDRESS_SANITIZER to make it easier to build with
asan support.
- Fix a crash a under Wayland when using mesa software
rasterization.
- Make fullscreen video work again.
- Fix handling of missing GStreamer elements.
- Fix rendering when webm video is played twice.
- Fix kinetic scrolling sometimes jumping around.
- Fix build with ICU configured without collation support.
- WebSockets use system proxy settings now (requires libsoup 2.61.90).
- Show the context menu on long-press gesture.
- Add support for Shift + mouse scroll to scroll horizontally.
- Fix zoom gesture to actually zoom instead of changing the page
scale.
- Implement support for Graphics ARIA roles.
- Make sleep inhibitors work under Flatpak.
- Add get element CSS value command to WebDriver.
- Fix a crash aftter a swipe gesture.
- Fix several crashes and rendering issues.
- Fix crashes due to duplicated symbols in libjavascriptcoregtk
and libwebkit2gtk.
- Fix parsing of timeout values in WebDriver.
- Implement get timeouts command in WebDriver.
- Fix deadlock in GStreamer video sink during shutdown when
accelerated compositing is disabled.
- Fix several crashes and rendering issues.
- Add web process API to detect when form is submitted via
JavaScript.
- Add new API to replace
webkit_form_submission_request_get_text_fields() that is now
deprecated.
- Add WebKitWebView::web-process-terminated signal and deprecate
web-process-crashed.
- Fix rendering issues when editing text areas.
- Use FastMalloc based GstAllocator for GStreamer.
- Fix web process crash at startup in bmalloc.
- Fix several memory leaks in GStreamer media backend.
- WebKitWebDriver process no longer links to
libjavascriptcoregtk.
- Fix several crashes and rendering issues.
- Add new API to add, retrieve and delete cookies via
WebKitCookieManager.
- Add functions to WebSettings to convert font sizes between
points and pixels.
- Ensure cookie operations take effect when they happen before a
web process has been spawned.
- Automatically adjust font size when GtkSettings:gtk-xft-dpi
changes.
- Add initial resource load statistics support.
- Add API to expose availability of certain editing commands in
WebKitEditorState.
- Add API to query whether a WebKitNavigationAction is a redirect
or not.
- Improve complex text rendering.
- Add support for the 'system' CSS font family.
- Disable USE_GSTREAMER_GL
ModerateSUSE bug 1075775SUSE bug 1077535SUSE bug 1079512SUSE bug 1088182SUSE bug 1088932SUSE bug 1092278SUSE bug 1092279SUSE bug 1092280SUSE bug 1095611SUSE bug 1096060SUSE bug 1096061SUSE bug 1097693SUSE bug 1101999SUSE bug 1102530SUSE bug 1104169CVE-2017-13884 at SUSECVE-2017-13884 at NVDCVE-2017-13885 at SUSECVE-2017-13885 at NVDCVE-2017-7153 at SUSECVE-2017-7153 at NVDCVE-2017-7160 at SUSECVE-2017-7160 at NVDCVE-2017-7161 at SUSECVE-2017-7161 at NVDCVE-2017-7165 at SUSECVE-2017-7165 at NVDCVE-2018-11646 at SUSECVE-2018-11646 at NVDCVE-2018-11712 at SUSECVE-2018-11712 at NVDCVE-2018-11713 at SUSECVE-2018-11713 at NVDCVE-2018-12911 at SUSECVE-2018-12911 at NVDCVE-2018-4088 at SUSECVE-2018-4088 at NVDCVE-2018-4096 at SUSECVE-2018-4096 at NVDCVE-2018-4101 at SUSECVE-2018-4101 at NVDCVE-2018-4113 at SUSECVE-2018-4113 at NVDCVE-2018-4114 at SUSECVE-2018-4114 at NVDCVE-2018-4117 at SUSECVE-2018-4117 at NVDCVE-2018-4118 at SUSECVE-2018-4118 at NVDCVE-2018-4119 at SUSECVE-2018-4119 at NVDCVE-2018-4120 at SUSECVE-2018-4120 at NVDCVE-2018-4121 at SUSECVE-2018-4121 at NVDCVE-2018-4122 at SUSECVE-2018-4122 at NVDCVE-2018-4125 at SUSECVE-2018-4125 at NVDCVE-2018-4127 at SUSECVE-2018-4127 at NVDCVE-2018-4128 at SUSECVE-2018-4128 at NVDCVE-2018-4129 at SUSECVE-2018-4129 at NVDCVE-2018-4133 at SUSECVE-2018-4133 at NVDCVE-2018-4146 at SUSECVE-2018-4146 at NVDCVE-2018-4161 at SUSECVE-2018-4161 at NVDCVE-2018-4162 at SUSECVE-2018-4162 at NVDCVE-2018-4163 at SUSECVE-2018-4163 at NVDCVE-2018-4165 at SUSECVE-2018-4165 at NVDCVE-2018-4190 at SUSECVE-2018-4190 at NVDCVE-2018-4199 at SUSECVE-2018-4199 at NVDCVE-2018-4200 at SUSECVE-2018-4200 at NVDCVE-2018-4204 at SUSECVE-2018-4204 at NVDCVE-2018-4218 at SUSECVE-2018-4218 at NVDCVE-2018-4222 at SUSECVE-2018-4222 at NVDCVE-2018-4232 at SUSECVE-2018-4232 at NVDCVE-2018-4233 at SUSECVE-2018-4233 at NVDCVE-2018-4246 at SUSECVE-2018-4246 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for exempi (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for exempi fixes the following security issues:
- CVE-2017-18233: Prevent integer overflow in the Chunk class that allowed
remote attackers to cause a denial of service (infinite loop) via crafted XMP
data in a .avi file (bsc#1085584).
- CVE-2017-18238: The TradQT_Manager::ParseCachedBoxes function allowed remote
attackers to cause a denial of service (infinite loop) via crafted XMP data in
a .qt file (bsc#1085583).
- CVE-2018-7728: Fixed heap-based buffer overflow, which allowed denial of
service via crafted TIFF image (bsc#1085297).
- CVE-2018-7730: Fixed heap-based buffer overflow in
XMPFiles/source/FormatSupport/PSIR_FileWriter.cpp (bsc#1085295).
- CVE-2017-18236: The ASF_Support::ReadHeaderObject function allowed remote
attackers to cause a denial of service (infinite loop) via a crafted .asf file
(bsc#1085589).
- CVE-2017-18234: Prevent use-after-free that allowed remote attackers to cause
a denial of service or possibly have unspecified other impact via a .pdf file
containing JPEG data (bsc#1085585).
ModerateSUSE bug 1085295SUSE bug 1085297SUSE bug 1085583SUSE bug 1085584SUSE bug 1085585SUSE bug 1085589CVE-2017-18233 at SUSECVE-2017-18233 at NVDCVE-2017-18234 at SUSECVE-2017-18234 at NVDCVE-2017-18236 at SUSECVE-2017-18236 at NVDCVE-2017-18238 at SUSECVE-2017-18238 at NVDCVE-2018-7728 at SUSECVE-2018-7728 at NVDCVE-2018-7730 at SUSECVE-2018-7730 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for clamav (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for clamav fixes the following issues:
clamav was updated to version 0.100.2:
- CVE-2018-15378: Vulnerability in ClamAV's MEW unpacking feature that
could allow an unauthenticated, remote attacker to cause a denial of
service (DoS) condition on an affected device. (bsc#1110723)
- CVE-2018-14680, CVE-2018-14681, CVE-2018-14682: more fixes for embedded
libmspack. (bsc#1103040)
- Make freshclam more robust against lagging signature mirrors.
- On-Access 'Extra Scanning', an opt-in minor feature of
OnAccess scanning on Linux systems, has been disabled due to a
known issue with resource cleanup OnAccessExtraScanning will
be re-enabled in a future release when the issue is
resolved. In the mean-time, users who enabled the feature in
clamd.conf will see a warning informing them that the feature
is not active. For details, see:
https://bugzilla.clamav.net/show_bug.cgi?id=12048
- Restore exit code compatibility of freshclam with versions before
0.100.0 when the virus database is already up to date
(bsc#1104457).
ModerateSUSE bug 1103040SUSE bug 1104457SUSE bug 1110723CVE-2018-14680 at SUSECVE-2018-14680 at NVDCVE-2018-14681 at SUSECVE-2018-14681 at NVDCVE-2018-14682 at SUSECVE-2018-14682 at NVDCVE-2018-15378 at SUSECVE-2018-15378 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for net-snmp (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for net-snmp fixes the following issues:
Security issues fixed:
- CVE-2018-18065: _set_key in agent/helpers/table_container.c had a NULL Pointer Exception bug that can be used by an authenticated attacker to remotely cause the instance to crash via a crafted UDP packet, resulting in Denial of Service. (bsc#1111122)
Non-security issues fixed:
- swintst_rpm: Protect against unspecified Group name (bsc#1102775)
- Add tsm and tlstm MIBs and the USM security module. (bsc#1081164)
- Fix agentx freezing on timeout (bsc#1027353)
ImportantSUSE bug 1027353SUSE bug 1081164SUSE bug 1102775SUSE bug 1111122CVE-2018-18065 at SUSECVE-2018-18065 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ImageMagick fixes the following issues:
- CVE-2017-14997: GraphicsMagick allowed remote attackers to cause a denial of service (excessive memory allocation) because of an integer underflow in ReadPICTImage in coders/pict.c. [bsc#1112399]
- CVE-2018-16644: An regression in the security fix for the pict coder was fixed (bsc#1107609)
ModerateSUSE bug 1107609SUSE bug 1112399CVE-2017-14997 at SUSECVE-2017-14997 at NVDCVE-2018-16644 at SUSECVE-2018-16644 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for smt (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
SMT was updated to version 3.0.38.
Following security issue was fixed:
- CVE-2018-12472: Harden hostname check during sibling check by forcing double
reverse lookup (bsc#1104076)
Following non security issues were fixed:
- Add migration path check when registration sharing is enabled
- Fix sibling sync errors (bsc#1111056):
- Synchronize all registered products
- Handle duplicate registrations when syncing
- Force resync to the sibling instance in `upgrade` and
`synchronize` API calls
ModerateSUSE bug 1104076SUSE bug 1111056CVE-2018-12472 at SUSECVE-2018-12472 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
XEN was updated to the Xen 4.9.3 bug fix only release (bsc#1027519)
- CVE-2018-17963: qemu_deliver_packet_iov accepted packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact. (bsc#1111014)
- CVE-2018-15470: oxenstored might not have enforced the configured quota-maxentity. This allowed a malicious or buggy guest to write as many xenstore entries as it wishes, causing unbounded memory usage in oxenstored. This can lead to a system-wide DoS. (XSA-272) (bsc#1103279)
- CVE-2018-15469: ARM never properly implemented grant table v2, either in the hypervisor or in Linux. Unfortunately, an ARM guest can still request v2 grant tables; they will simply not be properly set up, resulting in subsequent grant-related hypercalls hitting BUG() checks. An unprivileged guest can cause a BUG() check in the hypervisor, resulting in a denial-of-service (crash). (XSA-268) (bsc#1103275)
Note that SUSE does not ship ARM Xen, so we are not affected.
- CVE-2018-15468: The DEBUGCTL MSR contains several debugging features, some of which virtualise cleanly, but some do not. In particular, Branch Trace Store is not virtualised by the processor, and software has to be careful to configure it suitably not to lock up the core. As a result, it must only be available to fully trusted guests. Unfortunately, in the case that vPMU is disabled, all value checking was skipped, allowing the guest to choose any MSR_DEBUGCTL setting it likes. A malicious or buggy guest administrator (on Intel x86 HVM or PVH) can lock up the entire host, causing a Denial of Service. (XSA-269) (bsc#1103276)
- CVE-2018-3646: Systems with microprocessors utilizing speculative execution and address translations may have allowed unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis. (XSA-273) (bsc#1091107)
Non security issues fixed:
- The affinity reporting via 'xl vcpu-list' was broken (bsc#1106263)
- Kernel oops in fs/dcache.c called by d_materialise_unique() (bsc#1094508)
ImportantSUSE bug 1027519SUSE bug 1078292SUSE bug 1091107SUSE bug 1094508SUSE bug 1103275SUSE bug 1103276SUSE bug 1103279SUSE bug 1106263SUSE bug 1111014CVE-2018-15468 at SUSECVE-2018-15468 at NVDCVE-2018-15469 at SUSECVE-2018-15469 at NVDCVE-2018-15470 at SUSECVE-2018-15470 at NVDCVE-2018-17963 at SUSECVE-2018-17963 at NVDCVE-2018-3646 at SUSECVE-2018-3646 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for lcms2 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for lcms2 fixes the following security issues:
- CVE-2016-10165: The Type_MLU_Read function allowed remote attackers to obtain
sensitive information or cause a denial of service via an image with a crafted
ICC profile, which triggered an out-of-bounds heap read (bsc#1021364).
- CVE-2018-16435: A integer overflow was fixed in the AllocateDataSet
function in cmscgats.c, that could lead to a heap-based buffer overflow
in the SetData function via a crafted file in the second argument to
cmsIT8LoadFromFile. (bsc#1108813)
- Ensure that LUT stages match channel count (bsc#1026649).
- sanitize input and output channels on MPE profiles (bsc#1026650).
ModerateSUSE bug 1021364SUSE bug 1026649SUSE bug 1026650SUSE bug 1108813CVE-2016-10165 at SUSECVE-2016-10165 at NVDCVE-2018-16435 at SUSECVE-2018-16435 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for qemu (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for qemu fixes the following issues:
These security issues were fixed:
- CVE-2018-12617: qmp_guest_file_read had an integer overflow that could have
been exploited by sending a crafted QMP command (including guest-file-read with
a large count value) to the agent via the listening socket causing DoS
(bsc#1098735).
- CVE-2018-11806: Prevent heap-based buffer overflow via incoming fragmented
datagrams (bsc#1096223).
With this release the mitigations for Spectre v4 are moved the the patches from
upstream (CVE-2018-3639, bsc#1092885).
This feature was added:
- Add support for block resize support for disks through the monitor (bsc#1094725).
ModerateSUSE bug 1092885SUSE bug 1094725SUSE bug 1096223SUSE bug 1098735CVE-2018-11806 at SUSECVE-2018-11806 at NVDCVE-2018-12617 at SUSECVE-2018-12617 at NVDCVE-2018-3639 at SUSECVE-2018-3639 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python, python-base (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python, python-base fixes the following issues:
Security issues fixed:
- CVE-2018-1000802: Prevent command injection in shutil module (make_archive
function) via passage of unfiltered user input (bsc#1109663).
- CVE-2018-1061: Fixed DoS via regular expression backtracking in
difflib.IS_LINE_JUNK method in difflib (bsc#1088004).
- CVE-2018-1060: Fixed DoS via regular expression catastrophic backtracking in
apop() method in pop3lib (bsc#1088009).
Bug fixes:
- bsc#1086001: python tarfile uses random order.
ModerateSUSE bug 1086001SUSE bug 1088004SUSE bug 1088009SUSE bug 1109663CVE-2018-1000802 at SUSECVE-2018-1000802 at NVDCVE-2018-1060 at SUSECVE-2018-1060 at NVDCVE-2018-1061 at SUSECVE-2018-1061 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for apache2 fixes the following issues:
Security issues fixed:
- CVE-2018-11763: In Apache HTTP Server by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. (bsc#1109961)
ImportantSUSE bug 1109961CVE-2018-11763 at SUSECVE-2018-11763 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for audiofile (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for audiofile fixes the following issues:
- CVE-2018-17095: A heap-based buffer overflow in Expand3To4Module::run could occurred when running sfconvert leading to crashes or code execution when handling untrusted soundfiles (bsc#1111586).
ModerateSUSE bug 1111586CVE-2018-17095 at SUSECVE-2018-17095 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for wireshark (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for wireshark fixes the following issues:
Wireshark was updated to 2.4.10 (bsc#1111647).
Following security issues were fixed:
- CVE-2018-18227: MS-WSP dissector crash (wnpa-sec-2018-47)
- CVE-2018-12086: OpcUA dissector crash (wnpa-sec-2018-50)
Further bug fixes and updated protocol support that were done are listed in:
https://www.wireshark.org/docs/relnotes/wireshark-2.4.10.html
ImportantSUSE bug 1111647CVE-2018-12086 at SUSECVE-2018-12086 at NVDCVE-2018-18227 at SUSECVE-2018-18227 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox, MozillaFirefox-branding-SLE, llvm4, mozilla-nspr, mozilla-nss, apache2-mod_nss (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox to ESR 60.2.2 fixes several issues.
These general changes are part of the version 60 release.
- New browser engine with speed improvements
- Redesigned graphical user interface elements
- Unified address and search bar for new installations
- New tab page listing top visited, recently visited and recommended pages
- Support for configuration policies in enterprise deployments via JSON files
- Support for Web Authentication, allowing the use of USB tokens for
authentication to web sites
The following changes affect compatibility:
- Now exclusively supports extensions built using the WebExtension API.
- Unsupported legacy extensions will no longer work in Firefox 60 ESR
- TLS certificates issued by Symantec before June 1st, 2016 are no longer trusted
The 'security.pki.distrust_ca_policy' preference can be set to 0 to reinstate
trust in those certificates
The following issues affect performance:
- new format for storing private keys, certificates and certificate trust
If the user home or data directory is on a network file system, it is
recommended that users set the following environment variable to avoid
slowdowns: NSS_SDB_USE_CACHE=yes
This setting is not recommended for local, fast file systems.
These security issues were fixed:
- CVE-2018-12381: Dragging and dropping Outlook email message results in page navigation (bsc#1107343).
- CVE-2017-16541: Proxy bypass using automount and autofs (bsc#1107343).
- CVE-2018-12376: Various memory safety bugs (bsc#1107343).
- CVE-2018-12377: Use-after-free in refresh driver timers (bsc#1107343).
- CVE-2018-12378: Use-after-free in IndexedDB (bsc#1107343).
- CVE-2018-12379: Out-of-bounds write with malicious MAR file (bsc#1107343).
- CVE-2018-12386: Type confusion in JavaScript allowed remote code execution (bsc#1110506)
- CVE-2018-12387: Array.prototype.push stack pointer vulnerability may enable exploits in the sandboxed content process (bsc#1110507)
- CVE-2018-12385: Crash in TransportSecurityInfo due to cached data (bsc#1109363)
- CVE-2018-12383: Setting a master password did not delete unencrypted previously stored passwords (bsc#1107343)
This update for mozilla-nspr to version 4.19 fixes the follwing issues
- Added TCP Fast Open functionality
- A socket without PR_NSPR_IO_LAYER will no longer trigger
an assertion when polling
This update for mozilla-nss to version 3.36.4 fixes the follwing issues
- Connecting to a server that was recently upgraded to TLS 1.3
would result in a SSL_RX_MALFORMED_SERVER_HELLO error.
- Fix a rare bug with PKCS#12 files.
- Replaces existing vectorized ChaCha20 code with verified
HACL* implementation.
- TLS 1.3 support has been updated to draft -23.
- Added formally verified implementations of non-vectorized Chacha20
and non-vectorized Poly1305 64-bit.
- The following CA certificates were Removed:
OU = Security Communication EV RootCA1
CN = CA Disig Root R1
CN = DST ACES CA X6
Certum CA, O=Unizeto Sp. z o.o.
StartCom Certification Authority
StartCom Certification Authority G2
T?BİTAK UEKAE K?k Sertifika Hizmet Sağlayıcısı - S?r?m 3
ACEDICOM Root
Certinomis - Autorit? Racine
T?RKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
PSCProcert
CA 沃通根证书, O=WoSign CA Limited
Certification Authority of WoSign
Certification Authority of WoSign G2
CA WoSign ECC Root
Subject CN = VeriSign Class 3 Secure Server CA - G2
O = Japanese Government, OU = ApplicationCA
CN = WellsSecure Public Root Certificate Authority
CN = T?RKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
CN = Microsec e-Szigno Root
* The following CA certificates were Removed:
AddTrust Public CA Root
AddTrust Qualified CA Root
China Internet Network Information Center EV Certificates Root
CNNIC ROOT
ComSign Secured CA
GeoTrust Global CA 2
Secure Certificate Services
Swisscom Root CA 1
Swisscom Root EV CA 2
Trusted Certificate Services
UTN-USERFirst-Hardware
UTN-USERFirst-Object
* The following CA certificates were Added
CN = D-TRUST Root CA 3 2013
CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
GDCA TrustAUTH R5 ROOT
SSL.com Root Certification Authority RSA
SSL.com Root Certification Authority ECC
SSL.com EV Root Certification Authority RSA R2
SSL.com EV Root Certification Authority ECC
TrustCor RootCert CA-1
TrustCor RootCert CA-2
TrustCor ECA-1
* The Websites (TLS/SSL) trust bit was turned off for the following
CA certificates:
CN = Chambers of Commerce Root
CN = Global Chambersign Root
* TLS servers are able to handle a ClientHello statelessly, if the
client supports TLS 1.3. If the server sends a HelloRetryRequest,
it is possible to discard the server socket, and make a new socket
to handle any subsequent ClientHello. This better enables stateless
server operation. (This feature is added in support of QUIC, but it
also has utility for DTLS 1.3 servers.)
Due to the update of mozilla-nss apache2-mod_nss needs to be updated to
change to the SQLite certificate database, which is now the default (bsc#1108771)
ImportantSUSE bug 1012260SUSE bug 1021577SUSE bug 1026191SUSE bug 1041469SUSE bug 1041894SUSE bug 1049703SUSE bug 1061204SUSE bug 1064786SUSE bug 1065464SUSE bug 1066489SUSE bug 1073210SUSE bug 1078436SUSE bug 1091551SUSE bug 1092697SUSE bug 1094767SUSE bug 1096515SUSE bug 1107343SUSE bug 1108771SUSE bug 1108986SUSE bug 1109363SUSE bug 1109465SUSE bug 1110506SUSE bug 1110507SUSE bug 703591SUSE bug 839074SUSE bug 857131SUSE bug 893359CVE-2017-16541 at SUSECVE-2017-16541 at NVDCVE-2018-12376 at SUSECVE-2018-12376 at NVDCVE-2018-12377 at SUSECVE-2018-12377 at NVDCVE-2018-12378 at SUSECVE-2018-12378 at NVDCVE-2018-12379 at SUSECVE-2018-12379 at NVDCVE-2018-12381 at SUSECVE-2018-12381 at NVDCVE-2018-12383 at SUSECVE-2018-12383 at NVDCVE-2018-12385 at SUSECVE-2018-12385 at NVDCVE-2018-12386 at SUSECVE-2018-12386 at NVDCVE-2018-12387 at SUSECVE-2018-12387 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for curl (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for curl fixes the following issues:
- CVE-2018-16840: A use after free in closing SASL handles was fixed (bsc#1112758)
- CVE-2018-16842: A Out-of-bounds Read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660)
ModerateSUSE bug 1112758SUSE bug 1113660CVE-2018-16840 at SUSECVE-2018-16840 at NVDCVE-2018-16842 at SUSECVE-2018-16842 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for soundtouch (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for soundtouch fixes the following issues:
- CVE-2018-17098: The WavFileBase class allowed remote attackers to cause a denial of service (heap corruption from size inconsistency) or possibly have unspecified other impact, as demonstrated by SoundStretch. (bsc#1108632)
- CVE-2018-17097: The WavFileBase class allowed remote attackers to cause a denial of service (double free) or possibly have unspecified other impact, as demonstrated by SoundStretch. (double free) (bsc#1108631)
- CVE-2018-17096: The BPMDetect class allowed remote attackers to cause a denial of service (assertion failure and application exit), as demonstrated by SoundStretch. (bsc#1108630)
ModerateSUSE bug 1108630SUSE bug 1108631SUSE bug 1108632CVE-2018-17096 at SUSECVE-2018-17096 at NVDCVE-2018-17097 at SUSECVE-2018-17097 at NVDCVE-2018-17098 at SUSECVE-2018-17098 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for opensc (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for opensc fixes the following issues:
- CVE-2018-16391: Fixed a denial of service when handling responses from a Muscle Card (bsc#1106998)
- CVE-2018-16392: Fixed a denial of service when handling responses from a TCOS Card (bsc#1106999)
- CVE-2018-16393: Fixed buffer overflows when handling responses from Gemsafe V1 Smartcards (bsc#1108318)
- CVE-2018-16418: Fixed buffer overflow when handling string concatenation in util_acl_to_str (bsc#1107039)
- CVE-2018-16419: Fixed several buffer overflows when handling responses from a Cryptoflex card (bsc#1107107)
- CVE-2018-16420: Fixed buffer overflows when handling responses from an ePass 2003 Card (bsc#1107097)
- CVE-2018-16422: Fixed single byte buffer overflow when handling responses from an esteid Card (bsc#1107038)
- CVE-2018-16423: Fixed double free when handling responses from a smartcard (bsc#1107037)
- CVE-2018-16426: Fixed endless recursion when handling responses from an IAS-ECC card (bsc#1107034)
- CVE-2018-16427: Fixed out of bounds reads when handling responses in OpenSC (bsc#1107033)
ModerateSUSE bug 1104812SUSE bug 1106998SUSE bug 1106999SUSE bug 1107033SUSE bug 1107034SUSE bug 1107037SUSE bug 1107038SUSE bug 1107039SUSE bug 1107097SUSE bug 1107107SUSE bug 1108318CVE-2018-16391 at SUSECVE-2018-16391 at NVDCVE-2018-16392 at SUSECVE-2018-16392 at NVDCVE-2018-16393 at SUSECVE-2018-16393 at NVDCVE-2018-16418 at SUSECVE-2018-16418 at NVDCVE-2018-16419 at SUSECVE-2018-16419 at NVDCVE-2018-16420 at SUSECVE-2018-16420 at NVDCVE-2018-16422 at SUSECVE-2018-16422 at NVDCVE-2018-16423 at SUSECVE-2018-16423 at NVDCVE-2018-16426 at SUSECVE-2018-16426 at NVDCVE-2018-16427 at SUSECVE-2018-16427 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libarchive (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libarchive fixes the following issues:
- CVE-2016-10209: The archive_wstring_append_from_mbs function in archive_string.c allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted archive file. (bsc#1032089)
- CVE-2016-10349: The archive_le32dec function in archive_endian.h allowed remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file. (bsc#1037008)
- CVE-2016-10350: The archive_read_format_cab_read_header function in archive_read_support_format_cab.c allowed remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file. (bsc#1037009)
- CVE-2017-14166: libarchive allowed remote attackers to cause a denial of service (xml_data heap-based buffer over-read and application crash) via a crafted xar archive, related to the mishandling of empty strings in the atol8 function in archive_read_support_format_xar.c. (bsc#1057514)
- CVE-2017-14501: An out-of-bounds read flaw existed in parse_file_info in archive_read_support_format_iso9660.c when extracting a specially crafted iso9660 iso file, related to archive_read_format_iso9660_read_header. (bsc#1059139)
- CVE-2017-14502: read_header in archive_read_support_format_rar.c suffered from an off-by-one error for UTF-16 names in RAR archives, leading to an out-of-bounds read in archive_read_format_rar_read_header. (bsc#1059134)
- CVE-2017-14503: libarchive suffered from an out-of-bounds read within lha_read_data_none() in archive_read_support_format_lha.c when extracting a specially crafted lha archive, related to lha_crc16. (bsc#1059100)
ModerateSUSE bug 1032089SUSE bug 1037008SUSE bug 1037009SUSE bug 1057514SUSE bug 1059100SUSE bug 1059134SUSE bug 1059139CVE-2016-10209 at SUSECVE-2016-10209 at NVDCVE-2016-10349 at SUSECVE-2016-10349 at NVDCVE-2016-10350 at SUSECVE-2016-10350 at NVDCVE-2017-14166 at SUSECVE-2017-14166 at NVDCVE-2017-14501 at SUSECVE-2017-14501 at NVDCVE-2017-14502 at SUSECVE-2017-14502 at NVDCVE-2017-14503 at SUSECVE-2017-14503 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Security issues fixed:
- Update to Mozilla Firefox 60.3.0esr: MFSA 2018-27 (bsc#1112852)
- CVE-2018-12392: Crash with nested event loops.
- CVE-2018-12393: Integer overflow during Unicode conversion while loading JavaScript.
- CVE-2018-12395: WebExtension bypass of domain restrictions through header rewriting.
- CVE-2018-12396: WebExtension content scripts can execute in disallowed contexts.
- CVE-2018-12397: WebExtension local file access vulnerability.
- CVE-2018-12389: Memory safety bugs fixed in Firefox ESR 60.3.
- CVE-2018-12390: Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3.
ImportantSUSE bug 1112852CVE-2018-12389 at SUSECVE-2018-12389 at NVDCVE-2018-12390 at SUSECVE-2018-12390 at NVDCVE-2018-12392 at SUSECVE-2018-12392 at NVDCVE-2018-12393 at SUSECVE-2018-12393 at NVDCVE-2018-12395 at SUSECVE-2018-12395 at NVDCVE-2018-12396 at SUSECVE-2018-12396 at NVDCVE-2018-12397 at SUSECVE-2018-12397 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for systemd (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for systemd fixes the following issues:
Security issues fixed:
- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632)
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665)
Non-security issues fixed:
- dhcp6: split assert_return() to be more debuggable when hit
- core: skip unit deserialization and move to the next one when unit_deserialize() fails
- core: properly handle deserialization of unknown unit types (#6476)
- core: don't create Requires for workdir if 'missing ok' (bsc#1113083)
- logind: use manager_get_user_by_pid() where appropriate
- logind: rework manager_get_{user|session}_by_pid() a bit
- login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024)
- core: be more defensive if we can't determine per-connection socket peer (#7329)
- socket-util: introduce port argument in sockaddr_port()
- service: fixup ExecStop for socket-activated shutdown (#4120)
- service: Continue shutdown on socket activated unit on termination (#4108) (bsc#1106923)
- cryptsetup: build fixes for 'add support for sector-size= option'
- udev-rules: IMPORT cmdline does not recognize keys with similar names (bsc#1111278)
- core: keep the kernel coredump defaults when systemd-coredump is disabled
- core: shorten main() a bit, split out coredump initialization
- core: set RLIMIT_CORE to unlimited by default (bsc#1108835)
- core/mount: fstype may be NULL
- journald: don't ship systemd-journald-audit.socket (bsc#1109252)
- core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445)
- mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076)
- tmp.mount.hm4: After swap.target (#3087)
- Ship systemd-sysv-install helper via the main package
This script was part of systemd-sysvinit sub-package but it was
wrong since systemd-sysv-install is a script used to redirect
enable/disable operations to chkconfig when the unit targets are
sysv init scripts. Therefore it's never been a SySV init tool.
ImportantSUSE bug 1106923SUSE bug 1108835SUSE bug 1109252SUSE bug 1110445SUSE bug 1111278SUSE bug 1112024SUSE bug 1113083SUSE bug 1113632SUSE bug 1113665CVE-2018-15686 at SUSECVE-2018-15686 at NVDCVE-2018-15688 at SUSECVE-2018-15688 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql10 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql10 fixes the following issues:
Security issue fixed:
- CVE-2018-16850: Fixed improper quoting of transition table names when pg_dump emits CREATE TRIGGER could have caused privilege escalation (bsc#1114837).
Non-security issues fixed:
- Update to release 10.6:
* https://www.postgresql.org/docs/current/static/release-10-6.html
ModerateSUSE bug 1114837CVE-2018-16850 at SUSECVE-2018-16850 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for squid (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for squid fixes the following issues:
Security issues fixed:
- CVE-2018-19131: Fixed Cross-Site-Scripting vulnerability in the TLS error handling (bsc#1113668).
- CVE-2018-19132: Fixed small memory leak in processing of SNMP packets (bsc#1113669).
Non-security issues fixed:
- Create runtime directories needed when SMP mode is enabled (bsc#1112695, bsc#1112066).
- Install license correctly (bsc#1082318).
ImportantSUSE bug 1082318SUSE bug 1112066SUSE bug 1112695SUSE bug 1113668SUSE bug 1113669CVE-2018-19131 at SUSECVE-2018-19131 at NVDCVE-2018-19132 at SUSECVE-2018-19132 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssl fixes the following issues:
Security issues fixed:
- CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652).
- CVE-2018-5407: Fixed elliptic curve scalar multiplication timing attack defenses (bsc#1113534).
- Add missing timing side channel patch for DSA signature generation (bsc#1113742).
Non-security issues fixed:
- Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209).
ModerateSUSE bug 1112209SUSE bug 1113534SUSE bug 1113652SUSE bug 1113742CVE-2018-0734 at SUSECVE-2018-0734 at NVDCVE-2018-5407 at SUSECVE-2018-5407 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for rpm (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for rpm fixes the following issues:
These security issues were fixed:
- CVE-2017-7500: rpm did not properly handle RPM installations when a
destination path was a symbolic link to a directory, possibly changing
ownership and permissions of an arbitrary directory, and RPM files being placed
in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when
installing an RPM. An attacker with ability to write in a directory where files
will be installed could create symbolic links to an arbitrary location and
modify content, and possibly permissions to arbitrary files, which could be
used for denial of service or possibly privilege escalation (bsc#943457)
This is a reissue of the above security fixes for SUSE Linux Enterprise 12 GA, SP1 and SP2 LTSS,
they have already been released for SUSE Linux Enterprise Server 12 SP3.
ImportantSUSE bug 943457CVE-2017-7500 at SUSECVE-2017-7500 at NVDCVE-2017-7501 at SUSECVE-2017-7501 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for exiv2 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for exiv2 fixes the following issues:
- CVE-2017-11591: A floating point exception in the Exiv2::ValueType function could lead to a remote denial of service attack via crafted input. (bsc#1050257)
- CVE-2017-14864: An invalid memory address dereference was discovered in Exiv2::getULong in types.cpp. The vulnerability caused a segmentation fault and application crash, which lead to denial of service. (bsc#1060995)
- CVE-2017-14862: An invalid memory address dereference was discovered in Exiv2::DataValue::read in value.cpp. The vulnerability caused a segmentation fault and application crash, which lead to denial of service. (bsc#1060996)
- CVE-2017-14859: An invalid memory address dereference was discovered in Exiv2::StringValueBase::read in value.cpp. The vulnerability caused a segmentation fault and application crash, which lead to denial of service. (bsc#1061000)
- CVE-2017-11683: There is a reachable assertion in the Internal::TiffReader::visitDirectory function in tiffvisitor.cpp that could lead to a remote denial of service attack via crafted input. (bsc#1051188)
- CVE-2017-17669: There is a heap-based buffer over-read in the Exiv2::Internal::PngChunk::keyTXTChunk function of pngchunk_int.cpp. A crafted PNG file would lead to a remote denial of service attack. (bsc#1072928)
- CVE-2018-10958: In types.cpp a large size value might have lead to a SIGABRT during an attempt at memory allocation for an Exiv2::Internal::PngChunk::zlibUncompress call. (bsc#1092952)
- CVE-2018-10998: readMetadata in jp2image.cpp allowed remote attackers to cause a denial of service (SIGABRT) by triggering an incorrect Safe::add call. (bsc#1093095)
- CVE-2018-11531: Exiv2 had a heap-based buffer overflow in getData in preview.cpp. (bsc#1095070)
ModerateSUSE bug 1050257SUSE bug 1051188SUSE bug 1060995SUSE bug 1060996SUSE bug 1061000SUSE bug 1072928SUSE bug 1092952SUSE bug 1093095SUSE bug 1095070CVE-2017-11591 at SUSECVE-2017-11591 at NVDCVE-2017-11683 at SUSECVE-2017-11683 at NVDCVE-2017-14859 at SUSECVE-2017-14859 at NVDCVE-2017-14862 at SUSECVE-2017-14862 at NVDCVE-2017-14864 at SUSECVE-2017-14864 at NVDCVE-2017-17669 at SUSECVE-2017-17669 at NVDCVE-2018-10958 at SUSECVE-2018-10958 at NVDCVE-2018-10998 at SUSECVE-2018-10998 at NVDCVE-2018-11531 at SUSECVE-2018-11531 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tiff (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tiff fixes the following issues:
Security issues fixed:
- CVE-2018-12900: Fixed heap-based buffer overflow in the cpSeparateBufToContigBuf (bsc#1099257).
- CVE-2018-18661: Fixed NULL pointer dereference in the function LZWDecode in the file tif_lzw.c (bsc#1113672).
- CVE-2018-18557: Fixed JBIG decode can lead to out-of-bounds write (bsc#1113094).
Non-security issues fixed:
- asan_build: build ASAN included
- debug_build: build more suitable for debugging
ModerateSUSE bug 1099257SUSE bug 1113094SUSE bug 1113672CVE-2018-12900 at SUSECVE-2018-12900 at NVDCVE-2018-18557 at SUSECVE-2018-18557 at NVDCVE-2018-18661 at SUSECVE-2018-18661 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openssh (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssh fixes the following issues:
Following security issues have been fixed:
- CVE-2018-15473: OpenSSH was prone to a user existance oracle vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. (bsc#1105010)
The following non-security issues were fixed:
- Stop leaking File descriptors (bsc#964336)
- sftp-client.c returns wrong error code upon failure [bsc#1091396]
ModerateSUSE bug 1091396SUSE bug 1105010SUSE bug 964336CVE-2018-15473 at SUSECVE-2018-15473 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
java-1_7_1-ibm was updated to Java 7.1 Service Refresh 4 Fix Pack 35 (bsc#1116574):
* Consumability
- IJ10515 AIX JAVA 7.1.3.10 GENERAL PROTECTION FAULT WHEN ATTEMPTING TO USE HEALTH CENTER API
* Class Libraries
- IJ10934 CVE-2018-13785
- IJ10935 CVE-2018-3136
- IJ10895 CVE-2018-3139
- IJ10932 CVE-2018-3149
- IJ10894 CVE-2018-3180
- IJ10933 CVE-2018-3214
- IJ09315 FLOATING POINT EXCEPTION FROM JAVA.TEXT.DECIMALFORMAT. FORMAT
- IJ09088 INTRODUCING A NEW PROPERTY FOR TURKEY TIMEZONE FOR PRODUCTS NOT IDENTIFYING TRT
- IJ08569 JAVA.IO.IOEXCEPTION OCCURS WHEN A FILECHANNEL IS BIGGER THAN 2GB ON AIX PLATFORM
- IJ10800 REMOVE EXPIRING ROOT CERTIFICATES IN IBM JDK’S CACERTS.
* Java Virtual Machine
- IJ10931 CVE-2018-3169
- IV91132 SOME CORE PATTERN SPECIFIERS ARE NOT HANDLED BY THE JVM ON LINUX
* JIT Compiler
- IJ08205 CRASH WHILE COMPILING
- IJ07886 INCORRECT CALUCATIONS WHEN USING NUMBERFORMAT.FORMAT() AND BIGDECIMAL.{FLOAT/DOUBLE }VALUE()
* ORB
- IX90187 CLIENTREQUESTIMPL.REINVO KE FAILS WITH JAVA.LANG.INDEXOUTOFBOUN DSEXCEPTION
* Security
- IJ10492 'EC KEYSIZE < 384' IS NOT HONORED USING THE 'JDK.TLS.DISABLEDALGORIT HMS' SECURITY PROPERTY
- IJ10491 AES/GCM CIPHER – AAD NOT RESET TO UN-INIT STATE AFTER DOFINAL( ) AND INIT( )
- IJ08442 HTTP PUBLIC KEY PINNING FINGERPRINT,PROBLEM WITH CONVERTING TO JKS KEYSTORE
- IJ09107 IBMPKCS11IMPL CRYPTO PROVIDER – INTERMITTENT ERROR WITH SECP521R1 SIGNATURE ON Z/OS
- IJ10136 IBMPKCS11IMPL – INTERMITTENT ERROR WITH SECP521R1 SIG ON Z/OS AND Z/LINUX
- IJ08530 IBMPKCS11IMPL PROVIDER USES THE WRONG RSA CIPHER MECHANISM FOR THE RSA/ECB/PKCS1PADDING CIPHER
- IJ08723 JAAS THROWS A ‘ARRAY INDEX OUT OF RANGE’ EXCEPTION
- IJ08704 THE SECURITY PROPERTY ‘JDK.CERTPATH.DISABLEDAL GORITHMS’ IS MISTAKENLY BEING USED TO FILTER JAR SIGNING ALGORITHMS
* z/OS Extentions
- PH01244 OUTPUT BUFFER TOO SHORT FOR GCM MODE ENCRYPTION USING IBMJCEHYBRID
ImportantSUSE bug 1116574CVE-2018-13785 at SUSECVE-2018-13785 at NVDCVE-2018-3136 at SUSECVE-2018-3136 at NVDCVE-2018-3139 at SUSECVE-2018-3139 at NVDCVE-2018-3149 at SUSECVE-2018-3149 at NVDCVE-2018-3169 at SUSECVE-2018-3169 at NVDCVE-2018-3180 at SUSECVE-2018-3180 at NVDCVE-2018-3214 at SUSECVE-2018-3214 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ncurses (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ncurses fixes the following issue:
Security issue fixed:
- CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).
ImportantSUSE bug 1115929CVE-2018-19211 at SUSECVE-2018-19211 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ImageMagick fixes the following issues:
Security issues fixed:
- CVE-2018-18544: Fixed memory leak in the function WriteMSLImage (bsc#1113064).
Non-security issues fixed:
- Improve import documentation (bsc#1057246).
- Allow override system security policy (bsc#1117463).
- asan_build: build ASAN included
- debug_build: build more suitable for debugging
ModerateSUSE bug 1057246SUSE bug 1113064SUSE bug 1117463CVE-2018-18544 at SUSECVE-2018-18544 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python-cryptography, python-pyOpenSSL (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-cryptography, python-pyOpenSSL fixes the following issues:
Security issues fixed:
- CVE-2018-1000808: A memory leak due to missing reference checking in PKCS#12 store handling was fixed (bsc#1111634)
- CVE-2018-1000807: A use-after-free in X509 object handling was fixed (bsc#1111635)
- avoid bad interaction with python-cryptography package. (bsc#1021578)
ImportantSUSE bug 1021578SUSE bug 1111634SUSE bug 1111635CVE-2018-1000807 at SUSECVE-2018-1000807 at NVDCVE-2018-1000808 at SUSECVE-2018-1000808 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
java-1_8_0-ibm was updated to Java 8.0 Service Refresh 5 Fix Pack 25 (bsc#1116574)
* Class Libraries:
- IJ10934 CVE-2018-13785
- IJ10935 CVE-2018-3136
- IJ10895 CVE-2018-3139
- IJ10932 CVE-2018-3149
- IJ10894 CVE-2018-3180
- IJ10930 CVE-2018-3183
- IJ10933 CVE-2018-3214
- IJ09315 FLOATING POINT EXCEPTION FROM JAVA.TEXT.DECIMALFORMAT. FORMAT
- IJ09088 INTRODUCING A NEW PROPERTY FOR TURKEY TIMEZONE FOR PRODUCTS NOT IDENTIFYING TRT
- IJ10800 REMOVE EXPIRING ROOT CERTIFICATES IN IBM JDK’S CACERTS.
- IJ10566 SUPPORT EBCDIC CODE PAGE IBM-274 – BELGIUM EBCDIC
* Java Virtual Machine
- IJ08730 APPLICATION SIGNAL HANDLER NOT INVOKED FOR SIGABRT
- IJ10453 ASSERTION FAILURE AT CLASSPATHITEM.CPP
- IJ09574 CLASSLOADER DEFINED THROUGH SYSTEM PROPERTY ‘JAVA.SYSTEM.CLASS.LOADE R’ IS NOT HONORED.
- IJ10931 CVE-2018-3169
- IJ10618 GPU SORT: UNSPECIFIED LAUNCH FAILURE
- IJ10619 INCORRECT ILLEGALARGUMENTEXCEPTION BECAUSE OBJECT IS NOT AN INSTANCE OF DECLARING CLASS ON REFLECTIVE INVOCATION
- IJ10135 JVM HUNG IN GARBAGECOLLECTORMXBEAN.G ETLASTGCINFO() API
- IJ10680 RECURRENT ABORTED SCAVENGE
* ORB
- IX90187 CLIENTREQUESTIMPL.REINVO KE FAILS WITH JAVA.LANG.INDEXOUTOFBOUN DSEXCEPTION
* Reliability and Serviceability
- IJ09600 DTFJ AND JDMPVIEW FAIL TO PARSE WIDE REGISTER VALUES
* Security
- IJ10492 'EC KEYSIZE < 384' IS NOT HONORED USING THE 'JDK.TLS.DISABLEDALGORIT HMS' SECURITY PROPERTY
- IJ10310 ADD NULL CHECKING ON THE ENCRYPTION TYPES LIST TO CREDENTIALS.GETDEFAULTNA TIVECREDS() METHOD
- IJ10491 AES/GCM CIPHER – AAD NOT RESET TO UN-INIT STATE AFTER DOFINAL( ) AND INIT( )
- IJ08442 HTTP PUBLIC KEY PINNING FINGERPRINT,PROBLEM WITH CONVERTING TO JKS KEYSTORE
- IJ09107 IBMPKCS11IMPL CRYPTO PROVIDER – INTERMITTENT ERROR WITH SECP521R1 SIGNATURE ON Z/OS
- IJ10136 IBMPKCS11IMPL – INTERMITTENT ERROR WITH SECP521R1 SIG ON Z/OS AND Z/LINUX
- IJ08530 IBMPKCS11IMPL PROVIDER USES THE WRONG RSA CIPHER MECHANISM FOR THE RSA/ECB/PKCS1PADDING CIPHER
- IJ08723 JAAS THROWS A ‘ARRAY INDEX OUT OF RANGE’ EXCEPTION
- IJ08704 THE SECURITY PROPERTY ‘JDK.CERTPATH.DISABLEDAL GORITHMS’ IS MISTAKENLY BEING USED TO FILTER JAR SIGNING ALGORITHMS
* z/OS Extentions
- PH03889 ADD SUPPORT FOR TRY-WITH-RESOURCES TO COM.IBM.JZOS.ENQUEUE
- PH03414 ROLLOVER FROM SYE TO SAE FOR ICSF REASON CODE 3059
- PH04008 ZERTJSSE – Z SYSTEMS ENCRYPTION READINESS TOOL (ZERT) NEW SUPPORT IN THE Z/OS JAVA SDK
This includes the update to Java 8.0 Service Refresh 5 Fix Pack 22:
* Java Virtual Machine
- IJ09139 CUDA4J NOT AVAILABLE ON ALL PLATFORMS
* JIT Compiler
- IJ09089 CRASH DURING COMPILATION IN USEREGISTER ON X86-32
- IJ08655 FLOATING POINT ERROR (SIGFPE) IN ZJ9SYM1 OR ANY VM/JIT MODULE ON AN INSTRUCTION FOLLOWING A VECTOR INSTRUCTION
- IJ08850 CRASH IN ARRAYLIST$ITR.NEXT()
- IJ09601 JVM CRASHES ON A SIGBUS SIGNAL WHEN ACCESSING A DIRECTBYTEBUFFER
* z/OS Extentions
- PH02999 JZOS data management classes accept dataset names in code pages supported by z/OS system services
- PH01244 OUTPUT BUFFER TOO SHORT FOR GCM MODE ENCRYPTION USING IBMJCEHYBRID
Also the update to Java 8.0 Service Refresh 5 Fix Pack 21
* Class Libraries
- IJ08569 JAVA.IO.IOEXCEPTION OCCURS WHEN A FILECHANNEL IS BIGGER THAN 2GB ON AIX PLATFORM
- IJ08570 JAVA.LANG.UNSATISFIEDLIN KERROR WITH JAVA OPTION -DSUN.JAVA2D.CMM=SUN.JAV A2D.CMM.KCMS.KCMSSERVICE PROVIDER ON AIX PLATFORM
* Java Virtual Machine
- IJ08001 30% THROUGHPUT DROP FOR CERTAIN SYNCHRONIZATION WORKLOADS
- IJ07997 TRACEASSERT IN GARBAGE COLLECTOR(MEMORYSUBSPACE)
* JIT Compiler
- IJ08503 ASSERTION IS HIT DUE TO UNEXPECTED STACK HEIGHT IN DEBUGGING MODE
- IJ08375 CRASH DURING HARDWARE GENERATED GUARDED STORAGE EVENT WITHIN A TRANSACTIONAL EXECUTION REGION WHEN RUNNING WITH -XGC:CONCURRENTS
- IJ08205 CRASH WHILE COMPILING
- IJ09575 INCORRECT RESULT WHEN USING JAVA.LANG.MATH.MIN OR MAX ON 31-BIT JVM
- IJ07886 INCORRECT CALUCATIONS WHEN USING NUMBERFORMAT.FORMAT() AND BIGDECIMAL.{FLOAT/DOUBLE }VALUE()
ImportantSUSE bug 1116574CVE-2018-13785 at SUSECVE-2018-13785 at NVDCVE-2018-3136 at SUSECVE-2018-3136 at NVDCVE-2018-3139 at SUSECVE-2018-3139 at NVDCVE-2018-3149 at SUSECVE-2018-3149 at NVDCVE-2018-3169 at SUSECVE-2018-3169 at NVDCVE-2018-3180 at SUSECVE-2018-3180 at NVDCVE-2018-3183 at SUSECVE-2018-3183 at NVDCVE-2018-3214 at SUSECVE-2018-3214 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
Security issues fixed:
- CVE-2018-18849: Fixed an out of bounds memory access issue was found in the LSI53C895A SCSI Host Bus Adapter emulation while writing a message in lsi_do_msgin (bsc#1114423).
- CVE-2018-18883: Fixed a NULL pointer dereference that could have been triggered by nested VT-x that where not properly restricted (XSA-278)(bsc#1114405).
- CVE-2018-19965: Fixed denial of service issue from attempting to use INVPCID with a non-canonical addresses (XSA-279)(bsc#1115045).
- CVE-2018-19966: Fixed issue introduced by XSA-240 that could have caused conflicts with shadow paging (XSA-280)(bsc#1115047).
- CVE-2018-19961 CVE-2018-19962: Fixed insufficient TLB flushing / improper large page mappings with AMD IOMMUs (XSA-275)(bsc#1115040).
Non-security issues fixed:
- Added upstream bug fixes (bsc#1027519).
- Fixed XEN SLE12-SP1 domU hang on SLE12-SP3 HV (bsc#1108940).
ImportantSUSE bug 1027519SUSE bug 1108940SUSE bug 1114405SUSE bug 1114423SUSE bug 1115040SUSE bug 1115045SUSE bug 1115047CVE-2018-18849 at SUSECVE-2018-18849 at NVDCVE-2018-18883 at SUSECVE-2018-18883 at NVDCVE-2018-19961 at SUSECVE-2018-19961 at NVDCVE-2018-19962 at SUSECVE-2018-19962 at NVDCVE-2018-19965 at SUSECVE-2018-19965 at NVDCVE-2018-19966 at SUSECVE-2018-19966 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ghostscript (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ghostscript to version 9.26 fixes the following issues:
Security issues fixed:
- CVE-2018-19475: Fixed bypass of an intended access restriction in psi/zdevice2.c (bsc#1117327)
- CVE-2018-19476: Fixed bypass of an intended access restriction in psi/zicc.c (bsc#1117313)
- CVE-2018-19477: Fixed bypass of an intended access restriction in psi/zfjbig2.c (bsc#1117274)
- CVE-2018-19409: Check if another device is used correctly in LockSafetyParams (bsc#1117022)
- CVE-2018-18284: Fixed potential sandbox escape through 1Policy operator (bsc#1112229)
- CVE-2018-18073: Fixed leaks through operator in saved execution stacks (bsc#1111480)
- CVE-2018-17961: Fixed a -dSAFER sandbox escape by bypassing executeonly (bsc#1111479)
- CVE-2018-17183: Fixed a potential code injection by specially crafted PostScript files (bsc#1109105)
Version update to 9.26 (bsc#1117331):
- Security issues have been the primary focus
- Minor bug fixes and improvements
- For release summary see: http://www.ghostscript.com/doc/9.26/News.htm
ImportantSUSE bug 1109105SUSE bug 1111479SUSE bug 1111480SUSE bug 1112229SUSE bug 1117022SUSE bug 1117274SUSE bug 1117313SUSE bug 1117327SUSE bug 1117331CVE-2018-17183 at SUSECVE-2018-17183 at NVDCVE-2018-17961 at SUSECVE-2018-17961 at NVDCVE-2018-18073 at SUSECVE-2018-18073 at NVDCVE-2018-18284 at SUSECVE-2018-18284 at NVDCVE-2018-19409 at SUSECVE-2018-19409 at NVDCVE-2018-19475 at SUSECVE-2018-19475 at NVDCVE-2018-19476 at SUSECVE-2018-19476 at NVDCVE-2018-19477 at SUSECVE-2018-19477 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for cups (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for cups fixes the following issues:
Security issue fixed:
- CVE-2018-4700: Fixed extremely predictable cookie generation that is effectively breaking the CSRF protection of the CUPS web interface (bsc#1115750).
ImportantSUSE bug 1115750CVE-2018-4700 at SUSECVE-2018-4700 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for git (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for git fixes the following issue:
- CVE-2018-17456: Git allowed remote code execution during processing of a recursive 'git clone' of a superproject if a .gitmodules file has a URL field beginning with a '-' character. (boo#1110949).
ImportantSUSE bug 1110949CVE-2018-17456 at SUSECVE-2018-17456 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openvswitch (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openvswitch to version 2.7.6 fixes the following issues:
These security issues were fixed:
- CVE-2018-17205: Prevent OVS crash when reverting old flows in bundle commit
(bsc#1104467).
- CVE-2018-17206: Avoid buffer overread in BUNDLE action decoding
(bsc#1104467).
- CVE-2018-17204:When decoding a group mod, it validated the group type and
command after the whole group mod has been decoded. The OF1.5 decoder, however,
tried to use the type and command earlier, when it might still be invalid. This
caused an assertion failure (via OVS_NOT_REACHED) (bsc#1104467).
These non-security issues were fixed:
- ofproto/bond: Fix bond reconfiguration race condition.
- ofproto/bond: Fix bond post recirc rule leak.
- ofproto/bond: fix interal flow leak of tcp-balance bond
- systemd: Restart openvswitch service if a daemon crashes
- conntrack: Fix checks for TCP, UDP, and IPv6 header sizes.
- ofp-actions: Fix translation of set_field for nw_ecn
- netdev-dpdk: Fix mempool segfault.
- ofproto-dpif-upcall: Fix flow setup/delete race.
- learn: Fix memory leak in learn_parse_sepc()
- netdev-dpdk: fix mempool_configure error state
- vswitchd: Add --cleanup option to the 'appctl exit' command
- ofp-parse: Fix memory leak on error path in parse_ofp_group_mod_file().
- actions: Fix memory leak on error path in parse_ct_lb_action().
- dpif-netdev: Fix use-after-free error in reconfigure_datapath().
- bridge: Fix memory leak in bridge_aa_update_trunks().
- dpif-netlink: Fix multiple-free and fd leak on error path.
- ofp-print: Avoid array overread in print_table_instruction_features().
- flow: Fix buffer overread in flow_hash_symmetric_l3l4().
- systemd: start vswitchd after udev
- ofp-util: Check length of buckets in ofputil_pull_ofp15_group_mod().
- ovsdb-types: Fix memory leak on error path.
- tnl-ports: Fix loss of tunneling upon removal of a single tunnel port.
- netdev: check for NULL fields in netdev_get_addrs
- netdev-dpdk: vhost get stats fix.
- netdev-dpdk: use 64-bit arithmetic when converting rates.
- ofp-util: Fix buffer overread in ofputil_decode_bundle_add().
- ofp-util: Fix memory leaks on error cases in ofputil_decode_group_mod().
- ofp-util: Fix memory leaks when parsing OF1.5 group properties.
- ofp-actions: Fix buffer overread in decode_LEARN_specs().
- flow: Fix buffer overread for crafted IPv6 packets.
- ofp-actions: Properly interpret 'output:in_port'.
- ovs-ofctl: Avoid read overrun in ofperr_decode_msg().
- odp-util: Avoid misaligned references to ip6_hdr.
- ofproto-dpif-upcall: Fix action attr iteration.
- ofproto-dpif-upcall: Fix key attr iteration.
- netdev-dpdk: vhost get stats fix.
- netdev-dpdk: use 64-bit arithmetic when converting rates.
- ofp-util: Fix buffer overread in ofputil_decode_bundle_add().
- ofp-util: Fix memory leaks on error cases in ofputil_decode_group_mod().
- ofp-util: Fix memory leaks when parsing OF1.5 group properties.
- odp-util: Fix buffer overread in parsing string form of ODP flows.
- ovs-vsctl: Fix segfault when attempting to del-port from parent bridge.
ModerateSUSE bug 1104467CVE-2018-17204 at SUSECVE-2018-17204 at NVDCVE-2018-17205 at SUSECVE-2018-17205 at NVDCVE-2018-17206 at SUSECVE-2018-17206 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for qemu (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for qemu fixes the following issues:
Security issues fixed:
- CVE-2018-10839: Fixed NE2000 NIC emulation support that is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS (bsc#1110910).
- CVE-2018-15746: Fixed qemu-seccomp.c that might allow local OS guest users to cause a denial of service (guest crash) by leveraging mishandling of the seccomp policy for threads other than the main thread (bsc#1106222).
- CVE-2018-17958: Fixed a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used (bsc#1111006).
- CVE-2018-17962: Fixed a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used (bsc#1111010).
- CVE-2018-17963: Fixed qemu_deliver_packet_iov in net/net.c that accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact. (bsc#1111013)
- CVE-2018-18849: Fixed an out of bounds memory access issue that was found in the LSI53C895A SCSI Host Bus Adapter emulation while writing a message in lsi_do_msgin. It could occur during migration if the 'msg_len' field has an invalid value. A user/process could use this flaw to crash the Qemu process resulting in DoS (bsc#1114422).
Non-security issues fixed:
- Improving disk performance for qemu on xen (bsc#1100408)
ModerateSUSE bug 1100408SUSE bug 1106222SUSE bug 1110910SUSE bug 1111006SUSE bug 1111010SUSE bug 1111013SUSE bug 1114422CVE-2018-10839 at SUSECVE-2018-10839 at NVDCVE-2018-15746 at SUSECVE-2018-15746 at NVDCVE-2018-17958 at SUSECVE-2018-17958 at NVDCVE-2018-17962 at SUSECVE-2018-17962 at NVDCVE-2018-17963 at SUSECVE-2018-17963 at NVDCVE-2018-18849 at SUSECVE-2018-18849 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tcpdump (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tcpdump fixes the following issues:
Security issues fixed:
- CVE-2018-19519: Fixed a stack-based buffer over-read in the print_prefix function (bsc#1117267)
ModerateSUSE bug 1117267CVE-2018-19519 at SUSECVE-2018-19519 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openldap2 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openldap2 fixes the following issues:
Security issue fixed:
- CVE-2017-17740: When both the nops module and the memberof overlay
are enabled, attempts to free a buffer that was allocated on the stack,
which allows remote attackers to cause a denial of service (slapd crash)
via a member MODDN operation. (bsc#1073313)
ModerateSUSE bug 1073313CVE-2017-17740 at SUSECVE-2017-17740 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libqt5-qtbase (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libqt5-qtbase fixes the following issues:
Security issues fixed:
- CVE-2018-15518: Fixed double free in QXmlStreamReader (bsc#1118595)
- CVE-2018-19873: Fixed Denial of Service on malformed BMP file in QBmpHandler (bsc#1118596)
ModerateSUSE bug 1118595SUSE bug 1118596CVE-2018-15518 at SUSECVE-2018-15518 at NVDCVE-2018-19873 at SUSECVE-2018-19873 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for bluez (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for bluez fixes the following issues:
Security issues fixed:
- CVE-2016-9800: Fixed a buffer overflow in the pin_code_reply_dump function (bsc#1013721)
- CVE-2016-9801: Fixed a buffer overflow in the set_ext_ctrl function (bsc#1013732)
ModerateSUSE bug 1013721SUSE bug 1013732CVE-2016-9800 at SUSECVE-2016-9800 at NVDCVE-2016-9801 at SUSECVE-2016-9801 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tiff (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tiff fixes the following issues:
Security issues fixed:
- CVE-2018-19210: Fixed NULL pointer dereference in the TIFFWriteDirectorySec function (bsc#1115717).
- CVE-2017-12944: Fixed denial of service issue in the TIFFReadDirEntryArray function (bsc#1054594).
- CVE-2016-10094: Fixed heap-based buffer overflow in the _tiffWriteProc function (bsc#1017693).
- CVE-2016-10093: Fixed heap-based buffer overflow in the _TIFFmemcpy function (bsc#1017693).
- CVE-2016-10092: Fixed heap-based buffer overflow in the TIFFReverseBits function (bsc#1017693).
- CVE-2016-6223: Fixed out-of-bounds read on memory-mapped files in TIFFReadRawStrip1() and TIFFReadRawTile1() (bsc#990460).
ModerateSUSE bug 1017693SUSE bug 1054594SUSE bug 1115717SUSE bug 990460CVE-2016-10092 at SUSECVE-2016-10092 at NVDCVE-2016-10093 at SUSECVE-2016-10093 at NVDCVE-2016-10094 at SUSECVE-2016-10094 at NVDCVE-2016-6223 at SUSECVE-2016-6223 at NVDCVE-2017-12944 at SUSECVE-2017-12944 at NVDCVE-2018-19210 at SUSECVE-2018-19210 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ovmf (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ovmf fixes the following issues:
Security issues fixed:
- CVE-2018-3613: Fixed AuthVariable Timestamp zeroing issue on APPEND_WRITE (bsc#1115916).
- CVE-2017-5731: Fixed privilege escalation via processing of malformed files in TianoCompress.c (bsc#1115917).
- CVE-2017-5732: Fixed privilege escalation via processing of malformed files in BaseUefiDecompressLib.c (bsc#1115917).
- CVE-2017-5733: Fixed privilege escalation via heap-based buffer overflow in MakeTable() function (bsc#1115917).
- CVE-2017-5734: Fixed privilege escalation via stack-based buffer overflow in MakeTable() function (bsc#1115917).
- CVE-2017-5735: Fixed privilege escalation via heap-based buffer overflow in Decode() function (bsc#1115917).
ModerateSUSE bug 1115916SUSE bug 1115917CVE-2017-5731 at SUSECVE-2017-5731 at NVDCVE-2017-5732 at SUSECVE-2017-5732 at NVDCVE-2017-5733 at SUSECVE-2017-5733 at NVDCVE-2017-5734 at SUSECVE-2017-5734 at NVDCVE-2017-5735 at SUSECVE-2017-5735 at NVDCVE-2018-3613 at SUSECVE-2018-3613 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox, mozilla-nspr and mozilla-nss (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues:
Issues fixed in MozillaFirefox:
- Update to Firefox ESR 60.4 (bsc#1119105)
- CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11
- CVE-2018-18492: Fixed a use-after-free with select element
- CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia
- CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries
to steal cross-origin URLs
- CVE-2018-18498: Fixed a integer overflow when calculating buffer sizes for images
- CVE-2018-12405: Fixed a few memory safety bugs
Issues fixed in mozilla-nss:
- Update to NSS 3.40.1 (bsc#1119105)
- CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069)
- CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an
SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. (bsc#1106873)
- CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410)
- Fixed a decryption failure during FFDHE key exchange
- Various security fixes in the ASN.1 code
Issues fixed in mozilla-nspr:
- Update mozilla-nspr to 4.20 (bsc#1119105)
ImportantSUSE bug 1097410SUSE bug 1106873SUSE bug 1119069SUSE bug 1119105CVE-2018-0495 at SUSECVE-2018-0495 at NVDCVE-2018-12384 at SUSECVE-2018-12384 at NVDCVE-2018-12404 at SUSECVE-2018-12404 at NVDCVE-2018-12405 at SUSECVE-2018-12405 at NVDCVE-2018-17466 at SUSECVE-2018-17466 at NVDCVE-2018-18492 at SUSECVE-2018-18492 at NVDCVE-2018-18493 at SUSECVE-2018-18493 at NVDCVE-2018-18494 at SUSECVE-2018-18494 at NVDCVE-2018-18498 at SUSECVE-2018-18498 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for mailman (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mailman fixes the following security vulnerabilities:
- Fixed a XSS vulnerability and information leak in user options CGI, which
could be used to execute arbitrary scripts in the user's browser via
specially encoded URLs (bsc#1077358 CVE-2018-5950)
- Fixed a directory traversal vulnerability in MTA transports when using the
recommended Mailman Transport for Exim (bsc#925502 CVE-2015-2775)
- Fixed a XSS vulnerability, which allowed malicious listowners to inject
scripts into the listinfo pages (bsc#1099510 CVE-2018-0618)
- Fixed arbitrary text injection vulnerability in several mailman CGIs
(CVE-2018-13796 bsc#1101288)
- Fixed a CSRF vulnerability on the user options page (CVE-2016-6893 bsc#995352)
ImportantSUSE bug 1077358SUSE bug 1099510SUSE bug 1101288SUSE bug 925502SUSE bug 995352CVE-2015-2775 at SUSECVE-2015-2775 at NVDCVE-2016-6893 at SUSECVE-2016-6893 at NVDCVE-2018-0618 at SUSECVE-2018-0618 at NVDCVE-2018-13796 at SUSECVE-2018-13796 at NVDCVE-2018-5950 at SUSECVE-2018-5950 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for wireshark (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for wireshark fixes the following issues:
Update to Wireshark 2.4.11 (bsc#1117740).
Security issues fixed:
- CVE-2018-19625: The Wireshark dissection engine could crash (wnpa-sec-2018-51)
- CVE-2018-19626: The DCOM dissector could crash (wnpa-sec-2018-52)
- CVE-2018-19623: The LBMPDM dissector could crash (wnpa-sec-2018-53)
- CVE-2018-19622: The MMSE dissector could go into an infinite loop (wnpa-sec-2018-54)
- CVE-2018-19627: The IxVeriWave file parser could crash (wnpa-sec-2018-55)
- CVE-2018-19624: The PVFS dissector could crash (wnpa-sec-2018-56)
Further bug fixes and updated protocol support as listed in:
- https://www.wireshark.org/docs/relnotes/wireshark-2.4.11.html
ModerateSUSE bug 1117740CVE-2018-19622 at SUSECVE-2018-19622 at NVDCVE-2018-19623 at SUSECVE-2018-19623 at NVDCVE-2018-19624 at SUSECVE-2018-19624 at NVDCVE-2018-19625 at SUSECVE-2018-19625 at NVDCVE-2018-19626 at SUSECVE-2018-19626 at NVDCVE-2018-19627 at SUSECVE-2018-19627 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
Security issue fixed:
- CVE-2019-8375: Fixed an issue in UIProcess subsystem which could allow the script dialog
size to exceed the web view size leading to Buffer Overflow or other unspecified impact (bsc#1126768).
ModerateSUSE bug 1126768CVE-2019-8375 at SUSECVE-2019-8375 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ImageMagick fixes the following issues:
Security issues fixed:
- CVE-2019-9956: Fixed a stack-based buffer overflow in PopHexPixel() (bsc#1130330).
- CVE-2019-10650: Fixed a heap-based buffer over-read in WriteTIFFImage() (bsc#1131317).
- CVE-2019-7175: Fixed multiple memory leaks in DecodeImage function (bsc#1128649).
- CVE-2018-20467: Fixed infinite loop in coders/bmp.c (bsc#1120381).
- CVE-2019-7398: Fixed a memory leak in the function WriteDIBImage (bsc#1124365).
- CVE-2019-7397: Fixed a memory leak in the function WritePDFImage (bsc#1124366).
- CVE-2019-7395: Fixed a memory leak in the function WritePSDChannel (bsc#1124368).
- CVE-2018-16413: Fixed a heap-based buffer over-read in PushShortPixel() (bsc#1106989).
- CVE-2018-16412: Fixed a heap-based buffer over-read in ParseImageResourceBlocks() (bsc#1106996).
- CVE-2018-16644: Fixed a regression in dcm coder (bsc#1107609).
- CVE-2019-11007: Fixed a heap-based buffer overflow in ReadMNGImage() (bsc#1132060).
- CVE-2019-11008: Fixed a heap-based buffer overflow in WriteXWDImage() (bsc#1132054).
- CVE-2019-11009: Fixed a heap-based buffer over-read in ReadXWDImage() (bsc#1132053).
- Added extra -config- packages with Postscript/EPS/PDF readers still enabled.
Removing the PS decoders is used to harden ImageMagick against security issues within
ghostscript. Enabling them might impact security. (bsc#1122033)
These are two packages that can be selected:
- ImageMagick-config-6-SUSE: This has the PS decoders disabled.
- ImageMagick-config-6-upstream: This has the PS decoders enabled.
Depending on your local needs install either one of them. The default is the -SUSE configuration.
ModerateSUSE bug 1106989SUSE bug 1106996SUSE bug 1107609SUSE bug 1120381SUSE bug 1122033SUSE bug 1124365SUSE bug 1124366SUSE bug 1124368SUSE bug 1128649SUSE bug 1130330SUSE bug 1131317SUSE bug 1132053SUSE bug 1132054SUSE bug 1132060CVE-2018-16412 at SUSECVE-2018-16412 at NVDCVE-2018-16413 at SUSECVE-2018-16413 at NVDCVE-2018-16644 at SUSECVE-2018-16644 at NVDCVE-2018-20467 at SUSECVE-2018-20467 at NVDCVE-2019-10650 at SUSECVE-2019-10650 at NVDCVE-2019-11007 at SUSECVE-2019-11007 at NVDCVE-2019-11008 at SUSECVE-2019-11008 at NVDCVE-2019-11009 at SUSECVE-2019-11009 at NVDCVE-2019-7175 at SUSECVE-2019-7175 at NVDCVE-2019-7395 at SUSECVE-2019-7395 at NVDCVE-2019-7397 at SUSECVE-2019-7397 at NVDCVE-2019-7398 at SUSECVE-2019-7398 at NVDCVE-2019-9956 at SUSECVE-2019-9956 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for samba (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for samba fixes the following issues:
Security issue fixed:
- CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060).
Non-security issues fixed:
- Fix vfs_ceph ftruncate and fallocate handling (bsc#1127153).
- Abide by load_printers smb.conf parameter (bsc#1124223).
- s3:winbindd: let normalize_name_map() call find_domain_from_name_noinit() (bsc#1123755).
- s3:passdb: Do not return OK if we don't have pinfo set up (bsc#1099590).
- s3:winbind: Fix regression (bsc#1123755).
ModerateSUSE bug 1099590SUSE bug 1123755SUSE bug 1124223SUSE bug 1127153SUSE bug 1131060CVE-2019-3880 at SUSECVE-2019-3880 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for wireshark (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for wireshark to version 2.4.14 fixes the following issues:
Security issues fixed:
- CVE-2019-10895: NetScaler file parser crash.
- CVE-2019-10899: SRVLOC dissector crash.
- CVE-2019-10894: GSS-API dissector crash.
- CVE-2019-10896: DOF dissector crash.
- CVE-2019-10901: LDSS dissector crash.
- CVE-2019-10903: DCERPC SPOOLSS dissector crash.
Non-security issue fixed:
- Update to version 2.4.14 (bsc#1131945).
ModerateSUSE bug 1131945CVE-2019-10894 at SUSECVE-2019-10894 at NVDCVE-2019-10895 at SUSECVE-2019-10895 at NVDCVE-2019-10896 at SUSECVE-2019-10896 at NVDCVE-2019-10899 at SUSECVE-2019-10899 at NVDCVE-2019-10901 at SUSECVE-2019-10901 at NVDCVE-2019-10903 at SUSECVE-2019-10903 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libvirt (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libvirt fixes the following issues:
Security issues fixed:
- CVE-2019-3840: Fixed a null pointer dereference vulnerability in virJSONValueObjectHasKey function which could
have resulted in a remote denial of service via the guest agent (bsc#1127458).
- CVE-2019-3886: Fixed an information leak which allowed to retrieve the guest
hostname under readonly mode (bsc#1131595).
Other issue addressed:
- cpu: add Skylake-Server and Skylake-Server-IBRS CPU models (FATE#327261, bsc#1131955)
- libxl: save current memory value after successful balloon (bsc#1120813).
- libxl: support Xen's max_grant_frames setting with maxGrantFrames attribute on the xenbus controller (bsc#1126325).
- conf: add new 'xenbus' controller type
ModerateSUSE bug 1120813SUSE bug 1126325SUSE bug 1127458SUSE bug 1131595SUSE bug 1131955CVE-2019-3840 at SUSECVE-2019-3840 at NVDCVE-2019-3886 at SUSECVE-2019-3886 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libssh2_org (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libssh2_org fixes the following issues:
- Incorrect upstream fix for CVE-2019-3859 broke public key authentication [bsc#1133528, bsc#1130103]
ImportantSUSE bug 1130103SUSE bug 1133528CVE-2019-3859 at SUSECVE-2019-3859 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for wpa_supplicant (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for wpa_supplicant fixes the following issues:
This security issue was fixed:
- CVE-2018-14526: Under certain conditions, the integrity of EAPOL-Key messages
was not checked, leading to a decryption oracle. An attacker within range of
the Access Point and client could have abused the vulnerability to recover
sensitive information (bsc#1104205).
This non-security issue was fixed:
- Enabled PWD as EAP method. This allows for password-based authentication,
which is easier to setup than most of the other methods, and is used by the
Eduroam network (bsc#1109209).
ModerateSUSE bug 1104205SUSE bug 1109209CVE-2018-14526 at SUSECVE-2018-14526 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for atftp (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for atftp fixes the following issues:
Security issues fixed:
- CVE-2019-11366: Fixed a denial of service caused by a NULL pointer dereference because thread_list_mutex was not locked (bsc#1133145).
- CVE-2019-11365: Fixed a buffer overflow which could lead to remote code execution caused by an insecure use of strncpy() (bsc#1133114).
ImportantSUSE bug 1133114SUSE bug 1133145CVE-2019-11365 at SUSECVE-2019-11365 at NVDCVE-2019-11366 at SUSECVE-2019-11366 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for krb5 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for krb5 fixes the following issues:
Security issue fixed:
- CVE-2018-20217: Fixed an assertion issue with older encryption types (bsc#1120489)
ImportantSUSE bug 1120489CVE-2018-20217 at SUSECVE-2018-20217 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libjpeg-turbo (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libjpeg-turbo fixes the following issues:
The following security vulnerabilities were addressed:
- CVE-2018-14498: Fixed a heap-based buffer over read in get_8bit_row function
which could allow to an attacker to cause denial of service (bsc#1128712).
- CVE-2018-11813: Fixed the end-of-file mishandling in read_pixel in rdtarga.c,
which allowed remote attackers to cause a denial-of-service via crafted JPG
files due to a large loop (bsc#1096209)
- CVE-2018-1152: Fixed a denial of service in start_input_bmp() rdbmp.c caused
by a divide by zero when processing a crafted BMP image (bsc#1098155)
ModerateSUSE bug 1096209SUSE bug 1098155SUSE bug 1128712CVE-2018-1152 at SUSECVE-2018-1152 at NVDCVE-2018-11813 at SUSECVE-2018-11813 at NVDCVE-2018-14498 at SUSECVE-2018-14498 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for hostinfo, supportutils (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for hostinfo, supportutils fixes the following issues:
Security issues fixed for supportutils:
- CVE-2018-19640: Fixed an issue where users could kill arbitrary processes (bsc#1118463).
- CVE-2018-19638: Fixed an issue where users could overwrite arbitrary log files (bsc#1118460).
- CVE-2018-19639: Fixed a code execution if run with -v (bsc#1118462).
- CVE-2018-19637: Fixed an issue where static temporary filename could allow overwriting of files (bsc#1117776).
- CVE-2018-19636: Fixed a local root exploit via inclusion of attacker controlled shell script (bsc#1117751).
Other issues fixed for supportutils:
- Fixed invalid exit code commands (bsc#1125666)
- SUSE separation in supportconfig (bsc#1125623)
- Clarified supportconfig(8) -x option (bsc#1115245)
- supportconfig: 3.0.127
- btrfs filesystem usage
- List products.d
- Dump lsof errors
- Added ha commands for corosync
- Dumped find errors in ib_info
Issues fixed in hostinfo:
- Removed extra kernel install dates (bsc#1099498)
- Resolved network bond issue (bsc#1054979)
ImportantSUSE bug 1054979SUSE bug 1099498SUSE bug 1115245SUSE bug 1117751SUSE bug 1117776SUSE bug 1118460SUSE bug 1118462SUSE bug 1118463SUSE bug 1125623SUSE bug 1125666CVE-2018-19636 at SUSECVE-2018-19636 at NVDCVE-2018-19637 at SUSECVE-2018-19637 at NVDCVE-2018-19638 at SUSECVE-2018-19638 at NVDCVE-2018-19639 at SUSECVE-2018-19639 at NVDCVE-2018-19640 at SUSECVE-2018-19640 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssl fixes the following issues:
- Reject invalid EC point coordinates (bsc#1131291)
This helps openssl using services that do not do this verification on their own.
ModerateSUSE bug 1131291cpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 to version 2.24.1 fixes the following issues:
Security issues fixed:
- CVE-2019-6201, CVE-2019-6251, CVE-2019-7285, CVE-2019-7292, CVE-2019-8503, CVE-2019-8506,
CVE-2019-8515, CVE-2019-8524, CVE-2019-8535, CVE-2019-8536, CVE-2019-8544, CVE-2019-8551,
CVE-2019-8558, CVE-2019-8559, CVE-2019-8563, CVE-2019-11070 (bsc#1132256).
ImportantSUSE bug 1132256CVE-2019-11070 at SUSECVE-2019-11070 at NVDCVE-2019-6201 at SUSECVE-2019-6201 at NVDCVE-2019-6251 at SUSECVE-2019-6251 at NVDCVE-2019-7285 at SUSECVE-2019-7285 at NVDCVE-2019-7292 at SUSECVE-2019-7292 at NVDCVE-2019-8503 at SUSECVE-2019-8503 at NVDCVE-2019-8506 at SUSECVE-2019-8506 at NVDCVE-2019-8515 at SUSECVE-2019-8515 at NVDCVE-2019-8524 at SUSECVE-2019-8524 at NVDCVE-2019-8535 at SUSECVE-2019-8535 at NVDCVE-2019-8536 at SUSECVE-2019-8536 at NVDCVE-2019-8544 at SUSECVE-2019-8544 at NVDCVE-2019-8551 at SUSECVE-2019-8551 at NVDCVE-2019-8558 at SUSECVE-2019-8558 at NVDCVE-2019-8559 at SUSECVE-2019-8559 at NVDCVE-2019-8563 at SUSECVE-2019-8563 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for audit (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for audit fixes the following issues:
Audit on SUSE Linux Enterprise 12 SP3 was updated to 2.8.1 to bring
new features and bugfixes. (bsc#1125535 FATE#326346)
* Many features were added to auparse_normalize
* cli option added to auditd and audispd for setting config dir
* In auditd, restore the umask after creating a log file
* Option added to auditd for skipping email verification
The full changelog can be found here: http://people.redhat.com/sgrubb/audit/ChangeLog
- Change openldap dependency to client only (bsc#1085003)
Minor security issue fixed:
- CVE-2015-5186: Audit: log terminal emulator escape sequences handling (bsc#941922)
ModerateSUSE bug 1042781SUSE bug 1085003SUSE bug 1125535SUSE bug 941922CVE-2015-5186 at SUSECVE-2015-5186 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for freeradius-server (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for freeradius-server fixes the following issues:
Security issues fixed:
- CVE-2019-11235: Fixed an authentication bypass related to the EAP-PWD Commit frame and insufficent validation of elliptic curve points (bsc#1132549).
- CVE-2019-11234: Fixed an authentication bypass caused by reflecting privous values back to the server (bsc#1132664).
ImportantSUSE bug 1132549SUSE bug 1132664CVE-2019-11234 at SUSECVE-2019-11234 at NVDCVE-2019-11235 at SUSECVE-2019-11235 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ovmf (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ovmf fixes the following issues:
Security issue fixed:
- CVE-2019-0161: Fixed a stack overflow in UsbBusDxe and UsbBusPei, which could
potentially be triggered by a local unauthenticated user (bsc#1131361).
ModerateSUSE bug 1131361CVE-2019-0161 at SUSECVE-2019-0161 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for sqlite3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for sqlite3 fixes the following issues:
Security issue fixed:
- CVE-2018-8740: Fixed a NULL pointer dereference related to corrupted databases schemas (bsc#1085790).
- CVE-2017-10989: Fixed a heap-based buffer over-read in getNodeSize() (bsc#1132045).
ModerateSUSE bug 1085790SUSE bug 1132045CVE-2017-10989 at SUSECVE-2017-10989 at NVDCVE-2018-8740 at SUSECVE-2018-8740 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for jakarta-commons-fileupload (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for jakarta-commons-fileupload fixes the following issue:
Security issue fixed:
- CVE-2016-1000031: Fixed remote execution (bsc#1128963, bsc#1128829).
ImportantSUSE bug 1128829SUSE bug 1128963CVE-2016-1000031 at SUSECVE-2016-1000031 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-openjdk to version 8u212 fixes the following issues:
Security issues fixed:
- CVE-2019-2602: Better String parsing (bsc#1132728).
- CVE-2019-2684: More dynamic RMI interactions (bsc#1132732).
- CVE-2019-2698: Fuzzing TrueType fonts - setCurrGlyphID() (bsc#1132729).
- CVE-2019-2422: Better FileChannel (bsc#1122293).
- CVE-2018-11212: Improve JPEG (bsc#1122299).
Non-Security issue fixed:
- Disable LTO (bsc#1133135).
- Added Japanese new era name.
ImportantSUSE bug 1122293SUSE bug 1122299SUSE bug 1132728SUSE bug 1132729SUSE bug 1132732SUSE bug 1133135CVE-2018-11212 at SUSECVE-2018-11212 at NVDCVE-2018-3639 at SUSECVE-2018-3639 at NVDCVE-2019-2422 at SUSECVE-2019-2422 at NVDCVE-2019-2426 at SUSECVE-2019-2426 at NVDCVE-2019-2602 at SUSECVE-2019-2602 at NVDCVE-2019-2684 at SUSECVE-2019-2684 at NVDCVE-2019-2698 at SUSECVE-2019-2698 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libxslt (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libxslt fixes the following issues:
- CVE-2019-11068: Fixed a protection mechanism bypass where callers of
xsltCheckRead() and xsltCheckWrite() would permit access upon receiving an
error (bsc#1132160).
ModerateSUSE bug 1132160CVE-2019-11068 at SUSECVE-2019-11068 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ucode-intel fixes the following issues:
This update contains the Intel QSR 2019.1 Microcode release (bsc#1111331)
Four new speculative execution information leak issues have been identified in Intel CPUs. (bsc#1111331)
- CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
- CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)
- CVE-2018-12130: Microarchitectural Load Port Data Samling (MLPDS)
- CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
These updates contain the CPU Microcode adjustments for the software mitigations.
For more information on this set of vulnerabilities, check out https://www.suse.com/support/kb/doc/?id=7023736
Release notes:
- Processor Identifier Version Products
- Model Stepping F-MO-S/PI Old->New
- ---- new platforms ----------------------------------------
- CLX-SP B1 6-55-7/bf 05000021 Xeon Scalable Gen2
- ---- updated platforms ------------------------------------
- SNB D2/G1/Q0 6-2a-7/12 0000002e->0000002f Core Gen2
- IVB E1/L1 6-3a-9/12 00000020->00000021 Core Gen3
- HSW C0 6-3c-3/32 00000025->00000027 Core Gen4
- BDW-U/Y E0/F0 6-3d-4/c0 0000002b->0000002d Core Gen5
- IVB-E/EP C1/M1/S1 6-3e-4/ed 0000042e->0000042f Core Gen3 X Series; Xeon E5 v2
- IVB-EX D1 6-3e-7/ed 00000714->00000715 Xeon E7 v2
- HSX-E/EP Cx/M1 6-3f-2/6f 00000041->00000043 Core Gen4 X series; Xeon E5 v3
- HSX-EX E0 6-3f-4/80 00000013->00000014 Xeon E7 v3
- HSW-U C0/D0 6-45-1/72 00000024->00000025 Core Gen4
- HSW-H C0 6-46-1/32 0000001a->0000001b Core Gen4
- BDW-H/E3 E0/G0 6-47-1/22 0000001e->00000020 Core Gen5
- SKL-U/Y D0/K1 6-4e-3/c0 000000c6->000000cc Core Gen6
- SKX-SP H0/M0/U0 6-55-4/b7 0200005a->0000005e Xeon Scalable
- SKX-D M1 6-55-4/b7 0200005a->0000005e Xeon D-21xx
- BDX-DE V1 6-56-2/10 00000019->0000001a Xeon D-1520/40
- BDX-DE V2/3 6-56-3/10 07000016->07000017 Xeon D-1518/19/21/27/28/31/33/37/41/48, Pentium D1507/08/09/17/19
- BDX-DE Y0 6-56-4/10 0f000014->0f000015 Xeon D-1557/59/67/71/77/81/87
- BDX-NS A0 6-56-5/10 0e00000c->0e00000d Xeon D-1513N/23/33/43/53
- APL D0 6-5c-9/03 00000036->00000038 Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
- SKL-H/S R0/N0 6-5e-3/36 000000c6->000000cc Core Gen6; Xeon E3 v5
- DNV B0 6-5f-1/01 00000024->0000002e Atom Processor C Series
- GLK B0 6-7a-1/01 0000002c->0000002e Pentium Silver N/J5xxx, Celeron N/J4xxx
- AML-Y22 H0 6-8e-9/10 0000009e->000000b4 Core Gen8 Mobile
- KBL-U/Y H0 6-8e-9/c0 0000009a->000000b4 Core Gen7 Mobile
- CFL-U43e D0 6-8e-a/c0 0000009e->000000b4 Core Gen8 Mobile
- WHL-U W0 6-8e-b/d0 000000a4->000000b8 Core Gen8 Mobile
- WHL-U V0 6-8e-d/94 000000b2->000000b8 Core Gen8 Mobile
- KBL-G/H/S/E3 B0 6-9e-9/2a 0000009a->000000b4 Core Gen7; Xeon E3 v6
- CFL-H/S/E3 U0 6-9e-a/22 000000aa->000000b4 Core Gen8 Desktop, Mobile, Xeon E
- CFL-S B0 6-9e-b/02 000000aa->000000b4 Core Gen8
- CFL-H/S P0 6-9e-c/22 000000a2->000000ae Core Gen9
ImportantSUSE bug 1111331CVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for qemu (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for qemu fixes the following issues:
- CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091: Added x86 cpu feature 'md-clear' (bsc#1111331)
ImportantSUSE bug 1111331CVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
Four new speculative execution information leak issues have been identified in Intel CPUs. (bsc#1111331)
- CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
- CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)
- CVE-2018-12130: Microarchitectural Load Port Data Samling (MLPDS)
- CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
These updates contain the XEN Hypervisor adjustments, that additionaly also use CPU Microcode updates.
The mitigation can be controlled via the 'mds' commandline option, see the documentation.
For more information on this set of vulnerabilities, check out https://www.suse.com/support/kb/doc/?id=7023736
Security issue fixed:
- CVE-2018-20815: Fixed a heap buffer overflow while loading device tree blob (bsc#1130680)
Other fixes:
- Added code to change LIBXL_HOTPLUG_TIMEOUT at runtime.
The included README has details about the impact of this change (bsc#1120095)
ImportantSUSE bug 1027519SUSE bug 1111331SUSE bug 1120095SUSE bug 1130680CVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2018-20815 at SUSECVE-2018-20815 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for systemd (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for systemd fixes the following issues:
Security issues fixed:
- CVE-2018-6954: Fixed a vulnerability in the symlink handling of systemd-tmpfiles
which allowed a local user to obtain ownership of arbitrary files (bsc#1080919).
- CVE-2019-3842: Fixed a vulnerability in pam_systemd which allowed a local user to escalate privileges (bsc#1132348).
- CVE-2019-6454: Fixed a denial of service caused by long dbus messages (bsc#1125352).
Non-security issues fixed:
- systemd-coredump: generate a stack trace of all core dumps (jsc#SLE-5933)
- udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400)
- sd-bus: bump message queue size again (bsc#1132721)
- core: only watch processes when it's really necessary (bsc#955942 bsc#1128657)
- rules: load drivers only on 'add' events (bsc#1126056)
- sysctl: Don't pass null directive argument to '%s' (bsc#1121563)
- Do not automatically online memory on s390x (bsc#1127557)
ImportantSUSE bug 1080919SUSE bug 1121563SUSE bug 1125352SUSE bug 1126056SUSE bug 1127557SUSE bug 1128657SUSE bug 1130230SUSE bug 1132348SUSE bug 1132400SUSE bug 1132721SUSE bug 955942CVE-2018-6954 at SUSECVE-2018-6954 at NVDCVE-2019-3842 at SUSECVE-2019-3842 at NVDCVE-2019-6454 at SUSECVE-2019-6454 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for PackageKit (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for PackageKit fixes the following issues:
- Fixed displaying the license agreement pop up window during package update (bsc#1038425).
ModerateSUSE bug 1038425cpe:/o:suse:sles_teradata:12:sp3Security update for nmap (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for nmap fixes the following issues:
Security issue fixed:
- CVE-2018-15173: Fixed a remote denial of service attack via a crafted TCP-based service (bsc#1104139).
ModerateSUSE bug 1104139CVE-2018-15173 at SUSECVE-2018-15173 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ucode-intel fixes the following issues:
ucode-intel was updated to official QSR 2019.1 microcode release (bsc#1111331
CVE-2018-12126 CVE-2018-12130 CVE-2018-12127 CVE-2019-11091)
---- new platforms ----------------------------------------
VLV C0 6-37-8/02 00000838 Atom Z series
VLV C0 6-37-8/0C 00000838 Celeron N2xxx, Pentium N35xx
VLV D0 6-37-9/0F 0000090c Atom E38xx
CHV C0 6-4c-3/01 00000368 Atom X series
CHV D0 6-4c-4/01 00000411 Atom X series
Readded Broadwell CPU ucode that was missing in last update:
BDX-ML B0/M0/R0 6-4f-1/ef 0b00002e->00000036 Xeon E5/E7 v4; Core i7-69xx/68xx
ImportantSUSE bug 1111331CVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openssh (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssh fixes the following issues:
Security issue fixed:
- CVE-2018-20685: Fixed an issue where scp client allows remote SSH servers to bypass intended access restrictions (bsc#1121571)
- CVE-2019-6109: Fixed an issue where the scp client would allow malicious remote SSH servers to manipulate terminal output via the object name, e.g. by inserting ANSI escape sequences (bsc#1121816)
- CVE-2019-6110: Fixed an issue where the scp client would allow malicious remote SSH servers to manipulate stderr output, e.g. by inserting ANSI escape sequences (bsc#1121818)
- CVE-2019-6111: Fixed an issue where the scp client would allow malicious remote SSH servers to execute directory traversal attacks and overwrite files (bsc#1121821)
ImportantSUSE bug 1121571SUSE bug 1121816SUSE bug 1121818SUSE bug 1121821CVE-2018-20685 at SUSECVE-2018-20685 at NVDCVE-2019-6109 at SUSECVE-2019-6109 at NVDCVE-2019-6110 at SUSECVE-2019-6110 at NVDCVE-2019-6111 at SUSECVE-2019-6111 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for sysstat (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for sysstat fixes the following issues:
Security issues fixed:
- CVE-2018-19416: Fixed out-of-bounds read during a memmove call inside the remap_struct function (bsc#1117001).
- CVE-2018-19517: Fixed out-of-bounds read during a memset call inside the remap_struct function (bsc#1117260).
LowSUSE bug 1117001SUSE bug 1117260CVE-2018-19416 at SUSECVE-2018-19416 at NVDCVE-2018-19517 at SUSECVE-2018-19517 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for bluez (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for bluez fixes the following issues:
Security vulnerability addressed:
- CVE-2016-9797: Fixed a buffer over-read in l2cap_dump() (bsc#1013708).
- CVE-2016-9798: Fixed a use-after-free in conf_opt() (bsc#1013712).
- CVE-2016-9917: Fixed a heap-based buffer overflow in read_n() (bsc#1015171).
- CVE-2016-9802: Fixed a buffer over-read in l2cap_packet() (bsc#1013893).
- CVE-2016-9918: Fixed an out-of-bounds stack read in packet_hexdump(),
which could be triggered by processing a corrupted dump file and will result
in a crash of the hcidump tool (bsc#1015173)
ModerateSUSE bug 1013708SUSE bug 1013712SUSE bug 1013893SUSE bug 1015171SUSE bug 1015173CVE-2016-9797 at SUSECVE-2016-9797 at NVDCVE-2016-9798 at SUSECVE-2016-9798 at NVDCVE-2016-9802 at SUSECVE-2016-9802 at NVDCVE-2016-9917 at SUSECVE-2016-9917 at NVDCVE-2016-9918 at SUSECVE-2016-9918 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_7_1-ibm fixes the following issues:
Update to Java 7.1 Service Refresh 4 Fix Pack 45.
Security issues fixed:
- CVE-2019-10245: Fixed Java bytecode verifier issue causing crashes (bsc#1134718).
- CVE-2019-2698: Fixed out of bounds access flaw in the 2D component (bsc#1132729).
- CVE-2019-2697: Fixed flaw inside the 2D component (bsc#1132734).
- CVE-2019-2602: Fixed flaw inside BigDecimal implementation (Component: Libraries) (bsc#1132728).
- CVE-2019-2684: Fixed flaw was found in the RMI registry implementation (bsc#1132732).
ImportantSUSE bug 1132728SUSE bug 1132729SUSE bug 1132732SUSE bug 1132734SUSE bug 1134718CVE-2019-10245 at SUSECVE-2019-10245 at NVDCVE-2019-2602 at SUSECVE-2019-2602 at NVDCVE-2019-2684 at SUSECVE-2019-2684 at NVDCVE-2019-2697 at SUSECVE-2019-2697 at NVDCVE-2019-2698 at SUSECVE-2019-2698 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for systemd (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for systemd provides the following fixes:
Security issues fixed:
- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323)
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
- Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971)
Non-security issues fixed:
- core: Queue loading transient units after setting their properties. (bsc#1115518)
- logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591)
- terminal-util: introduce vt_release() and vt_restore() helpers.
- terminal: Unify code for resetting kbd utf8 mode a bit.
- terminal Reset should honour default_utf8 kernel setting.
- logind: Make session_restore_vt() static.
- udev: Downgrade message when settting inotify watch up fails. (bsc#1005023)
- log: Never log into foreign fd #2 in PID 1 or its pre-execve() children. (bsc#1114981)
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3,
80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to
detect non-zvm environment. The systemd-detect-virt returns exit failure code when it
detected _none_ state. The exit failure code causes that the hot-add memory block can
not be set to online. (bsc#1076696)
ModerateSUSE bug 1005023SUSE bug 1076696SUSE bug 1101591SUSE bug 1114981SUSE bug 1115518SUSE bug 1119971SUSE bug 1120323CVE-2018-16864 at SUSECVE-2018-16864 at NVDCVE-2018-16865 at SUSECVE-2018-16865 at NVDCVE-2018-16866 at SUSECVE-2018-16866 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for screen (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for screen fixes the following issues:
Security issue fixed:
- CVE-2015-6806: Fixed a stack overflow due to deep recursion (bsc#944458).
Non-security issue fixed:
- Fixed segmentation faults related to altscreen and resizing screen (bsc#1130831).
ModerateSUSE bug 1130831SUSE bug 944458CVE-2015-6806 at SUSECVE-2015-6806 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for curl (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for curl fixes the following issues:
Security issue fixed:
- CVE-2019-5436: Fixed a heap buffer overflow exists in tftp_receive_packet that receives data from a TFTP server (bsc#1135170).
ImportantSUSE bug 1135170CVE-2019-5436 at SUSECVE-2019-5436 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libtasn1 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libtasn1 fixes the following issues:
Security issues fixed:
- CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).
- CVE-2017-6891: Fixed a stack overflow in asn1_find_node() (bsc#1040621).
ModerateSUSE bug 1040621SUSE bug 1105435CVE-2017-6891 at SUSECVE-2017-6891 at NVDCVE-2018-1000654 at SUSECVE-2018-1000654 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for wireshark (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for wireshark to version 2.4.12 fixes the following issues:
Security issues fixed:
- CVE-2019-5717: Fixed a denial of service in the P_MUL dissector (bsc#1121232)
- CVE-2019-5718: Fixed a denial of service in the RTSE dissector and other dissectors (bsc#1121233)
- CVE-2019-5719: Fixed a denial of service in the ISAKMP dissector (bsc#1121234)
- CVE-2019-5721: Fixed a denial of service in the ISAKMP dissector (bsc#1121235)
ModerateSUSE bug 1121232SUSE bug 1121233SUSE bug 1121234SUSE bug 1121235CVE-2019-5717 at SUSECVE-2019-5717 at NVDCVE-2019-5718 at SUSECVE-2019-5718 at NVDCVE-2019-5719 at SUSECVE-2019-5719 at NVDCVE-2019-5721 at SUSECVE-2019-5721 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for axis (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for axis fixes the following issues:
Security issue fixed:
- CVE-2012-5784, CVE-2014-3596: Fixed missing connection hostname check against X.509 certificate name (bsc#1134598).
ModerateSUSE bug 1134598CVE-2012-5784 at SUSECVE-2012-5784 at NVDCVE-2014-3596 at SUSECVE-2014-3596 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Security issues fixed:
- CVE-2019-11691: Use-after-free in XMLHttpRequest
- CVE-2019-11692: Use-after-free removing listeners in the event listener manager
- CVE-2019-11693: Buffer overflow in WebGL bufferdata on Linux
- CVE-2019-11694: Uninitialized memory memory leakage in Windows sandbox
- CVE-2019-11698: Theft of user history data through drag and drop of hyperlinks to and from bookmarks
- CVE-2019-7317: Use-after-free in png_image_free of libpng library
- CVE-2019-9800: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7
- CVE-2019-9815: Disable hyperthreading on content JavaScript threads on macOS
- CVE-2019-9816: Type confusion with object groups and UnboxedObjects
- CVE-2019-9817: Stealing of cross-domain images using canvas
- CVE-2019-9818: Use-after-free in crash generation server
- CVE-2019-9819: Compartment mismatch with fetch API
- CVE-2019-9820: Use-after-free of ChromeEventHandler by DocShell
Non-security issues fixed:
- Font and date adjustments to accommodate the new Reiwa era in Japan
- Update to Firefox ESR 60.7 (bsc#1135824)
ImportantSUSE bug 1135824CVE-2019-11691 at SUSECVE-2019-11691 at NVDCVE-2019-11692 at SUSECVE-2019-11692 at NVDCVE-2019-11693 at SUSECVE-2019-11693 at NVDCVE-2019-11694 at SUSECVE-2019-11694 at NVDCVE-2019-11698 at SUSECVE-2019-11698 at NVDCVE-2019-7317 at SUSECVE-2019-7317 at NVDCVE-2019-9800 at SUSECVE-2019-9800 at NVDCVE-2019-9815 at SUSECVE-2019-9815 at NVDCVE-2019-9816 at SUSECVE-2019-9816 at NVDCVE-2019-9817 at SUSECVE-2019-9817 at NVDCVE-2019-9818 at SUSECVE-2019-9818 at NVDCVE-2019-9819 at SUSECVE-2019-9819 at NVDCVE-2019-9820 at SUSECVE-2019-9820 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gnome-shell (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gnome-shell fixes the following issues:
Security issue fixed:
- CVE-2019-3820: Fixed a partial lock screen bypass (bsc#1124493).
Fixed bugs:
- Remove sessionList of endSessionDialog for security reasons (jsc#SLE-6660).
ModerateSUSE bug 1124493CVE-2019-3820 at SUSECVE-2019-3820 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_7_0-openjdk (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_7_0-openjdk fixes the following issues:
Update to 2.6.18 - OpenJDK 7u221 (April 2019 CPU)
Security issues fixed:
- CVE-2019-2602: Fixed flaw inside BigDecimal implementation (Component: Libraries) (bsc#1132728).
- CVE-2019-2684: Fixed flaw inside the RMI registry implementation (bsc#1132732).
- CVE-2019-2698: Fixed out of bounds access flaw in the 2D component (bsc#1132729).
- CVE-2019-2422: Fixed memory disclosure in FileChannelImpl (bsc#1122293).
- CVE-2018-11212: Fixed a Divide By Zero in alloc_sarray function in jmemmgr.c (bsc#1122299).
- CVE-2019-2426: Improve web server connections (bsc#1134297).
Bug fixes:
- Please check the package Changelog for detailed information.
ModerateSUSE bug 1122293SUSE bug 1122299SUSE bug 1132728SUSE bug 1132729SUSE bug 1132732SUSE bug 1134297CVE-2018-11212 at SUSECVE-2018-11212 at NVDCVE-2019-2422 at SUSECVE-2019-2422 at NVDCVE-2019-2426 at SUSECVE-2019-2426 at NVDCVE-2019-2602 at SUSECVE-2019-2602 at NVDCVE-2019-2684 at SUSECVE-2019-2684 at NVDCVE-2019-2698 at SUSECVE-2019-2698 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for apache2-mod_jk (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for apache2-mod_jk fixes the following issue:
Security issue fixed:
- CVE-2018-11759: Fixed connector path traversal due to mishandled HTTP requests in httpd (bsc#1114612).
ImportantSUSE bug 1114612CVE-2018-11759 at SUSECVE-2018-11759 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for bind (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for bind fixes the following issues:
Security issues fixed:
- CVE-2018-5740: Fixed a denial of service vulnerability in the 'deny-answer-aliases' feature (bsc#1104129).
- CVE-2019-6465: Fixed an issue where controls for zone transfers may not be properly applied to Dynamically Loadable Zones (bsc#1126069).
- CVE-2018-5745: An assertion failure can occur if a trust anchor rolls over to an unsupported key algorithm when using managed-keys. (bsc#1126068)
- CVE-2018-5743: Limiting simultaneous TCP clients is ineffective. (bsc#1133185)
ImportantSUSE bug 1104129SUSE bug 1126068SUSE bug 1126069SUSE bug 1133185CVE-2018-5740 at SUSECVE-2018-5740 at NVDCVE-2018-5743 at SUSECVE-2018-5743 at NVDCVE-2018-5745 at SUSECVE-2018-5745 at NVDCVE-2019-6465 at SUSECVE-2019-6465 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python fixes the following issues:
Security issues fixed:
- CVE-2019-9948: Fixed a 'file:' blacklist bypass in URIs by using the 'local-file:' scheme instead (bsc#1130847).
- CVE-2019-9636: Fixed an information disclosure because of incorrect handling of Unicode encoding during NFKC normalization (bsc#1129346).
ImportantSUSE bug 1129346SUSE bug 1130847CVE-2019-9636 at SUSECVE-2019-9636 at NVDCVE-2019-9948 at SUSECVE-2019-9948 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ghostscript (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ghostscript to version 9.26a fixes the following issues:
Security issue fixed:
- CVE-2019-6116: subroutines within pseudo-operators must themselves be pseudo-operators (bsc#1122319)
ImportantSUSE bug 1122319CVE-2019-6116 at SUSECVE-2019-6116 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for vim (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for vim fixes the following issue:
Security issue fixed:
- CVE-2019-12735: Fixed a potential arbitrary code execution vulnerability in getchar.c (bsc#1137443).
ImportantSUSE bug 1137443CVE-2019-12735 at SUSECVE-2019-12735 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 to version 2.22.5 fixes the following issues:
Security issues fixed:
- CVE-2018-4438: Fixed a logic issue which lead to memory corruption (bsc#1119554)
- CVE-2018-4437, CVE-2018-4441, CVE-2018-4442, CVE-2018-4443, CVE-2018-4464:
Fixed multiple memory corruption issues with improved memory handling
(bsc#1119553, bsc#1119555, bsc#1119556, bsc#1119557, bsc#1119558)
ImportantSUSE bug 1119553SUSE bug 1119554SUSE bug 1119555SUSE bug 1119556SUSE bug 1119557SUSE bug 1119558CVE-2018-4437 at SUSECVE-2018-4437 at NVDCVE-2018-4438 at SUSECVE-2018-4438 at NVDCVE-2018-4441 at SUSECVE-2018-4441 at NVDCVE-2018-4442 at SUSECVE-2018-4442 at NVDCVE-2018-4443 at SUSECVE-2018-4443 at NVDCVE-2018-4464 at SUSECVE-2018-4464 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libcroco (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libcroco fixes the following issues:
Security issues fixed:
- CVE-2017-7960: Fixed heap overflow (input: check end of input before reading a byte) (bsc#1034481).
- CVE-2017-7961: Fixed undefined behavior (tknzr: support only max long rgb values) (bsc#1034482).
- CVE-2017-8834: Fixed denial of service (memory allocation error) via a crafted CSS file (bsc#1043898).
- CVE-2017-8871: Fixed denial of service (infinite loop and CPU consumption) via a crafted CSS file (bsc#1043899).
ModerateSUSE bug 1034481SUSE bug 1034482SUSE bug 1043898SUSE bug 1043899CVE-2017-7960 at SUSECVE-2017-7960 at NVDCVE-2017-7961 at SUSECVE-2017-7961 at NVDCVE-2017-8834 at SUSECVE-2017-8834 at NVDCVE-2017-8871 at SUSECVE-2017-8871 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for sssd (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for sssd fixes the following issues:
Security issue fixed:
- CVE-2018-16838: Fixed an authentication bypass related to the Group Policy Objects implementation (bsc#1124194).
Non-security issue fixed:
- Create directory to download and cache GPOs (bsc#1132879)
ModerateSUSE bug 1124194SUSE bug 1132879CVE-2018-16838 at SUSECVE-2018-16838 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql10 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql10 fixes the following issues:
Security issue fixed:
- CVE-2019-10130: Prevent row-level security policies from being bypassed via selectivity estimators (bsc#1134689).
Bug fixes:
- For a complete list of fixes check the release notes.
* https://www.postgresql.org/docs/10/release-10-8.html
* https://www.postgresql.org/docs/10/release-10-7.html
ModerateSUSE bug 1134689CVE-2019-10130 at SUSECVE-2019-10130 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openssh (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssh fixes the following issues:
Security vulnerabilities addressed:
- CVE-2019-6109: Fixed an character encoding issue in the progress display of
the scp client that could be used to manipulate client output, allowing
for spoofing during file transfers (bsc#1121816).
- CVE-2019-6111: Properly validate object names received by the scp client to
prevent arbitrary file overwrites when interacting with a malicious SSH server
(bsc#1121821).
Other issues fixed:
- Fixed two race conditions in sshd relating to SIGHUP (bsc#1119183).
- Returned proper reason for port forwarding failures (bsc#1090671).
- Fixed a double free() in the KDF CAVS testing tool (bsc#1065237).
ModerateSUSE bug 1065237SUSE bug 1090671SUSE bug 1119183SUSE bug 1121816SUSE bug 1121821SUSE bug 1131709CVE-2019-6109 at SUSECVE-2019-6109 at NVDCVE-2019-6111 at SUSECVE-2019-6111 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libvirt (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libvirt fixes the following issues:
Four new speculative execution information leak issues have been identified in Intel CPUs. (bsc#1111331)
- CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
- CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)
- CVE-2018-12130: Microarchitectural Load Port Data Sampling (MLPDS)
- CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
These updates contain the libvirt adjustments, that pass through the new 'md-clear' CPU flag (bsc#1135273).
For more information on this set of vulnerabilities, check out https://www.suse.com/support/kb/doc/?id=7023736
ImportantSUSE bug 1111331SUSE bug 1135273CVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gstreamer-plugins-base (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gstreamer-plugins-base fixes the following issue:
Security issue fixed:
- CVE-2019-9928: Fixed a heap-based overflow in the rtsp connection parser (bsc#1133375).
ImportantSUSE bug 1133375CVE-2019-9928 at SUSECVE-2019-9928 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for sqlite3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for sqlite3 fixes the following issues:
Security issue fixed:
- CVE-2019-8457: Fixed a Heap out-of-bound read in rtreenode() when handling invalid rtree tables (bsc#1136976).
ImportantSUSE bug 1136976CVE-2019-8457 at SUSECVE-2019-8457 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libssh2_org (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libssh2_org fixes the following issues:
- Fix the previous fix for CVE-2019-3860 (bsc#1136570, bsc#1128481)
(Out-of-bounds reads with specially crafted SFTP packets)
ModerateSUSE bug 1128481SUSE bug 1136570CVE-2019-3860 at SUSECVE-2019-3860 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for wireshark (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for wireshark to version 2.4.15 fixes the following issues:
Security issue fixed:
- Fixed a denial of service in the dissection engine (bsc#1136021).
ModerateSUSE bug 1136021cpe:/o:suse:sles_teradata:12:sp3Recommended update for MozillaFirefox (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox to version 60.7.1 fixes the following issues:
Security issue fixed:
- CVE-2019-11707: Fixed a type confusion vulnerability in Arrary.pop (bsc#1138614)
Other issue addressed:
- Fixed broken language plugins (bsc#1137792)
ModerateSUSE bug 1137792SUSE bug 1138614CVE-2019-11707 at SUSECVE-2019-11707 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-ibm fixes the following issues:
Update to Java 8.0 Service Refresh 5 Fix Pack 35.
Security issues fixed:
- CVE-2019-10245: Fixed Java bytecode verifier issue causing crashes (bsc#1134718).
- CVE-2019-2698: Fixed out of bounds access flaw in the 2D component (bsc#1132729).
- CVE-2019-2697: Fixed flaw inside the 2D component (bsc#1132734).
- CVE-2019-2602: Fixed flaw inside BigDecimal implementation (Component: Libraries) (bsc#1132728).
- CVE-2019-2684: Fixed flaw was found in the RMI registry implementation (bsc#1132732).
ImportantSUSE bug 1132728SUSE bug 1132729SUSE bug 1132732SUSE bug 1132734SUSE bug 1134718CVE-2019-10245 at SUSECVE-2019-10245 at NVDCVE-2019-2602 at SUSECVE-2019-2602 at NVDCVE-2019-2684 at SUSECVE-2019-2684 at NVDCVE-2019-2697 at SUSECVE-2019-2697 at NVDCVE-2019-2698 at SUSECVE-2019-2698 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for netpbm (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for netpbm fixes the following issues:
Security issues fixed:
- CVE-2018-8975: The pm_mallocarray2 function allowed remote attackers to cause
a denial of service (heap-based buffer over-read) via a crafted image file (bsc#1086777).
- CVE-2017-2579: Fixed out-of-bounds read in expandCodeOntoStack() (bsc#1024288).
- CVE-2017-2580: Fixed out-of-bounds write of heap data in addPixelToRaster() function (bsc#1024291).
- create netpbm-vulnerable subpackage and move pstopnm there (bsc#1136936)
ModerateSUSE bug 1024288SUSE bug 1024291SUSE bug 1086777SUSE bug 1136936CVE-2017-2579 at SUSECVE-2017-2579 at NVDCVE-2017-2580 at SUSECVE-2017-2580 at NVDCVE-2018-8975 at SUSECVE-2018-8975 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
- Mozilla Firefox Firefox 60.7.2
MFSA 2019-19 (bsc#1138872)
- CVE-2019-11708: Fix sandbox escape using Prompt:Open.
* Insufficient vetting of parameters passed with the Prompt:Open IPC
message between child and parent processes could result in the non-sandboxed
parent process opening web content chosen by a compromised child process.
When combined with additional vulnerabilities this could result in executing
arbitrary code on the user's computer.
ImportantSUSE bug 1138872CVE-2019-11708 at SUSECVE-2019-11708 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql96 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql96 fixes the following issues:
Security issue fixed:
- CVE-2019-10130: Prevent row-level security policies from being bypassed via selectivity estimators (bsc#1134689).
ModerateSUSE bug 1134689CVE-2019-10130 at SUSECVE-2019-10130 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ImageMagick fixes the following issues:
Security issues fixed:
- CVE-2019-11597: Fixed a heap-based buffer over-read in the WriteTIFFImage() (bsc#1138464).
- Fixed a file content disclosure via SVG and WMF decoding (bsc#1138425).- CVE-2019-11472: Fixed a denial of service in ReadXWDImage() (bsc#1133204).
- CVE-2019-11470: Fixed a denial of service in ReadCINImage() (bsc#1133205).
- CVE-2019-11506: Fixed a heap-based buffer overflow in the WriteMATLABImage() (bsc#1133498).
- CVE-2019-11505: Fixed a heap-based buffer overflow in the WritePDBImage() (bsc#1133501).
- CVE-2019-10131: Fixed a off-by-one read in formatIPTCfromBuffer function in coders/meta.c (bsc#1134075).
- CVE-2017-12806: Fixed a denial of service through memory exhaustion in format8BIM() (bsc#1135232).
- CVE-2017-12805: Fixed a denial of service through memory exhaustion in ReadTIFFImage() (bsc#1135236).
- CVE-2019-11598: Fixed a heap-based buffer over-read in WritePNMImage() (bsc#1136732)
We also now disable PCL in the -SUSE configuration, as it also uses ghostscript for decoding (bsc#1136183)
ModerateSUSE bug 1133204SUSE bug 1133205SUSE bug 1133498SUSE bug 1133501SUSE bug 1134075SUSE bug 1135232SUSE bug 1135236SUSE bug 1136183SUSE bug 1136732SUSE bug 1138425SUSE bug 1138464CVE-2017-12805 at SUSECVE-2017-12805 at NVDCVE-2017-12806 at SUSECVE-2017-12806 at NVDCVE-2019-10131 at SUSECVE-2019-10131 at NVDCVE-2019-11470 at SUSECVE-2019-11470 at NVDCVE-2019-11472 at SUSECVE-2019-11472 at NVDCVE-2019-11505 at SUSECVE-2019-11505 at NVDCVE-2019-11506 at SUSECVE-2019-11506 at NVDCVE-2019-11597 at SUSECVE-2019-11597 at NVDCVE-2019-11598 at SUSECVE-2019-11598 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for dnsmasq (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for dnsmasq fixes the following issues:
Security issue fixed:
- CVE-2017-15107: Fixed a vulnerability in DNSSEC implementation. Processing of
wildcard synthesized NSEC records may result improper validation for non-existance. (bsc#1076958)
Non-security issue fixed:
- Reload system dbus to pick up policy change on install (bsc#1054429).
ModerateSUSE bug 1054429SUSE bug 1076958CVE-2017-15107 at SUSECVE-2017-15107 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for glib2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for glib2 provides the following fix:
Security issues fixed:
- CVE-2019-12450: Fixed an improper file permission when copy operation
takes place (bsc#1137001).
- CVE-2018-16428: Avoid a null pointer dereference that could crash glib2 users in markup processing (bnc#1107121).
- CVE-2018-16429: Fixed out-of-bounds read vulnerability ing_markup_parse_context_parse() (bsc#1107116).
Non-security issues fixed:
- Install dummy *-mimeapps.list files to prevent dead symlinks. (bsc#1061599)
ImportantSUSE bug 1061599SUSE bug 1107116SUSE bug 1107121SUSE bug 1137001CVE-2018-16428 at SUSECVE-2018-16428 at NVDCVE-2018-16429 at SUSECVE-2018-16429 at NVDCVE-2019-12450 at SUSECVE-2019-12450 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for elfutils (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for elfutils fixes the following issues:
Security issues fixed:
- CVE-2018-16403: Fixed a heap-based buffer over-read that could have led to Denial of Service (bsc#1107067).
- CVE-2016-10254: Fixed a memory allocation failure in alloxate_elf (bsc#1030472).
- CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007).
- CVE-2016-10255: Fixed a memory allocation failure in libelf_set_rawdata_wrlock (bsc#1030476).
- CVE-2019-7150: Added a missing check in dwfl_segment_report_module which could have allowed truncated files
to be read (bsc#1123685).
- CVE-2018-16062: Fixed a heap-buffer-overflow (bsc#1106390).
- CVE-2017-7611: Fixed a heap-based buffer over-read that could have led to Denial of Service (bsc#1033088).
- CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections
and the number of segments in a crafted ELF file (bsc#1033090).
- CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084).
- CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085).
- CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087).
- CVE-2018-18521: Fixed multiple divide-by-zero vulnerabilities in function arlib_add_symbols() (bsc#1112723).
- CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089).
- CVE-2018-18310: Fixed an invalid address read in dwfl_segment_report_module.c (bsc#1111973).
- CVE-2018-18520: Fixed bad handling of ar files inside are files (bsc#1112726).
LowSUSE bug 1030472SUSE bug 1030476SUSE bug 1033084SUSE bug 1033085SUSE bug 1033087SUSE bug 1033088SUSE bug 1033089SUSE bug 1033090SUSE bug 1106390SUSE bug 1107067SUSE bug 1111973SUSE bug 1112723SUSE bug 1112726SUSE bug 1123685SUSE bug 1125007CVE-2016-10254 at SUSECVE-2016-10254 at NVDCVE-2016-10255 at SUSECVE-2016-10255 at NVDCVE-2017-7607 at SUSECVE-2017-7607 at NVDCVE-2017-7608 at SUSECVE-2017-7608 at NVDCVE-2017-7610 at SUSECVE-2017-7610 at NVDCVE-2017-7611 at SUSECVE-2017-7611 at NVDCVE-2017-7612 at SUSECVE-2017-7612 at NVDCVE-2017-7613 at SUSECVE-2017-7613 at NVDCVE-2018-16062 at SUSECVE-2018-16062 at NVDCVE-2018-16403 at SUSECVE-2018-16403 at NVDCVE-2018-18310 at SUSECVE-2018-18310 at NVDCVE-2018-18520 at SUSECVE-2018-18520 at NVDCVE-2018-18521 at SUSECVE-2018-18521 at NVDCVE-2019-7150 at SUSECVE-2019-7150 at NVDCVE-2019-7665 at SUSECVE-2019-7665 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql10 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql10 to version 10.9 fixes the following issue:
Security issue fixed:
- CVE-2019-10164: Fixed buffer-overflow vulnerabilities in SCRAM verifier parsing (bsc#1138034).
More information at https://www.postgresql.org/docs/10/release-10-9.html
ImportantSUSE bug 1138034CVE-2019-10164 at SUSECVE-2019-10164 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for avahi (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for avahi fixes the following issues:
Security issue fixed:
- CVE-2018-1000845: Fixed DNS amplification and reflection to spoofed addresses (DOS) (bsc#1120281)
ModerateSUSE bug 1120281CVE-2018-1000845 at SUSECVE-2018-1000845 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for glib2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for glib2 fixes the following issues:
Security issue fixed:
- CVE-2019-13012: Fixed improper restriction of file permissions when creating directories (bsc#1139959).
Non-security issue fixed:
- Added explicit requires between libglib2 and libgio2 (bsc#1140122).
ImportantSUSE bug 1139959SUSE bug 1140122CVE-2019-13012 at SUSECVE-2019-13012 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for expat (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for expat fixes the following issues:
Security issue fixed:
- CVE-2018-20843: Fixed a denial of service triggered by high resource consumption
in the XML parser when XML names contain a large amount of colons (bsc#1139937).
ModerateSUSE bug 1139937CVE-2018-20843 at SUSECVE-2018-20843 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xrdp (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xrdp fixes the following issues:
These security issues were fixed:
- CVE-2013-1430: When successfully logging in using RDP into an xrdp session,
the file ~/.vnc/sesman_${username}_passwd was created. Its content was the equivalent
of the user's cleartext password, DES encrypted with a known key (bsc#1015567).
- CVE-2017-16927: The scp_v0s_accept function in sesman/libscp/libscp_v0.c in the session manager
in xrdp through used an untrusted integer as a write length, which could lead to a
local denial of service (bsc#1069591).
- CVE-2017-6967: Fixed call of the PAM function auth_start_session(). This lead
to to PAM session modules not being properly initialized, with a potential
consequence of incorrect configurations or elevation of privileges, aka a
pam_limits.so bypass (bsc#1029912).
These non-security issues were fixed:
- The KillDisconnected option for TigerVNC Xvnc sessions is now supported (bsc#1101506)
- Fixed an issue with delayed X KeyRelease events (bsc#1100453)
- Force xrdp-sesman.service to start after xrdp.service. (bsc#1014524)
- Avoid use of hard-coded sesman port. (bsc#1060644)
- Fixed a regression connecting from Windows 10. (bsc#1090174)
ImportantSUSE bug 1014524SUSE bug 1015567SUSE bug 1029912SUSE bug 1060644SUSE bug 1069591SUSE bug 1090174SUSE bug 1100453SUSE bug 1101506CVE-2013-1430 at SUSECVE-2013-1430 at NVDCVE-2017-16927 at SUSECVE-2017-16927 at NVDCVE-2017-6967 at SUSECVE-2017-6967 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 to version 2.24.2 fixes the following issues:
Security issues fixed:
- CVE-2019-6237, CVE-2019-8571, CVE-2019-8583, CVE-2019-8584, CVE-2019-8586,
CVE-2019-8587, CVE-2019-8594, CVE-2019-8595, CVE-2019-8596, CVE-2019-8597,
CVE-2019-8601, CVE-2019-8607, CVE-2019-8608, CVE-2019-8609, CVE-2019-8610,
CVE-2019-8615, CVE-2019-8611, CVE-2019-8619, CVE-2019-8622, CVE-2019-8623 (bsc#1135715).
ImportantSUSE bug 1133291SUSE bug 1135715CVE-2019-6237 at SUSECVE-2019-6237 at NVDCVE-2019-8571 at SUSECVE-2019-8571 at NVDCVE-2019-8583 at SUSECVE-2019-8583 at NVDCVE-2019-8584 at SUSECVE-2019-8584 at NVDCVE-2019-8586 at SUSECVE-2019-8586 at NVDCVE-2019-8587 at SUSECVE-2019-8587 at NVDCVE-2019-8594 at SUSECVE-2019-8594 at NVDCVE-2019-8595 at SUSECVE-2019-8595 at NVDCVE-2019-8596 at SUSECVE-2019-8596 at NVDCVE-2019-8597 at SUSECVE-2019-8597 at NVDCVE-2019-8601 at SUSECVE-2019-8601 at NVDCVE-2019-8607 at SUSECVE-2019-8607 at NVDCVE-2019-8608 at SUSECVE-2019-8608 at NVDCVE-2019-8609 at SUSECVE-2019-8609 at NVDCVE-2019-8610 at SUSECVE-2019-8610 at NVDCVE-2019-8611 at SUSECVE-2019-8611 at NVDCVE-2019-8615 at SUSECVE-2019-8615 at NVDCVE-2019-8619 at SUSECVE-2019-8619 at NVDCVE-2019-8622 at SUSECVE-2019-8622 at NVDCVE-2019-8623 at SUSECVE-2019-8623 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox, mozilla-nss fixes the following issues:
MozillaFirefox to version ESR 60.8:
- CVE-2019-9811: Sandbox escape via installation of malicious language pack (bsc#1140868).
- CVE-2019-11711: Script injection within domain through inner window reuse (bsc#1140868).
- CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects (bsc#1140868).
- CVE-2019-11713: Use-after-free with HTTP/2 cached stream (bsc#1140868).
- CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (bsc#1140868).
- CVE-2019-11715: HTML parsing error can contribute to content XSS (bsc#1140868).
- CVE-2019-11717: Caret character improperly escaped in origins (bsc#1140868).
- CVE-2019-11719: Out-of-bounds read when importing curve25519 private key (bsc#1140868).
- CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin (bsc#1140868).
- CVE-2019-11709: Multiple Memory safety bugs fixed (bsc#1140868).
mozilla-nss to version 3.44.1:
* Added IPSEC IKE support to softoken
* Many new FIPS test cases
ImportantSUSE bug 1140868CVE-2019-11709 at SUSECVE-2019-11709 at NVDCVE-2019-11711 at SUSECVE-2019-11711 at NVDCVE-2019-11712 at SUSECVE-2019-11712 at NVDCVE-2019-11713 at SUSECVE-2019-11713 at NVDCVE-2019-11715 at SUSECVE-2019-11715 at NVDCVE-2019-11717 at SUSECVE-2019-11717 at NVDCVE-2019-11719 at SUSECVE-2019-11719 at NVDCVE-2019-11729 at SUSECVE-2019-11729 at NVDCVE-2019-11730 at SUSECVE-2019-11730 at NVDCVE-2019-9811 at SUSECVE-2019-9811 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libxslt (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libxslt fixes the following issues:
Security issues fixed:
- CVE-2019-13118: Fixed a read of uninitialized stack data (bsc#1140101).
- CVE-2019-13117: Fixed a uninitialized read which allowed to discern whether a byte on the stack contains certain special characters (bsc#1140095).
ModerateSUSE bug 1140095SUSE bug 1140101CVE-2019-13117 at SUSECVE-2019-13117 at NVDCVE-2019-13118 at SUSECVE-2019-13118 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libxml2 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libxml2 fixes the following issues:
Issue fixed:
- Fixed a bug related to the fix for CVE-2016-9318 which allowed xsltproc to access
the internet even when --nonet was given and also was making docbook-xsl-stylesheets to have
incomplete xml catalog file (bsc#1010675, bsc#1126613 and bsc#1110146).
ModerateSUSE bug 1010675SUSE bug 1110146SUSE bug 1126613CVE-2016-9318 at SUSECVE-2016-9318 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for polkit (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for polkit fixes the following issues:
Security issue fixed:
- CVE-2018-19788: Fixed handling of UIDs over MAX_UINT (bsc#1118277)
ModerateSUSE bug 1118277CVE-2018-19788 at SUSECVE-2018-19788 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ucode-intel fixes the following issues:
This update contains the Intel QSR 2019.1 Microcode release (bsc#1111331)
Four new speculative execution information leak issues have been identified in Intel CPUs. (bsc#1111331)
- CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
- CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)
- CVE-2018-12130: Microarchitectural Load Port Data Samling (MLPDS)
- CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
These updates contain the CPU Microcode adjustments for the software mitigations.
For more information on this set of vulnerabilities, check out https://www.suse.com/support/kb/doc/?id=7023736
Release notes:
---- updated platforms ------------------------------------
SNB-E/EN/EP C1/M0 6-2d-6/6d 0000061d->0000061f Xeon E3/E5, Core X
SNB-E/EN/EP C2/M1 6-2d-7/6d 00000714->00000718 Xeon E3/E5, Core X
ImportantSUSE bug 1111331CVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for bzip2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for bzip2 fixes the following issues:
Security issue fixed:
- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083).
- CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).
ImportantSUSE bug 1139083SUSE bug 985657CVE-2016-3189 at SUSECVE-2016-3189 at NVDCVE-2019-12900 at SUSECVE-2019-12900 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for glibc (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for glibc fixes the following issues:
Security issues fixed:
- CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308).
- CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223).
Non-security issues fixed:
- Added cfi information for start routines in order to stop unwinding on S390 (bsc#1128574).
ModerateSUSE bug 1127223SUSE bug 1127308SUSE bug 1128574CVE-2009-5155 at SUSECVE-2009-5155 at NVDCVE-2019-9169 at SUSECVE-2019-9169 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for spamassassin (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for spamassassin to version 3.4.2 fixes the following issues:
Security issues fixed:
- CVE-2017-15705: Fixed denial of service via unclosed tags in crafted emails (bsc#1108745).
- CVE-2018-11781: Fixed a code injection in the meta rule syntax by local users (bsc#1108748).
- CVE-2018-11780: Fixed a potential remote code execution vulnerability in PDFInfo plugin (bsc#1108750).
Non-security issues fixed:
- Added four new plugins (disabled by default): HashBL, ResourceLimits, FromNameSpoof, Phishing
- sa-update script: optional support for SHA-256 / SHA-512 been added for better validation of rules
- GeoIP2 support has been added to RelayCountry and URILocalBL plugins
- Several new or enhanced configuration options
ImportantSUSE bug 1108745SUSE bug 1108748SUSE bug 1108750CVE-2016-1238 at SUSECVE-2016-1238 at NVDCVE-2017-15705 at SUSECVE-2017-15705 at NVDCVE-2018-11780 at SUSECVE-2018-11780 at NVDCVE-2018-11781 at SUSECVE-2018-11781 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openexr (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openexr fixes the following issues:
Security issue fixed:
- CVE-2017-9111: Fixed an invalid write of size 8 in the storeSSE function in ImfOptimizedPixelReading.h (bsc#1040109).
- CVE-2017-9113: Fixed an invalid write of size 1 in the bufferedReadPixels function in ImfInputFile.cpp (bsc#1040113).
- CVE-2017-9115: Fixed an invalid write of size 2 in the = operator function inhalf.h (bsc#1040115).
- CVE-2018-18444: Fixed Out-of-bounds write in makeMultiView.cpp (bsc#1113455).
- CVE-2017-9112: Fixed invalid read of size 1 in the getBits function in ImfHuf.cpp (bsc#1040112).
ModerateSUSE bug 1040109SUSE bug 1040112SUSE bug 1040113SUSE bug 1040115SUSE bug 1113455CVE-2017-9111 at SUSECVE-2017-9111 at NVDCVE-2017-9112 at SUSECVE-2017-9112 at NVDCVE-2017-9113 at SUSECVE-2017-9113 at NVDCVE-2017-9115 at SUSECVE-2017-9115 at NVDCVE-2018-18444 at SUSECVE-2018-18444 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libsolv, libzypp, zypper (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libsolv, libzypp and zypper fixes the following issues:
libsolv was updated to version 0.6.36 fixes the following issues:
Security issues fixed:
- CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
- CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
- CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).
Non-security issues fixed:
- Made cleandeps jobs on patterns work (bsc#1137977).
- Fixed an issue multiversion packages that obsolete their own name (bsc#1127155).
- Keep consistent package name if there are multiple alternatives (bsc#1131823).
libzypp received following fixes:
- Fixes a bug where locking the kernel was not possible (bsc#1113296)
zypper received following fixes:
- Fixes a bug where the wrong exit code was set when refreshing
repos if --root was used (bsc#1134226)
- Improved the displaying of locks (bsc#1112911)
- Fixes an issue where `https` repository urls caused an error prompt to
appear twice (bsc#1110542)
- zypper will now always warn when no repositories are defined (bsc#1109893)
ModerateSUSE bug 1109893SUSE bug 1110542SUSE bug 1111319SUSE bug 1112911SUSE bug 1113296SUSE bug 1120629SUSE bug 1120630SUSE bug 1120631SUSE bug 1127155SUSE bug 1131823SUSE bug 1134226SUSE bug 1137977CVE-2018-20532 at SUSECVE-2018-20532 at NVDCVE-2018-20533 at SUSECVE-2018-20533 at NVDCVE-2018-20534 at SUSECVE-2018-20534 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for cronie (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for cronie fixes the following issues:
Security issues fixed:
- CVE-2019-9704: Fixed an insufficient check in the return value of calloc which
could allow a local user to create Denial of Service by crashing the deamon (bsc#1128937).
- CVE-2019-9705: Fixed an implementation vulnerability which could allow a local user to
exhaust the memory resulting in Denial of Service (bsc#1128935).
Bug fixes:
- Manual start of cron is possible even when it's already started using systemd (bsc#1133100).
- Cron schedules only one job of crontab (bsc#1130746).
LowSUSE bug 1128935SUSE bug 1128937SUSE bug 1130746SUSE bug 1133100CVE-2019-9704 at SUSECVE-2019-9704 at NVDCVE-2019-9705 at SUSECVE-2019-9705 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ImageMagick fixes the following issues:
- CVE-2019-13301: Fixed a memory leak in AcquireMagickMemory() (bsc#1140554).
- CVE-2019-13310: Fixed a memory leak at AcquireMagickMemory because of an error in MagickWand/mogrify.c (bsc#1140501).
- CVE-2019-13311: Fixed a memory leak at AcquireMagickMemory because of a wand/mogrify.c error (bsc#1140513).
- CVE-2019-13454: Fixed a division by zero in RemoveDuplicateLayers in MagickCore/layer.c (bsc#1141171).
- CVE-2019-13295: Fixed a heap-based buffer over-read at MagickCore/threshold.c in AdaptiveThresholdImage (bsc#1140664).
- CVE-2019-13297: Fixed a heap-based buffer over-read at MagickCore/threshold.c in AdaptiveThresholdImage (bsc#1140666).
- CVE-2019-12979: Fixed the use of uninitialized values in SyncImageSettings() (bsc#1139886).
- CVE-2019-13391: Fixed a heap-based buffer over-read in MagickCore/fourier.c (bsc#1140673).
- CVE-2019-13308: Fixed a heap-based buffer overflow in MagickCore/fourier.c (bsc#1140534).
- CVE-2019-13300: Fixed a heap-based buffer overflow at MagickCore/statistic.c in EvaluateImages (bsc#1140669).
- CVE-2019-13307: Fixed a heap-based buffer overflow at MagickCore/statistic.c (bsc#1140538).
- CVE-2019-12975: Fixed a memory leak in the WriteDPXImage() in coders/dpx.c (bsc#1140106).
- CVE-2019-13135: Fixed the use of uninitialized values in ReadCUTImage() (bsc#1140103).
- CVE-2019-12978: Fixed the use of uninitialized values in ReadPANGOImage() (bsc#1139885).
- CVE-2019-12974: Fixed a NULL pointer dereference in the ReadPANGOImage() (bsc#1140111).
- CVE-2019-13133: Fixed a memory leak in the ReadBMPImage() (bsc#1140100).
- CVE-2019-13134: Fixed a memory leak in the ReadVIFFImage() (bsc#1140102).
- CVE-2019-12976: Fixed a memory leak in the ReadPCLImage() in coders/pcl.c(bsc#1140110).
ModerateSUSE bug 1139885SUSE bug 1139886SUSE bug 1140100SUSE bug 1140102SUSE bug 1140103SUSE bug 1140106SUSE bug 1140110SUSE bug 1140111SUSE bug 1140501SUSE bug 1140513SUSE bug 1140534SUSE bug 1140538SUSE bug 1140554SUSE bug 1140664SUSE bug 1140666SUSE bug 1140669SUSE bug 1140673SUSE bug 1141171CVE-2019-12974 at SUSECVE-2019-12974 at NVDCVE-2019-12975 at SUSECVE-2019-12975 at NVDCVE-2019-12976 at SUSECVE-2019-12976 at NVDCVE-2019-12978 at SUSECVE-2019-12978 at NVDCVE-2019-12979 at SUSECVE-2019-12979 at NVDCVE-2019-13133 at SUSECVE-2019-13133 at NVDCVE-2019-13134 at SUSECVE-2019-13134 at NVDCVE-2019-13135 at SUSECVE-2019-13135 at NVDCVE-2019-13295 at SUSECVE-2019-13295 at NVDCVE-2019-13297 at SUSECVE-2019-13297 at NVDCVE-2019-13300 at SUSECVE-2019-13300 at NVDCVE-2019-13301 at SUSECVE-2019-13301 at NVDCVE-2019-13307 at SUSECVE-2019-13307 at NVDCVE-2019-13308 at SUSECVE-2019-13308 at NVDCVE-2019-13310 at SUSECVE-2019-13310 at NVDCVE-2019-13311 at SUSECVE-2019-13311 at NVDCVE-2019-13391 at SUSECVE-2019-13391 at NVDCVE-2019-13454 at SUSECVE-2019-13454 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for bzip2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for bzip2 fixes the following issues:
- Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities
with files that used many selectors (bsc#1139083).
ImportantSUSE bug 1139083CVE-2019-12900 at SUSECVE-2019-12900 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openexr (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openexr fixes the following issues:
- CVE-2017-14988: Fixed a denial of service in Header::readfrom() (bsc#1061305).
ModerateSUSE bug 1061305CVE-2017-14988 at SUSECVE-2017-14988 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_7_0-openjdk to version 7u231 fixes the following issues:
Security issues fixed:
- CVE_2019-2426: Improve web server connections (bsc#1134297).
- CVE-2019-2745: Improved ECC Implementation (bsc#1141784).
- CVE-2019-2762: Exceptional throw cases (bsc#1141782).
- CVE-2019-2766: Improve file protocol handling (bsc#1141789).
- CVE-2019-2769: Better copies of CopiesList (bsc#1141783).
- CVE-2019-2786: More limited privilege usage (bsc#1141787).
- CVE-2019-2816: Normalize normalization (bsc#1141785).
- CVE-2019-2842: Extended AES support (bsc#1141786).
- CVE-2019-7317: Improve PNG support (bsc#1141780).
- CVE-2018-3639: fix revision to prefer PR_SPEC_DISABLE_NOEXEC to PR_SPEC_DISABLE (bsc#1087082).
- Certificate validation improvements
ImportantSUSE bug 1087082SUSE bug 1134297SUSE bug 1141780SUSE bug 1141782SUSE bug 1141783SUSE bug 1141784SUSE bug 1141785SUSE bug 1141786SUSE bug 1141787SUSE bug 1141789CVE-2018-3639 at SUSECVE-2018-3639 at NVDCVE-2019-2426 at SUSECVE-2019-2426 at NVDCVE-2019-2745 at SUSECVE-2019-2745 at NVDCVE-2019-2762 at SUSECVE-2019-2762 at NVDCVE-2019-2766 at SUSECVE-2019-2766 at NVDCVE-2019-2769 at SUSECVE-2019-2769 at NVDCVE-2019-2786 at SUSECVE-2019-2786 at NVDCVE-2019-2816 at SUSECVE-2019-2816 at NVDCVE-2019-2842 at SUSECVE-2019-2842 at NVDCVE-2019-7317 at SUSECVE-2019-7317 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for polkit (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for polkit fixes the following issues:
Security issue fixed:
- CVE-2019-6133: Fixed improper caching of auth decisions, which could bypass
uid checking in the interactive backend (bsc#1121826).
ImportantSUSE bug 1121826CVE-2019-6133 at SUSECVE-2019-6133 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-openjdk to version 8u222 fixes the following issues:
Security issues fixed:
- CVE-2019-2745: Improved ECC Implementation (bsc#1141784).
- CVE-2019-2762: Exceptional throw cases (bsc#1141782).
- CVE-2019-2766: Improve file protocol handling (bsc#1141789).
- CVE-2019-2769: Better copies of CopiesList (bsc#1141783).
- CVE-2019-2786: More limited privilege usage (bsc#1141787).
- CVE-2019-2816: Normalize normalization (bsc#1141785).
- CVE-2019-2842: Extended AES support (bsc#1141786).
- CVE-2019-7317: Improve PNG support (bsc#1141780).
- Certificate validation improvements
Non-security issue fixed:
- Fixed an issue where the installation failed when the manpages are not present (bsc#1115375)
ImportantSUSE bug 1115375SUSE bug 1141780SUSE bug 1141782SUSE bug 1141783SUSE bug 1141784SUSE bug 1141785SUSE bug 1141786SUSE bug 1141787SUSE bug 1141789CVE-2019-2745 at SUSECVE-2019-2745 at NVDCVE-2019-2762 at SUSECVE-2019-2762 at NVDCVE-2019-2766 at SUSECVE-2019-2766 at NVDCVE-2019-2769 at SUSECVE-2019-2769 at NVDCVE-2019-2786 at SUSECVE-2019-2786 at NVDCVE-2019-2816 at SUSECVE-2019-2816 at NVDCVE-2019-2842 at SUSECVE-2019-2842 at NVDCVE-2019-7317 at SUSECVE-2019-7317 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for mariadb (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mariadb fixes the following issues:
Update to MariaDB 10.0.38 GA (bsc#1136037).
Security issues fixed:
- CVE-2019-2537: Denial of service via multiple protocols (bsc#1136037)
- CVE-2019-2529: Denial of service via multiple protocols (bsc#1136037)
- CVE-2018-3282: Server Storage Engines unspecified vulnerability (CPU Oct 2018) (bsc#1112432)
- CVE-2018-3251: InnoDB unspecified vulnerability (CPU Oct 2018) (bsc#1112397)
- CVE-2018-3174: Client programs unspecified vulnerability (CPU Oct 2018) (bsc#1112368)
- CVE-2018-3156: InnoDB unspecified vulnerability (CPU Oct 2018) (bsc#1112417)
- CVE-2018-3143: InnoDB unspecified vulnerability (CPU Oct 2018) (bsc#1112421)
- CVE-2018-3066: Unspecified vulnerability in the MySQL Server component of Oracle MySQL (subcomponent Server Options). (bsc#1101678)
- CVE-2018-3064: InnoDB unspecified vulnerability (CPU Jul 2018) (bsc#1103342)
- CVE-2018-3063: Unspecified vulnerability in the MySQL Server component of Oracle MySQL (subcomponent Server Security Privileges). (bsc#1101677)
- CVE-2018-3058: Unspecified vulnerability in the MySQL Server component of Oracle MySQL (subcomponent MyISAM). (bsc#1101676)
- CVE-2016-9843: Big-endian out-of-bounds pointer (bsc#1013882)
Non-security changes:
- Removed PerconaFT from the package as it has AGPL licence (bsc#1118754).
- Do not just remove tokudb plugin but don't build it at all (missing jemalloc dependency).
- Fixed reading options for multiple instances if my${INSTANCE}.cnf is used (bsc#1132666).
- Removed 'umask 077' from mysql-systemd-helper that caused new datadirs created
with wrong permissions (bsc#1132666).
Release notes and changelog:
- https://kb.askmonty.org/en/mariadb-10038-release-notes
- https://kb.askmonty.org/en/mariadb-10038-changelog
- https://kb.askmonty.org/en/mariadb-10037-release-notes
- https://kb.askmonty.org/en/mariadb-10037-changelog
- https://kb.askmonty.org/en/mariadb-10036-release-notes
- https://kb.askmonty.org/en/mariadb-10036-changelog
ImportantSUSE bug 1013882SUSE bug 1101676SUSE bug 1101677SUSE bug 1101678SUSE bug 1103342SUSE bug 1112368SUSE bug 1112397SUSE bug 1112417SUSE bug 1112421SUSE bug 1112432SUSE bug 1116686SUSE bug 1118754SUSE bug 1132666SUSE bug 1136037CVE-2016-9843 at SUSECVE-2016-9843 at NVDCVE-2018-3058 at SUSECVE-2018-3058 at NVDCVE-2018-3063 at SUSECVE-2018-3063 at NVDCVE-2018-3064 at SUSECVE-2018-3064 at NVDCVE-2018-3066 at SUSECVE-2018-3066 at NVDCVE-2018-3143 at SUSECVE-2018-3143 at NVDCVE-2018-3156 at SUSECVE-2018-3156 at NVDCVE-2018-3174 at SUSECVE-2018-3174 at NVDCVE-2018-3251 at SUSECVE-2018-3251 at NVDCVE-2018-3282 at SUSECVE-2018-3282 at NVDCVE-2019-2529 at SUSECVE-2019-2529 at NVDCVE-2019-2537 at SUSECVE-2019-2537 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3 fixes the following issues:
- CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).
- CVE-2018-14647: Fixed a denial of service vulnerability caused by a crafted XML document (bsc#1109847).
- CVE-2018-1000802: Fixed a command injection in the shutil module (bsc#1109663).
ImportantSUSE bug 1109663SUSE bug 1109847SUSE bug 1138459CVE-2018-1000802 at SUSECVE-2018-1000802 at NVDCVE-2018-14647 at SUSECVE-2018-14647 at NVDCVE-2019-10160 at SUSECVE-2019-10160 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for evince (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for evince fixes the following issues:
Security issues fixed:
- CVE-2019-11459: Fixed an improper error handling in which could have led to use of uninitialized use of memory (bsc#1133037).
- CVE-2019-1010006: Fixed a buffer overflow in backend/tiff/tiff-document.c (bsc#1141619).
ImportantSUSE bug 1133037SUSE bug 1141619CVE-2019-1010006 at SUSECVE-2019-1010006 at NVDCVE-2019-11459 at SUSECVE-2019-11459 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tcpdump (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tcpdump fixes the following issues:
Security issues fixed:
- CVE-2019-1010220: Fixed a buffer over-read in print_prefix() which may expose data (bsc#1142439).
- CVE-2017-16808: Fixed a heap-based buffer over-read related to aoe_print() and lookup_emem() (bsc#1068716).
ModerateSUSE bug 1068716SUSE bug 1142439CVE-2017-16808 at SUSECVE-2017-16808 at NVDCVE-2019-1010220 at SUSECVE-2019-1010220 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for squid (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for squid fixes the following issues:
Security issue fixed:
- CVE-2019-12529: Fixed a potential denial of service associated with HTTP Basic Authentication credentials (bsc#1141329).
- CVE-2019-12525: Fixed a denial of service during processing of HTTP Digest Authentication credentials (bsc#1141332).
- CVE-2019-13345: Fixed a cross site scripting vulnerability via user_name or auth parameter in cachemgr.cgi (bsc#1140738).
ModerateSUSE bug 1140738SUSE bug 1141329SUSE bug 1141332CVE-2019-12525 at SUSECVE-2019-12525 at NVDCVE-2019-12529 at SUSECVE-2019-12529 at NVDCVE-2019-13345 at SUSECVE-2019-13345 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for rsyslog (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for rsyslog fixes the following issues:
Security issue fixed:
- CVE-2018-16881: Fixed a denial of service when both the imtcp module and Octet-Counted TCP Framing is enabled (bsc#1123164).
ImportantSUSE bug 1123164CVE-2018-16881 at SUSECVE-2018-16881 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python fixes the following issues:
- CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).
- CVE-2018-20852: Fixed an information leak where cookies could be send to the wrong server because of incorrect domain validation (bsc#1141853).
ImportantSUSE bug 1138459SUSE bug 1141853CVE-2018-20852 at SUSECVE-2018-20852 at NVDCVE-2019-10160 at SUSECVE-2019-10160 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for wireshark (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for wireshark to version 2.4.16 fixes the following issues:
Security issue fixed:
- CVE-2019-13619: ASN.1 BER and related dissectors crash (bsc#1141980).
ModerateSUSE bug 1141980CVE-2019-13619 at SUSECVE-2019-13619 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openjpeg2 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openjpeg2 fixes the following issues:
Security issue fixed:
- CVE-2016-1923: Fixed anout of bounds read int opj_j2k_update_image_data() and opj_tgt_reset () (bsc#962522).
ModerateSUSE bug 962522CVE-2016-1923 at SUSECVE-2016-1923 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql96 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql96 fixes the following issues:
Security issue fixed:
- CVE-2019-10208: Fixed arbitrary SQL execution via suitable SECURITY DEFINER function under the identity of the function owner (bsc#1145092).
ImportantSUSE bug 1145092CVE-2019-10208 at SUSECVE-2019-10208 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python-urllib3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-urllib3 fixes the following issues:
Security issues fixed:
- CVE-2019-9740: Fixed CRLF injection issue (bsc#1129071).
- CVE-2019-11324: Fixed invalid CA certificat verification (bsc#1132900).
- CVE-2019-11236: Fixed CRLF injection via request parameter (bsc#1132663).
- CVE-2018-20060: Remove Authorization header when redirecting cross-host (bsc#1119376).
ModerateSUSE bug 1119376SUSE bug 1129071SUSE bug 1132663SUSE bug 1132900CVE-2018-20060 at SUSECVE-2018-20060 at NVDCVE-2019-11236 at SUSECVE-2019-11236 at NVDCVE-2019-11324 at SUSECVE-2019-11324 at NVDCVE-2019-9740 at SUSECVE-2019-9740 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libvirt (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libvirt fixes the following issues:
Security issues fixed:
- CVE-2019-10161: Fixed virDomainSaveImageGetXMLDesc API which could accept a path
parameter pointing anywhere on the system and potentially leading to execution
of a malicious file with root privileges by libvirtd (bsc#1138301).
- CVE-2019-10167: Fixed an issue with virConnectGetDomainCapabilities API which
could have been used to execute arbitrary emulators (bsc#1138303).
Non-security issues fixed:
- Fixed an issue with short bitmaps when setting vcpu affinity using the vcpupin (bsc#1138734).
- Added support for overriding max threads per process limit (bsc#1133719)
ImportantSUSE bug 1133719SUSE bug 1138301SUSE bug 1138303SUSE bug 1138734CVE-2019-10161 at SUSECVE-2019-10161 at NVDCVE-2019-10167 at SUSECVE-2019-10167 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for apache-commons-beanutils (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for apache-commons-beanutils fixes the following issues:
Security issue fixed:
- CVE-2019-10086: Added special BeanIntrospector class which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects (bsc#1146657).
ImportantSUSE bug 1146657CVE-2019-10086 at SUSECVE-2019-10086 at NVDcpe:/o:suse:sles_teradata:12:sp3Recommended update for NetworkManager (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for NetworkManager fixes the following issues:
Security issue fixed:
- Fixed that passwords are not echoed on terminal when asking for them (bsc#990204).
LowSUSE bug 990204cpe:/o:suse:sles_teradata:12:sp3Security update for perl (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for perl fixes the following issues:
Security issue fixed:
- CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674).
ImportantSUSE bug 1114674CVE-2018-18311 at SUSECVE-2018-18311 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libsolv, libzypp, zypper (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libsolv, libzypp and zypper fixes the following issues:
libsolv was updated to version 0.6.36 and fixes the following issues:
Security issues fixed:
- CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
- CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
- CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).
Non-security issues fixed:
- Made cleandeps jobs on patterns work (bsc#1137977).
- Fixed an issue multiversion packages that obsolete their own name (bsc#1127155).
- Keep consistent package name if there are multiple alternatives (bsc#1131823).
Fixes for libzypp:
- Fixes a bug where locking the kernel was not possible (bsc#1113296)
- Fixes a file descriptor leak (bsc#1116995)
- Will now run file conflict check on dry-run (best with download-only) (bsc#1140039)
Fixes for zypper:
- Fixes a bug where the wrong exit code was set when refreshing repos if --root was used (bsc#1134226)
- Improved the displaying of locks (bsc#1112911)
- Fixes an issue where `https` repository urls caused an error prompt to appear twice (bsc#1110542)
- zypper will now always warn when no repositories are defined (bsc#1109893)
- Fixes bash completion option detection (bsc#1049825)
ModerateSUSE bug 1049825SUSE bug 1109893SUSE bug 1110542SUSE bug 1111319SUSE bug 1112911SUSE bug 1113296SUSE bug 1116995SUSE bug 1120629SUSE bug 1120630SUSE bug 1120631SUSE bug 1127155SUSE bug 1131823SUSE bug 1134226SUSE bug 1137977SUSE bug 1140039SUSE bug 1145521CVE-2018-20532 at SUSECVE-2018-20532 at NVDCVE-2018-20533 at SUSECVE-2018-20533 at NVDCVE-2018-20534 at SUSECVE-2018-20534 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql10 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql10 fixes the following issues:
Security issue fixed:
- CVE-2019-10208: Fixed arbitrary SQL execution via suitable SECURITY DEFINER function under the identity of the function owner (bsc#1145092).
ImportantSUSE bug 1145092CVE-2019-10208 at SUSECVE-2019-10208 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for qemu (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for qemu fixes the following issues:
Security issues fixed:
- CVE-2019-14378: Security fix for heap overflow in ip_reass on big packet input (bsc#1143794).
- CVE-2019-12155: Security fix for null pointer dereference while releasing spice resources (bsc#1135902).
- CVE-2019-13164: Security fix for qemu-bridge-helper ACL can be bypassed when names are too long (bsc#1140402).
Bug fixes:
- Provide qcow2 L2 caching improvements, which allows for better storage performance in certain configurations (bsc#1139926, ECO-130).
- Fix setting speed of migration while vm uses hugepages (bsc#1127077).
ModerateSUSE bug 1127077SUSE bug 1135902SUSE bug 1139926SUSE bug 1140402SUSE bug 1143794CVE-2019-12155 at SUSECVE-2019-12155 at NVDCVE-2019-13164 at SUSECVE-2019-13164 at NVDCVE-2019-14378 at SUSECVE-2019-14378 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for apache2 fixes the following issues:
Security issues fixed:
- CVE-2019-9517: Fixed HTTP/2 implementations that are vulnerable to unconstrained interal data buffering (bsc#1145575).
- CVE-2019-10081: Fixed mod_http2 that is vulnerable to memory corruption on early pushes (bsc#1145742).
- CVE-2019-10082: Fixed mod_http2 that is vulnerable to read-after-free in h2 connection shutdown (bsc#1145741).
- CVE-2019-10092: Fixed limited cross-site scripting in mod_proxy (bsc#1145740).
- CVE-2019-10098: Fixed mod_rewrite configuration vulnerablility to open redirect (bsc#1145738).
ImportantSUSE bug 1145575SUSE bug 1145738SUSE bug 1145740SUSE bug 1145741SUSE bug 1145742CVE-2019-10081 at SUSECVE-2019-10081 at NVDCVE-2019-10082 at SUSECVE-2019-10082 at NVDCVE-2019-10092 at SUSECVE-2019-10092 at NVDCVE-2019-10098 at SUSECVE-2019-10098 at NVDCVE-2019-9517 at SUSECVE-2019-9517 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_7_1-ibm fixes the following issues:
Update to Java 7.1 Service Refresh 4 Fix Pack 50.
Security issues fixed:
- CVE-2019-11771: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-11775: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-4473: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-7317: Fixed issue inside Component AWT (libpng)(bsc#1141780).
- CVE-2019-2769: Fixed issue inside Component Utilities (bsc#1141783).
- CVE-2019-2762: Fixed issue inside Component Utilities (bsc#1141782).
- CVE-2019-2816: Fixed issue inside Component Networking (bsc#1141785).
- CVE-2019-2766: Fixed issue inside Component Networking (bsc#1141789).
ImportantSUSE bug 1141780SUSE bug 1141782SUSE bug 1141783SUSE bug 1141785SUSE bug 1141789SUSE bug 1147021CVE-2019-11771 at SUSECVE-2019-11771 at NVDCVE-2019-11775 at SUSECVE-2019-11775 at NVDCVE-2019-2762 at SUSECVE-2019-2762 at NVDCVE-2019-2766 at SUSECVE-2019-2766 at NVDCVE-2019-2769 at SUSECVE-2019-2769 at NVDCVE-2019-2816 at SUSECVE-2019-2816 at NVDCVE-2019-4473 at SUSECVE-2019-4473 at NVDCVE-2019-7317 at SUSECVE-2019-7317 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for curl (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for curl fixes the following issues:
Security issue fixed:
- CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496).
ImportantSUSE bug 1149496CVE-2019-5482 at SUSECVE-2019-5482 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
Updated to version 2.24.4 (bsc#1148931).
Security issues fixed:
- CVE-2019-8644, CVE-2019-8649, CVE-2019-8658, CVE-2019-8669, CVE-2019-8678,
CVE-2019-8680, CVE-2019-8683, CVE-2019-8684, CVE-2019-8688, CVE-2019-8595,
CVE-2019-8607, CVE-2019-8615, CVE-2019-8644, CVE-2019-8649, CVE-2019-8658,
CVE-2019-8666, CVE-2019-8669, CVE-2019-8671, CVE-2019-8672, CVE-2019-8673,
CVE-2019-8676, CVE-2019-8677, CVE-2019-8678, CVE-2019-8679, CVE-2019-8680,
CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8686, CVE-2019-8687,
CVE-2019-8688, CVE-2019-8689, CVE-2019-8690
Non-security issues fixed:
- Improved loading of multimedia streams to avoid memory exhaustion due to excessive caching.
- Updated the user agent string to make happy certain websites which would claim that the browser being used was unsupported.
ImportantSUSE bug 1135715SUSE bug 1148931CVE-2019-8595 at SUSECVE-2019-8595 at NVDCVE-2019-8607 at SUSECVE-2019-8607 at NVDCVE-2019-8615 at SUSECVE-2019-8615 at NVDCVE-2019-8644 at SUSECVE-2019-8644 at NVDCVE-2019-8649 at SUSECVE-2019-8649 at NVDCVE-2019-8658 at SUSECVE-2019-8658 at NVDCVE-2019-8666 at SUSECVE-2019-8666 at NVDCVE-2019-8669 at SUSECVE-2019-8669 at NVDCVE-2019-8671 at SUSECVE-2019-8671 at NVDCVE-2019-8672 at SUSECVE-2019-8672 at NVDCVE-2019-8673 at SUSECVE-2019-8673 at NVDCVE-2019-8676 at SUSECVE-2019-8676 at NVDCVE-2019-8677 at SUSECVE-2019-8677 at NVDCVE-2019-8678 at SUSECVE-2019-8678 at NVDCVE-2019-8679 at SUSECVE-2019-8679 at NVDCVE-2019-8680 at SUSECVE-2019-8680 at NVDCVE-2019-8681 at SUSECVE-2019-8681 at NVDCVE-2019-8683 at SUSECVE-2019-8683 at NVDCVE-2019-8684 at SUSECVE-2019-8684 at NVDCVE-2019-8686 at SUSECVE-2019-8686 at NVDCVE-2019-8687 at SUSECVE-2019-8687 at NVDCVE-2019-8688 at SUSECVE-2019-8688 at NVDCVE-2019-8689 at SUSECVE-2019-8689 at NVDCVE-2019-8690 at SUSECVE-2019-8690 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ghostscript (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ghostscript fixes the following issues:
Security issue fixed:
- CVE-2019-10216: Fix privilege escalation via specially crafted PostScript file (bsc#1144621).
ModerateSUSE bug 1144621CVE-2019-10216 at SUSECVE-2019-10216 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ceph (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ceph to version 12.2.12-594-g02236657ca fixes the following issues:
Security issues fixed:
- CVE-2018-16889: Fixed missing sanitation of customer encryption keys from log output in v4 auth. (bsc#1121567)
ModerateSUSE bug 1121567SUSE bug 1149961CVE-2018-16889 at SUSECVE-2018-16889 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-ibm fixes the following issues:
Update to Java 8.0 Service Refresh 5 Fix Pack 40.
Security issues fixed:
- CVE-2019-11771: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-11772: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-11775: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-4473: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-7317: Fixed issue inside Component AWT (libpng)(bsc#1141780).
- CVE-2019-2769: Fixed issue inside Component Utilities (bsc#1141783).
- CVE-2019-2762: Fixed issue inside Component Utilities (bsc#1141782).
- CVE-2019-2816: Fixed issue inside Component Networking (bsc#1141785).
- CVE-2019-2766: Fixed issue inside Component Networking (bsc#1141789).
- CVE-2019-2786: Fixed issue inside Component Security (bsc#1141787).
ImportantSUSE bug 1122292SUSE bug 1122299SUSE bug 1141780SUSE bug 1141782SUSE bug 1141783SUSE bug 1141785SUSE bug 1141787SUSE bug 1141789SUSE bug 1147021CVE-2018-11212 at SUSECVE-2018-11212 at NVDCVE-2019-11771 at SUSECVE-2019-11771 at NVDCVE-2019-11772 at SUSECVE-2019-11772 at NVDCVE-2019-11775 at SUSECVE-2019-11775 at NVDCVE-2019-2449 at SUSECVE-2019-2449 at NVDCVE-2019-2762 at SUSECVE-2019-2762 at NVDCVE-2019-2766 at SUSECVE-2019-2766 at NVDCVE-2019-2769 at SUSECVE-2019-2769 at NVDCVE-2019-2786 at SUSECVE-2019-2786 at NVDCVE-2019-2816 at SUSECVE-2019-2816 at NVDCVE-2019-4473 at SUSECVE-2019-4473 at NVDCVE-2019-7317 at SUSECVE-2019-7317 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ibus (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ibus fixes the following issues:
Security issue fixed:
- CVE-2019-14822: Fixed a misconfiguration of the DBus server that allowed an unprivileged user to monitor and send method calls to the ibus bus of another user. (bsc#1150011)
ImportantSUSE bug 1150011CVE-2019-14822 at SUSECVE-2019-14822 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openldap2 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openldap2 fixes the following issues:
Security issues fixed:
- CVE-2019-13565: Fixed ssf memory reuse that leads to incorrect authorization of another connection, granting excess connection rights (ssf) (bsc#1143194).
- CVE-2019-13057: Fixed rootDN of a backend that may proxyauth incorrectly to another backend, violating multi-tenant isolation (bsc#1143273).
ModerateSUSE bug 1143194SUSE bug 1143273CVE-2019-13057 at SUSECVE-2019-13057 at NVDCVE-2019-13565 at SUSECVE-2019-13565 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python36 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python36 fixes the following issues:
Security issue fixed:
- CVE-2019-16056: Fixed a parser issue in the email module. (bsc#1149955)
Non-security issue fixed:
- bsc#1137942: Avoid duplicate files with python3* packages (https://fate.suse.com/327309)
ModerateSUSE bug 1137942SUSE bug 1149955CVE-2019-16056 at SUSECVE-2019-16056 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for spice (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for spice fixes the following issues:
Security issue fixed:
- CVE-2019-3813: Fixed a out-of-bounds read in the memslot_get_virt function that could lead to denial-of-service or code-execution (bsc#1122706).
ImportantSUSE bug 1122706CVE-2019-3813 at SUSECVE-2019-3813 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssl fixes the following issues:
OpenSSL Security Advisory [10 September 2019]
- CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance (bsc#1150003).
- CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250).
ModerateSUSE bug 1150003SUSE bug 1150250CVE-2019-1547 at SUSECVE-2019-1547 at NVDCVE-2019-1563 at SUSECVE-2019-1563 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for nmap (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for nmap fixes the following issues:
- Fixed a regression in the version scanner, caused by the fix for CVE-2018-15173. (bsc#1135350)
ImportantSUSE bug 1135350CVE-2018-15173 at SUSECVE-2018-15173 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3 fixes the following issues:
Security issue fixed:
- CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191)
- CVE-2018-20406: Fixed a integer overflow via a large LONG_BINPUT (bsc#1120644)
ImportantSUSE bug 1120644SUSE bug 1122191CVE-2018-20406 at SUSECVE-2018-20406 at NVDCVE-2019-5010 at SUSECVE-2019-5010 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox to ESR 60.9 fixes the following issues:
Security issues fixed:
- CVE-2019-11742: Fixed a same-origin policy violation involving SVG filters and canvas to steal cross-origin images. (bsc#1149303)
- CVE-2019-11746: Fixed a use-after-free while manipulating video. (bsc#1149297)
- CVE-2019-11744: Fixed an XSS caused by breaking out of title and textarea elements using innerHTML. (bsc#1149304)
- CVE-2019-11753: Fixed a privilege escalation with Mozilla Maintenance Service in custom Firefox installation location. (bsc#1149295)
- CVE-2019-11752: Fixed a use-after-free while extracting a key value in IndexedDB. (bsc#1149296)
- CVE-2019-11743: Fixed a timing side-channel attack on cross-origin information, utilizing unload event attributes. (bsc#1149298)
- CVE-2019-11740: Fixed several memory safety bugs. (bsc#1149299)
ImportantSUSE bug 1149294SUSE bug 1149295SUSE bug 1149296SUSE bug 1149297SUSE bug 1149298SUSE bug 1149299SUSE bug 1149303SUSE bug 1149304SUSE bug 1149324CVE-2019-11740 at SUSECVE-2019-11740 at NVDCVE-2019-11742 at SUSECVE-2019-11742 at NVDCVE-2019-11743 at SUSECVE-2019-11743 at NVDCVE-2019-11744 at SUSECVE-2019-11744 at NVDCVE-2019-11746 at SUSECVE-2019-11746 at NVDCVE-2019-11752 at SUSECVE-2019-11752 at NVDCVE-2019-11753 at SUSECVE-2019-11753 at NVDCVE-2019-9812 at SUSECVE-2019-9812 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for expat (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for expat fixes the following issues:
Security issue fixed:
- CVE-2019-15903: Fixed a heap-based buffer over-read caused by crafted XML documents. (bsc#1149429)
ModerateSUSE bug 1149429CVE-2019-15903 at SUSECVE-2019-15903 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for djvulibre (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for djvulibre fixes the following issues:
Security issues fixed:
- CVE-2019-15142: Fixed heap-based buffer over-read (bsc#1146702).
- CVE-2019-15143: Fixed resource exhaustion caused by corrupted image files (bsc#1146569).
- CVE-2019-15144: Fixed denial-of-service caused by crafted PBM image files (bsc#1146571).
- CVE-2019-15145: Fixed out-of-bounds read caused by corrupted JB2 image files (bsc#1146572).
- Fixed segfault when libtiff encounters corrupted TIFF (upstream issue #295).
ModerateSUSE bug 1146569SUSE bug 1146571SUSE bug 1146572SUSE bug 1146702CVE-2019-15142 at SUSECVE-2019-15142 at NVDCVE-2019-15143 at SUSECVE-2019-15143 at NVDCVE-2019-15144 at SUSECVE-2019-15144 at NVDCVE-2019-15145 at SUSECVE-2019-15145 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for dovecot22 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for dovecot22 fixes the following issues:
- CVE-2019-11500: Fixed a potential remote code execution in the IMAP and ManageSieve protocol parsers (bsc#1145559).
ImportantSUSE bug 1145559CVE-2019-11500 at SUSECVE-2019-11500 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for mariadb (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mariadb fixes the following issues:
Updated to MariaDB 10.0.40-1.
Security issues fixed:
- CVE-2019-2805, CVE-2019-2740, CVE-2019-2739, CVE-2019-2737,
CVE-2019-2614, CVE-2019-2627. (bsc#1132826) (bsc#1141798).
Non-security issues fixed:
- Adjusted mysql-systemd-helper ('shutdown protected MySQL' section)
so it checks both ping response and the pid in a process list
as it can take some time till the process is terminated.
Otherwise it can lead to 'found left-over process' situation
when regular mariadb is started. (bsc#1143215)
- Fixed IP resolving in mysql_install_db script. (bsc#1142058, bsc#1127027, MDEV-18526)
ModerateSUSE bug 1127027SUSE bug 1132826SUSE bug 1141798SUSE bug 1142058SUSE bug 1143215CVE-2019-2614 at SUSECVE-2019-2614 at NVDCVE-2019-2627 at SUSECVE-2019-2627 at NVDCVE-2019-2737 at SUSECVE-2019-2737 at NVDCVE-2019-2739 at SUSECVE-2019-2739 at NVDCVE-2019-2740 at SUSECVE-2019-2740 at NVDCVE-2019-2805 at SUSECVE-2019-2805 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ghostscript (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ghostscript to 9.27 fixes the following issues:
Security issues fixed:
- CVE-2019-3835: Fixed an unauthorized file system access caused by an available superexec operator. (bsc#1129180)
- CVE-2019-3839: Fixed an unauthorized file system access caused by available privileged operators. (bsc#1134156)
- CVE-2019-12973: Fixed a denial-of-service vulnerability in the OpenJPEG function opj_t1_encode_cblks. (bsc#1140359)
- CVE-2019-14811: Fixed a safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator. (bsc#1146882)
- CVE-2019-14812: Fixed a safer mode bypass by .forceput exposure in setuserparams. (bsc#1146882)
- CVE-2019-14813: Fixed a safer mode bypass by .forceput exposure in setsystemparams. (bsc#1146882)
- CVE-2019-14817: Fixed a safer mode bypass by .forceput exposure in .pdfexectoken and other procedures. (bsc#1146884)
ImportantSUSE bug 1129180SUSE bug 1131863SUSE bug 1134156SUSE bug 1140359SUSE bug 1146882SUSE bug 1146884CVE-2019-12973 at SUSECVE-2019-12973 at NVDCVE-2019-14811 at SUSECVE-2019-14811 at NVDCVE-2019-14812 at SUSECVE-2019-14812 at NVDCVE-2019-14813 at SUSECVE-2019-14813 at NVDCVE-2019-14817 at SUSECVE-2019-14817 at NVDCVE-2019-3835 at SUSECVE-2019-3835 at NVDCVE-2019-3839 at SUSECVE-2019-3839 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gpg2 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gpg2 fixes the following issues:
Security issue fixed:
- CVE-2019-13050: Fixed denial-of-service attacks via big keys. (bsc#1141093)
Non-security issue fixed:
- Allow coredumps in X11 desktop sessions (bsc#1124847).
ModerateSUSE bug 1124847SUSE bug 1141093CVE-2019-13050 at SUSECVE-2019-13050 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for curl (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2019-3823: Fixed a heap out-of-bounds read in the code handling the end-of-response for SMTP (bsc#1123378).
- CVE-2019-3822: Fixed a stack based buffer overflow in the function creating an outgoing NTLM type-3 message (bsc#1123377).
- CVE-2018-16890: Fixed a heap buffer out-of-bounds read in the function handling incoming NTLM type-2 messages (bsc#1123371).
ImportantSUSE bug 1123371SUSE bug 1123377SUSE bug 1123378CVE-2018-16890 at SUSECVE-2018-16890 at NVDCVE-2019-3822 at SUSECVE-2019-3822 at NVDCVE-2019-3823 at SUSECVE-2019-3823 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libgcrypt (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libgcrypt fixes the following issues:
Security issues fixed:
- CVE-2019-13627: Mitigated ECDSA timing attack. (bsc#1148987)
ModerateSUSE bug 1148987CVE-2019-13627 at SUSECVE-2019-13627 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for jasper (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for jasper fixes the following issues:
Security issues fixed:
- CVE-2018-19540: Fixed a heap based overflow in jas_icctxtdesc_input (bsc#1117508).
- CVE-2018-19541: Fix heap based overread in jas_image_depalettize (bsc#1117507).
- CVE-2018-19542: Fixed a denial of service in jp2_decode (bsc#1117505).
- CVE-2018-19539: Fixed a denial of service in jas_image_readcmpt (bsc#1117511).
- CVE-2016-9396: Fixed a denial of service in jpc_cox_getcompparms (bsc#1010783).
ModerateSUSE bug 1010783SUSE bug 1117505SUSE bug 1117507SUSE bug 1117508SUSE bug 1117511CVE-2016-9396 at SUSECVE-2016-9396 at NVDCVE-2018-19539 at SUSECVE-2018-19539 at NVDCVE-2018-19540 at SUSECVE-2018-19540 at NVDCVE-2018-19541 at SUSECVE-2018-19541 at NVDCVE-2018-19542 at SUSECVE-2018-19542 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for sqlite3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for sqlite3 fixes the following issues:
Security issue fixed:
- CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).
ModerateSUSE bug 1150137CVE-2019-16168 at SUSECVE-2019-16168 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Updated to new ESR version 68.1 (bsc#1149323).
In addition to the already fixed vulnerabilities released in previous ESR updates,
the following were also fixed:
CVE-2019-11751, CVE-2019-11736, CVE-2019-9812, CVE-2019-11748, CVE-2019-11749,
CVE-2019-11750, CVE-2019-11738, CVE-2019-11747, CVE-2019-11735.
Several run-time issues were also resolved (bsc#1117473, bsc#1124525, bsc#1133810).
The version displayed in Help > About is now correct (bsc#1087200).
ImportantSUSE bug 1087200SUSE bug 1109465SUSE bug 1117473SUSE bug 1123482SUSE bug 1124525SUSE bug 1133810SUSE bug 1140868SUSE bug 1145665SUSE bug 1149323CVE-2019-11709 at SUSECVE-2019-11709 at NVDCVE-2019-11710 at SUSECVE-2019-11710 at NVDCVE-2019-11711 at SUSECVE-2019-11711 at NVDCVE-2019-11712 at SUSECVE-2019-11712 at NVDCVE-2019-11713 at SUSECVE-2019-11713 at NVDCVE-2019-11714 at SUSECVE-2019-11714 at NVDCVE-2019-11715 at SUSECVE-2019-11715 at NVDCVE-2019-11716 at SUSECVE-2019-11716 at NVDCVE-2019-11717 at SUSECVE-2019-11717 at NVDCVE-2019-11718 at SUSECVE-2019-11718 at NVDCVE-2019-11719 at SUSECVE-2019-11719 at NVDCVE-2019-11720 at SUSECVE-2019-11720 at NVDCVE-2019-11721 at SUSECVE-2019-11721 at NVDCVE-2019-11723 at SUSECVE-2019-11723 at NVDCVE-2019-11724 at SUSECVE-2019-11724 at NVDCVE-2019-11725 at SUSECVE-2019-11725 at NVDCVE-2019-11727 at SUSECVE-2019-11727 at NVDCVE-2019-11728 at SUSECVE-2019-11728 at NVDCVE-2019-11729 at SUSECVE-2019-11729 at NVDCVE-2019-11730 at SUSECVE-2019-11730 at NVDCVE-2019-11733 at SUSECVE-2019-11733 at NVDCVE-2019-11735 at SUSECVE-2019-11735 at NVDCVE-2019-11736 at SUSECVE-2019-11736 at NVDCVE-2019-11738 at SUSECVE-2019-11738 at NVDCVE-2019-11740 at SUSECVE-2019-11740 at NVDCVE-2019-11742 at SUSECVE-2019-11742 at NVDCVE-2019-11743 at SUSECVE-2019-11743 at NVDCVE-2019-11744 at SUSECVE-2019-11744 at NVDCVE-2019-11746 at SUSECVE-2019-11746 at NVDCVE-2019-11747 at SUSECVE-2019-11747 at NVDCVE-2019-11748 at SUSECVE-2019-11748 at NVDCVE-2019-11749 at SUSECVE-2019-11749 at NVDCVE-2019-11750 at SUSECVE-2019-11750 at NVDCVE-2019-11751 at SUSECVE-2019-11751 at NVDCVE-2019-11752 at SUSECVE-2019-11752 at NVDCVE-2019-11753 at SUSECVE-2019-11753 at NVDCVE-2019-9811 at SUSECVE-2019-9811 at NVDCVE-2019-9812 at SUSECVE-2019-9812 at NVDcpe:/o:suse:sles_teradata:12:sp3Recommended update for python-setuptools and dependend packages (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
All changes necessary for upgrade of python-setuptools to 40.6.2 (bsc#1075812)
New packages:
- python-cachetools
- python-google-auth
- python-packaging
Rebuilt without source changes:
- python-cffi
- python-cliff
- python-mock
- python-oauthlib
- python-pbr
- python-PyJWT
- python-pytest
Added python3 packages:
- python-hgtools
- python-pyasn1-modules
- python-rsa
Updated:
- python-kubernetes
Updated to version 6.0
- python-pyparsing
Was updated to version 2.2.0.
- python-setuptools
Was upgraded to version 40.6.2.
ModerateSUSE bug 1024540SUSE bug 1054413SUSE bug 1074247SUSE bug 1075812SUSE bug 1088358SUSE bug 1091826SUSE bug 1110422CVE-2016-9015 at SUSECVE-2016-9015 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for binutils (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for binutils fixes the following issues:
binutils was updated to current 2.32 branch @7b468db3 [jsc#ECO-368]:
Includes the following security fixes:
- CVE-2018-17358: Fixed invalid memory access in _bfd_stab_section_find_nearest_line in syms.c (bsc#1109412)
- CVE-2018-17359: Fixed invalid memory access exists in bfd_zalloc in opncls.c (bsc#1109413)
- CVE-2018-17360: Fixed heap-based buffer over-read in bfd_getl32 in libbfd.c (bsc#1109414)
- CVE-2018-17985: Fixed a stack consumption problem caused by the cplus_demangle_type (bsc#1116827)
- CVE-2018-18309: Fixed an invalid memory address dereference was discovered in read_reloc in reloc.c (bsc#1111996)
- CVE-2018-18483: Fixed get_count function provided by libiberty that allowed attackers to cause a denial of service or other unspecified impact (bsc#1112535)
- CVE-2018-18484: Fixed stack exhaustion in the C++ demangling functions provided by libiberty, caused by recursive stack frames (bsc#1112534)
- CVE-2018-18605: Fixed a heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup causing a denial of service (bsc#1113255)
- CVE-2018-18606: Fixed a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments, causing denial of service (bsc#1113252)
- CVE-2018-18607: Fixed a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section, causing denial of service (bsc#1113247)
- CVE-2018-19931: Fixed a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h (bsc#1118831)
- CVE-2018-19932: Fixed an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA (bsc#1118830)
- CVE-2018-20623: Fixed a use-after-free in the error function in elfcomm.c (bsc#1121035)
- CVE-2018-20651: Fixed a denial of service via a NULL pointer dereference in elf_link_add_object_symbols in elflink.c (bsc#1121034)
- CVE-2018-20671: Fixed an integer overflow that can trigger a heap-based buffer overflow in load_specific_debug_section in objdump.c (bsc#1121056)
- CVE-2018-1000876: Fixed integer overflow in bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc in objdump (bsc#1120640)
- CVE-2019-1010180: Fixed an out of bound memory access that could lead to crashes (bsc#1142772)
- Enable xtensa architecture (Tensilica lc6 and related)
- Use -ffat-lto-objects in order to provide assembly for static libs
(bsc#1141913).
- Fixed some LTO problems (bsc#1133131 bsc#1133232).
- riscv: Don't check ABI flags if no code section
Update to binutils 2.32:
* The binutils now support for the C-SKY processor series.
* The x86 assembler now supports a -mvexwig=[0|1] option to control
encoding of VEX.W-ignored (WIG) VEX instructions.
It also has a new -mx86-used-note=[yes|no] option to generate (or
not) x86 GNU property notes.
* The MIPS assembler now supports the Loongson EXTensions R2 (EXT2),
the Loongson EXTensions (EXT) instructions, the Loongson Content
Address Memory (CAM) ASE and the Loongson MultiMedia extensions
Instructions (MMI) ASE.
* The addr2line, c++filt, nm and objdump tools now have a default
limit on the maximum amount of recursion that is allowed whilst
demangling strings. This limit can be disabled if necessary.
* Objdump's --disassemble option can now take a parameter,
specifying the starting symbol for disassembly. Disassembly will
continue from this symbol up to the next symbol or the end of the
function.
* The BFD linker will now report property change in linker map file
when merging GNU properties.
* The BFD linker's -t option now doesn't report members within
archives, unless -t is given twice. This makes it more useful
when generating a list of files that should be packaged for a
linker bug report.
* The GOLD linker has improved warning messages for relocations that
refer to discarded sections.
- Improve relro support on s390 [fate#326356]
- Handle ELF compressed header alignment correctly.
ModerateSUSE bug 1109412SUSE bug 1109413SUSE bug 1109414SUSE bug 1111996SUSE bug 1112534SUSE bug 1112535SUSE bug 1113247SUSE bug 1113252SUSE bug 1113255SUSE bug 1116827SUSE bug 1118830SUSE bug 1118831SUSE bug 1120640SUSE bug 1121034SUSE bug 1121035SUSE bug 1121056SUSE bug 1133131SUSE bug 1133232SUSE bug 1141913SUSE bug 1142772CVE-2018-1000876 at SUSECVE-2018-1000876 at NVDCVE-2018-17358 at SUSECVE-2018-17358 at NVDCVE-2018-17359 at SUSECVE-2018-17359 at NVDCVE-2018-17360 at SUSECVE-2018-17360 at NVDCVE-2018-17985 at SUSECVE-2018-17985 at NVDCVE-2018-18309 at SUSECVE-2018-18309 at NVDCVE-2018-18483 at SUSECVE-2018-18483 at NVDCVE-2018-18484 at SUSECVE-2018-18484 at NVDCVE-2018-18605 at SUSECVE-2018-18605 at NVDCVE-2018-18606 at SUSECVE-2018-18606 at NVDCVE-2018-18607 at SUSECVE-2018-18607 at NVDCVE-2018-19931 at SUSECVE-2018-19931 at NVDCVE-2018-19932 at SUSECVE-2018-19932 at NVDCVE-2018-20623 at SUSECVE-2018-20623 at NVDCVE-2018-20651 at SUSECVE-2018-20651 at NVDCVE-2018-20671 at SUSECVE-2018-20671 at NVDCVE-2019-1010180 at SUSECVE-2019-1010180 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for sudo (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for sudo fixes the following issues:
Security issue fixed:
- CVE-2019-14287: Fixed an issue where a user with sudo privileges
that allowed them to run commands with an arbitrary uid, could
run commands as root, despite being forbidden to do so in sudoers
(bsc#1153674).
ImportantSUSE bug 1153674CVE-2019-14287 at SUSECVE-2019-14287 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libpcap (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libpcap fixes the following issues:
- CVE-2019-15165: Added sanity checks for PHB header length before allocating memory (bsc#1153332).
- CVE-2018-16301: Fixed a buffer overflow (bsc#1153332).
ImportantSUSE bug 1153332CVE-2018-16301 at SUSECVE-2018-16301 at NVDCVE-2019-15165 at SUSECVE-2019-15165 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python-xdg (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-xdg fixes the following issues:
Security issue fixed:
- CVE-2014-1624: Fixed a TOCTOU race condition in get_runtime_dir(). (bsc#859835)
ModerateSUSE bug 859835CVE-2014-1624 at SUSECVE-2014-1624 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for dhcp (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for dhcp fixes the following issues:
Secuirty issue fixed:
- CVE-2019-6470: Fixed DHCPv6 server crashes (bsc#1134078).
Bug fixes:
- Add compile option --enable-secs-byteorder to avoid duplicate lease warnings (bsc#1089524).
- Use IPv6 when called as dhclient6, dhcpd6, and dhcrelay6 (bsc#1136572).
ModerateSUSE bug 1089524SUSE bug 1134078SUSE bug 1136572CVE-2019-6470 at SUSECVE-2019-6470 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libcaca (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libcaca fixes the following issues:
Security issues fixed:
- CVE-2018-20544: Fixed a floating point exception at caca/dither.c (bsc#1120502)
- CVE-2018-20545: Fixed a WRITE memory access in the load_image function at common-image.c for 4bpp (bsc#1120584)
- CVE-2018-20546: Fixed a READ memory access in the get_rgba_default function at caca/dither.c for bpp (bsc#1120503)
- CVE-2018-20547: Fixed a READ memory access in the get_rgba_default function at caca/dither.c for 24bpp (bsc#1120504)
- CVE-2018-20548: Fixed a WRITE memory access in the load_image function at common-image.c for 1bpp (bsc#1120589)
- CVE-2018-20549: Fixed a WRITE memory access in the caca_file_read function at caca/file.c (bsc#1120470)
ModerateSUSE bug 1120470SUSE bug 1120502SUSE bug 1120503SUSE bug 1120504SUSE bug 1120584SUSE bug 1120589CVE-2018-20544 at SUSECVE-2018-20544 at NVDCVE-2018-20545 at SUSECVE-2018-20545 at NVDCVE-2018-20546 at SUSECVE-2018-20546 at NVDCVE-2018-20547 at SUSECVE-2018-20547 at NVDCVE-2018-20548 at SUSECVE-2018-20548 at NVDCVE-2018-20549 at SUSECVE-2018-20549 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python fixes the following issues:
Security issue fixed:
- CVE-2019-16056: Fixed a parser issue in the email module (bsc#1149955).
- CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238).
ModerateSUSE bug 1149955SUSE bug 1153238CVE-2019-16056 at SUSECVE-2019-16056 at NVDCVE-2019-16935 at SUSECVE-2019-16935 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for sysstat (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for sysstat fixes the following issue:
- CVE-2019-16167: Fixed a memory corruption due to an integer overflow. (bsc#1150114)
ModerateSUSE bug 1150114CVE-2019-16167 at SUSECVE-2019-16167 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python36 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python36 fixes the following issue:
- CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238).
ModerateSUSE bug 1153238CVE-2019-16935 at SUSECVE-2019-16935 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
Security issues fixed:
- CVE-2019-15890: Fixed a use-after-free in SLiRP networking implementation of QEMU emulator
which could have led to Denial of Service (bsc#1149813).
- CVE-2019-12068: Fixed an issue in lsi which could lead to an infinite loop and denial of
service (bsc#1146874).
- CVE-2019-14378: Fixed a heap buffer overflow in SLiRp networking implementation of QEMU
emulator which could have led to execution of arbitrary code with privileges of the
QEMU process (bsc#1143797).
Other issue fixed:
- Fixed an issue where libxenlight could not restore domain vsa6535522 on live migration (bsc#1133818).
ImportantSUSE bug 1126140SUSE bug 1126141SUSE bug 1126192SUSE bug 1126195SUSE bug 1126196SUSE bug 1126197SUSE bug 1126198SUSE bug 1126201SUSE bug 1127400SUSE bug 1133818SUSE bug 1143797SUSE bug 1146874SUSE bug 1149813CVE-2018-12126 at SUSECVE-2018-12126 at NVDCVE-2018-12127 at SUSECVE-2018-12127 at NVDCVE-2018-12130 at SUSECVE-2018-12130 at NVDCVE-2019-11091 at SUSECVE-2019-11091 at NVDCVE-2019-12068 at SUSECVE-2019-12068 at NVDCVE-2019-14378 at SUSECVE-2019-14378 at NVDCVE-2019-15890 at SUSECVE-2019-15890 at NVDCVE-2019-17340 at SUSECVE-2019-17340 at NVDCVE-2019-17341 at SUSECVE-2019-17341 at NVDCVE-2019-17342 at SUSECVE-2019-17342 at NVDCVE-2019-17343 at SUSECVE-2019-17343 at NVDCVE-2019-17344 at SUSECVE-2019-17344 at NVDCVE-2019-17345 at SUSECVE-2019-17345 at NVDCVE-2019-17346 at SUSECVE-2019-17346 at NVDCVE-2019-17347 at SUSECVE-2019-17347 at NVDCVE-2019-17348 at SUSECVE-2019-17348 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for accountsservice (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for accountsservice fixes the following issues:
Security issue fixed:
- CVE-2018-14036: Prevent directory traversal caused by an insufficient path
check in user_change_icon_file_authorized_cb() (bsc#1099699).
Non-security issue fixed:
- Improved wtmp io performance (bsc#1139487).
ModerateSUSE bug 1099699SUSE bug 1139487CVE-2018-14036 at SUSECVE-2018-14036 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ImageMagick fixes the following issues:
Security issues fixed:
- CVE-2019-15139: Fixed a denial-of-service vulnerability in ReadXWDImage. (bsc#1146213)
- CVE-2019-15140: Fixed a use-after-free bug in the Matlab image parser. (bsc#1146212)
- CVE-2019-15141: Fixed a divide-by-zero vulnerability in the MeanShiftImage function. (bsc#1146211)
- CVE-2019-14980: Fixed an application crash resulting from a heap-based buffer over-read in WriteTIFFImage. (bsc#1146068)
- CVE-2019-16708: Fixed a memory leak in magick/xwindow.c (bsc#1151781).
- CVE-2019-16709: Fixed a memory leak in coders/dps.c (bsc#1151782).
- CVE-2019-16710: Fixed a memory leak in coders/dot.c (bsc#1151783).
- CVE-2019-16711: Fixed a memory leak in Huffman2DEncodeImage in coders/ps2.c (bsc#1151784).
- CVE-2019-16712: Fixed a memory leak in Huffman2DEncodeImage in coders/ps3.c (bsc#1151785).
- CVE-2019-16713: Fixed a memory leak in coders/dot.c (bsc#1151786).
ModerateSUSE bug 1146068SUSE bug 1146211SUSE bug 1146212SUSE bug 1146213SUSE bug 1151781SUSE bug 1151782SUSE bug 1151783SUSE bug 1151784SUSE bug 1151785SUSE bug 1151786CVE-2019-14980 at SUSECVE-2019-14980 at NVDCVE-2019-15139 at SUSECVE-2019-15139 at NVDCVE-2019-15140 at SUSECVE-2019-15140 at NVDCVE-2019-15141 at SUSECVE-2019-15141 at NVDCVE-2019-16708 at SUSECVE-2019-16708 at NVDCVE-2019-16709 at SUSECVE-2019-16709 at NVDCVE-2019-16710 at SUSECVE-2019-16710 at NVDCVE-2019-16711 at SUSECVE-2019-16711 at NVDCVE-2019-16712 at SUSECVE-2019-16712 at NVDCVE-2019-16713 at SUSECVE-2019-16713 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3 fixes the following issues:
- CVE-2019-16056: Fixed a parser issue in the email module. (bsc#1149955)
- CVE-2018-20852: Fixed an incorrect domain validation that could lead to cookies being sent to the wrong server. (bsc#1141853)
ModerateSUSE bug 1141853SUSE bug 1149955CVE-2018-20852 at SUSECVE-2018-20852 at NVDCVE-2019-16056 at SUSECVE-2019-16056 at NVDcpe:/o:suse:sles_teradata:12:sp3Recommended update for rsyslog (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for rsyslog fixes the following issues:
Security issues fixed:
- CVE-2019-17041: Fixed a heap overflow in the parser for AIX log messages (bsc#1153451).
- CVE-2019-17042: Fixed a heap overflow in the parser for Cisco log messages (bsc#1153459).
Non-security issue fixed:
- imudp: fix segfault in ratelimit code (bsc#1149094)
ModerateSUSE bug 1149094SUSE bug 1153451SUSE bug 1153459CVE-2019-17041 at SUSECVE-2019-17041 at NVDCVE-2019-17042 at SUSECVE-2019-17042 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libunwind (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libunwind fixes the following issues:
Security issues fixed:
- CVE-2015-3239: Fixed a off-by-one in the dwarf_to_unw_regnum function (bsc#936786)
Non-security issues fixed:
- Fixed a dependency issue with libzmq5 (bsc#1122012)
- Fixed build on armv7 (bsc#976955)
ModerateSUSE bug 1122012SUSE bug 936786SUSE bug 976955CVE-2015-3239 at SUSECVE-2015-3239 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox to 68.2.0 ESR fixes the following issues:
Mozilla Firefox was updated to version 68.2.0 ESR (bsc#1154738).
Security issues fixed:
- CVE-2019-15903: Fixed a heap overflow in the expat library (bsc#1149429).
- CVE-2019-11757: Fixed a use-after-free when creating index updates in IndexedDB (bsc#1154738).
- CVE-2019-11758: Fixed a potentially exploitable crash due to 360 Total Security (bsc#1154738).
- CVE-2019-11759: Fixed a stack buffer overflow in HKDF output (bsc#1154738).
- CVE-2019-11760: Fixed a stack buffer overflow in WebRTC networking (bsc#1154738).
- CVE-2019-11761: Fixed an unintended access to a privileged JSONView object (bsc#1154738).
- CVE-2019-11762: Fixed a same-origin-property violation (bsc#1154738).
- CVE-2019-11763: Fixed an XSS bypass (bsc#1154738).
- CVE-2019-11764: Fixed several memory safety bugs (bsc#1154738).
Non-security issues fixed:
- Firefox 60.7 ESR changed the user interface language (bsc#1137990).
- Wrong Firefox GUI Language (bsc#1120374).
- Fixed an inadvertent crash report transmission without user opt-in (bsc#1074235).
- Firefox hangs randomly when browsing and scrolling (bsc#1043008).
- Firefox stops loading page until mouse is moved (bsc#1025108).
ImportantSUSE bug 1010399SUSE bug 1010405SUSE bug 1010406SUSE bug 1010408SUSE bug 1010409SUSE bug 1010421SUSE bug 1010423SUSE bug 1010424SUSE bug 1010425SUSE bug 1010426SUSE bug 1025108SUSE bug 1043008SUSE bug 1047281SUSE bug 1074235SUSE bug 1092611SUSE bug 1120374SUSE bug 1137990SUSE bug 1149429SUSE bug 1154738SUSE bug 959933SUSE bug 983922CVE-2016-2830 at SUSECVE-2016-2830 at NVDCVE-2016-5289 at SUSECVE-2016-5289 at NVDCVE-2016-5292 at SUSECVE-2016-5292 at NVDCVE-2016-9063 at SUSECVE-2016-9063 at NVDCVE-2016-9067 at SUSECVE-2016-9067 at NVDCVE-2016-9068 at SUSECVE-2016-9068 at NVDCVE-2016-9069 at SUSECVE-2016-9069 at NVDCVE-2016-9071 at SUSECVE-2016-9071 at NVDCVE-2016-9073 at SUSECVE-2016-9073 at NVDCVE-2016-9075 at SUSECVE-2016-9075 at NVDCVE-2016-9076 at SUSECVE-2016-9076 at NVDCVE-2016-9077 at SUSECVE-2016-9077 at NVDCVE-2017-7789 at SUSECVE-2017-7789 at NVDCVE-2018-5150 at SUSECVE-2018-5150 at NVDCVE-2018-5151 at SUSECVE-2018-5151 at NVDCVE-2018-5152 at SUSECVE-2018-5152 at NVDCVE-2018-5153 at SUSECVE-2018-5153 at NVDCVE-2018-5154 at SUSECVE-2018-5154 at NVDCVE-2018-5155 at SUSECVE-2018-5155 at NVDCVE-2018-5157 at SUSECVE-2018-5157 at NVDCVE-2018-5158 at SUSECVE-2018-5158 at NVDCVE-2018-5159 at SUSECVE-2018-5159 at NVDCVE-2018-5160 at SUSECVE-2018-5160 at NVDCVE-2018-5163 at SUSECVE-2018-5163 at NVDCVE-2018-5164 at SUSECVE-2018-5164 at NVDCVE-2018-5165 at SUSECVE-2018-5165 at NVDCVE-2018-5166 at SUSECVE-2018-5166 at NVDCVE-2018-5167 at SUSECVE-2018-5167 at NVDCVE-2018-5168 at SUSECVE-2018-5168 at NVDCVE-2018-5169 at SUSECVE-2018-5169 at NVDCVE-2018-5172 at SUSECVE-2018-5172 at NVDCVE-2018-5173 at SUSECVE-2018-5173 at NVDCVE-2018-5174 at SUSECVE-2018-5174 at NVDCVE-2018-5175 at SUSECVE-2018-5175 at NVDCVE-2018-5176 at SUSECVE-2018-5176 at NVDCVE-2018-5177 at SUSECVE-2018-5177 at NVDCVE-2018-5178 at SUSECVE-2018-5178 at NVDCVE-2018-5179 at SUSECVE-2018-5179 at NVDCVE-2018-5180 at SUSECVE-2018-5180 at NVDCVE-2018-5181 at SUSECVE-2018-5181 at NVDCVE-2018-5182 at SUSECVE-2018-5182 at NVDCVE-2018-5183 at SUSECVE-2018-5183 at NVDCVE-2019-11757 at SUSECVE-2019-11757 at NVDCVE-2019-11758 at SUSECVE-2019-11758 at NVDCVE-2019-11759 at SUSECVE-2019-11759 at NVDCVE-2019-11760 at SUSECVE-2019-11760 at NVDCVE-2019-11761 at SUSECVE-2019-11761 at NVDCVE-2019-11762 at SUSECVE-2019-11762 at NVDCVE-2019-11763 at SUSECVE-2019-11763 at NVDCVE-2019-11764 at SUSECVE-2019-11764 at NVDCVE-2019-15903 at SUSECVE-2019-15903 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for samba (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for samba fixes the following issues:
- CVE-2019-10218: Client code can return filenames containing path separators (bsc#1144902).
ImportantSUSE bug 1144902CVE-2019-10218 at SUSECVE-2019-10218 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for bluez (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for bluez fixes the following issue:
- CVE-2016-9798: Fixed a use-after-free in conf_opt (bsc#1013712).
ModerateSUSE bug 1013712CVE-2016-9798 at SUSECVE-2016-9798 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gdb (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gdb fixes the following issues:
Update to gdb 8.3.1: (jsc#ECO-368)
Security issues fixed:
- CVE-2019-1010180: Fixed a potential buffer overflow when loading ELF sections larger than the file. (bsc#1142772)
Upgrade libipt from v2.0 to v2.0.1.
- Enable librpm for version > librpm.so.3 [bsc#1145692]:
* Allow any librpm.so.x
* Add %build test to check for 'zypper install <rpm-packagename>'
message
- Copy gdbinit from fedora master @ 25caf28. Add
gdbinit.without-python, and use it for --without=python.
Rebase to 8.3 release (as in fedora 30 @ 1e222a3).
* DWARF index cache: GDB can now automatically save indices of DWARF
symbols on disk to speed up further loading of the same binaries.
* Ada task switching is now supported on aarch64-elf targets when
debugging a program using the Ravenscar Profile.
* Terminal styling is now available for the CLI and the TUI.
* Removed support for old demangling styles arm, edg, gnu, hp and
lucid.
* Support for new native configuration RISC-V GNU/Linux (riscv*-*-linux*).
- Implemented access to more POWER8 registers. [fate#326120, fate#325178]
- Also handle most new s390 arch13 instructions. [fate#327369, jsc#ECO-368]
ModerateSUSE bug 1115034SUSE bug 1142772SUSE bug 1145692CVE-2019-1010180 at SUSECVE-2019-1010180 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libssh2_org (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libssh2_org fixes the following issue:
- CVE-2019-17498: Fixed an integer overflow in a bounds check that might have led to the disclosure of sensitive information or a denial of service (bsc#1154862).
ModerateSUSE bug 1154862CVE-2019-17498 at SUSECVE-2019-17498 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libseccomp (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libseccomp fixes the following issues:
Update to new upstream release 2.4.1:
* Fix a BPF generation bug where the optimizer mistakenly
identified duplicate BPF code blocks.
Updated to 2.4.0 (bsc#1128828 CVE-2019-9893):
* Update the syscall table for Linux v5.0-rc5
* Added support for the SCMP_ACT_KILL_PROCESS action
* Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute
* Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension
* Added support for the parisc and parisc64 architectures
* Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3)
* Return -EDOM on an endian mismatch when adding an architecture to a filter
* Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run()
* Fix PFC generation when a syscall is prioritized, but no rule exists
* Numerous fixes to the seccomp-bpf filter generation code
* Switch our internal hashing function to jhash/Lookup3 to MurmurHash3
* Numerous tests added to the included test suite, coverage now at ~92%
* Update our Travis CI configuration to use Ubuntu 16.04
* Numerous documentation fixes and updates
Update to release 2.3.3:
* Updated the syscall table for Linux v4.15-rc7
Update to release 2.3.2:
* Achieved full compliance with the CII Best Practices program
* Added Travis CI builds to the GitHub repository
* Added code coverage reporting with the '--enable-code-coverage' configure
flag and added Coveralls to the GitHub repository
* Updated the syscall tables to match Linux v4.10-rc6+
* Support for building with Python v3.x
* Allow rules with the -1 syscall if the SCMP\_FLTATR\_API\_TSKIP attribute is
set to true
* Several small documentation fixes
- ignore make check error for ppc64/ppc64le, bypass bsc#1142614
ModerateSUSE bug 1082318SUSE bug 1128828SUSE bug 1142614CVE-2019-9893 at SUSECVE-2019-9893 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ucode-intel fixes the following issues:
- Updated to 20191112 security release (bsc#1155988)
- Processor Identifier Version Products
- Model Stepping F-MO-S/PI Old->New
- ---- new platforms ----------------------------------------
- CML-U62 A0 6-a6-0/80 000000c6 Core Gen10 Mobile
- CNL-U D0 6-66-3/80 0000002a Core Gen8 Mobile
- SKX-SP B1 6-55-3/97 01000150 Xeon Scalable
- ICL U/Y D1 6-7e-5/80 00000046 Core Gen10 Mobile
- ---- updated platforms ------------------------------------
- SKL U/Y D0 6-4e-3/c0 000000cc->000000d4 Core Gen6 Mobile
- SKL H/S/E3 R0/N0 6-5e-3/36 000000cc->000000d4 Core Gen6
- AML-Y22 H0 6-8e-9/10 000000b4->000000c6 Core Gen8 Mobile
- KBL-U/Y H0 6-8e-9/c0 000000b4->000000c6 Core Gen7 Mobile
- CFL-U43e D0 6-8e-a/c0 000000b4->000000c6 Core Gen8 Mobile
- WHL-U W0 6-8e-b/d0 000000b8->000000c6 Core Gen8 Mobile
- AML-Y V0 6-8e-c/94 000000b8->000000c6 Core Gen10 Mobile
- CML-U42 V0 6-8e-c/94 000000b8->000000c6 Core Gen10 Mobile
- WHL-U V0 6-8e-c/94 000000b8->000000c6 Core Gen8 Mobile
- KBL-G/X H0 6-9e-9/2a 000000b4->000000c6 Core Gen7/Gen8
- KBL-H/S/E3 B0 6-9e-9/2a 000000b4->000000c6 Core Gen7; Xeon E3 v6
- CFL-H/S/E3 U0 6-9e-a/22 000000b4->000000c6 Core Gen8 Desktop, Mobile, Xeon E
- CFL-S B0 6-9e-b/02 000000b4->000000c6 Core Gen8
- CFL-H R0 6-9e-d/22 000000b8->000000c6 Core Gen9 Mobile
- Includes security fixes for:
- CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073)
- CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035)
- requires coreutils for the %post script (bsc#1154043)
ImportantSUSE bug 1139073SUSE bug 1141035SUSE bug 1154043SUSE bug 1155988CVE-2019-11135 at SUSECVE-2019-11135 at NVDCVE-2019-11139 at SUSECVE-2019-11139 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libjpeg-turbo (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libjpeg-turbo fixes the following issues:
- CVE-2019-2201: Several integer overflow issues and subsequent segfaults occurred in libjpeg-turbo,
when attempting to compress or decompress gigapixel images. [bsc#1156402]
ImportantSUSE bug 1156402CVE-2019-2201 at SUSECVE-2019-2201 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ghostscript (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ghostscript fixes the following issue:
- CVE-2019-14869: Fixed a possible dSAFER escape which could have allowed
an attacker to gain high privileges by a specially crafted Postscript
code (bsc#1156275).
ImportantSUSE bug 1156275CVE-2019-14869 at SUSECVE-2019-14869 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ucode-intel fixes the following issues:
- Updated to 20191112 official security release (bsc#1155988)
- Includes security fixes for:
- CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073)
- CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035)
ImportantSUSE bug 1139073SUSE bug 1141035SUSE bug 1155988CVE-2019-11135 at SUSECVE-2019-11135 at NVDCVE-2019-11139 at SUSECVE-2019-11139 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for dpdk (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for dpdk to version 16.11.9 fixes the following issues:
- CVE-2019-14818: Fixed a memory leak vulnerability caused by a malicious
container may lead to to denial of service (bsc#1156146).
ModerateSUSE bug 1156146CVE-2019-14818 at SUSECVE-2019-14818 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for aspell (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for aspell fixes the following issues:
- CVE-2019-17544: Fixed a stack-based buffer over-read in acommon:unescape in common/getdata.cpp via an isolated backslash (bsc#1153892).
ModerateSUSE bug 1153892CVE-2019-17544 at SUSECVE-2019-17544 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for sqlite3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for sqlite3 fixes the following issues:
- CVE-2017-2518: Fixed a use-after-free vulnerability which could have
led to buffer overflow via a crafted SQL statement (bsc#1155787).
ImportantSUSE bug 1155787CVE-2017-2518 at SUSECVE-2017-2518 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for cups (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for cups fixes the following issues:
- CVE-2019-8675: Fixed a stack buffer overflow in libcups's asn1_get_type function(bsc#1146358).
- CVE-2019-8696: Fixed a stack buffer overflow in libcups's asn1_get_packed function (bsc#1146359).
ImportantSUSE bug 1146358SUSE bug 1146359CVE-2019-8675 at SUSECVE-2019-8675 at NVDCVE-2019-8696 at SUSECVE-2019-8696 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tiff (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tiff fixes the following issues:
Security issues fixed:
- CVE-2019-14973: Fixed an improper check which was depended on the compiler
which could have led to integer overflow (bsc#1146608).
- CVE-2016-5102: Fixed a buffer overflow in readgifimage() (bsc#983268)
- CVE-2018-17000: Fixed a NULL pointer dereference in the _TIFFmemcmp function (bsc#1108606).
- CVE-2019-6128: Fixed a memory leak in the TIFFFdOpen function in tif_unix.c (bsc#1121626).
- CVE-2019-7663: Fixed an invalid address dereference in the
TIFFWriteDirectoryTagTransfer function in libtiff/tif_dirwrite.c (bsc#1125113)
ModerateSUSE bug 1108606SUSE bug 1121626SUSE bug 1125113SUSE bug 1146608SUSE bug 983268CVE-2016-5102 at SUSECVE-2016-5102 at NVDCVE-2018-17000 at SUSECVE-2018-17000 at NVDCVE-2019-14973 at SUSECVE-2019-14973 at NVDCVE-2019-6128 at SUSECVE-2019-6128 at NVDCVE-2019-7663 at SUSECVE-2019-7663 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for cpio (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for cpio fixes the following issues:
- CVE-2019-14866: Fixed an improper validation of the values written
in the header of a TAR file through the to_oct() function which could
have led to unexpected TAR generation (bsc#1155199).
ModerateSUSE bug 1155199CVE-2019-14866 at SUSECVE-2019-14866 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for clamav (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for clamav fixes the following issues:
Security issue fixed:
- CVE-2019-12625: Fixed a ZIP bomb issue by adding detection and heuristics for zips with overlapping files (bsc#1144504).
- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1149458).
Non-security issues fixed:
- Added the --max-scantime clamscan option and MaxScanTime clamd configuration option (bsc#1144504).
- Increased the startup timeout of clamd to 5 minutes to cater for the grown virus database as a workaround until clamd has learned to talk to systemd to extend the timeout as long as needed (bsc#1151839).
ModerateSUSE bug 1144504SUSE bug 1149458SUSE bug 1151839CVE-2019-12625 at SUSECVE-2019-12625 at NVDCVE-2019-12900 at SUSECVE-2019-12900 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for mailman (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mailman fixes the following issues:
- CVE-2019-3693: Fixed a local privilege escalation from wwwrun to root (bsc#1154328).
ImportantSUSE bug 1154328CVE-2019-3693 at SUSECVE-2019-3693 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_7_0-openjdk fixes the following issues:
Security issues fixed (October 2019 CPU bsc#1154212):
- CVE-2019-2933: Windows file handling redux
- CVE-2019-2945: Better socket support
- CVE-2019-2949: Better Kerberos ccache handling
- CVE-2019-2958: Build Better Processes
- CVE-2019-2964: Better support for patterns
- CVE-2019-2962: Better Glyph Images
- CVE-2019-2973: Better pattern compilation
- CVE-2019-2978: Improved handling of jar files
- CVE-2019-2981: Better Path supports
- CVE-2019-2983: Better serial attributes
- CVE-2019-2987: Better rendering of native glyphs
- CVE-2019-2988: Better Graphics2D drawing
- CVE-2019-2989: Improve TLS connection support
- CVE-2019-2992: Enhance font glyph mapping
- CVE-2019-2999: Commentary on Javadoc comments
- CVE-2019-2894: Enhance ECDSA operations (bsc#1152856).
ImportantSUSE bug 1152856SUSE bug 1154212CVE-2019-2894 at SUSECVE-2019-2894 at NVDCVE-2019-2933 at SUSECVE-2019-2933 at NVDCVE-2019-2945 at SUSECVE-2019-2945 at NVDCVE-2019-2949 at SUSECVE-2019-2949 at NVDCVE-2019-2958 at SUSECVE-2019-2958 at NVDCVE-2019-2962 at SUSECVE-2019-2962 at NVDCVE-2019-2964 at SUSECVE-2019-2964 at NVDCVE-2019-2973 at SUSECVE-2019-2973 at NVDCVE-2019-2978 at SUSECVE-2019-2978 at NVDCVE-2019-2981 at SUSECVE-2019-2981 at NVDCVE-2019-2983 at SUSECVE-2019-2983 at NVDCVE-2019-2987 at SUSECVE-2019-2987 at NVDCVE-2019-2988 at SUSECVE-2019-2988 at NVDCVE-2019-2989 at SUSECVE-2019-2989 at NVDCVE-2019-2992 at SUSECVE-2019-2992 at NVDCVE-2019-2999 at SUSECVE-2019-2999 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libxml2 (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libxml2 doesn't fix any additional security issues, but correct the rpm changelog to reflect
all CVEs that have been fixed over the past.
LowSUSE bug 1123919cpe:/o:suse:sles_teradata:12:sp3Security update for libarchive (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libarchive fixes the following issues:
Security issues fixed:
- CVE-2018-1000877: Fixed a double free vulnerability in RAR decoder (bsc#1120653).
- CVE-2018-1000878: Fixed a Use-After-Free vulnerability in RAR decoder (bsc#1120654).
- CVE-2019-1000019: Fixed an Out-Of-Bounds Read vulnerability in 7zip decompression (bsc#1124341).
- CVE-2019-1000020: Fixed an Infinite Loop vulnerability in ISO9660 parser (bsc#1124342).
- CVE-2019-18408: Fixed a use-after-free in RAR format support (bsc#1155079).
ModerateSUSE bug 1032089SUSE bug 1037008SUSE bug 1037009SUSE bug 1059134SUSE bug 1059139SUSE bug 1120653SUSE bug 1120654SUSE bug 1124341SUSE bug 1124342SUSE bug 1155079CVE-2016-10209 at SUSECVE-2016-10209 at NVDCVE-2016-10349 at SUSECVE-2016-10349 at NVDCVE-2016-10350 at SUSECVE-2016-10350 at NVDCVE-2017-14501 at SUSECVE-2017-14501 at NVDCVE-2017-14502 at SUSECVE-2017-14502 at NVDCVE-2018-1000877 at SUSECVE-2018-1000877 at NVDCVE-2018-1000878 at SUSECVE-2018-1000878 at NVDCVE-2019-1000019 at SUSECVE-2019-1000019 at NVDCVE-2019-1000020 at SUSECVE-2019-1000020 at NVDCVE-2019-18408 at SUSECVE-2019-18408 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ncurses (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ncurses fixes the following issues:
Security issue fixed:
- CVE-2018-10754: Fixed a denial of service caused by a NULL Pointer Dereference in the _nc_parse_entry() (bsc#1131830).
- CVE-2019-17594: Fixed a heap-based buffer over-read in _nc_find_entry function in tinfo/comp_hash.c (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in fmt_entry function in tinfo/comp_hash.c (bsc#1154037).
Bug fixes:
- Fixed ppc64le build configuration (bsc#1134550).
ModerateSUSE bug 1131830SUSE bug 1134550SUSE bug 1154036SUSE bug 1154037CVE-2018-10754 at SUSECVE-2018-10754 at NVDCVE-2019-17594 at SUSECVE-2019-17594 at NVDCVE-2019-17595 at SUSECVE-2019-17595 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for LibVNCServer (Critical)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for LibVNCServer fixes the following issues:
Security issues fixed:
- CVE-2018-20749: Fixed a heap out of bounds write vulnerability in rfbserver.c (bsc#1123828)
- CVE-2018-20750: Fixed a heap out of bounds write vulnerability in rfbserver.c (bsc#1123832)
- CVE-2018-20748: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1123823)
CriticalSUSE bug 1123823SUSE bug 1123828SUSE bug 1123832CVE-2018-20748 at SUSECVE-2018-20748 at NVDCVE-2018-20749 at SUSECVE-2018-20749 at NVDCVE-2018-20750 at SUSECVE-2018-20750 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for clamav (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for clamav fixes the following issues:
- CVE-2019-15961: Fixed a denial of service which might occur when
scanning a specially crafted email file as (bsc#1157763).
ImportantSUSE bug 1157763CVE-2019-15961 at SUSECVE-2019-15961 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for permissions (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for permissions fixes the following issues:
- CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid
which could have allowed a squid user to gain persistence by changing the
binary (bsc#1093414).
- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic
links (bsc#1150734).
- Fixed a regression which caused segmentation fault (bsc#1157198).
ModerateSUSE bug 1093414SUSE bug 1150734SUSE bug 1157198CVE-2019-3688 at SUSECVE-2019-3688 at NVDCVE-2019-3690 at SUSECVE-2019-3690 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for Mesa (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for Mesa fixes the following issues:
Security issue fixed:
- CVE-2019-5068: Fixed exploitable shared memory permissions vulnerability (bsc#1156015).
ModerateSUSE bug 1156015CVE-2019-5068 at SUSECVE-2019-5068 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for apache2-mod_perl (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for apache2-mod_perl fixes the following issues:
Security issue fixed:
- CVE-2011-2767: Fixed a vulnerability which could have allowed
perl code execution in the context of user account (bsc#1156944).
Other issue addressed:
- Restore process name after sv_setpv_mg() call. (bsc#1091625)
ModerateSUSE bug 1091625SUSE bug 1156944CVE-2011-2767 at SUSECVE-2011-2767 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for strongswan (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for strongswan provides the following fixes:
Security issues fixed:
- CVE-2018-5388: Fixed a buffer underflow which may allow to a remote attacker
with local user credentials to resource exhaustion and denial of service while
reading from the socket (bsc#1094462).
- CVE-2018-10811: Fixed a denial of service during the IKEv2 key derivation if
the openssl plugin is used in FIPS mode and HMAC-MD5 is negotiated as PRF
(bsc#1093536).
- CVE-2018-16151,CVE-2018-16152: Fixed multiple flaws in the gmp plugin which
might lead to authorization bypass (bsc#1107874).
- CVE-2018-17540: Fixed an improper input validation in gmp plugin (bsc#1109845).
Other issues addressed:
- Fixed some client fails when the scep server URL is used with HTTPS protocol (bsc#1071853).
- Reject Diffie-Hellman key exchanges using primes smaller than 1024 bit.
- Handle unexpected informational message from SonicWall. (bsc#1009254)
ImportantSUSE bug 1009254SUSE bug 1071853SUSE bug 1093536SUSE bug 1094462SUSE bug 1107874SUSE bug 1109845CVE-2018-10811 at SUSECVE-2018-10811 at NVDCVE-2018-16151 at SUSECVE-2018-16151 at NVDCVE-2018-16152 at SUSECVE-2018-16152 at NVDCVE-2018-17540 at SUSECVE-2018-17540 at NVDCVE-2018-5388 at SUSECVE-2018-5388 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
- CVE-2019-19581: Fixed a potential out of bounds on 32-bit Arm (bsc#1158003 XSA-307).
- CVE-2019-19582: Fixed a potential infinite loop when x86 accesses to bitmaps with
a compile time known size of 64 (bsc#1158003 XSA-307).
- CVE-2019-19583: Fixed improper checks which could have allowed HVM/PVH guest userspace
code to crash the guest,leading to a guest denial of service (bsc#1158004 XSA-308).
- CVE-2019-19578: Fixed an issue where a malicious or buggy PV guest could have caused
hypervisor crash resulting in denial of service affecting the entire host (bsc#1158005 XSA-309).
- CVE-2019-19580: Fixed a privilege escalation where a malicious PV guest administrator
could have been able to escalate their privilege to that of the host (bsc#1158006 XSA-310).
- CVE-2019-19577: Fixed an issue where a malicious guest administrator could have caused Xen
to access data structures while they are being modified leading to a crash (bsc#1158007 XSA-311).
- CVE-2019-19579: Fixed a privilege escaltion where an untrusted domain with access
to a physical device can DMA into host memory (bsc#1157888 XSA-306).
- CVE-2019-18420: Malicious x86 PV guests may have caused a hypervisor crash,
resulting in a denial of service (bsc#1154448 XSA-296)
- CVE-2019-18425: 32-bit PV guest user mode could elevate its privileges to that
of the guest kernel. (bsc#1154456 XSA-298).
- CVE-2019-18421: A malicious PV guest administrator may have been able to
escalate their privilege to that of the host. (bsc#1154458 XSA-299).
- CVE-2019-18423: A malicious guest administrator may cause a hypervisor crash,
resulting in a denial of service (bsc#1154460 XSA-301).
- CVE-2019-18422: A malicious ARM guest might contrive to arrange for critical
Xen code to run with interrupts erroneously enabled. This could lead to data
corruption, denial of service, or possibly even privilege escalation. However
a precise attack technique has not been identified. (bsc#1154464 XSA-303)
- CVE-2019-18424: An untrusted domain with access to a physical device can DMA
into host memory, leading to privilege escalation. (bsc#1154461 XSA-302).
- CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race
condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine
Exception during Page Size Change, causing the CPU core to be non-functional.
(bsc#1155945 XSA-304)
- CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with
Transactional Memory support could be used to facilitate sidechannel
information leaks out of microarchitectural buffers, similar to the
previously described 'Microarchitectural Data Sampling' attack. (bsc#1152497 XSA-305).
ImportantSUSE bug 1152497SUSE bug 1154448SUSE bug 1154456SUSE bug 1154458SUSE bug 1154460SUSE bug 1154461SUSE bug 1154464SUSE bug 1155945SUSE bug 1157888SUSE bug 1158003SUSE bug 1158004SUSE bug 1158005SUSE bug 1158006SUSE bug 1158007CVE-2018-12207 at SUSECVE-2018-12207 at NVDCVE-2019-11135 at SUSECVE-2019-11135 at NVDCVE-2019-18420 at SUSECVE-2019-18420 at NVDCVE-2019-18421 at SUSECVE-2019-18421 at NVDCVE-2019-18422 at SUSECVE-2019-18422 at NVDCVE-2019-18423 at SUSECVE-2019-18423 at NVDCVE-2019-18424 at SUSECVE-2019-18424 at NVDCVE-2019-18425 at SUSECVE-2019-18425 at NVDCVE-2019-19577 at SUSECVE-2019-19577 at NVDCVE-2019-19578 at SUSECVE-2019-19578 at NVDCVE-2019-19579 at SUSECVE-2019-19579 at NVDCVE-2019-19580 at SUSECVE-2019-19580 at NVDCVE-2019-19581 at SUSECVE-2019-19581 at NVDCVE-2019-19582 at SUSECVE-2019-19582 at NVDCVE-2019-19583 at SUSECVE-2019-19583 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for git (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for git fixes the following issues:
Security issues fixed:
- CVE-2019-1349: Fixed issue on Windows, when submodules are cloned recursively, under certain circumstances Git could be fooled into using the same Git directory twice (bsc#1158787).
- CVE-2019-19604: Fixed a recursive clone followed by a submodule update could execute code contained within the repository without the user explicitly having asked for that (bsc#1158795).
- CVE-2019-1387: Fixed recursive clones that are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones (bsc#1158793).
- CVE-2019-1354: Fixed issue on Windows that refuses to write tracked files with filenames that contain backslashes (bsc#1158792).
- CVE-2019-1353: Fixed issue when run in the Windows Subsystem for Linux while accessing a working directory on a regular Windows drive, none of the NTFS protections were active (bsc#1158791).
- CVE-2019-1352: Fixed issue on Windows was unaware of NTFS Alternate Data Streams (bsc#1158790).
- CVE-2019-1351: Fixed issue on Windows mistakes drive letters outside of the US-English alphabet as relative paths (bsc#1158789).
- CVE-2019-1350: Fixed incorrect quoting of command-line arguments allowed remote code execution during a recursive clone in conjunction with SSH URLs (bsc#1158788).
- CVE-2019-1348: Fixed the --export-marks option of fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths (bsc#1158785).
- Fixed an issue where git send-email fails to authenticate with SMTP server (bsc#1082023)
ImportantSUSE bug 1082023SUSE bug 1158785SUSE bug 1158787SUSE bug 1158788SUSE bug 1158789SUSE bug 1158790SUSE bug 1158791SUSE bug 1158792SUSE bug 1158793SUSE bug 1158795CVE-2019-1348 at SUSECVE-2019-1348 at NVDCVE-2019-1349 at SUSECVE-2019-1349 at NVDCVE-2019-1350 at SUSECVE-2019-1350 at NVDCVE-2019-1351 at SUSECVE-2019-1351 at NVDCVE-2019-1352 at SUSECVE-2019-1352 at NVDCVE-2019-1353 at SUSECVE-2019-1353 at NVDCVE-2019-1354 at SUSECVE-2019-1354 at NVDCVE-2019-1387 at SUSECVE-2019-1387 at NVDCVE-2019-19604 at SUSECVE-2019-19604 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Mozilla Firefox was updated to 68.3esr (MFSA 2019-37 bsc#1158328)
Security issues fixed:
- CVE-2019-17008: Fixed a use-after-free in worker destruction (bmo#1546331)
- CVE-2019-13722: Fixed a stack corruption due to incorrect number of arguments
in WebRTC code (bmo#1580156)
- CVE-2019-11745: Fixed an out of bounds write in NSS when encrypting with a
block cipher (bmo#1586176)
- CVE-2019-17009: Fixed an issue where updater temporary files accessible to
unprivileged processes (bmo#1510494)
- CVE-2019-17010: Fixed a use-after-free when performing device orientation
checks (bmo#1581084)
- CVE-2019-17005: Fixed a buffer overflow in plain text serializer (bmo#1584170)
- CVE-2019-17011: Fixed a use-after-free when retrieving a document
in antitracking (bmo#1591334)
- CVE-2019-17012: Fixed multiple memmory issues
(bmo#1449736, bmo#1533957, bmo#1560667,bmo#1567209, bmo#1580288, bmo#1585760,
bmo#1592502)
ImportantSUSE bug 1158328CVE-2019-11745 at SUSECVE-2019-11745 at NVDCVE-2019-13722 at SUSECVE-2019-13722 at NVDCVE-2019-17005 at SUSECVE-2019-17005 at NVDCVE-2019-17008 at SUSECVE-2019-17008 at NVDCVE-2019-17009 at SUSECVE-2019-17009 at NVDCVE-2019-17010 at SUSECVE-2019-17010 at NVDCVE-2019-17011 at SUSECVE-2019-17011 at NVDCVE-2019-17012 at SUSECVE-2019-17012 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Security issues fixed:
CVE-2018-18500: Fixed a use-after-free parsing HTML5 stream (boo#1122983).
CVE-2018-18501: Fixed multiple memory safety bugs (boo#1122983).
CVE-2018-18505: Fixed a privilege escalation through IPC channel messages (boo#1122983).
ImportantSUSE bug 1120374SUSE bug 1122983CVE-2018-18500 at SUSECVE-2018-18500 at NVDCVE-2018-18501 at SUSECVE-2018-18501 at NVDCVE-2018-18505 at SUSECVE-2018-18505 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python-numpy (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-numpy fixes the following issue:
Security issue fixed:
- CVE-2019-6446: Set allow_pickle to false by default to restrict loading untrusted content (bsc#1122208).
With this update we decrease the possibility of allowing remote attackers to execute arbitrary code by
misusing numpy.load(). A warning during runtime will show-up when the allow_pickle is not explicitly set.
NOTE: By applying this update the behavior of python-numpy changes, which might break your application.
In order to get the old behaviour back, you have to explicitly set `allow_pickle` to True. Be aware
that this should only be done for trusted input, as loading untrusted input might lead to arbitrary code
execution.
ImportantSUSE bug 1122208CVE-2019-6446 at SUSECVE-2019-6446 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for systemd (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for systemd fixes the following issues:
Security vulnerability fixed:
- CVE-2019-6454: Fixed a crash of PID1 by sending specially crafted D-BUS
message on the system bus by an unprivileged user (bsc#1125352)
Other bug fixes and changes:
- journal-remote: set a limit on the number of fields in a message
- journal-remote: verify entry length from header
- journald: set a limit on the number of fields (1k)
- journald: do not store the iovec entry for process commandline on stack
- core: include Found state in device dumps
- device: fix serialization and deserialization of DeviceFound
- fix path in btrfs rule (#6844)
- assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025)
- Update systemd-system.conf.xml (bsc#1122000)
- units: inform user that the default target is started after exiting from rescue or emergency mode
- manager: don't skip sigchld handler for main and control pid for services (#3738)
- core: Add helper functions unit_{main, control}_pid
- manager: Fixing a debug printf formatting mistake (#3640)
- manager: Only invoke a single sigchld per unit within a cleanup cycle (bsc#1117382)
- core: update invoke_sigchld_event() to handle NULL ->sigchld_event()
- sd-event: expose the event loop iteration counter via sd_event_get_iteration() (#3631)
- unit: rework a bit how we keep the service fdstore from being destroyed during service restart (bsc#1122344)
- core: when restarting services, don't close fds
- cryptsetup: Add dependency on loopback setup to generated units
- journal-gateway: use localStorage['cursor'] only when it has valid value
- journal-gateway: explicitly declare local variables
- analyze: actually select longest activated-time of services
- sd-bus: fix implicit downcast of bitfield reported by LGTM
- core: free lines after reading them (bsc#1123892)
- pam_systemd: reword message about not creating a session (bsc#1111498)
- pam_systemd: suppress LOG_DEBUG log messages if debugging is off (bsc#1111498)
- main: improve RLIMIT_NOFILE handling (#5795) (bsc#1120658)
- sd-bus: if we receive an invalid dbus message, ignore and proceeed
- automount: don't pass non-blocking pipe to kernel.
- units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333)
- units: add Wants=initrd-cleanup.service to initrd-switch-root.target (#4345) (bsc#1123333)
ImportantSUSE bug 1111498SUSE bug 1117025SUSE bug 1117382SUSE bug 1120658SUSE bug 1122000SUSE bug 1122344SUSE bug 1123333SUSE bug 1123892SUSE bug 1125352CVE-2019-6454 at SUSECVE-2019-6454 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for procps (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for procps fixes the following security issues:
- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top
with HOME unset in an attacker-controlled directory, the attacker could have
achieved privilege escalation by exploiting one of several vulnerabilities in
the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow.
Inbuilt protection in ps maped a guard page at the end of the overflowed
buffer, ensuring that the impact of this flaw is limited to a crash (temporary
denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap
corruption in file2strvec function. This allowed a privilege escalation for a
local attacker who can create entries in procfs by starting processes, which
could result in crashes or arbitrary code execution in proc utilities run by
other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was
mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent
truncation/integer overflow issues (bsc#1092100).
(These issues were previously released for SUSE Linux Enterprise 12 SP3 and SP4.)
Also the following non-security issue was fixed:
- Fix CPU summary showing old data. (bsc#1121753)
ImportantSUSE bug 1092100SUSE bug 1121753CVE-2018-1122 at SUSECVE-2018-1122 at NVDCVE-2018-1123 at SUSECVE-2018-1123 at NVDCVE-2018-1124 at SUSECVE-2018-1124 at NVDCVE-2018-1125 at SUSECVE-2018-1125 at NVDCVE-2018-1126 at SUSECVE-2018-1126 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python fixes the following issues:
Security issues fixed:
- CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191).
- CVE-2018-14647: Fixed a denial-of-service vulnerability in Expat (bsc#1109847).
Non-security issue fixed:
- Fixed a bug where PyWeakReference struct was not initialized correctly leading to a crash (bsc#1073748).
ImportantSUSE bug 1073748SUSE bug 1109847SUSE bug 1122191CVE-2018-14647 at SUSECVE-2018-14647 at NVDCVE-2019-5010 at SUSECVE-2019-5010 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_7_0-openjdk to version 7u201 fixes the following issues:
Security issues fixed:
- CVE-2018-3136: Manifest better support (bsc#1112142)
- CVE-2018-3139: Better HTTP Redirection (bsc#1112143)
- CVE-2018-3149: Enhance JNDI lookups (bsc#1112144)
- CVE-2018-3169: Improve field accesses (bsc#1112146)
- CVE-2018-3180: Improve TLS connections stability (bsc#1112147)
- CVE-2018-3214: Better RIFF reading support (bsc#1112152)
- CVE-2018-13785: Upgrade JDK 8u to libpng 1.6.35 (bsc#1112153)
- CVE-2018-16435: heap-based buffer overflow in SetData function in cmsIT8LoadFromFile
- CVE-2018-2938: Support Derby connections (bsc#1101644)
- CVE-2018-2940: Better stack walking (bsc#1101645)
- CVE-2018-2952: Exception to Pattern Syntax (bsc#1101651)
- CVE-2018-2973: Improve LDAP support (bsc#1101656)
- CVE-2018-3639 cpu speculative store bypass mitigation
ImportantSUSE bug 1101644SUSE bug 1101645SUSE bug 1101651SUSE bug 1101656SUSE bug 1112142SUSE bug 1112143SUSE bug 1112144SUSE bug 1112146SUSE bug 1112147SUSE bug 1112152SUSE bug 1112153CVE-2018-13785 at SUSECVE-2018-13785 at NVDCVE-2018-16435 at SUSECVE-2018-16435 at NVDCVE-2018-2938 at SUSECVE-2018-2938 at NVDCVE-2018-2940 at SUSECVE-2018-2940 at NVDCVE-2018-2952 at SUSECVE-2018-2952 at NVDCVE-2018-2973 at SUSECVE-2018-2973 at NVDCVE-2018-3136 at SUSECVE-2018-3136 at NVDCVE-2018-3139 at SUSECVE-2018-3139 at NVDCVE-2018-3149 at SUSECVE-2018-3149 at NVDCVE-2018-3169 at SUSECVE-2018-3169 at NVDCVE-2018-3180 at SUSECVE-2018-3180 at NVDCVE-2018-3214 at SUSECVE-2018-3214 at NVDCVE-2018-3639 at SUSECVE-2018-3639 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for apache2 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for apache2 fixes the following issues:
Security issues fixed:
- CVE-2018-17189: Fixed a denial of service in mod_http2, via slow and unneeded request bodies (bsc#1122838)
- CVE-2018-17199: Fixed that mod_session_cookie did not respect expiry time (bsc#1122839)
Non-security issue fixed:
- sysconfig.d is not created anymore if it already exists (bsc#1121086)
ModerateSUSE bug 1121086SUSE bug 1122838SUSE bug 1122839CVE-2018-17189 at SUSECVE-2018-17189 at NVDCVE-2018-17199 at SUSECVE-2018-17199 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ceph (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ceph fixes the following issues:
Security issues fixed:
- CVE-2018-14662: mon: limit caps allowed to access the config store (bsc#1111177)
- CVE-2018-16846: rgw: enforce bounds on max-keys/max-uploads/max-parts (bsc#1114710)
- CVE-2018-16889: rgw: sanitize customer encryption keys from log output in v4 auth (bsc#1121567)
Non-security issue fixed:
- os/bluestore: avoid frequent allocator dump on bluefs rebalance failure (bsc#1113246)
ImportantSUSE bug 1111177SUSE bug 1113246SUSE bug 1114710SUSE bug 1121567CVE-2018-14662 at SUSECVE-2018-14662 at NVDCVE-2018-16846 at SUSECVE-2018-16846 at NVDCVE-2018-16889 at SUSECVE-2018-16889 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 to version 2.22.6 fixes the following issues:
Security issues fixed:
- CVE-2019-6212: Fixed multiple memory corruption vulnerabilities which could allow arbitrary code execution during the processing
of special crafted web-content.
- CVE-2019-6215: Fixed a type confusion vulnerability which could allow arbitrary code execution during the processing
of special crafted web-content.
- CVE-2019-6216: Fixed multiple memory corruption vulnerabilities which could allow arbitrary code execution during the processing
of special crafted web-content.
- CVE-2019-6217: Fixed multiple memory corruption vulnerabilities which could allow arbitrary code execution during the processing
of special crafted web-content.
- CVE-2019-6226: Fixed multiple memory corruption vulnerabilities which could allow arbitrary code execution during the processing
of special crafted web-content.
- CVE-2019-6227: Fixed a memory corruption vulnerability which could allow arbitrary code execution during the processing
of special crafted web-content.
- CVE-2019-6229: Fixed a logic issue by improving validation which could allow arbitrary code execution during the processing
of special crafted web-content.
- CVE-2019-6233: Fixed a memory corruption vulnerability which could allow arbitrary code execution during the processing
of special crafted web-content.
- CVE-2019-6234: Fixed a memory corruption vulnerability which could allow arbitrary code execution during the processing
of special crafted web-content.
Other issues addressed:
- Update to version 2.22.6 (bsc#1124937).
- Kinetic scrolling slow down smoothly when reaching the ends of pages, instead of abruptly, to better match the GTK+ behaviour.
- Fixed Web inspector magnifier under Wayland.
- Fixed garbled rendering of some websites (e.g. YouTube) while scrolling under X11.
- Fixed several crashes, race conditions, and rendering issues.
ImportantSUSE bug 1124937CVE-2019-6212 at SUSECVE-2019-6212 at NVDCVE-2019-6215 at SUSECVE-2019-6215 at NVDCVE-2019-6216 at SUSECVE-2019-6216 at NVDCVE-2019-6217 at SUSECVE-2019-6217 at NVDCVE-2019-6226 at SUSECVE-2019-6226 at NVDCVE-2019-6227 at SUSECVE-2019-6227 at NVDCVE-2019-6229 at SUSECVE-2019-6229 at NVDCVE-2019-6233 at SUSECVE-2019-6233 at NVDCVE-2019-6234 at SUSECVE-2019-6234 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-openjdk to version 8u191 fixes the following issues:
Security issues fixed:
- CVE-2018-3136: Manifest better support (bsc#1112142)
- CVE-2018-3139: Better HTTP Redirection (bsc#1112143)
- CVE-2018-3149: Enhance JNDI lookups (bsc#1112144)
- CVE-2018-3169: Improve field accesses (bsc#1112146)
- CVE-2018-3180: Improve TLS connections stability (bsc#1112147)
- CVE-2018-3214: Better RIFF reading support (bsc#1112152)
- CVE-2018-13785: Upgrade JDK 8u to libpng 1.6.35 (bsc#1112153)
- CVE-2018-3183: Improve script engine support (bsc#1112148)
- CVE-2018-16435: heap-based buffer overflow in SetData function in cmsIT8LoadFromFile
ImportantSUSE bug 1112142SUSE bug 1112143SUSE bug 1112144SUSE bug 1112146SUSE bug 1112147SUSE bug 1112148SUSE bug 1112152SUSE bug 1112153CVE-2018-13785 at SUSECVE-2018-13785 at NVDCVE-2018-16435 at SUSECVE-2018-16435 at NVDCVE-2018-3136 at SUSECVE-2018-3136 at NVDCVE-2018-3139 at SUSECVE-2018-3139 at NVDCVE-2018-3149 at SUSECVE-2018-3149 at NVDCVE-2018-3169 at SUSECVE-2018-3169 at NVDCVE-2018-3180 at SUSECVE-2018-3180 at NVDCVE-2018-3183 at SUSECVE-2018-3183 at NVDCVE-2018-3214 at SUSECVE-2018-3214 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ovmf (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ovmf fixes the following issues:
Security issues fixed:
- CVE-2018-12180: Fixed a buffer overflow in BlockIo service, which could lead
to memory read/write overrun (bsc#1127820).
- CVE-2018-12178: Fixed an improper DNS check upon receiving a new DNS packet (bsc#1127821).
- CVE-2018-3630: Fixed a logic error in FV parsing which could allow a local attacker to
bypass the chain of trust checks (bsc#1127822).
ImportantSUSE bug 1127820SUSE bug 1127821SUSE bug 1127822CVE-2018-12178 at SUSECVE-2018-12178 at NVDCVE-2018-12180 at SUSECVE-2018-12180 at NVDCVE-2018-3630 at SUSECVE-2018-3630 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for qemu (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for qemu fixes the following issues:
Security vulnerabilities addressed:
- CVE-2019-6778: Fixed an out-of-bounds access in slirp (bsc#1123156)
- CVE-2018-16872: Fixed a host security vulnerability related to handling symlinks in usb-mtp (bsc#1119493)
- CVE-2018-19489: Fixed a Denial-of-Service in virtfs (bsc#1117275)
- CVE-2018-19364: Fixed an use-after-free vulnerability if virtfs interface is deliberately abused (bsc#1116717)
- CVE-2018-18954: Fixed an out-of-bounds access performing PowerNV memory operations (bsc#1114957)
- CVE-2017-13673: Fixed a reachable assert failure during during display update (bsc#1056386)
- CVE-2017-13672: Fixed an out-of-bounds read access during display update (bsc#1056334)
- CVE-2018-7858: Fixed an out-of-bounds access in cirrus when updating vga display allowing for Denial-of-Service (bsc#1084604)
Other bug fixes and changes:
- Fix pwrite64/pread64/write to return 0 over -1 for a zero length NULL buffer in qemu (bsc#1121600)
- Fix bad guest time after migration (bsc#1113231)
ImportantSUSE bug 1056334SUSE bug 1056386SUSE bug 1084604SUSE bug 1113231SUSE bug 1114957SUSE bug 1116717SUSE bug 1117275SUSE bug 1119493SUSE bug 1121600SUSE bug 1123156CVE-2017-13672 at SUSECVE-2017-13672 at NVDCVE-2017-13673 at SUSECVE-2017-13673 at NVDCVE-2018-16872 at SUSECVE-2018-16872 at NVDCVE-2018-18954 at SUSECVE-2018-18954 at NVDCVE-2018-19364 at SUSECVE-2018-19364 at NVDCVE-2018-19489 at SUSECVE-2018-19489 at NVDCVE-2018-7858 at SUSECVE-2018-7858 at NVDCVE-2019-6778 at SUSECVE-2019-6778 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 to version 2.22.4 fixes the following issues:
Security issues fixed:
CVE-2018-4191, CVE-2018-4197, CVE-2018-4299, CVE-2018-4306, CVE-2018-4309, CVE-2018-4392,
CVE-2018-4312, CVE-2018-4314, CVE-2018-4315, CVE-2018-4316, CVE-2018-4317, CVE-2018-4318,
CVE-2018-4319, CVE-2018-4323, CVE-2018-4328, CVE-2018-4358, CVE-2018-4359, CVE-2018-4361,
CVE-2018-4345, CVE-2018-4372, CVE-2018-4373, CVE-2018-4375, CVE-2018-4376, CVE-2018-4416,
CVE-2018-4378, CVE-2018-4382, CVE-2018-4386 (bsc#1110279, bsc#1116998).
ImportantSUSE bug 1110279SUSE bug 1116998CVE-2018-4191 at SUSECVE-2018-4191 at NVDCVE-2018-4197 at SUSECVE-2018-4197 at NVDCVE-2018-4207 at SUSECVE-2018-4207 at NVDCVE-2018-4208 at SUSECVE-2018-4208 at NVDCVE-2018-4209 at SUSECVE-2018-4209 at NVDCVE-2018-4210 at SUSECVE-2018-4210 at NVDCVE-2018-4212 at SUSECVE-2018-4212 at NVDCVE-2018-4213 at SUSECVE-2018-4213 at NVDCVE-2018-4261 at SUSECVE-2018-4261 at NVDCVE-2018-4262 at SUSECVE-2018-4262 at NVDCVE-2018-4263 at SUSECVE-2018-4263 at NVDCVE-2018-4264 at SUSECVE-2018-4264 at NVDCVE-2018-4265 at SUSECVE-2018-4265 at NVDCVE-2018-4266 at SUSECVE-2018-4266 at NVDCVE-2018-4267 at SUSECVE-2018-4267 at NVDCVE-2018-4270 at SUSECVE-2018-4270 at NVDCVE-2018-4272 at SUSECVE-2018-4272 at NVDCVE-2018-4273 at SUSECVE-2018-4273 at NVDCVE-2018-4278 at SUSECVE-2018-4278 at NVDCVE-2018-4284 at SUSECVE-2018-4284 at NVDCVE-2018-4299 at SUSECVE-2018-4299 at NVDCVE-2018-4306 at SUSECVE-2018-4306 at NVDCVE-2018-4309 at SUSECVE-2018-4309 at NVDCVE-2018-4312 at SUSECVE-2018-4312 at NVDCVE-2018-4314 at SUSECVE-2018-4314 at NVDCVE-2018-4315 at SUSECVE-2018-4315 at NVDCVE-2018-4316 at SUSECVE-2018-4316 at NVDCVE-2018-4317 at SUSECVE-2018-4317 at NVDCVE-2018-4318 at SUSECVE-2018-4318 at NVDCVE-2018-4319 at SUSECVE-2018-4319 at NVDCVE-2018-4323 at SUSECVE-2018-4323 at NVDCVE-2018-4328 at SUSECVE-2018-4328 at NVDCVE-2018-4345 at SUSECVE-2018-4345 at NVDCVE-2018-4358 at SUSECVE-2018-4358 at NVDCVE-2018-4359 at SUSECVE-2018-4359 at NVDCVE-2018-4361 at SUSECVE-2018-4361 at NVDCVE-2018-4372 at SUSECVE-2018-4372 at NVDCVE-2018-4373 at SUSECVE-2018-4373 at NVDCVE-2018-4375 at SUSECVE-2018-4375 at NVDCVE-2018-4376 at SUSECVE-2018-4376 at NVDCVE-2018-4378 at SUSECVE-2018-4378 at NVDCVE-2018-4382 at SUSECVE-2018-4382 at NVDCVE-2018-4386 at SUSECVE-2018-4386 at NVDCVE-2018-4392 at SUSECVE-2018-4392 at NVDCVE-2018-4416 at SUSECVE-2018-4416 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for LibVNCServer (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for LibVNCServer fixes the following issues:
Security issues fixed:
- CVE-2018-15126: Fixed use-after-free in file transfer extension (bsc#1120114)
- CVE-2018-6307: Fixed use-after-free in file transfer extension server code (bsc#1120115)
- CVE-2018-20020: Fixed heap out-of-bound write inside structure in VNC client code (bsc#1120116)
- CVE-2018-15127: Fixed heap out-of-bounds write in rfbserver.c (bsc#1120117)
- CVE-2018-20019: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1120118)
- CVE-2018-20023: Fixed information disclosure through improper initialization in VNC Repeater client code (bsc#1120119)
- CVE-2018-20022: Fixed information disclosure through improper initialization in VNC client code (bsc#1120120)
- CVE-2018-20024: Fixed NULL pointer dereference in VNC client code (bsc#1120121)
- CVE-2018-20021: Fixed infinite loop in VNC client code (bsc#1120122)
ImportantSUSE bug 1120114SUSE bug 1120115SUSE bug 1120116SUSE bug 1120117SUSE bug 1120118SUSE bug 1120119SUSE bug 1120120SUSE bug 1120121SUSE bug 1120122CVE-2018-15126 at SUSECVE-2018-15126 at NVDCVE-2018-15127 at SUSECVE-2018-15127 at NVDCVE-2018-20019 at SUSECVE-2018-20019 at NVDCVE-2018-20020 at SUSECVE-2018-20020 at NVDCVE-2018-20021 at SUSECVE-2018-20021 at NVDCVE-2018-20022 at SUSECVE-2018-20022 at NVDCVE-2018-20023 at SUSECVE-2018-20023 at NVDCVE-2018-20024 at SUSECVE-2018-20024 at NVDCVE-2018-6307 at SUSECVE-2018-6307 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_7_1-ibm to version 7.1.4.40 fixes the following issues:
Security issues fixed:
- CVE-2019-2422: Fixed a memory disclosure in FileChannelImpl (bsc#1122293).
- CVE-2018-11212: Fixed an issue in alloc_sarray function in jmemmgr.c (bsc#1122299).
More information: https://developer.ibm.com/javasdk/support/security-vulnerabilities/#IBM_Security_Update_February_2019
ImportantSUSE bug 1122293SUSE bug 1122299CVE-2018-11212 at SUSECVE-2018-11212 at NVDCVE-2019-2422 at SUSECVE-2019-2422 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-ibm to version 8.0.5.30 fixes the following issues:
Security issues fixed:
- CVE-2019-2422: Fixed a memory disclosure in FileChannelImpl (bsc#1122293).
- CVE-2018-11212: Fixed an issue in alloc_sarray function in jmemmgr.c (bsc#1122299).
- CVE-2018-1890: Fixed a local privilege escalation via RPATHs (bsc#1128158).
- CVE-2019-2449: Fixed a vulnerabilit which could allow remote atackers to delete arbitrary files (bsc#1122292).
More information: https://www-01.ibm.com/support/docview.wss?uid=ibm10873332
ImportantSUSE bug 1122292SUSE bug 1122293SUSE bug 1122299SUSE bug 1128158CVE-2018-11212 at SUSECVE-2018-11212 at NVDCVE-2018-1890 at SUSECVE-2018-1890 at NVDCVE-2019-2422 at SUSECVE-2019-2422 at NVDCVE-2019-2449 at SUSECVE-2019-2449 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for lftp (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for lftp fixes the following issues:
Security issue fixed:
- CVE-2018-10916: Fixed an improper file name sanitization which could lead to loss of integrity of
the local system (bsc#1103367).
Other issue addressed:
- The SSH login handling code detects password prompts more reliably (bsc#1120946).
ModerateSUSE bug 1103367SUSE bug 1120946CVE-2018-10916 at SUSECVE-2018-10916 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libssh2_org (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libssh2_org fixes the following issues:
Security issues fixed:
- CVE-2019-3861: Fixed Out-of-bounds reads with specially crafted SSH packets (bsc#1128490).
- CVE-2019-3862: Fixed Out-of-bounds memory comparison with specially crafted message channel request packet (bsc#1128492).
- CVE-2019-3860: Fixed Out-of-bounds reads with specially crafted SFTP packets (bsc#1128481).
- CVE-2019-3863: Fixed an Integer overflow in user authenticate keyboard interactive which could allow out-of-bounds writes
with specially crafted keyboard responses (bsc#1128493).
- CVE-2019-3856: Fixed a potential Integer overflow in keyboard interactive handling which could allow out-of-bounds write
with specially crafted payload (bsc#1128472).
- CVE-2019-3859: Fixed Out-of-bounds reads with specially crafted payloads due to unchecked use of _libssh2_packet_require
and _libssh2_packet_requirev (bsc#1128480).
- CVE-2019-3855: Fixed a potential Integer overflow in transport read which could allow out-of-bounds write with specially
crafted payload (bsc#1128471).
- CVE-2019-3858: Fixed a potential zero-byte allocation which could lead to an out-of-bounds read with a specially crafted
SFTP packet (bsc#1128476).
- CVE-2019-3857: Fixed a potential Integer overflow which could lead to zero-byte allocation and out-of-bounds with specially
crafted message channel request SSH packet (bsc#1128474).
Other issue addressed:
- Libbssh2 will stop using keys unsupported types in the known_hosts file (bsc#1091236).
ModerateSUSE bug 1091236SUSE bug 1128471SUSE bug 1128472SUSE bug 1128474SUSE bug 1128476SUSE bug 1128480SUSE bug 1128481SUSE bug 1128490SUSE bug 1128492SUSE bug 1128493CVE-2019-3855 at SUSECVE-2019-3855 at NVDCVE-2019-3856 at SUSECVE-2019-3856 at NVDCVE-2019-3857 at SUSECVE-2019-3857 at NVDCVE-2019-3858 at SUSECVE-2019-3858 at NVDCVE-2019-3859 at SUSECVE-2019-3859 at NVDCVE-2019-3860 at SUSECVE-2019-3860 at NVDCVE-2019-3861 at SUSECVE-2019-3861 at NVDCVE-2019-3862 at SUSECVE-2019-3862 at NVDCVE-2019-3863 at SUSECVE-2019-3863 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openwsman (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openwsman fixes the following issues:
Security issues fixed:
- CVE-2019-3816: Fixed a vulnerability in openwsmand deamon which could lead to arbitary file disclosure (bsc#1122623).
- CVE-2019-3833: Fixed a vulnerability in process_connection() which could allow an attacker to trigger an infinite
loop which leads to Denial of Service (bsc#1122623).
ImportantSUSE bug 1122623CVE-2019-3816 at SUSECVE-2019-3816 at NVDCVE-2019-3833 at SUSECVE-2019-3833 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for wireshark (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for wireshark to version 2.4.13 fixes the following issues:
Security issues fixed:
- CVE-2019-9214: Avoided a dereference of a null coversation which could make RPCAP
dissector crash (bsc#1127367).
- CVE-2019-9209: Fixed a buffer overflow in time values which could make ASN.1 BER
and related dissectors crash (bsc#1127369).
- CVE-2019-9208: Fixed a null pointer dereference which could make TCAP dissector
crash (bsc#1127370).
Release notes: https://www.wireshark.org/docs/relnotes/wireshark-2.4.13.html
ModerateSUSE bug 1127367SUSE bug 1127369SUSE bug 1127370CVE-2019-9208 at SUSECVE-2019-9208 at NVDCVE-2019-9209 at SUSECVE-2019-9209 at NVDCVE-2019-9214 at SUSECVE-2019-9214 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ghostscript (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ghostscript fixes the following issue:
Security issue fixed:
- CVE-2019-3838: Fixed a vulnerability which made forceput operator in DefineResource to be still accessible
which could allow access to file system outside of the constraints of -dSAFER (bsc#1129186).
ImportantSUSE bug 1129186CVE-2019-3838 at SUSECVE-2019-3838 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ucode-intel (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ucode-intel fixes the following issues:
Updated to the 20190312 bundle release (bsc#1129231)
New Platforms:
- AML-Y22 H0 6-8e-9/10 0000009e Core Gen8 Mobile
- WHL-U W0 6-8e-b/d0 000000a4 Core Gen8 Mobile
- WHL-U V0 6-8e-d/94 000000b2 Core Gen8 Mobile
- CFL-S P0 6-9e-c/22 000000a2 Core Gen9 Desktop
- CFL-H R0 6-9e-d/22 000000b0 Core Gen9 Mobile
Updated Platforms:
- HSX-E/EP Cx/M1 6-3f-2/6f 0000003d->00000041 Core Gen4 X series; Xeon E5 v3
- HSX-EX E0 6-3f-4/80 00000012->00000013 Xeon E7 v3
- SKX-SP H0/M0/U0 6-55-4/b7 0200004d->0000005a Xeon Scalable
- SKX-D M1 6-55-4/b7 0200004d->0000005a Xeon D-21xx
- BDX-DE V1 6-56-2/10 00000017->00000019 Xeon D-1520/40
- BDX-DE V2/3 6-56-3/10 07000013->07000016 Xeon D-1518/19/21/27/28/31/33/37/41/48, Pentium D1507/08/09/17/19
- BDX-DE Y0 6-56-4/10 0f000012->0f000014 Xeon D-1557/59/67/71/77/81/87
- BDX-NS A0 6-56-5/10 0e00000a->0e00000c Xeon D-1513N/23/33/43/53
- APL D0 6-5c-9/03 00000032->00000036 Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
- APL E0 6-5c-a/03 0000000c->00000010 Atom x5/7-E39xx
- GLK B0 6-7a-1/01 00000028->0000002c Pentium Silver N/J5xxx, Celeron N/J4xxx
- KBL-U/Y H0 6-8e-9/c0 0000008e->0000009a Core Gen7 Mobile
- CFL-U43e D0 6-8e-a/c0 00000096->0000009e Core Gen8 Mobile
- KBL-H/S/E3 B0 6-9e-9/2a 0000008e->0000009a Core Gen7; Xeon E3 v6
- CFL-H/S/E3 U0 6-9e-a/22 00000096->000000aa Core Gen8 Desktop, Mobile, Xeon E
- CFL-S B0 6-9e-b/02 0000008e->000000aa Core Gen8
ModerateSUSE bug 1129231cpe:/o:suse:sles_teradata:12:sp3Security update for ovmf (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ovmf fixes the following issue:
Security issue fixed:
- CVE-2018-12181: Fixed a stack buffer overflow in the HII database when a corrupted Bitmap was used (bsc#1128503).
ModerateSUSE bug 1128503CVE-2018-12181 at SUSECVE-2018-12181 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gd (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gd fixes the following issues:
Security issues fixed:
- CVE-2019-6977: Fixed a heap-based buffer overflow the GD Graphics Library used in the imagecolormatch function (bsc#1123361).
- CVE-2019-6978: Fixed a double free in the gdImage*Ptr() functions (bsc#1123522).
ModerateSUSE bug 1123361SUSE bug 1123522CVE-2019-6977 at SUSECVE-2019-6977 at NVDCVE-2019-6978 at SUSECVE-2019-6978 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for w3m (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for w3m fixes several issues.
These security issues were fixed:
- CVE-2018-6196: Prevent infinite recursion in HTMLlineproc0 caused by the feed_table_block_tag function which did not prevent a negative indent value (bsc#1077559)
- CVE-2018-6197: Prevent NULL pointer dereference in formUpdateBuffer (bsc#1077568)
- CVE-2018-6198: w3m did not properly handle temporary files when the ~/.w3m directory is unwritable, which allowed a local attacker to craft a symlink attack to overwrite arbitrary files (bsc#1077572)
ModerateSUSE bug 1077559SUSE bug 1077568SUSE bug 1077572CVE-2018-6196 at SUSECVE-2018-6196 at NVDCVE-2018-6197 at SUSECVE-2018-6197 at NVDCVE-2018-6198 at SUSECVE-2018-6198 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ntp (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ntp fixes the following issues:
Security issue fixed:
- CVE-2019-8936: Fixed a null pointer exception which could allow an authenticated attcker to cause
segmentation fault to ntpd (bsc#1128525).
Other isses addressed:
- Fixed an issue which caused openSSL mismatch (bsc#1125401)
- Fixed several bugs in the BANCOMM reclock driver.
- Fixed ntp_loopfilter.c snprintf compilation warnings.
- Fixed spurious initgroups() error message.
- Fixed STA_NANO struct timex units.
- Fixed GPS week rollover in libparse.
- Fixed incorrect poll interval in packet.
- Added a missing check for ENABLE_CMAC.
ModerateSUSE bug 1125401SUSE bug 1128525CVE-2019-8936 at SUSECVE-2019-8936 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssl fixes the following issues:
Security issues fixed:
- The 9 Lives of Bleichenbacher's CAT: Cache Attacks on TLS Implementations (bsc#1117951)
- CVE-2019-1559: Fixed OpenSSL 0-byte Record Padding Oracle which under certain circumstances
a TLS server can be forced to respond differently to a client and lead to the decryption of the data (bsc#1127080).
Other issues addressed:
- Fixed IV handling in SHAEXT paths: aes/asm/aesni-sha*-x86_64.pl (bsc#1113975).
- Set TLS version to 0 in msg_callback for record messages to avoid confusing applications (bsc#1100078).
ModerateSUSE bug 1100078SUSE bug 1113975SUSE bug 1117951SUSE bug 1127080CVE-2019-1559 at SUSECVE-2019-1559 at NVDcpe:/o:suse:sles_teradata:12:sp3Recommended update for adcli, sssd (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for adcli and sssd provides the following improvement:
Security vulnerability fixed:
- CVE-2019-3811: Fix fallback_homedir returning '/' for empty home directories
(bsc#1121759)
Other fixes:
- Add an option to disable checking for trusted domains in the subdomains provider (bsc#1125617)
- Clear pid file in corner cases (bsc#1127670)
- Fix child unable to write to log file after SIGHUP (bsc#1127670)
- Include adcli in SUSE Linux Enterprise 12 SP3 for sssd-ad. (fate#326619, bsc#1109849)
The adcli enables sssd to do password renewal when using Active Directory.
ModerateSUSE bug 1109849SUSE bug 1110121SUSE bug 1121759SUSE bug 1125617SUSE bug 1127670CVE-2019-3811 at SUSECVE-2019-3811 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for sssd (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for sssd provides the following fixes:
This security issue was fixed:
- CVE-2018-10852: Set stricter permissions on /var/lib/sss/pipes/sudo to prevent the disclosure of sudo rules for arbitrary users (bsc#1098377)
These non-security issues were fixed:
- Fix a segmentation fault in sss_cache command. (bsc#1072728)
- Fix a failure in autofs initialisation sequence upon system boot. (bsc#1010700)
- Fix race condition on boot between SSSD and autofs. (bsc#1010700)
- Fix a bug where file descriptors were not closed (bsc#1080156)
- Fix an issue where sssd logs were not rotated properly (bsc#1080156)
- Remove whitespaces from netgroup entries (bsc#1087320)
- Remove misleading log messages (bsc#1101877)
- exit() the forked process if exec()-ing a child process fails (bsc#1110299)
- Do not schedule the machine renewal task if adcli is not executable (bsc#1110299)
ModerateSUSE bug 1010700SUSE bug 1072728SUSE bug 1080156SUSE bug 1087320SUSE bug 1098377SUSE bug 1101877SUSE bug 1110299CVE-2018-10852 at SUSECVE-2018-10852 at NVDcpe:/o:suse:sles_teradata:12:sp3Optional update for php72 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update provides PHP 7.2 and subpackages to the SUSE Linux Enterprise 12 Web and Scripting Module.
It is a replacement of the php7 packages, the packages do not co-exist.
The mcrypt extensions was removed in PHP 7.2.
ModerateSUSE bug 1126314SUSE bug 1129032CVE-2018-20783 at SUSECVE-2018-20783 at NVDCVE-2019-9020 at SUSECVE-2019-9020 at NVDCVE-2019-9021 at SUSECVE-2019-9021 at NVDCVE-2019-9022 at SUSECVE-2019-9022 at NVDCVE-2019-9023 at SUSECVE-2019-9023 at NVDCVE-2019-9024 at SUSECVE-2019-9024 at NVDCVE-2019-9641 at SUSECVE-2019-9641 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for bash (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for bash fixes the following issues:
Security issue fixed:
- CVE-2019-9924: Fixed a vulnerability in which shell did not prevent user BASH_CMDS
allowing the user to execute any command with the permissions of the shell (bsc#1130324).
ImportantSUSE bug 1130324CVE-2019-9924 at SUSECVE-2019-9924 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for file (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for file fixes the following issues:
The following security vulnerabilities were addressed:
- Fixed an out-of-bounds read in the function do_core_note in readelf.c, which
allowed remote attackers to cause a denial of service (application crash) via
a crafted ELF file (bsc#1096974 CVE-2018-10360).
- CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c
(bsc#1126118)
- CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c
(bsc#1126119)
- CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c
(bsc#1126117)
ModerateSUSE bug 1096974SUSE bug 1096984SUSE bug 1126117SUSE bug 1126118SUSE bug 1126119CVE-2018-10360 at SUSECVE-2018-10360 at NVDCVE-2019-8905 at SUSECVE-2019-8905 at NVDCVE-2019-8906 at SUSECVE-2019-8906 at NVDCVE-2019-8907 at SUSECVE-2019-8907 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Security issuess addressed:
- update to Firefox ESR 60.6.1 (bsc#1130262):
- CVE-2019-9813: Fixed Ionmonkey type confusion with __proto__ mutations
- CVE-2019-9810: Fixed IonMonkey MArraySlice incorrect alias information
- Update to Firefox ESR 60.6 (bsc#1129821):
- CVE-2018-18506: Fixed an issue with Proxy Auto-Configuration file
- CVE-2019-9801: Fixed an issue which could allow Windows programs to be exposed to web content
- CVE-2019-9788: Fixed multiple memory safety bugs
- CVE-2019-9790: Fixed a Use-after-free vulnerability when removing in-use DOM elements
- CVE-2019-9791: Fixed an incorrect Type inference for constructors entered through on-stack replacement
with IonMonkey
- CVE-2019-9792: Fixed an issue where IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
- CVE-2019-9793: Fixed multiple improper bounds checks when Spectre mitigations are disabled
- CVE-2019-9794: Fixed an issue where command line arguments not discarded during execution
- CVE-2019-9795: Fixed a Type-confusion vulnerability in IonMonkey JIT compiler
- CVE-2019-9796: Fixed a Use-after-free vulnerability in SMIL animation controller
- Update to Firefox ESR 60.5.1 (bsc#1125330):
- CVE-2018-18356: Fixed a use-after-free vulnerability in the Skia library which can occur when
creating a path, leading to a potentially exploitable crash.
- CVE-2019-5785: Fixed an integer overflow vulnerability in the Skia library which can occur
after specific transform operations, leading to a potentially exploitable crash.
- CVE-2018-18335: Fixed a buffer overflow vulnerability in the Skia library which can occur with
Canvas 2D acceleration on macOS. This issue was addressed by disabling Canvas 2D acceleration
in Firefox ESR. Note: this does not affect other versions and platforms where Canvas 2D
acceleration is already disabled by default.
Other issue addressed:
- Fixed an issue with MozillaFirefox-translations-common which was causing error on update (bsc#1127987).
Release notes: https://www.mozilla.org/en-US/security/advisories/mfsa2019-12/
Release notes: https://www.mozilla.org/en-US/security/advisories/mfsa2019-08/
Release notes: https://www.mozilla.org/en-US/security/advisories/mfsa2019-05/
ImportantSUSE bug 1125330SUSE bug 1127987SUSE bug 1129821SUSE bug 1130262CVE-2018-18335 at SUSECVE-2018-18335 at NVDCVE-2018-18356 at SUSECVE-2018-18356 at NVDCVE-2018-18506 at SUSECVE-2018-18506 at NVDCVE-2019-5785 at SUSECVE-2019-5785 at NVDCVE-2019-9788 at SUSECVE-2019-9788 at NVDCVE-2019-9790 at SUSECVE-2019-9790 at NVDCVE-2019-9791 at SUSECVE-2019-9791 at NVDCVE-2019-9792 at SUSECVE-2019-9792 at NVDCVE-2019-9793 at SUSECVE-2019-9793 at NVDCVE-2019-9794 at SUSECVE-2019-9794 at NVDCVE-2019-9795 at SUSECVE-2019-9795 at NVDCVE-2019-9796 at SUSECVE-2019-9796 at NVDCVE-2019-9801 at SUSECVE-2019-9801 at NVDCVE-2019-9810 at SUSECVE-2019-9810 at NVDCVE-2019-9813 at SUSECVE-2019-9813 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for apache2 fixes the following issues:
* CVE-2019-0220: The Apache HTTP server did not use a consistent strategy for
URL normalization throughout all of its components. In particular,
consecutive slashes were not always collapsed. Attackers could potentially
abuse these inconsistencies to by-pass access control mechanisms and thus
gain unauthorized access to protected parts of the service. [bsc#1131241]
* CVE-2019-0217: A race condition in Apache's 'mod_auth_digest' when running in
a threaded server could have allowed users with valid credentials to
authenticate using another username, bypassing configured access control
restrictions. [bsc#1131239]
* CVE-2019-0211: A flaw in the Apache HTTP Server allowed less-privileged child
processes or threads to execute arbitrary code with the privileges of the
parent process. Attackers with control over CGI scripts or extension modules
run by the server could have abused this issue to potentially gain super user
privileges. [bsc#1131233]
* CVE-2019-0197: When HTTP/2 support was enabled in the Apache server for a
'http' host or H2Upgrade was enabled for h2 on a 'https' host, an Upgrade
request from http/1.1 to http/2 that was not the first request on a
connection could lead to a misconfiguration and crash. This issue could have
been abused to mount a denial-of-service attack. Servers that never enabled
the h2 protocol or that only enabled it for https: and did not configure the
'H2Upgrade on' are unaffected. [bsc#1131245]
* CVE-2019-0196: Through specially crafted network input the Apache's http/2
request handler could be lead to access previously freed memory while
determining the method of a request. This resulted in the request being
misclassified and thus being processed incorrectly. [bsc#1131237]
ImportantSUSE bug 1131233SUSE bug 1131237SUSE bug 1131239SUSE bug 1131241SUSE bug 1131245CVE-2019-0196 at SUSECVE-2019-0196 at NVDCVE-2019-0197 at SUSECVE-2019-0197 at NVDCVE-2019-0211 at SUSECVE-2019-0211 at NVDCVE-2019-0217 at SUSECVE-2019-0217 at NVDCVE-2019-0220 at SUSECVE-2019-0220 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for clamav (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for clamav to version 0.100.3 fixes the following issues:
Security issues fixed (bsc#1130721):
- CVE-2019-1787: Fixed an out-of-bounds heap read condition which may occur
when scanning PDF documents.
- CVE-2019-1789: Fixed an out-of-bounds heap read condition which may occur
when scanning PE files (i.e. Windows EXE and DLL files).
- CVE-2019-1788: Fixed an out-of-bounds heap write condition which may occur
when scanning OLE2 files such as Microsoft Office 97-2003 documents.
ImportantSUSE bug 1130721CVE-2019-1787 at SUSECVE-2019-1787 at NVDCVE-2019-1788 at SUSECVE-2019-1788 at NVDCVE-2019-1789 at SUSECVE-2019-1789 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for SDL (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for SDL fixes the following issues:
Security issues fixed:
- CVE-2019-7572: Fixed a buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c.(bsc#1124806).
- CVE-2019-7578: Fixed a heap-based buffer over-read in InitIMA_ADPCM in audio/SDL_wave.c (bsc#1125099).
- CVE-2019-7576: Fixed heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (bsc#1124799).
- CVE-2019-7573: Fixed a heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (bsc#1124805).
- CVE-2019-7635: Fixed a heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c. (bsc#1124827).
- CVE-2019-7636: Fixed a heap-based buffer over-read in SDL_GetRGB in video/SDL_pixels.c (bsc#1124826).
- CVE-2019-7638: Fixed a heap-based buffer over-read in Map1toN in video/SDL_pixels.c (bsc#1124824).
- CVE-2019-7574: Fixed a heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c (bsc#1124803).
- CVE-2019-7575: Fixed a heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c (bsc#1124802).
- CVE-2019-7637: Fixed a heap-based buffer overflow in SDL_FillRect function in SDL_surface.c (bsc#1124825).
- CVE-2019-7577: Fixed a buffer over read in SDL_LoadWAV_RW in audio/SDL_wave.c (bsc#1124800).
ModerateSUSE bug 1124799SUSE bug 1124800SUSE bug 1124802SUSE bug 1124803SUSE bug 1124805SUSE bug 1124806SUSE bug 1124824SUSE bug 1124825SUSE bug 1124826SUSE bug 1124827SUSE bug 1125099CVE-2019-7572 at SUSECVE-2019-7572 at NVDCVE-2019-7573 at SUSECVE-2019-7573 at NVDCVE-2019-7574 at SUSECVE-2019-7574 at NVDCVE-2019-7575 at SUSECVE-2019-7575 at NVDCVE-2019-7576 at SUSECVE-2019-7576 at NVDCVE-2019-7577 at SUSECVE-2019-7577 at NVDCVE-2019-7578 at SUSECVE-2019-7578 at NVDCVE-2019-7635 at SUSECVE-2019-7635 at NVDCVE-2019-7636 at SUSECVE-2019-7636 at NVDCVE-2019-7637 at SUSECVE-2019-7637 at NVDCVE-2019-7638 at SUSECVE-2019-7638 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for dovecot22 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for dovecot22 fixes the following issues:
Security issues fixed:
- CVE-2019-7524: Fixed an improper file handling which could result in stack overflow allowing
local root escalation (bsc#1130116).
- CVE-2019-3814: Fixed a vulnerability related to SSL client certificate authentication (bsc#1123022).
Other issue fixed:
- Fixed handling of command continuation(bsc#1111789)
ImportantSUSE bug 1111789SUSE bug 1123022SUSE bug 1130116CVE-2019-3814 at SUSECVE-2019-3814 at NVDCVE-2019-7524 at SUSECVE-2019-7524 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for sqlite3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for sqlite3 fixes the following issues:
Security issues fixed:
- CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).
- CVE-2018-20506: Fixed an integer overflow when FTS3 extension is enabled (bsc#1131576).
ModerateSUSE bug 1119687SUSE bug 1131576CVE-2018-20346 at SUSECVE-2018-20346 at NVDCVE-2018-20506 at SUSECVE-2018-20506 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
Security issues fixed:
- CVE-2018-19967: Fixed HLE constructs that allowed guests to lock up the host,
resulting in a Denial of Service (DoS). (XSA-282) (bsc#1114988)
- CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() found in slirp (bsc#1123157).
- Fixed an issue which could allow malicious or buggy guests with passed through PCI devices to be able to
escalate their privileges, crash the host, or access data belonging to other guests. Additionally memory
leaks were also possible (bsc#1126140).
- Fixed a race condition issue which could allow malicious PV guests to escalate their privilege to that
of the hypervisor (bsc#1126141).
- Fixed an issue which could allow a malicious unprivileged guest userspace process to escalate its privilege
to that of other userspace processes in the same guest and potentially thereby to that
of the guest operating system (bsc#1126201).
- CVE-2019-9824: Fixed an information leak in SLiRP networking implementation which could allow a user/process
to read uninitialised stack memory contents (bsc#1129623).
- CVE-2018-19961 CVE-2018-19962: Fixed insufficient TLB flushing / improper large page mappings with AMD IOMMUs (XSA-275)(bsc#1115040).
- CVE-2018-19965: Fixed denial of service issue from attempting to use INVPCID with a non-canonical addresses (XSA-279)(bsc#1115045).
- CVE-2018-19966: Fixed issue introduced by XSA-240 that could have caused conflicts with shadow paging (XSA-280)(bsc#1115047).
- Fixed an issue which could allow malicious PV guests may cause a host crash or
gain access to data pertaining to other guests.Additionally, vulnerable configurations
are likely to be unstable even in the absence of an attack (bsc#1126198).
- Fixed multiple access violations introduced by XENMEM_exchange hypercall which could allow
a single PV guest to leak arbitrary amounts of memory, leading to a denial of service (bsc#1126192).
- Fixed an issue which could allow malicious 64bit PV guests to cause a host crash (bsc#1127400).
- Fixed an issue which could allow malicious or buggy x86 PV guest kernels to mount a Denial of Service
attack affecting the whole system (bsc#1126197).
- Fixed an issue which could allow an untrusted PV domain with access to a physical device to DMA into its own
pagetables leading to privilege escalation (bsc#1126195).
- Fixed an issue which could allow a malicious or buggy x86 PV guest kernels can mount a Denial of Service
attack affecting the whole system (bsc#1126196).
Other issues addressed:
- Upstream bug fixes (bsc#1027519)
- Fixed an issue where live migrations were failing when spectre was enabled on xen boot cmdline (bsc#1116380).
- Fixed an issue where setup of grant_tables and other variables may fail (bsc#1126325).
- Fixed a building issue (bsc#1119161).
- Fixed an issue where xpti=no-dom0 was not working as expected (bsc#1105528).
- Packages should no longer use /var/adm/fillup-templates (bsc#1069468).
- Added Xen cmdline option 'suse_vtsc_tolerance' to avoid TSC emulation for HVM domUs (bsc#1026236).
ImportantSUSE bug 1026236SUSE bug 1027519SUSE bug 1069468SUSE bug 1105528SUSE bug 1114988SUSE bug 1115040SUSE bug 1115045SUSE bug 1115047SUSE bug 1116380SUSE bug 1117756SUSE bug 1119161SUSE bug 1123157SUSE bug 1126140SUSE bug 1126141SUSE bug 1126192SUSE bug 1126195SUSE bug 1126196SUSE bug 1126197SUSE bug 1126198SUSE bug 1126201SUSE bug 1126325SUSE bug 1127400SUSE bug 1129623CVE-2018-19665 at SUSECVE-2018-19665 at NVDCVE-2018-19961 at SUSECVE-2018-19961 at NVDCVE-2018-19962 at SUSECVE-2018-19962 at NVDCVE-2018-19965 at SUSECVE-2018-19965 at NVDCVE-2018-19966 at SUSECVE-2018-19966 at NVDCVE-2018-19967 at SUSECVE-2018-19967 at NVDCVE-2019-6778 at SUSECVE-2019-6778 at NVDCVE-2019-9824 at SUSECVE-2019-9824 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xmltooling (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xmltooling fixes the following issue:
Security issue fixed:
- CVE-2019-9628: Fixed an improper handling of exception in XMLTooling library which could result in
denial of service against the application using XMLTooling (bsc#1129537).
ModerateSUSE bug 1129537CVE-2019-9628 at SUSECVE-2019-9628 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for wget (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for wget fixes the following issues:
Security issue fixed:
- CVE-2019-5953: Fixed a buffer overflow vulnerability which might cause code execution (bsc#1131493).
ImportantSUSE bug 1131493CVE-2019-5953 at SUSECVE-2019-5953 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for qemu (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for qemu fixes the following issues:
Security issues fixed:
- CVE-2019-9824: Fixed information leak in slirp (bsc#1129622).
- CVE-2019-8934: Added method to specify whether or not to expose certain ppc64 hostinformation (bsc#1126455).
- CVE-2019-3812: Fixed Out-of-bounds memory access and information leak in virtual monitor interface (bsc#1125721).
- CVE-2018-20815: Fixed a denial of service possibility in device tree processing (bsc#1130675).
Non-security issue fixed:
- Backported Skylake-Server vcpu model support from qemu v2.11 (FATE#327261 bsc#1131955).
- Added ability to set virtqueue size using virtqueue_size parameter (FATE#327255 bsc#1118900).
ImportantSUSE bug 1118900SUSE bug 1125721SUSE bug 1126455SUSE bug 1129622SUSE bug 1130675SUSE bug 1131955CVE-2018-20815 at SUSECVE-2018-20815 at NVDCVE-2019-3812 at SUSECVE-2019-3812 at NVDCVE-2019-8934 at SUSECVE-2019-8934 at NVDCVE-2019-9824 at SUSECVE-2019-9824 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for soundtouch (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for soundtouch fixes the following issues:
Security issues fixed:
- CVE-2018-17098: Fixed a heap corruption from size inconsistency, which
allowed remote attackers to cause a denial of service or possibly have
other unspecified impact (bsc#1108632)
- CVE-2018-17097: Fixed a double free, which allowed remote attackers to cause
a denial of service or possibly have other unspecified impact (bsc#1108631)
ModerateSUSE bug 1108631SUSE bug 1108632CVE-2018-17097 at SUSECVE-2018-17097 at NVDCVE-2018-17098 at SUSECVE-2018-17098 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3 fixes the following issues:
Security issue fixed:
- CVE-2019-9636: Fixed an information disclosure because of incorrect handling of Unicode encoding during NFKC normalization (bsc#1129346).
ImportantSUSE bug 1129346CVE-2019-9636 at SUSECVE-2019-9636 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for curl (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for curl fixes the following issues:
Security issue fixed:
- CVE-2018-16839: Fixed a buffer overflow in the SASL authentication code (bsc#1112758).
ImportantSUSE bug 1112758SUSE bug 1131886CVE-2018-16839 at SUSECVE-2018-16839 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for freeradius-server (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for freeradius-server fixes the following issues:
- CVE-2019-13456: Fixed a side-channel password leak in EAP-pwd
(bsc#1144524).
- CVE-2019-17185: Fixed a debial of service due to multithreaded
BN_CTX access (bsc#1166847).
- Fixed an issue in TLS-EAP where the OCSP verification, when an
intermediate client certificate was not explicitly trusted
(bsc#1146848).
ModerateSUSE bug 1144524SUSE bug 1146848SUSE bug 1166847CVE-2019-13456 at SUSECVE-2019-13456 at NVDCVE-2019-17185 at SUSECVE-2019-17185 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for man (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for man fixes the following issues:
- Skip using 'safe-rm' in cron job below cache directory (bsc#1159105).
ModerateSUSE bug 1159105cpe:/o:suse:sles_teradata:12:sp3Security update for libqt4 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libqt4 fixes the following issues:
- CVE-2018-15518: Fixed a double free in QXmlStreamReader (bsc#1118595)
- CVE-2018-19873: Fixed a segmantation fault via a malformed
BMP file (bsc#1118596).
- CVE-2018-19869: Fixed an improper checking which might lead to
a crach via a malformed url reference (bsc#1118599).
- Added stricter toplevel asm parsing by dropping volatile
qualification that has no effect (bsc#1121214).
ModerateSUSE bug 1118595SUSE bug 1118596SUSE bug 1118599SUSE bug 1121214CVE-2018-15518 at SUSECVE-2018-15518 at NVDCVE-2018-19869 at SUSECVE-2018-19869 at NVDCVE-2018-19873 at SUSECVE-2018-19873 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for cups (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for cups fixes the following issues:
- CVE-2020-3898: Fixed a heap buffer overflow in ppdFindOption() (bsc#1168422).
ImportantSUSE bug 1168422CVE-2020-3898 at SUSECVE-2020-3898 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for file-roller (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for file-roller fixes the following issues:
- CVE-2019-16680: Fixed a path traversal vulnerability which could have allowed
an overwriting of a file during extraction (bsc#1151585).
LowSUSE bug 1151585CVE-2019-16680 at SUSECVE-2019-16680 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for pam_radius (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for pam_radius fixes the following issues:
- CVE-2015-9542: Fixed a buffer overflow in password field (bsc#1163933).
- On s390x didn't decrypt passwords correctly (bsc#1141670).
ImportantSUSE bug 1141670SUSE bug 1163933CVE-2015-9542 at SUSECVE-2015-9542 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 to version 2.28.1 fixes the following issues:
Security issues fixed:
- CVE-2020-10018: Fixed a denial of service because the m_deferredFocusedNodeChange data structure was mishandled (bsc#1165528).
- CVE-2020-11793: Fixed a potential arbitrary code execution caused by a use-after-free vulnerability (bsc#1169658).
- CVE-2019-8835: Fixed multiple memory corruption issues (bsc#1161719).
- CVE-2019-8844: Fixed multiple memory corruption issues (bsc#1161719).
- CVE-2019-8846: Fixed a use-after-free issue (bsc#1161719).
- CVE-2020-3862: Fixed a memory handling issue (bsc#1163809).
- CVE-2020-3867: Fixed an XSS issue (bsc#1163809).
- CVE-2020-3868: Fixed multiple memory corruption issues that could have lead to arbitrary code execution (bsc#1163809).
- CVE-2020-3864,CVE-2020-3865: Fixed logic issues in the DOM object context handling (bsc#1163809).
Non-security issues fixed:
- Add API to enable Process Swap on (Cross-site) Navigation.
- Add user messages API for the communication with the web extension.
- Add support for same-site cookies.
- Service workers are enabled by default.
- Add support for Pointer Lock API.
- Add flatpak sandbox support.
- Make ondemand hardware acceleration policy never leave accelerated compositing mode.
- Always use a light theme for rendering form controls.
- Add about:gpu to show information about the graphics stack.
- Fixed issues while trying to play a video on NextCloud.
- Fixed vertical alignment of text containing arabic diacritics.
- Fixed build with icu 65.1.
- Fixed page loading errors with websites using HSTS.
- Fixed web process crash when displaying a KaTeX formula.
- Fixed several crashes and rendering issues.
- Switched to a single web process for Evolution and geary (bsc#1159329).
ImportantSUSE bug 1155321SUSE bug 1156318SUSE bug 1159329SUSE bug 1161719SUSE bug 1163809SUSE bug 1165528SUSE bug 1169658CVE-2019-8625 at SUSECVE-2019-8625 at NVDCVE-2019-8710 at SUSECVE-2019-8710 at NVDCVE-2019-8720 at SUSECVE-2019-8720 at NVDCVE-2019-8743 at SUSECVE-2019-8743 at NVDCVE-2019-8764 at SUSECVE-2019-8764 at NVDCVE-2019-8766 at SUSECVE-2019-8766 at NVDCVE-2019-8769 at SUSECVE-2019-8769 at NVDCVE-2019-8771 at SUSECVE-2019-8771 at NVDCVE-2019-8782 at SUSECVE-2019-8782 at NVDCVE-2019-8783 at SUSECVE-2019-8783 at NVDCVE-2019-8808 at SUSECVE-2019-8808 at NVDCVE-2019-8811 at SUSECVE-2019-8811 at NVDCVE-2019-8812 at SUSECVE-2019-8812 at NVDCVE-2019-8813 at SUSECVE-2019-8813 at NVDCVE-2019-8814 at SUSECVE-2019-8814 at NVDCVE-2019-8815 at SUSECVE-2019-8815 at NVDCVE-2019-8816 at SUSECVE-2019-8816 at NVDCVE-2019-8819 at SUSECVE-2019-8819 at NVDCVE-2019-8820 at SUSECVE-2019-8820 at NVDCVE-2019-8823 at SUSECVE-2019-8823 at NVDCVE-2019-8835 at SUSECVE-2019-8835 at NVDCVE-2019-8844 at SUSECVE-2019-8844 at NVDCVE-2019-8846 at SUSECVE-2019-8846 at NVDCVE-2020-10018 at SUSECVE-2020-10018 at NVDCVE-2020-11793 at SUSECVE-2020-11793 at NVDCVE-2020-3862 at SUSECVE-2020-3862 at NVDCVE-2020-3864 at SUSECVE-2020-3864 at NVDCVE-2020-3865 at SUSECVE-2020-3865 at NVDCVE-2020-3867 at SUSECVE-2020-3867 at NVDCVE-2020-3868 at SUSECVE-2020-3868 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for shibboleth-sp (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for shibboleth-sp fixes the following issues:
Security issue fixed:
- CVE-2019-19191: Fixed escalation to root by fixing ownership of log files (bsc#1157471).
ModerateSUSE bug 1157471CVE-2019-19191 at SUSECVE-2019-19191 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ceph (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ceph fixes the following issues:
- CVE-2020-12059: Fixed a denial of service caused by a specially crafted XML payload on POST requests (bsc#1170170).
ImportantSUSE bug 1170170CVE-2020-12059 at SUSECVE-2020-12059 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for LibVNCServer (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for LibVNCServer fixes the following issues:
- CVE-2019-15690: Fixed a heap buffer overflow (bsc#1160471).
- CVE-2019-15681: Fixed a memory leak which could have allowed to a remote attacker to read stack memory (bsc#1155419).
- CVE-2019-20788: Fixed a integer overflow and heap-based buffer overflow via a large height or width value (bsc#1170441).
ImportantSUSE bug 1155419SUSE bug 1160471SUSE bug 1170441CVE-2019-15681 at SUSECVE-2019-15681 at NVDCVE-2019-15690 at SUSECVE-2019-15690 at NVDCVE-2019-20788 at SUSECVE-2019-20788 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for icu (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for icu fixes the following issues:
- CVE-2020-10531: Fixed integer overflow in UnicodeString:doAppend() (bsc#1166844).
ModerateSUSE bug 1166844CVE-2020-10531 at SUSECVE-2020-10531 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openldap2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openldap2 fixes the following issues:
- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).
ImportantSUSE bug 1170771CVE-2020-12243 at SUSECVE-2020-12243 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
Security issue fixed:
- CVE-2020-3899: Fixed a memory consumption issue that could have led to remote code execution (bsc#1170643).
Non-security issues fixed:
- Update to version 2.28.2 (bsc#1170643):
+ Fix excessive CPU usage due to GdkFrameClock not being stopped.
+ Fix UI process crash when EGL_WL_bind_wayland_display extension
is not available.
+ Fix position of select popup menus in X11.
+ Fix playing of Youtube 'live stream'/H264 URLs.
+ Fix a crash under X11 when cairo uses xcb.
+ Fix the build in MIPS64.
+ Fix several crashes and rendering issues.
ImportantSUSE bug 1170643CVE-2020-3899 at SUSECVE-2020-3899 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ghostscript (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ghostscript to version 9.52 fixes the following issues:
- CVE-2020-12268: Fixed a heap-based buffer overflow in jbig2_image_compose (bsc#1170603).
ImportantSUSE bug 1170603CVE-2020-12268 at SUSECVE-2020-12268 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Update to version 68.8.0 ESR (bsc#1171186):
- CVE-2020-12387: Use-after-free during worker shutdown
- CVE-2020-12388: Sandbox escape with improperly guarded Access Tokens
- CVE-2020-12389: Sandbox escape with improperly separated process types
- CVE-2020-6831: Buffer overflow in SCTP chunk input validation
- CVE-2020-12392: Arbitrary local file access with 'Copy as cURL'
- CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection
- CVE-2020-12395: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
ImportantSUSE bug 1171186CVE-2020-12387 at SUSECVE-2020-12387 at NVDCVE-2020-12388 at SUSECVE-2020-12388 at NVDCVE-2020-12389 at SUSECVE-2020-12389 at NVDCVE-2020-12392 at SUSECVE-2020-12392 at NVDCVE-2020-12393 at SUSECVE-2020-12393 at NVDCVE-2020-12395 at SUSECVE-2020-12395 at NVDCVE-2020-6831 at SUSECVE-2020-6831 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for squid (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for squid fixes the following issues:
- CVE-2019-12519, CVE-2019-12521: fixes incorrect buffer handling that can
result in cache poisoning, remote execution, and denial of service attacks
when processing ESI responses (bsc#1169659).
- CVE-2020-11945: fixes a potential remote execution vulnerability
when using HTTP Digest Authentication (bsc#1170313).
- CVE-2019-12520, CVE-2019-12524: fixes a potential ACL bypass, cache-bypass
and cross-site scripting attack when processing invalid HTTP
Request messages (bsc#1170423).
ImportantSUSE bug 1169659SUSE bug 1170313SUSE bug 1170423CVE-2019-12519 at SUSECVE-2019-12519 at NVDCVE-2019-12520 at SUSECVE-2019-12520 at NVDCVE-2019-12521 at SUSECVE-2019-12521 at NVDCVE-2019-12524 at SUSECVE-2019-12524 at NVDCVE-2020-11945 at SUSECVE-2020-11945 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for apache2 fixes the following issues:
- CVE-2020-1934: mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server (bsc#1168404).
- CVE-2020-1927: mod_rewrite configurations vulnerable to open redirect (bsc#1168407).
- CVE-2020-1938: mod_proxy_ajp: Add 'secret' parameter to proxy workers to implement legacy AJP13 authentication (bsc#1169066).
ImportantSUSE bug 1168404SUSE bug 1168407SUSE bug 1169066CVE-2020-1927 at SUSECVE-2020-1927 at NVDCVE-2020-1934 at SUSECVE-2020-1934 at NVDCVE-2020-1938 at SUSECVE-2020-1938 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python-PyYAML (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-PyYAML fixes the following issues:
- CVE-2020-1747: Fixed an arbitrary code execution when YAML files are parsed by FullLoader (bsc#1165439).
ImportantSUSE bug 1165439CVE-2020-1747 at SUSECVE-2020-1747 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openexr (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openexr provides the following fix:
Security issues fixed:
- CVE-2020-11764: Fixed an out-of-bounds write in copyIntoFrameBuffer in ImfMisc.cpp (bsc#1169574).
- CVE-2020-11763: Fixed an out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp (bsc#1169576).
- CVE-2020-11758: Fixed an out-of-bounds read in ImfOptimizedPixelReading.h (bsc#1169573).
- CVE-2020-11760: Fixed an out-of-bounds read during RLE uncompression in rleUncompress in ImfRle.cpp (bsc#1169580).
Non-security issue fixed:
- Enable tests when building the package on x86_64. (bsc#1146648)
ModerateSUSE bug 1146648SUSE bug 1169573SUSE bug 1169574SUSE bug 1169576SUSE bug 1169580CVE-2020-11758 at SUSECVE-2020-11758 at NVDCVE-2020-11760 at SUSECVE-2020-11760 at NVDCVE-2020-11763 at SUSECVE-2020-11763 at NVDCVE-2020-11764 at SUSECVE-2020-11764 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for git (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for git to 2.26.2 fixes the following issues:
Security issue fixed:
- CVE-2020-11008: Specially crafted URLs may have tricked the credentials helper
to providing credential information that is not appropriate for the protocol
in use and host being contacted (bsc#1169936).
Non-security issue fixed:
- Fixed git-daemon not starting after conversion from sysvinit to systemd service (bsc#1169605).
- Enabled access for git-daemon in firewall configuration (bsc#1170302).
- Fixed problems with recent switch to protocol v2, which caused fetches transferring unreasonable amount of data (bsc#1170741).
ModerateSUSE bug 1149792SUSE bug 1168930SUSE bug 1169605SUSE bug 1169786SUSE bug 1169936SUSE bug 1170302SUSE bug 1170741SUSE bug 1170939CVE-2020-11008 at SUSECVE-2020-11008 at NVDCVE-2020-5260 at SUSECVE-2020-5260 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for mailman (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mailman fixes the following issues:
Security issue fixed:
- CVE-2020-12108: Fixed a content injection bug (bsc#1171363).
- CVE-2020-12137: Fixed a XSS vulnerability caused by MIME type confusion (bsc#1170558).
Non-security issue fixed:
- Fixed rights and ownership on /var/lib/mailman/archives (bsc#1167068).
- Don't default to invalid hosts for DEFAULT_EMAIL_HOST (bsc#682920).
ImportantSUSE bug 1167068SUSE bug 1170558SUSE bug 1171363SUSE bug 682920CVE-2020-12108 at SUSECVE-2020-12108 at NVDCVE-2020-12137 at SUSECVE-2020-12137 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ant (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ant fixes the following issues:
Security issue fixed:
- CVE-2018-10886: Fixed a path traversal vulnerability in malformed zip file paths, which allowed arbitrary file writes and could potentially lead to code execution (bsc#1100053).
Non-security issues fixed:
- Add rhino to the ant-apache-bsf optional tasks (bsc#1134001).
- Remove jakarta-commons-logging dependencies (bsc#1133997).
- Use apache-commons-logging in optional tasks
ModerateSUSE bug 1100053SUSE bug 1133997SUSE bug 1134001CVE-2018-10886 at SUSECVE-2018-10886 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for dpdk (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for dpdk fixes the following issues:
Security issue fixed:
- CVE-2020-10722: Fixed an integer overflow in vhost_user_set_log_base() (bsc#1171477 bsc#1171930).
ModerateSUSE bug 1171477SUSE bug 1171930CVE-2020-10722 at SUSECVE-2020-10722 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tomcat (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tomcat fixes the following issues:
CVE-2020-9484 (bsc#1171928)
Apache Tomcat Remote Code Execution via session persistence
If an attacker was able to control the contents and name of a file on a
server configured to use the PersistenceManager, then the attacker could
have triggered a remote code execution via deserialization of the file under
their control.
CVE-2019-12418 (bsc#1159723)
Local privilege escalation by manipulating the RMI registry and performing a man-in-the-middle attack
When Tomcat is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files was able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface.
The attacker could then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.
CVE-2019-0221 (bsc#1136085)
The SSI printenv command echoed user provided data without escaping, which
made it vulnerable to XSS.
CVE-2019-17563 (bsc#1159729)
When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack.
CVE-2019-17569 (bsc#1164825)
Invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling
if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header.
ImportantSUSE bug 1136085SUSE bug 1159723SUSE bug 1159729SUSE bug 1164825SUSE bug 1171928CVE-2019-0221 at SUSECVE-2019-0221 at NVDCVE-2019-12418 at SUSECVE-2019-12418 at NVDCVE-2019-17563 at SUSECVE-2019-17563 at NVDCVE-2019-17569 at SUSECVE-2019-17569 at NVDCVE-2020-9484 at SUSECVE-2020-9484 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for file-roller (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for file-roller fixes the following issues:
Security issue fixed:
- CVE-2020-11736: Fixed a directory traversal vulnerability due to improper checking whether a file's parent is an external symlink (bsc#1169428).
ModerateSUSE bug 1169428CVE-2020-11736 at SUSECVE-2020-11736 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python to version 2.7.17 fixes the following issues:
Syncing with lots of upstream bug fixes and security fixes.
Bug fixes:
- CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825).
- CVE-2019-18348: Fixed a CRLF injection via the host part of the url passed to urlopen(). Now an InvalidURL exception is raised (bsc#1155094).
- CVE-2020-8492: Fixed a regular expression in urllib that was prone to denial of service via HTTP (bsc#1162367).
- Fixed mismatches between libpython and python-base versions (bsc#1162224).
- Fixed segfault in libpython2.7.so.1 (bsc#1073748).
- Unified packages among openSUSE:Factory and SLE versions (bsc#1159035).
- Added idle.desktop and idle.appdata.xml to provide IDLE in menus (bsc#1153830).
- Excluded tsl_check files from python-base to prevent file conflict with python-strict-tls-checks package (bsc#945401).
- Changed the name of idle3 icons to idle3.png to avoid collision with Python 2 version (bsc#1165894).
Additionally a new 'shared-python-startup' package is provided containing startup files.
python-rpm-macros was updated to fix:
- Do not write .pyc files for tests (bsc#1171561)
ModerateSUSE bug 1027282SUSE bug 1041090SUSE bug 1042670SUSE bug 1073269SUSE bug 1073748SUSE bug 1078326SUSE bug 1078485SUSE bug 1081750SUSE bug 1084650SUSE bug 1086001SUSE bug 1149792SUSE bug 1153830SUSE bug 1155094SUSE bug 1159035SUSE bug 1162224SUSE bug 1162367SUSE bug 1162825SUSE bug 1165894SUSE bug 1170411SUSE bug 1171561SUSE bug 945401CVE-2019-18348 at SUSECVE-2019-18348 at NVDCVE-2019-9674 at SUSECVE-2019-9674 at NVDCVE-2020-8492 at SUSECVE-2020-8492 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for krb5-appl (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for krb5-appl fixes the following issues:
- CVE-2020-10188: Fixed a remote root execution (bsc#1165787).
ImportantSUSE bug 1165787CVE-2020-10188 at SUSECVE-2020-10188 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libexif (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libexif fixes the following issues:
Security issues fixed:
- CVE-2016-6328: Fixed an integer overflow in parsing MNOTE entry data of the input file (bsc#1055857).
- CVE-2017-7544: Fixed an out-of-bounds heap read vulnerability in exif_data_save_data_entry function in libexif/exif-data.c (bsc#1059893).
- CVE-2018-20030: Fixed a denial of service by endless recursion (bsc#1120943).
- CVE-2019-9278: Fixed an integer overflow (bsc#1160770).
- CVE-2020-0093: Fixed an out-of-bounds read in exif_data_save_data_entry (bsc#1171847).
- CVE-2020-12767: Fixed a divide-by-zero error in exif_entry_get_value (bsc#1171475).
- CVE-2020-13112: Fixed a time consumption DoS when parsing canon array markers (bsc#1172121).
- CVE-2020-13113: Fixed a potential use of uninitialized memory (bsc#1172105).
- CVE-2020-13114: Fixed various buffer overread fixes due to integer overflows in maker notes (bsc#1172116).
Non-security issues fixed:
- libexif was updated to version 0.6.22:
* New translations: ms
* Updated translations for most languages
* Some useful EXIF 2.3 tag added:
* EXIF_TAG_GAMMA
* EXIF_TAG_COMPOSITE_IMAGE
* EXIF_TAG_SOURCE_IMAGE_NUMBER_OF_COMPOSITE_IMAGE
* EXIF_TAG_SOURCE_EXPOSURE_TIMES_OF_COMPOSITE_IMAGE
* EXIF_TAG_GPS_H_POSITIONING_ERROR
* EXIF_TAG_CAMERA_OWNER_NAME
* EXIF_TAG_BODY_SERIAL_NUMBER
* EXIF_TAG_LENS_SPECIFICATION
* EXIF_TAG_LENS_MAKE
* EXIF_TAG_LENS_MODEL
* EXIF_TAG_LENS_SERIAL_NUMBER
ModerateSUSE bug 1055857SUSE bug 1059893SUSE bug 1120943SUSE bug 1160770SUSE bug 1171475SUSE bug 1171847SUSE bug 1172105SUSE bug 1172116SUSE bug 1172121CVE-2016-6328 at SUSECVE-2016-6328 at NVDCVE-2017-7544 at SUSECVE-2017-7544 at NVDCVE-2018-20030 at SUSECVE-2018-20030 at NVDCVE-2019-9278 at SUSECVE-2019-9278 at NVDCVE-2020-0093 at SUSECVE-2020-0093 at NVDCVE-2020-12767 at SUSECVE-2020-12767 at NVDCVE-2020-13112 at SUSECVE-2020-13112 at NVDCVE-2020-13113 at SUSECVE-2020-13113 at NVDCVE-2020-13114 at SUSECVE-2020-13114 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for qemu (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for qemu fixes the following issues:
Security issues fixed:
- CVE-2020-1711: Fixed a potential OOB access in the iSCSI client code (bsc#1166240).
- CVE-2019-12068: Fixed a potential DoS in the LSI SCSI controller emulation (bsc#1146873).
- CVE-2020-1983: Fixed a use-after-free in the ip_reass function of slirp (bsc#1170940).
- CVE-2020-8608: Fixed a potential OOB access in slirp (bsc#1163018).
- CVE-2020-7039: Fixed a potential OOB access in slirp (bsc#1161066).
- CVE-2019-15890: Fixed a use-after-free during packet reassembly in slirp (bsc#1149811).
- Fixed multiple potential DoS issues in SLIRP, similar to CVE-2019-6778 (bsc#1123156).
Non-security issue fixed:
- Make sure that required memory is mapped properly during an incoming migration of a Xen HVM domU (bsc#1160024).
ModerateSUSE bug 1123156SUSE bug 1146873SUSE bug 1149811SUSE bug 1160024SUSE bug 1161066SUSE bug 1163018SUSE bug 1166240SUSE bug 1170940CVE-2019-12068 at SUSECVE-2019-12068 at NVDCVE-2019-15890 at SUSECVE-2019-15890 at NVDCVE-2019-6778 at SUSECVE-2019-6778 at NVDCVE-2020-1711 at SUSECVE-2020-1711 at NVDCVE-2020-1983 at SUSECVE-2020-1983 at NVDCVE-2020-7039 at SUSECVE-2020-7039 at NVDCVE-2020-8608 at SUSECVE-2020-8608 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for vim (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for vim fixes the following issues:
- CVE-2019-20807: Fixed an issue where escaping from the restrictive mode of vim
was possible using interfaces (bsc#1172225 and bsc#1172031).
ModerateSUSE bug 1172031SUSE bug 1172225CVE-2019-20807 at SUSECVE-2019-20807 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
- MozillaFirefox was updated to version 68.9.0 Extended Support Release (bsc#1172402).
- CVE-2020-12405: Fixed a use-after-free in SharedWorkerService.
- CVE-2020-12406: Fixed a JavaScript Type confusion with NativeTypes.
- CVE-2020-12410: Fixed multiple memory safety bugs.
ImportantSUSE bug 1172402CVE-2020-12405 at SUSECVE-2020-12405 at NVDCVE-2020-12406 at SUSECVE-2020-12406 at NVDCVE-2020-12410 at SUSECVE-2020-12410 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ruby2.1 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ruby2.1 fixes the following issues:
Security issues fixed:
- CVE-2015-9096: Fixed an SMTP command injection via CRLFsequences in a RCPT TO or MAIL FROM command (bsc#1043983).
- CVE-2016-7798: Fixed an IV Reuse in GCM Mode (bsc#1055265).
- CVE-2017-0898: Fixed a buffer underrun vulnerability in Kernel.sprintf (bsc#1058755).
- CVE-2017-0899: Fixed an issue with malicious gem specifications, insufficient sanitation when printing gem specifications could have included terminal characters (bsc#1056286).
- CVE-2017-0900: Fixed an issue with malicious gem specifications, the query command could have led to a denial of service attack against clients (bsc#1056286).
- CVE-2017-0901: Fixed an issue with malicious gem specifications, potentially overwriting arbitrary files on the client system (bsc#1056286).
- CVE-2017-0902: Fixed an issue with malicious gem specifications, that could have enabled MITM attacks against clients (bsc#1056286).
- CVE-2017-0903: Fixed an unsafe object deserialization vulnerability (bsc#1062452).
- CVE-2017-9228: Fixed a heap out-of-bounds write in bitset_set_range() during regex compilation (bsc#1069607).
- CVE-2017-9229: Fixed an invalid pointer dereference in left_adjust_char_head() in oniguruma (bsc#1069632).
- CVE-2017-10784: Fixed an escape sequence injection vulnerability in the Basic authentication of WEBrick (bsc#1058754).
- CVE-2017-14033: Fixed a buffer underrun vulnerability in OpenSSL ASN1 decode (bsc#1058757).
- CVE-2017-14064: Fixed an arbitrary memory exposure during a JSON.generate call (bsc#1056782).
- CVE-2017-17405: Fixed a command injection vulnerability in Net::FTP (bsc#1073002).
- CVE-2017-17742: Fixed an HTTP response splitting issue in WEBrick (bsc#1087434).
- CVE-2017-17790: Fixed a command injection in lib/resolv.rb:lazy_initialize() (bsc#1078782).
- CVE-2018-6914: Fixed an unintentional file and directory creation with directory traversal in tempfile and tmpdir (bsc#1087441).
- CVE-2018-8777: Fixed a potential DoS caused by large requests in WEBrick (bsc#1087436).
- CVE-2018-8778: Fixed a buffer under-read in String#unpack (bsc#1087433).
- CVE-2018-8779: Fixed an unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket (bsc#1087440).
- CVE-2018-8780: Fixed an unintentional directory traversal by poisoned NUL byte in Dir (bsc#1087437).
- CVE-2018-16395: Fixed an issue with OpenSSL::X509::Name equality checking (bsc#1112530).
- CVE-2018-16396: Fixed an issue with tainted string handling, where the flag was not propagated in Array#pack and String#unpack with some directives (bsc#1112532).
- CVE-2018-1000073: Fixed a path traversal issue (bsc#1082007).
- CVE-2018-1000074: Fixed an unsafe object deserialization vulnerability in gem owner, allowing arbitrary code execution with specially crafted YAML (bsc#1082008).
- CVE-2018-1000075: Fixed an infinite loop vulnerability due to negative size in tar header causes Denial of Service (bsc#1082014).
- CVE-2018-1000076: Fixed an improper verification of signatures in tarballs (bsc#1082009).
- CVE-2018-1000077: Fixed an improper URL validation in the homepage attribute of ruby gems (bsc#1082010).
- CVE-2018-1000078: Fixed a XSS vulnerability in the homepage attribute when displayed via gem server (bsc#1082011).
- CVE-2018-1000079: Fixed a path traversal issue during gem installation allows to write to arbitrary filesystem locations (bsc#1082058).
- CVE-2019-8320: Fixed a directory traversal issue when decompressing tar files (bsc#1130627).
- CVE-2019-8321: Fixed an escape sequence injection vulnerability in verbose (bsc#1130623).
- CVE-2019-8322: Fixed an escape sequence injection vulnerability in gem owner (bsc#1130622).
- CVE-2019-8323: Fixed an escape sequence injection vulnerability in API response handling (bsc#1130620).
- CVE-2019-8324: Fixed an issue with malicious gems that may have led to arbitrary code execution (bsc#1130617).
- CVE-2019-8325: Fixed an escape sequence injection vulnerability in errors (bsc#1130611).
- CVE-2019-15845: Fixed a NUL injection vulnerability in File.fnmatch and File.fnmatch? (bsc#1152994).
- CVE-2019-16201: Fixed a regular expression denial of service vulnerability in WEBrick's digest access authentication (bsc#1152995).
- CVE-2019-16254: Fixed an HTTP response splitting vulnerability in WEBrick (bsc#1152992).
- CVE-2019-16255: Fixed a code injection vulnerability in Shell#[] and Shell#test (bsc#1152990).
- CVE-2020-10663: Fixed an unsafe object creation vulnerability in JSON (bsc#1171517).
Non-security issue fixed:
- Add conflicts to libruby to make sure ruby and ruby-stdlib are also updated when libruby is updated (bsc#1048072).
Also yast2-ruby-bindings on SLES 12 SP2 LTSS was updated to handle the updated ruby interpreter. (bsc#1172275)
ImportantSUSE bug 1043983SUSE bug 1048072SUSE bug 1055265SUSE bug 1056286SUSE bug 1056782SUSE bug 1058754SUSE bug 1058755SUSE bug 1058757SUSE bug 1062452SUSE bug 1069607SUSE bug 1069632SUSE bug 1073002SUSE bug 1078782SUSE bug 1082007SUSE bug 1082008SUSE bug 1082009SUSE bug 1082010SUSE bug 1082011SUSE bug 1082014SUSE bug 1082058SUSE bug 1087433SUSE bug 1087434SUSE bug 1087436SUSE bug 1087437SUSE bug 1087440SUSE bug 1087441SUSE bug 1112530SUSE bug 1112532SUSE bug 1130611SUSE bug 1130617SUSE bug 1130620SUSE bug 1130622SUSE bug 1130623SUSE bug 1130627SUSE bug 1152990SUSE bug 1152992SUSE bug 1152994SUSE bug 1152995SUSE bug 1171517SUSE bug 1172275CVE-2015-9096 at SUSECVE-2015-9096 at NVDCVE-2016-2339 at SUSECVE-2016-2339 at NVDCVE-2016-7798 at SUSECVE-2016-7798 at NVDCVE-2017-0898 at SUSECVE-2017-0898 at NVDCVE-2017-0899 at SUSECVE-2017-0899 at NVDCVE-2017-0900 at SUSECVE-2017-0900 at NVDCVE-2017-0901 at SUSECVE-2017-0901 at NVDCVE-2017-0902 at SUSECVE-2017-0902 at NVDCVE-2017-0903 at SUSECVE-2017-0903 at NVDCVE-2017-10784 at SUSECVE-2017-10784 at NVDCVE-2017-14033 at SUSECVE-2017-14033 at NVDCVE-2017-14064 at SUSECVE-2017-14064 at NVDCVE-2017-17405 at SUSECVE-2017-17405 at NVDCVE-2017-17742 at SUSECVE-2017-17742 at NVDCVE-2017-17790 at SUSECVE-2017-17790 at NVDCVE-2017-9228 at SUSECVE-2017-9228 at NVDCVE-2017-9229 at SUSECVE-2017-9229 at NVDCVE-2018-1000073 at SUSECVE-2018-1000073 at NVDCVE-2018-1000074 at SUSECVE-2018-1000074 at NVDCVE-2018-1000075 at SUSECVE-2018-1000075 at NVDCVE-2018-1000076 at SUSECVE-2018-1000076 at NVDCVE-2018-1000077 at SUSECVE-2018-1000077 at NVDCVE-2018-1000078 at SUSECVE-2018-1000078 at NVDCVE-2018-1000079 at SUSECVE-2018-1000079 at NVDCVE-2018-16395 at SUSECVE-2018-16395 at NVDCVE-2018-16396 at SUSECVE-2018-16396 at NVDCVE-2018-6914 at SUSECVE-2018-6914 at NVDCVE-2018-8777 at SUSECVE-2018-8777 at NVDCVE-2018-8778 at SUSECVE-2018-8778 at NVDCVE-2018-8779 at SUSECVE-2018-8779 at NVDCVE-2018-8780 at SUSECVE-2018-8780 at NVDCVE-2019-15845 at SUSECVE-2019-15845 at NVDCVE-2019-16201 at SUSECVE-2019-16201 at NVDCVE-2019-16254 at SUSECVE-2019-16254 at NVDCVE-2019-16255 at SUSECVE-2019-16255 at NVDCVE-2019-8320 at SUSECVE-2019-8320 at NVDCVE-2019-8321 at SUSECVE-2019-8321 at NVDCVE-2019-8322 at SUSECVE-2019-8322 at NVDCVE-2019-8323 at SUSECVE-2019-8323 at NVDCVE-2019-8324 at SUSECVE-2019-8324 at NVDCVE-2019-8325 at SUSECVE-2019-8325 at NVDCVE-2020-10663 at SUSECVE-2020-10663 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_7_0-openjdk to version 7u261 fixes the following issues:
- CVE-2020-2756: Better mapping of serial ENUMs (bsc#1169511)
- CVE-2020-2757: Less Blocking Array Queues (bsc#1169511)
- CVE-2020-2773: Better signatures in XML (bsc#1169511)
- CVE-2020-2781: Improve TLS session handling (bsc#1169511)
- CVE-2020-2800: Better Headings for HTTP Servers (bsc#1169511)
- CVE-2020-2803: Enhance buffering of byte buffers (bsc#1169511)
- CVE-2020-2805: Enhance typing of methods (bsc#1169511)
- CVE-2020-2830: Better Scanner conversions (bsc#1169511)
ImportantSUSE bug 1169511CVE-2020-2756 at SUSECVE-2020-2756 at NVDCVE-2020-2757 at SUSECVE-2020-2757 at NVDCVE-2020-2773 at SUSECVE-2020-2773 at NVDCVE-2020-2781 at SUSECVE-2020-2781 at NVDCVE-2020-2800 at SUSECVE-2020-2800 at NVDCVE-2020-2803 at SUSECVE-2020-2803 at NVDCVE-2020-2805 at SUSECVE-2020-2805 at NVDCVE-2020-2830 at SUSECVE-2020-2830 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for texlive (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for texlive fixes the following issues:
Security issues fixed:
- CVE-2020-8016: Fixed a race condition in the spec file (bsc#1159740).
- CVE-2020-8017: Fixed a race condition on a cron job (bsc#1158910).
- Fixed an issue where pstopdf was crashing (bsc#1138793).
ModerateSUSE bug 1138793SUSE bug 1158910SUSE bug 1159740CVE-2020-8016 at SUSECVE-2020-8016 at NVDCVE-2020-8017 at SUSECVE-2020-8017 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tigervnc (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tigervnc fixes the following issues:
- CVE-2019-15691: Fixed a use-after-return due to incorrect usage of stack memory in ZRLEDecoder (bsc#1159856).
- CVE-2019-15692: Fixed a heap-based buffer overflow in CopyRectDecode (bsc#1160250).
- CVE-2019-15693: Fixed a heap-based buffer overflow in TightDecoder::FilterGradient (bsc#1159858).
- CVE-2019-15694: Fixed a heap-based buffer overflow, caused by improper error handling in processing MemOutStream (bsc#1160251).
- CVE-2019-15695: Fixed a stack-based buffer overflow, which could be triggered from CMsgReader::readSetCursor (bsc#1159860).
ImportantSUSE bug 1159856SUSE bug 1159858SUSE bug 1159860SUSE bug 1160250SUSE bug 1160251SUSE bug 1160937CVE-2019-15691 at SUSECVE-2019-15691 at NVDCVE-2019-15692 at SUSECVE-2019-15692 at NVDCVE-2019-15693 at SUSECVE-2019-15693 at NVDCVE-2019-15694 at SUSECVE-2019-15694 at NVDCVE-2019-15695 at SUSECVE-2019-15695 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ucode-intel (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ucode-intel fixes the following issues:
Updated Intel CPU Microcode to 20200602 (prerelease) (bsc#1172466)
This update contains security mitigations for:
- CVE-2020-0543: Fixed a side channel attack against special registers
which could have resulted in leaking of read values to cores other
than the one which called it. This attack is known as Special Register
Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).
- CVE-2020-0548,CVE-2020-0549: Additional ucode updates were supplied to
mitigate the Vector Register and L1D Eviction Sampling aka 'CacheOutAttack'
attacks. (bsc#1156353)
Microcode Table:
Processor Identifier Version Products
Model Stepping F-MO-S/PI Old->New
---- new platforms ----------------------------------------
---- updated platforms ------------------------------------
HSW C0 6-3c-3/32 00000027->00000028 Core Gen4
BDW-U/Y E0/F0 6-3d-4/c0 0000002e->0000002f Core Gen5
HSW-U C0/D0 6-45-1/72 00000025->00000026 Core Gen4
HSW-H C0 6-46-1/32 0000001b->0000001c Core Gen4
BDW-H/E3 E0/G0 6-47-1/22 00000021->00000022 Core Gen5
SKL-U/Y D0 6-4e-3/c0 000000d6->000000dc Core Gen6 Mobile
SKL-U23e K1 6-4e-3/c0 000000d6->000000dc Core Gen6 Mobile
SKX-SP B1 6-55-3/97 01000151->01000157 Xeon Scalable
SKX-SP H0/M0/U0 6-55-4/b7 02000065->02006906 Xeon Scalable
SKX-D M1 6-55-4/b7 02000065->02006906 Xeon D-21xx
CLX-SP B0 6-55-6/bf 0400002c->04002f01 Xeon Scalable Gen2
CLX-SP B1 6-55-7/bf 0500002c->04002f01 Xeon Scalable Gen2
SKL-H/S R0/N0 6-5e-3/36 000000d6->000000dc Core Gen6; Xeon E3 v5
AML-Y22 H0 6-8e-9/10 000000ca->000000d6 Core Gen8 Mobile
KBL-U/Y H0 6-8e-9/c0 000000ca->000000d6 Core Gen7 Mobile
CFL-U43e D0 6-8e-a/c0 000000ca->000000d6 Core Gen8 Mobile
WHL-U W0 6-8e-b/d0 000000ca->000000d6 Core Gen8 Mobile
AML-Y42 V0 6-8e-c/94 000000ca->000000d6 Core Gen10 Mobile
CML-Y42 V0 6-8e-c/94 000000ca->000000d6 Core Gen10 Mobile
WHL-U V0 6-8e-c/94 000000ca->000000d6 Core Gen8 Mobile
KBL-G/H/S/E3 B0 6-9e-9/2a 000000ca->000000d6 Core Gen7; Xeon E3 v6
CFL-H/S/E3 U0 6-9e-a/22 000000ca->000000d6 Core Gen8 Desktop, Mobile, Xeon E
CFL-S B0 6-9e-b/02 000000ca->000000d6 Core Gen8
CFL-H/S P0 6-9e-c/22 000000ca->000000d6 Core Gen9
CFL-H R0 6-9e-d/22 000000ca->000000d6 Core Gen9 Mobile
Also contains the Intel CPU Microcode update to 20200520:
Processor Identifier Version Products
Model Stepping F-MO-S/PI Old->New
---- new platforms ----------------------------------------
---- updated platforms ------------------------------------
SNB-E/EN/EP C1/M0 6-2d-6/6d 0000061f->00000621 Xeon E3/E5, Core X
SNB-E/EN/EP C2/M1 6-2d-7/6d 00000718->0000071a Xeon E3/E5, Core X
ModerateSUSE bug 1154824SUSE bug 1156353SUSE bug 1172466CVE-2020-0543 at SUSECVE-2020-0543 at NVDCVE-2020-0548 at SUSECVE-2020-0548 at NVDCVE-2020-0549 at SUSECVE-2020-0549 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for virglrenderer (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for virglrenderer fixes the following issues:
- CVE-2019-18388: Fixed a null pointer dereference which could have led
to denial of service (bsc#1159479).
- CVE-2019-18390: Fixed an out of bound read which could have led to
denial of service (bsc#1159478).
- CVE-2019-18389: Fixed a heap buffer overflow which could have led to
guest escape or denial of service (bsc#1159482).
- CVE-2019-18391: Fixed a heap based buffer overflow which could have led to
guest escape or denial of service (bsc#1159486).
ImportantSUSE bug 1159478SUSE bug 1159479SUSE bug 1159482SUSE bug 1159486CVE-2019-18388 at SUSECVE-2019-18388 at NVDCVE-2019-18389 at SUSECVE-2019-18389 at NVDCVE-2019-18390 at SUSECVE-2019-18390 at NVDCVE-2019-18391 at SUSECVE-2019-18391 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ed (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ed fixes the following security issue:
- CVE-2017-5357: An invalid free in the regular expression handling
of the 'ed' command processing could allow local users to crash ed. (bsc#1019807)
LowSUSE bug 1019807CVE-2017-5357 at SUSECVE-2017-5357 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for adns (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for adns fixes the following issues:
- CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9109: Fixed an issue in local recursive resolver
which could have led to remote code execution (bsc#1172265).
- CVE-2017-9106: Fixed an issue with upstream DNS data sources which could have led to denial of
service (bsc#1172265).
- CVE-2017-9107: Fixed an issue when quering domain names which could have led to denial of service (bsc#1172265).
- CVE-2017-9108: Fixed an issue which could have led to denial of service (bsc#1172265).
ImportantSUSE bug 1172265CVE-2017-9103 at SUSECVE-2017-9103 at NVDCVE-2017-9104 at SUSECVE-2017-9104 at NVDCVE-2017-9105 at SUSECVE-2017-9105 at NVDCVE-2017-9106 at SUSECVE-2017-9106 at NVDCVE-2017-9107 at SUSECVE-2017-9107 at NVDCVE-2017-9108 at SUSECVE-2017-9108 at NVDCVE-2017-9109 at SUSECVE-2017-9109 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for audiofile (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for audiofile fixes the following issues:
Security issue fixed:
- CVE-2018-13440: Return AF_FAIL instead of causing NULL pointer dereferences later (bsc#1100523).
LowSUSE bug 1100523CVE-2018-13440 at SUSECVE-2018-13440 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for mariadb (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mariadb fixes the following issues:
mariadb was updated to version 10.0.44 (bsc#1171550)
- CVE-2020-2752: Fixed an issue which could have resulted in unauthorized ability to cause denial of service.
- CVE-2020-2812: Fixed an issue which could have resulted in unauthorized ability to cause denial of service.
ModerateSUSE bug 1171550CVE-2020-2752 at SUSECVE-2020-2752 at NVDCVE-2020-2812 at SUSECVE-2020-2812 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
- CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it.
This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1172205).
- CVE-2020-11742: Bad continuation handling in GNTTABOP_copy (bsc#1169392).
- CVE-2020-11740, CVE-2020-11741: xen: XSA-313 multiple xenoprof issues (bsc#1168140).
- CVE-2020-11739: Missing memory barriers in read-write unlock paths (bsc#1168142).
- CVE-2019-19583: Fixed improper checks which could have allowed HVM/PVH guest userspace code to crash the guest, leading to a guest denial of service (bsc#1158004 XSA-308).
- CVE-2019-19581: Fixed a potential out of bounds on 32-bit Arm (bsc#1158003 XSA-307).
- CVE-2019-19580: Fixed a privilege escalation where a malicious PV guest administrator could have been able to escalate their privilege to that of the host (bsc#1158006 XSA-310).
- CVE-2019-19579: Fixed a privilege escalation where an untrusted domain with access to a physical device can DMA into host memory (bsc#1157888 XSA-306).
- CVE-2019-19578: Fixed an issue where a malicious or buggy PV guest could have caused hypervisor crash resulting in denial of service affecting the entire host (bsc#1158005 XSA-309).
- CVE-2019-19577: Fixed an issue where a malicious guest administrator could have caused Xen to access data structures while they are being modified leading to a crash (bsc#1158007 XSA-311).
- Xenstored Crashed during VM install (bsc#1167152)
ImportantSUSE bug 1157888SUSE bug 1158003SUSE bug 1158004SUSE bug 1158005SUSE bug 1158006SUSE bug 1158007SUSE bug 1161181SUSE bug 1167152SUSE bug 1168140SUSE bug 1168142SUSE bug 1169392SUSE bug 1172205CVE-2019-19577 at SUSECVE-2019-19577 at NVDCVE-2019-19578 at SUSECVE-2019-19578 at NVDCVE-2019-19579 at SUSECVE-2019-19579 at NVDCVE-2019-19580 at SUSECVE-2019-19580 at NVDCVE-2019-19581 at SUSECVE-2019-19581 at NVDCVE-2019-19583 at SUSECVE-2019-19583 at NVDCVE-2020-0543 at SUSECVE-2020-0543 at NVDCVE-2020-11739 at SUSECVE-2020-11739 at NVDCVE-2020-11740 at SUSECVE-2020-11740 at NVDCVE-2020-11741 at SUSECVE-2020-11741 at NVDCVE-2020-11742 at SUSECVE-2020-11742 at NVDCVE-2020-7211 at SUSECVE-2020-7211 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gnuplot (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gnuplot fixes the following issues:
Following security issues were fixed:
- CVE-2018-19492: Fixed a buffer overflow in cairotrm_options function (bsc#1117463)
- CVE-2018-19491: Fixed a buffer overlow in the PS_options function (bsc#1117464)
- CVE-2018-19490: Fixed a heap-based buffer overflow in the df_generate_ascii_array_entry function (bsc#1117465)
- CVE-2017-9670: Fixed a uninitialized stack variable vulnerability which could lead to a Denial of Service (bsc#1044638)
ModerateSUSE bug 1044638SUSE bug 1117463SUSE bug 1117464SUSE bug 1117465CVE-2017-9670 at SUSECVE-2017-9670 at NVDCVE-2018-19490 at SUSECVE-2018-19490 at NVDCVE-2018-19491 at SUSECVE-2018-19491 at NVDCVE-2018-19492 at SUSECVE-2018-19492 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for perl (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for perl fixes the following issues:
- CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have
allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of
instructions into the compiled form of Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a
compiled regular expression (bsc#1171866).
- Fixed utf8 handling in perldoc by useing 'term' instead of 'man' (bsc#1170601).
- Some packages make assumptions about the date and time they are built.
This update will solve the issues caused by calling the perl function timelocal
expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039)
ImportantSUSE bug 1102840SUSE bug 1160039SUSE bug 1170601SUSE bug 1171863SUSE bug 1171864SUSE bug 1171866CVE-2020-10543 at SUSECVE-2020-10543 at NVDCVE-2020-10878 at SUSECVE-2020-10878 at NVDCVE-2020-12723 at SUSECVE-2020-12723 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_7_1-ibm fixes the following issues:
java-1_7_1-ibm was updated to Java 7.1 Service Refresh 4 Fix Pack 65 (bsc#1172277 and bsc#1169511)
- CVE-2020-2654: Fixed an issue which could have resulted in unauthorized ability to cause a partial denial of service
- CVE-2020-2756: Improved mapping of serial ENUMs
- CVE-2020-2757: Less Blocking Array Queues
- CVE-2020-2781: Improved TLS session handling
- CVE-2020-2800: Improved Headings for HTTP Servers
- CVE-2020-2803: Enhanced buffering of byte buffers
- CVE-2020-2805: Enhanced typing of methods
- CVE-2020-2830: Improved Scanner conversions
ImportantSUSE bug 1169511SUSE bug 1172277CVE-2020-2654 at SUSECVE-2020-2654 at NVDCVE-2020-2756 at SUSECVE-2020-2756 at NVDCVE-2020-2757 at SUSECVE-2020-2757 at NVDCVE-2020-2781 at SUSECVE-2020-2781 at NVDCVE-2020-2800 at SUSECVE-2020-2800 at NVDCVE-2020-2803 at SUSECVE-2020-2803 at NVDCVE-2020-2805 at SUSECVE-2020-2805 at NVDCVE-2020-2830 at SUSECVE-2020-2830 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-ibm fixes the following issues:
java-1_8_0-ibm was updated to Java 8.0 Service Refresh 6 Fix Pack 10 (bsc#1172277,bsc#1169511,bsc#1160968)
- CVE-2020-2654: Fixed an issue which could have resulted in unauthorized ability to cause a partial denial of service
- CVE-2020-2754: Forwarded references to Nashorn
- CVE-2020-2755: Improved Nashorn matching
- CVE-2020-2756: Improved mapping of serial ENUMs
- CVE-2020-2757: Less Blocking Array Queues
- CVE-2020-2781: Improved TLS session handling
- CVE-2020-2800: Improved Headings for HTTP Servers
- CVE-2020-2803: Enhanced buffering of byte buffers
- CVE-2020-2805: Enhanced typing of methods
- CVE-2020-2830: Improved Scanner conversions
- CVE-2019-2949: Fixed an issue which could have resulted in unauthorized access to critical data
- Added RSA PSS SUPPORT TO IBMPKCS11IMPL
- The pack200 and unpack200 alternatives should be slaves of java (bsc#1171352).
ImportantSUSE bug 1160968SUSE bug 1169511SUSE bug 1171352SUSE bug 1172277CVE-2019-2949 at SUSECVE-2019-2949 at NVDCVE-2020-2654 at SUSECVE-2020-2654 at NVDCVE-2020-2754 at SUSECVE-2020-2754 at NVDCVE-2020-2755 at SUSECVE-2020-2755 at NVDCVE-2020-2756 at SUSECVE-2020-2756 at NVDCVE-2020-2757 at SUSECVE-2020-2757 at NVDCVE-2020-2781 at SUSECVE-2020-2781 at NVDCVE-2020-2800 at SUSECVE-2020-2800 at NVDCVE-2020-2803 at SUSECVE-2020-2803 at NVDCVE-2020-2805 at SUSECVE-2020-2805 at NVDCVE-2020-2830 at SUSECVE-2020-2830 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-openjdk to version jdk8u252 fixes the following issues:
- CVE-2020-2754: Forward references to Nashorn (bsc#1169511)
- CVE-2020-2755: Improve Nashorn matching (bsc#1169511)
- CVE-2020-2756: Better mapping of serial ENUMs (bsc#1169511)
- CVE-2020-2757: Less Blocking Array Queues (bsc#1169511)
- CVE-2020-2773: Better signatures in XML (bsc#1169511)
- CVE-2020-2781: Improve TLS session handling (bsc#1169511)
- CVE-2020-2800: Better Headings for HTTP Servers (bsc#1169511)
- CVE-2020-2803: Enhance buffering of byte buffers (bsc#1169511)
- CVE-2020-2805: Enhance typing of methods (bsc#1169511)
- CVE-2020-2830: Better Scanner conversions (bsc#1169511)
ImportantSUSE bug 1160398SUSE bug 1169511CVE-2020-2754 at SUSECVE-2020-2754 at NVDCVE-2020-2755 at SUSECVE-2020-2755 at NVDCVE-2020-2756 at SUSECVE-2020-2756 at NVDCVE-2020-2757 at SUSECVE-2020-2757 at NVDCVE-2020-2773 at SUSECVE-2020-2773 at NVDCVE-2020-2781 at SUSECVE-2020-2781 at NVDCVE-2020-2800 at SUSECVE-2020-2800 at NVDCVE-2020-2803 at SUSECVE-2020-2803 at NVDCVE-2020-2805 at SUSECVE-2020-2805 at NVDCVE-2020-2830 at SUSECVE-2020-2830 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libgxps (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libgxps fixes the following issues:
- CVE-2018-10733: Fixed a heap-based buffer over-read issue in ft_font_face_hash (bsc#1092125).
ModerateSUSE bug 1092125CVE-2018-10733 at SUSECVE-2018-10733 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for curl (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for curl fixes the following issues:
- CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027).
ImportantSUSE bug 1173027CVE-2020-8177 at SUSECVE-2020-8177 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ceph (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This is a version update for ceph to version 12.2.13:
Security issue fixed:
- CVE-2020-10753: Fixed an HTTP header injection via CORS ExposeHeader tag (bsc#1171921).
- Notable changes in this update for ceph:
* mgr: telemetry: backported and now available on SES5.5. Please
consider enabling via 'ceph telemetry on' (bsc#1171670)
* OSD heartbeat ping time: new health warning, options and admin
commands (bsc#1171960)
* 'osd_calc_pg_upmaps_max_stddev' ceph.conf parameter has been
removed; use 'upmap_max_deviation' instead (bsc#1171961)
* Default maximum concurrent bluestore rocksdb compaction threads
raised from 1 to 2 for improved ability to keep up with rgw
bucket index workloads (bsc#1171963)
- Bug fixes in this ceph update:
* mon: Error message displayed when mon_osd_max_split_count would be
exceeded is not as user-friendly as it could be (bsc#1126230)
* ceph_volume_client: remove ceph mds calls in favor of ceph fs
calls (bsc#1136082)
* rgw: crypt: permit RGW-AUTO/default with SSE-S3 headers
(bsc#1157607)
* mon/AuthMonitor: don't validate fs caps on authorize (bsc#1161096)
- Additional bug fixes:
* ceph-volume: strip _dmcrypt suffix in simple scan json output (bsc#1162553) ImportantSUSE bug 1126230SUSE bug 1136082SUSE bug 1157607SUSE bug 1161096SUSE bug 1162553SUSE bug 1171670SUSE bug 1171921SUSE bug 1171960SUSE bug 1171961SUSE bug 1171963CVE-2020-10753 at SUSECVE-2020-10753 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tomcat (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tomcat fixes the following issues:
- CVE-2020-8022: Fixed a local root exploit due to improper permissions (bsc#1172405)
ImportantSUSE bug 1172405CVE-2020-8022 at SUSECVE-2020-8022 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python3-requests (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3-requests provides the following fix:
python-requests was updated to 2.20.1.
Update to version 2.20.1:
* Fixed bug with unintended Authorization header stripping for
redirects using default ports (http/80, https/443).
Update to version 2.20.0:
* Bugfixes
+ Content-Type header parsing is now case-insensitive
(e.g. charset=utf8 v Charset=utf8).
+ Fixed exception leak where certain redirect urls would raise
uncaught urllib3 exceptions.
+ Requests removes Authorization header from requests redirected
from https to http on the same hostname. (CVE-2018-18074)
+ should_bypass_proxies now handles URIs without hostnames
(e.g. files).
Update to version 2.19.1:
* Fixed issue where status_codes.py’s init function failed trying
to append to a __doc__ value of None.
Update to version 2.19.0:
* Improvements
+ Warn about possible slowdown with cryptography version < 1.3.4
+ Check host in proxy URL, before forwarding request to adapter.
+ Maintain fragments properly across redirects. (RFC7231 7.1.2)
+ Removed use of cgi module to expedite library load time.
+ Added support for SHA-256 and SHA-512 digest auth algorithms.
+ Minor performance improvement to Request.content.
* Bugfixes
+ Parsing empty Link headers with parse_header_links() no longer
return one bogus entry.
+ Fixed issue where loading the default certificate bundle from
a zip archive would raise an IOError.
+ Fixed issue with unexpected ImportError on windows system
which do not support winreg module.
+ DNS resolution in proxy bypass no longer includes the username
and password in the request. This also fixes the issue of DNS
queries failing on macOS.
+ Properly normalize adapter prefixes for url comparison.
+ Passing None as a file pointer to the files param no longer
raises an exception.
+ Calling copy on a RequestsCookieJar will now preserve the
cookie policy correctly.
Update to version 2.18.4:
* Improvements
+ Error messages for invalid headers now include the header name
for easier debugging
Update to version 2.18.3:
* Improvements
+ Running $ python -m requests.help now includes the installed
version of idna.
* Bugfixes
+ Fixed issue where Requests would raise ConnectionError instead
of SSLError when encountering SSL problems when using urllib3
v1.22.
- Add ca-certificates (and ca-certificates-mozilla) to dependencies, otherwise https
connections will fail.
ModerateSUSE bug 1054413SUSE bug 1073879SUSE bug 1111622SUSE bug 1122668SUSE bug 761500SUSE bug 922448SUSE bug 929736SUSE bug 935252SUSE bug 945455SUSE bug 947357SUSE bug 961596SUSE bug 967128CVE-2015-2296 at SUSECVE-2015-2296 at NVDCVE-2018-18074 at SUSECVE-2018-18074 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for mutt (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mutt fixes the following issues:
- CVE-2020-14954: Fixed a response injection due to a STARTTLS buffering issue which was
affecting IMAP, SMTP, and POP3 (bsc#1173197).
- CVE-2020-14093: Fixed a potential IMAP Man-in-the-Middle attack via a PREAUTH response (bsc#1172906, bsc#1172935).
- CVE-2020-14154: Fixed an issue where Mutt was ignoring an expired certificate and was
proceeding with a connection (bsc#1172906, bsc#1172935).
ImportantSUSE bug 1172906SUSE bug 1172935SUSE bug 1173197CVE-2020-14093 at SUSECVE-2020-14093 at NVDCVE-2020-14154 at SUSECVE-2020-14154 at NVDCVE-2020-14954 at SUSECVE-2020-14954 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for unzip (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for unzip fixes the following issues:
- CVE-2018-18384: Fixed a buffer overflow when listing files (bsc#1110194)
ModerateSUSE bug 1110194CVE-2018-18384 at SUSECVE-2018-18384 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for squid (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for squid fixes the following issues:
- CVE-2020-14059: Fixed an issue where a client could potentially deny the service of a server
during TLS Handshake (bsc#1173304).
- CVE-2019-18860: Fixed handling of invalid domain names in cachemgr.cgi (bsc#1167373).
ImportantSUSE bug 1167373SUSE bug 1173304CVE-2019-18860 at SUSECVE-2019-18860 at NVDCVE-2020-14059 at SUSECVE-2020-14059 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ntp (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ntp fixes the following issues:
ntp was updated to 4.2.8p15
- CVE-2020-11868: Fixed an issue which a server mode packet with spoofed source address
frequently send to the client ntpd could have caused denial of service (bsc#1169740).
- CVE-2018-8956: Fixed an issue which could have allowed remote attackers to prevent
a broadcast client from synchronizing its clock with a broadcast NTP server via spoofed
mode 3 and mode 5 packets (bsc#1171355).
- CVE-2020-13817: Fixed an issue which an off-path attacker with the ability to query time
from victim's ntpd instance could have modified the victim's clock by a limited amount (bsc#1172651).
- CVE-2020-15025: Fixed an issue which remote attacker could have caused denial of service by consuming
the memory when a CMAC key was used andassociated with a CMAC algorithm in the ntp.keys (bsc#1173334).
ModerateSUSE bug 1169740SUSE bug 1171355SUSE bug 1172651SUSE bug 1173334CVE-2018-8956 at SUSECVE-2018-8956 at NVDCVE-2020-11868 at SUSECVE-2020-11868 at NVDCVE-2020-13817 at SUSECVE-2020-13817 at NVDCVE-2020-15025 at SUSECVE-2020-15025 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for transfig (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for transfig fixes the following issues:
Security issue fixed:
- CVE-2019-14275: Fixed stack-based buffer overflow in the calc_arrow function (bsc#1143650).
- CVE-2018-16140: Fixed a buffer underwrite vulnerability in get_line() in
read.c, which allowed an attacker to write prior to the beginning of the
buffer via specially crafted .fig file (bsc#1106531)
LowSUSE bug 1106531SUSE bug 1143650CVE-2018-16140 at SUSECVE-2018-16140 at NVDCVE-2019-14275 at SUSECVE-2019-14275 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for mozilla-nspr, mozilla-nss (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to version 3.53.1
- CVE-2020-12402: Fixed a potential side channel attack during RSA key generation (bsc#1173032).
- CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978).
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- Fixed various FIPS issues in libfreebl3 which were causing segfaults in the test suite of chrony (bsc#1168669).
- Fixed an issue where Firefox tab was crashing (bsc#1170908).
Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes
mozilla-nspr to version 4.25
ImportantSUSE bug 1159819SUSE bug 1168669SUSE bug 1169746SUSE bug 1170908SUSE bug 1171978SUSE bug 1173022CVE-2019-17006 at SUSECVE-2019-17006 at NVDCVE-2020-12399 at SUSECVE-2020-12399 at NVDCVE-2020-12402 at SUSECVE-2020-12402 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for systemd (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for systemd fixes the following issues:
- CVE-2019-20386: Fixed a memory leak when executing the udevadm trigger command (bsc#1161436).
- Renamed the persistent link for ATA devices (bsc#1164538)
- shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315)
- tmpfiles: removed unnecessary assert (bsc#1171145)
- pid1: by default make user units inherit their umask from the user manager (bsc#1162698)
- manager: fixed job mode when signalled to shutdown etc (bsc#1161262)
- coredump: fixed bug that loses core dump files when core dumps are compressed and disk space is low. (bsc#1167622)
- udev: inform systemd how many workers we can potentially spawn (#4036) (bsc#1165633)
- libblkid: open device in nonblock mode. (bsc#1084671)
- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)
ModerateSUSE bug 1084671SUSE bug 1154256SUSE bug 1157315SUSE bug 1161262SUSE bug 1161436SUSE bug 1162698SUSE bug 1164538SUSE bug 1165633SUSE bug 1167622SUSE bug 1171145CVE-2019-20386 at SUSECVE-2019-20386 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openldap2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openldap2 fixes the following issues:
- CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).
- Changed DB_CONFIG to root:ldap permissions (bsc#1172704).
- Fixed an issue where slapd becomes unresponsive after many failed login/bind attempts(bsc#1170715).
ImportantSUSE bug 1170715SUSE bug 1172698SUSE bug 1172704CVE-2020-8023 at SUSECVE-2020-8023 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
- CVE-2020-15563: Fixed inverted code paths in x86 dirty VRAM tracking (bsc#1173377).
- CVE-2020-15565: Fixed insufficient cache write-back under VT-d (bsc#1173378).
- CVE-2020-15567: Fixed non-atomic modification of live EPT PTE (bsc#1173380).
ImportantSUSE bug 1173377SUSE bug 1173378SUSE bug 1173380CVE-2020-15563 at SUSECVE-2020-15563 at NVDCVE-2020-15565 at SUSECVE-2020-15565 at NVDCVE-2020-15567 at SUSECVE-2020-15567 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox to version 78.0.1 ESR fixes the following issues:
Security issues fixed:
- CVE-2020-12415: AppCache manifest poisoning due to url encoded character processing (bsc#1173576).
- CVE-2020-12416: Use-after-free in WebRTC VideoBroadcaster (bsc#1173576).
- CVE-2020-12417: Memory corruption due to missing sign-extension for ValueTags on ARM64 (bsc#1173576).
- CVE-2020-12418: Information disclosure due to manipulated URL object (bsc#1173576).
- CVE-2020-12419: Use-after-free in nsGlobalWindowInner (bsc#1173576).
- CVE-2020-12420: Use-After-Free when trying to connect to a STUN server (bsc#1173576).
- CVE-2020-12402: RSA Key Generation vulnerable to side-channel attack (bsc#1173576).
- CVE-2020-12421: Add-On updates did not respect the same certificate trust rules as software updates (bsc#1173576).
- CVE-2020-12422: Integer overflow in nsJPEGEncoder::emptyOutputBuffer (bsc#1173576).
- CVE-2020-12423: DLL Hijacking due to searching %PATH% for a library (bsc#1173576).
- CVE-2020-12424: WebRTC permission prompt could have been bypassed by a compromised content process (bsc#1173576).
- CVE-2020-12425: Out of bound read in Date.parse() (bsc#1173576).
- CVE-2020-12426: Memory safety bugs fixed in Firefox 78 (bsc#1173576).
- FIPS: MozillaFirefox: allow /proc/sys/crypto/fips_enabled (bsc#1167231).
Non-security issues fixed:
- Fixed interaction with freetype6 (bsc#1173613).
ImportantSUSE bug 1167231SUSE bug 1173576SUSE bug 1173613CVE-2020-12402 at SUSECVE-2020-12402 at NVDCVE-2020-12415 at SUSECVE-2020-12415 at NVDCVE-2020-12416 at SUSECVE-2020-12416 at NVDCVE-2020-12417 at SUSECVE-2020-12417 at NVDCVE-2020-12418 at SUSECVE-2020-12418 at NVDCVE-2020-12419 at SUSECVE-2020-12419 at NVDCVE-2020-12420 at SUSECVE-2020-12420 at NVDCVE-2020-12421 at SUSECVE-2020-12421 at NVDCVE-2020-12422 at SUSECVE-2020-12422 at NVDCVE-2020-12423 at SUSECVE-2020-12423 at NVDCVE-2020-12424 at SUSECVE-2020-12424 at NVDCVE-2020-12425 at SUSECVE-2020-12425 at NVDCVE-2020-12426 at SUSECVE-2020-12426 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for bind (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for bind fixes the following issues:
- Amended documentation referring to rule types 'krb5-subdomain'
and 'ms-subdomain'. This incorrect documentation could mislead
operators into believing that policies they had configured were
more restrictive than they actually were. [CVE-2018-5741]
- Further limit the number of queries that can be triggered from a
request. Root and TLD servers are no longer exempt from
max-recursion-queries. Fetches for missing name server address
records are limited to 4 for any domain. [CVE-2020-8616]
- Replaying a TSIG BADTIME response as a request could trigger an
assertion failure. [CVE-2020-8617]
[bsc#1109160, bsc#1171740,
CVE-2018-5741, bind-CVE-2018-5741.patch,
CVE-2020-8616, bind-CVE-2020-8616.patch,
CVE-2020-8617, bind-CVE-2020-8617.patch]
- Don't rely on /etc/insserv.conf anymore for proper dependencies
against nss-lookup.target in named.service and lwresd.service
(bsc#1118367 bsc#1118368)
- Using a drop-in file
ImportantSUSE bug 1109160SUSE bug 1118367SUSE bug 1118368SUSE bug 1171740CVE-2018-5741 at SUSECVE-2018-5741 at NVDCVE-2020-8616 at SUSECVE-2020-8616 at NVDCVE-2020-8617 at SUSECVE-2020-8617 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for squid (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for squid fixes the following issues:
- CVE-2020-15049.patch: fixes a Cache Poisoning and Request Smuggling
attack (CVE-2020-15049, bsc#1173455)
ImportantSUSE bug 1173455CVE-2020-15049 at SUSECVE-2020-15049 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for SUSE Manager Client Tools (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update fixes the following issues:
cobbler:
- Calculate relative path for kernel and inited when generating
grub entry (bsc#1170231)
Added: fix-grub2-entry-paths.diff
- Fix os-release version detection for SUSE
Modified: sles15.patch
- Jinja2 template library fix (bsc#1141661)
- Removes string replace for textmode fix (bsc#1134195)
golang-github-prometheus-node_exporter:
- Update to 0.18.1
* [BUGFIX] Fix incorrect sysctl call in BSD meminfo collector, resulting in broken swap metrics on FreeBSD #1345
* [BUGFIX] Fix rollover bug in mountstats collector #1364
* Renamed interface label to device in netclass collector for consistency with
* other network metrics #1224
* The cpufreq metrics now separate the cpufreq and scaling data based on what the driver provides. #1248
* The labels for the network_up metric have changed, see issue #1236
* Bonding collector now uses mii_status instead of operstatus #1124
* Several systemd metrics have been turned off by default to improve performance #1254
* These include unit_tasks_current, unit_tasks_max, service_restart_total, and unit_start_time_seconds
* The systemd collector blacklist now includes automount, device, mount, and slice units by default. #1255
* [CHANGE] Bonding state uses mii_status #1124
* [CHANGE] Add a limit to the number of in-flight requests #1166
* [CHANGE] Renamed interface label to device in netclass collector #1224
* [CHANGE] Add separate cpufreq and scaling metrics #1248
* [CHANGE] Several systemd metrics have been turned off by default to improve performance #1254
* [CHANGE] Expand systemd collector blacklist #1255
* [CHANGE] Split cpufreq metrics into a separate collector #1253
* [FEATURE] Add a flag to disable exporter metrics #1148
* [FEATURE] Add kstat-based Solaris metrics for boottime, cpu and zfs collectors #1197
* [FEATURE] Add uname collector for FreeBSD #1239
* [FEATURE] Add diskstats collector for OpenBSD #1250
* [FEATURE] Add pressure collector exposing pressure stall information for Linux #1174
* [FEATURE] Add perf exporter for Linux #1274
* [ENHANCEMENT] Add Infiniband counters #1120
* [ENHANCEMENT] Add TCPSynRetrans to netstat default filter #1143
* [ENHANCEMENT] Move network_up labels into new metric network_info #1236
* [ENHANCEMENT] Use 64-bit counters for Darwin netstat
* [BUGFIX] Add fallback for missing /proc/1/mounts #1172
* [BUGFIX] Fix node_textfile_mtime_seconds to work properly on symlinks #1326
- Add network-online (Wants and After) dependency to systemd unit bsc#1143913
golang-github-prometheus-prometheus:
- Update change log and spec file
+ Modified spec file: default to golang 1.14 to avoid 'have choice' build issues in OBS.
+ Rebase and update patches for version 2.18.0
+ Changed:
* 0002-Default-settings.patch Changed
- Update to 2.18.0
+ Features
* Tracing: Added experimental Jaeger support #7148
+ Changes
* Federation: Only use local TSDB for federation (ignore remote read). #7096
* Rules: `rule_evaluations_total` and `rule_evaluation_failures_total` have a `rule_group` label now. #7094
+ Enhancements
* TSDB: Significantly reduce WAL size kept around after a block cut. #7098
* Discovery: Add `architecture` meta label for EC2. #7000
+ Bug fixes
* UI: Fixed wrong MinTime reported by /status. #7182
* React UI: Fixed multiselect legend on OSX. #6880
* Remote Write: Fixed blocked resharding edge case. #7122
* Remote Write: Fixed remote write not updating on relabel configs change. #7073
- Changes from 2.17.2
+ Bug fixes
* Federation: Register federation metrics #7081
* PromQL: Fix panic in parser error handling #7132
* Rules: Fix reloads hanging when deleting a rule group that is being evaluated #7138
* TSDB: Fix a memory leak when prometheus starts with an empty TSDB WAL #7135
* TSDB: Make isolation more robust to panics in web handlers #7129 #7136
- Changes from 2.17.1
+ Bug fixes
* TSDB: Fix query performance regression that increased memory and CPU usage #7051
- Changes from 2.17.0
+ Features
* TSDB: Support isolation #6841
* This release implements isolation in TSDB. API queries and recording rules are
guaranteed to only see full scrapes and full recording rules. This comes with a
certain overhead in resource usage. Depending on the situation, there might be
some increase in memory usage, CPU usage, or query latency.
+ Enhancements
* PromQL: Allow more keywords as metric names #6933
* React UI: Add normalization of localhost URLs in targets page #6794
* Remote read: Read from remote storage concurrently #6770
* Rules: Mark deleted rule series as stale after a reload #6745
* Scrape: Log scrape append failures as debug rather than warn #6852
* TSDB: Improve query performance for queries that partially hit the head #6676
* Consul SD: Expose service health as meta label #5313
* EC2 SD: Expose EC2 instance lifecycle as meta label #6914
* Kubernetes SD: Expose service type as meta label for K8s service role #6684
* Kubernetes SD: Expose label_selector and field_selector #6807
* Openstack SD: Expose hypervisor id as meta label #6962
+ Bug fixes
* PromQL: Do not escape HTML-like chars in query log #6834 #6795
* React UI: Fix data table matrix values #6896
* React UI: Fix new targets page not loading when using non-ASCII characters #6892
* Remote read: Fix duplication of metrics read from remote storage with external labels #6967 #7018
* Remote write: Register WAL watcher and live reader metrics for all remotes, not just the first one #6998
* Scrape: Prevent removal of metric names upon relabeling #6891
* Scrape: Fix 'superfluous response.WriteHeader call' errors when scrape fails under some circonstances #6986
* Scrape: Fix crash when reloads are separated by two scrape intervals #7011
- Changes from 2.16.0
+ Features
* React UI: Support local timezone on /graph #6692
* PromQL: add absent_over_time query function #6490
* Adding optional logging of queries to their own file #6520
+ Enhancements
* React UI: Add support for rules page and 'Xs ago' duration displays #6503
* React UI: alerts page, replace filtering togglers tabs with checkboxes #6543
* TSDB: Export metric for WAL write errors #6647
* TSDB: Improve query performance for queries that only touch the most recent 2h of data. #6651
* PromQL: Refactoring in parser errors to improve error messages #6634
* PromQL: Support trailing commas in grouping opts #6480
* Scrape: Reduce memory usage on reloads by reusing scrape cache #6670
* Scrape: Add metrics to track bytes and entries in the metadata cache #6675
* promtool: Add support for line-column numbers for invalid rules output #6533
* Avoid restarting rule groups when it is unnecessary #6450
+ Bug fixes
* React UI: Send cookies on fetch() on older browsers #6553
* React UI: adopt grafana flot fix for stacked graphs #6603
* React UI: broken graph page browser history so that back button works as expected #6659
* TSDB: ensure compactionsSkipped metric is registered, and log proper error if one is returned from head.Init #6616
* TSDB: return an error on ingesting series with duplicate labels #6664
* PromQL: Fix unary operator precedence #6579
* PromQL: Respect query.timeout even when we reach query.max-concurrency #6712
* PromQL: Fix string and parentheses handling in engine, which affected React UI #6612
* PromQL: Remove output labels returned by absent() if they are produced by multiple identical label matchers #6493
* Scrape: Validate that OpenMetrics input ends with `# EOF` #6505
* Remote read: return the correct error if configs can't be marshal'd to JSON #6622
* Remote write: Make remote client `Store` use passed context, which can affect shutdown timing #6673
* Remote write: Improve sharding calculation in cases where we would always be consistently behind by tracking pendingSamples #6511
* Ensure prometheus_rule_group metrics are deleted when a rule group is removed #6693
- Changes from 2.15.2
+ Bug fixes
* TSDB: Fixed support for TSDB blocks built with Prometheus before 2.1.0. #6564
* TSDB: Fixed block compaction issues on Windows. #6547
- Changes from 2.15.1
+ Bug fixes
* TSDB: Fixed race on concurrent queries against same data. #6512
- Changes from 2.15.0
+ Features
* API: Added new endpoint for exposing per metric metadata `/metadata`. #6420 #6442
+ Changes
* Discovery: Removed `prometheus_sd_kubernetes_cache_*` metrics. Additionally `prometheus_sd_kubernetes_workqueue_latency_seconds` and `prometheus_sd_kubernetes_workqueue_work_duration_seconds` metrics now show correct values in seconds. #6393
* Remote write: Changed `query` label on `prometheus_remote_storage_*` metrics to `remote_name` and `url`. #6043
+ Enhancements
* TSDB: Significantly reduced memory footprint of loaded TSDB blocks. #6418 #6461
* TSDB: Significantly optimized what we buffer during compaction which should result in lower memory footprint during compaction. #6422 #6452 #6468 #6475
* TSDB: Improve replay latency. #6230
* TSDB: WAL size is now used for size based retention calculation. #5886
* Remote read: Added query grouping and range hints to the remote read request #6401
* Remote write: Added `prometheus_remote_storage_sent_bytes_total` counter per queue. #6344
* promql: Improved PromQL parser performance. #6356
* React UI: Implemented missing pages like `/targets` #6276, TSDB status page #6281 #6267 and many other fixes and performance improvements.
* promql: Prometheus now accepts spaces between time range and square bracket. e.g `[ 5m]` #6065
+ Bug fixes
* Config: Fixed alertmanager configuration to not miss targets when configurations are similar. #6455
* Remote write: Value of `prometheus_remote_storage_shards_desired` gauge shows raw value of desired shards and it's updated correctly. #6378
* Rules: Prometheus now fails the evaluation of rules and alerts where metric results collide with labels specified in `labels` field. #6469
* API: Targets Metadata API `/targets/metadata` now accepts empty `match_targets` parameter as in the spec. #6303
- Changes from 2.14.0
+ Features
* API: `/api/v1/status/runtimeinfo` and `/api/v1/status/buildinfo` endpoints added for use by the React UI. #6243
* React UI: implement the new experimental React based UI. #5694 and many more
* Can be found by under `/new`.
* Not all pages are implemented yet.
* Status: Cardinality statistics added to the Runtime & Build Information page. #6125
+ Enhancements
* Remote write: fix delays in remote write after a compaction. #6021
* UI: Alerts can be filtered by state. #5758
+ Bug fixes
* Ensure warnings from the API are escaped. #6279
* API: lifecycle endpoints return 403 when not enabled. #6057
* Build: Fix Solaris build. #6149
* Promtool: Remove false duplicate rule warnings when checking rule files with alerts. #6270
* Remote write: restore use of deduplicating logger in remote write. #6113
* Remote write: do not reshard when unable to send samples. #6111
* Service discovery: errors are no longer logged on context cancellation. #6116, #6133
* UI: handle null response from API properly. #6071
- Changes from 2.13.1
+ Bug fixes
* Fix panic in ARM builds of Prometheus. #6110
* promql: fix potential panic in the query logger. #6094
* Multiple errors of http: superfluous response.WriteHeader call in the logs. #6145
- Changes from 2.13.0
+ Enhancements
* Metrics: renamed prometheus_sd_configs_failed_total to prometheus_sd_failed_configs and changed to Gauge #5254
* Include the tsdb tool in builds. #6089
* Service discovery: add new node address types for kubernetes. #5902
* UI: show warnings if query have returned some warnings. #5964
* Remote write: reduce memory usage of the series cache. #5849
* Remote read: use remote read streaming to reduce memory usage. #5703
* Metrics: added metrics for remote write max/min/desired shards to queue manager. #5787
* Promtool: show the warnings during label query. #5924
* Promtool: improve error messages when parsing bad rules. #5965
* Promtool: more promlint rules. #5515
+ Bug fixes
* UI: Fix a Stored DOM XSS vulnerability with query history [CVE-2019-10215](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10215). #6098
* Promtool: fix recording inconsistency due to duplicate labels. #6026
* UI: fixes service-discovery view when accessed from unhealthy targets. #5915
* Metrics format: OpenMetrics parser crashes on short input. #5939
* UI: avoid truncated Y-axis values. #6014
- Changes from 2.12.0
+ Features
* Track currently active PromQL queries in a log file. #5794
* Enable and provide binaries for `mips64` / `mips64le` architectures. #5792
+ Enhancements
* Improve responsiveness of targets web UI and API endpoint. #5740
* Improve remote write desired shards calculation. #5763
* Flush TSDB pages more precisely. tsdb#660
* Add `prometheus_tsdb_retention_limit_bytes` metric. tsdb#667
* Add logging during TSDB WAL replay on startup. tsdb#662
* Improve TSDB memory usage. tsdb#653, tsdb#643, tsdb#654, tsdb#642, tsdb#627
+ Bug fixes
* Check for duplicate label names in remote read. #5829
* Mark deleted rules' series as stale on next evaluation. #5759
* Fix JavaScript error when showing warning about out-of-sync server time. #5833
* Fix `promtool test rules` panic when providing empty `exp_labels`. #5774
* Only check last directory when discovering checkpoint number. #5756
* Fix error propagation in WAL watcher helper functions. #5741
* Correctly handle empty labels from alert templates. #5845
- Update Uyuni/SUSE Manager service discovery patch
+ Modified 0003-Add-Uyuni-service-discovery.patch:
+ Adapt service discovery to the new Uyuni API endpoints
+ Modified spec file: force golang 1.12 to fix build issues in SLE15SP2
- Update to Prometheus 2.11.2
grafana:
- Update to version 7.0.3
* Features / Enhancements
- Stats: include all fields. #24829, @ryantxu
- Variables: change VariableEditorList row action Icon to IconButton. #25217, @hshoff
* Bug fixes
- Cloudwatch: Fix dimensions of DDoSProtection. #25317, @papagian
- Configuration: Fix env var override of sections containing hyphen. #25178, @marefr
- Dashboard: Get panels in collapsed rows. #25079, @peterholmberg
- Do not show alerts tab when alerting is disabled. #25285, @dprokop
- Jaeger: fixes cascader option label duration value. #25129, @Estrax
- Transformations: Fixed Transform tab crash & no update after adding first transform. #25152, @torkelo
- Update to version 7.0.2
* Bug fixes
- Security: Urgent security patch release to fix CVE-2020-13379
- Update to version 7.0.1
* Features / Enhancements
- Datasource/CloudWatch: Makes CloudWatch Logs query history more readable. #24795, @kaydelaney
- Download CSV: Add date and time formatting. #24992, @ryantxu
- Table: Make last cell value visible when right aligned. #24921, @peterholmberg
- TablePanel: Adding sort order persistance. #24705, @torkelo
- Transformations: Display correct field name when using reduce transformation. #25068, @peterholmberg
- Transformations: Allow custom number input for binary operations. #24752, @ryantxu
* Bug fixes
- Dashboard/Links: Fixes dashboard links by tags not working. #24773, @KamalGalrani
- Dashboard/Links: Fixes open in new window for dashboard link. #24772, @KamalGalrani
- Dashboard/Links: Variables are resolved and limits to 100. #25076, @hugohaggmark
- DataLinks: Bring back variables interpolation in title. #24970, @dprokop
- Datasource/CloudWatch: Field suggestions no longer limited to prefix-only. #24855, @kaydelaney
- Explore/Table: Keep existing field types if possible. #24944, @kaydelaney
- Explore: Fix wrap lines toggle for results of queries with filter expression. #24915, @ivanahuckova
- Explore: fix undo in query editor. #24797, @zoltanbedi
- Explore: fix word break in type head info. #25014, @zoltanbedi
- Graph: Legend decimals now work as expected. #24931, @torkelo
- LoginPage: Fix hover color for service buttons. #25009, @tskarhed
- LogsPanel: Fix scrollbar. #24850, @ivanahuckova
- MoveDashboard: Fix for moving dashboard caused all variables to be lost. #25005, @torkelo
- Organize transformer: Use display name in field order comparer. #24984, @dprokop
- Panel: shows correct panel menu items in view mode. #24912, @hugohaggmark
- PanelEditor Fix missing labels and description if there is only single option in category. #24905, @dprokop
- PanelEditor: Overrides name matcher still show all original field names even after Field default display name is specified. #24933, @torkelo
- PanelInspector: Makes sure Data display options are visible. #24902, @hugohaggmark
- PanelInspector: Hides unsupported data display options for Panel type. #24918, @hugohaggmark
- PanelMenu: Make menu disappear on button press. #25015, @tskarhed
- Postgres: Fix add button. #25087, @phemmer
- Prometheus: Fix recording rules expansion. #24977, @ivanahuckova
- Stackdriver: Fix creating Service Level Objectives (SLO) datasource query variable. #25023, @papagian
- Update to version 7.0.0
* Breaking changes
- Removed PhantomJS: PhantomJS was deprecated in Grafana v6.4 and starting from Grafana v7.0.0, all PhantomJS support has been removed. This means that Grafana no longer ships with a built-in image renderer, and we advise you to install the Grafana Image Renderer plugin.
- Dashboard: A global minimum dashboard refresh interval is now enforced and defaults to 5 seconds.
- Interval calculation: There is now a new option Max data points that controls the auto interval $__interval calculation. Interval was previously calculated by dividing the panel width by the time range. With the new max data points option it is now easy to set $__interval to a dynamic value that is time range agnostic. For example if you set Max data points to 10 Grafana will dynamically set $__interval by dividing the current time range by 10.
- Datasource/Loki: Support for deprecated Loki endpoints has been removed.
- Backend plugins: Grafana now requires backend plugins to be signed, otherwise Grafana will not load/start them. This is an additional security measure to make sure backend plugin binaries and files haven't been tampered with. Refer to Upgrade Grafana for more information.
- @grafana/ui: Forms migration notice, see @grafana/ui changelog
- @grafana/ui: Select API change for creating custom values, see @grafana/ui changelog
+ Deprecation warnings
- Scripted dashboards is now deprecated. The feature is not removed but will be in a future release. We hope to address the underlying requirement of dynamic dashboards in a different way. #24059
- The unofficial first version of backend plugins together with usage of grafana/grafana-plugin-model is now deprecated and support for that will be removed in a future release. Please refer to backend plugins documentation for information about the new officially supported backend plugins.
* Features / Enhancements
- Backend plugins: Log deprecation warning when using the unofficial first version of backend plugins. #24675, @marefr
- Editor: New line on Enter, run query on Shift+Enter. #24654, @davkal
- Loki: Allow multiple derived fields with the same name. #24437, @aocenas
- Orgs: Add future deprecation notice. #24502, @torkelo
* Bug Fixes
- @grafana/toolkit: Use process.cwd() instead of PWD to get directory. #24677, @zoltanbedi
- Admin: Makes long settings values line break in settings page. #24559, @hugohaggmark
- Dashboard: Allow editing provisioned dashboard JSON and add confirmation when JSON is copied to dashboard. #24680, @dprokop
- Dashboard: Fix for strange 'dashboard not found' errors when opening links in dashboard settings. #24416, @torkelo
- Dashboard: Fix so default data source is selected when data source can't be found in panel editor. #24526, @mckn
- Dashboard: Fixed issue changing a panel from transparent back to normal in panel editor. #24483, @torkelo
- Dashboard: Make header names reflect the field name when exporting to CSV file from the the panel inspector. #24624, @peterholmberg
- Dashboard: Make sure side pane is displayed with tabs by default in panel editor. #24636, @dprokop
- Data source: Fix query/annotation help content formatting. #24687, @AgnesToulet
- Data source: Fixes async mount errors. #24579, @Estrax
- Data source: Fixes saving a data source without failure when URL doesn't specify a protocol. #24497, @aknuds1
- Explore/Prometheus: Show results of instant queries only in table. #24508, @ivanahuckova
- Explore: Fix rendering of react query editors. #24593, @ivanahuckova
- Explore: Fixes loading more logs in logs context view. #24135, @Estrax
- Graphite: Fix schema and dedupe strategy in rollup indicators for Metrictank queries. #24685, @torkelo
- Graphite: Makes query annotations work again. #24556, @hugohaggmark
- Logs: Clicking 'Load more' from context overlay doesn't expand log row. #24299, @kaydelaney
- Logs: Fix total bytes process calculation. #24691, @davkal
- Org/user/team preferences: Fixes so UI Theme can be set back to Default. #24628, @AgnesToulet
- Plugins: Fix manifest validation. #24573, @aknuds1
- Provisioning: Use proxy as default access mode in provisioning. #24669, @bergquist
- Search: Fix select item when pressing enter and Grafana is served using a sub path. #24634, @tskarhed
- Search: Save folder expanded state. #24496, @Clarity-89
- Security: Tag value sanitization fix in OpenTSDB data source. #24539, @rotemreiss
- Table: Do not include angular options in options when switching from angular panel. #24684, @torkelo
- Table: Fixed persisting column resize for time series fields. #24505, @torkelo
- Table: Fixes Cannot read property subRows of null. #24578, @hugohaggmark
- Time picker: Fixed so you can enter a relative range in the time picker without being converted to absolute range. #24534, @mckn
- Transformations: Make transform dropdowns not cropped. #24615, @dprokop
- Transformations: Sort order should be preserved as entered by user when using the reduce transformation. #24494, @hugohaggmark
- Units: Adds scale symbol for currencies with suffixed symbol. #24678, @hugohaggmark
- Variables: Fixes filtering options with more than 1000 entries. #24614, @hugohaggmark
- Variables: Fixes so Textbox variables read value from url. #24623, @hugohaggmark
- Zipkin: Fix error when span contains remoteEndpoint. #24524, @aocenas
- SAML: Switch from email to login for user login attribute mapping (Enterprise)
- Update Makefile and spec file
* Remove phantomJS patch from Makefile
* Fix multiline strings in Makefile
* Exclude s390 from SLE12 builds, golang 1.14 is not built for s390
- Add instructions for patching the Grafana javascript frontend.
- BuildRequires golang(API) instead of go metapackage version range
* BuildRequires: golang(API) >= 1.14 from
BuildRequires: ( go >= 1.14 with go < 1.15 )
- Update to version 6.7.3
- This version fixes bsc#1170557 and its corresponding CVE-2020-12245
- Admin: Fix Synced via LDAP message for non-LDAP external users. #23477, @alexanderzobnin
- Alerting: Fixes notifications for alerts with empty message in Google Hangouts notifier. #23559, @hugohaggmark
- AuthProxy: Fixes bug where long username could not be cached.. #22926, @jcmcken
- Dashboard: Fix saving dashboard when editing raw dashboard JSON model. #23314, @peterholmberg
- Dashboard: Try to parse 8 and 15 digit numbers as timestamps if parsing of time range as date fails. #21694, @jessetan
- DashboardListPanel: Fixed problem with empty panel after going into edit mode (General folder filter being automatically added) . #23426, @torkelo
- Data source: Handle datasource withCredentials option properly. #23380, @hvtuananh
- Security: Fix annotation popup XSS vulnerability. #23813, @torkelo
- Server: Exit Grafana with status code 0 if no error. #23312, @aknuds1
- TablePanel: Fix XSS issue in header column rename (backport). #23814, @torkelo
- Variables: Fixes error when setting adhoc variable values. #23580, @hugohaggmark
- Update to version 6.7.2:
(see installed changelog for the full list of changes)
- BackendSrv: Adds config to response to fix issue for external plugins that used this property . #23032, @torkelo
- Dashboard: Fixed issue with saving new dashboard after changing title . #23104, @dprokop
- DataLinks: make sure we use the correct datapoint when dataset contains null value.. #22981, @mckn
- Plugins: Fixed issue for plugins that imported dateMath util . #23069, @mckn
- Security: Fix for dashboard snapshot original dashboard link could contain XSS vulnerability in url. #23254, @torkelo
- Variables: Fixes issue with too many queries being issued for nested template variables after value change. #23220, @torkelo
- Plugins: Expose promiseToDigest. #23249, @torkelo
- Reporting (Enterprise): Fixes issue updating a report created by someone else
- Update to 6.7.1:
(see installed changelog for the full list of changes)
Bug Fixes
- Azure: Fixed dropdowns not showing current value. #22914, @torkelo
- BackendSrv: only add content-type on POST, PUT requests. #22910, @hugohaggmark
- Panels: Fixed size issue with panel internal size when exiting panel edit mode. #22912, @torkelo
- Reporting: fixes migrations compatibility with mysql (Enterprise)
- Reporting: Reduce default concurrency limit to 4 (Enterprise)
- Update to 6.7.0:
(see installed changelog for the full list of changes)
Bug Fixes
- AngularPanels: Fixed inner height calculation for angular panels . #22796, @torkelo
- BackendSrv: makes sure provided headers are correctly recognized and set. #22778, @hugohaggmark
- Forms: Fix input suffix position (caret-down in Select) . #22780, @torkelo
- Graphite: Fixed issue with query editor and next select metric now showing after selecting metric node . #22856, @torkelo
- Rich History: UX adjustments and fixes. #22729, @ivanahuckova
- Update to 6.7.0-beta1:
Breaking changes
- Slack: Removed Mention setting and instead introduce Mention Users, Mention Groups, and Mention Channel. The first two settings require user and group IDs, respectively. This change was necessary because the way of mentioning via the Slack API changed and mentions in Slack notifications no longer worked.
- Alerting: Reverts the behavior of diff and percent_diff to not always be absolute. Something we introduced by mistake in 6.1.0. Alerting now support diff(), diff_abs(), percent_diff() and percent_diff_abs(). #21338
- Notice about changes in backendSrv for plugin authors
In our mission to migrate away from AngularJS to React we have removed all AngularJS dependencies in the core data retrieval service backendSrv.
Removing the AngularJS dependencies in backendSrv has the unfortunate side effect of AngularJS digest no longer being triggered for any request made with backendSrv. Because of this, external plugins using backendSrv directly may suffer from strange behaviour in the UI.
To remedy this issue, as a plugin author you need to trigger the digest after a direct call to backendSrv.
Bug Fixes
API: Fix redirect issues. #22285, @papagian
Alerting: Don't include image_url field with Slack message if empty. #22372, @aknuds1
Alerting: Fixed bad background color for default notifications in alert tab . #22660, @krvajal
Annotations: In table panel when setting transform to annotation, they will now show up right away without a manual refresh. #22323, @krvajal
Azure Monitor: Fix app insights source to allow for new __timeFrom and __timeTo. #21879, @ChadNedzlek
BackendSrv: Fixes POST body for form data. gmark
CloudWatch: Credentials cache invalidation fix. #22473, @sunker
CloudWatch: Expand alias variables when query yields no result. #22695, @sunker
Dashboard: Fix bug with NaN in alerting. #22053, @a-melnyk
Explore: Fix display of multiline logs in log panel and explore. #22057, @thomasdraebing
Heatmap: Legend color range is incorrect when using custom min/max. #21748, @sv5d
Security: Fixed XSS issue in dashboard history diff . #22680, @torkelo
StatPanel: Fixes base color is being used for null values .
#22646, @torkelo
- Update to version 6.6.2:
(see installed changelog for the full list of changes)
- Update to version 6.6.1:
(see installed changelog for the full list of changes)
- Update to version 6.6.0:
(see installed changelog for the full list of changes)
- Update to version 6.5.3:
(see installed changelog for the full list of changes)
- Update to version 6.5.2:
(see installed changelog for the full list of changes)
- Update to version 6.5.1:
(see installed changelog for the full list of changes)
- Update to version 6.5.0
(see installed changelog for the full list of changes)
- Update to version 6.4.5:
* Create version 6.4.5
* CloudWatch: Fix high CPU load (#20579)
- Add obs-service-go_modules to download required modules into vendor.tar.gz
- Adjusted spec file to use vendor.tar.gz
- Adjusted Makefile to work with new filenames
- BuildRequire go1.14
- Update to version 6.4.4:
* DataLinks: Fix blur issues. #19883, @aocenas
* Docker: Makes it possible to parse timezones in the docker image. #20081, @xlson
* LDAP: All LDAP servers should be tried even if one of them returns a connection error. #20077, @jongyllen
* LDAP: No longer shows incorrectly matching groups based on role in debug page. #20018, @xlson
* Singlestat: Fix no data / null value mapping . #19951, @ryantxu
- Revert the spec file and make script
- Remove PhantomJS dependency
- Update to 6.4.3
* Bug Fixes
- Alerting: All notification channels should send even if one fails to send. #19807, @jan25
- AzureMonitor: Fix slate interference with dropdowns. #19799, @aocenas
- ContextMenu: make ContextMenu positioning aware of the viewport width. #19699, @krvajal
- DataLinks: Fix context menu not showing in singlestat-ish visualisations. #19809, @dprokop
- DataLinks: Fix url field not releasing focus. #19804, @aocenas
- Datasource: Fixes clicking outside of some query editors required 2 clicks. #19822, @aocenas
- Panels: Fixes default tab for visualizations without Queries Tab. #19803, @hugohaggmark
- Singlestat: Fixed issue with mapping null to text. #19689, @torkelo
- @grafana/toolkit: Don't fail plugin creation when git user.name config is not set. #19821, @dprokop
- @grafana/toolkit: TSLint line number off by 1. #19782, @fredwangwang
- Update to 6.4.2
* Bug Fixes
- CloudWatch: Changes incorrect dimension wmlid to wlmid . #19679, @ATTron
- Grafana Image Renderer: Fixes plugin page. #19664, @hugohaggmark
- Graph: Fixes auto decimals logic for y axis ticks that results in too many decimals for high values. #19618, @torkelo
- Graph: Switching to series mode should re-render graph. #19623, @torkelo
- Loki: Fix autocomplete on label values. #19579, @aocenas
- Loki: Removes live option for logs panel. #19533, @davkal
- Profile: Fix issue with user profile not showing more than sessions sessions in some cases. #19578, @huynhsamha
- Prometheus: Fixes so results in Panel always are sorted by query order. #19597, @hugohaggmark
- sted keys in YAML provisioning caused a server crash, #19547
- ImageRendering: Fixed issue with image rendering in enterprise build (Enterprise)
- Reporting: Fixed issue with reporting service when STMP was disabled (Enterprise).
- Changes from 6.4.0
* Features / Enhancements
- Build: Upgrade go to 1.12.10. #19499, @marefr
- DataLinks: Suggestions menu improvements. #19396, @dprokop
- Explore: Take root_url setting into account when redirecting from dashboard to explore. #19447, @ivanahuckova
- Explore: Update broken link to logql docs. #19510, @ivanahuckova
- Logs: Adds Logs Panel as a visualization. #19504, @davkal
* Bug Fixes
- CLI: Fix version selection for plugin install. #19498, @aocenas
- Graph: Fixes minor issue with series override color picker and custom color . #19516, @torkelo
- Changes from 6.4.0 Beta 2
* Features / Enhancements
- Azure Monitor: Remove support for cross resource queries (#19115)'. #19346, @sunker
- Docker: Upgrade packages to resolve reported vulnerabilities. #19188, @marefr
- Graphite: Time range expansion reduced from 1 minute to 1 second. #19246, @torkelo
- grafana/toolkit: Add plugin creation task. #19207, @dprokop
* Bug Fixes
- Alerting: Prevents creating alerts from unsupported queries. #19250, @hugohaggmark
- Alerting: Truncate PagerDuty summary when greater than 1024 characters. #18730, @nvllsvm
- Cloudwatch: Fix autocomplete for Gamelift dimensions. #19146, @kevinpz
- Dashboard: Fix export for sharing when panels use default data source. #19315, @torkelo
- Database: Rewrite system statistics query to perform better. #19178, @papagian
- Gauge/BarGauge: Fix issue with [object Object] in titles . #19217, @ryantxu
- MSSQL: Revert usage of new connectionstring format introduced by #18384. #19203, @marefr
- Multi-LDAP: Do not fail-fast on invalid credentials. #19261, @gotjosh
- MySQL, Postgres, MSSQL: Fix validating query with template variables in alert . #19237, @marefr
- MySQL, Postgres: Update raw sql when query builder updates. #19209, @marefr
- MySQL: Limit datasource error details returned from the backend. #19373, @marefr
- Changes from 6.4.0 Beta 1
* Features / Enhancements
- API: Readonly datasources should not be created via the API. #19006, @papagian
- Alerting: Include configured AlertRuleTags in Webhooks notifier. #18233, @dominic-miglar
- Annotations: Add annotations support to Loki. #18949, @aocenas
- Annotations: Use a single row to represent a region. #17673, @ryantxu
- Auth: Allow inviting existing users when login form is disabled. #19048, @548017
- Azure Monitor: Add support for cross resource queries. #19115, @sunker
- CLI: Allow installing custom binary plugins. #17551, @aocenas
- Dashboard: Adds Logs Panel (alpha) as visualization option for Dashboards. #18641, @hugohaggmark
- Dashboard: Reuse query results between panels . #16660, @ryantxu
- Dashboard: Set time to to 23:59:59 when setting To time using calendar. #18595, @simPod
- DataLinks: Add DataLinks support to Gauge, BarGauge and SingleStat2 panel. #18605, @ryantxu
- DataLinks: Enable access to labels & field names. #18918, @torkelo
- DataLinks: Enable multiple data links per panel. #18434, @dprokop
- Docker: switch docker image to alpine base with phantomjs support. #18468, @DanCech
- Elasticsearch: allow templating queries to order by doc_count. #18870, @hackery
- Explore: Add throttling when doing live queries. #19085, @aocenas
- Explore: Adds ability to go back to dashboard, optionally with query changes. #17982, @kaydelaney
- Explore: Reduce default time range to last hour. #18212, @davkal
- Gauge/BarGauge: Support decimals for min/max. #18368, @ryantxu
- Graph: New series override transform constant that renders a single point as a line across the whole graph. #19102, @davkal
- Image rendering: Add deprecation warning when PhantomJS is used for rendering images. #18933, @papagian
- InfluxDB: Enable interpolation within ad-hoc filter values. #18077, @kvc-code
- LDAP: Allow an user to be synchronized against LDAP. #18976, @gotjosh
- Ldap: Add ldap debug page. #18759, @peterholmberg
- Loki: Remove prefetching of default label values. #18213, @davkal
- Metrics: Add failed alert notifications metric. #18089, @koorgoo
- OAuth: Support JMES path lookup when retrieving user email. #14683, @bobmshannon
- OAuth: return GitLab groups as a part of user info (enable team sync). #18388, @alexanderzobnin
- Panels: Add unit for electrical charge - ampere-hour. #18950, @anirudh-ramesh
- Plugin: AzureMonitor - Reapply MetricNamespace support. #17282, @raphaelquati
- Plugins: better warning when plugins fail to load. #18671, @ryantxu
- Postgres: Add support for scram sha 256 authentication. #18397, @nonamef
- RemoteCache: Support SSL with Redis. #18511, @kylebrandt
- SingleStat: The gauge option in now disabled/hidden (unless it's an old panel with it already enabled) . #18610, @ryantxu
- Stackdriver: Add extra alignment period options. #18909, @sunker
- Units: Add South African Rand (ZAR) to currencies. #18893, @jeteon
- Units: Adding T,P,E,Z,and Y bytes. #18706, @chiqomar
* Bug Fixes
- Alerting: Notification is sent when state changes from no_data to ok. #18920, @papagian
- Alerting: fix duplicate alert states when the alert fails to save to the database. #18216, @kylebrandt
- Alerting: fix response popover prompt when add notification channels. #18967, @lzdw
- CloudWatch: Fix alerting for queries with Id (using GetMetricData). #17899, @alex-berger
- Explore: Fix auto completion on label values for Loki. #18988, @aocenas
- Explore: Fixes crash using back button with a zoomed in graph. #19122, @hugohaggmark
- Explore: Fixes so queries in Explore are only run if Graph/Table is shown. #19000, @hugohaggmark
- MSSQL: Change connectionstring to URL format to fix using passwords with semicolon. #18384, @Russiancold
- MSSQL: Fix memory leak when debug enabled. #19049, @briangann
- Provisioning: Allow escaping literal '$' with '$$' in configs to avoid interpolation. #18045, @kylebrandt
- TimePicker: Fixes hiding time picker dropdown in FireFox. #19154, @hugohaggmark
* Breaking changes
+ Annotations
There are some breaking changes in the annotations HTTP API for region annotations. Region annotations are now represented
using a single event instead of two seperate events. Check breaking changes in HTTP API below and HTTP API documentation for more details.
+ Docker
Grafana is now using Alpine 3.10 as docker base image.
+ HTTP API
- GET /api/alert-notifications now requires at least editor access.
New /api/alert-notifications/lookup returns less information than /api/alert-notifications and can be access by any authenticated user.
- GET /api/alert-notifiers now requires at least editor access
- GET /api/org/users now requires org admin role.
New /api/org/users/lookup returns less information than /api/org/users and can be access by users that are org admins,
admin in any folder or admin of any team.
- GET /api/annotations no longer returns regionId property.
- POST /api/annotations no longer supports isRegion property.
- PUT /api/annotations/:id no longer supports isRegion property.
- PATCH /api/annotations/:id no longer supports isRegion property.
- DELETE /api/annotations/region/:id has been removed.
* Deprecation notes
+ PhantomJS
- PhantomJS, which is used for rendering images of dashboards and panels,
is deprecated and will be removed in a future Grafana release.
A deprecation warning will from now on be logged when Grafana starts up if PhantomJS is in use.
Please consider migrating from PhantomJS to the Grafana Image Renderer plugin.
- Changes from 6.3.6
* Features / Enhancements
- Metrics: Adds setting for turning off total stats metrics. #19142, @marefr
* Bug Fixes
- Database: Rewrite system statistics query to perform better. #19178, @papagian
- Explore: Fixes error when switching from prometheus to loki data sources. #18599, @kaydelaney
- Rebase package spec. Use mostly from fedora, fix suse specified things and fix some errors.
- Add missing directories provisioning/datasources and provisioning/notifiers
and sample.yaml as described in packaging/rpm/control from upstream.
Missing directories are shown in logfiles.
- Version 6.3.5
* Upgrades
+ Build: Upgrade to go 1.12.9.
* Bug Fixes
+ Dashboard: Fixes dashboards init failed loading error for dashboards with panel links that had missing properties.
+ Editor: Fixes issue where only entire lines were being copied.
+ Explore: Fixes query field layout in splitted view for Safari browsers.
+ LDAP: multildap + ldap integration.
+ Profile/UserAdmin: Fix for user agent parser crashes grafana-server on 32-bit builds.
+ Prometheus: Prevents panel editor crash when switching to Prometheus datasource.
+ Prometheus: Changes brace-insertion behavior to be less annoying.
- Version 6.3.4
* Security: CVE-2019-15043 - Parts of the HTTP API allow unauthenticated use.
- Version 6.3.3
* Bug Fixes
+ Annotations: Fix failing annotation query when time series query is cancelled. #18532 1, @dprokop 1
+ Auth: Do not set SameSite cookie attribute if cookie_samesite is none. #18462 1, @papagian 3
+ DataLinks: Apply scoped variables to data links correctly. #18454 1, @dprokop 1
+ DataLinks: Respect timezone when displaying datapoint’s timestamp in graph context menu. #18461 2, @dprokop 1
+ DataLinks: Use datapoint timestamp correctly when interpolating variables. #18459 1, @dprokop 1
+ Explore: Fix loading error for empty queries. #18488 1, @davkal
+ Graph: Fixes legend issue clicking on series line icon and issue with horizontal scrollbar being visible on windows. #18563 1, @torkelo 2
+ Graphite: Avoid glob of single-value array variables . #18420, @gotjosh
+ Prometheus: Fix queries with label_replace remove the $1 match when loading query editor. #18480 5, @hugohaggmark 3
+ Prometheus: More consistently allows for multi-line queries in editor. #18362 2, @kaydelaney 2
+ TimeSeries: Assume values are all numbers. #18540 4, @ryantxu
- Version 6.3.2
* Bug Fixes
+ Gauge/BarGauge: Fixes issue with losts thresholds and issue loading Gauge with avg stat. #18375 12
- Version 6.3.1
* Bug Fixes
+ PanelLinks: Fix crash issue Gauge & Bar Gauge for panels with panel links (drill down links). #18430 2
- Version 6.3.0
* Features / Enhancements
+ OAuth: Do not set SameSite OAuth cookie if cookie_samesite is None. #18392 4, @papagian 3
+ Auth Proxy: Include additional headers as part of the cache key. #18298 6, @gotjosh
+ Build grafana images consistently. #18224 12, @hassanfarid
+ Docs: SAML. #18069 11, @gotjosh
+ Permissions: Show plugins in nav for non admin users but hide plugin configuration. #18234 1, @aocenas
+ TimePicker: Increase max height of quick range dropdown. #18247 2, @torkelo 2
+ Alerting: Add tags to alert rules. #10989 13, @Thib17 1
+ Alerting: Attempt to send email notifications to all given email addresses. #16881 1, @zhulongcheng
+ Alerting: Improve alert rule testing. #16286 2, @marefr
+ Alerting: Support for configuring content field for Discord alert notifier. #17017 2, @jan25
+ Alertmanager: Replace illegal chars with underscore in label names. #17002 5, @bergquist 1
+ Auth: Allow expiration of API keys. #17678, @papagian 3
+ Auth: Return device, os and browser when listing user auth tokens in HTTP API. #17504, @shavonn 1
+ Auth: Support list and revoke of user auth tokens in UI. #17434 2, @shavonn 1
+ AzureMonitor: change clashing built-in Grafana variables/macro names for Azure Logs. #17140, @shavonn 1
+ CloudWatch: Made region visible for AWS Cloudwatch Expressions. #17243 2, @utkarshcmu
+ Cloudwatch: Add AWS DocDB metrics. #17241, @utkarshcmu
+ Dashboard: Use timezone dashboard setting when exporting to CSV. #18002 1, @dehrax
+ Data links. #17267 11, @torkelo 2
+ Docker: Switch base image to ubuntu:latest from debian:stretch to avoid security issues… #17066 5, @bergquist 1
+ Elasticsearch: Support for visualizing logs in Explore . #17605 7, @marefr
+ Explore: Adds Live option for supported datasources. #17062 1, @hugohaggmark 3
+ Explore: Adds orgId to URL for sharing purposes. #17895 1, @kaydelaney 2
+ Explore: Adds support for new loki ‘start’ and ‘end’ params for labels endpoint. #17512, @kaydelaney 2
+ Explore: Adds support for toggling raw query mode in explore. #17870, @kaydelaney 2
+ Explore: Allow switching between metrics and logs . #16959 2, @marefr
+ Explore: Combines the timestamp and local time columns into one. #17775, @hugohaggmark 3
+ Explore: Display log lines context . #17097, @dprokop 1
+ Explore: Don’t parse log levels if provided by field or label. #17180 1, @marefr
+ Explore: Improves performance of Logs element by limiting re-rendering. #17685, @kaydelaney 2
+ Explore: Support for new LogQL filtering syntax. #16674 4, @davkal
+ Explore: Use new TimePicker from Grafana/UI. #17793, @hugohaggmark 3
+ Explore: handle newlines in LogRow Highlighter. #17425, @rrfeng 1
+ Graph: Added new fill gradient option. #17528 3, @torkelo 2
+ GraphPanel: Don’t sort series when legend table & sort column is not visible . #17095, @shavonn 1
+ InfluxDB: Support for visualizing logs in Explore. #17450 9, @hugohaggmark 3
+ Logging: Login and Logout actions (#17760). #17883 1, @ATTron
+ Logging: Move log package to pkg/infra. #17023, @zhulongcheng
+ Metrics: Expose stats about roles as metrics. #17469 2, @bergquist 1
+ MySQL/Postgres/MSSQL: Add parsing for day, weeks and year intervals in macros. #13086 6, @bernardd
+ MySQL: Add support for periodically reloading client certs. #14892, @tpetr
+ Plugins: replace dataFormats list with skipDataQuery flag in plugin.json. #16984, @ryantxu
+ Prometheus: Take timezone into account for step alignment. #17477, @fxmiii
+ Prometheus: Use overridden panel range for $__range instead of dashboard range. #17352, @patrick246
+ Prometheus: added time range filter to series labels query. #16851 3, @FUSAKLA
+ Provisioning: Support folder that doesn’t exist yet in dashboard provisioning. #17407 1, @Nexucis
+ Refresh picker: Handle empty intervals. #17585 1, @dehrax
+ Singlestat: Add y min/max config to singlestat sparklines. #17527 4, @pitr
+ Snapshot: use given key and deleteKey. #16876, @zhulongcheng
+ Templating: Correctly display __text in multi-value variable after page reload. #17840 1, @EduardSergeev
+ Templating: Support selecting all filtered values of a multi-value variable. #16873 2, @r66ad
+ Tracing: allow propagation with Zipkin headers. #17009 4, @jrockway
+ Users: Disable users removed from LDAP. #16820 2, @alexanderzobnin
* Bug Fixes
+ PanelLinks: Fix render issue when there is no panel description. #18408 3, @dehrax
+ OAuth: Fix “missing saved state” OAuth login failure due to SameSite cookie policy. #18332 1, @papagian 3
+ cli: fix for recognizing when in dev mode… #18334, @xlson
+ DataLinks: Fixes incorrect interpolation of ${__series_name} . #18251 1, @torkelo 2
+ Loki: Display live tailed logs in correct order in Explore. #18031 3, @kaydelaney 2
+ PhantomJS: Fixes rendering on Debian Buster. #18162 2, @xlson
+ TimePicker: Fixed style issue for custom range popover. #18244, @torkelo 2
+ Timerange: Fixes a bug where custom time ranges didn’t respect UTC. #18248 1, @kaydelaney 2
+ remote_cache: Fix redis connstr parsing. #18204 1, @mblaschke
+ AddPanel: Fix issue when removing moved add panel widget . #17659 2, @dehrax
+ CLI: Fix encrypt-datasource-passwords fails with sql error. #18014, @marefr
+ Elasticsearch: Fix default max concurrent shard requests. #17770 4, @marefr
+ Explore: Fix browsing back to dashboard panel. #17061, @jschill
+ Explore: Fix filter by series level in logs graph. #17798, @marefr
+ Explore: Fix issues when loading and both graph/table are collapsed. #17113, @marefr
+ Explore: Fix selection/copy of log lines. #17121, @marefr
+ Fix: Wrap value of multi variable in array when coming from URL. #16992 1, @aocenas
+ Frontend: Fix for Json tree component not working. #17608, @srid12
+ Graphite: Fix for issue with alias function being moved last. #17791, @torkelo 2
+ Graphite: Fixes issue with seriesByTag & function with variable param. #17795, @torkelo 2
+ Graphite: use POST for /metrics/find requests. #17814 2, @papagian 3
+ HTTP Server: Serve Grafana with a custom URL path prefix. #17048 6, @jan25
+ InfluxDB: Fixes single quotes are not escaped in label value filters. #17398 1, @Panzki
+ Prometheus: Correctly escape ‘|’ literals in interpolated PromQL variables. #16932, @Limess
+ Prometheus: Fix when adding label for metrics which contains colons in Explore. #16760, @tolwi
+ SinglestatPanel: Remove background color when value turns null. #17552 1, @druggieri
- Make phantomjs dependency configurable
- Create plugin directory and clean up (create in %install,
add to %files) handling of /var/lib/grafana/* and
mgr-cfg:
- Remove commented code in test files
- Replace spacewalk-usix with uyuni-common-libs
- Bump version to 4.1.0 (bsc#1154940)
- Add mgr manpage links
mgr-custom-info:
- Bump version to 4.1.0 (bsc#1154940)
mgr-daemon:
- Bump version to 4.1.0 (bsc#1154940)
- Fix systemd timer configuration on SLE12 (bsc#1142038)
mgr-osad:
- Separate osa-dispatcher and jabberd so it can be disabled independently
- Replace spacewalk-usix with uyuni-common-libs
- Bump version to 4.1.0 (bsc#1154940)
- Move /usr/share/rhn/config-defaults to uyuni-base-common
- Require uyuni-base-common for /etc/rhn (for osa-dispatcher)
- Ensure bytes type when using hashlib to avoid traceback (bsc#1138822)
mgr-push:
- Replace spacewalk-usix and spacewalk-backend-libs with uyuni-common-libs
- Bump version to 4.1.0 (bsc#1154940)
mgr-virtualization:
- Replace spacewalk-usix with uyuni-common-libs
- Bump version to 4.1.0 (bsc#1154940)
- Fix mgr-virtualization timer
rhnlib:
- Fix building
- Fix malformed XML response when data contains non-ASCII chars (bsc#1154968)
- Bump version to 4.1.0 (bsc#1154940)
- Fix bootstrapping SLE11SP4 trad client with SSL enabled (bsc#1148177)
spacecmd:
- Only report real error, not result (bsc#1171687)
- Use defined return values for spacecmd methods so scripts can
check for failure (bsc#1171687)
- Disable globbing for api subcommand to allow wildcards in filter
settings (bsc#1163871)
- Bugfix: attempt to purge SSM when it is empty (bsc#1155372)
- Bump version to 4.1.0 (bsc#1154940)
- Prevent error when piping stdout in Python 2 (bsc#1153090)
- Java api expects content as encoded string instead of encoded bytes like before (bsc#1153277)
- Enable building and installing for Ubuntu 16.04 and Ubuntu 18.04
- Add unit test for schedule, errata, user, utils, misc, configchannel
and kickstart modules
- Multiple minor bugfixes alongside the unit tests
- Bugfix: referenced variable before assignment.
- Add unit test for report, package, org, repo and group
spacewalk-client-tools:
- Add workaround for uptime overflow to spacewalk-update-status as well (bsc#1165921)
- Spell correctly 'successful' and 'successfully'
- Skip dmidecode data on aarch64 to prevent coredump (bsc#1113160)
- Replace spacewalk-usix with uyuni-common-libs
- Return a non-zero exit status on errors in rhn_check
- Bump version to 4.1.0 (bsc#1154940)
- Make a explicit requirement to systemd for spacewalk-client-tools
when rhnsd timer is installed
spacewalk-koan:
- Bump version to 4.1.0 (bsc#1154940)
- Require commands we use in merge-rd.sh
spacewalk-oscap:
- Bump version to 4.1.0 (bsc#1154940)
spacewalk-remote-utils:
- Update spacewalk-create-channel with RHEL 7.7 channel definitions
- Bump version to 4.1.0 (bsc#1154940)
supportutils-plugin-susemanager-client:
- Bump version to 4.1.0 (bsc#1154940)
suseRegisterInfo:
- SuseRegisterInfo only needs perl-base, not full perl (bsc#1168310)
- Bump version to 4.1.0 (bsc#1154940)
zypp-plugin-spacewalk:
- Prevent issue with non-ASCII characters in Python 2 systems (bsc#1172462)
ModerateSUSE bug 1113160SUSE bug 1134195SUSE bug 1138822SUSE bug 1141661SUSE bug 1142038SUSE bug 1143913SUSE bug 1148177SUSE bug 1153090SUSE bug 1153277SUSE bug 1154940SUSE bug 1154968SUSE bug 1155372SUSE bug 1163871SUSE bug 1165921SUSE bug 1168310SUSE bug 1170231SUSE bug 1170557SUSE bug 1171687SUSE bug 1172462CVE-2019-10215 at SUSECVE-2019-10215 at NVDCVE-2019-15043 at SUSECVE-2019-15043 at NVDCVE-2020-12245 at SUSECVE-2020-12245 at NVDCVE-2020-13379 at SUSECVE-2020-13379 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openexr (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openexr fixes the following issues:
- CVE-2020-15304: Fixed a NULL pointer dereference in TiledInputFile:TiledInputFile() (bsc#1173466).
- CVE-2020-15305: Fixed a use-after-free in DeepScanLineInputFile:DeepScanLineInputFile() (bsc#1173467).
- CVE-2020-15306: Fixed a heap buffer overflow in getChunkOffsetTableSize() (bsc#1173469).
ModerateSUSE bug 1173466SUSE bug 1173467SUSE bug 1173469CVE-2020-15304 at SUSECVE-2020-15304 at NVDCVE-2020-15305 at SUSECVE-2020-15305 at NVDCVE-2020-15306 at SUSECVE-2020-15306 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xrdp (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xrdp fixes the following issues:
- Security fixes (bsc#1173580, CVE-2020-4044):
+ Add patches:
* xrdp-cve-2020-4044-fix-0.patch
* xrdp-cve-2020-4044-fix-1.patch
+ Rebase SLE patch:
* xrdp-fate318398-change-expired-password.patch
- Update patch:
+ xrdp-Allow-sessions-with-32-bpp.patch.patch
ImportantSUSE bug 1173580CVE-2020-4044 at SUSECVE-2020-4044 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for mailman (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mailman fixes the following issues:
- CVE-2020-15011: Fixed a possible Arbitrary Content Injection via the private archive login page (bsc#1173369).
ImportantSUSE bug 1173369CVE-2020-15011 at SUSECVE-2020-15011 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for samba (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for samba fixes the following issues:
- CVE-2020-10745: Fixed an issue which parsing and packing of NBT and DNS packets containing dots could potentially have consumed excessive CPU (bsc#1173160).
ModerateSUSE bug 1173160CVE-2020-10745 at SUSECVE-2020-10745 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.28.3 (bsc#1173998):
+ Enable kinetic scrolling with async scrolling.
+ Fix web process hangs on large GitHub pages.
+ Bubblewrap sandbox should not attempt to bind empty paths.
+ Fix threading issues in the media player.
+ Fix several crashes and rendering issues.
+ Security fixes: CVE-2020-9802, CVE-2020-9803, CVE-2020-9805,
CVE-2020-9806, CVE-2020-9807, CVE-2020-9843, CVE-2020-9850,
CVE-2020-13753.
ImportantSUSE bug 1173998CVE-2020-13753 at SUSECVE-2020-13753 at NVDCVE-2020-9802 at SUSECVE-2020-9802 at NVDCVE-2020-9803 at SUSECVE-2020-9803 at NVDCVE-2020-9805 at SUSECVE-2020-9805 at NVDCVE-2020-9806 at SUSECVE-2020-9806 at NVDCVE-2020-9807 at SUSECVE-2020-9807 at NVDCVE-2020-9843 at SUSECVE-2020-9843 at NVDCVE-2020-9850 at SUSECVE-2020-9850 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for grub2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for grub2 fixes the following issues:
- Fix for CVE-2020-10713 (bsc#1168994)
- Fix for CVE-2020-14308 CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
(bsc#1173812)
- Fix for CVE-2020-15706 (bsc#1174463)
- Fix for CVE-2020-15707 (bsc#1174570)
- Use overflow checking primitives where the arithmetic expression for buffer
allocations may include unvalidated data
- Use grub_calloc for overflow check and return NULL when it would occur
- Use gcc-9 compiler for overflow check builtins
- Backport gcc-9 build fixes
- Fix packed-not-aligned error on GCC 8 (bsc#1084632)
ImportantSUSE bug 1084632SUSE bug 1168994SUSE bug 1173812SUSE bug 1174463SUSE bug 1174570CVE-2020-10713 at SUSECVE-2020-10713 at NVDCVE-2020-14308 at SUSECVE-2020-14308 at NVDCVE-2020-14309 at SUSECVE-2020-14309 at NVDCVE-2020-14310 at SUSECVE-2020-14310 at NVDCVE-2020-14311 at SUSECVE-2020-14311 at NVDCVE-2020-15706 at SUSECVE-2020-15706 at NVDCVE-2020-15707 at SUSECVE-2020-15707 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ghostscript (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ghostscript fixes the following issues:
- fixed CVE-2020-15900 Memory Corruption (SAFER Sandbox Breakout)
cf. https://bugs.ghostscript.com/show_bug.cgi?id=702582
(bsc#1174415)
ImportantSUSE bug 1174415CVE-2020-15900 at SUSECVE-2020-15900 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.1.0 ESR
* Fixed: Various stability, functionality, and security fixes (bsc#1174538)
* CVE-2020-15652: Potential leak of redirect targets when loading scripts in a worker
* CVE-2020-6514: WebRTC data channel leaks internal address to peer
* CVE-2020-15655: Extension APIs could be used to bypass Same-Origin Policy
* CVE-2020-15653: Bypassing iframe sandbox when allowing popups
* CVE-2020-6463: Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
* CVE-2020-15656: Type confusion for special arguments in IonMonkey
* CVE-2020-15658: Overriding file type when saving to disk
* CVE-2020-15657: DLL hijacking due to incorrect loading path
* CVE-2020-15654: Custom cursor can overlay user interface
* CVE-2020-15659: Memory safety bugs fixed in Firefox 79 and Firefox ESR 78.1
ModerateSUSE bug 1173948SUSE bug 1174538CVE-2020-15652 at SUSECVE-2020-15652 at NVDCVE-2020-15653 at SUSECVE-2020-15653 at NVDCVE-2020-15654 at SUSECVE-2020-15654 at NVDCVE-2020-15655 at SUSECVE-2020-15655 at NVDCVE-2020-15656 at SUSECVE-2020-15656 at NVDCVE-2020-15657 at SUSECVE-2020-15657 at NVDCVE-2020-15658 at SUSECVE-2020-15658 at NVDCVE-2020-15659 at SUSECVE-2020-15659 at NVDCVE-2020-6463 at SUSECVE-2020-6463 at NVDCVE-2020-6514 at SUSECVE-2020-6514 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libX11 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libX11 fixes the following issues:
- Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628)
ImportantSUSE bug 1174628CVE-2020-14344 at SUSECVE-2020-14344 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python-ipaddress (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-ipaddress fixes the following issues:
- Add CVE-2020-14422-ipaddress-hash-collision.patch fixing
CVE-2020-14422 (bsc#1173274, bpo#41004), where hash collisions
in IPv4Interface and IPv6Interface could lead to DOS.
ImportantSUSE bug 1173274CVE-2020-14422 at SUSECVE-2020-14422 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for LibVNCServer (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for LibVNCServer fixes the following issues:
- security update
fix CVE-2018-21247 [bsc#1173874], uninitialized memory contents are vulnerable to Information leak
fix CVE-2019-20839 [bsc#1173875], buffer overflow in ConnectClientToUnixSock()
fix CVE-2019-20840 [bsc#1173876], unaligned accesses in hybiReadAndDecode can lead to denial of service
fix CVE-2020-14398 [bsc#1173880], improperly closed TCP connection causes an infinite loop in libvncclient/sockets.c
fix CVE-2020-14397 [bsc#1173700], NULL pointer dereference in libvncserver/rfbregion.c
fix CVE-2020-14399 [bsc#1173743], Byte-aligned data is accessed through uint32_t pointers in libvncclient/rfbproto.c.
fix CVE-2020-14400 [bsc#1173691], Byte-aligned data is accessed through uint16_t pointers in libvncserver/translate.c.
fix CVE-2020-14401 [bsc#1173694], potential integer overflows in libvncserver/scale.c
fix CVE-2020-14402 [bsc#1173701], out-of-bounds access via encodings.
fix CVE-2020-14403 [bsc#1173701], out-of-bounds access via encodings.
fix CVE-2020-14404 [bsc#1173701], out-of-bounds access via encodings.
fix CVE-2017-18922 [bsc#1173477], preauth buffer overwrite
ImportantSUSE bug 1173477SUSE bug 1173691SUSE bug 1173694SUSE bug 1173700SUSE bug 1173701SUSE bug 1173743SUSE bug 1173874SUSE bug 1173875SUSE bug 1173876SUSE bug 1173880CVE-2017-18922 at SUSECVE-2017-18922 at NVDCVE-2018-21247 at SUSECVE-2018-21247 at NVDCVE-2019-20839 at SUSECVE-2019-20839 at NVDCVE-2019-20840 at SUSECVE-2019-20840 at NVDCVE-2020-14397 at SUSECVE-2020-14397 at NVDCVE-2020-14398 at SUSECVE-2020-14398 at NVDCVE-2020-14399 at SUSECVE-2020-14399 at NVDCVE-2020-14400 at SUSECVE-2020-14400 at NVDCVE-2020-14401 at SUSECVE-2020-14401 at NVDCVE-2020-14402 at SUSECVE-2020-14402 at NVDCVE-2020-14403 at SUSECVE-2020-14403 at NVDCVE-2020-14404 at SUSECVE-2020-14404 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
- bsc#1174543 - secure boot related fixes
- bsc#1163019 - CVE-2020-8608: Potential OOB access due to unsafe snprintf() usages
ImportantSUSE bug 1163019SUSE bug 1174543CVE-2020-8608 at SUSECVE-2020-8608 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for perl-XML-Twig (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for perl-XML-Twig fixes the following issues:
- Security fix [bsc#1008644, CVE-2016-9180]
* Added: the no_xxe option to XML::Twig::new, which causes the
parse to fail if external entities are used (to prevent
malicious XML to access the filesystem).
* Setting expand_external_ents to 0 or -1 currently doesn't work
as expected; To completely turn off expanding external entities
use no_xxe.
* Update documentation for XML::Twig to mention problems with
expand_external_ents and add information about new no_xxe argument
ModerateSUSE bug 1008644CVE-2016-9180 at SUSECVE-2016-9180 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libX11 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libX11 fixes the following issues:
- Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628).
ImportantSUSE bug 1174628CVE-2020-14344 at SUSECVE-2020-14344 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xerces-c (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xerces-c fixes the following issues:
- CVE-2017-12627: Processing of external DTD paths could have resulted in a
null pointer dereference under certain conditions (bsc#1083630)
ModerateSUSE bug 1083630CVE-2017-12627 at SUSECVE-2017-12627 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.28.4 (bsc#1174662):
+ Fix several crashes and rendering issues.
+ Security fixes: CVE-2020-9862, CVE-2020-9893, CVE-2020-9894,
CVE-2020-9895, CVE-2020-9915, CVE-2020-9925.
ImportantSUSE bug 1174662CVE-2020-9862 at SUSECVE-2020-9862 at NVDCVE-2020-9893 at SUSECVE-2020-9893 at NVDCVE-2020-9894 at SUSECVE-2020-9894 at NVDCVE-2020-9895 at SUSECVE-2020-9895 at NVDCVE-2020-9915 at SUSECVE-2020-9915 at NVDCVE-2020-9925 at SUSECVE-2020-9925 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for perl-PlRPC (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for perl-PlRPC fixes the following issues:
- Security notice: [bsc#858243, CVE-2013-7284]
* Document security vulnerability on Storable and reply attack
- Add perl-PlRPC-CVE-2013-7284.patch
ModerateSUSE bug 858243CVE-2013-7284 at SUSECVE-2013-7284 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for zabbix (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for zabbix fixes the following issues:
- Add patches to fix bsc#1174253 (CVE-2020-15803)
ModerateSUSE bug 1174253CVE-2020-15803 at SUSECVE-2020-15803 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for dovecot22 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for dovecot22 fixes the following issues:
- CVE-2020-12673: improper implementation of NTLM does not check message buffer size (bsc#1174922).
- CVE-2020-12674: improper implementation of RPA mechanism (bsc#1174923).
ImportantSUSE bug 1174922SUSE bug 1174923CVE-2020-12673 at SUSECVE-2020-12673 at NVDCVE-2020-12674 at SUSECVE-2020-12674 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python fixes the following issues:
- CVE-2019-20907: Avoid a possible infinite loop caused by specifically crafted tarballs (bsc#1174091).
ModerateSUSE bug 1174091CVE-2019-20907 at SUSECVE-2019-20907 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for grub2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for grub2 fixes the following issues:
- CVE-2020-15705: Fail kernel validation without shim protocol (bsc#1174421).
- Add fibre channel device's ofpath support to grub-ofpathname and search hint to speed up root device discovery (bsc#1172745).
ImportantSUSE bug 1172745SUSE bug 1174421CVE-2020-15705 at SUSECVE-2020-15705 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for samba (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for samba fixes the following issues:
- CVE-2019-14907: Fixed a Server-side crash after charset conversion failure during NTLMSSP processing (bsc#1160888).
ModerateSUSE bug 1160888CVE-2019-14907 at SUSECVE-2019-14907 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xorg-x11-server (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xorg-x11-server fixes the following issues:
- CVE-2020-14347: Leak of uninitialized heap memory from the X server to clients on pixmap allocation (bsc#1174633, ZDI-CAN-11426).
- CVE-2020-14346: XIChangeHierarchy Integer Underflow Privilege Escalation Vulnerability (bsc#1174638, ZDI-CAN-11429).
- CVE-2020-14345: XKB out-of-bounds access privilege escalation vulnerability (bsc#1174635, ZDI-CAN-11428).
ModerateSUSE bug 1174633SUSE bug 1174635SUSE bug 1174638CVE-2020-14345 at SUSECVE-2020-14345 at NVDCVE-2020-14346 at SUSECVE-2020-14346 at NVDCVE-2020-14347 at SUSECVE-2020-14347 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openvpn (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openvpn fixes the following issues:
- openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch was
malformed in a way that caused patch(1) to ignore it.
(bsc#959714)
ModerateSUSE bug 959714cpe:/o:suse:sles_teradata:12:sp3Security update for targetcli-fb (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for targetcli-fb fixes the following issues:
- CVE-2020-13867: Fixed weak permissions for /etc/target (bsc#1172743).
ModerateSUSE bug 1172743CVE-2020-13867 at SUSECVE-2020-13867 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 6 [bsc#1158442, bsc#1154212]
* Security fixes:
CVE-2019-2933 CVE-2019-2945 CVE-2019-2958
CVE-2019-2962 CVE-2019-2964 CVE-2019-2975
CVE-2019-2978 CVE-2019-2983 CVE-2019-2988
CVE-2019-2989 CVE-2019-2992 CVE-2019-2996
CVE-2019-2999 CVE-2019-2973 CVE-2019-2981
CVE-2019-17631
ModerateSUSE bug 1154212SUSE bug 1158442CVE-2019-17631 at SUSECVE-2019-17631 at NVDCVE-2019-2933 at SUSECVE-2019-2933 at NVDCVE-2019-2945 at SUSECVE-2019-2945 at NVDCVE-2019-2958 at SUSECVE-2019-2958 at NVDCVE-2019-2962 at SUSECVE-2019-2962 at NVDCVE-2019-2964 at SUSECVE-2019-2964 at NVDCVE-2019-2973 at SUSECVE-2019-2973 at NVDCVE-2019-2975 at SUSECVE-2019-2975 at NVDCVE-2019-2978 at SUSECVE-2019-2978 at NVDCVE-2019-2981 at SUSECVE-2019-2981 at NVDCVE-2019-2983 at SUSECVE-2019-2983 at NVDCVE-2019-2988 at SUSECVE-2019-2988 at NVDCVE-2019-2989 at SUSECVE-2019-2989 at NVDCVE-2019-2992 at SUSECVE-2019-2992 at NVDCVE-2019-2996 at SUSECVE-2019-2996 at NVDCVE-2019-2999 at SUSECVE-2019-2999 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xorg-x11-server fixes the following issues:
- CVE-2020-14361: Fix XkbSelectEvents() integer underflow (bsc#1174910 ZDI-CAN-11573).
- CVE-2020-14362: Fix XRecordRegisterClients() Integer underflow (bsc#1174913 ZDI-CAN-11574).
ImportantSUSE bug 1174910SUSE bug 1174913CVE-2020-14361 at SUSECVE-2020-14361 at NVDCVE-2020-14362 at SUSECVE-2020-14362 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for apache2 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for apache2 fixes the following issues:
- CVE-2020-9490: Fixed a crash caused by a specially crafted value for the 'Cache-Digest' header in a HTTP/2 request (bsc#1175071).
- CVE-2020-11985: IP address spoofing when proxying using mod_remoteip and mod_rewrite (bsc#1175072).
- CVE-2020-11993: When trace/debug was enabled for the HTTP/2 module logging statements were made on the wrong connection (bsc#1175070).
ModerateSUSE bug 1175070SUSE bug 1175071SUSE bug 1175072CVE-2020-11985 at SUSECVE-2020-11985 at NVDCVE-2020-11993 at SUSECVE-2020-11993 at NVDCVE-2020-9490 at SUSECVE-2020-9490 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 6 Fix Pack 15 [bsc#1175259, bsc#1174157]
CVE-2020-14577 CVE-2020-14578 CVE-2020-14579 CVE-2020-14581
CVE-2020-14556 CVE-2020-14621 CVE-2020-14593 CVE-2020-14583
CVE-2019-17639
* Class Libraries:
- JAVA.UTIL.ZIP.DEFLATER OPERATIONS THROW JAVA.LANG.INTERNALERROR
- JAVA 8 DECODER OBJECTS CONSUME A LARGE AMOUNT OF JAVA HEAP
- TRANSLATION MESSAGES UPDATE FOR JCL
- UPDATE TIMEZONE INFORMATION TO TZDATA2020A
* Java Virtual Machine:
- IBM JAVA REGISTERS A HANDLER BY DEFAULT FOR SIGABRT
- LARGE MEMORY FOOTPRINT HELD BY TRACECONTEXT OBJECT
* JIT Compiler:
- CRASH IN THE INTERPRETER AFTER OSR FROM INLINED SYNCHRONIZED METHOD
IN DEBUGGING MODE
- INTERMITTENT ASSERTION FAILURE REPORTED
- CRASH IN RESOLVECLASSREF() DURING AOT LOAD
- JIT CRASH DURING CLASS UNLOADING IN J9METHOD_HT::ONCLASSUNLOADING()
- SEGMENTATION FAULT WHILE COMPILING A METHOD
- UNEXPECTED CLASSCASTEXCEPTION THROWN IN HIGH LEVEL PARALLEL
APPLICATION ON IBM Z PLATFORM
* Security:
- CERTIFICATEEXCEPTION OCCURS WHEN FILE.ENCODING PROPERTY SET TO
NON DEFAULT VALUE
- CHANGES TO IBMJCE AND IBMJCEPLUS PROVIDERS
- IBMJCEPLUS FAILS, WHEN THE SECURITY MANAGER IS ENABLED, WITH
DEFAULT PERMISSIONS, SPECIFIED IN JAVA.POLICY FILE
- IN CERTAIN INSTANCES, IBMJCEPLUS PROVIDER THROWS EXCEPTION FROM
KEYFACTORY CLASS
ModerateSUSE bug 1174157SUSE bug 1175259CVE-2019-17639 at SUSECVE-2019-17639 at NVDCVE-2020-14556 at SUSECVE-2020-14556 at NVDCVE-2020-14577 at SUSECVE-2020-14577 at NVDCVE-2020-14578 at SUSECVE-2020-14578 at NVDCVE-2020-14579 at SUSECVE-2020-14579 at NVDCVE-2020-14581 at SUSECVE-2020-14581 at NVDCVE-2020-14583 at SUSECVE-2020-14583 at NVDCVE-2020-14593 at SUSECVE-2020-14593 at NVDCVE-2020-14621 at SUSECVE-2020-14621 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for squid (Critical)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for squid fixes the following issues:
- CVE-2020-24606: Fix livelocking in peerDigestHandleReply (bsc#1175671).
- CVE-2020-15811: Improve Transfer-Encoding handling (bsc#1175665).
- CVE-2020-15810: Enforce token characters for field-name (bsc#1175664).
CriticalSUSE bug 1175664SUSE bug 1175665SUSE bug 1175671CVE-2020-15810 at SUSECVE-2020-15810 at NVDCVE-2020-15811 at SUSECVE-2020-15811 at NVDCVE-2020-24606 at SUSECVE-2020-24606 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libX11 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libX11 fixes the following issues:
- CVE-2020-14363: Fix an integer overflow in init_om() (bsc#1175239).
ModerateSUSE bug 1175239CVE-2020-14363 at SUSECVE-2020-14363 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_7_1-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_7_1-ibm fixes the following issues:
- Update to Java 7.1 Service Refresh 4 Fix Pack 70 [bsc#1175259, bsc#1174157]
CVE-2020-14577 CVE-2020-14578 CVE-2020-14579 CVE-2020-14621
CVE-2020-14593 CVE-2020-14583 CVE-2019-17639
* Class Libraries:
- UPDATE TIMEZONE INFORMATION TO TZDATA2020A
* Security:
- CERTIFICATEEXCEPTION OCCURS WHEN FILE.ENCODING PROPERTY SET TO
NON DEFAULT VALUE
ModerateSUSE bug 1174157SUSE bug 1175259CVE-2019-17639 at SUSECVE-2019-17639 at NVDCVE-2020-14577 at SUSECVE-2020-14577 at NVDCVE-2020-14578 at SUSECVE-2020-14578 at NVDCVE-2020-14579 at SUSECVE-2020-14579 at NVDCVE-2020-14583 at SUSECVE-2020-14583 at NVDCVE-2020-14593 at SUSECVE-2020-14593 at NVDCVE-2020-14621 at SUSECVE-2020-14621 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-openjdk (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-openjdk fixes the following issues:
Update to version jdk8u232 (icedtea 3.14.0) (October 2019 CPU, bsc#1154212)
Security issues fixed:
- CVE-2019-2933: Windows file handling redux
- CVE-2019-2945: Better socket support
- CVE-2019-2949: Better Kerberos ccache handling
- CVE-2019-2958: Build Better Processes
- CVE-2019-2964: Better support for patterns
- CVE-2019-2962: Better Glyph Images
- CVE-2019-2973: Better pattern compilation
- CVE-2019-2975: Unexpected exception in jjs
- CVE-2019-2978: Improved handling of jar files
- CVE-2019-2981: Better Path supports
- CVE-2019-2983: Better serial attributes
- CVE-2019-2987: Better rendering of native glyphs
- CVE-2019-2988: Better Graphics2D drawing
- CVE-2019-2989: Improve TLS connection support
- CVE-2019-2992: Enhance font glyph mapping
- CVE-2019-2999: Commentary on Javadoc comments
- CVE-2019-2894: Enhance ECDSA operations (bsc#1152856)
Bug fixes:
- Add patch to fix hotspot-aarch64 (bsc#1138529).
ModerateSUSE bug 1138529SUSE bug 1152856SUSE bug 1154212CVE-2019-2894 at SUSECVE-2019-2894 at NVDCVE-2019-2933 at SUSECVE-2019-2933 at NVDCVE-2019-2945 at SUSECVE-2019-2945 at NVDCVE-2019-2949 at SUSECVE-2019-2949 at NVDCVE-2019-2958 at SUSECVE-2019-2958 at NVDCVE-2019-2962 at SUSECVE-2019-2962 at NVDCVE-2019-2964 at SUSECVE-2019-2964 at NVDCVE-2019-2973 at SUSECVE-2019-2973 at NVDCVE-2019-2975 at SUSECVE-2019-2975 at NVDCVE-2019-2978 at SUSECVE-2019-2978 at NVDCVE-2019-2981 at SUSECVE-2019-2981 at NVDCVE-2019-2983 at SUSECVE-2019-2983 at NVDCVE-2019-2987 at SUSECVE-2019-2987 at NVDCVE-2019-2988 at SUSECVE-2019-2988 at NVDCVE-2019-2989 at SUSECVE-2019-2989 at NVDCVE-2019-2992 at SUSECVE-2019-2992 at NVDCVE-2019-2999 at SUSECVE-2019-2999 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.2.0 ESR
* Fixed: Various stability, functionality, and security fixes
- Mozilla Firefox ESR 78.2
MFSA 2020-38 (bsc#1175686)
* CVE-2020-15663 (bmo#1643199)
Downgrade attack on the Mozilla Maintenance Service could
have resulted in escalation of privilege
* CVE-2020-15664 (bmo#1658214)
Attacker-induced prompt for extension installation
* CVE-2020-15670 (bmo#1651001, bmo#1651449, bmo#1653626,
bmo#1656957)
Memory safety bugs fixed in Firefox 80 and Firefox ESR 78.2
- Fixed Firefox tab crash in FIPS mode (bsc#1174284).
- Fix broken translation-loading. (bsc#1173991)
* allow addon sideloading
* mark signatures for langpacks non-mandatory
* do not autodisable user profile scopes
- Google API key is not usable for geolocation service any more
ModerateSUSE bug 1173991SUSE bug 1174284SUSE bug 1175686CVE-2020-15663 at SUSECVE-2020-15663 at NVDCVE-2020-15664 at SUSECVE-2020-15664 at NVDCVE-2020-15670 at SUSECVE-2020-15670 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libjpeg-turbo (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libjpeg-turbo fixes the following issues:
- CVE-2020-13790: Fixed a heap-based buffer over-read via a malformed PPM input file (bsc#1172491).
ModerateSUSE bug 1172491CVE-2020-13790 at SUSECVE-2020-13790 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libxml2 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libxml2 fixes the following issues:
- CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
- CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).
- CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179).
- Fixed invalid xmlns references due to CVE-2019-19956 (bsc#1172021).
ModerateSUSE bug 1159928SUSE bug 1161517SUSE bug 1161521SUSE bug 1172021SUSE bug 1176179CVE-2019-19956 at SUSECVE-2019-19956 at NVDCVE-2019-20388 at SUSECVE-2019-20388 at NVDCVE-2020-24977 at SUSECVE-2020-24977 at NVDCVE-2020-7595 at SUSECVE-2020-7595 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-openjdk fixes the following issues:
Update java-1_8_0-openjdk to version jdk8u242 (icedtea 3.15.0) (January 2020 CPU, bsc#1160968):
- CVE-2020-2583: Unlink Set of LinkedHashSets
- CVE-2020-2590: Improve Kerberos interop capabilities
- CVE-2020-2593: Normalize normalization for all
- CVE-2020-2601: Better Ticket Granting Services
- CVE-2020-2604: Better serial filter handling
- CVE-2020-2659: Enhance datagram socket support
- CVE-2020-2654: Improve Object Identifier Processing
ImportantSUSE bug 1160968CVE-2020-2583 at SUSECVE-2020-2583 at NVDCVE-2020-2590 at SUSECVE-2020-2590 at NVDCVE-2020-2593 at SUSECVE-2020-2593 at NVDCVE-2020-2601 at SUSECVE-2020-2601 at NVDCVE-2020-2604 at SUSECVE-2020-2604 at NVDCVE-2020-2654 at SUSECVE-2020-2654 at NVDCVE-2020-2659 at SUSECVE-2020-2659 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tomcat (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tomcat fixes the following issues:
- CVE-2020-1935: Fixed an HTTP request smuggling vulnerability (bsc#1164860).
- CVE-2020-13935: Fixed a WebSocket DoS (bsc#1174117).
ModerateSUSE bug 1164860SUSE bug 1174117CVE-2020-13935 at SUSECVE-2020-13935 at NVDCVE-2020-1935 at SUSECVE-2020-1935 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for cifs-utils (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for cifs-utils fixes the following issues:
- CVE-2020-14342: Fixed a shell command injection vulnerability in mount.cifs (bsc#1174477).
- Fixed an invalid free in mount.cifs; (bsc#1152930).
- Fixed a double-free in mount.cifs; (bsc#1149164).
ModerateSUSE bug 1149164SUSE bug 1152930SUSE bug 1174477CVE-2020-14342 at SUSECVE-2020-14342 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ovmf (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ovmf fixes the following issues:
- CVE-2019-14562: Fixed an overflow in DxeImageVerificationHandler (bsc#1175476).
ModerateSUSE bug 1175476CVE-2019-14562 at SUSECVE-2019-14562 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for shim (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for shim fixes the following issues:
- Update to the unified shim binary from SUSE Linux Enterprise 15-SP1 (bsc#1168994)
This update addresses the 'BootHole' security issue (master CVE CVE-2020-10713), by
disallowing binaries signed by the previous SUSE UEFI signing key from booting.
This update should only be installed after updates of grub2, the Linux kernel and (if used)
Xen from July / August 2020 are applied.
Additional fixes:
+ shim-install: install MokManager to \EFI\boot to process the pending MOK request (bsc#1175626, bsc#1175656)
ModerateSUSE bug 1168994SUSE bug 1175626SUSE bug 1175656CVE-2020-10713 at SUSECVE-2020-10713 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libsolv (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libsolv fixes the following issues:
This is a reissue of an existing libsolv update that also included libsolv-devel for LTSS products.
libsolv was updated to version 0.6.36 fixes the following issues:
Security issues fixed:
- CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
- CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
- CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).
Non-security issues fixed:
- Made cleandeps jobs on patterns work (bsc#1137977).
- Fixed an issue multiversion packages that obsolete their own name (bsc#1127155).
- Keep consistent package name if there are multiple alternatives (bsc#1131823).
ModerateSUSE bug 1120629SUSE bug 1120630SUSE bug 1120631SUSE bug 1127155SUSE bug 1131823SUSE bug 1137977CVE-2018-20532 at SUSECVE-2018-20532 at NVDCVE-2018-20533 at SUSECVE-2018-20533 at NVDCVE-2018-20534 at SUSECVE-2018-20534 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for perl-DBI (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for perl-DBI fixes the following issues:
Security issues fixed:
- CVE-2020-14392: Memory corruption in XS functions when Perl stack is reallocated (bsc#1176412).
- CVE-2020-14393: Fixed a buffer overflow on an overlong DBD class name (bsc#1176409).
ImportantSUSE bug 1176409SUSE bug 1176412CVE-2020-14392 at SUSECVE-2020-14392 at NVDCVE-2020-14393 at SUSECVE-2020-14393 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for less (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for less fixes the following issues:
Security issue fixed:
- CVE-2014-9488: Malformed UTF-8 data could have caused an out of bounds read in
the UTF-8 decoding routines, causing an invalid read access (bsc#921719).
ModerateSUSE bug 921719CVE-2014-9488 at SUSECVE-2014-9488 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for jasper (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for jasper fixes the following issues:
- CVE-2016-9398: Improved patch for already fixed issue (bsc#1010979).
- CVE-2016-9399: Fix assert in calcstepsizes (bsc#1010980).
- CVE-2016-9397: Fix assert in jpc_dequantize (bsc#1010786).
- CVE-2016-9557: Fix signed integer overflow (bsc#1011829).
- CVE-2017-5499: Validate component depth bit (bsc#1020451).
- CVE-2017-5503: Check bounds in jas_seq2d_bindsub() (bsc#1020456).
- CVE-2017-5504: Check bounds in jas_seq2d_bindsub() (bsc#1020458).
- CVE-2017-5505: Check bounds in jas_seq2d_bindsub() (bsc#1020460).
- CVE-2017-14132: Fix heap base overflow in by checking components (bsc#1057152).
- CVE-2018-9154: Fixed a potential denial of service in jpc_dec_process_sot() (bsc#1092115).
- CVE-2018-9252: Fix reachable assertion in jpc_abstorelstepsize (bsc#1088278).
- CVE-2018-18873: Fix null pointer deref in ras_putdatastd (bsc#1114498).
- CVE-2018-19139: Fix mem leaks by registering jpc_unk_destroyparms (bsc#1115637).
- CVE-2018-19543, bsc#1045450 CVE-2017-9782: Fix numchans mixup (bsc#1117328).
- CVE-2018-20570: Fix heap based buffer over-read in jp2_encode (bsc#1120807).
- CVE-2018-20622: Fix memory leak in jas_malloc.c (bsc#1120805).
LowSUSE bug 1010786SUSE bug 1010979SUSE bug 1010980SUSE bug 1011829SUSE bug 1020451SUSE bug 1020456SUSE bug 1020458SUSE bug 1020460SUSE bug 1045450SUSE bug 1057152SUSE bug 1088278SUSE bug 1092115SUSE bug 1114498SUSE bug 1115637SUSE bug 1117328SUSE bug 1120805SUSE bug 1120807CVE-2016-9397 at SUSECVE-2016-9397 at NVDCVE-2016-9398 at SUSECVE-2016-9398 at NVDCVE-2016-9399 at SUSECVE-2016-9399 at NVDCVE-2016-9557 at SUSECVE-2016-9557 at NVDCVE-2017-14132 at SUSECVE-2017-14132 at NVDCVE-2017-5499 at SUSECVE-2017-5499 at NVDCVE-2017-5503 at SUSECVE-2017-5503 at NVDCVE-2017-5504 at SUSECVE-2017-5504 at NVDCVE-2017-5505 at SUSECVE-2017-5505 at NVDCVE-2017-9782 at SUSECVE-2017-9782 at NVDCVE-2018-18873 at SUSECVE-2018-18873 at NVDCVE-2018-19139 at SUSECVE-2018-19139 at NVDCVE-2018-19543 at SUSECVE-2018-19543 at NVDCVE-2018-20570 at SUSECVE-2018-20570 at NVDCVE-2018-20622 at SUSECVE-2018-20622 at NVDCVE-2018-9154 at SUSECVE-2018-9154 at NVDCVE-2018-9252 at SUSECVE-2018-9252 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3 fixes the following issues:
- CVE-2019-20907: Fixed denial of service by avoiding possible infinite loop in specifically crafted tarball (bsc#1174091).
- CVE-2020-14422: Fixed an improper computation of hash values in the IPv4Interface and IPv6Interface
could have led to denial of service (bsc#1173274).
- CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238).
- CVE-2019-9947: Fixed an issue in urllib2 which allowed CRLF injection if the attacker controls a url parameter (bsc#1130840).
- If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423).
ImportantSUSE bug 1088004SUSE bug 1088009SUSE bug 1130840SUSE bug 1141853SUSE bug 1149955SUSE bug 1153238SUSE bug 1162423SUSE bug 1173274SUSE bug 1174091SUSE bug 1174701CVE-2018-14647 at SUSECVE-2018-14647 at NVDCVE-2018-20852 at SUSECVE-2018-20852 at NVDCVE-2019-16056 at SUSECVE-2019-16056 at NVDCVE-2019-16935 at SUSECVE-2019-16935 at NVDCVE-2019-20907 at SUSECVE-2019-20907 at NVDCVE-2019-9947 at SUSECVE-2019-9947 at NVDCVE-2020-14422 at SUSECVE-2020-14422 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libmspack (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libmspack fixes the following issues:
Security issues fixed:
- CVE-2019-1010305: Fixed a buffer overflow triggered by a crafted chm file
which could have led to information disclosure (bsc#1141680).
- CVE-2018-18584: The CAB block input buffer was one byte too small for the
maximal Quantum block, leading to an out-of-bounds write. (bsc#1113038)
- CVE-2018-18585: chmd_read_headers accepted a filename that has '\0' as its
first or second character (such as the '/\0' name). (bsc#1113039)
- Fix off-by-one bounds check on CHM PMGI/PMGL chunk numbers and reject empty filenames.
ModerateSUSE bug 1113038SUSE bug 1113039SUSE bug 1130489SUSE bug 1141680CVE-2018-18584 at SUSECVE-2018-18584 at NVDCVE-2018-18585 at SUSECVE-2018-18585 at NVDCVE-2019-1010305 at SUSECVE-2019-1010305 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for samba (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for samba fixes the following issues:
- ZeroLogon: An elevation of privilege was possible with some configurations when an attacker established
a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC)
(CVE-2020-1472, bsc#1176579).
- Fixed an issue where multiple home folders were created(bsc#1174316, bso#13369).
- Fixed an issue where the net command was unable to negotiate SMB2 (bsc#1174120);
ImportantSUSE bug 1174120SUSE bug 1174316SUSE bug 1176579CVE-2020-1472 at SUSECVE-2020-1472 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for wavpack (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for wavpack fixes the following issues:
Security issues fixed:
- CVE-2018-19840: Fixed a denial-of-service in the WavpackPackInit function from pack_utils.c (bsc#1120930)
ModerateSUSE bug 1120930CVE-2018-19840 at SUSECVE-2018-19840 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ImageMagick fixes the following issues:
- CVE-2017-11527: Fixed a denial of service inReadDPXImage() (bsc#1047054).
ModerateSUSE bug 1047054CVE-2017-11527 at SUSECVE-2017-11527 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libqt5-qtbase (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libqt5-qtbase fixes the following issues:
- CVE-2020-17507: Fixed a buffer overflow in XBM parser (bsc#1176315)
- Made handling of XDG_RUNTIME_DIR more secure (bsc#1172515)
ImportantSUSE bug 1172515SUSE bug 1176315CVE-2020-17507 at SUSECVE-2020-17507 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
-Firefox was updated to 78.3.0 ESR (bsc#1176756, MFSA 2020-43)
- CVE-2020-15677: Download origin spoofing via redirect
- CVE-2020-15676: Fixed an XSS when pasting attacker-controlled data into a
contenteditable element
- CVE-2020-15678: When recursing through layers while scrolling, an iterator
may have become invalid, resulting in a potential use-after-free scenario
- CVE-2020-15673: Fixed memory safety bugs
- Enhance fix for wayland-detection (bsc#1174420)
- Attempt to fix langpack-parallelization by introducing separate
obj-dirs for each lang (bsc#1173986, bsc#1167976)
ImportantSUSE bug 1167976SUSE bug 1173986SUSE bug 1174420SUSE bug 1176756CVE-2020-15673 at SUSECVE-2020-15673 at NVDCVE-2020-15676 at SUSECVE-2020-15676 at NVDCVE-2020-15677 at SUSECVE-2020-15677 at NVDCVE-2020-15678 at SUSECVE-2020-15678 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
- CVE-2020-25604: Fixed a race condition when migrating timers between x86
HVM vCPU-s (bsc#1176343,XSA-336)
- CVE-2020-25595: Fixed an issue where PCI passthrough code was reading back hardware registers (bsc#1176344,XSA-337)
- CVE-2020-25597: Fixed an issue where a valid event channels may not turn invalid (bsc#1176346,XSA-338)
- CVE-2020-25596: Fixed a potential denial of service in x86 pv guest kernel via SYSENTER (bsc#1176345,XSA-339)
- CVE-2020-25603: Fixed an issue due to missing barriers when accessing/allocating an event channel (bsc#1176347,XSA-340)
- CVE-2020-25600: Fixed out of bounds event channels available to 32-bit x86 domains (bsc#1176348,XSA-342)
- CVE-2020-25599: Fixed race conditions with evtchn_reset() (bsc#1176349,XSA-343)
- CVE-2020-25601: Fixed an issue due to lack of preemption in evtchn_reset() / evtchn_destroy() (bsc#1176350,XSA-344)
- CVE-2020-14364: Fixed an out-of-bounds read/write access while processing usb packets (bsc#1175534).
- Various bug fixes (bsc#1027519)
ImportantSUSE bug 1175534SUSE bug 1176343SUSE bug 1176344SUSE bug 1176345SUSE bug 1176346SUSE bug 1176347SUSE bug 1176348SUSE bug 1176349SUSE bug 1176350CVE-2020-14364 at SUSECVE-2020-14364 at NVDCVE-2020-25595 at SUSECVE-2020-25595 at NVDCVE-2020-25596 at SUSECVE-2020-25596 at NVDCVE-2020-25597 at SUSECVE-2020-25597 at NVDCVE-2020-25599 at SUSECVE-2020-25599 at NVDCVE-2020-25600 at SUSECVE-2020-25600 at NVDCVE-2020-25601 at SUSECVE-2020-25601 at NVDCVE-2020-25603 at SUSECVE-2020-25603 at NVDCVE-2020-25604 at SUSECVE-2020-25604 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tar (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tar fixes the following issues:
Security issues fixed:
- CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496).
- CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610).
ModerateSUSE bug 1120610SUSE bug 1130496CVE-2018-20482 at SUSECVE-2018-20482 at NVDCVE-2019-9923 at SUSECVE-2019-9923 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for aspell (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for aspell fixes the following security issue:
- CVE-2019-20433: Fixed a buffer over-read when processing strings ending with a single '\0' byte with ucs-2 and ucs-4 encoding (bsc#1161982).
ModerateSUSE bug 1161982CVE-2019-20433 at SUSECVE-2019-20433 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for perl-DBI (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for perl-DBI fixes the following issues:
- CVE-2019-20919: Fixed a NULL profile dereference in dbi_profile (bsc#1176764).
- CVE-2013-7490: Fixed memory corruption when using many arguments
to methods for CallbacksUsing (bsc#1176496).
ImportantSUSE bug 1176496SUSE bug 1176764CVE-2013-7490 at SUSECVE-2013-7490 at NVDCVE-2019-20919 at SUSECVE-2019-20919 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_7_0-openjdk fixes the following issues:
- java-1_7_0-openjdk was updated to 2.6.23 (July 2020 CPU, bsc#1174157)
- JDK-8028431, CVE-2020-14579: NullPointerException in
- DerValue.equals(DerValue)
- JDK-8028591, CVE-2020-14578: NegativeArraySizeException in
- sun.security.util.DerInputStream.getUnalignedBitString()
- JDK-8230613: Better ASCII conversions
- JDK-8231800: Better listing of arrays
- JDK-8232014: Expand DTD support
- JDK-8233255: Better Swing Buttons
- JDK-8234032: Improve basic calendar services
- JDK-8234042: Better factory production of certificates
- JDK-8234418: Better parsing with CertificateFactory
- JDK-8234836: Improve serialization handling
- JDK-8236191: Enhance OID processing
- JDK-8237592, CVE-2020-14577: Enhance certificate verification
- JDK-8238002, CVE-2020-14581: Better matrix operations
- JDK-8238804: Enhance key handling process
- JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable
- JDK-8238843: Enhanced font handing
- JDK-8238920, CVE-2020-14583: Better Buffer support
- JDK-8238925: Enhance WAV file playback
- JDK-8240119, CVE-2020-14593: Less Affine Transformations
- JDK-8240482: Improved WAV file playback
- JDK-8241379: Update JCEKS support
- JDK-8241522: Manifest improved jar headers redux
- JDK-8242136, CVE-2020-14621: Better XML namespace handling
- JDK-8040113: File not initialized in src/share/native/sun/awt/giflib/dgif_lib.c
- JDK-8054446: Repeated offer and remove on ConcurrentLinkedQueue lead to an OutOfMemoryError
- JDK-8077982: GIFLIB upgrade
- JDK-8081315: 8077982 giflib upgrade breaks system giflib builds with earlier versions
- JDK-8147087: Race when reusing PerRegionTable bitmaps may result in dropped remembered set entries
- JDK-8151582: (ch) test java/nio/channels/AsyncCloseAndInterrupt.java failing due to 'Connection succeeded'
- JDK-8155691: Update GIFlib library to the latest up-to-date
- JDK-8181841: A TSA server returns timestamp with precision higher than milliseconds
- JDK-8203190: SessionId.hashCode generates too many collisions
- JDK-8217676: Upgrade libpng to 1.6.37
- JDK-8220495: Update GIFlib library to the 5.1.8
- JDK-8226892: ActionListeners on JRadioButtons don't get notified when selection is changed with arrow keys
- JDK-8229899: Make java.io.File.isInvalid() less racy
- JDK-8230597: Update GIFlib library to the 5.2.1
- JDK-8230769: BufImg_SetupICM add ReleasePrimitiveArrayCritical call in early return
- JDK-8243541: (tz) Upgrade time-zone data to tzdata2020a
- JDK-8244548: JDK 8u: sun.misc.Version.jdkUpdateVersion() returns wrong result
ImportantSUSE bug 1174157CVE-2020-14577 at SUSECVE-2020-14577 at NVDCVE-2020-14578 at SUSECVE-2020-14578 at NVDCVE-2020-14579 at SUSECVE-2020-14579 at NVDCVE-2020-14581 at SUSECVE-2020-14581 at NVDCVE-2020-14583 at SUSECVE-2020-14583 at NVDCVE-2020-14593 at SUSECVE-2020-14593 at NVDCVE-2020-14621 at SUSECVE-2020-14621 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python36 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python36 fixes the following issues:
- CVE-2019-20907, bsc#1174091: avoiding possible infinite loop in specifically crafted tarball.
- CVE-2020-14422, bsc#1173274: where hash collisions in IPv4Interface and IPv6Interface could lead to DOS.
ImportantSUSE bug 1173274SUSE bug 1174091SUSE bug 1174571CVE-2019-20907 at SUSECVE-2019-20907 at NVDCVE-2020-14422 at SUSECVE-2020-14422 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tigervnc (Critical)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tigervnc fixes the following issues:
- CVE-2020-26117: Server certificates were stored as certiticate
authorities, allowing malicious owners of these certificates
to impersonate any server after a client had added an exception
(bsc#1176733).
CriticalSUSE bug 1176733CVE-2020-26117 at SUSECVE-2020-26117 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libproxy (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libproxy fixes the following issues:
- CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
- CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).
ImportantSUSE bug 1176410SUSE bug 1177143CVE-2020-25219 at SUSECVE-2020-25219 at NVDCVE-2020-26154 at SUSECVE-2020-26154 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libqt5-qtimageformats (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libqt5-qtimageformats fixes the following issues:
Security issues fixed:
- CVE-2018-19871: Fixed CPU exhaustion in QTgaFile (bsc#1118598)
ModerateSUSE bug 1118598CVE-2018-19871 at SUSECVE-2018-19871 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libqt5-qtsvg (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libqt5-qtsvg fixes the following issues:
Security issues fixed:
- CVE-2018-19869: Fixed Denial of Service when parsing malformed URL reference (bsc#1118599)
ModerateSUSE bug 1118599CVE-2018-19869 at SUSECVE-2018-19869 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for blktrace (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
blktrace was updated to fix a security issue:
- CVE-2018-10689: Prevent buffer overflow in the dev_map_read function because
the device and devno arrays were too small (bsc#1091942)
LowSUSE bug 1091942CVE-2018-10689 at SUSECVE-2018-10689 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for hunspell (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for hunspell fixes the following issues:
- CVE-2019-16707: Fixed an invalid read in SuggestMgr:leftcommonsubstring (bsc#1151867).
LowSUSE bug 1151867CVE-2019-16707 at SUSECVE-2019-16707 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for taglib (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for taglib fixes the following issues:
- CVE-2018-11439: The TagLib::Ogg::FLAC::File::scan function allowed remote
attackers to cause information disclosure (heap-based buffer over-read) via a
crafted audio file (bsc#1096180).
LowSUSE bug 1096180CVE-2018-11439 at SUSECVE-2018-11439 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for freetype2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for freetype2 fixes the following issues:
- CVE-2020-15999: fixed a heap buffer overflow found in the handling of embedded PNG bitmaps (bsc#1177914).
ImportantSUSE bug 1177914CVE-2020-15999 at SUSECVE-2020-15999 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libcdio (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libcdio fixes the following issues:
The following security vulnerability was addressed:
- CVE-2017-18199: Fixed a NULL pointer dereference in realloc_symlink in
rock.c, which allowed remote attackers to cause a denial of service via a
crafted ISO file. (bsc#1082821)
LowSUSE bug 1082821CVE-2017-18199 at SUSECVE-2017-18199 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for glibc (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for glibc fixes the following issues:
- CVE-2020-10029: Fixed a stack corruption from range reduction of pseudo-zero (bsc#1165784)
- Use posix_spawn on popen (bsc#1149332, bsc#1176013)
- Correct locking and cancellation cleanup in syslog functions (bsc#1172085)
- Fixed concurrent changes on nscd aware files (bsc#1171878)
ModerateSUSE bug 1149332SUSE bug 1165784SUSE bug 1171878SUSE bug 1172085SUSE bug 1176013CVE-2020-10029 at SUSECVE-2020-10029 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for SDL (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for SDL fixes the following issues:
Secuirty issue fixed:
- CVE-2019-13616: Fixed heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit (bsc#1141844).
ModerateSUSE bug 1141844CVE-2019-13616 at SUSECVE-2019-13616 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.4.0 ESR
* Fixed: Various stability, functionality, and security fixes MFSA 2020-46 (bsc#1177872, bsc#1176756)
* CVE-2020-15969 Use-after-free in usersctp
* CVE-2020-15683 Memory safety bugs fixed in Firefox 82 and Firefox ESR 78.4
* Fixed: Fixed legacy preferences not being properly applied when set via GPO
ImportantSUSE bug 1176756SUSE bug 1177872CVE-2020-15683 at SUSECVE-2020-15683 at NVDCVE-2020-15969 at SUSECVE-2020-15969 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for spice (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for spice fixes the following issues:
- CVE-2020-14355: Fixed multiple buffer overflow vulnerabilities in QUIC image decoding (bsc#1177158).
ModerateSUSE bug 1177158CVE-2020-14355 at SUSECVE-2020-14355 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for spice-gtk (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for spice-gtk fixes the following issues:
- CVE-2020-14355: Fixed multiple buffer overflow vulnerabilities in QUIC image decoding (bsc#1177158).
ModerateSUSE bug 1177158CVE-2020-14355 at SUSECVE-2020-14355 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for graphviz (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for graphviz fixes the following issues:
- CVE-2018-10196: Fixed a null dereference in rebuild_vlis (bsc#1093447).
LowSUSE bug 1093447CVE-2018-10196 at SUSECVE-2018-10196 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for samba (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for samba fixes the following issues:
- CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records (bsc#1177613).
- CVE-2020-14323: Unprivileged user can crash winbind (bsc#1173994).
- CVE-2020-14318: Missing permissions check in SMB1/2/3 ChangeNotify (bsc#1173902).
ImportantSUSE bug 1173902SUSE bug 1173994SUSE bug 1177613CVE-2020-14318 at SUSECVE-2020-14318 at NVDCVE-2020-14323 at SUSECVE-2020-14323 at NVDCVE-2020-14383 at SUSECVE-2020-14383 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libvirt (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libvirt fixes the following issues:
CVE-2020-15708: Added a note to libvirtd.conf about polkit auth in SUSE distros (bsc#1174955).
CVE-2020-25637: Fixed a double free in qemuAgentGetInterfaces() (bsc#1177155).
ImportantSUSE bug 1174955SUSE bug 1177155CVE-2020-15708 at SUSECVE-2020-15708 at NVDCVE-2020-25637 at SUSECVE-2020-25637 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for liblouis (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for liblouis, python-luis and python3-louis fixes the following issue:
Security issue fixed:
- CVE-2018-17294: Fixed an out of bounds read in matchCurrentInput function
which could allow a remote attacker to cause Denail of Service (bsc#1109319).
LowSUSE bug 1109319CVE-2018-17294 at SUSECVE-2018-17294 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python fixes the following issues:
- CVE-2020-26116: Fixed CRLF injection via HTTP request method (bsc#1177211).
ModerateSUSE bug 1177211CVE-2020-26116 at SUSECVE-2020-26116 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for sane-backends (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for sane-backends fixes the following issues:
- sane-backends version upgrade to 1.0.31:
* sane-backends version upgrade to 1.0.30
fixes memory corruption bugs CVE-2020-12861, CVE-2020-12862,
CVE-2020-12863, CVE-2020-12864, CVE-2020-12865,
CVE-2020-12866, CVE-2020-12867 (bsc#1172524)
* sane-backends version upgrade to 1.0.31
to further improve hardware enablement for scanner devices
(jsc#SLE-15561 and jsc#SLE-15560 with jsc#ECO-2418)
* The new escl backend cannot be provided for SLE12 because
it requires more additional software (avahi-client, libcurl,
and libpoppler-glib-devel) where in particular for libcurl
the one that is in SLE12 (via libcurl-devel-7.37.0) is likely
too old because with that building the escl backend fails with
'escl/escl.c:1267:34: error: 'CURLOPT_UNIX_SOCKET_PATH'
undeclared curl_easy_setopt(handle, CURLOPT_UNIX_SOCKET_PATH'
ImportantSUSE bug 1172524CVE-2017-6318 at SUSECVE-2017-6318 at NVDCVE-2020-12861 at SUSECVE-2020-12861 at NVDCVE-2020-12862 at SUSECVE-2020-12862 at NVDCVE-2020-12863 at SUSECVE-2020-12863 at NVDCVE-2020-12864 at SUSECVE-2020-12864 at NVDCVE-2020-12865 at SUSECVE-2020-12865 at NVDCVE-2020-12866 at SUSECVE-2020-12866 at NVDCVE-2020-12867 at SUSECVE-2020-12867 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for opensc (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for opensc fixes the following issues:
Security issue fixed:
- CVE-2019-6502: Fixed a memory leak in sc_context_create() (bsc#1122756).
LowSUSE bug 1122756CVE-2019-6502 at SUSECVE-2019-6502 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for apache-commons-httpclient (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for apache-commons-httpclient fixes the following issues:
- http/conn/ssl/SSLConnectionSocketFactory.java ignores the
http.socket.timeout configuration setting during an SSL handshake,
which allows remote attackers to cause a denial of service (HTTPS
call hang) via unspecified vectors. [bsc#945190, CVE-2015-5262]
- org.apache.http.conn.ssl.AbstractVerifier does not properly
verify that the server hostname matches a domain name in the
subject's Common Name (CN) or subjectAltName field of the X.509
certificate, which allows MITM attackers to spoof SSL servers
via a 'CN=' string in a field in the distinguished name (DN)
of a certificate. [bsc#1178171, CVE-2014-3577]
ImportantSUSE bug 1178171SUSE bug 945190CVE-2014-3577 at SUSECVE-2014-3577 at NVDCVE-2015-5262 at SUSECVE-2015-5262 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ImageMagick fixes the following issues:
- CVE-2020-27560: Fixed potential denial of service in OptimizeLayerFrames function in MagickCore/layer.c (bsc#1178067).
ModerateSUSE bug 1178067CVE-2020-27560 at SUSECVE-2020-27560 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libqt5-qtbase (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libqt5-qtbase fixes the following issues:
Security issues fixed:
- CVE-2020-0569: Fixed a potential local code execution by loading plugins from CWD (bsc#1161167).
- CVE-2018-19870: Fixed an improper check in QImage allocation which could allow Denial of Service
when opening crafted gif files (bsc#1118597).
- CVE-2018-19872: Fixed an issue which could allow a division by zero leading to crash (bsc#1130246).
ImportantSUSE bug 1118597SUSE bug 1130246SUSE bug 1161167CVE-2018-19870 at SUSECVE-2018-19870 at NVDCVE-2018-19872 at SUSECVE-2018-19872 at NVDCVE-2020-0569 at SUSECVE-2020-0569 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-openjdk fixes the following issues:
- Fix regression '8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)',
introduced in October 2020 CPU.
- Update to version jdk8u272 (icedtea 3.17.0) (July 2020 CPU,
bsc#1174157, and October 2020 CPU, bsc#1177943)
* New features
+ JDK-8245468: Add TLSv1.3 implementation classes from 11.0.7
+ PR3796: Allow the number of curves supported to be specified
* Security fixes
+ JDK-8028431, CVE-2020-14579: NullPointerException in
DerValue.equals(DerValue)
+ JDK-8028591, CVE-2020-14578: NegativeArraySizeException in
sun.security.util.DerInputStream.getUnalignedBitString()
+ JDK-8230613: Better ASCII conversions
+ JDK-8231800: Better listing of arrays
+ JDK-8232014: Expand DTD support
+ JDK-8233255: Better Swing Buttons
+ JDK-8233624: Enhance JNI linkage
+ JDK-8234032: Improve basic calendar services
+ JDK-8234042: Better factory production of certificates
+ JDK-8234418: Better parsing with CertificateFactory
+ JDK-8234836: Improve serialization handling
+ JDK-8236191: Enhance OID processing
+ JDK-8236196: Improve string pooling
+ JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
+ JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior
+ JDK-8237592, CVE-2020-14577: Enhance certificate verification
+ JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
+ JDK-8237995, CVE-2020-14782: Enhance certificate processing
+ JDK-8238002, CVE-2020-14581: Better matrix operations
+ JDK-8238804: Enhance key handling process
+ JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable
+ JDK-8238843: Enhanced font handing
+ JDK-8238920, CVE-2020-14583: Better Buffer support
+ JDK-8238925: Enhance WAV file playback
+ JDK-8240119, CVE-2020-14593: Less Affine Transformations
+ JDK-8240124: Better VM Interning
+ JDK-8240482: Improved WAV file playback
+ JDK-8241114, CVE-2020-14792: Better range handling
+ JDK-8241379: Update JCEKS support
+ JDK-8241522: Manifest improved jar headers redux
+ JDK-8242136, CVE-2020-14621: Better XML namespace handling
+ JDK-8242680, CVE-2020-14796: Improved URI Support
+ JDK-8242685, CVE-2020-14797: Better Path Validation
+ JDK-8242695, CVE-2020-14798: Enhanced buffer support
+ JDK-8243302: Advanced class supports
+ JDK-8244136, CVE-2020-14803: Improved Buffer supports
+ JDK-8244479: Further constrain certificates
+ JDK-8244955: Additional Fix for JDK-8240124
+ JDK-8245407: Enhance zoning of times
+ JDK-8245412: Better class definitions
+ JDK-8245417: Improve certificate chain handling
+ JDK-8248574: Improve jpeg processing
+ JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
+ JDK-8253019: Enhanced JPEG decoding
* Import of OpenJDK 8 u262 build 01
+ JDK-4949105: Access Bridge lacks html tags parsing
+ JDK-8003209: JFR events for network utilization
+ JDK-8030680: 292 cleanup from default method code assessment
+ JDK-8035633: TEST_BUG: java/net/NetworkInterface/Equals.java
and some tests failed on windows intermittently
+ JDK-8041626: Shutdown tracing event
+ JDK-8141056: Erroneous assignment in HeapRegionSet.cpp
+ JDK-8149338: JVM Crash caused by Marlin renderer not handling
NaN coordinates
+ JDK-8151582: (ch) test java/nio/channels/
/AsyncCloseAndInterrupt.java failing due to 'Connection
succeeded'
+ JDK-8165675: Trace event for thread park has incorrect unit
for timeout
+ JDK-8176182: 4 security tests are not run
+ JDK-8178910: Problemlist sample tests
+ JDK-8183925: Decouple crash protection from watcher thread
+ JDK-8191393: Random crashes during cfree+0x1c
+ JDK-8195817: JFR.stop should require name of recording
+ JDK-8195818: JFR.start should increase autogenerated name by
one
+ JDK-8195819: Remove recording=x from jcmd JFR.check output
+ JDK-8199712: Flight Recorder
+ JDK-8202578: Revisit location for class unload events
+ JDK-8202835: jfr/event/os/TestSystemProcess.java fails on
missing events
+ JDK-8203287: Zero fails to build after JDK-8199712 (Flight
Recorder)
+ JDK-8203346: JFR: Inconsistent signature of
jfr_add_string_constant
+ JDK-8203664: JFR start failure after AppCDS archive created
with JFR StartFlightRecording
+ JDK-8203921: JFR thread sampling is missing fixes from
JDK-8194552
+ JDK-8203929: Limit amount of data for JFR.dump
+ JDK-8205516: JFR tool
+ JDK-8207392: [PPC64] Implement JFR profiling
+ JDK-8207829: FlightRecorderMXBeanImpl is leaking the first
classloader which calls it
+ JDK-8209960: -Xlog:jfr* doesn't work with the JFR
+ JDK-8210024: JFR calls virtual is_Java_thread from ~Thread()
+ JDK-8210776: Upgrade X Window System 6.8.2 to the latest XWD
1.0.7
+ JDK-8211239: Build fails without JFR: empty JFR events
signatures mismatch
+ JDK-8212232: Wrong metadata for the configuration of the
cutoff for old object sample events
+ JDK-8213015: Inconsistent settings between JFR.configure and
-XX:FlightRecorderOptions
+ JDK-8213421: Line number information for execution samples
always 0
+ JDK-8213617: JFR should record the PID of the recorded process
+ JDK-8213734: SAXParser.parse(File, ..) does not close
resources when Exception occurs.
+ JDK-8213914: [TESTBUG] Several JFR VM events are not covered
by tests
+ JDK-8213917: [TESTBUG] Shutdown JFR event is not covered by
test
+ JDK-8213966: The ZGC JFR events should be marked as
experimental
+ JDK-8214542: JFR: Old Object Sample event slow on a deep heap
in debug builds
+ JDK-8214750: Unnecessary <p> tags in jfr classes
+ JDK-8214896: JFR Tool left files behind
+ JDK-8214906: [TESTBUG] jfr/event/sampling/TestNative.java
fails with UnsatisfiedLinkError
+ JDK-8214925: JFR tool fails to execute
+ JDK-8215175: Inconsistencies in JFR event metadata
+ JDK-8215237: jdk.jfr.Recording javadoc does not compile
+ JDK-8215284: Reduce noise induced by periodic task
getFileSize()
+ JDK-8215355: Object monitor deadlock with no threads holding
the monitor (using jemalloc 5.1)
+ JDK-8215362: JFR GTest JfrTestNetworkUtilization fails
+ JDK-8215771: The jfr tool should pretty print reference chains
+ JDK-8216064: -XX:StartFlightRecording:settings= doesn't work
properly
+ JDK-8216486: Possibility of integer overflow in
JfrThreadSampler::run()
+ JDK-8216528: test/jdk/java/rmi/transport/
/runtimeThreadInheritanceLeak/
/RuntimeThreadInheritanceLeak.java failing with Xcomp
+ JDK-8216559: [JFR] Native libraries not correctly parsed from
/proc/self/maps
+ JDK-8216578: Remove unused/obsolete method in JFR code
+ JDK-8216995: Clean up JFR command line processing
+ JDK-8217744: [TESTBUG] JFR TestShutdownEvent fails on some
systems due to process surviving SIGINT
+ JDK-8217748: [TESTBUG] Exclude TestSig test case from JFR
TestShutdownEvent
+ JDK-8218935: Make jfr strncpy uses GCC 8.x friendly
+ JDK-8223147: JFR Backport
+ JDK-8223689: Add JFR Thread Sampling Support
+ JDK-8223690: Add JFR BiasedLock Event Support
+ JDK-8223691: Add JFR G1 Region Type Change Event Support
+ JDK-8223692: Add JFR G1 Heap Summary Event Support
+ JDK-8224172: assert(jfr_is_event_enabled(id)) failed:
invariant
+ JDK-8224475: JTextPane does not show images in HTML rendering
+ JDK-8226253: JAWS reports wrong number of radio buttons when
buttons are hidden.
+ JDK-8226779: [TESTBUG] Test JFR API from Java agent
+ JDK-8226892: ActionListeners on JRadioButtons don't get
notified when selection is changed with arrow keys
+ JDK-8227011: Starting a JFR recording in response to JVMTI
VMInit and / or Java agent premain corrupts memory
+ JDK-8227605: Kitchensink fails 'assert((((klass)->trace_id()
& (JfrTraceIdEpoch::leakp_in_use_this_epoch_bit())) != 0))
failed: invariant'
+ JDK-8229366: JFR backport allows unchecked writing to memory
+ JDK-8229401: Fix JFR code cache test failures
+ JDK-8229708: JFR backport code does not initialize
+ JDK-8229873: 8229401 broke jdk8u-jfr-incubator
+ JDK-8230448: [test] JFRSecurityTestSuite.java is failing on
Windows
+ JDK-8230707: JFR related tests are failing
+ JDK-8230782: Robot.createScreenCapture() fails if
'awt.robot.gtk' is set to false
+ JDK-8230856: Java_java_net_NetworkInterface_getByName0 on
unix misses ReleaseStringUTFChars in early return
+ JDK-8230947: TestLookForUntestedEvents.java is failing after
JDK-8230707
+ JDK-8231995: two jtreg tests failed after 8229366 is fixed
+ JDK-8233623: Add classpath exception to copyright in
EventHandlerProxyCreator.java file
+ JDK-8236002: CSR for JFR backport suggests not leaving out
the package-info
+ JDK-8236008: Some backup files were accidentally left in the
hotspot tree
+ JDK-8236074: Missed package-info
+ JDK-8236174: Should update javadoc since tags
+ JDK-8238076: Fix OpenJDK 7 Bootstrap Broken by JFR Backport
+ JDK-8238452: Keytool generates wrong expiration date if
validity is set to 2050/01/01
+ JDK-8238555: Allow Initialization of SunPKCS11 with NSS when
there are external FIPS modules in the NSSDB
+ JDK-8238589: Necessary code cleanup in JFR for JDK8u
+ JDK-8238590: Enable JFR by default during compilation in 8u
+ JDK-8239055: Wrong implementation of VMState.hasListener
+ JDK-8239476: JDK-8238589 broke windows build by moving
OrderedPair
+ JDK-8239479: minimal1 and zero builds are failing
+ JDK-8239867: correct over use of INCLUDE_JFR macro
+ JDK-8240375: Disable JFR by default for July 2020 release
+ JDK-8241444: Metaspace::_class_vsm not initialized if
compressed class pointers are disabled
+ JDK-8241902: AIX Build broken after integration of
JDK-8223147 (JFR Backport)
+ JDK-8242788: Non-PCH build is broken after JDK-8191393
* Import of OpenJDK 8 u262 build 02
+ JDK-8130737: AffineTransformOp can't handle child raster with
non-zero x-offset
+ JDK-8172559: [PIT][TEST_BUG] Move @test to be 1st annotation
in java/awt/image/Raster/TestChildRasterOp.java
+ JDK-8230926: [macosx] Two apostrophes are entered instead of
one with 'U.S. International - PC' layout
+ JDK-8240576: JVM crashes after transformation in C2
IdealLoopTree::merge_many_backedges
+ JDK-8242883: Incomplete backport of JDK-8078268: backport
test part
* Import of OpenJDK 8 u262 build 03
+ JDK-8037866: Replace the Fun class in tests with lambdas
+ JDK-8146612: C2: Precedence edges specification violated
+ JDK-8150986: serviceability/sa/jmap-hprof/
/JMapHProfLargeHeapTest.java failing because expects HPROF
JAVA PROFILE 1.0.1 file format
+ JDK-8229888: (zipfs) Updating an existing zip file does not
preserve original permissions
+ JDK-8230597: Update GIFlib library to the 5.2.1
+ JDK-8230769: BufImg_SetupICM add
ReleasePrimitiveArrayCritical call in early return
+ JDK-8233880, PR3798: Support compilers with multi-digit major
version numbers
+ JDK-8239852: java/util/concurrent tests fail with
-XX:+VerifyGraphEdges: assert(!VerifyGraphEdges) failed:
verification should have failed
+ JDK-8241638: launcher time metrics always report 1 on Linux
when _JAVA_LAUNCHER_DEBUG set
+ JDK-8243059: Build fails when --with-vendor-name contains a
comma
+ JDK-8243474: [TESTBUG] removed three tests of 0 bytes
+ JDK-8244461: [JDK 8u] Build fails with glibc 2.32
+ JDK-8244548: JDK 8u: sun.misc.Version.jdkUpdateVersion()
returns wrong result
* Import of OpenJDK 8 u262 build 04
+ JDK-8067796: (process) Process.waitFor(timeout, unit) doesn't
throw NPE if timeout is less than, or equal to zero when unit
== null
+ JDK-8148886: SEGV in sun.java2d.marlin.Renderer._endRendering
+ JDK-8171934:
ObjectSizeCalculator.getEffectiveMemoryLayoutSpecification()
does not recognize OpenJDK's HotSpot VM
+ JDK-8196969: JTreg Failure:
serviceability/sa/ClhsdbJstack.java causes NPE
+ JDK-8243539: Copyright info (Year) should be updated for fix
of 8241638
+ JDK-8244777: ClassLoaderStats VM Op uses constant hash value
* Import of OpenJDK 8 u262 build 05
+ JDK-7147060: com/sun/org/apache/xml/internal/security/
/transforms/ClassLoaderTest.java doesn't run in agentvm mode
+ JDK-8178374: Problematic ByteBuffer handling in
CipherSpi.bufferCrypt method
+ JDK-8181841: A TSA server returns timestamp with precision
higher than milliseconds
+ JDK-8227269: Slow class loading when running with JDWP
+ JDK-8229899: Make java.io.File.isInvalid() less racy
+ JDK-8236996: Incorrect Roboto font rendering on Windows with
subpixel antialiasing
+ JDK-8241750: x86_32 build failure after JDK-8227269
+ JDK-8244407: JVM crashes after transformation in C2
IdealLoopTree::split_fall_in
+ JDK-8244843: JapanEraNameCompatTest fails
* Import of OpenJDK 8 u262 build 06
+ JDK-8246223: Windows build fails after JDK-8227269
* Import of OpenJDK 8 u262 build 07
+ JDK-8233197: Invert JvmtiExport::post_vm_initialized() and
Jfr:on_vm_start() start-up order for correct option parsing
+ JDK-8243541: (tz) Upgrade time-zone data to tzdata2020a
+ JDK-8245167: Top package in method profiling shows null in JMC
+ JDK-8246703: [TESTBUG] Add test for JDK-8233197
* Import of OpenJDK 8 u262 build 08
+ JDK-8220293: Deadlock in JFR string pool
+ JDK-8225068: Remove DocuSign root certificate that is
expiring in May 2020
+ JDK-8225069: Remove Comodo root certificate that is expiring
in May 2020
* Import of OpenJDK 8 u262 build 09
+ JDK-8248399: Build installs jfr binary when JFR is disabled
* Import of OpenJDK 8 u262 build 10
+ JDK-8248715: New JavaTimeSupplementary localisation for 'in'
installed in wrong package
* Import of OpenJDK 8 u265 build 01
+ JDK-8249677: Regression in 8u after JDK-8237117: Better
ForkJoinPool behavior
+ JDK-8250546: Expect changed behaviour reported in JDK-8249846
* Import of OpenJDK 8 u272 build 01
+ JDK-8006205: [TESTBUG] NEED_TEST: please JTREGIFY
test/compiler/7177917/Test7177917.java
+ JDK-8035493: JVMTI PopFrame capability must instruct
compilers not to prune locals
+ JDK-8036088: Replace strtok() with its safe equivalent
strtok_s() in DefaultProxySelector.c
+ JDK-8039082: [TEST_BUG] Test java/awt/dnd/
/BadSerializationTest/BadSerializationTest.java fails
+ JDK-8075774: Small readability and performance improvements
for zipfs
+ JDK-8132206: move ScanTest.java into OpenJDK
+ JDK-8132376: Add @requires os.family to the client tests with
access to internal OS-specific API
+ JDK-8132745: minor cleanup of java/util/Scanner/ScanTest.java
+ JDK-8137087: [TEST_BUG] Cygwin failure of java/awt/
/appletviewer/IOExceptionIfEncodedURLTest/
/IOExceptionIfEncodedURLTest.sh
+ JDK-8145808: java/awt/Graphics2D/MTGraphicsAccessTest/
/MTGraphicsAccessTest.java hangs on Win. 8
+ JDK-8151788: NullPointerException from ntlm.Client.type3
+ JDK-8151834: Test SmallPrimeExponentP.java times out
intermittently
+ JDK-8153430: jdk regression test MletParserLocaleTest,
ParserInfiniteLoopTest reduce default timeout
+ JDK-8153583: Make OutputAnalyzer.reportDiagnosticSummary
public
+ JDK-8156169: Some sound tests rarely hangs because of
incorrect synchronization
+ JDK-8165936: Potential Heap buffer overflow when seaching
timezone info files
+ JDK-8166148: Fix for JDK-8165936 broke solaris builds
+ JDK-8167300: Scheduling failures during gcm should be fatal
+ JDK-8167615: Opensource unit/regression tests for JavaSound
+ JDK-8172012: [TEST_BUG] delays needed in
javax/swing/JTree/4633594/bug4633594.java
+ JDK-8177628: Opensource unit/regression tests for ImageIO
+ JDK-8183341: Better cleanup for javax/imageio/AllowSearch.java
+ JDK-8183351: Better cleanup for jdk/test/javax/imageio/spi/
/AppletContextTest/BadPluginConfigurationTest.sh
+ JDK-8193137: Nashorn crashes when given an empty script file
+ JDK-8194298: Add support for per Socket configuration of TCP
keepalive
+ JDK-8198004: javax/swing/JFileChooser/6868611/bug6868611.java
throws error
+ JDK-8200313: java/awt/Gtk/GtkVersionTest/GtkVersionTest.java
fails
+ JDK-8210147: adjust some WSAGetLastError usages in windows
network coding
+ JDK-8211714: Need to update vm_version.cpp to recognise
VS2017 minor versions
+ JDK-8214862: assert(proj != __null) at compile.cpp:3251
+ JDK-8217606: LdapContext#reconnect always opens a new
connection
+ JDK-8217647: JFR: recordings on 32-bit systems unreadable
+ JDK-8226697: Several tests which need the @key headful
keyword are missing it.
+ JDK-8229378: jdwp library loader in linker_md.c quietly
truncates on buffer overflow
+ JDK-8230303: JDB hangs when running monitor command
+ JDK-8230711: ConnectionGraph::unique_java_object(Node* N)
return NULL if n is not in the CG
+ JDK-8234617: C1: Incorrect result of field load due to
missing narrowing conversion
+ JDK-8235243: handle VS2017 15.9 and VS2019 in
abstract_vm_version
+ JDK-8235325: build failure on Linux after 8235243
+ JDK-8235687: Contents/MacOS/libjli.dylib cannot be a symlink
+ JDK-8237951: CTW: C2 compilation fails with 'malformed
control flow'
+ JDK-8238225: Issues reported after replacing symlink at
Contents/MacOS/libjli.dylib with binary
+ JDK-8239385: KerberosTicket client name refers wrongly to
sAMAccountName in AD
+ JDK-8239819: XToolkit: Misread of screen information memory
+ JDK-8240295: hs_err elapsed time in seconds is not accurate
enough
+ JDK-8241888: Mirror jdk.security.allowNonCaAnchor system
property with a security one
+ JDK-8242498: Invalid 'sun.awt.TimedWindowEvent' object leads
to JVM crash
+ JDK-8243489: Thread CPU Load event may contain wrong data for
CPU time under certain conditions
+ JDK-8244818: Java2D Queue Flusher crash while moving
application window to external monitor
+ JDK-8246310: Clean commented-out code about ModuleEntry
and PackageEntry in JFR
+ JDK-8246384: Enable JFR by default on supported architectures
for October 2020 release
+ JDK-8248643: Remove extra leading space in JDK-8240295 8u
backport
+ JDK-8249610: Make
sun.security.krb5.Config.getBooleanObject(String... keys)
method public
* Import of OpenJDK 8 u272 build 02
+ JDK-8023697: failed class resolution reports different class
name in detail message for the first and subsequent times
+ JDK-8025886: replace [[ and == bash extensions in regtest
+ JDK-8046274: Removing dependency on jakarta-regexp
+ JDK-8048933: -XX:+TraceExceptions output should include the
message
+ JDK-8076151: [TESTBUG] Test java/awt/FontClass/CreateFont/
/fileaccess/FontFile.java fails
+ JDK-8148854: Class names 'SomeClass' and 'LSomeClass;'
treated by JVM as an equivalent
+ JDK-8154313: Generated javadoc scattered all over the place
+ JDK-8163251: Hard coded loop limit prevents reading of smart
card data greater than 8k
+ JDK-8173300: [TESTBUG]compiler/tiered/NonTieredLevelsTest.java
fails with compiler.whitebox.SimpleTestCaseHelper(int) must be
compiled
+ JDK-8183349: Better cleanup for jdk/test/javax/imageio/
/plugins/shared/CanWriteSequence.java and WriteAfterAbort.java
+ JDK-8191678: [TESTBUG] Add keyword headful in java/awt
FocusTransitionTest test.
+ JDK-8201633: Problems with AES-GCM native acceleration
+ JDK-8211049: Second parameter of 'initialize' method is not
used
+ JDK-8219566: JFR did not collect call stacks when
MaxJavaStackTraceDepth is set to zero
+ JDK-8220165: Encryption using GCM results in
RuntimeException- input length out of bound
+ JDK-8220555: JFR tool shows potentially misleading message
when it cannot access a file
+ JDK-8224217: RecordingInfo should use textual representation
of path
+ JDK-8231779: crash
HeapWord*ParallelScavengeHeap::failed_mem_allocate
+ JDK-8238380, PR3798: java.base/unix/native/libjava/childproc.c
'multiple definition' link errors with GCC10
+ JDK-8238386, PR3798: (sctp) jdk.sctp/unix/native/libsctp/
/SctpNet.c 'multiple definition' link errors with GCC10
+ JDK-8238388, PR3798: libj2gss/NativeFunc.o 'multiple
definition' link errors with GCC10
+ JDK-8242556: Cannot load RSASSA-PSS public key with non-null
params from byte array
+ JDK-8250755: Better cleanup for jdk/test/javax/imageio/
/plugins/shared/CanWriteSequence.java
* Import of OpenJDK 8 u272 build 03
+ JDK-6574989: TEST_BUG:
javax/sound/sampled/Clip/bug5070081.java fails sometimes
+ JDK-8148754: C2 loop unrolling fails due to unexpected graph
shape
+ JDK-8192953: sun/management/jmxremote/bootstrap/*.sh tests
fail with error : revokeall.exe: Permission denied
+ JDK-8203357: Container Metrics
+ JDK-8209113: Use WeakReference for lastFontStrike for created
Fonts
+ JDK-8216283: Allow shorter method sampling interval than 10 ms
+ JDK-8221569: JFR tool produces incorrect output when both
--categories and --events are specified
+ JDK-8233097: Fontmetrics for large Fonts has zero width
+ JDK-8248851: CMS: Missing memory fences between free chunk
check and klass read
+ JDK-8250875: Incorrect parameter type for update_number in
JDK_Version::jdk_update
* Import of OpenJDK 8 u272 build 04
+ JDK-8061616: HotspotDiagnosticMXBean.getVMOption() throws
IllegalArgumentException for flags of type double
+ JDK-8177334: Update xmldsig implementation to Apache
Santuario 2.1.1
+ JDK-8217878: ENVELOPING XML signature no longer works in JDK
11
+ JDK-8218629: XML Digital Signature throws NAMESPACE_ERR
exception on OpenJDK 11, works 8/9/10
+ JDK-8243138: Enhance BaseLdapServer to support starttls
extended request
* Import of OpenJDK 8 u272 build 05
+ JDK-8026236: Add PrimeTest for BigInteger
+ JDK-8057003: Large reference arrays cause extremely long
synchronization times
+ JDK-8060721: Test runtime/SharedArchiveFile/
/LimitSharedSizes.java fails in jdk 9 fcs new
platforms/compiler
+ JDK-8152077: (cal) Calendar.roll does not always roll the
hours during daylight savings
+ JDK-8168517: java/lang/ProcessBuilder/Basic.java failed
+ JDK-8211163: UNIX version of Java_java_io_Console_echo does
not return a clean boolean
+ JDK-8220674: [TESTBUG] MetricsMemoryTester failcount test in
docker container only works with debug JVMs
+ JDK-8231213: Migrate SimpleDateFormatConstTest to JDK Repo
+ JDK-8236645: JDK 8u231 introduces a regression with
incompatible handling of XML messages
+ JDK-8240676: Meet not symmetric failure when running lucene
on jdk8
+ JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA
program
+ JDK-8249158: THREAD_START and THREAD_END event posted in
primordial phase
+ JDK-8250627: Use -XX:+/-UseContainerSupport for
enabling/disabling Java container metrics
+ JDK-8251546: 8u backport of JDK-8194298 breaks AIX and
Solaris builds
+ JDK-8252084: Minimal VM fails to bootcycle: undefined symbol:
AgeTableTracer::is_tenuring_distribution_event_enabled
* Import of OpenJDK 8 u272 build 06
+ JDK-8064319: Need to enable -XX:+TraceExceptions in release
builds
+ JDK-8080462, PR3801: Update SunPKCS11 provider with PKCS11
v2.40 support
+ JDK-8160768: Add capability to custom resolve host/domain
names within the default JNDI LDAP provider
+ JDK-8161973: PKIXRevocationChecker.getSoftFailExceptions()
not working
+ JDK-8169925, PR3801: PKCS #11 Cryptographic Token Interface
license
+ JDK-8184762: ZapStackSegments should use optimized memset
+ JDK-8193234: When using -Xcheck:jni an internally allocated
buffer can leak
+ JDK-8219919: RuntimeStub name lost with
PrintFrameConverterAssembly
+ JDK-8220313: [TESTBUG] Update base image for Docker testing
to OL 7.6
+ JDK-8222079: Don't use memset to initialize fields decode_env
constructor in disassembler.cpp
+ JDK-8225695: 32-bit build failures after JDK-8080462 (Update
SunPKCS11 provider with PKCS11 v2.40 support)
+ JDK-8226575: OperatingSystemMXBean should be made container
aware
+ JDK-8226809: Circular reference in printed stack trace is not
correctly indented & ambiguous
+ JDK-8228835: Memory leak in PKCS11 provider when using AES GCM
+ JDK-8233621: Mismatch in jsse.enableMFLNExtension property
name
+ JDK-8238898, PR3801: Missing hash characters for header on
license file
+ JDK-8243320: Add SSL root certificates to Oracle Root CA
program
+ JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest
release 1.8.26
+ JDK-8245467: Remove 8u TLSv1.2 implementation files
+ JDK-8245469: Remove DTLS protocol implementation
+ JDK-8245470: Fix JDK8 compatibility issues
+ JDK-8245471: Revert JDK-8148188
+ JDK-8245472: Backport JDK-8038893 to JDK8
+ JDK-8245473: OCSP stapling support
+ JDK-8245474: Add TLS_KRB5 cipher suites support according to
RFC-2712
+ JDK-8245476: Disable TLSv1.3 protocol in the ClientHello
message by default
+ JDK-8245477: Adjust TLS tests location
+ JDK-8245653: Remove 8u TLS tests
+ JDK-8245681: Add TLSv1.3 regression test from 11.0.7
+ JDK-8251117: Cannot check P11Key size in P11Cipher and
P11AEADCipher
+ JDK-8251120, PR3793: [8u] HotSpot build assumes ENABLE_JFR is
set to either true or false
+ JDK-8251341: Minimal Java specification change
+ JDK-8251478: Backport TLSv1.3 regression tests to JDK8u
* Import of OpenJDK 8 u272 build 07
+ JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ
* Import of OpenJDK 8 u272 build 08
+ JDK-8062947: Fix exception message to correctly represent
LDAP connection failure
+ JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed
due to timeout on DeadServerNoTimeoutTest is incorrect
+ JDK-8252573: 8u: Windows build failed after 8222079 backport
* Import of OpenJDK 8 u272 build 09
+ JDK-8252886: [TESTBUG] sun/security/ec/TestEC.java :
Compilation failed
* Import of OpenJDK 8 u272 build 10
+ JDK-8254673: Call to JvmtiExport::post_vm_start() was removed
by the fix for JDK-8249158
+ JDK-8254937: Revert JDK-8148854 for 8u272
* Backports
+ JDK-8038723, PR3806: Openup some PrinterJob tests
+ JDK-8041480, PR3806: ArrayIndexOutOfBoundsException when
JTable contains certain string
+ JDK-8058779, PR3805: Faster implementation of
String.replace(CharSequence, CharSequence)
+ JDK-8130125, PR3806: [TEST_BUG] add @modules to the several
client tests unaffected by the automated bulk update
+ JDK-8144015, PR3806: [PIT] failures of text layout font tests
+ JDK-8144023, PR3806: [PIT] failure of text measurements in
javax/swing/text/html/parser/Parser/6836089/bug6836089.java
+ JDK-8144240, PR3806: [macosx][PIT] AIOOB in
closed/javax/swing/text/GlyphPainter2/6427244/bug6427244.java
+ JDK-8145542, PR3806: The case failed automatically and thrown
java.lang.ArrayIndexOutOfBoundsException exception
+ JDK-8151725, PR3806: [macosx] ArrayIndexOOB exception when
displaying Devanagari text in JEditorPane
+ JDK-8152358, PR3800: code and comment cleanups found during
the hunt for 8077392
+ JDK-8152545, PR3804: Use preprocessor instead of compiling a
program to generate native nio constants
+ JDK-8152680, PR3806: Regression in
GlyphVector.getGlyphCharIndex behaviour
+ JDK-8158924, PR3806: Incorrect i18n text document layout
+ JDK-8166003, PR3806: [PIT][TEST_BUG] missing helper for
javax/swing/text/GlyphPainter2/6427244/bug6427244.java
+ JDK-8166068, PR3806: test/java/awt/font/GlyphVector/
/GetGlyphCharIndexTest.java does not compile
+ JDK-8169879, PR3806: [TEST_BUG] javax/swing/text/
/GlyphPainter2/6427244/bug6427244.java - compilation failed
+ JDK-8191512, PR3806: T2K font rasterizer code removal
+ JDK-8191522, PR3806: Remove Bigelow&Holmes Lucida fonts from
JDK sources
+ JDK-8236512, PR3801: PKCS11 Connection closed after
Cipher.doFinal and NoPadding
+ JDK-8254177, PR3809: (tz) Upgrade time-zone data to
tzdata2020b
* Bug fixes
+ PR3798: Fix format-overflow error on GCC 10, caused by
passing NULL to a '%s' directive
+ PR3795: ECDSAUtils for XML digital signatures should support
the same curve set as the rest of the JDK
+ PR3799: Adapt elliptic curve patches to JDK-8245468: Add
TLSv1.3 implementation classes from 11.0.7
+ PR3808: IcedTea does not install the JFR *.jfc files
+ PR3810: Enable JFR on x86 (32-bit) now that JDK-8252096 has
fixed its use with Shenandoah
+ PR3811: Don't attempt to install JFR files when JFR is
disabled
* Shenandoah
+ [backport] 8221435: Shenandoah should not mark through weak
roots
+ [backport] 8221629: Shenandoah: Cleanup class unloading logic
+ [backport] 8222992: Shenandoah: Pre-evacuate all roots
+ [backport] 8223215: Shenandoah: Support verifying subset of
roots
+ [backport] 8223774: Shenandoah: Refactor
ShenandoahRootProcessor and family
+ [backport] 8224210: Shenandoah: Refactor
ShenandoahRootScanner to support scanning CSet codecache roots
+ [backport] 8224508: Shenandoah: Need to update thread roots
in final mark for piggyback ref update cycle
+ [backport] 8224579: ResourceMark not declared in
shenandoahRootProcessor.inline.hpp with
--disable-precompiled-headers
+ [backport] 8224679: Shenandoah: Make
ShenandoahParallelCodeCacheIterator noncopyable
+ [backport] 8224751: Shenandoah: Shenandoah Verifier should
select proper roots according to current GC cycle
+ [backport] 8225014: Separate ShenandoahRootScanner method for
object_iterate
+ [backport] 8225216: gc/logging/TestMetaSpaceLog.java doesn't
work for Shenandoah
+ [backport] 8225573: Shenandoah: Enhance ShenandoahVerifier to
ensure roots to-space invariant
+ [backport] 8225590: Shenandoah: Refactor
ShenandoahClassLoaderDataRoots API
+ [backport] 8226413: Shenandoah: Separate root scanner for
SH::object_iterate()
+ [backport] 8230853: Shenandoah: replace leftover
assert(is_in(...)) with rich asserts
+ [backport] 8231198: Shenandoah: heap walking should visit all
roots most of the time
+ [backport] 8231244: Shenandoah: all-roots heap walking misses
some weak roots
+ [backport] 8237632: Shenandoah: accept NULL fwdptr to
cooperate with JVMTI and JFR
+ [backport] 8239786: Shenandoah: print per-cycle statistics
+ [backport] 8239926: Shenandoah: Shenandoah needs to mark
nmethod's metadata
+ [backport] 8240671: Shenandoah: refactor
ShenandoahPhaseTimings
+ [backport] 8240749: Shenandoah: refactor ShenandoahUtils
+ [backport] 8240750: Shenandoah: remove leftover files and
mentions of ShenandoahAllocTracker
+ [backport] 8240868: Shenandoah: remove CM-with-UR
piggybacking cycles
+ [backport] 8240872: Shenandoah: Avoid updating new regions
from start of evacuation
+ [backport] 8240873: Shenandoah: Short-cut arraycopy barriers
+ [backport] 8240915: Shenandoah: Remove unused fields in init
mark tasks
+ [backport] 8240948: Shenandoah: cleanup not-forwarded-objects
paths after JDK-8240868
+ [backport] 8241007: Shenandoah: remove
ShenandoahCriticalControlThreadPriority support
+ [backport] 8241062: Shenandoah: rich asserts trigger 'empty
statement' inspection
+ [backport] 8241081: Shenandoah: Do not modify
update-watermark concurrently
+ [backport] 8241093: Shenandoah: editorial changes in flag
descriptions
+ [backport] 8241139: Shenandoah: distribute mark-compact work
exactly to minimize fragmentation
+ [backport] 8241142: Shenandoah: should not use parallel
reference processing with single GC thread
+ [backport] 8241351: Shenandoah: fragmentation metrics overhaul
+ [backport] 8241435: Shenandoah: avoid disabling pacing with
'aggressive'
+ [backport] 8241520: Shenandoah: simplify region sequence
numbers handling
+ [backport] 8241534: Shenandoah: region status should include
update watermark
+ [backport] 8241574: Shenandoah: remove
ShenandoahAssertToSpaceClosure
+ [backport] 8241583: Shenandoah: turn heap lock asserts into
macros
+ [backport] 8241668: Shenandoah: make ShenandoahHeapRegion not
derive from ContiguousSpace
+ [backport] 8241673: Shenandoah: refactor anti-false-sharing
padding
+ [backport] 8241675: Shenandoah: assert(n->outcnt() > 0) at
shenandoahSupport.cpp:2858 with
java/util/Collections/FindSubList.java
+ [backport] 8241692: Shenandoah: remove
ShenandoahHeapRegion::_reserved
+ [backport] 8241700: Shenandoah: Fold
ShenandoahKeepAliveBarrier flag into ShenandoahSATBBarrier
+ [backport] 8241740: Shenandoah: remove
ShenandoahHeapRegion::_heap
+ [backport] 8241743: Shenandoah: refactor and inline
ShenandoahHeap::heap()
+ [backport] 8241748: Shenandoah: inline MarkingContext TAMS
methods
+ [backport] 8241838: Shenandoah: no need to trash cset during
final mark
+ [backport] 8241841: Shenandoah: ditch one of allocation type
counters in ShenandoahHeapRegion
+ [backport] 8241842: Shenandoah: inline
ShenandoahHeapRegion::region_number
+ [backport] 8241844: Shenandoah: rename
ShenandoahHeapRegion::region_number
+ [backport] 8241845: Shenandoah: align ShenandoahHeapRegions
to cache lines
+ [backport] 8241926: Shenandoah: only print heap changes for
operations that directly affect it
+ [backport] 8241983: Shenandoah: simplify FreeSet logging
+ [backport] 8241985: Shenandoah: simplify collectable garbage
logging
+ [backport] 8242040: Shenandoah: print allocation failure type
+ [backport] 8242041: Shenandoah: adaptive heuristics should
account evac reserve in free target
+ [backport] 8242042: Shenandoah: tune down
ShenandoahGarbageThreshold
+ [backport] 8242054: Shenandoah: New incremental-update mode
+ [backport] 8242075: Shenandoah: rename
ShenandoahHeapRegionSize flag
+ [backport] 8242082: Shenandoah: Purge Traversal mode
+ [backport] 8242083: Shenandoah: split 'Prepare Evacuation'
tracking into cset/freeset counters
+ [backport] 8242089: Shenandoah: per-worker stats should be
summed up, not averaged
+ [backport] 8242101: Shenandoah: coalesce and parallelise heap
region walks during the pauses
+ [backport] 8242114: Shenandoah: remove
ShenandoahHeapRegion::reset_alloc_metadata_to_shared
+ [backport] 8242130: Shenandoah: Simplify arraycopy-barrier
dispatching
+ [backport] 8242211: Shenandoah: remove
ShenandoahHeuristics::RegionData::_seqnum_last_alloc
+ [backport] 8242212: Shenandoah: initialize
ShenandoahHeuristics::_region_data eagerly
+ [backport] 8242213: Shenandoah: remove
ShenandoahHeuristics::_bytes_in_cset
+ [backport] 8242217: Shenandoah: Enable GC mode to be
diagnostic/experimental and have a name
+ [backport] 8242227: Shenandoah: transit regions to cset state
when adding to collection set
+ [backport] 8242228: Shenandoah: remove unused
ShenandoahCollectionSet methods
+ [backport] 8242229: Shenandoah: inline ShenandoahHeapRegion
liveness-related methods
+ [backport] 8242267: Shenandoah: regions space needs to be
aligned by os::vm_allocation_granularity()
+ [backport] 8242271: Shenandoah: add test to verify GC mode
unlock
+ [backport] 8242273: Shenandoah: accept either SATB or IU
barriers, but not both
+ [backport] 8242301: Shenandoah: Inline LRB runtime call
+ [backport] 8242316: Shenandoah: Turn NULL-check into assert
in SATB slow-path entry
+ [backport] 8242353: Shenandoah: micro-optimize region
liveness handling
+ [backport] 8242365: Shenandoah: use uint16_t instead of
jushort for liveness cache
+ [backport] 8242375: Shenandoah: Remove
ShenandoahHeuristic::record_gc_start/end methods
+ [backport] 8242641: Shenandoah: clear live data and update
TAMS optimistically
+ [backport] 8243238: Shenandoah: explicit GC request should
wait for a complete GC cycle
+ [backport] 8243301: Shenandoah: ditch
ShenandoahAllowMixedAllocs
+ [backport] 8243307: Shenandoah: remove
ShCollectionSet::live_data
+ [backport] 8243395: Shenandoah: demote guarantee in
ShenandoahPhaseTimings::record_workers_end
+ [backport] 8243463: Shenandoah: ditch total_pause counters
+ [backport] 8243464: Shenandoah: print statistic counters in
time order
+ [backport] 8243465: Shenandoah: ditch unused pause_other,
conc_other counters
+ [backport] 8243487: Shenandoah: make _num_phases illegal
phase type
+ [backport] 8243494: Shenandoah: set counters once per cycle
+ [backport] 8243573: Shenandoah: rename GCParPhases and
related code
+ [backport] 8243848: Shenandoah: Windows build fails after
JDK-8239786
+ [backport] 8244180: Shenandoah: carry Phase to
ShWorkerTimingsTracker explicitly
+ [backport] 8244200: Shenandoah: build breakages after
JDK-8241743
+ [backport] 8244226: Shenandoah: per-cycle statistics contain
worker data from previous cycles
+ [backport] 8244326: Shenandoah: global statistics should not
accept bogus samples
+ [backport] 8244509: Shenandoah: refactor
ShenandoahBarrierC2Support::test_* methods
+ [backport] 8244551: Shenandoah: Fix racy update of
update_watermark
+ [backport] 8244667: Shenandoah: SBC2Support::test_gc_state
takes loop for wrong control
+ [backport] 8244730: Shenandoah: gc/shenandoah/options/
/TestHeuristicsUnlock.java should only verify the heuristics
+ [backport] 8244732: Shenandoah: move heuristics code to
gc/shenandoah/heuristics
+ [backport] 8244737: Shenandoah: move mode code to
gc/shenandoah/mode
+ [backport] 8244739: Shenandoah: break superclass dependency
on ShenandoahNormalMode
+ [backport] 8244740: Shenandoah: rename ShenandoahNormalMode
to ShenandoahSATBMode
+ [backport] 8245461: Shenandoah: refine mode name()-s
+ [backport] 8245463: Shenandoah: refine ShenandoahPhaseTimings
constructor arguments
+ [backport] 8245464: Shenandoah: allocate collection set
bitmap at lower addresses
+ [backport] 8245465: Shenandoah: test_in_cset can use more
efficient encoding
+ [backport] 8245726: Shenandoah: lift/cleanup
ShenandoahHeuristics names and properties
+ [backport] 8245754: Shenandoah: ditch ShenandoahAlwaysPreTouch
+ [backport] 8245757: Shenandoah: AlwaysPreTouch should not
disable heap resizing or uncommits
+ [backport] 8245773: Shenandoah: Windows assertion failure
after JDK-8245464
+ [backport] 8245812: Shenandoah: compute root phase parallelism
+ [backport] 8245814: Shenandoah: reconsider format specifiers
for stats
+ [backport] 8245825: Shenandoah: Remove diagnostic flag
ShenandoahConcurrentScanCodeRoots
+ [backport] 8246162: Shenandoah: full GC does not mark code
roots when class unloading is off
+ [backport] 8247310: Shenandoah: pacer should not affect
interrupt status
+ [backport] 8247358: Shenandoah: reconsider free budget slice
for marking
+ [backport] 8247367: Shenandoah: pacer should wait on lock
instead of exponential backoff
+ [backport] 8247474: Shenandoah: Windows build warning after
JDK-8247310
+ [backport] 8247560: Shenandoah: heap iteration holds root
locks all the time
+ [backport] 8247593: Shenandoah: should not block pacing
reporters
+ [backport] 8247751: Shenandoah: options tests should run with
smaller heaps
+ [backport] 8247754: Shenandoah: mxbeans tests can be shorter
+ [backport] 8247757: Shenandoah: split heavy tests by
heuristics to improve parallelism
+ [backport] 8247860: Shenandoah: add update watermark line in
rich assert failure message
+ [backport] 8248041: Shenandoah: pre-Full GC root updates may
miss some roots
+ [backport] 8248652: Shenandoah: SATB buffer handling may
assume no forwarded objects
+ [backport] 8249560: Shenandoah: Fix racy GC request handling
+ [backport] 8249649: Shenandoah: provide per-cycle pacing stats
+ [backport] 8249801: Shenandoah: Clear soft-refs on requested
GC cycle
+ [backport] 8249953: Shenandoah: gc/shenandoah/mxbeans tests
should account for corner cases
+ Fix slowdebug build after JDK-8230853 backport
+ JDK-8252096: Shenandoah: adjust SerialPageShiftCount for
x86_32 and JFR
+ JDK-8252366: Shenandoah: revert/cleanup changes in
graphKit.cpp
+ Shenandoah: add JFR roots to root processor after JFR
integration
+ Shenandoah: add root statistics for string dedup table/queues
+ Shenandoah: enable low-frequency STW class unloading
+ Shenandoah: fix build failures after JDK-8244737 backport
+ Shenandoah: Fix build failure with +JFR -PCH
+ Shenandoah: fix forceful pacer claim
+ Shenandoah: fix formats in
ShenandoahStringSymbolTableUnlinkTask
+ Shenandoah: fix runtime linking failure due to non-compiled
shenandoahBarrierSetC1
+ Shenandoah: hook statistics printing to PrintGCDetails, not
PrintGC
+ Shenandoah: JNI weak roots are always cleared before Full GC
mark
+ Shenandoah: missing SystemDictionary roots in
ShenandoahHeapIterationRootScanner
+ Shenandoah: move barrier sets to their proper locations
+ Shenandoah: move parallelCleaning.* to shenandoah/
+ Shenandoah: pacer should use proper Atomics for intptr_t
+ Shenandoah: properly deallocates class loader metadata
+ Shenandoah: specialize String Table scans for better pause
performance
+ Shenandoah: Zero build fails after recent Atomic cleanup in
Pacer
* AArch64 port
+ JDK-8161072, PR3797: AArch64: jtreg
compiler/uncommontrap/TestDeoptOOM failure
+ JDK-8171537, PR3797: aarch64: compiler/c1/Test6849574.java
generates guarantee failure in C1
+ JDK-8183925, PR3797: [AArch64] Decouple crash protection from
watcher thread
+ JDK-8199712, PR3797: [AArch64] Flight Recorder
+ JDK-8203481, PR3797: Incorrect constraint for unextended_sp
in frame:safe_for_sender
+ JDK-8203699, PR3797: java/lang/invoke/SpecialInterfaceCall
fails with SIGILL on aarch64
+ JDK-8209413, PR3797: AArch64: NPE in clhsdb jstack command
+ JDK-8215961, PR3797: jdk/jfr/event/os/TestCPUInformation.java
fails on AArch64
+ JDK-8216989, PR3797:
CardTableBarrierSetAssembler::gen_write_ref_array_post_barrier()
does not check for zero length on AARCH64
+ JDK-8217368, PR3797: AArch64: C2 recursive stack locking
optimisation not triggered
+ JDK-8221658, PR3797: aarch64: add necessary predicate for
ubfx patterns
+ JDK-8237512, PR3797: AArch64: aarch64TestHook leaks a
BufferBlob
+ JDK-8246482, PR3797: Build failures with +JFR -PCH
+ JDK-8247979, PR3797: aarch64: missing side effect of killing
flags for clearArray_reg_reg
+ JDK-8248219, PR3797: aarch64: missing memory barrier in
fast_storefield and fast_accessfield
- Ignore whitespaces after the header or footer in PEM X.509 cert
(bsc#1171352)
ImportantSUSE bug 1171352SUSE bug 1174157SUSE bug 1177943CVE-2020-14556 at SUSECVE-2020-14556 at NVDCVE-2020-14577 at SUSECVE-2020-14577 at NVDCVE-2020-14578 at SUSECVE-2020-14578 at NVDCVE-2020-14579 at SUSECVE-2020-14579 at NVDCVE-2020-14581 at SUSECVE-2020-14581 at NVDCVE-2020-14583 at SUSECVE-2020-14583 at NVDCVE-2020-14593 at SUSECVE-2020-14593 at NVDCVE-2020-14621 at SUSECVE-2020-14621 at NVDCVE-2020-14779 at SUSECVE-2020-14779 at NVDCVE-2020-14781 at SUSECVE-2020-14781 at NVDCVE-2020-14782 at SUSECVE-2020-14782 at NVDCVE-2020-14792 at SUSECVE-2020-14792 at NVDCVE-2020-14796 at SUSECVE-2020-14796 at NVDCVE-2020-14797 at SUSECVE-2020-14797 at NVDCVE-2020-14798 at SUSECVE-2020-14798 at NVDCVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3 fixes the following issues:
- bsc#1177211 (CVE-2020-26116) no longer allowing special characters in the method parameter
of HTTPConnection.putrequest in httplib, stopping injection of headers.
ModerateSUSE bug 1177211CVE-2020-26116 at SUSECVE-2020-26116 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gcc10 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gcc10 fixes the following issues:
This update provides the GCC10 compiler suite and runtime libraries.
The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by
the gcc10 variants.
The new compiler variants are available with '-10' suffix, you can specify them
via:
CC=gcc-10
CXX=g++-10
or similar commands.
For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html
ModerateSUSE bug 1172798SUSE bug 1172846SUSE bug 1173972SUSE bug 1174753SUSE bug 1174817SUSE bug 1175168CVE-2020-13844 at SUSECVE-2020-13844 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ucode-intel (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ucode-intel fixes the following issues:
- Intel CPU Microcode updated to 20201027 prerelease
- CVE-2020-8695: Fixed Intel RAPL sidechannel attack (SGX) (bsc#1170446)
- CVE-2020-8698: Fixed Fast Store Forward Predictor INTEL-SA-00381 (bsc#1173594)
# New Platforms:
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| TGL | B1 | 06-8c-01/80 | | 00000068 | Core Gen11 Mobile
| CPX-SP | A1 | 06-55-0b/bf | | 0700001e | Xeon Scalable Gen3
| CML-H | R1 | 06-a5-02/20 | | 000000e0 | Core Gen10 Mobile
| CML-S62 | G1 | 06-a5-03/22 | | 000000e0 | Core Gen10
| CML-S102 | Q0 | 06-a5-05/22 | | 000000e0 | Core Gen10
| CML-U62 V2 | K0 | 06-a6-01/80 | | 000000e0 | Core Gen10 Mobile
# Updated Platforms:
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| GKL-R | R0 | 06-7a-08/01 | 00000016 | 00000018 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| SKL-U23e | K1 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| APL | D0 | 06-5c-09/03 | 00000038 | 00000040 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
| APL | E0 | 06-5c-0a/03 | 00000016 | 0000001e | Atom x5-E39xx
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000d6 | 000000e2 | Core Gen6; Xeon E3 v5
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3
| SKX-SP | B1 | 06-55-03/97 | 01000157 | 01000159 | Xeon Scalable
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable
| SKX-D | M1 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon D-21xx
| CLX-SP | B0 | 06-55-06/bf | 04002f01 | 04003003 | Xeon Scalable Gen2
| CLX-SP | B1 | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2
| ICL-U/Y | D1 | 06-7e-05/80 | 00000078 | 000000a0 | Core Gen10 Mobile
| AML-Y22 | H0 | 06-8e-09/10 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000d6 | 000000e0 | Core Gen8 Mobile
| WHL-U | W0 | 06-8e-0b/d0 | 000000d6 | 000000de | Core Gen8 Mobile
| AML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| CML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| WHL-U | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000d6 | 000000de | Core Gen7; Xeon E3 v6
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000d6 | 000000de | Core Gen8 Desktop, Mobile, Xeon E
| CFL-S | B0 | 06-9e-0b/02 | 000000d6 | 000000de | Core Gen8
| CFL-H/S | P0 | 06-9e-0c/22 | 000000d6 | 000000de | Core Gen9
| CFL-H | R0 | 06-9e-0d/22 | 000000d6 | 000000de | Core Gen9 Mobile
| CML-U62 | A0 | 06-a6-00/80 | 000000ca | 000000e0 | Core Gen10 Mobile
ModerateSUSE bug 1170446SUSE bug 1173594CVE-2020-8695 at SUSECVE-2020-8695 at NVDCVE-2020-8698 at SUSECVE-2020-8698 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for systemd (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for systemd fixes the following issues:
- CVE-2020-1712 (bsc#bsc#1162108)
Fix a heap use-after-free vulnerability, when asynchronous
Polkit queries were performed while handling Dbus messages. A local
unprivileged attacker could have abused this flaw to crash systemd services or
potentially execute code and elevate their privileges, by sending specially
crafted Dbus messages.
- Unconfirmed fix for prevent hanging of systemctl during restart. (bsc#1139459)
- Fix warnings thrown during package installation. (bsc#1154043)
- Fix for system-udevd prevent crash within OES2018. (bsc#1151506)
- Fragments of masked units ought not be considered for 'NeedDaemonReload'. (bsc#1156482)
- Wait for workers to finish when exiting. (bsc#1106383)
- Improve log message when inotify limit is reached. (bsc#1155574)
- Mention in the man pages that alias names are only effective after command 'systemctl enable'. (bsc#1151377)
- Introduce function for reading virtual files in 'sysfs' and 'procfs'. (bsc#1133495, bsc#1159814)
ImportantSUSE bug 1106383SUSE bug 1133495SUSE bug 1139459SUSE bug 1151377SUSE bug 1151506SUSE bug 1154043SUSE bug 1155574SUSE bug 1156482SUSE bug 1159814SUSE bug 1162108CVE-2020-1712 at SUSECVE-2020-1712 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_7_0-openjdk fixes the following issues:
- Update to 2.6.24 - OpenJDK 7u281 (October 2020 CPU, bsc#1177943)
* Security fixes
+ JDK-8233624: Enhance JNI linkage
+ JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
+ JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
+ JDK-8237995, CVE-2020-14782: Enhance certificate processing
+ JDK-8240124: Better VM Interning
+ JDK-8241114, CVE-2020-14792: Better range handling
+ JDK-8242680, CVE-2020-14796: Improved URI Support
+ JDK-8242685, CVE-2020-14797: Better Path Validation
+ JDK-8242695, CVE-2020-14798: Enhanced buffer support
+ JDK-8243302: Advanced class supports
+ JDK-8244136, CVE-2020-14803: Improved Buffer supports
+ JDK-8244479: Further constrain certificates
+ JDK-8244955: Additional Fix for JDK-8240124
+ JDK-8245407: Enhance zoning of times
+ JDK-8245412: Better class definitions
+ JDK-8245417: Improve certificate chain handling
+ JDK-8248574: Improve jpeg processing
+ JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
+ JDK-8253019: Enhanced JPEG decoding
* Import of OpenJDK 7 u281 build 1
+ JDK-8145096: Undefined behaviour in HotSpot
+ JDK-8215265: C2: range check elimination may allow illegal
out of bound access
* Backports
+ JDK-8250861, PR3812: Crash in MinINode::Ideal(PhaseGVN*, bool)
ImportantSUSE bug 1177943CVE-2020-14779 at SUSECVE-2020-14779 at NVDCVE-2020-14781 at SUSECVE-2020-14781 at NVDCVE-2020-14782 at SUSECVE-2020-14782 at NVDCVE-2020-14792 at SUSECVE-2020-14792 at NVDCVE-2020-14796 at SUSECVE-2020-14796 at NVDCVE-2020-14797 at SUSECVE-2020-14797 at NVDCVE-2020-14798 at SUSECVE-2020-14798 at NVDCVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openldap2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openldap2 fixes the following issues:
- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).
ImportantSUSE bug 1178387CVE-2020-25692 at SUSECVE-2020-25692 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.4.1 ESR
* Fixed: Security fix
MFSA 2020-49 (bsc#1178588)
* CVE-2020-26950 (bmo#1675905)
Write side effects in MCallGetProperty opcode not accounted
for
ImportantSUSE bug 1178588CVE-2020-26950 at SUSECVE-2020-26950 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql, postgresql96, postgresql10 and postgresql12 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update changes the internal packaging for postgresql, and so contains
all currently maintained postgresql versions across our SUSE Linux Enterprise 12
products.
* postgresql12 is shipped new in version 12.3 (bsc#1171924).
The server and client packages only on SUSE Linux Enterprise Server 12 SP5,
the libraries on SUSE Linux Enterprise Server 12 SP2 LTSS up to 12 SP5.
+ https://www.postgresql.org/about/news/2038/
+ https://www.postgresql.org/docs/12/release-12-3.html
* postgresql10 is updated to 10.13 (bsc#1171924).
On SUSE Linux Enterprise Server 12 SP2 LTSS up to 12 SP5.
+ https://www.postgresql.org/about/news/2038/
+ https://www.postgresql.org/docs/10/release-10-13.html
* postgresql96 is updated to 9.6.18 (bsc#1171924):
+ https://www.postgresql.org/about/news/2038/
+ https://www.postgresql.org/docs/9.6/release-9-6-18.html
On SUSE Linux Enterprise Server 12-SP2 and 12-SP3 LTSS only.
* postgresql 9.4 is updated to 9.4.26:
+ https://www.postgresql.org/about/news/2011/
+ https://www.postgresql.org/docs/9.4/release-9-4-26.html
+ https://www.postgresql.org/about/news/1994/
+ https://www.postgresql.org/docs/9.4/release-9-4-25.html
ModerateSUSE bug 1171924cpe:/o:suse:sles_teradata:12:sp3Security update for raptor (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for raptor fixes the following issues:
- Fixed a heap overflow vulnerability (bsc#1178593, CVE-2017-18926).
- Update raptor to version 2.0.15
* Made several fixes to Turtle / N-Triples family of parsers and serializers
* Added utility functions for re-entrant sorting of objects and sequences.
* Made other fixes and improvements including fixing reported issues:
0000574, 0000575, 0000576, 0000577, 0000579, 0000581 and 0000584.
ImportantSUSE bug 1178593CVE-2017-18926 at SUSECVE-2017-18926 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tcpdump (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tcpdump fixes the following issues:
- CVE-2020-8037: Fixed an issue where PPP decapsulator did not allocate the right buffer size (bsc#1178466).
The previous update of tcpdump already fixed variuous Buffer overflow/overread vulnerabilities [bsc#1153098, bsc#1153332]
- CVE-2017-16808 (AoE)
- CVE-2018-14468 (FrameRelay)
- CVE-2018-14469 (IKEv1)
- CVE-2018-14470 (BABEL)
- CVE-2018-14466 (AFS/RX)
- CVE-2018-14461 (LDP)
- CVE-2018-14462 (ICMP)
- CVE-2018-14465 (RSVP)
- CVE-2018-14464 (LMP)
- CVE-2019-15166 (LMP)
- CVE-2018-14880 (OSPF6)
- CVE-2018-14882 (RPL)
- CVE-2018-16227 (802.11)
- CVE-2018-16229 (DCCP)
- CVE-2018-14467 (BGP)
- CVE-2018-14881 (BGP)
- CVE-2018-16230 (BGP)
- CVE-2018-16300 (BGP)
- CVE-2018-14463 (VRRP)
- CVE-2019-15167 (VRRP)
- CVE-2018-14879 (tcpdump -V)
- CVE-2018-16228 (HNCP) is a duplicate of the already fixed CVE-2019-1010220
- CVE-2018-16301 (fixed in libpcap)
- CVE-2018-16451 (SMB)
- CVE-2018-16452 (SMB)
- CVE-2018-10103 (SMB - partially fixed, but SMB printing disabled)
- CVE-2018-10105 (SMB - too unreliably reproduced, SMB printing disabled)
ModerateSUSE bug 1153098SUSE bug 1153332SUSE bug 1178466CVE-2017-16808 at SUSECVE-2017-16808 at NVDCVE-2018-10103 at SUSECVE-2018-10103 at NVDCVE-2018-10105 at SUSECVE-2018-10105 at NVDCVE-2018-14461 at SUSECVE-2018-14461 at NVDCVE-2018-14462 at SUSECVE-2018-14462 at NVDCVE-2018-14463 at SUSECVE-2018-14463 at NVDCVE-2018-14464 at SUSECVE-2018-14464 at NVDCVE-2018-14465 at SUSECVE-2018-14465 at NVDCVE-2018-14466 at SUSECVE-2018-14466 at NVDCVE-2018-14467 at SUSECVE-2018-14467 at NVDCVE-2018-14468 at SUSECVE-2018-14468 at NVDCVE-2018-14469 at SUSECVE-2018-14469 at NVDCVE-2018-14470 at SUSECVE-2018-14470 at NVDCVE-2018-14879 at SUSECVE-2018-14879 at NVDCVE-2018-14880 at SUSECVE-2018-14880 at NVDCVE-2018-14881 at SUSECVE-2018-14881 at NVDCVE-2018-14882 at SUSECVE-2018-14882 at NVDCVE-2018-16227 at SUSECVE-2018-16227 at NVDCVE-2018-16228 at SUSECVE-2018-16228 at NVDCVE-2018-16229 at SUSECVE-2018-16229 at NVDCVE-2018-16230 at SUSECVE-2018-16230 at NVDCVE-2018-16300 at SUSECVE-2018-16300 at NVDCVE-2018-16301 at SUSECVE-2018-16301 at NVDCVE-2018-16451 at SUSECVE-2018-16451 at NVDCVE-2018-16452 at SUSECVE-2018-16452 at NVDCVE-2019-1010220 at SUSECVE-2019-1010220 at NVDCVE-2019-15166 at SUSECVE-2019-15166 at NVDCVE-2019-15167 at SUSECVE-2019-15167 at NVDCVE-2020-8037 at SUSECVE-2020-8037 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for krb5 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for krb5 fixes the following security issue:
- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).
ModerateSUSE bug 1178512CVE-2020-28196 at SUSECVE-2020-28196 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql10 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql10 fixes the following issues:
Upgrade to version 10.15:
* CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and
materialized view queries.
* CVE-2020-25694, bsc#1178667:
a) Fix usage of complex connection-string parameters in pg_dump,
pg_restore, clusterdb, reindexdb, and vacuumdb.
b) When psql's \connect command re-uses connection parameters,
ensure that all non-overridden parameters from a previous
connection string are re-used.
* CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from
modifying specially-treated variables.
* https://www.postgresql.org/about/news/2111/
* https://www.postgresql.org/docs/10/release-10-15.html
Update to 10.14:
* CVE-2020-14349, bsc#1175193: Set a secure search_path in
logical replication walsenders and apply workers
* CVE-2020-14350, bsc#1175194: Make contrib modules' installation
scripts more secure.
* https://www.postgresql.org/docs/10/release-10-14.html
ImportantSUSE bug 1175193SUSE bug 1175194SUSE bug 1178666SUSE bug 1178667SUSE bug 1178668CVE-2020-14349 at SUSECVE-2020-14349 at NVDCVE-2020-14350 at SUSECVE-2020-14350 at NVDCVE-2020-25694 at SUSECVE-2020-25694 at NVDCVE-2020-25695 at SUSECVE-2020-25695 at NVDCVE-2020-25696 at SUSECVE-2020-25696 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql96 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql96 fixes the following issues:
Upgrade to version 9.6.20:
* CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and
materialized view queries.
* CVE-2020-25694, bsc#1178667:
a) Fix usage of complex connection-string parameters in pg_dump,
pg_restore, clusterdb, reindexdb, and vacuumdb.
b) When psql's \connect command re-uses connection parameters,
ensure that all non-overridden parameters from a previous
connection string are re-used.
* CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from
modifying specially-treated variables.
* https://www.postgresql.org/about/news/2111/
* https://www.postgresql.org/docs/9.6/release-9-6-20.html
Changes from 9.6.19:
* CVE-2020-14350, bsc#1175194: Make contrib modules installation
ImportantSUSE bug 1175194SUSE bug 1178666SUSE bug 1178667SUSE bug 1178668CVE-2020-14350 at SUSECVE-2020-14350 at NVDCVE-2020-25694 at SUSECVE-2020-25694 at NVDCVE-2020-25695 at SUSECVE-2020-25695 at NVDCVE-2020-25696 at SUSECVE-2020-25696 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ucode-intel (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ucode-intel fixes the following issues:
- Updated Intel CPU Microcode to 20201118 official release. (bsc#1178971)
- Removed TGL/06-8c-01/80 due to functional issues with some OEM platforms.
- CVE-2020-8695: Fixed Intel RAPL sidechannel attack (SGX) INTEL-SA-00389 (bsc#1170446)
- CVE-2020-8698: Fixed Fast Store Forward Predictor INTEL-SA-00381 (bsc#1173594)
- CVE-2020-8696: Vector Register Sampling Active INTEL-SA-00381 (bsc#1173592)
- Release notes:
- Security updates for [INTEL-SA-00381](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00381.html).
- Security updates for [INTEL-SA-00389](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html).
- Update for functional issues. Refer to [Second Generation Intel? Xeon? Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/338848) for details.
- Update for functional issues. Refer to [Intel? Xeon? Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/613537) for details.
- Update for functional issues. Refer to [Intel? Xeon? Processor E5 v3 Product Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html?wapkw=processor+spec+update+e5) for details.
- Update for functional issues. Refer to [10th Gen Intel? Core™ Processor Families Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/10th-gen-core-families-specification-update.html) for details.
- Update for functional issues. Refer to [8th and 9th Gen Intel? Core™ Processor Family Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/8th-gen-core-spec-update.html) for details.
- Update for functional issues. Refer to [7th Gen and 8th Gen (U Quad-Core) Intel? Processor Families Specification Update](https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-spec-update.html) for details.
- Update for functional issues. Refer to [6th Gen Intel? Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/332689) for details.
- Update for functional issues. Refer to [Intel? Xeon? E3-1200 v6 Processor Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v6-spec-update.html) for details.
- Update for functional issues. Refer to [Intel? Xeon? E-2100 and E-2200 Processor Family Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-e-2100-specification-update.html) for details.
### New Platforms
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| CPX-SP | A1 | 06-55-0b/bf | | 0700001e | Xeon Scalable Gen3
| LKF | B2/B3 | 06-8a-01/10 | | 00000028 | Core w/Hybrid Technology
| TGL | B1 | 06-8c-01/80 | | 00000068 | Core Gen11 Mobile
| CML-H | R1 | 06-a5-02/20 | | 000000e0 | Core Gen10 Mobile
| CML-S62 | G1 | 06-a5-03/22 | | 000000e0 | Core Gen10
| CML-S102 | Q0 | 06-a5-05/22 | | 000000e0 | Core Gen10
| CML-U62 V2 | K0 | 06-a6-01/80 | | 000000e0 | Core Gen10 Mobile
### Updated Platforms
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| SKL-U23e | K1 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile
| SKX-SP | B1 | 06-55-03/97 | 01000157 | 01000159 | Xeon Scalable
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable
| SKX-D | M1 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon D-21xx
| CLX-SP | B0 | 06-55-06/bf | 04002f01 | 04003003 | Xeon Scalable Gen2
| CLX-SP | B1 | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2
| APL | D0 | 06-5c-09/03 | 00000038 | 00000040 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
| APL | E0 | 06-5c-0a/03 | 00000016 | 0000001e | Atom x5-E39xx
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000d6 | 000000e2 | Core Gen6; Xeon E3 v5
| GKL-R | R0 | 06-7a-08/01 | 00000016 | 00000018 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| ICL-U/Y | D1 | 06-7e-05/80 | 00000078 | 000000a0 | Core Gen10 Mobile
| AML-Y22 | H0 | 06-8e-09/10 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000d6 | 000000e0 | Core Gen8 Mobile
| WHL-U | W0 | 06-8e-0b/d0 | 000000d6 | 000000de | Core Gen8 Mobile
| AML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| CML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile
| WHL-U | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen8 Mobile
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000d6 | 000000de | Core Gen7; Xeon E3 v6
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000d6 | 000000de | Core Gen8 Desktop, Mobile, Xeon E
| CFL-S | B0 | 06-9e-0b/02 | 000000d6 | 000000de | Core Gen8
| CFL-H/S | P0 | 06-9e-0c/22 | 000000d6 | 000000de | Core Gen9
| CFL-H | R0 | 06-9e-0d/22 | 000000d6 | 000000de | Core Gen9 Mobile
| CML-U62 | A0 | 06-a6-00/80 | 000000ca | 000000e0 | Core Gen10 Mobile
ModerateSUSE bug 1170446SUSE bug 1173592SUSE bug 1173594SUSE bug 1178971CVE-2020-8695 at SUSECVE-2020-8695 at NVDCVE-2020-8696 at SUSECVE-2020-8696 at NVDCVE-2020-8698 at SUSECVE-2020-8698 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for bluez (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for bluez fixes the following issues:
- CVE-2020-0556: Fixed improper access control which may lead to escalation of privilege and denial of service by an unauthenticated user (bsc#1166751).
ImportantSUSE bug 1166751CVE-2020-0556 at SUSECVE-2020-0556 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.5.0 ESR (bsc#1178824)
* CVE-2020-26951: Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code
* CVE-2020-16012: Variable time processing of cross-origin images during drawImage calls
* CVE-2020-26953: Fullscreen could be enabled without displaying the security UI
* CVE-2020-26956: XSS through paste (manual and clipboard API)
* CVE-2020-26958: Requests intercepted through ServiceWorkers lacked MIME type restrictions
* CVE-2020-26959: Use-after-free in WebRequestService
* CVE-2020-26960: Potential use-after-free in uses of nsTArray
* CVE-2020-15999: Heap buffer overflow in freetype
* CVE-2020-26961: DoH did not filter IPv4 mapped IP Addresses
* CVE-2020-26965: Software keyboards may have remembered typed passwords
* CVE-2020-26966: Single-word search queries were also broadcast to local network
* CVE-2020-26968: Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5
ImportantSUSE bug 1178824CVE-2020-15999 at SUSECVE-2020-15999 at NVDCVE-2020-16012 at SUSECVE-2020-16012 at NVDCVE-2020-26951 at SUSECVE-2020-26951 at NVDCVE-2020-26953 at SUSECVE-2020-26953 at NVDCVE-2020-26956 at SUSECVE-2020-26956 at NVDCVE-2020-26958 at SUSECVE-2020-26958 at NVDCVE-2020-26959 at SUSECVE-2020-26959 at NVDCVE-2020-26960 at SUSECVE-2020-26960 at NVDCVE-2020-26961 at SUSECVE-2020-26961 at NVDCVE-2020-26965 at SUSECVE-2020-26965 at NVDCVE-2020-26966 at SUSECVE-2020-26966 at NVDCVE-2020-26968 at SUSECVE-2020-26968 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for LibVNCServer (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for LibVNCServer fixes the following issues:
- CVE-2020-25708 [bsc#1178682], libvncserver/rfbserver.c has a divide by zero which could result in DoS
ImportantSUSE bug 1178682CVE-2020-25708 at SUSECVE-2020-25708 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xorg-x11-server fixes the following issues:
- CVE-2020-25712: Fixed a heap-based buffer overflow which could have led to privilege escalation (bsc#1177596).
- CVE-2020-14360: Fixed an out of bounds memory accesses on too short request which could lead to denial of service (bsc#1174908).
ImportantSUSE bug 1174908SUSE bug 1177596CVE-2020-14360 at SUSECVE-2020-14360 at NVDCVE-2020-25712 at SUSECVE-2020-25712 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python-setuptools (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-setuptools fixes the following issues:
- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)
ImportantSUSE bug 1176262CVE-2019-20916 at SUSECVE-2019-20916 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3 fixes the following issues:
- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)
ImportantSUSE bug 1176262CVE-2019-20916 at SUSECVE-2019-20916 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gdm (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gdm fixes the following issues:
- CVE-2020-16125: Fixed a privilege escalation (bsc#1178150).
ImportantSUSE bug 1178150CVE-2020-16125 at SUSECVE-2020-16125 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python-cryptography (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-cryptography fixes the following issues:
- CVE-2020-25659: Attempted to mitigate Bleichenbacher attacks on RSA decryption (bsc#1178168).
ModerateSUSE bug 1178168CVE-2020-25659 at SUSECVE-2020-25659 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql12 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql12 fixes the following issues:
Upgrade to version 12.5:
* CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and
materialized view queries.
* CVE-2020-25694, bsc#1178667:
a) Fix usage of complex connection-string parameters in pg_dump,
pg_restore, clusterdb, reindexdb, and vacuumdb.
b) When psql's \connect command re-uses connection parameters,
ensure that all non-overridden parameters from a previous
connection string are re-used.
* CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from
modifying specially-treated variables.
* Fix recently-added timetz test case so it works when the USA
is not observing daylight savings time.
(obsoletes postgresql-timetz.patch)
* https://www.postgresql.org/about/news/2111/
* https://www.postgresql.org/docs/12/release-12-5.html
The previous postgresql12 update already addressed:
Update to 12.4:
* CVE-2020-14349, bsc#1175193: Set a secure search_path in logical replication walsenders and apply workers
* CVE-2020-14350, bsc#1175194: Make contrib modules' installation scripts more secure.
* https://www.postgresql.org/docs/12/release-12-4.html
ImportantSUSE bug 1175193SUSE bug 1175194SUSE bug 1178666SUSE bug 1178667SUSE bug 1178668CVE-2020-14349 at SUSECVE-2020-14349 at NVDCVE-2020-14350 at SUSECVE-2020-14350 at NVDCVE-2020-25694 at SUSECVE-2020-25694 at NVDCVE-2020-25695 at SUSECVE-2020-25695 at NVDCVE-2020-25696 at SUSECVE-2020-25696 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
- bsc#1178963 - stack corruption from XSA-346 change (XSA-355)
- bsc#1177409 - CVE-2020-27674: x86 PV guest INVLPG-like flushes may leave stale TLB entries (XSA-286)
- bsc#1177412 - CVE-2020-27672: Race condition in Xen mapping code (XSA-345)
- bsc#1177413 - CVE-2020-27671: undue deferral of IOMMU TLB flushes (XSA-346)
- bsc#1177414 - CVE-2020-27670: unsafe AMD IOMMU page table updates (XSA-347)
- bsc#1178591 - CVE-2020-28368: Intel RAPL sidechannel attack aka PLATYPUS attack aka XSA-351
ImportantSUSE bug 1177409SUSE bug 1177412SUSE bug 1177413SUSE bug 1177414SUSE bug 1178591SUSE bug 1178963CVE-2020-27670 at SUSECVE-2020-27670 at NVDCVE-2020-27671 at SUSECVE-2020-27671 at NVDCVE-2020-27672 at SUSECVE-2020-27672 at NVDCVE-2020-27674 at SUSECVE-2020-27674 at NVDCVE-2020-28368 at SUSECVE-2020-28368 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for mutt (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mutt fixes the following issues:
- Find and display the content of messages properly. (bsc#1179461)
- CVE-2020-28896: incomplete connection termination could send credentials over unencrypted connections. (bsc#1179035)
- Avoid that message with a million tiny parts can freeze MUA for several minutes. (bsc#1179113)
ImportantSUSE bug 1179035SUSE bug 1179113SUSE bug 1179461CVE-2020-28896 at SUSECVE-2020-28896 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for LibreOffice (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update libreoffice and libraries fixes the following issues:
LibreOffice was updated to 6.3.3 (jsc#SLE-8705), bringing many bug and stability fixes.
More information for the 6.3 release at: https://wiki.documentfoundation.org/ReleaseNotes/6.3
Security issue fixed:
- CVE-2019-9853: Fixed an issue where by executing macros, the security settings
could have been bypassed (bsc#1152684).
Other issues addressed:
- Dropped disable-kde4 switch, since it is no longer known by configure
- Disabled gtk2 because it will be removed in future releases
- librelogo is now a standalone sub-package (bsc#1144522).
- Partial fixes for an issue where Table(s) from DOCX showed wrong
position or color (bsc#1061210).
cmis-client was updated to 0.5.2:
* Removed header for Uuid's sha1 header(bsc#1105173).
* Fixed Google Drive login
* Added support for Google Drive two-factor authentication
* Fixed access to SharePoint root folder
* Limited the maximal number of redirections to 20
* Switched library implementation to C++11 (the API remains C++98-compatible)
* Fixed encoding of OAuth2 credentials
* Dropped cppcheck run from 'make check'. A new 'make cppcheck' target was created for it
* Added proper API symbol exporting
* Speeded up building of tests a bit
* Fixed a few issues found by coverity and cppcheck
libixion was updated to 0.15.0:
* Updated for new liborcus
* Switched to spdlog for compile-time debug log outputs
* Fixed various issues
libmwaw was updated 0.3.15:
* Fixed fuzzing issues
liborcus was updated to 0.15.3:
* Fixed various xml related bugs
* Improved performance
* Fixed multiple parser issues
* Added map and structure mode to orcus-json
* Other improvements and fixes
mdds was updated to 1.5.0:
* API changed to 1.5
* Moved the API incompatibility notes from README to the rst doc.
* Added the overview section for flat_segment_tree.
myspell-dictionaries was updated to 20191016:
* Updated Slovenian thesaurus
* Updated the da_DK dictionary
* Removed the abbreviations from Thai hunspell dictionary
* Updated the English dictionaries
* Fixed the logo management for 'ca'
spdlog was updated to 0.16.3:
* Fixed sleep issue under MSVC that happens when changing
the clock backwards
* Ensured that macros always expand to expressions
* Added global flush_on function
bluez changes:
* lib: Changed bluetooth.h to compile in strict C
gperf was updated to 3.1:
* The generated C code is now in ANSI-C by default.
* Added option --constants-prefix.
* Added declaration %define constants-prefix.
ModerateSUSE bug 1061210SUSE bug 1105173SUSE bug 1144522SUSE bug 1152684CVE-2019-9853 at SUSECVE-2019-9853 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for dbus-1 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for dbus-1 fixes the following issues:
Security issue fixed:
- CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which
could have allowed local attackers to bypass authentication (bsc#1137832).
ImportantSUSE bug 1137832CVE-2019-12749 at SUSECVE-2019-12749 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python36 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python36 fixes the following issues:
- CVE-2020-27619: Fixed an issue where the CJK codec tests call eval() on content retrieved via HTTP (bsc#1178009).
- CVE-2019-20916: Fixed a directory traversal in _download_http_url() (bsc#1176262).
- Build of python3 documentation is not independent on the version of Sphinx(bsc#1179630).
ImportantSUSE bug 1176262SUSE bug 1178009SUSE bug 1179630CVE-2019-20916 at SUSECVE-2019-20916 at NVDCVE-2020-27619 at SUSECVE-2020-27619 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openssl (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssl fixes the following issues:
- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).
ImportantSUSE bug 1179491CVE-2020-1971 at SUSECVE-2020-1971 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python fixes the following issues:
- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)
ImportantSUSE bug 1176262CVE-2019-20916 at SUSECVE-2019-20916 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for curl (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for curl fixes the following issues:
- CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398).
- CVE-2020-8231: Fixed an issue with trusting FTP PASV responses (bsc#1175109).
ModerateSUSE bug 1175109SUSE bug 1179398CVE-2020-8231 at SUSECVE-2020-8231 at NVDCVE-2020-8284 at SUSECVE-2020-8284 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 68.5.0 ESR
* CVE-2020-6796 (bmo#1610426)
Missing bounds check on shared memory read in the parent
process
* CVE-2020-6797 (bmo#1596668)
Extensions granted downloads.open permission could open
arbitrary applications on Mac OSX
* CVE-2020-6798 (bmo#1602944)
Incorrect parsing of template tag could result in JavaScript
injection
* CVE-2020-6799 (bmo#1606596)
Arbitrary code execution when opening pdf links from other
applications, when Firefox is configured as default pdf
reader
* CVE-2020-6800 (bmo#1595786, bmo#1596706, bmo#1598543,
bmo#1604851, bmo#1605777, bmo#1608580, bmo#1608785)
Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5
* Fixed: Fixed various issues opening files with spaces in
their path (bmo#1601905, bmo#1602726)
ImportantSUSE bug 1161799CVE-2020-6796 at SUSECVE-2020-6796 at NVDCVE-2020-6797 at SUSECVE-2020-6797 at NVDCVE-2020-6798 at SUSECVE-2020-6798 at NVDCVE-2020-6799 at SUSECVE-2020-6799 at NVDCVE-2020-6800 at SUSECVE-2020-6800 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ovmf (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ovmf fixes the following issues:
- CVE-2019-14584: Fixed a null dereference in AuthenticodeVerify() (bsc#1177789).
ModerateSUSE bug 1177789CVE-2019-14584 at SUSECVE-2019-14584 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for curl (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for curl fixes the following issue:
- CVE-2020-8285: Fixed an FTP wildcard stack overflow (bsc#1179399).
- CVE-2020-8284: Adjust trusting FTP PASV responses (bsc#1179398).
ModerateSUSE bug 1179398SUSE bug 1179399CVE-2020-8284 at SUSECVE-2020-8284 at NVDCVE-2020-8285 at SUSECVE-2020-8285 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Critical)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.6.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2020-55 (bsc#1180039)
* CVE-2020-16042 (bmo#1679003)
Operations on a BigInt could have caused uninitialized memory
to be exposed
* CVE-2020-26971 (bmo#1663466)
Heap buffer overflow in WebGL
* CVE-2020-26973 (bmo#1680084)
CSS Sanitizer performed incorrect sanitization
* CVE-2020-26974 (bmo#1681022)
Incorrect cast of StyleGenericFlexBasis resulted in a heap
use-after-free
* CVE-2020-26978 (bmo#1677047)
Internal network hosts could have been probed by a malicious
webpage
* CVE-2020-35111 (bmo#1657916)
The proxy.onRequest API did not catch view-source URLs
* CVE-2020-35112 (bmo#1661365)
Opening an extension-less download may have inadvertently
launched an executable instead
* CVE-2020-35113 (bmo#1664831, bmo#1673589)
Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6
CriticalSUSE bug 1180039CVE-2020-16042 at SUSECVE-2020-16042 at NVDCVE-2020-26971 at SUSECVE-2020-26971 at NVDCVE-2020-26973 at SUSECVE-2020-26973 at NVDCVE-2020-26974 at SUSECVE-2020-26974 at NVDCVE-2020-26978 at SUSECVE-2020-26978 at NVDCVE-2020-35111 at SUSECVE-2020-35111 at NVDCVE-2020-35112 at SUSECVE-2020-35112 at NVDCVE-2020-35113 at SUSECVE-2020-35113 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for PackageKit (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for PackageKit fixes the following issues:
- CVE-2020-16121: Fixed an information disclosure in InstallFiles, GetFilesLocal and GetDetailsLocal (bsc#1176930).
LowSUSE bug 1176930CVE-2020-16121 at SUSECVE-2020-16121 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for clamav (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for clamav fixes the following issues:
clamav was updated to 0.103.0 to implement jsc#ECO-3010 and bsc#1118459.
* clamd can now reload the signature database without blocking
scanning. This multi-threaded database reload improvement was made
possible thanks to a community effort.
- Non-blocking database reloads are now the default behavior. Some
systems that are more constrained on RAM may need to disable
non-blocking reloads as it will temporarily consume two times as
much memory. We added a new clamd config option
ConcurrentDatabaseReload, which may be set to no.
* Fix clamav-milter.service (requires clamd.service to run)
* bsc#1119353, clamav-fips.patch: Fix freshclam crash in FIPS mode.
* Partial sync with SLE15.
Update to version 0.102.4
Accumulated security fixes:
* CVE-2020-3350: Fix a vulnerability wherein a malicious user could
replace a scan target's directory with a symlink to another path
to trick clamscan, clamdscan, or clamonacc into removing or moving
a different file (eg. a critical system file). The issue would
affect users that use the --move or --remove options for clamscan,
clamdscan, and clamonacc. (bsc#1174255)
* CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing
module in ClamAV 0.102.3 that could cause a Denial-of-Service
(DoS) condition. Improper bounds checking results in an
out-of-bounds read which could cause a crash. The previous fix for
this CVE in 0.102.3 was incomplete. This fix correctly resolves
the issue.
* CVE-2020-3481: Fix a vulnerability in the EGG archive module in
ClamAV 0.102.0 - 0.102.3 could cause a Denial-of-Service (DoS)
condition. Improper error handling may result in a crash due to a
NULL pointer dereference. This vulnerability is mitigated for
those using the official ClamAV signature databases because the
file type signatures in daily.cvd will not enable the EGG archive
parser in versions affected by the vulnerability. (bsc#1174250)
* CVE-2020-3341: Fix a vulnerability in the PDF parsing module in
ClamAV 0.101 - 0.102.2 that could cause a Denial-of-Service (DoS)
condition. Improper size checking of a buffer used to initialize AES
decryption routines results in an out-of-bounds read which may cause
a crash. (bsc#1171981)
* CVE-2020-3123: A denial-of-service (DoS) condition may occur when
using the optional credit card data-loss-prevention (DLP) feature.
Improper bounds checking of an unsigned variable resulted in an
out-of-bounds read, which causes a crash.
* CVE-2019-15961: A Denial-of-Service (DoS) vulnerability may
occur when scanning a specially crafted email file as a result
of excessively long scan times. The issue is resolved by
implementing several maximums in parsing MIME messages and by
optimizing use of memory allocation. (bsc#1157763).
* CVE-2019-12900: An out of bounds write in the NSIS bzip2
(bsc#1149458)
* CVE-2019-12625: Introduce a configurable time limit to mitigate
zip bomb vulnerability completely. Default is 2 minutes,
configurable useing the clamscan --max-scantime and for clamd
using the MaxScanTime config option (bsc#1144504)
Update to version 0.101.3:
* ZIP bomb causes extreme CPU spikes (bsc#1144504)
Update to version 0.101.2 (bsc#1118459):
* Support for RAR v5 archive extraction.
* Incompatible changes to the arguments of cl_scandesc,
cl_scandesc_callback, and cl_scanmap_callback.
* Scanning options have been converted from a single flag
bit-field into a structure of multiple categorized flag
bit-fields.
* The CL_SCAN_HEURISTIC_ENCRYPTED scan option was replaced by
2 new scan options: CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE, and
CL_SCAN_HEURISTIC_ENCRYPTED_DOC
* Incompatible clamd.conf and command line interface changes.
* Heuristic Alerts' (aka 'Algorithmic Detection') options have
been changed to make the names more consistent. The original
options are deprecated in 0.101, and will be removed in a
future feature release.
* For details, see https://blog.clamav.net/2018/12/clamav-01010-has-been-released.html ImportantSUSE bug 1118459SUSE bug 1119353SUSE bug 1144504SUSE bug 1149458SUSE bug 1157763SUSE bug 1171981SUSE bug 1174250SUSE bug 1174255CVE-2019-12900 at SUSECVE-2019-12900 at NVDCVE-2019-15961 at SUSECVE-2019-15961 at NVDCVE-2020-3123 at SUSECVE-2020-3123 at NVDCVE-2020-3327 at SUSECVE-2020-3327 at NVDCVE-2020-3341 at SUSECVE-2020-3341 at NVDCVE-2020-3350 at SUSECVE-2020-3350 at NVDCVE-2020-3481 at SUSECVE-2020-3481 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openexr (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openexr fixes the following issues:
Security issues fixed:
- CVE-2020-16587: Fixed a heap-based buffer overflow in chunkOffsetReconstruction in ImfMultiPartInputFile.cpp (bsc#1179879).
- CVE-2020-16588: Fixed a null pointer deference in generatePreview (bsc#1179879).
- CVE-2020-16589: Fixed a heap-based buffer overflow in writeTileData in ImfTiledOutputFile.cpp (bsc#1179879).
ModerateSUSE bug 1179879CVE-2020-16587 at SUSECVE-2020-16587 at NVDCVE-2020-16588 at SUSECVE-2020-16588 at NVDCVE-2020-16589 at SUSECVE-2020-16589 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for cyrus-sasl (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for cyrus-sasl fixes the following issues:
- CVE-2019-19906: Fixed an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet (bsc#1159635).
ImportantSUSE bug 1159635CVE-2019-19906 at SUSECVE-2019-19906 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gcc9 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gcc9 fixes the following issues:
The GNU Compiler Collection is shipped in version 9.
A detailed changelog on what changed in GCC 9 is available at https://gcc.gnu.org/gcc-9/changes.html
The compilers have been added to the SUSE Linux Enterprise Toolchain Module.
To use these compilers, install e.g. gcc9, gcc9-c++ and build with CC=gcc-9
CXX=g++-9 set.
For SUSE Linux Enterprise base products, the libstdc++6, libgcc_s1 and
other compiler libraries have been switched from their gcc8 variants to
their gcc9 variants.
Security issues fixed:
- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)
Non-security issues fixed:
- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)
ModerateSUSE bug 1114592SUSE bug 1135254SUSE bug 1141897SUSE bug 1142649SUSE bug 1142654SUSE bug 1148517SUSE bug 1149145CVE-2019-14250 at SUSECVE-2019-14250 at NVDCVE-2019-15847 at SUSECVE-2019-15847 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xen (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
- CVE-2020-29480: Fixed an issue which could have allowed leak of non-sensitive data to administrator guests (bsc#117949 XSA-115).
- CVE-2020-29481: Fixed an issue which could have allowd to new domains to inherit existing node permissions (bsc#1179498 XSA-322).
- CVE-2020-29483: Fixed an issue where guests could disturb domain cleanup (bsc#1179502 XSA-325).
- CVE-2020-29484: Fixed an issue where guests could crash xenstored via watchs (bsc#1179501 XSA-324).
- CVE-2020-29566: Fixed an undue recursion in x86 HVM context switch code (bsc#1179506 XSA-348).
- CVE-2020-29570: Fixed an issue where FIFO event channels control block related ordering (bsc#1179514 XSA-358).
- CVE-2020-29571: Fixed an issue where FIFO event channels control structure ordering (bsc#1179516 XSA-359).
- CVE-2020-29130: Fixed an out-of-bounds access while processing ARP packets (bsc#1179477).
- Fixed an issue where dump-core shows missing nr_pages during core (bsc#1176782).
- Multiple other bugs (bsc#1027519)
ModerateSUSE bug 1027519SUSE bug 1176782SUSE bug 1179477SUSE bug 1179496SUSE bug 1179498SUSE bug 1179501SUSE bug 1179502SUSE bug 1179506SUSE bug 1179514SUSE bug 1179516CVE-2020-29130 at SUSECVE-2020-29130 at NVDCVE-2020-29480 at SUSECVE-2020-29480 at NVDCVE-2020-29481 at SUSECVE-2020-29481 at NVDCVE-2020-29483 at SUSECVE-2020-29483 at NVDCVE-2020-29484 at SUSECVE-2020-29484 at NVDCVE-2020-29566 at SUSECVE-2020-29566 at NVDCVE-2020-29570 at SUSECVE-2020-29570 at NVDCVE-2020-29571 at SUSECVE-2020-29571 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for sudo (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for sudo fixes the following issues:
Security issue fixed:
- CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202).
Non-security issue fixed:
- Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675).
ImportantSUSE bug 1162202SUSE bug 1162675CVE-2019-18634 at SUSECVE-2019-18634 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ImageMagick fixes the following issues:
Security issue fixed:
- CVE-2019-19948: Fixed a heap-based buffer overflow in WriteSGIImage() (bsc#1159861).
- CVE-2019-19949: Fixed a heap-based buffer over-read in WritePNGImage() (bsc#1160369).
Non-security issue fixed:
- Fixed an issue where converting tiff to png would lead to unviewable files (bsc#1161194).
ModerateSUSE bug 1159861SUSE bug 1160369SUSE bug 1161194CVE-2019-19948 at SUSECVE-2019-19948 at NVDCVE-2019-19949 at SUSECVE-2019-19949 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for dnsmasq (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for dnsmasq fixes the following issues:
Security issue fixed:
- CVE-2019-14834: Fixed a memory leak which could have allowed to remote attackers
to cause denial of service via DHCP response creation (bsc#1154849)
Other issue addressed:
- Removed cache size limit (bsc#1138743).
ModerateSUSE bug 1138743SUSE bug 1154849CVE-2019-14834 at SUSECVE-2019-14834 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_7_1-ibm fixes the following issues:
Java was updated to 7.1 Service Refresh 4 Fix Pack 60 [bsc#1162972, bsc#1160968].
Security issues fixed:
- CVE-2020-2583: Fixed a serialization vulnerability in BeanContextSupport (bsc#1162972).
- CVE-2020-2593: Fixed an incorrect check in isBuiltinStreamHandler, causing URL normalization issues (bsc#1162972).
- CVE-2020-2604: Fixed a serialization issue in jdk.serialFilter (bsc#1162972).
- CVE-2020-2659: Fixed the incomplete enforcement of the maxDatagramSockets limit in DatagramChannelImpl (bsc#1162972).
Non-security issues fixed:
* Class Libraries:
IJ22333 HANG IN JAVA_JAVA_NET_SOCKETINPUTSTREAM_SOCKETREAD0 EVEN
WHEN TIMEOUT IS SET
IJ22350 JAVA 7 AND JAVA 8 NOT WORKING WELL WITH TRADITIONAL/SIMPLIFIED
CHINESE EDITION OF WINDOWS CLIENT SYSTEM
IJ22337 THE NAME OF THE REPUBLIC OF BELARUS IN THE RUSSIAN LOCALE
INCONSISTENT WITH CLDR
IJ22349 UPDATE TIMEZONE INFORMATION TO TZDATA2019C
* JIT Compiler:
IJ11368 JAVA JIT PPC: CRASH IN JIT COMPILED CODE ON PPC MACHINES
ImportantSUSE bug 1160968SUSE bug 1162972CVE-2020-2583 at SUSECVE-2020-2583 at NVDCVE-2020-2593 at SUSECVE-2020-2593 at NVDCVE-2020-2604 at SUSECVE-2020-2604 at NVDCVE-2020-2659 at SUSECVE-2020-2659 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libexif (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libexif fixes the following issues:
- CVE-2019-9278: Fixed an integer overflow (bsc#1160770).
- CVE-2018-20030: Fixed a denial of service by endless recursion (bsc#1120943).
ModerateSUSE bug 1120943SUSE bug 1160770CVE-2018-20030 at SUSECVE-2018-20030 at NVDCVE-2019-9278 at SUSECVE-2019-9278 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libvpx (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libvpx fixes the following issues:
- CVE-2019-9232: Fixed an out of bound memory access (bsc#1160613).
- CVE-2019-9433: Fixdd a use-after-free in vp8_deblock() (bsc#1160614).
ModerateSUSE bug 1160613SUSE bug 1160614CVE-2019-9232 at SUSECVE-2019-9232 at NVDCVE-2019-9433 at SUSECVE-2019-9433 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssl fixes the following issues:
Security issue fixed:
- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).
Non-security issue fixed:
- Fixed a crash in BN_copy (bsc#1160163).
ModerateSUSE bug 1117951SUSE bug 1158809SUSE bug 1160163CVE-2019-1551 at SUSECVE-2019-1551 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ppp (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ppp fixes the following security issue:
- CVE-2020-8597: Fixed a buffer overflow in the eap_request and eap_response functions (bsc#1162610).
ImportantSUSE bug 1162610CVE-2020-8597 at SUSECVE-2020-8597 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ovmf (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ovmf fixes the following issues:
Security issues fixed:
- CVE-2019-14563: Fixed a memory corruption caused by insufficient numeric truncation (bsc#1163959).
- CVE-2019-14553: Fixed the TLS certification verification in HTTPS-over-IPv6 boot sequences (bsc#1153072).
- CVE-2019-14559: Fixed a remotely exploitable memory leak in the ARP handling code (bsc#1163927).
- CVE-2019-14575: Fixed an insufficient signature check in the DxeImageVerificationHandler (bsc#1163969).
- Enabled HTTPS-over-IPv6 (bsc#1153072).
ModerateSUSE bug 1153072SUSE bug 1163927SUSE bug 1163959SUSE bug 1163969CVE-2019-14553 at SUSECVE-2019-14553 at NVDCVE-2019-14559 at SUSECVE-2019-14559 at NVDCVE-2019-14563 at SUSECVE-2019-14563 at NVDCVE-2019-14575 at SUSECVE-2019-14575 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3 fixes the following issues:
Update to 3.4.10 (jsc#SLE-9427, bsc#1159208) from 3.4.6:
Security issues fixed:
- Update expat copy from 2.1.1 to 2.2.0 to fix the following issues:
CVE-2012-0876, CVE-2016-0718, CVE-2016-4472, CVE-2017-9233, CVE-2016-9063
- CVE-2017-1000158: Fix an integer overflow in thePyString_DecodeEscape function in stringobject.c, resulting in heap-based bufferoverflow (bsc#1068664).
ModerateSUSE bug 1068664SUSE bug 1159208SUSE bug 1159623CVE-2012-0876 at SUSECVE-2012-0876 at NVDCVE-2016-0718 at SUSECVE-2016-0718 at NVDCVE-2016-4472 at SUSECVE-2016-4472 at NVDCVE-2016-9063 at SUSECVE-2016-9063 at NVDCVE-2017-1000158 at SUSECVE-2017-1000158 at NVDCVE-2017-9233 at SUSECVE-2017-9233 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for mariadb (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mariadb fixes the following issues:
Security issue fixed:
- CVE-2019-2974: Fixed Server Optimizer (bsc#1154162).
ModerateSUSE bug 1154162CVE-2019-2974 at SUSECVE-2019-2974 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_7_1-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_7_1-ibm fixes the following issues:
- Update to 7.1 Service Refresh 4 Fix Pack 55 [bsc#1158442, bsc#1154212]
* Security fixes:
CVE-2019-2933 CVE-2019-2945 CVE-2019-2962 CVE-2019-2964
CVE-2019-2978 CVE-2019-2983 CVE-2019-2989 CVE-2019-2992
CVE-2019-2999 CVE-2019-2973 CVE-2019-2981
ModerateSUSE bug 1154212SUSE bug 1158442CVE-2019-2933 at SUSECVE-2019-2933 at NVDCVE-2019-2945 at SUSECVE-2019-2945 at NVDCVE-2019-2962 at SUSECVE-2019-2962 at NVDCVE-2019-2964 at SUSECVE-2019-2964 at NVDCVE-2019-2973 at SUSECVE-2019-2973 at NVDCVE-2019-2978 at SUSECVE-2019-2978 at NVDCVE-2019-2981 at SUSECVE-2019-2981 at NVDCVE-2019-2983 at SUSECVE-2019-2983 at NVDCVE-2019-2989 at SUSECVE-2019-2989 at NVDCVE-2019-2992 at SUSECVE-2019-2992 at NVDCVE-2019-2999 at SUSECVE-2019-2999 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for mariadb (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mariadb fixes the following issues:
MariaDB was updated to version 10.0.40-3 (bsc#1162388).
Security issues fixed:
- CVE-2020-2574: Fixed a difficult to exploit vulnerability that allowed an attacker to crash the client (bsc#1162388).
- CVE-2019-18901: Fixed an unsafe path handling behavior in mysql-systemd-helper (bsc#1160895).
ModerateSUSE bug 1077717SUSE bug 1160895SUSE bug 1160912SUSE bug 1162388CVE-2019-18901 at SUSECVE-2019-18901 at NVDCVE-2020-2574 at SUSECVE-2020-2574 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-ibm fixes the following issues:
Java 8.0 was updated to Service Refresh 6 Fix Pack 5 (bsc#1162972, bsc#1160968)
- CVE-2020-2583: Unlink Set of LinkedHashSets
- CVE-2019-4732: Untrusted DLL search path vulnerability
- CVE-2020-2593: Normalize normalization for all
- CVE-2020-2604: Better serial filter handling
- CVE-2020-2659: Enhance datagram socket support
ImportantSUSE bug 1160968SUSE bug 1162972CVE-2019-4732 at SUSECVE-2019-4732 at NVDCVE-2020-2583 at SUSECVE-2020-2583 at NVDCVE-2020-2593 at SUSECVE-2020-2593 at NVDCVE-2020-2604 at SUSECVE-2020-2604 at NVDCVE-2020-2659 at SUSECVE-2020-2659 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for log4j (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for log4j fixes the following issues:
- CVE-2019-17571: Fixed a remote code execution by deserialization of untrusted data in SocketServer (bsc#1159646).
ImportantSUSE bug 1159646CVE-2019-17571 at SUSECVE-2019-17571 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for permissions (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for permissions fixes the following issues:
Security issues fixed:
- CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922).
Non-security issues fixed:
- Fixed a regression where chkstat broke when /proc was not available (bsc#1160764, bsc#1160594).
- Fixed capability handling when doing multiple permission changes at once (bsc#1161779).
ModerateSUSE bug 1123886SUSE bug 1160594SUSE bug 1160764SUSE bug 1161779SUSE bug 1163922CVE-2020-8013 at SUSECVE-2020-8013 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer, python-jsonpatch, python-jsonpointer, python-scandir, python-PyYAML fixes the following issues:
python-cfn-lint was included as a new package in 0.21.4.
python-aws-sam-translator was updated to 1.11.0:
* Add ReservedConcurrentExecutions to globals
* Fix ElasticsearchHttpPostPolicy resource reference
* Support using AWS::Region in Ref and Sub
* Documentation and examples updates
* Add VersionDescription property to Serverless::Function
* Update ServerlessRepoReadWriteAccessPolicy
* Add additional template validation
Upgrade to 1.10.0:
* Add GSIs to DynamoDBReadPolicy and DynamoDBCrudPolicy
* Add DynamoDBReconfigurePolicy
* Add CostExplorerReadOnlyPolicy and OrganizationsListAccountsPolicy
* Add EKSDescribePolicy
* Add SESBulkTemplatedCrudPolicy
* Add FilterLogEventsPolicy
* Add SSMParameterReadPolicy
* Add SESEmailTemplateCrudPolicy
* Add s3:PutObjectAcl to S3CrudPolicy
* Add allow_credentials CORS option
* Add support for AccessLogSetting and CanarySetting Serverless::Api properties
* Add support for X-Ray in Serverless::Api
* Add support for MinimumCompressionSize in Serverless::Api
* Add Auth to Serverless::Api globals
* Remove trailing slashes from APIGW permissions
* Add SNS FilterPolicy and an example application
* Add Enabled property to Serverless::Function event sources
* Add support for PermissionsBoundary in Serverless::Function
* Fix boto3 client initialization
* Add PublicAccessBlockConfiguration property to S3 bucket resource
* Make PAY_PER_REQUEST default mode for Serverless::SimpleTable
* Add limited support for resolving intrinsics in Serverless::LayerVersion
* SAM now uses Flake8
* Add example application for S3 Events written in Go
* Updated several example applications
- Initial build
+ Version 1.9.0
- Add patch to drop compatible releases operator from setup.py,
required for SLES12 as the setuptools version is too old
+ ast_drop-compatible-releases-operator.patch
python-jsonschema was updated to 2.6.0:
* Improved performance on CPython by adding caching around ref resolution
Update to version 2.5.0:
* Improved performance on CPython by adding caching around ref
resolution (#203)
Update to version 2.4.0:
* Added a CLI (#134)
* Added absolute path and absolute schema path to errors (#120)
* Added ``relevance``
* Meta-schemas are now loaded via ``pkgutil``
* Added ``by_relevance`` and ``best_match`` (#91)
* Fixed ``format`` to allow adding formats for non-strings (#125)
* Fixed the ``uri`` format to reject URI references (#131)
- Install /usr/bin/jsonschema with update-alternatives support
python-nose2 was updated to 0.9.1:
* the prof plugin now uses cProfile instead of hotshot for profiling
* skipped tests now include the user's reason in junit XML's message field
* the prettyassert plugin mishandled multi-line function definitions
* Using a plugin's CLI flag when the plugin is already enabled via config
no longer errors
* nose2.plugins.prettyassert, enabled with --pretty-assert
* Cleanup code for EOLed python versions
* Dropped support for distutils.
* Result reporter respects failure status set by other plugins
* JUnit XML plugin now includes the skip reason in its output
Upgrade to 0.8.0:
List of changes is too long to show here, see
https://github.com/nose-devs/nose2/blob/master/docs/changelog.rst
changes between 0.6.5 and 0.8.0
Update to 0.7.0:
* Added parameterized_class feature, for parameterizing entire test
classes (many thanks to @TobyLL for their suggestions and help testing!)
* Fix DeprecationWarning on `inspect.getargs` (thanks @brettdh;
https://github.com/wolever/parameterized/issues/67)
* Make sure that `setUp` and `tearDown` methods work correctly (#40)
* Raise a ValueError when input is empty (thanks @danielbradburn;
https://github.com/wolever/parameterized/pull/48)
* Fix the order when number of cases exceeds 10 (thanks @ntflc;
https://github.com/wolever/parameterized/pull/49)
python-scandir was included in version 2.3.2.
python-requests was updated to version 2.20.1 (bsc#1111622)
* Fixed bug with unintended Authorization header stripping for
redirects using default ports (http/80, https/443).
* remove restriction for urllib3 < 1.24
Update to version 2.20.0:
* Bugfixes
+ Content-Type header parsing is now case-insensitive
(e.g. charset=utf8 v Charset=utf8).
+ Fixed exception leak where certain redirect urls would raise
uncaught urllib3 exceptions.
+ Requests removes Authorization header from requests redirected
from https to http on the same hostname. (CVE-2018-18074)
+ should_bypass_proxies now handles URIs without hostnames
(e.g. files).
* Dependencies
+ Requests now supports urllib3 v1.24.
* Deprecations
+ Requests has officially stopped support for Python 2.6.
Update to version 2.19.1:
* Fixed issue where status_codes.py’s init function failed trying
to append to a __doc__ value of None.
Update to version 2.19.0:
* Improvements
+ Warn about possible slowdown with cryptography version < 1.3.4
+ Check host in proxy URL, before forwarding request to adapter.
+ Maintain fragments properly across redirects. (RFC7231 7.1.2)
+ Removed use of cgi module to expedite library load time.
+ Added support for SHA-256 and SHA-512 digest auth algorithms.
+ Minor performance improvement to Request.content.
+ Migrate to using collections.abc for 3.7 compatibility.
* Bugfixes
+ Parsing empty Link headers with parse_header_links() no longer
return one bogus entry.
+ Fixed issue where loading the default certificate bundle from
a zip archive would raise an IOError.
+ Fixed issue with unexpected ImportError on windows system
which do not support winreg module.
+ DNS resolution in proxy bypass no longer includes the username
and password in the request. This also fixes the issue of DNS
queries failing on macOS.
+ Properly normalize adapter prefixes for url comparison.
+ Passing None as a file pointer to the files param no longer
raises an exception.
+ Calling copy on a RequestsCookieJar will now preserve the
cookie policy correctly.
* We now support idna v2.7 and urllib3 v1.23.
update to version 2.18.4:
* Improvements
+ Error messages for invalid headers now include the header name
for easier debugging
* Dependencies
+ We now support idna v2.6.
update to version 2.18.3:
* Improvements
+ Running $ python -m requests.help now includes the installed
version of idna.
* Bugfixes
+ Fixed issue where Requests would raise ConnectionError instead
of SSLError when encountering SSL problems when using urllib3
v1.22.
ModerateSUSE bug 1111622SUSE bug 1122668CVE-2018-18074 at SUSECVE-2018-18074 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libpng16 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libpng16 fixes the following issues:
Security issues fixed:
- CVE-2019-7317: Fixed a use-after-free vulnerability, triggered when
png_image_free() was called under png_safe_execute (bsc#1124211).
- CVE-2017-12652: Fixed an Input Validation Error related to the length of chunks (bsc#1141493).
ModerateSUSE bug 1124211SUSE bug 1141493CVE-2017-12652 at SUSECVE-2017-12652 at NVDCVE-2019-7317 at SUSECVE-2019-7317 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql96 (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql96 fixes the following issues:
PostgreSQL was updated to version 9.6.17.
Security issue fixed:
- CVE-2020-1720: Fixed a missing authorization check in the ALTER ... DEPENDS ON extension (bsc#1163985).
LowSUSE bug 1163985CVE-2020-1720 at SUSECVE-2020-1720 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for librsvg (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for librsvg to version 2.40.21 fixes the following issues:
librsvg was updated to version 2.40.21 fixing the following issues:
- CVE-2019-20446: Fixed an issue where a crafted SVG file with nested
patterns can cause denial of service (bsc#1162501).
NOTE: Librsvg now has limits on the number of loaded XML elements,
and the number of referenced elements within an SVG document.
- Fixed a stack exhaustion with circular references in <use>
elements.
- Fixed a denial-of-service condition from exponential explosion
of rendered elements, through nested use of SVG 'use' elements in
malicious SVGs.
ModerateSUSE bug 1162501CVE-2019-20446 at SUSECVE-2019-20446 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gd (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gd fixes the following issues:
- CVE-2017-7890: Fixed a buffer over-read into uninitialized memory (bsc#1050241).
- CVE-2018-14553: Fixed a null pointer dereference in gdImageClone() (bsc#1165471).
- CVE-2019-11038: Fixed a information disclosure in gdImageCreateFromXbm() (bsc#1140120).
ModerateSUSE bug 1050241SUSE bug 1140120SUSE bug 1165471CVE-2017-7890 at SUSECVE-2017-7890 at NVDCVE-2018-14553 at SUSECVE-2018-14553 at NVDCVE-2019-11038 at SUSECVE-2019-11038 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_7_0-openjdk fixes the following issues:
Update java-1_7_0-openjdk to version jdk7u251 (January 2020 CPU, bsc#1160968):
- CVE-2020-2583: Unlink Set of LinkedHashSets
- CVE-2020-2590: Improve Kerberos interop capabilities
- CVE-2020-2593: Normalize normalization for all
- CVE-2020-2601: Better Ticket Granting Services
- CVE-2020-2604: Better serial filter handling
- CVE-2020-2659: Enhance datagram socket support
- CVE-2020-2654: Improve Object Identifier Processing
ImportantSUSE bug 1160968CVE-2020-2583 at SUSECVE-2020-2583 at NVDCVE-2020-2590 at SUSECVE-2020-2590 at NVDCVE-2020-2593 at SUSECVE-2020-2593 at NVDCVE-2020-2601 at SUSECVE-2020-2601 at NVDCVE-2020-2604 at SUSECVE-2020-2604 at NVDCVE-2020-2654 at SUSECVE-2020-2654 at NVDCVE-2020-2659 at SUSECVE-2020-2659 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ipmitool (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ipmitool fixes the following issues:
- CVE-2020-5208: Fixed multiple remote code executtion vulnerabilities (bsc#1163026).
- picmg discover messages are now DEBUG and not INFO messages (bsc#1085469).
ImportantSUSE bug 1085469SUSE bug 1163026CVE-2020-5208 at SUSECVE-2020-5208 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for squid (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for squid fixes the following issues:
- CVE-2019-12528: Fixed an information disclosure flaw in the FTP gateway (bsc#1162689).
- CVE-2019-12526: Fixed potential remote code execution during URN processing (bsc#1156326).
- CVE-2019-12523,CVE-2019-18676: Fixed multiple improper validations in URI processing (bsc#1156329).
- CVE-2019-18677: Fixed Cross-Site Request Forgery in HTTP Request processing (bsc#1156328).
- CVE-2019-18678: Fixed incorrect message parsing which could have led to HTTP request splitting issue (bsc#1156323).
- CVE-2019-18679: Fixed information disclosure when processing HTTP Digest Authentication (bsc#1156324).
- CVE-2020-8449: Fixed a buffer overflow when squid is acting as reverse-proxy (bsc#1162687).
- CVE-2020-8450: Fixed a buffer overflow when squid is acting as reverse-proxy (bsc#1162687).
- CVE-2020-8517: Fixed a buffer overflow in ext_lm_group_acl when processing NTLM Authentication credentials (bsc#1162691).
ImportantSUSE bug 1156323SUSE bug 1156324SUSE bug 1156326SUSE bug 1156328SUSE bug 1156329SUSE bug 1162687SUSE bug 1162689SUSE bug 1162691CVE-2019-12523 at SUSECVE-2019-12523 at NVDCVE-2019-12526 at SUSECVE-2019-12526 at NVDCVE-2019-12528 at SUSECVE-2019-12528 at NVDCVE-2019-18676 at SUSECVE-2019-18676 at NVDCVE-2019-18677 at SUSECVE-2019-18677 at NVDCVE-2019-18678 at SUSECVE-2019-18678 at NVDCVE-2019-18679 at SUSECVE-2019-18679 at NVDCVE-2020-8449 at SUSECVE-2020-8449 at NVDCVE-2020-8450 at SUSECVE-2020-8450 at NVDCVE-2020-8517 at SUSECVE-2020-8517 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 68.4.1 ESR
* Fixed: Security fix
MFSA 2020-03 (bsc#1160498)
* CVE-2019-17026 (bmo#1607443)
IonMonkey type confusion with StoreElementHole and
FallibleStoreElement
- Firefox Extended Support Release 68.4.0 ESR
* Fixed: Various security fixes
MFSA 2020-02 (bsc#1160305)
* CVE-2019-17015 (bmo#1599005)
Memory corruption in parent process during new content
process initialization on Windows
* CVE-2019-17016 (bmo#1599181)
Bypass of @namespace CSS sanitization during pasting
* CVE-2019-17017 (bmo#1603055)
Type Confusion in XPCVariant.cpp
* CVE-2019-17021 (bmo#1599008)
Heap address disclosure in parent process during content
process initialization on Windows
* CVE-2019-17022 (bmo#1602843)
CSS sanitization does not escape HTML tags
* CVE-2019-17024 (bmo#1507180, bmo#1595470, bmo#1598605,
bmo#1601826)
Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4
ImportantSUSE bug 1160305SUSE bug 1160498CVE-2019-17015 at SUSECVE-2019-17015 at NVDCVE-2019-17016 at SUSECVE-2019-17016 at NVDCVE-2019-17017 at SUSECVE-2019-17017 at NVDCVE-2019-17021 at SUSECVE-2019-17021 at NVDCVE-2019-17022 at SUSECVE-2019-17022 at NVDCVE-2019-17024 at SUSECVE-2019-17024 at NVDCVE-2019-17026 at SUSECVE-2019-17026 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql10 (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql10 fixes the following issues:
PostgreSQL was updated to version 10.12.
Security issue fixed:
- CVE-2020-1720: Fixed a missing authorization check in the ALTER ... DEPENDS ON extension (bsc#1163985).
LowSUSE bug 1163985CVE-2020-1720 at SUSECVE-2020-1720 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
MozillaFirefox was updated to 68.6.0 ESR (MFSA 2020-09 bsc#1132665 bsc#1166238)
- CVE-2020-6805: Fixed a use-after-free when removing data about origins
- CVE-2020-6806: Fixed improper protections against state confusion
- CVE-2020-6807: Fixed a use-after-free in cubeb during stream destruction
- CVE-2020-6811: Fixed an issue where copy as cURL' feature did not fully
escape website-controlled data potentially leading to command injection
- CVE-2019-20503: Fixed out of bounds reads in sctp_load_addresses_from_init
- CVE-2020-6812: Fixed an issue where the names of AirPods with personally
identifiable information were exposed to websites with camera or microphone
permission
- CVE-2020-6814: Fixed multiple memory safety bugs
- Fixed an issue with minimizing a window (bsc#1132665).
ImportantSUSE bug 1132665SUSE bug 1166238CVE-2019-20503 at SUSECVE-2019-20503 at NVDCVE-2020-6805 at SUSECVE-2020-6805 at NVDCVE-2020-6806 at SUSECVE-2020-6806 at NVDCVE-2020-6807 at SUSECVE-2020-6807 at NVDCVE-2020-6811 at SUSECVE-2020-6811 at NVDCVE-2020-6812 at SUSECVE-2020-6812 at NVDCVE-2020-6814 at SUSECVE-2020-6814 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tomcat (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tomcat fixes the following issues:
- CVE-2020-1938: Fixed a file contents disclosure vulnerability (bsc#1164692).
ImportantSUSE bug 1164692CVE-2020-1938 at SUSECVE-2020-1938 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python36 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python36 fixes the following issues:
Security issues fixed:
- CVE-2019-18348: Fixed a CRLF injection via the host part of the url passed to urlopen().
Now an InvalidURL exception is raised (bsc#1155094).
- CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825).
- CVE-2020-8492: Fixed a regular expression in urllib that was prone to denial of service via HTTP (bsc#1162367).
Non-security issue fixed:
- If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423).
- Python was updated to 3.6.10 (jsc#SLE-9426, jsc#SLE-9427, bsc#1159035).
ModerateSUSE bug 1027282SUSE bug 1029377SUSE bug 1029902SUSE bug 1040164SUSE bug 1042670SUSE bug 1049186SUSE bug 1050653SUSE bug 1070738SUSE bug 1070853SUSE bug 1077230SUSE bug 1079761SUSE bug 1081750SUSE bug 1083507SUSE bug 1086001SUSE bug 1088004SUSE bug 1088009SUSE bug 1088573SUSE bug 1094814SUSE bug 1107030SUSE bug 1109663SUSE bug 1109847SUSE bug 1120644SUSE bug 1122191SUSE bug 1129346SUSE bug 1130840SUSE bug 1133452SUSE bug 1137942SUSE bug 1138459SUSE bug 1141853SUSE bug 1149121SUSE bug 1149792SUSE bug 1149955SUSE bug 1151490SUSE bug 1153238SUSE bug 1155094SUSE bug 1159035SUSE bug 1159622SUSE bug 1162367SUSE bug 1162423SUSE bug 1162825SUSE bug 637176SUSE bug 658604SUSE bug 673071SUSE bug 709442SUSE bug 743787SUSE bug 747125SUSE bug 751718SUSE bug 754447SUSE bug 754677SUSE bug 787526SUSE bug 809831SUSE bug 831629SUSE bug 834601SUSE bug 867887SUSE bug 871152SUSE bug 885662SUSE bug 885882SUSE bug 917607SUSE bug 935856SUSE bug 942751SUSE bug 951166SUSE bug 983582SUSE bug 984751SUSE bug 985177SUSE bug 985348SUSE bug 989523CVE-2011-3389 at SUSECVE-2011-3389 at NVDCVE-2011-4944 at SUSECVE-2011-4944 at NVDCVE-2012-0845 at SUSECVE-2012-0845 at NVDCVE-2012-1150 at SUSECVE-2012-1150 at NVDCVE-2013-1752 at SUSECVE-2013-1752 at NVDCVE-2013-4238 at SUSECVE-2013-4238 at NVDCVE-2014-2667 at SUSECVE-2014-2667 at NVDCVE-2014-4650 at SUSECVE-2014-4650 at NVDCVE-2016-0772 at SUSECVE-2016-0772 at NVDCVE-2016-1000110 at SUSECVE-2016-1000110 at NVDCVE-2016-5636 at SUSECVE-2016-5636 at NVDCVE-2016-5699 at SUSECVE-2016-5699 at NVDCVE-2017-18207 at SUSECVE-2017-18207 at NVDCVE-2018-1000802 at SUSECVE-2018-1000802 at NVDCVE-2018-1060 at SUSECVE-2018-1060 at NVDCVE-2018-1061 at SUSECVE-2018-1061 at NVDCVE-2018-14647 at SUSECVE-2018-14647 at NVDCVE-2018-20406 at SUSECVE-2018-20406 at NVDCVE-2018-20852 at SUSECVE-2018-20852 at NVDCVE-2019-10160 at SUSECVE-2019-10160 at NVDCVE-2019-15903 at SUSECVE-2019-15903 at NVDCVE-2019-16056 at SUSECVE-2019-16056 at NVDCVE-2019-16935 at SUSECVE-2019-16935 at NVDCVE-2019-18348 at SUSECVE-2019-18348 at NVDCVE-2019-5010 at SUSECVE-2019-5010 at NVDCVE-2019-9636 at SUSECVE-2019-9636 at NVDCVE-2019-9674 at SUSECVE-2019-9674 at NVDCVE-2019-9947 at SUSECVE-2019-9947 at NVDCVE-2020-8492 at SUSECVE-2020-8492 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libzypp (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libzypp fixes the following issues:
Security issue fixed:
- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).
ModerateSUSE bug 1158763CVE-2019-18900 at SUSECVE-2019-18900 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python-cffi, python-cryptography (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-cffi, python-cryptography fixes the following issues:
Security issue fixed:
- CVE-2018-10903: Fixed GCM tag forgery via truncated tag in finalize_with_tag API (bsc#1101820).
Non-security issues fixed:
python-cffi was updated to 1.11.2 (bsc#1138748, jsc#ECO-1256, jsc#PM-1598):
- fixed a build failure on i586 (bsc#1111657)
- Salt was unable to highstate in snapshot 20171129 (bsc#1070737)
- Update pytest in spec to add c directory tests in addition to
testing directory.
- update to version 1.11.2:
* Fix Windows issue with managing the thread-state on CPython 3.0 to
3.5
- Update pytest in spec to add c directory tests in addition to
testing directory.
- Omit test_init_once_multithread tests as they rely on multiple
threads finishing in a given time. Returns sporadic pass/fail
within build.
- Update to 1.11.1:
* Fix tests, remove deprecated C API usage
* Fix (hack) for 3.6.0/3.6.1/3.6.2 giving incompatible binary
extensions (cpython issue #29943)
* Fix for 3.7.0a1+
- Update to 1.11.0:
* Support the modern standard types char16_t and char32_t. These
work like wchar_t: they represent one unicode character, or when
used as charN_t * or charN_t[] they represent a unicode string.
The difference with wchar_t is that they have a known, fixed
size. They should work at all places that used to work with
wchar_t (please report an issue if I missed something). Note
that with set_source(), you need to make sure that these types
are actually defined by the C source you provide (if used in
cdef()).
* Support the C99 types float _Complex and double _Complex. Note
that libffi doesn't support them, which means that in the ABI
mode you still cannot call C functions that take complex
numbers directly as arguments or return type.
* Fixed a rare race condition when creating multiple FFI instances
from multiple threads. (Note that you aren't meant to create
many FFI instances: in inline mode, you should write
ffi = cffi.FFI() at module level just after import cffi; and in
out-of-line mode you don't instantiate FFI explicitly at all.)
* Windows: using callbacks can be messy because the CFFI internal
error messages show up to stderr-but stderr goes nowhere in many
applications. This makes it particularly hard to get started
with the embedding mode. (Once you get started, you can at least
use @ffi.def_extern(onerror=...) and send the error logs where
it makes sense for your application, or record them in log
files, and so on.) So what is new in CFFI is that now, on
Windows CFFI will try to open a non-modal MessageBox (in addition
to sending raw messages to stderr). The MessageBox is only
visible if the process stays alive: typically, console
applications that crash close immediately, but that is also the
situation where stderr should be visible anyway.
* Progress on support for callbacks in NetBSD.
* Functions returning booleans would in some case still return 0
or 1 instead of False or True. Fixed.
* ffi.gc() now takes an optional third parameter, which gives an
estimate of the size (in bytes) of the object. So far, this is
only used by PyPy, to make the next GC occur more quickly
(issue #320). In the future, this might have an effect on
CPython too (provided the CPython issue 31105 is addressed).
* Add a note to the documentation: the ABI mode gives function
objects that are slower to call than the API mode does. For
some reason it is often thought to be faster. It is not!
- Update to 1.10.1:
* Fixed the line numbers reported in case of cdef() errors. Also,
I just noticed, but pycparser always supported the preprocessor
directive # 42 'foo.h' to mean 'from the next line, we're in
file foo.h starting from line 42';, which it puts in the error
messages.
- update to 1.10.0:
* Issue #295: use calloc() directly instead of PyObject_Malloc()+memset()
to handle ffi.new() with a default allocator. Speeds up ffi.new(large-array)
where most of the time you never touch most of the array.
* Some OS/X build fixes ('only with Xcode but without CLT';).
* Improve a couple of error messages: when getting mismatched versions of
cffi and its backend; and when calling functions which cannot be called with
libffi because an argument is a struct that is 'too complicated'; (and not
a struct pointer, which always works).
* Add support for some unusual compilers (non-msvc, non-gcc, non-icc, non-clang)
* Implemented the remaining cases for ffi.from_buffer. Now all
buffer/memoryview objects can be passed. The one remaining check is against
passing unicode strings in Python 2. (They support the buffer interface, but
that gives the raw bytes behind the UTF16/UCS4 storage, which is most of the
times not what you expect. In Python 3 this has been fixed and the unicode
strings don't support the memoryview interface any more.)
* The C type _Bool or bool now converts to a Python boolean when reading,
instead of the content of the byte as an integer. The potential
incompatibility here is what occurs if the byte contains a value different
from 0 and 1. Previously, it would just return it; with this change, CFFI
raises an exception in this case. But this case means 'undefined behavior';
in C; if you really have to interface with a library relying on this,
don't use bool in the CFFI side. Also, it is still valid to use a byte
string as initializer for a bool[], but now it must only contain \x00 or
\x01. As an aside, ffi.string() no longer works on bool[] (but it never made
much sense, as this function stops at the first zero).
* ffi.buffer is now the name of cffi's buffer type, and ffi.buffer() works
like before but is the constructor of that type.
* ffi.addressof(lib, 'name') now works also in in-line mode, not only in
out-of-line mode. This is useful for taking the address of global variables.
* Issue #255: cdata objects of a primitive type (integers, floats, char) are
now compared and ordered by value. For example, <cdata 'int' 42> compares
equal to 42 and <cdata 'char' b'A'> compares equal to b'A'. Unlike C,
<cdata 'int' -1> does not compare equal to ffi.cast('unsigned int', -1): it
compares smaller, because -1 < 4294967295.
* PyPy: ffi.new() and ffi.new_allocator()() did not record 'memory pressure';,
causing the GC to run too infrequently if you call ffi.new() very often
and/or with large arrays. Fixed in PyPy 5.7.
* Support in ffi.cdef() for numeric expressions with + or -. Assumes that
there is no overflow; it should be fixed first before we add more general
support for arbitrary arithmetic on constants.
- do not generate HTML documentation for packages that are indirect
dependencies of Sphinx
(see docs at https://cffi.readthedocs.org/ )
- update to 1.9.1
- Structs with variable-sized arrays as their last field: now we track the
length of the array after ffi.new() is called, just like we always tracked
the length of ffi.new('int[]', 42). This lets us detect out-of-range
accesses to array items. This also lets us display a better repr(), and
have the total size returned by ffi.sizeof() and ffi.buffer(). Previously
both functions would return a result based on the size of the declared
structure type, with an assumed empty array. (Thanks andrew for starting
this refactoring.)
- Add support in cdef()/set_source() for unspecified-length arrays in
typedefs: typedef int foo_t[...];. It was already supported for global
variables or structure fields.
- I turned in v1.8 a warning from cffi/model.py into an error: 'enum xxx' has
no values explicitly defined: refusing to guess which integer type it is
meant to be (unsigned/signed, int/long). Now I'm turning it back to a
warning again; it seems that guessing that the enum has size int is a
99%-safe bet. (But not 100%, so it stays as a warning.)
- Fix leaks in the code handling FILE * arguments. In CPython 3 there is a
remaining issue that is hard to fix: if you pass a Python file object to a
FILE * argument, then os.dup() is used and the new file descriptor is only
closed when the GC reclaims the Python file object-and not at the earlier
time when you call close(), which only closes the original file descriptor.
If this is an issue, you should avoid this automatic convertion of Python
file objects: instead, explicitly manipulate file descriptors and call
fdopen() from C (...via cffi).
- When passing a void * argument to a function with a different pointer type,
or vice-versa, the cast occurs automatically, like in C. The same occurs
for initialization with ffi.new() and a few other places. However, I
thought that char * had the same property-but I was mistaken. In C you get
the usual warning if you try to give a char * to a char ** argument, for
example. Sorry about the confusion. This has been fixed in CFFI by giving
for now a warning, too. It will turn into an error in a future version.
- Issue #283: fixed ffi.new() on structures/unions with nested anonymous
structures/unions, when there is at least one union in the mix. When
initialized with a list or a dict, it should now behave more closely like
the { } syntax does in GCC.
- CPython 3.x: experimental: the generated C extension modules now use the
'limited API';, which means that, as a compiled .so/.dll, it should work
directly on any version of CPython >= 3.2. The name produced by distutils
is still version-specific. To get the version-independent name, you can
rename it manually to NAME.abi3.so, or use the very recent setuptools 26.
- Added ffi.compile(debug=...), similar to python setup.py build --debug but
defaulting to True if we are running a debugging version of Python itself.
- Removed the restriction that ffi.from_buffer() cannot be used on byte
strings. Now you can get a char * out of a byte string, which is valid as
long as the string object is kept alive. (But don't use it to modify the
string object! If you need this, use bytearray or other official
techniques.)
- PyPy 5.4 can now pass a byte string directly to a char * argument (in older
versions, a copy would be made). This used to be a CPython-only
optimization.
- ffi.gc(p, None) removes the destructor on an object previously created by
another call to ffi.gc()
- bool(ffi.cast('primitive type', x)) now returns False if the value is zero
(including -0.0), and True otherwise. Previously this would only return
False for cdata objects of a pointer type when the pointer is NULL.
- bytearrays: ffi.from_buffer(bytearray-object) is now supported. (The reason
it was not supported was that it was hard to do in PyPy, but it works since
PyPy 5.3.) To call a C function with a char * argument from a buffer
object-now including bytearrays-you write lib.foo(ffi.from_buffer(x)).
Additionally, this is now supported: p[0:length] = bytearray-object. The
problem with this was that a iterating over bytearrays gives numbers
instead of characters. (Now it is implemented with just a memcpy, of
course, not actually iterating over the characters.)
- C++: compiling the generated C code with C++ was supposed to work, but
failed if you make use the bool type (because that is rendered as the C
_Bool type, which doesn't exist in C++).
- help(lib) and help(lib.myfunc) now give useful information, as well as
dir(p) where p is a struct or pointer-to-struct.
- update for multipython build
- disable 'negative left shift' warning in test suite to prevent
failures with gcc6, until upstream fixes the undefined code
in question (bsc#981848)
- Update to version 1.6.0:
* ffi.list_types()
* ffi.unpack()
* extern 'Python+C';
* in API mode, lib.foo.__doc__ contains the C signature now.
* Yet another attempt at robustness of ffi.def_extern() against
CPython's interpreter shutdown logic.
- Update in SLE-12 (bsc#1138748, jsc#ECO-1256, jsc#PM-1598)
- Make this version of the package compatible with OpenSSL 1.1.1d, thus fixing bsc#1149792.
- bsc#1101820 CVE-2018-10903 GCM tag forgery via truncated tag in
finalize_with_tag API
- Add proper conditional for the python2, the ifpython works only
for the requires/etc
- add missing dependency on python ssl
- update to version 2.1.4:
* Added X509_up_ref for an upcoming pyOpenSSL release.
- update to version 2.1.3:
* Updated Windows, macOS, and manylinux1 wheels to be compiled with
OpenSSL 1.1.0g.
- update to version 2.1.2:
* Corrected a bug with the manylinux1 wheels where OpenSSL's stack
was marked executable.
- fix BuildRequires conditions for python3
- update to 2.1.1
- Fix cffi version requirement.
- Disable memleak tests to fix build with OpenSSL 1.1 (bsc#1055478)
- update to 2.0.3
- update to 2.0.2
- update to 2.0
- update to 1.9
- add python-packaging to requirements explicitly instead of relying
on setuptools to pull it in
- Switch to singlespec approach
- update to 1.8.1
- Adust Requires and BuildRequires ModerateSUSE bug 1055478SUSE bug 1070737SUSE bug 1101820SUSE bug 1111657SUSE bug 1138748SUSE bug 1149792SUSE bug 981848CVE-2018-10903 at SUSECVE-2018-10903 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for spamassassin (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for spamassassin fixes the following issues:
- CVE-2018-11805: Fixed an issue with delimiter handling in rule files
related to is_regexp_valid() (bsc#1118987).
- CVE-2020-1930: Fixed an issue with rule configuration (.cf) files which
can be configured to run system commands (bsc#1162197).
- CVE-2020-1931: Fixed an issue with rule configuration (.cf) files which
can be configured to run system commands with warnings (bsc#1162200).
ImportantSUSE bug 1118987SUSE bug 1162197SUSE bug 1162200CVE-2018-11805 at SUSECVE-2018-11805 at NVDCVE-2020-1930 at SUSECVE-2020-1930 at NVDCVE-2020-1931 at SUSECVE-2020-1931 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for memcached (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for memcached fixes the following issues:
Security issue fixed:
- CVE-2019-11596: Fixed a NULL pointer dereference in process_lru_command (bsc#1133817).
- CVE-2019-15026: Fixed a stack-based buffer over-read (bsc#1149110).
ModerateSUSE bug 1133817SUSE bug 1149110CVE-2019-11596 at SUSECVE-2019-11596 at NVDCVE-2019-15026 at SUSECVE-2019-15026 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for mgetty (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mgetty fixes the following issues:
- CVE-2019-1010190: Fixed a denial of service which could be caused by a local attacker in putwhitespan() (bsc#1142770).
ModerateSUSE bug 1142770CVE-2019-1010190 at SUSECVE-2019-1010190 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3 fixes the following issue:
- CVE-2019-18348: Fixed a CRLF injection via the host part
of the url passed to urlopen(). Now an InvalidURL exception
is raised (bsc#1155094).
- CVE-2019-9674: Improved the documentation to reflect the
dangers of zip-bombs (bsc#1162825).
- CVE-2020-8492: Fixed a regular expression in urllib that
was prone to denial of service via HTTP (bsc#1162367).
- Fixed an issue with version missmatch (bsc#1162224).
- Rename idle icons to idle3 in order to not conflict with python2
variant of the package. (bsc#1165894)
ModerateSUSE bug 1155094SUSE bug 1162224SUSE bug 1162367SUSE bug 1162825SUSE bug 1165894CVE-2019-18348 at SUSECVE-2019-18348 at NVDCVE-2019-9674 at SUSECVE-2019-9674 at NVDCVE-2020-8492 at SUSECVE-2020-8492 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for e2fsprogs (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for e2fsprogs fixes the following issues:
- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).
ModerateSUSE bug 1160571CVE-2019-5188 at SUSECVE-2019-5188 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for exiv2 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for exiv2 fixes the following issues:
- CVE-2018-17581: Fixed an excessive stack consumption in CiffDirectory:readDirectory()
which might have led to denial of service (bsc#1110282).
- CVE-2019-13110: Fixed an integer overflow and an out of bounds read in
CiffDirectory:readDirectory which might have led to denial of service (bsc#1142678).
- CVE-2019-13113: Fixed a potential denial of service via an invalid data location
in a CRW image (bsc#1142683).
- CVE-2019-17402: Fixed an improper validation of the relationship of the total
size to the offset and size in Exiv2::getULong (bsc#1153577).
- CVE-2019-20421: Fixed an infinite loop triggered via an input file (bsc#1161901).
- CVE-2017-9239: Fixed a segmentation fault in TiffImageEntry::doWriteImage function (bsc#1040973).
ModerateSUSE bug 1040973SUSE bug 1110282SUSE bug 1142678SUSE bug 1142683SUSE bug 1153577SUSE bug 1161901CVE-2017-9239 at SUSECVE-2017-9239 at NVDCVE-2018-17581 at SUSECVE-2018-17581 at NVDCVE-2019-13110 at SUSECVE-2019-13110 at NVDCVE-2019-13113 at SUSECVE-2019-13113 at NVDCVE-2019-17402 at SUSECVE-2019-17402 at NVDCVE-2019-20421 at SUSECVE-2019-20421 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for mozilla-nspr, mozilla-nss (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.47.1:
Security issues fixed:
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527).
- CVE-2019-11727: Fixed vulnerability sign CertificateVerify with PKCS#1 v1.5 signatures issue (bsc#1141322).
mozilla-nspr was updated to version 4.23:
- Whitespace in C files was cleaned up and no longer uses tab characters for indenting.
ModerateSUSE bug 1141322SUSE bug 1158527SUSE bug 1159819CVE-2019-11745 at SUSECVE-2019-11745 at NVDCVE-2019-17006 at SUSECVE-2019-17006 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libpng12 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libpng12 fixes the following issues:
Security issue fixed:
- CVE-2017-12652: Fixed an Input Validation Error related to the length of chunks (bsc#1141493).
ModerateSUSE bug 1141493CVE-2017-12652 at SUSECVE-2017-12652 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libxslt (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libxslt fixes the following issue:
- CVE-2019-18197: Fixed a dangling pointer in xsltCopyText which may have led to information disclosure (bsc#1154609).
ModerateSUSE bug 1154609CVE-2019-18197 at SUSECVE-2019-18197 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
- Mozilla Firefox 68.6.1esr
MFSA 2020-11 (bsc#1168630)
* CVE-2020-6819 (bmo#1620818)
Use-after-free while running the nsDocShell destructor
* CVE-2020-6820 (bmo#1626728)
Use-after-free when handling a ReadableStream
ImportantSUSE bug 1168630CVE-2020-6819 at SUSECVE-2020-6819 at NVDCVE-2020-6820 at SUSECVE-2020-6820 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for vino (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for vino fixes the following issues:
- CVE-2019-15681: Fixed a memory leak which could have allowed to a
remote attacker to read stack memory (bsc#1155419).
ModerateSUSE bug 1155419CVE-2019-15681 at SUSECVE-2019-15681 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ceph (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ceph fixes the following issues:
- CVE-2020-1760: Fixed XSS due to RGW GetObject header-splitting (bsc#1166484).
ImportantSUSE bug 1166484CVE-2020-1760 at SUSECVE-2020-1760 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for djvulibre (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for djvulibre fixes the following issues:
- CVE-2019-18804: Fixed a null pointer dereference (bsc#1156188).
LowSUSE bug 1156188CVE-2019-18804 at SUSECVE-2019-18804 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ovmf (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ovmf fixes the following issues:
- CVE-2019-14559: Fixed a memory leak in ArpOnFrameRcvdDpc() (bsc#1163927).
ModerateSUSE bug 1163927CVE-2019-14559 at SUSECVE-2019-14559 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox to version 68.7.0 ESR fixes the following issues:
- CVE-2020-6821: Uninitialized memory could be read when using the WebGL copyTexSubImage method (bsc#1168874).
- CVE-2020-6822: Fixed out of bounds write in GMPDecodeData when processing large images (bsc#1168874).
- CVE-2020-6825: Fixed Memory safety bugs (bsc#1168874).
- CVE-2020-6827: Custom Tabs could have the URI spoofed (bsc#1168874).
- CVE-2020-6828: Preference overwrite via crafted Intent (bsc#1168874).
ImportantSUSE bug 1168874CVE-2020-6821 at SUSECVE-2020-6821 at NVDCVE-2020-6822 at SUSECVE-2020-6822 at NVDCVE-2020-6825 at SUSECVE-2020-6825 at NVDCVE-2020-6827 at SUSECVE-2020-6827 at NVDCVE-2020-6828 at SUSECVE-2020-6828 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for git (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for git fixes the following issues:
Security issue fixed:
- CVE-2020-5260: With a crafted URL that contains a newline in it, the credential
helper machinery can be fooled to give credential information for a wrong host (bsc#1168930).
Non-security issue fixed:
git was updated to 2.26.0 for SHA256 support (bsc#1167890, jsc#SLE-11608):
- the xinetd snippet was removed
- the System V init script for the git-daemon was replaced by a systemd
service file of the same name.
git 2.26.0:
* 'git rebase' now uses a different backend that is based on the
'merge' machinery by default. The 'rebase.backend' configuration
variable reverts to old behaviour when set to 'apply'
* Improved handling of sparse checkouts
* Improvements to many commands and internal features
git 2.25.1:
* 'git commit' now honors advise.statusHints
* various updates, bug fixes and documentation updates
git 2.25.0:
* The branch description ('git branch --edit-description') has been
used to fill the body of the cover letters by the format-patch
command; this has been enhanced so that the subject can also be
filled.
* A few commands learned to take the pathspec from the standard input
or a named file, instead of taking it as the command line
arguments, with the '--pathspec-from-file' option.
* Test updates to prepare for SHA-2 transition continues.
* Redo 'git name-rev' to avoid recursive calls.
* When all files from some subdirectory were renamed to the root
directory, the directory rename heuristics would fail to detect that
as a rename/merge of the subdirectory to the root directory, which has
been corrected.
* HTTP transport had possible allocator/deallocator mismatch, which
has been corrected.
git 2.24.1:
* CVE-2019-1348: The --export-marks option of fast-import is
exposed also via the in-stream command feature export-marks=...
and it allows overwriting arbitrary paths (bsc#1158785)
* CVE-2019-1349: on Windows, when submodules are cloned
recursively, under certain circumstances Git could be fooled
into using the same Git directory twice (bsc#1158787)
* CVE-2019-1350: Incorrect quoting of command-line arguments
allowed remote code execution during a recursive clone in
conjunction with SSH URLs (bsc#1158788)
* CVE-2019-1351: on Windows mistakes drive letters outside of
the US-English alphabet as relative paths (bsc#1158789)
* CVE-2019-1352: on Windows was unaware of NTFS Alternate Data
Streams (bsc#1158790)
* CVE-2019-1353: when run in the Windows Subsystem for Linux
while accessing a working directory on a regular Windows
drive, none of the NTFS protections were active (bsc#1158791)
* CVE-2019-1354: on Windows refuses to write tracked files with
filenames that contain backslashes (bsc#1158792)
* CVE-2019-1387: Recursive clones vulnerability that is caused
by too-lax validation of submodule names, allowing very
targeted attacks via remote code execution in recursive
clones (bsc#1158793)
* CVE-2019-19604: a recursive clone followed by a submodule
update could execute code contained within the repository
without the user explicitly having asked for that (bsc#1158795)
- Fix building with asciidoctor and without DocBook4 stylesheets.
git 2.24.0
* The command line parser learned '--end-of-options' notation.
* A mechanism to affect the default setting for a (related) group of
configuration variables is introduced.
* 'git fetch' learned '--set-upstream' option to help those who first
clone from their private fork they intend to push to, add the true
upstream via 'git remote add' and then 'git fetch' from it.
* fixes and improvements to UI, workflow and features, bash completion fixes
* part of it merged upstream
* the Makefile attempted to download some documentation, banned
git 2.23.0:
* The '--base' option of 'format-patch' computed the patch-ids for
prerequisite patches in an unstable way, which has been updated
to compute in a way that is compatible with 'git patch-id
--stable'.
* The 'git log' command by default behaves as if the --mailmap
option was given.
* fixes and improvements to UI, workflow and features
git 2.22.1:
* A relative pathname given to 'git init --template=<path> <repo>'
ought to be relative to the directory 'git init' gets invoked in,
but it instead was made relative to the repository, which has been
corrected.
* 'git worktree add' used to fail when another worktree connected to
the same repository was corrupt, which has been corrected.
* 'git am -i --resolved' segfaulted after trying to see a commit as
if it were a tree, which has been corrected.
* 'git merge --squash' is designed to update the working tree and the
index without creating the commit, and this cannot be countermanded
by adding the '--commit' option; the command now refuses to work
when both options are given.
* Update to Unicode 12.1 width table.
* 'git request-pull' learned to warn when the ref we ask them to pull
from in the local repository and in the published repository are
different.
* 'git fetch' into a lazy clone forgot to fetch base objects that are
necessary to complete delta in a thin packfile, which has been
corrected.
* The URL decoding code has been updated to avoid going past the end
of the string while parsing %-<hex>-<hex> sequence.
* 'git clean' silently skipped a path when it cannot lstat() it; now
it gives a warning.
* 'git rm' to resolve a conflicted path leaked an internal message
'needs merge' before actually removing the path, which was
confusing. This has been corrected.
* Many more bugfixes and code cleanups.
- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
firewalld, see [1].
[1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html
git 2.22.0:
* The filter specification '--filter=sparse:path=<path>' used to
create a lazy/partial clone has been removed. Using a blob that is
part of the project as sparse specification is still supported with
the '--filter=sparse:oid=<blob>' option
* 'git checkout --no-overlay' can be used to trigger a new mode of
checking out paths out of the tree-ish, that allows paths that
match the pathspec that are in the current index and working tree
and are not in the tree-ish.
* Four new configuration variables {author,committer}.{name,email}
have been introduced to override user.{name,email} in more specific
cases.
* 'git branch' learned a new subcommand '--show-current'.
* The command line completion (in contrib/) has been taught to
complete more subcommand parameters.
* The completion helper code now pays attention to repository-local
configuration (when available), which allows --list-cmds to honour
a repository specific setting of completion.commands, for example.
* The list of conflicted paths shown in the editor while concluding a
conflicted merge was shown above the scissors line when the
clean-up mode is set to 'scissors', even though it was commented
out just like the list of updated paths and other information to
help the user explain the merge better.
* 'git rebase' that was reimplemented in C did not set ORIG_HEAD
correctly, which has been corrected.
* 'git worktree add' used to do a 'find an available name with stat
and then mkdir', which is race-prone. This has been fixed by using
mkdir and reacting to EEXIST in a loop.
- update git-web AppArmor profile for bash and tar usrMerge (bsc#1132350)
git 2.21.0:
* Historically, the '-m' (mainline) option can only be used for 'git
cherry-pick' and 'git revert' when working with a merge commit.
This version of Git no longer warns or errors out when working with
a single-parent commit, as long as the argument to the '-m' option
is 1 (i.e. it has only one parent, and the request is to pick or
revert relative to that first parent). Scripts that relied on the
behaviour may get broken with this change.
* Small fixes and features for fast-export and fast-import.
* The 'http.version' configuration variable can be used with recent
enough versions of cURL library to force the version of HTTP used
to talk when fetching and pushing.
* 'git push $there $src:$dst' rejects when $dst is not a fully
qualified refname and it is not clear what the end user meant.
* Update 'git multimail' from the upstream.
* A new date format '--date=human' that morphs its output depending
on how far the time is from the current time has been introduced.
'--date=auto:human' can be used to use this new format (or any
existing format) when the output is going to the pager or to the
terminal, and otherwise the default format.
- Fix worktree creation race (bsc#1114225).
git 2.20.1:
* portability fixes
* 'git help -a' did not work well when an overly long alias was
defined
* no longer squelched an error message when the run_command API
failed to run a missing command
git 2.20.0:
* 'git help -a' now gives verbose output (same as 'git help -av').
Those who want the old output may say 'git help --no-verbose -a'..
* 'git send-email' learned to grab address-looking string on any
trailer whose name ends with '-by'.
* 'git format-patch' learned new '--interdiff' and '--range-diff'
options to explain the difference between this version and the
previous attempt in the cover letter (or after the three-dashes as
a comment).
* Developer builds now use -Wunused-function compilation option.
* Fix a bug in which the same path could be registered under multiple
worktree entries if the path was missing (for instance, was removed
manually). Also, as a convenience, expand the number of cases in
which --force is applicable.
* The overly large Documentation/config.txt file have been split into
million little pieces. This potentially allows each individual piece
to be included into the manual page of the command it affects more easily.
* Malformed or crafted data in packstream can make our code attempt
to read or write past the allocated buffer and abort, instead of
reporting an error, which has been fixed.
* Fix for a long-standing bug that leaves the index file corrupt when
it shrinks during a partial commit.
* 'git merge' and 'git pull' that merges into an unborn branch used
to completely ignore '--verify-signatures', which has been
corrected.
* ...and much more features and fixes
- fix CVE-2018-19486 (bsc#1117257)
git 2.19.2:
* various bug fixes for multiple subcommands and operations
git 2.19.1:
* CVE-2018-17456: Specially crafted .gitmodules files may have
allowed arbitrary code execution when the repository is cloned
with --recurse-submodules (bsc#1110949)
git 2.19.0:
* 'git diff' compares the index and the working tree. For paths
added with intent-to-add bit, the command shows the full contents
of them as added, but the paths themselves were not marked as new
files. They are now shown as new by default.
* 'git apply' learned the '--intent-to-add' option so that an
otherwise working-tree-only application of a patch will add new
paths to the index marked with the 'intent-to-add' bit.
* 'git grep' learned the '--column' option that gives not just the
line number but the column number of the hit.
* The '-l' option in 'git branch -l' is an unfortunate short-hand for
'--create-reflog', but many users, both old and new, somehow expect
it to be something else, perhaps '--list'. This step warns when '-l'
is used as a short-hand for '--create-reflog' and warns about the
future repurposing of the it when it is used.
* The userdiff pattern for .php has been updated.
* The content-transfer-encoding of the message 'git send-email' sends
out by default was 8bit, which can cause trouble when there is an
overlong line to bust RFC 5322/2822 limit. A new option 'auto' to
automatically switch to quoted-printable when there is such a line
in the payload has been introduced and is made the default.
* 'git checkout' and 'git worktree add' learned to honor
checkout.defaultRemote when auto-vivifying a local branch out of a
remote tracking branch in a repository with multiple remotes that
have tracking branches that share the same names.
(merge 8d7b558bae ab/checkout-default-remote later to maint).
* 'git grep' learned the '--only-matching' option.
* 'git rebase --rebase-merges' mode now handles octopus merges as
well.
* Add a server-side knob to skip commits in exponential/fibbonacci
stride in an attempt to cover wider swath of history with a smaller
number of iterations, potentially accepting a larger packfile
transfer, instead of going back one commit a time during common
ancestor discovery during the 'git fetch' transaction.
(merge 42cc7485a2 jt/fetch-negotiator-skipping later to maint).
* A new configuration variable core.usereplacerefs has been added,
primarily to help server installations that want to ignore the
replace mechanism altogether.
* Teach 'git tag -s' etc. a few configuration variables (gpg.format
that can be set to 'openpgp' or 'x509', and gpg.<format>.program
that is used to specify what program to use to deal with the format)
to allow x.509 certs with CMS via 'gpgsm' to be used instead of
openpgp via 'gnupg'.
* Many more strings are prepared for l10n.
* 'git p4 submit' learns to ask its own pre-submit hook if it should
continue with submitting.
* The test performed at the receiving end of 'git push' to prevent
bad objects from entering repository can be customized via
receive.fsck.* configuration variables; we now have gained a
counterpart to do the same on the 'git fetch' side, with
fetch.fsck.* configuration variables.
* 'git pull --rebase=interactive' learned 'i' as a short-hand for
'interactive'.
* 'git instaweb' has been adjusted to run better with newer Apache on
RedHat based distros.
* 'git range-diff' is a reimplementation of 'git tbdiff' that lets us
compare individual patches in two iterations of a topic.
* The sideband code learned to optionally paint selected keywords at
the beginning of incoming lines on the receiving end.
* 'git branch --list' learned to take the default sort order from the
'branch.sort' configuration variable, just like 'git tag --list'
pays attention to 'tag.sort'.
* 'git worktree' command learned '--quiet' option to make it less
verbose.
git 2.18.0:
* improvements to rename detection logic
* When built with more recent cURL, GIT_SSL_VERSION can now
specify 'tlsv1.3' as its value.
* 'git mergetools' learned talking to guiffy.
* various other workflow improvements and fixes
* performance improvements and other developer visible fixes
Update to git 2.16.4: security fix release
git 2.17.1:
* Submodule 'names' come from the untrusted .gitmodules file, but
we blindly append them to $GIT_DIR/modules to create our on-disk
repo paths. This means you can do bad things by putting '../'
into the name. We now enforce some rules for submodule names
which will cause Git to ignore these malicious names
(CVE-2018-11235, bsc#1095219)
* It was possible to trick the code that sanity-checks paths on
NTFS into reading random piece of memory
(CVE-2018-11233, bsc#1095218)
* Support on the server side to reject pushes to repositories
that attempt to create such problematic .gitmodules file etc.
as tracked contents, to help hosting sites protect their
customers by preventing malicious contents from spreading.
git 2.17.0:
* 'diff' family of commands learned '--find-object=<object-id>' option
to limit the findings to changes that involve the named object.
* 'git format-patch' learned to give 72-cols to diffstat, which is
consistent with other line length limits the subcommand uses for
its output meant for e-mails.
* The log from 'git daemon' can be redirected with a new option; one
relevant use case is to send the log to standard error (instead of
syslog) when running it from inetd.
* 'git rebase' learned to take '--allow-empty-message' option.
* 'git am' has learned the '--quit' option, in addition to the
existing '--abort' option; having the pair mirrors a few other
commands like 'rebase' and 'cherry-pick'.
* 'git worktree add' learned to run the post-checkout hook, just like
'git clone' runs it upon the initial checkout.
* 'git tag' learned an explicit '--edit' option that allows the
message given via '-m' and '-F' to be further edited.
* 'git fetch --prune-tags' may be used as a handy short-hand for
getting rid of stale tags that are locally held.
* The new '--show-current-patch' option gives an end-user facing way
to get the diff being applied when 'git rebase' (and 'git am')
stops with a conflict.
* 'git add -p' used to offer '/' (look for a matching hunk) as a
choice, even there was only one hunk, which has been corrected.
Also the single-key help is now given only for keys that are
enabled (e.g. help for '/' won't be shown when there is only one
hunk).
* Since Git 1.7.9, 'git merge' defaulted to --no-ff (i.e. even when
the side branch being merged is a descendant of the current commit,
create a merge commit instead of fast-forwarding) when merging a
tag object. This was appropriate default for integrators who pull
signed tags from their downstream contributors, but caused an
unnecessary merges when used by downstream contributors who
habitually 'catch up' their topic branches with tagged releases
from the upstream. Update 'git merge' to default to --no-ff only
when merging a tag object that does *not* sit at its usual place in
refs/tags/ hierarchy, and allow fast-forwarding otherwise, to
mitigate the problem.
* 'git status' can spend a lot of cycles to compute the relation
between the current branch and its upstream, which can now be
disabled with '--no-ahead-behind' option.
* 'git diff' and friends learned funcname patterns for Go language
source files.
* 'git send-email' learned '--reply-to=<address>' option.
* Funcname pattern used for C# now recognizes 'async' keyword.
* In a way similar to how 'git tag' learned to honor the pager
setting only in the list mode, 'git config' learned to ignore the
pager setting when it is used for setting values (i.e. when the
purpose of the operation is not to 'show').
- Use %license instead of %doc [bsc#1082318]
git 2.16.3:
* 'git status' after moving a path in the working tree (hence
making it appear 'removed') and then adding with the -N option
(hence making that appear 'added') detected it as a rename, but
did not report the old and new pathnames correctly.
* 'git commit --fixup' did not allow '-m<message>' option to be
used at the same time; allow it to annotate resulting commit
with more text.
* When resetting the working tree files recursively, the working
tree of submodules are now also reset to match.
* Fix for a commented-out code to adjust it to a rather old API
change around object ID.
* When there are too many changed paths, 'git diff' showed a
warning message but in the middle of a line.
* The http tracing code, often used to debug connection issues,
learned to redact potentially sensitive information from its
output so that it can be more safely sharable.
* Crash fix for a corner case where an error codepath tried to
unlock what it did not acquire lock on.
* The split-index mode had a few corner case bugs fixed.
* Assorted fixes to 'git daemon'.
* Completion of 'git merge -s<strategy>' (in contrib/) did not
work well in non-C locale.
* Workaround for segfault with more recent versions of SVN.
* Recently introduced leaks in fsck have been plugged.
* Travis CI integration now builds the executable in 'script'
phase to follow the established practice, rather than during
'before_script' phase. This allows the CI categorize the
failures better ('failed' is project's fault, 'errored' is
build environment's).
- Drop superfluous xinetd snippet, no longer used (bsc#1084460)
- Build with asciidoctor for the recent distros (bsc#1075764)
- Move %{?systemd_requires} to daemon subpackage
- Create subpackage for libsecret credential helper.
git 2.16.2:
* An old regression in 'git describe --all $annotated_tag^0' has
been fixed.
* 'git svn dcommit' did not take into account the fact that a
svn+ssh:// URL with a username@ (typically used for pushing)
refers to the same SVN repository without the username@ and
failed when svn.pushmergeinfo option is set.
* 'git merge -Xours/-Xtheirs' learned to use our/their version
when resolving a conflicting updates to a symbolic link.
* 'git clone $there $here' is allowed even when here directory
exists as long as it is an empty directory, but the command
incorrectly removed it upon a failure of the operation.
* 'git stash -- <pathspec>' incorrectly blew away untracked files
in the directory that matched the pathspec, which has been
corrected.
* 'git add -p' was taught to ignore local changes to submodules
as they do not interfere with the partial addition of regular
changes anyway.
git 2.16.1:
* 'git clone' segfaulted when cloning a project that happens to
track two paths that differ only in case on a case insensitive
filesystem
git 2.16.0 (CVE-2017-15298, bsc#1063412):
* See https://raw.github.com/git/git/master/Documentation/RelNotes/2.16.0.txt
git 2.15.1:
* fix 'auto' column output
* fixes to moved lines diffing
* documentation updates
* fix use of repositories immediately under the root directory
* improve usage of libsecret
* fixes to various error conditions in git commands
- Rewrite from sysv init to systemd unit file for git-daemon
(bsc#1069803)
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (bsc#1069468)
- split off p4 to a subpackage (bsc#1067502)
- Build with the external libsha1detectcoll (bsc#1042644)
git 2.15.0:
* Use of an empty string as a pathspec element that is used for
'everything matches' is still warned and Git asks users to use a
more explicit '.' for that instead. Removal scheduled for 2.16
* Git now avoids blindly falling back to '.git' when the setup
sequence said we are _not_ in Git repository (another corner
case removed)
* 'branch --set-upstream' was retired, deprecated since 1.8
* many other improvements and updates
git 2.14.3:
* git send-email understands more cc: formats
* fixes so gitk --bisect
* git commit-tree fixed to handle -F file alike
* Prevent segfault in 'git cat-file --textconv'
* Fix function header parsing for HTML
* Various small fixes to user commands and and internal functions
git 2.14.2:
* fixes to color output
* http.{sslkey,sslCert} now interpret '~[username]/' prefix
* fixes to walking of reflogs via 'log -g' and friends
* various fixes to output correctness
* 'git push --recurse-submodules $there HEAD:$target' is now
propagated down to the submodules
* 'git clone --recurse-submodules --quiet' c$how propagates quiet
option down to submodules.
* 'git svn --localtime' correctness fixes
* 'git grep -L' and 'git grep --quiet -L' now report same exit code
* fixes to 'git apply' when converting line endings
* Various Perl scripts did not use safe_pipe_capture() instead
of backticks, leaving them susceptible to end-user input.
CVE-2017-14867 bsc#1061041
* 'git cvsserver' no longer is invoked by 'git daemon' by
default
git 2.14.1 (bsc#1052481):
* Security fix for CVE-2017-1000117: A malicious third-party can
give a crafted 'ssh://...' URL to an unsuspecting victim, and
an attempt to visit the URL can result in any program that
exists on the victim's machine being executed. Such a URL could
be placed in the .gitmodules file of a malicious project, and
an unsuspecting victim could be tricked into running
'git clone --recurse-submodules' to trigger the vulnerability.
* A 'ssh://...' URL can result in a 'ssh' command line with a
hostname that begins with a dash '-', which would cause the
'ssh' command to instead (mis)treat it as an option. This is
now prevented by forbidding such a hostname (which should not
impact any real-world usage).
* Similarly, when GIT_PROXY_COMMAND is configured, the command
is run with host and port that are parsed out from 'ssh://...'
URL; a poorly written GIT_PROXY_COMMAND could be tricked into
treating a string that begins with a dash '-' as an option.
This is now prevented by forbidding such a hostname and port
number (again, which should not impact any real-world usage).
* In the same spirit, a repository name that begins with a dash
'-' is also forbidden now.
git 2.14.0:
* Use of an empty string as a pathspec element that is used for
'everything matches' is deprecated, use '.'
* Avoid blindly falling back to '.git' when the setup sequence
indicates operation not on a Git repository
* 'indent heuristics' are now the default.
* Builds with pcre2
* Many bug fixes, improvements and updates
git 2.13.4:
* Update the character width tables.
* Fix an alias that contained an uppercase letter
* Progress meter fixes
* git gc concurrency fixes
git 2.13.3:
* various internal bug fixes
* Fix a regression to 'git rebase -i'
* Correct unaligned 32-bit access in pack-bitmap code
* Tighten error checks for invalid 'git apply' input
* The split index code did not honor core.sharedrepository setting
correctly
* Fix 'git branch --list' handling of color.branch.local
git 2.13.2:
* 'collision detecting' SHA-1 update for platform fixes
* 'git checkout --recurse-submodules' did not quite work with a
submodule that itself has submodules.
* The 'run-command' API implementation has been made more robust
against dead-locking in a threaded environment.
* 'git clean -d' now only cleans ignored files with '-x'
* 'git status --ignored' did not list ignored and untracked files
without '-uall'
* 'git pull --rebase --autostash' didn't auto-stash when the local
history fast-forwards to the upstream.
* 'git describe --contains' gives as much weight to lightweight
tags as annotated tags
* Fix 'git stash push <pathspec>' from a subdirectory
git 2.13.1:
* Setting 'log.decorate=false' in the configuration file did not
take effect in v2.13, which has been corrected.
* corrections to documentation and command help output
* garbage collection fixes
* memory leaks fixed
* receive-pack now makes sure that the push certificate records
the same set of push options used for pushing
* shell completion corrections for git stash
* fix 'git clone --config var=val' with empty strings
* internal efficiency improvements
* Update sha1 collision detection code for big-endian platforms
and platforms not supporting unaligned fetches
- Fix packaging of documentation
git 2.13.0:
* empty string as a pathspec element for 'everything matches'
is still warned, for future removal.
* deprecated argument order 'git merge <msg> HEAD <commit>...'
was removed
* default location '~/.git-credential-cache/socket' for the
socket used to communicate with the credential-cache daemon
moved to '~/.cache/git/credential/socket'.
* now avoid blindly falling back to '.git' when the setup
sequence indicated otherwise
* many workflow features, improvements and bug fixes
* add a hardened implementation of SHA1 in response to practical
collision attacks (CVE-2005-4900, bsc#1042640)
* CVE-2017-8386: On a server running git-shell as login shell to
restrict user to git commands, remote users may have been able
to have git service programs spawn an interactive pager
and thus escape the shell restrictions. (bsc#1038395)
Changes in pcre2:
- Include the libraries, development and tools packages.
git uses only libpcre2-8 so far, but this allows further
application usage of pcre2.
ImportantSUSE bug 1167890SUSE bug 1168930CVE-2020-5260 at SUSECVE-2020-5260 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openexr (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openexr fixes the following issues:
- CVE-2021-3475: Integer-overflow in Imf_2_5::calculateNumTiles (bsc#1184173)
- CVE-2021-3476: Undefined-shift in Imf_2_5::unpack14 (bsc#1184172)
ModerateSUSE bug 1184172SUSE bug 1184173CVE-2021-3475 at SUSECVE-2021-3475 at NVDCVE-2021-3476 at SUSECVE-2021-3476 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for fwupdate (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for fwupdate fixes the following issues:
- Add SBAT section to EFI images (bsc#1182057)
ImportantSUSE bug 1182057cpe:/o:suse:sles_teradata:12:sp3Security update for wpa_supplicant (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for wpa_supplicant fixes the following issues:
- CVE-2021-30004: Fixed an issue where forging attacks might have occured because AlgorithmIdentifier
parameters are mishandled in tls/pkcs1.c and tls/x509v3.c (bsc#1184348).
ModerateSUSE bug 1184348CVE-2021-30004 at SUSECVE-2021-30004 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for spamassassin (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for spamassassin fixes the following issues:
- spamassassin was updated to version 3.4.5
- CVE-2019-12420: memory leak via crafted messages (bsc#1159133)
- CVE-2020-1946: security update (bsc#1184221)
ImportantSUSE bug 1159133SUSE bug 1184221CVE-2019-12420 at SUSECVE-2019-12420 at NVDCVE-2020-1946 at SUSECVE-2020-1946 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for cifs-utils (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for cifs-utils fixes the following issues:
- CVE-2021-20208: Fixed a potential kerberos auth leak escaping from container (bsc#1183239)
ModerateSUSE bug 1183239CVE-2021-20208 at SUSECVE-2021-20208 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xorg-x11-server fixes the following issues:
- CVE-2021-3472: XChangeFeedbackControl Integer Underflow Privilege Escalation (bsc#1180128)
ImportantSUSE bug 1180128CVE-2021-3472 at SUSECVE-2021-3472 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for clamav (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for clamav fixes the following issues:
- CVE-2021-1252: Fix for Excel XLM parser infinite loop. (bsc#1184532)
- CVE-2021-1404: Fix for PDF parser buffer over-read; possible crash. (bsc#1184533)
- CVE-2021-1405: Fix for mail parser NULL-dereference crash. (bsc#1184534)
- Fix errors when scanning files > 4G (bsc#1181256)
- Update clamav.keyring
- Update to 0.103.2
ImportantSUSE bug 1181256SUSE bug 1184532SUSE bug 1184533SUSE bug 1184534CVE-2021-1252 at SUSECVE-2021-1252 at NVDCVE-2021-1404 at SUSECVE-2021-1404 at NVDCVE-2021-1405 at SUSECVE-2021-1405 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for qemu (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for qemu fixes the following issues:
- Fix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)
- Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383)
- Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)
- Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)
- Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)
- Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)
- Fix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174)
- Fix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916, bsc#1179468)
- Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)
- Fix null pointer deref. (DoS) in mmio ops (CVE-2020-15469, bsc#1173612)
- Fix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577)
- Fix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968)
- Fix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416)
- Fix OOB access in SLIRP ARP packet processing (CVE-2020-29130, bsc#1179467)
- Fix null pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386
- Fix OOB access in iscsi (CVE-2020-11947 bsc#1180523)
- Fix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)
- Fix buffer overflow in the XGMAC device (CVE-2020-15863, bsc#1174386)
- Fix DoS in packet processing of various emulated NICs (CVE-2020-16092 bsc#1174641)
- Fix OOB access while processing USB packets (CVE-2020-14364 bsc#1175441)
- Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425)
- Fix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137)
- Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384)
- Fix OOB access in ROM loading (CVE-2020-13765 bsc#1172478)
ImportantSUSE bug 1172383SUSE bug 1172384SUSE bug 1172385SUSE bug 1172386SUSE bug 1172478SUSE bug 1173612SUSE bug 1174386SUSE bug 1174641SUSE bug 1175441SUSE bug 1176673SUSE bug 1176682SUSE bug 1176684SUSE bug 1178174SUSE bug 1178934SUSE bug 1179467SUSE bug 1179468SUSE bug 1180523SUSE bug 1181108SUSE bug 1181639SUSE bug 1182137SUSE bug 1182425SUSE bug 1182577SUSE bug 1182968CVE-2020-11947 at SUSECVE-2020-11947 at NVDCVE-2020-12829 at SUSECVE-2020-12829 at NVDCVE-2020-13361 at SUSECVE-2020-13361 at NVDCVE-2020-13362 at SUSECVE-2020-13362 at NVDCVE-2020-13659 at SUSECVE-2020-13659 at NVDCVE-2020-13765 at SUSECVE-2020-13765 at NVDCVE-2020-14364 at SUSECVE-2020-14364 at NVDCVE-2020-15469 at SUSECVE-2020-15469 at NVDCVE-2020-15863 at SUSECVE-2020-15863 at NVDCVE-2020-16092 at SUSECVE-2020-16092 at NVDCVE-2020-25084 at SUSECVE-2020-25084 at NVDCVE-2020-25624 at SUSECVE-2020-25624 at NVDCVE-2020-25625 at SUSECVE-2020-25625 at NVDCVE-2020-25723 at SUSECVE-2020-25723 at NVDCVE-2020-27617 at SUSECVE-2020-27617 at NVDCVE-2020-28916 at SUSECVE-2020-28916 at NVDCVE-2020-29130 at SUSECVE-2020-29130 at NVDCVE-2020-29443 at SUSECVE-2020-29443 at NVDCVE-2021-20181 at SUSECVE-2021-20181 at NVDCVE-2021-20203 at SUSECVE-2021-20203 at NVDCVE-2021-20257 at SUSECVE-2021-20257 at NVDCVE-2021-3416 at SUSECVE-2021-3416 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
- CVE-2021-20257: xen: infinite loop issue in the e1000 NIC emulator (bsc#1182846).
- CVE-2021-27379: Fixed an issue where entries in the IOMMU were not being updated
under certain circumstances due to improper backport of XSA-321 (XSA-366, bsc#1182431).
ImportantSUSE bug 1182431SUSE bug 1182846CVE-2021-20257 at SUSECVE-2021-20257 at NVDCVE-2021-27379 at SUSECVE-2021-27379 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for sudo (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for sudo fixes the following issues:
- L3: Tenable Scan reports sudo is vulnerable to CVE-2021-3156 (bsc#1183936)
ImportantSUSE bug 1183936CVE-2021-3156 at SUSECVE-2021-3156 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ImageMagick fixes the following issues:
- CVE-2021-20309: Division by zero in WaveImage() of MagickCore/visual-effects. (bsc#1184624)
- CVE-2021-20311: Division by zero in sRGBTransformImage() in MagickCore/colorspace.c (bsc#1184626)
- CVE-2021-20312: Integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c (bsc#1184627)
- CVE-2021-20313: Cipher leak when the calculating signatures in TransformSignatureof MagickCore/signature.c (bsc#1184628)
ModerateSUSE bug 1184624SUSE bug 1184626SUSE bug 1184627SUSE bug 1184628CVE-2021-20309 at SUSECVE-2021-20309 at NVDCVE-2021-20311 at SUSECVE-2021-20311 at NVDCVE-2021-20312 at SUSECVE-2021-20312 at NVDCVE-2021-20313 at SUSECVE-2021-20313 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openldap2 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openldap2 fixes the following issues:
- CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
- CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
ModerateSUSE bug 1178909CVE-2020-25709 at SUSECVE-2020-25709 at NVDCVE-2020-25710 at SUSECVE-2020-25710 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for apache-commons-io (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for apache-commons-io fixes the following issues:
- CVE-2021-29425: Limited path traversal when invoking the method FileNameUtils.normalize
with an improper input string (bsc#1184755).
ModerateSUSE bug 1184755CVE-2021-29425 at SUSECVE-2021-29425 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
- Firefox was updated to 78.10.0 ESR (bsc#1184960)
* CVE-2021-23994: Out of bound write due to lazy initialization
* CVE-2021-23995: Use-after-free in Responsive Design Mode
* CVE-2021-23998: Secure Lock icon could have been spoofed
* CVE-2021-23961: More internal network hosts could have been probed by a malicious webpage
* CVE-2021-23999: Blob URLs may have been granted additional privileges
* CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an encoded URL
* CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead to null-reads
* CVE-2021-29946: Port blocking could be bypassed
ImportantSUSE bug 1184960CVE-2021-23961 at SUSECVE-2021-23961 at NVDCVE-2021-23994 at SUSECVE-2021-23994 at NVDCVE-2021-23995 at SUSECVE-2021-23995 at NVDCVE-2021-23998 at SUSECVE-2021-23998 at NVDCVE-2021-23999 at SUSECVE-2021-23999 at NVDCVE-2021-24002 at SUSECVE-2021-24002 at NVDCVE-2021-29945 at SUSECVE-2021-29945 at NVDCVE-2021-29946 at SUSECVE-2021-29946 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for curl (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for curl fixes the following issues:
- CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials (bsc#1183933).
ModerateSUSE bug 1183933CVE-2021-22876 at SUSECVE-2021-22876 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libnettle (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libnettle fixes the following issues:
- CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401, bsc#1183835).
ImportantSUSE bug 1183835SUSE bug 1184401CVE-2021-20305 at SUSECVE-2021-20305 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gdm (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gdm fixes the following issues:
- Avoid the signal SIGTRAP when gdm exits (bsc#1184456).
ImportantSUSE bug 1184456cpe:/o:suse:sles_teradata:12:sp3Security update for tomcat (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tomcat fixes the following issues:
- CVE-2021-25329: Complete fix for CVE-2020-9484 (bsc#1182909)
ImportantSUSE bug 1182909CVE-2021-25329 at SUSECVE-2021-25329 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_7_0-openjdk (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_7_0-openjdk fixes the following issues:
- Update to 2.6.25 - OpenJDK 7u291 (January 2021 CPU, bsc#1181239)
* Security fixes
+ JDK-8247619: Improve Direct Buffering of Characters
* Import of OpenJDK 7 u291 build 1
+ JDK-8254177: (tz) Upgrade time-zone data to tzdata2020b
+ JDK-8254982: (tz) Upgrade time-zone data to tzdata2020c
+ JDK-8255226: (tz) Upgrade time-zone data to tzdata2020d
ModerateSUSE bug 1181239cpe:/o:suse:sles_teradata:12:sp3Security update for cups (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for cups fixes the following issues:
- CVE-2021-25317: ownership of /var/log/cups could allow privilege escalation from lp user to root via symlink attacks (bsc#1184161)
ImportantSUSE bug 1184161CVE-2021-25317 at SUSECVE-2021-25317 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for bind (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for bind fixes the following issues:
- CVE-2021-25214: Fixed a broken inbound incremental zone update (IXFR) which could have caused named to terminate unexpectedly (bsc#1185345).
- CVE-2021-25215: Fixed an assertion check which could have failed while answering queries for DNAME records that required the DNAME to be processed to resolve itself (bsc#1185345).
- CVE-2021-25216: Fixed an issue where policy negotiation can be targeted by a buffer overflow attack (bsc#1185345).
- MD5 warning message using host, dig, nslookup (bind-utils) with FIPS enabled (bsc#1181495).
ImportantSUSE bug 1181495SUSE bug 1185345CVE-2021-25214 at SUSECVE-2021-25214 at NVDCVE-2021-25215 at SUSECVE-2021-25215 at NVDCVE-2021-25216 at SUSECVE-2021-25216 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python36 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python36 fixes the following issues:
- CVE-2021-3426: Fixed an information disclosure via pydoc (bsc#1183374).
ModerateSUSE bug 1183374CVE-2021-3426 at SUSECVE-2021-3426 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for samba (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for samba fixes the following issues:
- CVE-2021-20254: Fixed a buffer overrun in sids_to_unixids() (bsc#1184677).
- Avoid free'ing our own pointer in memcache when memcache_trim attempts to reduce cache size (bsc#1179156).
- Adjust smbcacls '--propagate-inheritance' feature to align with upstream (bsc#1178469).
ImportantSUSE bug 1178469SUSE bug 1179156SUSE bug 1184677CVE-2021-20254 at SUSECVE-2021-20254 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for avahi (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for avahi fixes the following issues:
- CVE-2021-3468: avoid infinite loop by handling HUP event in client_work (bsc#1184521).
ImportantSUSE bug 1184521CVE-2021-3468 at SUSECVE-2021-3468 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libxml2 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libxml2 fixes the following issues:
- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).
ModerateSUSE bug 1185408SUSE bug 1185409SUSE bug 1185410CVE-2021-3516 at SUSECVE-2021-3516 at NVDCVE-2021-3517 at SUSECVE-2021-3517 at NVDCVE-2021-3518 at SUSECVE-2021-3518 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openvpn (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openvpn fixes the following issues:
- CVE-2020-15078: Fixed authentication bypass with deferred authentication (bsc#1185279).
- CVE-2018-7544: Fixed cross-protocol scripting issue that was discovered in the management interface (bsc#1085803).
ModerateSUSE bug 1085803SUSE bug 1185279CVE-2018-7544 at SUSECVE-2018-7544 at NVDCVE-2020-15078 at SUSECVE-2020-15078 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3 fixes the following issues:
Security issues fixed:
- CVE-2020-27619: where Lib/test/multibytecodec_support calls eval() on content retrieved via HTTP. (bsc#1178009)
Other fixes:
- Make sure to close the 'import_failed.map' file after the exception
has been raised in order to avoid ResourceWarnings when the
failing import is part of a try...except block
ImportantCVE-2020-27619 at SUSECVE-2020-27619 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for djvulibre (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for djvulibre fixes the following issues:
Security issues fixed:
- CVE-2021-32491 [bsc#1185900]: Integer overflow in function render() in tools/ddjvu via crafted djvu file
- CVE-2021-32492 [bsc#1185904]: Out of bounds read in function DJVU:DataPool:has_data() via crafted djvu file
- CVE-2021-32493 [bsc#1185905]: Heap buffer overflow in function DJVU:GBitmap:decode() via crafted djvu file
ImportantSUSE bug 1185900SUSE bug 1185904SUSE bug 1185905CVE-2019-18804 at SUSECVE-2019-18804 at NVDCVE-2021-32491 at SUSECVE-2021-32491 at NVDCVE-2021-32492 at SUSECVE-2021-32492 at NVDCVE-2021-32493 at SUSECVE-2021-32493 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for graphviz (Critical)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for graphviz fixes the following issues:
- CVE-2020-18032: Fixed possible remote code execution via buffer overflow (bsc#1185833).
CriticalSUSE bug 1185833CVE-2020-18032 at SUSECVE-2020-18032 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libxml2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libxml2 fixes the following issues:
Security issues fixed:
CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698)
- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).
ImportantSUSE bug 1185408SUSE bug 1185409SUSE bug 1185410SUSE bug 1185698CVE-2021-3516 at SUSECVE-2021-3516 at NVDCVE-2021-3517 at SUSECVE-2021-3517 at NVDCVE-2021-3518 at SUSECVE-2021-3518 at NVDCVE-2021-3537 at SUSECVE-2021-3537 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for dnsmasq (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for dnsmasq fixes the following issues:
- bsc#1177077: Fixed DNSpooq vulnerabilities
- CVE-2020-25684, CVE-2020-25685, CVE-2020-25686:
Fixed multiple Cache Poisoning attacks.
- CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687:
Fixed multiple potential Heap-based overflows when DNSSEC is
enabled.
- Retry query to other servers on receipt of SERVFAIL rcode
(bsc#1176076)
ImportantSUSE bug 1176076SUSE bug 1177077CVE-2020-25681 at SUSECVE-2020-25681 at NVDCVE-2020-25682 at SUSECVE-2020-25682 at NVDCVE-2020-25683 at SUSECVE-2020-25683 at NVDCVE-2020-25684 at SUSECVE-2020-25684 at NVDCVE-2020-25685 at SUSECVE-2020-25685 at NVDCVE-2020-25686 at SUSECVE-2020-25686 at NVDCVE-2020-25687 at SUSECVE-2020-25687 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for curl (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for curl fixes the following issues:
- CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114).
ModerateSUSE bug 1186114CVE-2021-22898 at SUSECVE-2021-22898 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for flac (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for flac fixes the following issues:
- CVE-2020-0499: Fixed an out-of-bounds access (bsc#1180099).
ModerateSUSE bug 1180099CVE-2020-0499 at SUSECVE-2020-0499 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for perl-Convert-ASN1 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for perl-Convert-ASN1 fixes the following issue:
- CVE-2013-7488: Fixed an infinite loop via unexpected input (bsc#1168934).
ModerateSUSE bug 1168934CVE-2013-7488 at SUSECVE-2013-7488 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for hivex (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for hivex fixes the following issues:
- CVE-2021-3504: hivex: missing bounds check within hivex_open() (bsc#1185013)
ModerateSUSE bug 1185013CVE-2021-3504 at SUSECVE-2021-3504 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libX11 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libX11 fixes the following issues:
- CVE-2021-31535: Fixed missing request length checks in libX11 (bsc#1182506).
ModerateSUSE bug 1182506CVE-2021-31535 at SUSECVE-2021-31535 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql96 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql96 fixes the following issues:
- Upgrade to version 9.6.22.
- CVE-2021-32027: Fixed integer overflows in array subscripting calculations (bsc#1185924).
- CVE-2021-32028: Fixed mishandling of junk columns in INSERT ... ON CONFLICT ... UPDATE target lists (bsc#1185925).
- Don't use %_stop_on_removal, because it was meant to be private and got removed from openSUSE. %_restart_on_update is also private, but still supported and needed for now (bsc#1183168).
- Re-enable build of the llvmjit subpackage on SLE, but it will only be delivered on PackageHub for now (bsc#1183118).
- Disable icu for PostgreSQL 10 (and older) on TW (bsc#1179945).
- Fixed %ghost the symlinks to pg_config and ecpg (bsc#1178961).
- BuildRequire libpq5 and libecpg6 when not building them to avoid dangling symlinks in the devel package (bsc#1179765).
ModerateSUSE bug 1178961SUSE bug 1179765SUSE bug 1179945SUSE bug 1183118SUSE bug 1183168SUSE bug 1185924SUSE bug 1185925CVE-2021-32027 at SUSECVE-2021-32027 at NVDCVE-2021-32028 at SUSECVE-2021-32028 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql10 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql10 fixes the following issues:
- Upgrade to version 10.17:
- CVE-2021-32027: Fixed integer overflows in array subscripting calculations (bsc#1185924).
- CVE-2021-32028: Fixed mishandling of junk columns in INSERT ... ON CONFLICT ... UPDATE target lists (bsc#1185925).
- Don't use %_stop_on_removal, because it was meant to be private and got removed from openSUSE. %_restart_on_update is also private, but still supported and needed for now (bsc#1183168).
- Re-enable build of the llvmjit subpackage on SLE, but it will only be delivered on PackageHub for now (bsc#1183118).
- Disable icu for PostgreSQL 10 (and older) on TW (bsc#1179945).
ModerateSUSE bug 1179945SUSE bug 1183118SUSE bug 1183168SUSE bug 1185924SUSE bug 1185925CVE-2021-32027 at SUSECVE-2021-32027 at NVDCVE-2021-32028 at SUSECVE-2021-32028 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql13 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql13 fixes the following issues:
- Upgrade to version 13.3:
- CVE-2021-32027: Fixed integer overflows in array subscripting calculations (bsc#1185924).
- CVE-2021-32028: Fixed mishandling of junk columns in INSERT ... ON CONFLICT ... UPDATE target lists (bsc#1185925).
- CVE-2021-32029: Fixed possibly-incorrect computation of UPDATE ... RETURNING 'pg_psql_temporary_savepoint' does not exist (bsc#1185926).
- Don't use %_stop_on_removal, because it was meant to be private and got removed from openSUSE. %_restart_on_update is also private, but still supported and needed for now (bsc#1183168).
- Re-enable build of the llvmjit subpackage on SLE, but it will only be delivered on PackageHub for now (bsc#1183118).
- Disable icu for PostgreSQL 10 (and older) on TW (bsc#1179945).
ModerateSUSE bug 1179945SUSE bug 1183118SUSE bug 1183168SUSE bug 1185924SUSE bug 1185925SUSE bug 1185926CVE-2021-32027 at SUSECVE-2021-32027 at NVDCVE-2021-32028 at SUSECVE-2021-32028 at NVDCVE-2021-32029 at SUSECVE-2021-32029 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for dovecot22 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for dovecot22 fixes the following issues:
- CVE-2020-24386: Fixed an issue with IMAP hibernation that allowed users to access other users' emails (bsc#1180405).
ImportantSUSE bug 1180405CVE-2020-24386 at SUSECVE-2020-24386 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for djvulibre (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for djvulibre fixes the following issues:
- CVE-2021-3500: Stack overflow in function DJVU:DjVuDocument:get_djvu_file() via crafted djvu file (bsc#1186253)
ImportantSUSE bug 1186253CVE-2021-3500 at SUSECVE-2021-3500 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for dhcp (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for dhcp fixes the following issues:
- CVE-2021-25217: A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient (bsc#1186382)
ImportantSUSE bug 1186382CVE-2021-25217 at SUSECVE-2021-25217 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libwebp (Critical)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libwebp fixes the following issues:
- CVE-2018-25010: Fixed heap-based buffer overflow in ApplyFilter() (bsc#1185685).
- CVE-2020-36330: Fixed heap-based buffer overflow in ChunkVerifyAndAssign() (bsc#1185691).
- CVE-2020-36332: Fixed extreme memory allocation when reading a file (bsc#1185674).
- CVE-2020-36329: Fixed use-after-free in EmitFancyRGB() (bsc#1185652).
- CVE-2018-25012: Fixed heap-based buffer overflow in GetLE24() (bsc#1185690).
- CVE-2018-25013: Fixed heap-based buffer overflow in ShiftBytes() (bsc#1185654).
- CVE-2020-36331: Fixed heap-based buffer overflow in ChunkAssignData() (bsc#1185686).
- CVE-2018-25009: Fixed heap-based buffer overflow in GetLE16() (bsc#1185673).
- CVE-2018-25011: Fixed fail on multiple image chunks (bsc#1186247).
CriticalSUSE bug 1185652SUSE bug 1185654SUSE bug 1185673SUSE bug 1185674SUSE bug 1185685SUSE bug 1185686SUSE bug 1185690SUSE bug 1185691SUSE bug 1186247CVE-2018-25009 at SUSECVE-2018-25009 at NVDCVE-2018-25010 at SUSECVE-2018-25010 at NVDCVE-2018-25011 at SUSECVE-2018-25011 at NVDCVE-2018-25012 at SUSECVE-2018-25012 at NVDCVE-2018-25013 at SUSECVE-2018-25013 at NVDCVE-2020-36329 at SUSECVE-2020-36329 at NVDCVE-2020-36330 at SUSECVE-2020-36330 at NVDCVE-2020-36331 at SUSECVE-2020-36331 at NVDCVE-2020-36332 at SUSECVE-2020-36332 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for polkit (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for polkit fixes the following issues:
- CVE-2021-3560: Fixed a local privilege escalation using polkit_system_bus_name_get_creds_sync() (bsc#1186497).
ImportantSUSE bug 1186497CVE-2021-3560 at SUSECVE-2021-3560 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gstreamer-plugins-bad (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gstreamer-plugins-bad fixes the following issues:
- CVE-2021-3185: Fixed buffer overflow in gst_h264_slice_parse_dec_ref_pic_marking (bsc#1181255).
ImportantSUSE bug 1181255CVE-2021-3185 at SUSECVE-2021-3185 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for shim (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for shim fixes the following issues:
- Update to the unified shim binary for SBAT support (bsc#1182057)
- shim-install: Always assume 'removable' for Azure to avoid the endless reset loop (bsc#1185464).
ImportantSUSE bug 1182057SUSE bug 1185464cpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 78.11.0 ESR (bsc#1186696)
* CVE-2021-29964: Out of bounds-read when parsing a `WM_COPYDATA` message
* CVE-2021-29967: Memory safety bugs fixed in Firefox
ImportantSUSE bug 1185633SUSE bug 1186696CVE-2021-29951 at SUSECVE-2021-29951 at NVDCVE-2021-29964 at SUSECVE-2021-29964 at NVDCVE-2021-29967 at SUSECVE-2021-29967 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libX11 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libX11 fixes the following issues:
- Regression in the fix for CVE-2021-31535, causing segfaults for xforms applications like fdesign (bsc#1186643)
ImportantSUSE bug 1186643CVE-2021-31535 at SUSECVE-2021-31535 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for qemu (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for qemu fixes the following issues:
- Fix OOB access during mmio operations (CVE-2020-13754, bsc#1172382)
- Fix out-of-bounds read information disclosure in icmp6_send_echoreply (CVE-2020-10756, bsc#1172380)
- Fix out-of-bound heap buffer access via an interrupt ID field (CVE-2021-20221, bsc#1181933)
- For the record, these issues are fixed in this package already.
Most are alternate references to previously mentioned issues:
(CVE-2019-15890, bsc#1149813, CVE-2020-8608, bsc#1163019,
CVE-2020-14364, bsc#1175534, CVE-2020-25707, bsc#1178683,
CVE-2020-25723, bsc#1178935, CVE-2020-29130, bsc#1179477,
CVE-2021-20257, bsc#1182846, CVE-2021-3419, bsc#1182975,
bsc#1094725)
ImportantSUSE bug 1094725SUSE bug 1149813SUSE bug 1163019SUSE bug 1172380SUSE bug 1172382SUSE bug 1175534SUSE bug 1178683SUSE bug 1178935SUSE bug 1179477SUSE bug 1181933SUSE bug 1182846SUSE bug 1182975CVE-2019-15890 at SUSECVE-2019-15890 at NVDCVE-2020-10756 at SUSECVE-2020-10756 at NVDCVE-2020-13754 at SUSECVE-2020-13754 at NVDCVE-2020-14364 at SUSECVE-2020-14364 at NVDCVE-2020-25707 at SUSECVE-2020-25707 at NVDCVE-2020-25723 at SUSECVE-2020-25723 at NVDCVE-2020-29130 at SUSECVE-2020-29130 at NVDCVE-2020-8608 at SUSECVE-2020-8608 at NVDCVE-2021-20221 at SUSECVE-2021-20221 at NVDCVE-2021-20257 at SUSECVE-2021-20257 at NVDCVE-2021-3419 at SUSECVE-2021-3419 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_7_1-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_7_1-ibm fixes the following issues:
- Update to Java 7.1 Service Refresh 4 Fix Pack 75 [bsc#1180063, bsc#1177943]
CVE-2020-14792 CVE-2020-14797 CVE-2020-14782 CVE-2020-14781
CVE-2020-14779 CVE-2020-14798 CVE-2020-14796 CVE-2020-14803
* Class Libraries:
- Z/OS specific C function send_file is changing the file pointer position
* Security:
- Add the new oracle signer certificate
- Certificate parsing error
- JVM memory growth can be caused by the IBMPKCS11IMPL crypto provider
- Remove check for websphere signed jars
- sessionid.hashcode generates too many collisions
- The Java 8 IBM certpath provider does not honor the user
specified system property for CLR connect timeout
ModerateSUSE bug 1177943SUSE bug 1180063CVE-2020-14779 at SUSECVE-2020-14779 at NVDCVE-2020-14781 at SUSECVE-2020-14781 at NVDCVE-2020-14782 at SUSECVE-2020-14782 at NVDCVE-2020-14792 at SUSECVE-2020-14792 at NVDCVE-2020-14796 at SUSECVE-2020-14796 at NVDCVE-2020-14797 at SUSECVE-2020-14797 at NVDCVE-2020-14798 at SUSECVE-2020-14798 at NVDCVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for spice (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for spice fixes the following issues:
- CVE-2021-20201: client initiated renegotiation causing denial of service (bsc#1181686)
ImportantSUSE bug 1181686CVE-2021-20201 at SUSECVE-2021-20201 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ucode-intel fixes the following issues:
Updated to Intel CPU Microcode 20210608 release.
- CVE-2020-24513: A domain bypass transient execution vulnerability was discovered on some Intel Atom processors that use a micro-architectural incident channel. (INTEL-SA-00465 bsc#1179833)
See also: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00465.html
- CVE-2020-24511: The IBRS feature to mitigate Spectre variant 2 transient execution side channel vulnerabilities may not fully prevent non-root (guest) branches from controlling the branch predictions of the root (host) (INTEL-SA-00464 bsc#1179836)
See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html)
- CVE-2020-24512: Fixed trivial data value cache-lines such as all-zero value cache-lines may lead to changes in cache-allocation or write-back behavior for such cache-lines (bsc#1179837 INTEL-SA-00464)
See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html)
- CVE-2020-24489: Fixed Intel VT-d device pass through potential local privilege escalation (INTEL-SA-00442 bsc#1179839)
See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00442.html
Other fixes:
- Update for functional issues. Refer to [Third Generation Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/637780)for details.
- Update for functional issues. Refer to [Second Generation Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/338848) for details.
- Update for functional issues. Refer to [Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/613537) for details.
- Update for functional issues. Refer to [Intel Xeon Processor D-1500, D-1500 NS and D-1600 NS Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-d-1500-specification-update.html) for details.
- Update for functional issues. Refer to [Intel Xeon E7-8800 and E7-4800 v3 Processor Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e7-v3-spec-update.html) for details.
- Update for functional issues. Refer to [Intel Xeon Processor E5 v3 Product Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html?wapkw=processor+spec+update+e5) for details.
- Update for functional issues. Refer to [10th Gen Intel Core Processor Families Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/10th-gen-core-families-specification-update.html) for details.
- Update for functional issues. Refer to [8th and 9th Gen Intel Core Processor Family Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/8th-gen-core-spec-update.html) for details.
- Update for functional issues. Refer to [7th Gen and 8th Gen (U Quad-Core) Intel Processor Families Specification Update](https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-spec-update.html) for details.
- Update for functional issues. Refer to [6th Gen Intel Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/332689) for details.
- Update for functional issues. Refer to [Intel Xeon E3-1200 v6 Processor Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v6-spec-update.html) for details.
- Update for functional issues. Refer to [Intel Xeon E-2100 and E-2200 Processor Family Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-e-2100-specification-update.html) for details.
- New platforms:
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| CLX-SP | A0 | 06-55-05/b7 | | 03000010 | Xeon Scalable Gen2
| ICX-SP | C0 | 06-6a-05/87 | | 0c0002f0 | Xeon Scalable Gen3
| ICX-SP | D0 | 06-6a-06/87 | | 0d0002a0 | Xeon Scalable Gen3
| SNR | B0 | 06-86-04/01 | | 0b00000f | Atom P59xxB
| SNR | B1 | 06-86-05/01 | | 0b00000f | Atom P59xxB
| TGL | B1 | 06-8c-01/80 | | 00000088 | Core Gen11 Mobile
| TGL-R | C0 | 06-8c-02/c2 | | 00000016 | Core Gen11 Mobile
| TGL-H | R0 | 06-8d-01/c2 | | 0000002c | Core Gen11 Mobile
| EHL | B1 | 06-96-01/01 | | 00000011 | Pentium J6426/N6415, Celeron J6412/J6413/N6210/N6211, Atom x6000E
| JSL | A0/A1 | 06-9c-00/01 | | 0000001d | Pentium N6000/N6005, Celeron N4500/N4505/N5100/N5105
| RKL-S | B0 | 06-a7-01/02 | | 00000040 | Core Gen11
- Updated platforms:
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000044 | 00000046 | Core Gen4 X series; Xeon E5 v3
| HSX-EX | E0 | 06-3f-04/80 | 00000016 | 00000019 | Xeon E7 v3
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000e2 | 000000ea | Core Gen6 Mobile
| SKL-U23e | K1 | 06-4e-03/c0 | 000000e2 | 000000ea | Core Gen6 Mobile
| BDX-ML | B0/M0/R0 | 06-4f-01/ef | 0b000038 | 0b00003e | Xeon E5/E7 v4; Core i7-69xx/68xx
| SKX-SP | B1 | 06-55-03/97 | 01000159 | 0100015b | Xeon Scalable
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006a0a | 02006b06 | Xeon Scalable
| SKX-D | M1 | 06-55-04/b7 | 02006a0a | 02006b06 | Xeon D-21xx
| CLX-SP | B0 | 06-55-06/bf | 04003006 | 04003102 | Xeon Scalable Gen2
| CLX-SP | B1 | 06-55-07/bf | 05003006 | 05003102 | Xeon Scalable Gen2
| CPX-SP | A1 | 06-55-0b/bf | 0700001e | 07002302 | Xeon Scalable Gen3
| BDX-DE | V2/V3 | 06-56-03/10 | 07000019 | 0700001b | Xeon D-1518/19/21/27/28/31/33/37/41/48, Pentium D1507/08/09/17/19
| BDX-DE | Y0 | 06-56-04/10 | 0f000017 | 0f000019 | Xeon D-1557/59/67/71/77/81/87
| BDX-NS | A0 | 06-56-05/10 | 0e00000f | 0e000012 | Xeon D-1513N/23/33/43/53
| APL | D0 | 06-5c-09/03 | 00000040 | 00000044 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
| APL | E0 | 06-5c-0a/03 | 0000001e | 00000020 | Atom x5-E39xx
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000e2 | 000000ea | Core Gen6; Xeon E3 v5
| DNV | B0 | 06-5f-01/01 | 0000002e | 00000034 | Atom C Series
| GLK | B0 | 06-7a-01/01 | 00000034 | 00000036 | Pentium Silver N/J5xxx, Celeron N/J4xxx
| GKL-R | R0 | 06-7a-08/01 | 00000018 | 0000001a | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| ICL-U/Y | D1 | 06-7e-05/80 | 000000a0 | 000000a6 | Core Gen10 Mobile
| LKF | B2/B3 | 06-8a-01/10 | 00000028 | 0000002a | Core w/Hybrid Technology
| AML-Y22 | H0 | 06-8e-09/10 | 000000de | 000000ea | Core Gen8 Mobile
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000de | 000000ea | Core Gen7 Mobile
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000e0 | 000000ea | Core Gen8 Mobile
| WHL-U | W0 | 06-8e-0b/d0 | 000000de | 000000ea | Core Gen8 Mobile
| AML-Y42 | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen10 Mobile
| CML-Y42 | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen10 Mobile
| WHL-U | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen8 Mobile
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000de | 000000ea | Core Gen7; Xeon E3 v6
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000de | 000000ea | Core Gen8 Desktop, Mobile, Xeon E
| CFL-S | B0 | 06-9e-0b/02 | 000000de | 000000ea | Core Gen8
| CFL-H/S | P0 | 06-9e-0c/22 | 000000de | 000000ea | Core Gen9
| CFL-H | R0 | 06-9e-0d/22 | 000000de | 000000ea | Core Gen9 Mobile
| CML-H | R1 | 06-a5-02/20 | 000000e0 | 000000ea | Core Gen10 Mobile
| CML-S62 | G1 | 06-a5-03/22 | 000000e0 | 000000ea | Core Gen10
| CML-S102 | Q0 | 06-a5-05/22 | 000000e0 | 000000ec | Core Gen10
| CML-U62 | A0 | 06-a6-00/80 | 000000e0 | 000000e8 | Core Gen10 Mobile
| CML-U62 V2 | K0 | 06-a6-01/80 | 000000e0 | 000000ea | Core Gen10 Mobile
ImportantSUSE bug 1179833SUSE bug 1179836SUSE bug 1179837SUSE bug 1179839CVE-2020-24489 at SUSECVE-2020-24489 at NVDCVE-2020-24511 at SUSECVE-2020-24511 at NVDCVE-2020-24512 at SUSECVE-2020-24512 at NVDCVE-2020-24513 at SUSECVE-2020-24513 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for caribou (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for caribou fixes the following issues:
Security issue fixed:
- CVE-2021-3567: Fixed a segfault when attempting to use shifted characters (bsc#1186617).
ImportantSUSE bug 1186617CVE-2021-3567 at SUSECVE-2021-3567 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libjpeg-turbo (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libjpeg-turbo fixes the following issues:
- CVE-2020-17541: Fixed a stack-based buffer overflow in the 'transform' component (bsc#1186764).
ModerateSUSE bug 1186764CVE-2020-17541 at SUSECVE-2020-17541 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for mutt (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mutt fixes the following issue:
- CVE-2021-3181: Fixed a memory leak in recipient parsing (bsc#1181221).
ModerateSUSE bug 1181221CVE-2021-3181 at SUSECVE-2021-3181 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for freeradius-server (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for freeradius-server fixes the following issues:
- Do not log passwords in logfiles (bsc#1184016)
ModerateSUSE bug 1184016cpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-openjdk (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-openjdk fixes the following issues:
- Update to version jdk8u292 (icedtea 3.19.0).
- CVE-2021-2161: Fixed incomplete enforcement of JAR signing disabled algorithms (bsc#1185055).
ModerateSUSE bug 1185055CVE-2021-2163 at SUSECVE-2021-2163 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ImageMagick (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ImageMagick fixes the following issues:
- CVE-2020-19667: Fixed a stack buffer overflow in XPM coder could result in a crash (bsc#1179103).
- CVE-2020-25664: Fixed a heap-based buffer overflow in PopShortPixel (bsc#1179202).
- CVE-2020-25665: Fixed a heap-based buffer overflow in WritePALMImage (bsc#1179208).
- CVE-2020-25666: Fixed an outside the range of representable values of type 'int' and signed integer overflow (bsc#1179212).
- CVE-2020-25674: Fixed a heap-based buffer overflow in WriteOnePNGImage (bsc#1179223).
- CVE-2020-25675: Fixed an outside the range of representable values of type 'long' and integer overflow (bsc#1179240).
- CVE-2020-25676: Fixed an outside the range of representable values of type 'long' and integer overflow at MagickCore/pixel.c (bsc#1179244).
- CVE-2020-27750: Fixed an division by zero in MagickCore/colorspace-private.h (bsc#1179260).
- CVE-2020-27751: Fixed an integer overflow in MagickCore/quantum-export.c (bsc#1179269).
- CVE-2020-27752: Fixed a heap-based buffer overflow in PopShortPixel in MagickCore/quantum-private.h (bsc#1179346).
- CVE-2020-27753: Fixed memory leaks in AcquireMagickMemory function (bsc#1179397).
- CVE-2020-27754: Fixed an outside the range of representable values of type 'long' and signed integer overflow at MagickCore/quantize.c (bsc#1179336).
- CVE-2020-27755: Fixed memory leaks in ResizeMagickMemory function in ImageMagick/MagickCore/memory.c (bsc#1179345).
- CVE-2020-27757: Fixed an outside the range of representable values of type 'unsigned long long' at MagickCore/quantum-private.h (bsc#1179268).
- CVE-2020-27759: Fixed an outside the range of representable values of type 'int' at MagickCore/quantize.c (bsc#1179313).
- CVE-2020-27760: Fixed a division by zero at MagickCore/enhance.c (bsc#1179281).
- CVE-2020-27761: Fixed an outside the range of representable values of type 'unsigned long' at coders/palm.c (bsc#1179315).
- CVE-2020-27762: Fixed an outside the range of representable values of type 'unsigned char' (bsc#1179278).
- CVE-2020-27763: Fixed a division by zero at MagickCore/resize.c (bsc#1179312).
- CVE-2020-27764: Fixed an outside the range of representable values of type 'unsigned long' at MagickCore/statistic.c (bsc#1179317).
- CVE-2020-27765: Fixed a division by zero at MagickCore/segment.c (bsc#1179311).
- CVE-2020-27766: Fixed an outside the range of representable values of type 'unsigned long' at MagickCore/statistic.c (bsc#1179361).
- CVE-2020-27767: Fixed an outside the range of representable values of type 'float' at MagickCore/quantum.h (bsc#1179322).
- CVE-2020-27768: Fixed an outside the range of representable values of type 'unsigned int' at MagickCore/quantum-private.h (bsc#1179339).
- CVE-2020-27769: Fixed an outside the range of representable values of type 'float' at MagickCore/quantize.c (bsc#1179321).
- CVE-2020-27770: Fixed an unsigned offset overflowed at MagickCore/string.c (bsc#1179343).
- CVE-2020-27771: Fixed an outside the range of representable values of type 'unsigned char' at coders/pdf.c (bsc#1179327).
- CVE-2020-27772: Fixed an outside the range of representable values of type 'unsigned int' at coders/bmp.c (bsc#1179347).
- CVE-2020-27773: Fixed a division by zero at MagickCore/gem-private.h (bsc#1179285).
- CVE-2020-27774: Fixed an integer overflow at MagickCore/statistic.c (bsc#1179333).
- CVE-2020-27775: Fixed an outside the range of representable values of type 'unsigned char' at MagickCore/quantum.h (bsc#1179338).
- CVE-2020-27776: Fixed an outside the range of representable values of type 'unsigned long' at MagickCore/statistic.c (bsc#1179362).
ImportantSUSE bug 1179103SUSE bug 1179202SUSE bug 1179208SUSE bug 1179212SUSE bug 1179223SUSE bug 1179240SUSE bug 1179244SUSE bug 1179260SUSE bug 1179268SUSE bug 1179269SUSE bug 1179278SUSE bug 1179281SUSE bug 1179285SUSE bug 1179311SUSE bug 1179312SUSE bug 1179313SUSE bug 1179315SUSE bug 1179317SUSE bug 1179321SUSE bug 1179322SUSE bug 1179327SUSE bug 1179333SUSE bug 1179336SUSE bug 1179338SUSE bug 1179339SUSE bug 1179343SUSE bug 1179345SUSE bug 1179346SUSE bug 1179347SUSE bug 1179361SUSE bug 1179362SUSE bug 1179397CVE-2020-19667 at SUSECVE-2020-19667 at NVDCVE-2020-25664 at SUSECVE-2020-25664 at NVDCVE-2020-25665 at SUSECVE-2020-25665 at NVDCVE-2020-25666 at SUSECVE-2020-25666 at NVDCVE-2020-25674 at SUSECVE-2020-25674 at NVDCVE-2020-25675 at SUSECVE-2020-25675 at NVDCVE-2020-25676 at SUSECVE-2020-25676 at NVDCVE-2020-27750 at SUSECVE-2020-27750 at NVDCVE-2020-27751 at SUSECVE-2020-27751 at NVDCVE-2020-27752 at SUSECVE-2020-27752 at NVDCVE-2020-27753 at SUSECVE-2020-27753 at NVDCVE-2020-27754 at SUSECVE-2020-27754 at NVDCVE-2020-27755 at SUSECVE-2020-27755 at NVDCVE-2020-27757 at SUSECVE-2020-27757 at NVDCVE-2020-27759 at SUSECVE-2020-27759 at NVDCVE-2020-27760 at SUSECVE-2020-27760 at NVDCVE-2020-27761 at SUSECVE-2020-27761 at NVDCVE-2020-27762 at SUSECVE-2020-27762 at NVDCVE-2020-27763 at SUSECVE-2020-27763 at NVDCVE-2020-27764 at SUSECVE-2020-27764 at NVDCVE-2020-27765 at SUSECVE-2020-27765 at NVDCVE-2020-27766 at SUSECVE-2020-27766 at NVDCVE-2020-27767 at SUSECVE-2020-27767 at NVDCVE-2020-27768 at SUSECVE-2020-27768 at NVDCVE-2020-27769 at SUSECVE-2020-27769 at NVDCVE-2020-27770 at SUSECVE-2020-27770 at NVDCVE-2020-27771 at SUSECVE-2020-27771 at NVDCVE-2020-27772 at SUSECVE-2020-27772 at NVDCVE-2020-27773 at SUSECVE-2020-27773 at NVDCVE-2020-27774 at SUSECVE-2020-27774 at NVDCVE-2020-27775 at SUSECVE-2020-27775 at NVDCVE-2020-27776 at SUSECVE-2020-27776 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.32.1:
+ Improve handling of Media Capture devices.
+ Improve WebAudio playback.
+ Improve video orientation handling.
+ Improve seeking support for MSE playback.
+ Improve flush support in EME decryptors.
+ Fix HTTP status codes for requests done through a custom URI handler.
+ Fix the Bubblewrap sandbox in certain 32-bit systems.
+ Fix inconsistencies between the WebKitWebView.is-muted property
state and values returned by
webkit_web_view_is_playing_audio().
+ Fix the build with ENABLE_VIDEO=OFF.
+ Fix wrong timestamps for long-lived cookies.
+ Fix UI process crash when failing to load favicons.
+ Fix several crashes and rendering issues.
- Including Security fixes for: CVE-2021-1788, CVE-2021-1844, CVE-2021-1871,
CVE-2020-27918, CVE-2020-29623, CVE-2021-1765, CVE-2021-1789, CVE-2021-1799,
CVE-2021-1801, CVE-2021-1870, CVE-2020-13558, CVE-2020-13584, CVE-2020-9983,
CVE-2020-13543, CVE-2020-9947, CVE-2020-9948, CVE-2020-9951.
ImportantSUSE bug 1177087SUSE bug 1179122SUSE bug 1179451SUSE bug 1182286SUSE bug 1184155SUSE bug 1184262CVE-2020-13543 at SUSECVE-2020-13543 at NVDCVE-2020-13558 at SUSECVE-2020-13558 at NVDCVE-2020-13584 at SUSECVE-2020-13584 at NVDCVE-2020-27918 at SUSECVE-2020-27918 at NVDCVE-2020-29623 at SUSECVE-2020-29623 at NVDCVE-2020-9947 at SUSECVE-2020-9947 at NVDCVE-2020-9948 at SUSECVE-2020-9948 at NVDCVE-2020-9951 at SUSECVE-2020-9951 at NVDCVE-2020-9983 at SUSECVE-2020-9983 at NVDCVE-2021-1765 at SUSECVE-2021-1765 at NVDCVE-2021-1788 at SUSECVE-2021-1788 at NVDCVE-2021-1789 at SUSECVE-2021-1789 at NVDCVE-2021-1799 at SUSECVE-2021-1799 at NVDCVE-2021-1801 at SUSECVE-2021-1801 at NVDCVE-2021-1844 at SUSECVE-2021-1844 at NVDCVE-2021-1870 at SUSECVE-2021-1870 at NVDCVE-2021-1871 at SUSECVE-2021-1871 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for apache2 fixes the following issues:
- fixed CVE-2021-30641 [bsc#1187174]: MergeSlashes regression
- fixed CVE-2021-31618 [bsc#1186924]: NULL pointer dereference on specially crafted HTTP/2 request
- fixed CVE-2020-35452 [bsc#1186922]: Single zero byte stack overflow in mod_auth_digest
- fixed CVE-2021-26690 [bsc#1186923]: mod_session NULL pointer dereference in parser
- fixed CVE-2021-26691 [bsc#1187017]: Heap overflow in mod_session
ImportantSUSE bug 1186922SUSE bug 1186923SUSE bug 1186924SUSE bug 1187017SUSE bug 1187174CVE-2020-35452 at SUSECVE-2020-35452 at NVDCVE-2021-26690 at SUSECVE-2021-26690 at NVDCVE-2021-26691 at SUSECVE-2021-26691 at NVDCVE-2021-30641 at SUSECVE-2021-30641 at NVDCVE-2021-31618 at SUSECVE-2021-31618 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xterm (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xterm fixes the following issues:
- CVE-2021-27135: Fixed buffer-overflow when clicking on selected utf8 text. (bsc#1182091)
ImportantSUSE bug 1182091CVE-2021-27135 at SUSECVE-2021-27135 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libxml2 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libxml2 fixes the following issues:
- CVE-2021-3541: Fixed exponential entity expansion attack that could bypass all existing protection mechanisms (bsc#1186015).
ModerateSUSE bug 1186015CVE-2021-3541 at SUSECVE-2021-3541 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ovmf (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ovmf fixes the following issues:
- Fixed a possible buffer overflow in IScsiDxe (bsc#1186151)
ImportantSUSE bug 1186151cpe:/o:suse:sles_teradata:12:sp3Security update for libnettle (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libnettle fixes the following issues:
- CVE-2021-3580: Fixed a remote denial of service in the RSA decryption via manipulated ciphertext (bsc#1187060).
ImportantSUSE bug 1187060CVE-2021-3580 at SUSECVE-2021-3580 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libgcrypt (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libgcrypt fixes the following issues:
- CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212).
ImportantSUSE bug 1187212CVE-2021-33560 at SUSECVE-2021-33560 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openexr (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openexr fixes the following issues:
- Fixed CVE-2021-3479 [bsc#1184354]: Out-of-memory caused by allocation of a very large buffer
- Fixed CVE-2021-3605 [bsc#1187395]: Heap buffer overflow in the rleUncompress function
- Fixed CVE-2021-3598 [bsc#1187310]: Heap buffer overflow in Imf_3_1:CharPtrIO:readChars
ImportantSUSE bug 1184354SUSE bug 1187310SUSE bug 1187395CVE-2021-3479 at SUSECVE-2021-3479 at NVDCVE-2021-3598 at SUSECVE-2021-3598 at NVDCVE-2021-3605 at SUSECVE-2021-3605 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql, postgresql12, postgresql13 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql, postgresql12, postgresql13 fixes the following issues:
Initial packaging of PostgreSQL 13:
* https://www.postgresql.org/about/news/2077/
* https://www.postgresql.org/docs/13/release-13.html
Changes in postgresql:
- Bump postgresql major version to 13.
Changes in postgresql12:
- %ghost the symlinks to pg_config and ecpg. (bsc#1178961)
- BuildRequire libpq5 and libecpg6 when not building them to avoid dangling symlinks in the devel package. (bsc#1179765)
- Fix a DST problem in the test suite.
Changes in postgresql13:
- Add postgresql-icu68.patch: fix build with ICU 68
- %ghost the symlinks to pg_config and ecpg. (bsc#1178961)
- BuildRequire libpq5 and libecpg6 when not building them to avoid dangling symlinks in the devel package. (bsc#1179765)
Upgrade to version 13.1:
* CVE-2020-25695, bsc#1178666: Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and
materialized view queries.
* CVE-2020-25694, bsc#1178667:
a) Fix usage of complex connection-string parameters in pg_dump,
pg_restore, clusterdb, reindexdb, and vacuumdb.
b) When psql's \connect command re-uses connection parameters,
ensure that all non-overridden parameters from a previous
connection string are re-used.
* CVE-2020-25696, bsc#1178668: Prevent psql's \gset command from
modifying specially-treated variables.
* Fix recently-added timetz test case so it works when the USA
is not observing daylight savings time.
(obsoletes postgresql-timetz.patch)
* https://www.postgresql.org/about/news/2111/
* https://www.postgresql.org/docs/13/release-13-1.html
- Fix a DST problem in the test suite.
ImportantSUSE bug 1178666SUSE bug 1178667SUSE bug 1178668SUSE bug 1178961SUSE bug 1179765CVE-2020-25694 at SUSECVE-2020-25694 at NVDCVE-2020-25695 at SUSECVE-2020-25695 at NVDCVE-2020-25696 at SUSECVE-2020-25696 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for arpwatch (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for arpwatch fixes the following issues:
- CVE-2021-25321: Fixed local privilege escalation from runtime user to root (bsc#1186240).
ImportantSUSE bug 1186240CVE-2021-25321 at SUSECVE-2021-25321 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libsolv (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libsolv fixes the following issues:
Security issues fixed:
- CVE-2019-20387: Fixed heap-buffer-overflow in repodata_schema2id (bsc#1161510)
- CVE-2021-3200: testcase_read: error out if repos are added or the system is changed too late (bsc#1186229)
Other issues fixed:
- backport support for blacklisted packages to support ptf packages and retracted patches
- fix ruleinfo of complex dependencies returning the wrong origin
- fix SOLVER_FLAG_FOCUS_BEST updateing packages without reason
- fix add_complex_recommends() selecting conflicted packages in rare cases
- fix potential segfault in resolve_jobrules
- fix solv_zchunk decoding error if large chunks are used
ImportantSUSE bug 1161510SUSE bug 1186229CVE-2019-20387 at SUSECVE-2019-20387 at NVDCVE-2021-3200 at SUSECVE-2021-3200 at NVDcpe:/o:suse:sles_teradata:12:sp3Recommended update for the Azure and AWS SDKs (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for the SLE Public Cloud module provides the following fixes:
Azure SDK update:
This update for the Azure SDK and CLI adds support for the AHB (Azure Hybrid Benefit).
(bsc#1176784, jsc#ECO-3105)
AWS SDK update:
This update for the AWS SDK updates python-boto3 to version 1.17.9 and aws-cli to 1.19.9.
(bsc#1182421, jsc#ECO-3352)
Security fix for python-urllib3:
- Improve performance of sub-authority splitting in URL. (bsc#1187045, CVE-2021-33503)
ImportantSUSE bug 1125671SUSE bug 1154393SUSE bug 1175289SUSE bug 1176784SUSE bug 1176785SUSE bug 1182421SUSE bug 1187045CVE-2021-33503 at SUSECVE-2021-33503 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openssh (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssh fixes the following issues:
- CVE-2020-14145: Fixed a potential information leak during host key exchange (bsc#1173513).
ModerateSUSE bug 1173513CVE-2020-14145 at SUSECVE-2020-14145 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for sudo (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for sudo fixes the following issues:
- A Heap-based buffer overflow in sudo could be exploited to allow a user to gain root privileges
[bsc#1181090,CVE-2021-3156]
- It was possible for a user to test for the existence of a directory due to a Race Condition in `sudoedit`
[bsc#1180684,CVE-2021-23239]
- A Possible Symlink Attack vector existed in `sudoedit` if SELinux was running in permissive mode [bsc#1180685,
CVE-2021-23240]
- It was possible for a User to enable Debug Settings not Intended for them [bsc#1180687]
ImportantSUSE bug 1180684SUSE bug 1180685SUSE bug 1180687SUSE bug 1181090CVE-2021-23239 at SUSECVE-2021-23239 at NVDCVE-2021-23240 at SUSECVE-2021-23240 at NVDCVE-2021-3156 at SUSECVE-2021-3156 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 78.12.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-29 (bsc#1188275)
* CVE-2021-29970: Use-after-free in accessibility features of a document
* CVE-2021-30547: Out of bounds write in ANGLE
* CVE-2021-29976: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12
ImportantSUSE bug 1188275CVE-2021-29970 at SUSECVE-2021-29970 at NVDCVE-2021-29976 at SUSECVE-2021-29976 at NVDCVE-2021-30547 at SUSECVE-2021-30547 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.7.0 ESR (MFSA 2021-04, bsc#1181414)
* CVE-2021-23953: Fixed a Cross-origin information leakage via redirected PDF requests
* CVE-2021-23954: Fixed a type confusion when using logical assignment operators in JavaScript switch statements
* CVE-2020-26976: Fixed an issue where HTTPS pages could have been intercepted by a registered service worker when they should not have been
* CVE-2021-23960: Fixed a use-after-poison for incorrectly redeclared JavaScript variables during GC
* CVE-2021-23964: Fixed Memory safety bugs
ImportantSUSE bug 1181414CVE-2020-26976 at SUSECVE-2020-26976 at NVDCVE-2021-23953 at SUSECVE-2021-23953 at NVDCVE-2021-23954 at SUSECVE-2021-23954 at NVDCVE-2021-23960 at SUSECVE-2021-23960 at NVDCVE-2021-23964 at SUSECVE-2021-23964 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for curl (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for curl fixes the following issues:
- CVE-2021-22925: TELNET stack contents disclosure again. (bsc#1188220)
- CVE-2021-22924: Bad connection reuse due to flawed path name checks. (bsc#1188219)
- CVE-2021-22923: Insufficiently Protected Credentials. (bsc#1188218)
- CVE-2021-22922: Wrong content via metalink not discarded. (bsc#1188217)
ModerateSUSE bug 1188217SUSE bug 1188218SUSE bug 1188219SUSE bug 1188220CVE-2021-22922 at SUSECVE-2021-22922 at NVDCVE-2021-22923 at SUSECVE-2021-22923 at NVDCVE-2021-22924 at SUSECVE-2021-22924 at NVDCVE-2021-22925 at SUSECVE-2021-22925 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for systemd (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for systemd fixes the following issues:
Security issues fixed:
- CVE-2021-33910: Fixed a denial of service (stack exhaustion) in systemd (PID 1) (bsc#1188063)
Other fixes:
- mount-util: shorten the loop a bit (#7545)
- mount-util: do not use the official MAX_HANDLE_SZ (#7523)
- mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761)
- mount-util: fix bad indenting
- mount-util: EOVERFLOW might have other causes than buffer size issues
- mount-util: fix error propagation in fd_fdinfo_mnt_id()
- mount-util: drop exponential buffer growing in name_to_handle_at_loop()
- udev: port udev_has_devtmpfs() to use path_get_mnt_id()
- mount-util: add new path_get_mnt_id() call that queries the mnt ID of a path
- mount-util: add name_to_handle_at_loop() wrapper around name_to_handle_at()
- mount-util: accept that name_to_handle_at() might fail with EPERM (#5499)
- basic: fallback to the fstat if we don't have access to the /proc/self/fdinfo
- sysusers: use the usual comment style
- test/TEST-21-SYSUSERS: add tests for new functionality
- sysusers: allow admin/runtime overrides to command-line config
- basic/strv: add function to insert items at position
- sysusers: allow the shell to be specified
- sysusers: move various user credential validity checks to src/basic/
- man: reformat table in sysusers.d(5)
- sysusers: take configuration as positional arguments
- sysusers: emit a bit more info at debug level when locking fails
- sysusers: allow force reusing existing user/group IDs (#8037)
- sysusers: ensure GID in uid:gid syntax exists
- sysusers: make ADD_GROUP always create a group
- test: add TEST-21-SYSUSERS test
- sysuser: use OrderedHashmap
- sysusers: allow uid:gid in sysusers.conf files
- sysusers: fix memleak (#4430)
- These commits implement the option '--replace' for systemd-sysusers
so %sysusers_create_package can be introduced in SLE and packages
can rely on this rpm macro without wondering whether the macro is
available on the different target the package is submitted to.
- Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807)
- systemctl: add --value option
- execute: make sure to call into PAM after initializing resource limits (bsc#1184967)
- rlimit-util: introduce setrlimit_closest_all()
- system-conf: drop reference to ShutdownWatchdogUsec=
- core: rename ShutdownWatchdogSec to RebootWatchdogSec (bsc#1185331)
- Return -EAGAIN instead of -EALREADY from unit_reload (bsc#1185046)
- rules: don't ignore Xen virtual interfaces anymore (bsc#1178561)
- write_net_rules: set execute bits (bsc#1178561)
- udev: rework network device renaming
- Revert 'Revert 'udev: network device renaming - immediately give up if the target name isn't available''
ImportantSUSE bug 1178561SUSE bug 1184761SUSE bug 1184967SUSE bug 1185046SUSE bug 1185331SUSE bug 1185807SUSE bug 1188063CVE-2021-33910 at SUSECVE-2021-33910 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for linuxptp (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for linuxptp fixes the following issues:
- CVE-2021-3570: Validate the messageLength field of incoming messages. (bsc#1187646)
ImportantSUSE bug 1187646CVE-2021-3570 at SUSECVE-2021-3570 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python36 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python36 fixes the following issues:
- Provide the newest setuptools wheel (bsc#1176262,
CVE-2019-20916) in their correct form (bsc#1180686).
- readd --with-fpectl (bsc#1180377)
ImportantSUSE bug 1176262SUSE bug 1180377SUSE bug 1180686CVE-2019-20916 at SUSECVE-2019-20916 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for qemu (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for qemu fixes the following issues:
Security issues fixed:
- CVE-2021-3595: Fixed slirp: invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366)
- CVE-2021-3592: Fix for slirp: invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364)
- CVE-2021-3594: Fix for slirp: invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367)
- CVE-2021-3593: Fix for slirp: invalid pointer initialization may lead to information disclosure (udp6) (bsc#1187365)
- CVE-2021-3611: Fix intel-hda segmentation fault due to stack overflow (bsc#1187529)
ImportantSUSE bug 1187364SUSE bug 1187365SUSE bug 1187366SUSE bug 1187367SUSE bug 1187529CVE-2021-3592 at SUSECVE-2021-3592 at NVDCVE-2021-3593 at SUSECVE-2021-3593 at NVDCVE-2021-3594 at SUSECVE-2021-3594 at NVDCVE-2021-3595 at SUSECVE-2021-3595 at NVDCVE-2021-3611 at SUSECVE-2021-3611 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for dbus-1 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for dbus-1 fixes the following issues:
- CVE-2020-35512: Fixed a bug where users with the same numeric UID could lead to use-after-free and undefined behaviour. (bsc#1187105)
- CVE-2020-12049: Fixed a bug where a truncated messages lead to resource exhaustion. (bsc#1172505)
ImportantSUSE bug 1172505SUSE bug 1187105CVE-2020-12049 at SUSECVE-2020-12049 at NVDCVE-2020-35512 at SUSECVE-2020-35512 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
Update to version 2.32.3:
- CVE-2021-21775: Fixed a use-after-free vulnerability in the way certain events are processed for ImageLoader objects. A specially crafted web page can lead to a potential information leak and further memory corruption. A victim must be tricked into visiting a malicious web page to trigger this vulnerability. (bsc#1188697)
- CVE-2021-21779: Fixed a use-after-free vulnerability in the way that WebKit GraphicsContext handles certain events. A specially crafted web page can lead to a potential information leak and further memory corruption. A victim must be tricked into visiting a malicious web page to trigger this vulnerability. (bsc#1188697)
- CVE-2021-30663: An integer overflow was addressed with improved input validation. (bsc#1188697)
- CVE-2021-30665: A memory corruption issue was addressed with improved state management. (bsc#1188697)
- CVE-2021-30689: A logic issue was addressed with improved state management. (bsc#1188697)
- CVE-2021-30720: A logic issue was addressed with improved restrictions. (bsc#1188697)
- CVE-2021-30734: Multiple memory corruption issues were addressed with improved memory handling. (bsc#1188697)
- CVE-2021-30744: A cross-origin issue with iframe elements was addressed with improved tracking of security origins. (bsc#1188697)
- CVE-2021-30749: Multiple memory corruption issues were addressed with improved memory handling. (bsc#1188697)
- CVE-2021-30758: A type confusion issue was addressed with improved state handling. (bsc#1188697)
- CVE-2021-30795: A use after free issue was addressed with improved memory management. (bsc#1188697)
- CVE-2021-30797: This issue was addressed with improved checks. (bsc#1188697)
- CVE-2021-30799: Multiple memory corruption issues were addressed with improved memory handling. (bsc#1188697)
ImportantSUSE bug 1188697CVE-2021-21775 at SUSECVE-2021-21775 at NVDCVE-2021-21779 at SUSECVE-2021-21779 at NVDCVE-2021-30663 at SUSECVE-2021-30663 at NVDCVE-2021-30665 at SUSECVE-2021-30665 at NVDCVE-2021-30689 at SUSECVE-2021-30689 at NVDCVE-2021-30720 at SUSECVE-2021-30720 at NVDCVE-2021-30734 at SUSECVE-2021-30734 at NVDCVE-2021-30744 at SUSECVE-2021-30744 at NVDCVE-2021-30749 at SUSECVE-2021-30749 at NVDCVE-2021-30758 at SUSECVE-2021-30758 at NVDCVE-2021-30795 at SUSECVE-2021-30795 at NVDCVE-2021-30797 at SUSECVE-2021-30797 at NVDCVE-2021-30799 at SUSECVE-2021-30799 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libsndfile (Critical)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libsndfile fixes the following issues:
- CVE-2018-13139: Fixed a stack-based buffer overflow in psf_memset in common.c in libsndfile 1.0.28allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact. (bsc#1100167)
- CVE-2018-19432: Fixed a NULL pointer dereference in the function sf_write_int in sndfile.c, which will lead to a denial of service. (bsc#1116993)
- CVE-2021-3246: Fixed a heap buffer overflow vulnerability in msadpcm_decode_block. (bsc#1188540)
- CVE-2018-19758: Fixed a heap-based buffer over-read at wav.c in wav_write_header in libsndfile 1.0.28 that will cause a denial of service. (bsc#1117954)
CriticalSUSE bug 1100167SUSE bug 1116993SUSE bug 1117954SUSE bug 1188540CVE-2018-13139 at SUSECVE-2018-13139 at NVDCVE-2018-19432 at SUSECVE-2018-19432 at NVDCVE-2018-19758 at SUSECVE-2018-19758 at NVDCVE-2021-3246 at SUSECVE-2021-3246 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for djvulibre (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for djvulibre fixes the following issues:
- CVE-2021-3630: out-of-bounds write in DJVU:DjVuTXT:decode() in DjVuText.cpp (bsc#1187869)
ImportantSUSE bug 1187869CVE-2021-3630 at SUSECVE-2021-3630 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for fastjar (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for fastjar fixes the following issues:
- CVE-2010-2322: Fixed a directory traversal vulnerabilities. (bsc#1188517)
LowSUSE bug 1188517CVE-2010-2322 at SUSECVE-2010-2322 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for cpio (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for cpio fixes the following issues:
It was possible to trigger Remote code execution due to a integer overflow (CVE-2021-38185, bsc#1189206)
ImportantSUSE bug 1189206CVE-2021-38185 at SUSECVE-2021-38185 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libcares2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libcares2 fixes the following issues:
- CVE-2021-3672: Fixed input validation on hostnames (bsc#1188881).
ImportantSUSE bug 1188881CVE-2021-3672 at SUSECVE-2021-3672 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 78.13.0 ESR (MFSA 2021-34, bsc#1188891):
- CVE-2021-29986: Race condition when resolving DNS names could have led to memory corruption
- CVE-2021-29988: Memory corruption as a result of incorrect style treatment
- CVE-2021-29984: Incorrect instruction reordering during JIT optimization
- CVE-2021-29980: Uninitialized memory in a canvas object could have led to memory corruption
- CVE-2021-29985: Use-after-free media channels
- CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
ImportantSUSE bug 1188891CVE-2021-29980 at SUSECVE-2021-29980 at NVDCVE-2021-29984 at SUSECVE-2021-29984 at NVDCVE-2021-29985 at SUSECVE-2021-29985 at NVDCVE-2021-29986 at SUSECVE-2021-29986 at NVDCVE-2021-29988 at SUSECVE-2021-29988 at NVDCVE-2021-29989 at SUSECVE-2021-29989 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libmspack (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libmspack fixes the following issues:
- CVE-2018-14681: Bad KWAJ file header extensions could cause a one or two byte overwrite. (bsc#1103032)
- CVE-2018-14682: There is an off-by-one error in the TOLOWER() macro for CHM decompression. (bsc#1103032)
ModerateSUSE bug 1103032CVE-2018-14681 at SUSECVE-2018-14681 at NVDCVE-2018-14682 at SUSECVE-2018-14682 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for spice-vdagent (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for spice-vdagent fixes the following issues:
- CVE-2020-25650: memory DoS via arbitrary entries in `active_xfers` hash table (bsc#1177780)
- CVE-2020-25651: possible file transfer DoS and information leak via `active_xfers` hash map (bsc#1177781)
- CVE-2020-25652: possibility to exhaust file descriptors in `vdagentd` (bsc#1177782)
- CVE-2020-25653: UNIX domain socket peer PID retrieved via `SO_PEERCRED` is subject to race condition (bsc#1177783)
ModerateSUSE bug 1177780SUSE bug 1177781SUSE bug 1177782SUSE bug 1177783CVE-2020-25650 at SUSECVE-2020-25650 at NVDCVE-2020-25651 at SUSECVE-2020-25651 at NVDCVE-2020-25652 at SUSECVE-2020-25652 at NVDCVE-2020-25653 at SUSECVE-2020-25653 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for fetchmail (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for fetchmail fixes the following issues:
- CVE-2021-36386: DoS or information disclosure in some configurations (bsc#1188875)
- Change PASSWORDLEN from 64 to 256 [bsc#1188034]
- Set the hostname for SNI when using TLS [bsc#1182807]
- Allow --syslog option in daemon mode. (bsc#1033081)
- Set the hostname for SNI when using TLS. (bsc#1182807)
- Change PASSWORDLEN from 64 to 256 (bsc#1188034)
ModerateSUSE bug 1033081SUSE bug 1182807SUSE bug 1188034SUSE bug 1188875CVE-2021-36386 at SUSECVE-2021-36386 at NVDcpe:/o:suse:sles_teradata:12:sp3Recommended update for cpio (Critical)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for cpio fixes the following issues:
- A regression in the previous update could lead to crashes (bsc#1189465)
CriticalSUSE bug 1189465CVE-2021-38185 at SUSECVE-2021-38185 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-openjdk fixes the following issues:
- Update to version jdk8u302 (icedtea 3.20.0)
- CVE-2021-2341: Improve file transfers. (bsc#1188564)
- CVE-2021-2369: Better jar file validation. (bsc#1188565)
- CVE-2021-2388: Enhance compiler validation. (bsc#1188566)
- CVE-2021-2161: Less ambiguous processing. (bsc#1185056)
ImportantSUSE bug 1185056SUSE bug 1188564SUSE bug 1188565SUSE bug 1188566CVE-2021-2161 at SUSECVE-2021-2161 at NVDCVE-2021-2341 at SUSECVE-2021-2341 at NVDCVE-2021-2369 at SUSECVE-2021-2369 at NVDCVE-2021-2388 at SUSECVE-2021-2388 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for cpio (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for cpio fixes the following issues:
- A patch previously applied to remedy CVE-2021-38185 introduced a regression
that had the potential to cause a segmentation fault in cpio. [bsc#1189465]
ImportantSUSE bug 1189465CVE-2021-38185 at SUSECVE-2021-38185 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python-PyYAML (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-PyYAML fixes the following issues:
- Update to 5.3.1.
- CVE-2020-14343: A vulnerability was discovered in the PyYAML library,
where it was susceptible to arbitrary code execution when it processes
untrusted YAML files through the full_load method or with the FullLoader
loader. Applications that use the library to process untrusted input
may be vulnerable to this flaw. This flaw allows an attacker to
execute arbitrary code on the system by abusing the python/object/new
constructor. This flaw is due to an incomplete fix for CVE-2020-1747.
ImportantSUSE bug 1174514CVE-2020-14343 at SUSECVE-2020-14343 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openssl (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssl fixes the following security issue:
- CVE-2021-3712: a bug in the code for printing certificate details could lead
to a buffer overrun that a malicious actor could exploit to crash the
application, causing a denial-of-service attack. [bsc#1189521]
ImportantSUSE bug 1189521CVE-2021-3712 at SUSECVE-2021-3712 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for unrar (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for unrar to version 5.6.1 fixes several issues.
These security issues were fixed:
- CVE-2017-12938: Prevent remote attackers to bypass a directory-traversal
protection mechanism via vectors involving a symlink to the . directory, a
symlink to the .. directory, and a regular file (bsc#1054038).
- CVE-2017-12940: Prevent out-of-bounds read in the EncodeFileName::Decode call
within the Archive::ReadHeader15 function (bsc#1054038).
- CVE-2017-12941: Prevent an out-of-bounds read in the Unpack::Unpack20
function (bsc#1054038).
- CVE-2017-12942: Prevent a buffer overflow in the Unpack::LongLZ function
(bsc#1054038).
- CVE-2017-20006: Fixed heap-based buffer overflow in Unpack:CopyString (bsc#1187974).
These non-security issues were fixed:
- Added extraction support for .LZ archives created by Lzip compressor
- Enable unpacking of files in ZIP archives compressed with XZ algorithm and
encrypted with AES
- Added support for PAX extended headers inside of TAR archive
- If RAR recovery volumes (.rev files) are present in the same folder as usual
RAR volumes, archive test command verifies .rev contents after completing
testing .rar files
- By default unrar skips symbolic links with absolute paths in link target when
extracting unless -ola command line switch is specified
- Added support for AES-NI CPU instructions
- Support for a new RAR 5.0 archiving format
- Wildcard exclusion mask for folders
- Prevent conditional jumps depending on uninitialised values (bsc#1046882)
ModerateSUSE bug 1046882SUSE bug 1054038SUSE bug 1187974CVE-2012-6706 at SUSECVE-2012-6706 at NVDCVE-2017-12938 at SUSECVE-2017-12938 at NVDCVE-2017-12940 at SUSECVE-2017-12940 at NVDCVE-2017-12941 at SUSECVE-2017-12941 at NVDCVE-2017-12942 at SUSECVE-2017-12942 at NVDCVE-2017-20006 at SUSECVE-2017-20006 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openvswitch (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openvswitch fixes the following issues:
- openvswitch was updated to 2.7.12
- CVE-2020-27827: Fixed a memory leak when parsing lldp packets (bsc#1181345)
A lot more minor bugs have been fixed with this openvswitch version. Please refer to the changelog of
the openvswitch.rpm file in order to obtain a list of all changes.
ImportantSUSE bug 1117483SUSE bug 1181345CVE-2020-27827 at SUSECVE-2020-27827 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for aspell (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for aspell fixes the following issues:
- CVE-2019-25051: Fixed heap-buffer-overflow in acommon:ObjStack:dup_top (bsc#1188576).
ImportantSUSE bug 1188576CVE-2019-25051 at SUSECVE-2019-25051 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for cups (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for cups fixes the following issues:
- CVE-2020-10001: Fixed an out-of-bounds read in the ippReadIO function (bsc#1180520).
- CVE-2019-8842: Fixed an out-of-bounds read in an extension field (bsc#1170671).
ModerateSUSE bug 1170671SUSE bug 1180520CVE-2019-8842 at SUSECVE-2019-8842 at NVDCVE-2020-10001 at SUSECVE-2020-10001 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for bind (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for bind fixes the following issues:
- CVE-2020-8622: A truncated TSIG response can lead to an assertion failure (bsc#1175443).
ModerateSUSE bug 1175443SUSE bug 1188888CVE-2020-8622 at SUSECVE-2020-8622 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openexr (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openexr fixes the following issues:
- CVE-2021-20298 [bsc#1188460]: Fixed Out-of-memory in B44Compressor
- CVE-2021-20299 [bsc#1188459]: Fixed Null-dereference READ in Imf_2_5:Header:operator
- CVE-2021-20300 [bsc#1188458]: Fixed Integer-overflow in Imf_2_5:hufUncompress
- CVE-2021-20302 [bsc#1188462]: Fixed Floating-point-exception in Imf_2_5:precalculateTileInfot
- CVE-2021-20303 [bsc#1188457]: Fixed Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer
- CVE-2021-20304 [bsc#1188461]: Fixed Undefined-shift in Imf_2_5:hufDecode
ImportantSUSE bug 1188457SUSE bug 1188458SUSE bug 1188459SUSE bug 1188460SUSE bug 1188461SUSE bug 1188462CVE-2021-20298 at SUSECVE-2021-20298 at NVDCVE-2021-20299 at SUSECVE-2021-20299 at NVDCVE-2021-20300 at SUSECVE-2021-20300 at NVDCVE-2021-20302 at SUSECVE-2021-20302 at NVDCVE-2021-20303 at SUSECVE-2021-20303 at NVDCVE-2021-20304 at SUSECVE-2021-20304 at NVDCVE-2021-3476 at SUSECVE-2021-3476 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gstreamer-plugins-good (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gstreamer-plugins-good fixes the following issues:
- CVE-2021-3497: Matroskademux: Fix extraction of multichannel WavPack (bsc#1184739).
ModerateSUSE bug 1184739CVE-2021-3497 at SUSECVE-2021-3497 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libesmtp (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libesmtp fixes the following issues:
- CVE-2019-19977: Fix stack-based buffer over-read in ntlm/ntlmstruct.c (bsc#1160462).
ImportantSUSE bug 1160462SUSE bug 1189097CVE-2019-19977 at SUSECVE-2019-19977 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for apache2 fixes the following issues:
- CVE-2021-33193: Fixed request splitting via HTTP/2 method injection and mod_proxy (bsc#1189387).
ImportantSUSE bug 1189387CVE-2021-33193 at SUSECVE-2021-33193 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for file (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for file fixes the following issues:
- CVE-2019-18218: Fixed heap-based buffer overflow in cdf_read_property_info in cdf.c (bsc#1154661).
ImportantSUSE bug 1154661CVE-2019-18218 at SUSECVE-2019-18218 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xerces-c (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xerces-c fixes the following issues:
- CVE-2018-1311: Fixed use-after-free inside XML parser during the scanning of external DTDs (bsc#1159552).
ImportantSUSE bug 1159552CVE-2018-1311 at SUSECVE-2018-1311 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
- CVE-2021-3594: slirp: invalid pointer initialization may lead to information disclosure (udp)(bsc#1187378).
- CVE-2021-3595: slirp: invalid pointer initialization may lead to information disclosure (tftp)(bsc#1187376).
- CVE-2021-28698: long running loops in grant table handling (XSA-380)(bsc#1189378).
- CVE-2021-28699: inadequate grant-v2 status frames array bounds check (XSA-382)(bsc#1189380).
- CVE-2021-20255: Fixed stack overflow via infinite recursion in eepro100 (bsc#1182654)
- CVE-2021-28690: xen: x86: TSX Async Abort protections not restored after S3 (bsc#1186434)
- CVE-2021-28692: xen: inappropriate x86 IOMMU timeout detection / handling (bsc#1186429)
- CVE-2021-28694,CVE-2021-28695,CVE-2021-28696: IOMMU page mapping issues on x86 (XSA-378)(bsc#1189373).
- CVE-2021-0089: xen: Speculative Code Store Bypass (bsc#1186433)
- CVE-2021-28697: grant table v2 status pages may remain accessible after de-allocation (XSA-379)(bsc#1189376).
- CVE-2021-3592: slirp: invalid pointer initialization may lead to information disclosure (bootp)(bsc#1187369).
- Prevent superpage allocation in the LAPIC and ACPI_INFO range (bsc#1189882).
ImportantSUSE bug 1182654SUSE bug 1186429SUSE bug 1186433SUSE bug 1186434SUSE bug 1187369SUSE bug 1187376SUSE bug 1187378SUSE bug 1189373SUSE bug 1189376SUSE bug 1189378SUSE bug 1189380SUSE bug 1189882CVE-2021-0089 at SUSECVE-2021-0089 at NVDCVE-2021-20255 at SUSECVE-2021-20255 at NVDCVE-2021-28690 at SUSECVE-2021-28690 at NVDCVE-2021-28692 at SUSECVE-2021-28692 at NVDCVE-2021-28694 at SUSECVE-2021-28694 at NVDCVE-2021-28695 at SUSECVE-2021-28695 at NVDCVE-2021-28696 at SUSECVE-2021-28696 at NVDCVE-2021-28697 at SUSECVE-2021-28697 at NVDCVE-2021-28698 at SUSECVE-2021-28698 at NVDCVE-2021-28699 at SUSECVE-2021-28699 at NVDCVE-2021-3592 at SUSECVE-2021-3592 at NVDCVE-2021-3594 at SUSECVE-2021-3594 at NVDCVE-2021-3595 at SUSECVE-2021-3595 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python-urllib3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-urllib3 fixes the following issues:
- Raise ValueError if method contains control characters and thus prevents CRLF
injection into URLs (bsc#1177211, bpo#39603, CVE-2020-26116,).
ModerateSUSE bug 1177211CVE-2020-26116 at SUSECVE-2020-26116 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for grilo (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for grilo fixes the following issues:
- CVE-2021-39365: Fixed missing TLS certificate verification (bsc#1189839).
ImportantSUSE bug 1189839CVE-2021-39365 at SUSECVE-2021-39365 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_7_0-openjdk (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_7_0-openjdk fixes the following issues:
- Update to 2.6.27 - OpenJDK 7u311 (July 2021 CPU)
Security fixes:
- CVE-2021-2341: Improve file transfers (bsc#1188564)
- CVE-2021-2369: Better jar file validation (bsc#1188565)
- CVE-2021-2432: Provide better LDAP provider support (bsc#1188568)
- CVE-2021-2163: Enhance opening JARs (bsc#1185055)
- CVE-2021-2161: Less ambiguous processing (bsc#1185056)
- CVE-2018-3639: Fix revision to prefer
ModerateSUSE bug 1185055SUSE bug 1185056SUSE bug 1188564SUSE bug 1188565SUSE bug 1188568CVE-2018-3639 at SUSECVE-2018-3639 at NVDCVE-2021-2161 at SUSECVE-2021-2161 at NVDCVE-2021-2163 at SUSECVE-2021-2163 at NVDCVE-2021-2341 at SUSECVE-2021-2341 at NVDCVE-2021-2369 at SUSECVE-2021-2369 at NVDCVE-2021-2432 at SUSECVE-2021-2432 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for qemu (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for qemu fixes the following issues:
Security issues fixed:
- usbredir: free call on invalid pointer in bufp_alloc (bsc#1189145, CVE-2021-3682)
- NULL pointer dereference in ESP (bsc#1180433, CVE-2020-35504) (bsc#1180434, CVE-2020-35505) (bsc#1180435, CVE-2020-35506)
- NULL pointer dereference issue in megasas-gen2 host bus adapter (bsc#1180432, CVE-2020-35503)
- eepro100: stack overflow via infinite recursion (bsc#1182651, CVE-2021-20255)
- usb: unbounded stack allocation in usbredir (bsc#1186012, CVE-2021-3527)
ModerateSUSE bug 1180432SUSE bug 1180433SUSE bug 1180434SUSE bug 1180435SUSE bug 1182651SUSE bug 1186012SUSE bug 1189145CVE-2020-35503 at SUSECVE-2020-35503 at NVDCVE-2020-35504 at SUSECVE-2020-35504 at NVDCVE-2020-35505 at SUSECVE-2020-35505 at NVDCVE-2020-35506 at SUSECVE-2020-35506 at NVDCVE-2021-20255 at SUSECVE-2021-20255 at NVDCVE-2021-3527 at SUSECVE-2021-3527 at NVDCVE-2021-3682 at SUSECVE-2021-3682 at NVDcpe:/o:suse:sles_teradata:12:sp3Recommended update for mozilla-nspr, mozilla-nss (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mozilla-nspr fixes the following issues:
mozilla-nspr was updated to version 4.32:
* implement new socket option PR_SockOpt_DontFrag
* support larger DNS records by increasing the default buffer
size for DNS queries
* Lock access to PRCallOnceType members in PR_CallOnce* for
thread safety bmo#1686138
* PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get
information about the operating system build version.
Mozilla NSS was updated to version 3.68:
* bmo#1713562 - Fix test leak.
* bmo#1717452 - NSS 3.68 should depend on NSPR 4.32.
* bmo#1693206 - Implement PKCS8 export of ECDSA keys.
* bmo#1712883 - DTLS 1.3 draft-43.
* bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
* bmo#1713562 - Validate ECH public names.
* bmo#1717610 - Add function to get seconds from epoch from pkix::Time.
update to NSS 3.67
* bmo#1683710 - Add a means to disable ALPN.
* bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66).
* bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja.
* bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c.
* bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte.
update to NSS 3.66
* bmo#1710716 - Remove Expired Sonera Class2 CA from NSS.
* bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority.
* bmo#1708307 - Remove Trustis FPS Root CA from NSS.
* bmo#1707097 - Add Certum Trusted Root CA to NSS.
* bmo#1707097 - Add Certum EC-384 CA to NSS.
* bmo#1703942 - Add ANF Secure Server Root CA to NSS.
* bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS.
* bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database.
* bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler.
* bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h.
* bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators.
* bmo#1709291 - Add VerifyCodeSigningCertificateChain.
update to NSS 3.65
* bmo#1709654 - Update for NetBSD configuration.
* bmo#1709750 - Disable HPKE test when fuzzing.
* bmo#1566124 - Optimize AES-GCM for ppc64le.
* bmo#1699021 - Add AES-256-GCM to HPKE.
* bmo#1698419 - ECH -10 updates.
* bmo#1692930 - Update HPKE to final version.
* bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default.
* bmo#1703936 - New coverity/cpp scanner errors.
* bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards.
* bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
* bmo#1705119 - Deadlock when using GCM and non-thread safe tokens.
update to NSS 3.64
* bmo#1705286 - Properly detect mips64.
* bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and
disable_crypto_vsx.
* bmo#1698320 - replace __builtin_cpu_supports('vsx') with
ppc_crypto_support() for clang.
* bmo#1613235 - Add POWER ChaCha20 stream cipher vector
acceleration.
Fixed in 3.63
* bmo#1697380 - Make a clang-format run on top of helpful contributions.
* bmo#1683520 - ECCKiila P384, change syntax of nested structs
initialization to prevent build isses with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual
scalar multiplication.
* bmo#1683520 - ECCKiila P521, change syntax of nested structs
initialization to prevent build isses with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual
scalar multiplication.
* bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683.
* bmo#1694214 - tstclnt can't enable middlebox compat mode.
* bmo#1694392 - NSS does not work with PKCS #11 modules not supporting
profiles.
* bmo#1685880 - Minor fix to prevent unused variable on early return.
* bmo#1685880 - Fix for the gcc compiler version 7 to support setenv
with nss build.
* bmo#1693217 - Increase nssckbi.h version number for March 2021 batch
of root CA changes, CA list version 2.48.
* bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's
'Chambers of Commerce' and 'Global Chambersign' roots.
* bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER.
* bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS.
* bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS.
* bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs
from NSS.
* bmo#1687822 - Turn off Websites trust bit for the “Staat der
Nederlanden Root CA - G3” root cert in NSS.
* bmo#1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce
Root - 2008' and 'Global Chambersign Root - 2008’.
* bmo#1694291 - Tracing fixes for ECH.
update to NSS 3.62
* bmo#1688374 - Fix parallel build NSS-3.61 with make
* bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add()
can corrupt 'cachedCertTable'
* bmo#1690583 - Fix CH padding extension size calculation
* bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail
* bmo#1690421 - Install packaged libabigail in docker-builds image
* bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing
* bmo#1674819 - Fixup a51fae403328, enum type may be signed
* bmo#1681585 - Add ECH support to selfserv
* bmo#1681585 - Update ECH to Draft-09
* bmo#1678398 - Add Export/Import functions for HPKE context
* bmo#1678398 - Update HPKE to draft-07
update to NSS 3.61
* bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key
values under certain conditions.
* bmo#1684300 - Fix default PBE iteration count when NSS is compiled
with NSS_DISABLE_DBM.
* bmo#1651411 - Improve constant-timeness in RSA operations.
* bmo#1677207 - Upgrade Google Test version to latest release.
* bmo#1654332 - Add aarch64-make target to nss-try.
Update to NSS 3.60.1:
Notable changes in NSS 3.60:
* TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support
has been added, replacing the previous ESNI (draft-ietf-tls-esni-01)
implementation. See bmo#1654332 for more information.
* December 2020 batch of Root CA changes, builtins library updated
to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769
for more information.
Update to NSS 3.59.1:
* bmo#1679290 - Fix potential deadlock with certain third-party
PKCS11 modules
Update to NSS 3.59:
Notable changes:
* Exported two existing functions from libnss:
CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData
Bugfixes
* bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
* bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
* bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
* bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
* bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed
root certs when SHA1 signatures are disabled.
* bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to
solve some test intermittents
* bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in
our CVE-2020-25648 fix that broke purple-discord
(boo#1179382)
* bmo#1666891 - Support key wrap/unwrap with RSA-OAEP
* bmo#1667989 - Fix gyp linking on Solaris
* bmo#1668123 - Export CERT_AddCertToListHeadWithData and
CERT_AddCertToListTailWithData from libnss
* bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
* bmo#1663091 - Remove unnecessary assertions in the streaming
ASN.1 decoder that affected decoding certain PKCS8
private keys when using NSS debug builds
* bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.
update to NSS 3.58
Bugs fixed:
* bmo#1641480 (CVE-2020-25648)
Tighten CCS handling for middlebox compatibility mode.
* bmo#1631890 - Add support for Hybrid Public Key Encryption
(draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello
(draft-ietf-tls-esni).
* bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto
extensions.
* bmo#1668328 - Handle spaces in the Python path name when using
gyp on Windows.
* bmo#1667153 - Add PK11_ImportDataKey for data object import.
* bmo#1665715 - Pass the embedded SCT list extension (if present)
to TrustDomain::CheckRevocation instead of the notBefore value.
update to NSS 3.57
* The following CA certificates were Added:
bmo#1663049 - CN=Trustwave Global Certification Authority
SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority
SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority
SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
* The following CA certificates were Removed:
bmo#1651211 - CN=EE Certification Centre Root CA
SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76
bmo#1656077 - O=Government Root Certification Authority; C=TW
SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
* Trust settings for the following CA certificates were Modified:
bmo#1653092 - CN=OISTE WISeKey Global Root GA CA
Websites (server authentication) trust bit removed.
* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes
update to NSS 3.56
Notable changes
* bmo#1650702 - Support SHA-1 HW acceleration on ARMv8
* bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS.
* bmo#1654142 - Add CPU feature detection for Intel SHA extension.
* bmo#1648822 - Add stricter validation of DH keys in FIPS mode.
* bmo#1656986 - Properly detect arm64 during GYP build architecture
detection.
* bmo#1652729 - Add build flag to disable RC2 and relocate to
lib/freebl/deprecated.
* bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay.
* bmo#1588941 - Send empty certificate message when scheme selection
fails.
* bmo#1652032 - Fix failure to build in Windows arm64 makefile
cross-compilation.
* bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent.
* bmo#1653975 - Fix 3.53 regression by setting 'all' as the default
makefile target.
* bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert.
* bmo#1659814 - Fix interop.sh failures with newer tls-interop
commit and dependencies.
* bmo#1656519 - NSPR dependency updated to 4.28
update to NSS 3.55
Notable changes
* P384 and P521 elliptic curve implementations are replaced with
verifiable implementations from Fiat-Crypto [0] and ECCKiila [1].
* PK11_FindCertInSlot is added. With this function, a given slot
can be queried with a DER-Encoded certificate, providing performance
and usability improvements over other mechanisms. (bmo#1649633)
* DTLS 1.3 implementation is updated to draft-38. (bmo#1647752)
Relevant Bugfixes
* bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and
P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila.
* bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature.
* bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding.
* bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part
ChaCha20 (which was not functioning correctly) and more strictly
enforce tag length.
* bmo#1649648 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649316 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649322 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1653202 - Fix initialization bug in blapitest when compiled
with NSS_DISABLE_DEPRECATED_SEED.
* bmo#1646594 - Fix AVX2 detection in makefile builds.
* bmo#1649633 - Add PK11_FindCertInSlot to search a given slot
for a DER-encoded certificate.
* bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo.
* bmo#1647752 - Update DTLS 1.3 implementation to draft-38.
* bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI.
* bmo#1649226 - Add Wycheproof ECDSA tests.
* bmo#1637222 - Consistently enforce IV requirements for DES and 3DES.
* bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in
RSA_CheckSignRecover.
* bmo#1646324 - Advertise PKCS#1 schemes for certificates in the
signature_algorithms extension.
update to NSS 3.54
Notable changes
* Support for TLS 1.3 external pre-shared keys (bmo#1603042).
* Use ARM Cryptography Extension for SHA256, when available
(bmo#1528113)
* The following CA certificates were Added:
bmo#1645186 - certSIGN Root CA G2.
bmo#1645174 - e-Szigno Root CA 2017.
bmo#1641716 - Microsoft ECC Root Certificate Authority 2017.
bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
* The following CA certificates were Removed:
bmo#1645199 - AddTrust Class 1 CA Root.
bmo#1645199 - AddTrust External CA Root.
bmo#1641718 - LuxTrust Global Root 2.
bmo#1639987 - Staat der Nederlanden Root CA - G2.
bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4.
bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4.
bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.
* A number of certificates had their Email trust bit disabled.
See bmo#1618402 for a complete list.
Bugs fixed
* bmo#1528113 - Use ARM Cryptography Extension for SHA256.
* bmo#1603042 - Add TLS 1.3 external PSK support.
* bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
* bmo#1645186 - Add 'certSIGN Root CA G2' root certificate.
* bmo#1645174 - Add Microsec's 'e-Szigno Root CA 2017' root certificate.
* bmo#1641716 - Add Microsoft's non-EV root certificates.
* bmo1621151 - Disable email trust bit for 'O=Government
Root Certification Authority; C=TW' root.
* bmo#1645199 - Remove AddTrust root certificates.
* bmo#1641718 - Remove 'LuxTrust Global Root 2' root certificate.
* bmo#1639987 - Remove 'Staat der Nederlanden Root CA - G2' root
certificate.
* bmo#1618402 - Remove Symantec root certificates and disable email trust
bit.
* bmo#1640516 - NSS 3.54 should depend on NSPR 4.26.
* bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c.
* bmo#1642153 - Fix infinite recursion building NSS.
* bmo#1642638 - Fix fuzzing assertion crash.
* bmo#1642871 - Enable SSL_SendSessionTicket after resumption.
* bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs.
* bmo#1643557 - Fix numerous compile warnings in NSS.
* bmo#1644774 - SSL gtests to use ClearServerCache when resetting
self-encrypt keys.
* bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c.
* bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding.
ModerateSUSE bug 1029961SUSE bug 1174697SUSE bug 1176206SUSE bug 1176934SUSE bug 1179382SUSE bug 1188891CVE-2020-12400 at SUSECVE-2020-12400 at NVDCVE-2020-12401 at SUSECVE-2020-12401 at NVDCVE-2020-12403 at SUSECVE-2020-12403 at NVDCVE-2020-25648 at SUSECVE-2020-25648 at NVDCVE-2020-6829 at SUSECVE-2020-6829 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql13 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql13 fixes the following issues:
- CVE-2021-3677: Fixed memory disclosure in certain queries (bsc#1189748).
- Fixed build with llvm12 on s390x (bsc#1185952).
- Re-enabled icu for PostgreSQL 10 (bsc#1179945).
- Made the dependency of postgresqlXX-server-devel on llvm and clang optional (bsc#1187751).
- llvm12 breaks PostgreSQL 11 and 12 on s390x. Use llvm11 as a workaround (bsc#1185952).
ModerateSUSE bug 1179945SUSE bug 1185952SUSE bug 1187751SUSE bug 1189748CVE-2021-3677 at SUSECVE-2021-3677 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for transfig (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for transfig fixes the following issues:
Update to version 3.2.8, including fixes for
- CVE-2021-3561: overflow in fig2dev/read.c in function read_colordef() (bsc#1186329).
- CVE-2020-21683: Fixed buffer overflow in the shade_or_tint_name_after_declare_color in genpstricks.c (bsc#1189325).
- CVE-2020-21682: Fixed buffer overflow in the set_fill component in genge.c (bsc#1189346).
- CVE-2020-21681: Fixed buffer overflow in the set_color component in genge.c (bsc#1189345).
- CVE-2020-21680: Fixed stack-based buffer overflow in the put_arrow() component in genpict2e.c (bsc#1189343).
- CVE-2019-19797: out-of-bounds write in read_colordef in read.c (bsc#1159293).
- CVE-2019-19555: stack-based buffer overflow because of an incorrect sscanf (bsc#1161698).
- CVE-2019-19746: segmentation fault and out-of-bounds write because of an integer overflow via a large arrow type (bsc#1159130).
ModerateSUSE bug 1136882SUSE bug 1159130SUSE bug 1159293SUSE bug 1161698SUSE bug 1186329SUSE bug 1189325SUSE bug 1189343SUSE bug 1189345SUSE bug 1189346CVE-2019-19555 at SUSECVE-2019-19555 at NVDCVE-2019-19746 at SUSECVE-2019-19746 at NVDCVE-2019-19797 at SUSECVE-2019-19797 at NVDCVE-2020-21680 at SUSECVE-2020-21680 at NVDCVE-2020-21681 at SUSECVE-2020-21681 at NVDCVE-2020-21682 at SUSECVE-2020-21682 at NVDCVE-2020-21683 at SUSECVE-2020-21683 at NVDCVE-2021-3561 at SUSECVE-2021-3561 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gtk-vnc (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gtk-vnc fixes the following issues:
- CVE-2017-5885: Correctly validate color map range indexes (bsc#1024268).
- CVE-2017-5884: Fix bounds checking for RRE, hextile & copyrect encodings (bsc#1024266).
- Fix crash when opening connection from a GSocketAddress (bsc#1046782).
- Fix possible crash on connection failure (bsc#1188292).
ModerateSUSE bug 1024266SUSE bug 1024268SUSE bug 1046782SUSE bug 1188292CVE-2017-5884 at SUSECVE-2017-5884 at NVDCVE-2017-5885 at SUSECVE-2017-5885 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openssl (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssl fixes the following issues:
- CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712.
Read buffer overruns processing ASN.1 strings (bsc#1189521).
LowSUSE bug 1189521CVE-2021-3712 at SUSECVE-2021-3712 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for curl (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for curl fixes the following issues:
- CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
- CVE-2021-22946: Fixed protocol downgrade required TLS bypassed (bsc#1190373).
ModerateSUSE bug 1190373SUSE bug 1190374CVE-2021-22946 at SUSECVE-2021-22946 at NVDCVE-2021-22947 at SUSECVE-2021-22947 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ghostscript (Critical)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ghostscript fixes the following issues:
- CVE-2021-3781: Fixed a trivial -dSAFER bypass command injection (bsc#1190381)
CriticalSUSE bug 1190381CVE-2021-3781 at SUSECVE-2021-3781 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
This update contains the Firefox Extended Support Release 91.1.0 ESR.
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-40 (bsc#1190269, bsc#1190274):
* CVE-2021-38492: Navigating to `mk:` URL scheme could load Internet Explorer
* CVE-2021-38495: Memory safety bugs fixed in Firefox 92 and Firefox ESR 91.1
Firefox 91.0.1esr ESR
* Fixed: Fixed an issue causing buttons on the tab bar to be
resized when loading certain websites (bug 1704404)
* Fixed: Fixed an issue which caused tabs from private windows
to be visible in non-private windows when viewing switch-to-
tab results in the address bar panel (bug 1720369)
* Fixed: Various stability fixes
* Fixed: Security fix MFSA 2021-37 (bsc#1189547)
* CVE-2021-29991 (bmo#1724896)
Header Splitting possible with HTTP/3 Responses
Firefox Extended Support Release 91.0 ESR
* New: Some of the highlights of the new Extended Support Release are:
- A number of user interface changes. For more information,
see the Firefox 89 release notes.
- Firefox now supports logging into Microsoft, work, and
school accounts using Windows single sign-on. Learn more
- On Windows, updates can now be applied in the background
while Firefox is not running.
- Firefox for Windows now offers a new page about:third-party
to help identify compatibility issues caused by third-party
applications
- Version 2 of Firefox's SmartBlock feature further improves
private browsing. Third party Facebook scripts are blocked to
prevent you from being tracked, but are now automatically
loaded 'just in time' if you decide to 'Log in with Facebook'
on any website.
- Enhanced the privacy of the Firefox Browser's Private
Browsing mode with Total Cookie Protection, which confines
cookies to the site where they were created, preventing
companis from using cookies to track your browsing across
sites. This feature was originally launched in Firefox's ETP
Strict mode.
- PDF forms now support JavaScript embedded in PDF files.
Some PDF forms use JavaScript for validation and other
interactive features.
- You'll encounter less website breakage in Private Browsing
and Strict Enhanced Tracking Protection with SmartBlock,
which provides stand-in scripts so that websites load
properly.
- Improved Print functionality with a cleaner design and
better integration with your computer's printer settings.
- Firefox now protects you from supercookies, a type of
tracker that can stay hidden in your browser and track you
online, even after you clear cookies. By isolating
supercookies, Firefox prevents them from tracking your web
browsing from one site to the next.
- Firefox now remembers your preferred location for saved
bookmarks, displays the bookmarks toolbar by default on new
tabs, and gives you easy access to all of your bookmarks via
a toolbar folder.
- Native support for macOS devices built with Apple Silicon
CPUs brings dramatic performance improvements over the non-
native build that was shipped in Firefox 83: Firefox launches
over 2.5 times faster and web apps are now twice as
responsive (per the SpeedoMeter 2.0 test). If you are on a
new Apple device, follow these steps to upgrade to the latest
Firefox.
- Pinch zooming will now be supported for our users with
Windows touchscreen devices and touchpads on Mac devices.
Firefox users may now use pinch to zoom on touch-capable
devices to zoom in and out of webpages.
- We’ve improved functionality and design for a number of
Firefox search features:
* Selecting a search engine at the bottom of the search
panel now enters search mode for that engine, allowing you to
see suggestions (if available) for your search terms. The old
behavior (immediately performing a search) is available with
a shift-click.
* When Firefox autocompletes the URL of one of your search
engines, you can now search with that engine directly in the
address bar by selecting the shortcut in the address bar
results.
* We’ve added buttons at the bottom of the search panel to
allow you to search your bookmarks, open tabs, and history.
- Firefox supports AcroForm, which will allow you to fill in,
print, and save supported PDF forms and the PDF viewer also
has a new fresh look.
- For our users in the US and Canada, Firefox can now save,
manage, and auto-fill credit card information for you, making
shopping on Firefox ever more convenient.
- In addition to our default, dark and light themes, with
this release, Firefox introduces the Alpenglow theme: a
colorful appearance for buttons, menus, and windows. You can
update your Firefox themes under settings or preferences.
* Changed: Firefox no longer supports Adobe Flash. There is no
setting available to re-enable Flash support.
* Enterprise: Various bug fixes and new policies have been
implemented in the latest version of Firefox. See more
details in the Firefox for Enterprise 91 Release Notes.
MFSA 2021-33 (bsc#1188891):
* CVE-2021-29986: Race condition when resolving DNS names could have led to
memory corruption
* CVE-2021-29981: Live range splitting could have led to conflicting
assignments in the JIT
* CVE-2021-29988: Memory corruption as a result of incorrect style treatment
* CVE-2021-29983: Firefox for Android could get stuck in fullscreen mode
* CVE-2021-29984: Incorrect instruction reordering during JIT optimization
* CVE-2021-29980: Uninitialized memory in a canvas object could have led to
memory corruption
* CVE-2021-29987: Users could have been tricked into accepting unwanted
permissions on Linux
* CVE-2021-29985: Use-after-free media channels
* CVE-2021-29982: Single bit data leak due to incorrect JIT optimization and
type confusion
* CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
* CVE-2021-29990: Memory safety bugs fixed in Firefox 91
ImportantSUSE bug 1188891SUSE bug 1189547SUSE bug 1190269SUSE bug 1190274CVE-2021-29980 at SUSECVE-2021-29980 at NVDCVE-2021-29981 at SUSECVE-2021-29981 at NVDCVE-2021-29982 at SUSECVE-2021-29982 at NVDCVE-2021-29983 at SUSECVE-2021-29983 at NVDCVE-2021-29984 at SUSECVE-2021-29984 at NVDCVE-2021-29985 at SUSECVE-2021-29985 at NVDCVE-2021-29986 at SUSECVE-2021-29986 at NVDCVE-2021-29987 at SUSECVE-2021-29987 at NVDCVE-2021-29988 at SUSECVE-2021-29988 at NVDCVE-2021-29989 at SUSECVE-2021-29989 at NVDCVE-2021-29990 at SUSECVE-2021-29990 at NVDCVE-2021-29991 at SUSECVE-2021-29991 at NVDCVE-2021-38492 at SUSECVE-2021-38492 at NVDCVE-2021-38495 at SUSECVE-2021-38495 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 6 Fix Pack 20 [bsc#1180063,bsc#1177943]
CVE-2020-14792 CVE-2020-14797 CVE-2020-14781 CVE-2020-14779
CVE-2020-14798 CVE-2020-14796 CVE-2020-14803
* Class libraries:
- SOCKETADAPTOR$SOCKETINPUTSTREAM.READ is blocking for more time
that the set timeout
- Z/OS specific C function send_file is changing the file pointer
position
* Java Virtual Machine:
- Crash on iterate java stack
- Java process hang on SIGTERM
* JIT Compiler:
- JMS performance regression from JDK8 SR5 FP40 TO FP41
* Class Libraries:
- z15 high utilization following Z/VM and Linux migration from
z14 To z15
* Java Virtual Machine:
- Assertion failed when trying to write a class file
- Assertion failure at modronapi.cpp
- Improve the performance of defining and finding classes
* JIT Compiler:
- An assert in ppcbinaryencoding.cpp may trigger when running
with traps disabled on power
- AOT field offset off by n bytes
- Segmentation fault in jit module on ibm z platform ModerateSUSE bug 1177943SUSE bug 1180063CVE-2020-14779 at SUSECVE-2020-14779 at NVDCVE-2020-14781 at SUSECVE-2020-14781 at NVDCVE-2020-14792 at SUSECVE-2020-14792 at NVDCVE-2020-14796 at SUSECVE-2020-14796 at NVDCVE-2020-14797 at SUSECVE-2020-14797 at NVDCVE-2020-14798 at SUSECVE-2020-14798 at NVDCVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for hivex (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for hivex fixes the following issues:
- CVE-2021-3622: Fixed stack overflow due to recursive call of _get_children() (bsc#1189060).
ModerateSUSE bug 1189060CVE-2021-3622 at SUSECVE-2021-3622 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
- CVE-2021-28701: Fixed race condition in XENMAPSPACE_grant_table handling (XSA-384) (bsc#1189632).
- Integrate bugfixes (bsc#1189373, bsc#1189378).
ImportantSUSE bug 1189373SUSE bug 1189378SUSE bug 1189632CVE-2021-28701 at SUSECVE-2021-28701 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gd (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gd fixes the following issues:
- CVE-2021-40812: Fixed out-of-bounds read caused by the lack of certain gdGetBuf and gdPutBuf return value checks (bsc#1190400).
ModerateSUSE bug 1190400CVE-2021-40812 at SUSECVE-2021-40812 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for sqlite3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for sqlite3 fixes the following issues:
sqlite3 is sync version 3.36.0 from Factory (jsc#SLE-16032).
The following CVEs have been fixed in upstream releases up to
this point, but were not mentioned in the change log so far:
* bsc#1173641, CVE-2020-15358: heap-based buffer overflow in
multiSelectOrderBy due to mishandling of query-flattener
optimization
* bsc#1164719, CVE-2020-9327: NULL pointer dereference and
segmentation fault because of generated column optimizations in
isAuxiliaryVtabOperator
* bsc#1160439, CVE-2019-20218: selectExpander in select.c proceeds
with WITH stack unwinding even after a parsing error
* bsc#1160438, CVE-2019-19959: memory-management error via
ext/misc/zipfile.c involving embedded '\0' input
* bsc#1160309, CVE-2019-19923: improper handling of certain uses
of SELECT DISTINCT in flattenSubquery may lead to null pointer
dereference
* bsc#1159850, CVE-2019-19924: improper error handling in
sqlite3WindowRewrite()
* bsc#1159847, CVE-2019-19925: improper handling of NULL pathname
during an update of a ZIP archive
* bsc#1159715, CVE-2019-19926: improper handling of certain
errors during parsing multiSelect in select.c
* bsc#1159491, CVE-2019-19880: exprListAppendList in window.c
allows attackers to trigger an invalid pointer dereference
* bsc#1158960, CVE-2019-19603: during handling of CREATE TABLE
and CREATE VIEW statements, does not consider confusion with
a shadow table name
* bsc#1158959, CVE-2019-19646: pragma.c mishandles NOT NULL in an
integrity_check PRAGMA command in certain cases of generated
columns
* bsc#1158958, CVE-2019-19645: alter.c allows attackers to trigger
infinite recursion via certain types of self-referential views
in conjunction with ALTER TABLE statements
* bsc#1158812, CVE-2019-19317: lookupName in resolve.c omits bits
from the colUsed bitmask in the case of a generated column,
which allows attackers to cause a denial of service
* bsc#1157818, CVE-2019-19244: sqlite3,sqlite2,sqlite: The
function sqlite3Select in select.c allows a crash if a
sub-select uses both DISTINCT and window functions, and also
has certain ORDER BY usage
* bsc#928701, CVE-2015-3415: sqlite3VdbeExec comparison operator
vulnerability
* bsc#928700, CVE-2015-3414: sqlite3,sqlite2: dequoting of
collation-sequence names
* CVE-2020-13434 bsc#1172115: integer overflow in
sqlite3_str_vappendf
* CVE-2020-13630 bsc#1172234: use-after-free in fts3EvalNextRow
* CVE-2020-13631 bsc#1172236: virtual table allowed to be renamed
to one of its shadow tables
* CVE-2020-13632 bsc#1172240: NULL pointer dereference via
crafted matchinfo() query
* CVE-2020-13435: Malicious SQL statements could have crashed the
process that is running SQLite (bsc#1172091)
ImportantSUSE bug 1157818SUSE bug 1158812SUSE bug 1158958SUSE bug 1158959SUSE bug 1158960SUSE bug 1159491SUSE bug 1159715SUSE bug 1159847SUSE bug 1159850SUSE bug 1160309SUSE bug 1160438SUSE bug 1160439SUSE bug 1164719SUSE bug 1172091SUSE bug 1172115SUSE bug 1172234SUSE bug 1172236SUSE bug 1172240SUSE bug 1173641SUSE bug 928700SUSE bug 928701CVE-2015-3414 at SUSECVE-2015-3414 at NVDCVE-2015-3415 at SUSECVE-2015-3415 at NVDCVE-2016-6153 at SUSECVE-2016-6153 at NVDCVE-2017-10989 at SUSECVE-2017-10989 at NVDCVE-2017-2518 at SUSECVE-2017-2518 at NVDCVE-2018-20346 at SUSECVE-2018-20346 at NVDCVE-2018-8740 at SUSECVE-2018-8740 at NVDCVE-2019-16168 at SUSECVE-2019-16168 at NVDCVE-2019-19244 at SUSECVE-2019-19244 at NVDCVE-2019-19317 at SUSECVE-2019-19317 at NVDCVE-2019-19603 at SUSECVE-2019-19603 at NVDCVE-2019-19645 at SUSECVE-2019-19645 at NVDCVE-2019-19646 at SUSECVE-2019-19646 at NVDCVE-2019-19880 at SUSECVE-2019-19880 at NVDCVE-2019-19923 at SUSECVE-2019-19923 at NVDCVE-2019-19924 at SUSECVE-2019-19924 at NVDCVE-2019-19925 at SUSECVE-2019-19925 at NVDCVE-2019-19926 at SUSECVE-2019-19926 at NVDCVE-2019-19959 at SUSECVE-2019-19959 at NVDCVE-2019-20218 at SUSECVE-2019-20218 at NVDCVE-2019-8457 at SUSECVE-2019-8457 at NVDCVE-2020-13434 at SUSECVE-2020-13434 at NVDCVE-2020-13435 at SUSECVE-2020-13435 at NVDCVE-2020-13630 at SUSECVE-2020-13630 at NVDCVE-2020-13631 at SUSECVE-2020-13631 at NVDCVE-2020-13632 at SUSECVE-2020-13632 at NVDCVE-2020-15358 at SUSECVE-2020-15358 at NVDCVE-2020-9327 at SUSECVE-2020-9327 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for atftp (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for atftp fixes the following issues:
- CVE-2021-41054: Fixed buffer overflow caused by combination of data, OACK, and other options (bsc#1190522).
ModerateSUSE bug 1190522CVE-2021-41054 at SUSECVE-2021-41054 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python-urllib3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-urllib3 fixes the following security issue:
- CVE-2020-26137: A CRLF injection via HTTP request method was fixed (bsc#1177120)
Note that this was fixed in a previous version update to 1.25.9, this update just complements the tracking.
ModerateSUSE bug 1177120CVE-2020-26137 at SUSECVE-2020-26137 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for glibc (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for glibc fixes the following issues:
Security issues fixed:
- CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911)
- CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489)
Also the following bug was fixed:
- Avoid concurrency problem in ldconfig (bsc#1117993)
ModerateSUSE bug 1117993SUSE bug 1186489SUSE bug 1187911CVE-2021-33574 at SUSECVE-2021-33574 at NVDCVE-2021-35942 at SUSECVE-2021-35942 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.32.4
- CVE-2021-30858: Fixed a security bug that could allow maliciously crafted web content to achieve arbitrary code execution. (bsc#1190701)
- CVE-2021-21806: Fixed an exploitable use-after-free vulnerability via specially crafted HTML web page. (bsc#1188697)
ImportantSUSE bug 1188697SUSE bug 1190701CVE-2021-21806 at SUSECVE-2021-21806 at NVDCVE-2021-30858 at SUSECVE-2021-30858 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for apache2 fixes the following issues:
- CVE-2021-40438: Fixed a SRF via a crafted request uri-path. (bsc#1190703)
- CVE-2021-39275: Fixed an out-of-bounds write in ap_escape_quotes() via malicious input. (bsc#1190666)
- CVE-2021-34798: Fixed a NULL pointer dereference via malformed requests. (bsc#1190669)
ImportantSUSE bug 1190666SUSE bug 1190669SUSE bug 1190703CVE-2021-34798 at SUSECVE-2021-34798 at NVDCVE-2021-39275 at SUSECVE-2021-39275 at NVDCVE-2021-40438 at SUSECVE-2021-40438 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python36 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python36 fixes the following issues:
- Update to 3.6.15:
- CVE-2021-3737: Fixed a DoS caused by infinitely reading potential HTTP headers after a 100 Continue status response from the server. (bsc#1189241)
- CVE-2021-3426: Fixed an information disclosure via pydoc. (bsc#1183374)
- CVE-2021-3733: Fixed a ReDoS in urllib.request. (bsc#1189287)
ModerateSUSE bug 1180125SUSE bug 1183374SUSE bug 1183858SUSE bug 1185588SUSE bug 1189241SUSE bug 1189287CVE-2021-3426 at SUSECVE-2021-3426 at NVDCVE-2021-3733 at SUSECVE-2021-3733 at NVDCVE-2021-3737 at SUSECVE-2021-3737 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libqt5-qtsvg (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libqt5-qtsvg fixes the following issues:
- CVE-2021-3481: Fixed an out of bounds read in function QRadialFetchSimd from crafted svg file. (bsc#1184783)
ModerateSUSE bug 1184783CVE-2021-3481 at SUSECVE-2021-3481 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3 fixes the following issues:
- Provide the newest setuptools wheel (bsc#1176262,
CVE-2019-20916) in their correct form (bsc#1180686).
ImportantSUSE bug 1176262SUSE bug 1180686CVE-2019-20916 at SUSECVE-2019-20916 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.2.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-45 (bsc#1191332)
* CVE-2021-38496: Use-after-free in MessageTask
* CVE-2021-38497: Validation message could have been overlaid on another origin
* CVE-2021-38498: Use-after-free of nsLanguageAtomService object
* CVE-2021-32810: Fixed Data race in crossbeam-deque
* CVE-2021-38500: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2
* CVE-2021-38501: Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2
- Fixed crash in FIPS mode (bsc#1190710)
ImportantSUSE bug 1190710SUSE bug 1191332CVE-2021-32810 at SUSECVE-2021-32810 at NVDCVE-2021-38496 at SUSECVE-2021-38496 at NVDCVE-2021-38497 at SUSECVE-2021-38497 at NVDCVE-2021-38498 at SUSECVE-2021-38498 at NVDCVE-2021-38500 at SUSECVE-2021-38500 at NVDCVE-2021-38501 at SUSECVE-2021-38501 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for util-linux (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for util-linux fixes the following issues:
- CVE-2021-37600: Fixed an integer overflow which could lead to buffer overflow in get_sem_elements. (bsc#1188921)
- Prevent outdated pam files (bsc#1082293, bsc#1081947#c68).
- Do not trim read-only volumes (bsc#1106214).
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Reload issue only if it is really needed (bsc#1085196)
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- blockdev: Do not fail --report on kpartx-style partitions on multipath. (bsc#1168235)
- nologin: Add support for -c to prevent error from su -c. (bsc#1151708)
- Avoid triggering autofs in lookup_umount_fs_by_statfs. (bsc#1168389)
- libblkid: Do not trigger CDROM autoclose. (bsc#1084671)
- Avoid sulogin failing on not existing or not functional console devices. (bsc#1175514)
- Build with libudev support to support non-root users. (bsc#1169006)
- lscpu: avoid segfault on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
- Fix for warning on mounts to CIFS with mount. (SG#57988, bsc#1174942)
ModerateSUSE bug 1081947SUSE bug 1082293SUSE bug 1084671SUSE bug 1085196SUSE bug 1106214SUSE bug 1122417SUSE bug 1125886SUSE bug 1135534SUSE bug 1135708SUSE bug 1151708SUSE bug 1168235SUSE bug 1168389SUSE bug 1169006SUSE bug 1174942SUSE bug 1175514SUSE bug 1175623SUSE bug 1178236SUSE bug 1178554SUSE bug 1178825SUSE bug 1188921CVE-2021-37600 at SUSECVE-2021-37600 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for strongswan (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for strongswan fixes the following issues:
- CVE-2021-41991: Fixed an integer overflow when replacing certificates in cache. (bsc#1191435)
ImportantSUSE bug 1191435CVE-2021-41991 at SUSECVE-2021-41991 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3 fixes the following issues:
- CVE-2021-3737: Fixed http client infinite line reading (DoS) after a http 100. (bsc#1189241)
- CVE-2021-3733: Fixed ReDoS in urllib.request. (bsc#1189287)
ModerateSUSE bug 1187668SUSE bug 1189241SUSE bug 1189287CVE-2021-3733 at SUSECVE-2021-3733 at NVDCVE-2021-3737 at SUSECVE-2021-3737 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql10 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql10 fixes the following issues:
- Fix for build with llvm12 on s390x. (bsc#1185952)
- Re-enable 'icu' for PostgreSQL 10. (bsc#1179945)
- Add postgresqlXX-server-devel as a dependency for postgresql13-server-devel. (bsc#1187751)
- Upgrade to version 10.18. (bsc#1190177)
Upgrade to version 10.17 (already released for SUSE Linux Enterprise 12 SP5):
- CVE-2021-32027: Fixed integer overflows in array subscripting calculations (bsc#1185924).
- CVE-2021-32028: Fixed mishandling of junk columns in INSERT ... ON CONFLICT ... UPDATE target lists (bsc#1185925).
- Don't use %_stop_on_removal, because it was meant to be private and got removed from openSUSE. %_restart_on_update is also private, but still supported and needed for now (bsc#1183168).
- Re-enable build of the llvmjit subpackage on SLE, but it will only be delivered on PackageHub for now (bsc#1183118).
- Disable icu for PostgreSQL 10 (and older) on TW (bsc#1179945).
- Fixed an issue droping irregular warning messages by removing the package. (bsc#1178961)
- Fixed an issue when build does not build the requiements to avoid dangling symlinks in the devel package. (bsc#1179765)
- Fix recently-added timetz test case so it works when the USA is not observing daylight savings time.
ImportantSUSE bug 1178961SUSE bug 1179765SUSE bug 1179945SUSE bug 1183118SUSE bug 1183168SUSE bug 1185924SUSE bug 1185925SUSE bug 1185952SUSE bug 1187751SUSE bug 1190177CVE-2021-32027 at SUSECVE-2021-32027 at NVDCVE-2021-32028 at SUSECVE-2021-32028 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for git (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for git fixes the following issues:
- CVE-2021-40330: Fixed unexpected cross-protocol requests via newline character in git_connect_git repository path (bsc#1189992).
LowSUSE bug 1189992CVE-2021-40330 at SUSECVE-2021-40330 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ncurses (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ncurses fixes the following issues:
- CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)
ModerateSUSE bug 1190793CVE-2021-39537 at SUSECVE-2021-39537 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for fetchmail (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for fetchmail fixes the following issues:
- CVE-2021-39272: Fix failure to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH. (bsc#1190069)
ModerateSUSE bug 1190069CVE-2021-39272 at SUSECVE-2021-39272 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for cairo (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for cairo fixes the following issues:
- CVE-2019-6462: Fixed a potentially infinite loop (bsc#1122321).
LowSUSE bug 1122321CVE-2019-6462 at SUSECVE-2019-6462 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for open-lldp (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for open-lldp fixes the following issues:
- CVE-2018-10932: Fixed an improper sanitization of shell-escape codes. (bsc#1104624)
ModerateSUSE bug 1104624CVE-2018-10932 at SUSECVE-2018-10932 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python fixes the following issues:
- CVE-2021-3737: Fixed http client infinite line reading (DoS) after a http 100. (bsc#1189241)
- CVE-2021-3733: Fixed ReDoS in urllib.request. (bsc#1189287)
ModerateSUSE bug 1189241SUSE bug 1189287CVE-2021-3733 at SUSECVE-2021-3733 at NVDCVE-2021-3737 at SUSECVE-2021-3737 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for opensc (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for opensc fixes the following issues:
- CVE-2021-42780: Fixed use after return in insert_pin() (bsc#1192005).
- CVE-2021-42779: Fixed use after free in sc_file_valid() (bsc#1191992).
- CVE-2021-42781: Fixed multiple heap buffer overflows in pkcs15-oberthur.c (bsc#1192000).
- CVE-2021-42782: Stack buffer overflow issues in various places (bsc#1191957).
ImportantSUSE bug 1191957SUSE bug 1191992SUSE bug 1192000SUSE bug 1192005CVE-2021-42779 at SUSECVE-2021-42779 at NVDCVE-2021-42780 at SUSECVE-2021-42780 at NVDCVE-2021-42781 at SUSECVE-2021-42781 at NVDCVE-2021-42782 at SUSECVE-2021-42782 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for transfig (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for transfig fixes the following issues:
Update to fig2dev version 3.2.8 Patchlevel 8b (Aug 2021)
- bsc#1190618, CVE-2020-21529: stack buffer overflow in the bezier_spline function in genepic.c.
- bsc#1190615, CVE-2020-21530: segmentation fault in the read_objects function in read.c.
- bsc#1190617, CVE-2020-21531: global buffer overflow in the conv_pattern_index function in gencgm.c.
- bsc#1190616, CVE-2020-21532: global buffer overflow in the setfigfont function in genepic.c.
- bsc#1190612, CVE-2020-21533: stack buffer overflow in the read_textobject function in read.c.
- bsc#1190611, CVE-2020-21534: global buffer overflow in the get_line function in read.c.
- bsc#1190607, CVE-2020-21535: segmentation fault in the gencgm_start function in gencgm.c.
- bsc#1192019, CVE-2021-32280: NULL pointer dereference in compute_closed_spline() in trans_spline.c
ImportantSUSE bug 1190607SUSE bug 1190611SUSE bug 1190612SUSE bug 1190615SUSE bug 1190616SUSE bug 1190617SUSE bug 1190618SUSE bug 1192019CVE-2020-21529 at SUSECVE-2020-21529 at NVDCVE-2020-21530 at SUSECVE-2020-21530 at NVDCVE-2020-21531 at SUSECVE-2020-21531 at NVDCVE-2020-21532 at SUSECVE-2020-21532 at NVDCVE-2020-21533 at SUSECVE-2020-21533 at NVDCVE-2020-21534 at SUSECVE-2020-21534 at NVDCVE-2020-21535 at SUSECVE-2020-21535 at NVDCVE-2021-32280 at SUSECVE-2021-32280 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for binutils (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for binutils fixes the following issues:
Update to binutils 2.37:
* The GNU Binutils sources now requires a C99 compiler and library to
build.
* Support for the arm-symbianelf format has been removed.
* Support for Realm Management Extension (RME) for AArch64 has been
added.
* A new linker option '-z report-relative-reloc' for x86 ELF targets
has been added to report dynamic relative relocations.
* A new linker option '-z start-stop-gc' has been added to disable
special treatment of __start_*/__stop_* references when
--gc-sections.
* A new linker options '-Bno-symbolic' has been added which will
cancel the '-Bsymbolic' and '-Bsymbolic-functions' options.
* The readelf tool has a new command line option which can be used to
specify how the numeric values of symbols are reported.
--sym-base=0|8|10|16 tells readelf to display the values in base 8,
base 10 or base 16. A sym base of 0 represents the default action
of displaying values under 10000 in base 10 and values above that in
base 16.
* A new format has been added to the nm program. Specifying
'--format=just-symbols' (or just using -j) will tell the program to
only display symbol names and nothing else.
* A new command line option '--keep-section-symbols' has been added to
objcopy and strip. This stops the removal of unused section symbols
when the file is copied. Removing these symbols saves space, but
sometimes they are needed by other tools.
* The '--weaken', '--weaken-symbol' and '--weaken-symbols' options
supported by objcopy now make undefined symbols weak on targets that
support weak symbols.
* Readelf and objdump can now display and use the contents of .debug_sup
sections.
* Readelf and objdump will now follow links to separate debug info
files by default. This behaviour can be stopped via the use of the
new '-wN' or '--debug-dump=no-follow-links' options for readelf and
the '-WN' or '--dwarf=no-follow-links' options for objdump. Also
the old behaviour can be restored by the use of the
'--enable-follow-debug-links=no' configure time option.
The semantics of the =follow-links option have also been slightly
changed. When enabled, the option allows for the loading of symbol
tables and string tables from the separate files which can be used
to enhance the information displayed when dumping other sections,
but it does not automatically imply that information from the
separate files should be displayed.
If other debug section display options are also enabled (eg
'--debug-dump=info') then the contents of matching sections in both
the main file and the separate debuginfo file *will* be displayed.
This is because in most cases the debug section will only be present
in one of the files.
If however non-debug section display options are enabled (eg
'--sections') then the contents of matching parts of the separate
debuginfo file will *not* be displayed. This is because in most
cases the user probably only wanted to load the symbol information
from the separate debuginfo file. In order to change this behaviour
a new command line option --process-links can be used. This will
allow di0pslay options to applied to both the main file and any
separate debuginfo files.
* Nm has a new command line option: '--quiet'. This suppresses 'no
symbols' diagnostic.
Update to binutils 2.36:
New features in the Assembler:
General:
* When setting the link order attribute of ELF sections, it is now
possible to use a numeric section index instead of symbol name.
* Added a .nop directive to generate a single no-op instruction in
a target neutral manner. This instruction does have an effect on
DWARF line number generation, if that is active.
* Removed --reduce-memory-overheads and --hash-size as gas now
uses hash tables that can be expand and shrink automatically.
X86/x86_64:
* Add support for AVX VNNI, HRESET, UINTR, TDX, AMX and Key
Locker instructions.
* Support non-absolute segment values for lcall and ljmp.
* Add {disp16} pseudo prefix to x86 assembler.
* Configure with --enable-x86-used-note by default for Linux/x86.
ARM/AArch64:
* Add support for Cortex-A78, Cortex-A78AE and Cortex-X1,
Cortex-R82, Neoverse V1, and Neoverse N2 cores.
* Add support for ETMv4 (Embedded Trace Macrocell), ETE (Embedded
Trace Extension), TRBE (Trace Buffer Extension), CSRE (Call
Stack Recorder Extension) and BRBE (Branch Record Buffer
Extension) system registers.
* Add support for Armv8-R and Armv8.7-A ISA extensions.
* Add support for DSB memory nXS barrier, WFET and WFIT
instruction for Armv8.7.
* Add support for +csre feature for -march. Add CSR PDEC
instruction for CSRE feature in AArch64.
* Add support for +flagm feature for -march in Armv8.4 AArch64.
* Add support for +ls64 feature for -march in Armv8.7
AArch64. Add atomic 64-byte load/store instructions for this
feature.
* Add support for +pauth (Pointer Authentication) feature for
-march in AArch64.
New features in the Linker:
* Add --error-handling-script=<NAME> command line option to allow
a helper script to be invoked when an undefined symbol or a
missing library is encountered. This option can be suppressed
via the configure time switch: --enable-error-handling-script=no.
* Add -z x86-64-{baseline|v[234]} to the x86 ELF linker to mark
x86-64-{baseline|v[234]} ISA level as needed.
* Add -z unique-symbol to avoid duplicated local symbol names.
* The creation of PE format DLLs now defaults to using a more
secure set of DLL characteristics.
* The linker now deduplicates the types in .ctf sections. The new
command-line option --ctf-share-types describes how to do this:
its default value, share-unconflicted, produces the most compact
output.
* The linker now omits the 'variable section' from .ctf sections
by default, saving space. This is almost certainly what you
want unless you are working on a project that has its own
analogue of symbol tables that are not reflected in the ELF
symtabs.
New features in other binary tools:
* The ar tool's previously unused l modifier is now used for
specifying dependencies of a static library. The arguments of
this option (or --record-libdeps long form option) will be
stored verbatim in the __.LIBDEP member of the archive, which
the linker may read at link time.
* Readelf can now display the contents of LTO symbol table
sections when asked to do so via the --lto-syms command line
option.
* Readelf now accepts the -C command line option to enable the
demangling of symbol names. In addition the --demangle=<style>,
--no-demangle, --recurse-limit and --no-recurse-limit options
are also now availale.
Update to binutils 2.35.1:
* This is a point release over the previous 2.35 version, containing bug
fixes, and as an exception to the usual rule, one new feature. The
new feature is the support for a new directive in the assembler:
'.nop'. This directive creates a single no-op instruction in whatever
encoding is correct for the target architecture. Unlike the .space or
.fill this is a real instruction, and it does affect the generation of
DWARF line number tables, should they be enabled.
Update to binutils 2.35:
* The assembler can now produce DWARF-5 format line number tables.
* Readelf now has a 'lint' mode to enable extra checks of the files it is processing.
* Readelf will now display '[...]' when it has to truncate a symbol name.
The old behaviour - of displaying as many characters as possible, up to
the 80 column limit - can be restored by the use of the --silent-truncation
option.
* The linker can now produce a dependency file listing the inputs that it
has processed, much like the -M -MP option supported by the compiler.
Update to binutils 2.34:
* The disassembler (objdump --disassemble) now has an option to
generate ascii art thats show the arcs between that start and end
points of control flow instructions.
* The binutils tools now have support for debuginfod. Debuginfod is a
HTTP service for distributing ELF/DWARF debugging information as
well as source code. The tools can now connect to debuginfod
servers in order to download debug information about the files that
they are processing.
* The assembler and linker now support the generation of ELF format
files for the Z80 architecture.
Update to binutils 2.33.1:
* Adds support for the Arm Scalable Vector Extension version 2
(SVE2) instructions, the Arm Transactional Memory Extension (TME)
instructions and the Armv8.1-M Mainline and M-profile Vector
Extension (MVE) instructions.
* Adds support for the Arm Cortex-A76AE, Cortex-A77 and Cortex-M35P
processors and the AArch64 Cortex-A34, Cortex-A65, Cortex-A65AE,
Cortex-A76AE, and Cortex-A77 processors.
* Adds a .float16 directive for both Arm and AArch64 to allow
encoding of 16-bit floating point literals.
* For MIPS, Add -m[no-]fix-loongson3-llsc option to fix (or not)
Loongson3 LLSC Errata. Add a --enable-mips-fix-loongson3-llsc=[yes|no]
configure time option to set the default behavior. Set the default
if the configure option is not used to 'no'.
* The Cortex-A53 Erratum 843419 workaround now supports a choice of
which workaround to use. The option --fix-cortex-a53-843419 now
takes an optional argument --fix-cortex-a53-843419[=full|adr|adrp]
which can be used to force a particular workaround to be used.
See --help for AArch64 for more details.
* Add support for GNU_PROPERTY_AARCH64_FEATURE_1_BTI and
GNU_PROPERTY_AARCH64_FEATURE_1_PAC in ELF GNU program properties
in the AArch64 ELF linker.
* Add -z force-bti for AArch64 to enable GNU_PROPERTY_AARCH64_FEATURE_1_BTI
on output while warning about missing GNU_PROPERTY_AARCH64_FEATURE_1_BTI
on inputs and use PLTs protected with BTI.
* Add -z pac-plt for AArch64 to pick PAC enabled PLTs.
* Add --source-comment[=<txt>] option to objdump which if present,
provides a prefix to source code lines displayed in a disassembly.
* Add --set-section-alignment <section-name>=<power-of-2-align>
option to objcopy to allow the changing of section alignments.
* Add --verilog-data-width option to objcopy for verilog targets to
control width of data elements in verilog hex format.
* The separate debug info file options of readelf (--debug-dump=links
and --debug-dump=follow) and objdump (--dwarf=links and
--dwarf=follow-links) will now display and/or follow multiple
links if more than one are present in a file. (This usually
happens when gcc's -gsplit-dwarf option is used).
In addition objdump's --dwarf=follow-links now also affects its
other display options, so that for example, when combined with
--syms it will cause the symbol tables in any linked debug info
files to also be displayed. In addition when combined with
--disassemble the --dwarf= follow-links option will ensure that
any symbol tables in the linked files are read and used when
disassembling code in the main file.
* Add support for dumping types encoded in the Compact Type Format
to objdump and readelf.
The following security fixes are addressed by the update:
- CVE-2021-20197: Fixed a race condition which allows users to own arbitrary files (bsc#1181452).
- CVE-2021-20284: Fixed a heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c (bsc#1183511).
- CVE-2021-3487: Fixed a denial of service via excessive debug section size causing excessive memory consumption in bfd's dwarf2.c read_section() (bsc#1184620).
- CVE-2020-35448: Fixed a heap-based buffer over-read in bfd_getl_signed_32() in libbfd.c (bsc#1184794).
- CVE-2020-16590: Fixed a double free vulnerability in process_symbol_table() (bsc#1179898).
- CVE-2020-16591: Fixed an invalid read in process_symbol_table() (bsc#1179899).
- CVE-2020-16592: Fixed an use-after-free in bfd_hash_lookup() (bsc#1179900).
- CVE-2020-16593: Fixed a null pointer dereference in scan_unit_for_symbols() (bsc#1179901).
- CVE-2020-16598: Fixed a null pointer dereference in debug_get_real_type() (bsc#1179902).
- CVE-2020-16599: Fixed a null pointer dereference in _bfd_elf_get_symbol_version_string() (bsc#1179903)
- CVE-2020-35493: Fixed heap-based buffer overflow in bfd_pef_parse_function_stubs function in bfd/pef.c via crafted PEF file (bsc#1180451).
- CVE-2020-35496: Fixed multiple null pointer dereferences in bfd module due to not checking return value of bfd_malloc (bsc#1180454).
- CVE-2020-35507: Fixed a null pointer dereference in bfd_pef_parse_function_stubs() (bsc#1180461).
- CVE-2019-17451: Fixed an integer overflow leading to a SEGV in _bfd_dwarf2_find_nearest_line() in dwarf2.c (bsc#1153768).
- CVE-2019-17450: Fixed a potential denial of service in find_abstract_instance() in dwarf2.c (bsc#1153770).
- CVE-2019-9077: Fixed a heap-based buffer overflow in process_mips_specific() in readelf.c via a malformed MIPS option section (bsc#1126826).
- CVE-2019-9075: Fixed a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap() in archive64.c (bsc#1126829).
- CVE-2019-9074: Fixed a out-of-bounds read leading to a SEGV in bfd_getl32() in libbfd.c (bsc#1126831).
- CVE-2019-12972: Fixed a heap-based buffer over-read in _bfd_doprnt() in bfd.c (bsc#1140126).
- CVE-2019-14444: Fixed an integer overflow apply_relocations() in readelf.c (bsc#1143609).
- CVE-2019-14250: Fixed an integer overflow in simple_object_elf_match() in simple-object-elf.c (bsc#1142649).
ModerateSUSE bug 1126826SUSE bug 1126829SUSE bug 1126831SUSE bug 1140126SUSE bug 1142649SUSE bug 1143609SUSE bug 1153768SUSE bug 1153770SUSE bug 1157755SUSE bug 1160254SUSE bug 1160590SUSE bug 1163333SUSE bug 1163744SUSE bug 1179036SUSE bug 1179341SUSE bug 1179898SUSE bug 1179899SUSE bug 1179900SUSE bug 1179901SUSE bug 1179902SUSE bug 1179903SUSE bug 1180451SUSE bug 1180454SUSE bug 1180461SUSE bug 1181452SUSE bug 1182252SUSE bug 1183511SUSE bug 1184620SUSE bug 1184794CVE-2019-12972 at SUSECVE-2019-12972 at NVDCVE-2019-14250 at SUSECVE-2019-14250 at NVDCVE-2019-14444 at SUSECVE-2019-14444 at NVDCVE-2019-17450 at SUSECVE-2019-17450 at NVDCVE-2019-17451 at SUSECVE-2019-17451 at NVDCVE-2019-9074 at SUSECVE-2019-9074 at NVDCVE-2019-9075 at SUSECVE-2019-9075 at NVDCVE-2019-9077 at SUSECVE-2019-9077 at NVDCVE-2020-16590 at SUSECVE-2020-16590 at NVDCVE-2020-16591 at SUSECVE-2020-16591 at NVDCVE-2020-16592 at SUSECVE-2020-16592 at NVDCVE-2020-16593 at SUSECVE-2020-16593 at NVDCVE-2020-16598 at SUSECVE-2020-16598 at NVDCVE-2020-16599 at SUSECVE-2020-16599 at NVDCVE-2020-35448 at SUSECVE-2020-35448 at NVDCVE-2020-35493 at SUSECVE-2020-35493 at NVDCVE-2020-35496 at SUSECVE-2020-35496 at NVDCVE-2020-35507 at SUSECVE-2020-35507 at NVDCVE-2021-20197 at SUSECVE-2021-20197 at NVDCVE-2021-20284 at SUSECVE-2021-20284 at NVDCVE-2021-3487 at SUSECVE-2021-3487 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tomcat (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tomcat, javapackages-tools fixes the following issue:
Security issue fixed:
- CVE-2021-30640: Escape parameters in JNDI Realm queries (bsc#1188279).
- CVE-2021-33037: Process T-E header from both HTTP 1.0 and HTTP 1.1. clients (bsc#1188278).
- CVE-2021-41079: Fixed a denial of service caused by an unexpected TLS packet (bsc#1190558).
Non-security issues fixed:
- Add requires and conflicts to avoid the usage of the incompatible 'Java 11' with 'Tomcat'. (bsc#1185476)
- Rebuild javapackages-tools to fix a missing package on s390.
ImportantSUSE bug 1185476SUSE bug 1188278SUSE bug 1188279SUSE bug 1190558CVE-2021-30640 at SUSECVE-2021-30640 at NVDCVE-2021-33037 at SUSECVE-2021-33037 at NVDCVE-2021-41079 at SUSECVE-2021-41079 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for bind (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for bind fixes the following issues:
- CVE-2021-25219: Fixed lame cache that could have been abused to severely degrade resolver performance (bsc#1192146).
ImportantSUSE bug 1192146CVE-2021-25219 at SUSECVE-2021-25219 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for binutils (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for binutils fixes the following issues:
- For compatibility on old code stream that expect 'brcl 0,label' to
not be disassembled as 'jgnop label' on s390x. (bsc#1192267)
This reverts IBM zSeries HLASM support for now.
- Fixed that ppc64 optflags did not enable LTO (bsc#1188941).
- Fix empty man-pages from broken release tarball
- Fixed a memory corruption with rpath option (bsc#1191473).
- Fixed slow performance of stripping some binaries (bsc#1183909).
Security issue fixed:
- CVE-2021-20294: Fixed out-of-bounds write in print_dynamic_symbol in readelf (bnc#1184519)
ModerateSUSE bug 1183909SUSE bug 1184519SUSE bug 1188941SUSE bug 1191473SUSE bug 1192267CVE-2021-20294 at SUSECVE-2021-20294 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for pcre (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for pcre fixes the following issues:
Update pcre to version 8.45:
- CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
- CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973).
- CVE-2017-7244: Fixed invalid read in _pcre32_xclass() (bsc#1030807).
- CVE-2017-7245: Fixed buffer overflow in the pcre32_copy_substring (bsc#1030805).
- CVE-2017-7246: Fixed another buffer overflow in the pcre32_copy_substring (bsc#1030803).
- CVE-2017-7186: Fixed denial of service caused by an invalid Unicode property lookup (bsc#1030066).
- CVE-2017-6004: Fixed denial of service via crafted regular expression (bsc#1025709).
ModerateSUSE bug 1025709SUSE bug 1030066SUSE bug 1030803SUSE bug 1030805SUSE bug 1030807SUSE bug 1172973SUSE bug 1172974CVE-2017-6004 at SUSECVE-2017-6004 at NVDCVE-2017-7186 at SUSECVE-2017-7186 at NVDCVE-2017-7244 at SUSECVE-2017-7244 at NVDCVE-2017-7245 at SUSECVE-2017-7245 at NVDCVE-2017-7246 at SUSECVE-2017-7246 at NVDCVE-2019-20838 at SUSECVE-2019-20838 at NVDCVE-2020-14155 at SUSECVE-2020-14155 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for qemu (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for qemu fixes the following issues:
Security issues fixed:
- Fix out-of-bounds write in UAS (USB Attached SCSI) device emulation (bsc#1189702, CVE-2021-3713)
- Fix heap use-after-free in virtio_net_receive_rcu (bsc#1189938, CVE-2021-3748)
ImportantSUSE bug 1189702SUSE bug 1189938CVE-2021-3713 at SUSECVE-2021-3713 at NVDCVE-2021-3748 at SUSECVE-2021-3748 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
MozillaFirefox was updated to Extended Support Release 91.3.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-49 (bsc#1192250)
* CVE-2021-38503: iframe sandbox rules did not apply to XSLT stylesheets
* CVE-2021-38504: Use-after-free in file picker dialog
* CVE-2021-38505: Windows 10 Cloud Clipboard may have recorded sensitive user data
* CVE-2021-38506: Firefox could be coaxed into going into fullscreen mode without notification or warning
* CVE-2021-38507: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports
* CVE-2021-38508: Permission Prompt could be overlaid, resulting in user confusion and potential spoofing
* CVE-2021-38509: Javascript alert box could have been spoofed onto an arbitrary domain
* CVE-2021-38510: Download Protections were bypassed by .inetloc files on Mac OS
* MOZ-2021-0008: Use-after-free in HTTP2 Session object
* MOZ-2021-0007: Memory safety bugs fixed in Firefox 94 and Firefox ESR 91.3
ImportantSUSE bug 1192250CVE-2021-38503 at SUSECVE-2021-38503 at NVDCVE-2021-38504 at SUSECVE-2021-38504 at NVDCVE-2021-38505 at SUSECVE-2021-38505 at NVDCVE-2021-38506 at SUSECVE-2021-38506 at NVDCVE-2021-38507 at SUSECVE-2021-38507 at NVDCVE-2021-38508 at SUSECVE-2021-38508 at NVDCVE-2021-38509 at SUSECVE-2021-38509 at NVDCVE-2021-38510 at SUSECVE-2021-38510 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for samba (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for samba fixes the following issues:
- CVE-2016-2124: Fixed not to fallback to non spnego authentication if we require kerberos (bsc#1014440).
- CVE-2020-25717: Fixed privilege escalation inside an AD Domain where a user could become root on domain members (bsc#1192284).
ImportantSUSE bug 1014440SUSE bug 1192284CVE-2016-2124 at SUSECVE-2016-2124 at NVDCVE-2020-25717 at SUSECVE-2020-25717 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql, postgresql13, postgresql14 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql, postgresql13 and postgresql14 fixes the following issues:
Security issues fixed:
- CVE-2021-23214: Make the server reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
- CVE-2021-23222: Make libpq reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
This update also ships postgresql14 to SUSE Linux Enterprise 12 SP5. (jsc#SLE-22673)
On older service packs only libpq5 and libecpg6 are being replaced by the postgresql14 variants.
Feature changes in postgresql14:
- https://www.postgresql.org/about/news/postgresql-14-released-2318/
- https://www.postgresql.org/docs/14/release-14.html
ImportantSUSE bug 1192516CVE-2021-23214 at SUSECVE-2021-23214 at NVDCVE-2021-23222 at SUSECVE-2021-23222 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql96 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql96 fixes the following issues:
- CVE-2021-23214: Make the server reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
- CVE-2021-23222: Make libpq reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
ImportantSUSE bug 1192516CVE-2021-23214 at SUSECVE-2021-23214 at NVDCVE-2021-23222 at SUSECVE-2021-23222 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql10 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql10 fixes the following issues:
- CVE-2021-23214: Make the server reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
- CVE-2021-23222: Make libpq reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516).
ImportantSUSE bug 1192516CVE-2021-23214 at SUSECVE-2021-23214 at NVDCVE-2021-23222 at SUSECVE-2021-23222 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
- CVE-2021-42762: Updated seccomp rules with latest changes from flatpak (bsc#1191937).
ImportantSUSE bug 1191937CVE-2021-42762 at SUSECVE-2021-42762 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-openjdk fixes the following issues:
Update to version OpenJDK 8u312 (October 2021 CPU):
- CVE-2021-35550: Fixed weak ciphers preferred over stronger ones for TLS (bsc#1191901).
- CVE-2021-35556: Fixed excessive memory allocation in RTFParser (bsc#1191910).
- CVE-2021-35559: Fixed excessive memory allocation in RTFReader (bsc#1191911).
- CVE-2021-35561: Fixed excessive memory allocation in HashMap and HashSet (bsc#1191912).
- CVE-2021-35564: Fixed certificates with end dates too far in the future can corrupt keystore (bsc#1191913).
- CVE-2021-35565: Fixed loop in HttpsServer triggered during TLS session close (bsc#1191909).
- CVE-2021-35567: Fixed incorrect principal selection when using Kerberos Constrained Delegation (bsc#1191903).
- CVE-2021-35578: Fixed unexpected exception raised during TLS handshake (bsc#1191904).
- CVE-2021-35586: Fixed excessive memory allocation in BMPImageReader (bsc#1191914).
- CVE-2021-35588: Fixed incomplete validation of inner class references in ClassFileParser (bsc#1191905)
- CVE-2021-35603: Fixed non-constant comparison during TLS handshakes (bsc#1191906).
ImportantSUSE bug 1191901SUSE bug 1191903SUSE bug 1191904SUSE bug 1191905SUSE bug 1191906SUSE bug 1191909SUSE bug 1191910SUSE bug 1191911SUSE bug 1191912SUSE bug 1191913SUSE bug 1191914CVE-2021-35550 at SUSECVE-2021-35550 at NVDCVE-2021-35556 at SUSECVE-2021-35556 at NVDCVE-2021-35559 at SUSECVE-2021-35559 at NVDCVE-2021-35561 at SUSECVE-2021-35561 at NVDCVE-2021-35564 at SUSECVE-2021-35564 at NVDCVE-2021-35565 at SUSECVE-2021-35565 at NVDCVE-2021-35567 at SUSECVE-2021-35567 at NVDCVE-2021-35578 at SUSECVE-2021-35578 at NVDCVE-2021-35586 at SUSECVE-2021-35586 at NVDCVE-2021-35588 at SUSECVE-2021-35588 at NVDCVE-2021-35603 at SUSECVE-2021-35603 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_7_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_7_0-openjdk fixes the following issues:
Update to OpenJDK 7u321 (October 2021 CPU):
- CVE-2021-35550: Fixed weak ciphers preferred over stronger ones for TLS (bsc#1191901).
- CVE-2021-35556: Fixed excessive memory allocation in RTFParser (bsc#1191910).
- CVE-2021-35559: Fixed excessive memory allocation in RTFReader (bsc#1191911).
- CVE-2021-35561: Fixed excessive memory allocation in HashMap and HashSet (bsc#1191912).
- CVE-2021-35564: Fixed certificates with end dates too far in the future can corrupt keystore (bsc#1191913).
- CVE-2021-35565: Fixed loop in HttpsServer triggered during TLS session close (bsc#1191909).
- CVE-2021-35586: Fixed excessive memory allocation in BMPImageReader (bsc#1191914).
- CVE-2021-35588: Fixed incomplete validation of inner class references in ClassFileParser (bsc#1191905)
- CVE-2021-35603: Fixed non-constant comparison during TLS handshakes (bsc#1191906).
ImportantSUSE bug 1191901SUSE bug 1191905SUSE bug 1191906SUSE bug 1191909SUSE bug 1191910SUSE bug 1191911SUSE bug 1191912SUSE bug 1191913SUSE bug 1191914CVE-2021-35550 at SUSECVE-2021-35550 at NVDCVE-2021-35556 at SUSECVE-2021-35556 at NVDCVE-2021-35559 at SUSECVE-2021-35559 at NVDCVE-2021-35561 at SUSECVE-2021-35561 at NVDCVE-2021-35564 at SUSECVE-2021-35564 at NVDCVE-2021-35565 at SUSECVE-2021-35565 at NVDCVE-2021-35586 at SUSECVE-2021-35586 at NVDCVE-2021-35588 at SUSECVE-2021-35588 at NVDCVE-2021-35603 at SUSECVE-2021-35603 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ruby2.1 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ruby2.1 fixes the following issues:
- CVE-2020-25613: Fixed potential HTTP request smuggling in WEBrick (bsc#1177125).
- CVE-2021-31799: Fixed Command injection vulnerability in RDoc (bsc#1190375).
- CVE-2021-31810: Fixed trusting FTP PASV responses vulnerability in Net:FTP (bsc#1188161).
- CVE-2021-32066: Fixed StartTLS stripping vulnerability in Net:IMAP (bsc#1188160).
ImportantSUSE bug 1177125SUSE bug 1188160SUSE bug 1188161SUSE bug 1190375CVE-2020-25613 at SUSECVE-2020-25613 at NVDCVE-2021-31799 at SUSECVE-2021-31799 at NVDCVE-2021-31810 at SUSECVE-2021-31810 at NVDCVE-2021-32066 at SUSECVE-2021-32066 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openexr (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openexr fixes the following issues:
- CVE-2021-3477: Fixed Heap-buffer-overflow in Imf_2_5::DeepTiledInputFile::readPixelSampleCounts (bsc#1184353).
- CVE-2021-3941: Fixed divide-by-zero in Imf_3_1:RGBtoXYZ (bsc#1192556).
- CVE-2021-3933: Fixed integer-overflow in Imf_3_1:bytesPerDeepLineTable (bsc#1192498).
ModerateSUSE bug 1184353SUSE bug 1192498SUSE bug 1192556CVE-2021-3477 at SUSECVE-2021-3477 at NVDCVE-2021-3933 at SUSECVE-2021-3933 at NVDCVE-2021-3941 at SUSECVE-2021-3941 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xen (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
- CVE-2021-28704, CVE-2021-28707, CVE-2021-28708: Fixed PoD operations on misaligned GFNs (XSA-388) (bsc#1192557).
- CVE-2021-28705, CVE-2021-28709: Fixed issues with partially successful P2M updates on x86 (XSA-389) (bsc#1192559).
- CVE-2021-28706: Fixed guests may exceed their designated memory limit (XSA-385) (bsc#1192554).
ModerateSUSE bug 1192554SUSE bug 1192557SUSE bug 1192559CVE-2021-28704 at SUSECVE-2021-28704 at NVDCVE-2021-28705 at SUSECVE-2021-28705 at NVDCVE-2021-28706 at SUSECVE-2021-28706 at NVDCVE-2021-28707 at SUSECVE-2021-28707 at NVDCVE-2021-28708 at SUSECVE-2021-28708 at NVDCVE-2021-28709 at SUSECVE-2021-28709 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for speex (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for speex fixes the following issues:
- CVE-2020-23903: Fixed zero division error in read_samples (bsc#1192580).
ModerateSUSE bug 1192580CVE-2020-23903 at SUSECVE-2020-23903 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for clamav (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for clamav fixes the following issues:
- CVE-2018-14679: Fixed off-by-one issue in embedded libmspack that could lead to denial of service (bsc#1103032).
- Update to 0.103.4 (bsc#1192346).
- Update to 0.103.3 (bsc#1188284).
ModerateSUSE bug 1103032SUSE bug 1188284SUSE bug 1192346CVE-2018-14679 at SUSECVE-2018-14679 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
- CVE-2021-30846: Fixed memory corruption issue that could lead to arbitrary code execution when processing maliciously crafted web content (bsc#1192063).
- CVE-2021-30851: Fixed memory corruption vulnerability that could lead to arbitrary code execution when processing maliciously crafted web content (bsc#1192063).
ImportantSUSE bug 1192063CVE-2021-30846 at SUSECVE-2021-30846 at NVDCVE-2021-30851 at SUSECVE-2021-30851 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gmp (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gmp fixes the following issues:
- CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).
ModerateSUSE bug 1192717CVE-2021-43618 at SUSECVE-2021-43618 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for mozilla-nss (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mozilla-nss fixes the following issues:
Update to version 3.68.1:
- CVE-2021-43527: Fixed a Heap overflow in NSS when verifying DER-encoded DSA or RSA-PSS signatures (bsc#1193170).
ImportantSUSE bug 1193170CVE-2021-43527 at SUSECVE-2021-43527 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openssh (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssh fixes the following issues:
- CVE-2021-41617: Fixed privilege escalation when AuthorizedKeysCommand/AuthorizedPrincipalsCommand are configured (bsc#1190975).
ImportantSUSE bug 1190975CVE-2021-41617 at SUSECVE-2021-41617 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Update to Extended Support Release 91.4.0 (bsc#1193485):
- CVE-2021-43536: URL leakage when navigating while executing asynchronous function
- CVE-2021-43537: Heap buffer overflow when using structured clone
- CVE-2021-43538: Missing fullscreen and pointer lock notification when requesting both
- CVE-2021-43539: GC rooting failure when calling wasm instance methods
- CVE-2021-43541: External protocol handler parameters were unescaped
- CVE-2021-43542: XMLHttpRequest error codes could have leaked the existence of an external protocol handler
- CVE-2021-43543: Bypass of CSP sandbox directive when embedding
- CVE-2021-43545: Denial of Service when using the Location API in a loop
- CVE-2021-43546: Cursor spoofing could overlay user interface when native cursor is zoomed
- Memory safety bugs fixed in Firefox 95 and Firefox ESR 91.4
- Removed x-scheme-handler/ftp from MozillaFirefox.desktop (bsc#1193321)
ImportantSUSE bug 1193321SUSE bug 1193485CVE-2021-43536 at SUSECVE-2021-43536 at NVDCVE-2021-43537 at SUSECVE-2021-43537 at NVDCVE-2021-43538 at SUSECVE-2021-43538 at NVDCVE-2021-43539 at SUSECVE-2021-43539 at NVDCVE-2021-43541 at SUSECVE-2021-43541 at NVDCVE-2021-43542 at SUSECVE-2021-43542 at NVDCVE-2021-43543 at SUSECVE-2021-43543 at NVDCVE-2021-43545 at SUSECVE-2021-43545 at NVDCVE-2021-43546 at SUSECVE-2021-43546 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for glib-networking (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for glib-networking fixes the following issues:
- CVE-2020-13645: Fixed a connection failure when the server identity is unset (bsc#1172460).
ImportantSUSE bug 1172460CVE-2020-13645 at SUSECVE-2020-13645 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gettext-runtime (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gettext-runtime fixes the following issues:
- CVE-2018-18751: Fixed a double free (bsc#1113719)
ModerateSUSE bug 1113719CVE-2018-18751 at SUSECVE-2018-18751 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xorg-x11-server fixes the following issues:
- CVE-2021-4008: Fixed Privilege Escalation Vulnerability via Out-Of-Bounds Access in SProcRenderCompositeGlyphs (bsc#1193030).
ImportantSUSE bug 1193030CVE-2021-4008 at SUSECVE-2021-4008 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for log4j (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for log4j fixes the following issue:
- CVE-2021-4104: Disable the JMSAppender class from log4j to protect against
the log4jshell vulnerability. [bsc#1193662]
ImportantSUSE bug 1193662CVE-2021-4104 at SUSECVE-2021-4104 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xorg-x11-server fixes the following issues:
- CVE-2021-4009: The handler for the CreatePointerBarrier request of the XFixes
extension does not properly validate the request length leading to out of
bounds memory write. (bsc#1190487)
- CVE-2021-4011: The handlers for the RecordCreateContext and RecordRegisterClients
requests of the Record extension do not properly validate the request
length leading to out of bounds memory write. (bsc#1190489)
ImportantSUSE bug 1190487SUSE bug 1190489CVE-2021-4009 at SUSECVE-2021-4009 at NVDCVE-2021-4011 at SUSECVE-2021-4011 at NVDcpe:/o:suse:sles_teradata:12:sp3Recommended update for samba (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for samba fixes the following issues:
The username map advice from the CVE-2020-25717 advisory
note has undesired side effects for the local nt token. Fallback
to a SID/UID based mapping if the name based lookup fails (bsc#1192849).
ImportantSUSE bug 1192849CVE-2020-25717 at SUSECVE-2020-25717 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for chrony (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for chrony fixes the following issues:
Chrony was updated to 4.1:
* Add support for NTS servers specified by IP address (matching
Subject Alternative Name in server certificate)
* Add source-specific configuration of trusted certificates
* Allow multiple files and directories with trusted certificates
* Allow multiple pairs of server keys and certificates
* Add copy option to server/pool directive
* Increase PPS lock limit to 40% of pulse interval
* Perform source selection immediately after loading dump files
* Reload dump files for addresses negotiated by NTS-KE server
* Update seccomp filter and add less restrictive level
* Restart ongoing name resolution on online command
* Fix dump files to not include uncorrected offset
* Fix initstepslew to accept time from own NTP clients
* Reset NTP address and port when no longer negotiated by NTS-KE
server
- Update clknetsim to snapshot f89702d.
- Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689).
- Enable syscallfilter unconditionally (bsc#1181826).
Chrony was updated to 4.0:
Enhancements
- Add support for Network Time Security (NTS) authentication
- Add support for AES-CMAC keys (AES128, AES256) with Nettle
- Add authselectmode directive to control selection of
unauthenticated sources
- Add binddevice, bindacqdevice, bindcmddevice directives
- Add confdir directive to better support fragmented
configuration
- Add sourcedir directive and 'reload sources' command to
support dynamic NTP sources specified in files
- Add clockprecision directive
- Add dscp directive to set Differentiated Services Code Point
(DSCP)
- Add -L option to limit log messages by severity
- Add -p option to print whole configuration with included
files
- Add -U option to allow start under non-root user
- Allow maxsamples to be set to 1 for faster update with -q/-Q
option
- Avoid replacing NTP sources with sources that have
unreachable address
- Improve pools to repeat name resolution to get 'maxsources'
sources
- Improve source selection with trusted sources
- Improve NTP loop test to prevent synchronisation to itself
- Repeat iburst when NTP source is switched from offline state
to online
- Update clock synchronisation status and leap status more
frequently
- Update seccomp filter
- Add 'add pool' command
- Add 'reset sources' command to drop all measurements
- Add authdata command to print details about NTP
authentication
- Add selectdata command to print details about source
selection
- Add -N option and sourcename command to print original names
of sources
- Add -a option to some commands to print also unresolved
sources
- Add -k, -p, -r options to clients command to select, limit,
reset data
- Bug fixes
- Don’t set interface for NTP responses to allow asymmetric
routing
- Handle RTCs that don’t support interrupts
- Respond to command requests with correct address on
multihomed hosts
- Removed features
- Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
- Drop support for long (non-standard) MACs in NTPv4 packets
(chrony 2.x clients using non-MD5/SHA1 keys need to use
option 'version 3')
- By default we don't write log files but log to journald, so
only recommend logrotate.
- Adjust and rename the sysconfig file, so that it matches the
expectations of chronyd.service (bsc#1173277).
Chrony was updated to 3.5.1:
* Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)
- Add chrony-pool-suse and chrony-pool-openSUSE subpackages that
preconfigure chrony to use NTP servers from the respective
pools for SUSE and openSUSE (bsc#1156884, SLE-11424).
- Add chrony-pool-empty to still allow installing chrony without
preconfigured servers.
- Use iburst in the default pool statements to speed up initial
synchronisation (bsc#1172113).
- Update clknetsim to version 79ffe44 (fixes bsc#1162964).
Update to 3.5:
+ Add support for more accurate reading of PHC on Linux 5.0
+ Add support for hardware timestamping on interfaces with read-only timestamping configuration
+ Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
+ Update seccomp filter to work on more architectures
+ Validate refclock driver options
+ Fix bindaddress directive on FreeBSD
+ Fix transposition of hardware RX timestamp on Linux 4.13 and later
+ Fix building on non-glibc systems
- Fix location of helper script in chrony-dnssrv@.service (bsc#1128846).
- Read runtime servers from /var/run/netconfig/chrony.servers (bsc#1099272)
- Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share.
- Remove discrepancies between spec file and chrony-tmpfiles (bsc#1115529)
Update to version 3.4
* Enhancements
+ Add filter option to server/pool/peer directive
+ Add minsamples and maxsamples options to hwtimestamp directive
+ Add support for faster frequency adjustments in Linux 4.19
+ Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd
without root privileges to remove it on exit
+ Disable sub-second polling intervals for distant NTP sources
+ Extend range of supported sub-second polling intervals
+ Get/set IPv4 destination/source address of NTP packets on FreeBSD
+ Make burst options and command useful with short polling intervals
+ Modify auto_offline option to activate when sending request failed
+ Respond from interface that received NTP request if possible
+ Add onoffline command to switch between online and offline state
according to current system network configuration
+ Improve example NetworkManager dispatcher script
* Bug fixes
+ Avoid waiting in Linux getrandom system call
+ Fix PPS support on FreeBSD and NetBSD
Update to version 3.3
* Enhancements:
+ Add burst option to server/pool directive
+ Add stratum and tai options to refclock directive
+ Add support for Nettle crypto library
+ Add workaround for missing kernel receive timestamps on Linux
+ Wait for late hardware transmit timestamps
+ Improve source selection with unreachable sources
+ Improve protection against replay attacks on symmetric mode
+ Allow PHC refclock to use socket in /var/run/chrony
+ Add shutdown command to stop chronyd
+ Simplify format of response to manual list command
+ Improve handling of unknown responses in chronyc
* Bug fixes:
+ Respond to NTPv1 client requests with zero mode
+ Fix -x option to not require CAP_SYS_TIME under non-root user
+ Fix acquisitionport directive to work with privilege separation
+ Fix handling of socket errors on Linux to avoid high CPU usage
+ Fix chronyc to not get stuck in infinite loop after clock step
- Added /etc/chrony.d/ directory to the package (bsc#1083597) Modifed default chrony.conf to add 'include /etc/chrony.d/*'
- Enable pps support
Upgraded to version 3.2:
Enhancements
* Improve stability with NTP sources and reference clocks
* Improve stability with hardware timestamping
* Improve support for NTP interleaved modes
* Control frequency of system clock on macOS 10.13 and later
* Set TAI-UTC offset of system clock with leapsectz directive
* Minimise data in client requests to improve privacy
* Allow transmit-only hardware timestamping
* Add support for new timestamping options introduced in Linux 4.13
* Add root delay, root dispersion and maximum error to tracking log
* Add mindelay and asymmetry options to server/peer/pool directive
* Add extpps option to PHC refclock to timestamp external PPS signal
* Add pps option to refclock directive to treat any refclock as PPS
* Add width option to refclock directive to filter wrong pulse edges
* Add rxfilter option to hwtimestamp directive
* Add -x option to disable control of system clock
* Add -l option to log to specified file instead of syslog
* Allow multiple command-line options to be specified together
* Allow starting without root privileges with -Q option
* Update seccomp filter for new glibc versions
* Dump history on exit by default with dumpdir directive
* Use hardening compiler options by default
Bug fixes
* Don't drop PHC samples with low-resolution system clock
* Ignore outliers in PHC tracking, RTC tracking, manual input
* Increase polling interval when peer is not responding
* Exit with error message when include directive fails
* Don't allow slash after hostname in allow/deny directive/command
* Try to connect to all addresses in chronyc before giving up
Upgraded to version 3.1:
- Enhancements
- Add support for precise cross timestamping of PHC on Linux
- Add minpoll, precision, nocrossts options to hwtimestamp directive
- Add rawmeasurements option to log directive and modify measurements
option to log only valid measurements from synchronised sources
- Allow sub-second polling interval with NTP sources
- Bug fixes
- Fix time smoothing in interleaved mode
Upgraded to version 3.0:
- Enhancements
- Add support for software and hardware timestamping on Linux
- Add support for client/server and symmetric interleaved modes
- Add support for MS-SNTP authentication in Samba
- Add support for truncated MACs in NTPv4 packets
- Estimate and correct for asymmetric network jitter
- Increase default minsamples and polltarget to improve stability with very low jitter
- Add maxjitter directive to limit source selection by jitter
- Add offset option to server/pool/peer directive
- Add maxlockage option to refclock directive
- Add -t option to chronyd to exit after specified time
- Add partial protection against replay attacks on symmetric mode
- Don't reset polling interval when switching sources to online state
- Allow rate limiting with very short intervals
- Improve maximum server throughput on Linux and NetBSD
- Remove dump files after start
- Add tab-completion to chronyc with libedit/readline
- Add ntpdata command to print details about NTP measurements
- Allow all source options to be set in add server/peer command
- Indicate truncated addresses/hostnames in chronyc output
- Print reference IDs as hexadecimal numbers to avoid confusion with IPv4 addresses
- Bug fixes
- Fix crash with disabled asynchronous name resolving
Upgraded to version 2.4.1:
- Bug fixes
- Fix processing of kernel timestamps on non-Linux systems
- Fix crash with smoothtime directive
- Fix validation of refclock sample times
- Fix parsing of refclock directive
update to 2.4:
- Enhancements
- Add orphan option to local directive for orphan mode
compatible with ntpd
- Add distance option to local directive to set activation
threshold (1 second by default)
- Add maxdrift directive to set maximum allowed drift of system
clock
- Try to replace NTP sources exceeding maximum distance
- Randomise source replacement to avoid getting stuck with bad
sources
- Randomise selection of sources from pools on start
- Ignore reference timestamp as ntpd doesn't always set it
correctly
- Modify tracking report to use same values as seen by NTP
clients
- Add -c option to chronyc to write reports in CSV format
- Provide detailed manual pages
- Bug fixes
- Fix SOCK refclock to work correctly when not specified as
last refclock
- Fix initstepslew and -q/-Q options to accept time from own
NTP clients
- Fix authentication with keys using 512-bit hash functions
- Fix crash on exit when multiple signals are received
- Fix conversion of very small floating-point numbers in
command packets
ModerateSUSE bug 1063704SUSE bug 1069468SUSE bug 1082318SUSE bug 1083597SUSE bug 1099272SUSE bug 1115529SUSE bug 1128846SUSE bug 1156884SUSE bug 1159840SUSE bug 1161119SUSE bug 1162964SUSE bug 1171806SUSE bug 1172113SUSE bug 1173277SUSE bug 1173760SUSE bug 1174075SUSE bug 1174911SUSE bug 1180689SUSE bug 1181826SUSE bug 1183783SUSE bug 1184400SUSE bug 1187906SUSE bug 1190926CVE-2020-14367 at SUSECVE-2020-14367 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libqt4 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libqt4 fixes the following issues:
- CVE-2021-3481: Fixed out of bounds read in QRadialFetchSimd() from
crafted svg file (bsc#1184783).
- CVE-2020-17507: Fixed buffer over-read in read_xbm_body() (bsc#1176315).
ImportantSUSE bug 1176315SUSE bug 1184783CVE-2020-17507 at SUSECVE-2020-17507 at NVDCVE-2021-3481 at SUSECVE-2021-3481 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libvpx (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libvpx fixes the following issues:
- CVE-2020-0034: Fixed out-of-bounds read on truncated key frames (bsc#1166066)
ModerateSUSE bug 1166066CVE-2020-0034 at SUSECVE-2020-0034 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python36 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python36 fixes the following issues:
- buffer overflow in PyCArg_repr in _ctypes/callproc.c,
which may lead to remote code execution (bsc#1181126, CVE-2021-3177).
ImportantSUSE bug 1181126CVE-2021-3177 at SUSECVE-2021-3177 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 78.7.1 ESR (bsc#1181848)
- Fixed: Prevent access to NTFS special paths that could lead to filesystem corruption.
- Buffer overflow in depth pitch calculations for compressed textures
LowSUSE bug 1181848cpe:/o:suse:sles_teradata:12:sp3Security update for python (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python fixes the following issues:
- buffer overflow in PyCArg_repr in _ctypes/callproc.c,
which may lead to remote code execution (bsc#1181126, CVE-2021-3177).
- Provide the newest setuptools wheel (bsc#1176262,
CVE-2019-20916) in their correct form (bsc#1180686).
ImportantSUSE bug 1176262SUSE bug 1180686SUSE bug 1181126CVE-2019-20916 at SUSECVE-2019-20916 at NVDCVE-2021-3177 at SUSECVE-2021-3177 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openvswitch (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openvswitch fixes the following issues:
- CVE-2020-35498: Fixed a denial of service related to the handling of Ethernet padding (bsc#1181742).
ImportantSUSE bug 1181742CVE-2020-35498 at SUSECVE-2020-35498 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for wpa_supplicant (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for wpa_supplicant fixes the following issues:
- CVE-2021-0326: P2P group information processing vulnerability (bsc#1181777).
- CVE-2019-16275: AP mode PMF disconnection protection bypass (bsc#1150934)
ImportantSUSE bug 1150934SUSE bug 1181777CVE-2019-16275 at SUSECVE-2019-16275 at NVDCVE-2021-0326 at SUSECVE-2021-0326 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for jasper (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for jasper fixes the following issues:
- bsc#1179748 CVE-2020-27828: Fix heap overflow by checking maxrlvls
- bsc#1181483 CVE-2021-3272: Fix buffer over-read in jp2_decode
ImportantSUSE bug 1179748SUSE bug 1181483CVE-2020-27828 at SUSECVE-2020-27828 at NVDCVE-2021-3272 at SUSECVE-2021-3272 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for screen (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for screen fixes the following issues:
- CVE-2021-26937: Fixed double width combining char handling that could lead to a denial of service or code execution (bsc#1182092).
ImportantSUSE bug 1182092CVE-2021-26937 at SUSECVE-2021-26937 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for bind (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for bind fixes the following issues:
- CVE-2020-8625: A vulnerability in BIND's GSSAPI security policy
negotiation can be targeted by a buffer overflow attack [bsc#1182246, CVE-2020-8625]
ImportantSUSE bug 1182246CVE-2020-8625 at SUSECVE-2020-8625 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_7_1-ibm fixes the following issues:
- Update to Java 7.1 Service Refresh 4 Fix Pack 80
[bsc#1182186, bsc#1181239, CVE-2020-27221, CVE-2020-14803]
* CVE-2020-27221: Potential for a stack-based buffer overflow
when the virtual machine or JNI natives are converting from
UTF-8 characters to platform encoding.
* CVE-2020-14803: Unauthenticated attacker with network access
via multiple protocols allows to compromise Java SE.
ImportantSUSE bug 1181239SUSE bug 1182186CVE-2020-14803 at SUSECVE-2020-14803 at NVDCVE-2020-27221 at SUSECVE-2020-27221 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for krb5-appl (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for krb5-appl fixes the following issues:
- CVE-2019-25017: Check the filenames sent by the server match those requested by the client (bsc#1131109).
- CVE-2019-25018: Disallow empty incoming filename or ones that refer to the current directory (bsc#1131109).
ImportantSUSE bug 1131109CVE-2019-25017 at SUSECVE-2019-25017 at NVDCVE-2019-25018 at SUSECVE-2019-25018 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ImageMagick fixes the following issues:
- CVE-2021-20176: Fixed an issue where processing a crafted file could lead to division by zero (bsc#1181836).
- CVE-2020-27767: outside the range of representable values of type 'float' at MagickCore/quantum.h (bsc#1179322).
ModerateSUSE bug 1179322SUSE bug 1181836CVE-2020-27767 at SUSECVE-2020-27767 at NVDCVE-2021-20176 at SUSECVE-2021-20176 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-openjdk (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-openjdk fixes the following issues:
- Update to version jdk8u282 (icedtea 3.18.0)
* January 2021 CPU (bsc#1181239)
* Security fixes
+ JDK-8247619: Improve Direct Buffering of Characters (CVE-2020-14803)
* Import of OpenJDK 8 u282 build 01
+ JDK-6962725: Regtest javax/swing/JFileChooser/6738668/
/bug6738668.java fails under Linux
+ JDK-8025936: Windows .pdb and .map files does not have proper
dependencies setup
+ JDK-8030350: Enable additional compiler warnings for GCC
+ JDK-8031423: Test java/awt/dnd/DisposeFrameOnDragCrash/
/DisposeFrameOnDragTest.java fails by Timeout on Windows
+ JDK-8036122: Fix warning 'format not a string literal'
+ JDK-8051853: new
URI('x/').resolve('..').getSchemeSpecificPart() returns null!
+ JDK-8132664: closed/javax/swing/DataTransfer/DefaultNoDrop/
/DefaultNoDrop.java locks on Windows
+ JDK-8134632: Mark javax/sound/midi/Devices/
/InitializationHang.java as headful
+ JDK-8148854: Class names 'SomeClass' and 'LSomeClass;'
treated by JVM as an equivalent
+ JDK-8148916: Mark bug6400879.java as intermittently failing
+ JDK-8148983: Fix extra comma in changes for JDK-8148916
+ JDK-8160438: javax/swing/plaf/nimbus/8057791/bug8057791.java
fails
+ JDK-8165808: Add release barriers when allocating objects
with concurrent collection
+ JDK-8185003: JMX: Add a version of
ThreadMXBean.dumpAllThreads with a maxDepth argument
+ JDK-8202076: test/jdk/java/io/File/WinSpecialFiles.java on
windows with VS2017
+ JDK-8207766: [testbug] Adapt tests for Aix.
+ JDK-8212070: Introduce diagnostic flag to abort VM on failed
JIT compilation
+ JDK-8213448: [TESTBUG] enhance jfr/jvm/TestDumpOnCrash
+ JDK-8215727: Restore JFR thread sampler loop to old /
previous behavior
+ JDK-8220657: JFR.dump does not work when filename is set
+ JDK-8221342: [TESTBUG] Generate Dockerfile for docker testing
+ JDK-8224502: [TESTBUG] JDK docker test TestSystemMetrics.java
fails with access issues and OOM
+ JDK-8231209: [REDO] ThreadMXBean::getThreadAllocatedBytes()
can be quicker for self thread
+ JDK-8231968: getCurrentThreadAllocatedBytes default
implementation s/b getThreadAllocatedBytes
+ JDK-8232114: JVM crashed at imjpapi.dll in native code
+ JDK-8234270: [REDO] JDK-8204128 NMT might report incorrect
numbers for Compiler area
+ JDK-8234339: replace JLI_StrTok in java_md_solinux.c
+ JDK-8238448: RSASSA-PSS signature verification fail when
using certain odd key sizes
+ JDK-8242335: Additional Tests for RSASSA-PSS
+ JDK-8244225: stringop-overflow warning on strncpy call from
compile_the_world_in
+ JDK-8245400: Upgrade to LittleCMS 2.11
+ JDK-8248214: Add paddings for TaskQueueSuper to reduce
false-sharing cache contention
+ JDK-8249176: Update GlobalSignR6CA test certificates
+ JDK-8250665: Wrong translation for the month name of May in
ar_JO,LB,SY
+ JDK-8250928: JFR: Improve hash algorithm for stack traces
+ JDK-8251469: Better cleanup for
test/jdk/javax/imageio/SetOutput.java
+ JDK-8251840: Java_sun_awt_X11_XToolkit_getDefaultScreenData
should not be in make/mapfiles/libawt_xawt/mapfile-vers
+ JDK-8252384: [TESTBUG] Some tests refer to COMPAT provider
rather than JRE
+ JDK-8252395: [8u] --with-native-debug-symbols=external
doesn't include debuginfo files for binaries
+ JDK-8252497: Incorrect numeric currency code for ROL
+ JDK-8252754: Hash code calculation of JfrStackTrace is
inconsistent
+ JDK-8252904: VM crashes when JFR is used and JFR event class
is transformed
+ JDK-8252975: [8u] JDK-8252395 breaks the build for
--with-native-debug-symbols=internal
+ JDK-8253284: Zero OrderAccess barrier mappings are incorrect
+ JDK-8253550: [8u] JDK-8252395 breaks the build for make
STRIP_POLICY=no_strip
+ JDK-8253752: test/sun/management/jmxremote/bootstrap/
/RmiBootstrapTest.java fails randomly
+ JDK-8254081: java/security/cert/PolicyNode/
/GetPolicyQualifiers.java fails due to an expired certificate
+ JDK-8254144: Non-x86 Zero builds fail with return-type
warning in os_linux_zero.cpp
+ JDK-8254166: Zero: return-type warning in
zeroInterpreter_zero.cpp
+ JDK-8254683: [TEST_BUG] jdk/test/sun/tools/jconsole/
/WorkerDeadlockTest.java fails
+ JDK-8255003: Build failures on Solaris
ModerateSUSE bug 1181239CVE-2020-14803 at SUSECVE-2020-14803 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql13 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql13 fixes the following issues:
Upgrade to version 13.2:
- Updating stored views and reindexing might be needed after applying this update.
- CVE-2021-3393, bsc#1182040: Fix information leakage in constraint-violation error messages.
- CVE-2021-20229, bsc#1182039: Fix failure to check per-column SELECT privileges in some join queries.
ModerateSUSE bug 1182039SUSE bug 1182040CVE-2021-20229 at SUSECVE-2021-20229 at NVDCVE-2021-3393 at SUSECVE-2021-3393 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for freeradius-server (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for freeradius-server fixes the following issues:
- move logrotate options into specific parts for each log as 'global' options
will persist past and clobber global options in the main logrotate config (bsc#1180525)
LowSUSE bug 1180525cpe:/o:suse:sles_teradata:12:sp3Security update for avahi (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for avahi fixes the following issues:
- CVE-2021-26720: drop privileges when invoking avahi-daemon-check-dns.sh (bsc#1180827)
- Add sudo to requires: used to drop privileges.
ModerateSUSE bug 1180827CVE-2021-26720 at SUSECVE-2021-26720 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tomcat (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tomcat fixes the following issues:
- CVE-2021-24122: Added logging if file access is blocked due to symlinks (bsc#1180947).
ModerateSUSE bug 1180947CVE-2021-24122 at SUSECVE-2021-24122 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql-jdbc (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql-jdbc fixes the following issues:
- CVE-2020-13692: Fixed a XML External Entity vulnerability (bsc#1172746) .
ModerateSUSE bug 1172746CVE-2020-13692 at SUSECVE-2020-13692 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ImageMagick fixes the following issues:
_ CVE-2021-20243 [bsc#1182336]: Division by zero in GetResizeFilterWeight in MagickCore/resize.c
_ CVE-2021-20244 [bsc#1182325]: Division by zero in ImplodeImage in MagickCore/visual-effects.c
_ CVE-2021-20246 [bsc#1182337]: Division by zero in ScaleResampleFilter in MagickCore/resample.c
ModerateSUSE bug 1182325SUSE bug 1182336SUSE bug 1182337CVE-2021-20243 at SUSECVE-2021-20243 at NVDCVE-2021-20244 at SUSECVE-2021-20244 at NVDCVE-2021-20246 at SUSECVE-2021-20246 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 6 Fix Pack 25
[bsc#1182186, bsc#1181239, CVE-2020-27221, CVE-2020-14803]
* CVE-2020-27221: Potential for a stack-based buffer overflow
when the virtual machine or JNI natives are converting from
UTF-8 characters to platform encoding.
* CVE-2020-14803: Unauthenticated attacker with network access
via multiple protocols allows to compromise Java SE.
ImportantSUSE bug 1181239SUSE bug 1182186CVE-2020-14803 at SUSECVE-2020-14803 at NVDCVE-2020-27221 at SUSECVE-2020-27221 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.8.0 ESR
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-08 (bsc#1182614)
* CVE-2021-23969: Content Security Policy violation report could have contained the destination of a redirect
* CVE-2021-23968: Content Security Policy violation report could have contained the destination of a redirect
* CVE-2021-23973: MediaError message property could have leaked information about cross-origin resources
* CVE-2021-23978: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8
ImportantSUSE bug 1182357SUSE bug 1182614CVE-2021-23968 at SUSECVE-2021-23968 at NVDCVE-2021-23969 at SUSECVE-2021-23969 at NVDCVE-2021-23973 at SUSECVE-2021-23973 at NVDCVE-2021-23978 at SUSECVE-2021-23978 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python-cryptography (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-cryptography fixes the following issues:
- CVE-2020-36242: Using the Fernet class to symmetrically encrypt multi gigabyte
values could result in an integer overflow and buffer overflow (bsc#1182066).
ImportantSUSE bug 1182066CVE-2020-36242 at SUSECVE-2020-36242 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for grub2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for grub2 fixes the following issues:
grub2 now implements the new 'SBAT' method for SHIM based secure boot revocation. (bsc#1182057)
Following security issues are fixed that can violate secure boot constraints:
- CVE-2020-25632: Fixed a use-after-free in rmmod command (bsc#1176711)
- CVE-2020-25647: Fixed an out-of-bound write in grub_usb_device_initialize() (bsc#1177883)
- CVE-2020-27749: Fixed a stack buffer overflow in grub_parser_split_cmdline (bsc#1179264)
- CVE-2020-27779, CVE-2020-14372: Disallow cutmem and acpi commands in secure boot mode (bsc#1179265 bsc#1175970)
- CVE-2021-20225: Fixed a heap out-of-bounds write in short form option parser (bsc#1182262)
- CVE-2021-20233: Fixed a heap out-of-bound write due to mis-calculation of space required for quoting (bsc#1182263)
ImportantSUSE bug 1175970SUSE bug 1176711SUSE bug 1177883SUSE bug 1179264SUSE bug 1179265SUSE bug 1182057SUSE bug 1182262SUSE bug 1182263CVE-2020-14372 at SUSECVE-2020-14372 at NVDCVE-2020-25632 at SUSECVE-2020-25632 at NVDCVE-2020-25647 at SUSECVE-2020-25647 at NVDCVE-2020-27749 at SUSECVE-2020-27749 at NVDCVE-2020-27779 at SUSECVE-2020-27779 at NVDCVE-2021-20225 at SUSECVE-2021-20225 at NVDCVE-2021-20233 at SUSECVE-2021-20233 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openldap2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openldap2 fixes the following issues:
- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the
X.509 DN parsing in decode.c ber_next_element, resulting in denial
of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN
parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash
in the Certificate List Exact Assertion processing, resulting in
denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the
cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the
saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash
in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd
crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the
saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact
Assertion processing, resulting in denial of service (schema_init.c
serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter
control handling, resulting in denial of service (double free and
out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur
in the issuerAndThisUpdateCheck function via a crafted packet,
resulting in a denial of service (daemon exit) via a short timestamp.
This is related to schema_init.c and checkTime.
ImportantSUSE bug 1182279SUSE bug 1182408SUSE bug 1182411SUSE bug 1182412SUSE bug 1182413SUSE bug 1182415SUSE bug 1182416SUSE bug 1182417SUSE bug 1182418SUSE bug 1182419SUSE bug 1182420CVE-2020-36221 at SUSECVE-2020-36221 at NVDCVE-2020-36222 at SUSECVE-2020-36222 at NVDCVE-2020-36223 at SUSECVE-2020-36223 at NVDCVE-2020-36224 at SUSECVE-2020-36224 at NVDCVE-2020-36225 at SUSECVE-2020-36225 at NVDCVE-2020-36226 at SUSECVE-2020-36226 at NVDCVE-2020-36227 at SUSECVE-2020-36227 at NVDCVE-2020-36228 at SUSECVE-2020-36228 at NVDCVE-2020-36229 at SUSECVE-2020-36229 at NVDCVE-2020-36230 at SUSECVE-2020-36230 at NVDCVE-2021-27212 at SUSECVE-2021-27212 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for wpa_supplicant (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for wpa_supplicant fixes the following issues:
- CVE-2021-27803: P2P provision discovery processing vulnerability (bsc#1182805)
ImportantSUSE bug 1182805CVE-2021-27803 at SUSECVE-2021-27803 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for git (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for git fixes the following issues:
- On case-insensitive filesystems, with support for symbolic links,
if Git is configured globally to apply delay-capable clean/smudge
filters (such as Git LFS), Git could be fooled into running
remote code during a clone. (bsc#1183026, CVE-2021-21300)
ImportantSUSE bug 1183026CVE-2021-21300 at SUSECVE-2021-21300 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for apache2 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for apache2 fixes the following issues:
- Fixed potential content spoofing with default error pages(bsc#118270)
ModerateSUSE bug 1145740SUSE bug 1182703CVE-2019-10092 at SUSECVE-2019-10092 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python fixes the following issues:
- python27 was upgraded to 2.7.18
- CVE-2021-23336: Fixed a potential web cache poisoning by using a semicolon in query parameters use of semicolon as a query string separator (bsc#1182379).
ModerateSUSE bug 1182379CVE-2019-18348 at SUSECVE-2019-18348 at NVDCVE-2021-23336 at SUSECVE-2021-23336 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 78.6.1 ESR
* Fixed: Critical security issue MFSA 2021-01 (bsc#1180623)
* CVE-2020-16044
Use-after-free write when handling a malicious COOKIE-ECHO SCTP chunk
ImportantSUSE bug 1180623CVE-2020-16044 at SUSECVE-2020-16044 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for glib2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for glib2 fixes the following issues:
- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362)
ImportantSUSE bug 1182328SUSE bug 1182362CVE-2021-27218 at SUSECVE-2021-27218 at NVDCVE-2021-27219 at SUSECVE-2021-27219 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3 fixes the following issues:
- CVE-2021-23336: Fixed a potential web cache poisoning by using a semicolon in query parameters use of semicolon as a query string separator (bsc#1182379).
ModerateSUSE bug 1182379CVE-2021-23336 at SUSECVE-2021-23336 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python36 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python36 fixes the following issues:
- python36 was updated to 3.6.13
- CVE-2021-23336: Fixed a potential web cache poisoning by using a semicolon in query parameters use of semicolon as a query string separator (bsc#1182379).
ModerateSUSE bug 1179756SUSE bug 1182379CVE-2021-23336 at SUSECVE-2021-23336 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for wavpack (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for wavpack fixes the following issues:
- CVE-2020-35738: Fixed an out-of-bounds write in WavpackPackSamples (bsc#1180414).
ImportantSUSE bug 1180414CVE-2020-35738 at SUSECVE-2020-35738 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for nghttp2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for nghttp2 fixes the following issues:
Security issues fixed:
- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358).
- CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184).
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#1146182).
- CVE-2018-1000168: Fixed ALTSVC frame client side denial of service (bsc#1088639).
- CVE-2016-1544: Fixed out of memory due to unlimited incoming HTTP header fields (bsc#966514).
Bug fixes and enhancements:
- Packages must not mark license files as %doc (bsc#1082318)
- Typo in description of libnghttp2_asio1 (bsc#962914)
- Fixed mistake in spec file (bsc#1125689)
- Fixed build issue with boost 1.70.0 (bsc#1134616)
- Fixed build issue with GCC 6 (bsc#964140)
- Feature: Add W&S module (FATE#326776, bsc#1112438)
ImportantSUSE bug 1082318SUSE bug 1088639SUSE bug 1112438SUSE bug 1125689SUSE bug 1134616SUSE bug 1146182SUSE bug 1146184SUSE bug 1181358SUSE bug 962914SUSE bug 964140SUSE bug 966514CVE-2016-1544 at SUSECVE-2016-1544 at NVDCVE-2018-1000168 at SUSECVE-2018-1000168 at NVDCVE-2019-9511 at SUSECVE-2019-9511 at NVDCVE-2019-9513 at SUSECVE-2019-9513 at NVDCVE-2020-11080 at SUSECVE-2020-11080 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssl fixes the following issues:
- CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)
ModerateSUSE bug 1182331SUSE bug 1182333CVE-2021-23840 at SUSECVE-2021-23840 at NVDCVE-2021-23841 at SUSECVE-2021-23841 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ovmf (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ovmf fixes the following issues:
- CVE-2021-28211: ovmf: edk2: possible heap corruption with LzmaUefiDecompressGetInfo (bsc#1183578)
- CVE-2021-28210: ovmf: unlimited FV recursion, round 2 (bsc#1183579)
ModerateSUSE bug 1183578SUSE bug 1183579CVE-2021-28210 at SUSECVE-2021-28210 at NVDCVE-2021-28211 at SUSECVE-2021-28211 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tar (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tar fixes the following issues:
CVE-2021-20193: Memory leak in read_header() in list.c (bsc#1181131)
LowSUSE bug 1181131CVE-2021-20193 at SUSECVE-2021-20193 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for zabbix (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for zabbix fixes the following issues:
- CVE-2021-27927: Fixed an improper CSRF protection mechanism (bsc#1183014).
- CVE-2013-7484: Fixed an issue where passwords in the users table were unsalted (bsc#1158321).
ModerateSUSE bug 1158321SUSE bug 1183014CVE-2013-7484 at SUSECVE-2013-7484 at NVDCVE-2021-27927 at SUSECVE-2021-27927 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for opensc (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for opensc fixes the following issues:
- CVE-2020-26571: gemsafe GPK smart card software driver stack-based buffer overflow (bsc#1177380)
- CVE-2019-15946: out-of-bounds access of an ASN.1 Octet string in asn1_decode_entry (bsc#1149747)
- CVE-2019-15945: out-of-bounds access of an ASN.1 Bitstring in decode_bit_string (bsc#1149746)
- CVE-2019-19479: incorrect read operation during parsing of a SETCOS file attribute (bsc#1158256)
- CVE-2020-26572: Prevent out of bounds write (bsc#1177378)
- CVE-2020-26570: Fix buffer overflow in sc_oberthur_read_file (bsc#1177364)
ModerateSUSE bug 1149746SUSE bug 1149747SUSE bug 1158256SUSE bug 1177364SUSE bug 1177378SUSE bug 1177380CVE-2019-15945 at SUSECVE-2019-15945 at NVDCVE-2019-15946 at SUSECVE-2019-15946 at NVDCVE-2019-19479 at SUSECVE-2019-19479 at NVDCVE-2020-26570 at SUSECVE-2020-26570 at NVDCVE-2020-26571 at SUSECVE-2020-26571 at NVDCVE-2020-26572 at SUSECVE-2020-26572 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
- Firefox was updated to 78.9.0 ESR (MFSA 2021-11, bsc#1183942)
* CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read
* CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage
* CVE-2021-23984: Malicious extensions could have spoofed popup information
* CVE-2021-23987: Memory safety bugs
ImportantSUSE bug 1183942CVE-2021-23981 at SUSECVE-2021-23981 at NVDCVE-2021-23982 at SUSECVE-2021-23982 at NVDCVE-2021-23984 at SUSECVE-2021-23984 at NVDCVE-2021-23987 at SUSECVE-2021-23987 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openvpn (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openvpn fixes the following issues:
- CVE-2022-0547: Fixed possible authentication bypass in external authentication plug-in (bsc#1197341).
ImportantSUSE bug 1197341CVE-2022-0547 at SUSECVE-2022-0547 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_7_1-ibm fixes the following issues:
Update Java 7.1 to Service Refresh 7 Fix Pack 5 (bsc#1197126).
Including fixes for the following vulnerabilities:
CVE-2022-21366, CVE-2022-21365, CVE-2022-21360, CVE-2022-21349,
CVE-2022-21341, CVE-2022-21340, CVE-2022-21305, CVE-2022-21277,
CVE-2022-21299, CVE-2022-21296, CVE-2022-21282, CVE-2022-21294,
CVE-2022-21293, CVE-2022-21291, CVE-2022-21283, CVE-2022-21248,
CVE-2022-21271.
ImportantSUSE bug 1194925SUSE bug 1194926SUSE bug 1194927SUSE bug 1194928SUSE bug 1194929SUSE bug 1194930SUSE bug 1194931SUSE bug 1194932SUSE bug 1194933SUSE bug 1194934SUSE bug 1194935SUSE bug 1194937SUSE bug 1194939SUSE bug 1194940SUSE bug 1194941SUSE bug 1196500SUSE bug 1197126CVE-2022-21248 at SUSECVE-2022-21248 at NVDCVE-2022-21271 at SUSECVE-2022-21271 at NVDCVE-2022-21277 at SUSECVE-2022-21277 at NVDCVE-2022-21282 at SUSECVE-2022-21282 at NVDCVE-2022-21283 at SUSECVE-2022-21283 at NVDCVE-2022-21291 at SUSECVE-2022-21291 at NVDCVE-2022-21293 at SUSECVE-2022-21293 at NVDCVE-2022-21294 at SUSECVE-2022-21294 at NVDCVE-2022-21296 at SUSECVE-2022-21296 at NVDCVE-2022-21299 at SUSECVE-2022-21299 at NVDCVE-2022-21305 at SUSECVE-2022-21305 at NVDCVE-2022-21340 at SUSECVE-2022-21340 at NVDCVE-2022-21341 at SUSECVE-2022-21341 at NVDCVE-2022-21349 at SUSECVE-2022-21349 at NVDCVE-2022-21360 at SUSECVE-2022-21360 at NVDCVE-2022-21365 at SUSECVE-2022-21365 at NVDCVE-2022-21366 at SUSECVE-2022-21366 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-ibm fixes the following issues:
Update Java 8.0 to Service Refresh 7 Fix Pack 5 (bsc#1197126).
Including fixes for the following vulnerabilities:
CVE-2022-21366, CVE-2022-21365, CVE-2022-21360, CVE-2022-21349,
CVE-2022-21341, CVE-2022-21340, CVE-2022-21305, CVE-2022-21277,
CVE-2022-21299, CVE-2022-21296, CVE-2022-21282, CVE-2022-21294,
CVE-2022-21293, CVE-2022-21291, CVE-2022-21283, CVE-2022-21248,
CVE-2022-21271.
Non-securtiy fix:
- Fixed a broken symlink for javaws (bsc#1195146).
ImportantSUSE bug 1194925SUSE bug 1194926SUSE bug 1194927SUSE bug 1194928SUSE bug 1194929SUSE bug 1194930SUSE bug 1194931SUSE bug 1194932SUSE bug 1194933SUSE bug 1194934SUSE bug 1194935SUSE bug 1194937SUSE bug 1194939SUSE bug 1194940SUSE bug 1194941SUSE bug 1195146SUSE bug 1196500SUSE bug 1197126CVE-2022-21248 at SUSECVE-2022-21248 at NVDCVE-2022-21271 at SUSECVE-2022-21271 at NVDCVE-2022-21277 at SUSECVE-2022-21277 at NVDCVE-2022-21282 at SUSECVE-2022-21282 at NVDCVE-2022-21283 at SUSECVE-2022-21283 at NVDCVE-2022-21291 at SUSECVE-2022-21291 at NVDCVE-2022-21293 at SUSECVE-2022-21293 at NVDCVE-2022-21294 at SUSECVE-2022-21294 at NVDCVE-2022-21296 at SUSECVE-2022-21296 at NVDCVE-2022-21299 at SUSECVE-2022-21299 at NVDCVE-2022-21305 at SUSECVE-2022-21305 at NVDCVE-2022-21340 at SUSECVE-2022-21340 at NVDCVE-2022-21341 at SUSECVE-2022-21341 at NVDCVE-2022-21349 at SUSECVE-2022-21349 at NVDCVE-2022-21360 at SUSECVE-2022-21360 at NVDCVE-2022-21365 at SUSECVE-2022-21365 at NVDCVE-2022-21366 at SUSECVE-2022-21366 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for zlib (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for zlib fixes the following issues:
- CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).
ImportantSUSE bug 1197459CVE-2018-25032 at SUSECVE-2018-25032 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3 fixes the following issues:
- CVE-2021-3572: Fixed an improper handling of unicode characters in pip (bsc#1186819).
ModerateSUSE bug 1186819CVE-2021-3572 at SUSECVE-2021-3572 at NVDcpe:/o:suse:sles_teradata:12:sp3Feature update for python36 stack (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python36 stack provides the following changes:
aws-cli-py36:
- Introduce aws-cli-py36 version 1.19.9 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (bsc#1146853, bsc#1182422, bsc#1066528, bsc#1168943, bsc#1117074, bsc#1175148,
bsc#985858, bsc#949877, bsc#1044370, bsc#1105988, bsc#1182421, bsc#902598, bsc#974993, bsc#905354, bsc#1092493,
bsc#1088310, bsc#1118099, bsc#958686, bsc#1015776, bsc#1118024, bsc#1118021, bsc#1175147, bsc#1166924,
CVE-2018-15869, fate#318337, fate#315990)
python36:
- Security fixes:
* CVE-2021-3572: update the bundled pip wheel to the latest SUSE Linux Enterprise version. (bsc#1186819)
- Non security changes:
* Don't use appstream-glib on SUSE Linux Enterprise 12.
* Skip documentation generation on SUSE Linux Enterprise 12.
* Skip tests because of patched OpenSSL.
* Suppress Sphinx warnings
* Support Expat >= 2.4.5 and be more strict with the executed build tests.
python36-appdirs:
- Introduce python36-appdirs version 1.4.3 and provide python36 needed dependencies. (jsc#SLE-22179)
python36-asn1crypto:
- Introduce python36-asn1crypto version 0.24.0 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (fate#323875, bsc#1054413)
python36-atomicwrites:
- Introduce python36-atomicwrites version 1.4.0 and provide python36 needed dependencies. (jsc#SLE-22179)
- Do not provide the documentation for this package as it does not build properly with the current version of Sphinx.
python36-attrs:
- Introduce python36-attrs version 19.3.0 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (bsc#1073845)
python36-boto3:
- Introduce python36-boto3 version 1.17.9 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (jsc#ECO-3352, jsc#PM-2485, jsc#PM-1447, jsc#ECO-2362, jsc#PM-2069, bsc#974705,
bsc#1168943, bsc#1118021, bsc#1122668, bsc#1075263, bsc#1146853, bsc#1146854, bsc#1166924, bsc#1118027,
bsc#1069697, bsc#962170, bsc#1175148, bsc#1175147, bsc#1182422, bsc#1182421, bsc#1118024, bsc#1007084, bsc#1015776,
fate#326950, fate#320335)
python36-botocore:
- Introduce python36-botocore version 1.20.9 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (jsc#PM-2069, jsc#ECO-2362, jsc#ECO-3352, jsc#PM-2485, bsc#1044370, bsc#1182421,
bsc#1129696, bsc#949877, bsc#1118024, bsc#1075263, bsc#905354, bsc#985858, bsc#1146853, bsc#1175148,
bsc#1007084, bsc#1168943, bsc#1146854, bsc#1088310, bsc#1182422, bsc#958686, bsc#1175147, bsc#1118021,
bsc#1015776, bsc#1136184, bsc#1066528, bsc#1118027, bsc#974705, bsc#1095041, bsc#1166924, fate#318337, fate#315990)
python36-certifi:
- Introduce python36-certifi version 2018.1.18 and provide python36 needed dependencies. (jsc#SLE-22179)
python36-cffi:
- Introduce python36-cffi version 1.11.5 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (jsc#ECO-1256, jsc#ECO-3105, fate#324435, fate#323875, fate#318838,
bsc#1138748, bsc#948198, bsc#981848, bsc#1070737, bsc#1111657, bsc#1176784)
python36-chardet:
- Introduce python36-chardet version 3.0.4 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (bsc#1002895, fate#321630)
python36-colorama:
- Introduce python36-colorama version 0.4.4 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (jsc#PM-2352, bnc#1176785).
python36-cryptography:
- Introduce python36-cryptography version 2.8 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (jsc#ECO-3105, jsc#ECO-1256, fate#324191, fate#318838, fate#323875, fate#324435,
CVE-2020-25659, CVE-2020-36242, CVE-2018-1000808, CVE-2018-10903, CVE-2018-1000807,
bsc#1178168, bsc#1065275, bsc#1149792, bsc#1111635, bsc#1101820, bsc#947679, bsc#944204, bsc#1052927, bsc#1002168,
bsc#1073879, bsc#1138748, bsc#1111634, bsc#948198, bsc#1182066, bsc#1055478, bsc#1176784)
python36-cryptography-vectors:
- Introduce python36-cryptography-vectors version 2.8 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (jsc#ECO-3105, bsc#1176784)
python36-docutils:
- Introduce python36-docutils version 0.14 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (bsc#1039394, bsc#564366)
python36-idna:
- Introduce python36-idna version 2.6 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (fate#323875, fate#323875, bsc#1054413)
python36-importlib-metadata:
- Introduce python36-importlib-metadata version 1.5.0 and provide python36 needed dependencies. (jsc#SLE-22179)
python36-iso8601:
- Introduce python36-iso8601 version 0.1.10 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (fate#324191, fate#316168, bsc#1065275)
python36-jmespath:
- Introduce python36-jmespath version 0.9.3 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (bsc#905354)
python36-more-itertools:
- Introduce python36-more-itertools version 5.0.0 and provide python36 needed dependencies. (jsc#SLE-22179)
python36-packaging:
- Introduce python36-packaging version 17.1 and provide python36 needed dependencies. (jsc#SLE-22179)
python36-pip:
- Introduce python36-pip version 9.0.1 and provide python36 needed dependencies. (jsc#SLE-22179)
- Resolve a conflict between python3-pip and python36-pip. (bsc#1195351)
* This package provides only `/usr/bin/pip3.6` and the users has to create their own symlinks if
they want something else.
- Mention existing old fixes. (CVE-2013-5123, CVE-2014-8991, CVE-2015-2296, bsc#842516)
python36-pluggy:
- Introduce python36-pluggy version 0.13.1 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (bsc#1073845)
python36-ply:
- Introduce python36-ply version 3.10 and provide python36 needed dependencies. (jsc#SLE-22179)
python36-pretend:
- Introduce python36-pretend version 1.0.9 and provide python36 needed dependencies. (jsc#SLE-22179)
python36-py:
- Introduce python36-py version 1.8.1 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (CVE-2020-29651, bsc#1184505, bsc#1138666, bsc#1179805)
python36-pyasn1:
- Introduce python36-pyasn1 version 0.1.9 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (fate#323875, fate#318838)
python36-pyasn1-modules:
- Introduce python36-pyasn1-modules version 0.0.5 and provide python36 needed dependencies. (jsc#SLE-22179)
python36-pycparser:
- Introduce python36-pycparser version 2.10 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (bsc#1073879, fate#324435)
python36-pyOpenSSL:
- Introduce python36-pyOpenSSL version 17.1.0 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (bsc#855666, bsc#1073879, bsc#715423, bsc#839107, bsc#1065275, bsc#1138748,
fate#324191, fate#324435, CVE-2013-4314, jsc#ECO-1256)
python36-pyparsing:
- Introduce python36-pyparsing version 2.4.7 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (bsc#1186870)
python36-pytest:
- Introduce python36-pytest version 3.10.1 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (bsc#1167732)
python36-python-dateutil:
- Introduce python36-python-dateutil version 2.7.3 and provide python36 needed dependencies. (jsc#SLE-22179)
python36-PyYAML:
- Introduce python36-PyYAML version 5.3.1 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (jsc#ECO-3105, jsc#PM-2352, CVE-2017-18342, CVE-2020-14343, CVE-2020-1747,
bsc#1099308, bsc#1176785, bsc#1082318, bsc#1140565, bsc#1165439, bsc#1174514)
python36-requests:
- Introduce python36-requests version 2.24.0 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (jsc#ECO-3105, jsc#PM-2352, bsc#922448, bsc#1170175, bsc#945455, bsc#799119, bsc#947357,
bsc#929736, bsc#1111622, bsc#967128, bsc#1176785, bsc#761500, CVE-2015-2296, CVE-2018-18074, CVE-2014-1829,
CVE-2014-1830)
python36-rpm-macros:
- Introduce python36-rpm-macros version 20200207.5feb6c1 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (bsc#1171561, bsc#1161770, bsc#1128323)
python36-rsa:
- Introduce python36-rsa version 3.4.2 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (CVE-2020-13757, bsc#1172389, bsc#954690, bsc#935595, bsc#960680, fate#319904)
python36-s3transfer:
- Introduce python36-s3transfer version 0.3.3 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (bsc#1168943, bsc#1146854, bsc#974993, bsc#1007084, bsc#975949, fate#320748)
python36-setuptools:
- Introduce python36-setuptools version 40.6.2 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (bsc#1176262, bsc#1174035, bsc#1075812, bsc#993968, bsc#930189, bsc#913229, bsc#428177,
bsc#428177, CVE-2019-20916, FATE#323875, FATE#319032, FATE#318137)
python36-setuptools_scm:
- Introduce python36-setuptools_scm version 1.15.6 and provide python36 needed dependencies. (jsc#SLE-22179)
python36-simplejson:
- Introduce python36-simplejson version 3.8.2 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (fate#324435, bsc#1073879)
python36-six:
- Introduce python36-six version 1.14.0 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (jsc#ECO-3105, fate#326838, fate#324435, fate#315990, fate#319030, fate#318838
bsc#1113302, bsc#940812, bsc#1166139, bsc#1176784, bsc#1057496, bsc#1073879, bsc#1123064, bsc#1143893)
python36-pytz:
- Introduce python36-pytz version 2016.10 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (bsc#1027705, bsc#975875)
python36-urllib3:
- Introduce python36-urllib3 version 1.25.10 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (jsc#PM-2485, jsc#ECO-3352, CVE-2020-26137, CVE-2019-11324, CVE-2016-9015, CVE-2019-11236,
CVE-2019-9740, CVE-2021-33503, bsc#1138715, bsc#1177120, bsc#1132663, bsc#1187045, bsc#1132900, bsc#1074247,
bsc#1129071, bsc#1176389, bsc#1182422, bsc#1138746, bsc#1150895, fate#321630)
python36-wheel:
- Introduce python36-wheel version 0.32.3 and provide python36 needed dependencies. (jsc#SLE-22179)
- Mention existing old fixes. (bsc#1037032)
python36-zipp:
- Introduce python36-zipp version 0.6.0 and provide python36 needed dependencies. (jsc#SLE-22179)
ModerateSUSE bug 1002168SUSE bug 1002895SUSE bug 1007084SUSE bug 1015776SUSE bug 1027705SUSE bug 1037032SUSE bug 1039394SUSE bug 1044370SUSE bug 1052927SUSE bug 1054413SUSE bug 1055478SUSE bug 1057496SUSE bug 1065275SUSE bug 1066528SUSE bug 1069697SUSE bug 1070737SUSE bug 1073845SUSE bug 1073879SUSE bug 1074247SUSE bug 1075263SUSE bug 1075812SUSE bug 1082318SUSE bug 1088310SUSE bug 1092493SUSE bug 1095041SUSE bug 1099308SUSE bug 1101820SUSE bug 1105988SUSE bug 1111622SUSE bug 1111634SUSE bug 1111635SUSE bug 1111657SUSE bug 1113302SUSE bug 1117074SUSE bug 1118021SUSE bug 1118024SUSE bug 1118027SUSE bug 1118099SUSE bug 1122668SUSE bug 1123064SUSE bug 1128323SUSE bug 1129071SUSE bug 1129696SUSE bug 1132663SUSE bug 1132900SUSE bug 1136184SUSE bug 1138666SUSE bug 1138715SUSE bug 1138746SUSE bug 1138748SUSE bug 1140565SUSE bug 1143893SUSE bug 1146853SUSE bug 1146854SUSE bug 1149792SUSE bug 1150895SUSE bug 1161770SUSE bug 1165439SUSE bug 1166139SUSE bug 1166924SUSE bug 1167732SUSE bug 1168943SUSE bug 1170175SUSE bug 1171561SUSE bug 1172389SUSE bug 1174035SUSE bug 1174514SUSE bug 1175147SUSE bug 1175148SUSE bug 1176262SUSE bug 1176389SUSE bug 1176784SUSE bug 1176785SUSE bug 1177120SUSE bug 1178168SUSE bug 1179805SUSE bug 1182066SUSE bug 1182421SUSE bug 1182422SUSE bug 1184505SUSE bug 1186819SUSE bug 1186870SUSE bug 1187045SUSE bug 1195351SUSE bug 428177SUSE bug 564366SUSE bug 715423SUSE bug 761500SUSE bug 799119SUSE bug 839107SUSE bug 842516SUSE bug 855666SUSE bug 902598SUSE bug 905354SUSE bug 913229SUSE bug 922448SUSE bug 929736SUSE bug 930189SUSE bug 935595SUSE bug 940812SUSE bug 944204SUSE bug 945455SUSE bug 947357SUSE bug 947679SUSE bug 948198SUSE bug 949877SUSE bug 954690SUSE bug 958686SUSE bug 960680SUSE bug 962170SUSE bug 967128SUSE bug 974705SUSE bug 974993SUSE bug 975875SUSE bug 975949SUSE bug 981848SUSE bug 985858SUSE bug 993968CVE-2013-4314 at SUSECVE-2013-4314 at NVDCVE-2013-5123 at SUSECVE-2013-5123 at NVDCVE-2014-1829 at SUSECVE-2014-1829 at NVDCVE-2014-1830 at SUSECVE-2014-1830 at NVDCVE-2014-8991 at SUSECVE-2014-8991 at NVDCVE-2015-2296 at SUSECVE-2015-2296 at NVDCVE-2016-9015 at SUSECVE-2016-9015 at NVDCVE-2017-18342 at SUSECVE-2017-18342 at NVDCVE-2018-1000807 at SUSECVE-2018-1000807 at NVDCVE-2018-1000808 at SUSECVE-2018-1000808 at NVDCVE-2018-10903 at SUSECVE-2018-10903 at NVDCVE-2018-15869 at SUSECVE-2018-15869 at NVDCVE-2018-18074 at SUSECVE-2018-18074 at NVDCVE-2019-11236 at SUSECVE-2019-11236 at NVDCVE-2019-11324 at SUSECVE-2019-11324 at NVDCVE-2019-20916 at SUSECVE-2019-20916 at NVDCVE-2019-9740 at SUSECVE-2019-9740 at NVDCVE-2020-13757 at SUSECVE-2020-13757 at NVDCVE-2020-14343 at SUSECVE-2020-14343 at NVDCVE-2020-1747 at SUSECVE-2020-1747 at NVDCVE-2020-25659 at SUSECVE-2020-25659 at NVDCVE-2020-26137 at SUSECVE-2020-26137 at NVDCVE-2020-29651 at SUSECVE-2020-29651 at NVDCVE-2020-36242 at SUSECVE-2020-36242 at NVDCVE-2021-33503 at SUSECVE-2021-33503 at NVDCVE-2021-3572 at SUSECVE-2021-3572 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 7 Fix Pack 0
- CVE-2021-41035: before version 0.29.0, the openj9 JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods. (bsc#1194198, bsc#1192052)
- CVE-2021-35586: Excessive memory allocation in BMPImageReader. (bsc#1191914)
- CVE-2021-35564: Certificates with end dates too far in the future can corrupt keystore. (bsc#1191913)
- CVE-2021-35559: Excessive memory allocation in RTFReader. (bsc#1191911)
- CVE-2021-35556: Excessive memory allocation in RTFParser. (bsc#1191910)
- CVE-2021-35565: Loop in HttpsServer triggered during TLS session close. (bsc#1191909)
- CVE-2021-35588: Incomplete validation of inner class references in ClassFileParser. (bsc#1191905)
- CVE-2021-2341: Fixed a flaw inside the FtpClient. (bsc#1188564)
- CVE-2021-2369: JAR file handling problem containing multiple MANIFEST.MF files. (bsc#1188565)
- CVE-2021-2163: Incomplete enforcement of JAR signing disabled algorithms. (bsc#1185055)
- CVE-2021-35560: Fixed a vulnerability in the component Deployment. (bsc#1191902)
- CVE-2021-35578: Fixed unexpected exception raised during TLS handshake. (bsc#1191904)
ImportantSUSE bug 1185055SUSE bug 1188564SUSE bug 1188565SUSE bug 1191902SUSE bug 1191904SUSE bug 1191905SUSE bug 1191909SUSE bug 1191910SUSE bug 1191911SUSE bug 1191913SUSE bug 1191914SUSE bug 1192052SUSE bug 1194198SUSE bug 1194232CVE-2021-2163 at SUSECVE-2021-2163 at NVDCVE-2021-2341 at SUSECVE-2021-2341 at NVDCVE-2021-2369 at SUSECVE-2021-2369 at NVDCVE-2021-35556 at SUSECVE-2021-35556 at NVDCVE-2021-35559 at SUSECVE-2021-35559 at NVDCVE-2021-35560 at SUSECVE-2021-35560 at NVDCVE-2021-35564 at SUSECVE-2021-35564 at NVDCVE-2021-35565 at SUSECVE-2021-35565 at NVDCVE-2021-35578 at SUSECVE-2021-35578 at NVDCVE-2021-35586 at SUSECVE-2021-35586 at NVDCVE-2021-35588 at SUSECVE-2021-35588 at NVDCVE-2021-41035 at SUSECVE-2021-41035 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for virglrenderer (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for virglrenderer fixes the following issues:
- CVE-2022-0175: Fixed missing initialization of res->ptr (bsc#1194601).
ImportantSUSE bug 1194601CVE-2022-0175 at SUSECVE-2022-0175 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for mozilla-nss (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mozilla-nss fixes the following issues:
Mozilla NSS 3.68.3 (bsc#1197903):
- CVE-2022-1097: Fixed memory safety violations that could occur when PKCS#11
tokens are removed while in use.
ImportantSUSE bug 1197903CVE-2022-1097 at SUSECVE-2022-1097 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.8.0 ESR (bsc#1197903):
MFSA 2022-14 (bsc#1197903)
* CVE-2022-1097: Fixed memory safety violations that could occur when PKCS#11 tokens are removed while in use
* CVE-2022-28281: Fixed an out of bounds write due to unexpected WebAuthN Extensions
* CVE-2022-1196: Fixed a use-after-free after VR Process destruction
* CVE-2022-28282: Fixed a use-after-free in DocumentL10n::TranslateDocument
* CVE-2022-28285: Fixed incorrect AliasSet used in JIT Codegen
* CVE-2022-28286: Fixed that iframe contents could be rendered outside the border
* CVE-2022-24713: Fixed a denial of service via complex regular expressions
* CVE-2022-28289: Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8
ImportantSUSE bug 1197903CVE-2022-1097 at SUSECVE-2022-1097 at NVDCVE-2022-1196 at SUSECVE-2022-1196 at NVDCVE-2022-24713 at SUSECVE-2022-24713 at NVDCVE-2022-28281 at SUSECVE-2022-28281 at NVDCVE-2022-28282 at SUSECVE-2022-28282 at NVDCVE-2022-28285 at SUSECVE-2022-28285 at NVDCVE-2022-28286 at SUSECVE-2022-28286 at NVDCVE-2022-28289 at SUSECVE-2022-28289 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for glibc (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for glibc fixes the following issues:
- CVE-2020-1752: Fix use-after-free in glob when expanding ~user (bsc#1167631)
ImportantSUSE bug 1167631CVE-2020-1752 at SUSECVE-2020-1752 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openjpeg2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openjpeg2 fixes the following issues:
- CVE-2016-1924: Fixed heap buffer overflow (bsc#980504).
- CVE-2016-3183: Fixed out-of-bounds read in sycc422_to_rgb function (bsc#971617).
- CVE-2016-4797: Fixed heap buffer overflow (bsc#980504).
- CVE-2018-14423: Fixed division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_next_cprl,and pi_next_rpcl in lib/openjp3d/pi.c (bsc#1102016).
- CVE-2018-16375: Fixed missing checks for header_info.height and header_info.width in the function pnmtoimage in bin/jpwl/convert.c (bsc#1106882).
- CVE-2018-16376: Fixed heap-based buffer overflow function t2_encode_packet in lib/openmj2/t2.c (bsc#1106881).
- CVE-2018-20845: Fixed division-by-zero in the functions pi_next_pcrl, pi_next_cprl, and pi_next_rpcl in openmj2/pi.c (bsc#1140130).
- CVE-2018-20846: Fixed out-of-bounds accesses in pi_next_lrcp, pi_next_rlcp, pi_next_rpcl, pi_next_pcrl, pi_next_rpcl, and pi_next_cprl in openmj2/pi.c (bsc#1140205).
- CVE-2020-8112: Fixed heap-based buffer overflow in opj_t1_clbl_decode_processor in openjp2/t1.c (bsc#1162090).
- CVE-2020-15389: Fixed use-after-free if t a mix of valid and invalid files in a directory operated on by the decompressor (bsc#1173578).
- CVE-2020-27823: Fixed heap buffer over-write in opj_tcd_dc_level_shift_encode() (bsc#1180457).
- CVE-2021-29338: Fixed integer overflow that allows remote attackers to crash the application (bsc#1184774).
- CVE-2022-1122: Fixed segmentation fault in opj2_decompress due to uninitialized pointer (bsc#1197738).
ImportantSUSE bug 1102016SUSE bug 1106881SUSE bug 1106882SUSE bug 1140130SUSE bug 1140205SUSE bug 1162090SUSE bug 1173578SUSE bug 1180457SUSE bug 1184774SUSE bug 1197738SUSE bug 971617SUSE bug 980504CVE-2016-1924 at SUSECVE-2016-1924 at NVDCVE-2016-3183 at SUSECVE-2016-3183 at NVDCVE-2016-4797 at SUSECVE-2016-4797 at NVDCVE-2018-14423 at SUSECVE-2018-14423 at NVDCVE-2018-16375 at SUSECVE-2018-16375 at NVDCVE-2018-16376 at SUSECVE-2018-16376 at NVDCVE-2018-20845 at SUSECVE-2018-20845 at NVDCVE-2018-20846 at SUSECVE-2018-20846 at NVDCVE-2020-15389 at SUSECVE-2020-15389 at NVDCVE-2020-27823 at SUSECVE-2020-27823 at NVDCVE-2020-8112 at SUSECVE-2020-8112 at NVDCVE-2021-29338 at SUSECVE-2021-29338 at NVDCVE-2022-1122 at SUSECVE-2022-1122 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
- CVE-2021-4140: Fixed iframe sandbox bypass with XSLT (bsc#1194547).
- CVE-2022-22737: Fixed race condition when playing audio files (bsc#1194547).
- CVE-2022-22738: Fixed heap-buffer-overflow in blendGaussianBlur (bsc#1194547).
- CVE-2022-22739: Fixed missing throttling on external protocol launch dialog (bsc#1194547).
- CVE-2022-22740: Fixed use-after-free of ChannelEventQueue::mOwner (bsc#1194547).
- CVE-2022-22741: Fixed browser window spoof using fullscreen mode (bsc#1194547).
- CVE-2022-22742: Fixed out-of-bounds memory access when inserting text in edit mode (bsc#1194547).
- CVE-2022-22743: Fixed browser window spoof using fullscreen mode (bsc#1194547).
- CVE-2022-22744: Fixed possible command injection via the 'Copy as curl' feature in DevTools (bsc#1194547).
- CVE-2022-22745: Fixed leaking cross-origin URLs through securitypolicyviolation event (bsc#1194547).
- CVE-2022-22746: Fixed calling into reportValidity could have lead to fullscreen window spoof (bsc#1194547).
- CVE-2022-22747: Fixed crash when handling empty pkcs7 sequence(bsc#1194547).
- CVE-2022-22748: Fixed spoofed origin on external protocol launch dialog (bsc#1194547).
- CVE-2022-22751: Fixed memory safety bugs (bsc#1194547).
ImportantSUSE bug 1194547CVE-2021-4140 at SUSECVE-2021-4140 at NVDCVE-2022-22737 at SUSECVE-2022-22737 at NVDCVE-2022-22738 at SUSECVE-2022-22738 at NVDCVE-2022-22739 at SUSECVE-2022-22739 at NVDCVE-2022-22740 at SUSECVE-2022-22740 at NVDCVE-2022-22741 at SUSECVE-2022-22741 at NVDCVE-2022-22742 at SUSECVE-2022-22742 at NVDCVE-2022-22743 at SUSECVE-2022-22743 at NVDCVE-2022-22744 at SUSECVE-2022-22744 at NVDCVE-2022-22745 at SUSECVE-2022-22745 at NVDCVE-2022-22746 at SUSECVE-2022-22746 at NVDCVE-2022-22747 at SUSECVE-2022-22747 at NVDCVE-2022-22748 at SUSECVE-2022-22748 at NVDCVE-2022-22751 at SUSECVE-2022-22751 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xz (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xz fixes the following issues:
- CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)
ImportantSUSE bug 1198062CVE-2022-1271 at SUSECVE-2022-1271 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libexif (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libexif fixes the following issues:
- CVE-2020-0181: Fixed an integer overflow that could lead to denial of service
(bsc#1172802).
- CVE-2020-0198: Fixed and unsigned integer overflow that could lead to denial
of service (bsc#1172768).
- CVE-2020-0452: Fixed a buffer overflow check that could be optimized away
by the compiler (bsc#1178479).
ImportantSUSE bug 1172768SUSE bug 1172802SUSE bug 1178479CVE-2020-0181 at SUSECVE-2020-0181 at NVDCVE-2020-0198 at SUSECVE-2020-0198 at NVDCVE-2020-0452 at SUSECVE-2020-0452 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python-numpy (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-numpy fixes the following issues:
- CVE-2021-33430: Fixed buffer overflow that could lead to DoS in PyArray_NewFromDescr_int function of ctors.c (bsc#1193913).
- CVE-2021-41496: Fixed buffer overflow that could lead to DoS in array_from_pyobj function of fortranobject.c (bsc#1193907).
ModerateSUSE bug 1193907SUSE bug 1193913CVE-2021-33430 at SUSECVE-2021-33430 at NVDCVE-2021-41496 at SUSECVE-2021-41496 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for zabbix (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for zabbix fixes the following issues:
- CVE-2022-24349: Fixed a reflected XSS in the action configuration window (bsc#1196944).
- CVE-2022-24917: Fixed a reflected XSS in the service configuration window (bsc#1196945).
- CVE-2022-24918: Fixed a reflected XSS in the item configuration window (bsc#1196946).
- CVE-2022-24919: Fixed a reflected XSS in the graph configuration window (bsc#1196947).
ModerateSUSE bug 1196944SUSE bug 1196945SUSE bug 1196946SUSE bug 1196947CVE-2022-24349 at SUSECVE-2022-24349 at NVDCVE-2022-24917 at SUSECVE-2022-24917 at NVDCVE-2022-24918 at SUSECVE-2022-24918 at NVDCVE-2022-24919 at SUSECVE-2022-24919 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gzip (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gzip fixes the following issues:
- CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)
ImportantSUSE bug 1198062CVE-2022-1271 at SUSECVE-2022-1271 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for dnsmasq (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for dnsmasq fixes the following issues:
- CVE-2021-3448: Fixed a potential DNS cache poisoning issue due to a constant
outgoing port being used when for certain use cases of the --server option
(bsc#1183709).
- CVE-2022-0934: Fixed an invalid memory access that could lead to remote denial
of service via crafted packet (bsc#1197872).
ImportantSUSE bug 1183709SUSE bug 1197872CVE-2021-3448 at SUSECVE-2021-3448 at NVDCVE-2022-0934 at SUSECVE-2022-0934 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for git (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for git fixes the following issues:
- CVE-2022-24765: Fixed a potential command injection via git worktree (bsc#1198234).
ImportantSUSE bug 1198234CVE-2022-24765 at SUSECVE-2022-24765 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libxml2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libxml2 fixes the following issues:
- CVE-2022-23308: Fixed use-after-free of ID and IDREF attributes. (bsc#1196490)
ImportantSUSE bug 1196490CVE-2022-23308 at SUSECVE-2022-23308 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for SDL (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for SDL fixes the following issues:
- CVE-2020-14409: Fixed an integer overflow (and resultant SDL_memcpy heap corruption) in SDL_BlitCopy in video/SDL_blit_copy.c. (bsc#1181202)
- CVE-2020-14410: Fixed a heap-based buffer over-read in Blit_3or4_to_3or4__inversed_rgb in video/SDL_blit_N.c. (bsc#1181201)
- CVE-2021-33657: Fixed a Heap overflow problem in video/SDL_pixels.c. (bsc#1198001)
ImportantSUSE bug 1181201SUSE bug 1181202SUSE bug 1198001CVE-2020-14409 at SUSECVE-2020-14409 at NVDCVE-2020-14410 at SUSECVE-2020-14410 at NVDCVE-2021-33657 at SUSECVE-2021-33657 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
- CVE-2022-26356: Fixed potential race conditions in dirty memory tracking that
could cause a denial of service in the host (bsc#1197423).
- CVE-2022-26357: Fixed a potential race condition in memory cleanup for hosts
using VT-d IOMMU hardware, which could lead to a denial of service in the host
(bsc#1197425).
- CVE-2022-26358,CVE-2022-26359,CVE-2022-26360,CVE-2022-26361: Fixed various memory
corruption issues for hosts using VT-d or AMD-Vi IOMMU hardware. These could be
leveraged by an attacker to cause a denial of service in the host (bsc#1197426).
- CVE-2022-0001, CVE-2022-0002, CVE-2021-26401: Added BHB speculation issue
mitigations (bsc#1196915).
ImportantSUSE bug 1196915SUSE bug 1197423SUSE bug 1197425SUSE bug 1197426CVE-2021-26401 at SUSECVE-2021-26401 at NVDCVE-2022-0001 at SUSECVE-2022-0001 at NVDCVE-2022-0002 at SUSECVE-2022-0002 at NVDCVE-2022-26356 at SUSECVE-2022-26356 at NVDCVE-2022-26357 at SUSECVE-2022-26357 at NVDCVE-2022-26358 at SUSECVE-2022-26358 at NVDCVE-2022-26359 at SUSECVE-2022-26359 at NVDCVE-2022-26360 at SUSECVE-2022-26360 at NVDCVE-2022-26361 at SUSECVE-2022-26361 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ant (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ant fixes the following issues:
- CVE-2021-36373: Fixed an excessive memory allocation when reading a specially
crafted TAR archive (bsc#1188468).
- CVE-2021-36374: Fixed an excessive memory allocation when reading a specially
crafted ZIP archive (bsc#1188469).
ModerateSUSE bug 1188468SUSE bug 1188469CVE-2021-36373 at SUSECVE-2021-36373 at NVDCVE-2021-36374 at SUSECVE-2021-36374 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.34.3 (bsc#1194019).
- CVE-2021-30887: Fixed logic issue allowing unexpectedly unenforced Content Security Policy when processing maliciously crafted web content.
- CVE-2021-30890: Fixed logic issue allowing universal cross site scripting when processing maliciously crafted web content.
ImportantSUSE bug 1194019CVE-2018-8518 at SUSECVE-2018-8518 at NVDCVE-2018-8523 at SUSECVE-2018-8523 at NVDCVE-2019-8551 at SUSECVE-2019-8551 at NVDCVE-2019-8558 at SUSECVE-2019-8558 at NVDCVE-2019-8559 at SUSECVE-2019-8559 at NVDCVE-2019-8563 at SUSECVE-2019-8563 at NVDCVE-2019-8674 at SUSECVE-2019-8674 at NVDCVE-2019-8681 at SUSECVE-2019-8681 at NVDCVE-2019-8684 at SUSECVE-2019-8684 at NVDCVE-2019-8687 at SUSECVE-2019-8687 at NVDCVE-2019-8688 at SUSECVE-2019-8688 at NVDCVE-2019-8689 at SUSECVE-2019-8689 at NVDCVE-2019-8690 at SUSECVE-2019-8690 at NVDCVE-2019-8707 at SUSECVE-2019-8707 at NVDCVE-2019-8719 at SUSECVE-2019-8719 at NVDCVE-2019-8726 at SUSECVE-2019-8726 at NVDCVE-2019-8733 at SUSECVE-2019-8733 at NVDCVE-2019-8763 at SUSECVE-2019-8763 at NVDCVE-2019-8765 at SUSECVE-2019-8765 at NVDCVE-2019-8766 at SUSECVE-2019-8766 at NVDCVE-2019-8768 at SUSECVE-2019-8768 at NVDCVE-2019-8782 at SUSECVE-2019-8782 at NVDCVE-2019-8808 at SUSECVE-2019-8808 at NVDCVE-2019-8815 at SUSECVE-2019-8815 at NVDCVE-2019-8821 at SUSECVE-2019-8821 at NVDCVE-2019-8822 at SUSECVE-2019-8822 at NVDCVE-2020-10018 at SUSECVE-2020-10018 at NVDCVE-2020-13753 at SUSECVE-2020-13753 at NVDCVE-2020-27918 at SUSECVE-2020-27918 at NVDCVE-2020-29623 at SUSECVE-2020-29623 at NVDCVE-2020-3885 at SUSECVE-2020-3885 at NVDCVE-2020-3894 at SUSECVE-2020-3894 at NVDCVE-2020-3895 at SUSECVE-2020-3895 at NVDCVE-2020-3897 at SUSECVE-2020-3897 at NVDCVE-2020-3900 at SUSECVE-2020-3900 at NVDCVE-2020-3901 at SUSECVE-2020-3901 at NVDCVE-2020-3902 at SUSECVE-2020-3902 at NVDCVE-2020-9802 at SUSECVE-2020-9802 at NVDCVE-2020-9803 at SUSECVE-2020-9803 at NVDCVE-2020-9805 at SUSECVE-2020-9805 at NVDCVE-2020-9947 at SUSECVE-2020-9947 at NVDCVE-2020-9948 at SUSECVE-2020-9948 at NVDCVE-2020-9951 at SUSECVE-2020-9951 at NVDCVE-2020-9952 at SUSECVE-2020-9952 at NVDCVE-2021-1765 at SUSECVE-2021-1765 at NVDCVE-2021-1788 at SUSECVE-2021-1788 at NVDCVE-2021-1817 at SUSECVE-2021-1817 at NVDCVE-2021-1820 at SUSECVE-2021-1820 at NVDCVE-2021-1825 at SUSECVE-2021-1825 at NVDCVE-2021-1826 at SUSECVE-2021-1826 at NVDCVE-2021-1844 at SUSECVE-2021-1844 at NVDCVE-2021-1871 at SUSECVE-2021-1871 at NVDCVE-2021-30661 at SUSECVE-2021-30661 at NVDCVE-2021-30666 at SUSECVE-2021-30666 at NVDCVE-2021-30682 at SUSECVE-2021-30682 at NVDCVE-2021-30761 at SUSECVE-2021-30761 at NVDCVE-2021-30762 at SUSECVE-2021-30762 at NVDCVE-2021-30809 at SUSECVE-2021-30809 at NVDCVE-2021-30818 at SUSECVE-2021-30818 at NVDCVE-2021-30823 at SUSECVE-2021-30823 at NVDCVE-2021-30836 at SUSECVE-2021-30836 at NVDCVE-2021-30846 at SUSECVE-2021-30846 at NVDCVE-2021-30848 at SUSECVE-2021-30848 at NVDCVE-2021-30849 at SUSECVE-2021-30849 at NVDCVE-2021-30851 at SUSECVE-2021-30851 at NVDCVE-2021-30858 at SUSECVE-2021-30858 at NVDCVE-2021-30884 at SUSECVE-2021-30884 at NVDCVE-2021-30887 at SUSECVE-2021-30887 at NVDCVE-2021-30888 at SUSECVE-2021-30888 at NVDCVE-2021-30889 at SUSECVE-2021-30889 at NVDCVE-2021-30890 at SUSECVE-2021-30890 at NVDCVE-2021-30897 at SUSECVE-2021-30897 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for cifs-utils (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for cifs-utils fixes the following issues:
- CVE-2022-27239: Fixed a buffer overflow in the command line ip option (bsc#1197216).
ImportantSUSE bug 1197216CVE-2022-27239 at SUSECVE-2022-27239 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for aide (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for aide fixes the following issues:
- CVE-2021-45417: Fix a bufferoverflow in base64 functions (bsc#1194735)
ImportantSUSE bug 1194735CVE-2021-45417 at SUSECVE-2021-45417 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for jasper (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for jasper fixes the following issues:
- CVE-2021-3467: Fixed NULL pointer deref in jp2_decode() (bsc#1184757).
- CVE-2021-3443: Fixed NULL pointer deref in jp2_decode() (bsc#1184798).
- CVE-2021-26927: Fixed NULL pointer deref in jp2_decode() (bsc#1182104).
- CVE-2021-26926: Fixed an out of bounds read in jp2_decode() (bsc#1182105).
ModerateSUSE bug 1182104SUSE bug 1182105SUSE bug 1184757SUSE bug 1184798CVE-2021-26926 at SUSECVE-2021-26926 at NVDCVE-2021-26927 at SUSECVE-2021-26927 at NVDCVE-2021-3443 at SUSECVE-2021-3443 at NVDCVE-2021-3467 at SUSECVE-2021-3467 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for mutt (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mutt fixes the following issues:
- CVE-2022-1328: Fixed an invalid memory access when reading untrusted uuencoded
data. This could result in including private memory in replies (bsc#1198518).
ModerateSUSE bug 1198518CVE-2022-1328 at SUSECVE-2022-1328 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libcaca (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libcaca fixes the following issues:
- CVE-2022-0856: Fixed a divide by zero issue which could be exploited to cause
an application crash (bsc#1197028).
ModerateSUSE bug 1197028CVE-2022-0856 at SUSECVE-2022-0856 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libvirt (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libvirt fixes the following issues:
- CVE-2022-0897: Fixed a crash in nwfilter when counting number of network filters (bsc#1197636).
ModerateSUSE bug 1197636CVE-2022-0897 at SUSECVE-2022-0897 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for curl (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for curl fixes the following issues:
- CVE-2022-27776: Fixed Auth/cookie leak on redirect (bsc#1198766)
- CVE-2022-22576: Fixed OAUTH2 bearer bypass in connection re-use (bsc#1198614)
ModerateSUSE bug 1198614SUSE bug 1198766CVE-2022-22576 at SUSECVE-2022-22576 at NVDCVE-2022-27776 at SUSECVE-2022-27776 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
This update contains the Firefox Extended Support Release 91.1.0 ESR.
* Fixed: Various stability, functionality, and security fixes
MFSA 2021-40 (bsc#1190269, bsc#1190274):
* CVE-2021-38492: Navigating to `mk:` URL scheme could load Internet Explorer
* CVE-2021-38495: Memory safety bugs fixed in Firefox 92 and Firefox ESR 91.1
Firefox 91.0.1esr ESR
* Fixed: Fixed an issue causing buttons on the tab bar to be
resized when loading certain websites (bug 1704404)
* Fixed: Fixed an issue which caused tabs from private windows
to be visible in non-private windows when viewing switch-to-
tab results in the address bar panel (bug 1720369)
* Fixed: Various stability fixes
* Fixed: Security fix MFSA 2021-37 (bsc#1189547)
* CVE-2021-29991 (bmo#1724896)
Header Splitting possible with HTTP/3 Responses
Firefox Extended Support Release 91.0 ESR
* New: Some of the highlights of the new Extended Support Release are:
- A number of user interface changes. For more information,
see the Firefox 89 release notes.
- Firefox now supports logging into Microsoft, work, and
school accounts using Windows single sign-on. Learn more
- On Windows, updates can now be applied in the background
while Firefox is not running.
- Firefox for Windows now offers a new page about:third-party
to help identify compatibility issues caused by third-party
applications
- Version 2 of Firefox's SmartBlock feature further improves
private browsing. Third party Facebook scripts are blocked to
prevent you from being tracked, but are now automatically
loaded 'just in time' if you decide to 'Log in with Facebook'
on any website.
- Enhanced the privacy of the Firefox Browser's Private
Browsing mode with Total Cookie Protection, which confines
cookies to the site where they were created, preventing
companis from using cookies to track your browsing across
sites. This feature was originally launched in Firefox's ETP
Strict mode.
- PDF forms now support JavaScript embedded in PDF files.
Some PDF forms use JavaScript for validation and other
interactive features.
- You'll encounter less website breakage in Private Browsing
and Strict Enhanced Tracking Protection with SmartBlock,
which provides stand-in scripts so that websites load
properly.
- Improved Print functionality with a cleaner design and
better integration with your computer's printer settings.
- Firefox now protects you from supercookies, a type of
tracker that can stay hidden in your browser and track you
online, even after you clear cookies. By isolating
supercookies, Firefox prevents them from tracking your web
browsing from one site to the next.
- Firefox now remembers your preferred location for saved
bookmarks, displays the bookmarks toolbar by default on new
tabs, and gives you easy access to all of your bookmarks via
a toolbar folder.
- Native support for macOS devices built with Apple Silicon
CPUs brings dramatic performance improvements over the non-
native build that was shipped in Firefox 83: Firefox launches
over 2.5 times faster and web apps are now twice as
responsive (per the SpeedoMeter 2.0 test). If you are on a
new Apple device, follow these steps to upgrade to the latest
Firefox.
- Pinch zooming will now be supported for our users with
Windows touchscreen devices and touchpads on Mac devices.
Firefox users may now use pinch to zoom on touch-capable
devices to zoom in and out of webpages.
- We’ve improved functionality and design for a number of
Firefox search features:
* Selecting a search engine at the bottom of the search
panel now enters search mode for that engine, allowing you to
see suggestions (if available) for your search terms. The old
behavior (immediately performing a search) is available with
a shift-click.
* When Firefox autocompletes the URL of one of your search
engines, you can now search with that engine directly in the
address bar by selecting the shortcut in the address bar
results.
* We’ve added buttons at the bottom of the search panel to
allow you to search your bookmarks, open tabs, and history.
- Firefox supports AcroForm, which will allow you to fill in,
print, and save supported PDF forms and the PDF viewer also
has a new fresh look.
- For our users in the US and Canada, Firefox can now save,
manage, and auto-fill credit card information for you, making
shopping on Firefox ever more convenient.
- In addition to our default, dark and light themes, with
this release, Firefox introduces the Alpenglow theme: a
colorful appearance for buttons, menus, and windows. You can
update your Firefox themes under settings or preferences.
* Changed: Firefox no longer supports Adobe Flash. There is no
setting available to re-enable Flash support.
* Enterprise: Various bug fixes and new policies have been
implemented in the latest version of Firefox. See more
details in the Firefox for Enterprise 91 Release Notes.
MFSA 2021-33 (bsc#1188891):
* CVE-2021-29986: Race condition when resolving DNS names could have led to
memory corruption
* CVE-2021-29981: Live range splitting could have led to conflicting
assignments in the JIT
* CVE-2021-29988: Memory corruption as a result of incorrect style treatment
* CVE-2021-29983: Firefox for Android could get stuck in fullscreen mode
* CVE-2021-29984: Incorrect instruction reordering during JIT optimization
* CVE-2021-29980: Uninitialized memory in a canvas object could have led to
memory corruption
* CVE-2021-29987: Users could have been tricked into accepting unwanted
permissions on Linux
* CVE-2021-29985: Use-after-free media channels
* CVE-2021-29982: Single bit data leak due to incorrect JIT optimization and
type confusion
* CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
* CVE-2021-29990: Memory safety bugs fixed in Firefox 91
ImportantSUSE bug 1188891SUSE bug 1189547SUSE bug 1190269SUSE bug 1190274CVE-2021-29980 at SUSECVE-2021-29980 at NVDCVE-2021-29981 at SUSECVE-2021-29981 at NVDCVE-2021-29982 at SUSECVE-2021-29982 at NVDCVE-2021-29983 at SUSECVE-2021-29983 at NVDCVE-2021-29984 at SUSECVE-2021-29984 at NVDCVE-2021-29985 at SUSECVE-2021-29985 at NVDCVE-2021-29986 at SUSECVE-2021-29986 at NVDCVE-2021-29987 at SUSECVE-2021-29987 at NVDCVE-2021-29988 at SUSECVE-2021-29988 at NVDCVE-2021-29989 at SUSECVE-2021-29989 at NVDCVE-2021-29990 at SUSECVE-2021-29990 at NVDCVE-2021-29991 at SUSECVE-2021-29991 at NVDCVE-2021-38492 at SUSECVE-2021-38492 at NVDCVE-2021-38495 at SUSECVE-2021-38495 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for zsh (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for zsh fixes the following issues:
- CVE-2018-0502: Fixed execve call vulnerability to program named on the second line when the beginning of a #! script file was mishandled. (bsc#1107296, bsc#1107294)
- CVE-2018-13259: Fixed execve call vulnerability to program name that is a substring of the intended one. (bsc#1107296, bsc#1107294)
ImportantSUSE bug 1107294SUSE bug 1107296CVE-2018-0502 at SUSECVE-2018-0502 at NVDCVE-2018-13259 at SUSECVE-2018-13259 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for bind (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for bind fixes the following issues:
- CVE-2021-25220: Fixed potentially incorrect answers by cached forwarders (bsc#1197135).
ModerateSUSE bug 1197135CVE-2021-25220 at SUSECVE-2021-25220 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for clamav (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for clamav fixes the following issues:
- CVE-2022-20770: Fixed a possible infinite loop vulnerability in the CHM file parser (bsc#1199242).
- CVE-2022-20796: Fixed a possible NULL-pointer dereference crash in the scan verdict cache check (bsc#1199246).
- CVE-2022-20771: Fixed a possible infinite loop vulnerability in the TIFF file parser (bsc#1199244).
- CVE-2022-20785: Fixed a possible memory leak in the HTML file parser / Javascript normalizer (bsc#1199245).
- CVE-2022-20792: Fixed a possible multi-byte heap buffer overflow write vulnerability in the signature database load module (bsc#1199274).
ImportantSUSE bug 1199242SUSE bug 1199244SUSE bug 1199245SUSE bug 1199246SUSE bug 1199274CVE-2022-20770 at SUSECVE-2022-20770 at NVDCVE-2022-20771 at SUSECVE-2022-20771 at NVDCVE-2022-20785 at SUSECVE-2022-20785 at NVDCVE-2022-20792 at SUSECVE-2022-20792 at NVDCVE-2022-20796 at SUSECVE-2022-20796 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for e2fsprogs (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for e2fsprogs fixes the following issues:
- CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault
and possibly arbitrary code execution. (bsc#1198446)
ImportantSUSE bug 1198446CVE-2022-1304 at SUSECVE-2022-1304 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_7_1-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_7_1-ibm fixes the following issues:
- Update to Java 7.1 Service Refresh 5 Fix Pack 0
- CVE-2021-41035: before version 0.29.0, the openj9 JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods. (bsc#1194198, bsc#1192052)
- CVE-2021-35586: Excessive memory allocation in BMPImageReader. (bsc#1191914)
- CVE-2021-35564: Certificates with end dates too far in the future can corrupt keystore. (bsc#1191913)
- CVE-2021-35559: Excessive memory allocation in RTFReader. (bsc#1191911)
- CVE-2021-35556: Excessive memory allocation in RTFParser. (bsc#1191910)
- CVE-2021-35565: Loop in HttpsServer triggered during TLS session close. (bsc#1191909)
- CVE-2021-35588: Incomplete validation of inner class references in ClassFileParser. (bsc#1191905)
- CVE-2021-2341: Fixed a flaw inside the FtpClient. (bsc#1188564)
- CVE-2021-2369: JAR file handling problem containing multiple MANIFEST.MF files. (bsc#1188565)
- CVE-2021-2432: Fixed a vulnerability in the omponent JNDI. (bsc#1188568)
- CVE-2021-2163: Incomplete enforcement of JAR signing disabled algorithms. (bsc#1185055)
ModerateSUSE bug 1185055SUSE bug 1188564SUSE bug 1188565SUSE bug 1188568SUSE bug 1191905SUSE bug 1191909SUSE bug 1191910SUSE bug 1191911SUSE bug 1191913SUSE bug 1191914SUSE bug 1192052SUSE bug 1194198SUSE bug 1194232CVE-2021-2163 at SUSECVE-2021-2163 at NVDCVE-2021-2341 at SUSECVE-2021-2341 at NVDCVE-2021-2369 at SUSECVE-2021-2369 at NVDCVE-2021-2432 at SUSECVE-2021-2432 at NVDCVE-2021-35556 at SUSECVE-2021-35556 at NVDCVE-2021-35559 at SUSECVE-2021-35559 at NVDCVE-2021-35564 at SUSECVE-2021-35564 at NVDCVE-2021-35565 at SUSECVE-2021-35565 at NVDCVE-2021-35586 at SUSECVE-2021-35586 at NVDCVE-2021-35588 at SUSECVE-2021-35588 at NVDCVE-2021-41035 at SUSECVE-2021-41035 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tiff (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tiff fixes the following issues:
- CVE-2022-0561: Fixed null source pointer passed as an argument to memcpy() within TIFFFetchStripThing() in tif_dirread.c (bsc#1195964).
- CVE-2022-0562: Fixed null source pointer passed as an argument to memcpy() within TIFFReadDirectory() in tif_dirread.c (bsc#1195965).
- CVE-2022-0865: Fixed assertion failure in TIFFReadAndRealloc (bsc#1197066).
- CVE-2022-0909: Fixed divide by zero error in tiffcrop that could have led to a denial-of-service via a crafted tiff file (bsc#1197072).
- CVE-2022-0924: Fixed out-of-bounds read error in tiffcp that could have led to a denial-of-service via a crafted tiff file (bsc#1197073).
- CVE-2022-0908: Fixed null source pointer passed as an argument to memcpy in TIFFFetchNormalTag() (bsc#1197074).
- CVE-2022-1056: Fixed out-of-bounds read error in tiffcrop that could have led to a denial-of-service via a crafted tiff file (bsc#1197631).
- CVE-2022-0891: Fixed heap buffer overflow in extractImageSection (bsc#1197068).
ImportantSUSE bug 1195964SUSE bug 1195965SUSE bug 1197066SUSE bug 1197068SUSE bug 1197072SUSE bug 1197073SUSE bug 1197074SUSE bug 1197631CVE-2022-0561 at SUSECVE-2022-0561 at NVDCVE-2022-0562 at SUSECVE-2022-0562 at NVDCVE-2022-0865 at SUSECVE-2022-0865 at NVDCVE-2022-0891 at SUSECVE-2022-0891 at NVDCVE-2022-0908 at SUSECVE-2022-0908 at NVDCVE-2022-0909 at SUSECVE-2022-0909 at NVDCVE-2022-0924 at SUSECVE-2022-0924 at NVDCVE-2022-1056 at SUSECVE-2022-1056 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openldap2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openldap2 fixes the following issues:
- CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).
- Fixed issue with SASL init that crashed slapd at startup under certain conditions (bsc#1198383).
ImportantSUSE bug 1198383SUSE bug 1199240CVE-2022-29155 at SUSECVE-2022-29155 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gzip (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gzip fixes the following issues:
- CVE-2022-1271: Add hardening for zgrep. (bsc#1198062)
ImportantCVE-2022-1271 at SUSECVE-2022-1271 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
Update to version 2.36.0 (bsc#1198290):
- CVE-2022-22624: Fixed use after free that may lead to arbitrary code execution.
- CVE-2022-22628: Fixed use after free that may lead to arbitrary code execution.
- CVE-2022-22629: Fixed a buffer overflow that may lead to arbitrary code execution.
- CVE-2022-22637: Fixed an unexpected cross-origin behavior due to a logic error.
Missing CVE reference for the update to 2.34.6 (bsc#1196133):
- CVE-2022-22594: Fixed a cross-origin issue in the IndexDB API.
ImportantSUSE bug 1196133SUSE bug 1198290CVE-2022-22594 at SUSECVE-2022-22594 at NVDCVE-2022-22624 at SUSECVE-2022-22624 at NVDCVE-2022-22628 at SUSECVE-2022-22628 at NVDCVE-2022-22629 at SUSECVE-2022-22629 at NVDCVE-2022-22637 at SUSECVE-2022-22637 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for poppler (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for poppler fixes the following issues:
- CVE-2020-27778: Fixed a buffer overflow in pdftohtml (bsc#1179163).
- CVE-2019-14494: Fixed a divide-by-zero error in pdftoppm (bsc#1143950).
- CVE-2019-9959: Fixed an integer overflow in pdftocairo (bsc#1142465).
- CVE-2019-10871: Fixed an invalid memory access in pdftops (bsc#1131696).
- CVE-2019-10872: Fixed an invalid memory access in pdftoppm (bsc#1131722).
- CVE-2019-9903: Fixed a buffer overflow in pdfunite (bsc#1130229).
- CVE-2019-7310: Fixed an application crash in pdftocairo (bsc#1124150).
- CVE-2019-9631: Fixed an invalid memory access in pdftocairo (bsc#1129202).
ModerateSUSE bug 1124150SUSE bug 1129202SUSE bug 1130229SUSE bug 1131696SUSE bug 1131722SUSE bug 1142465SUSE bug 1143950SUSE bug 1179163CVE-2019-10871 at SUSECVE-2019-10871 at NVDCVE-2019-10872 at SUSECVE-2019-10872 at NVDCVE-2019-14494 at SUSECVE-2019-14494 at NVDCVE-2019-7310 at SUSECVE-2019-7310 at NVDCVE-2019-9631 at SUSECVE-2019-9631 at NVDCVE-2019-9903 at SUSECVE-2019-9903 at NVDCVE-2019-9959 at SUSECVE-2019-9959 at NVDCVE-2020-27778 at SUSECVE-2020-27778 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for curl (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for curl fixes the following issues:
- CVE-2022-27781: Fixed CERTINFO never-ending busy-loop (bsc#1199223)
- CVE-2022-27782: Fixed TLS and SSH connection too eager reuse (bsc#1199224)
ImportantSUSE bug 1199223SUSE bug 1199224CVE-2022-27781 at SUSECVE-2022-27781 at NVDCVE-2022-27782 at SUSECVE-2022-27782 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libyajl (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libyajl fixes the following issue:
- CVE-2022-24795: Fixed a heap-based buffer overflow when handling large inputs due to an integer overflow (bsc#1198405)
ModerateSUSE bug 1198405CVE-2022-24795 at SUSECVE-2022-24795 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ucode-intel (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ucode-intel fixes the following issues:
Updated to Intel CPU Microcode 20220510 release. (bsc#1199423)
Updated to Intel CPU Microcode 20220419 release. (bsc#1198717)
- CVE-2022-21151: Processor optimization removal or modification of security-critical code for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access (bsc#1199423).
ModerateSUSE bug 1198717SUSE bug 1199423CVE-2022-21151 at SUSECVE-2022-21151 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.9.0 ESR (MFSA 2022-17)(bsc#1198970):
- CVE-2022-29914: Fullscreen notification bypass using popups
- CVE-2022-29909: Bypassing permission prompt in nested browsing contexts
- CVE-2022-29916: Leaking browser history with CSS variables
- CVE-2022-29911: iframe Sandbox bypass
- CVE-2022-29912: Reader mode bypassed SameSite cookies
- CVE-2022-29917: Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9
ImportantSUSE bug 1198970CVE-2022-29909 at SUSECVE-2022-29909 at NVDCVE-2022-29911 at SUSECVE-2022-29911 at NVDCVE-2022-29912 at SUSECVE-2022-29912 at NVDCVE-2022-29914 at SUSECVE-2022-29914 at NVDCVE-2022-29916 at SUSECVE-2022-29916 at NVDCVE-2022-29917 at SUSECVE-2022-29917 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for glib2 (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for glib2 fixes the following issues:
- CVE-2021-28153: Fixed a dangling symlink when g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION (bsc#1183533).
LowSUSE bug 1183533CVE-2021-28153 at SUSECVE-2021-28153 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for unrar (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for unrar fixes the following issues:
- CVE-2022-30333: Fixed directory traversal issue that allowed writing to non-designated paths (bsc#1199349).
ModerateSUSE bug 1199349CVE-2022-30333 at SUSECVE-2022-30333 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for expat (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for expat fixes the following issues:
- CVE-2021-45960: Fixed left shift in the storeAtts function in xmlparse.c that can lead to realloc misbehavior (bsc#1194251).
- CVE-2021-46143: Fixed integer overflow in m_groupSize in doProlog (bsc#1194362).
- CVE-2022-22822: Fixed integer overflow in addBinding in xmlparse.c (bsc#1194474).
- CVE-2022-22823: Fixed integer overflow in build_model in xmlparse.c (bsc#1194476).
- CVE-2022-22824: Fixed integer overflow in defineAttribute in xmlparse.c (bsc#1194477).
- CVE-2022-22825: Fixed integer overflow in lookup in xmlparse.c (bsc#1194478).
- CVE-2022-22826: Fixed integer overflow in nextScaffoldPart in xmlparse.c (bsc#1194479).
- CVE-2022-22827: Fixed integer overflow in storeAtts in xmlparse.c (bsc#1194480).
ImportantSUSE bug 1194251SUSE bug 1194362SUSE bug 1194474SUSE bug 1194476SUSE bug 1194477SUSE bug 1194478SUSE bug 1194479SUSE bug 1194480CVE-2021-45960 at SUSECVE-2021-45960 at NVDCVE-2021-46143 at SUSECVE-2021-46143 at NVDCVE-2022-22822 at SUSECVE-2022-22822 at NVDCVE-2022-22823 at SUSECVE-2022-22823 at NVDCVE-2022-22824 at SUSECVE-2022-22824 at NVDCVE-2022-22825 at SUSECVE-2022-22825 at NVDCVE-2022-22826 at SUSECVE-2022-22826 at NVDCVE-2022-22827 at SUSECVE-2022-22827 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql10 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql10 fixes the following issues:
- CVE-2022-1552: Confine additional operations within 'security restricted operation' sandboxes (bsc#1199475).
ImportantSUSE bug 1199475CVE-2022-1552 at SUSECVE-2022-1552 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.9.1 ESR - MFSA 2022-19 (bsc#1199768):
- CVE-2022-1802: Prototype pollution in Top-Level Await implementation
- CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading to prototype pollution
ImportantSUSE bug 1199768CVE-2022-1529 at SUSECVE-2022-1529 at NVDCVE-2022-1802 at SUSECVE-2022-1802 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python-requests (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-requests fixes the following issues:
- CVE-2018-18074: Fixed to prevent the package to send an HTTP Authorization header to an http URI
upon receiving a same-hostname https-to-http redirect. (bsc#1111622)
ModerateSUSE bug 1111622CVE-2018-18074 at SUSECVE-2018-18074 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libxml2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libxml2 fixes the following issues:
- CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c and tree.c (bsc#1199132).
- CVE-2017-16932: Prevent infinite recursion in parameter entities (bsc#1069689).
ImportantSUSE bug 1069689SUSE bug 1199132CVE-2017-16932 at SUSECVE-2017-16932 at NVDCVE-2022-29824 at SUSECVE-2022-29824 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql13 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql13 fixes the following issues:
- CVE-2022-1552: Confine additional operations within 'security restricted operation' sandboxes (bsc#1199475).
ImportantSUSE bug 1199475CVE-2022-1552 at SUSECVE-2022-1552 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for pcre2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for pcre2 fixes the following issues:
- CVE-2022-1586: Fixed out-of-bounds read via missing Unicode property matching issue in JIT compiled regular expressions (bsc#1199232).
ImportantSUSE bug 1199232CVE-2022-1586 at SUSECVE-2022-1586 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for fribidi (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for fribidi fixes the following issues:
- CVE-2022-25308: Fixed stack out of bounds read (bsc#1196147).
- CVE-2022-25309: Fixed heap-buffer-overflow in fribidi_cap_rtl_to_unicode (bsc#1196148).
- CVE-2022-25310: Fixed NULL pointer dereference in fribidi_remove_bidi_marks (bsc#1196150).
ModerateSUSE bug 1196147SUSE bug 1196148SUSE bug 1196150CVE-2022-25308 at SUSECVE-2022-25308 at NVDCVE-2022-25309 at SUSECVE-2022-25309 at NVDCVE-2022-25310 at SUSECVE-2022-25310 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for wpa_supplicant (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for wpa_supplicant fixes the following issues:
- CVE-2022-23303, CVE-2022-23304: Fixed SAE/EAP-pwd side-channel attacks (bsc#1194732, bsc#1194733)
- CVE-2021-0326: Fixed P2P group information processing vulnerability (bsc#1181777)
- Fix systemd device ready dependencies in wpa_supplicant@.service file. (bsc#1182805)
- Limit P2P_DEVICE name to appropriate ifname size
- Enable SAE support(jsc#SLE-14992).
- Fix wicked wlan (bsc#1156920)
- Change wpa_supplicant.service to ensure wpa_supplicant gets started before
network. Fix WLAN config on boot with wicked. (bsc#1166933)
- Adjust the service to start after network.target wrt bsc#1165266
Update to 2.9 release:
* SAE changes
- disable use of groups using Brainpool curves
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* EAP-pwd changes
- disable use of groups using Brainpool curves
- allow the set of groups to be configured (eap_pwd_groups)
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* fixed FT-EAP initial mobility domain association using PMKSA caching
(disabled by default for backwards compatibility; can be enabled
with ft_eap_pmksa_caching=1)
* fixed a regression in OpenSSL 1.1+ engine loading
* added validation of RSNE in (Re)Association Response frames
* fixed DPP bootstrapping URI parser of channel list
* extended EAP-SIM/AKA fast re-authentication to allow use with FILS
* extended ca_cert_blob to support PEM format
* improved robustness of P2P Action frame scheduling
* added support for EAP-SIM/AKA using anonymous@realm identity
* fixed Hotspot 2.0 credential selection based on roaming consortium
to ignore credentials without a specific EAP method
* added experimental support for EAP-TEAP peer (RFC 7170)
* added experimental support for EAP-TLS peer with TLS v1.3
* fixed a regression in WMM parameter configuration for a TDLS peer
* fixed a regression in operation with drivers that offload 802.1X
4-way handshake
* fixed an ECDH operation corner case with OpenSSL
* SAE changes
- added support for SAE Password Identifier
- changed default configuration to enable only groups 19, 20, 21
(i.e., disable groups 25 and 26) and disable all unsuitable groups
completely based on REVmd changes
- do not regenerate PWE unnecessarily when the AP uses the
anti-clogging token mechanisms
- fixed some association cases where both SAE and FT-SAE were enabled
on both the station and the selected AP
- started to prefer FT-SAE over SAE AKM if both are enabled
- started to prefer FT-SAE over FT-PSK if both are enabled
- fixed FT-SAE when SAE PMKSA caching is used
- reject use of unsuitable groups based on new implementation guidance
in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
groups with prime >= 256)
- minimize timing and memory use differences in PWE derivation
[https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868)
* EAP-pwd changes
- minimize timing and memory use differences in PWE derivation
[https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870)
- verify server scalar/element
[https://w1.fi/security/2019-4/] (CVE-2019-9497, CVE-2019-9498,
CVE-2019-9499, bsc#1131874, bsc#1131872, bsc#1131871, bsc#1131644)
- fix message reassembly issue with unexpected fragment
[https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640)
- enforce rand,mask generation rules more strictly
- fix a memory leak in PWE derivation
- disallow ECC groups with a prime under 256 bits (groups 25, 26, and
27)
- SAE/EAP-pwd side-channel attack update
[https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443)
* fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y
* Hotspot 2.0 changes
- do not indicate release number that is higher than the one
AP supports
- added support for release number 3
- enable PMF automatically for network profiles created from
credentials
* fixed OWE network profile saving
* fixed DPP network profile saving
* added support for RSN operating channel validation
(CONFIG_OCV=y and network profile parameter ocv=1)
* added Multi-AP backhaul STA support
* fixed build with LibreSSL
* number of MKA/MACsec fixes and extensions
* extended domain_match and domain_suffix_match to allow list of values
* fixed dNSName matching in domain_match and domain_suffix_match when
using wolfSSL
* started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both
are enabled
* extended nl80211 Connect and external authentication to support
SAE, FT-SAE, FT-EAP-SHA384
* fixed KEK2 derivation for FILS+FT
* extended client_cert file to allow loading of a chain of PEM
encoded certificates
* extended beacon reporting functionality
* extended D-Bus interface with number of new properties
* fixed a regression in FT-over-DS with mac80211-based drivers
* OpenSSL: allow systemwide policies to be overridden
* extended driver flags indication for separate 802.1X and PSK
4-way handshake offload capability
* added support for random P2P Device/Interface Address use
* extended PEAP to derive EMSK to enable use with ERP/FILS
* extended WPS to allow SAE configuration to be added automatically
for PSK (wps_cred_add_sae=1)
* removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS)
* extended domain_match and domain_suffix_match to allow list of values
* added a RSN workaround for misbehaving PMF APs that advertise
IGTK/BIP KeyID using incorrect byte order
* fixed PTK rekeying with FILS and FT
* fixed WPA packet number reuse with replayed messages and key
reinstallation
[https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078,
CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
* fixed unauthenticated EAPOL-Key decryption in wpa_supplicant
[https://w1.fi/security/2018-1/] (CVE-2018-14526)
* added support for FILS (IEEE 802.11ai) shared key authentication
* added support for OWE (Opportunistic Wireless Encryption, RFC 8110;
and transition mode defined by WFA)
* added support for DPP (Wi-Fi Device Provisioning Protocol)
* added support for RSA 3k key case with Suite B 192-bit level
* fixed Suite B PMKSA caching not to update PMKID during each 4-way
handshake
* fixed EAP-pwd pre-processing with PasswordHashHash
* added EAP-pwd client support for salted passwords
* fixed a regression in TDLS prohibited bit validation
* started to use estimated throughput to avoid undesired signal
strength based roaming decision
* MACsec/MKA:
- new macsec_linux driver interface support for the Linux
kernel macsec module
- number of fixes and extensions
* added support for external persistent storage of PMKSA cache
(PMKSA_GET/PMKSA_ADD control interface commands; and
MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case)
* fixed mesh channel configuration pri/sec switch case
* added support for beacon report
* large number of other fixes, cleanup, and extensions
* added support for randomizing local address for GAS queries
(gas_rand_mac_addr parameter)
* fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel
* added option for using random WPS UUID (auto_uuid=1)
* added SHA256-hash support for OCSP certificate matching
* fixed EAP-AKA' to add AT_KDF into Synchronization-Failure
* fixed a regression in RSN pre-authentication candidate selection
* added option to configure allowed group management cipher suites
(group_mgmt network profile parameter)
* removed all PeerKey functionality
* fixed nl80211 AP and mesh mode configuration regression with
Linux 4.15 and newer
* added ap_isolate configuration option for AP mode
* added support for nl80211 to offload 4-way handshake into the driver
* added support for using wolfSSL cryptographic library
* SAE
- added support for configuring SAE password separately of the
WPA2 PSK/passphrase
- fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection
for SAE;
note: this is not backwards compatible, i.e., both the AP and
station side implementations will need to be update at the same
time to maintain interoperability
- added support for Password Identifier
- fixed FT-SAE PMKID matching
* Hotspot 2.0
- added support for fetching of Operator Icon Metadata ANQP-element
- added support for Roaming Consortium Selection element
- added support for Terms and Conditions
- added support for OSEN connection in a shared RSN BSS
- added support for fetching Venue URL information
* added support for using OpenSSL 1.1.1
* FT
- disabled PMKSA caching with FT since it is not fully functional
- added support for SHA384 based AKM
- added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128,
BIP-GMAC-256 in addition to previously supported BIP-CMAC-128
- fixed additional IE inclusion in Reassociation Request frame when
using FT protocol
- CVE-2015-8041: Using O_WRONLY flag [http://w1.fi/security/2015-5/] ImportantSUSE bug 1131644SUSE bug 1131868SUSE bug 1131870SUSE bug 1131871SUSE bug 1131872SUSE bug 1131874SUSE bug 1133640SUSE bug 1144443SUSE bug 1156920SUSE bug 1165266SUSE bug 1166933SUSE bug 1167331SUSE bug 1182805SUSE bug 1194732SUSE bug 1194733CVE-2015-8041 at SUSECVE-2015-8041 at NVDCVE-2017-13077 at SUSECVE-2017-13077 at NVDCVE-2017-13078 at SUSECVE-2017-13078 at NVDCVE-2017-13079 at SUSECVE-2017-13079 at NVDCVE-2017-13080 at SUSECVE-2017-13080 at NVDCVE-2017-13081 at SUSECVE-2017-13081 at NVDCVE-2017-13082 at SUSECVE-2017-13082 at NVDCVE-2017-13086 at SUSECVE-2017-13086 at NVDCVE-2017-13087 at SUSECVE-2017-13087 at NVDCVE-2017-13088 at SUSECVE-2017-13088 at NVDCVE-2018-14526 at SUSECVE-2018-14526 at NVDCVE-2019-11555 at SUSECVE-2019-11555 at NVDCVE-2019-13377 at SUSECVE-2019-13377 at NVDCVE-2019-9494 at SUSECVE-2019-9494 at NVDCVE-2019-9495 at SUSECVE-2019-9495 at NVDCVE-2019-9497 at SUSECVE-2019-9497 at NVDCVE-2019-9498 at SUSECVE-2019-9498 at NVDCVE-2019-9499 at SUSECVE-2019-9499 at NVDCVE-2022-23303 at SUSECVE-2022-23303 at NVDCVE-2022-23304 at SUSECVE-2022-23304 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql12 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql12 fixes the following issues:
- CVE-2022-1552: Confine additional operations within 'security restricted operation' sandboxes (bsc#1199475).
ImportantSUSE bug 1199475CVE-2022-1552 at SUSECVE-2022-1552 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql14 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql14 fixes the following issues:
- CVE-2022-1552: Confine additional operations within 'security restricted operation' sandboxes (bsc#1199475).
ImportantSUSE bug 1199475CVE-2022-1552 at SUSECVE-2022-1552 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ImageMagick (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ImageMagick fixes the following issues:
- CVE-2022-1270: Fixed a memory corruption issue when parsing MIFF files (bsc#1198351).
- CVE-2022-28463: Fixed buffer overflow in coders/cin.c (bsc#1199350).
ImportantSUSE bug 1198351SUSE bug 1199350CVE-2022-1270 at SUSECVE-2022-1270 at NVDCVE-2022-28463 at SUSECVE-2022-28463 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for mailman (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mailman fixes the following issues:
- CVE-2021-44227: Preventing list moderator or list member accessing the admin UI (bsc#1193316).
- CVE-2021-43332: Preventing list moderator from cracking the list admin password encrypted in a CSRF token (bsc#1192741).
- CVE-2021-43331: Fixed XSS in Cgi/options.py (bsc#1192735).
- CVE-2021-42096: Add protection against remote privilege escalation via csrf_token derived from admin password (bsc#1191959).
ImportantSUSE bug 1191959SUSE bug 1192735SUSE bug 1192741SUSE bug 1193316CVE-2021-42096 at SUSECVE-2021-42096 at NVDCVE-2021-43331 at SUSECVE-2021-43331 at NVDCVE-2021-43332 at SUSECVE-2021-43332 at NVDCVE-2021-44227 at SUSECVE-2021-44227 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for polkit (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for polkit fixes the following issues:
- CVE-2021-4034: Fixed a local privilege escalation in pkexec (bsc#1194568).
ImportantSUSE bug 1194568CVE-2021-4034 at SUSECVE-2021-4034 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for librelp (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for librelp fixes the following issues:
- CVE-2018-1000140: Fixed remote attack via specially crafted x509 certificates when connecting to rsyslog to trigger a stack buffer overflow and run arbitrary code (bsc#1086730).
ModerateSUSE bug 1086730CVE-2018-1000140 at SUSECVE-2018-1000140 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.10.0 ESR (MFSA 2022-21)(bsc#1200027)
- CVE-2022-31736: Cross-Origin resource's length leaked
- CVE-2022-31737: Heap buffer overflow in WebGL
- CVE-2022-31738: Browser window spoof using fullscreen mode
- CVE-2022-31739: Attacker-influenced path traversal when saving downloaded files
- CVE-2022-31740: Register allocation problem in WASM on arm64
- CVE-2022-31741: Uninitialized variable leads to invalid memory read
- CVE-2022-31742: Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information
- CVE-2022-31747: Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10
ImportantSUSE bug 1200027CVE-2022-31736 at SUSECVE-2022-31736 at NVDCVE-2022-31737 at SUSECVE-2022-31737 at NVDCVE-2022-31738 at SUSECVE-2022-31738 at NVDCVE-2022-31739 at SUSECVE-2022-31739 at NVDCVE-2022-31740 at SUSECVE-2022-31740 at NVDCVE-2022-31741 at SUSECVE-2022-31741 at NVDCVE-2022-31742 at SUSECVE-2022-31742 at NVDCVE-2022-31747 at SUSECVE-2022-31747 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for patch (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for patch fixes the following issues:
Security fixes:
- CVE-2019-13636: Fixed mishandled following of symlinks in certain cases other than input files (bsc#1142041).
- CVE-2018-6952: Fixed double free of memory in pch.c:another_hunk() (bsc#1080985).
Bugfixes:
- Pass the correct stat to backup files (bsc#1198106).
- Fix temporary file leak when applying ed-style patches (bsc#1092500).
ModerateSUSE bug 1080985SUSE bug 1092500SUSE bug 1142041SUSE bug 1198106CVE-2018-6952 at SUSECVE-2018-6952 at NVDCVE-2019-13636 at SUSECVE-2019-13636 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gcc48 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gcc48 fixes the following issues:
- CVE-2019-14250: Fixed an integer overflow that could lead to an invalid memory
access (bsc#1142649).
Non-security fixes:
- Fixed an issue with manual page builds (bsc#1185395).
- Fixed an issue with static initializers (bsc#1177947).
- Fixed an issue with exception handling on s390x (bsc#1161913).
ModerateSUSE bug 1142649SUSE bug 1161913SUSE bug 1177947SUSE bug 1178675SUSE bug 1185395CVE-2019-14250 at SUSECVE-2019-14250 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for strongswan (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for strongswan fixes the following issues:
- CVE-2021-45079: Fixed authentication bypass in EAP authentication. (bsc#1194471)
ImportantSUSE bug 1194471CVE-2021-45079 at SUSECVE-2021-45079 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for mozilla-nss (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mozilla-nss fixes the following issues:
Mozilla NSS 3.68.4 (bsc#1200027)
* CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. (bmo#1767590)
ImportantSUSE bug 1200027CVE-2022-31741 at SUSECVE-2022-31741 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for grub2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for grub2 fixes the following issues:
Security fixes and hardenings for boothole 3 / boothole 2022 (bsc#1198581)
- CVE-2021-3695: Fixed that a crafted PNG grayscale image could lead to out-of-bounds write in heap (bsc#1191184)
- CVE-2021-3696: Fixed that a crafted PNG image could lead to out-of-bound write during huffman table handling (bsc#1191185)
- CVE-2021-3697: Fixed that a crafted JPEG image could lead to buffer underflow write in the heap (bsc#1191186)
- CVE-2022-28733: Fixed fragmentation math in net/ip (bsc#1198460)
- CVE-2022-28734: Fixed an out-of-bound write for split http headers (bsc#1198493)
- CVE-2022-28736: Fixed a use-after-free in chainloader command (bsc#1198496)
- Update SBAT security contact (bsc#1193282)
- Bump grub's SBAT generation to 2
- Use boot disks in OpenFirmware, fixing regression caused when the root LV is completely in the boot LUN (bsc#1197948)
ImportantSUSE bug 1191184SUSE bug 1191185SUSE bug 1191186SUSE bug 1193282SUSE bug 1197948SUSE bug 1198460SUSE bug 1198493SUSE bug 1198496SUSE bug 1198581CVE-2021-3695 at SUSECVE-2021-3695 at NVDCVE-2021-3696 at SUSECVE-2021-3696 at NVDCVE-2021-3697 at SUSECVE-2021-3697 at NVDCVE-2022-28733 at SUSECVE-2022-28733 at NVDCVE-2022-28734 at SUSECVE-2022-28734 at NVDCVE-2022-28736 at SUSECVE-2022-28736 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python36 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python36 fixes the following issues:
- CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511).
ImportantSUSE bug 1198511CVE-2015-20107 at SUSECVE-2015-20107 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
Update to version 2.36.3 (bsc#1200106)
- CVE-2022-30293: Fixed heap-based buffer overflow in WebCore::TextureMapperLayer::setContentsLayer (bsc#1199287).
- CVE-2022-26700: Fixed memory corruption issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
- CVE-2022-26709: Fixed use after free issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
- CVE-2022-26716: Fixed use after free issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
- CVE-2022-26717: Fixed memory corruption issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
- CVE-2022-26719: Fixed memory corruption issue that may lead to code execution when processing maliciously crafted web content (bsc#1200106).
ImportantSUSE bug 1199287SUSE bug 1200106CVE-2022-26700 at SUSECVE-2022-26700 at NVDCVE-2022-26709 at SUSECVE-2022-26709 at NVDCVE-2022-26716 at SUSECVE-2022-26716 at NVDCVE-2022-26717 at SUSECVE-2022-26717 at NVDCVE-2022-26719 at SUSECVE-2022-26719 at NVDCVE-2022-30293 at SUSECVE-2022-30293 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openssl (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssl fixes the following issues:
- CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).
ImportantSUSE bug 1199166CVE-2022-1292 at SUSECVE-2022-1292 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for apache2 fixes the following issues:
- CVE-2022-26377: Fixed possible request smuggling in mod_proxy_ajp (bsc#1200338)
- CVE-2022-28614: Fixed read beyond bounds via ap_rwrite() (bsc#1200340)
- CVE-2022-28615: Fixed read beyond bounds in ap_strcmp_match() (bsc#1200341)
- CVE-2022-29404: Fixed denial of service in mod_lua r:parsebody (bsc#1200345)
- CVE-2022-30556: Fixed information disclosure in mod_lua with websockets (bsc#1200350)
- CVE-2022-30522: Fixed mod_sed denial of service (bsc#1200352)
- CVE-2022-31813: Fixed mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism (bsc#1200348)
ImportantSUSE bug 1200338SUSE bug 1200340SUSE bug 1200341SUSE bug 1200345SUSE bug 1200348SUSE bug 1200350SUSE bug 1200352CVE-2022-26377 at SUSECVE-2022-26377 at NVDCVE-2022-28614 at SUSECVE-2022-28614 at NVDCVE-2022-28615 at SUSECVE-2022-28615 at NVDCVE-2022-29404 at SUSECVE-2022-29404 at NVDCVE-2022-30522 at SUSECVE-2022-30522 at NVDCVE-2022-30556 at SUSECVE-2022-30556 at NVDCVE-2022-31813 at SUSECVE-2022-31813 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for log4j (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for log4j fixes the following issues:
- CVE-2022-23307: Fix deserialization issue by removing the chainsaw sub-package. (bsc#1194844)
- CVE-2022-23305: Fix SQL injection by removing src/main/java/org/apache/log4j/jdbc/JDBCAppender.java. (bsc#1194843)
- CVE-2022-23302: Fix remote code execution by removing src/main/java/org/apache/log4j/net/JMSSink.java. (bsc#1194842)
ImportantSUSE bug 1194842SUSE bug 1194843SUSE bug 1194844CVE-2022-23302 at SUSECVE-2022-23302 at NVDCVE-2022-23305 at SUSECVE-2022-23305 at NVDCVE-2022-23307 at SUSECVE-2022-23307 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for SUSE Manager Client Tools (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update fixes the following issues:
golang-github-QubitProducts-exporter_exporter:
- Adapted to build on Enterprise Linux.
- Fix build for RedHat 7
- Require Go >= 1.14 also for CentOS
- Add support for CentOS
- Replace %{?systemd_requires} with %{?systemd_ordering}
golang-github-prometheus-alertmanager:
- CVE-2022-21698: Denial of service using InstrumentHandlerCounter.
* Update vendor tarball with prometheus/client_golang 1.11.1 (bsc#1196338, jsc#SLE-24077)
- Update required Go version to 1.16
- Update to version 0.23.0:
* amtool: Detect version drift and warn users (#2672)
* Add ability to skip TLS verification for amtool (#2663)
* Fix empty isEqual in amtool. (#2668)
* Fix main tests (#2670)
* cli: add new template render command (#2538)
* OpsGenie: refer to alert instead of incident (#2609)
* Docs: target_match and source_match are DEPRECATED (#2665)
* Fix test not waiting for cluster member to be ready
- Added hardening to systemd service(s) (bsc#1181400)
golang-github-prometheus-node_exporter:
- CVE-2022-21698: Denial of service using InstrumentHandlerCounter.
* Update vendor tarball with prometheus/client_golang 1.11.1
(bsc#1196338, jsc#SLE-24238, jsc#SLE-24239)
- Update to 1.3.0
* [CHANGE] Add path label to rapl collector #2146
* [CHANGE] Exclude filesystems under /run/credentials #2157
* [CHANGE] Add TCPTimeouts to netstat default filter #2189
* [FEATURE] Add lnstat collector for metrics from /proc/net/stat/ #1771
* [FEATURE] Add darwin powersupply collector #1777
* [FEATURE] Add support for monitoring GPUs on Linux #1998
* [FEATURE] Add Darwin thermal collector #2032
* [FEATURE] Add os release collector #2094
* [FEATURE] Add netdev.address-info collector #2105
* [FEATURE] Add clocksource metrics to time collector #2197
* [ENHANCEMENT] Support glob textfile collector directories #1985
* [ENHANCEMENT] ethtool: Expose node_ethtool_info metric #2080
* [ENHANCEMENT] Use include/exclude flags for ethtool filtering #2165
* [ENHANCEMENT] Add flag to disable guest CPU metrics #2123
* [ENHANCEMENT] Add DMI collector #2131
* [ENHANCEMENT] Add threads metrics to processes collector #2164
* [ENHANCMMENT] Reduce timer GC delays in the Linux filesystem collector #2169
* [ENHANCMMENT] Add TCPTimeouts to netstat default filter #2189
* [ENHANCMMENT] Use SysctlTimeval for boottime collector on BSD #2208
* [BUGFIX] ethtool: Sanitize metric names #2093
* [BUGFIX] Fix ethtool collector for multiple interfaces #2126
* [BUGFIX] Fix possible panic on macOS #2133
* [BUGFIX] Collect flag_info and bug_info only for one core #2156
* [BUGFIX] Prevent duplicate ethtool metric names #2187
- Update to 1.2.2
* Bug fixes
Fix processes collector long int parsing #2112
- Update to 1.2.1
* Removed
Remove obsolete capture permission denied error patch that is already included upstream
Fix zoneinfo parsing prometheus/procfs#386
Fix nvme collector log noise #2091
Fix rapl collector log noise #2092
- Update to 1.2.0
* Changes
Rename filesystem collector flags to match other collectors #2012
Make node_exporter print usage to STDOUT #203
* Features
Add conntrack statistics metrics #1155
Add ethtool stats collector #1832
Add flag to ignore network speed if it is unknown #1989
Add tapestats collector for Linux #2044
Add nvme collector #2062
* Enhancements
Add ErrorLog plumbing to promhttp #1887
Add more Infiniband counters #2019
netclass: retrieve interface names and filter before parsing #2033
Add time zone offset metric #2060
Handle errors from disabled PSI subsystem #1983
Fix panic when using backwards compatible flags #2000
Fix wrong value for OpenBSD memory buffer cache #2015
Only initiate collectors once #2048
Handle small backwards jumps in CPU idle #2067
- Apply patch to capture permission denied error for 'energy_uj' file (bsc#1190535)
grafana:
- Update to version 8.3.5 (jsc#SLE-23439, jsc#SLE-23422)
+ Security:
* Fixes XSS vulnerability in handling data sources
(bsc#1195726, CVE-2022-21702)
* Fixes cross-origin request forgery vulnerability
(bsc#1195727, CVE-2022-21703)
* Fixes Insecure Direct Object Reference vulnerability in Teams
API (bsc#1195728, CVE-2022-21713)
- Update to Go 1.17.
- Add build-time dependency on `wire`.
- Update license to GNU Affero General Public License v3.0.
- Update to version 8.3.4
* GetUserInfo: return an error if no user was found
(bsc#1194873, CVE-2022-21673)
+ Features and enhancements:
* Alerting: Allow configuration of non-ready alertmanagers.
* Alerting: Allow customization of Google chat message.
* AppPlugins: Support app plugins with only default nav.
* InfluxDB: query editor: skip fields in metadata queries.
* Postgres/MySQL/MSSQL: Cancel in-flight SQL query if user
cancels query in grafana.
* Prometheus: Forward oauth tokens after prometheus datasource
migration.
+ Bug fixes:
* Azure Monitor: Bug fix for variable interpolations in metrics
dropdowns.
* Azure Monitor: Improved error messages for variable queries.
* CloudMonitoring: Fixes broken variable queries that use group
bys.
* Configuration: You can now see your expired API keys if you
have no active ones.
* Elasticsearch: Fix handling multiple datalinks for a single
field.
* Export: Fix error being thrown when exporting dashboards
using query variables that reference the default datasource.
* ImportDashboard: Fixes issue with importing dashboard and
name ending up in uid.
* Login: Page no longer overflows on mobile.
* Plugins: Set backend metadata property for core plugins.
* Prometheus: Fill missing steps with null values.
* Prometheus: Fix interpolation of $__rate_interval variable.
* Prometheus: Interpolate variables with curly brackets syntax.
* Prometheus: Respect the http-method data source setting.
* Table: Fixes issue with field config applied to wrong fields
when hiding columns.
* Toolkit: Fix bug with rootUrls not being properly parsed when
signing a private plugin.
* Variables: Fix so data source variables are added to adhoc
configuration.
+ Plugin development fixes & changes:
* Toolkit: Revert build config so tslib is bundled with plugins
to prevent plugins from crashing.
- Update to version 8.3.3:
* BarChart: Use new data error view component to show actions
in panel edit.
* CloudMonitor: Iterate over pageToken for resources.
* Macaron: Prevent WriteHeader invalid HTTP status code panic.
* AnnoListPanel: Fix interpolation of variables in tags.
* CloudWatch: Allow queries to have no dimensions specified.
* CloudWatch: Fix broken queries for users migrating from
8.2.4/8.2.5 to 8.3.0.
* CloudWatch: Make sure MatchExact flag gets the right value.
* Dashboards: Fix so that empty folders can be deleted from the
manage dashboards/folders page.
* InfluxDB: Improve handling of metadata query errors in
InfluxQL.
* Loki: Fix adding of ad hoc filters for queries with parser
and line_format expressions.
* Prometheus: Fix running of exemplar queries for non-histogram
metrics.
* Prometheus: Interpolate template variables in interval.
* StateTimeline: Fix toolitp not showing when for frames with
multiple fields.
* TraceView: Fix virtualized scrolling when trace view is
opened in right pane in Explore.
* Variables: Fix repeating panels for on time range changed
variables.
* Variables: Fix so queryparam option works for scoped
- Update to version 8.3.2
+ Security: Fixes CVE-2021-43813 and CVE-2021-43815.
- Update to version 8.3.1
+ Security: Fixes CVE-2021-43798.
- Update to version 8.3.0
* Alerting: Prevent folders from being deleted when they
contain alerts.
* Alerting: Show full preview value in tooltip.
* BarGauge: Limit title width when name is really long.
* CloudMonitoring: Avoid to escape regexps in filters.
* CloudWatch: Add support for AWS Metric Insights.
* TooltipPlugin: Remove other panels' shared tooltip in edit
panel.
* Visualizations: Limit y label width to 40% of visualization
width.
* Alerting: Clear alerting rule evaluation errors after
intermittent failures.
* Alerting: Fix refresh on legacy Alert List panel.
* Dashboard: Fix queries for panels with non-integer widths.
* Explore: Fix url update inconsistency.
* Prometheus: Fix range variables interpolation for time ranges
smaller than 1 second.
* ValueMappings: Fixes issue with regex value mapping that only
sets color.
- Update to version 8.3.0-beta2
+ Breaking changes:
* Grafana 8 Alerting enabled by default for installations that
do not use legacy alerting.
* Keep Last State for 'If execution error or timeout' when
upgrading to Grafana 8 alerting.
* Alerting: Create DatasourceError alert if evaluation returns
error.
* Alerting: Make Unified Alerting enabled by default for those
who do not use legacy alerting.
* Alerting: Support mute timings configuration through the api
for the embedded alert manager.
* CloudWatch: Add missing AWS/Events metrics.
* Docs: Add easier to find deprecation notices to certain data
sources and to the changelog.
* Plugins Catalog: Enable install controls based on the
pluginAdminEnabled flag.
* Table: Add space between values for the DefaultCell and
JSONViewCell.
* Tracing: Make query editors available in dashboard for Tempo
and Zipkin.
* AccessControl: Renamed orgs roles, removed fixed:orgs:reader
introduced in beta1.
* Azure Monitor: Add trap focus for modals in grafana/ui and
other small a11y fixes for Azure Monitor.
* CodeEditor: Prevent suggestions from being clipped.
* Dashboard: Fix cache timeout persistence.
* Datasource: Fix stable sort order of query responses.
* Explore: Fix error in query history when removing last item.
* Logs: Fix requesting of older logs when flipped order.
* Prometheus: Fix running of health check query based on access
mode.
* TextPanel: Fix suggestions for existing panels.
* Tracing: Fix incorrect indentations due to reoccurring
spanIDs.
* Tracing: Show start time of trace with milliseconds
precision.
* Variables: Make renamed or missing variable section
expandable.
* Select: Select menus now properly scroll during keyboard
navigation.
- Update to version 8.3.0-beta1
* Alerting: Add UI for contact point testing with custom
annotations and labels.
* Alerting: Make alert state indicator in panel header work
with Grafana 8 alerts.
* Alerting: Option for Discord notifier to use webhook name.
* Annotations: Deprecate AnnotationsSrv.
* Auth: Omit all base64 paddings in JWT tokens for the JWT
auth.
* Azure Monitor: Clean up fields when editing Metrics.
* AzureMonitor: Add new starter dashboards.
* AzureMonitor: Add starter dashboard for app monitoring with
Application Insights.
* Barchart/Time series: Allow x axis label.
* CLI: Improve error handling for installing plugins.
* CloudMonitoring: Migrate to use backend plugin SDK contracts.
* CloudWatch Logs: Add retry strategy for hitting max
concurrent queries.
* CloudWatch: Add AWS RoboMaker metrics and dimension.
* CloudWatch: Add AWS Transfer metrics and dimension.
* Dashboard: replace datasource name with a reference object.
* Dashboards: Show logs on time series when hovering.
* Elasticsearch: Add support for Elasticsearch 8.0 (Beta).
* Elasticsearch: Add time zone setting to Date Histogram
aggregation.
* Elasticsearch: Enable full range log volume histogram.
* Elasticsearch: Full range logs volume.
* Explore: Allow changing the graph type.
* Explore: Show ANSI colors when highlighting matched words in
the logs panel.
* Graph(old) panel: Listen to events from Time series panel.
* Import: Load gcom dashboards from URL.
* LibraryPanels: Improves export and import of library panels
between orgs.
* OAuth: Support PKCE.
* Panel edit: Overrides now highlight correctly when searching.
* PanelEdit: Display drag indicators on draggable sections.
* Plugins: Refactor Plugin Management.
* Prometheus: Add custom query parameters when creating
PromLink url.
* Prometheus: Remove limits on metrics, labels, and values in
Metrics Browser.
* StateTimeline: Share cursor with rest of the panels.
* Tempo: Add error details when json upload fails.
* Tempo: Add filtering for service graph query.
* Tempo: Add links to nodes in Service Graph pointing to
Prometheus metrics.
* Time series/Bar chart panel: Add ability to sort series via
legend.
* TimeSeries: Allow multiple axes for the same unit.
* TraceView: Allow span links defined on dataFrame.
* Transformations: Support a rows mode in labels to fields.
* ValueMappings: Don't apply field config defaults to time
fields.
* Variables: Only update panels that are impacted by variable
change.
* API: Fix dashboard quota limit for imports.
* Alerting: Fix rule editor issues with Azure Monitor data
source.
* Azure monitor: Make sure alert rule editor is not enabled
when template variables are being used.
* CloudMonitoring: Fix annotation queries.
* CodeEditor: Trigger the latest getSuggestions() passed to
CodeEditor.
* Dashboard: Remove the current panel from the list of options
in the Dashboard datasource.
* Encryption: Fix decrypting secrets in alerting migration.
* InfluxDB: Fix corner case where index is too large in ALIAS
* NavBar: Order App plugins alphabetically.
* NodeGraph: Fix zooming sensitivity on touchpads.
* Plugins: Add OAuth pass-through logic to api/ds/query
endpoint.
* Snapshots: Fix panel inspector for snapshot data.
* Tempo: Fix basic auth password reset on adding tag.
* ValueMapping: Fixes issue with regex mappings.
* grafana/ui: Enable slider marks display.
- Update to version 8.2.7
- Update to version 8.2.6
* Security: Upgrade Docker base image to Alpine 3.14.3.
* Security: Upgrade Go to 1.17.2.
* TimeSeries: Fix fillBelowTo wrongly affecting fills of
unrelated series.
- Update to version 8.2.5
* Fix No Data behaviour in Legacy Alerting.
* Alerting: Fix a bug where the metric in the evaluation string
was not correctly populated.
* Alerting: Fix no data behaviour in Legacy Alerting for alert
rules using the AND operator.
* CloudMonitoring: Ignore min and max aggregation in MQL
queries.
* Dashboards: 'Copy' is no longer added to new dashboard
titles.
* DataProxy: Fix overriding response body when response is a
WebSocket upgrade.
* Elasticsearch: Use field configured in query editor as field
for date_histogram aggregations.
* Explore: Fix running queries without a datasource property
set.
* InfluxDB: Fix numeric aliases in queries.
* Plugins: Ensure consistent plugin settings list response.
* Tempo: Fix validation of float durations.
* Tracing: Correct tags for each span are shown.
- Update to version 8.2.4
+ Security: Fixes CVE-2021-41244.
- Update to version 8.2.3
+ Security: Fixes CVE-2021-41174.
- Update to version 8.2.2
* Annotations: We have improved tag search performance.
* Application: You can now configure an error-template title.
* AzureMonitor: We removed a restriction from the resource
filter query.
* Packaging: We removed the ProcSubset option in systemd. This
option prevented Grafana from starting in LXC environments.
* Prometheus: We removed the autocomplete limit for metrics.
* Table: We improved the styling of the type icons to make them
more distinct from column / field name.
* ValueMappings: You can now use value mapping in stat, gauge,
bar gauge, and pie chart visualizations.
* Alerting: Fix panic when Slack's API sends unexpected
response.
* Alerting: The Create Alert button now appears on the
dashboard panel when you are working with a default
datasource.
* Explore: We fixed the problem where the Explore log panel
disappears when an Elasticsearch logs query returns no
results.
* Graph: You can now see annotation descriptions on hover.
* Logs: The system now uses the JSON parser only if the line is
parsed to an object.
* Prometheus: We fixed the issue where the system did not reuse
TCP connections when querying from Grafana alerting.
* Prometheus: We fixed the problem that resulted in an error
when a user created a query with a $__interval min step.
* RowsToFields: We fixed the issue where the system was not
properly interpreting number values.
* Scale: We fixed how the system handles NaN percent when data
min = data max.
* Table panel: You can now create a filter that includes
special characters.
- Update to version 8.2.1
* Dashboard: Fix rendering of repeating panels.
* Datasources: Fix deletion of data source if plugin is not
found.
* Packaging: Remove systemcallfilters sections from systemd
unit files.
* Prometheus: Add Headers to HTTP client options.
- Update to version 8.2.0
* AWS: Updated AWS authentication documentation.
* Alerting: Added support Alertmanager data source for upstream
Prometheus AM implementation.
* Alerting: Allows more characters in label names so
notifications are sent.
* Alerting: Get alert rules for a dashboard or a panel using
/api/v1/rules endpoints.
* Annotations: Improved rendering performance of event markers.
* CloudWatch Logs: Skip caching for log queries.
* Explore: Added an opt-in configuration for Node Graph in
Jaeger, Zipkin, and Tempo.
* Packaging: Add stricter systemd unit options.
* Prometheus: Metrics browser can now handle label values with
* CodeEditor: Ensure that we trigger the latest onSave callback
provided to the component.
* DashboardList/AlertList: Fix for missing All folder value.
* Plugins: Create a mock icon component to prevent console
errors.
- Update to version 8.2.0-beta2
* AccessControl: Document new permissions restricting data
source access.
* TimePicker: Add fiscal years and search to time picker.
* Alerting: Added support for Unified Alerting with Grafana HA.
* Alerting: Added support for tune rule evaluation using
configuration options.
* Alerting: Cleanups alertmanager namespace from key-value
store when disabling Grafana 8 alerts.
* Alerting: Remove ngalert feature toggle and introduce two new
settings for enabling Grafana 8 alerts and disabling them for
specific organisations.
* CloudWatch: Introduced new math expression where it is
necessary to specify the period field.
* InfluxDB: Added support for $__interval and $__interval_ms in
Flux queries for alerting.
* InfluxDB: Flux queries can use more precise start and end
timestamps with nanosecond-precision.
* Plugins Catalog: Make the catalog the default way to interact
with plugins.
* Prometheus: Removed autocomplete limit for metrics.
* Alerting: Fixed an issue where the edit page crashes if you
tried to preview an alert without a condition set.
* Alerting: Fixed rules migration to keep existing Grafana 8
alert rules.
* Alerting: Fixed the silence file content generated during
* Analytics: Fixed an issue related to interaction event
propagation in Azure Application Insights.
* BarGauge: Fixed an issue where the cell color was lit even
though there was no data.
* BarGauge: Improved handling of streaming data.
* CloudMonitoring: Fixed INT64 label unmarshal error.
* ConfirmModal: Fixes confirm button focus on modal open.
* Dashboard: Add option to generate short URL for variables
with values containing spaces.
* Explore: No longer hides errors containing refId property.
* Fixed an issue that produced State timeline panel tooltip
error when data was not in sync.
* InfluxDB: InfluxQL query editor is set to always use
resultFormat.
* Loki: Fixed creating context query for logs with parsed
labels.
* PageToolbar: Fixed alignment of titles.
* Plugins Catalog: Update to the list of available panels after
an install, update or uninstall.
* TimeSeries: Fixed an issue where the shared cursor was not
showing when hovering over in old Graph panel.
* Variables: Fixed issues related to change of focus or refresh
pages when pressing enter in a text box variable input.
* Variables: Panel no longer crash when using the adhoc
variable in data links.
- Update to version 8.2.0-beta1
* AccessControl: Introduce new permissions to restrict access
for reloading provisioning configuration.
* Alerting: Add UI to edit Cortex/Loki namespace, group names,
and group evaluation interval.
* Alerting: Add a Test button to test contact point.
* Alerting: Allow creating/editing recording rules for Loki and
Cortex.
* Alerting: Metrics should have the label org instead of user.
* Alerting: Sort notification channels by name to make them
easier to locate.
* Alerting: Support org level isolation of notification
* AzureMonitor: Add data links to deep link to Azure Portal
Azure Resource Graph.
* AzureMonitor: Add support for annotations from Azure Monitor
Metrics and Azure Resource Graph services.
* AzureMonitor: Show error message when subscriptions request
fails in ConfigEditor.
* Chore: Update to Golang 1.16.7.
* CloudWatch Logs: Add link to X-Ray data source for trace IDs
in logs.
* CloudWatch Logs: Disable query path using websockets (Live)
feature.
* CloudWatch/Logs: Don't group dataframes for non time series
* Cloudwatch: Migrate queries that use multiple stats to one
query per stat.
* Dashboard: Keep live timeseries moving left (v2).
* Datasources: Introduce response_limit for datasource
responses.
* Explore: Add filter by trace or span ID to trace to logs
* Explore: Download traces as JSON in Explore Inspector.
* Explore: Reuse Dashboard's QueryRows component.
* Explore: Support custom display label for derived fields
buttons for Loki datasource.
* Grafana UI: Update monaco-related dependencies.
* Graphite: Deprecate browser access mode.
* InfluxDB: Improve handling of intervals in alerting.
* InfluxDB: InfluxQL query editor: Handle unusual characters in
tag values better.
* Jaeger: Add ability to upload JSON file for trace data.
* LibraryElements: Enable specifying UID for new and existing
library elements.
* LibraryPanels: Remove library panel icon from the panel
header so you can no longer tell that a panel is a library
panel from the dashboard view.
* Logs panel: Scroll to the bottom on page refresh when sorting
in ascending order.
* Loki: Add fuzzy search to label browser.
* Navigation: Implement active state for items in the Sidemenu.
* Packaging: Update PID file location from /var/run to /run.
* Plugins: Add Hide OAuth Forward config option.
* Postgres/MySQL/MSSQL: Add setting to limit the maximum number
of rows processed.
* Prometheus: Add browser access mode deprecation warning.
* Prometheus: Add interpolation for built-in-time variables to
backend.
* Tempo: Add ability to upload trace data in JSON format.
* TimeSeries/XYChart: Allow grid lines visibility control in
XYChart and TimeSeries panels.
* Transformations: Convert field types to time string number or
boolean.
* Value mappings: Add regular-expression based value mapping.
* Zipkin: Add ability to upload trace JSON.
* Admin: Prevent user from deleting user's current/active
organization.
* LibraryPanels: Fix library panel getting saved in the
dashboard's folder.
* OAuth: Make generic teams URL and JMES path configurable.
* QueryEditor: Fix broken copy-paste for mouse middle-click
* Thresholds: Fix undefined color in 'Add threshold'.
* Timeseries: Add wide-to-long, and fix multi-frame output.
* TooltipPlugin: Fix behavior of Shared Crosshair when Tooltip
is set to All.
* Grafana UI: Fix TS error property css is missing in type.
- Update to version 8.1.8
- Update to version 8.1.7
* Alerting: Fix alerts with evaluation interval more than 30
seconds resolving before notification.
* Elasticsearch/Prometheus: Fix usage of proper SigV4 service
namespace.
- Update to version 8.1.6
+ Security: Fixes CVE-2021-39226.
- Update to version 8.1.5
* BarChart: Fixes panel error that happens on second refresh.
- Update to version 8.1.4
+ Features and enhancements
* Explore: Ensure logs volume bar colors match legend colors.
* LDAP: Search all DNs for users.
* Alerting: Fix notification channel migration.
* Annotations: Fix blank panels for queries with unknown data
sources.
* BarChart: Fix stale values and x axis labels.
* Graph: Make old graph panel thresholds work even if ngalert
is enabled.
* InfluxDB: Fix regex to identify / as separator.
* LibraryPanels: Fix update issues related to library panels in
rows.
* Variables: Fix variables not updating inside a Panel when the
preceding Row uses 'Repeat For'.
- Update to version 8.1.3
+ Bug fixes
* Alerting: Fix alert flapping in the internal alertmanager.
* Alerting: Fix request handler failed to convert dataframe
'results' to plugins.DataTimeSeriesSlice: input frame is not
recognized as a time series.
* Dashboard: Fix UIDs are not preserved when importing/creating
dashboards thru importing .json file.
* Dashboard: Forces panel re-render when exiting panel edit.
* Dashboard: Prevent folder from changing when navigating to
general settings.
* Docker: Force use of libcrypto1.1 and libssl1.1 versions to
fix CVE-2021-3711.
* Elasticsearch: Fix metric names for alert queries.
* Elasticsearch: Limit Histogram field parameter to numeric
values.
* Elasticsearch: Prevent pipeline aggregations to show up in
terms order by options.
* LibraryPanels: Prevent duplicate repeated panels from being
created.
* Loki: Fix ad-hoc filter in dashboard when used with parser.
* Plugins: Track signed files + add warn log for plugin assets
which are not signed.
* Postgres/MySQL/MSSQL: Fix region annotations not displayed
correctly.
* Prometheus: Fix validate selector in metrics browser.
* Security: Fix stylesheet injection vulnerability.
* Security: Fix short URL vulnerability.
- Update to version 8.1.2
* AzureMonitor: Add support for PostgreSQL and MySQL Flexible
Servers.
* Datasource: Change HTTP status code for failed datasource
health check to 400.
* Explore: Add span duration to left panel in trace viewer.
* Plugins: Use file extension allowlist when serving plugin
assets instead of checking for UNIX executable.
* Profiling: Add support for binding pprof server to custom
network interfaces.
* Search: Make search icon keyboard navigable.
* Template variables: Keyboard navigation improvements.
* Tooltip: Display ms within minute time range.
* Alerting: Fix saving LINE contact point.
* Annotations: Fix alerting annotation coloring.
* Annotations: Alert annotations are now visible in the correct
Panel.
* Auth: Hide SigV4 config UI and disable middleware when its
config flag is disabled.
* Dashboard: Prevent incorrect panel layout by comparing window
width against theme breakpoints.
* Explore: Fix showing of full log context.
* PanelEdit: Fix 'Actual' size by passing the correct panel
size to Dashboard.
* Plugins: Fix TLS datasource settings.
* Variables: Fix issue with empty drop downs on navigation.
* Variables: Fix URL util converting false into true.
* Toolkit: Fix matchMedia not found error.
- Update to version 8.1.1
* CloudWatch Logs: Fix crash when no region is selected.
- Update to version 8.1.0
* Alerting: Deduplicate receivers during migration.
* ColorPicker: Display colors as RGBA.
* Select: Make portalling the menu opt-in, but opt-in
everywhere.
* TimeRangePicker: Improve accessibility.
* Annotations: Correct annotations that are displayed upon page
refresh.
* Annotations: Fix Enabled button that disappeared from Grafana
v8.0.6.
* Annotations: Fix data source template variable that was not
available for annotations.
* AzureMonitor: Fix annotations query editor that does not
load.
* Geomap: Fix scale calculations.
* GraphNG: Fix y-axis autosizing.
* Live: Display stream rate and fix duplicate channels in list
* Loki: Update labels in log browser when time range changes in
dashboard.
* NGAlert: Send resolve signal to alertmanager on alerting ->
Normal.
* PasswordField: Prevent a password from being displayed when
you click the Enter button.
* Renderer: Remove debug.log file when Grafana is stopped.
* Security: Update dependencies to fix CVE-2021-36222.
- Update to version 8.1.0-beta3
* Alerting: Support label matcher syntax in alert rule list
filter.
* IconButton: Put tooltip text as aria-label.
* Live: Experimental HA with Redis.
* UI: FileDropzone component.
* CloudWatch: Add AWS LookoutMetrics.
* Docker: Fix builds by delaying go mod verify until all
required files are copied over.
* Exemplars: Fix disable exemplars only on the query that
failed.
* SQL: Fix SQL dataframe resampling (fill mode + time
intervals).
- Update to version 8.1.0-beta2
* Alerting: Expand the value string in alert annotations and
* Auth: Add Azure HTTP authentication middleware.
* Auth: Auth: Pass user role when using the authentication
proxy.
* Gazetteer: Update countries.json file to allow for linking to
3-letter country codes.
* Config: Fix Docker builds by correcting formatting in
sample.ini.
* Explore: Fix encoding of internal URLs.
- Update to version 8.1.0-beta1
* Alerting: Add Alertmanager notifications tab.
* Alerting: Add button to deactivate current Alertmanager
* Alerting: Add toggle in Loki/Prometheus data source
configuration to opt out of alerting UI.
* Alerting: Allow any 'evaluate for' value >=0 in the alert
rule form.
* Alerting: Load default configuration from status endpoint, if
Cortex Alertmanager returns empty user configuration.
* Alerting: view to display alert rule and its underlying data.
* Annotation panel: Release the annotation panel.
* Annotations: Add typeahead support for tags in built-in
annotations.
* AzureMonitor: Add curated dashboards for Azure services.
* AzureMonitor: Add support for deep links to Microsoft Azure
portal for Metrics.
* AzureMonitor: Remove support for different credentials for
Azure Monitor Logs.
* AzureMonitor: Support querying any Resource for Logs queries.
* Elasticsearch: Add frozen indices search support.
* Elasticsearch: Name fields after template variables values
instead of their name.
* Elasticsearch: add rate aggregation.
* Email: Allow configuration of content types for email
notifications.
* Explore: Add more meta information when line limit is hit.
* Explore: UI improvements to trace view.
* FieldOverrides: Added support to change display name in an
override field and have it be matched by a later rule.
* HTTP Client: Introduce dataproxy_max_idle_connections config
variable.
* InfluxDB: InfluxQL: adds tags to timeseries data.
* InfluxDB: InfluxQL: make measurement search case insensitive.
Legacy Alerting: Replace simplejson with a struct in webhook
notification channel.
* Legend: Updates display name for Last (not null) to just
Last*.
* Logs panel: Add option to show common labels.
* Loki: Add $__range variable.
* Loki: Add support for 'label_values(log stream selector,
label)' in templating.
* Loki: Add support for ad-hoc filtering in dashboard.
* MySQL Datasource: Add timezone parameter.
* NodeGraph: Show gradient fields in legend.
* PanelOptions: Don't mutate panel options/field config object
when updating.
* PieChart: Make pie gradient more subtle to match other
charts.
* Prometheus: Update PromQL typeahead and highlighting.
* Prometheus: interpolate variable for step field.
* Provisioning: Improve validation by validating across all
dashboard providers.
* SQL Datasources: Allow multiple string/labels columns with
time series.
* Select: Portal select menu to document.body.
* Team Sync: Add group mapping to support team sync in the
Generic OAuth provider.
* Tooltip: Make active series more noticeable.
* Tracing: Add support to configure trace to logs start and end
time.
* Transformations: Skip merge when there is only a single data
frame.
* ValueMapping: Added support for mapping text to color,
boolean values, NaN and Null. Improved UI for value mapping.
* Visualizations: Dynamically set any config (min, max, unit,
color, thresholds) from query results.
* live: Add support to handle origin without a value for the
port when matching with root_url.
* Alerting: Handle marshaling Inf values.
* AzureMonitor: Fix macro resolution for template variables.
* AzureMonitor: Fix queries with Microsoft.NetApp/../../volumes
resources.
* AzureMonitor: Request and concat subsequent resource pages.
* Bug: Fix parse duration for day.
* Datasources: Improve error handling for error messages.
* Explore: Correct the functionality of shift-enter shortcut
across all uses.
* Explore: Show all dataFrames in data tab in Inspector.
* GraphNG: Fix Tooltip mode 'All' for XYChart.
* Loki: Fix highlight of logs when using filter expressions
with backticks.
* Modal: Force modal content to overflow with scroll.
* Plugins: Ignore symlinked folders when verifying plugin
signature.
* Toolkit: Improve error messages when tasks fail.
- Update to version 8.0.7
- Update to version 8.0.6
* Alerting: Add annotation upon alert state change.
* Alerting: Allow space in label and annotation names.
* InfluxDB: Improve legend labels for InfluxDB query results.
* Alerting: Fix improper alert by changing the handling of
empty labels.
* CloudWatch/Logs: Reestablish Cloud Watch alert behavior.
* Dashboard: Avoid migration breaking on fieldConfig without
defaults field in folded panel.
* DashboardList: Fix issue not re-fetching dashboard list after
variable change.
* Database: Fix incorrect format of isolation level
configuration parameter for MySQL.
* InfluxDB: Correct tag filtering on InfluxDB data.
* Links: Fix links that caused a full page reload.
* Live: Fix HTTP error when InfluxDB metrics have an incomplete
or asymmetrical field set.
* Postgres/MySQL/MSSQL: Change time field to 'Time' for time
series queries.
* Postgres: Fix the handling of a null return value in query
* Tempo: Show hex strings instead of uints for IDs.
* TimeSeries: Improve tooltip positioning when tooltip
overflows.
* Transformations: Add 'prepare time series' transformer.
- Update to version 8.0.5
* Cloudwatch Logs: Send error down to client.
* Folders: Return 409 Conflict status when folder already
exists.
* TimeSeries: Do not show series in tooltip if it's hidden in
the viz.
* AzureMonitor: Fix issue where resource group name is missing
on the resource picker button.
* Chore: Fix AWS auth assuming role with workspace IAM.
* DashboardQueryRunner: Fixes unrestrained subscriptions being
* DateFormats: Fix reading correct setting key for
use_browser_locale.
* Links: Fix links to other apps outside Grafana when under sub
path.
* Snapshots: Fix snapshot absolute time range issue.
* Table: Fix data link color.
* Time Series: Fix X-axis time format when tick increment is
larger than a year.
* Tooltip Plugin: Prevent tooltip render if field is undefined.
- Update to version 8.0.4
* Live: Rely on app url for origin check.
* PieChart: Sort legend descending, update placeholder.
* TimeSeries panel: Do not reinitialize plot when thresholds
mode change.
* Elasticsearch: Allow case sensitive custom options in
date_histogram interval.
* Elasticsearch: Restore previous field naming strategy when
using variables.
* Explore: Fix import of queries between SQL data sources.
* InfluxDB: InfluxQL query editor: fix retention policy
handling.
* Loki: Send correct time range in template variable queries.
* TimeSeries: Preserve RegExp series overrides when migrating
from old graph panel.
- Update to version 8.0.3
* Alerting: Increase alertmanager_conf column if MySQL.
* Time series/Bar chart panel: Handle infinite numbers as nulls
when converting to plot array.
* TimeSeries: Ensure series overrides that contain color are
migrated, and migrate the previous fieldConfig when changing
the panel type.
* ValueMappings: Improve singlestat value mappings migration.
* Annotations: Fix annotation line and marker colors.
* AzureMonitor: Fix KQL template variable queries without
default workspace.
* CloudWatch/Logs: Fix missing response data for log queries.
* LibraryPanels: Fix crash in library panels list when panel
plugin is not found.
* LogsPanel: Fix performance drop when moving logs panel in
* Loki: Parse log levels when ANSI coloring is enabled.
* MSSQL: Fix issue with hidden queries still being executed.
* PanelEdit: Display the VisualizationPicker that was not
displayed if a panel has an unknown panel plugin.
* Plugins: Fix loading symbolically linked plugins.
* Prometheus: Fix issue where legend name was replaced with
name Value in stat and gauge panels.
* State Timeline: Fix crash when hovering over panel.
- Update to version 8.0.2
* Datasource: Add support for max_conns_per_host in dataproxy
settings.
* Configuration: Fix changing org preferences in FireFox.
* PieChart: Fix legend dimension limits.
* Postgres/MySQL/MSSQL: Fix panic in concurrent map writes.
* Variables: Hide default data source if missing from regex.
- Update to version 8.0.1
* Alerting/SSE: Fix 'count_non_null' reducer validation.
* Cloudwatch: Fix duplicated time series.
* Cloudwatch: Fix missing defaultRegion.
* Dashboard: Fix Dashboard init failed error on dashboards with
old singlestat panels in collapsed rows.
* Datasource: Fix storing timeout option as numeric.
* Postgres/MySQL/MSSQL: Fix annotation parsing for empty
* Postgres/MySQL/MSSQL: Numeric/non-string values are now
returned from query variables.
* Postgres: Fix an error that was thrown when the annotation
query did not return any results.
* StatPanel: Fix an issue with the appearance of the graph when
switching color mode.
* Visualizations: Fix an issue in the
Stat/BarGauge/Gauge/PieChart panels where all values mode
were showing the same name if they had the same value.
* Toolkit: Resolve external fonts when Grafana is served from a
sub path.
- Update to version 8.0.0
* The following endpoints were deprecated for Grafana v5.0 and
support for them has now been removed:
GET /dashboards/db/:slug
GET /dashboard-solo/db/:slug
GET /api/dashboard/db/:slug
DELETE /api/dashboards/db/:slug
* AzureMonitor: Require default subscription for workspaces()
template variable query.
* AzureMonitor: Use resource type display names in the UI.
* Dashboard: Remove support for loading and deleting dashboard
by slug.
* InfluxDB: Deprecate direct browser access in data source.
* VizLegend: Add a read-only property.
* AzureMonitor: Fix Azure Resource Graph queries in Azure
China.
* Checkbox: Fix vertical layout issue with checkboxes due to
fixed height.
* Dashboard: Fix Table view when editing causes the panel data
to not update.
* Dashboard: Fix issues where unsaved-changes warning is not
displayed.
* Login: Fixes Unauthorized message showing when on login page
or snapshot page.
* NodeGraph: Fix sorting markers in grid view.
* Short URL: Include orgId in generated short URLs.
* Variables: Support raw values of boolean type.
- Update to version 8.0.0-beta3
* The default HTTP method for Prometheus data source is now
POST.
* API: Support folder UID in dashboards API.
* Alerting: Add support for configuring avatar URL for the
Discord notifier.
* Alerting: Clarify that Threema Gateway Alerts support only
Basic IDs.
* Azure: Expose Azure settings to external plugins.
* AzureMonitor: Deprecate using separate credentials for Azure
Monitor Logs.
* AzureMonitor: Display variables in resource picker for Azure
* AzureMonitor: Hide application insights for data sources not
using it.
* AzureMonitor: Support querying subscriptions and resource
groups in Azure Monitor Logs.
* AzureMonitor: remove requirement for default subscription.
* CloudWatch: Add Lambda@Edge Amazon CloudFront metrics.
* CloudWatch: Add missing AWS AppSync metrics.
* ConfirmModal: Auto focus delete button.
* Explore: Add caching for queries that are run from logs
* Loki: Add formatting for annotations.
* Loki: Bring back processed bytes as meta information.
* NodeGraph: Display node graph collapsed by default with trace
view.
* Overrides: Include a manual override option to hide something
from visualization.
* PieChart: Support row data in pie charts.
* Prometheus: Update default HTTP method to POST for existing
data sources.
* Time series panel: Position tooltip correctly when window is
scrolled or resized.
* Admin: Fix infinite loading edit on the profile page.
* Color: Fix issues with random colors in string and date
* Dashboard: Fix issue with title or folder change has no
effect after exiting settings view.
* DataLinks: Fix an issue __series.name is not working in data
link.
* Datasource: Fix dataproxy timeout should always be applied
for outgoing data source HTTP requests.
* Elasticsearch: Fix NewClient not passing httpClientProvider
to client impl.
* Explore: Fix Browser title not updated on Navigation to
Explore.
* GraphNG: Remove fieldName and hideInLegend properties from
UPlotSeriesBuilder.
* OAuth: Fix fallback to auto_assign_org_role setting for Azure
AD OAuth when no role claims exists.
* PanelChrome: Fix issue with empty panel after adding a non
data panel and coming back from panel edit.
* StatPanel: Fix data link tooltip not showing for single
value.
* Table: Fix sorting for number fields.
* Table: Have text underline for datalink, and add support for
image datalink.
* Transformations: Prevent FilterByValue transform from
crashing panel edit.
- Update to version 8.0.0-beta2
* AppPlugins: Expose react-router to apps.
* AzureMonitor: Add Azure Resource Graph.
* AzureMonitor: Managed Identity configuration UI.
* AzureMonitor: Token provider with support for Managed
Identities.
* AzureMonitor: Update Logs workspace() template variable query
to return resource URIs.
* BarChart: Value label sizing.
* CloudMonitoring: Add support for preprocessing.
* CloudWatch: Add AWS/EFS StorageBytes metric.
* CloudWatch: Allow use of missing AWS namespaces using custom
* Datasource: Shared HTTP client provider for core backend data
sources and any data source using the data source proxy.
* InfluxDB: InfluxQL: allow empty tag values in the query
editor.
* Instrumentation: Instrument incoming HTTP request with
histograms by default.
* Library Panels: Add name endpoint & unique name validation to
AddLibraryPanelModal.
* Logs panel: Support details view.
* PieChart: Always show the calculation options dropdown in the
* PieChart: Remove beta flag.
* Plugins: Enforce signing for all plugins.
* Plugins: Remove support for deprecated backend plugin
protocol version.
* Tempo/Jaeger: Add better display name to legend.
* Timeline: Add time range zoom.
* Timeline: Adds opacity & line width option.
* Timeline: Value text alignment option.
* ValueMappings: Add duplicate action, and disable dismiss on
backdrop click.
* Zipkin: Add node graph view to trace response.
* Annotations panel: Remove subpath from dashboard links.
* Content Security Policy: Allow all image sources by default.
* Content Security Policy: Relax default template wrt. loading
of scripts, due to nonces not working.
* Datasource: Fix tracing propagation for alert execution by
introducing HTTP client outgoing tracing middleware.
* InfluxDB: InfluxQL always apply time interval end.
* Library Panels: Fixes 'error while loading library panels'.
* NewsPanel: Fixes rendering issue in Safari.
* PanelChrome: Fix queries being issued again when scrolling in
and out of view.
* Plugins: Fix Azure token provider cache panic and auth param
nil value.
* Snapshots: Fix key and deleteKey being ignored when creating
an external snapshot.
* Table: Fix issue with cell border not showing with colored
background cells.
* Table: Makes tooltip scrollable for long JSON values.
* TimeSeries: Fix for Connected null values threshold toggle
during panel editing.
* Variables: Fixes inconsistent selected states on dashboard
* Variables: Refreshes all panels even if panel is full screen.
* QueryField: Remove carriage return character from pasted text.
- Update to version 8.0.0-beta1
+ License update:
* AGPL License: Update license from Apache 2.0 to the GNU
Affero General Public License (AGPL).
* Removes the never refresh option for Query variables.
* Removes the experimental Tags feature for Variables.
+ Deprecations:
* The InfoBox & FeatureInfoBox are now deprecated please use
the Alert component instead with severity info.
* API: Add org users with pagination.
* API: Return 404 when deleting nonexistent API key.
* API: Return query results as JSON rather than base64 encoded
Arrow.
* Alerting: Allow sending notification tags to Opsgenie as
extra properties.
* Alerts: Replaces all uses of InfoBox & FeatureInfoBox with
Alert.
* Auth: Add support for JWT Authentication.
* AzureMonitor: Add support for
Microsoft.SignalRService/SignalR metrics.
* AzureMonitor: Azure settings in Grafana server config.
* AzureMonitor: Migrate Metrics query editor to React.
* BarChart panel: enable series toggling via legend.
* BarChart panel: Adds support for Tooltip in BarChartPanel.
* PieChart panel: Change look of highlighted pie slices.
* CloudMonitoring: Migrate config editor from angular to react.
* CloudWatch: Add Amplify Console metrics and dimensions.
* CloudWatch: Add missing Redshift metrics to CloudWatch data
* CloudWatch: Add metrics for managed RabbitMQ service.
* DashboardList: Enable templating on search tag input.
* Datasource config: correctly remove single custom http
header.
* Elasticsearch: Add generic support for template variables.
* Elasticsearch: Allow omitting field when metric supports
inline script.
* Elasticsearch: Allow setting a custom limit for log queries.
* Elasticsearch: Guess field type from first non-empty value.
* Elasticsearch: Use application/x-ndjson content type for
multisearch requests.
* Elasticsearch: Use semver strings to identify ES version.
* Explore: Add logs navigation to request more logs.
* Explore: Map Graphite queries to Loki.
* Explore: Scroll split panes in Explore independently.
* Explore: Wrap each panel in separate error boundary.
* FieldDisplay: Smarter naming of stat values when visualising
row values (all values) in stat panels.
* Graphite: Expand metric names for variables.
* Graphite: Handle unknown Graphite functions without breaking
the visual editor.
* Graphite: Show graphite functions descriptions.
* Graphite: Support request cancellation properly (Uses new
backendSrv.fetch Observable request API).
* InfluxDB: Flux: Improve handling of complex
response-structures.
* InfluxDB: Support region annotations.
* Inspector: Download logs for manual processing.
* Jaeger: Add node graph view for trace.
* Jaeger: Search traces.
* Loki: Use data source settings for alerting queries.
* NodeGraph: Exploration mode.
* OAuth: Add support for empty scopes.
* PanelChrome: New logic-less emotion based component with no
dependency on PanelModel or DashboardModel.
* PanelEdit: Adds a table view toggle to quickly view data in
table form.
* PanelEdit: Highlight matched words when searching options.
* PanelEdit: UX improvements.
* Plugins: PanelRenderer and simplified QueryRunner to be used
from plugins.
* Plugins: AuthType in route configuration and params
interpolation.
* Plugins: Enable plugin runtime install/uninstall
capabilities.
* Plugins: Support set body content in plugin routes.
* Plugins: Introduce marketplace app.
* Plugins: Moving the DataSourcePicker to grafana/runtime so it
can be reused in plugins.
* Prometheus: Add custom query params for alert and exemplars
* Prometheus: Use fuzzy string matching to autocomplete metric
names and label.
* Routing: Replace Angular routing with react-router.
* Slack: Use chat.postMessage API by default.
* Tempo: Search for Traces by querying Loki directly from
Tempo.
* Tempo: Show graph view of the trace.
* Themes: Switch theme without reload using global shortcut.
* TimeSeries panel: Add support for shared cursor.
* TimeSeries panel: Do not crash the panel if there is no time
series data in the response.
* Variables: Do not save repeated panels, rows and scopedVars.
* Variables: Removes experimental Tags feature.
* Variables: Removes the never refresh option.
* Visualizations: Unify tooltip options across visualizations.
* Visualizations: Refactor and unify option creation between
new visualizations.
* Visualizations: Remove singlestat panel.
* APIKeys: Fixes issue with adding first api key.
* Alerting: Add checks for non supported units - disable
defaulting to seconds.
* Alerting: Fix issue where Slack notifications won't link to
user IDs.
* Alerting: Omit empty message in PagerDuty notifier.
* AzureMonitor: Fix migration error from older versions of App
Insights queries.
* CloudWatch: Fix AWS/Connect dimensions.
* CloudWatch: Fix broken AWS/MediaTailor dimension name.
* Dashboards: Allow string manipulation as advanced variable
format option.
* DataLinks: Includes harmless extended characters like
Cyrillic characters.
* Drawer: Fixes title overflowing its container.
* Explore: Fix issue when some query errors were not shown.
* Generic OAuth: Prevent adding duplicated users.
* Graphite: Handle invalid annotations.
* Graphite: Fix autocomplete when tags are not available.
* InfluxDB: Fix Cannot read property 'length' of undefined in
when parsing response.
* Instrumentation: Enable tracing when Jaeger host and port are
* Instrumentation: Prefix metrics with grafana.
* MSSQL: By default let driver choose port.
* OAuth: Add optional strict parsing of role_attribute_path.
* Panel: Fixes description markdown with inline code being
rendered on newlines and full width.
* PanelChrome: Ignore data updates & errors for non data
panels.
* Permissions: Fix inherited folder permissions can prevent new
permissions being added to a dashboard.
* Plugins: Remove pre-existing plugin installs when installing
with grafana-cli.
* Plugins: Support installing to folders with whitespace and
fix pluginUrl trailing and leading whitespace failures.
* Postgres/MySQL/MSSQL: Don't return connection failure details
to the client.
* Postgres: Fix ms precision of interval in time group macro
when TimescaleDB is enabled.
* Provisioning: Use dashboard checksum field as change
indicator.
* SQL: Fix so that all captured errors are returned from sql
engine.
* Shortcuts: Fixes panel shortcuts so they always work.
* Table: Fixes so border is visible for cells with links.
* Variables: Clear query when data source type changes.
* Variables: Filters out builtin variables from unknown list.
* Button: Introduce buttonStyle prop.
* DataQueryRequest: Remove deprecated props showingGraph and
showingTabel and exploreMode.
* grafana/ui: Update React Hook Form to v7.
* IconButton: Introduce variant for red and blue icon buttons.
* Plugins: Expose the getTimeZone function to be able to get
the current selected timeZone.
* TagsInput: Add className to TagsInput.
* VizLegend: Move onSeriesColorChanged to PanelContext
(breaking change).
- Update to version 7.5.13
* Alerting: Fix NoDataFound for alert rules using AND operator.
mgr-cfg:
- Version 4.3.6-1
* Corrected source URL in spec file
* Fix installation problem for SLE15SP4 due missing python-selinux
* Fix python selinux package name depending on build target (bsc#1193600)
* Do not build python 2 package for SLE15SP4 and higher
* Remove unused legacy code
mgr-custom-info:
- Version 4.3.3-1
* Remove unused legacy code
mgr-daemon:
- Version 4.3.4-1
* Corrected source URLs in spec file
* Update translation strings
mgr-osad:
- Version 4.3.6-1
* Corrected source URL in spec file.
* Do not build python 2 package for SLE15SP4 and higher
* Removed spacewalk-selinux dependencies.
* Updated source url.
mgr-push:
- Version 4.3.4-1
* Corrected source URLs in spec file
mgr-virtualization:
- Version 4.3.5-1
* Corrected source URLs in spec file.
* Do not build python 2 package for SLE15SP4 and higher
prometheus-blackbox_exporter:
- Enhanced to build on Enterprise Linux 8
prometheus-postgres_exporter:
- Updated for RHEL8.
python-hwdata:
- Require python macros for building
rhnlib:
- Version 4.3.4-1
* Reorganize python files
spacecmd:
- Version 4.3.11-1
* on full system update call schedulePackageUpdate API (bsc#1197507)
* parse boolean paramaters correctly (bsc#1197689)
* Add parameter to set containerized proxy SSH port
* Add proxy config generation subcommand
* Option 'org_createfirst' added to perform initial organization and user creation
* Added gettext build requirement for RHEL.
* Removed RHEL 5 references.
* Include group formulas configuration in spacecmd group_backup and
spacecmd group_restore. This changes backup format to json,
previously used plain text is still supported for reading (bsc#1190462)
* Update translation strings
* Improved event history listing and added new system_eventdetails
command to retrieve the details of an event
* Make schedule_deletearchived to get all actions without display limit
* Allow passing a date limit for schedule_deletearchived on spacecmd (bsc#1181223)
spacewalk-client-tools:
- Version 4.3.9-1
* Corrected source URLs in spec file.
* do not build python 2 package for SLE15
* Remove unused legacy code
* Update translation strings
spacewalk-koan:
- Version 4.3.5-1
* Corrected source URLs in spec file.
spacewalk-oscap:
- Version 4.3.5-1
* Corrected source URLs in spec file.
* Do not build python 2 package for SLE15SP4 and higher
spacewalk-remote-utils:
- Version 4.3.3-1
* Adapt the package for changes in rhnlib
supportutils-plugin-susemanager-client:
- Version 4.3.2-1
* Add proxy containers config and logs
suseRegisterInfo:
- Version 4.3.3-1
* Bump version to 4.3.0
supportutils-plugin-salt:
- Add support for Salt Bundle
uyuni-common-libs:
- Version 4.3.4-1
* implement more decompression algorithms for reposync (bsc#1196704)
* Reorganize python files
* Add decompression of zck files to fileutils
ImportantSUSE bug 1181223SUSE bug 1181400SUSE bug 1190462SUSE bug 1190535SUSE bug 1193600SUSE bug 1194873SUSE bug 1195726SUSE bug 1195727SUSE bug 1195728SUSE bug 1196338SUSE bug 1196704SUSE bug 1197507SUSE bug 1197689CVE-2021-36222 at SUSECVE-2021-36222 at NVDCVE-2021-3711 at SUSECVE-2021-3711 at NVDCVE-2021-39226 at SUSECVE-2021-39226 at NVDCVE-2021-41174 at SUSECVE-2021-41174 at NVDCVE-2021-41244 at SUSECVE-2021-41244 at NVDCVE-2021-43798 at SUSECVE-2021-43798 at NVDCVE-2021-43813 at SUSECVE-2021-43813 at NVDCVE-2021-43815 at SUSECVE-2021-43815 at NVDCVE-2022-21673 at SUSECVE-2022-21673 at NVDCVE-2022-21698 at SUSECVE-2022-21698 at NVDCVE-2022-21702 at SUSECVE-2022-21702 at NVDCVE-2022-21703 at SUSECVE-2022-21703 at NVDCVE-2022-21713 at SUSECVE-2022-21713 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for dpdk (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update of dpdk fixes the following issue:
- rebuild with new secure boot key due to grub2 boothole 3 issues (bsc#1198581)
ImportantSUSE bug 1198581cpe:/o:suse:sles_teradata:12:sp3Security update for fwupdate (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update of fwupdate fixes the following issue:
- rebuild with new secure boot key due to grub2 boothole 3 issues (bsc#1198581)
ImportantSUSE bug 1198581cpe:/o:suse:sles_teradata:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3 fixes the following issues:
- CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511).
ImportantSUSE bug 1070738SUSE bug 1198511SUSE bug 1199441CVE-2015-20107 at SUSECVE-2015-20107 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssl fixes the following issues:
- CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)
ModerateSUSE bug 1200550CVE-2022-2068 at SUSECVE-2022-2068 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python fixes the following issues:
- CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511).
ImportantSUSE bug 1198511CVE-2015-20107 at SUSECVE-2015-20107 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for sysstat (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for sysstat fixes the following issues:
Security issue fixed:
- CVE-2019-19725: Fixed double free in check_file_actlst in sa_common.c (bsc#1159104).
Bug fixes:
- Enable log information of starting/stoping services. (bsc#1144923, jsc#SLE-5958)
ModerateSUSE bug 1144923SUSE bug 1159104CVE-2019-19725 at SUSECVE-2019-19725 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ImageMagick fixes the following issues:
- CVE-2019-17540: Fixed heap-based buffer overflow in ReadPSInfo in coders/ps.c. (bsc#1153866)
- CVE-2022-32545: Fixed an outside the range of representable values of type. (bsc#1200388)
- CVE-2022-32546: Fixed an outside the range of representable values of type. (bsc#1200389)
- CVE-2022-32547: Fixed a load of misaligned address at MagickCore/property.c. (bsc#1200387)
ModerateSUSE bug 1153866SUSE bug 1200387SUSE bug 1200388SUSE bug 1200389CVE-2019-17540 at SUSECVE-2019-17540 at NVDCVE-2022-32545 at SUSECVE-2022-32545 at NVDCVE-2022-32546 at SUSECVE-2022-32546 at NVDCVE-2022-32547 at SUSECVE-2022-32547 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Update to Firefox Extended Support Release 91.11.0 ESR (MFSA 2022-25) (bsc#1200793):
- CVE-2022-2200: Undesired attributes could be set as part of prototype pollution (bmo#1771381)
- CVE-2022-31744: CSP bypass enabling stylesheet injection (bmo#1757604)
- CVE-2022-34468: CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI (bmo#1768537)
- CVE-2022-34470: Use-after-free in nsSHistory (bmo#1765951)
- CVE-2022-34472: Unavailable PAC file resulted in OCSP requests being blocked (bmo#1770123)
- CVE-2022-34478: Microsoft protocols can be attacked if a user accepts a prompt (bmo#1773717)
- CVE-2022-34479: A popup window could be resized in a way to overlay the address bar with web content (bmo#1745595)
- CVE-2022-34481: Potential integer overflow in ReplaceElementsAt (bmo#1497246)
- CVE-2022-34484: Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11 (bmo#1763634, bmo#1772651)
ImportantSUSE bug 1200793CVE-2022-2200 at SUSECVE-2022-2200 at NVDCVE-2022-31744 at SUSECVE-2022-31744 at NVDCVE-2022-34468 at SUSECVE-2022-34468 at NVDCVE-2022-34470 at SUSECVE-2022-34470 at NVDCVE-2022-34472 at SUSECVE-2022-34472 at NVDCVE-2022-34478 at SUSECVE-2022-34478 at NVDCVE-2022-34479 at SUSECVE-2022-34479 at NVDCVE-2022-34481 at SUSECVE-2022-34481 at NVDCVE-2022-34484 at SUSECVE-2022-34484 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for crash (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update of crash fixes the following issue:
- rebuild with new secure boot key due to grub2 boothole 3 issues (bsc#1198581)
ImportantSUSE bug 1198581cpe:/o:suse:sles_teradata:12:sp3Security update for rsyslog (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for rsyslog fixes the following issues:
- CVE-2022-24903: fix potential heap buffer overflow in modules for TCP syslog reception (bsc#1199061)
ImportantSUSE bug 1199061CVE-2022-24903 at SUSECVE-2022-24903 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for pcre (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for pcre fixes the following issues:
- CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)
ImportantSUSE bug 1199232CVE-2022-1586 at SUSECVE-2022-1586 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for curl (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for curl fixes the following issues:
- CVE-2022-32208: FTP-KRB bad message verification (bsc#1200737)
ImportantSUSE bug 1200737CVE-2022-32208 at SUSECVE-2022-32208 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xorg-x11-server fixes the following issues:
- CVE-2022-2319: Fixed out-of-bounds access in _CheckSetSections() (ZDI-CAN-16062) (bsc#1194179).
- CVE-2022-2320: Fixed out-of-bounds access in CheckSetDeviceIndicators() (ZDI-CAN-16070) (bsc#1194181).
ImportantSUSE bug 1194179SUSE bug 1194181CVE-2022-2319 at SUSECVE-2022-2319 at NVDCVE-2022-2320 at SUSECVE-2022-2320 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for squid (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for squid fixes the following issues:
- CVE-2020-25097: Fixed HTTP Request Smuggling (bsc#1183436)
- CVE-2021-28651: Fixed DoS in URN processing (bsc#1185921)
- CVE-2021-46784: Fixed DoS when processing gopher server responses (bsc#1200907)
ImportantSUSE bug 1183436SUSE bug 1185921SUSE bug 1200907CVE-2020-25097 at SUSECVE-2020-25097 at NVDCVE-2021-28651 at SUSECVE-2021-28651 at NVDCVE-2021-46784 at SUSECVE-2021-46784 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for logrotate (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for logrotate fixes the following issues:
Security issues fixed:
- Improved coredump handing for SUID binaries (bsc#1192449).
Non-security issues fixed:
- Fixed 'logrotate emits unintended warning: keyword size not properly separated, found 0x3d' (bsc#1200278, bsc#1200802).
ImportantSUSE bug 1192449SUSE bug 1200278SUSE bug 1200802cpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
Update to version 2.36.4 (bsc#1201221):
- CVE-2022-22662: Processing maliciously crafted web content may disclose sensitive user information.
- CVE-2022-22677: The video in a webRTC call may be interrupted if the audio capture gets interrupted.
- CVE-2022-26710: Processing maliciously crafted web content may lead to arbitrary code execution.
ImportantSUSE bug 1201221CVE-2022-22662 at SUSECVE-2022-22662 at NVDCVE-2022-22677 at SUSECVE-2022-22677 at NVDCVE-2022-26710 at SUSECVE-2022-26710 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for python-M2Crypto (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-M2Crypto fixes the following issues:
- CVE-2020-25657: Fixed Bleichenbacher timing attacks in the RSA decryption API (bsc#1178829).
ImportantSUSE bug 1178829CVE-2020-25657 at SUSECVE-2020-25657 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for gpg2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gpg2 fixes the following issues:
- CVE-2022-34903: Fixed a status injection vulnerability (bsc#1201225).
ImportantSUSE bug 1201225CVE-2022-34903 at SUSECVE-2022-34903 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-openjdk fixes the following issues:
Update to version jdk8u332 - April 2022 CPU (icedtea-3.23.0)
- CVE-2022-21426: Better XPath expression handling (bsc#1198672)
- CVE-2022-21443: Improved Object Identification (bsc#1198675)
- CVE-2022-21434: Better invocation handler handling (bsc#1198674)
- CVE-2022-21476: Improve Santuario processing (bsc#1198671)
- CVE-2022-21496: Improve URL supports (bsc#1198673)
And further Security fixes, Import of OpenJDK 8 u332, Backports and Bug fixes.
ImportantSUSE bug 1198671SUSE bug 1198672SUSE bug 1198673SUSE bug 1198674SUSE bug 1198675CVE-2022-21426 at SUSECVE-2022-21426 at NVDCVE-2022-21434 at SUSECVE-2022-21434 at NVDCVE-2022-21443 at SUSECVE-2022-21443 at NVDCVE-2022-21476 at SUSECVE-2022-21476 at NVDCVE-2022-21496 at SUSECVE-2022-21496 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for mozilla-nspr, mozilla-nss (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to fix various issues:
FIPS 140-3 enablement patches were backported from SUSE Linux Enterprise 15.
- FIPS: add on-demand integrity tests through sftk_FIPSRepeatIntegrityCheck() (bsc#1198980).
- FIPS: mark algorithms as approved/non-approved according to security policy (bsc#1191546, bsc#1201298).
- FISP: remove hard disabling of unapproved algorithms. This requirement is now
fulfilled by the service level indicator (bsc#1200325).
Version update to NSS 3.79
- Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
- Update mercurial in clang-format docker image.
- Use of uninitialized pointer in lg_init after alloc fail.
- selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
- Add SECMOD_LockedModuleHasRemovableSlots.
- Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
- Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.
- TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.
- Correct invalid record inner and outer content type alerts.
- NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
- improve error handling after nssCKFWInstance_CreateObjectHandle.
- Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
- NSS 3.79 should depend on NSPR 4.34
Update to NSS 3.78.1
- Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple
update to NSS 3.78
- Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests.
- Reworked overlong record size checks and added TLS1.3 specific boundaries.
- Add ECH Grease Support to tstclnt
- Add a strict variant of moz::pkix::CheckCertHostname.
- Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
- Make SEC_PKCS12EnableCipher succeed
- Update zlib in NSS to 1.2.12.
Update to NSS 3.77:
- resolve mpitests build failure on Windows.
- Fix link to TLS page on wireshark wiki
- Add two D-TRUST 2020 root certificates.
- Add Telia Root CA v2 root certificate.
- Remove expired explicitly distrusted certificates from certdata.txt.
- support specific RSA-PSS parameters in mozilla::pkix
- Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
- Remove token member from NSSSlot struct.
- Provide secure variants of mpp_pprime and mpp_make_prime.
- Support UTF-8 library path in the module spec string.
- Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
- Add a CI Target for gcc-11.
- Change to makefiles for gcc-4.8.
- Update googletest to 1.11.0
- Add SetTls13GreaseEchSize to experimental API.
- TLS 1.3 Illegal legacy_version handling/alerts.
- Fix calculation of ECH HRR Transcript.
- Allow ld path to be set as environment variable.
- Ensure we don't read uninitialized memory in ssl gtests.
- Fix DataBuffer Move Assignment.
- internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3
- rework signature verification in mozilla::pkix
update to NSS 3.76.1
- Remove token member from NSSSlot struct.
NSS 3.76
- Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots.
- Check return value of PK11Slot_GetNSSToken.
- Use Wycheproof JSON for RSASSA-PSS
- Add SHA256 fingerprint comments to old certdata.txt entries.
- Avoid truncating files in nss-release-helper.py.
- Throw illegal_parameter alert for illegal extensions in handshake message.
update to NSS 3.75
- Make DottedOIDToCode.py compatible with python3.
- Avoid undefined shift in SSL_CERT_IS while fuzzing.
- Remove redundant key type check.
- Update ABI expectations to match ECH changes.
- Enable CKM_CHACHA20.
- check return on NSS_NoDB_Init and NSS_Shutdown.
- real move assignment operator.
- Run ECDSA test vectors from bltest as part of the CI tests.
- Add ECDSA test vectors to the bltest command line tool.
- Allow to build using clang's integrated assembler.
- Allow to override python for the build.
- test HKDF output rather than input.
- Use ASSERT macros to end failed tests early.
- move assignment operator for DataBuffer.
- Add test cases for ECH compression and unexpected extensions in SH.
- Update tests for ECH-13.
- Tidy up error handling.
- Add tests for ECH HRR Changes.
- Server only sends GREASE HRR extension if enabled by preference.
- Update generation of the Associated Data for ECH-13.
- When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello.
- Allow for compressed, non-contiguous, extensions.
- Scramble the PSK extension in CHOuter.
- Split custom extension handling for ECH.
- Add ECH-13 HRR Handling.
- Client side ECH padding.
- Stricter ClientHelloInner Decompression.
- Remove ECH_inner extension, use new enum format.
- Update the version number for ECH-13 and adjust the ECHConfig size.
Update to NSS 3.74:
- mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses
- Ensure clients offer consistent ciphersuites after HRR
- NSS does not properly restrict server keys based on policy
- Set nssckbi version number to 2.54
- Replace Google Trust Services LLC (GTS) R4 root certificate
- Replace Google Trust Services LLC (GTS) R3 root certificate
- Replace Google Trust Services LLC (GTS) R2 root certificate
- Replace Google Trust Services LLC (GTS) R1 root certificate
- Replace GlobalSign ECC Root CA R4
- Remove Expired Root Certificates - DST Root CA X3
- Remove Expiring Cybertrust Global Root and GlobalSign root certificates
- Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate
- Add iTrusChina ECC root certificate
- Add iTrusChina RSA root certificate
- Add ISRG Root X2 root certificate
- Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
- Avoid a clang 13 unused variable warning in opt build
- Check for missing signedData field
- Ensure DER encoded signatures are within size limits
- enable key logging option (bsc#1195040)
Update to NSS 3.73.1:
- Add SHA-2 support to mozilla::pkix's OSCP implementation
Update to NSS 3.73
- check for missing signedData field.
- Ensure DER encoded signatures are within size limits.
- NSS needs FiPS 140-3 version indicators.
- pkix_CacheCert_Lookup doesn't return cached certs
- sunset Coverity from NSS
MFSA 2021-51 (bsc#1193170) CVE-2021-43527: Memory corruption via DER-encoded DSA and RSA-PSS signatures
Update to NSS 3.72
- Fix nsinstall parallel failure.
- Increase KDF cache size to mitigate perf regression in about:logins
Update to NSS 3.71
- Set nssckbi version number to 2.52.
- Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
- Import of PKCS#12 files with Camellia encryption is not supported
- Add HARICA Client ECC Root CA 2021.
- Add HARICA Client RSA Root CA 2021.
- Add HARICA TLS ECC Root CA 2021.
- Add HARICA TLS RSA Root CA 2021.
- Add TunTrust Root CA certificate to NSS.
update to NSS 3.70
- Update test case to verify fix.
- Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
- Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
- Avoid using a lookup table in nssb64d.
- Use HW accelerated SHA2 on AArch64 Big Endian.
- Change default value of enableHelloDowngradeCheck to true.
- Cache additional PBE entries.
- Read HPKE vectors from official JSON.
Update to NSS 3.69.1
- Disable DTLS 1.0 and 1.1 by default
- integrity checks in key4.db not happening on private components with AES_CBC
NSS 3.69
- Disable DTLS 1.0 and 1.1 by default (backed out again)
- integrity checks in key4.db not happening on private components with AES_CBC (backed out again)
- SSL handling of signature algorithms ignores environmental invalid algorithms.
- sqlite 3.34 changed it's open semantics, causing nss failures.
- Gtest update changed the gtest reports, losing gtest details in all.sh reports.
- NSS incorrectly accepting 1536 bit DH primes in FIPS mode
- SQLite calls could timeout in starvation situations.
- Coverity/cpp scanner errors found in nss 3.67
- Import the NSS documentation from MDN in nss/doc.
- NSS using a tempdir to measure sql performance not active
- FIPS: scan LD_LIBRARY_PATH for external libraries to be checksummed.
- Run test suite at build time, and make it pass (bsc#1198486).
- Enable FIPS during test certificate creation and disables the library checksum
validation during same.
- FIPS: allow checksumming to be disabled, but only if we entered FIPS mode
due to NSS_FIPS being set, not if it came from /proc.
- FIPS: This makes the PBKDF known answer test compliant with NIST SP800-132.
- FIPS: update validation string to version-release format. (bsc#1192079).
- FIPS: remove XCBC MAC from list of FIPS approved algorithms.
- Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID
for build.
- FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080).
- FIPS: allow testing of unapproved algorithms (bsc#1192228).
- FIPS: adds FIPS version indicators. (bmo#1729550, bsc#1192086).
- FIPS: Add CSP clearing (bmo#1697303, bsc#1192087).
mozilla-nspr was updated to version 4.34:
* add an API that returns a preferred loopback IP on hosts that
have two IP stacks available.
update to 4.33:
* fixes to build system and export of private symbols
ModerateSUSE bug 1191546SUSE bug 1192079SUSE bug 1192080SUSE bug 1192086SUSE bug 1192087SUSE bug 1192228SUSE bug 1193170SUSE bug 1195040SUSE bug 1198486SUSE bug 1198980SUSE bug 1200325SUSE bug 1201298CVE-2021-43527 at SUSECVE-2021-43527 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for git (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for git fixes the following issues:
- CVE-2022-29187: Incomplete fix for CVE-2022-24765: potential command injection via git worktree (bsc#1201431).
- Allow to opt-out from the check added in the security fix for CVE-2022-24765 (bsc#1200119)
ImportantSUSE bug 1200119SUSE bug 1201431CVE-2022-29187 at SUSECVE-2022-29187 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_7_1-ibm fixes the following issues:
Update to Java 7.1 Service Refresh 5 Fix Pack 10 (bsc#1201643), including fixes for:
- CVE-2022-21476 (bsc#1198671), CVE-2022-21449 (bsc#1198670),
CVE-2022-21496 (bsc#1198673), CVE-2022-21434 (bsc#1198674),
CVE-2022-21426 (bsc#1198672), CVE-2022-21443 (bsc#1198675),
CVE-2021-35561 (bsc#1191912), CVE-2022-21299 (bsc#1194931).
ImportantSUSE bug 1191912SUSE bug 1194931SUSE bug 1198670SUSE bug 1198671SUSE bug 1198672SUSE bug 1198673SUSE bug 1198674SUSE bug 1198675SUSE bug 1201643CVE-2021-35561 at SUSECVE-2021-35561 at NVDCVE-2022-21299 at SUSECVE-2022-21299 at NVDCVE-2022-21426 at SUSECVE-2022-21426 at NVDCVE-2022-21434 at SUSECVE-2022-21434 at NVDCVE-2022-21443 at SUSECVE-2022-21443 at NVDCVE-2022-21449 at SUSECVE-2022-21449 at NVDCVE-2022-21476 at SUSECVE-2022-21476 at NVDCVE-2022-21496 at SUSECVE-2022-21496 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-ibm fixes the following issues:
Update to Java 8.0 Service Refresh 7 Fix Pack 10 (bsc#1201643), including fixes for:
- CVE-2022-21476 (bsc#1198671), CVE-2022-21449 (bsc#1198670),
CVE-2022-21496 (bsc#1198673), CVE-2022-21434 (bsc#1198674),
CVE-2022-21426 (bsc#1198672), CVE-2022-21443 (bsc#1198675),
CVE-2021-35561 (bsc#1191912), CVE-2022-21299 (bsc#1194931).
ImportantSUSE bug 1191912SUSE bug 1194931SUSE bug 1198670SUSE bug 1198671SUSE bug 1198672SUSE bug 1198673SUSE bug 1198674SUSE bug 1198675SUSE bug 1201643CVE-2021-35561 at SUSECVE-2021-35561 at NVDCVE-2022-21299 at SUSECVE-2022-21299 at NVDCVE-2022-21426 at SUSECVE-2022-21426 at NVDCVE-2022-21434 at SUSECVE-2022-21434 at NVDCVE-2022-21443 at SUSECVE-2022-21443 at NVDCVE-2022-21449 at SUSECVE-2022-21449 at NVDCVE-2022-21476 at SUSECVE-2022-21476 at NVDCVE-2022-21496 at SUSECVE-2022-21496 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for pcre2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for pcre2 fixes the following issues:
- CVE-2022-1587: Fixed out-of-bounds read due to bug in recursions (bsc#1199235).
ImportantSUSE bug 1199235CVE-2022-1587 at SUSECVE-2022-1587 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for xen (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
- CVE-2022-26363, CVE-2022-26364: Fixed insufficient care with non-coherent mappings (XSA-402) (bsc#1199966).
- CVE-2022-21123, CVE-2022-21125, CVE-2022-21166: Fixed MMIO stale data vulnerabilities on x86 (XSA-404) (bsc#1200549).
- CVE-2022-26362: Fixed a race condition in typeref acquisition (XSA-401) (bsc#1199965).
- CVE-2022-33745: Fixed insufficient TLB flush for x86 PV guests in shadow mode (XSA-408) (bsc#1201394).
- CVE-2022-23816, CVE-2022-23825, CVE-2022-29900: Fixed RETBLEED vulnerability, arbitrary speculative code execution with return instructions (XSA-407) (bsc#1201469).
ImportantSUSE bug 1199965SUSE bug 1199966SUSE bug 1200549SUSE bug 1201394SUSE bug 1201469CVE-2022-21123 at SUSECVE-2022-21123 at NVDCVE-2022-21125 at SUSECVE-2022-21125 at NVDCVE-2022-21166 at SUSECVE-2022-21166 at NVDCVE-2022-23816 at SUSECVE-2022-23816 at NVDCVE-2022-23825 at SUSECVE-2022-23825 at NVDCVE-2022-26362 at SUSECVE-2022-26362 at NVDCVE-2022-26363 at SUSECVE-2022-26363 at NVDCVE-2022-26364 at SUSECVE-2022-26364 at NVDCVE-2022-29900 at SUSECVE-2022-29900 at NVDCVE-2022-33745 at SUSECVE-2022-33745 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for crash (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATA
This update of crash fixes the following issue:
- rebuild with new secure boot key due to grub2 boothole 3 issues (bsc#1198581)
ImportantSUSE bug 1198581cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for samba (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for samba fixes the following issues:
- CVE-2022-32742: Fixed incorrect length check in SMB1write, SMB1write_and_close, SMB1write_and_unlock (bsc#1201496).
ModerateSUSE bug 1201496CVE-2022-32742 at SUSECVE-2022-32742 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.12.0 ESR (bsc#1201758):
- CVE-2022-36319: Mouse Position spoofing with CSS transforms
- CVE-2022-36318: Directory indexes for bundled resources reflected URL parameters
ImportantSUSE bug 1201758CVE-2022-36318 at SUSECVE-2022-36318 at NVDCVE-2022-36319 at SUSECVE-2022-36319 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for dovecot22 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for dovecot22 fixes the following issues:
- CVE-2022-30550: Fixed privilege escalation in dovecot when similar master and non-master passdbs are used (bsc#1201267).
ImportantSUSE bug 1201267CVE-2022-30550 at SUSECVE-2022-30550 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for xscreensaver (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xscreensaver fixes the following issues:
- CVE-2021-34557: Fixed potential crash and unlock while disconnecting video output with more than 10 monitors (bsc#1186918)
ModerateSUSE bug 1186918CVE-2021-34557 at SUSECVE-2021-34557 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python-numpy (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-numpy fixes the following issues:
- CVE-2021-41495: Fixed Null Pointer Dereference in numpy.sort (bsc#1193911).
ModerateSUSE bug 1193911CVE-2021-41495 at SUSECVE-2021-41495 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tiff (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tiff fixes the following issues:
- CVE-2022-2056: Fixed a division by zero denial of service (bsc#1201176).
- CVE-2022-2057: Fixed a division by zero denial of service (bsc#1201175).
- CVE-2022-2058: Fixed a division by zero denial of service (bsc#1201174).
LowSUSE bug 1201174SUSE bug 1201175SUSE bug 1201176CVE-2022-2056 at SUSECVE-2022-2056 at NVDCVE-2022-2057 at SUSECVE-2022-2057 at NVDCVE-2022-2058 at SUSECVE-2022-2058 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for qpdf (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for qpdf fixes the following issues:
- CVE-2022-34503: Fixed a heap buffer overflow via the function QPDF::processXRefStream (bsc#1201830).
- CVE-2021-36978: Fixed heap-based buffer overflow in Pl_ASCII85Decoder::write (bsc#1188514).
ImportantSUSE bug 1188514SUSE bug 1201830CVE-2021-36978 at SUSECVE-2021-36978 at NVDCVE-2022-34503 at SUSECVE-2022-34503 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for wavpack (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for wavpack fixes the following issues:
- CVE-2022-2476: Fixed a Null pointer dereference in wvunpack (bsc#1201716).
LowSUSE bug 1201716CVE-2022-2476 at SUSECVE-2022-2476 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for dpkg (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for dpkg fixes the following issues:
- CVE-2022-1664: Fixed directory traversal vulnerability in Dpkg::Source::Archive (bsc#1199944).
LowSUSE bug 1199944CVE-2022-1664 at SUSECVE-2022-1664 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for samba (Critical)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for samba fixes the following issues:
- CVE-2021-44142: Fixed out-of-Bound Read/Write on Samba vfs_fruit module. (bsc#1194859)
CriticalSUSE bug 1194859CVE-2021-44142 at SUSECVE-2021-44142 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for mokutil (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mokutil fixes the following issues:
- Adds SBAT revocation support to mokutil. (bsc#1198458)
New options added (see manpage):
- mokutil --sbat
List all entries in SBAT.
- mokutil --set-sbat-policy (latest | previous | delete)
To set the SBAT acceptance policy.
- mokutil --list-sbat-revocations
To list the current SBAT revocations.
ModerateSUSE bug 1198458cpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for ncurses (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ncurses fixes the following issues:
- CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627).
ModerateSUSE bug 1198627CVE-2022-29458 at SUSECVE-2022-29458 at NVDcpe:/o:suse:sles_teradata:12:sp3Recommended update for python36 (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python36 fixes the following issues:
- Rename patch to unify it with other packages.
- Skip failing tests on s390x.
LowCVE-2022-25236 at SUSECVE-2022-25236 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for open-iscsi (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for open-iscsi fixes the following issues:
Fixed various vulnerabilities in the embedded TCP/IP stack (bsc#1179908):
- CVE-2020-13987: Fixed an out of bounds memory access when
calculating the checksums for IP packets.
- CVE-2020-13988: Fixed an integer overflow when parsing TCP MSS
options of IPv4 network packets.
- CVE-2020-17437: Fixed an out of bounds memory access when the TCP
urgent flag is set.
ImportantSUSE bug 1179908CVE-2020-13987 at SUSECVE-2020-13987 at NVDCVE-2020-13988 at SUSECVE-2020-13988 at NVDCVE-2020-17437 at SUSECVE-2020-17437 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-openjdk fixes the following issues:
- Updated to version jdk8u345 (icedtea-3.24.0)
- CVE-2022-21540: Fixed a potential Java sandbox bypass (bsc#1201694).
- CVE-2022-21541: Fixed a potential Java sandbox bypass (bsc#1201692).
- CVE-2022-34169: Fixed an issue where arbitrary bytecode could
be executed via a malicious stylesheet (bsc#1201684).
- Non-security fixes:
- Allowed for customization of PKCS12 keystores (bsc#1195163).
ImportantSUSE bug 1195163SUSE bug 1201684SUSE bug 1201692SUSE bug 1201694CVE-2022-21540 at SUSECVE-2022-21540 at NVDCVE-2022-21541 at SUSECVE-2022-21541 at NVDCVE-2022-34169 at SUSECVE-2022-34169 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for ucode-intel (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ucode-intel fixes the following issues:
Updated to Intel CPU Microcode 20220809 release (bsc#1201727):
- CVE-2022-21233: Fixed an issue where stale data may have been leaked from the legacy xAPIC MMIO region, which could be used to compromise an SGX enclave (INTEL-SA-00657).
See also: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00657.html
Other fixes:
- Update for functional issues.
See also: https://www.intel.com/content/www/us/en/processors/xeon/scalable/xeon-scalable-spec-update.html?wapkw=processor+specification+update
- Updated Platforms:
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| SKX-SP | B1 | 06-55-03/97 | 0100015d | 0100015e | Xeon Scalable
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006d05 | 02006e05 | Xeon Scalable
| SKX-D | M1 | 06-55-04/b7 | 02006d05 | 02006e05 | Xeon D-21xx
| ICX-SP | D0 | 06-6a-06/87 | 0d000363 | 0d000375 | Xeon Scalable Gen3
| GLK | B0 | 06-7a-01/01 | 0000003a | 0000003c | Pentium Silver N/J5xxx, Celeron N/J4xxx
| GLK-R | R0 | 06-7a-08/01 | 0000001e | 00000020 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| ICL-U/Y | D1 | 06-7e-05/80 | 000000b0 | 000000b2 | Core Gen10 Mobile
| TGL-R | C0 | 06-8c-02/c2 | 00000026 | 00000028 | Core Gen11 Mobile
| TGL-H | R0 | 06-8d-01/c2 | 0000003e | 00000040 | Core Gen11 Mobile
| RKL-S | B0 | 06-a7-01/02 | 00000053 | 00000054 | Core Gen11
| ADL | C0 | 06-97-02/03 | 0000001f | 00000022 | Core Gen12
| ADL | C0 | 06-97-05/03 | 0000001f | 00000022 | Core Gen12
| ADL | L0 | 06-9a-03/80 | 0000041c | 00000421 | Core Gen12
| ADL | L0 | 06-9a-04/80 | 0000041c | 00000421 | Core Gen12
| ADL | C0 | 06-bf-02/03 | 0000001f | 00000022 | Core Gen12
| ADL | C0 | 06-bf-05/03 | 0000001f | 00000022 | Core Gen12
------------------------------------------------------------------
ModerateSUSE bug 1201727CVE-2022-21233 at SUSECVE-2022-21233 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for zlib (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for zlib fixes the following issues:
- CVE-2022-37434: Fixed heap-based buffer over-read or buffer overflow via large gzip header extra field (bsc#1202175).
ImportantSUSE bug 1202175CVE-2022-37434 at SUSECVE-2022-37434 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for rsync (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for rsync fixes the following issues:
- CVE-2022-29154: Fixed an arbitrary file write issue that could be
triggered by a malicious remote server (bsc#1201840).
ImportantSUSE bug 1201840CVE-2022-29154 at SUSECVE-2022-29154 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for perl-HTTP-Daemon (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for perl-HTTP-Daemon fixes the following issues:
- CVE-2022-31081: Fixed request smuggling in HTTP::Daemon (bsc#1201157).
ModerateSUSE bug 1201157CVE-2022-31081 at SUSECVE-2022-31081 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for glibc (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for glibc fixes the following issues:
Security issues fixed:
- CVE-2015-5180: Fix crash with internal QTYPE in resolv (bsc#941234, BZ #18784)
- CVE-2016-10228: Rewrite iconv option parsing (bsc#1027496, BZ #19519)
- CVE-2019-25013: Fix buffer overrun in EUC-KR conversion module (bsc#1182117, BZ #24973)
- CVE-2020-27618: Accept redundant shift sequences in IBM1364 iconv module (bsc#1178386, BZ #26224)
- CVE-2020-29562: Fix incorrect UCS4 inner loop bounds in iconv (bsc#1179694, BZ #26923)
- CVE-2020-29573: Hardened printf against non-normal long double values (bsc#1179721, BZ #26649)
- CVE-2021-3326: Fix assertion failure in ISO-2022-JP-3 gconv module (bsc#1181505, BZ #27256)
- Recognize ppc64p7 arch to build for power7
ImportantSUSE bug 1027496SUSE bug 1178386SUSE bug 1179694SUSE bug 1179721SUSE bug 1181505SUSE bug 1182117SUSE bug 941234CVE-2015-5180 at SUSECVE-2015-5180 at NVDCVE-2016-10228 at SUSECVE-2016-10228 at NVDCVE-2019-25013 at SUSECVE-2019-25013 at NVDCVE-2020-27618 at SUSECVE-2020-27618 at NVDCVE-2020-29562 at SUSECVE-2020-29562 at NVDCVE-2020-29573 at SUSECVE-2020-29573 at NVDCVE-2021-3326 at SUSECVE-2021-3326 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for raptor (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for raptor fixes the following issues:
- CVE-2020-25713: Fixed an out of bounds access triggered via a
malformed input file (bsc#1178903).
ModerateSUSE bug 1178903CVE-2020-25713 at SUSECVE-2020-25713 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_7_1-ibm (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_7_1-ibm fixes the following issues:
- Updated to Java 7.1 Service Refresh 5 Fix Pack 15 (bsc#1202427):
- CVE-2022-34169: Fixed an integer truncation issue in the Xalan
Java XSLT library that occurred when processing malicious
stylesheets (bsc#1201684).
- CVE-2022-21549: Fixed an issue that could lead to computing
negative random exponentials (bsc#1201685).
- CVE-2022-21541: Fixed a potential bypass of sandbox restrictions
in the Hotspot component (bsc#1201692).
- CVE-2022-21540: Fixed a potential bypass of sandbox restrictions
in the Hotspot component (bsc#1201694).
ImportantSUSE bug 1201684SUSE bug 1201685SUSE bug 1201692SUSE bug 1201694SUSE bug 1202427CVE-2022-21540 at SUSECVE-2022-21540 at NVDCVE-2022-21541 at SUSECVE-2022-21541 at NVDCVE-2022-21549 at SUSECVE-2022-21549 at NVDCVE-2022-34169 at SUSECVE-2022-34169 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 7 Fix Pack 11 (bsc#1202427):
- CVE-2022-34169: Fixed an integer truncation issue in the Xalan
Java XSLT library that occurred when processing malicious
stylesheets (bsc#1201684).
- CVE-2022-21549: Fixed an issue that could lead to computing
negative random exponentials (bsc#1201685).
- CVE-2022-21541: Fixed a potential bypass of sandbox restrictions
in the Hotspot component (bsc#1201692).
- CVE-2022-21540: Fixed a potential bypass of sandbox restrictions
in the Hotspot component (bsc#1201694).
ImportantSUSE bug 1201684SUSE bug 1201685SUSE bug 1201692SUSE bug 1201694SUSE bug 1202427CVE-2022-21540 at SUSECVE-2022-21540 at NVDCVE-2022-21541 at SUSECVE-2022-21541 at NVDCVE-2022-21549 at SUSECVE-2022-21549 at NVDCVE-2022-34169 at SUSECVE-2022-34169 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for bluez (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for bluez fixes the following issues:
- CVE-2019-8922: Fixed a buffer overflow in the implementation of the
Service Discovery Protocol (bsc#1193227).
ImportantSUSE bug 1193227CVE-2019-8922 at SUSECVE-2019-8922 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libcroco (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libcroco fixes the following issues:
- CVE-2020-12825: Fixed an uncontrolled recursion issue (bsc#1171685).
ImportantSUSE bug 1171685CVE-2020-12825 at SUSECVE-2020-12825 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for gstreamer-plugins-good (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gstreamer-plugins-good fixes the following issues:
- CVE-2022-1920: Fixed integer overflow in WavPack header handling code (bsc#1201688).
- CVE-2022-1921: Fixed integer overflow resulting in heap corruption in avidemux element (bsc#1201693).
- CVE-2022-1922: Fixed integer overflows in mkv demuxing (bsc#1201702).
- CVE-2022-1923: Fixed integer overflows in mkv demuxing using bzip (bsc#1201704).
- CVE-2022-1924: Fixed integer overflows in mkv demuxing using lzo (bsc#1201706).
- CVE-2022-1925: Fixed integer overflows in mkv demuxing using HEADERSTRIP (bsc#1201707).
- CVE-2022-2122: Fixed integer overflows in qtdemux using zlib (bsc#1201708).
ImportantSUSE bug 1201688SUSE bug 1201693SUSE bug 1201702SUSE bug 1201704SUSE bug 1201706SUSE bug 1201707SUSE bug 1201708CVE-2022-1920 at SUSECVE-2022-1920 at NVDCVE-2022-1921 at SUSECVE-2022-1921 at NVDCVE-2022-1922 at SUSECVE-2022-1922 at NVDCVE-2022-1923 at SUSECVE-2022-1923 at NVDCVE-2022-1924 at SUSECVE-2022-1924 at NVDCVE-2022-1925 at SUSECVE-2022-1925 at NVDCVE-2022-2122 at SUSECVE-2022-2122 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for postgresql13 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql13 fixes the following issues:
- Update to 13.8:
- CVE-2022-2625: Fixed an issue where extension scripts would replace objects not belonging to that extension (bsc#1202368).
ImportantSUSE bug 1198166SUSE bug 1202368CVE-2022-2625 at SUSECVE-2022-2625 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql10 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql10 fixes the following issues:
- Upgrade to 10.22:
- CVE-2022-2625: Fixed an issue where extension scripts would replace objects not belonging to that extension (bsc#1202368).
ImportantSUSE bug 1202368CVE-2022-2625 at SUSECVE-2022-2625 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
- Update to version 2.36.5 (bsc#1201980):
- Add support for PAC proxy in the WebDriver implementation.
- Fix video playback when loaded through custom URIs, this fixes
video playback in the Yelp documentation browser.
- Fix WebKitWebView::context-menu when using GTK4.
- Fix LTO builds with GCC.
- Fix several crashes and rendering issues.
- Security fixes:
- CVE-2022-32792: Fixed processing maliciously crafted web content may lead to
arbitrary code execution.
- CVE-2022-32816: Fixed visiting a website that frames malicious content may lead to
UI spoofing.
ImportantSUSE bug 1201980CVE-2022-32792 at SUSECVE-2022-32792 at NVDCVE-2022-32816 at SUSECVE-2022-32816 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for open-vm-tools (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for open-vm-tools fixes the following issues:
- CVE-2022-31676: Fixed an issue that could allow unprivileged users
inside a virtual machine to escalate privileges (bsc#1202657).
ImportantSUSE bug 1202657CVE-2022-31676 at SUSECVE-2022-31676 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for net-snmp (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for net-snmp fixes the following issues:
- CVE-2020-15862: Make extended MIB read-only (bsc#1174961)
ImportantSUSE bug 1100146SUSE bug 1145864SUSE bug 1152968SUSE bug 1174961SUSE bug 1178021SUSE bug 1178351SUSE bug 1179009SUSE bug 1179699SUSE bug 1184839CVE-2020-15862 at SUSECVE-2020-15862 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for json-c (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for json-c fixes the following issues:
- CVE-2020-12762: Fixed an integer overflow that could lead to memory
corruption via a large JSON file (bsc#1171479).
Non-security fixes:
- Updated to version 0.12.1 (jsc#PED-1778).
ImportantSUSE bug 1171479CVE-2020-12762 at SUSECVE-2020-12762 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.13.0 ESR (bsc#1202645):
- CVE-2022-38472: Fixed a potential address bar spoofing via XSLT error handling.
- CVE-2022-38473: Fixed an issue where cross-origin XSLT documents could inherit the parent's permissions.
- CVE-2022-38478: Fixed various memory safety issues.
ImportantSUSE bug 1202645CVE-2022-38472 at SUSECVE-2022-38472 at NVDCVE-2022-38473 at SUSECVE-2022-38473 at NVDCVE-2022-38478 at SUSECVE-2022-38478 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libgda (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libgda fixes the following issues:
- CVE-2021-39359: Enabled TLS certificate verification (bsc#1189849).
ImportantSUSE bug 1189849CVE-2021-39359 at SUSECVE-2021-39359 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for zabbix (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for zabbix fixes the following issues:
- CVE-2022-35230: Javascript embedded in links for graphs page will be executed (bsc#1201290).
ModerateSUSE bug 1201290CVE-2022-35230 at SUSECVE-2022-35230 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
- Updated to version 2.36.7 (bsc#1202807):
- CVE-2022-32893: Fixed an issue that would be triggered when
processing malicious web content and that could lead to arbitrary
code execution.
- Fixed several crashes and rendering issues.
- Updated to version 2.36.6:
- Fixed handling of touchpad scrolling on GTK4 builds
- Fixed WebKitGTK not allowing to be used from non-main threads
(bsc#1202169).
- Fixed several crashes and rendering issues
ImportantSUSE bug 1202169SUSE bug 1202807CVE-2022-32893 at SUSECVE-2022-32893 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ImageMagick fixes the following issues:
- CVE-2021-20224: Fixed an integer overflow that could be triggered
via a crafted file (bsc#1202800).
ModerateSUSE bug 1202800CVE-2021-20224 at SUSECVE-2021-20224 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for clamav (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for clamav fixes the following issues:
clamav was updated to 0.103.7 (bsc#1202986)
* Upgrade the vendored UnRAR library to version 6.1.7.
* Fix logical signature 'Intermediates' feature.
* Relax constraints on slightly malformed zip archives that
contain overlapping file entries.
ImportantSUSE bug 1202986cpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for icu (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for icu fixes the following issues:
- CVE-2020-21913: Fixed a memory safety issue that could lead to use
after free (bsc#1193951).
ModerateSUSE bug 1193951CVE-2020-21913 at SUSECVE-2020-21913 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-ibm fixes the following issues:
Note: the issues listed below were NOT fixed with the previous update (8.0-7.11).
- Update to Java 8.0 Service Refresh 7 Fix Pack 15 (bsc#1202427):
- CVE-2022-34169: Fixed an integer truncation issue in the Xalan
Java XSLT library that occurred when processing malicious
stylesheets (bsc#1201684).
- CVE-2022-21549: Fixed an issue that could lead to computing
negative random exponentials (bsc#1201685).
- CVE-2022-21541: Fixed a potential bypass of sandbox restrictions
in the Hotspot component (bsc#1201692).
- CVE-2022-21540: Fixed a potential bypass of sandbox restrictions
in the Hotspot component (bsc#1201694)..
ImportantSUSE bug 1201684SUSE bug 1201685SUSE bug 1201692SUSE bug 1201694SUSE bug 1202427CVE-2022-21540 at SUSECVE-2022-21540 at NVDCVE-2022-21541 at SUSECVE-2022-21541 at NVDCVE-2022-21549 at SUSECVE-2022-21549 at NVDCVE-2022-34169 at SUSECVE-2022-34169 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for udisks2 (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for udisks2 fixes the following issues:
- CVE-2021-3802: Fixed insecure defaults in user-accessible mount helpers (bsc#1190606).
- Fixed vulnerability that allowed mounting ext4 devices over existing entries in fstab (bsc#1098797).
ModerateSUSE bug 1098797SUSE bug 1190606CVE-2021-3802 at SUSECVE-2021-3802 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for postgresql12 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql12 fixes the following issues:
- Update to 12.12:
- CVE-2022-2625: Fixed an issue where extension scripts would replace objects not belonging to that extension (bsc#1202368).
ImportantSUSE bug 1198166SUSE bug 1202368CVE-2022-2625 at SUSECVE-2022-2625 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libnl-1_1 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libnl-1_1 fixes the following issues:
- CVE-2017-0386: Fixed an issue that could enable a local malicious
application to execute arbitrary code within the context of a
different process. This only affects setups were libnl is passed
untrusted arguments. (bsc#1020123)
ModerateSUSE bug 1020123CVE-2017-0386 at SUSECVE-2017-0386 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libnl3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libnl3 fixes the following issues:
- CVE-2017-0386: Fixed an issue that could enable a local malicious
application to execute arbitrary code within the context of a
different process. This only affects setups were libnl is passed
untrusted arguments. (bsc#1020123)
ModerateSUSE bug 1020123CVE-2017-0386 at SUSECVE-2017-0386 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql14 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql14 fixes the following issues:
- Upgrade to version 14.5:
- CVE-2022-2625: Fixed an issue where extension scripts would replace objects not belonging to that extension (bsc#1202368).
- Upgrade to version 14.4 (bsc#1200437)
- Release notes: https://www.postgresql.org/docs/release/14.4/
- Release announcement: https://www.postgresql.org/about/news/p-2470/
- Prevent possible corruption of indexes created or rebuilt with the CONCURRENTLY option (bsc#1200437)
- Pin to llvm13 until the next patchlevel update (bsc#1198166)
ImportantSUSE bug 1198166SUSE bug 1200437SUSE bug 1202368CVE-2022-2625 at SUSECVE-2022-2625 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Mozilla Firefox was updated to 102.2.0esr ESR:
* Fixed: Various stability, functionality, and security fixes.
- MFSA 2022-34 (bsc#1202645)
* CVE-2022-38472 (bmo#1769155)
Address bar spoofing via XSLT error handling
* CVE-2022-38473 (bmo#1771685)
Cross-origin XSLT Documents would have inherited the parent's
permissions
* CVE-2022-38476 (bmo#1760998)
Data race and potential use-after-free in PK11_ChangePW
* CVE-2022-38477 (bmo#1760611, bmo#1770219, bmo#1771159,
bmo#1773363)
Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2
* CVE-2022-38478 (bmo#1770630, bmo#1776658)
Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2,
and Firefox ESR 91.13
Firefox Extended Support Release 102.1 ESR
* Fixed: Various stability, functionality, and security fixes.
- MFSA 2022-30 (bsc#1201758)
* CVE-2022-36319 (bmo#1737722)
Mouse Position spoofing with CSS transforms
* CVE-2022-36318 (bmo#1771774)
Directory indexes for bundled resources reflected URL
parameters
* CVE-2022-36314 (bmo#1773894)
Opening local <code>.lnk</code> files could cause unexpected
network loads
* CVE-2022-2505 (bmo#1769739, bmo#1772824)
Memory safety bugs fixed in Firefox 103 and 102.1
- Firefox Extended Support Release 102.0.1 ESR
* Fixed: Fixed bookmark shortcut creation by dragging to
Windows File Explorer and dropping partially broken
(bmo#1774683)
* Fixed: Fixed bookmarks sidebar flashing white when opened in
dark mode (bmo#1776157)
* Fixed: Fixed multilingual spell checking not working with
content in both English and a non-Latin alphabet
(bmo#1773802)
* Fixed: Developer tools: Fixed an issue where the console
output keep getting scrolled to the bottom when the last
visible message is an evaluation result (bmo#1776262)
* Fixed: Fixed *Delete cookies and site data when Firefox is
closed* checkbox getting disabled on startup (bmo#1777419)
* Fixed: Various stability fixes
Firefox 102.0 ESR:
* New:
- We now provide more secure connections: Firefox can
now automatically upgrade to HTTPS using HTTPS RR as Alt-Svc
headers.
- For added viewing pleasure, full-range color levels are now
supported for video playback on many systems.
- Find it easier now! Mac users can now access the macOS
share options from the Firefox File menu.
- Voil?! Support for images containing ICC v4 profiles is
enabled on macOS.
- Firefox now supports the new AVIF image format, which is
based on the modern and royalty-free AV1 video codec. It
offers significant bandwidth savings for sites compared to
existing image formats. It also supports transparency and
other advanced features.
- Firefox PDF viewer now supports filling more forms (e.g.,
XFA-based forms, used by multiple governments and banks).
Learn more.
- When available system memory is critically low, Firefox on
Windows will automatically unload tabs based on their last
access time, memory usage, and other attributes. This helps
to reduce Firefox out-of-memory crashes. Forgot something?
Switching to an unloaded tab automatically reloads it.
- To prevent session loss for macOS users who are running
Firefox from a mounted .dmg file, they’ll now be prompted to
finish installation. Bear in mind, this permission prompt
only appears the first time these users run Firefox on their
computer.
- For your safety, Firefox now blocks downloads that rely on
insecure connections, protecting against potentially
malicious or unsafe downloads. Learn more and see where to
find downloads in Firefox.
- Improved web compatibility for privacy protections with
SmartBlock 3.0: In Private Browsing and Strict Tracking
Protection, Firefox goes to great lengths to protect your web
browsing activity from trackers. As part of this, the built-
in content blocking will automatically block third-party
scripts, images, and other content from being loaded from
cross-site tracking companies reported by Disconnect. Learn
more.
- Introducing a new referrer tracking protection in Strict
Tracking Protection and Private Browsing. This feature
prevents sites from unknowingly leaking private information
to trackers. Learn more.
- Introducing Firefox Suggest, a feature that provides
website suggestions as you type into the address bar. Learn
more about this faster way to navigate the web and locale-
specific features.
- Firefox macOS now uses Apple's low-power mode for
fullscreen video on sites such as YouTube and Twitch. This
meaningfully extends battery life in long viewing sessions.
Now your kids can find out what the fox says on a loop
without you ever missing a beat…
- With this release, power users can use about:unloads to
release system resources by manually unloading tabs without
closing them.
- On Windows, there will now be fewer interruptions because
Firefox won’t prompt you for updates. Instead, a background
agent will download and install updates even if Firefox is
closed.
- On Linux, we’ve improved WebGL performance and reduced
power consumption for many users.
- To better protect all Firefox users against side-channel
attacks, such as Spectre, we introduced Site Isolation.
- Firefox no longer warns you by default when you exit the
browser or close a window using a menu, button, or three-key
command. This should cut back on unwelcome notifications,
which is always nice—however, if you prefer a bit of notice,
you’ll still have full control over the quit/close modal
behavior. All warnings can be managed within Firefox
Settings. No worries! More details here.
- Firefox supports the new Snap Layouts menus when running on
Windows 11.
- RLBox—a new technology that hardens Firefox against
potential security vulnerabilities in third-party
libraries—is now enabled on all platforms.
- We’ve reduced CPU usage on macOS in Firefox and
WindowServer during event processing.
- We’ve also reduced the power usage of software decoded
video on macOS, especially in fullscreen. This includes
streaming sites such as Netflix and Amazon Prime Video.
- You can now move the Picture-in-Picture toggle button to
the opposite side of the video. Simply look for the new
context menu option Move Picture-in-Picture Toggle to Left
(Right) Side.
- We’ve made significant improvements in noise suppression
and auto-gain-control, as well as slight improvements in
echo-cancellation to provide you with a better overall
experience.
- We’ve also significantly reduced main-thread load.
- When printing, you can now choose to print only the
odd/even pages.
- Firefox now supports and displays the new style of
scrollbars on Windows 11.
- Firefox has a new optimized download flow. Instead of
prompting every time, files will download automatically.
However, they can still be opened from the downloads panel
with just one click. Easy! More information
- Firefox no longer asks what to do for each file by default.
You won’t be prompted to choose a helper application or save
to disk before downloading a file unless you have changed
your download action setting for that type of file.
- Any files you download will be immediately saved on your
disk. Depending on the current configuration, they’ll be
saved in your preferred download folder, or you’ll be asked
to select a location for each download. Windows and Linux
users will find their downloaded files in the destination
folder. They’ll no longer be put in the Temp folder.
- Firefox allows users to choose from a number of built-in
search engines to set as their default. In this release, some
users who had previously configured a default engine might
notice their default search engine has changed since Mozilla
was unable to secure formal permission to continue including
certain search engines in Firefox.
- You can now toggle Narrate in ReaderMode with the keyboard
shortcut 'n.'
- You can find added support for search—with or without
diacritics—in the PDF viewer.
- The Linux sandbox has been strengthened: processes exposed
to web content no longer have access to the X Window system
(X11).
- Firefox now supports credit card autofill and capture in
Germany, France, and the United Kingdom.
- We now support captions/subtitles display on YouTube, Prime
Video, and Netflix videos you watch in Picture-in-Picture.
Just turn on the subtitles on the in-page video player, and
they will appear in PiP.
- Picture-in-Picture now also supports video captions on
websites that use Web Video Text Track (WebVTT) format (e.g.,
Coursera.org, Canadian Broadcasting Corporation, and many
more).
- On the first run after install, Firefox detects when its
language does not match the operating system language and
offers the user a choice between the two languages.
- Firefox spell checking now checks spelling in multiple
languages. To enable additional languages, select them in the
text field’s context menu.
- HDR video is now supported in Firefox on Mac—starting with
YouTube! Firefox users on macOS 11+ (with HDR-compatible
screens) can enjoy higher-fidelity video content. No need to
manually flip any preferences to turn HDR video support
on—just make sure battery preferences are NOT set to
“optimize video streaming while on battery”.
- Hardware-accelerated AV1 video decoding is enabled on
Windows with supported GPUs (Intel Gen 11+, AMD RDNA 2
Excluding Navi 24, GeForce 30). Installing the AV1 Video
Extension from the Microsoft Store may also be required.
- Video overlay is enabled on Windows for Intel GPUs,
reducing power usage during video playback.
- Improved fairness between painting and handling other
events. This noticeably improves the performance of the
volume slider on Twitch.
- Scrollbars on Linux and Windows 11 won't take space by
default. On Linux, users can change this in Settings. On
Windows, Firefox follows the system setting (System Settings
> Accessibility > Visual Effects > Always show scrollbars).
- Firefox now ignores less restricted referrer
policies—including unsafe-url, no-referrer-when-downgrade,
and origin-when-cross-origin—for cross-site
subresource/iframe requests to prevent privacy leaks from the
referrer.
- Reading is now easier with the prefers-contrast media
query, which allows sites to detect if the user has requested
that web content is presented with a higher (or lower)
contrast.
- All non-configured MIME types can now be assigned a custom
action upon download completion.
- Firefox now allows users to use as many microphones as they
want, at the same time, during video conferencing. The most
exciting benefit is that you can easily switch your
microphones at any time (if your conferencing service
provider enables this flexibility).
- Print preview has been updated.
* Fixed: Various security fixes.
- MFSA 2022-24 (bsc#1200793)
* CVE-2022-34479 (bmo#1745595)
A popup window could be resized in a way to overlay the
address bar with web content
* CVE-2022-34470 (bmo#1765951)
Use-after-free in nsSHistory
* CVE-2022-34468 (bmo#1768537)
CSP sandbox header without `allow-scripts` can be bypassed
via retargeted javascript: URI
* CVE-2022-34482 (bmo#845880)
Drag and drop of malicious image could have led to malicious
executable and potential code execution
* CVE-2022-34483 (bmo#1335845)
Drag and drop of malicious image could have led to malicious
executable and potential code execution
* CVE-2022-34476 (bmo#1387919)
ASN.1 parser could have been tricked into accepting malformed
ASN.1
* CVE-2022-34481 (bmo#1483699, bmo#1497246)
Potential integer overflow in ReplaceElementsAt
* CVE-2022-34474 (bmo#1677138)
Sandboxed iframes could redirect to external schemes
* CVE-2022-34469 (bmo#1721220)
TLS certificate errors on HSTS-protected domains could be
bypassed by the user on Firefox for Android
* CVE-2022-34471 (bmo#1766047)
Compromised server could trick a browser into an addon
downgrade
* CVE-2022-34472 (bmo#1770123)
Unavailable PAC file resulted in OCSP requests being blocked
* CVE-2022-34478 (bmo#1773717)
Microsoft protocols can be attacked if a user accepts a
prompt
* CVE-2022-2200 (bmo#1771381)
Undesired attributes could be set as part of prototype
pollution
* CVE-2022-34480 (bmo#1454072)
Free of uninitialized pointer in lg_init
* CVE-2022-34477 (bmo#1731614)
MediaError message property leaked information on cross-
origin same-site pages
* CVE-2022-34475 (bmo#1757210)
HTML Sanitizer could have been bypassed via same-origin
script via use tags
* CVE-2022-34473 (bmo#1770888)
HTML Sanitizer could have been bypassed via use tags
* CVE-2022-34484 (bmo#1763634, bmo#1772651)
Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11
* CVE-2022-34485 (bmo#1768409, bmo#1768578)
Memory safety bugs fixed in Firefox 102
ImportantSUSE bug 1200793SUSE bug 1201758SUSE bug 1202645CVE-2022-2200 at SUSECVE-2022-2200 at NVDCVE-2022-2505 at SUSECVE-2022-2505 at NVDCVE-2022-34468 at SUSECVE-2022-34468 at NVDCVE-2022-34469 at SUSECVE-2022-34469 at NVDCVE-2022-34470 at SUSECVE-2022-34470 at NVDCVE-2022-34471 at SUSECVE-2022-34471 at NVDCVE-2022-34472 at SUSECVE-2022-34472 at NVDCVE-2022-34473 at SUSECVE-2022-34473 at NVDCVE-2022-34474 at SUSECVE-2022-34474 at NVDCVE-2022-34475 at SUSECVE-2022-34475 at NVDCVE-2022-34476 at SUSECVE-2022-34476 at NVDCVE-2022-34477 at SUSECVE-2022-34477 at NVDCVE-2022-34478 at SUSECVE-2022-34478 at NVDCVE-2022-34479 at SUSECVE-2022-34479 at NVDCVE-2022-34480 at SUSECVE-2022-34480 at NVDCVE-2022-34481 at SUSECVE-2022-34481 at NVDCVE-2022-34482 at SUSECVE-2022-34482 at NVDCVE-2022-34483 at SUSECVE-2022-34483 at NVDCVE-2022-34484 at SUSECVE-2022-34484 at NVDCVE-2022-34485 at SUSECVE-2022-34485 at NVDCVE-2022-36314 at SUSECVE-2022-36314 at NVDCVE-2022-36318 at SUSECVE-2022-36318 at NVDCVE-2022-36319 at SUSECVE-2022-36319 at NVDCVE-2022-38472 at SUSECVE-2022-38472 at NVDCVE-2022-38473 at SUSECVE-2022-38473 at NVDCVE-2022-38476 at SUSECVE-2022-38476 at NVDCVE-2022-38477 at SUSECVE-2022-38477 at NVDCVE-2022-38478 at SUSECVE-2022-38478 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libarchive (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libarchive fixes the following issues:
- CVE-2021-23177: Fixed symlink ACL extraction that modifies ACLs of the target system (bsc#1192425).
ModerateSUSE bug 1192425CVE-2021-23177 at SUSECVE-2021-23177 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for permissions (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for permissions fixes the following issues:
- CVE-2022-31252: Fixed chkstat group controlled paths (bsc#1203018).
ModerateSUSE bug 1203018CVE-2022-31252 at SUSECVE-2022-31252 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for curl (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for curl fixes the following issues:
- CVE-2022-35252: Fixed DoS caused by misusing control codes in cookies (bsc#1202593).
LowSUSE bug 1202593CVE-2022-35252 at SUSECVE-2022-35252 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for cifs-utils (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for cifs-utils fixes the following issues:
- CVE-2022-29869: Fixed verbose messages on option parsing (bsc#1198976).
ModerateSUSE bug 1198976CVE-2022-29869 at SUSECVE-2022-29869 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python36 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python36 fixes the following issues:
- CVE-2021-28861: Fixed an open redirection vulnerability in the HTTP server when an URI path starts with // (bsc#1202624).
ModerateSUSE bug 1202624CVE-2021-28861 at SUSECVE-2021-28861 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for unzip (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for unzip fixes the following issues:
- CVE-2022-0530: Fixed SIGSEGV during the conversion of an utf-8 string to a local string (bsc#1196177).
- CVE-2022-0529: Fixed heap out-of-bound writes and reads during conversion of wide string to local string (bsc#1196180).
ModerateSUSE bug 1196177SUSE bug 1196180CVE-2022-0529 at SUSECVE-2022-0529 at NVDCVE-2022-0530 at SUSECVE-2022-0530 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libsndfile (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libsndfile fixes the following issues:
- CVE-2021-4156: Fixed heap buffer overflow in flac_buffer_copy that
could potentially lead to heap exploitation (bsc#1194006).
ImportantSUSE bug 1194006CVE-2021-4156 at SUSECVE-2021-4156 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for sqlite3 (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for sqlite3 fixes the following issues:
Security issues fixed:
- CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783).
- CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802).
- Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773).
sqlite3 was update to 3.39.3:
* Use a statement journal on DML statement affecting two or more
database rows if the statement makes use of a SQL functions
that might abort.
* Use a mutex to protect the PRAGMA temp_store_directory and
PRAGMA data_store_directory statements, even though they are
decremented and documented as not being threadsafe.
Update to 3.39.2:
* Fix a performance regression in the query planner associated
with rearranging the order of FROM clause terms in the
presences of a LEFT JOIN.
* Apply fixes for CVE-2022-35737, Chromium bugs 1343348 and
1345947, forum post 3607259d3c, and other minor problems
discovered by internal testing. [boo#1201783]
Update to 3.39.1:
* Fix an incorrect result from a query that uses a view that
contains a compound SELECT in which only one arm contains a
RIGHT JOIN and where the view is not the first FROM clause term
of the query that contains the view
* Fix a long-standing problem with ALTER TABLE RENAME that can
only arise if the sqlite3_limit(SQLITE_LIMIT_SQL_LENGTH) is set
to a very small value.
* Fix a long-standing problem in FTS3 that can only arise when
compiled with the SQLITE_ENABLE_FTS3_PARENTHESIS compile-time
option.
* Fix the initial-prefix optimization for the REGEXP extension so
that it works correctly even if the prefix contains characters
that require a 3-byte UTF8 encoding.
* Enhance the sqlite_stmt virtual table so that it buffers all of
its output.
Update to 3.39.0:
* Add (long overdue) support for RIGHT and FULL OUTER JOIN
* Add new binary comparison operators IS NOT DISTINCT FROM and
IS DISTINCT FROM that are equivalent to IS and IS NOT,
respective, for compatibility with PostgreSQL and SQL standards
* Add a new return code (value '3') from the sqlite3_vtab_distinct()
interface that indicates a query that has both DISTINCT and
ORDER BY clauses
* Added the sqlite3_db_name() interface
* The unix os interface resolves all symbolic links in database
filenames to create a canonical name for the database before
the file is opened
* Defer materializing views until the materialization is actually
needed, thus avoiding unnecessary work if the materialization
turns out to never be used
* The HAVING clause of a SELECT statement is now allowed on any
aggregate query, even queries that do not have a GROUP BY
clause
* Many microoptimizations collectively reduce CPU cycles by about
2.3%.
Update to 3.38.5:
* Fix a blunder in the CLI of the 3.38.4 release
Update to 3.38.4:
* fix a byte-code problem in the Bloom filter pull-down
optimization added by release 3.38.0 in which an error in the
byte code causes the byte code engine to enter an infinite loop
when the pull-down optimization encounters a NULL key
Update to 3.38.3:
* Fix a case of the query planner be overly aggressive with
optimizing automatic-index and Bloom-filter construction,
using inappropriate ON clause terms to restrict the size of the
automatic-index or Bloom filter, and resulting in missing rows
in the output.
* Other minor patches. See the timeline for details.
Update to 3.38.2:
* Fix a problem with the Bloom filter optimization that might
cause an incorrect answer when doing a LEFT JOIN with a WHERE
clause constraint that says that one of the columns on the
right table of the LEFT JOIN is NULL.
* Other minor patches.
- Package the Tcl bindings here again so that we only ship one copy
of SQLite (bsc#1195773).
Update to 3.38.1:
* Fix problems with the new Bloom filter optimization that might
cause some obscure queries to get an incorrect answer.
* Fix the localtime modifier of the date and time functions so
that it preserves fractional seconds.
* Fix the sqlite_offset SQL function so that it works correctly
even in corner cases such as when the argument is a virtual
column or the column of a view.
* Fix row value IN operator constraints on virtual tables so that
they work correctly even if the virtual table implementation
relies on bytecode to filter rows that do not satisfy the
constraint.
* Other minor fixes to assert() statements, test cases, and
documentation. See the source code timeline for details.
Update to 3.38.0
* Add the -> and ->> operators for easier processing of JSON
* The JSON functions are now built-ins
* Enhancements to date and time functions
* Rename the printf() SQL function to format() for better
compatibility, with alias for backwards compatibility.
* Add the sqlite3_error_offset() interface for helping localize
an SQL error to a specific character in the input SQL text
* Enhance the interface to virtual tables
* CLI columnar output modes are enhanced to correctly handle tabs
and newlines embedded in text, and add options like '--wrap N',
'--wordwrap on', and '--quote' to the columnar output modes.
* Query planner enhancements using a Bloom filter to speed up
large analytic queries, and a balanced merge tree to evaluate
UNION or UNION ALL compound SELECT statements that have an
ORDER BY clause.
* The ALTER TABLE statement is changed to silently ignores
entries in the sqlite_schema table that do not parse when
PRAGMA writable_schema=ON
Update to 3.37.2:
* Fix a bug introduced in version 3.35.0 (2021-03-12) that can
cause database corruption if a SAVEPOINT is rolled back while
in PRAGMA temp_store=MEMORY mode, and other changes are made,
and then the outer transaction commits
* Fix a long-standing problem with ON DELETE CASCADE and ON
UPDATE CASCADE in which a cache of the bytecode used to
implement the cascading change was not being reset following a
local DDL change
Update to 3.37.1:
* Fix a bug introduced by the UPSERT enhancements of version
3.35.0 that can cause incorrect byte-code to be generated for
some obscure but valid SQL, possibly resulting in a NULL-
pointer dereference.
* Fix an OOB read that can occur in FTS5 when reading corrupt
database files.
* Improved robustness of the --safe option in the CLI.
* Other minor fixes to assert() statements and test cases.
Update to 3.37.0:
* STRICT tables provide a prescriptive style of data type
management, for developers who prefer that kind of thing.
* When adding columns that contain a CHECK constraint or a
generated column containing a NOT NULL constraint, the
ALTER TABLE ADD COLUMN now checks new constraints against
preexisting rows in the database and will only proceed if no
constraints are violated.
* Added the PRAGMA table_list statement.
* Add the .connection command, allowing the CLI to keep multiple
database connections open at the same time.
* Add the --safe command-line option that disables dot-commands
and SQL statements that might cause side-effects that extend
beyond the single database file named on the command-line.
* CLI: Performance improvements when reading SQL statements that
span many lines.
* Added the sqlite3_autovacuum_pages() interface.
* The sqlite3_deserialize() does not and has never worked
for the TEMP database. That limitation is now noted in the
documentation.
* The query planner now omits ORDER BY clauses on subqueries and
views if removing those clauses does not change the semantics
of the query.
* The generate_series table-valued function extension is modified
so that the first parameter ('START') is now required. This is
done as a way to demonstrate how to write table-valued
functions with required parameters. The legacy behavior is
available using the -DZERO_ARGUMENT_GENERATE_SERIES
compile-time option.
* Added new sqlite3_changes64() and sqlite3_total_changes64()
interfaces.
* Added the SQLITE_OPEN_EXRESCODE flag option to sqlite3_open_v2().
* Use less memory to hold the database schema.
* bsc#1189802, CVE-2021-36690: Fix an issue with the SQLite Expert
extension when a column has no collating sequence.
ModerateSUSE bug 1189802SUSE bug 1195773SUSE bug 1201783CVE-2021-36690 at SUSECVE-2021-36690 at NVDCVE-2022-35737 at SUSECVE-2022-35737 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libcaca (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libcaca fixes the following issues:
- CVE-2021-3410: Fixed overflow when multiplying large ints (bsc#1182731).
ModerateSUSE bug 1182731CVE-2021-3410 at SUSECVE-2021-3410 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Mozilla Firefox was updated from 102.2.0esr to 102.3.0esr (bsc#1203477):
- CVE-2022-40959: Fixed bypassing FeaturePolicy restrictions on transient pages.
- CVE-2022-40960: Fixed data-race when parsing non-UTF-8 URLs in threads.
- CVE-2022-40958: Fixed bypassing secure context restriction for cookies with __Host and __Secure prefix.
- CVE-2022-40956: Fixed content-security-policy base-uri bypass.
- CVE-2022-40957: Fixed incoherent instruction cache when building WASM on ARM64.
- CVE-2022-40962: Fixed memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3.
ImportantSUSE bug 1203477CVE-2022-40956 at SUSECVE-2022-40956 at NVDCVE-2022-40957 at SUSECVE-2022-40957 at NVDCVE-2022-40958 at SUSECVE-2022-40958 at NVDCVE-2022-40959 at SUSECVE-2022-40959 at NVDCVE-2022-40960 at SUSECVE-2022-40960 at NVDCVE-2022-40962 at SUSECVE-2022-40962 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for python3-lxml (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3-lxml fixes the following issues:
- CVE-2020-27783: Fixed XSS due to the use of improper parser (bsc#1179534).
ModerateSUSE bug 1179534CVE-2020-27783 at SUSECVE-2020-27783 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for expat (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for expat fixes the following issues:
- CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438).
ImportantSUSE bug 1203438CVE-2022-40674 at SUSECVE-2022-40674 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for krb5-appl (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for krb5-appl fixes the following issues:
- CVE-2022-39028: Fixed NULL pointer dereference in krb5-appl telnetd (bsc#1203759).
ImportantSUSE bug 1203759CVE-2022-39028 at SUSECVE-2022-39028 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libjpeg-turbo (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libjpeg-turbo fixes the following issues:
- CVE-2020-35538: Fixed null pointer dereference in jcopy_sample_rows() function (bsc#1202915).
ModerateSUSE bug 1202915CVE-2020-35538 at SUSECVE-2020-35538 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openvswitch (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openvswitch fixes the following issues:
- CVE-2022-32166: Fixed out of bounds read in minimask_equal() (bsc#1203865).
ModerateSUSE bug 1203865CVE-2022-32166 at SUSECVE-2022-32166 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
Updated to version 2.36.8 (bsc#1203530):
- CVE-2022-32886: Fixed a buffer overflow issue that could potentially lead to code execution.
- CVE-2022-32912: Fixed an out-of-bounds read that could potentially lead to code execution.
ImportantSUSE bug 1203530CVE-2022-32886 at SUSECVE-2022-32886 at NVDCVE-2022-32912 at SUSECVE-2022-32912 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for bind (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for bind fixes the following issues:
- CVE-2022-2795: Fixed potential performance degredation due to missing database lookup limits when processing large delegations (bsc#1203614).
- CVE-2022-38177: Fixed a memory leak that could be externally triggered in the DNSSEC verification code for the ECDSA algorithm (bsc#1203619).
ImportantSUSE bug 1203614SUSE bug 1203619CVE-2022-2795 at SUSECVE-2022-2795 at NVDCVE-2022-38177 at SUSECVE-2022-38177 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3 fixes the following issues:
- CVE-2021-28861: Fixed an open redirection vulnerability in the HTTP server when an URI path starts with // (bsc#1202624).
ImportantSUSE bug 1202624CVE-2021-28861 at SUSECVE-2021-28861 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for squid (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for squid fixes the following issues:
- CVE-2022-41317: Fixed exposure of sensitive information in cache manager (bsc#1203677).
- CVE-2022-41318: Fixed buffer overread in SSPI and SMB Authentication (bsc#1203680).
ImportantSUSE bug 1203677SUSE bug 1203680CVE-2022-41317 at SUSECVE-2022-41317 at NVDCVE-2022-41318 at SUSECVE-2022-41318 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for postgresql-jdbc (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql-jdbc fixes the following issues:
- CVE-2022-31197: Fixed SQL injection vulnerability (bsc#1202170).
ImportantSUSE bug 1202170CVE-2022-31197 at SUSECVE-2022-31197 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for exiv2 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for exiv2 fixes the following issues:
- CVE-2021-31291: Fixed heap-based buffer overflow vulnerability in jp2image.cpp may lead to a denial of service (bsc#1188733).
- CVE-2021-32617: Fixed denial of service inside inefficient algorithm (quadratic complexity) (bsc#1186192).
ModerateSUSE bug 1186192SUSE bug 1188733CVE-2021-31291 at SUSECVE-2021-31291 at NVDCVE-2021-32617 at SUSECVE-2021-32617 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for clamav (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for clamav fixes the following issues:
- CVE-2022-20698: Fixed invalid pointer read allowing denial of service crash. (bsc#1194731)
ImportantSUSE bug 1194731CVE-2022-20698 at SUSECVE-2022-20698 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
- CVE-2022-23034: Fixed possible DoS by a PV guest Xen while unmapping a grant. (XSA-394) (bsc#1194581)
- CVE-2022-23035: Fixed insufficient cleanup of passed-through device IRQs. (XSA-395) (bsc#1194588)
ImportantSUSE bug 1194581SUSE bug 1194588CVE-2022-23034 at SUSECVE-2022-23034 at NVDCVE-2022-23035 at SUSECVE-2022-23035 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for glibc (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for glibc fixes the following issues:
- CVE-2015-8985: Fixed assertion failure in pop_fail_stack when executing
a malformed regexp (bsc#1193625)
ModerateSUSE bug 1193625CVE-2015-8985 at SUSECVE-2015-8985 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for jasper (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for jasper fixes the following issues:
- CVE-2022-2963: Fixed memory leaks in function cmdopts_parse (bsc#1202642).
ModerateSUSE bug 1202642CVE-2022-2963 at SUSECVE-2022-2963 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for clone-master-clean-up (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for clone-master-clean-up fixes the following issues:
- CVE-2021-32000: Fixed some potentially dangerous file system operations (bsc#1181050).
Bugfixes:
- Fixed failures to remove btrfs snapshots (bsc#1203651).
ModerateSUSE bug 1181050SUSE bug 1203651CVE-2021-32000 at SUSECVE-2021-32000 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tiff (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tiff fixes the following issues:
- CVE-2022-2519: Fixed a double free in rotateImage() (bsc#1202968).
- CVE-2022-2520: Fixed a assertion failure in rotateImage() (bsc#1202973).
- CVE-2022-2521: Fixed invalid free in TIFFClose() (bsc#1202971).
- CVE-2022-2867: Fixed out of bounds read and write in tiffcrop.c (bsc#1202466).
- CVE-2022-2868: Fixed out of bounds read in reverseSamples16bits() (bsc#1202467).
- CVE-2022-2869: Fixed out of bounds read and write in extractContigSamples8bits() (bsc#1202468).
- CVE-2022-34526: Fixed stack overflow in the _TIFFVGetField function of Tiffsplit (bsc#1202026).
ImportantSUSE bug 1201723SUSE bug 1201971SUSE bug 1202026SUSE bug 1202466SUSE bug 1202467SUSE bug 1202468SUSE bug 1202968SUSE bug 1202971SUSE bug 1202973CVE-2022-0561 at SUSECVE-2022-0561 at NVDCVE-2022-2519 at SUSECVE-2022-2519 at NVDCVE-2022-2520 at SUSECVE-2022-2520 at NVDCVE-2022-2521 at SUSECVE-2022-2521 at NVDCVE-2022-2867 at SUSECVE-2022-2867 at NVDCVE-2022-2868 at SUSECVE-2022-2868 at NVDCVE-2022-2869 at SUSECVE-2022-2869 at NVDCVE-2022-34266 at SUSECVE-2022-34266 at NVDCVE-2022-34526 at SUSECVE-2022-34526 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libksba (Critical)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libksba fixes the following issues:
- CVE-2022-3515: Fixed a possible overflow in the TLV parser (bsc#1204357).
CriticalSUSE bug 1204357CVE-2022-3515 at SUSECVE-2022-3515 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libarchive (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libarchive fixes the following issues:
- CVE-2021-31566: Fixed vulnerability where libarchive modifies file flags of symlink target (bsc#1192426)
ModerateSUSE bug 1192426CVE-2021-31566 at SUSECVE-2021-31566 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for squid (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for squid fixes the following issues:
This update ships squid 4.17 (jsc#SLE-24797, jsc#SLE-24799)
Importantcpe:/o:suse:sles_teradata:12:sp3Security update for multipath-tools (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for multipath-tools fixes the following issues:
- CVE-2022-41974: Fixed an authorization bypass issue in multipathd. (bsc#1202739)
- Avoid linking to libreadline to avoid licensing issue (bsc#1202616)
- Avoid device IO in 'multipath -u' (bsc#1125145, bsc#1131789)
- mpathpersist: optimize for setups with many LUNs (bsc#1134648)
- mpathpersist: add option -f/--batch-file (bsc#1134648)
- libmultipath: get_prio(): really don't reset prio for inaccessible paths (bsc#1118495)
- Upstream bug fixes from dm-devel (bsc#1139369):
multipath: call store_pathinfo with DI_BLACKLIST
- hwtable: add Lenovo DE series (bsc#1125507)
ImportantSUSE bug 1118495SUSE bug 1125145SUSE bug 1125507SUSE bug 1131789SUSE bug 1134648SUSE bug 1139369SUSE bug 1202616SUSE bug 1202739SUSE bug 1204325CVE-2022-41974 at SUSECVE-2022-41974 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libxml2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libxml2 fixes the following issues:
- CVE-2016-3709: Fixed possible XSS vulnerability (bsc#1201978).
- CVE-2022-40303: Fixed integer overflows with XML_PARSE_HUGE (bsc#1204366).
- CVE-2022-40304: Fixed dict corruption caused by entity reference cycles (bsc#1204367).
ImportantSUSE bug 1201978SUSE bug 1204366SUSE bug 1204367CVE-2016-3709 at SUSECVE-2016-3709 at NVDCVE-2022-40303 at SUSECVE-2022-40303 at NVDCVE-2022-40304 at SUSECVE-2022-40304 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for bluez (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for bluez fixes the following issues:
- CVE-2019-8921: Fixed heap-based buffer overflow via crafted request (bsc#1193237).
- CVE-2016-9803: Fixed memory leak (bsc#1013885).
ImportantSUSE bug 1013885SUSE bug 1193237CVE-2016-9803 at SUSECVE-2016-9803 at NVDCVE-2019-8921 at SUSECVE-2019-8921 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Updated to version 102.4.0 ESR (bsc#1204421):
- CVE-2022-42927: Fixed same-origin policy violation that could have leaked cross-origin URLs.
- CVE-2022-42928: Fixed memory Corruption in JS Engine.
- CVE-2022-42929: Fixed denial of Service via window.print.
- CVE-2022-42932: Fixed memory safety bugs.
ImportantSUSE bug 1204421CVE-2022-42927 at SUSECVE-2022-42927 at NVDCVE-2022-42928 at SUSECVE-2022-42928 at NVDCVE-2022-42929 at SUSECVE-2022-42929 at NVDCVE-2022-42932 at SUSECVE-2022-42932 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for telnet (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for telnet fixes the following issues:
- CVE-2022-39028: Fixed NULL pointer dereference in telnetd (bsc#1203759).
ImportantSUSE bug 1203759CVE-2022-39028 at SUSECVE-2022-39028 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for SUSE Manager Client Tools (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update fixes the following issues:
golang-github-lusitaniae-apache_exporter:
- Update to upstream release 0.11.0 (jsc#SLE-24791)
* Add TLS support
* Switch to logger, please check --log.level and --log.format flags
- Update to version 0.10.1
* Bugfix: Reset ProxyBalancer metrics on each scrape to remove stale data
- Update to version 0.10.0
* Add Apache Proxy and other metrics
- Update to version 0.8.0
* Change commandline flags
* Add metrics: Apache version, request duration total
- Adapted to build on Enterprise Linux 8
- Require building with Go 1.15
- Add %license macro for LICENSE file
golang-github-prometheus-alertmanager:
- Do not include sources (bsc#1200725)
golang-github-prometheus-node_exporter:
- CVE-2022-21698: Denial of service using InstrumentHandlerCounter. (bsc#1196338, jsc#SLE-24243, jsc#SUMA-114)
grafana:
- Update to version 8.3.10
+ Security:
* CVE-2022-31097: Cross Site Scripting vulnerability in the Unified Alerting (bsc#1201535)
* CVE-2022-31107: OAuth account takeover vulnerability (bsc#1201539)
- Update to version 8.3.9
+ Bug fixes:
* Geomap: Display legend
* Prometheus: Fix timestamp truncation
- Update to version 8.3.7
+ Bug fix:
* Provisioning: Ensure that the default value for orgID is set when provisioning datasources to be deleted.
- Update to version 8.3.6
+ Features and enhancements:
* Cloud Monitoring: Reduce request size when listing labels.
* Explore: Show scalar data result in a table instead of graph.
* Snapshots: Updates the default external snapshot server URL.
* Table: Makes footer not overlap table content.
* Tempo: Add request histogram to service graph datalink.
* Tempo: Add time range to tempo search query behind a feature flag.
* Tempo: Auto-clear results when changing query type.
* Tempo: Display start time in search results as relative time.
* CloudMonitoring: Fix resource labels in query editor.
* Cursor sync: Apply the settings without saving the dashboard.
* LibraryPanels: Fix for Error while cleaning library panels.
* Logs Panel: Fix timestamp parsing for string dates without timezone.
* Prometheus: Fix some of the alerting queries that use reduce/math operation.
* TablePanel: Fix ad-hoc variables not working on default datasources.
* Text Panel: Fix alignment of elements.
* Variables: Fix for constant variables in self referencing links.
- Update to version 8.3.5 (jsc#SLE-23439, jsc#SLE-23422, jsc#SLE-24565)
kiwi-desc-saltboot:
- Update to version 0.1.1661440542.6cbe0da
* Use standard susemanager.conf
* Use salt bundle
* Add support fo VirtIO disks
mgr-daemon:
- Version 4.3.6-1
* Update translation strings
spacecmd:
- Version 4.3.15-1
* Process date values in spacecmd api calls (bsc#1198903)
spacewalk-client-tools:
- Version 4.3.12-1
* Update translation strings
uyuni-common-libs:
- Version 4.3.6-1
* Do not allow creating path if nonexistent user or group in fileutils.
ModerateSUSE bug 1196338SUSE bug 1198903SUSE bug 1200725SUSE bug 1201535SUSE bug 1201539CVE-2022-21698 at SUSECVE-2022-21698 at NVDCVE-2022-31097 at SUSECVE-2022-31097 at NVDCVE-2022-31107 at SUSECVE-2022-31107 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for curl (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for curl fixes the following issues:
- CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).
ImportantSUSE bug 1204383CVE-2022-32221 at SUSECVE-2022-32221 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for xen (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
- CVE-2022-33746: Fixed DoS due to excessively long P2M pool freeing (bsc#1203806).
- CVE-2022-33748: Fixed DoS due to race in locking (bsc#1203807).
- CVE-2021-28689: Fixed speculative vulnerabilities with bare (non-shim) 32-bit PV guests (bsc#1185104).
ModerateSUSE bug 1185104SUSE bug 1203806SUSE bug 1203807CVE-2021-28689 at SUSECVE-2021-28689 at NVDCVE-2022-33746 at SUSECVE-2022-33746 at NVDCVE-2022-33748 at SUSECVE-2022-33748 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libtirpc (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libtirpc fixes the following issues:
- CVE-2021-46828: Fixed denial of service vulnerability with lots of connections (bsc#1201680).
- Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800)
ImportantSUSE bug 1200800SUSE bug 1201680CVE-2021-46828 at SUSECVE-2021-46828 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for openjpeg2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openjpeg2 fixes the following issues:
- CVE-2018-21010: Fixed heap buffer overflow in color_apply_icc_profile in bin/common/color.c (bsc#1149789).
- CVE-2020-27824: Fixed OOB read in opj_dwt_calc_explicit_stepsizes() (bsc#1179821).
- CVE-2020-27842: Fixed null pointer dereference in opj_tgt_reset function in lib/openjp2/tgt.c (bsc#1180043).
- CVE-2020-27843: Fixed out-of-bounds read in opj_t2_encode_packet function in openjp2/t2.c (bsc#1180044).
- CVE-2020-27845: Fixed heap-based buffer over-read in functions opj_pi_next_rlcp, opj_pi_next_rpcl and opj_pi_next_lrcp in openjp2/pi.c (bsc#1180046).
ImportantSUSE bug 1149789SUSE bug 1179821SUSE bug 1180043SUSE bug 1180044SUSE bug 1180046CVE-2018-21010 at SUSECVE-2018-21010 at NVDCVE-2020-27824 at SUSECVE-2020-27824 at NVDCVE-2020-27842 at SUSECVE-2020-27842 at NVDCVE-2020-27843 at SUSECVE-2020-27843 at NVDCVE-2020-27845 at SUSECVE-2020-27845 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for dbus-1 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for dbus-1 fixes the following issues:
- CVE-2022-42010: Fixed potential crash that could be triggered by an invalid signature (bsc#1204111).
- CVE-2022-42011: Fixed an out of bounds read caused by a fixed length array (bsc#1204112).
- CVE-2022-42012: Fixed a use-after-free that could be trigged by a message in non-native endianness with out-of-band Unix file descriptor (bsc#1204113).
Bugfixes:
- Disable asserts (bsc#1087072).
ImportantSUSE bug 1087072SUSE bug 1204111SUSE bug 1204112SUSE bug 1204113CVE-2022-42010 at SUSECVE-2022-42010 at NVDCVE-2022-42011 at SUSECVE-2022-42011 at NVDCVE-2022-42012 at SUSECVE-2022-42012 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libtasn1 (Critical)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libtasn1 fixes the following issues:
- CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690).
CriticalSUSE bug 1204690CVE-2021-46848 at SUSECVE-2021-46848 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xorg-x11-server fixes the following issues:
- CVE-2022-3550: Fixed out of bounds read/write in _GetCountedString() (bsc#1204412).
- CVE-2022-3551: Fixed various leaks of the return value of GetComponentSpec() (bsc#1204416).
ImportantSUSE bug 1204412SUSE bug 1204416CVE-2022-3550 at SUSECVE-2022-3550 at NVDCVE-2022-3551 at SUSECVE-2022-3551 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3 fixes the following issues:
- CVE-2022-37454: Fixed a buffer overflow in hashlib.sha3_* implementations. (bsc#1204577)
- CVE-2020-10735: Fixed a bug to limit amount of digits converting text to int and vice vera. (bsc#1203125)
ImportantSUSE bug 1203125SUSE bug 1204577CVE-2020-10735 at SUSECVE-2020-10735 at NVDCVE-2022-37454 at SUSECVE-2022-37454 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for expat (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for expat fixes the following issues:
- CVE-2022-43680: Fixed use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708).
ImportantSUSE bug 1204708CVE-2022-43680 at SUSECVE-2022-43680 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for gstreamer-plugins-base (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gstreamer-plugins-base fixes the following issues:
- CVE-2021-3522: Fixed frame size check and potential invalid reads (bsc#1185448).
ModerateSUSE bug 1185448CVE-2021-3522 at SUSECVE-2021-3522 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python3-lxml (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3-lxml fixes the following issues:
- CVE-2021-28957: Fixed XSS due to missing input sanitization for HTML5 attributes (bsc#1184177).
ModerateSUSE bug 1184177CVE-2021-28957 at SUSECVE-2021-28957 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for rpm (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for rpm fixes the following issues:
- Fixed PGP parsing bugs (bsc#1185299).
- Fixed various format handling bugs (bsc#996280).
- CVE-2021-3421: Fixed vulnerability where unsigned headers could be injected into the rpm database (bsc#1183543).
- CVE-2021-20271: Fixed vulnerability where a corrupted rpm could corrupt the rpm database (bsc#1183545).
- CVE-2021-20266: Fixed missing bounds check in hdrblobInit (bsc#1183632).
Bugfixes:
- Fixed deadlock when multiple rpm processes tried to acquire the database lock (bsc#1183659).
ModerateSUSE bug 1183543SUSE bug 1183545SUSE bug 1183632SUSE bug 1183659SUSE bug 1185299SUSE bug 996280CVE-2021-20266 at SUSECVE-2021-20266 at NVDCVE-2021-20271 at SUSECVE-2021-20271 at NVDCVE-2021-3421 at SUSECVE-2021-3421 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python fixes the following issues:
- CVE-2021-28861: Fixed an open redirection vulnerability in the HTTP server when an URI path starts with // BaseHTTPServer (bsc#1202624).
ImportantSUSE bug 1202624CVE-2021-28861 at SUSECVE-2021-28861 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for xterm (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xterm fixes the following issues:
- CVE-2022-24130: Fixed buffer overflow in set_sixel when Sixel support is enabled. (bsc#1195387)
ModerateSUSE bug 1195387CVE-2022-24130 at SUSECVE-2022-24130 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python-numpy (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-numpy fixes the following issues:
- CVE-2017-12852: Fixed missing input validation leading to infinite loops (bsc#1053963).
Bugfixes:
- Use update-alternatives for /usr/bin/f2py (bsc#1199500).
ModerateSUSE bug 1053963SUSE bug 1199500CVE-2017-12852 at SUSECVE-2017-12852 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
- CVE-2022-42311, CVE-2022-42312, CVE-2022-42313, CVE-2022-42314, CVE-2022-42315, CVE-2022-42316, CVE-2022-42317, CVE-2022-42318: xen: Xenstore: Guests can let xenstored run out of memory (bsc#1204482)
- CVE-2022-42309: xen: Xenstore: Guests can crash xenstored (bsc#1204485)
- CVE-2022-42310: xen: Xenstore: Guests can create orphaned Xenstore nodes (bsc#1204487)
- CVE-2022-42319: xen: Xenstore: Guests can cause Xenstore to not free temporary memory (bsc#1204488)
- CVE-2022-42320: xen: Xenstore: Guests can get access to Xenstore nodes of deleted domains (bsc#1204489)
- CVE-2022-42321: xen: Xenstore: Guests can crash xenstored via exhausting the stack (bsc#1204490)
- CVE-2022-42322,CVE-2022-42323: xen: Xenstore: cooperating guests can create arbitrary numbers of nodes (bsc#1204494)
- CVE-2022-42325,CVE-2022-42326: xen: Xenstore: Guests can create arbitrary number of nodes via transactions (bsc#1204496)
ImportantSUSE bug 1204482SUSE bug 1204485SUSE bug 1204487SUSE bug 1204488SUSE bug 1204489SUSE bug 1204490SUSE bug 1204494SUSE bug 1204496CVE-2022-42309 at SUSECVE-2022-42309 at NVDCVE-2022-42310 at SUSECVE-2022-42310 at NVDCVE-2022-42311 at SUSECVE-2022-42311 at NVDCVE-2022-42312 at SUSECVE-2022-42312 at NVDCVE-2022-42313 at SUSECVE-2022-42313 at NVDCVE-2022-42314 at SUSECVE-2022-42314 at NVDCVE-2022-42315 at SUSECVE-2022-42315 at NVDCVE-2022-42316 at SUSECVE-2022-42316 at NVDCVE-2022-42317 at SUSECVE-2022-42317 at NVDCVE-2022-42318 at SUSECVE-2022-42318 at NVDCVE-2022-42319 at SUSECVE-2022-42319 at NVDCVE-2022-42320 at SUSECVE-2022-42320 at NVDCVE-2022-42321 at SUSECVE-2022-42321 at NVDCVE-2022-42322 at SUSECVE-2022-42322 at NVDCVE-2022-42323 at SUSECVE-2022-42323 at NVDCVE-2022-42325 at SUSECVE-2022-42325 at NVDCVE-2022-42326 at SUSECVE-2022-42326 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libX11 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libX11 fixes the following issues:
- CVE-2022-3554: Fixed memory leak in XRegisterIMInstantiateCallback() (bsc#1204422).
- CVE-2022-3555: Fixed memory leak in _XFreeX11XCBStructure() (bsc#1204425).
ModerateSUSE bug 1204422SUSE bug 1204425CVE-2022-3554 at SUSECVE-2022-3554 at NVDCVE-2022-3555 at SUSECVE-2022-3555 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for dhcp (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for dhcp fixes the following issues:
- CVE-2022-2928: Fixed an option refcount overflow (bsc#1203988).
- CVE-2022-2929: Fixed a DHCP memory leak (bsc#1203989).
ModerateSUSE bug 1203988SUSE bug 1203989CVE-2022-2928 at SUSECVE-2022-2928 at NVDCVE-2022-2929 at SUSECVE-2022-2929 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ant (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ant fixes the following issues:
- CVE-2020-1945: Fixed insecure temporary file vulnerability (bsc#1171696).
- CVE-2020-11979: Fixed issue introduced with fix for CVE-2020-1945 (bsc#1177180).
ModerateSUSE bug 1171696SUSE bug 1177180CVE-2020-11979 at SUSECVE-2020-11979 at NVDCVE-2020-1945 at SUSECVE-2020-1945 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libvirt (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libvirt fixes the following issues:
- CVE-2021-4147: libxl: Fix libvirtd deadlocks and segfaults. (bsc#1194041)
- CVE-2021-3975: Add missing lock in qemuProcessHandleMonitorEOF. (bsc#1192876)
ImportantSUSE bug 1192876SUSE bug 1193981SUSE bug 1194041CVE-2021-3975 at SUSECVE-2021-3975 at NVDCVE-2021-4147 at SUSECVE-2021-4147 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python36 (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python36 fixes the following issues:
- Update list of already merged patches.
Lowcpe:/o:suse:sles_teradata:12:sp3Security update for grub2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for grub2 fixes the following issues:
Security Fixes:
- CVE-2022-2601: Fixed buffer overflow in grub_font_construct_glyph (bsc#1205178).
- CVE-2022-3775: Fixed integer underflow in blit_comb() (bsc#1205182).
Other:
- Bump upstream SBAT generation to 3
ImportantSUSE bug 1205178SUSE bug 1205182CVE-2022-2601 at SUSECVE-2022-2601 at NVDCVE-2022-3775 at SUSECVE-2022-3775 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for strongswan (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for strongswan fixes the following issues:
- CVE-2022-40617: Fixed that using untrusted URIs for revocation checking could lead to denial of service (bsc#1203556)
ModerateSUSE bug 1203556CVE-2022-40617 at SUSECVE-2022-40617 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libarchive (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libarchive fixes the following issues:
- CVE-2022-36227: Fixed potential NULL pointer dereference in __archive_write_allocate_filter() (bsc#1205629).
LowSUSE bug 1205629CVE-2022-36227 at SUSECVE-2022-36227 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tomcat (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tomcat fixes the following issues:
- CVE-2022-42252: Fixed a request smuggling (bsc#1204918).
ImportantSUSE bug 1204918CVE-2022-42252 at SUSECVE-2022-42252 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for sudo (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for sudo fixes the following issues:
Security fixes:
- CVE-2022-43995: Fixed a potential heap-based buffer over-read when entering a password of seven characters or fewer and using the crypt() password backend (bsc#1204986).
Other:
- Make sure SIGCHLD is not ignored when sudo is executed; fixes race condition (bsc#1203201).
- Change sudo-ldap schema from ASCII to UTF8 (bsc#1197998).
ImportantSUSE bug 1197998SUSE bug 1203201SUSE bug 1204986CVE-2022-43995 at SUSECVE-2022-43995 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Update to Firefox Extended Support Release 102.5.0 ESR (MFSA 2022-48, bsc#1205270):
- CVE-2022-45403: Service Workers might have learned size of cross-origin media files
- CVE-2022-45404: Fullscreen notification bypass
- CVE-2022-45405: Use-after-free in InputStream implementation
- CVE-2022-45406: Use-after-free of a JavaScript Realm
- CVE-2022-45408: Fullscreen notification bypass via windowName
- CVE-2022-45409: Use-after-free in Garbage Collection
- CVE-2022-45410: ServiceWorker-intercepted requests bypassed SameSite cookie policy
- CVE-2022-45411: Cross-Site Tracing was possible via non-standard override headers
- CVE-2022-45412: Symlinks may resolve to partially uninitialized buffers
- CVE-2022-45416: Keystroke Side-Channel Leakage
- CVE-2022-45418: Custom mouse cursor could have been drawn over browser UI
- CVE-2022-45420: Iframe contents could be rendered outside the iframe
- CVE-2022-45421: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5
ImportantSUSE bug 1205270CVE-2022-45403 at SUSECVE-2022-45403 at NVDCVE-2022-45404 at SUSECVE-2022-45404 at NVDCVE-2022-45405 at SUSECVE-2022-45405 at NVDCVE-2022-45406 at SUSECVE-2022-45406 at NVDCVE-2022-45408 at SUSECVE-2022-45408 at NVDCVE-2022-45409 at SUSECVE-2022-45409 at NVDCVE-2022-45410 at SUSECVE-2022-45410 at NVDCVE-2022-45411 at SUSECVE-2022-45411 at NVDCVE-2022-45412 at SUSECVE-2022-45412 at NVDCVE-2022-45416 at SUSECVE-2022-45416 at NVDCVE-2022-45418 at SUSECVE-2022-45418 at NVDCVE-2022-45420 at SUSECVE-2022-45420 at NVDCVE-2022-45421 at SUSECVE-2022-45421 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for tiff (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tiff fixes the following issues:
- CVE-2022-3597: Fixed out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c (bnc#1204641).
- CVE-2022-3599: Fixed out-of-bounds read in writeSingleSection in tools/tiffcrop.c (bnc#1204643).
- CVE-2022-3626: Fixed out-of-bounds write in _TIFFmemset in libtiff/tif_unix.c (bnc#1204644)
- CVE-2022-3627: Fixed out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c (bnc#1204645).
- CVE-2022-3970: Fixed unsigned integer overflow in TIFFReadRGBATileExt() (bnc#1205392).
ImportantSUSE bug 1204641SUSE bug 1204643SUSE bug 1204644SUSE bug 1204645SUSE bug 1205392CVE-2022-3597 at SUSECVE-2022-3597 at NVDCVE-2022-3599 at SUSECVE-2022-3599 at NVDCVE-2022-3626 at SUSECVE-2022-3626 at NVDCVE-2022-3627 at SUSECVE-2022-3627 at NVDCVE-2022-3970 at SUSECVE-2022-3970 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for pixman (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for pixman fixes the following issues:
- CVE-2022-44638: Fixed an integer overflow in pixman_sample_floor_y leading to heap out-of-bounds write (bsc#1205033).
ImportantSUSE bug 1205033CVE-2022-44638 at SUSECVE-2022-44638 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3 fixes the following issues:
- CVE-2020-10735: Fixed possible DoS when converting text to int and vice versa (bsc#1203125).
- CVE-2022-45061: Fixed possible DoS when IDNA decoding extremely long domain names (bsc#1205244).
ImportantSUSE bug 1203125SUSE bug 1205244CVE-2020-10735 at SUSECVE-2020-10735 at NVDCVE-2022-45061 at SUSECVE-2022-45061 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for exiv2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for exiv2 fixes the following issues:
- CVE-2019-13112: Fixed an uncontrolled memory allocation in PngChunk:parseChunkContent causing denial of service. (bsc#1142681)
- CVE-2021-37620: Fixed out-of-bounds read in XmpTextValue:read(). (bsc#1189332)
- CVE-2021-34334: Fixed a DoS due to integer overflow in loop counter. (bsc#1189338)
- CVE-2021-31291: Fixed a heap-based buffer overflow vulnerability in jp2image.cpp may lead to a denial of service via crafted metadata (bsc#1188733).
- CVE-2021-32815: Fixed a deny-of-service due to assertion failure in crwimage_int.cpp (bsc#1189337).
- CVE-2018-20097: Fixed SEGV in Exiv2::Internal::TiffParserWorker::findPrimaryGroupsu (bsc#1119562).
- CVE-2021-29457: Fixed a heap buffer overflow when write metadata into a crafted image file (bsc#1185002).
- CVE-2021-29473: Fixed out-of-bounds read in Exiv2::Jp2Image:doWriteMetadata (bsc#1186231).
ImportantSUSE bug 1119562SUSE bug 1142681SUSE bug 1185002SUSE bug 1186231SUSE bug 1188733SUSE bug 1189332SUSE bug 1189337SUSE bug 1189338CVE-2018-20097 at SUSECVE-2018-20097 at NVDCVE-2019-13112 at SUSECVE-2019-13112 at NVDCVE-2021-29457 at SUSECVE-2021-29457 at NVDCVE-2021-29473 at SUSECVE-2021-29473 at NVDCVE-2021-31291 at SUSECVE-2021-31291 at NVDCVE-2021-32815 at SUSECVE-2021-32815 at NVDCVE-2021-34334 at SUSECVE-2021-34334 at NVDCVE-2021-37620 at SUSECVE-2021-37620 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for busybox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for busybox fixes the following issues:
- CVE-2014-9645: Fixed loading of unwanted modules with / (bsc#914660).
- CVE-2017-16544: Fixed insufficient sanitization of filenames when autocompleting (bsc#1069412).
- CVE-2015-9261: Fixed huft_build misuses a pointer, causing segfaults (bsc#1102912).
- CVE-2016-2147: Fixed out of bounds write (heap) due to integer underflow in udhcpc (bsc#970663).
- CVE-2016-2148: Fixed heap-based buffer overflow in OPTION_6RD parsing (bsc#970662).
- CVE-2016-6301: Fixed NTP server denial of service flaw (bsc#991940).
- CVE-2017-15873: Fixed integer overflow in get_next_block function in archival/libarchive/decompress_bunzip2.c (bsc#1064976).
- CVE-2017-15874: Fixed integer overflow in archival/libarchive/decompress_unlzma (bsc#1064978).
- CVE-2019-5747: Fixed out of bounds read in udhcp components (bsc#1121428).
- CVE-2021-42373, CVE-2021-42374, CVE-2021-42375, CVE-2021-42376, CVE-2021-42377, CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381, CVE-2021-42382, CVE-2021-42383, CVE-2021-42384, CVE-2021-42385, CVE-2021-42386: v1.34.0 bugfixes (bsc#1192869).
- CVE-2021-28831: Fixed invalid free or segmentation fault via malformed gzip data (bsc#1184522).
- CVE-2018-20679: Fixed out of bounds read in udhcp (bsc#1121426).
- CVE-2018-1000517: Fixed heap-based buffer overflow in the retrieve_file_data() (bsc#1099260).
- CVE-2011-5325: Fixed tar directory traversal (bsc#951562).
- CVE-2018-1000500: Fixed missing SSL certificate validation in wget (bsc#1099263).
- Update to 1.35.0
- awk: fix printf %%, fix read beyond end of buffer
- chrt: silence analyzer warning
- libarchive: remove duplicate forward declaration
- mount: 'mount -o rw ....' should not fall back to RO mount
- ps: fix -o pid=PID,args interpreting entire 'PID,args' as header
- tar: prevent malicious archives with long name sizes causing OOM
- udhcpc6: fix udhcp_find_option to actually find DHCP6 options
- xxd: fix -p -r
- support for new optoins added to basename, cpio, date, find,
mktemp, wget and others
- Enable fdisk (jsc#CAR-16)
- Update to 1.34.1:
* build system: use SOURCE_DATE_EPOCH for timestamp if available
* many bug fixes and new features
* touch: make FEATURE_TOUCH_NODEREF unconditional
- update to 1.33.1:
* httpd: fix sendfile
* ash: fix HISTFILE corruptio
* ash: fix unset variable pattern expansion
* traceroute: fix option parsing
* gunzip: fix for archive corruption
- Update to version 1.33.0
- many bug fixes and new features
- Update to version 1.32.1
- fixes a case where in ash, 'wait' never finishes.
- prepare usrmerge (bsc#1029961)
- Enable testsuite and package it for later rerun (for QA, jsc#CAR-15)
- Update to version 1.31.1:
+ Bug fix release. 1.30.1 has fixes for dc, ash (PS1 expansion
fix), hush, dpkg-deb, telnet and wget.
- Changes from version 1.31.0:
+ many bugfixes and new features.
- Add busybox-no-stime.patch: stime() has been deprecated in glibc
2.31 and replaced with clock_settime().
- update to 1.25.1:
* fixes for hush, gunzip, ip route, ntpd
- includes changes from 1.25.0:
* many added and expanded implementations of command options
- includes changes from 1.24.2:
* fixes for build system (static build with glibc fixed),
truncate, gunzip and unzip.
- Update to version 1.24.1
* for a full list of changes see http://www.busybox.net/news.html
- Refresh busybox.install.patch
- Update to 1.23.2
* for a full list of changes see http://www.busybox.net/news.html
- Cleaned up spec file with spec-cleaner
- Refreshed patches
- update to 1.22.1:
Many updates and fixes for most included tools, see
see http://www.busybox.net/news.html
ImportantSUSE bug 1029961SUSE bug 1064976SUSE bug 1064978SUSE bug 1069412SUSE bug 1099260SUSE bug 1099263SUSE bug 1102912SUSE bug 1121426SUSE bug 1121428SUSE bug 1184522SUSE bug 1191514SUSE bug 1192869SUSE bug 914660SUSE bug 951562SUSE bug 970662SUSE bug 970663SUSE bug 991940CVE-2011-5325 at SUSECVE-2011-5325 at NVDCVE-2014-9645 at SUSECVE-2014-9645 at NVDCVE-2015-9261 at SUSECVE-2015-9261 at NVDCVE-2016-2147 at SUSECVE-2016-2147 at NVDCVE-2016-2148 at SUSECVE-2016-2148 at NVDCVE-2016-6301 at SUSECVE-2016-6301 at NVDCVE-2017-15873 at SUSECVE-2017-15873 at NVDCVE-2017-15874 at SUSECVE-2017-15874 at NVDCVE-2017-16544 at SUSECVE-2017-16544 at NVDCVE-2018-1000500 at SUSECVE-2018-1000500 at NVDCVE-2018-1000517 at SUSECVE-2018-1000517 at NVDCVE-2018-20679 at SUSECVE-2018-20679 at NVDCVE-2019-5747 at SUSECVE-2019-5747 at NVDCVE-2021-28831 at SUSECVE-2021-28831 at NVDCVE-2021-42373 at SUSECVE-2021-42373 at NVDCVE-2021-42374 at SUSECVE-2021-42374 at NVDCVE-2021-42375 at SUSECVE-2021-42375 at NVDCVE-2021-42376 at SUSECVE-2021-42376 at NVDCVE-2021-42377 at SUSECVE-2021-42377 at NVDCVE-2021-42378 at SUSECVE-2021-42378 at NVDCVE-2021-42379 at SUSECVE-2021-42379 at NVDCVE-2021-42380 at SUSECVE-2021-42380 at NVDCVE-2021-42381 at SUSECVE-2021-42381 at NVDCVE-2021-42382 at SUSECVE-2021-42382 at NVDCVE-2021-42383 at SUSECVE-2021-42383 at NVDCVE-2021-42384 at SUSECVE-2021-42384 at NVDCVE-2021-42385 at SUSECVE-2021-42385 at NVDCVE-2021-42386 at SUSECVE-2021-42386 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for git (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for git fixes the following issues:
- CVE-2022-39260: Fixed overflow in split_cmdline() (bsc#1204456).
- CVE-2022-39253: Fixed dereference issue with symbolic links via the `--local` clone mechanism (bsc#1204455).
ModerateSUSE bug 1204455SUSE bug 1204456CVE-2022-39253 at SUSECVE-2022-39253 at NVDCVE-2022-39260 at SUSECVE-2022-39260 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for binutils (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for binutils fixes the following issues:
The following security bugs were fixed:
- CVE-2019-1010204: Fixed out-of-bounds read in elfcpp/elfcpp_file.h (bsc#1142579).
- CVE-2021-3530: Fixed stack-based buffer overflow in demangle_path() in rust-demangle.c (bsc#1185597).
- CVE-2021-3648: Fixed infinite loop while demangling rust symbols (bsc#1188374).
- CVE-2021-3826: Fixed heap/stack buffer overflow in the dlang_lname function in d-demangle.c (bsc#1202969).
- CVE-2021-45078: Fixed out-of-bounds write in stab_xcoff_builtin_type() in stabs.c (bsc#1193929).
- CVE-2021-46195: Fixed uncontrolled recursion in libiberty/rust-demangle.c (bsc#1194783).
- CVE-2022-27943: Fixed stack exhaustion in demangle_const in (bsc#1197592).
- CVE-2022-38126: Fixed assertion fail in the display_debug_names() function in binutils/dwarf.c (bsc#1202966).
- CVE-2022-38127: Fixed NULL pointer dereference in the read_and_display_attr_value() function in binutils/dwarf.c (bsc#1202967).
- CVE-2022-38533: Fixed heap out-of-bounds read in bfd_getl32 (bsc#1202816).
The following non-security bugs were fixed:
- SLE toolchain update of binutils, update to 2.39 from 2.37.
- Update to 2.39:
* The ELF linker will now generate a warning message if the stack is made
executable. Similarly it will warn if the output binary contains a
segment with all three of the read, write and execute permission
bits set. These warnings are intended to help developers identify
programs which might be vulnerable to attack via these executable
memory regions.
The warnings are enabled by default but can be disabled via a command
line option. It is also possible to build a linker with the warnings
disabled, should that be necessary.
* The ELF linker now supports a --package-metadata option that allows
embedding a JSON payload in accordance to the Package Metadata
specification.
* In linker scripts it is now possible to use TYPE=<type> in an output
section description to set the section type value.
* The objdump program now supports coloured/colored syntax
highlighting of its disassembler output for some architectures.
(Currently: AVR, RiscV, s390, x86, x86_64).
* The nm program now supports a --no-weak/-W option to make it ignore
weak symbols.
* The readelf and objdump programs now support a -wE option to prevent
them from attempting to access debuginfod servers when following
links.
* The objcopy program's --weaken, --weaken-symbol, and
--weaken-symbols options now works with unique symbols as well.
- Update to 2.38:
* elfedit: Add --output-abiversion option to update ABIVERSION.
* Add support for the LoongArch instruction set.
* Tools which display symbols or strings (readelf, strings, nm, objdump)
have a new command line option which controls how unicode characters are
handled. By default they are treated as normal for the tool. Using
--unicode=locale will display them according to the current locale.
Using --unicode=hex will display them as hex byte values, whilst
--unicode=escape will display them as escape sequences. In addition
using --unicode=highlight will display them as unicode escape sequences
highlighted in red (if supported by the output device).
* readelf -r dumps RELR relative relocations now.
* Support for efi-app-aarch64, efi-rtdrv-aarch64 and efi-bsdrv-aarch64 has been
added to objcopy in order to enable UEFI development using binutils (bsc#1198458).
* ar: Add --thin for creating thin archives. -T is a deprecated alias without
diagnostics. In many ar implementations -T has a different meaning, as
specified by X/Open System Interface.
* Add support for AArch64 system registers that were missing in previous
releases.
* Add support for the LoongArch instruction set.
* Add a command-line option, -muse-unaligned-vector-move, for x86 target
to encode aligned vector move as unaligned vector move.
* Add support for Cortex-R52+ for Arm.
* Add support for Cortex-A510, Cortex-A710, Cortex-X2 for AArch64.
* Add support for Cortex-A710 for Arm.
* Add support for Scalable Matrix Extension (SME) for AArch64.
* The --multibyte-handling=[allow|warn|warn-sym-only] option tells the
assembler what to when it encoutners multibyte characters in the input. The
default is to allow them. Setting the option to 'warn' will generate a
warning message whenever any multibyte character is encountered. Using the
option to 'warn-sym-only' will make the assembler generate a warning whenever a
symbol is defined containing multibyte characters. (References to undefined
symbols will not generate warnings).
* Outputs of .ds.x directive and .tfloat directive with hex input from
x86 assembler have been reduced from 12 bytes to 10 bytes to match the
output of .tfloat directive.
* Add support for 'armv8.8-a', 'armv9-a', 'armv9.1-a', 'armv9.2-a' and
'armv9.3-a' for -march in AArch64 GAS.
* Add support for 'armv8.7-a', 'armv8.8-a', 'armv9-a', 'armv9.1-a',
'armv9.2-a' and 'armv9.3-a' for -march in Arm GAS.
* Add support for Intel AVX512_FP16 instructions.
* Add -z pack-relative-relocs/-z no pack-relative-relocs to x86 ELF
linker to pack relative relocations in the DT_RELR section.
* Add support for the LoongArch architecture.
* Add -z indirect-extern-access/-z noindirect-extern-access to x86 ELF
linker to control canonical function pointers and copy relocation.
* Add --max-cache-size=SIZE to set the the maximum cache size to SIZE
bytes.
- Fixed regression that prevented .ko.debug to be loaded in crash tool (bsc#1191908).
- Explicitly enable --enable-warn-execstack=yes and --enable-warn-rwx-segments=yes.
- Add gprofng subpackage.
- Include recognition of 'z16' name for 'arch14' on s390. (bsc#1198237).
- Add back fix for bsc#1191473, which got lost in the update to 2.38.
- Install symlinks for all target specific tools on arm-eabi-none (bsc#1185712).
- Enable PRU architecture for AM335x CPU (Beagle Bone Black board)
ImportantSUSE bug 1142579SUSE bug 1185597SUSE bug 1185712SUSE bug 1188374SUSE bug 1191473SUSE bug 1191908SUSE bug 1193929SUSE bug 1194783SUSE bug 1197592SUSE bug 1198237SUSE bug 1198458SUSE bug 1202816SUSE bug 1202966SUSE bug 1202967SUSE bug 1202969CVE-2019-1010204 at SUSECVE-2019-1010204 at NVDCVE-2021-3530 at SUSECVE-2021-3530 at NVDCVE-2021-3648 at SUSECVE-2021-3648 at NVDCVE-2021-3826 at SUSECVE-2021-3826 at NVDCVE-2021-45078 at SUSECVE-2021-45078 at NVDCVE-2021-46195 at SUSECVE-2021-46195 at NVDCVE-2022-27943 at SUSECVE-2022-27943 at NVDCVE-2022-38126 at SUSECVE-2022-38126 at NVDCVE-2022-38127 at SUSECVE-2022-38127 at NVDCVE-2022-38533 at SUSECVE-2022-38533 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
Security fixes:
- CVE-2022-32888: Fixed possible arbitrary code execution via maliciously crafted web content (bsc#1205121).
- CVE-2022-32923: Fixed possible information leak via maliciously crafted web content (bsc#1205122).
- CVE-2022-42799: Fixed user interface spoofing when visiting a malicious website (bsc#1205123).
- CVE-2022-42823: Fixed possible arbitrary code execution via maliciously crafted web content (bsc#1205120).
- CVE-2022-42824: Fixed possible sensitive user information leak via maliciously crafted web content (bsc#1205124).
Update to version 2.38.2:
- Fix scrolling issues in some sites having fixed background.
- Fix prolonged buffering during progressive live playback.
- Fix the build with accessibility disabled.
- Fix several crashes and rendering issues.
Update to version 2.38.1:
- Make xdg-dbus-proxy work if host session bus address is an
abstract socket.
- Use a single xdg-dbus-proxy process when sandbox is enabled.
- Fix high resolution video playback due to unimplemented
changeType operation.
- Ensure GSubprocess uses posix_spawn() again and inherit file
descriptors.
- Fix player stucking in buffering (paused) state for progressive
streaming.
- Do not try to preconnect on link click when link preconnect
setting is disabled.
- Fix close status code returned when the client closes a
WebSocket in some cases.
- Fix media player duration calculation.
- Fix several crashes and rendering issues.
Update to version 2.38.0:
- New media controls UI style.
- Add new API to set WebView's Content-Security-Policy for web
extensions support.
- Make it possible to use the remote inspector from other
browsers using WEBKIT_INSPECTOR_HTTP_SERVER env var.
- MediaSession is enabled by default, allowing remote media
control using MPRIS.
- Add support for PDF documents using PDF.js.
ImportantSUSE bug 1205120SUSE bug 1205121SUSE bug 1205122SUSE bug 1205123SUSE bug 1205124CVE-2022-32888 at SUSECVE-2022-32888 at NVDCVE-2022-32923 at SUSECVE-2022-32923 at NVDCVE-2022-42799 at SUSECVE-2022-42799 at NVDCVE-2022-42823 at SUSECVE-2022-42823 at NVDCVE-2022-42824 at SUSECVE-2022-42824 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libmspack (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libmspack fixes the following issues:
- CVE-2018-18586: Add leading slash protection to chmextract. (bsc#1113040)
ModerateSUSE bug 1113040CVE-2018-18586 at SUSECVE-2018-18586 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for opencc (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for opencc fixes the following issues:
- CVE-2018-16982: Fixed out-of-bounds keyOffset and valueOffset values in BinaryDict.cpp. (bsc#1108310)
LowSUSE bug 1108310CVE-2018-16982 at SUSECVE-2018-16982 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libdb-4_8 (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libdb-4_8 fixes the following issues:
- CVE-2019-2708: Fixed partial DoS due to data store execution (bsc#1174414).
LowSUSE bug 1174414CVE-2019-2708 at SUSECVE-2019-2708 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-ibm fixes the following issues:
- CVE-2022-21626: An unauthenticated attacker with network access via HTTPS can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition (bsc#1204471).
- CVE-2022-21618: An unauthenticated attacker with network access via Kerberos can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition (bsc#1204468).
- CVE-2022-21619: An unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE (bsc#1204473).
- CVE-2022-21628: An unauthenticated attacker with network access via HTTP can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition (bsc#1204472).
- CVE-2022-21624: An unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise (bsc#1204475).
- CVE-2022-39399: An unauthenticated attacker with network access via HTTP can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition (bsc#1204480).
- Update to Java 8.0 Service Refresh 7 Fix Pack 20 [bsc#1205302]
* Security:
- The IBM ORB Does Not Support Object-Serialisation Data Filtering
- Large Allocation In CipherSuite
- Avoid Evaluating Sslalgorithmconstraints Twice
- Cache The Results Of Constraint Checks
- An incorrect ShortBufferException is thrown by IBMJCEPlus,
IBMJCEPlusFIPS during cipher update operation
- Disable SHA-1 Signed Jars For Ea
- JSSE Performance Improvement
- Oracle Road Map Kerberos Deprecation Of 3DES And RC4 Encryption
* Java 8/Orb:
- Upgrade ibmcfw.jar To Version o2228.02
* Class Libraries:
- Crash In Libjsor.So During An Rdma Failover
- High CPU Consumption Observed In ZosEventPort$EventHandlerTask.run
- Update Timezone Information To The Latest tzdata2022c
* Jit Compiler:
- Crash During JIT Compilation
- Incorrect JIT Optimization Of Java Code
- Incorrect Return From Class.isArray()
- Unexpected ClassCastException
- Performance Regression When Calling VM Helper Code On X86
* X/Os Extentions:
- Add RSA-OAEP Cipher Function To IBMJCECCA
- Update to Java 8.0 Service Refresh 7 Fix Pack 16
* Java Virtual Machine
- Assertion failure at ClassLoaderRememberedSet.cpp
- Assertion failure at StandardAccessBarrier.cpp when
-Xgc:concurrentScavenge is set.
- GC can have unflushed ownable synchronizer objects which
can eventually lead to heap corruption and failure when
-Xgc:concurrentScavenge is set.
* JIT Compiler:
- Incorrect JIT optimization of Java code
- JAVA JIT Power: JIT compile time assert on AIX or LINUXPPC
* Reliability and Serviceability:
- javacore with 'kill -3' SIGQUIT signal freezes Java process
ModerateSUSE bug 1204468SUSE bug 1204471SUSE bug 1204472SUSE bug 1204473SUSE bug 1204475SUSE bug 1204480SUSE bug 1205302CVE-2022-21618 at SUSECVE-2022-21618 at NVDCVE-2022-21619 at SUSECVE-2022-21619 at NVDCVE-2022-21624 at SUSECVE-2022-21624 at NVDCVE-2022-21626 at SUSECVE-2022-21626 at NVDCVE-2022-21628 at SUSECVE-2022-21628 at NVDCVE-2022-39399 at SUSECVE-2022-39399 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for supportutils (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for supportutils fixes the following issues:
Security issues fixed:
- Passwords correctly removed from email.txt, updates.txt and fs-iscsi.txt (bsc#1203818)
ModerateSUSE bug 1203818cpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for emacs (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for emacs fixes the following issues:
- CVE-2022-45939: Fixed shell command injection via source code files when using ctags (bsc#1205822).
ImportantSUSE bug 1205822CVE-2022-45939 at SUSECVE-2022-45939 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for LibVNCServer (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for LibVNCServer fixes the following issues:
- CVE-2020-29260: Fixed memory leakage via rfbClientCleanup() (bsc#1203106).
ModerateSUSE bug 1170916SUSE bug 1203106SUSE bug 1204127SUSE bug 1204129CVE-2020-29260 at SUSECVE-2020-29260 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for bcel (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for bcel fixes the following issues:
- CVE-2022-42920: Fixed producing arbitrary bytecode via out-of-bounds writing (bsc#1205125).
ModerateSUSE bug 1205125CVE-2022-42920 at SUSECVE-2022-42920 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for krb5 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for krb5 fixes the following issues:
- CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126).
ImportantSUSE bug 1205126CVE-2022-42898 at SUSECVE-2022-42898 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for busybox (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for busybox fixes the following issues:
- CVE-2022-30065: Fixed use-after-free in the AWK applet (bsc#1199744).
ModerateSUSE bug 1199744CVE-2022-30065 at SUSECVE-2022-30065 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-openjdk (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-openjdk fixes the following issues:
Update to version jdk8u352 (icedtea-3.25.0):
- CVE-2022-21619,CVE-2022-21624: Fixed difficult to exploit vulnerability allows unauthenticated attacker with network access and can cause unauthorized update, insert or delete access via multiple protocols (bsc#1204473,bsc#1204475).
- CVE-2022-21626: Fixed easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to cause partial denial of service (bsc#1204471).
- CVE-2022-21628: Fixed easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to cause partial denial of service (bsc#1204472).
ModerateSUSE bug 1204471SUSE bug 1204472SUSE bug 1204473SUSE bug 1204475CVE-2022-21619 at SUSECVE-2022-21619 at NVDCVE-2022-21624 at SUSECVE-2022-21624 at NVDCVE-2022-21626 at SUSECVE-2022-21626 at NVDCVE-2022-21628 at SUSECVE-2022-21628 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for nautilus (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for nautilus fixes the following issues:
- CVE-2022-37290: Fixed a denial of service caused by pasted ZIP archives (bsc#1205418).
ModerateSUSE bug 1205418CVE-2022-37290 at SUSECVE-2022-37290 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for colord (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for colord fixes the following issues:
- CVE-2021-42523: Fixed a small memory leak in sqlite3_exec (bsc#1202802).
ModerateSUSE bug 1202802CVE-2021-42523 at SUSECVE-2021-42523 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 102.6.0 ESR (bsc#1206242):
- CVE-2022-46880: Use-after-free in WebGL
- CVE-2022-46872: Arbitrary file read from a compromised content process
- CVE-2022-46881: Memory corruption in WebGL
- CVE-2022-46874: Drag and Dropped Filenames could have been truncated to malicious extensions
- CVE-2022-46875: Download Protections were bypassed by .atloc and .ftploc files on Mac OS
- CVE-2022-46882: Use-after-free in WebGL
- CVE-2022-46878: Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6
ImportantSUSE bug 1206242CVE-2022-46872 at SUSECVE-2022-46872 at NVDCVE-2022-46874 at SUSECVE-2022-46874 at NVDCVE-2022-46875 at SUSECVE-2022-46875 at NVDCVE-2022-46878 at SUSECVE-2022-46878 at NVDCVE-2022-46880 at SUSECVE-2022-46880 at NVDCVE-2022-46881 at SUSECVE-2022-46881 at NVDCVE-2022-46882 at SUSECVE-2022-46882 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for zabbix (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for zabbix fixes the following issues:
- CVE-2022-43515: X-Forwarded-For header is active by default causes access to Zabbix sites in maintenance mode (bsc#1206083).
ModerateSUSE bug 1206083CVE-2022-43515 at SUSECVE-2022-43515 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xorg-x11-server fixes the following issues:
- CVE-2022-46340: Server XTestSwapFakeInput stack overflow (bsc#1205874)
- CVE-2022-46341: Server XIPassiveUngrabDevice out-of-bounds access (bsc#1205877)
- CVE-2022-46342: Server XvdiSelectVideoNotify use-after-free (bsc#1205879)
- CVE-2022-46343: Server ScreenSaverSetAttributes use-after-free (bsc#1205878)
- CVE-2022-46344: Server XIChangeProperty out-of-bounds access (bsc#1205876)
- CVE-2022-4283: Reset the radio_groups pointer to NULL after freeing it (bsc#1206017)
- Xi: return an error from XI property changes if verification failed (bsc#1205875)
ImportantSUSE bug 1205874SUSE bug 1205875SUSE bug 1205876SUSE bug 1205877SUSE bug 1205878SUSE bug 1205879SUSE bug 1206017CVE-2022-4283 at SUSECVE-2022-4283 at NVDCVE-2022-46340 at SUSECVE-2022-46340 at NVDCVE-2022-46341 at SUSECVE-2022-46341 at NVDCVE-2022-46342 at SUSECVE-2022-46342 at NVDCVE-2022-46343 at SUSECVE-2022-46343 at NVDCVE-2022-46344 at SUSECVE-2022-46344 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for java-1_7_1-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_7_1-ibm fixes the following issues:
IBM Security Update November 2022: (bsc#1205302, bsc#1204703)
- CVE-2022-3676: A security vulnerability was fixed in version 7.1.5.15, adding the reference here.
ModerateSUSE bug 1204703SUSE bug 1205302CVE-2022-3676 at SUSECVE-2022-3676 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for curl (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for curl fixes the following issues:
- CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309).
ModerateSUSE bug 1206309CVE-2022-43552 at SUSECVE-2022-43552 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-ibm fixes the following issues:
IBM Security Update November 2022: (bsc#1205302, bsc#1204703)
- CVE-2022-3676: A security vulnerability was fixed in version 8.0.7.20, adding the reference here.
ModerateSUSE bug 1204703SUSE bug 1205302CVE-2022-3676 at SUSECVE-2022-3676 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for sqlite3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for sqlite3 fixes the following issues:
- CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism,
when relying on --safe for execution of an untrusted CLI script (bsc#1206337).
ModerateSUSE bug 1206337CVE-2022-46908 at SUSECVE-2022-46908 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for vim (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for vim fixes the following issues:
Updated to version 9.0.0814:
* Fixing bsc#1192478 VUL-1: CVE-2021-3928: vim: vim is vulnerable to Stack-based Buffer Overflow
* Fixing bsc#1203508 VUL-0: CVE-2022-3234: vim: Heap-based Buffer Overflow prior to 9.0.0483.
* Fixing bsc#1203509 VUL-1: CVE-2022-3235: vim: Use After Free in GitHub prior to 9.0.0490.
* Fixing bsc#1203820 VUL-0: CVE-2022-3324: vim: Stack-based Buffer Overflow in prior to 9.0.0598.
* Fixing bsc#1204779 VUL-0: CVE-2022-3705: vim: use after free in function qf_update_buffer of the file quickfix.c
* Fixing bsc#1203152 VUL-1: CVE-2022-2982: vim: use after free in qf_fill_buffer()
* Fixing bsc#1203796 VUL-1: CVE-2022-3296: vim: stack out of bounds read in ex_finally() in ex_eval.c
* Fixing bsc#1203797 VUL-1: CVE-2022-3297: vim: use-after-free in process_next_cpt_value() at insexpand.c
* Fixing bsc#1203110 VUL-1: CVE-2022-3099: vim: Use After Free in ex_docmd.c
* Fixing bsc#1203194 VUL-1: CVE-2022-3134: vim: use after free in do_tag()
* Fixing bsc#1203272 VUL-1: CVE-2022-3153: vim: NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0404.
* Fixing bsc#1203799 VUL-1: CVE-2022-3278: vim: NULL pointer dereference in eval_next_non_blank() in eval.c
* Fixing bsc#1203924 VUL-1: CVE-2022-3352: vim: vim: use after free
* Fixing bsc#1203155 VUL-1: CVE-2022-2980: vim: null pointer dereference in do_mouse()
* Fixing bsc#1202962 VUL-1: CVE-2022-3037: vim: Use After Free in vim prior to 9.0.0321
* Fixing bsc#1200884 Vim: Error on startup
* Fixing bsc#1200902 VUL-0: CVE-2022-2183: vim: Out-of-bounds Read through get_lisp_indent() Mon 13:32
* Fixing bsc#1200903 VUL-0: CVE-2022-2182: vim: Heap-based Buffer Overflow through parse_cmd_address() Tue 08:37
* Fixing bsc#1200904 VUL-0: CVE-2022-2175: vim: Buffer Over-read through cmdline_insert_reg() Tue 08:37
* Fixing bsc#1201249 VUL-0: CVE-2022-2304: vim: stack buffer overflow in spell_dump_compl()
* Fixing bsc#1201356 VUL-1: CVE-2022-2343: vim: Heap-based Buffer Overflow in GitHub repository vim prior to 9.0.0044
* Fixing bsc#1201359 VUL-1: CVE-2022-2344: vim: Another Heap-based Buffer Overflow vim prior to 9.0.0045
* Fixing bsc#1201363 VUL-1: CVE-2022-2345: vim: Use After Free in GitHub repository vim prior to 9.0.0046.
* Fixing bsc#1201620 vim: SLE-15-SP4-Full-x86_64-GM-Media1 and vim-plugin-tlib-1.27-bp154.2.18.noarch issue
* Fixing bsc#1202414 VUL-1: CVE-2022-2819: vim: Heap-based Buffer Overflow in compile_lock_unlock()
* Fixing bsc#1202552 VUL-1: CVE-2022-2874: vim: NULL Pointer Dereference in generate_loadvar()
* Fixing bsc#1200270 VUL-1: CVE-2022-1968: vim: use after free in utf_ptr2char
* Fixing bsc#1200697 VUL-1: CVE-2022-2124: vim: out of bounds read in current_quote()
* Fixing bsc#1200698 VUL-1: CVE-2022-2125: vim: out of bounds read in get_lisp_indent()
* Fixing bsc#1200700 VUL-1: CVE-2022-2126: vim: out of bounds read in suggest_trie_walk()
* Fixing bsc#1200701 VUL-1: CVE-2022-2129: vim: out of bounds write in vim_regsub_both()
* Fixing bsc#1200732 VUL-1: CVE-2022-1720: vim: out of bounds read in grab_file_name()
* Fixing bsc#1201132 VUL-1: CVE-2022-2264: vim: out of bounds read in inc()
* Fixing bsc#1201133 VUL-1: CVE-2022-2284: vim: out of bounds read in utfc_ptr2len()
* Fixing bsc#1201134 VUL-1: CVE-2022-2285: vim: negative size passed to memmove() due to integer overflow
* Fixing bsc#1201135 VUL-1: CVE-2022-2286: vim: out of bounds read in ins_bytes()
* Fixing bsc#1201136 VUL-1: CVE-2022-2287: vim: out of bounds read in suggest_trie_walk()
* Fixing bsc#1201150 VUL-1: CVE-2022-2231: vim: null pointer dereference skipwhite()
* Fixing bsc#1201151 VUL-1: CVE-2022-2210: vim: out of bounds read in ml_append_int()
* Fixing bsc#1201152 VUL-1: CVE-2022-2208: vim: null pointer dereference in diff_check()
* Fixing bsc#1201153 VUL-1: CVE-2022-2207: vim: out of bounds read in ins_bs()
* Fixing bsc#1201154 VUL-1: CVE-2022-2257: vim: out of bounds read in msg_outtrans_special()
* Fixing bsc#1201155 VUL-1: CVE-2022-2206: vim: out of bounds read in msg_outtrans_attr()
* Fixing bsc#1201863 VUL-1: CVE-2022-2522: vim: out of bounds read via nested autocommand
* Fixing bsc#1202046 VUL-1: CVE-2022-2571: vim: Heap-based Buffer Overflow related to ins_comp_get_next_word_or_line()
* Fixing bsc#1202049 VUL-1: CVE-2022-2580: vim: Heap-based Buffer Overflow related to eval_string()
* Fixing bsc#1202050 VUL-1: CVE-2022-2581: vim: Out-of-bounds Read related to cstrchr()
* Fixing bsc#1202051 VUL-1: CVE-2022-2598: vim: Undefined Behavior for Input to API related to diff_mark_adjust_tp() and ex_diffgetput()
* Fixing bsc#1202420 VUL-1: CVE-2022-2817: vim: Use After Free in f_assert_fails()
* Fixing bsc#1202421 VUL-1: CVE-2022-2816: vim: Out-of-bounds Read in check_vim9_unlet()
* Fixing bsc#1202511 VUL-1: CVE-2022-2862: vim: use-after-free in compile_nested_function()
* Fixing bsc#1202512 VUL-1: CVE-2022-2849: vim: Invalid memory access related to mb_ptr2len()
* Fixing bsc#1202515 VUL-1: CVE-2022-2845: vim: Buffer Over-read related to display_dollar()
* Fixing bsc#1202599 VUL-1: CVE-2022-2889: vim: use-after-free in find_var_also_in_script() in evalvars.c
* Fixing bsc#1202687 VUL-1: CVE-2022-2923: vim: NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0240
* Fixing bsc#1202689 VUL-1: CVE-2022-2946: vim: use after free in function vim_vsnprintf_typval
* Fixing bsc#1202862 VUL-1: CVE-2022-3016: vim: Use After Free in vim prior to 9.0.0285 Mon 12:00
* Fixing bsc#1191770 VUL-0: CVE-2021-3875: vim: heap-based buffer overflow
* Fixing bsc#1192167 VUL-0: CVE-2021-3903: vim: heap-based buffer overflow
* Fixing bsc#1192902 VUL-0: CVE-2021-3968: vim: vim is vulnerable to
Heap-based Buffer Overflow
* Fixing bsc#1192903 VUL-0: CVE-2021-3973: vim: vim is vulnerable to
Heap-based Buffer Overflow
* Fixing bsc#1192904 VUL-0: CVE-2021-3974: vim: vim is vulnerable to Use
After Free
* Fixing bsc#1193466 VUL-1: CVE-2021-4069: vim: use-after-free in ex_open()
in src/ex_docmd.c
* Fixing bsc#1193905 VUL-0: CVE-2021-4136: vim: vim is vulnerable to
Heap-based Buffer Overflow
* Fixing bsc#1194093 VUL-1: CVE-2021-4166: vim: vim is vulnerable to
Out-of-bounds Read
* Fixing bsc#1194216 VUL-1: CVE-2021-4193: vim: vulnerable to
Out-of-bounds Read
* Fixing bsc#1194217 VUL-0: CVE-2021-4192: vim: vulnerable to Use After Free
* Fixing bsc#1194872 VUL-0: CVE-2022-0261: vim: Heap-based Buffer Overflow
in vim prior to 8.2.
* Fixing bsc#1194885 VUL-0: CVE-2022-0213: vim: vim is vulnerable to
Heap-based Buffer Overflow
* Fixing bsc#1195004 VUL-0: CVE-2022-0318: vim: Heap-based Buffer Overflow in
vim prior to 8.2.
* Fixing bsc#1195203 VUL-0: CVE-2022-0359: vim: heap-based buffer overflow in
init_ccline() in ex_getln.c
* Fixing bsc#1195354 VUL-0: CVE-2022-0407: vim: Heap-based Buffer Overflow in
Conda vim prior to 8.2.
* Fixing bsc#1198596 VUL-0: CVE-2022-1381: vim: global heap buffer overflow
in skip_range
* Fixing bsc#1199331 VUL-0: CVE-2022-1616: vim: Use after free in
append_command
* Fixing bsc#1199333 VUL-0: CVE-2022-1619: vim: Heap-based Buffer Overflow in
function cmdline_erase_chars
* Fixing bsc#1199334 VUL-0: CVE-2022-1620: vim: NULL Pointer Dereference in
function vim_regexec_string
* Fixing bsc#1199747 VUL-0: CVE-2022-1796: vim: Use After in
find_pattern_in_path
* Fixing bsc#1200010 VUL-0: CVE-2022-1897: vim: Out-of-bounds Write in vim
* Fixing bsc#1200011 VUL-0: CVE-2022-1898: vim: Use After Free in vim prior
to 8.2
* Fixing bsc#1200012 VUL-0: CVE-2022-1927: vim: Buffer Over-read in vim prior
to 8.2
* Fixing bsc#1070955 VUL-1: CVE-2017-17087: vim: Sets the group ownership of a
.swp file to the editor's primary group, which allows local users to obtain
sensitive information
* Fixing bsc#1194388 VUL-1: CVE-2022-0128: vim: vim is vulnerable to
Out-of-bounds Read
* Fixing bsc#1195332 VUL-1: CVE-2022-0392: vim: Heap-based Buffer Overflow
in vim prior to 8.2
* Fixing bsc#1196361 VUL-1: CVE-2022-0696: vim: NULL Pointer Dereference in
vim prior to 8.2
* Fixing bsc#1198748 VUL-1: CVE-2022-1420: vim: Out-of-range Pointer Offset
* Fixing bsc#1199651 VUL-1: CVE-2022-1735: vim: heap buffer overflow
* Fixing bsc#1199655 VUL-1: CVE-2022-1733: vim: Heap-based Buffer Overflow in
cindent.c
* Fixing bsc#1199693 VUL-1: CVE-2022-1771: vim: stack exhaustion in vim prior
to 8.2.
* Fixing bsc#1199745 VUL-1: CVE-2022-1785: vim: Out-of-bounds Write
* Fixing bsc#1199936 VUL-1: CVE-2022-1851: vim: out of bounds read
* Fixing bsc#1195004 - (CVE-2022-0318) VUL-0: CVE-2022-0318: vim: Heap-based Buffer Overflow in vim prior to 8.2.
* Fixing bsc#1190570 CVE-2021-3796: vim: use-after-free in nv_replace() in normal.c
* Fixing bsc#1191893 CVE-2021-3872: vim: heap-based buffer overflow in win_redr_status() drawscreen.c
* Fixing bsc#1192481 CVE-2021-3927: vim: vim is vulnerable to Heap-based Buffer Overflow
* Fixing bsc#1192478 CVE-2021-3928: vim: vim is vulnerable to Stack-based Buffer Overflow
* Fixing bsc#1193294 CVE-2021-4019: vim: vim is vulnerable to Heap-based Buffer Overflow
* Fixing bsc#1193298 CVE-2021-3984: vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow
* Fixing bsc#1190533 CVE-2021-3778: vim: Heap-based Buffer Overflow in regexp_nfa.c
* Fixing bsc#1194216 CVE-2021-4193: vim: vulnerable to Out-of-bounds Read
* Fixing bsc#1194556 CVE-2021-46059: vim: A Pointer Dereference vulnerability
exists in Vim 8.2.3883 via the vim_regexec_multi function at regexp.c, which causes a denial of service.
* Fixing bsc#1195066 CVE-2022-0319: vim: Out-of-bounds Read in vim/vim prior to 8.2.
* Fixing bsc#1195126 CVE-2022-0351: vim: uncontrolled recursion in eval7()
* Fixing bsc#1195202 CVE-2022-0361: vim: Heap-based Buffer Overflow in vim prior to 8.2.
* Fixing bsc#1195356 CVE-2022-0413: vim: use after free in src/ex_cmds.c
ModerateSUSE bug 1070955SUSE bug 1173256SUSE bug 1174564SUSE bug 1176549SUSE bug 1182324SUSE bug 1190533SUSE bug 1190570SUSE bug 1191770SUSE bug 1191893SUSE bug 1192167SUSE bug 1192478SUSE bug 1192481SUSE bug 1192902SUSE bug 1192903SUSE bug 1192904SUSE bug 1193294SUSE bug 1193298SUSE bug 1193466SUSE bug 1193905SUSE bug 1194093SUSE bug 1194216SUSE bug 1194217SUSE bug 1194388SUSE bug 1194556SUSE bug 1194872SUSE bug 1194885SUSE bug 1195004SUSE bug 1195066SUSE bug 1195126SUSE bug 1195202SUSE bug 1195203SUSE bug 1195332SUSE bug 1195354SUSE bug 1195356SUSE bug 1196361SUSE bug 1198596SUSE bug 1198748SUSE bug 1199331SUSE bug 1199333SUSE bug 1199334SUSE bug 1199651SUSE bug 1199655SUSE bug 1199693SUSE bug 1199745SUSE bug 1199747SUSE bug 1199936SUSE bug 1200010SUSE bug 1200011SUSE bug 1200012SUSE bug 1200270SUSE bug 1200697SUSE bug 1200698SUSE bug 1200700SUSE bug 1200701SUSE bug 1200732SUSE bug 1200884SUSE bug 1200902SUSE bug 1200903SUSE bug 1200904SUSE bug 1201132SUSE bug 1201133SUSE bug 1201134SUSE bug 1201135SUSE bug 1201136SUSE bug 1201150SUSE bug 1201151SUSE bug 1201152SUSE bug 1201153SUSE bug 1201154SUSE bug 1201155SUSE bug 1201249SUSE bug 1201356SUSE bug 1201359SUSE bug 1201363SUSE bug 1201620SUSE bug 1201863SUSE bug 1202046SUSE bug 1202049SUSE bug 1202050SUSE bug 1202051SUSE bug 1202414SUSE bug 1202420SUSE bug 1202421SUSE bug 1202511SUSE bug 1202512SUSE bug 1202515SUSE bug 1202552SUSE bug 1202599SUSE bug 1202687SUSE bug 1202689SUSE bug 1202862SUSE bug 1202962SUSE bug 1203110SUSE bug 1203152SUSE bug 1203155SUSE bug 1203194SUSE bug 1203272SUSE bug 1203508SUSE bug 1203509SUSE bug 1203796SUSE bug 1203797SUSE bug 1203799SUSE bug 1203820SUSE bug 1203924SUSE bug 1204779CVE-2009-0316 at SUSECVE-2009-0316 at NVDCVE-2016-1248 at SUSECVE-2016-1248 at NVDCVE-2017-17087 at SUSECVE-2017-17087 at NVDCVE-2017-5953 at SUSECVE-2017-5953 at NVDCVE-2017-6349 at SUSECVE-2017-6349 at NVDCVE-2017-6350 at SUSECVE-2017-6350 at NVDCVE-2021-3778 at SUSECVE-2021-3778 at NVDCVE-2021-3796 at SUSECVE-2021-3796 at NVDCVE-2021-3872 at SUSECVE-2021-3872 at NVDCVE-2021-3875 at SUSECVE-2021-3875 at NVDCVE-2021-3903 at SUSECVE-2021-3903 at NVDCVE-2021-3927 at SUSECVE-2021-3927 at NVDCVE-2021-3928 at SUSECVE-2021-3928 at NVDCVE-2021-3968 at SUSECVE-2021-3968 at NVDCVE-2021-3973 at SUSECVE-2021-3973 at NVDCVE-2021-3974 at SUSECVE-2021-3974 at NVDCVE-2021-3984 at SUSECVE-2021-3984 at NVDCVE-2021-4019 at SUSECVE-2021-4019 at NVDCVE-2021-4069 at SUSECVE-2021-4069 at NVDCVE-2021-4136 at SUSECVE-2021-4136 at NVDCVE-2021-4166 at SUSECVE-2021-4166 at NVDCVE-2021-4192 at SUSECVE-2021-4192 at NVDCVE-2021-4193 at SUSECVE-2021-4193 at NVDCVE-2021-46059 at SUSECVE-2021-46059 at NVDCVE-2022-0128 at SUSECVE-2022-0128 at NVDCVE-2022-0213 at SUSECVE-2022-0213 at NVDCVE-2022-0261 at SUSECVE-2022-0261 at NVDCVE-2022-0318 at SUSECVE-2022-0318 at NVDCVE-2022-0319 at SUSECVE-2022-0319 at NVDCVE-2022-0351 at SUSECVE-2022-0351 at NVDCVE-2022-0359 at SUSECVE-2022-0359 at NVDCVE-2022-0361 at SUSECVE-2022-0361 at NVDCVE-2022-0392 at SUSECVE-2022-0392 at NVDCVE-2022-0407 at SUSECVE-2022-0407 at NVDCVE-2022-0413 at SUSECVE-2022-0413 at NVDCVE-2022-0696 at SUSECVE-2022-0696 at NVDCVE-2022-1381 at SUSECVE-2022-1381 at NVDCVE-2022-1420 at SUSECVE-2022-1420 at NVDCVE-2022-1616 at SUSECVE-2022-1616 at NVDCVE-2022-1619 at SUSECVE-2022-1619 at NVDCVE-2022-1620 at SUSECVE-2022-1620 at NVDCVE-2022-1720 at SUSECVE-2022-1720 at NVDCVE-2022-1733 at SUSECVE-2022-1733 at NVDCVE-2022-1735 at SUSECVE-2022-1735 at NVDCVE-2022-1771 at SUSECVE-2022-1771 at NVDCVE-2022-1785 at SUSECVE-2022-1785 at NVDCVE-2022-1796 at SUSECVE-2022-1796 at NVDCVE-2022-1851 at SUSECVE-2022-1851 at NVDCVE-2022-1897 at SUSECVE-2022-1897 at NVDCVE-2022-1898 at SUSECVE-2022-1898 at NVDCVE-2022-1927 at SUSECVE-2022-1927 at NVDCVE-2022-1968 at SUSECVE-2022-1968 at NVDCVE-2022-2124 at SUSECVE-2022-2124 at NVDCVE-2022-2125 at SUSECVE-2022-2125 at NVDCVE-2022-2126 at SUSECVE-2022-2126 at NVDCVE-2022-2129 at SUSECVE-2022-2129 at NVDCVE-2022-2175 at SUSECVE-2022-2175 at NVDCVE-2022-2182 at SUSECVE-2022-2182 at NVDCVE-2022-2183 at SUSECVE-2022-2183 at NVDCVE-2022-2206 at SUSECVE-2022-2206 at NVDCVE-2022-2207 at SUSECVE-2022-2207 at NVDCVE-2022-2208 at SUSECVE-2022-2208 at NVDCVE-2022-2210 at SUSECVE-2022-2210 at NVDCVE-2022-2231 at SUSECVE-2022-2231 at NVDCVE-2022-2257 at SUSECVE-2022-2257 at NVDCVE-2022-2264 at SUSECVE-2022-2264 at NVDCVE-2022-2284 at SUSECVE-2022-2284 at NVDCVE-2022-2285 at SUSECVE-2022-2285 at NVDCVE-2022-2286 at SUSECVE-2022-2286 at NVDCVE-2022-2287 at SUSECVE-2022-2287 at NVDCVE-2022-2304 at SUSECVE-2022-2304 at NVDCVE-2022-2343 at SUSECVE-2022-2343 at NVDCVE-2022-2344 at SUSECVE-2022-2344 at NVDCVE-2022-2345 at SUSECVE-2022-2345 at NVDCVE-2022-2522 at SUSECVE-2022-2522 at NVDCVE-2022-2571 at SUSECVE-2022-2571 at NVDCVE-2022-2580 at SUSECVE-2022-2580 at NVDCVE-2022-2581 at SUSECVE-2022-2581 at NVDCVE-2022-2598 at SUSECVE-2022-2598 at NVDCVE-2022-2816 at SUSECVE-2022-2816 at NVDCVE-2022-2817 at SUSECVE-2022-2817 at NVDCVE-2022-2819 at SUSECVE-2022-2819 at NVDCVE-2022-2845 at SUSECVE-2022-2845 at NVDCVE-2022-2849 at SUSECVE-2022-2849 at NVDCVE-2022-2862 at SUSECVE-2022-2862 at NVDCVE-2022-2874 at SUSECVE-2022-2874 at NVDCVE-2022-2889 at SUSECVE-2022-2889 at NVDCVE-2022-2923 at SUSECVE-2022-2923 at NVDCVE-2022-2946 at SUSECVE-2022-2946 at NVDCVE-2022-2980 at SUSECVE-2022-2980 at NVDCVE-2022-2982 at SUSECVE-2022-2982 at NVDCVE-2022-3016 at SUSECVE-2022-3016 at NVDCVE-2022-3037 at SUSECVE-2022-3037 at NVDCVE-2022-3099 at SUSECVE-2022-3099 at NVDCVE-2022-3134 at SUSECVE-2022-3134 at NVDCVE-2022-3153 at SUSECVE-2022-3153 at NVDCVE-2022-3234 at SUSECVE-2022-3234 at NVDCVE-2022-3235 at SUSECVE-2022-3235 at NVDCVE-2022-3278 at SUSECVE-2022-3278 at NVDCVE-2022-3296 at SUSECVE-2022-3296 at NVDCVE-2022-3297 at SUSECVE-2022-3297 at NVDCVE-2022-3324 at SUSECVE-2022-3324 at NVDCVE-2022-3352 at SUSECVE-2022-3352 at NVDCVE-2022-3705 at SUSECVE-2022-3705 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for ca-certificates-mozilla (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ca-certificates-mozilla fixes the following issues:
- Updated to 2.60 state of Mozilla SSL root CAs (bsc#1206622)
Removed CAs:
- Global Chambersign Root
- EC-ACC
- Network Solutions Certificate Authority
- Staat der Nederlanden EV Root CA
- SwissSign Platinum CA - G2
Added CAs:
- DIGITALSIGN GLOBAL ROOT ECDSA CA
- DIGITALSIGN GLOBAL ROOT RSA CA
- Security Communication ECC RootCA1
- Security Communication RootCA3
Changed trust:
- TrustCor certificates only trusted up to Nov 30 (bsc#1206212)
- Removed CAs (bsc#1206212) as most code does not handle 'valid before nov 30 2022'
and it is not clear how many certs were issued for SSL middleware by TrustCor:
- TrustCor RootCert CA-1
- TrustCor RootCert CA-2
- TrustCor ECA-1
ImportantSUSE bug 1206212SUSE bug 1206622cpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for virglrenderer (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for virglrenderer fixes the following issues:
- CVE-2022-0135: Fixed out-of-bonds write in read_transfer_data() (bsc#1195389).
ImportantSUSE bug 1195389CVE-2022-0135 at SUSECVE-2022-0135 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for expat (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for expat fixes the following issues:
- CVE-2022-23852: Fixed signed integer overflow in XML_GetBuffer (bsc#1195054).
- CVE-2022-23990: Fixed integer overflow in the doProlog function (bsc#1195217).
ImportantSUSE bug 1195054SUSE bug 1195217CVE-2022-23852 at SUSECVE-2022-23852 at NVDCVE-2022-23990 at SUSECVE-2022-23990 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tiff (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tiff fixes the following issues:
- CVE-2017-17095: Fixed DoS in tools/pal2rgb.c in pal2rgb (bsc#1071031).
- CVE-2019-17546: Fixed integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image (bsc#1154365).
- CVE-2020-19131: Fixed buffer overflow in tiffcrop that may cause DoS via the invertImage() function (bsc#1190312).
- CVE-2020-35521: Fixed memory allocation failure in tif_read.c (bsc#1182808).
- CVE-2020-35522: Fixed memory allocation failure in tif_pixarlog.c (bsc#1182809).
- CVE-2020-35523: Fixed integer overflow in tif_getimage.c (bsc#1182811).
- CVE-2020-35524: Fixed heap-based buffer overflow in TIFF2PDF tool (bsc#1182812).
- CVE-2022-22844: Fixed out-of-bounds read in _TIFFmemcpy in tif_unix.c (bsc#1194539).
ImportantSUSE bug 1071031SUSE bug 1154365SUSE bug 1182808SUSE bug 1182809SUSE bug 1182811SUSE bug 1182812SUSE bug 1190312SUSE bug 1194539CVE-2017-17095 at SUSECVE-2017-17095 at NVDCVE-2019-17546 at SUSECVE-2019-17546 at NVDCVE-2020-19131 at SUSECVE-2020-19131 at NVDCVE-2020-35521 at SUSECVE-2020-35521 at NVDCVE-2020-35522 at SUSECVE-2020-35522 at NVDCVE-2020-35523 at SUSECVE-2020-35523 at NVDCVE-2020-35524 at SUSECVE-2020-35524 at NVDCVE-2022-22844 at SUSECVE-2022-22844 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tcpdump (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tcpdump fixes the following issues:
- CVE-2018-16301: Fixed segfault when handling large files (bsc#1195825).
ModerateSUSE bug 1195825CVE-2018-16301 at SUSECVE-2018-16301 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for polkit (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for polkit fixes the following issues:
- CVE-2021-4115: Fixed a denial of service via file descriptor leak (bsc#1195542).
ModerateSUSE bug 1195542CVE-2021-4115 at SUSECVE-2021-4115 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xerces-j2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xerces-j2 fixes the following issues:
- CVE-2022-23437: Fixed infinite loop within Apache XercesJ xml parser (bsc#1195108).
ImportantSUSE bug 1195108CVE-2022-23437 at SUSECVE-2022-23437 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for jasper (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for jasper fixes the following issues:
- CVE-2021-27845: Fixed divide-by-zery issue in cp_create() (bsc#1188437).
ModerateSUSE bug 1188437CVE-2021-27845 at SUSECVE-2021-27845 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.6.0 ESR / MFSA 2022-05 (bsc#1195682)
- CVE-2022-22753: Privilege Escalation to SYSTEM on Windows via Maintenance Service
- CVE-2022-22754: Extensions could have bypassed permission confirmation during update
- CVE-2022-22756: Drag and dropping an image could have resulted in the dropped object being an executable
- CVE-2022-22759: Sandboxed iframes could have executed script if the parent appended elements
- CVE-2022-22760: Cross-Origin responses could be distinguished between script and non-script content-types
- CVE-2022-22761: frame-ancestors Content Security Policy directive was not enforced for framed extension pages
- CVE-2022-22763: Script Execution during invalid object state
- CVE-2022-22764: Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6
Firefox Extended Support Release 91.5.1 ESR (bsc#1195230)
- Fixed an issue that allowed unexpected data to be submitted in some of our search telemetry
ImportantSUSE bug 1195230SUSE bug 1195682CVE-2022-22753 at SUSECVE-2022-22753 at NVDCVE-2022-22754 at SUSECVE-2022-22754 at NVDCVE-2022-22756 at SUSECVE-2022-22756 at NVDCVE-2022-22759 at SUSECVE-2022-22759 at NVDCVE-2022-22760 at SUSECVE-2022-22760 at NVDCVE-2022-22761 at SUSECVE-2022-22761 at NVDCVE-2022-22763 at SUSECVE-2022-22763 at NVDCVE-2022-22764 at SUSECVE-2022-22764 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tomcat (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tomcat fixes the following issues:
- CVE-2021-30640: Fixed incorrect parameters escape in JNDI Realm queries (bsc#1188279).
- CVE-2022-23181: Fixed incorrect calculation of session storage location (bsc#1195255).
ImportantSUSE bug 1188279SUSE bug 1195255CVE-2021-30640 at SUSECVE-2021-30640 at NVDCVE-2022-23181 at SUSECVE-2022-23181 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ucode-intel fixes the following issues:
Updated to Intel CPU Microcode 20220207 release.
- CVE-2021-0146: Fixed a potential security vulnerability in some Intel Processors may allow escalation of privilege (bsc#1192615)
- CVE-2021-0127: Intel Processor Breakpoint Control Flow (bsc#1195779)
- CVE-2021-0145: Fast store forward predictor - Cross Domain Training (bsc#1195780)
- CVE-2021-33120: Out of bounds read for some Intel Atom processors (bsc#1195781)
- Security updates for [INTEL-SA-00528](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00528.html)
- Security updates for [INTEL-SA-00532](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00532.html)
ImportantSUSE bug 1192615SUSE bug 1195779SUSE bug 1195780SUSE bug 1195781CVE-2021-0127 at SUSECVE-2021-0127 at NVDCVE-2021-0145 at SUSECVE-2021-0145 at NVDCVE-2021-0146 at SUSECVE-2021-0146 at NVDCVE-2021-33120 at SUSECVE-2021-33120 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openexr (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openexr fixes the following issues:
- CVE-2021-45942: Fixed heap-based buffer overflow in Imf_3_1:LineCompositeTask:execute. (bsc#1194333)
ImportantSUSE bug 1194333CVE-2021-45942 at SUSECVE-2021-45942 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for apache2 fixes the following issues:
- CVE-2021-44224: Fixed NULL dereference or SSRF in forward proxy configurations. (bsc#1193943)
- CVE-2021-44790: Fixed buffer overflow when parsing multipart content in mod_lua. (bsc#1193942)
ImportantSUSE bug 1193942SUSE bug 1193943CVE-2021-44224 at SUSECVE-2021-44224 at NVDCVE-2021-44790 at SUSECVE-2021-44790 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for cyrus-sasl (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for cyrus-sasl fixes the following issues:
- CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).
ImportantSUSE bug 1196036CVE-2022-24407 at SUSECVE-2022-24407 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gnutls (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gnutls fixes the following issues:
- CVE-2021-4209: Fixed null pointer dereference in MD_UPDATE (bsc#1196167).
ModerateSUSE bug 1196167CVE-2021-4209 at SUSECVE-2021-4209 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
Update to version 2.34.5 (bsc#1195735):
- CVE-2022-22589: A validation issue was addressed with improved input sanitization.
- CVE-2022-22590: A use after free issue was addressed with improved memory management.
- CVE-2022-22592: A logic issue was addressed with improved state management.
Update to version 2.34.4 (bsc#1195064):
- CVE-2021-30934: A buffer overflow issue was addressed with improved memory handling.
- CVE-2021-30936: A use after free issue was addressed with improved memory management.
- CVE-2021-30951: A use after free issue was addressed with improved memory management.
- CVE-2021-30952: An integer overflow was addressed with improved input validation.
- CVE-2021-30953: An out-of-bounds read was addressed with improved bounds checking.
- CVE-2021-30954: A type confusion issue was addressed with improved memory handling.
- CVE-2021-30984: A race condition was addressed with improved state handling.
- CVE-2022-22594: A cross-origin issue in the IndexDB API was addressed with improved input validation.
The following CVEs were addressed in a previous update:
- CVE-2021-45481: Incorrect memory allocation in WebCore::ImageBufferCairoImageSurfaceBackend::create.
- CVE-2021-45482: A use-after-free in WebCore::ContainerNode::firstChild.
- CVE-2021-45483: A use-after-free in WebCore::Frame::page.
ImportantSUSE bug 1195064SUSE bug 1195735CVE-2021-30934 at SUSECVE-2021-30934 at NVDCVE-2021-30936 at SUSECVE-2021-30936 at NVDCVE-2021-30951 at SUSECVE-2021-30951 at NVDCVE-2021-30952 at SUSECVE-2021-30952 at NVDCVE-2021-30953 at SUSECVE-2021-30953 at NVDCVE-2021-30954 at SUSECVE-2021-30954 at NVDCVE-2021-30984 at SUSECVE-2021-30984 at NVDCVE-2021-45481 at SUSECVE-2021-45481 at NVDCVE-2021-45482 at SUSECVE-2021-45482 at NVDCVE-2021-45483 at SUSECVE-2021-45483 at NVDCVE-2022-22589 at SUSECVE-2022-22589 at NVDCVE-2022-22590 at SUSECVE-2022-22590 at NVDCVE-2022-22592 at SUSECVE-2022-22592 at NVDCVE-2022-22594 at SUSECVE-2022-22594 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for expat (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for expat fixes the following issues:
- CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
- CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
- CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
- CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
- CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).
ImportantSUSE bug 1196025SUSE bug 1196026SUSE bug 1196168SUSE bug 1196169SUSE bug 1196171CVE-2022-25235 at SUSECVE-2022-25235 at NVDCVE-2022-25236 at SUSECVE-2022-25236 at NVDCVE-2022-25313 at SUSECVE-2022-25313 at NVDCVE-2022-25314 at SUSECVE-2022-25314 at NVDCVE-2022-25315 at SUSECVE-2022-25315 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for zsh (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for zsh fixes the following issues:
- CVE-2021-45444: Fixed a vulnerability where arbitrary shell commands could be
executed related to prompt expansion (bsc#1196435).
- CVE-2019-20044: Fixed a vulnerability where shell privileges would not be
properly dropped when unsetting the PRIVILEGED option (bsc#1163882).
- CVE-2018-1100: Fixed a potential code execution via a stack-based buffer
overflow in utils.c:checkmailpath() (bsc#1089030).
ImportantSUSE bug 1089030SUSE bug 1163882SUSE bug 1196435CVE-2018-1100 at SUSECVE-2018-1100 at NVDCVE-2019-20044 at SUSECVE-2019-20044 at NVDCVE-2021-45444 at SUSECVE-2021-45444 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for flac (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for flac fixes the following issues:
- CVE-2021-0561: Fixed out of bound write in append_to_verify_fifo_interleaved_ (bsc#1196660).
ModerateSUSE bug 1196660CVE-2021-0561 at SUSECVE-2021-0561 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.6.1 ESR (bsc#1196809):
- CVE-2022-26485: Use-after-free in XSLT parameter processing
- CVE-2022-26486: Use-after-free in WebGPU IPC Framework
ImportantSUSE bug 1196809CVE-2022-26485 at SUSECVE-2022-26485 at NVDCVE-2022-26486 at SUSECVE-2022-26486 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ghostscript (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ghostscript fixes the following issues:
- CVE-2021-45944: Fixed use-after-free in sampled_data_sample (bsc#1194303)
- CVE-2021-45949: Fixed heap-based buffer overflow in sampled_data_finish (bsc#1194304)
ModerateSUSE bug 1194303SUSE bug 1194304CVE-2021-45944 at SUSECVE-2021-45944 at NVDCVE-2021-45949 at SUSECVE-2021-45949 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
Update to version 2.34.6 (bsc#1196133):
- CVE-2022-22620: Processing maliciously crafted web content may have lead to arbitrary code execution.
ImportantSUSE bug 1196133CVE-2022-22620 at SUSECVE-2022-22620 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libcaca (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libcaca fixes the following issues:
- CVE-2021-30498, CVE-2021-30499: If an image has a size of 0x0, when exporting, no
data is written and space is allocated for the header only, not taking into
account that sprintf appends a NUL byte (bsc#1184751, bsc#1184752).
ImportantSUSE bug 1184751SUSE bug 1184752CVE-2021-30498 at SUSECVE-2021-30498 at NVDCVE-2021-30499 at SUSECVE-2021-30499 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.7.0 ESR (bsc#1196900):
- CVE-2022-26383: Browser window spoof using fullscreen mode
- CVE-2022-26384: iframe allow-scripts sandbox bypass
- CVE-2022-26387: Time-of-check time-of-use bug when verifying add-on signatures
- CVE-2022-26381: Use-after-free in text reflows
- CVE-2022-26386: Temporary files downloaded to /tmp and accessible by other local users
ImportantSUSE bug 1196900CVE-2022-26381 at SUSECVE-2022-26381 at NVDCVE-2022-26383 at SUSECVE-2022-26383 at NVDCVE-2022-26384 at SUSECVE-2022-26384 at NVDCVE-2022-26386 at SUSECVE-2022-26386 at NVDCVE-2022-26387 at SUSECVE-2022-26387 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for glib2 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for glib2 fixes the following issues:
- CVE-2021-3800: Fixed a file content leak in pkexec due to charset aliases (bsc#1191489).
ModerateSUSE bug 1191489CVE-2021-3800 at SUSECVE-2021-3800 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for expat (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for expat fixes the following issues:
- Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).
ImportantSUSE bug 1196025SUSE bug 1196784CVE-2022-25236 at SUSECVE-2022-25236 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openssl (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssl fixes the following issues:
- CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (bsc#1196877).
ImportantSUSE bug 1196877CVE-2022-0778 at SUSECVE-2022-0778 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-openjdk fixes the following issues:
Update to version jdk8u322 (icedtea-3.22.0)
Including the following security fixes:
- CVE-2022-21248, bsc#1194926: Enhance cross VM serialization
- CVE-2022-21283, bsc#1194937: Better String matching
- CVE-2022-21293, bsc#1194935: Improve String constructions
- CVE-2022-21294, bsc#1194934: Enhance construction of Identity maps
- CVE-2022-21282, bsc#1194933: Better resolution of URIs
- CVE-2022-21296, bsc#1194932: Improve SAX Parser configuration management
- CVE-2022-21299, bsc#1194931: Improved scanning of XML entities
- CVE-2022-21305, bsc#1194939: Better array indexing
- CVE-2022-21340, bsc#1194940: Verify Jar Verification
- CVE-2022-21341, bsc#1194941: Improve serial forms for transport
- CVE-2022-21349: Improve Solaris font rendering
- CVE-2022-21360, bsc#1194929: Enhance BMP image support
- CVE-2022-21365, bsc#1194928: Enhanced BMP processing
ImportantSUSE bug 1193314SUSE bug 1193444SUSE bug 1193491SUSE bug 1194926SUSE bug 1194928SUSE bug 1194929SUSE bug 1194931SUSE bug 1194932SUSE bug 1194933SUSE bug 1194934SUSE bug 1194935SUSE bug 1194937SUSE bug 1194939SUSE bug 1194940SUSE bug 1194941SUSE bug 1195163CVE-2022-21248 at SUSECVE-2022-21248 at NVDCVE-2022-21282 at SUSECVE-2022-21282 at NVDCVE-2022-21283 at SUSECVE-2022-21283 at NVDCVE-2022-21293 at SUSECVE-2022-21293 at NVDCVE-2022-21294 at SUSECVE-2022-21294 at NVDCVE-2022-21296 at SUSECVE-2022-21296 at NVDCVE-2022-21299 at SUSECVE-2022-21299 at NVDCVE-2022-21305 at SUSECVE-2022-21305 at NVDCVE-2022-21340 at SUSECVE-2022-21340 at NVDCVE-2022-21341 at SUSECVE-2022-21341 at NVDCVE-2022-21349 at SUSECVE-2022-21349 at NVDCVE-2022-21360 at SUSECVE-2022-21360 at NVDCVE-2022-21365 at SUSECVE-2022-21365 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for atftp (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for atftp fixes the following issues:
- CVE-2021-46671: Fixed a potential information leak in atftpd (bsc#1195619).
LowSUSE bug 1195619CVE-2021-46671 at SUSECVE-2021-46671 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3 fixes the following issues:
- CVE-2021-4189: Fixed default access from PASV response in the FTP client (bsc#1194146).
- CVE-2022-0391: Fixed sanitizing of URLs containing ASCII newline and tabs in urlparse (bsc#1195396).
ModerateSUSE bug 1194146SUSE bug 1195396CVE-2021-4189 at SUSECVE-2021-4189 at NVDCVE-2022-0391 at SUSECVE-2022-0391 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python-lxml (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-lxml fixes the following issues:
- CVE-2021-43818: Removed SVG image data URLs since they can embed script
content (bsc#1193752).
- CVE-2021-28957: Fixed a potential XSS due to improper input sanitization (bsc#1184177).
- CVE-2020-27783: Fixed a potential XSS due to improper HTML parsing (bsc#1179534).
- CVE-2018-19787: Fixed a potential XSS due to improper input sanitization (bsc#1118088).
ModerateSUSE bug 1118088SUSE bug 1179534SUSE bug 1184177SUSE bug 1193752CVE-2018-19787 at SUSECVE-2018-19787 at NVDCVE-2020-27783 at SUSECVE-2020-27783 at NVDCVE-2021-28957 at SUSECVE-2021-28957 at NVDCVE-2021-43818 at SUSECVE-2021-43818 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for glibc (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for glibc fixes the following issues:
- CVE-2022-23219: Fixed buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)
- CVE-2022-23218: Fixed buffer overflow in sunrpc svcunix_create (bsc#1194770)
- CVE-2021-3999: Fixed getcwd to set errno to ERANGE for size == 1 (bsc#1194640)
ImportantSUSE bug 1194640SUSE bug 1194768SUSE bug 1194770CVE-2021-3999 at SUSECVE-2021-3999 at NVDCVE-2022-23218 at SUSECVE-2022-23218 at NVDCVE-2022-23219 at SUSECVE-2022-23219 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for lapack (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for lapack fixes the following issues:
- CVE-2021-4048: Fixed an out of bounds read when user input was not validated properly (bsc#1193562).
ModerateSUSE bug 1193562CVE-2021-4048 at SUSECVE-2021-4048 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for apache2 fixes the following issues:
- CVE-2022-23943: heap out-of-bounds write in mod_sed (bsc#1197098).
- CVE-2022-22720: HTTP request smuggling due to incorrect error handling (bsc#1197095).
- CVE-2022-22719: use of uninitialized value of in r:parsebody in mod_lua (bsc#1197091).
- CVE-2022-22721: possible buffer overflow with very large or unlimited LimitXMLRequestBody (bsc#1197096).
ImportantSUSE bug 1197091SUSE bug 1197095SUSE bug 1197096SUSE bug 1197098CVE-2022-22719 at SUSECVE-2022-22719 at NVDCVE-2022-22720 at SUSECVE-2022-22720 at NVDCVE-2022-22721 at SUSECVE-2022-22721 at NVDCVE-2022-23943 at SUSECVE-2022-23943 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python fixes the following issues:
- CVE-2022-0391: Fixed sanitizing URLs containing ASCII newline and tabs in urlparse (bsc#1195396).
- CVE-2021-4189: Make ftplib not trust the PASV response (bsc#1194146).
- CVE-2021-3572: Fixed an improper handling of unicode characters in pip (bsc#1186819).
ModerateSUSE bug 1175619SUSE bug 1186819SUSE bug 1194146SUSE bug 1195396CVE-2021-3572 at SUSECVE-2021-3572 at NVDCVE-2021-4189 at SUSECVE-2021-4189 at NVDCVE-2022-0391 at SUSECVE-2022-0391 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for sudo (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for sudo fixes the following issues:
- CVE-2023-22809: Fixed an arbitrary file write issue that could be
exploited by users with sudoedit permissions (bsc#1207082).
ImportantSUSE bug 1207082CVE-2023-22809 at SUSECVE-2023-22809 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for postgresql-jdbc (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql-jdbc fixes the following issues:
- CVE-2022-41946: Fixed a local information disclosure issue due to
improper handling of temporary files (bsc#1206921).
ModerateSUSE bug 1206921CVE-2022-41946 at SUSECVE-2022-41946 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for git (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for git fixes the following issues:
- CVE-2022-41903: Fixed a heap overflow in the 'git archive' and
'git log --format' commands (bsc#1207033).
- CVE-2022-23521: Fixed an integer overflow that could be triggered
when parsing a gitattributes file (bsc#1207032).
ImportantSUSE bug 1207032SUSE bug 1207033CVE-2022-23521 at SUSECVE-2022-23521 at NVDCVE-2022-41903 at SUSECVE-2022-41903 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
- Updated to version 102.7.0 ESR (bsc#1207119):
- CVE-2022-46871: Updated an out of date library (libusrsctp) which
contained several vulnerabilities.
- CVE-2023-23598: Fixed an arbitrary file read from GTK drag and
drop on Linux.
- CVE-2023-23601: Fixed a potential spoofing attack when dragging a
URL from a cross-origin iframe into the same tab.
- CVE-2023-23602: Fixed a mishandled security check, which caused
the Content Security Policy header to be ignored for WebSockets
in WebWorkers.
- CVE-2022-46877: Fixed a fullscreen notification bypass which
could be leveraged in spoofing attacks.
- CVE-2023-23603: Fixed a Content Security Policy bypass via format
directives.
- CVE-2023-23605: Fixed several memory safety bugs.
ImportantSUSE bug 1207119CVE-2022-46871 at SUSECVE-2022-46871 at NVDCVE-2022-46877 at SUSECVE-2022-46877 at NVDCVE-2023-23598 at SUSECVE-2023-23598 at NVDCVE-2023-23601 at SUSECVE-2023-23601 at NVDCVE-2023-23602 at SUSECVE-2023-23602 at NVDCVE-2023-23603 at SUSECVE-2023-23603 at NVDCVE-2023-23605 at SUSECVE-2023-23605 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for mozilla-nss (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mozilla-nss fixes the following issues:
- CVE-2022-3479: Fixed a potential crash that could be triggered when
a server requested a client authentication certificate, but the
client had no certificates stored (bsc#1204272).
- Updated to version 3.79.3 (bsc#1207038):
- CVE-2022-23491: Removed trust for 3 root certificates from TrustCor.
ImportantSUSE bug 1204272SUSE bug 1207038CVE-2022-23491 at SUSECVE-2022-23491 at NVDCVE-2022-3479 at SUSECVE-2022-3479 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for freeradius-server (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for freeradius-server fixes the following issues:
- CVE-2022-41859: Fixed an issue in EAP-PWD that could leak
information about the password, which could facilitate dictionary
attacks (bsc#1206204).
- CVE-2022-41860: Fixed a crash in servers with EAP_SIM manually
configured, which could be triggered via a malformed SIM option
(bsc#1206205).
- CVE-2022-41861: Fixed a server crash that could be triggered by
sending malformed data from a system in the RADIUS circle of trust
(bsc#1206206).
ImportantSUSE bug 1206204SUSE bug 1206205SUSE bug 1206206CVE-2022-41859 at SUSECVE-2022-41859 at NVDCVE-2022-41860 at SUSECVE-2022-41860 at NVDCVE-2022-41861 at SUSECVE-2022-41861 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for samba (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for samba fixes the following issues:
- CVE-2021-20251: Fixed an issue where the bad password count would
not be properly incremented, which could allow attackers to brute
force a user's password (bsc#1206546).
- CVE-2022-38023: Disabled weak ciphers by default in the Netlogon
Secure channel (bsc#1206504).
- CVE-2022-37966: Fixed an issue where a weak cipher would be
selected to encrypt session keys, which could lead to privilege
escalation (bsc#1205385).
ImportantSUSE bug 1205385SUSE bug 1206504SUSE bug 1206546CVE-2021-20251 at SUSECVE-2021-20251 at NVDCVE-2022-37966 at SUSECVE-2022-37966 at NVDCVE-2022-38023 at SUSECVE-2022-38023 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for xen (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
- CVE-2022-23824: Fixed multiple speculative execution issues (bnc#1205209).
ImportantSUSE bug 1027519SUSE bug 1205209CVE-2022-23824 at SUSECVE-2022-23824 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for glibc (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for glibc fixes the following issues:
- CVE-2016-10739: getaddrinfo: Fully parse IPv4 address strings (bsc#1122729)
ModerateSUSE bug 1122729CVE-2016-10739 at SUSECVE-2016-10739 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libXpm (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libXpm fixes the following issues:
- CVE-2022-46285: Fixed an infinite loop that could be triggered
when reading a XPM image with a C-style comment that is never
closed (bsc#1207029).
- CVE-2022-44617: Fixed an excessive resource consumption that could
be triggered when reading small crafted XPM image (bsc#1207030).
- CVE-2022-4883: Fixed an issue that made decompression commands
susceptible to PATH environment variable manipulation attacks
(bsc#1207031).
ImportantSUSE bug 1207029SUSE bug 1207030SUSE bug 1207031CVE-2022-44617 at SUSECVE-2022-44617 at NVDCVE-2022-46285 at SUSECVE-2022-46285 at NVDCVE-2022-4883 at SUSECVE-2022-4883 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for bluez (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for bluez fixes the following issues:
- CVE-2022-39176: Fixed a memory safety issue that could allow
physically proximate attackers to obtain sensitive information
(bsc#1203121).
- CVE-2022-39177: Fixed a memory safety issue that could allow
physically proximate attackers to cause a denial of service
(bsc#1203120).
ImportantSUSE bug 1203120SUSE bug 1203121CVE-2022-39176 at SUSECVE-2022-39176 at NVDCVE-2022-39177 at SUSECVE-2022-39177 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xorg-x11-server fixes the following issues:
- CVE-2023-1393: Fixed use-after-free overlay window (ZDI-CAN-19866) (bsc#1209543).
ImportantSUSE bug 1209543CVE-2023-1393 at SUSECVE-2023-1393 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
Update to version 2.38.5 (boo#1208328):
- CVE-2023-23529: Fixed possible arbitrary code execution via maliciously crafted web content.
- CVE-2023-23518: Processing maliciously crafted web content may lead to
Previously fixed inside update to version 2.38.4 (boo#1207997):
- CVE-2022-42826: Fixed a use-after-free issue that was caused by improper memory management.
ImportantSUSE bug 1207997SUSE bug 1208328CVE-2022-42826 at SUSECVE-2022-42826 at NVDCVE-2023-23518 at SUSECVE-2023-23518 at NVDCVE-2023-23529 at SUSECVE-2023-23529 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for sudo (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for sudo fixes the following issues:
- CVE-2023-28486: Fixed missing control characters escaping in log messages (bsc#1209362).
- CVE-2023-28487: Fixed missing control characters escaping in sudoreplay output (bsc#1209361).
ModerateSUSE bug 1209361SUSE bug 1209362CVE-2023-28486 at SUSECVE-2023-28486 at NVDCVE-2023-28487 at SUSECVE-2023-28487 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ImageMagick fixes the following issues:
- CVE-2023-1289: Fixed segmentation fault and possible DoS via specially crafted SVG. (bsc#1209141)
ModerateSUSE bug 1209141CVE-2023-1289 at SUSECVE-2023-1289 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssl fixes the following issues:
- CVE-2023-0464: Fixed excessive Resource Usage Verifying X.509 Policy Constraints (bsc#1209624).
ModerateSUSE bug 1209624CVE-2023-0464 at SUSECVE-2023-0464 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for python-cryptography (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-cryptography fixes the following issues:
- CVE-2023-23931: Fixed memory corruption in Cipher.update_into (bsc#1208036).
ModerateSUSE bug 1208036CVE-2023-23931 at SUSECVE-2023-23931 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for systemd (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for systemd fixes the following issues:
- CVE-2023-26604: Fixed a privilege escalation via the less pager. (bsc#1208958)
- CVE-2022-4415: Fixed systemd-coredump that did not respect the fs.suid_dumpable kernel setting (bsc#1205000).
- CVE-2022-3821: Fixed buffer overrun in format_timespan() function (bsc#1204968).
Bug fixes:
- Restrict cpu rule to x86_64, and also update the rule files to make use of the 'CONST{arch}' syntax (bsc#1204423).
- Fixed 'systemd --user' call pam_loginuid when creating user@.service (bsc#1198507).
- Fixed 'systemd-detect-virt' refine hypervisor detection (bsc#1197244).
- Fixed 'udev' 60-persistent-storage-tape.rules: handle duplicate device ID (bsc#1195529).
- Fixed 'man' tweak description of auto/noauto (bsc#1191502).
ImportantSUSE bug 1191502SUSE bug 1195529SUSE bug 1197244SUSE bug 1198507SUSE bug 1204423SUSE bug 1204968SUSE bug 1205000SUSE bug 1206985SUSE bug 1208958CVE-2022-3821 at SUSECVE-2022-3821 at NVDCVE-2022-4415 at SUSECVE-2022-4415 at NVDCVE-2023-26604 at SUSECVE-2023-26604 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for ghostscript (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ghostscript fixes the following issues:
- CVE-2023-28879: Fixed buffer Overflow in s_xBCPE_process (bsc#1210062).
ImportantSUSE bug 1210062CVE-2023-28879 at SUSECVE-2023-28879 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 102.10.0 ESR (bsc#1210212)
- CVE-2023-29531: Out-of-bound memory access in WebGL on macOS
- CVE-2023-29532: Mozilla Maintenance Service Write-lock bypass
- CVE-2023-29533: Fullscreen notification obscured
- MFSA-TMP-2023-0001: Double-free in libwebp
- CVE-2023-29535: Potential Memory Corruption following Garbage Collector compaction
- CVE-2023-29536: Invalid free from JavaScript code
- CVE-2023-29539: Content-Disposition filename truncation leads to Reflected File Download
- CVE-2023-29541: Files with malicious extensions could have been downloaded unsafely on Linux
- CVE-2023-29542: Bypass of file download extension restrictions
- CVE-2023-29545: Windows Save As dialog resolved environment variables
- CVE-2023-1945: Memory Corruption in Safe Browsing Code
- CVE-2023-29548: Incorrect optimization result on ARM64
- CVE-2023-29550: Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10
ImportantSUSE bug 1210212CVE-2023-1945 at SUSECVE-2023-1945 at NVDCVE-2023-29531 at SUSECVE-2023-29531 at NVDCVE-2023-29532 at SUSECVE-2023-29532 at NVDCVE-2023-29533 at SUSECVE-2023-29533 at NVDCVE-2023-29535 at SUSECVE-2023-29535 at NVDCVE-2023-29536 at SUSECVE-2023-29536 at NVDCVE-2023-29539 at SUSECVE-2023-29539 at NVDCVE-2023-29541 at SUSECVE-2023-29541 at NVDCVE-2023-29542 at SUSECVE-2023-29542 at NVDCVE-2023-29545 at SUSECVE-2023-29545 at NVDCVE-2023-29548 at SUSECVE-2023-29548 at NVDCVE-2023-29550 at SUSECVE-2023-29550 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for harfbuzz (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for harfbuzz fixes the following issues:
- CVE-2023-25193: Fixed vulnerability that allowed attackers to trigger O(n^2) growth via consecutive marks (bsc#1207922).
ImportantSUSE bug 1207922CVE-2023-25193 at SUSECVE-2023-25193 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for java-1_8_0-ibm (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 8 (bsc#1208480):
* Security fixes:
- CVE-2023-21830: Fixed improper restrictions in CORBA deserialization (bsc#1207249).
- CVE-2023-21835: Fixed handshake DoS attack against DTLS connections (bsc#1207246).
- CVE-2023-21843: Fixed soundbank URL remote loading (bsc#1207248).
* New Features/Enhancements:
- Add RSA-PSS signature to IBMJCECCA.
* Defect Fixes:
- IJ45437 Service, Build, Packaging and Deliver: Getting
FIPSRUNTIMEEXCEPTION when calling java code:
MESSAGEDIGEST.GETINSTANCE('SHA256', 'IBMJCEFIPS'); in MAC
- IJ45272 Class Libraries: Fix security vulnerability CVE-2023-21843
- IJ45280 Class Libraries: Update timezone information to the
latest TZDATA2022F
- IJ44896 Class Libraries: Update timezone information to the
latest TZDATA2022G
- IJ45436 Java Virtual Machine: Stack walking code gets into
endless loop, hanging the application
- IJ44079 Java Virtual Machine: When -DFILE.ENCODING is specified
multiple times on the same command line the first option takes
precedence instead of the last
- IJ44532 JIT Compiler: Java JIT: Crash in DECREFERENCECOUNT()
due to a NULL pointer
- IJ44596 JIT Compiler: Java JIT: Invalid hard-coding of static
final field object properties
- IJ44107 JIT Compiler: JIT publishes new object reference to other
threads without executing a memory flush
- IX90193 ORB: Fix security vulnerability CVE-2023-21830
- IJ44267 Security: 8273553: SSLENGINEIMPL.CLOSEINBOUND also has
similar error of JDK-8253368
- IJ45148 Security: code changes for tech preview
- IJ44621 Security: Computing Diffie-Hellman secret repeatedly,
using IBMJCEPLUS, causes a small memory leak
- IJ44172 Security: Disable SHA-1 signed jars for EA
- IJ44040 Security: Generating Diffie-Hellman key pairs repeatedly,
using IBMJCEPLUS, Causes a small memory leak
- IJ45200 Security: IBMJCEPLUS provider, during CHACHA20-POLY1305
crypto operations, incorrectly throws an ILLEGALSTATEEXCEPTION
- IJ45182 Security: IBMJCEPLUS provider fails in RSAPSS and ECDSA
during signature operations resulting in Java cores
- IJ45201 Security: IBMJCEPLUS provider failures (two) with AESGCM algorithm
- IJ45202 Security: KEYTOOL NPE if signing certificate does not contain
a SUBJECTKEYIDENTIFIER extension
- IJ44075 Security: PKCS11KEYSTORE.JAVA - DOESPUBLICKEYMATCHPRIVATEKEY()
method uses SHA1XXXX signature algorithms to match private and public keys
- IJ45203 Security: RSAPSS multiple names for KEYTYPE
- IJ43920 Security: The PKCS12 keystore update and the PBES2 support
- IJ40002 XML: Fix security vulnerability CVE-2022-21426
ModerateSUSE bug 1207246SUSE bug 1207248SUSE bug 1207249SUSE bug 1208480CVE-2022-21426 at SUSECVE-2022-21426 at NVDCVE-2023-21830 at SUSECVE-2023-21830 at NVDCVE-2023-21835 at SUSECVE-2023-21835 at NVDCVE-2023-21843 at SUSECVE-2023-21843 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for liblouis (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for liblouis fixes the following issues:
- CVE-2023-26767: Fixed buffer overflow vulnerability in lou_logFile function (bsc#1209429).
- CVE-2023-26768: Fixed buffer overflow in lou_logFile() (bsc#1209431).
- CVE-2023-26769: Fixed buffer Overflow vulnerability in resolveSubtable function (bsc#1209432).
ImportantSUSE bug 1209429SUSE bug 1209431SUSE bug 1209432SUSE bug 1209855CVE-2023-26767 at SUSECVE-2023-26767 at NVDCVE-2023-26768 at SUSECVE-2023-26768 at NVDCVE-2023-26769 at SUSECVE-2023-26769 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for apache2 fixes the following issues:
- CVE-2022-37436: Fixed an issue in mod_proxy where a malicious
backend could cause the response headers to be truncated early,
resulting in some headers being incorporated into the response body
(bsc#1207251).
- CVE-2022-36760: Fixed an issue in mod_proxy_ajp that could allow
request smuggling attacks (bsc#1207250).
- CVE-2006-20001: Fixed an issue in mod_proxy_ajp where a request
header could cause memory corruption (bsc#1207247).
ImportantSUSE bug 1207247SUSE bug 1207250SUSE bug 1207251CVE-2006-20001 at SUSECVE-2006-20001 at NVDCVE-2022-36760 at SUSECVE-2022-36760 at NVDCVE-2022-37436 at SUSECVE-2022-37436 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for shim (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for shim fixes the following issues:
- Updated shim signature after shim 15.7 be signed back:
signature-sles.x86_64.asc, signature-sles.aarch64.asc (bsc#1198458)
- Add POST_PROCESS_PE_FLAGS=-N to the build command in shim.spec to
disable the NX compatibility flag when using post-process-pe because
grub2 is not ready. (bsc#1205588)
- Enable the NX compatibility flag by default. (jsc#PED-127)
Update to 15.7 (bsc#1198458) (jsc#PED-127):
- Make SBAT variable payload introspectable
- Reference MokListRT instead of MokList
- Add a link to the test plan in the readme.
- [V3] Enable TDX measurement to RTMR register
- Discard load-options that start with a NUL
- Fixed load_cert_file bugs
- Add -malign-double to IA32 compiler flags
- pe: Fix image section entry-point validation
- make-archive: Build reproducible tarball
- mok: remove MokListTrusted from PCR 7
Other fixes:
- Support enhance shim measurement to TD RTMR. (jsc#PED-1273)
- shim-install: ensure grub.cfg created is not overwritten after installing grub related files
- Add logic to shim.spec to only set sbat policy when efivarfs is writeable. (bsc#1201066)
- Add logic to shim.spec for detecting --set-sbat-policy option before using mokutil to set sbat policy. (bsc#1202120)
- Change the URL in SBAT section to mail:security@suse.de. (bsc#1193282)
Update to 15.6 (bsc#1198458):
- MokManager: removed Locate graphic output protocol fail error message
- shim: implement SBAT verification for the shim_lock protocol
- post-process-pe: Fix a missing return code check
- Update github actions matrix to be more useful
- post-process-pe: Fix format string warnings on 32-bit platforms
- Allow MokListTrusted to be enabled by default
- Re-add ARM AArch64 support
- Use ASCII as fallback if Unicode Box Drawing characters fail
- make: don't treat cert.S specially
- shim: use SHIM_DEVEL_VERBOSE when built in devel mode
- Break out of the inner sbat loop if we find the entry.
- Support loading additional certificates
- Add support for NX (W^X) mitigations.
- Fix preserve_sbat_uefi_variable() logic
- SBAT Policy latest should be a one-shot
- pe: Fix a buffer overflow when SizeOfRawData > VirtualSize
- pe: Perform image verification earlier when loading grub
- Update advertised sbat generation number for shim
- Update SBAT generation requirements for 05/24/22
- Also avoid CVE-2022-28737 in verify_image() by @vathpela
Update to 15.5 (bsc#1198458):
- Broken ia32 relocs and an unimportant submodule change.
- mok: allocate MOK config table as BootServicesData
- Don't call QueryVariableInfo() on EFI 1.10 machines (bsc#1187260)
- Relax the check for import_mok_state() (bsc#1185261)
- SBAT.md: trivial changes
- shim: another attempt to fix load options handling
- Add tests for our load options parsing.
- arm/aa64: fix the size of .rela* sections
- mok: fix potential buffer overrun in import_mok_state
- mok: relax the maximum variable size check
- Don't unhook ExitBootServices when EBS protection is disabled
- fallback: find_boot_option() needs to return the index for the boot entry in optnum
- httpboot: Ignore case when checking HTTP headers
- Fallback allocation errors
- shim: avoid BOOTx64.EFI in message on other architectures
- str: remove duplicate parameter check
- fallback: add compile option FALLBACK_NONINTERACTIVE
- Test mok mirror
- Modify sbat.md to help with readability.
- csv: detect end of csv file correctly
- Specify that the .sbat section is ASCII not UTF-8
- tests: add 'include-fixed' GCC directory to include directories
- pe: simplify generate_hash()
- Don't make shim abort when TPM log event fails (RHBZ #2002265)
- Fallback to default loader if parsed one does not exist
- fallback: Fix for BootOrder crash when index returned
- Better console checks
- docs: update SBAT UEFI variable name
- Don't parse load options if invoked from removable media path
- fallback: fix fallback not passing arguments of the first boot option
- shim: Don't stop forever at 'Secure Boot not enabled' notification
- Allocate mokvar table in runtime memory.
- Remove post-process-pe on 'make clean'
- pe: missing perror argument
- CVE-2022-28737: Fixed a buffer overflow when SizeOfRawData > VirtualSize (bsc#1198458)
- Add mokutil command to post script for setting sbat policy to latest mode
when the SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23 is not created.
(bsc#1198458)
- Updated vendor dbx binary and script (bsc#1198458)
- Updated dbx-cert.tar.xz and vendor-dbx-sles.bin for adding
SLES-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list.
- Updated dbx-cert.tar.xz and vendor-dbx-opensuse.bin for adding
openSUSE-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list.
- Updated vendor-dbx.bin for adding SLES-UEFI-SIGN-Certificate-2021-05.crt
and openSUSE-UEFI-SIGN-Certificate-2021-05.crt for testing environment.
- Updated generate-vendor-dbx.sh script for generating a vendor-dbx.bin
file which includes all .der for testing environment.
- avoid buffer overflow when copying data to the MOK config table (bsc#1185232)
- Disable exporting vendor-dbx to MokListXRT since writing a large RT variable could crash some machines (bsc#1185261)
- ignore the odd LoadOptions length (bsc#1185232)
- shim-install: reset def_shim_efi to 'shim.efi' if the given file doesn't exist
- relax the maximum variable size check for u-boot (bsc#1185621)
- handle ignore_db and user_insecure_mode correctly (bsc#1185441, bsc#1187071)
- Split the keys in vendor-dbx.bin to vendor-dbx-sles and
vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce
the size of MokListXRT (bsc#1185261)
+ Also update generate-vendor-dbx.sh in dbx-cert.tar.xz
ImportantSUSE bug 1185232SUSE bug 1185261SUSE bug 1185441SUSE bug 1185621SUSE bug 1187071SUSE bug 1187260SUSE bug 1193282SUSE bug 1193315SUSE bug 1198458SUSE bug 1201066SUSE bug 1202120SUSE bug 1205588CVE-2022-28737 at SUSECVE-2022-28737 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssl fixes the following issues:
- CVE-2023-0465: Invalid certificate policies in leaf certificates were silently ignored (bsc#1209878).
- CVE-2023-0466: Certificate policy check were not enabled (bsc#1209873).
ModerateSUSE bug 1209873SUSE bug 1209878CVE-2023-0465 at SUSECVE-2023-0465 at NVDCVE-2023-0466 at SUSECVE-2023-0466 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for glib2 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for glib2 fixes the following issues:
- CVE-2023-24593: Fixed a denial of service caused by handling a malicious text-form variant (bsc#1209714).
- CVE-2023-25180: Fixed a denial of service caused by malicious serialised variant (bsc#1209713).
ModerateSUSE bug 1209713SUSE bug 1209714CVE-2023-24593 at SUSECVE-2023-24593 at NVDCVE-2023-25180 at SUSECVE-2023-25180 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ovmf (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ovmf fixes the following issues:
- CVE-2019-14560: Fixed potential secure boot bypass via an improper check of GetEfiGlobalVariable2 (bsc#1174246).
- CVE-2021-38578: Fixed underflow in MdeModulePkg/PiSmmCore SmmEntryPointAdd (bsc#1196741).
ImportantSUSE bug 1174246SUSE bug 1196741CVE-2019-14560 at SUSECVE-2019-14560 at NVDCVE-2021-38578 at SUSECVE-2021-38578 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libmicrohttpd (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libmicrohttpd fixes the following issues:
- CVE-2023-27371: Fixed parser bug that could be used to crash servers using the MHD_PostProcessor (bsc#1208745). ModerateSUSE bug 1208745CVE-2023-27371 at SUSECVE-2023-27371 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for avahi (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for avahi fixes the following issues:
- CVE-2023-1981: Fixed crash in avahi-daemon (bsc#1210328).
ModerateSUSE bug 1210328CVE-2023-1981 at SUSECVE-2023-1981 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tiff (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tiff fixes the following issues:
- CVE-2022-48281: Fixed a buffer overflow that could be triggered via
a crafted image (bsc#1207413).
ImportantSUSE bug 1207413CVE-2022-48281 at SUSECVE-2022-48281 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for dmidecode (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for dmidecode fixes the following issues:
- CVE-2023-30630: Fixed potential privilege escalation vulnerability via file overwrite (bsc#1210418).
ModerateSUSE bug 1210418CVE-2023-30630 at SUSECVE-2023-30630 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libxml2 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libxml2 fixes the following issues:
- CVE-2023-29469: Fixed inconsistent result when hashing empty strings (bsc#1210412).
- CVE-2023-28484: Fixed NULL pointer dereference in xmlSchemaFixupComplexType (bsc#1210411).
ModerateSUSE bug 1210411SUSE bug 1210412CVE-2023-28484 at SUSECVE-2023-28484 at NVDCVE-2023-29469 at SUSECVE-2023-29469 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
Update to version 2.38.6 (bsc#1210731):
- CVE-2022-0108: Fixed information leak.
- CVE-2022-32885: Fixed arbitrary code execution.
- CVE-2023-25358: Fixed use-after-free vulnerability in WebCore::RenderLayer.
- CVE-2023-27932: Fixed Same Origin Policy bypass.
- CVE-2023-27954: Fixed sensitive user information tracking.
- CVE-2023-28205: Fixed arbitrary code execution (bsc#1210295).
Already fixed in version 2.38.5:
- CVE-2022-32886, CVE-2022-32912, CVE-2023-25360, CVE-2023-25361, CVE-2023-25362, CVE-2023-25363.
ImportantSUSE bug 1210295SUSE bug 1210731CVE-2022-0108 at SUSECVE-2022-0108 at NVDCVE-2022-32885 at SUSECVE-2022-32885 at NVDCVE-2022-32886 at SUSECVE-2022-32886 at NVDCVE-2022-32912 at SUSECVE-2022-32912 at NVDCVE-2023-25358 at SUSECVE-2023-25358 at NVDCVE-2023-25360 at SUSECVE-2023-25360 at NVDCVE-2023-25361 at SUSECVE-2023-25361 at NVDCVE-2023-25362 at SUSECVE-2023-25362 at NVDCVE-2023-25363 at SUSECVE-2023-25363 at NVDCVE-2023-27932 at SUSECVE-2023-27932 at NVDCVE-2023-27954 at SUSECVE-2023-27954 at NVDCVE-2023-28205 at SUSECVE-2023-28205 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for git (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for git fixes the following issues:
- CVE-2023-25652: Fixed partial overwrite of paths outside the working tree (bsc#1210686).
- CVE-2023-25815: Fixed malicious placemtn of crafted message (bsc#1210686).
- CVE-2023-29007: Fixed arbitrary configuration injection (bsc#1210686).
ModerateSUSE bug 1210686CVE-2023-25652 at SUSECVE-2023-25652 at NVDCVE-2023-25815 at SUSECVE-2023-25815 at NVDCVE-2023-29007 at SUSECVE-2023-29007 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for shadow (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for shadow fixes the following issues:
- CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507).
ModerateSUSE bug 1210507CVE-2023-29383 at SUSECVE-2023-29383 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for vim (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for vim fixes the following issues:
- Updated to version 9.0.1234:
- CVE-2023-0433: Fixed an out of bounds memory access that could
cause a crash (bsc#1207396).
- CVE-2023-0288: Fixed an out of bounds memory access that could
cause a crash (bsc#1207162).
- CVE-2023-0054: Fixed an out of bounds memory write that could
cause a crash or memory corruption (bsc#1206868).
- CVE-2023-0051: Fixed an out of bounds memory access that could
cause a crash (bsc#1206867).
- CVE-2023-0049: Fixed an out of bounds memory access that could
cause a crash (bsc#1206866).
- CVE-2022-3491: Fixed an out of bounds memory access that could
cause a crash (bsc#1206028).
- CVE-2022-3520: Fixed an out of bounds memory access that could
cause a crash (bsc#1206071).
- CVE-2022-3591: Fixed a use-after-free issue that could cause
memory corruption or undefined behavior (bsc#1206072).
- CVE-2022-4292: Fixed a use-after-free issue that could cause
memory corruption or undefined behavior (bsc#1206075).
- CVE-2022-4293: Fixed a floating point exception that could cause
a crash (bsc#1206077).
- CVE-2022-4141: Fixed an out of bounds memory write that could
cause a crash or memory corruption (bsc#1205797).
- CVE-2022-3705: Fixed an use-after-free issue that could cause
a crash or memory corruption (bsc#1204779).
ImportantSUSE bug 1204779SUSE bug 1205797SUSE bug 1206028SUSE bug 1206071SUSE bug 1206072SUSE bug 1206075SUSE bug 1206077SUSE bug 1206866SUSE bug 1206867SUSE bug 1206868SUSE bug 1207162SUSE bug 1207396CVE-2022-3491 at SUSECVE-2022-3491 at NVDCVE-2022-3520 at SUSECVE-2022-3520 at NVDCVE-2022-3591 at SUSECVE-2022-3591 at NVDCVE-2022-3705 at SUSECVE-2022-3705 at NVDCVE-2022-4141 at SUSECVE-2022-4141 at NVDCVE-2022-4292 at SUSECVE-2022-4292 at NVDCVE-2022-4293 at SUSECVE-2022-4293 at NVDCVE-2023-0049 at SUSECVE-2023-0049 at NVDCVE-2023-0051 at SUSECVE-2023-0051 at NVDCVE-2023-0054 at SUSECVE-2023-0054 at NVDCVE-2023-0288 at SUSECVE-2023-0288 at NVDCVE-2023-0433 at SUSECVE-2023-0433 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for shim (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for shim fixes the following issues:
- Update only adds the CVE reference to the previously released update (bsc#1198458, CVE-2022-28737)
ImportantSUSE bug 1198458CVE-2022-28737 at SUSECVE-2022-28737 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for ncurses (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ncurses fixes the following issues:
- CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434).
ModerateSUSE bug 1210434CVE-2023-29491 at SUSECVE-2023-29491 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for dnsmasq (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for dnsmasq fixes the following issues:
- CVE-2023-28450: Fixed default maximum size for EDNS.0 UDP packets (bsc#1209358).
ModerateSUSE bug 1209358CVE-2023-28450 at SUSECVE-2023-28450 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python fixes the following issues:
- CVE-2022-45061: Fixed an excessive CPU usage when decoding crafted
IDNA domain names (bsc#1205244).
Non-security fixes:
- Fixed the 2038 bug in the compileall module (bsc#1202666).
ImportantSUSE bug 1202666SUSE bug 1205244CVE-2022-45061 at SUSECVE-2022-45061 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for ntp (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ntp fixes the following issues:
Fixed multiple out of bound writes:
CVE-2023-26551 (bsc#1210386), CVE-2023-26552 (bsc#1210388), CVE-2023-26553 (bsc#1210387), CVE-2023-26554 (bsc#1210389).
ModerateSUSE bug 1210386SUSE bug 1210387SUSE bug 1210388SUSE bug 1210389CVE-2023-26551 at SUSECVE-2023-26551 at NVDCVE-2023-26552 at SUSECVE-2023-26552 at NVDCVE-2023-26553 at SUSECVE-2023-26553 at NVDCVE-2023-26554 at SUSECVE-2023-26554 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Extended Support Release 102.11.0 ESR (bsc#1211175):
- CVE-2023-32205: Browser prompts could have been obscured by popups
- CVE-2023-32206: Crash in RLBox Expat driver
- CVE-2023-32207: Potential permissions request bypass via clickjacking
- CVE-2023-32211: Content process crash due to invalid wasm code
- CVE-2023-32212: Potential spoof due to obscured address bar
- CVE-2023-32213: Potential memory corruption in FileReader::DoReadData()
- CVE-2023-32214: Potential DoS via exposed protocol handlers
- CVE-2023-32215: Memory safety bugs fixed in Firefox 113 and Firefox ESR 102.11
ImportantSUSE bug 1211175CVE-2023-32205 at SUSECVE-2023-32205 at NVDCVE-2023-32206 at SUSECVE-2023-32206 at NVDCVE-2023-32207 at SUSECVE-2023-32207 at NVDCVE-2023-32211 at SUSECVE-2023-32211 at NVDCVE-2023-32212 at SUSECVE-2023-32212 at NVDCVE-2023-32213 at SUSECVE-2023-32213 at NVDCVE-2023-32214 at SUSECVE-2023-32214 at NVDCVE-2023-32215 at SUSECVE-2023-32215 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for SUSE Manager Client Tools (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update fixes the following issues:
golang-github-prometheus-alertmanager:
- Security issues fixed:
* CVE-2022-46146: Fix authentication bypass via cache poisoning (bsc#1208051)
prometheus-blackbox_exporter:
- Security issues fixed:
* CVE-2022-46146: Fix authentication bypass via cache poisoning (bsc#1208062)
- Other non-security bugs fixed and changes:
* Add `min_version` parameter of `tls_config` to allow enabling TLS 1.0 and 1.1 (bsc#1209113)
* On SUSE Linux Enterprise build always with Go >= 1.19 (bsc#1203599)
prometheus-postgres_exporter:
- Security issues fixed:
* CVE-2022-46146: Fix authentication bypass via cache poisoning (bsc#1208060)
- Other non-security issues fixed:
* Adapt the systemd service security configuration to be able to start it on for Red Hat Linux Enterprise systems and
clones
* Create the prometheus user for Red Hat Linux Enterprise systems and clones
* Fix broken log-level for values other than debug (bsc#1208965)
golang-github-prometheus-node_exporter:
- Security issues fixed in this version update to version 1.5.0 (jsc#PED-3578):
* CVE-2022-27191: Update go/x/crypto (bsc#1197284)
* CVE-2022-27664: Update go/x/net (bsc#1203185)
* CVE-2022-46146: Update exporter-toolkit (bsc#1208064)
- Other non-security bug fixes and changes in this version update to 1.5.0 (jsc#PED-3578):
* NOTE: This changes the Go runtime 'GOMAXPROCS' to 1. This is done to limit the concurrency of the exporter to 1 CPU
thread at a time in order to avoid a race condition problem in the Linux kernel and parallel IO issues on nodes
with high numbers of CPUs/CPU threads.
* [BUGFIX] Fix hwmon label sanitizer
* [BUGFIX] Use native endianness when encoding InetDiagMsg
* [BUGFIX] Fix btrfs device stats always being zero
* [BUGFIX] Fix diskstats exclude flags
* [BUGFIX] [node-mixin] Fix fsSpaceAvailableCriticalThreshold and fsSpaceAvailableWarning
* [BUGFIX] Fix concurrency issue in ethtool collector
* [BUGFIX] Fix concurrency issue in netdev collector
* [BUGFIX] Fix diskstat reads and write metrics for disks with different sector sizes
* [BUGFIX] Fix iostat on macos broken by deprecation warning
* [BUGFIX] Fix NodeFileDescriptorLimit alerts
* [BUGFIX] Sanitize rapl zone names
* [BUGFIX] Add file descriptor close safely in test
* [BUGFIX] Fix race condition in os_release.go
* [BUGFIX] Skip ZFS IO metrics if their paths are missing
* [BUGFIX] Handle nil CPU thermal power status on M1
* [BUGFIX] bsd: Ignore filesystems flagged as MNT_IGNORE
* [BUGFIX] Sanitize UTF-8 in dmi collector
* [CHANGE] Merge metrics descriptions in textfile collector
* [FEATURE] Add multiple listeners and systemd socket listener activation
* [FEATURE] [node-mixin] Add darwin dashboard to mixin
* [FEATURE] Add 'isolated' metric on cpu collector on linux
* [FEATURE] Add cgroup summary collector
* [FEATURE] Add selinux collector
* [FEATURE] Add slab info collector
* [FEATURE] Add sysctl collector
* [FEATURE] Also track the CPU Spin time for OpenBSD systems
* [FEATURE] Add support for MacOS version
* [ENHANCEMENT] Add RTNL version of netclass collector
* [ENHANCEMENT] [node-mixin] Add missing selectors
* [ENHANCEMENT] [node-mixin] Change current datasource to grafana's default
* [ENHANCEMENT] [node-mixin] Change disk graph to disk table
* [ENHANCEMENT] [node-mixin] Change io time units to %util
* [ENHANCEMENT] Ad user_wired_bytes and laundry_bytes on *bsd
* [ENHANCEMENT] Add additional vm_stat memory metrics for darwin
* [ENHANCEMENT] Add device filter flags to arp collector
* [ENHANCEMENT] Add diskstats include and exclude device flags
* [ENHANCEMENT] Add node_softirqs_total metric
* [ENHANCEMENT] Add rapl zone name label option
* [ENHANCEMENT] Add slabinfo collector
* [ENHANCEMENT] Allow user to select port on NTP server to query
* [ENHANCEMENT] collector/diskstats: Add labels and metrics from udev
* [ENHANCEMENT] Enable builds against older macOS SDK
* [ENHANCEMENT] qdisk-linux: Add exclude and include flags for interface name
* [ENHANCEMENT] systemd: Expose systemd minor version
* [ENHANCEMENT] Use netlink for tcpstat collector
* [ENHANCEMENT] Use netlink to get netdev stats
* [ENHANCEMENT] Add additional perf counters for stalled frontend/backend cycles
* [ENHANCEMENT] Add btrfs device error stats
golang-github-prometheus-prometheus:
- Security issues fixed in this version update to 2.37.6 (jsc#PED-3576):
* CVE-2022-46146: Fix basic authentication bypass vulnerability (bsc#1208049, jsc#PED-3576)
* CVE-2022-41715: Update our regexp library to fix upstream (bsc#1204023)
- Other non-security bug fixes and changes in this version update to 2.37.6 (jsc#PED-3576):
* [BUGFIX] TSDB: Turn off isolation for Head compaction to fix a memory leak.
* [BUGFIX] TSDB: Fix 'invalid magic number 0' error on Prometheus startup.
* [BUGFIX] Agent: Fix validation of flag options and prevent WAL from growing more than desired.
* [BUGFIX] Properly close file descriptor when logging unfinished queries.
* [BUGFIX] TSDB: In the WAL watcher metrics, expose the type='exemplar' label instead of type='unknown' for exemplar
records.
* [BUGFIX] Alerting: Fix Alertmanager targets not being updated when alerts were queued.
* [BUGFIX] Hetzner SD: Make authentication files relative to Prometheus config file.
* [BUGFIX] Promtool: Fix promtool check config not erroring properly on failures.
* [BUGFIX] Scrape: Keep relabeled scrape interval and timeout on reloads.
* [BUGFIX] TSDB: Don't increment prometheus_tsdb_compactions_failed_total when context is canceled.
* [BUGFIX] TSDB: Fix panic if series is not found when deleting series.
* [BUGFIX] TSDB: Increase prometheus_tsdb_mmap_chunk_corruptions_total on out of sequence errors.
* [BUGFIX] Uyuni SD: Make authentication files relative to Prometheus configuration file and fix default
configuration values.
* [BUGFIX] Fix serving of static assets like fonts and favicon.
* [BUGFIX] promtool: Add --lint-fatal option.
* [BUGFIX] Changing TotalQueryableSamples from int to int64.
* [BUGFIX] tsdb/agent: Ignore duplicate exemplars.
* [BUGFIX] TSDB: Fix chunk overflow appending samples at a variable rate.
* [BUGFIX] Stop rule manager before TSDB is stopped.
* [BUGFIX] Kubernetes SD: Explicitly include gcp auth from k8s.io.
* [BUGFIX] Fix OpenMetrics parser to sort uppercase labels correctly.
* [BUGFIX] UI: Fix scrape interval and duration tooltip not showing on target page.
* [BUGFIX] Tracing/GRPC: Set TLS credentials only when insecure is false.
* [BUGFIX] Agent: Fix ID collision when loading a WAL with multiple segments.
* [BUGFIX] Remote-write: Fix a deadlock between Batch and flushing the queue.
* [BUGFIX] PromQL: Properly return an error from histogram_quantile when metrics have the same labelset.
* [BUGFIX] UI: Fix bug that sets the range input to the resolution.
* [BUGFIX] TSDB: Fix a query panic when memory-snapshot-on-shutdown is enabled.
* [BUGFIX] Parser: Specify type in metadata parser errors.
* [BUGFIX] Scrape: Fix label limit changes not applying.
* [BUGFIX] Remote-write: Fix deadlock between adding to queue and getting batch.
* [BUGFIX] TSDB: Fix panic when m-mapping head chunks onto the disk.
* [BUGFIX] Azure SD: Fix a regression when public IP Address isn't set.
* [BUGFIX] Azure SD: Fix panic when public IP Address isn't set.
* [BUGFIX] Remote-write: Fix deadlock when stopping a shard.
* [BUGFIX] SD: Fix no such file or directory in K8s SD when not running inside K8s.
* [BUGFIX] Promtool: Make exit codes more consistent.
* [BUGFIX] Promtool: Fix flakiness of rule testing.
* [BUGFIX] Remote-write: Update prometheus_remote_storage_queue_highest_sent_timestamp_seconds metric when write
irrecoverably fails.
* [BUGFIX] Storage: Avoid panic in BufferedSeriesIterator.
* [BUGFIX] TSDB: CompactBlockMetas should produce correct mint/maxt for overlapping blocks.
* [BUGFIX] TSDB: Fix logging of exemplar storage size.
* [BUGFIX] UI: Fix overlapping click targets for the alert state checkboxes.
* [BUGFIX] UI: Fix Unhealthy filter on target page to actually display only Unhealthy targets.
* [BUGFIX] UI: Fix autocompletion when expression is empty.
* [BUGFIX] TSDB: Fix deadlock from simultaneous GC and write.
* [CHANGE] TSDB: Delete *.tmp WAL files when Prometheus starts.
* [CHANGE] promtool: Add new flag --lint (enabled by default) for the commands check rules and check config, resulting
in a new exit code (3) for linter errors.
* [CHANGE] UI: Classic UI removed.
* [CHANGE] Tracing: Migrate from Jaeger to OpenTelemetry based tracing.
* [CHANGE] PromQL: Promote negative offset and @ modifer to stable features.
* [CHANGE] Web: Promote remote-write-receiver to stable.
* [FEATURE] Nomad SD: New service discovery for Nomad built-in service discovery.
* [FEATURE] Add lowercase and uppercase relabel action.
* [FEATURE] SD: Add IONOS Cloud integration.
* [FEATURE] SD: Add Vultr integration.
* [FEATURE] SD: Add Linode SD failure count metric.
* [FEATURE] Add prometheus_ready metric.
* [FEATURE] Support for automatically setting the variable GOMAXPROCS to the container CPU limit.
Enable with the flag `--enable-feature=auto-gomaxprocs`.
* [FEATURE] PromQL: Extend statistics with total and peak number of samples in a query.
Additionally, per-step statistics are available with --enable-feature=promql-per-step-stats and using
stats=all in the query API. Enable with the flag `--enable-feature=per-step-stats`.
* [FEATURE] Config: Add stripPort template function.
* [FEATURE] Promtool: Add cardinality analysis to check metrics, enabled by flag --extended.
* [FEATURE] SD: Enable target discovery in own K8s namespace.
* [FEATURE] SD: Add provider ID label in K8s SD.
* [FEATURE] Web: Add limit field to the rules API.
* [ENHANCEMENT] Kubernetes SD: Allow attaching node labels for endpoint role.
* [ENHANCEMENT] PromQL: Optimise creation of signature with/without labels.
* [ENHANCEMENT] TSDB: Memory optimizations.
* [ENHANCEMENT] TSDB: Reduce sleep time when reading WAL.
* [ENHANCEMENT] OAuth2: Add appropriate timeouts and User-Agent header.
* [ENHANCEMENT] Add stripDomain to template function.
* [ENHANCEMENT] UI: Enable active search through dropped targets.
* [ENHANCEMENT] promtool: support matchers when querying label
* [ENHANCEMENT] Add agent mode identifier.
* [ENHANCEMENT] TSDB: more efficient sorting of postings read from WAL at startup.
* [ENHANCEMENT] Azure SD: Add metric to track Azure SD failures.
* [ENHANCEMENT] Azure SD: Add an optional resource_group configuration.
* [ENHANCEMENT] Kubernetes SD: Support discovery.k8s.io/v1
EndpointSlice (previously only discovery.k8s.io/v1beta1
EndpointSlice was supported).
* [ENHANCEMENT] Kubernetes SD: Allow attaching node metadata to discovered pods.
* [ENHANCEMENT] OAuth2: Support for using a proxy URL to fetch OAuth2 tokens.
* [ENHANCEMENT] Configuration: Add the ability to disable HTTP2.
* [ENHANCEMENT] Config: Support overriding minimum TLS version.
* [ENHANCEMENT] TSDB: Disable the chunk write queue by default and allow configuration with the experimental flag
`--storage.tsdb.head-chunks-write-queue-size`.
* [ENHANCEMENT] HTTP SD: Add a failure counter.
* [ENHANCEMENT] Azure SD: Set Prometheus User-Agent on requests.
* [ENHANCEMENT] Uyuni SD: Reduce the number of logins to Uyuni.
* [ENHANCEMENT] Scrape: Log when an invalid media type is encountered during a scrape.
* [ENHANCEMENT] Scrape: Accept application/openmetrics-text;version=1.0.0 in addition to version=0.0.1.
* [ENHANCEMENT] Remote-read: Add an option to not use external labels as selectors for remote read.
* [ENHANCEMENT] UI: Optimize the alerts page and add a search bar.
* [ENHANCEMENT] UI: Improve graph colors that were hard to see.
* [ENHANCEMENT] Config: Allow escaping of $ with $$ when using environment variables with external labels.
* [ENHANCEMENT] Remote-write: Avoid allocations by buffering concrete structs instead of interfaces.
* [ENHANCEMENT] Remote-write: Log time series details for out-of-order samples in remote write receiver.
* [ENHANCEMENT] Remote-write: Shard up more when backlogged.
* [ENHANCEMENT] TSDB: Use simpler map key to improve exemplar ingest performance.
* [ENHANCEMENT] TSDB: Avoid allocations when popping from the intersected postings heap.
* [ENHANCEMENT] TSDB: Make chunk writing non-blocking, avoiding latency spikes in remote-write.
* [ENHANCEMENT] TSDB: Improve label matching performance.
* [ENHANCEMENT] UI: Optimize the service discovery page and add a search bar.
* [ENHANCEMENT] UI: Optimize the target page and add a search bar.
golang-github-prometheus-promu:
- Non-security bug fixes and changes in this version update to 0.14.0 (jsc#PED-3576):
* [BUGFIX] Set build date from last changelog modification (bsc#1047218)
* [BUGFIX] Validate environment variable value
* [BUGFIX]Set build date from SOURCE_DATE_EPOCH
* [BUGFIX]Make extldflags extensible by configuration.
* [BUGFIX] Avoid bind-mounting to allow building with a remote docker engine
* [BUGFIX] Fix build on SmartOS by not setting gcc's -static flag
* [BUGFIX] Fix git repository url parsing
* [CHANGE] Remove ioutil
* [CHANGE] Update common Prometheus files
* [FEATURE] Add the ability to override tags per GOOS
* [FEATURE] Adding changes to support s390x
* [FEATURE] Added check_licenses Command to Promu
* [ENHANCEMENT] Allow to customize nested options via env variables
* [ENHANCEMENT] Add warning if promu info is unable to determine repo info
ImportantSUSE bug 1047218SUSE bug 1197284SUSE bug 1203185SUSE bug 1203599SUSE bug 1204023SUSE bug 1208049SUSE bug 1208051SUSE bug 1208060SUSE bug 1208062SUSE bug 1208064SUSE bug 1208965SUSE bug 1209113CVE-2022-27191 at SUSECVE-2022-27191 at NVDCVE-2022-27664 at SUSECVE-2022-27664 at NVDCVE-2022-41715 at SUSECVE-2022-41715 at NVDCVE-2022-46146 at SUSECVE-2022-46146 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for postgresql12 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql12 fixes the following issues:
Updated to version 12.15:
- CVE-2023-2454: Fixed an issue where a user having permission to
create a schema could hijack the privileges of a security definer
function or extension script (bsc#1211228).
- CVE-2023-2455: Fixed an issue that could allow a user to see or
modify rows that should have been invisible (bsc#1211229).
- Internal fixes (bsc#1210303).
ImportantSUSE bug 1210303SUSE bug 1211228SUSE bug 1211229CVE-2023-2454 at SUSECVE-2023-2454 at NVDCVE-2023-2455 at SUSECVE-2023-2455 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql13 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql13 fixes the following issues:
Updated to version 13.11:
- CVE-2023-2454: Fixed an issue where a user having permission to
create a schema could hijack the privileges of a security definer
function or extension script (bsc#1211228).
- CVE-2023-2455: Fixed an issue that could allow a user to see or
modify rows that should have been invisible (bsc#1211229).
- Internal fixes (bsc#1210303).
ImportantSUSE bug 1210303SUSE bug 1211228SUSE bug 1211229CVE-2023-2454 at SUSECVE-2023-2454 at NVDCVE-2023-2455 at SUSECVE-2023-2455 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql14 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql14 fixes the following issues:
Updated to version 14.8:
- CVE-2023-2454: Fixed an issue where a user having permission to
create a schema could hijack the privileges of a security definer
function or extension script (bsc#1211228).
- CVE-2023-2455: Fixed an issue that could allow a user to see or
modify rows that should have been invisible (bsc#1211229).
- Internal fixes (bsc#1210303).
ImportantSUSE bug 1210303SUSE bug 1211228SUSE bug 1211229CVE-2023-2454 at SUSECVE-2023-2454 at NVDCVE-2023-2455 at SUSECVE-2023-2455 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql15 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql15 fixes the following issues:
Updated to version 15.3:
- CVE-2023-2454: Fixed an issue where a user having permission to
create a schema could hijack the privileges of a security definer
function or extension script (bsc#1211228).
- CVE-2023-2455: Fixed an issue that could allow a user to see or
modify rows that should have been invisible (bsc#1211229).
- Internal fixes (bsc#1210303).
ImportantSUSE bug 1210303SUSE bug 1211228SUSE bug 1211229CVE-2023-2454 at SUSECVE-2023-2454 at NVDCVE-2023-2455 at SUSECVE-2023-2455 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for curl (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for curl fixes the following issues:
- CVE-2023-28320: Fixed siglongjmp race condition (bsc#1211231).
- CVE-2023-28321: Fixed IDN wildcard matching (bsc#1211232).
- CVE-2023-28322: Fixed POST-after-PUT confusion (bsc#1211233).
ImportantSUSE bug 1211231SUSE bug 1211232SUSE bug 1211233SUSE bug 1211339CVE-2023-28320 at SUSECVE-2023-28320 at NVDCVE-2023-28321 at SUSECVE-2023-28321 at NVDCVE-2023-28322 at SUSECVE-2023-28322 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-openjdk fixes the following issues:
- Updated to version jdk8u372 (icedtea-3.27.0):
- CVE-2023-21930: Fixed an issue in the JSSE component that could
allow an attacker to access critical data without authorization
(bsc#1210628).
- CVE-2023-21937: Fixed an issue in the Networking component that
could allow an attacker to update, insert or delete some data
without authorization (bsc#1210631).
- CVE-2023-21938: Fixed an issue in the Libraries component that
could allow an attacker to update, insert or delete some data
without authorization (bsc#1210632).
- CVE-2023-21939: Fixed an issue in the Swing component that could
allow an attacker to update, insert or delete some data without
authorization (bsc#1210634).
- CVE-2023-21954: Fixed an issue in the Hotspot component that
could allow an attacker to access critical data without
authorization (bsc#1210635).
- CVE-2023-21967: Fixed an issue in the JSSE component that could
allow an attacker to cause a hang or frequently repeatable
crash without authorization (bsc#1210636).
- CVE-2023-21968: Fixed an issue in the Libraries component that
could allow an attacker to update, insert or delete some data
without authorization (bsc#1210637).
ImportantSUSE bug 1210628SUSE bug 1210631SUSE bug 1210632SUSE bug 1210634SUSE bug 1210635SUSE bug 1210636SUSE bug 1210637CVE-2023-21930 at SUSECVE-2023-21930 at NVDCVE-2023-21937 at SUSECVE-2023-21937 at NVDCVE-2023-21938 at SUSECVE-2023-21938 at NVDCVE-2023-21939 at SUSECVE-2023-21939 at NVDCVE-2023-21954 at SUSECVE-2023-21954 at NVDCVE-2023-21967 at SUSECVE-2023-21967 at NVDCVE-2023-21968 at SUSECVE-2023-21968 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for ctags (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ctags fixes the following issues:
- CVE-2022-4515: Fixed a command injection issue via a tag file wih a
crafted filename (bsc#1206543).
ImportantSUSE bug 1206543CVE-2022-4515 at SUSECVE-2022-4515 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for openvswitch (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openvswitch fixes the following issues:
- CVE-2022-4338: Fixed Integer Underflow in Organization Specific TLV (bsc#1206580).
- CVE-2022-4337: Fixed Out-of-Bounds Read in Organization Specific TLV (bsc#1206581).
ImportantSUSE bug 1206580SUSE bug 1206581CVE-2022-4337 at SUSECVE-2022-4337 at NVDCVE-2022-4338 at SUSECVE-2022-4338 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ucode-intel fixes the following issues:
- Updated to Intel CPU Microcode 20230512 release. (bsc#1211382)
- New Platforms
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| ADL-N | A0 | 06-be-00/01 | | 00000010 | Core i3-N305/N300, N50/N97/N100/N200, Atom x7211E/x7213E/x7425E
| AZB | A0 | 06-9a-04/40 | | 00000004 | Intel(R) Atom(R) C1100
| AZB | R0 | 06-9a-04/40 | | 00000004 | Intel(R) Atom(R) C1100
- Updated Platforms
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| ADL | L0 | 06-9a-03/80 | 00000429 | 0000042a | Core Gen12
| ADL | L0 | 06-9a-04/80 | 00000429 | 0000042a | Core Gen12
| AML-Y22 | H0 | 06-8e-09/10 | | 000000f2 | Core Gen8 Mobile
| AML-Y42 | V0 | 06-8e-0c/94 | 000000f4 | 000000f6 | Core Gen10 Mobile
| CFL-H | R0 | 06-9e-0d/22 | 000000f4 | 000000f8 | Core Gen9 Mobile
| CFL-H/S | P0 | 06-9e-0c/22 | 000000f0 | 000000f2 | Core Gen9
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000f0 | 000000f2 | Core Gen8 Desktop, Mobile, Xeon E
| CFL-S | B0 | 06-9e-0b/02 | 000000f0 | 000000f2 | Core Gen8
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000f0 | 000000f2 | Core Gen8 Mobile
| CLX-SP | B0 | 06-55-06/bf | 04003303 | 04003501 | Xeon Scalable Gen2
| CLX-SP | B1 | 06-55-07/bf | 05003303 | 05003501 | Xeon Scalable Gen2
| CML-H | R1 | 06-a5-02/20 | 000000f4 | 000000f6 | Core Gen10 Mobile
| CML-S102 | Q0 | 06-a5-05/22 | 000000f4 | 000000f6 | Core Gen10
| CML-S62 | G1 | 06-a5-03/22 | 000000f4 | 000000f6 | Core Gen10
| CML-U62 V1 | A0 | 06-a6-00/80 | 000000f4 | 000000f6 | Core Gen10 Mobile
| CML-U62 V2 | K1 | 06-a6-01/80 | 000000f4 | 000000f6 | Core Gen10 Mobile
| CML-Y42 | V0 | 06-8e-0c/94 | 000000f4 | 000000f6 | Core Gen10 Mobile
| CPX-SP | A1 | 06-55-0b/bf | 07002503 | 07002601 | Xeon Scalable Gen3
| ICL-D | B0 | 06-6c-01/10 | 01000211 | 01000230 | Xeon D-17xx, D-27xx
| ICL-U/Y | D1 | 06-7e-05/80 | 000000b8 | 000000ba | Core Gen10 Mobile
| ICX-SP | D0 | 06-6a-06/87 | 0d000389 | 0d000390 | Xeon Scalable Gen3
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000f0 | 000000f2 | Core Gen7; Xeon E3 v6
| KBL-U/Y | H0 | 06-8e-09/c0 | | 000000f2 | Core Gen7 Mobile
| LKF | B2/B3 | 06-8a-01/10 | 00000032 | 00000033 | Core w/Hybrid Technology
| RKL-S | B0 | 06-a7-01/02 | 00000057 | 00000058 | Core Gen11
| RPL-H 6+8 | J0 | 06-ba-02/07 | 0000410e | 00004112 | Core Gen13
| RPL-P 6+8 | J0 | 06-ba-02/07 | 0000410e | 00004112 | Core Gen13
| RPL-S | S0 | 06-b7-01/32 | 00000112 | 00000113 | Core Gen13
| RPL-U 2+8 | Q0 | 06-ba-03/07 | 0000410e | 00004112 | Core Gen13
| SKX-D | H0 | 06-55-04/b7 | | 02006f05 | Xeon D-21xx
| SKX-SP | B1 | 06-55-03/97 | 01000161 | 01000171 | Xeon Scalable
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | | 02006f05 | Xeon Scalable
| SPR-HBM | B3 | 06-8f-08/10 | 2c000170 | 2c0001d1 | Xeon Max
| SPR-SP | E0 | 06-8f-04/87 | 2b000181 | 2b000461 | Xeon Scalable Gen4
| SPR-SP | E2 | 06-8f-05/87 | 2b000181 | 2b000461 | Xeon Scalable Gen4
| SPR-SP | E3 | 06-8f-06/87 | 2b000181 | 2b000461 | Xeon Scalable Gen4
| SPR-SP | E4 | 06-8f-07/87 | 2b000181 | 2b000461 | Xeon Scalable Gen4
| SPR-SP | E5 | 06-8f-08/87 | 2b000181 | 2b000461 | Xeon Scalable Gen4
| SPR-SP | S2 | 06-8f-07/87 | 2b000181 | 2b000461 | Xeon Scalable Gen4
| SPR-SP | S3 | 06-8f-08/87 | 2b000181 | 2b000461 | Xeon Scalable Gen4
| TGL | B1 | 06-8c-01/80 | 000000a6 | 000000aa | Core Gen11 Mobile
| TGL-H | R0 | 06-8d-01/c2 | 00000042 | 00000044 | Core Gen11 Mobile
| TGL-R | C0 | 06-8c-02/c2 | 00000028 | 0000002a | Core Gen11 Mobile
| WHL-U | V0 | 06-8e-0c/94 | 000000f4 | 000000f6 | Core Gen8 Mobile
| WHL-U | W0 | 06-8e-0b/d0 | | 000000f2 | Core Gen8 Mobile
ImportantSUSE bug 1208479SUSE bug 1211382CVE-2022-33972 at SUSECVE-2022-33972 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for tomcat (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tomcat fixes the following issues:
- CVE-2023-28709: Mended an incomplete fix for CVE-2023-24998 (bsc#1211608).
ImportantSUSE bug 1211608CVE-2023-28709 at SUSECVE-2023-28709 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for tiff (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tiff fixes the following issues:
Fixed multiple out of bounds read/write security issues:
CVE-2023-0795 (bsc#1208226), CVE-2023-0796 (bsc#1208227), CVE-2023-0797 (bsc#1208228),
CVE-2023-0798 (bsc#1208229), CVE-2023-0799 (bsc#1208230), CVE-2023-0800 (bsc#1208231),
CVE-2023-0801 (bsc#1208232), CVE-2023-0802 (bsc#1208233), CVE-2023-0803 (bsc#1208234),
CVE-2023-0804 (bsc#1208236).
ModerateSUSE bug 1208226SUSE bug 1208227SUSE bug 1208228SUSE bug 1208229SUSE bug 1208230SUSE bug 1208231SUSE bug 1208232SUSE bug 1208233SUSE bug 1208234SUSE bug 1208236CVE-2023-0795 at SUSECVE-2023-0795 at NVDCVE-2023-0796 at SUSECVE-2023-0796 at NVDCVE-2023-0797 at SUSECVE-2023-0797 at NVDCVE-2023-0798 at SUSECVE-2023-0798 at NVDCVE-2023-0799 at SUSECVE-2023-0799 at NVDCVE-2023-0800 at SUSECVE-2023-0800 at NVDCVE-2023-0801 at SUSECVE-2023-0801 at NVDCVE-2023-0802 at SUSECVE-2023-0802 at NVDCVE-2023-0803 at SUSECVE-2023-0803 at NVDCVE-2023-0804 at SUSECVE-2023-0804 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openssl (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssl fixes the following issues:
- CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430).
ImportantSUSE bug 1211430CVE-2023-2650 at SUSECVE-2023-2650 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for ImageMagick (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ImageMagick fixes the following issues:
- CVE-2023-34151: Fixed an undefined behavior issue due to floating
point truncation (bsc#1211791).
LowSUSE bug 1211791CVE-2023-34151 at SUSECVE-2023-34151 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for cups (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for cups fixes the following issues:
- CVE-2023-32324: Fixed a buffer overflow in format_log_line() which could cause a denial-of-service (bsc#1211643).
ImportantSUSE bug 1211643CVE-2023-32324 at SUSECVE-2023-32324 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for openldap2 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openldap2 fixes the following issues:
- CVE-2023-2953: Fixed null pointer deref in ber_memalloc_x (bsc#1211795).
ModerateSUSE bug 1211795CVE-2023-2953 at SUSECVE-2023-2953 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Extended Support Release 102.12.0 ESR (bsc#1211922):
- CVE-2023-34414: Click-jacking certificate exceptions through rendering lag
- CVE-2023-34416: Memory safety bugs fixed in Firefox 114 and Firefox ESR 102.12
ImportantSUSE bug 1211922CVE-2023-34414 at SUSECVE-2023-34414 at NVDCVE-2023-34416 at SUSECVE-2023-34416 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for python (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python fixes the following issues:
- CVE-2023-24329: Fixed a blocklist bypass via the urllib.parse component when supplying a URL that starts with blank characters (bsc#1208471).
ImportantSUSE bug 1208471CVE-2023-24329 at SUSECVE-2023-24329 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python36 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python36 fixes the following issues:
- CVE-2007-4559: Fixed filter for tarfile.extractall (bsc#1203750).
- Fixed unittest.mock.patch.dict returns function when applied to coroutines (bsc#1211158).
ModerateSUSE bug 1203750SUSE bug 1211158CVE-2007-4559 at SUSECVE-2007-4559 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for supportutils (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for supportutils fixes the following issues:
Security fixes:
- CVE-2022-45154: Removed iSCSI passwords from supportconfig archive (bsc#1207598).
Bug fixes:
- Fixed missing status detail for apparmor (bsc#1196933)
- Corrected invalid argument list in docker.txt (bsc#1206608)
- Changed _sanitize_file to include lio_setup.sh (bsc#1206350)
ModerateSUSE bug 1196933SUSE bug 1206350SUSE bug 1206608SUSE bug 1207598CVE-2022-45154 at SUSECVE-2022-45154 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for opensc (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for opensc fixes the following issues:
- CVE-2023-2977: Fixed out of bounds read in pkcs15 cardos_have_verifyrc_package() (bsc#1211894).
ModerateSUSE bug 1211894CVE-2023-2977 at SUSECVE-2023-2977 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-ibm fixes the following issues:
- CVE-2023-21930: Fixed possible compromise from unauthenticated attacker with network access via TLS (bsc#1210628).
- CVE-2023-21937: Fixed vulnerability inside the networking component (bsc#1210631).
- CVE-2023-21938: Fixed vulnerability inside the library component (bsc#1210632).
- CVE-2023-21939: Fixed vulnerability inside the swing component (bsc#1210634).
- CVE-2023-21968: Fixed vulnerability inside the library component (bsc#1210637).
- CVE-2023-2597: Fixed buffer overflow in shared cache implementation (bsc#1211615).
- CVE-2023-21967: Fixed vulnerability inside the JSSE component (bsc#1210636).
- CVE-2023-21954: Fixed vulnerability inside the hotspot component (bsc#1210635).
Additional reference fixed already in 8.0.7.15:
- CVE-2023-30441: Fixed components that could have exposed sensitive information using a combination of flaws and configurations (bsc#1210711).
ImportantSUSE bug 1210628SUSE bug 1210631SUSE bug 1210632SUSE bug 1210634SUSE bug 1210635SUSE bug 1210636SUSE bug 1210637SUSE bug 1210711SUSE bug 1210826SUSE bug 1211615CVE-2023-21930 at SUSECVE-2023-21930 at NVDCVE-2023-21937 at SUSECVE-2023-21937 at NVDCVE-2023-21938 at SUSECVE-2023-21938 at NVDCVE-2023-21939 at SUSECVE-2023-21939 at NVDCVE-2023-21954 at SUSECVE-2023-21954 at NVDCVE-2023-21967 at SUSECVE-2023-21967 at NVDCVE-2023-21968 at SUSECVE-2023-21968 at NVDCVE-2023-2597 at SUSECVE-2023-2597 at NVDCVE-2023-30441 at SUSECVE-2023-30441 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libcares2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libcares2 fixes the following issues:
- CVE-2023-32067: Fixed a denial of service that could be triggered by
a 0-byte UDP payload (bsc#1211604).
- CVE-2023-31147: Fixed an insufficient randomness in generation of
DNS query IDs (bsc#1211605).
- CVE-2023-31130: Fixed a buffer underflow when configuring specific
IPv6 addresses (bsc#1211606).
- CVE-2023-31124: Fixed a build issue when cross-compiling that could
lead to insufficient randomness (bsc#1211607).
ImportantSUSE bug 1211604SUSE bug 1211605SUSE bug 1211606SUSE bug 1211607CVE-2023-31124 at SUSECVE-2023-31124 at NVDCVE-2023-31130 at SUSECVE-2023-31130 at NVDCVE-2023-31147 at SUSECVE-2023-31147 at NVDCVE-2023-32067 at SUSECVE-2023-32067 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for gdb (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gdb fixes the following issues:
gdb was updated to 12.1. (jsc#SLE-21561)
* DBX mode is deprecated, and will be removed in GDB 13.
* GDB 12 is the last release of GDB that will support building against
Python 2. From GDB 13, it will only be possible to build GDB itself
with Python 3 support.
* Improved C++ template support:
GDB now treats functions/types involving C++ templates like it does function
overloads. Users may omit parameter lists to set breakpoints on families of
template functions, including types/functions composed of multiple template types:
(gdb) break template_func(template_1, int)
The above will set breakpoints at every function `template_func' where
the first function parameter is any template type named `template_1' and
the second function parameter is `int'.
TAB completion also gains similar improvements.
* New commands:
- maint set backtrace-on-fatal-signal on|off
- maint show backtrace-on-fatal-signal
This setting is 'on' by default. When 'on' GDB will print a limited
backtrace to stderr in the situation where GDB terminates with a
fatal signal. This only supported on some platforms where the
backtrace and backtrace_symbols_fd functions are available.
- set source open on|off
- show source open
This setting, which is on by default, controls whether GDB will try
to open source code files. Switching this off will stop GDB trying
to open and read source code files, which can be useful if the files
are located over a slow network connection.
- set varsize-limit
- show varsize-limit
These are now deprecated aliases for 'set max-value-size' and
'show max-value-size'.
- task apply [all | TASK-IDS...] [FLAG]... COMMAND
Like 'thread apply', but applies COMMAND to Ada tasks.
- watch [...] task ID
Watchpoints can now be restricted to a specific Ada task.
- maint set internal-error backtrace on|off
- maint show internal-error backtrace
- maint set internal-warning backtrace on|off
- maint show internal-warning backtrace
GDB can now print a backtrace of itself when it encounters either an
internal-error, or an internal-warning. This is on by default for
internal-error and off by default for internal-warning.
- set logging on|off
Deprecated and replaced by 'set logging enabled on|off'.
- set logging enabled on|off
- show logging enabled
These commands set or show whether logging is enabled or disabled.
- exit
You can now exit GDB by using the new command 'exit', in addition to
the existing 'quit' command.
- set debug threads on|off
- show debug threads
Print additional debug messages about thread creation and deletion.
- set debug linux-nat on|off
- show debug linux-nat
These new commands replaced the old 'set debug lin-lwp' and 'show
debug lin-lwp' respectively. Turning this setting on prints debug
messages relating to GDB's handling of native Linux inferiors.
- maint flush source-cache
Flush the contents of the source code cache.
- maint set gnu-source-highlight enabled on|off
- maint show gnu-source-highlight enabled
Whether GDB should use the GNU Source Highlight library for adding
styling to source code. When off, the library will not be used, even
when available. When GNU Source Highlight isn't used, or can't add
styling to a particular source file, then the Python Pygments
library will be used instead.
- set suppress-cli-notifications (on|off)
- show suppress-cli-notifications
This controls whether printing the notifications is suppressed for CLI.
CLI notifications occur when you change the selected context
(i.e., the current inferior, thread and/or the frame), or when
the program being debugged stops (e.g., because of hitting a
breakpoint, completing source-stepping, an interrupt, etc.).
- set style disassembler enabled on|off
- show style disassembler enabled
If GDB is compiled with Python support, and the Python Pygments
package is available, then, when this setting is on, disassembler
output will have styling applied.
- set ada source-charset
- show ada source-charset
Set the character set encoding that is assumed for Ada symbols. Valid
values for this follow the values that can be passed to the GNAT
compiler via the '-gnati' option. The default is ISO-8859-1.
* Changed commands:
- print
Printing of floating-point values with base-modifying formats like
/x has been changed to display the underlying bytes of the value in
the desired base. This was GDB's documented behavior, but was never
implemented correctly.
- maint packet
This command can now print a reply, if the reply includes
non-printable characters. Any non-printable characters are printed
as escaped hex, e.g. \x?? where '??' is replaces with the value of
the non-printable character.
- clone-inferior
The clone-inferior command now ensures that the TTY, CMD and ARGS
settings are copied from the original inferior to the new one.
All modifications to the environment variables done using the 'set
environment' or 'unset environment' commands are also copied to the new
inferior.
- set debug lin-lwp on|off
- show debug lin-lwp
These commands have been removed from GDB. The new command 'set
debug linux-nat' and 'show debug linux-nat' should be used
instead.
- info win
This command now includes information about the width of the tui
windows in its output.
* GDB's Ada parser now supports an extension for specifying the exact
byte contents of a floating-point literal. This can be useful for
setting floating-point registers to a precise value without loss of
precision. The syntax is an extension of the based literal syntax.
Use, e.g., '16lf#0123abcd#' -- the number of 'l's controls the width
of the floating-point type, and the 'f' is the marker for floating
point.
* MI changes:
** The '-add-inferior' with no option flags now inherits the
connection of the current inferior, this restores the behaviour of
GDB as it was prior to GDB 10.
** The '-add-inferior' command now accepts a '--no-connection'
option, which causes the new inferior to start without a
connection.
* Python API:
** New function gdb.add_history(), which takes a gdb.Value object
and adds the value it represents to GDB's history list. An
integer, the index of the new item in the history list, is
returned.
** New function gdb.history_count(), which returns the number of
values in GDB's value history.
** New gdb.events.gdb_exiting event. This event is called with a
gdb.GdbExitingEvent object which has the read-only attribute
'exit_code', which contains the value of the GDB exit code. This
event is triggered once GDB decides it is going to exit, but
before GDB starts to clean up its internal state.
** New function gdb.architecture_names(), which returns a list
containing all of the possible Architecture.name() values. Each
entry is a string.
** New function gdb.Architecture.integer_type(), which returns an
integer type given a size and a signed-ness.
** New gdb.TargetConnection object type that represents a connection
(as displayed by the 'info connections' command). A sub-class,
gdb.RemoteTargetConnection, is used to represent 'remote' and
'extended-remote' connections.
** The gdb.Inferior type now has a 'connection' property which is an
instance of gdb.TargetConnection, the connection used by this
inferior. This can be None if the inferior has no connection.
** New 'gdb.events.connection_removed' event registry, which emits a
'gdb.ConnectionEvent' when a connection is removed from GDB.
This event has a 'connection' property, a gdb.TargetConnection
object for the connection being removed.
** New gdb.connections() function that returns a list of all
currently active connections.
** New gdb.RemoteTargetConnection.send_packet(PACKET) method. This
is equivalent to the existing 'maint packet' CLI command; it
allows a user specified packet to be sent to the remote target.
** New function gdb.host_charset(), returns a string, which is the
name of the current host charset.
** New gdb.set_parameter(NAME, VALUE). This sets the gdb parameter
NAME to VALUE.
** New gdb.with_parameter(NAME, VALUE). This returns a context
manager that temporarily sets the gdb parameter NAME to VALUE,
then resets it when the context is exited.
** The gdb.Value.format_string method now takes a 'styling'
argument, which is a boolean. When true, the returned string can
include escape sequences to apply styling. The styling will only
be present if styling is otherwise turned on in GDB (see 'help
set styling'). When false, which is the default if the argument
is not given, then no styling is applied to the returned string.
** New read-only attribute gdb.InferiorThread.details, which is
either a string, containing additional, target specific thread
state information, or None, if there is no such additional
information.
** New read-only attribute gdb.Type.is_scalar, which is True for
scalar types, and False for all other types.
** New read-only attribute gdb.Type.is_signed. This attribute
should only be read when Type.is_scalar is True, and will be True
for signed types, and False for all other types. Attempting to
read this attribute for non-scalar types will raise a ValueError.
** It is now possible to add GDB/MI commands implemented in Python.
- Update libipt to v2.0.5.
- CVE-2018-7208: Fixed improper bounds check in coffgen.c:coff_pointerize_aux() that allowed for denial of service when parsing a crafted COFF file (bsc#1081527).
- CVE-2017-16829: Fixed possible remote denial of service via the _bfd_elf_parse_gnu_properties() function in elf-properties.c (bsc#1068950).
Bug fixes:
- Fixed license (bsc#1210081).
- Advertises RHEL version support status (bsc#1207712).
- Fixed crashes while debugging a clang-cpp app (bsc#1192285).
ModerateSUSE bug 1068950SUSE bug 1081527SUSE bug 1192285SUSE bug 1207712SUSE bug 1210081CVE-2017-16829 at SUSECVE-2017-16829 at NVDCVE-2018-7208 at SUSECVE-2018-7208 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libX11 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libX11 fixes the following issues:
- CVE-2023-3138: Fixed buffer overflows in InitExt.c (bsc#1212102).
ImportantSUSE bug 1212102CVE-2023-3138 at SUSECVE-2023-3138 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for python36-requests (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python36-requests fixes the following issues:
- CVE-2023-32681: Fixed unintended leak of Proxy-Authorization header (bsc#1211674).
ModerateSUSE bug 1211674CVE-2023-32681 at SUSECVE-2023-32681 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libwebp (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libwebp fixes the following issues:
- CVE-2023-1999: Fixed double free (bsc#1210212).
ImportantSUSE bug 1210212CVE-2023-1999 at SUSECVE-2023-1999 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for bluez (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for bluez fixes the following issues:
- CVE-2023-27349: Fixed crash while handling unsupported events (bsc#1210398).
ImportantSUSE bug 1210398CVE-2023-27349 at SUSECVE-2023-27349 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for dbus-1 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for dbus-1 fixes the following issues:
- CVE-2023-34969: Fixed a possible dbus-daemon crash by an unprivileged users (bsc#1212126).
ModerateSUSE bug 1212126CVE-2023-34969 at SUSECVE-2023-34969 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
Add security patches (bsc#1211846):
- CVE-2023-28204: Fixed processing of web content that may disclose sensitive information (bsc#1211659).
- CVE-2023-32373: Fixed processing of maliciously crafted web content that may lead to arbitrary code execution (bsc#1211658).
ImportantSUSE bug 1211658SUSE bug 1211659SUSE bug 1211846CVE-2023-28204 at SUSECVE-2023-28204 at NVDCVE-2023-32373 at SUSECVE-2023-32373 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for ntp (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ntp fixes the following issues:
ntp was updated to 4.2.8p17:
* Fix some regressions of 4.2.8p16
Update to 4.2.8p16:
* [Sec 3808] Assertion failure in ntpq on malformed RT-11 date
* [Sec 3807], bsc#1210390, CVE-2023-26555:
praecis_parse() in the Palisade refclock driver has a
hypothetical input buffer overflow.
* [Sec 3767] An OOB KoD RATE value triggers an assertion when
debug is enabled.
* Multiple bug fixes and improvements. For details, see /usr/share/doc/packages/ntp/ChangeLog
http://www.ntp.org/support/securitynotice/4_2_8-series-changelog/
- CVE-2023-26555: Fixed assertion failure on malformed RT-11 dates (bsc#1210390).
ModerateSUSE bug 1210390CVE-2023-26555 at SUSECVE-2023-26555 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssl fixes the following issues:
- CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption.
The previous fix for this timing side channel turned out to cause a
severe 2-3x performance regression in the typical use case (bsc#1207534).
ModerateSUSE bug 1207534CVE-2022-4304 at SUSECVE-2022-4304 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for sqlite3 (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATA
This update for sqlite3 fixes the following issues:
- CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism,
when relying on --safe for execution of an untrusted CLI script (bsc#1206337).
ModerateSUSE bug 1206337CVE-2022-46908 at SUSECVE-2022-46908 at NVDcpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for iniparser (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for iniparser fixes the following issues:
- CVE-2023-33461: Fixed NULL pointer dereference in iniparser_getboolean() (bsc#1211889).
ModerateSUSE bug 1211889CVE-2023-33461 at SUSECVE-2023-33461 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libcap (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libcap fixes the following issues:
- CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).
ModerateSUSE bug 1211419CVE-2023-2603 at SUSECVE-2023-2603 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for bind (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for bind fixes the following issues:
- CVE-2023-2828: Fixed DOS against recursive resolvers related to cache-cleaning algorithm (bsc#1212544).
ImportantSUSE bug 1212544CVE-2023-2828 at SUSECVE-2023-2828 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libqt5-qtbase (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libqt5-qtbase fixes the following issues:
- CVE-2020-24741: Fixed a bug that allow QLibrary to load libraries relative to CWD which could result in arbitrary code execution (bsc#1189408).
- CVE-2023-32763: Fixed buffer overflow in QTextLayout (bsc#1211798).
ImportantSUSE bug 1189408SUSE bug 1211798CVE-2020-24741 at SUSECVE-2020-24741 at NVDCVE-2023-32763 at SUSECVE-2023-32763 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xorg-x11-server fixes the following issues:
- CVE-2023-0494: Fixed a use-after-free in DeepCopyPointerClasses (bsc#1207783).
ImportantSUSE bug 1207783CVE-2023-0494 at SUSECVE-2023-0494 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for ghostscript (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ghostscript fixes the following issues:
- CVE-2023-36664: Fixed permission validation mishandling for pipe devices with the %pipe% prefix or the | pipe character prefix (bsc#1212711).
ImportantSUSE bug 1212711CVE-2023-36664 at SUSECVE-2023-36664 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for MozillaFirefox, MozillaFirefox-branding-SLE (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox, MozillaFirefox-branding-SLE fixes the following issues:
Changes in MozillaFirefox and MozillaFirefox-branding-SLE:
This update provides Firefox Extended Support Release 115.0 ESR
* New:
- Required fields are now highlighted in PDF forms.
- Improved performance on high-refresh rate monitors (120Hz+).
- Buttons in the Tabs toolbar can now be reached with Tab,
Shift+Tab, and Arrow keys. View this article for additional
details.
- Windows' 'Make text bigger' accessibility setting now
affects all the UI and content pages, rather than only
applying to system font sizes.
- Non-breaking spaces are now preserved—preventing automatic
line breaks—when copying text from a form control.
- Fixed WebGL performance issues on NVIDIA binary drivers via
DMA-Buf on Linux.
- Fixed an issue in which Firefox startup could be
significantly slowed down by the processing of Web content
local storage. This had the greatest impact on users with
platter hard drives and significant local storage.
- Removed a configuration option to allow SHA-1 signatures in
certificates: SHA-1 signatures in certificates—long since
determined to no longer be secure enough—are now not
supported.
- Highlight color is preserved correctly after typing `Enter`
in the mail composer of Yahoo Mail and Outlook.
After bypassing the https only error page navigating back
would take you to the error page that was previously
dismissed. Back now takes you to the previous site that was
visited.
- Paste unformatted shortcut (shift+ctrl/cmd+v) now works in
plain text contexts, such as input and text area.
- Added an option to print only the current page from the
print preview dialog.
- Swipe to navigate (two fingers on a touchpad swiped left or
right to perform history back or forward) on Windows is now
enabled.
- Stability on Windows is significantly improved as Firefox
handles low-memory situations much better.
- Touchpad scrolling on macOS was made more accessible by
reducing unintended diagonal scrolling opposite of the
intended scroll axis.
- Firefox is less likely to run out of memory on Linux and
performs more efficiently for the rest of the system when
memory runs low.
- It is now possible to edit PDFs: including writing text,
drawing, and adding signatures.
- Setting Firefox as your default browser now also makes it
the default PDF application on Windows systems.
- Swipe-to-navigate (two fingers on a touchpad swiped left or
right to perform history back or forward) now works for Linux
users on Wayland.
- Text Recognition in images allows users on macOS 10.15 and
higher to extract text from the selected image (such as a
meme or screenshot).
- Firefox View helps you get back to content you previously
discovered. A pinned tab allows you to find and open recently
closed tabs on your current device and access tabs from other
devices (via our “Tab Pickup” feature).
- Import maps, which allow web pages to control the behavior
of JavaScript imports, are now enabled by default.
- Processes used for background tabs now use efficiency mode
on Windows 11 to limit resource use.
- The shift+esc keyboard shortcut now opens the Process
Manager, offering a way to quickly identify processes that
are using too many resources.
- Firefox now supports properly color correcting images
tagged with ICCv4 profiles.
- Support for non-English characters when saving and printing
PDF forms.
- The bookmarks toolbar's default 'Only show on New Tab'
state works correctly for blank new tabs. As before, you can
change the bookmark toolbar's behavior using the toolbar
context menu.
- Manifest Version 3 (MV3) extension support is now enabled
by default (MV2 remains enabled/supported). This major update
also ushers an exciting user interface change in the form of
the new extensions button.
- The Arbitrary Code Guard exploit protection has been
enabled in the media playback utility processes, improving
security for Windows users.
- The native HTML date picker for date and datetime inputs
can now be used with a keyboard alone, improving its
accessibility for screen reader users. Users with limited
mobility can also now use common keyboard shortcuts to
navigate the calendar grid and month selection spinners.
- Firefox builds in the Spanish from Spain (es-ES) and
Spanish from Argentina (es-AR) locales now come with a built-
in dictionary for the Firefox spellchecker.
- On macOS, Ctrl or Cmd + trackpad or mouse wheel now scrolls
the page instead of zooming. This avoids accidental zooming
and matches the behavior of other web browsers on macOS.
- It's now possible to import bookmarks, history and
passwords not only from Edge, Chrome or Safari but also from
Opera, Opera GX, and Vivaldi.
- GPU sandboxing has been enabled on Windows.
- On Windows, third-party modules can now be blocked from
injecting themselves into Firefox, which can be helpful if
they are causing crashes or other undesirable behavior.
- Date, time, and datetime-local input fields can now be
cleared with `Cmd+Backspace` and `Cmd+Delete` shortcut on
macOS and `Ctrl+Backspace` and `Ctrl+Delete` on Windows and
Linux.
- GPU-accelerated Canvas2D is enabled by default on macOS and
Linux.
- WebGL performance improvement on Windows, MacOS and Linux.
- Enables overlay of hardware-decoded video with non-Intel
GPUs on Windows 10/11, improving video playback performance
and video scaling quality.
- Windows native notifications are now enabled.
- Firefox Relay users can now opt-in to create Relay email
masks directly from the Firefox credential manager. You must
be signed in with your Firefox Account.
- We’ve added two new locales: Silhe Friulian (fur) and
Sardinian (sc).
- Right-clicking on password fields now shows an option to
reveal the password.
- Private windows and ETP set to strict will now include
email tracking protection. This will make it harder for email
trackers to learn the browsing habits of Firefox users. You
can check the Tracking Content in the sub-panel on the shield
icon panel.
- The deprecated U2F Javascript API is now disabled by
default. The U2F protocol remains usable through the WebAuthn
API. The U2F API can be re-enabled using the
`security.webauth.u2f` preference.
- Say hello to enhanced Picture-in-Picture! Rewind, check
video duration, and effortlessly switch to full-screen mode
on the web's most popular video websites.
- Firefox's address bar is already a great place to search
for what you're looking for. Now you'll always be able to see
your web search terms and refine them while viewing your
search's results - no additional scrolling needed! Also, a
new result menu has been added making it easier to remove
history results and dismiss sponsored Firefox Suggest
entries.
- Private windows now protect users even better by blocking
third-party cookies and storage of content trackers.
- Passwords automatically generated by Firefox now include
special characters, giving users more secure passwords by
default.
- Firefox 115 introduces a redesigned accessibility engine
which significantly improves the speed, responsiveness, and
stability of Firefox when used with:
- Screen readers, as well as certain other accessibility
software;
- East Asian input methods;
- Enterprise single sign-on software; and
- Other applications which use accessibility frameworks to
access information.
- Firefox 115 now supports AV1 Image Format files containing
animations (AVIS), improving support for AVIF images across
the web.
- The Windows GPU sandbox first shipped in the Firefox 110
release has been tightened to enhance the security benefits
it provides.
- A 13-year-old feature request was fulfilled and Firefox now
supports files being drag-and-dropped directly from Microsoft
Outlook. A special thanks to volunteer contributor Marco
Spiess for helping to get this across the finish line!
- Users on macOS can now access the Services sub-menu
directly from Firefox context menus.
- On Windows, the elastic overscroll effect has been enabled
by default. When two-finger scrolling on the touchpad or
scrolling on the touchscreen, you will now see a bouncing
animation when scrolling past the edge of a scroll container.
- Firefox is now available in the Tajik (tg) language.
- Added UI to manage the DNS over HTTPS exception list.
- Bookmarks can now be searched from the Bookmarks menu. The
Bookmarks menu is accessible by adding the Bookmarks menu
button to the toolbar.
- Restrict searches to your local browsing history by
selecting Search history from the History, Library or
Application menu buttons.
- Mac users can now capture video from their cameras in all
supported native resolutions. This enables resolutions higher
than 1280x720.
- It is now possible to reorder the extensions listed in the
extensions panel.
- Users on macOS, Linux, and Windows 7 can now use FIDO2 /
WebAuthn authenticators over USB. Some advanced features,
such as fully passwordless logins, require a PIN to be set on
the authenticator.
- Pocket Recommended content can now be seen in France,
Italy, and Spain.
- DNS over HTTPS settings are now part of the Privacy &
Security section of the Settings page and allow the user to
choose from all the supported modes.
- Migrating from another browser? Now you can bring over
payment methods you've saved in Chrome-based browsers to
Firefox.
- Hardware video decoding enabled for Intel GPUs on Linux.
- The Tab Manager dropdown now features close buttons, so you
can close tabs more quickly.
- Windows Magnifier now follows the text cursor correctly
when the Firefox title bar is visible.
- Undo and redo are now available in Password fields.
[1]:https://support.mozilla.org/kb/access-toolbar-functions-
using-keyboard?_gl=1*16it7nj*_ga*MTEzNjg4MjY5NC4xNjQ1MjAxMDU3
*_ga_MQ7767QQQW*MTY1Njk2MzExMS43LjEuMTY1Njk2MzIzMy4w
[2]:https://support.mozilla.org/kb/how-set-tab-pickup-firefox-view
[3]:https://support.mozilla.org/kb/task-manager-tabs-or-extensions-are-slowing-firefox
[4]:https://blog.mozilla.org/addons/2022/11/17/manifest-v3-signing-available-november-21-on-firefox-nightly/
[5]:https://blog.mozilla.org/addons/2022/05/18/manifest-v3-in-firefox-recap-next-steps/
[6]:https://support.mozilla.org/kb/unified-extensions
[7]:https://support.mozilla.org/kb/import-data-another-browser
[8]:https://support.mozilla.org/kb/identify-problems-third-party-modules-firefox-windows
[9]:https://support.mozilla.org/kb/how-generate-secure-password-firefox
[10]:https://blog.mozilla.org/accessibility/firefox-113-accessibility-performance/
* Fixed: Various security fixes. MFSA 2023-22 (bsc#1212438)
* CVE-2023-3482 (bmo#1839464)
Block all cookies bypass for localstorage
* CVE-2023-37201 (bmo#1826002)
Use-after-free in WebRTC certificate generation
* CVE-2023-37202 (bmo#1834711)
Potential use-after-free from compartment mismatch in
SpiderMonkey
* CVE-2023-37203 (bmo#291640)
Drag and Drop API may provide access to local system files
* CVE-2023-37204 (bmo#1832195)
Fullscreen notification obscured via option element
* CVE-2023-37205 (bmo#1704420)
URL spoofing in address bar using RTL characters
* CVE-2023-37206 (bmo#1813299)
Insufficient validation of symlinks in the FileSystem API
* CVE-2023-37207 (bmo#1816287)
Fullscreen notification obscured
* CVE-2023-37208 (bmo#1837675)
Lack of warning when opening Diagcab files
* CVE-2023-37209 (bmo#1837993)
Use-after-free in `NotifyOnHistoryReload`
* CVE-2023-37210 (bmo#1821886)
Full-screen mode exit prevention
* CVE-2023-37211 (bmo#1832306, bmo#1834862, bmo#1835886,
bmo#1836550, bmo#1837450)
Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13,
and Thunderbird 102.13
* CVE-2023-37212 (bmo#1750870, bmo#1825552, bmo#1826206,
bmo#1827076, bmo#1828690, bmo#1833503, bmo#1835710,
bmo#1838587)
Memory safety bugs fixed in Firefox 115
- Fixed potential SIGILL on older CPUs (bsc#1212101)
* Fixed: Various security fixes and other quality
ImportantSUSE bug 1212101SUSE bug 1212438CVE-2023-3482 at SUSECVE-2023-3482 at NVDCVE-2023-37201 at SUSECVE-2023-37201 at NVDCVE-2023-37202 at SUSECVE-2023-37202 at NVDCVE-2023-37203 at SUSECVE-2023-37203 at NVDCVE-2023-37204 at SUSECVE-2023-37204 at NVDCVE-2023-37205 at SUSECVE-2023-37205 at NVDCVE-2023-37206 at SUSECVE-2023-37206 at NVDCVE-2023-37207 at SUSECVE-2023-37207 at NVDCVE-2023-37208 at SUSECVE-2023-37208 at NVDCVE-2023-37209 at SUSECVE-2023-37209 at NVDCVE-2023-37210 at SUSECVE-2023-37210 at NVDCVE-2023-37211 at SUSECVE-2023-37211 at NVDCVE-2023-37212 at SUSECVE-2023-37212 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-ibm fixes the following issues:
Updated to Java 8.0 Service Refresh 8 Fix Pack 6 (bsc#1213000):
- Fixed issue in Java Virtual Machine where outofmemory (OOM) killer terminates the jvm due to failure in control groups detection.
ImportantSUSE bug 1213000cpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for python-requests (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-requests fixes the following issues:
- CVE-2023-32681: Fixed unintended leak of Proxy-Authorization header (bsc#1211674).
ModerateSUSE bug 1211674CVE-2023-32681 at SUSECVE-2023-32681 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ImageMagick fixes the following issues:
- CVE-2023-3195: Fixed stack overflow in coders/tiff.c while parsing malicious tiff file (bsc#1212235).
ModerateSUSE bug 1212235CVE-2023-3195 at SUSECVE-2023-3195 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for perl (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for perl fixes the following issues:
- CVE-2023-31484: Enable TLS cert verification in CPAN (bsc#1210999).
ImportantSUSE bug 1210999CVE-2023-31484 at SUSECVE-2023-31484 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for python3-requests (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3-requests fixes the following issues:
- CVE-2023-32681: Fixed unintended leak of Proxy-Authorization header (bsc#1211674).
ModerateSUSE bug 1211674CVE-2023-32681 at SUSECVE-2023-32681 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for samba (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for samba fixes the following issues:
- CVE-2022-2127: Fixed issue where lm_resp_len was not checked properly in winbindd_pam_auth_crap_send (bsc#1213174).
Bugfixes:
- Fixed trust relationship failure (bsc#1213384).
ModerateSUSE bug 1213174SUSE bug 1213384CVE-2022-2127 at SUSECVE-2022-2127 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for poppler (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for poppler fixes the following issues:
- CVE-2022-27337: Fixed a logic error in the Hints::Hints function which can cause denial of service (bsc#1199272).
- CVE-2018-21009: Fixed integer overflow in Parser:makeStream in Parser.cc (bsc#1149635).
- CVE-2019-12293: Fixed heap-based buffer over-read in JPXStream:init in JPEG2000Stream.cc (bsc#1136105).
- CVE-2018-20481: Fixed memory leak in GfxColorSpace:setDisplayProfile in GfxState.cc (bsc#1114966).
- CVE-2019-7310: Fixed a heap-based buffer over-read allows remote attackers to cause DOS via a special crafted PDF (bsc#1124150).
- CVE-2018-13988: Fixed buffer overflow in pdfunite (bsc#1102531).
- CVE-2018-16646: Fixed infinite recursion in poppler/Parser.cc:Parser::getObj() function (bsc#1107597).
- CVE-2018-19058: Fixed reachable abort in Object.h leading to denial of service (bsc#1115187).
- CVE-2018-19059: Fixed out-of-bounds read in EmbFile:save2 in FileSpec.cc leading to denial of service (bsc#1115186).
- CVE-2018-19060: Fixed NULL pointer dereference in goo/GooString.h leading to denial of service (bsc#1115185).
- CVE-2018-19149: Fixed NULL pointer dereference in _poppler_attachment_new when called from poppler_annot_file_attachment_get_attachment (bsc#1115626).
- CVE-2017-18267: Fixed denial of service (infinite recursion) via a crafted PDF file (bsc#1092945).
- CVE-2018-20650: Fixed issue where a reachable Object in dictLookup assertion allows attackers to cause DOS (bsc#1120939).
ModerateSUSE bug 1092945SUSE bug 1102531SUSE bug 1107597SUSE bug 1114966SUSE bug 1115185SUSE bug 1115186SUSE bug 1115187SUSE bug 1115626SUSE bug 1120939SUSE bug 1124150SUSE bug 1136105SUSE bug 1149635SUSE bug 1199272CVE-2017-18267 at SUSECVE-2017-18267 at NVDCVE-2018-13988 at SUSECVE-2018-13988 at NVDCVE-2018-16646 at SUSECVE-2018-16646 at NVDCVE-2018-18897 at SUSECVE-2018-18897 at NVDCVE-2018-19058 at SUSECVE-2018-19058 at NVDCVE-2018-19059 at SUSECVE-2018-19059 at NVDCVE-2018-19060 at SUSECVE-2018-19060 at NVDCVE-2018-19149 at SUSECVE-2018-19149 at NVDCVE-2018-20481 at SUSECVE-2018-20481 at NVDCVE-2018-20650 at SUSECVE-2018-20650 at NVDCVE-2018-21009 at SUSECVE-2018-21009 at NVDCVE-2019-12293 at SUSECVE-2019-12293 at NVDCVE-2019-7310 at SUSECVE-2019-7310 at NVDCVE-2022-27337 at SUSECVE-2022-27337 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openssh (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssh fixes the following issues:
- CVE-2023-38408: Fixed a condition where specific libaries loaded via
ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code
execution via a forwarded agent socket if those libraries were present on the
victim's system and if the agent was forwarded to an attacker-controlled
system. [bsc#1213504, CVE-2023-38408]
ImportantSUSE bug 1213504CVE-2023-38408 at SUSECVE-2023-38408 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 115.0.2 ESR (MFSA 2023-26, bsc#1213230)
Security fixes:
- CVE-2023-3600: Fixed use-after-free in workers (bmo#1839703)
Other fixes:
- Fixed a startup crash experienced by some Windows
users by blocking instances of a malicious injected DLL
(bmo#1841751)
- Fixed a bug with displaying a caret in the text editor
on some websites (bmo#1840804)
- Fixed a bug with broken audio rendering on some
websites (bmo#1841982)
- Fixed a bug with patternTransform translate using the
wrong units (bmo#1840746)
- Fixed a crash affecting Windows 7 users related to the
DLL blocklist.
Firefox Extended Support Release 115.0.1 ESR
- Fixed a startup crash for Windows users with Kingsoft
Antivirus software installed (bmo#1837242)
ImportantSUSE bug 1213230CVE-2023-3600 at SUSECVE-2023-3600 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libqt5-qtsvg (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libqt5-qtsvg fixes the following issues:
- CVE-2021-45930: Fixed an out-of-bounds write that may have let to a denial-of-service (bsc#1196654).
- CVE-2023-32573: Fixed missing initialization of QtSvg QSvgFont m_unitsPerEm variable (bsc#1211298).
ModerateSUSE bug 1196654SUSE bug 1211298CVE-2021-45930 at SUSECVE-2021-45930 at NVDCVE-2023-32573 at SUSECVE-2023-32573 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libqt5-qtbase (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libqt5-qtbase fixes the following issues:
- CVE-2023-24607: Fixed Qt SQL ODBC driver plugin DOS (bsc#1209616).
- CVE-2023-33285: Fixed buffer overflow in QDnsLookup (bsc#1211642).
- CVE-2023-34410: Fixed certificate validation does not always consider whether the root of a chain is a configured CA certificate (bsc#1211994).
- CVE-2023-38197: Fixed infinite loops in QXmlStreamReader(bsc#1213326).
ImportantSUSE bug 1209616SUSE bug 1211642SUSE bug 1211994SUSE bug 1213326CVE-2023-24607 at SUSECVE-2023-24607 at NVDCVE-2023-33285 at SUSECVE-2023-33285 at NVDCVE-2023-34410 at SUSECVE-2023-34410 at NVDCVE-2023-38197 at SUSECVE-2023-38197 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for xmltooling (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xmltooling fixes the following issues:
- CVE-2023-36661: Fixed a server-side-request-forgery (SSRF) vulnerability (bsc#1212359).
ModerateSUSE bug 1212359CVE-2023-36661 at SUSECVE-2023-36661 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for zabbix (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for zabbix fixes the following issues:
- CVE-2023-29450: Fixed unauthorized file system access in JS preprocessing (bsc#1213307).
ImportantSUSE bug 1213307CVE-2023-29450 at SUSECVE-2023-29450 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for gnuplot (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gnuplot fixes the following issues:
- CVE-2020-25969: Fixed buffer overflow via the function plotrequest() (bsc#1213068).
- CVE-2020-25559: Fixed double free when executing print_set_output (bsc#1176689).
ModerateSUSE bug 1176689SUSE bug 1213068CVE-2020-25969 at SUSECVE-2020-25969 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libksba (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libksba fixes the following issues:
- CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL
signature parser (bsc#1206579).
ModerateSUSE bug 1206579CVE-2022-47629 at SUSECVE-2022-47629 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssl fixes the following issues:
- CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).
ModerateSUSE bug 1213487CVE-2023-3446 at SUSECVE-2023-3446 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following security issues:
Firefox was updated to Extended Support Release 115.1.0 ESR (bsc#1213746).
- CVE-2023-4045: Fixed cross-origin restrictions bypass with Offscreen Canvas (bmo#1833876).
- CVE-2023-4046: Fixed incorrect value used during WASM compilation (bmo#1837686).
- CVE-2023-4047: Fixed potential permissions request bypass via clickjacking (bmo#1839073).
- CVE-2023-4048: Fixed crash in DOMParser due to out-of-memory conditions (bmo#1841368).
- CVE-2023-4049: Fixed potential race conditions when releasing platform objects (bmo#1842658).
- CVE-2023-4050: Fixed stack buffer overflow in StorageManager (bmo#1843038).
- CVE-2023-4052: Fixed file deletion and privilege escalation through Firefox uninstaller (bmo#1824420).
- CVE-2023-4054: Fixed lack of warning when opening appref-ms files (bmo#1840777).
- CVE-2023-4055: Fixed cookie jar overflow caused unexpected cookie jar state (bmo#1782561).
- CVE-2023-4056: Fixed memory safety bugs (bmo#1820587, bmo#1824634, bmo#1839235, bmo#1842325, bmo#1843847).
- CVE-2023-4057: Fixed memory safety bugs (bmo#1841682).
Bugfixes:
- Remove bashisms from startup-script (bsc#1213657).
ImportantSUSE bug 1213657SUSE bug 1213746CVE-2023-4045 at SUSECVE-2023-4045 at NVDCVE-2023-4046 at SUSECVE-2023-4046 at NVDCVE-2023-4047 at SUSECVE-2023-4047 at NVDCVE-2023-4048 at SUSECVE-2023-4048 at NVDCVE-2023-4049 at SUSECVE-2023-4049 at NVDCVE-2023-4050 at SUSECVE-2023-4050 at NVDCVE-2023-4052 at SUSECVE-2023-4052 at NVDCVE-2023-4054 at SUSECVE-2023-4054 at NVDCVE-2023-4055 at SUSECVE-2023-4055 at NVDCVE-2023-4056 at SUSECVE-2023-4056 at NVDCVE-2023-4057 at SUSECVE-2023-4057 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for apache2-mod_security2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for apache2-mod_security2 fixes the following issues:
- CVE-2022-48279: Fixed a potential firewall bypass due to an
incorrect parsing of HTTP multipart requests (bsc#1207378).
ImportantSUSE bug 1207378CVE-2022-48279 at SUSECVE-2022-48279 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for javapackages-tools, javassist, mysql-connector-java, protobuf, python-python-gflags (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for javapackages-tools, javassist, mysql-connector-java, protobuf, python-python-gflags contains the following fixes:
Changes in mysql-connector-java:
- Restrict license to GPL-2.0-only
- Fix README adjustments
- Depend on log4j rather than log4j-mini and adjust log4j dependencies to
account for the lack of log4j12 Provides in some code streams.
- Add missing Group tag
- Update to 8.0.25 (SOC-11543)
Changes in 8.0.25
* No functional changes: version alignment with MySQL Server 8.0.25.
Changes in 8.0.24
* Bug#102188 (32526663), AccessControlException with AuthenticationLdapSaslClientPlugin.
* Bug#22508715, SETSESSIONMAXROWS() CALL ON CLOSED CONNECTION RESULTS IN NPE.
* Bug#102131 (32338451), UPDATABLERESULTSET NPE WHEN USING DERIVED QUERIES OR VIEWS.
* Bug#101596 (32151143), GET THE 'HOST' PROPERTY ERROR AFTER CALLING TRANSFORMPROPERTIES() METHOD.
* Bug#20391832, SETOBJECT() FOR TYPES.TIME RESULTS IN EXCEPTION WHEN VALUE HAS FRACTIONAL PART.
* Bug#97730 (31699993), xdev api: ConcurrentModificationException at Session.close.
* Bug#99708 (31510398), mysql-connector-java 8.0.20 ASSERTION FAILED: Unknown message type: 57 s.close.
* Bug#32122553, EXTRA BYTE IN COM_STMT_EXECUTE.
* Bug#101558 (32141210), NULLPOINTEREXCEPTION WHEN EXECUTING INVALID QUERY WITH USEUSAGEADVISOR ENABLED.
* Bug#102076 (32329915), CONTRIBUTION: MYSQL JDBC DRIVER RESULTSET.GETLONG() THROWS NUMBEROUTOFRANGE.
* Bug#31747910, BUG 30474158 FIX IMPROVES JDBC COMPLIANCE BUT CHANGES DEFAULT RESULTSETTYPE HANDLING.
* Bug#102321 (32405590), CALLING RESULTSETMETADATA.GETCOLUMNCLASSNAME RETURNS WRONG VALUE FOR DATETIME.
* WL#14453, Pluggable authentication: new default behavior & user-less authentications.
* WL#14392, Improve timeout error messages [classic].
* WL#14202, XProtocol: Support connection close notification.
Changes in 8.0.23
* Bug#21789378, FORCED TO SET SERVER TIMEZONE IN CONNECT STRING.
* Bug#95644 (30573281), JDBC GETDATE/GETTIME/GETTIMESTAMP INTERFACE BEHAVIOR CHANGE AFTER UPGRADE 8.0.
* Bug#94457 (29402209), CONNECTOR/J RESULTSET.GETOBJECT( ..., OFFSETDATETIME.CLASS ) THROWS.
* Bug#76775 (20959249), FRACTIONAL SECONDS IN TIME VALUES ARE NOT AVAILABLE VIA JDBC.
* Bug#99013 (31074051), AN EXTRA HOUR GETS ADDED TO THE TIMESTAMP WHEN SUBTRACTING INTERVAL 'N' DAYS.
* Bug#98695 (30962953), EXECUTION OF 'LOAD DATA LOCAL INFILE' COMMAND THROUGH JDBC FOR DATETIME COLUMN.
* Bug#101413 (32099505), JAVA.TIME.LOCALDATETIME CANNOT BE CAST TO JAVA.SQL.TIMESTAMP.
* Bug#101242 (32046007), CANNOT USE BYTEARRAYINPUTSTREAM AS ARGUMENTS IN PREPARED STATEMENTS AN MORE.
* WL#14274, Support for authentication_ldap_sasl_client(SCRAM-SHA-256) authentication plugin.
* WL#14206, Support for authentication_ldap_sasl_client(GSSAPI) authentication plugin.
* WL#14207, Replace language in APIs and source code/docs.
Changes in 8.0.22
* Bug#98667 (31711961), 'All pipe instances are busy' exception on multiple connections to named Pipe.
* Bug#96309 (31699357), MultiHost in loadbalance may lead to a TPS reduction during a quick switch.
* Bug#99076 (31083755), Unclear exception/error when connecting with jdbc:mysql to a mysqlx port.
* Bug#96870 (30304764), Contribution: Allow to disable AbandonedConnectionCleanupThread completely.
* WL#14115, Support for authentication_ldap_sasl_client (SCRAM-SHA-1) authentication plugin.
* WL#14096, Add option to specify LOAD DATA LOCAL allow list folder.
* WL#13780, Skip system-wide trust and key stores (incl. X DevAPI client certs).
* WL#14017, XProtocol -- support for configurable compression algorithms.
* Bug#92903 (28834903), MySQL Connector/j should support wildcard names or alternative names.
* Bug#99767 (31443178), Contribution: Check SubjectAlternativeName for TLS instead of commonName.
* Bug#93444 (29015453), LOCALDATETIME PARAMETER VA UES ALTERED WHEN CLIENT AND SERVER TIMEZONES DIFFER.
* WL#14052, Remove asynchronous variant of X Protocol.
* Bug#99713 (31418928), NPE DURING COM.MYSQL.CJ.SERVERPREPAREDQUERYBINDVALUE.STOREDATE().
* WL#14068, Remove legacy integration with JBoss.
Changes in 8.0.21
* WL#14051, Upgrade Protocol Buffers dependency to protobuf-java-3.11.4.
* WL#14042, Upgrade testsuite to JUnit 5.
* Bug#98237 (30911870), PREPAREDSTATEMENT.SETOBJECT(I, 'FALSE', TYPES.BOOLEAN) ALWAYS SETS TRUE OR 1.
* WL#13008, DevAPI: Add schema validation to create collection.
Changes in 8.0.20
* Bug#30805426, IN CASE OF ISAUTHMETHODSWITCHREQUESTPACKET , TOSERVERS > 1 ARE IGNORED.
* Bug#97714 (30570249), Contribution: Expose elapsed time for query interceptor
* Bug#97724 (30570721), Contribution: Allow \'3.\' formatted numbers.
* Bug#98536 (30877755), SIMPLEDATEFORMAT COULD CACHE A WRONG CALENDAR.
Fix for Bug#91112 (28125069), AGAIN WRONG JAVA.SQL.DATE.
* Bug#30474158, CONNECTOR/J 8 DOES NOT HONOR THE REQUESTED RESULTSETTYPE SCROLL_INSENSITIVE ETC.
* Bug#98445 (30832513), Connection option clientInfoProvider=ClientInfoProviderSP causes NPE.
* WL#12248, DevAPI: Connection compression.
* Bug#30636056, ResultSetUtil.resultSetToMap() can be unsafe to use.
* Bug#97757 (30584907), NULLPOINTEREXCEPTION WITH CACHERESULTSETMETADATA=TRUE AND EXECUTEQUERY OF 'SET'.
Changes in 8.0.19
* WL#13346, Support for mult-host and failover.
* Bug#97413 (30477722), DATABASEMETADATA IS BROKEN AFTER SERVER WL#13528.
* WL#13367, DNS SRV support.
* WL#12736, DevAPI: Specify TLS ciphers to be used by a client or session.
* Bug#96383 (30119545) RS.GETTIMESTAMP() HAS * DIFFERENT RESULTS FOR TIME FIELDS WITH USECURSORFETCH=TRUE.
* Bug#96059 (29999318), ERROR STREAMING MULTI RESULTSETS WITH MYSQL-CONNECTOR-JAVA 8.0.X.
* Bug#96442 (30151808), INCORRECT DATE ERROR WHEN CALLING GETMETADATA ON PREPARED STATEMENT.
Changes in 8.0.18
* WL#13347, Connectors should handle expired password sandbox without SET operations.
* Bug#84098 (25223123), endless loop in LoadBalancedAutoCommitInterceptor.
* Bug#23721537, MULTI-SELECT WITH EXECUTEASYNC() GIVES IMPROPER ERROR.
* Bug#95741 (29898567), METADATA QUERY USES UPPER() AROUND NUMERIC EXPRESSION.
* Bug#20913289, PSTMT.EXECUTEUPDATE() FAILS WHEN SQL MODE IS NO_BACKSLASH_ESCAPES.
* Bug#80441 (22850444), SYNTAX ERROR ON RESULTSET.UPDATEROW() WITH SQL_MODE NO_BACKSLASH_ESCAPES.
Changes in 8.0.17
* WL#13210, Generate Javadocs via ant.
* WL#12247, DevAPI: indexing array fields.
* WL#12726, DevAPI: Add overlaps and not_overlaps as operator.
* Bug#95503 (29821029), Operator IN not mapping consistently to the right X Plugin operation.
* WL#12942, Update README.md and add new CONTRIBUTING.md.
* WL#13125, Support fully qualified hostnames longer than 60 characters.
* Bug#95210 (29807741), ClassCastException in BlobFromLocator when connecting as jdbc:mysql:replication.
* Bug#29591275, THE JAR FILE NEEDS TO CONTAIN A README AND LICENSE FILE.
* WL#13124, Support new utf8mb4 bin collation.
* WL#13009, DevAPI: Deprecate methods.
* WL#11101, Remove de-cache and close of SSPSs on double call to close().
* Bug#89133 (27356869) CONTRIBUTION: UPDATE DA ABASEMETADATA.JAVA.
* Bug#11891000, DABATASEMETADATA.GETTABLES() IGNORES THE SCHEMA_PATTERN ARGUMENT.
* Bug#94101 (29277648), SETTING LOGSLOWQUERIES SHOULD NOT AUTOMATICALLY ENABLE PROFILESQL FOR QUERIES.
* Bug#74690 (20010454), PROFILEREVENT HOSTNAME HAS NO GETTER().
* Bug#70677 (17640628), CONNECTOR J WITH PROFILESQL - LOG CONTAINS LOTS OF STACKTRACE DATA.
* Bug#41172 (11750577), PROFILEREVENT.PACK() THROWS ARRAYINDEXOUTOFBOUNDSEXCEPTION.
* Bug#27453692, CHARACTERS GET GARBLED IN CONCAT() IN PS WHEN USECURSORFETCH=TRUE.
* Bug#94585 (29452669), GETTABLENAME() RETURNS NULL FOR A QUERY HAVING COUNT(*) WITH JDBC DRIVER V8.0.12.
* Bug#94442 (29446059), RESULTSETIMPL.GETDOUBLE IS INEFFICIENT BECAUSE OF BIGDECIMAL (RE)CONSTRUCTIONS.
Changes in 8.0.16
* WL#12825, Remove third-party libraries from sources and bundles.
* Bug#93590 (29054329), javax.net.ssl.SSLException: closing inbound before receiving peer's close_notify.
* Bug#94414 (29384853), Connector/J RPM package have version number in path.
* Bug#27786499, REDUNDANT FILES IN DEBIAN PACKAGE FOR DEBIAN9(COMMUNITY PACKAGE) FOR CJAVA.
* WL#12246, DevAPI: Prepared statement support.
* WL#10839, Adjust c/J tests to the new 'ON' default for explicit_defaults_for_timestamp.
* Bug#29329326, PLEASE AVOID SHOW PROCESSLIST IF POSSIBLE.
* WL#12460, DevAPI: Support new session reset functionality.
* WL#12459, DevAPI: Support connection-attributes.
* Bug#25650385, GETBYTE() RETURNS ERROR FOR BINARY() FLD.
* Bug#27784363, MYSQL 8.0 JDBC DRIVER THROWS NUMBERFORMATEXCEPTION FOR TEXT DATA
* Bug#93007 (28860051), LoadBalancedConnectionProxy.getGlobalBlacklist bug.
* Bug#29186870, CONNECTOR/J REGRESSION: NOT RETURNING PRECISION GETPROCEDURECOLUMNS.
* Bug#22038729, X DEVAPI: ANY API CALL AFTER A FAILED CALL PROC() RESULTS IN HANG.
* Bug#29244101, ADD MAPPING FOR UTF8MB4_ZH_0900_AS_CS COLLATION.
* Bug#92819 (28834959), EXPRPARSER THROWS WRONGARGUMENTEXCEPTION WHEN PARSING EMPTY JSON ARRAY.
* Bug#21921956, X DEVAPI: EXPRESSION PARSE ERROR WITH UNARY OPERATOR.
* Bug#94031 (29257922), WRONG JSON_UNQUOTE WORKAROUND.
* Bug#22931700, BINDINGS.GETBOOLEAN() ALWAYS RETURNS FALSE.
* Bug#25650912, ERROR MESSAGE NOT CLEAR WHEN WE PASS A CHAR DATA TO ANY TABLE API.
* Bug#25642021, CHANGEUSER() FAILS WHEN ENABLEPACKETDEBUG=TRUE.
Changes in 8.0.15
* Bug#94051 (29261254), Not recommended default for 'allowLoadLocalInfile'.
Changes in 8.0.14
* WL#12298, Connectors: Expose metadata about source and binaries in unified way.
* Bug#93111 (28894344), ConnectionUrl.java contains char U+00A7 (section sign).
* WL#12621, DevAPI: Handling of Default Schema.
* Bug#93340 (28970166), C/J BUILD SCRIPT IS TOO VERBOSE
* WL#12462, DevAPI: Be prepared for initial notice on connection.
* Bug#28924137, WL#12463:IF COLLECTION DOESN'T EXIST, COLL.COUNT() IS GIVING A WRONG ERROR MESSAGE.
* WL#12463, DevAPI: Standardize count method.
* Bug#92508 (28747636), mysql-connector in bootclasspath causing memory leak.
* Bug#25650514, UPDATEROW() CALL FAILS WITH NPE WHEN SSPS=TRUE AND TABLE HAS MULTI-FLD KEY.
* Bug#25650482, REFRESHROW() CALL AFTER UPDATEROW() API FAILS WHEN USESERVERPREPSTMTS=TRUE.
* Bug#92536 (28692243), UPDATEING SERVER SIDE PREPSTMTS RESULTSET FAIL.
* Bug#92625 (28731795), CONTRIBUTION: FIX OBSERVED NPE IN CLEARINPUTSTREAM.
* Bug#23045642, ADDING NO-DOC (MYSQLCONNJ-696) RESULTS IN EXCEPTION.
* Bug#91065 (28101003), ZERODATETIMEBEHAVIOR=CONVERT_TO_NULL SHOULD NOT APPLY TO 00:00:00 TIME COLUMNS.
* Bug#92574 (28706219), WHEN CONVERTING FROM VARCHAR TO JAVA BOOLEAN, 'N' IS NOT SUPPORTED.
* Bug#25642226, CHANGEUSER() NOT SETTING THE DATABASE PROPERLY WITH SHA USER.
* Bug#28606708, NAMED PIPE CONNECTION FOR X PROTOCOL RETURNS NPE, EXPECTED PROPER ERROR MESSAGE.
Changes in 8.0.13
* Bug#91317 (28207422), Wrong defaults on collation mappings.
* WL#12245, DevAPI: Implement connect timeout.
* Bug#21774249, UNIT TEST FAILS WITH ERROR ' 'CEST' IS UNRECOGNIZED TIME ZONE'.
* WL#11857, DevAPI: Implement connection pooling for xprotocol.
* Bug#91873 (28444461), REMOVE USEOLDUTF8BEHAVIOR CONNECTION PROPERTY.
* Bug#92264 (28594434), JSONPARSER PUTS UNNECESSARY MAXIMUM LIMIT ON JSONNUMBER TO 10 DIGITS.
* WL#12110, Extend PropertyDefinitions.PropertyKey usage.
* Bug#81063 (23098159), w/ rewriteBatchedStatements, when 2 tables involved, the rewriting not correct.
* Bug#84813 (25501750), rewriteBatchedStatements fails in INSERT.
* Bug#81196 (23227334), CONNECTOR/J NOT FOLLOWING DATABASE CHARACTER SET.
* Bug#72609 (18749544), SETDATE() NOT USING A PROLEPTIC GREGORIAN CALENDAR.
* Bug#87534 (26730196), UNION ALL query fails when useServerPrepStmts=true on database connection.
* Bug#89948 (27658489), Batched statements are not committed for useLocalTransactionState=true.
* BUG#22305979, WRONG RECORD UPDATED IF SENDFRACTIONALSECONDS=FALSE AND SMT IS SCROLLABLE.
* Bug#27102307, CHANGE USESSL AND VERIFYSERVERCERTIFICATE TO SSLMODE OPTION.
* Bug#28150662, CONNECTOR/J 8 MALFORMED DATABASE URL EXCEPTION WHIT CORRECT URL STRING.
* Bug#91421 (28246270), ALLOWED VALUES FOR ZERODATETIMEBEHAVIOR ARE INCOMPATIBLE WITH NETBEANS.
* Bug#23045604, XSESSION.GETURI() RETURNS NPE.
* Bug#21914769, NPE WHEN TRY TO EXECUTE INVALID JSON STRING.
* Bug#BUG#90887 (28034570), DATABASEMETADATAUSINGINFOSCHEMA#GETTABLES FAILS IF METHOD ARGUMENTS ARE NULL.
* Bug#28207088, C/JAVA: UPDATECLOB(INT COLUMNLABEL, JAVA.SQL.CLOB CLOB) IS FAILING.
* Bug#27629553, NPE FROM GETSESSION() FOR SSL CONNECTION WHEN NO PASSWORD PASSED.
Changes in 8.0.12
* Bug#28208000, MASTER : HANG IN ASYNCHRONOUS SELECT TEST.
* WL#10544, Update MySQL 8.0 keywords list.
* WL#11858, DevAPI: Core API v1 alignment.
* Bug#27652379, NPE FROM GETSESSION(PROPERTIES) WHEN HOST PARAMETER IS GIVEN IN SMALL LETTER.
* BUG#87600 (26724154), CONNECTOR THROWS 'MALFORMED DATABASE URL' ON NON MYSQL CONNECTION-URLS.
* BUG#26089880, GETCONNECTION('MYSQLX://..') RETURNS NON-X PROTOCOL CONNECTION.
* WL#11876, Improve connection properties design.
* WL#11933, Connector/J 8.0 X DevAPI reference documentation update.
* WL#11860, Ensure >= 75% code coverage.
* Bug#90753 (27977617), WAIT_TIMEOUT EXCEEDED MESSAGE NOT TRIGGERED.
* Bug#85941 (25924324), WASNULL NOT SET AFTER GETBYTES IS CALLED.
* Bug#28066709, COLLECTION.CREATEINDEX() TEST IS BROKEN AFTER WL#11808 IMPLEMENTATION.
* Bug#90872 (28027459), FILTERPARAMS CLASS IS NOT NEEDED.
* Bug#27522054, POSSIBLE ASYNC XPROTOCOL MESSAGE HANDLING PERF ISSUE.
The 'xdevapi.useAsyncProtocol' connection property default value is changed to 'false'.
Changes in 8.0.11
* WL#11293, DevAPI: Support new locking modes : NOWAIT and SKIP LOCKED.
* Bug#90029 (27678308), FAILURE WHEN GETTING GEOMCOLLECTION COLUMN TYPE.
* BUG#90024 (27677574), SOME TESTS FAILED AGAINST MYSQL 8.0.5 BECAUSE OF DEPRECATED FEATURES REMOVAL.
* Bug#86741 (26314325), Multi-Host connection with autocommit=0 getAutoCommit maybe wrong.
* Bug#27231383, PROVIDE MAVEN-FRIENDLY COMMERCIAL PACKAGES WITHOUT '-BIN'.
* Bug#26819691, SETTING PACKETDEBUGBUFFERSIZE=0 RESULTS IN CONNECTION FAILURE.
* Bug#88227 (27029657), Connector/J 5.1.44 cannot be used against MySQL 5.7.20 without warnings.
* Bug#27374581, CONNECTION FAILS WHEN GPL SERVER STARTED WITH TLS-VERSION=TLSV1.2.
* WL#11419, DevAPI: New document _id generation support.
* WL#11620, Change caching_sha2_password padding.
* WL#11604, DevAPI: Add SHA256_MEMORY support.
* BUG#86278 (26092824), SUPPORT CUSTOM CONSTRUCTION OF SSLSOCKET DURING CONNECTION ESTABLISHMENT.
* BUG#27226293, JSONNUMBER.GETINTEGER() & NUMBERFORMATEXCEPTION.
* WL#10527, Clean up Protocol and Session interfaces.
Changes in 8.0.9
* WL#11469, Update license header in GPL packages.
* BUG#27247349, WL#11208 : UNIQUE DOES NOT GIVE ERROR EVEN THOUGH IT IS NOT SUPPORTED.
* WL#11208, DevAPI: Collection.createIndex.
* WL#10156, Add setters/getters for connection properties to MysqlDataSource,
MysqlXADataSource and MysqlConnectionPoolDataSource.
* WL#11401, DevAPI: Remove configuration API.
* WL#10619, Ensure compatibility with new data dictionary.
* BUG#27217264, WL#10937: NULL POINTER EXCEPTION WHEN NULL IS PASSED AS _ID IN COLL.REPLACEONE.
* WL#10937, DevAPI: ReplaceOne, AddOrReplaceOne, GetOne, RemoveOne.
* Bug#26723646, JSON_MERGE() FUNCTION IS DEPRECATED IN MYSQL 8.0.
* Bug#27185332, WL#11210:ERROR IS THROWN WHEN NESTED EMPTY DOCUMENTS ARE INSERTED TO COLLECTION.
* Bug#27151601, WL#11210: DOCUMENT PATCH EXPRESSIONS ARE NOT SUPPORTED.
* WL#11210, DevAPI: Modify/MergePatch.
* Bug#79612 (22362474), CONNECTION ATTRIBUTES LOST WHEN CONNECTING WITHOUT DEFAULT DATABASE.
* WL#10152, Enable TLSv1.2 on mysqlx.
* Bug#27131768, NULL POINTER EXCEPTION IN CONNECTION.
* Bug#88232 (27047676), c/J does not rollback transaction when autoReconnect=true.
* Bug#88242 (27040063), autoReconnect and socketTimeout JDBC option makes wrong order of client packet.
* Bug#88021 (26939943), High GC pressure when driver configured with serversideprepared statements.
* Bug#26724085, CHARSET MAPPING TO BE UPDATED FOR MYSQL 8.0.3.
* Bug#87704 (26771560), THE STREAM GETS THE RESULT SET ?THE DRIVER SIDE GET WRONG ABOUT GETLONG().
* Bug#24924097, SERVER GREETING ERROR ISN'T RECOGNIZED DURING HANDSHAKE.
* Bug#26748909, MASTER : ERROR - NO OPERATIONS ALLOWED AFTER STATEMENT CLOSED FOR TOSTRING().
* Bug#26266731, CONCUR_UPDATABLE RESULTSET OPERATIONS FAIL AGAINST 8.0 FOR BOOLEAN COLUMN.
* WL#11239, DevAPI: Remove create table implementation.
* Bug#27131100, WL#11212 : SAVEPOINT CREATING WITH EMPTY STRING AND SPACE AS NAME.
* WL#11212, DevAPI: transaction save-points.
* WL#11060, Support new SHA-256 authentication system.
* Bug#87826 (26846249), MYSQL JDBC CONNECTOR/J DATABASEMETADATA NULL PATTERN HANDLING IS NON-COMPLIANT.
* WL#11163, Extract parameter setters, serverPrepare() and serverExecute() to core classes.
* BUG#26995710, WL#11161 : NULL POINTER EXCEPTION IN EXECUTEBATCH() AND CLOSE().
* WL#11161, Unify query bindings.
* WL#8469, Don't extract query text from packets when possible.
Changes in 8.0.8
* BUG#26722030, TEST FAILING DUE TO BINARY LOGGING ENABLED BY DEFAULT IN MYSQL 8.0.3.
* BUG#26722018, TESTS FAILING DUE TO CHANGE IN INFORMATION_SCHEMA.INNODB_SYS_* NAMING.
* BUG#26750807, MASTER : NULL POINTER EXCEPTION IN SCHEMA.DROPVIEW(NULL).
* BUG#26750705, MASTER : ERROR - UNSUPPORTED CONVERSION FROM TIME TO JAVA.SQL.DATE.
* WL#10620, DevAPI: SHA256 Authentication support.
* WL#10936, DevAPI: Row locking for Crud.Find.
* WL#9868, DevAPI: Configuration handling interface.
* WL#10935, DevAPI: Array or Object 'contains' operator.
* WL#9875, Prepare c/J 8.0 for DEB and RPM builds.
* BUG#26259384, CALLABLE STATEMENT GIVES ERROR IN C/JAVA WHEN RUN AGAINST MYSQL 8.0.
* Bug#26393132, NULLPOINTEREXCEPTION IS THROWN WHEN TRIED TO DROP A NULL COLLECTION.
* WL#10532, DevAPI: Cleanup Drop APIs.
* Bug#87429 (26633984), repeated close of ServerPreparedStatement causes memory leak.
* Bug#87379 (26646676), Perform actual TLS capabilities check when restricting TLSv1.2.
* Bug#85601 (25777822), Unit notation is missing in the description of the property involved in the time.
* Bug#87153 (26501245), INCORRECT RESULT OF DBMD.GETVERSIONCOLUMNS() AGAINST MYSQL 8.0.2+.
* Bug#78313 (21931572), proxies not handling Object.equals(Object) calls correctly.
* Bug#85885 (25874048), resultSetConcurrency and resultSetType are swapped in call to prepareStatement.
* Bug#74932 (20066806), ConnectionImp Doesn't Close Server Prepared Statement (PreparedStatement Leak).
* WL#10536, Deprecating COM_SHUTDOWN.
* Bug#25946965, UPDATE THE TIME ZONE MAPPINGS WITH LATEST TZ DATABASES.
* Bug#20182108, INCLUDE CUSTOM LOAD BALANCING STRATEGY USING PLUGIN API.
* Bug#26440544, CONNECTOR/J SHOULD NOT USE TX_{READ_ONLY,ISOLATION} WHICH IS PLANNED FOR REMOVAL.
* Bug#26399958, UNABLE TO CONNECT TO MYSQL 8.0.3.
* Bug#25650305, GETDATE(),GETTIME() AND GETTIMESTAMP() CALL WITH NULL CALENDAR RETURNS NPE.
Changes in 8.0.7
* Bug#26227653, WL#10528 DIFF BEHAVIOUR WHEN SYSTEM PROP JAVAX.NET.SSL.TRUSTSTORETYPE IS SET.
* WL#10528, DevAPI: Ensure all connectors are secure by default.
* WL#8305, Remove internal dependency on connection objects.
* Bug#22972057, X DEVAPI: CLIENT HANGS AFTER CONNECTION FAILURE.
* Bug#26140577, GIS TESTS ARE FAILING WITH MYSQL 8.0.1.
* WL#10765, DevAPI: Forbid modify() and remove() with no condition.
* Bug#26090721, CONNECTION FAILING WHEN SERVER STARTED WITH COLLATION UTF8MB4_DE_PB_0900_AI_CI.
* WL#10781, enum-based connection properties.
* Bug#73775 (19531384), DBMD.getProcedureColumns()/.getFunctionColumns() fail to filter by columnPattern.
* Bug#84324 (25321524), CallableStatement.extractProcedureName() not work when catalog name with dash.
* Bug#79561 (22333996), NullPointerException when calling a fully qualified stored procedure.
* Bug#84783 (25490163), query timeout is not working(thread hang).
* Bug#70704 (17653733), Deadlock using UpdatableResultSet.
* Bug#66430 (16714868), setCatalog on connection leaves ServerPreparedStatement cache for old catalog.
* Bug#70808 (17757070), Set sessionVariables in a single query.
* Bug#77192 (21170603), Description for the Property replicationConnetionGroup Missing from the Manual.
* Bug#83834 (25101890), Typo in Connector/J error message.
* WL#10531, Support utf8mb4 as default charset.
* Bug#85555 (25757019), useConfigs Can't find configuration template named, in mysql-connector-java 6.x
* WL#10529, Move version number to 8.0.
* WL#10530, DevAPI: Remove XSession, rename NodeSession to Session.
* Bug#23510958, CONCURRENT ASYNC OPERATIONS RESULT IN HANG.
* Bug#23597281, GETNODESESSION() CALL WITH SSL PARAMETERS RETURNS CJCOMMUNICATIONSEXCEPTION.
* Bug#25207784, C/J DOESN'T FOLLOW THE FINAL X DEVAPI MY-193 SPECIFICATION.
* Bug#25494338, ENABLEDSSLCIPHERSUITES PARAMETER NOT WORKING AS EXPECTED WITH X-PLUGIN.
* Bug#84084 (25215008), JAVA.LANG.ARRAYINDEXOUTOFBOUNDSEXCEPTION ON ATTEMPT TO GET VALUE FROM RESULTSET.
* WL#10553, Add mapping for Japanese utf8mb4 collation.
* Bug#25575103, NPE FROM CREATETABLE() WHEN SOME OF THE INPUTS ARE NULL.
* Bug#25575156, NPE FROM CREATEVIEW() WHEN SOME OF THE INPUTS ARE NULL.
* Bug#25636947, CONNECTION USING MYSQL CLIENT FAILS IF WE USE THE SSL CERTIFICATES FROM C/J SRC.
* Bug#25687718, INCORRECT TIME ZONE IDENTIFIER IN STATEMENTREGRESSIONTEST.
* Bug#25556597, RESULTSETTEST.TESTPADDING UNIT TEST IS FAILING IN 5.1.41 RELEASE PACKAGE.
* Bug#25517837, CONNECT PERFORMNACE DEGRADED BY 10% IN 5.1.41.
* Bug#25504578, CONNECT FAILS WHEN CONNECTIONCOLLATION=ISO-8859-13.
* Bug#25438355, Improper automatic deserialization of binary data.
* Bug#70785 (17756825), MySQL Connector/J inconsistent init state for autocommit.
* Bug#66884: Property 'elideSetAutoCommits' temporarily defaults to 'false' until this bug is fixed.
* Bug#75615 (21181249), Incorrect implementation of Connection.setNetworkTimeout().
* Bug#81706 (23535001), NullPointerException in driver.
* Bug#83052 (25048543), static method in com.mysql.jdbc.Util relies on null object.
* Bug#69526 (17035755), 'Abandoned connection cleanup thread' at mysql-connector-java-5.1.25.
* Bug#82826 (24942672), Unneeded version requirement for javax.net.ssl Import-Package on OSGi MANIFEST.MF.
Changes in 6.0.6
* Added Core TLS/SSL options for the mysqlx URI scheme.
* Updated collations map.
* Bug#24350526, UNEXPECTED BEHAVIOUR OF IS_NUMBER_SIGNED API IN C/JAVA.
* Bug#82707 (24512766), WRONG MILLI SECOND VALUE RETURNED FROM TIMESTAMP COLUMN.
* Bug#82005 (23702040), JDBCDATEVALUEFACTORY FAILS TO PARSE SOME DATES.
* Bug#83725 (25056803), NPE IN XPROTOCOL.GETPLUGINVERSION() WITH MYSQL 5.7.17.
* Bug#24525461, UPDATABLE RESULTSET FEATURE FAILS WHEN USESERVERPREPSTMTS=TRUE.
* Bug#24527173, QUERY EXECUTION USING PREPARED STMT FAILS WHEN USECURSORFETCH=TRUE.
* Bug#82964 (24658016), JSR-310 DATA TYPES CREATED THROUGH JAVA.SQL TYPES.
* Bug#81202 (23188159), RESULTSETIMPL.GETOBJECT THROWS NULLPOINTEREXCEPTION WHEN FIELD IS NULL.
* Bug#22931277, COLUMN.GETTYPE() RETURNS ERROR FOR VALID DATATYPES.
* BUG#24471057, UPDATE FAILS WHEN THE NEW VALUE IS OF TYPE DBDOC WHICH HAS ARRAY IN IT.
* Bug#81691 (23519211), GETLASTDOCUMENTIDS() DOESN'T REPORT IDS PROVIDED BY USER.
* Bug#82826 (24942672), Unneeded version requirement for javax.net.ssl Import-Package on OSGi MANIFEST.MF.
Changes in 6.0.5
* BUG#82896 (24613062), Unexpected behavior on attempt to connect to JDBC driver with unsupported URL.
* Added client-side failover during XSession initialization for multi-router configuration.
* Removed Extension interface. All extension classes now implement their specific interfaces.
* Bug#22988922, GETLENGTH() RETURNS -1 FOR LONGBLOB AND LONGTEXT FIELDS.
* Bug#24619829, NEW FAILURES IN C/JAVA UNITTESTS AGAINST MYSQL 8.0.
* Bug#75209 (20212882), Set useLocalTransactionState may result in partially committed transaction.
* Bug#48346 (11756431), Communications link failure when reading compressed data with compressed=true.
* Bug#80631 (22891845), ResultSet.getString return garbled result with json type data.
* Bug#64188 (13702433), MysqlXAConnection.MYSQL_ERROR_CODES_TO_XA_ERROR_CODES is missing XA error codes.
* Bug#72632 (18759269), NullPointerException for invalid JDBC URL.
* Bug#82115 (23743956), Some exceptions are intercepted twice or fail to set the init cause.
* Bug#78685 (21938551), Wrong results when retrieving the value of a BIT column as an integer.
* Bug#80615 (22954007), prepared statement leak when rewriteBatchedStatements=true and useServerPrepStmt.
* Extended X DevAPI with flexible parameter lists.
* Added a virtual NodeSession to X DevAPI.
Changes in 6.0.4
* X DevAPI URL prefix changed from 'mysql:x:' to 'mysqlx:'.
* Bug#24301468 X DEVAPI SSL CONNECTION FAILS ON WINDOWS
* The X DevAPI Table object now represents both database tables and views.
* Added support for matching against pattern for X DevAPI list_objects calls.
* Added Schema.getCollections(String pattern) and Schema.getTables(String pattern) interface methods.
* Switched to 'mysqlx' namespace for X DevAPI StmtExecute messages.
This change is incompatible to MySQL server versions < 5.7.14.
* Bug#82046 (23743947), MYSQL CONNECTOR JAVA OSGI METADATA BROKEN.
* Bug#21690043, CONNECT FAILS WHEN PASSWORD IS BLANK.
* Bug#22931433, GETTING VALUE OF BIT COLUMN RESULTS IN EXCEPTION.
Changes in 6.0.3
* Bug#23535571, EXCESSIVE MEMORY USAGE WHEN ENABLEPACKETDEBUG=TRUE.
* Bug#23212347, ALL API CALLS ON RESULTSET METADATA RESULTS IN NPE WHEN USESERVERPREPSTMTS=TRUE.
* Bug#23201930, CLIENT HANG WHEN RSLT CUNCURRENCY=CONCUR_UPDATABLE AND RSLTSET TYPE=FORWARD_ONLY.
* Bug#23188498, CLIENT HANG WHILE USING SERVERPREPSTMT WHEN PROFILESQL=TRUE AND USEIS=TRUE.
* Bug#22678872, NPE DURING UPDATE WITH FABRIC.
* Bug#71131 (18068303), Poor error message in CallableStatement.java.
* Bug#59462 (16736619), ConcurrentModificationException inside ConnectionImpl.closeAllOpenStatements().
* Bug#22848249, LOADBALANCECONNECTIONGROUPMANAGER.REMOVEHOST() NOT WORKING AS EXPECTED.
* Bug#22730682, ARRAYINDEXOUTOFBOUNDSEXCEPTION FROM CONNECTIONGROUPMANAGER.REMOVEHOST().
* Bug#77171 (21181466), On every connect getting sql_mode from server creates unnecessary exception.
* Bug#79343 (22353759), NPE in TimeUtil.loadTimeZoneMappings causing server time zone value unrecognized.
* Bug#22038729, X DevAPI: Any API call after a failed CALL PROC() results in hang
* Replace Schema.drop(), Collection.drop() by X DevAPI's session.dropSchema() and session.dropCollection().
* Added session.dropTable().
* Bug#22932078, GETTIMESTAMP() RETURNS WRONG VALUE FOR FRACTIONAL PART
* Extracted packet readers from MysqlaProtocol.
* Bug#22972057, X protocol CLIENT HANGS AFTER CONNECTION FAILURE
* Bug#23044312, NullPointerException in X protocol AsyncMessageReader due to race condition
* Returned support for MySQL 5.5 and 5.6.
Changes in 6.0.2
* Deprecate the EOF packet.
* Bug#75956, Inserting timestamps using a server PreparedStatement and useLegacyDatetimeCode=false
* Bug#22385172, CONNECTOR/J MANIFEST DOES NOT EXPOSE FABRIC (OSGi).
* Bug#22598938, FABRICMYSQLDATASOURCE.GETCONNECTION() NPE AFTER SWITCHOVER.
* Bug#21286268, CONNECTOR/J REPLICATION USE MASTER IF SLAVE IS UNAVAILABLE.
* Bug#21296840 & Bug#17910835, Server information in a group from Fabric is not refreshed after expired TTL.
* Bug#56122 (11763419), JDBC4 functionality failure when using replication connections.
* Added support for TLSv1.1 and TLSv1.2
* Bug#78961 (22096981), Can't call MySQL procedure with InOut parameters in Fabric environment.
* Bug#56100 (11763401), Replication driver routes DML statements to read-only slaves.
* StandardSSLSocketFactory implements SocketMetadata.
* Bug#21978216, GETTYPEINFO REPORT MAXIMUM PRECISION OF 255 FOR VARBINARY.
* Bug#78706 (21947042), Prefer TLS where supported by MySQL Server.
* Bug#21934573, FABRIC CODE INVOLVED IN THREAD DEADLOCK.
* Bug#21876798, CONNECTOR/J WITH MYSQL FABRIC AND SPRING PRODUCES PROXY ERROR.
Changes in 6.0.1
* Removed useJvmCharsetConverters connection property. JVM charset converters are now used in all cases.
* Refactored value decoding and removed all date/time connection properties
* Refactored connection properties
* Assume existence of INFORMATION_SCHEMA.PARAMETERS (and thus MySQL 5.5) when preparing stored procedure calls.
* Removed retainStatementAfterResultSetClose connection property.
* Null-merge of Bug#54095 (11761585) fix.
* Removed support code for MySQL server versions < 5.7.
* Bug#76859 (20969312), DBMD getColumns using I_S doesn't have column IS_GENERATEDCOLUMN as per JDBC 4.1.
* Added support for GENERATED COLUMNS.
* Update Time Zone mappings with IANA Time Zone database tsdata2015f and Unicode CLDR v.28.
* Update DatabaseMetaData SQL keywords.
* Added tests for Optimizer hints syntax introduced in MySQL 5.7.7.
* Bug#21860833, JSON DATA TYPE DOESN'T WORK WITH SSPS.
* Added support for JSON data type.
* Added support for JDBC 4.2 new features.
* Bug#16634180, LOCK WAIT TIMEOUT EXCEEDED CAUSES SQLEXCEPTION, SHOULD CAUSE SQLTRANSIENTEXCEPTION
* Bug#75849 (20536592), NPE in abortInternal() method on line 1358 of ConnectionImpl.
* Bug#78106 (21648826), Potential memory leak with inflater.
* Bug#78225 (21697684), DEFAULT NO_AUTO_CREATE_USER SQL_MODE BEHAVIOR BROKE SOME TESTS
* Bug#77665 (21415165), JDBC fails to connect with MySQL 5.0.
* Bug#77681 (21429909), rewrite replace sql like insert when rewriteBatchedStatements=true (contribution).
* Bug#77449 (21304726) Add 'truncateFractionalSeconds=true|false' property (contribution).
* Bug#50348 (11758179), mysql connector/j 5.1.10 render the wrong value for dateTime column in GMT DB.
* Bug#75670 (20433047), Connection fails with 'Public Key Retrieval is not allowed' for native auth.
* Bug#76187 (20675539), getTypeInfo report maximum precision of 255 for varchar.
* Add test for new syntax 'ALTER TABLE ... DISCARD|IMPORT PARTITION ...' introduced in MySQL 5.7.4.
* Bug#20727196, GETPROCEDURECOLUMNS() RETURNS EXCEPTION FOR FUNCTION WHICH RETURNS ENUM/SET TYPE.
* Bug#19803348, GETPROCEDURES() RETURNS INCORRECT OUTPUT WHEN USEINFORMATIONSCHEMA=FALSE.
* Bug#21215151, DATABASEMETADATA.GETCATALOGS() FAILS TO SORT RESULTS.
* Bug#72630 (18758686), NullPointerException during handshake in some situations
* Bug#20825727, CONNECT FAILURE WHEN TRY TO CONNECT SHA USER WITH DIFFERENT CHARSET.
* Flag RowDataDynamic.isInterrupted removed as it isn't needed.
* Bug#20518653, XSL FILES IN PACKAGES
* Bug#20804635, GETTIME() AND GETDATE() FUNCTIONS FAILS WHEN FRACTIONAL PART EXISTS
* Bug#62452 (16444069), NPE thrown in JDBC4MySQLPooledException when statement is closed.
* BUG#70927 (17810800), Connector/J COM_CHANGE_USER handling is broken
* Bug#75335 (20283655), Maven artifact for Connector/J is missing source jar.
* BUG#75592 (20408891), 'SHOW VARIABLES WHERE' is expensive.
* Bug#75113 (20821888), Fail in failover of the connection in MySQL fabric
* Bug#72077 (18425861), Fabric connection with username to a server with disabled auth throws NPE
* Add test for already fixed Bug#72546 (18719760), C/J Fabric createGroup() throws ClassCastException
* Bug#77217 (21184949), ClassCastException when executing a streaming PreparedStatement with Fabric
* Bug#19536760, GETSTRING() CALL AFTER RS.RELATIVE() RETURNS NULLPOINTEREXCEPTION
* BUG#20453712, CLOB.SETSTRING() WITH VALID INPUT RETURNS EXCEPTION
* BUG#20453671, CLOB.POSITION() API CALL WITH CLOB INPUT RETURNS EXCEPTION
* Bug#20685022, SSL CONNECTION TO MYSQL 5.7.6 COMMUNITY SERVER FAILS.
* Bug#20606107, TEST FAILURES WHEN RUNNING AGAINST 5.7.6 SERVER VERSION
* Bug#20533907, BUG#20204783 FIX EXPOSES WRONG BEAHAVIORS IN FAILOVER CONNECTIONS.
* Bug#20504139, GETFUNCTIONCOLUMNS() AND GETPROCEDURECOLUMNS() RETURNS ERROR FOR VALID INPUTS.
* Expose PreparedStatment.ParseInfo for external usage, with no capture of the connection
* Bug#75309 (20272931), mysql connector/J driver in streaming mode will in the blocking state.
* New property 'readOnlyPropagatesToServer' controls the implicit propagation of read only transaction access mode to server.
* Bug#54095 (11761585), Unnecessary call in newSetTimestampInternal.
* Bug#67760 (15936413), Deadlock when concurrently executing prepared statements with Timestamp objects.
* Bug#71084 (18028319), Wrong java.sql.Date stored if client and server time zones differ.
* Bug#75080 (20217686), NullPointerException during setTimestamp on Fabric connection.
* Bug#75168 (20204783), loadBalanceExceptionChecker interface cannot work using JDBC4/JDK7.
* Bug#73595 (19465516), Replace usage of StringBuffer in JDBC driver.
* Bug#18925727, SQL INJECTION IN MYSQL JDBC DRIVER.
* Bug#74998 (20112694), readRemainingMultiPackets not computed correctly for rows larger than 16 MB.
* Bug#73012 (19219158), Precedence between timezone options is unclear.
* Implement support for connecting through SOCKS proxies (WL#8105).
* Ant buildfile reworked to fix incompatibilities with latest Eclipse
* Bug#18474141, TESTSUITE.FABRIC TEST CASES FAIL IF NO FABRIC.TESTSUITE PROPERTIES PROVIDED
* Bug#19383371, CONNECT USING MYSQL_OLD_PASSWORD USER FAILS WHEN PWD IS BLANK
* Bug#17441747, C/J DOESN'T SUPPORT XA RECOVER OUTPUT FORMAT CHANGED IN MYSQL 5.7.
* Bug#19145408, Error messages may not be interpreted according to the proper character set
* Bug#19505524, UNIT TEST SUITE DOES NOT CONSIDER ALL THE PARAMETERS PASSED TO BUILD.XML.
* Bug#73474 (19365473), Invalid empty line in MANIFEST.MF
* Bug#70436 (17527948), Incorrect mapping of windows timezone to Olson timezone.
* Bug73163 (19171665), IndexOutOfBoundsException thrown preparing statement.
* Added support for gb18030 character set
* Bug#73663 (19479242), utf8mb4 does not work for connector/j >=5.1.13
* Bug#73594 (19450418), ClassCastException in MysqlXADataSource if pinGlobalTxToPhysicalConnection=true
* Bug#19354014, changeUser() call results in 'packets out of order' error when useCompression=true.
* Bug#73577 (19443777), CHANGEUSER() CALL WITH USECOMPRESSION=TRUE COULD LEAD TO IO FREEZE
* Bug#19172037, TEST FAILURES WHEN RUNNING AGAINST 5.6.20 SERVER VERSION
* Bug#71923 (18344403), Incorrect generated keys if ON DUPLICATE KEY UPDATE not exact.
* Bug#72502 (18691866), NullPointerException in isInterfaceJdbc() when using DynaTrace
* Bug#72890 (18970520), Java jdbc driver returns incorrect return code when it's part of XA transaction.
* Fabric client now supports Fabric 1.5. Older versions are no longer supported.
* Bug#71672 (18232840), Every SQL statement is checked if it contains 'ON DUPLICATE KEY UPDATE' or not.
* Bug#73070 (19034681), Preparing a stored procedure call with Fabric results in an exception
* Bug#73053 (19022745), Endless loop in MysqlIO.clearInputStream due to Linux kernel bug.
* Bug#18869381, CHANGEUSER() FOR SHA USER RESULTS IN NULLPOINTEREXCEPTION
* Bug#62577 (16722757), XA connection fails with ClassCastException
* Bug#18852587, CONNECT WITH A USER CREATED USING SHA256_PASSWORD PLUGIN FAILS WHEN PWD IS BLANK
* Bug#18852682, TEST TESTSHA256PASSWORDPLUGIN FAILS WHEN EXECUTE AGAINST COMMERCIAL SERVER
* failing tests when running test suite with Java 6+.
* Bug#72712 (18836319), No way to configure Connector JDBC to not do extra queries on connection
- Adjust log4j/log4j-mini dependencies to account for the lack of
log4j12/log4jmini12 Provides in some code streams.
Changes in javapackages-tools:
- Can't assume non-existence of python38 macros in Leap.
gh#openSUSE/python-rpm-macros#107
Test for suse_version instead. Only Tumbleweed has and needs the
python_subpackage_only support.
- Fix typo in spec file sitearch -> sitelib
- Fix the python subpackage generation
gh#openSUSE/python-rpm-macros#79
- Support python subpackages for each flavor
gh#openSUSE/python-rpm-macros#66
- Replace old nose with pytest gh#fedora-java/javapackages#86
- when building extra flavor, BuildRequire javapackages-filesystem:
/etc/java is being cleaned out of the filesystems package.
- Upgrade to version 5.3.1
- Define _rpmmacrodir for distributions that don't have it
- Use %{_rpmmacrodir} instead of %{_libexecdir}/rpm/macros.d: this
just happens to overlap in some distros.
- Rename gradle-local and ivy-local to javapackages-gradle and
javapackages-ivy and let them depend only on javapackages-tools
and javapackages-local. These packages only install files
produced during the javapackages-tools build. The dependencies
will be pulled by gradle-local, ivy-local and maven-local
meta-packages built in a separate spec file.
- Split maven-local meta-package out of javapackages-tools spec
file
- Make the ivy-local and maven-local sub-packages depend on the
right stuff, so that they actually can be used for building
- Provide both com.sun:tools and sun.jdk:jconsole that are part of
standard OpenJDK installation. These provides cannot be generated
from metadata due to build sequence.
+ fix directories for eclipse.conf too
- Make the javapackages-local package depend on java-devel. It is
used for package building and this avoids each package to require
java-devel itself.
- Replace the occurences of /usr/lib by libdir in configuration
files too
- Update to version 5.3.0
- Modified patch:
- Build the :extras flavour as noarch
+ we did not bump epoch of OpenJDK packages in SUSE
+ fix a potential generation of unresolvable requires
+ adapt the tests to not expect the epoch
- Switch to multibuild layout
- Update to version 5.2.0+git20180620.70fa2258:
* Rename the async kwarg in call_script to wait (reverses the logic)
* Actually bump version to 5.3.0 snapshot
* Bump version in VERSION file
* [man] s/Pacakge/Package/g
* Fix typos in README
* Fix configure-base.sh after filesystem macro split
* Split filesystem macros to separate macro file
* Introduce javapackages-filesystem package
* [java-functions] extend ABRT Java agent options
* change abrt-java-connector upstream URL
* Remove resolverSettings/prefixes from XMvn config
* Add macros to allow passing arbitrary options to XMvn
* [spec] Bump package version to 5.1.0
* Allow specifying custom repo when calling xmvn-install
- Update to version 5.0.0+git20180104.9367c8f6:
* [java-functions] Avoid colons in jar names
* Workaround for SCL enable scripts not working with -e
* Second argument to pom_xpath_inject is mandatory
* [mvn_artifact] Provide more helpful error messages
* Fix traceback on corrupt zipfile
* [test] Add reproducer for rhbz#1481005
* [spec] Fix default JRE path
* [readme] Fix typo
* Add initial content to README.md (#21)
* Decouple JAVA_HOME setting from java command alternatives
- Fix url to correct one https://github.com/fedora-java/javapackages
- Split to python and non-python edition for smaller depgraph
- Fix abs2rel shebang:
- Fix Requires on subpackages to point to javapackages-tools proper
- Update to version 4.7.0+git20170331.ef4057e7:
* Reimplement abs2rel in Python
* Don't expand {scl} in macro definitions
* Install expanded rpmfc attr files
* [spec] Avoid file conflicts between in SCL
* Fix macros.d directory ownership
* Make %ant macro enable SCL when needed
* [spec] Fix file conflicts between SCL and non-SCL packages
* Fix ownership of ivyxmldir
* [test] Force locale for python processes
* Don't include timestamp in generated pom.properties
* We switch to /usr/lib/ location for macros
- Try to reduce some dependencies bsc#1036025
- python-lxml 3.5.0 introduces validation for xml comments, and
one of the comments created in this package were not valid.
This patch fixes the problem. It backported from upstream and
should be in the next release.
https://github.com/mizdebsk/javapackages/commit/84211c0ee761e93ee507f5d37e9fc80ec377e89d
- Version update to 4.6.0:
* various bugfixes for maven tooling
* introduction to gradle-local package for gradle packaging
- Drop dependency over source-highlight as it causes build cycle
- Try to break buildcycle detected on Factory
- Fix build on SLE11
- Use python-devel instead of pkgconfig to build on sle11
- Add python-javapackages as requirement for main package
- Update requires on python packages to properly have all the needed
dependencies on runtime
- Install macros to /etc/rpm as we do in SUSE:
- Cleanup with spec-cleaner
- Fix rpmlint errors
- Enable maven-local
- Avoid unsatisfiable dependencies
- Enable unit tests
- Update to version 4.4.0
- create directories for java, so that ant build works
- Add virtual provide jpackage-utils-java9 to be able to
distinguish the presence of java9 compatibility
- fix bashisms
- SLES patch for ZipFile, having no attribute '__exit__' which was causing
ecj build failures
- set correct libxslt package when building for SLES
Changes in javassist:
+ Add OSGi manifest to the javassist.jar
- Allow building on systems that do not have java 9 or higher
- Install and package the maven pom and metadata files
- BuildRequire at least Java 9. This version uses APIs introduced
in Java 9
- Replace old $RPM_* shell vars by macros.
- Version update to 3.23.1:
* 3.23.1 Github PR #171
* 3.23 Fix leaking file handlers in ClassPool and removed
ClassPath.close(). Github issue #165
* 3.22 Java 9 supports.
JIRA JASSIST-261.
- Specify java target and source version 1.6 in order to allow
building with jdk9
- fix javadoc errors that are fatal with jdk9
- Version update to 3.21.0:
* various compiler settings
* Require java >= 1.6
- Update to version 3.19.0
* Including a number of bug fixes and Java 8 supports.
- Clean up specfile
- Remove redundant %clean section
- Build for java API 1.5
- Remove unzip requirement
- Update home page and download source Urls
Changes in protobuf:
- Update to 3.17.3:
C++
* Introduce FieldAccessListener.
* Stop emitting boilerplate {Copy/Merge}From in each ProtoBuf class
* Provide stable versions of SortAndUnique().
* Make sure to cache proto3 optional message fields when they are cleared.
* Expose UnsafeArena methods to Reflection.
* Use std::string::empty() rather than std::string::size() > 0.
* [Protoc] C++ Resolved an issue where NO_DESTROY and CONSTINIT are in incorrect order (#8296)
* Fix PROTOBUF_CONSTINIT macro redefinition (#8323)
* Delete StringPiecePod (#8353)
* Create a CMake option to control whether or not RTTI is enabled (#8347)
* Make util::Status more similar to absl::Status (#8405)
* The ::pb namespace is no longer exposed due to conflicts.
* Allow MessageDifferencer::TreatAsSet() (and friends) to override previous
calls instead of crashing.
* Reduce the size of generated proto headers for protos with string or
bytes fields.
* Move arena() operation on uncommon path to out-of-line routine
* For iterator-pair function parameter types, take both iterators by value.
* Code-space savings and perhaps some modest performance improvements in
* RepeatedPtrField.
* Eliminate nullptr check from every tag parse.
* Remove unused _$name$cached_byte_size fields.
* Serialize extension ranges together when not broken by a proto field in the
middle.
* Do out-of-line allocation and deallocation of string object in ArenaString.
* Streamline ParseContext::ParseMessage to avoid code bloat and improve
performance.
* New member functions RepeatedField::Assign, RepeatedPtrField::{Add, Assign}.
on an error path.
* util::DefaultFieldComparator will be final in a future version of protobuf.
* Subclasses should inherit from SimpleFieldComparator instead.
Kotlin
* Introduce support for Kotlin protos (#8272)
* Restrict extension setter and getter operators to non-nullable T.
Java
* Fixed parser to check that we are at a proper limit when a sub-message has
finished parsing.
* updating GSON and Guava to more recent versions (#8524)
* Reduce the time spent evaluating isExtensionNumber by storing the extension
ranges in a TreeMap for faster queries. This is particularly relevant for
protos which define a large number of extension ranges, for example when
each tag is defined as an extension.
* Fix java bytecode estimation logic for optional fields.
* Optimize Descriptor.isExtensionNumber.
* deps: update JUnit and Truth (#8319)
* Detect invalid overflow of byteLimit and return InvalidProtocolBufferException as documented.
* Exceptions thrown while reading from an InputStream in parseFrom are now
included as causes.
* Support potentially more efficient proto parsing from RopeByteStrings.
* Clarify runtime of ByteString.Output.toStringBuffer().
* Added UnsafeByteOperations to protobuf-lite (#8426)
Python
* Add MethodDescriptor.CopyToProto() (#8327)
* Remove unused python_protobuf.{cc,h} (#8513)
* Start publishing python aarch64 manylinux wheels normally (#8530)
* Fix constness issue detected by MSVC standard conforming mode (#8568)
* Make JSON parsing match C++ and Java when multiple fields from the same
oneof are present and all but one is null.
* Fix some constness / char literal issues being found by MSVC standard conforming mode (#8344)
* Switch on 'new' buffer API (#8339)
* Enable crosscompiling aarch64 python wheels under dockcross manylinux docker image (#8280)
* Fixed a bug in text format where a trailing colon was printed for repeated field.
* When TextFormat encounters a duplicate message map key, replace the current
one instead of merging.
Ruby
* Add support for proto3 json_name in compiler and field definitions (#8356)
* Fixed memory leak of Ruby arena objects. (#8461)
* Fix source gem compilation (#8471)
* Fix various exceptions in Ruby on 64-bit Windows (#8563)
* Fix crash when calculating Message hash values on 64-bit Windows (#8565)
General
* Support M1 (#8557)
- Update to 3.15.8:
- Fixed memory leak of Ruby arena objects (#8461)
- update to 3.15.7:
C++
* Remove the ::pb namespace (alias) (#8423)
Ruby
* Fix unbounded memory growth for Ruby <2.7 (#8429)
* Fixed message equality in cases where the message type is different (#8434)
- Can't assume non-existence of python38 macros in Leap.
gh#openSUSE/python-rpm-macros#107
Test for suse_version instead. Only Tumbleweed has and needs the
python_subpackage_only support.
- update to 3.15.6:
Ruby
* Fixed bug in string comparison logic (#8386)
* Fixed quadratic memory use in array append (#8379)
* Fixed SEGV when users pass nil messages (#8363)
* Fixed quadratic memory usage when appending to arrays (#8364)
* Ruby <2.7 now uses WeakMap too, which prevents memory leaks. (#8341)
* Fix for FieldDescriptor.get(msg) (#8330)
* Bugfix for Message.[] for repeated or map fields (#8313)
PHP
* read_property() handler is not supposed to return NULL (#8362)
Protocol Compiler
* Optional fields for proto3 are enabled by default, and no longer require
the --experimental_allow_proto3_optional flag.
C++
* Do not disable RTTI by default in the CMake build (#8377)
* Create a CMake option to control whether or not RTTI is enabled (#8361)
* Fix PROTOBUF_CONSTINIT macro redefinition (#8323)
* MessageDifferencer: fixed bug when using custom ignore with multiple
unknown fields
* Use init_seg in MSVC to push initialization to an earlier phase.
* Runtime no longer triggers -Wsign-compare warnings.
* Fixed -Wtautological-constant-out-of-range-compare warning.
* DynamicCastToGenerated works for nullptr input for even if RTTI is disabled
* Arena is refactored and optimized.
* Clarified/specified that the exact value of Arena::SpaceAllocated() is an
implementation detail users must not rely on. It should not be used in
unit tests.
* Change the signature of Any::PackFrom() to return false on error.
* Add fast reflection getter API for strings.
* Constant initialize the global message instances
* Avoid potential for missed wakeup in UnknownFieldSet
* Now Proto3 Oneof fields have 'has' methods for checking their presence in
C++.
* Bugfix for NVCC
* Return early in _InternalSerialize for empty maps.
* Adding functionality for outputting map key values in proto path logging
output (does not affect comparison logic) and stop printing 'value' in the
path. The modified print functionality is in the
MessageDifferencer::StreamReporter.
* Fixed https://github.com/protocolbuffers/protobuf/issues/8129
* Ensure that null char symbol, package and file names do not result in a
crash.
* Constant initialize the global message instances
* Pretty print 'max' instead of numeric values in reserved ranges.
* Removed remaining instances of std::is_pod, which is deprecated in C++20.
* Changes to reduce code size for unknown field handling by making uncommon
cases out of line.
* Fix std::is_pod deprecated in C++20 (#7180)
* Fix some -Wunused-parameter warnings (#8053)
* Fix detecting file as directory on zOS issue #8051 (#8052)
* Don't include sys/param.h for _BYTE_ORDER (#8106)
* remove CMAKE_THREAD_LIBS_INIT from pkgconfig CFLAGS (#8154)
* Fix TextFormatMapTest.DynamicMessage issue#5136 (#8159)
* Fix for compiler warning issue#8145 (#8160)
* fix: support deprecated enums for GCC < 6 (#8164)
* Fix some warning when compiling with Visual Studio 2019 on x64 target (#8125)
Python
* Provided an override for the reverse() method that will reverse the internal
collection directly instead of using the other methods of the BaseContainer.
* MessageFactory.CreateProtoype can be overridden to customize class creation.
* Fix PyUnknownFields memory leak (#7928)
* Add macOS big sur compatibility (#8126)
JavaScript
* Generate `getDescriptor` methods with `*` as their `this` type.
* Enforce `let/const` for generated messages.
* js/binary/utils.js: Fix jspb.utils.joinUnsignedDecimalString to work with
negative bitsLow and low but non-zero bitsHigh parameter. (#8170)
PHP
* Added support for PHP 8. (#8105)
* unregister INI entries and fix invalid read on shutdown (#8042)
* Fix PhpDoc comments for message accessors to include '|null'. (#8136)
* fix: convert native PHP floats to single precision (#8187)
* Fixed PHP to support field numbers >=2**28. (#8235)
* feat: add support for deprecated fields to PHP compiler (#8223)
* Protect against stack overflow if the user derives from Message. (#8248)
* Fixed clone for Message, RepeatedField, and MapField. (#8245)
* Updated upb to allow nonzero offset minutes in JSON timestamps. (#8258)
Ruby
* Added support for Ruby 3. (#8184)
* Rewrote the data storage layer to be based on upb_msg objects from the
upb library. This should lead to much better parsing performance,
particularly for large messages. (#8184).
* Fill out JRuby support (#7923)
* [Ruby] Fix: (SIGSEGV) gRPC-Ruby issue on Windows. memory alloc infinite
recursion/run out of memory (#8195)
* Fix jruby support to handle messages nested more than 1 level deep (#8194)
Java
* Avoid possible UnsupportedOperationException when using CodedInputSteam
with a direct ByteBuffer.
* Make Durations.comparator() and Timestamps.comparator() Serializable.
* Add more detailed error information for dynamic message field type
validation failure
* Removed declarations of functions declared in java_names.h from
java_helpers.h.
* Now Proto3 Oneof fields have 'has' methods for checking their presence in
Java.
* Annotates Java proto generated *_FIELD_NUMBER constants.
* Add -assumevalues to remove JvmMemoryAccessor on Android.
C#
* Fix parsing negative Int32Value that crosses segment boundary (#8035)
* Change ByteString to use memory and support unsafe create without copy (#7645)
* Optimize MapField serialization by removing MessageAdapter (#8143)
* Allow FileDescriptors to be parsed with extension registries (#8220)
* Optimize writing small strings (#8149)
- Updated URL to https://github.com/protocolbuffers/protobuf
- Update to v3.14.0
Protocol Compiler
* The proto compiler no longer requires a .proto filename when it is not
generating code.
* Added flag `--deterministic_output` to `protoc --encode=...`.
* Fixed deadlock when using google.protobuf.Any embedded in aggregate options.
C++
* Arenas are now unconditionally enabled. cc_enable_arenas no longer has
any effect.
* Removed inlined string support, which is incompatible with arenas.
* Fix a memory corruption bug in reflection when mixing optional and
non-optional fields.
* Make SpaceUsed() calculation more thorough for map fields.
* Add stack overflow protection for text format with unknown field values.
* FieldPath::FollowAll() now returns a bool to signal if an out-of-bounds
error was encountered.
* Performance improvements for Map.
* Minor formatting fix when dumping a descriptor to .proto format with
DebugString.
* UBSAN fix in RepeatedField
* When running under ASAN, skip a test that makes huge allocations.
* Fixed a crash that could happen when creating more than 256 extensions in
a single message.
* Fix a crash in BuildFile when passing in invalid descriptor proto.
* Parser security fix when operating with CodedInputStream.
* Warn against the use of AllowUnknownExtension.
* Migrated to C++11 for-range loops instead of index-based loops where
possible. This fixes a lot of warnings when compiling with -Wsign-compare.
* Fix segment fault for proto3 optional
* Adds a CMake option to build `libprotoc` separately
Java
* Bugfix in mergeFrom() when a oneof has multiple message fields.
* Fix RopeByteString.RopeInputStream.read() returning -1 when told to read
0 bytes when not at EOF.
* Redefine remove(Object) on primitive repeated field Lists to avoid
autoboxing.
* Support '\u' escapes in textformat string literals.
* Trailing empty spaces are no longer ignored for FieldMask.
* Fix FieldMaskUtil.subtract to recursively remove mask.
* Mark enums with `@java.lang.Deprecated` if the proto enum has option
`deprecated = true;`.
* Adding forgotten duration.proto to the lite library
Python
* Print google.protobuf.NullValue as null instead of 'NULL_VALUE' when it is
used outside WKT Value/Struct.
* Fix bug occurring when attempting to deep copy an enum type in python 3.
* Add a setuptools extension for generating Python protobufs
* Remove uses of pkg_resources in non-namespace packages
* [bazel/py] Omit google/__init__.py from the Protobuf runtime
* Removed the unnecessary setuptools package dependency for Python package
* Fix PyUnknownFields memory leak
PHP
* Added support for '==' to the PHP C extension
* Added `==` operators for Map and Array
* Native C well-known types
* Optimized away hex2bin() call in generated code
* New version of upb, and a new hash function wyhash in third_party
* add missing hasOneof method to check presence of oneof fields
Go:
* Update go_package options to reference google.golang.org/protobuf module.
C#:
* annotate ByteString.CopyFrom(ReadOnlySpan<byte>) as SecuritySafeCritical
* Fix C# optional field reflection when there are regular fields too
* Fix parsing negative Int32Value that crosses segment boundary
Javascript:
* JS: parse (un)packed fields conditionally
- from version 3.13.0
PHP:
* The C extension is completely rewritten. The new C extension has significantly
better parsing performance and fixes a handful of conformance issues. It will
also make it easier to add support for more features like proto2 and proto3 presence.
* The new C extension does not support PHP 5.x. PHP 5.x users can still use pure-PHP.
C++:
* Removed deprecated unsafe arena string accessors
* Enabled heterogeneous lookup for std::string keys in maps.
* Removed implicit conversion from StringPiece to std::string
* Fix use-after-destroy bug when the Map is allocated in the arena.
* Improved the randomness of map ordering
* Added stack overflow protection for text format with unknown fields
* Use std::hash for proto maps to help with portability.
* Added more Windows macros to proto whitelist.
* Arena constructors for map entry messages are now marked 'explicit'
(for regular messages they were already explicit).
* Fix subtle aliasing bug in RepeatedField::Add
* Fix mismatch between MapEntry ByteSize and Serialize with respect to unset
fields.
Python:
* JSON format conformance fixes:
* Reject lowercase t for Timestamp json format.
* Print full_name directly for extensions (no camelCase).
* Reject boolean values for integer fields.
* Reject NaN, Infinity, -Infinity that is not quoted.
* Base64 fixes for bytes fields: accept URL-safe base64 and missing padding.
* Bugfix for fields/files named 'async' or 'await'.
* Improved the error message when AttributeError is returned from __getattr__
in EnumTypeWrapper.
Java:
* Fixed a bug where setting optional proto3 enums with setFooValue() would
not mark the value as present.
* Add Subtract function to FieldMaskUtil.
C#:
* Dropped support for netstandard1.0 (replaced by support for netstandard1.1).
This was required to modernize the parsing stack to use the `Span<byte>`
type internally
* Add `ParseFrom(ReadOnlySequence<byte>)` method to enable GC friendly
parsing with reduced allocations and buffer copies
* Add support for serialization directly to a `IBufferWriter<byte>` or
to a `Span<byte>` to enable GC friendly serialization.
The new API is available as extension methods on the `IMessage` type
* Add `GOOGLE_PROTOBUF_REFSTRUCT_COMPATIBILITY_MODE` define to make
generated code compatible with old C# compilers (pre-roslyn compilers
from .NET framework and old versions of mono) that do not support
ref structs. Users that are still on a legacy stack that does
not support C# 7.2 compiler might need to use the new define
in their projects to be able to build the newly generated code
* Due to the major overhaul of parsing and serialization internals,
it is recommended to regenerate your generated code to achieve the best
performance (the legacy generated code will still work, but might incur
a slight performance penalty).
- Fix the python subpackage generation
gh#openSUSE/python-rpm-macros#79
- Support multiple python3 flavors gh#openSUSE/python-rpm-macros#66
- Update to version 3.12.3; notable changes since 3.11.4:
Protocol Compiler
* [experimental] Singular, non-message typed fields in proto3 now support
presence tracking. This is enabled by adding the 'optional' field label and
passing the --experimental_allow_proto3_optional flag to protoc.
* For usage info, see docs/field_presence.md.
* During this experimental phase, code generators should update to support
proto3 presence, see docs/implementing_proto3_presence.md for instructions.
* Allow duplicate symbol names when multiple descriptor sets are passed on
the command-line, to match the behavior when multiple .proto files are passed.
* Deterministic `protoc --descriptor_set_out` (#7175)
Objective-C
* Tweak the union used for Extensions to support old generated code. #7573
* Fix for the :protobuf_objc target in the Bazel BUILD file. (#7538)
if p['result'] == 'FAIL':
* [experimental] ObjC Proto3 optional support (#7421)
* Block subclassing of generated classes (#7124)
* Use references to Obj C classes instead of names in descriptors. (#7026)
* Revisit how the WKTs are bundled with ObjC. (#7173)
C++
* Simplified the template export macros to fix the build for mingw32. (#7539)
* [experimental] Added proto3 presence support.
* New descriptor APIs to support proto3 presence.
* Enable Arenas by default on all .proto files.
* Documented that users are not allowed to subclass Message or MessageLite.
* Mark generated classes as final; inheriting from protos is strongly discouraged.
* Add stack overflow protection for text format with unknown fields.
* Add accessors for map key and value FieldDescriptors.
* Add FieldMaskUtil::FromFieldNumbers().
* MessageDifferencer: use ParsePartial() on Any fields so the diff does not
fail when there are missing required fields.
* ReflectionOps::Merge(): lookup messages in the right factory, if it can.
* Added Descriptor::WellKnownTypes enum and Descriptor::well_known_type()
accessor as an easier way of determining if a message is a Well-Known Type.
* Optimized RepeatedField::Add() when it is used in a loop.
* Made proto move/swap more efficient.
* De-virtualize the GetArena() method in MessageLite.
* Improves performance of json_stream_parser.cc by factor 1000 (#7230)
* bug: #7076 undefine Windows OUT and OPTIONAL macros (#7087)
* Fixed a bug in FieldDescriptor::DebugString() that would erroneously print
an 'optional' label for a field in a oneof.
* Fix bug in parsing bool extensions that assumed they are always 1 byte.
* Fix off-by-one error in FieldOptions::ByteSize() when extensions are present.
* Clarified the comments to show an example of the difference between
Descriptor::extension and DescriptorPool::FindAllExtensions.
* Add a compiler option 'code_size' to force optimize_for=code_size on all
protos where this is possible.
Ruby
* Re-add binary gems for Ruby 2.3 and 2.4. These are EOL upstream, however
many people still use them and dropping support will require more
coordination.
* [experimental] Implemented proto3 presence for Ruby. (#7406)
* Stop building binary gems for ruby <2.5 (#7453)
* Fix for wrappers with a zero value (#7195)
* Fix for JSON serialization of 0/empty-valued wrapper types (#7198)
* Call 'Class#new' over rb_class_new_instance in decoding (#7352)
* Build extensions for Ruby 2.7 (#7027)
* assigning 'nil' to submessage should clear the field. (#7397)
Java
* [experimental] Added proto3 presence support.
* Mark java enum _VALUE constants as @Deprecated if the enum field is deprecated
* reduce <clinit> size for enums with allow_alias set to true.
* Sort map fields alphabetically by the field's key when printing textproto.
* Fixed a bug in map sorting that appeared in -rc1 and -rc2 (#7508).
* TextFormat.merge() handles Any as top level type.
* Throw a descriptive IllegalArgumentException when calling
getValueDescriptor() on enum special value UNRECOGNIZED instead of
ArrayIndexOutOfBoundsException.
* Fixed an issue with JsonFormat.printer() where setting printingEnumsAsInts()
would override the configuration passed into includingDefaultValueFields().
* Implement overrides of indexOf() and contains() on primitive lists returned
for repeated fields to avoid autoboxing the list contents.
* Add overload to FieldMaskUtil.fromStringList that accepts a descriptor.
* [bazel] Move Java runtime/toolchains into //java (#7190)
Python
* [experimental] Added proto3 presence support.
* [experimental] fast import protobuf module, only works with cpp generated code linked in.
* Truncate 'float' fields to 4 bytes of precision in setters for pure-Python
implementation (C++ extension was already doing this).
* Fixed a memory leak in C++ bindings.
* Added a deprecation warning when code tries to create Descriptor objects
directly.
* Fix unintended comparison between bytes and string in descriptor.py.
* Avoid printing excess digits for float fields in TextFormat.
* Remove Python 2.5 syntax compatibility from the proto compiler generated _pb2.py module code.
* Drop 3.3, 3.4 and use single version docker images for all python tests (#7396)
JavaScript
* Fix js message pivot selection (#6813)
PHP
* Persistent Descriptor Pool (#6899)
* Implement lazy loading of php class for proto messages (#6911)
* Correct @return in Any.unpack docblock (#7089)
* Ignore unknown enum value when ignore_unknown specified (#7455)
C#
* [experimental] Add support for proto3 presence fields in C# (#7382)
* Mark GetOption API as obsolete and expose the 'GetOptions()' method on descriptors instead (#7491)
* Remove Has/Clear members for C# message fields in proto2 (#7429)
* Enforce recursion depth checking for unknown fields (#7132)
* Fix conformance test failures for Google.Protobuf (#6910)
* Cleanup various bits of Google.Protobuf (#6674)
* Fix latest ArgumentException for C# extensions (#6938)
* Remove unnecessary branch from ReadTag (#7289)
Other
* Add a proto_lang_toolchain for javalite (#6882)
* [bazel] Update gtest and deprecate //external:{gtest,gtest_main} (#7237)
* Add application note for explicit presence tracking. (#7390)
* Howto doc for implementing proto3 presence in a code generator. (#7407)
- Python: Add requirement on python-six
- Update to version 3.11.4; notable changes since 3.9.2:
* C++: Make serialization method naming consistent
* C++: Moved ShutdownProtobufLibrary() to message_lite.h. For
backward compatibility a declaration is still available
in stubs/common.h, but users should prefer message_lite.h
* C++: Removed non-namespace macro EXPECT_OK()
* C++: Removed mathlimits.h from stubs in favor of using
std::numeric_limits from C++11
* C++: Support direct pickling of nested messages
* C++: Disable extension code gen for C#
* C++: Switch the proto parser to the faster MOMI parser
* C++: Unused imports of files defining descriptor extensions
will now be reported
* C++: Add proto2::util::RemoveSubranges to remove multiple
subranges in linear time
* C++: Support 32 bit values for ProtoStreamObjectWriter to Struct
* C++: Removed the internal-only header coded_stream_inl.h and
the internal-only methods defined there
* C++: Enforced no SWIG wrapping of descriptor_database.h
(other headers already had this restriction)
* C++: Implementation of the equivalent of the MOMI parser for
serialization. This removes one of the two serialization
routines, by making the fast array serialization routine
completely general. SerializeToCodedStream can now be
implemented in terms of the much much faster array
serialization. The array serialization regresses slightly,
but when array serialization is not possible this wins big
* C++: Add move constructor for Reflection's SetString
* Java: Remove the usage of MethodHandle, so that Android users
prior to API version 26 can use protobuf-java
* Java: Publish ProGuard config for javalite
* Java: Include unknown fields when merging proto3 messages in
Java lite builders
* Java: Have oneof enums implement a separate interface (other
than EnumLite) for clarity
* Java: Opensource Android Memory Accessors
* Java: Change ProtobufArrayList to use Object[] instead of
ArrayList for 5-10% faster parsing
* Java: Make a copy of JsonFormat.TypeRegistry at the protobuf
top level package. This will eventually replace
JsonFormat.TypeRegistry
* Java: Add Automatic-Module-Name entries to the Manifest
* Python: Add float_precision option in json format printer
* Python: Optionally print bytes fields as messages in unknown
fields, if possible
* Python: Experimental code gen (fast import protobuf module)
which only work with cpp generated code linked in
* Python: Add descriptor methods in descriptor_pool are deprecated
* Python: Added delitem for Python extension dict
* JavaScript: Remove guard for Symbol iterator for jspb.Map
* JavaScript: Remove deprecated boolean option to getResultBase64String()
* JavaScript: Change the parameter types of binaryReaderFn in
ExtensionFieldBinaryInfo to (number, ?, ?)
* JavaScript: Create dates.ts and time_of_days.ts to mirror Java
versions. This is a near-identical conversion of
c.g.type.util.{Dates,TimeOfDays} respectively
* JavaScript: Migrate moneys to TypeScript
* PHP: Increase php7.4 compatibility
* PHP: Implement lazy loading of php class for proto messages
* Ruby: Support hashes for struct initializers
* C#: Experimental proto2 support is now officially available
* C#: Change _Extensions property to normal body rather than expression
* Objective C: Remove OSReadLittle* due to alignment requirements
* Other: Override CocoaPods module to lowercase
* further bugfixes and optimisations
- Use tarball provided by upstream
- Small package cleanup
- Updated to version 3.9.2 (bsc#1162343)
(Objective-C)
* Remove OSReadLittle* due to alignment requirements. (#6678)
* Don't use unions and instead use memcpy for the type swaps. (#6672)
- Package also the protobuf-bom pom file
- Update to new upstream release 3.9.1
* Optimized the implementation of RepeatedPtrFieldBase.
* Added delimited parse and serialize util.
* Added FieldDescriptor::PrintableNameForExtension() and
DescriptorPool::FindExtensionByPrintableName(). The latter
will replace Reflection::FindKnownExtensionByName().
* Created a new Add method in repeated field that allows adding
a range of elements all at once.
* Drop building wheel for Python 3.4.
- Specify java source and target levels in order to build
compatible protobuf-java binaries
- Update to new upstream release 3.8.0
* Introduced new MOMI (maybe-outside-memory-interval) parser.
* Added use of C++ override keyword where appropriate.
* Always declare enums to be int-sized.
* Append '_' to C++ reserved keywords for message, enum, extension.
- Disable LTO (boo#1133277).
- fixes build with Bazel 0.22.0.
- Add protobuf-source package - some programs using gRPC and
protobuf need protobuf definitions which are included inside the
source code, but are not included in the devel package.
- Add maven pom files to the protobuf-java package
- update to version v3.6.1:
* PHP namespaces for nested messages and enums (#4536)
* Allows the json marshaller to be passed json marshal options (#4252)
* Make sure to delete temporary maps used by FileDescriptorTables
* fix python cpp kokoro build
* Change C# reflection to avoid using expression trees
* Updated checked-in generated code
* Removed unused variables in repeated_scalar_container.cc
* Removed unused code pertaining to shared_ptr
* Include no_package.proto in Python test
* Only check filenames when end with .py in _CalledFromGeneratedFile() (#4262)
* Convert descriptortype to type for upb_msgval_sizeof (#4357)
* Removed duplicate using statement from ReflectionUtil.cs
* Add support for power ppc64le
* Cat the test-suite.log on errors for presubits
* Address review comments
* Add third-party RPC implementation: raster - a network framework supports pbrpc by 'service' keyword.
* Delete javanano kokoro build configs.
* Updated Ruby conformance test failure list
* Removed use of some type traits
* Adopt php_metadata_namespace in php code generator (#4622)
* Move to Xcode 9.3 which also means a High Sierra image.
* Add protoc release script for Linux build.
* protoc-artifacts: Avoid storing temporary files and use fewer layers
* Rewrite go_benchmark
* Add files to build ruby artifact for mac on kokoro (#4814)
* Remove javanano.
* Comment out unused command from release script.
* Avoid direct check of class name (#4601)
* The JsonParseOptions::ignore_unknown_fields option behavior treats
* Fix php memory leak test (#4692)
* Fix benchmark build
* Add VS2017 optional component dependency details to the C# readme (#4128)
* Fix initialization with Visual Studio
* For windows, all python version should use /MT (#4468)
* use brew install instead of easy_install in OSX (#4537)
* Sync upb change (#4373)
* Always add -std=c++11 for mac (#4684)
* Add kokoro build status badges.
* Removed unrecognized option from no_package.proto
* Fixed up proto3_lite_unittest.cc
* Update Xcode settings
* Cleanup LICENSE file.
* Remove js_embed binary. (#4709)
* Fixed JS parsing of unspecified map keys
* Update version number to 3.6.0
* Deliberately call simple code to avoid Unity linker pruning
* Revert 'Move `compiler/plugin.pb.cc` to libprotobuf with the other WKT sources.'
* protoc-artifacts: Use ENTRYPOINT to enable devtoolset-1.1
* MinGW build failed
* Support using MSVC intrinsics in Log2FloorNonZero
* Fix array constructor in c extension for compatibility (#4667)
* Add space between class name and concat message (#4577)
* fix python
* Add performance.md and add instruction for linking tcmalloc
* Add script for run and upload the benchmark result to bq
* Add test for failing write of raw pointer to output stream
* [objectivec] Fix memory leak of exceptions raised by RaiseException() (#4556)
* Remove stray indent on normal imports.
* Fix python ext build on kokoro (#4527)
* Add compile test sources for to test include order.
* Fixed a Visual Studio 2017 build error. (#4488)
* fix linux kokoro build in docker
* Fixes MSVC compiler warning C4800 'Forcing value to bool 'true' or 'false'' (#4350)
* Updated Docker setup to use GCC 4.8
* Remove broken build status icons.
* Run autogen.sh in release script.
* Output *_pb2_grpc.py when use_grpc_plugin=True
* Adopt ruby_package in ruby generated code. (#4627)
* Cygwin build failed
* Work around an 'old runtime' issue with reflection
* Added Kokoro protoc release build for OS X (#4770)
* Updated change log for 3.6.1 release
* Move methods out of class (#4697)
* Fix to allow AOT compilers to play nicely with reflection
* Update Makefile.am for Java lite files.
* Added map_lite_test.proto to fix LiteTest
* Introduce a compatiblity shim to support .NET 3.5 delegate creation
* Revert 'Removed mention of Buffer in byteSourceToUint8Array'
* Add gogo benchmark
* Set ext.no_native = true for non mac platform
* Removed atomicops.h since it is no longer used
* Rename a shadowed variable.
* Add kokoro bazel configs for 3.6.x branch.
* Deleted scoped_ptr.h
* Check the message to be encoded is the wrong type. (#4885) (#4949)
* protoc-artifacts: Avoid checking out protobuf code
* Add conformance test for null value in list JSON
* Build ruby gem on kokoro (#4819)
* Try using a new version of Visual Studio on AppVeyor
* Make ruby release configs consistent with protoc.
* fix for API change in PHP 7.3 (#4898)
* Add .proto files to extract_includes.bat
* Update protoc build scripts.
* Blacklist all WELL_KNOWN_PROTOS from Bazel C++ code generation.
* Additional support for building and deploying ppcle_64 artifacts
* Fix php tests
* Cleanup + documentation for Java Lite runtime.
* Added Kokoro Windows release build config for protoc (#4766)
* typo
* fix golang kokoro linux build
* Fix spelling error of __GNUC_MINOR__
* Update code to work for Xcode 10b1 (#4729)
* Added pyext/thread_unsafe_shared_ptr.h
* Added missing .inc files to BUILD
* js message support for jstype string on integers (#4332)
* Improve error message when googletest is missing.
* Make assertEquals pass for message (#4947)
* Sync internal benchmark changes
* Removed some unused C++ source files
* Fix missing LIBPROTOC_EXPORT.
* Added new test source files to Makefile.am
* Update php version to 3.6.0 (#4736)
* Fix RepeatedField#delete_if (#4292)
* Merge branch (#4466)
* Implement array constructor in php c extension.
* protoc-artifacts: Update centos base from 6.6 to 6.9
* PHP array constructors for protobuf messages (#4530)
* Fix problem: cmake build failed in c++11 by clang
* Don't assume Windows builds use MSVC.
* Use legacy name in php runtime (#4741)
* Add file option php_metadata_namespace and ruby_package (#4609)
* Fix cpp benchmark dependency on mac
* Use the first enum value instead of 0 in DefaultValueObjectWriter::FindEnumDefault
* Check return value on write of raw pointer
* Delete unused directories.
* Replace //:protoc and similar default macro arguments with
* Add extra C# file to Makefile.am
* includes the expected class in the exception, otherwise the error is harder to track down (#3371)
* Update instructions about getting protobuf source.
* Add cpp tests under release docker image.
* fix java benchmark, fix dashboard build
* `update_file_lists.sh` depends on Bash features, thus needs Bash sebang.
* Rename build_artifacts.cfg to release.cfg (#4818)
* Fix bug: whether always_print_enums_as_ints is true or false, it always print the default value of enums as strings
* source code info for interpreted options; fix source code info for extension range options (#4342)
* Updated version numbers to 3.6.1
* Trim imports for bundled generated protos.
* Require C++11 and pass -std=c++11
* Remove the iOS Test App.
* fix duplicate mkdir in update_file_lists.sh
* Updated csharp/README.md to reflect testing changes
* Fix bazel build of examples.
* Add missing ruby/tests/test_ruby_package.proto
* Fix cpp_distcheck
* Updated the change log with changes for 3.6.0
* some fix
* CMake: Update CXX Standard management
* Add the files added in #4485.
* Change to deal all messages in one loop
* Fix php conformance test.
* Add __init__.py files to compiler and util subpackages (#4117)
* Updated .gitignore to exclude downloaded gmock/ directory
* Fix error in Clang UndefinedBehaviorSanitizer
* Work around MSVC issue with std::atomic initialization (#4777)
* Updated conformance failure lists
* Add back GeneratedClassName to public (#4686)
* Add continuous test for ruby 2.3, 2.4 and 2.5 (#4829)
* Throw error if user want to access message properties (#4603)
* fix json_decode call parameters (#4381)
* Move `compiler/plugin.pb.cc` to libprotobuf with the other WKT sources.
* PHP: fixed typo in message.c
* Add go benchmark
* Allow list values to be null when parsing
* Added instruction for existing ZLIB configuration
* Fix 32bit php tests
* Removed javanano from post_process_dist.sh
* Don't generate imports for the WKTs unless generating the WKTs.
* For encoding upb needs descriptor type instead of type. (#4354)
* Include googletest as a submodule (#3993)
* Write messages to backing field in generated C# cloning code (#4440)
* Integrated internal changes from Google
- bump soname version
update to version v3.5.2:
* Update release date
* Disable pip cache when testing uploaded packages
* Replace private timelib_update_ts with public date_timestamp_get
* Remove py2.6 support.
* Cherrypick for csharp, including:
* Update changelog
* Update changelog for 3.5.1
* Fix uploading binary wheel.
* Fix memory leak when creating map field via array.
* Update rake file to build of 2.1.6.
* Avoid using php_date_get_date_ce() in case date extension is not
* Update protoc-artfacts
* Fix string::back() usage in googletest.cc
* Fix memory leak in php7
* Support ruby2.5
* io_win32: support non-ASCII paths
* Explicitly propagate the status of Flush().
* Add discard unknown API in ruby. (#3990)
* Update version for 3.5.0.post1
* remove nullptr
* Fix more memory leak for php c extension (#4211)
* Bumping number to fix ruby 2.1 on mac
* io_win32_unittest: remove incorrect error check
* Fix memory leak when creating repeated field via array.
* Update version number for php c extension (#3896)
* Fix file permission for python package.
* Create containing directory before generating well_known_types_embed.cc
* Replace C++11 only method std::map::at
* Recursively clear unknown fields in submessages. (#3982)
* Update version number to 3.5.1
* io_win32_unittest: fix condition in GetCwdAsUtf8
* Add release log
* io_win32_unittest: use CWD as last tempdir
* Add PROTOBUF_ENABLE_TIMESTAMP to let user decide whether timestamp util
* Add support for Windows ARM64 build
* Add protobuf-all in post release
* Use fully qualifed name for DescriptorPool in Any.php to avoid name (#3886)
* Add _file_desc_by_toplevel_extension back
* Fix setup.py for windows build.
* io_win32_unittest: make //:win32_test run again
* Provide discardUnknonwnFields API in php (#3976)
* Update php c extension version number to 3.5.0.1
* Fix ruby gc_test in ruby 2.4 (#4011)
* Remove duplicate typedef. (#3975)
* Accept DatetimeInterface in fromDatetime
* io_win32: add more encoding-related tests
* Bump version number to 3.5.2
* Bump protoc-artifact version for a patch rebuild
* Call php method via function name instead of calling directly.
* Well known types are not initialized properly. (#4139)
* Use matching enum type for IsPOD.
* Fix several more memory leak
* Fix for php5.5
* Add backslach to make class explict in global namespace
* Fix compile error undefined reference to
`google::protobuf::internal::Release_CompareAndSwap(long volatile*, long, long)'
on s390x https://github.com/google/protobuf/issues/3937
- Conditionalize python2 and python3 in order to be able to build
without python2 present in distribution
* Use singlespec macros to simplify the logic
- Run fdupes on python modules to avoid duplicates
- Remove shebangs from import-only code
- Update to new upstream release 3.5.0
* Proto3 messages are now preserving unknown fields by default.
If you rely on unknowns fields being dropped, use
DiscardUnknownFields() explicitly.
* Deprecated the unsafe_arena_release_* and
unsafe_arena_add_allocated_* methods for string fields.
* Added move constructor and move assignment to RepeatedField,
RepeatedPtrField and google::protobuf::Any.
* Added perfect forwarding in Arena::CreateMessage.
* In-progress experimental support for implicit weak fields
with lite protos. This feature allows the linker to strip out
more unused messages and reduce binary size.
- Rename %soname to %sover to better reflect its use.
- Install LICENSE
- Update to 3.3.0 :
* C++:
* Fixed map fields serialization of DynamicMessage to correctly serialize
both key and value regardless of their presence.
* Parser now rejects field number 0 correctly.
* New API Message::SpaceUsedLong() that’s equivalent to
Message::SpaceUsed() but returns the value in size_t.
* JSON support
- New flag always_print_enums_as_ints in JsonPrintOptions.
- New flag preserve_proto_field_names in JsonPrintOptions. It will instruct
the JSON printer to use the original field name declared in the .proto
file instead of converting them to lowerCamelCase when printing JSON.
- JsonPrintOptions.always_print_primtive_fields now works for oneof message
fields.
- Fixed a bug that doesn’t allow different fields to set the same json_name
value.
- Fixed a performance bug that causes excessive memory copy when printing
large messages.
* Various performance optimizations.
* Java:
* Map field setters eagerly validate inputs and throw NullPointerExceptions
as appropriate.
* Added ByteBuffer overloads to the generated parsing methods and the Parser
interface.
* proto3 enum's getNumber() method now throws on UNRECOGNIZED values.
* Output of JsonFormat is now locale independent.
* Python:
* Added FindServiceByName() in the pure-Python DescriptorPool. This works only
for descriptors added with DescriptorPool.Add(). Generated descriptor_pool
does not support this yet.
* Added a descriptor_pool parameter for parsing Any in text_format.Parse().
* descriptor_pool.FindFileContainingSymbol() now is able to find nested
extensions.
* Extending empty [] to repeated field now sets parent message presence.
- Update to 3.2.0 :
* Added protoc version number to protoc plugin protocol. It can be used by
protoc plugin to detect which version of protoc is used with the plugin and
mitigate known problems in certain version of protoc.
* C++:
* The default parsing byte size limit has been raised from 64MB to 2GB.
* Added rvalue setters for non-arena string fields.
* Enabled debug logging for Android.
* Fixed a double-free problem when using Reflection::SetAllocatedMessage()
with extension fields.
* Fixed several deterministic serialization bugs:
* MessageLite::SerializeAsString() now respects the global deterministic
serialization flag.
* Extension fields are serialized deterministically as well. Fixed protocol
compiler to correctly report importing-self as an error.
* Fixed FileDescriptor::DebugString() to print custom options correctly.
* Various performance/codesize optimizations and cleanups.
* Java:
* The default parsing byte size limit has been raised from 64MB to 2GB.
* Added recursion limit when parsing JSON.
* Fixed a bug that enumType.getDescriptor().getOptions() doesn't have custom
options.
* Fixed generated code to support field numbers up to 2^29-1.
* Python:
* You can now assign NumPy scalars/arrays (np.int32, np.int64) to protobuf
fields, and assigning other numeric types has been optimized for
performance.
* Pure-Python: message types are now garbage-collectable.
* Python/C++: a lot of internal cleanup/refactoring.
- Increase soname to 13
- Generate python2-protobuf and python3-protobuf packages in Factory
- Make the python2-protobuf package provide and obsolete python-protobuf
to make the transition smooth in Tumbleweed
- Fix an issue with setup.py where some files are built on the
first invocation, but only copied on the second. This resulted
in an incomplete protobuf-python package.
- Update to protobuf v3.1.0. Protobuf v3.0.0 introduceced a new
version of the protocol buffer language, proto3, which supersedes
proto2.
The protoc compiler is able to read old proto2 protocol definitions,
and defaults to the proto2 syntax if a syntax is not specified, thus
packages can be recompiled to link to the new library. For backwards
compatibility, the old library version is available from the
protobuf2 package.
As the API for proto2 is not compatible to the proto3 API, proto3
should only be used for new Protocol Buffers, whereas current users
are advised to keep using proto2. For a detailed list of changes,
see https://github.com/google/protobuf/releases
- Use py_sitedir for library installation with setup.py install
- Drop protobuf-libs as it is just workaround for rpmlint issue
- Cleanup specfile:
* remove any conditionals for versions predating SLES 12/Leap 42.x
* add Provides: protobuf-libs to fix rpmlint warning
Changes in python-python-gflags:
- Don't provide python2-gflags, singlespec packages should use
correct name.
- Provide python-gflags in the python2 package
- Fix URL.
- Update to version 3.1.1
* Added PEP8 style method/function aliases.
- Update to version 3.1.0
* Python3 compatibility
* Removed UnrecognizedFlag exception.
* Replaced flags.DuplicateFlag with flags.DuplicateFlagError.
* Moved the validators.Error class to exceptions.ValidationError.
* Renamed IllegalFlagValue to IllegalFlagValueError.
* Removed MutualExclusionValidator class, in favor of flags.MarkFlagsAsMutualExclusive.
* Removed FlagValues.AddValidator method.
* Removed _helpers.GetMainModule.
* Use xml.dom.minidom to create XML strings, instead of manual crafting.
* Declared PEP8-style names.
* Added examples.
- Update to version 3.0.7
* Removed the unused method ShortestUniquePrefixes.
* Removed _GetCallingModule function alias.
- Update to version 3.0.6
* Declared pypi package classifiers.
* Added support for CLIF flag processing (not included in python-gflags repo
yet).
- Update to version 3.0.5
* Added a warning when FLAGS.SetDefault is used after flags were parsed.
* Added new function: MarkFlagsAsRequired.
- Update to version 3.0.4
* One more fix for setup.py - this time about third_party package.
- Update to version 3.0.3
* Fixed setup.py.
* --noflag if argument is given is no longer allowed.
* Python3 compatibility: removed need for cgi import.
* Disallowed unparsed flag usage after FLAGS.Reset()
- Update to version 3.0.2
* Fix MANIFEST.in to include all relevant files.
- Update to version 3.0.1
* Some changes for python3 compatibility.
* Automatically generate ordering operations for Flag.
* Add optional comma compatibility to whitespace-separated list flags.
* A lot of potentially backwards incompatible changes since 2.0.
* This version is NOT recommended to use in production. Some of the files and
documentation has been lost during export; this will be fixed in next
versions.
- Fix source URL
- Implement single-spec version
ImportantSUSE bug 1036025SUSE bug 1133277SUSE bug 1162343cpe:/o:suse:sles_teradata:12:sp3Security update for tomcat (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tomcat fixes the following issues:
- Remove the log4j dependency as it is not used by the tomcat package (bsc#1196137)
Security hardening, related to Spring Framework vulnerabilities:
- Deprecate getResources() and always return null (bsc#1198136).
ImportantSUSE bug 1196137SUSE bug 1198136cpe:/o:suse:sles_teradata:12:sp3Security update for gstreamer-plugins-base (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gstreamer-plugins-base fixes the following issues:
- CVE-2023-37327: Fixed FLAC file parsing integer overflow remote code execution vulnerability. (bsc#1213128)
- CVE-2023-37328: Fixed PGS file parsing heap-based buffer overflow remote code execution vulnerability. (bsc#1213131)
ImportantSUSE bug 1213128SUSE bug 1213131CVE-2023-37327 at SUSECVE-2023-37327 at NVDCVE-2023-37328 at SUSECVE-2023-37328 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
Update to version 2.40.5 (bsc#1213905):
- CVE-2023-38133: Fixed information disclosure.
- CVE-2023-38572: Fixed Same-Origin-Policy bypass.
- CVE-2023-38592: Fixed arbitrary code execution.
- CVE-2023-38594: Fixed arbitrary code execution.
- CVE-2023-38595: Fixed arbitrary code execution.
- CVE-2023-38597: Fixed arbitrary code execution.
- CVE-2023-38599: Fixed sensitive user information tracking.
- CVE-2023-38600: Fixed arbitrary code execution.
- CVE-2023-38611: Fixed arbitrary code execution.
Update to version 2.40.3 (bsc#1212863):
- CVE-2023-32439: Fixed a bug where processing maliciously crafted web content may lead to arbitrary code execution. (bsc#1212863)
- CVE-2023-32435: Fixed a bug where processing web content may lead to arbitrary code execution. (bsc#1212863)
- CVE-2022-48503: Fixed a bug where processing web content may lead to arbitrary code execution. (bsc#1212863)
ImportantSUSE bug 1212863SUSE bug 1213905CVE-2022-48503 at SUSECVE-2022-48503 at NVDCVE-2023-32435 at SUSECVE-2023-32435 at NVDCVE-2023-32439 at SUSECVE-2023-32439 at NVDCVE-2023-38133 at SUSECVE-2023-38133 at NVDCVE-2023-38572 at SUSECVE-2023-38572 at NVDCVE-2023-38592 at SUSECVE-2023-38592 at NVDCVE-2023-38594 at SUSECVE-2023-38594 at NVDCVE-2023-38595 at SUSECVE-2023-38595 at NVDCVE-2023-38597 at SUSECVE-2023-38597 at NVDCVE-2023-38599 at SUSECVE-2023-38599 at NVDCVE-2023-38600 at SUSECVE-2023-38600 at NVDCVE-2023-38611 at SUSECVE-2023-38611 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for gstreamer-plugins-good (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gstreamer-plugins-good fixes the following issues:
- CVE-2023-37327: Fixed FLAC file parsing integer overflow remote code execution vulnerability. (bsc#1213128)
ImportantSUSE bug 1213128CVE-2023-37327 at SUSECVE-2023-37327 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ucode-intel fixes the following issues:
- Updated to Intel CPU Microcode 20230808 release. (bsc#1214099)
- CVE-2022-40982: Fixed a potential security vulnerability in some Intel? Processors which may allow information disclosure.
- CVE-2023-23908: Fixed a potential security vulnerability in some 3rd Generation Intel? Xeon? Scalable processors which may allow information disclosure.
- CVE-2022-41804: Fixed a potential security vulnerability in some Intel? Xeon? Processors with Intel? Software Guard Extensions (SGX) which may allow escalation of privilege.
ImportantSUSE bug 1206418SUSE bug 1214099CVE-2022-40982 at SUSECVE-2022-40982 at NVDCVE-2022-41804 at SUSECVE-2022-41804 at NVDCVE-2023-23908 at SUSECVE-2023-23908 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for openssl-1_0_0 (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssl-1_0_0 fixes the following issues:
- CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)
ModerateSUSE bug 1213853CVE-2023-3817 at SUSECVE-2023-3817 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for pcre2 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for pcre2 fixes the following issues:
- CVE-2022-41409: Fixed integer overflow vulnerability in pcre2test that allows attackers to cause a denial of service via negative input (bsc#1213514).
ModerateSUSE bug 1213514CVE-2022-41409 at SUSECVE-2022-41409 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql12 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql12 fixes the following issues:
- Update to 12.16
- CVE-2023-39417: Fixed potential SQL injection for trusted extensions. (bsc#1214059)
ModerateSUSE bug 1214059CVE-2023-39417 at SUSECVE-2023-39417 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql15 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql15 fixes the following issues:
- Update to 15.4
- CVE-2023-39417: Fixed potential SQL injection for trusted extensions. (bsc#1214059)
- CVE-2023-39418: Fix MERGE to enforce row security. (bsc#1214061)
ModerateSUSE bug 1214059SUSE bug 1214061CVE-2023-39417 at SUSECVE-2023-39417 at NVDCVE-2023-39418 at SUSECVE-2023-39418 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql15 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql15 fixes the following issues:
- Update to 14.9
- CVE-2023-39417: Fixed potential SQL injection for trusted extensions. (bsc#1214059)
ModerateSUSE bug 1214059CVE-2023-39417 at SUSECVE-2023-39417 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql15 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql15 fixes the following issues:
- Update to 13.12
- CVE-2023-39417: Fixed potential SQL injection for trusted extensions. (bsc#1214059)
ModerateSUSE bug 1214059CVE-2023-39417 at SUSECVE-2023-39417 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ImageMagick (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ImageMagick fixes the following issues:
- CVE-2023-3745: Fixed heap out of bounds read in PushCharPixel() in quantum-private.h (bsc#1213624).
LowSUSE bug 1213624CVE-2023-3745 at SUSECVE-2023-3745 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python-configobj (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-configobj fixes the following issues:
- CVE-2023-26112: Fixed regular expression denial of service vulnerability in validate.py (bsc#1210070).
LowSUSE bug 1210070CVE-2023-26112 at SUSECVE-2023-26112 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for clamav (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for clamav fixes the following issues:
- Update to 0.103.9
- CVE-2023-20197: Fixed a possible denial of service vulnerability in the HFS+ file parser. (bsc#1214342)
ImportantSUSE bug 1214342CVE-2023-20197 at SUSECVE-2023-20197 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libapr-util1 (Critical)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libapr-util1 fixes the following issues:
- CVE-2022-25147: Fixed a buffer overflow possible with specially crafted input during base64 encoding (bsc#1207866)
CriticalSUSE bug 1207866CVE-2022-25147 at SUSECVE-2022-25147 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for krb5 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for krb5 fixes the following issues:
- CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)
ImportantSUSE bug 1214054CVE-2023-36054 at SUSECVE-2023-36054 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for poppler (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for poppler fixes the following issues:
- CVE-2019-16115: Fixed an uninitialized memory error in GfxUnivariateShading::setupCache. (bsc#1150039)
ModerateSUSE bug 1150039CVE-2019-16115 at SUSECVE-2019-16115 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xrdp (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xrdp fixes the following issues:
- CVE-2022-23468: Fixed a buffer overflow in xrdp_login_wnd_create() (bsc#1206300).
- CVE-2022-23479: Fixed a buffer overflow in xrdp_mm_chan_data_in() (bsc#1206303).
- CVE-2022-23480: Fixed a buffer overflow in devredir_proc_client_devlist_announce_req() (bsc#1206306).
- CVE-2022-23481: Fixed an out of bound read in xrdp_caps_process_confirm_active() (bsc#1206307).
- CVE-2022-23482: Fixed an out of bound read in xrdp_sec_process_mcs_data_CS_CORE() (bsc#1206310).
- CVE-2022-23483: Fixed an out of bound read in libxrdp_send_to_channel() (bsc#1206311).
- CVE-2022-23484: Fixed a integer overflow in xrdp_mm_process_rail_update_window_text() (bsc#1206312).
ImportantSUSE bug 1206300SUSE bug 1206303SUSE bug 1206306SUSE bug 1206307SUSE bug 1206310SUSE bug 1206311SUSE bug 1206312CVE-2022-23468 at SUSECVE-2022-23468 at NVDCVE-2022-23479 at SUSECVE-2022-23479 at NVDCVE-2022-23480 at SUSECVE-2022-23480 at NVDCVE-2022-23481 at SUSECVE-2022-23481 at NVDCVE-2022-23482 at SUSECVE-2022-23482 at NVDCVE-2022-23483 at SUSECVE-2022-23483 at NVDCVE-2022-23484 at SUSECVE-2022-23484 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for gstreamer-plugins-base (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gstreamer-plugins-base fixes the following issues:
- The patch for CVE-2023-37328 is removed because it was added by mistake and the package has never been affected by this vulnerability. (bsc#1213131)
LowSUSE bug 1213131CVE-2023-37328 at SUSECVE-2023-37328 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ca-certificates-mozilla (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ca-certificates-mozilla fixes the following issues:
- Updated to 2.62 state of Mozilla SSL root CAs (bsc#1214248)
Added:
- Atos TrustedRoot Root CA ECC G2 2020
- Atos TrustedRoot Root CA ECC TLS 2021
- Atos TrustedRoot Root CA RSA G2 2020
- Atos TrustedRoot Root CA RSA TLS 2021
- BJCA Global Root CA1
- BJCA Global Root CA2
- LAWtrust Root CA2 (4096)
- Sectigo Public Email Protection Root E46
- Sectigo Public Email Protection Root R46
- Sectigo Public Server Authentication Root E46
- Sectigo Public Server Authentication Root R46
- SSL.com Client ECC Root CA 2022
- SSL.com Client RSA Root CA 2022
- SSL.com TLS ECC Root CA 2022
- SSL.com TLS RSA Root CA 2022
Removed CAs:
- Chambers of Commerce Root
- E-Tugra Certification Authority
- E-Tugra Global Root CA ECC v3
- E-Tugra Global Root CA RSA v3
- Hongkong Post Root CA 1
ImportantSUSE bug 1214248cpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 8 Fix Pack 10 (bsc#1213541)
- CVE-2022-40609: Fixed an unsafe deserialization flaw which could allow a remote attacker to execute arbitrary code on the system. (bsc#1213934)
- CVE-2023-22041: Fixed a flaw whcih could allow unauthorized access to critical data or complete access. (bsc#1213475)
- CVE-2023-22049: Fixed a flaw which could result in unauthorized update. (bsc#1213482)
- CVE-2023-22045: Fixed a flaw which could result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. (bsc#1213481)
- CVE-2023-22044: Fixed a flaw which could result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. (bsc#1213479)
- CVE-2023-22036: Fixed a flaw which could result in unauthorized ability to cause a partial denial of service. (bsc#1213474)
- CVE-2023-25193: Fixed a flaw which could allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks. (bsc#1207922)
- CVE-2023-22006: Fixed a flaw which could result in unauthorized update, insert or delete access for JDK accessible data. (bsc#1213473)
ImportantSUSE bug 1214431CVE-2022-40609 at SUSECVE-2022-40609 at NVDCVE-2023-22006 at SUSECVE-2023-22006 at NVDCVE-2023-22036 at SUSECVE-2023-22036 at NVDCVE-2023-22041 at SUSECVE-2023-22041 at NVDCVE-2023-22044 at SUSECVE-2023-22044 at NVDCVE-2023-22045 at SUSECVE-2023-22045 at NVDCVE-2023-22049 at SUSECVE-2023-22049 at NVDCVE-2023-25193 at SUSECVE-2023-25193 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libcares2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libcares2 fixes the following issues:
- CVE-2022-4904: Fixed stack overflow in ares_set_sortlist() (bsc#1208067).
ImportantSUSE bug 1208067CVE-2022-4904 at SUSECVE-2022-4904 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for curl (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for curl fixes the following issues:
- CVE-2020-19909: Fixed Integer overflow vulnerability in tool_operate.c via crafted value as the retry delay (bsc#1214495).
LowSUSE bug 1214495CVE-2020-19909 at SUSECVE-2020-19909 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gawk (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gawk fixes the following issues:
- CVE-2023-4156: Fix a heap out of bound read by validating the index into argument list. (bsc#1214025)
LowSUSE bug 1214025CVE-2023-4156 at SUSECVE-2023-4156 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ghostscript (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ghostscript fixes the following issues:
- CVE-2023-38559: Fixed out-of-bounds read in devn_pcx_write_rle() that could result in DoS (bsc#1213637).
LowSUSE bug 1213637CVE-2023-38559 at SUSECVE-2023-38559 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-openjdk (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-openjdk fixes the following issues:
Update to version jdk8u382 (icedtea-3.28.0)
- CVE-2023-22045: Fixed a difficult to exploit vulnerability that allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK (bsc#1213481).
- CVE-2023-22049: Fixed a difficult to exploit vulnerability that allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK (bsc#1213482).
ModerateSUSE bug 1213481SUSE bug 1213482CVE-2023-22045 at SUSECVE-2023-22045 at NVDCVE-2023-22049 at SUSECVE-2023-22049 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for vim (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for vim fixes the following issues:
Updated to version 9.0 with patch level 1572.
- CVE-2023-2426: Fixed Out-of-range Pointer Offset use (bsc#1210996).
- CVE-2023-2609: Fixed NULL Pointer Dereference (bsc#1211256).
- CVE-2023-2610: Fixed nteger Overflow or Wraparound (bsc#1211257).
- CVE-2023-1264: Fixed NULL Pointer Dereference (bsc#1209042).
- CVE-2023-1355: Fixed NULL Pointer Dereference (bsc#1209187).
- CVE-2023-1127: Fixed divide by zero in scrolldown() (bsc#1208828).
ImportantSUSE bug 1208828SUSE bug 1209042SUSE bug 1209187SUSE bug 1210996SUSE bug 1211256SUSE bug 1211257CVE-2023-1127 at SUSECVE-2023-1127 at NVDCVE-2023-1264 at SUSECVE-2023-1264 at NVDCVE-2023-1355 at SUSECVE-2023-1355 at NVDCVE-2023-2426 at SUSECVE-2023-2426 at NVDCVE-2023-2609 at SUSECVE-2023-2609 at NVDCVE-2023-2610 at SUSECVE-2023-2610 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for procps (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for procps fixes the following issues:
- CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290).
LowSUSE bug 1214290CVE-2023-4016 at SUSECVE-2023-4016 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libssh2_org (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libssh2_org fixes the following issues:
- CVE-2020-22218: Fixed a bug in _libssh2_packet_add() which allows to access out of bounds memory. (bsc#1214527)
ImportantSUSE bug 1214527CVE-2020-22218 at SUSECVE-2020-22218 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for open-vm-tools (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for open-vm-tools fixes the following issues:
- CVE-2023-20900: Fixed SAML token signature bypass vulnerability (bsc#1214566).
- CVE-2023-20867: Fixed authentication bypass in the vgauth module (bsc#1212143).
ImportantSUSE bug 1212143SUSE bug 1214566CVE-2023-20867 at SUSECVE-2023-20867 at NVDCVE-2023-20900 at SUSECVE-2023-20900 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Firefox was updated to Extended Support Release 115.2.0 ESR (MFSA 2023-36) (bsc#1214606).
- CVE-2023-4574: Fixed memory corruption in IPC ColorPickerShownCallback (bmo#1846688)
- CVE-2023-4575: Fixed memory corruption in IPC FilePickerShownCallback (bmo#1846689)
- CVE-2023-4576: Fixed integer Overflow in RecordedSourceSurfaceCreation (bmo#1846694)
- CVE-2023-4577: Fixed memory corruption in JIT UpdateRegExpStatics (bmo#1847397)
- CVE-2023-4051: Fixed full screen notification obscured by file open dialog (bmo#1821884)
- CVE-2023-4578: Fixed Out of Memory Exception in SpiderMonkey could have triggered an (bmo#1839007)
- CVE-2023-4053: Fixed full screen notification obscured by external program (bmo#1839079)
- CVE-2023-4580: Fixed push notifications saved to disk unencrypted (bmo#1843046)
- CVE-2023-4581: Fixed XLL file extensions downloadable without warnings (bmo#1843758)
- CVE-2023-4582: Fixed buffer Overflow in WebGL glGetProgramiv (bmo#1773874)
- CVE-2023-4583: Fixed browsing Context potentially not cleared when closing Private Window (bmo#1842030)
- CVE-2023-4584: Fixed memory safety bugs fixed in Firefox 117, Firefox ESR 102.15, Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2 (bmo#1843968, bmo#1845205, bmo#1846080, bmo#1846526, bmo#1847529)
- CVE-2023-4585: Fixed memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2(bmo#1751583, bmo#1833504, bmo#1841082, bmo#1847904, bmo#1848999).
ImportantSUSE bug 1214606CVE-2023-4051 at SUSECVE-2023-4051 at NVDCVE-2023-4053 at SUSECVE-2023-4053 at NVDCVE-2023-4574 at SUSECVE-2023-4574 at NVDCVE-2023-4575 at SUSECVE-2023-4575 at NVDCVE-2023-4576 at SUSECVE-2023-4576 at NVDCVE-2023-4577 at SUSECVE-2023-4577 at NVDCVE-2023-4578 at SUSECVE-2023-4578 at NVDCVE-2023-4580 at SUSECVE-2023-4580 at NVDCVE-2023-4581 at SUSECVE-2023-4581 at NVDCVE-2023-4582 at SUSECVE-2023-4582 at NVDCVE-2023-4583 at SUSECVE-2023-4583 at NVDCVE-2023-4584 at SUSECVE-2023-4584 at NVDCVE-2023-4585 at SUSECVE-2023-4585 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for python36 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python36 fixes the following issues:
- CVE-2023-40217: Fixed TLS handshake bypass on closed sockets (bsc#1214692).
ImportantSUSE bug 1214692CVE-2023-40217 at SUSECVE-2023-40217 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Critical)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 115.2.1 ESR (bsc#1215245).
- CVE-2023-4863: Fixed heap buffer overflow in libwebp (MFSA 2023-40) (bsc#1215231).
The following non-security bug was fixed:
- Fix i586 build by reducing debug info to -g1 (bsc#1210168).
CriticalSUSE bug 1210168SUSE bug 1215231SUSE bug 1215245CVE-2023-4863 at SUSECVE-2023-4863 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for gcc12 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gcc12 fixes the following issues:
- CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).
ImportantSUSE bug 1214052CVE-2023-4039 at SUSECVE-2023-4039 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for gcc7 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gcc7 fixes the following issues:
Security issues fixed:
- CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).
- CVE-2019-15847: Fixed POWER9 DARN miscompilation. (bsc#1149145)
- CVE-2019-14250: Includes fix for LTO linker plugin heap overflow. (bsc#1142649)
Update to GCC 7.5.0 release.
Other changes:
- Fixed KASAN kernel compile. (bsc#1205145)
- Fixed ICE with C++17 code. (bsc#1204505)
- Fixed altivec.h redefining bool in C++ which makes bool unusable (bsc#1195517):
- Adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]
- Do not handle exceptions in std::thread (jsc#CAR-1182)
- add -fpatchable-function-entry feature to gcc-7.
- Fixed glibc namespace violation with getauxval. (bsc#1167939)
- Backport aarch64 Straight Line Speculation mitigation [bsc#1172798, CVE-2020-13844]
- Enable fortran for the nvptx offload compiler.
- Update README.First-for.SuSE.packagers
- Avoid assembler errors with AVX512 gather and scatter instructions when using -masm=intel.
- Backport the aarch64 -moutline-atomics feature and accumulated fixes but not its
default enabling. (jsc#SLE-12209, bsc#1167939)
- Fixed memcpy miscompilation on aarch64. (bsc#1178624, bsc#1178577)
- Fixed debug line info for try/catch. (bsc#1178614)
- Fixed corruption of pass private ->aux via DF. (gcc#94148)
- Fixed debug information issue with inlined functions and passed by reference arguments. [gcc#93888]
- Fixed register allocation issue with exception handling code on s390x. (bsc#1161913)
- Backport PR target/92692 to fix miscompilation of some atomic code on aarch64. (bsc#1150164)
- Fixed miscompilation in vectorized code for s390x. (bsc#1160086) [gcc#92950]
- Fixed miscompilation with thread-safe local static initialization. [gcc#85887]
- Fixed debug info created for array definitions that complete an earlier declaration. [bsc#1146475]
- Fixed vector shift miscompilation on s390. (bsc#1141897)
- Add gcc7 -flive-patching patch. [bsc#1071995, fate#323487]
- Strip -flto from $optflags.
- Disables switch jump-tables when retpolines are used. (bsc#1131264, jsc#SLE-6738)
- Fixed ICE compiling tensorflow on aarch64. (bsc#1129389)
- Fixed for aarch64 FMA steering pass use-after-free. (bsc#1128794)
- Fixed ICE compiling tensorflow. (bsc#1129389)
- Fixed s390x FP load-and-test issue. (bsc#1124644)
- Adjust gnat manual entries in the info directory. (bsc#1114592)
- Fixed to no longer try linking -lieee with -mieee-fp. (bsc#1084842)
ImportantSUSE bug 1071995SUSE bug 1084842SUSE bug 1114592SUSE bug 1124644SUSE bug 1128794SUSE bug 1129389SUSE bug 1131264SUSE bug 1141897SUSE bug 1142649SUSE bug 1146475SUSE bug 1148517SUSE bug 1149145SUSE bug 1150164SUSE bug 1160086SUSE bug 1161913SUSE bug 1167939SUSE bug 1172798SUSE bug 1178577SUSE bug 1178614SUSE bug 1178624SUSE bug 1178675SUSE bug 1181618SUSE bug 1195517SUSE bug 1196861SUSE bug 1204505SUSE bug 1205145SUSE bug 1214052CVE-2019-14250 at SUSECVE-2019-14250 at NVDCVE-2019-15847 at SUSECVE-2019-15847 at NVDCVE-2020-13844 at SUSECVE-2020-13844 at NVDCVE-2023-4039 at SUSECVE-2023-4039 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libxml2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libxml2 fixes the following issues:
- CVE-2023-29469: Fixed not deterministic hashing of empty dict strings (bsc#1210412).
- CVE-2023-28484: Fixed NULL dereference in xmlSchemaFixupComplexType (bsc#1210411).
- CVE-2023-39615: Fixed crafted xml can cause global buffer overflow (bsc#1214768).
- CVE-2016-3709: Fixed cross-site scripting vulnerability in libxml (bsc#1201978).
ImportantSUSE bug 1201978SUSE bug 1210411SUSE bug 1210412SUSE bug 1214768CVE-2016-3709 at SUSECVE-2016-3709 at NVDCVE-2023-28484 at SUSECVE-2023-28484 at NVDCVE-2023-29469 at SUSECVE-2023-29469 at NVDCVE-2023-39615 at SUSECVE-2023-39615 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for xen (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
- CVE-2022-40982: Fixed x86/Intel Gather Data Sampling (XSA-435) (bsc#1214083).
- CVE-2023-20569: Fixed Speculative Return Stack Overflow (XSA-434) (bsc#1214082).
- CVE-2023-20593: Fixed Zenbleed vulnerability (XSA-433) (bsc#1213616).
ImportantSUSE bug 1213616SUSE bug 1214082SUSE bug 1214083CVE-2022-40982 at SUSECVE-2022-40982 at NVDCVE-2023-20569 at SUSECVE-2023-20569 at NVDCVE-2023-20593 at SUSECVE-2023-20593 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for bluez (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for bluez fixes the following issues:
- CVE-2021-41229: Fixed leaking buffers stored in cstates cache (bsc#1192760).
ModerateSUSE bug 1192760CVE-2021-41229 at SUSECVE-2021-41229 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libcares2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libcares2 fixes the following issues:
- CVE-2020-22217: Fixed an out of bounds read in ares_parse_soa_reply(). (bsc#1214674)
ImportantSUSE bug 1214674CVE-2020-22217 at SUSECVE-2020-22217 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for binutils (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for binutils fixes the following issues:
Update to version 2.41 [jsc#PED-5778]:
* The MIPS port now supports the Sony Interactive Entertainment Allegrex
processor, used with the PlayStation Portable, which implements the MIPS
II ISA along with a single-precision FPU and a few implementation-specific
integer instructions.
* Objdump's --private option can now be used on PE format files to display the
fields in the file header and section headers.
* New versioned release of libsframe: libsframe.so.1. This release introduces
versioned symbols with version node name LIBSFRAME_1.0. This release also
updates the ABI in an incompatible way: this includes removal of
sframe_get_funcdesc_with_addr API, change in the behavior of
sframe_fre_get_ra_offset and sframe_fre_get_fp_offset APIs.
* SFrame Version 2 is now the default (and only) format version supported by
gas, ld, readelf and objdump.
* Add command-line option, --strip-section-headers, to objcopy and strip to
remove ELF section header from ELF file.
* The RISC-V port now supports the following new standard extensions:
- Zicond (conditional zero instructions)
- Zfa (additional floating-point instructions)
- Zvbb, Zvbc, Zvkg, Zvkned, Zvknh[ab], Zvksed, Zvksh, Zvkn, Zvknc, Zvkng,
Zvks, Zvksc, Zvkg, Zvkt (vector crypto instructions)
* The RISC-V port now supports the following vendor-defined extensions:
- XVentanaCondOps
* Add support for Intel FRED, LKGS and AMX-COMPLEX instructions.
* A new .insn directive is recognized by x86 gas.
* Add SME2 support to the AArch64 port.
* The linker now accepts a command line option of --remap-inputs
<PATTERN>=<FILE> to relace any input file that matches <PATTERN> with
<FILE>. In addition the option --remap-inputs-file=<FILE> can be used to
specify a file containing any number of these remapping directives.
* The linker command line option --print-map-locals can be used to include
local symbols in a linker map. (ELF targets only).
* For most ELF based targets, if the --enable-linker-version option is used
then the version of the linker will be inserted as a string into the .comment
section.
* The linker script syntax has a new command for output sections: ASCIZ 'string'
This will insert a zero-terminated string at the current location.
* Add command-line option, -z nosectionheader, to omit ELF section
header.
- Contains fixes for these non-CVEs (not security bugs per upstreams SECURITY.md):
* bsc#1209642 aka CVE-2023-1579 aka PR29988
* bsc#1210297 aka CVE-2023-1972 aka PR30285
* bsc#1210733 aka CVE-2023-2222 aka PR29936
* bsc#1213458 aka CVE-2021-32256 aka PR105039 (gcc)
* bsc#1214565 aka CVE-2020-19726 aka PR26240
* bsc#1214567 aka CVE-2022-35206 aka PR29290
* bsc#1214579 aka CVE-2022-35205 aka PR29289
* bsc#1214580 aka CVE-2022-44840 aka PR29732
* bsc#1214604 aka CVE-2022-45703 aka PR29799
* bsc#1214611 aka CVE-2022-48065 aka PR29925
* bsc#1214619 aka CVE-2022-48064 aka PR29922
* bsc#1214620 aka CVE-2022-48063 aka PR29924
* bsc#1214623 aka CVE-2022-47696 aka PR29677
* bsc#1214624 aka CVE-2022-47695 aka PR29846
* bsc#1214625 aka CVE-2022-47673 aka PR29876
- Fixed a compatibility problem caused by binutils-revert-rela.diff in
SLE codestreams. Needed for update of glibc as that would otherwise pick up
the broken relative relocs support. [bsc#1213282, jsc#PED-1435]
- Document fixed CVEs:
* bsc#1208037 aka CVE-2023-25588 aka PR29677
* bsc#1208038 aka CVE-2023-25587 aka PR29846
* bsc#1208040 aka CVE-2023-25585 aka PR29892
* bsc#1208409 aka CVE-2023-0687 aka PR29444
- Enable bpf-none cross target and add bpf-none to the multitarget
set of supported targets.
- Disable packed-relative-relocs for old codestreams. They generate
buggy relocations when binutils-revert-rela.diff is active.
[bsc#1206556]
- Disable ZSTD debug section compress by default.
- Enable zstd compression algorithm (instead of zlib)
for debug info sections by default.
- Pack libgprofng only for supported platforms.
- Move libgprofng-related libraries to the proper locations (packages).
- Add --without=bootstrap for skipping of bootstrap (faster testing
of the package).
Update to version 2.40:
* Objdump has a new command line option --show-all-symbols which will make it
display all symbols that match a given address when disassembling. (Normally
only the first symbol that matches an address is shown).
* Add --enable-colored-disassembly configure time option to enable colored
disassembly output by default, if the output device is a terminal. Note,
this configure option is disabled by default.
* DCO signed contributions are now accepted.
* objcopy --decompress-debug-sections now supports zstd compressed debug
sections. The new option --compress-debug-sections=zstd compresses debug
sections with zstd.
* addr2line and objdump --dwarf now support zstd compressed debug sections.
* The dlltool program now accepts --deterministic-libraries and
--non-deterministic-libraries as command line options to control whether or
not it generates deterministic output libraries. If neither of these options
are used the default is whatever was set when the binutils were configured.
* readelf and objdump now have a newly added option --sframe which dumps the
SFrame section.
* Add support for Intel RAO-INT instructions.
* Add support for Intel AVX-NE-CONVERT instructions.
* Add support for Intel MSRLIST instructions.
* Add support for Intel WRMSRNS instructions.
* Add support for Intel CMPccXADD instructions.
* Add support for Intel AVX-VNNI-INT8 instructions.
* Add support for Intel AVX-IFMA instructions.
* Add support for Intel PREFETCHI instructions.
* Add support for Intel AMX-FP16 instructions.
* gas now supports --compress-debug-sections=zstd to compress
debug sections with zstd.
* Add --enable-default-compressed-debug-sections-algorithm={zlib,zstd}
that selects the default compression algorithm
for --enable-compressed-debug-sections.
* Add support for various T-Head extensions (XTheadBa, XTheadBb, XTheadBs,
XTheadCmo, XTheadCondMov, XTheadFMemIdx, XTheadFmv, XTheadInt, XTheadMemIdx,
XTheadMemPair, XTheadMac, and XTheadSync) from version 2.0 of the T-Head
ISA manual, which are implemented in the Allwinner D1.
* Add support for the RISC-V Zawrs extension, version 1.0-rc4.
* Add support for Cortex-X1C for Arm.
* New command line option --gsframe to generate SFrame unwind information
on x86_64 and aarch64 targets.
* The linker has a new command line option to suppress the generation of any
warning or error messages. This can be useful when there is a need to create
a known non-working binary. The option is -w or --no-warnings.
* ld now supports zstd compressed debug sections. The new option
--compress-debug-sections=zstd compresses debug sections with zstd.
* Add --enable-default-compressed-debug-sections-algorithm={zlib,zstd}
that selects the default compression algorithm
for --enable-compressed-debug-sections.
* Remove support for -z bndplt (MPX prefix instructions).
- Includes fixes for these CVEs:
* bsc#1206080 aka CVE-2022-4285 aka PR29699
- Enable by default: --enable-colored-disassembly.
- fix build on x86_64_vX platforms
- add arm32 avoid copyreloc patch for PR16177 (bsc#1200962)
ImportantSUSE bug 1200962SUSE bug 1206080SUSE bug 1206556SUSE bug 1208037SUSE bug 1208038SUSE bug 1208040SUSE bug 1208409SUSE bug 1209642SUSE bug 1210297SUSE bug 1210733SUSE bug 1213282SUSE bug 1213458SUSE bug 1214565SUSE bug 1214567SUSE bug 1214579SUSE bug 1214580SUSE bug 1214604SUSE bug 1214611SUSE bug 1214619SUSE bug 1214620SUSE bug 1214623SUSE bug 1214624SUSE bug 1214625CVE-2020-19726 at SUSECVE-2020-19726 at NVDCVE-2021-32256 at SUSECVE-2021-32256 at NVDCVE-2022-35205 at SUSECVE-2022-35205 at NVDCVE-2022-35206 at SUSECVE-2022-35206 at NVDCVE-2022-4285 at SUSECVE-2022-4285 at NVDCVE-2022-44840 at SUSECVE-2022-44840 at NVDCVE-2022-45703 at SUSECVE-2022-45703 at NVDCVE-2022-47673 at SUSECVE-2022-47673 at NVDCVE-2022-47695 at SUSECVE-2022-47695 at NVDCVE-2022-47696 at SUSECVE-2022-47696 at NVDCVE-2022-48063 at SUSECVE-2022-48063 at NVDCVE-2022-48064 at SUSECVE-2022-48064 at NVDCVE-2022-48065 at SUSECVE-2022-48065 at NVDCVE-2023-0687 at SUSECVE-2023-0687 at NVDCVE-2023-1579 at SUSECVE-2023-1579 at NVDCVE-2023-1972 at SUSECVE-2023-1972 at NVDCVE-2023-2222 at SUSECVE-2023-2222 at NVDCVE-2023-25585 at SUSECVE-2023-25585 at NVDCVE-2023-25587 at SUSECVE-2023-25587 at NVDCVE-2023-25588 at SUSECVE-2023-25588 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for mutt (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mutt fixes the following issues:
- CVE-2023-4874: Fixed NULL pointer dereference when composing an email (bsc#1215189).
- CVE-2023-4875: Fixed NULL pointer dereference when receiving an email (bsc#1215191).
ModerateSUSE bug 1215189SUSE bug 1215191CVE-2023-4874 at SUSECVE-2023-4874 at NVDCVE-2023-4875 at SUSECVE-2023-4875 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python fixes the following issues:
- CVE-2023-40217: Fixed TLS handshake bypass on closed sockets (bsc#1214692).
ImportantSUSE bug 1214692CVE-2023-40217 at SUSECVE-2023-40217 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for cups (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for cups fixes the following issues:
- CVE-2023-4504: Fixed heap overflow in OpenPrinting CUPS Postscript Parsing (bsc#1215204).
- CVE-2023-34241: Fixed a use-after-free problem in cupsdAcceptClient() (bsc#1212230).
- CVE-2023-32360: Fixed information leak through Cups-Get-Document operation (bsc#1214254).
ImportantSUSE bug 1212230SUSE bug 1214254SUSE bug 1215204CVE-2023-32360 at SUSECVE-2023-32360 at NVDCVE-2023-34241 at SUSECVE-2023-34241 at NVDCVE-2023-4504 at SUSECVE-2023-4504 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for xrdp (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xrdp fixes the following issues:
- CVE-2023-40184: Fixed restriction bypass via improper session handling (bsc#1214805). ModerateSUSE bug 1214805CVE-2023-40184 at SUSECVE-2023-40184 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for busybox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for busybox fixes the following issues:
- CVE-2022-48174: Fixed stack overflow vulnerability. (bsc#1214538)
ImportantSUSE bug 1214538CVE-2022-48174 at SUSECVE-2022-48174 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for postfix (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postfix fixes the following issues:
Security fixes:
- CVE-2023-32182: Fixed config_postfix SUSE specific script using potentially bad /tmp file (bsc#1211196).
Other fixes:
- postfix: config.postfix causes too tight permission on main.cf (bsc#1215372).
ModerateSUSE bug 1211196SUSE bug 1215372CVE-2023-32182 at SUSECVE-2023-32182 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for exempi (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for exempi fixes the following issues:
- CVE-2020-18651: Fixed a buffer overflow in ID3 support (bsc#1214486).
ModerateSUSE bug 1214486CVE-2020-18651 at SUSECVE-2020-18651 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ImageMagick fixes the following issues:
- CVE-2020-21679: Fixed a buffer overflow in WritePCXImage function in pcx.c which may allow a remote attackers to cause a denial of service. (bsc#1214578)
ModerateSUSE bug 1214578CVE-2020-21679 at SUSECVE-2020-21679 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for djvulibre (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for djvulibre fixes the following issues:
- CVE-2021-46310: Fixed divide by zero in IW44Image.cpp (bsc#1214670).
- CVE-2021-46312: Fixed divide by zero in IW44EncodeCodec.cpp (bsc#1214672).
- CVE-2021-32490: Fixed out of bounds write in function DJVU:filter_bv() via crafted djvu file (bsc#1185895).
ImportantSUSE bug 1185895SUSE bug 1214670SUSE bug 1214672CVE-2021-32490 at SUSECVE-2021-32490 at NVDCVE-2021-46310 at SUSECVE-2021-46310 at NVDCVE-2021-46312 at SUSECVE-2021-46312 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for tomcat (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tomcat fixes the following issues:
- CVE-2023-41080: Fixed URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature (bsc#1214666).
ModerateSUSE bug 1214666CVE-2023-41080 at SUSECVE-2023-41080 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for quagga (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for quagga fixes the following issues:
- CVE-2023-38802: Fixed bad length handling in BGP attribute handling (bsc#1213284).
- CVE-2023-41358: Fixed possible crash when processing NLRIs if the attribute length is zero (bsc#1214735).
ImportantSUSE bug 1213284SUSE bug 1214735CVE-2023-38802 at SUSECVE-2023-38802 at NVDCVE-2023-41358 at SUSECVE-2023-41358 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libwebp (Critical)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libwebp fixes the following issues:
- CVE-2023-4863: Fixed a heap buffer overflow (bsc#1215231).
CriticalSUSE bug 1215231CVE-2023-4863 at SUSECVE-2023-4863 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libpng15 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libpng15 fixes the following issues:
Security issue fixed:
- CVE-2017-12652: Fixed an Input Validation Error related to the length of chunks (bsc#1141493).
ModerateSUSE bug 1141493CVE-2017-12652 at SUSECVE-2017-12652 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Update to Firefox Extended Support Release 115.3.0 ESR (MFSA 2023-42, bsc#1215575):
Security fixes:
- CVE-2023-5168: Out-of-bounds write in FilterNodeD2D1 (bmo#1846683).
- CVE-2023-5169: Out-of-bounds write in PathOps (bmo#1846685).
- CVE-2023-5171: Use-after-free in Ion Compiler (bmo#1851599).
- CVE-2023-5174: Double-free in process spawning on Windows (bmo#1848454).
- CVE-2023-5176: Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3 (bmo#1836353, bmo#1842674, bmo#1843824, bmo#1843962, bmo#1848890, bmo#1850180, bmo#1850983, bmo#1851195).
Other fixes:
- Fix broken build with newer binutils (bsc#1215309)
ImportantSUSE bug 1215309SUSE bug 1215575CVE-2023-5168 at SUSECVE-2023-5168 at NVDCVE-2023-5169 at SUSECVE-2023-5169 at NVDCVE-2023-5171 at SUSECVE-2023-5171 at NVDCVE-2023-5174 at SUSECVE-2023-5174 at NVDCVE-2023-5176 at SUSECVE-2023-5176 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for nghttp2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for nghttp2 fixes the following issues:
- CVE-2023-35945: Fixed memory leak when PUSH_PROMISE or HEADERS frame cannot be sent (bsc#1215713).
ImportantSUSE bug 1215713CVE-2023-35945 at SUSECVE-2023-35945 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for gpg2 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gpg2 fixes the following issues:
- CVE-2018-9234: Fixed unenforced configuration allows for apparently valid certifications actually signed by signing subkeys (bsc#1088255).
ImportantSUSE bug 1088255CVE-2018-9234 at SUSECVE-2018-9234 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for SUSE Manager Client Tools (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update fixes the following issues:
golang-github-lusitaniae-apache_exporter:
- Security issues fixed:
* CVE-2022-32149: Fix denial of service vulnerability (bsc#1204501)
* CVE-2022-41723: Fix uncontrolled resource consumption (bsc#1208270)
* CVE-2022-46146: Fix authentication bypass vulnarability (bsc#1208046)
- Changes and bugs fixed:
* Updated to 1.0.0 (jsc#PED-5405)
+ Improved flag parsing
+ Added support for custom headers
* Changes from 0.13.1
+ Fix panic caused by missing flagConfig options
* Added AppArmor profile
* Added sandboxing options to systemd service unit
* Build using promu
* Build with Go 1.19
* Exclude s390 architecture
golang-github-prometheus-alertmanager:
- CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to 8192 bits to avoid DoSing client/server
while validating signatures for extremely large RSA keys. (bsc#1213880)
There are no direct source changes. The CVE is fixed rebuilding the sources with the patched Go version.
golang-github-prometheus-node_exporter:
- CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to 8192 bits to avoid DoSing client/server
while validating signatures for extremely large RSA keys. (bsc#1213880)
There are no direct source changes. The CVE is fixed rebuilding the sources with the patched Go version.
golang-github-prometheus-prometheus:
- This update introduces breaking changes. Please, read carefully the provided informations.
- Security issues fixed:
* CVE-2022-41723: Fix uncontrolled resource consumption by updating Go to version 1.20.1 (bsc#1208298)
- Updated to 2.45.0 (jsc#PED-5406):
* [FEATURE] API: New limit parameter to limit the number of items returned by `/api/v1/status/tsdb` endpoint
* [FEATURE] Config: Add limits to global config
* [FEATURE] Consul SD: Added support for `path_prefix`
* [FEATURE] Native histograms: Add option to scrape both classic and native histograms.
* [FEATURE] Native histograms: Added support for two more arithmetic operators `avg_over_time` and `sum_over_time`
* [FEATURE] Promtool: When providing the block id, only one block will be loaded and analyzed
* [FEATURE] Remote-write: New Azure ad configuration to support remote writing directly to Azure Monitor workspace
* [FEATURE] TSDB: Samples per chunk are now configurable with flag `storage.tsdb.samples-per-chunk`. By default set
to its former value 120
* [ENHANCEMENT] Native histograms: bucket size can now be limited to avoid scrape fails
* [ENHANCEMENT] TSDB: Dropped series are now deleted from the WAL sooner
* [BUGFIX] Native histograms: ChunkSeries iterator now checks if a new sample can be appended to the open chunk
* [BUGFIX] Native histograms: Fix Histogram Appender `Appendable()` segfault
* [BUGFIX] Native histograms: Fix setting reset header to gauge histograms in seriesToChunkEncoder
* [BUGFIX] TSDB: Tombstone intervals are not modified after Get() call
* [BUGFIX] TSDB: Use path/filepath to set the WAL directory.
- Changes from 2.44.0:
* [FEATURE] Remote-read: Handle native histograms
* [FEATURE] Promtool: Health and readiness check of prometheus server in CLI
* [FEATURE] PromQL: Add `query_samples_total` metric, the total number of samples loaded by all queries
* [ENHANCEMENT] Storage: Optimise buffer used to iterate through samples
* [ENHANCEMENT] Scrape: Reduce memory allocations on target labels
* [ENHANCEMENT] PromQL: Use faster heap method for `topk()` / `bottomk()`
* [ENHANCEMENT] Rules API: Allow filtering by rule name
* [ENHANCEMENT] Native Histograms: Various fixes and improvements
* [ENHANCEMENT] UI: Search of scraping pools is now case-insensitive
* [ENHANCEMENT] TSDB: Add an affirmative log message for successful WAL repair
* [BUGFIX] TSDB: Block compaction failed when shutting down
* [BUGFIX] TSDB: Out-of-order chunks could be ignored if the write-behind log was deleted
- Changes from 2.43.1
* [BUGFIX] Labels: Set() after Del() would be ignored, which broke some relabeling rules
- Changes from 2.43.0:
* [FEATURE] Promtool: Add HTTP client configuration to query commands
* [FEATURE] Scrape: Add `include_scrape_configs` to include scrape configs from different files
* [FEATURE] HTTP client: Add `no_proxy` to exclude URLs from proxied requests
* [FEATURE] HTTP client: Add `proxy_from_enviroment` to read proxies from env variables
* [ENHANCEMENT] API: Add support for setting lookback delta per query via the API
* [ENHANCEMENT] API: Change HTTP status code from 503/422 to 499 if a request is canceled
* [ENHANCEMENT] Scrape: Allow exemplars for all metric types
* [ENHANCEMENT] TSDB: Add metrics for head chunks and WAL folders size
* [ENHANCEMENT] TSDB: Automatically remove incorrect snapshot with index that is ahead of WAL
* [ENHANCEMENT] TSDB: Improve Prometheus parser error outputs to be more comprehensible
* [ENHANCEMENT] UI: Scope `group by` labels to metric in autocompletion
* [BUGFIX] Scrape: Fix `prometheus_target_scrape_pool_target_limit` metric not set before reloading
* [BUGFIX] TSDB: Correctly update `prometheus_tsdb_head_chunks_removed_total` and `prometheus_tsdb_head_chunks`
metrics when reading WAL
* [BUGFIX] TSDB: Use the correct unit (seconds) when recording out-of-order append deltas in the
`prometheus_tsdb_sample_ooo_delta` metric
- Changes from 2.42.0:
This release comes with a new feature coverage for native histograms and breaking changes.
If you are trying native histograms already, we recommend you remove the `wal` directory when upgrading. Because the
old WAL record for native histograms is not backward compatible in v2.42.0, this will lead to some data loss for the
latest data. Additionally, if you scrape 'float histograms' or use recording rules on native histograms in v2.42.0
(which writes float histograms), it is a one-way street since older versions do not support float histograms.
* [CHANGE] **breaking** TSDB: Changed WAL record format for the experimental native histograms
* [FEATURE] Add 'keep_firing_for' field to alerting rules
* [FEATURE] Promtool: Add support of selecting timeseries for TSDB dump
* [ENHANCEMENT] Agent: Native histogram support.
* [ENHANCEMENT] Rules: Support native histograms in recording rules
* [ENHANCEMENT] SD: Add container ID as a meta label for pod targets for Kubernetes
* [ENHANCEMENT] SD: Add VM size label to azure service discovery
* [ENHANCEMENT] Support native histograms in federation
* [ENHANCEMENT] TSDB: Add gauge histogram support
* [ENHANCEMENT] TSDB/Scrape: Support FloatHistogram that represents buckets as float64 values
* [ENHANCEMENT] UI: Show individual scrape pools on /targets page
- Changes from 2.41.0:
* [FEATURE] Relabeling: Add keepequal and dropequal relabel actions
* [FEATURE] Add support for HTTP proxy headers
* [ENHANCEMENT] Reload private certificates when changed on disk
* [ENHANCEMENT] Add max_version to specify maximum TLS version in tls_config
* [ENHANCEMENT] Add goos and goarch labels to prometheus_build_info
* [ENHANCEMENT] SD: Add proxy support for EC2 and LightSail SDs
* [ENHANCEMENT] SD: Add new metric prometheus_sd_file_watcher_errors_total
* [ENHANCEMENT] Remote Read: Use a pool to speed up marshalling
* [ENHANCEMENT] TSDB: Improve handling of tombstoned chunks in iterators
* [ENHANCEMENT] TSDB: Optimize postings offset table reading
* [BUGFIX] Scrape: Validate the metric name, label names, and label values after relabeling
* [BUGFIX] Remote Write receiver and rule manager: Fix error handling
- Changes from 2.40.7:
* [BUGFIX] TSDB: Fix queries involving negative buckets of native histograms
- Changes from 2.40.5:
* [BUGFIX] TSDB: Fix queries involving native histograms due to improper reset of iterators
- Changes from 2.40.3:
* [BUGFIX] TSDB: Fix compaction after a deletion is called
- Changes from 2.40.2:
* [BUGFIX] UI: Fix black-on-black metric name color in dark mode
- Changes from 2.40.1:
* [BUGFIX] TSDB: Fix alignment for atomic int64 for 32 bit architecture
* [BUGFIX] Scrape: Fix accept headers
- Changes from 2.40.0:
* [FEATURE] Add experimental support for native histograms.
Enable with the flag --enable-feature=native-histograms.
* [FEATURE] SD: Add service discovery for OVHcloud
* [ENHANCEMENT] Kubernetes SD: Use protobuf encoding
* [ENHANCEMENT] TSDB: Use golang.org/x/exp/slices for improved sorting speed
* [ENHANCEMENT] Consul SD: Add enterprise admin partitions. Adds __meta_consul_partition label. Adds partition
config in consul_sd_config
* [BUGFIX] API: Fix API error codes for /api/v1/labels and /api/v1/series
- Changes from 2.39.1:
* [BUGFIX] Rules: Fix notifier relabel changing the labels on active alerts
- Changes from 2.39.0:
* [FEATURE] experimental TSDB: Add support for ingesting out-of-order samples. This is configured via
out_of_order_time_window field in the config file; check config file docs for more info
* [ENHANCEMENT] API: /-/healthy and /-/ready API calls now also respond to a HEAD request on top of existing
GET support.
* [ENHANCEMENT] PuppetDB SD: Add __meta_puppetdb_query label.
* [ENHANCEMENT] AWS EC2 SD: Add __meta_ec2_region label.
* [ENHANCEMENT] AWS Lightsail SD: Add __meta_lightsail_region label.
* [ENHANCEMENT] Scrape: Optimise relabeling by re-using memory.
* [ENHANCEMENT] TSDB: Improve WAL replay timings.
* [ENHANCEMENT] TSDB: Optimise memory by not storing unnecessary data in the memory.
* [ENHANCEMENT] TSDB: Allow overlapping blocks by default.
--storage.tsdb.allow-overlapping-blocks now has no effect.
* [ENHANCEMENT] UI: Click to copy label-value pair from query result to clipboard.
* [BUGFIX] TSDB: Turn off isolation for Head compaction to fix a memory leak.
* [BUGFIX] TSDB: Fix 'invalid magic number 0' error on Prometheus startup.
* [BUGFIX] PromQL: Properly close file descriptor when logging unfinished queries.
* [BUGFIX] Agent: Fix validation of flag options and prevent WAL from growing more than desired.
- Changes from 2.38.0:
* [FEATURE]: Web: Add a /api/v1/format_query HTTP API endpoint that allows pretty-formatting PromQL expressions.
* [FEATURE]: UI: Add support for formatting PromQL expressions in the UI.
* [FEATURE]: DNS SD: Support MX records for discovering targets.
* [FEATURE]: Templates: Add toTime() template function that allows converting sample timestamps to
Go time.Time values
* [ENHANCEMENT]: Kubernetes SD: Add
__meta_kubernetes_service_port_number meta label indicating the service port number.
__meta_kubernetes_pod_container_image meta label indicating the container image.
* [ENHANCEMENT]: PromQL: When a query panics, also log the query itself alongside the panic message.
* [ENHANCEMENT]: UI: Tweak colors in the dark theme to improve the contrast ratio.
* [ENHANCEMENT]: Web: Speed up calls to /api/v1/rules by avoiding locks and using atomic types instead.
* [ENHANCEMENT]: Scrape: Add a no-default-scrape-port feature flag, which omits or removes any default HTTP (:80)
or HTTPS (:443) ports in the target's scrape address.
* [BUGFIX]: TSDB: In the WAL watcher metrics, expose the
type='exemplar' label instead of type='unknown' for exemplar records.
* [BUGFIX]: TSDB: Fix race condition around allocating series IDs during chunk snapshot loading.
golang-github-QubitProducts-exporter_exporter:
- CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to 8192 bits to avoid DoSing client/server
while validating signatures for extremely large RSA keys. (bsc#1213880)
There are no direct source changes. The CVE is fixed rebuilding the sources with the patched Go version.
grafana:
- CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to 8192 bits to avoid DoSing client/server
while validating signatures for extremely large RSA keys. (bsc#1213880)
There are no direct source changes. The CVE is fixed rebuilding the sources with the patched Go version.
prometheus-blackbox_exporter:
- CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to 8192 bits to avoid DoSing client/server
while validating signatures for extremely large RSA keys. (bsc#1213880)
There are no direct source changes. The CVE is fixed rebuilding the sources with the patched Go version.
prometheus-postgres_exporter:
- CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to 8192 bits to avoid DoSing client/server
while validating signatures for extremely large RSA keys. (bsc#1213880)
There are no direct source changes. The CVE is fixed rebuilding the sources with the patched Go version.
spacecmd:
- Updated to 4.3.23-1
* Update translation strings
supportutils-plugin-susemanager-client:
- Updated to 4.3.3-1
* Write configured crypto-policy in supportconfig
* Add cloud and Pay-as-you-go checks
uyuni-common-libs:
- Updated to 4.3.9-1
* Workaround for python3-debian bug about collecting control file (bsc#1211525, bsc#1208692)
ImportantSUSE bug 1204501SUSE bug 1208046SUSE bug 1208270SUSE bug 1208298SUSE bug 1208692SUSE bug 1211525SUSE bug 1213880CVE-2022-32149 at SUSECVE-2022-32149 at NVDCVE-2022-41723 at SUSECVE-2022-41723 at NVDCVE-2022-46146 at SUSECVE-2022-46146 at NVDCVE-2023-29409 at SUSECVE-2023-29409 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for xen (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
- CVE-2023-20588: Fixed AMD CPU transitional execution leak via division by zero (XSA-439) (bsc#1215474).
- CVE-2023-34322: Fixed top-level shadow reference dropped too early for 64-bit PV guests (XSA-438) (bsc#1215145).
- CVE-2023-20593: Fixed AMD Zenbleed (XSA-433) (bsc#1213616).
ImportantSUSE bug 1213616SUSE bug 1215145SUSE bug 1215474CVE-2023-20588 at SUSECVE-2023-20588 at NVDCVE-2023-20593 at SUSECVE-2023-20593 at NVDCVE-2023-34322 at SUSECVE-2023-34322 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for postgresql12 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql12 fixes the following issues:
Update to 12.14:
- CVE-2022-41862: Fixed memory leak in libpq (bsc#1208102).
ImportantSUSE bug 1208102CVE-2022-41862 at SUSECVE-2022-41862 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql13 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql13 fixes the following issues:
Update to 13.10:
- CVE-2022-41862: Fixed memory leak in libpq (bsc#1208102).
ImportantSUSE bug 1208102CVE-2022-41862 at SUSECVE-2022-41862 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql14 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql14 fixes the following issues:
Update to 14.7:
- CVE-2022-41862: Fixed memory leak in libpq (bsc#1208102).
ImportantSUSE bug 1208102CVE-2022-41862 at SUSECVE-2022-41862 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql15 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql15 fixes the following issues:
Update to 15.2:
- CVE-2022-41862: Fixed memory leak in libpq (bsc#1208102).
ImportantSUSE bug 1208102CVE-2022-41862 at SUSECVE-2022-41862 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for ghostscript (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ghostscript fixes the following issues:
- CVE-2023-43115: Fixed remote code execution via crafted PostScript documents in gdevijs.c (b
sc#1215466).
ImportantSUSE bug 1215466CVE-2023-43115 at SUSECVE-2023-43115 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3 fixes the following issues:
- CVE-2023-40217: Fixed TLS handshake bypass on closed sockets (bsc#1214692).
- CVE-2023-41105: Fixed input truncation on null bytes in os.path.normpath (bsc#1214693).
ImportantSUSE bug 1214692SUSE bug 1214693CVE-2023-40217 at SUSECVE-2023-40217 at NVDCVE-2023-41105 at SUSECVE-2023-41105 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libvpx (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libvpx fixes the following issues:
- CVE-2023-5217: Fixed a heap buffer overflow (bsc#1215778).
ImportantSUSE bug 1215778CVE-2023-5217 at SUSECVE-2023-5217 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for vim (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for vim fixes the following issues:
Security fixes:
- CVE-2023-4733: Fixed use-after-free in function buflist_altfpos (bsc#1215004).
- CVE-2023-4734: Fixed segmentation fault in function f_fullcommand (bsc#1214925).
- CVE-2023-4735: Fixed out of bounds write in ops.c (bsc#1214924).
- CVE-2023-4738: Fixed heap buffer overflow in vim_regsub_both (bsc#1214922).
- CVE-2023-4752: Fixed heap use-after-free in function ins_compl_get_exp (bsc#1215006).
- CVE-2023-4781: Fixed heap buffer overflow in function vim_regsub_both (bsc#1215033).
Other fixes:
- Calling vim on xterm leads to missing first character of the command prompt (bsc#1211461)
- Rendering corruption in gvim with all 9.x versions (bsc#1210738)
- Updated to version 9.0 with patch level 1894
ImportantSUSE bug 1210738SUSE bug 1211461SUSE bug 1214922SUSE bug 1214924SUSE bug 1214925SUSE bug 1215004SUSE bug 1215006SUSE bug 1215033CVE-2023-4733 at SUSECVE-2023-4733 at NVDCVE-2023-4734 at SUSECVE-2023-4734 at NVDCVE-2023-4735 at SUSECVE-2023-4735 at NVDCVE-2023-4738 at SUSECVE-2023-4738 at NVDCVE-2023-4752 at SUSECVE-2023-4752 at NVDCVE-2023-4781 at SUSECVE-2023-4781 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for python-py (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-py fixes the following issues:
- CVE-2022-42969: Fixed an excessive resource consumption that could
be triggered when interacting with a Subversion repository
containing crated data (bsc#1204364).
This also updates python3-py to version 1.8.1 for SUSE Linux Enterprise Server.
ModerateSUSE bug 1204364CVE-2022-42969 at SUSECVE-2022-42969 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Mozilla Firefox was updated to 115.3.1 ESR, fixing a security issue:
MFSA 2023-44 (bsc#1215814)
* CVE-2023-5217: Fixed heap buffer overflow in libvpx
ImportantSUSE bug 1215814CVE-2023-5217 at SUSECVE-2023-5217 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for python (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python fixes the following issues:
- CVE-2022-48566: Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest. (bsc#1214691)
- CVE-2022-48565: Fixed an XXE in the plistlib module. (bsc#1214685)
ModerateSUSE bug 1214685SUSE bug 1214691CVE-2022-48565 at SUSECVE-2022-48565 at NVDCVE-2022-48566 at SUSECVE-2022-48566 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libXpm (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libXpm fixes the following issues:
- CVE-2023-43788: Fixed an out of bounds read when creating an image
(bsc#1215686).
- CVE-2023-43789: Fixed an out of bounds read when parsing an XPM file
with a corrupted colormap (bsc#1215687).
ModerateSUSE bug 1215686SUSE bug 1215687CVE-2023-43788 at SUSECVE-2023-43788 at NVDCVE-2023-43789 at SUSECVE-2023-43789 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
Update to version 2.38.4 (boo#1207997):
- CVE-2023-23517: Fixed web content processing that could have led to arbitrary code execution.
- CVE-2023-23518: Fixed web content processing that could have led to arbitrary code execution.
- CVE-2023-42826: Fixed a use-after-free issue that was caused by improper memory management.
ImportantSUSE bug 1207997CVE-2022-42826 at SUSECVE-2022-42826 at NVDCVE-2023-23517 at SUSECVE-2023-23517 at NVDCVE-2023-23518 at SUSECVE-2023-23518 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for poppler (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for poppler fixes the following issues:
- CVE-2020-23804: Fixed uncontrolled recursion in pdfinfo and pdftops (bsc#1215422).
- CVE-2020-36024: Fixed NULL Pointer Deference in `FoFiType1C:convertToType1` (bsc#1214257).
- CVE-2022-37050: Fixed denial-of-service via savePageAs in PDFDoc.c (bsc#1214622).
- CVE-2022-37051: Fixed abort in main() in pdfunite.cc (bsc#1214621).
- CVE-2022-38349: Fixed reachable assertion in Object.h that will lead to denial of service (bsc#1214618).
ImportantSUSE bug 1214257SUSE bug 1214618SUSE bug 1214621SUSE bug 1214622SUSE bug 1215422CVE-2020-23804 at SUSECVE-2020-23804 at NVDCVE-2020-36024 at SUSECVE-2020-36024 at NVDCVE-2022-37050 at SUSECVE-2022-37050 at NVDCVE-2022-37051 at SUSECVE-2022-37051 at NVDCVE-2022-38349 at SUSECVE-2022-38349 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libX11 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libX11 fixes the following issues:
- CVE-2023-43786: Fixed stack exhaustion from infinite recursion in PutSubImage() (bsc#1215684).
- CVE-2023-43787: Fixed integer overflow in XCreateImage() leading to a heap overflow (bsc#1215685).
- CVE-2023-43785: Fixed out-of-bounds memory access in _XkbReadKeySyms() (bsc#1215683).
ModerateSUSE bug 1215683SUSE bug 1215684SUSE bug 1215685CVE-2023-43785 at SUSECVE-2023-43785 at NVDCVE-2023-43786 at SUSECVE-2023-43786 at NVDCVE-2023-43787 at SUSECVE-2023-43787 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for bind (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for bind fixes the following issues:
- CVE-2023-3341: Fixed stack exhaustion flaw in control channel code may cause named to terminate unexpectedly (bsc#1215472).
ImportantSUSE bug 1215472CVE-2023-3341 at SUSECVE-2023-3341 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for python-urllib3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-urllib3 fixes the following issues:
- CVE-2023-43804: Fixed a potential cookie leak via HTTP redirect if
the user manually set the corresponding header (bsc#1215968).
ModerateSUSE bug 1215968CVE-2023-43804 at SUSECVE-2023-43804 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for shadow (Low)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for shadow fixes the following issues:
- CVE-2023-4641: Fixed potential password leak (bsc#1214806).
LowSUSE bug 1214806CVE-2023-4641 at SUSECVE-2023-4641 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for samba (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for samba fixes the following issues:
- CVE-2023-4091: Fixed a bug where a client can truncate file with read-only permissions. (bsc#1215904)
ModerateSUSE bug 1215904CVE-2023-4091 at SUSECVE-2023-4091 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ImageMagick (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ImageMagick fixes the following issues:
- CVE-2023-5341: Fixed a heap use-after-free in coders/bmp.c. (bsc#1215939)
ModerateSUSE bug 1215939CVE-2023-5341 at SUSECVE-2023-5341 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python-urllib3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-urllib3 fixes the following issues:
- CVE-2023-43804: Fixed a potential cookie leak via HTTP redirect if the user manually set the corresponding header (bsc#1215968).
ModerateSUSE bug 1215968CVE-2023-43804 at SUSECVE-2023-43804 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for opensc (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for opensc fixes the following issues:
- CVE-2021-42782: Fixed several stack buffer overflows (bsc#1191957).
- CVE-2023-40661: Fixed several memory safety issues that could happen
during the card enrollment process using pkcs15-init (bsc#1215761).
ImportantSUSE bug 1191957SUSE bug 1215761CVE-2021-42782 at SUSECVE-2021-42782 at NVDCVE-2023-40661 at SUSECVE-2023-40661 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for exiv2 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for exiv2 fixes the following issues:
- CVE-2018-19535: Fixed a heap-based buffer over-read which may cause a DoS via a crafted PNG file. (bsc#1117291)
ModerateSUSE bug 1117291CVE-2018-19535 at SUSECVE-2018-19535 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for grub2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for grub2 fixes the following issues:
- CVE-2023-4692: Fixed an out-of-bounds write at fs/ntfs.c which may lead to unsigned code execution. (bsc#1215935)
- CVE-2023-4693: Fixed an out-of-bounds read at fs/ntfs.c which may lead to leak sensitive information. (bsc#1215936)
ImportantSUSE bug 1215935SUSE bug 1215936CVE-2023-4692 at SUSECVE-2023-4692 at NVDCVE-2023-4693 at SUSECVE-2023-4693 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for python-urllib3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-urllib3 fixes the following issues:
- CVE-2018-25091: Fixed a potential leak of the Authorization header during a cross-origin redirect (bsc#1216275).
ModerateSUSE bug 1216275CVE-2018-25091 at SUSECVE-2018-25091 at NVDcpe:/o:suse:sles_teradata:12:sp3Recommended update for stunnel (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for stunnel fixes the following issues:
- Version 5.62 (jsc#SLE-24316, jsc#SLE-20679)
- Add support for OCSP and TLS
- Added a bash completion script.
- Version 5.61
New features:
- Added new 'protocol = capwin' and 'protocol = capwinctrl'
configuration file options.
- Rewritten the testing framework in python.
Bugfixes:
- Fixed reloading configuration with 'systemctl reload stunnel.service'.
- Fixed incorrect messages logged for OpenSSL errors.
- Added hardening to systemd service(s) (bsc#1181400)
- Version 5.60:
New features:
- New 'sessionResume' service-level option to allow
or disallow session resumption
- Added support for the new SSL_set_options() values.
Bugfixes:
- Fixed 'redirect' with 'protocol'. This combination is not supported by 'smtp', 'pop3' and 'imap' protocols.
- ensure proper startup after network
- Version 5.59:
- new feature: Client-side 'protocol = ldap' support
- Fix configuration reload when compression is used
- Fix paths in generated manuals
- run testsuite during package build
- Security fixes: (bsc#1177580, bsc#1182529, CVE-2021-20230)
- 'redirect' option does not properly handle 'verifyChain = yes'
- Version 5.58:
Security bugfixes:
- The 'redirect' option was fixed to properly handle unauthenticated requests. (bsc#1182529)
- Fixed a double free with OpenSSL older than 1.1.0
New features:
- New 'protocolHeader' service-level option to insert custom 'connect' protocol negotiation headers.
This feature can be used to impersonate other software (e.g. web browsers).
- 'protocolHost' can also be used to control the client SMTP protocol negotiation HELO/EHLO value.
- Initial FIPS 3.0 support.
Bugfixes:
- X.509v3 extensions required by modern versions of OpenSSL are added to generated self-signed test certificates.
- Fixed a tiny memory leak in configuration file reload error handling
- FIPS TLS feature is reported when a provider or container is available, and not when FIPS control API is available.
- Do not replace the active config file (bsc#1182376)
- Remove pidfile from service file fixes start bug (bsc#1178533)
- Version 5.57:
Security bugfixes
- The 'redirect' option was fixed to properly handle 'verifyChain = yes' (bsc#1177580)
New features:
- New securityLevel configuration file option.
- Support for modern PostgreSQL clients
- TLS 1.3 configuration updated for better compatibility.
Bugfixes:
- DH/ECDH initialization restored for client sections.
- Delay startup with systemd until network is online.
- A number of testing framework fixes and improvements.
Version 5.56:
- Various text files converted to Markdown format.
- Support for realpath(3) implementations incompatible with POSIX.1-2008, such as 4.4BSD or Solaris.
- Support for engines without PRNG seeding methods
- Retry unsuccessful port binding on configuration file reload.
- Thread safety fixes in SSL_SESSION object handling.
- Terminate clients on exit in the FORK threading model.
- Fixup stunnel.conf handling:
- Remove old static openSUSE provided stunnel.conf
- Use upstream stunnel.conf and tailor it for openSUSE using sed
- Don't show README.openSUSE when installing
- enable /etc/stunnel/conf.d
- re-enable openssl.cnf
- Install the correct file as README.openSUSE (bsc#1150730)
Version 5.55
New features:
- New 'ticketKeySecret' and 'ticketMacSecret' options to control confidentiality
and integrity protection of the issued session tickets.
- Added sslversion, sslversionMin and sslversionMax for OpenSSL 1.1.0 and later.
- Hexadecimal PSK keys are automatically converted to binary.
- Session ticket support (requires OpenSSL 1.1.1 or later). 'connect' address
persistence is currently unsupported with session tickets.
- SMTP HELO before authentication
- New 'curves' option to control the list of elliptic curves in OpenSSL 1.1.0 and later.
- New 'ciphersuites' option to control the list of permitted TLS 1.3 ciphersuites.
- Include file name and line number in OpenSSL errors.
- Compatibility with the current OpenSSL 3.0.0-dev branch.
- Better performance with SSL_set_read_ahead()/SSL_pending().
Bugfixes:
- A number of testing framework fixes and improvements.
- Service threads are terminated before OpenSSL cleanup to prevent occasional stunnel crashes at shutdown.
- Fixed data transfer stalls introduced in stunnel 5.51.
- Fixed a transfer() loop bug introduced in stunnel 5.51.
- Fixed PSKsecrets as a global option
- Fixed a memory allocation bug
- Fixed PSK session resumption with TLS 1.3.
- Fixed a memory leak in the WIN32 logging subsystem.
- Allow for zero value (ignored) TLS options.
- Partially refactored configuration file parsing and logging subsystems for clearer code and minor bugfixes.
Caveats:
- We removed FIPS support from our standard builds. FIPS will still be available with custom builds.
- disabled checks; checks depend on ncat and network accessibility
Version 5.49
- Logging of negotiated or resumed TLS session IDs
- OpenSSL DLLs updated to version 1.0.2p.
- PKCS#11 engine DLL updated to version 0.4.9.
- Fixed a crash in the session persistence implementation.
- Fixed syslog identifier after configuration file reload.
- Fixed non-interactive 'make check' invocations.
- Fixed reloading syslog configuration.
- stunnel.pem created with SHA-256 instead of SHA-1.
- SHA-256 'make check' certificates.
Version 5.48
- Fixed requesting client certificate when specified as a global option.
- Certificate subject checks modified to accept certificates if at least one of the specified checks matches.
Version 5.47
- Fast add_lock_callback for OpenSS. This largely improves performance on heavy load.
- Automatic detection of Homebrew OpenSSL.
- Clarified port binding error logs.
- Various 'make test' improvements.
- Fixed a crash on switching to SNI slave sections.
Version 5.46
- The default cipher list was updated to a safer value: 'HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK'.
- Default accept address restored to INADDR_ANY.
Version 5.45
- Implemented delayed deallocation of service sections after configuration file reload.
- OpenSSL DLLs updated to version 1.0.2o.
- Deprecated the sslversion option.
- The 'socket' option is now also available in service sections.
- Implemented try-restart in the SysV init script
- TLS 1.3 compliant session handling for OpenSSL 1.1.1.
- Default 'failover' value changed from 'rr' to 'prio'.
- A service no longer refuses to start if binding fails for some (but not all) addresses:ports.
- Fixed compression handling with OpenSSL 1.1.0 and later.
- Fixed exception handling in libwrap.
- Fixed exec+connect services.
- Fixed automatic resolver delaying.
- A number of 'make check' framework fixes.
- Fixed false postive memory leak logs.
- Build fixes for OpenSSL versions down to 0.9.7.
- Do not ignore errors from useradd. Ensure nogroup exists beforehand.
Version 5.44
- Default accept address restored to INADDR_ANY
- Fix race condition in 'make check'
- Fix removing the pid file after configuration reload
- includes 5.43
- Allow for multiple 'accept' ports per section
- Self-test framework (make check)
- Added config load before OpenSSL init
- OpenSSL 1.1.1-dev compilation fixes
- Fixed round-robin failover in the FORK threading model
- Fixed handling SSL_ERROR_ZERO_RETURN in SSL_shutdown()
- Minor fixes of the logging subsystem
- OpenSSL DLLs updated to version 1.0.2m
Version 5.42
- New features
- 'redirect' also supports 'exec' and not only 'connect'.
- PKCS#11 engine DLL updated to version 0.4.7.
- Bugfixes
- Fixed premature cron thread initialization causing hangs.
- Fixed 'verifyPeer = yes' on OpenSSL
- Fixed pthreads support on OpenSolaris.
- Require package config for libsystemd to help the configure script
to detect and enable systemd socket activation (bsc#1032557)
- Don't require insserv if we don't use it
- Update rpm group and description and make -doc noarch
- Do not suppress errors from useradd
- Remove redundant %clean section
Version 5.36
- Removed direct zlib dependency.
Version 5.35
- adjust systemd unit file to start after network-online.target
- bugixes:
- Fixed incorrectly enforced client certificate requests.
- Fixed thread safety of the configuration file reopening.
- Only reset the watchdog if some data was actually transferred.
- Fixed logging an incorrect value of the round-robin starting point
- new features:
- Added three new service-level options: requireCert, verifyChain, and
- verifyPeer for fine-grained certificate verification control.
- SNI support also enabled on OpenSSL 0.9.8f and later
- Added support for PKCS #12 (.p12/.pfx) certificates
- New 'socket = a:IPV6_V6ONLY=yes' option to only bind IPv6.
- Added logging the list of client CAs requested by the server.
- Version 5.30
Features
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
- Added OpenSSL autodetection for the recent versions of Xcode.
Bugfixes
- Fixed references to /etc removed from stunnel.init.in.
- Stopped even trying -fstack-protector on unsupported platforms
- Version 5.29
- system script restarts stunnel after a crash
- readd rcstunnel macro for systemd systems
- Fix compatibility issues with older OpenSSL
Version 5.22
- New features
- 'OCSPaia = yes' added to the configuration file templates.
- Improved double free detection.
- Bugfixes
- Fixed a number of OCSP bugs. The most severe of those bugs caused stunnel to
treat OCSP responses that failed OCSP_basic_verify() checks as if they were successful.
- Fixed the passive IPv6 resolver (broken in stunnel 5.21).
- Remove executable bit from sample scripts
Version 5.21
New features:
- Signal names are displayed instead of numbers.
- First resolve IPv4 addresses on passive resolver requests.
More elaborate descriptions were added to the warning about using 'verify = 2' without 'checkHost' or 'checkIP'.
- Performance optimization was performed on the debug code.
Bugfixes:
- Fixed the FORK and UCONTEXT threading support.
- Fixed 'failover=prio' (broken since stunnel 5.15).
- Added a retry when sleep(3) was interrupted by a signal in the cron thread scheduler.
- Version 5.20
New features:
- The SSL library detection algorithm was made a bit smarter.
- Warnings about insecure authentication were modified to include the name of the affected service section.
Bugfixes
- Signal pipe reinitialization added to prevent turning the main accepting
thread into a busy wait loop when an external condition breaks the signal pipe.
This bug was found to surface on Win32, but other platforms may also be
affected.
- Generated temporary DH parameters are used for configuration reload instead
of the static defaults.
- Fixed the manual page headers
Version 5.19
Bugfixes:
- Improved socket error handling.
- Fixed handling of dynamic connect targets.
- Fixed handling of trailing whitespaces in the Content-Length header of the
NTLM authentication.
- Fixed memory leaks in certificate verification.
New features:
- The 'redirect' option was improved to not only redirect sessions established
with an untrusted certificate, but also sessions established without a
client certificate.
- Randomize the initial value of the round-robin counter.
- Added 'include' configuration file option to include all configuration file
parts located in a specified directory.
- Temporary DH parameters are refreshed every 24 hours, unless static DH
parameters were provided in the certificate file.
- Warnings are logged on potentially insecure authentication.
- stunnel.service: Modified to start after network.target, not syslog.target.
Version 5.09
New features:
- Added PSK authentication with two new service-level
configuration file options 'PSKsecrets' and 'PSKidentity'.
- Added additional security checks to the OpenSSL memory management functions.
- Added support for the OPENSSL_NO_OCSP and OPENSSL_NO_ENGINE OpenSSL configuration flags.
- Added compatibility with the current OpenSSL 1.1.0-dev tree.
Bugfixes:
- Removed defective s_poll_error() code occasionally causing
connections to be prematurely closed (truncated).
This bug was introduced in stunnel 4.34.
- Fixed ./configure systemd detection
- Fixed ./configure sysroot detection
- Fixed compilation against old versions of OpenSSL.
- Removed outdated French manual page.
Version 5.08
New features:
- Added SOCKS4/SOCKS4a protocol support.
- Added SOCKS5 protocol support.
- Added SOCKS RESOLVE [F0] TOR extension support.
- Updated automake to version 1.14.1.
- OpenSSL directory searching is now relative to the sysroot.
- Several SMTP server protocol negotiation improvements.
- Added UTF-8 byte order marks to stunnel.conf templates.
- DH parameters are no longer generated by 'make cert'.
The hardcoded DH parameters are sufficiently secure,
and modern TLS implementations will use ECDH anyway.
- Updated manual for the 'options' configuration file option.
- Added support for systemd 209 or later.
- New --disable-systemd ./configure option.
- setuid/setgid commented out in stunnel.conf-sample.
Bugfixes
- Added support for UTF-8 byte order mark in stunnel.conf.
- Compilation fix for OpenSSL with disabled SSLv2 or SSLv3.
- Non-blocking mode set on inetd and systemd descriptors.
- shfolder.h replaced with shlobj.h for compatibility
with modern Microsoft compilers.
Version 5.06
Security bugfixes
- OpenSSL DLLs updated to version 1.0.1j.
https://www.openssl.org/news/secadv_20141015.txt
- The insecure SSLv2 protocol is now disabled by default.
It can be enabled with 'options = -NO_SSLv2'.
- The insecure SSLv3 protocol is now disabled by default.
It can be enabled with 'options = -NO_SSLv3'.
- Default sslversion changed to 'all' (also in FIPS mode)
to autonegotiate the highest supported TLS version.
New features
- Added missing SSL options to match OpenSSL 1.0.1j.
- New '-options' commandline option to display the list
of supported SSL options.
Bugfixes:
- Fixed FORK threading build regression bug.
- Fixed missing periodic Win32 GUI log updates.
Version 5.05
New features:
- Asynchronous communication with the GUI thread for faster
logging on Win32.
- systemd socket activation
- The parameter of 'options' can now be prefixed with '-'
to clear an SSL option, for example:
'options = -LEGACY_SERVER_CONNECT'.
- Improved 'transparent = destination' manual page
* Bugfixes
- A number of minor Win32 GUI bugfixes and improvements.
- Merged most of the Windows CE patches
Version 5.04
* New features
- Support for local mode ('exec' option) on Win32.
- Support for UTF-8 config file and log file.
- Support for Unicode file names on Win32.
- TCP/IP dependency added for NT service in order to prevent
initialization failure at boot time.
- FIPS canister updated to version 2.0.8 in the Win32 binary
build.
* Bugfixes
- load_icon_default() modified to return copies of default icons
instead of the original resources to prevent the resources
from being destroyed.
- Missing REMOTE_PORT environmental variable is provided to
processes spawned with 'exec' on Unix platforms.
- Taskbar icon is no longer disabled for NT service.
- Fixed taskbar icon initialization when commandline options are
specified.
- A number of minor Win32 GUI bugfixes and improvements.
Version 5.03
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.1i.
See https://www.openssl.org/news/secadv_20140806.txt
* New features
- FIPS autoconfiguration cleanup.
- FIPS canister updated to version 2.0.6.
- Improved SNI diagnostic logging.
* Bugfixes
- Compilation fixes for old versions of OpenSSL.
- Fixed whitespace handling in the stunnel.init script.
Version 5.02
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.1h.
See https://www.openssl.org/news/secadv_20140605.txt
* New features
- Major rewrite of the protocol.c interface: it is now possible to add
protocol negotiations at multiple connection phases, protocols can
individually decide whether the remote connection will be
established before or after SSL/TLS is negotiated.
- Heap memory blocks are wiped before release. This only works for
block allocated by stunnel, and not by OpenSSL or other libraries.
- Updated the stunnel.conf and stunnel.init templates.
- Added a client-mode example to the manual.
* Bugfixes
- Fixed 'failover = rr' broken since version 5.00.
- Fixed 'taskbar = no' broken since version 5.00.
- Compilation fix for missing SSL_OP_MSIE_SSLV2_RSA_PADDING option.
Version 5.01:
Security bugfixes
- OpenSSL DLLs updated to version 1.0.1g. This version mitigates TLS heartbeat read overrun (CVE-2014-0160).
New features
- X.509 extensions added to the created self-signed stunnel.pem.
- 'FIPS = no' also allowed in non-FIPS builds of stunnel.
- Search all certificates with the same subject name for a matching public key rather than only the first one
- Create logs in the local application data folder if stunnel folder is not writable on Win32.
Bugfixes
- close_notify not sent when SSL still has some data buffered.
- Protocol negotiation with server-side SNI fixed.
- A Mac OS X missing symbols fixed.
- Win32 configuration file reload crash fixed.
- Added s_pool_free() on exec+connect service retires.
- Line-buffering enforced on stderr output.
- re-add openssl cert conf file stunnel.cnf dropped by oversight.
Version 4.56
CVE-2013-1762, bsc#807440)
- 'session' option renamed to more readable 'sessionCacheTimeout'.
The old name remains accepted for backward compatibility.
- New service-level 'sessionCacheSize' option to control session cache size.
- New service-level option 'reset' to control whether TCP RST flag is used to
indicate errors. The default value is 'reset = yes'.
- New service-level option 'renegotiation' to disable SSL renegotiation.
- Added client-mode 'sni' option to directly control the value of TLS Server
Name Indication (RFC 3546) extension.
- Glibc-specific dynamic allocation tuning was applied to help unused memory deallocation.
- Non-blocking OCSP implementation.
- New 'compression = deflate' global option to enable RFC 2246 compresion.
- correct configure option to enable libwrap support
- Fix background operation to really go into background (stunnel-daemonize.diff)
Version 4.53
- Usage of uninitialized variables fixed in exec+connect services.
- Fixed handling of a rare inetd mode use case, where either stdin
or stdout is a socket, but not both of them at the same time.
- Fixed crash on termination with FORK threading model.
- Fixed missing file descriptors passed to local mode processes.
Version 4.49
- A bug was fixed causing crashes on MacOS X and some other platforms.
Additional changes from 4.48
- FIPS support on Win32 platform added. OpenSSL 0.9.8r DLLs
based on FIPS 1.2.3 canister are included with this version of
stunnel. FIPS mode can be disabled with 'fips = no' configuration file option.
- Fixed canary initialization problem on Win32 platform.
- pass the path to the config file to the binary in the init
script: without this the init script does not work for me.
Version 4.47
Internal improvements
- CVE-2010-3864 workaround improved to check runtime version of
- Encoding of man page sources changed to UTF-8.
Bugfixes:
- Logging was modified to save and restore system error codes.
- Option 'service' was restricted to Unix, as since stunnel
4.42 it wasn't doing anything useful on Windows platform.
Version 4.46
New features:
- Added Unix socket support (e.g. 'connect =
/var/run/stunnel/socket').
Added 'verify = 4' mode to ignore CA chain and only verify peer certificate.
- Removed the limit of 16 IP addresses for a single 'connect' option.
- Removed the limit of 256 stunnel.conf sections in PTHREAD
threading model. It is still not possible have more than 63
sections on WIN32 platform.
Optimizations:
- Reduced per-connection memory usage.
- Performed a major refactoring of internal data structures. Extensive
internal testing was performed, but some regression bugs are expected.
Bugfixes:
- Fixed WIN32 compilation with Mingw32.
- Fixed non-blocking API emulation layer in UCONTEXT threading model.
- Fixed signal handling in UCONTEXT threading model.
Version 4.45
New features:
- 'protocol = proxy' support to send original client IP address to haproxy:
http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt
This requires accept-proxy bind option of haproxy 1.5-dev3 or later.
- Added Win32 configuration reload without a valid configuration loaded.
- Added compatibility with LTS OpenSSL versions 0.9.6 and 0.9.7.
Some features are only available in OpenSSL 1.0.0 and later.
Performance optimizations:
- Use SSL_MODE_RELEASE_BUFFERS if supported by the OpenSSL library.
- Libwrap helper processes are no longer started if libwrap is disabled
in all sections of the configuration file.
Internal improvements:
- Protocol negotiation framework was rewritten to support
additional code to be executed after
SSL_accept()/SSL_connect().
- Handling of memory allocation errors was rewritten to
gracefully terminate the process
Bugfixes:
- Fixed -l option handling in stunnel3 script
- Script to build default stunnel.pem was fixed
- MinGW compilation script (mingw.mak) was fixed
- MSVC compilation script (vc.mak) was fixed.
- A number of problems in WINSOCK error handling were fixed.
Version 4.43
New features:
- Major optimization of the logging subsystem.
Bugfixes'
- Fixed FORK and UCONTEXT threading models.
Version 4.42
New features
- New verify level 0 to request and ignore peer certificate.
- Manual page has been updated.
Bugfixes:
- Fixed a heap corruption vulnerability in versions 4.40 and 4.41.
- correct path in stunnel3 (bsc#710879)
Version 4.40
New features:
- Hardcoded 2048-bit DH parameters are used as a fallback if DH
parameters are not provided in stunnel.pem.
- Default ECDH curve updated to 'prime256v1'.
- Removed support for temporary RSA keys (used in obsolete export ciphers).
- Version 4.38
New features:
- Server-side SNI implemented (RFC 3546 section 3.1) with a new
service-level option 'nsi'.
- 'socket' option also accepts 'yes' and 'no' for flags.
- Nagle's algorithm is now disabled by default for improved
interactivity.
Bugfixes:
- A compilation fix was added for OpenSSL
- Signal pipe set to non-blocking mode. This bug caused hangs
of stunnel features based on signals, e.g. local mode, FORK
threading, or configuration file reload on Unix.
- disable the previous two patches for the time being
- create debug packages
- fix ucontext handling (backport from v4.37)
- fix non-blocking socket handling (backport from v4.37)
- explicitly enable libwrap in configure call
New features:
- Dynamic memory management for strings manipulation: no more static
STRLEN limit, lower stack footprint.
- Strict public key comparison added for 'verify = 3' certificate checking mode
- Backlog parameter of listen(2) changed from 5 to SOMAXCONN: improved behavior on heavy load.
Old behavior can be restored with 'listenqueue = 5' in stunnel.conf
Bugfixes:
- Missing pthread_attr_destroy() added to fix memory leak
- Version 4.35
New features:
- Updated Win32 DLLs for OpenSSL 1.0.0c.
- Transparent source (non-local bind) added for FreeBSD 8.x.
- Transparent destination ('transparent = destination') added for Linux.
Bugfixes:
- Fixed reload of FIPS-enabled stunnel.
- Compiler options are now auto-detected by ./configure script
in order to support obsolete versions of gcc.
- Async-signal-unsafe s_log() removed from SIGTERM/SIGQUIT/SIGINT handler.
This issue may have security implications on some deployments.
- Directory lib64 included in the OpenSSL library search path.
- Windows CE compilation fixes
- Domain name changes
- http://stunnel.mirt.net/ http://www.stunnel.org/
- ftp://stunnel.mirt.net/ http://ftp.stunnel.org/
- stunnel.mirt.net::stunnel rsync.stunnel.org::stunnel
- stunnel-users@mirt.net stunnel-users@stunnel.org
- stunnel-announce@mirt.net stunnel-announce@stunnel.org
- Version 4.34:
- Added ECC support with a new service-level 'curve' option.
- DH support is now enabled by default.
- Added support for OpenSSL builds with some algorithms disabled.
- ./configure modified to support cross-compilation.
- Implemented fixes in user interface to enter engine PIN.
- Fixed a transfer() loop issue on socket errors.
- Fixed missing WIN32 taskbar icon while displaying a global option error.
- Inetd mode fixed.
- New service-level 'libwrap' option for run-time control whether
/etc/hosts.allow and /etc/hosts.deny are used for access control.
Disabling libwrap significantly increases performance of stunnel.
- Win32 DLLs for OpenSSL 0.9.8m.
- Fixed a transfer() loop issue with SSLv2 connections.
- Fixed a 'setsockopt IP_TRANSPARENT' warning with 'local' option.
- Logging subsystem bugfixes and cleanup.
- Installer bugfixes for Vista and later versions of Windows.
- FIPS mode can be enabled/disabled at runtime.
- Log file reopen on USR1 signal was added.
- Some regression issues introduced in 4.30 were fixed.
- Graceful configuration reload with HUP signal on Unix
and with GUI on Windows.
- A serious bug in asynchronous shutdown code fixed.
- Data alignment updated in libwrap.c.
- Polish manual encoding fixed.
- Notes on compression implementation in OpenSSL added to the manual.
- bugfixes for 4.28
Bugfixes:
- 'execargs' defaults to the 'exec' parameter
- Version 4.27:
New features:
- Win32 DLLs for OpenSSL 0.9.8l.
- Transparent proxy support on Linux kernels >=2.6.28. See the manual for details.
- New socket options to control TCP keepalive on Linux: TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL.
- SSL options updated for the recent version of OpenSSL library.
Bugfixes:
- A serious bug in asynchronous shutdown code fixed.
- Data alignment updated in libwrap.c.
- Polish manual encoding fixed.
- Notes on compression implementation in OpenSSL added to the manual. ImportantSUSE bug 1032557SUSE bug 1069468SUSE bug 1150730SUSE bug 1177580SUSE bug 1178533SUSE bug 1181400SUSE bug 1182376SUSE bug 1182529SUSE bug 674554SUSE bug 710879SUSE bug 807440CVE-2010-3864 at SUSECVE-2010-3864 at NVDCVE-2011-2940 at SUSECVE-2011-2940 at NVDCVE-2013-1762 at SUSECVE-2013-1762 at NVDCVE-2014-0160 at SUSECVE-2014-0160 at NVDCVE-2015-3644 at SUSECVE-2015-3644 at NVDCVE-2021-20230 at SUSECVE-2021-20230 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for zlib (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for zlib fixes the following issues:
- CVE-2023-45853: Fixed an integer overflow that would lead to a
buffer overflow in the minizip subcomponent (bsc#1216378).
ModerateSUSE bug 1216378CVE-2023-45853 at SUSECVE-2023-45853 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for fwupdate (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update of fwupdate fixes the following issues:
- rebuild the package with the new secure boot key (bsc#1209188).
ModerateSUSE bug 1209188cpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for xen (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
- CVE-2023-34323: Fixed a potential crash in C Xenstored due to an
incorrect assertion (XSA-440) (bsc#1215744).
- CVE-2023-34326: Fixed a missing IOMMU TLB flush on x86 AMD systems
with IOMMU hardware and PCI passthrough enabled (XSA-442)
(bsc#1215746).
- CVE-2023-34325: Fixed multiple parsing issues in libfsimage
(XSA-443) (bsc#1215747).
- CVE-2023-34327, CVE-2023-34328: Fixed multiple issues with AMD x86
debugging functionality for guests (XSA-444) (bsc#1215748).
ImportantSUSE bug 1215744SUSE bug 1215746SUSE bug 1215747SUSE bug 1215748CVE-2023-34323 at SUSECVE-2023-34323 at NVDCVE-2023-34325 at SUSECVE-2023-34325 at NVDCVE-2023-34326 at SUSECVE-2023-34326 at NVDCVE-2023-34327 at SUSECVE-2023-34327 at NVDCVE-2023-34328 at SUSECVE-2023-34328 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for nghttp2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for nghttp2 fixes the following issues:
- CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack. (bsc#1216174)
ImportantSUSE bug 1216123SUSE bug 1216174CVE-2023-44487 at SUSECVE-2023-44487 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
- CVE-2023-41993: Fixed an issue where processing malicious web
content could have lead to arbitrary code execution (bsc#1215661).
- CVE-2023-39928: Fixed a use-after-free that could be exploited to
execute arbitrary code when visiting a malicious webpage
(bsc#1215868).
- CVE-2023-41074: Fixed an issue where processing malicious web
content could have lead to arbitrary code execution (bsc#1215870).
Non-security fixes:
- Fixed missing package dependencies (bsc#1215072).
ImportantSUSE bug 1213379SUSE bug 1213581SUSE bug 1213905SUSE bug 1215072SUSE bug 1215661SUSE bug 1215866SUSE bug 1215867SUSE bug 1215868SUSE bug 1215869SUSE bug 1215870SUSE bug 1216483CVE-2023-32393 at SUSECVE-2023-32393 at NVDCVE-2023-35074 at SUSECVE-2023-35074 at NVDCVE-2023-37450 at SUSECVE-2023-37450 at NVDCVE-2023-39434 at SUSECVE-2023-39434 at NVDCVE-2023-39928 at SUSECVE-2023-39928 at NVDCVE-2023-40451 at SUSECVE-2023-40451 at NVDCVE-2023-41074 at SUSECVE-2023-41074 at NVDCVE-2023-41993 at SUSECVE-2023-41993 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for ImageMagick (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ImageMagick fixes the following issues:
- CVE-2022-44267: Fixed a denial of service when parsing a PNG image (bsc#1207982).
- CVE-2022-44268: Fixed arbitrary file disclosure when parsing a PNG image (bsc#1207983).
ImportantSUSE bug 1207982SUSE bug 1207983CVE-2022-44267 at SUSECVE-2022-44267 at NVDCVE-2022-44268 at SUSECVE-2022-44268 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
- Updated to version 115.4.0 ESR (bsc#1216338).
- CVE-2023-5721: Fixed a potential clickjack via queued up
rendering.
- CVE-2023-5722: Fixed a cross-Origin size and header leakage.
- CVE-2023-5723: Fixed unexpected errors when handling invalid
cookie characters.
- CVE-2023-5724: Fixed a crash due to a large WebGL draw.
- CVE-2023-5725: Fixed an issue where WebExtensions could open
arbitrary URLs.
- CVE-2023-5726: Fixed an issue where fullscreen notifications would
be obscured by file the open dialog on macOS.
- CVE-2023-5727: Fixed a download protection bypass on on Windows.
- CVE-2023-5728: Fixed a crash caused by improper object tracking
during GC in the JavaScript engine.
- CVE-2023-5729: Fixed an issue where fullscreen notifications would
be obscured by WebAuthn prompts.
- CVE-2023-5730: Fixed multiple memory safety issues.
- CVE-2023-5731: Fixed multiple memory safety issues.
ImportantSUSE bug 1216338CVE-2023-5721 at SUSECVE-2023-5721 at NVDCVE-2023-5722 at SUSECVE-2023-5722 at NVDCVE-2023-5723 at SUSECVE-2023-5723 at NVDCVE-2023-5724 at SUSECVE-2023-5724 at NVDCVE-2023-5725 at SUSECVE-2023-5725 at NVDCVE-2023-5726 at SUSECVE-2023-5726 at NVDCVE-2023-5727 at SUSECVE-2023-5727 at NVDCVE-2023-5728 at SUSECVE-2023-5728 at NVDCVE-2023-5729 at SUSECVE-2023-5729 at NVDCVE-2023-5730 at SUSECVE-2023-5730 at NVDCVE-2023-5731 at SUSECVE-2023-5731 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for vorbis-tools (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for vorbis-tools fixes the following issues:
- CVE-2023-43361: Fixed a buffer overflow vulnerability during the conversion of wav files to ogg files. (bsc#1215942)
ImportantSUSE bug 1215942CVE-2023-43361 at SUSECVE-2023-43361 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for python-urllib3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-urllib3 fixes the following issues:
- CVE-2023-45803: Fix a request body leak that could occur when
receiving a 303 HTTP response (bsc#1216377).
ModerateSUSE bug 1216377CVE-2023-45803 at SUSECVE-2023-45803 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for git (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for git fixes the following issues:
- CVE-2023-22490: Fixed incorrectly usable local clone optimization even when using a non-local transport (bsc#1208027).
- CVE-2023-23946: Fixed issue where a path outside the working tree can be overwritten as the user who is running 'git apply' (bsc#1208028).
ImportantSUSE bug 1208027SUSE bug 1208028CVE-2023-22490 at SUSECVE-2023-22490 at NVDCVE-2023-23946 at SUSECVE-2023-23946 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for clamav (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for clamav fixes the following issues:
- Updated to version 0.103.11:
- CVE-2023-40477: Updated libclamunrar dependency to version 6.2.12
(bsc#1216625).
ImportantSUSE bug 1216625CVE-2023-40477 at SUSECVE-2023-40477 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libsndfile (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libsndfile fixes the following issues:
- CVE-2022-33065: Fixed an integer overflow that could cause memory
safety issues when reading a MAT4 file (bsc#1213451).
ImportantSUSE bug 1213451CVE-2022-33065 at SUSECVE-2022-33065 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for tomcat (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tomcat fixes the following issues:
- CVE-2023-42795: Fixed a potential information leak due to insufficient cleanup. (bsc#1216119)
ImportantSUSE bug 1216119CVE-2023-42795 at SUSECVE-2023-42795 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for apache2 fixes the following issues:
- CVE-2023-31122: Fixed an out of bounds read in mod_macro (bsc#1216424).
Non-security fixes:
- Fixed the content type handling in mod_proxy_http2 (bsc#1214357).
ImportantSUSE bug 1214357SUSE bug 1216424CVE-2023-31122 at SUSECVE-2023-31122 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for poppler (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for poppler fixes the following issues:
- CVE-2019-9545: Fixed a potential crash due to uncontrolled recursion
in the JBIG parser (bsc#1128114).
- CVE-2019-9631: Fixed an out of bounds read when converting a PDF to
an image (bsc#1129202).
- CVE-2022-37052: Fixed a reachable assertion when extracting pages of
a PDf file (bsc#1214726).
- CVE-2020-36023: Fixed a stack bugger overflow in
FoFiType1C:cvtGlyph (bsc#1214256).
- CVE-2019-13287: Fixed an out-of-bounds read vulnerability in the
function SplashXPath:strokeAdjust (bsc#1140745).
- CVE-2018-18456: Fixed a stack-based buffer over-read via a crafted
pdf file (bsc#1112428).
- CVE-2018-18454: Fixed heap-based buffer over-read via a crafted pdf
file (bsc#1112424).
- CVE-2019-14292: Fixed an out of bounds read in GfxState.cc
(bsc#1143570).
- CVE-2022-48545: Fixed an infinite recursion in
Catalog::findDestInTree which can cause denial of service
(bsc#1214723).
ModerateSUSE bug 1112424SUSE bug 1112428SUSE bug 1128114SUSE bug 1129202SUSE bug 1140745SUSE bug 1143570SUSE bug 1214256SUSE bug 1214723SUSE bug 1214726CVE-2018-18454 at SUSECVE-2018-18454 at NVDCVE-2018-18456 at SUSECVE-2018-18456 at NVDCVE-2019-13287 at SUSECVE-2019-13287 at NVDCVE-2019-14292 at SUSECVE-2019-14292 at NVDCVE-2019-9545 at SUSECVE-2019-9545 at NVDCVE-2019-9631 at SUSECVE-2019-9631 at NVDCVE-2020-36023 at SUSECVE-2020-36023 at NVDCVE-2022-37052 at SUSECVE-2022-37052 at NVDCVE-2022-48545 at SUSECVE-2022-48545 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gstreamer-plugins-bad (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gstreamer-plugins-bad fixes the following issues:
- CVE-2023-40474: Fixed a remote code execution issue due to improper parsing of H265 encoded video files (bsc#1215793).
ImportantSUSE bug 1215793CVE-2023-40474 at SUSECVE-2023-40474 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for java-1_8_0-openjdk (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-openjdk fixes the following issues:
Updated to version jdk8u362 (icedtea-3.26.0):
- CVE-2023-21830: Fixed improper restrictions in CORBA deserialization (bsc#1207249).
- CVE-2023-21843: Fixed soundbank URL remote loading (bsc#1207248).
ModerateSUSE bug 1207248SUSE bug 1207249CVE-2023-21830 at SUSECVE-2023-21830 at NVDCVE-2023-21843 at SUSECVE-2023-21843 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for tiff (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tiff fixes the following issues:
- CVE-2023-38289: Fixed a NULL pointer dereference in raw2tiff
(bsc#1213589).
- CVE-2023-38288: Fixed an integer overflow in raw2tiff (bsc#1213590).
- CVE-2023-3576: Fixed a memory leak in tiffcrop (bsc#1213273).
- CVE-2020-18768: Fixed an out of bounds read in tiffcp (bsc#1214574).
- CVE-2023-26966: Fixed an out of bounds read when transforming a
little-endian file to a big-endian output (bsc#1212881)
- CVE-2023-3618: Fixed a NULL pointer dereference while encoding FAX3
files (bsc#1213274).
- CVE-2023-2908: Fixed an undefined behavior issue when doing pointer
arithmetic on a NULL pointer (bsc#1212888).
- CVE-2023-3316: Fixed a NULL pointer dereference while opening a file
in an inaccessible path (bsc#1212535).
- CVE-2023-25433: Fixed a buffer overflow in tiffcrop (bsc#1212883).
ModerateSUSE bug 1212535SUSE bug 1212881SUSE bug 1212883SUSE bug 1212888SUSE bug 1213273SUSE bug 1213274SUSE bug 1213589SUSE bug 1213590SUSE bug 1214574CVE-2020-18768 at SUSECVE-2020-18768 at NVDCVE-2023-25433 at SUSECVE-2023-25433 at NVDCVE-2023-26966 at SUSECVE-2023-26966 at NVDCVE-2023-2908 at SUSECVE-2023-2908 at NVDCVE-2023-3316 at SUSECVE-2023-3316 at NVDCVE-2023-3576 at SUSECVE-2023-3576 at NVDCVE-2023-3618 at SUSECVE-2023-3618 at NVDCVE-2023-38288 at SUSECVE-2023-38288 at NVDCVE-2023-38289 at SUSECVE-2023-38289 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for squid (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for squid fixes the following issues:
- CVE-2023-46846: Request/Response smuggling in HTTP/1.1 and ICAP (bsc#1216500).
- CVE-2023-46847: Denial of Service in HTTP Digest Authentication (bsc#1216495).
- CVE-2023-46724: Fix validation of certificates with CN=* (bsc#1216803).
- CVE-2023-46848: Denial of Service in FTP (bsc#1216498).
ImportantSUSE bug 1216495SUSE bug 1216498SUSE bug 1216500SUSE bug 1216803CVE-2023-46724 at SUSECVE-2023-46724 at NVDCVE-2023-46846 at SUSECVE-2023-46846 at NVDCVE-2023-46847 at SUSECVE-2023-46847 at NVDCVE-2023-46848 at SUSECVE-2023-46848 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tar (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tar fixes the following issues:
- CVE-2022-48303: Fixed a one-byte out-of-bounds read that resulted in use of uninitialized memory for a conditional jump (bsc#1207753).
ModerateSUSE bug 1207753CVE-2022-48303 at SUSECVE-2022-48303 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql14 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql14 fixes the following issues:
Security issues fixed:
* CVE-2023-5868: Fix handling of unknown-type
arguments in DISTINCT 'any' aggregate functions. This error led
to a text-type value being interpreted as an unknown-type value
(that is, a zero-terminated string) at runtime. This could
result in disclosure of server memory following the text value. (bsc#1216962)
* CVE-2023-5869: Detect integer overflow while
computing new array dimensions. When assigning new elements to
array subscripts that are outside the current array bounds, an
undetected integer overflow could occur in edge cases. Memory
stomps that are potentially exploitable for arbitrary code
execution are possible, and so is disclosure of server memory. (bsc#1216961)
* CVE-2023-5870: Prevent the pg_signal_backend role
from signalling background workers and autovacuum processes.
The documentation says that pg_signal_backend cannot issue
signals to superuser-owned processes. It was able to signal
these background processes, though, because they advertise a
role OID of zero. Treat that as indicating superuser ownership.
The security implications of cancelling one of these process
types are fairly small so far as the core code goes (we'll just
start another one), but extensions might add background workers
that are more vulnerable.
Also ensure that the is_superuser parameter is set correctly in
such processes. No specific security consequences are known for
that oversight, but it might be significant for some extensions.
(bsc#1216960)
- updated to 14.10 https://www.postgresql.org/docs/14/release-14-10.html
- Overhaul postgresql-README.SUSE and move it from the binary
package to the noarch wrapper package.
- Change the unix domain socket location from /var/run to /run.
ImportantSUSE bug 1216022SUSE bug 1216734SUSE bug 1216960SUSE bug 1216961SUSE bug 1216962CVE-2023-5868 at SUSECVE-2023-5868 at NVDCVE-2023-5869 at SUSECVE-2023-5869 at NVDCVE-2023-5870 at SUSECVE-2023-5870 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for squashfs (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for squashfs fixes the following issues:
- CVE-2015-4645,CVE-2015-4646: Multiple buffer overflows fixed in squashfs-tools (bsc#935380)
- CVE-2021-40153: Fixed an issue where an attacker might have been
able to write a file outside of destination (bsc#1189936)
- CVE-2021-41072: Fixed an issue where an attacker might have been
able to write a file outside the destination directory via a
symlink (bsc#1190531).
ImportantSUSE bug 1133284SUSE bug 1160294SUSE bug 1189936SUSE bug 1190531SUSE bug 935380CVE-2015-4645 at SUSECVE-2015-4645 at NVDCVE-2015-4646 at SUSECVE-2015-4646 at NVDCVE-2021-40153 at SUSECVE-2021-40153 at NVDCVE-2021-41072 at SUSECVE-2021-41072 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for postgresql, postgresql15, postgresql16 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql, postgresql15, postgresql16 fixes the following issues:
This update ships postgresql 16 (jsc#PED-5586).
Security issues fixed:
* CVE-2023-5868: Fix handling of unknown-type
arguments in DISTINCT 'any' aggregate functions. This error led
to a text-type value being interpreted as an unknown-type value
(that is, a zero-terminated string) at runtime. This could
result in disclosure of server memory following the text value. (bsc#1216962)
* CVE-2023-5869: Detect integer overflow while
computing new array dimensions. When assigning new elements to
array subscripts that are outside the current array bounds, an
undetected integer overflow could occur in edge cases. Memory
stomps that are potentially exploitable for arbitrary code
execution are possible, and so is disclosure of server memory. (bsc#1216961)
* CVE-2023-5870: Prevent the pg_signal_backend role
from signalling background workers and autovacuum processes.
The documentation says that pg_signal_backend cannot issue
signals to superuser-owned processes. It was able to signal
these background processes, though, because they advertise a
role OID of zero. Treat that as indicating superuser ownership.
The security implications of cancelling one of these process
types are fairly small so far as the core code goes (we'll just
start another one), but extensions might add background workers
that are more vulnerable.
Also ensure that the is_superuser parameter is set correctly in
such processes. No specific security consequences are known for
that oversight, but it might be significant for some extensions.
(bsc#1216960)
Changes in postgresql16:
- Upgrade to 16.1:
* https://www.postgresql.org/about/news/2715
* https://www.postgresql.org/docs/16/release-16.html
* https://www.postgresql.org/docs/16/release-16-1.html
Changes in postgresql15:
- Update to 15.5 https://www.postgresql.org/docs/15/release-15-5.html
- The libs and mini package are now provided by postgresql16.
- Overhaul postgresql-README.SUSE and move it from the binary
package to the noarch wrapper package.
- Change the unix domain socket location from /var/run to /run.
Changes in postgresql:
- Bump default to 16.
- Interlock version and release of all noarch packages except for
the postgresql-docs.
- Bump major version to prepare for PostgreSQL 16, but keep
default at 15 for now on Factory.
- bsc#1122892: Add a sysconfig variable for initdb.
- Overhaul postgresql-README.SUSE and move it from the binary
package to the noarch wrapper package.
- bsc#1179231: Add an explanation for the /tmp -> /run/postgresql
move and permission change.
- Add postgresql-README as a separate source file.
- bsc#1209208: Drop hard dependency on systemd
- bsc#1206796: Refine the distinction of where to use sysusers and
use bcond to have the expression only in one place.
- avoid bashisms in /bin/sh based startup script
- Bump to postgresql 15
- Change to systemd-sysusers
ImportantSUSE bug 1122892SUSE bug 1179231SUSE bug 1206796SUSE bug 1209208SUSE bug 1216022SUSE bug 1216734SUSE bug 1216960SUSE bug 1216961SUSE bug 1216962CVE-2023-5868 at SUSECVE-2023-5868 at NVDCVE-2023-5869 at SUSECVE-2023-5869 at NVDCVE-2023-5870 at SUSECVE-2023-5870 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for postgresql12 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql12 fixes the following issues:
Security issues fixed:
* CVE-2023-5868: Fix handling of unknown-type
arguments in DISTINCT 'any' aggregate functions. This error led
to a text-type value being interpreted as an unknown-type value
(that is, a zero-terminated string) at runtime. This could
result in disclosure of server memory following the text value. (bsc#1216962)
* CVE-2023-5869: Detect integer overflow while
computing new array dimensions. When assigning new elements to
array subscripts that are outside the current array bounds, an
undetected integer overflow could occur in edge cases. Memory
stomps that are potentially exploitable for arbitrary code
execution are possible, and so is disclosure of server memory. (bsc#1216961)
* CVE-2023-5870: Prevent the pg_signal_backend role
from signalling background workers and autovacuum processes.
The documentation says that pg_signal_backend cannot issue
signals to superuser-owned processes. It was able to signal
these background processes, though, because they advertise a
role OID of zero. Treat that as indicating superuser ownership.
The security implications of cancelling one of these process
types are fairly small so far as the core code goes (we'll just
start another one), but extensions might add background workers
that are more vulnerable.
Also ensure that the is_superuser parameter is set correctly in
such processes. No specific security consequences are known for
that oversight, but it might be significant for some extensions.
(bsc#1216960)
- Update to 12.17 https://www.postgresql.org/docs/12/release-12-17.html
- Overhaul postgresql-README.SUSE and move it from the binary
package to the noarch wrapper package.
- Change the unix domain socket location from /var/run to /run.
ImportantSUSE bug 1216022SUSE bug 1216734SUSE bug 1216960SUSE bug 1216961SUSE bug 1216962CVE-2023-5868 at SUSECVE-2023-5868 at NVDCVE-2023-5869 at SUSECVE-2023-5869 at NVDCVE-2023-5870 at SUSECVE-2023-5870 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql13 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql13 fixes the following issues:
Security issues fixed:
* CVE-2023-5868: Fix handling of unknown-type
arguments in DISTINCT 'any' aggregate functions. This error led
to a text-type value being interpreted as an unknown-type value
(that is, a zero-terminated string) at runtime. This could
result in disclosure of server memory following the text value. (bsc#1216962)
* CVE-2023-5869: Detect integer overflow while
computing new array dimensions. When assigning new elements to
array subscripts that are outside the current array bounds, an
undetected integer overflow could occur in edge cases. Memory
stomps that are potentially exploitable for arbitrary code
execution are possible, and so is disclosure of server memory. (bsc#1216961)
* CVE-2023-5870: Prevent the pg_signal_backend role
from signalling background workers and autovacuum processes.
The documentation says that pg_signal_backend cannot issue
signals to superuser-owned processes. It was able to signal
these background processes, though, because they advertise a
role OID of zero. Treat that as indicating superuser ownership.
The security implications of cancelling one of these process
types are fairly small so far as the core code goes (we'll just
start another one), but extensions might add background workers
that are more vulnerable.
Also ensure that the is_superuser parameter is set correctly in
such processes. No specific security consequences are known for
that oversight, but it might be significant for some extensions.
(bsc#1216960)
- Update to 13.13: https://www.postgresql.org/docs/13/release-13-13.html
- Overhaul postgresql-README.SUSE and move it from the binary
package to the noarch wrapper package.
- Change the unix domain socket location from /var/run to /run.
ImportantSUSE bug 1216022SUSE bug 1216734SUSE bug 1216960SUSE bug 1216961SUSE bug 1216962CVE-2023-5868 at SUSECVE-2023-5868 at NVDCVE-2023-5869 at SUSECVE-2023-5869 at NVDCVE-2023-5870 at SUSECVE-2023-5870 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for util-linux (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for util-linux fixes the following issues:
- CVE-2018-7738: Fixed shell code injection in umount bash-completions (bsc#1213865).
Bug fixes:
- Fix tests not passing when '@' character is in build path:
Fixes rpmbuild %checks fail when @ in the directory path (bsc#1194038).
ImportantSUSE bug 1194038SUSE bug 1213865CVE-2018-7738 at SUSECVE-2018-7738 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ucode-intel fixes the following issues:
- Updated to Intel CPU Microcode 20231114 pre-release (labeled 20231113). (bsc#1215278)
- CVE-2023-23583: Fixed potential CPU deadlocks or privilege escalation. (bsc#1215278)
ImportantSUSE bug 1215278CVE-2023-23583 at SUSECVE-2023-23583 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for python-urllib3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-urllib3 fixes the following issues:
- CVE-2023-45803: Fix a request body leak that could occur when
receiving a 303 HTTP response (bsc#1216377).
ModerateSUSE bug 1216377CVE-2023-45803 at SUSECVE-2023-45803 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gcc13 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gcc13 fixes the following issues:
This update ship the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available
unsupported via the PackageHub repositories.
To use gcc13 compilers use:
- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.
For a full changelog with all new GCC13 features, check out
https://gcc.gnu.org/gcc-13/changes.html
Detailed changes:
* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable
length stack allocations. (bsc#1214052)
- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when
building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they
can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather that --enable-link-mutex,
the benefit of the former one is that the linker jobs are not
holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd
for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be
specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone
package. Make libstdc++6 recommend timezone to get a fully
working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture)
as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier
SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture.
PRU architecture is used for real-time MCUs embedded into TI
armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for
armv7l in order to build both host applications and PRU firmware
during the same build.
ImportantSUSE bug 1206480SUSE bug 1206684SUSE bug 1210557SUSE bug 1211427SUSE bug 1212101SUSE bug 1213915SUSE bug 1214052SUSE bug 1214460SUSE bug 1215427SUSE bug 1216664CVE-2023-4039 at SUSECVE-2023-4039 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ucode-intel fixes the following issues:
- Updated to Intel CPU Microcode 20231114 release. (bsc#1215278)
- CVE-2023-23583: Fixed potential CPU deadlocks or privilege escalation. (bsc#1215278)
ImportantSUSE bug 1215278CVE-2023-23583 at SUSECVE-2023-23583 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for xen (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
- CVE-2023-46835: x86/AMD: mismatch in IOMMU quarantine page table levels (XSA-445) (bsc#1216654).
- CVE-2023-46836: x86: BTC/SRSO fixes not fully effective (XSA-446) (bsc#1216807).
ImportantSUSE bug 1216654SUSE bug 1216807CVE-2023-46835 at SUSECVE-2023-46835 at NVDCVE-2023-46836 at SUSECVE-2023-46836 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for avahi (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for avahi fixes the following issues:
- CVE-2023-38473: Fixed a reachable assertion when parsing a host
name (bsc#1216419).
ModerateSUSE bug 1216419CVE-2023-38473 at SUSECVE-2023-38473 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libxml2 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libxml2 fixes the following issues:
- CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).
ModerateSUSE bug 1216129CVE-2023-45322 at SUSECVE-2023-45322 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-openjdk (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-openjdk fixes the following issues:
Update to version jdk8u392 (icedtea-3.29.0) October 2023 CPU:
- CVE-2023-22067: Fixed IOR deserialization issue in CORBA (bsc#1216379).
- CVE-2023-22081: Fixed certificate path validation issue during client authentication (bsc#1216374).
- CVE-2015-4000: Fixed Logjam issue in SLES12SP5 (bsc#1211968).
ModerateSUSE bug 1211968SUSE bug 1216374SUSE bug 1216379CVE-2015-4000 at SUSECVE-2015-4000 at NVDCVE-2023-22067 at SUSECVE-2023-22067 at NVDCVE-2023-22081 at SUSECVE-2023-22081 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for clamav (Critical)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for clamav fixes the following issues:
- CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser (bsc#1208363).
- CVE-2023-20052: Fixed a possible remote information leak vulnerability in the DMG file parser (bsc#1208365).
CriticalSUSE bug 1208363SUSE bug 1208365CVE-2023-20032 at SUSECVE-2023-20032 at NVDCVE-2023-20052 at SUSECVE-2023-20052 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for squid (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for squid fixes the following issues:
- CVE-2023-46728: Remove gopher support (bsc#1216926).
- Fixed overread in HTTP request header parsing (bsc#1217274).
ImportantSUSE bug 1216926SUSE bug 1217274CVE-2023-46728 at SUSECVE-2023-46728 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 115.5.0 ESR Placeholder changelog-entry (bsc#1217230)
* Fixed: Various security fixes and other quality improvements. MFSA 2023-46 (bsc#1216338)
* CVE-2023-5721: Queued up rendering could have allowed websites to clickjack
* CVE-2023-5732: Address bar spoofing via bidirectional characters
* CVE-2023-5724: Large WebGL draw could have led to a crash
* CVE-2023-5725: WebExtensions could open arbitrary URLs
* CVE-2023-5726: Full screen notification obscured by file open dialog on macOS
* CVE-2023-5727: Download Protections were bypassed by .msix, .msixbundle, .appx, and .appxbundle files on Windows
* CVE-2023-5728: Improper object tracking during GC in the JavaScript engine could have led to a crash.
* CVE-2023-5730: Memory safety bugs fixed in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4.1
ImportantSUSE bug 1216338SUSE bug 1217230CVE-2023-5721 at SUSECVE-2023-5721 at NVDCVE-2023-5724 at SUSECVE-2023-5724 at NVDCVE-2023-5725 at SUSECVE-2023-5725 at NVDCVE-2023-5726 at SUSECVE-2023-5726 at NVDCVE-2023-5727 at SUSECVE-2023-5727 at NVDCVE-2023-5728 at SUSECVE-2023-5728 at NVDCVE-2023-5730 at SUSECVE-2023-5730 at NVDCVE-2023-5732 at SUSECVE-2023-5732 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xerces-c (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xerces-c fixes the following issues:
- CVE-2023-37536: Fixed an integer overflow that could have led to a out-of-bounds memory accesses (bsc#1216156).
ImportantSUSE bug 1216156CVE-2023-37536 at SUSECVE-2023-37536 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ucode-intel fixes the following issues:
Updated to Intel CPU Microcode 20230214 release.
Security issues fixed:
- CVE-2022-38090: Security updates for [INTEL-SA-00767](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00767.html) (bsc#1208275)
- CVE-2022-33196: Security updates for [INTEL-SA-00738](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00738.html) (bsc#1208276)
- CVE-2022-21216: Security updates for [INTEL-SA-00700](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00700.html) (bsc#1208277)
- New Platforms:
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| SPR-SP | E2 | 06-8f-05/87 | | 2b000181 | Xeon Scalable Gen4
| SPR-SP | E3 | 06-8f-06/87 | | 2b000181 | Xeon Scalable Gen4
| SPR-SP | E4 | 06-8f-07/87 | | 2b000181 | Xeon Scalable Gen4
| SPR-SP | E5 | 06-8f-08/87 | | 2b000181 | Xeon Scalable Gen4
| SPR-HBM | B3 | 06-8f-08/10 | | 2c000170 | Xeon Max
| RPL-P 6+8 | J0 | 06-ba-02/07 | | 0000410e | Core Gen13
| RPL-H 6+8 | J0 | 06-ba-02/07 | | 0000410e | Core Gen13
| RPL-U 2+8 | Q0 | 06-ba-02/07 | | 0000410e | Core Gen13
- Updated Platforms:
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| ADL | C0 | 06-97-02/07 | 00000026 | 0000002c | Core Gen12
| ADL | C0 | 06-97-05/07 | 00000026 | 0000002c | Core Gen12
| ADL | C0 | 06-bf-02/07 | 00000026 | 0000002c | Core Gen12
| ADL | C0 | 06-bf-05/07 | 00000026 | 0000002c | Core Gen12
| ADL | L0 | 06-9a-03/80 | 00000424 | 00000429 | Core Gen12
| ADL | L0 | 06-9a-04/80 | 00000424 | 00000429 | Core Gen12
| CLX-SP | B0 | 06-55-06/bf | 04003302 | 04003303 | Xeon Scalable Gen2
| CLX-SP | B1 | 06-55-07/bf | 05003302 | 05003303 | Xeon Scalable Gen2
| CPX-SP | A1 | 06-55-0b/bf | 07002501 | 07002503 | Xeon Scalable Gen3
| GLK | B0 | 06-7a-01/01 | 0000003c | 0000003e | Pentium Silver N/J5xxx, Celeron N/J4xxx
| GLK-R | R0 | 06-7a-08/01 | 00000020 | 00000022 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| ICL-D | B0 | 06-6c-01/10 | 01000201 | 01000211 | Xeon D-17xx, D-27xx
| ICL-U/Y | D1 | 06-7e-05/80 | 000000b6 | 000000b8 | Core Gen10 Mobile
| ICX-SP | D0 | 06-6a-06/87 | 0d000375 | 0d000389 | Xeon Scalable Gen3
| JSL | A0/A1 | 06-9c-00/01 | 24000023 | 24000024 | Pentium N6000/N6005, Celeron N4500/N4505/N5100/N5105
| LKF | B2/B3 | 06-8a-01/10 | 00000031 | 00000032 | Core w/Hybrid Technology
| RKL-S | B0 | 06-a7-01/02 | 00000056 | 00000057 | Core Gen11
| RPL-S | S0 | 06-b7-01/32 | 0000010e | 00000112 | Core Gen13
| SKX-SP | B1 | 06-55-03/97 | 0100015e | 01000161 | Xeon Scalable
ImportantSUSE bug 1208275SUSE bug 1208276SUSE bug 1208277CVE-2022-21216 at SUSECVE-2022-21216 at NVDCVE-2022-33196 at SUSECVE-2022-33196 at NVDCVE-2022-38090 at SUSECVE-2022-38090 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for vim (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for vim fixes the following issues:
- CVE-2023-5344: Heap-based Buffer Overflow in vim prior to 9.0.1969 (bsc#1215940)
- CVE-2023-5441: segfault in exmode when redrawing (bsc#1216001)
- CVE-2023-5535: use-after-free from buf_contents_changed() (bsc#1216167)
- CVE-2023-46246: Integer Overflow in :history command (bsc#1216696)
ImportantSUSE bug 1215940SUSE bug 1216001SUSE bug 1216167SUSE bug 1216696CVE-2023-46246 at SUSECVE-2023-46246 at NVDCVE-2023-5344 at SUSECVE-2023-5344 at NVDCVE-2023-5441 at SUSECVE-2023-5441 at NVDCVE-2023-5535 at SUSECVE-2023-5535 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for sqlite3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for sqlite3 fixes the following issues:
- CVE-2023-2137: Fixed heap buffer overflow (bsc#1210660).
ImportantSUSE bug 1210660CVE-2023-2137 at SUSECVE-2023-2137 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for gstreamer-plugins-bad (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gstreamer-plugins-bad fixes the following issues:
- CVE-2023-40474: Fixed integer overflow causing out of bounds writes when handling invalid uncompressed video (bsc#1215796).
- CVE-2023-40476: Fixed possible overflow using max_sub_layers_minus1 (bsc#1215793).
ImportantSUSE bug 1215793SUSE bug 1215796CVE-2023-40474 at SUSECVE-2023-40474 at NVDCVE-2023-40476 at SUSECVE-2023-40476 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-ibm fixes the following issues:
- Update to Java 8.0 Service Refresh 8 Fix Pack 15:
* Oracle October 17 2023 CPU [bsc#1216640]
Security fixes:
- CVE-2023-22081: Fixed enhanced TLS connections (bsc#1216374)
- CVE-2023-22067: Fixed IOR deserialization issue in CORBA (bsc#1216379)
- CVE-2023-22025: Fixed memory corruption issue on x86_64 with AVX-512 (bsc#1216339)
- CVE-2023-5676: Fixed receiving a signal before initialization may lead to an infinite loop or unexpected crash (bsc#1217214)
Bug fixes:
- IBM Java idlj compiler switch definition because IBM java idlj seems to confuse char and wchar for typedef types (bsc#1204264).
ImportantSUSE bug 1204264SUSE bug 1216339SUSE bug 1216374SUSE bug 1216379SUSE bug 1216640SUSE bug 1217214CVE-2023-22025 at SUSECVE-2023-22025 at NVDCVE-2023-22067 at SUSECVE-2023-22067 at NVDCVE-2023-22081 at SUSECVE-2023-22081 at NVDCVE-2023-5676 at SUSECVE-2023-5676 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libqt4 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libqt4 fixes the following issues:
- CVE-2021-45930: Fix out of-bounds write when parsing path nodes (bsc#1196654).
- CVE-2023-32573: Fix missing initialization of QSvgFont unitsPerEm (bsc#1211298).
- CVE-2023-32763: Fix potential buffer when rendering a SVG file with an image inside (bsc#1211798).
- CVE-2023-34410: Fix missing sync of disablement of loading root certificates in qsslsocketprivate (bsc#1211994).
- CVE-2023-37369: Fix buffer overflow in QXmlStreamReader (bsc#1214327).
- CVE-2023-38197: Fix infinite loops in QXmlStreamReader (bsc#1213326).
ImportantSUSE bug 1196654SUSE bug 1211298SUSE bug 1211798SUSE bug 1211994SUSE bug 1213326SUSE bug 1214327CVE-2021-45930 at SUSECVE-2021-45930 at NVDCVE-2023-32573 at SUSECVE-2023-32573 at NVDCVE-2023-32763 at SUSECVE-2023-32763 at NVDCVE-2023-34410 at SUSECVE-2023-34410 at NVDCVE-2023-37369 at SUSECVE-2023-37369 at NVDCVE-2023-38197 at SUSECVE-2023-38197 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for squid (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for squid fixes the following issues:
- Fix X-Forwarded-For Stack Overflow (bsc#1217654)
ModerateSUSE bug 1217654cpe:/o:suse:sles_teradata:12:sp3Security update for squid (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATA
This update for squid fixes the following issues:
- Fixed overread in HTTP request header parsing (bsc#1217274).
- Fixed X-Forwarded-For Stack Overflow (bsc#1217654).
- CVE-2023-46728: Fixed NULL pointer dereference in gopher gateway (bsc#1216926).
- CVE-2023-46847: Fixed denial of Service in HTTP Digest Authentication (bsc#1216495).
- CVE-2023-46724: Fixed validation of certificates with CN=* (bsc#1216803).
ImportantSUSE bug 1216495SUSE bug 1216803SUSE bug 1216926SUSE bug 1217274SUSE bug 1217654CVE-2023-46724 at SUSECVE-2023-46724 at NVDCVE-2023-46728 at SUSECVE-2023-46728 at NVDCVE-2023-46847 at SUSECVE-2023-46847 at NVDcpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
Update to version 2.42.2 (bsc#1217210):
- CVE-2023-41983: Processing web content may lead to a denial-of-service.
- CVE-2023-42852: Processing web content may lead to arbitrary code execution.
Already previously fixed:
- CVE-2022-32919: Visiting a website that frames malicious content may lead to UI spoofing (fixed already in 2.38.4).
- CVE-2022-32933: A website may be able to track the websites a user visited in private browsing mode (fixed already in 2.38.0).
- CVE-2022-46705: Visiting a malicious website may lead to address bar spoofing (fixed already in 2.38.4).
- CVE-2022-46725: Visiting a malicious website may lead to address bar spoofing (fixed already in 2.38.4).
- CVE-2023-32359: A user’s password may be read aloud by a text-to-speech accessibility feature (fixed already in 2.42.0).
Bug fixes:
- Disable DMABuf renderer for NVIDIA proprietary drivers (bsc#1216778).
ImportantSUSE bug 1216778SUSE bug 1217210CVE-2022-32919 at SUSECVE-2022-32919 at NVDCVE-2022-32933 at SUSECVE-2022-32933 at NVDCVE-2022-46705 at SUSECVE-2022-46705 at NVDCVE-2022-46725 at SUSECVE-2022-46725 at NVDCVE-2023-32359 at SUSECVE-2023-32359 at NVDCVE-2023-41983 at SUSECVE-2023-41983 at NVDCVE-2023-42852 at SUSECVE-2023-42852 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for traceroute (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for traceroute fixes the following issues:
- CVE-2023-46316: wrapper scripts do not properly parse command lines (bsc#1216591).
ModerateSUSE bug 1216591CVE-2023-46316 at SUSECVE-2023-46316 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Updated to version 102.8.0 ESR (bsc#1208144):
- CVE-2023-25728: Fixed content security policy leak in violation reports using iframes.
- CVE-2023-25730: Fixed screen hijack via browser fullscreen mode.
- CVE-2023-25743: Fixed Fullscreen notification not being shown in Firefox Focus.
- CVE-2023-0767: Fixed arbitrary memory write via PKCS 12 in NSS.
- CVE-2023-25735: Fixed potential use-after-free from compartment mismatch in SpiderMonkey.
- CVE-2023-25737: Fixed invalid downcast in SVGUtils::SetupStrokeGeometry.
- CVE-2023-25738: Fixed printing on Windows which could potentially crash Firefox with some device drivers.
- CVE-2023-25739: Fixed use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext.
- CVE-2023-25729: Fixed extensions opening external schemes without user knowledge.
- CVE-2023-25732: Fixed out of bounds memory write from EncodeInputStream.
- CVE-2023-25734: Fixed opening local .url files that causes unexpected network loads.
- CVE-2023-25742: Fixed tab crash by Web Crypto ImportKey.
- CVE-2023-25744: Fixed Memory safety bugs.
- CVE-2023-25746: Fixed Memory safety bugs.
ImportantSUSE bug 1208138SUSE bug 1208144CVE-2023-0767 at SUSECVE-2023-0767 at NVDCVE-2023-25728 at SUSECVE-2023-25728 at NVDCVE-2023-25729 at SUSECVE-2023-25729 at NVDCVE-2023-25730 at SUSECVE-2023-25730 at NVDCVE-2023-25732 at SUSECVE-2023-25732 at NVDCVE-2023-25734 at SUSECVE-2023-25734 at NVDCVE-2023-25735 at SUSECVE-2023-25735 at NVDCVE-2023-25737 at SUSECVE-2023-25737 at NVDCVE-2023-25738 at SUSECVE-2023-25738 at NVDCVE-2023-25739 at SUSECVE-2023-25739 at NVDCVE-2023-25742 at SUSECVE-2023-25742 at NVDCVE-2023-25743 at SUSECVE-2023-25743 at NVDCVE-2023-25744 at SUSECVE-2023-25744 at NVDCVE-2023-25746 at SUSECVE-2023-25746 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for mozilla-nss (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mozilla-nss fixes the following issues:
Updated to NSS 3.79.4 (bsc#1208138):
- CVE-2023-0767: Fixed handling of unknown PKCS#12 safe bag types.
ImportantSUSE bug 1208138CVE-2023-0767 at SUSECVE-2023-0767 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for squid (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for squid fixes the following issues:
- CVE-2023-49285: Fixed buffer overread bug on HTTP Message processing flow (bsc#1217813).
- CVE-2023-49286: Fixed Denial of Service attack against its Helper process management (bsc#1217815).
ImportantSUSE bug 1217813SUSE bug 1217815CVE-2023-49285 at SUSECVE-2023-49285 at NVDCVE-2023-49286 at SUSECVE-2023-49286 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tiff (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tiff fixes the following issues:
- CVE-2023-2731: Fix null pointer deference in LZWDecode() (bsc#1211478).
- CVE-2023-1916: Fix out-of-bounds read in extractImageSection() (bsc#1210231).
- CVE-2023-26965: Fix heap-based use after free in loadImage() (bsc#1212398).
- CVE-2022-40090: Fix infinite loop in TIFFReadDirectory() (bsc#1214680).
ImportantSUSE bug 1199483SUSE bug 1210231SUSE bug 1211478SUSE bug 1212398SUSE bug 1214680CVE-2022-1622 at SUSECVE-2022-1622 at NVDCVE-2022-40090 at SUSECVE-2022-40090 at NVDCVE-2023-1916 at SUSECVE-2023-1916 at NVDCVE-2023-26965 at SUSECVE-2023-26965 at NVDCVE-2023-2731 at SUSECVE-2023-2731 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for squid (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATA
This update for squid fixes the following issues:
- CVE-2023-49285: Fixed buffer over read bug on HTTP Message processing flow (bsc#1217813)
- CVE-2023-49286: Fixed Denial of Service vulnerability in helper process management (bsc#1217815)
ImportantSUSE bug 1217813SUSE bug 1217815CVE-2023-49285 at SUSECVE-2023-49285 at NVDCVE-2023-49286 at SUSECVE-2023-49286 at NVDcpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
Update to version 2.42.3 (bsc#1217844):
- Fix flickering while playing videos with DMA-BUF sink.
- Fix color picker being triggered in the inspector when typing 'tan'.
- Do not special case the 'sans' font family name.
- Fix build failure with libxml2 version 2.12.0 due to an API change.
- Fix several crashes and rendering issues.
- Security fixes: CVE-2023-42916, CVE-2023-42917.
ImportantSUSE bug 1217844CVE-2023-42916 at SUSECVE-2023-42916 at NVDCVE-2023-42917 at SUSECVE-2023-42917 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for xrdp (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xrdp fixes the following issues:
- CVE-2023-42822: Fixed unchecked access to font glyph info (bsc#1215803).
ModerateSUSE bug 1215803CVE-2023-42822 at SUSECVE-2023-42822 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for ncurses (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ncurses fixes the following issues:
- CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014)
ModerateSUSE bug 1218014CVE-2023-50495 at SUSECVE-2023-50495 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openssh (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssh fixes the following issues:
- CVE-2023-48795: Fixed prefix truncation breaking ssh channel integrity (bsc#1217950).
ImportantSUSE bug 1217950CVE-2023-48795 at SUSECVE-2023-48795 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for suse-module-tools (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for suse-module-tools fixes the following issues:
- CVE-2023-1829: Fixed vulnerabilities in the tcindex classifier (bsc#1210335).
= Fixed protocol problems in RNDIS drivers (bsc#1205767).
ImportantSUSE bug 1205767SUSE bug 1210335CVE-2023-1829 at SUSECVE-2023-1829 at NVDCVE-2023-23559 at SUSECVE-2023-23559 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
- Firefox Extended Support Release 115.6.0 ESR changelog-entry (bsc#1217974)
* CVE-2023-6856: Heap-buffer-overflow affecting WebGL DrawElementsInstanced method with Mesa VM driver (bmo#1843782).
* CVE-2023-6857: Symlinks may resolve to smaller than expected buffers (bmo#1796023).
* CVE-2023-6858: Heap buffer overflow in nsTextFragment (bmo#1826791).
* CVE-2023-6859: Use-after-free in PR_GetIdentitiesLayer (bmo#1840144).
* CVE-2023-6860: Potential sandbox escape due to VideoBridge lack of texture validation (bmo#1854669).
* CVE-2023-6861: Heap buffer overflow affected nsWindow::PickerOpen(void) in headless mode (bmo#1864118).
* CVE-2023-6862: Use-after-free in nsDNSService (bsc#1868042).
* CVE-2023-6863: Undefined behavior in ShutdownObserver() (bmo#1868901).
* CVE-2023-6864: Memory safety bugs fixed in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6.
* CVE-2023-6865: Potential exposure of uninitialized data in EncryptingOutputStream (bmo#1864123).
* CVE-2023-6867: Clickjacking permission prompts using the popup transition (bmo#1863863).
- Fixed: Various security fixes and other quality improvements MFSA 2023-50 (bsc#1217230)
* CVE-2023-6204 (bmo#1841050)
Out-of-bound memory access in WebGL2 blitFramebuffer
* CVE-2023-6205 (bmo#1854076)
Use-after-free in MessagePort::Entangled
* CVE-2023-6206 (bmo#1857430)
Clickjacking permission prompts using the fullscreen
transition
* CVE-2023-6207 (bmo#1861344)
Use-after-free in ReadableByteStreamQueueEntry::Buffer
* CVE-2023-6208 (bmo#1855345)
Using Selection API would copy contents into X11 primary
selection.
* CVE-2023-6209 (bmo#1858570)
Incorrect parsing of relative URLs starting with '///'
* CVE-2023-6212 (bmo#1658432, bmo#1820983, bmo#1829252,
bmo#1856072, bmo#1856091, bmo#1859030, bmo#1860943,
bmo#1862782)
Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5,
and Thunderbird 115.5 ImportantSUSE bug 1217230SUSE bug 1217974CVE-2023-6204 at SUSECVE-2023-6204 at NVDCVE-2023-6205 at SUSECVE-2023-6205 at NVDCVE-2023-6206 at SUSECVE-2023-6206 at NVDCVE-2023-6207 at SUSECVE-2023-6207 at NVDCVE-2023-6208 at SUSECVE-2023-6208 at NVDCVE-2023-6209 at SUSECVE-2023-6209 at NVDCVE-2023-6212 at SUSECVE-2023-6212 at NVDCVE-2023-6856 at SUSECVE-2023-6856 at NVDCVE-2023-6857 at SUSECVE-2023-6857 at NVDCVE-2023-6858 at SUSECVE-2023-6858 at NVDCVE-2023-6859 at SUSECVE-2023-6859 at NVDCVE-2023-6860 at SUSECVE-2023-6860 at NVDCVE-2023-6861 at SUSECVE-2023-6861 at NVDCVE-2023-6862 at SUSECVE-2023-6862 at NVDCVE-2023-6863 at SUSECVE-2023-6863 at NVDCVE-2023-6864 at SUSECVE-2023-6864 at NVDCVE-2023-6865 at SUSECVE-2023-6865 at NVDCVE-2023-6867 at SUSECVE-2023-6867 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for ghostscript (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ghostscript fixes the following issues:
- CVE-2023-46751: Fixed dangling pointer in gdev_prn_open_printer_seekable() (bsc#1217871).
ImportantSUSE bug 1217871CVE-2023-46751 at SUSECVE-2023-46751 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for poppler (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for poppler fixes the following issues:
- CVE-2022-38784: Fixed integer overflow in the JBIG2 decoder (bsc#1202692).
- CVE-2019-13283: Fixed heap-based buffer over-read that could be triggered by sending a crafted PDF document to the pdftotext tool (bsc#1140877).
ImportantSUSE bug 1140877SUSE bug 1202692CVE-2019-13283 at SUSECVE-2019-13283 at NVDCVE-2022-38784 at SUSECVE-2022-38784 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for poppler (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for poppler fixes the following issues:
- CVE-2018-20662: PDFDoc setup in PDFDoc.cc allows attackers to cause DOS because of a wrong return value from PDFDoc:setup (bsc#1120956).
ModerateSUSE bug 1120956CVE-2018-20662 at SUSECVE-2018-20662 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ppp (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ppp fixes the following issues:
- CVE-2022-4603: Fixed improper validation of array index of the component pppdump (bsc#1218251).
ModerateSUSE bug 1218251CVE-2022-4603 at SUSECVE-2022-4603 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for jbigkit (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for jbigkit fixes the following issues:
- CVE-2022-1210: Fixed denial of service in TIFF File Handler (bsc#1198146).
LowSUSE bug 1198146CVE-2022-1210 at SUSECVE-2022-1210 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python36 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python36 fixes the following issues:
- CVE-2022-45061: Fixed DoS when IDNA decodes extremely long domain names (bsc#1205244).
Bugfixes:
- Fixed issue where email.generator.py replaces a non-existent header (bsc#1208443).
ModerateSUSE bug 1205244SUSE bug 1208443CVE-2022-45061 at SUSECVE-2022-45061 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gstreamer-plugins-bad (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gstreamer-plugins-bad fixes the following issues:
- CVE-2023-40475: Fixed GStreamer MXF File Parsing Integer Overflow (bsc#1215792).
ImportantSUSE bug 1215792CVE-2023-40475 at SUSECVE-2023-40475 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
- CVE-2023-42890: Fixed processing malicious web content may lead to arbitrary code execution (bsc#1218033).
- CVE-2023-42883: Fixed processing a malicious image may lead to a denial-of-service (bsc#1218032).
- CVE-2023-41074: Fixed use-after-free in the MediaRecorder API of the WebKit GStreamer-based ports (bsc#1215870).
- CVE-2023-39928: Fixed use-after-free in the MediaRecorder API of the WebKit GStreamer-based ports (bsc#1215868).
- CVE-2023-40451: Update to version 2.42.4 (bsc#1215869).
ImportantSUSE bug 1215868SUSE bug 1215869SUSE bug 1215870SUSE bug 1218032SUSE bug 1218033CVE-2023-39928 at SUSECVE-2023-39928 at NVDCVE-2023-40451 at SUSECVE-2023-40451 at NVDCVE-2023-41074 at SUSECVE-2023-41074 at NVDCVE-2023-42883 at SUSECVE-2023-42883 at NVDCVE-2023-42890 at SUSECVE-2023-42890 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for gstreamer (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gstreamer fixes the following issues:
- CVE-2023-40474: Fixed GStreamer MXF File Parsing Integer Overflow (bsc#1215796).
ImportantSUSE bug 1215796CVE-2023-40474 at SUSECVE-2023-40474 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libxslt (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libxslt fixes the following issues:
- CVE-2021-30560: Fixing a use after free vulnerability in Blink XSLT (bsc#1208574).
ImportantSUSE bug 1208574CVE-2021-30560 at SUSECVE-2021-30560 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for xterm (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xterm fixes the following issues:
- CVE-2022-45063: Fixed command injection in ESC 50 fontoperation by disabling the change font functionality (bsc#1205305).
ImportantSUSE bug 1205305CVE-2022-45063 at SUSECVE-2022-45063 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for nrpe (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for nrpe fixes the following issues:
- CVE-2015-4000: Fixed Logjam Attack by increasing the standard size of 512 bit dh parameters to 2048 (bsc#931600, bsc#938906).
ModerateSUSE bug 931600SUSE bug 938906CVE-2015-4000 at SUSECVE-2015-4000 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for emacs (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for emacs fixes the following issues:
- CVE-2022-48337: Fixed etags local command injection vulnerability (bsc#1208515).
- CVE-2022-48339: Fixed htmlfontify.el command injection vulnerability (bsc#1208512).
ImportantSUSE bug 1208512SUSE bug 1208515CVE-2022-48337 at SUSECVE-2022-48337 at NVDCVE-2022-48339 at SUSECVE-2022-48339 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for tiff (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tiff fixes the following issues:
- CVE-2022-3570: Fixed a potential crash in the tiffcrop utility (bsc#1205422).
- CVE-2022-3598: Fixed a potential crash in the tiffcrop utility (bsc#1204642).
ModerateSUSE bug 1204642SUSE bug 1205422CVE-2022-3570 at SUSECVE-2022-3570 at NVDCVE-2022-3598 at SUSECVE-2022-3598 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
Update to version 2.38.3 (bnc#1206750):
- CVE-2022-42852: Fixed disclosure of process memory by improved memory handling.
- CVE-2022-42856: Fixed a potential arbitrary code execution when processing maliciously crafted web content (bsc#1206474).
- CVE-2022-42863: Fixed a potential arbitrary code execution when processing maliciously crafted web content.
- CVE-2022-42867: Fixed a use after free issue was addressed with improved memory management.
- CVE-2022-46691: Fixed a potential arbitrary code execution when processing maliciously crafted web content.
- CVE-2022-46692: Fixed bypass of Same Origin Policy through improved state management.
- CVE-2022-46698: Fixed disclosure of sensitive user information with improved checks.
- CVE-2022-46699: Fixed an arbitrary code execution caused by memory corruption.
- CVE-2022-46700: Fixed a potential arbitrary code execution when processing maliciously crafted web content.
ImportantSUSE bug 1206474SUSE bug 1206750CVE-2022-42852 at SUSECVE-2022-42852 at NVDCVE-2022-42856 at SUSECVE-2022-42856 at NVDCVE-2022-42863 at SUSECVE-2022-42863 at NVDCVE-2022-42867 at SUSECVE-2022-42867 at NVDCVE-2022-46691 at SUSECVE-2022-46691 at NVDCVE-2022-46692 at SUSECVE-2022-46692 at NVDCVE-2022-46698 at SUSECVE-2022-46698 at NVDCVE-2022-46699 at SUSECVE-2022-46699 at NVDCVE-2022-46700 at SUSECVE-2022-46700 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for python36 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python36 fixes the following issues:
- CVE-2023-24329: Fixed a blocklist bypass via the urllib.parse component when supplying a URL that starts with blank characters (bsc#1208471).
ImportantSUSE bug 1208471CVE-2023-24329 at SUSECVE-2023-24329 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python36-setuptools (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python36-setuptools fixes the following issues:
- CVE-2022-40897: Fixed an excessive CPU usage that could be triggered
by fetching a malicious HTML document (bsc#1206667).
ModerateSUSE bug 1206667CVE-2022-40897 at SUSECVE-2022-40897 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xorg-x11-server fixes the following issues:
- Fixed a regression introduced with security update for CVE-2022-46340 (bsc#1205874).
ImportantSUSE bug 1205874CVE-2022-46340 at SUSECVE-2022-46340 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for w3m (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for w3m fixes the following issues:
- CVE-2022-38223: Fixed a memory safety issue when dumping crafted
input to standard out (bsc#1202684).
ModerateSUSE bug 1202684CVE-2022-38223 at SUSECVE-2022-38223 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3 fixes the following issues:
- CVE-2023-24329: Fixed blocklist bypass via the urllib.parse component when supplying a URL that starts with blank characters (bsc#1208471).
- CVE-2022-40899: Fixed REDoS in http.cookiejar (gh#python/cpython#17157) (bsc#1206673).
ImportantSUSE bug 1206673SUSE bug 1208471CVE-2022-40899 at SUSECVE-2022-40899 at NVDCVE-2023-24329 at SUSECVE-2023-24329 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libX11 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libX11 fixes the following issues:
- Fixed regression introduced with security update for CVE-2022-3555 (bsc#1204425, bsc#1208881)
ModerateSUSE bug 1204425SUSE bug 1208881CVE-2022-3555 at SUSECVE-2022-3555 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python-py (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-py fixes the following issues:
Bugfixes:
- Fixed bugs introduced with the fix for CVE-2022-42969 (bsc#1204364, bsc#1208181).
ModerateSUSE bug 1204364SUSE bug 1208181CVE-2022-42969 at SUSECVE-2022-42969 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openssl (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssl fixes the following issues:
- CVE-2023-0286: Fixed X.400 address type confusion in X.509 GeneralNameFixed (bsc#1207533).
- CVE-2023-0215: Fixed a use-after-free following BIO_new_NDEF (bsc#1207536).
- CVE-2022-4304: Fixed a timing oracle in RSA decryption (bsc#1207534).
The following non-security bug were fixed:
- Fix DH key generation in FIPS mode, add support for constant BN for DH parameters (bsc#1202062).
- Update further expiring certificates that affect tests (bsc#1201627).
ImportantSUSE bug 1201627SUSE bug 1202062SUSE bug 1207533SUSE bug 1207534SUSE bug 1207536CVE-2022-4304 at SUSECVE-2022-4304 at NVDCVE-2023-0215 at SUSECVE-2023-0215 at NVDCVE-2023-0286 at SUSECVE-2023-0286 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for tomcat (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tomcat fixes the following issues:
- CVE-2023-24998: Fixed FileUpload DoS with excessive parts (bsc#1208513).
ImportantSUSE bug 1208513CVE-2023-24998 at SUSECVE-2023-24998 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for jakarta-commons-fileupload (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for jakarta-commons-fileupload fixes the following issues:
- CVE-2016-3092: Fixed a usage of vulnerable FileUpload package can result in denial of service (bsc#986359).
- CVE-2023-24998: Fixed a FileUpload deny of service with excessive parts (bsc#1208513).
ImportantSUSE bug 1208513SUSE bug 986359CVE-2016-3092 at SUSECVE-2016-3092 at NVDCVE-2023-24998 at SUSECVE-2023-24998 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for perl-Net-Server (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for perl-Net-Server fixes the following issues:
- CVE-2013-1841: Fixed insufficient hostname access checking (bsc#808830).
ModerateSUSE bug 808830CVE-2013-1841 at SUSECVE-2013-1841 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3 fixes the following issues:
- CVE-2022-40899: Fixed an issue that could allow attackers to cause
an excessive CPU usage via a crafted Set-Cookie header (bsc#1206673).
ModerateSUSE bug 1206673CVE-2022-40899 at SUSECVE-2022-40899 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for vim (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for vim fixes the following issues:
- CVE-2023-0512: Fixed a divide By Zero (bsc#1207780).
- CVE-2023-1175: vim: an incorrect calculation of buffer size (bsc#1208957).
- CVE-2023-1170: Fixed a heap-based Buffer Overflow (bsc#1208959).
- CVE-2023-1127: Fixed divide by zero in scrolldown() (bsc#1208828).
Updated to version 9.0 with patch level 1386.
- https://github.com/vim/vim/compare/v9.0.1234...v9.0.1386
ImportantSUSE bug 1207780SUSE bug 1208828SUSE bug 1208957SUSE bug 1208959CVE-2023-0512 at SUSECVE-2023-0512 at NVDCVE-2023-1127 at SUSECVE-2023-1127 at NVDCVE-2023-1170 at SUSECVE-2023-1170 at NVDCVE-2023-1175 at SUSECVE-2023-1175 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Update to version 102.9.0 ESR (bsc#1209173):
- CVE-2023-28159: Fullscreen Notification could have been hidden by download popups on Android
- CVE-2023-25748: Fullscreen Notification could have been hidden by window prompts on Android
- CVE-2023-25749: Firefox for Android may have opened third-party apps without a prompt
- CVE-2023-25750: Potential ServiceWorker cache leak during private browsing mode
- CVE-2023-25751: Incorrect code generation during JIT compilation
- CVE-2023-28160: Redirect to Web Extension files may have leaked local path
- CVE-2023-28164: URL being dragged from a removed cross-origin iframe into the same tab triggered navigation
- CVE-2023-28161: One-time permissions granted to a local file were extended to other local files loaded in the same tab
- CVE-2023-28162: Invalid downcast in Worklets
- CVE-2023-25752: Potential out-of-bounds when accessing throttled streams
- CVE-2023-28163: Windows Save As dialog resolved environment variables
- CVE-2023-28176: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9
- CVE-2023-28177: Memory safety bugs fixed in Firefox 111
ImportantSUSE bug 1209173CVE-2023-25748 at SUSECVE-2023-25748 at NVDCVE-2023-25749 at SUSECVE-2023-25749 at NVDCVE-2023-25750 at SUSECVE-2023-25750 at NVDCVE-2023-25751 at SUSECVE-2023-25751 at NVDCVE-2023-25752 at SUSECVE-2023-25752 at NVDCVE-2023-28159 at SUSECVE-2023-28159 at NVDCVE-2023-28160 at SUSECVE-2023-28160 at NVDCVE-2023-28161 at SUSECVE-2023-28161 at NVDCVE-2023-28162 at SUSECVE-2023-28162 at NVDCVE-2023-28163 at SUSECVE-2023-28163 at NVDCVE-2023-28164 at SUSECVE-2023-28164 at NVDCVE-2023-28176 at SUSECVE-2023-28176 at NVDCVE-2023-28177 at SUSECVE-2023-28177 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for qemu (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for qemu fixes the following issues:
- bsc#1198038 (CVE-2022-0216)
- bsc#1193880 (CVE-2021-3929)
- bsc#1198712 (CVE-2022-26354)
- bsc#1198037 (CVE-2021-4207)
- bsc#1205808 (CVE-2022-4144), bsc#1185000
(CVE-2021-3507)
- bsc#1198035 (CVE-2021-4206)
- Fix: kvm,qemu: heap buffer overflow in sdhci_sdma_transfer_multi_blocks()
in hw/sd/sdhci.c (bsc#1175144, CVE-2020-17380, CVE-2020-25085, CVE-2021-3409)
- kvm,qemu: sdhci: out-of-bounds access issue while doing multi block SDMA
(bsc#1176681, CVE-2020-25085)
- Amend .changes file: avoid declaring a still unfixed CVE, as
fixed (bsc#1187529)
- the build breaks caused by binutils update
(bsc#1192463)
- out-of-bounds write in UAS (USB Attached SCSI) device emulation
(bsc#1189702, CVE-2021-3713)
- heap use-after-free in virtio_net_receive_rcu
(bsc#1189938, CVE-2021-3748)
- usbredir: free call on invalid pointer in bufp_alloc
(bsc#1189145, CVE-2021-3682)
- NULL pointer dereference issue in megasas-gen2 host bus adapter
(bsc#1180432, CVE-2020-35503)
- eepro100: stack overflow via infinite recursion
(bsc#1182651, CVE-2021-20255)
- usb: unbounded stack allocation in usbredir
(bsc#1186012, CVE-2021-3527)
- NULL pointer dereference in ESP
(bsc#1180433, CVE-2020-35504)
(bsc#1180434, CVE-2020-35505)
(bsc#1180435, CVE-2020-35506)
- bsc#1187366, CVE-2021-3595
- bsc#1187364, CVE-2021-3592
- bsc#1187367, CVE-2021-3594
- bsc#1187365, CVE-2021-3593
- intel-hda segmentation fault due to stack overflow
(bsc#1187529)
- OOB access during mmio operations
(CVE-2020-13754, bsc#1172382)
- out-of-bounds read information disclosure in icmp6_send_echoreply
(CVE-2020-10756, bsc#1172380)
- out-of-bound heap buffer access via an interrupt ID field
(CVE-2021-20221, bsc#1181933)
- (CVE-2019-15890, bsc#1149813, CVE-2020-8608, bsc#1163019,
CVE-2020-14364, bsc#1175534, CVE-2020-25707, bsc#1178683,
CVE-2020-25723, bsc#1178935, CVE-2020-29130, bsc#1179477,
CVE-2021-20257, bsc#1182846, CVE-2021-3419, bsc#1182975,
bsc#1094725)
- OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)
- OOB access possibility in MegaRAID SAS 8708EM2 emulation
(CVE-2020-13362 bsc#1172383)
- use-after-free in usb xhci packet handling (CVE-2020-25723,
bsc#1178934)
- use-after-free in usb ehci packet handling (CVE-2020-25084,
bsc#1176673)
- OOB access in usb hcd-ohci emulation (CVE-2020-25624,
bsc#1176682)
- infinite loop (DoS) in usb hcd-ohci emulation
(CVE-2020-25625, bsc#1176684)
- guest triggerable assert in shared network
handling code (CVE-2020-27617, bsc#1178174)
- infinite loop (DoS) in e1000e device emulation
(CVE-2020-28916, bsc#1179468)
- OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)
- null pointer deref. (DoS) in mmio ops (CVE-2020-15469,
bsc#1173612)
- infinite loop (DoS) in e1000 device emulation
(CVE-2021-20257, bsc#1182577)
- OOB access (stack overflow) in rtl8139 NIC emulation
(CVE-2021-3416, bsc#1182968)
- OOB access (stack overflow) in other NIC emulations
(CVE-2021-3416)
- OOB access in SLIRP ARP packet processing
(CVE-2020-29130, bsc#1179467)
- null pointer dereference possibility (DoS) in MegaRAID SAS
8708EM2 emulation (CVE-2020-13659 bsc#1172386
- OOB access in iscsi (CVE-2020-11947 bsc#1180523)
- OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)
- buffer overflow in the XGMAC device (CVE-2020-15863
bsc#1174386)
- DoS in packet processing of various emulated NICs
(CVE-2020-16092 bsc#1174641)
- OOB access while processing USB packets (CVE-2020-14364
bsc#1175441)
- package scripts to not use hard coded paths for temporary
working directories and log files (bsc#1182425)
- bsc#1198038 (CVE-2022-0216)
- bsc#1193880 (CVE-2021-3929)
- bsc#1198712 (CVE-2022-26354)
- bsc#1198037 (CVE-2021-4207)
- bsc#1205808 (CVE-2022-4144), bsc#1185000
(CVE-2021-3507)
- bsc#1198035 (CVE-2021-4206)
- kvm,qemu: heap buffer overflow in sdhci_sdma_transfer_multi_blocks()
in hw/sd/sdhci.c (bsc#1175144, CVE-2020-17380, CVE-2020-25085, CVE-2021-3409)
- kvm,qemu: sdhci: out-of-bounds access issue while doing multi block SDMA
(bsc#1176681, CVE-2020-25085)
- Add missing patches, as compared to the qemu package (bsc#1192463):
- bsc#1198038 (CVE-2022-0216)
- bsc#1193880 (CVE-2021-3929)
- bsc#1198712 (CVE-2022-26354)
- bsc#1198037 (CVE-2021-4207)
- bsc#1205808 (CVE-2022-4144), bsc#1185000
(CVE-2021-3507)
- bsc#1198035( CVE-2021-4206)
- kvm,qemu: heap buffer overflow in sdhci_sdma_transfer_multi_blocks()
in hw/sd/sdhci.c (bsc#1175144, CVE-2020-17380, CVE-2020-25085, CVE-2021-3409)
- kvm,qemu: sdhci: out-of-bounds access issue while doing multi block SDMA
(bsc#1176681, CVE-2020-25085)
- Amend .changes file: avoid declaring a still unfixed CVE, as
fixed (bsc#1187529)
- the build breaks caused by binutils update
(bsc#1192463)
ImportantSUSE bug 1094725SUSE bug 1149813SUSE bug 1163019SUSE bug 1172380SUSE bug 1172382SUSE bug 1172383SUSE bug 1172385SUSE bug 1172386SUSE bug 1173612SUSE bug 1174386SUSE bug 1174641SUSE bug 1175144SUSE bug 1175441SUSE bug 1175534SUSE bug 1176673SUSE bug 1176681SUSE bug 1176682SUSE bug 1176684SUSE bug 1178174SUSE bug 1178683SUSE bug 1178934SUSE bug 1178935SUSE bug 1179467SUSE bug 1179468SUSE bug 1179477SUSE bug 1180432SUSE bug 1180433SUSE bug 1180434SUSE bug 1180435SUSE bug 1180523SUSE bug 1181108SUSE bug 1181639SUSE bug 1181933SUSE bug 1182425SUSE bug 1182577SUSE bug 1182651SUSE bug 1182846SUSE bug 1182968SUSE bug 1182975SUSE bug 1185000SUSE bug 1186012SUSE bug 1187364SUSE bug 1187365SUSE bug 1187366SUSE bug 1187367SUSE bug 1187529SUSE bug 1189145SUSE bug 1189702SUSE bug 1189938SUSE bug 1192463SUSE bug 1193880SUSE bug 1198035SUSE bug 1198037SUSE bug 1198038SUSE bug 1198712SUSE bug 1205808CVE-2019-15890 at SUSECVE-2019-15890 at NVDCVE-2020-10756 at SUSECVE-2020-10756 at NVDCVE-2020-11947 at SUSECVE-2020-11947 at NVDCVE-2020-12829 at SUSECVE-2020-12829 at NVDCVE-2020-13362 at SUSECVE-2020-13362 at NVDCVE-2020-13659 at SUSECVE-2020-13659 at NVDCVE-2020-13754 at SUSECVE-2020-13754 at NVDCVE-2020-14364 at SUSECVE-2020-14364 at NVDCVE-2020-15469 at SUSECVE-2020-15469 at NVDCVE-2020-15863 at SUSECVE-2020-15863 at NVDCVE-2020-16092 at SUSECVE-2020-16092 at NVDCVE-2020-17380 at SUSECVE-2020-17380 at NVDCVE-2020-25084 at SUSECVE-2020-25084 at NVDCVE-2020-25085 at SUSECVE-2020-25085 at NVDCVE-2020-25624 at SUSECVE-2020-25624 at NVDCVE-2020-25625 at SUSECVE-2020-25625 at NVDCVE-2020-25707 at SUSECVE-2020-25707 at NVDCVE-2020-25723 at SUSECVE-2020-25723 at NVDCVE-2020-27617 at SUSECVE-2020-27617 at NVDCVE-2020-28916 at SUSECVE-2020-28916 at NVDCVE-2020-29130 at SUSECVE-2020-29130 at NVDCVE-2020-29443 at SUSECVE-2020-29443 at NVDCVE-2020-35503 at SUSECVE-2020-35503 at NVDCVE-2020-35504 at SUSECVE-2020-35504 at NVDCVE-2020-35505 at SUSECVE-2020-35505 at NVDCVE-2020-35506 at SUSECVE-2020-35506 at NVDCVE-2020-8608 at SUSECVE-2020-8608 at NVDCVE-2021-20203 at SUSECVE-2021-20203 at NVDCVE-2021-20221 at SUSECVE-2021-20221 at NVDCVE-2021-20255 at SUSECVE-2021-20255 at NVDCVE-2021-20257 at SUSECVE-2021-20257 at NVDCVE-2021-3409 at SUSECVE-2021-3409 at NVDCVE-2021-3416 at SUSECVE-2021-3416 at NVDCVE-2021-3419 at SUSECVE-2021-3419 at NVDCVE-2021-3507 at SUSECVE-2021-3507 at NVDCVE-2021-3527 at SUSECVE-2021-3527 at NVDCVE-2021-3592 at SUSECVE-2021-3592 at NVDCVE-2021-3593 at SUSECVE-2021-3593 at NVDCVE-2021-3594 at SUSECVE-2021-3594 at NVDCVE-2021-3595 at SUSECVE-2021-3595 at NVDCVE-2021-3682 at SUSECVE-2021-3682 at NVDCVE-2021-3713 at SUSECVE-2021-3713 at NVDCVE-2021-3748 at SUSECVE-2021-3748 at NVDCVE-2021-3929 at SUSECVE-2021-3929 at NVDCVE-2021-4206 at SUSECVE-2021-4206 at NVDCVE-2021-4207 at SUSECVE-2021-4207 at NVDCVE-2022-0216 at SUSECVE-2022-0216 at NVDCVE-2022-26354 at SUSECVE-2022-26354 at NVDCVE-2022-4144 at SUSECVE-2022-4144 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for python-future (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-future fixes the following issues:
- CVE-2022-40899: Fixed an issue that could allow attackers to cause
an excessive CPU usage via a crafted Set-Cookie header (bsc#1206673).
ModerateSUSE bug 1206673CVE-2022-40899 at SUSECVE-2022-40899 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for apache2 fixes the following issues:
- CVE-2023-25690: Fixed HTTP request splitting with mod_rewrite and mod_proxy (bsc#1209047).
The following non-security bugs were fixed:
- Fixed passing health check does not recover worker from its error state (bsc#1208708).
ImportantSUSE bug 1208708SUSE bug 1209047CVE-2023-25690 at SUSECVE-2023-25690 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for curl (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for curl fixes the following issues:
- CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209)
- CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210)
- CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211)
- CVE-2023-27536: Fixed GSS delegation too eager connection re-use (bsc#1209212)
- CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214)
ModerateSUSE bug 1209209SUSE bug 1209210SUSE bug 1209211SUSE bug 1209212SUSE bug 1209214CVE-2023-27533 at SUSECVE-2023-27533 at NVDCVE-2023-27534 at SUSECVE-2023-27534 at NVDCVE-2023-27535 at SUSECVE-2023-27535 at NVDCVE-2023-27536 at SUSECVE-2023-27536 at NVDCVE-2023-27538 at SUSECVE-2023-27538 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python-cffi (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-cffi fixes the following issues:
- CVE-2023-23931: Fixed memory corruption due to immutable python object being changed (bsc#1208036).
ModerateSUSE bug 1208036CVE-2023-23931 at SUSECVE-2023-23931 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xen (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
- CVE-2022-42332: Fixed use-after-free in x86 shadow plus log-dirty mode (bsc#1209017).
- CVE-2022-42331: Fixed speculative vulnerability in 32bit SYSCALL path on x86 (bsc#1209019).
ImportantSUSE bug 1209017SUSE bug 1209019SUSE bug 1209188CVE-2022-42331 at SUSECVE-2022-42331 at NVDCVE-2022-42332 at SUSECVE-2022-42332 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for dpdk (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update of dpdk fixes the following issues:
- rebuild the package with the new secure boot key (bsc#1209188).
ModerateSUSE bug 1209188cpe:/o:suse:sles_teradata:12:sp3Security update for dpdk (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATA
This update of dpdk fixes the following issues:
- rebuild the package with the new secure boot key (bsc#1209188).
ModerateSUSE bug 1209188cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libplist (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libplist fixes the following issues:
- CVE-2015-10082: Fixed XXEsecurity vulnerability with XML plists (bsc#1208546).
ModerateSUSE bug 1208546CVE-2015-10082 at SUSECVE-2015-10082 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for grub2 (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update of grub2 fixes the following issues:
- rebuild the package with the new secure boot key (bsc#1209188).
ModerateSUSE bug 1209188cpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for python-setuptools (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-setuptools fixes the following issues:
- CVE-2022-40897: Fixed an excessive CPU usage that could be triggered
by fetching a malicious HTML document (bsc#1206667).
ModerateSUSE bug 1206667CVE-2022-40897 at SUSECVE-2022-40897 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Critical)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 115.9.1esr ESR MFSA 2024-16 (bsc#1221850)
- CVE-2024-29944: Privileged JavaScript Execution via Event Handlers (bmo#1886852).
CriticalSUSE bug 1221850CVE-2024-29944 at SUSECVE-2024-29944 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for avahi (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for avahi fixes the following issues:
- CVE-2023-38471: Fixed reachable assertion in dbus_set_host_name (bsc#1216594).
- CVE-2023-38469: Fixed reachable assertions in avahi (bsc#1216598).
ModerateSUSE bug 1216594SUSE bug 1216598CVE-2023-38469 at SUSECVE-2023-38469 at NVDCVE-2023-38471 at SUSECVE-2023-38471 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for squid (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for squid fixes the following issues:
- CVE-2024-25617: Fixes denial of service in HTTP header parser (bsc#1219960)
- CVE-2024-25111: Fixes Chunked Encoding Stack Overflow (bsc#1216715)
ImportantSUSE bug 1216715SUSE bug 1219960CVE-2024-25111 at SUSECVE-2024-25111 at NVDCVE-2024-25617 at SUSECVE-2024-25617 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xen (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
- CVE-2023-28746: Register File Data Sampling (bsc#1221332)
- CVE-2024-2193: Fixed GhostRace, a speculative race conditions. (bsc#1221334)
ModerateSUSE bug 1221332SUSE bug 1221334CVE-2023-28746 at SUSECVE-2023-28746 at NVDCVE-2024-2193 at SUSECVE-2024-2193 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libvirt (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libvirt fixes the following issues:
- CVE-2024-2494: Fixed negative g_new0 length can lead to unbounded memory allocation (bsc#1221815).
ModerateSUSE bug 1221815CVE-2024-2494 at SUSECVE-2024-2494 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ncurses (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ncurses fixes the following issues:
- CVE-2023-45918: Fixed NULL pointer dereference via corrupted xterm-256color file (bsc#1220061).
ModerateSUSE bug 1220061CVE-2023-45918 at SUSECVE-2023-45918 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libcares2 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libcares2 fixes the following issues:
- CVE-2024-25629: Fixed out of bounds read in ares__read_line() (bsc#1220279).
ModerateSUSE bug 1220279CVE-2024-25629 at SUSECVE-2024-25629 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postfix (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postfix fixes the following issues:
- CVE-2023-51764: Prevent SMTP smuggling attack. (bsc#1218304)
ModerateSUSE bug 1218304SUSE bug 1218314CVE-2023-51764 at SUSECVE-2023-51764 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for nghttp2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for nghttp2 fixes the following issues:
- CVE-2024-28182: Fixed denial of service via http/2 continuation frames (bsc#1221399)
ImportantSUSE bug 1221399CVE-2024-28182 at SUSECVE-2024-28182 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for less (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for less fixes the following issues:
- CVE-2022-48624: Fixed LESSCLOSE handling in less that does not quote shell metacharacters (bsc#1219901).
ImportantSUSE bug 1219901CVE-2022-48624 at SUSECVE-2022-48624 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for apache2-mod_jk (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for apache2-mod_jk fixes the following issues:
- Upgrade from version 1.2.40 to 1.2.49
- CVE-2023-41081: Fix an information disclosure issue in mod_jk. (bsc#1215301)
ModerateSUSE bug 1167896SUSE bug 1206261SUSE bug 1215301CVE-2023-41081 at SUSECVE-2023-41081 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for util-linux (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for util-linux fixes the following issues:
- CVE-2024-28085: Fixed improper neutralization of escape sequences in wall (bsc#1221831)
ImportantSUSE bug 1221831CVE-2024-28085 at SUSECVE-2024-28085 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
webkit2gtk3 was updated to fix the following issues:
Update to version 2.44.0 (boo#1222010):
- CVE-2024-23252:
Credit to anbu1024 of SecANT.
Impact: Processing web content may lead to a denial-of-service.
Description: The issue was addressed with improved memory handling.
- CVE-2024-23254:
Credit to James Lee (@Windowsrcer).
Impact: A malicious website may exfiltrate audio data cross-origin.
Description: The issue was addressed with improved UI handling.
- CVE-2024-23263:
Credit to Johan Carlsson (joaxcar).
Impact: Processing maliciously crafted web content may prevent
Content Security Policy from being enforced. Description: A logic
issue was addressed with improved validation.
- CVE-2024-23280:
Credit to An anonymous researcher.
Impact: A maliciously crafted webpage may be able to fingerprint the
user. Description: An injection issue was addressed with improved
validation.
- CVE-2024-23284:
Credit to Georg Felber and Marco Squarcina.
Impact: Processing maliciously crafted web content may prevent
Content Security Policy from being enforced. Description: A logic
issue was addressed with improved state management.
- CVE-2023-42950:
Credit to Nan Wang (@eternalsakura13) of 360 Vulnerability Research
Institute and rushikesh nandedkar.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: A use after free issue was
addressed with improved memory management.
- CVE-2023-42956:
Credit to SungKwon Lee (Demon.Team).
Impact: Processing web content may lead to a denial-of-service.
Description: The issue was addressed with improved memory handling.
- CVE-2023-42843:
Credit to Kacper Kwapisz (@KKKas_).
Impact: Visiting a malicious website may lead to address bar
spoofing. Description: An inconsistent user interface issue was
addressed with improved state management.
+ Make the DOM accessibility tree reachable from UI process with GTK4.
+ Removed the X11 and WPE renderers in favor of DMA-BUF.
+ Improved vblank synchronization when rendering.
+ Removed key event reinjection in GTK4 to make keyboard shortcuts work in web sites.
+ Fix gamepads detection by correctly handling focused window in GTK4.
- Use WebAssembly on aarch64. It is the upstream default and no
longer makes the build fail. Stop passing -DENABLE_C_LOOP=ON,
-DENABLE_WEBASSEMBLY=OFF and -DENABLE_SAMPLING_PROFILER=OFF for
the same reason.
ImportantSUSE bug 1222010CVE-2023-42843 at SUSECVE-2023-42843 at NVDCVE-2023-42950 at SUSECVE-2023-42950 at NVDCVE-2023-42956 at SUSECVE-2023-42956 at NVDCVE-2024-23252 at SUSECVE-2024-23252 at NVDCVE-2024-23254 at SUSECVE-2024-23254 at NVDCVE-2024-23263 at SUSECVE-2024-23263 at NVDCVE-2024-23280 at SUSECVE-2024-23280 at NVDCVE-2024-23284 at SUSECVE-2024-23284 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for texlive (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for texlive fixes the following issues:
- CVE-2023-46048: Fixed null pointer dereference in texk/web2c/pdftexdir/writet1.c (bsc#1222126)
LowSUSE bug 1222126CVE-2023-46048 at SUSECVE-2023-46048 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for krb5 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for krb5 fixes the following issues:
- CVE-2024-26458: Fixed a memory leak at /krb5/src/lib/rpc/pmap_rmt.c (bsc#1220770)
ImportantSUSE bug 1220770CVE-2024-26458 at SUSECVE-2024-26458 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for emacs (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for emacs fixes the following issues:
- CVE-2024-30203: Fixed denial of service via MIME contents (bsc#1222053)
- CVE-2024-30204: Fixed denial of service via LaTeX preview in e-mail attachments (bsc#1222052)
- CVE-2024-30205: Fixed Org mode considering contents of remote files as trusted (bsc#1222050)
LowSUSE bug 1222050SUSE bug 1222052SUSE bug 1222053CVE-2024-30203 at SUSECVE-2024-30203 at NVDCVE-2024-30204 at SUSECVE-2024-30204 at NVDCVE-2024-30205 at SUSECVE-2024-30205 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Update to Firefox Extended Support Release 115.10.0 ESR (MSFA 2024-19) (bsc#1222535):
- CVE-2024-3852: GetBoundName in the JIT returned the wrong object
- CVE-2024-3854: Out-of-bounds-read after mis-optimized switch statement
- CVE-2024-3857: Incorrect JITting of arguments led to use-after-free during garbage collection
- CVE-2024-2609: Permission prompt input delay could expire when not in focus
- CVE-2024-3859: Integer-overflow led to out-of-bounds-read in the OpenType sanitizer
- CVE-2024-3861: Potential use-after-free due to AlignedBuffer self-move
- CVE-2024-3863: Download Protections were bypassed by .xrm-ms files on Windows
- CVE-2024-3302: Denial of Service using HTTP/2 CONTINUATION frames
- CVE-2024-3864: Memory safety bug fixed in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10
ImportantSUSE bug 1222535CVE-2024-2609 at SUSECVE-2024-2609 at NVDCVE-2024-3302 at SUSECVE-2024-3302 at NVDCVE-2024-3852 at SUSECVE-2024-3852 at NVDCVE-2024-3854 at SUSECVE-2024-3854 at NVDCVE-2024-3857 at SUSECVE-2024-3857 at NVDCVE-2024-3859 at SUSECVE-2024-3859 at NVDCVE-2024-3861 at SUSECVE-2024-3861 at NVDCVE-2024-3863 at SUSECVE-2024-3863 at NVDCVE-2024-3864 at SUSECVE-2024-3864 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for wireshark (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for wireshark fixes the following issues:
- CVE-2024-24476: Fixed a denial of service in ws_manuf_lookup_str() (bsc#1220181)
ImportantSUSE bug 1220181CVE-2024-24476 at SUSECVE-2024-24476 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for pam (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for pam fixes the following issues:
- CVE-2024-22365: Fixed a local denial of service during PAM login
due to a missing check during path manipulation (bsc#1218475).
ModerateSUSE bug 1218475CVE-2024-22365 at SUSECVE-2024-22365 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for jasper (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for jasper fixes the following issues:
- CVE-2024-31744: Fixed denial of service through assertion failure in jpc_streamlist_remove() (bsc#1223155).
ImportantSUSE bug 1223155CVE-2024-31744 at SUSECVE-2024-31744 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for w3m (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for w3m fixes the following issues:
- CVE-2023-4255: Fixed out-of-bounds write in function checkType() in etc.c (bsc#1218226).
ModerateSUSE bug 1218226CVE-2023-4255 at SUSECVE-2023-4255 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for nrpe (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for nrpe fixes the following issues:
CVE-2014-2913: Fixed remote command execution when command arguments are enabled (bsc#1118590,bsc#874743)
ImportantSUSE bug 1118590SUSE bug 874743CVE-2014-2913 at SUSECVE-2014-2913 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for python-idna (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-idna fixes the following issues:
- CVE-2024-3651: Fixed potential DoS via resource consumption via specially crafted inputs to idna.encode() (bsc#1222842).
ModerateSUSE bug 1222842CVE-2024-3651 at SUSECVE-2024-3651 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-openjdk (Low)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-openjdk fixes the following issues:
- CVE-2024-21011: Fixed denial of service due to long Exception message logging (JDK-8319851,bsc#1222979)
- CVE-2024-21068: Fixed integer overflow in C1 compiler address generation (JDK-8322122,bsc#1222983)
- CVE-2024-21085: Fixed Pack200 excessive memory allocation (JDK-8322114,bsc#1222984)
- CVE-2024-21094: Fixed unauthorized data modification due to C2 compilation failure with 'Exceeded _node_regs array' (JDK-8317507,JDK-8325348,bsc#1222986)
Other fixes:
- Update to version jdk8u412 (icedtea-3.31.0) (April 2024 CPU)
* Security fixes
+ JDK-8318340: Improve RSA key implementations
* Import of OpenJDK 8 u412 build 08
+ JDK-8011180: Delete obsolete scripts
+ JDK-8016451: Scary messages emitted by
build.tools.generatenimbus.PainterGenerator during build
+ JDK-8021961: setAlwaysOnTop doesn't behave correctly in
Linux/Solaris under certain scenarios
+ JDK-8023735: [TESTBUG][macosx]
runtime/XCheckJniJsig/XCheckJSig.java fails on MacOS X
+ JDK-8074860: Structured Exception Catcher missing around
CreateJavaVM on Windows
+ JDK-8079441: Intermittent failures on Windows with 'Unexpected
exit from test [exit code: 1080890248]' (0x406d1388)
+ JDK-8155590: Dubious collection management in
sun.net.www.http.KeepAliveCache
+ JDK-8168518: rcache interop with krb5-1.15
+ JDK-8183503: Update hotspot tests to allow for unique test
classes directory
+ JDK-8186095: upgrade to jtreg 4.2 b08
+ JDK-8186199: [windows] JNI_DestroyJavaVM not covered by SEH
+ JDK-8192931: Regression test
java/awt/font/TextLayout/CombiningPerf.java fails
+ JDK-8208655: use JTreg skipped status in hotspot tests
+ JDK-8208701: Fix for JDK-8208655 causes test failures in CI
tier1
+ JDK-8208706: compiler/tiered/
/ConstantGettersTransitionsTest.java fails to compile
+ JDK-8213410: UseCompressedOops requirement check fails fails
on 32-bit system
+ JDK-8222323: ChildAlwaysOnTopTest.java fails with
'RuntimeException: Failed to unset alwaysOnTop'
+ JDK-8224768: Test ActalisCA.java fails
+ JDK-8251155: HostIdentifier fails to canonicalize hostnames
starting with digits
+ JDK-8251551: Use .md filename extension for README
+ JDK-8268678: LetsEncryptCA.java test fails as Let’s Encrypt
Authority X3 is retired
+ JDK-8270280: security/infra/java/security/cert/
/CertPathValidator/certification/LetsEncryptCA.java OCSP
response error
+ JDK-8270517: Add Zero support for LoongArch
+ JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/
/security/cert/CertPathValidator/certification/BuypassCA.java
no longer needs ocspEnabled
+ JDK-8276139: TestJpsHostName.java not reliable, better to
expand HostIdentifierCreate.java test
+ JDK-8288132: Update test artifacts in QuoVadis CA interop
tests
+ JDK-8297955: LDAP CertStore should use LdapName and not
String for DNs
+ JDK-8301310: The SendRawSysexMessage test may cause a JVM
crash
+ JDK-8308592: Framework for CA interoperability testing
+ JDK-8312126: NullPointerException in CertStore.getCRLs after
8297955
+ JDK-8315042: NPE in PKCS7.parseOldSignedData
+ JDK-8315757: [8u] Add cacerts JTREG tests to GHA tier1 test
set
+ JDK-8320713: Bump update version of OpenJDK: 8u412
+ JDK-8321060: [8u] hotspot needs to recognise VS2022
+ JDK-8321408: Add Certainly roots R1 and E1
+ JDK-8322725: (tz) Update Timezone Data to 2023d
+ JDK-8322750: Test 'api/java_awt/interactive/
/SystemTrayTests.html' failed because A blue ball icon is
added outside of the system tray
+ JDK-8323202: [8u] Remove get_source.sh and hgforest.sh
+ JDK-8323640: [TESTBUG]testMemoryFailCount in jdk/internal/
/platform/docker/TestDockerMemoryMetrics.java always fail
because OOM killed
+ JDK-8324530: Build error with gcc 10
+ JDK-8325150: (tz) Update Timezone Data to 2024a
* Bug fixes
+ Support make 4.4
- Do not recommend timezone-java8 (bsc#1213470)
- Use %patch -P N instead of deprecated %patchN.
LowSUSE bug 1213470SUSE bug 1222979SUSE bug 1222983SUSE bug 1222984SUSE bug 1222986CVE-2024-21011 at SUSECVE-2024-21011 at NVDCVE-2024-21068 at SUSECVE-2024-21068 at NVDCVE-2024-21085 at SUSECVE-2024-21085 at NVDCVE-2024-21094 at SUSECVE-2024-21094 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for shim (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for shim fixes the following issues:
- Update shim-install to set the TPM2 SRK algorithm (bsc#1213945)
- Limit the requirement of fde-tpm-helper-macros to the distro with
suse_version 1600 and above (bsc#1219460)
Update to version 15.8:
Security issues fixed:
- mok: fix LogError() invocation (bsc#1215099,CVE-2023-40546)
- avoid incorrectly trusting HTTP headers (bsc#1215098,CVE-2023-40547)
- Fix integer overflow on SBAT section size on 32-bit system (bsc#1215100,CVE-2023-40548)
- Authenticode: verify that the signature header is in bounds (bsc#1215101,CVE-2023-40549)
- pe: Fix an out-of-bound read in verify_buffer_sbat() (bsc#1215102,CVE-2023-40550)
- pe-relocate: Fix bounds check for MZ binaries (bsc#1215103,CVE-2023-40551)
The NX flag is disable which is same as the default value of shim-15.8, hence, not need to enable it by this patch now.
- Generate dbx during build so we don't include binary files in sources
- Don't require grub so shim can still be used with systemd-boot
- Update shim-install to fix boot failure of ext4 root file system
on RAID10 (bsc#1205855)
- Adopt the macros from fde-tpm-helper-macros to update the
signature in the sealed key after a bootloader upgrade
- Update shim-install to amend full disk encryption support
- Adopt TPM 2.0 Key File for grub2 TPM 2.0 protector
- Use the long name to specify the grub2 key protector
- cryptodisk: support TPM authorized policies
- Do not use tpm_record_pcrs unless the command is in command.lst
- Removed POST_PROCESS_PE_FLAGS=-N from the build command in shim.spec to
enable the NX compatibility flag when using post-process-pe after
discussed with grub2 experts in mail. It's useful for further development
and testing. (bsc#1205588)
ImportantSUSE bug 1198101SUSE bug 1205588SUSE bug 1205855SUSE bug 1210382SUSE bug 1213945SUSE bug 1215098SUSE bug 1215099SUSE bug 1215100SUSE bug 1215101SUSE bug 1215102SUSE bug 1215103SUSE bug 1219460CVE-2022-28737 at SUSECVE-2022-28737 at NVDCVE-2023-40546 at SUSECVE-2023-40546 at NVDCVE-2023-40547 at SUSECVE-2023-40547 at NVDCVE-2023-40548 at SUSECVE-2023-40548 at NVDCVE-2023-40549 at SUSECVE-2023-40549 at NVDCVE-2023-40550 at SUSECVE-2023-40550 at NVDCVE-2023-40551 at SUSECVE-2023-40551 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for avahi (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for avahi fixes the following issues:
- CVE-2023-38472: Fixed denial of service due to a reachable assertion found in avahi_rdata_parse (bsc#1216853)
- CVE-2023-38470: Fixed denial of service due to a reachable assertion found in avahi_escape_label (bsc#1215947)
---------------------------------------------------------------- ModerateSUSE bug 1215947SUSE bug 1216853CVE-2023-38470 at SUSECVE-2023-38470 at NVDCVE-2023-38472 at SUSECVE-2023-38472 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for SUSE Manager Client Tools (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update fixes the following issues:
golang-github-prometheus-node_exporter:
- Update to 1.7.0 (jsc#PED-7893, jsc#PED-7928):
* [FEATURE] Add ZFS freebsd per dataset stats #2753
* [FEATURE] Add cpu vulnerabilities reporting from sysfs #2721
* [ENHANCEMENT] Parallelize stat calls in Linux filesystem
collector #1772
* [ENHANCEMENT] Add missing linkspeeds to ethtool collector #2711
* [ENHANCEMENT] Add CPU MHz as the value for node_cpu_info metric
#2778
* [ENHANCEMENT] Improve qdisc collector performance #2779
* [ENHANCEMENT] Add include and exclude filter for hwmon
collector #2699
* [ENHANCEMENT] Optionally fetch ARP stats via rtnetlink instead
of procfs #2777
* [BUFFIX] Fix ZFS arcstats on FreeBSD 14.0+ 2754
* [BUGFIX] Fallback to 32-bit stats in netdev #2757
* [BUGFIX] Close btrfs.FS handle after use #2780
* [BUGFIX] Move RO status before error return #2807
* [BUFFIX] Fix promhttp_metric_handler_errors_total being always
active #2808
* [BUGFIX] Fix nfsd v4 index miss #2824
- Update to 1.6.1:
(no source code changes in this release)
- BuildRequire go1.20
- Update to 1.6.0:
* [CHANGE] Fix cpustat when some cpus are offline #2318
* [CHANGE] Remove metrics of offline CPUs in CPU collector #2605
* [CHANGE] Deprecate ntp collector #2603
* [CHANGE] Remove bcache `cache_readaheads_totals` metrics #2583
* [CHANGE] Deprecate supervisord collector #2685
* [FEATURE] Enable uname collector on NetBSD #2559
* [FEATURE] NetBSD support for the meminfo collector #2570
* [FEATURE] NetBSD support for CPU collector #2626
* [FEATURE] Add FreeBSD collector for netisr subsystem #2668
* [FEATURE] Add softirqs collector #2669
* [ENHANCEMENT] Add suspended as a `node_zfs_zpool_state` #2449
* [ENHANCEMENT] Add administrative state of Linux network
interfaces #2515
* [ENHANCEMENT] Log current value of GOMAXPROCS #2537
* [ENHANCEMENT] Add profiler options for perf collector #2542
* [ENHANCEMENT] Allow root path as metrics path #2590
* [ENHANCEMENT] Add cpu frequency governor metrics #2569
* [ENHANCEMENT] Add new landing page #2622
* [ENHANCEMENT] Reduce privileges needed for btrfs device stats
#2634
* [ENHANCEMENT] Add ZFS `memory_available_bytes` #2687
* [ENHANCEMENT] Use `SCSI_IDENT_SERIAL` as serial in diskstats
#2612
* [ENHANCEMENT] Read missing from netlink netclass attributes
from sysfs #2669
* [BUGFIX] perf: fixes for automatically detecting the correct
tracefs mountpoints #2553
* [BUGFIX] Fix `thermal_zone` collector noise @2554
* [BUGFIX] Fix a problem fetching the user wire count on FreeBSD
2584
* [BUGFIX] interrupts: Fix fields on linux aarch64 #2631
* [BUGFIX] Remove metrics of offline CPUs in CPU collector #2605
* [BUGFIX] Fix OpenBSD filesystem collector string parsing #2637
* [BUGFIX] Fix bad reporting of `node_cpu_seconds_total` in
OpenBSD #2663
- Change go_modules archive in _service to use obscpio file
grafana:
- Packaging improvements:
* Changed deprecated `disabled` service mode to `manual`
* Drop golang-packaging macros
* Drop explicit mod=vendor as it is enabled automatically
- Update to version 9.5.18:
* [SECURITY] CVE-2024-1313: Require same organisation when
deleting snapshots (bsc#1222155)
- Update to version 9.5.17:
* [FEATURE] Alerting: Backport use Alertmanager API v2
- Require Go 1.20
- Update to version 9.5.16:
* [SECURITY] CVE-2023-6152: Add email verification when updating
user email (bsc#1219912)
* [BUGFIX] Annotations: Split cleanup into separate queries and
deletes to avoid deadlocks on MySQL
- Update to version 9.5.15:
* [FEATURE] Alerting: Attempt to retry retryable errors
- Update to version 9.5.14:
* [BUGFIX] Alerting: Fix state manager to not keep
datasource_uid and ref_id labels in state after Error
* [BUGFIX] Transformations: Config overrides being lost when
config from query transform is applied
* [BUGFIX] LDAP: Fix enable users on successfull login
- Update to version 9.5.13:
* [BUGFIX] BrowseDashboards: Only remember the most recent
expanded folder
* [BUGFIX] Licensing: Pass func to update env variables when
starting plugin
- Update to version 9.5.12:
* [FEATURE] Azure: Add support for Workload Identity
authentication
- Update to version 9.5.9:
* [FEATURE] SSE: Fix DSNode to not panic when response has empty
response
* [FEATURE] Prometheus: Handle the response with different field
key order
* [BUGFIX] LDAP: Fix user disabling
mgr-daemon:
- Version 4.3.9-0
* Update translation strings
spacecmd:
- Version 4.3.27-0
* Update translation strings
spacewalk-client-tools:
- Version 4.3.19-0
* Update translation strings
spacewalk-koan:
- Version 4.3.6-0
* Change Docker image location for test
uyuni-common-libs:
- Version 4.3.10-0
* Add support for package signature type V4 RSA/SHA384
* Add support for package signature type V4 RSA/SHA512 (bsc#1221465)
ModerateSUSE bug 1219912SUSE bug 1221465SUSE bug 1222155CVE-2023-6152 at SUSECVE-2023-6152 at NVDCVE-2024-1313 at SUSECVE-2024-1313 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for xen (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
- CVE-2024-2201: Mitigation for Native Branch History Injection (XSA-456, bsc#1222453)
- CVE-2023-46842: HVM hypercalls may trigger Xen bug check (XSA-454, bsc#1221984)
- CVE-2024-31142: Fixed incorrect logic for BTC/SRSO mitigations (XSA-455, bsc#1222302)
ModerateSUSE bug 1221984SUSE bug 1222302SUSE bug 1222453CVE-2023-46842 at SUSECVE-2023-46842 at NVDCVE-2024-2201 at SUSECVE-2024-2201 at NVDCVE-2024-31142 at SUSECVE-2024-31142 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for less (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for less fixes the following issues:
- CVE-2024-32487: Fixed mishandling of \n character in paths when LESSOPEN is set leads to OS command execution. (bsc#1222849)
ImportantSUSE bug 1222849CVE-2024-32487 at SUSECVE-2024-32487 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for ding-libs, sssd (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ding-libs, sssd fixes the following issues:
Changes in sssd:
- CVE-2023-3758: Fix possible race evaluating GPO based access policies (bsc#1223100).
Changes in ding-libs:
- Add new hash key constant string type (bsc#1223100).
ImportantSUSE bug 1223100CVE-2023-3758 at SUSECVE-2023-3758 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for ghostscript (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ghostscript fixes the following issues:
- CVE-2023-52722: Do not allow eexec seeds other than the Type 1 standard while using SAFER mode (bsc#1223852).
ModerateSUSE bug 1223852CVE-2023-52722 at SUSECVE-2023-52722 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xorg-x11-server (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xorg-x11-server fixes the following issues:
- CVE-2024-31080: Xi: ProcXIGetSelectedEvents needs to use unswapped length (bsc#1222309)
- CVE-2024-31081: Xi: ProcXIPassiveGrabDevice needs to use unswapped length to send reply (bsc#1222310)
- CVE-2024-3108: Xquartz: ProcAppleDRICreatePixmap needs to use unswapped length to send reply (bsc#1222311)
- CVE-2024-31083: render: fix refcounting of glyphs during ProcRenderAddGlyphs (bsc#1222312)
ImportantSUSE bug 1222309SUSE bug 1222310SUSE bug 1222311SUSE bug 1222312SUSE bug 1222442CVE-2024-31080 at SUSECVE-2024-31080 at NVDCVE-2024-31081 at SUSECVE-2024-31081 at NVDCVE-2024-31082 at SUSECVE-2024-31082 at NVDCVE-2024-31083 at SUSECVE-2024-31083 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for giflib (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for giflib fixes the following issues:
- CVE-2018-11490: Fixed a heap-based buffer overflow in DGifDecompressLine() (bsc#1094832)
- CVE-2021-40633: Fixed a denial of service from excessive memory (bsc#1200551)
ImportantSUSE bug 1094832SUSE bug 1200551CVE-2018-11490 at SUSECVE-2018-11490 at NVDCVE-2021-40633 at SUSECVE-2021-40633 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for opensc (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for opensc fixes the following issues:
- CVE-2023-5992: Fixed a side-channel leaks while stripping encryption PKCS#1 padding (bsc#1219386)
ModerateSUSE bug 1219386CVE-2023-5992 at SUSECVE-2023-5992 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python-pyOpenSSL (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python-pyOpenSSL fixes the following issues:
- CVE-2018-1000807: Fixed a use-after-free in X509 object handling (bsc#1111635)
- CVE-2018-1000808: Fixed a use-after-free in PKCS #12 Store (bsc#1111634)
ImportantSUSE bug 1021578SUSE bug 1111634SUSE bug 1111635CVE-2018-1000807 at SUSECVE-2018-1000807 at NVDCVE-2018-1000808 at SUSECVE-2018-1000808 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for apache2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for apache2 fixes the following issues:
- CVE-2023-38709: Fixed faulty input validation inside the HTTP response splitting code (bsc#1222330).
- CVE-2024-24795: Fixed handling of malicious HTTP splitting response headers in multiple modules (bsc#1222332).
- CVE-2024-27316: Fixed HTTP/2 CONTINUATION frames that could have been utilized for DoS attacks (bsc#1221401).
ImportantSUSE bug 1221401SUSE bug 1222330SUSE bug 1222332CVE-2023-38709 at SUSECVE-2023-38709 at NVDCVE-2024-24795 at SUSECVE-2024-24795 at NVDCVE-2024-27316 at SUSECVE-2024-27316 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for SUSE Manager Client Tools Beta (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for SUSE Manager Client Tools Beta fixes the following issues:
- Changed codestream origin of SUSE Manager Client Tools Beta (no source changes)
icinga in SUSE Manager Client Tools Beta also received the following security fixes:
- CVE-2016-9566: Fixed root privilege escalation (bsc#1014637)
- CVE-2019-3698 : Symbolic Link (Symlink) following
vulnerability in the cronjob allows local attackers to cause cause
DoS or potentially escalate privileges by winning a race (bsc#1156309)
ModerateSUSE bug 1014637SUSE bug 1156309CVE-2016-9566 at SUSECVE-2016-9566 at NVDCVE-2019-3698 at SUSECVE-2019-3698 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for postgresql16 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql16 fixes the following issues:
PostgreSQL upgrade to version 16.3 (bsc#1224051):
- CVE-2024-4317: Fixed visibility restriction of pg_stats_ext and pg_stats_ext_exprs entries to the table owner (bsc#1224038).
Bug fixes:
- Fix incompatibility with LLVM 18.
- Prepare for PostgreSQL 17.
- Make sure all compilation and doc generation happens in %build.
- Require LLVM <= 17 for now, because LLVM 18 doesn't seem to work.
- Remove constraints file because improved memory usage for s390x
- Use %patch -P N instead of deprecated %patchN.
Release notes:
- https://www.postgresql.org/docs/release/16.3/
ModerateSUSE bug 1224038SUSE bug 1224051CVE-2024-4317 at SUSECVE-2024-4317 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql15 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql15 fixes the following issues:
PostgreSQL upgrade to version 15.7 (bsc#1224051):
- CVE-2024-4317: Fixed visibility restriction of pg_stats_ext and pg_stats_ext_exprs entries to the table owner (bsc#1224038).
Bug fixes:
- Fix incompatibility with LLVM 18.
- Prepare for PostgreSQL 17.
- Make sure all compilation and doc generation happens in %build.
- Require LLVM <= 17 for now, because LLVM 18 doesn't seem to work.
- Remove constraints file because improved memory usage for s390x
- Use %patch -P N instead of deprecated %patchN.
Release notes:
- https://www.postgresql.org/docs/release/15.7/
ModerateSUSE bug 1224038SUSE bug 1224051CVE-2024-4317 at SUSECVE-2024-4317 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3 fixes the following issues:
- CVE-2023-52425: Fixed etree XMLPullParser tests for Expat >=2.6.0 with reparse deferral (bsc#1219559).
ModerateSUSE bug 1219559CVE-2023-52425 at SUSECVE-2023-52425 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python fixes the following issues:
- CVE-2023-52425: Fixed using the system libexpat (bsc#1219559).
- CVE-2023-27043: Modifed fix for unicode string handling in email.utils.parseaddr() (bsc#1222537).
- CVE-2022-48560: Fixed use-after-free in Python via heappushpop in heapq (bsc#1214675).
Bug fixes:
- Switch off tests. ONLY FOR FACTORY!!! (bsc#1219306).
- Build with -std=gnu89 to build correctly with gcc14 (bsc#1220970).
- Switch from %patchN style to the %patch -P N one.
ModerateSUSE bug 1214675SUSE bug 1219306SUSE bug 1219559SUSE bug 1220970SUSE bug 1222537CVE-2022-48560 at SUSECVE-2022-48560 at NVDCVE-2023-27043 at SUSECVE-2023-27043 at NVDCVE-2023-52425 at SUSECVE-2023-52425 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for glibc (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for glibc fixes the following issues:
- nscd: Fix use-after-free in addgetnetgrentX (BZ #23520)
- CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup cache (bsc#1223423, BZ #31677)
- CVE-2024-33600: nscd: Avoid null pointer crashes after notfound response (bsc#1223424, BZ #31678)
- CVE-2024-33600: nscd: Do not send missing not-found response in addgetnetgrentX (bsc#1223424, BZ #31678)
- CVE-2024-33601, CVE-2024-33602: netgroup: Use two buffers in addgetnetgrentX (bsc#1223425, BZ #31680)
- CVE-2024-33602: Use time_t for return type of addgetnetgrentX (bsc#1223425)
- CVE-2024-2961: iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence (bsc#1222992)
ImportantSUSE bug 1222992SUSE bug 1223423SUSE bug 1223424SUSE bug 1223425CVE-2024-2961 at SUSECVE-2024-2961 at NVDCVE-2024-33599 at SUSECVE-2024-33599 at NVDCVE-2024-33600 at SUSECVE-2024-33600 at NVDCVE-2024-33601 at SUSECVE-2024-33601 at NVDCVE-2024-33602 at SUSECVE-2024-33602 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for glibc (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATA
This update for glibc fixes the following issues:
- nscd: Fix use-after-free in addgetnetgrentX (BZ #23520)
- CVE-2024-33599; nscd: Stack-based buffer overflow in netgroup cache
(bsc#1223423, BZ #31677)
- CVE-2024-33600: nscd: Avoid null pointer crashes after notfound response
(bsc#1223424, BZ #31678)
- CVE-2024-33600: nscd: Do not send missing not-found response in addgetnetgrentX
(bsc#1223424, BZ #31678)
- CVE-2024-33601, CVE-2024-33602: netgroup: Use two buffers in addgetnetgrentX ( bsc#1223425, BZ #31680)
- CVE-2024-33602: Use time_t for return type of addgetnetgrentX (bsc#1223425)
- CVE-2024-2961; iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence (bsc#1222992)
ImportantSUSE bug 1222992SUSE bug 1223423SUSE bug 1223424SUSE bug 1223425CVE-2024-2961 at SUSECVE-2024-2961 at NVDCVE-2024-33599 at SUSECVE-2024-33599 at NVDCVE-2024-33600 at SUSECVE-2024-33600 at NVDCVE-2024-33601 at SUSECVE-2024-33601 at NVDCVE-2024-33602 at SUSECVE-2024-33602 at NVDcpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Update to version 115.11.0 ESR (bsc#1224056):
- CVE-2024-4367: Arbitrary JavaScript execution in PDF.js
- CVE-2024-4767: IndexedDB files retained in private browsing mode
- CVE-2024-4768: Potential permissions request bypass via clickjacking
- CVE-2024-4769: Cross-origin responses could be distinguished between script and non-script content-types
- CVE-2024-4770: Use-after-free could occur when printing to PDF
- CVE-2024-4777: Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11
ImportantSUSE bug 1222535SUSE bug 1224056CVE-2024-2609 at SUSECVE-2024-2609 at NVDCVE-2024-3302 at SUSECVE-2024-3302 at NVDCVE-2024-3852 at SUSECVE-2024-3852 at NVDCVE-2024-3854 at SUSECVE-2024-3854 at NVDCVE-2024-3857 at SUSECVE-2024-3857 at NVDCVE-2024-3859 at SUSECVE-2024-3859 at NVDCVE-2024-3861 at SUSECVE-2024-3861 at NVDCVE-2024-3863 at SUSECVE-2024-3863 at NVDCVE-2024-3864 at SUSECVE-2024-3864 at NVDCVE-2024-4367 at SUSECVE-2024-4367 at NVDCVE-2024-4767 at SUSECVE-2024-4767 at NVDCVE-2024-4768 at SUSECVE-2024-4768 at NVDCVE-2024-4769 at SUSECVE-2024-4769 at NVDCVE-2024-4770 at SUSECVE-2024-4770 at NVDCVE-2024-4777 at SUSECVE-2024-4777 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for gdk-pixbuf (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gdk-pixbuf fixes the following issues:
- CVE-2022-48622: Fixed files rejection with multiple anih chunks (bsc#1219276).
ImportantSUSE bug 1219276CVE-2022-48622 at SUSECVE-2022-48622 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ucode-intel (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ucode-intel fixes the following issues:
Intel CPU Microcode was updated to the 20240514 release (bsc#1224277)
- CVE-2023-45733: Fixed a potential security vulnerability in some
Intel? Processors that may have allowed information disclosure.
- CVE-2023-46103: Fixed a potential security vulnerability in Intel?
Core™ Ultra Processors that may have allowed denial of service.
- CVE-2023-45745,CVE-2023-47855: Fixed a potential security
vulnerabilities in some Intel? Trust Domain Extensions (TDX) module
software that may have allowed escalation of privilege.
ImportantSUSE bug 1224277CVE-2023-45733 at SUSECVE-2023-45733 at NVDCVE-2023-45745 at SUSECVE-2023-45745 at NVDCVE-2023-46103 at SUSECVE-2023-46103 at NVDCVE-2023-47855 at SUSECVE-2023-47855 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for postgresql14 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql14 fixes the following issues:
PostgreSQL upgrade to version 14.12 (bsc#1224051):
- CVE-2024-4317: Fixed visibility restriction of pg_stats_ext and pg_stats_ext_exprs entries to the table owner (bsc#1224038).
Bug fixes:
- Fix incompatibility with LLVM 18.
- Prepare for PostgreSQL 17.
- Make sure all compilation and doc generation happens in %build.
- Require LLVM <= 17 for now, because LLVM 18 doesn't seem to work.
- Remove constraints file because improved memory usage for s390x
- Use %patch -P N instead of deprecated %patchN.
Release notes:
- https://www.postgresql.org/docs/release/14.12/
ModerateSUSE bug 1224038SUSE bug 1224051CVE-2024-4317 at SUSECVE-2024-4317 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libosinfo (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libosinfo fixes the following issues:
- CVE-2019-13313: Fixed password leak via command line argument inside osinfo-install-script (bsc#1140749).
LowSUSE bug 1140749CVE-2019-13313 at SUSECVE-2019-13313 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python36 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python36 fixes the following issues:
- CVE-2023-52425: Fixed backport so it uses features sniffing, not just comparing version number (bsc#1219559).
- CVE-2024-0450: Fixed detecting the vulnerability of 'quoted-overlap' zipbomb (bsc#1221854).
Bug fixes:
- Fixed syslog making default 'ident from sys.argv[0] (bsc#1222109).
ImportantSUSE bug 1219559SUSE bug 1220664SUSE bug 1221563SUSE bug 1221854SUSE bug 1222075SUSE bug 1222109CVE-2023-52425 at SUSECVE-2023-52425 at NVDCVE-2024-0450 at SUSECVE-2024-0450 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python fixes the following issues:
- CVE-2024-0450: Fixed detecting the vulnerability of 'quoted-overlap' zipbomb (bsc#1221854).
ModerateSUSE bug 1221854CVE-2024-0450 at SUSECVE-2024-0450 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for glib2 (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for glib2 fixes the following issues:
- CVE-2024-34397: Fixed signal subscription unicast spoofing vulnerability (bsc#1224044).
LowSUSE bug 1224044CVE-2024-34397 at SUSECVE-2024-34397 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3 fixes the following issues:
- CVE-2024-0450: Fixed detecting the vulnerability of 'quoted-overlap' zipbomb (bsc#1221854).
ModerateSUSE bug 1221854CVE-2024-0450 at SUSECVE-2024-0450 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-ibm fixes the following issues:
Update to Java 8.0 Service Refresh 8 Fix Pack 25 (bsc#1223470):
- CVE-2023-38264: Fixed Object Request Broker (ORB) denial of service (bsc#1224164).
- CVE-2024-21094: Fixed C2 compilation fails with 'Exceeded _node_regs array' (bsc#1222986).
- CVE-2024-21068: Fixed integer overflow in C1 compiler address generation (bsc#1222983).
- CVE-2024-21085: Fixed Pack200 excessive memory allocation (bsc#1222984).
- CVE-2024-21011: Fixed Long Exception message leading to crash (bsc#1222979).
- CVE-2024-21012: Fixed HTTP/2 client improper reverse DNS lookup (bsc#1222987).
ImportantSUSE bug 1222979SUSE bug 1222983SUSE bug 1222984SUSE bug 1222986SUSE bug 1222987SUSE bug 1223470SUSE bug 1224164CVE-2023-38264 at SUSECVE-2023-38264 at NVDCVE-2024-21011 at SUSECVE-2024-21011 at NVDCVE-2024-21012 at SUSECVE-2024-21012 at NVDCVE-2024-21068 at SUSECVE-2024-21068 at NVDCVE-2024-21085 at SUSECVE-2024-21085 at NVDCVE-2024-21094 at SUSECVE-2024-21094 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libfastjson (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libfastjson fixes the following issues:
- CVE-2020-12762: Fixed integer overflow and out-of-bounds write via a large JSON file (bsc#1171479).
ImportantSUSE bug 1171479CVE-2020-12762 at SUSECVE-2020-12762 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for squid (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for squid fixes the following issues:
- CVE-2024-33427: Fixed possible buffer overread that could have led to a denial-of-service (bsc#1225417).
ModerateSUSE bug 1225417CVE-2024-33427 at SUSECVE-2024-33427 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tiff (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tiff fixes the following issues:
- CVE-2023-3164: Fixed a heap buffer overflow in tiffcrop. (bsc#1212233)
ModerateSUSE bug 1212233CVE-2023-3164 at SUSECVE-2023-3164 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for gstreamer-plugins-base (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gstreamer-plugins-base fixes the following issues:
- CVE-2024-4453: Fixed lack of proper validation of user-supplied data when parsing EXIF metadata (bsc#1224806)
ImportantSUSE bug 1224806CVE-2024-4453 at SUSECVE-2024-4453 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for poppler (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for poppler fixes the following issues:
- CVE-2024-4141: Fixed out-of-bounds array write (bsc#1223375).
LowSUSE bug 1223375CVE-2024-4141 at SUSECVE-2024-4141 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for tomcat (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tomcat fixes the following issues:
Security fixes:
- CVE-2023-46589: Fixed HTTP request smuggling due to incorrect headers parsing. (bsc#1217649)
Other fixes:
- Streamline how patches are handled in the spec file of the package
ModerateSUSE bug 1217649CVE-2023-46589 at SUSECVE-2023-46589 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Update to Firefox Extended Support Release 115.7.0 ESR (MFSA 2024-02) (bsc#1218955):
- CVE-2024-0741: Out of bounds write in ANGLE
- CVE-2024-0742: Failure to update user input timestamp
- CVE-2024-0746: Crash when listing printers on Linux
- CVE-2024-0747: Bypass of Content Security Policy when directive unsafe-inline was set
- CVE-2024-0749: Phishing site popup could show local origin in address bar
- CVE-2024-0750: Potential permissions request bypass via clickjacking
- CVE-2024-0751: Privilege escalation through devtools
- CVE-2024-0753: HSTS policy on subdomain could bypass policy of upper domain
- CVE-2024-0755: Memory safety bugs fixed in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7
ImportantSUSE bug 1218955CVE-2024-0741 at SUSECVE-2024-0741 at NVDCVE-2024-0742 at SUSECVE-2024-0742 at NVDCVE-2024-0746 at SUSECVE-2024-0746 at NVDCVE-2024-0747 at SUSECVE-2024-0747 at NVDCVE-2024-0749 at SUSECVE-2024-0749 at NVDCVE-2024-0750 at SUSECVE-2024-0750 at NVDCVE-2024-0751 at SUSECVE-2024-0751 at NVDCVE-2024-0753 at SUSECVE-2024-0753 at NVDCVE-2024-0755 at SUSECVE-2024-0755 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for glibc (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update of glibc fixes the following issues:
- CVE-2023-4813: Fixed a potential use-after-free in gaih_inet() (bsc#1215286, BZ #28931)
- CVE-2016-10739: getaddrinfo: Fully parse IPv4 address strings (bsc#1122729, BZ #20018)
- S390: Fix relocation of _nl_current_LC_CATETORY_used in static build (bsc#1215504, BZ #19860)
ModerateSUSE bug 1122729SUSE bug 1215286SUSE bug 1215504CVE-2016-10739 at SUSECVE-2016-10739 at NVDCVE-2023-4813 at SUSECVE-2023-4813 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for jasper (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for jasper fixes the following issues:
- CVE-2023-51257: Fixed an out of bounds write in the JPC encoder (bsc#1218802).
ModerateSUSE bug 1218802CVE-2023-51257 at SUSECVE-2023-51257 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for cpio (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for cpio fixes the following issues:
- CVE-2023-7207: Fixed a path traversal issue that could lead to an
arbitrary file write during archive extraction (bsc#1218571).
ModerateSUSE bug 1218571CVE-2023-7207 at SUSECVE-2023-7207 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for squid (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for squid fixes the following issues:
- CVE-2023-50269: fixed X-Forwarded-For Stack Overflow. (bsc#1217654)
- CVE-2024-23638: fixed Denial of Service attack against Cache Manager error responses. (bsc#1219131)
ImportantSUSE bug 1217654SUSE bug 1219131CVE-2023-50269 at SUSECVE-2023-50269 at NVDCVE-2024-23638 at SUSECVE-2024-23638 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for xen (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xen fixes the following issues:
- CVE-2023-46839: Fixed phantom functions assigned to incorrect contexts (XSA-449) (bsc#1218851)
ModerateSUSE bug 1218851CVE-2023-46839 at SUSECVE-2023-46839 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for python36-urllib3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python36-urllib3 fixes the following issues:
- CVE-2023-45803: Fixed request body not stripped after redirect from 303 status changes request method to GET. (bsc#1216377)
ModerateSUSE bug 1216377CVE-2023-45803 at SUSECVE-2023-45803 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for squid (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATA
This update for squid fixes the following issues:
- CVE-2023-50269: fixed X-Forwarded-For Stack Overflow. (bsc#1217654)
- CVE-2024-23638: fixed Denial of Service attack against Cache Manager error responses. (bsc#1219131)
ImportantSUSE bug 1217654SUSE bug 1219131CVE-2023-50269 at SUSECVE-2023-50269 at NVDCVE-2024-23638 at SUSECVE-2024-23638 at NVDcpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for xerces-c (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for xerces-c fixes the following issues:
- CVE-2018-1311: fixed use-after-free triggered during the scanning of external DTDs potentially leading to DOS. (bsc#1159552)
ImportantSUSE bug 1159552CVE-2018-1311 at SUSECVE-2018-1311 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for gstreamer (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gstreamer fixes the following issues:
- CVE-2023-40474: Fixed an integer overflow during MXF file parsing (bsc#1215796).
ImportantSUSE bug 1215796CVE-2023-40474 at SUSECVE-2023-40474 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for open-vm-tools (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for open-vm-tools fixes the following issues:
- CVE-2023-34058: Fixed a SAML token signature bypass (bsc#1216432).
- CVE-2023-34059: Fixed a file descriptor hijacking issue in
vmware-user-suid-wrapper (bsc#1216433).
ImportantSUSE bug 1216432SUSE bug 1216433CVE-2023-34058 at SUSECVE-2023-34058 at NVDCVE-2023-34059 at SUSECVE-2023-34059 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for gdb (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gdb fixes the following issues:
- Drop libdebuginfod1 BuildRequires/Recommends. The former isn't
needed because there's a build requirement on libdebuginfod-devel
already, which will pull the shared library. And the latter,
because it's bogus since RPM auto generated dependency will take
care of that requirement.
gdb was released in 13.2:
* This version of GDB includes the following changes and enhancements:
* Support for the following new targets has been added in both GDB and GDBserver:
* GNU/Linux/LoongArch (gdbserver) loongarch*-*-linux*
* GNU/Linux/CSKY (gdbserver) csky*-*linux*
* The Windows native target now supports target async.
* Floating-point support has now been added on LoongArch GNU/Linux.
* New commands:
* set print nibbles [on|off]
* show print nibbles
* This controls whether the 'print/t' command will display binary values in groups of four bits, known as 'nibbles'. The default is 'off'.
Various styling-related commands. See the gdb/NEWS file for more details.
Various maintenance commands. These are normally aimed at GDB experts or developers. See the gdb/NEWS file for more details.
* Python API improvements:
* New Python API for instruction disassembly.
* The new attribute 'locations' of gdb.Breakpoint returns a list of gdb.BreakpointLocation objects specifying the locations where the breakpoint is inserted into the debuggee.
* New Python type gdb.BreakpointLocation.
* New function gdb.format_address(ADDRESS, PROGSPACE, ARCHITECTURE) that formats ADDRESS as 'address '
* New function gdb.current_language that returns the name of the current language. Unlike gdb.parameter('language'), this will never return 'auto'.
* New function gdb.print_options that returns a dictionary of the prevailing print options, in the form accepted by gdb.Value.format_string.
* New method gdb.Frame.language that returns the name of the frame's language.
* gdb.Value.format_string now uses the format provided by 'print', if it is called during a 'print' or other similar operation.
* gdb.Value.format_string now accepts the 'summary' keyword. This can be used to request a shorter representation of a value, the way that 'set print frame-arguments scalars' does.
* The gdb.register_window_type method now restricts the set of acceptable window names. The first character of a window's name must start with a character in the set [a-zA-Z], every subsequent character of a window's name must be in the set [-_.a-zA-Z0-9].
* GDB/MI changes:
* MI version 1 is deprecated, and will be removed in GDB 14.
* The async record stating the stopped reason 'breakpoint-hit' now contains an optional field locno.
* Miscellaneous improvements:
* gdb now supports zstd compressed debug sections (ELFCOMPRESS_ZSTD) for ELF.
* New convenience variable $_inferior_thread_count contains the number of live threads in the current inferior.
* New convenience variables $_hit_bpnum and $_hit_locno, set to the breakpoint number and the breakpoint location number of the breakpoint last hit.
* The 'info breakpoints' now displays enabled breakpoint locations of disabled breakpoints as in the 'y-' state.
* The format of 'disassemble /r' and 'record instruction-history /r' has changed to match the layout of GNU objdump when disassembling.
* A new format '/b' has been introduce to provide the old behavior of '/r'.
* The TUI no longer styles the source and assembly code highlighted by the current position indicator by default. You can however re-enable styling using the new 'set style tui-current-position' command.
* It is now possible to use the 'document' command to document user-defined commands.
* Support for memory tag data for AArch64 MTE.
* Support Removal notices:
* DBX mode has been removed.
* Support for building against Python version 2 has been removed. It is now only possible to build GDB against Python 3.
* Support for the following commands has been removed:
* set debug aix-solib on|off
* show debug aix-solib
* set debug solib-frv on|off
* show debug solib-frv
* Use the 'set/show debug solib' commands instead.
See the NEWS file for a more complete and detailed list of what this release includes.
ModerateSUSE bug 1068950SUSE bug 1081527SUSE bug 1211052CVE-2017-16829 at SUSECVE-2017-16829 at NVDCVE-2018-7208 at SUSECVE-2018-7208 at NVDCVE-2022-48064 at SUSECVE-2022-48064 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for python (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python fixes the following issues:
- CVE-2023-27043: Fixed incorrectly parses e-mail addresses which contain a special character (bsc#1210638).
ModerateSUSE bug 1210638CVE-2023-27043 at SUSECVE-2023-27043 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python36 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python36 fixes the following issues:
- CVE-2023-27043: Fixed incorrectly parses e-mail addresses which contain a special character (bsc#1210638).
ModerateSUSE bug 1210638CVE-2023-27043 at SUSECVE-2023-27043 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for libxkbcommon (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libxkbcommon fixes the following issues:
Fixed multiple memory handling and correctness issues (bsc#1105832):
- CVE-2018-15859
- CVE-2018-15856
- CVE-2018-15858
- CVE-2018-15864
- CVE-2018-15863
- CVE-2018-15862
- CVE-2018-15861
- CVE-2018-15855
- CVE-2018-15854
- CVE-2018-15857
- CVE-2018-15853
LowSUSE bug 1105832CVE-2018-15853 at SUSECVE-2018-15853 at NVDCVE-2018-15854 at SUSECVE-2018-15854 at NVDCVE-2018-15855 at SUSECVE-2018-15855 at NVDCVE-2018-15856 at SUSECVE-2018-15856 at NVDCVE-2018-15857 at SUSECVE-2018-15857 at NVDCVE-2018-15858 at SUSECVE-2018-15858 at NVDCVE-2018-15859 at SUSECVE-2018-15859 at NVDCVE-2018-15861 at SUSECVE-2018-15861 at NVDCVE-2018-15862 at SUSECVE-2018-15862 at NVDCVE-2018-15863 at SUSECVE-2018-15863 at NVDCVE-2018-15864 at SUSECVE-2018-15864 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for netpbm (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for netpbm fixes the following issues:
- CVE-2017-5849: Fixed out-of-bound read and write issue that can occur in function putgreytile() and put1bitbwtile() (bsc#1022790, bsc#1022791).
ModerateSUSE bug 1022790SUSE bug 1022791CVE-2017-5849 at SUSECVE-2017-5849 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for python3 (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3 fixes the following issues:
- CVE-2023-27043: Fixed incorrectly parses e-mail addresses which contain a special character (bsc#1210638).
ModerateSUSE bug 1210638CVE-2023-27043 at SUSECVE-2023-27043 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openssl (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssl fixes the following issues:
- CVE-2024-0727: Denial of service when processing a maliciously formatted PKCS12 file (bsc#1219243).
- CVE-2023-5678: Denial of service via long X9.42 DH keys (bsc#1216922).
ModerateSUSE bug 1216922SUSE bug 1219243CVE-2023-5678 at SUSECVE-2023-5678 at NVDCVE-2024-0727 at SUSECVE-2024-0727 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for postgresql15 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql15 fixes the following issues:
Upgrade to 15.6:
- CVE-2024-0985: Tighten security restrictions within REFRESH MATERIALIZED VIEW CONCURRENTLY (bsc#1219679).
ImportantSUSE bug 1219679CVE-2024-0985 at SUSECVE-2024-0985 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql14 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql14 fixes the following issues:
Upgrade to 14.11:
- CVE-2024-0985: Tighten security restrictions within REFRESH MATERIALIZED VIEW CONCURRENTLY (bsc#1219679).
ImportantSUSE bug 1219679CVE-2024-0985 at SUSECVE-2024-0985 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql13 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql13 fixes the following issues:
Upgrade to 13.14:
- CVE-2024-0985: Tighten security restrictions within REFRESH MATERIALIZED VIEW CONCURRENTLY (bsc#1219679).
ImportantSUSE bug 1219679CVE-2024-0985 at SUSECVE-2024-0985 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql12 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql12 fixes the following issues:
Upgrade to 12.18:
- CVE-2024-0985: Tighten security restrictions within REFRESH MATERIALIZED VIEW CONCURRENTLY (bsc#1219679).
ImportantSUSE bug 1219679CVE-2024-0985 at SUSECVE-2024-0985 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for webkit2gtk3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for webkit2gtk3 fixes the following issues:
Update to version 2.42.5 (bsc#1219604):
- CVE-2024-23222: Fixed processing maliciously crafted web content that may have led to arbitrary code execution (bsc#1219113).
- CVE-2024-23206: Fixed fingerprint user via maliciously crafted webpages (bsc#1219604).
- CVE-2024-23213: Fixed processing web content that may have led to arbitrary code execution (bsc#1219604).
- CVE-2023-40414: Fixed processing web content that may have led to arbitrary code execution (bsc#1219604).
- CVE-2014-1745: Fixed denial-of-service or potentially disclose memory contents while processing maliciously crafted files (bsc#1219604).
- CVE-2023-42833: Fixed processing web content that may have led to arbitrary code execution (bsc#1219604).
ImportantSUSE bug 1219113SUSE bug 1219604CVE-2014-1745 at SUSECVE-2014-1745 at NVDCVE-2023-40414 at SUSECVE-2023-40414 at NVDCVE-2023-42833 at SUSECVE-2023-42833 at NVDCVE-2024-23206 at SUSECVE-2024-23206 at NVDCVE-2024-23213 at SUSECVE-2024-23213 at NVDCVE-2024-23222 at SUSECVE-2024-23222 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for postgresql16 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql16 fixes the following issues:
Upgrade to 16.2:
- CVE-2024-0985: Tighten security restrictions within REFRESH MATERIALIZED VIEW CONCURRENTLY (bsc#1219679).
ImportantSUSE bug 1219679CVE-2024-0985 at SUSECVE-2024-0985 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for libxml2 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for libxml2 fixes the following issues:
- CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576).
ImportantSUSE bug 1219576CVE-2024-25062 at SUSECVE-2024-25062 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for mozilla-nss (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for mozilla-nss fixes the following issues:
Update to NSS 3.90.2:
- CVE-2023-5388: Fixed timing attack against RSA decryption in TLS (bsc#1216198)
ImportantSUSE bug 1216198CVE-2023-5388 at SUSECVE-2023-5388 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Update to Firefox Extended Support Release 115.8.0 ESR (MFSA 2024-06) (bsc#1220048):
- CVE-2024-1546: Out-of-bounds memory read in networking channels
- CVE-2024-1547: Alert dialog could have been spoofed on another site
- CVE-2024-1548: Fullscreen Notification could have been hidden by select element
- CVE-2024-1549: Custom cursor could obscure the permission dialog
- CVE-2024-1550: Mouse cursor re-positioned unexpectedly could have led to unintended permission grants
- CVE-2024-1551: Multipart HTTP Responses would accept the Set-Cookie header in response parts
- CVE-2024-1552: Incorrect code generation on 32-bit ARM devices
- CVE-2024-1553: Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8
- Recommend libfido2-udev on codestreams that exist, in order to try
to get security keys (e.g. Yubikeys) work out of the box. (bsc#1184272)
ImportantSUSE bug 1184272SUSE bug 1220048CVE-2024-1546 at SUSECVE-2024-1546 at NVDCVE-2024-1547 at SUSECVE-2024-1547 at NVDCVE-2024-1548 at SUSECVE-2024-1548 at NVDCVE-2024-1549 at SUSECVE-2024-1549 at NVDCVE-2024-1550 at SUSECVE-2024-1550 at NVDCVE-2024-1551 at SUSECVE-2024-1551 at NVDCVE-2024-1552 at SUSECVE-2024-1552 at NVDCVE-2024-1553 at SUSECVE-2024-1553 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for tiff (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tiff fixes the following issues:
- CVE-2023-52356: Fixed segfault in TIFFReadRGBATileExt() (bsc#1219213).
ModerateSUSE bug 1219213CVE-2023-52356 at SUSECVE-2023-52356 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for openssh (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for openssh fixes the following issues:
- CVE-2023-51385: Fixed a command injection via user name or host name metacharacters (bsc#1218215).
ImportantSUSE bug 1218215CVE-2023-51385 at SUSECVE-2023-51385 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for java-1_8_0-ibm (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-ibm fixes the following issues:
Update to Java 8.0 Service Refresh 8 Fix Pack 20: [bsc#1219843]
Security fixes:
- CVE-2023-33850: Fixed information disclosure vulnerability due to the consumed GSKit library (bsc#1219843).
- CVE-2024-20932: Fixed incorrect handling of ZIP files with duplicate entries (bsc#1218908).
- CVE-2024-20952: Fixed RSA padding issue and timing side-channel attack against TLS (bsc#1218911).
- CVE-2024-20918: Fixed array out-of-bounds access due to missing range check in C1 compiler (bsc#1218907).
- CVE-2024-20921: Fixed range check loop optimization issue (bsc#1218905).
- CVE-2024-20919: Fixed JVM class file verifier flaw allows unverified bytecode execution (bsc#1218903).
- CVE-2024-20926: Fixed arbitrary Java code execution in Nashorn (bsc#1218906).
- CVE-2024-20945: Fixed logging of digital signature private keys (bsc#1218909).
ImportantSUSE bug 1218903SUSE bug 1218905SUSE bug 1218906SUSE bug 1218907SUSE bug 1218908SUSE bug 1218909SUSE bug 1218911SUSE bug 1219843CVE-2023-33850 at SUSECVE-2023-33850 at NVDCVE-2024-20918 at SUSECVE-2024-20918 at NVDCVE-2024-20919 at SUSECVE-2024-20919 at NVDCVE-2024-20921 at SUSECVE-2024-20921 at NVDCVE-2024-20926 at SUSECVE-2024-20926 at NVDCVE-2024-20932 at SUSECVE-2024-20932 at NVDCVE-2024-20945 at SUSECVE-2024-20945 at NVDCVE-2024-20952 at SUSECVE-2024-20952 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for tar (Low)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tar fixes the following issues:
- CVE-2023-39804: Incorrectly handled extension attributes in PAX archives can lead to a crash (bsc#1217969)
LowSUSE bug 1217969CVE-2023-39804 at SUSECVE-2023-39804 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for LibreOffice (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for LibreOffice fixes the following issues:
libreoffice:
- Version update from 7.3.6.2 to 7.5.4.1 (jsc#PED-3561, jsc#PED-3550, jsc#PED-1785):
* For the highlights of changes of version 7.5 please consult the official release notes:
https://wiki.documentfoundation.org/ReleaseNotes/7.5
* For the highlights of changes of version 7.4 please consult the official release notes:
https://wiki.documentfoundation.org/ReleaseNotes/7.4
* Security issues fixed:
+ CVE-2023-0950: Fixed stack underflow in ScInterpreter (bsc#1209242)
+ CVE-2023-2255: Fixed vulnerability where remote documents could be loaded without prompt via IFrame (bsc#1211746)
* Bug fixes:
+ Fix PPTX shadow effect for table offset (bsc#1204040)
+ Fix ability to set the default tab size for each text object (bsc#1198666)
+ Fix PPTX extra vertical space between different text formats (bsc#1200085)
+ Do not use binutils-gold as the package is unmaintainedd and will be removed in the future (bsc#1210687)
* Updated bundled dependencies:
* boost version update from 1_77_0 to 1_80_0
* curl version update from 7.83.1 to 8.0.1
* icu4c-data version update from 70_1 to 72_1
* icu4c version update from 70_1 to 72_1
* pdfium version update from 4699 to 5408
* poppler version update from 21.11.0 to 22.12.0
* poppler-data version update from 0.4.10 to 0.4.11
* skia version from m97-a7230803d64ae9d44f4e128244480111a3ae967 to m103-b301ff025004c9cd82816c86c547588e6c24b466
* New build dependencies:
* fixmath-devel
* libwebp-devel
* zlib-devel
* dragonbox-devel
* at-spi2-core-devel
* libtiff-devel
dragonbox:
- New package at version 1.1.3 (jsc#PED-1785)
* New dependency for LibreOffice 7.4
fixmath:
- New package at version 2022.07.20 (jsc#PED-1785)
* New dependency for LibreOffice 7.4
libmwaw:
- Version update from 0.3.20 to 0.3.21 (jsc#PED-1785):
* Add debug code to read some private rsrc data
* Allow to read some MacWrite which does not have printer informations
* Add a parser for Scoop files
* Add a parser for ScriptWriter files
* Add a parser for ReadySetGo 1-4 files
xmlsec1:
- Version update from 1.2.28 to 1.2.37 required by LibreOffice 7.5.2.2 (jsc#PED-3561, jsc#PED-3550):
* Retired the XMLSec mailing list 'xmlsec@aleksey.com' and the XMLSec Online Signature Verifier.
* Migration to OpenSSL 3.0 API Note that OpenSSL engines are disabled by default when XMLSec library is compiled
against OpenSSL 3.0.
To re-enable OpenSSL engines, use `--enable-openssl3-engines` configure flag
(there will be a lot of deprecation warnings).
* The OpenSSL before 1.1.0 and LibreSSL before 2.7.0 are now deprecated and will be removed in the future versions of
XMLSec Library.
* Refactored all the integer casts to ensure cast-safety. Fixed all warnings and enabled `-Werror` and `-pedantic`
flags on CI builds.
* Added configure flag to use size_t for xmlSecSize (currently disabled by default for backward compatibility).
* Support for OpenSSL compiled with OPENSSL_NO_ERR.
* Full support for LibreSSL 3.5.0 and above
* Several other small fixes
* Fix decrypting session key for two recipients
* Added `--privkey-openssl-engine` option to enhance openssl engine support
* Remove MD5 for NSS 3.59 and above
* Fix PKCS12_parse return code handling
* Fix OpenSSL lookup
* xmlSecX509DataGetNodeContent(): don't return 0 for non-empty elements - fix for LibreOffice
* Unload error strings in OpenSSL shutdown.
* Make userData available when executing preExecCallback function
* Add an option to use secure memset.
* Enabled XML_PARSE_HUGE for all xml parsers.
* Various build and tests fixes and improvements.
* Move remaining private header files away from xmlsec/include/`` folder
- Other packaging changes:
* Relax the crypto policies for the test-suite. It allows the tests using certificates with small key lengths to pass.
* Pass `--disable-md5` to configure: The cryptographic strength of the MD5 algorithm is sufficiently doubtful that its
use is discouraged at this time. It is not listed as an algorithm in [XMLDSIG-CORE1]
https://www.w3.org/TR/xmlsec-algorithms/#bib-XMLDSIG-CORE1
ImportantSUSE bug 1198666SUSE bug 1200085SUSE bug 1204040SUSE bug 1209242SUSE bug 1210687SUSE bug 1211746CVE-2023-0950 at SUSECVE-2023-0950 at NVDCVE-2023-2255 at SUSECVE-2023-2255 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for python36 (Important)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python36 fixes the following issues:
- CVE-2023-6597: Fixed symlink bug in cleanup of tempfile.TemporaryDirectory (bsc#1219666).
- CVE-2022-48566: Make compare_digest more constant-time (bsc#1214691).
ImportantSUSE bug 1214691SUSE bug 1219666CVE-2022-48566 at SUSECVE-2022-48566 at NVDCVE-2023-6597 at SUSECVE-2023-6597 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for postgresql-jdbc (Critical)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for postgresql-jdbc fixes the following issues:
- CVE-2024-1597: Fixed SQL Injection via line comment generation (bsc#1220644).
CriticalSUSE bug 1220644CVE-2024-1597 at SUSECVE-2024-1597 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for gstreamer-plugins-bad (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for gstreamer-plugins-bad fixes the following issues:
- CVE-2023-44446: Fixed use-after-free remote code execution vulnerability via MXF file (bsc#1217213).
ImportantSUSE bug 1217213CVE-2023-44446 at SUSECVE-2023-44446 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for vim (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for vim fixes the following issues:
- CVE-2023-48231: Fixed Use-After-Free in win_close() (bsc#1217316).
- CVE-2023-48232: Fixed Floating point Exception in adjust_plines_for_skipcol() (bsc#1217320).
- CVE-2023-48233: Fixed overflow with count for :s command (bsc#1217321).
- CVE-2023-48234: Fixed overflow in nv_z_get_count (bsc#1217324).
- CVE-2023-48235: Fixed overflow in ex address parsing (bsc#1217326).
- CVE-2023-48236: Fixed overflow in get_number (bsc#1217329).
- CVE-2023-48237: Fixed overflow in shift_line (bsc#1217330).
- CVE-2023-48706: Fixed heap-use-after-free in ex_substitute (bsc#1217432).
- CVE-2024-22667: Fixed stack-based buffer overflow in did_set_langmap function in map.c (bsc#1219581).
- CVE-2023-4750: Fixed heap use-after-free in function bt_quickfix (bsc#1215005).
Updated to version 9.1 with patch level 0111:
https://github.com/vim/vim/compare/v9.0.2103...v9.1.0111
ImportantSUSE bug 1215005SUSE bug 1217316SUSE bug 1217320SUSE bug 1217321SUSE bug 1217324SUSE bug 1217326SUSE bug 1217329SUSE bug 1217330SUSE bug 1217432SUSE bug 1219581CVE-2023-4750 at SUSECVE-2023-4750 at NVDCVE-2023-48231 at SUSECVE-2023-48231 at NVDCVE-2023-48232 at SUSECVE-2023-48232 at NVDCVE-2023-48233 at SUSECVE-2023-48233 at NVDCVE-2023-48234 at SUSECVE-2023-48234 at NVDCVE-2023-48235 at SUSECVE-2023-48235 at NVDCVE-2023-48236 at SUSECVE-2023-48236 at NVDCVE-2023-48237 at SUSECVE-2023-48237 at NVDCVE-2023-48706 at SUSECVE-2023-48706 at NVDCVE-2024-22667 at SUSECVE-2024-22667 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for python3 (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for python3 fixes the following issues:
- CVE-2023-40217: Fixed bypass TLS handshake on closed sockets (bsc#1214692).
- CVE-2023-6597: Fixed symlink bug in cleanup (bsc#1219666).
ImportantSUSE bug 1214692SUSE bug 1219666CVE-2023-40217 at SUSECVE-2023-40217 at NVDCVE-2023-6597 at SUSECVE-2023-6597 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for sudo (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for sudo fixes the following issues:
- CVE-2023-42465: Try to make sudo less vulnerable to ROWHAMMER attacks (bsc#1219026).
ImportantSUSE bug 1219026SUSE bug 1220389CVE-2023-42465 at SUSECVE-2023-42465 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for java-1_8_0-openjdk (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for java-1_8_0-openjdk fixes the following issues:
- CVE-2024-20952: Fixed RSA padding issue and timing side-channel attack against TLS (8317547) (bsc#1218911).
- CVE-2024-20921: Fixed range check loop optimization issue (8314307) (bsc#1218905).
- CVE-2024-20926: Fixed rbitrary Java code execution in Nashorn (8314284) (bsc#1218906).
- CVE-2024-20919: Fixed JVM class file verifier flaw allows unverified byte code execution (8314295) (bsc#1218903).
- CVE-2024-20918: Fixed array out-of-bounds access due to missing range check in C1 compiler (8314468) (bsc#1218907).
- CVE-2024-20945: Fixed logging of digital signature private keys (8316976) (bsc#1218909).
Update to version jdk8u402 (icedtea-3.30.0).
ImportantSUSE bug 1218903SUSE bug 1218905SUSE bug 1218906SUSE bug 1218907SUSE bug 1218909SUSE bug 1218911CVE-2024-20918 at SUSECVE-2024-20918 at NVDCVE-2024-20919 at SUSECVE-2024-20919 at NVDCVE-2024-20921 at SUSECVE-2024-20921 at NVDCVE-2024-20926 at SUSECVE-2024-20926 at NVDCVE-2024-20945 at SUSECVE-2024-20945 at NVDCVE-2024-20952 at SUSECVE-2024-20952 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for cpio (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for cpio fixes the following issues:
- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)
ModerateSUSE bug 1218571SUSE bug 1219238CVE-2023-7207 at SUSECVE-2023-7207 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for axis (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for axis fixes the following issues:
- CVE-2023-51441: Fixed SSRF when untrusted input is passed to the service admin HTTP API (bsc#1218605).
ModerateSUSE bug 1218605CVE-2023-51441 at SUSECVE-2023-51441 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for zabbix (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for zabbix fixes the following issues:
- CVE-2024-22119: Fixed ability to run XSS in graph item names (bsc#1219775).
ModerateSUSE bug 1219775CVE-2024-22119 at SUSECVE-2024-22119 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for sudo (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for sudo fixes the following issues:
- CVE-2023-42465: Fixed issues introduced by first patches (bsc#1221151, bsc#1221134).
ImportantSUSE bug 1221134SUSE bug 1221151CVE-2023-42465 at SUSECVE-2023-42465 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for tiff (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for tiff fixes the following issues:
- CVE-2023-41175: Fixed potential integer overflow in raw2tiff.c (bsc#1214686).
- CVE-2023-38288: Fixed potential integer overflow in raw2tiff.c (bsc#1213590).
- CVE-2023-40745: Fixed integer overflow in tiffcp.c (bsc#1214687).
- CVE-2015-8668: Fixed Heap-based buffer overflow in bmp2tiff / PackBitsEncode (bsc#960589).
ModerateSUSE bug 1213590SUSE bug 1214686SUSE bug 1214687SUSE bug 1221187SUSE bug 960589CVE-2015-8668 at SUSECVE-2015-8668 at NVDCVE-2023-38288 at SUSECVE-2023-38288 at NVDCVE-2023-40745 at SUSECVE-2023-40745 at NVDCVE-2023-41175 at SUSECVE-2023-41175 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for ucode-intel (Moderate)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ucode-intel fixes the following issues:
- Updated to Intel CPU Microcode 20240312 release. (bsc#1221323)
- CVE-2023-39368: Protection mechanism failure of bus lock regulator
for some Intel Processors may allow an unauthenticated user to
potentially enable denial of service via network access
- CVE-2023-38575: Non-transparent sharing of return predictor targets
between contexts in some Intel Processors may allow an authorized
user to potentially enable information disclosure via local access.
- CVE-2023-28746: Information exposure through microarchitectural
state after transient execution from some register files for some
Intel Atom Processors may allow an authenticated user to potentially
enable information disclosure via local access.
- CVE-2023-22655 Protection mechanism failure in some 3rd and 4th
Generation Intel Xeon Processors when using Intel SGX or Intel TDX
may allow a privileged user to potentially enable escalation of
privilege via local access.
- CVE-2023-43490: Incorrect calculation in microcode keying mechanism
for some Intel Xeon D Processors with Intel? SGX may allow a
privileged user to potentially enable information disclosure via
local access.
ModerateSUSE bug 1221323CVE-2023-22655 at SUSECVE-2023-22655 at NVDCVE-2023-28746 at SUSECVE-2023-28746 at NVDCVE-2023-38575 at SUSECVE-2023-38575 at NVDCVE-2023-39368 at SUSECVE-2023-39368 at NVDCVE-2023-43490 at SUSECVE-2023-43490 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for ghostscript (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for ghostscript fixes the following issues:
- Fixed segfaults in gs_heap_free_object() — ref:_00D1igLOd._500Tr4BRgx:ref (bsc#1219357).
Previously fixed security issue:
- CVE-2020-36773: Fixed out-of-bounds write and use-after-free in devices/vector/gdevtxtw.c (for txtwrite) (bsc#1219554).
ModerateSUSE bug 1219357SUSE bug 1219554CVE-2020-36773 at SUSECVE-2020-36773 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for PackageKit (Moderate)SUSE Linux Enterprise Server 12 SP3-TERADATA
This update for PackageKit fixes the following issues:
- CVE-2024-0217: Check that Finished signal is emitted at most once (bsc#1218544).
ModerateSUSE bug 1218544CVE-2024-0217 at SUSECVE-2024-0217 at NVDcpe:/o:suse:sles_teradata:12:sp3Security update for MozillaFirefox (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATASUSE Linux Enterprise Server 12 SP3-TERADATA
This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 115.9.0 ESR (bsc#1221327):
- CVE-2024-0743: Crash in NSS TLS method (bmo#1867408).
- CVE-2024-2605: Windows Error Reporter could be used as a Sandbox escape
vector (bmo#1872920).
- CVE-2024-2607: JIT code failed to save return registers on Armv7-A (bmo#1879939).
- CVE-2024-2608: Integer overflow could have led to out of bounds write (bmo#1880692).
- CVE-2024-2616: Improve handling of out-of-memory conditions in ICU (bmo#1846197).
- CVE-2023-5388: NSS susceptible to timing attack against RSA decryption (bmo#1780432).
- CVE-2024-2610: Improper handling of html and body tags enabled CSP nonce
leakage (bmo#1871112).
- CVE-2024-2611: Clickjacking vulnerability could have led to a user
accidentally granting permissions (bmo#1876675).
- CVE-2024-2612: Self referencing object could have potentially led to a use-
after-free (bmo#1879444).
- CVE-2024-2614: Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9,
and Thunderbird 115.9 (bmo#1685358, bmo#1861016, bmo#1880405,
bmo#1881093).
ImportantSUSE bug 1221327CVE-2023-5388 at SUSECVE-2023-5388 at NVDCVE-2024-0743 at SUSECVE-2024-0743 at NVDCVE-2024-2605 at SUSECVE-2024-2605 at NVDCVE-2024-2607 at SUSECVE-2024-2607 at NVDCVE-2024-2608 at SUSECVE-2024-2608 at NVDCVE-2024-2610 at SUSECVE-2024-2610 at NVDCVE-2024-2611 at SUSECVE-2024-2611 at NVDCVE-2024-2612 at SUSECVE-2024-2612 at NVDCVE-2024-2614 at SUSECVE-2024-2614 at NVDCVE-2024-2616 at SUSECVE-2024-2616 at NVDcpe:/o:suse:sles_teradata:12:sp3cpe:/o:suse:sles_teradata:12:sp3-ltssSecurity update for squid (Important)SUSE Linux Enterprise Server 12 SP3-LTSS-TERADATA
This update for squid fixes the following issues:
- CVE-2024-25617: Fixed denial of service in HTTP header parser (bsc#1219960).
ImportantSUSE bug 1219960CVE-2024-25617 at SUSECVE-2024-25617 at NVDcpe:/o:suse:sles_teradata:12:sp3-ltssDirectFBlib++dfb-1_7-1libdirectfb-1_7-1sles-releaseMozillaFirefoxMozillaFirefox-translationsaaa_baseaaa_base-extrasaccountsserviceaccountsservice-langlibaccountsservice0typelib-1_0-AccountsService-1_0alsaalsa-docslibasound2libasound2-32bitantapache-commons-beanutilsapache-commons-beanutils-javadocapache-commons-daemonapache-commons-daemon-javadocapache-commons-httpclientapache2apache2-docapache2-example-pagesapache2-preforkapache2-utilsapache2-workerapache2-mod_apparmorapparmor-docsapparmor-parserapparmor-profilesapparmor-utilslibapparmor1libapparmor1-32bitpam_apparmorpam_apparmor-32bitperl-apparmorapache2-mod_jkapache2-mod_nssapache2-mod_perlatflexflex-32bitlibQtWebKit4libQtWebKit4-32bitlibbonobolibbonobo-32bitlibbonobo-doclibbonobo-langaudiofilelibaudiofile1libaudiofile1-32bitaugeasaugeas-lenseslibaugeas0autofsautomakem4avahiavahi-langavahi-utilslibavahi-client3libavahi-client3-32bitlibavahi-common3libavahi-common3-32bitlibavahi-core7libdns_sdlibdns_sd-32bitbashbash-doclibreadline6libreadline6-32bitreadline-docbindbind-chrootenvbind-docbind-libsbind-libs-32bitbind-utilsbinutilsbusyboxbzip2bzip2-doclibbz2-1libbz2-1-32bitchronycifs-utilsclamavcolord-gtk-langlibcolord-gtk1libcolord2libcolord2-32bitlibcolorhug2coolkeycoreutilscoreutils-langcpiocpio-langcpp48gcc48gcc48-32bitgcc48-c++gcc48-infogcc48-localelibasan0libasan0-32bitlibstdc++48-devellibstdc++48-devel-32bitcrackliblibcrack2libcrack2-32bitcrashcrash-kmp-defaultcroncroniectagscupscups-clientcups-libscups-libs-32bitcups-filterscups-filters-cups-browsedcups-filters-foomatic-ripcups-filters-ghostscriptcups-pk-helpercups-pk-helper-langcurllibcurl4libcurl4-32bitcvscvs-doccyrus-saslcyrus-sasl-32bitcyrus-sasl-crammd5cyrus-sasl-crammd5-32bitcyrus-sasl-digestmd5cyrus-sasl-gssapicyrus-sasl-gssapi-32bitcyrus-sasl-otpcyrus-sasl-otp-32bitcyrus-sasl-plaincyrus-sasl-plain-32bitcyrus-sasl-saslauthdcyrus-sasl-sqlauxpropcyrus-sasl-sqlauxprop-32bitlibsasl2-3libsasl2-3-32bitdavfs2dbus-1dbus-1-x11libdbus-1-3libdbus-1-3-32bitdbus-1-glibdbus-1-glib-32bitdhcpdhcp-clientdhcp-relaydhcp-serverdnsmasqdosfstoolsdovecot22dovecot22-backend-mysqldovecot22-backend-pgsqldovecot22-backend-sqlitedracutdracut-fipsdstate2fsprogslibcom_err2libcom_err2-32bitlibext2fs2ecryptfs-utilsecryptfs-utils-32bitelfutilslibasm1libasm1-32bitlibdw1libdw1-32bitlibebl1libebl1-32bitlibelf1libelf1-32bitemacsemacs-elemacs-infoemacs-noxemacs-x11etagseogeog-langevinceevince-browser-pluginevince-langevince-plugin-djvudocumentevince-plugin-dvidocumentevince-plugin-pdfdocumentevince-plugin-psdocumentevince-plugin-tiffdocumentevince-plugin-xpsdocumentlibevdocument3-4libevview3-3nautilus-evinceexpatlibexpat1libexpat1-32bitfetchmailfetchmailconffilefile-magiclibmagic1libmagic1-32bitfontconfigfontconfig-32bitfreeradius-serverfreeradius-server-docfreeradius-server-krb5freeradius-server-ldapfreeradius-server-libsfreeradius-server-mysqlfreeradius-server-perlfreeradius-server-postgresqlfreeradius-server-pythonfreeradius-server-sqlitefreeradius-server-utilsft2demosfuselibfuse2gdgdk-pixbuf-langgdk-pixbuf-query-loadersgdk-pixbuf-query-loaders-32bitlibgdk_pixbuf-2_0-0libgdk_pixbuf-2_0-0-32bittypelib-1_0-GdkPixbuf-2_0gdk-pixbuf-loader-rsvglibrsvg-2-2librsvg-2-2-32bitrsvg-viewgdmgdm-langgdmflexiserverlibgdm1typelib-1_0-Gdm-1_0ghostscriptghostscript-x11giflib-progslibgif6libgif6-32bitgit-coreglib2-langglib2-toolslibgio-2_0-0libgio-2_0-0-32bitlibglib-2_0-0libglib-2_0-0-32bitlibgmodule-2_0-0libgmodule-2_0-0-32bitlibgobject-2_0-0libgobject-2_0-0-32bitlibgthread-2_0-0libgthread-2_0-0-32bitglibcglibc-32bitglibc-develglibc-devel-32bitglibc-htmlglibc-i18ndataglibc-infoglibc-localeglibc-locale-32bitglibc-profileglibc-profile-32bitnscdgnome-keyringgnome-keyring-32bitgnome-keyring-langgnome-keyring-pamgnome-keyring-pam-32bitlibgck-modules-gnome-keyringgnome-settings-daemongnome-settings-daemon-langgnome-shellgnome-shell-browser-plugingnome-shell-langgnutlslibgnutls-openssl27libgnutls28libgnutls28-32bitgpg2gpg2-langgpgmelibgpgme11groffgroff-fullgxditviewgrub2grub2-arm64-efigrub2-i386-pcgrub2-powerpc-ieee1275grub2-s390x-emugrub2-snapper-plugingrub2-systemd-sleep-plugingrub2-x86_64-efigrub2-x86_64-xengstreamergstreamer-langgstreamer-utilslibgstreamer-1_0-0libgstreamer-1_0-0-32bittypelib-1_0-Gst-1_0gstreamer-plugins-badgstreamer-plugins-bad-langlibgstadaptivedemux-1_0-0libgstbadaudio-1_0-0libgstbadbase-1_0-0libgstbadvideo-1_0-0libgstbasecamerabinsrc-1_0-0libgstcodecparsers-1_0-0libgstgl-1_0-0libgstmpegts-1_0-0libgstphotography-1_0-0libgsturidownloader-1_0-0gstreamer-plugins-basegstreamer-plugins-base-langlibgstallocators-1_0-0libgstapp-1_0-0libgstapp-1_0-0-32bitlibgstaudio-1_0-0libgstaudio-1_0-0-32bitlibgstfft-1_0-0libgstpbutils-1_0-0libgstpbutils-1_0-0-32bitlibgstriff-1_0-0libgstrtp-1_0-0libgstrtsp-1_0-0libgstsdp-1_0-0libgsttag-1_0-0libgsttag-1_0-0-32bitlibgstvideo-1_0-0libgstvideo-1_0-0-32bitgstreamer-plugins-goodgstreamer-plugins-good-langgtk2-datagtk2-langgtk2-toolsgtk2-tools-32bitlibgtk-2_0-0libgtk-2_0-0-32bitguestfs-dataguestfs-toolsguestfsdlibguestfs0perl-Sys-Guestfspython-libguestfsvirt-p2vvirt-v2vguileguile-modules-2_0libguile-2_0-22gvwdiffgvimvimvim-datagziphardlinkhpliphplip-hpijshplip-sanehyper-vibus-chewingibus-pinyinipsec-toolsiputilsjakarta-commons-fileuploadjakarta-commons-fileupload-javadocjakarta-taglibs-standardjakarta-taglibs-standard-javadocjava-1_7_0-openjdkjava-1_7_0-openjdk-demojava-1_7_0-openjdk-develjava-1_7_0-openjdk-headlessjava-1_7_1-ibmjava-1_7_1-ibm-alsajava-1_7_1-ibm-jdbcjava-1_7_1-ibm-pluginjava-1_8_0-ibmjava-1_8_0-ibm-alsajava-1_8_0-ibm-pluginjava-1_8_0-openjdkjava-1_8_0-openjdk-demojava-1_8_0-openjdk-develjava-1_8_0-openjdk-headlesskbdkdumpkernel-defaultkernel-default-basekernel-default-develkernel-default-mankernel-develkernel-macroskernel-sourcekernel-symskrb5krb5-32bitkrb5-clientkrb5-dockrb5-plugin-kdb-ldapkrb5-plugin-preauth-otpkrb5-plugin-preauth-pkinitkrb5-serverkrb5-appl-clientskrb5-appl-serverslftplibFLAC++6libFLAC8libFLAC8-32bitlibHX28libHX28-32bitlibIlmImf-Imf_2_1-21openexrlibMagickCore-6_Q16-1libMagickWand-6_Q16-1libQt5Concurrent5libQt5Core5libQt5DBus5libQt5Gui5libQt5Network5libQt5OpenGL5libQt5PrintSupport5libQt5Sql5libQt5Sql5-mysqllibQt5Sql5-postgresqllibQt5Sql5-sqlitelibQt5Sql5-unixODBClibQt5Test5libQt5Widgets5libQt5Xml5libQt5WebKit5libQt5WebKit5-importslibQt5WebKitWidgets5libX11-6libX11-6-32bitlibX11-datalibX11-xcb1libX11-xcb1-32bitlibXRes1libXRes1-32bitlibXcursor1libXcursor1-32bitlibXext6libXext6-32bitlibXfixes3libXfixes3-32bitlibXfont1libXi6libXi6-32bitlibXinerama1libXinerama1-32bitlibXp6libXp6-32bitlibXpm4libXpm4-32bitlibXrandr2libXrandr2-32bitlibXrender1libXrender1-32bitlibXt6libXt6-32bitlibXtst6libXtst6-32bitlibXv1libXv1-32bitlibXvMC1libXvnc1tigervncxorg-x11-XvnclibXxf86dga1libXxf86vm1libXxf86vm1-32bitlibapr-util1libapr-util1-dbd-sqlite3libapr1libarchive13libasan2libasan2-32bitlibffi4libffi4-32bitlibmpx0libmpx0-32bitlibmpxwrappers0libmpxwrappers0-32bitlibass5libblkid1libblkid1-32bitlibfdisk1libmount1libmount1-32bitlibsmartcols1libuuid1libuuid1-32bitpython-libmountutil-linuxutil-linux-langutil-linux-systemduuiddlibcairo-gobject2libcairo-gobject2-32bitlibcairo-script-interpreter2libcairo2libcairo2-32bitlibcares2libcgroup-toolslibcgroup1libdcerpc-binding0libdcerpc-binding0-32bitlibdcerpc0libdcerpc0-32bitlibndr-krb5pac0libndr-krb5pac0-32bitlibndr-nbt0libndr-nbt0-32bitlibndr-standard0libndr-standard0-32bitlibndr0libndr0-32bitlibnetapi0libnetapi0-32bitlibsamba-credentials0libsamba-credentials0-32bitlibsamba-errors0libsamba-errors0-32bitlibsamba-hostconfig0libsamba-hostconfig0-32bitlibsamba-passdb0libsamba-passdb0-32bitlibsamba-util0libsamba-util0-32bitlibsamdb0libsamdb0-32bitlibsmbclient0libsmbclient0-32bitlibsmbconf0libsmbconf0-32bitlibsmbldap0libsmbldap0-32bitlibtevent-util0libtevent-util0-32bitlibwbclient0libwbclient0-32bitsambasamba-clientsamba-client-32bitsamba-docsamba-libssamba-libs-32bitsamba-winbindsamba-winbind-32bitlibdmx1libecpg6libpq5libpq5-32bitpostgresql96postgresql96-contribpostgresql96-docspostgresql96-serverlibevent-2_0-5libexif12libexif12-32bitlibfreebl3libfreebl3-32bitlibfreebl3-hmaclibfreebl3-hmac-32bitlibsoftokn3libsoftokn3-32bitlibsoftokn3-hmaclibsoftokn3-hmac-32bitmozilla-nssmozilla-nss-32bitmozilla-nss-certsmozilla-nss-certs-32bitmozilla-nss-sysinitmozilla-nss-sysinit-32bitmozilla-nss-toolslibfreetype6libfreetype6-32bitlibgc1libgcrypt20libgcrypt20-32bitlibgcrypt20-hmaclibgcrypt20-hmac-32bitlibgme0libgnomesulibgnomesu-langlibgnomesu0libgoa-1_0-0libgoa-backend-1_0-1libgraphite2-3libgraphite2-3-32bitlibgssglue1libgssglue1-32bitlibgypsy0libhivex0perl-Win-Hivexlibhogweed2libhogweed2-32bitlibnettle4libnettle4-32bitlibicu-doclibicu52_1libicu52_1-32bitlibicu52_1-datalibidn-toolslibidn11libidn11-32bitlibimobiledevice6libipa_hbac0libsss_idmap0libsss_nss_idmap0libsss_sudopython-sssd-configsssdsssd-32bitsssd-adsssd-ipasssd-krb5sssd-krb5-commonsssd-ldapsssd-proxysssd-toolslibjansson4libjasper1libjasper1-32bitlibjavascriptcoregtk-3_0-0libwebkitgtk-3_0-0libwebkitgtk3-langlibjavascriptcoregtk-4_0-18libwebkit2gtk-4_0-37typelib-1_0-JavaScriptCore-4_0typelib-1_0-WebKit2-4_0webkit2gtk-4_0-injected-bundleslibjbig2libjbig2-32bitlibjpeg-turbolibjpeg62libjpeg62-32bitlibjpeg62-turbolibjpeg8libjpeg8-32bitlibturbojpeg0libjson-c2libjson-c2-32bitlibkde4libkde4-32bitlibkdecore4libkdecore4-32bitlibksuseinstall1libksuseinstall1-32bitlibksba8liblcms1liblcms1-32bitlibldap-2_4-2libldap-2_4-2-32bitopenldap2openldap2-back-metaopenldap2-clientlibldb1libldb1-32bitlibltdl7libltdl7-32bitlibtoollibtool-32bitliblua5_2liblua5_2-32bitlualiblzo2-2liblzo2-2-32bitlibmicrohttpd10libmms0libmodplug1libmpfr4libmpfr4-32bitlibmspack0libmusicbrainz4libmysqlclient18libmysqlclient18-32bitmariadbmariadb-clientmariadb-errormessagesmariadb-toolslibneon27libneon27-32bitlibnetpbm11libnetpbm11-32bitnetpbmlibnghttp2-14libnm-glib-vpn1libnm-glib4libnm-util2libnm0typelib-1_0-NMClient-1_0typelib-1_0-NetworkManager-1_0libopenjp2-7libopenssl-devellibopenssl1_0_0libopenssl1_0_0-32bitlibopenssl1_0_0-hmaclibopenssl1_0_0-hmac-32bitopensslopenssl-doclibopus0libotr5libpango-1_0-0libpango-1_0-0-32bittypelib-1_0-Pango-1_0libpcre1libpcre1-32bitlibpcre16-0libpcsclite1pcsc-litelibplist3libpng12-0libpng12-0-32bitlibpng15-15libpng16-16libpng16-16-32bitlibpolkit0polkittypelib-1_0-Polkit-1_0libpoppler-glib8libpoppler-qt4-4libpoppler60poppler-toolslibproxy1libproxy1-32bitlibproxy1-config-gnome3libproxy1-config-gnome3-32bitlibproxy1-networkmanagerlibproxy1-pacrunner-webkitlibpulse-mainloop-glib0libpulse-mainloop-glib0-32bitlibpulse0libpulse0-32bitpulseaudiopulseaudio-esound-compatpulseaudio-gdm-hookspulseaudio-langpulseaudio-module-x11pulseaudio-module-zeroconfpulseaudio-utilslibpython2_7-1_0libpython2_7-1_0-32bitpython-basepython-base-32bitpython-xmllibpython3_4m1_0python3-baselibqt4libqt4-32bitlibqt4-qt3supportlibqt4-qt3support-32bitlibqt4-sqllibqt4-sql-32bitlibqt4-sql-mysqllibqt4-sql-sqlitelibqt4-x11libqt4-x11-32bitqt4-x11-toolslibquicktime0libraptor2-0libruby2_1-2_1ruby2.1ruby2.1-stdliblibsmilibsmi2libsndfile1libsndfile1-32bitlibsnmp30libsnmp30-32bitnet-snmpperl-SNMPsnmp-mibslibsoup-2_4-1libsoup-2_4-1-32bitlibsoup-langtypelib-1_0-Soup-2_4libspice-client-glib-2_0-8libspice-client-glib-helperlibspice-client-gtk-3_0-5libspice-controller0typelib-1_0-SpiceClientGlib-2_0typelib-1_0-SpiceClientGtk-3_0libspice-server1libsqlite3-0libsqlite3-0-32bitsqlite3libsrtp1libssh2-1libssh2-1-32bitlibsystemd0libsystemd0-32bitlibudev1libudev1-32bitsystemdsystemd-32bitsystemd-bash-completionsystemd-sysvinitudevlibtag1libtag_c0tagliblibtasn1libtasn1-6libtasn1-6-32bitlibtcnative-1-0libthai-datalibthai0libthai0-32bitlibtiff5libtiff5-32bittifflibtirpc-netconfiglibtirpc3libtirpc3-32bitlibudisks2-0udisks2udisks2-langlibupsclient1nutnut-drivers-netlibusbmuxd4libvdpau1libvirglrenderer0libvirtlibvirt-adminlibvirt-clientlibvirt-daemonlibvirt-daemon-config-networklibvirt-daemon-config-nwfilterlibvirt-daemon-driver-interfacelibvirt-daemon-driver-libxllibvirt-daemon-driver-lxclibvirt-daemon-driver-networklibvirt-daemon-driver-nodedevlibvirt-daemon-driver-nwfilterlibvirt-daemon-driver-qemulibvirt-daemon-driver-secretlibvirt-daemon-driver-storagelibvirt-daemon-driver-storage-corelibvirt-daemon-driver-storage-disklibvirt-daemon-driver-storage-iscsilibvirt-daemon-driver-storage-logicallibvirt-daemon-driver-storage-mpathlibvirt-daemon-driver-storage-rbdlibvirt-daemon-driver-storage-scsilibvirt-daemon-lxclibvirt-daemon-qemulibvirt-daemon-xenlibvirt-doclibvirt-libslibvirt-lock-sanlocklibvirt-nsslibvmtools0open-vm-toolsopen-vm-tools-desktoplibvncclient0libvncserver0libvorbis-doclibvorbis0libvorbis0-32bitlibvorbisenc2libvorbisenc2-32bitlibvorbisfile3libvorbisfile3-32bitlibvte9python-vtevte2-langlibwireshark8libwiretap6libwscodecs1libwsutil7wiresharkwireshark-gtklibxcb-dri2-0libxcb-dri2-0-32bitlibxcb-dri3-0libxcb-dri3-0-32bitlibxcb-glx0libxcb-glx0-32bitlibxcb-present0libxcb-present0-32bitlibxcb-randr0libxcb-render0libxcb-render0-32bitlibxcb-shape0libxcb-shm0libxcb-shm0-32bitlibxcb-sync1libxcb-sync1-32bitlibxcb-xf86dri0libxcb-xfixes0libxcb-xfixes0-32bitlibxcb-xinerama0libxcb-xkb1libxcb-xkb1-32bitlibxcb-xv0libxcb1libxcb1-32bitlibxerces-c-3_1libxerces-c-3_1-32bitlibxml2-2libxml2-2-32bitlibxml2-doclibxml2-toolslibxslt-toolslibxslt1libxslt1-32bitlibyaml-0-2libz1libz1-32bitzlib-devellibzip2logrotatelogwatchmailmanmailxmemcachedminicommipv6dmozilla-nsprmozilla-nspr-32bitmuttntpntp-docopenscopenslpopenslp-32bitopenslp-serveropensshopenssh-fipsopenssh-helpersopenvpnopenvpn-auth-pam-pluginopenvswitchopieopie-32bitp7zippampam-32bitpam-docpam-modulespam-modules-32bitpam_krb5pam_krb5-32bitpam_sshpam_ssh-32bitpatchpcsc-ccidperlperl-32bitperl-baseperl-docperl-Config-IniFilesperl-DBD-mysqlperl-HTML-Parserperl-LWP-Protocol-httpsperl-Tkperl-XML-LibXMLperl-YAML-LibYAMLpigzpolicycoreutilspolicycoreutils-pythonpowerpc-utilsppc64-diagpppprocmailpythonpython-32bitpython-cursespython-demopython-gdbmpython-idlepython-tkpython-PyYAMLpython-cupshelperssystem-config-printersystem-config-printer-commonsystem-config-printer-common-langsystem-config-printer-dbus-serviceudev-configure-printerpython-docpython-doc-pdfpython-imagingpython-libxml2python-pyOpenSSLpython-pywbempython-requestspython3python3-cursesqemuqemu-armqemu-block-curlqemu-block-rbdqemu-block-sshqemu-guest-agentqemu-ipxeqemu-kvmqemu-langqemu-ppcqemu-s390qemu-seabiosqemu-sgabiosqemu-toolsqemu-vgabiosqemu-x86quaggaradvdres-signingkeyssmtsmt-supportrpcbindrpmrpm-32bitrpm-buildrrdtoolrrdtool-cachedrsyncrsyslogrsyslog-diag-toolsrsyslog-docrsyslog-module-gssapirsyslog-module-gtlsrsyslog-module-mysqlrsyslog-module-pgsqlrsyslog-module-relprsyslog-module-snmprsyslog-module-udpspoofrtkitrubysane-backendssblim-sfcbshimsocatsquashfssquidsquidGuardsquidGuard-docstrongswanstrongswan-docstrongswan-hmacstrongswan-ipsecstrongswan-libs0stunnelsudosupportutilssysconfigsysconfig-netconfigsyslog-servicesystemtapsystemtap-runtimesystemtap-serversysvinit-toolswhoistartar-langtcpdumptftptomcattomcat-admin-webappstomcat-docs-webapptomcat-el-3_0-apitomcat-javadoctomcat-jsp-2_3-apitomcat-libtomcat-servlet-3_1-apitomcat-webappstpm2.0-toolsunixODBCunixODBC-32bitunrarunzipupdate-alternativesvinovino-langvorbis-toolsvorbis-tools-langvsftpdw3mwgetwpa_supplicantxalan-j2xdg-utilsxenxen-doc-htmlxen-libsxen-libs-32bitxen-toolsxen-tools-domUxf86-video-intelxfsprogsxinetdxlockmorexorg-x11xorg-x11-essentialsxrdbxorg-x11-libsxorg-x11-serverxorg-x11-server-extraxscreensaverxscreensaver-datayast2yast2-coreyast2-userszoogitsuse-openstack-cloud-releasepdnspdns-backend-mysqlslf4jcobblerlibmariadb3mariadb-galeraxtrabackupgrafanakafkalogstashopenstack-monasca-installeropenstack-aodhopenstack-aodh-apiopenstack-aodh-docopenstack-aodh-evaluatoropenstack-aodh-expireropenstack-aodh-listeneropenstack-aodh-notifieropenstack-barbicanopenstack-barbican-apiopenstack-barbican-docopenstack-barbican-keystone-listeneropenstack-barbican-retryopenstack-barbican-workeropenstack-cinderopenstack-cinder-apiopenstack-cinder-backupopenstack-cinder-docopenstack-cinder-scheduleropenstack-cinder-volumeopenstack-dashboardopenstack-designateopenstack-designate-agentopenstack-designate-apiopenstack-designate-centralopenstack-designate-docopenstack-designate-produceropenstack-designate-sinkopenstack-designate-workeropenstack-glanceopenstack-glance-apiopenstack-glance-docopenstack-glance-registryopenstack-heatopenstack-heat-apiopenstack-heat-api-cfnopenstack-heat-api-cloudwatchopenstack-heat-docopenstack-heat-engineopenstack-heat-plugin-heat_dockeropenstack-heat-templatesopenstack-heat-testopenstack-horizon-plugin-designate-uiopenstack-horizon-plugin-freezer-uiopenstack-horizon-plugin-gbp-uiopenstack-horizon-plugin-manila-uiopenstack-horizon-plugin-neutron-lbaas-uiopenstack-horizon-plugin-trove-uiopenstack-ironicopenstack-ironic-apiopenstack-ironic-conductoropenstack-ironic-docopenstack-keystoneopenstack-keystone-docopenstack-manilaopenstack-manila-apiopenstack-manila-dataopenstack-manila-docopenstack-manila-scheduleropenstack-manila-shareopenstack-neutronopenstack-neutron-dhcp-agentopenstack-neutron-docopenstack-neutron-fwaasopenstack-neutron-fwaas-docopenstack-neutron-ha-toolopenstack-neutron-l3-agentopenstack-neutron-lbaasopenstack-neutron-lbaas-agentopenstack-neutron-lbaas-docopenstack-neutron-linuxbridge-agentopenstack-neutron-macvtap-agentopenstack-neutron-metadata-agentopenstack-neutron-metering-agentopenstack-neutron-openvswitch-agentopenstack-neutron-serveropenstack-neutron-vpn-agentopenstack-neutron-vpnaasopenstack-neutron-vpnaas-docopenstack-neutron-vyatta-agentopenstack-neutron-zvm-agentopenstack-novaopenstack-nova-apiopenstack-nova-cellsopenstack-nova-computeopenstack-nova-conductoropenstack-nova-consoleopenstack-nova-consoleauthopenstack-nova-docopenstack-nova-novncproxyopenstack-nova-placement-apiopenstack-nova-scheduleropenstack-nova-serialproxyopenstack-nova-virt-zvmopenstack-nova-vncproxyopenstack-octaviaopenstack-octavia-amphora-agentopenstack-octavia-apiopenstack-octavia-health-manageropenstack-octavia-housekeepingopenstack-octavia-workeropenstack-troveopenstack-trove-apiopenstack-trove-conductoropenstack-trove-docopenstack-trove-guestagentopenstack-trove-taskmanagerpython-aodhpython-barbicanpython-barbicanclientpython-barbicanclient-docpython-cinderpython-designatepython-glancepython-heatpython-horizonpython-horizon-plugin-designate-uipython-horizon-plugin-freezer-uipython-horizon-plugin-gbp-uipython-horizon-plugin-manila-uipython-horizon-plugin-neutron-lbaas-uipython-horizon-plugin-trove-uipython-ironicpython-keystonepython-keystone-json-assignmentpython-manilapython-manilaclientpython-manilaclient-docpython-neutronpython-neutron-fwaaspython-neutron-lbaaspython-neutron-vpnaaspython-novapython-octaviapython-trovepython-vmware-nsxpython-vmware-nsxlibvenv-openstack-aodh-x86_64venv-openstack-barbican-x86_64venv-openstack-cinder-x86_64venv-openstack-designate-x86_64venv-openstack-glance-x86_64venv-openstack-heat-x86_64venv-openstack-horizon-x86_64venv-openstack-ironic-x86_64venv-openstack-keystone-x86_64venv-openstack-magnum-x86_64venv-openstack-manila-x86_64venv-openstack-neutron-x86_64venv-openstack-nova-x86_64venv-openstack-octavia-x86_64venv-openstack-sahara-x86_64venv-openstack-trove-x86_64python-cryptographypython-Djangoardana-monascaardana-sparkopenstack-monasca-apipython-monasca-apiardana-ansibleardana-barbicanardana-cinderardana-clusterardana-cobblerardana-freezerardana-glanceardana-input-modelardana-keystoneardana-mqardana-neutronardana-novaardana-octaviaardana-osconfigardana-serviceardana-service-ansibleardana-sesardana-swiftansibleardana-dbardana-heatardana-manilaardana-tempestdocumentation-suse-openstack-cloud-installationdocumentation-suse-openstack-cloud-operationsdocumentation-suse-openstack-cloud-opsconsoledocumentation-suse-openstack-cloud-planningdocumentation-suse-openstack-cloud-securitydocumentation-suse-openstack-cloud-supplementdocumentation-suse-openstack-cloud-upstream-admindocumentation-suse-openstack-cloud-upstream-userdocumentation-suse-openstack-cloud-usergalera-python-clustercheckopenstack-ec2-apiopenstack-ec2-api-apiopenstack-ec2-api-metadataopenstack-ec2-api-s3openstack-horizon-plugin-ironic-uiopenstack-horizon-plugin-magnum-uiopenstack-horizon-plugin-sahara-uiopenstack-magnumopenstack-magnum-apiopenstack-magnum-conductoropenstack-magnum-docopenstack-monasca-notificationopenstack-monasca-persisteropenstack-muranoopenstack-murano-apiopenstack-murano-docopenstack-murano-engineopenstack-saharaopenstack-sahara-apiopenstack-sahara-docopenstack-sahara-engineopenstack-swiftopenstack-swift-accountopenstack-swift-containeropenstack-swift-docopenstack-swift-objectopenstack-swift-proxyopenstack-tempestopenstack-tempest-testpython-cinderclientpython-cinderclient-docpython-ec2apipython-horizon-plugin-ironic-uipython-horizon-plugin-magnum-uipython-horizon-plugin-sahara-uipython-magnumpython-monasca-commonpython-monasca-notificationpython-monasca-persisterpython-muranopython-os-brickpython-saharapython-swiftpython-tempestvenv-openstack-ceilometer-x86_64venv-openstack-freezer-x86_64venv-openstack-monasca-ceilometer-x86_64venv-openstack-monasca-x86_64venv-openstack-murano-x86_64venv-openstack-swift-x86_64MozillaFirefox-translations-commondnsmasq-utilspostgresql10postgresql10-contribpostgresql10-docspostgresql10-plperlpostgresql10-plpythonpostgresql10-pltclpostgresql10-serverkgraft-patch-4_4_180-94_100-defaultardana-cassandraardana-ceilometerardana-designateardana-horizonardana-ironicardana-loggingardana-magnumardana-memcachedardana-monasca-transformardana-opsconsoleardana-opsconsole-uiardana-tlsopenstack-ceilometeropenstack-ceilometer-agent-centralopenstack-ceilometer-agent-computeopenstack-ceilometer-agent-ipmiopenstack-ceilometer-agent-notificationopenstack-ceilometer-apiopenstack-ceilometer-collectoropenstack-ceilometer-docopenstack-ceilometer-pollingopenstack-dashboard-theme-SUSEopenstack-heat-gbpopenstack-monasca-agentopenstack-monasca-log-apiopenstack-neutron-gbppython-ardana-configurationprocessorpython-ceilometerpython-cinderlmpython-cliffpython-freezerclientpython-freezerclient-docpython-heat-gbppython-ironicclientpython-ironicclient-docpython-magnumclientpython-magnumclient-docpython-monasca-agentpython-monasca-log-apipython-muranoclientpython-muranoclient-docpython-neutron-gbppython-novaclientpython-novaclient-docpython-openstackclientpython-os-client-configpython-os-vifpython-os-winpython-oslo.cachepython-oslo.concurrencypython-oslo.configpython-oslo.config-docpython-oslo.i18npython-oslo.logpython-oslo.messagingpython-oslo.middlewarepython-oslo.policypython-oslo.privseppython-oslo.reportspython-oslo.utilspython-oslo.versionedobjectspython-oslo.vmwarepython-oslotestpython-python-subunitpython-saharaclientpython-saharaclient-docpython-swiftclientpython-swiftclient-docpython-zaqarclientsupportutils-plugin-suse-openstack-clouducode-intellibsolv-toolslibzyppperl-solvpython-solvzypperzypper-logpython-Twistedpython-develpostgresql96-plperlpostgresql96-plpythonpostgresql96-pltclardana-swiftlm-drive-provisionardana-swiftlm-log-tailerardana-swiftlm-uptime-moncaasp-openstack-heat-templatesgrafana-monasca-ui-drilldownopenstack-horizon-plugin-monasca-uiopenstack-horizon-plugin-neutron-fwaas-uiopenstack-monasca-persister-javapython-Beaverpython-horizon-plugin-monasca-uipython-horizon-plugin-neutron-fwaas-uipython-oslo.dbpython-osprofilerpython-swiftlmlibvirt-daemon-hookspython-SQLAlchemykgraft-patch-4_4_180-94_103-defaultpython-urllib3libwebkit2gtk3-langpython-Werkzeugibusibus-gtkibus-gtk3ibus-langlibibus-1_0-5typelib-1_0-IBus-1_0MozillaFirefox-branding-SLEpython-oauthliblibpcap1nfs-clientnfs-docnfs-kernel-servergalera-3-wsrep-providernovncopenstack-horizon-plugin-neutron-vpnaas-uipython-amqppython-horizon-plugin-neutron-vpnaas-uipython-ovspython-pysaml2python-python-engineiorelease-notes-suse-openstack-cloudgdblibseccomp2libseccomp2-32bitkernel-default-kgraftkgraft-patch-4_4_180-94_107-defaultpython-ecdsapermissionshaproxykgraft-patch-4_4_180-94_113-defaultpython-PyKMIPpython-paramikozookeeper-serverpam_radiuspam_radius-32bitlibshibsp-lite6libshibsp6shibboleth-spceph-commonlibcephfs2librados2libradosstriper1librbd1librgw2python-cephfspython-radospython-rbdpython-rgwopenldap2-docopenldap2-ppolicy-check-passwordlibspectre1kgraft-patch-4_4_180-94_116-defaultpython3-PyYAMLpython-rpm-macrosshared-python-startupqemu-block-iscsikgraft-patch-4_4_180-94_121-defaultlibadns1java-1_7_1-ibm-develjava-1_8_0-ibm-develkgraft-patch-4_4_180-94_124-defaultpython3-certifipython3-chardetpython3-requestspython3-urllib3mozilla-nspr-develmozilla-nss-develMozillaFirefox-develansible1kibanaopenstack-octavia-amphora-image-x86_64python-Flaskpython-GitPythonpython-Pillowpython-apicapipython-keystoneauth1python-psutilpython-pyroute2python-toozpython-waitressstormstorm-nimbusstorm-supervisorpython-ipaddressgolang-github-prometheus-node_exporterxrdptypelib-1_0-WebKit2WebExtension-4_0kgraft-patch-4_4_180-94_127-defaultdpdkdpdk-kmp-defaultdpdk-toolsaws-clikgraft-patch-4_4_180-94_130-defaultlibsolv-develperl-DBIpython3-develpython-piplibasan6libasan6-32bitlibatomic1libatomic1-32bitlibgcc_s1libgcc_s1-32bitlibgfortran5libgfortran5-32bitlibgo16libgo16-32bitlibgomp1libgomp1-32bitlibitm1libitm1-32bitliblsan0libobjc4libobjc4-32bitlibquadmath0libquadmath0-32bitlibstdc++6libstdc++6-32bitlibstdc++6-localelibstdc++6-pp-gcc10libstdc++6-pp-gcc10-32bitlibtsan0libubsan1libubsan1-32bitgrafana-natel-discrete-panelpython-Flask-Corspython-ardana-packagerpython-keystoneclientpython-keystoneclient-docpython-keystonemiddlewarepython-kombupython-straight-pluginlibudev-develpostgresqlpostgresql-contribpostgresql-docspostgresql-plperlpostgresql-plpythonpostgresql-pltclpostgresql-serverkernel-firmwareucode-amdkgraft-patch-4_4_180-94_135-defaultbluezlibbluetooth3python-setuptoolspython3-setuptoolspython3-cryptographylibasan5libasan5-32bitlibgo14libgo14-32bitlog4jpython-asn1cryptopython-botocorepython-jsonpatchpython-jsonpointerpython-packagingpython3-asn1cryptopython3-jsonpointerpython3-packagingipmitoolardana-extensions-exampleardana-extensions-nsxkeepalivedopenstack-neutron-vsphereopenstack-neutron-vsphere-docopenstack-neutron-vsphere-dvs-agentopenstack-neutron-vsphere-ovsvapp-agentopenstack-resource-agentspython-congressclientpython-designateclientpython-designateclient-docpython-freezegunpython-ironic-libpython-networking-ciscopython-networking-vspherepython-osc-libpython-oslo.contextpython-oslo.rootwrappython-oslo.serializationpython-oslo.servicepython-stevedorepython-taskflowpython-futureslibzypp-develpython-cffipython-xattrpython3-cffiperl-Mail-SpamAssassinspamassassinlibpcre2-16-0libpcre2-32-0libpcre2-8-0libpcre2-posix2perl-CGIfwupdatefwupdate-efilibfwup0libavahi-glib1libavahi-glib1-32bitkgraft-patch-4_4_180-94_144-defaultlibdjvulibre21graphvizgraphviz-gdgraphviz-gnomegraphviz-tclpython-httplib2libwebp5libwebp5-32bitlibwebpdemux1libwebpmux1caribou-commonlibcaribou0typelib-1_0-Caribou-1_0ImageMagick-config-6-SUSEImageMagick-config-6-upstreamxtermovmfovmf-toolsqemu-ovmf-x86_64arpwatchpython-coloramapython-pexpectpython-ptyprocesspython-sixpython3-sixopenssh-askpass-gnomesystemd-devellinuxptpkgraft-patch-4_4_180-94_147-defaultcassandracassandra-toolspython-elementpathpython-eventletpython-pypython-xmlschemaaspellaspell-ispelllibaspell15libaspell15-32bitmysql-connector-javalibesmtptransfiglibgtk-vnc-1_0-0libgtk-vnc-2_0-0libgvnc-1_0-0python-gtk-vnctypelib-1_0-GVnc-1_0typelib-1_0-GtkVnc-2_0ghostscript-devellibspectre-develsqlite3-develjavapackages-filesystemsparkbinutils-devellibctf-nobfd0libctf0libpcrecpp0libpcreposix0pcre-develselinux-policyselinux-policy-develselinux-policy-minimumkgraft-patch-4_4_180-94_150-defaultglib-networkingglib-networking-langelasticsearchopenstack-monasca-threshkgraft-patch-4_4_180-94_138-defaultscreeninfluxdbpython-Jinja2perl-XML-Twigkgraft-patch-4_4_180-94_141-defaultgit-cvsgit-daemongit-emailgit-guigit-svngit-webgitklibwavpack1liblzma5liblzma5-32bitxzxz-langkgraft-patch-4_4_180-94_161-defaultlibSDL-1_2-0libSDL-1_2-0-32bitaidezshlibrelp0kgraft-patch-4_4_180-94_164-defaultoracleasm-kmp-defaultsysstatsysstat-isagpython-Babelpython-rsarabbitmq-serverrabbitmq-server-pluginsopenstack-monasca-log-metricsopenstack-monasca-log-persisteropenstack-monasca-log-transformerkgraft-patch-4_4_180-94_153-defaultpython-Makoapache2-mod_wsgixerces-j2xerces-j2-xml-apisxerces-j2-xml-resolverkgraft-patch-4_4_180-94_156-defaultlibcaca0python-lxmlpython-sqlparsepython-tornadopython-swift3python-geventnodejs6ruby2.1-rubygem-sprockets-2_12crowbarcrowbar-corecrowbar-core-branding-upstreamcrowbar-develcrowbar-hacrowbar-initcrowbar-openstackcrowbar-uicouchdbdocumentation-suse-openstack-cloud-deploymentruby2.1-rubygem-rackruby2.1-rubygem-activejob-4_2crowbar-core-branding-SOCruby2.1-rubygem-rails-html-sanitizerruby2.1-rubygem-loofahruby2.1-rubygem-easy_diffruby2.1-rubygem-hamlruby2.1-rubygem-actionpack-4_2ruby2.1-rubygem-pumaruby2.1-rubygem-activeresourceruby2.1-rubygem-crowbar-clientruby2.1-rubygem-json-1_7ruby2.1-rubygem-actionview-4_2ruby2.1-rubygem-activesupport-4_2ruby2.1-rubygem-nokogiriruby2.1-rubygem-activerecord-session_storeruby2.1-rubygem-addressableruby2.1-rubygem-activerecord-4_2sleshammer-aarch64sleshammer-ppc64lesleshammer-s390xsleshammer-x86_64ruby2.1-rubygem-redcarpetruby2.1-rubygem-yajl-rubyruby2.1-rubygem-sinatraruby2.1-rubygem-tzinfolibical1libical1-32bitlibncurses5libncurses5-32bitlibncurses6libncurses6-32bitncurses-develncurses-devel-32bitncurses-utilstackterminfoterminfo-baselibtcmu1tcmu-runneryast2-pkg-bindingslibfpm_pb0libospf0libospfapiclient0libquagga_pb0libzebra1liblouis-dataliblouis9python-louispython3-louisSuSEfirewall2shadowtbootlibsaml8opensaml-binopensaml-schemasdpdk-thunderxdpdk-thunderx-kmp-defaultlttng-moduleslttng-modules-kmp-defaultlibxmltooling6xmltooling-schemaslibprocps3procpslibvpx1libqca2libqca2-32bitgnome-shell-search-provider-nautiluslibnautilus-extension1nautilusnautilus-langqemu-uefi-aarch64kernel-azurekernel-azure-basekernel-azure-develkernel-devel-azurekernel-source-azureperl-Archive-Zipkernel-syms-azurelibwireshark9libwiretap7libwsutil8yast2-smtg3utilsmgettylibkpathsea6libqpdf18qpdflibSoundTouch0postgresql-initaxislibXdmcp6libXdmcp6-32bitlibICE6libICE6-32bitpython3-rpmrpm-pythonpam_pkcs11pam_pkcs11-32bitlibexempi3lcms2liblcms2-2liblcms2-2-32bitspice-vdagentlibexiv2-12python3-pyOpenSSLdb48-utilslibdb-4_8libdb-4_8-32bitlibcdio14libcdio14-32bitlibtalloc2libtalloc2-32bitlibtevent0libtevent0-32bitpython-tallocpython-talloc-32bitvirt-installvirt-managervirt-manager-commonPackageKitPackageKit-backend-zyppPackageKit-langlibpackagekit-glib2-18typelib-1_0-PackageKitGlib-1_0rzszboost-license1_54_0libboost_atomic1_54_0libboost_date_time1_54_0libboost_iostreams1_54_0libboost_program_options1_54_0libboost_random1_54_0libboost_regex1_54_0libboost_signals1_54_0libboost_system1_54_0libboost_thread1_54_0atftphostinfoauditaudit-audispd-pluginslibaudit1libaudit1-32bitlibauparse0nmaplibcroco-0_6-3libcroco-0_6-3-32bitkgraft-patch-4_4_140-94_42-defaultkgraft-patch-4_4_143-94_47-defaultkgraft-patch-4_4_155-94_50-defaultkgraft-patch-4_4_156-94_57-defaultkgraft-patch-4_4_156-94_61-defaultkgraft-patch-4_4_156-94_64-defaultkgraft-patch-4_4_162-94_69-defaultkgraft-patch-4_4_162-94_72-defaultkgraft-patch-4_4_175-94_79-defaultkgraft-patch-4_4_176-94_88-defaultkgraft-patch-4_4_178-94_91-defaultkgraft-patch-4_4_180-94_97-defaultlibunwindlibunwind-develpython-numpylibwsman1libwsman_clientpp1openwsman-serveradclilibmemcachedlibmemcached11libmemcachedutil2u-boot-rpi3u-boot-toolssles-bcl-releasepython-M2Cryptopython3-M2Cryptocrash-gcoremokutiliscsiuiolibopeniscsiusr0_2_0open-iscsilibjson-c-devellibgda-5_0-4libgda-5_0-mysqllibgda-5_0-postgreslibgda-5_0-sqlitelibgda-ui-5_0-4sqlite3-tclpostgresql-jdbckpartxmultipath-toolstelnettelnet-serverlibpixman-1-0libpixman-1-0-32bitzabbix-agentvim-data-commonlibpython3_6m1_0python36python36-basepython36-cursespython36-dbmpython36-develpython36-docpython36-idlepython36-testsuitepython36-tkpython36-toolspython-xdgMesaMesa-32bitMesa-libEGL1Mesa-libEGL1-32bitMesa-libGL1Mesa-libGL1-32bitMesa-libGLESv2-2Mesa-libglapi0Mesa-libglapi0-32bitlibgbm1libgbm1-32bitlibxatracker2manfile-rollerfile-roller-langnautilus-file-rolleredgnuplotlibgxps2perl-PlRPCtargetcli-fblesslibqt5-qtimageformatslibQt5Svg5blktracehunspellhunspell-32bithunspell-toolsapache-commons-ioperl-Convert-ASN1python-boto3fastjarlibgrilo-0_3-0liblldp_clif1open-lldpjavapackages-toolslibspeex1libspeex1-32bitlibspeexdsp1libgmp10libgmp10-32bitgettext-runtimegettext-runtime-32bitgettext-toolsaws-cli-py36python36-PyYAMLpython36-appdirspython36-asn1cryptopython36-boto3python36-botocorepython36-certifipython36-cffipython36-chardetpython36-coloramapython36-cryptographypython36-docutilspython36-idnapython36-jmespathpython36-packagingpython36-plypython36-ply-docpython36-pypython36-pyOpenSSLpython36-pyasn1python36-pycparserpython36-pyparsingpython36-pyparsing-docpython36-python-dateutilpython36-requestspython36-rpm-generatorspython36-rpm-macrospython36-rsapython36-s3transferpython36-setuptoolspython36-setuptools-testpython36-setuptools-wheelpython36-simplejsonpython36-sixpython36-six-docpython36-urllib3libyajl2libyajl2-32bitpostgresql13postgresql13-contribpostgresql13-docspostgresql13-plperlpostgresql13-plpythonpostgresql13-pltclpostgresql13-serverfribidifribidi-32bitpostgresql12postgresql12-contribpostgresql12-develpostgresql12-docspostgresql12-llvmjit-develpostgresql12-plperlpostgresql12-plpythonpostgresql12-pltclpostgresql12-serverpostgresql12-server-devellibecpg6-32bitpostgresql14postgresql14-contribpostgresql14-develpostgresql14-devel-minipostgresql14-docspostgresql14-llvmjit-develpostgresql14-plperlpostgresql14-plpythonpostgresql14-pltclpostgresql14-serverpostgresql14-server-develperl-HTTP-Daemonpostgresql-develpostgresql-server-devellibnl1libnl1-32bitlibnl-configlibnl3-200libnl3-200-32bitpython3-lxmlclone-master-clean-uplibopencc2openccopencc-databcelca-certificates-mozillalibblas3liblapack3libharfbuzz-icu0libharfbuzz0libharfbuzz0-32bitdmidecodepostgresql15postgresql15-contribpostgresql15-develpostgresql15-docspostgresql15-plperlpostgresql15-plpythonpostgresql15-pltclpostgresql15-serverpostgresql15-server-devellibiniparser0libiniparser0-32bitlibcap-progslibcap2libcap2-32bitapache2-mod_security2python-configobjgawklibasan8libasan8-32bitlibstdc++6-pplibstdc++6-pp-32bitlibtsan2libasan4libasan4-32bitlibcilkrts5libcilkrts5-32bitlibgfortran4libgfortran4-32bitlibubsan0libubsan0-32bitpostfixpostfix-docpostfix-mysqlpython3-pypostgresql16postgresql16-contribpostgresql16-develpostgresql16-docspostgresql16-plperlpostgresql16-plpythonpostgresql16-pltclpostgresql16-serverpostgresql16-server-devellibhwasan0traceroutesuse-module-toolsmonitoring-plugins-nrpenrpeperl-Net-Serverpython-futurepam-extrapam-extra-32bitpython-idnapython3-idnalibbasicobjects0libcollection4libdhash1libini_config5libpath_utils1libref_array1sysuser-shadowsysuser-toolslibosinfolibosinfo-1_0-0libosinfo-langtypelib-1_0-Libosinfo-1_0libfastjson4libxkbcommon-x11-0libxkbcommon-x11-0-32bitlibxkbcommon0libxkbcommon0-32bitatk-docatk-langlibatk-1_0-0libatk-1_0-0-32bittypelib-1_0-Atk-1_00:1.7.1-6.112.30:52.2.0esr-108.30:13.2+git20140911.61c1681-36.10:0.6.42-14.20:1.0.27.2-15.10:1.9.4-1.60:1.9.2-1.270:1.0.15-6.100:3.1-4.4980:2.4.23-28.10:2.8.2-49.210:1.2.40-5.20:1.0.14-18.30:2.0.8-11.430:3.1.14-7.30:2.5.37-8.10:4.8.6+2.3.3-3.10:2.32.1-16.10:0.3.6-10.10:1.2.0-15.30:5.0.9-27.20:1.13.4-6.20:1.4.16-15.740:0.6.32-30.360:4.3-82.10:6.3-82.10:9.9.9P1-62.10:2.26.1-9.12.10:1.21.1-3.30:1.0.6-29.20:2.3-3.1100:6.5-8.90:0.99.2-32.10:0.1.26-6.30:1.3.3-12.130:1.1.0-147.710:8.25-12.80:2.11-35.10:4.8.5-30.10:2.9.0-7.10:7.1.8-3.90:7.1.8_k4.4.73_5-3.90:4.2-58.30:1.4.11-58.30:5.8-7.10:1.7.5-19.10:1.0.58-17.110:0.2.5-5.10:7.37.0-36.10:1.12.12-181.630:2.1.26-7.10:1.5.2-2.30:1.8.22-28.190:1.8.22-28.140:0.100.2-3.580:4.3.3-9.10:2.76-17.10:3.0.26-6.50:2.2.30.2-14.20:044-113.100:0.7.2-1.20:1.42.11-15.10:103-7.10:0.158-6.10:24.3-19.20:3.20.4-7.70:3.20.1-5.660:2.1.0-20.20:6.3.26-12.30:5.19-9.10:2.11.1-7.10:3.0.14-1.80:2.6.3-7.10.10:2.9.3-5.10:2.1.0-23.10:2.34.0-18.10:2.40.15-4.50:3.10.0.1-52.50:9.15-22.10:5.0.5-12.10:2.12.3-26.10:2.48.2-10.20:2.22-61.30:3.20.0-27.20:3.20.1-49.30:3.20.4-76.30:3.3.27-1.100:2.0.24-8.10:1.5.1-1.120:1.22.2-5.4290:2.02-2.120:1.8.3-9.50:1.8.3-17.20:1.8.3-12.110:1.8.3-15.10:2.24.31-7.110:1.32.4-19.240:2.0.9-8.30:3.7.4-1.390:1.2.1-3.640:7.4.326-16.10:1.6-7.3920:1.0-6.450:3.16.11-1.330:7-13.10:1.4.14-4.110:1.5.0-11.20:0.8.0-18.10:s20121221-2.190:1.1.1-120.2380:1.1.1-255.20:1.7.0.141-42.10:1.7.1_sr4.5-37.10:1.8.0_sr4.5-29.10:1.8.0.131-26.30:1.15.5-8.7.10:0.8.16-5.10:4.4.73-5.10:1.12.5-39.10:1.0.3-1.50:4.7.4-1.130:1.3.0-11.10:3.18-1.190:2.1.0-4.50:6.8.8.1-70.10:5.6.2-5.90:5.6.2-1.310:1.6.2-11.10:1.0.7-3.540:1.1.14-3.600:1.3.2-3.610:5.0.1-7.10:1.5.1-10.30:1.7.4-17.10:1.1.3-3.550:1.0.2-3.580:3.5.11-5.10:1.5.0-6.20:0.9.8-7.10:1.1.4-3.590:1.2.2-7.10:1.0.10-7.10:1.0.8-7.10:1.6.0-18.11.10:1.1.3-3.540:1.5.3-1.770:1.5.1-2.70:3.1.2-25.10:5.3.1+r233831-12.10:0.10.2-3.10:2.29.2-2.30:2.29.2-2.20:1.15.2-24.10:1.9.1-5.10:0.41.rc1-9.10:4.6.5+git.27.6afd48b1083-2.110:1.1.3-3.520:9.6.3-2.10:9.6.3-2.40:2.0.21-4.10:0.6.21-6.40:3.29.5-57.10:7.2d-5.10:1.6.1-16.39.10:0.6.0-5.10:2.0.0-353.6.20:3.20.5-9.60:1.3.1-9.10:0.4-3.830:0.9-6.240:1.3.10-4.10:2.7.1-12.10:52.1-7.10:1.28-4.10:1.2.0-7.310:1.13.4-33.20:2.7-1.20:1.900.14-194.10:2.4.11-23.200:2.12.5-1.120:2.0-12.60:2.0-12.130:1.3.1-30.30:62.1.0-30.10:1.3.1-30.10:8.0.2-30.30:0.11-2.220:4.12.0-10.10:1.3.0-23.10:1.19-17.310:2.4.41-18.29.10:1.1.29-1.130:2.4.2-16.10:5.2.4-6.10:2.08-1.60:2.08-1.130:0.9.30-5.10:0.6.2-15.80:0.8.8.4-13.690:3.1.2-7.10:0.4-14.40:2.1.5-27.860:10.0.30-28.10:0.30.0-3.650:10.66.3-7.10:1.7.1-1.840:1.0.12-12.40:2.1.0-3.10:1.0.2j-59.10:1.1-3.10:4.0.0-9.10:1.40.1-9.50:8.39-7.10:1.8.10-6.10:1.12-19.10:1.2.50-19.10:1.5.22-9.10:1.6.8-14.10:0.113-5.6.10:0.43.0-15.10:0.4.13-16.30:0.4.13-16.60:5.0-4.10:2.7.13-27.10:3.4.6-24.10:4.8.6-7.10:4.8.6-7.30:1.2.4-10.10:2.0.10-3.670:2.1.9-18.10:0.4.8-18.630:1.0.25-35.10:5.7.3-4.20:2.54.1-4.50:0.33-1.330:0.12.8-1.170:3.8.10.2-8.10:1.5.2-2.10:1.4.3-19.10:228-142.10:1.9.1-1.2650:4.9-1.70:1.1.34-12.10:0.1.25-4.20:4.0.7-43.10:1.0.1-16.10:2.1.3-1.140:2.7.1-4.840:1.0.10-2.30:1.1.1-6.730:0.5.0-11.10:3.3.0-4.280:10.1.5-2.170:0.9.9-16.10:1.3.3-8.60:1.3.3-8.230:0.28.2-19.70:2.2.7-47.10:1.10-3.10:3.1.1-12.30:2.9.4-45.10:1.1.28-16.10:0.1.6-7.10:1.2.8-11.10:0.11.1-12.10:3.11.0-1.150:7.4.3-15.650:2.1.17-1.180:12.5-28.10:1.4.33-3.10:2.7-3.10:2.0.2.umip.0.4-19.770:4.13.1-18.10:1.6.0-54.10:4.2.8p10-63.30:0.13.0-1.1220:2.0.0-17.10:7.2p2-69.10:2.3.8-16.17.10:2.7.0-2.290:2.4-724.650:9.20.1-6.10:1.1.8-23.10:12.1-23.60:12.1-23.120:2.4.4-4.50:2.0-1.400:2.7.5-7.10:1.4.25-4.10:5.18.2-11.10:2.82-3.140:4.021-11.10:3.71-1.1780:6.04-5.40:804.031-3.820:2.0019-5.30:0.38-10.10:2.3-5.10:2.5-9.10:1.3.3-5.30:2.7.3-1.170:2.4.7-3.40:3.22-267.30:3.12-25.10:1.5.7-7.50:1.1.7-21.80:16.0.0-2.3.20:0.7.0-4.70:2.8.1-6.16.10:2.9.0-5.100:1.0.0-5.100:1.10.2-5.100:8-5.100:0.99.22.1-15.10:1.9.7-2.170:3.0.25-48.10:0.2.3-23.10:4.11.2-15.10:1.4.7-20.10:3.1.0-12.10:8.24.0-1.200:0.11_git201205151338-8.170:2.1-1.60:1.0.24-3.10:1.4.8-16.10:0.9-23.140:1.7.2.4-3.10:4.3-6.20:3.5.21-25.10:1.4-29.10:5.1.3-25.10:5.00-3.10:1.8.20p2-1.30:3.0-94.10:0.84.0-13.10:2.0-778.10:3.0-10.150:2.88+-99.150:5.1.1-1.170:1.27.1-14.10:4.9.0-13.10:5.2-10.30:8.0.43-23.10:2.0.0-2.10:2.3.4-6.50:5.0.14-3.10:6.00-32.10:1.18.4-14.2160:3.20.2-5.80:1.4.0-26.10:3.0.2-39.10:0.5.3.git20161120-160.10:1.14-20.10:2.2-14.20:2.7.0-264.380:20140630-5.10:4.9.0_08-2.20:2.99.917.770_gcb6ba2da-1.230:4.3.0-12.10:2.3.15-7.70:5.43-5.330:7.6_1-14.80:1.1.0-3.580:7.6-45.70:7.6_1.18.3-71.10:5.22-7.10:3.2.36-1.110:3.2.2-1.290:3.2.11-1.470:2.10-1020.62(x86_64)0:2.12.3-27.14.18(x86_64)0:4.1.2-3.3.1(noarch)0:1.7.12-3.3.1(noarch)0:2.6.6-49.9.1(x86_64)0:3.0.3-3.3.1(x86_64)0:10.2.15-4.3.1(noarch)0:10.2.15-4.3.1(x86_64)0:2.4.10-4.3.1(x86_64)0:4.5.1-4.3.1(x86_64)0:0.9.0.1-5.3.1(x86_64)0:2.4.1-5.4.1(noarch)0:20180622_15.06-3.6.1(noarch)0:2.6.6-49.14.1(noarch)0:5.1.1~dev5-3.5.3(noarch)0:5.1.1~dev5-3.5.4(noarch)0:5.0.1~dev11-3.8.3(noarch)0:11.1.2~dev14-3.6.3(noarch)0:11.1.2~dev14-3.6.4(noarch)0:12.0.4~dev1-3.8.3(noarch)0:5.0.2~dev5-3.5.3(noarch)0:15.0.2~dev4-3.3.3(noarch)0:9.0.5~dev11-3.6.3(noarch)0:9.0.5~dev11-3.6.4(noarch)0:0.0.0+git.1525957319.6b5a7cd-3.3.3(noarch)0:5.0.2~dev5-3.3.5(noarch)0:5.0.1~dev6-3.3.5(noarch)0:5.0.1~dev21-4.3.3(noarch)0:2.10.3~dev4-4.5.5(noarch)0:3.0.3~dev2-3.5.4(noarch)0:9.0.1~dev7-3.3.5(noarch)0:9.1.5~dev7-3.6.3(noarch)0:12.0.1~dev19-5.8.3(noarch)0:5.0.2~dev55-3.6.3(noarch)0:5.0.2~dev55-3.6.4(noarch)0:11.0.6~dev63-3.6.3(noarch)0:11.0.2~dev7-3.5.3(noarch)0:11.0.4~dev4-3.3.4(noarch)0:11.0.4~dev4-3.3.3(noarch)0:11.0.1~dev1-3.3.3(noarch)0:8.0.1~dev12-4.3.3(noarch)0:16.1.5~dev49-3.8.4(noarch)0:8.0.1~dev56-3.3.4(noarch)0:1.0.3~dev21-4.6.3(noarch)0:8.0.1~dev11-3.3.3(noarch)0:4.5.2-4.3.2(noarch)0:0.0.2-3.3.2(noarch)0:1.17.3-3.3.2(noarch)0:11.0.3~dev16-3.3.2(noarch)0:11.0.4~dev7-3.3.2(noarch)0:5.0.1-12.4.1(noarch)0:5.0.1-12.5.1(noarch)0:11.0.2-14.5.1(noarch)0:5.0.1-12.3.1(noarch)0:15.0.1-12.3.1(noarch)0:9.0.1-12.5.1(noarch)0:11.0.2-14.6.1(noarch)0:9.1.3-12.5.1(noarch)0:12.0.1-11.5.1(noarch)0:5.0.2-11.4.1(noarch)0:5.0.2-12.5.1(noarch)0:11.0.2-13.8.1(noarch)0:16.0.3-11.6.1(noarch)0:1.0.2-12.5.1(noarch)0:7.0.1-11.4.1(noarch)0:8.0.0.0-11.4.1(x86_64)0:2.0.3-3.3.1(noarch)0:1.11.11-3.3.1(noarch)0:8.0+git.1535031421.9262a47-3.12.1(noarch)0:8.0+git.1534267176.a5f3a22-3.6.1(x86_64)0:0.10.2.2-5.6.1(noarch)0:2.2.1~dev24-3.6.1(noarch)0:8.0+git.1539739656.0ef51c9-3.46.1(noarch)0:8.0+git.1534266594.8136db7-4.27.2(noarch)0:8.0+git.1535412193.d9ad231-3.27.2(noarch)0:8.0+git.1534266734.ec4822f-3.30.2(noarch)0:8.0+git.1534780521.780753b-3.29.2(noarch)0:8.0+git.1534266805.c9ea29b-3.12.2(noarch)0:8.0+git.1537790499.b15fdea-3.8.2(noarch)0:8.0+git.1539086744.5ae1d6f-3.21.2(noarch)0:8.0+git.1536100286.ddd8d3e-3.15.2(noarch)0:8.0+git.1534267034.f95e1ec-3.5.2(noarch)0:8.0+git.1537805998.7898f24-3.21.2(noarch)0:8.0+git.1537895345.35a03a2-3.14.2(noarch)0:8.0+git.1534267086.b7dbe77-3.8.2(noarch)0:8.0+git.1540330973.aab0174-3.27.1(noarch)0:8.0+git.1537825617.23552c2-3.14.2(noarch)0:8.0+git.1537806377.25b5d68-3.11.2(noarch)0:8.0+git.1539113493.6631423-1.8.2(noarch)0:8.0+git.1534267211.78fb7e3-3.18.2(x86_64)0:2.12.3-27.17.2(noarch)0:2.4.6.0-3.3.1(noarch)0:8.0+git.1553878455.7439e04-3.58.2(noarch)0:8.0+git.1550694449.df88054-3.35.2(noarch)0:8.0+git.1550589454.df2e733-3.22.2(noarch)0:8.0+git.1552935705.e9a92b3-3.9.2(noarch)0:8.0+git.1551748668.7427826-1.15.2(noarch)0:8.0+git.1551113207.9f1db17-3.27.2(noarch)0:8.0+git.1551718533.227cb9e-3.26.2(noarch)0:8.0+git.1553890679.8a50307-3.14.2(noarch)0:8.0+git.1552503158.6b6b195-3.33.2(noarch)0:8.0+git.1551382173.a81d5e1-3.23.2(noarch)0:8.0+git.1554145115.63a4cf2-1.17.2(noarch)0:8.0+git.1551502730.f4d219d-3.24.2(noarch)0:8.0+git.1554307220.ed24e63-3.18.2(noarch)0:8.20190329-1.14.2(noarch)0:0.0+git.1506329536.8f5878c-4.3.2(noarch)0:12.0.4~dev5-3.17.3(noarch)0:5.0.1~dev10-4.6.2(noarch)0:9.0.6~dev17-3.15.3(noarch)0:9.0.6~dev17-3.15.2(noarch)0:0.0.0+git.1553459627.948e8cc-3.9.2(noarch)0:3.0.4~dev3-3.6.2(noarch)0:3.0.1~dev9-3.6.2(noarch)0:7.0.4~dev1-3.6.2(noarch)0:9.1.7~dev7-3.15.3(noarch)0:9.1.7~dev7-3.15.2(noarch)0:12.0.3~dev1-5.16.3(noarch)0:12.0.3~dev1-5.16.2(noarch)0:5.0.2~dev31-4.12.3(noarch)0:5.0.2~dev31-4.12.2(noarch)0:5.0.4~dev17-3.15.3(noarch)0:5.0.4~dev17-3.15.2(noarch)0:2.2.1~dev25-3.9.3(noarch)0:1.10.2~dev2-3.6.3(noarch)0:1.7.1~dev8-3.6.3(noarch)0:4.0.1~dev5-3.6.2(noarch)0:11.0.7~dev100-3.15.3(noarch)0:11.0.7~dev100-3.15.2(noarch)0:11.0.2~dev8-3.11.2(noarch)0:16.1.8~dev53-3.20.3(noarch)0:16.1.8~dev53-3.20.2(noarch)0:1.0.5~dev1-4.15.2(noarch)0:7.0.4~dev1-3.9.3(noarch)0:7.0.4~dev1-3.9.2(noarch)0:2.15.2~dev32-3.6.2(noarch)0:17.0.0-4.6.2(noarch)0:3.1.1-3.3.2(x86_64)0:2.0.3-3.7.2(noarch)0:2.3.1~dev4-4.6.2(noarch)0:1.15.8-3.3.2(noarch)0:5.1.1~dev6-12.14.3(noarch)0:5.0.2~dev2-12.15.3(noarch)0:9.0.7~dev2-12.12.3(noarch)0:11.1.2~dev58-14.15.3(noarch)0:5.0.3~dev6-12.13.3(noarch)0:5.0.0.0~xrc2~dev2-10.10.3(noarch)0:15.0.2~dev9-12.13.3(noarch)0:9.0.6~dev17-12.15.3(noarch)0:12.0.4~dev5-14.20.3(noarch)0:9.1.7~dev7-12.15.3(noarch)0:12.0.3~dev1-11.15.3(noarch)0:5.0.2-11.13.1(noarch)0:5.0.4~dev17-12.17.3(noarch)0:1.5.1-8.9.1(noarch)0:2.2.1-11.11.1(noarch)0:4.0.1-12.9.1(noarch)0:11.0.2-13.17.1(noarch)0:16.1.8~dev53-11.16.3(noarch)0:1.0.5~dev1-12.15.3(noarch)0:7.0.4~dev1-11.14.3(noarch)0:2.15.2-11.9.1(noarch)0:8.0.1~dev12-11.14.3(x86_64)0:10.2.22-4.11.1(noarch)0:10.2.22-4.11.1(x86_64)0:1.4.3-20.9.1(x86_64)0:60.7.2-109.80.1(x86_64)0:2.78-18.6.1(x86_64)0:10.9-1.12.1(x86_64)0:10.9-1.12.2(noarch)0:10.9-1.12.2(noarch)0:2.48.2-12.15.1(x86_64)0:2.48.2-12.15.1(x86_64)0:4.4.180-94.100.1(noarch)0:4.4.180-94.100.1(x86_64)0:1-4.3.1(x86_64)0:60.8.0-109.83.3(x86_64)0:3.44.1-58.28.1(noarch)0:8.0+git.1553878455.7439e04-3.61.1(noarch)0:8.0+git.1534266594.8136db7-4.30.1(noarch)0:8.0+git.1534266612.44dcb20-3.12.1(noarch)0:8.0+git.1534266629.0bb5d54-3.9.1(noarch)0:8.0+git.1558619942.6bd075c-3.36.1(noarch)0:8.0+git.1534266734.ec4822f-3.33.1(noarch)0:8.0+git.1550694449.df88054-3.38.1(noarch)0:8.0+git.1555341117.d812d88-3.25.1(noarch)0:8.0+git.1558636763.f7f09ca-3.14.1(noarch)0:8.0+git.1534266805.c9ea29b-3.15.1(noarch)0:8.0+git.1555450219.97789ac-3.11.1(noarch)0:8.0+git.1555450207.a7d3bfe-3.12.1(noarch)0:8.0+git.1554732431.8f9dd50-3.15.1(noarch)0:8.0+git.1557418274.fb273dd-3.27.1(noarch)0:8.0+git.1534266893.1d69df7-3.6.1(noarch)0:8.0+git.1554915846.db23473-3.24.1(noarch)0:8.0+git.1544117621.1c9a954-3.18.1(noarch)0:8.0+git.1555450198.c42dc52-3.6.1(noarch)0:8.0+git.1551748668.7427826-1.18.1(noarch)0:8.0+git.1534266982.498c352-3.6.1(noarch)0:8.0+git.1557856965.bde9eb2-3.18.1(noarch)0:8.0+git.1534267017.4bbecd9-3.9.1(noarch)0:8.0+git.1549882721.b2e8873-3.13.1(noarch)0:8.0+git.1557523208.81aa1da-3.30.1(noarch)0:8.0+git.1559253853.bb932ea-3.29.1(noarch)0:8.0+git.1557523035.ab44613-3.17.1(noarch)0:8.0+git.1534267103.829be13-3.10.1(noarch)0:8.0+git.1537201508.68c32e6-3.16.1(noarch)0:8.0+git.1557503482.852ec24-3.36.1(noarch)0:8.0+git.1551382173.a81d5e1-3.26.1(noarch)0:8.0+git.1544119019.e68516a-3.17.1(noarch)0:8.0+git.1554912320.73ad306-1.20.1(noarch)0:8.0+git.1539709555.5b31c25-3.12.1(noarch)0:8.0+git.1551502730.f4d219d-3.27.1(noarch)0:8.0+git.1557761054.b971c8f-3.21.1(noarch)0:8.0+git.1534267264.6b1e899-3.6.1(noarch)0:8.20190521-1.17.1(noarch)0:5.1.1~dev7-3.11.2(noarch)0:5.1.1~dev7-3.11.1(noarch)0:5.0.2~dev3-3.14.2(noarch)0:5.0.2~dev3-3.14.1(noarch)0:9.0.8~dev7-3.12.2(noarch)0:9.0.8~dev7-3.12.1(noarch)0:11.2.3~dev5-3.15.2(noarch)0:11.2.3~dev5-3.15.1(noarch)0:12.0.4~dev6-3.20.2(noarch)0:2017.2+git.1554906711.9dbe79b-7.11.1(noarch)0:5.0.3~dev7-3.11.1(noarch)0:9.0.8~dev3-3.18.2(noarch)0:7.0.1~dev1-3.3.1(noarch)0:9.0.1~dev10-3.9.1(noarch)0:9.1.8~dev5-3.18.2(noarch)0:9.1.8~dev5-3.18.1(noarch)0:12.0.4~dev2-5.19.2(noarch)0:12.0.4~dev2-5.19.1(noarch)0:2.2.5~dev2-3.9.2(noarch)0:2.2.1~dev26-3.12.2(noarch)0:2.3.1~dev12-3.6.2(noarch)0:11.0.9~dev28-3.18.2(noarch)0:11.0.9~dev28-3.18.1(noarch)0:11.0.3~dev1-3.14.1(noarch)0:7.3.1~dev28-3.3.1(noarch)0:11.0.4~dev6-3.9.1(noarch)0:11.0.1~dev5-3.12.1(noarch)0:16.1.9~dev3-3.23.2(noarch)0:16.1.9~dev3-3.23.1(noarch)0:8.0.1~dev13-3.9.1(noarch)0:1.11.20-3.7.1(noarch)0:8.0+git.1534266236.fb1623c-6.9.1(noarch)0:0.0.2+git.1541444073.4d3347c-3.6.1(noarch)0:2.8.3-3.6.2(noarch)0:1.5.1-3.3.2(noarch)0:1.17.2-3.3.1(noarch)0:2.7.1-3.3.1(noarch)0:1.17.4-3.6.1(noarch)0:0.14.1-3.3.1(noarch)0:9.1.3-3.6.2(noarch)0:3.12.2-3.3.1(noarch)0:1.15.9-3.6.2(noarch)0:1.28.1-3.3.1(noarch)0:1.7.2-3.3.2(noarch)0:2.2.1-3.3.1(noarch)0:1.25.2-3.3.1(noarch)0:3.21.2-3.3.1(noarch)0:4.11.2-3.3.1(noarch)0:3.17.2-3.3.2(noarch)0:3.30.3-3.3.1(noarch)0:5.30.8-3.8.1(noarch)0:3.30.2-3.3.1(noarch)0:1.25.4-3.6.1(noarch)0:1.22.2-3.3.1(noarch)0:3.28.4-3.6.1(noarch)0:1.26.3-3.6.1(noarch)0:2.23.2-3.3.1(noarch)0:2.17.2-3.3.1(noarch)0:1.2.0-4.3.1(noarch)0:1.3.1-3.3.1(noarch)0:3.4.1-3.3.1(noarch)0:1.7.1-3.3.1(noarch)0:8.0.1551262227.7a7deb6-3.3.1(noarch)0:5.1.1~dev7-12.16.1(noarch)0:5.0.2~dev3-12.17.1(noarch)0:9.0.8~dev7-12.14.1(noarch)0:11.2.3~dev5-14.17.1(noarch)0:5.0.3~dev7-12.15.1(noarch)0:5.0.0.0~xrc2~dev2-10.12.1(noarch)0:15.0.2~dev9-12.15.1(noarch)0:9.0.8~dev3-12.17.1(noarch)0:12.0.4~dev6-14.22.1(noarch)0:9.1.8~dev5-12.17.1(noarch)0:12.0.4~dev2-11.17.1(noarch)0:5.0.2-11.15.1(noarch)0:5.0.4~dev17-12.19.1(noarch)0:1.5.1-8.11.1(noarch)0:2.2.1-11.13.1(noarch)0:4.0.1-12.11.1(noarch)0:11.0.2-13.19.1(noarch)0:16.1.9~dev3-11.18.1(noarch)0:1.0.5~dev1-12.17.1(noarch)0:7.0.4~dev1-11.16.1(noarch)0:2.15.2-11.11.1(noarch)0:8.0.1~dev13-11.16.1(x86_64)0:20190618-13.47.1(x86_64)0:1.0.6-30.5.1(noarch)0:1.0.6-30.5.1(x86_64)0:2.22-62.22.5(noarch)0:2.22-62.22.5(x86_64)0:0.6.36-2.16.2(x86_64)0:16.20.0-2.39.4(x86_64)0:1.13.51-21.26.4(noarch)0:1.13.51-21.26.4(x86_64)0:1.0.6-30.8.1(noarch)0:1.0.6-30.8.1(x86_64)0:0.113-5.18.1(x86_64)0:1.8.0.222-27.35.2(x86_64)0:10.0.38-29.27.3(x86_64)0:3.4.6-25.29.1(x86_64)0:15.2.1-9.5.2(x86_64)0:3.20.2-6.27.1(noarch)0:3.20.2-6.27.1(x86_64)0:3.5.21-26.17.1(x86_64)0:2.7.13-28.31.1(noarch)0:2.7.13-28.31.2(x86_64)0:9.6.15-3.29.1(noarch)0:9.6.15-3.29.1(noarch)0:8.0+git.1560208949.67048e3-3.64.1(noarch)0:8.0+git.1564410318.f0cca2c-3.28.1(noarch)0:8.0+git.1564164977.ef9baeb-3.18.1(noarch)0:8.0+git.1564491709.349d78e-3.14.1(noarch)0:8.0+git.1562848601.c3daff0-3.30.1(noarch)0:8.0+git.1565388406.c6abb8d-3.32.1(noarch)0:8.0+git.1563383198.c7fd9b4-3.39.1(noarch)0:8.0+git.1541434883.e0ebe69-5.9.1(noarch)0:8.0+git.1562849010.73bc517-3.24.1(noarch)0:1.0+git.1560518045.ad7dc6d-4.15.1(noarch)0:8.20190805-1.20.1(noarch)0:0.0+git.1562242499.36b8b64-4.6.1(noarch)0:1.8.1~dev39-3.9.2(noarch)0:11.2.3~dev7-3.18.2(noarch)0:11.2.3~dev7-3.18.1(noarch)0:15.0.3~dev2-3.9.2(noarch)0:15.0.3~dev2-3.9.1(noarch)0:9.0.8~dev11-3.21.2(noarch)0:9.0.8~dev11-3.21.1(noarch)0:1.0.1~dev9-4.6.2(noarch)0:9.1.8~dev7-3.21.2(noarch)0:9.1.8~dev7-3.21.1(noarch)0:12.0.4~dev2-5.22.2(noarch)0:12.0.4~dev2-5.22.1(noarch)0:5.1.1~dev2-3.18.2(noarch)0:5.1.1~dev2-3.18.1(noarch)0:2.2.5~dev5-3.12.1(noarch)0:2.2.2~dev1-3.15.2(noarch)0:1.7.1~dev10-3.9.1(noarch)0:1.7.1~a0~dev2-3.3.1(noarch)0:4.0.2~dev2-3.9.2(noarch)0:4.0.2~dev2-3.9.1(noarch)0:11.0.9~dev42-3.21.2(noarch)0:11.0.9~dev42-3.21.1(noarch)0:7.3.1~dev45-3.6.1(noarch)0:11.0.4~dev6-3.12.1(noarch)0:16.1.9~dev4-3.26.2(noarch)0:16.1.9~dev4-3.26.1(noarch)0:1.0.6~dev2-4.18.1(noarch)0:8.0+git.1502900605.3e0068a-4.3.1(noarch)0:4.25.2-3.6.1(noarch)0:1.11.1-3.3.1(noarch)0:5.0.2_5.0.2_5.0.2~dev31-11.18.1(noarch)0:1.5.1_1.5.1_1.5.1~dev3-8.14.1(noarch)0:2.2.2~dev1-11.16.1(noarch)0:4.0.2~dev2-12.14.1(noarch)0:11.0.9~dev42-13.22.1(x86_64)0:3.3.0-5.40.1(noarch)0:1.11.23-3.12.1(x86_64)0:1.1.12-3.5.1(x86_64)0:4.4.180-94.103.1(noarch)0:4.4.180-94.103.1(x86_64)0:5.18.2-12.20.1(noarch)0:5.18.2-12.20.1(x86_64)0:0.6.36-2.27.19.8(x86_64)0:16.20.2-27.60.4(x86_64)0:1.13.54-18.40.2(noarch)0:1.13.54-18.40.2(noarch)0:2.4.6.0-3.6.1(noarch)0:1.22-5.6.1(x86_64)0:1.7.1_sr4.50-38.41.1(x86_64)0:7.37.0-37.43.1(x86_64)0:2.24.4-2.47.1(noarch)0:2.24.4-2.47.1(noarch)0:0.12.2-3.3.1(x86_64)0:1.8.0_sr5.40-30.54.1(x86_64)0:1.5.13-15.11.2(noarch)0:1.5.13-15.11.2(x86_64)0:1.0.2j-60.55.1(noarch)0:1.0.2j-60.55.1(x86_64)0:60.9.0-109.86.1(x86_64)0:15.2.1-9.8.1(x86_64)0:2.2.31-19.17.1(x86_64)0:10.0.40.1-29.32.1(x86_64)0:9.27-23.28.1(x86_64)0:1.6.1-16.68.1(x86_64)0:68.1.0-109.89.1(x86_64)0:68-32.8.1(noarch)0:0.7.2-3.9.20(x86_64)0:2.32-9.33.1(x86_64)0:1.8.20p2-3.14.1(x86_64)0:1.8.1-10.3.1(x86_64)0:4.9.2-14.14.1(x86_64)0:4.9.4_04-3.56.2(x86_64)0:1.3.0-34.22.1(noarch)0:8.0+git.1566374355.c509923-3.67.3(noarch)0:8.0+git.1566376789.be0fe01-3.17.3(noarch)0:8.0+git.1565816064.5d4f73f-3.18.3(noarch)0:8.0+git.1566517401.98450e6-3.33.3(noarch)0:8.0+git.1568835837.2452e7a-1.21.3(noarch)0:8.0+git.1568220097.74ee4b4-3.33.3(noarch)0:8.0+git.1566902754.c58ff69-3.35.3(noarch)0:8.0+git.1568373448.bcaee7e-3.20.3(noarch)0:8.0+git.1566471887.fd2fec7-3.27.3(x86_64)0:25.3.25-4.6.3(x86_64)0:4.6.5-4.6.3(x86_64)0:3.1.2-3.12.3(x86_64)0:10.2.25-4.14.2(noarch)0:10.2.25-4.14.2(noarch)0:1.0.0-3.6.3(noarch)0:11.2.3~dev16-3.21.4(noarch)0:11.2.3~dev16-3.21.3(noarch)0:15.0.3~dev3-3.12.4(noarch)0:15.0.3~dev3-3.12.3(noarch)0:9.0.8~dev13-3.24.4(noarch)0:9.0.8~dev13-3.24.3(noarch)0:1.0.1~dev3-3.6.4(noarch)0:12.0.4~dev4-5.27.4(noarch)0:12.0.4~dev4-5.27.3(noarch)0:20190923_16.32-3.9.3(noarch)0:11.0.9~dev51-3.24.5(noarch)0:11.0.9~dev51-3.24.4(noarch)0:7.3.1~dev56-3.9.4(noarch)0:11.0.4~dev6-3.15.4(noarch)0:16.1.9~dev7-3.29.3(noarch)0:2.2.2-3.6.3(x86_64)0:2.7.2-3.6.1(noarch)0:4.0.2-5.3.3(noarch)0:2.0.2-3.3.3(noarch)0:1.22-5.9.3(noarch)0:8.20190911-3.20.3(noarch)0:5.1.1~dev7-12.20.2(noarch)0:5.0.2~dev3-12.21.2(noarch)0:9.0.8~dev7-12.18.2(noarch)0:11.2.3~dev16-14.21.2(noarch)0:5.0.3~dev7-12.19.2(noarch)0:5.0.0.0~xrc2~dev2-10.16.2(noarch)0:15.0.3~dev3-12.19.2(noarch)0:9.0.8~dev13-12.21.2(noarch)0:12.0.4~dev6-14.26.2(noarch)0:9.1.8~dev7-12.21.2(noarch)0:12.0.4~dev4-11.22.3(noarch)0:5.0.2_5.0.2_5.0.2~dev31-11.20.2(noarch)0:5.1.1~dev2-12.23.2(noarch)0:1.5.1_1.5.1_1.5.1~dev3-8.16.2(noarch)0:2.2.2~dev1-11.18.2(noarch)0:4.0.2~dev2-12.16.2(noarch)0:11.0.9~dev51-13.24.3(noarch)0:16.1.9~dev7-11.22.3(noarch)0:1.0.6~dev2-12.21.2(noarch)0:7.0.4~dev1-11.20.2(noarch)0:2.15.2-11.13.3(noarch)0:8.0.1~dev13-11.20.2(x86_64)0:68.2.0-109.95.2(x86_64)0:4.6.16+git.169.064abe062be-3.46.1(noarch)0:4.6.16+git.169.064abe062be-3.46.1(x86_64)0:8.3.1-2.14.1(x86_64)0:1.4.3-20.14.1(x86_64)0:2.4.1-11.3.2(x86_64)0:4.4.180-94.107.1(noarch)0:4.4.180-94.107.1(x86_64)0:20191112-13.53.1(x86_64)0:1.5.3-31.19.1(x86_64)0:62.2.0-31.19.1(x86_64)0:8.1.2-31.19.1(x86_64)0:9.27-23.31.1(x86_64)0:20191112a-13.56.1(noarch)0:0.13.3-5.10.1(x86_64)0:3.8.10.2-9.15.1(x86_64)0:1.7.5-20.26.1(x86_64)0:0.100.3-33.26.1(x86_64)0:2.1.17-3.11.1(x86_64)0:1.7.0.241-43.30.1(x86_64)0:0.100.3-33.29.1(x86_64)0:2015.09.28.1626-17.20.1(x86_64)0:5.1.3-26.13.1(noarch)0:5.1.3-26.13.1(x86_64)0:1.6.11-11.3.1(x86_64)0:4.9.4_06-3.59.1(x86_64)0:2.12.3-27.22.1(x86_64)0:68.3.0-109.98.1(x86_64)0:4.4.180-94.113.1(noarch)0:4.4.180-94.113.1(x86_64)0:1-4.5.1(noarch)0:0.6.0-3.3.1(noarch)0:2.2.4-4.3.1(x86_64)0:25.3.24-4.3.1(x86_64)0:3.0.6-3.6.1(x86_64)0:10.2.21-4.8.1(noarch)0:10.2.21-4.8.1(x86_64)0:3.0.15-2.14.1(x86_64)0:1.7.5-20.29.1(noarch)0:8.0+git.1583432621.24fa60e-3.70.1(noarch)0:8.0+git.1585152761.8ef3d61-4.33.1(noarch)0:8.0+git.1583944923.03cca6c-3.31.1(noarch)0:8.0+git.1583944894.38f023a-3.24.1(noarch)0:8.0+git.1583944811.dc14403-3.19.1(noarch)0:8.0+git.1584715262.e4ea620-3.39.1(noarch)0:8.0+git.1585171918.418f5cf-3.26.1(noarch)0:8.0+git.1585311051.6ab5488-3.33.1(noarch)0:8.20200319-1.23.1(x86_64)0:1.5.17-3.3.1(noarch)0:5.1.1~dev5-3.26.2(noarch)0:5.1.1~dev5-3.26.1(noarch)0:11.0.9~dev63-3.30.2(noarch)0:11.0.9~dev63-3.30.1(noarch)0:16.1.9~dev61-3.35.2(noarch)0:16.1.9~dev61-3.35.1(x86_64)0:4.1.2-3.6.1(noarch)0:2.4.2-3.9.1(noarch)0:5.1.1~dev7-12.24.1(noarch)0:5.0.2~dev3-12.25.1(noarch)0:9.0.8~dev7-12.22.1(noarch)0:11.2.3~dev23-14.25.1(noarch)0:5.0.3~dev7-12.23.1(noarch)0:5.0.0.0~xrc2~dev2-10.20.1(noarch)0:15.0.3~dev3-12.23.1(noarch)0:9.0.8~dev22-12.25.1(noarch)0:9.1.8~dev8-12.25.1(noarch)0:12.0.4~dev5-11.26.1(noarch)0:5.0.2_5.0.2_5.0.2~dev31-11.24.1(noarch)0:5.1.1~dev5-12.29.1(noarch)0:1.5.1_1.5.1_1.5.1~dev3-8.20.1(noarch)0:4.0.2~dev2-12.20.1(noarch)0:11.0.9~dev63-13.28.1(noarch)0:16.1.9~dev61-11.26.1(noarch)0:1.0.6~dev3-12.25.1(noarch)0:7.0.5~dev4-11.24.1(noarch)0:8.0.2~dev2-11.24.1(noarch)0:3.4.10-3.6.1(x86_64)0:1.3.16-239.4.1(x86_64)0:2.28.1-2.50.3(noarch)0:2.28.1-2.50.3(x86_64)0:2.5.5-6.6.1(x86_64)0:12.2.12+git.1587570958.35d78d0243-2.45.1(x86_64)0:0.9.9-17.19.1(x86_64)0:52.1-8.10.1(x86_64)0:2.4.41-18.68.1(noarch)0:2.4.41-18.68.1(x86_64)0:1.2-18.68.1(x86_64)0:2.28.2-2.53.2(noarch)0:2.28.2-2.53.2(x86_64)0:9.52-23.34.1(x86_64)0:0.2.7-12.10.1(x86_64)0:68.8.0-109.119.1(x86_64)0:3.5.21-26.23.1(x86_64)0:2.4.23-29.54.1(noarch)0:2.4.23-29.54.1(x86_64)0:4.4.180-94.116.1(noarch)0:4.4.180-94.116.1(x86_64)0:5.1.2-26.12.1(x86_64)0:2.26.2-27.36.1(x86_64)0:2.1.17-3.20.1(noarch)0:8.0.53-29.27.1(x86_64)0:2.7.17-28.42.1(noarch)0:2.7.17-28.42.1(noarch)0:20200207.5feb6c1-3.19.1(noarch)0:0.1-1.3.1(x86_64)0:1.0.3-3.3.1(x86_64)0:0.6.22-8.9.1(x86_64)0:2.9.1-6.44.1(noarch)0:1.0.0+-6.44.1(noarch)0:1.10.2-6.44.1(noarch)0:8-6.44.1(x86_64)0:7.4.326-17.6.1(noarch)0:7.4.326-17.6.1(x86_64)0:68.9.0-109.123.1(x86_64)0:2.1.9-19.3.2(x86_64)0:1.7.0.261-43.38.8(x86_64)0:1.6.0-18.28.1(x86_64)0:20200602-13.68.1(x86_64)0:4.4.180-94.121.1(noarch)0:4.4.180-94.121.1(x86_64)0:0.5.0-12.3.1(x86_64)0:1.4-103.3.1(x86_64)0:10.0.40.4-29.41.3(x86_64)0:4.9.4_06-3.62.1(x86_64)0:5.18.2-12.23.1(noarch)0:5.18.2-12.23.1(x86_64)0:1.7.1_sr4.65-38.53.1(x86_64)0:1.8.0_sr6.10-30.69.1(x86_64)0:1.8.0.252-27.45.6(x86_64)0:4.4.180-94.124.1(noarch)0:4.4.180-94.124.1(x86_64)0:7.37.0-37.47.1(x86_64)0:12.2.13+git.1592168685.85110a3e9d-2.50.1(noarch)0:8.0.53-29.32.1(noarch)0:2018.4.16-3.6.1(noarch)0:3.0.4-5.6.1(noarch)0:2.20.1-5.2(noarch)0:1.22-3.20.1(x86_64)0:1.10.1-55.11.1(i586|x86_64)0:3.5.21-26.26.1(x86_64)0:4.2.8p15-88.1(x86_64)0:3.53.1-58.48.1(x86_64)0:4.25-19.15.1(x86_64)0:2.4.41-18.71.2(noarch)0:2.4.41-18.71.2(x86_64)0:1.2-18.71.2(x86_64)0:4.9.4_08-3.66.1(x86_64)0:78.0.1-112.3.1(x86_64)0:78-35.3.1(noarch)0:2.4.6.0-3.9.1(noarch)0:1.9.6-7.3.1(noarch)0:8.0+git.1589740980.6c3bcdc-3.73.1(noarch)0:8.0+git.1585685203.3e71e49-3.36.1(noarch)0:8.0+git.1586539529.b7d295f-3.21.1(noarch)0:8.0+git.1589740934.0e0ad61-3.39.1(noarch)0:8.0+git.1591194866.b7375d0-3.24.1(noarch)0:8.0+git.1589715269.62ad6df-3.22.1(noarch)0:8.0+git.1590756744.ba84abc-3.42.1(noarch)0:8.0+git.1590100427.cf4cc8f-3.29.1(noarch)0:8.0+git.1587034587.eac37b8-3.45.1(noarch)0:1.0+git.1560518045.ad7dc6d-4.18.1(noarch)0:8.20200527-1.26.1(x86_64)0:4.6.5-4.9.1(x86_64)0:4.6.3-3.3.1(noarch)0:12.0.5~dev3-3.26.1(noarch)0:0.0.0+git.1582270132.8a20477-3.15.1(noarch)0:12.0.4~dev11-5.33.2(noarch)0:2.2.6~dev4-3.18.1(noarch)0:20190923_16.32-3.12.1(noarch)0:11.0.9~dev65-3.33.2(noarch)0:0.1.4-3.12.2(noarch)0:1.11.23-3.15.1(noarch)0:0.12.1-3.3.1(noarch)0:2.1.8-3.3.1(x86_64)0:4.2.1-3.5.1(noarch)0:2.4.2-3.12.1(noarch)0:1.6.0-3.6.1(noarch)0:3.1.2~dev2-3.3.1(noarch)0:5.30.8-3.11.1(x86_64)0:5.2.2-3.3.1(noarch)0:0.4.21-3.3.1(noarch)0:4.0.2-5.6.1(noarch)0:1.58.1-3.3.1(noarch)0:1.4.3-3.3.1(x86_64)0:1.1.3-3.3.1(noarch)0:5.1.1~dev7-12.26.2(noarch)0:5.0.2~dev3-12.27.2(noarch)0:9.0.8~dev7-12.24.2(noarch)0:11.2.3~dev23-14.27.2(noarch)0:5.0.3~dev7-12.25.2(noarch)0:5.0.0.0~xrc2~dev2-10.22.1(noarch)0:15.0.3~dev3-12.25.1(noarch)0:9.0.8~dev22-12.27.1(noarch)0:12.0.5~dev3-14.30.1(noarch)0:9.1.8~dev8-12.27.2(noarch)0:12.0.4~dev11-11.28.2(noarch)0:5.0.2_5.0.2_5.0.2~dev31-11.26.2(noarch)0:5.1.1~dev5-12.31.2(noarch)0:1.5.1_1.5.1_1.5.1~dev3-8.22.2(noarch)0:2.2.2~dev1-11.22.3(noarch)0:4.0.2~dev2-12.22.1(noarch)0:11.0.9~dev65-13.30.2(noarch)0:16.1.9~dev61-11.28.2(noarch)0:1.0.6~dev3-12.27.2(noarch)0:7.0.5~dev4-11.26.2(noarch)0:2.15.2_2.15.2_2.15.2~dev32-11.18.1(noarch)0:8.0.2~dev2-11.26.1(x86_64)0:9.9.9P1-63.17.1(noarch)0:9.9.9P1-63.17.1(noarch)0:1.0.18-3.3.1(x86_64)0:3.5.21-26.29.1(noarch)0:2.6.6-49.26.3(x86_64)0:0.18.1-1.6.2(x86_64)0:0.9.0~git.1456906198.f422461-21.27.1(x86_64)0:2.1.17-3.23.1(x86_64)0:4.6.16+git.186.c6d77b0d5a6-3.52.1(noarch)0:4.6.16+git.186.c6d77b0d5a6-3.52.1(x86_64)0:2.28.3-2.56.1(noarch)0:2.28.3-2.56.1(x86_64)0:2.02-4.53.1(noarch)0:2.02-4.53.1(x86_64)0:9.52-23.39.1(x86_64)0:78.1.0-112.8.1(x86_64)0:1.6.2-12.8.1(noarch)0:1.6.2-12.8.1(x86_64)0:1.10-4.5.1(x86_64)0:4.4.180-94.127.1(noarch)0:4.4.180-94.127.1(noarch)0:1.0.18-3.13.1(x86_64)0:0.9.9-17.31.1(x86_64)0:4.9.4_10-3.71.1(x86_64)0:16.11.9-8.15.13(x86_64)0:16.11.9_k4.4.180_94.127-8.15.13(x86_64)0:1.6.2-12.12.1(noarch)0:1.6.2-12.12.1(x86_64)0:3.1.1-13.3.6(x86_64)0:2.28.4-2.59.1(noarch)0:2.28.4-2.59.1(x86_64)0:2.2.31-19.22.1(x86_64)0:2.02-4.61.1(noarch)0:2.02-4.61.1(x86_64)0:4.6.16+git.174.c2fd2e28c84-3.49.1(noarch)0:4.6.16+git.174.c2fd2e28c84-3.49.1(x86_64)0:7.6_1.18.3-76.26.1(x86_64)0:1.8.0_sr6.0-30.60.1(x86_64)0:7.6_1.18.3-76.29.1(x86_64)0:2.4.23-29.63.1(noarch)0:2.4.23-29.63.1(x86_64)0:1.8.0_sr6.15-30.72.1(x86_64)0:3.5.21-26.32.1(x86_64)0:1.6.2-12.15.1(noarch)0:1.6.2-12.15.1(x86_64)0:1.7.1_sr4.70-38.56.1(noarch)0:1.16.297-22.11.1(x86_64)0:78.2.0-112.19.2(x86_64)0:4.4.180-94.130.1(noarch)0:4.4.180-94.130.1(x86_64)0:1.8.0.242-27.41.1(noarch)0:8.0.53-29.37.1(x86_64)0:15+git47-25.11.1(x86_64)0:0.6.36-2.30.1(x86_64)0:1.628-5.3.1(x86_64)0:3.4.10-25.52.1(x86_64)0:4.1.2-3.9.1(x86_64)0:4.6.16+git.237.40a3f495f75-3.55.1(noarch)0:4.6.16+git.237.40a3f495f75-3.55.1(noarch)0:9.0.1-3.3.1(x86_64)0:5.6.2-6.25.1(x86_64)0:78.3.0-112.22.1(x86_64)0:4.9.4_12-3.74.1(x86_64)0:1.628-5.6.1(x86_64)0:1.7.0.271-43.41.1(x86_64)0:1.6.0-27.1(x86_64)0:0.4.13-18.3.1(x86_64)0:2.6.3-7.18.1(x86_64)0:2.22-113.4(noarch)0:2.22-113.4(x86_64)0:78.4.0-112.28.1(x86_64)0:0.12.8-15.1(x86_64)0:0.33-3.9.1(x86_64)0:4.6.16+git.248.c833312e640-3.58.1(noarch)0:4.6.16+git.248.c833312e640-3.58.1(x86_64)0:3.3.0-5.46.1(x86_64)0:1.0.31-4.3.1(noarch)0:3.1-6.3.1(x86_64)0:5.6.2-6.22.1(x86_64)0:1.8.0.272-27.48.1(x86_64)0:10.2.1+git583-1.3.5(x86_64)0:20201027-13.76.1(x86_64)0:2.9.14-3.15.1(noarch)0:8.0+git.1596735237.54109b1-3.77.1(noarch)0:8.0+git.1596129856.263f430-3.43.1(noarch)0:8.0+git.1593631779.76fa9b7-3.24.1(noarch)0:8.0+git.1593618123.678c32b-3.26.1(noarch)0:8.0+git.1601298847.dd01585-3.42.1(noarch)0:8.0+git.1595885113.93abcbc-3.49.1(noarch)0:8.20201007-1.29.1(x86_64)0:6.7.4-4.12.1(noarch)0:0.0.9-3.3.6(noarch)0:11.2.3~dev29-3.28.2(noarch)0:11.2.3~dev29-3.28.1(noarch)0:20190923_16.32-3.15.1(noarch)0:11.0.9~dev69-3.37.2(noarch)0:11.0.9~dev69-3.37.1(noarch)0:16.1.9~dev76-3.39.2(noarch)0:16.1.9~dev76-3.39.1(noarch)0:1.11.29-3.19.2(noarch)0:3.0.3-3.3.1(x86_64)0:4.2.1-3.9.2(noarch)0:0.0.3-7.7.2(noarch)0:3.13.1-3.3.2(noarch)0:4.17.1-5.3.1(noarch)0:4.1.0-3.7.1(noarch)0:1.5.0-1.3.1(noarch)0:1.22-5.12.1(noarch)0:8.20200922-3.23.1(x86_64)0:1.2.3-3.6.1(noarch)0:5.1.1~dev7-12.28.1(noarch)0:5.0.2~dev3-12.29.1(noarch)0:9.0.8~dev7-12.26.1(noarch)0:11.2.3~dev29-14.30.1(noarch)0:5.0.3~dev7-12.27.1(noarch)0:5.0.0.0~xrc2~dev2-10.24.1(noarch)0:15.0.3~dev3-12.27.1(noarch)0:9.0.8~dev22-12.29.1(noarch)0:12.0.5~dev3-14.32.1(noarch)0:9.1.8~dev8-12.29.1(noarch)0:12.0.4~dev11-11.30.1(noarch)0:5.0.2_5.0.2_5.0.2~dev31-11.28.1(noarch)0:5.1.1~dev5-12.33.1(noarch)0:1.5.1_1.5.1_1.5.1~dev3-8.24.1(noarch)0:2.2.2~dev1-11.24.1(noarch)0:4.0.2~dev2-12.24.1(noarch)0:11.0.9~dev69-13.32.1(noarch)0:16.1.9~dev76-11.30.1(noarch)0:1.0.6~dev3-12.29.1(noarch)0:7.0.5~dev4-11.28.1(noarch)0:2.15.2_2.15.2_2.15.2~dev32-11.21.1(noarch)0:8.0.2~dev2-11.28.1(x86_64)0:228-150.82.1(noarch)0:228-150.82.1(x86_64)0:1.7.0.281-43.44.2(x86_64)0:2.4.41-18.77.1(noarch)0:2.4.41-18.77.1(x86_64)0:1.2-18.77.1(x86_64)0:78.4.1-112.32.1(x86_64)0:12.4-3.5.1(noarch)0:12.0.1-4.4.1(x86_64)0:10.14-4.4.1(noarch)0:10.14-4.4.1(x86_64)0:9.6.19-6.4.1(noarch)0:9.6.19-6.4.1(x86_64)0:2.0.15-5.3.1(noarch)0:20170530-21.31.1(x86_64)0:1.12.5-40.40.2(x86_64)0:10.15-4.9.1(noarch)0:10.15-4.9.1(x86_64)0:9.6.20-6.8.1(noarch)0:9.6.20-6.8.1(x86_64)0:4.4.180-94.135.1(noarch)0:4.4.180-94.135.1(x86_64)0:20201118-13.81.1(x86_64)0:5.13-5.23.1(x86_64)0:78.5.0-112.36.1(x86_64)0:0.9.9-17.34.1(x86_64)0:7.6_1.18.3-76.37.1(noarch)0:40.6.2-4.18.1(x86_64)0:3.4.10-25.58.1(x86_64)0:3.10.0.1-54.17.2(noarch)0:3.10.0.1-54.17.2(x86_64)0:2.1.4-7.31.1(x86_64)0:12.5-3.9.3(x86_64)0:4.9.4_14-3.77.1(x86_64)0:1.10.1-55.18.1(x86_64)0:1.8.22-29.17.12(x86_64)0:1.8.22-29.17.7(x86_64)0:1.0.2j-60.63.1(noarch)0:1.0.2j-60.63.1(x86_64)0:2.7.17-28.59.1(noarch)0:2.7.17-28.59.1(x86_64)0:68.5.0-109.106.1(x86_64)0:78.6.0-112.39.1(x86_64)0:0.103.0-33.32.1(x86_64)0:2.1.26-8.13.1(x86_64)0:9.2.1+r275327-1.3.9(x86_64)0:4.9.4_16-3.80.1(x86_64)0:1.8.20p2-3.17.1(x86_64)0:2.78-18.12.1(x86_64)0:1.7.1_sr4.60-38.47.1(x86_64)0:0.6.21-8.6.1(x86_64)0:1.0.2j-60.60.1(noarch)0:1.0.2j-60.60.1(x86_64)0:2.4.7-4.3.1(x86_64)0:3.4.10-25.39.2(x86_64)0:3.4.10-25.39.3(x86_64)0:10.0.40.2-29.35.1(x86_64)0:1.7.1_sr4.55-38.44.1(x86_64)0:10.0.40.3-29.38.1(x86_64)0:1.8.0_sr6.5-30.63.1(noarch)0:1.2.15-126.3.1(x86_64)0:2015.09.28.1626-17.27.1(x86_64)0:5.1.2-26.9.4(noarch)0:0.24.0-2.5.1(noarch)0:1.12.213-28.12.1(noarch)0:1.1-10.4.1(noarch)0:1.0-10.3.1(noarch)0:17.1-2.5.1(x86_64)0:1.6.8-15.5.2(x86_64)0:9.6.17-3.33.1(noarch)0:9.6.17-3.33.1(x86_64)0:1.7.0.251-43.35.1(x86_64)0:1.8.18-5.9.1(noarch)0:8.0+git.1579279939.ee7da88-3.39.3(noarch)0:8.0+git.1575037115.0326803-3.41.3(noarch)0:8.0+git.1573597788.15b7984-3.17.3(noarch)0:8.0+git.1534266307.db1ec28-3.3.3(noarch)0:8.0+git.1567529036.a41a037-3.6.4(noarch)0:8.0+git.1571846045.ab9e3ea-3.20.3(noarch)0:8.0+git.1571777596.14dce6a-3.15.3(noarch)0:8.0+git.1582147997.b9ed134-3.36.3(noarch)0:8.0+git.1571845225.006843d-3.9.3(noarch)0:8.0+git.1573147067.09e3ea0-3.27.3(noarch)0:8.0+git.1572452293.e65d714-3.21.3(noarch)0:8.0+git.1572527728.9b34bdf-3.21.3(noarch)0:8.0+git.1571845965.97714fb-3.12.3(noarch)0:8.0+git.1581024906.fbf0be3-3.16.3(noarch)0:8.0+git.1573050365.ff6fa06-3.36.3(noarch)0:8.0+git.1571846125.584d988-3.38.3(noarch)0:8.0+git.1575642049.1f321d0-3.23.3(noarch)0:8.0+git.1581015942.2d21e63-3.42.3(noarch)0:8.0+git.1579261264.7dd213a-3.30.3(x86_64)0:2.0.19-3.6.3(x86_64)0:10.2.31-4.17.3(noarch)0:10.2.31-4.17.3(noarch)0:11.2.3~dev23-3.24.4(noarch)0:11.2.3~dev23-3.24.3(noarch)0:12.0.5~dev2-3.23.4(noarch)0:2017.2+git.1573629528.6b21fa5-7.14.3(noarch)0:9.0.8~dev22-3.27.4(noarch)0:9.0.8~dev22-3.27.3(noarch)0:0.0.0+git.1560033670.e3b5a52-3.12.3(noarch)0:5.0.3~dev2-3.9.3(noarch)0:3.0.3~dev5-3.14.3(noarch)0:9.1.8~dev8-3.24.4(noarch)0:9.1.8~dev8-3.24.3(noarch)0:12.0.4~dev5-5.30.4(noarch)0:12.0.4~dev5-5.30.3(noarch)0:2.2.5~dev5-3.15.2(noarch)0:11.0.9~dev60-3.27.4(noarch)0:11.0.9~dev60-3.27.3(noarch)0:7.3.1~dev72-3.12.3(noarch)0:2.0.1~dev133-3.12.3(noarch)0:16.1.9~dev49-3.32.4(noarch)0:16.1.9~dev49-3.32.3(noarch)0:1.0.6~dev3-4.21.3(noarch)0:0.1.2-3.9.3(noarch)0:1.0+git.1569436425.8b9c49f-3.3.3(noarch)0:7.0.5~dev4-3.12.4(noarch)0:7.0.5~dev4-3.12.3(noarch)0:8.0.2~dev2-3.12.3(noarch)0:0.0.2+git.1571845893.27f0b7b-3.9.3(noarch)0:1.8.1-3.3.4(noarch)0:2.7.1-3.3.4(noarch)0:0.3.9-1.3.3(noarch)0:2.10.2-3.3.3(noarch)0:6.1.1~dev65-3.3.3(noarch)0:1.7.1-3.3.3(noarch)0:2.17.2-3.3.3(noarch)0:5.9.3-3.3.3(noarch)0:2.20.3-3.3.3(noarch)0:1.25.2-3.3.3(noarch)0:2.14.2-3.3.3(noarch)0:5.1.1~dev7-12.22.2(noarch)0:5.0.2~dev3-12.23.2(noarch)0:9.0.8~dev7-12.20.2(noarch)0:11.2.3~dev23-14.23.2(noarch)0:5.0.3~dev7-12.21.2(noarch)0:5.0.0.0~xrc2~dev2-10.18.2(noarch)0:15.0.3~dev3-12.21.2(noarch)0:9.0.8~dev22-12.23.2(noarch)0:12.0.5~dev2-14.28.2(noarch)0:9.1.8~dev8-12.23.2(noarch)0:12.0.4~dev5-11.24.2(noarch)0:5.0.2_5.0.2_5.0.2~dev31-11.22.2(noarch)0:5.1.1~dev2-12.25.2(noarch)0:1.5.1_1.5.1_1.5.1~dev3-8.18.2(noarch)0:2.2.2~dev1-11.20.2(noarch)0:4.0.2~dev2-12.18.2(noarch)0:11.0.9~dev60-13.26.2(noarch)0:16.1.9~dev49-11.24.2(noarch)0:1.0.6~dev3-12.23.2(noarch)0:7.0.5~dev4-11.22.2(noarch)0:2.15.2_2.15.2_2.15.2~dev32-11.16.3(noarch)0:8.0.2~dev2-11.22.2(noarch)0:5.1.1~dev2-3.23.1(noarch)0:5.1.1~dev2-12.27.1(x86_64)0:3.5.21-26.20.1(x86_64)0:68.4.1-109.101.1(x86_64)0:10.12-1.18.1(noarch)0:10.12-1.18.1(x86_64)0:68.6.0-109.110.1(noarch)0:8.0.53-29.22.1(noarch)0:1.13.33-28.20.1(noarch)0:3.0.2-15.3.1(x86_64)0:16.21.2-2.45.1(x86_64)0:1.11.2-5.11.1(x86_64)0:2.1.4-7.28.2(x86_64)0:0.7.5-6.3.2(x86_64)0:3.4.2-44.8.1(x86_64)0:3.4.10-25.45.1(x86_64)0:3.47.1-58.34.1(x86_64)0:4.23-19.12.1(x86_64)0:1.1.28-17.9.1(x86_64)0:68.6.1-109.113.1(x86_64)0:68.7.0-109.116.1(x86_64)0:2.26.0-27.27.1(x86_64)0:10.34-1.3.1(noarch)0:4.38-1.3.1(x86_64)0:0.5-10.10.1(x86_64)0:3.4.5-44.13.1(x86_64)0:7.6_1.18.3-76.40.1(x86_64)0:0.103.2-33.35.1(x86_64)0:2.9.1-6.47.1(noarch)0:1.0.0+-6.47.1(noarch)0:1.10.2_0_g5f4c7b1-6.47.1(noarch)0:8-6.47.1(x86_64)0:4.9.4_16-3.83.1(x86_64)0:1.8.20p2-3.23.1(x86_64)0:78.10.0-112.57.2(x86_64)0:2.7.1-13.3.1(x86_64)0:3.10.0.1-54.20.1(noarch)0:3.10.0.1-54.20.1(noarch)0:8.0.53-29.46.1(x86_64)0:1.7.0.291-43.47.3(x86_64)0:1.7.5-20.36.1(x86_64)0:9.9.9P1-63.25.1(noarch)0:9.9.9P1-63.25.1(x86_64)0:4.6.16+git.282.cfafed5922a-3.61.1(noarch)0:4.6.16+git.282.cfafed5922a-3.61.1(x86_64)0:0.6.32-32.15.1(noarch)0:0.6.32-32.15.1(x86_64)0:3.4.10-25.71.1(x86_64)0:4.4.180-94.144.1(noarch)0:4.4.180-94.144.1(x86_64)0:3.5.25.3-5.9.1(x86_64)0:2.28.0-29.6.1(x86_64)0:2.9.4-46.43.1(noarch)0:2.9.4-46.43.1(x86_64)0:2.78-18.15.1(x86_64)0:1.3.0-12.3.1(x86_64)0:2.2.31-19.25.1(noarch)0:0.19.0-7.3.1(x86_64)0:3.5.25.3-5.12.1(x86_64)0:4.3.3-10.22.1(x86_64)0:0.4.3-4.7.1(x86_64)0:0.113-5.21.1(x86_64)0:1.8.3-18.3.5(noarch)0:1.8.3-18.3.5(x86_64)0:78.11.0-112.62.1(x86_64)0:1.6.2-12.21.1(noarch)0:1.6.2-12.21.1(x86_64)0:2.9.1-6.50.1(noarch)0:1.0.0+-6.50.1(noarch)0:1.10.2_0_g5f4c7b1-6.50.1(noarch)0:8-6.50.1(x86_64)0:1.7.1_sr4.75-38.59.1(x86_64)0:0.12.8-18.1(x86_64)0:20210525-13.90.1(x86_64)0:4.2.1-3.14.1(x86_64)0:0.4.21-8.3.1(x86_64)0:3.0.15-2.20.1(x86_64)0:1.8.0.292-27.60.1(x86_64)0:6.8.8.1-71.154.1(x86_64)0:2.32.1-2.63.3(noarch)0:2.32.1-2.63.3(x86_64)0:2.4.23-29.74.1(noarch)0:2.4.23-29.74.1(x86_64)0:308-5.3.1(x86_64)0:2017+git1492060560.b6d11d7c46-4.44.1(noarch)0:2017+git1492060560.b6d11d7c46-4.44.1(x86_64)0:2.9.22-3.18.1(x86_64)0:2.7.1-13.6.1(x86_64)0:1.6.1-16.77.1(x86_64)0:2.1.0-6.34.1(x86_64)0:13.1-3.3.1(noarch)0:13-4.7.1(x86_64)0:2.1a15-159.9.1(x86_64)0:0.6.37-2.33.1(x86_64)0:16.21.4-2.51.1(noarch)0:1.19.9-22.24.2(x86_64)0:5.3.1-28.4.3(noarch)0:1.20.9-28.30.2(noarch)0:0.4.4-4.4.2(noarch)0:4.3.1-3.9.2(noarch)0:0.5.2-2.8.2(noarch)0:1.14.0-13.10.3(noarch)0:2.24.0-8.14.3(noarch)0:1.25.10-3.29.1(noarch)0:2.24.0-3.3.1(noarch)0:1.25.10-5.19.1(x86_64)0:7.2p2-74.57.1(x86_64)0:1.8.20p2-3.20.1(x86_64)0:78.12.0-112.65.1(x86_64)0:78.7.0-112.45.1(x86_64)0:228-150.98.1(noarch)0:228-150.98.1(noarch)0:9.0.1-3.6.1(x86_64)0:1.4-15.3.1(x86_64)0:4.4.180-94.147.1(noarch)0:4.4.180-94.147.1(noarch)0:8.0+git.1614096566.e8c2b27-3.44.3(x86_64)0:3.11.10-5.3.5(noarch)0:8.20210512-1.32.5(x86_64)0:6.7.4-4.18.2(x86_64)0:4.6.6-3.9.2(noarch)0:0.0.0+git.1623056900.7917e18-3.21.3(noarch)0:20190923_16.32-3.18.2(noarch)0:16.1.9~dev92-3.48.5(noarch)0:1.11.29-3.25.3(noarch)0:1.3.1-1.3.2(noarch)0:0.20.0-6.3.3(noarch)0:1.4.34-3.3.3(noarch)0:4.0.2-5.9.2(noarch)0:1.0.18-1.3.3(noarch)0:5.1.1~dev7-12.32.3(noarch)0:5.0.2~dev3-12.33.3(noarch)0:9.0.8~dev7-12.30.3(noarch)0:11.2.3~dev29-14.34.2(noarch)0:5.0.3~dev7-12.31.3(noarch)0:5.0.0.0~xrc2~dev2-10.28.3(noarch)0:15.0.3~dev3-12.31.3(noarch)0:9.0.8~dev22-12.33.2(noarch)0:12.0.5~dev6-14.36.6(noarch)0:9.1.8~dev8-12.33.3(noarch)0:12.0.4~dev11-11.35.3(noarch)0:5.0.2_5.0.2_5.0.2~dev31-11.32.2(noarch)0:5.1.1~dev5-12.37.3(noarch)0:1.5.1_1.5.1_1.5.1~dev3-8.28.3(noarch)0:2.2.2~dev1-11.28.3(noarch)0:4.0.2~dev2-12.28.3(noarch)0:11.0.9~dev69-13.38.3(noarch)0:16.1.9~dev92-11.36.3(noarch)0:1.0.6~dev3-12.33.3(noarch)0:7.0.5~dev4-11.32.3(noarch)0:2.15.2_2.15.2_2.15.2~dev32-11.23.3(noarch)0:8.0.2~dev2-11.32.3(x86_64)0:2.9.1-6.53.1(noarch)0:1.0.0+-6.53.1(noarch)0:1.10.2_0_g5f4c7b1-6.53.1(noarch)0:8-6.53.1(x86_64)0:1.8.22-29.21.1(x86_64)0:2.32.3-2.66.1(noarch)0:2.32.3-2.66.1(x86_64)0:1.0.25-36.23.1(x86_64)0:3.5.25.3-5.19.2(x86_64)0:4.2.1-3.17.1(x86_64)0:2.11-36.9.1(noarch)0:2.11-36.9.1(x86_64)0:1.9.1-9.7.1(x86_64)0:78.13.0-112.68.1(x86_64)0:6.3.26-13.12.1(x86_64)0:2.11-36.12.1(noarch)0:2.11-36.12.1(x86_64)0:1.8.0.302-27.63.2(x86_64)0:2.11-36.15.1(noarch)0:2.11-36.15.1(x86_64)0:5.3.1-28.6.1(x86_64)0:1.0.2j-60.69.3(noarch)0:1.0.2j-60.69.3(x86_64)0:5.6.1-4.5.1(x86_64)0:2.7.12-3.36.1(x86_64)0:0.60.6.1-18.11.1(x86_64)0:9.9.9P1-63.28.1(noarch)0:9.9.9P1-63.28.1(noarch)0:5.1.42-5.7.1(x86_64)0:2.1.0-6.37.1(x86_64)0:1.0.6-17.3.1(x86_64)0:5.22-10.21.1(x86_64)0:4.9.4_20-3.91.1(x86_64)0:3.68-58.54.1(x86_64)0:4.32-19.18.1(x86_64)0:3.2.8a-2.17.1(x86_64)0:0.6.0-11.3.1(x86_64)0:1.0.2j-60.72.2(noarch)0:1.0.2j-60.72.2(x86_64)0:9.52-23.42.1(x86_64)0:0.2.7-12.12.1(x86_64)0:91.1.0-112.71.1(x86_64)0:91-35.6.6(x86_64)0:1.8.0_sr6.20-30.78.1(x86_64)0:4.9.4_22-3.94.2(x86_64)0:3.36.0-9.18.1(x86_64)0:4.2.1-3.20.2(noarch)0:1.25.10-3.31.2(x86_64)0:2.22-116.1(noarch)0:2.22-116.1(x86_64)0:2.32.4-2.71.2(noarch)0:2.32.4-2.71.2(x86_64)0:2.4.23-29.80.1(noarch)0:2.4.23-29.80.1(x86_64)0:3.4.10-25.63.2(x86_64)0:3.4.10-25.63.1(x86_64)0:91.2.0-112.74.1(x86_64)0:5.3.1-14.3.1(noarch)0:8.0.25-5.10.1(x86_64)0:2.29.2-3.24.1(noarch)0:2.29.2-3.24.1(x86_64)0:5.1.3-26.16.1(noarch)0:5.1.3-26.16.1(x86_64)0:10.18-4.19.6(noarch)0:10.18-4.19.6(x86_64)0:2.26.2-27.49.3(noarch)0:8.0+git.1610733160.0f577f4-3.21.1(noarch)0:8.0+git.1610573640.452aed1-3.27.1(noarch)0:8.0+git.1610740501.5dca121-3.27.1(noarch)0:8.0+git.1605176800.52cccfa-3.29.1(noarch)0:8.0+git.1610643571.91b88d6-3.52.1(x86_64)0:4.6.3-3.6.1(noarch)0:11.0.9~dev69-3.40.1(noarch)0:16.1.9~dev78-3.45.1(noarch)0:1.11.29-3.22.1(noarch)0:8.20201214-3.29.1(noarch)0:1.6.3-8.6.1(noarch)0:12.0.5~dev6-14.34.3(noarch)0:11.0.9~dev69-13.36.1(noarch)0:16.1.9~dev78-11.34.1(x86_64)0:0.13.0-3.19.1(x86_64)0:3.2.8b-2.20.1(x86_64)0:2.37-9.39.1(x86_64)0:2.37-9.44.1(x86_64)0:8.45-8.7.1(noarch)0:20140730-36.5.2(x86_64)0:2.9.1-43.62.1(noarch)0:1.0.0+-43.62.1(noarch)0:1.10.2_0_g5f4c7b1-43.62.1(noarch)0:8-43.62.1(x86_64)0:91.3.0-112.80.2(noarch)0:8.0+git.1632499354.a56668f-3.82.1(noarch)0:8.0+git.1627997000.6c3bc04-3.30.1(noarch)0:8.20210806-1.35.1(noarch)0:5.0.1~dev12-4.9.1(noarch)0:0.0.0+git.1628179051.7d761bf-3.24.1(noarch)0:1.11.29-3.28.1(noarch)0:2.3.1~dev4-4.9.1(noarch)0:9.0.8~dev22-12.35.1(noarch)0:12.0.5~dev6-14.38.2(noarch)0:2.2.2~dev1-11.30.1(x86_64)0:4.6.16+git.307.b3899d08cc6-3.64.2(noarch)0:4.6.16+git.307.b3899d08cc6-3.64.2(x86_64)0:14.1-3.3.1(noarch)0:14-4.10.1(x86_64)0:9.6.24-6.18.2(noarch)0:9.6.24-6.18.2(x86_64)0:10.19-4.22.1(noarch)0:10.19-4.22.1(x86_64)0:2.32.4-2.74.5(noarch)0:2.32.4-2.74.5(x86_64)0:1.8.0.312-27.66.1(x86_64)0:1.7.0.321-43.53.2(x86_64)0:2.1.9-19.6.1(x86_64)0:4.9.4_24-3.97.1(x86_64)0:0.103.4-33.41.1(x86_64)0:2.34.1-2.77.1(noarch)0:2.34.1-2.77.1(x86_64)0:4.4.180-94.150.1(noarch)0:4.4.180-94.150.1(x86_64)0:3.68.1-58.57.1(x86_64)0:7.2p2-74.60.1(x86_64)0:91.4.0-112.83.1(x86_64)0:2.48.2-6.3.1(noarch)0:2.48.2-6.3.1(x86_64)0:7.6_1.18.3-76.43.1(x86_64)0:1.2.3-3.8.2(noarch)0:2.2.2~dev1-11.32.1(noarch)0:1.2.15-126.6.1(x86_64)0:7.6_1.18.3-76.46.1(x86_64)0:4.6.16+git.313.502515a5bfc-3.67.2(noarch)0:4.6.16+git.313.502515a5bfc-3.67.2(x86_64)0:4.1-5.9.1(x86_64)0:2.9.27-3.21.1(noarch)0:2.4.2-5.3.1(x86_64)0:0.10.2.2-5.9.1(x86_64)0:2.4.1-5.7.1(noarch)0:2.2.6~dev4-3.21.1(noarch)0:1.7.1~a0~dev2-3.6.1(noarch)0:2.1.1-4.3.1(noarch)0:5.1.1~dev7-12.34.1(noarch)0:5.0.2~dev3-12.35.1(noarch)0:9.0.8~dev7-12.32.1(noarch)0:11.2.3~dev29-14.36.1(noarch)0:5.0.3~dev7-12.33.1(noarch)0:5.0.0.0~xrc2~dev2-10.30.1(noarch)0:15.0.3~dev3-12.33.1(noarch)0:9.0.8~dev22-12.37.1(noarch)0:12.0.5~dev6-14.40.1(noarch)0:9.1.8~dev8-12.35.1(noarch)0:12.0.4~dev11-11.37.1(noarch)0:5.0.2_5.0.2_5.0.2~dev31-11.34.1(noarch)0:5.1.1~dev5-12.39.1(noarch)0:1.5.1_1.5.1_1.5.1~dev3-8.30.1(noarch)0:2.2.2~dev1-11.34.1(noarch)0:4.0.2~dev2-12.30.1(noarch)0:11.0.9~dev69-13.40.1(noarch)0:16.1.9~dev92-11.38.1(noarch)0:1.0.6~dev3-12.35.1(noarch)0:7.0.5~dev4-11.34.1(noarch)0:2.15.2_2.15.2_2.15.2~dev32-11.25.1(noarch)0:8.0.2~dev2-11.34.1(noarch)0:3.4.10-3.9.1(x86_64)0:2.7.17-28.64.1(noarch)0:2.7.17-28.64.3(x86_64)0:2.7.12-3.39.1(x86_64)0:4.4.180-94.138.1(noarch)0:4.4.180-94.138.1(x86_64)0:2.6-15.13.1(x86_64)0:1.900.14-195.25.1(x86_64)0:4.0.4-23.6.1(x86_64)0:9.9.9P1-63.20.1(noarch)0:9.9.9P1-63.20.1(x86_64)0:1.7.1_sr4.80-38.62.1(noarch)0:1.22-5.15.1(x86_64)0:1.0.3-3.6.1(x86_64)0:1.8.0.282-27.56.2(x86_64)0:6.7.4-4.15.1(x86_64)0:1.3.4-4.3.1(noarch)0:0.0.0+git.1605509190.64f020b-3.18.1(noarch)0:16.1.9~dev77-3.42.1(noarch)0:2.9.6-3.3.1(noarch)0:5.1.1~dev7-12.30.1(noarch)0:5.0.2~dev3-12.31.1(noarch)0:9.0.8~dev7-12.28.1(noarch)0:11.2.3~dev29-14.32.1(noarch)0:5.0.3~dev7-12.29.1(noarch)0:5.0.0.0~xrc2~dev2-10.26.1(noarch)0:15.0.3~dev3-12.29.1(noarch)0:9.0.8~dev22-12.31.1(noarch)0:9.1.8~dev8-12.31.1(noarch)0:12.0.4~dev11-11.32.1(noarch)0:5.0.2_5.0.2_5.0.2~dev31-11.30.1(noarch)0:5.1.1~dev5-12.35.1(noarch)0:1.5.1_1.5.1_1.5.1~dev3-8.26.1(noarch)0:2.2.2~dev1-11.26.1(noarch)0:4.0.2~dev2-12.26.1(noarch)0:11.0.9~dev69-13.34.1(noarch)0:16.1.9~dev77-11.32.1(noarch)0:1.0.6~dev3-12.31.1(noarch)0:7.0.5~dev4-11.30.1(noarch)0:8.0.2~dev2-11.30.1(noarch)0:2.9.6-3.6.1(x86_64)0:1.8.0_sr6.25-30.81.1(noarch)0:3.44-5.3.1(x86_64)0:78.8.0-112.51.1(x86_64)0:2.0.3-3.10.1(x86_64)0:2.1.4-7.34.1(x86_64)0:2.02-4.69.1(noarch)0:2.02-4.69.1(x86_64)0:2.4.41-18.83.1(noarch)0:2.4.41-18.83.1(x86_64)0:1.2-18.83.1(x86_64)0:4.4.180-94.141.2(noarch)0:4.4.180-94.141.2(x86_64)0:1-4.3.2(x86_64)0:2.6-15.16.1(x86_64)0:2.26.2-27.43.1(x86_64)0:2.7.18-28.67.1(noarch)0:2.7.18-28.67.1(x86_64)0:78.6.1-112.42.1(noarch)0:2.48.2-12.22.1(x86_64)0:2.48.2-12.22.1(x86_64)0:4.60.99-5.9.1(x86_64)0:1.39.2-3.5.1(x86_64)0:1.0.2j-60.66.1(noarch)0:1.0.2j-60.66.1(noarch)0:12.0.5~dev6-3.29.1(noarch)0:8.20201214-3.26.1(x86_64)0:78.9.0-112.54.1(noarch)0:1.11.29-3.33.1(x86_64)0:2.3.8-16.29.1(x86_64)0:1.7.1_sr5.5-38.68.1(x86_64)0:1.8.0_sr7.5-30.87.1(x86_64)0:1.2.8-12.6.1(x86_64)0:1.8.0_sr7.0-30.84.1(x86_64)0:3.68.3-58.69.1(x86_64)0:91.8.0-112.98.1(x86_64)0:2.22-123.1(noarch)0:2.22-123.1(x86_64)0:2.1.0-4.15.1(noarch)0:8.0.25-5.13.1(x86_64)0:91.5.0-112.86.1(x86_64)0:5.0.5-6.7.1(noarch)0:5.0.5-6.7.1(x86_64)0:0.6.22-8.13.1(noarch)0:2.2.6~dev4-3.24.1(noarch)0:1.6.3-8.9.2(noarch)0:2.2.2~dev1-11.37.1(noarch)0:3.4.10-3.12.1(x86_64)0:4.4.180-94.161.1(noarch)0:4.4.180-94.161.1(x86_64)0:1.6-9.6.2(x86_64)0:2.78-18.18.1(x86_64)0:2.26.2-27.52.1(x86_64)0:2.9.4-46.49.1(noarch)0:2.9.4-46.49.1(x86_64)0:1.2.15-15.17.1(x86_64)0:4.9.4_28-3.103.1(x86_64)0:2.34.3-2.82.1(noarch)0:2.34.3-2.82.1(x86_64)0:6.9-9.18.1(x86_64)0:0.16-20.15.1(x86_64)0:15.2.1-9.14.1(x86_64)0:91.9.0-112.104.1(x86_64)0:5.0.5-6.12.2(x86_64)0:9.9.9P1-63.34.1(noarch)0:9.9.9P1-63.34.1(x86_64)0:1.42.11-16.9.1(noarch)0:8.20211112-1.38.1(x86_64)0:4.6.6-3.12.1(noarch)0:12.0.4~dev11-5.36.1(noarch)0:1.10.2~dev4-3.9.1(noarch)0:12.0.4~dev11-11.45.1(noarch)0:2.2.2~dev1-11.45.1(x86_64)0:1.7.1_sr5.0-38.65.1(x86_64)0:2.4.41-18.89.1(noarch)0:2.4.41-18.89.1(x86_64)0:1.2-18.89.1(x86_64)0:1.6-9.9.1(x86_64)0:2.36.0-2.96.1(noarch)0:2.36.0-2.96.1(x86_64)0:7.37.0-37.76.1(x86_64)0:20220510-13.97.1(x86_64)0:91.9.0-112.108.4(x86_64)0:2.1.0-21.12.1(x86_64)0:10.21-4.28.3(noarch)0:10.21-4.28.3(x86_64)0:91.9.1-112.111.1(noarch)0:2.11.1-6.31.1(x86_64)0:2.9.4-46.54.3(noarch)0:2.9.4-46.54.3(x86_64)0:10.34-1.7.1(x86_64)0:2.9-15.22.1(x86_64)0:14.3-3.9.3(noarch)0:11.0.9~dev69-3.43.1(x86_64)0:6.8.8.1-71.172.1(x86_64)0:2.1.17-3.26.1(x86_64)0:0.113-5.24.1(x86_64)0:1.2.15-3.6.3(x86_64)0:91.10.0-112.114.1(x86_64)0:5.1.3-26.20.1(noarch)0:5.1.3-26.20.1(x86_64)0:3.68.4-58.72.1(x86_64)0:2.02-137.2(noarch)0:2.02-137.2(x86_64)0:4.4.180-94.164.3(noarch)0:4.4.180-94.164.2(x86_64)0:4.4.180-94.164.2(x86_64)0:2.36.3-2.99.1(noarch)0:2.36.3-2.99.1(x86_64)0:1.0.2j-60.80.1(noarch)0:1.0.2j-60.80.1(x86_64)0:2.4.23-29.91.1(noarch)0:2.4.23-29.91.1(x86_64)0:15.2.1-9.17.1(noarch)0:1.2.15-126.9.1(x86_64)0:1.3.0-1.15.3(x86_64)0:0.5-10.12.1(x86_64)0:3.4.10-25.93.1(x86_64)0:1.0.2j-60.83.1(noarch)0:1.0.2j-60.83.1(x86_64)0:2.0.8_k4.4.180_94.164-3.13.1(x86_64)0:2.7.18-28.87.1(noarch)0:2.7.18-28.87.1(x86_64)0:12.0.2-10.36.1(x86_64)0:16.11.9-8.19.1(x86_64)0:16.11.9_k4.4.180_94.164-8.19.1(x86_64)0:91.11.0-112.119.1(x86_64)0:8.24.0-3.58.2(x86_64)0:8.45-8.12.1(x86_64)0:2.26.2-27.57.1(x86_64)0:4.6.16+git.320.a2d80a7efef-3.70.1(noarch)0:4.6.16+git.320.a2d80a7efef-3.70.1(x86_64)0:15.2.1-9.20.1(noarch)0:1.11.29-3.39.1(noarch)0:5.1.1~dev7-12.37.1(noarch)0:5.0.2~dev3-12.38.1(noarch)0:9.0.8~dev7-12.35.1(noarch)0:11.2.3~dev29-14.39.1(noarch)0:5.0.3~dev7-12.36.1(noarch)0:5.0.0.0~xrc2~dev2-10.33.1(noarch)0:15.0.3~dev3-12.36.1(noarch)0:9.0.8~dev22-12.40.1(noarch)0:12.0.5~dev6-14.43.2(noarch)0:9.1.8~dev8-12.38.1(noarch)0:12.0.4~dev11-11.40.1(noarch)0:5.0.2_5.0.2_5.0.2~dev31-11.37.1(noarch)0:5.1.1~dev5-12.42.1(noarch)0:1.5.1_1.5.1_1.5.1~dev3-8.33.1(noarch)0:2.2.2~dev1-11.40.1(noarch)0:4.0.2~dev2-12.33.1(noarch)0:11.0.9~dev69-13.43.1(noarch)0:16.1.9~dev92-11.41.1(noarch)0:1.0.6~dev3-12.38.1(noarch)0:7.0.5~dev4-11.37.1(noarch)0:2.15.2_2.15.2_2.15.2~dev32-11.28.1(noarch)0:8.0.2~dev2-11.37.1(noarch)0:2.3.4-4.3.1(x86_64)0:5.7.3-6.9.1(x86_64)0:2.0.19-3.9.1(noarch)0:3.4.2-3.3.1(noarch)0:8.0+git.1660773729.3789a6d-3.85.1(noarch)0:8.0+git.1660773402.d845a45-3.47.1(x86_64)0:6.7.4-4.23.1(noarch)0:0.0.0+git.1654529662.75fa04a-3.27.1(noarch)0:4.0.2~dev3-3.12.1(noarch)0:1.11.29-3.42.1(x86_64)0:3.6.16-3.13.1(noarch)0:9.0.8~dev22-12.45.1(noarch)0:12.0.5~dev6-14.48.1(noarch)0:4.0.2~dev3-12.38.1(x86_64)0:1.0.25-36.26.1(noarch)0:2.4.2-5.6.1(x86_64)0:0.10.2.2-5.12.1(x86_64)0:2.4.1-5.10.1(noarch)0:2.2.6~dev4-3.27.1(noarch)0:0.0.1-3.3.1(noarch)0:0.0.1-5.3.1(noarch)0:0.0.1-4.3.1(noarch)0:1.7.1~a0~dev2-3.9.1(noarch)0:2.1.1-4.6.1(noarch)0:1.6.3-8.12.1(x86_64)0:1.2.3-3.11.2(noarch)0:5.1.1~dev7-12.40.1(noarch)0:5.0.2~dev3-12.41.1(noarch)0:9.0.8~dev7-12.38.1(noarch)0:11.2.3~dev29-14.42.1(noarch)0:5.0.3~dev7-12.39.1(noarch)0:5.0.0.0~xrc2~dev2-10.36.1(noarch)0:15.0.3~dev3-12.39.1(noarch)0:9.0.8~dev22-12.43.1(noarch)0:12.0.5~dev6-14.46.1(noarch)0:9.1.8~dev8-12.41.1(noarch)0:12.0.4~dev11-11.43.1(noarch)0:5.0.2_5.0.2_5.0.2~dev31-11.40.1(noarch)0:5.1.1~dev5-12.45.1(noarch)0:1.5.1_1.5.1_1.5.1~dev3-8.36.1(noarch)0:2.2.2~dev1-11.43.1(noarch)0:4.0.2~dev2-12.36.1(noarch)0:11.0.9~dev69-13.46.1(noarch)0:16.1.9~dev92-11.44.1(noarch)0:1.0.6~dev3-12.41.1(noarch)0:7.0.5~dev4-11.40.1(noarch)0:2.15.2_2.15.2_2.15.2~dev32-11.31.1(noarch)0:8.0.2~dev2-11.40.1(noarch)0:3.4.10-3.15.1(x86_64)0:0.103.5-33.44.1(x86_64)0:4.9.4_26-3.100.1(x86_64)0:4.4.180-94.153.1(noarch)0:4.4.180-94.153.1(noarch)0:1.4.3-3.6.1(noarch)0:1.0.7-3.3.1(x86_64)0:4.4.13-3.3.1(x86_64)0:15.2.1-9.23.1(x86_64)0:3.3.0-5.49.1(x86_64)0:2.26.2-27.60.1(x86_64)0:0.5.0-12.9.1(x86_64)0:2.1.0-21.15.1(x86_64)0:4.0.9-44.45.1(x86_64)0:4.9.2-14.20.1(noarch)0:2.6.6-49.35.1(noarch)0:2.8.1-268.9.1(x86_64)0:91.6.0-112.89.1(x86_64)0:20220207-13.93.1(x86_64)0:2.4.23-29.83.1(noarch)0:2.4.23-29.83.1(x86_64)0:2.1.26-8.17.1(x86_64)0:2.34.5-2.85.3(noarch)0:2.34.5-2.85.3(x86_64)0:2.1.0-21.18.1(x86_64)0:5.0.5-6.19.1(x86_64)0:15.2.1-9.11.1(x86_64)0:4.4.180-94.156.1(noarch)0:4.4.180-94.156.1(x86_64)0:91.6.1-112.92.1(x86_64)0:5.3.1-14.5.1(x86_64)0:2.34.6-2.88.1(noarch)0:2.34.6-2.88.1(x86_64)0:0.99.beta18-14.6.1(x86_64)0:91.7.0-112.95.1(x86_64)0:2.1.0-21.22.1(x86_64)0:1.0.2j-60.75.1(noarch)0:1.0.2j-60.75.1(x86_64)0:1.8.0.322-27.72.2(x86_64)0:3.6.1-8.5.1(x86_64)0:2.22-119.1(noarch)0:2.22-119.1(x86_64)0:2.4.23-29.88.1(noarch)0:2.4.23-29.88.1(x86_64)0:2.26.2-27.63.2(noarch)0:11.2.3~dev29-3.31.2(noarch)0:11.2.3~dev29-3.31.1(noarch)0:16.1.9~dev92-3.51.2(noarch)0:16.1.9~dev92-3.51.1(noarch)0:3.28.4-3.9.1(noarch)0:5.1.1~dev7-12.42.1(noarch)0:5.0.2~dev3-12.45.1(noarch)0:9.0.8~dev7-12.40.1(noarch)0:11.2.3~dev29-14.44.1(noarch)0:5.0.3~dev7-12.41.1(noarch)0:5.0.0.0~xrc2~dev2-10.38.1(noarch)0:15.0.3~dev3-12.41.1(noarch)0:9.0.8~dev22-12.47.1(noarch)0:12.0.5~dev6-14.50.2(noarch)0:9.1.8~dev8-12.43.1(noarch)0:12.0.4~dev11-11.47.1(noarch)0:5.0.2_5.0.2_5.0.2~dev31-11.42.1(noarch)0:5.1.1~dev5-12.47.1(noarch)0:1.5.1_1.5.1_1.5.1~dev3-8.38.1(noarch)0:2.2.2~dev1-11.47.1(noarch)0:4.0.2~dev3-12.40.1(noarch)0:11.0.9~dev69-13.48.1(noarch)0:16.1.9~dev92-11.46.1(noarch)0:1.0.6~dev3-12.43.1(noarch)0:7.0.5~dev4-11.42.1(noarch)0:2.15.2_2.15.2_2.15.2~dev32-11.33.1(noarch)0:8.0.2~dev2-11.42.1(x86_64)0:2.26.2-27.69.1(x86_64)0:2.78-18.21.1(x86_64)0:2.0.3-3.14.2(noarch)0:5.1.1~dev7-12.44.1(noarch)0:5.0.2~dev3-12.47.1(noarch)0:9.0.8~dev7-12.42.1(noarch)0:11.2.3~dev29-14.46.1(noarch)0:5.0.3~dev7-12.43.1(noarch)0:5.0.0.0~xrc2~dev2-10.40.1(noarch)0:15.0.3~dev3-12.43.1(noarch)0:9.0.8~dev22-12.49.1(noarch)0:12.0.5~dev6-14.52.1(noarch)0:9.1.8~dev8-12.45.1(noarch)0:12.0.4~dev11-11.49.1(noarch)0:5.0.2_5.0.2_5.0.2~dev31-11.44.1(noarch)0:5.1.1~dev5-12.49.1(noarch)0:1.5.1_1.5.1_1.5.1~dev3-8.40.1(noarch)0:2.2.2~dev1-11.49.1(noarch)0:4.0.2~dev3-12.42.1(noarch)0:11.0.9~dev69-13.50.1(noarch)0:16.1.9~dev92-11.48.1(noarch)0:1.0.6~dev3-12.45.1(noarch)0:7.0.5~dev4-11.44.1(noarch)0:2.15.2_2.15.2_2.15.2~dev32-11.35.1(noarch)0:8.0.2~dev2-11.44.1(noarch)0:9.0.8~dev22-3.30.3(noarch)0:0.12.2-3.6.2(noarch)0:5.0.3~dev7-12.45.1(noarch)0:9.0.8~dev22-12.51.1(noarch)0:5.0.2_5.0.2_5.0.2~dev31-11.46.1(noarch)0:1.0.6~dev3-12.47.1(noarch)0:7.0.5~dev4-11.46.1(x86_64)0:0.4.3-4.10.1(noarch)0:0.2.3-3.3.1(x86_64)0:4.4.3-3.3.1(noarch)0:1.11.29-3.48.1(noarch)0:1.7.0.dev372-3.3.1(x86_64)0:5.3.1-14.7.3(noarch)0:1.11.29-3.51.1(x86_64)0:0.4.3-4.15.1(x86_64)0:1.1.2-3.3.1(noarch)0:36.5.0-3.3.1(noarch)0:1.25.10-5.22.1(noarch)0:1.11.29-3.54.1(x86_64)0:2.26.2-27.66.1(noarch)0:1.25.10-5.25.1(x86_64)0:4.2.1-3.23.2(noarch)0:1.11.29-3.45.1(noarch)0:5.0.2~dev3-3.17.2(noarch)0:5.0.2~dev3-12.43.2(x86_64)0:1.10.0-4.3.1(noarch)0:1.11.29-3.62.1(noarch)0:12.0.5~dev6-14.56.1(x86_64)0:4.2.1-3.29.2(noarch)0:12.0.5~dev6-14.58.2(x86_64)0:4.2.1-3.26.1(noarch)0:1.11.29-3.59.3(noarch)0:12.0.5~dev6-14.54.5(x86_64)0:6.14.3-11.15.1(x86_64)0:2.12.5-1.4.1(noarch)0:5.0+git.1528696845.81a7b5d0-3.3.1(x86_64)0:5.0+git.1533887407.6e9b0412d-3.8.2(noarch)0:5.0+git.1530177874.35b9099-3.3.1(noarch)0:5.0+git.1520420379.d5bbb35-3.3.1(noarch)0:5.0+git.1534167599.d325ef804-4.8.2(noarch)0:1.2.0+git.1533844061.4ac8e723-3.3.1(x86_64)0:1.7.2-3.3.1(x86_64)0:6.14.4-11.18.1(noarch)0:5.0+git.1551088826.010c0399-3.12.2(x86_64)0:5.0+git.1552461227.43e65d269-3.20.2(noarch)0:5.0+git.1553248675.7e103ea-3.14.2(noarch)0:5.0+git.1554709170.195ba0e26-4.22.2(x86_64)0:1.6.11-3.3.1(x86_64)0:4.2.9-3.6.1(x86_64)0:5.0+git.1558533551.8d8ed2058-3.23.1(noarch)0:5.0-10.6.3(noarch)0:5.0+git.1559282566.6b06ca3-3.17.1(noarch)0:5.0+git.1559335140.62bb4c014-4.25.1(x86_64)0:6.17.0-11.27.1(x86_64)0:1.0.3-8.8.1(x86_64)0:2.0.2-3.8.1(x86_64)0:5.0+git.1565280360.01fed6905-3.26.1(noarch)0:5.0+git.1562069707.e2de18c-3.20.1(noarch)0:5.0+git.1565270683.ea6e63d87-4.28.1(noarch)0:1.2.0+git.1563181545.65360af5-3.9.1(x86_64)0:5.0+git.1569597589.1f025c557-3.32.2(noarch)0:5.0+git.1567673535.607aada-3.26.2(noarch)0:5.0+git.1570141351.058c8bd44-4.31.2(noarch)0:1.2.0+git.1568396400.0344a727-3.12.3(x86_64)0:1.0.0-3.4.2(x86_64)0:4.0.6-3.3.1(x86_64)0:1.7.2-3.6.1(x86_64)0:2.0.2-3.5.1(x86_64)0:6.16.0-11.21.1(x86_64)0:6.17.0-11.24.1(x86_64)0:4.2.9-7.6.1(x86_64)0:5.0+git.1585575551.16781d00d-3.38.1(noarch)0:5.0+git.1585316176.344190f-3.32.1(noarch)0:5.0+git.1585304226.2164b7895-4.37.1(x86_64)0:2.16.0-3.6.1(x86_64)0:6.17.1-11.37.1(x86_64)0:5.0+git.1593156248.55bbdb26d-3.41.2(noarch)0:5.0+git.1593085772.64c4ab43c-4.40.2(x86_64)0:4.0.0-3.3.1(x86_64)0:3.9.2-3.12.1(x86_64)0:1.7.7-3.3.1(x86_64)0:2.16.0-3.9.1(x86_64)0:4.2.9-9.9.1(x86_64)0:6.17.1-11.30.1(x86_64)0:1.6.13-3.8.1(x86_64)0:4.2.9-9.12.1(x86_64)0:4.2.9-7.9.1(x86_64)0:5.0+git.1600432272.b3ad722f0-3.44.1(noarch)0:5.0+git.1599037158.5c4d07480-4.43.1(x86_64)0:3.9.3-1.1(x86_64)0:6.17.1-11.33.1(x86_64)0:5.0+git.1582968668.1a55c77c5-3.35.4(noarch)0:5.0+git.1574286229.e0364c3-3.29.3(noarch)0:5.0+git.1582911795.5081ef1da-4.34.3(noarch)0:1.2.0+git.1575896697.a01a3a08-3.15.3(x86_64)0:3.9.1-3.9.3(x86_64)0:2.16.0-3.3.3(x86_64)0:4.2.9-9.6.1(x86_64)0:4.2.9-7.12.1(x86_64)0:1.6.1-5.3.1(x86_64)0:5.0+git.1622489449.a8e60e238-3.50.4(noarch)0:5.0+git.1616001417.67fd9c2a1-4.52.5(x86_64)0:0.1.2-3.3.2(x86_64)0:2.16.0-3.12.1(x86_64)0:2.3.6-3.3.3(x86_64)0:4.2.9-6.6.1(noarch)0:5.0+git.1610564036.b75ee1b-3.35.1(noarch)0:5.0+git.1610402513.08dca931e-4.49.1(noarch)0:0.8.0-0.20.2(x86_64)0:2.16.0-3.15.1(x86_64)0:3.2.3-3.3.1(x86_64)0:5.0+git.1606840757.839a64745-3.47.1(noarch)0:5.0+git.1604938523.ded915845-4.46.1(x86_64)0:3.9.3-3.15.1(x86_64)0:1.3.1-4.6.1(x86_64)0:1.4.6-3.3.1(x86_64)0:1.6.13-3.13.1(x86_64)0:1.2.2-3.3.1(x86_64)0:1.0.3-8.11.1(x86_64)0:2.16.0-3.18.1(x86_64)0:4.2.9-9.15.1(x86_64)0:1.6.1-5.6.1(x86_64)0:2.0.2-3.11.1(x86_64)0:1.6.13-3.19.1(x86_64)0:4.2.9-7.18.1(x86_64)0:1.0.3-8.14.1(x86_64)0:4.2.9-7.15.1(x86_64)0:4.2.9-6.9.1(x86_64)0:4.2.9-6.12.1(x86_64)0:1.6.13-3.16.1(x86_64)0:1.6.13-3.22.1(aarch64|ppc64le|s390x|x86_64)0:2.4.23-29.3.2(noarch)0:2.4.23-29.3.2(aarch64|ppc64le|s390x|x86_64)0:1.2.4-14.3.1(aarch64|ppc64le|s390x|x86_64)0:1.0.1-16.3.1(s390x|x86_64)0:1.0.1-16.3.1(aarch64|ppc64le|s390x|x86_64)0:0.43.0-16.5.1(aarch64|ppc64le|s390x|x86_64)0:228-150.9.3(s390x|x86_64)0:228-150.9.3(noarch)0:228-150.9.3(aarch64|ppc64le|s390x|x86_64)0:10.0.31-29.3.1(s390x|x86_64)0:10.0.31-29.3.1(aarch64|ppc64le|s390x|x86_64)0:2.2.8-48.6.1(aarch64|ppc64le|s390x|x86_64)0:5.9-50.1(s390x|x86_64)0:5.9-50.1(aarch64|ppc64le|s390x|x86_64)0:1.2.0-2.3.1(aarch64|ppc64le|s390x|x86_64)0:2.40.18-5.3.1(s390x|x86_64)0:2.40.18-5.3.1(aarch64|ppc64le|s390x|x86_64)0:2.54.1-5.3.1(s390x|x86_64)0:2.54.1-5.3.1(noarch)0:2.54.1-5.3.1(aarch64|ppc64le|s390x|x86_64)0:5.1.3-26.5.1(noarch)0:5.1.3-26.5.1(aarch64|ppc64le|s390x|x86_64)0:2.1.0-4.3.2(aarch64|ppc64le|s390x|x86_64)0:2.9.4-46.3.2(s390x|x86_64)0:2.9.4-46.3.2(noarch)0:2.9.4-46.3.2(aarch64|ppc64le|s390x|x86_64)0:7.37.0-37.3.1(s390x|x86_64)0:7.37.0-37.3.1(aarch64|ppc64le|s390x|x86_64)0:1.8.0.144-27.5.3(aarch64|ppc64le|s390x|x86_64)0:3.0.15-2.3.1(aarch64|ppc64le|s390x|x86_64)0:1.12-20.3.2(aarch64|ppc64le|s390x|x86_64)0:6.8.8.1-71.5.3(aarch64|ppc64le|s390x|x86_64)0:2.7.0-3.3.1(aarch64|ppc64le|s390x|x86_64)0:3.20.4-77.7.5(noarch)0:3.20.4-77.7.5(aarch64|ppc64le|s390x|x86_64)0:4.6.7+git.38.90b2cdb4f22-3.7.1(s390x|x86_64)0:4.6.7+git.38.90b2cdb4f22-3.7.1(noarch)0:4.6.7+git.38.90b2cdb4f22-3.7.1(ppc64le|s390x|x86_64)0:1.8.0_sr4.10-30.5.1(x86_64)0:1.8.0_sr4.10-30.5.1(aarch64|ppc64le|s390x|x86_64)0:16.15.3-2.3.1(aarch64|ppc64le|s390x|x86_64)0:3.2.4-2.3.1(ppc64le|s390x|x86_64)0:1.7.1_sr4.10-38.5.1(x86_64)0:1.7.1_sr4.10-38.5.1(aarch64|ppc64le|s390x|x86_64)0:4.4.82-6.3.1(s390x)0:4.4.82-6.3.1(noarch)0:4.4.82-6.3.1(aarch64|ppc64le|s390x|x86_64)0:1.1.1-17.3.3(aarch64|ppc64le|s390x|x86_64)0:2.1.0-21.3.1(s390x|x86_64)0:2.1.0-21.3.1(aarch64|ppc64le|s390x|x86_64)0:2.12.3-27.5.1(aarch64|ppc64le|s390x|x86_64)0:52.1-8.3.1(s390x|x86_64)0:52.1-8.3.1(x86_64)0:4.9.0_11-3.9.1(aarch64|ppc64le|s390x|x86_64)0:16.15.6-2.8.1(aarch64|ppc64le|s390x|x86_64)0:1.13.32-21.3.2(noarch)0:1.13.32-21.3.2(aarch64|ppc64le|s390x|x86_64)0:9.6.4-3.6.1(s390x|x86_64)0:9.6.4-3.6.1(noarch)0:9.6.4-3.6.1(noarch)0:2.34.0-19.5.1(aarch64|ppc64le|s390x|x86_64)0:2.34.0-19.5.1(s390x|x86_64)0:2.34.0-19.5.1(aarch64|ppc64le|s390x|x86_64)0:3.20.1-6.16.1(noarch)0:3.20.1-6.16.1(aarch64|ppc64le|s390x|x86_64)0:2.9.0-6.3.1(aarch64)0:2.9.0-6.3.1(aarch64|x86_64)0:2.9.0-6.3.1(noarch)0:1.0.0-6.3.1(s390x|x86_64)0:2.9.0-6.3.1(ppc64le)0:2.9.0-6.3.1(s390x)0:2.9.0-6.3.1(noarch)0:1.10.2-6.3.1(noarch)0:8-6.3.1(x86_64)0:2.9.0-6.3.1(aarch64|ppc64le|s390x|x86_64)0:1.12.12-182.3.1(noarch)0:1.12.12-182.3.1(x86_64)0:4.9.0_12-3.15.1(aarch64|ppc64le|s390x|x86_64)0:4.4.82-6.6.1(s390x)0:4.4.82-6.6.1(noarch)0:4.4.82-6.6.1(aarch64|ppc64le|s390x|x86_64)0:4.8.5-31.3.1(ppc64le|s390x|x86_64)0:4.8.5-31.3.1(s390x|x86_64)0:4.8.5-31.3.1(noarch)0:4.8.5-31.3.1(x86_64)0:4.8.5-31.3.1(aarch64|ppc64le|s390x|x86_64)0:24.3-25.3.1(noarch)0:24.3-25.3.1(aarch64|ppc64le|s390x|x86_64)0:0.11.1-13.3.1(aarch64|ppc64le|s390x|x86_64)0:2.4.23-29.6.1(noarch)0:2.4.23-29.6.1(aarch64|ppc64le|s390x|x86_64)0:0.12.8-3.9(aarch64|ppc64le|s390x|x86_64)0:2.2.9-48.9.2(aarch64|ppc64le|s390x|x86_64)0:4.0.8-44.3.1(s390x|x86_64)0:4.0.8-44.3.1(aarch64|ppc64le|s390x|x86_64)0:2.6.4-6.3.1(aarch64|ppc64le|s390x|x86_64)0:52.3.0esr-109.3.1(aarch64|ppc64le|s390x|x86_64)0:3.3.0-5.3.1(x86_64)0:3.3.0-5.3.1(aarch64|x86_64)0:3.3.0-5.3.1(aarch64|ppc64le|s390x|x86_64)0:2.78-18.3.1(aarch64|ppc64le|s390x|x86_64)0:2.1.0-4.6.1(aarch64|ppc64le|s390x|x86_64)0:1.12.5-40.13.1(s390x|x86_64)0:1.12.5-40.13.1(aarch64|ppc64le|s390x|x86_64)0:52.4.0esr-109.6.2(aarch64|ppc64le|s390x|x86_64)0:3.29.5-58.3.1(s390x|x86_64)0:3.29.5-58.3.1(aarch64|ppc64le|s390x|x86_64)0:4.6.7+git.51.327af8d0a11-3.12.1(s390x|x86_64)0:4.6.7+git.51.327af8d0a11-3.12.1(noarch)0:4.6.7+git.51.327af8d0a11-3.12.1(noarch)0:2.8.1-268.6.2(x86_64)0:4.9.0_14-3.18.1(aarch64|ppc64le|s390x|x86_64)0:2.12.3-27.9.1(aarch64|ppc64le|s390x|x86_64)0:2.2-15.3.1(aarch64|ppc64le|s390x|x86_64)0:7.37.0-37.8.1(s390x|x86_64)0:7.37.0-37.8.1(aarch64|ppc64le|s390x|x86_64)0:2.3.8-16.20.1(aarch64|ppc64le|s390x|x86_64)0:4.4.92-6.18.1(s390x)0:4.4.92-6.18.1(noarch)0:4.4.92-6.18.1(aarch64|ppc64le|s390x|x86_64)0:3.3.0-5.8.1(x86_64)0:3.3.0-5.8.1(aarch64|x86_64)0:3.3.0-5.8.1(aarch64|ppc64le|s390x|x86_64)0:4.9.2-14.5.1(aarch64|ppc64le|s390x|x86_64)0:2.2.10-48.12.1(aarch64|ppc64le|s390x|x86_64)0:1.14-21.3.1(aarch64|ppc64le|s390x|x86_64)0:2.9.1-6.6.3(aarch64)0:2.9.1-6.6.3(aarch64|x86_64)0:2.9.1-6.6.3(noarch)0:1.0.0-6.6.3(s390x|x86_64)0:2.9.1-6.6.3(ppc64le)0:2.9.1-6.6.3(s390x)0:2.9.1-6.6.3(noarch)0:1.10.2-6.6.3(noarch)0:8-6.6.3(x86_64)0:2.9.1-6.6.3(aarch64|ppc64le|s390x|x86_64)0:2.18.0-2.9.1(noarch)0:3.6.312.333-3.10.1(aarch64|ppc64le|s390x|x86_64)0:1.13.4-34.7.1(s390x|x86_64)0:1.13.4-34.7.1(aarch64|ppc64le|s390x|x86_64)0:1.12.5-40.16.1(s390x|x86_64)0:1.12.5-40.16.1(aarch64|ppc64le|s390x|x86_64)0:6.8.8.1-71.12.1(aarch64|ppc64le|s390x|x86_64)0:4.2.1-27.3.3(aarch64|ppc64le|s390x|x86_64)0:1.8.0.151-27.8.1(noarch)0:8.0.43-29.5.1(aarch64|ppc64le|s390x|x86_64)0:5.22-10.3.1(s390x|x86_64)0:5.22-10.3.1(aarch64|ppc64le|s390x|x86_64)0:7.6_1.18.3-76.15.2(x86_64)0:20160518_1.9.4-7.5.1(aarch64|ppc64le|s390x|x86_64)0:5.18.2-12.3.1(s390x|x86_64)0:5.18.2-12.3.1(noarch)0:5.18.2-12.3.1(noarch)0:20170530-21.13.1(x86_64)0:4.9.1_02-3.21.1(aarch64|ppc64le|s390x|x86_64)0:4.6.9+git.59.c2cff9cea4c-3.17.1(s390x|x86_64)0:4.6.9+git.59.c2cff9cea4c-3.17.1(noarch)0:4.6.9+git.59.c2cff9cea4c-3.17.1(aarch64|ppc64le|s390x|x86_64)0:1.0.2j-60.16.1(s390x|x86_64)0:1.0.2j-60.16.1(noarch)0:1.0.2j-60.16.1(aarch64|ppc64le|s390x|x86_64)0:2.29.1-9.20.2(aarch64|ppc64le|s390x|x86_64)0:52.5.0esr-109.9.1(aarch64|ppc64le|s390x|x86_64)0:1.1.14-4.3.1(s390x|x86_64)0:1.1.14-4.3.1(aarch64|ppc64le|s390x|x86_64)0:2.5.5-6.3.1(aarch64|ppc64le|s390x|x86_64)0:4.4.92-6.30.1(s390x)0:4.4.92-6.30.1(noarch)0:4.4.92-6.30.1(aarch64|ppc64le|s390x|x86_64)0:7.2p2-74.11.1(aarch64|ppc64le|s390x|x86_64)0:7.2p2-74.11.3(aarch64|ppc64le|s390x|x86_64)0:2.5.5-3.3.1(aarch64|ppc64le|s390x|x86_64)0:2.7.0-3.10.1(aarch64|ppc64le|s390x|x86_64)0:1.5.3-2.3.1(aarch64|ppc64le|s390x|x86_64)0:1.0.2j-60.20.2(s390x|x86_64)0:1.0.2j-60.20.2(noarch)0:1.0.2j-60.20.2(aarch64|ppc64le|s390x|x86_64)0:6.8.8.1-71.17.1(aarch64|ppc64le|s390x|x86_64)0:9.6.6-3.10.1(s390x|x86_64)0:9.6.6-3.10.1(noarch)0:9.6.6-3.10.1(aarch64|ppc64le|s390x|x86_64)0:4.4.103-6.33.1(s390x)0:4.4.103-6.33.1(noarch)0:4.4.103-6.33.1(ppc64le|s390x|x86_64)0:1.8.0_sr5.5-30.13.1(x86_64)0:1.8.0_sr5.5-30.13.1(aarch64|ppc64le|s390x|x86_64)0:3.20.2-6.19.15(noarch)0:3.20.2-6.19.15(aarch64|ppc64le|s390x|x86_64)0:2.2.11-48.15.3(noarch)0:2.34.0-19.8.1(aarch64|ppc64le|s390x|x86_64)0:2.34.0-19.8.1(s390x|x86_64)0:2.34.0-19.8.1(ppc64le|s390x|x86_64)0:1.7.1_sr4.15-38.8.1(x86_64)0:1.7.1_sr4.15-38.8.1(aarch64|ppc64le|s390x|x86_64)0:2.1.0-24.3.4(aarch64|ppc64le|x86_64)0:16.11.6-8.4.2(x86_64)0:16.11.6_k4.4.126_94.22-8.4.2(aarch64)0:16.11.6-8.4.2(aarch64)0:16.11.6_k4.4.126_94.22-8.4.2(noarch)0:20140630-6.3.1(aarch64|ppc64le|s390x|x86_64)0:7.1.8-4.8.1(aarch64|ppc64le|s390x|x86_64)0:7.1.8_k4.4.131_94.29-4.8.1(x86_64)0:2.7.1-8.2.1(x86_64)0:2.7.1_k4.4.131_94.29-8.2.1(aarch64|ppc64le|s390x|x86_64)0:2.0.8_k4.4.131_94.29-3.8.1(aarch64|ppc64le|s390x|x86_64)0:1.5.6-3.3.2(aarch64|ppc64le|s390x|x86_64)0:2.22-62.13.2(s390x|x86_64)0:2.22-62.13.2(noarch)0:2.22-62.13.2(aarch64|ppc64le|s390x|x86_64)0:2.12.3-27.14.1(noarch)0:1.3.3-10.14.1(aarch64|ppc64le|s390x|x86_64)0:1.3.3-10.14.1(s390x|x86_64)0:1.3.3-10.14.1(noarch)0:20170530-21.22.1(aarch64|ppc64le|s390x|x86_64)0:0.43.0-16.15.1(x86_64)0:20180425-13.20.1(aarch64|ppc64le|s390x|x86_64)0:4.6.14+git.150.1540e575faf-3.24.1(s390x|x86_64)0:4.6.14+git.150.1540e575faf-3.24.1(noarch)0:4.6.14+git.150.1540e575faf-3.24.1(aarch64|ppc64le|s390x|x86_64)0:1.8.0.171-27.19.1(aarch64|ppc64le|s390x|x86_64)0:1.7.0.181-43.15.2(aarch64|ppc64le|s390x|x86_64)0:9.6.9-3.19.1(s390x|x86_64)0:9.6.9-3.19.1(noarch)0:9.6.9-3.19.1(aarch64|ppc64le|s390x|x86_64)0:2.0.24-9.3.1(noarch)0:2.0.24-9.3.1(aarch64|ppc64le|s390x|x86_64)0:3.1.0-13.10.1(ppc64le|s390x|x86_64)0:1.8.0_sr5.15-30.33.1(x86_64)0:1.8.0_sr5.15-30.33.1(aarch64|ppc64le|s390x|x86_64)0:3.22-269.3.5(ppc64le|s390x|x86_64)0:1.7.1_sr4.25-38.23.1(x86_64)0:1.7.1_sr4.25-38.23.1(aarch64|ppc64le|s390x|x86_64)0:4.2.8p11-64.5.1(aarch64|ppc64le|s390x|x86_64)0:5.13-5.4.1(aarch64|ppc64le|s390x|x86_64)0:4.4.138-94.39.1(s390x)0:4.4.138-94.39.1(noarch)0:4.4.138-94.39.1(aarch64|ppc64le|s390x|x86_64)0:4.4.103-6.38.1(s390x)0:4.4.103-6.38.1(noarch)0:4.4.103-6.38.1(aarch64|ppc64le|s390x|x86_64)0:10.0.35-29.20.3(s390x|x86_64)0:10.0.35-29.20.3(aarch64|ppc64le|s390x|x86_64)0:52.8.1esr-109.34.1(aarch64|ppc64le|s390x|x86_64)0:4.0.9-44.15.2(s390x|x86_64)0:4.0.9-44.15.2(aarch64|ppc64le|s390x|x86_64)0:2.3.6-7.9.1(s390x|x86_64)0:2.3.6-7.9.1(aarch64|ppc64le|s390x|x86_64)0:3.3.9-11.11.1(aarch64|ppc64le|s390x|x86_64)0:6.8.8.1-71.65.1(aarch64|ppc64le|s390x|x86_64)0:1.3.0-3.3.1(aarch64|ppc64le|s390x|x86_64)0:1.0.2j-60.30.1(s390x|x86_64)0:1.0.2j-60.30.1(noarch)0:1.0.2j-60.30.1(aarch64|ppc64le|s390x|x86_64)0:4.8.7+2.3.4-4.5.1(s390x|x86_64)0:4.8.7+2.3.4-4.5.1(aarch64|ppc64le|s390x|x86_64)0:2.0.3-17.2.1(s390x|x86_64)0:2.0.3-17.2.1(aarch64|ppc64le|s390x|x86_64)0:4.8.7-8.6.1(s390x|x86_64)0:4.8.7-8.6.1(aarch64|ppc64le|s390x|x86_64)0:4.8.7-8.6.4(x86_64)0:20180703-13.25.1(noarch)0:2.34.0-19.11.1(aarch64|ppc64le|s390x|x86_64)0:2.34.0-19.11.1(s390x|x86_64)0:2.34.0-19.11.1(aarch64|ppc64le|s390x|x86_64)0:5.18.2-12.14.1(s390x|x86_64)0:5.18.2-12.14.1(noarch)0:5.18.2-12.14.1(aarch64|ppc64le|s390x|x86_64)0:2.2.12-48.18.1(aarch64|ppc64le|s390x|x86_64)0:4.2.1-27.9.1(aarch64|ppc64le|s390x|x86_64)0:7.2p2-74.19.1(aarch64|ppc64le|s390x|x86_64)0:0.6.21-8.3.1(s390x|x86_64)0:0.6.21-8.3.1(aarch64|ppc64le|s390x|x86_64)0:8.24.0-3.3.1(aarch64|ppc64le|s390x|x86_64)0:2.7.13-28.6.1(s390x|x86_64)0:2.7.13-28.6.1(noarch)0:2.7.13-28.6.1(aarch64|ppc64le|s390x|x86_64)0:4.4.140-94.42.1(s390x)0:4.4.140-94.42.1(noarch)0:4.4.140-94.42.1(aarch64|ppc64le|s390x|x86_64)0:3.20.3-23.3.14(noarch)0:3.20.3-23.3.14(x86_64)0:4.9.2_08-3.35.2(aarch64|ppc64le|s390x|x86_64)0:6.8.8.1-71.20.1(aarch64|ppc64le|s390x|x86_64)0:2.29.2-3.8.1(s390x|x86_64)0:2.29.2-3.8.1(noarch)0:2.29.2-3.8.1(aarch64|ppc64le|s390x|x86_64)0:1.0.25-36.13.1(s390x|x86_64)0:1.0.25-36.13.1(aarch64|ppc64le|s390x|x86_64)0:1.6.1-16.55.1(s390x|x86_64)0:1.6.1-16.55.1(aarch64|ppc64le|s390x|x86_64)0:1.10.1-55.3.1(aarch64|ppc64le|s390x|x86_64)0:2.0.21-6.3.1(noarch)0:2.34.0-19.14.2(aarch64|ppc64le|s390x|x86_64)0:2.34.0-19.14.2(s390x|x86_64)0:2.34.0-19.14.2(aarch64|ppc64le|s390x|x86_64)0:0.41.rc1-10.3.1(aarch64|ppc64le|s390x|x86_64)0:0.113-5.9.1(aarch64|x86_64)0:2017+git1492060560.b6d11d7c46-4.9.4(noarch)0:2017+git1492060560.b6d11d7c46-4.9.4(aarch64|ppc64le|s390x|x86_64)0:1.7.5-20.14.1(s390x|x86_64)0:1.7.5-20.14.1(aarch64|ppc64le|s390x|x86_64)0:1.0.1-17.3.1(s390x|x86_64)0:1.0.1-17.3.1(aarch64|ppc64le|s390x|x86_64)0:7.37.0-37.14.1(s390x|x86_64)0:7.37.0-37.14.1(aarch64|ppc64le|s390x|x86_64)0:12.2.7+git.1531910353.c0ef85b854-2.12.1(aarch64|ppc64le|s390x|x86_64)0:2.62.2-5.7.1(s390x|x86_64)0:2.62.2-5.7.1(noarch)0:2.62.2-5.7.1(noarch)0:1.3.3-10.3.1(aarch64|ppc64le|s390x|x86_64)0:1.3.3-10.3.1(s390x|x86_64)0:1.3.3-10.3.1(aarch64|ppc64le|s390x|x86_64)0:2.18.5-2.18.1(aarch64|ppc64le|s390x|x86_64)0:3.2.5e-2.3.2(aarch64|ppc64le|s390x|x86_64)0:3.3.0-5.22.1(x86_64)0:3.3.0-5.22.1(aarch64|x86_64)0:3.3.0-5.22.1(aarch64|ppc64le|s390x|x86_64)0:4.6.14+git.157.c2d53c2b191-3.29.1(s390x|x86_64)0:4.6.14+git.157.c2d53c2b191-3.29.1(noarch)0:4.6.14+git.157.c2d53c2b191-3.29.1(aarch64|ppc64le|s390x|x86_64)0:52.9.0esr-109.38.2(aarch64|ppc64le|s390x|x86_64)0:0.100.1-33.15.2(aarch64|ppc64le|x86_64)0:16.11.6-8.7.2(x86_64)0:16.11.6_k4.4.143_94.47-8.7.2(aarch64)0:16.11.6-8.7.2(aarch64)0:16.11.6_k4.4.143_94.47-8.7.2(aarch64|ppc64le|s390x|x86_64)0:4.4.143-94.47.1(s390x)0:4.4.143-94.47.1(noarch)0:4.4.143-94.47.1(x86_64)0:2.7.1-8.4.2(x86_64)0:2.7.1_k4.4.143_94.47-8.4.2(x86_64)0:20180807-13.29.1(aarch64|ppc64le|s390x|x86_64)0:2.4.23-29.21.1(noarch)0:2.4.23-29.21.1(x86_64)0:4.4.143-4.13.1(noarch)0:4.4.143-4.13.1(aarch64|ppc64le|s390x|x86_64)0:2.29.2-3.12.1(s390x|x86_64)0:2.29.2-3.12.1(noarch)0:2.29.2-3.12.1(noarch)0:1.34-3.3.1(x86_64)0:4.9.2_10-3.41.1(aarch64|ppc64le|s390x|x86_64)0:3.3.9-11.14.1(aarch64|ppc64le|s390x|x86_64)0:1.6.1-16.62.1(s390x|x86_64)0:1.6.1-16.62.1(aarch64|ppc64le|s390x|x86_64)0:0.41.rc1-10.9.1(aarch64|ppc64le|s390x|x86_64)0:0.99.3-33.5.1(aarch64|ppc64le|s390x|x86_64)0:3.10.0.1-54.6.3(noarch)0:3.10.0.1-54.6.3(aarch64|ppc64le|s390x|x86_64)0:2.1.0-24.6.1(aarch64|ppc64le|s390x|x86_64)0:2.4.23-29.13.1(noarch)0:2.4.23-29.13.1(aarch64|ppc64le|s390x|x86_64)0:0.33-3.6.1(aarch64|ppc64le|s390x|x86_64)0:0.12.8-6.1(aarch64|ppc64le|s390x|x86_64)0:2.2.31-19.11.1(ppc64le|s390x|x86_64)0:1.7.1_sr4.30-38.26.1(x86_64)0:1.7.1_sr4.30-38.26.1(aarch64|ppc64le|s390x|x86_64)0:3.4.6-25.16.1(noarch)0:8.0.53-29.13.1(aarch64|ppc64le|s390x|x86_64)0:7.37.0-37.26.1(s390x|x86_64)0:7.37.0-37.26.1(aarch64|ppc64le|s390x|x86_64)0:4.4.155-94.50.1(s390x)0:4.4.155-94.50.1(noarch)0:4.4.155-94.50.1(aarch64|ppc64le|s390x|x86_64)0:2.0.0-18.15.1(s390x|x86_64)0:2.0.0-18.15.1(aarch64|ppc64le|s390x|x86_64)0:6.8.8.1-71.74.1(aarch64|ppc64le|s390x|x86_64)0:2.6.4-6.6.1(aarch64|ppc64le|s390x|x86_64)0:16.17.20-2.33.2(aarch64|ppc64le|s390x|x86_64)0:1.13.45-21.21.2(noarch)0:1.13.45-21.21.2(aarch64|ppc64le|s390x|x86_64)0:2.4.23-29.24.1(noarch)0:2.4.23-29.24.1(aarch64|ppc64le|s390x|x86_64)0:1.1.14-4.6.1(s390x|x86_64)0:1.1.14-4.6.1(ppc64le|s390x|x86_64)0:1.8.0_sr5.20-30.36.1(x86_64)0:1.8.0_sr5.20-30.36.1(noarch)0:1.9.4-3.3.1(aarch64|ppc64le|s390x|x86_64)0:4.0.9-44.21.1(s390x|x86_64)0:4.0.9-44.21.1(aarch64|ppc64le|s390x|x86_64)0:3.3.27-3.3.1(s390x|x86_64)0:3.3.27-3.3.1(aarch64|ppc64le|s390x|x86_64)0:2.1.0-24.9.1(aarch64|ppc64le|s390x|x86_64)0:4.2.1-27.19.1(x86_64)0:4.4.155-4.16.1(noarch)0:4.4.155-4.16.1(aarch64|ppc64le|s390x|x86_64)0:3.3.0-5.13.1(x86_64)0:3.3.0-5.13.1(aarch64|x86_64)0:3.3.0-5.13.1(aarch64|ppc64le|s390x|x86_64)0:2.4.9-48.29.1(aarch64|ppc64le|s390x|x86_64)0:3.0.37-52.23.6(noarch)0:3.0.14-3.3.1(aarch64|ppc64le|s390x|x86_64)0:1.0.2j-60.39.1(s390x|x86_64)0:1.0.2j-60.39.1(noarch)0:1.0.2j-60.39.1(aarch64|ppc64le|s390x|x86_64)0:5.9-58.1(s390x|x86_64)0:5.9-58.1(aarch64|ppc64le|s390x|x86_64)0:6.00-33.8.1(aarch64|ppc64le|s390x|x86_64)0:9.25-23.13.1(aarch64|ppc64le|s390x|x86_64)0:1.1.36-58.3.1(aarch64|ppc64le|s390x|x86_64)0:228-150.29.1(s390x|x86_64)0:228-150.29.1(noarch)0:228-150.29.1(aarch64|ppc64le|s390x|x86_64)0:2.0.0-18.17.1(s390x|x86_64)0:2.0.0-18.17.1(aarch64|ppc64le|s390x|x86_64)0:4.4.156-94.57.1(s390x)0:4.4.156-94.57.1(noarch)0:4.4.156-94.57.1(aarch64|ppc64le|s390x|x86_64)0:4.9-3.5.1(s390x|x86_64)0:4.9-3.5.1(aarch64|ppc64le|s390x|x86_64)0:6.2.0dev-22.3.1(aarch64|ppc64le|s390x|x86_64)0:1.8.0.181-27.26.2(aarch64|ppc64le|s390x|x86_64)0:1.0.58-19.2.3(aarch64|ppc64le|s390x|x86_64)0:7.1.1-3.3.4(aarch64|ppc64le|s390x|x86_64)0:1.7.1-5.3.1(aarch64|ppc64le|s390x|x86_64)0:10.5-1.3.1(s390x|x86_64)0:10.5-1.3.1(noarch)0:10-17.20.1(aarch64|ppc64le|s390x|x86_64)0:10.5-1.3.2(noarch)0:10.5-1.3.2(aarch64|ppc64le|s390x|x86_64)0:2.9.4-46.15.1(s390x|x86_64)0:2.9.4-46.15.1(noarch)0:2.9.4-46.15.1(aarch64|ppc64le|s390x|x86_64)0:6.8.8.1-71.79.1(aarch64|ppc64le|s390x|x86_64)0:9.9.9P1-63.7.1(noarch)0:9.9.9P1-63.7.1(s390x|x86_64)0:9.9.9P1-63.7.1(aarch64|ppc64le|s390x|x86_64)0:1.6.2-12.5.1(s390x|x86_64)0:1.6.2-12.5.1(noarch)0:1.6.2-12.5.1(aarch64|ppc64le|s390x|x86_64)0:1.10-4.3.1(s390x|x86_64)0:1.10-4.3.1(noarch)0:1.4-290.3.1(aarch64|ppc64le|s390x|x86_64)0:4.6.16+git.124.aee309c5c18-3.32.1(s390x|x86_64)0:4.6.16+git.124.aee309c5c18-3.32.1(noarch)0:4.6.16+git.124.aee309c5c18-3.32.1(aarch64|ppc64le|s390x|x86_64)0:6.8.8.1-71.82.1(aarch64|ppc64le|s390x|x86_64)0:2.31-9.26.1(aarch64|ppc64le|s390x|x86_64)0:2.9.3-6.3.1(aarch64|ppc64le|s390x|x86_64)0:1.5.1-11.3.12(aarch64|ppc64le|s390x|x86_64)0:103-8.3.1(s390x|x86_64)0:103-8.3.1(aarch64|ppc64le|s390x|x86_64)0:1.1.1-12.1(s390x|x86_64)0:1.1.1-12.1(aarch64|ppc64le|s390x|x86_64)0:1.0.8-12.1(s390x|x86_64)0:1.0.8-12.1(aarch64|ppc64le|s390x|x86_64)0:4.11.2-16.16.1(s390x|x86_64)0:4.11.2-16.16.1(aarch64|ppc64le|s390x|x86_64)0:4.0.9-44.24.1(s390x|x86_64)0:4.0.9-44.24.1(aarch64|ppc64le|s390x|x86_64)0:0.6.8-7.5.1(s390x|x86_64)0:0.6.8-7.5.1(aarch64|ppc64le|s390x|x86_64)0:1.900.14-195.5.1(s390x|x86_64)0:1.900.14-195.5.1(aarch64|ppc64le|s390x|x86_64)0:4.2.8p12-64.8.2(aarch64|ppc64le|s390x|x86_64)0:9.6.10-3.22.7(noarch)0:9.6.10-3.22.7(noarch)0:8.0.53-29.16.2(aarch64|ppc64le|s390x|x86_64)0:2.20.3-2.23.8(aarch64|ppc64le|s390x|x86_64)0:2.2.1-5.7.1(aarch64|ppc64le|s390x|x86_64)0:6.8.8.1-71.33.1(aarch64|ppc64le|s390x|x86_64)0:0.100.2-33.18.1(aarch64|ppc64le|s390x|x86_64)0:5.7.3-6.3.1(s390x|x86_64)0:5.7.3-6.3.1(aarch64|ppc64le|s390x|x86_64)0:1.0.25-36.7.2(s390x|x86_64)0:1.0.25-36.7.2(aarch64|ppc64le|s390x|x86_64)0:6.8.8.1-71.85.1(aarch64|ppc64le|s390x|x86_64)0:3.0.38-52.26.1(x86_64)0:4.9.3_03-3.44.2(aarch64|ppc64le|s390x|x86_64)0:2.7-9.7.1(s390x|x86_64)0:2.7-9.7.1(aarch64|ppc64le|s390x|x86_64)0:2.9.1-6.19.11(aarch64)0:2.9.1-6.19.11(aarch64|x86_64)0:2.9.1-6.19.11(noarch)0:1.0.0-6.19.11(s390x|x86_64)0:2.9.1-6.19.11(ppc64le)0:2.9.1-6.19.11(s390x)0:2.9.1-6.19.11(noarch)0:1.10.2-6.19.11(noarch)0:8-6.19.11(x86_64)0:2.9.1-6.19.11(aarch64|ppc64le|s390x|x86_64)0:2.7.13-28.16.1(s390x|x86_64)0:2.7.13-28.16.1(noarch)0:2.7.13-28.16.1(aarch64|ppc64le|s390x|x86_64)0:2.4.23-29.27.2(noarch)0:2.4.23-29.27.2(aarch64|ppc64le|s390x|x86_64)0:0.3.6-11.3.1(s390x|x86_64)0:0.3.6-11.3.1(aarch64|ppc64le|s390x|x86_64)0:2.4.10-48.32.1(aarch64|ppc64le|s390x|x86_64)0:60.2.2esr-109.46.1(aarch64|ppc64le|s390x|x86_64)0:60-32.3.1(aarch64|ppc64le|s390x|x86_64)0:1.0.14-19.6.3(aarch64|ppc64le|s390x|x86_64)0:3.36.4-58.15.3(s390x|x86_64)0:3.36.4-58.15.3(aarch64|ppc64le|s390x|x86_64)0:4.19-19.3.1(s390x|x86_64)0:4.19-19.3.1(aarch64|ppc64le|s390x|x86_64)0:7.37.0-37.31.1(s390x|x86_64)0:7.37.0-37.31.1(aarch64|ppc64le|s390x|x86_64)0:1.7.1-5.6.1(aarch64|ppc64le|s390x|x86_64)0:0.13.0-3.3.2(aarch64|ppc64le|s390x|x86_64)0:3.1.2-26.3.1(aarch64|ppc64le|s390x|x86_64)0:1.5.3-31.7.4(aarch64|ppc64le|s390x|x86_64)0:62.2.0-31.7.4(s390x|x86_64)0:62.2.0-31.7.4(aarch64|ppc64le|s390x|x86_64)0:8.1.2-31.7.4(s390x|x86_64)0:8.1.2-31.7.4(aarch64|ppc64le|s390x|x86_64)0:0.16.0-8.5.15(aarch64|ppc64le|s390x|x86_64)0:4.4.162-94.69.2(s390x)0:4.4.162-94.69.2(noarch)0:4.4.162-94.69.2(x86_64)0:2.7.1-8.6.1(x86_64)0:2.7.1_k4.4.162_94.69-8.6.1(aarch64|ppc64le|s390x|x86_64)0:52.6.0esr-109.13.1(aarch64|ppc64le|s390x|x86_64)0:60.3.0-109.50.2(aarch64|ppc64le|s390x|x86_64)0:228-150.53.3(s390x|x86_64)0:228-150.53.3(noarch)0:228-150.53.3(aarch64|ppc64le|s390x|x86_64)0:10.6-1.6.1(s390x|x86_64)0:10.6-1.6.1(noarch)0:10.6-1.6.1(aarch64|ppc64le|s390x|x86_64)0:3.5.21-26.12.1(aarch64|ppc64le|s390x|x86_64)0:10.0.33-29.13.1(s390x|x86_64)0:10.0.33-29.13.1(aarch64|ppc64le|s390x|x86_64)0:4.4.114-94.11.3(s390x)0:4.4.114-94.11.3(noarch)0:4.4.114-94.11.2(aarch64|ppc64le|s390x|x86_64)0:4.4.114-94.11.2(aarch64|ppc64le|s390x|x86_64)0:2.9.4-46.12.1(s390x|x86_64)0:2.9.4-46.12.1(noarch)0:2.9.4-46.12.1(aarch64|ppc64le|s390x|x86_64)0:1.0.2j-60.46.1(s390x|x86_64)0:1.0.2j-60.46.1(noarch)0:1.0.2j-60.46.1(aarch64|ppc64le|s390x|x86_64)0:4.11.2-16.21.1(s390x|x86_64)0:4.11.2-16.21.1(aarch64|ppc64le|s390x|x86_64)0:9.15-23.7.1(aarch64|ppc64le|s390x|x86_64)0:0.23-12.5.1(aarch64|ppc64le|s390x|x86_64)0:4.0.9-44.27.1(s390x|x86_64)0:4.0.9-44.27.1(aarch64|ppc64le|s390x|x86_64)0:7.2p2-74.30.1(aarch64|ppc64le|x86_64)0:16.11.8-8.10.2(x86_64)0:16.11.8_k4.4.156_94.64-8.10.2(aarch64)0:16.11.8-8.10.2(aarch64)0:16.11.8_k4.4.156_94.64-8.10.2(ppc64le|s390x|x86_64)0:1.7.1_sr4.35-38.29.1(x86_64)0:1.7.1_sr4.35-38.29.1(aarch64|ppc64le|s390x|x86_64)0:5.9-61.1(s390x|x86_64)0:5.9-61.1(aarch64|ppc64le|s390x|x86_64)0:2.6.3-7.15.1(s390x|x86_64)0:2.6.3-7.15.1(aarch64|ppc64le|s390x|x86_64)0:6.8.8.1-71.93.2(aarch64|ppc64le|s390x|x86_64)0:0.8.0-19.3.1(aarch64|ppc64le|s390x|x86_64)0:1.3.1-7.13.4(noarch)0:16.0.0-4.11.3(noarch)0:18.0.1-4.8.1(ppc64le|s390x|x86_64)0:1.8.0_sr5.25-30.39.1(x86_64)0:1.8.0_sr5.25-30.39.1(x86_64)0:4.9.3_03-3.47.1(aarch64|ppc64le|s390x|x86_64)0:9.26-23.16.1(aarch64|ppc64le|s390x|x86_64)0:0.2.7-12.4.1(aarch64|ppc64le|s390x|x86_64)0:1.7.5-20.20.1(s390x|x86_64)0:1.7.5-20.20.1(aarch64|ppc64le|s390x|x86_64)0:2.12.3-27.17.2(aarch64|ppc64le|s390x|x86_64)0:2.7.6-3.23.1(aarch64|ppc64le|s390x|x86_64)0:2.9.1-6.22.3(aarch64)0:2.9.1-6.22.3(aarch64|x86_64)0:2.9.1-6.22.3(noarch)0:1.0.0+-6.22.3(s390x|x86_64)0:2.9.1-6.22.3(ppc64le)0:2.9.1-6.22.3(s390x)0:2.9.1-6.22.3(noarch)0:1.10.2-6.22.3(noarch)0:8-6.22.3(x86_64)0:2.9.1-6.22.3(aarch64|ppc64le|s390x|x86_64)0:4.9.2-14.8.1(aarch64|ppc64le|s390x|x86_64)0:2.4.41-18.43.1(s390x|x86_64)0:2.4.41-18.43.1(aarch64|ppc64le|s390x|x86_64)0:5.6.2-6.15.2(aarch64|ppc64le|s390x|x86_64)0:5.13-5.7.1(aarch64|ppc64le|s390x|x86_64)0:4.0.9-44.30.1(s390x|x86_64)0:4.0.9-44.30.1(aarch64|x86_64)0:2017+git1492060560.b6d11d7c46-4.17.1(noarch)0:2017+git1492060560.b6d11d7c46-4.17.1(x86_64)0:4.9.1_08-3.26.1(aarch64|ppc64le|s390x|x86_64)0:60.4.0esr-109.55.1(aarch64|ppc64le|s390x|x86_64)0:3.40.1-58.18.1(s390x|x86_64)0:3.40.1-58.18.1(aarch64|ppc64le|s390x|x86_64)0:4.20-19.6.1(s390x|x86_64)0:4.20-19.6.1(ppc64le|s390x|x86_64)0:2.1.17-3.3.3(aarch64|ppc64le|s390x|x86_64)0:2.4.11-48.35.1(aarch64|ppc64le|s390x|x86_64)0:2.22-62.6.2(s390x|x86_64)0:2.22-62.6.2(noarch)0:2.22-62.6.2(aarch64|ppc64le|s390x|x86_64)0:1.1.1-17.7.1(aarch64|ppc64le|s390x|x86_64)0:9.20.1-7.3.1(aarch64|ppc64le|s390x|x86_64)0:2.2.31-19.5.1(aarch64|ppc64le|s390x|x86_64)0:9.6.7-3.13.1(s390x|x86_64)0:9.6.7-3.13.1(noarch)0:9.6.7-3.13.1(aarch64|ppc64le|s390x|x86_64)0:4.8.30-29.6(s390x|x86_64)0:4.8.30-29.6(aarch64|ppc64le|s390x|x86_64)0:4.3.3-10.11.1(aarch64|ppc64le|s390x|x86_64)0:228-150.32.1(s390x|x86_64)0:228-150.32.1(noarch)0:228-150.32.1(aarch64|ppc64le|s390x|x86_64)0:6.8.8.1-71.42.1(aarch64|ppc64le|s390x|x86_64)0:2.1.0-6.3.1(aarch64|ppc64le|s390x|x86_64)0:6.8.8.1-71.23.1(aarch64|ppc64le|s390x|x86_64)0:1.7.5-20.3.1(s390x|x86_64)0:1.7.5-20.3.1(aarch64|ppc64le|s390x|x86_64)0:4.60.99-5.3.1(aarch64|ppc64le|s390x|x86_64)0:3.5.21-26.6.1(aarch64|ppc64le|s390x|x86_64)0:1.2.0-17.3.1(aarch64|ppc64le|s390x|x86_64)0:2.22-62.10.1(s390x|x86_64)0:2.22-62.10.1(noarch)0:2.22-62.10.1(aarch64|ppc64le|s390x|x86_64)0:4.2.1-27.6.1(ppc64le|s390x|x86_64)0:1.8.0_sr5.10-30.16.1(x86_64)0:1.8.0_sr5.10-30.16.1(aarch64|ppc64le|s390x|x86_64)0:1.7.0.171-43.12.1(aarch64|ppc64le|s390x|x86_64)0:1.8.0.161-27.13.1(noarch)0:20170530-21.19.1(aarch64|ppc64le|s390x|x86_64)0:0.90-6.3.1(s390x|x86_64)0:0.90-6.3.1(ppc64le|s390x|x86_64)0:1.7.1_sr4.20-38.12.1(x86_64)0:1.7.1_sr4.20-38.12.1(aarch64|ppc64le|s390x|x86_64)0:10.0.34-29.16.1(s390x|x86_64)0:10.0.34-29.16.1(x86_64)0:20180312-13.17.1(aarch64|ppc64le|s390x|x86_64)0:1.5.6-3.6.1(ppc64le|s390x|x86_64)0:1.7.1_sr4.20-38.16.1(x86_64)0:1.7.1_sr4.20-38.16.1(aarch64|ppc64le|s390x|x86_64)0:4.6.13+git.72.2a684235f41-3.21.3(s390x|x86_64)0:4.6.13+git.72.2a684235f41-3.21.3(aarch64|ppc64le|s390x|x86_64)0:2.1.10-3.3.2(s390x|x86_64)0:2.1.10-3.3.2(aarch64|ppc64le|s390x|x86_64)0:0.9.34-3.3.2(s390x|x86_64)0:0.9.34-3.3.2(noarch)0:4.6.13+git.72.2a684235f41-3.21.3(aarch64|ppc64le|s390x|x86_64)0:9.6.8-3.16.1(s390x|x86_64)0:9.6.8-3.16.1(noarch)0:9.6.8-3.16.1(aarch64|ppc64le|s390x|x86_64)0:2.9.1-6.12.1(aarch64)0:2.9.1-6.12.1(aarch64|x86_64)0:2.9.1-6.12.1(noarch)0:1.0.0-6.12.1(s390x|x86_64)0:2.9.1-6.12.1(ppc64le)0:2.9.1-6.12.1(s390x)0:2.9.1-6.12.1(noarch)0:1.10.2-6.12.1(noarch)0:8-6.12.1(x86_64)0:2.9.1-6.12.1(aarch64|ppc64le|s390x|x86_64)0:7.37.0-37.17.1(s390x|x86_64)0:7.37.0-37.17.1(noarch)0:1.3.3-10.6.1(aarch64|ppc64le|s390x|x86_64)0:1.3.3-10.6.1(s390x|x86_64)0:1.3.3-10.6.1(aarch64|ppc64le|s390x|x86_64)0:4.4.120-94.17.1(s390x)0:4.4.120-94.17.1(noarch)0:4.4.120-94.17.1(aarch64|ppc64le|s390x|x86_64)0:0.99.4-33.9.1(aarch64|ppc64le|s390x|x86_64)0:4.3.3-10.14.1(noarch)0:8.0.50-29.8.2(aarch64|ppc64le|s390x|x86_64)0:2.2.13-48.21.1(aarch64|ppc64le|s390x|x86_64)0:2.22-62.3.4(s390x|x86_64)0:2.22-62.3.4(noarch)0:2.22-62.3.4(aarch64|ppc64le|s390x|x86_64)0:1.2.12-3.3.1(aarch64|ppc64le|s390x|x86_64)0:0.9.9-17.5.1(aarch64|ppc64le|s390x|x86_64)0:1.4.39-4.3.1(aarch64|ppc64le|s390x|x86_64)0:1.12.5-40.23.2(s390x|x86_64)0:1.12.5-40.23.2(aarch64|ppc64le|s390x|x86_64)0:52.7.3esr-109.25.1(aarch64|ppc64le|s390x|x86_64)0:6.8.8.1-71.47.1(aarch64|ppc64le|s390x|x86_64)0:1.3.1-10.3.1(s390x|x86_64)0:1.3.1-10.3.1(aarch64|ppc64le|s390x|x86_64)0:4.0.9-44.7.1(s390x|x86_64)0:4.0.9-44.7.1(aarch64|ppc64le|s390x|x86_64)0:0.33-3.3.2(aarch64|ppc64le|s390x|x86_64)0:1.28-5.3.1(s390x|x86_64)0:1.28-5.3.1(aarch64|ppc64le|s390x|x86_64)0:1.7.0.161-43.7.6(aarch64|ppc64le|s390x|x86_64)0:3.3.0-5.19.2(x86_64)0:3.3.0-5.19.2(aarch64|x86_64)0:3.3.0-5.19.2(noarch)0:1.4.1-5.8.1(aarch64|ppc64le|s390x|x86_64)0:2.5-10.3.1(aarch64|ppc64le|s390x|x86_64)0:1.0.2j-60.24.1(s390x|x86_64)0:1.0.2j-60.24.1(noarch)0:1.0.2j-60.24.1(aarch64|ppc64le|s390x|x86_64)0:3.4.6-25.7.1(aarch64|ppc64le|s390x|x86_64)0:3.20.2-6.22.9(noarch)0:3.20.2-6.22.9(aarch64|ppc64le|s390x|x86_64)0:10.0.32-29.10.1(s390x|x86_64)0:10.0.32-29.10.1(aarch64|ppc64le|s390x|x86_64)0:1.4.39-4.6.1(aarch64|ppc64le|s390x|x86_64)0:4.2.8p11-64.3.2(aarch64|ppc64le|s390x|x86_64)0:2.2.14-48.24.1(aarch64|ppc64le|s390x|x86_64)0:4.4.126-94.22.1(s390x)0:4.4.126-94.22.1(noarch)0:4.4.126-94.22.2(aarch64|ppc64le|s390x|x86_64)0:1.1.3-24.6.1(noarch)0:1.1.3-24.6.1(aarch64|ppc64le|s390x|x86_64)0:0.12.21~rc-1001.3.1(aarch64|ppc64le|s390x|x86_64)0:5.18.2-12.11.1(s390x|x86_64)0:5.18.2-12.11.1(noarch)0:5.18.2-12.11.1(aarch64|ppc64le|s390x|x86_64)0:5.0.5-6.7.2(noarch)0:1.54.0-26.3.1(aarch64|ppc64le|s390x|x86_64)0:1.54.0-26.3.1(aarch64|ppc64le|s390x|x86_64)0:3.5.21-26.9.1(aarch64|ppc64le|s390x|x86_64)0:2.2.31-19.8.1(aarch64|ppc64le|s390x|x86_64)0:2.7.5-8.5.1(noarch)0:20170530-21.16.1(s390x)0:4.4.103-94.6.1(noarch)0:4.4.103-94.6.1(s390x)0:4.4.103-94.6.2(aarch64|ppc64le|s390x|x86_64)0:2.4.23-29.18.2(noarch)0:2.4.23-29.18.2(aarch64|ppc64le|s390x|x86_64)0:6.8.8.1-71.54.5(aarch64|ppc64le|s390x|x86_64)0:4.0.9-44.10.1(s390x|x86_64)0:4.0.9-44.10.1(x86_64)0:4.9.2_04-3.29.1(aarch64|ppc64le|s390x|x86_64)0:1.5.1-4.3.1(aarch64|ppc64le|s390x|x86_64)0:1.15.2-25.3.2(s390x|x86_64)0:1.15.2-25.3.2(aarch64|ppc64le|s390x|x86_64)0:3.1.0-13.7.1(aarch64|ppc64le|s390x|x86_64)0:5.9-55.1(s390x|x86_64)0:5.9-55.1(aarch64|ppc64le|s390x|x86_64)0:7.37.0-37.11.3(s390x|x86_64)0:7.37.0-37.11.3(aarch64|ppc64le|s390x|x86_64)0:2.0019-6.3.5(aarch64|ppc64le|s390x|x86_64)0:2.9.1-6.9.2(aarch64)0:2.9.1-6.9.2(aarch64|x86_64)0:2.9.1-6.9.2(noarch)0:1.0.0-6.9.2(s390x|x86_64)0:2.9.1-6.9.2(ppc64le)0:2.9.1-6.9.2(s390x)0:2.9.1-6.9.2(noarch)0:1.10.2-6.9.2(noarch)0:8-6.9.2(x86_64)0:2.9.1-6.9.2(aarch64|ppc64le|s390x|x86_64)0:2.40.20-5.6.1(s390x|x86_64)0:2.40.20-5.6.1(noarch)0:1.3.3-10.11.1(aarch64|ppc64le|s390x|x86_64)0:1.3.3-10.11.1(s390x|x86_64)0:1.3.3-10.11.1(aarch64|ppc64le|s390x|x86_64)0:7.37.0-37.23.1(s390x|x86_64)0:7.37.0-37.23.1(aarch64|ppc64le|s390x|x86_64)0:9.15-23.10.2(aarch64|ppc64le|s390x|x86_64)0:52.8.0esr-109.31.2(aarch64|ppc64le|s390x|x86_64)0:2.1.0-4.9.1(aarch64|ppc64le|s390x|x86_64)0:2.9.1-6.16.1(aarch64)0:2.9.1-6.16.1(aarch64|x86_64)0:2.9.1-6.16.1(noarch)0:1.0.0-6.16.1(s390x|x86_64)0:2.9.1-6.16.1(ppc64le)0:2.9.1-6.16.1(s390x)0:2.9.1-6.16.1(noarch)0:1.10.2-6.16.1(noarch)0:8-6.16.1(x86_64)0:2.9.1-6.16.1(aarch64|ppc64le|s390x|x86_64)0:4.4.131-94.29.1(s390x)0:4.4.131-94.29.1(noarch)0:4.4.131-94.29.1(aarch64|ppc64le|s390x|x86_64)0:1.14-21.7.1(aarch64|ppc64le|s390x|x86_64)0:2.7.13-28.3.2(s390x|x86_64)0:2.7.13-28.3.2(noarch)0:2.7.13-28.3.3(aarch64|ppc64le|s390x|x86_64)0:6.8.8.1-71.26.1(aarch64|ppc64le|s390x|x86_64)0:4.3-83.10.1(noarch)0:4.3-83.10.1(aarch64|ppc64le|s390x|x86_64)0:6.3-83.10.1(s390x|x86_64)0:6.3-83.10.1(noarch)0:6.3-83.10.1(aarch64|ppc64le|s390x|x86_64)0:52.1-8.7.1(s390x|x86_64)0:52.1-8.7.1(aarch64|ppc64le|s390x|x86_64)0:12.2.5+git.1524775272.5e7ea8cf03-2.7.1(aarch64|ppc64le|s390x|x86_64)0:1.900.14-195.8.1(s390x|x86_64)0:1.900.14-195.8.1(aarch64|ppc64le|s390x|x86_64)0:0.8.9.0+git20170610.f6dd59a-15.4.1(aarch64|ppc64le|s390x|x86_64)0:4.021-12.5.2(x86_64)0:4.9.2_06-3.32.1(aarch64|ppc64le|s390x|x86_64)0:2.24.0-2.38.2(aarch64|ppc64le|s390x|x86_64)0:6.8.8.1-71.108.1(aarch64|ppc64le|s390x|x86_64)0:4.6.16+git.154.2998451b912-3.40.3(s390x|x86_64)0:4.6.16+git.154.2998451b912-3.40.3(noarch)0:4.6.16+git.154.2998451b912-3.40.3(aarch64|ppc64le|s390x|x86_64)0:2.4.14-48.45.1(aarch64|ppc64le|s390x|x86_64)0:3.3.0-5.30.1(x86_64)0:3.3.0-5.30.1(aarch64|x86_64)0:3.3.0-5.30.1(aarch64|ppc64le|s390x|x86_64)0:1.4.3-20.6.1(s390x|x86_64)0:1.4.3-20.6.1(aarch64|ppc64le|s390x|x86_64)0:2.6-15.10.1(aarch64|ppc64le|s390x|x86_64)0:0.7.0-160.8.1(aarch64|ppc64le|s390x|x86_64)0:1.12.5-40.31.1(s390x|x86_64)0:1.12.5-40.31.1(aarch64|ppc64le|s390x|x86_64)0:1.5.3-31.14.2(aarch64|ppc64le|s390x|x86_64)0:62.2.0-31.14.2(s390x|x86_64)0:62.2.0-31.14.2(aarch64|ppc64le|s390x|x86_64)0:8.1.2-31.14.2(s390x|x86_64)0:8.1.2-31.14.2(noarch)0:1.0.1-19.5.1(noarch)0:3.0-95.21.1(aarch64|ppc64le|s390x|x86_64)0:1.0.2j-60.52.1(s390x|x86_64)0:1.0.2j-60.52.1(noarch)0:1.0.2j-60.52.1(aarch64|ppc64le|s390x|x86_64)0:2.24.1-2.41.5(aarch64|ppc64le|s390x|x86_64)0:2.8.1-8.3.3(aarch64|ppc64le|s390x|x86_64)0:2.8.1-8.3.1(s390x|x86_64)0:2.8.1-8.3.1(aarch64|ppc64le|s390x|x86_64)0:3.0.15-2.11.2(aarch64|ppc64le|s390x|x86_64)0:1.10.1-55.6.1(aarch64|x86_64)0:2017+git1492060560.b6d11d7c46-4.26.1(noarch)0:2017+git1492060560.b6d11d7c46-4.26.1(aarch64|ppc64le|s390x|x86_64)0:3.8.10.2-9.6.1(s390x|x86_64)0:3.8.10.2-9.6.1(noarch)0:1.1.1-122.3.1(aarch64|ppc64le|s390x|x86_64)0:1.8.0.212-27.32.1(aarch64|ppc64le|s390x|x86_64)0:1.1.28-17.3.1(s390x|x86_64)0:1.1.28-17.3.1(x86_64)0:20190507-13.41.1(aarch64|ppc64le|s390x|x86_64)0:2.9.1-6.34.1(aarch64)0:2.9.1-6.34.1(aarch64|x86_64)0:2.9.1-6.34.1(noarch)0:1.0.0+-6.34.1(s390x|x86_64)0:2.9.1-6.34.1(ppc64le)0:2.9.1-6.34.1(s390x)0:2.9.1-6.34.1(noarch)0:1.10.2-6.34.1(noarch)0:8-6.34.1(x86_64)0:2.9.1-6.34.1(aarch64|ppc64le|s390x|x86_64)0:4.4.178-94.91.2(s390x)0:4.4.178-94.91.2(noarch)0:4.4.178-94.91.1(aarch64|ppc64le|s390x|x86_64)0:4.4.178-94.91.1(x86_64)0:4.4.178-4.28.1(noarch)0:4.4.178-4.28.1(x86_64)0:4.9.4_04-3.53.1(aarch64|ppc64le|s390x|x86_64)0:228-150.66.4(s390x|x86_64)0:228-150.66.4(noarch)0:228-150.66.4(aarch64|ppc64le|s390x|x86_64)0:1.1.3-24.9.1(noarch)0:1.1.3-24.9.1(aarch64|ppc64le|s390x|x86_64)0:6.46-3.3.1(x86_64)0:20190514-13.44.1(aarch64|ppc64le|s390x|x86_64)0:7.2p2-74.35.1(aarch64|ppc64le|s390x|x86_64)0:12.0.2-10.18.1(aarch64|ppc64le|s390x|x86_64)0:5.13-5.12.1(ppc64le|s390x|x86_64)0:1.7.1_sr4.45-38.37.1(x86_64)0:1.7.1_sr4.45-38.37.1(aarch64|ppc64le|s390x|x86_64)0:228-150.58.1(s390x|x86_64)0:228-150.58.1(noarch)0:228-150.58.1(aarch64|ppc64le|s390x|x86_64)0:4.0.4-23.3.3(aarch64|ppc64le|s390x|x86_64)0:7.37.0-37.40.1(s390x|x86_64)0:7.37.0-37.40.1(aarch64|ppc64le|s390x|x86_64)0:4.9-3.10.1(s390x|x86_64)0:4.9-3.10.1(aarch64|ppc64le|s390x|x86_64)0:2.4.12-48.39.1(noarch)0:1.4-290.6.1(aarch64|ppc64le|s390x|x86_64)0:60.7.0-109.72.1(aarch64|ppc64le|s390x|x86_64)0:3.20.4-77.23.1(noarch)0:3.20.4-77.23.1(aarch64|ppc64le|s390x|x86_64)0:1.7.0.221-43.22.1(aarch64|ppc64le|s390x|x86_64)0:1.2.40-7.3.1(aarch64|ppc64le|s390x|x86_64)0:9.9.9P1-63.12.1(noarch)0:9.9.9P1-63.12.1(aarch64|ppc64le|s390x|x86_64)0:2.7.13-28.26.1(s390x|x86_64)0:2.7.13-28.26.1(noarch)0:2.7.13-28.26.1(aarch64|ppc64le|s390x|x86_64)0:9.26a-23.19.1(aarch64|ppc64le|s390x|x86_64)0:0.2.7-12.6.1(aarch64|ppc64le|s390x|x86_64)0:7.4.326-17.3.1(noarch)0:7.4.326-17.3.1(aarch64|ppc64le|s390x|x86_64)0:2.22.5-2.32.2(aarch64|ppc64le|s390x|x86_64)0:0.6.11-12.3.1(s390x|x86_64)0:0.6.11-12.3.1(aarch64|ppc64le|s390x|x86_64)0:1.13.4-34.37.1(x86_64)0:4.4.170-4.22.1(noarch)0:4.4.170-4.22.1(aarch64|ppc64le|s390x|x86_64)0:10.8-1.9.1(s390x|x86_64)0:10.8-1.9.1(noarch)0:10.8-1.9.1(aarch64|ppc64le|s390x|x86_64)0:7.2p2-74.42.8(aarch64|ppc64le|s390x|x86_64)0:7.2p2-74.42.10(x86_64)0:4.4.180-4.31.1(noarch)0:4.4.180-4.31.1(aarch64|ppc64le|s390x|x86_64)0:4.4.180-94.97.1(s390x)0:4.4.180-94.97.1(noarch)0:4.4.180-94.97.1(aarch64|ppc64le|s390x|x86_64)0:3.3.0-5.33.2(x86_64)0:3.3.0-5.33.2(aarch64|x86_64)0:3.3.0-5.33.2(aarch64|ppc64le|s390x|x86_64)0:1.8.3-13.3.2(noarch)0:1.8.3-13.3.2(s390x|x86_64)0:1.8.3-13.3.2(aarch64|ppc64le|s390x|x86_64)0:3.8.10.2-9.9.1(s390x|x86_64)0:3.8.10.2-9.9.1(aarch64|ppc64le|s390x|x86_64)0:1.4.3-20.9.1(s390x|x86_64)0:1.4.3-20.9.1(aarch64|ppc64le|s390x|x86_64)0:2.4.15-48.48.1(aarch64|ppc64le|s390x|x86_64)0:60.7.1-109.77.1(ppc64le|s390x|x86_64)0:1.8.0_sr5.35-30.50.1(x86_64)0:1.8.0_sr5.35-30.50.1(aarch64|ppc64le|s390x|x86_64)0:10.66.3-8.7.2(s390x|x86_64)0:10.66.3-8.7.2(aarch64|ppc64le|s390x|x86_64)0:60.7.2-109.80.1(aarch64|ppc64le|s390x|x86_64)0:9.6.13-3.25.1(noarch)0:9.6.13-3.25.1(aarch64|ppc64le|s390x|x86_64)0:6.8.8.1-71.123.2(aarch64|ppc64le|s390x|x86_64)0:2.78-18.6.1(noarch)0:2.48.2-12.12.2(aarch64|ppc64le|s390x|x86_64)0:2.48.2-12.12.2(s390x|x86_64)0:2.48.2-12.12.2(aarch64|ppc64le|s390x|x86_64)0:0.158-7.7.2(s390x|x86_64)0:0.158-7.7.2(aarch64|ppc64le|s390x|x86_64)0:10.9-1.12.1(s390x|x86_64)0:10.9-1.12.1(aarch64|ppc64le|s390x|x86_64)0:10.9-1.12.2(aarch64|ppc64le|s390x|x86_64)0:0.6.32-32.3.1(noarch)0:0.6.32-32.3.1(s390x|x86_64)0:0.6.32-32.3.1(aarch64|ppc64le|s390x|x86_64)0:0.6.32-32.3.2(s390x|x86_64)0:0.6.32-32.3.2(aarch64|ppc64le|s390x|x86_64)0:2.48.2-12.15.1(s390x|x86_64)0:2.48.2-12.15.1(aarch64|ppc64le|s390x|x86_64)0:4.4.180-94.100.1(s390x)0:4.4.180-94.100.1(ppc64le|x86_64)0:1-4.3.1(aarch64|ppc64le|s390x|x86_64)0:60.8.0-109.83.3(aarch64|ppc64le|s390x|x86_64)0:3.44.1-58.28.1(s390x|x86_64)0:3.44.1-58.28.1(aarch64|ppc64le|s390x|x86_64)0:0.113-5.15.14.4.140-94.42-default(ppc64le|x86_64)0:10-2.14.4.143-94.47-default(ppc64le|x86_64)0:7-2.14.4.155-94.50-default4.4.156-94.57-default4.4.156-94.61-default4.4.156-94.64-default(ppc64le|x86_64)0:6-2.14.4.162-94.69-default(ppc64le|x86_64)0:5-2.14.4.162-94.72-default4.4.175-94.79-default(ppc64le|x86_64)0:4-2.14.4.176-94.88-default(ppc64le|x86_64)0:3-2.14.4.178-94.91-default4.4.180-94.97-default(ppc64le|s390x|x86_64)0:1.0.6-30.5.1(s390x|x86_64)0:1.0.6-30.5.1(aarch64|ppc64le|s390x|x86_64)0:2.22-62.22.5(s390x|x86_64)0:2.22-62.22.5(ppc64le|s390x|x86_64)0:0.6.36-2.16.2(ppc64le|s390x|x86_64)0:16.20.0-2.39.4(ppc64le|s390x|x86_64)0:1.13.51-21.26.4(aarch64|ppc64le|s390x|x86_64)0:1.0.6-30.8.1(s390x|x86_64)0:1.0.6-30.8.1(aarch64|ppc64le|s390x|x86_64)0:0.113-5.18.1(aarch64|ppc64le|s390x|x86_64)0:1.8.0.222-27.35.2(aarch64|ppc64le|s390x|x86_64)0:3.4.6-25.29.1(aarch64|ppc64le|s390x|x86_64)0:3.20.2-6.27.1(aarch64|ppc64le|s390x|x86_64)0:3.5.21-26.17.1(aarch64|ppc64le|s390x|x86_64)0:8.24.0-3.19.1(aarch64|ppc64le|s390x|x86_64)0:2.7.13-28.31.1(s390x|x86_64)0:2.7.13-28.31.1(aarch64|ppc64le|s390x|x86_64)0:9.6.15-3.29.1(aarch64|ppc64le|s390x|x86_64)0:3.3.0-5.40.1(aarch64|x86_64)0:3.3.0-5.40.1(aarch64|ppc64le|s390x|x86_64)0:4.4.180-94.103.1(s390x)0:4.4.180-94.103.1(aarch64|ppc64le|s390x|x86_64)0:5.18.2-12.20.1(s390x|x86_64)0:5.18.2-12.20.1(aarch64|ppc64le|s390x|x86_64)0:0.6.36-2.27.19.8(aarch64|ppc64le|s390x|x86_64)0:16.20.2-27.60.4(aarch64|ppc64le|s390x|x86_64)0:1.13.54-18.40.2(ppc64le|s390x|x86_64)0:1.7.1_sr4.50-38.41.1(aarch64|ppc64le|s390x|x86_64)0:7.37.0-37.43.1(s390x|x86_64)0:7.37.0-37.43.1(aarch64|ppc64le|s390x|x86_64)0:2.24.4-2.47.1(ppc64le|s390x|x86_64)0:1.8.0_sr5.40-30.54.1(aarch64|ppc64le|s390x|x86_64)0:1.5.13-15.11.2(aarch64|ppc64le|s390x|x86_64)0:0.12.8-12.1(aarch64|ppc64le|s390x|x86_64)0:1.0.2j-60.55.1(s390x|x86_64)0:1.0.2j-60.55.1(aarch64|ppc64le|s390x|x86_64)0:3.4.6-25.21.1(aarch64|ppc64le|s390x|x86_64)0:60.9.0-109.86.1(aarch64|ppc64le|s390x|x86_64)0:2.2.31-19.17.1(aarch64|ppc64le|s390x|x86_64)0:9.27-23.28.1(aarch64|ppc64le|s390x|x86_64)0:7.37.0-37.34.1(s390x|x86_64)0:7.37.0-37.34.1(aarch64|ppc64le|s390x|x86_64)0:1.6.1-16.68.1(s390x|x86_64)0:1.6.1-16.68.1(ppc64le|x86_64)0:8-2.14.4.180-94.103-default(ppc64le|x86_64)0:2-2.14.4.180-94.100-default(aarch64|ppc64le|s390x|x86_64)0:68.1.0-109.89.1(aarch64|ppc64le|s390x|x86_64)0:68-32.8.1(aarch64|ppc64le|s390x|x86_64)0:2.32-9.33.1(aarch64|ppc64le|s390x|x86_64)0:1.8.20p2-3.14.1(aarch64|ppc64le|s390x|x86_64)0:1.8.1-10.3.1(aarch64|ppc64le|s390x|x86_64)0:4.9.2-14.14.1(aarch64|ppc64le|s390x|x86_64)0:1.3.0-34.22.1(aarch64|ppc64le|x86_64)0:1.1-11.3.1(aarch64|ppc64le|s390x|x86_64)0:68.2.0-109.95.2(aarch64|ppc64le|s390x|x86_64)0:4.6.16+git.169.064abe062be-3.46.1(s390x|x86_64)0:4.6.16+git.169.064abe062be-3.46.1(aarch64|ppc64le|s390x|x86_64)0:8.3.1-2.14.1(aarch64|ppc64le|s390x|x86_64)0:1.4.3-20.14.1(s390x|x86_64)0:1.4.3-20.14.1(aarch64|ppc64le|s390x|x86_64)0:2.4.1-11.3.2(s390x|x86_64)0:2.4.1-11.3.2(aarch64|ppc64le|s390x|x86_64)0:4.4.180-94.107.1(ppc64le|x86_64)0:4.4.180-94.107.1(s390x)0:4.4.180-94.107.1(aarch64|ppc64le|s390x|x86_64)0:1.5.3-31.19.1(aarch64|ppc64le|s390x|x86_64)0:62.2.0-31.19.1(s390x|x86_64)0:62.2.0-31.19.1(aarch64|ppc64le|s390x|x86_64)0:8.1.2-31.19.1(s390x|x86_64)0:8.1.2-31.19.1(aarch64|ppc64le|s390x|x86_64)0:9.27-23.31.1(aarch64|ppc64le|s390x|x86_64)0:3.8.10.2-9.15.1(s390x|x86_64)0:3.8.10.2-9.15.1(aarch64|ppc64le|s390x|x86_64)0:1.7.5-20.26.1(s390x|x86_64)0:1.7.5-20.26.1(aarch64|ppc64le|s390x|x86_64)0:0.100.3-33.26.1(ppc64le|s390x|x86_64)0:2.1.17-3.11.1(aarch64|ppc64le|s390x|x86_64)0:1.7.0.241-43.30.1(aarch64|ppc64le|s390x|x86_64)0:0.9.9-17.11.1(aarch64|ppc64le|s390x|x86_64)0:0.100.3-33.29.1(aarch64|ppc64le|s390x|x86_64)0:2015.09.28.1626-17.20.1(ppc64le|x86_64)0:7-2.5(ppc64le|x86_64)0:6-2.5(aarch64|ppc64le|s390x|x86_64)0:5.1.3-26.13.1(aarch64|ppc64le|s390x|x86_64)0:2.12.3-27.22.1(aarch64|ppc64le|s390x|x86_64)0:68.3.0-109.98.1(aarch64|ppc64le|s390x|x86_64)0:60.5.0esr-109.58.3(aarch64|ppc64le|s390x|x86_64)0:60-32.5.1(aarch64|ppc64le|s390x|x86_64)0:3.41.1-58.25.1(s390x|x86_64)0:3.41.1-58.25.1(aarch64|ppc64le|s390x|x86_64)0:4.4.180-94.113.1(ppc64le|x86_64)0:4.4.180-94.113.1(s390x)0:4.4.180-94.113.1(ppc64le|x86_64)0:1-4.5.1(aarch64|ppc64le|s390x|x86_64)0:1.8.0-5.8.1(aarch64|ppc64le|s390x|x86_64)0:228-150.63.1(s390x|x86_64)0:228-150.63.1(noarch)0:228-150.63.1(aarch64|ppc64le|s390x|x86_64)0:3.3.9-11.18.1(noarch)0:20170530-21.28.1(aarch64|ppc64le|s390x|x86_64)0:2.7.13-28.21.1(s390x|x86_64)0:2.7.13-28.21.1(noarch)0:2.7.13-28.21.1(aarch64|ppc64le|s390x|x86_64)0:1.7.0.201-43.18.1(aarch64|ppc64le|s390x|x86_64)0:2.4.23-29.34.4(noarch)0:2.4.23-29.34.4(aarch64|ppc64le|s390x|x86_64)0:12.2.10+git.1549630712.bb089269ea-2.27.2(aarch64|ppc64le|s390x|x86_64)0:2.22.6-2.35.1(aarch64|ppc64le|s390x|x86_64)0:4.4.175-94.79.1(s390x)0:4.4.175-94.79.1(noarch)0:4.4.175-94.79.1(aarch64|ppc64le|s390x|x86_64)0:1.8.0.191-27.29.1(aarch64|x86_64)0:2017+git1492060560.b6d11d7c46-4.20.1(noarch)0:2017+git1492060560.b6d11d7c46-4.20.1(aarch64|ppc64le|s390x|x86_64)0:2.9.1-6.28.1(aarch64)0:2.9.1-6.28.1(aarch64|x86_64)0:2.9.1-6.28.1(noarch)0:1.0.0+-6.28.1(s390x|x86_64)0:2.9.1-6.28.1(ppc64le)0:2.9.1-6.28.1(s390x)0:2.9.1-6.28.1(noarch)0:1.10.2-6.28.1(noarch)0:8-6.28.1(x86_64)0:2.9.1-6.28.1(aarch64|ppc64le|s390x|x86_64)0:2.22.4-2.29.3(aarch64|ppc64le|s390x|x86_64)0:0.9.9-17.8.1(ppc64le|s390x|x86_64)0:1.7.1_sr4.40-38.34.1(x86_64)0:1.7.1_sr4.40-38.34.1(ppc64le|s390x|x86_64)0:1.8.0_sr5.30-30.46.1(x86_64)0:1.8.0_sr5.30-30.46.1(aarch64|ppc64le|s390x|x86_64)0:4.7.4-3.6.1(aarch64|ppc64le|s390x|x86_64)0:1.4.3-20.3.1(s390x|x86_64)0:1.4.3-20.3.1(aarch64|ppc64le|s390x|x86_64)0:2.4.11-21.8.1(aarch64|ppc64le|s390x|x86_64)0:2.4.13-48.42.1(aarch64|ppc64le|s390x|x86_64)0:9.26a-23.22.1(x86_64)0:20190312-13.38.1(aarch64|x86_64)0:2017+git1492060560.b6d11d7c46-4.23.1(noarch)0:2017+git1492060560.b6d11d7c46-4.23.1(aarch64|ppc64le|s390x|x86_64)0:2.1.0-24.12.1(aarch64|ppc64le|s390x|x86_64)0:0.5.3.git20161120-161.3.4(aarch64|ppc64le|s390x|x86_64)0:4.2.8p13-85.1(aarch64|ppc64le|s390x|x86_64)0:4.4.176-94.88.1(s390x)0:4.4.176-94.88.1(noarch)0:4.4.176-94.88.1(aarch64|ppc64le|s390x|x86_64)0:1.0.2j-60.49.1(s390x|x86_64)0:1.0.2j-60.49.1(noarch)0:1.0.2j-60.49.1(aarch64|ppc64le|s390x|x86_64)0:0.8.2-1.3.1(aarch64|ppc64le|s390x|x86_64)0:1.13.4-34.31.1(s390x|x86_64)0:1.13.4-34.31.1(aarch64|ppc64le|s390x|x86_64)0:1.13.4-34.23.1(s390x|x86_64)0:1.13.4-34.23.1(aarch64|ppc64le|s390x|x86_64)0:1.0.18-3.2.1(aarch64|ppc64le|s390x|x86_64)0:4.3-83.23.1(noarch)0:4.3-83.23.1(aarch64|ppc64le|s390x|x86_64)0:6.3-83.23.1(s390x|x86_64)0:6.3-83.23.1(noarch)0:6.3-83.23.1(aarch64|ppc64le|s390x|x86_64)0:5.22-10.12.2(s390x|x86_64)0:5.22-10.12.2(aarch64|ppc64le|s390x|x86_64)0:60.6.1esr-109.63.2(aarch64|ppc64le|s390x|x86_64)0:2.4.23-29.40.1(noarch)0:2.4.23-29.40.1(aarch64|ppc64le|s390x|x86_64)0:0.100.3-33.21.1(aarch64|ppc64le|s390x|x86_64)0:1.2.15-15.11.1(s390x|x86_64)0:1.2.15-15.11.1(aarch64|ppc64le|s390x|x86_64)0:2.2.31-19.14.2(x86_64)0:4.4.176-4.25.1(noarch)0:4.4.176-4.25.1(aarch64|ppc64le|s390x|x86_64)0:3.8.10.2-9.3.1(s390x|x86_64)0:3.8.10.2-9.3.1(x86_64)0:4.9.4_02-3.50.1(aarch64|ppc64le|s390x|x86_64)0:1.5.6-3.9.1(x86_64)0:4.4.162-4.19.2(noarch)0:4.4.162-4.19.1(x86_64)0:4.4.162-4.19.1(aarch64|ppc64le|s390x|x86_64)0:1.14-21.10.1(aarch64|ppc64le|s390x|x86_64)0:2.9.1-6.31.1(aarch64)0:2.9.1-6.31.1(aarch64|x86_64)0:2.9.1-6.31.1(noarch)0:1.0.0+-6.31.1(s390x|x86_64)0:2.9.1-6.31.1(ppc64le)0:2.9.1-6.31.1(s390x)0:2.9.1-6.31.1(noarch)0:1.10.2-6.31.1(noarch)0:8-6.31.1(x86_64)0:2.9.1-6.31.1(aarch64|ppc64le|s390x|x86_64)0:1.7.1-5.11.1(aarch64|ppc64le|s390x|x86_64)0:3.4.6-25.24.1(aarch64|ppc64le|s390x|x86_64)0:7.37.0-37.37.1(s390x|x86_64)0:7.37.0-37.37.1(aarch64|ppc64le|s390x|x86_64)0:3.0.15-2.14.1(aarch64|ppc64le|s390x|x86_64)0:1.7.5-20.29.1(s390x|x86_64)0:1.7.5-20.29.1(aarch64|ppc64le|s390x|x86_64)0:1.3.16-239.4.1(s390x|x86_64)0:1.3.16-239.4.1(aarch64|ppc64le|s390x|x86_64)0:2.28.1-2.50.3(aarch64|ppc64le|s390x|x86_64)0:2.5.5-6.6.1(aarch64|ppc64le|s390x|x86_64)0:12.2.12+git.1587570958.35d78d0243-2.45.1(aarch64|ppc64le|s390x|x86_64)0:0.9.9-17.19.1(aarch64|ppc64le|s390x|x86_64)0:52.1-8.10.1(s390x|x86_64)0:52.1-8.10.1(aarch64|ppc64le|s390x|x86_64)0:2.4.41-18.68.1(s390x|x86_64)0:2.4.41-18.68.1(aarch64|ppc64le|s390x|x86_64)0:1.2-18.68.1(aarch64|ppc64le|s390x|x86_64)0:2.28.2-2.53.2(aarch64|ppc64le|s390x|x86_64)0:9.52-23.34.1(aarch64|ppc64le|s390x|x86_64)0:0.2.7-12.10.1(aarch64|ppc64le|s390x|x86_64)0:68.8.0-109.119.1(aarch64|ppc64le|s390x|x86_64)0:3.5.21-26.23.1(aarch64|ppc64le|s390x|x86_64)0:2.4.23-29.54.1(aarch64|ppc64le|s390x|x86_64)0:4.4.180-94.116.1(ppc64le|x86_64)0:4.4.180-94.116.1(s390x)0:4.4.180-94.116.1(aarch64|ppc64le|s390x|x86_64)0:5.1.2-26.12.1(aarch64|ppc64le|s390x|x86_64)0:2.26.2-27.36.1(ppc64le|s390x|x86_64)0:2.1.17-3.20.14.4.180-94.113-default4.4.180-94.107-default(ppc64le|x86_64)0:9-2.1(aarch64|ppc64le|s390x|x86_64)0:2.7.17-28.42.1(s390x|x86_64)0:2.7.17-28.42.1(aarch64|ppc64le|s390x|x86_64)0:1.0.3-3.3.1(aarch64|ppc64le|s390x|x86_64)0:0.6.22-8.9.1(s390x|x86_64)0:0.6.22-8.9.1(aarch64|ppc64le|s390x|x86_64)0:2.9.1-6.44.1(aarch64)0:2.9.1-6.44.1(aarch64|x86_64)0:2.9.1-6.44.1(s390x|x86_64)0:2.9.1-6.44.1(ppc64le)0:2.9.1-6.44.1(s390x)0:2.9.1-6.44.1(aarch64|ppc64le|s390x|x86_64)0:7.4.326-17.6.1(aarch64|ppc64le|s390x|x86_64)0:68.9.0-109.123.1(aarch64|ppc64le|s390x|x86_64)0:2.1.9-19.3.2(aarch64|ppc64le|s390x|x86_64)0:1.7.0.261-43.38.8(aarch64|ppc64le|s390x|x86_64)0:1.6.0-18.28.1(aarch64|ppc64le|s390x|x86_64)0:4.4.180-94.121.1(ppc64le|x86_64)0:4.4.180-94.121.1(s390x)0:4.4.180-94.121.1(aarch64|ppc64le|s390x|x86_64)0:0.5.0-12.3.1(aarch64|ppc64le|s390x|x86_64)0:1.4-103.3.1(aarch64|ppc64le|s390x|x86_64)0:5.18.2-12.23.1(s390x|x86_64)0:5.18.2-12.23.1(ppc64le|s390x|x86_64)0:1.7.1_sr4.65-38.53.1(ppc64le|s390x|x86_64)0:1.8.0_sr6.10-30.69.1(aarch64|ppc64le|s390x|x86_64)0:1.8.0.252-27.45.6(aarch64|ppc64le|s390x|x86_64)0:4.4.180-94.124.1(ppc64le|x86_64)0:4.4.180-94.124.1(s390x)0:4.4.180-94.124.1(aarch64|ppc64le|s390x|x86_64)0:7.37.0-37.47.1(s390x|x86_64)0:7.37.0-37.47.1(aarch64|ppc64le|s390x|x86_64)0:12.2.13+git.1592168685.85110a3e9d-2.50.14.4.180-94.116-default(aarch64|ppc64le|s390x|x86_64)0:1.10.1-55.11.1(aarch64|i586|ppc64le|s390|s390x|x86_64)0:3.5.21-26.26.1(aarch64|ppc64le|s390x|x86_64)0:4.2.8p15-88.1(aarch64|ppc64le|s390x|x86_64)0:3.53.1-58.48.1(s390x|x86_64)0:3.53.1-58.48.1(aarch64|ppc64le|s390x|x86_64)0:4.25-19.15.1(s390x|x86_64)0:4.25-19.15.1(aarch64|ppc64le|s390x|x86_64)0:2.4.41-18.71.2(s390x|x86_64)0:2.4.41-18.71.2(aarch64|ppc64le|s390x|x86_64)0:1.2-18.71.2(aarch64|ppc64le|s390x|x86_64)0:78.0.1-112.3.1(aarch64|ppc64le|s390x|x86_64)0:78-35.3.1(aarch64|ppc64le|s390x|x86_64)0:9.9.9P1-63.17.1(s390x|x86_64)0:9.9.9P1-63.17.1(aarch64|ppc64le|s390x|x86_64)0:3.5.21-26.29.1(aarch64|ppc64le|s390x|x86_64)0:0.18.1-1.6.2(aarch64|ppc64le|s390x|x86_64)0:0.9.0~git.1456906198.f422461-21.27.1(ppc64le|s390x|x86_64)0:2.1.17-3.23.1(aarch64|ppc64le|s390x|x86_64)0:4.6.16+git.186.c6d77b0d5a6-3.52.1(s390x|x86_64)0:4.6.16+git.186.c6d77b0d5a6-3.52.1(aarch64|ppc64le|s390x|x86_64)0:2.28.3-2.56.1(aarch64|ppc64le|s390x|x86_64)0:2.02-4.53.1(aarch64)0:2.02-4.53.1(ppc64le)0:2.02-4.53.1(s390x)0:2.02-4.53.1(aarch64|ppc64le|s390x|x86_64)0:9.52-23.39.1(aarch64|ppc64le|s390x|x86_64)0:78.1.0-112.8.1(aarch64|ppc64le|s390x|x86_64)0:1.6.2-12.8.1(s390x|x86_64)0:1.6.2-12.8.1(aarch64|ppc64le|s390x|x86_64)0:1.10-4.5.1(s390x|x86_64)0:1.10-4.5.1(aarch64|ppc64le|s390x|x86_64)0:4.4.180-94.127.1(ppc64le|x86_64)0:4.4.180-94.127.1(s390x)0:4.4.180-94.127.1(aarch64|ppc64le|s390x|x86_64)0:0.9.9-17.31.1(aarch64|ppc64le|x86_64)0:16.11.9-8.15.13(aarch64)0:16.11.9-8.15.10(aarch64)0:16.11.9_k4.4.180_94.127-8.15.10(aarch64|ppc64le|s390x|x86_64)0:1.6.2-12.12.1(s390x|x86_64)0:1.6.2-12.12.1(aarch64|ppc64le|s390x|x86_64)0:3.1.1-13.3.6(s390x|x86_64)0:3.1.1-13.3.6(aarch64|ppc64le|s390x|x86_64)0:2.28.4-2.59.1(aarch64|ppc64le|s390x|x86_64)0:2.2.31-19.22.1(aarch64|ppc64le|s390x|x86_64)0:2.02-4.61.1(aarch64)0:2.02-4.61.1(ppc64le)0:2.02-4.61.1(s390x)0:2.02-4.61.1(aarch64|ppc64le|s390x|x86_64)0:4.6.16+git.174.c2fd2e28c84-3.49.1(s390x|x86_64)0:4.6.16+git.174.c2fd2e28c84-3.49.1(aarch64|ppc64le|s390x|x86_64)0:7.6_1.18.3-76.26.1(ppc64le|s390x|x86_64)0:1.8.0_sr6.0-30.60.1(aarch64|ppc64le|s390x|x86_64)0:7.6_1.18.3-76.29.1(aarch64|ppc64le|s390x|x86_64)0:2.4.23-29.63.1(ppc64le|s390x|x86_64)0:1.8.0_sr6.15-30.72.1(aarch64|ppc64le|s390x|x86_64)0:3.5.21-26.32.1(aarch64|ppc64le|s390x|x86_64)0:1.6.2-12.15.1(s390x|x86_64)0:1.6.2-12.15.1(ppc64le|s390x|x86_64)0:1.7.1_sr4.70-38.56.1(ppc64le|x86_64)0:9-2.2(ppc64le|x86_64)0:7-2.2(ppc64le|x86_64)0:6-2.2(ppc64le|x86_64)0:3-2.24.4.180-94.121-default(ppc64le|x86_64)0:2-2.24.4.180-94.124-default4.4.180-94.127-default(aarch64|ppc64le|s390x|x86_64)0:78.2.0-112.19.2(aarch64|ppc64le|s390x|x86_64)0:4.4.180-94.130.1(ppc64le|x86_64)0:4.4.180-94.130.1(s390x)0:4.4.180-94.130.1(aarch64|ppc64le|s390x|x86_64)0:1.8.0.242-27.41.1(aarch64|ppc64le|s390x|x86_64)0:0.6.36-2.30.1(aarch64|ppc64le|s390x|x86_64)0:1.628-5.3.1(aarch64|ppc64le|s390x|x86_64)0:3.4.10-25.52.1(aarch64|ppc64le|s390x|x86_64)0:4.6.16+git.237.40a3f495f75-3.55.1(s390x|x86_64)0:4.6.16+git.237.40a3f495f75-3.55.1(aarch64|ppc64le|s390x|x86_64)0:5.6.2-6.25.1(aarch64|ppc64le|s390x|x86_64)0:78.3.0-112.22.1(aarch64|ppc64le|s390x|x86_64)0:1.628-5.6.1(aarch64|ppc64le|s390x|x86_64)0:1.7.0.271-43.41.1(aarch64|ppc64le|s390x|x86_64)0:1.6.0-27.1(aarch64|ppc64le|s390x|x86_64)0:0.4.13-18.3.1(s390x|x86_64)0:0.4.13-18.3.1(aarch64|ppc64le|s390x|x86_64)0:2.6.3-7.18.1(s390x|x86_64)0:2.6.3-7.18.1(aarch64|ppc64le|s390x|x86_64)0:2.22-113.4(s390x|x86_64)0:2.22-113.4(aarch64|ppc64le|s390x|x86_64)0:78.4.0-112.28.1(aarch64|ppc64le|s390x|x86_64)0:0.12.8-15.1(aarch64|ppc64le|s390x|x86_64)0:0.33-3.9.1(aarch64|ppc64le|s390x|x86_64)0:4.6.16+git.248.c833312e640-3.58.1(s390x|x86_64)0:4.6.16+git.248.c833312e640-3.58.1(aarch64|ppc64le|s390x|x86_64)0:3.3.0-5.46.1(aarch64|x86_64)0:3.3.0-5.46.1(aarch64|ppc64le|s390x|x86_64)0:1.0.31-4.3.1(aarch64|ppc64le|s390x|x86_64)0:5.6.2-6.22.1(aarch64|ppc64le|s390x|x86_64)0:1.8.0.272-27.48.1(ppc64le|x86_64)0:4-2.24.4.180-94.130-default(ppc64le|x86_64)0:8-2.2(aarch64|ppc64le|s390x|x86_64)0:10.2.1+git583-1.3.5(s390x|x86_64)0:10.2.1+git583-1.3.5(aarch64|ppc64le|x86_64)0:10.2.1+git583-1.3.5(ppc64le|x86_64)0:10.2.1+git583-1.3.5(aarch64|ppc64le|s390x|x86_64)0:228-150.82.1(s390x|x86_64)0:228-150.82.1(aarch64|ppc64le|s390x|x86_64)0:1.7.0.281-43.44.2(aarch64|ppc64le|s390x|x86_64)0:2.4.41-18.77.1(s390x|x86_64)0:2.4.41-18.77.1(aarch64|ppc64le|s390x|x86_64)0:1.2-18.77.1(aarch64|ppc64le|s390x|x86_64)0:78.4.1-112.32.1(aarch64|ppc64le|s390x|x86_64)0:12.4-3.5.1(s390x|x86_64)0:12.4-3.5.1(aarch64|ppc64le|s390x|x86_64)0:10.14-4.4.1(aarch64|ppc64le|s390x|x86_64)0:9.6.19-6.4.1(aarch64|ppc64le|s390x|x86_64)0:2.0.15-5.3.1(aarch64|ppc64le|s390x|x86_64)0:1.12.5-40.40.2(s390x|x86_64)0:1.12.5-40.40.2(ppc64le|x86_64)0:5-2.2(aarch64|ppc64le|s390x|x86_64)0:10.15-4.9.1(aarch64)0:2016.07-12.3.1(aarch64|ppc64le|s390x|x86_64)0:9.6.20-6.8.1(aarch64|ppc64le|s390x|x86_64)0:4.4.180-94.135.1(ppc64le|x86_64)0:4.4.180-94.135.1(s390x)0:4.4.180-94.135.1(aarch64|ppc64le|s390x|x86_64)0:5.13-5.23.1(aarch64|ppc64le|s390x|x86_64)0:78.5.0-112.36.1(aarch64|ppc64le|s390x|x86_64)0:0.9.9-17.34.1(aarch64|ppc64le|s390x|x86_64)0:7.6_1.18.3-76.37.1(aarch64|ppc64le|s390x|x86_64)0:3.4.10-25.58.1(aarch64|ppc64le|s390x|x86_64)0:3.10.0.1-54.17.2(aarch64|ppc64le|s390x|x86_64)0:2.1.4-7.31.1(aarch64|ppc64le|s390x|x86_64)0:12.5-3.9.3(s390x|x86_64)0:12.5-3.9.3(aarch64|ppc64le|s390x|x86_64)0:1.10.1-55.18.14.4.180-94.135-default(aarch64|ppc64le|s390x|x86_64)0:1.8.22-29.17.12(aarch64|ppc64le|s390x|x86_64)0:1.8.22-29.17.7(s390x|x86_64)0:1.8.22-29.17.7(aarch64|ppc64le|s390x|x86_64)0:1.0.2j-60.63.1(s390x|x86_64)0:1.0.2j-60.63.1(aarch64|ppc64le|s390x|x86_64)0:2.7.17-28.59.1(s390x|x86_64)0:2.7.17-28.59.1(aarch64|ppc64le|s390x|x86_64)0:68.5.0-109.106.1(aarch64|ppc64le|s390x|x86_64)0:78.6.0-112.39.1(aarch64|ppc64le|s390x|x86_64)0:0.103.0-33.32.1(aarch64|ppc64le|s390x|x86_64)0:2.1.26-8.13.1(s390x|x86_64)0:2.1.26-8.13.1(aarch64|ppc64le|s390x|x86_64)0:9.2.1+r275327-1.3.9(s390x|x86_64)0:9.2.1+r275327-1.3.9(aarch64|ppc64le|x86_64)0:9.2.1+r275327-1.3.9(ppc64le|x86_64)0:9.2.1+r275327-1.3.9(aarch64|ppc64le|s390x|x86_64)0:1.8.20p2-3.17.1(ppc64le|s390x|x86_64)0:1.7.1_sr4.60-38.47.1(aarch64|ppc64le|s390x|x86_64)0:0.6.21-8.6.1(s390x|x86_64)0:0.6.21-8.6.1(aarch64|ppc64le|s390x|x86_64)0:1.0.2j-60.60.1(s390x|x86_64)0:1.0.2j-60.60.1(aarch64|ppc64le|s390x|x86_64)0:2.4.7-4.3.1(aarch64|ppc64le|s390x|x86_64)0:3.4.10-25.39.2(aarch64|ppc64le|s390x|x86_64)0:3.4.10-25.39.3(aarch64|ppc64le|s390x|x86_64)0:10.0.40.2-29.35.1(s390x|x86_64)0:10.0.40.2-29.35.1(ppc64le|s390x|x86_64)0:1.7.1_sr4.55-38.44.1(ppc64le|s390x|x86_64)0:1.8.0_sr6.5-30.63.1(aarch64|ppc64le|s390x|x86_64)0:2015.09.28.1626-17.27.1(aarch64|ppc64le|s390x|x86_64)0:5.1.2-26.9.4(aarch64|ppc64le|s390x|x86_64)0:1.6.8-15.5.2(s390x|x86_64)0:1.6.8-15.5.2(aarch64|ppc64le|s390x|x86_64)0:9.6.17-3.33.1(aarch64|ppc64le|s390x|x86_64)0:1.7.0.251-43.35.1(aarch64|ppc64le|s390x|x86_64)0:1.8.18-5.9.1(aarch64|ppc64le|s390x|x86_64)0:3.5.21-26.20.1(aarch64|ppc64le|s390x|x86_64)0:68.4.1-109.101.1(aarch64|ppc64le|s390x|x86_64)0:10.12-1.18.1(s390x|x86_64)0:10.12-1.18.1(aarch64|ppc64le|s390x|x86_64)0:68.6.0-109.110.1(aarch64|ppc64le|s390x|x86_64)0:16.21.2-2.45.1(aarch64|ppc64le|s390x|x86_64)0:1.11.2-5.11.1(aarch64|ppc64le|s390x|x86_64)0:2.1.4-7.28.2(aarch64|ppc64le|s390x|x86_64)0:0.7.5-6.3.2(aarch64|ppc64le|s390x|x86_64)0:3.4.2-44.8.1(aarch64|ppc64le|s390x|x86_64)0:3.4.10-25.45.1(aarch64|ppc64le|s390x|x86_64)0:3.47.1-58.34.1(s390x|x86_64)0:3.47.1-58.34.1(aarch64|ppc64le|s390x|x86_64)0:4.23-19.12.1(s390x|x86_64)0:4.23-19.12.1(aarch64|ppc64le|s390x|x86_64)0:1.1.28-17.9.1(s390x|x86_64)0:1.1.28-17.9.1(aarch64|ppc64le|s390x|x86_64)0:68.6.1-109.113.1(aarch64|ppc64le|s390x|x86_64)0:68.7.0-109.116.1(aarch64|ppc64le|s390x|x86_64)0:2.26.0-27.27.1(aarch64|ppc64le|s390x|x86_64)0:10.34-1.3.14.4.180-94.138-default4.4.180-94.141-default(aarch64|ppc64le|s390x|x86_64)0:3.4.5-44.13.1(aarch64|ppc64le|s390x|x86_64)0:7.6_1.18.3-76.40.1(aarch64|ppc64le|s390x|x86_64)0:0.103.2-33.35.1(aarch64|ppc64le|s390x|x86_64)0:2.9.1-6.47.1(aarch64)0:2.9.1-6.47.1(aarch64|x86_64)0:2.9.1-6.47.1(s390x|x86_64)0:2.9.1-6.47.1(ppc64le)0:2.9.1-6.47.1(s390x)0:2.9.1-6.47.1(aarch64|ppc64le|s390x|x86_64)0:1.8.20p2-3.23.1(aarch64|ppc64le|s390x|x86_64)0:78.10.0-112.57.2(ppc64le|x86_64)0:10-2.2(aarch64|ppc64le|s390x|x86_64)0:2.7.1-13.3.1(s390x|x86_64)0:2.7.1-13.3.1(aarch64|ppc64le|s390x|x86_64)0:3.10.0.1-54.20.1(aarch64|ppc64le|s390x|x86_64)0:1.7.0.291-43.47.3(aarch64|ppc64le|s390x|x86_64)0:1.7.5-20.36.1(s390x|x86_64)0:1.7.5-20.36.1(aarch64|ppc64le|s390x|x86_64)0:9.9.9P1-63.25.1(s390x|x86_64)0:9.9.9P1-63.25.1(aarch64|ppc64le|s390x|x86_64)0:4.6.16+git.282.cfafed5922a-3.61.1(s390x|x86_64)0:4.6.16+git.282.cfafed5922a-3.61.1(aarch64|ppc64le|s390x|x86_64)0:0.6.32-32.15.1(s390x|x86_64)0:0.6.32-32.15.1(aarch64|ppc64le|s390x|x86_64)0:3.4.10-25.71.1(aarch64|ppc64le|s390x|x86_64)0:4.4.180-94.144.1(ppc64le|x86_64)0:4.4.180-94.144.1(s390x)0:4.4.180-94.144.1(aarch64|ppc64le|s390x|x86_64)0:3.5.25.3-5.9.1(aarch64|ppc64le|s390x|x86_64)0:2.28.0-29.6.1(aarch64|ppc64le|s390x|x86_64)0:2.9.4-46.43.1(s390x|x86_64)0:2.9.4-46.43.1(aarch64|ppc64le|s390x|x86_64)0:2.78-18.15.1(aarch64|ppc64le|s390x|x86_64)0:1.3.0-12.3.1(s390x|x86_64)0:1.3.0-12.3.1(aarch64|ppc64le|s390x|x86_64)0:2.2.31-19.25.1(aarch64|ppc64le|s390x|x86_64)0:3.5.25.3-5.12.1(aarch64|ppc64le|s390x|x86_64)0:4.3.3-10.22.1(aarch64|ppc64le|s390x|x86_64)0:0.4.3-4.7.1(s390x|x86_64)0:0.4.3-4.7.1(aarch64|ppc64le|s390x|x86_64)0:0.113-5.21.1(aarch64|ppc64le|s390x|x86_64)0:1.8.3-18.3.5(aarch64|ppc64le|s390x|x86_64)0:78.11.0-112.62.1(aarch64|ppc64le|s390x|x86_64)0:1.6.2-12.21.1(s390x|x86_64)0:1.6.2-12.21.1(aarch64|ppc64le|s390x|x86_64)0:2.9.1-6.50.1(aarch64)0:2.9.1-6.50.1(aarch64|x86_64)0:2.9.1-6.50.1(s390x|x86_64)0:2.9.1-6.50.1(ppc64le)0:2.9.1-6.50.1(s390x)0:2.9.1-6.50.1(ppc64le|s390x|x86_64)0:1.7.1_sr4.75-38.59.1(aarch64|ppc64le|s390x|x86_64)0:0.12.8-18.1(aarch64|ppc64le|s390x|x86_64)0:0.4.21-8.3.1(aarch64|ppc64le|s390x|x86_64)0:3.0.15-2.20.1(aarch64|ppc64le|s390x|x86_64)0:1.8.0.292-27.60.1(aarch64|ppc64le|s390x|x86_64)0:6.8.8.1-71.154.1(aarch64|ppc64le|s390x|x86_64)0:2.32.1-2.63.3(aarch64|ppc64le|s390x|x86_64)0:2.4.23-29.74.1(aarch64|ppc64le|s390x|x86_64)0:308-5.3.14.4.180-94.144-default(ppc64le|x86_64)0:11-2.2(ppc64le|x86_64)0:11-2.3(aarch64|x86_64)0:2017+git1492060560.b6d11d7c46-4.44.1(aarch64|ppc64le|s390x|x86_64)0:2.7.1-13.6.1(s390x|x86_64)0:2.7.1-13.6.1(aarch64|ppc64le|s390x|x86_64)0:1.6.1-16.77.1(s390x|x86_64)0:1.6.1-16.77.1(aarch64|ppc64le|s390x|x86_64)0:2.1.0-6.34.1(aarch64|ppc64le|s390x|x86_64)0:13.1-3.3.1(s390x|x86_64)0:13.1-3.3.1(aarch64|ppc64le|s390x|x86_64)0:2.1a15-159.9.1(aarch64|ppc64le|s390x|x86_64)0:0.6.37-2.33.1(aarch64|ppc64le|s390x|x86_64)0:16.21.4-2.51.1(aarch64|ppc64le|s390x|x86_64)0:7.2p2-74.57.1(aarch64|ppc64le|s390x|x86_64)0:1.8.20p2-3.20.1(aarch64|ppc64le|s390x|x86_64)0:78.12.0-112.65.1(aarch64|ppc64le|s390x|x86_64)0:78.7.0-112.45.1(aarch64|ppc64le|s390x|x86_64)0:228-150.98.1(s390x|x86_64)0:228-150.98.1(ppc64le|x86_64)0:12-2.2(aarch64|ppc64le|s390x|x86_64)0:1.4-15.3.1(aarch64|ppc64le|s390x|x86_64)0:4.4.180-94.147.1(ppc64le|x86_64)0:4.4.180-94.147.1(s390x)0:4.4.180-94.147.1(ppc64le|x86_64)0:13-2.2(aarch64|ppc64le|s390x|x86_64)0:2.9.1-6.53.1(aarch64)0:2.9.1-6.53.1(aarch64|x86_64)0:2.9.1-6.53.1(s390x|x86_64)0:2.9.1-6.53.1(ppc64le)0:2.9.1-6.53.1(s390x)0:2.9.1-6.53.1(aarch64|ppc64le|s390x|x86_64)0:1.8.22-29.21.1(s390x|x86_64)0:1.8.22-29.21.1(aarch64|ppc64le|s390x|x86_64)0:2.32.3-2.66.1(aarch64|ppc64le|s390x|x86_64)0:1.0.25-36.23.1(s390x|x86_64)0:1.0.25-36.23.1(aarch64|ppc64le|s390x|x86_64)0:3.5.25.3-5.19.2(aarch64|ppc64le|s390x|x86_64)0:2.11-36.9.1(aarch64|ppc64le|s390x|x86_64)0:1.9.1-9.7.1(aarch64|ppc64le|s390x|x86_64)0:78.13.0-112.68.1(aarch64|ppc64le|s390x|x86_64)0:6.3.26-13.12.1(aarch64|ppc64le|s390x|x86_64)0:2.11-36.12.1(aarch64|ppc64le|s390x|x86_64)0:1.8.0.302-27.63.2(aarch64|ppc64le|s390x|x86_64)0:2.11-36.15.1(aarch64|ppc64le|s390x|x86_64)0:5.3.1-28.6.1(aarch64|ppc64le|s390x|x86_64)0:1.0.2j-60.69.3(s390x|x86_64)0:1.0.2j-60.69.3(aarch64|ppc64le|s390x|x86_64)0:5.6.1-4.5.1(aarch64|ppc64le|s390x|x86_64)0:2.7.12-3.36.1(ppc64le|x86_64)0:14-2.24.4.180-94.147-default(aarch64|ppc64le|s390x|x86_64)0:0.60.6.1-18.11.1(s390x|x86_64)0:0.60.6.1-18.11.1(aarch64|ppc64le|s390x|x86_64)0:9.9.9P1-63.28.1(s390x|x86_64)0:9.9.9P1-63.28.1(aarch64|ppc64le|s390x|x86_64)0:2.1.0-6.37.1(aarch64|ppc64le|s390x|x86_64)0:1.0.6-17.3.1(aarch64|ppc64le|s390x|x86_64)0:5.22-10.21.1(s390x|x86_64)0:5.22-10.21.1(aarch64|ppc64le|s390x|x86_64)0:3.68-58.54.1(s390x|x86_64)0:3.68-58.54.1(aarch64|ppc64le|s390x|x86_64)0:4.32-19.18.1(s390x|x86_64)0:4.32-19.18.1(aarch64|ppc64le|s390x|x86_64)0:3.2.8a-2.17.1(aarch64|ppc64le|s390x|x86_64)0:0.6.0-11.3.1(aarch64|ppc64le|s390x|x86_64)0:1.0.2j-60.72.2(s390x|x86_64)0:1.0.2j-60.72.2(aarch64|ppc64le|s390x|x86_64)0:9.52-23.42.1(aarch64|ppc64le|s390x|x86_64)0:0.2.7-12.12.1(aarch64|ppc64le|s390x|x86_64)0:91.1.0-112.71.1(aarch64|ppc64le|s390x|x86_64)0:91-35.6.6(ppc64le|x86_64)0:12-2.3(ppc64le|s390x|x86_64)0:1.8.0_sr6.20-30.78.1(ppc64le|x86_64)0:14-2.3(aarch64|ppc64le|s390x|x86_64)0:3.36.0-9.18.1(s390x|x86_64)0:3.36.0-9.18.1(aarch64|ppc64le|s390x|x86_64)0:2.22-116.1(s390x|x86_64)0:2.22-116.1(aarch64|ppc64le|s390x|x86_64)0:2.32.4-2.71.2(aarch64|ppc64le|s390x|x86_64)0:2.4.23-29.80.1(aarch64|ppc64le|s390x|x86_64)0:3.4.10-25.63.2(aarch64|ppc64le|s390x|x86_64)0:3.4.10-25.63.1(aarch64|ppc64le|s390x|x86_64)0:91.2.0-112.74.1(aarch64|ppc64le|s390x|x86_64)0:2.29.2-3.24.1(s390x|x86_64)0:2.29.2-3.24.1(aarch64|ppc64le|s390x|x86_64)0:5.1.3-26.16.1(aarch64|ppc64le|s390x|x86_64)0:10.18-4.19.6(aarch64|ppc64le|s390x|x86_64)0:0.13.0-3.19.1(aarch64|ppc64le|s390x|x86_64)0:3.2.8b-2.20.1(aarch64|ppc64le|s390x|x86_64)0:2.37-9.39.1(aarch64|ppc64le|s390x|x86_64)0:2.37-9.44.1(aarch64|ppc64le|s390x|x86_64)0:8.45-8.7.1(s390x|x86_64)0:8.45-8.7.1(aarch64|ppc64le|s390x|x86_64)0:2.9.1-43.62.1(aarch64)0:2.9.1-43.62.1(aarch64|x86_64)0:2.9.1-43.62.1(s390x|x86_64)0:2.9.1-43.62.1(ppc64le)0:2.9.1-43.62.1(s390x)0:2.9.1-43.62.1(aarch64|ppc64le|s390x|x86_64)0:91.3.0-112.80.2(aarch64|ppc64le|s390x|x86_64)0:4.6.16+git.307.b3899d08cc6-3.64.2(s390x|x86_64)0:4.6.16+git.307.b3899d08cc6-3.64.2(aarch64|ppc64le|s390x|x86_64)0:14.1-3.3.1(s390x|x86_64)0:14.1-3.3.1(aarch64|ppc64le|s390x|x86_64)0:9.6.24-6.18.2(aarch64|ppc64le|s390x|x86_64)0:10.19-4.22.1(aarch64|ppc64le|s390x|x86_64)0:2.32.4-2.74.5(aarch64|ppc64le|s390x|x86_64)0:1.8.0.312-27.66.1(aarch64|ppc64le|s390x|x86_64)0:1.7.0.321-43.53.2(aarch64|ppc64le|s390x|x86_64)0:2.1.9-19.6.1(aarch64|ppc64le|s390x|x86_64)0:0.103.4-33.41.1(aarch64|ppc64le|s390x|x86_64)0:2.34.1-2.77.1(aarch64|ppc64le|s390x|x86_64)0:4.4.180-94.150.1(ppc64le|x86_64)0:4.4.180-94.150.1(s390x)0:4.4.180-94.150.1(aarch64|ppc64le|s390x|x86_64)0:3.68.1-58.57.1(s390x|x86_64)0:3.68.1-58.57.1(aarch64|ppc64le|s390x|x86_64)0:7.2p2-74.60.1(aarch64|ppc64le|s390x|x86_64)0:91.4.0-112.83.1(aarch64|ppc64le|s390x|x86_64)0:2.48.2-6.3.14.4.180-94.150-default(aarch64|ppc64le|s390x|x86_64)0:7.6_1.18.3-76.43.1(aarch64|ppc64le|s390x|x86_64)0:7.6_1.18.3-76.46.1(aarch64|ppc64le|s390x|x86_64)0:4.6.16+git.313.502515a5bfc-3.67.2(s390x|x86_64)0:4.6.16+git.313.502515a5bfc-3.67.2(aarch64|ppc64le|s390x|x86_64)0:4.1-5.9.1(aarch64|ppc64le|s390x|x86_64)0:2.7.17-28.64.1(s390x|x86_64)0:2.7.17-28.64.1(aarch64|ppc64le|s390x|x86_64)0:2.7.12-3.39.1(aarch64|ppc64le|s390x|x86_64)0:4.4.180-94.138.1(ppc64le|x86_64)0:4.4.180-94.138.1(s390x)0:4.4.180-94.138.1(aarch64|ppc64le|s390x|x86_64)0:2.6-15.13.1(aarch64|ppc64le|s390x|x86_64)0:1.900.14-195.25.1(s390x|x86_64)0:1.900.14-195.25.1(aarch64|ppc64le|s390x|x86_64)0:4.0.4-23.6.1(aarch64|ppc64le|s390x|x86_64)0:9.9.9P1-63.20.1(s390x|x86_64)0:9.9.9P1-63.20.1(ppc64le|s390x|x86_64)0:1.7.1_sr4.80-38.62.1(aarch64|ppc64le|s390x|x86_64)0:1.0.3-3.6.1(aarch64|ppc64le|s390x|x86_64)0:1.8.0.282-27.56.2(ppc64le|s390x|x86_64)0:1.8.0_sr6.25-30.81.1(aarch64|ppc64le|s390x|x86_64)0:78.8.0-112.51.1(aarch64|ppc64le|s390x|x86_64)0:2.1.4-7.34.1(aarch64|ppc64le|s390x|x86_64)0:2.02-4.69.1(aarch64)0:2.02-4.69.1(ppc64le)0:2.02-4.69.1(s390x)0:2.02-4.69.1(aarch64|ppc64le|s390x|x86_64)0:2.4.41-18.83.1(s390x|x86_64)0:2.4.41-18.83.1(aarch64|ppc64le|s390x|x86_64)0:1.2-18.83.1(aarch64|ppc64le|s390x|x86_64)0:4.4.180-94.141.2(ppc64le|x86_64)0:4.4.180-94.141.2(s390x)0:4.4.180-94.141.2(ppc64le|x86_64)0:1-4.3.2(aarch64|ppc64le|s390x|x86_64)0:2.6-15.16.1(aarch64|ppc64le|s390x|x86_64)0:2.26.2-27.43.1(aarch64|ppc64le|s390x|x86_64)0:2.7.18-28.67.1(s390x|x86_64)0:2.7.18-28.67.1(aarch64|ppc64le|s390x|x86_64)0:78.6.1-112.42.1(aarch64|ppc64le|s390x|x86_64)0:2.48.2-12.22.1(s390x|x86_64)0:2.48.2-12.22.1(aarch64|ppc64le|s390x|x86_64)0:4.60.99-5.9.1(aarch64|ppc64le|s390x|x86_64)0:1.39.2-3.5.1(aarch64|ppc64le|s390x|x86_64)0:1.0.2j-60.66.1(s390x|x86_64)0:1.0.2j-60.66.1(aarch64|ppc64le|s390x|x86_64)0:78.9.0-112.54.1(ppc64le|x86_64)0:13-2.14.4.180-94.156-default(aarch64|ppc64le|s390x|x86_64)0:2.3.8-16.29.1(ppc64le|s390x|x86_64)0:1.7.1_sr5.5-38.68.1(ppc64le|s390x|x86_64)0:1.8.0_sr7.5-30.87.14.4.180-94.153-default(aarch64|ppc64le|s390x|x86_64)0:1.2.8-12.6.1(s390x|x86_64)0:1.2.8-12.6.1(ppc64le|s390x|x86_64)0:1.8.0_sr7.0-30.84.1(aarch64|ppc64le|s390x|x86_64)0:3.68.3-58.69.1(s390x|x86_64)0:3.68.3-58.69.1(aarch64|ppc64le|s390x|x86_64)0:91.8.0-112.98.1(aarch64|ppc64le|s390x|x86_64)0:2.22-123.1(s390x|x86_64)0:2.22-123.1(aarch64|ppc64le|s390x|x86_64)0:2.1.0-4.15.1(aarch64|ppc64le|s390x|x86_64)0:91.5.0-112.86.1(aarch64|ppc64le|s390x|x86_64)0:5.0.5-6.7.1(s390x|x86_64)0:5.0.5-6.7.1(aarch64|ppc64le|s390x|x86_64)0:0.6.22-8.13.1(s390x|x86_64)0:0.6.22-8.13.1(aarch64|ppc64le|s390x|x86_64)0:4.4.180-94.161.1(ppc64le|x86_64)0:4.4.180-94.161.1(s390x)0:4.4.180-94.161.1(aarch64|ppc64le|s390x|x86_64)0:1.6-9.6.2(aarch64|ppc64le|s390x|x86_64)0:2.78-18.18.1(aarch64|ppc64le|s390x|x86_64)0:5.3.1-14.7.3(noarch)0:8.0.53-29.54.1(aarch64|ppc64le|s390x|x86_64)0:2.26.2-27.52.1(aarch64|ppc64le|s390x|x86_64)0:2.9.4-46.49.1(s390x|x86_64)0:2.9.4-46.49.1(aarch64|ppc64le|s390x|x86_64)0:1.2.15-15.17.1(s390x|x86_64)0:1.2.15-15.17.1(aarch64|ppc64le|s390x|x86_64)0:2.34.3-2.82.1(aarch64|ppc64le|s390x|x86_64)0:6.9-9.18.1(ppc64le|x86_64)0:11-2.1(ppc64le|x86_64)0:14-2.1(aarch64|ppc64le|s390x|x86_64)0:0.16-20.15.1(aarch64|ppc64le|s390x|x86_64)0:91.9.0-112.104.1(aarch64|ppc64le|s390x|x86_64)0:5.0.5-6.12.2(aarch64|ppc64le|s390x|x86_64)0:9.9.9P1-63.34.1(s390x|x86_64)0:9.9.9P1-63.34.1(ppc64le|x86_64)0:15-2.1(ppc64le|x86_64)0:12-2.14.4.180-94.161-default(aarch64|ppc64le|s390x|x86_64)0:1.42.11-16.9.1(s390x|x86_64)0:1.42.11-16.9.1(ppc64le|s390x|x86_64)0:1.7.1_sr5.0-38.65.1(aarch64|ppc64le|s390x|x86_64)0:2.4.41-18.89.1(s390x|x86_64)0:2.4.41-18.89.1(aarch64|ppc64le|s390x|x86_64)0:1.2-18.89.1(aarch64|ppc64le|s390x|x86_64)0:1.6-9.9.1(aarch64|ppc64le|s390x|x86_64)0:2.36.0-2.96.1(aarch64|ppc64le|s390x|x86_64)0:7.37.0-37.76.1(s390x|x86_64)0:7.37.0-37.76.1(aarch64|ppc64le|s390x|x86_64)0:91.9.0-112.108.4(aarch64|ppc64le|s390x|x86_64)0:2.1.0-21.12.1(s390x|x86_64)0:2.1.0-21.12.1(aarch64|ppc64le|s390x|x86_64)0:10.21-4.28.3(aarch64|ppc64le|s390x|x86_64)0:91.9.1-112.111.1(aarch64|ppc64le|s390x|x86_64)0:2.9.4-46.54.3(s390x|x86_64)0:2.9.4-46.54.3(aarch64|ppc64le|s390x|x86_64)0:10.34-1.7.1(aarch64|ppc64le|s390x|x86_64)0:2.9-15.22.1(aarch64|ppc64le|s390x|x86_64)0:14.3-3.9.3(s390x|x86_64)0:14.3-3.9.3(aarch64|ppc64le|s390x|x86_64)0:6.8.8.1-71.172.1(ppc64le|s390x|x86_64)0:2.1.17-3.26.1(aarch64|ppc64le|s390x|x86_64)0:0.113-5.24.1(aarch64|ppc64le|s390x|x86_64)0:1.2.15-3.6.3(aarch64|ppc64le|s390x|x86_64)0:91.10.0-112.114.1(aarch64|ppc64le|s390x|x86_64)0:5.1.3-26.20.1(aarch64|ppc64le|s390x|x86_64)0:3.68.4-58.72.1(s390x|x86_64)0:3.68.4-58.72.1(aarch64|ppc64le|s390x|x86_64)0:2.02-137.2(aarch64)0:2.02-137.2(ppc64le)0:2.02-137.2(s390x)0:2.02-137.2(aarch64)0:2016.07-12.6.1(aarch64|ppc64le|s390x|x86_64)0:4.4.180-94.164.3(ppc64le|x86_64)0:4.4.180-94.164.3(s390x)0:4.4.180-94.164.3(aarch64|ppc64le|s390x|x86_64)0:4.4.180-94.164.2(aarch64|ppc64le|s390x|x86_64)0:2.36.3-2.99.1(aarch64|ppc64le|s390x|x86_64)0:1.0.2j-60.80.1(s390x|x86_64)0:1.0.2j-60.80.1(aarch64|ppc64le|s390x|x86_64)0:2.4.23-29.91.1(aarch64|ppc64le|s390x|x86_64)0:1.3.0-1.15.3(aarch64|ppc64le|s390x|x86_64)0:3.4.10-25.93.1(aarch64|ppc64le|s390x|x86_64)0:1.0.2j-60.83.1(s390x|x86_64)0:1.0.2j-60.83.1(aarch64|ppc64le|s390x|x86_64)0:2.0.8_k4.4.180_94.164-3.13.1(aarch64|ppc64le|s390x|x86_64)0:2.7.18-28.87.1(s390x|x86_64)0:2.7.18-28.87.1(aarch64|ppc64le|s390x|x86_64)0:12.0.2-10.36.1(aarch64|ppc64le|x86_64)0:16.11.9-8.19.1(aarch64)0:16.11.9-8.19.1(aarch64)0:16.11.9_k4.4.180_94.164-8.19.14.4.180-94.164-default(aarch64|ppc64le|s390x|x86_64)0:91.11.0-112.119.1(aarch64|ppc64le|s390x|x86_64)0:8.24.0-3.58.2(aarch64|ppc64le|s390x|x86_64)0:8.45-8.12.1(s390x|x86_64)0:8.45-8.12.1(aarch64|ppc64le|s390x|x86_64)0:4.6.16+git.320.a2d80a7efef-3.70.1(s390x|x86_64)0:4.6.16+git.320.a2d80a7efef-3.70.1(aarch64|ppc64le|s390x|x86_64)0:5.7.3-6.9.1(s390x|x86_64)0:5.7.3-6.9.1(aarch64|ppc64le|s390x|x86_64)0:1.0.25-36.26.1(s390x|x86_64)0:1.0.25-36.26.1(aarch64|ppc64le|s390x|x86_64)0:0.103.5-33.44.1(aarch64|ppc64le|s390x|x86_64)0:4.4.180-94.153.1(ppc64le|x86_64)0:4.4.180-94.153.1(s390x)0:4.4.180-94.153.1(aarch64|ppc64le|s390x|x86_64)0:3.3.0-5.49.1(aarch64|x86_64)0:3.3.0-5.49.1(aarch64|ppc64le|s390x|x86_64)0:0.5.0-12.9.1(aarch64|ppc64le|s390x|x86_64)0:2.1.0-21.15.1(s390x|x86_64)0:2.1.0-21.15.1(aarch64|ppc64le|s390x|x86_64)0:4.0.9-44.45.1(s390x|x86_64)0:4.0.9-44.45.1(aarch64|ppc64le|s390x|x86_64)0:4.9.2-14.20.1(ppc64le|x86_64)0:15-2.2(aarch64|ppc64le|s390x|x86_64)0:91.6.0-112.89.1(aarch64|ppc64le|s390x|x86_64)0:2.4.23-29.83.1(aarch64|ppc64le|s390x|x86_64)0:2.1.26-8.17.1(s390x|x86_64)0:2.1.26-8.17.1(aarch64|ppc64le|s390x|x86_64)0:2.34.5-2.85.3(aarch64|ppc64le|s390x|x86_64)0:2.1.0-21.18.1(s390x|x86_64)0:2.1.0-21.18.1(aarch64|ppc64le|s390x|x86_64)0:5.0.5-6.19.1(aarch64|ppc64le|s390x|x86_64)0:4.4.180-94.156.1(ppc64le|x86_64)0:4.4.180-94.156.1(s390x)0:4.4.180-94.156.1(aarch64|ppc64le|s390x|x86_64)0:91.6.1-112.92.1(aarch64|ppc64le|s390x|x86_64)0:2.34.6-2.88.1(aarch64|ppc64le|s390x|x86_64)0:0.99.beta18-14.6.1(aarch64|ppc64le|s390x|x86_64)0:91.7.0-112.95.1(aarch64|ppc64le|s390x|x86_64)0:2.1.0-21.22.1(s390x|x86_64)0:2.1.0-21.22.1(aarch64|ppc64le|s390x|x86_64)0:1.0.2j-60.75.1(s390x|x86_64)0:1.0.2j-60.75.1(aarch64|ppc64le|s390x|x86_64)0:1.8.0.322-27.72.2(aarch64|ppc64le|s390x|x86_64)0:2.22-119.1(s390x|x86_64)0:2.22-119.1(aarch64|ppc64le|s390x|x86_64)0:2.4.23-29.88.1(i586|x86_64)0:10.2.1+git583-1.3.5(x86_64)0:7.37.0-37.79.1(x86_64)0:7.6_1.18.3-76.49.1(x86_64)0:3.5.21-26.35.1(x86_64)0:4.4.180-94.167.1(noarch)0:4.4.180-94.167.1(x86_64)0:2.36.4-2.102.1(x86_64)0:0.29.0-23.8.1(x86_64)0:2.0.24-9.11.1(noarch)0:2.0.24-9.11.1(x86_64)0:1.8.0.332-27.75.2(x86_64)0:3.79-58.75.1(x86_64)0:4.34-19.21.1(x86_64)0:1.7.1_sr5.10-38.71.1(x86_64)0:1.8.0_sr7.10-30.90.1(x86_64)0:10.34-1.10.1(x86_64)0:4.9.4_30-3.106.1(x86_64)0:7.1.8-4.17.1(x86_64)0:7.1.8_k4.4.180_94.164-4.17.1(x86_64)0:4.6.16+git.324.6bba9ddab76-3.73.1(noarch)0:4.6.16+git.324.6bba9ddab76-3.73.1(x86_64)0:91.12.0-112.124.1(x86_64)0:2.2.31-19.29.1(x86_64)0:7.1.1-3.8.1(x86_64)0:0.2.0-12.3.1(x86_64)0:0.7.8.2-53.34.1(x86_64)0:2.0.876-53.34.1(x86_64)0:1.8.0.345-27.78.1(x86_64)0:20220809-13.101.1(x86_64)0:4.4.180-94.171.1(noarch)0:4.4.180-94.171.1(x86_64)0:1.2.8-12.9.1(x86_64)0:3.1.0-13.19.1(x86_64)0:2.22-126.1(noarch)0:2.22-126.1(x86_64)0:1.7.1_sr5.15-38.74.1(x86_64)0:1.8.0_sr7.11-30.93.1(x86_64)0:5.13-5.26.1(x86_64)0:0.6.11-12.6.45(x86_64)0:1.8.3-16.6.2(noarch)0:1.8.3-16.6.2(x86_64)0:10.22-4.31.1(noarch)0:10.22-4.31.1(x86_64)0:2.36.5-2.107.2(x86_64)0:10.3.10-3.34.1(x86_64)0:0.12.1-4.3.1(x86_64)0:91.13.0-112.127.4(x86_64)0:5.2.4-9.3.1(x86_64)0:2.36.7-2.110.1(x86_64)0:0.103.7-33.50.1(x86_64)0:1.8.0_sr7.15-30.96.1(x86_64)0:2.1.3-3.8.1(noarch)0:2.1.3-3.8.1(noarch)0:14-4.17.2(x86_64)0:4.4.180-94.174.1(noarch)0:4.4.180-94.174.1(x86_64)0:14.5-3.14.9(x86_64)0:102.2.0-112.130.1(x86_64)0:102-35.9.1(x86_64)0:3.39.3-9.23.1(x86_64)0:102.3.0-112.133.1(x86_64)0:2.1.0-21.25.1(x86_64)0:1.0.3-3.9.1(x86_64)0:2.36.8-2.113.1(x86_64)0:9.9.9P1-63.37.1(noarch)0:9.9.9P1-63.37.1(x86_64)0:3.4.10-25.96.1(x86_64)0:3.5.21-26.38.1(noarch)0:9.4-3.6.3(x86_64)0:4.4.180-94.177.1(noarch)0:4.4.180-94.177.1(x86_64)0:4.0.9-44.56.1(x86_64)0:1.3.0-24.3.1(x86_64)0:0.7.1+125+suse.c18e287-2.23.1(x86_64)0:2.9.4-46.59.2(noarch)0:2.9.4-46.59.2(x86_64)0:2.9.4-46.59.3(x86_64)0:5.13-5.31.1(x86_64)0:102.4.0-112.136.3(x86_64)0:1.2-167.10.1(x86_64)0:1.3.0-1.21.1(x86_64)0:7.37.0-37.85.1(x86_64)0:1.0.1-17.24.1(x86_64)0:2.1.0-4.18.2(x86_64)0:1.8.22-29.24.1(x86_64)0:4.9-3.13.1(x86_64)0:7.6_1.18.3-76.52.1(x86_64)0:2.1.0-21.28.1(x86_64)0:2.7.18-28.90.1(noarch)0:2.7.18-28.90.1(x86_64)0:4.9.4_34-3.114.1(x86_64)0:2.02-142.1(noarch)0:2.02-142.1(noarch)0:8.0.53-29.57.1(x86_64)0:1.8.20p2-3.33.1(x86_64)0:102.5.0-112.139.1(x86_64)0:4.0.9-44.59.1(x86_64)0:0.34.0-8.3.1(x86_64)0:3.4.10-25.102.2(x86_64)0:0.23-12.18.1(x86_64)0:1.35.0-4.3.1(x86_64)0:2.39-9.50.1(x86_64)0:2.38.2-2.120.1(x86_64)0:1.8.0_sr7.20-30.99.1(noarch)0:3.0.10-95.51.1(x86_64)0:24.3-25.9.1(noarch)0:24.3-25.9.1(x86_64)0:1.12.5-40.43.1(x86_64)0:1.8.0.352-27.81.1(x86_64)0:102.6.0-112.142.1(x86_64)0:4.0.12-4.21.1(x86_64)0:7.6_1.18.3-76.57.1(x86_64)0:4.4.180-94.182.1(noarch)0:4.4.180-94.182.1(x86_64)0:9.0.0814-17.9.1(noarch)0:9.0.0814-17.9.1(x86_64)0:2.22-133.1(noarch)0:2.22-133.1(aarch64|x86_64)0:1.4.3-20.9.13(aarch64|x86_64)0:10.9-1.12.1(aarch64|x86_64)0:10.9-1.12.2(aarch64|x86_64)0:2.48.2-12.15.1(aarch64|x86_64)0:60.8.0-109.83.3(aarch64|x86_64)0:3.44.1-58.28.1(aarch64|x86_64)0:2.22-62.22.5(aarch64|x86_64)0:1.0.6-30.8.1(aarch64|x86_64)0:0.113-5.18.1(aarch64|x86_64)0:1.8.0.222-27.35.2(aarch64|x86_64)0:3.4.6-25.29.1(aarch64|x86_64)0:3.20.2-6.27.1(aarch64|x86_64)0:3.5.21-26.17.1(aarch64|x86_64)0:2.7.13-28.31.1(aarch64|x86_64)0:9.6.15-3.29.1(aarch64|x86_64)0:4.4.180-94.103.1(aarch64|x86_64)0:5.18.2-12.20.1(aarch64|x86_64)0:0.6.36-2.27.19.8(aarch64|x86_64)0:16.20.2-27.60.4(aarch64|x86_64)0:1.13.54-18.40.2(aarch64|x86_64)0:7.37.0-37.43.1(aarch64|x86_64)0:2.24.4-2.47.1(aarch64|x86_64)0:1.5.13-15.11.2(aarch64|x86_64)0:1.0.2j-60.55.1(aarch64|x86_64)0:60.9.0-109.86.1(aarch64|x86_64)0:2.2.31-19.17.1(aarch64|x86_64)0:9.27-23.28.1(aarch64|x86_64)0:1.6.1-16.68.1(x86_64)0:8-2.1(x86_64)0:6-2.1(x86_64)0:7-2.1(x86_64)0:4-2.1(x86_64)0:5-2.1(x86_64)0:2-2.1(aarch64|x86_64)0:68.1.0-109.89.1(aarch64|x86_64)0:68-32.8.1(aarch64|x86_64)0:2.32-9.33.1(aarch64|x86_64)0:1.8.20p2-3.14.1(aarch64|x86_64)0:1.8.1-10.3.1(aarch64|x86_64)0:4.9.2-14.14.1(aarch64|x86_64)0:1.3.0-34.22.1(x86_64)0:3-2.1(aarch64|x86_64)0:68.2.0-109.95.2(aarch64|x86_64)0:4.6.16+git.169.064abe062be-3.46.1(aarch64|x86_64)0:8.3.1-2.14.1(aarch64|x86_64)0:1.4.3-20.14.1(aarch64|x86_64)0:2.4.1-11.3.2(aarch64|x86_64)0:4.4.180-94.107.1(aarch64|x86_64)0:1.5.3-31.19.1(aarch64|x86_64)0:62.2.0-31.19.1(aarch64|x86_64)0:8.1.2-31.19.1(aarch64|x86_64)0:9.27-23.31.1(aarch64|x86_64)0:3.8.10.2-9.15.1(aarch64|x86_64)0:1.7.5-20.26.1(aarch64|x86_64)0:0.100.3-33.26.1(aarch64|x86_64)0:1.7.0.241-43.30.1(aarch64|x86_64)0:0.100.3-33.29.1(aarch64|x86_64)0:2015.09.28.1626-17.20.1(x86_64)0:7-2.5(x86_64)0:6-2.5(aarch64|x86_64)0:68.3.0-109.98.1(aarch64|x86_64)0:4.4.180-94.113.1(aarch64|x86_64)0:3.0.15-2.14.1(aarch64|x86_64)0:1.7.5-20.29.1(aarch64|x86_64)0:1.3.16-239.4.1(aarch64|x86_64)0:2.28.1-2.50.3(aarch64|x86_64)0:2.5.5-6.6.1(aarch64|x86_64)0:12.2.12+git.1587570958.35d78d0243-2.45.1(aarch64|x86_64)0:0.9.9-17.19.1(aarch64|x86_64)0:52.1-8.10.1(aarch64|x86_64)0:2.4.41-18.68.1(aarch64|x86_64)0:1.2-18.68.1(aarch64|x86_64)0:2.28.2-2.53.2(aarch64|x86_64)0:9.52-23.34.1(aarch64|x86_64)0:0.2.7-12.10.1(aarch64|x86_64)0:68.8.0-109.119.1(aarch64|x86_64)0:3.5.21-26.23.1(aarch64|x86_64)0:2.4.23-29.54.1(aarch64|x86_64)0:4.4.180-94.116.1(aarch64|x86_64)0:5.1.2-26.12.1(aarch64|x86_64)0:2.26.2-27.36.1(x86_64)0:9-2.1(aarch64|x86_64)0:2.7.17-28.42.1(aarch64|x86_64)0:1.0.3-3.3.1(aarch64|x86_64)0:0.6.22-8.9.1(aarch64|x86_64)0:7.4.326-17.6.1(aarch64|x86_64)0:68.9.0-109.123.1(aarch64|x86_64)0:2.1.9-19.3.2(aarch64|x86_64)0:1.7.0.261-43.38.8(aarch64|x86_64)0:1.6.0-18.28.1(aarch64|x86_64)0:4.4.180-94.121.1(aarch64|x86_64)0:0.5.0-12.3.1(aarch64|x86_64)0:1.4-103.3.1(aarch64|x86_64)0:5.18.2-12.23.1(aarch64|x86_64)0:1.8.0.252-27.45.6(aarch64|x86_64)0:4.4.180-94.124.1(aarch64|x86_64)0:7.37.0-37.47.1(aarch64|x86_64)0:12.2.13+git.1592168685.85110a3e9d-2.50.1(x86_64)0:10-2.1(aarch64|x86_64)0:1.10.1-55.11.1(aarch64|i586|x86_64)0:3.5.21-26.26.1(aarch64|x86_64)0:4.2.8p15-88.1(aarch64|x86_64)0:3.53.1-58.48.1(aarch64|x86_64)0:4.25-19.15.1(aarch64|x86_64)0:2.4.41-18.71.2(aarch64|x86_64)0:1.2-18.71.2(aarch64|x86_64)0:78.0.1-112.3.1(aarch64|x86_64)0:78-35.3.1(aarch64|x86_64)0:3.5.21-26.29.1(aarch64|x86_64)0:0.18.1-1.6.2(aarch64|x86_64)0:0.9.0~git.1456906198.f422461-21.27.1(aarch64|x86_64)0:4.6.16+git.186.c6d77b0d5a6-3.52.1(aarch64|x86_64)0:2.28.3-2.56.1(aarch64|x86_64)0:2.02-4.53.1(aarch64|x86_64)0:9.52-23.39.1(aarch64|x86_64)0:78.1.0-112.8.1(aarch64|x86_64)0:1.6.2-12.8.1(aarch64|x86_64)0:1.10-4.5.1(aarch64|x86_64)0:4.4.180-94.127.1(aarch64|x86_64)0:0.9.9-17.31.1(aarch64|x86_64)0:16.11.9-8.15.13(aarch64|x86_64)0:1.6.2-12.12.1(aarch64|x86_64)0:2.28.4-2.59.1(aarch64|x86_64)0:2.2.31-19.22.1(aarch64|x86_64)0:2.02-4.61.1(aarch64|x86_64)0:4.6.16+git.174.c2fd2e28c84-3.49.1(aarch64|x86_64)0:7.6_1.18.3-76.26.1(aarch64|x86_64)0:7.6_1.18.3-76.29.1(aarch64|x86_64)0:2.4.23-29.63.1(aarch64|x86_64)0:3.5.21-26.32.1(aarch64|x86_64)0:1.6.2-12.15.1(x86_64)0:9-2.2(x86_64)0:7-2.2(x86_64)0:6-2.2(x86_64)0:3-2.2(x86_64)0:2-2.2(aarch64|x86_64)0:78.2.0-112.19.2(aarch64|x86_64)0:4.4.180-94.130.1(aarch64|x86_64)0:1.8.0.242-27.41.1(aarch64|x86_64)0:0.6.36-2.30.1(aarch64|x86_64)0:1.628-5.3.1(aarch64|x86_64)0:3.4.10-25.52.1(aarch64|x86_64)0:4.6.16+git.237.40a3f495f75-3.55.1(aarch64|x86_64)0:5.6.2-6.25.1(aarch64|x86_64)0:78.3.0-112.22.1(aarch64|x86_64)0:1.628-5.6.1(aarch64|x86_64)0:1.7.0.271-43.41.1(aarch64|x86_64)0:1.6.0-27.1(aarch64|x86_64)0:0.4.13-18.3.1(aarch64|x86_64)0:2.6.3-7.18.1(aarch64|x86_64)0:2.22-113.4(aarch64|x86_64)0:78.4.0-112.28.1(aarch64|x86_64)0:0.12.8-15.1(aarch64|x86_64)0:0.33-3.9.1(aarch64|x86_64)0:4.6.16+git.248.c833312e640-3.58.1(aarch64|x86_64)0:1.0.31-4.3.1(aarch64|x86_64)0:1.8.0.272-27.48.1(x86_64)0:4-2.2(x86_64)0:8-2.2(aarch64|x86_64)0:10.2.1+git583-1.3.5(aarch64|x86_64)0:228-150.82.1(aarch64|x86_64)0:1.7.0.281-43.44.2(aarch64|x86_64)0:2.4.41-18.77.1(aarch64|x86_64)0:1.2-18.77.1(aarch64|x86_64)0:78.4.1-112.32.1(aarch64|x86_64)0:12.4-3.5.1(aarch64|x86_64)0:10.14-4.4.1(aarch64|x86_64)0:9.6.19-6.4.1(aarch64|x86_64)0:2.0.15-5.3.1(aarch64|x86_64)0:1.12.5-40.40.2(x86_64)0:5-2.2(aarch64|x86_64)0:10.15-4.9.1(aarch64|x86_64)0:9.6.20-6.8.1(aarch64|x86_64)0:4.4.180-94.135.1(aarch64|x86_64)0:5.13-5.23.1(aarch64|x86_64)0:78.5.0-112.36.1(aarch64|x86_64)0:0.9.9-17.34.1(aarch64|x86_64)0:7.6_1.18.3-76.37.1(aarch64|x86_64)0:3.4.10-25.58.1(aarch64|x86_64)0:3.10.0.1-54.17.2(aarch64|x86_64)0:2.1.4-7.31.1(aarch64|x86_64)0:12.5-3.9.3(aarch64|x86_64)0:1.10.1-55.18.1(aarch64|x86_64)0:1.8.22-29.17.12(aarch64|x86_64)0:1.8.22-29.17.7(aarch64|x86_64)0:1.0.2j-60.63.1(aarch64|x86_64)0:2.7.17-28.59.1(aarch64|x86_64)0:68.5.0-109.106.1(aarch64|x86_64)0:78.6.0-112.39.1(aarch64|x86_64)0:0.103.0-33.32.1(aarch64|x86_64)0:2.1.26-8.13.1(aarch64|x86_64)0:9.2.1+r275327-1.3.9(aarch64|x86_64)0:1.8.20p2-3.17.1(aarch64|x86_64)0:0.6.21-8.6.1(aarch64|x86_64)0:1.0.2j-60.60.1(aarch64|x86_64)0:2.4.7-4.3.1(aarch64|x86_64)0:3.4.10-25.39.2(aarch64|x86_64)0:3.4.10-25.39.3(aarch64|x86_64)0:10.0.40.2-29.35.1(aarch64|x86_64)0:2015.09.28.1626-17.27.1(aarch64|x86_64)0:5.1.2-26.9.4(aarch64|x86_64)0:9.6.17-3.33.1(aarch64|x86_64)0:1.7.0.251-43.35.1(aarch64|x86_64)0:1.8.18-5.9.1(aarch64|x86_64)0:3.5.21-26.20.1(aarch64|x86_64)0:68.4.1-109.101.1(aarch64|x86_64)0:10.12-1.18.1(aarch64|x86_64)0:68.6.0-109.110.1(aarch64|x86_64)0:16.21.2-2.45.1(aarch64|x86_64)0:1.11.2-5.11.1(aarch64|x86_64)0:2.1.4-7.28.2(aarch64|x86_64)0:0.7.5-6.3.2(aarch64|x86_64)0:3.4.2-44.8.1(aarch64|x86_64)0:3.4.10-25.45.1(aarch64|x86_64)0:3.47.1-58.34.1(aarch64|x86_64)0:4.23-19.12.1(aarch64|x86_64)0:1.1.28-17.9.1(aarch64|x86_64)0:68.6.1-109.113.1(aarch64|x86_64)0:68.7.0-109.116.1(aarch64|x86_64)0:2.26.0-27.27.1(aarch64|x86_64)0:10.34-1.3.1(aarch64|x86_64)0:3.4.5-44.13.1(aarch64|x86_64)0:7.6_1.18.3-76.40.1(aarch64|x86_64)0:0.103.2-33.35.1(aarch64|x86_64)0:1.8.20p2-3.23.1(aarch64|x86_64)0:78.10.0-112.57.2(x86_64)0:10-2.2(aarch64|x86_64)0:2.7.1-13.3.1(aarch64|x86_64)0:3.10.0.1-54.20.1(aarch64|x86_64)0:1.7.0.291-43.47.3(aarch64|x86_64)0:1.7.5-20.36.1(aarch64|x86_64)0:9.9.9P1-63.25.1(aarch64|x86_64)0:4.6.16+git.282.cfafed5922a-3.61.1(aarch64|x86_64)0:0.6.32-32.15.1(aarch64|x86_64)0:3.4.10-25.71.1(aarch64|x86_64)0:4.4.180-94.144.1(aarch64|x86_64)0:3.5.25.3-5.9.1(aarch64|x86_64)0:2.28.0-29.6.1(aarch64|x86_64)0:2.9.4-46.43.1(aarch64|x86_64)0:2.78-18.15.1(aarch64|x86_64)0:1.3.0-12.3.1(aarch64|x86_64)0:2.2.31-19.25.1(aarch64|x86_64)0:3.5.25.3-5.12.1(aarch64|x86_64)0:4.3.3-10.22.1(aarch64|x86_64)0:0.4.3-4.7.1(aarch64|x86_64)0:0.113-5.21.1(aarch64|x86_64)0:1.8.3-18.3.5(aarch64|x86_64)0:78.11.0-112.62.1(aarch64|x86_64)0:1.6.2-12.21.1(aarch64|x86_64)0:0.12.8-18.1(aarch64|x86_64)0:0.4.21-8.3.1(aarch64|x86_64)0:3.0.15-2.20.1(aarch64|x86_64)0:1.8.0.292-27.60.1(aarch64|x86_64)0:6.8.8.1-71.154.1(aarch64|x86_64)0:2.32.1-2.63.3(aarch64|x86_64)0:2.4.23-29.74.1(aarch64|x86_64)0:308-5.3.1(x86_64)0:11-2.2(x86_64)0:11-2.3(aarch64|x86_64)0:2.7.1-13.6.1(aarch64|x86_64)0:1.6.1-16.77.1(aarch64|x86_64)0:2.1.0-6.34.1(aarch64|x86_64)0:13.1-3.3.1(aarch64|x86_64)0:2.1a15-159.9.1(aarch64|x86_64)0:0.6.37-2.33.1(aarch64|x86_64)0:16.21.4-2.51.1(aarch64|x86_64)0:7.2p2-74.57.1(aarch64|x86_64)0:1.8.20p2-3.20.1(aarch64|x86_64)0:78.12.0-112.65.1(aarch64|x86_64)0:78.7.0-112.45.1(aarch64|x86_64)0:228-150.98.1(x86_64)0:12-2.2(aarch64|x86_64)0:1.4-15.3.1(aarch64|x86_64)0:4.4.180-94.147.1(x86_64)0:13-2.2(aarch64|x86_64)0:1.8.22-29.21.1(aarch64|x86_64)0:2.32.3-2.66.1(aarch64|x86_64)0:3.5.25.3-5.19.2(aarch64|x86_64)0:2.11-36.9.1(aarch64|x86_64)0:1.9.1-9.7.1(aarch64|x86_64)0:78.13.0-112.68.1(aarch64|x86_64)0:2.11-36.12.1(aarch64|x86_64)0:1.8.0.302-27.63.2(aarch64|x86_64)0:2.11-36.15.1(aarch64|x86_64)0:5.3.1-28.6.1(aarch64|x86_64)0:1.0.2j-60.69.3(aarch64|x86_64)0:2.7.12-3.36.1(x86_64)0:14-2.2(aarch64|x86_64)0:0.60.6.1-18.11.1(aarch64|x86_64)0:9.9.9P1-63.28.1(aarch64|x86_64)0:2.1.0-6.37.1(aarch64|x86_64)0:1.0.6-17.3.1(aarch64|x86_64)0:5.22-10.21.1(aarch64|x86_64)0:3.68-58.54.1(aarch64|x86_64)0:4.32-19.18.1(aarch64|x86_64)0:3.2.8a-2.17.1(aarch64|x86_64)0:0.6.0-11.3.1(aarch64|x86_64)0:1.0.2j-60.72.2(aarch64|x86_64)0:9.52-23.42.1(aarch64|x86_64)0:0.2.7-12.12.1(aarch64|x86_64)0:91.1.0-112.71.1(aarch64|x86_64)0:91-35.6.6(x86_64)0:12-2.3(x86_64)0:14-2.3(aarch64|x86_64)0:3.36.0-9.18.1(aarch64|x86_64)0:2.22-116.1(aarch64|x86_64)0:2.32.4-2.71.2(aarch64|x86_64)0:2.4.23-29.80.1(aarch64|x86_64)0:3.4.10-25.63.2(aarch64|x86_64)0:3.4.10-25.63.1(aarch64|x86_64)0:91.2.0-112.74.1(aarch64|x86_64)0:2.29.2-3.24.1(aarch64|x86_64)0:5.1.3-26.16.1(aarch64|x86_64)0:10.18-4.19.6(aarch64|x86_64)0:0.13.0-3.19.1(aarch64|x86_64)0:3.2.8b-2.20.1(aarch64|x86_64)0:2.37-9.39.1(aarch64|x86_64)0:2.37-9.44.1(aarch64|x86_64)0:8.45-8.7.1(aarch64|x86_64)0:91.3.0-112.80.2(aarch64|x86_64)0:4.6.16+git.307.b3899d08cc6-3.64.2(aarch64|x86_64)0:14.1-3.3.1(aarch64|x86_64)0:9.6.24-6.18.2(aarch64|x86_64)0:10.19-4.22.1(aarch64|x86_64)0:2.32.4-2.74.5(aarch64|x86_64)0:1.8.0.312-27.66.1(aarch64|x86_64)0:1.7.0.321-43.53.2(aarch64|x86_64)0:2.1.9-19.6.1(aarch64|x86_64)0:0.103.4-33.41.1(aarch64|x86_64)0:2.34.1-2.77.1(aarch64|x86_64)0:4.4.180-94.150.1(aarch64|x86_64)0:3.68.1-58.57.1(aarch64|x86_64)0:7.2p2-74.60.1(aarch64|x86_64)0:91.4.0-112.83.1(aarch64|x86_64)0:2.48.2-6.3.1(aarch64|x86_64)0:7.6_1.18.3-76.43.1(aarch64|x86_64)0:7.6_1.18.3-76.46.1(aarch64|x86_64)0:4.6.16+git.313.502515a5bfc-3.67.2(aarch64|x86_64)0:4.1-5.9.1(aarch64|x86_64)0:2.7.17-28.64.1(aarch64|x86_64)0:2.7.12-3.39.1(aarch64|x86_64)0:4.4.180-94.138.1(aarch64|x86_64)0:2.6-15.13.1(aarch64|x86_64)0:1.900.14-195.25.1(aarch64|x86_64)0:4.0.4-23.6.1(aarch64|x86_64)0:9.9.9P1-63.20.1(aarch64|x86_64)0:1.0.3-3.6.1(aarch64|x86_64)0:1.8.0.282-27.56.2(aarch64|x86_64)0:78.8.0-112.51.1(aarch64|x86_64)0:2.1.4-7.34.1(aarch64|x86_64)0:2.02-4.69.1(aarch64|x86_64)0:2.4.41-18.83.1(aarch64|x86_64)0:1.2-18.83.1(aarch64|x86_64)0:4.4.180-94.141.2(aarch64|x86_64)0:2.6-15.16.1(aarch64|x86_64)0:2.26.2-27.43.1(aarch64|x86_64)0:2.7.18-28.67.1(aarch64|x86_64)0:78.6.1-112.42.1(aarch64|x86_64)0:2.48.2-12.22.1(aarch64|x86_64)0:4.60.99-5.9.1(aarch64|x86_64)0:1.39.2-3.5.1(aarch64|x86_64)0:1.0.2j-60.66.1(aarch64|x86_64)0:78.9.0-112.54.1(x86_64)0:13-2.1(aarch64|x86_64)0:2.3.8-16.29.1(aarch64|x86_64)0:1.2.8-12.6.1(aarch64|x86_64)0:3.68.3-58.69.1(aarch64|x86_64)0:91.8.0-112.98.1(aarch64|x86_64)0:2.22-123.1(aarch64|x86_64)0:2.1.0-4.15.1(aarch64|x86_64)0:91.5.0-112.86.1(aarch64|x86_64)0:5.0.5-6.7.1(aarch64|x86_64)0:0.6.22-8.13.1(aarch64|x86_64)0:4.4.180-94.161.1(aarch64|x86_64)0:1.6-9.6.2(aarch64|x86_64)0:2.78-18.18.1(aarch64|x86_64)0:5.3.1-14.7.3(aarch64|x86_64)0:2.26.2-27.52.1(aarch64|x86_64)0:2.9.4-46.49.1(aarch64|x86_64)0:1.2.15-15.17.1(aarch64|x86_64)0:2.34.3-2.82.1(aarch64|x86_64)0:6.9-9.18.1(x86_64)0:11-2.1(x86_64)0:14-2.1(aarch64|x86_64)0:0.16-20.15.1(aarch64|x86_64)0:91.9.0-112.104.1(aarch64|x86_64)0:5.0.5-6.12.2(aarch64|x86_64)0:9.9.9P1-63.34.1(x86_64)0:15-2.1(x86_64)0:12-2.1(aarch64|x86_64)0:1.42.11-16.9.1(aarch64|x86_64)0:2.4.41-18.89.1(aarch64|x86_64)0:1.2-18.89.1(aarch64|x86_64)0:1.6-9.9.1(aarch64|x86_64)0:2.36.0-2.96.1(aarch64|x86_64)0:7.37.0-37.76.1(aarch64|x86_64)0:91.9.0-112.108.4(aarch64|x86_64)0:2.1.0-21.12.1(aarch64|x86_64)0:10.21-4.28.3(aarch64|x86_64)0:91.9.1-112.111.1(aarch64|x86_64)0:2.9.4-46.54.3(aarch64|x86_64)0:10.34-1.7.1(aarch64|x86_64)0:2.9-15.22.1(aarch64|x86_64)0:14.3-3.9.3(aarch64|x86_64)0:6.8.8.1-71.172.1(aarch64|x86_64)0:0.113-5.24.1(aarch64|x86_64)0:1.2.15-3.6.3(aarch64|x86_64)0:91.10.0-112.114.1(aarch64|x86_64)0:5.1.3-26.20.1(aarch64|x86_64)0:3.68.4-58.72.1(aarch64|x86_64)0:2.02-137.2(aarch64|x86_64)0:4.4.180-94.164.3(aarch64|x86_64)0:4.4.180-94.164.2(aarch64|x86_64)0:2.36.3-2.99.1(aarch64|x86_64)0:1.0.2j-60.80.1(aarch64|x86_64)0:2.4.23-29.91.1(aarch64|x86_64)0:1.3.0-1.15.3(aarch64|x86_64)0:3.4.10-25.93.1(aarch64|x86_64)0:1.0.2j-60.83.1(aarch64|x86_64)0:2.0.8_k4.4.180_94.164-3.13.1(aarch64|x86_64)0:2.7.18-28.87.1(aarch64|x86_64)0:12.0.2-10.36.1(aarch64|x86_64)0:16.11.9-8.19.1(aarch64|x86_64)0:91.11.0-112.119.1(aarch64|x86_64)0:8.24.0-3.58.2(aarch64|x86_64)0:8.45-8.12.1(aarch64|x86_64)0:4.6.16+git.320.a2d80a7efef-3.70.1(aarch64|x86_64)0:5.7.3-6.9.1(aarch64|x86_64)0:1.0.25-36.26.1(aarch64|x86_64)0:0.103.5-33.44.1(aarch64|x86_64)0:4.4.180-94.153.1(aarch64|x86_64)0:0.5.0-12.9.1(aarch64|x86_64)0:2.1.0-21.15.1(aarch64|x86_64)0:4.0.9-44.45.1(aarch64|x86_64)0:4.9.2-14.20.1(x86_64)0:15-2.2(aarch64|x86_64)0:91.6.0-112.89.1(aarch64|x86_64)0:2.4.23-29.83.1(aarch64|x86_64)0:2.1.26-8.17.1(aarch64|x86_64)0:2.34.5-2.85.3(aarch64|x86_64)0:2.1.0-21.18.1(aarch64|x86_64)0:5.0.5-6.19.1(aarch64|x86_64)0:4.4.180-94.156.1(aarch64|x86_64)0:91.6.1-112.92.1(aarch64|x86_64)0:2.34.6-2.88.1(aarch64|x86_64)0:0.99.beta18-14.6.1(aarch64|x86_64)0:91.7.0-112.95.1(aarch64|x86_64)0:2.1.0-21.22.1(aarch64|x86_64)0:1.0.2j-60.75.1(aarch64|x86_64)0:1.8.0.322-27.72.2(aarch64|x86_64)0:2.22-119.1(aarch64|x86_64)0:2.4.23-29.88.1(x86_64)0:12.2.7+git.1531910353.c0ef85b854-2.12.1(x86_64)0:2.62.2-5.7.1(x86_64)0:4.6.14+git.157.c2d53c2b191-3.29.1(x86_64)0:52.9.0esr-109.38.2(x86_64)0:0.100.1-33.15.2(x86_64)0:2.4.23-29.21.1(x86_64)0:4.8.7+2.3.4-4.7.2(x86_64)0:2.0.3-17.7.1(x86_64)0:4.8.7-8.8.1(x86_64)0:2017+git1492060560.b6d11d7c46-4.12.1(noarch)0:2017+git1492060560.b6d11d7c46-4.12.1(x86_64)0:1.7.5-20.17.1(x86_64)0:1.6.1-16.58.1(x86_64)0:3.20.3-23.6.1(noarch)0:3.20.3-23.6.1(x86_64)0:2.7.13-28.8.1(noarch)0:2.7.13-28.8.1(x86_64)0:1.0.25-36.16.1(x86_64)0:8.24.0-3.7.1(x86_64)0:2.29.2-3.12.1(x86_64)0:7.2p2-74.23.1(x86_64)0:4.2.1-27.12.1(x86_64)0:0.113-5.12.1(x86_64)0:1.0.1-17.6.1(x86_64)0:1.10.1-55.6.1(x86_64)0:1.9.1-9.4.1(noarch)0:2.34.0-19.17.1(x86_64)0:2.34.0-19.17.1(x86_64)0:3.3.9-11.14.1(x86_64)0:1.6.1-16.62.1(x86_64)0:0.41.rc1-10.9.1(x86_64)0:3.10.0.1-54.6.3(x86_64)0:0.33-3.6.1(x86_64)0:0.12.8-6.1(x86_64)0:2.2.31-19.11.1(x86_64)0:3.4.6-25.16.1(x86_64)0:7.37.0-37.26.1(x86_64)0:2.0.0-18.15.1(x86_64)0:6.8.8.1-71.74.1(x86_64)0:2.6.4-6.6.1(x86_64)0:16.17.20-2.33.2(x86_64)0:1.13.45-21.21.2(x86_64)0:2.4.23-29.24.1(x86_64)0:1.1.14-4.6.1(x86_64)0:4.0.9-44.21.1(x86_64)0:3.3.27-3.3.1(x86_64)0:2.1.0-24.9.1(x86_64)0:4.2.1-27.19.1(x86_64)0:2.4.9-48.29.1(x86_64)0:3.0.37-52.23.6(x86_64)0:1.0.2j-60.39.1(x86_64)0:6.00-33.8.1(x86_64)0:9.25-23.13.1(x86_64)0:1.1.36-58.3.1(x86_64)0:2.0.0-18.17.1(x86_64)0:6.2.0dev-22.3.1(x86_64)0:1.8.0.181-27.26.2(x86_64)0:1.0.58-19.2.3(x86_64)0:7.1.1-3.3.4(x86_64)0:1.7.1-5.3.1(x86_64)0:10.5-1.3.1(x86_64)0:10.5-1.3.2(x86_64)0:2.9.4-46.15.1(x86_64)0:6.8.8.1-71.79.1(x86_64)0:1.6.2-12.5.1(x86_64)0:1.10-4.3.1(x86_64)0:4.6.16+git.124.aee309c5c18-3.32.1(x86_64)0:6.8.8.1-71.82.1(x86_64)0:2.31-9.26.1(x86_64)0:2.9.3-6.3.1(x86_64)0:4.11.2-16.16.1(x86_64)0:4.0.9-44.24.1(x86_64)0:0.6.8-7.5.1(x86_64)0:4.2.8p12-64.8.2(x86_64)0:9.6.10-3.22.7(x86_64)0:2.20.3-2.23.8(x86_64)0:2.2.1-5.7.1(x86_64)0:0.100.2-33.18.1(x86_64)0:5.7.3-6.3.1(x86_64)0:6.8.8.1-71.85.1(x86_64)0:3.0.38-52.26.1(x86_64)0:2.7-9.7.1(x86_64)0:2.7.13-28.16.1(x86_64)0:2.4.23-29.27.2(x86_64)0:0.3.6-11.3.1(x86_64)0:2.4.10-48.32.1(x86_64)0:60.2.2esr-109.46.1(x86_64)0:60-32.3.1(x86_64)0:1.0.14-19.6.3(x86_64)0:3.36.4-58.15.3(x86_64)0:4.19-19.3.1(x86_64)0:7.37.0-37.31.1(x86_64)0:1.7.1-5.6.1(x86_64)0:0.13.0-3.3.2(x86_64)0:3.1.2-26.3.1(x86_64)0:60.3.0-109.50.2(x86_64)0:228-150.53.3(x86_64)0:10.6-1.6.1(x86_64)0:3.5.21-26.12.1(x86_64)0:1.0.2j-60.46.1(x86_64)0:4.11.2-16.21.1(x86_64)0:0.23-12.5.1(x86_64)0:4.0.9-44.27.1(x86_64)0:7.2p2-74.30.1(x86_64)0:5.9-61.1(x86_64)0:6.8.8.1-71.93.2(x86_64)0:1.3.1-7.13.4(x86_64)0:9.26-23.16.1(x86_64)0:0.2.7-12.4.1(x86_64)0:1.7.5-20.20.1(x86_64)0:2.7.6-3.23.1(x86_64)0:4.9.2-14.8.1(x86_64)0:2.4.41-18.43.1(x86_64)0:5.6.2-6.15.2(x86_64)0:5.13-5.7.1(x86_64)0:4.0.9-44.30.1(x86_64)0:2017+git1492060560.b6d11d7c46-4.17.1(x86_64)0:60.4.0esr-109.55.1(x86_64)0:3.40.1-58.18.1(x86_64)0:4.20-19.6.1(x86_64)0:2.1.17-3.3.3(x86_64)0:2.4.11-48.35.1(x86_64)0:2.24.0-2.38.2(x86_64)0:6.8.8.1-71.108.1(x86_64)0:4.6.16+git.154.2998451b912-3.40.3(x86_64)0:2.4.14-48.45.1(x86_64)0:1.4.3-20.6.1(x86_64)0:2.6-15.10.1(x86_64)0:0.7.0-160.8.1(x86_64)0:1.12.5-40.31.1(x86_64)0:1.5.3-31.14.2(x86_64)0:62.2.0-31.14.2(x86_64)0:8.1.2-31.14.2(x86_64)0:1.0.2j-60.52.1(x86_64)0:2.24.1-2.41.5(x86_64)0:2.8.1-8.3.3(x86_64)0:2.8.1-8.3.1(x86_64)0:3.0.15-2.11.2(x86_64)0:2017+git1492060560.b6d11d7c46-4.26.1(x86_64)0:3.8.10.2-9.6.1(x86_64)0:1.8.0.212-27.32.1(x86_64)0:1.1.28-17.3.1(x86_64)0:228-150.66.4(x86_64)0:1.1.3-24.9.1(x86_64)0:6.46-3.3.1(x86_64)0:7.2p2-74.35.1(x86_64)0:12.0.2-10.18.1(x86_64)0:5.13-5.12.1(x86_64)0:228-150.58.1(x86_64)0:4.0.4-23.3.3(x86_64)0:7.37.0-37.40.1(x86_64)0:4.9-3.10.1(x86_64)0:2.4.12-48.39.1(x86_64)0:60.7.0-109.72.1(x86_64)0:3.20.4-77.23.1(x86_64)0:1.7.0.221-43.22.1(x86_64)0:1.2.40-7.3.1(x86_64)0:9.9.9P1-63.12.1(x86_64)0:2.7.13-28.26.1(x86_64)0:9.26a-23.19.1(x86_64)0:0.2.7-12.6.1(x86_64)0:7.4.326-17.3.1(x86_64)0:2.22.5-2.32.2(x86_64)0:0.6.11-12.3.1(x86_64)0:1.13.4-34.37.1(x86_64)0:10.8-1.9.1(x86_64)0:7.2p2-74.42.8(x86_64)0:7.2p2-74.42.10(x86_64)0:1.8.3-13.3.2(x86_64)0:3.8.10.2-9.9.1(x86_64)0:2.4.15-48.48.1(x86_64)0:60.7.1-109.77.1(x86_64)0:10.66.3-8.7.2(x86_64)0:9.6.13-3.25.1(x86_64)0:6.8.8.1-71.123.2(x86_64)0:2.48.2-12.12.2(x86_64)0:0.158-7.7.2(x86_64)0:0.6.32-32.3.1(x86_64)0:0.6.32-32.3.2(x86_64)0:2.1.0-21.6.1(x86_64)0:0.9.0~git.1456906198.f422461-21.9.1(x86_64)0:2.24.2-2.44.1(x86_64)0:1.1.28-17.6.1(x86_64)0:2.9.4-46.20.1(noarch)0:2.9.4-46.20.1(x86_64)0:0.113-5.15.1(x86_64)0:3.4.2-44.3.1(x86_64)0:2.1.0-6.10.1(x86_64)0:4.2-59.10.1(x86_64)0:1.4.11-59.10.1(x86_64)0:6.8.8.1-71.126.1(x86_64)0:2.1.0-6.13.1(x86_64)0:1.7.0.231-43.27.2(x86_64)0:4.9.2-14.11.1(x86_64)0:8.24.0-3.19.1(x86_64)0:2.4.16-48.51.1(x86_64)0:2.1.0-4.12.2(noarch)0:1.22-7.7.1(noarch)0:1.9.2-3.3.1(x86_64)0:1.0.12-13.12.1(x86_64)0:10.10-1.15.1(noarch)0:10.10-1.15.1(x86_64)0:2.9.1-6.41.1(noarch)0:1.0.0+-6.41.1(noarch)0:1.10.2-6.41.1(noarch)0:8-6.41.1(x86_64)0:2.4.23-29.43.1(noarch)0:2.4.23-29.43.1(x86_64)0:9.26a-23.25.1(x86_64)0:12.2.12+git.1568024032.02236657ca-2.39.1(x86_64)0:2.4.41-18.63.1(noarch)0:2.4.41-18.63.1(x86_64)0:3.6.8-6.6.1(noarch)0:3.6.8-6.6.1(x86_64)0:0.12.8-12.1(x86_64)0:6.46-3.6.1(x86_64)0:3.4.6-25.21.1(x86_64)0:2.1.0-21.9.1(x86_64)0:3.5.25.3-5.3.1(x86_64)0:2.0.24-9.8.1(noarch)0:2.0.24-9.8.1(x86_64)0:7.37.0-37.34.1(x86_64)0:1.900.14-195.15.1(x86_64)0:3.8.10.2-9.12.1(noarch)0:40.6.2-4.12.23(noarch)0:0.25-9.3.1(x86_64)0:4.3.3-10.19.1(x86_64)0:0.99.beta18-14.3.27(x86_64)0:2.7.13-28.36.1(noarch)0:2.7.13-28.36.1(x86_64)0:12.0.2-10.27.1(x86_64)0:3.6.8-6.9.1(noarch)0:3.6.8-6.9.1(x86_64)0:0.6.42-16.8.3(noarch)0:0.6.42-16.8.3(x86_64)0:6.8.8.1-71.131.1(x86_64)0:3.4.6-25.34.2(x86_64)0:8.24.0-3.33.2(x86_64)0:1.1-11.3.1(x86_64)0:5.13-5.15.3(x86_64)0:16.11.9-11.3.2(x86_64)0:16.11.9_k4.4.140_96.45.TDC-11.3.2(x86_64)0:0.60.6.1-18.3.1(x86_64)0:4.0.9-44.42.1(x86_64)0:2.11-36.6.1(noarch)0:2.11-36.6.1(x86_64)0:2.9.4-46.23.2(noarch)0:2.9.4-46.23.2(x86_64)0:2.9.4-46.23.3(x86_64)0:3.1.2-26.6.1(x86_64)0:5.9-69.1(x86_64)0:0.9.9-17.11.1(x86_64)0:17.0.5-117.8.2(x86_64)0:1.0.0-117.8.2(x86_64)0:2.0.8-13.5.1(x86_64)0:60.5.0esr-109.58.3(x86_64)0:60-32.5.1(x86_64)0:3.41.1-58.25.1(x86_64)0:1.8.0-5.8.1(x86_64)0:228-150.63.1(x86_64)0:3.3.9-11.18.1(x86_64)0:2.7.13-28.21.1(x86_64)0:1.7.0.201-43.18.1(x86_64)0:2.4.23-29.34.4(x86_64)0:12.2.10+git.1549630712.bb089269ea-2.27.2(x86_64)0:2.22.6-2.35.1(x86_64)0:1.8.0.191-27.29.1(x86_64)0:2017+git1492060560.b6d11d7c46-4.20.1(x86_64)0:2.22.4-2.29.3(x86_64)0:0.9.9-17.8.1(x86_64)0:4.7.4-3.6.1(x86_64)0:1.4.3-20.3.1(x86_64)0:2.4.11-21.8.1(x86_64)0:2.4.13-48.42.1(x86_64)0:9.26a-23.22.1(x86_64)0:2017+git1492060560.b6d11d7c46-4.23.1(x86_64)0:2.1.0-24.12.1(x86_64)0:0.5.3.git20161120-161.3.4(x86_64)0:4.2.8p13-85.1(x86_64)0:1.0.2j-60.49.1(x86_64)0:0.8.2-1.3.1(x86_64)0:1.13.4-34.31.1(x86_64)0:1.13.4-34.23.1(x86_64)0:1.0.18-3.2.1(x86_64)0:4.3-83.23.1(x86_64)0:6.3-83.23.1(x86_64)0:5.22-10.12.2(x86_64)0:60.6.1esr-109.63.2(x86_64)0:2.4.23-29.40.1(x86_64)0:0.100.3-33.21.1(x86_64)0:1.2.15-15.11.1(x86_64)0:2.2.31-19.14.2(x86_64)0:3.8.10.2-9.3.1(x86_64)0:1.5.6-3.9.1(x86_64)0:1.14-21.10.1(x86_64)0:1.7.1-5.11.1(x86_64)0:3.4.6-25.24.1(x86_64)0:7.37.0-37.37.1(x86_64)0:2.6.6-4.3.1(x86_64)0:4.8.7-8.13.1(x86_64)0:3.20.3-15.3.25(noarch)0:3.20.3-15.3.25(x86_64)0:2.1.0-6.20.1(noarch)0:1.9.4-3.6.1(x86_64)0:16.11.9-11.6.1(x86_64)0:16.11.9_k4.4.140_96.58.TDC-11.6.1(x86_64)0:3.20.3-15.6.1(noarch)0:3.20.3-15.6.1(x86_64)0:6.2.0dev-22.8.2(x86_64)0:1.9-4.4.5(x86_64)0:0.3.6-11.7.8(x86_64)0:4.6.5-3.3.74(x86_64)0:0.2.2-10.3.5(x86_64)0:6.00-33.13.3(x86_64)0:3.2.5e-2.8.2(x86_64)0:228-150.86.3(noarch)0:228-150.86.3(x86_64)0:2.1.0-6.23.1(x86_64)0:0.2020-25.3.1(x86_64)0:4.0.12-4.7.1(x86_64)0:2.7.17-28.48.1(noarch)0:2.7.17-28.48.1(x86_64)0:2.3.8-16.23.1(noarch)0:2.1.43-7.9.4(x86_64)0:1.8.0.232-27.38.1(x86_64)0:1.5.3-31.22.2(x86_64)0:62.2.0-31.22.2(x86_64)0:8.1.2-31.22.2(x86_64)0:2.9.4-46.34.1(noarch)0:2.9.4-46.34.1(x86_64)0:6.9-9.9.1(x86_64)0:2017+git1492060560.b6d11d7c46-4.35.1(noarch)0:2017+git1492060560.b6d11d7c46-4.35.1(x86_64)0:458-7.3.3(x86_64)0:1.900.14-195.22.1(x86_64)0:0.4-15.7.1(x86_64)0:4.60.99-5.6.3(x86_64)0:6.8.8.1-71.144.8(x86_64)0:1.27.1-15.6.3(noarch)0:1.27.1-15.6.3(x86_64)0:0.60.6.1-18.8.2(x86_64)0:3.6.8-6.19.1(noarch)0:3.6.8-6.19.1(x86_64)0:5.6.2-3.3.110(x86_64)0:1.0.5-8.5.74(x86_64)0:1.3.2-19.3.1(x86_64)0:1.9.1-3.4.18(x86_64)0:0.90-6.6.5(x86_64)0:1.2.15-15.14.2(x86_64)0:2.28.0-29.3.8(x86_64)0:2.28.0-29.3.17(x86_64)0:2.6.4-6.9.24(x86_64)0:2.6.4-6.9.39(x86_64)0:2.6.4-6.9.41(x86_64)0:2.7.17-28.56.1(noarch)0:2.7.17-28.56.1(x86_64)0:0.13.0-3.6.27(x86_64)0:6.8.8.1-71.147.1(x86_64)0:3.4.10-25.55.1(x86_64)0:4.9.2-14.17.1(x86_64)0:5.13-5.20.6(x86_64)0:3.6.12-6.27.1(x86_64)0:7.37.0-37.52.1(x86_64)0:2017+git1492060560.b6d11d7c46-4.38.1(noarch)0:2017+git1492060560.b6d11d7c46-4.38.1(x86_64)0:7.37.0-37.55.1(x86_64)0:1.1.3-24.15.1(noarch)0:1.1.3-24.15.1(x86_64)0:2.1.0-6.26.1(x86_64)0:6.8.8.1-71.141.1(x86_64)0:1.3.0-3.6.1(x86_64)0:2017+git1492060560.b6d11d7c46-4.29.3(noarch)0:2017+git1492060560.b6d11d7c46-4.29.3(x86_64)0:2.40.21-5.9.1(x86_64)0:2.1.0-24.17.1(x86_64)0:3.6.8-6.14.1(noarch)0:3.6.8-6.14.1(x86_64)0:1.4.39-4.11.2(x86_64)0:1.1.36-58.9.2(x86_64)0:1.42.11-16.6.1(x86_64)0:0.23-12.8.1(x86_64)0:1.2.50-20.3.2(x86_64)0:3.20.2-7.3.21(noarch)0:3.20.2-7.3.21(x86_64)0:12.2.12+git.1585658687.363df3a813-2.42.4(x86_64)0:3.5.25.3-5.6.10(x86_64)0:2017+git1492060560.b6d11d7c46-4.32.1(noarch)0:2017+git1492060560.b6d11d7c46-4.32.1(x86_64)0:2.1.0-6.29.1(x86_64)0:2.6-15.19.1(x86_64)0:6.9-9.12.1(x86_64)0:6.8.8.1-71.165.1(x86_64)0:2.4.41-18.80.1(noarch)0:2.4.41-18.80.1(x86_64)0:1.2-18.80.1(noarch)0:2.4-9.3.1(x86_64)0:7.37.0-37.58.1(x86_64)0:3.6.13-6.39.1(x86_64)0:2.9.4-46.40.1(noarch)0:2.9.4-46.40.1(x86_64)0:2.3.8-16.26.1(x86_64)0:7.37.0-37.61.1(noarch)0:0.26-5.3.1(x86_64)0:1.3.10-5.3.1(x86_64)0:1.6.2-12.18.1(noarch)0:1.6.2-12.18.1(x86_64)0:9.6.22-6.12.3(noarch)0:9.6.22-6.12.3(x86_64)0:10.17-4.16.4(noarch)0:10.17-4.16.4(x86_64)0:13.3-3.9.3(x86_64)0:15.4-25.16.1(x86_64)0:1.5.3-31.25.1(x86_64)0:62.2.0-31.25.1(x86_64)0:8.1.2-31.25.1(x86_64)0:1.10.1-55.24.1(x86_64)0:2.9.4-46.46.1(noarch)0:2.9.4-46.46.1(noarch)0:1.17.9-14.24.2(x86_64)0:7.37.0-37.67.1(x86_64)0:3.6.12-6.30.1(x86_64)0:0.98-22.3.1(x86_64)0:0.4-15.10.1(x86_64)0:0.16.0-8.8.2(x86_64)0:1.7.5-20.33.1(x86_64)0:1.8.3-16.3.1(noarch)0:1.8.3-16.3.1(x86_64)0:2.4.23-29.77.2(noarch)0:2.4.23-29.77.2(x86_64)0:3.1.1-13.6.1(noarch)0:1.22-3.23.1(x86_64)0:0.3.2-7.3.1(x86_64)0:1.7.0.311-43.50.2(x86_64)0:2.9.1-6.56.1(noarch)0:1.0.0+-6.56.1(noarch)0:1.10.2_0_g5f4c7b1-6.56.1(noarch)0:8-6.56.1(x86_64)0:13.4-3.12.2(x86_64)0:7.37.0-37.70.1(x86_64)0:1.3.10-5.7.1(x86_64)0:2.1.0-24.20.1(x86_64)0:0.7.0-160.11.1(x86_64)0:3.6.15-6.49.1(x86_64)0:5.6.2-3.6.1(x86_64)0:3.4.10-25.80.2(x86_64)0:5.9-75.1(x86_64)0:6.3.26-13.15.1(x86_64)0:1.15.2-25.6.2(x86_64)0:0.9.46-7.3.1(x86_64)0:2.7.18-28.74.2(x86_64)0:2.7.18-28.74.1(noarch)0:2.7.18-28.74.1(x86_64)0:2.0.1-13.1(x86_64)0:9.9.9P1-63.31.1(noarch)0:9.9.9P1-63.31.1(x86_64)0:2.1.0-6.42.1(x86_64)0:1.1.999_1.2rc1-24.3.1(x86_64)0:5.1.3-4.3.1(x86_64)0:0.19.2-3.3.6(x86_64)0:4.8.7-8.16.1(x86_64)0:4.8.7-8.16.2(x86_64)0:1.3.0-3.9.1(x86_64)0:3.6.12-6.33.1(x86_64)0:78.7.1-112.48.1(x86_64)0:6.8.8.1-71.159.2(x86_64)0:13.2-3.6.1(x86_64)0:3.0.15-2.17.1(x86_64)0:0.6.32-32.12.2(noarch)0:0.6.32-32.12.2(x86_64)0:0.6.32-32.12.3(noarch)0:8.0.53-29.43.2(noarch)0:9.4-3.3.1(x86_64)0:6.8.8.1-71.162.1(x86_64)0:2.4.23-29.69.1(noarch)0:2.4.23-29.69.1(x86_64)0:3.4.10-25.66.1(x86_64)0:3.6.13-6.36.1(x86_64)0:2017+git1492060560.b6d11d7c46-4.41.1(noarch)0:2017+git1492060560.b6d11d7c46-4.41.1(x86_64)0:1.27.1-15.9.1(noarch)0:1.27.1-15.9.1(x86_64)0:4.0.12-4.12.1(x86_64)0:0.13.0-3.11.1(x86_64)0:3.4.10-25.88.1(noarch)0:1.19.9-6.3.15(x86_64)0:3.6.15-6.61.5(x86_64)0:3.6.15-6.61.6(x86_64)0:5.3.1-6.5.12(noarch)0:1.4.3-6.3.8(noarch)0:0.24.0-6.3.16(noarch)0:1.17.9-6.3.11(noarch)0:1.20.9-6.3.11(noarch)0:2018.1.18-6.3.15(x86_64)0:1.11.5-6.3.18(noarch)0:3.0.4-6.3.15(noarch)0:0.4.4-6.3.15(x86_64)0:2.8-6.3.17(noarch)0:0.14-6.3.8(noarch)0:2.6-6.5.15(noarch)0:0.9.3-6.3.14(noarch)0:17.1-6.6.8(noarch)0:3.10-6.3.8(noarch)0:1.8.1-6.3.15(noarch)0:17.1.0-6.3.16(noarch)0:0.1.9-6.3.18(noarch)0:2.10-6.3.9(noarch)0:2.4.7-6.3.9(noarch)0:2.7.3-6.3.13(noarch)0:2.24.0-6.3.15(noarch)0:20200207.5feb6c1-6.3.3(noarch)0:3.4.2-6.3.15(noarch)0:0.3.3-6.3.11(noarch)0:44.1.1-9.11.1(noarch)0:44.1.1-6.7.4(noarch)0:44.1.1-6.7.3(x86_64)0:3.8.2-6.3.16(noarch)0:1.14.0-6.7.3(noarch)0:1.14.0-6.7.6(noarch)0:1.25.10-6.3.13(x86_64)0:0.5.0-12.6.1(x86_64)0:1.8.0-5.11.1(x86_64)0:4.0.12-4.15.2(noarch)0:1.9.4-3.9.1(x86_64)0:1.900.14-195.31.1(x86_64)0:1.10.1-55.27.1(x86_64)0:0.99.beta18-14.9.1(x86_64)0:3.3.0-5.52.1(x86_64)0:7.37.0-37.73.1(x86_64)0:0.103.6-33.47.1(x86_64)0:4.0.9-44.48.1(x86_64)0:0.43.0-16.19.3(x86_64)0:2.0.1-18.7.1(noarch)0:2.48.2-12.28.1(x86_64)0:2.48.2-12.28.1(x86_64)0:5.6.1-4.8.1(x86_64)0:13.7-3.21.3(noarch)0:13.7-3.21.3(x86_64)0:0.19.2-14.3.1(x86_64)0:12.11-3.27.3(noarch)0:12.11-3.27.3(noarch)0:14.3-3.9.3(x86_64)0:2.7.5-8.8.1(x86_64)0:4.8.5-31.26.1(noarch)0:4.8.5-31.26.1(x86_64)0:3.6.15-6.64.1(x86_64)0:16.11.9-11.8.1(x86_64)0:16.11.9_k4.4.140_96.103.TDC-11.8.1(x86_64)0:6.8.8.1-71.177.1(x86_64)0:7.1.8-7.4.1(x86_64)0:7.1.8_k4.4.140_96.103.TDC-7.4.1(x86_64)0:3.11.0-2.20.1(noarch)0:2.36.4-2.102.1(x86_64)0:5.22-8.3.1(x86_64)0:1.8.0-5.14.1(x86_64)0:4.0.9-44.51.1(x86_64)0:4.60.99-5.12.1(x86_64)0:1.18.4-16.3.5(x86_64)0:5.9-78.1(x86_64)0:3.6.15-6.67.4(noarch)0:6.01-9.5.1(x86_64)0:2.0.15-5.6.1(x86_64)0:13.8-3.24.1(noarch)0:13.8-3.24.1(noarch)0:2.36.5-2.107.2(x86_64)0:4.0.12-4.18.1(noarch)0:2.36.7-2.110.1(x86_64)0:6.8.8.1-71.180.1(x86_64)0:52.1-8.13.1(x86_64)0:12.12-3.30.2(noarch)0:12.12-3.30.2(x86_64)0:1.1.4-6.3.1(noarch)0:3.2.23-4.7.1(x86_64)0:3.2.23-4.7.1(noarch)0:14.5-3.14.9(x86_64)0:3.3.3-26.13.1(x86_64)0:2015.09.28.1626-17.30.1(x86_64)0:7.37.0-37.82.1(x86_64)0:6.9-9.21.1(x86_64)0:3.6.15-6.70.1(x86_64)0:6.00-33.16.1(x86_64)0:0.99.beta18-14.12.1(x86_64)0:3.3.5-3.12.1(x86_64)0:1.5.3-31.28.1(x86_64)0:62.2.0-31.28.1(x86_64)0:8.1.2-31.28.1(x86_64)0:2.7.12-3.42.1(noarch)0:2.36.8-2.113.1(x86_64)0:0.23-12.11.1(x86_64)0:2.22-129.1(noarch)0:2.22-129.1(x86_64)0:1.900.14-195.34.1(noarch)0:1.8-4.11.1(x86_64)0:3.3.3-26.16.1(x86_64)0:4.17-30.3.1(x86_64)0:4.9.4_32-3.109.1(x86_64)0:3.6.15-6.73.1(x86_64)0:1.8.3-13.6.1(noarch)0:1.8.3-13.6.1(x86_64)0:3.3.5-3.15.1(x86_64)0:4.11.2-16.26.1(x86_64)0:308-5.6.1(x86_64)0:1.8.0-5.19.1(x86_64)0:1.6.2-12.24.1(noarch)0:1.6.2-12.24.1(x86_64)0:4.3.3-10.28.1(noarch)0:1.9.4-3.12.1(x86_64)0:3.6.15-6.76.1(x86_64)0:5.1.3-26.23.1(noarch)0:5.1.3-26.23.1(x86_64)0:3.3.3-26.19.1(noarch)0:2.38.2-2.120.1(x86_64)0:0.4-15.13.1(x86_64)0:1.0.3-5.3.1(x86_64)0:4.8.30-33.1(x86_64)0:0.9.9-17.41.1(noarch)0:5.2-28.3.1(x86_64)0:1.35.0-4.6.2(x86_64)0:3.20.3-23.15.1(noarch)0:3.20.3-23.15.1(x86_64)0:1.3.3-13.3.1(x86_64)0:1.7.1_sr5.15-38.77.1(x86_64)0:7.37.0-37.88.1(x86_64)0:1.8.0_sr7.20-30.102.1(x86_64)0:3.39.3-9.26.1(noarch)0:2.60-12.40.1(x86_64)0:0.113-5.27.1(x86_64)0:1.900.14-195.28.1(noarch)0:8.0.53-29.49.3(x86_64)0:2.1.0-6.45.1(x86_64)0:3.3.27-3.6.1(x86_64)0:1.3.0-12.6.1(x86_64)0:9.52-23.48.1(noarch)0:2.48.2-12.25.1(x86_64)0:2.48.2-12.25.1(x86_64)0:0.7.0-160.14.1(x86_64)0:3.4.10-25.85.1(x86_64)0:3.4.10-25.85.2(x86_64)0:3.5.0-3.9.1(x86_64)0:2.7.18-28.84.1(noarch)0:2.7.18-28.84.1(x86_64)0:1.8.20p2-3.36.1(noarch)0:9.4-3.9.1(x86_64)0:102.7.0-112.145.1(x86_64)0:3.79.3-58.91.1(x86_64)0:3.0.15-2.23.1(x86_64)0:4.6.16+git.384.9fec958bed-3.76.1(noarch)0:4.6.16+git.384.9fec958bed-3.76.1(x86_64)0:4.9.4_36-3.117.1(x86_64)0:3.5.11-6.7.1(x86_64)0:5.13-5.36.1(x86_64)0:7.6_1.18.3-76.66.1(x86_64)0:2.38.5-2.131.4(noarch)0:2.38.5-2.131.4(x86_64)0:1.8.20p2-3.39.1(x86_64)0:6.8.8.1-71.186.1(x86_64)0:1.0.2j-60.89.1(noarch)0:1.0.2j-60.89.1(x86_64)0:2.8-7.40.1(x86_64)0:228-150.108.2(noarch)0:228-150.108.2(x86_64)0:9.52-23.51.1(x86_64)0:102.10.0-112.156.1(x86_64)0:1.4.5-8.3.1(x86_64)0:1.8.0_sr8.0-30.105.1(x86_64)0:2.6.4-6.14.2(x86_64)0:2.6.4-6.14.3(x86_64)0:2.6.4-6.16.1(x86_64)0:2.4.23-29.94.1(noarch)0:2.4.23-29.94.1(x86_64)0:15.7-25.24.1(x86_64)0:1.0.2j-60.92.1(noarch)0:1.0.2j-60.92.1(noarch)0:2.48.2-12.31.1(x86_64)0:2.48.2-12.31.1(x86_64)0:2017+git1492060560.b6d11d7c46-4.47.1(noarch)0:2017+git1492060560.b6d11d7c46-4.47.1(x86_64)0:0.9.30-6.3.1(x86_64)0:0.6.32-32.18.1(noarch)0:0.6.32-32.18.1(x86_64)0:4.0.9-44.65.1(x86_64)0:3.0-10.6.1(x86_64)0:2.9.4-46.62.1(noarch)0:2.9.4-46.62.1(x86_64)0:2.38.6-2.136.1(noarch)0:2.38.6-2.136.1(x86_64)0:4.2.1-27.22.1(x86_64)0:9.0.1234-17.12.1(noarch)0:9.0.1234-17.12.1(x86_64)0:15.7-25.27.1(x86_64)0:5.9-81.1(x86_64)0:2.7.18-28.93.1(noarch)0:2.7.18-28.93.1(x86_64)0:4.2.8p15-100.1(x86_64)0:102.11.0-112.159.1(x86_64)0:1.5.0-1.24.4(x86_64)0:12.15-3.39.1(noarch)0:12.15-3.39.1(x86_64)0:13.11-3.33.1(noarch)0:13.11-3.33.1(x86_64)0:14.8-3.23.1(noarch)0:14.8-3.23.1(x86_64)0:15.3-3.9.1(noarch)0:15.3-3.9.1(x86_64)0:7.37.0-37.98.1(x86_64)0:1.8.0.372-27.87.1(x86_64)0:5.8-8.3.1(x86_64)0:2.7.12-3.45.1(x86_64)0:20230512-13.107.1(noarch)0:8.0.53-29.66.1(x86_64)0:4.0.9-44.68.1(x86_64)0:1.0.2j-60.95.1(noarch)0:1.0.2j-60.95.1(x86_64)0:6.8.8.1-71.189.1(x86_64)0:1.7.5-20.39.1(x86_64)0:2.4.41-18.95.1(noarch)0:2.4.41-18.95.1(x86_64)0:1.2-18.95.1(x86_64)0:102.12.0-112.162.1(x86_64)0:2.7.18-28.96.1(noarch)0:2.7.18-28.96.1(x86_64)0:3.6.15-6.91.1(noarch)0:3.0.11-95.54.1(x86_64)0:0.13.0-3.22.1(x86_64)0:1.8.0_sr8.5-30.108.1(x86_64)0:1.9.1-9.12.1(x86_64)0:12.1-2.20.1(x86_64)0:1.6.2-12.30.1(noarch)0:1.6.2-12.30.1(noarch)0:2.24.0-6.6.1(x86_64)0:5.13-5.39.1(x86_64)0:1.8.22-29.27.1(x86_64)0:2.38.6-2.139.1(noarch)0:2.38.6-2.139.1(x86_64)0:4.2.8p17-103.1(x86_64)0:1.0.2j-60.98.1(noarch)0:1.0.2j-60.98.1(x86_64)0:3.1.0.git20140619_c5beb80a-3.3.1(x86_64)0:2.26-14.9.1(x86_64)0:9.9.9P1-63.40.1(noarch)0:9.9.9P1-63.40.1(x86_64)0:5.6.2-6.33.1(x86_64)0:7.6_1.18.3-76.60.1(x86_64)0:9.52-23.54.1(x86_64)0:115.0-112.165.1(x86_64)0:115-35.12.2(noarch)0:115.0-112.165.1(x86_64)0:1.8.0_sr8.6-30.111.1(noarch)0:2.11.1-6.34.1(x86_64)0:6.8.8.1-71.192.1(x86_64)0:5.18.2-12.26.1(noarch)0:5.18.2-12.26.1(noarch)0:2.24.0-8.17.1(x86_64)0:4.6.16+git.393.97432483687-3.81.1(noarch)0:4.6.16+git.393.97432483687-3.81.1(x86_64)0:0.43.0-16.25.1(x86_64)0:7.2p2-74.63.1(x86_64)0:115.0.2-112.170.2(noarch)0:115.0.2-112.170.2(x86_64)0:5.6.2-3.11.1(x86_64)0:5.6.2-6.36.1(x86_64)0:1.5.6-3.13.1(x86_64)0:4.0.12-4.24.1(x86_64)0:4.6.5-3.6.1(x86_64)0:1.3.0-24.6.1(x86_64)0:1.0.2j-60.101.1(noarch)0:1.0.2j-60.101.1(x86_64)0:115.1.0-112.173.1(noarch)0:115.1.0-112.173.1(x86_64)0:2.8.0-7.6.1(x86_64)0:1.8.3-13.9.1(noarch)0:1.8.3-13.9.1(x86_64)0:2.40.5-2.146.1(noarch)0:2.40.5-2.146.1(x86_64)0:1.8.3-16.9.1(noarch)0:1.8.3-16.9.1(x86_64)0:20230808-13.110.1(x86_64)0:1.0.2j-60.104.1(noarch)0:1.0.2j-60.104.1(x86_64)0:10.34-1.13.1(x86_64)0:12.16-3.42.1(noarch)0:12.16-3.42.1(x86_64)0:15.4-3.12.1(noarch)0:15.4-3.12.1(x86_64)0:14.9-3.26.1(noarch)0:14.9-3.26.1(x86_64)0:13.12-3.36.1(noarch)0:13.12-3.36.1(x86_64)0:6.8.8.1-71.195.1(noarch)0:5.0.6-20.8.1(x86_64)0:0.103.9-33.56.1(x86_64)0:1.5.3-2.11.1(x86_64)0:1.12.5-40.52.1(x86_64)0:0.43.0-16.28.1(x86_64)0:0.9.0~git.1456906198.f422461-21.30.2(x86_64)0:1.8.3-13.12.1(noarch)0:1.8.3-13.12.1(noarch)0:2.62-12.43.1(x86_64)0:1.8.0_sr8.10-30.114.1(x86_64)0:1.9.1-9.15.1(x86_64)0:7.37.0-37.101.1(x86_64)0:4.1.0-5.3.1(x86_64)0:9.52-23.57.1(x86_64)0:1.8.0.382-27.90.1(x86_64)0:9.0.1572-17.18.1(noarch)0:9.0.1572-17.18.1(x86_64)0:3.3.9-11.27.1(x86_64)0:1.4.3-20.17.1(x86_64)0:10.3.10-3.38.2(x86_64)0:115.2.0-112.176.1(noarch)0:115.2.0-112.176.1(x86_64)0:3.6.15-6.94.1(x86_64)0:115.2.1-112.179.1(noarch)0:115.2.1-112.179.1(x86_64)0:12.3.0+git1204-1.13.1(x86_64)0:7.5.0+r278197-13.1(x86_64)0:2.9.4-46.65.1(noarch)0:2.9.4-46.65.1(x86_64)0:4.9.4_40-3.123.1(x86_64)0:5.13-5.42.2(x86_64)0:1.9.1-9.18.1(x86_64)0:2.41-9.53.1(x86_64)0:1.10.1-55.30.1(x86_64)0:2.7.18-28.102.1(noarch)0:2.7.18-28.102.1(x86_64)0:1.7.5-20.46.1(x86_64)0:0.9.0~git.1456906198.f422461-21.36.2(x86_64)0:1.35.0-4.12.1(x86_64)0:3.2.10-3.27.2(noarch)0:3.2.10-3.27.2(x86_64)0:2.2.1-5.10.1(x86_64)0:6.8.8.1-71.198.1(x86_64)0:3.5.25.3-5.22.1(noarch)0:8.0.53-29.69.1(x86_64)0:1.1.1-17.10.1(x86_64)0:1.5.22-10.4.1(x86_64)0:115.3.0-112.182.1(noarch)0:115.3.0-112.182.1(x86_64)0:1.39.2-3.10.1(x86_64)0:2.0.24-9.14.1(noarch)0:2.0.24-9.14.1(x86_64)0:1.5.0-1.27.2(x86_64)0:4.9.4_42-3.126.1(x86_64)0:12.14-3.36.1(noarch)0:12.14-3.36.1(x86_64)0:13.10-3.30.1(noarch)0:13.10-3.30.1(x86_64)0:14.7-3.20.1(noarch)0:14.7-3.20.1(x86_64)0:15.2-3.6.1(noarch)0:15.2-3.6.1(x86_64)0:9.52-23.60.1(x86_64)0:3.4.10-25.116.1(x86_64)0:1.3.0-3.12.1(x86_64)0:9.0.1894-17.23.2(noarch)0:9.0.1894-17.23.2(noarch)0:1.8.1-11.15.2(x86_64)0:115.3.1-112.185.1(noarch)0:115.3.1-112.185.1(x86_64)0:2.7.18-28.105.1(noarch)0:2.7.18-28.105.1(x86_64)0:3.5.11-6.10.1(x86_64)0:2.38.4-2.126.1(noarch)0:2.38.4-2.126.1(x86_64)0:0.43.0-16.35.2(x86_64)0:1.6.2-12.33.1(noarch)0:1.6.2-12.33.1(x86_64)0:9.9.9P1-63.43.1(noarch)0:9.9.9P1-63.43.1(noarch)0:1.22-7.13.1(x86_64)0:4.2.1-27.25.1(x86_64)0:4.6.16+git.397.ee6c0d1a065-3.84.1(noarch)0:4.6.16+git.397.ee6c0d1a065-3.84.1(x86_64)0:6.8.8.1-71.201.1(noarch)0:1.25.10-3.34.1(x86_64)0:0.13.0-3.25.1(x86_64)0:0.23-12.21.1(x86_64)0:2.02-147.1(noarch)0:2.02-147.1(noarch)0:1.22-7.16.1(x86_64)0:5.62-10.3.1(x86_64)0:1.2.8-12.12.1(x86_64)0:0.5-10.14.5(x86_64)0:4.9.4_44-3.129.1(x86_64)0:1.39.2-3.13.1(x86_64)0:2.42.1-2.155.1(noarch)0:2.42.1-2.155.1(x86_64)0:6.8.8.1-71.183.1(x86_64)0:115.4.0-112.188.1(noarch)0:115.4.0-112.188.1(x86_64)0:1.4.0-27.3.1(noarch)0:1.4.0-27.3.1(noarch)0:1.22-7.19.1(x86_64)0:0.103.11-33.59.1(x86_64)0:1.0.25-36.29.1(noarch)0:8.0.53-29.72.1(x86_64)0:2.4.23-29.100.1(noarch)0:2.4.23-29.100.1(x86_64)0:0.43.0-16.40.1(x86_64)0:1.8.3-18.6.1(noarch)0:1.8.3-18.6.1(x86_64)0:1.8.0.362-27.84.1(x86_64)0:4.0.9-44.71.1(x86_64)0:4.17-30.6.1(x86_64)0:1.27.1-15.18.1(noarch)0:1.27.1-15.18.1(x86_64)0:14.10-3.33.1(noarch)0:14.10-3.33.1(x86_64)0:4.6.1-8.3.2(x86_64)0:16.1-3.7.1(noarch)0:16-4.23.3(x86_64)0:15.5-3.19.2(noarch)0:15.5-3.19.2(noarch)0:16.1-3.7.1(x86_64)0:12.17-3.49.1(noarch)0:12.17-3.49.1(x86_64)0:13.13-3.43.1(noarch)0:13.13-3.43.1(x86_64)0:2.29.2-3.39.2(noarch)0:2.29.2-3.39.2(x86_64)0:20231113-13.115.1(noarch)0:1.25.10-3.37.1(x86_64)0:13.2.1+git7813-1.10.1(x86_64)0:20231114-13.118.1(x86_64)0:4.9.4_46-3.132.1(x86_64)0:0.6.32-32.21.1(noarch)0:0.6.32-32.21.1(x86_64)0:2.9.4-46.68.2(noarch)0:2.9.4-46.68.2(x86_64)0:1.8.0.392-27.93.1(x86_64)0:0.103.8-33.53.1(x86_64)0:4.17-30.9.3(x86_64)0:115.5.0-112.191.1(noarch)0:115.5.0-112.191.1(x86_64)0:3.1.1-13.9.1(x86_64)0:20230214-13.104.1(x86_64)0:9.0.2103-17.26.1(noarch)0:9.0.2103-17.26.1(x86_64)0:3.44.0-9.29.1(x86_64)0:1.8.3-18.9.3(noarch)0:1.8.3-18.9.3(x86_64)0:1.8.0_sr8.15-30.117.1(x86_64)0:4.8.7-8.19.1(x86_64)0:4.17-30.12.1(x86_64)0:3.5.21-26.41.1(x86_64)0:2.42.2-2.158.2(noarch)0:2.42.2-2.158.2(x86_64)0:2.0.19-3.6.1(x86_64)0:102.8.0-112.150.1(x86_64)0:3.79.4-58.94.1(x86_64)0:4.17-30.15.1(x86_64)0:4.0.9-44.74.1(x86_64)0:3.5.21-26.44.1(x86_64)0:2.42.3-2.161.1(noarch)0:2.42.3-2.161.1(x86_64)0:0.9.0~git.1456906198.f422461-21.39.1(x86_64)0:5.9-85.1(x86_64)0:7.2p2-74.66.1(x86_64)0:12.6.2-27.9.1(x86_64)0:115.6.0-112.194.1(noarch)0:115.6.0-112.194.1(x86_64)0:9.52-23.63.1(x86_64)0:0.43.0-16.22.1(x86_64)0:0.43.0-16.43.1(x86_64)0:2.4.7-4.6.1(x86_64)0:2.0-14.3.1(x86_64)0:3.6.15-6.82.1(x86_64)0:1.8.3-18.12.1(noarch)0:1.8.3-18.12.1(x86_64)0:2.42.4-2.164.1(noarch)0:2.42.4-2.164.1(x86_64)0:1.8.3-10.6.1(noarch)0:1.8.3-10.6.1(x86_64)0:1.1.28-17.15.1(x86_64)0:308-5.9.1(x86_64)0:2.15-6.3.1(x86_64)0:24.3-25.12.1(noarch)0:24.3-25.12.1(x86_64)0:4.0.9-44.62.1(x86_64)0:2.38.3-2.123.1(noarch)0:2.38.3-2.123.1(x86_64)0:3.6.15-6.85.1(noarch)0:44.1.1-9.14.1(x86_64)0:7.6_1.18.3-76.63.1(x86_64)0:0.5.3.git20161120-161.6.1(x86_64)0:3.4.10-25.108.1(x86_64)0:1.6.2-12.27.1(noarch)0:1.6.2-12.27.1(noarch)0:1.8.1-11.18.1(x86_64)0:1.0.2j-60.86.1(noarch)0:1.0.2j-60.86.1(noarch)0:8.0.53-29.63.1(noarch)0:1.1.1-122.8.1(noarch)0:2.007-5.3.1(x86_64)0:3.4.10-25.105.1(x86_64)0:9.0.1386-17.15.4(noarch)0:9.0.1386-17.15.4(x86_64)0:102.9.0-112.153.1(x86_64)0:2.9.1-43.65.2(noarch)0:1.0.0+-43.65.2(noarch)0:1.10.2_0_g5f4c7b1-43.65.2(noarch)0:8-43.65.2(noarch)0:0.15.2-3.5.1(x86_64)0:2.4.23-29.97.1(noarch)0:2.4.23-29.97.1(x86_64)0:7.37.0-37.93.1(x86_64)0:1.11.5-5.19.1(x86_64)0:4.9.4_38-3.120.1(x86_64)0:16.11.9-11.10.1(x86_64)0:16.11.9_k4.4.140_96.112.TDC-11.10.1(x86_64)0:16.11.9-8.21.1(x86_64)0:16.11.9_k4.4.180_94.185-8.21.1(x86_64)0:1.12-20.6.1(x86_64)0:2.02-144.1(noarch)0:2.02-144.1(noarch)0:40.6.2-4.21.1(x86_64)0:115.9.1-112.206.1(noarch)0:115.9.1-112.206.1(x86_64)0:0.6.32-32.24.1(noarch)0:0.6.32-32.24.1(x86_64)0:4.17-30.21.1(x86_64)0:4.9.4_50-3.138.1(x86_64)0:3.3.0-5.55.2(x86_64)0:5.9-88.1(x86_64)0:1.9.1-9.21.1(x86_64)0:3.2.10-3.30.1(noarch)0:3.2.10-3.30.1(x86_64)0:1.39.2-3.18.1(x86_64)0:458-7.12.1(x86_64)0:1.2.49-7.9.1(x86_64)0:2.29.2-3.42.1(noarch)0:2.29.2-3.42.1(x86_64)0:2.44.0-4.3.2(noarch)0:2.44.0-4.3.2(x86_64)0:6.2.0dev-22.11.1(x86_64)0:1.12.5-40.55.1(x86_64)0:24.3-25.17.1(noarch)0:24.3-25.17.1(x86_64)0:115.10.0-112.209.1(noarch)0:115.10.0-112.209.1(x86_64)0:2.4.16-48.54.1(x86_64)0:1.1.8-24.56.1(noarch)0:1.1.8-24.56.1(x86_64)0:1.900.14-195.40.1(x86_64)0:0.5.3.git20161120-161.9.1(x86_64)0:2.15-6.6.1(noarch)0:2.5-3.13.1(x86_64)0:1.8.0.412-27.99.1(x86_64)0:15.8-25.30.1(x86_64)0:0.6.32-32.27.1(noarch)0:0.6.32-32.27.1(x86_64)0:1.7.0-1.30.2(x86_64)0:4.9.4_52-3.141.1(x86_64)0:458-7.15.1(x86_64)0:0.1.1-25.3.1(x86_64)0:0.7.0-25.3.1(x86_64)0:0.4.3-25.3.1(x86_64)0:1.2.0-25.3.1(x86_64)0:1.13.4-34.46.1(x86_64)0:0.2.1-25.3.1(x86_64)0:0.1.5-25.3.1(x86_64)0:9.52-23.74.1(x86_64)0:7.6_1.18.3-76.69.1(x86_64)0:5.0.5-13.3.1(x86_64)0:0.13.0-3.28.1(noarch)0:17.1.0-4.26.1(x86_64)0:2.4.23-29.103.1(noarch)0:2.4.23-29.103.1(noarch)0:2.0-1.9.1(x86_64)0:16.3-3.13.1(noarch)0:16.3-3.13.1(x86_64)0:15.7-3.25.1(noarch)0:15.7-3.25.1(x86_64)0:3.4.10-25.127.1(x86_64)0:2.7.18-28.111.1(noarch)0:2.7.18-28.111.1(x86_64)0:2.22-145.6.1(noarch)0:2.22-145.6.1(x86_64)0:2.22-143.1(noarch)0:2.22-143.1(x86_64)0:115.11.0-112.212.1(noarch)0:115.11.0-112.212.1(noarch)0:2.34.0-19.20.1(x86_64)0:2.34.0-19.20.1(x86_64)0:20240514-13.124.1(x86_64)0:14.12-3.41.1(noarch)0:14.12-3.41.1(x86_64)0:1.0.0-3.3.1(noarch)0:1.0.0-3.3.1(x86_64)0:3.6.15-6.103.1(x86_64)0:2.7.18-28.114.1(noarch)0:2.7.18-28.114.1(noarch)0:2.48.2-12.37.1(x86_64)0:2.48.2-12.37.1(x86_64)0:3.4.10-25.130.1(x86_64)0:1.8.0_sr8.25-30.123.1(x86_64)0:0.99.8-3.6.1(x86_64)0:4.17-30.24.1(x86_64)0:4.0.9-44.83.1(x86_64)0:1.8.3-13.15.1(noarch)0:1.8.3-13.15.1(x86_64)0:0.43.0-16.46.1(noarch)0:8.0.53-29.77.1(x86_64)0:115.7.0-112.197.1(noarch)0:115.7.0-112.197.1(x86_64)0:2.22-140.1(noarch)0:2.22-140.1(x86_64)0:1.900.14-195.37.1(x86_64)0:2.11-36.18.1(noarch)0:2.11-36.18.1(x86_64)0:4.17-30.18.1(x86_64)0:4.9.4_48-3.135.1(noarch)0:1.25.10-6.6.1(x86_64)0:3.5.21-26.47.1(x86_64)0:3.1.1-13.12.1(x86_64)0:1.8.3-10.9.1(noarch)0:1.8.3-10.9.1(x86_64)0:10.3.10-3.41.1(x86_64)0:13.2-2.23.1(x86_64)0:2.7.18-28.108.1(noarch)0:2.7.18-28.108.1(x86_64)0:3.6.15-6.97.1(x86_64)0:0.6.1-9.3.1(x86_64)0:10.66.3-8.10.1(x86_64)0:3.4.10-25.119.1(x86_64)0:1.0.2j-60.107.1(noarch)0:1.0.2j-60.107.1(x86_64)0:15.6-3.22.1(noarch)0:15.6-3.22.1(x86_64)0:14.11-3.36.1(noarch)0:14.11-3.36.1(x86_64)0:13.14-3.46.1(noarch)0:13.14-3.46.1(x86_64)0:12.18-3.52.1(noarch)0:12.18-3.52.1(x86_64)0:2.42.5-2.168.2(noarch)0:2.42.5-2.168.2(x86_64)0:16.2-3.10.1(noarch)0:16.2-3.10.1(x86_64)0:2.9.4-46.71.1(noarch)0:2.9.4-46.71.1(x86_64)0:3.90.2-58.111.1(x86_64)0:115.8.0-112.200.1(noarch)0:115.8.0-112.200.1(x86_64)0:4.0.9-44.77.1(x86_64)0:7.2p2-74.69.1(x86_64)0:1.8.0_sr8.20-30.120.1(x86_64)0:1.27.1-15.24.1(noarch)0:1.27.1-15.24.1(noarch)0:2.28.1-6.5.23(x86_64)0:2.28.1-6.5.23(x86_64)0:3.6.15-6.100.1(noarch)0:9.4-3.12.1(x86_64)0:1.8.3-18.15.1(noarch)0:1.8.3-18.15.1(x86_64)0:9.1.0111-17.29.1(noarch)0:9.1.0111-17.29.1(x86_64)0:3.4.10-25.124.1(x86_64)0:1.8.20p2-3.46.1(x86_64)0:1.8.0.402-27.96.1(x86_64)0:2.11-36.21.1(noarch)0:2.11-36.21.1(noarch)0:1.4-290.9.1(x86_64)0:4.0.12-4.27.1(x86_64)0:1.8.20p2-3.49.2(x86_64)0:4.0.9-44.80.1(x86_64)0:20240312-13.121.1(x86_64)0:9.52-23.71.1(x86_64)0:1.1.3-24.18.1(noarch)0:1.1.3-24.18.1(x86_64)0:115.9.0-112.203.2(noarch)0:115.9.0-112.203.2(x86_64)0:3.5.21-26.50.1